From ece5971c6f6b4ba59f30dcbd3e84bcd6aaafe1e1 Mon Sep 17 00:00:00 2001
From: Dave Thaler <dthaler@microsoft.com>
Date: Wed, 11 Sep 2019 13:57:11 -0700
Subject: [PATCH 001/420] Add proposed quorum rules

Adapted from Stephen Walli's document, except that "majority"
is changed to "super majority" for consistency with existing
text in this doc.

Signed-off-by: Dave Thaler <dthaler@microsoft.com>
---
 docs/Maintainers.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/docs/Maintainers.md b/docs/Maintainers.md
index bdbecdc0bf..9046d913b1 100644
--- a/docs/Maintainers.md
+++ b/docs/Maintainers.md
@@ -13,6 +13,22 @@ but when that fails, the Committee calls for a vote where the super majority
 (two-thirds) wins. This is to prevent obstructionism by removing the possibility
 of a one person veto.
 
+Quorum for Community Maintenance Committee meetings requires at least fifty
+percent of all members of the Community Maintenance Committee to be present. The
+Community Maintenance Committee may continue to meet if quorum is not met but will
+be prevented from making any decisions at the meeting.
+
+Except for the cases below, decisions by vote at a meeting require a super majority
+vote of those in attendance, provided quorum is met:
+
+* Revisions to this document
+* Decisions regarding open source licence(s) for Open Enclave code or dependencies
+  from Open Enclave code.
+
+Decisions made by electronic vote without a meeting, and all decisions on the topics
+above, require a super majority vote of all members of the Community Maintenance Committee.
+
+
 Committee Members
 -----------------
 

From 83793ce5680ab73215cfdd81585c675e37471c89 Mon Sep 17 00:00:00 2001
From: Dave Thaler <dthaler@microsoft.com>
Date: Wed, 11 Sep 2019 14:13:25 -0700
Subject: [PATCH 002/420] Rename Community Maintenance Committee

Given the confusion between Maintainer vs CMC member, Maintainers Group
for example might be clearer.  Mike and John indicated initial support
for this term.

Another term used by many projects is "Technical Steering Committee",
which is the term that also appears in Stephen Walli's doc.   I would
be ok with that term, just for consistency with other open source
projects, if the group prefers that term.  However, it has the same
confusion between Maintainer vs TSC member.   One way that could be
resolved, should the TSC name be used, would be to remove the term
"Maintainer" and only use "TSC member", "Committer", and "Contributor"
as roles, which is the approach Stephen's doc takes.

Signed-off-by: Dave Thaler <dthaler@microsoft.com>
---
 docs/GovernanceModel.md | 16 +++++++--------
 docs/Maintainers.md     | 43 +++++++++++++++++++++--------------------
 2 files changed, 30 insertions(+), 29 deletions(-)

diff --git a/docs/GovernanceModel.md b/docs/GovernanceModel.md
index 8f187d335c..0938bd185e 100644
--- a/docs/GovernanceModel.md
+++ b/docs/GovernanceModel.md
@@ -17,9 +17,9 @@ In order to maintain a pleasant and welcoming environment, we want to reiterate
 that it is imperative that all community members adhere to our
 [Code of Conduct](Contributing.md#code-of-conduct).
 Anyone failing to follow the Code of Conduct will be removed from the community
-by the [Community Maintenance Committee](Maintainers.md). If you are made to
+by the [Maintainers Group](Maintainers.md). If you are made to
 feel uncomfortable, or have any concerns about behavior within the community, we
-encourage you to reach out to members of the Community Maintenance Committee.
+encourage you to reach out to members of the Maintainers Group.
 
 Design and Development Discussions
 ----------------------------------
@@ -44,17 +44,17 @@ Issues](Contributing.md#reporting-security-issues).
 Maintainers, Committers, and Contributors
 -----------------------------------------
 
-We define "maintainer" as members of the Open Enclave "Community Maintenance
-Committee", as listed in the [maintainers document](Maintainers.md). A
+We define "maintainer" as members of the Open Enclave "Maintainers
+Group", as listed in the [maintainers document](Maintainers.md). A
 "committer" is anyone with direct write access to the Open Enclave repository on
-GitHub, as granted by the Committee. All maintainers are committers, but not all
+GitHub, as granted by the Maintainers Group. All maintainers are committers, but not all
 committers are maintainers. Finally, "contributor" is anyone else making
 contributions to the project, including: creating or commenting on issues,
 opening or reviewing pull requests, or other useful contributions such as
 providing support in forums or chats.
 
-See the [maintainers document](Maintainers.md) for the Community Maintenance
-Committee, our process for adding new committers and maintainers, as well the
+See the [maintainers document](Maintainers.md) for the Maintainers
+Group, our process for adding new committers and maintainers, as well the
 areas of expertise for each of the committers.
 
 Accepting Contributions
@@ -69,7 +69,7 @@ Committers may revert changes if they are found to be breaking.
 We make most decisions through a consensus seeking process, rather than a formal
 voting process. For example, committers can merge contributions that were
 reviewed without objections. If there are objections that cannot be resolved, an
-issue can be escalated to the Community Maintenance Committee to make a
+issue can be escalated to the Maintaines Group to make a
 decision, which handles issues as discussed in the
 [maintainers document](Maintainers.md).
 
diff --git a/docs/Maintainers.md b/docs/Maintainers.md
index bdbecdc0bf..f7e4c9f98e 100644
--- a/docs/Maintainers.md
+++ b/docs/Maintainers.md
@@ -1,20 +1,21 @@
-Community Maintenance Committee
-===============================
+Maintainers Group
+=================
 
-This document describes the Community Maintenance Committee of Open Enclave. By
+This document describes the Open Enclave Maintainers Group, which in some open source
+projects is also known as a Technical Steering Committee. By
 our liberal contribution policy outlined in our
 [governance model](GovernanceModel.md), maintainers are committers that are
 trusted to grant new committer rights, and grant new membership into the
-Committee.
+Maintainers Group.
 
-When making decisions, the Community Maintenance Committee uses a "consensus
+When making decisions, the Maintainers Group uses a "consensus
 seeking" process. This means that most decisions should be reached by consensus,
-but when that fails, the Committee calls for a vote where the super majority
+but when that fails, the Maintainers Group calls for a vote where the super majority
 (two-thirds) wins. This is to prevent obstructionism by removing the possibility
 of a one person veto.
 
-Committee Members
------------------
+Maintainers
+-----------
 
 | Name                 | Company   | Email                         | GitHub Alias   |
 |----------------------|-----------|-------------------------------|----------------|
@@ -27,33 +28,33 @@ Committee Members
 | Mike Brasher         | Microsoft | mikbras@microsoft.com         | mikbras        |
 | Simon Leet           | Microsoft | simon.leet@microsoft.com      | CodeMonkeyLeet |
 
-Committee Responsibilities
---------------------------
+Responsibilities
+----------------
 
-The primary responsibility of the Committee is to grant new committer rights
+The primary responsibility of the Maintainers Group is to grant new committer rights
 (that is, write access to the main Open Enclave SDK repository or related
-repositories), and to grant new membership into the committee. Conversely, the
-Committee must also remove committer rights and membership from those found to
+repositories), and to grant new membership into the Maintainers Group. Conversely, the
+Group must also remove committer rights and membership from those found to
 be violating the project's Code of Conduct or otherwise negatively affecting the
 project's community health.
 
-This Committee is not intended to make every technical decision, as those should
+This Group is not intended to make every technical decision, as those should
 generally be made by agreement among committers as PRs are reviewed and merged.
 Where disagreements take place and need further resolution, those can be brought
-up with the Committee as part of its responsibility to maintain the project's
+up with the Group as part of its responsibility to maintain the project's
 community health. Otherwise technical decisions are left to the active
 committers (by virtue of the liberal contribution policy).
 
-The Community Maintenance Committee should meet regularly, for example, once a
+The Maintainers Group should meet regularly, for example, once a
 month. This meeting is a private meeting among just the maintainers to nominate
 new committers and maintainer members. Priority consideration should be given to
-those actively contributing to the project. The Committee uses the consensus
+those actively contributing to the project. The Group uses the consensus
 seeking process outlined above when making decisions, including adding or
-removing any members. The Committee should also discuss the community's health
+removing any members. The Group should also discuss the community's health
 and work to resolve any negative issues.
 
 In order to maintain a healthy developer community, it is recommended that the
-Committee also host a regular public community meeting. This meeting should be
+Group also host a regular public community meeting. This meeting should be
 open all members of the community, and start with an open forum to hear
 questions or concerns from the community. Any remaining time in the meeting
 should be used to discuss and review open pull requests or issues (especially
@@ -63,12 +64,12 @@ Project Committers
 ==================
 
 The following people have been granted commit permissions (that is, write
-access) to the Open Enclave SDK by the Community Maintenance Committee. The area
+access) to the Open Enclave SDK by the Maintainers Group. The area
 column describes which technical areas each committer is most interested in, and
 therefore should usually be consulted for changes relating to that area.
 However, it is up to each committer to determine who should review which PR, and
 when to merge it. Remember that a PR must not be merged if a committer objects;
-instead, it should be brought up with the Community Maintenance Committee.
+instead, it should be brought up with the Maintainers Group.
 
 | Name                  | GitHub Alias        | Area                           |
 |-----------------------|---------------------|--------------------------------|

From d79c431d71e7792e9c0e25476160bcfb8ad330ab Mon Sep 17 00:00:00 2001
From: Dave Thaler <dthaler@microsoft.com>
Date: Wed, 11 Sep 2019 15:02:14 -0700
Subject: [PATCH 003/420] Add developer guidance around abbreviations and
 doxygen

Signed-off-by: Dave Thaler <dthaler@microsoft.com>
---
 docs/DevelopmentGuide.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/docs/DevelopmentGuide.md b/docs/DevelopmentGuide.md
index df26880aaa..b02b6a0764 100644
--- a/docs/DevelopmentGuide.md
+++ b/docs/DevelopmentGuide.md
@@ -11,8 +11,18 @@ Coding Conventions
 * **DO** use `const` and `static` and visibility modifiers to scope exposure of
    variables and methods as much as possible.
 
+* **DO** use doxygen comments, with \[in,out\]
+  [direction annotation](http://www.doxygen.nl/manual/commands.html#cmdparam) in all public API
+  headers. This is also encouraged, but not strictly required, for internal API
+  headers as well.
+
 * **DON'T** use global variables where possible.
 
+* **DON'T** use abbreviations unless they are already well-known terms known by
+  users (e.g., "app", "info"), or are already required for use by developers (e.g,
+  "min", "max", "args").  Examples of bad use would be `num_widgets` instead of
+  `widget_count`, and `opt_widgets` instead of `option_widgets` or `optional_widgets`.
+
 Style Guide
 -----------
 

From 28232e4c52524a875493bdd6b433731d939b14ca Mon Sep 17 00:00:00 2001
From: Dave Thaler <dthaler@microsoft.com>
Date: Thu, 12 Sep 2019 11:25:44 -0700
Subject: [PATCH 004/420] Accept Simon's proposed change

Signed-off-by: Dave Thaler <dthaler@microsoft.com>
---
 docs/Maintainers.md | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/docs/Maintainers.md b/docs/Maintainers.md
index 9046d913b1..2a3733dec4 100644
--- a/docs/Maintainers.md
+++ b/docs/Maintainers.md
@@ -13,20 +13,13 @@ but when that fails, the Committee calls for a vote where the super majority
 (two-thirds) wins. This is to prevent obstructionism by removing the possibility
 of a one person veto.
 
-Quorum for Community Maintenance Committee meetings requires at least fifty
-percent of all members of the Community Maintenance Committee to be present. The
+Quorum for Community Maintenance Committee meetings requires at least two-thirds
+all members of the Community Maintenance Committee to be present. The
 Community Maintenance Committee may continue to meet if quorum is not met but will
 be prevented from making any decisions at the meeting.
 
-Except for the cases below, decisions by vote at a meeting require a super majority
-vote of those in attendance, provided quorum is met:
-
-* Revisions to this document
-* Decisions regarding open source licence(s) for Open Enclave code or dependencies
-  from Open Enclave code.
-
-Decisions made by electronic vote without a meeting, and all decisions on the topics
-above, require a super majority vote of all members of the Community Maintenance Committee.
+All decisions by vote, whether during a meeting or otherwise, require a super majority
+vote of all members of the Community Maintenance Committee.
 
 
 Committee Members

From 15e397cbdd5ed5cecbdb91c0798790141246753d Mon Sep 17 00:00:00 2001
From: Dave Thaler <dthaler@microsoft.com>
Date: Thu, 12 Sep 2019 16:38:52 -0700
Subject: [PATCH 005/420] Remove all use of Maintainer as a term

Per review discussion so far

Signed-off-by: Dave Thaler <dthaler@microsoft.com>
---
 docs/Maintainers.md | 42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/docs/Maintainers.md b/docs/Maintainers.md
index f7e4c9f98e..689480e689 100644
--- a/docs/Maintainers.md
+++ b/docs/Maintainers.md
@@ -1,21 +1,21 @@
-Maintainers Group
-=================
+Community Governance Committee
+==============================
 
-This document describes the Open Enclave Maintainers Group, which in some open source
+This document describes the Open Enclave Community Governance Committee, which in some open source
 projects is also known as a Technical Steering Committee. By
 our liberal contribution policy outlined in our
 [governance model](GovernanceModel.md), maintainers are committers that are
 trusted to grant new committer rights, and grant new membership into the
-Maintainers Group.
+Committee.
 
-When making decisions, the Maintainers Group uses a "consensus
+When making decisions, the Community Governance Committee uses a "consensus
 seeking" process. This means that most decisions should be reached by consensus,
-but when that fails, the Maintainers Group calls for a vote where the super majority
+but when that fails, the Committee calls for a vote where the super majority
 (two-thirds) wins. This is to prevent obstructionism by removing the possibility
 of a one person veto.
 
-Maintainers
------------
+Committee Members
+-----------------
 
 | Name                 | Company   | Email                         | GitHub Alias   |
 |----------------------|-----------|-------------------------------|----------------|
@@ -28,33 +28,33 @@ Maintainers
 | Mike Brasher         | Microsoft | mikbras@microsoft.com         | mikbras        |
 | Simon Leet           | Microsoft | simon.leet@microsoft.com      | CodeMonkeyLeet |
 
-Responsibilities
-----------------
+Committee Responsibilities
+--------------------------
 
-The primary responsibility of the Maintainers Group is to grant new committer rights
+The primary responsibility of the Committee is to grant new committer rights
 (that is, write access to the main Open Enclave SDK repository or related
-repositories), and to grant new membership into the Maintainers Group. Conversely, the
-Group must also remove committer rights and membership from those found to
+repositories), and to grant new membership into the Committee. Conversely, the
+Commitee must also remove committer rights and membership from those found to
 be violating the project's Code of Conduct or otherwise negatively affecting the
 project's community health.
 
-This Group is not intended to make every technical decision, as those should
+This Committee is not intended to make every technical decision, as those should
 generally be made by agreement among committers as PRs are reviewed and merged.
 Where disagreements take place and need further resolution, those can be brought
-up with the Group as part of its responsibility to maintain the project's
+up with the Committee as part of its responsibility to maintain the project's
 community health. Otherwise technical decisions are left to the active
 committers (by virtue of the liberal contribution policy).
 
-The Maintainers Group should meet regularly, for example, once a
+The Community Governance Committee should meet regularly, for example, once a
 month. This meeting is a private meeting among just the maintainers to nominate
 new committers and maintainer members. Priority consideration should be given to
-those actively contributing to the project. The Group uses the consensus
+those actively contributing to the project. The Committee uses the consensus
 seeking process outlined above when making decisions, including adding or
-removing any members. The Group should also discuss the community's health
+removing any members. The Committee should also discuss the community's health
 and work to resolve any negative issues.
 
 In order to maintain a healthy developer community, it is recommended that the
-Group also host a regular public community meeting. This meeting should be
+Committee also host a regular public community meeting. This meeting should be
 open all members of the community, and start with an open forum to hear
 questions or concerns from the community. Any remaining time in the meeting
 should be used to discuss and review open pull requests or issues (especially
@@ -64,12 +64,12 @@ Project Committers
 ==================
 
 The following people have been granted commit permissions (that is, write
-access) to the Open Enclave SDK by the Maintainers Group. The area
+access) to the Open Enclave SDK by the Community Governance Committee. The area
 column describes which technical areas each committer is most interested in, and
 therefore should usually be consulted for changes relating to that area.
 However, it is up to each committer to determine who should review which PR, and
 when to merge it. Remember that a PR must not be merged if a committer objects;
-instead, it should be brought up with the Maintainers Group.
+instead, it should be brought up with the Community Governance Committee.
 
 | Name                  | GitHub Alias        | Area                           |
 |-----------------------|---------------------|--------------------------------|

From 5bc22b544c41a49d7988c7204c6445903ad5fe51 Mon Sep 17 00:00:00 2001
From: Dave Thaler <dthaler@microsoft.com>
Date: Thu, 12 Sep 2019 16:39:50 -0700
Subject: [PATCH 006/420] Remove use of Maintainers as a term

Signed-off-by: Dave Thaler <dthaler@microsoft.com>
---
 docs/GovernanceModel.md | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

diff --git a/docs/GovernanceModel.md b/docs/GovernanceModel.md
index 0938bd185e..6e7001ad27 100644
--- a/docs/GovernanceModel.md
+++ b/docs/GovernanceModel.md
@@ -17,9 +17,9 @@ In order to maintain a pleasant and welcoming environment, we want to reiterate
 that it is imperative that all community members adhere to our
 [Code of Conduct](Contributing.md#code-of-conduct).
 Anyone failing to follow the Code of Conduct will be removed from the community
-by the [Maintainers Group](Maintainers.md). If you are made to
+by the [Community Governance Committee](Maintainers.md). If you are made to
 feel uncomfortable, or have any concerns about behavior within the community, we
-encourage you to reach out to members of the Maintainers Group.
+encourage you to reach out to members of the Community Governance Committee.
 
 Design and Development Discussions
 ----------------------------------
@@ -41,20 +41,18 @@ Remember that security issues should be reported through a separate channel, and
 will receive a response within 24 hours. See [Reporting Security
 Issues](Contributing.md#reporting-security-issues).
 
-Maintainers, Committers, and Contributors
------------------------------------------
+Community Maintenance Commitee Members, Committers, and Contributors
+--------------------------------------------------------------------
 
-We define "maintainer" as members of the Open Enclave "Maintainers
-Group", as listed in the [maintainers document](Maintainers.md). A
-"committer" is anyone with direct write access to the Open Enclave repository on
-GitHub, as granted by the Maintainers Group. All maintainers are committers, but not all
-committers are maintainers. Finally, "contributor" is anyone else making
+A "committer" is anyone with direct write access to the Open Enclave repository on
+GitHub, as granted by the Committee. All Committee members are committers, but not all
+committers are Committee members. Finally, "contributor" is anyone else making
 contributions to the project, including: creating or commenting on issues,
 opening or reviewing pull requests, or other useful contributions such as
 providing support in forums or chats.
 
-See the [maintainers document](Maintainers.md) for the Maintainers
-Group, our process for adding new committers and maintainers, as well the
+See the [Community Governance Committee document](Maintainers.md) for more information
+on the Community Governance Committee, our process for adding new committers and maintainers, as well the
 areas of expertise for each of the committers.
 
 Accepting Contributions
@@ -69,11 +67,11 @@ Committers may revert changes if they are found to be breaking.
 We make most decisions through a consensus seeking process, rather than a formal
 voting process. For example, committers can merge contributions that were
 reviewed without objections. If there are objections that cannot be resolved, an
-issue can be escalated to the Maintaines Group to make a
+issue can be escalated to the Community Governance Committee to make a
 decision, which handles issues as discussed in the
-[maintainers document](Maintainers.md).
+[Community Governance Committee document](Maintainers.md).
 
-See the [maintainers document](Maintainers.md) for the list of project
+See the [Community Governance Committee document](Maintainers.md) for the list of project
 committers, and how to become one.
 
 Community Approval of Releases

From af902ca1cf7d82dc582c979a391afcfbf8373a5c Mon Sep 17 00:00:00 2001
From: Dave Thaler <dthaler@microsoft.com>
Date: Thu, 12 Sep 2019 16:42:13 -0700
Subject: [PATCH 007/420] Remove use of Maintainer as a term

Signed-off-by: Dave Thaler <dthaler@microsoft.com>
---
 docs/Contributing.md     | 6 +++---
 docs/DevelopmentGuide.md | 2 +-
 docs/GovernanceModel.md  | 2 +-
 docs/Maintainers.md      | 6 +++---
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/docs/Contributing.md b/docs/Contributing.md
index 653e21feac..c2f09f1156 100644
--- a/docs/Contributing.md
+++ b/docs/Contributing.md
@@ -39,7 +39,7 @@ You are encouraged to start a discussion with us through a GitHub issue before
 implementing any major changes. We want your contributions, but we also want to
 make sure the community is in agreement before you invest your time.
 
-You may be asked by maintainers to provide a design document before writing an
+You may be asked by Committers to provide a design document before writing an
 implementation. The simplest way to provide this is through a Pull Request to
 our repository with a Markdown style document (like this one) to the
 [docs/DesignDocs](DesignDocs) folder, and see its [readme](DesignDocs/README.md)
@@ -81,7 +81,7 @@ Please do:
 
 - **DO** submit all code changes via pull requests (PRs) rather than through a
   direct commit. PRs will be reviewed and potentially merged by the repo
-  maintainers after a peer review that includes at least one maintainer.
+  Committers after a peer review that includes at least one Committer.
 - **DO** give PRs short-but-descriptive names (e.g. "Improve code coverage for
   System.Console by 10%", not "Fix #1234").
 - **DO** add breaking changes, new features, deprecations, and bug
@@ -134,7 +134,7 @@ Merging Pull Requests
 Instead of merging pull requests with "the big green button" on GitHub, we use
 an automated system called [Bors](https://bors.tech/). The Bors bot is the
 _only_ approved mechanism of merging code to `master`. When a PR is ready to be
-merged, a maintainer will comment on it with `bors r+`.
+merged, a Committer will comment on it with `bors r+`.
 
 Bors will automatically:
 1. Apply the PR's commits to a `staging` branch based on `master`.
diff --git a/docs/DevelopmentGuide.md b/docs/DevelopmentGuide.md
index df26880aaa..500ca3ad4d 100644
--- a/docs/DevelopmentGuide.md
+++ b/docs/DevelopmentGuide.md
@@ -97,7 +97,7 @@ in that file takes precedence.
 Note that we _no longer_ use `CamelCase` nor double underscores (`__`), but you
 may find remnants and so again should prefer the local style. This is especially
 the case for classes, which are still using `PascalCase`. For now, follow the
-existing style. The project maintainers prefer to fix style issues in bulk using
+existing style. The project Committers prefer to fix style issues in bulk using
 automation, so avoid submitting PRs intended to fix only a few instances of the
 inconsistent style.
 
diff --git a/docs/GovernanceModel.md b/docs/GovernanceModel.md
index 6e7001ad27..3cbfdcc7b6 100644
--- a/docs/GovernanceModel.md
+++ b/docs/GovernanceModel.md
@@ -52,7 +52,7 @@ opening or reviewing pull requests, or other useful contributions such as
 providing support in forums or chats.
 
 See the [Community Governance Committee document](Maintainers.md) for more information
-on the Community Governance Committee, our process for adding new committers and maintainers, as well the
+on the Community Governance Committee, our process for adding new committers and Committee members, as well the
 areas of expertise for each of the committers.
 
 Accepting Contributions
diff --git a/docs/Maintainers.md b/docs/Maintainers.md
index 689480e689..248d1f7b52 100644
--- a/docs/Maintainers.md
+++ b/docs/Maintainers.md
@@ -4,7 +4,7 @@ Community Governance Committee
 This document describes the Open Enclave Community Governance Committee, which in some open source
 projects is also known as a Technical Steering Committee. By
 our liberal contribution policy outlined in our
-[governance model](GovernanceModel.md), maintainers are committers that are
+[governance model](GovernanceModel.md), Committee members are committers that are
 trusted to grant new committer rights, and grant new membership into the
 Committee.
 
@@ -46,8 +46,8 @@ community health. Otherwise technical decisions are left to the active
 committers (by virtue of the liberal contribution policy).
 
 The Community Governance Committee should meet regularly, for example, once a
-month. This meeting is a private meeting among just the maintainers to nominate
-new committers and maintainer members. Priority consideration should be given to
+month. This meeting is a private meeting among just the Committee members to nominate
+new committers and Committee members. Priority consideration should be given to
 those actively contributing to the project. The Committee uses the consensus
 seeking process outlined above when making decisions, including adding or
 removing any members. The Committee should also discuss the community's health

From 4dafeb9c724ddbca288fe1605afb24001b376031 Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Fri, 13 Sep 2019 00:26:37 +0000
Subject: [PATCH 008/420] Clone mbedTLS v2.7.11 into 3rdparty/mbedtls/mbedtls

---
 3rdparty/mbedtls/mbedtls/.globalrc            |    3 +
 3rdparty/mbedtls/mbedtls/.travis.yml          |    3 +-
 3rdparty/mbedtls/mbedtls/CMakeLists.txt       |   26 +-
 3rdparty/mbedtls/mbedtls/ChangeLog            |   94 ++
 3rdparty/mbedtls/mbedtls/Makefile             |    9 +
 3rdparty/mbedtls/mbedtls/circle.yml           |   44 -
 .../mbedtls/doxygen/input/doc_mainpage.h      |    2 +-
 .../mbedtls/mbedtls/doxygen/mbedtls.doxyfile  |    2 +-
 .../mbedtls/mbedtls/include/CMakeLists.txt    |    2 +-
 .../mbedtls/mbedtls/include/mbedtls/aesni.h   |    6 +
 .../mbedtls/include/mbedtls/asn1write.h       |   31 +-
 .../mbedtls/mbedtls/include/mbedtls/base64.h  |    6 +
 .../mbedtls/mbedtls/include/mbedtls/bn_mul.h  |    8 +-
 .../mbedtls/mbedtls/include/mbedtls/ccm.h     |    6 +
 .../mbedtls/mbedtls/include/mbedtls/certs.h   |    6 +
 .../mbedtls/mbedtls/include/mbedtls/cmac.h    |    6 +
 .../mbedtls/include/mbedtls/compat-1.3.h      |    6 +
 .../mbedtls/mbedtls/include/mbedtls/config.h  |   20 +
 .../mbedtls/include/mbedtls/ctr_drbg.h        |    6 +
 .../mbedtls/mbedtls/include/mbedtls/ecdh.h    |    6 +
 .../mbedtls/mbedtls/include/mbedtls/ecdsa.h   |    6 +
 .../mbedtls/mbedtls/include/mbedtls/ecjpake.h |    5 +
 .../mbedtls/mbedtls/include/mbedtls/ecp.h     |    6 +
 .../mbedtls/include/mbedtls/ecp_internal.h    |    6 +
 .../mbedtls/mbedtls/include/mbedtls/error.h   |    6 +
 .../mbedtls/mbedtls/include/mbedtls/gcm.h     |    6 +
 .../mbedtls/mbedtls/include/mbedtls/havege.h  |    6 +
 .../mbedtls/include/mbedtls/hmac_drbg.h       |    6 +
 .../mbedtls/mbedtls/include/mbedtls/net.h     |    5 +
 .../mbedtls/mbedtls/include/mbedtls/padlock.h |    6 +
 .../mbedtls/mbedtls/include/mbedtls/pem.h     |    6 +
 .../mbedtls/mbedtls/include/mbedtls/pkcs12.h  |    6 +
 .../mbedtls/mbedtls/include/mbedtls/pkcs5.h   |    6 +
 .../mbedtls/mbedtls/include/mbedtls/ssl.h     |   21 +-
 .../mbedtls/include/mbedtls/ssl_cache.h       |    6 +
 .../include/mbedtls/ssl_ciphersuites.h        |    6 +
 .../mbedtls/include/mbedtls/ssl_cookie.h      |    6 +
 .../mbedtls/include/mbedtls/ssl_internal.h    |    6 +
 .../mbedtls/include/mbedtls/ssl_ticket.h      |    6 +
 .../mbedtls/mbedtls/include/mbedtls/version.h |    8 +-
 .../mbedtls/include/mbedtls/x509_crt.h        |    2 +-
 .../mbedtls/include/mbedtls/x509_csr.h        |    8 +
 .../mbedtls/mbedtls/library/CMakeLists.txt    |   12 +-
 3rdparty/mbedtls/mbedtls/library/asn1write.c  |   28 +-
 3rdparty/mbedtls/mbedtls/library/bignum.c     |   66 +-
 3rdparty/mbedtls/mbedtls/library/certs.c      |   94 +-
 3rdparty/mbedtls/mbedtls/library/debug.c      |   44 +-
 3rdparty/mbedtls/mbedtls/library/ecdh.c       |   16 +-
 3rdparty/mbedtls/mbedtls/library/ecdsa.c      |    9 +-
 .../mbedtls/library/ssl_ciphersuites.c        |   57 +-
 3rdparty/mbedtls/mbedtls/library/ssl_tls.c    |  143 +-
 .../mbedtls/library/version_features.c        |    3 +
 3rdparty/mbedtls/mbedtls/library/x509.c       |   51 +-
 3rdparty/mbedtls/mbedtls/library/x509_crl.c   |   10 +-
 3rdparty/mbedtls/mbedtls/library/x509_crt.c   |   13 +-
 3rdparty/mbedtls/mbedtls/library/x509_csr.c   |   15 +-
 .../mbedtls/mbedtls/library/x509write_crt.c   |  190 ++-
 .../mbedtls/mbedtls/library/x509write_csr.c   |   36 +-
 3rdparty/mbedtls/mbedtls/programs/Makefile    |    6 +-
 .../mbedtls/programs/pkey/key_app_writer.c    |    2 +-
 .../mbedtls/programs/pkey/rsa_sign_pss.c      |    1 -
 .../mbedtls/programs/ssl/ssl_client2.c        |   62 +-
 .../mbedtls/programs/ssl/ssl_mail_client.c    |   30 +-
 .../mbedtls/programs/ssl/ssl_server2.c        |   55 +-
 .../mbedtls/programs/test/CMakeLists.txt      |    4 +-
 .../mbedtls/programs/test/ssl_cert_test.c     |  261 ----
 .../mbedtls/mbedtls/programs/test/udp_proxy.c |   29 +-
 .../mbedtls/mbedtls/programs/x509/cert_req.c  |   98 +-
 .../mbedtls/programs/x509/cert_write.c        |    6 +-
 3rdparty/mbedtls/mbedtls/scripts/abi_check.py |  406 ++++++
 3rdparty/mbedtls/mbedtls/scripts/config.pl    |    2 +
 3rdparty/mbedtls/mbedtls/tests/CMakeLists.txt |   13 +-
 3rdparty/mbedtls/mbedtls/tests/Makefile       |    3 +-
 3rdparty/mbedtls/mbedtls/tests/compat.sh      |    7 +-
 .../mbedtls/mbedtls/tests/data_files/Makefile |   58 +
 .../mbedtls/tests/data_files/cert_md2.crt     |   91 +-
 .../mbedtls/tests/data_files/cert_md4.crt     |   89 +-
 .../mbedtls/tests/data_files/cert_md5.crt     |   89 +-
 .../tests/data_files/server1-ms.req.sha256    |   16 +
 .../tests/data_files/server1.cert_type.crt    |   12 +-
 .../data_files/server1.cert_type_noauthid.crt |   14 +-
 .../tests/data_files/server1.key_usage.crt    |   14 +-
 .../data_files/server1.key_usage_noauthid.crt |   14 +-
 .../tests/data_files/server1.req.cert_type    |   14 +-
 .../data_files/server1.req.cert_type_empty    |   17 +
 .../tests/data_files/server1.req.key_usage    |   14 +-
 .../data_files/server1.req.key_usage_empty    |   17 +
 .../tests/data_files/server1.req.ku-ct        |   14 +-
 .../tests/data_files/server5.req.ku.sha1      |    6 +-
 3rdparty/mbedtls/mbedtls/tests/scripts/all.sh | 1252 ++++++++++-------
 .../mbedtls/tests/scripts/basic-build-test.sh |    2 +-
 .../mbedtls/tests/scripts/check-files.py      |  156 +-
 .../mbedtls/tests/scripts/check-names.sh      |   42 +-
 .../mbedtls/tests/scripts/list-identifiers.sh |   32 +-
 .../mbedtls/tests/scripts/list-symbols.sh     |   15 +-
 .../mbedtls/tests/scripts/run-test-suites.pl  |   68 +-
 3rdparty/mbedtls/mbedtls/tests/ssl-opt.sh     |   33 +-
 .../mbedtls/tests/suites/helpers.function     |    1 +
 .../mbedtls/tests/suites/test_suite_ccm.data  |    1 +
 .../tests/suites/test_suite_cipher.function   |    7 +-
 .../mbedtls/tests/suites/test_suite_ecdh.data |   16 +
 .../tests/suites/test_suite_ecdh.function     |  150 ++
 .../mbedtls/tests/suites/test_suite_mpi.data  |    3 +
 .../tests/suites/test_suite_mpi.function      |    3 +
 .../tests/suites/test_suite_timing.data       |   48 +-
 .../tests/suites/test_suite_timing.function   |  391 +----
 .../tests/suites/test_suite_version.data      |    4 +-
 .../tests/suites/test_suite_x509parse.data    |  402 +++---
 .../suites/test_suite_x509parse.function      |   11 +
 .../tests/suites/test_suite_x509write.data    |   46 +-
 .../suites/test_suite_x509write.function      |   16 +-
 .../mbedtls/visualc/VS2010/mbedTLS.sln        |   13 -
 .../visualc/VS2010/ssl_cert_test.vcxproj      |  174 ---
 113 files changed, 3130 insertions(+), 2444 deletions(-)
 create mode 100644 3rdparty/mbedtls/mbedtls/.globalrc
 delete mode 100644 3rdparty/mbedtls/mbedtls/circle.yml
 delete mode 100644 3rdparty/mbedtls/mbedtls/programs/test/ssl_cert_test.c
 create mode 100755 3rdparty/mbedtls/mbedtls/scripts/abi_check.py
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/server1-ms.req.sha256
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.cert_type_empty
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.key_usage_empty
 delete mode 100644 3rdparty/mbedtls/mbedtls/visualc/VS2010/ssl_cert_test.vcxproj

diff --git a/3rdparty/mbedtls/mbedtls/.globalrc b/3rdparty/mbedtls/mbedtls/.globalrc
new file mode 100644
index 0000000000..01b2ea5a31
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/.globalrc
@@ -0,0 +1,3 @@
+default:\
+    :langmap=c\:.c.h.function:\
+
diff --git a/3rdparty/mbedtls/mbedtls/.travis.yml b/3rdparty/mbedtls/mbedtls/.travis.yml
index 4d23652c67..b4f21a30f0 100644
--- a/3rdparty/mbedtls/mbedtls/.travis.yml
+++ b/3rdparty/mbedtls/mbedtls/.travis.yml
@@ -24,7 +24,8 @@ after_failure:
 - tests/scripts/travis-log-failure.sh
 env:
   global:
-    secure: "barHldniAfXyoWOD/vcO+E6/Xm4fmcaUoC9BeKW+LwsHqlDMLvugaJnmLXkSpkbYhVL61Hzf3bo0KPJn88AFc5Rkf8oYHPjH4adMnVXkf3B9ghHCgznqHsAH3choo6tnPxaFgOwOYmLGb382nQxfE5lUdvnM/W/psQjWt66A1+k="
+    - SEED=1
+    - secure: "barHldniAfXyoWOD/vcO+E6/Xm4fmcaUoC9BeKW+LwsHqlDMLvugaJnmLXkSpkbYhVL61Hzf3bo0KPJn88AFc5Rkf8oYHPjH4adMnVXkf3B9ghHCgznqHsAH3choo6tnPxaFgOwOYmLGb382nQxfE5lUdvnM/W/psQjWt66A1+k="
 
 addons:
   apt:
diff --git a/3rdparty/mbedtls/mbedtls/CMakeLists.txt b/3rdparty/mbedtls/mbedtls/CMakeLists.txt
index 0ade1d4cb8..7309d02e70 100644
--- a/3rdparty/mbedtls/mbedtls/CMakeLists.txt
+++ b/3rdparty/mbedtls/mbedtls/CMakeLists.txt
@@ -65,8 +65,14 @@ set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
 # to the corresponding path in the source directory.
 function(link_to_source base_name)
     # Get OS dependent path to use in `execute_process`
-    file(TO_NATIVE_PATH "${CMAKE_CURRENT_BINARY_DIR}/${base_name}" link)
-    file(TO_NATIVE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}" target)
+    if (CMAKE_HOST_WIN32)
+        #mklink is an internal command of cmd.exe it can only work with \
+        string(REPLACE "/" "\\" link "${CMAKE_CURRENT_BINARY_DIR}/${base_name}")
+        string(REPLACE "/" "\\" target "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}")
+    else()
+        set(link "${CMAKE_CURRENT_BINARY_DIR}/${base_name}")
+        set(target "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}")
+    endif()
 
     if (NOT EXISTS ${link})
         if (CMAKE_HOST_UNIX)
@@ -200,13 +206,13 @@ if(ENABLE_TESTING)
             COMMAND mv DartConfiguration.tcl.bak DartConfiguration.tcl
         )
     endif(UNIX)
-endif()
 
-# Make scripts needed for testing available in an out-of-source build.
-if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
-    link_to_source(scripts)
-    # Copy (don't link) DartConfiguration.tcl, needed for memcheck, to
-    # keep things simple with the sed commands in the memcheck target.
-    configure_file(${CMAKE_CURRENT_SOURCE_DIR}/DartConfiguration.tcl
-                   ${CMAKE_CURRENT_BINARY_DIR}/DartConfiguration.tcl COPYONLY)
+    # Make scripts needed for testing available in an out-of-source build.
+    if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
+        link_to_source(scripts)
+        # Copy (don't link) DartConfiguration.tcl, needed for memcheck, to
+        # keep things simple with the sed commands in the memcheck target.
+        configure_file(${CMAKE_CURRENT_SOURCE_DIR}/DartConfiguration.tcl
+                    ${CMAKE_CURRENT_BINARY_DIR}/DartConfiguration.tcl COPYONLY)
+    endif()
 endif()
diff --git a/3rdparty/mbedtls/mbedtls/ChangeLog b/3rdparty/mbedtls/mbedtls/ChangeLog
index 661eb82510..857cc4036a 100644
--- a/3rdparty/mbedtls/mbedtls/ChangeLog
+++ b/3rdparty/mbedtls/mbedtls/ChangeLog
@@ -1,5 +1,99 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS 2.7.11 branch released 2019-06-11
+
+Security
+   * Make mbedtls_ecdh_get_params return an error if the second key
+     belongs to a different group from the first. Before, if an application
+     passed keys that belonged to different group, the first key's data was
+     interpreted according to the second group, which could lead to either
+     an error or a meaningless output from mbedtls_ecdh_get_params. In the
+     latter case, this could expose at most 5 bits of the private key.
+
+Bugfix
+   * Server's RSA certificate in certs.c was SHA-1 signed. In the default
+     mbedTLS configuration only SHA-2 signed certificates are accepted.
+     This certificate is used in the demo server programs, which lead the
+     client programs to fail at the peer's certificate verification
+     due to an unacceptable hash signature. The certificate has been
+     updated to one that is SHA-256 signed. Fix contributed by
+     Illya Gerasymchuk.
+   * Fix private key DER output in the key_app_writer example. File contents
+     were shifted by one byte, creating an invalid ASN.1 tag. Fixed by
+     Christian Walther in #2239.
+   * Fix potential memory leak in X.509 self test. Found and fixed by
+     Junhwan Park, #2106.
+   * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
+     used with negative inputs. Found by Guido Vranken in #2404. Credit to
+     OSS-Fuzz.
+   * Fix bugs in the AEAD test suite which would be exposed by ciphers which
+     either used both encrypt and decrypt key schedules, or which perform padding.
+     GCM and CCM were not affected. Fixed by Jack Lloyd.
+   * Fix incorrect default port number in ssl_mail_client example's usage.
+     Found and fixed by irwir. #2337
+   * Add missing parentheses around parameters in the definition of the
+     public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation
+     in case operators binding less strongly than subtraction were used
+     for the parameter.
+   * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
+     sni entry parameter. Reported by inestlerode in #560.
+   * Fix missing bounds checks in X.509 parsing functions that could
+     lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
+   * Fix multiple X.509 functions previously returning ASN.1 low-level error
+     codes to always wrap these codes into X.509 high level error codes before
+     returning. Fixes #2431.
+
+Changes
+   * Return from various debugging routines immediately if the
+     provided SSL context is unset.
+   * Remove dead code from bignum.c in the default configuration.
+     Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309.
+   * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
+     Contributed by Peter Kolbus (Garmin).
+   * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
+     improve clarity. Fixes #2258.
+   * Improve debug output of ssl_client2 and ssl_server2 in case suitable
+     test CRTs are available because MBEDTLS_PEM_PARSE_C is disabled.
+     Fixes #2254.
+   * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
+
+= mbed TLS 2.7.10 branch released 2019-03-19
+
+Features
+   * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
+     from the default list (enabled by default). See
+     https://sweet32.info/SWEET32_CCS16.pdf.
+
+Bugfix
+   * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined.
+     Raised as a comment in #1996.
+   * Fix returning the value 1 when mbedtls_ecdsa_genkey failed.
+   * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
+   * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion.
+     Fixes #2190.
+   * Ensure that unused bits are zero when writing ASN.1 bitstrings when using
+     mbedtls_asn1_write_bitstring().
+   * Fix issue when writing the named bitstrings in KeyUsage and NsCertType
+     extensions in CSRs and CRTs that caused these bitstrings to not be encoded
+     correctly as trailing zeroes were not accounted for as unused bits in the
+     leading content octet. Fixes #1610.
+
+Changes
+   * Include configuration file in all header files that use configuration,
+     instead of relying on other header files that they include.
+     Inserted as an enhancement for #1371
+   * Add support for alternative CSR headers, as used by Microsoft and defined
+     in RFC 7468. Found by Michael Ernst. Fixes #767.
+   * Fix clobber list in MIPS assembly for large integer multiplication.
+     Previously, this could lead to functionally incorrect assembly being
+     produced by some optimizing compilers, showing up as failures in
+     e.g. RSA or ECC signature operations. Reported in #1722, fix suggested
+     by Aurelien Jarno and submitted by Jeffrey Martin.
+   * Reduce the complexity of the timing tests. They were assuming more than the
+     underlying OS actually guarantees.
+   * Ciphersuites based on 3DES now have the lowest priority by default when
+     they are enabled.
+
 = mbed TLS 2.7.9 branch released 2018-12-21
 
 Bugfix
diff --git a/3rdparty/mbedtls/mbedtls/Makefile b/3rdparty/mbedtls/mbedtls/Makefile
index a0fcb2bc56..6014597a97 100644
--- a/3rdparty/mbedtls/mbedtls/Makefile
+++ b/3rdparty/mbedtls/mbedtls/Makefile
@@ -108,3 +108,12 @@ apidoc:
 apidoc_clean:
 	rm -rf apidoc
 endif
+
+## Editor navigation files
+C_SOURCE_FILES = $(wildcard include/*/*.h library/*.[hc] programs/*/*.[hc] tests/suites/*.function)
+tags: $(C_SOURCE_FILES)
+	ctags -o $@ $(C_SOURCE_FILES)
+TAGS: $(C_SOURCE_FILES)
+	etags -o $@ $(C_SOURCE_FILES)
+GPATH GRTAGS GSYMS GTAGS: $(C_SOURCE_FILES)
+	ls $(C_SOURCE_FILES) | gtags -f - --gtagsconf .globalrc
diff --git a/3rdparty/mbedtls/mbedtls/circle.yml b/3rdparty/mbedtls/mbedtls/circle.yml
deleted file mode 100644
index eaed02a815..0000000000
--- a/3rdparty/mbedtls/mbedtls/circle.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-# Purpose:
-# - To test and prove that a new commit in  the mbed TLS repository builds
-# and integrates with mbed-os properly.
-#           AND
-# - To test and prove that the current development head of mbed TLS builds
-# and integrates with the current mbed-os master branch.
-#
-# The script fetches all the prerequisites and builds the mbed TLS 'tls-client'
-# example. This script is triggered by every commit and once each night and the
-# exact behaviour depends on how it was triggered:
-# - If it is a nightly build then it builds the mbed TLS development head with
-#   mbed-os master.
-# - If it was triggered by the commit, then it builds the example with mbed TLS
-#   at that commit and mbed-os at the commit pointed by mbed-os.lib in the
-#   example repository.
-
-test:
-    override:
-        - cd ../mbed-os-example-tls/tls-client/ && mbed compile -m K64F -t GCC_ARM -c
-
-dependencies:
-    pre:
-        # Install gcc-arm
-        - cd .. && wget "https://launchpad.net/gcc-arm-embedded/4.9/4.9-2015-q3-update/+download/gcc-arm-none-eabi-4_9-2015q3-20150921-linux.tar.bz2"
-        - cd .. && tar -xvjf gcc-arm-none-eabi-4_9-2015q3-20150921-linux.tar.bz2
-        - ln -s ../gcc-arm-none-eabi-4_9-2015q3/bin/* ../bin/
-        # Install mbed-cli
-        - cd ../ && git clone https://github.com/ARMmbed/mbed-cli.git
-        - cd ../mbed-cli && sudo -H pip install -e .
-        # Get the sample application
-        - cd ../ && git clone git@github.com:ARMmbed/mbed-os-example-tls.git
-        # Get mbed-os
-        - cd ../mbed-os-example-tls/tls-client && mbed deploy
-        # Update mbed-os to master only if it is a nightly build
-        - >
-            if [ -n "${RUN_NIGHTLY_BUILD}" ]; then
-                cd ../mbed-os-example-tls/tls-client/mbed-os/ && mbed update master;
-            fi
-        # Import mbedtls current revision
-        - ln -s ../../../../../../../mbedtls/ ../mbed-os-example-tls/tls-client/mbed-os/features/mbedtls/importer/TARGET_IGNORE/mbedtls
-        - cd ../mbed-os-example-tls/tls-client/mbed-os/features/mbedtls/importer/ && make
-    override:
-        # Install the missing python packages
-        - cd ../mbed-os-example-tls/tls-client/mbed-os/ && sudo -H pip install -r requirements.txt
diff --git a/3rdparty/mbedtls/mbedtls/doxygen/input/doc_mainpage.h b/3rdparty/mbedtls/mbedtls/doxygen/input/doc_mainpage.h
index 0038615fef..bb5987137c 100644
--- a/3rdparty/mbedtls/mbedtls/doxygen/input/doc_mainpage.h
+++ b/3rdparty/mbedtls/mbedtls/doxygen/input/doc_mainpage.h
@@ -24,7 +24,7 @@
  */
 
 /**
- * @mainpage mbed TLS v2.7.9 source code documentation
+ * @mainpage mbed TLS v2.7.11 source code documentation
  *
  * This documentation describes the internal structure of mbed TLS.  It was
  * automatically generated from specially formatted comment blocks in
diff --git a/3rdparty/mbedtls/mbedtls/doxygen/mbedtls.doxyfile b/3rdparty/mbedtls/mbedtls/doxygen/mbedtls.doxyfile
index 54e446398c..22ae878ee8 100644
--- a/3rdparty/mbedtls/mbedtls/doxygen/mbedtls.doxyfile
+++ b/3rdparty/mbedtls/mbedtls/doxygen/mbedtls.doxyfile
@@ -28,7 +28,7 @@ DOXYFILE_ENCODING      = UTF-8
 # identify the project. Note that if you do not use Doxywizard you need
 # to put quotes around the project name if it contains spaces.
 
-PROJECT_NAME           = "mbed TLS v2.7.9"
+PROJECT_NAME           = "mbed TLS v2.7.11"
 
 # The PROJECT_NUMBER tag can be used to enter a project or revision number.
 # This could be handy for archiving the generated documentation or
diff --git a/3rdparty/mbedtls/mbedtls/include/CMakeLists.txt b/3rdparty/mbedtls/mbedtls/include/CMakeLists.txt
index 1b581a54dd..c2f2bd4e6f 100644
--- a/3rdparty/mbedtls/mbedtls/include/CMakeLists.txt
+++ b/3rdparty/mbedtls/mbedtls/include/CMakeLists.txt
@@ -11,6 +11,6 @@ if(INSTALL_MBEDTLS_HEADERS)
 endif(INSTALL_MBEDTLS_HEADERS)
 
 # Make config.h available in an out-of-source build. ssl-opt.sh requires it.
-if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
+if (ENABLE_TESTING AND NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
     link_to_source(mbedtls)
 endif()
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/aesni.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/aesni.h
index 746baa0e17..7b16b4bad0 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/aesni.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/aesni.h
@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_AESNI_H
 #define MBEDTLS_AESNI_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "aes.h"
 
 #define MBEDTLS_AESNI_AES      0x02000000u
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/asn1write.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/asn1write.h
index f76fc807d0..083601af32 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/asn1write.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/asn1write.h
@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_ASN1_WRITE_H
 #define MBEDTLS_ASN1_WRITE_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "asn1.h"
 
 #define MBEDTLS_ASN1_CHK_ADD(g, f) do { if( ( ret = f ) < 0 ) return( ret ); else   \
@@ -183,24 +189,27 @@ int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
                            const char *text, size_t text_len );
 
 /**
- * \brief           Write a bitstring tag (MBEDTLS_ASN1_BIT_STRING) and
- *                  value in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and
+ *                  value in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param buf       the bitstring
- * \param bits      the total number of bits in the bitstring
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param buf       The bitstring to write.
+ * \param bits      The total number of bits in the bitstring.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
  */
 int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
                           const unsigned char *buf, size_t bits );
 
 /**
- * \brief           Write an octet string tag (MBEDTLS_ASN1_OCTET_STRING) and
- *                  value in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING)
+ *                  and value in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
  *
  * \param p         reference to current position pointer
  * \param start     start of the buffer (for bounds-checking)
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/base64.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/base64.h
index 7a64f52163..10e4145ee6 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/base64.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/base64.h
@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_BASE64_H
 #define MBEDTLS_BASE64_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>
 
 #define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL               -0x002A  /**< Output buffer too small. */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/bn_mul.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/bn_mul.h
index 80e4b380d1..3a254aae9d 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/bn_mul.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/bn_mul.h
@@ -38,6 +38,12 @@
 #ifndef MBEDTLS_BN_MUL_H
 #define MBEDTLS_BN_MUL_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "bignum.h"
 
 #if defined(MBEDTLS_HAVE_ASM)
@@ -734,7 +740,7 @@
         "sw     $10, %2         \n\t"   \
         : "=m" (c), "=m" (d), "=m" (s)                      \
         : "m" (s), "m" (d), "m" (c), "m" (b)                \
-        : "$9", "$10", "$11", "$12", "$13", "$14", "$15"    \
+        : "$9", "$10", "$11", "$12", "$13", "$14", "$15", "lo", "hi" \
     );
 
 #endif /* MIPS */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ccm.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ccm.h
index 630b7fdf6c..e311e751d5 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ccm.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ccm.h
@@ -34,6 +34,12 @@
 #ifndef MBEDTLS_CCM_H
 #define MBEDTLS_CCM_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "cipher.h"
 
 #define MBEDTLS_ERR_CCM_BAD_INPUT       -0x000D /**< Bad input parameters to the function. */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/certs.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/certs.h
index 8dab7b5ce8..b7c5708f85 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/certs.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/certs.h
@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_CERTS_H
 #define MBEDTLS_CERTS_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>
 
 #ifdef __cplusplus
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/cmac.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/cmac.h
index 24839a20eb..adfe1c3e01 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/cmac.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/cmac.h
@@ -26,6 +26,12 @@
 #ifndef MBEDTLS_CMAC_H
 #define MBEDTLS_CMAC_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "cipher.h"
 
 #ifdef __cplusplus
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/compat-1.3.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/compat-1.3.h
index 600a0f154c..94de845dd8 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/compat-1.3.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/compat-1.3.h
@@ -25,6 +25,12 @@
  *  This file is part of mbed TLS (https://tls.mbed.org)
  */
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #if ! defined(MBEDTLS_DEPRECATED_REMOVED)
 
 #if defined(MBEDTLS_DEPRECATED_WARNING)
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/config.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/config.h
index 50239e1ff5..f3039f937f 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/config.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/config.h
@@ -556,6 +556,26 @@
  */
 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
 
+/**
+ * \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
+ *
+ * Remove 3DES ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on 3DES from the default list as
+ * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible
+ * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
+ * them explicitly.
+ *
+ * A man-in-the-browser attacker can recover authentication tokens sent through
+ * a TLS connection using a 3DES based cipher suite (see "On the Practical
+ * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
+ * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
+ * in your threat model or you are unsure, then you should keep this option
+ * enabled to remove 3DES based cipher suites.
+ *
+ * Comment this macro to keep 3DES in the default ciphersuite list.
+ */
+#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
+
 /**
  * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
  *
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ctr_drbg.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ctr_drbg.h
index 2b4dc73d3f..5a32843152 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ctr_drbg.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ctr_drbg.h
@@ -28,6 +28,12 @@
 #ifndef MBEDTLS_CTR_DRBG_H
 #define MBEDTLS_CTR_DRBG_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "aes.h"
 
 #if defined(MBEDTLS_THREADING_C)
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecdh.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecdh.h
index 99cfde00d0..d16bad2d8e 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecdh.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecdh.h
@@ -33,6 +33,12 @@
 #ifndef MBEDTLS_ECDH_H
 #define MBEDTLS_ECDH_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "ecp.h"
 
 #ifdef __cplusplus
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecdsa.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecdsa.h
index ff6efbc3ff..cfd1370120 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecdsa.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecdsa.h
@@ -31,6 +31,12 @@
 #ifndef MBEDTLS_ECDSA_H
 #define MBEDTLS_ECDSA_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "ecp.h"
 #include "md.h"
 
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecjpake.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecjpake.h
index d86e8207f1..8d09bf2293 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecjpake.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecjpake.h
@@ -40,6 +40,11 @@
  * The payloads are serialized in a way suitable for use in TLS, but could
  * also be use outside TLS.
  */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
 
 #include "ecp.h"
 #include "md.h"
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecp.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecp.h
index 7b8ffff44e..6c43c00693 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecp.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecp.h
@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_ECP_H
 #define MBEDTLS_ECP_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "bignum.h"
 
 /*
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecp_internal.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecp_internal.h
index 18040697ad..7625ed48e1 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecp_internal.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecp_internal.h
@@ -61,6 +61,12 @@
 #ifndef MBEDTLS_ECP_INTERNAL_H
 #define MBEDTLS_ECP_INTERNAL_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #if defined(MBEDTLS_ECP_INTERNAL_ALT)
 
 /**
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/error.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/error.h
index 8b4d3a8755..ef22bc6842 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/error.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/error.h
@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_ERROR_H
 #define MBEDTLS_ERROR_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>
 
 /**
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/gcm.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/gcm.h
index 00ed42190c..bd258aae54 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/gcm.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/gcm.h
@@ -31,6 +31,12 @@
 #ifndef MBEDTLS_GCM_H
 #define MBEDTLS_GCM_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "cipher.h"
 
 #include <stdint.h>
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/havege.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/havege.h
index d4cb3ed38d..e6bf6fae8e 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/havege.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/havege.h
@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_HAVEGE_H
 #define MBEDTLS_HAVEGE_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>
 
 #define MBEDTLS_HAVEGE_COLLECT_SIZE 1024
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/hmac_drbg.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/hmac_drbg.h
index dd31fc8fdd..f58b1e31d8 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/hmac_drbg.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/hmac_drbg.h
@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_HMAC_DRBG_H
 #define MBEDTLS_HMAC_DRBG_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "md.h"
 
 #if defined(MBEDTLS_THREADING_C)
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/net.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/net.h
index 6c13b53fb9..8cead58e5d 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/net.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/net.h
@@ -23,6 +23,11 @@
  *
  *  This file is part of mbed TLS (https://tls.mbed.org)
  */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
 
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
 #include "net_sockets.h"
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/padlock.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/padlock.h
index 677936ebf8..918e6195ad 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/padlock.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/padlock.h
@@ -25,6 +25,12 @@
 #ifndef MBEDTLS_PADLOCK_H
 #define MBEDTLS_PADLOCK_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "aes.h"
 
 #define MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED               -0x0030  /**< Input data should be aligned. */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/pem.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/pem.h
index 2cf4c0a709..81918503e9 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/pem.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/pem.h
@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_PEM_H
 #define MBEDTLS_PEM_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>
 
 /**
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/pkcs12.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/pkcs12.h
index 69f04177c8..d441357b7f 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/pkcs12.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/pkcs12.h
@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_PKCS12_H
 #define MBEDTLS_PKCS12_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "md.h"
 #include "cipher.h"
 #include "asn1.h"
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/pkcs5.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/pkcs5.h
index d4bb36dfae..f201250046 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/pkcs5.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/pkcs5.h
@@ -26,6 +26,12 @@
 #ifndef MBEDTLS_PKCS5_H
 #define MBEDTLS_PKCS5_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "asn1.h"
 #include "md.h"
 
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl.h
index 5593a5282a..5fd6969da9 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl.h
@@ -2106,12 +2106,27 @@ void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
 
 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
 /**
- * \brief          Set the maximum fragment length to emit and/or negotiate
- *                 (Default: MBEDTLS_SSL_MAX_CONTENT_LEN, usually 2^14 bytes)
+ * \brief          Set the maximum fragment length to emit and/or negotiate.
+ *                 (Typical: #MBEDTLS_SSL_MAX_CONTENT_LEN, by default that is
+ *                 set to `2^14` bytes)
  *                 (Server: set maximum fragment length to emit,
- *                 usually negotiated by the client during handshake
+ *                 usually negotiated by the client during handshake)
  *                 (Client: set maximum fragment length to emit *and*
  *                 negotiate with the server during handshake)
+ *                 (Default: #MBEDTLS_SSL_MAX_FRAG_LEN_NONE)
+ *
+ * \note           With TLS, this currently only affects ApplicationData (sent
+ *                 with \c mbedtls_ssl_read()), not handshake messages.
+ *                 With DTLS, this affects both ApplicationData and handshake.
+ *
+ * \note           On the client side, the maximum fragment length extension
+ *                 *will not* be used, unless the maximum fragment length has
+ *                 been set via this function to a value different than
+ *                 #MBEDTLS_SSL_MAX_FRAG_LEN_NONE.
+ *
+ * \note           This sets the maximum length for a record's payload,
+ *                 excluding record overhead that will be added to it, see
+ *                 \c mbedtls_ssl_get_record_expansion().
  *
  * \param conf     SSL configuration
  * \param mfl_code Code for maximum fragment length (allowed values:
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_cache.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_cache.h
index ec081e6d24..52ba0948c5 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_cache.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_cache.h
@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_SSL_CACHE_H
 #define MBEDTLS_SSL_CACHE_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "ssl.h"
 
 #if defined(MBEDTLS_THREADING_C)
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_ciphersuites.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_ciphersuites.h
index 1d2aabc372..655d130b7c 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_ciphersuites.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_ciphersuites.h
@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_SSL_CIPHERSUITES_H
 #define MBEDTLS_SSL_CIPHERSUITES_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "pk.h"
 #include "cipher.h"
 #include "md.h"
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_cookie.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_cookie.h
index 80b65bbbb9..6a7ff9c757 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_cookie.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_cookie.h
@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_SSL_COOKIE_H
 #define MBEDTLS_SSL_COOKIE_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "ssl.h"
 
 #if defined(MBEDTLS_THREADING_C)
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_internal.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_internal.h
index 2b5a61637b..168d4a2568 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_internal.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_internal.h
@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_SSL_INTERNAL_H
 #define MBEDTLS_SSL_INTERNAL_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "ssl.h"
 #include "cipher.h"
 
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_ticket.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_ticket.h
index 93ad46ac9c..ff7eccbb8c 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_ticket.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_ticket.h
@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_SSL_TICKET_H
 #define MBEDTLS_SSL_TICKET_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 /*
  * This implementation of the session ticket callbacks includes key
  * management, rotating the keys periodically in order to preserve forward
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/version.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/version.h
index 36feff0d82..79b651387a 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/version.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/version.h
@@ -40,16 +40,16 @@
  */
 #define MBEDTLS_VERSION_MAJOR  2
 #define MBEDTLS_VERSION_MINOR  7
-#define MBEDTLS_VERSION_PATCH  9
+#define MBEDTLS_VERSION_PATCH  11
 
 /**
  * The single version number has the following structure:
  *    MMNNPP00
  *    Major version | Minor version | Patch version
  */
-#define MBEDTLS_VERSION_NUMBER         0x02070900
-#define MBEDTLS_VERSION_STRING         "2.7.9"
-#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.7.9"
+#define MBEDTLS_VERSION_NUMBER         0x02070B00
+#define MBEDTLS_VERSION_STRING         "2.7.11"
+#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.7.11"
 
 #if defined(MBEDTLS_VERSION_C)
 
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/x509_crt.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/x509_crt.h
index 2c3c758e9e..e72231ee8c 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/x509_crt.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/x509_crt.h
@@ -98,7 +98,7 @@ mbedtls_x509_crt;
  * Build flag from an algorithm/curve identifier (pk, md, ecp)
  * Since 0 is always XXX_NONE, ignore it.
  */
-#define MBEDTLS_X509_ID_FLAG( id )   ( 1 << ( id - 1 ) )
+#define MBEDTLS_X509_ID_FLAG( id )   ( 1 << ( ( id ) - 1 ) )
 
 /**
  * Security profile for certificate verification.
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/x509_csr.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/x509_csr.h
index 0c6ccad78d..a3c28048e0 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/x509_csr.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/x509_csr.h
@@ -205,6 +205,14 @@ void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_ty
  * \param key_usage key usage flags to set
  *
  * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ *
+ * \note            The <code>decipherOnly</code> flag from the Key Usage
+ *                  extension is represented by bit 8 (i.e.
+ *                  <code>0x8000</code>), which cannot typically be represented
+ *                  in an unsigned char. Therefore, the flag
+ *                  <code>decipherOnly</code> (i.e.
+ *                  #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this
+ *                  function.
  */
 int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage );
 
diff --git a/3rdparty/mbedtls/mbedtls/library/CMakeLists.txt b/3rdparty/mbedtls/mbedtls/library/CMakeLists.txt
index 59df9589a4..f1c9a59d9a 100644
--- a/3rdparty/mbedtls/mbedtls/library/CMakeLists.txt
+++ b/3rdparty/mbedtls/mbedtls/library/CMakeLists.txt
@@ -91,6 +91,12 @@ if(CMAKE_COMPILER_IS_CLANG)
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code")
 endif(CMAKE_COMPILER_IS_CLANG)
 
+if(UNSAFE_BUILD)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-error")
+    set(CMAKE_C_FLAGS_ASAN "${CMAKE_C_FLAGS_ASAN} -Wno-error")
+    set(CMAKE_C_FLAGS_ASANDBG "${CMAKE_C_FLAGS_ASANDBG} -Wno-error")
+endif(UNSAFE_BUILD)
+
 if(WIN32)
     set(libs ${libs} ws2_32)
 endif(WIN32)
@@ -141,15 +147,15 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
 
 if(USE_SHARED_MBEDTLS_LIBRARY)
     add_library(mbedcrypto SHARED ${src_crypto})
-    set_target_properties(mbedcrypto PROPERTIES VERSION 2.7.9 SOVERSION 2)
+    set_target_properties(mbedcrypto PROPERTIES VERSION 2.7.11 SOVERSION 2)
     target_link_libraries(mbedcrypto ${libs})
 
     add_library(mbedx509 SHARED ${src_x509})
-    set_target_properties(mbedx509 PROPERTIES VERSION 2.7.9 SOVERSION 0)
+    set_target_properties(mbedx509 PROPERTIES VERSION 2.7.11 SOVERSION 0)
     target_link_libraries(mbedx509 ${libs} mbedcrypto)
 
     add_library(mbedtls SHARED ${src_tls})
-    set_target_properties(mbedtls PROPERTIES VERSION 2.7.9 SOVERSION 10)
+    set_target_properties(mbedtls PROPERTIES VERSION 2.7.11 SOVERSION 10)
     target_link_libraries(mbedtls ${libs} mbedx509)
 
     install(TARGETS mbedtls mbedx509 mbedcrypto
diff --git a/3rdparty/mbedtls/mbedtls/library/asn1write.c b/3rdparty/mbedtls/mbedtls/library/asn1write.c
index c13e85e56a..b451887ed3 100644
--- a/3rdparty/mbedtls/mbedtls/library/asn1write.c
+++ b/3rdparty/mbedtls/mbedtls/library/asn1write.c
@@ -294,22 +294,28 @@ int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
                           const unsigned char *buf, size_t bits )
 {
     int ret;
-    size_t len = 0, size;
+    size_t len = 0;
+    size_t unused_bits, byte_len;
 
-    size = ( bits / 8 ) + ( ( bits % 8 ) ? 1 : 0 );
+    byte_len = ( bits + 7 ) / 8;
+    unused_bits = ( byte_len * 8 ) - bits;
 
-    // Calculate byte length
-    //
-    if( *p < start || (size_t)( *p - start ) < size + 1 )
+    if( *p < start || (size_t)( *p - start ) < byte_len + 1 )
         return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
 
-    len = size + 1;
-    (*p) -= size;
-    memcpy( *p, buf, size );
+    len = byte_len + 1;
 
-    // Write unused bits
-    //
-    *--(*p) = (unsigned char) (size * 8 - bits);
+    /* Write the bitstring. Ensure the unused bits are zeroed */
+    if( byte_len > 0 )
+    {
+        byte_len--;
+        *--( *p ) = buf[byte_len] & ~( ( 0x1 << unused_bits ) - 1 );
+        ( *p ) -= byte_len;
+        memcpy( *p, buf, byte_len );
+    }
+
+    /* Write unused bits */
+    *--( *p ) = (unsigned char)unused_bits;
 
     MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
     MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BIT_STRING ) );
diff --git a/3rdparty/mbedtls/mbedtls/library/bignum.c b/3rdparty/mbedtls/mbedtls/library/bignum.c
index 18daea2589..d142fe69b8 100644
--- a/3rdparty/mbedtls/mbedtls/library/bignum.c
+++ b/3rdparty/mbedtls/mbedtls/library/bignum.c
@@ -500,26 +500,38 @@ int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s )
 }
 
 /*
- * Helper to write the digits high-order first
+ * Helper to write the digits high-order first.
  */
-static int mpi_write_hlp( mbedtls_mpi *X, int radix, char **p )
+static int mpi_write_hlp( mbedtls_mpi *X, int radix,
+                          char **p, const size_t buflen )
 {
     int ret;
     mbedtls_mpi_uint r;
+    size_t length = 0;
+    char *p_end = *p + buflen;
 
-    if( radix < 2 || radix > 16 )
-        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+    do
+    {
+        if( length >= buflen )
+        {
+            return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
+        }
 
-    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) );
-    MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) );
+        /*
+         * Write the residue in the current position, as an ASCII character.
+         */
+        if( r < 0xA )
+            *(--p_end) = (char)( '0' + r );
+        else
+            *(--p_end) = (char)( 'A' + ( r - 0xA ) );
 
-    if( mbedtls_mpi_cmp_int( X, 0 ) != 0 )
-        MBEDTLS_MPI_CHK( mpi_write_hlp( X, radix, p ) );
+        length++;
+    } while( mbedtls_mpi_cmp_int( X, 0 ) != 0 );
 
-    if( r < 10 )
-        *(*p)++ = (char)( r + 0x30 );
-    else
-        *(*p)++ = (char)( r + 0x37 );
+    memmove( *p, p_end, length );
+    *p += length;
 
 cleanup:
 
@@ -540,15 +552,20 @@ int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
     if( radix < 2 || radix > 16 )
         return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
 
-    n = mbedtls_mpi_bitlen( X );
-    if( radix >=  4 ) n >>= 1;
-    if( radix >= 16 ) n >>= 1;
-    /*
-     * Round up the buffer length to an even value to ensure that there is
-     * enough room for hexadecimal values that can be represented in an odd
-     * number of digits.
-     */
-    n += 3 + ( ( n + 1 ) & 1 );
+    n = mbedtls_mpi_bitlen( X ); /* Number of bits necessary to present `n`. */
+    if( radix >=  4 ) n >>= 1;   /* Number of 4-adic digits necessary to present
+                                  * `n`. If radix > 4, this might be a strict
+                                  * overapproximation of the number of
+                                  * radix-adic digits needed to present `n`. */
+    if( radix >= 16 ) n >>= 1;   /* Number of hexadecimal digits necessary to
+                                  * present `n`. */
+
+    n += 1; /* Terminating null byte */
+    n += 1; /* Compensate for the divisions above, which round down `n`
+             * in case it's not even. */
+    n += 1; /* Potential '-'-sign. */
+    n += ( n & 1 ); /* Make n even to have enough space for hexadecimal writing,
+                     * which always uses an even number of hex-digits. */
 
     if( buflen < n )
     {
@@ -560,7 +577,10 @@ int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
     mbedtls_mpi_init( &T );
 
     if( X->s == -1 )
+    {
         *p++ = '-';
+        buflen--;
+    }
 
     if( radix == 16 )
     {
@@ -589,7 +609,7 @@ int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
         if( T.s == -1 )
             T.s = 1;
 
-        MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p ) );
+        MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p, buflen ) );
     }
 
     *p++ = '\0';
@@ -1667,8 +1687,10 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
     wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
             ( i >  79 ) ? 4 : ( i >  23 ) ? 3 : 1;
 
+#if( MBEDTLS_MPI_WINDOW_SIZE < 6 )
     if( wsize > MBEDTLS_MPI_WINDOW_SIZE )
         wsize = MBEDTLS_MPI_WINDOW_SIZE;
+#endif
 
     j = N->n + 1;
     MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
diff --git a/3rdparty/mbedtls/mbedtls/library/certs.c b/3rdparty/mbedtls/mbedtls/library/certs.c
index f1379b8cb1..2c6fbdfedb 100644
--- a/3rdparty/mbedtls/mbedtls/library/certs.c
+++ b/3rdparty/mbedtls/mbedtls/library/certs.c
@@ -116,7 +116,6 @@ const size_t mbedtls_test_cli_key_ec_len = sizeof( mbedtls_test_cli_key_ec );
 #endif /* MBEDTLS_ECDSA_C */
 
 #if defined(MBEDTLS_RSA_C)
-
 #if defined(MBEDTLS_SHA256_C)
 #define TEST_CA_CRT_RSA_SHA256                                          \
 "-----BEGIN CERTIFICATE-----\r\n"                                       \
@@ -141,13 +140,11 @@ const size_t mbedtls_test_cli_key_ec_len = sizeof( mbedtls_test_cli_key_ec );
 "n20NRVA1Vjs6GAROr4NqW4k/+LofY9y0LLDE+p0oIEKXIsIvhPr39swxSA==\r\n"      \
 "-----END CERTIFICATE-----\r\n"
 
+static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
 const char   mbedtls_test_ca_crt_rsa[]   = TEST_CA_CRT_RSA_SHA256;
 const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
 #define TEST_CA_CRT_RSA_SOME
-
-static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
-
-#endif
+#endif /* MBEDTLS_SHA256_C */
 
 #if !defined(TEST_CA_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
 #define TEST_CA_CRT_RSA_SHA1                                            \
@@ -173,14 +170,72 @@ static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
 "7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n"      \
 "-----END CERTIFICATE-----\r\n"
 
+static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
+
 #if !defined (TEST_CA_CRT_RSA_SOME)
 const char   mbedtls_test_ca_crt_rsa[]   = TEST_CA_CRT_RSA_SHA1;
 const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
-#endif
+#endif /* !TEST_CA_CRT_RSA_SOME */
+#endif /* !TEST_CA_CRT_RSA_COME || MBEDTLS_SHA1_C */
 
-static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
+#if defined(MBEDTLS_SHA256_C)
+/* tests/data_files/server2-sha256.crt */
+#define TEST_SRV_CRT_RSA_SHA256                                          \
+"-----BEGIN CERTIFICATE-----\r\n"                                        \
+"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n"   \
+"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"   \
+"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"   \
+"A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n"   \
+"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n"   \
+"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n"   \
+"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n"   \
+"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n"   \
+"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n"   \
+"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n"   \
+"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n"   \
+"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAGGEshT5\r\n"   \
+"kvnRmLVScVeUEdwIrvW7ezbGbUvJ8VxeJ79/HSjlLiGbMc4uUathwtzEdi9R/4C5\r\n"   \
+"DXBNeEPTkbB+fhG1W06iHYj/Dp8+aaG7fuDxKVKHVZSqBnmQLn73ymyclZNHii5A\r\n"   \
+"3nTS8WUaHAzxN/rajOtoM7aH1P9tULpHrl+7HOeLMpxUnwI12ZqZaLIzxbcdJVcr\r\n"   \
+"ra2F00aXCGkYVLvyvbZIq7LC+yVysej5gCeQYD7VFOEks0jhFjrS06gP0/XnWv6v\r\n"   \
+"eBoPez9d+CCjkrhseiWzXOiriIMICX48EloO/DrsMRAtvlwq7EDz4QhILz6ffndm\r\n"   \
+"e4K1cVANRPN2o9Y=\r\n"                                                   \
+"-----END CERTIFICATE-----\r\n"
 
-#endif
+const char mbedtls_test_srv_crt_rsa[]     =  TEST_SRV_CRT_RSA_SHA256;
+const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
+#define TEST_SRV_CRT_RSA_SOME
+#endif /* MBEDTLS_SHA256_C */
+
+#if !defined(TEST_SRV_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
+/* tests/data_files/server2.crt */
+#define TEST_SRV_CRT_RSA_SHA1                                          \
+"-----BEGIN CERTIFICATE-----\r\n"                                      \
+"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+"A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
+"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
+"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
+"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
+"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
+"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
+"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
+"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
+"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJxnXClY\r\n" \
+"oHkbp70cqBrsGXLybA74czbO5RdLEgFs7rHVS9r+c293luS/KdliLScZqAzYVylw\r\n" \
+"UfRWvKMoWhHYKp3dEIS4xTXk6/5zXxhv9Rw8SGc8qn6vITHk1S1mPevtekgasY5Y\r\n" \
+"iWQuM3h4YVlRH3HHEMAD1TnAexfXHHDFQGe+Bd1iAbz1/sH9H8l4StwX6egvTK3M\r\n" \
+"wXRwkKkvjKaEDA9ATbZx0mI8LGsxSuCqe9r9dyjmttd47J1p1Rulz3CLzaRcVIuS\r\n" \
+"RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8\r\n" \
+"zhuYwjVuX6JHG0c=\r\n"                                                 \
+"-----END CERTIFICATE-----\r\n";
+
+#if !defined(TEST_SRV_CRT_RSA_SOME)
+const char mbedtls_test_srv_crt_rsa[]     =  TEST_SRV_CRT_RSA_SHA1;
+const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
+#endif /* TEST_SRV_CRT_RSA_SOME */
+#endif /* !TEST_CA_CRT_RSA_SOME || MBEDTLS_SHA1_C */
 
 const char mbedtls_test_ca_key_rsa[] =
 "-----BEGIN RSA PRIVATE KEY-----\r\n"
@@ -218,29 +273,6 @@ const size_t mbedtls_test_ca_key_rsa_len = sizeof( mbedtls_test_ca_key_rsa );
 const char mbedtls_test_ca_pwd_rsa[] = "PolarSSLTest";
 const size_t mbedtls_test_ca_pwd_rsa_len = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
 
-const char mbedtls_test_srv_crt_rsa[] =
-"-----BEGIN CERTIFICATE-----\r\n"
-"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"
-"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
-"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"
-"A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n"
-"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n"
-"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n"
-"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n"
-"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n"
-"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n"
-"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n"
-"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n"
-"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJxnXClY\r\n"
-"oHkbp70cqBrsGXLybA74czbO5RdLEgFs7rHVS9r+c293luS/KdliLScZqAzYVylw\r\n"
-"UfRWvKMoWhHYKp3dEIS4xTXk6/5zXxhv9Rw8SGc8qn6vITHk1S1mPevtekgasY5Y\r\n"
-"iWQuM3h4YVlRH3HHEMAD1TnAexfXHHDFQGe+Bd1iAbz1/sH9H8l4StwX6egvTK3M\r\n"
-"wXRwkKkvjKaEDA9ATbZx0mI8LGsxSuCqe9r9dyjmttd47J1p1Rulz3CLzaRcVIuS\r\n"
-"RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8\r\n"
-"zhuYwjVuX6JHG0c=\r\n"
-"-----END CERTIFICATE-----\r\n";
-const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
-
 const char mbedtls_test_srv_key_rsa[] =
 "-----BEGIN RSA PRIVATE KEY-----\r\n"
 "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n"
diff --git a/3rdparty/mbedtls/mbedtls/library/debug.c b/3rdparty/mbedtls/mbedtls/library/debug.c
index db3924ac54..30c8c7bb81 100644
--- a/3rdparty/mbedtls/mbedtls/library/debug.c
+++ b/3rdparty/mbedtls/mbedtls/library/debug.c
@@ -86,8 +86,13 @@ void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level,
     char str[DEBUG_BUF_SIZE];
     int ret;
 
-    if( NULL == ssl || NULL == ssl->conf || NULL == ssl->conf->f_dbg || level > debug_threshold )
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        level > debug_threshold )
+    {
         return;
+    }
 
     va_start( argp, format );
 #if defined(_WIN32)
@@ -121,8 +126,13 @@ void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level,
 {
     char str[DEBUG_BUF_SIZE];
 
-    if( ssl->conf == NULL || ssl->conf->f_dbg == NULL || level > debug_threshold )
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        level > debug_threshold )
+    {
         return;
+    }
 
     /*
      * With non-blocking I/O and examples that just retry immediately,
@@ -146,8 +156,13 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level,
     char txt[17];
     size_t i, idx = 0;
 
-    if( ssl->conf == NULL || ssl->conf->f_dbg == NULL || level > debug_threshold )
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        level > debug_threshold )
+    {
         return;
+    }
 
     mbedtls_snprintf( str + idx, sizeof( str ) - idx, "dumping '%s' (%u bytes)\n",
               text, (unsigned int) len );
@@ -199,8 +214,13 @@ void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level,
 {
     char str[DEBUG_BUF_SIZE];
 
-    if( ssl->conf == NULL || ssl->conf->f_dbg == NULL || level > debug_threshold )
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        level > debug_threshold )
+    {
         return;
+    }
 
     mbedtls_snprintf( str, sizeof( str ), "%s(X)", text );
     mbedtls_debug_print_mpi( ssl, level, file, line, str, &X->X );
@@ -219,8 +239,14 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
     int j, k, zeros = 1;
     size_t i, n, idx = 0;
 
-    if( ssl->conf == NULL || ssl->conf->f_dbg == NULL || X == NULL || level > debug_threshold )
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        NULL == X                ||
+        level > debug_threshold )
+    {
         return;
+    }
 
     for( n = X->n - 1; n > 0; n-- )
         if( X->p[n] != 0 )
@@ -345,8 +371,14 @@ void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
     char str[DEBUG_BUF_SIZE];
     int i = 0;
 
-    if( ssl->conf == NULL || ssl->conf->f_dbg == NULL || crt == NULL || level > debug_threshold )
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        NULL == crt              ||
+        level > debug_threshold )
+    {
         return;
+    }
 
     while( crt != NULL )
     {
diff --git a/3rdparty/mbedtls/mbedtls/library/ecdh.c b/3rdparty/mbedtls/mbedtls/library/ecdh.c
index 61380b6936..75630bd356 100644
--- a/3rdparty/mbedtls/mbedtls/library/ecdh.c
+++ b/3rdparty/mbedtls/mbedtls/library/ecdh.c
@@ -179,8 +179,20 @@ int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx, const mbedtls_ecp_keypai
 {
     int ret;
 
-    if( ( ret = mbedtls_ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 )
-        return( ret );
+    if( ctx->grp.id == MBEDTLS_ECP_DP_NONE )
+    {
+        /* This is the first call to get_params(). Copy the group information
+         * into the context. */
+        if( ( ret = mbedtls_ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 )
+            return( ret );
+    }
+    else
+    {
+        /* This is not the first call to get_params(). Check that the group
+         * is the same as the first time. */
+        if( ctx->grp.id != key->grp.id )
+            return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
 
     /* If it's not our key, just import the public part as Qp */
     if( side == MBEDTLS_ECDH_THEIRS )
diff --git a/3rdparty/mbedtls/mbedtls/library/ecdsa.c b/3rdparty/mbedtls/mbedtls/library/ecdsa.c
index 17a88bdd29..ab75620b37 100644
--- a/3rdparty/mbedtls/mbedtls/library/ecdsa.c
+++ b/3rdparty/mbedtls/mbedtls/library/ecdsa.c
@@ -420,8 +420,13 @@ int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
 int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
 {
-    return( mbedtls_ecp_group_load( &ctx->grp, gid ) ||
-            mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) );
+    int ret = 0;
+    ret = mbedtls_ecp_group_load( &ctx->grp, gid );
+    if( ret != 0 )
+        return( ret );
+
+   return( mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d,
+                                    &ctx->Q, f_rng, p_rng ) );
 }
 #endif /* MBEDTLS_ECDSA_GENKEY_ALT */
 
diff --git a/3rdparty/mbedtls/mbedtls/library/ssl_ciphersuites.c b/3rdparty/mbedtls/mbedtls/library/ssl_ciphersuites.c
index 800b5f84d8..01d1c458a2 100644
--- a/3rdparty/mbedtls/mbedtls/library/ssl_ciphersuites.c
+++ b/3rdparty/mbedtls/mbedtls/library/ssl_ciphersuites.c
@@ -43,11 +43,11 @@
 /*
  * Ordered from most preferred to least preferred in terms of security.
  *
- * Current rule (except rc4, weak and null which come last):
+ * Current rule (except RC4 and 3DES, weak and null which come last):
  * 1. By key exchange:
  *    Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK
  * 2. By key length and cipher:
- *    AES-256 > Camellia-256 > AES-128 > Camellia-128 > 3DES
+ *    AES-256 > Camellia-256 > AES-128 > Camellia-128
  * 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8
  * 4. By hash function used when relevant
  * 5. By key exchange/auth again: EC > non-EC
@@ -105,11 +105,6 @@ static const int ciphersuite_preference[] =
     MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
     MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
 
-    /* All remaining >= 128-bit ephemeral suites */
-    MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
-    MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-    MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-
     /* The PSK ephemeral suites */
     MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
     MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM,
@@ -133,9 +128,6 @@ static const int ciphersuite_preference[] =
     MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
     MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8,
 
-    MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
-    MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
-
     /* The ECJPAKE suite */
     MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8,
 
@@ -183,11 +175,6 @@ static const int ciphersuite_preference[] =
     MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
     MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
 
-    /* All remaining >= 128-bit suites */
-    MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-    MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
-    MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
-
     /* The RSA PSK suites */
     MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
     MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
@@ -201,8 +188,6 @@ static const int ciphersuite_preference[] =
     MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,
     MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
 
-    MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
-
     /* The PSK suites */
     MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384,
     MBEDTLS_TLS_PSK_WITH_AES_256_CCM,
@@ -220,6 +205,16 @@ static const int ciphersuite_preference[] =
     MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
     MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8,
 
+    /* 3DES suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
     MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
 
     /* RC4 suites */
@@ -1704,6 +1699,26 @@ const int *mbedtls_ssl_list_ciphersuites( void )
 static int supported_ciphersuites[MAX_CIPHERSUITES];
 static int supported_init = 0;
 
+static int ciphersuite_is_removed( const mbedtls_ssl_ciphersuite_t *cs_info )
+{
+    (void)cs_info;
+
+#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
+    if( cs_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
+        return( 1 );
+#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
+
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+    if( cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_ECB ||
+        cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_CBC )
+    {
+        return( 1 );
+    }
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
+
+    return( 0 );
+}
+
 const int *mbedtls_ssl_list_ciphersuites( void )
 {
     /*
@@ -1719,14 +1734,12 @@ const int *mbedtls_ssl_list_ciphersuites( void )
              *p != 0 && q < supported_ciphersuites + MAX_CIPHERSUITES - 1;
              p++ )
         {
-#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
             const mbedtls_ssl_ciphersuite_t *cs_info;
             if( ( cs_info = mbedtls_ssl_ciphersuite_from_id( *p ) ) != NULL &&
-                cs_info->cipher != MBEDTLS_CIPHER_ARC4_128 )
-#else
-            if( mbedtls_ssl_ciphersuite_from_id( *p ) != NULL )
-#endif
+                !ciphersuite_is_removed( cs_info ) )
+            {
                 *(q++) = *p;
+            }
         }
         *q = 0;
 
diff --git a/3rdparty/mbedtls/mbedtls/library/ssl_tls.c b/3rdparty/mbedtls/mbedtls/library/ssl_tls.c
index 6956b5f31b..1270ee9b85 100644
--- a/3rdparty/mbedtls/mbedtls/library/ssl_tls.c
+++ b/3rdparty/mbedtls/mbedtls/library/ssl_tls.c
@@ -3702,81 +3702,23 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
     }
 
-    /* Check length against bounds of the current transform and version */
-    if( ssl->transform_in == NULL )
-    {
-        if( ssl->in_msglen < 1 ||
-            ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
-            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
-        }
-    }
-    else
-    {
-        if( ssl->in_msglen < ssl->transform_in->minlen )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
-            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
-        }
-
-#if defined(MBEDTLS_SSL_PROTO_SSL3)
-        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
-            ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
-            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
-        }
-#endif
-#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
-    defined(MBEDTLS_SSL_PROTO_TLS1_2)
-        /*
-         * TLS encrypted messages can have up to 256 bytes of padding
-         */
-        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
-            ssl->in_msglen > ssl->transform_in->minlen +
-                             MBEDTLS_SSL_MAX_CONTENT_LEN + 256 )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
-            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
-        }
-#endif
-    }
-
     /*
-     * DTLS-related tests done last, because most of them may result in
-     * silently dropping the record (but not the whole datagram), and we only
-     * want to consider that after ensuring that the "basic" fields (type,
-     * version, length) are sane.
+     * DTLS-related tests.
+     * Check epoch before checking length constraint because
+     * the latter varies with the epoch. E.g., if a ChangeCipherSpec
+     * message gets duplicated before the corresponding Finished message,
+     * the second ChangeCipherSpec should be discarded because it belongs
+     * to an old epoch, but not because its length is shorter than
+     * the minimum record length for packets using the new record transform.
+     * Note that these two kinds of failures are handled differently,
+     * as an unexpected record is silently skipped but an invalid
+     * record leads to the entire datagram being dropped.
      */
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
     {
         unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
 
-        /* Drop unexpected ChangeCipherSpec messages */
-        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
-            ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
-            ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) );
-            return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
-        }
-
-        /* Drop unexpected ApplicationData records,
-         * except at the beginning of renegotiations */
-        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
-            ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
-            && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
-                   ssl->state == MBEDTLS_SSL_SERVER_HELLO )
-#endif
-            )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
-            return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
-        }
-
         /* Check epoch (and sequence number) with DTLS */
         if( rec_epoch != ssl->in_epoch )
         {
@@ -3816,9 +3758,74 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
             return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
         }
 #endif
+
+        /* Drop unexpected ChangeCipherSpec messages */
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
+            ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
+            ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) );
+            return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
+        }
+
+        /* Drop unexpected ApplicationData records,
+         * except at the beginning of renegotiations */
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
+            ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+                   ssl->state == MBEDTLS_SSL_SERVER_HELLO )
+#endif
+            )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
+            return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
+        }
     }
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 
+
+    /* Check length against bounds of the current transform and version */
+    if( ssl->transform_in == NULL )
+    {
+        if( ssl->in_msglen < 1 ||
+            ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+    }
+    else
+    {
+        if( ssl->in_msglen < ssl->transform_in->minlen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
+            ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        /*
+         * TLS encrypted messages can have up to 256 bytes of padding
+         */
+        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
+            ssl->in_msglen > ssl->transform_in->minlen +
+                             MBEDTLS_SSL_MAX_CONTENT_LEN + 256 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+#endif
+    }
+
     return( 0 );
 }
 
diff --git a/3rdparty/mbedtls/mbedtls/library/version_features.c b/3rdparty/mbedtls/mbedtls/library/version_features.c
index da47e3d753..d6deb01498 100644
--- a/3rdparty/mbedtls/mbedtls/library/version_features.c
+++ b/3rdparty/mbedtls/mbedtls/library/version_features.c
@@ -270,6 +270,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
     "MBEDTLS_REMOVE_ARC4_CIPHERSUITES",
 #endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+    "MBEDTLS_REMOVE_3DES_CIPHERSUITES",
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
     "MBEDTLS_ECP_DP_SECP192R1_ENABLED",
 #endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
diff --git a/3rdparty/mbedtls/mbedtls/library/x509.c b/3rdparty/mbedtls/mbedtls/library/x509.c
index 264c7fb0c6..59b6ba3bdd 100644
--- a/3rdparty/mbedtls/mbedtls/library/x509.c
+++ b/3rdparty/mbedtls/mbedtls/library/x509.c
@@ -357,6 +357,8 @@ static int x509_get_attr_type_value( unsigned char **p,
             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
         return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
 
+    end = *p + len;
+
     if( ( end - *p ) < 1 )
         return( MBEDTLS_ERR_X509_INVALID_NAME +
                 MBEDTLS_ERR_ASN1_OUT_OF_DATA );
@@ -390,6 +392,12 @@ static int x509_get_attr_type_value( unsigned char **p,
     val->p = *p;
     *p += val->len;
 
+    if( *p != end )
+    {
+        return( MBEDTLS_ERR_X509_INVALID_NAME +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
     cur->next = NULL;
 
     return( 0 );
@@ -696,30 +704,25 @@ int mbedtls_x509_get_sig_alg( const mbedtls_x509_buf *sig_oid, const mbedtls_x50
  * be either manually updated or extensions should be parsed!)
  */
 int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end,
-                  mbedtls_x509_buf *ext, int tag )
+                          mbedtls_x509_buf *ext, int tag )
 {
     int ret;
     size_t len;
 
-    if( *p == end )
-        return( 0 );
-
-    ext->tag = **p;
-
-    if( ( ret = mbedtls_asn1_get_tag( p, end, &ext->len,
-            MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | tag ) ) != 0 )
-        return( ret );
+    /* Extension structure use EXPLICIT tagging. That is, the actual
+     * `Extensions` structure is wrapped by a tag-length pair using
+     * the respective context-specific tag. */
+    ret = mbedtls_asn1_get_tag( p, end, &ext->len,
+              MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | tag );
+    if( ret != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
 
-    ext->p = *p;
-    end = *p + ext->len;
+    ext->tag = MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | tag;
+    ext->p   = *p;
+    end      = *p + ext->len;
 
     /*
      * Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
-     *
-     * Extension  ::=  SEQUENCE  {
-     *      extnID      OBJECT IDENTIFIER,
-     *      critical    BOOLEAN DEFAULT FALSE,
-     *      extnValue   OCTET STRING  }
      */
     if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
@@ -1032,8 +1035,8 @@ int mbedtls_x509_time_is_future( const mbedtls_x509_time *from )
  */
 int mbedtls_x509_self_test( int verbose )
 {
+    int ret = 0;
 #if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA256_C)
-    int ret;
     uint32_t flags;
     mbedtls_x509_crt cacert;
     mbedtls_x509_crt clicert;
@@ -1041,6 +1044,7 @@ int mbedtls_x509_self_test( int verbose )
     if( verbose != 0 )
         mbedtls_printf( "  X.509 certificate load: " );
 
+    mbedtls_x509_crt_init( &cacert );
     mbedtls_x509_crt_init( &clicert );
 
     ret = mbedtls_x509_crt_parse( &clicert, (const unsigned char *) mbedtls_test_cli_crt,
@@ -1050,11 +1054,9 @@ int mbedtls_x509_self_test( int verbose )
         if( verbose != 0 )
             mbedtls_printf( "failed\n" );
 
-        return( ret );
+        goto cleanup;
     }
 
-    mbedtls_x509_crt_init( &cacert );
-
     ret = mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_ca_crt,
                           mbedtls_test_ca_crt_len );
     if( ret != 0 )
@@ -1062,7 +1064,7 @@ int mbedtls_x509_self_test( int verbose )
         if( verbose != 0 )
             mbedtls_printf( "failed\n" );
 
-        return( ret );
+        goto cleanup;
     }
 
     if( verbose != 0 )
@@ -1074,20 +1076,19 @@ int mbedtls_x509_self_test( int verbose )
         if( verbose != 0 )
             mbedtls_printf( "failed\n" );
 
-        return( ret );
+        goto cleanup;
     }
 
     if( verbose != 0 )
         mbedtls_printf( "passed\n\n");
 
+cleanup:
     mbedtls_x509_crt_free( &cacert  );
     mbedtls_x509_crt_free( &clicert );
-
-    return( 0 );
 #else
     ((void) verbose);
-    return( 0 );
 #endif /* MBEDTLS_CERTS_C && MBEDTLS_SHA1_C */
+    return( ret );
 }
 
 #endif /* MBEDTLS_SELF_TEST */
diff --git a/3rdparty/mbedtls/mbedtls/library/x509_crl.c b/3rdparty/mbedtls/mbedtls/library/x509_crl.c
index b0f39d428b..3ceb77091e 100644
--- a/3rdparty/mbedtls/mbedtls/library/x509_crl.c
+++ b/3rdparty/mbedtls/mbedtls/library/x509_crl.c
@@ -107,17 +107,17 @@ static int x509_get_crl_ext( unsigned char **p,
 {
     int ret;
 
+    if( *p == end )
+        return( 0 );
+
     /*
      * crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
      *                              -- if present, version MUST be v2
      */
     if( ( ret = mbedtls_x509_get_ext( p, end, ext, 0 ) ) != 0 )
-    {
-        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
-            return( 0 );
-
         return( ret );
-    }
+
+    end = ext->p + ext->len;
 
     while( *p < end )
     {
diff --git a/3rdparty/mbedtls/mbedtls/library/x509_crt.c b/3rdparty/mbedtls/mbedtls/library/x509_crt.c
index d64d7279a5..3ad53a7156 100644
--- a/3rdparty/mbedtls/mbedtls/library/x509_crt.c
+++ b/3rdparty/mbedtls/mbedtls/library/x509_crt.c
@@ -234,7 +234,7 @@ static int x509_get_version( unsigned char **p,
             return( 0 );
         }
 
-        return( ret );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
     }
 
     end = *p + len;
@@ -301,7 +301,7 @@ static int x509_get_uid( unsigned char **p,
         if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
             return( 0 );
 
-        return( ret );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
     }
 
     uid->p = *p;
@@ -540,14 +540,13 @@ static int x509_get_crt_ext( unsigned char **p,
     size_t len;
     unsigned char *end_ext_data, *end_ext_octet;
 
-    if( ( ret = mbedtls_x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 )
-    {
-        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
-            return( 0 );
+    if( *p == end )
+        return( 0 );
 
+    if( ( ret = mbedtls_x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 )
         return( ret );
-    }
 
+    end = crt->v3_ext.p + crt->v3_ext.len;
     while( *p < end )
     {
         /*
diff --git a/3rdparty/mbedtls/mbedtls/library/x509_csr.c b/3rdparty/mbedtls/mbedtls/library/x509_csr.c
index 779098d4e9..87c179e3d4 100644
--- a/3rdparty/mbedtls/mbedtls/library/x509_csr.c
+++ b/3rdparty/mbedtls/mbedtls/library/x509_csr.c
@@ -283,15 +283,24 @@ int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, siz
     {
         mbedtls_pem_init( &pem );
         ret = mbedtls_pem_read_buffer( &pem,
-                               "-----BEGIN CERTIFICATE REQUEST-----",
-                               "-----END CERTIFICATE REQUEST-----",
-                               buf, NULL, 0, &use_len );
+                                       "-----BEGIN CERTIFICATE REQUEST-----",
+                                       "-----END CERTIFICATE REQUEST-----",
+                                       buf, NULL, 0, &use_len );
+        if( ret == MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        {
+            ret = mbedtls_pem_read_buffer( &pem,
+                                           "-----BEGIN NEW CERTIFICATE REQUEST-----",
+                                           "-----END NEW CERTIFICATE REQUEST-----",
+                                           buf, NULL, 0, &use_len );
+        }
 
         if( ret == 0 )
+        {
             /*
              * Was PEM encoded, parse the result
              */
             ret = mbedtls_x509_csr_parse_der( csr, pem.buf, pem.buflen );
+        }
 
         mbedtls_pem_free( &pem );
         if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
diff --git a/3rdparty/mbedtls/mbedtls/library/x509write_crt.c b/3rdparty/mbedtls/mbedtls/library/x509write_crt.c
index de7bf0c70f..4cdb941a10 100644
--- a/3rdparty/mbedtls/mbedtls/library/x509write_crt.c
+++ b/3rdparty/mbedtls/mbedtls/library/x509write_crt.c
@@ -222,26 +222,51 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *
 }
 #endif /* MBEDTLS_SHA1_C */
 
+static size_t crt_get_unused_bits_for_named_bitstring( unsigned char bitstring,
+                                                       size_t bit_offset )
+{
+    size_t unused_bits;
+
+     /* Count the unused bits removing trailing 0s */
+    for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ )
+        if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 )
+            break;
+
+     return( unused_bits );
+}
+
 int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
                                          unsigned int key_usage )
 {
     unsigned char buf[4], ku;
     unsigned char *c;
     int ret;
-
-    /* We currently only support 7 bits, from 0x80 to 0x02 */
-    if( ( key_usage & ~0xfe ) != 0 )
+    size_t unused_bits;
+    const unsigned int allowed_bits = MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
+        MBEDTLS_X509_KU_NON_REPUDIATION   |
+        MBEDTLS_X509_KU_KEY_ENCIPHERMENT  |
+        MBEDTLS_X509_KU_DATA_ENCIPHERMENT |
+        MBEDTLS_X509_KU_KEY_AGREEMENT     |
+        MBEDTLS_X509_KU_KEY_CERT_SIGN     |
+        MBEDTLS_X509_KU_CRL_SIGN;
+
+    /* Check that nothing other than the allowed flags is set */
+    if( ( key_usage & ~allowed_bits ) != 0 )
         return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
 
     c = buf + 4;
-    ku = (unsigned char) key_usage;
+    ku = (unsigned char)key_usage;
+    unused_bits = crt_get_unused_bits_for_named_bitstring( ku, 1 );
+    ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 8 - unused_bits );
 
-    if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 7 ) ) != 4 )
+    if( ret < 0 )
         return( ret );
+    else if( ret < 3 || ret > 4 )
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
 
     ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
                                        MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
-                                       1, buf, 4 );
+                                       1, c, (size_t)ret );
     if( ret != 0 )
         return( ret );
 
@@ -253,16 +278,22 @@ int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
 {
     unsigned char buf[4];
     unsigned char *c;
+    size_t unused_bits;
     int ret;
 
     c = buf + 4;
 
-    if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 )
+    unused_bits = crt_get_unused_bits_for_named_bitstring( ns_cert_type, 0 );
+    ret = mbedtls_asn1_write_bitstring( &c,
+                                        buf,
+                                        &ns_cert_type,
+                                        8 - unused_bits );
+    if( ret < 3 || ret > 4 )
         return( ret );
 
     ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
                                        MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
-                                       0, buf, 4 );
+                                       0, c, (size_t)ret );
     if( ret != 0 )
         return( ret );
 
@@ -298,10 +329,9 @@ static int x509_write_time( unsigned char **p, unsigned char *start,
     return( (int) len );
 }
 
-int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
-                               unsigned char *buf, size_t size,
-                               int (*f_rng)(void *, unsigned char *, size_t),
-                               void *p_rng )
+int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
 {
     int ret;
     const char *sig_oid;
@@ -309,14 +339,15 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
     unsigned char *c, *c2;
     unsigned char hash[64];
     unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
+    unsigned char tmp_buf[2048];
     size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
     size_t len = 0;
     mbedtls_pk_type_t pk_alg;
 
     /*
-     * Prepare data to be signed at the end of the target buffer
+     * Prepare data to be signed in tmp_buf
      */
-    c = buf + size;
+    c = tmp_buf + sizeof( tmp_buf );
 
     /* Signature algorithm needed in TBS, and later for actual signature */
 
@@ -342,36 +373,27 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
     /* Only for v3 */
     if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 )
     {
-        MBEDTLS_ASN1_CHK_ADD( len,
-                              mbedtls_x509_write_extensions( &c,
-                                                      buf, ctx->extensions ) );
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
-        MBEDTLS_ASN1_CHK_ADD( len,
-                              mbedtls_asn1_write_tag( &c, buf,
-                                                      MBEDTLS_ASN1_CONSTRUCTED |
-                                                      MBEDTLS_ASN1_SEQUENCE ) );
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
-        MBEDTLS_ASN1_CHK_ADD( len,
-                              mbedtls_asn1_write_tag( &c, buf,
-                                               MBEDTLS_ASN1_CONTEXT_SPECIFIC |
-                                               MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                           MBEDTLS_ASN1_SEQUENCE ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+                                                           MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
     }
 
     /*
      *  SubjectPublicKeyInfo
      */
-    MBEDTLS_ASN1_CHK_ADD( pub_len,
-                          mbedtls_pk_write_pubkey_der( ctx->subject_key,
-                                                       buf, c - buf ) );
+    MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->subject_key,
+                                                tmp_buf, c - tmp_buf ) );
     c -= pub_len;
     len += pub_len;
 
     /*
      *  Subject  ::=  Name
      */
-    MBEDTLS_ASN1_CHK_ADD( len,
-                          mbedtls_x509_write_names( &c, buf,
-                                                    ctx->subject ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
 
     /*
      *  Validity ::= SEQUENCE {
@@ -380,39 +402,32 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
      */
     sub_len = 0;
 
-    MBEDTLS_ASN1_CHK_ADD( sub_len,
-                          x509_write_time( &c, buf, ctx->not_after,
-                                        MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
+    MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after,
+                                            MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
 
-    MBEDTLS_ASN1_CHK_ADD( sub_len,
-                          x509_write_time( &c, buf, ctx->not_before,
-                                        MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
+    MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before,
+                                            MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
 
     len += sub_len;
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, sub_len ) );
-    MBEDTLS_ASN1_CHK_ADD( len,
-                          mbedtls_asn1_write_tag( &c, buf,
-                                                  MBEDTLS_ASN1_CONSTRUCTED |
-                                                  MBEDTLS_ASN1_SEQUENCE ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_SEQUENCE ) );
 
     /*
      *  Issuer  ::=  Name
      */
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, buf,
-                                                         ctx->issuer ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->issuer ) );
 
     /*
      *  Signature   ::=  AlgorithmIdentifier
      */
-    MBEDTLS_ASN1_CHK_ADD( len,
-                          mbedtls_asn1_write_algorithm_identifier( &c, buf,
-                                              sig_oid, strlen( sig_oid ), 0 ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, tmp_buf,
+                       sig_oid, strlen( sig_oid ), 0 ) );
 
     /*
      *  Serial   ::=  INTEGER
      */
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, buf,
-                                                       &ctx->serial ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, tmp_buf, &ctx->serial ) );
 
     /*
      *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
@@ -422,67 +437,48 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
     if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 )
     {
         sub_len = 0;
-        MBEDTLS_ASN1_CHK_ADD( sub_len,
-                              mbedtls_asn1_write_int( &c, buf, ctx->version ) );
+        MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
         len += sub_len;
-        MBEDTLS_ASN1_CHK_ADD( len,
-                              mbedtls_asn1_write_len( &c, buf, sub_len ) );
-        MBEDTLS_ASN1_CHK_ADD( len,
-                              mbedtls_asn1_write_tag( &c, buf,
-                                               MBEDTLS_ASN1_CONTEXT_SPECIFIC |
-                                               MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+                                                           MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
     }
 
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
-    MBEDTLS_ASN1_CHK_ADD( len,
-                mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
-                                                     MBEDTLS_ASN1_SEQUENCE ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                       MBEDTLS_ASN1_SEQUENCE ) );
 
     /*
      * Make signature
      */
-
-    /* Compute hash of CRT. */
     if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c,
                             len, hash ) ) != 0 )
     {
         return( ret );
     }
 
-    if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg,
-                                 hash, 0, sig, &sig_len,
-                                 f_rng, p_rng ) ) != 0 )
+    if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len,
+                         f_rng, p_rng ) ) != 0 )
     {
         return( ret );
     }
 
-    /* Move CRT to the front of the buffer to have space
-     * for the signature. */
-    memmove( buf, c, len );
-    c = buf + len;
-
-    /* Add signature at the end of the buffer,
-     * making sure that it doesn't underflow
-     * into the CRT buffer. */
+    /*
+     * Write data to output buffer
+     */
     c2 = buf + size;
-    MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, c,
+    MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
                                         sig_oid, sig_oid_len, sig, sig_len ) );
 
-    /*
-     * Memory layout after this step:
-     *
-     * buf       c=buf+len                c2            buf+size
-     * [CRT0,...,CRTn, UNUSED, ..., UNUSED, SIG0, ..., SIGm]
-     */
+    if( len > (size_t)( c2 - buf ) )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
 
-    /* Move raw CRT to just before the signature. */
-    c = c2 - len;
-    memmove( c, buf, len );
+    c2 -= len;
+    memcpy( c2, c, len );
 
     len += sig_and_oid_len;
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf,
-                                                 MBEDTLS_ASN1_CONSTRUCTED |
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
                                                  MBEDTLS_ASN1_SEQUENCE ) );
 
     return( (int) len );
@@ -492,23 +488,23 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
 #define PEM_END_CRT             "-----END CERTIFICATE-----\n"
 
 #if defined(MBEDTLS_PEM_WRITE_C)
-int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt,
-                               unsigned char *buf, size_t size,
-                               int (*f_rng)(void *, unsigned char *, size_t),
-                               void *p_rng )
+int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
 {
     int ret;
-    size_t olen;
+    unsigned char output_buf[4096];
+    size_t olen = 0;
 
-    if( ( ret = mbedtls_x509write_crt_der( crt, buf, size,
+    if( ( ret = mbedtls_x509write_crt_der( crt, output_buf, sizeof(output_buf),
                                    f_rng, p_rng ) ) < 0 )
     {
         return( ret );
     }
 
     if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CRT, PEM_END_CRT,
-                                          buf + size - ret, ret,
-                                          buf, size, &olen ) ) != 0 )
+                                  output_buf + sizeof(output_buf) - ret,
+                                  ret, buf, size, &olen ) ) != 0 )
     {
         return( ret );
     }
diff --git a/3rdparty/mbedtls/mbedtls/library/x509write_csr.c b/3rdparty/mbedtls/mbedtls/library/x509write_csr.c
index e80053828f..d59354dc4f 100644
--- a/3rdparty/mbedtls/mbedtls/library/x509write_csr.c
+++ b/3rdparty/mbedtls/mbedtls/library/x509write_csr.c
@@ -85,20 +85,39 @@ int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx,
                                0, val, val_len );
 }
 
+static size_t csr_get_unused_bits_for_named_bitstring( unsigned char bitstring,
+                                                       size_t bit_offset )
+{
+    size_t unused_bits;
+
+     /* Count the unused bits removing trailing 0s */
+    for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ )
+        if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 )
+            break;
+
+     return( unused_bits );
+}
+
 int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage )
 {
     unsigned char buf[4];
     unsigned char *c;
+    size_t unused_bits;
     int ret;
 
     c = buf + 4;
 
-    if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 7 ) ) != 4 )
+    unused_bits = csr_get_unused_bits_for_named_bitstring( key_usage, 0 );
+    ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 8 - unused_bits );
+
+    if( ret < 0 )
         return( ret );
+    else if( ret < 3 || ret > 4 )
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
 
     ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
                                        MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
-                                       buf, 4 );
+                                       c, (size_t)ret );
     if( ret != 0 )
         return( ret );
 
@@ -110,16 +129,25 @@ int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
 {
     unsigned char buf[4];
     unsigned char *c;
+    size_t unused_bits;
     int ret;
 
     c = buf + 4;
 
-    if( ( ret = mbedtls_asn1_write_bitstring( &c, buf, &ns_cert_type, 8 ) ) != 4 )
+    unused_bits = csr_get_unused_bits_for_named_bitstring( ns_cert_type, 0 );
+    ret = mbedtls_asn1_write_bitstring( &c,
+                                        buf,
+                                        &ns_cert_type,
+                                        8 - unused_bits );
+
+    if( ret < 0 )
+        return( ret );
+    else if( ret < 3 || ret > 4 )
         return( ret );
 
     ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
                                        MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
-                                       buf, 4 );
+                                       c, (size_t)ret );
     if( ret != 0 )
         return( ret );
 
diff --git a/3rdparty/mbedtls/mbedtls/programs/Makefile b/3rdparty/mbedtls/mbedtls/programs/Makefile
index 25f184f8c3..b4a553a934 100644
--- a/3rdparty/mbedtls/mbedtls/programs/Makefile
+++ b/3rdparty/mbedtls/mbedtls/programs/Makefile
@@ -65,7 +65,7 @@ APPS =	aes/aescrypt2$(EXEXT)		aes/crypt_and_hash$(EXEXT)	\
 	ssl/ssl_mail_client$(EXEXT)	random/gen_entropy$(EXEXT)	\
 	random/gen_random_havege$(EXEXT)				\
 	random/gen_random_ctr_drbg$(EXEXT)				\
-	test/ssl_cert_test$(EXEXT)	test/benchmark$(EXEXT)		\
+	test/benchmark$(EXEXT)                          		\
 	test/selftest$(EXEXT)		test/udp_proxy$(EXEXT)		\
 	util/pem2der$(EXEXT)		util/strerror$(EXEXT)		\
 	x509/cert_app$(EXEXT)		x509/crl_app$(EXEXT)		\
@@ -233,10 +233,6 @@ ssl/mini_client$(EXEXT): ssl/mini_client.c $(DEP)
 	echo "  CC    ssl/mini_client.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/mini_client.c   $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
-test/ssl_cert_test$(EXEXT): test/ssl_cert_test.c $(DEP)
-	echo "  CC    test/ssl_cert_test.c"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/ssl_cert_test.c   $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
 test/benchmark$(EXEXT): test/benchmark.c $(DEP)
 	echo "  CC    test/benchmark.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/benchmark.c   $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/key_app_writer.c b/3rdparty/mbedtls/mbedtls/programs/pkey/key_app_writer.c
index cd0c230644..0450a17101 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/key_app_writer.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/key_app_writer.c
@@ -175,7 +175,7 @@ static int write_private_key( mbedtls_pk_context *key, const char *output_file )
             return( ret );
 
         len = ret;
-        c = output_buf + sizeof(output_buf) - len - 1;
+        c = output_buf + sizeof(output_buf) - len;
     }
 
     if( ( f = fopen( output_file, "w" ) ) == NULL )
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_sign_pss.c b/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_sign_pss.c
index b0b0f7ecf4..e1c8ef6fe1 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_sign_pss.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_sign_pss.c
@@ -54,7 +54,6 @@ int main( void )
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/md.h"
 #include "mbedtls/rsa.h"
-#include "mbedtls/md.h"
 #include "mbedtls/x509.h"
 
 #include <stdio.h>
diff --git a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_client2.c b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_client2.c
index 81514321ff..c63c4f75a1 100644
--- a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_client2.c
+++ b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_client2.c
@@ -1072,20 +1072,20 @@ int main( int argc, char *argv[] )
     mbedtls_printf( "  . Loading the CA root certificate ..." );
     fflush( stdout );
 
+    if( strcmp( opt.ca_path, "none" ) == 0 ||
+        strcmp( opt.ca_file, "none" ) == 0 )
+    {
+        ret = 0;
+    }
+    else
 #if defined(MBEDTLS_FS_IO)
     if( strlen( opt.ca_path ) )
-        if( strcmp( opt.ca_path, "none" ) == 0 )
-            ret = 0;
-        else
-            ret = mbedtls_x509_crt_parse_path( &cacert, opt.ca_path );
+        ret = mbedtls_x509_crt_parse_path( &cacert, opt.ca_path );
     else if( strlen( opt.ca_file ) )
-        if( strcmp( opt.ca_file, "none" ) == 0 )
-            ret = 0;
-        else
-            ret = mbedtls_x509_crt_parse_file( &cacert, opt.ca_file );
+        ret = mbedtls_x509_crt_parse_file( &cacert, opt.ca_file );
     else
 #endif
-#if defined(MBEDTLS_CERTS_C)
+#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_PEM_PARSE_C)
         for( i = 0; mbedtls_test_cas[i] != NULL; i++ )
         {
             ret = mbedtls_x509_crt_parse( &cacert,
@@ -1097,9 +1097,13 @@ int main( int argc, char *argv[] )
 #else
     {
         ret = 1;
-        mbedtls_printf("MBEDTLS_CERTS_C not defined.");
+#if !defined(MBEDTLS_CERTS_C)
+        mbedtls_printf( "MBEDTLS_CERTS_C not defined." );
+#else
+        mbedtls_printf( "All test CRTs loaded via MBEDTLS_CERTS_C are PEM-encoded, but MBEDTLS_PEM_PARSE_C is disabled." );
     }
-#endif
+#endif /* MBEDTLS_CERTS_C */
+#endif /* MBEDTLS_CERTS_C && MBEDTLS_PEM_PARSE_C */
     if( ret < 0 )
     {
         mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
@@ -1116,46 +1120,54 @@ int main( int argc, char *argv[] )
     mbedtls_printf( "  . Loading the client cert. and key..." );
     fflush( stdout );
 
+    if( strcmp( opt.crt_file, "none" ) == 0 )
+        ret = 0;
+    else
 #if defined(MBEDTLS_FS_IO)
     if( strlen( opt.crt_file ) )
-        if( strcmp( opt.crt_file, "none" ) == 0 )
-            ret = 0;
-        else
-            ret = mbedtls_x509_crt_parse_file( &clicert, opt.crt_file );
+        ret = mbedtls_x509_crt_parse_file( &clicert, opt.crt_file );
     else
 #endif
-#if defined(MBEDTLS_CERTS_C)
+#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_PEM_PARSE_C)
         ret = mbedtls_x509_crt_parse( &clicert, (const unsigned char *) mbedtls_test_cli_crt,
                 mbedtls_test_cli_crt_len );
 #else
     {
         ret = 1;
-        mbedtls_printf("MBEDTLS_CERTS_C not defined.");
+#if !defined(MBEDTLS_CERTS_C)
+        mbedtls_printf( "MBEDTLS_CERTS_C not defined." );
+#else
+        mbedtls_printf( "All test CRTs loaded via MBEDTLS_CERTS_C are PEM-encoded, but MBEDTLS_PEM_PARSE_C is disabled." );
     }
-#endif
+#endif /* MBEDTLS_CERTS_C */
+#endif /* MBEDTLS_CERTS_C && MBEDTLS_PEM_PARSE_C */
     if( ret != 0 )
     {
         mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
         goto exit;
     }
 
+    if( strcmp( opt.key_file, "none" ) == 0 )
+        ret = 0;
+    else
 #if defined(MBEDTLS_FS_IO)
     if( strlen( opt.key_file ) )
-        if( strcmp( opt.key_file, "none" ) == 0 )
-            ret = 0;
-        else
-            ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, "" );
+        ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, "" );
     else
 #endif
-#if defined(MBEDTLS_CERTS_C)
+#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_PEM_PARSE_C)
         ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_cli_key,
                 mbedtls_test_cli_key_len, NULL, 0 );
 #else
     {
         ret = 1;
-        mbedtls_printf("MBEDTLS_CERTS_C not defined.");
+#if !defined(MBEDTLS_CERTS_C)
+        mbedtls_printf( "MBEDTLS_CERTS_C not defined." );
+#else
+        mbedtls_printf( "All test keys loaded via MBEDTLS_CERTS_C are PEM-encoded, but MBEDTLS_PEM_PARSE_C is disabled." );
     }
-#endif
+#endif /* MBEDTLS_CERTS_C */
+#endif /* MBEDTLS_CERTS_C && MBEDTLS_PEM_PARSE_C */
     if( ret != 0 )
     {
         mbedtls_printf( " failed\n  !  mbedtls_pk_parse_key returned -0x%x\n\n", -ret );
diff --git a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_mail_client.c b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_mail_client.c
index 7214dc2631..8ec6079d59 100644
--- a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_mail_client.c
+++ b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_mail_client.c
@@ -104,9 +104,9 @@ int main( void )
 
 #if defined(MBEDTLS_BASE64_C)
 #define USAGE_AUTH \
-    "    authentication=%%d   default: 0 (disabled)\n"      \
-    "    user_name=%%s        default: \"user\"\n"          \
-    "    user_pwd=%%s         default: \"password\"\n"
+    "    authentication=%%d   default: 0 (disabled)\n"          \
+    "    user_name=%%s        default: \"" DFL_USER_NAME "\"\n" \
+    "    user_pwd=%%s         default: \"" DFL_USER_PWD "\"\n"
 #else
 #define USAGE_AUTH \
     "    authentication options disabled. (Require MBEDTLS_BASE64_C)\n"
@@ -123,17 +123,17 @@ int main( void )
 #endif /* MBEDTLS_FS_IO */
 
 #define USAGE \
-    "\n usage: ssl_mail_client param=<>...\n"               \
-    "\n acceptable parameters:\n"                           \
-    "    server_name=%%s      default: localhost\n"         \
-    "    server_port=%%d      default: 4433\n"              \
-    "    debug_level=%%d      default: 0 (disabled)\n"      \
+    "\n usage: ssl_mail_client param=<>...\n"                 \
+    "\n acceptable parameters:\n"                             \
+    "    server_name=%%s      default: " DFL_SERVER_NAME "\n" \
+    "    server_port=%%d      default: " DFL_SERVER_PORT "\n" \
+    "    debug_level=%%d      default: 0 (disabled)\n"        \
     "    mode=%%d             default: 0 (SSL/TLS) (1 for STARTTLS)\n"  \
-    USAGE_AUTH                                              \
-    "    mail_from=%%s        default: \"\"\n"              \
-    "    mail_to=%%s          default: \"\"\n"              \
-    USAGE_IO                                                \
-    "    force_ciphersuite=<name>    default: all enabled\n"\
+    USAGE_AUTH                                                \
+    "    mail_from=%%s        default: \"\"\n"                \
+    "    mail_to=%%s          default: \"\"\n"                \
+    USAGE_IO                                                  \
+    "    force_ciphersuite=<name>    default: all enabled\n"  \
     " acceptable ciphersuite names:\n"
 
 /*
@@ -306,7 +306,7 @@ static int write_and_get_response( mbedtls_net_context *sock_fd, unsigned char *
     mbedtls_printf("\n%s", buf);
     if( len && ( ret = mbedtls_net_send( sock_fd, buf, len ) ) <= 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_ssl_write returned %d\n\n", ret );
+        mbedtls_printf( " failed\n  ! mbedtls_net_send returned %d\n\n", ret );
             return -1;
     }
 
@@ -318,7 +318,7 @@ static int write_and_get_response( mbedtls_net_context *sock_fd, unsigned char *
 
         if( ret <= 0 )
         {
-            mbedtls_printf( "failed\n  ! read returned %d\n\n", ret );
+            mbedtls_printf( "failed\n  ! mbedtls_net_recv returned %d\n\n", ret );
             return -1;
         }
 
diff --git a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_server2.c b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_server2.c
index b6e8a1d146..ae57f1fda0 100644
--- a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_server2.c
+++ b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_server2.c
@@ -201,8 +201,12 @@ int main( void )
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
-#define USAGE_PSK                                                   \
-    "    psk=%%s              default: \"\" (in hex, without 0x)\n" \
+#define USAGE_PSK                                                       \
+    "    psk=%%s              default: \"\" (in hex, without 0x)\n"     \
+    "    psk_list=%%s         default: \"\"\n"                          \
+    "                          A list of (PSK identity, PSK value) pairs.\n" \
+    "                          The PSK values are in hex, without 0x.\n" \
+    "                          id1,psk1[,id2,psk2[,...]]\n"             \
     "    psk_identity=%%s     default: \"Client_identity\"\n"
 #else
 #define USAGE_PSK ""
@@ -225,8 +229,14 @@ int main( void )
 #endif /* MBEDTLS_SSL_CACHE_C */
 
 #if defined(SNI_OPTION)
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+#define SNI_CRL              ",crl"
+#else
+#define SNI_CRL              ""
+#endif
+
 #define USAGE_SNI                                                           \
-    "    sni=%%s              name1,cert1,key1,ca1,crl1,auth1[,...]\n"  \
+    "    sni=%%s              name1,cert1,key1,ca1"SNI_CRL",auth1[,...]\n"  \
     "                        default: disabled\n"
 #else
 #define USAGE_SNI ""
@@ -561,10 +571,10 @@ void sni_free( sni_entry *head )
 
         mbedtls_x509_crt_free( cur->ca );
         mbedtls_free( cur->ca );
-
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
         mbedtls_x509_crl_free( cur->crl );
         mbedtls_free( cur->crl );
-
+#endif
         next = cur->next;
         mbedtls_free( cur );
         cur = next;
@@ -583,7 +593,10 @@ sni_entry *sni_parse( char *sni_string )
     sni_entry *cur = NULL, *new = NULL;
     char *p = sni_string;
     char *end = p;
-    char *crt_file, *key_file, *ca_file, *crl_file, *auth_str;
+    char *crt_file, *key_file, *ca_file, *auth_str;
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+    char *crl_file;
+#endif
 
     while( *end != '\0' )
         ++end;
@@ -601,7 +614,9 @@ sni_entry *sni_parse( char *sni_string )
         GET_ITEM( crt_file );
         GET_ITEM( key_file );
         GET_ITEM( ca_file );
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
         GET_ITEM( crl_file );
+#endif
         GET_ITEM( auth_str );
 
         if( ( new->cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL ||
@@ -626,6 +641,7 @@ sni_entry *sni_parse( char *sni_string )
                 goto error;
         }
 
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
         if( strcmp( crl_file, "-" ) != 0 )
         {
             if( ( new->crl = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl ) ) ) == NULL )
@@ -636,6 +652,7 @@ sni_entry *sni_parse( char *sni_string )
             if( mbedtls_x509_crl_parse_file( new->crl, crl_file ) != 0 )
                 goto error;
         }
+#endif
 
         if( strcmp( auth_str, "-" ) != 0 )
         {
@@ -1578,20 +1595,20 @@ int main( int argc, char *argv[] )
     mbedtls_printf( "  . Loading the CA root certificate ..." );
     fflush( stdout );
 
+    if( strcmp( opt.ca_path, "none" ) == 0 ||
+        strcmp( opt.ca_file, "none" ) == 0 )
+    {
+        ret = 0;
+    }
+    else
 #if defined(MBEDTLS_FS_IO)
     if( strlen( opt.ca_path ) )
-        if( strcmp( opt.ca_path, "none" ) == 0 )
-            ret = 0;
-        else
-            ret = mbedtls_x509_crt_parse_path( &cacert, opt.ca_path );
+        ret = mbedtls_x509_crt_parse_path( &cacert, opt.ca_path );
     else if( strlen( opt.ca_file ) )
-        if( strcmp( opt.ca_file, "none" ) == 0 )
-            ret = 0;
-        else
-            ret = mbedtls_x509_crt_parse_file( &cacert, opt.ca_file );
+        ret = mbedtls_x509_crt_parse_file( &cacert, opt.ca_file );
     else
 #endif
-#if defined(MBEDTLS_CERTS_C)
+#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_PEM_PARSE_C)
         for( i = 0; mbedtls_test_cas[i] != NULL; i++ )
         {
             ret = mbedtls_x509_crt_parse( &cacert,
@@ -1603,9 +1620,13 @@ int main( int argc, char *argv[] )
 #else
     {
         ret = 1;
-        mbedtls_printf("MBEDTLS_CERTS_C not defined.");
+#if !defined(MBEDTLS_CERTS_C)
+        mbedtls_printf( "MBEDTLS_CERTS_C not defined." );
+#else
+        mbedtls_printf( "All test CRTs loaded via MBEDTLS_CERTS_C are PEM-encoded, but MBEDTLS_PEM_PARSE_C is disabled." );
     }
-#endif
+#endif /* MBEDTLS_CERTS_C */
+#endif /* MBEDTLS_CERTS_C && MBEDTLS_PEM_PARSE_C */
     if( ret < 0 )
     {
         mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
diff --git a/3rdparty/mbedtls/mbedtls/programs/test/CMakeLists.txt b/3rdparty/mbedtls/mbedtls/programs/test/CMakeLists.txt
index 0ed7145466..64b963719a 100644
--- a/3rdparty/mbedtls/mbedtls/programs/test/CMakeLists.txt
+++ b/3rdparty/mbedtls/mbedtls/programs/test/CMakeLists.txt
@@ -16,12 +16,10 @@ target_link_libraries(selftest ${libs})
 add_executable(benchmark benchmark.c)
 target_link_libraries(benchmark ${libs})
 
-add_executable(ssl_cert_test ssl_cert_test.c)
-target_link_libraries(ssl_cert_test ${libs})
 
 add_executable(udp_proxy udp_proxy.c)
 target_link_libraries(udp_proxy ${libs})
 
-install(TARGETS selftest benchmark ssl_cert_test udp_proxy
+install(TARGETS selftest benchmark udp_proxy
         DESTINATION "bin"
         PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
diff --git a/3rdparty/mbedtls/mbedtls/programs/test/ssl_cert_test.c b/3rdparty/mbedtls/mbedtls/programs/test/ssl_cert_test.c
deleted file mode 100644
index fd3526f7fe..0000000000
--- a/3rdparty/mbedtls/mbedtls/programs/test/ssl_cert_test.c
+++ /dev/null
@@ -1,261 +0,0 @@
-/*
- *  SSL certificate functionality tests
- *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
- */
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#include <stdlib.h>
-#define mbedtls_snprintf        snprintf
-#define mbedtls_printf          printf
-#define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
-#define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
-#endif /* MBEDTLS_PLATFORM_C */
-
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_X509_CRT_PARSE_C) && \
-    defined(MBEDTLS_FS_IO) && defined(MBEDTLS_X509_CRL_PARSE_C)
-#include "mbedtls/certs.h"
-#include "mbedtls/x509_crt.h"
-
-#include <stdio.h>
-#include <string.h>
-#endif
-
-#define MAX_CLIENT_CERTS    8
-
-#if !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
-    !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_X509_CRL_PARSE_C)
-int main( void )
-{
-    mbedtls_printf("MBEDTLS_RSA_C and/or MBEDTLS_X509_CRT_PARSE_C "
-           "MBEDTLS_FS_IO and/or MBEDTLS_X509_CRL_PARSE_C "
-           "not defined.\n");
-    return( 0 );
-}
-#else
-const char *client_certificates[MAX_CLIENT_CERTS] =
-{
-    "client1.crt",
-    "client2.crt",
-    "server1.crt",
-    "server2.crt",
-    "cert_sha224.crt",
-    "cert_sha256.crt",
-    "cert_sha384.crt",
-    "cert_sha512.crt"
-};
-
-const char *client_private_keys[MAX_CLIENT_CERTS] =
-{
-    "client1.key",
-    "client2.key",
-    "server1.key",
-    "server2.key",
-    "cert_digest.key",
-    "cert_digest.key",
-    "cert_digest.key",
-    "cert_digest.key"
-};
-
-int main( void )
-{
-    int ret = 1, i;
-    int exit_code = MBEDTLS_EXIT_FAILURE;
-    mbedtls_x509_crt cacert;
-    mbedtls_x509_crl crl;
-    char buf[10240];
-
-    mbedtls_x509_crt_init( &cacert );
-    mbedtls_x509_crl_init( &crl );
-
-    /*
-     * 1.1. Load the trusted CA
-     */
-    mbedtls_printf( "\n  . Loading the CA root certificate ..." );
-    fflush( stdout );
-
-    /*
-     * Alternatively, you may load the CA certificates from a .pem or
-     * .crt file by calling mbedtls_x509_crt_parse_file( &cacert, "myca.crt" ).
-     */
-    ret = mbedtls_x509_crt_parse_file( &cacert, "ssl/test-ca/test-ca.crt" );
-    if( ret != 0 )
-    {
-        mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse_file returned %d\n\n", ret );
-        goto exit;
-    }
-
-    mbedtls_printf( " ok\n" );
-
-    mbedtls_x509_crt_info( buf, 1024, "CRT: ", &cacert );
-    mbedtls_printf("%s\n", buf );
-
-    /*
-     * 1.2. Load the CRL
-     */
-    mbedtls_printf( "  . Loading the CRL ..." );
-    fflush( stdout );
-
-    ret = mbedtls_x509_crl_parse_file( &crl, "ssl/test-ca/crl.pem" );
-    if( ret != 0 )
-    {
-        mbedtls_printf( " failed\n  !  mbedtls_x509_crl_parse_file returned %d\n\n", ret );
-        goto exit;
-    }
-
-    mbedtls_printf( " ok\n" );
-
-    mbedtls_x509_crl_info( buf, 1024, "CRL: ", &crl );
-    mbedtls_printf("%s\n", buf );
-
-    for( i = 0; i < MAX_CLIENT_CERTS; i++ )
-    {
-        /*
-         * 1.3. Load own certificate
-         */
-        char    name[512];
-        uint32_t flags;
-        mbedtls_x509_crt clicert;
-        mbedtls_pk_context pk;
-
-        mbedtls_x509_crt_init( &clicert );
-        mbedtls_pk_init( &pk );
-
-        mbedtls_snprintf(name, 512, "ssl/test-ca/%s", client_certificates[i]);
-
-        mbedtls_printf( "  . Loading the client certificate %s...", name );
-        fflush( stdout );
-
-        ret = mbedtls_x509_crt_parse_file( &clicert, name );
-        if( ret != 0 )
-        {
-            mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse_file returned %d\n\n", ret );
-            goto exit;
-        }
-
-        mbedtls_printf( " ok\n" );
-
-        /*
-         * 1.4. Verify certificate validity with CA certificate
-         */
-        mbedtls_printf( "  . Verify the client certificate with CA certificate..." );
-        fflush( stdout );
-
-        ret = mbedtls_x509_crt_verify( &clicert, &cacert, &crl, NULL, &flags, NULL,
-                               NULL );
-        if( ret != 0 )
-        {
-            if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
-            {
-                 char vrfy_buf[512];
-
-                 mbedtls_printf( " failed\n" );
-                 mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
-                 mbedtls_printf( "%s\n", vrfy_buf );
-             }
-             else
-             {
-                mbedtls_printf( " failed\n  !  mbedtls_x509_crt_verify returned %d\n\n", ret );
-                goto exit;
-            }
-        }
-
-        mbedtls_printf( " ok\n" );
-
-        /*
-         * 1.5. Load own private key
-         */
-        mbedtls_snprintf(name, 512, "ssl/test-ca/%s", client_private_keys[i]);
-
-        mbedtls_printf( "  . Loading the client private key %s...", name );
-        fflush( stdout );
-
-        ret = mbedtls_pk_parse_keyfile( &pk, name, NULL );
-        if( ret != 0 )
-        {
-            mbedtls_printf( " failed\n  !  mbedtls_pk_parse_keyfile returned %d\n\n", ret );
-            goto exit;
-        }
-
-        mbedtls_printf( " ok\n" );
-
-        /*
-         * 1.6. Verify certificate validity with private key
-         */
-        mbedtls_printf( "  . Verify the client certificate with private key..." );
-        fflush( stdout );
-
-
-        /* EC NOT IMPLEMENTED YET */
-        if( ! mbedtls_pk_can_do( &clicert.pk, MBEDTLS_PK_RSA ) )
-        {
-            mbedtls_printf( " failed\n  !  certificate's key is not RSA\n\n" );
-            goto exit;
-        }
-
-        ret = mbedtls_mpi_cmp_mpi(&mbedtls_pk_rsa( pk )->N, &mbedtls_pk_rsa( clicert.pk )->N);
-        if( ret != 0 )
-        {
-            mbedtls_printf( " failed\n  !  mbedtls_mpi_cmp_mpi for N returned %d\n\n", ret );
-            goto exit;
-        }
-
-        ret = mbedtls_mpi_cmp_mpi(&mbedtls_pk_rsa( pk )->E, &mbedtls_pk_rsa( clicert.pk )->E);
-        if( ret != 0 )
-        {
-            mbedtls_printf( " failed\n  !  mbedtls_mpi_cmp_mpi for E returned %d\n\n", ret );
-            goto exit;
-        }
-
-        ret = mbedtls_rsa_check_privkey( mbedtls_pk_rsa( pk ) );
-        if( ret != 0 )
-        {
-            mbedtls_printf( " failed\n  !  mbedtls_rsa_check_privkey returned %d\n\n", ret );
-            goto exit;
-        }
-
-        mbedtls_printf( " ok\n" );
-
-        mbedtls_x509_crt_free( &clicert );
-        mbedtls_pk_free( &pk );
-    }
-
-    exit_code = MBEDTLS_EXIT_SUCCESS;
-
-exit:
-    mbedtls_x509_crt_free( &cacert );
-    mbedtls_x509_crl_free( &crl );
-
-#if defined(_WIN32)
-    mbedtls_printf( "  + Press Enter to exit this program.\n" );
-    fflush( stdout ); getchar();
-#endif
-
-    return( exit_code );
-}
-#endif /* MBEDTLS_RSA_C && MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_FS_IO &&
-          MBEDTLS_X509_CRL_PARSE_C */
diff --git a/3rdparty/mbedtls/mbedtls/programs/test/udp_proxy.c b/3rdparty/mbedtls/mbedtls/programs/test/udp_proxy.c
index 1865b0f1b9..02428b9dd0 100644
--- a/3rdparty/mbedtls/mbedtls/programs/test/udp_proxy.c
+++ b/3rdparty/mbedtls/mbedtls/programs/test/udp_proxy.c
@@ -372,32 +372,17 @@ void clear_pending( void )
 static unsigned char dropped[2048] = { 0 };
 #define DROP_MAX 2
 
-/*
- * OpenSSL groups packets in a datagram the first time it sends them, but not
- * when it resends them. Count every record as seen the first time.
- */
+/* We only drop packets at the level of entire datagrams, not at the level
+ * of records. In particular, if the peer changes the way it packs multiple
+ * records into a single datagram, we don't necessarily count the number of
+ * times a record has been dropped correctly. However, the only known reason
+ * why a peer would change datagram packing is disabling the latter on
+ * retransmission, in which case we'd drop involved records at most
+ * DROP_MAX + 1 times. */
 void update_dropped( const packet *p )
 {
     size_t id = p->len % sizeof( dropped );
-    const unsigned char *end = p->buf + p->len;
-    const unsigned char *cur = p->buf;
-    size_t len = ( ( cur[11] << 8 ) | cur[12] ) + 13;
-
     ++dropped[id];
-
-    /* Avoid counting single record twice */
-    if( len == p->len )
-        return;
-
-    while( cur < end )
-    {
-        len = ( ( cur[11] << 8 ) | cur[12] ) + 13;
-
-        id = len % sizeof( dropped );
-        ++dropped[id];
-
-        cur += len;
-    }
 }
 
 int handle_message( const char *way,
diff --git a/3rdparty/mbedtls/mbedtls/programs/x509/cert_req.c b/3rdparty/mbedtls/mbedtls/programs/x509/cert_req.c
index a32ac505f2..784f719330 100644
--- a/3rdparty/mbedtls/mbedtls/programs/x509/cert_req.c
+++ b/3rdparty/mbedtls/mbedtls/programs/x509/cert_req.c
@@ -63,7 +63,10 @@ int main( void )
 #define DFL_OUTPUT_FILENAME     "cert.req"
 #define DFL_SUBJECT_NAME        "CN=Cert,O=mbed TLS,C=UK"
 #define DFL_KEY_USAGE           0
+#define DFL_FORCE_KEY_USAGE     0
 #define DFL_NS_CERT_TYPE        0
+#define DFL_FORCE_NS_CERT_TYPE  0
+#define DFL_MD_ALG              MBEDTLS_MD_SHA256
 
 #define USAGE \
     "\n usage: cert_req param=<>...\n"                  \
@@ -81,6 +84,8 @@ int main( void )
     "                          key_agreement\n"         \
     "                          key_cert_sign\n"  \
     "                          crl_sign\n"              \
+    "    force_key_usage=0/1  default: off\n"           \
+    "                          Add KeyUsage even if it is empty\n"  \
     "    ns_cert_type=%%s     default: (empty)\n"       \
     "                        Comma-separated-list of values:\n"     \
     "                          ssl_client\n"            \
@@ -90,6 +95,13 @@ int main( void )
     "                          ssl_ca\n"                \
     "                          email_ca\n"              \
     "                          object_signing_ca\n"     \
+    "    force_ns_cert_type=0/1 default: off\n"         \
+    "                          Add NsCertType even if it is empty\n"    \
+    "    md=%%s               default: SHA256\n"       \
+    "                          possible values:\n"     \
+    "                          MD2, MD4, MD5, SHA1\n"  \
+    "                          SHA224, SHA256\n"       \
+    "                          SHA384, SHA512\n"       \
     "\n"
 
 /*
@@ -102,7 +114,10 @@ struct options
     const char *output_file;    /* where to store the constructed key file  */
     const char *subject_name;   /* subject name for certificate request */
     unsigned char key_usage;    /* key usage flags                      */
+    int force_key_usage;        /* Force adding the KeyUsage extension  */
     unsigned char ns_cert_type; /* NS cert type                         */
+    int force_ns_cert_type;     /* Force adding NsCertType extension    */
+    mbedtls_md_type_t md_alg;   /* Hash algorithm used for signature.   */
 } opt;
 
 int write_certificate_request( mbedtls_x509write_csr *req, const char *output_file,
@@ -151,7 +166,6 @@ int main( int argc, char *argv[] )
      * Set to sane values
      */
     mbedtls_x509write_csr_init( &req );
-    mbedtls_x509write_csr_set_md_alg( &req, MBEDTLS_MD_SHA256 );
     mbedtls_pk_init( &key );
     mbedtls_ctr_drbg_init( &ctr_drbg );
     memset( buf, 0, sizeof( buf ) );
@@ -168,7 +182,10 @@ int main( int argc, char *argv[] )
     opt.output_file         = DFL_OUTPUT_FILENAME;
     opt.subject_name        = DFL_SUBJECT_NAME;
     opt.key_usage           = DFL_KEY_USAGE;
+    opt.force_key_usage     = DFL_FORCE_KEY_USAGE;
     opt.ns_cert_type        = DFL_NS_CERT_TYPE;
+    opt.force_ns_cert_type  = DFL_FORCE_NS_CERT_TYPE;
+    opt.md_alg              = DFL_MD_ALG;
 
     for( i = 1; i < argc; i++ )
     {
@@ -192,6 +209,61 @@ int main( int argc, char *argv[] )
         {
             opt.subject_name = q;
         }
+        else if( strcmp( p, "md" ) == 0 )
+        {
+            if( strcmp( q, "SHA256" ) == 0 )
+            {
+                opt.md_alg = MBEDTLS_MD_SHA256;
+            }
+            else if( strcmp( q, "SHA224" ) == 0 )
+            {
+                opt.md_alg = MBEDTLS_MD_SHA224;
+            }
+            else
+#if defined(MBEDTLS_MD5_C)
+            if( strcmp( q, "MD5" ) == 0 )
+            {
+                opt.md_alg = MBEDTLS_MD_MD5;
+            }
+            else
+#endif /* MBEDTLS_MD5_C */
+#if defined(MBEDTLS_MD4_C)
+            if( strcmp( q, "MD4" ) == 0 )
+            {
+                opt.md_alg = MBEDTLS_MD_MD4;
+            }
+            else
+#endif /* MBEDTLS_MD5_C */
+#if defined(MBEDTLS_MD2_C)
+            if( strcmp( q, "MD2" ) == 0 )
+            {
+                opt.md_alg = MBEDTLS_MD_MD2;
+            }
+            else
+#endif /* MBEDTLS_MD2_C */
+#if defined(MBEDTLS_SHA1_C)
+            if( strcmp( q, "SHA1" ) == 0 )
+            {
+                opt.md_alg = MBEDTLS_MD_SHA1;
+            }
+            else
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA512_C)
+            if( strcmp( q, "SHA384" ) == 0 )
+            {
+                opt.md_alg = MBEDTLS_MD_SHA384;
+            }
+            else
+            if( strcmp( q, "SHA512" ) == 0 )
+            {
+                opt.md_alg = MBEDTLS_MD_SHA512;
+            }
+            else
+#endif /* MBEDTLS_SHA512_C */
+            {
+                goto usage;
+            }
+        }
         else if( strcmp( p, "key_usage" ) == 0 )
         {
             while( q != NULL )
@@ -219,6 +291,15 @@ int main( int argc, char *argv[] )
                 q = r;
             }
         }
+        else if( strcmp( p, "force_key_usage" ) == 0 )
+        {
+            switch( atoi( q ) )
+            {
+                case 0: opt.force_key_usage = 0; break;
+                case 1: opt.force_key_usage = 1; break;
+                default: goto usage;
+            }
+        }
         else if( strcmp( p, "ns_cert_type" ) == 0 )
         {
             while( q != NULL )
@@ -246,14 +327,25 @@ int main( int argc, char *argv[] )
                 q = r;
             }
         }
+        else if( strcmp( p, "force_ns_cert_type" ) == 0 )
+        {
+            switch( atoi( q ) )
+            {
+                case 0: opt.force_ns_cert_type = 0; break;
+                case 1: opt.force_ns_cert_type = 1; break;
+                default: goto usage;
+            }
+        }
         else
             goto usage;
     }
 
-    if( opt.key_usage )
+    mbedtls_x509write_csr_set_md_alg( &req, opt.md_alg );
+
+    if( opt.key_usage || opt.force_key_usage == 1 )
         mbedtls_x509write_csr_set_key_usage( &req, opt.key_usage );
 
-    if( opt.ns_cert_type )
+    if( opt.ns_cert_type || opt.force_ns_cert_type == 1 )
         mbedtls_x509write_csr_set_ns_cert_type( &req, opt.ns_cert_type );
 
     /*
diff --git a/3rdparty/mbedtls/mbedtls/programs/x509/cert_write.c b/3rdparty/mbedtls/mbedtls/programs/x509/cert_write.c
index 527d9ec74d..adade1c868 100644
--- a/3rdparty/mbedtls/mbedtls/programs/x509/cert_write.c
+++ b/3rdparty/mbedtls/mbedtls/programs/x509/cert_write.c
@@ -120,7 +120,7 @@ int main( void )
     "    max_pathlen=%%d          default: -1 (none)\n"     \
     "    md=%%s                   default: SHA256\n"        \
     "                            Supported values:\n"       \
-    "                            MD5, SHA1, SHA256, SHA512\n"\
+    "                            MD2, MD4, MD5, SHA1, SHA256, SHA512\n"\
     "    version=%%d              default: 3\n"            \
     "                            Possible values: 1, 2, 3\n"\
     "    subject_identifier=%%s   default: 1\n"             \
@@ -359,6 +359,10 @@ int main( int argc, char *argv[] )
                 opt.md = MBEDTLS_MD_SHA256;
             else if( strcmp( q, "SHA512" ) == 0 )
                 opt.md = MBEDTLS_MD_SHA512;
+            else if( strcmp( q, "MD2" ) == 0 )
+                opt.md = MBEDTLS_MD_MD2;
+            else if( strcmp( q, "MD4" ) == 0 )
+                opt.md = MBEDTLS_MD_MD4;
             else if( strcmp( q, "MD5" ) == 0 )
                 opt.md = MBEDTLS_MD_MD5;
             else
diff --git a/3rdparty/mbedtls/mbedtls/scripts/abi_check.py b/3rdparty/mbedtls/mbedtls/scripts/abi_check.py
new file mode 100755
index 0000000000..502c7ae02e
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/scripts/abi_check.py
@@ -0,0 +1,406 @@
+#!/usr/bin/env python3
+"""
+This file is part of Mbed TLS (https://tls.mbed.org)
+
+Copyright (c) 2018, Arm Limited, All Rights Reserved
+
+Purpose
+
+This script is a small wrapper around the abi-compliance-checker and
+abi-dumper tools, applying them to compare the ABI and API of the library
+files from two different Git revisions within an Mbed TLS repository.
+The results of the comparison are either formatted as HTML and stored at
+a configurable location, or are given as a brief list of problems.
+Returns 0 on success, 1 on ABI/API non-compliance, and 2 if there is an error
+while running the script. Note: must be run from Mbed TLS root.
+"""
+
+import os
+import sys
+import traceback
+import shutil
+import subprocess
+import argparse
+import logging
+import tempfile
+import fnmatch
+from types import SimpleNamespace
+
+import xml.etree.ElementTree as ET
+
+
+class AbiChecker(object):
+    """API and ABI checker."""
+
+    def __init__(self, old_version, new_version, configuration):
+        """Instantiate the API/ABI checker.
+
+        old_version: RepoVersion containing details to compare against
+        new_version: RepoVersion containing details to check
+        configuration.report_dir: directory for output files
+        configuration.keep_all_reports: if false, delete old reports
+        configuration.brief: if true, output shorter report to stdout
+        configuration.skip_file: path to file containing symbols and types to skip
+        """
+        self.repo_path = "."
+        self.log = None
+        self.verbose = configuration.verbose
+        self._setup_logger()
+        self.report_dir = os.path.abspath(configuration.report_dir)
+        self.keep_all_reports = configuration.keep_all_reports
+        self.can_remove_report_dir = not (os.path.exists(self.report_dir) or
+                                          self.keep_all_reports)
+        self.old_version = old_version
+        self.new_version = new_version
+        self.skip_file = configuration.skip_file
+        self.brief = configuration.brief
+        self.git_command = "git"
+        self.make_command = "make"
+
+    @staticmethod
+    def check_repo_path():
+        current_dir = os.path.realpath('.')
+        root_dir = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
+        if current_dir != root_dir:
+            raise Exception("Must be run from Mbed TLS root")
+
+    def _setup_logger(self):
+        self.log = logging.getLogger()
+        if self.verbose:
+            self.log.setLevel(logging.DEBUG)
+        else:
+            self.log.setLevel(logging.INFO)
+        self.log.addHandler(logging.StreamHandler())
+
+    @staticmethod
+    def check_abi_tools_are_installed():
+        for command in ["abi-dumper", "abi-compliance-checker"]:
+            if not shutil.which(command):
+                raise Exception("{} not installed, aborting".format(command))
+
+    def _get_clean_worktree_for_git_revision(self, version):
+        """Make a separate worktree with version.revision checked out.
+        Do not modify the current worktree."""
+        git_worktree_path = tempfile.mkdtemp()
+        if version.repository:
+            self.log.debug(
+                "Checking out git worktree for revision {} from {}".format(
+                    version.revision, version.repository
+                )
+            )
+            fetch_output = subprocess.check_output(
+                [self.git_command, "fetch",
+                 version.repository, version.revision],
+                cwd=self.repo_path,
+                stderr=subprocess.STDOUT
+            )
+            self.log.debug(fetch_output.decode("utf-8"))
+            worktree_rev = "FETCH_HEAD"
+        else:
+            self.log.debug("Checking out git worktree for revision {}".format(
+                version.revision
+            ))
+            worktree_rev = version.revision
+        worktree_output = subprocess.check_output(
+            [self.git_command, "worktree", "add", "--detach",
+             git_worktree_path, worktree_rev],
+            cwd=self.repo_path,
+            stderr=subprocess.STDOUT
+        )
+        self.log.debug(worktree_output.decode("utf-8"))
+        return git_worktree_path
+
+    def _update_git_submodules(self, git_worktree_path, version):
+        """If the crypto submodule is present, initialize it.
+        if version.crypto_revision exists, update it to that revision,
+        otherwise update it to the default revision"""
+        update_output = subprocess.check_output(
+            [self.git_command, "submodule", "update", "--init", '--recursive'],
+            cwd=git_worktree_path,
+            stderr=subprocess.STDOUT
+        )
+        self.log.debug(update_output.decode("utf-8"))
+        if not (os.path.exists(os.path.join(git_worktree_path, "crypto"))
+                and version.crypto_revision):
+            return
+
+        if version.crypto_repository:
+            fetch_output = subprocess.check_output(
+                [self.git_command, "fetch", version.crypto_repository,
+                 version.crypto_revision],
+                cwd=os.path.join(git_worktree_path, "crypto"),
+                stderr=subprocess.STDOUT
+            )
+            self.log.debug(fetch_output.decode("utf-8"))
+            crypto_rev = "FETCH_HEAD"
+        else:
+            crypto_rev = version.crypto_revision
+
+        checkout_output = subprocess.check_output(
+            [self.git_command, "checkout", crypto_rev],
+            cwd=os.path.join(git_worktree_path, "crypto"),
+            stderr=subprocess.STDOUT
+        )
+        self.log.debug(checkout_output.decode("utf-8"))
+
+    def _build_shared_libraries(self, git_worktree_path, version):
+        """Build the shared libraries in the specified worktree."""
+        my_environment = os.environ.copy()
+        my_environment["CFLAGS"] = "-g -Og"
+        my_environment["SHARED"] = "1"
+        if os.path.exists(os.path.join(git_worktree_path, "crypto")):
+            my_environment["USE_CRYPTO_SUBMODULE"] = "1"
+        make_output = subprocess.check_output(
+            [self.make_command, "lib"],
+            env=my_environment,
+            cwd=git_worktree_path,
+            stderr=subprocess.STDOUT
+        )
+        self.log.debug(make_output.decode("utf-8"))
+        for root, _dirs, files in os.walk(git_worktree_path):
+            for file in fnmatch.filter(files, "*.so"):
+                version.modules[os.path.splitext(file)[0]] = (
+                    os.path.join(root, file)
+                )
+
+    def _get_abi_dumps_from_shared_libraries(self, version):
+        """Generate the ABI dumps for the specified git revision.
+        The shared libraries must have been built and the module paths
+        present in version.modules."""
+        for mbed_module, module_path in version.modules.items():
+            output_path = os.path.join(
+                self.report_dir, "{}-{}-{}.dump".format(
+                    mbed_module, version.revision, version.version
+                )
+            )
+            abi_dump_command = [
+                "abi-dumper",
+                module_path,
+                "-o", output_path,
+                "-lver", version.revision
+            ]
+            abi_dump_output = subprocess.check_output(
+                abi_dump_command,
+                stderr=subprocess.STDOUT
+            )
+            self.log.debug(abi_dump_output.decode("utf-8"))
+            version.abi_dumps[mbed_module] = output_path
+
+    def _cleanup_worktree(self, git_worktree_path):
+        """Remove the specified git worktree."""
+        shutil.rmtree(git_worktree_path)
+        worktree_output = subprocess.check_output(
+            [self.git_command, "worktree", "prune"],
+            cwd=self.repo_path,
+            stderr=subprocess.STDOUT
+        )
+        self.log.debug(worktree_output.decode("utf-8"))
+
+    def _get_abi_dump_for_ref(self, version):
+        """Generate the ABI dumps for the specified git revision."""
+        git_worktree_path = self._get_clean_worktree_for_git_revision(version)
+        self._update_git_submodules(git_worktree_path, version)
+        self._build_shared_libraries(git_worktree_path, version)
+        self._get_abi_dumps_from_shared_libraries(version)
+        self._cleanup_worktree(git_worktree_path)
+
+    def _remove_children_with_tag(self, parent, tag):
+        children = parent.getchildren()
+        for child in children:
+            if child.tag == tag:
+                parent.remove(child)
+            else:
+                self._remove_children_with_tag(child, tag)
+
+    def _remove_extra_detail_from_report(self, report_root):
+        for tag in ['test_info', 'test_results', 'problem_summary',
+                    'added_symbols', 'affected']:
+            self._remove_children_with_tag(report_root, tag)
+
+        for report in report_root:
+            for problems in report.getchildren()[:]:
+                if not problems.getchildren():
+                    report.remove(problems)
+
+    def get_abi_compatibility_report(self):
+        """Generate a report of the differences between the reference ABI
+        and the new ABI. ABI dumps from self.old_version and self.new_version
+        must be available."""
+        compatibility_report = ""
+        compliance_return_code = 0
+        shared_modules = list(set(self.old_version.modules.keys()) &
+                              set(self.new_version.modules.keys()))
+        for mbed_module in shared_modules:
+            output_path = os.path.join(
+                self.report_dir, "{}-{}-{}.html".format(
+                    mbed_module, self.old_version.revision,
+                    self.new_version.revision
+                )
+            )
+            abi_compliance_command = [
+                "abi-compliance-checker",
+                "-l", mbed_module,
+                "-old", self.old_version.abi_dumps[mbed_module],
+                "-new", self.new_version.abi_dumps[mbed_module],
+                "-strict",
+                "-report-path", output_path,
+            ]
+            if self.skip_file:
+                abi_compliance_command += ["-skip-symbols", self.skip_file,
+                                           "-skip-types", self.skip_file]
+            if self.brief:
+                abi_compliance_command += ["-report-format", "xml",
+                                           "-stdout"]
+            try:
+                subprocess.check_output(
+                    abi_compliance_command,
+                    stderr=subprocess.STDOUT
+                )
+            except subprocess.CalledProcessError as err:
+                if err.returncode == 1:
+                    compliance_return_code = 1
+                    if self.brief:
+                        self.log.info(
+                            "Compatibility issues found for {}".format(mbed_module)
+                        )
+                        report_root = ET.fromstring(err.output.decode("utf-8"))
+                        self._remove_extra_detail_from_report(report_root)
+                        self.log.info(ET.tostring(report_root).decode("utf-8"))
+                    else:
+                        self.can_remove_report_dir = False
+                        compatibility_report += (
+                            "Compatibility issues found for {}, "
+                            "for details see {}\n".format(mbed_module, output_path)
+                        )
+                else:
+                    raise err
+            else:
+                compatibility_report += (
+                    "No compatibility issues for {}\n".format(mbed_module)
+                )
+                if not (self.keep_all_reports or self.brief):
+                    os.remove(output_path)
+        for version in [self.old_version, self.new_version]:
+            for mbed_module, mbed_module_dump in version.abi_dumps.items():
+                os.remove(mbed_module_dump)
+        if self.can_remove_report_dir:
+            os.rmdir(self.report_dir)
+        self.log.info(compatibility_report)
+        return compliance_return_code
+
+    def check_for_abi_changes(self):
+        """Generate a report of ABI differences
+        between self.old_rev and self.new_rev."""
+        self.check_repo_path()
+        self.check_abi_tools_are_installed()
+        self._get_abi_dump_for_ref(self.old_version)
+        self._get_abi_dump_for_ref(self.new_version)
+        return self.get_abi_compatibility_report()
+
+
+def run_main():
+    try:
+        parser = argparse.ArgumentParser(
+            description=(
+                """This script is a small wrapper around the
+                abi-compliance-checker and abi-dumper tools, applying them
+                to compare the ABI and API of the library files from two
+                different Git revisions within an Mbed TLS repository.
+                The results of the comparison are either formatted as HTML and
+                stored at a configurable location, or are given as a brief list
+                of problems. Returns 0 on success, 1 on ABI/API non-compliance,
+                and 2 if there is an error while running the script.
+                Note: must be run from Mbed TLS root."""
+            )
+        )
+        parser.add_argument(
+            "-v", "--verbose", action="store_true",
+            help="set verbosity level",
+        )
+        parser.add_argument(
+            "-r", "--report-dir", type=str, default="reports",
+            help="directory where reports are stored, default is reports",
+        )
+        parser.add_argument(
+            "-k", "--keep-all-reports", action="store_true",
+            help="keep all reports, even if there are no compatibility issues",
+        )
+        parser.add_argument(
+            "-o", "--old-rev", type=str, help="revision for old version.",
+            required=True,
+        )
+        parser.add_argument(
+            "-or", "--old-repo", type=str, help="repository for old version."
+        )
+        parser.add_argument(
+            "-oc", "--old-crypto-rev", type=str,
+            help="revision for old crypto submodule."
+        )
+        parser.add_argument(
+            "-ocr", "--old-crypto-repo", type=str,
+            help="repository for old crypto submodule."
+        )
+        parser.add_argument(
+            "-n", "--new-rev", type=str, help="revision for new version",
+            required=True,
+        )
+        parser.add_argument(
+            "-nr", "--new-repo", type=str, help="repository for new version."
+        )
+        parser.add_argument(
+            "-nc", "--new-crypto-rev", type=str,
+            help="revision for new crypto version"
+        )
+        parser.add_argument(
+            "-ncr", "--new-crypto-repo", type=str,
+            help="repository for new crypto submodule."
+        )
+        parser.add_argument(
+            "-s", "--skip-file", type=str,
+            help="path to file containing symbols and types to skip"
+        )
+        parser.add_argument(
+            "-b", "--brief", action="store_true",
+            help="output only the list of issues to stdout, instead of a full report",
+        )
+        abi_args = parser.parse_args()
+        if os.path.isfile(abi_args.report_dir):
+            print("Error: {} is not a directory".format(abi_args.report_dir))
+            parser.exit()
+        old_version = SimpleNamespace(
+            version="old",
+            repository=abi_args.old_repo,
+            revision=abi_args.old_rev,
+            crypto_repository=abi_args.old_crypto_repo,
+            crypto_revision=abi_args.old_crypto_rev,
+            abi_dumps={},
+            modules={}
+        )
+        new_version = SimpleNamespace(
+            version="new",
+            repository=abi_args.new_repo,
+            revision=abi_args.new_rev,
+            crypto_repository=abi_args.new_crypto_repo,
+            crypto_revision=abi_args.new_crypto_rev,
+            abi_dumps={},
+            modules={}
+        )
+        configuration = SimpleNamespace(
+            verbose=abi_args.verbose,
+            report_dir=abi_args.report_dir,
+            keep_all_reports=abi_args.keep_all_reports,
+            brief=abi_args.brief,
+            skip_file=abi_args.skip_file
+        )
+        abi_check = AbiChecker(old_version, new_version, configuration)
+        return_code = abi_check.check_for_abi_changes()
+        sys.exit(return_code)
+    except Exception: # pylint: disable=broad-except
+        # Print the backtrace and exit explicitly so as to exit with
+        # status 2, not 1.
+        traceback.print_exc()
+        sys.exit(2)
+
+
+if __name__ == "__main__":
+    run_main()
diff --git a/3rdparty/mbedtls/mbedtls/scripts/config.pl b/3rdparty/mbedtls/mbedtls/scripts/config.pl
index 468aeb93e1..ab4322bab3 100755
--- a/3rdparty/mbedtls/mbedtls/scripts/config.pl
+++ b/3rdparty/mbedtls/mbedtls/scripts/config.pl
@@ -29,6 +29,7 @@
 #   MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
 #   MBEDTLS_NO_PLATFORM_ENTROPY
 #   MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+#   MBEDTLS_REMOVE_3DES_CIPHERSUITES
 #   MBEDTLS_SSL_HW_RECORD_ACCEL
 #   MBEDTLS_RSA_NO_CRT
 #   MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
@@ -89,6 +90,7 @@
 MBEDTLS_NO_PLATFORM_ENTROPY
 MBEDTLS_RSA_NO_CRT
 MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+MBEDTLS_REMOVE_3DES_CIPHERSUITES
 MBEDTLS_SSL_HW_RECORD_ACCEL
 MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
 MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
diff --git a/3rdparty/mbedtls/mbedtls/tests/CMakeLists.txt b/3rdparty/mbedtls/mbedtls/tests/CMakeLists.txt
index 9fd4916bbd..0f3c58f6a8 100644
--- a/3rdparty/mbedtls/mbedtls/tests/CMakeLists.txt
+++ b/3rdparty/mbedtls/mbedtls/tests/CMakeLists.txt
@@ -15,6 +15,13 @@ if(NOT PERL_FOUND)
     message(FATAL_ERROR "Cannot build test suites without Perl")
 endif()
 
+# Test suites caught by SKIP_TEST_SUITES are built but not executed.
+# "foo" as a skip pattern skips "test_suite_foo" and "test_suite_foo.bar"
+# but not "test_suite_foobar".
+string(REGEX REPLACE "[ ,;]" "|" SKIP_TEST_SUITES_REGEX "${SKIP_TEST_SUITES}")
+string(REPLACE "." "\\." SKIP_TEST_SUITES_REGEX "${SKIP_TEST_SUITES_REGEX}")
+set(SKIP_TEST_SUITES_REGEX "^(${SKIP_TEST_SUITES_REGEX})(\$|\\.)")
+
 function(add_test_suite suite_name)
     if(ARGV1)
         set(data_name ${ARGV1})
@@ -31,7 +38,11 @@ function(add_test_suite suite_name)
     include_directories(${CMAKE_CURRENT_SOURCE_DIR})
     add_executable(test_suite_${data_name} test_suite_${data_name}.c)
     target_link_libraries(test_suite_${data_name} ${libs})
-    add_test(${data_name}-suite test_suite_${data_name} --verbose)
+    if(${data_name} MATCHES ${SKIP_TEST_SUITES_REGEX})
+        message(STATUS "The test suite ${data_name} will not be executed.")
+    else()
+        add_test(${data_name}-suite test_suite_${data_name} --verbose)
+    endif()
 endfunction(add_test_suite)
 
 if(CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_CLANG)
diff --git a/3rdparty/mbedtls/mbedtls/tests/Makefile b/3rdparty/mbedtls/mbedtls/tests/Makefile
index d85617fdca..03f1a7f2fc 100644
--- a/3rdparty/mbedtls/mbedtls/tests/Makefile
+++ b/3rdparty/mbedtls/mbedtls/tests/Makefile
@@ -444,7 +444,8 @@ else
 	del /Q /F *.c *.exe
 endif
 
+# Test suites caught by SKIP_TEST_SUITES are built but not executed.
 check: $(APPS)
-	perl scripts/run-test-suites.pl
+	perl scripts/run-test-suites.pl --skip=$(SKIP_TEST_SUITES)
 
 test: check
diff --git a/3rdparty/mbedtls/mbedtls/tests/compat.sh b/3rdparty/mbedtls/mbedtls/tests/compat.sh
index a2b2d5ba12..df499dcf01 100755
--- a/3rdparty/mbedtls/mbedtls/tests/compat.sh
+++ b/3rdparty/mbedtls/mbedtls/tests/compat.sh
@@ -53,7 +53,12 @@ MODES="tls1 tls1_1 tls1_2 dtls1 dtls1_2"
 VERIFIES="NO YES"
 TYPES="ECDSA RSA PSK"
 FILTER=""
-EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR' # avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)
+# exclude:
+# - NULL: excluded from our default config
+# - RC4, single-DES: requires legacy OpenSSL/GnuTLS versions
+#   avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)
+# - 3DES: not in default config
+EXCLUDE='NULL\|DES\|RC4\|ARCFOUR'
 VERBOSE=""
 MEMCHECK=0
 PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/Makefile b/3rdparty/mbedtls/mbedtls/tests/data_files/Makefile
index 2a7a50c2e1..c10020c040 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/Makefile
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/Makefile
@@ -14,6 +14,7 @@
 OPENSSL ?= openssl
 FAKETIME ?= faketime
 MBEDTLS_CERT_WRITE ?= $(PWD)/../../programs/x509/cert_write
+MBEDTLS_CERT_REQ ?= $(PWD)/../../programs/x509/cert_req
 
 ## Build the generated test data. Note that since the final outputs
 ## are committed to the repository, this target should do nothing on a
@@ -701,6 +702,37 @@ ec_prv.pk8param.pem: ec_prv.pk8param.der
 	$(OPENSSL) pkey -in $< -inform DER -out $@
 all_final += ec_prv.pk8param.pem
 
+# server5*
+
+# The use of 'Server 1' in the DN is intentional here, as the DN is hardcoded in the x509_write test suite.'
+server5.req.ku.sha1: server5.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
+all_final += server5.req.ku.sha1
+
+################################################################
+### Generate CSRs for X.509 write test suite
+################################################################
+
+server1.req.cert_type: server1.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< ns_cert_type=ssl_server subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
+all_final += server1.req.cert_type
+
+server1.req.key_usage: server1.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation,key_encipherment subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
+all_final += server1.req.key_usage
+
+server1.req.ku-ct: server1.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation,key_encipherment ns_cert_type=ssl_server subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
+all_final += server1.req.ku-ct
+
+server1.req.key_usage_empty: server1.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 force_key_usage=1
+all_final += server1.req.key_usage_empty
+
+server1.req.cert_type_empty: server1.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 force_ns_cert_type=1
+all_final += server1.req.cert_type_empty
+
 ################################################################
 ### Generate certificates for CRT write check tests
 ################################################################
@@ -776,7 +808,33 @@ server1.v1.der.openssl: server1.v1.crt.openssl
 
 server1_all: server1.csr server1.crt server1.noauthid.crt server1.crt.openssl server1.v1.crt server1.v1.crt.openssl server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.crt.openssl server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.crt.openssl server1.der server1.der.openssl server1.v1.der server1.v1.der.openssl server1.key_usage.der server1.key_usage.der.openssl server1.cert_type.der server1.cert_type.der.openssl
 
+# MD2, MD4, MD5 test certificates
+
+cert_md_test_key = $(cli_crt_key_file_rsa)
+
+cert_md2.csr: $(cert_md_test_key)
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Cert MD2" md=MD2
+all_intermediate += cert_md2.csr
+
+cert_md2.crt: cert_md2.csr
+	$(MBEDTLS_CERT_WRITE) request_file=$< serial=9 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20000101121212 not_after=20300101121212 md=MD2 version=3 output_file=$@
+all_final += cert_md2.crt
+
+cert_md4.csr: $(cert_md_test_key)
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Cert MD4" md=MD4
+all_intermediate += cert_md4.csr
+
+cert_md4.crt: cert_md4.csr
+	$(MBEDTLS_CERT_WRITE) request_file=$< serial=5 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20000101121212 not_after=20300101121212 md=MD4 version=3 output_file=$@
+all_final += cert_md4.crt
+
+cert_md5.csr: $(cert_md_test_key)
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Cert MD5" md=MD5
+all_intermediate += cert_md5.csr
 
+cert_md5.crt: cert_md5.csr
+	$(MBEDTLS_CERT_WRITE) request_file=$< serial=6 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20000101121212 not_after=20300101121212 md=MD5 version=3 output_file=$@
+all_final += cert_md5.crt
 
 ################################################################
 #### Meta targets
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/cert_md2.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/cert_md2.crt
index bfea77b6f3..94b89afce3 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/cert_md2.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/cert_md2.crt
@@ -1,77 +1,20 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 9 (0x9)
-        Signature Algorithm: md2WithRSAEncryption
-        Issuer: C=NL, O=PolarSSL, CN=PolarSSL Test CA
-        Validity
-            Not Before: Jul 12 10:56:59 2009 GMT
-            Not After : Jul 12 10:56:59 2011 GMT
-        Subject: C=NL, O=PolarSSL, CN=PolarSSL Cert MD2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:dc:13:74:81:c6:12:f6:67:5d:a1:66:72:ed:dc:
-                    79:b6:58:5c:32:58:b3:d4:14:fd:6c:02:61:9e:0b:
-                    99:46:63:a3:0a:41:d4:42:33:21:e6:ed:43:07:5a:
-                    1d:a2:3b:64:29:a8:2a:c1:66:28:00:59:d8:0c:49:
-                    2d:30:b7:3d:8c:bb:60:62:31:83:27:7f:4b:95:92:
-                    2e:a0:d6:c6:84:94:4b:b3:e4:a6:cc:ff:32:3a:c5:
-                    ec:4c:c9:24:58:bf:b3:33:77:6a:b5:17:8b:02:10:
-                    29:8e:95:aa:91:60:17:43:42:87:a8:7c:da:09:83:
-                    98:9d:7a:65:5e:20:52:07:2e:65:a5:31:fd:d9:74:
-                    1e:00:c9:ae:9d:81:56:8b:08:0a:f5:1e:9c:dc:a2:
-                    5e:6c:db:ff:11:83:15:f4:d1:24:57:9b:0f:eb:35:
-                    c9:f1:aa:46:4e:74:7f:fe:1d:b0:91:1f:89:4a:84:
-                    cb:df:75:e3:cd:77:82:62:09:e5:9f:6d:29:de:2e:
-                    25:d8:48:b6:20:be:51:97:4c:2d:20:65:2d:2a:50:
-                    9e:24:5d:72:95:e0:a2:06:41:8c:61:e4:50:57:74:
-                    96:b1:29:b5:a1:88:37:f1:5c:9e:b2:9e:8e:83:8d:
-                    72:3b:b5:5c:fe:bb:12:89:72:5c:a1:f9:d8:18:29:
-                    b2:27
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Subject Key Identifier: 
-                B7:51:D4:E5:20:D5:45:54:F4:C5:51:1B:E0:82:B5:61:05:AF:9B:B6
-            X509v3 Authority Key Identifier: 
-                keyid:CF:22:31:27:91:D8:C2:54:FF:1E:DA:D9:EE:8A:C5:89:32:AD:0C:21
-
-    Signature Algorithm: md2WithRSAEncryption
-        28:5a:dd:48:fb:ec:80:fe:de:b7:20:c0:4c:05:a9:4b:51:e9:
-        a7:d1:4b:5e:76:42:d2:5d:9a:14:19:3b:cb:f9:91:d7:0f:11:
-        c9:cd:dd:00:8b:2c:76:73:22:a0:19:49:81:63:40:30:48:27:
-        62:90:ca:b8:dc:33:35:b3:4b:58:ca:dc:07:66:87:2e:ea:44:
-        2a:6a:13:67:7a:32:5e:48:1d:88:88:c5:70:e6:e7:ec:1b:2f:
-        a7:f4:61:71:29:f6:66:93:30:60:7e:b3:4c:01:c8:2c:53:ce:
-        00:11:ec:bf:f6:f2:ce:51:97:d8:ed:ed:dc:c9:6b:b8:19:15:
-        c8:9a:61:6d:12:9a:99:25:d8:03:1d:a6:4c:20:a5:f8:46:a3:
-        05:32:bb:1a:8e:1a:65:0d:f3:13:35:1d:6f:73:28:31:12:d7:
-        c4:9e:73:a0:a7:ce:82:25:d1:40:e8:1b:77:60:f3:3e:81:7f:
-        19:ee:cf:97:4d:c8:c3:35:9b:72:98:3b:c3:35:43:14:0a:04:
-        21:7b:f7:db:e6:5f:ce:21:d1:ce:bf:b7:ef:c1:63:21:c2:78:
-        e1:37:aa:b1:e0:31:b3:b6:63:4c:fd:66:c8:e6:cf:f8:d9:97:
-        2f:cf:92:81:3f:d4:bf:ec:e2:ad:6e:39:c7:a6:a8:e0:32:b0:
-        2e:0d:e1:30
 -----BEGIN CERTIFICATE-----
 MIIDPzCCAiegAwIBAgIBCTANBgkqhkiG9w0BAQIFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MDkwNzEyMTA1NjU5WhcNMTEwNzEyMTA1NjU5WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIENlcnQgTUQyMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3BN0gcYS9mddoWZy7dx5tlhcMliz
-1BT9bAJhnguZRmOjCkHUQjMh5u1DB1odojtkKagqwWYoAFnYDEktMLc9jLtgYjGD
-J39LlZIuoNbGhJRLs+SmzP8yOsXsTMkkWL+zM3dqtReLAhApjpWqkWAXQ0KHqHza
-CYOYnXplXiBSBy5lpTH92XQeAMmunYFWiwgK9R6c3KJebNv/EYMV9NEkV5sP6zXJ
-8apGTnR//h2wkR+JSoTL33XjzXeCYgnln20p3i4l2Ei2IL5Rl0wtIGUtKlCeJF1y
-leCiBkGMYeRQV3SWsSm1oYg38Vyesp6Og41yO7Vc/rsSiXJcofnYGCmyJwIDAQAB
-o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBS3UdTlINVFVPTFURvggrVhBa+btjAf
-BgNVHSMEGDAWgBTPIjEnkdjCVP8e2tnuisWJMq0MITANBgkqhkiG9w0BAQIFAAOC
-AQEAKFrdSPvsgP7etyDATAWpS1Hpp9FLXnZC0l2aFBk7y/mR1w8Ryc3dAIssdnMi
-oBlJgWNAMEgnYpDKuNwzNbNLWMrcB2aHLupEKmoTZ3oyXkgdiIjFcObn7Bsvp/Rh
-cSn2ZpMwYH6zTAHILFPOABHsv/byzlGX2O3t3MlruBkVyJphbRKamSXYAx2mTCCl
-+EajBTK7Go4aZQ3zEzUdb3MoMRLXxJ5zoKfOgiXRQOgbd2DzPoF/Ge7Pl03IwzWb
-cpg7wzVDFAoEIXv32+ZfziHRzr+378FjIcJ44TeqseAxs7ZjTP1myObP+NmXL8+S
-gT/Uv+zirW45x6ao4DKwLg3hMA==
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MDAwMTAxMTIxMjEyWhcNMzAwMTAxMTIxMjEyWjA8MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENlcnQgTUQyMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f
+M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu
+1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw
+MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v
+4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/
+/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB
+o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf
+BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQIFAAOC
+AQEAXLWqy34iaZ2YV+5eE1QMV/9m9nQI2X/yumRH1MT1R3oYde/YDV7+HSOM6qLs
+qSgH1DSyXv1YnJww2OyTtAVhPalICLjVjUQCyeUCiFpAIO6Xz1VE6v4GMFLqhlV1
+Nox9dDtR5Go2zwPaH64Ze9GxuDZfW+VnPRNgYOrqqCBnuhnp2uPRfOewus2AAo50
+dx1XTooCEqElQlB9EIPWbvPdJZjRjruCUtDbz+oxG4J4Ml4KCYm+/MyXNPqxV9+H
+5A9oQltuHMWasMWSfXeimQI5PPpdjndmJOhfT4RGmvTw/uNC/Xuy1kPxXQKoocz6
+93U8RQvyJxdIPtQuARNMRZ7G+Q==
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/cert_md4.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/cert_md4.crt
index 16f166b815..7d0f7cb1b4 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/cert_md4.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/cert_md4.crt
@@ -1,77 +1,20 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 5 (0x5)
-        Signature Algorithm: md4WithRSAEncryption
-        Issuer: C=NL, O=PolarSSL, CN=PolarSSL Test CA
-        Validity
-            Not Before: Feb 12 14:44:07 2011 GMT
-            Not After : Feb 12 14:44:07 2021 GMT
-        Subject: C=NL, O=PolarSSL, CN=PolarSSL Cert MD4
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:b9:3c:4a:c5:c8:a3:8e:90:17:a4:9e:52:aa:71:
-                    75:26:61:80:e7:c7:b5:6d:8c:ff:aa:b6:41:26:b7:
-                    be:11:ad:5c:73:16:0c:64:11:48:04:ff:d6:e1:3b:
-                    05:db:89:bb:b3:97:09:d5:1c:14:dd:68:87:39:b0:
-                    3d:71:cb:e2:76:d0:1a:d8:18:2d:80:1b:54:f6:e5:
-                    44:9a:f1:cb:af:61:2e:df:49:0d:9d:09:b7:ed:b1:
-                    fd:3c:fd:3c:fa:24:cf:5d:bf:7c:e4:53:e7:25:b5:
-                    ea:44:22:e9:26:d3:ea:20:94:9e:e6:61:67:ba:2e:
-                    07:67:0b:03:2f:a2:09:ed:f0:33:8f:0b:ce:10:ef:
-                    67:a4:c6:08:da:c1:ed:c2:3f:d7:4a:dd:15:3d:f9:
-                    5e:1c:81:60:46:3e:b5:b3:3d:2f:a6:de:47:1c:bc:
-                    92:ae:eb:df:27:6b:16:56:b7:dc:ec:d1:55:57:a5:
-                    6e:ec:75:25:f5:b7:7b:df:ab:d2:3a:5a:91:98:7d:
-                    97:17:0b:13:0a:a7:6b:4a:8b:c1:47:30:fb:3a:f8:
-                    41:04:d5:c1:df:b8:1d:bf:7b:01:a5:65:a2:e0:1e:
-                    36:b7:a6:5c:cc:30:5a:f8:cd:6f:cd:f1:19:62:25:
-                    ca:01:e3:35:7f:fa:20:f5:dc:fd:69:b2:6a:00:7d:
-                    17:f7
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Subject Key Identifier: 
-                7D:E4:9C:6B:E6:F9:71:7D:46:D2:12:3D:AD:6B:1D:FD:C2:AA:78:4C
-            X509v3 Authority Key Identifier: 
-                keyid:B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
-
-    Signature Algorithm: md4WithRSAEncryption
-        94:db:e1:86:71:2d:43:d6:51:61:a7:95:bc:e8:73:da:ff:e4:
-        fd:41:0f:5c:de:14:f4:c4:ba:5d:2c:30:2c:a6:dc:2d:e8:87:
-        45:f1:c5:fe:d1:4a:64:99:19:09:2f:72:7c:3f:8d:c8:31:22:
-        dd:0a:69:03:3d:12:8c:4d:c3:f7:a3:c5:d1:5d:c9:ff:4b:83:
-        6b:d6:b4:e5:d8:ce:94:5e:ec:bf:68:c5:b2:63:8e:5c:cb:f3:
-        8d:62:73:82:62:7e:df:db:7d:0b:8d:21:10:db:9a:a1:62:4d:
-        46:42:d1:bb:38:32:ef:c1:fc:a1:e2:7f:60:08:37:32:20:2c:
-        7c:a2:c9:12:0d:89:fe:2b:15:08:91:79:e2:a9:79:a4:da:cd:
-        81:43:01:e2:09:2d:1a:f4:16:ef:af:4d:50:46:5e:2d:dd:48:
-        27:10:c0:42:b7:a5:9e:c2:1f:6e:50:36:03:ed:95:77:9a:a3:
-        d9:4c:d7:23:93:b1:24:2a:63:27:28:7a:de:3d:59:d2:92:c8:
-        8f:f6:39:1d:65:ab:09:78:05:46:90:a9:f6:10:b1:ef:c8:8c:
-        4d:7d:8d:f2:78:b7:88:15:09:7e:df:e9:87:a8:64:c1:95:53:
-        fb:da:05:b7:62:bc:ad:fb:d9:a4:a9:06:6c:6b:98:01:b9:39:
-        78:d3:4e:87
 -----BEGIN CERTIFICATE-----
 MIIDPzCCAiegAwIBAgIBBTANBgkqhkiG9w0BAQMFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTEwMjEyMTQ0NDA3WhcNMjEwMjEyMTQ0NDA3WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIENlcnQgTUQ0MIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuTxKxcijjpAXpJ5SqnF1JmGA58e1
-bYz/qrZBJre+Ea1ccxYMZBFIBP/W4TsF24m7s5cJ1RwU3WiHObA9ccvidtAa2Bgt
-gBtU9uVEmvHLr2Eu30kNnQm37bH9PP08+iTPXb985FPnJbXqRCLpJtPqIJSe5mFn
-ui4HZwsDL6IJ7fAzjwvOEO9npMYI2sHtwj/XSt0VPfleHIFgRj61sz0vpt5HHLyS
-ruvfJ2sWVrfc7NFVV6Vu7HUl9bd736vSOlqRmH2XFwsTCqdrSovBRzD7OvhBBNXB
-37gdv3sBpWWi4B42t6ZczDBa+M1vzfEZYiXKAeM1f/og9dz9abJqAH0X9wIDAQAB
-o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBR95Jxr5vlxfUbSEj2tax39wqp4TDAf
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MDAwMTAxMTIxMjEyWhcNMzAwMTAxMTIxMjEyWjA8MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENlcnQgTUQ0MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f
+M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu
+1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw
+MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v
+4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/
+/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB
+o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf
 BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQMFAAOC
-AQEAlNvhhnEtQ9ZRYaeVvOhz2v/k/UEPXN4U9MS6XSwwLKbcLeiHRfHF/tFKZJkZ
-CS9yfD+NyDEi3QppAz0SjE3D96PF0V3J/0uDa9a05djOlF7sv2jFsmOOXMvzjWJz
-gmJ+39t9C40hENuaoWJNRkLRuzgy78H8oeJ/YAg3MiAsfKLJEg2J/isVCJF54ql5
-pNrNgUMB4gktGvQW769NUEZeLd1IJxDAQrelnsIfblA2A+2Vd5qj2UzXI5OxJCpj
-Jyh63j1Z0pLIj/Y5HWWrCXgFRpCp9hCx78iMTX2N8ni3iBUJft/ph6hkwZVT+9oF
-t2K8rfvZpKkGbGuYAbk5eNNOhw==
+AQEArXIW7Dy1hBXMKY8/TAfACqkFZzbGDJdD5ohQknENk6FzUHVw9SVibhi5J+nh
+/mhUhoczFg78T8ZopDcsPHKQTuy0LNcLWhZDD4S4CJCibmsf+8BWmPcSp1tsS9Zj
+etO5qNuUarL74W+rRa3qQcCXcglYTubv/PcCV+LGVqZ4XDlO5EBFJJREAREzG+iK
+Epm2y0mi1WTwjy7m7rxYHs5i5ybDHDDwU55H5wh50Vs4/vDx2kZab2K9gx6V2ggY
+CCYmRWKQHdI4XZBkpYFbbREZxMY4Y5c2PUMlr8GUq6s6eu9/GvmnIx/+EySSfxgv
+9GpN+gnyx03hjYNGO7iX8nPnXA==
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/cert_md5.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/cert_md5.crt
index 13d43f1acb..e514fd631c 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/cert_md5.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/cert_md5.crt
@@ -1,77 +1,20 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 6 (0x6)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=NL, O=PolarSSL, CN=PolarSSL Test CA
-        Validity
-            Not Before: Feb 12 14:44:07 2011 GMT
-            Not After : Feb 12 14:44:07 2021 GMT
-        Subject: C=NL, O=PolarSSL, CN=PolarSSL Cert MD5
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:b9:3c:4a:c5:c8:a3:8e:90:17:a4:9e:52:aa:71:
-                    75:26:61:80:e7:c7:b5:6d:8c:ff:aa:b6:41:26:b7:
-                    be:11:ad:5c:73:16:0c:64:11:48:04:ff:d6:e1:3b:
-                    05:db:89:bb:b3:97:09:d5:1c:14:dd:68:87:39:b0:
-                    3d:71:cb:e2:76:d0:1a:d8:18:2d:80:1b:54:f6:e5:
-                    44:9a:f1:cb:af:61:2e:df:49:0d:9d:09:b7:ed:b1:
-                    fd:3c:fd:3c:fa:24:cf:5d:bf:7c:e4:53:e7:25:b5:
-                    ea:44:22:e9:26:d3:ea:20:94:9e:e6:61:67:ba:2e:
-                    07:67:0b:03:2f:a2:09:ed:f0:33:8f:0b:ce:10:ef:
-                    67:a4:c6:08:da:c1:ed:c2:3f:d7:4a:dd:15:3d:f9:
-                    5e:1c:81:60:46:3e:b5:b3:3d:2f:a6:de:47:1c:bc:
-                    92:ae:eb:df:27:6b:16:56:b7:dc:ec:d1:55:57:a5:
-                    6e:ec:75:25:f5:b7:7b:df:ab:d2:3a:5a:91:98:7d:
-                    97:17:0b:13:0a:a7:6b:4a:8b:c1:47:30:fb:3a:f8:
-                    41:04:d5:c1:df:b8:1d:bf:7b:01:a5:65:a2:e0:1e:
-                    36:b7:a6:5c:cc:30:5a:f8:cd:6f:cd:f1:19:62:25:
-                    ca:01:e3:35:7f:fa:20:f5:dc:fd:69:b2:6a:00:7d:
-                    17:f7
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Subject Key Identifier: 
-                7D:E4:9C:6B:E6:F9:71:7D:46:D2:12:3D:AD:6B:1D:FD:C2:AA:78:4C
-            X509v3 Authority Key Identifier: 
-                keyid:B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
-
-    Signature Algorithm: md5WithRSAEncryption
-        92:13:81:0c:ff:ac:ab:98:52:6c:28:c9:c6:3e:80:c6:ec:77:
-        d0:13:e1:a2:29:1d:2f:b7:c5:95:41:83:60:d9:50:9c:d0:d6:
-        09:f7:0f:97:cd:c0:e6:b2:68:fa:31:c9:2a:a3:d3:1e:53:ae:
-        79:dc:35:ba:b0:d9:e5:7a:37:1b:2a:92:fa:d2:59:90:43:1b:
-        6a:91:c1:db:36:da:e9:39:d3:f5:ac:e3:46:01:ca:55:04:17:
-        1a:b1:97:28:e8:ff:1b:e7:e1:10:c9:b5:31:d8:ce:a6:89:6a:
-        4a:df:78:7b:02:2f:83:b3:41:d5:ef:0b:b6:44:ff:32:a6:cf:
-        1b:c2:f4:b0:75:66:a9:da:6f:7c:a5:e3:c6:c1:3a:2f:bf:f8:
-        12:6f:04:2c:37:f2:4e:fc:b9:09:ff:a4:5b:40:19:e9:58:91:
-        64:82:d6:ad:b9:7f:c0:12:c2:ce:b7:b6:ba:fb:10:a2:3f:74:
-        97:10:39:d4:dc:4a:e5:5c:f7:e5:3a:d9:68:d7:17:6b:f5:51:
-        08:b4:a2:30:0d:cc:36:10:6d:4e:1d:22:cc:48:d1:38:44:ba:
-        cc:2b:47:99:f7:c6:8b:41:24:f3:f1:2c:10:1a:f2:88:bb:b2:
-        e0:fd:44:26:3d:ad:ea:af:1d:d0:00:56:41:4e:f4:b0:3b:9d:
-        32:6f:48:c7
 -----BEGIN CERTIFICATE-----
 MIIDPzCCAiegAwIBAgIBBjANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTEwMjEyMTQ0NDA3WhcNMjEwMjEyMTQ0NDA3WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIENlcnQgTUQ1MIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuTxKxcijjpAXpJ5SqnF1JmGA58e1
-bYz/qrZBJre+Ea1ccxYMZBFIBP/W4TsF24m7s5cJ1RwU3WiHObA9ccvidtAa2Bgt
-gBtU9uVEmvHLr2Eu30kNnQm37bH9PP08+iTPXb985FPnJbXqRCLpJtPqIJSe5mFn
-ui4HZwsDL6IJ7fAzjwvOEO9npMYI2sHtwj/XSt0VPfleHIFgRj61sz0vpt5HHLyS
-ruvfJ2sWVrfc7NFVV6Vu7HUl9bd736vSOlqRmH2XFwsTCqdrSovBRzD7OvhBBNXB
-37gdv3sBpWWi4B42t6ZczDBa+M1vzfEZYiXKAeM1f/og9dz9abJqAH0X9wIDAQAB
-o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBR95Jxr5vlxfUbSEj2tax39wqp4TDAf
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MDAwMTAxMTIxMjEyWhcNMzAwMTAxMTIxMjEyWjA8MQswCQYDVQQGEwJOTDERMA8G
+A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENlcnQgTUQ1MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f
+M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu
+1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw
+MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v
+4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/
+/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB
+o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf
 BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQQFAAOC
-AQEAkhOBDP+sq5hSbCjJxj6Axux30BPhoikdL7fFlUGDYNlQnNDWCfcPl83A5rJo
-+jHJKqPTHlOuedw1urDZ5Xo3GyqS+tJZkEMbapHB2zba6TnT9azjRgHKVQQXGrGX
-KOj/G+fhEMm1MdjOpolqSt94ewIvg7NB1e8LtkT/MqbPG8L0sHVmqdpvfKXjxsE6
-L7/4Em8ELDfyTvy5Cf+kW0AZ6ViRZILWrbl/wBLCzre2uvsQoj90lxA51NxK5Vz3
-5TrZaNcXa/VRCLSiMA3MNhBtTh0izEjROES6zCtHmffGi0Ek8/EsEBryiLuy4P1E
-Jj2t6q8d0ABWQU70sDudMm9Ixw==
+AQEAF4QcMshVtVbYgvvU7f2lWakubbAISM/k+FW/f7u63m0MSSoSFeYflBOC1Wf4
+imgDEnWcWTH5V7sxsLNogxfpfTuFUaKfHeQmRhAK4UgqbDEs4dZvgo3wZ/w92G0/
+QNntJefnqaFiITXZTn6J8hxeoEq4QbucbWgeY6fTAwXtIv40BvMOSakkuIFAyIvV
+90VY1j4vnx0/xv5lIBAxah1HdtXhqtDu/sUfdCtWX5SCcVUwwM3gZ4Q1ZdWQmlvF
+737ZG7XaINxsDaI04sJxc7qvuRYhLdCwUPnZL5TGEQJ8jNa/39eEbnkvs7hbTU98
+6qG8UAYsSI7aMe1j7DZpkoPL9w==
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1-ms.req.sha256 b/3rdparty/mbedtls/mbedtls/tests/data_files/server1-ms.req.sha256
new file mode 100644
index 0000000000..b0d9414a25
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1-ms.req.sha256
@@ -0,0 +1,16 @@
+-----BEGIN NEW CERTIFICATE REQUEST-----
+MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
+GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
+ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
+HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
+W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
+FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
+DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBCwUA
+A4IBAQBY/1nnYQ3ThVyeZb1Z2wLYoHZ5rfeJCedyP7N/gjJZjhrMbwioUft2uHpb
++OZQfxRXJTbtj/1wpRMCoUMLWzapS7/xGx3IjoPtl42aM4M+xVYvbLjExL13kUAr
+eE4JWcMIbTEPol2zSdX/LuB+m27jEp5VsvM2ty9qOw/T4iKwjFSe6pcYZ2spks19
+3ltgjnaamwqKcN9zUA3IERTsWjr5exKYgfXm2OeeuSP0tHr7Dh+w/2XA9dGcLhrm
+TA4P8QjIgSDlyzmhYYmsrioFPuCfdi1uzs8bxmbLXbiCGZ8TDMy5oLqLo1K+j2pF
+ox+ATHKxQ/XpRQP+2OTb9sw1kM59
+-----END NEW CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.cert_type.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.cert_type.crt
index 91c3a90213..107328edf0 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.cert_type.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.cert_type.crt
@@ -11,10 +11,10 @@ lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
 bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
 o2AwXjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
 BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zARBglghkgBhvhCAQEEBAMC
-AEAwDQYJKoZIhvcNAQEFBQADggEBAJ28VuktjDGkUWcVpM/W+YjohFDay676Yozx
-BbBLU3QZiDkcdXZbX/jOaKKBGWrjWiB6txchV4XrlvEtVtPgPrQLil2xaD20LOqJ
-e/ZEFIAIndf06CAcimdQaPD6mww04v3gZw3cwPQd/aMQCw9tm93tyf6YU4uIh/o8
-evG1ZBrNHRyiW18kbuueLNZ2daYQIISRJSIFrAERacfOvA8r7yXJCqZnB6AU5j9u
-V+ySNW3sdZIOTfs1nWKU6SECWo72dd89Yvs7wCf3NSZNM2UemLeOjQOmZIHBiR8L
-PAhDxhra5B/QBKaWeTVQohEvKz75pLAWouUGIKlgHiqJ4cvBGcg=
+BkAwDQYJKoZIhvcNAQEFBQADggEBAL+IvLnq101fUrpfWA1s9HhyOrnJH+N2gO1F
+6UnLmDw4NuX9pttIK60Xesb5pEhtU76y2hP2EAICe8tTQgGgZG4MW4TxIvAliuHl
+qvUB/lfmAAGJoQ9WrKriL90IxcKnH3I4aIzNyG2TSIHYo6L8FXVoSrPAuL3X133D
+JF6Ie0H8GUK7UOY0pZ0c6x8LCium4Ho/1UNfouSW3x7uq8gEz8lUn2blWUr0HlQr
+HDyxTV4tjZ1jKPh0VHYBmcpxdNbObK4NRZanYRKAUCIUCD+kHi67akMAukv0qjbm
+Y8DPy+gTLyl89BHnXDR/xCzlta5KkG1oKh3jgV7QQ6BS2+mR7+4=
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.cert_type_noauthid.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.cert_type_noauthid.crt
index ed8b80baaf..0f71ecb141 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.cert_type_noauthid.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.cert_type_noauthid.crt
@@ -10,11 +10,11 @@ CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
 lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
 bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
 oz8wPTAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAR
-BglghkgBhvhCAQEEBAMCAEAwDQYJKoZIhvcNAQEFBQADggEBABNT+r+6vvlpjtyz
-mewrGOKPt5iwb8w2aReJ0AWuyQzTiduN26MhXq93cXHV0pHj2rD7MfiBEwBSWnf9
-FcxkE0g77GVyM9Vs9Uy/MspIqOce7JD0c36G4EI8lYce2TYwQLE9CGNl+LDxqkLy
-prijXBl/FaD+IO/SNMr3VVnfFEZqPUxg+BSTaGgD+52Z7B4nPP0xGPjlW367RGDv
-9dIkr1thve2WOeC9ixxl9K/864I7/0GdbgKSf77xl3/5vnQUOY7kugRvkvxWIgHS
-HNVnmEN2I2Nb0M8lQNF1sFDbpFwVbh9CkBF5LJNesy0VWd67Ho6EntPEb7vBFF/x
-jz0b2l4=
+BglghkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADggEBADAWS7qdGNShzKm+
+AO7vfM3/+6YyIq7Jelm4T7n1GkmiGJ0bf2KhX3ohvaRz5gl0165teWVhLAivaIqB
+lK3wLU9TSEaLAtgCMxw+TZhq11qq07FuaawH3nbdMAo4qA2UT0eu2CM1NJjgg8iL
+b5FYGwsNcaCmmQYWVRbKlqkA1VNY2p/4PDn8xgRcgVgmqrHf7BUrEPoRA5RXBAhM
+huceZxFpA+15x789xKUZHmMoOYvDeZNYw2Fg6Dk4jV403kxzrcP8sSx8Abu6aROb
+b2ktuUS5hS8FjrbhDgeosDTU10PQR0Ov9LpMYO4WshkYUBpgC3pSR81pGOKxJuuH
+8EV3rhc=
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.key_usage.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.key_usage.crt
index 8f4e59f2dd..303a222077 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.key_usage.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.key_usage.crt
@@ -10,11 +10,11 @@ CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
 lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
 bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
 o10wWzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
-BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAOBgNVHQ8BAf8EBAMCAeAw
-DQYJKoZIhvcNAQEFBQADggEBABKC/1x0m57EY4H412ue3ghCWgg07VcRKamnUSTs
-tnqI5T0mSvuPrxhINdQB6360ibctBkXP3S9rxGHiUdeK/JqxYs2YamCs50TSWpon
-p4Hzcmjsw1YgXsQ6pmYwkzU03zqs361gt7JSOzL2dN0IjwIy47qfLQb/AXhX2Ims
-7gBuqVpYqJuSHR0qsN/c6WgIE3IrbK1MB6CJTkxBfcSc5E4oUIBHmww+RSVLOczM
-nGk3U13dmfG0ndhMtrMyyxBZZSUwoZLjRZ6J5mHSv+k8oo1PYQeiivNEP53mgVaY
-ha0gLUIk6zNBRpY1uUmxQ+RQSMIyYPBb1RedHn2s8El2mlo=
+BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAOBgNVHQ8BAf8EBAMCBeAw
+DQYJKoZIhvcNAQEFBQADggEBAFqG4NbAqtsec3lFOiUDKQiGmMCO4Yq3NHhnRWkD
+e9r9jWo+gfLgfUJKe02a76ciE5forJRFxG4+pa3Lo38WsF5/2YRz3IfQLOjcK6c6
+DdHrTEsPXgdqhVYJZgZbCeD5Yu5YBXlegGOrlXB9+71BKX0H+AkrR2oXsdg/31Kn
+R17yP84tLucQpLdh079ecE8QTZ/21n0VTag6fQFHMeMY35MWkT4K6eRrz/Dta2tm
+keHSq/coKsmm0poYPzoMPcbh/D+kSa05Ut03NL2Y+2Q9uTjv5/K/zOgGef/mJbV2
+QxB+1as+WLTtpwc20IqAz3PVBoxbRyN2Z6vjiqqAzGlfB4M=
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.key_usage_noauthid.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.key_usage_noauthid.crt
index d66e515352..7ff26924a7 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.key_usage_noauthid.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.key_usage_noauthid.crt
@@ -10,11 +10,11 @@ CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
 lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
 bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
 ozwwOjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAO
-BgNVHQ8BAf8EBAMCAeAwDQYJKoZIhvcNAQEFBQADggEBAJZRIISo4+rDvHXXaS43
-shfSkyJyur588mNJFzty1WVfhaIkwjMIGHeGlHS29fwgPsBUgelZ3Qv3J7wsm42+
-3BwQet0l36FIBIJtFhcrTGlaCFUo/5bZJUPGgiOFB9ec/8lOszVlX8cH34UimWqg
-q2wXRGoXWPbuRnUWlJhI2bAv5ri9Mt7Rs4nK4wyS1ZjC8ByXMn4tk3yMjkUEqu0o
-37zoQiF+FJApu0eTKK5goA2hisyfCX9eJMppAbcyvJwoj/AmiBkXW8J3kEMJtLmZ
-VoxXYknnXumxBLxUrGuamR/3cmbaJHIHE1Dqox7hB+9miyp4lue1/uXHCocGAIeF
-JTo=
+BgNVHQ8BAf8EBAMCBeAwDQYJKoZIhvcNAQEFBQADggEBALIkgZjEfQcV7d7zovec
+tNVvaPO5hSE8kDVjMCdUZsKgZjMxpY8gJ4CLNIOamkIqN8sSd1zdhdexMdn3iE/O
+z5y3rQBQLs8UjLippm3abKksKrpTEkM9x7Z1X8KS7GOrnOgBWLzoE9D4F/2ay7yk
+H57qRUXEw1NlnAwKYS6hmEwf497szNKXvgr7MGbahQ/N+WfQbILW6+OSUttuoDrD
+t2uBZsGAVQGDzcQGyOuo7k8CE0D62HHZqA+ZPo/xicvyTbkk+lUfY6q6QA8sojaU
+2LuU0nBtd+LmY8odaUsQItwbIyfYZrZbXKruevVHfMKb9VuoYj6anA5jEl0pe7wN
+Tu0=
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.cert_type b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.cert_type
index 5677f32bec..3feb1fc9bf 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.cert_type
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.cert_type
@@ -7,11 +7,11 @@ HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
 W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
 FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
 DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAkMCIGCSqGSIb3DQEJDjEV
-MBMwEQYJYIZIAYb4QgEBBAQDAgBAMA0GCSqGSIb3DQEBBQUAA4IBAQB95Pkjpg/N
-Jbgl5nZcAk8maGMpUFlrhJS4kGutQKZugNX9v8cfABW905IHYXV1dm6zxVcyeqZM
-FiOgbV943fu5JbufoazdYXnnR2/iKMigqX4CzZrK3F5ZzegxkfDIfDrn/shC+rWb
-SS5WBVLJ3QNj9vwn3/b66IRbp/ViOwHx7+9JT4K/rLId/ynjYf2T57AsmNd/jptc
-Zs19fGgtrUXweWkliEZN2zE47Cc53jkx6+Li4TNs4Bjk5P/aXrCP0fBwgGt2K6YW
-dQ/nr0PwIbXzVlgUukSTHkJJfhF4Y/WqcUfOPrRdw+zxOLusJ9nzJBR0FOohcBxM
-kPBVna0dze/o
+MBMwEQYJYIZIAYb4QgEBBAQDAgZAMA0GCSqGSIb3DQEBBQUAA4IBAQBfm+BA0PSA
+9EFSFgdVODuBtjVoe+RzjiwrHVjja9/GAMurams5WSeJ0g3n0QJuNPf4m3vpSgQE
+qXZrkn2aNYSRPipiPYFUj0NMvji2gmyzmvy6VJyyerZ/saPfuySiVSJbCycA88/V
+vSv93qVHQ7QGwXlwg5dkhw4VNn1NK5CtA0DSEsGITKhdLZUZKkEdylwdjFdi+NTf
+Qx/LQ+cEECBM31s/88C6+ynd4ni42/YYRRcpj5+4TAyKt+nl9a0osrR1y3MmBeo3
+/9s9QEIpXPHMJnJDVq0q03FZwAkgGTaKI8bRsf125eh1CSBynvC6vC+LJSkPrW9g
+HUYYkPMQiQ2C
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.cert_type_empty b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.cert_type_empty
new file mode 100644
index 0000000000..d61ef6bcf4
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.cert_type_empty
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICpDCCAYwCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
+GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
+ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
+HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
+W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
+FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
+DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAjMCEGCSqGSIb3DQEJDjEU
+MBIwEAYJYIZIAYb4QgEBBAMDAQAwDQYJKoZIhvcNAQEFBQADggEBAFsbkVHizurV
+Ub9uDSTEEFm7R/TcCYjqAbP243sEOVfyCwZh49E7hrjq7lp1n/myILHX+keaxKEY
+hUq9B0Rpa61H5lTJPG3Iy1mDHcF0et4cPkDEsQw4GgjZ/A0RCNfYD+OZLATsDKMy
+AgGCZcYhjoL/8iZaYljfuE+a8Bo3xMePo+jignUhB+hEK2cNmUN2m7HqT22Ba4ag
+eJQtY0NUmBoXGJlNaDbzO79mwLl0HHxDmanLVnSzKXqzrH4U0fuoGZFuxY7Dn7AM
+vJujuWOxN1FtHOfJIimnVepuEG6wvDXMLgEPJTXSKbW6CMTgaz6fudEZzgVB6OKR
+zIbUGFi6kLg=
+-----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.key_usage b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.key_usage
index 053aed909b..5df41e1d25 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.key_usage
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.key_usage
@@ -7,11 +7,11 @@ HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
 W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
 FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
 DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAeMBwGCSqGSIb3DQEJDjEP
-MA0wCwYDVR0PBAQDAgHgMA0GCSqGSIb3DQEBBQUAA4IBAQCj6jCu0wE5OQ1JGQwZ
-FNwPqZrvKntSq2yLIbgmGxwlvDLxOzn0KmidSFiKRqh0KXwj9siodlz5C0d9tUqq
-7xUXg+j+wDHqUV8zo42Jke+UmWXFPpnXx/fDFGTITdLSn8ZDxkt31ESLTEVZvPFD
-odm+C+zWJtKpyL+9op4KvyBQ1MZ9nWZpwMaK4g4mdtOIsz75gMa74w8ZT7VzhGMY
-cZGmafsl7x++GDDtf0oCPgrj9xy+Ovv/GyUBaB+6lweflTfPDTRSoN0meFlP5ynF
-vqcBM5JKH2FUQIizfc9o6Z8tKxe9FCov3x8szAuoMRA7bjhVngeQIrEkTcaQBvBY
-NalC
+MA0wCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBBQUAA4IBAQCn0RjrgOyNn5ZQ9Hfn
+zhN5q7EAMBYdKBQayeJQQkmreqTdzG/rCHZtt3bIZ/8SWIPNiIOkvsnsGzdBLp8B
+zAAwINhcDIQtIQVObgTLZmvC1syjXfjdH02mYKAccP9OxlnWIVivSPRp9jr9IwYO
+cnT6pzGvP/RWoQen+DougM2WwiZ8YJTrtoe8DlzDq+hbTgoGeQuEGhOnxMlkiLzs
++g6yoi/1F3nsUwJI+QhBxG7Xf74gCCHZckCtSs2MBEavhcPu7o9QjuWR0YFRTaCf
+5uBL7/gNIVmrWnsQLcH1+DexxzW7lPBN1iFXUXNcweoo0fX3ykkvBYdKKicF7bM1
+zZzQ
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.key_usage_empty b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.key_usage_empty
new file mode 100644
index 0000000000..1ac1bc3d4e
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.key_usage_empty
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICnjCCAYYCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
+GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
+ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
+HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
+W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
+FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
+DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAdMBsGCSqGSIb3DQEJDjEO
+MAwwCgYDVR0PBAMDAQAwDQYJKoZIhvcNAQEFBQADggEBAHkw230TfJnAoc+6j/5R
+oGfXR92g/k2DTlDaFQywO2j03h97isp47bEq/peOlKhAuMA+aHt5n8J1w6eWsr8B
+VpoQ079jDnMtlLVAtgsEAjhwEPZchB9oZzfGztzBC4kVKchMGiSHLVQptIM3DiOT
+/5JBlfGkAfap4V4V6qRYiNESBSpEdU/wGctg4ELgQgdpRSlqRud2LgClmMy3+A3o
+rHjyAY+1oANNNOV+TBwA58OKqwsniyqmSWkhlj4c0O4n8FdE+o1eKyrsQfH9LBx7
+DBo2ilAkp0O/+G0n9Wisov2i6QuOraxW3g5/YBdfrqoVpJ5+8YZvoSGJFYDYoWvN
+CvU=
+-----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.ku-ct b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.ku-ct
index 0e057d58aa..4a0eab88ed 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.ku-ct
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.ku-ct
@@ -7,11 +7,11 @@ HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
 W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
 FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
 DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAxMC8GCSqGSIb3DQEJDjEi
-MCAwCwYDVR0PBAQDAgHgMBEGCWCGSAGG+EIBAQQEAwIAQDANBgkqhkiG9w0BAQUF
-AAOCAQEANlNG9hW852OzVKj2Z8TtU9jxstAoSCH9yc9Coj4Vw2TTjs1zcuBWsMl1
-2bf2I6ZvEH6ZhcQY7i7nyHQyPlqE4l6U9D8ct967QN7smuAHNY2HiQ2++eCBTHck
-PdtGJAzIvNlXcoqNi8UC5fGepNtI1usNo41SKMvbg6nGA5gdcQKk7CVlk8lrD0qI
-Xn/HvjSRoDE4ZGxAtNvPXWorGSxtgcy8EMPoXVUab5fNt8q//x/NQ4yEQKPrexmR
-IuOiQ8VW8QZtkORGpZbGSvskU0WfKANui4zCcXYRc4mVR4Wf0C+fyHeihhjslSnT
-RbC7nQn5HSHp31qJlr80QodywaK1Dg==
+MCAwCwYDVR0PBAQDAgXgMBEGCWCGSAGG+EIBAQQEAwIGQDANBgkqhkiG9w0BAQUF
+AAOCAQEAKIF06WMMbkfDi6z3FzG0OVqGVgCIdQjJUK2S8VrVXJ74goM8SD7jp2RC
+2d5nszk0do3ruAqaI3YOk5U9HQR0qHMSXEcAeB/qqIYWXrlZKacdzSk6vd88VC01
+uAWBSE2IQ4TWPSiWLCN54VtO8AXuF5wJgjGOh4yixVqKzcQh5b+mJs3e7cgMsC5a
+3iPt0EemCT+irT4cXtcJe9/DAvnvvvCZ5UCcvc3shBIA5pBsOOmd1yCYCbxrq3aL
+PhFf/vbbf9eORMwWsqOWopnRgBkPpVnTu9G27t/Nyjencjfk8NEaM9q8YnF0x5lD
+elCFyt+HGwoCeOBN9odfQmKQpW+eGg==
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server5.req.ku.sha1 b/3rdparty/mbedtls/mbedtls/tests/data_files/server5.req.ku.sha1
index 7556d1a052..6f3b7aaf4e 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server5.req.ku.sha1
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server5.req.ku.sha1
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIBFjCBvAIBADA8MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGjAY
+MIIBFzCBvAIBADA8MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGjAY
 BgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
 QgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/6i/SNF1d
 Fr2KiMJrdw1VzYoqDvoByLTt/6AeMBwGCSqGSIb3DQEJDjEPMA0wCwYDVR0PBAQD
-AgHAMAsGByqGSM49BAEFAANIADBFAiBjnnD7nwsFnCL+MpPPFJE3K/Tgj+5rAgXj
-e5UejDX2CAIhAKdbigWJL/ZatvG9CFHq7ykrRns2x8JEXehWu8DsXdx9
+AgbAMAsGByqGSM49BAEFAANJADBGAiEAmhkNVnF6mGzzyHxGMMuUM2tYw5/y5tlF
+3424Bs7DbG8CIQCJteTtpZ8RJ7PjpxcmVpP4fcYHFTR50zoc9jOV0AYPLQ==
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/all.sh b/3rdparty/mbedtls/mbedtls/tests/scripts/all.sh
index 391de195be..30e6d5f424 100755
--- a/3rdparty/mbedtls/mbedtls/tests/scripts/all.sh
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/all.sh
@@ -55,21 +55,46 @@
 # Notes for maintainers
 # ---------------------
 #
+# The bulk of the code is organized into functions that follow one of the
+# following naming conventions:
+#  * pre_XXX: things to do before running the tests, in order.
+#  * component_XXX: independent components. They can be run in any order.
+#      * component_check_XXX: quick tests that aren't worth parallelizing.
+#      * component_build_XXX: build things but don't run them.
+#      * component_test_XXX: build and test.
+#  * support_XXX: if support_XXX exists and returns false then
+#    component_XXX is not run by default.
+#  * post_XXX: things to do after running the tests.
+#  * other: miscellaneous support functions.
+#
+# Each component must start by invoking `msg` with a short informative message.
+#
+# The framework performs some cleanup tasks after each component. This
+# means that components can assume that the working directory is in a
+# cleaned-up state, and don't need to perform the cleanup themselves.
+# * Run `make clean`.
+# * Restore `include/mbedtks/config.h` from a backup made before running
+#   the component.
+# * Check out `Makefile`, `library/Makefile`, `programs/Makefile` and
+#   `tests/Makefile` from git. This cleans up after an in-tree use of
+#   CMake.
+#
+# Any command that is expected to fail must be protected so that the
+# script keeps running in --keep-going mode despite `set -e`. In keep-going
+# mode, if a protected command fails, this is logged as a failure and the
+# script will exit with a failure status once it has run all components.
+# Commands can be protected in any of the following ways:
+# * `make` is a function which runs the `make` command with protection.
+#   Note that you must write `make VAR=value`, not `VAR=value make`,
+#   because the `VAR=value make` syntax doesn't work with functions.
+# * Put `report_status` before the command to protect it.
+# * Put `if_build_successful` before a command. This protects it, and
+#   additionally skips it if a prior invocation of `make` in the same
+#   component failed.
+#
 # The tests are roughly in order from fastest to slowest. This doesn't
 # have to be exact, but in general you should add slower tests towards
 # the end and fast checks near the beginning.
-#
-# Sanity checks have the following form:
-#   1. msg "short description of what is about to be done"
-#   2. run sanity check (failure stops the script)
-#
-# Build or build-and-test steps have the following form:
-#   1. msg "short description of what is about to be done"
-#   2. cleanup
-#   3. preparation (config.pl, cmake, ...) (failure stops the script)
-#   4. make
-#   5. Run tests if relevant. All tests must be prefixed with
-#      if_build_successful for the sake of --keep-going.
 
 
 
@@ -80,50 +105,93 @@
 # Abort on errors (and uninitialised variables)
 set -eu
 
-if [ "$( uname )" != "Linux" ]; then
-    echo "This script only works in Linux" >&2
-    exit 1
-elif [ -d library -a -d include -a -d tests ]; then :; else
-    echo "Must be run from mbed TLS root" >&2
-    exit 1
-fi
+pre_check_environment () {
+    if [ -d library -a -d include -a -d tests ]; then :; else
+        echo "Must be run from mbed TLS root" >&2
+        exit 1
+    fi
+}
 
-CONFIG_H='include/mbedtls/config.h'
-CONFIG_BAK="$CONFIG_H.bak"
-
-MEMORY=0
-FORCE=0
-KEEP_GOING=0
-RUN_ARMCC=1
-YOTTA=1
-
-# Default commands, can be overriden by the environment
-: ${OPENSSL:="openssl"}
-: ${OPENSSL_LEGACY:="$OPENSSL"}
-: ${GNUTLS_CLI:="gnutls-cli"}
-: ${GNUTLS_SERV:="gnutls-serv"}
-: ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
-: ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"}
-: ${OUT_OF_SOURCE_DIR:=./mbedtls_out_of_source_build}
-: ${ARMC5_BIN_DIR:=/usr/bin}
-: ${ARMC6_BIN_DIR:=/usr/bin}
-
-# if MAKEFLAGS is not set add the -j option to speed up invocations of make
-if [ -n "${MAKEFLAGS+set}" ]; then
-    export MAKEFLAGS="-j"
-fi
+pre_initialize_variables () {
+    CONFIG_H='include/mbedtls/config.h'
+    CONFIG_BAK="$CONFIG_H.bak"
+
+    MEMORY=0
+    FORCE=0
+    KEEP_GOING=0
+    YOTTA=1
+
+    # Default commands, can be overriden by the environment
+    : ${OPENSSL:="openssl"}
+    : ${OPENSSL_LEGACY:="$OPENSSL"}
+    : ${GNUTLS_CLI:="gnutls-cli"}
+    : ${GNUTLS_SERV:="gnutls-serv"}
+    : ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
+    : ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"}
+    : ${OUT_OF_SOURCE_DIR:=./mbedtls_out_of_source_build}
+    : ${ARMC5_BIN_DIR:=/usr/bin}
+    : ${ARMC6_BIN_DIR:=/usr/bin}
+
+    # if MAKEFLAGS is not set add the -j option to speed up invocations of make
+    if [ -z "${MAKEFLAGS+set}" ]; then
+        export MAKEFLAGS="-j"
+    fi
+
+    # Gather the list of available components. These are the functions
+    # defined in this script whose name starts with "component_".
+    # Parse the script with sed, because in sh there is no way to list
+    # defined functions.
+    ALL_COMPONENTS=$(sed -n 's/^ *component_\([0-9A-Z_a-z]*\) *().*/\1/p' <"$0")
+
+    # Exclude components that are not supported on this platform.
+    SUPPORTED_COMPONENTS=
+    for component in $ALL_COMPONENTS; do
+        case $(type "support_$component" 2>&1) in
+            *' function'*)
+                if ! support_$component; then continue; fi;;
+        esac
+        SUPPORTED_COMPONENTS="$SUPPORTED_COMPONENTS $component"
+    done
+}
+
+# Test whether the component $1 is included in the command line patterns.
+is_component_included()
+{
+    set -f
+    for pattern in $COMMAND_LINE_COMPONENTS; do
+        set +f
+        case ${1#component_} in $pattern) return 0;; esac
+    done
+    set +f
+    return 1
+}
 
 usage()
 {
     cat <<EOF
-Usage: $0 [OPTION]...
-  -h|--help             Print this help.
+Usage: $0 [OPTION]... [COMPONENT]...
+Run mbedtls release validation tests.
+By default, run all tests. With one or more COMPONENT, run only those.
+COMPONENT can be the name of a component or a shell wildcard pattern.
+
+Examples:
+  $0 "check_*"
+    Run all sanity checks.
+  $0 --no-armcc --except test_memsan
+    Run everything except builds that require armcc and MemSan.
+
+Special options:
+  -h|--help             Print this help and exit.
+  --list-all-components List all available test components and exit.
+  --list-components     List components supported on this platform and exit.
 
 General options:
   -f|--force            Force the tests to overwrite any modified files.
   -k|--keep-going       Run all tests and report errors at the end.
   -m|--memory           Additional optional memory tests.
      --armcc            Run ARM Compiler builds (on by default).
+     --except           Exclude the COMPONENTs listed on the command line,
+                        instead of running only those.
      --no-armcc         Skip ARM Compiler builds.
      --no-force         Refuse to overwrite modified files (default).
      --no-keep-going    Stop at the first error (default).
@@ -190,25 +258,27 @@ trap 'fatal_signal TERM' TERM
 
 msg()
 {
+    if [ -n "${current_component:-}" ]; then
+        current_section="${current_component#component_}: $1"
+    else
+        current_section="$1"
+    fi
     echo ""
     echo "******************************************************************"
-    echo "* $1 "
+    echo "* $current_section "
     printf "* "; date
     echo "******************************************************************"
-    current_section=$1
 }
 
-if [ $RUN_ARMCC -ne 0 ]; then
-    armc6_build_test()
-    {
-        FLAGS="$1"
+armc6_build_test()
+{
+    FLAGS="$1"
 
-        msg "build: ARM Compiler 6 ($FLAGS), make"
-        ARM_TOOL_VARIANT="ult" CC="$ARMC6_CC" AR="$ARMC6_AR" CFLAGS="$FLAGS" \
-                        WARNING_CFLAGS='-xc -std=c99' make lib
-        make clean
-    }
-fi
+    msg "build: ARM Compiler 6 ($FLAGS), make"
+    ARM_TOOL_VARIANT="ult" CC="$ARMC6_CC" AR="$ARMC6_AR" CFLAGS="$FLAGS" \
+                    WARNING_CFLAGS='-xc -std=c99' make lib
+    make clean
+}
 
 err_msg()
 {
@@ -225,72 +295,108 @@ check_tools()
     done
 }
 
-while [ $# -gt 0 ]; do
-    case "$1" in
-        --armcc) RUN_ARMCC=1;;
-        --armc5-bin-dir) shift; ARMC5_BIN_DIR="$1";;
-        --armc6-bin-dir) shift; ARMC6_BIN_DIR="$1";;
-        --force|-f) FORCE=1;;
-        --gnutls-cli) shift; GNUTLS_CLI="$1";;
-        --gnutls-legacy-cli) shift; GNUTLS_LEGACY_CLI="$1";;
-        --gnutls-legacy-serv) shift; GNUTLS_LEGACY_SERV="$1";;
-        --gnutls-serv) shift; GNUTLS_SERV="$1";;
-        --help|-h) usage; exit;;
-        --keep-going|-k) KEEP_GOING=1;;
-        --memory|-m) MEMORY=1;;
-        --no-armcc) RUN_ARMCC=0;;
-        --no-force) FORCE=0;;
-        --no-keep-going) KEEP_GOING=0;;
-        --no-memory) MEMORY=0;;
-        --no-yotta) YOTTA=0;;
-        --openssl) shift; OPENSSL="$1";;
-        --openssl-legacy) shift; OPENSSL_LEGACY="$1";;
-        --out-of-source-dir) shift; OUT_OF_SOURCE_DIR="$1";;
-        --random-seed) unset SEED;;
-        --release-test|-r) SEED=1;;
-        --seed|-s) shift; SEED="$1";;
-        --yotta) YOTTA=1;;
-        *)
-            echo >&2 "Unknown option: $1"
-            echo >&2 "Run $0 --help for usage."
-            exit 120
-            ;;
-    esac
-    shift
-done
+pre_parse_command_line () {
+    COMMAND_LINE_COMPONENTS=
+    all_except=0
+    no_armcc=
+
+    while [ $# -gt 0 ]; do
+        case "$1" in
+            --armcc) no_armcc=;;
+            --armc5-bin-dir) shift; ARMC5_BIN_DIR="$1";;
+            --armc6-bin-dir) shift; ARMC6_BIN_DIR="$1";;
+            --except) all_except=1;;
+            --force|-f) FORCE=1;;
+            --gnutls-cli) shift; GNUTLS_CLI="$1";;
+            --gnutls-legacy-cli) shift; GNUTLS_LEGACY_CLI="$1";;
+            --gnutls-legacy-serv) shift; GNUTLS_LEGACY_SERV="$1";;
+            --gnutls-serv) shift; GNUTLS_SERV="$1";;
+            --help|-h) usage; exit;;
+            --keep-going|-k) KEEP_GOING=1;;
+            --list-all-components) printf '%s\n' $ALL_COMPONENTS; exit;;
+            --list-components) printf '%s\n' $SUPPORTED_COMPONENTS; exit;;
+            --memory|-m) MEMORY=1;;
+            --no-armcc) no_armcc=1;;
+            --no-force) FORCE=0;;
+            --no-keep-going) KEEP_GOING=0;;
+            --no-memory) MEMORY=0;;
+            --no-yotta) YOTTA=0;;
+            --openssl) shift; OPENSSL="$1";;
+            --openssl-legacy) shift; OPENSSL_LEGACY="$1";;
+            --out-of-source-dir) shift; OUT_OF_SOURCE_DIR="$1";;
+            --random-seed) unset SEED;;
+            --release-test|-r) SEED=1;;
+            --seed|-s) shift; SEED="$1";;
+            --yotta) YOTTA=1;;
+            -*)
+                echo >&2 "Unknown option: $1"
+                echo >&2 "Run $0 --help for usage."
+                exit 120
+                ;;
+            *) COMMAND_LINE_COMPONENTS="$COMMAND_LINE_COMPONENTS $1";;
+        esac
+        shift
+    done
 
-if [ $FORCE -eq 1 ]; then
-    if [ $YOTTA -eq 1 ]; then
-        rm -rf yotta/module "$OUT_OF_SOURCE_DIR"
+    # With no list of components, run everything.
+    if [ -z "$COMMAND_LINE_COMPONENTS" ]; then
+        all_except=1
     fi
-    git checkout-index -f -q $CONFIG_H
-    cleanup
-else
 
-    if [ $YOTTA -ne 0 ] && [ -d yotta/module ]; then
-        err_msg "Warning - there is an existing yotta module in the directory 'yotta/module'"
-        echo "You can either delete your work and retry, or force the test to overwrite the"
-        echo "test by rerunning the script as: $0 --force"
-        exit 1
+    # --no-armcc is a legacy option. The modern way is --except '*_armcc*'.
+    # Ignore it if components are listed explicitly on the command line.
+    if [ -n "$no_armcc" ] && [ $all_except -eq 1 ]; then
+        COMMAND_LINE_COMPONENTS="$COMMAND_LINE_COMPONENTS *_armcc*"
+        # --no-armcc also disables yotta.
+        COMMAND_LINE_COMPONENTS="$COMMAND_LINE_COMPONENTS *_yotta*"
     fi
 
-    if [ -d "$OUT_OF_SOURCE_DIR" ]; then
-        echo "Warning - there is an existing directory at '$OUT_OF_SOURCE_DIR'" >&2
-        echo "You can either delete this directory manually, or force the test by rerunning"
-        echo "the script as: $0 --force --out-of-source-dir $OUT_OF_SOURCE_DIR"
-        exit 1
-    fi
+    # Build the list of components to run.
+    RUN_COMPONENTS=
+    for component in $SUPPORTED_COMPONENTS; do
+        if is_component_included "$component"; [ $? -eq $all_except ]; then
+            RUN_COMPONENTS="$RUN_COMPONENTS $component"
+        fi
+    done
 
-    if ! git diff-files --quiet include/mbedtls/config.h; then
-        err_msg "Warning - the configuration file 'include/mbedtls/config.h' has been edited. "
-        echo "You can either delete or preserve your work, or force the test by rerunning the"
-        echo "script as: $0 --force"
-        exit 1
+    unset all_except
+    unset no_armcc
+}
+
+pre_check_git () {
+    if [ $FORCE -eq 1 ]; then
+        rm -rf "$OUT_OF_SOURCE_DIR"
+        if [ $YOTTA -eq 1 ]; then
+            rm -rf yotta/module
+        fi
+        git checkout-index -f -q $CONFIG_H
+        cleanup
+    else
+
+        if [ $YOTTA -ne 0 ] && [ -d yotta/module ]; then
+            err_msg "Warning - there is an existing yotta module in the directory 'yotta/module'"
+            echo "You can either delete your work and retry, or force the test to overwrite the"
+            echo "test by rerunning the script as: $0 --force"
+            exit 1
+        fi
+
+        if [ -d "$OUT_OF_SOURCE_DIR" ]; then
+            echo "Warning - there is an existing directory at '$OUT_OF_SOURCE_DIR'" >&2
+            echo "You can either delete this directory manually, or force the test by rerunning"
+            echo "the script as: $0 --force --out-of-source-dir $OUT_OF_SOURCE_DIR"
+            exit 1
+        fi
+
+        if ! git diff --quiet include/mbedtls/config.h; then
+            err_msg "Warning - the configuration file 'include/mbedtls/config.h' has been edited. "
+            echo "You can either delete or preserve your work, or force the test by rerunning the"
+            echo "script as: $0 --force"
+            exit 1
+        fi
     fi
-fi
+}
 
-build_status=0
-if [ $KEEP_GOING -eq 1 ]; then
+pre_setup_keep_going () {
     failure_summary=
     failure_count=0
     start_red=
@@ -344,53 +450,94 @@ $text"
             echo "Killed by SIG$1."
         fi
     }
-else
-    record_status () {
-        "$@"
-    }
-fi
+}
+
 if_build_succeeded () {
     if [ $build_status -eq 0 ]; then
         record_status "$@"
     fi
 }
 
-msg "info: $0 configuration"
-echo "MEMORY: $MEMORY"
-echo "FORCE: $FORCE"
-echo "SEED: ${SEED-"UNSET"}"
-echo "OPENSSL: $OPENSSL"
-echo "OPENSSL_LEGACY: $OPENSSL_LEGACY"
-echo "GNUTLS_CLI: $GNUTLS_CLI"
-echo "GNUTLS_SERV: $GNUTLS_SERV"
-echo "GNUTLS_LEGACY_CLI: $GNUTLS_LEGACY_CLI"
-echo "GNUTLS_LEGACY_SERV: $GNUTLS_LEGACY_SERV"
-echo "ARMC5_BIN_DIR: $ARMC5_BIN_DIR"
-echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR"
-
-ARMC5_CC="$ARMC5_BIN_DIR/armcc"
-ARMC5_AR="$ARMC5_BIN_DIR/armar"
-ARMC6_CC="$ARMC6_BIN_DIR/armclang"
-ARMC6_AR="$ARMC6_BIN_DIR/armar"
-
-# To avoid setting OpenSSL and GnuTLS for each call to compat.sh and ssl-opt.sh
-# we just export the variables they require
-export OPENSSL_CMD="$OPENSSL"
-export GNUTLS_CLI="$GNUTLS_CLI"
-export GNUTLS_SERV="$GNUTLS_SERV"
-
-# Avoid passing --seed flag in every call to ssl-opt.sh
-if [ -n "${SEED-}" ]; then
-  export SEED
-fi
+# to be used instead of ! for commands run with
+# record_status or if_build_succeeded
+not() {
+    ! "$@"
+}
+
+
+pre_print_configuration () {
+    msg "info: $0 configuration"
+    echo "MEMORY: $MEMORY"
+    echo "FORCE: $FORCE"
+    echo "SEED: ${SEED-"UNSET"}"
+    echo "OPENSSL: $OPENSSL"
+    echo "OPENSSL_LEGACY: $OPENSSL_LEGACY"
+    echo "GNUTLS_CLI: $GNUTLS_CLI"
+    echo "GNUTLS_SERV: $GNUTLS_SERV"
+    echo "GNUTLS_LEGACY_CLI: $GNUTLS_LEGACY_CLI"
+    echo "GNUTLS_LEGACY_SERV: $GNUTLS_LEGACY_SERV"
+    echo "ARMC5_BIN_DIR: $ARMC5_BIN_DIR"
+    echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR"
+}
 
 # Make sure the tools we need are available.
-check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$GNUTLS_CLI" "$GNUTLS_SERV" \
-            "$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV" "doxygen" "dot" \
-            "arm-none-eabi-gcc" "i686-w64-mingw32-gcc"
-if [ $RUN_ARMCC -ne 0 ]; then
-    check_tools "$ARMC5_CC" "$ARMC5_AR" "$ARMC6_CC" "$ARMC6_AR"
-fi
+pre_check_tools () {
+    # Build the list of variables to pass to output_env.sh.
+    set env
+
+    case " $RUN_COMPONENTS " in
+        # Require OpenSSL and GnuTLS if running any tests (as opposed to
+        # only doing builds). Not all tests run OpenSSL and GnuTLS, but this
+        # is a good enough approximation in practice.
+        *" test_"*)
+            # To avoid setting OpenSSL and GnuTLS for each call to compat.sh
+            # and ssl-opt.sh, we just export the variables they require.
+            export OPENSSL_CMD="$OPENSSL"
+            export GNUTLS_CLI="$GNUTLS_CLI"
+            export GNUTLS_SERV="$GNUTLS_SERV"
+            # Avoid passing --seed flag in every call to ssl-opt.sh
+            if [ -n "${SEED-}" ]; then
+                export SEED
+            fi
+            set "$@" OPENSSL="$OPENSSL" OPENSSL_LEGACY="$OPENSSL_LEGACY"
+            set "$@" GNUTLS_CLI="$GNUTLS_CLI" GNUTLS_SERV="$GNUTLS_SERV"
+            set "$@" GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI"
+            set "$@" GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV"
+            check_tools "$OPENSSL" "$OPENSSL_LEGACY" \
+                        "$GNUTLS_CLI" "$GNUTLS_SERV" \
+                        "$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV"
+            ;;
+    esac
+
+    case " $RUN_COMPONENTS " in
+        *_doxygen[_\ ]*) check_tools "doxygen" "dot";;
+    esac
+
+    case " $RUN_COMPONENTS " in
+        *_arm_none_eabi_gcc[_\ ]*) check_tools "arm-none-eabi-gcc";;
+    esac
+
+    case " $RUN_COMPONENTS " in
+        *_mingw[_\ ]*) check_tools "i686-w64-mingw32-gcc";;
+    esac
+
+    case " $RUN_COMPONENTS " in
+        *_armcc*|*_yotta*)
+            ARMC5_CC="$ARMC5_BIN_DIR/armcc"
+            ARMC5_AR="$ARMC5_BIN_DIR/armar"
+            ARMC6_CC="$ARMC6_BIN_DIR/armclang"
+            ARMC6_AR="$ARMC6_BIN_DIR/armar"
+            check_tools "$ARMC5_CC" "$ARMC5_AR" "$ARMC6_CC" "$ARMC6_AR";;
+    esac
+
+    msg "info: output_env.sh"
+    case $RUN_COMPONENTS in
+        *_armcc*|*_yotta*)
+            set "$@" ARMC5_CC="$ARMC5_CC" ARMC6_CC="$ARMC6_CC" RUN_ARMCC=1;;
+        *) set "$@" RUN_ARMCC=0;;
+    esac
+    "$@" scripts/output_env.sh
+}
 
 
 
@@ -409,378 +556,425 @@ fi
 #
 # Indicative running times are given for reference.
 
-msg "info: output_env.sh"
-OPENSSL="$OPENSSL" OPENSSL_LEGACY="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_CLI" \
-    GNUTLS_SERV="$GNUTLS_SERV" GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI" \
-    GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV" ARMC5_CC="$ARMC5_CC" \
-    ARMC6_CC="$ARMC6_CC" RUN_ARMCC="$RUN_ARMCC" scripts/output_env.sh
-
-msg "test: recursion.pl" # < 1s
-record_status tests/scripts/recursion.pl library/*.c
-
-msg "test: freshness of generated source files" # < 1s
-record_status tests/scripts/check-generated-files.sh
+component_check_recursion () {
+    msg "test: recursion.pl" # < 1s
+    record_status tests/scripts/recursion.pl library/*.c
+}
 
-msg "test: doxygen markup outside doxygen blocks" # < 1s
-record_status tests/scripts/check-doxy-blocks.pl
+component_check_generated_files () {
+    msg "test: freshness of generated source files" # < 1s
+    record_status tests/scripts/check-generated-files.sh
+}
 
-msg "test: check-files.py" # < 1s
-cleanup
-record_status tests/scripts/check-files.py
+component_check_doxy_blocks () {
+    msg "test: doxygen markup outside doxygen blocks" # < 1s
+    record_status tests/scripts/check-doxy-blocks.pl
+}
 
-msg "test/build: declared and exported names" # < 3s
-cleanup
-record_status tests/scripts/check-names.sh
+component_check_files () {
+    msg "test: check-files.py" # < 1s
+    record_status tests/scripts/check-files.py
+}
 
-msg "test: doxygen warnings" # ~ 3s
-cleanup
-record_status tests/scripts/doxygen.sh
+component_check_names () {
+    msg "test/build: declared and exported names" # < 3s
+    record_status tests/scripts/check-names.sh -v
+}
 
+component_check_doxygen_warnings () {
+    msg "test: doxygen warnings" # ~ 3s
+    record_status tests/scripts/doxygen.sh
+}
 
 
 ################################################################
 #### Build and test many configurations and targets
 ################################################################
 
-if [ $RUN_ARMCC -ne 0 ] && [ $YOTTA -ne 0 ]; then
+component_test_default_out_of_box () {
+    msg "build: make, default config (out-of-box)" # ~1min
+    make
+
+    msg "test: main suites make, default config (out-of-box)" # ~10s
+    make test
+
+    msg "selftest: make, default config (out-of-box)" # ~10s
+    programs/test/selftest
+}
+
+component_build_yotta () {
     # Note - use of yotta is deprecated, and yotta also requires armcc to be on the
     # path, and uses whatever version of armcc it finds there.
     msg "build: create and build yotta module" # ~ 30s
-    cleanup
     record_status tests/scripts/yotta-build.sh
-fi
+}
+support_build_yotta () {
+    [ $YOTTA -ne 0 ]
+}
 
-msg "build: cmake, gcc, ASan" # ~ 1 min 50s
-cleanup
-CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
-make
+component_test_default_cmake_gcc_asan () {
+    msg "build: cmake, gcc, ASan" # ~ 1 min 50s
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    make
 
-msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s
-make test
+    msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s
+    make test
 
-msg "test: ssl-opt.sh (ASan build)" # ~ 1 min
-if_build_succeeded tests/ssl-opt.sh
+    msg "test: ssl-opt.sh (ASan build)" # ~ 1 min
+    if_build_succeeded tests/ssl-opt.sh
 
-msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s
-record_status tests/scripts/test-ref-configs.pl
+    msg "test: compat.sh (ASan build)" # ~ 6 min
+    if_build_succeeded tests/compat.sh
+}
 
-msg "build: with ASan (rebuild after ref-configs)" # ~ 1 min
-make
+component_test_ref_configs () {
+    msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    record_status tests/scripts/test-ref-configs.pl
+}
 
-msg "test: compat.sh (ASan build)" # ~ 6 min
-if_build_succeeded tests/compat.sh
+component_test_sslv3 () {
+    msg "build: Default + SSLv3 (ASan build)" # ~ 6 min
+    scripts/config.pl set MBEDTLS_SSL_PROTO_SSL3
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    make
 
-msg "build: Default + SSLv3 (ASan build)" # ~ 6 min
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl set MBEDTLS_SSL_PROTO_SSL3
-CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
-make
+    msg "test: SSLv3 - main suites (inc. selftests) (ASan build)" # ~ 50s
+    make test
 
-msg "test: SSLv3 - main suites (inc. selftests) (ASan build)" # ~ 50s
-make test
+    msg "build: SSLv3 - compat.sh (ASan build)" # ~ 6 min
+    if_build_succeeded tests/compat.sh -m 'tls1 tls1_1 tls1_2 dtls1 dtls1_2'
+    if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3'
 
-msg "build: SSLv3 - compat.sh (ASan build)" # ~ 6 min
-if_build_succeeded tests/compat.sh -m 'tls1 tls1_1 tls1_2 dtls1 dtls1_2'
-if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3'
+    msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min
+    if_build_succeeded tests/ssl-opt.sh
+}
 
-msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min
-if_build_succeeded tests/ssl-opt.sh
+component_test_no_renegotiation () {
+    msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min
+    scripts/config.pl unset MBEDTLS_SSL_RENEGOTIATION
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    make
 
-msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl unset MBEDTLS_SSL_RENEGOTIATION
-CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
-make
+    msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s
+    make test
 
-msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s
-make test
+    msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min
+    if_build_succeeded tests/ssl-opt.sh
+}
 
-msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min
-if_build_succeeded tests/ssl-opt.sh
+component_test_rsa_no_crt () {
+    msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min
+    scripts/config.pl set MBEDTLS_RSA_NO_CRT
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    make
 
-msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl set MBEDTLS_RSA_NO_CRT
-CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
-make
+    msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s
+    make test
 
-msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s
-make test
+    msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s
+    if_build_succeeded tests/ssl-opt.sh -f RSA
 
-msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s
-if_build_succeeded tests/ssl-opt.sh -f RSA
+    msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min
+    if_build_succeeded tests/compat.sh -t RSA
+}
 
-msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min
-if_build_succeeded tests/compat.sh -t RSA
+component_test_full_cmake_clang () {
+    msg "build: cmake, full config, clang" # ~ 50s
+    scripts/config.pl full
+    scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
+    CC=clang cmake -D CMAKE_BUILD_TYPE:String=Check -D ENABLE_TESTING=On .
+    make
 
-msg "build: cmake, full config, clang" # ~ 50s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
-CC=clang cmake -D CMAKE_BUILD_TYPE:String=Check -D ENABLE_TESTING=On .
-make
+    msg "test: main suites (full config)" # ~ 5s
+    make test
 
-msg "test: main suites (full config)" # ~ 5s
-make test
+    msg "test: ssl-opt.sh default (full config)" # ~ 1s
+    if_build_succeeded tests/ssl-opt.sh -f Default
 
-msg "test: ssl-opt.sh default (full config)" # ~ 1s
-if_build_succeeded tests/ssl-opt.sh -f Default
+    msg "test: compat.sh RC4, DES, 3DES & NULL (full config)" # ~ 2 min
+    if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'
+}
 
-msg "test: compat.sh RC4, DES & NULL (full config)" # ~ 2 min
-if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR'
+component_build_deprecated () {
+    msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s
+    scripts/config.pl full
+    scripts/config.pl set MBEDTLS_DEPRECATED_WARNING
+    # Build with -O -Wextra to catch a maximum of issues.
+    make CC=gcc CFLAGS='-O -Werror -Wall -Wextra' lib programs
+    make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests
 
-msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl set MBEDTLS_DEPRECATED_WARNING
-# Build with -O -Wextra to catch a maximum of issues.
-make CC=gcc CFLAGS='-O -Werror -Wall -Wextra' lib programs
-make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests
-
-msg "build: make, full config + DEPRECATED_REMOVED, clang -O" # ~ 30s
-# No cleanup, just tweak the configuration and rebuild
-make clean
-scripts/config.pl unset MBEDTLS_DEPRECATED_WARNING
-scripts/config.pl set MBEDTLS_DEPRECATED_REMOVED
-# Build with -O -Wextra to catch a maximum of issues.
-make CC=clang CFLAGS='-O -Werror -Wall -Wextra' lib programs
-make CC=clang CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests
-
-msg "test/build: curves.pl (gcc)" # ~ 4 min
-cleanup
-record_status tests/scripts/curves.pl
+    msg "build: make, full config + DEPRECATED_REMOVED, clang -O" # ~ 30s
+    # No cleanup, just tweak the configuration and rebuild
+    make clean
+    scripts/config.pl unset MBEDTLS_DEPRECATED_WARNING
+    scripts/config.pl set MBEDTLS_DEPRECATED_REMOVED
+    # Build with -O -Wextra to catch a maximum of issues.
+    make CC=clang CFLAGS='-O -Werror -Wall -Wextra' lib programs
+    make CC=clang CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests
+}
 
-msg "test/build: depends-hashes.pl (gcc)" # ~ 2 min
-cleanup
-record_status tests/scripts/depends-hashes.pl
+component_test_depends_curves () {
+    msg "test/build: curves.pl (gcc)" # ~ 4 min
+    record_status tests/scripts/curves.pl
+}
 
-msg "test/build: depends-pkalgs.pl (gcc)" # ~ 2 min
-cleanup
-record_status tests/scripts/depends-pkalgs.pl
+component_test_depends_hashes () {
+    msg "test/build: depends-hashes.pl (gcc)" # ~ 2 min
+    record_status tests/scripts/depends-hashes.pl
+}
 
-msg "test/build: key-exchanges (gcc)" # ~ 1 min
-cleanup
-record_status tests/scripts/key-exchanges.pl
+component_test_depends_pkalgs () {
+    msg "test/build: depends-pkalgs.pl (gcc)" # ~ 2 min
+    record_status tests/scripts/depends-pkalgs.pl
+}
 
-msg "build: Unix make, -Os (gcc)" # ~ 30s
-cleanup
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os'
+component_build_key_exchanges () {
+    msg "test/build: key-exchanges (gcc)" # ~ 1 min
+    record_status tests/scripts/key-exchanges.pl
+}
 
-# Full configuration build, without platform support, file IO and net sockets.
-# This should catch missing mbedtls_printf definitions, and by disabling file
-# IO, it should catch missing '#include <stdio.h>'
-msg "build: full config except platform/fsio/net, make, gcc, C99" # ~ 30s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl unset MBEDTLS_PLATFORM_C
-scripts/config.pl unset MBEDTLS_NET_C
-scripts/config.pl unset MBEDTLS_PLATFORM_MEMORY
-scripts/config.pl unset MBEDTLS_PLATFORM_PRINTF_ALT
-scripts/config.pl unset MBEDTLS_PLATFORM_FPRINTF_ALT
-scripts/config.pl unset MBEDTLS_PLATFORM_SNPRINTF_ALT
-scripts/config.pl unset MBEDTLS_PLATFORM_TIME_ALT
-scripts/config.pl unset MBEDTLS_PLATFORM_EXIT_ALT
-scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
-scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
-scripts/config.pl unset MBEDTLS_FS_IO
-# Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
-# to re-enable platform integration features otherwise disabled in C99 builds
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -O0 -D_DEFAULT_SOURCE' lib programs
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0' test
-
-# catch compile bugs in _uninit functions
-msg "build: full config with NO_STD_FUNCTION, make, gcc" # ~ 30s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl set MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
-scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0'
+component_build_default_make_gcc () {
+    msg "build: Unix make, -Os (gcc)" # ~ 30s
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os'
+}
 
-msg "build: full config except ssl_srv.c, make, gcc" # ~ 30s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl unset MBEDTLS_SSL_SRV_C
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0'
+component_test_no_platform () {
+    # Full configuration build, without platform support, file IO and net sockets.
+    # This should catch missing mbedtls_printf definitions, and by disabling file
+    # IO, it should catch missing '#include <stdio.h>'
+    msg "build: full config except platform/fsio/net, make, gcc, C99" # ~ 30s
+    scripts/config.pl full
+    scripts/config.pl unset MBEDTLS_PLATFORM_C
+    scripts/config.pl unset MBEDTLS_NET_C
+    scripts/config.pl unset MBEDTLS_PLATFORM_MEMORY
+    scripts/config.pl unset MBEDTLS_PLATFORM_PRINTF_ALT
+    scripts/config.pl unset MBEDTLS_PLATFORM_FPRINTF_ALT
+    scripts/config.pl unset MBEDTLS_PLATFORM_SNPRINTF_ALT
+    scripts/config.pl unset MBEDTLS_PLATFORM_TIME_ALT
+    scripts/config.pl unset MBEDTLS_PLATFORM_EXIT_ALT
+    scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+    scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
+    scripts/config.pl unset MBEDTLS_FS_IO
+    # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
+    # to re-enable platform integration features otherwise disabled in C99 builds
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -O0 -D_DEFAULT_SOURCE' lib programs
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0' test
+}
 
-msg "build: full config except ssl_cli.c, make, gcc" # ~ 30s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl unset MBEDTLS_SSL_CLI_C
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0'
-
-# Note, C99 compliance can also be tested with the sockets support disabled,
-# as that requires a POSIX platform (which isn't the same as C99).
-msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc.
-scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0 -std=c99 -pedantic' lib
+component_build_no_std_function () {
+    # catch compile bugs in _uninit functions
+    msg "build: full config with NO_STD_FUNCTION, make, gcc" # ~ 30s
+    scripts/config.pl full
+    scripts/config.pl set MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+    scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0'
+}
 
-msg "build: default config except MFL extension (ASan build)" # ~ 30s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
-CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
-make
+component_build_no_ssl_srv () {
+    msg "build: full config except ssl_srv.c, make, gcc" # ~ 30s
+    scripts/config.pl full
+    scripts/config.pl unset MBEDTLS_SSL_SRV_C
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0'
+}
 
-msg "test: ssl-opt.sh, MFL-related tests"
-if_build_succeeded tests/ssl-opt.sh -f "Max fragment length"
+component_build_no_ssl_cli () {
+    msg "build: full config except ssl_cli.c, make, gcc" # ~ 30s
+    scripts/config.pl full
+    scripts/config.pl unset MBEDTLS_SSL_CLI_C
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0'
+}
 
-msg "build: default config with  MBEDTLS_TEST_NULL_ENTROPY (ASan build)"
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl set MBEDTLS_TEST_NULL_ENTROPY
-scripts/config.pl set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
-scripts/config.pl set MBEDTLS_ENTROPY_C
-scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
-scripts/config.pl unset MBEDTLS_ENTROPY_HARDWARE_ALT
-scripts/config.pl unset MBEDTLS_HAVEGE_C
-CC=gcc cmake  -D UNSAFE_BUILD=ON -D CMAKE_C_FLAGS:String="-fsanitize=address -fno-common -O3" .
-make
-
-msg "test: MBEDTLS_TEST_NULL_ENTROPY - main suites (inc. selftests) (ASan build)"
-make test
-
-msg "build: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)"
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl set MBEDTLS_PLATFORM_MEMORY
-scripts/config.pl set MBEDTLS_PLATFORM_CALLOC_MACRO calloc
-scripts/config.pl set MBEDTLS_PLATFORM_FREE_MACRO   free
-CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
-make
+component_build_no_sockets () {
+    # Note, C99 compliance can also be tested with the sockets support disabled,
+    # as that requires a POSIX platform (which isn't the same as C99).
+    msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s
+    scripts/config.pl full
+    scripts/config.pl unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc.
+    scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0 -std=c99 -pedantic' lib
+}
+
+component_test_no_max_fragment_length () {
+    msg "build: default config except MFL extension (ASan build)" # ~ 30s
+    scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    make
+
+    msg "test: ssl-opt.sh, MFL-related tests"
+    if_build_succeeded tests/ssl-opt.sh -f "Max fragment length"
+}
+
+component_test_null_entropy () {
+    msg "build: default config with  MBEDTLS_TEST_NULL_ENTROPY (ASan build)"
+    scripts/config.pl set MBEDTLS_TEST_NULL_ENTROPY
+    scripts/config.pl set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+    scripts/config.pl set MBEDTLS_ENTROPY_C
+    scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+    scripts/config.pl unset MBEDTLS_ENTROPY_HARDWARE_ALT
+    scripts/config.pl unset MBEDTLS_HAVEGE_C
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan -D UNSAFE_BUILD=ON .
+    make
+
+    msg "test: MBEDTLS_TEST_NULL_ENTROPY - main suites (inc. selftests) (ASan build)"
+    make test
+}
 
-msg "test: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)"
-make test
+component_test_platform_calloc_macro () {
+    msg "build: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)"
+    scripts/config.pl set MBEDTLS_PLATFORM_MEMORY
+    scripts/config.pl set MBEDTLS_PLATFORM_CALLOC_MACRO calloc
+    scripts/config.pl set MBEDTLS_PLATFORM_FREE_MACRO   free
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    make
+
+    msg "test: MBEDTLS_PLATFORM_{CALLOC/FREE}_MACRO enabled (ASan build)"
+    make test
+}
 
-if uname -a | grep -F Linux >/dev/null; then
+component_test_make_shared () {
     msg "build/test: make shared" # ~ 40s
-    cleanup
     make SHARED=1 all check
-fi
+}
 
-if uname -a | grep -F x86_64 >/dev/null; then
+component_test_m32_o0 () {
     # Build once with -O0, to compile out the i386 specific inline assembly
     msg "build: i386, make, gcc -O0 (ASan build)" # ~ 30s
-    cleanup
-    cp "$CONFIG_H" "$CONFIG_BAK"
     scripts/config.pl full
     make CC=gcc CFLAGS='-O0 -Werror -Wall -Wextra -m32 -fsanitize=address'
 
     msg "test: i386, make, gcc -O0 (ASan build)"
     make test
+}
+support_test_m32_o0 () {
+    case $(uname -m) in
+        *64*) true;;
+        *) false;;
+    esac
+}
 
+component_test_m32_o1 () {
     # Build again with -O1, to compile in the i386 specific inline assembly
     msg "build: i386, make, gcc -O1 (ASan build)" # ~ 30s
-    cleanup
-    cp "$CONFIG_H" "$CONFIG_BAK"
     scripts/config.pl full
+    scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE
+    scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
+    scripts/config.pl unset MBEDTLS_MEMORY_DEBUG
     make CC=gcc CFLAGS='-O1 -Werror -Wall -Wextra -m32 -fsanitize=address'
 
     msg "test: i386, make, gcc -O1 (ASan build)"
     make test
 
+    msg "test ssl-opt.sh, i386, make, gcc-O1"
+    if_build_succeeded tests/ssl-opt.sh
+}
+support_test_m32_o1 () {
+    support_test_m32_o0 "$@"
+}
+
+component_test_mx32 () {
     msg "build: 64-bit ILP32, make, gcc" # ~ 30s
-    cleanup
-    cp "$CONFIG_H" "$CONFIG_BAK"
     scripts/config.pl full
     make CC=gcc CFLAGS='-Werror -Wall -Wextra -mx32'
 
     msg "test: 64-bit ILP32, make, gcc"
     make test
-fi # x86_64
+}
+support_test_mx32 () {
+    case $(uname -m) in
+        amd64|x86_64) true;;
+        *) false;;
+    esac
+}
 
-msg "build: gcc, force 32-bit bignum limbs"
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl unset MBEDTLS_HAVE_ASM
-scripts/config.pl unset MBEDTLS_AESNI_C
-scripts/config.pl unset MBEDTLS_PADLOCK_C
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32'
+component_test_min_mpi_window_size () {
+    msg "build: Default + MBEDTLS_MPI_WINDOW_SIZE=1 (ASan build)" # ~ 10s
+    scripts/config.pl set MBEDTLS_MPI_WINDOW_SIZE 1
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    make
 
-msg "test: gcc, force 32-bit bignum limbs"
-make test
+    msg "test: MBEDTLS_MPI_WINDOW_SIZE=1 - main suites (inc. selftests) (ASan build)" # ~ 10s
+    make test
+}
 
-msg "build: gcc, force 64-bit bignum limbs"
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl unset MBEDTLS_HAVE_ASM
-scripts/config.pl unset MBEDTLS_AESNI_C
-scripts/config.pl unset MBEDTLS_PADLOCK_C
-make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT64'
+component_test_have_int32 () {
+    msg "build: gcc, force 32-bit bignum limbs"
+    scripts/config.pl unset MBEDTLS_HAVE_ASM
+    scripts/config.pl unset MBEDTLS_AESNI_C
+    scripts/config.pl unset MBEDTLS_PADLOCK_C
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT32'
 
-msg "test: gcc, force 64-bit bignum limbs"
-make test
+    msg "test: gcc, force 32-bit bignum limbs"
+    make test
+}
+
+component_test_have_int64 () {
+    msg "build: gcc, force 64-bit bignum limbs"
+    scripts/config.pl unset MBEDTLS_HAVE_ASM
+    scripts/config.pl unset MBEDTLS_AESNI_C
+    scripts/config.pl unset MBEDTLS_PADLOCK_C
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra -DMBEDTLS_HAVE_INT64'
+
+    msg "test: gcc, force 64-bit bignum limbs"
+    make test
+}
+
+component_build_arm_none_eabi_gcc () {
+    msg "build: arm-none-eabi-gcc, make" # ~ 10s
+    scripts/config.pl full
+    scripts/config.pl unset MBEDTLS_NET_C
+    scripts/config.pl unset MBEDTLS_TIMING_C
+    scripts/config.pl unset MBEDTLS_FS_IO
+    scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+    scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
+    # following things are not in the default config
+    scripts/config.pl unset MBEDTLS_HAVEGE_C # depends on timing.c
+    scripts/config.pl unset MBEDTLS_THREADING_PTHREAD
+    scripts/config.pl unset MBEDTLS_THREADING_C
+    scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
+    scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
+    make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -Wall -Wextra' lib
+}
+
+component_build_arm_none_eabi_gcc_no_udbl_division () {
+    msg "build: arm-none-eabi-gcc -DMBEDTLS_NO_UDBL_DIVISION, make" # ~ 10s
+    scripts/config.pl full
+    scripts/config.pl unset MBEDTLS_NET_C
+    scripts/config.pl unset MBEDTLS_TIMING_C
+    scripts/config.pl unset MBEDTLS_FS_IO
+    scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+    scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
+    # following things are not in the default config
+    scripts/config.pl unset MBEDTLS_HAVEGE_C # depends on timing.c
+    scripts/config.pl unset MBEDTLS_THREADING_PTHREAD
+    scripts/config.pl unset MBEDTLS_THREADING_C
+    scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
+    scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
+    scripts/config.pl set MBEDTLS_NO_UDBL_DIVISION
+    make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -Wall -Wextra' lib
+    echo "Checking that software 64-bit division is not required"
+    if_build_succeeded not grep __aeabi_uldiv library/*.o
+}
+
+component_build_armcc () {
+    msg "build: ARM Compiler 5, make"
+    scripts/config.pl full
+    scripts/config.pl unset MBEDTLS_NET_C
+    scripts/config.pl unset MBEDTLS_TIMING_C
+    scripts/config.pl unset MBEDTLS_FS_IO
+    scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+    scripts/config.pl unset MBEDTLS_HAVE_TIME
+    scripts/config.pl unset MBEDTLS_HAVE_TIME_DATE
+    scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
+    # following things are not in the default config
+    scripts/config.pl unset MBEDTLS_DEPRECATED_WARNING
+    scripts/config.pl unset MBEDTLS_HAVEGE_C # depends on timing.c
+    scripts/config.pl unset MBEDTLS_THREADING_PTHREAD
+    scripts/config.pl unset MBEDTLS_THREADING_C
+    scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
+    scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
+    scripts/config.pl unset MBEDTLS_PLATFORM_TIME_ALT # depends on MBEDTLS_HAVE_TIME
 
-msg "build: arm-none-eabi-gcc, make" # ~ 10s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl unset MBEDTLS_NET_C
-scripts/config.pl unset MBEDTLS_TIMING_C
-scripts/config.pl unset MBEDTLS_FS_IO
-scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
-scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
-# following things are not in the default config
-scripts/config.pl unset MBEDTLS_HAVEGE_C # depends on timing.c
-scripts/config.pl unset MBEDTLS_THREADING_PTHREAD
-scripts/config.pl unset MBEDTLS_THREADING_C
-scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
-scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
-make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -Wall -Wextra' lib
-
-msg "build: arm-none-eabi-gcc -DMBEDTLS_NO_UDBL_DIVISION, make" # ~ 10s
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl unset MBEDTLS_NET_C
-scripts/config.pl unset MBEDTLS_TIMING_C
-scripts/config.pl unset MBEDTLS_FS_IO
-scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
-scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
-# following things are not in the default config
-scripts/config.pl unset MBEDTLS_HAVEGE_C # depends on timing.c
-scripts/config.pl unset MBEDTLS_THREADING_PTHREAD
-scripts/config.pl unset MBEDTLS_THREADING_C
-scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
-scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
-scripts/config.pl set MBEDTLS_NO_UDBL_DIVISION
-make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -Wall -Wextra' lib
-echo "Checking that software 64-bit division is not required"
-! grep __aeabi_uldiv library/*.o
-
-msg "build: ARM Compiler 5, make"
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl full
-scripts/config.pl unset MBEDTLS_NET_C
-scripts/config.pl unset MBEDTLS_TIMING_C
-scripts/config.pl unset MBEDTLS_FS_IO
-scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
-scripts/config.pl unset MBEDTLS_HAVE_TIME
-scripts/config.pl unset MBEDTLS_HAVE_TIME_DATE
-scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
-# following things are not in the default config
-scripts/config.pl unset MBEDTLS_DEPRECATED_WARNING
-scripts/config.pl unset MBEDTLS_HAVEGE_C # depends on timing.c
-scripts/config.pl unset MBEDTLS_THREADING_PTHREAD
-scripts/config.pl unset MBEDTLS_THREADING_C
-scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
-scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
-scripts/config.pl unset MBEDTLS_PLATFORM_TIME_ALT # depends on MBEDTLS_HAVE_TIME
-
-if [ $RUN_ARMCC -ne 0 ]; then
     make CC="$ARMC5_CC" AR="$ARMC5_AR" WARNING_CFLAGS='--strict --c99' lib
     make clean
 
@@ -798,46 +992,33 @@ if [ $RUN_ARMCC -ne 0 ]; then
 
     # ARM Compiler 6 - Target ARMv8-A - AArch64
     armc6_build_test "--target=aarch64-arm-none-eabi -march=armv8.2-a"
-fi
-
-msg "build: allow SHA1 in certificates by default"
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl set MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
-make CFLAGS='-Werror -Wall -Wextra'
-msg "test: allow SHA1 in certificates by default"
-make test
-if_build_succeeded tests/ssl-opt.sh -f SHA-1
-
-msg "build: Default + MBEDTLS_RSA_NO_CRT (ASan build)" # ~ 6 min
-cleanup
-cp "$CONFIG_H" "$CONFIG_BAK"
-scripts/config.pl set MBEDTLS_RSA_NO_CRT
-CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
-make
-
-msg "test: MBEDTLS_RSA_NO_CRT - main suites (inc. selftests) (ASan build)"
-make test
+}
 
-msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s
-cleanup
-make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs
+component_test_allow_sha1 () {
+    msg "build: allow SHA1 in certificates by default"
+    scripts/config.pl set MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+    make CFLAGS='-Werror -Wall -Wextra'
+    msg "test: allow SHA1 in certificates by default"
+    make test
+    if_build_succeeded tests/ssl-opt.sh -f SHA-1
+}
 
-# note Make tests only builds the tests, but doesn't run them
-make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror' WINDOWS_BUILD=1 tests
-make WINDOWS_BUILD=1 clean
+component_build_mingw () {
+    msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s
+    make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs
 
-msg "build: Windows cross build - mingw64, make (DLL)" # ~ 30s
-make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 lib programs
-make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 tests
-make WINDOWS_BUILD=1 clean
+    # note Make tests only builds the tests, but doesn't run them
+    make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror' WINDOWS_BUILD=1 tests
+    make WINDOWS_BUILD=1 clean
 
-# MemSan currently only available on Linux 64 bits
-if uname -a | grep 'Linux.*x86_64' >/dev/null; then
+    msg "build: Windows cross build - mingw64, make (DLL)" # ~ 30s
+    make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 lib programs
+    make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 tests
+    make WINDOWS_BUILD=1 clean
+}
 
+component_test_memsan () {
     msg "build: MSan (clang)" # ~ 1 min 20s
-    cleanup
-    cp "$CONFIG_H" "$CONFIG_BAK"
     scripts/config.pl unset MBEDTLS_AESNI_C # memsan doesn't grok asm
     CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
     make
@@ -854,21 +1035,18 @@ if uname -a | grep 'Linux.*x86_64' >/dev/null; then
         msg "test: compat.sh (MSan)" # ~ 6 min 20s
         if_build_succeeded tests/compat.sh
     fi
+}
 
-else # no MemSan
-
+component_test_valgrind () {
     msg "build: Release (clang)"
-    cleanup
     CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release .
     make
 
     msg "test: main suites valgrind (Release)"
     make memcheck
 
-    # Optional part(s)
-    # Currently broken, programs don't seem to receive signals
-    # under valgrind on OS X
-
+    # Optional parts (slow; currently broken on OS X because programs don't
+    # seem to receive signals under valgrind on OS X).
     if [ "$MEMORY" -gt 0 ]; then
         msg "test: ssl-opt.sh --memcheck (Release)"
         if_build_succeeded tests/ssl-opt.sh --memcheck
@@ -878,33 +1056,33 @@ else # no MemSan
         msg "test: compat.sh --memcheck (Release)"
         if_build_succeeded tests/compat.sh --memcheck
     fi
+}
 
-fi # MemSan
+component_test_cmake_out_of_source () {
+    msg "build: cmake 'out-of-source' build"
+    MBEDTLS_ROOT_DIR="$PWD"
+    mkdir "$OUT_OF_SOURCE_DIR"
+    cd "$OUT_OF_SOURCE_DIR"
+    cmake "$MBEDTLS_ROOT_DIR"
+    make
 
-msg "build: cmake 'out-of-source' build"
-cleanup
-MBEDTLS_ROOT_DIR="$PWD"
-mkdir "$OUT_OF_SOURCE_DIR"
-cd "$OUT_OF_SOURCE_DIR"
-cmake "$MBEDTLS_ROOT_DIR"
-make
-
-msg "test: cmake 'out-of-source' build"
-make test
-# Test an SSL option that requires an auxiliary script in test/scripts/.
-# Also ensure that there are no error messages such as
-# "No such file or directory", which would indicate that some required
-# file is missing (ssl-opt.sh tolerates the absence of some files so
-# may exit with status 0 but emit errors).
-if_build_succeeded ./tests/ssl-opt.sh -f 'Fallback SCSV: beginning of list' 2>ssl-opt.err
-if [ -s ssl-opt.err ]; then
-  cat ssl-opt.err >&2
-  record_status [ ! -s ssl-opt.err ]
-  rm ssl-opt.err
-fi
-cd "$MBEDTLS_ROOT_DIR"
-rm -rf "$OUT_OF_SOURCE_DIR"
-unset MBEDTLS_ROOT_DIR
+    msg "test: cmake 'out-of-source' build"
+    make test
+    # Test an SSL option that requires an auxiliary script in test/scripts/.
+    # Also ensure that there are no error messages such as
+    # "No such file or directory", which would indicate that some required
+    # file is missing (ssl-opt.sh tolerates the absence of some files so
+    # may exit with status 0 but emit errors).
+    if_build_succeeded ./tests/ssl-opt.sh -f 'Fallback SCSV: beginning of list' 2>ssl-opt.err
+    if [ -s ssl-opt.err ]; then
+        cat ssl-opt.err >&2
+        record_status [ ! -s ssl-opt.err ]
+        rm ssl-opt.err
+    fi
+    cd "$MBEDTLS_ROOT_DIR"
+    rm -rf "$OUT_OF_SOURCE_DIR"
+    unset MBEDTLS_ROOT_DIR
+}
 
 
 
@@ -912,7 +1090,51 @@ unset MBEDTLS_ROOT_DIR
 #### Termination
 ################################################################
 
-msg "Done, cleaning up"
+post_report () {
+    msg "Done, cleaning up"
+    cleanup
+
+    final_report
+}
+
+
+
+################################################################
+#### Run all the things
+################################################################
+
+# Run one component and clean up afterwards.
+run_component () {
+    # Back up the configuration in case the component modifies it.
+    # The cleanup function will restore it.
+    cp -p "$CONFIG_H" "$CONFIG_BAK"
+    current_component="$1"
+    "$@"
+    cleanup
+}
+
+# Preliminary setup
+pre_check_environment
+pre_initialize_variables
+pre_parse_command_line "$@"
+
+pre_check_git
+build_status=0
+if [ $KEEP_GOING -eq 1 ]; then
+    pre_setup_keep_going
+else
+    record_status () {
+        "$@"
+    }
+fi
+pre_print_configuration
+pre_check_tools
 cleanup
 
-final_report
+# Run the requested tests.
+for component in $RUN_COMPONENTS; do
+    run_component "component_$component"
+done
+
+# We're done.
+post_report
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/basic-build-test.sh b/3rdparty/mbedtls/mbedtls/tests/scripts/basic-build-test.sh
index fbe757d9ef..97120ea84d 100755
--- a/3rdparty/mbedtls/mbedtls/tests/scripts/basic-build-test.sh
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/basic-build-test.sh
@@ -91,7 +91,7 @@ OPENSSL_CMD="$OPENSSL_LEGACY"                               \
 OPENSSL_CMD="$OPENSSL_LEGACY"                                       \
     GNUTLS_CLI="$GNUTLS_LEGACY_CLI"                                 \
     GNUTLS_SERV="$GNUTLS_LEGACY_SERV"                               \
-    sh compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' | \
+    sh compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'         |     \
     tee -a compat-test-$TEST_OUTPUT
 echo
 
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/check-files.py b/3rdparty/mbedtls/mbedtls/tests/scripts/check-files.py
index 7ea321f880..0bf01206e4 100755
--- a/3rdparty/mbedtls/mbedtls/tests/scripts/check-files.py
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/check-files.py
@@ -19,14 +19,23 @@
 import sys
 
 
-class IssueTracker(object):
-    """Base class for issue tracking. Issues should inherit from this and
-    overwrite either issue_with_line if they check the file line by line, or
-    overwrite check_file_for_issue if they check the file as a whole."""
+class FileIssueTracker(object):
+    """Base class for file-wide issue tracking.
+
+    To implement a checker that processes a file as a whole, inherit from
+    this class and implement `check_file_for_issue` and define ``heading``.
+
+    ``files_exemptions``: files whose name ends with a string in this set
+     will not be checked.
+
+    ``heading``: human-readable description of the issue
+    """
+
+    files_exemptions = frozenset()
+    # heading must be defined in derived classes.
+    # pylint: disable=no-member
 
     def __init__(self):
-        self.heading = ""
-        self.files_exemptions = []
         self.files_with_issues = {}
 
     def should_check_file(self, filepath):
@@ -35,23 +44,14 @@ def should_check_file(self, filepath):
                 return False
         return True
 
-    def issue_with_line(self, line):
-        raise NotImplementedError
-
     def check_file_for_issue(self, filepath):
-        with open(filepath, "rb") as f:
-            for i, line in enumerate(iter(f.readline, b"")):
-                self.check_file_line(filepath, line, i + 1)
+        raise NotImplementedError
 
     def record_issue(self, filepath, line_number):
         if filepath not in self.files_with_issues.keys():
             self.files_with_issues[filepath] = []
         self.files_with_issues[filepath].append(line_number)
 
-    def check_file_line(self, filepath, line, line_number):
-        if self.issue_with_line(line):
-            self.record_issue(filepath, line_number)
-
     def output_file_issues(self, logger):
         if self.files_with_issues.values():
             logger.info(self.heading)
@@ -64,24 +64,44 @@ def output_file_issues(self, logger):
                     logger.info(filename)
             logger.info("")
 
+class LineIssueTracker(FileIssueTracker):
+    """Base class for line-by-line issue tracking.
 
-class PermissionIssueTracker(IssueTracker):
+    To implement a checker that processes files line by line, inherit from
+    this class and implement `line_with_issue`.
+    """
 
-    def __init__(self):
-        super().__init__()
-        self.heading = "Incorrect permissions:"
+    def issue_with_line(self, line, filepath):
+        raise NotImplementedError
+
+    def check_file_line(self, filepath, line, line_number):
+        if self.issue_with_line(line, filepath):
+            self.record_issue(filepath, line_number)
+
+    def check_file_for_issue(self, filepath):
+        with open(filepath, "rb") as f:
+            for i, line in enumerate(iter(f.readline, b"")):
+                self.check_file_line(filepath, line, i + 1)
+
+class PermissionIssueTracker(FileIssueTracker):
+    """Track files with bad permissions.
+
+    Files that are not executable scripts must not be executable."""
+
+    heading = "Incorrect permissions:"
 
     def check_file_for_issue(self, filepath):
-        if not (os.access(filepath, os.X_OK) ==
-                filepath.endswith((".sh", ".pl", ".py"))):
+        is_executable = os.access(filepath, os.X_OK)
+        should_be_executable = filepath.endswith((".sh", ".pl", ".py"))
+        if is_executable != should_be_executable:
             self.files_with_issues[filepath] = None
 
 
-class EndOfFileNewlineIssueTracker(IssueTracker):
+class EndOfFileNewlineIssueTracker(FileIssueTracker):
+    """Track files that end with an incomplete line
+    (no newline character at the end of the last line)."""
 
-    def __init__(self):
-        super().__init__()
-        self.heading = "Missing newline at end of file:"
+    heading = "Missing newline at end of file:"
 
     def check_file_for_issue(self, filepath):
         with open(filepath, "rb") as f:
@@ -89,11 +109,11 @@ def check_file_for_issue(self, filepath):
                 self.files_with_issues[filepath] = None
 
 
-class Utf8BomIssueTracker(IssueTracker):
+class Utf8BomIssueTracker(FileIssueTracker):
+    """Track files that start with a UTF-8 BOM.
+    Files should be ASCII or UTF-8. Valid UTF-8 does not start with a BOM."""
 
-    def __init__(self):
-        super().__init__()
-        self.heading = "UTF-8 BOM present:"
+    heading = "UTF-8 BOM present:"
 
     def check_file_for_issue(self, filepath):
         with open(filepath, "rb") as f:
@@ -101,77 +121,76 @@ def check_file_for_issue(self, filepath):
                 self.files_with_issues[filepath] = None
 
 
-class LineEndingIssueTracker(IssueTracker):
+class LineEndingIssueTracker(LineIssueTracker):
+    """Track files with non-Unix line endings (i.e. files with CR)."""
 
-    def __init__(self):
-        super().__init__()
-        self.heading = "Non Unix line endings:"
+    heading = "Non Unix line endings:"
 
-    def issue_with_line(self, line):
+    def issue_with_line(self, line, _filepath):
         return b"\r" in line
 
 
-class TrailingWhitespaceIssueTracker(IssueTracker):
+class TrailingWhitespaceIssueTracker(LineIssueTracker):
+    """Track lines with trailing whitespace."""
 
-    def __init__(self):
-        super().__init__()
-        self.heading = "Trailing whitespace:"
-        self.files_exemptions = [".md"]
+    heading = "Trailing whitespace:"
+    files_exemptions = frozenset(".md")
 
-    def issue_with_line(self, line):
+    def issue_with_line(self, line, _filepath):
         return line.rstrip(b"\r\n") != line.rstrip()
 
 
-class TabIssueTracker(IssueTracker):
+class TabIssueTracker(LineIssueTracker):
+    """Track lines with tabs."""
 
-    def __init__(self):
-        super().__init__()
-        self.heading = "Tabs present:"
-        self.files_exemptions = [
-            "Makefile", "generate_visualc_files.pl"
-        ]
+    heading = "Tabs present:"
+    files_exemptions = frozenset([
+        "Makefile",
+        "generate_visualc_files.pl",
+    ])
 
-    def issue_with_line(self, line):
+    def issue_with_line(self, line, _filepath):
         return b"\t" in line
 
 
-class MergeArtifactIssueTracker(IssueTracker):
+class MergeArtifactIssueTracker(LineIssueTracker):
+    """Track lines with merge artifacts.
+    These are leftovers from a ``git merge`` that wasn't fully edited."""
 
-    def __init__(self):
-        super().__init__()
-        self.heading = "Merge artifact:"
+    heading = "Merge artifact:"
 
-    def issue_with_line(self, filepath, line):
+    def issue_with_line(self, line, _filepath):
         # Detect leftover git conflict markers.
         if line.startswith(b'<<<<<<< ') or line.startswith(b'>>>>>>> '):
             return True
         if line.startswith(b'||||||| '): # from merge.conflictStyle=diff3
             return True
         if line.rstrip(b'\r\n') == b'=======' and \
-           not filepath.endswith('.md'):
+           not _filepath.endswith('.md'):
             return True
         return False
 
-    def check_file_line(self, filepath, line, line_number):
-        if self.issue_with_line(filepath, line):
-            self.record_issue(filepath, line_number)
-
-class TodoIssueTracker(IssueTracker):
+class TodoIssueTracker(LineIssueTracker):
+    """Track lines containing ``TODO``."""
 
-    def __init__(self):
-        super().__init__()
-        self.heading = "TODO present:"
-        self.files_exemptions = [
-            __file__, "benchmark.c", "pull_request_template.md"
-        ]
+    heading = "TODO present:"
+    files_exemptions = frozenset([
+        os.path.basename(__file__),
+        "benchmark.c",
+        "pull_request_template.md",
+    ])
 
-    def issue_with_line(self, line):
+    def issue_with_line(self, line, _filepath):
         return b"todo" in line.lower()
 
 
 class IntegrityChecker(object):
+    """Sanity-check files under the current directory."""
 
     def __init__(self, log_file):
+        """Instantiate the sanity checker.
+        Check files under the current directory.
+        Write a report of issues to log_file."""
         self.check_repo_path()
         self.logger = None
         self.setup_logger(log_file)
@@ -196,7 +215,8 @@ def __init__(self, log_file):
             TodoIssueTracker(),
         ]
 
-    def check_repo_path(self):
+    @staticmethod
+    def check_repo_path():
         if not all(os.path.isdir(d) for d in ["include", "library", "tests"]):
             raise Exception("Must be run from Mbed TLS root")
 
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/check-names.sh b/3rdparty/mbedtls/mbedtls/tests/scripts/check-names.sh
index 4c66440e25..66c487cffd 100755
--- a/3rdparty/mbedtls/mbedtls/tests/scripts/check-names.sh
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/check-names.sh
@@ -2,26 +2,42 @@
 #
 # This file is part of mbed TLS (https://tls.mbed.org)
 #
-# Copyright (c) 2015-2016, ARM Limited, All Rights Reserved
-#
-# Purpose
-#
-# This script confirms that the naming of all symbols and identifiers in mbed
-# TLS are consistent with the house style and are also self-consistent.
-#
+# Copyright (c) 2015-2019, ARM Limited, All Rights Reserved
+
 set -eu
 
+if [ $# -ne 0 ] && [ "$1" = "--help" ]; then
+    cat <<EOF
+$0 [-v]
+This script confirms that the naming of all symbols and identifiers in mbed
+TLS are consistent with the house style and are also self-consistent.
+
+  -v    If the script fails unexpectedly, print a command trace.
+EOF
+    exit
+fi
+
 if grep --version|head -n1|grep GNU >/dev/null; then :; else
     echo "This script requires GNU grep.">&2
     exit 1
 fi
 
+trace=
+if [ $# -ne 0 ] && [ "$1" = "-v" ]; then
+  shift
+  trace='-x'
+  exec 2>check-names.err
+  trap 'echo "FAILED UNEXPECTEDLY, status=$?";
+        cat check-names.err' EXIT
+  set -x
+fi
+
 printf "Analysing source code...\n"
 
-tests/scripts/list-macros.sh
+sh $trace tests/scripts/list-macros.sh
 tests/scripts/list-enum-consts.pl
-tests/scripts/list-identifiers.sh
-tests/scripts/list-symbols.sh
+sh $trace tests/scripts/list-identifiers.sh
+sh $trace tests/scripts/list-symbols.sh
 
 FAIL=0
 
@@ -82,6 +98,12 @@ else
     FAIL=1
 fi
 
+if [ -n "$trace" ]; then
+  set +x
+  trap - EXIT
+  rm check-names.err
+fi
+
 printf "\nOverall: "
 if [ "$FAIL" -eq 0 ]; then
     rm macros actual-macros enum-consts identifiers exported-symbols
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/list-identifiers.sh b/3rdparty/mbedtls/mbedtls/tests/scripts/list-identifiers.sh
index 130d9d63f6..cc9c54fad6 100755
--- a/3rdparty/mbedtls/mbedtls/tests/scripts/list-identifiers.sh
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/list-identifiers.sh
@@ -1,4 +1,10 @@
-#!/bin/sh
+#!/bin/bash
+#
+# Create a file named identifiers containing identifiers from internal header
+# files or all header files, based on --internal flag.
+# Outputs the line count of the file to stdout.
+#
+# Usage: list-identifiers.sh [ -i | --internal ]
 
 set -eu
 
@@ -7,7 +13,29 @@ if [ -d include/mbedtls ]; then :; else
     exit 1
 fi
 
-HEADERS=$( ls include/mbedtls/*.h | egrep -v 'compat-1\.3\.h|bn_mul' )
+INTERNAL=""
+
+until [ -z "${1-}" ]
+do
+  case "$1" in
+    -i|--internal)
+      INTERNAL="1"
+      ;;
+    *)
+      # print error
+      echo "Unknown argument: '$1'"
+      exit 1
+      ;;
+  esac
+  shift
+done
+
+if [ $INTERNAL ]
+then
+    HEADERS=$( ls include/mbedtls/*_internal.h | egrep -v 'compat-1\.3\.h|bn_mul' )
+else
+    HEADERS=$( ls include/mbedtls/*.h | egrep -v 'compat-1\.3\.h|bn_mul' )
+fi
 
 rm -f identifiers
 
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/list-symbols.sh b/3rdparty/mbedtls/mbedtls/tests/scripts/list-symbols.sh
index c258719429..930722c1bb 100755
--- a/3rdparty/mbedtls/mbedtls/tests/scripts/list-symbols.sh
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/list-symbols.sh
@@ -14,8 +14,21 @@ fi
 
 cp include/mbedtls/config.h include/mbedtls/config.h.bak
 scripts/config.pl full
-CFLAGS=-fno-asynchronous-unwind-tables make clean lib >/dev/null 2>&1
+make clean
+make_ret=
+CFLAGS=-fno-asynchronous-unwind-tables make lib \
+      >list-symbols.make.log 2>&1 ||
+  {
+    make_ret=$?
+    echo "Build failure: CFLAGS=-fno-asynchronous-unwind-tables make lib"
+    cat list-symbols.make.log >&2
+  }
+rm list-symbols.make.log
 mv include/mbedtls/config.h.bak include/mbedtls/config.h
+if [ -n "$make_ret" ]; then
+    exit "$make_ret"
+fi
+
 if uname | grep -F Darwin >/dev/null; then
     nm -gUj library/libmbed*.a 2>/dev/null | sed -n -e 's/^_//p'
 elif uname | grep -F Linux >/dev/null; then
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/run-test-suites.pl b/3rdparty/mbedtls/mbedtls/tests/scripts/run-test-suites.pl
index d0d4046215..1c9dc1dfcb 100755
--- a/3rdparty/mbedtls/mbedtls/tests/scripts/run-test-suites.pl
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/run-test-suites.pl
@@ -4,19 +4,24 @@
 #
 # This file is part of mbed TLS (https://tls.mbed.org)
 #
-# Copyright (c) 2015-2016, ARM Limited, All Rights Reserved
-#
-# Purpose
-#
-# Executes all the available test suites, and provides a basic summary of the
-# results.
-#
-# Usage: run-test-suites.pl [-v]
-#
-# Options :
-#   -v|--verbose    - Provide a pass/fail/skip breakdown per test suite and
-#                     in total
-#
+# Copyright (c) 2015-2018, ARM Limited, All Rights Reserved
+
+=head1 SYNOPSIS
+
+Execute all the test suites and print a summary of the results.
+
+ run-test-suites.pl [[-v|--verbose] [VERBOSITY]] [--skip=SUITE[...]]
+
+Options:
+
+  -v|--verbose        Print detailed failure information.
+  -v 2|--verbose=2    Print detailed failure information and summary messages.
+  -v 3|--verbose=3    Print detailed information about every test case.
+  --skip=SUITE[,SUITE...]
+                      Skip the specified SUITE(s). This option can be used
+                      multiple times.
+
+=cut
 
 use warnings;
 use strict;
@@ -24,10 +29,15 @@
 use utf8;
 use open qw(:std utf8);
 
-use Getopt::Long;
+use Getopt::Long qw(:config auto_help gnu_compat);
+use Pod::Usage;
 
 my $verbose = 0;
-GetOptions( "verbose|v:1" => \$verbose );
+my @skip_patterns = ();
+GetOptions(
+           'skip=s' => \@skip_patterns,
+           'verbose|v:1' => \$verbose,
+          ) or die;
 
 # All test suites = executable files, excluding source files, debug
 # and profiling information, etc. We can't just grep {! /\./} because
@@ -36,6 +46,17 @@
 @suites = grep { !/\.c$/ && !/\.data$/ && -f } @suites;
 die "$0: no test suite found\n" unless @suites;
 
+# "foo" as a skip pattern skips "test_suite_foo" and "test_suite_foo.bar"
+# but not "test_suite_foobar".
+my $skip_re =
+    ( '\Atest_suite_(' .
+      join('|', map {
+          s/[ ,;]/|/g; # allow any of " ,;|" as separators
+          s/\./\./g; # "." in the input means ".", not "any character"
+          $_
+      } @skip_patterns) .
+      ')(\z|\.)' );
+
 # in case test suites are linked dynamically
 $ENV{'LD_LIBRARY_PATH'} = '../library';
 $ENV{'DYLD_LIBRARY_PATH'} = '../library';
@@ -45,6 +66,7 @@
 my ($failed_suites, $total_tests_run, $failed, $suite_cases_passed,
     $suite_cases_failed, $suite_cases_skipped, $total_cases_passed,
     $total_cases_failed, $total_cases_skipped );
+my $suites_skipped = 0;
 
 sub pad_print_center {
     my( $width, $padchar, $string ) = @_;
@@ -55,6 +77,12 @@ sub pad_print_center {
 for my $suite (@suites)
 {
     print "$suite ", "." x ( 72 - length($suite) - 2 - 4 ), " ";
+    if( $suite =~ /$skip_re/o ) {
+        print "SKIP\n";
+        ++$suites_skipped;
+        next;
+    }
+
     my $command = "$prefix$suite";
     if( $verbose ) {
         $command .= ' -v';
@@ -101,7 +129,10 @@ sub pad_print_center {
 
 print "-" x 72, "\n";
 print $failed_suites ? "FAILED" : "PASSED";
-printf " (%d suites, %d tests run)\n", scalar @suites, $total_tests_run;
+printf( " (%d suites, %d tests run%s)\n",
+        scalar(@suites) - $suites_skipped,
+        $total_tests_run,
+        $suites_skipped ? ", $suites_skipped suites skipped" : "" );
 
 if( $verbose > 1 ) {
     print "  test cases passed :", $total_cases_passed, "\n";
@@ -111,8 +142,11 @@ sub pad_print_center {
             "\n";
     print " of available tests :",
             ( $total_cases_passed + $total_cases_failed + $total_cases_skipped ),
-            "\n"
+            "\n";
+    if( $suites_skipped != 0 ) {
+        print "Note: $suites_skipped suites were skipped.\n";
     }
+}
 
 exit( $failed_suites ? 1 : 0 );
 
diff --git a/3rdparty/mbedtls/mbedtls/tests/ssl-opt.sh b/3rdparty/mbedtls/mbedtls/tests/ssl-opt.sh
index ae98ae9862..fbd03673cf 100755
--- a/3rdparty/mbedtls/mbedtls/tests/ssl-opt.sh
+++ b/3rdparty/mbedtls/mbedtls/tests/ssl-opt.sh
@@ -3708,26 +3708,37 @@ run_test    "ECJPAKE: working, DTLS, nolog" \
 # Tests for ciphersuites per version
 
 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
+requires_config_enabled MBEDTLS_CAMELLIA_C
+requires_config_enabled MBEDTLS_AES_C
 run_test    "Per-version suites: SSL3" \
-            "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
+            "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
             "$P_CLI force_version=ssl3" \
             0 \
-            -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
+            -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"
 
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
+requires_config_enabled MBEDTLS_CAMELLIA_C
+requires_config_enabled MBEDTLS_AES_C
 run_test    "Per-version suites: TLS 1.0" \
-            "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
+            "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
             "$P_CLI force_version=tls1 arc4=1" \
             0 \
             -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
 
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
+requires_config_enabled MBEDTLS_CAMELLIA_C
+requires_config_enabled MBEDTLS_AES_C
 run_test    "Per-version suites: TLS 1.1" \
-            "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
+            "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
             "$P_CLI force_version=tls1_1" \
             0 \
             -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
 
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_CAMELLIA_C
+requires_config_enabled MBEDTLS_AES_C
 run_test    "Per-version suites: TLS 1.2" \
-            "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
+            "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
             "$P_CLI force_version=tls1_2" \
             0 \
             -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
@@ -3736,7 +3747,7 @@ run_test    "Per-version suites: TLS 1.2" \
 
 requires_gnutls
 run_test    "ClientHello without extensions, SHA-1 allowed" \
-            "$P_SRV debug_level=3" \
+            "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt" \
             "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
             0 \
             -s "dumping 'client hello extensions' (0 bytes)"
@@ -5126,8 +5137,8 @@ run_test    "DTLS proxy: duplicate every packet" \
             0 \
             -c "replayed record" \
             -s "replayed record" \
-            -c "discarding invalid record" \
-            -s "discarding invalid record" \
+            -c "record from another epoch" \
+            -s "record from another epoch" \
             -S "resend" \
             -s "Extra-header:" \
             -c "HTTP/1.0 200 OK"
@@ -5139,8 +5150,8 @@ run_test    "DTLS proxy: duplicate every packet, server anti-replay off" \
             0 \
             -c "replayed record" \
             -S "replayed record" \
-            -c "discarding invalid record" \
-            -s "discarding invalid record" \
+            -c "record from another epoch" \
+            -s "record from another epoch" \
             -c "resend" \
             -s "resend" \
             -s "Extra-header:" \
@@ -5201,8 +5212,6 @@ run_test    "DTLS proxy: delay ChangeCipherSpec" \
             0 \
             -c "record from another epoch" \
             -s "record from another epoch" \
-            -c "discarding invalid record" \
-            -s "discarding invalid record" \
             -s "Extra-header:" \
             -c "HTTP/1.0 200 OK"
 
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/helpers.function b/3rdparty/mbedtls/mbedtls/tests/suites/helpers.function
index eef41c79a6..755c3eabd4 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/helpers.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/helpers.function
@@ -144,6 +144,7 @@ static int redirect_output( FILE** out_stream, const char* path )
 
     if( *out_stream == NULL )
     {
+        close( stdout_fd );
         return -1;
     }
 
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ccm.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ccm.data
index 90ba42d83c..65dc382432 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ccm.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ccm.data
@@ -36,6 +36,7 @@ CCM lengths #6 tag length not even
 ccm_lengths:5:10:5:7:MBEDTLS_ERR_CCM_BAD_INPUT
 
 CCM lenghts #7 AD too long (2^16 - 2^8 + 1)
+depends_on:!MBEDTLS_CCM_ALT
 ccm_lengths:5:10:65281:8:MBEDTLS_ERR_CCM_BAD_INPUT
 
 CCM lengths #8 msg too long for this IV length (2^16, q = 2)
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.function
index 343dd78635..2518ba5761 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.function
@@ -627,6 +627,9 @@ void auth_crypt_tv( int cipher_id, char *hex_key, char *hex_iv,
     TEST_ASSERT( memcmp( output, clear, clear_len ) == 0 );
 
     /* then encrypt the clear and make sure we get the same ciphertext and tag */
+    TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key, 8 * key_len,
+                                             MBEDTLS_ENCRYPT ) );
+
     memset( output, 0xFF, sizeof( output ) );
     outlen = 0;
 
@@ -635,8 +638,8 @@ void auth_crypt_tv( int cipher_id, char *hex_key, char *hex_iv,
                                my_tag, tag_len );
     TEST_ASSERT( ret == 0 );
 
-    TEST_ASSERT( outlen == clear_len );
-    TEST_ASSERT( memcmp( output, cipher, clear_len ) == 0 );
+    TEST_ASSERT( outlen == cipher_len );
+    TEST_ASSERT( memcmp( output, cipher, cipher_len ) == 0 );
     TEST_ASSERT( memcmp( my_tag, tag, tag_len ) == 0 );
 
     /* make sure we didn't overwrite */
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdh.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdh.data
index f7119de416..4ed32219b7 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdh.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdh.data
@@ -37,3 +37,19 @@ ecdh_exchange:MBEDTLS_ECP_DP_SECP192R1
 ECDH exchange #2
 depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
 ecdh_exchange:MBEDTLS_ECP_DP_SECP521R1
+
+ECDH calc_secret: ours first, SECP256R1 (RFC 5903)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecdh_exchange_calc_secret:MBEDTLS_ECP_DP_SECP256R1:"c6ef9c5d78ae012a011164acb397ce2088685d8f06bf9be0b283ab46476bee53":"04dad0b65394221cf9b051e1feca5787d098dfe637fc90b9ef945d0c37725811805271a0461cdb8252d61f1c456fa3e59ab1f45b33accf5f58389e0577b8990bb3":0:"d6840f6b42f6edafd13116e0e12565202fef8e9ece7dce03812464d04b9442de"
+
+ECDH calc_secret: theirs first, SECP256R1 (RFC 5903)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecdh_exchange_calc_secret:MBEDTLS_ECP_DP_SECP256R1:"c6ef9c5d78ae012a011164acb397ce2088685d8f06bf9be0b283ab46476bee53":"04dad0b65394221cf9b051e1feca5787d098dfe637fc90b9ef945d0c37725811805271a0461cdb8252d61f1c456fa3e59ab1f45b33accf5f58389e0577b8990bb3":1:"d6840f6b42f6edafd13116e0e12565202fef8e9ece7dce03812464d04b9442de"
+
+ECDH get_params with mismatched groups: our BP256R1, their SECP256R1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecdh_exchange_get_params_fail:MBEDTLS_ECP_DP_BP256R1:"1234567812345678123456781234567812345678123456781234567812345678":MBEDTLS_ECP_DP_SECP256R1:"04dad0b65394221cf9b051e1feca5787d098dfe637fc90b9ef945d0c37725811805271a0461cdb8252d61f1c456fa3e59ab1f45b33accf5f58389e0577b8990bb3":0:MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+
+ECDH get_params with mismatched groups: their SECP256R1, our BP256R1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecdh_exchange_get_params_fail:MBEDTLS_ECP_DP_BP256R1:"1234567812345678123456781234567812345678123456781234567812345678":MBEDTLS_ECP_DP_SECP256R1:"04dad0b65394221cf9b051e1feca5787d098dfe637fc90b9ef945d0c37725811805271a0461cdb8252d61f1c456fa3e59ab1f45b33accf5f58389e0577b8990bb3":1:MBEDTLS_ERR_ECP_BAD_INPUT_DATA
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdh.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdh.function
index 4c6a97baf0..0645ce798b 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdh.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdh.function
@@ -1,5 +1,47 @@
 /* BEGIN_HEADER */
 #include "mbedtls/ecdh.h"
+
+static int load_public_key( int grp_id, const char *point_str,
+                            mbedtls_ecp_keypair *ecp )
+{
+    int ok = 0;
+    unsigned char point_buf[MBEDTLS_ECP_MAX_PT_LEN];
+    size_t point_len = unhexify( point_buf, point_str );
+
+    TEST_ASSERT( mbedtls_ecp_group_load( &ecp->grp, grp_id ) == 0 );
+    TEST_ASSERT( mbedtls_ecp_point_read_binary( &ecp->grp,
+                                                &ecp->Q,
+                                                point_buf,
+                                                point_len ) == 0 );
+    TEST_ASSERT( mbedtls_ecp_check_pubkey( &ecp->grp,
+                                           &ecp->Q ) == 0 );
+    ok = 1;
+exit:
+    return( ok );
+}
+
+static int load_private_key( int grp_id, const char *private_key_str,
+                             mbedtls_ecp_keypair *ecp,
+                             rnd_pseudo_info *rnd_info )
+{
+    int ok = 0;
+    unsigned char private_key_buf[MBEDTLS_ECP_MAX_BYTES];
+    size_t private_key_len = unhexify( private_key_buf, private_key_str );
+
+    TEST_ASSERT( mbedtls_ecp_group_load( &ecp->grp, grp_id ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_binary( &ecp->d,
+                                          private_key_buf,
+                                          private_key_len ) == 0 );
+    TEST_ASSERT( mbedtls_ecp_check_privkey( &ecp->grp, &ecp->d ) == 0 );
+    /* Calculate the public key from the private key. */
+    TEST_ASSERT( mbedtls_ecp_mul( &ecp->grp, &ecp->Q, &ecp->d,
+                                  &ecp->grp.G,
+                                  &rnd_pseudo_rand, rnd_info ) == 0 );
+    ok = 1;
+exit:
+    return( ok );
+}
+
 /* END_HEADER */
 
 /* BEGIN_DEPENDENCIES
@@ -158,3 +200,111 @@ exit:
     mbedtls_ecdh_free( &cli );
 }
 /* END_CASE */
+
+/* BEGIN_CASE */
+void ecdh_exchange_calc_secret( int grp_id,
+                                char *our_private_key,
+                                char *their_point,
+                                int ours_first,
+                                char *expected_str )
+{
+    rnd_pseudo_info rnd_info;
+    unsigned char expected_buf[MBEDTLS_ECP_MAX_BYTES];
+    size_t expected_len;
+    mbedtls_ecp_keypair our_key;
+    mbedtls_ecp_keypair their_key;
+    mbedtls_ecdh_context ecdh;
+    unsigned char shared_secret[MBEDTLS_ECP_MAX_BYTES];
+    size_t shared_secret_length = 0;
+
+    memset( &rnd_info, 0x00, sizeof( rnd_pseudo_info ) );
+    mbedtls_ecdh_init( &ecdh );
+    mbedtls_ecp_keypair_init( &our_key );
+    mbedtls_ecp_keypair_init( &their_key );
+
+    expected_len = unhexify( expected_buf, expected_str );
+
+    if( ! load_private_key( grp_id, our_private_key, &our_key, &rnd_info ) )
+        goto exit;
+    if( ! load_public_key( grp_id, their_point, &their_key ) )
+        goto exit;
+
+    /* Import the keys to the ECDH calculation. */
+    if( ours_first )
+    {
+        TEST_ASSERT( mbedtls_ecdh_get_params(
+                         &ecdh, &our_key, MBEDTLS_ECDH_OURS ) == 0 );
+        TEST_ASSERT( mbedtls_ecdh_get_params(
+                         &ecdh, &their_key, MBEDTLS_ECDH_THEIRS ) == 0 );
+    }
+    else
+    {
+        TEST_ASSERT( mbedtls_ecdh_get_params(
+                         &ecdh, &their_key, MBEDTLS_ECDH_THEIRS ) == 0 );
+        TEST_ASSERT( mbedtls_ecdh_get_params(
+                         &ecdh, &our_key, MBEDTLS_ECDH_OURS ) == 0 );
+    }
+
+    /* Perform the ECDH calculation. */
+    TEST_ASSERT( mbedtls_ecdh_calc_secret(
+                     &ecdh,
+                     &shared_secret_length,
+                     shared_secret, sizeof( shared_secret ),
+                     &rnd_pseudo_rand, &rnd_info ) == 0 );
+    TEST_ASSERT( shared_secret_length == expected_len );
+    TEST_ASSERT( memcmp( expected_buf, shared_secret,
+                         shared_secret_length ) == 0 );
+
+exit:
+    mbedtls_ecdh_free( &ecdh );
+    mbedtls_ecp_keypair_free( &our_key );
+    mbedtls_ecp_keypair_free( &their_key );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ecdh_exchange_get_params_fail( int our_grp_id,
+                                    char *our_private_key,
+                                    int their_grp_id,
+                                    char *their_point,
+                                    int ours_first,
+                                    int expected_ret )
+{
+    rnd_pseudo_info rnd_info;
+    mbedtls_ecp_keypair our_key;
+    mbedtls_ecp_keypair their_key;
+    mbedtls_ecdh_context ecdh;
+
+    memset( &rnd_info, 0x00, sizeof( rnd_pseudo_info ) );
+    mbedtls_ecdh_init( &ecdh );
+    mbedtls_ecp_keypair_init( &our_key );
+    mbedtls_ecp_keypair_init( &their_key );
+
+    if( ! load_private_key( our_grp_id, our_private_key, &our_key, &rnd_info ) )
+        goto exit;
+    if( ! load_public_key( their_grp_id, their_point, &their_key ) )
+        goto exit;
+
+    if( ours_first )
+    {
+        TEST_ASSERT( mbedtls_ecdh_get_params(
+                         &ecdh, &our_key, MBEDTLS_ECDH_OURS ) == 0 );
+        TEST_ASSERT( mbedtls_ecdh_get_params(
+                         &ecdh, &their_key, MBEDTLS_ECDH_THEIRS ) ==
+                     expected_ret );
+    }
+    else
+    {
+        TEST_ASSERT( mbedtls_ecdh_get_params(
+                         &ecdh, &their_key, MBEDTLS_ECDH_THEIRS ) == 0 );
+        TEST_ASSERT( mbedtls_ecdh_get_params(
+                         &ecdh, &our_key, MBEDTLS_ECDH_OURS ) ==
+                     expected_ret );
+    }
+
+exit:
+    mbedtls_ecdh_free( &ecdh );
+    mbedtls_ecp_keypair_free( &our_key );
+    mbedtls_ecp_keypair_free( &their_key );
+}
+/* END_CASE */
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mpi.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mpi.data
index 296064196c..b8d7ad14ce 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mpi.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mpi.data
@@ -19,6 +19,9 @@ mpi_read_write_string:16:"-20":10:"-32":100:0:0
 Base test mpi_read_write_string #3 (Negative decimal)
 mpi_read_write_string:16:"-23":16:"-23":100:0:0
 
+Base test mpi_read_write_string #4 (Buffer just fits)
+mpi_read_write_string:16:"-4":4:"-10":4:0:0
+
 Test mpi_read_write_string #1 (Invalid character)
 mpi_read_write_string:10:"a28":0:"":100:MBEDTLS_ERR_MPI_INVALID_CHARACTER:0
 
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mpi.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mpi.function
index 04dca0fcb2..aa3c332bbc 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mpi.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mpi.function
@@ -81,6 +81,8 @@ void mpi_read_write_string( int radix_X, char *input_X, int radix_A,
 
     mbedtls_mpi_init( &X );
 
+    memset( str, '!', sizeof( str ) );
+
     TEST_ASSERT( mbedtls_mpi_read_string( &X, radix_X, input_X ) == result_read );
     if( result_read == 0 )
     {
@@ -88,6 +90,7 @@ void mpi_read_write_string( int radix_X, char *input_X, int radix_A,
         if( result_write == 0 )
         {
             TEST_ASSERT( strcasecmp( str, input_A ) == 0 );
+            TEST_ASSERT( str[len] == '!' );
         }
     }
 
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_timing.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_timing.data
index 4dddcf7fc1..2522da1eaf 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_timing.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_timing.data
@@ -1,41 +1,17 @@
-Timing: basic timer operation
-timing_timer_simple:
-
-Timing: timer reset
-timing_timer_reset:
-
-Timing: two parallel timers, delay 0
-timing_two_timers:0:
-
-Timing: two parallel timers, delay 100
-timing_two_timers:100:
-
-Timing: two parallel timers, delay 1000
-timing_two_timers:1000:
-
-Timing: two parallel timers, delay 10000
-timing_two_timers:10000:
-
-Timing: delay 0ms, 0ms
-timing_delay:0:0:
-
-Timing: delay 0ms, 50ms
-timing_delay:0:50:
-
-Timing: delay 50ms, 50ms
-timing_delay:50:50:
+Timing: hardclock
+timing_hardclock:
 
-Timing: delay 50ms, 100ms
-timing_delay:50:100:
+Timing: get timer
+timing_get_timer:
 
-Timing: delay 50ms, 200ms
-timing_delay:50:200:
+Timing: set alarm with no delay
+timing_set_alarm:0:
 
-Timing: alarm in 0 second
-timing_alarm:0:
+Timing: set alarm with 1s delay
+timing_set_alarm:1:
 
-Timing: alarm in 1 second
-timing_alarm:1:
+Timing: delay 0ms
+timing_delay:0:
 
-Timing: hardclock
-timing_hardclock:
+Timing: delay 100ms
+timing_delay:100:
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_timing.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_timing.function
index 1610155fbf..74dc823171 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_timing.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_timing.function
@@ -1,51 +1,14 @@
 /* BEGIN_HEADER */
 
-/* This test module exercises the timing module. One of the expected failure
-   modes is for timers to never expire, which could lead to an infinite loop.
-   The function timing_timer_simple is protected against this failure mode and
-   checks that timers do expire. Other functions will terminate if their
-   timers do expire. Therefore it is recommended to run timing_timer_simple
-   first and run other test functions only if that timing_timer_simple
-   succeeded. */
+/* This test module exercises the timing module. Since, depending on the
+ * underlying operating system, the timing routines are not always reliable,
+ * this suite only performs very basic sanity checks of the timing API.
+ */
 
 #include <limits.h>
 
 #include "mbedtls/timing.h"
 
-/* Wait this many milliseconds for a short timing test. This duration
-   should be large enough that, in practice, if you read the timer
-   value twice in a row, it won't have jumped by that much. */
-#define TIMING_SHORT_TEST_MS 100
-
-/* A loop that waits TIMING_SHORT_TEST_MS must not take more than this many
-   iterations. This value needs to be large enough to accommodate fast
-   platforms (e.g. at 4GHz and 10 cycles/iteration a CPU can run through 20
-   million iterations in 50ms). The only motivation to keep this value low is
-   to avoid having an infinite loop if the timer functions are not implemented
-   correctly. Ideally this value should be based on the processor speed but we
-   don't have this information! */
-#define TIMING_SHORT_TEST_ITERATIONS_MAX 1e8
-
-/* alarm(0) must fire in no longer than this amount of time. */
-#define TIMING_ALARM_0_DELAY_MS TIMING_SHORT_TEST_MS
-
-static int expected_delay_status( uint32_t int_ms, uint32_t fin_ms,
-                                  unsigned long actual_ms )
-{
-    return( fin_ms == 0 ? -1 :
-            actual_ms >= fin_ms ? 2 :
-            actual_ms >= int_ms ? 1 :
-            0 );
-}
-
-/* Some conditions in timing_timer_simple suggest that timers are unreliable.
-   Most other test cases rely on timers to terminate, and could loop
-   indefinitely if timers are too broken. So if timing_timer_simple detected a
-   timer that risks not terminating (going backwards, or not reaching the
-   desired count in the alloted clock cycles), set this flag to immediately
-   fail those other tests without running any timers. */
-static int timers_are_badly_broken = 0;
-
 /* END_HEADER */
 
 /* BEGIN_DEPENDENCIES
@@ -54,350 +17,58 @@ static int timers_are_badly_broken = 0;
  */
 
 /* BEGIN_CASE */
-void timing_timer_simple( )
+void timing_hardclock( )
 {
-    struct mbedtls_timing_hr_time timer;
-    unsigned long millis = 0;
-    unsigned long new_millis = 0;
-    unsigned long iterations = 0;
-    /* Start the timer. */
-    (void) mbedtls_timing_get_timer( &timer, 1 );
-    /* Busy-wait loop for a few milliseconds. */
-    do
-    {
-        new_millis = mbedtls_timing_get_timer( &timer, 0 );
-        ++iterations;
-        /* Check that the timer didn't go backwards */
-        TEST_ASSERT( new_millis >= millis );
-        millis = new_millis;
-    }
-    while( millis < TIMING_SHORT_TEST_MS &&
-           iterations <= TIMING_SHORT_TEST_ITERATIONS_MAX );
-    /* The wait duration should have been large enough for at least a
-       few runs through the loop, even on the slowest realistic platform. */
-    TEST_ASSERT( iterations >= 2 );
-    /* The wait duration shouldn't have overflowed the iteration count. */
-    TEST_ASSERT( iterations < TIMING_SHORT_TEST_ITERATIONS_MAX );
-    return;
-
-exit:
-    if( iterations >= TIMING_SHORT_TEST_ITERATIONS_MAX ||
-        new_millis < millis )
-    {
-        /* The timer was very unreliable: it didn't increment and the loop ran
-           out, or it went backwards. Other tests that use timers might go
-           into an infinite loop, so we'll skip them. */
-        timers_are_badly_broken = 1;
-    }
-
-    /* No cleanup needed, but show some diagnostic iterations, because timing
-       problems can be hard to reproduce. */
-    mbedtls_fprintf( stdout, "  Finished with millis=%lu new_millis=%lu get(timer)<=%lu iterations=%lu\n",
-                     millis, new_millis, mbedtls_timing_get_timer( &timer, 0 ),
-                     iterations );
+    (void) mbedtls_timing_hardclock();
+    /* This goto is added to avoid warnings from the generated code. */
+    goto exit;
 }
 /* END_CASE */
 
 /* BEGIN_CASE */
-void timing_timer_reset( )
+void timing_get_timer( )
 {
-    struct mbedtls_timing_hr_time timer;
-    unsigned long millis = 0;
-    unsigned long iterations = 0;
-
-    /* Skip this test if it looks like timers don't work at all, to avoid an
-       infinite loop below. */
-    TEST_ASSERT( !timers_are_badly_broken );
-
-    /* Start the timer. Timers are always reset to 0. */
-    TEST_ASSERT( mbedtls_timing_get_timer( &timer, 1 ) == 0 );
-    /* Busy-wait loop for a few milliseconds */
-    do
-    {
-        ++iterations;
-        millis = mbedtls_timing_get_timer( &timer, 0 );
-    }
-    while( millis < TIMING_SHORT_TEST_MS );
-
-    /* Reset the timer and check that it has restarted. */
-    TEST_ASSERT( mbedtls_timing_get_timer( &timer, 1 ) == 0 );
-    /* Read the timer immediately after reset. It should be 0 or close
-       to it. */
-    TEST_ASSERT( mbedtls_timing_get_timer( &timer, 0 ) < TIMING_SHORT_TEST_MS );
-    return;
-
-exit:
-    /* No cleanup needed, but show some diagnostic information, because timing
-       problems can be hard to reproduce. */
-    if( !timers_are_badly_broken )
-        mbedtls_fprintf( stdout, "  Finished with millis=%lu get(timer)<=%lu iterations=%lu\n",
-                         millis, mbedtls_timing_get_timer( &timer, 0 ),
-                         iterations );
+    struct mbedtls_timing_hr_time time;
+    (void) mbedtls_timing_get_timer( &time, 1 );
+    (void) mbedtls_timing_get_timer( &time, 0 );
+    /* This goto is added to avoid warnings from the generated code. */
+    goto exit;
 }
 /* END_CASE */
 
 /* BEGIN_CASE */
-void timing_two_timers( int delta )
+void timing_set_alarm( int seconds )
 {
-    struct mbedtls_timing_hr_time timer1, timer2;
-    unsigned long millis1 = 0, millis2 = 0;
-
-    /* Skip this test if it looks like timers don't work at all, to avoid an
-       infinite loop below. */
-    TEST_ASSERT( !timers_are_badly_broken );
-
-    /* Start the first timer and wait for a short time. */
-    (void) mbedtls_timing_get_timer( &timer1, 1 );
-    do
-    {
-        millis1 = mbedtls_timing_get_timer( &timer1, 0 );
-    }
-    while( millis1 < TIMING_SHORT_TEST_MS );
-
-    /* Do a short busy-wait, so that the difference between timer1 and timer2
-       doesn't practically always end up being very close to a whole number of
-       milliseconds. */
-    while( delta > 0 )
-        --delta;
-
-    /* Start the second timer and compare it with the first. */
-    mbedtls_timing_get_timer( &timer2, 1 );
-    do
+    if( seconds == 0 )
     {
-        millis1 = mbedtls_timing_get_timer( &timer1, 0 );
-        millis2 = mbedtls_timing_get_timer( &timer2, 0 );
-        /* The first timer should always be ahead of the first. */
-        TEST_ASSERT( millis1 > millis2 );
-        /* The timers shouldn't drift apart, i.e. millis2-millis1 should stay
-           roughly constant, but this is hard to test reliably, especially in
-           a busy environment such as an overloaded continuous integration
-           system, so we don't test it it. */
+        mbedtls_set_alarm( seconds );
+        TEST_ASSERT( mbedtls_timing_alarmed == 1 );
     }
-    while( millis2 < TIMING_SHORT_TEST_MS );
-
-    return;
-
-exit:
-    /* No cleanup needed, but show some diagnostic iterations, because timing
-       problems can be hard to reproduce. */
-    if( !timers_are_badly_broken )
-        mbedtls_fprintf( stdout, "  Finished with millis1=%lu get(timer1)<=%lu millis2=%lu get(timer2)<=%lu\n",
-                         millis1, mbedtls_timing_get_timer( &timer1, 0 ),
-                         millis2, mbedtls_timing_get_timer( &timer2, 0 ) );
-}
-/* END_CASE */
-
-/* BEGIN_CASE */
-void timing_alarm( int seconds )
-{
-    struct mbedtls_timing_hr_time timer;
-    unsigned long millis = 0;
-    /* We check that about the desired number of seconds has elapsed. Be
-       slightly liberal with the lower bound, so as to allow platforms where
-       the alarm (with second resolution) and the timer (with millisecond
-       resolution) are based on different clocks. Be very liberal with the
-       upper bound, because the platform might be busy. */
-    unsigned long millis_min = ( seconds > 0 ?
-                                 seconds * 900 :
-                                 0 );
-    unsigned long millis_max = ( seconds > 0 ?
-                                 seconds * 1100 + 400 :
-                                 TIMING_ALARM_0_DELAY_MS );
-    unsigned long iterations = 0;
-
-    /* Skip this test if it looks like timers don't work at all, to avoid an
-       infinite loop below. */
-    TEST_ASSERT( !timers_are_badly_broken );
-
-    /* Set an alarm and count how long it takes with a timer. */
-    (void) mbedtls_timing_get_timer( &timer, 1 );
-    mbedtls_set_alarm( seconds );
-
-    if( seconds > 0 )
-    {
-        /* We set the alarm for at least 1 second. It should not have fired
-           immediately, even on a slow and busy platform. */
-        TEST_ASSERT( !mbedtls_timing_alarmed );
-    }
-    /* A 0-second alarm should fire quickly, but we don't guarantee that it
-       fires immediately, so mbedtls_timing_alarmed may or may not be set at
-       this point. */
-
-    /* Busy-wait until the alarm rings */
-    do
+    else
     {
-        ++iterations;
-        millis = mbedtls_timing_get_timer( &timer, 0 );
+        mbedtls_set_alarm( seconds );
+        TEST_ASSERT( mbedtls_timing_alarmed == 0 ||
+                     mbedtls_timing_alarmed == 1 );
     }
-    while( !mbedtls_timing_alarmed && millis <= millis_max );
-
-    TEST_ASSERT( mbedtls_timing_alarmed );
-    TEST_ASSERT( millis >= millis_min );
-    TEST_ASSERT( millis <= millis_max );
-
-    mbedtls_timing_alarmed = 0;
-    return;
-
-exit:
-    /* Show some diagnostic iterations, because timing
-       problems can be hard to reproduce. */
-    if( !timers_are_badly_broken )
-        mbedtls_fprintf( stdout, "  Finished with alarmed=%d millis=%lu get(timer)<=%lu iterations=%lu\n",
-                         mbedtls_timing_alarmed,
-                         millis, mbedtls_timing_get_timer( &timer, 0 ),
-                         iterations );
-    /* Cleanup */
-    mbedtls_timing_alarmed = 0;
 }
 /* END_CASE */
 
 /* BEGIN_CASE */
-void timing_delay( int int_ms, int fin_ms )
+void timing_delay( int fin_ms )
 {
-    /* This function assumes that if int_ms is nonzero then it is large
-       enough that we have time to read all timers at least once in an
-       interval of time lasting int_ms milliseconds, and likewise for (fin_ms
-       - int_ms). So don't call it with arguments that are too small. */
-
-    mbedtls_timing_delay_context delay;
-    struct mbedtls_timing_hr_time timer;
-    unsigned long delta = 0; /* delay started between timer=0 and timer=delta */
-    unsigned long before = 0, after = 0;
-    unsigned long iterations = 0;
-    int status = -2;
-    int saw_status_1 = 0;
-    int warn_inconclusive = 0;
-
-    assert( int_ms >= 0 );
-    assert( fin_ms >= 0 );
-
-    /* Skip this test if it looks like timers don't work at all, to avoid an
-       infinite loop below. */
-    TEST_ASSERT( !timers_are_badly_broken );
-
-    /* Start a reference timer. Program a delay, and verify that the status of
-       the delay is consistent with the time given by the reference timer. */
-    (void) mbedtls_timing_get_timer( &timer, 1 );
-    mbedtls_timing_set_delay( &delay, int_ms, fin_ms );
-    /* Set delta to an upper bound for the interval between the start of timer
-       and the start of delay. Reading timer after starting delay gives us an
-       upper bound for the interval, rounded to a 1ms precision. Since this
-       might have been rounded down, but we need an upper bound, we add 1. */
-    delta = mbedtls_timing_get_timer( &timer, 0 ) + 1;
-
-    status = mbedtls_timing_get_delay( &delay );
+    mbedtls_timing_delay_context ctx;
+    int result;
     if( fin_ms == 0 )
     {
-        /* Cancelled timer. Just check the correct status for this case. */
-        TEST_ASSERT( status == -1 );
-        return;
-    }
-
-    /* Initially, none of the delays must be passed yet if they're nonzero.
-       This could fail for very small values of int_ms and fin_ms, where "very
-       small" depends how fast and how busy the platform is. */
-    if( int_ms > 0 )
-    {
-        TEST_ASSERT( status == 0 );
+        mbedtls_timing_set_delay( &ctx, 0, 0 );
+        result = mbedtls_timing_get_delay( &ctx );
+        TEST_ASSERT( result == -1 );
     }
     else
     {
-        TEST_ASSERT( status == 1 );
+        mbedtls_timing_set_delay( &ctx, fin_ms / 2, fin_ms );
+        result = mbedtls_timing_get_delay( &ctx );
+        TEST_ASSERT( result >= 0 && result <= 2 );
     }
-
-    do
-    {
-        unsigned long delay_min, delay_max;
-        int status_min, status_max;
-        ++iterations;
-        before = mbedtls_timing_get_timer( &timer, 0 );
-        status = mbedtls_timing_get_delay( &delay );
-        after = mbedtls_timing_get_timer( &timer, 0 );
-        /* At a time between before and after, the delay's status was status.
-           Check that this is consistent given that the delay was started
-           between times 0 and delta. */
-        delay_min = ( before > delta ? before - delta : 0 );
-        status_min = expected_delay_status( int_ms, fin_ms, delay_min );
-        delay_max = after;
-        status_max = expected_delay_status( int_ms, fin_ms, delay_max );
-        TEST_ASSERT( status >= status_min );
-        TEST_ASSERT( status <= status_max );
-        if( status == 1 )
-            saw_status_1 = 1;
-    }
-    while ( before <= fin_ms + delta && status != 2 );
-
-    /* Since we've waited at least fin_ms, the delay must have fully
-       expired. */
-    TEST_ASSERT( status == 2 );
-
-    /* If the second delay is more than the first, then there must have been a
-       point in time when the first delay was passed but not the second delay.
-       This could fail for very small values of (fin_ms - int_ms), where "very
-       small" depends how fast and how busy the platform is. In practice, this
-       is the test that's most likely to fail on a heavily loaded machine. */
-    if( fin_ms > int_ms )
-    {
-        warn_inconclusive = 1;
-        TEST_ASSERT( saw_status_1 );
-    }
-
-    return;
-
-exit:
-    /* No cleanup needed, but show some diagnostic iterations, because timing
-       problems can be hard to reproduce. */
-    if( !timers_are_badly_broken )
-        mbedtls_fprintf( stdout, "  Finished with delta=%lu before=%lu after=%lu status=%d iterations=%lu\n",
-                         delta, before, after, status, iterations );
-    if( warn_inconclusive )
-        mbedtls_fprintf( stdout, "  Inconclusive test, try running it on a less heavily loaded machine.\n" );
- }
-/* END_CASE */
-
-/* BEGIN_CASE */
-void timing_hardclock( )
-{
-    /* We make very few guarantees about mbedtls_timing_hardclock: its rate is
-       platform-dependent, it can wrap around. So there isn't much we can
-       test. But we do at least test that it doesn't crash, stall or return
-       completely nonsensical values. */
-
-    struct mbedtls_timing_hr_time timer;
-    unsigned long hardclock0 = -1, hardclock1 = -1, delta1 = -1;
-
-    /* Skip this test if it looks like timers don't work at all, to avoid an
-       infinite loop below. */
-    TEST_ASSERT( !timers_are_badly_broken );
-
-    hardclock0 = mbedtls_timing_hardclock( );
-    /* Wait 2ms to ensure a nonzero delay. Since the timer interface has 1ms
-       resolution and unspecified precision, waiting 1ms might be a very small
-       delay that's rounded up. */
-    (void) mbedtls_timing_get_timer( &timer, 1 );
-    while( mbedtls_timing_get_timer( &timer, 0 ) < 2 )
-        /*busy-wait loop*/;
-    hardclock1 = mbedtls_timing_hardclock( );
-
-    /* Although the hardclock counter can wrap around, the difference
-       (hardclock1 - hardclock0) is taken modulo the type size, so it is
-       correct as long as the counter only wrapped around at most once. We
-       further require the difference to be nonzero (after a wait of more than
-       1ms, the counter must have changed), and not to be overly large (after
-       a wait of less than 3ms, plus time lost because other processes were
-       scheduled on the CPU). If the hardclock counter runs at 4GHz, then
-       1000000000 (which is 1/4 of the counter wraparound on a 32-bit machine)
-       allows 250ms. */
-    delta1 = hardclock1 - hardclock0;
-    TEST_ASSERT( delta1 > 0 );
-    TEST_ASSERT( delta1 < 1000000000 );
-    return;
-
-exit:
-    /* No cleanup needed, but show some diagnostic iterations, because timing
-       problems can be hard to reproduce. */
-    if( !timers_are_badly_broken )
-        mbedtls_fprintf( stdout, "  Finished with hardclock=%lu,%lu\n",
-                         hardclock0, hardclock1 );
 }
 /* END_CASE */
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_version.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_version.data
index eafceb3e84..1aa9c5333a 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_version.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
 Check compiletime library version
-check_compiletime_version:"2.7.9"
+check_compiletime_version:"2.7.11"
 
 Check runtime library version
-check_runtime_version:"2.7.9"
+check_runtime_version:"2.7.11"
 
 Check for MBEDTLS_VERSION_C
 check_feature:"MBEDTLS_VERSION_C":0
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509parse.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509parse.data
index 19a8af31c4..0fe68cb06f 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509parse.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509parse.data
@@ -12,15 +12,15 @@ x509_cert_info:"data_files/test-ca.crt":"cert. version     \: 3\nserial number
 
 X509 Certificate information MD2 Digest
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509_cert_info:"data_files/cert_md2.crt":"cert. version     \: 3\nserial number     \: 09\nissuer name       \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name      \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD2\nissued  on        \: 2009-07-12 10\:56\:59\nexpires on        \: 2011-07-12 10\:56\:59\nsigned using      \: RSA with MD2\nRSA key size      \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/cert_md2.crt":"cert. version     \: 3\nserial number     \: 09\nissuer name       \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name      \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD2\nissued  on        \: 2000-01-01 12\:12\:12\nexpires on        \: 2030-01-01 12\:12\:12\nsigned using      \: RSA with MD2\nRSA key size      \: 2048 bits\nbasic constraints \: CA=false\n"
 
 X509 Certificate information MD4 Digest
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD4_C
-x509_cert_info:"data_files/cert_md4.crt":"cert. version     \: 3\nserial number     \: 05\nissuer name       \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name      \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD4\nissued  on        \: 2011-02-12 14\:44\:07\nexpires on        \: 2021-02-12 14\:44\:07\nsigned using      \: RSA with MD4\nRSA key size      \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/cert_md4.crt":"cert. version     \: 3\nserial number     \: 05\nissuer name       \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name      \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD4\nissued  on        \: 2000-01-01 12\:12\:12\nexpires on        \: 2030-01-01 12\:12\:12\nsigned using      \: RSA with MD4\nRSA key size      \: 2048 bits\nbasic constraints \: CA=false\n"
 
 X509 Certificate information MD5 Digest
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD5_C
-x509_cert_info:"data_files/cert_md5.crt":"cert. version     \: 3\nserial number     \: 06\nissuer name       \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name      \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD5\nissued  on        \: 2011-02-12 14\:44\:07\nexpires on        \: 2021-02-12 14\:44\:07\nsigned using      \: RSA with MD5\nRSA key size      \: 2048 bits\nbasic constraints \: CA=false\n"
+x509_cert_info:"data_files/cert_md5.crt":"cert. version     \: 3\nserial number     \: 06\nissuer name       \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name      \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD5\nissued  on        \: 2000-01-01 12\:12\:12\nexpires on        \: 2030-01-01 12\:12\:12\nsigned using      \: RSA with MD5\nRSA key size      \: 2048 bits\nbasic constraints \: CA=false\n"
 
 X509 Certificate information SHA1 Digest
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
@@ -226,7 +226,7 @@ X509 CSR Information RSA with SHA224
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
 mbedtls_x509_csr_info:"data_files/server1.req.sha224":"CSR version   \: 1\nsubject name  \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using  \: RSA with SHA-224\nRSA key size  \: 2048 bits\n"
 
-X509 CSR Information RSA with SHA256
+X509 CSR Information RSA with SHA-256
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
 mbedtls_x509_csr_info:"data_files/server1.req.sha256":"CSR version   \: 1\nsubject name  \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using  \: RSA with SHA-256\nRSA key size  \: 2048 bits\n"
 
@@ -278,6 +278,10 @@ X509 CSR Information RSA-PSS with SHA512
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA512_C
 mbedtls_x509_csr_info:"data_files/server9.req.sha512":"CSR version   \: 1\nsubject name  \: C=NL, O=PolarSSL, CN=localhost\nsigned using  \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E)\nRSA key size  \: 1024 bits\n"
 
+X509 CSR Information RSA with SHA-256 - Microsoft header
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
+mbedtls_x509_csr_info:"data_files/server1-ms.req.sha256":"CSR version   \: 1\nsubject name  \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using  \: RSA with SHA-256\nRSA key size  \: 2048 bits\n"
+
 X509 Verify Information: empty
 x509_verify_info:0:"":""
 
@@ -447,14 +451,30 @@ X509 Certificate verification #10 (Not trusted Cert, Expired CRL)
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
 x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
 
-X509 Certificate verification #12 (Valid Cert MD4 Digest)
+X509 Certificate verification #12 (Valid Cert MD2 Digest, MD2 forbidden)
+depends_on:MBEDTLS_MD2_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+x509_verify:"data_files/cert_md2.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"compat":"NULL"
+
+X509 Certificate verification #12 (Valid Cert MD4 Digest, MD4 forbidden)
 depends_on:MBEDTLS_MD4_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
 x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"compat":"NULL"
 
-X509 Certificate verification #13 (Valid Cert MD5 Digest)
+X509 Certificate verification #13 (Valid Cert MD5 Digest, MD5 forbidden)
 depends_on:MBEDTLS_MD5_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
 x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"compat":"NULL"
 
+X509 Certificate verification #12 (Valid Cert MD2 Digest, MD2 allowed)
+depends_on:MBEDTLS_MD2_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+x509_verify:"data_files/cert_md2.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"all":"NULL"
+
+X509 Certificate verification #12 (Valid Cert MD4 Digest, MD4 allowed)
+depends_on:MBEDTLS_MD4_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"all":"NULL"
+
+X509 Certificate verification #13 (Valid Cert MD5 Digest, MD5 allowed)
+depends_on:MBEDTLS_MD5_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"all":"NULL"
+
 X509 Certificate verification #14 (Valid Cert SHA1 Digest explicitly allowed in profile)
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
 x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
@@ -972,171 +992,171 @@ X509 Certificate ASN1 (TBSCertificate, correct alg, unknown alg_id)
 x509parse_crt:"30173015a0030201028204deadbeef30080604cafed00d0500":"":MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND
 
 X509 Certificate ASN1 (TBSCertificate, correct alg, specific alg_id)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"301c301aa0030201028204deadbeef300d06092a864886f70d0101020500":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"301c301aa0030201028204deadbeef300d06092a864886f70d01010b0500":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate, correct alg, unknown specific alg_id)
 x509parse_crt:"301c301aa0030201028204deadbeef300d06092a864886f70d0101010500":"":MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND
 
 X509 Certificate ASN1 (TBSCertificate, correct alg, bad RSASSA-PSS params)
 depends_on:MBEDTLS_X509_RSASSA_PSS_SUPPORT
-x509parse_crt:"30193017A003020102020118300D06092A864886F70D01010A3100":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509parse_crt:"30193017a003020102020118300d06092a864886f70d01010a3100":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 Certificate ASN1 (TBSCertificate, issuer no set data)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"301e301ca0030201028204deadbeef300d06092a864886f70d01010205003000":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"301e301ca0030201028204deadbeef300d06092a864886f70d01010b05003000":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate, issuer no inner seq data)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"3020301ea0030201028204deadbeef300d06092a864886f70d010102050030023100":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3020301ea0030201028204deadbeef300d06092a864886f70d01010b050030023100":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate, issuer no inner set data)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30223020a0030201028204deadbeef300d06092a864886f70d0101020500300431023000":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30223020a0030201028204deadbeef300d06092a864886f70d01010b0500300431023000":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate, issuer two inner set datas)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30243022a0030201028204deadbeef300d06092a864886f70d01010205003006310430003000":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30243022a0030201028204deadbeef300d06092a864886f70d01010b05003006310430003000":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate, issuer no oid data)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30243022a0030201028204deadbeef300d06092a864886f70d01010205003006310430020600":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30243022a0030201028204deadbeef300d06092a864886f70d01010b05003006310430020600":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate, issuer invalid tag)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"302a3028a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600060454657374":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"302a3028a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600060454657374":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 Certificate ASN1 (TBSCertificate, issuer, no string data)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30253023a0030201028204deadbeef300d06092a864886f70d0101020500300731053003060013":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30253023a0030201028204deadbeef300d06092a864886f70d01010b0500300731053003060013":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate, issuer, no full following string)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"302b3029a0030201028204deadbeef300d06092a864886f70d0101020500300d310b3009060013045465737400":"":MBEDTLS_ERR_X509_INVALID_NAME+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"302b3029a0030201028204deadbeef300d06092a864886f70d01010b0500300d310b3009060013045465737400":"":MBEDTLS_ERR_X509_INVALID_NAME+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
 X509 Certificate ASN1 (TBSCertificate, valid issuer, no validity)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"302a3028a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"302a3028a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate, too much date data)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30493047a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301d170c303930313031303030303030170c30393132333132333539353900":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30493047a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301d170c303930313031303030303030170c30393132333132333539353900":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
 X509 Certificate ASN1 (TBSCertificate, invalid from date)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30483046a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303000000000170c303931323331323300000000":"":MBEDTLS_ERR_X509_INVALID_DATE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30483046a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303000000000170c303931323331323300000000":"":MBEDTLS_ERR_X509_INVALID_DATE
 
 X509 Certificate ASN1 (TBSCertificate, invalid to date)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30483046a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323300000000":"":MBEDTLS_ERR_X509_INVALID_DATE
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30483046a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323300000000":"":MBEDTLS_ERR_X509_INVALID_DATE
 
 X509 Certificate ASN1 (TBSCertificate, valid validity, no subject)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30493047a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c30393132333132333539353930":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30493047a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c30393132333132333539353930":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate, valid subject, no pubkeyinfo)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30563054a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30563054a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate, pubkey, no alg)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30583056a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743000":"":MBEDTLS_ERR_PK_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30583056a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743000":"":MBEDTLS_ERR_PK_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate, valid subject, unknown pk alg)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30673065a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374300f300d06092A864886F70D0101000500":"":MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30673065a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374300f300d06092a864886f70d0101000500":"":MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
 
 X509 Certificate ASN1 (TBSCertificate, pubkey, no bitstring)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30673065a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374300f300d06092A864886F70D0101010500":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30673065a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374300f300d06092a864886f70d0101010500":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate, pubkey, no bitstring data)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30693067a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743011300d06092A864886F70D01010105000300":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_INVALID_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30693067a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743011300d06092a864886f70d01010105000300":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_INVALID_DATA
 
 X509 Certificate ASN1 (TBSCertificate, pubkey, invalid bitstring start)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"306a3068a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743012300d06092A864886F70D0101010500030101":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_INVALID_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"306a3068a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743012300d06092a864886f70d0101010500030101":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_INVALID_DATA
 
 X509 Certificate ASN1 (TBSCertificate, pubkey, invalid internal bitstring length)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"306d306ba0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400300000":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"306d306ba0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092a864886f70d0101010500030400300000":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
 X509 Certificate ASN1 (TBSCertificate, pubkey, invalid internal bitstring tag)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"306d306ba0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400310000":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"306d306ba0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092a864886f70d0101010500030400310000":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 Certificate ASN1 (TBSCertificate, pubkey, invalid mbedtls_mpi)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30743072a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301c300d06092A864886F70D0101010500030b0030080202ffff0302ffff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30743072a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301c300d06092a864886f70d0101010500030b0030080202ffff0302ffff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 Certificate ASN1 (TBSCertificate, pubkey, total length mismatch)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30753073a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301d300d06092A864886F70D0101010500030b0030080202ffff0202ffff00":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30753073a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301d300d06092a864886f70d0101010500030b0030080202ffff0202ffff00":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
 X509 Certificate ASN1 (TBSCertificate, pubkey, check failed)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30743072a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301c300d06092A864886F70D0101010500030b0030080202ffff0202ffff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30743072a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301c300d06092a864886f70d0101010500030b0030080202ffff0202ffff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY
 
 X509 Certificate ASN1 (TBSCertificate, pubkey, check failed, expanded length notation)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308183308180a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210fffffffffffffffffffffffffffffffe0202ffff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308183308180a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210fffffffffffffffffffffffffffffffe0202ffff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY
 
 X509 Certificate ASN1 (TBSCertificate v3, Optional UIDs, Extensions not present)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308183308180a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308183308180a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate v3, issuerID wrong tag)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308184308181a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff00":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308184308181a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff00":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 Certificate ASN1 (TBSCertificate v3, UIDs, no ext)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308189308186a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bb":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308189308186a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bb":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate v3, UIDs, invalid length)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308189308186a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa185aaa201bb":"":MBEDTLS_ERR_ASN1_INVALID_LENGTH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308189308186a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa185aaa201bb":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_INVALID_LENGTH
 
 X509 Certificate ASN1 (TBSCertificate v3, ext empty)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30818b308188a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba300":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30818b308188a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba300":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate v3, ext length mismatch)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30818e30818ba0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba303300000":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30818e30818ba0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba303300000":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
 X509 Certificate ASN1 (TBSCertificate v3, first ext invalid)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30818f30818ca0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30330023000":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30818f30818ca0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30330023000":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate v3, first ext invalid tag)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30819030818da0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba3043002310000":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30819030818da0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba3043002310000":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, bool len missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30c300a30060603551d1301010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30c300a30060603551d1301010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, data missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30c300a30080603551d1301010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30c300a30080603551d1301010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, no octet present)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30d300b30090603551d1301010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30d300b30090603551d1301010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, octet data missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30819c308199a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba311300f300d0603551d130101010403300100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30819c308199a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba311300f300d0603551d130101010403300100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, no pathlen)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30819f30819ca0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba314301230100603551d130101010406300402010102":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30819f30819ca0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba314301230100603551d130101010406300402010102":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, octet len mismatch)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"3081a230819fa0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba317301530130603551d130101010409300702010102010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081a230819fa0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba317301530130603551d130101010409300702010102010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
 X509 Certificate ASN1 (ExtKeyUsage, bad second tag)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
@@ -1144,101 +1164,101 @@ x509parse_crt:"3081de3081dba003020102020900ebdbcd14105e1839300906072a8648ce3d040
 
 X509 Certificate ASN1 (SubjectAltName repeated)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
-x509parse_crt:"3081fd3081faa003020102020900a8b31ff37d09a37f300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3134313131313231333731365a170d3234313130383231333731365a300f310d300b06035504031304546573743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374301d0603551d11041630148208666f6f2e7465737482086261722e74657374":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS
+x509parse_crt:"3081fd3081faa003020102020900a8b31ff37d09a37f300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3134313131313231333731365a170d3234313130383231333731365a300f310d300b06035504031304546573743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa340303e301d0603551d11041630148208666f6f2e7465737482086261722e74657374301d0603551d11041630148208666f6f2e7465737482086261722e74657374":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS
 
 X509 Certificate ASN1 (ExtKeyUsage repeated)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
 x509parse_crt:"3081fd3081faa003020102020900ebdbcd14105e1839300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3134313131313230353935345a170d3234313130383230353935345a300f310d300b06035504031304546573743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa340303e301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d250416301406082b0601050507030106082b06010505070302":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS
 
 X509 Certificate ASN1 (correct pubkey, no sig_alg)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308183308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308183308180a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (sig_alg mismatch)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308192308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0102020500":"":MBEDTLS_ERR_X509_SIG_MISMATCH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308192308180a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0102020500":"":MBEDTLS_ERR_X509_SIG_MISMATCH
 
 X509 Certificate ASN1 (sig_alg, no sig)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308192308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308192308180a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d01010b0500":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (signature, invalid sig data)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308195308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030100":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_INVALID_DATA
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308195308180a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d01010b0500030100":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_INVALID_DATA
 
 X509 Certificate ASN1 (signature, data left)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308197308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff00":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308197308180a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d01010b0500030200ff00":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
-X509 Certificate ASN1 (correct)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308196308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: ?\?=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with MD2\nRSA key size      \: 128 bits\n":0
+X509 Certificate ASN1 (well-formed)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308196308180a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d01010b0500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: ?\?=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with SHA-256\nRSA key size      \: 128 bits\n":0
 
 X509 Certificate ASN1 (GeneralizedTime instead of UTCTime)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308198308182a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301e180e3230313030313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: ?\?=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2010-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with MD2\nRSA key size      \: 128 bits\n":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308198308182a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301e180e3230313030313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d01010b0500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: ?\?=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2010-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with SHA-256\nRSA key size      \: 128 bits\n":0
 
 X509 Certificate ASN1 (Name with X520 CN)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d0101020500300f310d300b0603550403130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: CN=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with MD2\nRSA key size      \: 128 bits\n":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d01010b0500300f310d300b0603550403130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d01010b0500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: CN=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with SHA-256\nRSA key size      \: 128 bits\n":0
 
 X509 Certificate ASN1 (Name with X520 C)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d0101020500300f310d300b0603550406130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: C=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with MD2\nRSA key size      \: 128 bits\n":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d01010b0500300f310d300b0603550406130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d01010b0500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: C=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with SHA-256\nRSA key size      \: 128 bits\n":0
 
 X509 Certificate ASN1 (Name with X520 L)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d0101020500300f310d300b0603550407130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: L=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with MD2\nRSA key size      \: 128 bits\n":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d01010b0500300f310d300b0603550407130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d01010b0500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: L=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with SHA-256\nRSA key size      \: 128 bits\n":0
 
 X509 Certificate ASN1 (Name with X520 ST)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d0101020500300f310d300b0603550408130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: ST=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with MD2\nRSA key size      \: 128 bits\n":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d01010b0500300f310d300b0603550408130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d01010b0500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: ST=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with SHA-256\nRSA key size      \: 128 bits\n":0
 
 X509 Certificate ASN1 (Name with X520 O)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d0101020500300f310d300b060355040a130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: O=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with MD2\nRSA key size      \: 128 bits\n":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d01010b0500300f310d300b060355040a130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d01010b0500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: O=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with SHA-256\nRSA key size      \: 128 bits\n":0
 
 X509 Certificate ASN1 (Name with X520 OU)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d0101020500300f310d300b060355040b130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: OU=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with MD2\nRSA key size      \: 128 bits\n":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d01010b0500300f310d300b060355040b130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d01010b0500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: OU=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with SHA-256\nRSA key size      \: 128 bits\n":0
 
 X509 Certificate ASN1 (Name with unknown X520 part)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d0101020500300f310d300b06035504de130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: ?\?=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with MD2\nRSA key size      \: 128 bits\n":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d01010b0500300f310d300b06035504de130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d01010b0500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: ?\?=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with SHA-256\nRSA key size      \: 128 bits\n":0
 
 X509 Certificate ASN1 (Name with composite RDN)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
 x509parse_crt:"3082029f30820208a00302010202044c20e3bd300d06092a864886f70d01010505003056310b3009060355040613025553310b300906035504080c0243413121301f060355040a0c18496e7465726e6574205769646769747320507479204c74643117301506035504030c0e4672616e6b656e63657274204341301e170d3133303830323135313433375a170d3135303831373035353433315a3081d1310b3009060355040613025553311330110603550408130a57617368696e67746f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c6177617265311a3018060355040a1311417574686f72697a652e4e6574204c4c43311d301b060355040f131450726976617465204f7267616e697a6174696f6e312a300e06035504051307343336393139313018060355040313117777772e617574686f72697a652e6e6574311630140603550407130d53616e204672616e636973636f30819f300d06092a864886f70d010101050003818d0030818902818100d885c62e209b6ac005c64f0bcfdaac1f2b67a18802f75b08851ff933deed888b7b68a62fcabdb21d4a8914becfeaaa1b7e08a09ffaf9916563586dc95e2877262b0b5f5ec27eb4d754aa6facd1d39d25b38a2372891bacdd3e919f791ed25704e8920e380e5623a38e6a23935978a3aec7a8e761e211d42effa2713e44e7de0b0203010001300d06092a864886f70d010105050003818100092f7424d3f6da4b8553829d958ed1980b9270b42c0d3d5833509a28c66bb207df9f3c51d122065e00b87c08c2730d2745fe1c279d16fae4d53b4bf5bdfa3631fceeb2e772b6b08a3eca5a2e2c687aefd23b4b73bf77ac6099711342cf070b35c6f61333a7cbf613d8dd4bd73e9df34bcd4284b0b4df57c36c450613f11e5dac":"cert. version     \: 3\nserial number     \: 4C\:20\:E3\:BD\nissuer name       \: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=Frankencert CA\nsubject name      \: C=US, ST=Washington, ??=US, ??=Delaware, O=Authorize.Net LLC, ??=Private Organization, serialNumber=4369191 + CN=www.authorize.net, L=San Francisco\nissued  on        \: 2013-08-02 15\:14\:37\nexpires on        \: 2015-08-17 05\:54\:31\nsigned using      \: RSA with SHA1\nRSA key size      \: 1024 bits\n":0
 
 X509 Certificate ASN1 (Name with PKCS9 email)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30819f308189a0030201008204deadbeef300d06092a864886f70d010102050030153113301106092a864886f70d010901130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: emailAddress=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with MD2\nRSA key size      \: 128 bits\n":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30819f308189a0030201008204deadbeef300d06092a864886f70d01010b050030153113301106092a864886f70d010901130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d01010b0500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: emailAddress=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with SHA-256\nRSA key size      \: 128 bits\n":0
 
 X509 Certificate ASN1 (Name with unknown PKCS9 part)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30819f308189a0030201008204deadbeef300d06092a864886f70d010102050030153113301106092a864886f70d0109ab130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: ?\?=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with MD2\nRSA key size      \: 128 bits\n":0
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30819f308189a0030201008204deadbeef300d06092a864886f70d01010b050030153113301106092a864886f70d0109ab130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d01010b0500030200ff":"cert. version     \: 1\nserial number     \: DE\:AD\:BE\:EF\nissuer name       \: ?\?=Test\nsubject name      \: ?\?=Test\nissued  on        \: 2009-01-01 00\:00\:00\nexpires on        \: 2009-12-31 23\:59\:59\nsigned using      \: RSA with SHA-256\nRSA key size      \: 128 bits\n":0
 
 X509 Certificate ASN1 (ECDSA signature, RSA key)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_ECDSA_C
-x509parse_crt:"3081E630819E020103300906072A8648CE3D0401300F310D300B0603550403130454657374301E170D3133303731303039343631385A170D3233303730383039343631385A300F310D300B0603550403130454657374304C300D06092A864886F70D0101010500033B003038023100E8F546061D3B49BC2F6B7524B7EA4D73A8D5293EE8C64D9407B70B5D16BAEBC32B8205591EAB4E1EB57E9241883701250203010001300906072A8648CE3D0401033800303502186E18209AFBED14A0D9A796EFCAD68891E3CCD5F75815C833021900E92B4FD460B1994693243B9FFAD54729DE865381BDA41D25":"cert. version     \: 1\nserial number     \: 03\nissuer name       \: CN=Test\nsubject name      \: CN=Test\nissued  on        \: 2013-07-10 09\:46\:18\nexpires on        \: 2023-07-08 09\:46\:18\nsigned using      \: ECDSA with SHA1\nRSA key size      \: 384 bits\n":0
+x509parse_crt:"3081e630819e020103300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3133303731303039343631385a170d3233303730383039343631385a300f310d300b0603550403130454657374304c300d06092a864886f70d0101010500033b003038023100e8f546061d3b49bc2f6b7524b7ea4d73a8d5293ee8c64d9407b70b5d16baebc32b8205591eab4e1eb57e9241883701250203010001300906072a8648ce3d0401033800303502186e18209afbed14a0d9a796efcad68891e3ccd5f75815c833021900e92b4fd460b1994693243b9ffad54729de865381bda41d25":"cert. version     \: 1\nserial number     \: 03\nissuer name       \: CN=Test\nsubject name      \: CN=Test\nissued  on        \: 2013-07-10 09\:46\:18\nexpires on        \: 2023-07-08 09\:46\:18\nsigned using      \: ECDSA with SHA1\nRSA key size      \: 384 bits\n":0
 
 X509 Certificate ASN1 (ECDSA signature, EC key)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA1_C
-x509parse_crt:"3081EB3081A3020900F41534662EC7E912300906072A8648CE3D0401300F310D300B0603550403130454657374301E170D3133303731303039343031395A170D3233303730383039343031395A300F310D300B06035504031304546573743049301306072A8648CE3D020106082A8648CE3D030101033200042137969FABD4E370624A0E1A33E379CAB950CCE00EF8C3C3E2ADAEB7271C8F07659D65D3D777DCF21614363AE4B6E617300906072A8648CE3D04010338003035021858CC0F957946FE6A303D92885A456AA74C743C7B708CBD37021900FE293CAC21AF352D16B82EB8EA54E9410B3ABAADD9F05DD6":"cert. version     \: 1\nserial number     \: F4\:15\:34\:66\:2E\:C7\:E9\:12\nissuer name       \: CN=Test\nsubject name      \: CN=Test\nissued  on        \: 2013-07-10 09\:40\:19\nexpires on        \: 2023-07-08 09\:40\:19\nsigned using      \: ECDSA with SHA1\nEC key size       \: 192 bits\n":0
+x509parse_crt:"3081eb3081a3020900f41534662ec7e912300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3133303731303039343031395a170d3233303730383039343031395a300f310d300b06035504031304546573743049301306072a8648ce3d020106082a8648ce3d030101033200042137969fabd4e370624a0e1a33e379cab950cce00ef8c3c3e2adaeb7271c8f07659d65d3d777dcf21614363ae4b6e617300906072a8648ce3d04010338003035021858cc0f957946fe6a303d92885a456aa74c743c7b708cbd37021900fe293cac21af352d16b82eb8ea54e9410b3abaadd9f05dd6":"cert. version     \: 1\nserial number     \: F4\:15\:34\:66\:2E\:C7\:E9\:12\nissuer name       \: CN=Test\nsubject name      \: CN=Test\nissued  on        \: 2013-07-10 09\:40\:19\nexpires on        \: 2023-07-08 09\:40\:19\nsigned using      \: ECDSA with SHA1\nEC key size       \: 192 bits\n":0
 
 X509 Certificate ASN1 (RSA signature, EC key)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_RSA_C
-x509parse_crt:"3081E430819F020104300D06092A864886F70D0101050500300F310D300B0603550403130454657374301E170D3133303731303135303233375A170D3233303730383135303233375A300F310D300B06035504031304546573743049301306072A8648CE3D020106082A8648CE3D03010103320004E962551A325B21B50CF6B990E33D4318FD16677130726357A196E3EFE7107BCB6BDC6D9DB2A4DF7C964ACFE81798433D300D06092A864886F70D01010505000331001A6C18CD1E457474B2D3912743F44B571341A7859A0122774A8E19A671680878936949F904C9255BDD6FFFDB33A7E6D8":"cert. version     \: 1\nserial number     \: 04\nissuer name       \: CN=Test\nsubject name      \: CN=Test\nissued  on        \: 2013-07-10 15\:02\:37\nexpires on        \: 2023-07-08 15\:02\:37\nsigned using      \: RSA with SHA1\nEC key size       \: 192 bits\n":0
+x509parse_crt:"3081e430819f020104300d06092a864886f70d0101050500300f310d300b0603550403130454657374301e170d3133303731303135303233375a170d3233303730383135303233375a300f310d300b06035504031304546573743049301306072a8648ce3d020106082a8648ce3d03010103320004e962551a325b21b50cf6b990e33d4318fd16677130726357a196e3efe7107bcb6bdc6d9db2a4df7c964acfe81798433d300d06092a864886f70d01010505000331001a6c18cd1e457474b2d3912743f44b571341a7859a0122774a8e19a671680878936949f904c9255bdd6fffdb33a7e6d8":"cert. version     \: 1\nserial number     \: 04\nissuer name       \: CN=Test\nsubject name      \: CN=Test\nissued  on        \: 2013-07-10 15\:02\:37\nexpires on        \: 2023-07-08 15\:02\:37\nsigned using      \: RSA with SHA1\nEC key size       \: 192 bits\n":0
 
 X509 Certificate ASN1 (invalid version 3)
 x509parse_crt:"30173015a0030201038204deadbeef30080604cafed00d0500":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
 
 X509 Certificate ASN1 (invalid version overflow)
-x509parse_crt:"301A3018a00602047FFFFFFF8204deadbeef30080604cafed00d0500":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
+x509parse_crt:"301a3018a00602047fffffff8204deadbeef30080604cafed00d0500":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
 
 X509 Certificate ASN1 (invalid SubjectAltNames tag)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509parse_crt:"308203723082025AA003020102020111300D06092A864886F70D0101050500303B310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C3119301706035504031310506F6C617253534C2054657374204341301E170D3132303531303133323334315A170D3232303531313133323334315A303A310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C311830160603550403130F7777772E6578616D706C652E636F6D30820122300D06092A864886F70D01010105000382010F003082010A0282010100B93C4AC5C8A38E9017A49E52AA7175266180E7C7B56D8CFFAAB64126B7BE11AD5C73160C64114804FFD6E13B05DB89BBB39709D51C14DD688739B03D71CBE276D01AD8182D801B54F6E5449AF1CBAF612EDF490D9D09B7EDB1FD3CFD3CFA24CF5DBF7CE453E725B5EA4422E926D3EA20949EE66167BA2E07670B032FA209EDF0338F0BCE10EF67A4C608DAC1EDC23FD74ADD153DF95E1C8160463EB5B33D2FA6DE471CBC92AEEBDF276B1656B7DCECD15557A56EEC7525F5B77BDFABD23A5A91987D97170B130AA76B4A8BC14730FB3AF84104D5C1DFB81DBF7B01A565A2E01E36B7A65CCC305AF8CD6FCDF1196225CA01E3357FFA20F5DCFD69B26A007D17F70203010001A38181307F30090603551D1304023000301D0603551D0E041604147DE49C6BE6F9717D46D2123DAD6B1DFDC2AA784C301F0603551D23041830168014B45AE4A5B3DED252F6B9D5A6950FEB3EBCC7FDFF30320603551D11042B3029C20B6578616D706C652E636F6D820B6578616D706C652E6E6574820D2A2E6578616D706C652E6F7267300D06092A864886F70D010105050003820101004F09CB7AD5EEF5EF620DDC7BA285D68CCA95B46BDA115B92007513B9CA0BCEEAFBC31FE23F7F217479E2E6BCDA06E52F6FF655C67339CF48BC0D2F0CD27A06C34A4CD9485DA0D07389E4D4851D969A0E5799C66F1D21271F8D0529E840AE823968C39707CF3C934C1ADF2FA6A455487F7C8C1AC922DA24CD9239C68AECB08DF5698267CB04EEDE534196C127DC2FFE33FAD30EB8D432A9842853A5F0D189D5A298E71691BB9CC0418E8C58ACFFE3DD2E7AABB0B97176AD0F2733F7A929D3C076C0BF06407C0ED5A47C8AE2326E16AEDA641FB0557CDBDDF1A4BA447CB39958D2346E00EA976C143AF2101E0AA249107601F4F2C818FDCC6346128B091BF194E6":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509parse_crt:"308203723082025aa003020102020111300d06092a864886f70d0101050500303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341301e170d3132303531303133323334315a170d3232303531313133323334315a303a310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c311830160603550403130f7777772e6578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b93c4ac5c8a38e9017a49e52aa7175266180e7c7b56d8cffaab64126b7be11ad5c73160c64114804ffd6e13b05db89bbb39709d51c14dd688739b03d71cbe276d01ad8182d801b54f6e5449af1cbaf612edf490d9d09b7edb1fd3cfd3cfa24cf5dbf7ce453e725b5ea4422e926d3ea20949ee66167ba2e07670b032fa209edf0338f0bce10ef67a4c608dac1edc23fd74add153df95e1c8160463eb5b33d2fa6de471cbc92aeebdf276b1656b7dcecd15557a56eec7525f5b77bdfabd23a5a91987d97170b130aa76b4a8bc14730fb3af84104d5c1dfb81dbf7b01a565a2e01e36b7a65ccc305af8cd6fcdf1196225ca01e3357ffa20f5dcfd69b26a007d17f70203010001a38181307f30090603551d1304023000301d0603551d0e041604147de49c6be6f9717d46d2123dad6b1dfdc2aa784c301f0603551d23041830168014b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdff30320603551d11042b3029c20b6578616d706c652e636f6d820b6578616d706c652e6e6574820d2a2e6578616d706c652e6f7267300d06092a864886f70d010105050003820101004f09cb7ad5eef5ef620ddc7ba285d68cca95b46bda115b92007513b9ca0bceeafbc31fe23f7f217479e2e6bcda06e52f6ff655c67339cf48bc0d2f0cd27a06c34a4cd9485da0d07389e4d4851d969a0e5799c66f1d21271f8d0529e840ae823968c39707cf3c934c1adf2fa6a455487f7c8c1ac922da24cd9239c68aecb08df5698267cb04eede534196c127dc2ffe33fad30eb8d432a9842853a5f0d189d5a298e71691bb9cc0418e8c58acffe3dd2e7aabb0b97176ad0f2733f7a929d3c076c0bf06407c0ed5a47c8ae2326e16aeda641fb0557cdbddf1a4ba447cb39958d2346e00ea976c143af2101e0aa249107601f4f2c818fdcc6346128b091bf194e6":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 CRL ASN1 (Incorrect first tag)
 x509parse_crl:"":"":MBEDTLS_ERR_X509_INVALID_FORMAT
@@ -1308,7 +1328,7 @@ X509 CRL ASN1 (invalid version 2)
 x509parse_crl:"30463031020102300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
 
 X509 CRL ASN1 (invalid version overflow)
-x509parse_crl:"3049303102047FFFFFFF300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
+x509parse_crl:"3049303102047fffffff300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
 
 X509 CRL ASN1 (extension seq too long, crl-idp.pem byte 121)
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
@@ -1463,28 +1483,28 @@ depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBE
 mbedtls_x509_crt_verify_chain:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca2.crt":-1:-4:"":8
 
 X509 OID description #1
-x509_oid_desc:"2B06010505070301":"TLS Web Server Authentication"
+x509_oid_desc:"2b06010505070301":"TLS Web Server Authentication"
 
 X509 OID description #2
-x509_oid_desc:"2B0601050507030f":"notfound"
+x509_oid_desc:"2b0601050507030f":"notfound"
 
 X509 OID description #3
-x509_oid_desc:"2B0601050507030100":"notfound"
+x509_oid_desc:"2b0601050507030100":"notfound"
 
 X509 OID numstring #1 (wide buffer)
-x509_oid_numstr:"2B06010505070301":"1.3.6.1.5.5.7.3.1":20:17
+x509_oid_numstr:"2b06010505070301":"1.3.6.1.5.5.7.3.1":20:17
 
 X509 OID numstring #2 (buffer just fits)
-x509_oid_numstr:"2B06010505070301":"1.3.6.1.5.5.7.3.1":18:17
+x509_oid_numstr:"2b06010505070301":"1.3.6.1.5.5.7.3.1":18:17
 
 X509 OID numstring #3 (buffer too small)
-x509_oid_numstr:"2B06010505070301":"1.3.6.1.5.5.7.3.1":17:MBEDTLS_ERR_OID_BUF_TOO_SMALL
+x509_oid_numstr:"2b06010505070301":"1.3.6.1.5.5.7.3.1":17:MBEDTLS_ERR_OID_BUF_TOO_SMALL
 
 X509 OID numstring #4 (larger number)
-x509_oid_numstr:"2A864886F70D":"1.2.840.113549":15:14
+x509_oid_numstr:"2a864886f70d":"1.2.840.113549":15:14
 
 X509 OID numstring #5 (arithmetic overflow)
-x509_oid_numstr:"2A8648F9F8F7F6F5F4F3F2F1F001":"":100:MBEDTLS_ERR_OID_BUF_TOO_SMALL
+x509_oid_numstr:"2a8648f9f8f7f6f5f4f3f2f1f001":"":100:MBEDTLS_ERR_OID_BUF_TOO_SMALL
 
 X509 crt keyUsage #1 (no extension, expected KU)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
@@ -1532,31 +1552,31 @@ x509_check_key_usage:"data_files/keyUsage.decipherOnly.crt":MBEDTLS_X509_KU_DIGI
 
 X509 crt extendedKeyUsage #1 (no extension, serverAuth)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
-x509_check_extended_key_usage:"data_files/server5.crt":"2B06010505070301":0
+x509_check_extended_key_usage:"data_files/server5.crt":"2b06010505070301":0
 
 X509 crt extendedKeyUsage #2 (single value, present)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
-x509_check_extended_key_usage:"data_files/server5.eku-srv.crt":"2B06010505070301":0
+x509_check_extended_key_usage:"data_files/server5.eku-srv.crt":"2b06010505070301":0
 
 X509 crt extendedKeyUsage #3 (single value, absent)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
-x509_check_extended_key_usage:"data_files/server5.eku-cli.crt":"2B06010505070301":MBEDTLS_ERR_X509_BAD_INPUT_DATA
+x509_check_extended_key_usage:"data_files/server5.eku-cli.crt":"2b06010505070301":MBEDTLS_ERR_X509_BAD_INPUT_DATA
 
 X509 crt extendedKeyUsage #4 (two values, first)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
-x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2B06010505070301":0
+x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2b06010505070301":0
 
 X509 crt extendedKeyUsage #5 (two values, second)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
-x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2B06010505070302":0
+x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2b06010505070302":0
 
 X509 crt extendedKeyUsage #6 (two values, other)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
-x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2B06010505070303":MBEDTLS_ERR_X509_BAD_INPUT_DATA
+x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2b06010505070303":MBEDTLS_ERR_X509_BAD_INPUT_DATA
 
 X509 crt extendedKeyUsage #7 (any, random)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
-x509_check_extended_key_usage:"data_files/server5.eku-cs_any.crt":"2B060105050703FF":0
+x509_check_extended_key_usage:"data_files/server5.eku-cs_any.crt":"2b060105050703ff":0
 
 X509 RSASSA-PSS parameters ASN1 (good, all defaults)
 x509_parse_rsassa_pss_params:"":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:0
@@ -1565,113 +1585,113 @@ X509 RSASSA-PSS parameters ASN1 (wrong initial tag)
 x509_parse_rsassa_pss_params:"":MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 RSASSA-PSS parameters ASN1 (unknown tag in top-level sequence)
-x509_parse_rsassa_pss_params:"A400":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+x509_parse_rsassa_pss_params:"a400":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
 X509 RSASSA-PSS parameters ASN1 (good, HashAlg SHA256)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509_parse_rsassa_pss_params:"A00D300B0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA1:20:0
+x509_parse_rsassa_pss_params:"a00d300b0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA1:20:0
 
 X509 RSASSA-PSS parameters ASN1 (good, explicit HashAlg = default)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_parse_rsassa_pss_params:"A009300706052B0E03021A":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:0
+x509_parse_rsassa_pss_params:"a009300706052b0e03021a":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:0
 
 X509 RSASSA-PSS parameters ASN1 (HashAlg wrong len #1)
-x509_parse_rsassa_pss_params:"A00A300706052B0E03021A":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+x509_parse_rsassa_pss_params:"a00a300706052b0e03021a":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 RSASSA-PSS parameters ASN1 (HashAlg wrong len #2)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_parse_rsassa_pss_params:"A00A300706052B0E03021A00":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+x509_parse_rsassa_pss_params:"a00a300706052b0e03021a00":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
 X509 RSASSA-PSS parameters ASN1 (HashAlg with parameters)
-x509_parse_rsassa_pss_params:"A00F300D06096086480165030402013000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_INVALID_DATA
+x509_parse_rsassa_pss_params:"a00f300d06096086480165030402013000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_INVALID_DATA
 
 X509 RSASSA-PSS parameters ASN1 (HashAlg unknown OID)
-x509_parse_rsassa_pss_params:"A00D300B06096086480165030402FF":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_OID_NOT_FOUND
+x509_parse_rsassa_pss_params:"a00d300b06096086480165030402ff":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_OID_NOT_FOUND
 
 X509 RSASSA-PSS parameters ASN1 (good, MGAlg = MGF1-SHA256)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509_parse_rsassa_pss_params:"A11A301806092A864886F70D010108300B0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:0
+x509_parse_rsassa_pss_params:"a11a301806092a864886f70d010108300b0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:0
 
 X509 RSASSA-PSS parameters ASN1 (good, explicit MGAlg = default)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_parse_rsassa_pss_params:"A116301406092A864886F70D010108300706052B0E03021A":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:0
+x509_parse_rsassa_pss_params:"a116301406092a864886f70d010108300706052b0e03021a":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:0
 
 X509 RSASSA-PSS parameters ASN1 (MGAlg wrong len #1)
-x509_parse_rsassa_pss_params:"A11B301806092A864886F70D010108300B0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+x509_parse_rsassa_pss_params:"a11b301806092a864886f70d010108300b0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 RSASSA-PSS parameters ASN1 (MGAlg wrong len #2)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509_parse_rsassa_pss_params:"A11B301806092A864886F70D010108300B060960864801650304020100":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+x509_parse_rsassa_pss_params:"a11b301806092a864886f70d010108300b060960864801650304020100":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
 X509 RSASSA-PSS parameters ASN1 (MGAlg AlgId wrong len #1)
-x509_parse_rsassa_pss_params:"A11A301906092A864886F70D010108300B0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+x509_parse_rsassa_pss_params:"a11a301906092a864886f70d010108300b0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 RSASSA-PSS parameters ASN1 (MGAlg OID != MGF1)
-x509_parse_rsassa_pss_params:"A11A301806092A864886F70D010109300B0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE + MBEDTLS_ERR_OID_NOT_FOUND
+x509_parse_rsassa_pss_params:"a11a301806092a864886f70d010109300b0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE + MBEDTLS_ERR_OID_NOT_FOUND
 
 X509 RSASSA-PSS parameters ASN1 (MGAlg.params wrong tag)
-x509_parse_rsassa_pss_params:"A11A301806092A864886F70D010108310B0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509_parse_rsassa_pss_params:"a11a301806092a864886f70d010108310b0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 RSASSA-PSS parameters ASN1 (MGAlg.params wrong len #1a)
-x509_parse_rsassa_pss_params:"A10F300D06092A864886F70D0101083000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+x509_parse_rsassa_pss_params:"a10f300d06092a864886f70d0101083000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 RSASSA-PSS parameters ASN1 (MGAlg.params wrong len #1b)
-x509_parse_rsassa_pss_params:"A11B301906092A864886F70D010108300C0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+x509_parse_rsassa_pss_params:"a11b301906092a864886f70d010108300c0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 RSASSA-PSS parameters ASN1 (MGAlg.params.alg not an OID)
-x509_parse_rsassa_pss_params:"A11A301806092A864886F70D010108300B0709608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509_parse_rsassa_pss_params:"a11a301806092a864886f70d010108300b0709608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 RSASSA-PSS parameters ASN1 (MGAlg.params.alg unknown OID)
-x509_parse_rsassa_pss_params:"A11A301806092A864886F70D010108300B06096086480165030402FF":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_OID_NOT_FOUND
+x509_parse_rsassa_pss_params:"a11a301806092a864886f70d010108300b06096086480165030402ff":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_OID_NOT_FOUND
 
 X509 RSASSA-PSS parameters ASN1 (MGAlg.params.params NULL)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509_parse_rsassa_pss_params:"A11C301A06092A864886F70D010108300D06096086480165030402010500":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:0
+x509_parse_rsassa_pss_params:"a11c301a06092a864886f70d010108300d06096086480165030402010500":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:0
 
 X509 RSASSA-PSS parameters ASN1 (MGAlg.params.params wrong tag)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509_parse_rsassa_pss_params:"A11C301A06092A864886F70D010108300D06096086480165030402013000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509_parse_rsassa_pss_params:"a11c301a06092a864886f70d010108300d06096086480165030402013000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 RSASSA-PSS parameters ASN1 (MGAlg.params wrong len #1c)
-x509_parse_rsassa_pss_params:"A11D301B06092A864886F70D010108300E06096086480165030402010500":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+x509_parse_rsassa_pss_params:"a11d301b06092a864886f70d010108300e06096086480165030402010500":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 RSASSA-PSS parameters ASN1 (MGAlg.params wrong len #2)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509_parse_rsassa_pss_params:"A11D301B06092A864886F70D010108300E0609608648016503040201050000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+x509_parse_rsassa_pss_params:"a11d301b06092a864886f70d010108300e0609608648016503040201050000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
 X509 RSASSA-PSS parameters ASN1 (good, saltLen = 94)
-x509_parse_rsassa_pss_params:"A20302015E":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:94:0
+x509_parse_rsassa_pss_params:"a20302015e":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:94:0
 
 X509 RSASSA-PSS parameters ASN1 (good, explicit saltLen = default)
-x509_parse_rsassa_pss_params:"A203020114":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:0
+x509_parse_rsassa_pss_params:"a203020114":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:0
 
 X509 RSASSA-PSS parameters ASN1 (saltLen wrong len #1)
-x509_parse_rsassa_pss_params:"A20402015E":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:94:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+x509_parse_rsassa_pss_params:"a20402015e":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:94:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 RSASSA-PSS parameters ASN1 (saltLen wrong len #2)
-x509_parse_rsassa_pss_params:"A20402015E00":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:94:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+x509_parse_rsassa_pss_params:"a20402015e00":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:94:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
 X509 RSASSA-PSS parameters ASN1 (saltLen not an int)
-x509_parse_rsassa_pss_params:"A2023000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:94:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509_parse_rsassa_pss_params:"a2023000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:94:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 RSASSA-PSS parameters ASN1 (good, explicit trailerField = default)
-x509_parse_rsassa_pss_params:"A303020101":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:0
+x509_parse_rsassa_pss_params:"a303020101":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:0
 
 X509 RSASSA-PSS parameters ASN1 (trailerField wrong len #1)
-x509_parse_rsassa_pss_params:"A304020101":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+x509_parse_rsassa_pss_params:"a304020101":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 RSASSA-PSS parameters ASN1 (trailerField wrong len #2)
-x509_parse_rsassa_pss_params:"A30402010100":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+x509_parse_rsassa_pss_params:"a30402010100":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
 X509 RSASSA-PSS parameters ASN1 (trailerField not an int)
-x509_parse_rsassa_pss_params:"A3023000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509_parse_rsassa_pss_params:"a3023000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 RSASSA-PSS parameters ASN1 (trailerField not 1)
-x509_parse_rsassa_pss_params:"A303020102":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG
+x509_parse_rsassa_pss_params:"a303020102":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG
 
 X509 CSR ASN.1 (OK)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
-mbedtls_x509_csr_parse:"308201183081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04010349003046022100B49FD8C8F77ABFA871908DFBE684A08A793D0F490A43D86FCF2086E4F24BB0C2022100F829D5CCD3742369299E6294394717C4B723A0F68B44E831B6E6C3BCABF97243":"CSR version   \: 1\nsubject name  \: C=NL, O=PolarSSL, CN=localhost\nsigned using  \: ECDSA with SHA1\nEC key size   \: 256 bits\n":0
+mbedtls_x509_csr_parse:"308201183081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e0300906072a8648ce3d04010349003046022100b49fd8c8f77abfa871908dfbe684a08a793d0f490a43d86fcf2086e4f24bb0c2022100f829d5ccd3742369299e6294394717c4b723a0f68b44e831b6e6c3bcabf97243":"CSR version   \: 1\nsubject name  \: C=NL, O=PolarSSL, CN=localhost\nsigned using  \: ECDSA with SHA1\nEC key size   \: 256 bits\n":0
 
 X509 CSR ASN.1 (bad first tag)
 mbedtls_x509_csr_parse:"3100":"":MBEDTLS_ERR_X509_INVALID_FORMAT
@@ -1704,63 +1724,63 @@ X509 CSR ASN.1 (bad CRI.Name payload: not a set)
 mbedtls_x509_csr_parse:"3009300702010030023000":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 CSR ASN.1 (bad CRI.Name payload: overlong)
-mbedtls_x509_csr_parse:"300A30080201003002310100":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse:"300a30080201003002310100":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 CSR ASN.1 (bad SubjectPublicKeyInfo: missing)
-mbedtls_x509_csr_parse:"30143012020100300D310B3009060355040613024E4C":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse:"30143012020100300d310b3009060355040613024e4c":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 CSR ASN.1 (bad SubjectPublicKeyInfo: not a sequence)
-mbedtls_x509_csr_parse:"30163014020100300D310B3009060355040613024E4C3100":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse:"30163014020100300d310b3009060355040613024e4c3100":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 CSR ASN.1 (bad SubjectPublicKeyInfo: overlong)
-mbedtls_x509_csr_parse:"30173014020100300D310B3009060355040613024E4C300100":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse:"30173014020100300d310b3009060355040613024e4c300100":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 CSR ASN.1 (bad attributes: missing)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_csr_parse:"3081973081940201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse:"3081973081940201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 CSR ASN.1 (bad attributes: bad tag)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_csr_parse:"3081993081960201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF0500":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse:"3081993081960201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff0500":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 CSR ASN.1 (bad attributes: overlong)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_csr_parse:"30819A3081960201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA00100":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse:"30819a3081960201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa00100":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 CSR ASN.1 (bad sigAlg: missing)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_csr_parse:"3081C23081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse:"3081c23081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e0":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 CSR ASN.1 (bad sigAlg: not a sequence)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_csr_parse:"3081C43081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E03100":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse:"3081c43081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e03100":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 CSR ASN.1 (bad sigAlg: overlong)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_csr_parse:"3081C43081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E03001":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse:"3081c43081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e03001":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 CSR ASN.1 (bad sigAlg: unknown)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_csr_parse:"3081CD3081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04FF":"":MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
+mbedtls_x509_csr_parse:"3081cd3081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e0300906072a8648ce3d04ff":"":MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
 
 X509 CSR ASN.1 (bad sig: missing)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
-mbedtls_x509_csr_parse:"3081CD3081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D0401":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse:"3081cd3081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e0300906072a8648ce3d0401":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 CSR ASN.1 (bad sig: not a bit string)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
-mbedtls_x509_csr_parse:"3081CF3081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04010400":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+mbedtls_x509_csr_parse:"3081cf3081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e0300906072a8648ce3d04010400":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
 
 X509 CSR ASN.1 (bad sig: overlong)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
-mbedtls_x509_csr_parse:"3081CF3081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04010301":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+mbedtls_x509_csr_parse:"3081cf3081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e0300906072a8648ce3d04010301":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 CSR ASN.1 (extra data after signature)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
-mbedtls_x509_csr_parse:"308201193081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04010349003046022100B49FD8C8F77ABFA871908DFBE684A08A793D0F490A43D86FCF2086E4F24BB0C2022100F829D5CCD3742369299E6294394717C4B723A0F68B44E831B6E6C3BCABF9724300":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+mbedtls_x509_csr_parse:"308201193081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e0300906072a8648ce3d04010349003046022100b49fd8c8f77abfa871908dfbe684a08a793d0f490a43d86fcf2086e4f24bb0c2022100f829d5ccd3742369299e6294394717c4b723a0f68b44e831b6e6c3bcabf9724300":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
 X509 CSR ASN.1 (invalid version overflow)
-mbedtls_x509_csr_parse:"3008300602047FFFFFFF":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
+mbedtls_x509_csr_parse:"3008300602047fffffff":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
 
 X509 File parse (no issues)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509parse.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509parse.function
index 06f0108280..584ee822b6 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509parse.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509parse.function
@@ -13,6 +13,15 @@ than the current threshold 19. To test larger values, please \
 adapt the script tests/data_files/dir-max/long.sh."
 #endif
 
+/* Test-only profile allowing all digests, PK algorithms, and curves. */
+const mbedtls_x509_crt_profile profile_all =
+{
+    0xFFFFFFFF, /* Any MD        */
+    0xFFFFFFFF, /* Any PK alg    */
+    0xFFFFFFFF, /* Any curve     */
+    1024,
+};
+
 /* Profile for backward compatibility. Allows SHA-1, unlike the default
    profile. */
 const mbedtls_x509_crt_profile compat_profile =
@@ -291,6 +300,8 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file,
         profile = &mbedtls_x509_crt_profile_suiteb;
     else if( strcmp( profile_str, "compat" ) == 0 )
         profile = &compat_profile;
+    else if( strcmp( profile_str, "all" ) == 0 )
+        profile = &profile_all;
     else
         TEST_ASSERT( "Unknown algorithm profile" == 0 );
 
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509write.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509write.data
index 5b54d85885..c196625037 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509write.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509write.data
@@ -1,78 +1,86 @@
 Certificate Request check Server1 SHA1
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0:0:0
 
 Certificate Request check Server1 SHA224
 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0:0:0
 
 Certificate Request check Server1 SHA256
 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0:0:0
 
 Certificate Request check Server1 SHA384
 depends_on:MBEDTLS_SHA512_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0:0:0
 
 Certificate Request check Server1 SHA512
 depends_on:MBEDTLS_SHA512_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0:0:0
 
 Certificate Request check Server1 MD4
 depends_on:MBEDTLS_MD4_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.md4":MBEDTLS_MD_MD4:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.md4":MBEDTLS_MD_MD4:0:0:0:0
 
 Certificate Request check Server1 MD5
 depends_on:MBEDTLS_MD5_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0:0:0
 
 Certificate Request check Server1 key_usage
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0
+
+Certificate Request check Server1 key_usage empty
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage_empty":MBEDTLS_MD_SHA1:0:1:0:0
 
 Certificate Request check Server1 ns_cert_type
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1
+
+Certificate Request check Server1 ns_cert_type empty
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type_empty":MBEDTLS_MD_SHA1:0:0:0:1
 
 Certificate Request check Server1 key_usage + ns_cert_type
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER
+x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1
 
 Certificate Request check Server5 ECDSA, key_usage
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:0
+x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0
 
 Certificate write check Server1 SHA1
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:-1:"data_files/server1.crt":0
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"data_files/server1.crt":0
 
 Certificate write check Server1 SHA1, key_usage
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:1:-1:"data_files/server1.key_usage.crt":0
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:1:-1:"data_files/server1.key_usage.crt":0
 
 Certificate write check Server1 SHA1, ns_cert_type
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:-1:"data_files/server1.cert_type.crt":0
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":0
 
 Certificate write check Server1 SHA1, version 1
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0
 
 Certificate write check Server1 SHA1, RSA_ALT
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:-1:"data_files/server1.noauthid.crt":1
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:0:-1:"data_files/server1.noauthid.crt":1
 
 Certificate write check Server1 SHA1, RSA_ALT, key_usage
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1
 
 Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:0:-1:"data_files/server1.cert_type_noauthid.crt":1
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1
 
 Certificate write check Server1 SHA1, RSA_ALT, version 1
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1
+x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1
 
 X509 String to Names #1
 mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark, Inc., OU=PolarSSL":0
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509write.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509write.function
index 62f82e8a05..aba23d4c91 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509write.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509write.function
@@ -35,8 +35,9 @@ size_t mbedtls_rsa_key_len_func( void *ctx )
  */
 
 /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */
-void x509_csr_check( char *key_file, char *cert_req_check_file,
-                     int md_type, int key_usage, int cert_type )
+void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type,
+                     int key_usage, int set_key_usage, int cert_type,
+                     int set_cert_type )
 {
     mbedtls_pk_context key;
     mbedtls_x509write_csr req;
@@ -58,9 +59,9 @@ void x509_csr_check( char *key_file, char *cert_req_check_file,
     mbedtls_x509write_csr_set_md_alg( &req, md_type );
     mbedtls_x509write_csr_set_key( &req, &key );
     TEST_ASSERT( mbedtls_x509write_csr_set_subject_name( &req, subject_name ) == 0 );
-    if( key_usage != 0 )
+    if( set_key_usage != 0 )
         TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 );
-    if( cert_type != 0 )
+    if( set_cert_type != 0 )
         TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 );
 
     ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ),
@@ -99,7 +100,8 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd,
                      char *subject_name, char *issuer_key_file,
                      char *issuer_pwd, char *issuer_name,
                      char *serial_str, char *not_before, char *not_after,
-                     int md_type, int key_usage, int cert_type, int auth_ident,
+                     int md_type, int key_usage, int set_key_usage,
+                     int cert_type, int set_cert_type, int auth_ident,
                      int ver, char *cert_check_file, int rsa_alt )
 {
     mbedtls_pk_context subject_key, issuer_key, issuer_key_alt;
@@ -167,9 +169,9 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd,
         TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 );
         if( auth_ident )
             TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 );
-        if( key_usage != 0 )
+        if( set_key_usage != 0 )
             TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 );
-        if( cert_type != 0 )
+        if( set_cert_type != 0 )
             TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 );
     }
 
diff --git a/3rdparty/mbedtls/mbedtls/visualc/VS2010/mbedTLS.sln b/3rdparty/mbedtls/mbedtls/visualc/VS2010/mbedTLS.sln
index 686091c7f7..89178cc2d5 100644
--- a/3rdparty/mbedtls/mbedtls/visualc/VS2010/mbedTLS.sln
+++ b/3rdparty/mbedtls/mbedtls/visualc/VS2010/mbedTLS.sln
@@ -183,11 +183,6 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gen_random_ctr_drbg", "gen_
 		{46CF2D25-6A36-4189-B59C-E4815388E554} = {46CF2D25-6A36-4189-B59C-E4815388E554}
 	EndProjectSection
 EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ssl_cert_test", "ssl_cert_test.vcxproj", "{3FE0C0E1-D9BA-6A26-380C-F293E543B914}"
-	ProjectSection(ProjectDependencies) = postProject
-		{46CF2D25-6A36-4189-B59C-E4815388E554} = {46CF2D25-6A36-4189-B59C-E4815388E554}
-	EndProjectSection
-EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "benchmark", "benchmark.vcxproj", "{90EFD9A4-C6B0-3EE8-1F06-0A0E0D55AEDA}"
 	ProjectSection(ProjectDependencies) = postProject
 		{46CF2D25-6A36-4189-B59C-E4815388E554} = {46CF2D25-6A36-4189-B59C-E4815388E554}
@@ -542,14 +537,6 @@ Global
 		{5FCC71F6-FF33-EBCF-FBA2-8FC783D5318E}.Release|Win32.Build.0 = Release|Win32
 		{5FCC71F6-FF33-EBCF-FBA2-8FC783D5318E}.Release|x64.ActiveCfg = Release|x64
 		{5FCC71F6-FF33-EBCF-FBA2-8FC783D5318E}.Release|x64.Build.0 = Release|x64
-		{3FE0C0E1-D9BA-6A26-380C-F293E543B914}.Debug|Win32.ActiveCfg = Debug|Win32
-		{3FE0C0E1-D9BA-6A26-380C-F293E543B914}.Debug|Win32.Build.0 = Debug|Win32
-		{3FE0C0E1-D9BA-6A26-380C-F293E543B914}.Debug|x64.ActiveCfg = Debug|x64
-		{3FE0C0E1-D9BA-6A26-380C-F293E543B914}.Debug|x64.Build.0 = Debug|x64
-		{3FE0C0E1-D9BA-6A26-380C-F293E543B914}.Release|Win32.ActiveCfg = Release|Win32
-		{3FE0C0E1-D9BA-6A26-380C-F293E543B914}.Release|Win32.Build.0 = Release|Win32
-		{3FE0C0E1-D9BA-6A26-380C-F293E543B914}.Release|x64.ActiveCfg = Release|x64
-		{3FE0C0E1-D9BA-6A26-380C-F293E543B914}.Release|x64.Build.0 = Release|x64
 		{90EFD9A4-C6B0-3EE8-1F06-0A0E0D55AEDA}.Debug|Win32.ActiveCfg = Debug|Win32
 		{90EFD9A4-C6B0-3EE8-1F06-0A0E0D55AEDA}.Debug|Win32.Build.0 = Debug|Win32
 		{90EFD9A4-C6B0-3EE8-1F06-0A0E0D55AEDA}.Debug|x64.ActiveCfg = Debug|x64
diff --git a/3rdparty/mbedtls/mbedtls/visualc/VS2010/ssl_cert_test.vcxproj b/3rdparty/mbedtls/mbedtls/visualc/VS2010/ssl_cert_test.vcxproj
deleted file mode 100644
index b8f014e367..0000000000
--- a/3rdparty/mbedtls/mbedtls/visualc/VS2010/ssl_cert_test.vcxproj
+++ /dev/null
@@ -1,174 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <ItemGroup Label="ProjectConfigurations">
-    <ProjectConfiguration Include="Debug|Win32">
-      <Configuration>Debug</Configuration>
-      <Platform>Win32</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Debug|x64">
-      <Configuration>Debug</Configuration>
-      <Platform>x64</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|Win32">
-      <Configuration>Release</Configuration>
-      <Platform>Win32</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|x64">
-      <Configuration>Release</Configuration>
-      <Platform>x64</Platform>
-    </ProjectConfiguration>
-  </ItemGroup>
-  <ItemGroup>
-    <ClCompile Include="..\..\programs\test\ssl_cert_test.c" />
-  </ItemGroup>
-  <ItemGroup>
-    <ProjectReference Include="mbedTLS.vcxproj">
-      <Project>{46cf2d25-6a36-4189-b59c-e4815388e554}</Project>
-      <LinkLibraryDependencies>true</LinkLibraryDependencies>
-    </ProjectReference>
-  </ItemGroup>
-  <PropertyGroup Label="Globals">
-    <ProjectGuid>{3FE0C0E1-D9BA-6A26-380C-F293E543B914}</ProjectGuid>
-    <Keyword>Win32Proj</Keyword>
-    <RootNamespace>ssl_cert_test</RootNamespace>
-  </PropertyGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <UseDebugLibraries>true</UseDebugLibraries>
-    <CharacterSet>Unicode</CharacterSet>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <UseDebugLibraries>true</UseDebugLibraries>
-    <CharacterSet>Unicode</CharacterSet>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <UseDebugLibraries>false</UseDebugLibraries>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
-    <CharacterSet>Unicode</CharacterSet>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <UseDebugLibraries>false</UseDebugLibraries>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
-    <CharacterSet>Unicode</CharacterSet>
-    <PlatformToolset>Windows7.1SDK</PlatformToolset>
-  </PropertyGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
-  <ImportGroup Label="ExtensionSettings">
-  </ImportGroup>
-  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <PropertyGroup Label="UserMacros" />
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <LinkIncremental>true</LinkIncremental>
-    <IntDir>$(Configuration)\$(TargetName)\</IntDir>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <LinkIncremental>true</LinkIncremental>
-    <IntDir>$(Configuration)\$(TargetName)\</IntDir>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <LinkIncremental>false</LinkIncremental>
-    <IntDir>$(Configuration)\$(TargetName)\</IntDir>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <LinkIncremental>false</LinkIncremental>
-    <IntDir>$(Configuration)\$(TargetName)\</IntDir>
-  </PropertyGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <ClCompile>
-      <PrecompiledHeader>
-      </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
-      <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
-    </ClCompile>
-    <Link>
-      <SubSystem>Console</SubSystem>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-      <ShowProgress>NotSet</ShowProgress>
-      <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
-      <AdditionalLibraryDirectories>Debug</AdditionalLibraryDirectories>
-    </Link>
-    <ProjectReference>
-      <LinkLibraryDependencies>false</LinkLibraryDependencies>
-    </ProjectReference>
-  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <ClCompile>
-      <PrecompiledHeader>
-      </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
-      <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
-    </ClCompile>
-    <Link>
-      <SubSystem>Console</SubSystem>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-      <ShowProgress>NotSet</ShowProgress>
-      <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
-      <AdditionalLibraryDirectories>Debug</AdditionalLibraryDirectories>
-    </Link>
-    <ProjectReference>
-      <LinkLibraryDependencies>false</LinkLibraryDependencies>
-    </ProjectReference>
-  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
-      <PrecompiledHeader>
-      </PrecompiledHeader>
-      <Optimization>MaxSpeed</Optimization>
-      <FunctionLevelLinking>true</FunctionLevelLinking>
-      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
-    </ClCompile>
-    <Link>
-      <SubSystem>Console</SubSystem>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-      <EnableCOMDATFolding>true</EnableCOMDATFolding>
-      <OptimizeReferences>true</OptimizeReferences>
-      <AdditionalLibraryDirectories>Release</AdditionalLibraryDirectories>
-      <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
-    </Link>
-  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
-      <PrecompiledHeader>
-      </PrecompiledHeader>
-      <Optimization>MaxSpeed</Optimization>
-      <FunctionLevelLinking>true</FunctionLevelLinking>
-      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
-    </ClCompile>
-    <Link>
-      <SubSystem>Console</SubSystem>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-      <EnableCOMDATFolding>true</EnableCOMDATFolding>
-      <OptimizeReferences>true</OptimizeReferences>
-      <AdditionalLibraryDirectories>Release</AdditionalLibraryDirectories>
-      <AdditionalDependencies>%(AdditionalDependencies);</AdditionalDependencies>
-    </Link>
-  </ItemDefinitionGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
-  <ImportGroup Label="ExtensionTargets">
-  </ImportGroup>
-</Project>

From ac71ba6b49546330fdebff41f76d4860d81599ef Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Fri, 13 Sep 2019 02:24:30 +0000
Subject: [PATCH 009/420] Integrate mbedTLS v2.7.11 into OE SDK

- Update CHANGELOG.md to reflect move to mbedTLS v2.7.11.
- Update mbedtls/update.make to move to mbedTLS v2.7.11.
- Patch mbedtls/library/x509write_crt.c to support attested TLS.
    - Add patch file of required changes for future updates.
    - Update .check-license.ignore to ignore .patch files.
- Add README.md for 3rdparty/mbedtls folder to document modifications to
  mbedtls for enclaves.
---
 ...atch-x509write_crt.c-for-attestedTLS.patch | 264 ++++++++++++++++++
 3rdparty/mbedtls/README.md                    |  21 ++
 .../mbedtls/mbedtls/library/x509write_crt.c   | 143 ++++++----
 3rdparty/mbedtls/update.make                  |   2 +-
 CHANGELOG.md                                  |   1 +
 scripts/.check-license.ignore                 |   1 +
 6 files changed, 377 insertions(+), 55 deletions(-)
 create mode 100644 3rdparty/mbedtls/0001-Patch-x509write_crt.c-for-attestedTLS.patch
 create mode 100644 3rdparty/mbedtls/README.md

diff --git a/3rdparty/mbedtls/0001-Patch-x509write_crt.c-for-attestedTLS.patch b/3rdparty/mbedtls/0001-Patch-x509write_crt.c-for-attestedTLS.patch
new file mode 100644
index 0000000000..6bf2af9a97
--- /dev/null
+++ b/3rdparty/mbedtls/0001-Patch-x509write_crt.c-for-attestedTLS.patch
@@ -0,0 +1,264 @@
+From cede0947eb335c4f2d425fa113adbf093efe8f6b Mon Sep 17 00:00:00 2001
+From: Simon Leet <simon.leet@microsoft.com>
+Date: Fri, 13 Sep 2019 01:20:45 +0000
+Subject: [PATCH] Patch x509write_crt.c for attestedTLS
+
+---
+ .../mbedtls/mbedtls/library/x509write_crt.c   | 143 +++++++++++-------
+ 1 file changed, 89 insertions(+), 54 deletions(-)
+
+diff --git a/3rdparty/mbedtls/mbedtls/library/x509write_crt.c b/3rdparty/mbedtls/mbedtls/library/x509write_crt.c
+index 41dfe87b7..de7bf0c70 100644
+--- a/3rdparty/mbedtls/mbedtls/library/x509write_crt.c
++++ b/3rdparty/mbedtls/mbedtls/library/x509write_crt.c
+@@ -298,9 +298,10 @@ static int x509_write_time( unsigned char **p, unsigned char *start,
+     return( (int) len );
+ }
+
+-int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
+-                       int (*f_rng)(void *, unsigned char *, size_t),
+-                       void *p_rng )
++int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
++                               unsigned char *buf, size_t size,
++                               int (*f_rng)(void *, unsigned char *, size_t),
++                               void *p_rng )
+ {
+     int ret;
+     const char *sig_oid;
+@@ -308,15 +309,14 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
+     unsigned char *c, *c2;
+     unsigned char hash[64];
+     unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
+-    unsigned char tmp_buf[2048];
+     size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
+     size_t len = 0;
+     mbedtls_pk_type_t pk_alg;
+
+     /*
+-     * Prepare data to be signed in tmp_buf
++     * Prepare data to be signed at the end of the target buffer
+      */
+-    c = tmp_buf + sizeof( tmp_buf );
++    c = buf + size;
+
+     /* Signature algorithm needed in TBS, and later for actual signature */
+
+@@ -342,27 +342,36 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
+     /* Only for v3 */
+     if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 )
+     {
+-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
+-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+-                                                           MBEDTLS_ASN1_SEQUENCE ) );
+-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+-                                                           MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
++        MBEDTLS_ASN1_CHK_ADD( len,
++                              mbedtls_x509_write_extensions( &c,
++                                                      buf, ctx->extensions ) );
++        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
++        MBEDTLS_ASN1_CHK_ADD( len,
++                              mbedtls_asn1_write_tag( &c, buf,
++                                                      MBEDTLS_ASN1_CONSTRUCTED |
++                                                      MBEDTLS_ASN1_SEQUENCE ) );
++        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
++        MBEDTLS_ASN1_CHK_ADD( len,
++                              mbedtls_asn1_write_tag( &c, buf,
++                                               MBEDTLS_ASN1_CONTEXT_SPECIFIC |
++                                               MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
+     }
+
+     /*
+      *  SubjectPublicKeyInfo
+      */
+-    MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->subject_key,
+-                                                tmp_buf, c - tmp_buf ) );
++    MBEDTLS_ASN1_CHK_ADD( pub_len,
++                          mbedtls_pk_write_pubkey_der( ctx->subject_key,
++                                                       buf, c - buf ) );
+     c -= pub_len;
+     len += pub_len;
+
+     /*
+      *  Subject  ::=  Name
+      */
+-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
++    MBEDTLS_ASN1_CHK_ADD( len,
++                          mbedtls_x509_write_names( &c, buf,
++                                                    ctx->subject ) );
+
+     /*
+      *  Validity ::= SEQUENCE {
+@@ -371,32 +380,39 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
+      */
+     sub_len = 0;
+
+-    MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after,
+-                                            MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
++    MBEDTLS_ASN1_CHK_ADD( sub_len,
++                          x509_write_time( &c, buf, ctx->not_after,
++                                        MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
+
+-    MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before,
+-                                            MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
++    MBEDTLS_ASN1_CHK_ADD( sub_len,
++                          x509_write_time( &c, buf, ctx->not_before,
++                                        MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
+
+     len += sub_len;
+-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
+-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+-                                                    MBEDTLS_ASN1_SEQUENCE ) );
++    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, sub_len ) );
++    MBEDTLS_ASN1_CHK_ADD( len,
++                          mbedtls_asn1_write_tag( &c, buf,
++                                                  MBEDTLS_ASN1_CONSTRUCTED |
++                                                  MBEDTLS_ASN1_SEQUENCE ) );
+
+     /*
+      *  Issuer  ::=  Name
+      */
+-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->issuer ) );
++    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, buf,
++                                                         ctx->issuer ) );
+
+     /*
+      *  Signature   ::=  AlgorithmIdentifier
+      */
+-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, tmp_buf,
+-                       sig_oid, strlen( sig_oid ), 0 ) );
++    MBEDTLS_ASN1_CHK_ADD( len,
++                          mbedtls_asn1_write_algorithm_identifier( &c, buf,
++                                              sig_oid, strlen( sig_oid ), 0 ) );
+
+     /*
+      *  Serial   ::=  INTEGER
+      */
+-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, tmp_buf, &ctx->serial ) );
++    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, buf,
++                                                       &ctx->serial ) );
+
+     /*
+      *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+@@ -406,48 +422,67 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
+     if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 )
+     {
+         sub_len = 0;
+-        MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
++        MBEDTLS_ASN1_CHK_ADD( sub_len,
++                              mbedtls_asn1_write_int( &c, buf, ctx->version ) );
+         len += sub_len;
+-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
+-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+-                                                           MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
++        MBEDTLS_ASN1_CHK_ADD( len,
++                              mbedtls_asn1_write_len( &c, buf, sub_len ) );
++        MBEDTLS_ASN1_CHK_ADD( len,
++                              mbedtls_asn1_write_tag( &c, buf,
++                                               MBEDTLS_ASN1_CONTEXT_SPECIFIC |
++                                               MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
+     }
+
+-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+-                                                       MBEDTLS_ASN1_SEQUENCE ) );
++    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
++    MBEDTLS_ASN1_CHK_ADD( len,
++                mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
++                                                     MBEDTLS_ASN1_SEQUENCE ) );
+
+     /*
+      * Make signature
+      */
++
++    /* Compute hash of CRT. */
+     if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c,
+                             len, hash ) ) != 0 )
+     {
+         return( ret );
+     }
+
+-    if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len,
+-                         f_rng, p_rng ) ) != 0 )
++    if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg,
++                                 hash, 0, sig, &sig_len,
++                                 f_rng, p_rng ) ) != 0 )
+     {
+         return( ret );
+     }
+
+-    /*
+-     * Write data to output buffer
+-     */
++    /* Move CRT to the front of the buffer to have space
++     * for the signature. */
++    memmove( buf, c, len );
++    c = buf + len;
++
++    /* Add signature at the end of the buffer,
++     * making sure that it doesn't underflow
++     * into the CRT buffer. */
+     c2 = buf + size;
+-    MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
++    MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, c,
+                                         sig_oid, sig_oid_len, sig, sig_len ) );
+
+-    if( len > (size_t)( c2 - buf ) )
+-        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
++    /*
++     * Memory layout after this step:
++     *
++     * buf       c=buf+len                c2            buf+size
++     * [CRT0,...,CRTn, UNUSED, ..., UNUSED, SIG0, ..., SIGm]
++     */
+
+-    c2 -= len;
+-    memcpy( c2, c, len );
++    /* Move raw CRT to just before the signature. */
++    c = c2 - len;
++    memmove( c, buf, len );
+
+     len += sig_and_oid_len;
+-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
+-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
++    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
++    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf,
++                                                 MBEDTLS_ASN1_CONSTRUCTED |
+                                                  MBEDTLS_ASN1_SEQUENCE ) );
+
+     return( (int) len );
+@@ -457,23 +492,23 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
+ #define PEM_END_CRT             "-----END CERTIFICATE-----\n"
+
+ #if defined(MBEDTLS_PEM_WRITE_C)
+-int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt, unsigned char *buf, size_t size,
+-                       int (*f_rng)(void *, unsigned char *, size_t),
+-                       void *p_rng )
++int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt,
++                               unsigned char *buf, size_t size,
++                               int (*f_rng)(void *, unsigned char *, size_t),
++                               void *p_rng )
+ {
+     int ret;
+-    unsigned char output_buf[4096];
+-    size_t olen = 0;
++    size_t olen;
+
+-    if( ( ret = mbedtls_x509write_crt_der( crt, output_buf, sizeof(output_buf),
++    if( ( ret = mbedtls_x509write_crt_der( crt, buf, size,
+                                    f_rng, p_rng ) ) < 0 )
+     {
+         return( ret );
+     }
+
+     if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CRT, PEM_END_CRT,
+-                                  output_buf + sizeof(output_buf) - ret,
+-                                  ret, buf, size, &olen ) ) != 0 )
++                                          buf + size - ret, ret,
++                                          buf, size, &olen ) ) != 0 )
+     {
+         return( ret );
+     }
+--
+2.17.1
diff --git a/3rdparty/mbedtls/README.md b/3rdparty/mbedtls/README.md
new file mode 100644
index 0000000000..659a570819
--- /dev/null
+++ b/3rdparty/mbedtls/README.md
@@ -0,0 +1,21 @@
+mbedTLS:
+========
+
+This directory contains the **mbedTLS** crypto library for enclaves.
+The `./mbedtls` subdirectory contains a clone of the sources downloaded
+from https://tls.mbed.org/download-archive.
+
+The version of mbedTLS currently in use is reflected in `update.make`.
+
+The enclave version of mbedTLS builds the cloned sources with the following
+changes:
+
+- It uses a custom, scoped-down `config.h` defined in this folder.
+
+- It compiles in `mbedtls_hardware_poll.c` extension to provide the custom
+  entropy implementation mbedTLS libraries to avoid a circular dependency
+  with the Open Enclave core runtime.
+
+- It patches `mbedtls/library/x509write_crt.c` with
+  `0001-Patch-x509write_crt.c-for-attestedTLS.patch` to add support for writing
+  certificates that support using TLS with enclave attestation for auth.
diff --git a/3rdparty/mbedtls/mbedtls/library/x509write_crt.c b/3rdparty/mbedtls/mbedtls/library/x509write_crt.c
index 4cdb941a10..64b3d2c2fb 100644
--- a/3rdparty/mbedtls/mbedtls/library/x509write_crt.c
+++ b/3rdparty/mbedtls/mbedtls/library/x509write_crt.c
@@ -329,9 +329,10 @@ static int x509_write_time( unsigned char **p, unsigned char *start,
     return( (int) len );
 }
 
-int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
-                       int (*f_rng)(void *, unsigned char *, size_t),
-                       void *p_rng )
+int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
+                               unsigned char *buf, size_t size,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng )
 {
     int ret;
     const char *sig_oid;
@@ -339,15 +340,14 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
     unsigned char *c, *c2;
     unsigned char hash[64];
     unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
-    unsigned char tmp_buf[2048];
     size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
     size_t len = 0;
     mbedtls_pk_type_t pk_alg;
 
     /*
-     * Prepare data to be signed in tmp_buf
+     * Prepare data to be signed at the end of the target buffer
      */
-    c = tmp_buf + sizeof( tmp_buf );
+    c = buf + size;
 
     /* Signature algorithm needed in TBS, and later for actual signature */
 
@@ -373,27 +373,36 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
     /* Only for v3 */
     if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 )
     {
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
-                                                           MBEDTLS_ASN1_SEQUENCE ) );
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
-                                                           MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
+        MBEDTLS_ASN1_CHK_ADD( len,
+                              mbedtls_x509_write_extensions( &c,
+                                                      buf, ctx->extensions ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len,
+                              mbedtls_asn1_write_tag( &c, buf,
+                                                      MBEDTLS_ASN1_CONSTRUCTED |
+                                                      MBEDTLS_ASN1_SEQUENCE ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len,
+                              mbedtls_asn1_write_tag( &c, buf,
+                                               MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+                                               MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
     }
 
     /*
      *  SubjectPublicKeyInfo
      */
-    MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->subject_key,
-                                                tmp_buf, c - tmp_buf ) );
+    MBEDTLS_ASN1_CHK_ADD( pub_len,
+                          mbedtls_pk_write_pubkey_der( ctx->subject_key,
+                                                       buf, c - buf ) );
     c -= pub_len;
     len += pub_len;
 
     /*
      *  Subject  ::=  Name
      */
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
+    MBEDTLS_ASN1_CHK_ADD( len,
+                          mbedtls_x509_write_names( &c, buf,
+                                                    ctx->subject ) );
 
     /*
      *  Validity ::= SEQUENCE {
@@ -402,32 +411,39 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
      */
     sub_len = 0;
 
-    MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after,
-                                            MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
+    MBEDTLS_ASN1_CHK_ADD( sub_len,
+                          x509_write_time( &c, buf, ctx->not_after,
+                                        MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
 
-    MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before,
-                                            MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
+    MBEDTLS_ASN1_CHK_ADD( sub_len,
+                          x509_write_time( &c, buf, ctx->not_before,
+                                        MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
 
     len += sub_len;
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
-                                                    MBEDTLS_ASN1_SEQUENCE ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, sub_len ) );
+    MBEDTLS_ASN1_CHK_ADD( len,
+                          mbedtls_asn1_write_tag( &c, buf,
+                                                  MBEDTLS_ASN1_CONSTRUCTED |
+                                                  MBEDTLS_ASN1_SEQUENCE ) );
 
     /*
      *  Issuer  ::=  Name
      */
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->issuer ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, buf,
+                                                         ctx->issuer ) );
 
     /*
      *  Signature   ::=  AlgorithmIdentifier
      */
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, tmp_buf,
-                       sig_oid, strlen( sig_oid ), 0 ) );
+    MBEDTLS_ASN1_CHK_ADD( len,
+                          mbedtls_asn1_write_algorithm_identifier( &c, buf,
+                                              sig_oid, strlen( sig_oid ), 0 ) );
 
     /*
      *  Serial   ::=  INTEGER
      */
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, tmp_buf, &ctx->serial ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, buf,
+                                                       &ctx->serial ) );
 
     /*
      *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
@@ -437,48 +453,67 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
     if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 )
     {
         sub_len = 0;
-        MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
+        MBEDTLS_ASN1_CHK_ADD( sub_len,
+                              mbedtls_asn1_write_int( &c, buf, ctx->version ) );
         len += sub_len;
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
-                                                           MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
+        MBEDTLS_ASN1_CHK_ADD( len,
+                              mbedtls_asn1_write_len( &c, buf, sub_len ) );
+        MBEDTLS_ASN1_CHK_ADD( len,
+                              mbedtls_asn1_write_tag( &c, buf,
+                                               MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+                                               MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
     }
 
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
-                                                       MBEDTLS_ASN1_SEQUENCE ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len,
+                mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                     MBEDTLS_ASN1_SEQUENCE ) );
 
     /*
      * Make signature
      */
+
+    /* Compute hash of CRT. */
     if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c,
                             len, hash ) ) != 0 )
     {
         return( ret );
     }
 
-    if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len,
-                         f_rng, p_rng ) ) != 0 )
+    if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg,
+                                 hash, 0, sig, &sig_len,
+                                 f_rng, p_rng ) ) != 0 )
     {
         return( ret );
     }
 
-    /*
-     * Write data to output buffer
-     */
+    /* Move CRT to the front of the buffer to have space
+     * for the signature. */
+    memmove( buf, c, len );
+    c = buf + len;
+
+    /* Add signature at the end of the buffer,
+     * making sure that it doesn't underflow
+     * into the CRT buffer. */
     c2 = buf + size;
-    MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
+    MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, c,
                                         sig_oid, sig_oid_len, sig, sig_len ) );
 
-    if( len > (size_t)( c2 - buf ) )
-        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+    /*
+     * Memory layout after this step:
+     *
+     * buf       c=buf+len                c2            buf+size
+     * [CRT0,...,CRTn, UNUSED, ..., UNUSED, SIG0, ..., SIGm]
+     */
 
-    c2 -= len;
-    memcpy( c2, c, len );
+    /* Move raw CRT to just before the signature. */
+    c = c2 - len;
+    memmove( c, buf, len );
 
     len += sig_and_oid_len;
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf,
+                                                 MBEDTLS_ASN1_CONSTRUCTED |
                                                  MBEDTLS_ASN1_SEQUENCE ) );
 
     return( (int) len );
@@ -488,23 +523,23 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
 #define PEM_END_CRT             "-----END CERTIFICATE-----\n"
 
 #if defined(MBEDTLS_PEM_WRITE_C)
-int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt, unsigned char *buf, size_t size,
-                       int (*f_rng)(void *, unsigned char *, size_t),
-                       void *p_rng )
+int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt,
+                               unsigned char *buf, size_t size,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng )
 {
     int ret;
-    unsigned char output_buf[4096];
-    size_t olen = 0;
+    size_t olen;
 
-    if( ( ret = mbedtls_x509write_crt_der( crt, output_buf, sizeof(output_buf),
+    if( ( ret = mbedtls_x509write_crt_der( crt, buf, size,
                                    f_rng, p_rng ) ) < 0 )
     {
         return( ret );
     }
 
     if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CRT, PEM_END_CRT,
-                                  output_buf + sizeof(output_buf) - ret,
-                                  ret, buf, size, &olen ) ) != 0 )
+                                          buf + size - ret, ret,
+                                          buf, size, &olen ) ) != 0 )
     {
         return( ret );
     }
diff --git a/3rdparty/mbedtls/update.make b/3rdparty/mbedtls/update.make
index bdd96f6892..4b5c353837 100755
--- a/3rdparty/mbedtls/update.make
+++ b/3rdparty/mbedtls/update.make
@@ -4,7 +4,7 @@
 # Licensed under the MIT License.
 
 # mbedTLS library definitions
-VERSION=2.7.9
+VERSION=2.7.11
 BASE=mbedtls-$(VERSION)
 PKG=$(BASE)-apache.tgz
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 99abbf50e9..2e7adaa0ce 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Transferred repository from [microsoft/openenclave](https://github.com/microsoft/openenclave) to [openenclave/openenclave](https://github.com/openenclave/openenclave).
 - Change debugging contract for oegdb. Enclaves and hosts built prior to this release cannot be debugged with this version of oegdb and vice versa.
 - Update LLVM libcxx to version 8.0.0.
+- Update mbedTLS to version 2.7.11.
 
 [v0.6.0] - 2019-06-29
 ---------------------
diff --git a/scripts/.check-license.ignore b/scripts/.check-license.ignore
index 4edcbbb6a4..90623840c7 100644
--- a/scripts/.check-license.ignore
+++ b/scripts/.check-license.ignore
@@ -6,6 +6,7 @@
 .*\.html$
 .*\.json$
 .*\.md$
+.*\.patch$
 .*\.pdf$
 .*\.pem$
 .*\.png$

From bbbb68aea20befdd8e152b58648429c17e2a4526 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Mon, 26 Aug 2019 11:03:00 -0700
Subject: [PATCH 010/420] Update docs for Windows

Consistent formatting

More formatting

Add todo: Provide link for 2.2 PSW install

Address comments and remove instructions for SGX1 without FLC

Remove Windows Server 2016

More cleanup

More cleanup

Change prereqs to include VS build tools instead or VS itself

Specify workload while installing build tools

Fix typo

Address comments

Fix docs

Fix docs

Fix PSW 2.3 to 2.4

Add issue #for EnclaveCommonAPI

Add SGX1 documents

Add SGX1 documentation
---
 .../libcxx/libcxx/utils/libcxx/test/config.py |   2 +-
 .../Contributors/SGX1FLCGettingStarted.md     |   7 +-
 .../Contributors/SGX1GettingStarted.md        |   4 +-
 .../Contributors/SimulatorGettingStarted.md   |   6 +-
 .../WindowsManualInstallPrereqs.md            |  83 +++++++++++
 .../WindowsManualSGX1FLCDCAPPrereqs.md        |  53 +++++++
 .../Contributors/WindowsManualSGX1Prereqs.md  |  25 ++++
 .../WindowsSGX1FLCGettingStarted.md           | 131 ++++++++++++++++++
 .../Contributors/WindowsSGX1GettingStarted.md | 118 ++++++++++++++++
 .../Contributors/building_oe_sdk.md           |  18 +--
 scripts/test-build-config                     |  14 +-
 11 files changed, 437 insertions(+), 24 deletions(-)
 create mode 100644 docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
 create mode 100644 docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
 create mode 100644 docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
 create mode 100644 docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
 create mode 100644 docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md

diff --git a/3rdparty/libcxx/libcxx/utils/libcxx/test/config.py b/3rdparty/libcxx/libcxx/utils/libcxx/test/config.py
index 1aa52ddbbd..228af73d49 100644
--- a/3rdparty/libcxx/libcxx/utils/libcxx/test/config.py
+++ b/3rdparty/libcxx/libcxx/utils/libcxx/test/config.py
@@ -420,7 +420,7 @@ def configure_features(self):
         # Insert the platform name into the available features as a lower case.
         self.config.available_features.add(target_platform)
 
-        # Simulator testing can take a really long time for some of these tests
+        # Simulation mode testing can take a really long time for some of these tests
         # so add a feature check so we can REQUIRES: long_tests in them
         self.long_tests = self.get_lit_bool('long_tests')
         if self.long_tests is None:
diff --git a/docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md
index 16cc2b870e..cb13e60161 100644
--- a/docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md
@@ -59,9 +59,6 @@ or
 cmake -G "Ninja" ..
 ninja
 ```
-
-Open Enclave will support attestation workflows outside of Azure using DCAP in an upcoming release.
-
 Refer to the [Advanced Build Information](AdvancedBuildInfo.md) documentation for further information.
 
 ## Run unittests
@@ -96,9 +93,9 @@ Test project /home/youradminusername/openenclave/build
 100% tests passed, 0 tests failed out of 123
 
 Total Test time (real) =  83.61 sec
-```
+```A clean pass of the above unit tests is an indication that your Open Enclave setup was successful.
 
-A clean pass of the above unitests run is an indication that your Open Enclave setup was successful. You can start playing with the Open Enclave samples after following the instructions in the "Install" section below to configure samples for building,
+You can start playing with the Open Enclave samples after following the instructions in the "Install" section below to configure samples for building,
 
 For more information refer to the [Advanced Test Info](AdvancedTestInfo.md) document.
 
diff --git a/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
index 82a08909b4..abba31fa7b 100644
--- a/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
@@ -102,7 +102,9 @@ Test project /home/youradminusername/openenclave/build
 Total Test time (real) =  83.61 sec
 ```
 
-A clean pass of the above unitests run is an indication that your Open Enclave setup was successful. You can start playing with the Open Enclave samples after following the instructions in the "Install" section below to configure samples for building,
+A clean pass of the above unitests run is an indication that your Open Enclave setup was successful.
+
+You can start playing with the Open Enclave samples after following the instructions in the "Install" section below to configure samples for building,
 
 For more information refer to the [Advanced Test Info](AdvancedTestInfo.md) document.
 
diff --git a/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md b/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md
index dedf6ec797..01dd367ee5 100644
--- a/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md
@@ -1,4 +1,4 @@
-# Getting Started with Open Enclave in Simulator mode
+# Getting Started with Open Enclave in Simulation mode
 
 ## Platform requirement
 
@@ -98,7 +98,9 @@ Errors while running CTest
 
 Some of the tests are skipped (Not Run) by design because the current simulator is not fully featured yet.
 
-A clean pass of the above unitests run is an indication that your Open Enclave setup was successful. You can start playing with those Open Enclave samples after following the instructions in the "Install" section below to configure samples for building,
+A clean pass of the above unit tests is an indication that your Open Enclave setup was successful.
+
+You can start playing with those Open Enclave samples after following the instructions in the "Install" section below to configure samples for building,
 
 For more information refer to the [Advanced Test Info](AdvancedTestInfo.md) document.
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
new file mode 100644
index 0000000000..02380313a1
--- /dev/null
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
@@ -0,0 +1,83 @@
+
+# Manually Installing Open Enclave Prerequisites for Windows on a System which supports SGX
+
+## Platform requirements
+- A system with support for SGX1 or SGX1 with Flexible Launch Control (FLC).
+ Note: To check if your system has support for SGX1 with or without FLC, please look [here](../SGXSupportLevel.md).
+ 
+- A version of Windows OS with native support for SGX features:
+   - For server: Windows Server 2016
+   - For client: Windows 10 64-bit version 1709 or newer
+   - To check your Windows version, run `winver` on the command line.
+
+## Software prerequisites
+- [Microsoft Visual Studio Build Tools 2017](https://aka.ms/vs/15/release/vs_buildtools.exe)
+- [Git for Windows 64-bit](https://git-scm.com/download/win)
+- [OCaml for Windows 64-bit](https://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/20160113/)
+- [Clang/LLVM for Windows 64-bit](http://releases.llvm.org/7.0.1/LLVM-7.0.1-win64.exe)
+
+## Prerequisites specific to SGX support on your system
+- For systems with support for SGX1  - [Intel's PSW 2.2](WindowsManualSGX1Prereqs.md)
+- For systems with support for SGX1 + FLC - 
+ [Intel's PSW 2.4, Intel's Data Center Attestation primitives and related dependencies](WindowsManualSGX1FLCDCAPPrereqs.md)
+
+## Microsoft Visual Studio Build Tools 2017
+
+Install [Visual Studio Build Tools 2017](https://aka.ms/vs/15/release/vs_buildtools.exe). Choose the "Visual C++ build tools" workload.
+Visual Studio Build Tools 2017's CMake support (ver 3.12 or above) is required for building the Open Enclave SDK.
+Note that cmake in Visual Studio 2019 is not fully supported yet.
+For more information about cmake support, refer to
+https://blogs.msdn.microsoft.com/vcblog/2016/10/05/cmake-support-in-visual-studio/
+
+## Git for Windows 64-bit
+
+Install Git and add Git's bash to the path.
+Typically, Git's bash is located in C:\Program Files\Git\bin.
+Currently the Open Enclave SDK build system uses bash scripts to configure
+and build Linux-based 3rd-party libraries.
+
+Open a command prompt and ensure that bash is available in the path:
+```cmd
+C:\>where bash
+C:\Program Files\Git\bin\bash.exe
+```
+
+Tools available in the Git bash environment are also used for test and sample
+builds. For example, OpenSSL is used to generate test certificates, so it is
+also useful to have the `Git\mingw64\bin` folder pathed. This can be checked
+from the command prompt as well:
+
+```cmd
+C:\>where openssl
+C:\Program Files\Git\mingw64\bin\openssl.exe
+```
+
+## Clang
+
+Install Clang 7.0.1 and add the LLVM folder (typically C:\Program Files\LLVM\bin)
+to the path. Open Enclave SDK uses clang to build the enclave binaries.
+
+Open up a command prompt and ensure that clang is available in the path:
+```cmd
+C:\> where clang
+C:\Program Files\LLVM\bin\clang.exe
+C:\> where llvm-ar
+C:\Program Files\LLVM\bin\llvm-ar.exe
+C:\> where ld.lld
+C:\Program Files\LLVM\bin\ld.lld.exe
+```
+
+## OCaml
+
+Install [OCaml for Windows (64-bit)](https://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/20160113/).
+Please download and install the [mingw64 exe for OCaml](https://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/20160113/ocpwin64-20160113-4.02.1+ocp1-mingw64.exe).
+
+[Alternate OCaml Web-site](https://fdopen.github.io/opam-repository-mingw/installation/)
+
+OCaml is used to build the oeedger8r tool as part of the OE SDK.
+
+Open up a command prompt and ensure that ocaml is available in the path:
+```cmd
+C:\> where ocaml
+C:\Program Files\ocpwin64\4.02.1+ocp1-msvc64-20160113\bin\ocaml.exe
+```
\ No newline at end of file
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
new file mode 100644
index 0000000000..7513ca86f7
--- /dev/null
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
@@ -0,0 +1,53 @@
+# SGX1 with Flexible Launch Control (FLC) Prerequisites on Windows
+
+## [Intel Platform Software for Windows (PSW) v2.4](http://registrationcenter-download.intel.com/akdlm/irc_nas/15654/Intel%20SGX%20PSW%20for%20Windows%20v2.4.100.51291.exe)
+
+After unpacking the self-extracting ZIP executable, install the *PSW_EXE_RS2_and_before* version:
+```cmd
+C:\Intel SGX PSW for Windows v2.4.100.51291\PSW_EXE_RS2_and_before\Intel(R)_SGX_Windows_x64_PSW_2.4.100.51291.exe"
+```
+
+## [Azure DCAP client for Windows](https://github.com/Microsoft/Azure-DCAP-Client/tree/master/src/Windows) [optional]
+
+Note that this is optional since you can choose an alternate implementation of the DCAP client or create your own.
+The Azure DCAP client for Windows is necessary if you would like to perform enclave attestation on a Azure Confidential Computing VM. it is available from [nuget.org](https://www.nuget.org/packages/Azure.DCAP.Windows/) and can be installed directly via:
+
+```cmd
+nuget.exe install Azure.DCAP.Windows -ExcludeVersion -Version 0.0.2 -OutputDirectory C:\openenclave\prereqs\nuget
+```
+
+##### [Intel Data Center Attestation Primitives (DCAP) Libraries v1.2](http://registrationcenter-download.intel.com/akdlm/irc_nas/15650/Intel%20SGX%20DCAP%20for%20Windows%20v1.2.100.49925.exe)
+After unpacking the self-extracting ZIP executable, you can refer to the *Intel SGX DCAP Windows SW Installation Guide.pdf*
+for more details on how to install the contents of the package.
+
+The following summary will assume that the contents were extracted to `C:\Intel SGX DCAP for Windows v1.2.100.49925`:
+
+1. Unzip the required drivers from the extracted subfolders:
+    - `LC_driver_WinServer2016\Signed_1152921504628095185.zip`
+    - `DCAP_INF\WinServer2016\Signed_1152921504628099289.zip`
+
+   The following instructions will assume that these have been unzipped into the `LC_driver` and `DCAP_INF` folders respectively.
+
+2. Allow the SGX Launch Configuration driver (LC_driver) to run:
+    - From an elevated command prompt:
+      ```cmd
+      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sgx_lc_msr\Parameters /v "SGX_Launch_Config_Optin" /t REG_DWORD /d 1
+      reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sgx_lc_msr\Parameters /v "SGX_Launch_Config_Optin"
+      ```
+    - If the driver is already installed and running, the machine will need to be rebooted for the change to take effect.
+
+3. Install the drivers:
+    - `devcon.exe` from the [Windows Driver Kit for Windows 10](https://go.microsoft.com/fwlink/?linkid=2026156)
+      can be used to install the drivers from an elevated command prompt:
+      ```cmd
+      devcon.exe install LC_driver\drivers\b361e4d8-bc01-43fc-b8a6-8d101e659ed1\sgx_base_dev.inf root\SgxLCDevice
+      devcon.exe install DCAP_INF\drivers\226fdf07-49d3-46aa-a0ce-f21b6d4a05cf\sgx_dcap_dev.inf root\SgxLCDevice_DCAP
+      ```
+    - Note that `devcon.exe` is usually installed to `C:\Program Files (x86)\Windows Kits\10\tools\x64` which is not in the PATH environment variable by default.
+4. Install the DCAP nuget packages:
+    - The standalone `nuget.exe` [CLI tool](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) can be used to do this from the command prompt:
+      ```cmd
+      nuget.exe install DCAP_Components -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory C\openenclave\prereqs\nuget
+      nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory C:\openenclave\prereqs\nuget
+      ```
+    - *Note:* EnclaveCommonAPI should be installed as the *very last* nuget package as a temporary workaround for a dependency issue. Please see issue #2170, for more details.
\ No newline at end of file
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
new file mode 100644
index 0000000000..8783f6d456
--- /dev/null
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
@@ -0,0 +1,25 @@
+# SGX1 Prerequisites on Windows
+
+## Intel SGX Platform Software for Windows (PSW) v2.2
+
+The PSW should be installed automatically on Windows 10 version 1709 or newer, or on a Windows Server 2016 image for an Azure ConfidentialCompute VM. You can verify that is the case on the command line as follows:
+
+```cmd
+sc query aesmservice
+```
+
+The state of the service should be "running" (4). Follow Intel's documentation for troubleshooting.
+
+If you have a Windows Server 2016 image that does not have Intel PSW 2.2, please get the PSW 2.2 [zipped executable](https://oejenkins.blob.core.windows.net/oejenkins/intel_sgx_win_2.2.100.47975_PV.zip).
+
+After downloading  and extracting the zipped executable, run the executable to install PSW 2.2.
+
+```cmd
+C:\Intel SGX PSW for Windows v2.2.100.48339.exe\PSW_EXE_RS2_and_before\Intel(R)Intel(R)_SGX_Windows_x64_PSW_2.2.100.48339.exe
+```
+
+Start the AESM service by running the following command from Powershell.
+
+```powershell
+Start-Service "AESMService"
+```
\ No newline at end of file
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
new file mode 100644
index 0000000000..b58a2d8317
--- /dev/null
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -0,0 +1,131 @@
+# Getting Started with Open Enclave on Windows for systems with support for SGX1 with Flexible Launch Control(FLC)
+
+## Platform requirements
+
+Intel® X86-64bit architecture with SGX1 and Flexible Launch Control (FLC) support. (e.g. Intel Coffee Lake CPU)
+
+Note: To check if your system has support for SGX1 with FLC, please look [here](../SGXSupportLevel.md)
+
+A version of Windows OS with native support for SGX features:
+- For server: Windows Server 2016
+- For client: Windows 10 64-bit version 1709 or newer
+- To check your Windows version, run `winver` on the command line.
+
+## Install Git and Clone the Open Enclave SDK repo
+
+Download and install Git for Windows from [here](https://git-scm.com/download/win)
+
+Clone the Open Enclave SDK
+
+```powershell
+git clone https://github.com/openenclave/openenclave.git
+```
+
+This creates a source tree under the directory called openenclave.
+
+## Install project prerequisites
+
+First, change directory into the openenclave repository:
+
+```powershell
+cd openenclave
+```
+
+Run the following from powershell to deploy all the prerequisites for building Open Enclave (including Intel's DCAP primitives and Azure's DCAP library).
+
+```scripts/install-windows-prereqs.ps1```
+
+To install the prerequisites along with the Azure Data Center Attestation Primitives (DCAP) Client, use the below command. The Azure DCAP Client is necessary to perform attestation on an Azure Confidential Computing VM.
+
+```powershell
+cd scripts
+.\install-windows-prereqs.ps1 -InstallPath YOUR_WORKSPACE_PATH_HERE -LaunchConfiguration SGX1FLC -DCAPClientType Azure
+```
+If you would like to skip the installation of the Azure DCAP Client, use the command below.
+
+```powershell
+cd scripts
+.\install-windows-prereqs.ps1 -InstallPath YOUR_WORKSPACE_PATH_HERE -LaunchConfiguration SGX1FLC -DCAPClientType None
+```
+If there is another DCAP Client type that you would like to install, you are welcome to submit a pull request to add support for that DCAP Client.
+
+As an example, if you cloned the Open Enclave SDK repo into C:\openenclave and want to install the Azure DCAP Client, you would run the following command.
+
+```powershell
+cd scripts
+.\install-windows-prereqs.ps1 -InstallPath C:\openenclave -LaunchConfiguration SGX1FLC -DCAPClientType Azure
+```
+
+If you prefer to manually install prerequisites, please refer to this [document](WindowsManualInstallPrereqs.md).
+
+## Build
+
+Launch the [x64 Native Tools Command Prompt for VS 2017](
+https://docs.microsoft.com/en-us/dotnet/framework/tools/developer-command-prompt-for-vs)
+Normally this is accessible under the `Visual Studio 2017` folder in the Start Menu.
+To build, first create a build directory ("build" in the example below) and change directory into it.
+Then run `cmake` to configure the build and generate the Makefiles, and then build by running `ninja`.
+
+To build debug enclaves
+```cmd
+cd C:\openenclave
+mkdir build\x64-Debug
+cd build\x64-Debug
+cmake -G Ninja -DBUILD_ENCLAVES=1 -DUSE_LIBSGX=1 ..\..
+ninja
+```
+
+Similarly, to build release enclaves
+```cmd
+cd C:\openenclave
+mkdir build\x64-Release
+cd build\x64-Release
+cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_ENCLAVES=1 ../..
+ninja
+```
+
+## Run unittests
+
+After building, run all unit test cases using `ctest` to confirm the SDK is built and working as expected.
+
+Run the following command from the build directory to run tests(In this example, we are testing the debug build):
+
+```cmd
+ctest
+```
+
+You will see test logs similar to the following:
+
+```cmd
+  Test project C:/openenclave/build/x64-Debug
+        Start   1: tests/lockless_queue
+  1/107 Test   #1: tests/lockless_queue ..................................   Passed    3.49 sec
+        Start   2: tests/mem
+  2/107 Test   #2: tests/mem .............................................   Passed    0.01 sec
+  ...
+  ....
+100% tests passed, 0 tests failed out of 107
+```
+
+A clean pass of the above unit tests run is an indication that your Open Enclave setup was successful. 
+
+You can start playing with the Open Enclave samples after following the instructions in the "Install" section below to configure samples for building,
+
+For more information refer to the [Advanced Test Info](AdvancedTestInfo.md) document.
+
+## Installing the SDK on local machine
+
+To install the SDK on the local machine use the following:
+
+```cmd
+cd build\x64-Debug
+ninja install
+```
+
+This installs the SDK in c:\opt\openenclave.
+
+## Known Issues
+
+Samples have not yet been ported to Windows.
+
+Not all tests currently run on Windows. See tests\MakeLists.txt for a list of supported tests.
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
new file mode 100644
index 0000000000..9fdce89559
--- /dev/null
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -0,0 +1,118 @@
+# Getting Started with Open Enclave on Windows for systems with support for SGX1
+
+## Platform requirements
+
+Intel® X86-64bit architecture with SGX1
+
+A version of Windows OS with native support for SGX features:
+- For server: Windows Server 2016
+- For client: Windows 10 64-bit version 1709 or newer
+- To check your Windows version, run winver on the command line.
+
+## Install Git and Clone the Open Enclave SDK repo
+
+Download and install Git for Windows from [here](https://git-scm.com/download/win)
+
+Clone the Open Enclave SDK
+
+```powershell
+git clone https://github.com/openenclave/openenclave.git
+```
+
+This creates a source tree under the directory called openenclave.
+
+## Install project prerequisites
+
+First, change directory into the openenclave repository:
+
+```powershell
+cd openenclave
+```
+
+To deploy all the prerequisities for building Open Enclave, you can run the following from powershell. Note that the Data Center Attestation Primitives Client is not used for attestation on systems which have support for SGX1 without support for Flexible Launch Control (FLC).
+
+```powershell
+cd scripts
+.\install-windows-prereqs.ps1 -InstallPath PATH_TO_OE_REPO -LaunchConfiguration SGX1 -DCAPClientType None
+```
+
+As an example, if you cloned Open Enclave SDK repo into C:\openenclave, you would run the following:
+
+```powershell
+cd scripts
+.\install-windows-prereqs.ps1 -InstallPath C:\openenclave -LaunchConfiguration SGX1 -DCAPClientType None
+```
+
+If you prefer to manually install prerequisites, please refer to this [document](WindowsManualInstallPrereqs.md).
+
+## Building on Windows using Developer Command Prompt
+
+1. Launch the [x64 Native Tools Command Prompt for VS 2017](
+https://docs.microsoft.com/en-us/dotnet/framework/tools/developer-command-prompt-for-vs)
+Normally this is accessible under the `Visual Studio 2017` folder in the Start Menu.
+
+2. At the x64 Native Tools command prompt, use cmake and ninja to build the debug version:
+
+   ```cmd
+   cd C:\openenclave
+   mkdir build\x64-Debug
+   cd build\x64-Debug
+   cmake -G Ninja -DBUILD_ENCLAVES=1 ..\.
+   ninja
+   ```
+
+   Similarly, build the release version with:
+
+    ```cmd
+   cd C:\openenclave
+   mkdir build\x64-Release
+   cd build\x64-Release
+   cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_ENCLAVES=1 ..\..
+   ninja
+   ```
+
+## Run unittests
+
+After building, run all unit test cases using `ctest` to confirm the SDK is built and working as expected. In this example, we are testing the debug build.
+
+Run the following command from the build directory:
+
+```cmd
+ctest
+```
+
+You will see test logs similar to the following:
+
+```cmd
+  Test project C:/openenclave/build/x64-Debug
+        Start   1: tests/lockless_queue
+  1/107 Test   #1: tests/lockless_queue ..................................   Passed    3.49 sec
+        Start   2: tests/mem
+  2/107 Test   #2: tests/mem .............................................   Passed    0.01 sec
+  ...
+  ....
+100% tests passed, 0 tests failed out of 107
+```
+
+A clean pass of the above unit tests is an indication that your Open Enclave setup was successful.
+
+You can start playing with the Open Enclave samples after following the instructions in the "Install" section below to configure samples for building,
+
+For more information refer to the [Advanced Test Info](AdvancedTestInfo.md) document.
+
+## Installing the SDK on local machine
+
+To install the SDK on the local machine use the following:
+
+```cmd
+cd build\x64-Debug
+ninja install
+```
+
+This installs the SDK in c:\opt\openenclave.
+
+## Known Issues
+
+Samples have not yet been ported to Windows.
+
+Not all tests currently run on Windows. See tests\MakeLists.txt for a list of supported tests.
diff --git a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
index ecbe134884..5058caf4dc 100644
--- a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
+++ b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
@@ -21,7 +21,7 @@ Please refer to the following [documentation](/docs/GettingStartedDocs/SGXSuppor
    - `SGX1+FLC`: In this mode, the Open Enclave SDK takes advantage of the Flexible Launch
                  Control mode for better managing architectural enclaves.
 
-   - `Simulator`: Open Enclave comes with a SGX software simulator that simulates a subset of
+   - `Simulation`: Open Enclave comes with a SGX software simulation mode that simulates a subset of
                   the SGX feature set. This simulator enables the Open Enclave SDK to run on
                   systems without actual SGX hardware support.
 
@@ -31,10 +31,10 @@ Please refer to the following [documentation](/docs/GettingStartedDocs/SGXSuppor
    |:---------------------------|:-----------------------------------:|
    | SGX1+FLC                   | SGX1+FLC                            |
    | SGX1                       | SGX1 or SGX1+FLC                    |
-   | Simulator                  | Any level                           |
+   | Simulation                  | Any level                           |
 
-   On Linux, if your target system does not have any SGX hardware support, you may want to choose "Simulator" mode.
-   On Windows, Open Enclave SDK does not support "Simulator" mode.
+   On Linux, if your target system does not have any SGX hardware support, you may want to choose simulation.
+   On Windows, Open Enclave SDK does not support simulation mode.
 
 #### 3. Build, install and run
 
@@ -42,12 +42,14 @@ Please refer to the following [documentation](/docs/GettingStartedDocs/SGXSuppor
    The links below contain instructions on how to set up Open Enclave SDK environment for a given mode.
 
 On Linux
-  - [Setup Open Enclave SDK for SGX1+FLC mode](SGX1FLCGettingStarted.md)
-  - [Setup Open Enclave SDK for SGX1 mode](SGX1GettingStarted.md)
-  - [Setup Open Enclave SDK for Simulator mode](SimulatorGettingStarted.md)
+  - [Setup Open Enclave SDK for SGX1+FLC](SGX1FLCGettingStarted.md)
+  - [Setup Open Enclave SDK for SGX1](SGX1GettingStarted.md)
+  - [Setup Open Enclave SDK for simulation mode](SimulatorGettingStarted.md)
 
 On Windows
- - [Set up Open Enclave SDK](/docs/GettingStartedDocs/GettingStarted.Windows.md)
+ - [Set up Open Enclave SDK for SGX1+FLC](WindowsSGX1FLCGettingStarted.md)
+ - [Set up Open Enclave SDK for SGX1](WindowsSGX1GettingStarted.md)
+ - Simulation mode is not supported on Windows
 
 ## Samples
 
diff --git a/scripts/test-build-config b/scripts/test-build-config
index ff75176fd0..263143a823 100755
--- a/scripts/test-build-config
+++ b/scripts/test-build-config
@@ -6,9 +6,9 @@
 ##====================================================================================
 ##
 ## This script fires OE build and test for specified build-type, platform and
-## simulator/hardware mode.
+## simulation/hardware mode.
 ## Default run with no parameters builds with Debug build-type and for SGX1
-## platform and will test in Simulator mode.
+## platform and will test in simulation.
 ## Run this from the root of the source tree as sudo.
 ## Please note that this script does not install any packages needed for build/test.
 ## Please install all packages necessary for your test before invoking this script.
@@ -19,7 +19,7 @@ if [[ $1 == "-h" || $1 == "--help" ]]; then
    echo "Script to fire OE build and test with specified platform/build-type/test mode" 
    echo " Usage: "
    echo " ./scripts/test-build-config"
-   echo "        -d or --disable_sim to Disable Simulator Test Mode"
+   echo "        -d or --disable_sim to Disable Simulation Test Mode"
    echo "        -p SGX1FLC or -p=SGX1FLC to build for SGX1FLC platform"
    echo "        -b Debug|RelWithDebInfo|Release or -b=Debug|RelWithDebInfo|Release"
    echo "        -h or --help to Display usage and exit"
@@ -28,14 +28,14 @@ if [[ $1 == "-h" || $1 == "--help" ]]; then
    echo "        --enable_full_libcxx_tests to Enable libcxx tests"
    echo "        --enable_full_libc_tests to Enable libc tests"
    echo " Default is to build for SGX1 platform, Debug Build type & test in"
-   echo " simulator mode"
+   echo " simulation"
    echo ""
    exit 0
 fi
 
 # Default values for the arguments
-# Disable Simulator test mode to run on SGX hardware
-# Default test mode is Simulator, disable Simulator test mode with -d or --disable_sim
+# Disable Simulation test mode to run on SGX hardware
+# Default test mode is simulation, disable simulation test mode with -d or --disable_sim
 DISABLE_SIM=0
 # Valid PLATFORM_MODE values are SGX1 or SGX1FLC
 PLATFORM_MODE="SGX1"
@@ -156,7 +156,7 @@ if ! make; then
     exit 1
 fi
 
-# Finally run the tests in Simulator mode or on Hardware
+# Finally run the tests in simulation or on Hardware
 if [[ ${DISABLE_SIM} -ne 1 ]]; then
     SIMULATION_MODE_TEXT="simulation"
     export OE_SIMULATION=1

From 3dbc8b6856d785b436e6ad437a04acd79d9ddb7a Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Fri, 13 Sep 2019 11:57:44 -0700
Subject: [PATCH 011/420] Update manual instructions with VS2019

---
 .../Contributors/SGX1FLCGettingStarted.md     |  4 +--
 .../Contributors/SGX1GettingStarted.md        |  4 +--
 .../WindowsManualInstallPrereqs.md            | 34 +++++++++----------
 .../WindowsManualSGX1FLCDCAPPrereqs.md        |  2 +-
 .../Contributors/WindowsManualSGX1Prereqs.md  |  2 +-
 .../WindowsSGX1FLCGettingStarted.md           | 31 ++++++++---------
 .../Contributors/WindowsSGX1GettingStarted.md | 20 ++++++-----
 .../Contributors/building_oe_sdk.md           |  7 ++--
 8 files changed, 52 insertions(+), 52 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md
index cb13e60161..8e5b1f21c4 100644
--- a/docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md
@@ -61,7 +61,7 @@ ninja
 ```
 Refer to the [Advanced Build Information](AdvancedBuildInfo.md) documentation for further information.
 
-## Run unittests
+## Run unit tests
 
 After building, run all unit test cases using `ctest` to confirm the SDK is built and working as expected.
 
@@ -93,7 +93,7 @@ Test project /home/youradminusername/openenclave/build
 100% tests passed, 0 tests failed out of 123
 
 Total Test time (real) =  83.61 sec
-```A clean pass of the above unit tests is an indication that your Open Enclave setup was successful.
+A clean pass of the above unit tests is an indication that your Open Enclave setup was successful.
 
 You can start playing with the Open Enclave samples after following the instructions in the "Install" section below to configure samples for building,
 
diff --git a/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
index abba31fa7b..f487189d9d 100644
--- a/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
@@ -68,7 +68,7 @@ make
 
 Refer to the [Advanced Build Information](AdvancedBuildInfo.md) documentation for further information.
 
-## Run unittests
+## Run unit tests
 
 After building, run all unit test cases using `ctest` to confirm the SDK is built and working as expected.
 
@@ -102,7 +102,7 @@ Test project /home/youradminusername/openenclave/build
 Total Test time (real) =  83.61 sec
 ```
 
-A clean pass of the above unitests run is an indication that your Open Enclave setup was successful.
+A clean pass of the above unit tests is an indication that your Open Enclave setup was successful.
 
 You can start playing with the Open Enclave samples after following the instructions in the "Install" section below to configure samples for building,
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
index 02380313a1..6937210d5e 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
@@ -1,8 +1,8 @@
-
 # Manually Installing Open Enclave Prerequisites for Windows on a System which supports SGX
 
 ## Platform requirements
 - A system with support for SGX1 or SGX1 with Flexible Launch Control (FLC).
+
  Note: To check if your system has support for SGX1 with or without FLC, please look [here](../SGXSupportLevel.md).
  
 - A version of Windows OS with native support for SGX features:
@@ -11,32 +11,29 @@
    - To check your Windows version, run `winver` on the command line.
 
 ## Software prerequisites
-- [Microsoft Visual Studio Build Tools 2017](https://aka.ms/vs/15/release/vs_buildtools.exe)
+- [Microsoft Visual Studio Build Tools 2019](https://aka.ms/vs/15/release/vs_buildtools.exe)
 - [Git for Windows 64-bit](https://git-scm.com/download/win)
 - [OCaml for Windows 64-bit](https://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/20160113/)
 - [Clang/LLVM for Windows 64-bit](http://releases.llvm.org/7.0.1/LLVM-7.0.1-win64.exe)
 
 ## Prerequisites specific to SGX support on your system
-- For systems with support for SGX1  - [Intel's PSW 2.2](WindowsManualSGX1Prereqs.md)
-- For systems with support for SGX1 + FLC - 
- [Intel's PSW 2.4, Intel's Data Center Attestation primitives and related dependencies](WindowsManualSGX1FLCDCAPPrereqs.md)
 
-## Microsoft Visual Studio Build Tools 2017
+For systems with support for SGX1  - [Intel's PSW 2.2](WindowsManualSGX1Prereqs.md)
+
+For systems with support for SGX1 + FLC - [Intel's PSW 2.4, Intel's Data Center Attestation Primitives and related dependencies](WindowsManualSGX1FLCDCAPPrereqs.md)
 
-Install [Visual Studio Build Tools 2017](https://aka.ms/vs/15/release/vs_buildtools.exe). Choose the "Visual C++ build tools" workload.
-Visual Studio Build Tools 2017's CMake support (ver 3.12 or above) is required for building the Open Enclave SDK.
-Note that cmake in Visual Studio 2019 is not fully supported yet.
-For more information about cmake support, refer to
-https://blogs.msdn.microsoft.com/vcblog/2016/10/05/cmake-support-in-visual-studio/
+## Microsoft Visual Studio Build Tools 2019
+Install [Visual Studio Build Tools 2019](https://aka.ms/vs/16/release/vs_buildtools.exe). Choose the " C++ build tools" workload. Visual Studio Build Tools 2019has support for CMake Version 3.15 (CMake ver 3.12 or above is required for building Open Enclave SDK). For more information about CMake support, look [here](https://blogs.msdn.microsoft.com/vcblog/2016/10/05/cmake-support-in-visual-studio/).
 
 ## Git for Windows 64-bit
 
-Install Git and add Git's bash to the path.
-Typically, Git's bash is located in C:\Program Files\Git\bin.
+Install Git and add Git Bash to the PATH environment variable.
+Typically, Git Bash is located in `C:\Program Files\Git\bin`.
 Currently the Open Enclave SDK build system uses bash scripts to configure
 and build Linux-based 3rd-party libraries.
 
-Open a command prompt and ensure that bash is available in the path:
+Open a command prompt and ensure that Git Bash is added to PATH.
+
 ```cmd
 C:\>where bash
 C:\Program Files\Git\bin\bash.exe
@@ -44,7 +41,7 @@ C:\Program Files\Git\bin\bash.exe
 
 Tools available in the Git bash environment are also used for test and sample
 builds. For example, OpenSSL is used to generate test certificates, so it is
-also useful to have the `Git\mingw64\bin` folder pathed. This can be checked
+also useful to have the `Git\mingw64\bin` folder added to PATH. This can be checked
 from the command prompt as well:
 
 ```cmd
@@ -55,9 +52,10 @@ C:\Program Files\Git\mingw64\bin\openssl.exe
 ## Clang
 
 Install Clang 7.0.1 and add the LLVM folder (typically C:\Program Files\LLVM\bin)
-to the path. Open Enclave SDK uses clang to build the enclave binaries.
+to PATH. Open Enclave SDK uses clang to build the enclave binaries.
+
+Open up a command prompt and ensure that clang is added to PATH.
 
-Open up a command prompt and ensure that clang is available in the path:
 ```cmd
 C:\> where clang
 C:\Program Files\LLVM\bin\clang.exe
@@ -76,7 +74,7 @@ Please download and install the [mingw64 exe for OCaml](https://www.ocamlpro.com
 
 OCaml is used to build the oeedger8r tool as part of the OE SDK.
 
-Open up a command prompt and ensure that ocaml is available in the path:
+Open up a command prompt and ensure that ocaml is added to PATH.
 ```cmd
 C:\> where ocaml
 C:\Program Files\ocpwin64\4.02.1+ocp1-msvc64-20160113\bin\ocaml.exe
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
index 7513ca86f7..5a00c6da70 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
@@ -10,7 +10,7 @@ C:\Intel SGX PSW for Windows v2.4.100.51291\PSW_EXE_RS2_and_before\Intel(R)_SGX_
 ## [Azure DCAP client for Windows](https://github.com/Microsoft/Azure-DCAP-Client/tree/master/src/Windows) [optional]
 
 Note that this is optional since you can choose an alternate implementation of the DCAP client or create your own.
-The Azure DCAP client for Windows is necessary if you would like to perform enclave attestation on a Azure Confidential Computing VM. it is available from [nuget.org](https://www.nuget.org/packages/Azure.DCAP.Windows/) and can be installed directly via:
+The Azure DCAP client for Windows is necessary if you would like to perform enclave attestation on a Azure Confidential Computing VM. It is available from [nuget.org](https://www.nuget.org/packages/Azure.DCAP.Windows/) and can be installed directly via:
 
 ```cmd
 nuget.exe install Azure.DCAP.Windows -ExcludeVersion -Version 0.0.2 -OutputDirectory C:\openenclave\prereqs\nuget
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
index 8783f6d456..e9fb083fef 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
@@ -12,7 +12,7 @@ The state of the service should be "running" (4). Follow Intel's documentation f
 
 If you have a Windows Server 2016 image that does not have Intel PSW 2.2, please get the PSW 2.2 [zipped executable](https://oejenkins.blob.core.windows.net/oejenkins/intel_sgx_win_2.2.100.47975_PV.zip).
 
-After downloading  and extracting the zipped executable, run the executable to install PSW 2.2.
+After downloading and extracting the zipped executable, run the executable to install PSW 2.2.
 
 ```cmd
 C:\Intel SGX PSW for Windows v2.2.100.48339.exe\PSW_EXE_RS2_and_before\Intel(R)Intel(R)_SGX_Windows_x64_PSW_2.2.100.48339.exe
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index b58a2d8317..5bd69b082e 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -4,7 +4,7 @@
 
 Intel® X86-64bit architecture with SGX1 and Flexible Launch Control (FLC) support. (e.g. Intel Coffee Lake CPU)
 
-Note: To check if your system has support for SGX1 with FLC, please look [here](../SGXSupportLevel.md)
+Note: To check if your system has support for SGX1 with FLC, please look [here](../SGXSupportLevel.md).
 
 A version of Windows OS with native support for SGX features:
 - For server: Windows Server 2016
@@ -13,15 +13,15 @@ A version of Windows OS with native support for SGX features:
 
 ## Install Git and Clone the Open Enclave SDK repo
 
-Download and install Git for Windows from [here](https://git-scm.com/download/win)
+- Download and install Git for Windows from [here](https://git-scm.com/download/win).
 
-Clone the Open Enclave SDK
+- Clone the Open Enclave SDK.
 
-```powershell
-git clone https://github.com/openenclave/openenclave.git
-```
+      ```powershell
+      git clone https://github.com/openenclave/openenclave.git
+      ```
 
-This creates a source tree under the directory called openenclave.
+      This creates a source tree under the directory called openenclave.
 
 ## Install project prerequisites
 
@@ -31,23 +31,23 @@ First, change directory into the openenclave repository:
 cd openenclave
 ```
 
-Run the following from powershell to deploy all the prerequisites for building Open Enclave (including Intel's DCAP primitives and Azure's DCAP library).
+Run the following from Powershell to deploy all the prerequisites for building Open Enclave
 
 ```scripts/install-windows-prereqs.ps1```
 
-To install the prerequisites along with the Azure Data Center Attestation Primitives (DCAP) Client, use the below command. The Azure DCAP Client is necessary to perform attestation on an Azure Confidential Computing VM.
+To install the prerequisites along with the Azure DCAP Client, use the below command. The Azure DCAP Client is necessary to perform attestation on an Azure Confidential Computing VM.
 
 ```powershell
 cd scripts
 .\install-windows-prereqs.ps1 -InstallPath YOUR_WORKSPACE_PATH_HERE -LaunchConfiguration SGX1FLC -DCAPClientType Azure
 ```
+
 If you would like to skip the installation of the Azure DCAP Client, use the command below.
 
 ```powershell
 cd scripts
 .\install-windows-prereqs.ps1 -InstallPath YOUR_WORKSPACE_PATH_HERE -LaunchConfiguration SGX1FLC -DCAPClientType None
 ```
-If there is another DCAP Client type that you would like to install, you are welcome to submit a pull request to add support for that DCAP Client.
 
 As an example, if you cloned the Open Enclave SDK repo into C:\openenclave and want to install the Azure DCAP Client, you would run the following command.
 
@@ -60,13 +60,12 @@ If you prefer to manually install prerequisites, please refer to this [document]
 
 ## Build
 
-Launch the [x64 Native Tools Command Prompt for VS 2017](
+Launch the [x64 Native Tools Command Prompt for VS(2017 or 2019)](
 https://docs.microsoft.com/en-us/dotnet/framework/tools/developer-command-prompt-for-vs)
-Normally this is accessible under the `Visual Studio 2017` folder in the Start Menu.
 To build, first create a build directory ("build" in the example below) and change directory into it.
 Then run `cmake` to configure the build and generate the Makefiles, and then build by running `ninja`.
 
-To build debug enclaves
+To build debug enclaves:
 ```cmd
 cd C:\openenclave
 mkdir build\x64-Debug
@@ -75,7 +74,7 @@ cmake -G Ninja -DBUILD_ENCLAVES=1 -DUSE_LIBSGX=1 ..\..
 ninja
 ```
 
-Similarly, to build release enclaves
+Similarly, to build release enclaves:
 ```cmd
 cd C:\openenclave
 mkdir build\x64-Release
@@ -84,7 +83,7 @@ cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_ENCLAVES=1 ../..
 ninja
 ```
 
-## Run unittests
+## Run unit tests
 
 After building, run all unit test cases using `ctest` to confirm the SDK is built and working as expected.
 
@@ -113,7 +112,7 @@ You can start playing with the Open Enclave samples after following the instruct
 
 For more information refer to the [Advanced Test Info](AdvancedTestInfo.md) document.
 
-## Installing the SDK on local machine
+## Installing the SDK on the local machine
 
 To install the SDK on the local machine use the following:
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
index 9fdce89559..2faa4d784b 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -2,16 +2,18 @@
 
 ## Platform requirements
 
-Intel® X86-64bit architecture with SGX1
+Intel® X86-64bit architecture with SGX1.
+
+Note: To check if your system has support for SGX1, please look [here](../SGXSupportLevel.md).
 
 A version of Windows OS with native support for SGX features:
 - For server: Windows Server 2016
 - For client: Windows 10 64-bit version 1709 or newer
-- To check your Windows version, run winver on the command line.
+- To check your Windows version, run `winver` on the command line.
 
 ## Install Git and Clone the Open Enclave SDK repo
 
-Download and install Git for Windows from [here](https://git-scm.com/download/win)
+Download and install Git for Windows from [here](https://git-scm.com/download/win).
 
 Clone the Open Enclave SDK
 
@@ -29,14 +31,14 @@ First, change directory into the openenclave repository:
 cd openenclave
 ```
 
-To deploy all the prerequisities for building Open Enclave, you can run the following from powershell. Note that the Data Center Attestation Primitives Client is not used for attestation on systems which have support for SGX1 without support for Flexible Launch Control (FLC).
+To deploy all the prerequisities for building Open Enclave, you can run the following from Powershell. Note that the Data Center Attestation Primitives (DCAP) Client is not used for attestation on systems which have support for SGX1 without support for Flexible Launch Control (FLC).
 
 ```powershell
 cd scripts
 .\install-windows-prereqs.ps1 -InstallPath PATH_TO_OE_REPO -LaunchConfiguration SGX1 -DCAPClientType None
 ```
 
-As an example, if you cloned Open Enclave SDK repo into C:\openenclave, you would run the following:
+As an example, if you cloned Open Enclave SDK repo into `C:\openenclave`, you would run the following:
 
 ```powershell
 cd scripts
@@ -51,13 +53,13 @@ If you prefer to manually install prerequisites, please refer to this [document]
 https://docs.microsoft.com/en-us/dotnet/framework/tools/developer-command-prompt-for-vs)
 Normally this is accessible under the `Visual Studio 2017` folder in the Start Menu.
 
-2. At the x64 Native Tools command prompt, use cmake and ninja to build the debug version:
+2. At the x64 Native Tools command prompt, use CMake and ninja to build the debug version:
 
    ```cmd
    cd C:\openenclave
    mkdir build\x64-Debug
    cd build\x64-Debug
-   cmake -G Ninja -DBUILD_ENCLAVES=1 ..\.
+   cmake -G Ninja -DBUILD_ENCLAVES=1 ..\..
    ninja
    ```
 
@@ -71,7 +73,7 @@ Normally this is accessible under the `Visual Studio 2017` folder in the Start M
    ninja
    ```
 
-## Run unittests
+## Run unit tests
 
 After building, run all unit test cases using `ctest` to confirm the SDK is built and working as expected. In this example, we are testing the debug build.
 
@@ -100,7 +102,7 @@ You can start playing with the Open Enclave samples after following the instruct
 
 For more information refer to the [Advanced Test Info](AdvancedTestInfo.md) document.
 
-## Installing the SDK on local machine
+## Installing the SDK on the local machine
 
 To install the SDK on the local machine use the following:
 
diff --git a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
index 5058caf4dc..877627f1d0 100644
--- a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
+++ b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
@@ -21,7 +21,7 @@ Please refer to the following [documentation](/docs/GettingStartedDocs/SGXSuppor
    - `SGX1+FLC`: In this mode, the Open Enclave SDK takes advantage of the Flexible Launch
                  Control mode for better managing architectural enclaves.
 
-   - `Simulation`: Open Enclave comes with a SGX software simulation mode that simulates a subset of
+   - `Simulation`: Open Enclave comes with an SGX software simulation mode that simulates a subset of
                   the SGX feature set. This simulator enables the Open Enclave SDK to run on
                   systems without actual SGX hardware support.
 
@@ -34,6 +34,7 @@ Please refer to the following [documentation](/docs/GettingStartedDocs/SGXSuppor
    | Simulation                  | Any level                           |
 
    On Linux, if your target system does not have any SGX hardware support, you may want to choose simulation.
+
    On Windows, Open Enclave SDK does not support simulation mode.
 
 #### 3. Build, install and run
@@ -41,12 +42,12 @@ Please refer to the following [documentation](/docs/GettingStartedDocs/SGXSuppor
    Choose an operating mode that is compatible with the SGX support level of your target system.
    The links below contain instructions on how to set up Open Enclave SDK environment for a given mode.
 
-On Linux
+On Linux:
   - [Setup Open Enclave SDK for SGX1+FLC](SGX1FLCGettingStarted.md)
   - [Setup Open Enclave SDK for SGX1](SGX1GettingStarted.md)
   - [Setup Open Enclave SDK for simulation mode](SimulatorGettingStarted.md)
 
-On Windows
+On Windows:
  - [Set up Open Enclave SDK for SGX1+FLC](WindowsSGX1FLCGettingStarted.md)
  - [Set up Open Enclave SDK for SGX1](WindowsSGX1GettingStarted.md)
  - Simulation mode is not supported on Windows

From 54ff2075023682a18dbbf1cd80952f423fdeebf2 Mon Sep 17 00:00:00 2001
From: Cheng-mean Liu <soccerl@microsoft.com>
Date: Sat, 14 Sep 2019 02:13:32 -0500
Subject: [PATCH 012/420] Fixed QE Idenity regression

---
 host/sgx/ocalls.c           | 3 ++-
 host/sgx/sgxquoteprovider.h | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/host/sgx/ocalls.c b/host/sgx/ocalls.c
index 2f2d91fa2b..d11a3ae249 100644
--- a/host/sgx/ocalls.c
+++ b/host/sgx/ocalls.c
@@ -260,7 +260,7 @@ oe_result_t oe_get_revocation_info_ocall(
         &buffer_too_small));
 
     if (buffer_too_small)
-        OE_RAISE(OE_BUFFER_TOO_SMALL);
+        OE_RAISE_NO_TRACE(OE_BUFFER_TOO_SMALL);
 
     result = OE_OK;
 
@@ -308,6 +308,7 @@ oe_result_t oe_get_qe_identify_info_ocall(
         memcpy(issuer_chain, args.issuer_chain, args.issuer_chain_size);
 
     *issuer_chain_size_out = args.issuer_chain_size;
+    result = OE_OK;
 
 done:
 
diff --git a/host/sgx/sgxquoteprovider.h b/host/sgx/sgxquoteprovider.h
index ba3858bb9c..1658800f3e 100644
--- a/host/sgx/sgxquoteprovider.h
+++ b/host/sgx/sgxquoteprovider.h
@@ -28,8 +28,8 @@ typedef struct _oe_sgx_quote_provider
 
 #define SGX_QL_GET_REVOCATION_INFO_NAME "sgx_ql_get_revocation_info"
 #define SGX_QL_FREE_REVOCATION_INFO_NAME "sgx_ql_free_revocation_info"
-#define SGX_QL_GET_QE_IDENTITY_INFO_NAME "sgx_ql_get_qe_identity_info"
-#define SGX_QL_FREE_QE_IDENTITY_INFO_NAME "sgx_ql_free_qe_identity_info"
+#define SGX_QL_GET_QE_IDENTITY_INFO_NAME "sgx_get_qe_identity_info"
+#define SGX_QL_FREE_QE_IDENTITY_INFO_NAME "sgx_free_qe_identity_info"
 #define SGX_QL_SET_LOGGING_FUNCTION_NAME "sgx_ql_set_logging_function"
 
 OE_EXTERNC_END

From b8b637bd7fd53f0f39caf322b4204fc6fa905c19 Mon Sep 17 00:00:00 2001
From: Marius Oprin <moprin@cloudbasesolutions.com>
Date: Mon, 16 Sep 2019 13:09:28 +0300
Subject: [PATCH 013/420] Clean copied sources and binaries from
 ExternalProject_Add rules

---
 3rdparty/CMakeLists.txt                                     | 4 ++++
 3rdparty/libcxx/CMakeLists.txt                              | 4 ++++
 3rdparty/libcxx/libcxx/benchmarks/CMakeLists.txt            | 6 ++++++
 .../libcxx/utils/google-benchmark/cmake/HandleGTest.cmake   | 4 +++-
 3rdparty/musl/CMakeLists.txt                                | 5 +++++
 5 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/3rdparty/CMakeLists.txt b/3rdparty/CMakeLists.txt
index cee4b76f40..189589a712 100755
--- a/3rdparty/CMakeLists.txt
+++ b/3rdparty/CMakeLists.txt
@@ -79,6 +79,10 @@ if (OE_TRUSTZONE)
       BYPRODUCTS
         <BINARY_DIR>/libteec/libteec.a)
 
+    set_property(DIRECTORY PROPERTY ADDITIONAL_MAKE_CLEAN_FILES
+      ${CMAKE_CURRENT_BINARY_DIR}/optee_client
+      ${CMAKE_BINARY_DIR}/libteec/libteec.a
+    )
     ExternalProject_Get_property(optee_client-wrap SOURCE_DIR)
     ExternalProject_Get_property(optee_client-wrap BINARY_DIR)
 
diff --git a/3rdparty/libcxx/CMakeLists.txt b/3rdparty/libcxx/CMakeLists.txt
index 710955e404..68e73b9298 100644
--- a/3rdparty/libcxx/CMakeLists.txt
+++ b/3rdparty/libcxx/CMakeLists.txt
@@ -11,6 +11,10 @@ ExternalProject_Add(libcxx_includes
     COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_LIST_DIR}/__config ${LIBCXX_INCLUDES}/__config
   INSTALL_COMMAND "")
 
+set_property(DIRECTORY PROPERTY ADDITIONAL_MAKE_CLEAN_FILES
+    ${LIBCXX_INCLUDES}
+)
+
 add_library(libcxx OBJECT
   __dso_handle.cpp
   libcxx/src/algorithm.cpp
diff --git a/3rdparty/libcxx/libcxx/benchmarks/CMakeLists.txt b/3rdparty/libcxx/libcxx/benchmarks/CMakeLists.txt
index 3823b87b39..414bde48fd 100644
--- a/3rdparty/libcxx/libcxx/benchmarks/CMakeLists.txt
+++ b/3rdparty/libcxx/libcxx/benchmarks/CMakeLists.txt
@@ -38,6 +38,9 @@ ExternalProject_Add(google-benchmark-libcxx
           -DBENCHMARK_USE_LIBCXX:BOOL=ON
           -DBENCHMARK_ENABLE_TESTING:BOOL=OFF)
 
+set_property(DIRECTORY PROPERTY ADDITIONAL_MAKE_CLEAN_FILES
+  ${CMAKE_CURRENT_BINARY_DIR}/benchmark-libcxx
+)
 #==============================================================================
 # Build Google Benchmark for the native stdlib
 #==============================================================================
@@ -61,6 +64,9 @@ if (LIBCXX_BENCHMARK_NATIVE_STDLIB)
           -DCMAKE_BUILD_TYPE:STRING=RELEASE
           -DCMAKE_INSTALL_PREFIX:PATH=<INSTALL_DIR>
           -DBENCHMARK_ENABLE_TESTING:BOOL=OFF)
+  set_property(DIRECTORY PROPERTY ADDITIONAL_MAKE_CLEAN_FILES
+    ${CMAKE_CURRENT_BINARY_DIR}/benchmark-native
+  )
 endif()
 
 
diff --git a/3rdparty/libcxx/libcxx/utils/google-benchmark/cmake/HandleGTest.cmake b/3rdparty/libcxx/libcxx/utils/google-benchmark/cmake/HandleGTest.cmake
index b9c14436db..751ed6704f 100644
--- a/3rdparty/libcxx/libcxx/utils/google-benchmark/cmake/HandleGTest.cmake
+++ b/3rdparty/libcxx/libcxx/utils/google-benchmark/cmake/HandleGTest.cmake
@@ -50,7 +50,9 @@ macro(build_external_gtest)
         -DCMAKE_CXX_FLAGS:STRING=${GTEST_FLAGS}
         -Dgtest_force_shared_crt:BOOL=ON
       )
-
+  set_property(DIRECTORY PROPERTY ADDITIONAL_MAKE_CLEAN_FILES 
+    ${CMAKE_BINARY_DIR}/googletest
+  )
   ExternalProject_Get_Property(googletest install_dir)
   set(GTEST_INCLUDE_DIRS ${install_dir}/include)
   file(MAKE_DIRECTORY ${GTEST_INCLUDE_DIRS})
diff --git a/3rdparty/musl/CMakeLists.txt b/3rdparty/musl/CMakeLists.txt
index 9186035ed0..037f5e33c0 100644
--- a/3rdparty/musl/CMakeLists.txt
+++ b/3rdparty/musl/CMakeLists.txt
@@ -95,6 +95,11 @@ ExternalProject_Add(musl_includes
     ${MUSL_INCLUDES} ${MUSL_DIR}
   INSTALL_COMMAND "")
 
+set_property(DIRECTORY PROPERTY ADDITIONAL_MAKE_CLEAN_FILES
+    ${MUSL_INCLUDES}
+    ${MUSL_DIR}
+)
+
 add_library(oelibc_includes INTERFACE)
 
 add_dependencies(oelibc_includes musl_includes)

From df0e37fa5a571119af76e9ff0601bcdb1d756dfd Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Thu, 12 Sep 2019 23:11:01 +0000
Subject: [PATCH 014/420] Setup CODEOWNERS

This will make PRs automatically ping people!
---
 docs/CODEOWNERS               | 52 +++++++++++++++++++++++++++++++++++
 scripts/.check-license.ignore |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 docs/CODEOWNERS

diff --git a/docs/CODEOWNERS b/docs/CODEOWNERS
new file mode 100644
index 0000000000..ca0e35fef7
--- /dev/null
+++ b/docs/CODEOWNERS
@@ -0,0 +1,52 @@
+# Each line is a file pattern followed by one or more owners.
+# Refer to https://help.github.com/en/articles/about-code-owners
+
+# Order is important; the last matching pattern takes the most
+# precedence. Try to keep at least two owners per pattern.
+
+# These owners will be the default owners for everything in the repo.
+# Unless a later match takes precedence, they will be requested for
+# review when someone opens a pull request.
+* @openenclave/committers
+
+/3rdparty/ @mikbras @CodeMonkeyLeet
+/cmake/ @andschwa @BRMcLaren
+/common/ @CodeMonkeyLeet @gupta-ak @mikbras
+/debugger/ @anakrish @jxyang
+/enclave/ @CodeMonkeyLeet @gupta-ak @mikbras
+/host/ @CodeMonkeyLeet @gupta-ak @mikbras
+# TODO: Break this folder out?
+/include/ @achamayou @dthaler @mikbras @CodeMonkeyLeet
+/libc/ @mikbras @CodeMonkeyLeet
+/scripts/ @achamayou @andschwa @johnkord
+/samples/ @andschwa @dthaler @soccerGB
+/syscall/ @mikbras @yakman2020
+# TODO: Break this folder out?
+/tests/ @EmilAlexandruStoica @mikbras
+/tools/ @anakrish @CodeMonkeyLeet
+/tools/oeedger8r/ @andschwa @anakrish @jxyang
+/pkgconfig/ @gupta-ak @mikbras
+/prereqs/ @johnkord @CodeMonkeyLeet
+
+# Matches all folders with these names, not just in root.
+optee/ @Britel @dthaler @HernanGatta
+sgx/ @CodeMonkeyLeet @gupta-ak @mikbras
+linux/ @mikbras @yakman2020
+windows/ @CodeMonkeyLeet @yakman2020
+crypto/ @CodeMonkeyLeet @gupta-ak
+
+# Match all CMake, anywhere.
+CMakeLists.txt @andschwa @BRMcLaren @EmilAlexandruStoica
+*.cmake @andschwa @BRMcLaren @EmilAlexandruStoica
+
+# Match all Markdown, anywhere.
+*.md @CodeMonkeyLeet @johnkord @andschwa @radhikaj
+
+# Except design reviews, which should be everyone.
+/docs/DesignDocs/ @openenclave/committers
+
+# And governance documents.
+/docs/Contributing.md @openenclave/maintainers
+/docs/GovernanceModel.md @openenclave/maintainers
+/docs/Maintainers.md @openenclave/maintainers
+/docs/Releasing.md @openenclave/maintainers
diff --git a/scripts/.check-license.ignore b/scripts/.check-license.ignore
index 4edcbbb6a4..a096f080b3 100644
--- a/scripts/.check-license.ignore
+++ b/scripts/.check-license.ignore
@@ -42,6 +42,7 @@ tools/oeedger8r/intel/.*
 3rdparty/musl/endian\.h\.suffix
 3rdparty/optee/optee_client
 3rdparty/optee/optee_os
+docs/CODEOWNERS
 LICENSE
 THIRD_PARTY_NOTICES
 VERSION

From 79cae813ff92cb45cfce70be8f88c299ba447a2d Mon Sep 17 00:00:00 2001
From: Dave Thaler <dthaler@microsoft.com>
Date: Mon, 16 Sep 2019 11:33:15 -0700
Subject: [PATCH 015/420] Fix typos

Signed-off-by: Dave Thaler <dthaler@microsoft.com>
---
 docs/GovernanceModel.md | 2 +-
 docs/Maintainers.md     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/GovernanceModel.md b/docs/GovernanceModel.md
index 3cbfdcc7b6..3acffa0260 100644
--- a/docs/GovernanceModel.md
+++ b/docs/GovernanceModel.md
@@ -41,7 +41,7 @@ Remember that security issues should be reported through a separate channel, and
 will receive a response within 24 hours. See [Reporting Security
 Issues](Contributing.md#reporting-security-issues).
 
-Community Maintenance Commitee Members, Committers, and Contributors
+Community Governance Committee Members, Committers, and Contributors
 --------------------------------------------------------------------
 
 A "committer" is anyone with direct write access to the Open Enclave repository on
diff --git a/docs/Maintainers.md b/docs/Maintainers.md
index 248d1f7b52..d9222ba353 100644
--- a/docs/Maintainers.md
+++ b/docs/Maintainers.md
@@ -34,7 +34,7 @@ Committee Responsibilities
 The primary responsibility of the Committee is to grant new committer rights
 (that is, write access to the main Open Enclave SDK repository or related
 repositories), and to grant new membership into the Committee. Conversely, the
-Commitee must also remove committer rights and membership from those found to
+Committee must also remove committer rights and membership from those found to
 be violating the project's Code of Conduct or otherwise negatively affecting the
 project's community health.
 

From 033c8c988efb9d5e9c317fbb9ef7384a98aaae0c Mon Sep 17 00:00:00 2001
From: Dave Thaler <dthaler@microsoft.com>
Date: Mon, 16 Sep 2019 11:34:21 -0700
Subject: [PATCH 016/420] Omit reference to a TSC

Signed-off-by: Dave Thaler <dthaler@microsoft.com>
---
 docs/Maintainers.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/docs/Maintainers.md b/docs/Maintainers.md
index d9222ba353..0d927b330b 100644
--- a/docs/Maintainers.md
+++ b/docs/Maintainers.md
@@ -1,8 +1,7 @@
 Community Governance Committee
 ==============================
 
-This document describes the Open Enclave Community Governance Committee, which in some open source
-projects is also known as a Technical Steering Committee. By
+This document describes the Open Enclave Community Governance Committee. By
 our liberal contribution policy outlined in our
 [governance model](GovernanceModel.md), Committee members are committers that are
 trusted to grant new committer rights, and grant new membership into the

From 136afafbe16270be803e4a087e1464f3a8d7558a Mon Sep 17 00:00:00 2001
From: Radoslav Gerganov <rgerganov@vmware.com>
Date: Tue, 17 Sep 2019 11:29:40 +0300
Subject: [PATCH 017/420] Fix file-encryptor README

The file-encryptor sample doesn't use oe_is_outside_enclave API. This
patch fixes the README file for this sample.

Signed-off-by: Radoslav Gerganov <rgerganov@vmware.com>
---
 samples/file-encryptor/README.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/samples/file-encryptor/README.md b/samples/file-encryptor/README.md
index fdf6069b68..f07d04c4dc 100644
--- a/samples/file-encryptor/README.md
+++ b/samples/file-encryptor/README.md
@@ -17,7 +17,6 @@ It has the following properties:
   - mbedtls_entropy_*
   - mbedtls_ctr_drbg_*
   - mbedtls_sha256_*
-  - oe_is_outside_enclave
 - Also runs in OE simulation mode
 
 ## Host application

From 076b19c5857f826e64592ca8472538756e59f6f9 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 17 Sep 2019 22:07:47 +0000
Subject: [PATCH 018/420] Update CGC team name in CODEOWNERS

---
 docs/CODEOWNERS | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/CODEOWNERS b/docs/CODEOWNERS
index ca0e35fef7..f35b4d8c5a 100644
--- a/docs/CODEOWNERS
+++ b/docs/CODEOWNERS
@@ -46,7 +46,7 @@ CMakeLists.txt @andschwa @BRMcLaren @EmilAlexandruStoica
 /docs/DesignDocs/ @openenclave/committers
 
 # And governance documents.
-/docs/Contributing.md @openenclave/maintainers
-/docs/GovernanceModel.md @openenclave/maintainers
-/docs/Maintainers.md @openenclave/maintainers
-/docs/Releasing.md @openenclave/maintainers
+/docs/Contributing.md @openenclave/committee
+/docs/GovernanceModel.md @openenclave/committee
+/docs/Maintainers.md @openenclave/committee
+/docs/Releasing.md @openenclave/committee

From d4fb942541599ae6b33d15017762e0ed57f217b7 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 17 Sep 2019 22:12:25 +0000
Subject: [PATCH 019/420] Rename Maintainers.md to Committers.md

---
 docs/CODEOWNERS                        | 2 +-
 docs/{Maintainers.md => Committers.md} | 0
 docs/GovernanceModel.md                | 8 ++++----
 3 files changed, 5 insertions(+), 5 deletions(-)
 rename docs/{Maintainers.md => Committers.md} (100%)

diff --git a/docs/CODEOWNERS b/docs/CODEOWNERS
index f35b4d8c5a..c261a0b1a2 100644
--- a/docs/CODEOWNERS
+++ b/docs/CODEOWNERS
@@ -48,5 +48,5 @@ CMakeLists.txt @andschwa @BRMcLaren @EmilAlexandruStoica
 # And governance documents.
 /docs/Contributing.md @openenclave/committee
 /docs/GovernanceModel.md @openenclave/committee
-/docs/Maintainers.md @openenclave/committee
+/docs/Committers.md @openenclave/committee
 /docs/Releasing.md @openenclave/committee
diff --git a/docs/Maintainers.md b/docs/Committers.md
similarity index 100%
rename from docs/Maintainers.md
rename to docs/Committers.md
diff --git a/docs/GovernanceModel.md b/docs/GovernanceModel.md
index 3acffa0260..d4e4669d75 100644
--- a/docs/GovernanceModel.md
+++ b/docs/GovernanceModel.md
@@ -17,7 +17,7 @@ In order to maintain a pleasant and welcoming environment, we want to reiterate
 that it is imperative that all community members adhere to our
 [Code of Conduct](Contributing.md#code-of-conduct).
 Anyone failing to follow the Code of Conduct will be removed from the community
-by the [Community Governance Committee](Maintainers.md). If you are made to
+by the [Community Governance Committee](Committers.md). If you are made to
 feel uncomfortable, or have any concerns about behavior within the community, we
 encourage you to reach out to members of the Community Governance Committee.
 
@@ -51,7 +51,7 @@ contributions to the project, including: creating or commenting on issues,
 opening or reviewing pull requests, or other useful contributions such as
 providing support in forums or chats.
 
-See the [Community Governance Committee document](Maintainers.md) for more information
+See the [Community Governance Committee document](Committers.md) for more information
 on the Community Governance Committee, our process for adding new committers and Committee members, as well the
 areas of expertise for each of the committers.
 
@@ -69,9 +69,9 @@ voting process. For example, committers can merge contributions that were
 reviewed without objections. If there are objections that cannot be resolved, an
 issue can be escalated to the Community Governance Committee to make a
 decision, which handles issues as discussed in the
-[Community Governance Committee document](Maintainers.md).
+[Community Governance Committee document](Committers.md).
 
-See the [Community Governance Committee document](Maintainers.md) for the list of project
+See the [Community Governance Committee document](Committers.md) for the list of project
 committers, and how to become one.
 
 Community Approval of Releases

From 2ad99e075cdecb75974e7e832e9d14e7d2f1e0db Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 17 Sep 2019 22:13:47 +0000
Subject: [PATCH 020/420] Rename GovernanceModel.md to Governance.md

For consistency
---
 README.md                                  | 2 +-
 docs/CODEOWNERS                            | 2 +-
 docs/Committers.md                         | 2 +-
 docs/Contributing.md                       | 4 ++--
 docs/{GovernanceModel.md => Governance.md} | 0
 docs/Releasing.md                          | 4 ++--
 6 files changed, 7 insertions(+), 7 deletions(-)
 rename docs/{GovernanceModel.md => Governance.md} (100%)

diff --git a/README.md b/README.md
index 6b29d8172a..c78d6c5cd5 100644
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ additional questions or comments.
 
 See the [Development Guide](docs/DevelopmentGuide.md) for details about
 contributing code to this project, such as coding style and development
-processes. Also see our [Governance Model](docs/GovernanceModel.md) for how we
+processes. Also see our [Governance Model](docs/Governance.md) for how we
 maintain the project.
 
 Licensing
diff --git a/docs/CODEOWNERS b/docs/CODEOWNERS
index c261a0b1a2..a44e5aa0f8 100644
--- a/docs/CODEOWNERS
+++ b/docs/CODEOWNERS
@@ -47,6 +47,6 @@ CMakeLists.txt @andschwa @BRMcLaren @EmilAlexandruStoica
 
 # And governance documents.
 /docs/Contributing.md @openenclave/committee
-/docs/GovernanceModel.md @openenclave/committee
+/docs/Governance.md @openenclave/committee
 /docs/Committers.md @openenclave/committee
 /docs/Releasing.md @openenclave/committee
diff --git a/docs/Committers.md b/docs/Committers.md
index 0d927b330b..e227fdb645 100644
--- a/docs/Committers.md
+++ b/docs/Committers.md
@@ -3,7 +3,7 @@ Community Governance Committee
 
 This document describes the Open Enclave Community Governance Committee. By
 our liberal contribution policy outlined in our
-[governance model](GovernanceModel.md), Committee members are committers that are
+[governance model](Governance.md), Committee members are committers that are
 trusted to grant new committer rights, and grant new membership into the
 Committee.
 
diff --git a/docs/Contributing.md b/docs/Contributing.md
index c2f09f1156..8e52b43a8b 100644
--- a/docs/Contributing.md
+++ b/docs/Contributing.md
@@ -9,7 +9,7 @@ filing an issue.
 General contribution guidance is included in this document. Additional guidance
 is defined in the documents linked below:
 
-- [Governance Model](GovernanceModel.md) describes how we intend our
+- [Governance Model](Governance.md) describes how we intend our
   collaboration to happen.
 - [Development Guide](DevelopmentGuide.md) describes the coding style and other
   development practices applied to this project.
@@ -59,7 +59,7 @@ General Guidelines
 Please do:
 
 - **DO** open an issue for design discussion before making any major changes.
-- **DO** read our [Governance Model](GovernanceModel.md) to understand how our
+- **DO** read our [Governance Model](Governance.md) to understand how our
   community works.
 - **DO** follow our coding style described in the [Development Guide](
   DevelopmentGuide.md).
diff --git a/docs/GovernanceModel.md b/docs/Governance.md
similarity index 100%
rename from docs/GovernanceModel.md
rename to docs/Governance.md
diff --git a/docs/Releasing.md b/docs/Releasing.md
index 45ca22a533..19fa1694ad 100644
--- a/docs/Releasing.md
+++ b/docs/Releasing.md
@@ -97,7 +97,7 @@ release. These notes should be suitable for a blog post.
 Community Approval
 ------------------
 
-See the [Governance Model](GovernanceModel.md#community-approval-of-releases)
+See the [Governance Model](Governance.md#community-approval-of-releases)
 documentation for the necessary steps to approve the release with the community.
 
 GitHub Release and Git Tag Creation
@@ -146,5 +146,5 @@ notes, and any social media we currently use).
 Servicing
 ---------
 
-See the [Governance Model](GovernanceModel.md#servicing-of-releases)
+See the [Governance Model](Governance.md#servicing-of-releases)
 documentation for our intended servicing model.

From a66872cfbbdba6dd777a47e6d09e8913bcbdd723 Mon Sep 17 00:00:00 2001
From: Xuejun Yang <xuejya@microsoft.com>
Date: Fri, 23 Aug 2019 19:44:37 +0000
Subject: [PATCH 021/420] The 2nd half installment of switchless ocalls

* Create threads to service switchless ocalls
* Necessary sychronizations between threads
* Add generic handling of configurations during enclave creation
* Use switchless specific struct to configure and start switchless
* Add a switchless test case and measure its performance
* Expose the changes related to enclave configuration in the public API (marked as experimental)
* Tear down per-thread shared memory arenas during EEXIT (previously during enclave termination)
* Protect sync variable accesses with memory barriers
* Add OS agnostic thread and atomic routines for better readability (#2098)

This also fixes issue 2098.
---
 common/result.c                           |   9 ++
 enclave/core/CMakeLists.txt               |   3 +-
 enclave/core/arena.c                      |  98 +++++++++++++++
 enclave/core/arena.h                      |  27 ++++
 enclave/core/hostcalls.c                  |   6 +-
 enclave/core/optee/gp.c                   |   6 +
 enclave/core/optee/hostcalls.c            |   6 +-
 enclave/core/sgx/calls.c                  |  80 ++++++------
 enclave/core/sgx/hostcalls.c              |   6 +-
 enclave/core/shm.c                        | 111 -----------------
 enclave/core/shm.h                        |  28 -----
 enclave/core/switchlesscalls.c            | 143 ++++++++++++++++++++++
 enclave/core/switchlesscalls.h            |  15 +++
 host/CMakeLists.txt                       |   3 +-
 host/calls.h                              |   2 +
 host/hostthread.h                         |  29 ++++-
 host/linux/hostthread.c                   |  13 +-
 host/optee/linux/enclave.c                |  18 ++-
 host/sgx/calls.c                          |  15 +--
 host/sgx/create.c                         |  72 ++++++++++-
 host/sgx/enclave.h                        |   6 +-
 host/sgx/switchless.c                     | 135 ++++++++++++++++++++
 host/traceh.c                             |   2 +-
 host/windows/hostthread.c                 |  27 +++-
 include/openenclave/bits/result.h         |  15 +++
 include/openenclave/host.h                |  70 ++++++++++-
 include/openenclave/internal/atomic.h     |  36 ++++++
 include/openenclave/internal/calls.h      |   1 +
 include/openenclave/internal/switchless.h |  32 +++++
 include/openenclave/internal/thread.h     |   4 +-
 include/openenclave/internal/utils.h      |  10 ++
 tests/create-errors/host/host.c           |  27 +++-
 tests/switchless/enc/CMakeLists.txt       |   4 +-
 tests/switchless/enc/enc.c                |  79 +++++++-----
 tests/switchless/host/CMakeLists.txt      |   4 +-
 tests/switchless/host/host.c              |  92 +++++++++-----
 tests/switchless/switchless.edl           |  20 ++-
 tools/oeedger8r/Emitter.ml                |  15 +++
 38 files changed, 971 insertions(+), 298 deletions(-)
 create mode 100644 enclave/core/arena.c
 create mode 100644 enclave/core/arena.h
 delete mode 100644 enclave/core/shm.c
 delete mode 100644 enclave/core/shm.h
 create mode 100644 enclave/core/switchlesscalls.c
 create mode 100644 enclave/core/switchlesscalls.h
 create mode 100644 host/sgx/switchless.c
 create mode 100644 include/openenclave/internal/switchless.h

diff --git a/common/result.c b/common/result.c
index 1802738ced..9a77b863a1 100644
--- a/common/result.c
+++ b/common/result.c
@@ -118,6 +118,12 @@ const char* oe_result_str(oe_result_t result)
             return "QE_QUOTE_ENCLAVE_IDENTITY_PRODUCTID_MISMATCH";
         case OE_VERIFY_FAILED_AES_CMAC_MISMATCH:
             return "OE_VERIFY_FAILED_AES_CMAC_MISMATCH";
+        case OE_CONTEXT_SWITCHLESS_OCALL_MISSED:
+            return "OE_CONTEXT_SWITCHLESS_OCALL_MISSED";
+        case OE_THREAD_CREATE_ERROR:
+            return "OE_THREAD_CREATE_ERROR";
+        case OE_THREAD_JOIN_ERROR:
+            return "OE_THREAD_JOIN_ERROR";
         case __OE_RESULT_MAX:
             break;
     }
@@ -180,6 +186,9 @@ bool oe_is_valid_result(uint32_t result)
         case OE_QUOTE_ENCLAVE_IDENTITY_UNIQUEID_MISMATCH:
         case QE_QUOTE_ENCLAVE_IDENTITY_PRODUCTID_MISMATCH:
         case OE_VERIFY_FAILED_AES_CMAC_MISMATCH:
+        case OE_CONTEXT_SWITCHLESS_OCALL_MISSED:
+        case OE_THREAD_CREATE_ERROR:
+        case OE_THREAD_JOIN_ERROR:
         {
             return true;
         }
diff --git a/enclave/core/CMakeLists.txt b/enclave/core/CMakeLists.txt
index 9b63d123bb..c12447fdd3 100644
--- a/enclave/core/CMakeLists.txt
+++ b/enclave/core/CMakeLists.txt
@@ -136,12 +136,13 @@ add_library(oecore STATIC
     pthread.c
     result.c
     sbrk.c
-    shm.c
+    arena.c
     stdio.c
     strerror.c
     string.c
     strtok_r.c
     strtoul.c
+    switchlesscalls.c
     tee_t_wrapper.c
     time.c
     tracee.c
diff --git a/enclave/core/arena.c b/enclave/core/arena.c
new file mode 100644
index 0000000000..1b0877d955
--- /dev/null
+++ b/enclave/core/arena.c
@@ -0,0 +1,98 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include "arena.h"
+#include <openenclave/bits/safemath.h>
+#include <openenclave/edger8r/common.h>
+#include <openenclave/internal/raise.h>
+#include <openenclave/internal/thread.h>
+#include <openenclave/internal/utils.h>
+#include <string.h>
+
+// The per-thread shared memory arena
+static __thread shared_memory_arena_t _arena = {0};
+
+// Default shared memory arena capacity is 1 mb
+static size_t _capacity = 1024 * 1024;
+
+static const size_t _max_capacity = 1 << 30;
+
+void* oe_allocate_arena(size_t capacity);
+void oe_deallocate_arena(void* buffer);
+
+bool oe_configure_arena_capacity(size_t cap)
+{
+    if (cap > _max_capacity)
+    {
+        return false;
+    }
+    _capacity = cap;
+    return true;
+}
+
+void* oe_arena_malloc(size_t size)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    size_t total_size = 0;
+    const size_t align = OE_EDGER8R_BUFFER_ALIGNMENT;
+
+    // Create the anera if it hasn't been created.
+    if (_arena.buffer == NULL)
+    {
+        void* buffer = oe_allocate_arena(_capacity);
+        if (buffer == NULL)
+            return NULL;
+        _arena.buffer = (uint8_t*)buffer;
+        _arena.capacity = _capacity;
+        _arena.used = 0;
+    }
+
+    // Round up to the nearest alignment size.
+    total_size = oe_round_up_to_multiple(size, align);
+
+    // check for overflow
+    if (total_size < size)
+        return NULL;
+
+    // check for capacity
+    size_t used_after;
+    OE_CHECK(oe_safe_add_sizet(_arena.used, total_size, &used_after));
+
+    // Ok if the incoming malloc puts us below the capacity.
+    if (used_after <= _arena.capacity)
+    {
+        uint8_t* addr = _arena.buffer + _arena.used;
+        _arena.used = used_after;
+        return addr;
+    }
+
+done:
+    return NULL;
+}
+
+void* oe_arena_calloc(size_t num, size_t size)
+{
+    size_t total = 0;
+    if (oe_safe_mul_sizet(num, size, &total) != OE_OK)
+        return NULL;
+
+    void* ptr = oe_arena_malloc(total);
+    if (ptr != NULL)
+    {
+        memset(ptr, 0, total);
+    }
+    return ptr;
+}
+
+void oe_arena_free_all()
+{
+    _arena.used = 0;
+}
+
+// Free the arena in the current thread.
+void oe_teardown_arena()
+{
+    if (_arena.buffer != NULL)
+        oe_deallocate_arena(_arena.buffer);
+    memset(&_arena, 0, sizeof(_arena));
+}
diff --git a/enclave/core/arena.h b/enclave/core/arena.h
new file mode 100644
index 0000000000..214bf525e7
--- /dev/null
+++ b/enclave/core/arena.h
@@ -0,0 +1,27 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#ifndef _OE_ARENA_H
+#define _OE_ARENA_H
+
+#include <openenclave/bits/types.h>
+
+typedef struct _shared_memory_arena_t
+{
+    /* Buffer holding the shared memory pool */
+    uint8_t* buffer;
+    size_t capacity;
+    size_t used;
+} shared_memory_arena_t;
+
+bool oe_configure_arena_capacity(size_t cap);
+
+void* oe_arena_malloc(size_t size);
+
+void* oe_arena_calloc(size_t num, size_t size);
+
+void oe_arena_free_all();
+
+void oe_teardown_arena();
+
+#endif /* _OE_ARENA_H */
diff --git a/enclave/core/hostcalls.c b/enclave/core/hostcalls.c
index 584ee5fc1c..531f0dfbe0 100644
--- a/enclave/core/hostcalls.c
+++ b/enclave/core/hostcalls.c
@@ -11,7 +11,7 @@
 #include <openenclave/internal/print.h>
 #include <openenclave/internal/stack_alloc.h>
 
-#include "shm.h"
+#include "arena.h"
 #include "tee_t.h"
 
 void* oe_host_malloc(size_t size)
@@ -160,14 +160,14 @@ int oe_host_fprintf(int device, const char* fmt, ...)
 // A stack-based allocation scheme is the most efficient in this case.
 void* oe_allocate_switchless_ocall_buffer(size_t size)
 {
-    return oe_shm_malloc(size);
+    return oe_arena_malloc(size);
 }
 
 // Function used by oeedger8r for freeing ocall buffers.
 void oe_free_switchless_ocall_buffer(void* buffer)
 {
     OE_UNUSED(buffer);
-    /* Do nothing. Buffer will be freed on ECALL RETURN */
+    oe_arena_free_all();
 }
 
 int oe_host_write(int device, const char* str, size_t len)
diff --git a/enclave/core/optee/gp.c b/enclave/core/optee/gp.c
index dbd6f41d6b..a786cc36b0 100644
--- a/enclave/core/optee/gp.c
+++ b/enclave/core/optee/gp.c
@@ -469,6 +469,12 @@ TEE_Result TA_InvokeCommandEntryPoint(
             result = TEE_ERROR_BAD_STATE;
             break;
         }
+        case OE_ECALL_INIT_CONTEXT_SWITCHLESS:
+        {
+            /* TODO: initialize switchless calls */
+            result = TEE_ERROR_NOT_IMPLEMENTED;
+            break;
+        }
         default:
         {
             /* No function found with the number */
diff --git a/enclave/core/optee/hostcalls.c b/enclave/core/optee/hostcalls.c
index 9ea093e243..fb29802efb 100644
--- a/enclave/core/optee/hostcalls.c
+++ b/enclave/core/optee/hostcalls.c
@@ -24,14 +24,14 @@ void oe_free_ocall_buffer(void* buffer)
 }
 
 // TODO
-void* oe_reserve_shm(size_t capacity)
+void* oe_allocate_arena(size_t capacity)
 {
     OE_UNUSED(capacity);
     return NULL;
 }
 
 // TODO
-void oe_unreserve_shm(void* buffer)
+void oe_deallocate_arena(void* buffer)
 {
     OE_UNUSED(buffer);
-}
\ No newline at end of file
+}
diff --git a/enclave/core/sgx/calls.c b/enclave/core/sgx/calls.c
index 08eb0e804e..533fe89fd4 100644
--- a/enclave/core/sgx/calls.c
+++ b/enclave/core/sgx/calls.c
@@ -8,6 +8,7 @@
 #include <openenclave/corelibc/string.h>
 #include <openenclave/edger8r/enclave.h>
 #include <openenclave/enclave.h>
+#include <openenclave/internal/atomic.h>
 #include <openenclave/internal/calls.h>
 #include <openenclave/internal/fault.h>
 #include <openenclave/internal/globals.h>
@@ -20,8 +21,9 @@
 #include <openenclave/internal/trace.h>
 #include <openenclave/internal/utils.h>
 #include "../../sgx/report.h"
+#include "../arena.h"
 #include "../atexit.h"
-#include "../shm.h"
+#include "../switchlesscalls.h"
 #include "asmdefs.h"
 #include "cpuid.h"
 #include "init.h"
@@ -386,8 +388,6 @@ static void _handle_ecall(
         case OE_ECALL_CALL_ENCLAVE_FUNCTION:
         {
             arg_out = _handle_call_enclave_function(arg_in);
-            /* clear up shared memory upon ERET */
-            oe_shm_clear();
             break;
         }
         case OE_ECALL_DESTRUCTOR:
@@ -398,9 +398,6 @@ static void _handle_ecall(
             /* Call all finalization functions */
             oe_call_fini_functions();
 
-            /* Free shared memory upon destroying enclave */
-            oe_shm_destroy();
-
 #if defined(OE_USE_DEBUG_MALLOC)
 
             /* If memory still allocated, print a trace and return an error */
@@ -421,6 +418,11 @@ static void _handle_ecall(
             arg_out = _handle_init_enclave(arg_in);
             break;
         }
+        case OE_ECALL_INIT_CONTEXT_SWITCHLESS:
+        {
+            arg_out = oe_handle_init_switchless(arg_in);
+            break;
+        }
         default:
         {
             /* No function found with the number */
@@ -431,6 +433,12 @@ static void _handle_ecall(
 
 done:
 
+    /* Free shared memory arena before we clear TLS */
+    if (td->depth == 1)
+    {
+        oe_teardown_arena();
+    }
+
     /* Remove ECALL context from front of td_t.ecalls list */
     td_pop_callsite(td);
 
@@ -566,7 +574,7 @@ oe_result_t oe_call_host_function_by_table_id(
         OE_RAISE(OE_INVALID_PARAMETER);
 
     /* Initialize the arguments */
-    args = switchless ? oe_shm_calloc(sizeof(*args))
+    args = switchless ? oe_arena_calloc(1, sizeof(*args))
                       : oe_host_calloc(1, sizeof(*args));
 
     if (args == NULL)
@@ -585,9 +593,31 @@ oe_result_t oe_call_host_function_by_table_id(
     args->result = OE_UNEXPECTED;
 
     /* Call the host function with this address */
-    // TODO: for switchessless calls, push the job (wrapped in args) to an
-    // available worker thread, and wait for result
-    // if (!switchless)
+    if (switchless && oe_is_switchless_initialized())
+    {
+        oe_result_t post_result = oe_post_switchless_ocall(args);
+
+        // Fall back to regular OCALL if host worker threads are unavailable
+        if (post_result == OE_CONTEXT_SWITCHLESS_OCALL_MISSED)
+            OE_CHECK(
+                oe_ocall(OE_OCALL_CALL_HOST_FUNCTION, (uint64_t)args, NULL));
+        else
+        {
+            OE_CHECK(post_result);
+            // Wait until args.result is set by the host worker.
+            while (true)
+            {
+                OE_ATOMIC_MEMORY_BARRIER_ACQUIRE();
+                if (__atomic_load_n(&args->result, __ATOMIC_SEQ_CST) !=
+                    __OE_RESULT_MAX)
+                    break;
+
+                /* Yield to CPU */
+                asm volatile("pause");
+            }
+        }
+    }
+    else
     {
         OE_CHECK(oe_ocall(OE_OCALL_CALL_HOST_FUNCTION, (uint64_t)args, NULL));
     }
@@ -635,34 +665,6 @@ oe_result_t oe_call_host_function(
         false /* non-switchless */);
 }
 
-/*
-**==============================================================================
-**
-** oe_switchless_call_host_function()
-** This is the preferred way to call host functions switchlessly.
-**
-**==============================================================================
-*/
-
-oe_result_t oe_switchless_call_host_function(
-    size_t function_id,
-    const void* input_buffer,
-    size_t input_buffer_size,
-    void* output_buffer,
-    size_t output_buffer_size,
-    size_t* output_bytes_written)
-{
-    return oe_call_host_function_by_table_id(
-        OE_UINT64_MAX,
-        function_id,
-        input_buffer,
-        input_buffer_size,
-        output_buffer,
-        output_buffer_size,
-        output_bytes_written,
-        true /* switchless */);
-}
-
 /*
 **==============================================================================
 **
@@ -900,7 +902,7 @@ void oe_abort(void)
     }
 
     // Free the shared memory pools
-    oe_shm_destroy();
+    oe_teardown_arena();
 
     // Return to the latest ECALL.
     _handle_exit(OE_CODE_ERET, 0, __oe_enclave_status);
diff --git a/enclave/core/sgx/hostcalls.c b/enclave/core/sgx/hostcalls.c
index 260fdfc2fc..8f2712ea52 100644
--- a/enclave/core/sgx/hostcalls.c
+++ b/enclave/core/sgx/hostcalls.c
@@ -18,12 +18,12 @@ void oe_free_ocall_buffer(void* buffer)
     oe_host_free(buffer);
 }
 
-void* oe_reserve_shm(size_t capacity)
+void* oe_allocate_arena(size_t capacity)
 {
     return oe_host_malloc(capacity);
 }
 
-void oe_unreserve_shm(void* buffer)
+void oe_deallocate_arena(void* buffer)
 {
     oe_host_free(buffer);
-}
\ No newline at end of file
+}
diff --git a/enclave/core/shm.c b/enclave/core/shm.c
deleted file mode 100644
index 024c76454e..0000000000
--- a/enclave/core/shm.c
+++ /dev/null
@@ -1,111 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-#include "shm.h"
-#include <openenclave/bits/safemath.h>
-#include <openenclave/internal/raise.h>
-#include <openenclave/internal/thread.h>
-#include <openenclave/internal/utils.h>
-#include <string.h>
-
-#define ALIGNMENT sizeof(uint64_t)
-
-// the per-thread shared memory pool
-__thread Shared_memory_pool shm = {0};
-
-// the global list of shared memory pools
-Shared_memory_pool* _shm_list = NULL;
-
-static oe_spinlock_t _shm_list_lock = OE_SPINLOCK_INITIALIZER;
-
-// default shared memory pool capacity is 1 mb
-size_t capacity = 1024 * 1024;
-
-size_t max_capacity = 1 << 30;
-
-void* oe_reserve_shm(size_t capacity);
-void oe_unreserve_shm(void* buffer);
-
-bool oe_configure_shm_capacity(size_t cap)
-{
-    if (cap > max_capacity)
-    {
-        return false;
-    }
-    capacity = cap;
-    return true;
-}
-
-void* oe_shm_malloc(size_t size)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    size_t total_size = 0;
-
-    if (shm.buffer == NULL)
-    {
-        void* buffer = oe_reserve_shm(capacity);
-        if (buffer == NULL)
-            OE_RAISE(OE_OUT_OF_MEMORY);
-        shm.buffer = (uint8_t*)buffer;
-        shm.capacity = capacity;
-        shm.used = 0;
-
-        // add the newly created pool to the global list
-        oe_spin_lock(&_shm_list_lock);
-        shm.next = _shm_list;
-        _shm_list = &shm;
-        oe_spin_unlock(&_shm_list_lock);
-    }
-
-    // Round up to the nearest alignment size.
-    total_size = oe_round_up_to_multiple(size, ALIGNMENT);
-
-    // check for overflow
-    OE_CHECK(total_size < size);
-
-    // check for capacity
-    size_t used_after;
-    OE_CHECK(oe_safe_add_sizet(shm.used, total_size, &used_after));
-
-    // Ok if the incoming malloc puts us below the capacity.
-    if (used_after <= shm.capacity)
-    {
-        uint8_t* addr = shm.buffer + shm.used;
-        shm.used = used_after;
-        return addr;
-    }
-    else
-        OE_RAISE(OE_OUT_OF_MEMORY);
-
-done:
-    return NULL;
-}
-
-void* oe_shm_calloc(size_t size)
-{
-    void* ptr = oe_shm_malloc(size);
-    if (ptr != NULL)
-    {
-        memset(ptr, 0, size);
-    }
-    return ptr;
-}
-
-void oe_shm_clear()
-{
-    shm.used = 0;
-}
-
-// Free all shared memory pools in the global list
-void oe_shm_destroy()
-{
-    Shared_memory_pool* next = _shm_list;
-    while (next != NULL)
-    {
-        oe_unreserve_shm(next->buffer);
-        Shared_memory_pool* current = next;
-        next = next->next;
-        memset(current, 0, sizeof(shm));
-    }
-    _shm_list = NULL;
-}
\ No newline at end of file
diff --git a/enclave/core/shm.h b/enclave/core/shm.h
deleted file mode 100644
index c873409dc8..0000000000
--- a/enclave/core/shm.h
+++ /dev/null
@@ -1,28 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-#ifndef _OE_SHM_H
-#define _OE_SHM_H
-
-#include <openenclave/bits/types.h>
-
-typedef struct _shared_memory_pool
-{
-    /* Buffer holding the shared memory pool */
-    uint8_t* buffer;
-    size_t capacity;
-    size_t used;
-    struct _shared_memory_pool* next;
-} Shared_memory_pool;
-
-bool oe_configure_shm_capacity(size_t cap);
-
-void* oe_shm_malloc(size_t size);
-
-void* oe_shm_calloc(size_t size);
-
-void oe_shm_clear();
-
-void oe_shm_destroy();
-
-#endif /* _OE_SHM_H */
\ No newline at end of file
diff --git a/enclave/core/switchlesscalls.c b/enclave/core/switchlesscalls.c
new file mode 100644
index 0000000000..40c5c38f0f
--- /dev/null
+++ b/enclave/core/switchlesscalls.c
@@ -0,0 +1,143 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include "switchlesscalls.h"
+#include <openenclave/edger8r/enclave.h>
+#include <openenclave/enclave.h>
+#include <openenclave/internal/atomic.h>
+#include <openenclave/internal/raise.h>
+#include <openenclave/internal/utils.h>
+
+// The number of host thread workers. Initialized by host through ECALL
+static size_t _host_worker_count = 0;
+
+// The array of host worker contexts. Initialized by host through ECALL
+static oe_host_worker_context_t* _host_worker_contexts = NULL;
+
+/*
+**==============================================================================
+**
+** oe_is_switchless_initialized
+**
+** Return whether oe_handle_init_switchless has been called or not.
+**
+**==============================================================================
+*/
+bool oe_is_switchless_initialized()
+{
+    return _host_worker_count != 0;
+}
+
+/*
+**==============================================================================
+**
+** oe_handle_init_switchless()
+**
+** Handle the OE_ECALL_INIT_CONTEXT_SWITCHLESS from host.
+**
+**==============================================================================
+*/
+oe_result_t oe_handle_init_switchless(uint64_t arg_in)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    oe_switchless_call_manager_t* manager = NULL;
+    oe_switchless_call_manager_t safe_manager;
+    size_t contexts_size, threads_size;
+
+    if (arg_in == 0)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    manager = (oe_switchless_call_manager_t*)arg_in;
+    safe_manager = *manager;
+
+    contexts_size =
+        sizeof(oe_host_worker_context_t) * safe_manager.num_host_workers;
+    threads_size = sizeof(oe_thread_t) * safe_manager.num_host_workers;
+
+    // Ensure the switchless manager and its arrays are outside of enclave
+    if (!oe_is_outside_enclave(manager, sizeof(oe_switchless_call_manager_t)) ||
+        !oe_is_outside_enclave(
+            safe_manager.host_worker_contexts, contexts_size) ||
+        !oe_is_outside_enclave(
+            safe_manager.host_worker_threads, threads_size) ||
+        safe_manager.num_host_workers == 0)
+    {
+        OE_RAISE(OE_INVALID_PARAMETER);
+    }
+
+    /* lfence after checks. */
+    oe_lfence();
+
+    // Copy the worker context array pointer and its size to avoid TOCTOU
+    _host_worker_count = safe_manager.num_host_workers;
+    _host_worker_contexts = safe_manager.host_worker_contexts;
+    result = OE_OK;
+
+done:
+    return result;
+}
+
+/*
+**==============================================================================
+**
+** oe_post_switchless_ocall()
+**
+**  Post the function call (wrapped in args) to a free host worker thread
+**  by writing to its context.
+**
+**==============================================================================
+*/
+oe_result_t oe_post_switchless_ocall(oe_call_host_function_args_t* args)
+{
+    oe_result_t result = OE_UNEXPECTED;
+
+    OE_ATOMIC_MEMORY_BARRIER_RELEASE();
+    args->result = __OE_RESULT_MAX; // Means the call hasn't been processed.
+
+    // Cycle through the worker contexts until we find a free worker.
+    size_t tries = _host_worker_count;
+    while (tries--)
+    {
+        if (_host_worker_contexts[tries].call_arg == NULL)
+        {
+            if (oe_atomic_compare_and_swap_ptr(
+                    (void* volatile*)&_host_worker_contexts[tries].call_arg,
+                    NULL,
+                    args))
+            {
+                return OE_OK;
+            }
+        }
+    }
+
+    result = OE_CONTEXT_SWITCHLESS_OCALL_MISSED;
+
+    return result;
+}
+
+/*
+**==============================================================================
+**
+** oe_switchless_call_host_function()
+**
+**==============================================================================
+*/
+
+oe_result_t oe_switchless_call_host_function(
+    size_t function_id,
+    const void* input_buffer,
+    size_t input_buffer_size,
+    void* output_buffer,
+    size_t output_buffer_size,
+    size_t* output_bytes_written)
+{
+    return oe_call_host_function_by_table_id(
+        OE_UINT64_MAX,
+        function_id,
+        input_buffer,
+        input_buffer_size,
+        output_buffer,
+        output_buffer_size,
+        output_bytes_written,
+        true /* switchless */);
+}
diff --git a/enclave/core/switchlesscalls.h b/enclave/core/switchlesscalls.h
new file mode 100644
index 0000000000..5893d54adf
--- /dev/null
+++ b/enclave/core/switchlesscalls.h
@@ -0,0 +1,15 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#ifndef _OE_SWITCHLESSCALLS_H
+#define _OE_SWITCHLESSCALLS_H
+
+#include <openenclave/internal/switchless.h>
+
+bool oe_is_switchless_initialized();
+
+oe_result_t oe_handle_init_switchless(uint64_t arg_in);
+
+oe_result_t oe_post_switchless_ocall(oe_call_host_function_args_t* args);
+
+#endif // _OE_SWITCHLESSCALLS_H
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index bd10b4e6d8..4a75a4e2c2 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -147,7 +147,8 @@ if (OE_SGX)
     sgx/sgxmeasure.c
     sgx/sgxquote.c
     sgx/sgxsign.c
-    sgx/sgxtypes.c)
+    sgx/sgxtypes.c
+    sgx/switchless.c)
 
   # OS specific as well.
   if (UNIX)
diff --git a/host/calls.h b/host/calls.h
index c152354ef8..38daa10d76 100644
--- a/host/calls.h
+++ b/host/calls.h
@@ -17,4 +17,6 @@ typedef struct _ocall_table
 
 extern ocall_table_t _ocall_tables[];
 
+oe_result_t oe_handle_call_host_function(uint64_t arg, oe_enclave_t* enclave);
+
 #endif /* OE_HOST_CALLS_H */
diff --git a/host/hostthread.h b/host/hostthread.h
index 65f206a5f2..5e23df5460 100644
--- a/host/hostthread.h
+++ b/host/hostthread.h
@@ -11,7 +11,9 @@
 #define _HOSTTHREAD_H
 
 #include <openenclave/bits/defs.h>
+#include <openenclave/bits/result.h>
 #include <openenclave/bits/types.h>
+#include <openenclave/internal/thread.h>
 
 #if __GNUC__
 #include <pthread.h>
@@ -28,8 +30,6 @@ OE_EXTERNC_BEGIN
 typedef pthread_once_t oe_once_type;
 #define OE_H_ONCE_INITIALIZER PTHREAD_ONCE_INIT
 
-typedef pthread_t oe_thread;
-
 typedef pthread_mutex_t oe_mutex;
 #define OE_H_MUTEX_INITIALIZER PTHREAD_RECURSIVE_MUTEX_INITIALIZER_NP
 
@@ -40,8 +40,6 @@ typedef pthread_key_t oe_thread_key;
 typedef INIT_ONCE oe_once_type;
 #define OE_H_ONCE_INITIALIZER INIT_ONCE_STATIC_INIT
 
-typedef DWORD oe_thread;
-
 typedef HANDLE oe_mutex;
 #define OE_H_MUTEX_INITIALIZER INVALID_HANDLE_VALUE
 
@@ -49,6 +47,25 @@ typedef DWORD oe_thread_key;
 
 #endif
 
+/**
+ * Create a platform-specific thread.
+ *
+ * @param func The pointer to the start routine.
+ * @param arg The argument to the start routine.
+ *
+ * @returns Returns zero on success.
+ */
+int oe_thread_create(oe_thread_t* thread, void* (*func)(void*), void* arg);
+
+/**
+ * Join a platform-specific thread.
+ *
+ * @param thread The thread to be joined.
+ *
+ * @returns Returns zero on success.
+ */
+int oe_thread_join(oe_thread_t thread);
+
 /**
  * Returns the identifier of the current thread.
  *
@@ -57,7 +74,7 @@ typedef DWORD oe_thread_key;
  *
  * @returns Returns the thread identifier of the calling thread.
  */
-oe_thread oe_thread_self(void);
+oe_thread_t oe_thread_self(void);
 
 /**
  * Checks two thread identifiers for equality.
@@ -70,7 +87,7 @@ oe_thread oe_thread_self(void);
  *
  * @returns Returns non-zero if the thread identifiers are equal.
  */
-int oe_thread_equal(oe_thread thread1, oe_thread thread2);
+int oe_thread_equal(oe_thread_t thread1, oe_thread_t thread2);
 
 /**
  * Calls the given function exactly once.
diff --git a/host/linux/hostthread.c b/host/linux/hostthread.c
index 644755768a..65a87251fb 100644
--- a/host/linux/hostthread.c
+++ b/host/linux/hostthread.c
@@ -13,13 +13,22 @@
 **
 **==============================================================================
 */
+int oe_thread_create(oe_thread_t* thread, void* (*func)(void*), void* arg)
+{
+    return pthread_create(thread, NULL, func, arg);
+}
+
+int oe_thread_join(oe_thread_t thread)
+{
+    return pthread_join(thread, NULL);
+}
 
-oe_thread oe_thread_self(void)
+oe_thread_t oe_thread_self(void)
 {
     return pthread_self();
 }
 
-int oe_thread_equal(oe_thread thread1, oe_thread thread2)
+int oe_thread_equal(oe_thread_t thread1, oe_thread_t thread2)
 {
     return pthread_equal(thread1, thread2);
 }
diff --git a/host/optee/linux/enclave.c b/host/optee/linux/enclave.c
index 06c8c80019..cda2e3bf3f 100644
--- a/host/optee/linux/enclave.c
+++ b/host/optee/linux/enclave.c
@@ -399,10 +399,15 @@ oe_result_t oe_create_enclave(
     const char* enclave_path,
     oe_enclave_type_t enclave_type,
     uint32_t flags,
+#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
+    const oe_enclave_config_t* configs,
+    uint32_t config_count,
+#else
     const void* config,
     uint32_t config_size,
+#endif
     const oe_ocall_func_t* ocall_table,
-    uint32_t ocall_table_size,
+    uint32_t ocall_count,
     oe_enclave_t** enclave_out)
 {
     oe_result_t result = OE_UNEXPECTED;
@@ -425,10 +430,15 @@ oe_result_t oe_create_enclave(
     if (!enclave_path || !enclave_out ||
         ((enclave_type != OE_ENCLAVE_TYPE_OPTEE) &&
          (enclave_type != OE_ENCLAVE_TYPE_AUTO)) ||
+#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
+        (config_count > 0 && configs == NULL) ||
+        (config_count == 0 && configs != NULL) ||
+#else
+        config || config_size > 0 ||
+#endif
         (flags & OE_ENCLAVE_FLAG_RESERVED) ||
         (!(flags & OE_ENCLAVE_FLAG_SIMULATE) &&
-         (flags & OE_ENCLAVE_FLAG_DEBUG)) ||
-        config || config_size > 0)
+         (flags & OE_ENCLAVE_FLAG_DEBUG)))
         OE_RAISE(OE_INVALID_PARAMETER);
 
     /* Convert the path into a TEE UUID. */
@@ -482,7 +492,7 @@ oe_result_t oe_create_enclave(
     enclave->path = strndup(
         enclave_path, 38); // 37 + 1 = length of a UUID + NULL terminator
     enclave->ocalls = (const oe_ocall_func_t*)ocall_table;
-    enclave->num_ocalls = ocall_table_size;
+    enclave->num_ocalls = ocall_count;
 
     *enclave_out = enclave;
     result = OE_OK;
diff --git a/host/sgx/calls.c b/host/sgx/calls.c
index 4c21d96ae3..a3fdb0f25f 100644
--- a/host/sgx/calls.c
+++ b/host/sgx/calls.c
@@ -26,6 +26,7 @@
 #include <openenclave/internal/raise.h>
 #include <openenclave/internal/registers.h>
 #include <openenclave/internal/sgxtypes.h>
+#include <openenclave/internal/switchless.h>
 #include <openenclave/internal/utils.h>
 #include "../calls.h"
 #include "../hostthread.h"
@@ -245,16 +246,14 @@ static oe_result_t _do_eenter(
 /*
 **==============================================================================
 **
-** _handle_call_host_function()
+** oe_handle_call_host_function()
 **
 ** Handle calls from the enclave.
 **
 **==============================================================================
 */
 
-static oe_result_t _handle_call_host_function(
-    uint64_t arg,
-    oe_enclave_t* enclave)
+oe_result_t oe_handle_call_host_function(uint64_t arg, oe_enclave_t* enclave)
 {
     oe_call_host_function_args_t* args_ptr = NULL;
     oe_result_t result = OE_OK;
@@ -320,6 +319,7 @@ static oe_result_t _handle_call_host_function(
         &args_ptr->output_bytes_written);
 
     // The ocall succeeded.
+    OE_ATOMIC_MEMORY_BARRIER_RELEASE();
     args_ptr->result = OE_OK;
     result = OE_OK;
 done:
@@ -359,7 +359,8 @@ static const char* oe_ecall_str(oe_func_t ecall)
         "DESTRUCTOR",
         "INIT_ENCLAVE",
         "CALL_ENCLAVE_FUNCTION",
-        "VIRTUAL_EXCEPTION_HANDLER"
+        "VIRTUAL_EXCEPTION_HANDLER",
+        "INIT_CONTEXT_SWITCHLESS",
     };
     // clang-format on
 
@@ -408,7 +409,7 @@ static oe_result_t _handle_ocall(
     switch ((oe_func_t)func)
     {
         case OE_OCALL_CALL_HOST_FUNCTION:
-            _handle_call_host_function(arg_in, enclave);
+            OE_CHECK(oe_handle_call_host_function(arg_in, enclave));
             break;
 
         case OE_OCALL_MALLOC:
@@ -567,7 +568,7 @@ static void* _assign_tcs(oe_enclave_t* enclave)
 {
     void* tcs = NULL;
     size_t i;
-    oe_thread thread = oe_thread_self();
+    oe_thread_t thread = oe_thread_self();
 
     oe_mutex_lock(&enclave->lock);
     {
diff --git a/host/sgx/create.c b/host/sgx/create.c
index 71d3977893..1a437abb12 100644
--- a/host/sgx/create.c
+++ b/host/sgx/create.c
@@ -45,6 +45,7 @@ static char* get_fullpath(const char* path)
 #include <openenclave/internal/result.h>
 #include <openenclave/internal/sgxcreate.h>
 #include <openenclave/internal/sgxtypes.h>
+#include <openenclave/internal/switchless.h>
 #include <openenclave/internal/trace.h>
 #include <openenclave/internal/utils.h>
 #include <string.h>
@@ -401,6 +402,52 @@ static oe_result_t _initialize_enclave(oe_enclave_t* enclave)
     return result;
 }
 
+/*
+** _config_enclave()
+**
+** Config the enclave with an array of configurations.
+*/
+#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
+
+static oe_result_t _configure_enclave(
+    oe_enclave_t* enclave,
+    const oe_enclave_config_t* configs,
+    uint32_t config_count)
+{
+    oe_result_t result = OE_UNEXPECTED;
+
+    for (uint32_t i = 0; i < config_count; i++)
+    {
+        switch (configs[i].config_type)
+        {
+            // Configure the switchless ocalls, such as the number of workers.
+            case OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS:
+            {
+                size_t max_host_workers =
+                    configs[i].u.context_switchless_config->max_host_workers;
+                size_t max_enclave_workers =
+                    configs[i].u.context_switchless_config->max_enclave_workers;
+
+                // Switchless ecalls are not enabled yet. Make sure the max
+                // number of enclave workers is always 0.
+                if (max_enclave_workers != 0)
+                    OE_RAISE(OE_INVALID_PARAMETER);
+
+                OE_CHECK(
+                    oe_start_switchless_manager(enclave, max_host_workers));
+                break;
+            }
+            default:
+                OE_RAISE(OE_INVALID_PARAMETER);
+        }
+    }
+    result = OE_OK;
+
+done:
+    return result;
+}
+#endif
+
 oe_result_t oe_sgx_validate_enclave_properties(
     const oe_sgx_enclave_properties_t* properties,
     const char** field_name)
@@ -644,10 +691,15 @@ oe_result_t oe_create_enclave(
     const char* enclave_path,
     oe_enclave_type_t enclave_type,
     uint32_t flags,
+#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
+    const oe_enclave_config_t* configs,
+    uint32_t config_count,
+#else
     const void* config,
     uint32_t config_size,
+#endif
     const oe_ocall_func_t* ocall_table,
-    uint32_t ocall_table_size,
+    uint32_t ocall_count,
     oe_enclave_t** enclave_out)
 {
     oe_result_t result = OE_UNEXPECTED;
@@ -663,7 +715,13 @@ oe_result_t oe_create_enclave(
     if (!enclave_path || !enclave_out ||
         ((enclave_type != OE_ENCLAVE_TYPE_SGX) &&
          (enclave_type != OE_ENCLAVE_TYPE_AUTO)) ||
-        (flags & OE_ENCLAVE_FLAG_RESERVED) || config || config_size > 0)
+#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
+        (config_count > 0 && configs == NULL) ||
+        (config_count == 0 && configs != NULL) ||
+#else
+        config || config_size > 0 ||
+#endif
+        (flags & OE_ENCLAVE_FLAG_RESERVED))
         OE_RAISE(OE_INVALID_PARAMETER);
 
     /* Allocate and zero-fill the enclave structure */
@@ -747,11 +805,16 @@ oe_result_t oe_create_enclave(
     /* Enclave initialization invokes global constructors which could make
      * ocalls. Therefore setup ocall table prior to initialization. */
     enclave->ocalls = (const oe_ocall_func_t*)ocall_table;
-    enclave->num_ocalls = ocall_table_size;
+    enclave->num_ocalls = ocall_count;
 
     /* Invoke enclave initialization. */
     OE_CHECK(_initialize_enclave(enclave));
 
+#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
+    /* Apply the list of configurations to the enclave */
+    OE_CHECK(_configure_enclave(enclave, configs, config_count));
+#endif
+
     /* Setup logging configuration */
     oe_log_enclave_init(enclave);
 
@@ -794,6 +857,9 @@ oe_result_t oe_terminate_enclave(oe_enclave_t* enclave)
     /* Remove this enclave from the global list. */
     oe_remove_enclave_instance(enclave);
 
+    /* Shut down the switchless manager */
+    OE_CHECK(oe_stop_switchless_manager(enclave));
+
     /* Clear the magic number */
     enclave->magic = 0;
 
diff --git a/host/sgx/enclave.h b/host/sgx/enclave.h
index e684a3d4a6..b914b488b4 100644
--- a/host/sgx/enclave.h
+++ b/host/sgx/enclave.h
@@ -10,6 +10,7 @@
 #include <openenclave/internal/debugrt/host.h>
 #include <openenclave/internal/load.h>
 #include <openenclave/internal/sgxcreate.h>
+#include <openenclave/internal/switchless.h>
 #include <stdbool.h>
 #include "../hostthread.h"
 #include "asmdefs.h"
@@ -56,7 +57,7 @@ typedef struct _thread_binding
     uint64_t tcs;
 
     /* The thread this slot is assigned to */
-    oe_thread thread;
+    oe_thread_t thread;
 
     /* Flags */
     uint64_t flags;
@@ -124,6 +125,9 @@ struct _oe_enclave
 
     /* Meta-data needed by debugrt  */
     oe_debug_enclave_t* debug_enclave;
+
+    /* Manager for switchless calls */
+    oe_switchless_call_manager_t* switchless_manager;
 };
 
 // Static asserts for consistency with
diff --git a/host/sgx/switchless.c b/host/sgx/switchless.c
new file mode 100644
index 0000000000..bd21754dd6
--- /dev/null
+++ b/host/sgx/switchless.c
@@ -0,0 +1,135 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <openenclave/host.h>
+#include <openenclave/internal/calls.h>
+#include <openenclave/internal/raise.h>
+#include <openenclave/internal/switchless.h>
+#include "../calls.h"
+#include "../hostthread.h"
+#include "../ocalls.h"
+#include "enclave.h"
+
+/*
+** The thread function that handles switchless ocalls
+**
+*/
+static void* _switchless_ocall_worker(void* arg)
+{
+    oe_host_worker_context_t* context = (oe_host_worker_context_t*)arg;
+
+    while (!context->is_stopping)
+    {
+        volatile oe_call_host_function_args_t* local_call_arg = NULL;
+        if ((local_call_arg = context->call_arg) != NULL)
+        {
+            context->call_arg = NULL;
+            oe_handle_call_host_function(
+                (uint64_t)local_call_arg, context->enclave);
+        }
+    }
+    return NULL;
+}
+
+static oe_result_t oe_stop_worker_threads(oe_switchless_call_manager_t* manager)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    for (size_t i = 0; i < manager->num_host_workers; i++)
+    {
+        manager->host_worker_contexts[i].is_stopping = true;
+    }
+
+    for (size_t i = 0; i < manager->num_host_workers; i++)
+    {
+        if (manager->host_worker_threads[i] != (oe_thread_t)NULL)
+            if (oe_thread_join(manager->host_worker_threads[i]))
+                OE_RAISE(OE_THREAD_JOIN_ERROR);
+    }
+
+    result = OE_OK;
+done:
+    return result;
+}
+
+oe_result_t oe_start_switchless_manager(
+    oe_enclave_t* enclave,
+    size_t num_host_workers)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    uint64_t result_out = 0;
+    oe_switchless_call_manager_t* manager = NULL;
+    oe_host_worker_context_t* contexts = NULL;
+    oe_thread_t* threads = NULL;
+
+    if (num_host_workers < 1 || enclave == NULL)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    if (enclave->switchless_manager != NULL)
+        OE_RAISE(OE_UNEXPECTED);
+
+    // Limit the number of host workers to the number of thread bindings
+    // because the maximum parallelism is dictated by the latter for
+    // synchronous ocalls. We may need to revisit this for asynchronous
+    // calls later.
+    if (num_host_workers > enclave->num_bindings)
+        num_host_workers = (uint32_t)enclave->num_bindings;
+
+    // Allocate memory for the manager and its arrays
+    manager = calloc(1, sizeof(oe_switchless_call_manager_t));
+    if (manager == NULL)
+        OE_RAISE(OE_OUT_OF_MEMORY);
+
+    contexts = calloc(num_host_workers, sizeof(oe_host_worker_context_t));
+    if (contexts == NULL)
+        OE_RAISE(OE_OUT_OF_MEMORY);
+
+    threads = calloc(num_host_workers, sizeof(oe_thread_t));
+    if (threads == NULL)
+        OE_RAISE(OE_OUT_OF_MEMORY);
+
+    manager->num_host_workers = num_host_workers;
+    manager->host_worker_contexts = contexts;
+    manager->host_worker_threads = threads;
+
+    // Start the worker threads, and assign each one a private context.
+    for (size_t i = 0; i < num_host_workers; i++)
+    {
+        manager->host_worker_contexts[i].enclave = enclave;
+        if (oe_thread_create(
+                &manager->host_worker_threads[i],
+                _switchless_ocall_worker,
+                &manager->host_worker_contexts[i]) != 0)
+        {
+            oe_stop_worker_threads(manager);
+            OE_RAISE(OE_THREAD_CREATE_ERROR);
+        }
+    }
+
+    // Each enclave has at most one switchless manager.
+    enclave->switchless_manager = manager;
+
+    // Inform the enclave about the switchless manager through an ECALL
+    OE_CHECK(oe_ecall(
+        enclave,
+        OE_ECALL_INIT_CONTEXT_SWITCHLESS,
+        (uint64_t)manager,
+        &result_out));
+    OE_CHECK((oe_result_t)result_out);
+
+    result = OE_OK;
+
+done:
+    return result;
+}
+
+oe_result_t oe_stop_switchless_manager(oe_enclave_t* enclave)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    if (enclave != NULL && enclave->switchless_manager != NULL)
+    {
+        OE_CHECK(oe_stop_worker_threads(enclave->switchless_manager));
+    }
+    result = OE_OK;
+done:
+    return result;
+}
diff --git a/host/traceh.c b/host/traceh.c
index e0114eb28d..1d5bc2f9ff 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -101,7 +101,7 @@ static void _write_message_to_stream(
     struct tm* t = localtime(&lt);
 #endif
 
-    oe_thread thread_id = oe_thread_self();
+    oe_thread_t thread_id = oe_thread_self();
 
     fprintf(
         stream,
diff --git a/host/windows/hostthread.c b/host/windows/hostthread.c
index a7aae96e36..2c42368385 100644
--- a/host/windows/hostthread.c
+++ b/host/windows/hostthread.c
@@ -3,8 +3,11 @@
 
 #include "../hostthread.h"
 #include <assert.h>
+#include <openenclave/corelibc/errno.h>
 #include <openenclave/host.h>
 
+typedef DWORD (*start_routine_t)(void*);
+
 /*
 **==============================================================================
 **
@@ -13,12 +16,30 @@
 **==============================================================================
 */
 
-oe_thread oe_thread_self(void)
+int oe_thread_create(oe_thread_t* thread, void* (*func)(void*), void* arg)
+{
+    start_routine_t start_routine = (start_routine_t)func;
+    *thread = (oe_thread_t)CreateThread(NULL, 0, start_routine, arg, 0, NULL);
+    return *thread == (oe_thread_t)NULL ? OE_EINVAL : 0;
+}
+
+int oe_thread_join(oe_thread_t thread)
+{
+    HANDLE handle = (HANDLE)thread;
+    if (WaitForSingleObject(handle, INFINITE) == WAIT_OBJECT_0)
+    {
+        CloseHandle(handle);
+        return 0;
+    }
+    return OE_EINVAL;
+}
+
+oe_thread_t oe_thread_self(void)
 {
-    return GetCurrentThreadId();
+    return (oe_thread_t)GetCurrentThreadId();
 }
 
-int oe_thread_equal(oe_thread thread1, oe_thread thread2)
+int oe_thread_equal(oe_thread_t thread1, oe_thread_t thread2)
 {
     return thread1 == thread2;
 }
diff --git a/include/openenclave/bits/result.h b/include/openenclave/bits/result.h
index 77aef25bde..9116b48714 100644
--- a/include/openenclave/bits/result.h
+++ b/include/openenclave/bits/result.h
@@ -314,6 +314,21 @@ typedef enum _oe_result
      */
     OE_VERIFY_FAILED_AES_CMAC_MISMATCH,
 
+    /**
+     * Failed to post a switchless call to host workers
+     */
+    OE_CONTEXT_SWITCHLESS_OCALL_MISSED,
+
+    /**
+     * Thread creation failed.
+     */
+    OE_THREAD_CREATE_ERROR,
+
+    /**
+     * Thread join failed.
+     */
+    OE_THREAD_JOIN_ERROR,
+
     __OE_RESULT_MAX = OE_ENUM_MAX,
 } oe_result_t;
 /**< typedef enum _oe_result oe_result_t*/
diff --git a/include/openenclave/host.h b/include/openenclave/host.h
index 45172e0c89..1f17488e7d 100644
--- a/include/openenclave/host.h
+++ b/include/openenclave/host.h
@@ -50,6 +50,7 @@ OE_EXTERNC_BEGIN
  */
 #define OE_ENCLAVE_FLAG_RESERVED \
     (~(OE_ENCLAVE_FLAG_DEBUG | OE_ENCLAVE_FLAG_SIMULATE))
+
 /**
  * @endcond
  */
@@ -64,6 +65,60 @@ typedef void (*oe_ocall_func_t)(
     size_t output_buffer_size,
     size_t* output_bytes_written);
 
+/**
+ * The following structures are used by context-switchless calls, which is
+ * experimental, and subject to changes.
+ */
+#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
+
+/**
+ * Types of configurations passed into **oe_create_enclave**
+ */
+typedef enum _oe_enclave_config_type
+{
+    OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS = 0xdc73a628,
+} oe_enclave_config_type_t;
+
+/**
+ * The configuration for context-switchless calls.
+ */
+typedef struct _oe_enclave_config_context_switchless
+{
+    /**
+     * The max number of worker threads for context-switchless ocalls.
+     * The actual number of threads launched could be capped for performance
+     * reasons.
+     */
+    size_t max_host_workers;
+    /**
+     * Context-switchless ecalls are not enabled yet. The max number of enclave
+     * workers should be 0.
+     */
+    size_t max_enclave_workers;
+} oe_enclave_config_context_switchless_t;
+
+/**
+ * The uniform structure type containing a specific type of enclave
+ * configuration.
+ */
+typedef struct _oe_enclave_config
+{
+    /**
+     * The type of the configuration in **u**
+     */
+    oe_enclave_config_type_t config_type;
+    /**
+     * The specific configuration for the enclave, such as configuring
+     * context-switchless calls.
+     */
+    union {
+        const oe_enclave_config_context_switchless_t* context_switchless_config;
+        /* Add new configuration types here. */
+    } u;
+} oe_enclave_config_t;
+
+#endif /* OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE */
+
 /**
  * Create an enclave from an enclave image file.
  *
@@ -83,15 +138,15 @@ typedef void (*oe_ocall_func_t)(
  *     - OE_ENCLAVE_FLAG_DEBUG - runs the enclave in debug mode.
  *                               DO NOT SHIP CODE with this flag
  *
- * @param config Additional enclave creation configuration data for the specific
- * enclave type. This parameter is reserved and must be NULL.
+ * @param configs Array of additional enclave creation configurations for
+ * the specific enclave type.
  *
- * @param config_size The size of the **config** data buffer in bytes.
+ * @param config_count The number of configurations in the **configs**.
  *
  * @param ocall_table Pointer to table of ocall functions generated by
  * oeedger8r.
  *
- * @param ocall_table_size The size of the **ocall_table**.
+ * @param ocall_count The number of functions in the **ocall_table**.
  *
  * @param enclave This points to the enclave instance upon success.
  *
@@ -102,10 +157,15 @@ oe_result_t oe_create_enclave(
     const char* path,
     oe_enclave_type_t type,
     uint32_t flags,
+#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
+    const oe_enclave_config_t* configs,
+    uint32_t config_count,
+#else
     const void* config,
     uint32_t config_size,
+#endif
     const oe_ocall_func_t* ocall_table,
-    uint32_t ocall_table_size,
+    uint32_t ocall_count,
     oe_enclave_t** enclave);
 
 /**
diff --git a/include/openenclave/internal/atomic.h b/include/openenclave/internal/atomic.h
index 754babeddf..5e177bc786 100644
--- a/include/openenclave/internal/atomic.h
+++ b/include/openenclave/internal/atomic.h
@@ -10,8 +10,12 @@
 #if defined(_MSC_VER)
 #pragma intrinsic(_InterlockedIncrement64)
 #pragma intrinsic(_InterlockedDecrement64)
+#pragma intrinsic(_InterlockedCompareExchange64)
+#pragma intrinsic(_InterlockedCompareExchangePointer)
 __int64 _InterlockedIncrement64(__int64* lpAddend);
 __int64 _InterlockedDecrement64(__int64* lpAddend);
+__int64 _InterlockedCompareExchange64(__int64* Dest, __int64 val, __int64 old);
+void* _InterlockedCompareExchangePointer(void** Dest, void* newptr, void* old);
 #endif
 
 /* Atomically increment **x** and return its new value */
@@ -38,4 +42,36 @@ OE_INLINE uint64_t oe_atomic_decrement(volatile uint64_t* x)
 #endif
 }
 
+OE_INLINE
+bool oe_atomic_compare_and_swap(
+    int64_t volatile* dest,
+    int64_t old,
+    int64_t newval)
+{
+#if defined(__GNUC__)
+    return __atomic_compare_exchange_n(
+        dest, &old, newval, 1, __ATOMIC_ACQ_REL, __ATOMIC_ACQUIRE);
+#elif defined(_MSC_VER)
+    return _InterlockedCompareExchange64(dest, newval, old) == old;
+#else
+#error "unsupported"
+#endif
+}
+
+OE_INLINE
+bool oe_atomic_compare_and_swap_ptr(
+    void* volatile* dest,
+    void* old,
+    void* newptr)
+{
+#if defined(__GNUC__)
+    return __atomic_compare_exchange_n(
+        dest, &old, newptr, 1, __ATOMIC_ACQ_REL, __ATOMIC_ACQUIRE);
+#elif defined(_MSC_VER)
+    return _InterlockedCompareExchangePointer(dest, newptr, old) == old;
+#else
+#error "unsupported"
+#endif
+}
+
 #endif /* _OE_ATOMIC_H */
diff --git a/include/openenclave/internal/calls.h b/include/openenclave/internal/calls.h
index fc9e97c70e..7cf7d91fce 100644
--- a/include/openenclave/internal/calls.h
+++ b/include/openenclave/internal/calls.h
@@ -75,6 +75,7 @@ typedef enum _oe_func
     OE_ECALL_INIT_ENCLAVE,
     OE_ECALL_CALL_ENCLAVE_FUNCTION,
     OE_ECALL_VIRTUAL_EXCEPTION_HANDLER,
+    OE_ECALL_INIT_CONTEXT_SWITCHLESS,
     /* Caution: always add new ECALL function numbers here */
     OE_ECALL_MAX,
 
diff --git a/include/openenclave/internal/switchless.h b/include/openenclave/internal/switchless.h
new file mode 100644
index 0000000000..7b8d214231
--- /dev/null
+++ b/include/openenclave/internal/switchless.h
@@ -0,0 +1,32 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#ifndef _OE_SWITCHLESS_H
+#define _OE_SWITCHLESS_H
+
+#include <openenclave/bits/defs.h>
+#include <openenclave/bits/types.h>
+#include <openenclave/internal/calls.h>
+#include <openenclave/internal/thread.h>
+
+typedef struct _host_worker_thread_context
+{
+    volatile oe_call_host_function_args_t* call_arg;
+    volatile bool is_stopping;
+    oe_enclave_t* enclave;
+} oe_host_worker_context_t;
+
+typedef struct _oe_switchless_call_manager
+{
+    oe_host_worker_context_t* host_worker_contexts;
+    oe_thread_t* host_worker_threads;
+    size_t num_host_workers;
+} oe_switchless_call_manager_t;
+
+oe_result_t oe_start_switchless_manager(
+    oe_enclave_t* enclave,
+    size_t num_host_workers);
+
+oe_result_t oe_stop_switchless_manager(oe_enclave_t* enclave);
+
+#endif /* _OE_SWITCHLESS_H */
diff --git a/include/openenclave/internal/thread.h b/include/openenclave/internal/thread.h
index bd848625cc..4371010dc7 100644
--- a/include/openenclave/internal/thread.h
+++ b/include/openenclave/internal/thread.h
@@ -8,11 +8,11 @@
 #include <openenclave/bits/result.h>
 #include <openenclave/bits/types.h>
 
+typedef uint64_t oe_thread_t;
+
 #ifdef OE_BUILD_ENCLAVE
 OE_EXTERNC_BEGIN
 
-typedef uint64_t oe_thread_t;
-
 /*
  * Note that all the __impl[] fields in the below implementations are
  * all larger than what is actually needed. This is to account for
diff --git a/include/openenclave/internal/utils.h b/include/openenclave/internal/utils.h
index 46d8c4ae1e..42c0379c4a 100644
--- a/include/openenclave/internal/utils.h
+++ b/include/openenclave/internal/utils.h
@@ -6,6 +6,9 @@
 
 #include <openenclave/bits/types.h>
 #include <openenclave/internal/defs.h>
+#if defined(_MSC_VER)
+#include <intrin.h>
+#endif
 
 OE_EXTERNC_BEGIN
 
@@ -126,10 +129,17 @@ OE_INLINE uint64_t StrCode(const char* s, uint64_t n)
  * understanding see "C++ and the Perils of Double-Checked Locking"
  * http://www.aristeia.com/Papers/DDJ_Jul_Aug_2004_revised.pdf.
  */
+#if defined(__linux__)
 #define OE_ATOMIC_MEMORY_BARRIER_ACQUIRE() \
     __atomic_thread_fence(__ATOMIC_ACQUIRE)
 #define OE_ATOMIC_MEMORY_BARRIER_RELEASE() \
     __atomic_thread_fence(__ATOMIC_RELEASE)
+#elif defined(_MSC_VER)
+#define OE_ATOMIC_MEMORY_BARRIER_ACQUIRE() _ReadBarrier()
+#define OE_ATOMIC_MEMORY_BARRIER_RELEASE() _WriteBarrier()
+#else
+#error "Unsupported platform"
+#endif
 
 #if __x86_64__ || _M_X64
 #define OE_CPU_RELAX() asm volatile("pause" ::: "memory")
diff --git a/tests/create-errors/host/host.c b/tests/create-errors/host/host.c
index 2867b4b9be..9222148155 100644
--- a/tests/create-errors/host/host.c
+++ b/tests/create-errors/host/host.c
@@ -13,6 +13,15 @@ static void _test_invalid_param(const char* path, uint32_t flags)
 {
     oe_enclave_t* enclave = NULL;
 
+#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
+    oe_enclave_config_t invalid_config = {0, {NULL}};
+    oe_enclave_config_context_switchless_t config = {2, 0};
+    oe_enclave_config_t configs[] = {{
+        .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
+        .u.context_switchless_config = &config,
+    }};
+#endif
+
     /* Null path. */
     oe_result_t result = oe_create_create_errors_enclave(
         NULL, OE_ENCLAVE_TYPE_AUTO, flags, NULL, 0, &enclave);
@@ -36,11 +45,25 @@ static void _test_invalid_param(const char* path, uint32_t flags)
 
     OE_TEST(result == OE_INVALID_PARAMETER);
 
-    /* Content field filled. */
+#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
+    /* Invalid configuration with incorrect **config_count** */
+    result = oe_create_create_errors_enclave(
+        path, OE_ENCLAVE_TYPE_SGX, flags, &invalid_config, 0, &enclave);
+
+    OE_TEST(result == OE_INVALID_PARAMETER);
+
+    /* Invalid configuration with correct **config_count** */
+    result = oe_create_create_errors_enclave(
+        path, OE_ENCLAVE_TYPE_SGX, flags, &invalid_config, 1, &enclave);
+
+    OE_TEST(result == OE_INVALID_PARAMETER);
+
+    /* Valid configuration with incorrect **config_count** */
     result = oe_create_create_errors_enclave(
-        path, OE_ENCLAVE_TYPE_AUTO, flags, &enclave, 0, &enclave);
+        path, OE_ENCLAVE_TYPE_SGX, flags, configs, 0, &enclave);
 
     OE_TEST(result == OE_INVALID_PARAMETER);
+#endif
 
     /* Content size non-zero. */
     result = oe_create_create_errors_enclave(
diff --git a/tests/switchless/enc/CMakeLists.txt b/tests/switchless/enc/CMakeLists.txt
index 0e4c7ec0f2..d60a56b861 100644
--- a/tests/switchless/enc/CMakeLists.txt
+++ b/tests/switchless/enc/CMakeLists.txt
@@ -3,7 +3,9 @@
 
 add_custom_command(
   OUTPUT switchless_t.h switchless_t.c switchless_args.h
-  DEPENDS ../switchless.edl
+  DEPENDS
+  edger8r
+  ../switchless.edl
   COMMAND edger8r --experimental --trusted --search-path ${CMAKE_CURRENT_SOURCE_DIR}/.. switchless.edl)
 
 # Dummy target used for generating from EDL on demand.
diff --git a/tests/switchless/enc/enc.c b/tests/switchless/enc/enc.c
index 1829f26c40..3c7041075e 100644
--- a/tests/switchless/enc/enc.c
+++ b/tests/switchless/enc/enc.c
@@ -6,56 +6,71 @@
 #include <openenclave/internal/print.h>
 #include "switchless_t.h"
 
-char* oe_host_strdup(const char* str)
-{
-    size_t n = oe_strlen(str);
-
-    char* dup = (char*)oe_host_calloc(1, n + 1);
-
-    if (dup)
-        memcpy(dup, str, n + 1);
+#define STRING_LEN 100
+#define STRING_HELLO "Hello World"
+#define HOST_PARAM_STRING "host string parameter"
+#define HOST_STACK_STRING "host string on stack"
 
-    return dup;
-}
-
-int enc_echo(char* in, char out[100])
+int enc_echo_switchless(char* in, char out[STRING_LEN], int repeats)
 {
     oe_result_t result;
 
-    if (oe_strcmp(in, "Hello World") != 0)
+    if (oe_strcmp(in, STRING_HELLO) != 0)
     {
         return -1;
     }
 
-    char* host_allocated_str = oe_host_strdup("oe_host_strdup2");
-    if (host_allocated_str == NULL)
+    char stack_allocated_str[STRING_LEN] = HOST_STACK_STRING;
+    int return_val;
+
+    for (int i = 0; i < repeats; i++)
     {
-        return -1;
+        result = host_echo_switchless(
+            &return_val, in, out, HOST_PARAM_STRING, stack_allocated_str);
+        if (result != OE_OK)
+        {
+            return -1;
+        }
+
+        if (return_val != 0)
+        {
+            return -1;
+        }
     }
 
-    char stack_allocated_str[100] = "oe_host_strdup3";
-    int return_val;
+    oe_host_printf("Hello from switchless Echo function!\n");
 
-    result = host_echo(
-        &return_val,
-        in,
-        out,
-        "oe_host_strdup1",
-        host_allocated_str,
-        stack_allocated_str);
-    if (result != OE_OK)
+    return 0;
+}
+
+int enc_echo_regular(char* in, char out[STRING_LEN], int repeats)
+{
+    oe_result_t result;
+
+    if (oe_strcmp(in, STRING_HELLO) != 0)
     {
         return -1;
     }
 
-    if (return_val != 0)
+    char stack_allocated_str[STRING_LEN] = HOST_STACK_STRING;
+    int return_val;
+
+    for (int i = 0; i < repeats; i++)
     {
-        return -1;
-    }
+        result = host_echo_regular(
+            &return_val, in, out, HOST_PARAM_STRING, stack_allocated_str);
+        if (result != OE_OK)
+        {
+            return -1;
+        }
 
-    oe_host_printf("Hello from Echo function!\n");
+        if (return_val != 0)
+        {
+            return -1;
+        }
+    }
 
-    oe_host_free(host_allocated_str);
+    oe_host_printf("Hello from regular Echo function!\n");
 
     return 0;
 }
@@ -66,4 +81,4 @@ OE_SET_ENCLAVE_SGX(
     true, /* AllowDebug */
     1024, /* HeapPageCount */
     1024, /* StackPageCount */
-    16);  /* TCSCount */
+    2);   /* TCSCount */
diff --git a/tests/switchless/host/CMakeLists.txt b/tests/switchless/host/CMakeLists.txt
index 3464b68275..bd9dcd8019 100644
--- a/tests/switchless/host/CMakeLists.txt
+++ b/tests/switchless/host/CMakeLists.txt
@@ -3,7 +3,9 @@
 
 add_custom_command(
   OUTPUT switchless_u.h switchless_u.c switchless_args.h
-  DEPENDS ../switchless.edl
+  DEPENDS
+  edger8r
+  ../switchless.edl
   COMMAND edger8r --experimental --untrusted --search-path ${CMAKE_CURRENT_SOURCE_DIR}/.. switchless.edl)
 
 # Dummy target used for generating from EDL on demand.
diff --git a/tests/switchless/host/host.c b/tests/switchless/host/host.c
index 907c245f1d..38706fa597 100644
--- a/tests/switchless/host/host.c
+++ b/tests/switchless/host/host.c
@@ -9,40 +9,31 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <time.h>
 #include "../../../host/strings.h"
 #include "switchless_u.h"
 
 #define NUM_HOST_THREADS 16
+#define STRING_LEN 100
 
-int host_echo(char* in, char* out, char* str1, char* str2, char str3[100])
+int host_echo_switchless(char* in, char* out, char* str1, char str2[STRING_LEN])
 {
-    OE_TEST(strcmp(str1, "oe_host_strdup1") == 0);
-    OE_TEST(strcmp(str2, "oe_host_strdup2") == 0);
-    OE_TEST(strcmp(str3, "oe_host_strdup3") == 0);
+    OE_TEST(strcmp(str1, "host string parameter") == 0);
+    OE_TEST(strcmp(str2, "host string on stack") == 0);
 
     strcpy(out, in);
 
     return 0;
 }
 
-void* host_thread(void* arg)
+int host_echo_regular(char* in, char* out, char* str1, char str2[STRING_LEN])
 {
-    char out[100];
-    int return_val;
-
-    oe_enclave_t* enclave = (oe_enclave_t*)arg;
-    oe_result_t result = enc_echo(enclave, &return_val, "Hello World", out);
-
-    if (result != OE_OK)
-        oe_put_err("oe_call_enclave() failed: result=%u", result);
-
-    if (return_val != 0)
-        oe_put_err("ECALL failed args.result=%d", return_val);
+    OE_TEST(strcmp(str1, "host string parameter") == 0);
+    OE_TEST(strcmp(str2, "host string on stack") == 0);
 
-    if (strcmp("Hello World", out) != 0)
-        oe_put_err("ecall failed: %s != %s\n", "Hello World", out);
+    strcpy(out, in);
 
-    return NULL;
+    return 0;
 }
 
 int main(int argc, const char* argv[])
@@ -58,30 +49,63 @@ int main(int argc, const char* argv[])
 
     const uint32_t flags = oe_get_create_flags();
 
+#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
+    // Enable switchless and configure host worker number
+    oe_enclave_config_context_switchless_t config = {2, 0};
+    oe_enclave_config_t configs[] = {{
+        .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
+        .u.context_switchless_config = &config,
+    }};
+
+    if ((result = oe_create_switchless_enclave(
+             argv[1],
+             OE_ENCLAVE_TYPE_SGX,
+             flags,
+             configs,
+             OE_COUNTOF(configs),
+             &enclave)) != OE_OK)
+#else
     if ((result = oe_create_switchless_enclave(
              argv[1], OE_ENCLAVE_TYPE_SGX, flags, NULL, 0, &enclave)) != OE_OK)
+#endif
         oe_put_err("oe_create_enclave(): result=%u", result);
 
-    pthread_t threads[NUM_HOST_THREADS];
-    for (int i = 0; i < NUM_HOST_THREADS; i++)
-    {
-        int ret = 0;
-        if ((ret = pthread_create(&threads[i], 0, host_thread, enclave)))
-        {
-            oe_put_err("pthread_create(host): ret=%u", ret);
-        }
-        else
-            printf("created thread %u\n", i);
-    }
+    char out[STRING_LEN];
+    int return_val;
 
-    for (int i = 0; i < NUM_HOST_THREADS; i++)
-    {
-        pthread_join(threads[i], NULL);
-    }
+    double switchless_microseconds = 0;
+    struct timespec start, end;
+
+    // Increase this number to have a meaningful performance measurement
+    int repeats = 10;
+
+    clock_gettime(CLOCK_REALTIME, &start);
+    OE_TEST(
+        enc_echo_switchless(
+            enclave, &return_val, "Hello World", out, repeats) == OE_OK);
+    clock_gettime(CLOCK_REALTIME, &end);
+    switchless_microseconds += (double)(end.tv_sec - start.tv_sec) * 1000000.0 +
+                               (double)(end.tv_nsec - start.tv_nsec) / 1000.0;
+
+    double regular_microseconds = 0;
+    clock_gettime(CLOCK_REALTIME, &start);
+    OE_TEST(
+        enc_echo_regular(enclave, &return_val, "Hello World", out, repeats) ==
+        OE_OK);
+    clock_gettime(CLOCK_REALTIME, &end);
+    regular_microseconds += (double)(end.tv_sec - start.tv_sec) * 1000000.0 +
+                            (double)(end.tv_nsec - start.tv_nsec) / 1000.0;
 
     result = oe_terminate_enclave(enclave);
     OE_TEST(result == OE_OK);
 
+    printf(
+        "Time spent in repeating OCALL %d times: switchless %d vs "
+        "regular %d ms, speed up: %.2f\n",
+        repeats,
+        (int)switchless_microseconds / 1000,
+        (int)regular_microseconds / 1000,
+        (double)regular_microseconds / switchless_microseconds);
     printf("=== passed all tests (switchless)\n");
 
     return 0;
diff --git a/tests/switchless/switchless.edl b/tests/switchless/switchless.edl
index 6cc0cf7dd9..eeb038ffbb 100644
--- a/tests/switchless/switchless.edl
+++ b/tests/switchless/switchless.edl
@@ -3,18 +3,28 @@
 
 enclave {
     trusted {
-        public int enc_echo(
+        public int enc_echo_switchless(
             [string, in] char* in,
-            [out] char out[100]);
+            [out] char out[100],
+            int repeats);
+        public int enc_echo_regular(
+            [string, in] char* in,
+            [out] char out[100],
+            int repeats);
     };
 
     untrusted {
-        int host_echo(
+        int host_echo_switchless(
             [string, in] char* in,
             [out] char out[100],
             [string, in] char* str1,
-            [user_check] char* str2,
-            [in] char str3[100])
+            [in] char str2[100])
             transition_using_threads;
+
+        int host_echo_regular(
+            [string, in] char* in,
+            [out] char out[100],
+            [string, in] char* str1,
+            [in] char str2[100]);
     };
 };
diff --git a/tools/oeedger8r/Emitter.ml b/tools/oeedger8r/Emitter.ml
index ec641db196..07bbb8de60 100644
--- a/tools/oeedger8r/Emitter.ml
+++ b/tools/oeedger8r/Emitter.ml
@@ -1368,8 +1368,13 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
     ; "    const char* path,"
     ; "    oe_enclave_type_t type,"
     ; "    uint32_t flags,"
+    ; "#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE"
+    ; "    const oe_enclave_config_t* configs,"
+    ; "    uint32_t config_count,"
+    ; "#else"
     ; "    const void* config,"
     ; "    uint32_t config_size,"
+    ; "#endif"
     ; "    oe_enclave_t** enclave);"
     ; ""
     ; "/**** ECALL prototypes. ****/"
@@ -1427,16 +1432,26 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
     ; "    const char* path,"
     ; "    oe_enclave_type_t type,"
     ; "    uint32_t flags,"
+    ; "#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE"
+    ; "    const oe_enclave_config_t* configs,"
+    ; "    uint32_t config_count,"
+    ; "#else"
     ; "    const void* config,"
     ; "    uint32_t config_size,"
+    ; "#endif"
     ; "    oe_enclave_t** enclave)"
     ; "{"
     ; "    return oe_create_enclave("
     ; "               path,"
     ; "               type,"
     ; "               flags,"
+    ; "#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE"
+    ; "               configs,"
+    ; "               config_count,"
+    ; "#else"
     ; "               config,"
     ; "               config_size,"
+    ; "#endif"
     ; sprintf "               __%s_ocall_function_table," ec.enclave_name
     ; sprintf "               %d," (List.length ufs)
     ; "               enclave);"

From 10ea77d9cf22b2690bb2109fb4dba6eef216563b Mon Sep 17 00:00:00 2001
From: Oprin <moprin@cloudbasesolutions.com>
Date: Wed, 18 Sep 2019 15:04:18 +0300
Subject: [PATCH 022/420] OpenSSL standalone install on Windows

---
 scripts/install-windows-prereqs.ps1 | 34 +++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index 0248eec0d3..a65318f790 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -5,6 +5,8 @@
 Param(
     [string]$GitURL = 'https://github.com/git-for-windows/git/releases/download/v2.19.1.windows.1/Git-2.19.1-64-bit.exe',
     [string]$GitHash = '5E11205840937DD4DFA4A2A7943D08DA7443FAA41D92CCC5DAFBB4F82E724793',
+    [string]$OpenSSLURL = 'https://slproweb.com/download/Win64OpenSSL-1_1_1d.exe',
+    [string]$OpenSSLHash = '6AFA17D0768CF91B6F69F31FBC67CAB1AC2E3F40CCAAADB7A9D6C7FC37B38492',
     [string]$SevenZipURL = 'https://www.7-zip.org/a/7z1806-x64.msi',
     [string]$SevenZipHash = 'F00E1588ED54DDF633D8652EB89D0A8F95BD80CCCFC3EED362D81927BEC05AA5',
     [string]$VSBuildToolsURL = 'https://aka.ms/vs/15/release/vs_buildtools.exe',
@@ -110,6 +112,10 @@ $PACKAGES = @{
         "hash" = $AzureDCAPNupkgHash
         "local_file" = Join-Path $PACKAGES_DIRECTORY "Azure.DCAP.Windows.nupkg"
     }
+    "openssl" = @{
+        "url" = $OpenSSLURL
+        "local_file" = Join-Path $PACKAGES_DIRECTORY "Win64OpenSSL-1_1_1d.exe"
+    }
 }
 
 filter Timestamp { "[$(Get-Date -Format o)] $_" }
@@ -318,6 +324,29 @@ function Install-Git {
                  -EnvironmentPath @("$installDir\cmd", "$installDir\bin", "$installDir\mingw64\bin")
 }
 
+function Install-OpenSSL {
+    $installDir = $installDir = Join-Path $env:ProgramFiles "OpenSSL-Win64"
+    Install-Tool -InstallerPath $PACKAGES["openssl"]["local_file"] `
+                 -InstallDirectory $installDir `
+                 -ArgumentList @("/silent", "/eula=accept") `
+                 -EnvironmentPath @($installDir)
+
+    $binDir = Join-Path $installDir "bin"
+    $systemPath = [System.Environment]::GetEnvironmentVariable('Path', 'Machine')
+    $currentPath = $env:PATH
+    if($binDir -notin $systemPath) {
+         $systemPath = "$binDir;$systemPath"
+    }
+    if($binDir -notin $currentPath) {
+         $currentPath = "$binDir;$currentPath"
+    }
+    $env:PATH = $currentPath
+    setx.exe /M PATH $systemPath
+    if($LASTEXITCODE) {
+        Throw "Failed to set the new system path"
+    }
+}
+
 function Install-7Zip {
     $installDir = Join-Path $env:ProgramFiles "7-Zip"
     Install-Tool -InstallerPath $PACKAGES["7z"]["local_file"] `
@@ -585,16 +614,17 @@ try {
     Install-7Zip
     Install-Nuget
     Install-VisualStudio
+    Install-OpenSSL
     Install-LLVM
     Install-Git
     Install-OCaml
     Install-Shellcheck
     Install-PSW
-    
+
     if ($DCAPClientType -eq "Azure")
     {
         Write-Host "*** Installing Azure.DCAP.Windows ***"
-        Install-AzureDCAPWindows 
+        Install-AzureDCAPWindows
     }
     else
     {

From 5d100018f576f49eea3320511092ac10d68748c5 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Wed, 18 Sep 2019 22:18:13 +0000
Subject: [PATCH 023/420] Fix some language in contributing and governance

---
 docs/Contributing.md | 23 +++++++++++++----------
 docs/Governance.md   |  2 +-
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/docs/Contributing.md b/docs/Contributing.md
index 8e52b43a8b..58e541511a 100644
--- a/docs/Contributing.md
+++ b/docs/Contributing.md
@@ -82,15 +82,17 @@ Please do:
 - **DO** submit all code changes via pull requests (PRs) rather than through a
   direct commit. PRs will be reviewed and potentially merged by the repo
   Committers after a peer review that includes at least one Committer.
-- **DO** give PRs short-but-descriptive names (e.g. "Improve code coverage for
-  System.Console by 10%", not "Fix #1234").
+- **DO** give PRs short but descriptive names (e.g. "Improve code coverage for
+  edger8r", not "Fix #1234").
 - **DO** add breaking changes, new features, deprecations, and bug
-  fixes to the [unreleased section of the
-  changelog](../CHANGELOG.md#unreleased).
+  fixes to the [unreleased section of the changelog](../CHANGELOG.md#unreleased).
 - **DO** refer to any relevant issues and include [keywords](
   https://help.github.com/articles/closing-issues-via-commit-messages/) that
   automatically close issues when the PR is merged.
-- **DO** tag any users that should know about and/or review the change.
+- **DO** tag any users that should know about and/or review the change. While
+   [CODEOWNERS](https://help.github.com/en/articles/about-code-owners) should
+   automatically tag reviewers, if you know of specific people that should look
+   at a PR, add them too.
 - **DO** ensure each commit successfully builds on all platforms and passes all
   unit tests.
 - **DO** rebase and squash unnecessary commits before opening the PR, so that
@@ -103,8 +105,8 @@ Please do:
 Please do not:
 
 - **DON'T** make PRs for style changes. For example, do not send PRs that are
-  focused on changing usage of ```Int32``` to ```int```. The team would prefer
-  to address these holistically with tooling.
+  focused on changing usage of `SomeVar` to `some_var`. The team would prefer
+  to address these with automated tooling.
 - **DON'T** surprise us with big pull requests. Instead, file an issue and start
   a discussion so we can agree on a direction before you invest a large amount
   of time.
@@ -120,11 +122,12 @@ Please do not:
   discuss it.
 - **DON'T** submit changes to the public API without filing an issue and
   discussing with us first.
-- **DON'T** submit "work in progress" PRs.  A PR should only be submitted when
-  it is considered ready for review and subsequent merging by the contributor.
+- **DON'T** use GitHub [_Draft_ pull
+  requests](https://help.github.com/en/articles/about-pull-requests#draft-pull-requests)
+  to share work-in-progress. This will suppress CODEOWNER notifications
 - **DON'T** fix merge conflicts using a merge commit. Prefer `git rebase`.
 - **DON'T** mix independent, unrelated changes in one PR. Separate real
-  product/test code changes from larger code formatting/dead code removal
+  project/test code changes from larger code formatting/dead code removal
   changes. Separate unrelated fixes into separate PRs, especially if they are
   in different libraries.
 
diff --git a/docs/Governance.md b/docs/Governance.md
index d4e4669d75..d909cb9212 100644
--- a/docs/Governance.md
+++ b/docs/Governance.md
@@ -58,7 +58,7 @@ areas of expertise for each of the committers.
 Accepting Contributions
 -----------------------
 
-Project committers will merge changes that improve the product significantly and
+Project committers will merge changes that improve the project significantly and
 broadly and that align with the
 [Open Enclave roadmap](https://github.com/openenclave/openenclave/projects).
 Contributions must also satisfy the other [published guidelines](Contributing.md).

From 3be0dff179b0ebcfca6124aaeac362a9f09d7577 Mon Sep 17 00:00:00 2001
From: Xuejun Yang <xuejya@microsoft.com>
Date: Sun, 22 Sep 2019 03:47:18 +0000
Subject: [PATCH 024/420] Add a sample and a multi-threaded test for switchless

* Add a sample to illustrade switchless calls
* Explain the concept of switchless calls in the sameple readme
* Remove the experimental feature guard for switchless
* Add a multi-threaded switchless test case
* Enable both single-threaded and multi-threaded switchless tests on Windows
---
 host/optee/linux/enclave.c                    |   9 -
 host/sgx/create.c                             |  13 --
 include/openenclave/host.h                    |  13 --
 samples/CMakeLists.txt                        |   2 +-
 samples/README.md                             |   7 +
 samples/switchless/CMakeLists.txt             |  35 ++++
 samples/switchless/Makefile                   |  20 +++
 samples/switchless/README.md                  | 133 +++++++++++++++
 samples/switchless/enclave/CMakeLists.txt     |  16 ++
 samples/switchless/enclave/Makefile           |  40 +++++
 samples/switchless/enclave/enc.c              |  31 ++++
 samples/switchless/enclave/switchless.conf    |  10 ++
 samples/switchless/host/CMakeLists.txt        |  14 ++
 samples/switchless/host/Makefile              |  28 ++++
 samples/switchless/host/host.c                |  77 +++++++++
 samples/switchless/switchless.edl             |  13 ++
 samples/test-samples.cmake                    |   2 +-
 tests/CMakeLists.txt                          |   3 +-
 tests/create-errors/host/host.c               |   4 -
 tests/switchless/host/host.c                  |  52 ++++--
 tests/switchless_threads/CMakeLists.txt       |  12 ++
 tests/switchless_threads/enc/CMakeLists.txt   |  17 ++
 tests/switchless_threads/enc/enc.c            |  75 +++++++++
 tests/switchless_threads/host/CMakeLists.txt  |  17 ++
 tests/switchless_threads/host/host.c          | 156 ++++++++++++++++++
 .../switchless_threads/switchless_threads.edl |  29 ++++
 tools/oeedger8r/Emitter.ml                    |  15 --
 27 files changed, 770 insertions(+), 73 deletions(-)
 create mode 100644 samples/switchless/CMakeLists.txt
 create mode 100644 samples/switchless/Makefile
 create mode 100644 samples/switchless/README.md
 create mode 100644 samples/switchless/enclave/CMakeLists.txt
 create mode 100644 samples/switchless/enclave/Makefile
 create mode 100644 samples/switchless/enclave/enc.c
 create mode 100644 samples/switchless/enclave/switchless.conf
 create mode 100644 samples/switchless/host/CMakeLists.txt
 create mode 100644 samples/switchless/host/Makefile
 create mode 100644 samples/switchless/host/host.c
 create mode 100644 samples/switchless/switchless.edl
 create mode 100644 tests/switchless_threads/CMakeLists.txt
 create mode 100644 tests/switchless_threads/enc/CMakeLists.txt
 create mode 100644 tests/switchless_threads/enc/enc.c
 create mode 100644 tests/switchless_threads/host/CMakeLists.txt
 create mode 100644 tests/switchless_threads/host/host.c
 create mode 100644 tests/switchless_threads/switchless_threads.edl

diff --git a/host/optee/linux/enclave.c b/host/optee/linux/enclave.c
index cda2e3bf3f..bba574714d 100644
--- a/host/optee/linux/enclave.c
+++ b/host/optee/linux/enclave.c
@@ -399,13 +399,8 @@ oe_result_t oe_create_enclave(
     const char* enclave_path,
     oe_enclave_type_t enclave_type,
     uint32_t flags,
-#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
     const oe_enclave_config_t* configs,
     uint32_t config_count,
-#else
-    const void* config,
-    uint32_t config_size,
-#endif
     const oe_ocall_func_t* ocall_table,
     uint32_t ocall_count,
     oe_enclave_t** enclave_out)
@@ -430,12 +425,8 @@ oe_result_t oe_create_enclave(
     if (!enclave_path || !enclave_out ||
         ((enclave_type != OE_ENCLAVE_TYPE_OPTEE) &&
          (enclave_type != OE_ENCLAVE_TYPE_AUTO)) ||
-#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
         (config_count > 0 && configs == NULL) ||
         (config_count == 0 && configs != NULL) ||
-#else
-        config || config_size > 0 ||
-#endif
         (flags & OE_ENCLAVE_FLAG_RESERVED) ||
         (!(flags & OE_ENCLAVE_FLAG_SIMULATE) &&
          (flags & OE_ENCLAVE_FLAG_DEBUG)))
diff --git a/host/sgx/create.c b/host/sgx/create.c
index 1a437abb12..42c15f5d1a 100644
--- a/host/sgx/create.c
+++ b/host/sgx/create.c
@@ -407,7 +407,6 @@ static oe_result_t _initialize_enclave(oe_enclave_t* enclave)
 **
 ** Config the enclave with an array of configurations.
 */
-#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
 
 static oe_result_t _configure_enclave(
     oe_enclave_t* enclave,
@@ -446,7 +445,6 @@ static oe_result_t _configure_enclave(
 done:
     return result;
 }
-#endif
 
 oe_result_t oe_sgx_validate_enclave_properties(
     const oe_sgx_enclave_properties_t* properties,
@@ -691,13 +689,8 @@ oe_result_t oe_create_enclave(
     const char* enclave_path,
     oe_enclave_type_t enclave_type,
     uint32_t flags,
-#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
     const oe_enclave_config_t* configs,
     uint32_t config_count,
-#else
-    const void* config,
-    uint32_t config_size,
-#endif
     const oe_ocall_func_t* ocall_table,
     uint32_t ocall_count,
     oe_enclave_t** enclave_out)
@@ -715,12 +708,8 @@ oe_result_t oe_create_enclave(
     if (!enclave_path || !enclave_out ||
         ((enclave_type != OE_ENCLAVE_TYPE_SGX) &&
          (enclave_type != OE_ENCLAVE_TYPE_AUTO)) ||
-#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
         (config_count > 0 && configs == NULL) ||
         (config_count == 0 && configs != NULL) ||
-#else
-        config || config_size > 0 ||
-#endif
         (flags & OE_ENCLAVE_FLAG_RESERVED))
         OE_RAISE(OE_INVALID_PARAMETER);
 
@@ -810,10 +799,8 @@ oe_result_t oe_create_enclave(
     /* Invoke enclave initialization. */
     OE_CHECK(_initialize_enclave(enclave));
 
-#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
     /* Apply the list of configurations to the enclave */
     OE_CHECK(_configure_enclave(enclave, configs, config_count));
-#endif
 
     /* Setup logging configuration */
     oe_log_enclave_init(enclave);
diff --git a/include/openenclave/host.h b/include/openenclave/host.h
index 1f17488e7d..c5bf4cc045 100644
--- a/include/openenclave/host.h
+++ b/include/openenclave/host.h
@@ -65,12 +65,6 @@ typedef void (*oe_ocall_func_t)(
     size_t output_buffer_size,
     size_t* output_bytes_written);
 
-/**
- * The following structures are used by context-switchless calls, which is
- * experimental, and subject to changes.
- */
-#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
-
 /**
  * Types of configurations passed into **oe_create_enclave**
  */
@@ -117,8 +111,6 @@ typedef struct _oe_enclave_config
     } u;
 } oe_enclave_config_t;
 
-#endif /* OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE */
-
 /**
  * Create an enclave from an enclave image file.
  *
@@ -157,13 +149,8 @@ oe_result_t oe_create_enclave(
     const char* path,
     oe_enclave_type_t type,
     uint32_t flags,
-#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
     const oe_enclave_config_t* configs,
     uint32_t config_count,
-#else
-    const void* config,
-    uint32_t config_size,
-#endif
     const oe_ocall_func_t* ocall_table,
     uint32_t ocall_count,
     oe_enclave_t** enclave);
diff --git a/samples/CMakeLists.txt b/samples/CMakeLists.txt
index fdd493a7ef..edb5621b1f 100644
--- a/samples/CMakeLists.txt
+++ b/samples/CMakeLists.txt
@@ -9,7 +9,7 @@ if (USE_LIBSGX)
         GROUP_EXECUTE GROUP_READ WORLD_EXECUTE WORLD_READ)
 endif ()
 
-install(DIRECTORY helloworld file-encryptor data-sealing
+install(DIRECTORY helloworld file-encryptor data-sealing switchless
   DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples)
 
 install(FILES README.md
diff --git a/samples/README.md b/samples/README.md
index c90c3e129d..fdcdd1c772 100644
--- a/samples/README.md
+++ b/samples/README.md
@@ -147,3 +147,10 @@ The following samples demonstrate how to develop enclave applications using OE A
   - between two enclaves
   - between one non-enclave client and an enclave
 
+#### [Switchless Calls](switchless/README.md)
+
+- Explain the concept of switchless calls
+- Demonstrate how to enable switchless calls in an enclave application in steps:
+  - Mark a function as `transition_using_threads`
+  - Enable and configure switchless for an enclave
+  - Making a switchless call
diff --git a/samples/switchless/CMakeLists.txt b/samples/switchless/CMakeLists.txt
new file mode 100644
index 0000000000..740d88835d
--- /dev/null
+++ b/samples/switchless/CMakeLists.txt
@@ -0,0 +1,35 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+cmake_minimum_required(VERSION 3.11)
+
+project("Switchless Call Sample" LANGUAGES C CXX)
+
+find_package(OpenEnclave CONFIG REQUIRED)
+
+set(CMAKE_CXX_STANDARD 11)
+
+add_subdirectory(enclave)
+add_subdirectory(host)
+
+# Generate key
+add_custom_command(OUTPUT private.pem public.pem
+  COMMAND openssl genrsa -out private.pem -3 3072
+  COMMAND openssl rsa -in private.pem -pubout -out public.pem)
+
+# Sign enclave
+add_custom_command(OUTPUT enclave/enclave.signed
+  DEPENDS enclave enclave/switchless.conf private.pem
+  COMMAND openenclave::oesign sign -e $<TARGET_FILE:enclave> -c ${CMAKE_SOURCE_DIR}/enclave/switchless.conf -k private.pem)
+
+add_custom_target(sign ALL DEPENDS enclave/enclave.signed)
+
+if ((NOT DEFINED ENV{OE_SIMULATION}) OR (NOT $ENV{OE_SIMULATION}))
+  add_custom_target(run
+    DEPENDS switchless_host sign
+    COMMAND switchless_host ${CMAKE_BINARY_DIR}/enclave/enclave.signed)
+endif ()
+
+add_custom_target(simulate
+  DEPENDS switchless_host sign
+  COMMAND switchless_host ${CMAKE_BINARY_DIR}/enclave/enclave.signed --simulate)
diff --git a/samples/switchless/Makefile b/samples/switchless/Makefile
new file mode 100644
index 0000000000..5ec9108611
--- /dev/null
+++ b/samples/switchless/Makefile
@@ -0,0 +1,20 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+.PHONY: all build clean run simulate
+
+all: build
+
+build:
+	$(MAKE) -C enclave
+	$(MAKE) -C host
+
+clean:
+	$(MAKE) -C enclave clean
+	$(MAKE) -C host clean
+
+run:
+	host/switchlesshost ./enclave/switchlessenc.signed
+
+simulate:
+	host/switchlesshost ./enclave/switchlessenc.signed --simulate
diff --git a/samples/switchless/README.md b/samples/switchless/README.md
new file mode 100644
index 0000000000..93af5368bd
--- /dev/null
+++ b/samples/switchless/README.md
@@ -0,0 +1,133 @@
+# Switchless Calls Sample
+
+This sample demonstrates how to make switchless calls to host from inside an enclave. It is built on top of the [`Hello World`](../helloworld/README.md) sample. The addition is a host function `host_helloworld_switchless` which is called from the enclave switchlessly.
+
+It has the following properties:
+
+- Explain the concept of switchless calls
+- Demonstrate how to mark a function as `transition_using_threads` in EDL, and use [`oeedger8r`](https://github.com/openenclave/openenclave/tree/master/docs/GettingStartedDocs/Edger8rGettingStarted.md) tool to compile it
+- Demonstrate how to configure an enclave to enable switchless calls within it
+
+Prerequisite: you may want to read [Common Sample Information](../README.md#common-sample-information) before going further.
+
+## Switchless Calls
+
+In an enclave application, the host makes **ECALL**s into functions exposed by the enclaves it created. Likewise, the enclaves make **OCALL**s into functions exposed by the host that created them. In either case, the execution has to be transitioned from an untrusted environment to a trusted environment, or vice versa. Since the transition is costly due to heavy security checks, it might be more performance advantageous to make the calls **context-switchless**: the caller delegates the function call to a worker thread in the other environment, which does the real job of calling the function and post the result to the caller. Both the calling thread and the worker thread never leave their respective execution contexts during the perceived function call.
+
+The calling thread and the worker thread need to exchange information twice during the call. When the switchless call is initiated, the caller needs to pass the `job` (representing the function call) to the worker thread. And when the call finishes, the worker thread needs to pass the result back to the caller. Both exchanges need to be synchronized.
+
+## How does OE support switchless OCALLs
+
+OE only supports synchronous switchless OCALLs currently. When the caller within an enclave makes a switchless OCALL, the trusted OE runtime creates a `job` out of the function call. The `job` object includes information such as the function ID, the parameters marshaled into a buffer, and a buffer for holding the return value(s). The job is posted to a shared memory region which both the enclave and the host can access.
+
+A host worker thread checks and retrieves `job` from the shared memory region. It uses the untrusted OE runtime to process the `job` by unmarshaling the parameters, then dispatching to the callee function, and finally relaying the result back to the trusted OE runtime, which is further forwarded back to the caller.
+
+To support simultaneous switchless OCALLs made from enclaves, the host workers are multi-threaded. OE allows users to configure how many host worker threads are to be created for servicing switchless OCALLs. The following example illustrates how to do that. A word of caution is that too many host worker threads might increase competition of cores between threads and degrade the performance. Therefore, if a enclave has switchless calls enabled, OE caps the number of host worker threads for it to the number of enclave threads specified.
+
+## About the EDL
+
+First we need to define the functions we want to call between the host and the enclave. To do this we create a `switchless.edl` file:
+
+```edl
+enclave {
+    trusted {
+        public void enclave_helloworld();
+
+    };
+
+    untrusted {
+        void host_helloworld();
+        void host_helloworld_switchless() transition_using_threads;
+    };
+};
+```
+
+Function `host_helloworld_switchless`'s declaration ends with keyword `transition_using_threads`, indicating it should be called switchlessly at run time. However, this a best-effort directive. OE runtime may still choose to fall back to a tradition OCALL if switchless call resources are unavailable, e.g., the enclave is not configured as switchless-capable, or the host worker threads are busy servicing other switchless OCALLs.
+
+To generate the functions with the marshaling code, the `oeedger8r` tool is called in both the host and enclave directories from their Makefiles. For example:
+
+```bash
+cd host
+oeedger8r ../switchless.edl --untrusted --experimental
+```
+
+`oeedger8r` needs the command line flag `--experimental` to be able to recognize the keyword `transition_using_threads`.
+
+## About the host
+
+The host first defines a structure specifically for configuring switchless calls. In this case, we specify the first field `2` as the number of host worker threads for switchless OCALLs. The 2nd field specifies the number of enclave threads for switchless ECALLs. Since switchless ECALL is not yet implementated, we require the 2nd field to be `0`.
+
+```c
+oe_enclave_config_context_switchless_t config = {2, 0};
+```
+
+The host then puts the structure address and the configuration type in an array of configurations for the enclave to be created. Even though we only have one configuration (for switchless) for the enclave, we'd like the flexibility of adding more than one configurations (with different types) for an enclave in the future.
+
+```c
+oe_enclave_config_t configs[] = {{
+        .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
+        .u.context_switchless_config = &config,
+    }};
+```
+
+To make the configurations created above effective, we need to pass the array `configs` into `oe_create_enclave` in the following way:
+
+```c
+oe_create_switchless_enclave(
+             argv[1],
+             OE_ENCLAVE_TYPE_SGX,
+             flags,
+             configs,
+             OE_COUNTOF(configs),
+             &enclave);
+```
+
+The host then makes an ECALL of `enclave_helloworld` to transition into the enclave. After the ECALL returns, the host terminates the enclave.
+
+As shown in the EDL file, the host exposes two host functions: `host_helloworld` and `host_helloworld_switchless`. The former prints "Hello world from regular OCALL", and the latter prints "Hello world from switchless OCALL".
+
+## About the enclave
+
+The enclave exposes only one function `enclave_helloworld`. The function prints "Hello world from the enclave" first, then call the host function `host_helloworld`, followed by calling host function `host_helloworld_switchless`. Internally, the last call is fulfilled switchlessly. If everything work as expected, the output of this enclave function would be:
+
+```
+Hello world from the enclave
+Hello world from regular OCALL
+Hello world from switchless OCALL
+```
+
+## Build and run
+
+Note that there are two different build systems supported, one using GNU Make and
+`pkg-config`, the other using CMake.
+
+### CMake
+
+This uses the CMake package provided by the Open Enclave SDK.
+
+```bash
+cd switchless
+mkdir build && cd build
+cmake ..
+make run
+```
+
+### GNU Make
+
+```bash
+cd helloworld
+make build
+make run
+```
+#### Note
+
+switchless sample can run under OE simulation mode.
+
+To run the switchless sample in simulation mode from the command like, use the following:
+
+```bash
+# if built with cmake
+./host/switchless_host ./enclave/switchless_enc.signed --simulate
+# or, if built with GNU Make and pkg-config
+make simulate
+```
diff --git a/samples/switchless/enclave/CMakeLists.txt b/samples/switchless/enclave/CMakeLists.txt
new file mode 100644
index 0000000000..51770083ef
--- /dev/null
+++ b/samples/switchless/enclave/CMakeLists.txt
@@ -0,0 +1,16 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+# Use the edger8r to generate C bindings from the EDL file.
+add_custom_command(OUTPUT switchless_t.h switchless_t.c switchless_args.h
+  DEPENDS ${CMAKE_SOURCE_DIR}/switchless.edl
+  COMMAND openenclave::oeedger8r --experimental --trusted ${CMAKE_SOURCE_DIR}/switchless.edl)
+
+add_executable(enclave enc.c ${CMAKE_CURRENT_BINARY_DIR}/switchless_t.c)
+
+target_compile_definitions(enclave PUBLIC OE_API_VERSION=2)
+
+# Need for the generated file switchless_t.h
+target_include_directories(enclave PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+
+target_link_libraries(enclave openenclave::oeenclave openenclave::oelibc)
diff --git a/samples/switchless/enclave/Makefile b/samples/switchless/enclave/Makefile
new file mode 100644
index 0000000000..2fb5e4121f
--- /dev/null
+++ b/samples/switchless/enclave/Makefile
@@ -0,0 +1,40 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+# Detect C and C++ compiler options
+# if not gcc, default to clang-7
+
+COMPILER=$(notdir $(CC))
+ifeq ($(COMPILER), gcc)
+        USE_GCC = true
+endif
+
+ifeq ($(USE_GCC),)
+        CC = clang-7
+        COMPILER=clang
+endif
+
+CFLAGS=$(shell pkg-config oeenclave-$(COMPILER) --cflags)
+LDFLAGS=$(shell pkg-config oeenclave-$(COMPILER) --libs)
+
+all:
+	$(MAKE) build
+	$(MAKE) keys
+	$(MAKE) sign
+
+build:
+	@ echo "Compilers used: $(CC), $(CXX)"
+	oeedger8r ../switchless.edl --trusted --experimental
+	$(CC) -g -c $(CFLAGS) -DOE_API_VERSION=2 enc.c -o enc.o
+	$(CC) -g -c $(CFLAGS) -DOE_API_VERSION=2 switchless_t.c -o switchless_t.o
+	$(CC) -o switchlessenc switchless_t.o enc.o $(LDFLAGS)
+
+sign:
+	oesign sign -e switchlessenc -c switchless.conf -k private.pem
+
+clean:
+	rm -f enc.o switchlessenc switchlessenc.signed private.pem public.pem switchless_t.o switchless_t.h switchless_t.c switchless_args.h
+
+keys:
+	openssl genrsa -out private.pem -3 3072
+	openssl rsa -in private.pem -pubout -out public.pem
diff --git a/samples/switchless/enclave/enc.c b/samples/switchless/enclave/enc.c
new file mode 100644
index 0000000000..483562c7a9
--- /dev/null
+++ b/samples/switchless/enclave/enc.c
@@ -0,0 +1,31 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <stdio.h>
+#include "switchless_t.h"
+
+void enclave_helloworld()
+{
+    fprintf(stdout, "Hello world from the enclave\n");
+
+    // Call back into the host
+    oe_result_t result = host_helloworld();
+    if (result != OE_OK)
+    {
+        fprintf(stderr, "host_helloworld(): result=%u", result);
+    }
+
+    result = host_helloworld_switchless();
+    if (result != OE_OK)
+    {
+        fprintf(stderr, "host_helloworld_switchless(): result=%u", result);
+    }
+}
+
+OE_SET_ENCLAVE_SGX(
+    1,    /* ProductID */
+    1,    /* SecurityVersion */
+    true, /* AllowDebug */
+    1024, /* HeapPageCount */
+    1024, /* StackPageCount */
+    2);   /* TCSCount */
diff --git a/samples/switchless/enclave/switchless.conf b/samples/switchless/enclave/switchless.conf
new file mode 100644
index 0000000000..5d4ce9ef95
--- /dev/null
+++ b/samples/switchless/enclave/switchless.conf
@@ -0,0 +1,10 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+# Enclave settings:
+Debug=1
+NumHeapPages=1024
+NumStackPages=1024
+NumTCS=1
+ProductID=1
+SecurityVersion=1
diff --git a/samples/switchless/host/CMakeLists.txt b/samples/switchless/host/CMakeLists.txt
new file mode 100644
index 0000000000..79ba9764e2
--- /dev/null
+++ b/samples/switchless/host/CMakeLists.txt
@@ -0,0 +1,14 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+add_custom_command(OUTPUT switchless_u.h switchless_u.c switchless_args.h
+  DEPENDS ${CMAKE_SOURCE_DIR}/switchless.edl
+  COMMAND openenclave::oeedger8r --experimental --untrusted ${CMAKE_SOURCE_DIR}/switchless.edl)
+
+add_executable(switchless_host host.c ${CMAKE_CURRENT_BINARY_DIR}/switchless_u.c)
+
+target_include_directories(switchless_host PRIVATE
+  # Needed for the generated file switchless_u.h
+  ${CMAKE_CURRENT_BINARY_DIR})
+
+target_link_libraries(switchless_host openenclave::oehostapp)
diff --git a/samples/switchless/host/Makefile b/samples/switchless/host/Makefile
new file mode 100644
index 0000000000..cceb1a40e5
--- /dev/null
+++ b/samples/switchless/host/Makefile
@@ -0,0 +1,28 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+# Detect C and C++ compiler options
+# if not gcc, default to clang-7
+
+COMPILER=$(notdir $(CC))
+ifeq ($(COMPILER), gcc)
+        USE_GCC = true
+endif
+
+ifeq ($(USE_GCC),)
+        CC = clang-7
+        COMPILER=clang
+endif
+
+CFLAGS=$(shell pkg-config oehost-$(COMPILER) --cflags)
+LDFLAGS=$(shell pkg-config oehost-$(COMPILER) --libs)
+
+build:
+	@ echo "Compilers used: $(CC), $(CXX)"
+	oeedger8r ../switchless.edl --untrusted --experimental
+	$(CC) -g -c $(CFLAGS) host.c
+	$(CC) -g -c $(CFLAGS) switchless_u.c
+	$(CC) -o switchlesshost switchless_u.o host.o $(LDFLAGS)
+
+clean:
+	rm -f switchlesshost host.o switchless_u.o switchless_u.c switchless_u.h switchless_args.h
diff --git a/samples/switchless/host/host.c b/samples/switchless/host/host.c
new file mode 100644
index 0000000000..9b39ab2af1
--- /dev/null
+++ b/samples/switchless/host/host.c
@@ -0,0 +1,77 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <openenclave/host.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "switchless_u.h"
+
+void host_helloworld()
+{
+    fprintf(stdout, "Hello world from regular OCALL\n");
+}
+
+void host_helloworld_switchless()
+{
+    fprintf(stdout, "Hello world from switchless OCALL\n");
+}
+
+static bool check_simulate_opt(int* argc, const char* argv[])
+{
+    for (int i = 0; i < *argc; i++)
+    {
+        if (strcmp(argv[i], "--simulate") == 0)
+        {
+            fprintf(stderr, "Running in simulation mode\n");
+            memmove(&argv[i], &argv[i + 1], (*argc - i) * sizeof(char*));
+            (*argc)--;
+            return true;
+        }
+    }
+    return false;
+}
+
+int main(int argc, const char* argv[])
+{
+    oe_enclave_t* enclave = NULL;
+    oe_result_t result;
+    int ret = 1;
+
+    if (argc != 2 && argc != 3)
+    {
+        fprintf(stderr, "Usage: %s ENCLAVE_PATH [--simulate]\n", argv[0]);
+        return 1;
+    }
+
+    uint32_t flags = OE_ENCLAVE_FLAG_DEBUG;
+    if (check_simulate_opt(&argc, argv))
+    {
+        flags |= OE_ENCLAVE_FLAG_SIMULATE;
+    }
+
+    // Enable switchless and configure host worker number
+    oe_enclave_config_context_switchless_t config = {2, 0};
+    oe_enclave_config_t configs[] = {{
+        .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
+        .u.context_switchless_config = &config,
+    }};
+
+    if ((result = oe_create_switchless_enclave(
+             argv[1],
+             OE_ENCLAVE_TYPE_SGX,
+             flags,
+             configs,
+             OE_COUNTOF(configs),
+             &enclave)) != OE_OK)
+        fprintf(stderr, "oe_create_enclave(): result=%u", result);
+
+    // Call into the enclave
+    result = enclave_helloworld(enclave);
+    if (result != OE_OK)
+        fprintf(stderr, "enclave_helloworld(): result=%u", result);
+
+    ret = result != OE_OK ? 1 : 0;
+    oe_terminate_enclave(enclave);
+
+    return ret;
+}
diff --git a/samples/switchless/switchless.edl b/samples/switchless/switchless.edl
new file mode 100644
index 0000000000..b8df7cebd8
--- /dev/null
+++ b/samples/switchless/switchless.edl
@@ -0,0 +1,13 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+enclave {
+    trusted {
+        public void enclave_helloworld();
+    };
+
+    untrusted {
+        void host_helloworld();
+        void host_helloworld_switchless() transition_using_threads;
+    };
+};
diff --git a/samples/test-samples.cmake b/samples/test-samples.cmake
index 5338bc4e7b..d814ed795d 100644
--- a/samples/test-samples.cmake
+++ b/samples/test-samples.cmake
@@ -7,7 +7,7 @@
 #     cmake -DUSE_LIBSGX=ON -DSOURCE_DIR=~/openenclave -DBUILD_DIR=~/openenclave/build -DPREFIX_DIR=/opt/openenclave -P ~/openenclave/samples/test-samples.cmake
 
 # These two samples can run in simulation, and therefore run in every configuration.
-set(SAMPLES_LIST helloworld file-encryptor)
+set(SAMPLES_LIST helloworld file-encryptor switchless)
 
 if ($ENV{OE_SIMULATION})
   message(WARNING "Running only sample simulation tests due to OE_SIMULATION=$ENV{OE_SIMULATION}!")
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 04f5d7fbba..cb4d4af8aa 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -27,6 +27,8 @@ if (OE_SGX)
     add_subdirectory(aesm)
     add_subdirectory(debugger)
     add_subdirectory(host_verify)
+    add_subdirectory(switchless)
+    add_subdirectory(switchless_threads)
 endif()
 
 if (UNIX OR ADD_WINDOWS_ENCLAVE_TESTS OR USE_CLANGW)
@@ -96,5 +98,4 @@ if (OE_SGX AND UNIX)
 
    # Attestation supported only on Linux
    add_subdirectory(tls_e2e)
-   add_subdirectory(switchless)
 endif()
diff --git a/tests/create-errors/host/host.c b/tests/create-errors/host/host.c
index 9222148155..7b0dc3af69 100644
--- a/tests/create-errors/host/host.c
+++ b/tests/create-errors/host/host.c
@@ -13,14 +13,12 @@ static void _test_invalid_param(const char* path, uint32_t flags)
 {
     oe_enclave_t* enclave = NULL;
 
-#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
     oe_enclave_config_t invalid_config = {0, {NULL}};
     oe_enclave_config_context_switchless_t config = {2, 0};
     oe_enclave_config_t configs[] = {{
         .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
         .u.context_switchless_config = &config,
     }};
-#endif
 
     /* Null path. */
     oe_result_t result = oe_create_create_errors_enclave(
@@ -45,7 +43,6 @@ static void _test_invalid_param(const char* path, uint32_t flags)
 
     OE_TEST(result == OE_INVALID_PARAMETER);
 
-#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
     /* Invalid configuration with incorrect **config_count** */
     result = oe_create_create_errors_enclave(
         path, OE_ENCLAVE_TYPE_SGX, flags, &invalid_config, 0, &enclave);
@@ -63,7 +60,6 @@ static void _test_invalid_param(const char* path, uint32_t flags)
         path, OE_ENCLAVE_TYPE_SGX, flags, configs, 0, &enclave);
 
     OE_TEST(result == OE_INVALID_PARAMETER);
-#endif
 
     /* Content size non-zero. */
     result = oe_create_create_errors_enclave(
diff --git a/tests/switchless/host/host.c b/tests/switchless/host/host.c
index 38706fa597..d6ff0290f9 100644
--- a/tests/switchless/host/host.c
+++ b/tests/switchless/host/host.c
@@ -5,17 +5,35 @@
 #include <openenclave/host.h>
 #include <openenclave/internal/error.h>
 #include <openenclave/internal/tests.h>
-#include <pthread.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <time.h>
+#if _MSC_VER
+#include <Windows.h>
+#endif
 #include "../../../host/strings.h"
 #include "switchless_u.h"
 
-#define NUM_HOST_THREADS 16
 #define STRING_LEN 100
 
+#if _MSC_VER
+static double frequency;
+#endif
+
+double get_relative_time_in_microseconds()
+{
+#if __GNUC__
+    struct timespec current_time;
+    clock_gettime(CLOCK_REALTIME, &current_time);
+    return current_time.tv_sec * 1000000 + current_time.tv_nsec / 1000.0;
+#elif _MSC_VER
+    double current_time;
+    QueryPerformanceCounter(&current_time);
+    return current_time / frequency;
+#endif
+}
+
 int host_echo_switchless(char* in, char* out, char* str1, char str2[STRING_LEN])
 {
     OE_TEST(strcmp(str1, "host string parameter") == 0);
@@ -47,9 +65,13 @@ int main(int argc, const char* argv[])
         return 1;
     }
 
+#if _MSC_VER
+    QueryPerformanceFrequency(&frequency);
+    frequency /= 1000000; // convert to microseconds
+#endif
+
     const uint32_t flags = oe_get_create_flags();
 
-#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
     // Enable switchless and configure host worker number
     oe_enclave_config_context_switchless_t config = {2, 0};
     oe_enclave_config_t configs[] = {{
@@ -64,37 +86,35 @@ int main(int argc, const char* argv[])
              configs,
              OE_COUNTOF(configs),
              &enclave)) != OE_OK)
-#else
-    if ((result = oe_create_switchless_enclave(
-             argv[1], OE_ENCLAVE_TYPE_SGX, flags, NULL, 0, &enclave)) != OE_OK)
-#endif
         oe_put_err("oe_create_enclave(): result=%u", result);
 
     char out[STRING_LEN];
     int return_val;
 
     double switchless_microseconds = 0;
-    struct timespec start, end;
+    double start, end;
 
     // Increase this number to have a meaningful performance measurement
     int repeats = 10;
 
-    clock_gettime(CLOCK_REALTIME, &start);
+    start = get_relative_time_in_microseconds();
+
     OE_TEST(
         enc_echo_switchless(
             enclave, &return_val, "Hello World", out, repeats) == OE_OK);
-    clock_gettime(CLOCK_REALTIME, &end);
-    switchless_microseconds += (double)(end.tv_sec - start.tv_sec) * 1000000.0 +
-                               (double)(end.tv_nsec - start.tv_nsec) / 1000.0;
+
+    end = get_relative_time_in_microseconds();
+    switchless_microseconds = end - start;
 
     double regular_microseconds = 0;
-    clock_gettime(CLOCK_REALTIME, &start);
+    start = get_relative_time_in_microseconds();
+
     OE_TEST(
         enc_echo_regular(enclave, &return_val, "Hello World", out, repeats) ==
         OE_OK);
-    clock_gettime(CLOCK_REALTIME, &end);
-    regular_microseconds += (double)(end.tv_sec - start.tv_sec) * 1000000.0 +
-                            (double)(end.tv_nsec - start.tv_nsec) / 1000.0;
+
+    end = get_relative_time_in_microseconds();
+    regular_microseconds = end - start;
 
     result = oe_terminate_enclave(enclave);
     OE_TEST(result == OE_OK);
diff --git a/tests/switchless_threads/CMakeLists.txt b/tests/switchless_threads/CMakeLists.txt
new file mode 100644
index 0000000000..3627f2c6ce
--- /dev/null
+++ b/tests/switchless_threads/CMakeLists.txt
@@ -0,0 +1,12 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+add_custom_target(switchless_threads_gen DEPENDS switchless_threads_enc_gen switchless_threads_host_gen)
+
+add_subdirectory(host)
+
+if (BUILD_ENCLAVES)
+	add_subdirectory(enc)
+endif()
+
+add_enclave_test(tests/switchless_threads switchless_threads_host switchless_threads_enc)
\ No newline at end of file
diff --git a/tests/switchless_threads/enc/CMakeLists.txt b/tests/switchless_threads/enc/CMakeLists.txt
new file mode 100644
index 0000000000..b6f6895238
--- /dev/null
+++ b/tests/switchless_threads/enc/CMakeLists.txt
@@ -0,0 +1,17 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+add_custom_command(
+  OUTPUT switchless_threads_t.h switchless_threads_t.c switchless_threads_args.h
+  DEPENDS
+  edger8r
+  ../switchless_threads.edl
+  COMMAND edger8r --experimental --trusted --search-path ${CMAKE_CURRENT_SOURCE_DIR}/.. switchless_threads.edl)
+
+# Dummy target used for generating from EDL on demand.
+add_custom_target(switchless_threads_enc_gen DEPENDS switchless_threads_t.h switchless_threads_t.c switchless_threads_args.h)
+
+add_enclave(TARGET switchless_threads_enc UUID 6e818629-0ce7-46cd-822a-6c7e081fc68b SOURCES enc.c switchless_threads_t.c)
+
+target_include_directories(switchless_threads_enc PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+target_link_libraries(switchless_threads_enc oelibc)
diff --git a/tests/switchless_threads/enc/enc.c b/tests/switchless_threads/enc/enc.c
new file mode 100644
index 0000000000..bd582a528e
--- /dev/null
+++ b/tests/switchless_threads/enc/enc.c
@@ -0,0 +1,75 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <openenclave/corelibc/string.h>
+#include <openenclave/enclave.h>
+#include <openenclave/internal/print.h>
+#include "switchless_threads_t.h"
+
+#define STRING_LEN 100
+#define STRING_HELLO "Hello World"
+#define HOST_PARAM_STRING "host string parameter"
+#define HOST_STACK_STRING "host string on stack"
+
+int enc_echo_single(char* in, char out[100])
+{
+    oe_result_t result;
+
+    if (oe_strcmp(in, STRING_HELLO) != 0)
+    {
+        return -1;
+    }
+
+    char stack_allocated_str[STRING_LEN] = HOST_STACK_STRING;
+    int return_val;
+
+    result = host_echo_regular(
+        &return_val, in, out, HOST_PARAM_STRING, stack_allocated_str);
+
+    if (result != OE_OK || return_val != 0)
+        return -1;
+
+    result = host_echo_switchless(
+        &return_val, in, out, HOST_PARAM_STRING, stack_allocated_str);
+
+    if (result != OE_OK || return_val != 0)
+        return -1;
+
+    return 0;
+}
+
+int enc_echo_multiple(char* in, char out[STRING_LEN], int repeats)
+{
+    oe_result_t result;
+
+    if (oe_strcmp(in, STRING_HELLO) != 0)
+    {
+        return -1;
+    }
+
+    char stack_allocated_str[STRING_LEN] = HOST_STACK_STRING;
+    int return_val;
+
+    for (int i = 0; i < repeats; i++)
+    {
+        result = host_echo_regular(
+            &return_val, in, out, HOST_PARAM_STRING, stack_allocated_str);
+        if (result != OE_OK || return_val != 0)
+            return -1;
+
+        result = host_echo_switchless(
+            &return_val, in, out, HOST_PARAM_STRING, stack_allocated_str);
+        if (result != OE_OK || return_val != 0)
+            return -1;
+    }
+
+    return 0;
+}
+
+OE_SET_ENCLAVE_SGX(
+    1,    /* ProductID */
+    1,    /* SecurityVersion */
+    true, /* AllowDebug */
+    1024, /* HeapPageCount */
+    1024, /* StackPageCount */
+    8);   /* TCSCount */
diff --git a/tests/switchless_threads/host/CMakeLists.txt b/tests/switchless_threads/host/CMakeLists.txt
new file mode 100644
index 0000000000..99f3d8b81e
--- /dev/null
+++ b/tests/switchless_threads/host/CMakeLists.txt
@@ -0,0 +1,17 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+add_custom_command(
+  OUTPUT switchless_threads_u.h switchless_threads_u.c switchless_threads_args.h
+  DEPENDS
+  edger8r
+  ../switchless_threads.edl
+  COMMAND edger8r --experimental --untrusted --search-path ${CMAKE_CURRENT_SOURCE_DIR}/.. switchless_threads.edl)
+
+# Dummy target used for generating from EDL on demand.
+add_custom_target(switchless_threads_host_gen DEPENDS switchless_threads_u.h switchless_threads_u.c switchless_threads_args.h)
+
+add_executable(switchless_threads_host host.c switchless_threads_u.c)
+
+target_include_directories(switchless_threads_host PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+target_link_libraries(switchless_threads_host oehostapp)
diff --git a/tests/switchless_threads/host/host.c b/tests/switchless_threads/host/host.c
new file mode 100644
index 0000000000..0651601862
--- /dev/null
+++ b/tests/switchless_threads/host/host.c
@@ -0,0 +1,156 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <openenclave/host.h>
+#include <openenclave/internal/error.h>
+#include <openenclave/internal/tests.h>
+#include <openenclave/internal/thread.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#if __GNUC__
+#include <pthread.h>
+#elif _MSC_VER
+#include <windows.h>
+#endif
+#include "switchless_threads_u.h"
+
+#define NUM_HOST_THREADS 7
+#define STRING_LEN 100
+#define STRING_HELLO "Hello World"
+#define HOST_PARAM_STRING "host string parameter"
+#define HOST_STACK_STRING "host string on stack"
+
+static int thread_create(oe_thread_t* thread, void* (*func)(void*), void* arg)
+{
+#if __GNUC__
+    return pthread_create(thread, NULL, func, arg);
+#elif _MSC_VER
+    typedef DWORD (*start_routine_t)(void*);
+    start_routine_t start_routine = (start_routine_t)func;
+    *thread = (oe_thread_t)CreateThread(NULL, 0, start_routine, arg, 0, NULL);
+    return *thread == (oe_thread_t)NULL ? 1 : 0;
+#endif
+}
+
+static int thread_join(oe_thread_t thread)
+{
+#if __GNUC__
+    return pthread_join(thread, NULL);
+#elif _MSC_VER
+    HANDLE handle = (HANDLE)thread;
+    if (WaitForSingleObject(handle, INFINITE) == WAIT_OBJECT_0)
+    {
+        CloseHandle(handle);
+        return 0;
+    }
+    return 1;
+#endif
+}
+
+int host_echo_switchless(char* in, char* out, char* str1, char str2[STRING_LEN])
+{
+    OE_TEST(strcmp(str1, HOST_PARAM_STRING) == 0);
+    OE_TEST(strcmp(str2, HOST_STACK_STRING) == 0);
+
+    strcpy(out, in);
+
+    return 0;
+}
+
+int host_echo_regular(char* in, char* out, char* str1, char str2[STRING_LEN])
+{
+    OE_TEST(strcmp(str1, HOST_PARAM_STRING) == 0);
+    OE_TEST(strcmp(str2, HOST_STACK_STRING) == 0);
+
+    strcpy(out, in);
+
+    return 0;
+}
+
+void* thread_func(void* arg)
+{
+    char out[100];
+    int return_val;
+
+    oe_enclave_t* enclave = (oe_enclave_t*)arg;
+    oe_result_t result =
+        enc_echo_single(enclave, &return_val, "Hello World", out);
+
+    if (result != OE_OK)
+        oe_put_err("oe_call_enclave() failed: result=%u", result);
+
+    if (return_val != 0)
+        oe_put_err("ECALL failed args.result=%d", return_val);
+
+    if (strcmp("Hello World", out) != 0)
+        oe_put_err("ecall failed: %s != %s\n", "Hello World", out);
+
+    return NULL;
+}
+
+int main(int argc, const char* argv[])
+{
+    oe_enclave_t* enclave = NULL;
+    oe_result_t result;
+
+    if (argc != 2)
+    {
+        fprintf(stderr, "Usage: %s ENCLAVE_PATH\n", argv[0]);
+        return 1;
+    }
+
+    const uint32_t flags = oe_get_create_flags();
+
+    // Enable switchless and configure host worker number
+    oe_enclave_config_context_switchless_t config = {2, 0};
+    oe_enclave_config_t configs[] = {{
+        .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
+        .u.context_switchless_config = &config,
+    }};
+
+    if ((result = oe_create_switchless_threads_enclave(
+             argv[1],
+             OE_ENCLAVE_TYPE_SGX,
+             flags,
+             configs,
+             OE_COUNTOF(configs),
+             &enclave)) != OE_OK)
+        oe_put_err("oe_create_enclave(): result=%u", result);
+
+    oe_thread_t threads[NUM_HOST_THREADS];
+
+    // Start threads that each invokes 'enc_echo_single', an ECALL that makes
+    // only one regular OCALL and one switchless OCALL.
+    for (int i = 0; i < NUM_HOST_THREADS; i++)
+    {
+        int ret = 0;
+        if ((ret = thread_create(&threads[i], thread_func, enclave)))
+        {
+            oe_put_err("thread_create(host): ret=%u", ret);
+        }
+    }
+
+    // Invoke 'enc_echo_multiple` which makes multiple regular OCALLs and
+    // multiple switchless OCALLs.
+    char out[STRING_LEN];
+    int return_val;
+    int repeats = 10;
+    OE_TEST(
+        enc_echo_multiple(enclave, &return_val, "Hello World", out, repeats) ==
+        OE_OK);
+
+    // Wait for the threads to complete.
+    for (int i = 0; i < NUM_HOST_THREADS; i++)
+    {
+        thread_join(threads[i]);
+    }
+
+    result = oe_terminate_enclave(enclave);
+    OE_TEST(result == OE_OK);
+
+    printf("=== passed all tests (switchless_threads)\n");
+
+    return 0;
+}
diff --git a/tests/switchless_threads/switchless_threads.edl b/tests/switchless_threads/switchless_threads.edl
new file mode 100644
index 0000000000..b5921c9a0f
--- /dev/null
+++ b/tests/switchless_threads/switchless_threads.edl
@@ -0,0 +1,29 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+enclave {
+    trusted {
+        public int enc_echo_single(
+            [string, in] char* in,
+            [out] char out[100]);
+        public int enc_echo_multiple(
+            [string, in] char* in,
+            [out] char out[100],
+            int repeats);
+    };
+
+    untrusted {
+        int host_echo_switchless(
+            [string, in] char* in,
+            [out] char out[100],
+            [string, in] char* str1,
+            [in] char str2[100])
+            transition_using_threads;
+
+        int host_echo_regular(
+            [string, in] char* in,
+            [out] char out[100],
+            [string, in] char* str1,
+            [in] char str2[100]);
+    };
+};
diff --git a/tools/oeedger8r/Emitter.ml b/tools/oeedger8r/Emitter.ml
index 07bbb8de60..76e0d71e1c 100644
--- a/tools/oeedger8r/Emitter.ml
+++ b/tools/oeedger8r/Emitter.ml
@@ -1368,13 +1368,8 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
     ; "    const char* path,"
     ; "    oe_enclave_type_t type,"
     ; "    uint32_t flags,"
-    ; "#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE"
     ; "    const oe_enclave_config_t* configs,"
     ; "    uint32_t config_count,"
-    ; "#else"
-    ; "    const void* config,"
-    ; "    uint32_t config_size,"
-    ; "#endif"
     ; "    oe_enclave_t** enclave);"
     ; ""
     ; "/**** ECALL prototypes. ****/"
@@ -1432,26 +1427,16 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
     ; "    const char* path,"
     ; "    oe_enclave_type_t type,"
     ; "    uint32_t flags,"
-    ; "#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE"
     ; "    const oe_enclave_config_t* configs,"
     ; "    uint32_t config_count,"
-    ; "#else"
-    ; "    const void* config,"
-    ; "    uint32_t config_size,"
-    ; "#endif"
     ; "    oe_enclave_t** enclave)"
     ; "{"
     ; "    return oe_create_enclave("
     ; "               path,"
     ; "               type,"
     ; "               flags,"
-    ; "#ifdef OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE"
     ; "               configs,"
     ; "               config_count,"
-    ; "#else"
-    ; "               config,"
-    ; "               config_size,"
-    ; "#endif"
     ; sprintf "               __%s_ocall_function_table," ec.enclave_name
     ; sprintf "               %d," (List.length ufs)
     ; "               enclave);"

From ef6cd1f0bb925e1f9e550e6ea5d4f0a0cef3acfe Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Mon, 16 Sep 2019 20:55:19 +0000
Subject: [PATCH 025/420] Update mbedtls_hardware_poll to use RDSEED

According to the [Intel DRNG implementation guide](
https://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide),
Open Enclave can provide stronger prediction resistance by seeding the mbedTLS
random number generator with RDSEED, or by condensing the entropy provided by
RDRAND through several rounds of reseeding of its internal DRNG. This changeset
applies this guidance:

- Update rand.asm/rand.S files to support RDSEED via `oe_rdseed`.
    - Also update the `oe_rdrand` instruction to PAUSE prior to each retry as
      suggested by the DRNG implementation guide.

- Change `oe_get_entropy` API to return the source of entropy provided.
    - This allows the entropy intialization function in the crypto library to
      compensate for the lower quality of RDRAND by condensing it.
    - This responsibility is delegated to the crypto library as condensing the
      entropy requires a cryptographic hashing function (e.g. AES-CBC-CMAC,
      SHA2) which is not available in `oecore` for `oe_get_entropy`.

- Update `mbedtls_hardware_poll` implementation to condense entropy from
  RDRAND as suggested by the Intel DRNG implementation guide when RDSEED is not
  available.
    - While most SGX-capable systems will have RDSEED available, this is not
      guaranteed for all Intel SKUs, or in simulation mode.

- Update tests/crypto to also test `oe_rdseed` implementation.
    - Also rename `TestRdrand` to `TestCpuEntropy` to reflect this.
    - Reduced the number of iterations for oe_rdrand as it does not manage to
      saturate the RDRAND interface single-threaded anyway. See #2188.

Fixes #242.
---
 3rdparty/mbedtls/mbedtls_hardware_poll.c | 118 ++++++++++++++++++++++-
 common/sgx/rand.S                        |  25 +++--
 common/sgx/rand.asm                      |  32 +++---
 enclave/core/optee/entropy.c             |   4 +-
 enclave/core/sgx/entropy.c               |  94 ++++++++++++------
 include/openenclave/internal/cpuid.h     |   4 +-
 include/openenclave/internal/entropy.h   |  21 +++-
 include/openenclave/internal/rdrand.h    |   2 +-
 include/openenclave/internal/rdseed.h    |  24 +++++
 tests/crypto/cpu_entropy_test.c          |  57 +++++++++++
 tests/crypto/enclave/enc/CMakeLists.txt  |   2 +-
 tests/crypto/host/CMakeLists.txt         |   2 +-
 tests/crypto/rdrand_test.c               |  28 ------
 tests/crypto/tests.c                     |   4 +-
 tests/crypto/tests.h                     |   2 +-
 15 files changed, 332 insertions(+), 87 deletions(-)
 create mode 100644 include/openenclave/internal/rdseed.h
 create mode 100644 tests/crypto/cpu_entropy_test.c
 delete mode 100644 tests/crypto/rdrand_test.c

diff --git a/3rdparty/mbedtls/mbedtls_hardware_poll.c b/3rdparty/mbedtls/mbedtls_hardware_poll.c
index d8dcb18c6b..06a2e8b48a 100644
--- a/3rdparty/mbedtls/mbedtls_hardware_poll.c
+++ b/3rdparty/mbedtls/mbedtls_hardware_poll.c
@@ -3,9 +3,90 @@
 
 #include <openenclave/enclave.h>
 #include <openenclave/internal/entropy.h>
+#include <string.h>
+#include "mbedtls/include/mbedtls/platform.h"
+#include "mbedtls/include/mbedtls/sha512.h"
+
+/* Per https://software.intel.com/en-us/articles/intel-digital-random-number
+ * -generator-drng-software-implementation-guide, reading 512 x 128-bit values
+ * causes RDRAND to reseed */
+#define RDRAND_RESEED_SIZE_BYTES 8192
+
+#define SHA512_HASH_LENGTH_BYTES 64
 
 int mbedtls_hardware_poll(void*, unsigned char*, size_t, size_t*);
 
+static void _fill_buffer(
+    uint8_t* source,
+    size_t source_size,
+    uint8_t** target,
+    size_t* target_size)
+{
+    size_t copy_size =
+        (*target_size > source_size) ? source_size : *target_size;
+    memcpy(*target, source, copy_size);
+    *target += copy_size;
+    *target_size -= copy_size;
+}
+
+static int _get_seed_from_rdrand(uint8_t** seed, size_t* seed_size)
+{
+    int ret = -1;
+    uint8_t* rdrand_seed = NULL;
+    uint8_t* rdrand_bytes = NULL;
+    oe_entropy_kind_t kind = OE_ENTROPY_KIND_NONE;
+
+    /* Per Intel's DRNG software implementation guide we try to obtain an
+     * equivalent amount of entropy by condensing several reseed windows of
+     * RDRAND into a single value.
+     *
+     * The DRBG that underlies RDRAND is limited to 128-bit security, so the
+     * seed for each consecutive RDRAND_RESEED_SIZE_BYTES of data can be
+     * recovered with 2^128 rounds of work. In general, to achieve N*128 bits
+     * of security, we need a buffer of (N+1)*RDRAND_RESEED_SIZE_BYTES bytes.
+     * To get to 256-bit security, similar to RDSEED for 32-bytes, we use N=3.
+     *
+     * Note that we hash this down to a 512-bit (64-byte) value via SHA-512 to
+     * avoid loss of entropy that would otherwise occur in hash collisions when
+     * mapping 256-bits of unique values into a 256-bit hash space.
+     */
+    size_t rdrand_bytes_size = RDRAND_RESEED_SIZE_BYTES * 3;
+    rdrand_bytes = (uint8_t*)mbedtls_calloc(1, rdrand_bytes_size);
+    if (!rdrand_bytes)
+        goto done;
+
+    if (oe_get_entropy(rdrand_bytes, rdrand_bytes_size, &kind) != OE_OK ||
+        kind != OE_ENTROPY_KIND_RDRAND)
+        goto done;
+
+    /* Hash the bytes down to a single 64-byte seed value */
+    rdrand_seed = (uint8_t*)mbedtls_calloc(1, SHA512_HASH_LENGTH_BYTES);
+    if (!rdrand_seed)
+        goto done;
+
+    if (mbedtls_sha512_ret(rdrand_bytes, rdrand_bytes_size, rdrand_seed, 0) !=
+        0)
+        goto done;
+
+    *seed_size = SHA512_HASH_LENGTH_BYTES;
+    *seed = rdrand_seed;
+    rdrand_seed = NULL;
+    ret = 0;
+
+done:
+    if (rdrand_bytes)
+    {
+        mbedtls_free(rdrand_bytes);
+        rdrand_bytes = NULL;
+    }
+    if (rdrand_seed)
+    {
+        mbedtls_free(rdrand_seed);
+        rdrand_seed = NULL;
+    }
+    return ret;
+}
+
 /*
  * MBEDTLS links this function definition when MBEDTLS_ENTROPY_HARDWARE_ALT
  * is defined in the MBEDTLS config.h file. This is the sole source of entropy
@@ -19,13 +100,48 @@ int mbedtls_hardware_poll(
     size_t* olen)
 {
     int ret = -1;
+    oe_entropy_kind_t kind = OE_ENTROPY_KIND_NONE;
     OE_UNUSED(data);
 
     if (olen)
         *olen = 0;
 
-    if (oe_get_entropy(output, len) != OE_OK)
+    if (oe_get_entropy(output, len, &kind) != OE_OK)
+        goto done;
+
+    if (kind == OE_ENTROPY_KIND_RDSEED || kind == OE_ENTROPY_KIND_OPTEE)
+    {
+        /* According to Intel's DRNG software implementation guide, RDSEED
+         * produces values that are already passed through a conditioner that
+         * hashes pairs of 256-bit raw entropy samples via AES-CBC-MAC, so no
+         * further work needs to be done.
+         *
+         * For OPTEE TEE_GenerateRandom, the actual predictive resistance of
+         * underlying implementation may vary, so this simply takes the value
+         * provided as is. */
+    }
+    else if (kind == OE_ENTROPY_KIND_RDRAND)
+    {
+        /* If RDSEED is not supported, fallback to using RDRAND to obtain a
+         * seed for entropy. */
+        unsigned char* p = (unsigned char*)output;
+        size_t bytes_left = len;
+        while (bytes_left > 0)
+        {
+            uint8_t* seed_bytes = NULL;
+            size_t seed_size = 0;
+
+            if (_get_seed_from_rdrand(&seed_bytes, &seed_size) != OE_OK)
+                goto done;
+
+            _fill_buffer(seed_bytes, seed_size, &p, &bytes_left);
+            mbedtls_free(seed_bytes);
+        }
+    }
+    else
+    {
         goto done;
+    }
 
     if (olen)
         *olen = len;
diff --git a/common/sgx/rand.S b/common/sgx/rand.S
index 948a7d08db..154a29b6d8 100644
--- a/common/sgx/rand.S
+++ b/common/sgx/rand.S
@@ -3,15 +3,28 @@
 
 .text
 .globl  oe_rdrand
+.type oe_rdrand, @function
+.globl  oe_rdseed
+.type oe_rdseed, @function
 
 oe_rdrand:
-    pushq   %rbp
-    movq    %rsp, %rbp
-
+.cfi_startproc
 _rdrand_retry:
     rdrand %rax
-    jnc _rdrand_retry
-
-    leave
+    jc _rdrand_epilogue
+    pause
+    jmp _rdrand_retry
+_rdrand_epilogue:
     ret
+.cfi_endproc
 
+oe_rdseed:
+.cfi_startproc
+_rdseed_retry:
+    rdseed %rax
+    jc _rdseed_epilogue
+    pause
+    jmp _rdseed_retry
+_rdseed_epilogue:
+    ret
+.cfi_endproc
diff --git a/common/sgx/rand.asm b/common/sgx/rand.asm
index 9045b7907a..ff7bdc413d 100644
--- a/common/sgx/rand.asm
+++ b/common/sgx/rand.asm
@@ -4,22 +4,30 @@
 
 PUBLIC oe_rdrand
 oe_rdrand PROC
-;; Subroutine Prologue
-	push rbp     ;; Save the old base pointer value.
-	mov rbp, rsp ;; Set the new base pointer value.
-	sub rsp, 4   ;; Make room for one 4-byte local variable.
 
-;; Subroutine Body
 _rdrand_retry:
-	rdrand rax
-	jnc _rdrand_retry
+    rdrand rax
+    jc _rdrand_epilogue
+    pause
+    jmp _rdrand_retry
 
-;; Subroutine Epilogue
-	mov rsp, rbp ;; Deallocate local variables
-	pop rbp      ;; Restore the caller's base pointer value
-
-	ret
+_rdrand_epilogue:
+    ret
 
 oe_rdrand ENDP
 
+PUBLIC oe_rdseed
+oe_rdseed PROC
+
+_rdseed_retry:
+    rdseed rax
+    jc _rdseed_epilogue
+    pause
+    jmp _rdseed_retry
+
+_rdseed_epilogue:
+    ret
+
+oe_rdseed ENDP
+
 END
diff --git a/enclave/core/optee/entropy.c b/enclave/core/optee/entropy.c
index 174d625fd0..131ac8b55d 100644
--- a/enclave/core/optee/entropy.c
+++ b/enclave/core/optee/entropy.c
@@ -7,12 +7,12 @@
 
 #include <tee_internal_api.h>
 
-oe_result_t oe_get_entropy(void* output, size_t len)
+oe_result_t oe_get_entropy(void* output, size_t len, oe_entropy_kind_t* kind)
 {
     if (len > OE_UINT32_MAX)
         return OE_OUT_OF_BOUNDS;
 
     TEE_GenerateRandom(output, (uint32_t)len);
-
+    *kind = OE_ENTROPY_KIND_OPTEE;
     return OE_OK;
 }
diff --git a/enclave/core/sgx/entropy.c b/enclave/core/sgx/entropy.c
index b526bf872d..bdf5c31836 100644
--- a/enclave/core/sgx/entropy.c
+++ b/enclave/core/sgx/entropy.c
@@ -1,48 +1,86 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-#include <openenclave/bits/safecrt.h>
+#include <openenclave/corelibc/string.h>
 #include <openenclave/enclave.h>
 #include <openenclave/internal/entropy.h>
+#include <openenclave/internal/raise.h>
 #include <openenclave/internal/rdrand.h>
+#include <openenclave/internal/rdseed.h>
+#include "cpuid.h"
 
-/* TODO: This should use RDSEED instead. See issue #242. */
-oe_result_t oe_get_entropy(void* output, size_t len)
+typedef uint64_t (*_entropy_function_t)(void);
+
+OE_INLINE bool _has_cpuid_feature(
+    uint32_t leaf,
+    uint32_t feature,
+    uint32_t feature_register)
 {
-    oe_result_t ret = OE_UNEXPECTED;
-    unsigned char* p = (unsigned char*)output;
+    oe_assert(feature_register < OE_CPUID_REG_COUNT);
+    uint64_t r[OE_CPUID_REG_COUNT] = {0};
+    r[OE_CPUID_RAX] = leaf;
+    return (
+        (oe_emulate_cpuid(
+             &r[OE_CPUID_RAX],
+             &r[OE_CPUID_RBX],
+             &r[OE_CPUID_RCX],
+             &r[OE_CPUID_RDX]) == 0) &&
+        (r[feature_register] & feature));
+}
 
-    if (!output)
-        goto done;
+static oe_entropy_kind_t _get_entropy_kind()
+{
+    oe_entropy_kind_t result = OE_ENTROPY_KIND_NONE;
 
-    /* Copy 64-bit random integers to output */
-    {
-        size_t n = len / sizeof(uint64_t);
+    /* The ordering of checks is important: we want the presence of
+     * stronger entropy sources to supersede the weaker ones, so
+     * go from least to most preferred sources.
+     */
+    if (_has_cpuid_feature(1, OE_CPUID_RDRAND_FEATURE, OE_CPUID_RCX))
+        result = OE_ENTROPY_KIND_RDRAND;
 
-        while (n--)
-        {
-            uint64_t x = oe_rdrand();
+    if (_has_cpuid_feature(7, OE_CPUID_RDSEED_FEATURE, OE_CPUID_RBX))
+        result = OE_ENTROPY_KIND_RDSEED;
 
-            if (oe_memcpy_s(p, len, &x, sizeof(uint64_t)) != OE_OK)
-                goto done;
+    return result;
+}
 
-            p += sizeof(uint64_t);
-            len -= sizeof(uint64_t);
-        }
-    }
+oe_result_t oe_get_entropy(void* output, size_t len, oe_entropy_kind_t* kind)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    _entropy_function_t get_entropy = NULL;
+    unsigned char* p = (unsigned char*)output;
+    size_t bytes_left = len;
 
-    /* Copy remaining random bytes to output */
-    {
-        size_t r = len % sizeof(uint64_t);
-        uint64_t x = oe_rdrand();
-        const unsigned char* q = (const unsigned char*)&x;
+    if (kind)
+        *kind = OE_ENTROPY_KIND_NONE;
+
+    if (output)
+        memset(output, 0, len);
 
-        if (oe_memcpy_s(p, len, q, r) != OE_OK)
-            goto done;
+    if (!output || !kind)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    *kind = _get_entropy_kind();
+    if (*kind == OE_ENTROPY_KIND_RDSEED)
+        get_entropy = oe_rdseed;
+    else if (*kind == OE_ENTROPY_KIND_RDRAND)
+        get_entropy = oe_rdrand;
+    else
+        OE_RAISE(OE_UNSUPPORTED);
+
+    while (bytes_left > 0)
+    {
+        uint64_t random = get_entropy();
+        size_t copy_size =
+            (sizeof(random) > bytes_left) ? bytes_left : sizeof(random);
+        memcpy(p, &random, copy_size);
+        p += copy_size;
+        bytes_left -= copy_size;
     }
 
-    ret = OE_OK;
+    result = OE_OK;
 
 done:
-    return ret;
+    return result;
 }
diff --git a/include/openenclave/internal/cpuid.h b/include/openenclave/internal/cpuid.h
index e6c9c669b1..9a79509e51 100644
--- a/include/openenclave/internal/cpuid.h
+++ b/include/openenclave/internal/cpuid.h
@@ -16,7 +16,9 @@
 #define OE_CPUID_RDX 3
 #define OE_CPUID_REG_COUNT 4
 
-#define OE_CPUID_AESNI_FEATURE 0x02000000u
+#define OE_CPUID_AESNI_FEATURE 0x02000000u  /* Leaf 1, subleaf 0, ECX */
+#define OE_CPUID_RDRAND_FEATURE 0x40000000u /* Leaf 1, subleaf 0, ECX */
+#define OE_CPUID_RDSEED_FEATURE 0x00040000u /* Leaf 7, subleaf 0, EBX */
 
 /**
  * The list of cpuid leafs that are emulated.
diff --git a/include/openenclave/internal/entropy.h b/include/openenclave/internal/entropy.h
index bdd3bdf95e..6ea2ad21a4 100644
--- a/include/openenclave/internal/entropy.h
+++ b/include/openenclave/internal/entropy.h
@@ -9,18 +9,33 @@
 
 OE_EXTERNC_BEGIN
 
+/**
+ * The kind of entropy returned by the oe_get_entropy method, as classified
+ * by the Digital Random Number Generator (DRNG) implementation used.
+ */
+typedef enum _oe_entropy_kind
+{
+    OE_ENTROPY_KIND_NONE = 0,
+    OE_ENTROPY_KIND_RDRAND = 1,
+    OE_ENTROPY_KIND_RDSEED = 2,
+    OE_ENTROPY_KIND_OPTEE = 3,
+    __OE_ENTROPY_KIND_MAX = OE_ENUM_MAX
+} oe_entropy_kind_t;
+
 /**
  * Generates a sequence of high quality sequence of random bytes that
  * is suitable for a seed to a pseudorandom number generator (PRNG).
  *
  * This function will block if there is insufficient hardware entropy.
  *
- * @param data the buffer that will be filled with random bytes
- * @param size the size of the buffer
+ * @param data The buffer that will be filled with random bytes
+ * @param size The size of the buffer
+ * @param kind The kind of entropy returned as classified by the Digital
+ *             Random Number Generator (DRNG) implementation used.
  *
  * @return OE_OK on success
  */
-oe_result_t oe_get_entropy(void* data, size_t size);
+oe_result_t oe_get_entropy(void* data, size_t size, oe_entropy_kind_t* kind);
 
 OE_EXTERNC_END
 
diff --git a/include/openenclave/internal/rdrand.h b/include/openenclave/internal/rdrand.h
index 5814082e01..1189026843 100644
--- a/include/openenclave/internal/rdrand.h
+++ b/include/openenclave/internal/rdrand.h
@@ -15,7 +15,7 @@ OE_EXTERNC_BEGIN
  * instruction. This method will block if there is insufficient hardware
  * entropy to provide the full 64-bits of randomness.
  *
- * @return OE_OK on success
+ * @return uint64_t 8-bytes of randomness.
  */
 uint64_t oe_rdrand(void);
 
diff --git a/include/openenclave/internal/rdseed.h b/include/openenclave/internal/rdseed.h
new file mode 100644
index 0000000000..6e1618c042
--- /dev/null
+++ b/include/openenclave/internal/rdseed.h
@@ -0,0 +1,24 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#ifndef _OE_RDSEED_H
+#define _OE_RDSEED_H
+
+#include <openenclave/bits/types.h>
+
+OE_EXTERNC_BEGIN
+
+/**
+ * Generate a sequence of random bytes using Intel RDSEED instruction
+ *
+ * This function generates 8 random bytes using direct call to Intel's RDSEED
+ * instruction. This method will block if there is insufficient hardware
+ * entropy to provide the full 64-bits of randomness.
+ *
+ * @return uint64_t 8-bytes of randomness.
+ */
+uint64_t oe_rdseed(void);
+
+OE_EXTERNC_END
+
+#endif /* _OE_RDSEED_H */
diff --git a/tests/crypto/cpu_entropy_test.c b/tests/crypto/cpu_entropy_test.c
new file mode 100644
index 0000000000..a657b16510
--- /dev/null
+++ b/tests/crypto/cpu_entropy_test.c
@@ -0,0 +1,57 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#define MAX_LOOP_SIZE 1000
+
+#include <openenclave/enclave.h>
+#include <openenclave/internal/rdrand.h>
+#include <openenclave/internal/rdseed.h>
+#include <openenclave/internal/tests.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+// Test that RDSEED and RDRAND functions synchronously block and
+// retry until the sufficient entropy exists to be returned.
+void TestCpuEntropy()
+{
+    uint64_t rand_num = 0;
+    printf("=== begin %s()\n", __FUNCTION__);
+
+    /* TODO: This test does not actually manage to exhaust the RDRAND
+     * entropy pool regardless of the number of iterations run since
+     * the operation of retrieving the RDRAND value through the bus
+     * architecture is slow enough that a single thread can't saturate
+     * the interface regardless of the number of iterations run.
+     */
+    for (uint64_t i = 0; i < MAX_LOOP_SIZE; i++)
+    {
+        rand_num = oe_rdrand();
+
+        /* 0 is a legal random value that could be returned, but the
+         * odds of this happening twice in a row are very unlikely
+         * unless we've run out of hardware entropy and are returning
+         * without retrying until we have sufficient entropy.
+         */
+        if (rand_num == 0)
+        {
+            rand_num = oe_rdrand();
+            OE_TEST(rand_num != 0);
+        }
+    }
+
+    /* Empirically, RDSEED will start to run out ~20 iterations, on a
+     * Coffeelake device, so the MAX_LOOP_SIZE should be plenty.
+     */
+    for (uint64_t i = 0; i < MAX_LOOP_SIZE; i++)
+    {
+        rand_num = oe_rdseed();
+        if (rand_num == 0)
+        {
+            rand_num = oe_rdseed();
+            OE_TEST(rand_num != 0);
+        }
+    }
+
+    printf("=== passed %s()\n", __FUNCTION__);
+}
diff --git a/tests/crypto/enclave/enc/CMakeLists.txt b/tests/crypto/enclave/enc/CMakeLists.txt
index fca04fbb39..82638f3161 100644
--- a/tests/crypto/enclave/enc/CMakeLists.txt
+++ b/tests/crypto/enclave/enc/CMakeLists.txt
@@ -21,7 +21,7 @@ set(SRCS
 if (OE_SGX)
     list(APPEND SRCS
         ../../../../common/sgx/rand.S
-        ../../rdrand_test.c)
+        ../../cpu_entropy_test.c)
 endif ()
 
 add_enclave(TARGET cryptoenc UUID f0be7db0-ce7c-4dc4-b8c8-b161f4216225
diff --git a/tests/crypto/host/CMakeLists.txt b/tests/crypto/host/CMakeLists.txt
index bb87c5fd72..fa75d83153 100644
--- a/tests/crypto/host/CMakeLists.txt
+++ b/tests/crypto/host/CMakeLists.txt
@@ -21,7 +21,7 @@ endif()
 
 if (OE_SGX)
   list(APPEND PLATFORM_SRC
-    ../rdrand_test.c)
+    ../cpu_entropy_test.c)
 endif ()
 
 add_executable(hostcrypto
diff --git a/tests/crypto/rdrand_test.c b/tests/crypto/rdrand_test.c
deleted file mode 100644
index b365a54df5..0000000000
--- a/tests/crypto/rdrand_test.c
+++ /dev/null
@@ -1,28 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-#define MAX_LOOP_SIZE 100000000
-#include <openenclave/enclave.h>
-#include <openenclave/internal/rdrand.h>
-#include <openenclave/internal/tests.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-// TestRdrand is trying to ensure that oe_rdrand function incorporates blocking
-// wait to retry if the RDRAND instruction is out of entropy
-void TestRdrand()
-{
-    uint64_t rand_num = 0;
-    printf("=== begin %s()\n", __FUNCTION__);
-    for (uint64_t i = 0; i < MAX_LOOP_SIZE; i++)
-    {
-        rand_num = oe_rdrand();
-        if (rand_num == 0)
-        {
-            rand_num = oe_rdrand();
-            OE_TEST(rand_num != 0);
-        }
-    }
-    printf("=== passed %s()\n", __FUNCTION__);
-}
diff --git a/tests/crypto/tests.c b/tests/crypto/tests.c
index bb1816f7a2..b3110fa6a1 100644
--- a/tests/crypto/tests.c
+++ b/tests/crypto/tests.c
@@ -13,8 +13,8 @@ void TestAll()
     TestRSA();
     TestRandom();
 #if defined(__x86_64__) || defined(__i386__)
-    // This test exercises the rdrand instruction, which is x86/64-specific.
-    TestRdrand();
+    // Test the RDRAND/RDSEED instructions, which are x86/64-specific.
+    TestCpuEntropy();
 #endif
     TestHMAC();
     TestKDF();
diff --git a/tests/crypto/tests.h b/tests/crypto/tests.h
index 5ad9c907c9..d893d91660 100644
--- a/tests/crypto/tests.h
+++ b/tests/crypto/tests.h
@@ -9,7 +9,7 @@ void TestCRL(void);
 void TestEC(void);
 void TestKDF(void);
 void TestRandom(void);
-void TestRdrand(void);
+void TestCpuEntropy(void);
 void TestRSA(void);
 void TestSHA(void);
 void TestHMAC(void);

From 5a011c46cd324d687ae088b497d7b5727db8e94c Mon Sep 17 00:00:00 2001
From: Xuejun Yang <xuejya@microsoft.com>
Date: Wed, 25 Sep 2019 04:48:40 +0000
Subject: [PATCH 026/420] Address review comments

---
 samples/switchless/README.md      | 109 ++++++++++++++++++++++--------
 samples/switchless/enclave/enc.c  |  19 ++----
 samples/switchless/host/host.c    |  20 +++---
 samples/switchless/switchless.edl |   5 +-
 4 files changed, 98 insertions(+), 55 deletions(-)

diff --git a/samples/switchless/README.md b/samples/switchless/README.md
index 93af5368bd..e75900541b 100644
--- a/samples/switchless/README.md
+++ b/samples/switchless/README.md
@@ -1,48 +1,90 @@
 # Switchless Calls Sample
 
-This sample demonstrates how to make switchless calls to host from inside an enclave. It is built on top of the [`Hello World`](../helloworld/README.md) sample. The addition is a host function `host_helloworld_switchless` which is called from the enclave switchlessly.
-
+This sample demonstrates how to make switchless calls to host from inside an enclave.
 It has the following properties:
 
 - Explain the concept of switchless calls
+- Identify cases where switchless calls are appropriate
 - Demonstrate how to mark a function as `transition_using_threads` in EDL, and use [`oeedger8r`](https://github.com/openenclave/openenclave/tree/master/docs/GettingStartedDocs/Edger8rGettingStarted.md) tool to compile it
-- Demonstrate how to configure an enclave to enable switchless calls within it
+- Demonstrate how to configure an enclave to enable switchless calls originated within it
+- Recommend the number of host worker threads required for switchless calls in practice
 
 Prerequisite: you may want to read [Common Sample Information](../README.md#common-sample-information) before going further.
 
 ## Switchless Calls
 
-In an enclave application, the host makes **ECALL**s into functions exposed by the enclaves it created. Likewise, the enclaves make **OCALL**s into functions exposed by the host that created them. In either case, the execution has to be transitioned from an untrusted environment to a trusted environment, or vice versa. Since the transition is costly due to heavy security checks, it might be more performance advantageous to make the calls **context-switchless**: the caller delegates the function call to a worker thread in the other environment, which does the real job of calling the function and post the result to the caller. Both the calling thread and the worker thread never leave their respective execution contexts during the perceived function call.
+In an enclave application, the host makes **ECALL**s into functions exposed by the enclaves it created. Likewise,
+the enclaves may make **OCALL**s into functions exposed by the host that created them. In either case, the
+execution has to be transitioned from an untrusted environment to a trusted environment, or vice versa. Since the
+transition is costly due to heavy security checks, it might be more performance advantageous to make the calls
+**context-switchless**: the caller delegates the function call to a worker thread in the other environment, which does the real job of calling the function and post the result to the caller. Both the calling thread and the
+worker thread never leave their respective execution contexts during the perceived function call.
+
+The calling thread and the worker thread need to exchange information twice during the call. When the switchless
+call is initiated, the caller needs to pass the `job` (encapsulating information regarding the function call in a
+ single object, for details see the next section) to the worker thread. And when the call finishes, the worker
+thread needs to pass the result back to the caller. Both exchanges need to be synchronized.
+
+While switchless calls save transition time, they require at least one additional thread to service the calls.
+More threads typically means more competition of the CPU cores and more context switches, hurting the performance.
+Whether to make a particular function switchless has to weigh the associated costs and savings. In general, the
+good candidates for switchless calls are functions that are: 1) short, thus the transition takes relatively high
+percentage of the overall execution time of the call; and 2) called frequently, so the savings in transition time
+add up.
+
+## How does OpenEnclave support switchless OCALLs
+
+OpenEnclave only supports synchronous switchless OCALLs currently. When the caller within an enclave makes a
+switchless OCALL, the trusted OpenEnclave runtime creates a `job` out of the function call. The `job` object
+includes information such as the function ID, the parameters marshaled into a buffer, and a buffer for holding the
+return value(s). The job is posted to a shared memory region which both the enclave and the host can access.
 
-The calling thread and the worker thread need to exchange information twice during the call. When the switchless call is initiated, the caller needs to pass the `job` (representing the function call) to the worker thread. And when the call finishes, the worker thread needs to pass the result back to the caller. Both exchanges need to be synchronized.
+A host worker thread checks and retrieves `job` from the shared memory region. It uses the untrusted OpenEnclave
+runtime to process the `job` by unmarshaling the parameters, then dispatching to the callee function, and finally
+relaying the result back to the trusted OpenEnclave runtime, which is further forwarded back to the caller.
 
-## How does OE support switchless OCALLs
+To support simultaneous switchless OCALLs made from enclaves, the host workers are multi-threaded. OpenEnclave
+allows users to configure how many host worker threads are to be created for servicing switchless OCALLs. The
+following example illustrates how to do that. A word of caution is that too many host worker threads might increase
+competition of cores between threads and degrade the performance. Therefore, if a enclave has switchless calls
+enabled, OpenEnclave caps the number of host worker threads for it to the number of enclave threads specified.
 
-OE only supports synchronous switchless OCALLs currently. When the caller within an enclave makes a switchless OCALL, the trusted OE runtime creates a `job` out of the function call. The `job` object includes information such as the function ID, the parameters marshaled into a buffer, and a buffer for holding the return value(s). The job is posted to a shared memory region which both the enclave and the host can access.
+With the current implementation, we recommend users to avoid using more host worker threads than the minimum of:
 
-A host worker thread checks and retrieves `job` from the shared memory region. It uses the untrusted OE runtime to process the `job` by unmarshaling the parameters, then dispatching to the callee function, and finally relaying the result back to the trusted OE runtime, which is further forwarded back to the caller.
+1. the number of simultaneously active enclave threads, and
+2. the number of cores that are potentially available to host worker threads.
 
-To support simultaneous switchless OCALLs made from enclaves, the host workers are multi-threaded. OE allows users to configure how many host worker threads are to be created for servicing switchless OCALLs. The following example illustrates how to do that. A word of caution is that too many host worker threads might increase competition of cores between threads and degrade the performance. Therefore, if a enclave has switchless calls enabled, OE caps the number of host worker threads for it to the number of enclave threads specified.
+For example, on a 4-core machine, if the number of the simultaneously active enclave threads is 2, and there is no
+host threads other than the two threads making ECALLs and the switchless worker threads, both 1) and 2) would be 2. So we recommend setting the number of host worker threads to 2.
+
+The exception to the above rule happens when 1) or 2) is zero or negative. For example, if the host starts two more
+additional threads that are expected to be active along with the two enclave threads, the number of cores available
+to the worker threads is actually 0, and the minimum of 1) and 2) would be 0. In this case, we recommend setting
+the number of host worker threads to 1 nevertheless, to ensure switchless calls are serviced by at least one thread.
+
+The above recommendation may change when we modify the behavior of worker threads in the future.
 
 ## About the EDL
 
+In this sample, we pretend the enclave doesn't know addition. It relies on a host function `host_increment` to
+increment a number by 1, and repeat calling it `N` times to add `N` to a given number. Since `host_increment` is
+short and called frequently, it is appropriate to make it a switchless function.
+
 First we need to define the functions we want to call between the host and the enclave. To do this we create a `switchless.edl` file:
 
 ```edl
 enclave {
     trusted {
-        public void enclave_helloworld();
-
+        public void enclave_add_N([in, out] int* m, int n);
     };
 
     untrusted {
-        void host_helloworld();
-        void host_helloworld_switchless() transition_using_threads;
+        void host_increment([in, out] int* m) transition_using_threads;
     };
 };
 ```
 
-Function `host_helloworld_switchless`'s declaration ends with keyword `transition_using_threads`, indicating it should be called switchlessly at run time. However, this a best-effort directive. OE runtime may still choose to fall back to a tradition OCALL if switchless call resources are unavailable, e.g., the enclave is not configured as switchless-capable, or the host worker threads are busy servicing other switchless OCALLs.
+Function `host_increment`'s declaration ends with keyword `transition_using_threads`, indicating it should be called switchlessly at run time. However, this a best-effort directive. OpenEnclave runtime may still choose to fall back to a tradition OCALL if switchless call resources are unavailable, e.g., the enclave is not configured as switchless-capable, or the host worker threads are busy servicing other switchless OCALLs.
 
 To generate the functions with the marshaling code, the `oeedger8r` tool is called in both the host and enclave directories from their Makefiles. For example:
 
@@ -55,13 +97,18 @@ oeedger8r ../switchless.edl --untrusted --experimental
 
 ## About the host
 
-The host first defines a structure specifically for configuring switchless calls. In this case, we specify the first field `2` as the number of host worker threads for switchless OCALLs. The 2nd field specifies the number of enclave threads for switchless ECALLs. Since switchless ECALL is not yet implementated, we require the 2nd field to be `0`.
+The host first defines a structure specifically for configuring switchless calls. In this case, we specify the
+first field `1` as the number of host worker threads for switchless OCALLs. In this example, 1) There is at most
+1 enclave thread all the time, and 2) The number of cores available to the host worker threads is  1 (assuming a
+2-core machine) or 3 (assuming a 4-core machine). In any case, The minimum of 1) and 2) is 1, which we choose to
+be the number of host worker threads. The 2nd field specifies the number of enclave threads for switchless ECALLs.
+Since switchless ECALL is not yet implemented, we require the 2nd field to be `0`.
 
 ```c
-oe_enclave_config_context_switchless_t config = {2, 0};
+oe_enclave_config_context_switchless_t config = {1, 0};
 ```
 
-The host then puts the structure address and the configuration type in an array of configurations for the enclave to be created. Even though we only have one configuration (for switchless) for the enclave, we'd like the flexibility of adding more than one configurations (with different types) for an enclave in the future.
+The host then puts the structure address and the configuration type in an array of configurations for the enclave to be created. Even though we only have one configuration (for switchless) for the enclave, we'd like the flexibility of adding more than one configuration (with different types) for an enclave in the future.
 
 ```c
 oe_enclave_config_t configs[] = {{
@@ -70,7 +117,8 @@ oe_enclave_config_t configs[] = {{
     }};
 ```
 
-To make the configurations created above effective, we need to pass the array `configs` into `oe_create_enclave` in the following way:
+To make the configurations created above effective, we need to pass the array `configs` into `oe_create_enclave`
+in the following way:
 
 ```c
 oe_create_switchless_enclave(
@@ -82,25 +130,28 @@ oe_create_switchless_enclave(
              &enclave);
 ```
 
-The host then makes an ECALL of `enclave_helloworld` to transition into the enclave. After the ECALL returns, the host terminates the enclave.
+The host then makes an ECALL of `enclave_add_N` to transition into the enclave. After the ECALL returns, the
+host prints the returned value and terminates the enclave.
 
-As shown in the EDL file, the host exposes two host functions: `host_helloworld` and `host_helloworld_switchless`. The former prints "Hello world from regular OCALL", and the latter prints "Hello world from switchless OCALL".
+As shown in the EDL file, the host exposes a host function `host_increment` which takes an integer `n`, and returns the result of `n+1`.
 
 ## About the enclave
 
-The enclave exposes only one function `enclave_helloworld`. The function prints "Hello world from the enclave" first, then call the host function `host_helloworld`, followed by calling host function `host_helloworld_switchless`. Internally, the last call is fulfilled switchlessly. If everything work as expected, the output of this enclave function would be:
-
-```
-Hello world from the enclave
-Hello world from regular OCALL
-Hello world from switchless OCALL
-```
+The enclave exposes only one function `enclave_add_N`. The function takes two parameter `m` and `n`. It calls
+the host function `host_increment` switchlessly in a loop of `n` iterations.
 
 ## Build and run
 
 Note that there are two different build systems supported, one using GNU Make and
 `pkg-config`, the other using CMake.
 
+If the build and run succeed, the following output is expected:
+
+```bash
+host/switchlesshost ./enclave/switchlessenc.signed
+enclave_add_N(): 10000 + 10000 = 20000
+```
+
 ### CMake
 
 This uses the CMake package provided by the Open Enclave SDK.
@@ -115,13 +166,13 @@ make run
 ### GNU Make
 
 ```bash
-cd helloworld
+cd switchless
 make build
 make run
 ```
 #### Note
 
-switchless sample can run under OE simulation mode.
+switchless sample can run under OpenEnclave simulation mode.
 
 To run the switchless sample in simulation mode from the command like, use the following:
 
diff --git a/samples/switchless/enclave/enc.c b/samples/switchless/enclave/enc.c
index 483562c7a9..4d3442ebd7 100644
--- a/samples/switchless/enclave/enc.c
+++ b/samples/switchless/enclave/enc.c
@@ -4,21 +4,16 @@
 #include <stdio.h>
 #include "switchless_t.h"
 
-void enclave_helloworld()
+void enclave_add_N(int* m, int n)
 {
-    fprintf(stdout, "Hello world from the enclave\n");
-
     // Call back into the host
-    oe_result_t result = host_helloworld();
-    if (result != OE_OK)
-    {
-        fprintf(stderr, "host_helloworld(): result=%u", result);
-    }
-
-    result = host_helloworld_switchless();
-    if (result != OE_OK)
+    for (int i = 0; i < n; i++)
     {
-        fprintf(stderr, "host_helloworld_switchless(): result=%u", result);
+        oe_result_t result = host_increment(m);
+        if (result != OE_OK)
+        {
+            fprintf(stderr, "host_increment(): result=%u", result);
+        }
     }
 }
 
diff --git a/samples/switchless/host/host.c b/samples/switchless/host/host.c
index 9b39ab2af1..fbaa070b47 100644
--- a/samples/switchless/host/host.c
+++ b/samples/switchless/host/host.c
@@ -6,14 +6,9 @@
 #include <stdlib.h>
 #include "switchless_u.h"
 
-void host_helloworld()
+void host_increment(int* n)
 {
-    fprintf(stdout, "Hello world from regular OCALL\n");
-}
-
-void host_helloworld_switchless()
-{
-    fprintf(stdout, "Hello world from switchless OCALL\n");
+    *n = *n + 1;
 }
 
 static bool check_simulate_opt(int* argc, const char* argv[])
@@ -35,7 +30,8 @@ int main(int argc, const char* argv[])
 {
     oe_enclave_t* enclave = NULL;
     oe_result_t result;
-    int ret = 1;
+    int ret = 1, m = 10000, n = 10000;
+    int oldm = m;
 
     if (argc != 2 && argc != 3)
     {
@@ -50,7 +46,7 @@ int main(int argc, const char* argv[])
     }
 
     // Enable switchless and configure host worker number
-    oe_enclave_config_context_switchless_t config = {2, 0};
+    oe_enclave_config_context_switchless_t config = {1, 0};
     oe_enclave_config_t configs[] = {{
         .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
         .u.context_switchless_config = &config,
@@ -66,9 +62,11 @@ int main(int argc, const char* argv[])
         fprintf(stderr, "oe_create_enclave(): result=%u", result);
 
     // Call into the enclave
-    result = enclave_helloworld(enclave);
+    result = enclave_add_N(enclave, &m, n);
     if (result != OE_OK)
-        fprintf(stderr, "enclave_helloworld(): result=%u", result);
+        fprintf(stderr, "enclave_add_N(): result=%u", result);
+
+    fprintf(stderr, "enclave_add_N(): %d + %d = %d\n", oldm, n, m);
 
     ret = result != OE_OK ? 1 : 0;
     oe_terminate_enclave(enclave);
diff --git a/samples/switchless/switchless.edl b/samples/switchless/switchless.edl
index b8df7cebd8..c2753b0999 100644
--- a/samples/switchless/switchless.edl
+++ b/samples/switchless/switchless.edl
@@ -3,11 +3,10 @@
 
 enclave {
     trusted {
-        public void enclave_helloworld();
+        public void enclave_add_N([in, out] int* m, int n);
     };
 
     untrusted {
-        void host_helloworld();
-        void host_helloworld_switchless() transition_using_threads;
+        void host_increment([in, out] int* m) transition_using_threads;
     };
 };

From ed638898a9e1d5184f712cda4ae641bd1e612ca0 Mon Sep 17 00:00:00 2001
From: Sergio Wong <sergio.wong@gmail.com>
Date: Tue, 10 Sep 2019 23:22:05 +0000
Subject: [PATCH 027/420] Attestation security updates during quote
 verification:

1. Added validity checks for all certs, CRLs and QE identity info.
2. Refactored code with additional error details.
3. Added cert functions to get cert validity datetimes.
---
 common/datetime.c                          |  46 +-
 common/result.c                            |   3 +
 common/sgx/collaterals.c                   | 152 ++++++
 common/sgx/collaterals.h                   |  35 ++
 common/sgx/qeidentity.c                    | 170 ++++---
 common/sgx/qeidentity.h                    |  25 +-
 common/sgx/quote.c                         | 548 +++++++++++++++++----
 common/sgx/quote.h                         |  78 ++-
 common/sgx/revocation.c                    | 372 ++++++++++----
 common/sgx/revocation.h                    |  59 ++-
 enclave/CMakeLists.txt                     |   1 +
 enclave/core/CMakeLists.txt                |   1 +
 enclave/crypto/cert.c                      |  43 ++
 enclave/sgx/qeidinfo.c                     |   2 +-
 enclave/sgx/report.c                       |   4 +-
 enclave/sgx/revocationinfo.c               |   2 +-
 host/CMakeLists.txt                        |   2 +
 host/crypto/bcrypt/cert.c                  |  42 +-
 host/crypto/bcrypt/crl.c                   |  29 +-
 host/crypto/bcrypt/util.c                  |  31 ++
 host/crypto/bcrypt/util.h                  |  22 +
 host/crypto/openssl/asn1.c                 |  92 ++++
 host/crypto/openssl/asn1.h                 |  28 ++
 host/crypto/openssl/cert.c                 |  44 ++
 host/crypto/openssl/crl.c                  |  98 +---
 host/sgx/hostverify_report.c               |   6 +-
 host/sgx/report.c                          |   7 +-
 host/sgx/sgxquoteprovider.c                |   4 +-
 include/openenclave/bits/result.h          |   5 +
 include/openenclave/internal/crypto/cert.h |  14 +
 include/openenclave/internal/datetime.h    |  10 +
 include/openenclave/internal/report.h      |  51 ++
 tests/host_verify/host/host.cpp            | 230 +++++++--
 tests/report/common/tests.cpp              | 464 +++++++++++++++++
 tests/report/common/tests.h                |   1 +
 tests/report/enc/enc.cpp                   |   9 +
 tests/report/host/host.cpp                 |   4 +
 tests/report/tests.edl                     |   1 +
 tests/tools/oecert/host/host.cpp           |  65 ++-
 39 files changed, 2370 insertions(+), 430 deletions(-)
 create mode 100644 common/sgx/collaterals.c
 create mode 100644 common/sgx/collaterals.h
 create mode 100644 host/crypto/bcrypt/util.c
 create mode 100644 host/crypto/bcrypt/util.h
 create mode 100644 host/crypto/openssl/asn1.h

diff --git a/common/datetime.c b/common/datetime.c
index 7a420f04e3..e7c1fcf8d5 100644
--- a/common/datetime.c
+++ b/common/datetime.c
@@ -3,8 +3,10 @@
 
 #include <openenclave/internal/datetime.h>
 #include <openenclave/internal/raise.h>
+#include <time.h>
 
 #define UNIX_EPOCH_YEAR (1970)
+#define OE_DATETIME_STR_SIZE (21)
 
 oe_result_t oe_datetime_is_valid(const oe_datetime_t* datetime)
 {
@@ -121,10 +123,10 @@ oe_result_t oe_datetime_to_string(
     if (datetime == NULL || str_length == NULL)
         OE_RAISE(OE_INVALID_PARAMETER);
 
-    if (str == NULL || *str_length < 21)
+    if (str == NULL || *str_length < OE_DATETIME_STR_SIZE)
     {
-        *str_length = 21;
-        OE_RAISE(OE_BUFFER_TOO_SMALL);
+        *str_length = OE_DATETIME_STR_SIZE;
+        OE_RAISE_NO_TRACE(OE_BUFFER_TOO_SMALL);
     }
 
     OE_CHECK(oe_datetime_is_valid(datetime));
@@ -149,7 +151,7 @@ oe_result_t oe_datetime_to_string(
 
     // Null terminator.
     *p++ = 0;
-    *str_length = 21;
+    *str_length = OE_DATETIME_STR_SIZE;
     result = OE_OK;
 done:
     return result;
@@ -221,3 +223,39 @@ int32_t oe_datetime_compare(
 
     return 0;
 }
+
+oe_result_t oe_datetime_now(oe_datetime_t* value)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    time_t now;
+    struct tm* timeinfo;
+
+    if (value == NULL)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    time(&now);
+    timeinfo = gmtime(&now);
+
+    value->year = (uint32_t)timeinfo->tm_year + 1900;
+    value->month = (uint32_t)timeinfo->tm_mon + 1;
+    value->day = (uint32_t)timeinfo->tm_mday;
+    value->hours = (uint32_t)timeinfo->tm_hour;
+    value->minutes = (uint32_t)timeinfo->tm_min;
+    value->seconds = (uint32_t)timeinfo->tm_sec;
+
+    result = OE_OK;
+done:
+
+    return result;
+}
+
+void oe_datetime_log_info(const char* msg, const oe_datetime_t* date)
+{
+    if (oe_get_current_logging_level() >= OE_LOG_LEVEL_INFO)
+    {
+        char str[OE_DATETIME_STR_SIZE];
+        size_t size = sizeof(str);
+        oe_datetime_to_string(date, str, &size);
+        OE_TRACE_INFO("%s %s\n", msg, str);
+    }
+}
diff --git a/common/result.c b/common/result.c
index 9a77b863a1..490ee7297e 100644
--- a/common/result.c
+++ b/common/result.c
@@ -100,6 +100,8 @@ const char* oe_result_str(oe_result_t result)
             return "OE_UNSUPPORTED_ENCLAVE_IMAGE";
         case OE_VERIFY_CRL_EXPIRED:
             return "OE_VERIFY_CRL_EXPIRED";
+        case OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD:
+            return "OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD";
         case OE_VERIFY_CRL_MISSING:
             return "OE_VERIFY_CRL_MISSING";
         case OE_VERIFY_REVOKED:
@@ -177,6 +179,7 @@ bool oe_is_valid_result(uint32_t result)
         case OE_INVALID_QE_IDENTITY_INFO:
         case OE_UNSUPPORTED_ENCLAVE_IMAGE:
         case OE_VERIFY_CRL_EXPIRED:
+        case OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD:
         case OE_VERIFY_CRL_MISSING:
         case OE_VERIFY_REVOKED:
         case OE_CRYPTO_ERROR:
diff --git a/common/sgx/collaterals.c b/common/sgx/collaterals.c
new file mode 100644
index 0000000000..c3adce1f7c
--- /dev/null
+++ b/common/sgx/collaterals.c
@@ -0,0 +1,152 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include "collaterals.h"
+#include <openenclave/internal/datetime.h>
+#include <openenclave/internal/raise.h>
+#include "../common.h"
+
+#include "qeidentity.h"
+#include "quote.h"
+#include "revocation.h"
+
+oe_result_t oe_get_collaterals_internal(
+    const uint8_t* remote_report,
+    size_t remote_report_size,
+    uint8_t** collaterals_buffer,
+    size_t* collaterals_buffer_size)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    uint8_t* buffer = NULL;
+    oe_collaterals_header_t* header = NULL;
+    oe_collaterals_t* collaterals = NULL;
+
+    const uint8_t* pem_pck_certificate = NULL;
+    size_t pem_pck_certificate_size = 0;
+    oe_cert_chain_t pck_cert_chain = {0};
+    oe_cert_t leaf_cert = {0};
+    oe_cert_t intermediate_cert = {0};
+
+    OE_TRACE_INFO("Enter call %s\n", __FUNCTION__);
+
+    if ((collaterals_buffer == NULL) || (collaterals_buffer_size == NULL))
+    {
+        OE_RAISE(OE_INVALID_PARAMETER);
+    }
+
+    *collaterals_buffer = NULL;
+    *collaterals_buffer_size = 0;
+
+    buffer = (uint8_t*)oe_calloc(1, OE_COLLATERALS_SIZE);
+    if (buffer == NULL)
+    {
+        OE_RAISE(OE_OUT_OF_MEMORY);
+    }
+
+    header = (oe_collaterals_header_t*)buffer;
+    collaterals = (oe_collaterals_t*)(buffer + OE_COLLATERALS_HEADER_SIZE);
+
+    // Collateral header initialization
+    header->collaterals_size = OE_COLLATERALS_BODY_SIZE;
+
+    //
+    // Get the uri from the quote certificates, and then get the
+    // CRL (oe_get_revocation_info_from_certs)
+    //
+
+    // Get PCK cert chain from the quote.
+    OE_CHECK_MSG(
+        oe_get_quote_cert_chain_internal(
+            remote_report,
+            remote_report_size,
+            &pem_pck_certificate,
+            &pem_pck_certificate_size,
+            &pck_cert_chain),
+        "Failed to get certificate chain from quote. %s",
+        oe_result_str(result));
+
+    // Fetch leaf and intermediate certificates.
+    OE_CHECK_MSG(
+        oe_cert_chain_get_leaf_cert(&pck_cert_chain, &leaf_cert),
+        "Failed to get leaf certificate. %s",
+        oe_result_str(result));
+    OE_CHECK_MSG(
+        oe_cert_chain_get_cert(&pck_cert_chain, 1, &intermediate_cert),
+        "Failed to get intermediate certificate. %s",
+        oe_result_str(result));
+
+    // Get revocation information
+    OE_CHECK_MSG(
+        oe_get_revocation_info_from_certs(
+            &leaf_cert, &intermediate_cert, &(collaterals->revocation_info)),
+        "Failed to get certificate revocation information. %s",
+        oe_result_str(result));
+
+    // Application specific collaterals
+    collaterals->app_collaterals_size = 0;
+
+    //
+    // QE identify info
+    //
+    OE_CHECK_MSG(
+        oe_get_qe_identity_info(&(collaterals->qe_id_info)),
+        "Failed to get quote enclave identity information. %s",
+        oe_result_str(result));
+
+    // Record creation datetime.
+    {
+        oe_datetime_t datetime_now = {0};
+        size_t datetime_size = sizeof(collaterals->creation_datetime);
+
+        OE_CHECK(oe_datetime_now(&datetime_now));
+
+        OE_CHECK_MSG(
+            oe_datetime_to_string(
+                &datetime_now, collaterals->creation_datetime, &datetime_size),
+            "Failed to update collateral creation time. %s",
+            oe_result_str(result));
+    }
+
+    result = OE_OK;
+done:
+    oe_cert_free(&leaf_cert);
+    oe_cert_free(&intermediate_cert);
+    oe_cert_chain_free(&pck_cert_chain);
+
+    if (result == OE_OK)
+    {
+        *collaterals_buffer = buffer;
+        *collaterals_buffer_size = OE_COLLATERALS_SIZE;
+    }
+    else if (buffer)
+    {
+        oe_free_get_revocation_info_args(&(collaterals->revocation_info));
+        oe_free_qe_identity_info_args(&(collaterals->qe_id_info));
+
+        oe_free(buffer);
+    }
+
+    OE_TRACE_INFO(
+        "Exit call %s: %d(%s)\n", __FUNCTION__, result, oe_result_str(result));
+
+    return result;
+}
+
+/**
+ * Free up any resources allocated by oe_get_collateras()
+ *
+ * @param collaterals_buffer The buffer containing the collaterals.
+ */
+void oe_free_collaterals_internal(uint8_t* collaterals_buffer)
+{
+    if (collaterals_buffer)
+    {
+        oe_collaterals_t* collaterals =
+            (oe_collaterals_t*)(collaterals_buffer + OE_COLLATERALS_HEADER_SIZE);
+
+        oe_free_qe_identity_info_args(&collaterals->qe_id_info);
+        oe_free_get_revocation_info_args(&collaterals->revocation_info);
+
+        oe_free(collaterals_buffer);
+    }
+}
\ No newline at end of file
diff --git a/common/sgx/collaterals.h b/common/sgx/collaterals.h
new file mode 100644
index 0000000000..ba413efa7a
--- /dev/null
+++ b/common/sgx/collaterals.h
@@ -0,0 +1,35 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#ifndef _OE_COMMON_OE_COLLATERALS_H
+#define _OE_COMMON_OE_COLLATERALS_H
+
+#include <openenclave/bits/defs.h>
+#include <openenclave/bits/result.h>
+
+OE_EXTERNC_BEGIN
+
+/**
+ * Get the collaterals for the respective remote report.
+ *
+ * @param remote_report[in] The remote report.
+ * @param remote_report_size[in] The size of the remote report.
+ * @param collaterals_buffer[out] The buffer where to store the collaterals.
+ * @param collaterals_buffer_size[out] The size of the collaterals.
+ */
+oe_result_t oe_get_collaterals_internal(
+    const uint8_t* remote_report,
+    size_t remote_report_size,
+    uint8_t** collaterals_buffer,
+    size_t* collaterals_buffer_size);
+
+/**
+ * Free up any resources allocated by oe_get_collateras()
+ *
+ * @param collaterals_buffer The buffer containing the collaterals.
+ */
+void oe_free_collaterals_internal(uint8_t* collaterals_buffer);
+
+OE_EXTERNC_END
+
+#endif /* _OE_COMMON_OE_COLLATERALS_H */
diff --git a/common/sgx/qeidentity.c b/common/sgx/qeidentity.c
index 8d5876b730..bb96c9bf4c 100644
--- a/common/sgx/qeidentity.c
+++ b/common/sgx/qeidentity.c
@@ -32,84 +32,97 @@ void dump_info(const char* title, const uint8_t* data, const uint8_t count)
     }
 }
 
-oe_result_t oe_enforce_qe_identity(sgx_report_body_t* qe_report_body)
+oe_result_t oe_validate_qe_report_body(sgx_report_body_t* qe_report_body)
+{
+    oe_result_t result = OE_UNEXPECTED;
+
+    if (qe_report_body == NULL)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    // No qe_identity info returned from the quote provider, this could be
+    // because either get_qe_identity_info API was not supported or
+    // unexpected error. In both cases, check against hardcoded quoting
+    // enclave properties instead Assert that the qe report's MRSIGNER
+    // matches Intel's quoting. We will remove these hardcoded values once
+    // the libdcap_quoteprov.so was updated to support qe identity feature.
+
+    // enclave's mrsigner.
+    if (!oe_constant_time_mem_equal(
+            qe_report_body->mrsigner, g_qe_mrsigner, sizeof(g_qe_mrsigner)))
+    {
+        dump_info("Expected mrsigner", g_qe_mrsigner, sizeof(g_qe_mrsigner));
+        dump_info(
+            "Actual mrsigner",
+            qe_report_body->mrsigner,
+            sizeof(qe_report_body->mrsigner));
+        OE_RAISE_MSG(
+            OE_QUOTE_ENCLAVE_IDENTITY_UNIQUEID_MISMATCH,
+            "mrsigner mismatch",
+            NULL);
+    }
+
+    if (qe_report_body->isvprodid != g_qe_isvprodid)
+        OE_RAISE_MSG(
+            QE_QUOTE_ENCLAVE_IDENTITY_PRODUCTID_MISMATCH,
+            "isvprodid mismatch. Expected 0x%04X, actual 0x%04X",
+            g_qe_isvprodid,
+            qe_report_body->isvprodid);
+
+    if (qe_report_body->isvsvn < g_qeisvsvn)
+        OE_RAISE_MSG(
+            OE_QUOTE_ENCLAVE_IDENTITY_VERIFICATION_FAILED,
+            "isvsvn is out-of-date. Required SVN 0x%08X, actual SVN 0x%08X",
+            g_qeisvsvn,
+            qe_report_body->isvsvn);
+
+    // Ensure that the QE is not a debug supporting enclave.
+    if (qe_report_body->attributes.flags & SGX_FLAGS_DEBUG)
+        OE_RAISE_MSG(
+            OE_QUOTE_ENCLAVE_IDENTITY_VERIFICATION_FAILED,
+            "QE has SGX_FLAGS_DEBUG set!!",
+            NULL);
+
+    result = OE_OK;
+
+done:
+
+    return result;
+}
+
+oe_result_t oe_validate_qe_identity(
+    sgx_report_body_t* qe_report_body,
+    oe_get_qe_identity_info_args_t* qe_id_args,
+    oe_datetime_t* validity_from,
+    oe_datetime_t* validity_until)
 {
     oe_result_t result = OE_FAILURE;
-    oe_get_qe_identity_info_args_t qe_id_args = {0};
     const uint8_t* pem_pck_certificate = NULL;
     size_t pem_pck_certificate_size = 0;
     oe_cert_chain_t pck_cert_chain = {0};
+    oe_cert_t leaf_cert = {0};
     oe_parsed_qe_identity_info_t parsed_info = {0};
+    oe_datetime_t from = {0};
+    oe_datetime_t until = {0};
 
     OE_TRACE_INFO("Calling %s\n", __FUNCTION__);
 
-    // fetch qe identity information
-    result = oe_get_qe_identity_info(&qe_id_args);
-    if (result == OE_QUOTE_PROVIDER_CALL_ERROR)
-    {
-        // No qe_identity info returned from the quote provider, this could be
-        // because either get_qe_identity_info API was not supported or
-        // unexpected error. In both cases, check against hardcoded quoting
-        // enclave properties instead Assert that the qe report's MRSIGNER
-        // matches Intel's quoting. We will remove these hardcoded values once
-        // the libdcap_quoteprov.so was updated to support qe identity feature.
-
-        // enclave's mrsigner.
-        if (!oe_constant_time_mem_equal(
-                qe_report_body->mrsigner, g_qe_mrsigner, sizeof(g_qe_mrsigner)))
-        {
-            dump_info(
-                "Expected mrsigner", g_qe_mrsigner, sizeof(g_qe_mrsigner));
-            dump_info(
-                "Actual mrsigner",
-                qe_report_body->mrsigner,
-                sizeof(qe_report_body->mrsigner));
-            OE_RAISE_MSG(
-                OE_QUOTE_ENCLAVE_IDENTITY_UNIQUEID_MISMATCH,
-                "mrsigner mismatch",
-                NULL);
-        }
-
-        if (qe_report_body->isvprodid != g_qe_isvprodid)
-            OE_RAISE_MSG(
-                QE_QUOTE_ENCLAVE_IDENTITY_PRODUCTID_MISMATCH,
-                "isvprodid mismatch. Expected 0x%04X, actual 0x%04X",
-                g_qe_isvprodid,
-                qe_report_body->isvprodid);
-
-        if (qe_report_body->isvsvn < g_qeisvsvn)
-            OE_RAISE_MSG(
-                OE_QUOTE_ENCLAVE_IDENTITY_VERIFICATION_FAILED,
-                "isvsvn is out-of-date. Required SVN 0x%08X, actual SVN 0x%08X",
-                g_qeisvsvn,
-                qe_report_body->isvsvn);
-
-        // Ensure that the QE is not a debug supporting enclave.
-        if (qe_report_body->attributes.flags & SGX_FLAGS_DEBUG)
-            OE_RAISE_MSG(
-                OE_QUOTE_ENCLAVE_IDENTITY_VERIFICATION_FAILED,
-                "QE has SGX_FLAGS_DEBUG set!!",
-                NULL);
-
-        result = OE_OK;
-        goto done;
-    }
-    OE_CHECK(result);
+    if (qe_id_args == NULL)
+        OE_RAISE(OE_INVALID_PARAMETER);
 
     // Use QE Identity info to validate QE
     // Check against fetched qe identityinfo
-    OE_TRACE_INFO("qe_identity.issuer_chain:[%s]\n", qe_id_args.issuer_chain);
-    pem_pck_certificate = qe_id_args.issuer_chain;
-    pem_pck_certificate_size = qe_id_args.issuer_chain_size;
+    OE_TRACE_INFO("qe_identity.issuer_chain:[%s]\n", qe_id_args->issuer_chain);
+    pem_pck_certificate = qe_id_args->issuer_chain;
+    pem_pck_certificate_size = qe_id_args->issuer_chain_size;
 
     // validate the cert chain.
     OE_CHECK(oe_cert_chain_read_pem(
         &pck_cert_chain, pem_pck_certificate, pem_pck_certificate_size));
 
     // parse identity info json blob
-    OE_TRACE_INFO("*qe_identity.qe_id_info:[%s]\n", qe_id_args.qe_id_info);
+    OE_TRACE_INFO("*qe_identity.qe_id_info:[%s]\n", qe_id_args->qe_id_info);
     OE_CHECK(oe_parse_qe_identity_info_json(
-        qe_id_args.qe_id_info, qe_id_args.qe_id_info_size, &parsed_info));
+        qe_id_args->qe_id_info, qe_id_args->qe_id_info_size, &parsed_info));
 
     // verify qe identity signature
     OE_TRACE_INFO("Calling oe_verify_ecdsa256_signature\n");
@@ -120,14 +133,24 @@ oe_result_t oe_enforce_qe_identity(sgx_report_body_t* qe_report_body)
         &pck_cert_chain));
     OE_TRACE_INFO("oe_verify_ecdsa256_signature succeeded\n");
 
+    // Get leaf certificate
+    OE_CHECK_MSG(
+        oe_cert_chain_get_leaf_cert(&pck_cert_chain, &leaf_cert),
+        "Failed to get leaf certificate.",
+        NULL);
+    oe_cert_get_validity_dates(&leaf_cert, &from, &until);
+
+    oe_datetime_log_info("QE identity cert issue date: ", &from);
+    oe_datetime_log_info("QE identity cert next update: ", &until);
+
     // Check that issue_date and next_update are after the earliest date that
     // the enclave accepts.
     if (oe_datetime_compare(
-            &parsed_info.issue_date, &_sgx_minimim_crl_tcb_issue_date) != 1)
+            &parsed_info.issue_date, &_sgx_minimim_crl_tcb_issue_date) < 0)
         OE_RAISE(OE_INVALID_QE_IDENTITY_INFO);
 
     if (oe_datetime_compare(
-            &parsed_info.next_update, &_sgx_minimim_crl_tcb_issue_date) != 1)
+            &parsed_info.next_update, &_sgx_minimim_crl_tcb_issue_date) < 0)
         OE_RAISE(OE_INVALID_QE_IDENTITY_INFO);
 
     // Assert that the qe report's MRSIGNER matches Intel's quoting enclave's
@@ -195,11 +218,34 @@ oe_result_t oe_enforce_qe_identity(sgx_report_body_t* qe_report_body)
             parsed_info.attributes_xfrm_mask,
             parsed_info.attributes.xfrm);
 
-    oe_cleanup_qe_identity_info_args(&qe_id_args);
+    if (qe_report_body->attributes.flags & SGX_FLAGS_DEBUG)
+        OE_RAISE_MSG(
+            OE_QUOTE_ENCLAVE_IDENTITY_VERIFICATION_FAILED,
+            "QE has SGX_FLAGS_DEBUG set!!",
+            NULL);
+
+    if (oe_datetime_compare(&parsed_info.issue_date, &from) > 0)
+        from = parsed_info.issue_date;
+    if (oe_datetime_compare(&parsed_info.next_update, &until) < 0)
+        until = parsed_info.next_update;
+
+    oe_datetime_log_info("QE identity overall issue date: ", &from);
+    oe_datetime_log_info("QE identity overall next update: ", &until);
+    if (oe_datetime_compare(&from, &until) > 0)
+        OE_RAISE_MSG(
+            OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD,
+            "Failed to find an overall QE identity validity period.",
+            NULL);
+
+    *validity_from = from;
+    *validity_until = until;
+
     result = OE_OK;
 
 done:
     if (pck_cert_chain.impl[0] != 0)
         oe_cert_chain_free(&pck_cert_chain);
+    oe_cert_free(&leaf_cert);
+
     return result;
 }
diff --git a/common/sgx/qeidentity.h b/common/sgx/qeidentity.h
index ef4ad7970a..1327da2b3a 100644
--- a/common/sgx/qeidentity.h
+++ b/common/sgx/qeidentity.h
@@ -12,13 +12,34 @@
 
 OE_EXTERNC_BEGIN
 
-oe_result_t oe_enforce_qe_identity(sgx_report_body_t* qe_report_body);
+/**
+ * This is needed to be backwards compatible
+ * with the older quote provider.
+ *
+ * @param[in] qe_report_body The QE report body from the quote.
+ */
+oe_result_t oe_validate_qe_report_body(sgx_report_body_t* qe_report_body);
+
+/**
+ * Validate the QE identity information.  Returns the validity time range
+ * for the caller to validate.
+ *
+ * @param[in] qe_report_body The QE report body from the quote.
+ * @param[in] qe_id_args The QE identity info.
+ * @param[out] validity_from The date from which the QE identity info is valid.
+ * @param[out] validity_until The date which the QE identity info expires.
+ */
+oe_result_t oe_validate_qe_identity(
+    sgx_report_body_t* qe_report_body,
+    oe_get_qe_identity_info_args_t* qe_id_args,
+    oe_datetime_t* validity_from,
+    oe_datetime_t* validity_until);
 
 // Fetch qe identity info using the specified args structure.
 oe_result_t oe_get_qe_identity_info(oe_get_qe_identity_info_args_t* args);
 
 // Cleanup the args structure.
-void oe_cleanup_qe_identity_info_args(oe_get_qe_identity_info_args_t* args);
+void oe_free_qe_identity_info_args(oe_get_qe_identity_info_args_t* args);
 
 void dump_info(const char* title, const uint8_t* data, const uint8_t count);
 
diff --git a/common/sgx/quote.c b/common/sgx/quote.c
index 7fd01324ec..cf6d95e313 100644
--- a/common/sgx/quote.c
+++ b/common/sgx/quote.c
@@ -9,9 +9,12 @@
 #include <openenclave/internal/sgxtypes.h>
 #include <openenclave/internal/utils.h>
 #include "../common.h"
+#include "collaterals.h"
 #include "qeidentity.h"
 #include "revocation.h"
 
+#include <time.h>
+
 // Public key of Intel's root certificate.
 static const char* g_expected_root_certificate_key =
     "-----BEGIN PUBLIC KEY-----\n"
@@ -29,6 +32,49 @@ OE_INLINE uint32_t ReadUint32(const uint8_t* p)
     return (uint32_t)(p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24));
 }
 
+static oe_result_t _validate_sgx_quote(const sgx_quote_t* sgx_quote)
+{
+    oe_result_t result = OE_OK;
+
+    if (sgx_quote->version != OE_SGX_QUOTE_VERSION)
+    {
+        OE_RAISE_MSG(
+            OE_QUOTE_VERIFICATION_ERROR,
+            "Unexpected quote version sgx_quote->version=%d",
+            sgx_quote->version);
+    }
+
+done:
+    return result;
+}
+
+static oe_result_t _validate_qe_cert_data(
+    const sgx_qe_cert_data_t* qe_cert_data)
+{
+    oe_result_t result = OE_OK;
+
+    // The certificate provided in the quote is preferred.
+    if (qe_cert_data->type != OE_SGX_PCK_ID_PCK_CERT_CHAIN)
+        OE_RAISE_MSG(
+            OE_MISSING_CERTIFICATE_CHAIN,
+            "Unexpected certificate type (qe_cert_data->type=%d)",
+            qe_cert_data->type);
+
+    if (qe_cert_data->size == 0)
+        OE_RAISE_MSG(
+            OE_QUOTE_VERIFICATION_ERROR,
+            "Quoting enclave certificate data is empty.",
+            NULL);
+
+    if (qe_cert_data->data == NULL)
+        OE_RAISE_MSG(
+            OE_MISSING_CERTIFICATE_CHAIN,
+            "No PCK certificate found in SGX quote.",
+            NULL);
+done:
+    return result;
+}
+
 static oe_result_t _parse_quote(
     const uint8_t* quote,
     size_t quote_size,
@@ -43,20 +89,27 @@ static oe_result_t _parse_quote(
     const uint8_t* const quote_end = quote + quote_size;
 
     if (quote_end < p)
-    {
         // Pointer wrapped around.
-        OE_RAISE(OE_REPORT_PARSE_ERROR);
-    }
+        OE_RAISE_MSG(
+            OE_REPORT_PARSE_ERROR,
+            "Parsing error.  Pointer wrapper around.",
+            NULL);
 
     *sgx_quote = NULL;
 
     *sgx_quote = (sgx_quote_t*)p;
     p += sizeof(sgx_quote_t);
     if (p > quote_end)
-        OE_RAISE(OE_REPORT_PARSE_ERROR);
+        OE_RAISE_MSG(
+            OE_REPORT_PARSE_ERROR,
+            "Parse error after parsing SGX quote, before signature.",
+            NULL);
 
     if (p + (*sgx_quote)->signature_len != quote_end)
-        OE_RAISE(OE_REPORT_PARSE_ERROR);
+        OE_RAISE_MSG(
+            OE_REPORT_PARSE_ERROR,
+            "Parse error after parsing SGX signature.",
+            NULL);
 
     *quote_auth_data = (sgx_quote_auth_data_t*)(*sgx_quote)->signature;
     p += sizeof(sgx_quote_auth_data_t);
@@ -67,7 +120,10 @@ static oe_result_t _parse_quote(
     p += qe_auth_data->size;
 
     if (p > quote_end)
-        OE_RAISE(OE_REPORT_PARSE_ERROR);
+        OE_RAISE_MSG(
+            OE_REPORT_PARSE_ERROR,
+            "Parse error after parsing QE authorization data.",
+            NULL);
 
     qe_cert_data->type = ReadUint16(p);
     p += 2;
@@ -77,7 +133,21 @@ static oe_result_t _parse_quote(
     p += qe_cert_data->size;
 
     if (p != quote_end)
-        OE_RAISE(OE_REPORT_PARSE_ERROR);
+        OE_RAISE_MSG(
+            OE_REPORT_PARSE_ERROR,
+            "Unexpected quote length while parsing.",
+            NULL);
+
+    //
+    // Validation
+    //
+    OE_CHECK_MSG(
+        _validate_sgx_quote(*sgx_quote), "SGX quote validation failed.", NULL);
+
+    OE_CHECK_MSG(
+        _validate_qe_cert_data(qe_cert_data),
+        "Failed to validate QE certificate data.",
+        NULL);
 
     result = OE_OK;
 done:
@@ -134,15 +204,10 @@ static oe_result_t _ecdsa_verify(
     return result;
 }
 
-oe_result_t oe_verify_quote_internal(
+static oe_result_t oe_verify_quote_internal(
     const uint8_t* quote,
     size_t quote_size,
-    const uint8_t* pem_pck_certificate,
-    size_t pem_pck_certificate_size,
-    const uint8_t* pck_crl,
-    size_t pck_crl_size,
-    const uint8_t* tcb_info_json,
-    size_t tcb_info_json_size)
+    bool no_collaterals)
 {
     oe_result_t result = OE_UNEXPECTED;
     sgx_quote_t* sgx_quote = NULL;
@@ -161,84 +226,89 @@ oe_result_t oe_verify_quote_internal(
     oe_ec_public_key_t expected_root_public_key = {0};
     bool key_equal = false;
 
-    OE_UNUSED(pck_crl);
-    OE_UNUSED(pck_crl_size);
-    OE_UNUSED(tcb_info_json);
-    OE_UNUSED(tcb_info_json_size);
-
-    OE_CHECK(_parse_quote(
-        quote,
-        quote_size,
-        &sgx_quote,
-        &quote_auth_data,
-        &qe_auth_data,
-        &qe_cert_data));
+    uint8_t* pem_pck_certificate = NULL;
+    size_t pem_pck_certificate_size = 0;
 
-    if (sgx_quote->version != OE_SGX_QUOTE_VERSION)
-    {
-        OE_RAISE_MSG(
-            OE_QUOTE_VERIFICATION_ERROR,
-            "Unexpected quote version sgx_quote->version=%d",
-            sgx_quote->version);
-    }
-
-    // The certificate provided in the quote is preferred.
-    if (qe_cert_data.type == OE_SGX_PCK_ID_PCK_CERT_CHAIN)
-    {
-        if (qe_cert_data.size == 0)
-            OE_RAISE(OE_QUOTE_VERIFICATION_ERROR);
-        pem_pck_certificate = qe_cert_data.data;
-        pem_pck_certificate_size = qe_cert_data.size;
-    }
-    else
-    {
-        OE_RAISE_MSG(
-            OE_MISSING_CERTIFICATE_CHAIN,
-            "Unexpected certificate type (qe_cert_data.type=%d)",
-            qe_cert_data.type);
-    }
-
-    if (pem_pck_certificate == NULL)
-        OE_RAISE_MSG(
-            OE_MISSING_CERTIFICATE_CHAIN, "No certificate found", NULL);
+    OE_CHECK_MSG(
+        _parse_quote(
+            quote,
+            quote_size,
+            &sgx_quote,
+            &quote_auth_data,
+            &qe_auth_data,
+            &qe_cert_data),
+        "Failed to parse quote. %s",
+        oe_result_str(result));
+
+    pem_pck_certificate = qe_cert_data.data;
+    pem_pck_certificate_size = qe_cert_data.size;
 
     // PckCertificate Chain validations.
     {
         // Read and validate the chain.
-        OE_CHECK(oe_cert_chain_read_pem(
-            &pck_cert_chain, pem_pck_certificate, pem_pck_certificate_size));
+        OE_CHECK_MSG(
+            oe_cert_chain_read_pem(
+                &pck_cert_chain, pem_pck_certificate, pem_pck_certificate_size),
+            "Failed to parse certificate chain.",
+            NULL);
 
         // Fetch leaf and root certificates.
-        OE_CHECK(oe_cert_chain_get_leaf_cert(&pck_cert_chain, &leaf_cert));
-        OE_CHECK(oe_cert_chain_get_root_cert(&pck_cert_chain, &root_cert));
-        OE_CHECK(
-            oe_cert_chain_get_cert(&pck_cert_chain, 1, &intermediate_cert));
+        OE_CHECK_MSG(
+            oe_cert_chain_get_leaf_cert(&pck_cert_chain, &leaf_cert),
+            "Failed to get leaf certificate.",
+            NULL);
+        OE_CHECK_MSG(
+            oe_cert_chain_get_root_cert(&pck_cert_chain, &root_cert),
+            "Failed to get root certificate.",
+            NULL);
+        OE_CHECK_MSG(
+            oe_cert_chain_get_cert(&pck_cert_chain, 1, &intermediate_cert),
+            "Failed to get intermediate certificate.",
+            NULL);
 
-        OE_CHECK(oe_cert_get_ec_public_key(&leaf_cert, &leaf_public_key));
-        OE_CHECK(oe_cert_get_ec_public_key(&root_cert, &root_public_key));
+        // Get public keys.
+        OE_CHECK_MSG(
+            oe_cert_get_ec_public_key(&leaf_cert, &leaf_public_key),
+            "Failed to get leaf cert public key.",
+            NULL);
+        OE_CHECK_MSG(
+            oe_cert_get_ec_public_key(&root_cert, &root_public_key),
+            "Failed to get root cert public key.",
+            NULL);
 
         // Ensure that the root certificate matches root of trust.
-        OE_CHECK(oe_ec_public_key_read_pem(
-            &expected_root_public_key,
-            (const uint8_t*)g_expected_root_certificate_key,
-            oe_strlen(g_expected_root_certificate_key) + 1));
-
-        OE_CHECK(oe_ec_public_key_equal(
-            &root_public_key, &expected_root_public_key, &key_equal));
-        if (!key_equal)
-            OE_RAISE(OE_QUOTE_VERIFICATION_ERROR);
-
         OE_CHECK_MSG(
-            oe_enforce_revocation(
-                &leaf_cert, &intermediate_cert, &pck_cert_chain),
-            "enforcing CRL",
+            oe_ec_public_key_read_pem(
+                &expected_root_public_key,
+                (const uint8_t*)g_expected_root_certificate_key,
+                oe_strlen(g_expected_root_certificate_key) + 1),
+            "Failed to read expected root cert key.",
             NULL);
+        OE_CHECK_MSG(
+            oe_ec_public_key_equal(
+                &root_public_key, &expected_root_public_key, &key_equal),
+            "Failed to compare keys.",
+            NULL);
+        if (!key_equal)
+            OE_RAISE_MSG(
+                OE_QUOTE_VERIFICATION_ERROR,
+                "Failed to verify root public key.",
+                NULL);
+
+        if (no_collaterals)
+            OE_CHECK_MSG(
+                oe_enforce_revocation(&leaf_cert, &intermediate_cert),
+                "Failed when enforcing CRL",
+                NULL);
     }
 
     // Quote validations.
     {
         // Verify SHA256 ECDSA (qe_report_body_signature, qe_report_body,
         // PckCertificate.pub_key)
+        //
+        // Hash with PCK(QE report body) == QE report body signature
+        //
         OE_CHECK_MSG(
             _ecdsa_verify(
                 &leaf_public_key,
@@ -257,23 +327,26 @@ oe_result_t oe_verify_quote_internal(
             (const uint8_t*)&quote_auth_data->attestation_key,
             sizeof(quote_auth_data->attestation_key)));
         if (qe_auth_data.size > 0)
-        {
             OE_CHECK(oe_sha256_update(
                 &sha256_ctx, qe_auth_data.data, qe_auth_data.size));
-        }
         OE_CHECK(oe_sha256_final(&sha256_ctx, &sha256));
 
         if (!oe_constant_time_mem_equal(
                 &sha256,
                 &quote_auth_data->qe_report_body.report_data,
                 sizeof(sha256)))
-            OE_RAISE(OE_QUOTE_VERIFICATION_ERROR);
+            OE_RAISE_MSG(
+                OE_QUOTE_VERIFICATION_ERROR,
+                "QE authentication data signature verification failed.",
+                NULL);
 
         // Verify SHA256 ECDSA (attestation_key, SGX_QUOTE_SIGNED_DATA,
         // signature)
+        //
+        // Hash with attestation_key(sgx_quote) == quote_auth_data signature
+        //
         OE_CHECK(_read_public_key(
             &quote_auth_data->attestation_key, &attestation_key));
-
         OE_CHECK_MSG(
             _ecdsa_verify(
                 &attestation_key,
@@ -284,11 +357,12 @@ oe_result_t oe_verify_quote_internal(
             NULL);
     }
 
-    // Quoting Enclave validations.
-    OE_CHECK_MSG(
-        oe_enforce_qe_identity(&quote_auth_data->qe_report_body),
-        "Quoting enclave identity checking",
-        NULL);
+    if (no_collaterals)
+        OE_CHECK_MSG(
+            oe_validate_qe_report_body(&quote_auth_data->qe_report_body),
+            "Quoting enclave identity checking",
+            NULL);
+
     result = OE_OK;
 
 done:
@@ -302,3 +376,311 @@ oe_result_t oe_verify_quote_internal(
     oe_cert_chain_free(&pck_cert_chain);
     return result;
 }
+
+oe_result_t oe_get_quote_cert_chain_internal(
+    const uint8_t* quote,
+    const size_t quote_size,
+    const uint8_t** pem_pck_certificate,
+    size_t* pem_pck_certificate_size,
+    oe_cert_chain_t* pck_cert_chain)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    sgx_quote_t* sgx_quote = NULL;
+    sgx_quote_auth_data_t* quote_auth_data = NULL;
+    sgx_qe_auth_data_t qe_auth_data = {0};
+    sgx_qe_cert_data_t qe_cert_data = {0};
+
+    if (quote == NULL || pem_pck_certificate == NULL || pck_cert_chain == NULL)
+    {
+        OE_RAISE(OE_INVALID_PARAMETER);
+    }
+
+    OE_CHECK_MSG(
+        _parse_quote(
+            quote,
+            quote_size,
+            &sgx_quote,
+            &quote_auth_data,
+            &qe_auth_data,
+            &qe_cert_data),
+        "Failed to parse quote. %s",
+        oe_result_str(result));
+
+    *pem_pck_certificate = qe_cert_data.data;
+    *pem_pck_certificate_size = qe_cert_data.size;
+
+    // Read and validate the chain.
+    OE_CHECK(oe_cert_chain_read_pem(
+        pck_cert_chain, *pem_pck_certificate, *pem_pck_certificate_size));
+
+    result = OE_OK;
+done:
+
+    return result;
+}
+
+static void _update_validity(
+    oe_datetime_t* latest_from,
+    oe_datetime_t* earliest_until,
+    oe_datetime_t* from,
+    oe_datetime_t* until)
+{
+    if (oe_datetime_compare(from, latest_from) > 0)
+    {
+        *latest_from = *from;
+    }
+
+    if (oe_datetime_compare(until, earliest_until) < 0)
+    {
+        *earliest_until = *until;
+    }
+}
+
+oe_result_t oe_verify_quote_internal_with_collaterals(
+    const uint8_t* quote,
+    size_t quote_size,
+    const uint8_t* collaterals,
+    size_t collaterals_size,
+    oe_datetime_t* validation_time)
+{
+    oe_result_t result = OE_UNEXPECTED;
+
+    uint8_t* local_collaterals = NULL;
+    size_t local_collaterals_size = 0;
+    oe_datetime_t validity_from = {0};
+    oe_datetime_t validity_until = {0};
+    oe_datetime_t creation_time = {0};
+
+    bool no_collaterals = false;
+
+    if (quote == NULL)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    if (collaterals == NULL)
+    {
+        result = oe_get_collaterals_internal(
+            quote,
+            quote_size,
+            (uint8_t**)&local_collaterals,
+            &local_collaterals_size);
+
+        if (result == OE_QUOTE_PROVIDER_CALL_ERROR)
+        {
+            // No qe_identity info returned from the quote provider, this could
+            // be because either get_qe_identity_info API was not supported or
+            // unexpected error. In both cases, check against hardcoded quoting
+            // enclave properties instead Assert that the qe report's MRSIGNER
+            // matches Intel's quoting. We will remove these hardcoded values
+            // once the libdcap_quoteprov.so was updated to support qe identity
+            // feature.
+            no_collaterals = true;
+        }
+        else
+        {
+            OE_CHECK_MSG(
+                result, "Failed to get collaterals. %s", oe_result_str(result));
+            collaterals = local_collaterals;
+            collaterals_size = local_collaterals_size;
+        }
+    }
+
+    OE_CHECK_MSG(
+        oe_verify_quote_internal(quote, quote_size, no_collaterals),
+        "Failed to verify remote quote.",
+        NULL);
+
+    if (!no_collaterals)
+    {
+        oe_collaterals_t* collaterals_body =
+            (oe_collaterals_t*)(collaterals + OE_COLLATERALS_HEADER_SIZE);
+
+        OE_CHECK_MSG(
+            oe_get_quote_validity_with_collaterals_internal(
+                quote,
+                quote_size,
+                collaterals,
+                collaterals_size,
+                &validity_from,
+                &validity_until),
+            "Failed to validate quote. %s",
+            oe_result_str(result));
+
+        // Verify quote/collaterals for the given time.  Use collateral creation
+        // time if one was not provided.
+        if (validation_time == NULL)
+        {
+            OE_CHECK_MSG(
+                oe_datetime_from_string(
+                    collaterals_body->creation_datetime,
+                    sizeof(collaterals_body->creation_datetime),
+                    &creation_time),
+                "Invalid creation time in collaterals.",
+                NULL);
+            validation_time = &creation_time;
+        }
+
+        oe_datetime_log_info("Validation datetime: ", validation_time);
+        if (oe_datetime_compare(validation_time, &validity_from) < 0)
+        {
+            oe_datetime_log_info("Latests valid datetime: ", &validity_from);
+            OE_RAISE_MSG(
+                OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD,
+                "Time to validate quote is earlier than the "
+                "latest 'valid from' value.",
+                NULL);
+        }
+        if (oe_datetime_compare(validation_time, &validity_until) > 0)
+        {
+            oe_datetime_log_info(
+                "Earliest expiration datetime: ", &validity_until);
+            OE_RAISE_MSG(
+                OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD,
+                "Time to validate quoteis later than the "
+                "earliest 'valid to' value.",
+                NULL);
+        }
+    }
+
+    result = OE_OK;
+
+done:
+    if (local_collaterals)
+        oe_free_collaterals_internal(local_collaterals);
+
+    return result;
+}
+
+oe_result_t oe_get_quote_validity_with_collaterals_internal(
+    const uint8_t* quote,
+    const size_t quote_size,
+    const uint8_t* collaterals,
+    size_t collaterals_size,
+    oe_datetime_t* valid_from,
+    oe_datetime_t* valid_until)
+{
+    oe_result_t result = OE_UNEXPECTED;
+
+    sgx_quote_t* sgx_quote = NULL;
+    sgx_quote_auth_data_t* quote_auth_data = NULL;
+    sgx_qe_auth_data_t qe_auth_data = {0};
+    sgx_qe_cert_data_t qe_cert_data = {0};
+
+    const uint8_t* pem_pck_certificate = NULL;
+    size_t pem_pck_certificate_size = 0;
+    oe_cert_chain_t pck_cert_chain = {0};
+
+    oe_collaterals_header_t* col_header = (oe_collaterals_header_t*)collaterals;
+    oe_collaterals_t* col =
+        (oe_collaterals_t*)(collaterals + OE_COLLATERALS_HEADER_SIZE);
+
+    oe_cert_t root_cert = {0};
+    oe_cert_t intermediate_cert = {0};
+    oe_cert_t pck_cert = {0};
+
+    oe_datetime_t latest_from = {0};
+    oe_datetime_t earliest_until = {0};
+    oe_datetime_t from;
+    oe_datetime_t until;
+
+    if ((quote == NULL) || (collaterals == NULL) || (valid_from == NULL) ||
+        (valid_until == NULL))
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    if ((col_header->collaterals_size != OE_COLLATERALS_BODY_SIZE) ||
+        (collaterals_size != OE_COLLATERALS_SIZE))
+        OE_RAISE_MSG(OE_INVALID_PARAMETER, "Invalid collaterals size.", NULL);
+
+    OE_TRACE_INFO("Call enter %s\n", __FUNCTION__);
+
+    OE_CHECK_MSG(
+        _parse_quote(
+            quote,
+            quote_size,
+            &sgx_quote,
+            &quote_auth_data,
+            &qe_auth_data,
+            &qe_cert_data),
+        "Failed to parse quote. %s",
+        oe_result_str(result));
+
+    pem_pck_certificate = qe_cert_data.data;
+    pem_pck_certificate_size = qe_cert_data.size;
+
+    OE_CHECK_MSG(
+        oe_get_quote_cert_chain_internal(
+            quote,
+            quote_size,
+            &pem_pck_certificate,
+            &pem_pck_certificate_size,
+            &pck_cert_chain),
+        "Failed to retreive PCK cert chain. %s",
+        oe_result_str(result));
+
+    // Fetch certificates.
+    OE_CHECK_MSG(
+        oe_cert_chain_get_leaf_cert(&pck_cert_chain, &pck_cert),
+        "Failed to get leaf certificate.",
+        NULL);
+    OE_CHECK_MSG(
+        oe_cert_chain_get_root_cert(&pck_cert_chain, &root_cert),
+        "Failed to get root certificate.",
+        NULL);
+    OE_CHECK_MSG(
+        oe_cert_chain_get_cert(&pck_cert_chain, 1, &intermediate_cert),
+        "Failed to get intermediate certificate.",
+        NULL);
+
+    // Process certs validity dates.
+    OE_CHECK_MSG(
+        oe_cert_get_validity_dates(&root_cert, &latest_from, &earliest_until),
+        "Failed to get validity info from cert. %s",
+        oe_result_str(result));
+    OE_CHECK_MSG(
+        oe_cert_get_validity_dates(&intermediate_cert, &from, &until),
+        "Failed to get validity info from cert. %s",
+        oe_result_str(result));
+    _update_validity(&latest_from, &earliest_until, &from, &until);
+
+    OE_CHECK_MSG(
+        oe_cert_get_validity_dates(&pck_cert, &from, &until),
+        "Failed to get validity info from cert. %s",
+        oe_result_str(result));
+    _update_validity(&latest_from, &earliest_until, &from, &until);
+
+    // Fetch revocation info validity dates.
+    OE_CHECK_MSG(
+        oe_validate_revocation_list(
+            &pck_cert, &col->revocation_info, &from, &until),
+        "Failed to validate revocation info. %s",
+        oe_result_str(result));
+    _update_validity(&latest_from, &earliest_until, &from, &until);
+
+    // QE identity info validity dates.
+    OE_CHECK_MSG(
+        oe_validate_qe_identity(
+            &quote_auth_data->qe_report_body, &col->qe_id_info, &from, &until),
+        "Failed quoting enclave identity checking. %s",
+        oe_result_str(result));
+    _update_validity(&latest_from, &earliest_until, &from, &until);
+
+    oe_datetime_log_info("Quote overall issue date: ", &latest_from);
+    oe_datetime_log_info("Quote overall next update: ", &earliest_until);
+    if (oe_datetime_compare(&latest_from, &earliest_until) > 0)
+        OE_RAISE_MSG(
+            OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD,
+            "Failed to find an overall validity period in quote.",
+            NULL);
+
+    *valid_from = latest_from;
+    *valid_until = earliest_until;
+
+    result = OE_OK;
+
+done:
+    oe_cert_free(&pck_cert);
+    oe_cert_free(&intermediate_cert);
+    oe_cert_free(&root_cert);
+    oe_cert_chain_free(&pck_cert_chain);
+
+    return result;
+}
diff --git a/common/sgx/quote.h b/common/sgx/quote.h
index bf279e25de..a1aa93357b 100644
--- a/common/sgx/quote.h
+++ b/common/sgx/quote.h
@@ -7,18 +7,80 @@
 #include <openenclave/bits/defs.h>
 #include <openenclave/bits/result.h>
 #include <openenclave/bits/types.h>
+#include <openenclave/internal/crypto/cert.h>
 
 OE_EXTERNC_BEGIN
 
-oe_result_t oe_verify_quote_internal(
-    const uint8_t* enc_quote,
+/*!
+ * Verify quote with optional collaterals.
+ *
+ * @param quote[in] Input quote.
+ * @param quote_size[in] The size of the quote.
+ * @param collaterals[in] Optional collaterals related to the quote.
+ * @param collatterals_size[in] The size of the collaterals.
+ * @param input_validation_time[in] Optional time to use for validation,
+ * defaults to the time the collaterals were created.
+ */
+oe_result_t oe_verify_quote_internal_with_collaterals(
+    const uint8_t* quote,
     size_t quote_size,
-    const uint8_t* enc_pem_pck_certificate,
-    size_t pem_pck_certificate_size,
-    const uint8_t* enc_pck_crl,
-    size_t enc_pck_crl_size,
-    const uint8_t* enc_tcb_info_json,
-    size_t enc_tcb_info_json_size);
+    const uint8_t* collaterals,
+    size_t collaterals_size,
+    oe_datetime_t* input_validation_time);
+
+/*!
+ * Retrieves certifate chain from the quote.
+ *
+ * Caller is responsible for deallocating memory in pck_cert_chain.
+ *
+ * @param quote[in] Input quote.
+ * @param quote_size[in] The size of the quote.
+ * @param pem_pck_certifcate[out] Pointer to the quote where the certificate PCK
+ * starts.
+ * @param pem_pck_certificate_size[out] Size of the PCK certificate.
+ * @param pck_cert_chain[out] Reference to an instance of oe_cert_chain_t where
+ * to store the chain.  Caller needs to free resources by calling
+ * oe_cert_chain_free()
+ */
+oe_result_t oe_get_quote_cert_chain_internal(
+    const uint8_t* quote,
+    const size_t quote_size,
+    const uint8_t** pem_pck_certificate,
+    size_t* pem_pck_certificate_size,
+    oe_cert_chain_t* pck_cert_chain);
+
+/*!
+ * Find the valid datetime range for the given quote, collaterals.  This
+ * function accounts for the following items:
+ *
+ * 1. From the quote:
+ *          a) Root CA.
+ *          b) Intermediate CA.
+ *          b) PCK CA.
+ * 2. From the revocation info:
+ *          a) Root CA CRL.
+ *          b) Intermediate CA CRL.
+ *          c) PCK CA CRL.
+ *          d) TCB info cert.
+ *          e) TCB info.
+ * 3. From QE identity info
+ *          a) QE identity cert.
+ *          b) QE identity.
+ *
+ * @param quote[in] Input quote.
+ * @param quote_size[in] The size of the quote.
+ * @param collaterals[in] Optional collaterals related to the quote.
+ * @param collatterals_size[in] The size of the collaterals.
+ * @param valid_from[out] validity_from The date from which the quote is valid.
+ * @param valid_until[out] validity_until The date which the quote expires.
+ */
+oe_result_t oe_get_quote_validity_with_collaterals_internal(
+    const uint8_t* quote,
+    const size_t quote_size,
+    const uint8_t* collaterals,
+    size_t collaterals_size,
+    oe_datetime_t* valid_from,
+    oe_datetime_t* valid_until);
 
 OE_EXTERNC_END
 
diff --git a/common/sgx/revocation.c b/common/sgx/revocation.c
index 1b0884211c..9e968b8d3b 100644
--- a/common/sgx/revocation.c
+++ b/common/sgx/revocation.c
@@ -42,6 +42,104 @@ oe_result_t __oe_sgx_set_minimum_crl_tcb_issue_date(
     return result;
 }
 
+static oe_result_t _get_tcb_info_validity(
+    const oe_parsed_tcb_info_t* parsed_tcb_info,
+    oe_datetime_t* from,
+    oe_datetime_t* until)
+{
+    *from = parsed_tcb_info->issue_date;
+    *until = parsed_tcb_info->next_update;
+
+    return OE_OK;
+}
+
+static oe_result_t _get_crl_validity(
+    const oe_crl_t* crls,
+    const uint32_t crls_count,
+    oe_datetime_t* from,
+    oe_datetime_t* until)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    oe_datetime_t crl_this_update_date = {0};
+    oe_datetime_t crl_next_update_date = {0};
+
+    if (crls_count > 0)
+    {
+        OE_CHECK_MSG(
+            oe_crl_get_update_dates(&crls[0], from, until),
+            "Failed to get CRL update dates. %s",
+            oe_result_str(result));
+
+        for (uint32_t i = 0; i < crls_count; ++i)
+        {
+            OE_CHECK_MSG(
+                oe_crl_get_update_dates(
+                    &crls[0], &crl_this_update_date, &crl_next_update_date),
+                "Failed to get CRL update dates. %s",
+                oe_result_str(result));
+
+            if (oe_datetime_compare(&crl_this_update_date, from) > 0)
+            {
+                *from = crl_this_update_date;
+            }
+            if (oe_datetime_compare(&crl_next_update_date, until) < 0)
+            {
+                *until = crl_next_update_date;
+            }
+        }
+
+        result = OE_OK;
+    }
+
+done:
+    return result;
+}
+
+static oe_result_t _get_revocation_validity(
+    const oe_parsed_tcb_info_t* parsed_tcb_info,
+    const oe_crl_t* crls,
+    const uint32_t crls_count,
+    oe_datetime_t* from,
+    oe_datetime_t* until)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    oe_datetime_t latest_from = {0};
+    oe_datetime_t earliest_until = {0};
+    oe_datetime_t current_from = {0};
+    oe_datetime_t current_until = {0};
+
+    OE_CHECK_MSG(
+        _get_tcb_info_validity(parsed_tcb_info, &latest_from, &earliest_until),
+        "Failed to get TCB info validity datetime info. %s",
+        oe_result_str(result));
+    oe_datetime_log_info("TCB info validity from date: ", &latest_from);
+    oe_datetime_log_info("TCB info validity until date: ", &earliest_until);
+
+    OE_CHECK_MSG(
+        _get_crl_validity(crls, crls_count, &current_from, &current_until),
+        "Failed to get CRL validity datetime info. %s",
+        oe_result_str(result));
+    oe_datetime_log_info("CRL validity from date: ", &current_from);
+    oe_datetime_log_info("CRL validity until date: ", &current_until);
+
+    // Currently we are ignoring TCB Info validity dates because
+    // the data is expired.  See Icm 148493545
+    latest_from = current_from;
+    earliest_until = current_until;
+
+    oe_datetime_log_info(
+        "Revocation overall validity from date: ", &latest_from);
+    oe_datetime_log_info(
+        "Revocation overall validity until date: ", &earliest_until);
+
+    *from = latest_from;
+    *until = earliest_until;
+    result = OE_OK;
+
+done:
+    return result;
+}
+
 /**
  * Parse sgx extensions from given cert.
  */
@@ -141,50 +239,28 @@ static oe_result_t _get_crl_distribution_point(oe_cert_t* cert, char** url)
     return result;
 }
 
-static void _trace_datetime(const char* msg, const oe_datetime_t* date)
-{
-    if (oe_get_current_logging_level() >= OE_LOG_LEVEL_INFO)
-    {
-        char str[21];
-        size_t size = sizeof(str);
-        oe_datetime_to_string(date, str, &size);
-        OE_TRACE_INFO("%s%s\n", msg, str);
-    }
-}
-
-oe_result_t oe_enforce_revocation(
+/**
+ * Call into host to fetch revocation information given the CA and PCK
+ * certificates.
+ */
+oe_result_t oe_get_revocation_info_from_certs(
     oe_cert_t* leaf_cert,
     oe_cert_t* intermediate_cert,
-    oe_cert_chain_t* pck_cert_chain)
+    oe_get_revocation_info_args_t* args)
 {
     oe_result_t result = OE_FAILURE;
     ParsedExtensionInfo parsed_extension_info = {{0}};
-    oe_get_revocation_info_args_t revocation_args = {0};
-    oe_cert_chain_t tcb_issuer_chain = {0};
-    oe_cert_chain_t crl_issuer_chain[3] = {{{0}}};
-    oe_parsed_tcb_info_t parsed_tcb_info = {0};
-    oe_tcb_level_t platform_tcb_level = {{0}};
     char* intermediate_crl_url = NULL;
     char* leaf_crl_url = NULL;
-    oe_crl_t crls[2] = {{{0}}};
-    const oe_crl_t* crl_ptrs[2] = {&crls[0], &crls[1]};
-    oe_datetime_t crl_this_update_date = {0};
-    oe_datetime_t crl_next_update_date = {0};
-
-    OE_UNUSED(pck_cert_chain);
 
     if (intermediate_cert == NULL || leaf_cert == NULL)
         OE_RAISE(OE_INVALID_PARAMETER);
 
-    OE_STATIC_ASSERT(
-        OE_COUNTOF(crl_issuer_chain) ==
-        OE_COUNTOF(revocation_args.crl_issuer_chain));
-
     // Gather fmspc.
     OE_CHECK(_parse_sgx_extensions(leaf_cert, &parsed_extension_info));
     OE_CHECK(oe_memcpy_s(
-        revocation_args.fmspc,
-        sizeof(revocation_args.fmspc),
+        args->fmspc,
+        sizeof(args->fmspc),
         parsed_extension_info.fmspc,
         sizeof(parsed_extension_info.fmspc)));
 
@@ -193,32 +269,109 @@ oe_result_t oe_enforce_revocation(
         _get_crl_distribution_point(intermediate_cert, &intermediate_crl_url));
     OE_CHECK(_get_crl_distribution_point(leaf_cert, &leaf_crl_url));
 
-    revocation_args.crl_urls[0] = leaf_crl_url;
-    revocation_args.crl_urls[1] = intermediate_crl_url;
-    revocation_args.num_crl_urls = 2;
+    args->crl_urls[0] = leaf_crl_url;
+    args->crl_urls[1] = intermediate_crl_url;
+    args->num_crl_urls = 2;
 
-    OE_CHECK(oe_get_revocation_info(&revocation_args));
+    OE_CHECK(oe_get_revocation_info(args));
+
+    result = OE_OK;
+done:
+
+    oe_free(leaf_crl_url);
+    oe_free(intermediate_crl_url);
+
+    return result;
+}
+
+oe_result_t oe_enforce_revocation(
+    oe_cert_t* leaf_cert,
+    oe_cert_t* intermediate_cert)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    oe_get_revocation_info_args_t revocation_args = {0};
+    oe_datetime_t validity_from = {0};
+    oe_datetime_t validity_until = {0};
+
+    OE_CHECK(oe_get_revocation_info_from_certs(
+        leaf_cert, intermediate_cert, &revocation_args));
+
+    OE_CHECK(oe_validate_revocation_list(
+        leaf_cert, &revocation_args, &validity_from, &validity_until));
+
+    result = OE_OK;
+
+done:
+    oe_free_get_revocation_info_args(&revocation_args);
+
+    return result;
+}
+
+oe_result_t oe_validate_revocation_list(
+    oe_cert_t* pck_cert,
+    oe_get_revocation_info_args_t* revocation_args,
+    oe_datetime_t* validity_from,
+    oe_datetime_t* validity_until)
+{
+    oe_result_t result = OE_UNEXPECTED;
+
+    ParsedExtensionInfo parsed_extension_info = {{0}};
+    oe_cert_chain_t tcb_issuer_chain = {0};
+    oe_cert_chain_t crl_issuer_chain[3] = {{{0}}};
+    oe_cert_t tcb_cert = {0};
+    oe_parsed_tcb_info_t parsed_tcb_info = {0};
+    oe_tcb_level_t platform_tcb_level = {{0}};
+
+    oe_crl_t crls[2] = {{{0}}};
+    const oe_crl_t* crl_ptrs[2] = {&crls[0], &crls[1]};
+    oe_datetime_t from = {0};
+    oe_datetime_t until = {0};
+    oe_datetime_t latest_from = {0};
+    oe_datetime_t earliest_until = {0};
+
+    if (pck_cert == NULL || revocation_args == NULL)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    OE_STATIC_ASSERT(
+        OE_COUNTOF(crl_issuer_chain) ==
+        OE_COUNTOF(revocation_args->crl_issuer_chain));
+
+    OE_CHECK_MSG(
+        _parse_sgx_extensions(pck_cert, &parsed_extension_info),
+        "Failed to parse SGX extensions from leaf cert. %s",
+        oe_result_str(result));
 
     // Apply revocation info.
-    OE_CHECK(oe_cert_chain_read_pem(
-        &tcb_issuer_chain,
-        revocation_args.tcb_issuer_chain,
-        revocation_args.tcb_issuer_chain_size));
+    OE_CHECK_MSG(
+        oe_cert_chain_read_pem(
+            &tcb_issuer_chain,
+            revocation_args->tcb_issuer_chain,
+            revocation_args->tcb_issuer_chain_size),
+        "Failed to read TCB chain certificate. %s",
+        oe_result_str(result));
 
     // Read CRLs for each cert other than root. If any CRL is missing, the read
     // will error out.
-    for (uint32_t i = 0; i < revocation_args.num_crl_urls; ++i)
+    for (uint32_t i = 0; i < revocation_args->num_crl_urls; ++i)
     {
-        OE_CHECK(oe_crl_read_der(
-            &crls[i], revocation_args.crl[i], revocation_args.crl_size[i]));
-        OE_CHECK(oe_cert_chain_read_pem(
-            &crl_issuer_chain[i],
-            revocation_args.crl_issuer_chain[i],
-            revocation_args.crl_issuer_chain_size[i]));
+        OE_CHECK_MSG(
+            oe_crl_read_der(
+                &crls[i],
+                revocation_args->crl[i],
+                revocation_args->crl_size[i]),
+            "Failed to read CRL. %s",
+            oe_result_str(result));
+        OE_CHECK_MSG(
+            oe_cert_chain_read_pem(
+                &crl_issuer_chain[i],
+                revocation_args->crl_issuer_chain[i],
+                revocation_args->crl_issuer_chain_size[i]),
+            "Failed to read CRL cert chain. %s",
+            oe_result_str(result));
         OE_TRACE_VERBOSE(
             "CRL certificate[%d]: \n[%s]\n",
             i,
-            revocation_args.crl_issuer_chain[i]);
+            revocation_args->crl_issuer_chain[i]);
     }
 
     // Verify the leaf cert.
@@ -236,8 +389,11 @@ oe_result_t oe_enforce_revocation(
     // constraint. If the crl_issuer_chain was different from the certificate
     // chain, then verification would fail because the CRLs will not be found
     // for certificates in the chain.
-    OE_CHECK(oe_cert_verify(
-        leaf_cert, crl_issuer_chain, crl_ptrs, OE_COUNTOF(crl_ptrs)));
+    OE_CHECK_MSG(
+        oe_cert_verify(
+            pck_cert, crl_issuer_chain, crl_ptrs, OE_COUNTOF(crl_ptrs)),
+        "Failed to verify leaf certificate. %s",
+        oe_result_str(result));
 
     for (uint32_t i = 0; i < OE_COUNTOF(platform_tcb_level.sgx_tcb_comp_svn);
          ++i)
@@ -248,62 +404,96 @@ oe_result_t oe_enforce_revocation(
     platform_tcb_level.pce_svn = parsed_extension_info.pce_svn;
     platform_tcb_level.status = OE_TCB_LEVEL_STATUS_UNKNOWN;
 
-    OE_CHECK(oe_parse_tcb_info_json(
-        revocation_args.tcb_info,
-        revocation_args.tcb_info_size,
-        &platform_tcb_level,
-        &parsed_tcb_info));
-
-    OE_CHECK(oe_verify_ecdsa256_signature(
-        parsed_tcb_info.tcb_info_start,
-        parsed_tcb_info.tcb_info_size,
-        (sgx_ecdsa256_signature_t*)parsed_tcb_info.signature,
-        &tcb_issuer_chain));
-
-    // Check that the tcb has been issued after the earliest date that the
-    // enclave accepts.
-    if (oe_datetime_compare(
-            &parsed_tcb_info.issue_date, &_sgx_minimim_crl_tcb_issue_date) != 1)
-        OE_RAISE(OE_INVALID_REVOCATION_INFO);
-
-    // Check that the CRLs have not expired.
-    // The next update of the CRL must be after the earliest date that
-    // the enclave accepts.
-    for (uint32_t i = 0; i < OE_COUNTOF(crls); ++i)
+    OE_CHECK_MSG(
+        oe_parse_tcb_info_json(
+            revocation_args->tcb_info,
+            revocation_args->tcb_info_size,
+            &platform_tcb_level,
+            &parsed_tcb_info),
+        "Failed to parse TCB info. %s",
+        oe_result_str(result));
+
+    OE_CHECK_MSG(
+        oe_verify_ecdsa256_signature(
+            parsed_tcb_info.tcb_info_start,
+            parsed_tcb_info.tcb_info_size,
+            (sgx_ecdsa256_signature_t*)parsed_tcb_info.signature,
+            &tcb_issuer_chain),
+        "Failed to verify ECDSA 256 signature in TCB. %s",
+        oe_result_str(result));
+
+    OE_CHECK_MSG(
+        _get_revocation_validity(
+            &parsed_tcb_info,
+            crls,
+            OE_COUNTOF(crls),
+            &latest_from,
+            &earliest_until),
+        "Failed to get revocation validity datetime info. %s",
+        oe_result_str(result));
+
+    if (oe_datetime_compare(&latest_from, &_sgx_minimim_crl_tcb_issue_date) < 0)
     {
-        OE_CHECK(oe_crl_get_update_dates(
-            &crls[i], &crl_this_update_date, &crl_next_update_date));
-
-        _trace_datetime("crl this update date ", &crl_this_update_date);
-        _trace_datetime("crl next update date ", &crl_next_update_date);
-
-        // CRL must be issued after minimum date.
-        if (oe_datetime_compare(
-                &crl_this_update_date, &_sgx_minimim_crl_tcb_issue_date) != 1)
-            OE_RAISE(OE_INVALID_REVOCATION_INFO);
+        oe_datetime_log_info("Latest issue date : ", &latest_from);
+        oe_datetime_log_info(
+            " is earlier than minimum issue date: ",
+            &_sgx_minimim_crl_tcb_issue_date);
+        OE_RAISE_MSG(
+            OE_INVALID_REVOCATION_INFO,
+            "Revocation validation failed minimum issue date. %s",
+            oe_result_str(result));
+    }
 
-        // Also check that next update date is after minimum date.
-        if (oe_datetime_compare(
-                &crl_next_update_date, &_sgx_minimim_crl_tcb_issue_date) != 1)
-            OE_RAISE(OE_INVALID_REVOCATION_INFO);
+    if (oe_datetime_compare(&earliest_until, &_sgx_minimim_crl_tcb_issue_date) <
+        0)
+    {
+        oe_datetime_log_info("Next update date : ", &earliest_until);
+        oe_datetime_log_info(
+            " is earlier than minimum issue date: ",
+            &_sgx_minimim_crl_tcb_issue_date);
+        OE_RAISE_MSG(
+            OE_INVALID_REVOCATION_INFO,
+            "Revocation validation failed minimum issue date. %s",
+            oe_result_str(result));
     }
 
+    // Get TCB cert validity period.
+    OE_CHECK_MSG(
+        oe_cert_chain_get_leaf_cert(&tcb_issuer_chain, &tcb_cert),
+        "Failed to get TCB certificate.",
+        NULL);
+    oe_cert_get_validity_dates(&tcb_cert, &from, &until);
+    oe_datetime_log_info("TCB cert issue date: ", &from);
+    oe_datetime_log_info("TCB cert next update: ", &until);
+
+    if (oe_datetime_compare(&from, &latest_from) > 0)
+        latest_from = from;
+    if (oe_datetime_compare(&until, &earliest_until) < 0)
+        earliest_until = until;
+    oe_datetime_log_info("Revocation overall issue date: ", &latest_from);
+    oe_datetime_log_info("Revocation overall next update: ", &earliest_until);
+
+    if (oe_datetime_compare(&latest_from, &earliest_until) > 0)
+        OE_RAISE_MSG(
+            OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD,
+            "Failed to find an overall revocation validity period.",
+            NULL);
+
+    *validity_from = latest_from;
+    *validity_until = earliest_until;
     result = OE_OK;
 
 done:
-    for (int32_t i = (int32_t)revocation_args.num_crl_urls - 1; i >= 0; --i)
+    for (int32_t i = (int32_t)revocation_args->num_crl_urls - 1; i >= 0; --i)
     {
         oe_crl_free(&crls[i]);
     }
-    for (uint32_t i = 0; i < revocation_args.num_crl_urls; ++i)
+    for (uint32_t i = 0; i < revocation_args->num_crl_urls; ++i)
     {
         oe_cert_chain_free(&crl_issuer_chain[i]);
     }
     oe_cert_chain_free(&tcb_issuer_chain);
-
-    oe_free(leaf_crl_url);
-    oe_free(intermediate_crl_url);
-    oe_cleanup_get_revocation_info_args(&revocation_args);
+    oe_cert_free(&tcb_cert);
 
     return result;
-}
+}
\ No newline at end of file
diff --git a/common/sgx/revocation.h b/common/sgx/revocation.h
index e5abbe24df..fc2e2436fe 100644
--- a/common/sgx/revocation.h
+++ b/common/sgx/revocation.h
@@ -12,16 +12,67 @@
 
 OE_EXTERNC_BEGIN
 
+/**
+ * This function gets the revocation information from the given
+ * PCK Cert and CA cert and does validation.
+ *
+ * @param[in] leaf_cert The PCK certificate.
+ * @param[in] revocation_args The revocation information.
+ */
 oe_result_t oe_enforce_revocation(
+    oe_cert_t* leaf_cert,
+    oe_cert_t* intermediate_cert);
+
+/** Validate revocation info.  Make sure the following:
+ *
+ *  1. TCB info.
+ *  2. CRL.
+ *
+ * Are valid and returns the validity dates for this
+ * revocation information for the caller to validate.
+ *
+ * @param pck_cert[in] The PCK certificate.
+ * @param revocation_args[in] The revocation information.
+ * @param validity_from[out] The date from which the revocation info is valid.
+ * @param validity_until[out] The date which the revocation info expires.
+ */
+oe_result_t oe_validate_revocation_list(
+    oe_cert_t* pck_cert,
+    oe_get_revocation_info_args_t* revocation_args,
+    oe_datetime_t* validity_from,
+    oe_datetime_t* validity_until);
+
+/**
+ * Fetch revocation info for the PCK certificate and CA
+ * certificate.
+ *
+ * Caller is responsbile for freeing the revocation info resources
+ * by calling oe_free_get_revocation_info_args().
+ *
+ * @param leaf_cert[in] the PCK certificate.
+ * @param intermediate_cert[in] the CA certificate.
+ * @param args[out] the revocation info.
+ */
+oe_result_t oe_get_revocation_info_from_certs(
     oe_cert_t* leaf_cert,
     oe_cert_t* intermediate_cert,
-    oe_cert_chain_t* pck_cert_chain);
+    oe_get_revocation_info_args_t* args);
 
-// Fetch revocation info using the specified args structure.
+/**
+ * Get the revocation info.  Caller is responsible for
+ * configuring the revocation info input parameters.
+ *
+ * @param args[in/out] the revocation info.
+ */
 oe_result_t oe_get_revocation_info(oe_get_revocation_info_args_t* args);
 
-// Cleanup the args structure.
-void oe_cleanup_get_revocation_info_args(oe_get_revocation_info_args_t* args);
+/**
+ * Free resources allocated by oe_get_revocation_info() and
+ * oe_get_revocation_info_from_certs().
+ *
+ * @param args[in] the revocation info.
+ */
+void oe_free_get_revocation_info_args(oe_get_revocation_info_args_t* args);
 
 OE_EXTERNC_END
 
diff --git a/enclave/CMakeLists.txt b/enclave/CMakeLists.txt
index 84891f5a51..30ce23569f 100644
--- a/enclave/CMakeLists.txt
+++ b/enclave/CMakeLists.txt
@@ -6,6 +6,7 @@ add_subdirectory(crypto)
 
 if (OE_SGX)
     set(PLATFORM_SRC
+        ../common/sgx/collaterals.c
         ../common/sgx/qeidentity.c
         ../common/sgx/quote.c
         ../common/sgx/report.c
diff --git a/enclave/core/CMakeLists.txt b/enclave/core/CMakeLists.txt
index c12447fdd3..4afb255ffd 100644
--- a/enclave/core/CMakeLists.txt
+++ b/enclave/core/CMakeLists.txt
@@ -50,6 +50,7 @@ set(MUSL_SRC_DIR ${PROJECT_SOURCE_DIR}/3rdparty/musl/musl/src)
 
 if (OE_SGX)
     list(APPEND PLATFORM_SRC
+        ../../common/sgx/collaterals.c
         sgx/backtrace.c
         sgx/calls.c
         sgx/cpuid.c
diff --git a/enclave/crypto/cert.c b/enclave/crypto/cert.c
index 9b562eb890..4416cc7698 100644
--- a/enclave/crypto/cert.c
+++ b/enclave/crypto/cert.c
@@ -1181,3 +1181,46 @@ oe_result_t oe_gen_custom_x509_cert(
 
     return result;
 }
+
+oe_result_t oe_cert_get_validity_dates(
+    const oe_cert_t* cert,
+    oe_datetime_t* not_before,
+    oe_datetime_t* not_after)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    const Cert* impl = (const Cert*)cert;
+
+    if (not_before)
+        memset(not_before, 0, sizeof(oe_datetime_t));
+
+    if (not_after)
+        memset(not_after, 0, sizeof(oe_datetime_t));
+
+    /* Reject invalid parameters */
+    if (!_cert_is_valid(impl))
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    if (not_before)
+    {
+        not_before->year = (uint32_t)impl->cert->valid_from.year;
+        not_before->month = (uint32_t)impl->cert->valid_from.mon;
+        not_before->day = (uint32_t)impl->cert->valid_from.day;
+        not_before->hours = (uint32_t)impl->cert->valid_from.hour;
+        not_before->minutes = (uint32_t)impl->cert->valid_from.min;
+        not_before->seconds = (uint32_t)impl->cert->valid_from.sec;
+    }
+
+    if (not_after)
+    {
+        not_after->year = (uint32_t)impl->cert->valid_to.year;
+        not_after->month = (uint32_t)impl->cert->valid_to.mon;
+        not_after->day = (uint32_t)impl->cert->valid_to.day;
+        not_after->hours = (uint32_t)impl->cert->valid_to.hour;
+        not_after->minutes = (uint32_t)impl->cert->valid_to.min;
+        not_after->seconds = (uint32_t)impl->cert->valid_to.sec;
+    }
+    result = OE_OK;
+
+done:
+    return result;
+}
diff --git a/enclave/sgx/qeidinfo.c b/enclave/sgx/qeidinfo.c
index 78d6c37899..6f4bdd45a3 100644
--- a/enclave/sgx/qeidinfo.c
+++ b/enclave/sgx/qeidinfo.c
@@ -117,7 +117,7 @@ oe_result_t oe_get_qe_identity_info(oe_get_qe_identity_info_args_t* args_out)
 }
 
 // Cleanup the args structure.
-void oe_cleanup_qe_identity_info_args(oe_get_qe_identity_info_args_t* args)
+void oe_free_qe_identity_info_args(oe_get_qe_identity_info_args_t* args)
 {
     if (!args)
         return;
diff --git a/enclave/sgx/report.c b/enclave/sgx/report.c
index d86a685849..a667d8e770 100644
--- a/enclave/sgx/report.c
+++ b/enclave/sgx/report.c
@@ -66,8 +66,8 @@ oe_result_t oe_verify_report(
 
     if (header->report_type == OE_REPORT_TYPE_SGX_REMOTE)
     {
-        OE_CHECK(oe_verify_quote_internal(
-            header->report, header->report_size, NULL, 0, NULL, 0, NULL, 0));
+        OE_CHECK(oe_verify_quote_internal_with_collaterals(
+            header->report, header->report_size, NULL, 0, NULL));
     }
     else if (header->report_type == OE_REPORT_TYPE_SGX_LOCAL)
     {
diff --git a/enclave/sgx/revocationinfo.c b/enclave/sgx/revocationinfo.c
index 0b1d1689dd..c82ea664d4 100644
--- a/enclave/sgx/revocationinfo.c
+++ b/enclave/sgx/revocationinfo.c
@@ -152,7 +152,7 @@ oe_result_t oe_get_revocation_info(oe_get_revocation_info_args_t* args)
     return result;
 }
 
-void oe_cleanup_get_revocation_info_args(oe_get_revocation_info_args_t* args)
+void oe_free_get_revocation_info_args(oe_get_revocation_info_args_t* args)
 {
     if (args)
     {
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index 4a75a4e2c2..cfc0bbb4b1 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -93,6 +93,7 @@ elseif (WIN32)
     crypto/bcrypt/rsa.c
     crypto/bcrypt/sha.c
     crypto/bcrypt/pem.c
+    crypto/bcrypt/util.c
     windows/hostthread.c)
 
   set(PLATFORM_SDK_ONLY_SRC
@@ -118,6 +119,7 @@ endif()
 # SGX specific files.
 if (OE_SGX)
   list(APPEND PLATFORM_HOST_ONLY_SRC
+    ../common/sgx/collaterals.c
     ../common/sgx/qeidentity.c
     ../common/sgx/quote.c
     ../common/sgx/report.c
diff --git a/host/crypto/bcrypt/cert.c b/host/crypto/bcrypt/cert.c
index fef8edcf78..e5ca149d21 100644
--- a/host/crypto/bcrypt/cert.c
+++ b/host/crypto/bcrypt/cert.c
@@ -17,6 +17,7 @@
 #include "key.h"
 #include "pem.h"
 #include "rsa.h"
+#include "util.h"
 
 /*
 **==============================================================================
@@ -28,9 +29,8 @@
 
 #define _OE_CERT_CHAIN_LENGTH_ANY 0
 
-static const DWORD _OE_DEFAULT_GET_CRL_FLAGS = CERT_STORE_SIGNATURE_FLAG |
-                                               CERT_STORE_TIME_VALIDITY_FLAG |
-                                               CERT_STORE_BASE_CRL_FLAG;
+static const DWORD _OE_DEFAULT_GET_CRL_FLAGS =
+    CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG;
 
 static const CERT_CHAIN_POLICY_PARA _OE_DEFAULT_CERT_CHAIN_POLICY = {
     .cbSize = sizeof(CERT_CHAIN_POLICY_PARA),
@@ -1296,3 +1296,39 @@ oe_result_t oe_cert_find_extension(
 done:
     return result;
 }
+
+oe_result_t oe_cert_get_validity_dates(
+    const oe_cert_t* cert,
+    oe_datetime_t* not_before,
+    oe_datetime_t* not_after)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    const cert_t* impl = (const cert_t*)cert;
+
+    if (not_before)
+        memset(not_before, 0, sizeof(oe_datetime_t));
+
+    if (not_after)
+        memset(not_after, 0, sizeof(oe_datetime_t));
+
+    if (!_cert_is_valid(impl))
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    if (not_before)
+    {
+        OE_CHECK(oe_util_filetime_to_oe_datetime(
+            &impl->cert->pCertInfo->NotBefore, not_before));
+    }
+
+    if (not_after)
+    {
+        OE_CHECK(oe_util_filetime_to_oe_datetime(
+            &impl->cert->pCertInfo->NotAfter, not_after));
+    }
+
+    result = OE_OK;
+
+done:
+
+    return result;
+}
diff --git a/host/crypto/bcrypt/crl.c b/host/crypto/bcrypt/crl.c
index 658806e80c..cb8bd53b18 100644
--- a/host/crypto/bcrypt/crl.c
+++ b/host/crypto/bcrypt/crl.c
@@ -38,31 +38,6 @@ OE_INLINE void _crl_destroy(crl_t* impl)
     }
 }
 
-static oe_result_t _filetime_to_oe_datetime(
-    const FILETIME* filetime,
-    oe_datetime_t* datetime)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    SYSTEMTIME systime = {0};
-    if (!FileTimeToSystemTime(filetime, &systime))
-        OE_RAISE_MSG(
-            OE_INVALID_UTC_DATE_TIME,
-            "FileTimeToSystemTime failed, err=%#x\n",
-            GetLastError());
-
-    datetime->year = systime.wYear;
-    datetime->month = systime.wMonth;
-    datetime->day = systime.wDay;
-    datetime->hours = systime.wHour;
-    datetime->minutes = systime.wMinute;
-    datetime->seconds = systime.wSecond;
-
-    result = OE_OK;
-
-done:
-    return result;
-}
-
 oe_result_t oe_crl_get_context(const oe_crl_t* crl, PCCRL_CONTEXT* crl_context)
 {
     oe_result_t result = OE_UNEXPECTED;
@@ -151,10 +126,10 @@ oe_result_t oe_crl_get_update_dates(
     PCRL_INFO crl_info = impl->crl->pCrlInfo;
 
     if (last)
-        OE_CHECK(_filetime_to_oe_datetime(&crl_info->ThisUpdate, last));
+        OE_CHECK(oe_util_filetime_to_oe_datetime(&crl_info->ThisUpdate, last));
 
     if (next)
-        OE_CHECK(_filetime_to_oe_datetime(&crl_info->NextUpdate, next));
+        OE_CHECK(oe_util_filetime_to_oe_datetime(&crl_info->NextUpdate, next));
 
     result = OE_OK;
 
diff --git a/host/crypto/bcrypt/util.c b/host/crypto/bcrypt/util.c
new file mode 100644
index 0000000000..910f375cdf
--- /dev/null
+++ b/host/crypto/bcrypt/util.c
@@ -0,0 +1,31 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <openenclave/internal/raise.h>
+
+#include "util.h"
+
+oe_result_t oe_util_filetime_to_oe_datetime(
+    const FILETIME* filetime,
+    oe_datetime_t* datetime)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    SYSTEMTIME systime = {0};
+    if (!FileTimeToSystemTime(filetime, &systime))
+        OE_RAISE_MSG(
+            OE_INVALID_UTC_DATE_TIME,
+            "FileTimeToSystemTime failed, err=%#x\n",
+            GetLastError());
+
+    datetime->year = systime.wYear;
+    datetime->month = systime.wMonth;
+    datetime->day = systime.wDay;
+    datetime->hours = systime.wHour;
+    datetime->minutes = systime.wMinute;
+    datetime->seconds = systime.wSecond;
+
+    result = OE_OK;
+
+done:
+    return result;
+}
diff --git a/host/crypto/bcrypt/util.h b/host/crypto/bcrypt/util.h
new file mode 100644
index 0000000000..2a4ab51ec3
--- /dev/null
+++ b/host/crypto/bcrypt/util.h
@@ -0,0 +1,22 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#ifndef _OE_HOST_CRYPTO_UTIL_H
+#define _OE_HOST_CRYPTO_UTIL_H
+
+#include <openenclave/internal/datetime.h>
+#include <openenclave/internal/result.h>
+
+#include <windows.h>
+
+/**
+ * Convert FILETIME to oe_datetime_t.
+ *
+ * @param filetime[in] The FILETIME to convert.
+ * @param datetime[out] The corresponding oe_datetime_t.
+ */
+oe_result_t oe_util_filetime_to_oe_datetime(
+    const FILETIME* filetime,
+    oe_datetime_t* datetime);
+
+#endif /* _OE_HOST_CRYPTO_UTIL_H */
\ No newline at end of file
diff --git a/host/crypto/openssl/asn1.c b/host/crypto/openssl/asn1.c
index babcc2d01f..4a93e72309 100644
--- a/host/crypto/openssl/asn1.c
+++ b/host/crypto/openssl/asn1.c
@@ -4,6 +4,7 @@
 #include "../common/asn1.h"
 #include <openenclave/bits/safecrt.h>
 #include <openenclave/internal/asn1.h>
+#include <openenclave/internal/datetime.h>
 #include <openenclave/internal/defs.h>
 #include <openenclave/internal/raise.h>
 #include <openenclave/internal/utils.h>
@@ -11,6 +12,8 @@
 #include <openssl/pem.h>
 #include <string.h>
 
+#include "asn1.h"
+
 OE_STATIC_ASSERT(V_ASN1_CONSTRUCTED == OE_ASN1_TAG_CONSTRUCTED);
 OE_STATIC_ASSERT(V_ASN1_SEQUENCE == OE_ASN1_TAG_SEQUENCE);
 OE_STATIC_ASSERT(V_ASN1_INTEGER == OE_ASN1_TAG_INTEGER);
@@ -179,3 +182,92 @@ oe_result_t oe_asn1_get_octet_string(
 done:
     return result;
 }
+
+oe_result_t oe_asn1_string_to_date(const char* str, oe_datetime_t* date)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    char month[4];
+
+    memset(date, 0, sizeof(oe_datetime_t));
+
+    /* Convert the string to oe_datetime_t struct */
+    if (sscanf(
+            str,
+            "%3s %02u %02u:%02u:%02u %04u",
+            month,
+            &date->day,
+            &date->hours,
+            &date->minutes,
+            &date->seconds,
+            &date->year) != 6)
+    {
+        OE_RAISE(OE_FAILURE);
+    }
+
+    /* Convert the month string to integer */
+    {
+        static const char* _month[] = {"Jan",
+                                       "Feb",
+                                       "Mar",
+                                       "Apr",
+                                       "May",
+                                       "Jun",
+                                       "Jul",
+                                       "Aug",
+                                       "Sep",
+                                       "Oct",
+                                       "Nov",
+                                       "Dec"};
+
+        date->month = UINT_MAX;
+
+        for (uint32_t i = 0; i < OE_COUNTOF(_month); i++)
+        {
+            if (strncmp(month, _month[i], 3) == 0)
+            {
+                date->month = i + 1;
+                break;
+            }
+        }
+
+        if (date->month == UINT_MAX)
+            OE_RAISE(OE_FAILURE);
+    }
+
+    result = OE_OK;
+
+done:
+    return result;
+}
+
+oe_result_t oe_asn1_time_to_date(const ASN1_TIME* time, oe_datetime_t* date)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    struct tm;
+    BIO* bio = NULL;
+    BUF_MEM* mem;
+    const char null_terminator = '\0';
+
+    if (!(bio = BIO_new(BIO_s_mem())))
+        OE_RAISE(OE_CRYPTO_ERROR);
+
+    if (!ASN1_TIME_print(bio, time))
+        OE_RAISE(OE_CRYPTO_ERROR);
+
+    if (!BIO_get_mem_ptr(bio, &mem))
+        OE_RAISE(OE_CRYPTO_ERROR);
+
+    if (BIO_write(bio, &null_terminator, sizeof(null_terminator)) <= 0)
+        OE_RAISE(OE_CRYPTO_ERROR);
+
+    OE_CHECK(oe_asn1_string_to_date(mem->data, date));
+
+    result = OE_OK;
+
+done:
+
+    if (bio)
+        BIO_free(bio);
+
+    return result;
+}
\ No newline at end of file
diff --git a/host/crypto/openssl/asn1.h b/host/crypto/openssl/asn1.h
new file mode 100644
index 0000000000..325d0eb01d
--- /dev/null
+++ b/host/crypto/openssl/asn1.h
@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#ifndef _OE_HOST_CRYPTO_ASN1_OPENSSL_H
+#define _OE_HOST_CRYPTO_ASN1_OPENSSL_H
+
+#include <openenclave/internal/datetime.h>
+#include <openenclave/internal/result.h>
+#include <openssl/asn1.h>
+
+/**
+ * Parse a string into a oe_datetime_t: example: "May 30 10:23:42 2018 GMT".
+ * This format is specific to OpenSSL: produced by ASN1_TIME_print().
+ *
+ * @param str[in] string to parse into a oe_datetime_t
+ * @param date[out] output datetime.
+ */
+oe_result_t oe_asn1_string_to_date(const char* str, oe_datetime_t* date);
+
+/**
+ * Convert an ASN1_TIME in openSSL format ta a oe_datetime_t.
+ *
+ * @param time[in] The time to convert.
+ * @param date[out] The output datetime.
+ */
+oe_result_t oe_asn1_time_to_date(const ASN1_TIME* time, oe_datetime_t* date);
+
+#endif /* _OE_HOST_CRYPTO_ASN1_OPENSSL_H */
\ No newline at end of file
diff --git a/host/crypto/openssl/cert.c b/host/crypto/openssl/cert.c
index 97833dca13..274dd329df 100644
--- a/host/crypto/openssl/cert.c
+++ b/host/crypto/openssl/cert.c
@@ -17,6 +17,7 @@
 #include <openssl/x509v3.h>
 #include <string.h>
 #include "../magic.h"
+#include "asn1.h"
 #include "crl.h"
 #include "ec.h"
 #include "init.h"
@@ -958,3 +959,46 @@ oe_result_t oe_cert_find_extension(
 done:
     return result;
 }
+
+oe_result_t oe_cert_get_validity_dates(
+    const oe_cert_t* cert,
+    oe_datetime_t* not_before,
+    oe_datetime_t* not_after)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    const cert_t* impl = (const cert_t*)cert;
+
+    if (not_before)
+        memset(not_before, 0, sizeof(oe_datetime_t));
+
+    if (not_after)
+        memset(not_after, 0, sizeof(oe_datetime_t));
+
+    if (!_cert_is_valid(impl))
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    if (not_before)
+    {
+        const ASN1_TIME* time;
+
+        if (!(time = X509_get_notBefore(impl->x509)))
+            OE_RAISE(OE_CRYPTO_ERROR);
+
+        OE_CHECK(oe_asn1_time_to_date(time, not_before));
+    }
+
+    if (not_after)
+    {
+        const ASN1_TIME* time;
+
+        if (!(time = X509_get_notAfter(impl->x509)))
+            OE_RAISE(OE_CRYPTO_ERROR);
+
+        OE_CHECK(oe_asn1_time_to_date(time, not_after));
+    }
+
+    result = OE_OK;
+done:
+
+    return result;
+}
diff --git a/host/crypto/openssl/crl.c b/host/crypto/openssl/crl.c
index d38ad214d7..aa627b33e8 100644
--- a/host/crypto/openssl/crl.c
+++ b/host/crypto/openssl/crl.c
@@ -14,6 +14,7 @@
 #include <time.h>
 
 #include "../magic.h"
+#include "asn1.h"
 #include "crl.h"
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
@@ -118,99 +119,6 @@ oe_result_t oe_crl_free(oe_crl_t* crl)
     return result;
 }
 
-// Parse a string into a oe_datetime_t: example: "May 30 10:23:42 2018 GMT".
-// This format is specific to OpenSSL: produced by ASN1_TIME_print().
-static oe_result_t _string_to_date(const char* str, oe_datetime_t* date)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    char month[4];
-
-    memset(date, 0, sizeof(oe_datetime_t));
-
-    /* Convert the string to oe_datetime_t struct */
-    if (sscanf(
-            str,
-            "%3s %02u %02u:%02u:%02u %04u",
-            month,
-            &date->day,
-            &date->hours,
-            &date->minutes,
-            &date->seconds,
-            &date->year) != 6)
-    {
-        OE_RAISE(OE_FAILURE);
-    }
-
-    /* Convert the month string to integer */
-    {
-        static const char* _month[] = {"Jan",
-                                       "Feb",
-                                       "Mar",
-                                       "Apr",
-                                       "May",
-                                       "Jun",
-                                       "Jul",
-                                       "Aug",
-                                       "Sep",
-                                       "Oct",
-                                       "Nov",
-                                       "Dec"};
-
-        date->month = UINT_MAX;
-
-        for (uint32_t i = 0; i < OE_COUNTOF(_month); i++)
-        {
-            if (strncmp(month, _month[i], 3) == 0)
-            {
-                date->month = i + 1;
-                break;
-            }
-        }
-
-        if (date->month == UINT_MAX)
-            OE_RAISE(OE_FAILURE);
-    }
-
-    result = OE_OK;
-
-done:
-    return result;
-}
-
-static oe_result_t _asn1_time_to_date(
-    const ASN1_TIME* time,
-    oe_datetime_t* date)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    struct tm;
-    BIO* bio = NULL;
-    BUF_MEM* mem;
-    const char null_terminator = '\0';
-
-    if (!(bio = BIO_new(BIO_s_mem())))
-        OE_RAISE(OE_CRYPTO_ERROR);
-
-    if (!ASN1_TIME_print(bio, time))
-        OE_RAISE(OE_CRYPTO_ERROR);
-
-    if (!BIO_get_mem_ptr(bio, &mem))
-        OE_RAISE(OE_CRYPTO_ERROR);
-
-    if (BIO_write(bio, &null_terminator, sizeof(null_terminator)) <= 0)
-        OE_RAISE(OE_CRYPTO_ERROR);
-
-    OE_CHECK(_string_to_date(mem->data, date));
-
-    result = OE_OK;
-
-done:
-
-    if (bio)
-        BIO_free(bio);
-
-    return result;
-}
-
 oe_result_t oe_crl_get_update_dates(
     const oe_crl_t* crl,
     oe_datetime_t* last,
@@ -235,7 +143,7 @@ oe_result_t oe_crl_get_update_dates(
         if (!(time = X509_CRL_get0_lastUpdate(impl->crl)))
             OE_RAISE(OE_CRYPTO_ERROR);
 
-        OE_CHECK(_asn1_time_to_date(time, last));
+        OE_CHECK(oe_asn1_time_to_date(time, last));
     }
 
     if (next)
@@ -245,7 +153,7 @@ oe_result_t oe_crl_get_update_dates(
         if (!(time = X509_CRL_get0_nextUpdate(impl->crl)))
             OE_RAISE(OE_CRYPTO_ERROR);
 
-        OE_CHECK(_asn1_time_to_date(time, next));
+        OE_CHECK(oe_asn1_time_to_date(time, next));
     }
 
     result = OE_OK;
diff --git a/host/sgx/hostverify_report.c b/host/sgx/hostverify_report.c
index 68b3c65b4e..4448a0733d 100644
--- a/host/sgx/hostverify_report.c
+++ b/host/sgx/hostverify_report.c
@@ -36,8 +36,8 @@ oe_result_t oe_verify_remote_report(
         OE_RAISE(OE_UNSUPPORTED);
 
     // Quote attestation can be done entirely on the host side.
-    OE_CHECK(oe_verify_quote_internal(
-        header->report, header->report_size, NULL, 0, NULL, 0, NULL, 0));
+    OE_CHECK(oe_verify_quote_internal_with_collaterals(
+        header->report, header->report_size, NULL, 0, NULL));
 
     // Optionally return parsed report.
     if (parsed_report != NULL)
@@ -47,4 +47,4 @@ oe_result_t oe_verify_remote_report(
 
 done:
     return result;
-}
+}
\ No newline at end of file
diff --git a/host/sgx/report.c b/host/sgx/report.c
index 0ac6b07014..1fcb9dedd4 100644
--- a/host/sgx/report.c
+++ b/host/sgx/report.c
@@ -43,7 +43,7 @@ static oe_result_t _get_local_report(
     if (report_buffer == NULL || *report_buffer_size < sizeof(sgx_report_t))
     {
         *report_buffer_size = sizeof(sgx_report_t);
-        OE_RAISE(OE_BUFFER_TOO_SMALL);
+        OE_RAISE_NO_TRACE(OE_BUFFER_TOO_SMALL);
     }
 
     OE_CHECK(oe_get_sgx_report_ecall(
@@ -294,8 +294,8 @@ oe_result_t oe_verify_report(
         OE_CHECK(oe_initialize_quote_provider());
 
         // Quote attestation can be done entirely on the host side.
-        OE_CHECK(oe_verify_quote_internal(
-            header->report, header->report_size, NULL, 0, NULL, 0, NULL, 0));
+        OE_CHECK(oe_verify_quote_internal_with_collaterals(
+            header->report, header->report_size, NULL, 0, NULL));
     }
     else if (header->report_type == OE_REPORT_TYPE_SGX_LOCAL)
     {
@@ -308,7 +308,6 @@ oe_result_t oe_verify_report(
 
         OE_CHECK(retval);
     }
-
     else
     {
         OE_RAISE(OE_INVALID_PARAMETER);
diff --git a/host/sgx/sgxquoteprovider.c b/host/sgx/sgxquoteprovider.c
index 29e7dfa504..12116c12b8 100644
--- a/host/sgx/sgxquoteprovider.c
+++ b/host/sgx/sgxquoteprovider.c
@@ -232,7 +232,7 @@ oe_result_t oe_get_revocation_info(oe_get_revocation_info_args_t* args)
     return result;
 }
 
-void oe_cleanup_get_revocation_info_args(oe_get_revocation_info_args_t* args)
+void oe_free_get_revocation_info_args(oe_get_revocation_info_args_t* args)
 {
     if (args)
     {
@@ -329,7 +329,7 @@ oe_result_t oe_get_qe_identity_info(oe_get_qe_identity_info_args_t* args)
     return result;
 }
 
-void oe_cleanup_qe_identity_info_args(oe_get_qe_identity_info_args_t* args)
+void oe_free_qe_identity_info_args(oe_get_qe_identity_info_args_t* args)
 {
     if (args)
     {
diff --git a/include/openenclave/bits/result.h b/include/openenclave/bits/result.h
index 9116b48714..f931aca9b4 100644
--- a/include/openenclave/bits/result.h
+++ b/include/openenclave/bits/result.h
@@ -279,6 +279,11 @@ typedef enum _oe_result
      */
     OE_VERIFY_REVOKED,
 
+    /**
+     * Could not find a valid validity period.
+     */
+    OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD,
+
     /**
      * An underlying crypto provider returned an error.
      */
diff --git a/include/openenclave/internal/crypto/cert.h b/include/openenclave/internal/crypto/cert.h
index 9a432939ca..ee9bf8d8b2 100644
--- a/include/openenclave/internal/crypto/cert.h
+++ b/include/openenclave/internal/crypto/cert.h
@@ -345,6 +345,20 @@ oe_result_t oe_get_crl_distribution_points(
     uint8_t* buffer,
     size_t* buffer_size);
 
+/**
+ * Gets the validation datetimes from the certificate.
+ *
+ * @param cert[in] the certificate.
+ * @param not_before the date when the certificate validate starts (may be
+ * null).
+ * @param not_after the date at which this CRL should be considered invalid
+ *        (may be null).
+ */
+oe_result_t oe_cert_get_validity_dates(
+    const oe_cert_t* cert,
+    oe_datetime_t* not_before,
+    oe_datetime_t* not_after);
+
 #ifdef OE_BUILD_ENCLAVE
 
 typedef struct _oe_cert_config
diff --git a/include/openenclave/internal/datetime.h b/include/openenclave/internal/datetime.h
index b7dfdb6301..384a0e6113 100644
--- a/include/openenclave/internal/datetime.h
+++ b/include/openenclave/internal/datetime.h
@@ -52,6 +52,16 @@ int32_t oe_datetime_compare(
     const oe_datetime_t* date1,
     const oe_datetime_t* date2);
 
+/**
+ * Return the current system time in GMT time.
+ */
+oe_result_t oe_datetime_now(oe_datetime_t* value);
+
+/**
+ * Log date at the INFO level.
+ */
+void oe_datetime_log_info(const char* msg, const oe_datetime_t* date);
+
 OE_EXTERNC_END
 
 #endif /* _OE_INTERNAL_DATETIME_H */
diff --git a/include/openenclave/internal/report.h b/include/openenclave/internal/report.h
index 4ed83a63fb..00b24c465f 100644
--- a/include/openenclave/internal/report.h
+++ b/include/openenclave/internal/report.h
@@ -47,6 +47,57 @@ typedef struct _oe_get_qe_identity_info_args
     uint8_t* host_out_buffer; /* out */
 } oe_get_qe_identity_info_args_t;
 
+/*
+**==============================================================================
+**
+** oe_collaterals_header_t
+**
+**==============================================================================
+*/
+typedef struct _oe_collaterals_header
+{
+    /** Size of the collaterals */
+    uint32_t collaterals_size;
+
+    /** Collaterals data **/
+    uint8_t collaterals[];
+
+} oe_collaterals_header_t;
+
+OE_STATIC_ASSERT(sizeof(oe_collaterals_header_t) == 4);
+
+/*
+**==============================================================================
+**
+** oe_collaterals_t
+**
+** Structure with the collateral contents.  The collaterals are used during
+** the verification of the oe_report_t.
+**
+**==============================================================================
+*/
+typedef struct _oe_collaterals
+{
+    oe_get_qe_identity_info_args_t qe_id_info;
+    oe_get_revocation_info_args_t revocation_info;
+
+    /* Time the collaterals were generated */
+    char creation_datetime[24];
+
+    uint64_t app_collaterals_size;
+    uint8_t app_collaterals[];
+
+} oe_collaterals_t;
+
+OE_STATIC_ASSERT(
+    OE_OFFSETOF(oe_collaterals_header_t, collaterals) ==
+    sizeof(oe_collaterals_header_t));
+
+#define OE_COLLATERALS_HEADER_SIZE (sizeof(oe_collaterals_header_t))
+#define OE_COLLATERALS_BODY_SIZE (sizeof(oe_collaterals_t))
+#define OE_COLLATERALS_SIZE \
+    (OE_COLLATERALS_HEADER_SIZE + OE_COLLATERALS_BODY_SIZE)
+
 /*
 **==============================================================================
 **
diff --git a/tests/host_verify/host/host.cpp b/tests/host_verify/host/host.cpp
index cd3c7eabb4..d15b2b5e29 100644
--- a/tests/host_verify/host/host.cpp
+++ b/tests/host_verify/host/host.cpp
@@ -7,6 +7,7 @@
 #include <openenclave/host_verify.h>
 #include <openenclave/internal/error.h>
 #include <openenclave/internal/raise.h>
+#include <openenclave/internal/report.h>
 #include <openenclave/internal/tests.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -14,6 +15,9 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 
+#include "../../../common/sgx/quote.h"
+#include "../../../host/sgx/sgxquoteprovider.h"
+
 #if defined(__linux__)
 #include <unistd.h>
 #elif defined(_WIN32)
@@ -32,6 +36,14 @@
 #define REPORT_FILENAME "sgx_report.bin"
 #define REPORT_BAD_FILENAME "sgx_report_bad.bin"
 
+//
+// TODO: Report with collaterals tests.  Will to refactor the contentns
+// of the collaterals to be self-contained in order to support
+// serialization.
+//
+//#define COLLATERALS_FILENAME "sgx_report.bin.col"
+//#define COLLATERALS_BAD_FILENAME "sgx_report_bad.bin.col"
+
 #define SKIP_RETURN_CODE 2
 
 oe_result_t enclave_identity_verifier(oe_identity_t* identity, void* arg)
@@ -110,54 +122,185 @@ static oe_result_t _verify_cert(const char* filename, bool pass)
     return oe_ret;
 }
 
-static int _verify_report(const char* report_filename, bool pass)
+/**
+ * Verify the integrity of the remote report and its signature,
+ * with optional collateral data.
+ *
+ * This function verifies that the report signature is valid. It
+ * verifies that the signing authority is rooted to a trusted authority
+ * such as the enclave platform manufacturer.
+ *
+ * @param report The buffer containing the report to verify.
+ * @param report_size The size of the **report** buffer.
+ * @param collaterals The collateral data that is associated with the report.
+ * @param collaterals_size The size of the **collaterals** buffer.
+ * @param parsed_report Optional **oe_report_t** structure to populate
+ * with the report properties in a standard format.
+ *
+ * @retval OE_OK The report was successfully verified.
+ * @retval OE_INVALID_PARAMETER At least one parameter is invalid.
+ *
+ */
+static oe_result_t oe_verify_remote_report_with_collaterals(
+    const uint8_t* report,
+    size_t report_size,
+    const uint8_t* collaterals,
+    size_t collaterals_size,
+    oe_report_t* parsed_report)
 {
-    FILE* report_fp = NULL;
-    int ret = -1;
-    size_t file_size = 0;
-    uint8_t* data = NULL;
-    oe_result_t result = OE_FAILURE;
+    oe_result_t result = OE_UNEXPECTED;
+    oe_report_t oe_report = {0};
+    oe_report_header_t* header = (oe_report_header_t*)report;
+
+    if (report == NULL)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    if (report_size == 0 || report_size > OE_MAX_REPORT_SIZE)
+        OE_RAISE(OE_INVALID_PARAMETER);
 
-    OE_TRACE_INFO("\n\nVerifying report %s\n", report_filename);
-    report_fp = fopen(report_filename, "rb");
-    if (report_fp == NULL)
-        OE_TRACE_ERROR("Failed to find file: %s\n", report_fp);
+    // The two host side attestation API's are oe_get_report and
+    // oe_verify_report. Initialize the quote provider in both these APIs.
+    OE_CHECK(oe_initialize_quote_provider());
 
-    OE_TEST(report_fp != NULL);
+    // Ensure that the report is parseable before using the header.
+    OE_CHECK(oe_parse_report(report, report_size, &oe_report));
+
+    if (header->report_type != OE_REPORT_TYPE_SGX_REMOTE)
+        OE_RAISE(OE_UNSUPPORTED);
+
+    // Quote attestation can be done entirely on the host side.
+    OE_CHECK(oe_verify_quote_internal_with_collaterals(
+        header->report,
+        header->report_size,
+        collaterals,
+        collaterals_size,
+        NULL));
+
+    // Optionally return parsed report.
+    if (parsed_report != NULL)
+        OE_CHECK(oe_parse_report(report, report_size, parsed_report));
+
+    result = OE_OK;
+
+done:
+    return result;
+}
+
+static size_t _get_filesize(FILE* fp)
+{
+    size_t size = 0;
+    fseek(fp, 0, SEEK_END);
+    size = (size_t)ftell(fp);
+    fseek(fp, 0, SEEK_SET);
+
+    return size;
+}
+
+static void _read_binary_file(
+    const char* filename,
+    uint8_t** data_ptr,
+    size_t* size_ptr)
+{
+    FILE* fp = fopen(filename, "rb");
+    size_t size = 0;
+    uint8_t* data = NULL;
+
+    if (fp == NULL)
+        OE_TRACE_ERROR("Failed to find file: %s\n", filename);
+    OE_TEST(fp != NULL);
 
     // Find file size
-    fseek(report_fp, 0, SEEK_END);
-    file_size = (size_t)ftell(report_fp);
-    fseek(report_fp, 0, SEEK_SET);
+    size = _get_filesize(fp);
 
-    data = (uint8_t*)malloc((size_t)file_size);
+    data = (uint8_t*)malloc(size);
     OE_TEST(data != NULL);
 
-    size_t bytes_read = fread(data, sizeof(uint8_t), file_size, report_fp);
-    OE_TEST(bytes_read == file_size);
+    size_t bytes_read = fread(data, sizeof(uint8_t), size, fp);
+    OE_TEST(bytes_read == size);
 
-    result = oe_verify_remote_report(data, file_size, NULL);
-    if (pass)
-        OE_TEST(result == OE_OK);
+    if (fp)
+        fclose(fp);
+
+    *data_ptr = data;
+    *size_ptr = bytes_read;
+}
+
+static int _verify_report(
+    const char* report_filename,
+    const char* collaterals_filename,
+    bool pass)
+{
+    int ret = -1;
+    size_t report_file_size = 0;
+    size_t collaterals_file_size = 0;
+    uint8_t* report_data = NULL;
+    uint8_t* collaterals_data = NULL;
+    oe_result_t result = OE_FAILURE;
+
+    OE_TRACE_INFO(
+        "\n\nVerifying report %s, collaterals: %s\n",
+        report_filename,
+        collaterals_filename);
+
+    _read_binary_file(report_filename, &report_data, &report_file_size);
+
+    if (collaterals_filename == NULL)
+    {
+        result = oe_verify_remote_report(report_data, report_file_size, NULL);
+        if (pass)
+            OE_TEST(result == OE_OK);
+        else
+        {
+            // Note: The failure result code is different between linux vs
+            // windows.
+            //
+            OE_TEST(result != OE_OK);
+            OE_TRACE_INFO(
+                "Report %s verification failed as expected. Failure %d(%s)\n",
+                report_filename,
+                result,
+                oe_result_str(result));
+        }
+
+        OE_TRACE_INFO("Report %s verified successfully!\n\n", report_filename);
+    }
     else
     {
-        // Note: Failure results are different when running in linux vs windows.
-        OE_TEST(result != OE_OK);
-        OE_TRACE_INFO(
-            "Report %s verification failed as expected. Failure %d(%s)\n",
-            report_filename,
-            result,
-            oe_result_str(result));
+        _read_binary_file(
+            collaterals_filename, &collaterals_data, &collaterals_file_size);
+
+        result = oe_verify_remote_report_with_collaterals(
+            report_data,
+            report_file_size,
+            collaterals_data,
+            collaterals_file_size,
+            NULL);
+
+        if (pass)
+            OE_TEST(result == OE_OK);
+        else
+        {
+            // Note: The failure result code is different between linux vs
+            // windows.
+            //
+            OE_TEST(result != OE_OK);
+            OE_TRACE_INFO(
+                "Report %s and collateral %s verification failed as expected. "
+                "Failure %d(%s)\n",
+                report_filename,
+                collaterals_filename,
+                result,
+                oe_result_str(result));
+        }
+
+        OE_TRACE_INFO("Report %s verified successfully!\n\n", report_filename);
     }
-
-    OE_TRACE_INFO("Report %s verified successfully!\n\n", report_filename);
     ret = 0;
 
-    if (report_fp != NULL)
-        fclose(report_fp);
-
-    if (data != NULL)
-        free(data);
+    if (report_data != NULL)
+        free(report_data);
+    if (collaterals_data != NULL)
+        free(collaterals_data);
 
     return ret;
 }
@@ -172,6 +315,10 @@ int main()
         return SKIP_RETURN_CODE;
     }
 
+    //
+    // Report only tests
+    //
+
     // These files are generated by oecert and do not always exists.
     // Run these tests if the file exists.  The Jenkins CI/CD system
     // is responsible for running oecert to generate these files.
@@ -183,7 +330,7 @@ int main()
         _verify_cert(CERT_RSA_FILENAME, true);
 
     if (_validate_file(REPORT_FILENAME, false))
-        _verify_report(REPORT_FILENAME, true);
+        _verify_report(REPORT_FILENAME, NULL, true);
 
     // These files are checked in and should always exist.
     if (_validate_file(CERT_EC_BAD_FILENAME, true))
@@ -193,7 +340,18 @@ int main()
         _verify_cert(CERT_RSA_BAD_FILENAME, false);
 
     if (_validate_file(REPORT_BAD_FILENAME, true))
-        _verify_report(REPORT_BAD_FILENAME, false);
+        _verify_report(REPORT_BAD_FILENAME, NULL, false);
+
+    //
+    // TODO: Report with collaterals tests.  Will to refactor the contentns
+    // of the collaterals to be self-contained in order to support
+    // serialization.
+    //
+    // if (_validate_file(REPORT_FILENAME, false))
+    //    _verify_report(REPORT_FILENAME, COLLATERALS_FILENAME, true);
+
+    // if (_validate_file(REPORT_BAD_FILENAME, true))
+    //     _verify_report(REPORT_FILENAME, COLLATERALS_BAD_FILENAME, false);
 
     return 0;
 }
diff --git a/tests/report/common/tests.cpp b/tests/report/common/tests.cpp
index cd2517e19a..c6bcf8f5c8 100644
--- a/tests/report/common/tests.cpp
+++ b/tests/report/common/tests.cpp
@@ -2,15 +2,292 @@
 // Licensed under the MIT License.
 
 #include "../common/tests.h"
+#include <openenclave/internal/crypto/cmac.h>
+#include <openenclave/internal/raise.h>
+#include <openenclave/internal/report.h>
 #include <openenclave/internal/tests.h>
 
+#ifndef OE_BUILD_ENCLAVE
+#include "../../../host/sgx/sgxquoteprovider.h"
+#endif
+#include "../../../common/oe_host_stdlib.h"
+#include "../../../common/sgx/collaterals.h"
+#include "../../../common/sgx/qeidentity.h"
+#include "../../../common/sgx/quote.h"
+#include "../../../common/sgx/revocation.h"
+
+#include <time.h>
+
+/**
+ * Get collateral data which can be used with future function
+ * oe_verify_report_with_collaterals().
+ *
+ * @param collaterals_buffer The buffer containing the collaterals to parse.
+ * @param collaterals_buffer_size The size of the **collaterals_buffer**.
+ *
+ * @retval OE_OK The collaterals were successfully retrieved.
+ */
+oe_result_t oe_get_collaterals(
+#ifndef OE_BUILD_ENCLAVE
+    oe_enclave_t* enclave,
+#endif
+    uint8_t** collaterals_buffer,
+    size_t* collaterals_buffer_size)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    size_t report_size = OE_MAX_REPORT_SIZE;
+    uint8_t* remote_report = NULL;
+    oe_report_t* parsed_report = NULL;
+    oe_report_header_t* header = NULL;
+
+    OE_TRACE_INFO("Enter enclave call %s\n", __FUNCTION__);
+
+    if ((collaterals_buffer == NULL) || (collaterals_buffer_size == NULL))
+    {
+        OE_RAISE(OE_INVALID_PARAMETER);
+    }
+
+    *collaterals_buffer = NULL;
+    *collaterals_buffer_size = 0;
+
+#ifdef OE_BUILD_ENCLAVE
+    // Get a remote OE report.
+    // We need a report in order to fetch the uris of the certificates in the
+    // sgx quote.
+    OE_CHECK_MSG(
+        oe_get_report(
+            OE_REPORT_FLAGS_REMOTE_ATTESTATION,
+            NULL,
+            0,
+            NULL,
+            0,
+            (uint8_t**)&remote_report,
+            &report_size),
+        "Failed to get OE remote report. %s",
+        oe_result_str(result));
+    header = (oe_report_header_t*)remote_report;
+
+    OE_CHECK_MSG(
+        oe_verify_report(remote_report, report_size, parsed_report),
+        "Failed to verify OE remote report. %s",
+        oe_result_str(result));
+#else
+    OE_CHECK_MSG(
+        oe_initialize_quote_provider(),
+        "Failed to initialize quote provider. %s",
+        oe_result_str(result));
+
+    OE_CHECK_MSG(
+        oe_get_report(
+            enclave,
+            OE_REPORT_FLAGS_REMOTE_ATTESTATION,
+            NULL,
+            0,
+            (uint8_t**)&remote_report,
+            &report_size),
+        "Failed to get OE remote report. %s",
+        oe_result_str(result));
+    header = (oe_report_header_t*)remote_report;
+
+    OE_CHECK_MSG(
+        oe_verify_report(enclave, remote_report, report_size, parsed_report),
+        "Failed to verify OE remote report. %s",
+        oe_result_str(result));
+#endif
+
+    OE_CHECK_MSG(
+        oe_get_collaterals_internal(
+            header->report,
+            header->report_size,
+            collaterals_buffer,
+            collaterals_buffer_size),
+        "Failed to get collaterals. %s",
+        oe_result_str(result));
+
+    result = OE_OK;
+done:
+    if (remote_report)
+        oe_free_report(remote_report);
+
+    OE_TRACE_INFO(
+        "Exit enclave call %s: %d(%s)\n",
+        __FUNCTION__,
+        result,
+        oe_result_str(result));
+
+    return result;
+}
+
+/**
+ * Verify the integrity of the report and its signature,
+ * with optional collateral data that is associated with the report.
+ *
+ * This function verifies that the report signature is valid. If the report is
+ * local, it verifies that it is correctly signed by the enclave
+ * platform. If the report is remote, it verifies that the signing authority is
+ * rooted to a trusted authority such as the enclave platform manufacturer.
+ *
+ * @param enclave The instance of the enclave that will be used to
+ * verify a local report. For remote reports, this parameter can be NULL.
+ * @param report The buffer containing the report to verify.
+ * @param report_size The size of the **report** buffer.
+ * @param collaterals The collateral data that is associated with the report.
+ * @param collaterals_size The size of the **collaterals** buffer.
+ * @param parsed_report Optional **oe_report_t** structure to populate with the
+ * report properties in a standard format.
+ *
+ * @retval OE_OK The report was successfully created.
+ * @retval OE_INVALID_PARAMETER At least one parameter is invalid.
+ *
+ */
+static oe_result_t oe_verify_report_with_collaterals(
+#ifndef OE_BUILD_ENCLAVE
+    oe_enclave_t* enclave,
+#endif
+    const uint8_t* report,
+    size_t report_size,
+    const uint8_t* collaterals,
+    size_t collaterals_size,
+    oe_datetime_t* input_validation_time,
+    oe_report_t* parsed_report)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    oe_report_t oe_report = {0};
+    oe_report_header_t* header = (oe_report_header_t*)report;
+
+    if (report == NULL)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    if (report_size == 0 || report_size > OE_MAX_REPORT_SIZE)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    // Ensure that the report is parseable before using the header.
+    OE_CHECK(oe_parse_report(report, report_size, &oe_report));
+
+    if (header->report_type == OE_REPORT_TYPE_SGX_REMOTE)
+    {
+#ifndef OE_BUILD_ENCLAVE
+        // Intialize the quote provider if we want to verify a remote quote.
+        // Note that we don't have the OE_USE_LIBSGX guard here since we don't
+        // need the sgx libraries to verify the quote. All we need is the quote
+        // provider.
+        OE_CHECK(oe_initialize_quote_provider());
+#endif
+
+        // Quote attestation can be done entirely on the host side.
+        OE_CHECK(oe_verify_quote_internal_with_collaterals(
+            header->report,
+            header->report_size,
+            collaterals,
+            collaterals_size,
+            input_validation_time));
+
+        // Optionally return parsed report.
+        if (parsed_report != NULL)
+            OE_CHECK(oe_parse_report(report, report_size, parsed_report));
+    }
+    else if (header->report_type == OE_REPORT_TYPE_SGX_LOCAL)
+    {
+        if (collaterals != NULL || collaterals_size > 0)
+        {
+            OE_RAISE_MSG(
+                OE_UNSUPPORTED,
+                "Local reports should not have collaterals.",
+                NULL);
+        }
+
+#ifndef OE_BUILD_ENCLAVE
+        if (enclave == NULL)
+            OE_RAISE(OE_INVALID_PARAMETER);
+
+        OE_CHECK(oe_verify_report(enclave, report, report_size, parsed_report));
+#else
+        OE_CHECK(oe_verify_report(report, report_size, parsed_report));
+#endif
+    }
+    else
+    {
+        OE_RAISE(OE_INVALID_PARAMETER);
+    }
+
+    result = OE_OK;
+done:
+    return result;
+}
+
+/**
+ * Free up any resources allocated by oe_get_collateras()
+ *
+ * @param collaterals_buffer The buffer containing the collaterals.
+ */
+static void oe_free_collaterals(uint8_t* collaterals_buffer)
+{
+    oe_free_collaterals_internal(collaterals_buffer);
+}
+
+static oe_result_t oe_get_quote_validity_with_collaterals(
+    const uint8_t* report,
+    const size_t report_size,
+    const uint8_t* collaterals,
+    size_t collaterals_size,
+    oe_datetime_t* valid_from,
+    oe_datetime_t* valid_until)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    oe_report_t oe_report = {0};
+    oe_report_header_t* header = (oe_report_header_t*)report;
+
+    if (report == NULL || collaterals == NULL || valid_from == NULL ||
+        valid_until == NULL)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    if (report_size == 0 || report_size > OE_MAX_REPORT_SIZE ||
+        collaterals_size == 0)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    // Ensure that the report is parseable before using the header.
+    OE_CHECK(oe_parse_report(report, report_size, &oe_report));
+
+    if (header->report_type == OE_REPORT_TYPE_SGX_REMOTE)
+    {
+#ifndef OE_BUILD_ENCLAVE
+        // Intialize the quote provider if we want to verify a remote quote.
+        // Note that we don't have the OE_USE_LIBSGX guard here since we don't
+        // need the sgx libraries to verify the quote. All we need is the quote
+        // provider.
+        OE_CHECK(oe_initialize_quote_provider());
+#endif
+
+        // Quote attestation can be done entirely on the host side.
+        OE_CHECK(oe_get_quote_validity_with_collaterals_internal(
+            header->report,
+            header->report_size,
+            collaterals,
+            collaterals_size,
+            valid_from,
+            valid_until));
+    }
+    else
+    {
+        OE_RAISE(OE_INVALID_PARAMETER);
+    }
+
+    result = OE_OK;
+done:
+    return result;
+}
+
 #ifdef OE_BUILD_ENCLAVE
 #include <openenclave/corelibc/string.h>
 
 #define GetReport oe_get_report
 #define GetReport_v2 oe_get_report_v2
 
+#define GetCollaterals oe_get_collaterals
+
 #define VerifyReport oe_verify_report
+#define VerifyReportWithCollaterals oe_verify_report_with_collaterals
+#define GetQuoteValidityWithCollaterals oe_get_quote_validity_with_collaterals
 
 #else
 
@@ -24,6 +301,10 @@ oe_enclave_t* g_enclave = NULL;
 #define GetReport_v2(flags, rd, rds, op, ops, rb, rbs) \
     oe_get_report_v2(g_enclave, flags, op, ops, rb, rbs)
 
+// Get collateral macros.  Host side API has an additional enclave object.
+#define GetCollaterals(data, data_size) \
+    oe_get_collaterals(g_enclave, data, data_size)
+
 oe_result_t VerifyReport(
     const uint8_t* report,
     size_t report_size,
@@ -43,6 +324,61 @@ oe_result_t VerifyReport(
     return oe_verify_report(g_enclave, report, report_size, parsed_report);
 }
 
+oe_result_t VerifyReportWithCollaterals(
+    const uint8_t* report,
+    size_t report_size,
+    const uint8_t* collaterals,
+    size_t collaterals_size,
+    oe_datetime_t* input_validation_time,
+    oe_report_t* parsed_report)
+{
+    oe_report_t tmp_report = {0};
+    OE_TEST(oe_parse_report(report, report_size, &tmp_report) == OE_OK);
+
+    if (tmp_report.identity.attributes & OE_REPORT_ATTRIBUTES_REMOTE)
+    {
+        return oe_verify_report_with_collaterals(
+            g_enclave,
+            report,
+            report_size,
+            collaterals,
+            collaterals_size,
+            input_validation_time,
+            parsed_report);
+    }
+    else
+    {
+        return OE_UNSUPPORTED;
+    }
+}
+
+oe_result_t GetQuoteValidityWithCollaterals(
+    const uint8_t* report,
+    size_t report_size,
+    const uint8_t* collaterals,
+    size_t collaterals_size,
+    oe_datetime_t* valid_from,
+    oe_datetime_t* valid_until)
+{
+    oe_report_t tmp_report = {0};
+    OE_TEST(oe_parse_report(report, report_size, &tmp_report) == OE_OK);
+
+    if (tmp_report.identity.attributes & OE_REPORT_ATTRIBUTES_REMOTE)
+    {
+        return oe_get_quote_validity_with_collaterals(
+            report,
+            report_size,
+            collaterals,
+            collaterals_size,
+            valid_from,
+            valid_until);
+    }
+    else
+    {
+        return OE_UNSUPPORTED;
+    }
+}
+
 #endif
 
 #define OE_LOCAL_REPORT_SIZE (sizeof(oe_report_header_t) + sizeof(sgx_report_t))
@@ -887,3 +1223,131 @@ void test_remote_verify_report()
 #endif
     }
 }
+
+void test_verify_report_with_collaterals()
+{
+    uint32_t flags = OE_REPORT_FLAGS_REMOTE_ATTESTATION;
+
+    size_t report_ptr_size;
+    uint8_t* report_buffer_ptr;
+
+    size_t collaterals_ptr_size = 0;
+    uint8_t* collaterals_buffer_ptr = NULL;
+
+    /* Test 1: Verify report with collaterals */
+    OE_TEST(
+        GetReport_v2(
+            flags, NULL, 0, NULL, 0, &report_buffer_ptr, &report_ptr_size) ==
+        OE_OK);
+
+    /* Verify report without collaterals */
+    OE_TEST(
+        VerifyReportWithCollaterals(
+            report_buffer_ptr, report_ptr_size, NULL, 0, NULL, NULL) == OE_OK);
+
+    if (GetCollaterals(&collaterals_buffer_ptr, &collaterals_ptr_size) == OE_OK)
+    {
+        OE_TEST(
+            VerifyReportWithCollaterals(
+                report_buffer_ptr,
+                report_ptr_size,
+                collaterals_buffer_ptr,
+                collaterals_ptr_size,
+                NULL, // Validate using current time
+                NULL) == OE_OK);
+
+        /* Test with time in the past */
+        time_t t;
+        struct tm* timeinfo;
+        time(&t);
+        timeinfo = gmtime(&t);
+
+        // convert tm to oe_datetime_t
+        oe_datetime_t past = {(uint32_t)timeinfo->tm_year + 1890,
+                              (uint32_t)timeinfo->tm_mon + 1,
+                              (uint32_t)timeinfo->tm_mday,
+                              (uint32_t)timeinfo->tm_hour,
+                              (uint32_t)timeinfo->tm_min,
+                              (uint32_t)timeinfo->tm_sec};
+        OE_TEST(
+            VerifyReportWithCollaterals(
+                report_buffer_ptr,
+                report_ptr_size,
+                collaterals_buffer_ptr,
+                collaterals_ptr_size,
+                &past,
+                NULL) == OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD);
+
+        /* Test with time in the future */
+        oe_datetime_t future = {(uint32_t)timeinfo->tm_year + 1910,
+                                (uint32_t)timeinfo->tm_mon + 1,
+                                (uint32_t)timeinfo->tm_mday,
+                                (uint32_t)timeinfo->tm_hour,
+                                (uint32_t)timeinfo->tm_min,
+                                (uint32_t)timeinfo->tm_sec};
+        OE_TEST(
+            VerifyReportWithCollaterals(
+                report_buffer_ptr,
+                report_ptr_size,
+                collaterals_buffer_ptr,
+                collaterals_ptr_size,
+                &future,
+                NULL) == OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD);
+
+        /* Get validity range and use it to validate edge cases.*/
+        oe_datetime_t valid_from = {0};
+        oe_datetime_t valid_until = {0};
+        OE_TEST(
+            GetQuoteValidityWithCollaterals(
+                report_buffer_ptr,
+                report_ptr_size,
+                collaterals_buffer_ptr,
+                collaterals_ptr_size,
+                &valid_from,
+                &valid_until) == OE_OK);
+        /* At latest valid from date */
+        OE_TEST(
+            VerifyReportWithCollaterals(
+                report_buffer_ptr,
+                report_ptr_size,
+                collaterals_buffer_ptr,
+                collaterals_ptr_size,
+                &valid_from,
+                NULL) == OE_OK);
+        /* At earliest expiration date */
+        OE_TEST(
+            VerifyReportWithCollaterals(
+                report_buffer_ptr,
+                report_ptr_size,
+                collaterals_buffer_ptr,
+                collaterals_ptr_size,
+                &valid_until,
+                NULL) == OE_OK);
+
+        valid_from.seconds -= 1;
+        OE_TEST(
+            VerifyReportWithCollaterals(
+                report_buffer_ptr,
+                report_ptr_size,
+                collaterals_buffer_ptr,
+                collaterals_ptr_size,
+                &valid_from,
+                NULL) == OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD);
+
+        valid_until.seconds += 1;
+        OE_TEST(
+            VerifyReportWithCollaterals(
+                report_buffer_ptr,
+                report_ptr_size,
+                collaterals_buffer_ptr,
+                collaterals_ptr_size,
+                &valid_until,
+                NULL) == OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD);
+    }
+
+    oe_free_collaterals(collaterals_buffer_ptr);
+    oe_free_report(report_buffer_ptr);
+
+    collaterals_buffer_ptr = NULL;
+    report_buffer_ptr = NULL;
+}
\ No newline at end of file
diff --git a/tests/report/common/tests.h b/tests/report/common/tests.h
index c8a4911bd4..4c1544fc18 100644
--- a/tests/report/common/tests.h
+++ b/tests/report/common/tests.h
@@ -25,5 +25,6 @@ void test_remote_report();
 void test_parse_report_negative();
 void test_local_verify_report();
 void test_remote_verify_report();
+void test_verify_report_with_collaterals();
 
 #endif
diff --git a/tests/report/enc/enc.cpp b/tests/report/enc/enc.cpp
index 3e71365de1..34581752b1 100644
--- a/tests/report/enc/enc.cpp
+++ b/tests/report/enc/enc.cpp
@@ -94,6 +94,10 @@ void test_minimum_issue_date(oe_datetime_t now)
         oe_verify_report(report_v2, report_v2_size, NULL) ==
         OE_INVALID_REVOCATION_INFO);
 
+    // Restore default minimum CRL/TCB issue date
+    OE_TEST(
+        __oe_sgx_set_minimum_crl_tcb_issue_date(2017, 3, 17, 0, 0, 0) == OE_OK);
+
     oe_free_report(report);
     oe_free_report(report_v2);
 
@@ -128,6 +132,11 @@ void enclave_test_remote_verify_report()
     test_remote_verify_report();
 }
 
+void enclave_test_verify_report_with_collaterals()
+{
+    test_verify_report_with_collaterals();
+}
+
 OE_SET_ENCLAVE_SGX(
     0,    /* ProductID */
     0,    /* SecurityVersion */
diff --git a/tests/report/host/host.cpp b/tests/report/host/host.cpp
index 5c17b0a9f6..538cb8e176 100644
--- a/tests/report/host/host.cpp
+++ b/tests/report/host/host.cpp
@@ -161,6 +161,8 @@ int main(int argc, const char* argv[])
 
     test_remote_verify_report();
 
+    test_verify_report_with_collaterals();
+
     OE_TEST(test_iso8601_time(enclave) == OE_OK);
     OE_TEST(test_iso8601_time_negative(enclave) == OE_OK);
 
@@ -176,6 +178,8 @@ int main(int argc, const char* argv[])
 
     OE_TEST(enclave_test_remote_verify_report(enclave) == OE_OK);
 
+    OE_TEST(enclave_test_verify_report_with_collaterals(enclave) == OE_OK);
+
     TestVerifyTCBInfo(enclave, "./data/tcbInfo.json");
     TestVerifyTCBInfo(enclave, "./data/tcbInfo_with_pceid.json");
 
diff --git a/tests/report/tests.edl b/tests/report/tests.edl
index e5e791e117..590035bf51 100644
--- a/tests/report/tests.edl
+++ b/tests/report/tests.edl
@@ -24,6 +24,7 @@ enclave {
         public void enclave_test_parse_report_negative();
         public void enclave_test_local_verify_report();
         public void enclave_test_remote_verify_report();
+        public void enclave_test_verify_report_with_collaterals();
     };
 
     untrusted {
diff --git a/tests/tools/oecert/host/host.cpp b/tests/tools/oecert/host/host.cpp
index 0dd6424a0b..a76a1a0cf5 100644
--- a/tests/tools/oecert/host/host.cpp
+++ b/tests/tools/oecert/host/host.cpp
@@ -3,17 +3,21 @@
 
 #include <limits.h>
 #include <openenclave/host.h>
+#include <openenclave/internal/report.h>
 #include <openenclave/internal/tests.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include "oecert_u.h"
 
+#include "../../../../common/sgx/collaterals.h"
+
 #ifdef OE_USE_LIBSGX
 
 #define INPUT_PARAM_OPTION_CERT "--cert"
 #define INPUT_PARAM_OPTION_REPORT "--report"
 #define INPUT_PARAM_OPTION_OUT_FILE "--out"
+#define INPUT_PARAM_OPTION_COLLATERALS "--collaterals"
 
 // Structure to store input parameters
 //
@@ -25,6 +29,7 @@ typedef struct _input_params
     const char* out_filename;
     bool gen_cert;
     bool gen_report;
+    bool gen_collaterals;
 } input_params_t;
 
 static input_params_t _params;
@@ -189,6 +194,55 @@ static oe_result_t _gen_report(
                 // TODO: Dump report.
             }
         }
+
+        // Check if collaterals need to be generated
+        if (_params.gen_collaterals)
+        {
+            char collateral_filename[1024 + 1];
+
+            if (strlen(report_filename) < (1024 - 4))
+            {
+                uint8_t* collaterals = NULL;
+                size_t collaterals_size = 0;
+                oe_report_header_t* header = (oe_report_header_t*)remote_report;
+
+                sprintf(collateral_filename, "%s.col", report_filename);
+                printf(
+                    "Generatting collateral file: %s\n", collateral_filename);
+
+                result = oe_get_collaterals_internal(
+                    header->report,
+                    header->report_size,
+                    &collaterals,
+                    &collaterals_size);
+                if (result != OE_OK)
+                {
+                    printf("ERROR: Failed to get collaterals\n");
+                    goto exit;
+                }
+
+                // TODO: Current collateral structure is not self contained.
+                // Needs to be updated to be serialisable.
+                //
+                FILE* col_fp = fopen(collateral_filename, "wb");
+                if (!col_fp)
+                {
+                    printf(
+                        "Failed to open collateral file %s\n",
+                        collateral_filename);
+                    result = OE_FAILURE;
+                    goto exit;
+                }
+                fwrite(collaterals, collaterals_size, 1, col_fp);
+                fclose(col_fp);
+                printf("collaterals_size = %zu\n", collaterals_size);
+            }
+            else
+            {
+                printf("ERROR: Report filename is too long.\n");
+                exit(1);
+            }
+        }
     }
     else
     {
@@ -211,6 +265,10 @@ static void _display_help(const char* cmd)
         INPUT_PARAM_OPTION_CERT);
     printf(
         "\t%s : generate binary enclave report.\n", INPUT_PARAM_OPTION_REPORT);
+    printf(
+        "\t%s : generate binary collaterals.  Valid only if %s is specified.\n",
+        INPUT_PARAM_OPTION_COLLATERALS,
+        INPUT_PARAM_OPTION_REPORT);
     printf("\t%s : output filename.\n", INPUT_PARAM_OPTION_OUT_FILE);
 
     // TODO: Add option to display certs
@@ -271,7 +329,6 @@ static int _parse_args(int argc, const char* argv[])
             if (argc >= i)
             {
                 _params.gen_report = true;
-
                 i += 1;
             }
             else
@@ -283,12 +340,16 @@ static int _parse_args(int argc, const char* argv[])
                 return 1;
             }
         }
+        else if (strcmp(INPUT_PARAM_OPTION_COLLATERALS, argv[i]) == 0)
+        {
+            _params.gen_collaterals = true;
+            i += 1;
+        }
         else if (strcmp(INPUT_PARAM_OPTION_OUT_FILE, argv[i]) == 0)
         {
             if (argc >= i + 1)
             {
                 _params.out_filename = argv[i + 1];
-
                 i += 2;
             }
             else

From 12136b0e9a97a9f6aa730dcaa53745ef14ce1e4f Mon Sep 17 00:00:00 2001
From: Jay Chetty <jay.chetty@intel.com>
Date: Wed, 25 Sep 2019 09:16:59 -0700
Subject: [PATCH 028/420] Fixed issue with decrypting the encryption key with
 the password key

The current code was using the previous encryption key generated from previous encrypt operation which was cached in the global dispatcher object. The decrypt operation didn't alter the encryption key due to couple of reasons.
---
 samples/file-encryptor/enclave/encryptor.cpp | 1 +
 samples/file-encryptor/enclave/keys.cpp      | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/samples/file-encryptor/enclave/encryptor.cpp b/samples/file-encryptor/enclave/encryptor.cpp
index 2eaa4e874d..2067005f8a 100644
--- a/samples/file-encryptor/enclave/encryptor.cpp
+++ b/samples/file-encryptor/enclave/encryptor.cpp
@@ -38,6 +38,7 @@ int ecall_dispatcher::initialize(
         encrypt ? "encrypting" : "decrypting");
 
     m_encrypt = encrypt;
+    memset((void*)m_encryption_key, 0, ENCRYPTION_KEY_SIZE_IN_BYTES);
 
     ret = process_encryption_header(encrypt, password, password_len, header);
     if (ret != 0)
diff --git a/samples/file-encryptor/enclave/keys.cpp b/samples/file-encryptor/enclave/keys.cpp
index 250e71b8fe..b930c8f877 100644
--- a/samples/file-encryptor/enclave/keys.cpp
+++ b/samples/file-encryptor/enclave/keys.cpp
@@ -226,7 +226,12 @@ int ecall_dispatcher::cipher_encryption_key(
     mbedtls_aes_init(&aescontext);
 
     // set aes key
-    ret = mbedtls_aes_setkey_enc(&aescontext, encrypt_key, ENCRYPTION_KEY_SIZE);
+    if (encrypt){
+        ret = mbedtls_aes_setkey_enc(&aescontext, encrypt_key, ENCRYPTION_KEY_SIZE);
+    }
+    else {
+        ret = mbedtls_aes_setkey_dec(&aescontext, encrypt_key, ENCRYPTION_KEY_SIZE);
+    }
     if (ret != 0)
     {
         TRACE_ENCLAVE("mbedtls_aes_setkey_enc failed with %d", ret);
@@ -371,8 +376,8 @@ int ecall_dispatcher::parse_encryption_header(
         DECRYPT_OPERATION,
         header->encrypted_key,
         ENCRYPTION_KEY_SIZE_IN_BYTES,
-        (unsigned char*)m_encryption_key,
         password_key,
+        (unsigned char*)m_encryption_key,
         ENCRYPTION_KEY_SIZE_IN_BYTES);
     if (ret != 0)
     {

From 4858e03787b9701b3e4d8f955d4d4711fdf2f569 Mon Sep 17 00:00:00 2001
From: Sergio Wong <sergio.wong@gmail.com>
Date: Wed, 25 Sep 2019 17:11:23 +0000
Subject: [PATCH 029/420] Code review changes.

---
 common/datetime.c                       |  6 ++---
 common/sgx/collaterals.c                | 12 ++++-----
 common/sgx/qeidentity.c                 | 34 +++++++++++++++++--------
 common/sgx/qeidentity.h                 |  2 +-
 common/sgx/quote.c                      | 16 ++++++------
 common/sgx/revocation.c                 | 29 ++++++++++-----------
 enclave/crypto/cert.c                   | 10 +++-----
 host/crypto/bcrypt/cert.c               | 12 ++++-----
 host/crypto/bcrypt/util.h               |  2 +-
 host/crypto/openssl/asn1.c              |  2 +-
 host/crypto/openssl/asn1.h              |  2 +-
 host/crypto/openssl/cert.c              | 10 +++-----
 include/openenclave/internal/datetime.h |  4 +--
 tests/host_verify/host/host.cpp         | 19 --------------
 tests/report/common/tests.cpp           |  2 +-
 15 files changed, 74 insertions(+), 88 deletions(-)

diff --git a/common/datetime.c b/common/datetime.c
index e7c1fcf8d5..fdb8e5bdae 100644
--- a/common/datetime.c
+++ b/common/datetime.c
@@ -249,13 +249,13 @@ oe_result_t oe_datetime_now(oe_datetime_t* value)
     return result;
 }
 
-void oe_datetime_log_info(const char* msg, const oe_datetime_t* date)
+void oe_datetime_log(const char* msg, const oe_datetime_t* date)
 {
-    if (oe_get_current_logging_level() >= OE_LOG_LEVEL_INFO)
+    if (oe_get_current_logging_level() >= OE_LOG_LEVEL_VERBOSE)
     {
         char str[OE_DATETIME_STR_SIZE];
         size_t size = sizeof(str);
         oe_datetime_to_string(date, str, &size);
-        OE_TRACE_INFO("%s %s\n", msg, str);
+        OE_TRACE_VERBOSE("%s %s\n", msg, str);
     }
 }
diff --git a/common/sgx/collaterals.c b/common/sgx/collaterals.c
index c3adce1f7c..759ff0691b 100644
--- a/common/sgx/collaterals.c
+++ b/common/sgx/collaterals.c
@@ -107,18 +107,16 @@ oe_result_t oe_get_collaterals_internal(
             oe_result_str(result));
     }
 
+    *collaterals_buffer = buffer;
+    *collaterals_buffer_size = OE_COLLATERALS_SIZE;
     result = OE_OK;
+
 done:
     oe_cert_free(&leaf_cert);
     oe_cert_free(&intermediate_cert);
     oe_cert_chain_free(&pck_cert_chain);
 
-    if (result == OE_OK)
-    {
-        *collaterals_buffer = buffer;
-        *collaterals_buffer_size = OE_COLLATERALS_SIZE;
-    }
-    else if (buffer)
+    if ((result != OE_OK) && buffer)
     {
         oe_free_get_revocation_info_args(&(collaterals->revocation_info));
         oe_free_qe_identity_info_args(&(collaterals->qe_id_info));
@@ -133,7 +131,7 @@ oe_result_t oe_get_collaterals_internal(
 }
 
 /**
- * Free up any resources allocated by oe_get_collateras()
+ * Free up any resources allocated by oe_get_collaterals()
  *
  * @param collaterals_buffer The buffer containing the collaterals.
  */
diff --git a/common/sgx/qeidentity.c b/common/sgx/qeidentity.c
index bb96c9bf4c..99a9cbf28a 100644
--- a/common/sgx/qeidentity.c
+++ b/common/sgx/qeidentity.c
@@ -106,7 +106,8 @@ oe_result_t oe_validate_qe_identity(
 
     OE_TRACE_INFO("Calling %s\n", __FUNCTION__);
 
-    if (qe_id_args == NULL)
+    if ((qe_id_args == NULL) || (validity_from == NULL) ||
+        (validity_until == NULL))
         OE_RAISE(OE_INVALID_PARAMETER);
 
     // Use QE Identity info to validate QE
@@ -136,22 +137,33 @@ oe_result_t oe_validate_qe_identity(
     // Get leaf certificate
     OE_CHECK_MSG(
         oe_cert_chain_get_leaf_cert(&pck_cert_chain, &leaf_cert),
-        "Failed to get leaf certificate.",
-        NULL);
-    oe_cert_get_validity_dates(&leaf_cert, &from, &until);
+        "Failed to get leaf certificate. %s",
+        oe_result_str(result));
+    OE_CHECK_MSG(
+        oe_cert_get_validity_dates(&leaf_cert, &from, &until),
+        "Failed to get validity dates from cert. %s",
+        oe_result_str(result));
 
-    oe_datetime_log_info("QE identity cert issue date: ", &from);
-    oe_datetime_log_info("QE identity cert next update: ", &until);
+    oe_datetime_log("QE identity cert issue date: ", &from);
+    oe_datetime_log("QE identity cert next update: ", &until);
 
     // Check that issue_date and next_update are after the earliest date that
     // the enclave accepts.
     if (oe_datetime_compare(
             &parsed_info.issue_date, &_sgx_minimim_crl_tcb_issue_date) < 0)
-        OE_RAISE(OE_INVALID_QE_IDENTITY_INFO);
+        OE_RAISE_MSG(
+            OE_INVALID_QE_IDENTITY_INFO,
+            "QE identity info issue date does not meet CRL/TCB minimum issue "
+            "date.",
+            NULL);
 
     if (oe_datetime_compare(
             &parsed_info.next_update, &_sgx_minimim_crl_tcb_issue_date) < 0)
-        OE_RAISE(OE_INVALID_QE_IDENTITY_INFO);
+        OE_RAISE_MSG(
+            OE_INVALID_QE_IDENTITY_INFO,
+            "QE identity info next update does not meet CRL/TCB minimum issue "
+            "date.",
+            NULL);
 
     // Assert that the qe report's MRSIGNER matches Intel's quoting enclave's
     // mrsigner.
@@ -229,8 +241,10 @@ oe_result_t oe_validate_qe_identity(
     if (oe_datetime_compare(&parsed_info.next_update, &until) < 0)
         until = parsed_info.next_update;
 
-    oe_datetime_log_info("QE identity overall issue date: ", &from);
-    oe_datetime_log_info("QE identity overall next update: ", &until);
+    oe_datetime_log("QE identity issue date: ", &parsed_info.issue_date);
+    oe_datetime_log("QE identity next update date: ", &parsed_info.next_update);
+    oe_datetime_log("QE identity overall issue date: ", &from);
+    oe_datetime_log("QE identity overall next update: ", &until);
     if (oe_datetime_compare(&from, &until) > 0)
         OE_RAISE_MSG(
             OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD,
diff --git a/common/sgx/qeidentity.h b/common/sgx/qeidentity.h
index 1327da2b3a..96c62a8472 100644
--- a/common/sgx/qeidentity.h
+++ b/common/sgx/qeidentity.h
@@ -14,7 +14,7 @@ OE_EXTERNC_BEGIN
 
 /**
  * This is needed to be backwards compatible
- * with the older quote provider.
+ * with providers that do not support QE identity.
  *
  * @param[in] qe_report_body The QE report body from the quote.
  */
diff --git a/common/sgx/quote.c b/common/sgx/quote.c
index cf6d95e313..01b735f04d 100644
--- a/common/sgx/quote.c
+++ b/common/sgx/quote.c
@@ -514,15 +514,16 @@ oe_result_t oe_verify_quote_internal_with_collaterals(
                     collaterals_body->creation_datetime,
                     sizeof(collaterals_body->creation_datetime),
                     &creation_time),
-                "Invalid creation time in collaterals.",
-                NULL);
+                "Invalid creation time in collaterals: %s",
+                collaterals_body->creation_datetime);
+
             validation_time = &creation_time;
         }
 
-        oe_datetime_log_info("Validation datetime: ", validation_time);
+        oe_datetime_log("Validation datetime: ", validation_time);
         if (oe_datetime_compare(validation_time, &validity_from) < 0)
         {
-            oe_datetime_log_info("Latests valid datetime: ", &validity_from);
+            oe_datetime_log("Latests valid datetime: ", &validity_from);
             OE_RAISE_MSG(
                 OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD,
                 "Time to validate quote is earlier than the "
@@ -531,8 +532,7 @@ oe_result_t oe_verify_quote_internal_with_collaterals(
         }
         if (oe_datetime_compare(validation_time, &validity_until) > 0)
         {
-            oe_datetime_log_info(
-                "Earliest expiration datetime: ", &validity_until);
+            oe_datetime_log("Earliest expiration datetime: ", &validity_until);
             OE_RAISE_MSG(
                 OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD,
                 "Time to validate quoteis later than the "
@@ -663,8 +663,8 @@ oe_result_t oe_get_quote_validity_with_collaterals_internal(
         oe_result_str(result));
     _update_validity(&latest_from, &earliest_until, &from, &until);
 
-    oe_datetime_log_info("Quote overall issue date: ", &latest_from);
-    oe_datetime_log_info("Quote overall next update: ", &earliest_until);
+    oe_datetime_log("Quote overall issue date: ", &latest_from);
+    oe_datetime_log("Quote overall next update: ", &earliest_until);
     if (oe_datetime_compare(&latest_from, &earliest_until) > 0)
         OE_RAISE_MSG(
             OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD,
diff --git a/common/sgx/revocation.c b/common/sgx/revocation.c
index 9e968b8d3b..3bd08d9608 100644
--- a/common/sgx/revocation.c
+++ b/common/sgx/revocation.c
@@ -112,24 +112,23 @@ static oe_result_t _get_revocation_validity(
         _get_tcb_info_validity(parsed_tcb_info, &latest_from, &earliest_until),
         "Failed to get TCB info validity datetime info. %s",
         oe_result_str(result));
-    oe_datetime_log_info("TCB info validity from date: ", &latest_from);
-    oe_datetime_log_info("TCB info validity until date: ", &earliest_until);
+    oe_datetime_log("TCB info validity from date: ", &latest_from);
+    oe_datetime_log("TCB info validity until date: ", &earliest_until);
 
     OE_CHECK_MSG(
         _get_crl_validity(crls, crls_count, &current_from, &current_until),
         "Failed to get CRL validity datetime info. %s",
         oe_result_str(result));
-    oe_datetime_log_info("CRL validity from date: ", &current_from);
-    oe_datetime_log_info("CRL validity until date: ", &current_until);
+    oe_datetime_log("CRL validity from date: ", &current_from);
+    oe_datetime_log("CRL validity until date: ", &current_until);
 
     // Currently we are ignoring TCB Info validity dates because
     // the data is expired.  See Icm 148493545
     latest_from = current_from;
     earliest_until = current_until;
 
-    oe_datetime_log_info(
-        "Revocation overall validity from date: ", &latest_from);
-    oe_datetime_log_info(
+    oe_datetime_log("Revocation overall validity from date: ", &latest_from);
+    oe_datetime_log(
         "Revocation overall validity until date: ", &earliest_until);
 
     *from = latest_from;
@@ -434,8 +433,8 @@ oe_result_t oe_validate_revocation_list(
 
     if (oe_datetime_compare(&latest_from, &_sgx_minimim_crl_tcb_issue_date) < 0)
     {
-        oe_datetime_log_info("Latest issue date : ", &latest_from);
-        oe_datetime_log_info(
+        oe_datetime_log("Latest issue date : ", &latest_from);
+        oe_datetime_log(
             " is earlier than minimum issue date: ",
             &_sgx_minimim_crl_tcb_issue_date);
         OE_RAISE_MSG(
@@ -447,8 +446,8 @@ oe_result_t oe_validate_revocation_list(
     if (oe_datetime_compare(&earliest_until, &_sgx_minimim_crl_tcb_issue_date) <
         0)
     {
-        oe_datetime_log_info("Next update date : ", &earliest_until);
-        oe_datetime_log_info(
+        oe_datetime_log("Next update date : ", &earliest_until);
+        oe_datetime_log(
             " is earlier than minimum issue date: ",
             &_sgx_minimim_crl_tcb_issue_date);
         OE_RAISE_MSG(
@@ -463,15 +462,15 @@ oe_result_t oe_validate_revocation_list(
         "Failed to get TCB certificate.",
         NULL);
     oe_cert_get_validity_dates(&tcb_cert, &from, &until);
-    oe_datetime_log_info("TCB cert issue date: ", &from);
-    oe_datetime_log_info("TCB cert next update: ", &until);
+    oe_datetime_log("TCB cert issue date: ", &from);
+    oe_datetime_log("TCB cert next update: ", &until);
 
     if (oe_datetime_compare(&from, &latest_from) > 0)
         latest_from = from;
     if (oe_datetime_compare(&until, &earliest_until) < 0)
         earliest_until = until;
-    oe_datetime_log_info("Revocation overall issue date: ", &latest_from);
-    oe_datetime_log_info("Revocation overall next update: ", &earliest_until);
+    oe_datetime_log("Revocation overall issue date: ", &latest_from);
+    oe_datetime_log("Revocation overall next update: ", &earliest_until);
 
     if (oe_datetime_compare(&latest_from, &earliest_until) > 0)
         OE_RAISE_MSG(
diff --git a/enclave/crypto/cert.c b/enclave/crypto/cert.c
index 4416cc7698..061a678d86 100644
--- a/enclave/crypto/cert.c
+++ b/enclave/crypto/cert.c
@@ -1190,18 +1190,14 @@ oe_result_t oe_cert_get_validity_dates(
     oe_result_t result = OE_UNEXPECTED;
     const Cert* impl = (const Cert*)cert;
 
-    if (not_before)
-        memset(not_before, 0, sizeof(oe_datetime_t));
-
-    if (not_after)
-        memset(not_after, 0, sizeof(oe_datetime_t));
-
     /* Reject invalid parameters */
     if (!_cert_is_valid(impl))
         OE_RAISE(OE_INVALID_PARAMETER);
 
     if (not_before)
     {
+        memset(not_before, 0, sizeof(oe_datetime_t));
+
         not_before->year = (uint32_t)impl->cert->valid_from.year;
         not_before->month = (uint32_t)impl->cert->valid_from.mon;
         not_before->day = (uint32_t)impl->cert->valid_from.day;
@@ -1212,6 +1208,8 @@ oe_result_t oe_cert_get_validity_dates(
 
     if (not_after)
     {
+        memset(not_after, 0, sizeof(oe_datetime_t));
+
         not_after->year = (uint32_t)impl->cert->valid_to.year;
         not_after->month = (uint32_t)impl->cert->valid_to.mon;
         not_after->day = (uint32_t)impl->cert->valid_to.day;
diff --git a/host/crypto/bcrypt/cert.c b/host/crypto/bcrypt/cert.c
index e5ca149d21..53661c903e 100644
--- a/host/crypto/bcrypt/cert.c
+++ b/host/crypto/bcrypt/cert.c
@@ -30,7 +30,7 @@
 #define _OE_CERT_CHAIN_LENGTH_ANY 0
 
 static const DWORD _OE_DEFAULT_GET_CRL_FLAGS =
-    CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG;
+    CERT_STORE_SIGNATURE_FLAG | CERT_STORE_BASE_CRL_FLAG;
 
 static const CERT_CHAIN_POLICY_PARA _OE_DEFAULT_CERT_CHAIN_POLICY = {
     .cbSize = sizeof(CERT_CHAIN_POLICY_PARA),
@@ -1305,23 +1305,21 @@ oe_result_t oe_cert_get_validity_dates(
     oe_result_t result = OE_UNEXPECTED;
     const cert_t* impl = (const cert_t*)cert;
 
-    if (not_before)
-        memset(not_before, 0, sizeof(oe_datetime_t));
-
-    if (not_after)
-        memset(not_after, 0, sizeof(oe_datetime_t));
-
     if (!_cert_is_valid(impl))
         OE_RAISE(OE_INVALID_PARAMETER);
 
     if (not_before)
     {
+        memset(not_before, 0, sizeof(oe_datetime_t));
+
         OE_CHECK(oe_util_filetime_to_oe_datetime(
             &impl->cert->pCertInfo->NotBefore, not_before));
     }
 
     if (not_after)
     {
+        memset(not_after, 0, sizeof(oe_datetime_t));
+
         OE_CHECK(oe_util_filetime_to_oe_datetime(
             &impl->cert->pCertInfo->NotAfter, not_after));
     }
diff --git a/host/crypto/bcrypt/util.h b/host/crypto/bcrypt/util.h
index 2a4ab51ec3..ab237b54cf 100644
--- a/host/crypto/bcrypt/util.h
+++ b/host/crypto/bcrypt/util.h
@@ -19,4 +19,4 @@ oe_result_t oe_util_filetime_to_oe_datetime(
     const FILETIME* filetime,
     oe_datetime_t* datetime);
 
-#endif /* _OE_HOST_CRYPTO_UTIL_H */
\ No newline at end of file
+#endif /* _OE_HOST_CRYPTO_UTIL_H */
diff --git a/host/crypto/openssl/asn1.c b/host/crypto/openssl/asn1.c
index 4a93e72309..a4b595438b 100644
--- a/host/crypto/openssl/asn1.c
+++ b/host/crypto/openssl/asn1.c
@@ -270,4 +270,4 @@ oe_result_t oe_asn1_time_to_date(const ASN1_TIME* time, oe_datetime_t* date)
         BIO_free(bio);
 
     return result;
-}
\ No newline at end of file
+}
diff --git a/host/crypto/openssl/asn1.h b/host/crypto/openssl/asn1.h
index 325d0eb01d..a6121c5ba2 100644
--- a/host/crypto/openssl/asn1.h
+++ b/host/crypto/openssl/asn1.h
@@ -25,4 +25,4 @@ oe_result_t oe_asn1_string_to_date(const char* str, oe_datetime_t* date);
  */
 oe_result_t oe_asn1_time_to_date(const ASN1_TIME* time, oe_datetime_t* date);
 
-#endif /* _OE_HOST_CRYPTO_ASN1_OPENSSL_H */
\ No newline at end of file
+#endif /* _OE_HOST_CRYPTO_ASN1_OPENSSL_H */
diff --git a/host/crypto/openssl/cert.c b/host/crypto/openssl/cert.c
index 274dd329df..b44cf0f58e 100644
--- a/host/crypto/openssl/cert.c
+++ b/host/crypto/openssl/cert.c
@@ -968,12 +968,6 @@ oe_result_t oe_cert_get_validity_dates(
     oe_result_t result = OE_UNEXPECTED;
     const cert_t* impl = (const cert_t*)cert;
 
-    if (not_before)
-        memset(not_before, 0, sizeof(oe_datetime_t));
-
-    if (not_after)
-        memset(not_after, 0, sizeof(oe_datetime_t));
-
     if (!_cert_is_valid(impl))
         OE_RAISE(OE_INVALID_PARAMETER);
 
@@ -981,6 +975,8 @@ oe_result_t oe_cert_get_validity_dates(
     {
         const ASN1_TIME* time;
 
+        memset(not_before, 0, sizeof(oe_datetime_t));
+
         if (!(time = X509_get_notBefore(impl->x509)))
             OE_RAISE(OE_CRYPTO_ERROR);
 
@@ -991,6 +987,8 @@ oe_result_t oe_cert_get_validity_dates(
     {
         const ASN1_TIME* time;
 
+        memset(not_after, 0, sizeof(oe_datetime_t));
+
         if (!(time = X509_get_notAfter(impl->x509)))
             OE_RAISE(OE_CRYPTO_ERROR);
 
diff --git a/include/openenclave/internal/datetime.h b/include/openenclave/internal/datetime.h
index 384a0e6113..4b426fd42e 100644
--- a/include/openenclave/internal/datetime.h
+++ b/include/openenclave/internal/datetime.h
@@ -58,9 +58,9 @@ int32_t oe_datetime_compare(
 oe_result_t oe_datetime_now(oe_datetime_t* value);
 
 /**
- * Log date at the INFO level.
+ * Log the given datetime.
  */
-void oe_datetime_log_info(const char* msg, const oe_datetime_t* date);
+void oe_datetime_log(const char* msg, const oe_datetime_t* date);
 
 OE_EXTERNC_END
 
diff --git a/tests/host_verify/host/host.cpp b/tests/host_verify/host/host.cpp
index d15b2b5e29..331862d737 100644
--- a/tests/host_verify/host/host.cpp
+++ b/tests/host_verify/host/host.cpp
@@ -36,14 +36,6 @@
 #define REPORT_FILENAME "sgx_report.bin"
 #define REPORT_BAD_FILENAME "sgx_report_bad.bin"
 
-//
-// TODO: Report with collaterals tests.  Will to refactor the contentns
-// of the collaterals to be self-contained in order to support
-// serialization.
-//
-//#define COLLATERALS_FILENAME "sgx_report.bin.col"
-//#define COLLATERALS_BAD_FILENAME "sgx_report_bad.bin.col"
-
 #define SKIP_RETURN_CODE 2
 
 oe_result_t enclave_identity_verifier(oe_identity_t* identity, void* arg)
@@ -342,16 +334,5 @@ int main()
     if (_validate_file(REPORT_BAD_FILENAME, true))
         _verify_report(REPORT_BAD_FILENAME, NULL, false);
 
-    //
-    // TODO: Report with collaterals tests.  Will to refactor the contentns
-    // of the collaterals to be self-contained in order to support
-    // serialization.
-    //
-    // if (_validate_file(REPORT_FILENAME, false))
-    //    _verify_report(REPORT_FILENAME, COLLATERALS_FILENAME, true);
-
-    // if (_validate_file(REPORT_BAD_FILENAME, true))
-    //     _verify_report(REPORT_FILENAME, COLLATERALS_BAD_FILENAME, false);
-
     return 0;
 }
diff --git a/tests/report/common/tests.cpp b/tests/report/common/tests.cpp
index c6bcf8f5c8..13049adaa5 100644
--- a/tests/report/common/tests.cpp
+++ b/tests/report/common/tests.cpp
@@ -1350,4 +1350,4 @@ void test_verify_report_with_collaterals()
 
     collaterals_buffer_ptr = NULL;
     report_buffer_ptr = NULL;
-}
\ No newline at end of file
+}

From 2d57a50ea297da253099c964374c33e026e4491f Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Mon, 16 Sep 2019 21:12:45 +0000
Subject: [PATCH 030/420] Clone mbedTLS v2.16.2 into 3rdparty/mbedtls/mbedtls

---
 3rdparty/mbedtls/mbedtls/.pylintrc            |   52 +
 3rdparty/mbedtls/mbedtls/.travis.yml          |    9 +-
 3rdparty/mbedtls/mbedtls/CMakeLists.txt       |   24 +-
 3rdparty/mbedtls/mbedtls/CONTRIBUTING.md      |   95 +
 3rdparty/mbedtls/mbedtls/ChangeLog            |  436 ++-
 3rdparty/mbedtls/mbedtls/Makefile             |   14 +-
 3rdparty/mbedtls/mbedtls/README.md            |   49 +-
 .../mbedtls/configs/config-ccm-psk-tls1_2.h   |    2 +-
 .../mbedtls/configs/config-no-entropy.h       |    1 +
 .../mbedtls/mbedtls/configs/config-picocoin.h |   74 -
 .../mbedtls/doxygen/input/doc_mainpage.h      |    2 +-
 .../mbedtls/mbedtls/doxygen/mbedtls.doxyfile  |    2 +-
 .../mbedtls/mbedtls/include/mbedtls/aes.h     |  325 +-
 .../mbedtls/mbedtls/include/mbedtls/aesni.h   |   46 +-
 .../mbedtls/mbedtls/include/mbedtls/arc4.h    |   29 +-
 .../mbedtls/mbedtls/include/mbedtls/aria.h    |  370 +++
 .../mbedtls/include/mbedtls/asn1write.h       |  286 +-
 .../mbedtls/mbedtls/include/mbedtls/base64.h  |    3 +
 .../mbedtls/mbedtls/include/mbedtls/bignum.h  |  822 +++--
 .../mbedtls/include/mbedtls/blowfish.h        |  200 +-
 .../mbedtls/mbedtls/include/mbedtls/bn_mul.h  |   22 +-
 .../mbedtls/include/mbedtls/camellia.h        |  253 +-
 .../mbedtls/mbedtls/include/mbedtls/ccm.h     |  222 +-
 .../mbedtls/mbedtls/include/mbedtls/certs.h   |  234 +-
 .../mbedtls/include/mbedtls/chacha20.h        |  226 ++
 .../mbedtls/include/mbedtls/chachapoly.h      |  358 +++
 .../mbedtls/include/mbedtls/check_config.h    |   22 +-
 .../mbedtls/mbedtls/include/mbedtls/cipher.h  |  594 ++--
 .../mbedtls/include/mbedtls/cipher_internal.h |   15 +
 .../mbedtls/mbedtls/include/mbedtls/cmac.h    |   55 +-
 .../mbedtls/include/mbedtls/compat-1.3.h      |    3 +-
 .../mbedtls/mbedtls/include/mbedtls/config.h  |  488 ++-
 .../mbedtls/include/mbedtls/ctr_drbg.h        |  131 +-
 .../mbedtls/mbedtls/include/mbedtls/debug.h   |   36 +
 .../mbedtls/mbedtls/include/mbedtls/des.h     |   31 +-
 .../mbedtls/mbedtls/include/mbedtls/dhm.h     |  247 +-
 .../mbedtls/mbedtls/include/mbedtls/ecdh.h    |  363 ++-
 .../mbedtls/mbedtls/include/mbedtls/ecdsa.h   |  439 ++-
 .../mbedtls/mbedtls/include/mbedtls/ecjpake.h |  165 +-
 .../mbedtls/mbedtls/include/mbedtls/ecp.h     | 1188 +++++---
 .../mbedtls/mbedtls/include/mbedtls/entropy.h |    6 +-
 .../mbedtls/mbedtls/include/mbedtls/error.h   |   24 +-
 .../mbedtls/mbedtls/include/mbedtls/gcm.h     |  165 +-
 .../mbedtls/mbedtls/include/mbedtls/havege.h  |    2 +-
 .../mbedtls/mbedtls/include/mbedtls/hkdf.h    |  141 +
 .../mbedtls/include/mbedtls/hmac_drbg.h       |   44 +-
 3rdparty/mbedtls/mbedtls/include/mbedtls/md.h |  111 +-
 .../mbedtls/mbedtls/include/mbedtls/md2.h     |   31 +-
 .../mbedtls/mbedtls/include/mbedtls/md4.h     |   31 +-
 .../mbedtls/mbedtls/include/mbedtls/md5.h     |   31 +-
 .../mbedtls/include/mbedtls/net_sockets.h     |   48 +-
 .../mbedtls/mbedtls/include/mbedtls/nist_kw.h |  184 ++
 .../mbedtls/mbedtls/include/mbedtls/oid.h     |   26 +-
 .../mbedtls/mbedtls/include/mbedtls/padlock.h |   36 +-
 .../mbedtls/mbedtls/include/mbedtls/pem.h     |    2 +-
 3rdparty/mbedtls/mbedtls/include/mbedtls/pk.h |  221 +-
 .../mbedtls/include/mbedtls/pk_internal.h     |   23 +
 .../mbedtls/mbedtls/include/mbedtls/pkcs11.h  |    3 +-
 .../mbedtls/mbedtls/include/mbedtls/pkcs5.h   |    4 +
 .../mbedtls/include/mbedtls/platform.h        |   77 +-
 .../mbedtls/include/mbedtls/platform_util.h   |  185 ++
 .../mbedtls/include/mbedtls/poly1305.h        |  192 ++
 .../mbedtls/include/mbedtls/ripemd160.h       |   32 +-
 .../mbedtls/mbedtls/include/mbedtls/rsa.h     |  995 ++++---
 .../mbedtls/mbedtls/include/mbedtls/sha1.h    |  196 +-
 .../mbedtls/mbedtls/include/mbedtls/sha256.h  |  137 +-
 .../mbedtls/mbedtls/include/mbedtls/sha512.h  |  142 +-
 .../mbedtls/mbedtls/include/mbedtls/ssl.h     |  780 ++++-
 .../include/mbedtls/ssl_ciphersuites.h        |   48 +
 .../mbedtls/include/mbedtls/ssl_cookie.h      |    2 +-
 .../mbedtls/include/mbedtls/ssl_internal.h    |  159 +-
 .../mbedtls/include/mbedtls/ssl_ticket.h      |    4 +-
 .../mbedtls/include/mbedtls/threading.h       |   17 +-
 .../mbedtls/mbedtls/include/mbedtls/timing.h  |   26 +-
 .../mbedtls/mbedtls/include/mbedtls/version.h |   10 +-
 .../mbedtls/mbedtls/include/mbedtls/x509.h    |    4 +
 .../mbedtls/include/mbedtls/x509_crt.h        |  104 +-
 .../mbedtls/mbedtls/include/mbedtls/xtea.h    |   30 +-
 .../mbedtls/mbedtls/library/CMakeLists.txt    |   24 +-
 3rdparty/mbedtls/mbedtls/library/Makefile     |   71 +-
 3rdparty/mbedtls/mbedtls/library/aes.c        |  837 +++++-
 3rdparty/mbedtls/mbedtls/library/aesni.c      |    6 +
 3rdparty/mbedtls/mbedtls/library/arc4.c       |    8 +-
 3rdparty/mbedtls/mbedtls/library/aria.c       | 1079 +++++++
 3rdparty/mbedtls/mbedtls/library/asn1parse.c  |   10 +-
 3rdparty/mbedtls/mbedtls/library/asn1write.c  |   34 +-
 3rdparty/mbedtls/mbedtls/library/bignum.c     |  451 ++-
 3rdparty/mbedtls/mbedtls/library/blowfish.c   |   64 +-
 3rdparty/mbedtls/mbedtls/library/camellia.c   |   76 +-
 3rdparty/mbedtls/mbedtls/library/ccm.c        |   94 +-
 3rdparty/mbedtls/mbedtls/library/certs.c      | 2073 ++++++++++---
 3rdparty/mbedtls/mbedtls/library/chacha20.c   |  570 ++++
 3rdparty/mbedtls/mbedtls/library/chachapoly.c |  540 ++++
 3rdparty/mbedtls/mbedtls/library/cipher.c     |  343 ++-
 .../mbedtls/mbedtls/library/cipher_wrap.c     |  821 +++++
 3rdparty/mbedtls/mbedtls/library/cmac.c       |   36 +-
 3rdparty/mbedtls/mbedtls/library/ctr_drbg.c   |  129 +-
 3rdparty/mbedtls/mbedtls/library/debug.c      |   50 +
 3rdparty/mbedtls/mbedtls/library/des.c        |   97 +-
 3rdparty/mbedtls/mbedtls/library/dhm.c        |   87 +-
 3rdparty/mbedtls/mbedtls/library/ecdh.c       |  570 +++-
 3rdparty/mbedtls/mbedtls/library/ecdsa.c      |  563 +++-
 3rdparty/mbedtls/mbedtls/library/ecjpake.c    |   38 +-
 3rdparty/mbedtls/mbedtls/library/ecp.c        | 1259 ++++++--
 3rdparty/mbedtls/mbedtls/library/ecp_curves.c |  203 +-
 3rdparty/mbedtls/mbedtls/library/entropy.c    |   18 +-
 .../mbedtls/mbedtls/library/entropy_poll.c    |   11 +-
 3rdparty/mbedtls/mbedtls/library/error.c      |  114 +-
 3rdparty/mbedtls/mbedtls/library/gcm.c        |   60 +-
 3rdparty/mbedtls/mbedtls/library/havege.c     |   10 +-
 3rdparty/mbedtls/mbedtls/library/hkdf.c       |  192 ++
 3rdparty/mbedtls/mbedtls/library/hmac_drbg.c  |   47 +-
 3rdparty/mbedtls/mbedtls/library/md.c         |   15 +-
 3rdparty/mbedtls/mbedtls/library/md2.c        |    8 +-
 3rdparty/mbedtls/mbedtls/library/md4.c        |   38 +-
 3rdparty/mbedtls/mbedtls/library/md5.c        |   29 +-
 .../mbedtls/library/memory_buffer_alloc.c     |   20 +-
 .../mbedtls/mbedtls/library/net_sockets.c     |   82 +-
 3rdparty/mbedtls/mbedtls/library/nist_kw.c    |  755 +++++
 3rdparty/mbedtls/mbedtls/library/oid.c        |   53 +-
 3rdparty/mbedtls/mbedtls/library/pem.c        |   34 +-
 3rdparty/mbedtls/mbedtls/library/pk.c         |  216 +-
 3rdparty/mbedtls/mbedtls/library/pk_wrap.c    |  213 +-
 3rdparty/mbedtls/mbedtls/library/pkcs12.c     |   20 +-
 3rdparty/mbedtls/mbedtls/library/pkparse.c    |  132 +-
 3rdparty/mbedtls/mbedtls/library/pkwrite.c    |   32 +-
 3rdparty/mbedtls/mbedtls/library/platform.c   |   29 +-
 .../mbedtls/mbedtls/library/platform_util.c   |  136 +
 3rdparty/mbedtls/mbedtls/library/poly1305.c   |  559 ++++
 3rdparty/mbedtls/mbedtls/library/ripemd160.c  |   47 +-
 3rdparty/mbedtls/mbedtls/library/rsa.c        |  319 +-
 .../mbedtls/mbedtls/library/rsa_internal.c    |    9 +-
 3rdparty/mbedtls/mbedtls/library/sha1.c       |   64 +-
 3rdparty/mbedtls/mbedtls/library/sha256.c     |   64 +-
 3rdparty/mbedtls/mbedtls/library/sha512.c     |   54 +-
 .../mbedtls/library/ssl_ciphersuites.c        |  485 ++-
 3rdparty/mbedtls/mbedtls/library/ssl_cli.c    |  222 +-
 3rdparty/mbedtls/mbedtls/library/ssl_cookie.c |   10 +-
 3rdparty/mbedtls/mbedtls/library/ssl_srv.c    |  612 ++--
 3rdparty/mbedtls/mbedtls/library/ssl_ticket.c |   10 +-
 3rdparty/mbedtls/mbedtls/library/ssl_tls.c    | 2631 ++++++++++++-----
 3rdparty/mbedtls/mbedtls/library/threading.c  |   44 +-
 3rdparty/mbedtls/mbedtls/library/timing.c     |    3 +-
 3rdparty/mbedtls/mbedtls/library/version.c    |    2 +-
 .../mbedtls/library/version_features.c        |   57 +
 3rdparty/mbedtls/mbedtls/library/x509.c       |   50 +-
 .../mbedtls/mbedtls/library/x509_create.c     |  171 +-
 3rdparty/mbedtls/mbedtls/library/x509_crl.c   |   17 +-
 3rdparty/mbedtls/mbedtls/library/x509_crt.c   | 1351 +++++----
 3rdparty/mbedtls/mbedtls/library/x509_csr.c   |   14 +-
 .../mbedtls/mbedtls/library/x509write_crt.c   |  151 +-
 .../mbedtls/mbedtls/library/x509write_csr.c   |    8 +-
 3rdparty/mbedtls/mbedtls/library/xtea.c       |    8 +-
 3rdparty/mbedtls/mbedtls/programs/Makefile    |   28 +-
 3rdparty/mbedtls/mbedtls/programs/README.md   |  123 +
 .../mbedtls/mbedtls/programs/aes/aescrypt2.c  |   32 +-
 .../mbedtls/programs/aes/crypt_and_hash.c     |   32 +-
 .../mbedtls/programs/hash/generic_sum.c       |   14 +
 .../mbedtls/mbedtls/programs/hash/hello.c     |   14 +
 .../mbedtls/mbedtls/programs/pkey/dh_client.c |   14 +
 .../mbedtls/programs/pkey/dh_genprime.c       |   15 +-
 .../mbedtls/mbedtls/programs/pkey/dh_server.c |   14 +
 .../mbedtls/programs/pkey/ecdh_curve25519.c   |   17 +-
 .../mbedtls/mbedtls/programs/pkey/ecdsa.c     |   13 +
 .../mbedtls/mbedtls/programs/pkey/gen_key.c   |   14 +
 .../mbedtls/mbedtls/programs/pkey/key_app.c   |   14 +
 .../mbedtls/programs/pkey/key_app_writer.c    |   14 +
 .../mbedtls/mbedtls/programs/pkey/mpi_demo.c  |   14 +
 .../mbedtls/programs/pkey/pk_decrypt.c        |   14 +
 .../mbedtls/programs/pkey/pk_encrypt.c        |   14 +
 .../mbedtls/mbedtls/programs/pkey/pk_sign.c   |   13 +
 .../mbedtls/mbedtls/programs/pkey/pk_verify.c |   13 +
 .../mbedtls/programs/pkey/rsa_decrypt.c       |   13 +
 .../mbedtls/programs/pkey/rsa_encrypt.c       |   13 +
 .../mbedtls/programs/pkey/rsa_genkey.c        |   14 +
 .../mbedtls/mbedtls/programs/pkey/rsa_sign.c  |   13 +
 .../mbedtls/programs/pkey/rsa_sign_pss.c      |   13 +
 .../mbedtls/programs/pkey/rsa_verify.c        |   13 +
 .../mbedtls/programs/pkey/rsa_verify_pss.c    |   13 +
 .../mbedtls/programs/random/gen_entropy.c     |   14 +
 .../programs/random/gen_random_ctr_drbg.c     |   14 +
 .../programs/random/gen_random_havege.c       |   14 +
 .../mbedtls/programs/ssl/CMakeLists.txt       |    2 +
 .../mbedtls/programs/ssl/dtls_client.c        |   15 +
 .../mbedtls/programs/ssl/dtls_server.c        |   15 +
 .../mbedtls/programs/ssl/mini_client.c        |   36 +-
 .../mbedtls/programs/ssl/query_config.c       | 2515 ++++++++++++++++
 .../mbedtls/programs/ssl/ssl_client1.c        |   13 +
 .../mbedtls/programs/ssl/ssl_client2.c        |  514 +++-
 .../mbedtls/programs/ssl/ssl_fork_server.c    |   13 +
 .../mbedtls/programs/ssl/ssl_mail_client.c    |   18 +
 .../mbedtls/programs/ssl/ssl_pthread_server.c |   16 +
 .../mbedtls/mbedtls/programs/ssl/ssl_server.c |   15 +
 .../mbedtls/programs/ssl/ssl_server2.c        |  770 ++++-
 .../mbedtls/programs/test/CMakeLists.txt      |   13 +-
 .../mbedtls/mbedtls/programs/test/benchmark.c |  256 +-
 .../mbedtls/programs/test/cpp_dummy_build.cpp |  119 +
 .../programs/test/query_compile_time_config.c |   56 +
 .../mbedtls/mbedtls/programs/test/selftest.c  |   32 +
 .../mbedtls/mbedtls/programs/test/udp_proxy.c |  405 ++-
 .../programs/test/udp_proxy_wrapper.sh        |  117 +
 .../mbedtls/mbedtls/programs/test/zeroize.c   |  101 +
 .../mbedtls/mbedtls/programs/util/pem2der.c   |   14 +
 .../mbedtls/mbedtls/programs/x509/cert_app.c  |   13 +
 .../mbedtls/mbedtls/programs/x509/cert_req.c  |   20 +-
 .../mbedtls/programs/x509/cert_write.c        |   19 +-
 .../mbedtls/mbedtls/programs/x509/crl_app.c   |   13 +
 .../mbedtls/mbedtls/programs/x509/req_app.c   |   13 +
 .../mbedtls/mbedtls/scripts/bump_version.sh   |    3 +
 3rdparty/mbedtls/mbedtls/scripts/config.pl    |    1 +
 .../scripts/data_files/query_config.fmt       |  139 +
 .../data_files/vs2010-app-template.vcxproj    |    3 +-
 3rdparty/mbedtls/mbedtls/scripts/footprint.sh |    5 -
 .../mbedtls/scripts/generate_errors.pl        |    8 +-
 .../mbedtls/scripts/generate_query_config.pl  |   75 +
 .../mbedtls/scripts/generate_visualc_files.pl |    8 +-
 .../mbedtls/mbedtls/scripts/output_env.sh     |    5 +
 3rdparty/mbedtls/mbedtls/tests/CMakeLists.txt |   21 +-
 3rdparty/mbedtls/mbedtls/tests/Makefile       |  446 +--
 3rdparty/mbedtls/mbedtls/tests/compat.sh      |  172 +-
 .../mbedtls/mbedtls/tests/data_files/Makefile |  253 +-
 .../mbedtls/tests/data_files/Readme-x509.txt  |   42 +-
 .../mbedtls/tests/data_files/cli-rsa-sha1.crt |   21 +-
 .../tests/data_files/cli-rsa-sha256.crt       |   21 +-
 .../tests/data_files/cli-rsa-sha256.crt.der   |  Bin 0 -> 835 bytes
 .../tests/data_files/cli-rsa-sha256.key.der   |  Bin 0 -> 1192 bytes
 .../mbedtls/tests/data_files/cli-rsa.key.der  |  Bin 0 -> 1192 bytes
 .../mbedtls/tests/data_files/cli2.crt.der     |  Bin 0 -> 560 bytes
 .../mbedtls/tests/data_files/cli2.key.der     |  Bin 0 -> 121 bytes
 .../data_files/rsa_pkcs1_2048_public.der      |  Bin 0 -> 270 bytes
 .../data_files/rsa_pkcs1_2048_public.pem      |    8 +
 .../data_files/rsa_pkcs8_1024_public.der      |  Bin 0 -> 162 bytes
 .../data_files/rsa_pkcs8_2048_public.der      |  Bin 0 -> 294 bytes
 .../data_files/rsa_pkcs8_2048_public.pem      |    9 +
 .../tests/data_files/server1.cert_type.crt    |   16 +-
 .../data_files/server1.cert_type_noauthid.crt |   18 +-
 .../mbedtls/tests/data_files/server1.crt      |   16 +-
 .../mbedtls/tests/data_files/server1.crt.der  |  Bin 0 -> 835 bytes
 .../tests/data_files/server1.key_usage.crt    |   16 +-
 .../data_files/server1.key_usage_noauthid.crt |   18 +-
 .../tests/data_files/server1.noauthid.crt     |   16 +-
 .../tests/data_files/server1.req.cert_type    |   18 +-
 .../data_files/server1.req.cert_type_empty    |   18 +-
 .../tests/data_files/server1.req.key_usage    |   18 +-
 .../data_files/server1.req.key_usage_empty    |   18 +-
 .../tests/data_files/server1.req.ku-ct        |   16 +-
 .../mbedtls/tests/data_files/server1.req.md4  |   16 +-
 .../mbedtls/tests/data_files/server1.req.md5  |   16 +-
 .../mbedtls/tests/data_files/server1.req.sha1 |   16 +-
 .../tests/data_files/server1.req.sha224       |   16 +-
 .../tests/data_files/server1.req.sha256       |   16 +-
 .../tests/data_files/server1.req.sha384       |   16 +-
 .../tests/data_files/server1.req.sha512       |   16 +-
 .../mbedtls/tests/data_files/server1.v1.crt   |   18 +-
 .../tests/data_files/server10-badsign.crt     |   10 +
 .../tests/data_files/server10-bs_int3.pem     |   22 +
 .../mbedtls/tests/data_files/server10.crt     |   10 +
 .../tests/data_files/server10_int3-bs.pem     |   22 +
 .../tests/data_files/server2-sha256.crt       |   23 +-
 .../tests/data_files/server2-sha256.crt.der   |  Bin 0 -> 827 bytes
 .../mbedtls/tests/data_files/server2.crt      |   75 +-
 .../mbedtls/tests/data_files/server2.crt.der  |  Bin 0 -> 827 bytes
 .../mbedtls/tests/data_files/server2.key.der  |  Bin 0 -> 1192 bytes
 .../mbedtls/tests/data_files/server5.crt.der  |  Bin 0 -> 547 bytes
 .../mbedtls/tests/data_files/server5.key.der  |  Bin 0 -> 121 bytes
 .../tests/data_files/server5.req.ku.sha1      |    8 +-
 .../tests/data_files/test-ca-alt-good.crt     |   21 +-
 .../tests/data_files/test-ca-good-alt.crt     |   21 +-
 .../mbedtls/tests/data_files/test-ca-sha1.crt |   21 +-
 .../tests/data_files/test-ca-sha1.crt.der     |  Bin 0 -> 837 bytes
 .../tests/data_files/test-ca-sha256.crt       |   21 +-
 .../tests/data_files/test-ca-sha256.crt.der   |  Bin 0 -> 837 bytes
 .../mbedtls/tests/data_files/test-ca.crt      |   82 +-
 .../mbedtls/tests/data_files/test-ca.crt.der  |  Bin 0 -> 837 bytes
 .../mbedtls/tests/data_files/test-ca.key.der  |  Bin 0 -> 1192 bytes
 .../mbedtls/tests/data_files/test-ca2.crt.der |  Bin 0 -> 598 bytes
 .../mbedtls/tests/data_files/test-ca2.key.der |  Bin 0 -> 167 bytes
 .../mbedtls/tests/data_files/test-ca2.key.enc |    9 +
 .../tests/data_files/test-ca_cat12.crt        |   82 +-
 .../tests/data_files/test-ca_cat21.crt        |   82 +-
 .../tests/data_files/test-int-ca3-badsign.crt |   12 +
 3rdparty/mbedtls/mbedtls/tests/scripts/all.sh |  275 +-
 .../mbedtls/tests/scripts/basic-build-test.sh |    3 +
 .../mbedtls/tests/scripts/check-files.py      |    1 -
 .../tests/scripts/check-generated-files.sh    |    1 +
 .../mbedtls/tests/scripts/check-names.sh      |    2 +-
 .../tests/scripts/check-python-files.sh       |   12 +
 .../mbedtls/tests/scripts/generate_code.pl    |  411 ---
 .../tests/scripts/generate_test_code.py       | 1152 ++++++++
 .../mbedtls/tests/scripts/mbedtls_test.py     |  379 +++
 .../mbedtls/tests/scripts/test-ref-configs.pl |    2 -
 .../tests/scripts/test_generate_test_code.py  | 1755 +++++++++++
 .../mbedtls/tests/scripts/test_zeroize.gdb    |   71 +
 .../mbedtls/tests/scripts/yotta-build.sh      |   61 -
 3rdparty/mbedtls/mbedtls/tests/ssl-opt.sh     | 2414 +++++++++++++--
 .../mbedtls/tests/suites/helpers.function     |  261 +-
 .../mbedtls/tests/suites/host_test.function   |  672 +++++
 .../mbedtls/tests/suites/main_test.function   |  663 ++---
 .../mbedtls/tests/suites/target_test.function |  413 +++
 .../tests/suites/test_suite_aes.function      |  615 +++-
 .../tests/suites/test_suite_aes.ofb.data      |   35 +
 .../tests/suites/test_suite_aes.rest.data     |    6 +
 .../tests/suites/test_suite_aes.xts.data      |  158 +
 .../tests/suites/test_suite_arc4.function     |   22 +-
 .../mbedtls/tests/suites/test_suite_aria.data |  104 +
 .../tests/suites/test_suite_aria.function     |  527 ++++
 .../suites/test_suite_asn1write.function      |   46 +-
 .../tests/suites/test_suite_base64.function   |   41 +-
 .../tests/suites/test_suite_blowfish.data     |   14 +-
 .../tests/suites/test_suite_blowfish.function |  315 +-
 .../tests/suites/test_suite_camellia.data     |   10 +-
 .../tests/suites/test_suite_camellia.function |  302 +-
 .../mbedtls/tests/suites/test_suite_ccm.data  |  231 +-
 .../tests/suites/test_suite_ccm.function      |  436 ++-
 .../tests/suites/test_suite_chacha20.data     |   29 +
 .../tests/suites/test_suite_chacha20.function |  136 +
 .../tests/suites/test_suite_chachapoly.data   |   27 +
 .../suites/test_suite_chachapoly.function     |  337 +++
 .../tests/suites/test_suite_cipher.aes.data   |  394 ++-
 .../tests/suites/test_suite_cipher.ccm.data   |  240 +-
 .../suites/test_suite_cipher.chacha20.data    |  111 +
 .../suites/test_suite_cipher.chachapoly.data  |  123 +
 .../tests/suites/test_suite_cipher.function   |  718 +++--
 .../tests/suites/test_suite_cipher.misc.data  |    5 +
 .../suites/test_suite_cipher.padding.data     |    3 -
 .../tests/suites/test_suite_cmac.function     |  108 +-
 .../tests/suites/test_suite_ctr_drbg.data     |  713 +++--
 .../tests/suites/test_suite_ctr_drbg.function |  201 +-
 .../tests/suites/test_suite_debug.function    |   27 +-
 .../tests/suites/test_suite_des.function      |  196 +-
 .../mbedtls/tests/suites/test_suite_dhm.data  |    3 +
 .../tests/suites/test_suite_dhm.function      |  111 +-
 .../mbedtls/tests/suites/test_suite_ecdh.data |   42 +
 .../tests/suites/test_suite_ecdh.function     |  382 ++-
 .../tests/suites/test_suite_ecdsa.data        |   95 +-
 .../tests/suites/test_suite_ecdsa.function    |  368 ++-
 .../tests/suites/test_suite_ecjpake.data      |    3 +
 .../tests/suites/test_suite_ecjpake.function  |  169 +-
 .../mbedtls/tests/suites/test_suite_ecp.data  |   56 +-
 .../tests/suites/test_suite_ecp.function      |  591 +++-
 .../tests/suites/test_suite_entropy.function  |   19 +-
 .../tests/suites/test_suite_error.function    |    2 +-
 .../suites/test_suite_gcm.aes128_de.data      |  336 +--
 .../suites/test_suite_gcm.aes192_de.data      |  336 +--
 .../suites/test_suite_gcm.aes256_de.data      |  336 +--
 .../tests/suites/test_suite_gcm.camellia.data |   72 +-
 .../tests/suites/test_suite_gcm.function      |  279 +-
 .../tests/suites/test_suite_gcm.misc.data     |    5 +
 .../mbedtls/tests/suites/test_suite_hkdf.data |   98 +
 .../tests/suites/test_suite_hkdf.function     |  174 ++
 .../suites/test_suite_hmac_drbg.function      |  126 +-
 .../tests/suites/test_suite_md.function       |  129 +-
 .../tests/suites/test_suite_mdx.function      |   36 +-
 .../test_suite_memory_buffer_alloc.function   |   11 +-
 .../mbedtls/tests/suites/test_suite_mpi.data  |   38 +-
 .../tests/suites/test_suite_mpi.function      |  430 ++-
 .../tests/suites/test_suite_nist_kw.data      |  483 +++
 .../tests/suites/test_suite_nist_kw.function  |  347 +++
 .../tests/suites/test_suite_pem.function      |   14 +-
 .../mbedtls/tests/suites/test_suite_pk.data   |   42 +
 .../tests/suites/test_suite_pk.function       |  697 ++++-
 .../suites/test_suite_pkcs1_v15.function      |  101 +-
 .../tests/suites/test_suite_pkcs1_v21.data    |   48 +-
 .../suites/test_suite_pkcs1_v21.function      |  121 +-
 .../tests/suites/test_suite_pkcs5.function    |   48 +-
 .../tests/suites/test_suite_pkparse.data      |   14 +-
 .../tests/suites/test_suite_pkparse.function  |   18 +-
 .../tests/suites/test_suite_pkwrite.function  |    4 +-
 .../tests/suites/test_suite_poly1305.data     |   42 +
 .../tests/suites/test_suite_poly1305.function |  135 +
 .../mbedtls/tests/suites/test_suite_rsa.data  |   26 +-
 .../tests/suites/test_suite_rsa.function      |  838 ++++--
 .../mbedtls/tests/suites/test_suite_shax.data |   18 +
 .../tests/suites/test_suite_shax.function     |  230 +-
 .../mbedtls/tests/suites/test_suite_ssl.data  |   32 +-
 .../tests/suites/test_suite_ssl.function      |   12 +-
 .../tests/suites/test_suite_version.data      |    4 +-
 .../tests/suites/test_suite_version.function  |    4 +-
 .../tests/suites/test_suite_x509parse.data    |  114 +-
 .../suites/test_suite_x509parse.function      |  144 +-
 .../suites/test_suite_x509write.function      |    4 +-
 .../tests/suites/test_suite_xtea.function     |   90 +-
 .../mbedtls/visualc/VS2010/mbedTLS.sln        |   26 +
 .../mbedtls/visualc/VS2010/mbedTLS.vcxproj    |   14 +
 .../VS2010/query_compile_time_config.vcxproj  |  175 ++
 .../visualc/VS2010/ssl_client2.vcxproj        |    1 +
 .../visualc/VS2010/ssl_server2.vcxproj        |    1 +
 .../mbedtls/visualc/VS2010/zeroize.vcxproj    |  174 ++
 .../mbedtls/mbedtls/yotta/create-module.sh    |   47 -
 3rdparty/mbedtls/mbedtls/yotta/data/README.md |  103 -
 .../mbedtls/yotta/data/adjust-config.sh       |   77 -
 .../yotta/data/entropy_hardware_poll.c        |   88 -
 .../yotta/data/example-authcrypt/README.md    |   68 -
 .../yotta/data/example-authcrypt/main.cpp     |  197 --
 .../yotta/data/example-benchmark/README.md    |  100 -
 .../yotta/data/example-benchmark/main.cpp     |  951 ------
 .../yotta/data/example-hashing/README.md      |   67 -
 .../yotta/data/example-hashing/main.cpp       |  177 --
 .../yotta/data/example-selftest/README.md     |   82 -
 .../yotta/data/example-selftest/main.cpp      |  268 --
 .../mbedtls/mbedtls/yotta/data/module.json    |   18 -
 .../mbedtls/yotta/data/target_config.h        |   35 -
 402 files changed, 50094 insertions(+), 14567 deletions(-)
 create mode 100644 3rdparty/mbedtls/mbedtls/.pylintrc
 create mode 100644 3rdparty/mbedtls/mbedtls/CONTRIBUTING.md
 delete mode 100644 3rdparty/mbedtls/mbedtls/configs/config-picocoin.h
 create mode 100644 3rdparty/mbedtls/mbedtls/include/mbedtls/aria.h
 create mode 100644 3rdparty/mbedtls/mbedtls/include/mbedtls/chacha20.h
 create mode 100644 3rdparty/mbedtls/mbedtls/include/mbedtls/chachapoly.h
 create mode 100644 3rdparty/mbedtls/mbedtls/include/mbedtls/hkdf.h
 create mode 100644 3rdparty/mbedtls/mbedtls/include/mbedtls/nist_kw.h
 create mode 100644 3rdparty/mbedtls/mbedtls/include/mbedtls/platform_util.h
 create mode 100644 3rdparty/mbedtls/mbedtls/include/mbedtls/poly1305.h
 create mode 100644 3rdparty/mbedtls/mbedtls/library/aria.c
 create mode 100644 3rdparty/mbedtls/mbedtls/library/chacha20.c
 create mode 100644 3rdparty/mbedtls/mbedtls/library/chachapoly.c
 create mode 100644 3rdparty/mbedtls/mbedtls/library/hkdf.c
 create mode 100644 3rdparty/mbedtls/mbedtls/library/nist_kw.c
 create mode 100644 3rdparty/mbedtls/mbedtls/library/platform_util.c
 create mode 100644 3rdparty/mbedtls/mbedtls/library/poly1305.c
 create mode 100644 3rdparty/mbedtls/mbedtls/programs/README.md
 create mode 100644 3rdparty/mbedtls/mbedtls/programs/ssl/query_config.c
 create mode 100644 3rdparty/mbedtls/mbedtls/programs/test/cpp_dummy_build.cpp
 create mode 100644 3rdparty/mbedtls/mbedtls/programs/test/query_compile_time_config.c
 create mode 100755 3rdparty/mbedtls/mbedtls/programs/test/udp_proxy_wrapper.sh
 create mode 100644 3rdparty/mbedtls/mbedtls/programs/test/zeroize.c
 create mode 100644 3rdparty/mbedtls/mbedtls/scripts/data_files/query_config.fmt
 create mode 100755 3rdparty/mbedtls/mbedtls/scripts/generate_query_config.pl
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa-sha256.crt.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa-sha256.key.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa.key.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/cli2.crt.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/cli2.key.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs1_2048_public.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs1_2048_public.pem
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs8_1024_public.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs8_2048_public.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs8_2048_public.pem
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/server1.crt.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/server10-badsign.crt
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/server10-bs_int3.pem
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/server10.crt
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/server10_int3-bs.pem
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/server2-sha256.crt.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/server2.crt.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/server2.key.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/server5.crt.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/server5.key.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-sha1.crt.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-sha256.crt.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/test-ca.crt.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/test-ca.key.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/test-ca2.crt.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/test-ca2.key.der
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/test-ca2.key.enc
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/data_files/test-int-ca3-badsign.crt
 create mode 100755 3rdparty/mbedtls/mbedtls/tests/scripts/check-python-files.sh
 delete mode 100755 3rdparty/mbedtls/mbedtls/tests/scripts/generate_code.pl
 create mode 100755 3rdparty/mbedtls/mbedtls/tests/scripts/generate_test_code.py
 create mode 100755 3rdparty/mbedtls/mbedtls/tests/scripts/mbedtls_test.py
 create mode 100755 3rdparty/mbedtls/mbedtls/tests/scripts/test_generate_test_code.py
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/scripts/test_zeroize.gdb
 delete mode 100755 3rdparty/mbedtls/mbedtls/tests/scripts/yotta-build.sh
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/host_test.function
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/target_test.function
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aes.ofb.data
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aes.xts.data
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aria.data
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aria.function
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_chacha20.data
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_chacha20.function
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_chachapoly.data
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_chachapoly.function
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.chacha20.data
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.chachapoly.data
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.misc.data
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.misc.data
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_hkdf.data
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_hkdf.function
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_nist_kw.data
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_nist_kw.function
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_poly1305.data
 create mode 100644 3rdparty/mbedtls/mbedtls/tests/suites/test_suite_poly1305.function
 create mode 100644 3rdparty/mbedtls/mbedtls/visualc/VS2010/query_compile_time_config.vcxproj
 create mode 100644 3rdparty/mbedtls/mbedtls/visualc/VS2010/zeroize.vcxproj
 delete mode 100755 3rdparty/mbedtls/mbedtls/yotta/create-module.sh
 delete mode 100644 3rdparty/mbedtls/mbedtls/yotta/data/README.md
 delete mode 100755 3rdparty/mbedtls/mbedtls/yotta/data/adjust-config.sh
 delete mode 100644 3rdparty/mbedtls/mbedtls/yotta/data/entropy_hardware_poll.c
 delete mode 100644 3rdparty/mbedtls/mbedtls/yotta/data/example-authcrypt/README.md
 delete mode 100644 3rdparty/mbedtls/mbedtls/yotta/data/example-authcrypt/main.cpp
 delete mode 100644 3rdparty/mbedtls/mbedtls/yotta/data/example-benchmark/README.md
 delete mode 100644 3rdparty/mbedtls/mbedtls/yotta/data/example-benchmark/main.cpp
 delete mode 100644 3rdparty/mbedtls/mbedtls/yotta/data/example-hashing/README.md
 delete mode 100644 3rdparty/mbedtls/mbedtls/yotta/data/example-hashing/main.cpp
 delete mode 100644 3rdparty/mbedtls/mbedtls/yotta/data/example-selftest/README.md
 delete mode 100644 3rdparty/mbedtls/mbedtls/yotta/data/example-selftest/main.cpp
 delete mode 100644 3rdparty/mbedtls/mbedtls/yotta/data/module.json
 delete mode 100644 3rdparty/mbedtls/mbedtls/yotta/data/target_config.h

diff --git a/3rdparty/mbedtls/mbedtls/.pylintrc b/3rdparty/mbedtls/mbedtls/.pylintrc
new file mode 100644
index 0000000000..168e0b7590
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/.pylintrc
@@ -0,0 +1,52 @@
+[BASIC]
+# We're ok with short funtion argument names.
+# [invalid-name]
+argument-rgx=[a-z_][a-z0-9_]*$
+
+# Allow filter and map.
+# [bad-builtin]
+bad-functions=input
+
+# We prefer docstrings, but we don't require them on all functions.
+# Require them only on long functions (for some value of long).
+# [missing-docstring]
+docstring-min-length=10
+
+# Allow longer methods than the default.
+# [invalid-name]
+method-rgx=[a-z_][a-z0-9_]{2,35}$
+
+# Allow module names containing a dash (but no underscore or uppercase letter).
+# They are whole programs, not meant to be included by another module.
+# [invalid-name]
+module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+)|[a-z][-0-9a-z]+)$
+
+# Some functions don't need docstrings.
+# [missing-docstring]
+no-docstring-rgx=(run_)main$
+
+# We're ok with short local or global variable names.
+# [invalid-name]
+variable-rgx=[a-z_][a-z0-9_]*$
+
+[DESIGN]
+# Allow more than the default 7 attributes.
+# [too-many-instance-attributes]
+max-attributes=15
+
+[FORMAT]
+# Allow longer modules than the default recommended maximum.
+# [too-many-lines]
+max-module-lines=2000
+
+[MESSAGES CONTROL]
+disable=
+
+[REPORTS]
+# Don't diplay statistics. Just the facts.
+reports=no
+
+[VARIABLES]
+# Allow unused variables if their name starts with an underscore.
+# [unused-argument]
+dummy-variables-rgx=_.*
diff --git a/3rdparty/mbedtls/mbedtls/.travis.yml b/3rdparty/mbedtls/mbedtls/.travis.yml
index b4f21a30f0..c45d4081d0 100644
--- a/3rdparty/mbedtls/mbedtls/.travis.yml
+++ b/3rdparty/mbedtls/mbedtls/.travis.yml
@@ -4,6 +4,13 @@ compiler:
 - gcc
 sudo: false
 cache: ccache
+
+# blocklist
+branches:
+  except:
+  - development-psa
+  - coverity_scan
+
 script:
 - tests/scripts/recursion.pl library/*.c
 - tests/scripts/check-generated-files.sh
@@ -35,7 +42,7 @@ addons:
   coverity_scan:
     project:
       name: "ARMmbed/mbedtls"
-    notification_email: p.j.bakker@polarssl.org
+    notification_email: simon.butcher@arm.com
     build_command_prepend:
     build_command: make
     branch_pattern: coverity_scan
diff --git a/3rdparty/mbedtls/mbedtls/CMakeLists.txt b/3rdparty/mbedtls/mbedtls/CMakeLists.txt
index 7309d02e70..5f7d0d8862 100644
--- a/3rdparty/mbedtls/mbedtls/CMakeLists.txt
+++ b/3rdparty/mbedtls/mbedtls/CMakeLists.txt
@@ -1,5 +1,9 @@
 cmake_minimum_required(VERSION 2.6)
-project("mbed TLS" C)
+if(TEST_CPP)
+    project("mbed TLS" C CXX)
+else()
+    project("mbed TLS" C)
+endif()
 
 option(USE_PKCS11_HELPER_LIBRARY "Build mbed TLS with the pkcs11-helper library." OFF)
 option(ENABLE_ZLIB_SUPPORT "Build mbed TLS with zlib library." OFF)
@@ -32,9 +36,27 @@ set(NULL_ENTROPY_WARNING "${WARNING_BORDER}"
                          "${NULL_ENTROPY_WARN_L3}"
                          "${WARNING_BORDER}")
 
+set(CTR_DRBG_128_BIT_KEY_WARN_L1 "****  WARNING!  MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined!\n")
+set(CTR_DRBG_128_BIT_KEY_WARN_L2 "****  Using 128-bit keys for CTR_DRBG limits the security of generated\n")
+set(CTR_DRBG_128_BIT_KEY_WARN_L3 "****  keys and operations that use random values generated to 128-bit security\n")
+
+set(CTR_DRBG_128_BIT_KEY_WARNING "${WARNING_BORDER}"
+                         "${CTR_DRBG_128_BIT_KEY_WARN_L1}"
+                         "${CTR_DRBG_128_BIT_KEY_WARN_L2}"
+                         "${CTR_DRBG_128_BIT_KEY_WARN_L3}"
+                         "${WARNING_BORDER}")
+
+find_package(PythonInterp)
 find_package(Perl)
 if(PERL_FOUND)
 
+    # If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
+    execute_process(COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.pl -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+                        RESULT_VARIABLE result)
+    if(${result} EQUAL 0)
+        message(WARNING ${CTR_DRBG_128_BIT_KEY_WARNING})
+    endif()
+
     # If NULL Entropy is configured, display an appropriate warning
     execute_process(COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.pl -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_TEST_NULL_ENTROPY
                         RESULT_VARIABLE result)
diff --git a/3rdparty/mbedtls/mbedtls/CONTRIBUTING.md b/3rdparty/mbedtls/mbedtls/CONTRIBUTING.md
new file mode 100644
index 0000000000..010dffc638
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/CONTRIBUTING.md
@@ -0,0 +1,95 @@
+Contributing
+============
+We gratefully accept bug reports and contributions from the community. There are some requirements we need to fulfill in order to be able to integrate contributions:
+
+ - As with any open source project, contributions will be reviewed by the project team and community and may need some modifications to be accepted.
+ - The contribution should not break API or ABI, unless there is a real justification for that. If there is an API change, the contribution, if accepted, will be merged only when there will be a major release.
+
+Contributor License Agreement (CLA)
+-----------------------------------
+- All contributions, whether large or small, require a Contributor's License Agreement (CLA) to be accepted. This is because source code can possibly fall under copyright law and we need your consent to share in the ownership of the copyright.
+- To accept the Contributor’s License Agreement (CLA), individual contributors can do this by creating an Mbed account and [accepting the online agreement here with a click through](https://developer.mbed.org/contributor_agreement/). Alternatively, for contributions from corporations, or those that do not wish to create an Mbed account, a slightly different agreement can be found [here](https://www.mbed.com/en/about-mbed/contributor-license-agreements/). This agreement should be signed and returned to Arm as described in the instructions given.
+
+Coding Standards
+----------------
+- We would ask that contributions conform to [our coding standards](https://tls.mbed.org/kb/development/mbedtls-coding-standards), and that contributions are fully tested before submission, as mentioned in the [Tests](#tests) and [Continuous Integration](#continuous-integration-tests) sections.
+- The code should be written in a clean and readable style.
+- The code should be written in a portable generic way, that will benefit the whole community, and not only your own needs.
+- The code should be secure, and will be reviewed from a security point of view as well.
+
+Making a Contribution
+---------------------
+1. [Check for open issues](https://github.com/ARMmbed/mbedtls/issues) or [start a discussion](https://tls.mbed.org/discussions) around a feature idea or a bug.
+1. Fork the [Mbed TLS repository on GitHub](https://github.com/ARMmbed/mbedtls) to start making your changes. As a general rule, you should use the ["development" branch](https://github.com/ARMmbed/mbedtls/tree/development) as a basis.
+1. Write a test which shows that the bug was fixed or that the feature works as expected.
+1. Send a pull request (PR) and work with us until it gets merged and published. Contributions may need some modifications, so a few rounds of review and fixing may be necessary. We will include your name in the ChangeLog :)
+1. For quick merging, the contribution should be short, and concentrated on a single feature or topic. The larger the contribution is, the longer it would take to review it and merge it.
+1. Mbed TLS is released under the Apache license, and as such, all the added files should include the Apache license header.
+
+API/ABI Compatibility
+---------------------
+The project aims to minimise the impact on users upgrading to newer versions of the library and it should not be necessary for a user to make any changes to their own code to work with a newer version of the library. Unless the user has made an active decision to use newer features, a newer generation of the library or a change has been necessary due to a security issue or other significant software defect, no modifications to their own code should be necessary. To achieve this, API compatibility is maintained between different versions of Mbed TLS on the main development branch and in LTS (Long Term Support) branches.
+
+To minimise such disruption to users, where a change to the interface is required, all changes to the ABI or API, even on the main development branch where new features are added, need to be justifiable by either being a significant enhancement, new feature or bug fix which is best resolved by an interface change.
+
+Where changes to an existing interface are necessary, functions in the public interface which need to be changed, are marked as 'deprecated'. This is done with the preprocessor symbols `MBEDTLS_DEPRECATED_WARNING` and `MBEDTLS_DEPRECATED_REMOVED`. Then, a new function with a new name but similar if not identical behaviour to the original function containing the necessary changes should be created alongside the existing deprecated function.
+
+When a build is made with the deprecation preprocessor symbols defined, a compiler warning will be generated to warn a user that the function will be removed at some point in the future, notifying users that they should change from the older deprecated function to the newer function at their own convenience.
+
+Therefore, no changes are permitted to the definition of functions in the public interface which will change the API. Instead the interface can only be changed by its extension. As described above, if a function needs to be changed, a new function needs to be created alongside it, with a new name, and whatever change is necessary, such as a new parameter or the addition of a return value.
+
+Periodically, the library will remove deprecated functions from the library which will be a breaking change in the API, but such changes will be made only in a planned, structured way that gives sufficient notice to users of the library.
+
+Long Term Support Branches
+--------------------------
+Mbed TLS maintains several LTS (Long Term Support) branches, which are maintained continuously for a given period. The LTS branches are provided to allow users of the library to have a maintained, stable version of the library which contains only security fixes and fixes for other defects, without encountering additional features or API extensions which may introduce issues or change the code size or RAM usage, which can be significant considerations on some platforms. To allow users to take advantage of the LTS branches, these branches maintain backwards compatibility for both the public API and ABI.
+
+When backporting to these branches please observe the following rules:
+
+ 1. Any change to the library which changes the API or ABI cannot be backported.
+
+ 2. All bug fixes that correct a defect that is also present in an LTS branch must be backported to that LTS branch. If a bug fix introduces a change to the API such as a new function, the fix should be reworked to avoid the API change. API changes without very strong justification are unlikely to be accepted.
+
+ 3. If a contribution is a new feature or enhancement, no backporting is required. Exceptions to this may be addtional test cases or quality improvements such as changes to build or test scripts.
+
+It would be highly appreciated if contributions are backported to LTS branches in addition to the [development branch](https://github.com/ARMmbed/mbedtls/tree/development) by contributors.
+
+Currently maintained LTS branches are:
+
+1. [mbedtls-2.7](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.7)
+
+1. [mbedtls-2.16](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.16)
+
+
+Tests
+-----
+As mentioned, tests that show the correctness of the feature or bug fix should be added to the pull request, if no such tests exist.
+
+Mbed TLS includes a comprehensive set of test suites in the `tests/` directory that are dynamically generated to produce the actual test source files (e.g. `test_suite_mpi.c`). These files are generated from a `function file` (e.g. `suites/test_suite_mpi.function`) and a `data file` (e.g. `suites/test_suite_mpi.data`). The function file contains the test functions. The data file contains the test cases, specified as parameters that will be passed to the test function.
+
+[A Knowledge Base article describing how to add additional tests is available on the Mbed TLS website](https://tls.mbed.org/kb/development/test_suites).
+
+A test script `tests/scripts/basic-build-test.sh` is available to show test coverage of the library. New code contributions should provide a similar level of code coverage to that which already exists for the library.
+
+Sample applications, if needed, should be modified as well.
+
+Continuous Integration Tests
+----------------------------
+Once a PR has been made, the Continuous Integration (CI) tests are triggered and run. You should follow the result of the CI tests, and fix failures.
+
+It is advised to enable the [githooks scripts](https://github.com/ARMmbed/mbedtls/tree/development/tests/git-scripts) prior to pushing your changes, for catching some of the issues as early as possible.
+
+Documentation
+-------------
+Mbed TLS is well documented, but if you think documentation is needed, speak out!
+
+1. All interfaces should be documented through Doxygen. New APIs should introduce Doxygen documentation.
+
+2. Complex parts in the code should include comments.
+
+3. If needed, a Readme file is advised.
+
+4. If a [Knowledge Base (KB)](https://tls.mbed.org/kb) article should be added, write this as a comment in the PR description.
+
+5. A [ChangeLog](https://github.com/ARMmbed/mbedtls/blob/development/ChangeLog) entry should be added for this contribution.
+
diff --git a/3rdparty/mbedtls/mbedtls/ChangeLog b/3rdparty/mbedtls/mbedtls/ChangeLog
index 857cc4036a..8c1d03c0ba 100644
--- a/3rdparty/mbedtls/mbedtls/ChangeLog
+++ b/3rdparty/mbedtls/mbedtls/ChangeLog
@@ -1,6 +1,6 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
-= mbed TLS 2.7.11 branch released 2019-06-11
+= mbed TLS 2.16.2 branch released 2019-06-11
 
 Security
    * Make mbedtls_ecdh_get_params return an error if the second key
@@ -23,6 +23,7 @@ Bugfix
      Christian Walther in #2239.
    * Fix potential memory leak in X.509 self test. Found and fixed by
      Junhwan Park, #2106.
+   * Reduce stack usage of hkdf tests. Fixes #2195.
    * Fix 1-byte buffer overflow in mbedtls_mpi_write_string() when
      used with negative inputs. Found by Guido Vranken in #2404. Credit to
      OSS-Fuzz.
@@ -37,6 +38,9 @@ Bugfix
      for the parameter.
    * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
      sni entry parameter. Reported by inestlerode in #560.
+   * Add DER-encoded test CRTs to library/certs.c, allowing
+     the example programs ssl_server2 and ssl_client2 to be run
+     if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.
    * Fix missing bounds checks in X.509 parsing functions that could
      lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
    * Fix multiple X.509 functions previously returning ASN.1 low-level error
@@ -52,12 +56,9 @@ Changes
      Contributed by Peter Kolbus (Garmin).
    * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
      improve clarity. Fixes #2258.
-   * Improve debug output of ssl_client2 and ssl_server2 in case suitable
-     test CRTs are available because MBEDTLS_PEM_PARSE_C is disabled.
-     Fixes #2254.
    * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
 
-= mbed TLS 2.7.10 branch released 2019-03-19
+= mbed TLS 2.16.1 branch released 2019-03-19
 
 Features
    * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
@@ -65,12 +66,29 @@ Features
      https://sweet32.info/SWEET32_CCS16.pdf.
 
 Bugfix
+   * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined
+     when MBEDTLS_ECP_ALT is defined. Reported by jwhui. Fixes #2242.
    * Run the AD too long test only if MBEDTLS_CCM_ALT is not defined.
      Raised as a comment in #1996.
-   * Fix returning the value 1 when mbedtls_ecdsa_genkey failed.
-   * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
+   * Reduce the stack consumption of mbedtls_mpi_fill_random() which could
+     previously lead to a stack overflow on constrained targets.
+   * Add `MBEDTLS_SELF_TEST` for the mbedtls_self_test functions
+     in the header files, which missed the precompilation check. #971
+   * Fix clobber list in MIPS assembly for large integer multiplication.
+     Previously, this could lead to functionally incorrect assembly being
+     produced by some optimizing compilers, showing up as failures in
+     e.g. RSA or ECC signature operations. Reported in #1722, fix suggested
+     by Aurelien Jarno and submitted by Jeffrey Martin.
+   * Fix signed-to-unsigned integer conversion warning
+     in X.509 module. Fixes #2212.
    * Reduce stack usage of `mpi_write_hlp()` by eliminating recursion.
      Fixes #2190.
+   * Remove a duplicate #include in a sample program. Fixed by Masashi Honma #2326.
+   * Remove the mbedtls namespacing from the header file, to fix a "file not found"
+     build error. Fixed by Haijun Gu #2319.
+   * Fix returning the value 1 when mbedtls_ecdsa_genkey failed.
+   * Fix false failure in all.sh when backup files exist in include/mbedtls
+     (e.g. config.h.bak). Fixed by Peter Kolbus (Garmin) #2407.
    * Ensure that unused bits are zero when writing ASN.1 bitstrings when using
      mbedtls_asn1_write_bitstring().
    * Fix issue when writing the named bitstrings in KeyUsage and NsCertType
@@ -84,17 +102,53 @@ Changes
      Inserted as an enhancement for #1371
    * Add support for alternative CSR headers, as used by Microsoft and defined
      in RFC 7468. Found by Michael Ernst. Fixes #767.
-   * Fix clobber list in MIPS assembly for large integer multiplication.
-     Previously, this could lead to functionally incorrect assembly being
-     produced by some optimizing compilers, showing up as failures in
-     e.g. RSA or ECC signature operations. Reported in #1722, fix suggested
-     by Aurelien Jarno and submitted by Jeffrey Martin.
+   * Fix configuration queries in ssl-opt.h. #2030
+   * Ensure that ssl-opt.h can be run in OS X. #2029
    * Reduce the complexity of the timing tests. They were assuming more than the
      underlying OS actually guarantees.
+   * Re-enable certain interoperability tests in ssl-opt.sh which had previously
+     been disabled for lack of a sufficiently recent version of GnuTLS on the CI.
    * Ciphersuites based on 3DES now have the lowest priority by default when
      they are enabled.
 
-= mbed TLS 2.7.9 branch released 2018-12-21
+= mbed TLS 2.16.0 branch released 2018-12-21
+
+Features
+   * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation
+     of parameters in the API. This allows detection of obvious misuses of the
+     API, such as passing NULL pointers. The API of existing functions hasn't
+     changed, but requirements on parameters have been made more explicit in
+     the documentation. See the corresponding API documentation for each
+     function to see for which parameter values it is defined. This feature is
+     disabled by default. See its API documentation in config.h for additional
+     steps you have to take when enabling it.
+
+API Changes
+   * The following functions in the random generator modules have been
+     deprecated and replaced as shown below. The new functions change
+     the return type from void to int to allow returning error codes when
+     using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest
+     primitive. Fixes #1798.
+     mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
+     mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
+   * Extend ECDH interface to enable alternative implementations.
+   * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for
+     ARIA, CAMELLIA and Blowfish. These error codes will be replaced by
+     the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
+   * Additional parameter validation checks have been added for the following
+     modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH,
+     ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI.
+     Where modules have had parameter validation added, existing parameter
+     checks may have changed. Some modules, such as Chacha20 had existing
+     parameter validation whereas other modules had little. This has now been
+     changed so that the same level of validation is present in all modules, and
+     that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default
+     is off. That means that checks which were previously present by default
+     will no longer be.
+
+New deprecations
+   * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update
+     in favor of functions that can return an error code.
 
 Bugfix
    * Fix for Clang, which was reporting a warning for the bignum.c inline
@@ -109,10 +163,12 @@ Bugfix
    * Add explicit integer to enumeration type casts to example program
      programs/pkey/gen_key which previously led to compilation failure
      on some toolchains. Reported by phoenixmcallister. Fixes #2170.
+   * Fix double initialization of ECC hardware that made some accelerators
+     hang.
    * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence
      of check for certificate/key matching. Reported by Attila Molnar, #507.
 
-= mbed TLS 2.7.8 branch released 2018-11-30
+= mbed TLS 2.14.1 branch released 2018-11-30
 
 Security
    * Fix timing variations and memory access variations in RSA PKCS#1 v1.5
@@ -141,7 +197,7 @@ API Changes
      report errors whereas the old functions return void. We recommend that
      applications use the new functions.
 
-= mbed TLS 2.7.7 branch released 2018-11-19
+= mbed TLS 2.14.0 branch released 2018-11-19
 
 Security
    * Fix overly strict DN comparison when looking for CRLs belonging to a
@@ -154,7 +210,7 @@ Security
      incoming message buffer was placed within the first 64KiB of address
      space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
      to trigger a memory access up to 64KiB beyond the incoming message buffer,
-     potentially leading to application crash or information disclosure.
+     potentially leading to an application crash or information disclosure.
    * Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
      previous settings for the number of rounds made it practical for an
      adversary to construct non-primes that would be erroneously accepted as
@@ -167,31 +223,79 @@ Security
      See "Prime and Prejudice" by by Martin R. Albrecht and Jake Massimo and
      Kenneth G. Paterson and Juraj Somorovsky.
 
+Features
+   * Add support for temporarily suspending expensive ECC computations after
+     some configurable amount of operations. This is intended to be used in
+     constrained, single-threaded systems where ECC is time consuming and can
+     block other operations until they complete. This is disabled by default,
+     but can be enabled by MBEDTLS_ECP_RESTARTABLE at compile time and
+     configured by mbedtls_ecp_set_max_ops() at runtime. It applies to the new
+     xxx_restartable functions in ECP, ECDSA, PK and X.509 (CRL not supported
+     yet), and to existing functions in ECDH and SSL (currently only
+     implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
+     including client authentication).
+   * Add support for Arm CPU DSP extensions to accelerate asymmetric key
+     operations. On CPUs where the extensions are available, they can accelerate
+     MPI multiplications used in ECC and RSA cryptography. Contributed by
+     Aurelien Jarno.
+   * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
+     signature always used a salt with the same length as the hash, and returned
+     an error if this was not possible. Now the salt size may be up to two bytes
+     shorter. This allows the library to support all hash and signature sizes
+     that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
+   * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
+     than 256 bits limits the security of generated material to 128 bits.
+
+API Changes
+   * Add a common error code of `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` for
+     a feature that is not supported by underlying alternative
+     implementations implementing cryptographic primitives. This is useful for
+     hardware accelerators that don't implement all options or features.
+
+New deprecations
+   * All module specific errors following the form
+     MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not
+     supported are deprecated and are now replaced by the new equivalent
+     platform error.
+   * All module specific generic hardware acceleration errors following the
+     form MBEDTLS_ERR_XXX_HW_ACCEL_FAILED that are deprecated and are replaced
+     by the equivalent plaform error.
+   * Deprecate the function mbedtls_mpi_is_prime() in favor of
+     mbedtls_mpi_is_prime_ext() which allows specifying the number of
+     Miller-Rabin rounds.
+
 Bugfix
-   * Fix failure in hmac_drbg in the benchmark sample application, when
-     MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
-   * Fix a bug in the update function for SSL ticket keys which previously
-     invalidated keys of a lifetime of less than a 1s. Fixes #1968.
-   * Fix a bug in the record decryption routine ssl_decrypt_buf()
-     which led to accepting properly authenticated but improperly
-     padded records in case of CBC ciphersuites using Encrypt-then-MAC.
    * Fix wrong order of freeing in programs/ssl/ssl_server2 example
      application leading to a memory leak in case both
      MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set.
      Fixes #2069.
+   * Fix a bug in the update function for SSL ticket keys which previously
+     invalidated keys of a lifetime of less than a 1s. Fixes #1968.
+   * Fix failure in hmac_drbg in the benchmark sample application, when
+     MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
+   * Fix a bug in the record decryption routine ssl_decrypt_buf()
+     which lead to accepting properly authenticated but improperly
+     padded records in case of CBC ciphersuites using Encrypt-then-MAC.
    * Fix memory leak and freeing without initialization in the example
      program programs/x509/cert_write. Fixes #1422.
    * Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is
-     MBEDTLS_MODE_ECB. Found by ezdevelop. Fixes for #1091.
-   * Zeroize memory used for reassembling handshake messages after use.
-   * Use `mbedtls_zeroize()` instead of `memset()` for zeroization of
-     sensitive data in the example programs aescrypt2 and crypt_and_hash.
+     MBEDTLS_MODE_ECB. Found by ezdevelop. Fixes #1091.
+   * Zeroize memory used for buffering or reassembling handshake messages
+     after use.
+   * Use `mbedtls_platform_zeroize()` instead of `memset()` for zeroization
+     of sensitive data in the example programs aescrypt2 and crypt_and_hash.
+   * Change the default string format used for various X.509 DN attributes to
+     UTF8String. Previously, the use of the PrintableString format led to
+     wildcards and non-ASCII characters being unusable in some DN attributes.
+     Reported by raprepo in #1860 and by kevinpt in #468. Fix contributed by
+     Thomas-Dee.
    * Fix compilation failure for configurations which use compile time
      replacements of standard calloc/free functions through the macros
      MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO.
      Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
 
 Changes
+   * Removed support for Yotta as a build tool.
    * Add tests for session resumption in DTLS.
    * Close a test gap in (D)TLS between the client side and the server side:
      test the handling of large packets and small packets on the client side
@@ -201,10 +305,35 @@ Changes
    * Change the use of Windows threading to use Microsoft Visual C++ runtime
      calls, rather than Win32 API calls directly. This is necessary to avoid
      conflict with C runtime usage. Found and fixed by irwir.
+   * Remember the string format of X.509 DN attributes when replicating
+     X.509 DNs. Previously, DN attributes were always written in their default
+     string format (mostly PrintableString), which could lead to CRTs being
+     created which used PrintableStrings in the issuer field even though the
+     signing CA used UTF8Strings in its subject field; while X.509 compliant,
+     such CRTs were rejected in some applications, e.g. some versions of
+     Firefox, curl and GnuTLS. Reported in #1033 by Moschn. Fix contributed by
+     Thomas-Dee.
    * Improve documentation of mbedtls_ssl_get_verify_result().
      Fixes #517 reported by github-monoculture.
+   * Add MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and
+     use it to reduce error probability in RSA key generation to levels mandated
+     by FIPS-186-4.
+
+= mbed TLS 2.13.1 branch released 2018-09-06
 
-= mbed TLS 2.7.6 branch released 2018-08-31
+API Changes
+   * Extend the platform module with an abstraction mbedtls_platform_gmtime_r()
+     whose implementation should behave as a thread-safe version of gmtime().
+     This allows users to configure such an implementation at compile time when
+     the target system cannot be deduced automatically, by setting the option
+     MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to
+     automatically select implementations for Windows and POSIX C libraries.
+
+Bugfix
+   * Fix build failures on platforms where only gmtime() is available but
+     neither gmtime_r() nor gmtime_s() are present. Fixes #1907.
+
+= mbed TLS 2.13.0 branch released 2018-08-31
 
 Security
    * Fix an issue in the X.509 module which could lead to a buffer overread
@@ -212,35 +341,66 @@ Security
      input (extensions length field equal to 0), an illegal read of one byte
      beyond the input buffer is made. Found and analyzed by Nathan Crandall.
 
+Features
+   * Add support for fragmentation of outgoing DTLS handshake messages. This
+     is controlled by the maximum fragment length as set locally or negotiated
+     with the peer, as well as by a new per-connection MTU option, set using
+     mbedtls_ssl_set_mtu().
+   * Add support for auto-adjustment of MTU to a safe value during the
+     handshake when flights do not get through (RFC 6347, section 4.1.1.1,
+     last paragraph).
+   * Add support for packing multiple records within a single datagram,
+     enabled by default.
+   * Add support for buffering out-of-order handshake messages in DTLS.
+     The maximum amount of RAM used for this can be controlled by the
+     compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
+     in mbedtls/config.h.
+
+API Changes
+   * Add function mbedtls_ssl_set_datagram_packing() to configure
+     the use of datagram packing (enabled by default).
+
 Bugfix
    * Fix a potential memory leak in mbedtls_ssl_setup() function. An allocation
      failure in the function could lead to other buffers being leaked.
-   * Fixes a missing test dependency on MBEDTLS_ARC4_C. #1890
+   * Fixes an issue with MBEDTLS_CHACHAPOLY_C which would not compile if
+     MBEDTLS_ARC4_C and MBEDTLS_CIPHER_NULL_CIPHER weren't also defined. #1890
    * Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails.
      Fix contributed by Espressif Systems.
    * Add ecc extensions only if an ecc based ciphersuite is used.
      This improves compliance to RFC 4492, and as a result, solves
      interoperability issues with BouncyCastle. Raised by milenamil in #1157.
+   * Replace printf with mbedtls_printf in the ARIA module. Found by
+     TrinityTonic in #1908.
    * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
      and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941.
-   * Fix a miscalculation of the maximum record expansion in
-     mbedtls_ssl_get_record_expansion() in case of CBC ciphersuites
-     in (D)TLS versions 1.1 or higher. Fixes #1914.
    * Fix a bug that caused SSL/TLS clients to incorrectly abort the handshake
      with TLS versions 1.1 and earlier when the server requested authentication
      without providing a list of CAs. This was due to an overly strict bounds
-     check in parsing the CertificateRequest message, introduced in
-     Mbed TLS 2.12.0. Fixes #1954.
+     check in parsing the CertificateRequest message,
+     introduced in Mbed TLS 2.12.0. Fixes #1954.
+   * Fix a miscalculation of the maximum record expansion in
+     mbedtls_ssl_get_record_expansion() in case of ChachaPoly ciphersuites,
+     or CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes #1913, #1914.
    * Fix undefined shifts with negative values in certificates parsing
      (found by Catena cyber using oss-fuzz)
    * Fix memory leak and free without initialization in pk_encrypt
      and pk_decrypt example programs. Reported by Brace Stout. Fixes #1128.
+   * Remove redundant else statement. Raised by irwir. Fixes #1776.
 
 Changes
+   * Copy headers preserving timestamps when doing a "make install".
+     Contributed by xueruini.
+   * Allow the forward declaration of public structs. Contributed by Dawid
+     Drozd. Fixes #1215 raised by randombit.
    * Improve compatibility with some alternative CCM implementations by using
      CCM test vectors from RAM.
+   * Add support for buffering of out-of-order handshake messages.
+   * Add warnings to the documentation of the HKDF module to reduce the risk
+     of misusing the mbedtls_hkdf_extract() and mbedtls_hkdf_expand()
+     functions. Fixes #1775. Reported by Brian J. Murray.
 
-= mbed TLS 2.7.5 branch released 2018-07-25
+= mbed TLS 2.12.0 branch released 2018-07-25
 
 Security
    * Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
@@ -275,23 +435,40 @@ Security
      Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
      Eyal Ronen and Adi Shamir.
 
+Features
+   * Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
+     authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
+     by Daniel King.
+   * Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
+   * Add platform support for the Haiku OS. (https://www.haiku-os.org).
+     Contributed by Augustin Cavalier.
+   * Make the receive and transmit buffers independent sizes, for situations
+     where the outgoing buffer can be fixed at a smaller size than the incoming
+     buffer, which can save some RAM. If buffer lengths are kept equal, there
+     is no functional difference. Contributed by Angus Gratton, and also
+     independently contributed again by Paul Sokolovsky.
+   * Add support for key wrapping modes based on AES as defined by
+     NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
+
 Bugfix
+   * Fix the key_app_writer example which was writing a leading zero byte which
+     was creating an invalid ASN.1 tag. Found by Aryeh R. Fixes #1257.
    * Fix compilation error on C++, because of a variable named new.
      Found and fixed by Hirotaka Niisato in #1783.
-   * Fix the inline assembly for the MPI multiply helper function for i386 and
-     i386 with SSE2. Found by László Langó. Fixes #1550
-   * Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber,
-     Philippe Antoine. Fixes #1623.
+   * Fix "no symbols" warning issued by ranlib when building on Mac OS X. Fix
+     contributed by tabascoeye.
    * Clarify documentation for mbedtls_ssl_write() to include 0 as a valid
      return value. Found by @davidwu2000. #839
-   * Fix the key_app_writer example which was writing a leading zero byte which
-     was creating an invalid ASN.1 tag. Found by Aryeh R. Fixes #1257.
+   * Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber,
+     Philippe Antoine. Fixes #1623.
    * Remove unused headers included in x509.c. Found by Chris Hanson and fixed
      by Brendan Shanks. Part of a fix for #992.
    * Fix compilation error when MBEDTLS_ARC4_C is disabled and
      MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
    * Added length checks to some TLS parsing functions. Found and fixed by
      Philippe Antoine from Catena cyber. #1663.
+   * Fix the inline assembly for the MPI multiply helper function for i386 and
+     i386 with SSE2. Found by László Langó. Fixes #1550
    * Fix namespacing in header files. Remove the `mbedtls` namespacing in
      the `#include` in the header files. Resolves #857
    * Fix compiler warning of 'use before initialisation' in
@@ -308,34 +485,76 @@ Bugfix
      Fixes #1833.
    * Correct the documentation for `mbedtls_ssl_get_session()`. This API has
      deep copy of the session, and the peer certificate is not lost. Fixes #926.
+   * Fix build using -std=c99. Fixed by Nick Wilson.
 
 Changes
    * Fail when receiving a TLS alert message with an invalid length, or invalid
      zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
+   * Change the default behaviour of mbedtls_hkdf_extract() to return an error
+     when calling with a NULL salt and non-zero salt_len. Contributed by
+     Brian J Murray
    * Change the shebang line in Perl scripts to look up perl in the PATH.
-     Contributed by fbrosson in #1533.
+     Contributed by fbrosson.
+   * Allow overriding the time on Windows via the platform-time abstraction.
+     Fixed by Nick Wilson.
+   * Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
+
+= mbed TLS 2.11.0 branch released 2018-06-18
 
-= mbed TLS 2.7.4 branch released 2018-06-18
+Features
+   * Add additional block mode, OFB (Output Feedback), to the AES module and
+     cipher abstraction module.
+   * Implement the HMAC-based extract-and-expand key derivation function
+     (HKDF) per RFC 5869. Contributed by Thomas Fossati.
+   * Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4.
+   * Add support for the XTS block cipher mode with AES (AES-XTS).
+     Contributed by Aorimn in pull request #414.
+   * In TLS servers, support offloading private key operations to an external
+     cryptoprocessor. Private key operations can be asynchronous to allow
+     non-blocking operation of the TLS server stack.
 
 Bugfix
-   * Fix redundant declaration of mbedtls_ssl_list_ciphersuites. Raised by
-     TrinityTonic. #1359.
+   * Fix the cert_write example to handle certificates signed with elliptic
+     curves as well as RSA. Fixes #777 found by dbedev.
    * Fix for redefinition of _WIN32_WINNT to avoid overriding a definition
      used by user applications. Found and fixed by Fabio Alessandrelli.
-   * Fix braces in mbedtls_memory_buffer_alloc_status(). Found by sbranden, #552.
-   * Fix an issue with MicroBlaze support in bn_mul.h which was causing the
-     build to fail. Found by zv-io. Fixes #1651.
    * Fix compilation warnings with IAR toolchain, on 32 bit platform.
      Reported by rahmanih in #683
+   * Fix braces in mbedtls_memory_buffer_alloc_status(). Found by sbranden, #552.
 
 Changes
-   * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
    * Changed CMake defaults for IAR to treat all compiler warnings as errors.
    * Changed the Clang parameters used in the CMake build files to work for
      versions later than 3.6. Versions of Clang earlier than this may no longer
      work. Fixes #1072
 
-= mbed TLS 2.7.3 branch released 2018-04-30
+= mbed TLS 2.10.0 branch released 2018-06-06
+
+Features
+   * Add support for ARIA cipher (RFC 5794) and associated TLS ciphersuites
+     (RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h
+
+API Changes
+   * Extend the platform module with a util component that contains
+     functionality shared by multiple Mbed TLS modules. At this stage
+     platform_util.h (and its associated platform_util.c) only contain
+     mbedtls_platform_zeroize(), which is a critical function from a security
+     point of view. mbedtls_platform_zeroize() needs to be regularly tested
+     against compilers to ensure that calls to it are not removed from the
+     output binary as part of redundant code elimination optimizations.
+     Therefore, mbedtls_platform_zeroize() is moved to the platform module to
+     facilitate testing and maintenance.
+
+Bugfix
+   * Fix an issue with MicroBlaze support in bn_mul.h which was causing the
+     build to fail. Found by zv-io. Fixes #1651.
+
+Changes
+   * Support TLS testing in out-of-source builds using cmake. Fixes #1193.
+   * Fix redundant declaration of mbedtls_ssl_list_ciphersuites. Raised by
+     TrinityTonic. #1359.
+
+= mbed TLS 2.9.0 branch released 2018-04-30
 
 Security
    * Fix an issue in the X.509 module which could lead to a buffer overread
@@ -357,6 +576,25 @@ Security
      chosen by the server. This could lead to corruption of internal data
      structures for some configurations.
 
+Features
+   * Add an option, MBEDTLS_AES_FEWER_TABLES, to dynamically compute smaller AES
+     tables during runtime, thereby reducing the RAM/ROM footprint by ~6KiB.
+     Suggested and contributed by jkivilin in pull request #394.
+   * Add initial support for Curve448 (RFC 7748). Only mbedtls_ecp_mul() and
+     ECDH primitive functions (mbedtls_ecdh_gen_public(),
+     mbedtls_ecdh_compute_shared()) are supported for now. Contributed by
+     Nicholas Wilson in pull request #348.
+
+API Changes
+   * Extend the public API with the function of mbedtls_net_poll() to allow user
+     applications to wait for a network context to become ready before reading
+     or writing.
+   * Add function mbedtls_ssl_check_pending() to the public API to allow
+     a check for whether more more data is pending to be processed in the
+     internal message buffers.
+     This function is necessary to determine when it is safe to idle on the
+     underlying transport in case event-driven IO is used.
+
 Bugfix
    * Fix a spurious uninitialized variable warning in cmac.c. Fix independently
      contributed by Brian J Murray and David Brown.
@@ -378,13 +616,25 @@ Bugfix
      Andy Leiserson.
    * Fix overriding and ignoring return values when parsing and writing to
      a file in pk_sign program. Found by kevlut in #1142.
+   * Restrict usage of error code MBEDTLS_ERR_SSL_WANT_READ to situations
+     where data needs to be fetched from the underlying transport in order
+     to make progress. Previously, this error code was also occasionally
+     returned when unexpected messages were being discarded, ignoring that
+     further messages could potentially already be pending to be processed
+     in the internal buffers; these cases led to deadlocks when event-driven
+     I/O was used. Found and reported by Hubert Mis in #772.
    * Fix buffer length assertions in the ssl_parse_certificate_request()
      function which leads to a potential one byte overread of the message
      buffer.
    * Fix invalid buffer sizes passed to zlib during record compression and
      decompression.
+   * Fix the soversion of libmbedcrypto to match the soversion of the
+     maintained 2.7 branch. The soversion was increased in Mbed TLS
+     version 2.7.1 to reflect breaking changes in that release, but the
+     increment was missed in 2.8.0 and later releases outside of the 2.7 branch.
 
 Changes
+   * Remove some redundant code in bignum.c. Contributed by Alexey Skalozub.
    * Support cmake builds where Mbed TLS is a subproject. Fix contributed
      independently by Matthieu Volat and Arne Schwabe.
    * Improve testing in configurations that omit certain hashes or
@@ -393,9 +643,16 @@ Changes
    * Do not define global mutexes around readdir() and gmtime() in
      configurations where the feature is disabled. Found and fixed by Gergely
      Budai.
+   * Harden the function mbedtls_ssl_config_free() against misuse, so that it
+     doesn't leak memory if the user doesn't use mbedtls_ssl_conf_psk() and
+     instead incorrectly manipulates the configuration structure directly.
+     Found and fix submitted by junyeonLEE in #1220.
    * Provide an empty implementation of mbedtls_pkcs5_pbes2() when
      MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2
      without PBES2. Fixed by Marcos Del Sol Vives.
+   * Add the order of the base point as N in the mbedtls_ecp_group structure
+     for Curve25519 (other curves had it already). Contributed by Nicholas
+     Wilson #481
    * Improve the documentation of mbedtls_net_accept(). Contributed by Ivan
      Krylov.
    * Improve the documentation of mbedtls_ssl_write(). Suggested by
@@ -405,16 +662,40 @@ Changes
      Alex Hixon.
    * Allow configuring the shared library extension by setting the DLEXT
      environment variable when using the project makefiles.
+   * Optimize unnecessary zeroing in mbedtls_mpi_copy. Based on a contribution
+     by Alexey Skalozub in #405.
    * In the SSL module, when f_send, f_recv or f_recv_timeout report
      transmitting more than the required length, return an error. Raised by
      Sam O'Connor in #1245.
    * Improve robustness of mbedtls_ssl_derive_keys against the use of
      HMAC functions with non-HMAC ciphersuites. Independently contributed
      by Jiayuan Chen in #1377. Fixes #1437.
+   * Improve security of RSA key generation by including criteria from
+     FIPS 186-4. Contributed by Jethro Beekman. #1380
+   * Declare functions in header files even when an alternative implementation
+     of the corresponding module is activated by defining the corresponding
+     MBEDTLS_XXX_ALT macro. This means that alternative implementations do
+     not need to copy the declarations, and ensures that they will have the
+     same API.
+   * Add platform setup and teardown calls in test suites.
+
+= mbed TLS 2.8.0 branch released 2018-03-16
 
-= mbed TLS 2.7.2 branch released 2018-03-16
+Default behavior changes
+   * The truncated HMAC extension now conforms to RFC 6066. This means
+     that when both sides of a TLS connection negotiate the truncated
+     HMAC extension, Mbed TLS can now interoperate with other
+     compliant implementations, but this breaks interoperability with
+     prior versions of Mbed TLS. To restore the old behavior, enable
+     the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
+     config.h. Found by Andreas Walz (ivESK, Offenburg University of
+     Applied Sciences).
 
 Security
+   * Fix implementation of the truncated HMAC extension. The previous
+     implementation allowed an offline 2^80 brute force attack on the
+     HMAC key of a single, uninterrupted connection (with no
+     resumption of the session).
    * Verify results of RSA private key operations to defend
      against Bellcore glitch attack.
    * Fix a buffer overread in ssl_parse_server_key_exchange() that could cause
@@ -430,8 +711,21 @@ Features
      This allows reading encrypted PEM files produced by software that
      uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
      OpenVPN Inc. Fixes #1339
+   * Add support for public keys encoded in PKCS#1 format. #1122
+
+New deprecations
+   * Deprecate support for record compression (configuration option
+     MBEDTLS_ZLIB_SUPPORT).
 
 Bugfix
+   * Fix the name of a DHE parameter that was accidentally changed in 2.7.0.
+     Fixes #1358.
+   * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
+   * Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates
+     with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct.
+     In the context of SSL, this resulted in handshake failure. Reported by
+     daniel in the Mbed TLS forum. #1351
+   * Fix Windows x64 builds with the included mbedTLS.sln file. #1347
    * Fix setting version TLSv1 as minimal version, even if TLS 1
      is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION
      and MBEDTLS_SSL_MIN_MINOR_VERSION instead of
@@ -455,43 +749,16 @@ Bugfix
    * Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
      Found through fuzz testing.
 
-Changes
-   * Clarify the documentation of mbedtls_ssl_setup.
-
-= mbed TLS 2.7.1 branch released 2018-02-23
-
-Default behavior changes
-   * The truncated HMAC extension now conforms to RFC 6066. This means
-     that when both sides of a TLS connection negotiate the truncated
-     HMAC extension, Mbed TLS can now interoperate with other
-     compliant implementations, but this breaks interoperability with
-     prior versions of Mbed TLS. To restore the old behavior, enable
-     the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
-     config.h. Found by Andreas Walz (ivESK, Offenburg University of
-     Applied Sciences).
-
-Security
-   * Fix implementation of the truncated HMAC extension. The previous
-     implementation allowed an offline 2^80 brute force attack on the
-     HMAC key of a single, uninterrupted connection (with no
-     resumption of the session).
-
-Bugfix
-   * Fix the name of a DHE parameter that was accidentally changed in 2.7.0.
-     Fixes #1358.
-   * Fix test_suite_pk to work on 64-bit ILP32 systems. #849
-   * Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates
-     with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct.
-     In the context of SSL, this resulted in handshake failure. Reported by
-     daniel in the Mbed TLS forum. #1351
-   * Fix Windows x64 builds with the included mbedTLS.sln file. #1347
-
 Changes
    * Fix tag lengths and value ranges in the documentation of CCM encryption.
      Contributed by Mathieu Briand.
    * Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky.
+   * Remove support for the library reference configuration for picocoin.
    * MD functions deprecated in 2.7.0 are no longer inline, to provide
      a migration path for those depending on the library's ABI.
+   * Clarify the documentation of mbedtls_ssl_setup.
+   * Use (void) when defining functions with no parameters. Contributed by
+     Joris Aerts. #678
 
 = mbed TLS 2.7.0 branch released 2018-02-03
 
@@ -608,7 +875,7 @@ Bugfix
    * Fix ssl_parse_record_header() to silently discard invalid DTLS records
      as recommended in RFC 6347 Section 4.1.2.7.
    * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times.
-     Found by projectgus and jethrogb, #836.
+     Found by projectgus and Jethro Beekman, #836.
    * Fix usage help in ssl_server2 example. Found and fixed by Bei Lin.
    * Parse signature algorithm extension when renegotiating. Previously,
      renegotiated handshakes would only accept signatures using SHA-1
@@ -802,8 +1069,7 @@ Bugfix
      Previous behaviour was to keep processing data even after the alert has
      been sent.
    * Accept empty trusted CA chain in authentication mode
-     MBEDTLS_SSL_VERIFY_OPTIONAL.
-     Found by jethrogb. #864
+     MBEDTLS_SSL_VERIFY_OPTIONAL. Found by Jethro Beekman. #864
    * Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate
      fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
      reflect bad EC curves within verification result.
diff --git a/3rdparty/mbedtls/mbedtls/Makefile b/3rdparty/mbedtls/mbedtls/Makefile
index 6014597a97..1ae6bd9917 100644
--- a/3rdparty/mbedtls/mbedtls/Makefile
+++ b/3rdparty/mbedtls/mbedtls/Makefile
@@ -23,7 +23,7 @@ tests: lib
 ifndef WINDOWS
 install: no_test
 	mkdir -p $(DESTDIR)/include/mbedtls
-	cp -r include/mbedtls $(DESTDIR)/include
+	cp -rp include/mbedtls $(DESTDIR)/include
 
 	mkdir -p $(DESTDIR)/lib
 	cp -RP library/libmbedtls.*    $(DESTDIR)/lib
@@ -61,9 +61,21 @@ NULL_ENTROPY_WARN_L3=****  AND IS *NOT* SUITABLE FOR PRODUCTION USE     ****\n
 
 NULL_ENTROPY_WARNING=\n$(WARNING_BORDER)$(NULL_ENTROPY_WARN_L1)$(NULL_ENTROPY_WARN_L2)$(NULL_ENTROPY_WARN_L3)$(WARNING_BORDER)
 
+WARNING_BORDER_LONG      =**********************************************************************************\n
+CTR_DRBG_128_BIT_KEY_WARN_L1=****  WARNING!  MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined!                      ****\n
+CTR_DRBG_128_BIT_KEY_WARN_L2=****  Using 128-bit keys for CTR_DRBG limits the security of generated         ****\n
+CTR_DRBG_128_BIT_KEY_WARN_L3=****  keys and operations that use random values generated to 128-bit security ****\n
+
+CTR_DRBG_128_BIT_KEY_WARNING=\n$(WARNING_BORDER_LONG)$(CTR_DRBG_128_BIT_KEY_WARN_L1)$(CTR_DRBG_128_BIT_KEY_WARN_L2)$(CTR_DRBG_128_BIT_KEY_WARN_L3)$(WARNING_BORDER_LONG)
+
 # Post build steps
 post_build:
 ifndef WINDOWS
+
+	# If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
+	-scripts/config.pl get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY && ([ $$? -eq 0 ]) && \
+	    echo '$(CTR_DRBG_128_BIT_KEY_WARNING)'
+
 	# If NULL Entropy is configured, display an appropriate warning
 	-scripts/config.pl get MBEDTLS_TEST_NULL_ENTROPY && ([ $$? -eq 0 ]) && \
 	    echo '$(NULL_ENTROPY_WARNING)'
diff --git a/3rdparty/mbedtls/mbedtls/README.md b/3rdparty/mbedtls/mbedtls/README.md
index ced36e1921..94ea84b9d5 100644
--- a/3rdparty/mbedtls/mbedtls/README.md
+++ b/3rdparty/mbedtls/mbedtls/README.md
@@ -11,47 +11,16 @@ Compiler options can be set using conventional environment variables such as `CC
 Compiling
 ---------
 
-There are currently four active build systems used within Mbed TLS releases:
+There are currently three active build systems used within Mbed TLS releases:
 
--   yotta
 -   GNU Make
 -   CMake
 -   Microsoft Visual Studio (Microsoft Visual Studio 2010 or later)
 
 The main systems used for development are CMake and GNU Make. Those systems are always complete and up-to-date. The others should reflect all changes present in the CMake and Make build system, although features may not be ported there automatically.
 
-Yotta, as a build system, is slightly different from the other build systems:
-
--   it provides a minimalistic configuration file by default
--   depending on the yotta target, features of Mbed OS may be used in examples and tests
-
 The Make and CMake build systems create three libraries: libmbedcrypto, libmbedx509, and libmbedtls. Note that libmbedtls depends on libmbedx509 and libmbedcrypto, and libmbedx509 depends on libmbedcrypto. As a result, some linkers will expect flags to be in a specific order, for example the GNU linker wants `-lmbedtls -lmbedx509 -lmbedcrypto`. Also, when loading shared libraries using dlopen(), you'll need to load libmbedcrypto first, then libmbedx509, before you can load libmbedtls.
 
-### Yotta
-
-[yotta](http://yottabuild.org) is a package manager and build system developed by Mbed, and is the build system of Mbed OS 16.03. To install it on your platform, please follow the yotta [installation instructions](http://docs.yottabuild.org/#installing).
-
-Once yotta is installed, you can use it to download the latest version of Mbed TLS from the yotta registry with:
-
-    yotta install mbedtls
-
-and build it with:
-
-    yotta build
-
-If, on the other hand, you already have a copy of Mbed TLS from a source other than the yotta registry, for example from cloning our GitHub repository, or from downloading a tarball of the standalone edition, then you'll first need to generate the yotta module by running:
-
-    yotta/create-module.sh
-
-This should be executed from the root Mbed TLS project directory. This will create the yotta module in the `yotta/module` directory within it. You can then change to that directory and build as usual:
-
-    cd yotta/module
-    yotta build
-
-In any case, you'll probably want to set the yotta target before building unless it has already been set globally. For more information on using yotta, please consult the [yotta documentation](http://docs.yottabuild.org/).
-
-For more details on the yotta/Mbed OS edition of Mbed TLS, including example programs, please consult the [Readme at the root of the yotta module](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/README.md).
-
 ### Make
 
 We require GNU Make. To build the library and the sample programs, GNU Make and a C compiler are sufficient. Some of the more advanced build targets require some Unix/Linux tools.
@@ -66,7 +35,7 @@ In order to run the tests, enter:
 
     make check
 
-The tests need Perl to be built and run. If you don't have Perl installed, you can skip building the tests with:
+The tests need Python to be built and Perl to be run. If you don't have one of them installed, you can skip building the tests with:
 
     make no_test
 
@@ -78,11 +47,11 @@ In order to build for a Windows platform, you should use `WINDOWS_BUILD=1` if th
 
 Setting the variable `SHARED` in your environment will build shared libraries in addition to the static libraries. Setting `DEBUG` gives you a debug build. You can override `CFLAGS` and `LDFLAGS` by setting them in your environment or on the make command line; compiler warning options may be overridden separately using `WARNING_CFLAGS`. Some directory-specific options (for example, `-I` directives) are still preserved.
 
-Please note that setting `CFLAGS` overrides its default value of `-O2` and setting `WARNING_CFLAGS` overrides its default value (starting with `-Wall -W`), so it you just want to add some warning options to the default ones, you can do so by setting `CFLAGS=-O2 -Werror` for example. Setting `WARNING_CFLAGS` is useful when you want to get rid of its default content (for example because your compiler doesn't accept `-Wall` as an option). Directory-specific options cannot be overriden from the command line.
+Please note that setting `CFLAGS` overrides its default value of `-O2` and setting `WARNING_CFLAGS` overrides its default value (starting with `-Wall -W`), so if you just want to add some warning options to the default ones, you can do so by setting `CFLAGS=-O2 -Werror` for example. Setting `WARNING_CFLAGS` is useful when you want to get rid of its default content (for example because your compiler doesn't accept `-Wall` as an option). Directory-specific options cannot be overriden from the command line.
 
 Depending on your platform, you might run into some issues. Please check the Makefiles in `library/`, `programs/` and `tests/` for options to manually add or remove for specific platforms. You can also check [the Mbed TLS Knowledge Base](https://tls.mbed.org/kb) for articles on your platform or issue.
 
-In case you find that you need to do something else as well, please let us know what, so we can add it to the [Mbed TLS knowledge base](https://tls.mbed.org/kb).
+In case you find that you need to do something else as well, please let us know what, so we can add it to the [Mbed TLS Knowledge Base](https://tls.mbed.org/kb).
 
 ### CMake
 
@@ -96,7 +65,7 @@ In order to run the tests, enter:
 
     make test
 
-The test suites need Perl to be built. If you don't have Perl installed, you'll want to disable the test suites with:
+The test suites need Python to be built and Perl to be executed. If you don't have one of these installed, you'll want to disable the test suites with:
 
     cmake -DENABLE_TESTING=Off /path/to/mbedtls_source
 
@@ -164,17 +133,17 @@ on the build mode as seen above), it's merely prepended to it.
 
 The build files for Microsoft Visual Studio are generated for Visual Studio 2010.
 
-The solution file `mbedTLS.sln` contains all the basic projects needed to build the library and all the programs. The files in tests are not generated and compiled, as these need a perl environment as well. However, the selftest program in `programs/test/` is still available.
+The solution file `mbedTLS.sln` contains all the basic projects needed to build the library and all the programs. The files in tests are not generated and compiled, as these need Python and perl environments as well. However, the selftest program in `programs/test/` is still available.
 
 Example programs
 ----------------
 
-We've included example programs for a lot of different features and uses in `programs/`. Most programs only focus on a single feature or usage scenario, so keep that in mind when copying parts of the code.
+We've included example programs for a lot of different features and uses in [`programs/`](programs/README.md). Most programs only focus on a single feature or usage scenario, so keep that in mind when copying parts of the code.
 
 Tests
 -----
 
-Mbed TLS includes an elaborate test suite in `tests/` that initially requires Perl to generate the tests files (e.g. `test\_suite\_mpi.c`). These files are generated from a `function file` (e.g. `suites/test\_suite\_mpi.function`) and a `data file` (e.g. `suites/test\_suite\_mpi.data`). The `function file` contains the test functions. The `data file` contains the test cases, specified as parameters that will be passed to the test function.
+Mbed TLS includes an elaborate test suite in `tests/` that initially requires Python to generate the tests files (e.g. `test\_suite\_mpi.c`). These files are generated from a `function file` (e.g. `suites/test\_suite\_mpi.function`) and a `data file` (e.g. `suites/test\_suite\_mpi.data`). The `function file` contains the test functions. The `data file` contains the test cases, specified as parameters that will be passed to the test function.
 
 For machines with a Unix shell and OpenSSL (and optionally GnuTLS) installed, additional test scripts are available:
 
@@ -192,7 +161,7 @@ We provide some non-standard configurations focused on specific use cases in the
 Porting Mbed TLS
 ----------------
 
-Mbed TLS can be ported to many different architectures, OS's and platforms. Before starting a port, you may find the following knowledge base articles useful:
+Mbed TLS can be ported to many different architectures, OS's and platforms. Before starting a port, you may find the following Knowledge Base articles useful:
 
 -   [Porting Mbed TLS to a new environment or OS](https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS)
 -   [What external dependencies does Mbed TLS rely on?](https://tls.mbed.org/kb/development/what-external-dependencies-does-mbedtls-rely-on)
diff --git a/3rdparty/mbedtls/mbedtls/configs/config-ccm-psk-tls1_2.h b/3rdparty/mbedtls/mbedtls/configs/config-ccm-psk-tls1_2.h
index a783e6b73b..c9b58dd538 100644
--- a/3rdparty/mbedtls/mbedtls/configs/config-ccm-psk-tls1_2.h
+++ b/3rdparty/mbedtls/mbedtls/configs/config-ccm-psk-tls1_2.h
@@ -81,7 +81,7 @@
  * both ends of the connection!  (See comments in "mbedtls/ssl.h".)
  * The optimal size here depends on the typical size of records.
  */
-#define MBEDTLS_SSL_MAX_CONTENT_LEN             512
+#define MBEDTLS_SSL_MAX_CONTENT_LEN             1024
 
 #include "mbedtls/check_config.h"
 
diff --git a/3rdparty/mbedtls/mbedtls/configs/config-no-entropy.h b/3rdparty/mbedtls/mbedtls/configs/config-no-entropy.h
index b4a0930b9c..7d34ad52ec 100644
--- a/3rdparty/mbedtls/mbedtls/configs/config-no-entropy.h
+++ b/3rdparty/mbedtls/mbedtls/configs/config-no-entropy.h
@@ -82,6 +82,7 @@
 #define MBEDTLS_X509_USE_C
 #define MBEDTLS_X509_CRT_PARSE_C
 #define MBEDTLS_X509_CRL_PARSE_C
+//#define MBEDTLS_CMAC_C
 
 /* Miscellaneous options */
 #define MBEDTLS_AES_ROM_TABLES
diff --git a/3rdparty/mbedtls/mbedtls/configs/config-picocoin.h b/3rdparty/mbedtls/mbedtls/configs/config-picocoin.h
deleted file mode 100644
index 5d41f282f1..0000000000
--- a/3rdparty/mbedtls/mbedtls/configs/config-picocoin.h
+++ /dev/null
@@ -1,74 +0,0 @@
-/**
- * \file config-picocoin.h
- *
- * \brief Reduced configuration used by Picocoin.
- */
-/*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
- */
-/*
- * Reduced configuration used by Picocoin.
- *
- * See README.txt for usage instructions.
- *
- * Distinguishing features:
- * - no SSL/TLS;
- * - no X.509;
- * - ECDSA/PK and some other chosen crypto bits.
- */
-
-#ifndef MBEDTLS_CONFIG_H
-#define MBEDTLS_CONFIG_H
-
-/* System support */
-#define MBEDTLS_HAVE_ASM
-#define MBEDTLS_HAVE_TIME
-
-/* mbed TLS feature support */
-#define MBEDTLS_CIPHER_MODE_CBC
-#define MBEDTLS_CIPHER_PADDING_PKCS7
-#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
-#define MBEDTLS_ECDSA_DETERMINISTIC
-#define MBEDTLS_PK_PARSE_EC_EXTENDED
-#define MBEDTLS_ERROR_STRERROR_DUMMY
-#define MBEDTLS_FS_IO
-
-/* mbed TLS modules */
-#define MBEDTLS_AESNI_C
-#define MBEDTLS_AES_C
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_ASN1_WRITE_C
-#define MBEDTLS_BASE64_C
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_ECDSA_C
-#define MBEDTLS_ECP_C
-#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_HMAC_DRBG_C
-#define MBEDTLS_MD_C
-#define MBEDTLS_OID_C
-#define MBEDTLS_PADLOCK_C
-#define MBEDTLS_PK_C
-#define MBEDTLS_PK_PARSE_C
-#define MBEDTLS_PK_WRITE_C
-#define MBEDTLS_RIPEMD160_C
-#define MBEDTLS_SHA1_C
-#define MBEDTLS_SHA256_C
-
-#include "mbedtls/check_config.h"
-
-#endif /* MBEDTLS_CONFIG_H */
diff --git a/3rdparty/mbedtls/mbedtls/doxygen/input/doc_mainpage.h b/3rdparty/mbedtls/mbedtls/doxygen/input/doc_mainpage.h
index bb5987137c..3336f0fcaa 100644
--- a/3rdparty/mbedtls/mbedtls/doxygen/input/doc_mainpage.h
+++ b/3rdparty/mbedtls/mbedtls/doxygen/input/doc_mainpage.h
@@ -24,7 +24,7 @@
  */
 
 /**
- * @mainpage mbed TLS v2.7.11 source code documentation
+ * @mainpage mbed TLS v2.16.2 source code documentation
  *
  * This documentation describes the internal structure of mbed TLS.  It was
  * automatically generated from specially formatted comment blocks in
diff --git a/3rdparty/mbedtls/mbedtls/doxygen/mbedtls.doxyfile b/3rdparty/mbedtls/mbedtls/doxygen/mbedtls.doxyfile
index 22ae878ee8..40a1cabb33 100644
--- a/3rdparty/mbedtls/mbedtls/doxygen/mbedtls.doxyfile
+++ b/3rdparty/mbedtls/mbedtls/doxygen/mbedtls.doxyfile
@@ -28,7 +28,7 @@ DOXYFILE_ENCODING      = UTF-8
 # identify the project. Note that if you do not use Doxywizard you need
 # to put quotes around the project name if it contains spaces.
 
-PROJECT_NAME           = "mbed TLS v2.7.11"
+PROJECT_NAME           = "mbed TLS v2.16.2"
 
 # The PROJECT_NUMBER tag can be used to enter a project or revision number.
 # This could be handy for archiving the generated documentation or
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/aes.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/aes.h
index 46016dcb7f..94e7282d36 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/aes.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/aes.h
@@ -1,7 +1,9 @@
 /**
  * \file aes.h
  *
- * \brief   The Advanced Encryption Standard (AES) specifies a FIPS-approved
+ * \brief   This file contains AES definitions and functions.
+ *
+ *          The Advanced Encryption Standard (AES) specifies a FIPS-approved
  *          cryptographic algorithm that can be used to protect electronic
  *          data.
  *
@@ -11,7 +13,13 @@
  *          <em>ISO/IEC 18033-2:2006: Information technology -- Security
  *          techniques -- Encryption algorithms -- Part 2: Asymmetric
  *          ciphers</em>.
+ *
+ *          The AES-XTS block mode is standardized by NIST SP 800-38E
+ *          <https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38e.pdf>
+ *          and described in detail by IEEE P1619
+ *          <https://ieeexplore.ieee.org/servlet/opac?punumber=4375278>.
  */
+
 /*  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
  *  SPDX-License-Identifier: Apache-2.0
  *
@@ -50,8 +58,13 @@
 #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH                -0x0020  /**< Invalid key length. */
 #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH              -0x0022  /**< Invalid data input length. */
 
-/* Error codes in range 0x0023-0x0025 */
+/* Error codes in range 0x0021-0x0025 */
+#define MBEDTLS_ERR_AES_BAD_INPUT_DATA                    -0x0021  /**< Invalid input data. */
+
+/* MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE is deprecated and should not be used. */
 #define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE               -0x0023  /**< Feature not available. For example, an unsupported AES key size. */
+
+/* MBEDTLS_ERR_AES_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_AES_HW_ACCEL_FAILED                   -0x0025  /**< AES hardware accelerator failed. */
 
 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
@@ -59,18 +72,18 @@
 #define inline __inline
 #endif
 
-#if !defined(MBEDTLS_AES_ALT)
-// Regular implementation
-//
-
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_AES_ALT)
+// Regular implementation
+//
+
 /**
  * \brief The AES context-type definition.
  */
-typedef struct
+typedef struct mbedtls_aes_context
 {
     int nr;                     /*!< The number of rounds. */
     uint32_t *rk;               /*!< AES round keys. */
@@ -85,13 +98,30 @@ typedef struct
 }
 mbedtls_aes_context;
 
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief The AES XTS context-type definition.
+ */
+typedef struct mbedtls_aes_xts_context
+{
+    mbedtls_aes_context crypt; /*!< The AES context to use for AES block
+                                        encryption or decryption. */
+    mbedtls_aes_context tweak; /*!< The AES context used for tweak
+                                        computation. */
+} mbedtls_aes_xts_context;
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#else  /* MBEDTLS_AES_ALT */
+#include "aes_alt.h"
+#endif /* MBEDTLS_AES_ALT */
+
 /**
  * \brief          This function initializes the specified AES context.
  *
  *                 It must be the first API called before using
  *                 the context.
  *
- * \param ctx      The AES context to initialize.
+ * \param ctx      The AES context to initialize. This must not be \c NULL.
  */
 void mbedtls_aes_init( mbedtls_aes_context *ctx );
 
@@ -99,21 +129,46 @@ void mbedtls_aes_init( mbedtls_aes_context *ctx );
  * \brief          This function releases and clears the specified AES context.
  *
  * \param ctx      The AES context to clear.
+ *                 If this is \c NULL, this function does nothing.
+ *                 Otherwise, the context must have been at least initialized.
  */
 void mbedtls_aes_free( mbedtls_aes_context *ctx );
 
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief          This function initializes the specified AES XTS context.
+ *
+ *                 It must be the first API called before using
+ *                 the context.
+ *
+ * \param ctx      The AES XTS context to initialize. This must not be \c NULL.
+ */
+void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx );
+
+/**
+ * \brief          This function releases and clears the specified AES XTS context.
+ *
+ * \param ctx      The AES XTS context to clear.
+ *                 If this is \c NULL, this function does nothing.
+ *                 Otherwise, the context must have been at least initialized.
+ */
+void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx );
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
 /**
  * \brief          This function sets the encryption key.
  *
  * \param ctx      The AES context to which the key should be bound.
+ *                 It must be initialized.
  * \param key      The encryption key.
+ *                 This must be a readable buffer of size \p keybits bits.
  * \param keybits  The size of data passed in bits. Valid options are:
  *                 <ul><li>128 bits</li>
  *                 <li>192 bits</li>
  *                 <li>256 bits</li></ul>
  *
- * \return         \c 0 on success or #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
- *                 on failure.
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
  */
 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
                     unsigned int keybits );
@@ -122,17 +177,62 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
  * \brief          This function sets the decryption key.
  *
  * \param ctx      The AES context to which the key should be bound.
+ *                 It must be initialized.
  * \param key      The decryption key.
+ *                 This must be a readable buffer of size \p keybits bits.
  * \param keybits  The size of data passed. Valid options are:
  *                 <ul><li>128 bits</li>
  *                 <li>192 bits</li>
  *                 <li>256 bits</li></ul>
  *
- * \return         \c 0 on success, or #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
  */
 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
                     unsigned int keybits );
 
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief          This function prepares an XTS context for encryption and
+ *                 sets the encryption key.
+ *
+ * \param ctx      The AES XTS context to which the key should be bound.
+ *                 It must be initialized.
+ * \param key      The encryption key. This is comprised of the XTS key1
+ *                 concatenated with the XTS key2.
+ *                 This must be a readable buffer of size \p keybits bits.
+ * \param keybits  The size of \p key passed in bits. Valid options are:
+ *                 <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
+ *                 <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
+                                const unsigned char *key,
+                                unsigned int keybits );
+
+/**
+ * \brief          This function prepares an XTS context for decryption and
+ *                 sets the decryption key.
+ *
+ * \param ctx      The AES XTS context to which the key should be bound.
+ *                 It must be initialized.
+ * \param key      The decryption key. This is comprised of the XTS key1
+ *                 concatenated with the XTS key2.
+ *                 This must be a readable buffer of size \p keybits bits.
+ * \param keybits  The size of \p key passed in bits. Valid options are:
+ *                 <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
+ *                 <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
+                                const unsigned char *key,
+                                unsigned int keybits );
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
 /**
  * \brief          This function performs an AES single-block encryption or
  *                 decryption operation.
@@ -146,10 +246,13 @@ int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
  *                 call to this API with the same context.
  *
  * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
  * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
  *                 #MBEDTLS_AES_DECRYPT.
- * \param input    The 16-Byte buffer holding the input data.
- * \param output   The 16-Byte buffer holding the output data.
+ * \param input    The buffer holding the input data.
+ *                 It must be readable and at least \c 16 Bytes long.
+ * \param output   The buffer where the output data will be written.
+ *                 It must be writeable and at least \c 16 Bytes long.
 
  * \return         \c 0 on success.
  */
@@ -172,8 +275,8 @@ int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
  *         mbedtls_aes_setkey_enc() or mbedtls_aes_setkey_dec() must be called
  *         before the first call to this API with the same context.
  *
- * \note   This function operates on aligned blocks, that is, the input size
- *         must be a multiple of the AES block size of 16 Bytes.
+ * \note   This function operates on full blocks, that is, the input size
+ *         must be a multiple of the AES block size of \c 16 Bytes.
  *
  * \note   Upon exit, the content of the IV is updated so that you can
  *         call the same function again on the next
@@ -184,15 +287,20 @@ int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
  *
  *
  * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
  * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
  *                 #MBEDTLS_AES_DECRYPT.
  * \param length   The length of the input data in Bytes. This must be a
- *                 multiple of the block size (16 Bytes).
+ *                 multiple of the block size (\c 16 Bytes).
  * \param iv       Initialization vector (updated after use).
+ *                 It must be a readable and writeable buffer of \c 16 Bytes.
  * \param input    The buffer holding the input data.
+ *                 It must be readable and of size \p length Bytes.
  * \param output   The buffer holding the output data.
+ *                 It must be writeable and of size \p length Bytes.
  *
- * \return         \c 0 on success, or #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
  *                 on failure.
  */
 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
@@ -203,6 +311,50 @@ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
                     unsigned char *output );
 #endif /* MBEDTLS_CIPHER_MODE_CBC */
 
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief      This function performs an AES-XTS encryption or decryption
+ *             operation for an entire XTS data unit.
+ *
+ *             AES-XTS encrypts or decrypts blocks based on their location as
+ *             defined by a data unit number. The data unit number must be
+ *             provided by \p data_unit.
+ *
+ *             NIST SP 800-38E limits the maximum size of a data unit to 2^20
+ *             AES blocks. If the data unit is larger than this, this function
+ *             returns #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH.
+ *
+ * \param ctx          The AES XTS context to use for AES XTS operations.
+ *                     It must be initialized and bound to a key.
+ * \param mode         The AES operation: #MBEDTLS_AES_ENCRYPT or
+ *                     #MBEDTLS_AES_DECRYPT.
+ * \param length       The length of a data unit in Bytes. This can be any
+ *                     length between 16 bytes and 2^24 bytes inclusive
+ *                     (between 1 and 2^20 block cipher blocks).
+ * \param data_unit    The address of the data unit encoded as an array of 16
+ *                     bytes in little-endian format. For disk encryption, this
+ *                     is typically the index of the block device sector that
+ *                     contains the data.
+ * \param input        The buffer holding the input data (which is an entire
+ *                     data unit). This function reads \p length Bytes from \p
+ *                     input.
+ * \param output       The buffer holding the output data (which is an entire
+ *                     data unit). This function writes \p length Bytes to \p
+ *                     output.
+ *
+ * \return             \c 0 on success.
+ * \return             #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH if \p length is
+ *                     smaller than an AES block in size (16 Bytes) or if \p
+ *                     length is larger than 2^20 blocks (16 MiB).
+ */
+int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
+                           int mode,
+                           size_t length,
+                           const unsigned char data_unit[16],
+                           const unsigned char *input,
+                           unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
 /**
  * \brief This function performs an AES-CFB128 encryption or decryption
@@ -228,13 +380,18 @@ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
  *
  *
  * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
  * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
  *                 #MBEDTLS_AES_DECRYPT.
- * \param length   The length of the input data.
+ * \param length   The length of the input data in Bytes.
  * \param iv_off   The offset in IV (updated after use).
+ *                 It must point to a valid \c size_t.
  * \param iv       The initialization vector (updated after use).
+ *                 It must be a readable and writeable buffer of \c 16 Bytes.
  * \param input    The buffer holding the input data.
+ *                 It must be readable and of size \p length Bytes.
  * \param output   The buffer holding the output data.
+ *                 It must be writeable and of size \p length Bytes.
  *
  * \return         \c 0 on success.
  */
@@ -269,12 +426,16 @@ int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
  *
  *
  * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
  * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
  *                 #MBEDTLS_AES_DECRYPT
  * \param length   The length of the input data.
  * \param iv       The initialization vector (updated after use).
+ *                 It must be a readable and writeable buffer of \c 16 Bytes.
  * \param input    The buffer holding the input data.
+ *                 It must be readable and of size \p length Bytes.
  * \param output   The buffer holding the output data.
+ *                 It must be writeable and of size \p length Bytes.
  *
  * \return         \c 0 on success.
  */
@@ -286,6 +447,61 @@ int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
                     unsigned char *output );
 #endif /*MBEDTLS_CIPHER_MODE_CFB */
 
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/**
+ * \brief       This function performs an AES-OFB (Output Feedback Mode)
+ *              encryption or decryption operation.
+ *
+ *              For OFB, you must set up the context with
+ *              mbedtls_aes_setkey_enc(), regardless of whether you are
+ *              performing an encryption or decryption operation. This is
+ *              because OFB mode uses the same key schedule for encryption and
+ *              decryption.
+ *
+ *              The OFB operation is identical for encryption or decryption,
+ *              therefore no operation mode needs to be specified.
+ *
+ * \note        Upon exit, the content of iv, the Initialisation Vector, is
+ *              updated so that you can call the same function again on the next
+ *              block(s) of data and get the same result as if it was encrypted
+ *              in one call. This allows a "streaming" usage, by initialising
+ *              iv_off to 0 before the first call, and preserving its value
+ *              between calls.
+ *
+ *              For non-streaming use, the iv should be initialised on each call
+ *              to a unique value, and iv_off set to 0 on each call.
+ *
+ *              If you need to retain the contents of the initialisation vector,
+ *              you must either save it manually or use the cipher module
+ *              instead.
+ *
+ * \warning     For the OFB mode, the initialisation vector must be unique
+ *              every encryption operation. Reuse of an initialisation vector
+ *              will compromise security.
+ *
+ * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
+ * \param length   The length of the input data.
+ * \param iv_off   The offset in IV (updated after use).
+ *                 It must point to a valid \c size_t.
+ * \param iv       The initialization vector (updated after use).
+ *                 It must be a readable and writeable buffer of \c 16 Bytes.
+ * \param input    The buffer holding the input data.
+ *                 It must be readable and of size \p length Bytes.
+ * \param output   The buffer holding the output data.
+ *                 It must be writeable and of size \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
 /**
  * \brief      This function performs an AES-CTR encryption or decryption
@@ -300,20 +516,68 @@ int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
  *             must use the context initialized with mbedtls_aes_setkey_enc()
  *             for both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
  *
- * \warning    You must keep the maximum use of your counter in mind.
+ * \warning    You must never reuse a nonce value with the same key. Doing so
+ *             would void the encryption for the two messages encrypted with
+ *             the same nonce and key.
+ *
+ *             There are two common strategies for managing nonces with CTR:
+ *
+ *             1. You can handle everything as a single message processed over
+ *             successive calls to this function. In that case, you want to
+ *             set \p nonce_counter and \p nc_off to 0 for the first call, and
+ *             then preserve the values of \p nonce_counter, \p nc_off and \p
+ *             stream_block across calls to this function as they will be
+ *             updated by this function.
+ *
+ *             With this strategy, you must not encrypt more than 2**128
+ *             blocks of data with the same key.
+ *
+ *             2. You can encrypt separate messages by dividing the \p
+ *             nonce_counter buffer in two areas: the first one used for a
+ *             per-message nonce, handled by yourself, and the second one
+ *             updated by this function internally.
+ *
+ *             For example, you might reserve the first 12 bytes for the
+ *             per-message nonce, and the last 4 bytes for internal use. In that
+ *             case, before calling this function on a new message you need to
+ *             set the first 12 bytes of \p nonce_counter to your chosen nonce
+ *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
+ *             stream_block to be ignored). That way, you can encrypt at most
+ *             2**96 messages of up to 2**32 blocks each with the same key.
+ *
+ *             The per-message nonce (or information sufficient to reconstruct
+ *             it) needs to be communicated with the ciphertext and must be unique.
+ *             The recommended way to ensure uniqueness is to use a message
+ *             counter. An alternative is to generate random nonces, but this
+ *             limits the number of messages that can be securely encrypted:
+ *             for example, with 96-bit random nonces, you should not encrypt
+ *             more than 2**32 messages with the same key.
+ *
+ *             Note that for both stategies, sizes are measured in blocks and
+ *             that an AES block is 16 bytes.
+ *
+ * \warning    Upon return, \p stream_block contains sensitive data. Its
+ *             content must not be written to insecure storage and should be
+ *             securely discarded as soon as it's no longer needed.
  *
  * \param ctx              The AES context to use for encryption or decryption.
+ *                         It must be initialized and bound to a key.
  * \param length           The length of the input data.
  * \param nc_off           The offset in the current \p stream_block, for
  *                         resuming within the current cipher stream. The
  *                         offset pointer should be 0 at the start of a stream.
+ *                         It must point to a valid \c size_t.
  * \param nonce_counter    The 128-bit nonce and counter.
+ *                         It must be a readable-writeable buffer of \c 16 Bytes.
  * \param stream_block     The saved stream block for resuming. This is
  *                         overwritten by the function.
+ *                         It must be a readable-writeable buffer of \c 16 Bytes.
  * \param input            The buffer holding the input data.
+ *                         It must be readable and of size \p length Bytes.
  * \param output           The buffer holding the output data.
+ *                         It must be writeable and of size \p length Bytes.
  *
- * \return     \c 0 on success.
+ * \return                 \c 0 on success.
  */
 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
                        size_t length,
@@ -364,7 +628,7 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
  * \brief           Deprecated internal AES block encryption function
  *                  without return value.
  *
- * \deprecated      Superseded by mbedtls_aes_encrypt_ext() in 2.5.0.
+ * \deprecated      Superseded by mbedtls_internal_aes_encrypt()
  *
  * \param ctx       The AES context to use for encryption.
  * \param input     Plaintext block.
@@ -378,7 +642,7 @@ MBEDTLS_DEPRECATED void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
  * \brief           Deprecated internal AES block decryption function
  *                  without return value.
  *
- * \deprecated      Superseded by mbedtls_aes_decrypt_ext() in 2.5.0.
+ * \deprecated      Superseded by mbedtls_internal_aes_decrypt()
  *
  * \param ctx       The AES context to use for decryption.
  * \param input     Ciphertext block.
@@ -391,25 +655,18 @@ MBEDTLS_DEPRECATED void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* MBEDTLS_AES_ALT */
-#include "aes_alt.h"
-#endif /* MBEDTLS_AES_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
 
+#if defined(MBEDTLS_SELF_TEST)
 /**
  * \brief          Checkup routine.
  *
- * \return         \c 0 on success, or \c 1 on failure.
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
  */
 int mbedtls_aes_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/aesni.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/aesni.h
index 7b16b4bad0..a4ca012f8a 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/aesni.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/aesni.h
@@ -2,6 +2,9 @@
  * \file aesni.h
  *
  * \brief AES-NI for hardware AES acceleration on some Intel processors
+ *
+ * \warning These functions are only for internal use by other library
+ *          functions; you must not call them directly.
  */
 /*
  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
@@ -48,7 +51,10 @@ extern "C" {
 #endif
 
 /**
- * \brief          AES-NI features detection routine
+ * \brief          Internal function to detect the AES-NI feature in CPUs.
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
  *
  * \param what     The feature to detect
  *                 (MBEDTLS_AESNI_AES or MBEDTLS_AESNI_CLMUL)
@@ -58,7 +64,10 @@ extern "C" {
 int mbedtls_aesni_has_support( unsigned int what );
 
 /**
- * \brief          AES-NI AES-ECB block en(de)cryption
+ * \brief          Internal AES-NI AES-ECB block encryption and decryption
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
  *
  * \param ctx      AES context
  * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
@@ -68,12 +77,15 @@ int mbedtls_aesni_has_support( unsigned int what );
  * \return         0 on success (cannot fail)
  */
 int mbedtls_aesni_crypt_ecb( mbedtls_aes_context *ctx,
-                     int mode,
-                     const unsigned char input[16],
-                     unsigned char output[16] );
+                             int mode,
+                             const unsigned char input[16],
+                             unsigned char output[16] );
 
 /**
- * \brief          GCM multiplication: c = a * b in GF(2^128)
+ * \brief          Internal GCM multiplication: c = a * b in GF(2^128)
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
  *
  * \param c        Result
  * \param a        First operand
@@ -83,21 +95,29 @@ int mbedtls_aesni_crypt_ecb( mbedtls_aes_context *ctx,
  *                 elements of GF(2^128) as per the GCM spec.
  */
 void mbedtls_aesni_gcm_mult( unsigned char c[16],
-                     const unsigned char a[16],
-                     const unsigned char b[16] );
+                             const unsigned char a[16],
+                             const unsigned char b[16] );
 
 /**
- * \brief           Compute decryption round keys from encryption round keys
+ * \brief           Internal round key inversion. This function computes
+ *                  decryption round keys from the encryption round keys.
+ *
+ * \note            This function is only for internal use by other library
+ *                  functions; you must not call it directly.
  *
  * \param invkey    Round keys for the equivalent inverse cipher
  * \param fwdkey    Original round keys (for encryption)
  * \param nr        Number of rounds (that is, number of round keys minus one)
  */
 void mbedtls_aesni_inverse_key( unsigned char *invkey,
-                        const unsigned char *fwdkey, int nr );
+                                const unsigned char *fwdkey,
+                                int nr );
 
 /**
- * \brief           Perform key expansion (for encryption)
+ * \brief           Internal key expansion for encryption
+ *
+ * \note            This function is only for internal use by other library
+ *                  functions; you must not call it directly.
  *
  * \param rk        Destination buffer where the round keys are written
  * \param key       Encryption key
@@ -106,8 +126,8 @@ void mbedtls_aesni_inverse_key( unsigned char *invkey,
  * \return          0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
  */
 int mbedtls_aesni_setkey_enc( unsigned char *rk,
-                      const unsigned char *key,
-                      size_t bits );
+                              const unsigned char *key,
+                              size_t bits );
 
 #ifdef __cplusplus
 }
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/arc4.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/arc4.h
index f9d93f822f..fb044d5b7f 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/arc4.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/arc4.h
@@ -36,16 +36,17 @@
 
 #include <stddef.h>
 
+/* MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED                  -0x0019  /**< ARC4 hardware accelerator failed. */
 
-#if !defined(MBEDTLS_ARC4_ALT)
-// Regular implementation
-//
-
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_ARC4_ALT)
+// Regular implementation
+//
+
 /**
  * \brief     ARC4 context structure
  *
@@ -53,7 +54,7 @@ extern "C" {
  *            security risk. We recommend considering stronger ciphers instead.
  *
  */
-typedef struct
+typedef struct mbedtls_arc4_context
 {
     int x;                      /*!< permutation index */
     int y;                      /*!< permutation index */
@@ -61,6 +62,10 @@ typedef struct
 }
 mbedtls_arc4_context;
 
+#else  /* MBEDTLS_ARC4_ALT */
+#include "arc4_alt.h"
+#endif /* MBEDTLS_ARC4_ALT */
+
 /**
  * \brief          Initialize ARC4 context
  *
@@ -118,17 +123,7 @@ void mbedtls_arc4_setup( mbedtls_arc4_context *ctx, const unsigned char *key,
 int mbedtls_arc4_crypt( mbedtls_arc4_context *ctx, size_t length, const unsigned char *input,
                 unsigned char *output );
 
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* MBEDTLS_ARC4_ALT */
-#include "arc4_alt.h"
-#endif /* MBEDTLS_ARC4_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
+#if defined(MBEDTLS_SELF_TEST)
 
 /**
  * \brief          Checkup routine
@@ -142,6 +137,8 @@ extern "C" {
  */
 int mbedtls_arc4_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/aria.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/aria.h
new file mode 100644
index 0000000000..1e8956ed13
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/aria.h
@@ -0,0 +1,370 @@
+/**
+ * \file aria.h
+ *
+ * \brief ARIA block cipher
+ *
+ *        The ARIA algorithm is a symmetric block cipher that can encrypt and
+ *        decrypt information. It is defined by the Korean Agency for
+ *        Technology and Standards (KATS) in <em>KS X 1213:2004</em> (in
+ *        Korean, but see http://210.104.33.10/ARIA/index-e.html in English)
+ *        and also described by the IETF in <em>RFC 5794</em>.
+ */
+/*  Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_ARIA_H
+#define MBEDTLS_ARIA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "platform_util.h"
+
+#define MBEDTLS_ARIA_ENCRYPT     1 /**< ARIA encryption. */
+#define MBEDTLS_ARIA_DECRYPT     0 /**< ARIA decryption. */
+
+#define MBEDTLS_ARIA_BLOCKSIZE   16 /**< ARIA block size in bytes. */
+#define MBEDTLS_ARIA_MAX_ROUNDS  16 /**< Maxiumum number of rounds in ARIA. */
+#define MBEDTLS_ARIA_MAX_KEYSIZE 32 /**< Maximum size of an ARIA key in bytes. */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x005C )
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#define MBEDTLS_ERR_ARIA_BAD_INPUT_DATA -0x005C /**< Bad input data. */
+
+#define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */
+
+/* MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE  -0x005A  /**< Feature not available. For example, an unsupported ARIA key size. */
+
+/* MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED      -0x0058  /**< ARIA hardware accelerator failed. */
+
+#if !defined(MBEDTLS_ARIA_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief The ARIA context-type definition.
+ */
+typedef struct mbedtls_aria_context
+{
+    unsigned char nr;           /*!< The number of rounds (12, 14 or 16) */
+    /*! The ARIA round keys. */
+    uint32_t rk[MBEDTLS_ARIA_MAX_ROUNDS + 1][MBEDTLS_ARIA_BLOCKSIZE / 4];
+}
+mbedtls_aria_context;
+
+#else  /* MBEDTLS_ARIA_ALT */
+#include "aria_alt.h"
+#endif /* MBEDTLS_ARIA_ALT */
+
+/**
+ * \brief          This function initializes the specified ARIA context.
+ *
+ *                 It must be the first API called before using
+ *                 the context.
+ *
+ * \param ctx      The ARIA context to initialize. This must not be \c NULL.
+ */
+void mbedtls_aria_init( mbedtls_aria_context *ctx );
+
+/**
+ * \brief          This function releases and clears the specified ARIA context.
+ *
+ * \param ctx      The ARIA context to clear. This may be \c NULL, in which
+ *                 case this function returns immediately. If it is not \c NULL,
+ *                 it must point to an initialized ARIA context.
+ */
+void mbedtls_aria_free( mbedtls_aria_context *ctx );
+
+/**
+ * \brief          This function sets the encryption key.
+ *
+ * \param ctx      The ARIA context to which the key should be bound.
+ *                 This must be initialized.
+ * \param key      The encryption key. This must be a readable buffer
+ *                 of size \p keybits Bits.
+ * \param keybits  The size of \p key in Bits. Valid options are:
+ *                 <ul><li>128 bits</li>
+ *                 <li>192 bits</li>
+ *                 <li>256 bits</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
+                             const unsigned char *key,
+                             unsigned int keybits );
+
+/**
+ * \brief          This function sets the decryption key.
+ *
+ * \param ctx      The ARIA context to which the key should be bound.
+ *                 This must be initialized.
+ * \param key      The decryption key. This must be a readable buffer
+ *                 of size \p keybits Bits.
+ * \param keybits  The size of data passed. Valid options are:
+ *                 <ul><li>128 bits</li>
+ *                 <li>192 bits</li>
+ *                 <li>256 bits</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
+                             const unsigned char *key,
+                             unsigned int keybits );
+
+/**
+ * \brief          This function performs an ARIA single-block encryption or
+ *                 decryption operation.
+ *
+ *                 It performs encryption or decryption (depending on whether
+ *                 the key was set for encryption on decryption) on the input
+ *                 data buffer defined in the \p input parameter.
+ *
+ *                 mbedtls_aria_init(), and either mbedtls_aria_setkey_enc() or
+ *                 mbedtls_aria_setkey_dec() must be called before the first
+ *                 call to this API with the same context.
+ *
+ * \param ctx      The ARIA context to use for encryption or decryption.
+ *                 This must be initialized and bound to a key.
+ * \param input    The 16-Byte buffer holding the input data.
+ * \param output   The 16-Byte buffer holding the output data.
+
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
+                            const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
+                            unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief  This function performs an ARIA-CBC encryption or decryption operation
+ *         on full blocks.
+ *
+ *         It performs the operation defined in the \p mode
+ *         parameter (encrypt/decrypt), on the input data buffer defined in
+ *         the \p input parameter.
+ *
+ *         It can be called as many times as needed, until all the input
+ *         data is processed. mbedtls_aria_init(), and either
+ *         mbedtls_aria_setkey_enc() or mbedtls_aria_setkey_dec() must be called
+ *         before the first call to this API with the same context.
+ *
+ * \note   This function operates on aligned blocks, that is, the input size
+ *         must be a multiple of the ARIA block size of 16 Bytes.
+ *
+ * \note   Upon exit, the content of the IV is updated so that you can
+ *         call the same function again on the next
+ *         block(s) of data and get the same result as if it was
+ *         encrypted in one call. This allows a "streaming" usage.
+ *         If you need to retain the contents of the IV, you should
+ *         either save it manually or use the cipher module instead.
+ *
+ *
+ * \param ctx      The ARIA context to use for encryption or decryption.
+ *                 This must be initialized and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_ARIA_ENCRYPT for encryption, or
+ *                 #MBEDTLS_ARIA_DECRYPT for decryption.
+ * \param length   The length of the input data in Bytes. This must be a
+ *                 multiple of the block size (16 Bytes).
+ * \param iv       Initialization vector (updated after use).
+ *                 This must be a readable buffer of size 16 Bytes.
+ * \param input    The buffer holding the input data. This must
+ *                 be a readable buffer of length \p length Bytes.
+ * \param output   The buffer holding the output data. This must
+ *                 be a writable buffer of length \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
+                            int mode,
+                            size_t length,
+                            unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+                            const unsigned char *input,
+                            unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief This function performs an ARIA-CFB128 encryption or decryption
+ *        operation.
+ *
+ *        It performs the operation defined in the \p mode
+ *        parameter (encrypt or decrypt), on the input data buffer
+ *        defined in the \p input parameter.
+ *
+ *        For CFB, you must set up the context with mbedtls_aria_setkey_enc(),
+ *        regardless of whether you are performing an encryption or decryption
+ *        operation, that is, regardless of the \p mode parameter. This is
+ *        because CFB mode uses the same key schedule for encryption and
+ *        decryption.
+ *
+ * \note  Upon exit, the content of the IV is updated so that you can
+ *        call the same function again on the next
+ *        block(s) of data and get the same result as if it was
+ *        encrypted in one call. This allows a "streaming" usage.
+ *        If you need to retain the contents of the
+ *        IV, you must either save it manually or use the cipher
+ *        module instead.
+ *
+ *
+ * \param ctx      The ARIA context to use for encryption or decryption.
+ *                 This must be initialized and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_ARIA_ENCRYPT for encryption, or
+ *                 #MBEDTLS_ARIA_DECRYPT for decryption.
+ * \param length   The length of the input data \p input in Bytes.
+ * \param iv_off   The offset in IV (updated after use).
+ *                 This must not be larger than 15.
+ * \param iv       The initialization vector (updated after use).
+ *                 This must be a readable buffer of size 16 Bytes.
+ * \param input    The buffer holding the input data. This must
+ *                 be a readable buffer of length \p length Bytes.
+ * \param output   The buffer holding the output data. This must
+ *                 be a writable buffer of length \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
+                               int mode,
+                               size_t length,
+                               size_t *iv_off,
+                               unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+                               const unsigned char *input,
+                               unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief      This function performs an ARIA-CTR encryption or decryption
+ *             operation.
+ *
+ *             This function performs the operation defined in the \p mode
+ *             parameter (encrypt/decrypt), on the input data buffer
+ *             defined in the \p input parameter.
+ *
+ *             Due to the nature of CTR, you must use the same key schedule
+ *             for both encryption and decryption operations. Therefore, you
+ *             must use the context initialized with mbedtls_aria_setkey_enc()
+ *             for both #MBEDTLS_ARIA_ENCRYPT and #MBEDTLS_ARIA_DECRYPT.
+ *
+ * \warning    You must never reuse a nonce value with the same key. Doing so
+ *             would void the encryption for the two messages encrypted with
+ *             the same nonce and key.
+ *
+ *             There are two common strategies for managing nonces with CTR:
+ *
+ *             1. You can handle everything as a single message processed over
+ *             successive calls to this function. In that case, you want to
+ *             set \p nonce_counter and \p nc_off to 0 for the first call, and
+ *             then preserve the values of \p nonce_counter, \p nc_off and \p
+ *             stream_block across calls to this function as they will be
+ *             updated by this function.
+ *
+ *             With this strategy, you must not encrypt more than 2**128
+ *             blocks of data with the same key.
+ *
+ *             2. You can encrypt separate messages by dividing the \p
+ *             nonce_counter buffer in two areas: the first one used for a
+ *             per-message nonce, handled by yourself, and the second one
+ *             updated by this function internally.
+ *
+ *             For example, you might reserve the first 12 bytes for the
+ *             per-message nonce, and the last 4 bytes for internal use. In that
+ *             case, before calling this function on a new message you need to
+ *             set the first 12 bytes of \p nonce_counter to your chosen nonce
+ *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
+ *             stream_block to be ignored). That way, you can encrypt at most
+ *             2**96 messages of up to 2**32 blocks each with the same key.
+ *
+ *             The per-message nonce (or information sufficient to reconstruct
+ *             it) needs to be communicated with the ciphertext and must be unique.
+ *             The recommended way to ensure uniqueness is to use a message
+ *             counter. An alternative is to generate random nonces, but this
+ *             limits the number of messages that can be securely encrypted:
+ *             for example, with 96-bit random nonces, you should not encrypt
+ *             more than 2**32 messages with the same key.
+ *
+ *             Note that for both stategies, sizes are measured in blocks and
+ *             that an ARIA block is 16 bytes.
+ *
+ * \warning    Upon return, \p stream_block contains sensitive data. Its
+ *             content must not be written to insecure storage and should be
+ *             securely discarded as soon as it's no longer needed.
+ *
+ * \param ctx              The ARIA context to use for encryption or decryption.
+ *                         This must be initialized and bound to a key.
+ * \param length           The length of the input data \p input in Bytes.
+ * \param nc_off           The offset in Bytes in the current \p stream_block,
+ *                         for resuming within the current cipher stream. The
+ *                         offset pointer should be \c 0 at the start of a
+ *                         stream. This must not be larger than \c 15 Bytes.
+ * \param nonce_counter    The 128-bit nonce and counter. This must point to
+ *                         a read/write buffer of length \c 16 bytes.
+ * \param stream_block     The saved stream block for resuming. This must
+ *                         point to a read/write buffer of length \c 16 bytes.
+ *                         This is overwritten by the function.
+ * \param input            The buffer holding the input data. This must
+ *                         be a readable buffer of length \p length Bytes.
+ * \param output           The buffer holding the output data. This must
+ *                         be a writable buffer of length \p length Bytes.
+ *
+ * \return                 \c 0 on success.
+ * \return                 A negative error code on failure.
+ */
+int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
+                            size_t length,
+                            size_t *nc_off,
+                            unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
+                            unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
+                            const unsigned char *input,
+                            unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine.
+ *
+ * \return         \c 0 on success, or \c 1 on failure.
+ */
+int mbedtls_aria_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* aria.h */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/asn1write.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/asn1write.h
index 083601af32..a194243696 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/asn1write.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/asn1write.h
@@ -32,161 +32,239 @@
 
 #include "asn1.h"
 
-#define MBEDTLS_ASN1_CHK_ADD(g, f) do { if( ( ret = f ) < 0 ) return( ret ); else   \
-                                g += ret; } while( 0 )
+#define MBEDTLS_ASN1_CHK_ADD(g, f)                      \
+    do                                                  \
+    {                                                   \
+        if( ( ret = (f) ) < 0 )                         \
+            return( ret );                              \
+        else                                            \
+            (g) += ret;                                 \
+    } while( 0 )
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 /**
- * \brief           Write a length field in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write a length field in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param len       the length to write
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param len       The length value to write.
  *
- * \return          the length written or a negative error code
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_len( unsigned char **p, unsigned char *start, size_t len );
-
+int mbedtls_asn1_write_len( unsigned char **p, unsigned char *start,
+                            size_t len );
 /**
- * \brief           Write a ASN.1 tag in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write an ASN.1 tag in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param tag       the tag to write
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param tag       The tag to write.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
 int mbedtls_asn1_write_tag( unsigned char **p, unsigned char *start,
-                    unsigned char tag );
+                            unsigned char tag );
 
 /**
- * \brief           Write raw buffer data
- *                  Note: function works backwards in data buffer
+ * \brief           Write raw buffer data.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param buf       data buffer to write
- * \param size      length of the data buffer
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param buf       The data buffer to write.
+ * \param size      The length of the data buffer.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
 int mbedtls_asn1_write_raw_buffer( unsigned char **p, unsigned char *start,
-                           const unsigned char *buf, size_t size );
+                                   const unsigned char *buf, size_t size );
 
 #if defined(MBEDTLS_BIGNUM_C)
 /**
- * \brief           Write a big number (MBEDTLS_ASN1_INTEGER) in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write a arbitrary-precision number (#MBEDTLS_ASN1_INTEGER)
+ *                  in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param X         the MPI to write
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param X         The MPI to write.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start, const mbedtls_mpi *X );
+int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start,
+                            const mbedtls_mpi *X );
 #endif /* MBEDTLS_BIGNUM_C */
 
 /**
- * \brief           Write a NULL tag (MBEDTLS_ASN1_NULL) with zero data in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write a NULL tag (#MBEDTLS_ASN1_NULL) with zero data
+ *                  in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
  *
- * \return          the length written or a negative error code
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
 int mbedtls_asn1_write_null( unsigned char **p, unsigned char *start );
 
 /**
- * \brief           Write an OID tag (MBEDTLS_ASN1_OID) and data in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write an OID tag (#MBEDTLS_ASN1_OID) and data
+ *                  in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param oid       the OID to write
- * \param oid_len   length of the OID
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param oid       The OID to write.
+ * \param oid_len   The length of the OID.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
 int mbedtls_asn1_write_oid( unsigned char **p, unsigned char *start,
-                    const char *oid, size_t oid_len );
+                            const char *oid, size_t oid_len );
 
 /**
- * \brief           Write an AlgorithmIdentifier sequence in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write an AlgorithmIdentifier sequence in ASN.1 format.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param oid       the OID of the algorithm
- * \param oid_len   length of the OID
- * \param par_len   length of parameters, which must be already written.
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param oid       The OID of the algorithm to write.
+ * \param oid_len   The length of the algorithm's OID.
+ * \param par_len   The length of the parameters, which must be already written.
  *                  If 0, NULL parameters are added
  *
- * \return          the length written or a negative error code
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_algorithm_identifier( unsigned char **p, unsigned char *start,
-                                     const char *oid, size_t oid_len,
-                                     size_t par_len );
+int mbedtls_asn1_write_algorithm_identifier( unsigned char **p,
+                                             unsigned char *start,
+                                             const char *oid, size_t oid_len,
+                                             size_t par_len );
 
 /**
- * \brief           Write a boolean tag (MBEDTLS_ASN1_BOOLEAN) and value in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write a boolean tag (#MBEDTLS_ASN1_BOOLEAN) and value
+ *                  in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param boolean   0 or 1
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param boolean   The boolean value to write, either \c 0 or \c 1.
  *
- * \return          the length written or a negative error code
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_bool( unsigned char **p, unsigned char *start, int boolean );
+int mbedtls_asn1_write_bool( unsigned char **p, unsigned char *start,
+                             int boolean );
 
 /**
- * \brief           Write an int tag (MBEDTLS_ASN1_INTEGER) and value in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write an int tag (#MBEDTLS_ASN1_INTEGER) and value
+ *                  in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param val       the integer value
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param val       The integer value to write.
  *
- * \return          the length written or a negative error code
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
 int mbedtls_asn1_write_int( unsigned char **p, unsigned char *start, int val );
 
 /**
- * \brief           Write a printable string tag (MBEDTLS_ASN1_PRINTABLE_STRING) and
- *                  value in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write a string in ASN.1 format using a specific
+ *                  string encoding tag.
+
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param tag       The string encoding tag to write, e.g.
+ *                  #MBEDTLS_ASN1_UTF8_STRING.
+ * \param text      The string to write.
+ * \param text_len  The length of \p text in bytes (which might
+ *                  be strictly larger than the number of characters).
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_tagged_string( unsigned char **p, unsigned char *start,
+                                      int tag, const char *text,
+                                      size_t text_len );
+
+/**
+ * \brief           Write a string in ASN.1 format using the PrintableString
+ *                  string encoding tag (#MBEDTLS_ASN1_PRINTABLE_STRING).
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param text      The string to write.
+ * \param text_len  The length of \p text in bytes (which might
+ *                  be strictly larger than the number of characters).
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_printable_string( unsigned char **p,
+                                         unsigned char *start,
+                                         const char *text, size_t text_len );
+
+/**
+ * \brief           Write a UTF8 string in ASN.1 format using the UTF8String
+ *                  string encoding tag (#MBEDTLS_ASN1_PRINTABLE_STRING).
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param text      the text to write
- * \param text_len  length of the text
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param text      The string to write.
+ * \param text_len  The length of \p text in bytes (which might
+ *                  be strictly larger than the number of characters).
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
  */
-int mbedtls_asn1_write_printable_string( unsigned char **p, unsigned char *start,
-                                 const char *text, size_t text_len );
+int mbedtls_asn1_write_utf8_string( unsigned char **p, unsigned char *start,
+                                    const char *text, size_t text_len );
 
 /**
- * \brief           Write an IA5 string tag (MBEDTLS_ASN1_IA5_STRING) and
- *                  value in ASN.1 format
- *                  Note: function works backwards in data buffer
+ * \brief           Write a string in ASN.1 format using the IA5String
+ *                  string encoding tag (#MBEDTLS_ASN1_IA5_STRING).
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param text      the text to write
- * \param text_len  length of the text
+ * \note            This function works backwards in data buffer.
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param text      The string to write.
+ * \param text_len  The length of \p text in bytes (which might
+ *                  be strictly larger than the number of characters).
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
  */
 int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
-                           const char *text, size_t text_len );
+                                   const char *text, size_t text_len );
 
 /**
  * \brief           Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and
@@ -203,7 +281,7 @@ int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
  * \return          A negative error code on failure.
  */
 int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
-                          const unsigned char *buf, size_t bits );
+                                  const unsigned char *buf, size_t bits );
 
 /**
  * \brief           Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING)
@@ -211,15 +289,16 @@ int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
  *
  * \note            This function works backwards in data buffer.
  *
- * \param p         reference to current position pointer
- * \param start     start of the buffer (for bounds-checking)
- * \param buf       data buffer to write
- * \param size      length of the data buffer
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param buf       The buffer holding the data to write.
+ * \param size      The length of the data buffer \p buf.
  *
- * \return          the length written or a negative error code
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
  */
 int mbedtls_asn1_write_octet_string( unsigned char **p, unsigned char *start,
-                             const unsigned char *buf, size_t size );
+                                     const unsigned char *buf, size_t size );
 
 /**
  * \brief           Create or find a specific named_data entry for writing in a
@@ -227,15 +306,16 @@ int mbedtls_asn1_write_octet_string( unsigned char **p, unsigned char *start,
  *                  a new entry is added to the head of the list.
  *                  Warning: Destructive behaviour for the val data!
  *
- * \param list      Pointer to the location of the head of the list to seek
- *                  through (will be updated in case of a new entry)
- * \param oid       The OID to look for
- * \param oid_len   Size of the OID
- * \param val       Data to store (can be NULL if you want to fill it by hand)
- * \param val_len   Minimum length of the data buffer needed
+ * \param list      The pointer to the location of the head of the list to seek
+ *                  through (will be updated in case of a new entry).
+ * \param oid       The OID to look for.
+ * \param oid_len   The size of the OID.
+ * \param val       The data to store (can be \c NULL if you want to fill
+ *                  it by hand).
+ * \param val_len   The minimum length of the data buffer needed.
  *
- * \return      NULL if if there was a memory allocation error, or a pointer
- *              to the new / existing entry.
+ * \return          A pointer to the new / existing entry on success.
+ * \return          \c NULL if if there was a memory allocation error.
  */
 mbedtls_asn1_named_data *mbedtls_asn1_store_named_data( mbedtls_asn1_named_data **list,
                                         const char *oid, size_t oid_len,
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/base64.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/base64.h
index 10e4145ee6..0d024164c5 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/base64.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/base64.h
@@ -81,6 +81,7 @@ int mbedtls_base64_encode( unsigned char *dst, size_t dlen, size_t *olen,
 int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
                    const unsigned char *src, size_t slen );
 
+#if defined(MBEDTLS_SELF_TEST)
 /**
  * \brief          Checkup routine
  *
@@ -88,6 +89,8 @@ int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
  */
 int mbedtls_base64_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/bignum.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/bignum.h
index 3bf02a7ee1..1c8607264f 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/bignum.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/bignum.h
@@ -46,7 +46,12 @@
 #define MBEDTLS_ERR_MPI_NOT_ACCEPTABLE                    -0x000E  /**< The input arguments are not acceptable. */
 #define MBEDTLS_ERR_MPI_ALLOC_FAILED                      -0x0010  /**< Memory allocation failed. */
 
-#define MBEDTLS_MPI_CHK(f) do { if( ( ret = f ) != 0 ) goto cleanup; } while( 0 )
+#define MBEDTLS_MPI_CHK(f)       \
+    do                           \
+    {                            \
+        if( ( ret = (f) ) != 0 ) \
+            goto cleanup;        \
+    } while( 0 )
 
 /*
  * Maximum size MPIs are allowed to grow to in number of limbs.
@@ -177,7 +182,7 @@ extern "C" {
 /**
  * \brief          MPI structure
  */
-typedef struct
+typedef struct mbedtls_mpi
 {
     int s;              /*!<  integer sign      */
     size_t n;           /*!<  total # of limbs  */
@@ -186,90 +191,115 @@ typedef struct
 mbedtls_mpi;
 
 /**
- * \brief           Initialize one MPI (make internal references valid)
- *                  This just makes it ready to be set or freed,
+ * \brief           Initialize an MPI context.
+ *
+ *                  This makes the MPI ready to be set or freed,
  *                  but does not define a value for the MPI.
  *
- * \param X         One MPI to initialize.
+ * \param X         The MPI context to initialize. This must not be \c NULL.
  */
 void mbedtls_mpi_init( mbedtls_mpi *X );
 
 /**
- * \brief          Unallocate one MPI
+ * \brief          This function frees the components of an MPI context.
  *
- * \param X        One MPI to unallocate.
+ * \param X        The MPI context to be cleared. This may be \c NULL,
+ *                 in which case this function is a no-op. If it is
+ *                 not \c NULL, it must point to an initialized MPI.
  */
 void mbedtls_mpi_free( mbedtls_mpi *X );
 
 /**
- * \brief          Enlarge to the specified number of limbs
+ * \brief          Enlarge an MPI to the specified number of limbs.
+ *
+ * \note           This function does nothing if the MPI is
+ *                 already large enough.
  *
- * \param X        MPI to grow
- * \param nblimbs  The target number of limbs
+ * \param X        The MPI to grow. It must be initialized.
+ * \param nblimbs  The target number of limbs.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
  */
 int mbedtls_mpi_grow( mbedtls_mpi *X, size_t nblimbs );
 
 /**
- * \brief          Resize down, keeping at least the specified number of limbs
+ * \brief          This function resizes an MPI downwards, keeping at least the
+ *                 specified number of limbs.
+ *
+ *                 If \c X is smaller than \c nblimbs, it is resized up
+ *                 instead.
  *
- * \param X        MPI to shrink
- * \param nblimbs  The minimum number of limbs to keep
+ * \param X        The MPI to shrink. This must point to an initialized MPI.
+ * \param nblimbs  The minimum number of limbs to keep.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ *                 (this can only happen when resizing up).
+ * \return         Another negative error code on other kinds of failure.
  */
 int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs );
 
 /**
- * \brief          Copy the contents of Y into X
+ * \brief          Make a copy of an MPI.
  *
- * \param X        Destination MPI
- * \param Y        Source MPI
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param Y        The source MPI. This must point to an initialized MPI.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \note           The limb-buffer in the destination MPI is enlarged
+ *                 if necessary to hold the value in the source MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
  */
 int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y );
 
 /**
- * \brief          Swap the contents of X and Y
+ * \brief          Swap the contents of two MPIs.
  *
- * \param X        First MPI value
- * \param Y        Second MPI value
+ * \param X        The first MPI. It must be initialized.
+ * \param Y        The second MPI. It must be initialized.
  */
 void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y );
 
 /**
- * \brief          Safe conditional assignement X = Y if assign is 1
- *
- * \param X        MPI to conditionally assign to
- * \param Y        Value to be assigned
- * \param assign   1: perform the assignment, 0: keep X's original value
+ * \brief          Perform a safe conditional copy of MPI which doesn't
+ *                 reveal whether the condition was true or not.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ * \param X        The MPI to conditionally assign to. This must point
+ *                 to an initialized MPI.
+ * \param Y        The MPI to be assigned from. This must point to an
+ *                 initialized MPI.
+ * \param assign   The condition deciding whether to perform the
+ *                 assignment or not. Possible values:
+ *                 * \c 1: Perform the assignment `X = Y`.
+ *                 * \c 0: Keep the original value of \p X.
  *
  * \note           This function is equivalent to
- *                      if( assign ) mbedtls_mpi_copy( X, Y );
+ *                      `if( assign ) mbedtls_mpi_copy( X, Y );`
  *                 except that it avoids leaking any information about whether
  *                 the assignment was done or not (the above code may leak
  *                 information through branch prediction and/or memory access
  *                 patterns analysis).
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
  */
 int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign );
 
 /**
- * \brief          Safe conditional swap X <-> Y if swap is 1
- *
- * \param X        First mbedtls_mpi value
- * \param Y        Second mbedtls_mpi value
- * \param assign   1: perform the swap, 0: keep X and Y's original values
+ * \brief          Perform a safe conditional swap which doesn't
+ *                 reveal whether the condition was true or not.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ * \param X        The first MPI. This must be initialized.
+ * \param Y        The second MPI. This must be initialized.
+ * \param assign   The condition deciding whether to perform
+ *                 the swap or not. Possible values:
+ *                 * \c 1: Swap the values of \p X and \p Y.
+ *                 * \c 0: Keep the original values of \p X and \p Y.
  *
  * \note           This function is equivalent to
  *                      if( assign ) mbedtls_mpi_swap( X, Y );
@@ -277,415 +307,512 @@ int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned
  *                 the assignment was done or not (the above code may leak
  *                 information through branch prediction and/or memory access
  *                 patterns analysis).
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
+ *
  */
 int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char assign );
 
 /**
- * \brief          Set value from integer
+ * \brief          Store integer value in MPI.
  *
- * \param X        MPI to set
- * \param z        Value to use
+ * \param X        The MPI to set. This must be initialized.
+ * \param z        The value to use.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
  */
 int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z );
 
 /**
- * \brief          Get a specific bit from X
+ * \brief          Get a specific bit from an MPI.
  *
- * \param X        MPI to use
- * \param pos      Zero-based index of the bit in X
+ * \param X        The MPI to query. This must be initialized.
+ * \param pos      Zero-based index of the bit to query.
  *
- * \return         Either a 0 or a 1
+ * \return         \c 0 or \c 1 on success, depending on whether bit \c pos
+ *                 of \c X is unset or set.
+ * \return         A negative error code on failure.
  */
 int mbedtls_mpi_get_bit( const mbedtls_mpi *X, size_t pos );
 
 /**
- * \brief          Set a bit of X to a specific value of 0 or 1
+ * \brief          Modify a specific bit in an MPI.
  *
- * \note           Will grow X if necessary to set a bit to 1 in a not yet
- *                 existing limb. Will not grow if bit should be set to 0
+ * \note           This function will grow the target MPI if necessary to set a
+ *                 bit to \c 1 in a not yet existing limb. It will not grow if
+ *                 the bit should be set to \c 0.
  *
- * \param X        MPI to use
- * \param pos      Zero-based index of the bit in X
- * \param val      The value to set the bit to (0 or 1)
+ * \param X        The MPI to modify. This must be initialized.
+ * \param pos      Zero-based index of the bit to modify.
+ * \param val      The desired value of bit \c pos: \c 0 or \c 1.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_BAD_INPUT_DATA if val is not 0 or 1
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
  */
 int mbedtls_mpi_set_bit( mbedtls_mpi *X, size_t pos, unsigned char val );
 
 /**
- * \brief          Return the number of zero-bits before the least significant
- *                 '1' bit
+ * \brief          Return the number of bits of value \c 0 before the
+ *                 least significant bit of value \c 1.
  *
- * Note: Thus also the zero-based index of the least significant '1' bit
+ * \note           This is the same as the zero-based index of
+ *                 the least significant bit of value \c 1.
  *
- * \param X        MPI to use
+ * \param X        The MPI to query.
+ *
+ * \return         The number of bits of value \c 0 before the least significant
+ *                 bit of value \c 1 in \p X.
  */
 size_t mbedtls_mpi_lsb( const mbedtls_mpi *X );
 
 /**
  * \brief          Return the number of bits up to and including the most
- *                 significant '1' bit'
+ *                 significant bit of value \c 1.
+ *
+ * * \note         This is same as the one-based index of the most
+ *                 significant bit of value \c 1.
  *
- * Note: Thus also the one-based index of the most significant '1' bit
+ * \param X        The MPI to query. This must point to an initialized MPI.
  *
- * \param X        MPI to use
+ * \return         The number of bits up to and including the most
+ *                 significant bit of value \c 1.
  */
 size_t mbedtls_mpi_bitlen( const mbedtls_mpi *X );
 
 /**
- * \brief          Return the total size in bytes
+ * \brief          Return the total size of an MPI value in bytes.
+ *
+ * \param X        The MPI to use. This must point to an initialized MPI.
+ *
+ * \note           The value returned by this function may be less than
+ *                 the number of bytes used to store \p X internally.
+ *                 This happens if and only if there are trailing bytes
+ *                 of value zero.
  *
- * \param X        MPI to use
+ * \return         The least number of bytes capable of storing
+ *                 the absolute value of \p X.
  */
 size_t mbedtls_mpi_size( const mbedtls_mpi *X );
 
 /**
- * \brief          Import from an ASCII string
+ * \brief          Import an MPI from an ASCII string.
  *
- * \param X        Destination MPI
- * \param radix    Input numeric base
- * \param s        Null-terminated string buffer
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param radix    The numeric base of the input string.
+ * \param s        Null-terminated string buffer.
  *
- * \return         0 if successful, or a MBEDTLS_ERR_MPI_XXX error code
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
 int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s );
 
 /**
- * \brief          Export into an ASCII string
+ * \brief          Export an MPI to an ASCII string.
  *
- * \param X        Source MPI
- * \param radix    Output numeric base
- * \param buf      Buffer to write the string to
- * \param buflen   Length of buf
- * \param olen     Length of the string written, including final NUL byte
+ * \param X        The source MPI. This must point to an initialized MPI.
+ * \param radix    The numeric base of the output string.
+ * \param buf      The buffer to write the string to. This must be writable
+ *                 buffer of length \p buflen Bytes.
+ * \param buflen   The available size in Bytes of \p buf.
+ * \param olen     The address at which to store the length of the string
+ *                 written, including the  final \c NULL byte. This must
+ *                 not be \c NULL.
  *
- * \return         0 if successful, or a MBEDTLS_ERR_MPI_XXX error code.
- *                 *olen is always updated to reflect the amount
- *                 of data that has (or would have) been written.
+ * \note           You can call this function with `buflen == 0` to obtain the
+ *                 minimum required buffer size in `*olen`.
  *
- * \note           Call this function with buflen = 0 to obtain the
- *                 minimum required buffer size in *olen.
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the target buffer \p buf
+ *                 is too small to hold the value of \p X in the desired base.
+ *                 In this case, `*olen` is nonetheless updated to contain the
+ *                 size of \p buf required for a successful call.
+ * \return         Another negative error code on different kinds of failure.
  */
 int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
                               char *buf, size_t buflen, size_t *olen );
 
 #if defined(MBEDTLS_FS_IO)
 /**
- * \brief          Read MPI from a line in an opened file
+ * \brief          Read an MPI from a line in an opened file.
  *
- * \param X        Destination MPI
- * \param radix    Input numeric base
- * \param fin      Input file handle
- *
- * \return         0 if successful, MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if
- *                 the file read buffer is too small or a
- *                 MBEDTLS_ERR_MPI_XXX error code
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param radix    The numeric base of the string representation used
+ *                 in the source line.
+ * \param fin      The input file handle to use. This must not be \c NULL.
  *
  * \note           On success, this function advances the file stream
  *                 to the end of the current line or to EOF.
  *
- *                 The function returns 0 on an empty line.
+ *                 The function returns \c 0 on an empty line.
  *
  *                 Leading whitespaces are ignored, as is a
- *                 '0x' prefix for radix 16.
+ *                 '0x' prefix for radix \c 16.
  *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the file read buffer
+ *                 is too small.
+ * \return         Another negative error code on failure.
  */
 int mbedtls_mpi_read_file( mbedtls_mpi *X, int radix, FILE *fin );
 
 /**
- * \brief          Write X into an opened file, or stdout if fout is NULL
- *
- * \param p        Prefix, can be NULL
- * \param X        Source MPI
- * \param radix    Output numeric base
- * \param fout     Output file handle (can be NULL)
+ * \brief          Export an MPI into an opened file.
  *
- * \return         0 if successful, or a MBEDTLS_ERR_MPI_XXX error code
+ * \param p        A string prefix to emit prior to the MPI data.
+ *                 For example, this might be a label, or "0x" when
+ *                 printing in base \c 16. This may be \c NULL if no prefix
+ *                 is needed.
+ * \param X        The source MPI. This must point to an initialized MPI.
+ * \param radix    The numeric base to be used in the emitted string.
+ * \param fout     The output file handle. This may be \c NULL, in which case
+ *                 the output is written to \c stdout.
  *
- * \note           Set fout == NULL to print X on the console.
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
-int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X, int radix, FILE *fout );
+int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X,
+                            int radix, FILE *fout );
 #endif /* MBEDTLS_FS_IO */
 
 /**
- * \brief          Import X from unsigned binary data, big endian
+ * \brief          Import an MPI from unsigned big endian binary data.
  *
- * \param X        Destination MPI
- * \param buf      Input buffer
- * \param buflen   Input buffer size
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param buf      The input buffer. This must be a readable buffer of length
+ *                 \p buflen Bytes.
+ * \param buflen   The length of the input buffer \p p in Bytes.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen );
+int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf,
+                             size_t buflen );
 
 /**
- * \brief          Export X into unsigned binary data, big endian.
- *                 Always fills the whole buffer, which will start with zeros
- *                 if the number is smaller.
+ * \brief          Export an MPI into unsigned big endian binary data
+ *                 of fixed size.
  *
- * \param X        Source MPI
- * \param buf      Output buffer
- * \param buflen   Output buffer size
+ * \param X        The source MPI. This must point to an initialized MPI.
+ * \param buf      The output buffer. This must be a writable buffer of length
+ *                 \p buflen Bytes.
+ * \param buflen   The size of the output buffer \p buf in Bytes.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if buf isn't large enough
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
+ *                 large enough to hold the value of \p X.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_write_binary( const mbedtls_mpi *X, unsigned char *buf, size_t buflen );
+int mbedtls_mpi_write_binary( const mbedtls_mpi *X, unsigned char *buf,
+                              size_t buflen );
 
 /**
- * \brief          Left-shift: X <<= count
+ * \brief          Perform a left-shift on an MPI: X <<= count
  *
- * \param X        MPI to shift
- * \param count    Amount to shift
+ * \param X        The MPI to shift. This must point to an initialized MPI.
+ * \param count    The number of bits to shift by.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
 int mbedtls_mpi_shift_l( mbedtls_mpi *X, size_t count );
 
 /**
- * \brief          Right-shift: X >>= count
+ * \brief          Perform a right-shift on an MPI: X >>= count
  *
- * \param X        MPI to shift
- * \param count    Amount to shift
+ * \param X        The MPI to shift. This must point to an initialized MPI.
+ * \param count    The number of bits to shift by.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
 int mbedtls_mpi_shift_r( mbedtls_mpi *X, size_t count );
 
 /**
- * \brief          Compare unsigned values
+ * \brief          Compare the absolute values of two MPIs.
  *
- * \param X        Left-hand MPI
- * \param Y        Right-hand MPI
+ * \param X        The left-hand MPI. This must point to an initialized MPI.
+ * \param Y        The right-hand MPI. This must point to an initialized MPI.
  *
- * \return         1 if |X| is greater than |Y|,
- *                -1 if |X| is lesser  than |Y| or
- *                 0 if |X| is equal to |Y|
+ * \return         \c 1 if `|X|` is greater than `|Y|`.
+ * \return         \c -1 if `|X|` is lesser than `|Y|`.
+ * \return         \c 0 if `|X|` is equal to `|Y|`.
  */
 int mbedtls_mpi_cmp_abs( const mbedtls_mpi *X, const mbedtls_mpi *Y );
 
 /**
- * \brief          Compare signed values
+ * \brief          Compare two MPIs.
  *
- * \param X        Left-hand MPI
- * \param Y        Right-hand MPI
+ * \param X        The left-hand MPI. This must point to an initialized MPI.
+ * \param Y        The right-hand MPI. This must point to an initialized MPI.
  *
- * \return         1 if X is greater than Y,
- *                -1 if X is lesser  than Y or
- *                 0 if X is equal to Y
+ * \return         \c 1 if \p X is greater than \p Y.
+ * \return         \c -1 if \p X is lesser than \p Y.
+ * \return         \c 0 if \p X is equal to \p Y.
  */
 int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y );
 
 /**
- * \brief          Compare signed values
+ * \brief          Compare an MPI with an integer.
  *
- * \param X        Left-hand MPI
- * \param z        The integer value to compare to
+ * \param X        The left-hand MPI. This must point to an initialized MPI.
+ * \param z        The integer value to compare \p X to.
  *
- * \return         1 if X is greater than z,
- *                -1 if X is lesser  than z or
- *                 0 if X is equal to z
+ * \return         \c 1 if \p X is greater than \p z.
+ * \return         \c -1 if \p X is lesser than \p z.
+ * \return         \c 0 if \p X is equal to \p z.
  */
 int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z );
 
 /**
- * \brief          Unsigned addition: X = |A| + |B|
+ * \brief          Perform an unsigned addition of MPIs: X = |A| + |B|
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first summand. This must point to an initialized MPI.
+ * \param B        The second summand. This must point to an initialized MPI.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B );
+int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
 
 /**
- * \brief          Unsigned subtraction: X = |A| - |B|
+ * \brief          Perform an unsigned subtraction of MPIs: X = |A| - |B|
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The minuend. This must point to an initialized MPI.
+ * \param B        The subtrahend. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p B is greater than \p A.
+ * \return         Another negative error code on different kinds of failure.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_NEGATIVE_VALUE if B is greater than A
  */
-int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B );
+int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
 
 /**
- * \brief          Signed addition: X = A + B
+ * \brief          Perform a signed addition of MPIs: X = A + B
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first summand. This must point to an initialized MPI.
+ * \param B        The second summand. This must point to an initialized MPI.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B );
+int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
 
 /**
- * \brief          Signed subtraction: X = A - B
+ * \brief          Perform a signed subtraction of MPIs: X = A - B
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The minuend. This must point to an initialized MPI.
+ * \param B        The subtrahend. This must point to an initialized MPI.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B );
+int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
 
 /**
- * \brief          Signed addition: X = A + b
+ * \brief          Perform a signed addition of an MPI and an integer: X = A + b
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param b        The integer value to add
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first summand. This must point to an initialized MPI.
+ * \param b        The second summand.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b );
+int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         mbedtls_mpi_sint b );
 
 /**
- * \brief          Signed subtraction: X = A - b
+ * \brief          Perform a signed subtraction of an MPI and an integer:
+ *                 X = A - b
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param b        The integer value to subtract
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The minuend. This must point to an initialized MPI.
+ * \param b        The subtrahend.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b );
+int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         mbedtls_mpi_sint b );
 
 /**
- * \brief          Baseline multiplication: X = A * B
+ * \brief          Perform a multiplication of two MPIs: X = A * B
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first factor. This must point to an initialized MPI.
+ * \param B        The second factor. This must point to an initialized MPI.
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
  */
-int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B );
+int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
 
 /**
- * \brief          Baseline multiplication: X = A * b
+ * \brief          Perform a multiplication of an MPI with an unsigned integer:
+ *                 X = A * b
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param b        The unsigned integer value to multiply with
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first factor. This must point to an initialized MPI.
+ * \param b        The second factor.
  *
- * \note           b is unsigned
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
  */
-int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b );
+int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         mbedtls_mpi_uint b );
 
 /**
- * \brief          Division by mbedtls_mpi: A = Q * B + R
+ * \brief          Perform a division with remainder of two MPIs:
+ *                 A = Q * B + R
  *
- * \param Q        Destination MPI for the quotient
- * \param R        Destination MPI for the rest value
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
+ * \param Q        The destination MPI for the quotient.
+ *                 This may be \c NULL if the value of the
+ *                 quotient is not needed.
+ * \param R        The destination MPI for the remainder value.
+ *                 This may be \c NULL if the value of the
+ *                 remainder is not needed.
+ * \param A        The dividend. This must point to an initialized MPi.
+ * \param B        The divisor. This must point to an initialized MPI.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if B == 0
- *
- * \note           Either Q or R can be NULL.
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p B equals zero.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B );
+int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
 
 /**
- * \brief          Division by int: A = Q * b + R
- *
- * \param Q        Destination MPI for the quotient
- * \param R        Destination MPI for the rest value
- * \param A        Left-hand MPI
- * \param b        Integer to divide by
+ * \brief          Perform a division with remainder of an MPI by an integer:
+ *                 A = Q * b + R
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if b == 0
+ * \param Q        The destination MPI for the quotient.
+ *                 This may be \c NULL if the value of the
+ *                 quotient is not needed.
+ * \param R        The destination MPI for the remainder value.
+ *                 This may be \c NULL if the value of the
+ *                 remainder is not needed.
+ * \param A        The dividend. This must point to an initialized MPi.
+ * \param b        The divisor.
  *
- * \note           Either Q or R can be NULL.
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p b equals zero.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, mbedtls_mpi_sint b );
+int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+                         mbedtls_mpi_sint b );
 
 /**
- * \brief          Modulo: R = A mod B
+ * \brief          Perform a modular reduction. R = A mod B
  *
- * \param R        Destination MPI for the rest value
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
+ * \param R        The destination MPI for the residue value.
+ *                 This must point to an initialized MPI.
+ * \param A        The MPI to compute the residue of.
+ *                 This must point to an initialized MPI.
+ * \param B        The base of the modular reduction.
+ *                 This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p B equals zero.
+ * \return         #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p B is negative.
+ * \return         Another negative error code on different kinds of failure.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if B == 0,
- *                 MBEDTLS_ERR_MPI_NEGATIVE_VALUE if B < 0
  */
-int mbedtls_mpi_mod_mpi( mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B );
+int mbedtls_mpi_mod_mpi( mbedtls_mpi *R, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
 
 /**
- * \brief          Modulo: r = A mod b
+ * \brief          Perform a modular reduction with respect to an integer.
+ *                 r = A mod b
  *
- * \param r        Destination mbedtls_mpi_uint
- * \param A        Left-hand MPI
- * \param b        Integer to divide by
+ * \param r        The address at which to store the residue.
+ *                 This must not be \c NULL.
+ * \param A        The MPI to compute the residue of.
+ *                 This must point to an initialized MPi.
+ * \param b        The integer base of the modular reduction.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if b == 0,
- *                 MBEDTLS_ERR_MPI_NEGATIVE_VALUE if b < 0
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p b equals zero.
+ * \return         #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p b is negative.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b );
+int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A,
+                         mbedtls_mpi_sint b );
 
 /**
- * \brief          Sliding-window exponentiation: X = A^E mod N
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param E        Exponent MPI
- * \param N        Modular MPI
- * \param _RR      Speed-up MPI used for recalculations
+ * \brief          Perform a sliding-window exponentiation: X = A^E mod N
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_BAD_INPUT_DATA if N is negative or even or
- *                 if E is negative
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The base of the exponentiation.
+ *                 This must point to an initialized MPI.
+ * \param E        The exponent MPI. This must point to an initialized MPI.
+ * \param N        The base for the modular reduction. This must point to an
+ *                 initialized MPI.
+ * \param _RR      A helper MPI depending solely on \p N which can be used to
+ *                 speed-up multiple modular exponentiations for the same value
+ *                 of \p N. This may be \c NULL. If it is not \c NULL, it must
+ *                 point to an initialized MPI. If it hasn't been used after
+ *                 the call to mbedtls_mpi_init(), this function will compute
+ *                 the helper value and store it in \p _RR for reuse on
+ *                 subsequent calls to this function. Otherwise, the function
+ *                 will assume that \p _RR holds the helper value set by a
+ *                 previous call to mbedtls_mpi_exp_mod(), and reuse it.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \c N is negative or
+ *                 even, or if \c E is negative.
+ * \return         Another negative error code on different kinds of failures.
  *
- * \note           _RR is used to avoid re-computing R*R mod N across
- *                 multiple calls, which speeds up things a bit. It can
- *                 be set to NULL if the extra performance is unneeded.
  */
-int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *E, const mbedtls_mpi *N, mbedtls_mpi *_RR );
+int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *E, const mbedtls_mpi *N,
+                         mbedtls_mpi *_RR );
 
 /**
- * \brief          Fill an MPI X with size bytes of random
+ * \brief          Fill an MPI with a number of random bytes.
  *
- * \param X        Destination MPI
- * \param size     Size in bytes
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param size     The number of random bytes to generate.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG parameter to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng doesn't need a context argument.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on failure.
  *
- * \note           The bytes obtained from the PRNG are interpreted
+ * \note           The bytes obtained from the RNG are interpreted
  *                 as a big-endian representation of an MPI; this can
  *                 be relevant in applications like deterministic ECDSA.
  */
@@ -694,64 +821,135 @@ int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
                      void *p_rng );
 
 /**
- * \brief          Greatest common divisor: G = gcd(A, B)
- *
- * \param G        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
- */
-int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B );
-
-/**
- * \brief          Modular inverse: X = A^-1 mod N
+ * \brief          Compute the greatest common divisor: G = gcd(A, B)
  *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param N        Right-hand MPI
+ * \param G        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first operand. This must point to an initialized MPI.
+ * \param B        The second operand. This must point to an initialized MPI.
  *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_BAD_INPUT_DATA if N is <= 1,
-                   MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if A has no inverse mod N.
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
  */
-int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N );
+int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A,
+                     const mbedtls_mpi *B );
 
 /**
- * \brief          Miller-Rabin primality test
+ * \brief          Compute the modular inverse: X = A^-1 mod N
  *
- * \param X        MPI to check
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The MPI to calculate the modular inverse of. This must point
+ *                 to an initialized MPI.
+ * \param N        The base of the modular inversion. This must point to an
+ *                 initialized MPI.
  *
- * \return         0 if successful (probably prime),
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if X is not prime
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p N is less than
+ *                 or equal to one.
+ * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p has no modular inverse
+ *                 with respect to \p N.
  */
-int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
-                  int (*f_rng)(void *, unsigned char *, size_t),
-                  void *p_rng );
+int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *N );
 
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
 /**
- * \brief          Prime number generation
- *
- * \param X        Destination MPI
- * \param nbits    Required size of X in bits
- *                 ( 3 <= nbits <= MBEDTLS_MPI_MAX_BITS )
- * \param dh_flag  If 1, then (X-1)/2 will be prime too
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
- *
- * \return         0 if successful (probably prime),
- *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                 MBEDTLS_ERR_MPI_BAD_INPUT_DATA if nbits is < 3
- */
-int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int dh_flag,
+ * \brief          Perform a Miller-Rabin primality test with error
+ *                 probability of 2<sup>-80</sup>.
+ *
+ * \deprecated     Superseded by mbedtls_mpi_is_prime_ext() which allows
+ *                 specifying the number of Miller-Rabin rounds.
+ *
+ * \param X        The MPI to check for primality.
+ *                 This must point to an initialized MPI.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG parameter to be passed to \p f_rng.
+ *                 This may be \c NULL if \p f_rng doesn't use a
+ *                 context parameter.
+ *
+ * \return         \c 0 if successful, i.e. \p X is probably prime.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime.
+ * \return         Another negative error code on other kinds of failure.
+ */
+MBEDTLS_DEPRECATED int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
+                          int (*f_rng)(void *, unsigned char *, size_t),
+                          void *p_rng );
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Miller-Rabin primality test.
+ *
+ * \warning        If \p X is potentially generated by an adversary, for example
+ *                 when validating cryptographic parameters that you didn't
+ *                 generate yourself and that are supposed to be prime, then
+ *                 \p rounds should be at least the half of the security
+ *                 strength of the cryptographic algorithm. On the other hand,
+ *                 if \p X is chosen uniformly or non-adversially (as is the
+ *                 case when mbedtls_mpi_gen_prime calls this function), then
+ *                 \p rounds can be much lower.
+ *
+ * \param X        The MPI to check for primality.
+ *                 This must point to an initialized MPI.
+ * \param rounds   The number of bases to perform the Miller-Rabin primality
+ *                 test for. The probability of returning 0 on a composite is
+ *                 at most 2<sup>-2*\p rounds</sup>.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG parameter to be passed to \p f_rng.
+ *                 This may be \c NULL if \p f_rng doesn't use
+ *                 a context parameter.
+ *
+ * \return         \c 0 if successful, i.e. \p X is probably prime.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime.
+ * \return         Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_is_prime_ext( const mbedtls_mpi *X, int rounds,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng );
+/**
+ * \brief Flags for mbedtls_mpi_gen_prime()
+ *
+ * Each of these flags is a constraint on the result X returned by
+ * mbedtls_mpi_gen_prime().
+ */
+typedef enum {
+    MBEDTLS_MPI_GEN_PRIME_FLAG_DH =      0x0001, /**< (X-1)/2 is prime too */
+    MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR = 0x0002, /**< lower error rate from 2<sup>-80</sup> to 2<sup>-128</sup> */
+} mbedtls_mpi_gen_prime_flag_t;
+
+/**
+ * \brief          Generate a prime number.
+ *
+ * \param X        The destination MPI to store the generated prime in.
+ *                 This must point to an initialized MPi.
+ * \param nbits    The required size of the destination MPI in bits.
+ *                 This must be between \c 3 and #MBEDTLS_MPI_MAX_BITS.
+ * \param flags    A mask of flags of type #mbedtls_mpi_gen_prime_flag_t.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG parameter to be passed to \p f_rng.
+ *                 This may be \c NULL if \p f_rng doesn't use
+ *                 a context parameter.
+ *
+ * \return         \c 0 if successful, in which case \p X holds a
+ *                 probably prime number.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if `nbits` is not between
+ *                 \c 3 and #MBEDTLS_MPI_MAX_BITS.
+ */
+int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int flags,
                    int (*f_rng)(void *, unsigned char *, size_t),
                    void *p_rng );
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          Checkup routine
  *
@@ -759,6 +957,8 @@ int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int dh_flag,
  */
 int mbedtls_mpi_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/blowfish.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/blowfish.h
index c0ef5a04cc..f01573dcaf 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/blowfish.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/blowfish.h
@@ -33,6 +33,8 @@
 #include <stddef.h>
 #include <stdint.h>
 
+#include "platform_util.h"
+
 #define MBEDTLS_BLOWFISH_ENCRYPT     1
 #define MBEDTLS_BLOWFISH_DECRYPT     0
 #define MBEDTLS_BLOWFISH_MAX_KEY_BITS     448
@@ -40,63 +42,87 @@
 #define MBEDTLS_BLOWFISH_ROUNDS      16         /**< Rounds to use. When increasing this value, make sure to extend the initialisation vectors */
 #define MBEDTLS_BLOWFISH_BLOCKSIZE   8          /* Blowfish uses 64 bit blocks */
 
-#define MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH                -0x0016  /**< Invalid key length. */
-#define MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED                   -0x0017  /**< Blowfish hardware accelerator failed. */
-#define MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH              -0x0018  /**< Invalid data input length. */
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x0016 )
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#define MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA -0x0016 /**< Bad input data. */
 
-#if !defined(MBEDTLS_BLOWFISH_ALT)
-// Regular implementation
-//
+#define MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH -0x0018 /**< Invalid data input length. */
+
+/* MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED                   -0x0017  /**< Blowfish hardware accelerator failed. */
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_BLOWFISH_ALT)
+// Regular implementation
+//
+
 /**
  * \brief          Blowfish context structure
  */
-typedef struct
+typedef struct mbedtls_blowfish_context
 {
     uint32_t P[MBEDTLS_BLOWFISH_ROUNDS + 2];    /*!<  Blowfish round keys    */
     uint32_t S[4][256];                 /*!<  key dependent S-boxes  */
 }
 mbedtls_blowfish_context;
 
+#else  /* MBEDTLS_BLOWFISH_ALT */
+#include "blowfish_alt.h"
+#endif /* MBEDTLS_BLOWFISH_ALT */
+
 /**
- * \brief          Initialize Blowfish context
+ * \brief          Initialize a Blowfish context.
  *
- * \param ctx      Blowfish context to be initialized
+ * \param ctx      The Blowfish context to be initialized.
+ *                 This must not be \c NULL.
  */
 void mbedtls_blowfish_init( mbedtls_blowfish_context *ctx );
 
 /**
- * \brief          Clear Blowfish context
+ * \brief          Clear a Blowfish context.
  *
- * \param ctx      Blowfish context to be cleared
+ * \param ctx      The Blowfish context to be cleared.
+ *                 This may be \c NULL, in which case this function
+ *                 returns immediately. If it is not \c NULL, it must
+ *                 point to an initialized Blowfish context.
  */
 void mbedtls_blowfish_free( mbedtls_blowfish_context *ctx );
 
 /**
- * \brief          Blowfish key schedule
+ * \brief          Perform a Blowfish key schedule operation.
  *
- * \param ctx      Blowfish context to be initialized
- * \param key      encryption key
- * \param keybits  must be between 32 and 448 bits
+ * \param ctx      The Blowfish context to perform the key schedule on.
+ * \param key      The encryption key. This must be a readable buffer of
+ *                 length \p keybits Bits.
+ * \param keybits  The length of \p key in Bits. This must be between
+ *                 \c 32 and \c 448 and a multiple of \c 8.
  *
- * \return         0 if successful, or MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
 int mbedtls_blowfish_setkey( mbedtls_blowfish_context *ctx, const unsigned char *key,
                      unsigned int keybits );
 
 /**
- * \brief          Blowfish-ECB block encryption/decryption
+ * \brief          Perform a Blowfish-ECB block encryption/decryption operation.
  *
- * \param ctx      Blowfish context
- * \param mode     MBEDTLS_BLOWFISH_ENCRYPT or MBEDTLS_BLOWFISH_DECRYPT
- * \param input    8-byte input block
- * \param output   8-byte output block
+ * \param ctx      The Blowfish context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. Possible values are
+ *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param input    The input block. This must be a readable buffer
+ *                 of size \c 8 Bytes.
+ * \param output   The output block. This must be a writable buffer
+ *                 of size \c 8 Bytes.
  *
- * \return         0 if successful
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
 int mbedtls_blowfish_crypt_ecb( mbedtls_blowfish_context *ctx,
                         int mode,
@@ -105,9 +131,7 @@ int mbedtls_blowfish_crypt_ecb( mbedtls_blowfish_context *ctx,
 
 #if defined(MBEDTLS_CIPHER_MODE_CBC)
 /**
- * \brief          Blowfish-CBC buffer encryption/decryption
- *                 Length should be a multiple of the block
- *                 size (8 bytes)
+ * \brief          Perform a Blowfish-CBC buffer encryption/decryption operation.
  *
  * \note           Upon exit, the content of the IV is updated so that you can
  *                 call the function same function again on the following
@@ -117,15 +141,22 @@ int mbedtls_blowfish_crypt_ecb( mbedtls_blowfish_context *ctx,
  *                 IV, you should either save it manually or use the cipher
  *                 module instead.
  *
- * \param ctx      Blowfish context
- * \param mode     MBEDTLS_BLOWFISH_ENCRYPT or MBEDTLS_BLOWFISH_DECRYPT
- * \param length   length of the input data
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
+ * \param ctx      The Blowfish context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. Possible values are
+ *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param length   The length of the input data in Bytes. This must be
+ *                 multiple of \c 8.
+ * \param iv       The initialization vector. This must be a read/write buffer
+ *                 of length \c 8 Bytes. It is updated by this function.
+ * \param input    The input data. This must be a readable buffer of length
+ *                 \p length Bytes.
+ * \param output   The output data. This must be a writable buffer of length
+ *                 \p length Bytes.
  *
- * \return         0 if successful, or
- *                 MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
 int mbedtls_blowfish_crypt_cbc( mbedtls_blowfish_context *ctx,
                         int mode,
@@ -137,7 +168,7 @@ int mbedtls_blowfish_crypt_cbc( mbedtls_blowfish_context *ctx,
 
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
 /**
- * \brief          Blowfish CFB buffer encryption/decryption.
+ * \brief          Perform a Blowfish CFB buffer encryption/decryption operation.
  *
  * \note           Upon exit, the content of the IV is updated so that you can
  *                 call the function same function again on the following
@@ -147,15 +178,25 @@ int mbedtls_blowfish_crypt_cbc( mbedtls_blowfish_context *ctx,
  *                 IV, you should either save it manually or use the cipher
  *                 module instead.
  *
- * \param ctx      Blowfish context
- * \param mode     MBEDTLS_BLOWFISH_ENCRYPT or MBEDTLS_BLOWFISH_DECRYPT
- * \param length   length of the input data
- * \param iv_off   offset in IV (updated after use)
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
+ * \param ctx      The Blowfish context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. Possible values are
+ *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param length   The length of the input data in Bytes.
+ * \param iv_off   The offset in the initialiation vector.
+ *                 The value pointed to must be smaller than \c 8 Bytes.
+ *                 It is updated by this function to support the aforementioned
+ *                 streaming usage.
+ * \param iv       The initialization vector. This must be a read/write buffer
+ *                 of size \c 8 Bytes. It is updated after use.
+ * \param input    The input data. This must be a readable buffer of length
+ *                 \p length Bytes.
+ * \param output   The output data. This must be a writable buffer of length
+ *                 \p length Bytes.
  *
- * \return         0 if successful
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
 int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx,
                           int mode,
@@ -168,22 +209,67 @@ int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx,
 
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
 /**
- * \brief               Blowfish-CTR buffer encryption/decryption
+ * \brief      Perform a Blowfish-CTR buffer encryption/decryption operation.
+ *
+ * \warning    You must never reuse a nonce value with the same key. Doing so
+ *             would void the encryption for the two messages encrypted with
+ *             the same nonce and key.
+ *
+ *             There are two common strategies for managing nonces with CTR:
+ *
+ *             1. You can handle everything as a single message processed over
+ *             successive calls to this function. In that case, you want to
+ *             set \p nonce_counter and \p nc_off to 0 for the first call, and
+ *             then preserve the values of \p nonce_counter, \p nc_off and \p
+ *             stream_block across calls to this function as they will be
+ *             updated by this function.
+ *
+ *             With this strategy, you must not encrypt more than 2**64
+ *             blocks of data with the same key.
+ *
+ *             2. You can encrypt separate messages by dividing the \p
+ *             nonce_counter buffer in two areas: the first one used for a
+ *             per-message nonce, handled by yourself, and the second one
+ *             updated by this function internally.
+ *
+ *             For example, you might reserve the first 4 bytes for the
+ *             per-message nonce, and the last 4 bytes for internal use. In that
+ *             case, before calling this function on a new message you need to
+ *             set the first 4 bytes of \p nonce_counter to your chosen nonce
+ *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
+ *             stream_block to be ignored). That way, you can encrypt at most
+ *             2**32 messages of up to 2**32 blocks each with the same key.
  *
- * Warning: You have to keep the maximum use of your counter in mind!
+ *             The per-message nonce (or information sufficient to reconstruct
+ *             it) needs to be communicated with the ciphertext and must be unique.
+ *             The recommended way to ensure uniqueness is to use a message
+ *             counter.
  *
- * \param ctx           Blowfish context
- * \param length        The length of the data
+ *             Note that for both stategies, sizes are measured in blocks and
+ *             that a Blowfish block is 8 bytes.
+ *
+ * \warning    Upon return, \p stream_block contains sensitive data. Its
+ *             content must not be written to insecure storage and should be
+ *             securely discarded as soon as it's no longer needed.
+ *
+ * \param ctx           The Blowfish context to use. This must be initialized
+ *                      and bound to a key.
+ * \param length        The length of the input data in Bytes.
  * \param nc_off        The offset in the current stream_block (for resuming
- *                      within current cipher stream). The offset pointer to
- *                      should be 0 at the start of a stream.
- * \param nonce_counter The 64-bit nonce and counter.
- * \param stream_block  The saved stream-block for resuming. Is overwritten
- *                      by the function.
- * \param input         The input data stream
- * \param output        The output data stream
- *
- * \return         0 if successful
+ *                      within current cipher stream). The offset pointer
+ *                      should be \c 0 at the start of a stream and must be
+ *                      smaller than \c 8. It is updated by this function.
+ * \param nonce_counter The 64-bit nonce and counter. This must point to a
+ *                      read/write buffer of length \c 8 Bytes.
+ * \param stream_block  The saved stream-block for resuming. This must point to
+ *                      a read/write buffer of length \c 8 Bytes.
+ * \param input         The input data. This must be a readable buffer of
+ *                      length \p length Bytes.
+ * \param output        The output data. This must be a writable buffer of
+ *                      length \p length Bytes.
+ *
+ * \return              \c 0 if successful.
+ * \return              A negative error code on failure.
  */
 int mbedtls_blowfish_crypt_ctr( mbedtls_blowfish_context *ctx,
                         size_t length,
@@ -198,8 +284,4 @@ int mbedtls_blowfish_crypt_ctr( mbedtls_blowfish_context *ctx,
 }
 #endif
 
-#else  /* MBEDTLS_BLOWFISH_ALT */
-#include "blowfish_alt.h"
-#endif /* MBEDTLS_BLOWFISH_ALT */
-
 #endif /* blowfish.h */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/bn_mul.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/bn_mul.h
index 3a254aae9d..c33bd8d4ab 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/bn_mul.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/bn_mul.h
@@ -571,9 +571,8 @@
 #endif /* TriCore */
 
 /*
- * gcc -O0 by default uses r7 for the frame pointer, so it complains about our
- * use of r7 below, unless -fomit-frame-pointer is passed. Unfortunately,
- * passing that option is not easy when building with yotta.
+ * Note, gcc -O0 by default uses r7 for the frame pointer, so it complains about
+ * our use of r7 below, unless -fomit-frame-pointer is passed.
  *
  * On the other hand, -fomit-frame-pointer is implied by any -Ox options with
  * x !=0, which we can detect using __OPTIMIZE__ (which is also defined by
@@ -643,6 +642,23 @@
            "r6", "r7", "r8", "r9", "cc"         \
          );
 
+#elif defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1)
+
+#define MULADDC_INIT                            \
+    asm(
+
+#define MULADDC_CORE                            \
+            "ldr    r0, [%0], #4        \n\t"   \
+            "ldr    r1, [%1]            \n\t"   \
+            "umaal  r1, %2, %3, r0      \n\t"   \
+            "str    r1, [%1], #4        \n\t"
+
+#define MULADDC_STOP                            \
+         : "=r" (s),  "=r" (d), "=r" (c)        \
+         : "r" (b), "0" (s), "1" (d), "2" (c)   \
+         : "r0", "r1", "memory"                 \
+         );
+
 #else
 
 #define MULADDC_INIT                                    \
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/camellia.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/camellia.h
index cf07629d9b..3eeb66366d 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/camellia.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/camellia.h
@@ -33,78 +33,107 @@
 #include <stddef.h>
 #include <stdint.h>
 
+#include "platform_util.h"
+
 #define MBEDTLS_CAMELLIA_ENCRYPT     1
 #define MBEDTLS_CAMELLIA_DECRYPT     0
 
-#define MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH           -0x0024  /**< Invalid key length. */
-#define MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH         -0x0026  /**< Invalid data input length. */
-#define MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED              -0x0027  /**< Camellia hardware accelerator failed. */
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x0024 )
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#define MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA -0x0024 /**< Bad input data. */
 
-#if !defined(MBEDTLS_CAMELLIA_ALT)
-// Regular implementation
-//
+#define MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH -0x0026 /**< Invalid data input length. */
+
+/* MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED              -0x0027  /**< Camellia hardware accelerator failed. */
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_CAMELLIA_ALT)
+// Regular implementation
+//
+
 /**
  * \brief          CAMELLIA context structure
  */
-typedef struct
+typedef struct mbedtls_camellia_context
 {
     int nr;                     /*!<  number of rounds  */
     uint32_t rk[68];            /*!<  CAMELLIA round keys    */
 }
 mbedtls_camellia_context;
 
+#else  /* MBEDTLS_CAMELLIA_ALT */
+#include "camellia_alt.h"
+#endif /* MBEDTLS_CAMELLIA_ALT */
+
 /**
- * \brief          Initialize CAMELLIA context
+ * \brief          Initialize a CAMELLIA context.
  *
- * \param ctx      CAMELLIA context to be initialized
+ * \param ctx      The CAMELLIA context to be initialized.
+ *                 This must not be \c NULL.
  */
 void mbedtls_camellia_init( mbedtls_camellia_context *ctx );
 
 /**
- * \brief          Clear CAMELLIA context
+ * \brief          Clear a CAMELLIA context.
  *
- * \param ctx      CAMELLIA context to be cleared
+ * \param ctx      The CAMELLIA context to be cleared. This may be \c NULL,
+ *                 in which case this function returns immediately. If it is not
+ *                 \c NULL, it must be initialized.
  */
 void mbedtls_camellia_free( mbedtls_camellia_context *ctx );
 
 /**
- * \brief          CAMELLIA key schedule (encryption)
+ * \brief          Perform a CAMELLIA key schedule operation for encryption.
  *
- * \param ctx      CAMELLIA context to be initialized
- * \param key      encryption key
- * \param keybits  must be 128, 192 or 256
+ * \param ctx      The CAMELLIA context to use. This must be initialized.
+ * \param key      The encryption key to use. This must be a readable buffer
+ *                 of size \p keybits Bits.
+ * \param keybits  The length of \p key in Bits. This must be either \c 128,
+ *                 \c 192 or \c 256.
  *
- * \return         0 if successful, or MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
-int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, const unsigned char *key,
-                         unsigned int keybits );
+int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
+                                 const unsigned char *key,
+                                 unsigned int keybits );
 
 /**
- * \brief          CAMELLIA key schedule (decryption)
+ * \brief          Perform a CAMELLIA key schedule operation for decryption.
  *
- * \param ctx      CAMELLIA context to be initialized
- * \param key      decryption key
- * \param keybits  must be 128, 192 or 256
+ * \param ctx      The CAMELLIA context to use. This must be initialized.
+ * \param key      The decryption key. This must be a readable buffer
+ *                 of size \p keybits Bits.
+ * \param keybits  The length of \p key in Bits. This must be either \c 128,
+ *                 \c 192 or \c 256.
  *
- * \return         0 if successful, or MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
-int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx, const unsigned char *key,
-                         unsigned int keybits );
+int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
+                                 const unsigned char *key,
+                                 unsigned int keybits );
 
 /**
- * \brief          CAMELLIA-ECB block encryption/decryption
+ * \brief          Perform a CAMELLIA-ECB block encryption/decryption operation.
  *
- * \param ctx      CAMELLIA context
- * \param mode     MBEDTLS_CAMELLIA_ENCRYPT or MBEDTLS_CAMELLIA_DECRYPT
- * \param input    16-byte input block
- * \param output   16-byte output block
+ * \param ctx      The CAMELLIA context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param input    The input block. This must be a readable buffer
+ *                 of size \c 16 Bytes.
+ * \param output   The output block. This must be a writable buffer
+ *                 of size \c 16 Bytes.
  *
- * \return         0 if successful
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
 int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
                     int mode,
@@ -113,9 +142,7 @@ int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
 
 #if defined(MBEDTLS_CIPHER_MODE_CBC)
 /**
- * \brief          CAMELLIA-CBC buffer encryption/decryption
- *                 Length should be a multiple of the block
- *                 size (16 bytes)
+ * \brief          Perform a CAMELLIA-CBC buffer encryption/decryption operation.
  *
  * \note           Upon exit, the content of the IV is updated so that you can
  *                 call the function same function again on the following
@@ -125,15 +152,22 @@ int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
  *                 IV, you should either save it manually or use the cipher
  *                 module instead.
  *
- * \param ctx      CAMELLIA context
- * \param mode     MBEDTLS_CAMELLIA_ENCRYPT or MBEDTLS_CAMELLIA_DECRYPT
- * \param length   length of the input data
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
+ * \param ctx      The CAMELLIA context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param length   The length in Bytes of the input data \p input.
+ *                 This must be a multiple of \c 16 Bytes.
+ * \param iv       The initialization vector. This must be a read/write buffer
+ *                 of length \c 16 Bytes. It is updated to allow streaming
+ *                 use as explained above.
+ * \param input    The buffer holding the input data. This must point to a
+ *                 readable buffer of length \p length Bytes.
+ * \param output   The buffer holding the output data. This must point to a
+ *                 writable buffer of length \p length Bytes.
  *
- * \return         0 if successful, or
- *                 MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
                     int mode,
@@ -145,11 +179,14 @@ int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
 
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
 /**
- * \brief          CAMELLIA-CFB128 buffer encryption/decryption
+ * \brief          Perform a CAMELLIA-CFB128 buffer encryption/decryption
+ *                 operation.
  *
- * Note: Due to the nature of CFB you should use the same key schedule for
- * both encryption and decryption. So a context initialized with
- * mbedtls_camellia_setkey_enc() for both MBEDTLS_CAMELLIA_ENCRYPT and CAMELLIE_DECRYPT.
+ * \note           Due to the nature of CFB mode, you should use the same
+ *                 key for both encryption and decryption. In particular, calls
+ *                 to this function should be preceded by a key-schedule via
+ *                 mbedtls_camellia_setkey_enc() regardless of whether \p mode
+ *                 is #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
  *
  * \note           Upon exit, the content of the IV is updated so that you can
  *                 call the function same function again on the following
@@ -159,16 +196,24 @@ int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
  *                 IV, you should either save it manually or use the cipher
  *                 module instead.
  *
- * \param ctx      CAMELLIA context
- * \param mode     MBEDTLS_CAMELLIA_ENCRYPT or MBEDTLS_CAMELLIA_DECRYPT
- * \param length   length of the input data
- * \param iv_off   offset in IV (updated after use)
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
+ * \param ctx      The CAMELLIA context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param length   The length of the input data \p input. Any value is allowed.
+ * \param iv_off   The current offset in the IV. This must be smaller
+ *                 than \c 16 Bytes. It is updated after this call to allow
+ *                 the aforementioned streaming usage.
+ * \param iv       The initialization vector. This must be a read/write buffer
+ *                 of length \c 16 Bytes. It is updated after this call to
+ *                 allow the aforementioned streaming usage.
+ * \param input    The buffer holding the input data. This must be a readable
+ *                 buffer of size \p length Bytes.
+ * \param output   The buffer to hold the output data. This must be a writable
+ *                 buffer of length \p length Bytes.
  *
- * \return         0 if successful, or
- *                 MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
  */
 int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
                        int mode,
@@ -181,26 +226,78 @@ int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
 
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
 /**
- * \brief               CAMELLIA-CTR buffer encryption/decryption
+ * \brief      Perform a CAMELLIA-CTR buffer encryption/decryption operation.
+ *
+ * *note       Due to the nature of CTR mode, you should use the same
+ *             key for both encryption and decryption. In particular, calls
+ *             to this function should be preceded by a key-schedule via
+ *             mbedtls_camellia_setkey_enc() regardless of whether \p mode
+ *             is #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ *
+ * \warning    You must never reuse a nonce value with the same key. Doing so
+ *             would void the encryption for the two messages encrypted with
+ *             the same nonce and key.
+ *
+ *             There are two common strategies for managing nonces with CTR:
  *
- * Warning: You have to keep the maximum use of your counter in mind!
+ *             1. You can handle everything as a single message processed over
+ *             successive calls to this function. In that case, you want to
+ *             set \p nonce_counter and \p nc_off to 0 for the first call, and
+ *             then preserve the values of \p nonce_counter, \p nc_off and \p
+ *             stream_block across calls to this function as they will be
+ *             updated by this function.
  *
- * Note: Due to the nature of CTR you should use the same key schedule for
- * both encryption and decryption. So a context initialized with
- * mbedtls_camellia_setkey_enc() for both MBEDTLS_CAMELLIA_ENCRYPT and MBEDTLS_CAMELLIA_DECRYPT.
+ *             With this strategy, you must not encrypt more than 2**128
+ *             blocks of data with the same key.
  *
- * \param ctx           CAMELLIA context
- * \param length        The length of the data
- * \param nc_off        The offset in the current stream_block (for resuming
+ *             2. You can encrypt separate messages by dividing the \p
+ *             nonce_counter buffer in two areas: the first one used for a
+ *             per-message nonce, handled by yourself, and the second one
+ *             updated by this function internally.
+ *
+ *             For example, you might reserve the first \c 12 Bytes for the
+ *             per-message nonce, and the last \c 4 Bytes for internal use.
+ *             In that case, before calling this function on a new message you
+ *             need to set the first \c 12 Bytes of \p nonce_counter to your
+ *             chosen nonce value, the last four to \c 0, and \p nc_off to \c 0
+ *             (which will cause \p stream_block to be ignored). That way, you
+ *             can encrypt at most \c 2**96 messages of up to \c 2**32 blocks
+ *             each  with the same key.
+ *
+ *             The per-message nonce (or information sufficient to reconstruct
+ *             it) needs to be communicated with the ciphertext and must be
+ *             unique. The recommended way to ensure uniqueness is to use a
+ *             message counter. An alternative is to generate random nonces,
+ *             but this limits the number of messages that can be securely
+ *             encrypted: for example, with 96-bit random nonces, you should
+ *             not encrypt more than 2**32 messages with the same key.
+ *
+ *             Note that for both stategies, sizes are measured in blocks and
+ *             that a CAMELLIA block is \c 16 Bytes.
+ *
+ * \warning    Upon return, \p stream_block contains sensitive data. Its
+ *             content must not be written to insecure storage and should be
+ *             securely discarded as soon as it's no longer needed.
+ *
+ * \param ctx           The CAMELLIA context to use. This must be initialized
+ *                      and bound to a key.
+ * \param length        The length of the input data \p input in Bytes.
+ *                      Any value is allowed.
+ * \param nc_off        The offset in the current \p stream_block (for resuming
  *                      within current cipher stream). The offset pointer to
- *                      should be 0 at the start of a stream.
- * \param nonce_counter The 128-bit nonce and counter.
- * \param stream_block  The saved stream-block for resuming. Is overwritten
- *                      by the function.
- * \param input         The input data stream
- * \param output        The output data stream
- *
- * \return         0 if successful
+ *                      should be \c 0 at the start of a stream. It is updated
+ *                      at the end of this call.
+ * \param nonce_counter The 128-bit nonce and counter. This must be a read/write
+ *                      buffer of length \c 16 Bytes.
+ * \param stream_block  The saved stream-block for resuming. This must be a
+ *                      read/write buffer of length \c 16 Bytes.
+ * \param input         The input data stream. This must be a readable buffer of
+ *                      size \p length Bytes.
+ * \param output        The output data stream. This must be a writable buffer
+ *                      of size \p length Bytes.
+ *
+ * \return              \c 0 if successful.
+ * \return              A negative error code on failure.
  */
 int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
                        size_t length,
@@ -211,17 +308,7 @@ int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
                        unsigned char *output );
 #endif /* MBEDTLS_CIPHER_MODE_CTR */
 
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* MBEDTLS_CAMELLIA_ALT */
-#include "camellia_alt.h"
-#endif /* MBEDTLS_CAMELLIA_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
+#if defined(MBEDTLS_SELF_TEST)
 
 /**
  * \brief          Checkup routine
@@ -230,6 +317,8 @@ extern "C" {
  */
 int mbedtls_camellia_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ccm.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ccm.h
index e311e751d5..f03e3b580e 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ccm.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ccm.h
@@ -1,8 +1,11 @@
 /**
  * \file ccm.h
  *
- * \brief CCM combines Counter mode encryption with CBC-MAC authentication
- *        for 128-bit block ciphers.
+ * \brief This file provides an API for the CCM authenticated encryption
+ *        mode for block ciphers.
+ *
+ * CCM combines Counter mode encryption with CBC-MAC authentication
+ * for 128-bit block ciphers.
  *
  * Input to CCM includes the following elements:
  * <ul><li>Payload - data that is both authenticated and encrypted.</li>
@@ -11,6 +14,18 @@
  * <li>Nonce - A unique value that is assigned to the payload and the
  * associated data.</li></ul>
  *
+ * Definition of CCM:
+ * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
+ * RFC 3610 "Counter with CBC-MAC (CCM)"
+ *
+ * Related:
+ * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
+ *
+ * Definition of CCM*:
+ * IEEE 802.15.4 - IEEE Standard for Local and metropolitan area networks
+ * Integer representation is fixed most-significant-octet-first order and
+ * the representation of octets is most-significant-bit-first order. This is
+ * consistent with RFC 3610.
  */
 /*
  *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
@@ -44,31 +59,38 @@
 
 #define MBEDTLS_ERR_CCM_BAD_INPUT       -0x000D /**< Bad input parameters to the function. */
 #define MBEDTLS_ERR_CCM_AUTH_FAILED     -0x000F /**< Authenticated decryption failed. */
-#define MBEDTLS_ERR_CCM_HW_ACCEL_FAILED -0x0011 /**< CCM hardware accelerator failed. */
 
-#if !defined(MBEDTLS_CCM_ALT)
-// Regular implementation
-//
+/* MBEDTLS_ERR_CCM_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_CCM_HW_ACCEL_FAILED -0x0011 /**< CCM hardware accelerator failed. */
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_CCM_ALT)
+// Regular implementation
+//
+
 /**
  * \brief    The CCM context-type definition. The CCM context is passed
  *           to the APIs called.
  */
-typedef struct {
+typedef struct mbedtls_ccm_context
+{
     mbedtls_cipher_context_t cipher_ctx;    /*!< The cipher context used. */
 }
 mbedtls_ccm_context;
 
+#else  /* MBEDTLS_CCM_ALT */
+#include "ccm_alt.h"
+#endif /* MBEDTLS_CCM_ALT */
+
 /**
  * \brief           This function initializes the specified CCM context,
  *                  to make references valid, and prepare the context
  *                  for mbedtls_ccm_setkey() or mbedtls_ccm_free().
  *
- * \param ctx       The CCM context to initialize.
+ * \param ctx       The CCM context to initialize. This must not be \c NULL.
  */
 void mbedtls_ccm_init( mbedtls_ccm_context *ctx );
 
@@ -76,12 +98,14 @@ void mbedtls_ccm_init( mbedtls_ccm_context *ctx );
  * \brief           This function initializes the CCM context set in the
  *                  \p ctx parameter and sets the encryption key.
  *
- * \param ctx       The CCM context to initialize.
+ * \param ctx       The CCM context to initialize. This must be an initialized
+ *                  context.
  * \param cipher    The 128-bit block cipher to use.
- * \param key       The encryption key.
+ * \param key       The encryption key. This must not be \c NULL.
  * \param keybits   The key size in bits. This must be acceptable by the cipher.
  *
- * \return          \c 0 on success, or a cipher-specific error code.
+ * \return          \c 0 on success.
+ * \return          A CCM or cipher-specific error code on failure.
  */
 int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
                         mbedtls_cipher_id_t cipher,
@@ -92,36 +116,96 @@ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
  * \brief   This function releases and clears the specified CCM context
  *          and underlying cipher sub-context.
  *
- * \param ctx       The CCM context to clear.
+ * \param ctx       The CCM context to clear. If this is \c NULL, the function
+ *                  has no effect. Otherwise, this must be initialized.
  */
 void mbedtls_ccm_free( mbedtls_ccm_context *ctx );
 
 /**
  * \brief           This function encrypts a buffer using CCM.
  *
- * \param ctx       The CCM context to use for encryption.
+ * \note            The tag is written to a separate buffer. To concatenate
+ *                  the \p tag with the \p output, as done in <em>RFC-3610:
+ *                  Counter with CBC-MAC (CCM)</em>, use
+ *                  \p tag = \p output + \p length, and make sure that the
+ *                  output buffer is at least \p length + \p tag_len wide.
+ *
+ * \param ctx       The CCM context to use for encryption. This must be
+ *                  initialized and bound to a key.
  * \param length    The length of the input data in Bytes.
- * \param iv        Initialization vector (nonce).
- * \param iv_len    The length of the IV in Bytes: 7, 8, 9, 10, 11, 12, or 13.
- * \param add       The additional data field.
+ * \param iv        The initialization vector (nonce). This must be a readable
+ *                  buffer of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ * \param add       The additional data field. If \p add_len is greater than
+ *                  zero, \p add must be a readable buffer of at least that
+ *                  length.
  * \param add_len   The length of additional data in Bytes.
- *                  Must be less than 2^16 - 2^8.
- * \param input     The buffer holding the input data.
- * \param output    The buffer holding the output data.
- *                  Must be at least \p length Bytes wide.
- * \param tag       The buffer holding the tag.
- * \param tag_len   The length of the tag to generate in Bytes:
+ *                  This must be less than `2^16 - 2^8`.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, \p input must be a readable buffer of at least
+ *                  that length.
+ * \param output    The buffer holding the output data. If \p length is greater
+ *                  than zero, \p output must be a writable buffer of at least
+ *                  that length.
+ * \param tag       The buffer holding the authentication field. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the authentication field to generate in Bytes:
  *                  4, 6, 8, 10, 12, 14 or 16.
  *
+ * \return          \c 0 on success.
+ * \return          A CCM or cipher-specific error code on failure.
+ */
+int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *add, size_t add_len,
+                         const unsigned char *input, unsigned char *output,
+                         unsigned char *tag, size_t tag_len );
+
+/**
+ * \brief           This function encrypts a buffer using CCM*.
+ *
  * \note            The tag is written to a separate buffer. To concatenate
  *                  the \p tag with the \p output, as done in <em>RFC-3610:
  *                  Counter with CBC-MAC (CCM)</em>, use
  *                  \p tag = \p output + \p length, and make sure that the
  *                  output buffer is at least \p length + \p tag_len wide.
  *
+ * \note            When using this function in a variable tag length context,
+ *                  the tag length has to be encoded into the \p iv passed to
+ *                  this function.
+ *
+ * \param ctx       The CCM context to use for encryption. This must be
+ *                  initialized and bound to a key.
+ * \param length    The length of the input data in Bytes.
+ * \param iv        The initialization vector (nonce). This must be a readable
+ *                  buffer of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ * \param add       The additional data field. This must be a readable buffer of
+ *                  at least \p add_len Bytes.
+ * \param add_len   The length of additional data in Bytes.
+ *                  This must be less than 2^16 - 2^8.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, \p input must be a readable buffer of at least
+ *                  that length.
+ * \param output    The buffer holding the output data. If \p length is greater
+ *                  than zero, \p output must be a writable buffer of at least
+ *                  that length.
+ * \param tag       The buffer holding the authentication field. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the authentication field to generate in Bytes:
+ *                  0, 4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \warning         Passing \c 0 as \p tag_len means that the message is no
+ *                  longer authenticated.
+ *
  * \return          \c 0 on success.
+ * \return          A CCM or cipher-specific error code on failure.
  */
-int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
                          const unsigned char *iv, size_t iv_len,
                          const unsigned char *add, size_t add_len,
                          const unsigned char *input, unsigned char *output,
@@ -131,22 +215,32 @@ int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
  * \brief           This function performs a CCM authenticated decryption of a
  *                  buffer.
  *
- * \param ctx       The CCM context to use for decryption.
+ * \param ctx       The CCM context to use for decryption. This must be
+ *                  initialized and bound to a key.
  * \param length    The length of the input data in Bytes.
- * \param iv        Initialization vector.
- * \param iv_len    The length of the IV in Bytes: 7, 8, 9, 10, 11, 12, or 13.
- * \param add       The additional data field.
+ * \param iv        The initialization vector (nonce). This must be a readable
+ *                  buffer of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ * \param add       The additional data field. This must be a readable buffer
+ *                  of at least that \p add_len Bytes..
  * \param add_len   The length of additional data in Bytes.
- *                  Must be less than 2^16 - 2^8.
- * \param input     The buffer holding the input data.
- * \param output    The buffer holding the output data.
- *                  Must be at least \p length Bytes wide.
- * \param tag       The buffer holding the tag.
- * \param tag_len   The length of the tag in Bytes.
+ *                  This must be less than 2^16 - 2^8.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, \p input must be a readable buffer of at least
+ *                  that length.
+ * \param output    The buffer holding the output data. If \p length is greater
+ *                  than zero, \p output must be a writable buffer of at least
+ *                  that length.
+ * \param tag       The buffer holding the authentication field. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the authentication field to generate in Bytes:
  *                  4, 6, 8, 10, 12, 14 or 16.
  *
- * \return          0 if successful and authenticated, or
- *                  #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
+ * \return          \c 0 on success. This indicates that the message is authentic.
+ * \return          #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
+ * \return          A cipher-specific error code on calculation failure.
  */
 int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
                       const unsigned char *iv, size_t iv_len,
@@ -154,23 +248,57 @@ int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
                       const unsigned char *input, unsigned char *output,
                       const unsigned char *tag, size_t tag_len );
 
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* MBEDTLS_CCM_ALT */
-#include "ccm_alt.h"
-#endif /* MBEDTLS_CCM_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
+/**
+ * \brief           This function performs a CCM* authenticated decryption of a
+ *                  buffer.
+ *
+ * \note            When using this function in a variable tag length context,
+ *                  the tag length has to be decoded from \p iv and passed to
+ *                  this function as \p tag_len. (\p tag needs to be adjusted
+ *                  accordingly.)
+ *
+ * \param ctx       The CCM context to use for decryption. This must be
+ *                  initialized and bound to a key.
+ * \param length    The length of the input data in Bytes.
+ * \param iv        The initialization vector (nonce). This must be a readable
+ *                  buffer of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ * \param add       The additional data field. This must be a readable buffer of
+ *                  at least that \p add_len Bytes.
+ * \param add_len   The length of additional data in Bytes.
+ *                  This must be less than 2^16 - 2^8.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, \p input must be a readable buffer of at least
+ *                  that length.
+ * \param output    The buffer holding the output data. If \p length is greater
+ *                  than zero, \p output must be a writable buffer of at least
+ *                  that length.
+ * \param tag       The buffer holding the authentication field. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the authentication field in Bytes.
+ *                  0, 4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \warning         Passing \c 0 as \p tag_len means that the message is nos
+ *                  longer authenticated.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
+ * \return          A cipher-specific error code on calculation failure.
+ */
+int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
+                      const unsigned char *iv, size_t iv_len,
+                      const unsigned char *add, size_t add_len,
+                      const unsigned char *input, unsigned char *output,
+                      const unsigned char *tag, size_t tag_len );
 
 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
 /**
  * \brief          The CCM checkup routine.
  *
- * \return         \c 0 on success, or \c 1 on failure.
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
  */
 int mbedtls_ccm_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/certs.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/certs.h
index b7c5708f85..179ebbbad2 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/certs.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/certs.h
@@ -36,68 +36,214 @@
 extern "C" {
 #endif
 
+/* List of all PEM-encoded CA certificates, terminated by NULL;
+ * PEM encoded if MBEDTLS_PEM_PARSE_C is enabled, DER encoded
+ * otherwise. */
+extern const char * mbedtls_test_cas[];
+extern const size_t mbedtls_test_cas_len[];
+
+/* List of all DER-encoded CA certificates, terminated by NULL */
+extern const unsigned char * mbedtls_test_cas_der[];
+extern const size_t mbedtls_test_cas_der_len[];
+
 #if defined(MBEDTLS_PEM_PARSE_C)
 /* Concatenation of all CA certificates in PEM format if available */
 extern const char   mbedtls_test_cas_pem[];
 extern const size_t mbedtls_test_cas_pem_len;
-#endif
-
-/* List of all CA certificates, terminated by NULL */
-extern const char * mbedtls_test_cas[];
-extern const size_t mbedtls_test_cas_len[];
+#endif /* MBEDTLS_PEM_PARSE_C */
 
 /*
- * Convenience for users who just want a certificate:
- * RSA by default, or ECDSA if RSA is not available
+ * CA test certificates
  */
+
+extern const char mbedtls_test_ca_crt_ec_pem[];
+extern const char mbedtls_test_ca_key_ec_pem[];
+extern const char mbedtls_test_ca_pwd_ec_pem[];
+extern const char mbedtls_test_ca_key_rsa_pem[];
+extern const char mbedtls_test_ca_pwd_rsa_pem[];
+extern const char mbedtls_test_ca_crt_rsa_sha1_pem[];
+extern const char mbedtls_test_ca_crt_rsa_sha256_pem[];
+
+extern const unsigned char mbedtls_test_ca_crt_ec_der[];
+extern const unsigned char mbedtls_test_ca_key_ec_der[];
+extern const unsigned char mbedtls_test_ca_key_rsa_der[];
+extern const unsigned char mbedtls_test_ca_crt_rsa_sha1_der[];
+extern const unsigned char mbedtls_test_ca_crt_rsa_sha256_der[];
+
+extern const size_t mbedtls_test_ca_crt_ec_pem_len;
+extern const size_t mbedtls_test_ca_key_ec_pem_len;
+extern const size_t mbedtls_test_ca_pwd_ec_pem_len;
+extern const size_t mbedtls_test_ca_key_rsa_pem_len;
+extern const size_t mbedtls_test_ca_pwd_rsa_pem_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha1_pem_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha256_pem_len;
+
+extern const size_t mbedtls_test_ca_crt_ec_der_len;
+extern const size_t mbedtls_test_ca_key_ec_der_len;
+extern const size_t mbedtls_test_ca_pwd_ec_der_len;
+extern const size_t mbedtls_test_ca_key_rsa_der_len;
+extern const size_t mbedtls_test_ca_pwd_rsa_der_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha1_der_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha256_der_len;
+
+/* Config-dependent dispatch between PEM and DER encoding
+ * (PEM if enabled, otherwise DER) */
+
+extern const char mbedtls_test_ca_crt_ec[];
+extern const char mbedtls_test_ca_key_ec[];
+extern const char mbedtls_test_ca_pwd_ec[];
+extern const char mbedtls_test_ca_key_rsa[];
+extern const char mbedtls_test_ca_pwd_rsa[];
+extern const char mbedtls_test_ca_crt_rsa_sha1[];
+extern const char mbedtls_test_ca_crt_rsa_sha256[];
+
+extern const size_t mbedtls_test_ca_crt_ec_len;
+extern const size_t mbedtls_test_ca_key_ec_len;
+extern const size_t mbedtls_test_ca_pwd_ec_len;
+extern const size_t mbedtls_test_ca_key_rsa_len;
+extern const size_t mbedtls_test_ca_pwd_rsa_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha1_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha256_len;
+
+/* Config-dependent dispatch between SHA-1 and SHA-256
+ * (SHA-256 if enabled, otherwise SHA-1) */
+
+extern const char mbedtls_test_ca_crt_rsa[];
+extern const size_t mbedtls_test_ca_crt_rsa_len;
+
+/* Config-dependent dispatch between EC and RSA
+ * (RSA if enabled, otherwise EC) */
+
 extern const char * mbedtls_test_ca_crt;
-extern const size_t mbedtls_test_ca_crt_len;
 extern const char * mbedtls_test_ca_key;
-extern const size_t mbedtls_test_ca_key_len;
 extern const char * mbedtls_test_ca_pwd;
+extern const size_t mbedtls_test_ca_crt_len;
+extern const size_t mbedtls_test_ca_key_len;
 extern const size_t mbedtls_test_ca_pwd_len;
+
+/*
+ * Server test certificates
+ */
+
+extern const char mbedtls_test_srv_crt_ec_pem[];
+extern const char mbedtls_test_srv_key_ec_pem[];
+extern const char mbedtls_test_srv_pwd_ec_pem[];
+extern const char mbedtls_test_srv_key_rsa_pem[];
+extern const char mbedtls_test_srv_pwd_rsa_pem[];
+extern const char mbedtls_test_srv_crt_rsa_sha1_pem[];
+extern const char mbedtls_test_srv_crt_rsa_sha256_pem[];
+
+extern const unsigned char mbedtls_test_srv_crt_ec_der[];
+extern const unsigned char mbedtls_test_srv_key_ec_der[];
+extern const unsigned char mbedtls_test_srv_key_rsa_der[];
+extern const unsigned char mbedtls_test_srv_crt_rsa_sha1_der[];
+extern const unsigned char mbedtls_test_srv_crt_rsa_sha256_der[];
+
+extern const size_t mbedtls_test_srv_crt_ec_pem_len;
+extern const size_t mbedtls_test_srv_key_ec_pem_len;
+extern const size_t mbedtls_test_srv_pwd_ec_pem_len;
+extern const size_t mbedtls_test_srv_key_rsa_pem_len;
+extern const size_t mbedtls_test_srv_pwd_rsa_pem_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha1_pem_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha256_pem_len;
+
+extern const size_t mbedtls_test_srv_crt_ec_der_len;
+extern const size_t mbedtls_test_srv_key_ec_der_len;
+extern const size_t mbedtls_test_srv_pwd_ec_der_len;
+extern const size_t mbedtls_test_srv_key_rsa_der_len;
+extern const size_t mbedtls_test_srv_pwd_rsa_der_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha1_der_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha256_der_len;
+
+/* Config-dependent dispatch between PEM and DER encoding
+ * (PEM if enabled, otherwise DER) */
+
+extern const char mbedtls_test_srv_crt_ec[];
+extern const char mbedtls_test_srv_key_ec[];
+extern const char mbedtls_test_srv_pwd_ec[];
+extern const char mbedtls_test_srv_key_rsa[];
+extern const char mbedtls_test_srv_pwd_rsa[];
+extern const char mbedtls_test_srv_crt_rsa_sha1[];
+extern const char mbedtls_test_srv_crt_rsa_sha256[];
+
+extern const size_t mbedtls_test_srv_crt_ec_len;
+extern const size_t mbedtls_test_srv_key_ec_len;
+extern const size_t mbedtls_test_srv_pwd_ec_len;
+extern const size_t mbedtls_test_srv_key_rsa_len;
+extern const size_t mbedtls_test_srv_pwd_rsa_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha1_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha256_len;
+
+/* Config-dependent dispatch between SHA-1 and SHA-256
+ * (SHA-256 if enabled, otherwise SHA-1) */
+
+extern const char mbedtls_test_srv_crt_rsa[];
+extern const size_t mbedtls_test_srv_crt_rsa_len;
+
+/* Config-dependent dispatch between EC and RSA
+ * (RSA if enabled, otherwise EC) */
+
 extern const char * mbedtls_test_srv_crt;
-extern const size_t mbedtls_test_srv_crt_len;
 extern const char * mbedtls_test_srv_key;
+extern const char * mbedtls_test_srv_pwd;
+extern const size_t mbedtls_test_srv_crt_len;
 extern const size_t mbedtls_test_srv_key_len;
-extern const char * mbedtls_test_cli_crt;
-extern const size_t mbedtls_test_cli_crt_len;
-extern const char * mbedtls_test_cli_key;
-extern const size_t mbedtls_test_cli_key_len;
+extern const size_t mbedtls_test_srv_pwd_len;
+
+/*
+ * Client test certificates
+ */
+
+extern const char mbedtls_test_cli_crt_ec_pem[];
+extern const char mbedtls_test_cli_key_ec_pem[];
+extern const char mbedtls_test_cli_pwd_ec_pem[];
+extern const char mbedtls_test_cli_key_rsa_pem[];
+extern const char mbedtls_test_cli_pwd_rsa_pem[];
+extern const char mbedtls_test_cli_crt_rsa_pem[];
+
+extern const unsigned char mbedtls_test_cli_crt_ec_der[];
+extern const unsigned char mbedtls_test_cli_key_ec_der[];
+extern const unsigned char mbedtls_test_cli_key_rsa_der[];
+extern const unsigned char mbedtls_test_cli_crt_rsa_der[];
+
+extern const size_t mbedtls_test_cli_crt_ec_pem_len;
+extern const size_t mbedtls_test_cli_key_ec_pem_len;
+extern const size_t mbedtls_test_cli_pwd_ec_pem_len;
+extern const size_t mbedtls_test_cli_key_rsa_pem_len;
+extern const size_t mbedtls_test_cli_pwd_rsa_pem_len;
+extern const size_t mbedtls_test_cli_crt_rsa_pem_len;
+
+extern const size_t mbedtls_test_cli_crt_ec_der_len;
+extern const size_t mbedtls_test_cli_key_ec_der_len;
+extern const size_t mbedtls_test_cli_key_rsa_der_len;
+extern const size_t mbedtls_test_cli_crt_rsa_der_len;
+
+/* Config-dependent dispatch between PEM and DER encoding
+ * (PEM if enabled, otherwise DER) */
+
+extern const char mbedtls_test_cli_crt_ec[];
+extern const char mbedtls_test_cli_key_ec[];
+extern const char mbedtls_test_cli_pwd_ec[];
+extern const char mbedtls_test_cli_key_rsa[];
+extern const char mbedtls_test_cli_pwd_rsa[];
+extern const char mbedtls_test_cli_crt_rsa[];
 
-#if defined(MBEDTLS_ECDSA_C)
-extern const char   mbedtls_test_ca_crt_ec[];
-extern const size_t mbedtls_test_ca_crt_ec_len;
-extern const char   mbedtls_test_ca_key_ec[];
-extern const size_t mbedtls_test_ca_key_ec_len;
-extern const char   mbedtls_test_ca_pwd_ec[];
-extern const size_t mbedtls_test_ca_pwd_ec_len;
-extern const char   mbedtls_test_srv_crt_ec[];
-extern const size_t mbedtls_test_srv_crt_ec_len;
-extern const char   mbedtls_test_srv_key_ec[];
-extern const size_t mbedtls_test_srv_key_ec_len;
-extern const char   mbedtls_test_cli_crt_ec[];
 extern const size_t mbedtls_test_cli_crt_ec_len;
-extern const char   mbedtls_test_cli_key_ec[];
 extern const size_t mbedtls_test_cli_key_ec_len;
-#endif
-
-#if defined(MBEDTLS_RSA_C)
-extern const char   mbedtls_test_ca_crt_rsa[];
-extern const size_t mbedtls_test_ca_crt_rsa_len;
-extern const char   mbedtls_test_ca_key_rsa[];
-extern const size_t mbedtls_test_ca_key_rsa_len;
-extern const char   mbedtls_test_ca_pwd_rsa[];
-extern const size_t mbedtls_test_ca_pwd_rsa_len;
-extern const char   mbedtls_test_srv_crt_rsa[];
-extern const size_t mbedtls_test_srv_crt_rsa_len;
-extern const char   mbedtls_test_srv_key_rsa[];
-extern const size_t mbedtls_test_srv_key_rsa_len;
-extern const char   mbedtls_test_cli_crt_rsa[];
-extern const size_t mbedtls_test_cli_crt_rsa_len;
-extern const char   mbedtls_test_cli_key_rsa[];
+extern const size_t mbedtls_test_cli_pwd_ec_len;
 extern const size_t mbedtls_test_cli_key_rsa_len;
-#endif
+extern const size_t mbedtls_test_cli_pwd_rsa_len;
+extern const size_t mbedtls_test_cli_crt_rsa_len;
+
+/* Config-dependent dispatch between EC and RSA
+ * (RSA if enabled, otherwise EC) */
+
+extern const char * mbedtls_test_cli_crt;
+extern const char * mbedtls_test_cli_key;
+extern const char * mbedtls_test_cli_pwd;
+extern const size_t mbedtls_test_cli_crt_len;
+extern const size_t mbedtls_test_cli_key_len;
+extern const size_t mbedtls_test_cli_pwd_len;
 
 #ifdef __cplusplus
 }
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/chacha20.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/chacha20.h
new file mode 100644
index 0000000000..2ae5e6e5f4
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/chacha20.h
@@ -0,0 +1,226 @@
+/**
+ * \file chacha20.h
+ *
+ * \brief   This file contains ChaCha20 definitions and functions.
+ *
+ *          ChaCha20 is a stream cipher that can encrypt and decrypt
+ *          information. ChaCha was created by Daniel Bernstein as a variant of
+ *          its Salsa cipher https://cr.yp.to/chacha/chacha-20080128.pdf
+ *          ChaCha20 is the variant with 20 rounds, that was also standardized
+ *          in RFC 7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/*  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CHACHA20_H
+#define MBEDTLS_CHACHA20_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdint.h>
+#include <stddef.h>
+
+#define MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA         -0x0051 /**< Invalid input parameter(s). */
+
+/* MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE is deprecated and should not be
+ * used. */
+#define MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE    -0x0053 /**< Feature not available. For example, s part of the API is not implemented. */
+
+/* MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED        -0x0055  /**< Chacha20 hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_CHACHA20_ALT)
+
+typedef struct mbedtls_chacha20_context
+{
+    uint32_t state[16];          /*! The state (before round operations). */
+    uint8_t  keystream8[64];     /*! Leftover keystream bytes. */
+    size_t keystream_bytes_used; /*! Number of keystream bytes already used. */
+}
+mbedtls_chacha20_context;
+
+#else  /* MBEDTLS_CHACHA20_ALT */
+#include "chacha20_alt.h"
+#endif /* MBEDTLS_CHACHA20_ALT */
+
+/**
+ * \brief           This function initializes the specified ChaCha20 context.
+ *
+ *                  It must be the first API called before using
+ *                  the context.
+ *
+ *                  It is usually followed by calls to
+ *                  \c mbedtls_chacha20_setkey() and
+ *                  \c mbedtls_chacha20_starts(), then one or more calls to
+ *                  to \c mbedtls_chacha20_update(), and finally to
+ *                  \c mbedtls_chacha20_free().
+ *
+ * \param ctx       The ChaCha20 context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx );
+
+/**
+ * \brief           This function releases and clears the specified
+ *                  ChaCha20 context.
+ *
+ * \param ctx       The ChaCha20 context to clear. This may be \c NULL,
+ *                  in which case this function is a no-op. If it is not
+ *                  \c NULL, it must point to an initialized context.
+ *
+ */
+void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx );
+
+/**
+ * \brief           This function sets the encryption/decryption key.
+ *
+ * \note            After using this function, you must also call
+ *                  \c mbedtls_chacha20_starts() to set a nonce before you
+ *                  start encrypting/decrypting data with
+ *                  \c mbedtls_chacha_update().
+ *
+ * \param ctx       The ChaCha20 context to which the key should be bound.
+ *                  It must be initialized.
+ * \param key       The encryption/decryption key. This must be \c 32 Bytes
+ *                  in length.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or key is NULL.
+ */
+int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx,
+                             const unsigned char key[32] );
+
+/**
+ * \brief           This function sets the nonce and initial counter value.
+ *
+ * \note            A ChaCha20 context can be re-used with the same key by
+ *                  calling this function to change the nonce.
+ *
+ * \warning         You must never use the same nonce twice with the same key.
+ *                  This would void any confidentiality guarantees for the
+ *                  messages encrypted with the same nonce and key.
+ *
+ * \param ctx       The ChaCha20 context to which the nonce should be bound.
+ *                  It must be initialized and bound to a key.
+ * \param nonce     The nonce. This must be \c 12 Bytes in size.
+ * \param counter   The initial counter value. This is usually \c 0.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or nonce is
+ *                  NULL.
+ */
+int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx,
+                             const unsigned char nonce[12],
+                             uint32_t counter );
+
+/**
+ * \brief           This function encrypts or decrypts data.
+ *
+ *                  Since ChaCha20 is a stream cipher, the same operation is
+ *                  used for encrypting and decrypting data.
+ *
+ * \note            The \p input and \p output pointers must either be equal or
+ *                  point to non-overlapping buffers.
+ *
+ * \note            \c mbedtls_chacha20_setkey() and
+ *                  \c mbedtls_chacha20_starts() must be called at least once
+ *                  to setup the context before this function can be called.
+ *
+ * \note            This function can be called multiple times in a row in
+ *                  order to encrypt of decrypt data piecewise with the same
+ *                  key and nonce.
+ *
+ * \param ctx       The ChaCha20 context to use for encryption or decryption.
+ *                  It must be initialized and bound to a key and nonce.
+ * \param size      The length of the input data in Bytes.
+ * \param input     The buffer holding the input data.
+ *                  This pointer can be \c NULL if `size == 0`.
+ * \param output    The buffer holding the output data.
+ *                  This must be able to hold \p size Bytes.
+ *                  This pointer can be \c NULL if `size == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
+                             size_t size,
+                             const unsigned char *input,
+                             unsigned char *output );
+
+/**
+ * \brief           This function encrypts or decrypts data with ChaCha20 and
+ *                  the given key and nonce.
+ *
+ *                  Since ChaCha20 is a stream cipher, the same operation is
+ *                  used for encrypting and decrypting data.
+ *
+ * \warning         You must never use the same (key, nonce) pair more than
+ *                  once. This would void any confidentiality guarantees for
+ *                  the messages encrypted with the same nonce and key.
+ *
+ * \note            The \p input and \p output pointers must either be equal or
+ *                  point to non-overlapping buffers.
+ *
+ * \param key       The encryption/decryption key.
+ *                  This must be \c 32 Bytes in length.
+ * \param nonce     The nonce. This must be \c 12 Bytes in size.
+ * \param counter   The initial counter value. This is usually \c 0.
+ * \param size      The length of the input data in Bytes.
+ * \param input     The buffer holding the input data.
+ *                  This pointer can be \c NULL if `size == 0`.
+ * \param output    The buffer holding the output data.
+ *                  This must be able to hold \p size Bytes.
+ *                  This pointer can be \c NULL if `size == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chacha20_crypt( const unsigned char key[32],
+                            const unsigned char nonce[12],
+                            uint32_t counter,
+                            size_t size,
+                            const unsigned char* input,
+                            unsigned char* output );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief           The ChaCha20 checkup routine.
+ *
+ * \return          \c 0 on success.
+ * \return          \c 1 on failure.
+ */
+int mbedtls_chacha20_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CHACHA20_H */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/chachapoly.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/chachapoly.h
new file mode 100644
index 0000000000..49e615d278
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/chachapoly.h
@@ -0,0 +1,358 @@
+/**
+ * \file chachapoly.h
+ *
+ * \brief   This file contains the AEAD-ChaCha20-Poly1305 definitions and
+ *          functions.
+ *
+ *          ChaCha20-Poly1305 is an algorithm for Authenticated Encryption
+ *          with Associated Data (AEAD) that can be used to encrypt and
+ *          authenticate data. It is based on ChaCha20 and Poly1305 by Daniel
+ *          Bernstein and was standardized in RFC 7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/*  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CHACHAPOLY_H
+#define MBEDTLS_CHACHAPOLY_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/* for shared error codes */
+#include "poly1305.h"
+
+#define MBEDTLS_ERR_CHACHAPOLY_BAD_STATE            -0x0054 /**< The requested operation is not permitted in the current state. */
+#define MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED          -0x0056 /**< Authenticated decryption failed: data was not authentic. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum
+{
+    MBEDTLS_CHACHAPOLY_ENCRYPT,     /**< The mode value for performing encryption. */
+    MBEDTLS_CHACHAPOLY_DECRYPT      /**< The mode value for performing decryption. */
+}
+mbedtls_chachapoly_mode_t;
+
+#if !defined(MBEDTLS_CHACHAPOLY_ALT)
+
+#include "chacha20.h"
+
+typedef struct mbedtls_chachapoly_context
+{
+    mbedtls_chacha20_context chacha20_ctx;  /**< The ChaCha20 context. */
+    mbedtls_poly1305_context poly1305_ctx;  /**< The Poly1305 context. */
+    uint64_t aad_len;                       /**< The length (bytes) of the Additional Authenticated Data. */
+    uint64_t ciphertext_len;                /**< The length (bytes) of the ciphertext. */
+    int state;                              /**< The current state of the context. */
+    mbedtls_chachapoly_mode_t mode;         /**< Cipher mode (encrypt or decrypt). */
+}
+mbedtls_chachapoly_context;
+
+#else /* !MBEDTLS_CHACHAPOLY_ALT */
+#include "chachapoly_alt.h"
+#endif /* !MBEDTLS_CHACHAPOLY_ALT */
+
+/**
+ * \brief           This function initializes the specified ChaCha20-Poly1305 context.
+ *
+ *                  It must be the first API called before using
+ *                  the context. It must be followed by a call to
+ *                  \c mbedtls_chachapoly_setkey() before any operation can be
+ *                  done, and to \c mbedtls_chachapoly_free() once all
+ *                  operations with that context have been finished.
+ *
+ *                  In order to encrypt or decrypt full messages at once, for
+ *                  each message you should make a single call to
+ *                  \c mbedtls_chachapoly_crypt_and_tag() or
+ *                  \c mbedtls_chachapoly_auth_decrypt().
+ *
+ *                  In order to encrypt messages piecewise, for each
+ *                  message you should make a call to
+ *                  \c mbedtls_chachapoly_starts(), then 0 or more calls to
+ *                  \c mbedtls_chachapoly_update_aad(), then 0 or more calls to
+ *                  \c mbedtls_chachapoly_update(), then one call to
+ *                  \c mbedtls_chachapoly_finish().
+ *
+ * \warning         Decryption with the piecewise API is discouraged! Always
+ *                  use \c mbedtls_chachapoly_auth_decrypt() when possible!
+ *
+ *                  If however this is not possible because the data is too
+ *                  large to fit in memory, you need to:
+ *
+ *                  - call \c mbedtls_chachapoly_starts() and (if needed)
+ *                  \c mbedtls_chachapoly_update_aad() as above,
+ *                  - call \c mbedtls_chachapoly_update() multiple times and
+ *                  ensure its output (the plaintext) is NOT used in any other
+ *                  way than placing it in temporary storage at this point,
+ *                  - call \c mbedtls_chachapoly_finish() to compute the
+ *                  authentication tag and compared it in constant time to the
+ *                  tag received with the ciphertext.
+ *
+ *                  If the tags are not equal, you must immediately discard
+ *                  all previous outputs of \c mbedtls_chachapoly_update(),
+ *                  otherwise you can now safely use the plaintext.
+ *
+ * \param ctx       The ChachaPoly context to initialize. Must not be \c NULL.
+ */
+void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx );
+
+/**
+ * \brief           This function releases and clears the specified
+ *                  ChaCha20-Poly1305 context.
+ *
+ * \param ctx       The ChachaPoly context to clear. This may be \c NULL, in which
+ *                  case this function is a no-op.
+ */
+void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx );
+
+/**
+ * \brief           This function sets the ChaCha20-Poly1305
+ *                  symmetric encryption key.
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to which the key should be
+ *                  bound. This must be initialized.
+ * \param key       The \c 256 Bit (\c 32 Bytes) key.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,
+                               const unsigned char key[32] );
+
+/**
+ * \brief           This function starts a ChaCha20-Poly1305 encryption or
+ *                  decryption operation.
+ *
+ * \warning         You must never use the same nonce twice with the same key.
+ *                  This would void any confidentiality and authenticity
+ *                  guarantees for the messages encrypted with the same nonce
+ *                  and key.
+ *
+ * \note            If the context is being used for AAD only (no data to
+ *                  encrypt or decrypt) then \p mode can be set to any value.
+ *
+ * \warning         Decryption with the piecewise API is discouraged, see the
+ *                  warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx       The ChaCha20-Poly1305 context. This must be initialized
+ *                  and bound to a key.
+ * \param nonce     The nonce/IV to use for the message.
+ *                  This must be a redable buffer of length \c 12 Bytes.
+ * \param mode      The operation to perform: #MBEDTLS_CHACHAPOLY_ENCRYPT or
+ *                  #MBEDTLS_CHACHAPOLY_DECRYPT (discouraged, see warning).
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
+                               const unsigned char nonce[12],
+                               mbedtls_chachapoly_mode_t mode );
+
+/**
+ * \brief           This function feeds additional data to be authenticated
+ *                  into an ongoing ChaCha20-Poly1305 operation.
+ *
+ *                  The Additional Authenticated Data (AAD), also called
+ *                  Associated Data (AD) is only authenticated but not
+ *                  encrypted nor included in the encrypted output. It is
+ *                  usually transmitted separately from the ciphertext or
+ *                  computed locally by each party.
+ *
+ * \note            This function is called before data is encrypted/decrypted.
+ *                  I.e. call this function to process the AAD before calling
+ *                  \c mbedtls_chachapoly_update().
+ *
+ *                  You may call this function multiple times to process
+ *                  an arbitrary amount of AAD. It is permitted to call
+ *                  this function 0 times, if no AAD is used.
+ *
+ *                  This function cannot be called any more if data has
+ *                  been processed by \c mbedtls_chachapoly_update(),
+ *                  or if the context has been finished.
+ *
+ * \warning         Decryption with the piecewise API is discouraged, see the
+ *                  warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx       The ChaCha20-Poly1305 context. This must be initialized
+ *                  and bound to a key.
+ * \param aad_len   The length in Bytes of the AAD. The length has no
+ *                  restrictions.
+ * \param aad       Buffer containing the AAD.
+ *                  This pointer can be \c NULL if `aad_len == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
+ *                  if \p ctx or \p aad are NULL.
+ * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ *                  if the operations has not been started or has been
+ *                  finished, or if the AAD has been finished.
+ */
+int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx,
+                                   const unsigned char *aad,
+                                   size_t aad_len );
+
+/**
+ * \brief           Thus function feeds data to be encrypted or decrypted
+ *                  into an on-going ChaCha20-Poly1305
+ *                  operation.
+ *
+ *                  The direction (encryption or decryption) depends on the
+ *                  mode that was given when calling
+ *                  \c mbedtls_chachapoly_starts().
+ *
+ *                  You may call this function multiple times to process
+ *                  an arbitrary amount of data. It is permitted to call
+ *                  this function 0 times, if no data is to be encrypted
+ *                  or decrypted.
+ *
+ * \warning         Decryption with the piecewise API is discouraged, see the
+ *                  warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to use. This must be initialized.
+ * \param len       The length (in bytes) of the data to encrypt or decrypt.
+ * \param input     The buffer containing the data to encrypt or decrypt.
+ *                  This pointer can be \c NULL if `len == 0`.
+ * \param output    The buffer to where the encrypted or decrypted data is
+ *                  written. This must be able to hold \p len bytes.
+ *                  This pointer can be \c NULL if `len == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ *                  if the operation has not been started or has been
+ *                  finished.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
+                               size_t len,
+                               const unsigned char *input,
+                               unsigned char *output );
+
+/**
+ * \brief           This function finished the ChaCha20-Poly1305 operation and
+ *                  generates the MAC (authentication tag).
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to use. This must be initialized.
+ * \param mac       The buffer to where the 128-bit (16 bytes) MAC is written.
+ *
+ * \warning         Decryption with the piecewise API is discouraged, see the
+ *                  warning on \c mbedtls_chachapoly_init().
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ *                  if the operation has not been started or has been
+ *                  finished.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
+                               unsigned char mac[16] );
+
+/**
+ * \brief           This function performs a complete ChaCha20-Poly1305
+ *                  authenticated encryption with the previously-set key.
+ *
+ * \note            Before using this function, you must set the key with
+ *                  \c mbedtls_chachapoly_setkey().
+ *
+ * \warning         You must never use the same nonce twice with the same key.
+ *                  This would void any confidentiality and authenticity
+ *                  guarantees for the messages encrypted with the same nonce
+ *                  and key.
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to use (holds the key).
+ *                  This must be initialized.
+ * \param length    The length (in bytes) of the data to encrypt or decrypt.
+ * \param nonce     The 96-bit (12 bytes) nonce/IV to use.
+ * \param aad       The buffer containing the additional authenticated
+ *                  data (AAD). This pointer can be \c NULL if `aad_len == 0`.
+ * \param aad_len   The length (in bytes) of the AAD data to process.
+ * \param input     The buffer containing the data to encrypt or decrypt.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ * \param output    The buffer to where the encrypted or decrypted data
+ *                  is written. This pointer can be \c NULL if `ilen == 0`.
+ * \param tag       The buffer to where the computed 128-bit (16 bytes) MAC
+ *                  is written. This must not be \c NULL.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
+                                        size_t length,
+                                        const unsigned char nonce[12],
+                                        const unsigned char *aad,
+                                        size_t aad_len,
+                                        const unsigned char *input,
+                                        unsigned char *output,
+                                        unsigned char tag[16] );
+
+/**
+ * \brief           This function performs a complete ChaCha20-Poly1305
+ *                  authenticated decryption with the previously-set key.
+ *
+ * \note            Before using this function, you must set the key with
+ *                  \c mbedtls_chachapoly_setkey().
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to use (holds the key).
+ * \param length    The length (in Bytes) of the data to decrypt.
+ * \param nonce     The \c 96 Bit (\c 12 bytes) nonce/IV to use.
+ * \param aad       The buffer containing the additional authenticated data (AAD).
+ *                  This pointer can be \c NULL if `aad_len == 0`.
+ * \param aad_len   The length (in bytes) of the AAD data to process.
+ * \param tag       The buffer holding the authentication tag.
+ *                  This must be a readable buffer of length \c 16 Bytes.
+ * \param input     The buffer containing the data to decrypt.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ * \param output    The buffer to where the decrypted data is written.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
+ *                  if the data was not authentic.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
+                                     size_t length,
+                                     const unsigned char nonce[12],
+                                     const unsigned char *aad,
+                                     size_t aad_len,
+                                     const unsigned char tag[16],
+                                     const unsigned char *input,
+                                     unsigned char *output );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief           The ChaCha20-Poly1305 checkup routine.
+ *
+ * \return          \c 0 on success.
+ * \return          \c 1 on failure.
+ */
+int mbedtls_chachapoly_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CHACHAPOLY_H */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/check_config.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/check_config.h
index fa7110fe92..b86e5807e0 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/check_config.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/check_config.h
@@ -4,7 +4,7 @@
  * \brief Consistency checks for configuration options
  */
 /*
- *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
  *  SPDX-License-Identifier: Apache-2.0
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -87,6 +87,11 @@
 #error "MBEDTLS_CMAC_C defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_NIST_KW_C) && \
+    ( !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CIPHER_C) )
+#error "MBEDTLS_NIST_KW_C defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C)
 #error "MBEDTLS_ECDH_C defined, but not all prerequisites"
 #endif
@@ -103,6 +108,17 @@
 #error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)           && \
+    ( defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT) || \
+      defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)     || \
+      defined(MBEDTLS_ECDSA_SIGN_ALT)          || \
+      defined(MBEDTLS_ECDSA_VERIFY_ALT)        || \
+      defined(MBEDTLS_ECDSA_GENKEY_ALT)        || \
+      defined(MBEDTLS_ECP_INTERNAL_ALT)        || \
+      defined(MBEDTLS_ECP_ALT) )
+#error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative ECP implementation"
+#endif
+
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) && !defined(MBEDTLS_HMAC_DRBG_C)
 #error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites"
 #endif
@@ -195,6 +211,10 @@
 #error "MBEDTLS_HAVEGE_C defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_HKDF_C) && !defined(MBEDTLS_MD_C)
+#error "MBEDTLS_HKDF_C defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_HMAC_DRBG_C) && !defined(MBEDTLS_MD_C)
 #error "MBEDTLS_HMAC_DRBG_C defined, but not all prerequisites"
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/cipher.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/cipher.h
index 1c453a1d32..082a691741 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/cipher.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/cipher.h
@@ -1,7 +1,9 @@
 /**
  * \file cipher.h
  *
- * \brief The generic cipher wrapper.
+ * \brief This file contains an abstraction interface for use with the cipher
+ * primitives provided by the library. It provides a common interface to all of
+ * the available cipher operations.
  *
  * \author Adriaan de Jong <dejong@fox-it.com>
  */
@@ -34,8 +36,9 @@
 #endif
 
 #include <stddef.h>
+#include "platform_util.h"
 
-#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
 #define MBEDTLS_CIPHER_MODE_AEAD
 #endif
 
@@ -43,7 +46,8 @@
 #define MBEDTLS_CIPHER_MODE_WITH_PADDING
 #endif
 
-#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
+    defined(MBEDTLS_CHACHA20_C)
 #define MBEDTLS_CIPHER_MODE_STREAM
 #endif
 
@@ -59,6 +63,8 @@
 #define MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED  -0x6280  /**< Decryption of block requires a full block. */
 #define MBEDTLS_ERR_CIPHER_AUTH_FAILED          -0x6300  /**< Authentication failed (for AEAD modes). */
 #define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT      -0x6380  /**< The context is invalid. For example, because it was freed. */
+
+/* MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED      -0x6400  /**< Cipher hardware accelerator failed. */
 
 #define MBEDTLS_CIPHER_VARIABLE_IV_LEN     0x01    /**< Cipher accepts IVs of variable length. */
@@ -69,93 +75,122 @@ extern "C" {
 #endif
 
 /**
- * \brief     An enumeration of supported ciphers.
+ * \brief     Supported cipher types.
  *
- * \warning   ARC4 and DES are considered weak ciphers and their use
- *            constitutes a security risk. We recommend considering stronger
+ * \warning   RC4 and DES are considered weak ciphers and their use
+ *            constitutes a security risk. Arm recommends considering stronger
  *            ciphers instead.
  */
 typedef enum {
-    MBEDTLS_CIPHER_ID_NONE = 0,
-    MBEDTLS_CIPHER_ID_NULL,
-    MBEDTLS_CIPHER_ID_AES,
-    MBEDTLS_CIPHER_ID_DES,
-    MBEDTLS_CIPHER_ID_3DES,
-    MBEDTLS_CIPHER_ID_CAMELLIA,
-    MBEDTLS_CIPHER_ID_BLOWFISH,
-    MBEDTLS_CIPHER_ID_ARC4,
+    MBEDTLS_CIPHER_ID_NONE = 0,  /**< Placeholder to mark the end of cipher ID lists. */
+    MBEDTLS_CIPHER_ID_NULL,      /**< The identity cipher, treated as a stream cipher. */
+    MBEDTLS_CIPHER_ID_AES,       /**< The AES cipher. */
+    MBEDTLS_CIPHER_ID_DES,       /**< The DES cipher. */
+    MBEDTLS_CIPHER_ID_3DES,      /**< The Triple DES cipher. */
+    MBEDTLS_CIPHER_ID_CAMELLIA,  /**< The Camellia cipher. */
+    MBEDTLS_CIPHER_ID_BLOWFISH,  /**< The Blowfish cipher. */
+    MBEDTLS_CIPHER_ID_ARC4,      /**< The RC4 cipher. */
+    MBEDTLS_CIPHER_ID_ARIA,      /**< The Aria cipher. */
+    MBEDTLS_CIPHER_ID_CHACHA20,  /**< The ChaCha20 cipher. */
 } mbedtls_cipher_id_t;
 
 /**
- * \brief     An enumeration of supported (cipher, mode) pairs.
+ * \brief     Supported {cipher type, cipher mode} pairs.
  *
- * \warning   ARC4 and DES are considered weak ciphers and their use
- *            constitutes a security risk. We recommend considering stronger
+ * \warning   RC4 and DES are considered weak ciphers and their use
+ *            constitutes a security risk. Arm recommends considering stronger
  *            ciphers instead.
  */
 typedef enum {
-    MBEDTLS_CIPHER_NONE = 0,
-    MBEDTLS_CIPHER_NULL,
-    MBEDTLS_CIPHER_AES_128_ECB,
-    MBEDTLS_CIPHER_AES_192_ECB,
-    MBEDTLS_CIPHER_AES_256_ECB,
-    MBEDTLS_CIPHER_AES_128_CBC,
-    MBEDTLS_CIPHER_AES_192_CBC,
-    MBEDTLS_CIPHER_AES_256_CBC,
-    MBEDTLS_CIPHER_AES_128_CFB128,
-    MBEDTLS_CIPHER_AES_192_CFB128,
-    MBEDTLS_CIPHER_AES_256_CFB128,
-    MBEDTLS_CIPHER_AES_128_CTR,
-    MBEDTLS_CIPHER_AES_192_CTR,
-    MBEDTLS_CIPHER_AES_256_CTR,
-    MBEDTLS_CIPHER_AES_128_GCM,
-    MBEDTLS_CIPHER_AES_192_GCM,
-    MBEDTLS_CIPHER_AES_256_GCM,
-    MBEDTLS_CIPHER_CAMELLIA_128_ECB,
-    MBEDTLS_CIPHER_CAMELLIA_192_ECB,
-    MBEDTLS_CIPHER_CAMELLIA_256_ECB,
-    MBEDTLS_CIPHER_CAMELLIA_128_CBC,
-    MBEDTLS_CIPHER_CAMELLIA_192_CBC,
-    MBEDTLS_CIPHER_CAMELLIA_256_CBC,
-    MBEDTLS_CIPHER_CAMELLIA_128_CFB128,
-    MBEDTLS_CIPHER_CAMELLIA_192_CFB128,
-    MBEDTLS_CIPHER_CAMELLIA_256_CFB128,
-    MBEDTLS_CIPHER_CAMELLIA_128_CTR,
-    MBEDTLS_CIPHER_CAMELLIA_192_CTR,
-    MBEDTLS_CIPHER_CAMELLIA_256_CTR,
-    MBEDTLS_CIPHER_CAMELLIA_128_GCM,
-    MBEDTLS_CIPHER_CAMELLIA_192_GCM,
-    MBEDTLS_CIPHER_CAMELLIA_256_GCM,
-    MBEDTLS_CIPHER_DES_ECB,
-    MBEDTLS_CIPHER_DES_CBC,
-    MBEDTLS_CIPHER_DES_EDE_ECB,
-    MBEDTLS_CIPHER_DES_EDE_CBC,
-    MBEDTLS_CIPHER_DES_EDE3_ECB,
-    MBEDTLS_CIPHER_DES_EDE3_CBC,
-    MBEDTLS_CIPHER_BLOWFISH_ECB,
-    MBEDTLS_CIPHER_BLOWFISH_CBC,
-    MBEDTLS_CIPHER_BLOWFISH_CFB64,
-    MBEDTLS_CIPHER_BLOWFISH_CTR,
-    MBEDTLS_CIPHER_ARC4_128,
-    MBEDTLS_CIPHER_AES_128_CCM,
-    MBEDTLS_CIPHER_AES_192_CCM,
-    MBEDTLS_CIPHER_AES_256_CCM,
-    MBEDTLS_CIPHER_CAMELLIA_128_CCM,
-    MBEDTLS_CIPHER_CAMELLIA_192_CCM,
-    MBEDTLS_CIPHER_CAMELLIA_256_CCM,
+    MBEDTLS_CIPHER_NONE = 0,             /**< Placeholder to mark the end of cipher-pair lists. */
+    MBEDTLS_CIPHER_NULL,                 /**< The identity stream cipher. */
+    MBEDTLS_CIPHER_AES_128_ECB,          /**< AES cipher with 128-bit ECB mode. */
+    MBEDTLS_CIPHER_AES_192_ECB,          /**< AES cipher with 192-bit ECB mode. */
+    MBEDTLS_CIPHER_AES_256_ECB,          /**< AES cipher with 256-bit ECB mode. */
+    MBEDTLS_CIPHER_AES_128_CBC,          /**< AES cipher with 128-bit CBC mode. */
+    MBEDTLS_CIPHER_AES_192_CBC,          /**< AES cipher with 192-bit CBC mode. */
+    MBEDTLS_CIPHER_AES_256_CBC,          /**< AES cipher with 256-bit CBC mode. */
+    MBEDTLS_CIPHER_AES_128_CFB128,       /**< AES cipher with 128-bit CFB128 mode. */
+    MBEDTLS_CIPHER_AES_192_CFB128,       /**< AES cipher with 192-bit CFB128 mode. */
+    MBEDTLS_CIPHER_AES_256_CFB128,       /**< AES cipher with 256-bit CFB128 mode. */
+    MBEDTLS_CIPHER_AES_128_CTR,          /**< AES cipher with 128-bit CTR mode. */
+    MBEDTLS_CIPHER_AES_192_CTR,          /**< AES cipher with 192-bit CTR mode. */
+    MBEDTLS_CIPHER_AES_256_CTR,          /**< AES cipher with 256-bit CTR mode. */
+    MBEDTLS_CIPHER_AES_128_GCM,          /**< AES cipher with 128-bit GCM mode. */
+    MBEDTLS_CIPHER_AES_192_GCM,          /**< AES cipher with 192-bit GCM mode. */
+    MBEDTLS_CIPHER_AES_256_GCM,          /**< AES cipher with 256-bit GCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_ECB,     /**< Camellia cipher with 128-bit ECB mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_ECB,     /**< Camellia cipher with 192-bit ECB mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_ECB,     /**< Camellia cipher with 256-bit ECB mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_CBC,     /**< Camellia cipher with 128-bit CBC mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_CBC,     /**< Camellia cipher with 192-bit CBC mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_CBC,     /**< Camellia cipher with 256-bit CBC mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_CFB128,  /**< Camellia cipher with 128-bit CFB128 mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_CFB128,  /**< Camellia cipher with 192-bit CFB128 mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_CFB128,  /**< Camellia cipher with 256-bit CFB128 mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_CTR,     /**< Camellia cipher with 128-bit CTR mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_CTR,     /**< Camellia cipher with 192-bit CTR mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_CTR,     /**< Camellia cipher with 256-bit CTR mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_GCM,     /**< Camellia cipher with 128-bit GCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_GCM,     /**< Camellia cipher with 192-bit GCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_GCM,     /**< Camellia cipher with 256-bit GCM mode. */
+    MBEDTLS_CIPHER_DES_ECB,              /**< DES cipher with ECB mode. */
+    MBEDTLS_CIPHER_DES_CBC,              /**< DES cipher with CBC mode. */
+    MBEDTLS_CIPHER_DES_EDE_ECB,          /**< DES cipher with EDE ECB mode. */
+    MBEDTLS_CIPHER_DES_EDE_CBC,          /**< DES cipher with EDE CBC mode. */
+    MBEDTLS_CIPHER_DES_EDE3_ECB,         /**< DES cipher with EDE3 ECB mode. */
+    MBEDTLS_CIPHER_DES_EDE3_CBC,         /**< DES cipher with EDE3 CBC mode. */
+    MBEDTLS_CIPHER_BLOWFISH_ECB,         /**< Blowfish cipher with ECB mode. */
+    MBEDTLS_CIPHER_BLOWFISH_CBC,         /**< Blowfish cipher with CBC mode. */
+    MBEDTLS_CIPHER_BLOWFISH_CFB64,       /**< Blowfish cipher with CFB64 mode. */
+    MBEDTLS_CIPHER_BLOWFISH_CTR,         /**< Blowfish cipher with CTR mode. */
+    MBEDTLS_CIPHER_ARC4_128,             /**< RC4 cipher with 128-bit mode. */
+    MBEDTLS_CIPHER_AES_128_CCM,          /**< AES cipher with 128-bit CCM mode. */
+    MBEDTLS_CIPHER_AES_192_CCM,          /**< AES cipher with 192-bit CCM mode. */
+    MBEDTLS_CIPHER_AES_256_CCM,          /**< AES cipher with 256-bit CCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_CCM,     /**< Camellia cipher with 128-bit CCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_CCM,     /**< Camellia cipher with 192-bit CCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_CCM,     /**< Camellia cipher with 256-bit CCM mode. */
+    MBEDTLS_CIPHER_ARIA_128_ECB,         /**< Aria cipher with 128-bit key and ECB mode. */
+    MBEDTLS_CIPHER_ARIA_192_ECB,         /**< Aria cipher with 192-bit key and ECB mode. */
+    MBEDTLS_CIPHER_ARIA_256_ECB,         /**< Aria cipher with 256-bit key and ECB mode. */
+    MBEDTLS_CIPHER_ARIA_128_CBC,         /**< Aria cipher with 128-bit key and CBC mode. */
+    MBEDTLS_CIPHER_ARIA_192_CBC,         /**< Aria cipher with 192-bit key and CBC mode. */
+    MBEDTLS_CIPHER_ARIA_256_CBC,         /**< Aria cipher with 256-bit key and CBC mode. */
+    MBEDTLS_CIPHER_ARIA_128_CFB128,      /**< Aria cipher with 128-bit key and CFB-128 mode. */
+    MBEDTLS_CIPHER_ARIA_192_CFB128,      /**< Aria cipher with 192-bit key and CFB-128 mode. */
+    MBEDTLS_CIPHER_ARIA_256_CFB128,      /**< Aria cipher with 256-bit key and CFB-128 mode. */
+    MBEDTLS_CIPHER_ARIA_128_CTR,         /**< Aria cipher with 128-bit key and CTR mode. */
+    MBEDTLS_CIPHER_ARIA_192_CTR,         /**< Aria cipher with 192-bit key and CTR mode. */
+    MBEDTLS_CIPHER_ARIA_256_CTR,         /**< Aria cipher with 256-bit key and CTR mode. */
+    MBEDTLS_CIPHER_ARIA_128_GCM,         /**< Aria cipher with 128-bit key and GCM mode. */
+    MBEDTLS_CIPHER_ARIA_192_GCM,         /**< Aria cipher with 192-bit key and GCM mode. */
+    MBEDTLS_CIPHER_ARIA_256_GCM,         /**< Aria cipher with 256-bit key and GCM mode. */
+    MBEDTLS_CIPHER_ARIA_128_CCM,         /**< Aria cipher with 128-bit key and CCM mode. */
+    MBEDTLS_CIPHER_ARIA_192_CCM,         /**< Aria cipher with 192-bit key and CCM mode. */
+    MBEDTLS_CIPHER_ARIA_256_CCM,         /**< Aria cipher with 256-bit key and CCM mode. */
+    MBEDTLS_CIPHER_AES_128_OFB,          /**< AES 128-bit cipher in OFB mode. */
+    MBEDTLS_CIPHER_AES_192_OFB,          /**< AES 192-bit cipher in OFB mode. */
+    MBEDTLS_CIPHER_AES_256_OFB,          /**< AES 256-bit cipher in OFB mode. */
+    MBEDTLS_CIPHER_AES_128_XTS,          /**< AES 128-bit cipher in XTS block mode. */
+    MBEDTLS_CIPHER_AES_256_XTS,          /**< AES 256-bit cipher in XTS block mode. */
+    MBEDTLS_CIPHER_CHACHA20,             /**< ChaCha20 stream cipher. */
+    MBEDTLS_CIPHER_CHACHA20_POLY1305,    /**< ChaCha20-Poly1305 AEAD cipher. */
 } mbedtls_cipher_type_t;
 
 /** Supported cipher modes. */
 typedef enum {
-    MBEDTLS_MODE_NONE = 0,
-    MBEDTLS_MODE_ECB,
-    MBEDTLS_MODE_CBC,
-    MBEDTLS_MODE_CFB,
-    MBEDTLS_MODE_OFB, /* Unused! */
-    MBEDTLS_MODE_CTR,
-    MBEDTLS_MODE_GCM,
-    MBEDTLS_MODE_STREAM,
-    MBEDTLS_MODE_CCM,
+    MBEDTLS_MODE_NONE = 0,               /**< None. */
+    MBEDTLS_MODE_ECB,                    /**< The ECB cipher mode. */
+    MBEDTLS_MODE_CBC,                    /**< The CBC cipher mode. */
+    MBEDTLS_MODE_CFB,                    /**< The CFB cipher mode. */
+    MBEDTLS_MODE_OFB,                    /**< The OFB cipher mode. */
+    MBEDTLS_MODE_CTR,                    /**< The CTR cipher mode. */
+    MBEDTLS_MODE_GCM,                    /**< The GCM cipher mode. */
+    MBEDTLS_MODE_STREAM,                 /**< The stream cipher mode. */
+    MBEDTLS_MODE_CCM,                    /**< The CCM cipher mode. */
+    MBEDTLS_MODE_XTS,                    /**< The XTS cipher mode. */
+    MBEDTLS_MODE_CHACHAPOLY,             /**< The ChaCha-Poly cipher mode. */
 } mbedtls_cipher_mode_t;
 
 /** Supported cipher padding types. */
@@ -163,8 +198,8 @@ typedef enum {
     MBEDTLS_PADDING_PKCS7 = 0,     /**< PKCS7 padding (default).        */
     MBEDTLS_PADDING_ONE_AND_ZEROS, /**< ISO/IEC 7816-4 padding.         */
     MBEDTLS_PADDING_ZEROS_AND_LEN, /**< ANSI X.923 padding.             */
-    MBEDTLS_PADDING_ZEROS,         /**< zero padding (not reversible). */
-    MBEDTLS_PADDING_NONE,          /**< never pad (full blocks only).   */
+    MBEDTLS_PADDING_ZEROS,         /**< Zero padding (not reversible). */
+    MBEDTLS_PADDING_NONE,          /**< Never pad (full blocks only).   */
 } mbedtls_cipher_padding_t;
 
 /** Type of operation. */
@@ -204,7 +239,8 @@ typedef struct mbedtls_cmac_context_t mbedtls_cmac_context_t;
  * Cipher information. Allows calling cipher functions
  * in a generic way.
  */
-typedef struct {
+typedef struct mbedtls_cipher_info_t
+{
     /** Full cipher identifier. For example,
      * MBEDTLS_CIPHER_AES_256_CBC.
      */
@@ -228,7 +264,10 @@ typedef struct {
      */
     unsigned int iv_size;
 
-    /** Flags to set. For example, if the cipher supports variable IV sizes or variable key sizes. */
+    /** Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and
+     *  MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the
+     *  cipher supports variable IV or variable key sizes, respectively.
+     */
     int flags;
 
     /** The block size, in Bytes. */
@@ -242,7 +281,8 @@ typedef struct {
 /**
  * Generic cipher context.
  */
-typedef struct {
+typedef struct mbedtls_cipher_context_t
+{
     /** Information about the associated cipher. */
     const mbedtls_cipher_info_t *cipher_info;
 
@@ -268,7 +308,8 @@ typedef struct {
     /** Number of Bytes that have not been processed yet. */
     size_t unprocessed_len;
 
-    /** Current IV or NONCE_COUNTER for CTR-mode. */
+    /** Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number
+     * for XTS-mode. */
     unsigned char iv[MBEDTLS_MAX_IV_LENGTH];
 
     /** IV size in Bytes, for ciphers with variable-length IVs. */
@@ -296,10 +337,12 @@ const int *mbedtls_cipher_list( void );
  * \brief               This function retrieves the cipher-information
  *                      structure associated with the given cipher name.
  *
- * \param cipher_name   Name of the cipher to search for.
+ * \param cipher_name   Name of the cipher to search for. This must not be
+ *                      \c NULL.
  *
  * \return              The cipher information structure associated with the
- *                      given \p cipher_name, or NULL if not found.
+ *                      given \p cipher_name.
+ * \return              \c NULL if the associated cipher information is not found.
  */
 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name );
 
@@ -310,7 +353,8 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher
  * \param cipher_type   Type of the cipher to search for.
  *
  * \return              The cipher information structure associated with the
- *                      given \p cipher_type, or NULL if not found.
+ *                      given \p cipher_type.
+ * \return              \c NULL if the associated cipher information is not found.
  */
 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type );
 
@@ -325,7 +369,8 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher
  * \param mode          The cipher mode. For example, #MBEDTLS_MODE_CBC.
  *
  * \return              The cipher information structure associated with the
- *                      given \p cipher_id, or NULL if not found.
+ *                      given \p cipher_id.
+ * \return              \c NULL if the associated cipher information is not found.
  */
 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
                                               int key_bitlen,
@@ -333,6 +378,8 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_ciph
 
 /**
  * \brief               This function initializes a \p cipher_context as NONE.
+ *
+ * \param ctx           The context to be initialized. This must not be \c NULL.
  */
 void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx );
 
@@ -340,6 +387,10 @@ void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx );
  * \brief               This function frees and clears the cipher-specific
  *                      context of \p ctx. Freeing \p ctx itself remains the
  *                      responsibility of the caller.
+ *
+ * \param ctx           The context to be freed. If this is \c NULL, the
+ *                      function has no effect, otherwise this must point to an
+ *                      initialized context.
  */
 void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx );
 
@@ -349,31 +400,35 @@ void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx );
  *                      structure with the appropriate values. It also clears
  *                      the structure.
  *
- * \param ctx           The context to initialize. May not be NULL.
+ * \param ctx           The context to initialize. This must be initialized.
  * \param cipher_info   The cipher to use.
  *
- * \return              \c 0 on success,
- *                      #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on parameter failure,
- *                      #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
- *                      cipher-specific context failed.
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
+ *                      cipher-specific context fails.
  *
  * \internal Currently, the function also clears the structure.
  * In future versions, the caller will be required to call
  * mbedtls_cipher_init() on the structure first.
  */
-int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info );
+int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,
+                          const mbedtls_cipher_info_t *cipher_info );
 
 /**
  * \brief        This function returns the block size of the given cipher.
  *
- * \param ctx    The context of the cipher. Must be initialized.
+ * \param ctx    The context of the cipher. This must be initialized.
  *
- * \return       The size of the blocks of the cipher, or zero if \p ctx
- *               has not been initialized.
+ * \return       The block size of the underlying cipher.
+ * \return       \c 0 if \p ctx has not been initialized.
  */
-static inline unsigned int mbedtls_cipher_get_block_size( const mbedtls_cipher_context_t *ctx )
+static inline unsigned int mbedtls_cipher_get_block_size(
+    const mbedtls_cipher_context_t *ctx )
 {
-    if( NULL == ctx || NULL == ctx->cipher_info )
+    MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 );
+    if( ctx->cipher_info == NULL )
         return 0;
 
     return ctx->cipher_info->block_size;
@@ -383,14 +438,16 @@ static inline unsigned int mbedtls_cipher_get_block_size( const mbedtls_cipher_c
  * \brief        This function returns the mode of operation for
  *               the cipher. For example, MBEDTLS_MODE_CBC.
  *
- * \param ctx    The context of the cipher. Must be initialized.
+ * \param ctx    The context of the cipher. This must be initialized.
  *
- * \return       The mode of operation, or #MBEDTLS_MODE_NONE if
- *               \p ctx has not been initialized.
+ * \return       The mode of operation.
+ * \return       #MBEDTLS_MODE_NONE if \p ctx has not been initialized.
  */
-static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode( const mbedtls_cipher_context_t *ctx )
+static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(
+    const mbedtls_cipher_context_t *ctx )
 {
-    if( NULL == ctx || NULL == ctx->cipher_info )
+    MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, MBEDTLS_MODE_NONE );
+    if( ctx->cipher_info == NULL )
         return MBEDTLS_MODE_NONE;
 
     return ctx->cipher_info->mode;
@@ -400,15 +457,17 @@ static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode( const mbedtl
  * \brief       This function returns the size of the IV or nonce
  *              of the cipher, in Bytes.
  *
- * \param ctx   The context of the cipher. Must be initialized.
+ * \param ctx   The context of the cipher. This must be initialized.
  *
- * \return      <ul><li>If no IV has been set: the recommended IV size.
- *              0 for ciphers not using IV or nonce.</li>
- *              <li>If IV has already been set: the actual size.</li></ul>
+ * \return      The recommended IV size if no IV has been set.
+ * \return      \c 0 for ciphers not using an IV or a nonce.
+ * \return      The actual size if an IV has been set.
  */
-static inline int mbedtls_cipher_get_iv_size( const mbedtls_cipher_context_t *ctx )
+static inline int mbedtls_cipher_get_iv_size(
+    const mbedtls_cipher_context_t *ctx )
 {
-    if( NULL == ctx || NULL == ctx->cipher_info )
+    MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 );
+    if( ctx->cipher_info == NULL )
         return 0;
 
     if( ctx->iv_size != 0 )
@@ -420,14 +479,17 @@ static inline int mbedtls_cipher_get_iv_size( const mbedtls_cipher_context_t *ct
 /**
  * \brief               This function returns the type of the given cipher.
  *
- * \param ctx           The context of the cipher. Must be initialized.
+ * \param ctx           The context of the cipher. This must be initialized.
  *
- * \return              The type of the cipher, or #MBEDTLS_CIPHER_NONE if
- *                      \p ctx has not been initialized.
+ * \return              The type of the cipher.
+ * \return              #MBEDTLS_CIPHER_NONE if \p ctx has not been initialized.
  */
-static inline mbedtls_cipher_type_t mbedtls_cipher_get_type( const mbedtls_cipher_context_t *ctx )
+static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(
+    const mbedtls_cipher_context_t *ctx )
 {
-    if( NULL == ctx || NULL == ctx->cipher_info )
+    MBEDTLS_INTERNAL_VALIDATE_RET(
+        ctx != NULL, MBEDTLS_CIPHER_NONE );
+    if( ctx->cipher_info == NULL )
         return MBEDTLS_CIPHER_NONE;
 
     return ctx->cipher_info->type;
@@ -437,14 +499,16 @@ static inline mbedtls_cipher_type_t mbedtls_cipher_get_type( const mbedtls_ciphe
  * \brief               This function returns the name of the given cipher
  *                      as a string.
  *
- * \param ctx           The context of the cipher. Must be initialized.
+ * \param ctx           The context of the cipher. This must be initialized.
  *
- * \return              The name of the cipher, or NULL if \p ctx has not
- *                      been not initialized.
+ * \return              The name of the cipher.
+ * \return              NULL if \p ctx has not been not initialized.
  */
-static inline const char *mbedtls_cipher_get_name( const mbedtls_cipher_context_t *ctx )
+static inline const char *mbedtls_cipher_get_name(
+    const mbedtls_cipher_context_t *ctx )
 {
-    if( NULL == ctx || NULL == ctx->cipher_info )
+    MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 );
+    if( ctx->cipher_info == NULL )
         return 0;
 
     return ctx->cipher_info->name;
@@ -453,15 +517,18 @@ static inline const char *mbedtls_cipher_get_name( const mbedtls_cipher_context_
 /**
  * \brief               This function returns the key length of the cipher.
  *
- * \param ctx           The context of the cipher. Must be initialized.
+ * \param ctx           The context of the cipher. This must be initialized.
  *
- * \return              The key length of the cipher in bits, or
- *                      #MBEDTLS_KEY_LENGTH_NONE if ctx \p has not been
+ * \return              The key length of the cipher in bits.
+ * \return              #MBEDTLS_KEY_LENGTH_NONE if ctx \p has not been
  *                      initialized.
  */
-static inline int mbedtls_cipher_get_key_bitlen( const mbedtls_cipher_context_t *ctx )
+static inline int mbedtls_cipher_get_key_bitlen(
+    const mbedtls_cipher_context_t *ctx )
 {
-    if( NULL == ctx || NULL == ctx->cipher_info )
+    MBEDTLS_INTERNAL_VALIDATE_RET(
+        ctx != NULL, MBEDTLS_KEY_LENGTH_NONE );
+    if( ctx->cipher_info == NULL )
         return MBEDTLS_KEY_LENGTH_NONE;
 
     return (int) ctx->cipher_info->key_bitlen;
@@ -470,15 +537,17 @@ static inline int mbedtls_cipher_get_key_bitlen( const mbedtls_cipher_context_t
 /**
  * \brief          This function returns the operation of the given cipher.
  *
- * \param ctx      The context of the cipher. Must be initialized.
+ * \param ctx      The context of the cipher. This must be initialized.
  *
- * \return         The type of operation: #MBEDTLS_ENCRYPT or
- *                 #MBEDTLS_DECRYPT, or #MBEDTLS_OPERATION_NONE if \p ctx
- *                 has not been initialized.
+ * \return         The type of operation: #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
+ * \return         #MBEDTLS_OPERATION_NONE if \p ctx has not been initialized.
  */
-static inline mbedtls_operation_t mbedtls_cipher_get_operation( const mbedtls_cipher_context_t *ctx )
+static inline mbedtls_operation_t mbedtls_cipher_get_operation(
+    const mbedtls_cipher_context_t *ctx )
 {
-    if( NULL == ctx || NULL == ctx->cipher_info )
+    MBEDTLS_INTERNAL_VALIDATE_RET(
+        ctx != NULL, MBEDTLS_OPERATION_NONE );
+    if( ctx->cipher_info == NULL )
         return MBEDTLS_OPERATION_NONE;
 
     return ctx->operation;
@@ -487,20 +556,23 @@ static inline mbedtls_operation_t mbedtls_cipher_get_operation( const mbedtls_ci
 /**
  * \brief               This function sets the key to use with the given context.
  *
- * \param ctx           The generic cipher context. May not be NULL. Must have
- *                      been initialized using mbedtls_cipher_info_from_type()
- *                      or mbedtls_cipher_info_from_string().
- * \param key           The key to use.
- * \param key_bitlen    The key length to use, in bits.
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a cipher information structure.
+ * \param key           The key to use. This must be a readable buffer of at
+ *                      least \p key_bitlen Bits.
+ * \param key_bitlen    The key length to use, in Bits.
  * \param operation     The operation that the key will be used for:
  *                      #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
  *
- * \returns             \c 0 on success, #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if
- *                      parameter verification fails, or a cipher-specific
- *                      error code.
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              A cipher-specific error code on failure.
  */
-int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *key,
-                   int key_bitlen, const mbedtls_operation_t operation );
+int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
+                           const unsigned char *key,
+                           int key_bitlen,
+                           const mbedtls_operation_t operation );
 
 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
 /**
@@ -509,59 +581,71 @@ int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *k
  *
  *                      The default passing mode is PKCS7 padding.
  *
- * \param ctx           The generic cipher context.
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a cipher information structure.
  * \param mode          The padding mode.
  *
- * \returns             \c 0 on success, #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
- *                      if the selected padding mode is not supported, or
- *                      #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if the cipher mode
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
+ *                      if the selected padding mode is not supported.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if the cipher mode
  *                      does not support padding.
  */
-int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode );
+int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
+                                     mbedtls_cipher_padding_t mode );
 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
 
 /**
  * \brief           This function sets the initialization vector (IV)
  *                  or nonce.
  *
- * \param ctx       The generic cipher context.
- * \param iv        The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ * \note            Some ciphers do not use IVs nor nonce. For these
+ *                  ciphers, this function has no effect.
+ *
+ * \param ctx       The generic cipher context. This must be initialized and
+ *                  bound to a cipher information structure.
+ * \param iv        The IV to use, or NONCE_COUNTER for CTR-mode ciphers. This
+ *                  must be a readable buffer of at least \p iv_len Bytes.
  * \param iv_len    The IV length for ciphers with variable-size IV.
  *                  This parameter is discarded by ciphers with fixed-size IV.
  *
- * \returns         \c 0 on success, or #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
- *
- * \note            Some ciphers do not use IVs nor nonce. For these
- *                  ciphers, this function has no effect.
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                  parameter-verification failure.
  */
 int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
-                   const unsigned char *iv, size_t iv_len );
+                           const unsigned char *iv,
+                           size_t iv_len );
 
 /**
  * \brief         This function resets the cipher state.
  *
- * \param ctx     The generic cipher context.
+ * \param ctx     The generic cipher context. This must be initialized.
  *
- * \returns       \c 0 on success, #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
- *                if parameter verification fails.
+ * \return        \c 0 on success.
+ * \return        #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                parameter-verification failure.
  */
 int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx );
 
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
 /**
  * \brief               This function adds additional data for AEAD ciphers.
- *                      Only supported with GCM. Must be called
- *                      exactly once, after mbedtls_cipher_reset().
+ *                      Currently supported with GCM and ChaCha20+Poly1305.
+ *                      This must be called exactly once, after
+ *                      mbedtls_cipher_reset().
  *
- * \param ctx           The generic cipher context.
- * \param ad            The additional data to use.
- * \param ad_len        the Length of \p ad.
+ * \param ctx           The generic cipher context. This must be initialized.
+ * \param ad            The additional data to use. This must be a readable
+ *                      buffer of at least \p ad_len Bytes.
+ * \param ad_len        the Length of \p ad Bytes.
  *
- * \return              \c 0 on success, or a specific error code on failure.
+ * \return              \c 0 on success.
+ * \return              A specific error code on failure.
  */
 int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
                       const unsigned char *ad, size_t ad_len );
-#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
 
 /**
  * \brief               The generic cipher update function. It encrypts or
@@ -573,25 +657,29 @@ int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
  *                      Exception: For MBEDTLS_MODE_ECB, expects a single block
  *                      in size. For example, 16 Bytes for AES.
  *
- * \param ctx           The generic cipher context.
- * \param input         The buffer holding the input data.
+ * \note                If the underlying cipher is used in GCM mode, all calls
+ *                      to this function, except for the last one before
+ *                      mbedtls_cipher_finish(), must have \p ilen as a
+ *                      multiple of the block size of the cipher.
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a key.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes.
  * \param ilen          The length of the input data.
- * \param output        The buffer for the output data. Must be able to hold at
- *                      least \p ilen + block_size. Must not be the same buffer
- *                      as input.
+ * \param output        The buffer for the output data. This must be able to
+ *                      hold at least `ilen + block_size`. This must not be the
+ *                      same buffer as \p input.
  * \param olen          The length of the output data, to be updated with the
- *                      actual number of Bytes written.
+ *                      actual number of Bytes written. This must not be
+ *                      \c NULL.
  *
- * \returns             \c 0 on success, #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if
- *                      parameter verification fails,
- *                      #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE on an
- *                      unsupported mode for a cipher, or a cipher-specific
- *                      error code.
- *
- * \note                If the underlying cipher is GCM, all calls to this
- *                      function, except the last one before
- *                      mbedtls_cipher_finish(). Must have \p ilen as a
- *                      multiple of the block_size.
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE on an
+ *                      unsupported mode for a cipher.
+ * \return              A cipher-specific error code on failure.
  */
 int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
                    size_t ilen, unsigned char *output, size_t *olen );
@@ -602,78 +690,94 @@ int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *i
  *                      contained in it is padded to the size of
  *                      the last block, and written to the \p output buffer.
  *
- * \param ctx           The generic cipher context.
- * \param output        The buffer to write data to. Needs block_size available.
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a key.
+ * \param output        The buffer to write data to. This needs to be a writable
+ *                      buffer of at least \p block_size Bytes.
  * \param olen          The length of the data written to the \p output buffer.
+ *                      This may not be \c NULL.
  *
- * \returns             \c 0 on success, #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if
- *                      parameter verification fails,
- *                      #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED if decryption
- *                      expected a full block but was not provided one,
- *                      #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
- *                      while decrypting, or a cipher-specific error code
- *                      on failure for any other reason.
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
+ *                      expecting a full block but not receiving one.
+ * \return              #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
+ *                      while decrypting.
+ * \return              A cipher-specific error code on failure.
  */
 int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
                    unsigned char *output, size_t *olen );
 
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
 /**
  * \brief               This function writes a tag for AEAD ciphers.
- *                      Only supported with GCM.
- *                      Must be called after mbedtls_cipher_finish().
- *
- * \param ctx           The generic cipher context.
- * \param tag           The buffer to write the tag to.
+ *                      Currently supported with GCM and ChaCha20+Poly1305.
+ *                      This must be called after mbedtls_cipher_finish().
+ *
+ * \param ctx           The generic cipher context. This must be initialized,
+ *                      bound to a key, and have just completed a cipher
+ *                      operation through mbedtls_cipher_finish() the tag for
+ *                      which should be written.
+ * \param tag           The buffer to write the tag to. This must be a writable
+ *                      buffer of at least \p tag_len Bytes.
  * \param tag_len       The length of the tag to write.
  *
- * \return              \c 0 on success, or a specific error code on failure.
+ * \return              \c 0 on success.
+ * \return              A specific error code on failure.
  */
 int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
                       unsigned char *tag, size_t tag_len );
 
 /**
  * \brief               This function checks the tag for AEAD ciphers.
- *                      Only supported with GCM.
- *                      Must be called after mbedtls_cipher_finish().
+ *                      Currently supported with GCM and ChaCha20+Poly1305.
+ *                      This must be called after mbedtls_cipher_finish().
  *
- * \param ctx           The generic cipher context.
- * \param tag           The buffer holding the tag.
+ * \param ctx           The generic cipher context. This must be initialized.
+ * \param tag           The buffer holding the tag. This must be a readable
+ *                      buffer of at least \p tag_len Bytes.
  * \param tag_len       The length of the tag to check.
  *
- * \return              \c 0 on success, or a specific error code on failure.
+ * \return              \c 0 on success.
+ * \return              A specific error code on failure.
  */
 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
                       const unsigned char *tag, size_t tag_len );
-#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
 
 /**
  * \brief               The generic all-in-one encryption/decryption function,
  *                      for all ciphers except AEAD constructs.
  *
- * \param ctx           The generic cipher context.
+ * \param ctx           The generic cipher context. This must be initialized.
  * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ *                      This must be a readable buffer of at least \p iv_len
+ *                      Bytes.
  * \param iv_len        The IV length for ciphers with variable-size IV.
  *                      This parameter is discarded by ciphers with fixed-size
  *                      IV.
- * \param input         The buffer holding the input data.
- * \param ilen          The length of the input data.
- * \param output        The buffer for the output data. Must be able to hold at
- *                      least \p ilen + block_size. Must not be the same buffer
- *                      as input.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes.
+ * \param ilen          The length of the input data in Bytes.
+ * \param output        The buffer for the output data. This must be able to
+ *                      hold at least `ilen + block_size`. This must not be the
+ *                      same buffer as \p input.
  * \param olen          The length of the output data, to be updated with the
- *                      actual number of Bytes written.
+ *                      actual number of Bytes written. This must not be
+ *                      \c NULL.
  *
  * \note                Some ciphers do not use IVs nor nonce. For these
  *                      ciphers, use \p iv = NULL and \p iv_len = 0.
  *
- * \returns             \c 0 on success, or
- *                      #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, or
- *                      #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED if decryption
- *                      expected a full block but was not provided one, or
- *                      #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
- *                      while decrypting, or a cipher-specific error code on
- *                      failure for any other reason.
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
+ *                      expecting a full block but not receiving one.
+ * \return              #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
+ *                      while decrypting.
+ * \return              A cipher-specific error code on failure.
  */
 int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
                   const unsigned char *iv, size_t iv_len,
@@ -684,24 +788,32 @@ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
 /**
  * \brief               The generic autenticated encryption (AEAD) function.
  *
- * \param ctx           The generic cipher context.
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a key.
  * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ *                      This must be a readable buffer of at least \p iv_len
+ *                      Bytes.
  * \param iv_len        The IV length for ciphers with variable-size IV.
  *                      This parameter is discarded by ciphers with fixed-size IV.
- * \param ad            The additional data to authenticate.
+ * \param ad            The additional data to authenticate. This must be a
+ *                      readable buffer of at least \p ad_len Bytes.
  * \param ad_len        The length of \p ad.
- * \param input         The buffer holding the input data.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes.
  * \param ilen          The length of the input data.
- * \param output        The buffer for the output data.
- *                      Must be able to hold at least \p ilen.
+ * \param output        The buffer for the output data. This must be able to
+ *                      hold at least \p ilen Bytes.
  * \param olen          The length of the output data, to be updated with the
- *                      actual number of Bytes written.
- * \param tag           The buffer for the authentication tag.
+ *                      actual number of Bytes written. This must not be
+ *                      \c NULL.
+ * \param tag           The buffer for the authentication tag. This must be a
+ *                      writable buffer of at least \p tag_len Bytes.
  * \param tag_len       The desired length of the authentication tag.
  *
- * \returns             \c 0 on success, or
- *                      #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, or
- *                      a cipher-specific error code.
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              A cipher-specific error code on failure.
  */
 int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
                          const unsigned char *iv, size_t iv_len,
@@ -713,29 +825,37 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
 /**
  * \brief               The generic autenticated decryption (AEAD) function.
  *
- * \param ctx           The generic cipher context.
+ * \note                If the data is not authentic, then the output buffer
+ *                      is zeroed out to prevent the unauthentic plaintext being
+ *                      used, making this interface safer.
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      and bound to a key.
  * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ *                      This must be a readable buffer of at least \p iv_len
+ *                      Bytes.
  * \param iv_len        The IV length for ciphers with variable-size IV.
  *                      This parameter is discarded by ciphers with fixed-size IV.
- * \param ad            The additional data to be authenticated.
+ * \param ad            The additional data to be authenticated. This must be a
+ *                      readable buffer of at least \p ad_len Bytes.
  * \param ad_len        The length of \p ad.
- * \param input         The buffer holding the input data.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes.
  * \param ilen          The length of the input data.
  * \param output        The buffer for the output data.
- *                      Must be able to hold at least \p ilen.
+ *                      This must be able to hold at least \p ilen Bytes.
  * \param olen          The length of the output data, to be updated with the
- *                      actual number of Bytes written.
- * \param tag           The buffer holding the authentication tag.
+ *                      actual number of Bytes written. This must not be
+ *                      \c NULL.
+ * \param tag           The buffer holding the authentication tag. This must be
+ *                      a readable buffer of at least \p tag_len Bytes.
  * \param tag_len       The length of the authentication tag.
  *
- * \returns             \c 0 on success, or
- *                      #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, or
- *                      #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic,
- *                      or a cipher-specific error code on failure for any other reason.
- *
- * \note                If the data is not authentic, then the output buffer
- *                      is zeroed out to prevent the unauthentic plaintext being
- *                      used, making this interface safer.
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic.
+ * \return              A cipher-specific error code on failure.
  */
 int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
                          const unsigned char *iv, size_t iv_len,
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/cipher_internal.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/cipher_internal.h
index 969ff9ccb8..c6def0bef7 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/cipher_internal.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/cipher_internal.h
@@ -64,6 +64,14 @@ struct mbedtls_cipher_base_t
                      unsigned char *output );
 #endif
 
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    /** Encrypt using OFB (Full length) */
+    int (*ofb_func)( void *ctx, size_t length, size_t *iv_off,
+                     unsigned char *iv,
+                     const unsigned char *input,
+                     unsigned char *output );
+#endif
+
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     /** Encrypt using CTR */
     int (*ctr_func)( void *ctx, size_t length, size_t *nc_off,
@@ -71,6 +79,13 @@ struct mbedtls_cipher_base_t
                      const unsigned char *input, unsigned char *output );
 #endif
 
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    /** Encrypt or decrypt using XTS. */
+    int (*xts_func)( void *ctx, mbedtls_operation_t mode, size_t length,
+                     const unsigned char data_unit[16],
+                     const unsigned char *input, unsigned char *output );
+#endif
+
 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
     /** Encrypt using STREAM */
     int (*stream_func)( void *ctx, size_t length,
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/cmac.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/cmac.h
index adfe1c3e01..9d42b3f209 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/cmac.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/cmac.h
@@ -1,8 +1,10 @@
 /**
  * \file cmac.h
  *
- * \brief The Cipher-based Message Authentication Code (CMAC) Mode for
- *        Authentication.
+ * \brief This file contains CMAC definitions and functions.
+ *
+ * The Cipher-based Message Authentication Code (CMAC) Mode for
+ * Authentication is defined in <em>RFC-4493: The AES-CMAC Algorithm</em>.
  */
 /*
  *  Copyright (C) 2015-2018, Arm Limited (or its affiliates), All Rights Reserved
@@ -38,15 +40,16 @@
 extern "C" {
 #endif
 
+/* MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED -0x007A  /**< CMAC hardware accelerator failed. */
 
 #define MBEDTLS_AES_BLOCK_SIZE          16
 #define MBEDTLS_DES3_BLOCK_SIZE         8
 
 #if defined(MBEDTLS_AES_C)
-#define MBEDTLS_CIPHER_BLKSIZE_MAX      16  /* The longest block used by CMAC is that of AES. */
+#define MBEDTLS_CIPHER_BLKSIZE_MAX      16  /**< The longest block used by CMAC is that of AES. */
 #else
-#define MBEDTLS_CIPHER_BLKSIZE_MAX      8   /* The longest block used by CMAC is that of 3DES. */
+#define MBEDTLS_CIPHER_BLKSIZE_MAX      8   /**< The longest block used by CMAC is that of 3DES. */
 #endif
 
 #if !defined(MBEDTLS_CMAC_ALT)
@@ -67,22 +70,25 @@ struct mbedtls_cmac_context_t
     size_t              unprocessed_len;
 };
 
+#else  /* !MBEDTLS_CMAC_ALT */
+#include "cmac_alt.h"
+#endif /* !MBEDTLS_CMAC_ALT */
+
 /**
  * \brief               This function sets the CMAC key, and prepares to authenticate
  *                      the input data.
  *                      Must be called with an initialized cipher context.
  *
  * \param ctx           The cipher context used for the CMAC operation, initialized
- *                      as one of the following types:<ul>
- *                      <li>MBEDTLS_CIPHER_AES_128_ECB</li>
- *                      <li>MBEDTLS_CIPHER_AES_192_ECB</li>
- *                      <li>MBEDTLS_CIPHER_AES_256_ECB</li>
- *                      <li>MBEDTLS_CIPHER_DES_EDE3_ECB</li></ul>
+ *                      as one of the following types: MBEDTLS_CIPHER_AES_128_ECB,
+ *                      MBEDTLS_CIPHER_AES_192_ECB, MBEDTLS_CIPHER_AES_256_ECB,
+ *                      or MBEDTLS_CIPHER_DES_EDE3_ECB.
  * \param key           The CMAC key.
  * \param keybits       The length of the CMAC key in bits.
  *                      Must be supported by the cipher.
  *
- * \return              \c 0 on success, or a cipher-specific error code.
+ * \return              \c 0 on success.
+ * \return              A cipher-specific error code on failure.
  */
 int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
                                 const unsigned char *key, size_t keybits );
@@ -99,8 +105,9 @@ int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
  * \param input         The buffer holding the input data.
  * \param ilen          The length of the input data.
  *
- * \returns             \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA
- *                      if parameter verification fails.
+ * \return             \c 0 on success.
+ * \return             #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ *                     if parameter verification fails.
  */
 int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
                                 const unsigned char *input, size_t ilen );
@@ -116,7 +123,8 @@ int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
  * \param ctx           The cipher context used for the CMAC operation.
  * \param output        The output buffer for the CMAC checksum result.
  *
- * \returns             \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA
  *                      if parameter verification fails.
  */
 int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
@@ -132,7 +140,8 @@ int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
  *
  * \param ctx           The cipher context used for the CMAC operation.
  *
- * \returns             \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA
  *                      if parameter verification fails.
  */
 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx );
@@ -155,7 +164,8 @@ int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx );
  * \param ilen          The length of the input data.
  * \param output        The buffer for the generic CMAC result.
  *
- * \returns             \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA
  *                      if parameter verification fails.
  */
 int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
@@ -186,23 +196,12 @@ int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_len,
                               unsigned char output[16] );
 #endif /* MBEDTLS_AES_C */
 
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* !MBEDTLS_CMAC_ALT */
-#include "cmac_alt.h"
-#endif /* !MBEDTLS_CMAC_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 #if defined(MBEDTLS_SELF_TEST) && ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) )
 /**
  * \brief          The CMAC checkup routine.
  *
- * \return         \c 0 on success, or \c 1 on failure.
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
  */
 int mbedtls_cmac_self_test( int verbose );
 #endif /* MBEDTLS_SELF_TEST && ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/compat-1.3.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/compat-1.3.h
index 94de845dd8..a58b47243d 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/compat-1.3.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/compat-1.3.h
@@ -1384,7 +1384,8 @@
 #define SSL_ANTI_REPLAY_ENABLED MBEDTLS_SSL_ANTI_REPLAY_ENABLED
 #define SSL_ARC4_DISABLED MBEDTLS_SSL_ARC4_DISABLED
 #define SSL_ARC4_ENABLED MBEDTLS_SSL_ARC4_ENABLED
-#define SSL_BUFFER_LEN MBEDTLS_SSL_BUFFER_LEN
+#define SSL_BUFFER_LEN ( ( ( MBEDTLS_SSL_IN_BUFFER_LEN ) < ( MBEDTLS_SSL_OUT_BUFFER_LEN ) ) \
+                         ? ( MBEDTLS_SSL_IN_BUFFER_LEN ) : ( MBEDTLS_SSL_OUT_BUFFER_LEN ) )
 #define SSL_CACHE_DEFAULT_MAX_ENTRIES MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES
 #define SSL_CACHE_DEFAULT_TIMEOUT MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT
 #define SSL_CBC_RECORD_SPLITTING_DISABLED MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/config.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/config.h
index f3039f937f..654f9725e4 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/config.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/config.h
@@ -8,7 +8,7 @@
  *  memory footprint.
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
  *  SPDX-License-Identifier: Apache-2.0
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -48,10 +48,14 @@
  * Requires support for asm() in compiler.
  *
  * Used in:
+ *      library/aria.c
  *      library/timing.c
- *      library/padlock.c
  *      include/mbedtls/bn_mul.h
  *
+ * Required by:
+ *      MBEDTLS_AESNI_C
+ *      MBEDTLS_PADLOCK_C
+ *
  * Comment to disable the use of assembly code.
  */
 #define MBEDTLS_HAVE_ASM
@@ -84,6 +88,28 @@
  */
 //#define MBEDTLS_NO_UDBL_DIVISION
 
+/**
+ * \def MBEDTLS_NO_64BIT_MULTIPLICATION
+ *
+ * The platform lacks support for 32x32 -> 64-bit multiplication.
+ *
+ * Used in:
+ *      library/poly1305.c
+ *
+ * Some parts of the library may use multiplication of two unsigned 32-bit
+ * operands with a 64-bit result in order to speed up computations. On some
+ * platforms, this is not available in hardware and has to be implemented in
+ * software, usually in a library provided by the toolchain.
+ *
+ * Sometimes it is not desirable to have to link to that library. This option
+ * removes the dependency of that library on platforms that lack a hardware
+ * 64-bit multiplier by embedding a software implementation in Mbed TLS.
+ *
+ * Note that depending on the compiler, this may decrease performance compared
+ * to using the library function provided by the toolchain.
+ */
+//#define MBEDTLS_NO_64BIT_MULTIPLICATION
+
 /**
  * \def MBEDTLS_HAVE_SSE2
  *
@@ -111,12 +137,21 @@
 /**
  * \def MBEDTLS_HAVE_TIME_DATE
  *
- * System has time.h and time(), gmtime() and the clock is correct.
+ * System has time.h, time(), and an implementation for
+ * mbedtls_platform_gmtime_r() (see below).
  * The time needs to be correct (not necesarily very accurate, but at least
  * the date should be correct). This is used to verify the validity period of
  * X.509 certificates.
  *
  * Comment if your system does not have a correct clock.
+ *
+ * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that
+ * behaves similarly to the gmtime_r() function from the C standard. Refer to
+ * the documentation for mbedtls_platform_gmtime_r() for more information.
+ *
+ * \note It is possible to configure an implementation for
+ * mbedtls_platform_gmtime_r() at compile-time by using the macro
+ * MBEDTLS_PLATFORM_GMTIME_R_ALT.
  */
 #define MBEDTLS_HAVE_TIME_DATE
 
@@ -221,6 +256,48 @@
  */
 //#define MBEDTLS_DEPRECATED_REMOVED
 
+/**
+ * \def MBEDTLS_CHECK_PARAMS
+ *
+ * This configuration option controls whether the library validates more of
+ * the parameters passed to it.
+ *
+ * When this flag is not defined, the library only attempts to validate an
+ * input parameter if: (1) they may come from the outside world (such as the
+ * network, the filesystem, etc.) or (2) not validating them could result in
+ * internal memory errors such as overflowing a buffer controlled by the
+ * library. On the other hand, it doesn't attempt to validate parameters whose
+ * values are fully controlled by the application (such as pointers).
+ *
+ * When this flag is defined, the library additionally attempts to validate
+ * parameters that are fully controlled by the application, and should always
+ * be valid if the application code is fully correct and trusted.
+ *
+ * For example, when a function accepts as input a pointer to a buffer that may
+ * contain untrusted data, and its documentation mentions that this pointer
+ * must not be NULL:
+ * - the pointer is checked to be non-NULL only if this option is enabled
+ * - the content of the buffer is always validated
+ *
+ * When this flag is defined, if a library function receives a parameter that
+ * is invalid, it will:
+ * - invoke the macro MBEDTLS_PARAM_FAILED() which by default expands to a
+ *   call to the function mbedtls_param_failed()
+ * - immediately return (with a specific error code unless the function
+ *   returns void and can't communicate an error).
+ *
+ * When defining this flag, you also need to:
+ * - either provide a definition of the function mbedtls_param_failed() in
+ *   your application (see platform_util.h for its prototype) as the library
+ *   calls that function, but does not provide a default definition for it,
+ * - or provide a different definition of the macro MBEDTLS_PARAM_FAILED()
+ *   below if the above mechanism is not flexible enough to suit your needs.
+ *   See the documentation of this macro later in this file.
+ *
+ * Uncomment to enable validation of application-controlled parameters.
+ */
+//#define MBEDTLS_CHECK_PARAMS
+
 /* \} name SECTION: System support */
 
 /**
@@ -271,23 +348,29 @@
  */
 //#define MBEDTLS_AES_ALT
 //#define MBEDTLS_ARC4_ALT
+//#define MBEDTLS_ARIA_ALT
 //#define MBEDTLS_BLOWFISH_ALT
 //#define MBEDTLS_CAMELLIA_ALT
 //#define MBEDTLS_CCM_ALT
+//#define MBEDTLS_CHACHA20_ALT
+//#define MBEDTLS_CHACHAPOLY_ALT
 //#define MBEDTLS_CMAC_ALT
 //#define MBEDTLS_DES_ALT
 //#define MBEDTLS_DHM_ALT
 //#define MBEDTLS_ECJPAKE_ALT
 //#define MBEDTLS_GCM_ALT
+//#define MBEDTLS_NIST_KW_ALT
 //#define MBEDTLS_MD2_ALT
 //#define MBEDTLS_MD4_ALT
 //#define MBEDTLS_MD5_ALT
+//#define MBEDTLS_POLY1305_ALT
 //#define MBEDTLS_RIPEMD160_ALT
 //#define MBEDTLS_RSA_ALT
 //#define MBEDTLS_SHA1_ALT
 //#define MBEDTLS_SHA256_ALT
 //#define MBEDTLS_SHA512_ALT
 //#define MBEDTLS_XTEA_ALT
+
 /*
  * When replacing the elliptic curve module, pleace consider, that it is
  * implemented with two .c files:
@@ -373,11 +456,11 @@
  *      unsigned char mbedtls_internal_ecp_grp_capable(
  *          const mbedtls_ecp_group *grp )
  *      int  mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
- *      void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp )
+ *      void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp )
  * The mbedtls_internal_ecp_grp_capable function should return 1 if the
  * replacement functions implement arithmetic for the given group and 0
  * otherwise.
- * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are
+ * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_free are
  * called before and after each point operation and provide an opportunity to
  * implement optimized set up and tear down instructions.
  *
@@ -440,12 +523,45 @@
 /**
  * \def MBEDTLS_AES_ROM_TABLES
  *
- * Store the AES tables in ROM.
+ * Use precomputed AES tables stored in ROM.
+ *
+ * Uncomment this macro to use precomputed AES tables stored in ROM.
+ * Comment this macro to generate AES tables in RAM at runtime.
+ *
+ * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
+ * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
+ * initialization time before the first AES operation can be performed.
+ * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
+ * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
+ * performance if ROM access is slower than RAM access.
+ *
+ * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
  *
- * Uncomment this macro to store the AES tables in ROM.
  */
 //#define MBEDTLS_AES_ROM_TABLES
 
+/**
+ * \def MBEDTLS_AES_FEWER_TABLES
+ *
+ * Use less ROM/RAM for AES tables.
+ *
+ * Uncommenting this macro omits 75% of the AES tables from
+ * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
+ * by computing their values on the fly during operations
+ * (the tables are entry-wise rotations of one another).
+ *
+ * Tradeoff: Uncommenting this reduces the RAM / ROM footprint
+ * by ~6kb but at the cost of more arithmetic operations during
+ * runtime. Specifically, one has to compare 4 accesses within
+ * different tables to 4 accesses with additional arithmetic
+ * operations within the same table. The performance gain/loss
+ * depends on the system and memory details.
+ *
+ * This option is independent of \c MBEDTLS_AES_ROM_TABLES.
+ *
+ */
+//#define MBEDTLS_AES_FEWER_TABLES
+
 /**
  * \def MBEDTLS_CAMELLIA_SMALL_MEMORY
  *
@@ -476,6 +592,20 @@
  */
 #define MBEDTLS_CIPHER_MODE_CTR
 
+/**
+ * \def MBEDTLS_CIPHER_MODE_OFB
+ *
+ * Enable Output Feedback mode (OFB) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_OFB
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_XTS
+ *
+ * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
+ */
+#define MBEDTLS_CIPHER_MODE_XTS
+
 /**
  * \def MBEDTLS_CIPHER_NULL_CIPHER
  *
@@ -596,6 +726,7 @@
 #define MBEDTLS_ECP_DP_BP384R1_ENABLED
 #define MBEDTLS_ECP_DP_BP512R1_ENABLED
 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#define MBEDTLS_ECP_DP_CURVE448_ENABLED
 
 /**
  * \def MBEDTLS_ECP_NIST_OPTIM
@@ -608,6 +739,30 @@
  */
 #define MBEDTLS_ECP_NIST_OPTIM
 
+/**
+ * \def MBEDTLS_ECP_RESTARTABLE
+ *
+ * Enable "non-blocking" ECC operations that can return early and be resumed.
+ *
+ * This allows various functions to pause by returning
+ * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in
+ * order to further progress and eventually complete their operation. This is
+ * controlled through mbedtls_ecp_set_max_ops() which limits the maximum
+ * number of ECC operations a function may perform before pausing; see
+ * mbedtls_ecp_set_max_ops() for more information.
+ *
+ * This is useful in non-threaded environments if you want to avoid blocking
+ * for too long on ECC (and, hence, X.509 or SSL/TLS) operations.
+ *
+ * Uncomment this macro to enable restartable ECC computations.
+ *
+ * \note  This option only works with the default software implementation of
+ *        elliptic curve functionality. It is incompatible with
+ *        MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT and MBEDTLS_ECDSA_XXX_ALT.
+ */
+//#define MBEDTLS_ECP_RESTARTABLE
+
 /**
  * \def MBEDTLS_ECDSA_DETERMINISTIC
  *
@@ -1114,6 +1269,17 @@
  */
 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES
 
+/**
+ * \def MBEDTLS_SSL_ASYNC_PRIVATE
+ *
+ * Enable asynchronous external private key operations in SSL. This allows
+ * you to configure an SSL connection to call an external cryptographic
+ * module to perform private key operations instead of performing the
+ * operation inside the library.
+ *
+ */
+//#define MBEDTLS_SSL_ASYNC_PRIVATE
+
 /**
  * \def MBEDTLS_SSL_DEBUG_ALL
  *
@@ -1562,6 +1728,9 @@
  *
  * \note Currently compression can't be used with DTLS.
  *
+ * \deprecated This feature is deprecated and will be removed
+ *             in the next major revision of the library.
+ *
  * Used in: library/ssl_tls.c
  *          library/ssl_cli.c
  *          library/ssl_srv.c
@@ -1600,7 +1769,7 @@
  * Enable the AES block cipher.
  *
  * Module:  library/aes.c
- * Caller:  library/ssl_tls.c
+ * Caller:  library/cipher.c
  *          library/pem.c
  *          library/ctr_drbg.c
  *
@@ -1675,7 +1844,7 @@
  * Enable the ARCFOUR stream cipher.
  *
  * Module:  library/arc4.c
- * Caller:  library/ssl_tls.c
+ * Caller:  library/cipher.c
  *
  * This module enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -1769,7 +1938,7 @@
  * Enable the Camellia block cipher.
  *
  * Module:  library/camellia.c
- * Caller:  library/ssl_tls.c
+ * Caller:  library/cipher.c
  *
  * This module enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -1818,6 +1987,58 @@
  */
 #define MBEDTLS_CAMELLIA_C
 
+/**
+ * \def MBEDTLS_ARIA_C
+ *
+ * Enable the ARIA block cipher.
+ *
+ * Module:  library/aria.c
+ * Caller:  library/cipher.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *
+ *      MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
+ */
+//#define MBEDTLS_ARIA_C
+
 /**
  * \def MBEDTLS_CCM_C
  *
@@ -1844,6 +2065,26 @@
  */
 #define MBEDTLS_CERTS_C
 
+/**
+ * \def MBEDTLS_CHACHA20_C
+ *
+ * Enable the ChaCha20 stream cipher.
+ *
+ * Module:  library/chacha20.c
+ */
+#define MBEDTLS_CHACHA20_C
+
+/**
+ * \def MBEDTLS_CHACHAPOLY_C
+ *
+ * Enable the ChaCha20-Poly1305 AEAD algorithm.
+ *
+ * Module:  library/chachapoly.c
+ *
+ * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
+ */
+#define MBEDTLS_CHACHAPOLY_C
+
 /**
  * \def MBEDTLS_CIPHER_C
  *
@@ -1872,14 +2113,16 @@
 /**
  * \def MBEDTLS_CTR_DRBG_C
  *
- * Enable the CTR_DRBG AES-256-based random generator.
+ * Enable the CTR_DRBG AES-based random generator.
+ * The CTR_DRBG generator uses AES-256 by default.
+ * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below.
  *
  * Module:  library/ctr_drbg.c
  * Caller:
  *
  * Requires: MBEDTLS_AES_C
  *
- * This module provides the CTR_DRBG AES-256 random number generator.
+ * This module provides the CTR_DRBG AES random number generator.
  */
 #define MBEDTLS_CTR_DRBG_C
 
@@ -1904,7 +2147,7 @@
  *
  * Module:  library/des.c
  * Caller:  library/pem.c
- *          library/ssl_tls.c
+ *          library/cipher.c
  *
  * This module enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -2074,6 +2317,21 @@
  */
 //#define MBEDTLS_HAVEGE_C
 
+/**
+ * \def MBEDTLS_HKDF_C
+ *
+ * Enable the HKDF algorithm (RFC 5869).
+ *
+ * Module:  library/hkdf.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * This module adds support for the Hashed Message Authentication Code
+ * (HMAC)-based key derivation function (HKDF).
+ */
+#define MBEDTLS_HKDF_C
+
 /**
  * \def MBEDTLS_HMAC_DRBG_C
  *
@@ -2088,6 +2346,19 @@
  */
 #define MBEDTLS_HMAC_DRBG_C
 
+/**
+ * \def MBEDTLS_NIST_KW_C
+ *
+ * Enable the Key Wrapping mode for 128-bit block ciphers,
+ * as defined in NIST SP 800-38F. Only KW and KWP modes
+ * are supported. At the moment, only AES is approved by NIST.
+ *
+ * Module:  library/nist_kw.c
+ *
+ * Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C
+ */
+//#define MBEDTLS_NIST_KW_C
+
 /**
  * \def MBEDTLS_MD_C
  *
@@ -2371,6 +2642,16 @@
  */
 #define MBEDTLS_PLATFORM_C
 
+/**
+ * \def MBEDTLS_POLY1305_C
+ *
+ * Enable the Poly1305 MAC algorithm.
+ *
+ * Module:  library/poly1305.c
+ * Caller:  library/chachapoly.c
+ */
+#define MBEDTLS_POLY1305_C
+
 /**
  * \def MBEDTLS_RIPEMD160_C
  *
@@ -2726,6 +3007,7 @@
 //#define MBEDTLS_CTR_DRBG_MAX_INPUT                256 /**< Maximum number of additional input bytes */
 //#define MBEDTLS_CTR_DRBG_MAX_REQUEST             1024 /**< Maximum number of requested bytes per call */
 //#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT           384 /**< Maximum size of (re)seed buffer */
+//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY              /**< Use 128-bit key for CTR_DRBG - may reduce security (see ctr_drbg.h) */
 
 /* HMAC_DRBG options */
 //#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL   10000 /**< Interval before reseed is performed by default */
@@ -2776,12 +3058,134 @@
 //#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO   mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
 //#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO  mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
 
+/**
+ * \brief       This macro is invoked by the library when an invalid parameter
+ *              is detected that is only checked with MBEDTLS_CHECK_PARAMS
+ *              (see the documentation of that option for context).
+ *
+ *              When you leave this undefined here, a default definition is
+ *              provided that invokes the function mbedtls_param_failed(),
+ *              which is declared in platform_util.h for the benefit of the
+ *              library, but that you need to define in your application.
+ *
+ *              When you define this here, this replaces the default
+ *              definition in platform_util.h (which no longer declares the
+ *              function mbedtls_param_failed()) and it is your responsibility
+ *              to make sure this macro expands to something suitable (in
+ *              particular, that all the necessary declarations are visible
+ *              from within the library - you can ensure that by providing
+ *              them in this file next to the macro definition).
+ *
+ *              Note that you may define this macro to expand to nothing, in
+ *              which case you don't have to worry about declarations or
+ *              definitions. However, you will then be notified about invalid
+ *              parameters only in non-void functions, and void function will
+ *              just silently return early on invalid parameters, which
+ *              partially negates the benefits of enabling
+ *              #MBEDTLS_CHECK_PARAMS in the first place, so is discouraged.
+ *
+ * \param cond  The expression that should evaluate to true, but doesn't.
+ */
+//#define MBEDTLS_PARAM_FAILED( cond )               assert( cond )
+
 /* SSL Cache options */
 //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT       86400 /**< 1 day  */
 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES      50 /**< Maximum entries in cache */
 
 /* SSL options */
-//#define MBEDTLS_SSL_MAX_CONTENT_LEN             16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */
+
+/** \def MBEDTLS_SSL_MAX_CONTENT_LEN
+ *
+ * Maximum length (in bytes) of incoming and outgoing plaintext fragments.
+ *
+ * This determines the size of both the incoming and outgoing TLS I/O buffers
+ * in such a way that both are capable of holding the specified amount of
+ * plaintext data, regardless of the protection mechanism used.
+ *
+ * To configure incoming and outgoing I/O buffers separately, use
+ * #MBEDTLS_SSL_IN_CONTENT_LEN and #MBEDTLS_SSL_OUT_CONTENT_LEN,
+ * which overwrite the value set by this option.
+ *
+ * \note When using a value less than the default of 16KB on the client, it is
+ *       recommended to use the Maximum Fragment Length (MFL) extension to
+ *       inform the server about this limitation. On the server, there
+ *       is no supported, standardized way of informing the client about
+ *       restriction on the maximum size of incoming messages, and unless
+ *       the limitation has been communicated by other means, it is recommended
+ *       to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
+ *       while keeping the default value of 16KB for the incoming buffer.
+ *
+ * Uncomment to set the maximum plaintext size of both
+ * incoming and outgoing I/O buffers.
+ */
+//#define MBEDTLS_SSL_MAX_CONTENT_LEN             16384
+
+/** \def MBEDTLS_SSL_IN_CONTENT_LEN
+ *
+ * Maximum length (in bytes) of incoming plaintext fragments.
+ *
+ * This determines the size of the incoming TLS I/O buffer in such a way
+ * that it is capable of holding the specified amount of plaintext data,
+ * regardless of the protection mechanism used.
+ *
+ * If this option is undefined, it inherits its value from
+ * #MBEDTLS_SSL_MAX_CONTENT_LEN.
+ *
+ * \note When using a value less than the default of 16KB on the client, it is
+ *       recommended to use the Maximum Fragment Length (MFL) extension to
+ *       inform the server about this limitation. On the server, there
+ *       is no supported, standardized way of informing the client about
+ *       restriction on the maximum size of incoming messages, and unless
+ *       the limitation has been communicated by other means, it is recommended
+ *       to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
+ *       while keeping the default value of 16KB for the incoming buffer.
+ *
+ * Uncomment to set the maximum plaintext size of the incoming I/O buffer
+ * independently of the outgoing I/O buffer.
+ */
+//#define MBEDTLS_SSL_IN_CONTENT_LEN              16384
+
+/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
+ *
+ * Maximum length (in bytes) of outgoing plaintext fragments.
+ *
+ * This determines the size of the outgoing TLS I/O buffer in such a way
+ * that it is capable of holding the specified amount of plaintext data,
+ * regardless of the protection mechanism used.
+ *
+ * If this option undefined, it inherits its value from
+ * #MBEDTLS_SSL_MAX_CONTENT_LEN.
+ *
+ * It is possible to save RAM by setting a smaller outward buffer, while keeping
+ * the default inward 16384 byte buffer to conform to the TLS specification.
+ *
+ * The minimum required outward buffer size is determined by the handshake
+ * protocol's usage. Handshaking will fail if the outward buffer is too small.
+ * The specific size requirement depends on the configured ciphers and any
+ * certificate data which is sent during the handshake.
+ *
+ * Uncomment to set the maximum plaintext size of the outgoing I/O buffer
+ * independently of the incoming I/O buffer.
+ */
+//#define MBEDTLS_SSL_OUT_CONTENT_LEN             16384
+
+/** \def MBEDTLS_SSL_DTLS_MAX_BUFFERING
+ *
+ * Maximum number of heap-allocated bytes for the purpose of
+ * DTLS handshake message reassembly and future message buffering.
+ *
+ * This should be at least 9/8 * MBEDTLSSL_IN_CONTENT_LEN
+ * to account for a reassembled handshake message of maximum size,
+ * together with its reassembly bitmap.
+ *
+ * A value of 2 * MBEDTLS_SSL_IN_CONTENT_LEN (32768 by default)
+ * should be sufficient for all practical situations as it allows
+ * to reassembly a large handshake message (such as a certificate)
+ * while buffering multiple smaller handshake messages.
+ *
+ */
+//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING             32768
+
 //#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME     86400 /**< Lifetime of session tickets (if enabled) */
 //#define MBEDTLS_PSK_MAX_LEN               32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
 //#define MBEDTLS_SSL_COOKIE_TIMEOUT        60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
@@ -2835,25 +3239,53 @@
  */
 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
 
-/* \} name SECTION: Customisation configuration options */
-
-/* Target and application specific configurations */
-//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "target_config.h"
+/**
+ * Uncomment the macro to let mbed TLS use your alternate implementation of
+ * mbedtls_platform_zeroize(). This replaces the default implementation in
+ * platform_util.c.
+ *
+ * mbedtls_platform_zeroize() is a widely used function across the library to
+ * zero a block of memory. The implementation is expected to be secure in the
+ * sense that it has been written to prevent the compiler from removing calls
+ * to mbedtls_platform_zeroize() as part of redundant code elimination
+ * optimizations. However, it is difficult to guarantee that calls to
+ * mbedtls_platform_zeroize() will not be optimized by the compiler as older
+ * versions of the C language standards do not provide a secure implementation
+ * of memset(). Therefore, MBEDTLS_PLATFORM_ZEROIZE_ALT enables users to
+ * configure their own implementation of mbedtls_platform_zeroize(), for
+ * example by using directives specific to their compiler, features from newer
+ * C standards (e.g using memset_s() in C11) or calling a secure memset() from
+ * their system (e.g explicit_bzero() in BSD).
+ */
+//#define MBEDTLS_PLATFORM_ZEROIZE_ALT
+
+/**
+ * Uncomment the macro to let Mbed TLS use your alternate implementation of
+ * mbedtls_platform_gmtime_r(). This replaces the default implementation in
+ * platform_util.c.
+ *
+ * gmtime() is not a thread-safe function as defined in the C standard. The
+ * library will try to use safer implementations of this function, such as
+ * gmtime_r() when available. However, if Mbed TLS cannot identify the target
+ * system, the implementation of mbedtls_platform_gmtime_r() will default to
+ * using the standard gmtime(). In this case, calls from the library to
+ * gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_mutex
+ * if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside the
+ * library are also guarded with this mutex to avoid race conditions. However,
+ * if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will
+ * unconditionally use the implementation for mbedtls_platform_gmtime_r()
+ * supplied at compile time.
+ */
+//#define MBEDTLS_PLATFORM_GMTIME_R_ALT
 
-#if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
-#include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE
-#endif
+/* \} name SECTION: Customisation configuration options */
 
-/*
+/* Target and application specific configurations
+ *
  * Allow user to override any previous default.
  *
- * Use two macro names for that, as:
- * - with yotta the prefix YOTTA_CFG_ is forced
- * - without yotta is looks weird to have a YOTTA prefix.
  */
-#if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE)
-#include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE
-#elif defined(MBEDTLS_USER_CONFIG_FILE)
+#if defined(MBEDTLS_USER_CONFIG_FILE)
 #include MBEDTLS_USER_CONFIG_FILE
 #endif
 
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ctr_drbg.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ctr_drbg.h
index 5a32843152..cc3df7b113 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ctr_drbg.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ctr_drbg.h
@@ -1,10 +1,18 @@
 /**
  * \file ctr_drbg.h
  *
- * \brief    CTR_DRBG is based on AES-256, as defined in <em>NIST SP 800-90A:
- *           Recommendation for Random Number Generation Using Deterministic
- *           Random Bit Generators</em>.
+ * \brief    This file contains CTR_DRBG definitions and functions.
  *
+ * CTR_DRBG is a standardized way of building a PRNG from a block-cipher
+ * in counter mode operation, as defined in <em>NIST SP 800-90A:
+ * Recommendation for Random Number Generation Using Deterministic Random
+ * Bit Generators</em>.
+ *
+ * The Mbed TLS implementation of CTR_DRBG uses AES-256 (default) or AES-128
+ * as the underlying block cipher.
+ *
+ *  \warning Using 128-bit keys for CTR_DRBG limits the security of generated
+ *  keys and operations that use random values generated to 128-bit security.
  */
 /*
  *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
@@ -46,7 +54,13 @@
 #define MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR                -0x003A  /**< Read or write error in file. */
 
 #define MBEDTLS_CTR_DRBG_BLOCKSIZE          16 /**< The block size used by the cipher. */
-#define MBEDTLS_CTR_DRBG_KEYSIZE            32 /**< The key size used by the cipher. */
+
+#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+#define MBEDTLS_CTR_DRBG_KEYSIZE            16 /**< The key size used by the cipher (compile-time choice: 128 bits). */
+#else
+#define MBEDTLS_CTR_DRBG_KEYSIZE            32 /**< The key size used by the cipher (compile-time choice: 256 bits). */
+#endif
+
 #define MBEDTLS_CTR_DRBG_KEYBITS            ( MBEDTLS_CTR_DRBG_KEYSIZE * 8 ) /**< The key size for the DRBG operation, in bits. */
 #define MBEDTLS_CTR_DRBG_SEEDLEN            ( MBEDTLS_CTR_DRBG_KEYSIZE + MBEDTLS_CTR_DRBG_BLOCKSIZE ) /**< The seed length, calculated as (counter + AES key). */
 
@@ -109,7 +123,7 @@ extern "C" {
 /**
  * \brief          The CTR_DRBG context structure.
  */
-typedef struct
+typedef struct mbedtls_ctr_drbg_context
 {
     unsigned char counter[16];  /*!< The counter (V). */
     int reseed_counter;         /*!< The reseed counter. */
@@ -162,8 +176,8 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
                         identifiers. Can be NULL.
  * \param len           The length of the personalization data.
  *
- * \return              \c 0 on success, or
- *                      #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
  */
 int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
                    int (*f_entropy)(void *, unsigned char *, size_t),
@@ -222,49 +236,30 @@ void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx,
  * \param additional    Additional data to add to the state. Can be NULL.
  * \param len           The length of the additional data.
  *
- * \return   \c 0 on success, or
- *           #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
  */
 int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
                      const unsigned char *additional, size_t len );
 
 /**
- * \brief               This function updates the state of the CTR_DRBG context.
- *
- * \param ctx           The CTR_DRBG context.
- * \param additional    The data to update the state with.
- * \param add_len       Length of \p additional in bytes. This must be at
- *                      most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
- *
- * \return              \c 0 on success.
- * \return              #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if
- *                      \p add_len is more than
- *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
- * \return              An error from the underlying AES cipher on failure.
+ * \brief              This function updates the state of the CTR_DRBG context.
+ *
+ * \param ctx          The CTR_DRBG context.
+ * \param additional   The data to update the state with.
+ * \param add_len      Length of \p additional in bytes. This must be at
+ *                     most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ *
+ * \return             \c 0 on success.
+ * \return             #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if
+ *                     \p add_len is more than
+ *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ * \return             An error from the underlying AES cipher on failure.
  */
 int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
                                  const unsigned char *additional,
                                  size_t add_len );
 
-/**
- * \brief               This function updates the state of the CTR_DRBG context.
- *
- * \warning             This function cannot report errors. You should use
- *                      mbedtls_ctr_drbg_update_ret() instead.
- *
- * \note                If \p add_len is greater than
- *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT, only the first
- *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT Bytes are used.
- *                      The remaining Bytes are silently discarded.
- *
- * \param ctx           The CTR_DRBG context.
- * \param additional    The data to update the state with.
- * \param add_len       Length of \p additional data.
- */
-void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
-                              const unsigned char *additional,
-                              size_t add_len );
-
 /**
  * \brief   This function updates a CTR_DRBG instance with additional
  *          data and uses it to generate random data.
@@ -278,8 +273,8 @@ void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
  * \param additional    Additional data to update. Can be NULL.
  * \param add_len       The length of the additional data.
  *
- * \return    \c 0 on success, or
- *            #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
+ * \return    \c 0 on success.
+ * \return    #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
  *            #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
  */
 int mbedtls_ctr_drbg_random_with_add( void *p_rng,
@@ -296,13 +291,42 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng,
  * \param output        The buffer to fill.
  * \param output_len    The length of the buffer.
  *
- * \return              \c 0 on success, or
- *                      #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
  *                      #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
  */
 int mbedtls_ctr_drbg_random( void *p_rng,
                      unsigned char *output, size_t output_len );
 
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief              This function updates the state of the CTR_DRBG context.
+ *
+ * \deprecated         Superseded by mbedtls_ctr_drbg_update_ret()
+ *                     in 2.16.0.
+ *
+ * \note               If \p add_len is greater than
+ *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT, only the first
+ *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT Bytes are used.
+ *                     The remaining Bytes are silently discarded.
+ *
+ * \param ctx          The CTR_DRBG context.
+ * \param additional   The data to update the state with.
+ * \param add_len      Length of \p additional data.
+ */
+MBEDTLS_DEPRECATED void mbedtls_ctr_drbg_update(
+    mbedtls_ctr_drbg_context *ctx,
+    const unsigned char *additional,
+    size_t add_len );
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
 #if defined(MBEDTLS_FS_IO)
 /**
  * \brief               This function writes a seed file.
@@ -310,9 +334,9 @@ int mbedtls_ctr_drbg_random( void *p_rng,
  * \param ctx           The CTR_DRBG context.
  * \param path          The name of the file.
  *
- * \return              \c 0 on success,
- *                      #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error, or
- *                      #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on
  *                      failure.
  */
 int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path );
@@ -324,21 +348,26 @@ int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char
  * \param ctx           The CTR_DRBG context.
  * \param path          The name of the file.
  *
- * \return              \c 0 on success,
- *                      #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error,
- *                      #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
  *                      #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG on failure.
  */
 int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path );
 #endif /* MBEDTLS_FS_IO */
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief               The CTR_DRBG checkup routine.
  *
- * \return              \c 0 on success, or \c 1 on failure.
+ * \return              \c 0 on success.
+ * \return              \c 1 on failure.
  */
 int mbedtls_ctr_drbg_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 /* Internal functions (do not call directly) */
 int mbedtls_ctr_drbg_seed_entropy_len( mbedtls_ctr_drbg_context *,
                                int (*)(void *, unsigned char *, size_t), void *,
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/debug.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/debug.h
index ef8db67ff1..736444bb76 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/debug.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/debug.h
@@ -65,6 +65,11 @@
     mbedtls_debug_print_crt( ssl, level, __FILE__, __LINE__, text, crt )
 #endif
 
+#if defined(MBEDTLS_ECDH_C)
+#define MBEDTLS_SSL_DEBUG_ECDH( level, ecdh, attr )               \
+    mbedtls_debug_printf_ecdh( ssl, level, __FILE__, __LINE__, ecdh, attr )
+#endif
+
 #else /* MBEDTLS_DEBUG_C */
 
 #define MBEDTLS_SSL_DEBUG_MSG( level, args )            do { } while( 0 )
@@ -73,6 +78,7 @@
 #define MBEDTLS_SSL_DEBUG_MPI( level, text, X )         do { } while( 0 )
 #define MBEDTLS_SSL_DEBUG_ECP( level, text, X )         do { } while( 0 )
 #define MBEDTLS_SSL_DEBUG_CRT( level, text, crt )       do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_ECDH( level, ecdh, attr )     do { } while( 0 )
 
 #endif /* MBEDTLS_DEBUG_C */
 
@@ -221,6 +227,36 @@ void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
                       const char *text, const mbedtls_x509_crt *crt );
 #endif
 
+#if defined(MBEDTLS_ECDH_C)
+typedef enum
+{
+    MBEDTLS_DEBUG_ECDH_Q,
+    MBEDTLS_DEBUG_ECDH_QP,
+    MBEDTLS_DEBUG_ECDH_Z,
+} mbedtls_debug_ecdh_attr;
+
+/**
+ * \brief   Print a field of the ECDH structure in the SSL context to the debug
+ *          output. This function is always used through the
+ *          MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file
+ *          and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param ecdh      the ECDH context
+ * \param attr      the identifier of the attribute being output
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_printf_ecdh( const mbedtls_ssl_context *ssl, int level,
+                                const char *file, int line,
+                                const mbedtls_ecdh_context *ecdh,
+                                mbedtls_debug_ecdh_attr attr );
+#endif
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/des.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/des.h
index 5a1a636522..54e6b7894b 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/des.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/des.h
@@ -42,18 +42,20 @@
 #define MBEDTLS_DES_DECRYPT     0
 
 #define MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH              -0x0032  /**< The data input has an invalid length. */
+
+/* MBEDTLS_ERR_DES_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_DES_HW_ACCEL_FAILED                   -0x0033  /**< DES hardware accelerator failed. */
 
 #define MBEDTLS_DES_KEY_SIZE    8
 
-#if !defined(MBEDTLS_DES_ALT)
-// Regular implementation
-//
-
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_DES_ALT)
+// Regular implementation
+//
+
 /**
  * \brief          DES context structure
  *
@@ -61,7 +63,7 @@ extern "C" {
  *                 security risk. We recommend considering stronger ciphers
  *                 instead.
  */
-typedef struct
+typedef struct mbedtls_des_context
 {
     uint32_t sk[32];            /*!<  DES subkeys       */
 }
@@ -70,12 +72,16 @@ mbedtls_des_context;
 /**
  * \brief          Triple-DES context structure
  */
-typedef struct
+typedef struct mbedtls_des3_context
 {
     uint32_t sk[96];            /*!<  3DES subkeys      */
 }
 mbedtls_des3_context;
 
+#else  /* MBEDTLS_DES_ALT */
+#include "des_alt.h"
+#endif /* MBEDTLS_DES_ALT */
+
 /**
  * \brief          Initialize DES context
  *
@@ -331,17 +337,8 @@ int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
  */
 void mbedtls_des_setkey( uint32_t SK[32],
                          const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* MBEDTLS_DES_ALT */
-#include "des_alt.h"
-#endif /* MBEDTLS_DES_ALT */
 
-#ifdef __cplusplus
-extern "C" {
-#endif
+#if defined(MBEDTLS_SELF_TEST)
 
 /**
  * \brief          Checkup routine
@@ -350,6 +347,8 @@ extern "C" {
  */
 int mbedtls_des_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/dhm.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/dhm.h
index 00fafd8d16..2909f5fbc8 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/dhm.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/dhm.h
@@ -1,7 +1,13 @@
 /**
  * \file dhm.h
  *
- * \brief Diffie-Hellman-Merkle key exchange.
+ * \brief   This file contains Diffie-Hellman-Merkle (DHM) key exchange
+ *          definitions and functions.
+ *
+ * Diffie-Hellman-Merkle (DHM) key exchange is defined in
+ * <em>RFC-2631: Diffie-Hellman Key Agreement Method</em> and
+ * <em>Public-Key Cryptography Standards (PKCS) #3: Diffie
+ * Hellman Key Agreement Standard</em>.
  *
  * <em>RFC-3526: More Modular Exponential (MODP) Diffie-Hellman groups for
  * Internet Key Exchange (IKE)</em> defines a number of standardized
@@ -65,7 +71,6 @@
 #include MBEDTLS_CONFIG_FILE
 #endif
 #include "bignum.h"
-#if !defined(MBEDTLS_DHM_ALT)
 
 /*
  * DHM Error codes
@@ -79,17 +84,22 @@
 #define MBEDTLS_ERR_DHM_INVALID_FORMAT                    -0x3380  /**< The ASN.1 data is not formatted correctly. */
 #define MBEDTLS_ERR_DHM_ALLOC_FAILED                      -0x3400  /**< Allocation of memory failed. */
 #define MBEDTLS_ERR_DHM_FILE_IO_ERROR                     -0x3480  /**< Read or write of file failed. */
+
+/* MBEDTLS_ERR_DHM_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_DHM_HW_ACCEL_FAILED                   -0x3500  /**< DHM hardware accelerator failed. */
+
 #define MBEDTLS_ERR_DHM_SET_GROUP_FAILED                  -0x3580  /**< Setting the modulus and generator failed. */
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_DHM_ALT)
+
 /**
  * \brief          The DHM context structure.
  */
-typedef struct
+typedef struct mbedtls_dhm_context
 {
     size_t len;         /*!<  The size of \p P in Bytes. */
     mbedtls_mpi P;      /*!<  The prime modulus. */
@@ -105,6 +115,10 @@ typedef struct
 }
 mbedtls_dhm_context;
 
+#else /* MBEDTLS_DHM_ALT */
+#include "dhm_alt.h"
+#endif /* MBEDTLS_DHM_ALT */
+
 /**
  * \brief          This function initializes the DHM context.
  *
@@ -113,9 +127,15 @@ mbedtls_dhm_context;
 void mbedtls_dhm_init( mbedtls_dhm_context *ctx );
 
 /**
- * \brief          This function parses the ServerKeyExchange parameters.
+ * \brief          This function parses the DHM parameters in a
+ *                 TLS ServerKeyExchange handshake message
+ *                 (DHM modulus, generator, and public key).
+ *
+ * \note           In a TLS handshake, this is the how the client
+ *                 sets up its DHM context from the server's public
+ *                 DHM key material.
  *
- * \param ctx      The DHM context.
+ * \param ctx      The DHM context to use. This must be initialized.
  * \param p        On input, *p must be the start of the input buffer.
  *                 On output, *p is updated to point to the end of the data
  *                 that has been read. On success, this is the first byte
@@ -125,38 +145,44 @@ void mbedtls_dhm_init( mbedtls_dhm_context *ctx );
  *                 failures.
  * \param end      The end of the input buffer.
  *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code
- *                 on failure.
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
  */
 int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx,
-                     unsigned char **p,
-                     const unsigned char *end );
+                             unsigned char **p,
+                             const unsigned char *end );
 
 /**
- * \brief          This function sets up and writes the ServerKeyExchange
- *                 parameters.
- *
- * \param ctx      The DHM context.
- * \param x_size   The private value size in Bytes.
- * \param olen     The number of characters written.
- * \param output   The destination buffer.
- * \param f_rng    The RNG function.
- * \param p_rng    The RNG parameter.
- *
- * \note           The destination buffer must be large enough to hold
- *                 the reduced binary presentation of the modulus, the generator
- *                 and the public key, each wrapped with a 2-byte length field.
- *                 It is the responsibility of the caller to ensure that enough
- *                 space is available. Refer to \c mbedtls_mpi_size to computing
- *                 the byte-size of an MPI.
+ * \brief          This function generates a DHM key pair and exports its
+ *                 public part together with the DHM parameters in the format
+ *                 used in a TLS ServerKeyExchange handshake message.
  *
- * \note           This function assumes that \c ctx->P and \c ctx->G
- *                 have already been properly set. For that, use
+ * \note           This function assumes that the DHM parameters \c ctx->P
+ *                 and \c ctx->G have already been properly set. For that, use
  *                 mbedtls_dhm_set_group() below in conjunction with
  *                 mbedtls_mpi_read_binary() and mbedtls_mpi_read_string().
  *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code
- *                 on failure.
+ * \note           In a TLS handshake, this is the how the server generates
+ *                 and exports its DHM key material.
+ *
+ * \param ctx      The DHM context to use. This must be initialized
+ *                 and have the DHM parameters set. It may or may not
+ *                 already have imported the peer's public key.
+ * \param x_size   The private key size in Bytes.
+ * \param olen     The address at which to store the number of Bytes
+ *                 written on success. This must not be \c NULL.
+ * \param output   The destination buffer. This must be a writable buffer of
+ *                 sufficient size to hold the reduced binary presentation of
+ *                 the modulus, the generator and the public key, each wrapped
+ *                 with a 2-byte length field. It is the responsibility of the
+ *                 caller to ensure that enough space is available. Refer to
+ *                 mbedtls_mpi_size() to computing the byte-size of an MPI.
+ * \param f_rng    The RNG function. Must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng doesn't need a context parameter.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
  */
 int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
                      unsigned char *output, size_t *olen,
@@ -164,54 +190,66 @@ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
                      void *p_rng );
 
 /**
- * \brief          Set prime modulus and generator
+ * \brief          This function sets the prime modulus and generator.
  *
- * \param ctx      The DHM context.
- * \param P        The MPI holding DHM prime modulus.
- * \param G        The MPI holding DHM generator.
+ * \note           This function can be used to set \c ctx->P, \c ctx->G
+ *                 in preparation for mbedtls_dhm_make_params().
  *
- * \note           This function can be used to set P, G
- *                 in preparation for \c mbedtls_dhm_make_params.
+ * \param ctx      The DHM context to configure. This must be initialized.
+ * \param P        The MPI holding the DHM prime modulus. This must be
+ *                 an initialized MPI.
+ * \param G        The MPI holding the DHM generator. This must be an
+ *                 initialized MPI.
  *
- * \return         \c 0 if successful, or an \c MBEDTLS_ERR_DHM_XXX error code
- *                 on failure.
+ * \return         \c 0 if successful.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
  */
 int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx,
                            const mbedtls_mpi *P,
                            const mbedtls_mpi *G );
 
 /**
- * \brief          This function imports the public value G^Y of the peer.
+ * \brief          This function imports the raw public value of the peer.
  *
- * \param ctx      The DHM context.
- * \param input    The input buffer.
- * \param ilen     The size of the input buffer.
+ * \note           In a TLS handshake, this is the how the server imports
+ *                 the Client's public DHM key.
  *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code
- *                 on failure.
+ * \param ctx      The DHM context to use. This must be initialized and have
+ *                 its DHM parameters set, e.g. via mbedtls_dhm_set_group().
+ *                 It may or may not already have generated its own private key.
+ * \param input    The input buffer containing the \c G^Y value of the peer.
+ *                 This must be a readable buffer of size \p ilen Bytes.
+ * \param ilen     The size of the input buffer \p input in Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
  */
 int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx,
                      const unsigned char *input, size_t ilen );
 
 /**
- * \brief          This function creates its own private value \c X and
- *                 exports \c G^X.
+ * \brief          This function creates a DHM key pair and exports
+ *                 the raw public key in big-endian format.
  *
- * \param ctx      The DHM context.
- * \param x_size   The private value size in Bytes.
- * \param output   The destination buffer.
- * \param olen     The length of the destination buffer. Must be at least
-                   equal to ctx->len (the size of \c P).
- * \param f_rng    The RNG function.
- * \param p_rng    The RNG parameter.
+ * \note           The destination buffer is always fully written
+ *                 so as to contain a big-endian representation of G^X mod P.
+ *                 If it is larger than \c ctx->len, it is padded accordingly
+ *                 with zero-bytes at the beginning.
  *
- * \note           The destination buffer will always be fully written
- *                 so as to contain a big-endian presentation of G^X mod P.
- *                 If it is larger than ctx->len, it will accordingly be
- *                 padded with zero-bytes in the beginning.
+ * \param ctx      The DHM context to use. This must be initialized and
+ *                 have the DHM parameters set. It may or may not already
+ *                 have imported the peer's public key.
+ * \param x_size   The private key size in Bytes.
+ * \param output   The destination buffer. This must be a writable buffer of
+ *                 size \p olen Bytes.
+ * \param olen     The length of the destination buffer. This must be at least
+ *                 equal to `ctx->len` (the size of \c P).
+ * \param f_rng    The RNG function. This must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
+ *                 if \p f_rng doesn't need a context argument.
  *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code
- *                 on failure.
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
  */
 int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size,
                      unsigned char *output, size_t olen,
@@ -219,25 +257,30 @@ int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size,
                      void *p_rng );
 
 /**
- * \brief               This function derives and exports the shared secret
- *                      \c (G^Y)^X mod \c P.
+ * \brief          This function derives and exports the shared secret
+ *                 \c (G^Y)^X mod \c P.
  *
- * \param ctx           The DHM context.
- * \param output        The destination buffer.
- * \param output_size   The size of the destination buffer. Must be at least
- *                      the size of ctx->len.
- * \param olen          On exit, holds the actual number of Bytes written.
- * \param f_rng         The RNG function, for blinding purposes.
- * \param p_rng         The RNG parameter.
+ * \note           If \p f_rng is not \c NULL, it is used to blind the input as
+ *                 a countermeasure against timing attacks. Blinding is used
+ *                 only if our private key \c X is re-used, and not used
+ *                 otherwise. We recommend always passing a non-NULL
+ *                 \p f_rng argument.
  *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code
- *                 on failure.
+ * \param ctx           The DHM context to use. This must be initialized
+ *                      and have its own private key generated and the peer's
+ *                      public key imported.
+ * \param output        The buffer to write the generated shared key to. This
+ *                      must be a writable buffer of size \p output_size Bytes.
+ * \param output_size   The size of the destination buffer. This must be at
+ *                      least the size of \c ctx->len (the size of \c P).
+ * \param olen          On exit, holds the actual number of Bytes written.
+ * \param f_rng         The RNG function, for blinding purposes. This may
+ *                      b \c NULL if blinding isn't needed.
+ * \param p_rng         The RNG context. This may be \c NULL if \p f_rng
+ *                      doesn't need a context argument.
  *
- * \note           If non-NULL, \p f_rng is used to blind the input as
- *                 a countermeasure against timing attacks. Blinding is used
- *                 only if our secret value \p X is re-used and omitted
- *                 otherwise. Therefore, we recommend always passing a
- *                 non-NULL \p f_rng argument.
+ * \return              \c 0 on success.
+ * \return              An \c MBEDTLS_ERR_DHM_XXX error code on failure.
  */
 int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx,
                      unsigned char *output, size_t output_size, size_t *olen,
@@ -245,9 +288,12 @@ int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx,
                      void *p_rng );
 
 /**
- * \brief          This function frees and clears the components of a DHM key.
+ * \brief          This function frees and clears the components
+ *                 of a DHM context.
  *
- * \param ctx      The DHM context to free and clear.
+ * \param ctx      The DHM context to free and clear. This may be \c NULL,
+ *                 in which case this function is a no-op. If it is not \c NULL,
+ *                 it must point to an initialized DHM context.
  */
 void mbedtls_dhm_free( mbedtls_dhm_context *ctx );
 
@@ -256,16 +302,19 @@ void mbedtls_dhm_free( mbedtls_dhm_context *ctx );
 /**
  * \brief             This function parses DHM parameters in PEM or DER format.
  *
- * \param dhm         The DHM context to initialize.
- * \param dhmin       The input buffer.
- * \param dhminlen    The size of the buffer, including the terminating null
- *                    Byte for PEM data.
+ * \param dhm         The DHM context to import the DHM parameters into.
+ *                    This must be initialized.
+ * \param dhmin       The input buffer. This must be a readable buffer of
+ *                    length \p dhminlen Bytes.
+ * \param dhminlen    The size of the input buffer \p dhmin, including the
+ *                    terminating \c NULL Byte for PEM data.
  *
- * \return            \c 0 on success, or a specific DHM or PEM error code
- *                    on failure.
+ * \return            \c 0 on success.
+ * \return            An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX error
+ *                    code on failure.
  */
 int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin,
-                   size_t dhminlen );
+                           size_t dhminlen );
 
 #if defined(MBEDTLS_FS_IO)
 /** \ingroup x509_module */
@@ -273,34 +322,29 @@ int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin,
  * \brief          This function loads and parses DHM parameters from a file.
  *
  * \param dhm      The DHM context to load the parameters to.
+ *                 This must be initialized.
  * \param path     The filename to read the DHM parameters from.
+ *                 This must not be \c NULL.
  *
- * \return         \c 0 on success, or a specific DHM or PEM error code
- *                 on failure.
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX
+ *                 error code on failure.
  */
 int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path );
 #endif /* MBEDTLS_FS_IO */
 #endif /* MBEDTLS_ASN1_PARSE_C */
 
-#ifdef __cplusplus
-}
-#endif
-
-#else /* MBEDTLS_DHM_ALT */
-#include "dhm_alt.h"
-#endif /* MBEDTLS_DHM_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
+#if defined(MBEDTLS_SELF_TEST)
 
 /**
  * \brief          The DMH checkup routine.
  *
- * \return         \c 0 on success, or \c 1 on failure.
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
  */
 int mbedtls_dhm_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
 #ifdef __cplusplus
 }
 #endif
@@ -348,15 +392,6 @@ int mbedtls_dhm_self_test( int verbose );
 
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
 
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED __attribute__((deprecated))
-MBEDTLS_DEPRECATED typedef char const * mbedtls_deprecated_constant_t;
-#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL )       \
-    ( (mbedtls_deprecated_constant_t) ( VAL ) )
-#else
-#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) VAL
-#endif /* ! MBEDTLS_DEPRECATED_WARNING */
-
 /**
  * \warning The origin of the primes in RFC 5114 is not documented and
  *          their use therefore constitutes a security risk!
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecdh.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecdh.h
index d16bad2d8e..4479a1d46f 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecdh.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecdh.h
@@ -1,10 +1,11 @@
 /**
  * \file ecdh.h
  *
- * \brief The Elliptic Curve Diffie-Hellman (ECDH) protocol APIs.
+ * \brief This file contains ECDH definitions and functions.
  *
- * ECDH is an anonymous key agreement protocol allowing two parties to
- * establish a shared secret over an insecure channel. Each party must have an
+ * The Elliptic Curve Diffie-Hellman (ECDH) protocol is an anonymous
+ * key agreement protocol allowing two parties to establish a shared
+ * secret over an insecure channel. Each party must have an
  * elliptic-curve public–private key pair.
  *
  * For more information, see <em>NIST SP 800-56A Rev. 2: Recommendation for
@@ -41,26 +42,74 @@
 
 #include "ecp.h"
 
+/*
+ * Use a backward compatible ECDH context.
+ *
+ * This flag is always enabled for now and future versions might add a
+ * configuration option that conditionally undefines this flag.
+ * The configuration option in question may have a different name.
+ *
+ * Features undefining this flag, must have a warning in their description in
+ * config.h stating that the feature breaks backward compatibility.
+ */
+#define MBEDTLS_ECDH_LEGACY_CONTEXT
+
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 /**
- * Defines the source of the imported EC key:
- * <ul><li>Our key.</li>
- * <li>The key of the peer.</li></ul>
+ * Defines the source of the imported EC key.
  */
 typedef enum
 {
-    MBEDTLS_ECDH_OURS,
-    MBEDTLS_ECDH_THEIRS,
+    MBEDTLS_ECDH_OURS,   /**< Our key. */
+    MBEDTLS_ECDH_THEIRS, /**< The key of the peer. */
 } mbedtls_ecdh_side;
 
+#if !defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+/**
+ * Defines the ECDH implementation used.
+ *
+ * Later versions of the library may add new variants, therefore users should
+ * not make any assumptions about them.
+ */
+typedef enum
+{
+    MBEDTLS_ECDH_VARIANT_NONE = 0,   /*!< Implementation not defined. */
+    MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0,/*!< The default Mbed TLS implementation */
+} mbedtls_ecdh_variant;
+
+/**
+ * The context used by the default ECDH implementation.
+ *
+ * Later versions might change the structure of this context, therefore users
+ * should not make any assumptions about the structure of
+ * mbedtls_ecdh_context_mbed.
+ */
+typedef struct mbedtls_ecdh_context_mbed
+{
+    mbedtls_ecp_group grp;   /*!< The elliptic curve used. */
+    mbedtls_mpi d;           /*!< The private key. */
+    mbedtls_ecp_point Q;     /*!< The public key. */
+    mbedtls_ecp_point Qp;    /*!< The value of the public key of the peer. */
+    mbedtls_mpi z;           /*!< The shared secret. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
+#endif
+} mbedtls_ecdh_context_mbed;
+#endif
+
 /**
+ *
+ * \warning         Performing multiple operations concurrently on the same
+ *                  ECDSA context is not supported; objects of this type
+ *                  should not be shared between multiple threads.
  * \brief           The ECDH context structure.
  */
-typedef struct
+typedef struct mbedtls_ecdh_context
 {
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
     mbedtls_ecp_group grp;   /*!< The elliptic curve used. */
     mbedtls_mpi d;           /*!< The private key. */
     mbedtls_ecp_point Q;     /*!< The public key. */
@@ -70,6 +119,29 @@ typedef struct
     mbedtls_ecp_point Vi;    /*!< The blinding value. */
     mbedtls_ecp_point Vf;    /*!< The unblinding value. */
     mbedtls_mpi _d;          /*!< The previous \p d. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    int restart_enabled;        /*!< The flag for restartable mode. */
+    mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#else
+    uint8_t point_format;       /*!< The format of point export in TLS messages
+                                  as defined in RFC 4492. */
+    mbedtls_ecp_group_id grp_id;/*!< The elliptic curve used. */
+    mbedtls_ecdh_variant var;   /*!< The ECDH implementation/structure used. */
+    union
+    {
+        mbedtls_ecdh_context_mbed   mbed_ecdh;
+    } ctx;                      /*!< Implementation-specific context. The
+                                  context in use is specified by the \c var
+                                  field. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    uint8_t restart_enabled;    /*!< The flag for restartable mode. Functions of
+                                  an alternative implementation not supporting
+                                  restartable mode must return
+                                  MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error
+                                  if this flag is set. */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
 }
 mbedtls_ecdh_context;
 
@@ -81,16 +153,22 @@ mbedtls_ecdh_context;
  *                  implemented during the ECDH key exchange. The second core
  *                  computation is performed by mbedtls_ecdh_compute_shared().
  *
- * \param grp       The ECP group.
+ * \see             ecp.h
+ *
+ * \param grp       The ECP group to use. This must be initialized and have
+ *                  domain parameters loaded, for example through
+ *                  mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
  * \param d         The destination MPI (private key).
+ *                  This must be initialized.
  * \param Q         The destination point (public key).
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG parameter.
+ *                  This must be initialized.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL in case \p f_rng doesn't need a context argument.
  *
- * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX or
+ * \return          \c 0 on success.
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX or
  *                  \c MBEDTLS_MPI_XXX error code on failure.
- *
- * \see             ecp.h
  */
 int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
                      int (*f_rng)(void *, unsigned char *, size_t),
@@ -103,21 +181,32 @@ int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp
  *                  implemented during the ECDH key exchange. The first core
  *                  computation is performed by mbedtls_ecdh_gen_public().
  *
- * \param grp       The ECP group.
+ * \see             ecp.h
+ *
+ * \note            If \p f_rng is not NULL, it is used to implement
+ *                  countermeasures against side-channel attacks.
+ *                  For more information, see mbedtls_ecp_mul().
+ *
+ * \param grp       The ECP group to use. This must be initialized and have
+ *                  domain parameters loaded, for example through
+ *                  mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
  * \param z         The destination MPI (shared secret).
+ *                  This must be initialized.
  * \param Q         The public key from another party.
+ *                  This must be initialized.
  * \param d         Our secret exponent (private key).
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG parameter.
- *
- * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX or
+ *                  This must be initialized.
+ * \param f_rng     The RNG function. This may be \c NULL if randomization
+ *                  of intermediate results during the ECP computations is
+ *                  not needed (discouraged). See the documentation of
+ *                  mbedtls_ecp_mul() for more.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng is \c NULL or doesn't need a
+ *                  context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX or
  *                  \c MBEDTLS_MPI_XXX error code on failure.
- *
- * \see             ecp.h
- *
- * \note            If \p f_rng is not NULL, it is used to implement
- *                  countermeasures against potential elaborate timing
- *                  attacks. For more information, see mbedtls_ecp_mul().
  */
 int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
                          const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
@@ -127,39 +216,62 @@ int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
 /**
  * \brief           This function initializes an ECDH context.
  *
- * \param ctx       The ECDH context to initialize.
+ * \param ctx       The ECDH context to initialize. This must not be \c NULL.
  */
 void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx );
 
 /**
- * \brief           This function frees a context.
+ * \brief           This function sets up the ECDH context with the information
+ *                  given.
  *
- * \param ctx       The context to free.
- */
-void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx );
-
-/**
- * \brief           This function generates a public key and a TLS
- *                  ServerKeyExchange payload.
+ *                  This function should be called after mbedtls_ecdh_init() but
+ *                  before mbedtls_ecdh_make_params(). There is no need to call
+ *                  this function before mbedtls_ecdh_read_params().
  *
  *                  This is the first function used by a TLS server for ECDHE
  *                  ciphersuites.
  *
- * \param ctx       The ECDH context.
- * \param olen      The number of characters written.
- * \param buf       The destination buffer.
- * \param blen      The length of the destination buffer.
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG parameter.
+ * \param ctx       The ECDH context to set up. This must be initialized.
+ * \param grp_id    The group id of the group to set up the context for.
  *
- * \note            This function assumes that the ECP group (grp) of the
- *                  \p ctx context has already been properly set,
- *                  for example, using mbedtls_ecp_group_load().
+ * \return          \c 0 on success.
+ */
+int mbedtls_ecdh_setup( mbedtls_ecdh_context *ctx,
+                        mbedtls_ecp_group_id grp_id );
+
+/**
+ * \brief           This function frees a context.
  *
- * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code
- *                  on failure.
+ * \param ctx       The context to free. This may be \c NULL, in which
+ *                  case this function does nothing. If it is not \c NULL,
+ *                  it must point to an initialized ECDH context.
+ */
+void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx );
+
+/**
+ * \brief           This function generates an EC key pair and exports its
+ *                  in the format used in a TLS ServerKeyExchange handshake
+ *                  message.
+ *
+ *                  This is the second function used by a TLS server for ECDHE
+ *                  ciphersuites. (It is called after mbedtls_ecdh_setup().)
  *
  * \see             ecp.h
+ *
+ * \param ctx       The ECDH context to use. This must be initialized
+ *                  and bound to a group, for example via mbedtls_ecdh_setup().
+ * \param olen      The address at which to store the number of Bytes written.
+ * \param buf       The destination buffer. This must be a writable buffer of
+ *                  length \p blen Bytes.
+ * \param blen      The length of the destination buffer \p buf in Bytes.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL in case \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
  */
 int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
                       unsigned char *buf, size_t blen,
@@ -167,23 +279,32 @@ int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
                       void *p_rng );
 
 /**
- * \brief           This function parses and processes a TLS ServerKeyExhange
- *                  payload.
+ * \brief           This function parses the ECDHE parameters in a
+ *                  TLS ServerKeyExchange handshake message.
  *
- *                  This is the first function used by a TLS client for ECDHE
- *                  ciphersuites.
+ * \note            In a TLS handshake, this is the how the client
+ *                  sets up its ECDHE context from the server's public
+ *                  ECDHE key material.
+ *
+ * \see             ecp.h
  *
- * \param ctx       The ECDH context.
- * \param buf       The pointer to the start of the input buffer.
- * \param end       The address for one Byte past the end of the buffer.
+ * \param ctx       The ECDHE context to use. This must be initialized.
+ * \param buf       On input, \c *buf must be the start of the input buffer.
+ *                  On output, \c *buf is updated to point to the end of the
+ *                  data that has been read. On success, this is the first byte
+ *                  past the end of the ServerKeyExchange parameters.
+ *                  On error, this is the point at which an error has been
+ *                  detected, which is usually not useful except to debug
+ *                  failures.
+ * \param end       The end of the input buffer.
  *
- * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code
- *                  on failure.
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX error code on failure.
  *
- * \see             ecp.h
  */
 int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx,
-                      const unsigned char **buf, const unsigned char *end );
+                              const unsigned char **buf,
+                              const unsigned char *end );
 
 /**
  * \brief           This function sets up an ECDH context from an EC key.
@@ -192,38 +313,47 @@ int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx,
  *                  ServerKeyEchange for static ECDH, and imports ECDH
  *                  parameters from the EC key information of a certificate.
  *
- * \param ctx       The ECDH context to set up.
- * \param key       The EC key to use.
- * \param side      Defines the source of the key:
- *                  <ul><li>1: Our key.</li>
-                    <li>0: The key of the peer.</li></ul>
+ * \see             ecp.h
  *
- * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code
- *                  on failure.
+ * \param ctx       The ECDH context to set up. This must be initialized.
+ * \param key       The EC key to use. This must be initialized.
+ * \param side      Defines the source of the key. Possible values are:
+ *                  - #MBEDTLS_ECDH_OURS: The key is ours.
+ *                  - #MBEDTLS_ECDH_THEIRS: The key is that of the peer.
+ *
+ * \return          \c 0 on success.
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
  *
- * \see             ecp.h
  */
-int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx, const mbedtls_ecp_keypair *key,
-                     mbedtls_ecdh_side side );
+int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx,
+                             const mbedtls_ecp_keypair *key,
+                             mbedtls_ecdh_side side );
 
 /**
- * \brief           This function generates a public key and a TLS
- *                  ClientKeyExchange payload.
+ * \brief           This function generates a public key and exports it
+ *                  as a TLS ClientKeyExchange payload.
  *
  *                  This is the second function used by a TLS client for ECDH(E)
  *                  ciphersuites.
  *
- * \param ctx       The ECDH context.
- * \param olen      The number of Bytes written.
- * \param buf       The destination buffer.
- * \param blen      The size of the destination buffer.
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG parameter.
- *
- * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code
- *                  on failure.
- *
  * \see             ecp.h
+ *
+ * \param ctx       The ECDH context to use. This must be initialized
+ *                  and bound to a group, the latter usually by
+ *                  mbedtls_ecdh_read_params().
+ * \param olen      The address at which to store the number of Bytes written.
+ *                  This must not be \c NULL.
+ * \param buf       The destination buffer. This must be a writable buffer
+ *                  of length \p blen Bytes.
+ * \param blen      The size of the destination buffer \p buf in Bytes.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL in case \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
  */
 int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
                       unsigned char *buf, size_t blen,
@@ -231,23 +361,26 @@ int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
                       void *p_rng );
 
 /**
- * \brief       This function parses and processes a TLS ClientKeyExchange
- *              payload.
+ * \brief       This function parses and processes the ECDHE payload of a
+ *              TLS ClientKeyExchange message.
  *
- *              This is the second function used by a TLS server for ECDH(E)
- *              ciphersuites.
+ *              This is the third function used by a TLS server for ECDH(E)
+ *              ciphersuites. (It is called after mbedtls_ecdh_setup() and
+ *              mbedtls_ecdh_make_params().)
  *
- * \param ctx   The ECDH context.
- * \param buf   The start of the input buffer.
- * \param blen  The length of the input buffer.
+ * \see         ecp.h
  *
- * \return      \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code
- *              on failure.
+ * \param ctx   The ECDH context to use. This must be initialized
+ *              and bound to a group, for example via mbedtls_ecdh_setup().
+ * \param buf   The pointer to the ClientKeyExchange payload. This must
+ *              be a readable buffer of length \p blen Bytes.
+ * \param blen  The length of the input buffer \p buf in Bytes.
  *
- * \see         ecp.h
+ * \return      \c 0 on success.
+ * \return      An \c MBEDTLS_ERR_ECP_XXX error code on failure.
  */
 int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
-                      const unsigned char *buf, size_t blen );
+                              const unsigned char *buf, size_t blen );
 
 /**
  * \brief           This function derives and exports the shared secret.
@@ -255,27 +388,51 @@ int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
  *                  This is the last function used by both TLS client
  *                  and servers.
  *
- * \param ctx       The ECDH context.
- * \param olen      The number of Bytes written.
- * \param buf       The destination buffer.
- * \param blen      The length of the destination buffer.
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG parameter.
- *
- * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code
- *                  on failure.
+ * \note            If \p f_rng is not NULL, it is used to implement
+ *                  countermeasures against side-channel attacks.
+ *                  For more information, see mbedtls_ecp_mul().
  *
  * \see             ecp.h
- *
- * \note            If \p f_rng is not NULL, it is used to implement
- *                  countermeasures against potential elaborate timing
- *                  attacks. For more information, see mbedtls_ecp_mul().
+
+ * \param ctx       The ECDH context to use. This must be initialized
+ *                  and have its own private key generated and the peer's
+ *                  public key imported.
+ * \param olen      The address at which to store the total number of
+ *                  Bytes written on success. This must not be \c NULL.
+ * \param buf       The buffer to write the generated shared key to. This
+ *                  must be a writable buffer of size \p blen Bytes.
+ * \param blen      The length of the destination buffer \p buf in Bytes.
+ * \param f_rng     The RNG function, for blinding purposes. This may
+ *                  b \c NULL if blinding isn't needed.
+ * \param p_rng     The RNG context. This may be \c NULL if \p f_rng
+ *                  doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
  */
 int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen,
                       unsigned char *buf, size_t blen,
                       int (*f_rng)(void *, unsigned char *, size_t),
                       void *p_rng );
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           This function enables restartable EC computations for this
+ *                  context.  (Default: disabled.)
+ *
+ * \see             \c mbedtls_ecp_set_max_ops()
+ *
+ * \note            It is not possible to safely disable restartable
+ *                  computations once enabled, except by free-ing the context,
+ *                  which cancels possible in-progress operations.
+ *
+ * \param ctx       The ECDH context to use. This must be initialized.
+ */
+void mbedtls_ecdh_enable_restart( mbedtls_ecdh_context *ctx );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecdsa.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecdsa.h
index cfd1370120..f8b28507c2 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecdsa.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecdsa.h
@@ -1,9 +1,10 @@
 /**
  * \file ecdsa.h
  *
- * \brief The Elliptic Curve Digital Signature Algorithm (ECDSA).
+ * \brief This file contains ECDSA definitions and functions.
  *
- * ECDSA is defined in <em>Standards for Efficient Cryptography Group (SECG):
+ * The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in
+ * <em>Standards for Efficient Cryptography Group (SECG):
  * SEC1 Elliptic Curve Cryptography</em>.
  * The use of ECDSA for TLS is defined in <em>RFC-4492: Elliptic Curve
  * Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)</em>.
@@ -60,29 +61,71 @@
 /** The maximal size of an ECDSA signature in Bytes. */
 #define MBEDTLS_ECDSA_MAX_LEN  ( 3 + 2 * ( 3 + MBEDTLS_ECP_MAX_BYTES ) )
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /**
  * \brief           The ECDSA context structure.
+ *
+ * \warning         Performing multiple operations concurrently on the same
+ *                  ECDSA context is not supported; objects of this type
+ *                  should not be shared between multiple threads.
  */
 typedef mbedtls_ecp_keypair mbedtls_ecdsa_context;
 
-#ifdef __cplusplus
-extern "C" {
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief           Internal restart context for ecdsa_verify()
+ *
+ * \note            Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_ver mbedtls_ecdsa_restart_ver_ctx;
+
+/**
+ * \brief           Internal restart context for ecdsa_sign()
+ *
+ * \note            Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_sig mbedtls_ecdsa_restart_sig_ctx;
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/**
+ * \brief           Internal restart context for ecdsa_sign_det()
+ *
+ * \note            Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_det mbedtls_ecdsa_restart_det_ctx;
 #endif
 
+/**
+ * \brief           General context for resuming ECDSA operations
+ */
+typedef struct
+{
+    mbedtls_ecp_restart_ctx ecp;        /*!<  base context for ECP restart and
+                                              shared administrative info    */
+    mbedtls_ecdsa_restart_ver_ctx *ver; /*!<  ecdsa_verify() sub-context    */
+    mbedtls_ecdsa_restart_sig_ctx *sig; /*!<  ecdsa_sign() sub-context      */
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    mbedtls_ecdsa_restart_det_ctx *det; /*!<  ecdsa_sign_det() sub-context  */
+#endif
+} mbedtls_ecdsa_restart_ctx;
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_ecdsa_restart_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
 /**
  * \brief           This function computes the ECDSA signature of a
  *                  previously-hashed message.
  *
- * \note            The deterministic version is usually preferred.
- *
- * \param grp       The ECP group.
- * \param r         The first output integer.
- * \param s         The second output integer.
- * \param d         The private signing key.
- * \param buf       The message hash.
- * \param blen      The length of \p buf.
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG parameter.
+ * \note            The deterministic version implemented in
+ *                  mbedtls_ecdsa_sign_det() is usually preferred.
  *
  * \note            If the bitlength of the message hash is larger than the
  *                  bitlength of the group order, then the hash is truncated
@@ -90,10 +133,28 @@ extern "C" {
  *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
  *                  4.1.3, step 5.
  *
- * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX
- *                  or \c MBEDTLS_MPI_XXX error code on failure.
- *
  * \see             ecp.h
+ *
+ * \param grp       The context for the elliptic curve to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param r         The MPI context in which to store the first part
+ *                  the signature. This must be initialized.
+ * \param s         The MPI context in which to store the second part
+ *                  the signature. This must be initialized.
+ * \param d         The private signing key. This must be initialized.
+ * \param buf       The content to be signed. This is usually the hash of
+ *                  the original data to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes. It may be \c NULL if
+ *                  \p blen is zero.
+ * \param blen      The length of \p buf in Bytes.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng doesn't need a context parameter.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX
+ *                  or \c MBEDTLS_MPI_XXX error code on failure.
  */
 int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
                 const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
@@ -103,62 +164,80 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
 /**
  * \brief           This function computes the ECDSA signature of a
  *                  previously-hashed message, deterministic version.
+ *
  *                  For more information, see <em>RFC-6979: Deterministic
  *                  Usage of the Digital Signature Algorithm (DSA) and Elliptic
  *                  Curve Digital Signature Algorithm (ECDSA)</em>.
  *
- * \param grp       The ECP group.
- * \param r         The first output integer.
- * \param s         The second output integer.
- * \param d         The private signing key.
- * \param buf       The message hash.
- * \param blen      The length of \p buf.
- * \param md_alg    The MD algorithm used to hash the message.
- *
  * \note            If the bitlength of the message hash is larger than the
  *                  bitlength of the group order, then the hash is truncated as
  *                  defined in <em>Standards for Efficient Cryptography Group
  *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
  *                  4.1.3, step 5.
  *
- * \return          \c 0 on success,
- *                  or an \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
- *                  error code on failure.
- *
  * \see             ecp.h
+ *
+ * \param grp       The context for the elliptic curve to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param r         The MPI context in which to store the first part
+ *                  the signature. This must be initialized.
+ * \param s         The MPI context in which to store the second part
+ *                  the signature. This must be initialized.
+ * \param d         The private signing key. This must be initialized
+ *                  and setup, for example through mbedtls_ecp_gen_privkey().
+ * \param buf       The hashed content to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes. It may be \c NULL if
+ *                  \p blen is zero.
+ * \param blen      The length of \p buf in Bytes.
+ * \param md_alg    The hash algorithm used to hash the original data.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ *                  error code on failure.
  */
-int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
-                    const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
-                    mbedtls_md_type_t md_alg );
+int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                            mbedtls_mpi *s, const mbedtls_mpi *d,
+                            const unsigned char *buf, size_t blen,
+                            mbedtls_md_type_t md_alg );
 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
 
 /**
  * \brief           This function verifies the ECDSA signature of a
  *                  previously-hashed message.
  *
- * \param grp       The ECP group.
- * \param buf       The message hash.
- * \param blen      The length of \p buf.
- * \param Q         The public key to use for verification.
- * \param r         The first integer of the signature.
- * \param s         The second integer of the signature.
- *
  * \note            If the bitlength of the message hash is larger than the
  *                  bitlength of the group order, then the hash is truncated as
  *                  defined in <em>Standards for Efficient Cryptography Group
  *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
  *                  4.1.4, step 3.
  *
- * \return          \c 0 on success,
- *                  #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid,
- *                  or an \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
- *                  error code on failure for any other reason.
- *
  * \see             ecp.h
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param buf       The hashed content that was signed. This must be a readable
+ *                  buffer of length \p blen Bytes. It may be \c NULL if
+ *                  \p blen is zero.
+ * \param blen      The length of \p buf in Bytes.
+ * \param Q         The public key to use for verification. This must be
+ *                  initialized and setup.
+ * \param r         The first integer of the signature.
+ *                  This must be initialized.
+ * \param s         The second integer of the signature.
+ *                  This must be initialized.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the signature
+ *                  is invalid.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ *                  error code on failure for any other reason.
  */
 int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
-                  const unsigned char *buf, size_t blen,
-                  const mbedtls_ecp_point *Q, const mbedtls_mpi *r, const mbedtls_mpi *s);
+                          const unsigned char *buf, size_t blen,
+                          const mbedtls_ecp_point *Q, const mbedtls_mpi *r,
+                          const mbedtls_mpi *s);
 
 /**
  * \brief           This function computes the ECDSA signature and writes it
@@ -175,38 +254,92 @@ int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
  *                  of the Digital Signature Algorithm (DSA) and Elliptic
  *                  Curve Digital Signature Algorithm (ECDSA)</em>.
  *
- * \param ctx       The ECDSA context.
- * \param md_alg    The message digest that was used to hash the message.
- * \param hash      The message hash.
- * \param hlen      The length of the hash.
- * \param sig       The buffer that holds the signature.
- * \param slen      The length of the signature written.
- * \param f_rng     The RNG function.
- * \param p_rng     The RNG parameter.
- *
- * \note            The \p sig buffer must be at least twice as large as the
- *                  size of the curve used, plus 9. For example, 73 Bytes if
- *                  a 256-bit curve is used. A buffer length of
- *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
- *
  * \note            If the bitlength of the message hash is larger than the
  *                  bitlength of the group order, then the hash is truncated as
  *                  defined in <em>Standards for Efficient Cryptography Group
  *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
  *                  4.1.3, step 5.
  *
- * \return          \c 0 on success,
- *                  or an \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
- *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- *
  * \see             ecp.h
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and private key bound to it, for example
+ *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
+ * \param md_alg    The message digest that was used to hash the message.
+ * \param hash      The message hash to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes.
+ * \param hlen      The length of the hash \p hash in Bytes.
+ * \param sig       The buffer to which to write the signature. This must be a
+ *                  writable buffer of length at least twice as large as the
+ *                  size of the curve used, plus 9. For example, 73 Bytes if
+ *                  a 256-bit curve is used. A buffer length of
+ *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param slen      The address at which to store the actual length of
+ *                  the signature written. Must not be \c NULL.
+ * \param f_rng     The RNG function. This must not be \c NULL if
+ *                  #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
+ *                  it is unused and may be set to \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng is \c NULL or doesn't use a context.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
+ *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t md_alg,
+int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx,
+                                   mbedtls_md_type_t md_alg,
                            const unsigned char *hash, size_t hlen,
                            unsigned char *sig, size_t *slen,
                            int (*f_rng)(void *, unsigned char *, size_t),
                            void *p_rng );
 
+/**
+ * \brief           This function computes the ECDSA signature and writes it
+ *                  to a buffer, in a restartable way.
+ *
+ * \see             \c mbedtls_ecdsa_write_signature()
+ *
+ * \note            This function is like \c mbedtls_ecdsa_write_signature()
+ *                  but it can return early and restart according to the limit
+ *                  set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and private key bound to it, for example
+ *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
+ * \param md_alg    The message digest that was used to hash the message.
+ * \param hash      The message hash to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes.
+ * \param hlen      The length of the hash \p hash in Bytes.
+ * \param sig       The buffer to which to write the signature. This must be a
+ *                  writable buffer of length at least twice as large as the
+ *                  size of the curve used, plus 9. For example, 73 Bytes if
+ *                  a 256-bit curve is used. A buffer length of
+ *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param slen      The address at which to store the actual length of
+ *                  the signature written. Must not be \c NULL.
+ * \param f_rng     The RNG function. This must not be \c NULL if
+ *                  #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
+ *                  it is unused and may be set to \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng is \c NULL or doesn't use a context.
+ * \param rs_ctx    The restart context to use. This may be \c NULL to disable
+ *                  restarting. If it is not \c NULL, it must point to an
+ *                  initialized restart context.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
+ *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx,
+                           mbedtls_md_type_t md_alg,
+                           const unsigned char *hash, size_t hlen,
+                           unsigned char *sig, size_t *slen,
+                           int (*f_rng)(void *, unsigned char *, size_t),
+                           void *p_rng,
+                           mbedtls_ecdsa_restart_ctx *rs_ctx );
+
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
 #if ! defined(MBEDTLS_DEPRECATED_REMOVED)
 #if defined(MBEDTLS_DEPRECATED_WARNING)
@@ -215,31 +348,17 @@ int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t
 #define MBEDTLS_DEPRECATED
 #endif
 /**
- * \brief   This function computes an ECDSA signature and writes it to a buffer,
- *          serialized as defined in <em>RFC-4492: Elliptic Curve Cryptography
- *          (ECC) Cipher Suites for Transport Layer Security (TLS)</em>.
+ * \brief           This function computes an ECDSA signature and writes
+ *                  it to a buffer, serialized as defined in <em>RFC-4492:
+ *                  Elliptic Curve Cryptography (ECC) Cipher Suites for
+ *                  Transport Layer Security (TLS)</em>.
  *
- *          The deterministic version is defined in <em>RFC-6979:
- *          Deterministic Usage of the Digital Signature Algorithm (DSA) and
- *          Elliptic Curve Digital Signature Algorithm (ECDSA)</em>.
+ *                  The deterministic version is defined in <em>RFC-6979:
+ *                  Deterministic Usage of the Digital Signature Algorithm (DSA)
+ *                  and Elliptic Curve Digital Signature Algorithm (ECDSA)</em>.
  *
  * \warning         It is not thread-safe to use the same context in
  *                  multiple threads.
-
- *
- * \deprecated      Superseded by mbedtls_ecdsa_write_signature() in 2.0.0
- *
- * \param ctx       The ECDSA context.
- * \param hash      The Message hash.
- * \param hlen      The length of the hash.
- * \param sig       The buffer that holds the signature.
- * \param slen      The length of the signature written.
- * \param md_alg    The MD algorithm used to hash the message.
- *
- * \note            The \p sig buffer must be at least twice as large as the
- *                  size of the curve used, plus 9. For example, 73 Bytes if a
- *                  256-bit curve is used. A buffer length of
- *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
  *
  * \note            If the bitlength of the message hash is larger than the
  *                  bitlength of the group order, then the hash is truncated as
@@ -247,11 +366,29 @@ int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t
  *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
  *                  4.1.3, step 5.
  *
- * \return          \c 0 on success,
- *                  or an \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
- *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- *
  * \see             ecp.h
+ *
+ * \deprecated      Superseded by mbedtls_ecdsa_write_signature() in
+ *                  Mbed TLS version 2.0 and later.
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and private key bound to it, for example
+ *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
+ * \param hash      The message hash to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes.
+ * \param hlen      The length of the hash \p hash in Bytes.
+ * \param sig       The buffer to which to write the signature. This must be a
+ *                  writable buffer of length at least twice as large as the
+ *                  size of the curve used, plus 9. For example, 73 Bytes if
+ *                  a 256-bit curve is used. A buffer length of
+ *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param slen      The address at which to store the actual length of
+ *                  the signature written. Must not be \c NULL.
+ * \param md_alg    The message digest that was used to hash the message.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
+ *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
 int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
                                const unsigned char *hash, size_t hlen,
@@ -264,75 +401,143 @@ int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
 /**
  * \brief           This function reads and verifies an ECDSA signature.
  *
- * \param ctx       The ECDSA context.
- * \param hash      The message hash.
- * \param hlen      The size of the hash.
- * \param sig       The signature to read and verify.
- * \param slen      The size of \p sig.
- *
  * \note            If the bitlength of the message hash is larger than the
  *                  bitlength of the group order, then the hash is truncated as
  *                  defined in <em>Standards for Efficient Cryptography Group
  *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
  *                  4.1.4, step 3.
  *
- * \return          \c 0 on success,
- *                  #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid,
- *                  #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
- *                  signature in sig but its length is less than \p siglen,
- *                  or an \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
- *                  error code on failure for any other reason.
- *
  * \see             ecp.h
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and public key bound to it.
+ * \param hash      The message hash that was signed. This must be a readable
+ *                  buffer of length \p size Bytes.
+ * \param hlen      The size of the hash \p hash.
+ * \param sig       The signature to read and verify. This must be a readable
+ *                  buffer of length \p slen Bytes.
+ * \param slen      The size of \p sig in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
+ * \return          #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
+ *                  signature in \p sig, but its length is less than \p siglen.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
+ *                  error code on failure for any other reason.
  */
 int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
                           const unsigned char *hash, size_t hlen,
                           const unsigned char *sig, size_t slen );
 
+/**
+ * \brief           This function reads and verifies an ECDSA signature,
+ *                  in a restartable way.
+ *
+ * \see             \c mbedtls_ecdsa_read_signature()
+ *
+ * \note            This function is like \c mbedtls_ecdsa_read_signature()
+ *                  but it can return early and restart according to the limit
+ *                  set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and public key bound to it.
+ * \param hash      The message hash that was signed. This must be a readable
+ *                  buffer of length \p size Bytes.
+ * \param hlen      The size of the hash \p hash.
+ * \param sig       The signature to read and verify. This must be a readable
+ *                  buffer of length \p slen Bytes.
+ * \param slen      The size of \p sig in Bytes.
+ * \param rs_ctx    The restart context to use. This may be \c NULL to disable
+ *                  restarting. If it is not \c NULL, it must point to an
+ *                  initialized restart context.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
+ * \return          #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
+ *                  signature in \p sig, but its length is less than \p siglen.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
+ *                  error code on failure for any other reason.
+ */
+int mbedtls_ecdsa_read_signature_restartable( mbedtls_ecdsa_context *ctx,
+                          const unsigned char *hash, size_t hlen,
+                          const unsigned char *sig, size_t slen,
+                          mbedtls_ecdsa_restart_ctx *rs_ctx );
+
 /**
  * \brief          This function generates an ECDSA keypair on the given curve.
  *
+ * \see            ecp.h
+ *
  * \param ctx      The ECDSA context to store the keypair in.
+ *                 This must be initialized.
  * \param gid      The elliptic curve to use. One of the various
  *                 \c MBEDTLS_ECP_DP_XXX macros depending on configuration.
- * \param f_rng    The RNG function.
- * \param p_rng    The RNG parameter.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng doesn't need a context argument.
  *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX code on
- *                 failure.
- *
- * \see            ecp.h
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_ECP_XXX code on failure.
  */
 int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
 
 /**
- * \brief           This function sets an ECDSA context from an EC key pair.
+ * \brief           This function sets up an ECDSA context from an EC key pair.
  *
- * \param ctx       The ECDSA context to set.
- * \param key       The EC key to use.
+ * \see             ecp.h
  *
- * \return          \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX code on
- *                  failure.
+ * \param ctx       The ECDSA context to setup. This must be initialized.
+ * \param key       The EC key to use. This must be initialized and hold
+ *                  a private-public key pair or a public key. In the former
+ *                  case, the ECDSA context may be used for signature creation
+ *                  and verification after this call. In the latter case, it
+ *                  may be used for signature verification.
  *
- * \see             ecp.h
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX code on failure.
  */
-int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key );
+int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx,
+                                const mbedtls_ecp_keypair *key );
 
 /**
  * \brief           This function initializes an ECDSA context.
  *
  * \param ctx       The ECDSA context to initialize.
+ *                  This must not be \c NULL.
  */
 void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx );
 
 /**
  * \brief           This function frees an ECDSA context.
  *
- * \param ctx       The ECDSA context to free.
+ * \param ctx       The ECDSA context to free. This may be \c NULL,
+ *                  in which case this function does nothing. If it
+ *                  is not \c NULL, it must be initialized.
  */
 void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx );
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Initialize a restart context.
+ *
+ * \param ctx       The restart context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_ecdsa_restart_init( mbedtls_ecdsa_restart_ctx *ctx );
+
+/**
+ * \brief           Free the components of a restart context.
+ *
+ * \param ctx       The restart context to free. This may be \c NULL,
+ *                  in which case this function does nothing. If it
+ *                  is not \c NULL, it must be initialized.
+ */
+void mbedtls_ecdsa_restart_free( mbedtls_ecdsa_restart_ctx *ctx );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecjpake.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecjpake.h
index 8d09bf2293..3d8d02ae64 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecjpake.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecjpake.h
@@ -49,8 +49,6 @@
 #include "ecp.h"
 #include "md.h"
 
-#if !defined(MBEDTLS_ECJPAKE_ALT)
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -63,6 +61,7 @@ typedef enum {
     MBEDTLS_ECJPAKE_SERVER,             /**< Server                         */
 } mbedtls_ecjpake_role;
 
+#if !defined(MBEDTLS_ECJPAKE_ALT)
 /**
  * EC J-PAKE context structure.
  *
@@ -74,7 +73,7 @@ typedef enum {
  * convetion from the Thread v1.0 spec. Correspondance is indicated in the
  * description as a pair C: client name, S: server name
  */
-typedef struct
+typedef struct mbedtls_ecjpake_context
 {
     const mbedtls_md_info_t *md_info;   /**< Hash to use                    */
     mbedtls_ecp_group grp;              /**< Elliptic curve                 */
@@ -93,29 +92,38 @@ typedef struct
     mbedtls_mpi s;                      /**< Pre-shared secret (passphrase) */
 } mbedtls_ecjpake_context;
 
+#else  /* MBEDTLS_ECJPAKE_ALT */
+#include "ecjpake_alt.h"
+#endif /* MBEDTLS_ECJPAKE_ALT */
+
 /**
- * \brief           Initialize a context
- *                  (just makes it ready for setup() or free()).
+ * \brief           Initialize an ECJPAKE context.
  *
- * \param ctx       context to initialize
+ * \param ctx       The ECJPAKE context to initialize.
+ *                  This must not be \c NULL.
  */
 void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx );
 
 /**
- * \brief           Set up a context for use
+ * \brief           Set up an ECJPAKE context for use.
  *
  * \note            Currently the only values for hash/curve allowed by the
- *                  standard are MBEDTLS_MD_SHA256/MBEDTLS_ECP_DP_SECP256R1.
+ *                  standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1.
  *
- * \param ctx       context to set up
- * \param role      Our role: client or server
- * \param hash      hash function to use (MBEDTLS_MD_XXX)
- * \param curve     elliptic curve identifier (MBEDTLS_ECP_DP_XXX)
- * \param secret    pre-shared secret (passphrase)
- * \param len       length of the shared secret
+ * \param ctx       The ECJPAKE context to set up. This must be initialized.
+ * \param role      The role of the caller. This must be either
+ *                  #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER.
+ * \param hash      The identifier of the hash function to use,
+ *                  for example #MBEDTLS_MD_SHA256.
+ * \param curve     The identifier of the elliptic curve to use,
+ *                  for example #MBEDTLS_ECP_DP_SECP256R1.
+ * \param secret    The pre-shared secret (passphrase). This must be
+ *                  a readable buffer of length \p len Bytes. It need
+ *                  only be valid for the duration of this call.
+ * \param len       The length of the pre-shared secret \p secret.
  *
- * \return          0 if successfull,
- *                  a negative error code otherwise
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
  */
 int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,
                            mbedtls_ecjpake_role role,
@@ -125,29 +133,34 @@ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,
                            size_t len );
 
 /**
- * \brief           Check if a context is ready for use
+ * \brief           Check if an ECJPAKE context is ready for use.
  *
- * \param ctx       Context to check
+ * \param ctx       The ECJPAKE context to check. This must be
+ *                  initialized.
  *
- * \return          0 if the context is ready for use,
- *                  MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise
+ * \return          \c 0 if the context is ready for use.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise.
  */
 int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx );
 
 /**
  * \brief           Generate and write the first round message
  *                  (TLS: contents of the Client/ServerHello extension,
- *                  excluding extension type and length bytes)
+ *                  excluding extension type and length bytes).
  *
- * \param ctx       Context to use
- * \param buf       Buffer to write the contents to
- * \param len       Buffer size
- * \param olen      Will be updated with the number of bytes written
- * \param f_rng     RNG function
- * \param p_rng     RNG parameter
+ * \param ctx       The ECJPAKE context to use. This must be
+ *                  initialized and set up.
+ * \param buf       The buffer to write the contents to. This must be a
+ *                  writable buffer of length \p len Bytes.
+ * \param len       The length of \p buf in Bytes.
+ * \param olen      The address at which to store the total number
+ *                  of Bytes written to \p buf. This must not be \c NULL.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This
+ *                  may be \c NULL if \p f_rng doesn't use a context.
  *
- * \return          0 if successfull,
- *                  a negative error code otherwise
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
  */
 int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx,
                             unsigned char *buf, size_t len, size_t *olen,
@@ -157,14 +170,16 @@ int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx,
 /**
  * \brief           Read and process the first round message
  *                  (TLS: contents of the Client/ServerHello extension,
- *                  excluding extension type and length bytes)
+ *                  excluding extension type and length bytes).
  *
- * \param ctx       Context to use
- * \param buf       Pointer to extension contents
- * \param len       Extension length
+ * \param ctx       The ECJPAKE context to use. This must be initialized
+ *                  and set up.
+ * \param buf       The buffer holding the first round message. This must
+ *                  be a readable buffer of length \p len Bytes.
+ * \param len       The length in Bytes of \p buf.
  *
- * \return          0 if successfull,
- *                  a negative error code otherwise
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
  */
 int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx,
                                     const unsigned char *buf,
@@ -172,17 +187,21 @@ int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx,
 
 /**
  * \brief           Generate and write the second round message
- *                  (TLS: contents of the Client/ServerKeyExchange)
+ *                  (TLS: contents of the Client/ServerKeyExchange).
  *
- * \param ctx       Context to use
- * \param buf       Buffer to write the contents to
- * \param len       Buffer size
- * \param olen      Will be updated with the number of bytes written
- * \param f_rng     RNG function
- * \param p_rng     RNG parameter
+ * \param ctx       The ECJPAKE context to use. This must be initialized,
+ *                  set up, and already have performed round one.
+ * \param buf       The buffer to write the round two contents to.
+ *                  This must be a writable buffer of length \p len Bytes.
+ * \param len       The size of \p buf in Bytes.
+ * \param olen      The address at which to store the total number of Bytes
+ *                  written to \p buf. This must not be \c NULL.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This
+ *                  may be \c NULL if \p f_rng doesn't use a context.
  *
- * \return          0 if successfull,
- *                  a negative error code otherwise
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
  */
 int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx,
                             unsigned char *buf, size_t len, size_t *olen,
@@ -191,14 +210,16 @@ int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx,
 
 /**
  * \brief           Read and process the second round message
- *                  (TLS: contents of the Client/ServerKeyExchange)
+ *                  (TLS: contents of the Client/ServerKeyExchange).
  *
- * \param ctx       Context to use
- * \param buf       Pointer to the message
- * \param len       Message length
+ * \param ctx       The ECJPAKE context to use. This must be initialized
+ *                  and set up and already have performed round one.
+ * \param buf       The buffer holding the second round message. This must
+ *                  be a readable buffer of length \p len Bytes.
+ * \param len       The length in Bytes of \p buf.
  *
- * \return          0 if successfull,
- *                  a negative error code otherwise
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
  */
 int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx,
                                     const unsigned char *buf,
@@ -206,17 +227,21 @@ int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx,
 
 /**
  * \brief           Derive the shared secret
- *                  (TLS: Pre-Master Secret)
+ *                  (TLS: Pre-Master Secret).
  *
- * \param ctx       Context to use
- * \param buf       Buffer to write the contents to
- * \param len       Buffer size
- * \param olen      Will be updated with the number of bytes written
- * \param f_rng     RNG function
- * \param p_rng     RNG parameter
+ * \param ctx       The ECJPAKE context to use. This must be initialized,
+ *                  set up and have performed both round one and two.
+ * \param buf       The buffer to write the derived secret to. This must
+ *                  be a writable buffer of length \p len Bytes.
+ * \param len       The length of \p buf in Bytes.
+ * \param olen      The address at which to store the total number of Bytes
+ *                  written to \p buf. This must not be \c NULL.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This
+ *                  may be \c NULL if \p f_rng doesn't use a context.
  *
- * \return          0 if successfull,
- *                  a negative error code otherwise
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
  */
 int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
                             unsigned char *buf, size_t len, size_t *olen,
@@ -224,26 +249,17 @@ int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
                             void *p_rng );
 
 /**
- * \brief           Free a context's content
+ * \brief           This clears an ECJPAKE context and frees any
+ *                  embedded data structure.
  *
- * \param ctx       context to free
+ * \param ctx       The ECJPAKE context to free. This may be \c NULL,
+ *                  in which case this function does nothing. If it is not
+ *                  \c NULL, it must point to an initialized ECJPAKE context.
  */
 void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx );
 
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* MBEDTLS_ECJPAKE_ALT */
-#include "ecjpake_alt.h"
-#endif /* MBEDTLS_ECJPAKE_ALT */
-
 #if defined(MBEDTLS_SELF_TEST)
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 /**
  * \brief          Checkup routine
  *
@@ -251,10 +267,11 @@ extern "C" {
  */
 int mbedtls_ecjpake_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
 
-#endif /* MBEDTLS_SELF_TEST */
 
 #endif /* ecjpake.h */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecp.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecp.h
index 6c43c00693..065a4cc0b9 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ecp.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ecp.h
@@ -1,10 +1,21 @@
 /**
  * \file ecp.h
  *
- * \brief Elliptic curves over GF(p)
+ * \brief This file provides an API for Elliptic Curves over GF(P) (ECP).
+ *
+ * The use of ECP in cryptography and TLS is defined in
+ * <em>Standards for Efficient Cryptography Group (SECG): SEC1
+ * Elliptic Curve Cryptography</em> and
+ * <em>RFC-4492: Elliptic Curve Cryptography (ECC) Cipher Suites
+ * for Transport Layer Security (TLS)</em>.
+ *
+ * <em>RFC-2409: The Internet Key Exchange (IKE)</em> defines ECP
+ * group types.
+ *
  */
+
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
  *  SPDX-License-Identifier: Apache-2.0
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -19,8 +30,9 @@
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
  *
- *  This file is part of mbed TLS (https://tls.mbed.org)
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
  */
+
 #ifndef MBEDTLS_ECP_H
 #define MBEDTLS_ECP_H
 
@@ -37,160 +49,165 @@
  */
 #define MBEDTLS_ERR_ECP_BAD_INPUT_DATA                    -0x4F80  /**< Bad input parameters to function. */
 #define MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL                  -0x4F00  /**< The buffer is too small to write to. */
-#define MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE               -0x4E80  /**< Requested curve not available. */
+#define MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE               -0x4E80  /**< The requested feature is not available, for example, the requested curve is not supported. */
 #define MBEDTLS_ERR_ECP_VERIFY_FAILED                     -0x4E00  /**< The signature is not valid. */
 #define MBEDTLS_ERR_ECP_ALLOC_FAILED                      -0x4D80  /**< Memory allocation failed. */
-#define MBEDTLS_ERR_ECP_RANDOM_FAILED                     -0x4D00  /**< Generation of random value, such as (ephemeral) key, failed. */
+#define MBEDTLS_ERR_ECP_RANDOM_FAILED                     -0x4D00  /**< Generation of random value, such as ephemeral key, failed. */
 #define MBEDTLS_ERR_ECP_INVALID_KEY                       -0x4C80  /**< Invalid private or public key. */
 #define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH                  -0x4C00  /**< The buffer contains a valid signature followed by more data. */
-#define MBEDTLS_ERR_ECP_HW_ACCEL_FAILED                   -0x4B80  /**< ECP hardware accelerator failed. */
 
-#if !defined(MBEDTLS_ECP_ALT)
-/*
- * default mbed TLS elliptic curve arithmetic implementation
- *
- * (in case MBEDTLS_ECP_ALT is defined then the developer has to provide an
- * alternative implementation for the whole module and it will replace this
- * one.)
- */
+/* MBEDTLS_ERR_ECP_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_ECP_HW_ACCEL_FAILED                   -0x4B80  /**< The ECP hardware accelerator failed. */
+
+#define MBEDTLS_ERR_ECP_IN_PROGRESS                       -0x4B00  /**< Operation in progress, call again with the same parameters to continue. */
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 /**
- * Domain parameters (curve, subgroup and generator) identifiers.
+ * Domain-parameter identifiers: curve, subgroup, and generator.
  *
- * Only curves over prime fields are supported.
+ * \note Only curves over prime fields are supported.
  *
  * \warning This library does not support validation of arbitrary domain
- * parameters. Therefore, only well-known domain parameters from trusted
+ * parameters. Therefore, only standardized domain parameters from trusted
  * sources should be used. See mbedtls_ecp_group_load().
  */
 typedef enum
 {
-    MBEDTLS_ECP_DP_NONE = 0,
-    MBEDTLS_ECP_DP_SECP192R1,      /*!< 192-bits NIST curve  */
-    MBEDTLS_ECP_DP_SECP224R1,      /*!< 224-bits NIST curve  */
-    MBEDTLS_ECP_DP_SECP256R1,      /*!< 256-bits NIST curve  */
-    MBEDTLS_ECP_DP_SECP384R1,      /*!< 384-bits NIST curve  */
-    MBEDTLS_ECP_DP_SECP521R1,      /*!< 521-bits NIST curve  */
-    MBEDTLS_ECP_DP_BP256R1,        /*!< 256-bits Brainpool curve */
-    MBEDTLS_ECP_DP_BP384R1,        /*!< 384-bits Brainpool curve */
-    MBEDTLS_ECP_DP_BP512R1,        /*!< 512-bits Brainpool curve */
-    MBEDTLS_ECP_DP_CURVE25519,           /*!< Curve25519               */
-    MBEDTLS_ECP_DP_SECP192K1,      /*!< 192-bits "Koblitz" curve */
-    MBEDTLS_ECP_DP_SECP224K1,      /*!< 224-bits "Koblitz" curve */
-    MBEDTLS_ECP_DP_SECP256K1,      /*!< 256-bits "Koblitz" curve */
+    MBEDTLS_ECP_DP_NONE = 0,       /*!< Curve not defined. */
+    MBEDTLS_ECP_DP_SECP192R1,      /*!< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. */
+    MBEDTLS_ECP_DP_SECP224R1,      /*!< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. */
+    MBEDTLS_ECP_DP_SECP256R1,      /*!< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. */
+    MBEDTLS_ECP_DP_SECP384R1,      /*!< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. */
+    MBEDTLS_ECP_DP_SECP521R1,      /*!< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. */
+    MBEDTLS_ECP_DP_BP256R1,        /*!< Domain parameters for 256-bit Brainpool curve. */
+    MBEDTLS_ECP_DP_BP384R1,        /*!< Domain parameters for 384-bit Brainpool curve. */
+    MBEDTLS_ECP_DP_BP512R1,        /*!< Domain parameters for 512-bit Brainpool curve. */
+    MBEDTLS_ECP_DP_CURVE25519,     /*!< Domain parameters for Curve25519. */
+    MBEDTLS_ECP_DP_SECP192K1,      /*!< Domain parameters for 192-bit "Koblitz" curve. */
+    MBEDTLS_ECP_DP_SECP224K1,      /*!< Domain parameters for 224-bit "Koblitz" curve. */
+    MBEDTLS_ECP_DP_SECP256K1,      /*!< Domain parameters for 256-bit "Koblitz" curve. */
+    MBEDTLS_ECP_DP_CURVE448,       /*!< Domain parameters for Curve448. */
 } mbedtls_ecp_group_id;
 
 /**
- * Number of supported curves (plus one for NONE).
+ * The number of supported curves, plus one for #MBEDTLS_ECP_DP_NONE.
  *
- * (Montgomery curves excluded for now.)
+ * \note Montgomery curves are currently excluded.
  */
 #define MBEDTLS_ECP_DP_MAX     12
 
 /**
- * Curve information for use by other modules
+ * Curve information, for use by other modules.
  */
-typedef struct
+typedef struct mbedtls_ecp_curve_info
 {
-    mbedtls_ecp_group_id grp_id;    /*!< Internal identifier        */
-    uint16_t tls_id;                /*!< TLS NamedCurve identifier  */
-    uint16_t bit_size;              /*!< Curve size in bits         */
-    const char *name;               /*!< Human-friendly name        */
+    mbedtls_ecp_group_id grp_id;    /*!< An internal identifier. */
+    uint16_t tls_id;                /*!< The TLS NamedCurve identifier. */
+    uint16_t bit_size;              /*!< The curve size in bits. */
+    const char *name;               /*!< A human-friendly name. */
 } mbedtls_ecp_curve_info;
 
 /**
- * \brief           ECP point structure (jacobian coordinates)
+ * \brief           The ECP point structure, in Jacobian coordinates.
  *
  * \note            All functions expect and return points satisfying
- *                  the following condition: Z == 0 or Z == 1. (Other
- *                  values of Z are used by internal functions only.)
- *                  The point is zero, or "at infinity", if Z == 0.
- *                  Otherwise, X and Y are its standard (affine) coordinates.
+ *                  the following condition: <code>Z == 0</code> or
+ *                  <code>Z == 1</code>. Other values of \p Z are
+ *                  used only by internal functions.
+ *                  The point is zero, or "at infinity", if <code>Z == 0</code>.
+ *                  Otherwise, \p X and \p Y are its standard (affine)
+ *                  coordinates.
  */
-typedef struct
+typedef struct mbedtls_ecp_point
 {
-    mbedtls_mpi X;          /*!<  the point's X coordinate  */
-    mbedtls_mpi Y;          /*!<  the point's Y coordinate  */
-    mbedtls_mpi Z;          /*!<  the point's Z coordinate  */
+    mbedtls_mpi X;          /*!< The X coordinate of the ECP point. */
+    mbedtls_mpi Y;          /*!< The Y coordinate of the ECP point. */
+    mbedtls_mpi Z;          /*!< The Z coordinate of the ECP point. */
 }
 mbedtls_ecp_point;
 
-/**
- * \brief           ECP group structure
- *
- * We consider two types of curves equations:
- * 1. Short Weierstrass y^2 = x^3 + A x + B     mod P   (SEC1 + RFC 4492)
- * 2. Montgomery,       y^2 = x^3 + A x^2 + x   mod P   (Curve25519 + draft)
- * In both cases, a generator G for a prime-order subgroup is fixed. In the
- * short weierstrass, this subgroup is actually the whole curve, and its
- * cardinal is denoted by N.
- *
- * In the case of Short Weierstrass curves, our code requires that N is an odd
- * prime. (Use odd in mbedtls_ecp_mul() and prime in mbedtls_ecdsa_sign() for blinding.)
- *
- * In the case of Montgomery curves, we don't store A but (A + 2) / 4 which is
- * the quantity actually used in the formulas. Also, nbits is not the size of N
- * but the required size for private keys.
+#if !defined(MBEDTLS_ECP_ALT)
+/*
+ * default mbed TLS elliptic curve arithmetic implementation
  *
- * If modp is NULL, reduction modulo P is done using a generic algorithm.
- * Otherwise, it must point to a function that takes an mbedtls_mpi in the range
- * 0..2^(2*pbits)-1 and transforms it in-place in an integer of little more
- * than pbits, so that the integer may be efficiently brought in the 0..P-1
- * range by a few additions or substractions. It must return 0 on success and
- * non-zero on failure.
+ * (in case MBEDTLS_ECP_ALT is defined then the developer has to provide an
+ * alternative implementation for the whole module and it will replace this
+ * one.)
  */
-typedef struct
-{
-    mbedtls_ecp_group_id id;    /*!<  internal group identifier                     */
-    mbedtls_mpi P;              /*!<  prime modulus of the base field               */
-    mbedtls_mpi A;              /*!<  1. A in the equation, or 2. (A + 2) / 4       */
-    mbedtls_mpi B;              /*!<  1. B in the equation, or 2. unused            */
-    mbedtls_ecp_point G;        /*!<  generator of the (sub)group used              */
-    mbedtls_mpi N;              /*!<  1. the order of G, or 2. unused               */
-    size_t pbits;       /*!<  number of bits in P                           */
-    size_t nbits;       /*!<  number of bits in 1. P, or 2. private keys    */
-    unsigned int h;     /*!<  internal: 1 if the constants are static       */
-    int (*modp)(mbedtls_mpi *); /*!<  function for fast reduction mod P             */
-    int (*t_pre)(mbedtls_ecp_point *, void *);  /*!< unused                         */
-    int (*t_post)(mbedtls_ecp_point *, void *); /*!< unused                         */
-    void *t_data;                       /*!< unused                         */
-    mbedtls_ecp_point *T;       /*!<  pre-computed points for ecp_mul_comb()        */
-    size_t T_size;      /*!<  number for pre-computed points                */
-}
-mbedtls_ecp_group;
 
 /**
- * \brief           ECP key pair structure
+ * \brief           The ECP group structure.
+ *
+ * We consider two types of curve equations:
+ * <ul><li>Short Weierstrass: <code>y^2 = x^3 + A x + B mod P</code>
+ * (SEC1 + RFC-4492)</li>
+ * <li>Montgomery: <code>y^2 = x^3 + A x^2 + x mod P</code> (Curve25519,
+ * Curve448)</li></ul>
+ * In both cases, the generator (\p G) for a prime-order subgroup is fixed.
+ *
+ * For Short Weierstrass, this subgroup is the whole curve, and its
+ * cardinality is denoted by \p N. Our code requires that \p N is an
+ * odd prime as mbedtls_ecp_mul() requires an odd number, and
+ * mbedtls_ecdsa_sign() requires that it is prime for blinding purposes.
+ *
+ * For Montgomery curves, we do not store \p A, but <code>(A + 2) / 4</code>,
+ * which is the quantity used in the formulas. Additionally, \p nbits is
+ * not the size of \p N but the required size for private keys.
+ *
+ * If \p modp is NULL, reduction modulo \p P is done using a generic algorithm.
+ * Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the
+ * range of <code>0..2^(2*pbits)-1</code>, and transforms it in-place to an integer
+ * which is congruent mod \p P to the given MPI, and is close enough to \p pbits
+ * in size, so that it may be efficiently brought in the 0..P-1 range by a few
+ * additions or subtractions. Therefore, it is only an approximative modular
+ * reduction. It must return 0 on success and non-zero on failure.
+ *
+ * \note        Alternative implementations must keep the group IDs distinct. If
+ *              two group structures have the same ID, then they must be
+ *              identical.
  *
- * A generic key pair that could be used for ECDSA, fixed ECDH, etc.
- *
- * \note Members purposefully in the same order as struc mbedtls_ecdsa_context.
  */
-typedef struct
+typedef struct mbedtls_ecp_group
 {
-    mbedtls_ecp_group grp;      /*!<  Elliptic curve and base point     */
-    mbedtls_mpi d;              /*!<  our secret value                  */
-    mbedtls_ecp_point Q;        /*!<  our public value                  */
+    mbedtls_ecp_group_id id;    /*!< An internal group identifier. */
+    mbedtls_mpi P;              /*!< The prime modulus of the base field. */
+    mbedtls_mpi A;              /*!< For Short Weierstrass: \p A in the equation. For
+                                     Montgomery curves: <code>(A + 2) / 4</code>. */
+    mbedtls_mpi B;              /*!< For Short Weierstrass: \p B in the equation.
+                                     For Montgomery curves: unused. */
+    mbedtls_ecp_point G;        /*!< The generator of the subgroup used. */
+    mbedtls_mpi N;              /*!< The order of \p G. */
+    size_t pbits;               /*!< The number of bits in \p P.*/
+    size_t nbits;               /*!< For Short Weierstrass: The number of bits in \p P.
+                                     For Montgomery curves: the number of bits in the
+                                     private keys. */
+    unsigned int h;             /*!< \internal 1 if the constants are static. */
+    int (*modp)(mbedtls_mpi *); /*!< The function for fast pseudo-reduction
+                                     mod \p P (see above).*/
+    int (*t_pre)(mbedtls_ecp_point *, void *);  /*!< Unused. */
+    int (*t_post)(mbedtls_ecp_point *, void *); /*!< Unused. */
+    void *t_data;               /*!< Unused. */
+    mbedtls_ecp_point *T;       /*!< Pre-computed points for ecp_mul_comb(). */
+    size_t T_size;              /*!< The number of pre-computed points. */
 }
-mbedtls_ecp_keypair;
+mbedtls_ecp_group;
 
 /**
  * \name SECTION: Module settings
  *
  * The configuration options you can set for this module are in this section.
- * Either change them in config.h or define them on the compiler command line.
+ * Either change them in config.h, or define them using the compiler command line.
  * \{
  */
 
 #if !defined(MBEDTLS_ECP_MAX_BITS)
 /**
- * Maximum size of the groups (that is, of N and P)
+ * The maximum size of the groups, that is, of \c N and \c P.
  */
-#define MBEDTLS_ECP_MAX_BITS     521   /**< Maximum bit size of groups */
+#define MBEDTLS_ECP_MAX_BITS     521   /**< The maximum size of groups, in bits. */
 #endif
 
 #define MBEDTLS_ECP_MAX_BYTES    ( ( MBEDTLS_ECP_MAX_BITS + 7 ) / 8 )
@@ -213,11 +230,10 @@ mbedtls_ecp_keypair;
  *      521       145     141     135     120      97
  *      384       214     209     198     177     146
  *      256       320     320     303     262     226
-
  *      224       475     475     453     398     342
  *      192       640     640     633     587     476
  */
-#define MBEDTLS_ECP_WINDOW_SIZE    6   /**< Maximum window size used */
+#define MBEDTLS_ECP_WINDOW_SIZE    6   /**< The maximum window size used. */
 #endif /* MBEDTLS_ECP_WINDOW_SIZE */
 
 #if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM)
@@ -232,33 +248,188 @@ mbedtls_ecp_keypair;
  *
  * Change this value to 0 to reduce peak memory usage.
  */
-#define MBEDTLS_ECP_FIXED_POINT_OPTIM  1   /**< Enable fixed-point speed-up */
+#define MBEDTLS_ECP_FIXED_POINT_OPTIM  1   /**< Enable fixed-point speed-up. */
 #endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */
 
 /* \} name SECTION: Module settings */
 
+#else  /* MBEDTLS_ECP_ALT */
+#include "ecp_alt.h"
+#endif /* MBEDTLS_ECP_ALT */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief           Internal restart context for multiplication
+ *
+ * \note            Opaque struct
+ */
+typedef struct mbedtls_ecp_restart_mul mbedtls_ecp_restart_mul_ctx;
+
+/**
+ * \brief           Internal restart context for ecp_muladd()
+ *
+ * \note            Opaque struct
+ */
+typedef struct mbedtls_ecp_restart_muladd mbedtls_ecp_restart_muladd_ctx;
+
+/**
+ * \brief           General context for resuming ECC operations
+ */
+typedef struct
+{
+    unsigned ops_done;                  /*!<  current ops count             */
+    unsigned depth;                     /*!<  call depth (0 = top-level)    */
+    mbedtls_ecp_restart_mul_ctx *rsm;   /*!<  ecp_mul_comb() sub-context    */
+    mbedtls_ecp_restart_muladd_ctx *ma; /*!<  ecp_muladd() sub-context      */
+} mbedtls_ecp_restart_ctx;
+
+/*
+ * Operation counts for restartable functions
+ */
+#define MBEDTLS_ECP_OPS_CHK   3 /*!< basic ops count for ecp_check_pubkey()  */
+#define MBEDTLS_ECP_OPS_DBL   8 /*!< basic ops count for ecp_double_jac()    */
+#define MBEDTLS_ECP_OPS_ADD  11 /*!< basic ops count for see ecp_add_mixed() */
+#define MBEDTLS_ECP_OPS_INV 120 /*!< empirical equivalent for mpi_mod_inv()  */
+
+/**
+ * \brief           Internal; for restartable functions in other modules.
+ *                  Check and update basic ops budget.
+ *
+ * \param grp       Group structure
+ * \param rs_ctx    Restart context
+ * \param ops       Number of basic ops to do
+ *
+ * \return          \c 0 if doing \p ops basic ops is still allowed,
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS otherwise.
+ */
+int mbedtls_ecp_check_budget( const mbedtls_ecp_group *grp,
+                              mbedtls_ecp_restart_ctx *rs_ctx,
+                              unsigned ops );
+
+/* Utility macro for checking and updating ops budget */
+#define MBEDTLS_ECP_BUDGET( ops )   \
+    MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, rs_ctx, \
+                                               (unsigned) (ops) ) );
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define MBEDTLS_ECP_BUDGET( ops )   /* no-op; for compatibility */
+
+/* We want to declare restartable versions of existing functions anyway */
+typedef void mbedtls_ecp_restart_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief    The ECP key-pair structure.
+ *
+ * A generic key-pair that may be used for ECDSA and fixed ECDH, for example.
+ *
+ * \note    Members are deliberately in the same order as in the
+ *          ::mbedtls_ecdsa_context structure.
+ */
+typedef struct mbedtls_ecp_keypair
+{
+    mbedtls_ecp_group grp;      /*!<  Elliptic curve and base point     */
+    mbedtls_mpi d;              /*!<  our secret value                  */
+    mbedtls_ecp_point Q;        /*!<  our public value                  */
+}
+mbedtls_ecp_keypair;
+
 /*
  * Point formats, from RFC 4492's enum ECPointFormat
  */
-#define MBEDTLS_ECP_PF_UNCOMPRESSED    0   /**< Uncompressed point format */
-#define MBEDTLS_ECP_PF_COMPRESSED      1   /**< Compressed point format */
+#define MBEDTLS_ECP_PF_UNCOMPRESSED    0   /**< Uncompressed point format. */
+#define MBEDTLS_ECP_PF_COMPRESSED      1   /**< Compressed point format. */
 
 /*
  * Some other constants from RFC 4492
  */
-#define MBEDTLS_ECP_TLS_NAMED_CURVE    3   /**< ECCurveType's named_curve */
+#define MBEDTLS_ECP_TLS_NAMED_CURVE    3   /**< The named_curve of ECCurveType. */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Set the maximum number of basic operations done in a row.
+ *
+ *                  If more operations are needed to complete a computation,
+ *                  #MBEDTLS_ERR_ECP_IN_PROGRESS will be returned by the
+ *                  function performing the computation. It is then the
+ *                  caller's responsibility to either call again with the same
+ *                  parameters until it returns 0 or an error code; or to free
+ *                  the restart context if the operation is to be aborted.
+ *
+ *                  It is strictly required that all input parameters and the
+ *                  restart context be the same on successive calls for the
+ *                  same operation, but output parameters need not be the
+ *                  same; they must not be used until the function finally
+ *                  returns 0.
+ *
+ *                  This only applies to functions whose documentation
+ *                  mentions they may return #MBEDTLS_ERR_ECP_IN_PROGRESS (or
+ *                  #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS for functions in the
+ *                  SSL module). For functions that accept a "restart context"
+ *                  argument, passing NULL disables restart and makes the
+ *                  function equivalent to the function with the same name
+ *                  with \c _restartable removed. For functions in the ECDH
+ *                  module, restart is disabled unless the function accepts
+ *                  an "ECDH context" argument and
+ *                  mbedtls_ecdh_enable_restart() was previously called on
+ *                  that context. For function in the SSL module, restart is
+ *                  only enabled for specific sides and key exchanges
+ *                  (currently only for clients and ECDHE-ECDSA).
+ *
+ * \param max_ops   Maximum number of basic operations done in a row.
+ *                  Default: 0 (unlimited).
+ *                  Lower (non-zero) values mean ECC functions will block for
+ *                  a lesser maximum amount of time.
+ *
+ * \note            A "basic operation" is defined as a rough equivalent of a
+ *                  multiplication in GF(p) for the NIST P-256 curve.
+ *                  As an indication, with default settings, a scalar
+ *                  multiplication (full run of \c mbedtls_ecp_mul()) is:
+ *                  - about 3300 basic operations for P-256
+ *                  - about 9400 basic operations for P-384
+ *
+ * \note            Very low values are not always respected: sometimes
+ *                  functions need to block for a minimum number of
+ *                  operations, and will do so even if max_ops is set to a
+ *                  lower value.  That minimum depends on the curve size, and
+ *                  can be made lower by decreasing the value of
+ *                  \c MBEDTLS_ECP_WINDOW_SIZE.  As an indication, here is the
+ *                  lowest effective value for various curves and values of
+ *                  that parameter (w for short):
+ *                          w=6     w=5     w=4     w=3     w=2
+ *                  P-256   208     208     160     136     124
+ *                  P-384   682     416     320     272     248
+ *                  P-521  1364     832     640     544     496
+ *
+ * \note            This setting is currently ignored by Curve25519.
+ */
+void mbedtls_ecp_set_max_ops( unsigned max_ops );
 
 /**
- * \brief           Get the list of supported curves in order of preferrence
- *                  (full information)
+ * \brief           Check if restart is enabled (max_ops != 0)
  *
- * \return          A statically allocated array, the last entry is 0.
+ * \return          \c 0 if \c max_ops == 0 (restart disabled)
+ * \return          \c 1 otherwise (restart enabled)
+ */
+int mbedtls_ecp_restart_is_enabled( void );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief           This function retrieves the information defined in
+ *                  mbedtls_ecp_curve_info() for all supported curves in order
+ *                  of preference.
+ *
+ * \return          A statically allocated array. The last entry is 0.
  */
 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list( void );
 
 /**
- * \brief           Get the list of supported curves in order of preferrence
- *                  (grp_id only)
+ * \brief           This function retrieves the list of internal group
+ *                  identifiers of all supported curves in the order of
+ *                  preference.
  *
  * \return          A statically allocated array,
  *                  terminated with MBEDTLS_ECP_DP_NONE.
@@ -266,416 +437,689 @@ const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list( void );
 const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list( void );
 
 /**
- * \brief           Get curve information from an internal group identifier
+ * \brief           This function retrieves curve information from an internal
+ *                  group identifier.
  *
- * \param grp_id    A MBEDTLS_ECP_DP_XXX value
+ * \param grp_id    An \c MBEDTLS_ECP_DP_XXX value.
  *
- * \return          The associated curve information or NULL
+ * \return          The associated curve information on success.
+ * \return          NULL on failure.
  */
 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id( mbedtls_ecp_group_id grp_id );
 
 /**
- * \brief           Get curve information from a TLS NamedCurve value
+ * \brief           This function retrieves curve information from a TLS
+ *                  NamedCurve value.
  *
- * \param tls_id    A MBEDTLS_ECP_DP_XXX value
+ * \param tls_id    An \c MBEDTLS_ECP_DP_XXX value.
  *
- * \return          The associated curve information or NULL
+ * \return          The associated curve information on success.
+ * \return          NULL on failure.
  */
 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id( uint16_t tls_id );
 
 /**
- * \brief           Get curve information from a human-readable name
+ * \brief           This function retrieves curve information from a
+ *                  human-readable name.
  *
- * \param name      The name
+ * \param name      The human-readable name.
  *
- * \return          The associated curve information or NULL
+ * \return          The associated curve information on success.
+ * \return          NULL on failure.
  */
 const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name( const char *name );
 
 /**
- * \brief           Initialize a point (as zero)
+ * \brief           This function initializes a point as zero.
+ *
+ * \param pt        The point to initialize.
  */
 void mbedtls_ecp_point_init( mbedtls_ecp_point *pt );
 
 /**
- * \brief           Initialize a group (to something meaningless)
+ * \brief           This function initializes an ECP group context
+ *                  without loading any domain parameters.
+ *
+ * \note            After this function is called, domain parameters
+ *                  for various ECP groups can be loaded through the
+ *                  mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group()
+ *                  functions.
  */
 void mbedtls_ecp_group_init( mbedtls_ecp_group *grp );
 
 /**
- * \brief           Initialize a key pair (as an invalid one)
+ * \brief           This function initializes a key pair as an invalid one.
+ *
+ * \param key       The key pair to initialize.
  */
 void mbedtls_ecp_keypair_init( mbedtls_ecp_keypair *key );
 
 /**
- * \brief           Free the components of a point
+ * \brief           This function frees the components of a point.
+ *
+ * \param pt        The point to free.
  */
 void mbedtls_ecp_point_free( mbedtls_ecp_point *pt );
 
 /**
- * \brief           Free the components of an ECP group
+ * \brief           This function frees the components of an ECP group.
+ *
+ * \param grp       The group to free. This may be \c NULL, in which
+ *                  case this function returns immediately. If it is not
+ *                  \c NULL, it must point to an initialized ECP group.
  */
 void mbedtls_ecp_group_free( mbedtls_ecp_group *grp );
 
 /**
- * \brief           Free the components of a key pair
+ * \brief           This function frees the components of a key pair.
+ *
+ * \param key       The key pair to free. This may be \c NULL, in which
+ *                  case this function returns immediately. If it is not
+ *                  \c NULL, it must point to an initialized ECP key pair.
  */
 void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key );
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
 /**
- * \brief           Copy the contents of point Q into P
+ * \brief           Initialize a restart context.
  *
- * \param P         Destination point
- * \param Q         Source point
+ * \param ctx       The restart context to initialize. This must
+ *                  not be \c NULL.
+ */
+void mbedtls_ecp_restart_init( mbedtls_ecp_restart_ctx *ctx );
+
+/**
+ * \brief           Free the components of a restart context.
  *
- * \return          0 if successful,
- *                  MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \param ctx       The restart context to free. This may be \c NULL, in which
+ *                  case this function returns immediately. If it is not
+ *                  \c NULL, it must point to an initialized restart context.
+ */
+void mbedtls_ecp_restart_free( mbedtls_ecp_restart_ctx *ctx );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief           This function copies the contents of point \p Q into
+ *                  point \p P.
+ *
+ * \param P         The destination point. This must be initialized.
+ * \param Q         The source point. This must be initialized.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code for other kinds of failure.
  */
 int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q );
 
 /**
- * \brief           Copy the contents of a group object
+ * \brief           This function copies the contents of group \p src into
+ *                  group \p dst.
  *
- * \param dst       Destination group
- * \param src       Source group
+ * \param dst       The destination group. This must be initialized.
+ * \param src       The source group. This must be initialized.
  *
- * \return          0 if successful,
- *                  MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code on other kinds of failure.
  */
-int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst, const mbedtls_ecp_group *src );
+int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst,
+                            const mbedtls_ecp_group *src );
 
 /**
- * \brief           Set a point to zero
+ * \brief           This function sets a point to the point at infinity.
  *
- * \param pt        Destination point
+ * \param pt        The point to set. This must be initialized.
  *
- * \return          0 if successful,
- *                  MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code on other kinds of failure.
  */
 int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt );
 
 /**
- * \brief           Tell if a point is zero
+ * \brief           This function checks if a point is the point at infinity.
  *
- * \param pt        Point to test
+ * \param pt        The point to test. This must be initialized.
  *
- * \return          1 if point is zero, 0 otherwise
+ * \return          \c 1 if the point is zero.
+ * \return          \c 0 if the point is non-zero.
+ * \return          A negative error code on failure.
  */
 int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt );
 
 /**
- * \brief           Compare two points
+ * \brief           This function compares two points.
  *
- * \note            This assumes the points are normalized. Otherwise,
+ * \note            This assumes that the points are normalized. Otherwise,
  *                  they may compare as "not equal" even if they are.
  *
- * \param P         First point to compare
- * \param Q         Second point to compare
+ * \param P         The first point to compare. This must be initialized.
+ * \param Q         The second point to compare. This must be initialized.
  *
- * \return          0 if the points are equal,
- *                  MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise
+ * \return          \c 0 if the points are equal.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal.
  */
 int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P,
                            const mbedtls_ecp_point *Q );
 
 /**
- * \brief           Import a non-zero point from two ASCII strings
+ * \brief           This function imports a non-zero point from two ASCII
+ *                  strings.
  *
- * \param P         Destination point
- * \param radix     Input numeric base
- * \param x         First affine coordinate as a null-terminated string
- * \param y         Second affine coordinate as a null-terminated string
+ * \param P         The destination point. This must be initialized.
+ * \param radix     The numeric base of the input.
+ * \param x         The first affine coordinate, as a null-terminated string.
+ * \param y         The second affine coordinate, as a null-terminated string.
  *
- * \return          0 if successful, or a MBEDTLS_ERR_MPI_XXX error code
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_MPI_XXX error code on failure.
  */
 int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix,
                            const char *x, const char *y );
 
 /**
- * \brief           Export a point into unsigned binary data
- *
- * \param grp       Group to which the point should belong
- * \param P         Point to export
- * \param format    Point format, should be a MBEDTLS_ECP_PF_XXX macro
- * \param olen      Length of the actual output
- * \param buf       Output buffer
- * \param buflen    Length of the output buffer
- *
- * \return          0 if successful,
- *                  or MBEDTLS_ERR_ECP_BAD_INPUT_DATA
- *                  or MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+ * \brief           This function exports a point into unsigned binary data.
+ *
+ * \param grp       The group to which the point should belong.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param P         The point to export. This must be initialized.
+ * \param format    The point format. This must be either
+ *                  #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
+ * \param olen      The address at which to store the length of
+ *                  the output in Bytes. This must not be \c NULL.
+ * \param buf       The output buffer. This must be a writable buffer
+ *                  of length \p buflen Bytes.
+ * \param buflen    The length of the output buffer \p buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer
+ *                  is too small to hold the point.
+ * \return          Another negative error code on other kinds of failure.
  */
 int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *P,
                             int format, size_t *olen,
                             unsigned char *buf, size_t buflen );
 
 /**
- * \brief           Import a point from unsigned binary data
- *
- * \param grp       Group to which the point should belong
- * \param P         Point to import
- * \param buf       Input buffer
- * \param ilen      Actual length of input
- *
- * \return          0 if successful,
- *                  MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid,
- *                  MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
- *                  MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
+ * \brief           This function imports a point from unsigned binary data.
+ *
+ * \note            This function does not check that the point actually
+ *                  belongs to the given group, see mbedtls_ecp_check_pubkey()
+ *                  for that.
+ *
+ * \param grp       The group to which the point should belong.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param P         The destination context to import the point to.
+ *                  This must be initialized.
+ * \param buf       The input buffer. This must be a readable buffer
+ *                  of length \p ilen Bytes.
+ * \param ilen      The length of the input buffer \p buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
  *                  is not implemented.
- *
- * \note            This function does NOT check that the point actually
- *                  belongs to the given group, see mbedtls_ecp_check_pubkey() for
- *                  that.
  */
-int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
-                           const unsigned char *buf, size_t ilen );
+int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp,
+                                   mbedtls_ecp_point *P,
+                                   const unsigned char *buf, size_t ilen );
 
 /**
- * \brief           Import a point from a TLS ECPoint record
- *
- * \param grp       ECP group used
- * \param pt        Destination point
- * \param buf       $(Start of input buffer)
- * \param len       Buffer length
- *
- * \note            buf is updated to point right after the ECPoint on exit
- *
- * \return          0 if successful,
- *                  MBEDTLS_ERR_MPI_XXX if initialization failed
- *                  MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid
+ * \brief           This function imports a point from a TLS ECPoint record.
+ *
+ * \note            On function return, \p *buf is updated to point immediately
+ *                  after the ECPoint record.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param pt        The destination point.
+ * \param buf       The address of the pointer to the start of the input buffer.
+ * \param len       The length of the buffer.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_MPI_XXX error code on initialization
+ *                  failure.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
  */
-int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
-                        const unsigned char **buf, size_t len );
+int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp,
+                                mbedtls_ecp_point *pt,
+                                const unsigned char **buf, size_t len );
 
 /**
- * \brief           Export a point as a TLS ECPoint record
- *
- * \param grp       ECP group used
- * \param pt        Point to export
- * \param format    Export format
- * \param olen      length of data written
- * \param buf       Buffer to write to
- * \param blen      Buffer length
- *
- * \return          0 if successful,
- *                  or MBEDTLS_ERR_ECP_BAD_INPUT_DATA
- *                  or MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+ * \brief           This function exports a point as a TLS ECPoint record
+ *                  defined in RFC 4492, Section 5.4.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param pt        The point to be exported. This must be initialized.
+ * \param format    The point format to use. This must be either
+ *                  #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
+ * \param olen      The address at which to store the length in Bytes
+ *                  of the data written.
+ * \param buf       The target buffer. This must be a writable buffer of
+ *                  length \p blen Bytes.
+ * \param blen      The length of the target buffer \p buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
+ * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer
+ *                  is too small to hold the exported point.
+ * \return          Another negative error code on other kinds of failure.
  */
-int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt,
-                         int format, size_t *olen,
-                         unsigned char *buf, size_t blen );
+int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp,
+                                 const mbedtls_ecp_point *pt,
+                                 int format, size_t *olen,
+                                 unsigned char *buf, size_t blen );
 
 /**
- * \brief           Set a group using well-known domain parameters
+ * \brief           This function sets up an ECP group context
+ *                  from a standardized set of domain parameters.
  *
- * \param grp       Destination group
- * \param id        Index in the list of well-known domain parameters
+ * \note            The index should be a value of the NamedCurve enum,
+ *                  as defined in <em>RFC-4492: Elliptic Curve Cryptography
+ *                  (ECC) Cipher Suites for Transport Layer Security (TLS)</em>,
+ *                  usually in the form of an \c MBEDTLS_ECP_DP_XXX macro.
  *
- * \return          0 if successful,
- *                  MBEDTLS_ERR_MPI_XXX if initialization failed
- *                  MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE for unkownn groups
+ * \param grp       The group context to setup. This must be initialized.
+ * \param id        The identifier of the domain parameter set to load.
  *
- * \note            Index should be a value of RFC 4492's enum NamedCurve,
- *                  usually in the form of a MBEDTLS_ECP_DP_XXX macro.
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't
+ *                  correspond to a known group.
+ * \return          Another negative error code on other kinds of failure.
  */
 int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id );
 
 /**
- * \brief           Set a group from a TLS ECParameters record
+ * \brief           This function sets up an ECP group context from a TLS
+ *                  ECParameters record as defined in RFC 4492, Section 5.4.
  *
- * \param grp       Destination group
- * \param buf       &(Start of input buffer)
- * \param len       Buffer length
+ * \note            The read pointer \p buf is updated to point right after
+ *                  the ECParameters record on exit.
  *
- * \note            buf is updated to point right after ECParameters on exit
+ * \param grp       The group context to setup. This must be initialized.
+ * \param buf       The address of the pointer to the start of the input buffer.
+ * \param len       The length of the input buffer \c *buf in Bytes.
  *
- * \return          0 if successful,
- *                  MBEDTLS_ERR_MPI_XXX if initialization failed
- *                  MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
+ *                  recognized.
+ * \return          Another negative error code on other kinds of failure.
  */
-int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp, const unsigned char **buf, size_t len );
+int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp,
+                                const unsigned char **buf, size_t len );
 
 /**
- * \brief           Write the TLS ECParameters record for a group
- *
- * \param grp       ECP group used
- * \param olen      Number of bytes actually written
- * \param buf       Buffer to write to
- * \param blen      Buffer length
- *
- * \return          0 if successful,
- *                  or MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+ * \brief           This function extracts an elliptic curve group ID from a
+ *                  TLS ECParameters record as defined in RFC 4492, Section 5.4.
+ *
+ * \note            The read pointer \p buf is updated to point right after
+ *                  the ECParameters record on exit.
+ *
+ * \param grp       The address at which to store the group id.
+ *                  This must not be \c NULL.
+ * \param buf       The address of the pointer to the start of the input buffer.
+ * \param len       The length of the input buffer \c *buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
+ *                  recognized.
+ * \return          Another negative error code on other kinds of failure.
  */
-int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen,
-                         unsigned char *buf, size_t blen );
+int mbedtls_ecp_tls_read_group_id( mbedtls_ecp_group_id *grp,
+                                   const unsigned char **buf,
+                                   size_t len );
+/**
+ * \brief           This function exports an elliptic curve as a TLS
+ *                  ECParameters record as defined in RFC 4492, Section 5.4.
+ *
+ * \param grp       The ECP group to be exported.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param olen      The address at which to store the number of Bytes written.
+ *                  This must not be \c NULL.
+ * \param buf       The buffer to write to. This must be a writable buffer
+ *                  of length \p blen Bytes.
+ * \param blen      The length of the output buffer \p buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output
+ *                  buffer is too small to hold the exported group.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp,
+                                 size_t *olen,
+                                 unsigned char *buf, size_t blen );
 
 /**
- * \brief           Multiplication by an integer: R = m * P
- *                  (Not thread-safe to use same group in multiple threads)
- *
- * \note            In order to prevent timing attacks, this function
- *                  executes the exact same sequence of (base field)
- *                  operations for any valid m. It avoids any if-branch or
- *                  array index depending on the value of m.
- *
- * \note            If f_rng is not NULL, it is used to randomize intermediate
- *                  results in order to prevent potential timing attacks
- *                  targeting these results. It is recommended to always
- *                  provide a non-NULL f_rng (the overhead is negligible).
- *
- * \param grp       ECP group
- * \param R         Destination point
- * \param m         Integer by which to multiply
- * \param P         Point to multiply
- * \param f_rng     RNG function (see notes)
- * \param p_rng     RNG parameter
- *
- * \return          0 if successful,
- *                  MBEDTLS_ERR_ECP_INVALID_KEY if m is not a valid privkey
- *                  or P is not a valid pubkey,
- *                  MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \brief           This function performs a scalar multiplication of a point
+ *                  by an integer: \p R = \p m * \p P.
+ *
+ *                  It is not thread-safe to use same group in multiple threads.
+ *
+ * \note            To prevent timing attacks, this function
+ *                  executes the exact same sequence of base-field
+ *                  operations for any valid \p m. It avoids any if-branch or
+ *                  array index depending on the value of \p m.
+ *
+ * \note            If \p f_rng is not NULL, it is used to randomize
+ *                  intermediate results to prevent potential timing attacks
+ *                  targeting these results. We recommend always providing
+ *                  a non-NULL \p f_rng. The overhead is negligible.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param R         The point in which to store the result of the calculation.
+ *                  This must be initialized.
+ * \param m         The integer by which to multiply. This must be initialized.
+ * \param P         The point to multiply. This must be initialized.
+ * \param f_rng     The RNG function. This may be \c NULL if randomization
+ *                  of intermediate results isn't desired (discouraged).
+ * \param p_rng     The RNG context to be passed to \p p_rng.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
+ *                  key, or \p P is not a valid public key.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code on other kinds of failure.
  */
 int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
              const mbedtls_mpi *m, const mbedtls_ecp_point *P,
              int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
 
 /**
- * \brief           Multiplication and addition of two points by integers:
- *                  R = m * P + n * Q
- *                  (Not thread-safe to use same group in multiple threads)
- *
- * \note            In contrast to mbedtls_ecp_mul(), this function does not guarantee
- *                  a constant execution flow and timing.
- *
- * \param grp       ECP group
- * \param R         Destination point
- * \param m         Integer by which to multiply P
- * \param P         Point to multiply by m
- * \param n         Integer by which to multiply Q
- * \param Q         Point to be multiplied by n
- *
- * \return          0 if successful,
- *                  MBEDTLS_ERR_ECP_INVALID_KEY if m or n is not a valid privkey
- *                  or P or Q is not a valid pubkey,
- *                  MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ * \brief           This function performs multiplication of a point by
+ *                  an integer: \p R = \p m * \p P in a restartable way.
+ *
+ * \see             mbedtls_ecp_mul()
+ *
+ * \note            This function does the same as \c mbedtls_ecp_mul(), but
+ *                  it can return early and restart according to the limit set
+ *                  with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param R         The point in which to store the result of the calculation.
+ *                  This must be initialized.
+ * \param m         The integer by which to multiply. This must be initialized.
+ * \param P         The point to multiply. This must be initialized.
+ * \param f_rng     The RNG function. This may be \c NULL if randomization
+ *                  of intermediate results isn't desired (discouraged).
+ * \param p_rng     The RNG context to be passed to \p p_rng.
+ * \param rs_ctx    The restart context (NULL disables restart).
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
+ *                  key, or \p P is not a valid public key.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_mul_restartable( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+             mbedtls_ecp_restart_ctx *rs_ctx );
+
+/**
+ * \brief           This function performs multiplication and addition of two
+ *                  points by integers: \p R = \p m * \p P + \p n * \p Q
+ *
+ *                  It is not thread-safe to use same group in multiple threads.
+ *
+ * \note            In contrast to mbedtls_ecp_mul(), this function does not
+ *                  guarantee a constant execution flow and timing.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param R         The point in which to store the result of the calculation.
+ *                  This must be initialized.
+ * \param m         The integer by which to multiply \p P.
+ *                  This must be initialized.
+ * \param P         The point to multiply by \p m. This must be initialized.
+ * \param n         The integer by which to multiply \p Q.
+ *                  This must be initialized.
+ * \param Q         The point to be multiplied by \p n.
+ *                  This must be initialized.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
+ *                  valid private keys, or \p P or \p Q are not valid public
+ *                  keys.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code on other kinds of failure.
  */
 int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
              const mbedtls_mpi *m, const mbedtls_ecp_point *P,
              const mbedtls_mpi *n, const mbedtls_ecp_point *Q );
 
 /**
- * \brief           Check that a point is a valid public key on this curve
- *
- * \param grp       Curve/group the point should belong to
- * \param pt        Point to check
- *
- * \return          0 if point is a valid public key,
- *                  MBEDTLS_ERR_ECP_INVALID_KEY otherwise.
- *
- * \note            This function only checks the point is non-zero, has valid
- *                  coordinates and lies on the curve, but not that it is
- *                  indeed a multiple of G. This is additional check is more
- *                  expensive, isn't required by standards, and shouldn't be
- *                  necessary if the group used has a small cofactor. In
- *                  particular, it is useless for the NIST groups which all
- *                  have a cofactor of 1.
- *
- * \note            Uses bare components rather than an mbedtls_ecp_keypair structure
- *                  in order to ease use with other structures such as
- *                  mbedtls_ecdh_context of mbedtls_ecdsa_context.
+ * \brief           This function performs multiplication and addition of two
+ *                  points by integers: \p R = \p m * \p P + \p n * \p Q in a
+ *                  restartable way.
+ *
+ * \see             \c mbedtls_ecp_muladd()
+ *
+ * \note            This function works the same as \c mbedtls_ecp_muladd(),
+ *                  but it can return early and restart according to the limit
+ *                  set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param R         The point in which to store the result of the calculation.
+ *                  This must be initialized.
+ * \param m         The integer by which to multiply \p P.
+ *                  This must be initialized.
+ * \param P         The point to multiply by \p m. This must be initialized.
+ * \param n         The integer by which to multiply \p Q.
+ *                  This must be initialized.
+ * \param Q         The point to be multiplied by \p n.
+ *                  This must be initialized.
+ * \param rs_ctx    The restart context (NULL disables restart).
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
+ *                  valid private keys, or \p P or \p Q are not valid public
+ *                  keys.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another negative error code on other kinds of failure.
  */
-int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt );
+int mbedtls_ecp_muladd_restartable(
+             mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
+             mbedtls_ecp_restart_ctx *rs_ctx );
 
 /**
- * \brief           Check that an mbedtls_mpi is a valid private key for this curve
- *
- * \param grp       Group used
- * \param d         Integer to check
- *
- * \return          0 if point is a valid private key,
- *                  MBEDTLS_ERR_ECP_INVALID_KEY otherwise.
- *
- * \note            Uses bare components rather than an mbedtls_ecp_keypair structure
- *                  in order to ease use with other structures such as
- *                  mbedtls_ecdh_context of mbedtls_ecdsa_context.
+ * \brief           This function checks that a point is a valid public key
+ *                  on this curve.
+ *
+ *                  It only checks that the point is non-zero, has
+ *                  valid coordinates and lies on the curve. It does not verify
+ *                  that it is indeed a multiple of \p G. This additional
+ *                  check is computationally more expensive, is not required
+ *                  by standards, and should not be necessary if the group
+ *                  used has a small cofactor. In particular, it is useless for
+ *                  the NIST groups which all have a cofactor of 1.
+ *
+ * \note            This function uses bare components rather than an
+ *                  ::mbedtls_ecp_keypair structure, to ease use with other
+ *                  structures, such as ::mbedtls_ecdh_context or
+ *                  ::mbedtls_ecdsa_context.
+ *
+ * \param grp       The ECP group the point should belong to.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param pt        The point to check. This must be initialized.
+ *
+ * \return          \c 0 if the point is a valid public key.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not
+ *                  a valid public key for the given curve.
+ * \return          Another negative error code on other kinds of failure.
  */
-int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp, const mbedtls_mpi *d );
+int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp,
+                              const mbedtls_ecp_point *pt );
 
 /**
- * \brief           Generate a keypair with configurable base point
- *
- * \param grp       ECP group
- * \param G         Chosen base point
- * \param d         Destination MPI (secret part)
- * \param Q         Destination point (public part)
- * \param f_rng     RNG function
- * \param p_rng     RNG parameter
- *
- * \return          0 if successful,
- *                  or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
- *
- * \note            Uses bare components rather than an mbedtls_ecp_keypair structure
- *                  in order to ease use with other structures such as
- *                  mbedtls_ecdh_context of mbedtls_ecdsa_context.
+ * \brief           This function checks that an \p mbedtls_mpi is a
+ *                  valid private key for this curve.
+ *
+ * \note            This function uses bare components rather than an
+ *                  ::mbedtls_ecp_keypair structure to ease use with other
+ *                  structures, such as ::mbedtls_ecdh_context or
+ *                  ::mbedtls_ecdsa_context.
+ *
+ * \param grp       The ECP group the private key should belong to.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param d         The integer to check. This must be initialized.
+ *
+ * \return          \c 0 if the point is a valid private key.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid
+ *                  private key for the given curve.
+ * \return          Another negative error code on other kinds of failure.
  */
-int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
-                     const mbedtls_ecp_point *G,
-                     mbedtls_mpi *d, mbedtls_ecp_point *Q,
-                     int (*f_rng)(void *, unsigned char *, size_t),
-                     void *p_rng );
+int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp,
+                               const mbedtls_mpi *d );
 
 /**
- * \brief           Generate a keypair
- *
- * \param grp       ECP group
- * \param d         Destination MPI (secret part)
- * \param Q         Destination point (public part)
- * \param f_rng     RNG function
- * \param p_rng     RNG parameter
- *
- * \return          0 if successful,
- *                  or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
- *
- * \note            Uses bare components rather than an mbedtls_ecp_keypair structure
- *                  in order to ease use with other structures such as
- *                  mbedtls_ecdh_context of mbedtls_ecdsa_context.
+ * \brief           This function generates a private key.
+ *
+ * \param grp       The ECP group to generate a private key for.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param d         The destination MPI (secret part). This must be initialized.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ *                  on failure.
  */
-int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
+int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
+                     mbedtls_mpi *d,
                      int (*f_rng)(void *, unsigned char *, size_t),
                      void *p_rng );
 
 /**
- * \brief           Generate a keypair
+ * \brief           This function generates a keypair with a configurable base
+ *                  point.
+ *
+ * \note            This function uses bare components rather than an
+ *                  ::mbedtls_ecp_keypair structure to ease use with other
+ *                  structures, such as ::mbedtls_ecdh_context or
+ *                  ::mbedtls_ecdsa_context.
+ *
+ * \param grp       The ECP group to generate a key pair for.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param G         The base point to use. This must be initialized
+ *                  and belong to \p grp. It replaces the default base
+ *                  point \c grp->G used by mbedtls_ecp_gen_keypair().
+ * \param d         The destination MPI (secret part).
+ *                  This must be initialized.
+ * \param Q         The destination point (public part).
+ *                  This must be initialized.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may
+ *                  be \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ *                  on failure.
+ */
+int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
+                                  const mbedtls_ecp_point *G,
+                                  mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                                  int (*f_rng)(void *, unsigned char *, size_t),
+                                  void *p_rng );
+
+/**
+ * \brief           This function generates an ECP keypair.
+ *
+ * \note            This function uses bare components rather than an
+ *                  ::mbedtls_ecp_keypair structure to ease use with other
+ *                  structures, such as ::mbedtls_ecdh_context or
+ *                  ::mbedtls_ecdsa_context.
+ *
+ * \param grp       The ECP group to generate a key pair for.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param d         The destination MPI (secret part).
+ *                  This must be initialized.
+ * \param Q         The destination point (public part).
+ *                  This must be initialized.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may
+ *                  be \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ *                  on failure.
+ */
+int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, mbedtls_mpi *d,
+                             mbedtls_ecp_point *Q,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng );
+
+/**
+ * \brief           This function generates an ECP key.
  *
- * \param grp_id    ECP group identifier
- * \param key       Destination keypair
- * \param f_rng     RNG function
- * \param p_rng     RNG parameter
+ * \param grp_id    The ECP group identifier.
+ * \param key       The destination key. This must be initialized.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may
+ *                  be \c NULL if \p f_rng doesn't need a context argument.
  *
- * \return          0 if successful,
- *                  or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ *                  on failure.
  */
 int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
-                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng );
 
 /**
- * \brief           Check a public-private key pair
- *
- * \param pub       Keypair structure holding a public key
- * \param prv       Keypair structure holding a private (plus public) key
- *
- * \return          0 if successful (keys are valid and match), or
- *                  MBEDTLS_ERR_ECP_BAD_INPUT_DATA, or
- *                  a MBEDTLS_ERR_ECP_XXX or MBEDTLS_ERR_MPI_XXX code.
+ * \brief           This function checks that the keypair objects
+ *                  \p pub and \p prv have the same group and the
+ *                  same public point, and that the private key in
+ *                  \p prv is consistent with the public key.
+ *
+ * \param pub       The keypair structure holding the public key. This
+ *                  must be initialized. If it contains a private key, that
+ *                  part is ignored.
+ * \param prv       The keypair structure holding the full keypair.
+ *                  This must be initialized.
+ *
+ * \return          \c 0 on success, meaning that the keys are valid and match.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX
+ *                  error code on calculation failure.
  */
-int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv );
+int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub,
+                                const mbedtls_ecp_keypair *prv );
 
 #if defined(MBEDTLS_SELF_TEST)
 
 /**
- * \brief          Checkup routine
+ * \brief          The ECP checkup routine.
  *
- * \return         0 if successful, or 1 if a test failed
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
  */
 int mbedtls_ecp_self_test( int verbose );
 
@@ -685,8 +1129,4 @@ int mbedtls_ecp_self_test( int verbose );
 }
 #endif
 
-#else  /* MBEDTLS_ECP_ALT */
-#include "ecp_alt.h"
-#endif /* MBEDTLS_ECP_ALT */
-
 #endif /* ecp.h */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/entropy.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/entropy.h
index fcb4d02557..ca06dc3c58 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/entropy.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/entropy.h
@@ -107,7 +107,7 @@ typedef int (*mbedtls_entropy_f_source_ptr)(void *data, unsigned char *output, s
 /**
  * \brief           Entropy source state
  */
-typedef struct
+typedef struct mbedtls_entropy_source_state
 {
     mbedtls_entropy_f_source_ptr    f_source;   /**< The entropy source callback */
     void *          p_source;   /**< The callback data pointer */
@@ -120,7 +120,7 @@ mbedtls_entropy_source_state;
 /**
  * \brief           Entropy context structure
  */
-typedef struct
+typedef struct mbedtls_entropy_context
 {
     int accumulator_started;
 #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
@@ -166,7 +166,7 @@ void mbedtls_entropy_free( mbedtls_entropy_context *ctx );
  * \param threshold Minimum required from source before entropy is released
  *                  ( with mbedtls_entropy_func() ) (in bytes)
  * \param strong    MBEDTLS_ENTROPY_SOURCE_STRONG or
- *                  MBEDTSL_ENTROPY_SOURCE_WEAK.
+ *                  MBEDTLS_ENTROPY_SOURCE_WEAK.
  *                  At least one strong source needs to be added.
  *                  Weaker sources (such as the cycle counter) can be used as
  *                  a complement.
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/error.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/error.h
index ef22bc6842..bee0fe485a 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/error.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/error.h
@@ -4,7 +4,7 @@
  * \brief Error to string translation
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
  *  SPDX-License-Identifier: Apache-2.0
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -59,7 +59,7 @@
  * GCM       3  0x0012-0x0014   0x0013-0x0013
  * BLOWFISH  3  0x0016-0x0018   0x0017-0x0017
  * THREADING 3  0x001A-0x001E
- * AES       4  0x0020-0x0022   0x0023-0x0025
+ * AES       5  0x0020-0x0022   0x0021-0x0025
  * CAMELLIA  3  0x0024-0x0026   0x0027-0x0027
  * XTEA      2  0x0028-0x0028   0x0029-0x0029
  * BASE64    2  0x002A-0x002C
@@ -68,7 +68,8 @@
  * DES       2  0x0032-0x0032   0x0033-0x0033
  * CTR_DBRG  4  0x0034-0x003A
  * ENTROPY   3  0x003C-0x0040   0x003D-0x003F
- * NET      11  0x0042-0x0052   0x0043-0x0045
+ * NET      13  0x0042-0x0052   0x0043-0x0049
+ * ARIA      4  0x0058-0x005E
  * ASN1      7  0x0060-0x006C
  * CMAC      1  0x007A-0x007A
  * PBKDF2    1  0x007C-0x007C
@@ -79,9 +80,13 @@
  * MD4       1                  0x002D-0x002D
  * MD5       1                  0x002F-0x002F
  * RIPEMD160 1                  0x0031-0x0031
- * SHA1      1                  0x0035-0x0035
- * SHA256    1                  0x0037-0x0037
- * SHA512    1                  0x0039-0x0039
+ * SHA1      1                  0x0035-0x0035 0x0073-0x0073
+ * SHA256    1                  0x0037-0x0037 0x0074-0x0074
+ * SHA512    1                  0x0039-0x0039 0x0075-0x0075
+ * CHACHA20  3                  0x0051-0x0055
+ * POLY1305  3                  0x0057-0x005B
+ * CHACHAPOLY 2 0x0054-0x0056
+ * PLATFORM  1  0x0070-0x0072
  *
  * High-level module nr (3 bits - 0x0...-0x7...)
  * Name      ID  Nr of Errors
@@ -92,11 +97,12 @@
  * DHM       3   11
  * PK        3   15 (Started from top)
  * RSA       4   11
- * ECP       4   9 (Started from top)
+ * ECP       4   10 (Started from top)
  * MD        5   5
+ * HKDF      5   1 (Started from top)
  * CIPHER    6   8
- * SSL       6   17 (Started from top)
- * SSL       7   31
+ * SSL       6   23 (Started from top)
+ * SSL       7   32
  *
  * Module dependent error code (5 bits 0x.00.-0x.F8.)
  */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/gcm.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/gcm.h
index bd258aae54..fd130abd7c 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/gcm.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/gcm.h
@@ -1,9 +1,11 @@
 /**
  * \file gcm.h
  *
- * \brief Galois/Counter Mode (GCM) for 128-bit block ciphers, as defined
- *        in <em>D. McGrew, J. Viega, The Galois/Counter Mode of Operation
- *        (GCM), Natl. Inst. Stand. Technol.</em>
+ * \brief This file contains GCM definitions and functions.
+ *
+ * The Galois/Counter Mode (GCM) for 128-bit block ciphers is defined
+ * in <em>D. McGrew, J. Viega, The Galois/Counter Mode of Operation
+ * (GCM), Natl. Inst. Stand. Technol.</em>
  *
  * For more information on GCM, see <em>NIST SP 800-38D: Recommendation for
  * Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</em>.
@@ -45,19 +47,23 @@
 #define MBEDTLS_GCM_DECRYPT     0
 
 #define MBEDTLS_ERR_GCM_AUTH_FAILED                       -0x0012  /**< Authenticated decryption failed. */
+
+/* MBEDTLS_ERR_GCM_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_GCM_HW_ACCEL_FAILED                   -0x0013  /**< GCM hardware accelerator failed. */
-#define MBEDTLS_ERR_GCM_BAD_INPUT                         -0x0014  /**< Bad input parameters to function. */
 
-#if !defined(MBEDTLS_GCM_ALT)
+#define MBEDTLS_ERR_GCM_BAD_INPUT                         -0x0014  /**< Bad input parameters to function. */
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_GCM_ALT)
+
 /**
  * \brief          The GCM context structure.
  */
-typedef struct {
+typedef struct mbedtls_gcm_context
+{
     mbedtls_cipher_context_t cipher_ctx;  /*!< The cipher context used. */
     uint64_t HL[16];                      /*!< Precalculated HTable low. */
     uint64_t HH[16];                      /*!< Precalculated HTable high. */
@@ -72,6 +78,10 @@ typedef struct {
 }
 mbedtls_gcm_context;
 
+#else  /* !MBEDTLS_GCM_ALT */
+#include "gcm_alt.h"
+#endif /* !MBEDTLS_GCM_ALT */
+
 /**
  * \brief           This function initializes the specified GCM context,
  *                  to make references valid, and prepares the context
@@ -81,7 +91,7 @@ mbedtls_gcm_context;
  *                  cipher, nor set the key. For this purpose, use
  *                  mbedtls_gcm_setkey().
  *
- * \param ctx       The GCM context to initialize.
+ * \param ctx       The GCM context to initialize. This must not be \c NULL.
  */
 void mbedtls_gcm_init( mbedtls_gcm_context *ctx );
 
@@ -89,15 +99,17 @@ void mbedtls_gcm_init( mbedtls_gcm_context *ctx );
  * \brief           This function associates a GCM context with a
  *                  cipher algorithm and a key.
  *
- * \param ctx       The GCM context to initialize.
+ * \param ctx       The GCM context. This must be initialized.
  * \param cipher    The 128-bit block cipher to use.
- * \param key       The encryption key.
+ * \param key       The encryption key. This must be a readable buffer of at
+ *                  least \p keybits bits.
  * \param keybits   The key size in bits. Valid options are:
  *                  <ul><li>128 bits</li>
  *                  <li>192 bits</li>
  *                  <li>256 bits</li></ul>
  *
- * \return          \c 0 on success, or a cipher specific error code.
+ * \return          \c 0 on success.
+ * \return          A cipher-specific error code on failure.
  */
 int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
                         mbedtls_cipher_id_t cipher,
@@ -107,17 +119,18 @@ int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
 /**
  * \brief           This function performs GCM encryption or decryption of a buffer.
  *
- * \note For encryption, the output buffer can be the same as the input buffer.
- *       For decryption, the output buffer cannot be the same as input buffer.
- *       If the buffers overlap, the output buffer must trail at least 8 Bytes
- *       behind the input buffer.
+ * \note            For encryption, the output buffer can be the same as the
+ *                  input buffer. For decryption, the output buffer cannot be
+ *                  the same as input buffer. If the buffers overlap, the output
+ *                  buffer must trail at least 8 Bytes behind the input buffer.
  *
  * \warning         When this function performs a decryption, it outputs the
  *                  authentication tag and does not verify that the data is
  *                  authentic. You should use this function to perform encryption
  *                  only. For decryption, use mbedtls_gcm_auth_decrypt() instead.
  *
- * \param ctx       The GCM context to use for encryption or decryption.
+ * \param ctx       The GCM context to use for encryption or decryption. This
+ *                  must be initialized.
  * \param mode      The operation to perform:
  *                  - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption.
  *                    The ciphertext is written to \p output and the
@@ -131,22 +144,28 @@ int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
  *                    calling this function in decryption mode.
  * \param length    The length of the input data, which is equal to the length
  *                  of the output data.
- * \param iv        The initialization vector.
+ * \param iv        The initialization vector. This must be a readable buffer of
+ *                  at least \p iv_len Bytes.
  * \param iv_len    The length of the IV.
- * \param add       The buffer holding the additional data.
+ * \param add       The buffer holding the additional data. This must be of at
+ *                  least that size in Bytes.
  * \param add_len   The length of the additional data.
- * \param input     The buffer holding the input data. Its size is \b length.
- * \param output    The buffer for holding the output data. It must have room
- *                  for \b length bytes.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, this must be a readable buffer of at least that
+ *                  size in Bytes.
+ * \param output    The buffer for holding the output data. If \p length is greater
+ *                  than zero, this must be a writable buffer of at least that
+ *                  size in Bytes.
  * \param tag_len   The length of the tag to generate.
- * \param tag       The buffer for holding the tag.
+ * \param tag       The buffer for holding the tag. This must be a readable
+ *                  buffer of at least \p tag_len Bytes.
  *
  * \return          \c 0 if the encryption or decryption was performed
  *                  successfully. Note that in #MBEDTLS_GCM_DECRYPT mode,
  *                  this does not indicate that the data is authentic.
- * \return          #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths are not valid.
- * \return          #MBEDTLS_ERR_GCM_HW_ACCEL_FAILED or a cipher-specific
- *                  error code if the encryption or decryption failed.
+ * \return          #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
+ *                  not valid or a cipher-specific error code if the encryption
+ *                  or decryption failed.
  */
 int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
                        int mode,
@@ -164,28 +183,34 @@ int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
  * \brief           This function performs a GCM authenticated decryption of a
  *                  buffer.
  *
- * \note For decryption, the output buffer cannot be the same as input buffer.
- *       If the buffers overlap, the output buffer must trail at least 8 Bytes
- *       behind the input buffer.
+ * \note            For decryption, the output buffer cannot be the same as
+ *                  input buffer. If the buffers overlap, the output buffer
+ *                  must trail at least 8 Bytes behind the input buffer.
  *
- * \param ctx       The GCM context.
+ * \param ctx       The GCM context. This must be initialized.
  * \param length    The length of the ciphertext to decrypt, which is also
  *                  the length of the decrypted plaintext.
- * \param iv        The initialization vector.
+ * \param iv        The initialization vector. This must be a readable buffer
+ *                  of at least \p iv_len Bytes.
  * \param iv_len    The length of the IV.
- * \param add       The buffer holding the additional data.
+ * \param add       The buffer holding the additional data. This must be of at
+ *                  least that size in Bytes.
  * \param add_len   The length of the additional data.
- * \param tag       The buffer holding the tag to verify.
+ * \param tag       The buffer holding the tag to verify. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
  * \param tag_len   The length of the tag to verify.
- * \param input     The buffer holding the ciphertext. Its size is \b length.
- * \param output    The buffer for holding the decrypted plaintext. It must
- *                  have room for \b length bytes.
+ * \param input     The buffer holding the ciphertext. If \p length is greater
+ *                  than zero, this must be a readable buffer of at least that
+ *                  size.
+ * \param output    The buffer for holding the decrypted plaintext. If \p length
+ *                  is greater than zero, this must be a writable buffer of at
+ *                  least that size.
  *
  * \return          \c 0 if successful and authenticated.
  * \return          #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match.
- * \return          #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths are not valid.
- * \return          #MBEDTLS_ERR_GCM_HW_ACCEL_FAILED or a cipher-specific
- *                  error code if the decryption failed.
+ * \return          #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
+ *                  not valid or a cipher-specific error code if the decryption
+ *                  failed.
  */
 int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
                       size_t length,
@@ -202,15 +227,18 @@ int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
  * \brief           This function starts a GCM encryption or decryption
  *                  operation.
  *
- * \param ctx       The GCM context.
+ * \param ctx       The GCM context. This must be initialized.
  * \param mode      The operation to perform: #MBEDTLS_GCM_ENCRYPT or
  *                  #MBEDTLS_GCM_DECRYPT.
- * \param iv        The initialization vector.
+ * \param iv        The initialization vector. This must be a readable buffer of
+ *                  at least \p iv_len Bytes.
  * \param iv_len    The length of the IV.
- * \param add       The buffer holding the additional data, or NULL if \p add_len is 0.
- * \param add_len   The length of the additional data. If 0, \p  add is NULL.
+ * \param add       The buffer holding the additional data, or \c NULL
+ *                  if \p add_len is \c 0.
+ * \param add_len   The length of the additional data. If \c 0,
+ *                  \p add may be \c NULL.
  *
- * \return         \c 0 on success.
+ * \return          \c 0 on success.
  */
 int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
                 int mode,
@@ -227,16 +255,22 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
  *                  Bytes. Only the last call before calling
  *                  mbedtls_gcm_finish() can be less than 16 Bytes.
  *
- * \note For decryption, the output buffer cannot be the same as input buffer.
- *       If the buffers overlap, the output buffer must trail at least 8 Bytes
- *       behind the input buffer.
+ * \note            For decryption, the output buffer cannot be the same as
+ *                  input buffer. If the buffers overlap, the output buffer
+ *                  must trail at least 8 Bytes behind the input buffer.
  *
- * \param ctx       The GCM context.
- * \param length    The length of the input data. This must be a multiple of 16 except in the last call before mbedtls_gcm_finish().
- * \param input     The buffer holding the input data.
- * \param output    The buffer for holding the output data.
+ * \param ctx       The GCM context. This must be initialized.
+ * \param length    The length of the input data. This must be a multiple of
+ *                  16 except in the last call before mbedtls_gcm_finish().
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, this must be a readable buffer of at least that
+ *                  size in Bytes.
+ * \param output    The buffer for holding the output data. If \p length is
+ *                  greater than zero, this must be a writable buffer of at
+ *                  least that size in Bytes.
  *
- * \return         \c 0 on success, or #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
  */
 int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
                 size_t length,
@@ -250,11 +284,14 @@ int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
  *                  It wraps up the GCM stream, and generates the
  *                  tag. The tag can have a maximum length of 16 Bytes.
  *
- * \param ctx       The GCM context.
- * \param tag       The buffer for holding the tag.
- * \param tag_len   The length of the tag to generate. Must be at least four.
+ * \param ctx       The GCM context. This must be initialized.
+ * \param tag       The buffer for holding the tag. This must be a readable
+ *                  buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the tag to generate. This must be at least
+ *                  four.
  *
- * \return          \c 0 on success, or #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
  */
 int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
                 unsigned char *tag,
@@ -264,29 +301,23 @@ int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
  * \brief           This function clears a GCM context and the underlying
  *                  cipher sub-context.
  *
- * \param ctx       The GCM context to clear.
+ * \param ctx       The GCM context to clear. If this is \c NULL, the call has
+ *                  no effect. Otherwise, this must be initialized.
  */
 void mbedtls_gcm_free( mbedtls_gcm_context *ctx );
 
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* !MBEDTLS_GCM_ALT */
-#include "gcm_alt.h"
-#endif /* !MBEDTLS_GCM_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
+#if defined(MBEDTLS_SELF_TEST)
 
 /**
  * \brief          The GCM checkup routine.
  *
- * \return         \c 0 on success, or \c 1 on failure.
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
  */
 int mbedtls_gcm_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/havege.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/havege.h
index e6bf6fae8e..4c1c86087a 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/havege.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/havege.h
@@ -41,7 +41,7 @@ extern "C" {
 /**
  * \brief          HAVEGE state structure
  */
-typedef struct
+typedef struct mbedtls_havege_state
 {
     int PT1, PT2, offset[2];
     int pool[MBEDTLS_HAVEGE_COLLECT_SIZE];
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/hkdf.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/hkdf.h
new file mode 100644
index 0000000000..40ee64eb03
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/hkdf.h
@@ -0,0 +1,141 @@
+/**
+ * \file hkdf.h
+ *
+ * \brief   This file contains the HKDF interface.
+ *
+ *          The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is
+ *          specified by RFC 5869.
+ */
+/*
+ * Copyright (C) 2016-2018, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_HKDF_H
+#define MBEDTLS_HKDF_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "md.h"
+
+/**
+ *  \name HKDF Error codes
+ *  \{
+ */
+#define MBEDTLS_ERR_HKDF_BAD_INPUT_DATA  -0x5F80  /**< Bad input parameters to function. */
+/* \} name */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ *  \brief  This is the HMAC-based Extract-and-Expand Key Derivation Function
+ *          (HKDF).
+ *
+ *  \param  md        A hash function; md.size denotes the length of the hash
+ *                    function output in bytes.
+ *  \param  salt      An optional salt value (a non-secret random value);
+ *                    if the salt is not provided, a string of all zeros of
+ *                    md.size length is used as the salt.
+ *  \param  salt_len  The length in bytes of the optional \p salt.
+ *  \param  ikm       The input keying material.
+ *  \param  ikm_len   The length in bytes of \p ikm.
+ *  \param  info      An optional context and application specific information
+ *                    string. This can be a zero-length string.
+ *  \param  info_len  The length of \p info in bytes.
+ *  \param  okm       The output keying material of \p okm_len bytes.
+ *  \param  okm_len   The length of the output keying material in bytes. This
+ *                    must be less than or equal to 255 * md.size bytes.
+ *
+ *  \return 0 on success.
+ *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
+ *          MD layer.
+ */
+int mbedtls_hkdf( const mbedtls_md_info_t *md, const unsigned char *salt,
+                  size_t salt_len, const unsigned char *ikm, size_t ikm_len,
+                  const unsigned char *info, size_t info_len,
+                  unsigned char *okm, size_t okm_len );
+
+/**
+ *  \brief  Take the input keying material \p ikm and extract from it a
+ *          fixed-length pseudorandom key \p prk.
+ *
+ *  \warning    This function should only be used if the security of it has been
+ *              studied and established in that particular context (eg. TLS 1.3
+ *              key schedule). For standard HKDF security guarantees use
+ *              \c mbedtls_hkdf instead.
+ *
+ *  \param       md        A hash function; md.size denotes the length of the
+ *                         hash function output in bytes.
+ *  \param       salt      An optional salt value (a non-secret random value);
+ *                         if the salt is not provided, a string of all zeros
+ *                         of md.size length is used as the salt.
+ *  \param       salt_len  The length in bytes of the optional \p salt.
+ *  \param       ikm       The input keying material.
+ *  \param       ikm_len   The length in bytes of \p ikm.
+ *  \param[out]  prk       A pseudorandom key of at least md.size bytes.
+ *
+ *  \return 0 on success.
+ *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
+ *          MD layer.
+ */
+int mbedtls_hkdf_extract( const mbedtls_md_info_t *md,
+                          const unsigned char *salt, size_t salt_len,
+                          const unsigned char *ikm, size_t ikm_len,
+                          unsigned char *prk );
+
+/**
+ *  \brief  Expand the supplied \p prk into several additional pseudorandom
+ *          keys, which is the output of the HKDF.
+ *
+ *  \warning    This function should only be used if the security of it has been
+ *              studied and established in that particular context (eg. TLS 1.3
+ *              key schedule). For standard HKDF security guarantees use
+ *              \c mbedtls_hkdf instead.
+ *
+ *  \param  md        A hash function; md.size denotes the length of the hash
+ *                    function output in bytes.
+ *  \param  prk       A pseudorandom key of at least md.size bytes. \p prk is
+ *                    usually the output from the HKDF extract step.
+ *  \param  prk_len   The length in bytes of \p prk.
+ *  \param  info      An optional context and application specific information
+ *                    string. This can be a zero-length string.
+ *  \param  info_len  The length of \p info in bytes.
+ *  \param  okm       The output keying material of \p okm_len bytes.
+ *  \param  okm_len   The length of the output keying material in bytes. This
+ *                    must be less than or equal to 255 * md.size bytes.
+ *
+ *  \return 0 on success.
+ *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
+ *          MD layer.
+ */
+int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk,
+                         size_t prk_len, const unsigned char *info,
+                         size_t info_len, unsigned char *okm, size_t okm_len );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* hkdf.h */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/hmac_drbg.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/hmac_drbg.h
index f58b1e31d8..7eae32bbd6 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/hmac_drbg.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/hmac_drbg.h
@@ -80,7 +80,7 @@ extern "C" {
 /**
  * HMAC_DRBG context.
  */
-typedef struct
+typedef struct mbedtls_hmac_drbg_context
 {
     /* Working state: the key K is not stored explicitely,
      * but is implied by the HMAC context */
@@ -210,23 +210,6 @@ void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx,
 int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx,
                        const unsigned char *additional, size_t add_len );
 
-/**
- * \brief               HMAC_DRBG update state
- *
- * \warning             This function cannot report errors. You should use
- *                      mbedtls_hmac_drbg_update_ret() instead.
- *
- * \param ctx           HMAC_DRBG context
- * \param additional    Additional data to update state with, or NULL
- * \param add_len       Length of additional data, or 0
- *
- * \note                Additional data is optional, pass NULL and 0 as second
- *                      third argument if no additional data is being used.
- */
-void mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx,
-                               const unsigned char *additional,
-                               size_t add_len );
-
 /**
  * \brief               HMAC_DRBG reseeding (extracts data from entropy source)
  *
@@ -283,6 +266,31 @@ int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len
  */
 void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx );
 
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief               HMAC_DRBG update state
+ *
+ * \deprecated          Superseded by mbedtls_hmac_drbg_update_ret()
+ *                      in 2.16.0.
+ *
+ * \param ctx           HMAC_DRBG context
+ * \param additional    Additional data to update state with, or NULL
+ * \param add_len       Length of additional data, or 0
+ *
+ * \note                Additional data is optional, pass NULL and 0 as second
+ *                      third argument if no additional data is being used.
+ */
+MBEDTLS_DEPRECATED void mbedtls_hmac_drbg_update(
+    mbedtls_hmac_drbg_context *ctx,
+    const unsigned char *additional, size_t add_len );
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
 #if defined(MBEDTLS_FS_IO)
 /**
  * \brief               Write a seed file
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/md.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/md.h
index 06538c3827..8bcf766a6c 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/md.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/md.h
@@ -1,7 +1,7 @@
  /**
  * \file md.h
  *
- * \brief The generic message-digest wrapper.
+ * \brief This file contains the generic message-digest wrapper.
  *
  * \author Adriaan de Jong <dejong@fox-it.com>
  */
@@ -39,6 +39,8 @@
 #define MBEDTLS_ERR_MD_BAD_INPUT_DATA                     -0x5100  /**< Bad input parameters to function. */
 #define MBEDTLS_ERR_MD_ALLOC_FAILED                       -0x5180  /**< Failed to allocate memory. */
 #define MBEDTLS_ERR_MD_FILE_IO_ERROR                      -0x5200  /**< Opening or reading of file failed. */
+
+/* MBEDTLS_ERR_MD_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_MD_HW_ACCEL_FAILED                    -0x5280  /**< MD hardware accelerator failed. */
 
 #ifdef __cplusplus
@@ -46,7 +48,7 @@ extern "C" {
 #endif
 
 /**
- * \brief     Enumeration of supported message digests
+ * \brief     Supported message digests.
  *
  * \warning   MD2, MD4, MD5 and SHA-1 are considered weak message digests and
  *            their use constitutes a security risk. We recommend considering
@@ -54,16 +56,16 @@ extern "C" {
  *
  */
 typedef enum {
-    MBEDTLS_MD_NONE=0,
-    MBEDTLS_MD_MD2,
-    MBEDTLS_MD_MD4,
-    MBEDTLS_MD_MD5,
-    MBEDTLS_MD_SHA1,
-    MBEDTLS_MD_SHA224,
-    MBEDTLS_MD_SHA256,
-    MBEDTLS_MD_SHA384,
-    MBEDTLS_MD_SHA512,
-    MBEDTLS_MD_RIPEMD160,
+    MBEDTLS_MD_NONE=0,    /**< None. */
+    MBEDTLS_MD_MD2,       /**< The MD2 message digest. */
+    MBEDTLS_MD_MD4,       /**< The MD4 message digest. */
+    MBEDTLS_MD_MD5,       /**< The MD5 message digest. */
+    MBEDTLS_MD_SHA1,      /**< The SHA-1 message digest. */
+    MBEDTLS_MD_SHA224,    /**< The SHA-224 message digest. */
+    MBEDTLS_MD_SHA256,    /**< The SHA-256 message digest. */
+    MBEDTLS_MD_SHA384,    /**< The SHA-384 message digest. */
+    MBEDTLS_MD_SHA512,    /**< The SHA-512 message digest. */
+    MBEDTLS_MD_RIPEMD160, /**< The RIPEMD-160 message digest. */
 } mbedtls_md_type_t;
 
 #if defined(MBEDTLS_SHA512_C)
@@ -80,7 +82,8 @@ typedef struct mbedtls_md_info_t mbedtls_md_info_t;
 /**
  * The generic message-digest context.
  */
-typedef struct {
+typedef struct mbedtls_md_context_t
+{
     /** Information about the associated message digest. */
     const mbedtls_md_info_t *md_info;
 
@@ -108,8 +111,8 @@ const int *mbedtls_md_list( void );
  *
  * \param md_name   The name of the digest to search for.
  *
- * \return          The message-digest information associated with \p md_name,
- *                  or NULL if not found.
+ * \return          The message-digest information associated with \p md_name.
+ * \return          NULL if the associated message-digest information is not found.
  */
 const mbedtls_md_info_t *mbedtls_md_info_from_string( const char *md_name );
 
@@ -119,8 +122,8 @@ const mbedtls_md_info_t *mbedtls_md_info_from_string( const char *md_name );
  *
  * \param md_type   The type of digest to search for.
  *
- * \return          The message-digest information associated with \p md_type,
- *                  or NULL if not found.
+ * \return          The message-digest information associated with \p md_type.
+ * \return          NULL if the associated message-digest information is not found.
  */
 const mbedtls_md_info_t *mbedtls_md_info_from_type( mbedtls_md_type_t md_type );
 
@@ -168,9 +171,10 @@ void mbedtls_md_free( mbedtls_md_context_t *ctx );
  * \param md_info   The information structure of the message-digest algorithm
  *                  to use.
  *
- * \returns         \c 0 on success,
- *                  #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter failure,
- *                  #MBEDTLS_ERR_MD_ALLOC_FAILED memory allocation failure.
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ * \return          #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure.
  */
 int mbedtls_md_init_ctx( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info ) MBEDTLS_DEPRECATED;
 #undef MBEDTLS_DEPRECATED
@@ -187,12 +191,13 @@ int mbedtls_md_init_ctx( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_
  * \param ctx       The context to set up.
  * \param md_info   The information structure of the message-digest algorithm
  *                  to use.
- * \param hmac      <ul><li>0: HMAC is not used. Saves some memory.</li>
- *                  <li>non-zero: HMAC is used with this context.</li></ul>
+ * \param hmac      Defines if HMAC is used. 0: HMAC is not used (saves some memory),
+ *                  or non-zero: HMAC is used with this context.
  *
- * \returns         \c 0 on success,
- *                  #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter failure, or
- *                  #MBEDTLS_ERR_MD_ALLOC_FAILED on memory allocation failure.
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ * \return          #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure.
  */
 int mbedtls_md_setup( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac );
 
@@ -212,8 +217,8 @@ int mbedtls_md_setup( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_inf
  * \param dst       The destination context.
  * \param src       The context to be cloned.
  *
- * \return          \c 0 on success,
- *                  #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter failure.
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure.
  */
 int mbedtls_md_clone( mbedtls_md_context_t *dst,
                       const mbedtls_md_context_t *src );
@@ -260,8 +265,9 @@ const char *mbedtls_md_get_name( const mbedtls_md_info_t *md_info );
  *
  * \param ctx       The generic message-digest context.
  *
- * \returns         \c 0 on success, #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
- *                  parameter verification fails.
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
  */
 int mbedtls_md_starts( mbedtls_md_context_t *ctx );
 
@@ -277,8 +283,9 @@ int mbedtls_md_starts( mbedtls_md_context_t *ctx );
  * \param input     The buffer holding the input data.
  * \param ilen      The length of the input data.
  *
- * \returns         \c 0 on success, #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
- *                  parameter verification fails.
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
  */
 int mbedtls_md_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen );
 
@@ -296,8 +303,9 @@ int mbedtls_md_update( mbedtls_md_context_t *ctx, const unsigned char *input, si
  * \param ctx       The generic message-digest context.
  * \param output    The buffer for the generic message-digest checksum result.
  *
- * \returns         \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
- *                  parameter verification fails.
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
  */
 int mbedtls_md_finish( mbedtls_md_context_t *ctx, unsigned char *output );
 
@@ -315,8 +323,9 @@ int mbedtls_md_finish( mbedtls_md_context_t *ctx, unsigned char *output );
  * \param ilen     The length of the input data.
  * \param output   The generic message-digest checksum result.
  *
- * \returns        \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
- *                 parameter verification fails.
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                 failure.
  */
 int mbedtls_md( const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
         unsigned char *output );
@@ -334,9 +343,10 @@ int mbedtls_md( const mbedtls_md_info_t *md_info, const unsigned char *input, si
  * \param path     The input file name.
  * \param output   The generic message-digest checksum result.
  *
- * \return         \c 0 on success,
- *                 #MBEDTLS_ERR_MD_FILE_IO_ERROR if file input failed, or
- *                 #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info was NULL.
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_MD_FILE_IO_ERROR on an I/O error accessing
+ *                 the file pointed by \p path.
+ * \return         #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info was NULL.
  */
 int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path,
                      unsigned char *output );
@@ -356,8 +366,9 @@ int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path,
  * \param key       The HMAC secret key.
  * \param keylen    The length of the HMAC key in Bytes.
  *
- * \returns         \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
- *                  parameter verification fails.
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
  */
 int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key,
                     size_t keylen );
@@ -377,8 +388,9 @@ int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key,
  * \param input     The buffer holding the input data.
  * \param ilen      The length of the input data.
  *
- * \returns         \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
- *                  parameter verification fails.
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
  */
 int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx, const unsigned char *input,
                     size_t ilen );
@@ -397,8 +409,9 @@ int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx, const unsigned char *inpu
  *                  context.
  * \param output    The generic HMAC checksum result.
  *
- * \returns         \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
- *                  parameter verification fails.
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
  */
 int mbedtls_md_hmac_finish( mbedtls_md_context_t *ctx, unsigned char *output);
 
@@ -413,8 +426,9 @@ int mbedtls_md_hmac_finish( mbedtls_md_context_t *ctx, unsigned char *output);
  * \param ctx       The message digest context containing an embedded HMAC
  *                  context.
  *
- * \returns         \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
- *                  parameter verification fails.
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
  */
 int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx );
 
@@ -436,8 +450,9 @@ int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx );
  * \param ilen     The length of the input data.
  * \param output   The generic HMAC result.
  *
- * \returns        \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if
- *                 parameter verification fails.
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                 failure.
  */
 int mbedtls_md_hmac( const mbedtls_md_info_t *md_info, const unsigned char *key, size_t keylen,
                 const unsigned char *input, size_t ilen,
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/md2.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/md2.h
index 0fd8b5afcc..fe97cf08d4 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/md2.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/md2.h
@@ -37,16 +37,17 @@
 
 #include <stddef.h>
 
+/* MBEDTLS_ERR_MD2_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_MD2_HW_ACCEL_FAILED                   -0x002B  /**< MD2 hardware accelerator failed */
 
-#if !defined(MBEDTLS_MD2_ALT)
-// Regular implementation
-//
-
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_MD2_ALT)
+// Regular implementation
+//
+
 /**
  * \brief          MD2 context structure
  *
@@ -55,7 +56,7 @@ extern "C" {
  *                 stronger message digests instead.
  *
  */
-typedef struct
+typedef struct mbedtls_md2_context
 {
     unsigned char cksum[16];    /*!< checksum of the data block */
     unsigned char state[48];    /*!< intermediate digest state  */
@@ -64,6 +65,10 @@ typedef struct
 }
 mbedtls_md2_context;
 
+#else  /* MBEDTLS_MD2_ALT */
+#include "md2_alt.h"
+#endif /* MBEDTLS_MD2_ALT */
+
 /**
  * \brief          Initialize MD2 context
  *
@@ -235,18 +240,6 @@ MBEDTLS_DEPRECATED void mbedtls_md2_process( mbedtls_md2_context *ctx );
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* MBEDTLS_MD2_ALT */
-#include "md2_alt.h"
-#endif /* MBEDTLS_MD2_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 /**
  * \brief          Output = MD2( input buffer )
  *
@@ -290,6 +283,8 @@ MBEDTLS_DEPRECATED void mbedtls_md2( const unsigned char *input,
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          Checkup routine
  *
@@ -302,6 +297,8 @@ MBEDTLS_DEPRECATED void mbedtls_md2( const unsigned char *input,
  */
 int mbedtls_md2_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/md4.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/md4.h
index 23fa95e46a..ce703c0ba4 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/md4.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/md4.h
@@ -38,16 +38,17 @@
 #include <stddef.h>
 #include <stdint.h>
 
+/* MBEDTLS_ERR_MD4_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_MD4_HW_ACCEL_FAILED                   -0x002D  /**< MD4 hardware accelerator failed */
 
-#if !defined(MBEDTLS_MD4_ALT)
-// Regular implementation
-//
-
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_MD4_ALT)
+// Regular implementation
+//
+
 /**
  * \brief          MD4 context structure
  *
@@ -56,7 +57,7 @@ extern "C" {
  *                 stronger message digests instead.
  *
  */
-typedef struct
+typedef struct mbedtls_md4_context
 {
     uint32_t total[2];          /*!< number of bytes processed  */
     uint32_t state[4];          /*!< intermediate digest state  */
@@ -64,6 +65,10 @@ typedef struct
 }
 mbedtls_md4_context;
 
+#else  /* MBEDTLS_MD4_ALT */
+#include "md4_alt.h"
+#endif /* MBEDTLS_MD4_ALT */
+
 /**
  * \brief          Initialize MD4 context
  *
@@ -238,18 +243,6 @@ MBEDTLS_DEPRECATED void mbedtls_md4_process( mbedtls_md4_context *ctx,
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* MBEDTLS_MD4_ALT */
-#include "md4_alt.h"
-#endif /* MBEDTLS_MD4_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 /**
  * \brief          Output = MD4( input buffer )
  *
@@ -295,6 +288,8 @@ MBEDTLS_DEPRECATED void mbedtls_md4( const unsigned char *input,
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          Checkup routine
  *
@@ -307,6 +302,8 @@ MBEDTLS_DEPRECATED void mbedtls_md4( const unsigned char *input,
  */
 int mbedtls_md4_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/md5.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/md5.h
index 06ea4c5d44..6eed6cc864 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/md5.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/md5.h
@@ -37,16 +37,17 @@
 #include <stddef.h>
 #include <stdint.h>
 
+/* MBEDTLS_ERR_MD5_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_MD5_HW_ACCEL_FAILED                   -0x002F  /**< MD5 hardware accelerator failed */
 
-#if !defined(MBEDTLS_MD5_ALT)
-// Regular implementation
-//
-
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_MD5_ALT)
+// Regular implementation
+//
+
 /**
  * \brief          MD5 context structure
  *
@@ -55,7 +56,7 @@ extern "C" {
  *                 stronger message digests instead.
  *
  */
-typedef struct
+typedef struct mbedtls_md5_context
 {
     uint32_t total[2];          /*!< number of bytes processed  */
     uint32_t state[4];          /*!< intermediate digest state  */
@@ -63,6 +64,10 @@ typedef struct
 }
 mbedtls_md5_context;
 
+#else  /* MBEDTLS_MD5_ALT */
+#include "md5_alt.h"
+#endif /* MBEDTLS_MD5_ALT */
+
 /**
  * \brief          Initialize MD5 context
  *
@@ -238,18 +243,6 @@ MBEDTLS_DEPRECATED void mbedtls_md5_process( mbedtls_md5_context *ctx,
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* MBEDTLS_MD5_ALT */
-#include "md5_alt.h"
-#endif /* MBEDTLS_MD5_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 /**
  * \brief          Output = MD5( input buffer )
  *
@@ -295,6 +288,8 @@ MBEDTLS_DEPRECATED void mbedtls_md5( const unsigned char *input,
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          Checkup routine
  *
@@ -307,6 +302,8 @@ MBEDTLS_DEPRECATED void mbedtls_md5( const unsigned char *input,
  */
 int mbedtls_md5_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/net_sockets.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/net_sockets.h
index 52bb8de7c7..4c7ef00fe6 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/net_sockets.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/net_sockets.h
@@ -1,7 +1,23 @@
 /**
  * \file net_sockets.h
  *
- * \brief Network communication functions
+ * \brief   Network sockets abstraction layer to integrate Mbed TLS into a
+ *          BSD-style sockets API.
+ *
+ *          The network sockets module provides an example integration of the
+ *          Mbed TLS library into a BSD sockets implementation. The module is
+ *          intended to be an example of how Mbed TLS can be integrated into a
+ *          networking stack, as well as to be Mbed TLS's network integration
+ *          for its supported platforms.
+ *
+ *          The module is intended only to be used with the Mbed TLS library and
+ *          is not intended to be used by third party application software
+ *          directly.
+ *
+ *          The supported platforms are as follows:
+ *              * Microsoft Windows and Windows CE
+ *              * POSIX/Unix platforms including Linux, OS X
+ *
  */
 /*
  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
@@ -46,12 +62,17 @@
 #define MBEDTLS_ERR_NET_UNKNOWN_HOST                      -0x0052  /**< Failed to get an IP address for the given hostname. */
 #define MBEDTLS_ERR_NET_BUFFER_TOO_SMALL                  -0x0043  /**< Buffer is too small to hold the data. */
 #define MBEDTLS_ERR_NET_INVALID_CONTEXT                   -0x0045  /**< The context is invalid, eg because it was free()ed. */
+#define MBEDTLS_ERR_NET_POLL_FAILED                       -0x0047  /**< Polling the net context failed. */
+#define MBEDTLS_ERR_NET_BAD_INPUT_DATA                    -0x0049  /**< Input invalid. */
 
 #define MBEDTLS_NET_LISTEN_BACKLOG         10 /**< The backlog that listen() should use. */
 
 #define MBEDTLS_NET_PROTO_TCP 0 /**< The TCP transport protocol */
 #define MBEDTLS_NET_PROTO_UDP 1 /**< The UDP transport protocol */
 
+#define MBEDTLS_NET_POLL_READ  1 /**< Used in \c mbedtls_net_poll to check for pending data  */
+#define MBEDTLS_NET_POLL_WRITE 2 /**< Used in \c mbedtls_net_poll to check if write possible */
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -63,7 +84,7 @@ extern "C" {
  * (eg two file descriptors for combined IPv4 + IPv6 support, or additional
  * structures for hand-made UDP demultiplexing).
  */
-typedef struct
+typedef struct mbedtls_net_context
 {
     int fd;             /**< The underlying file descriptor                 */
 }
@@ -133,6 +154,29 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
                         mbedtls_net_context *client_ctx,
                         void *client_ip, size_t buf_size, size_t *ip_len );
 
+/**
+ * \brief          Check and wait for the context to be ready for read/write
+ *
+ * \param ctx      Socket to check
+ * \param rw       Bitflag composed of MBEDTLS_NET_POLL_READ and
+ *                 MBEDTLS_NET_POLL_WRITE specifying the events
+ *                 to wait for:
+ *                 - If MBEDTLS_NET_POLL_READ is set, the function
+ *                   will return as soon as the net context is available
+ *                   for reading.
+ *                 - If MBEDTLS_NET_POLL_WRITE is set, the function
+ *                   will return as soon as the net context is available
+ *                   for writing.
+ * \param timeout  Maximal amount of time to wait before returning,
+ *                 in milliseconds. If \c timeout is zero, the
+ *                 function returns immediately. If \c timeout is
+ *                 -1u, the function blocks potentially indefinitely.
+ *
+ * \return         Bitmask composed of MBEDTLS_NET_POLL_READ/WRITE
+ *                 on success or timeout, or a negative return code otherwise.
+ */
+int mbedtls_net_poll( mbedtls_net_context *ctx, uint32_t rw, uint32_t timeout );
+
 /**
  * \brief          Set the socket blocking
  *
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/nist_kw.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/nist_kw.h
new file mode 100644
index 0000000000..3b67b59cd2
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/nist_kw.h
@@ -0,0 +1,184 @@
+/**
+ * \file nist_kw.h
+ *
+ * \brief This file provides an API for key wrapping (KW) and key wrapping with
+ *        padding (KWP) as defined in NIST SP 800-38F.
+ *        https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ *
+ *        Key wrapping specifies a deterministic authenticated-encryption mode
+ *        of operation, according to <em>NIST SP 800-38F: Recommendation for
+ *        Block Cipher Modes of Operation: Methods for Key Wrapping</em>. Its
+ *        purpose is to protect cryptographic keys.
+ *
+ *        Its equivalent is RFC 3394 for KW, and RFC 5649 for KWP.
+ *        https://tools.ietf.org/html/rfc3394
+ *        https://tools.ietf.org/html/rfc5649
+ *
+ */
+/*
+ *  Copyright (C) 2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_NIST_KW_H
+#define MBEDTLS_NIST_KW_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "cipher.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum
+{
+    MBEDTLS_KW_MODE_KW = 0,
+    MBEDTLS_KW_MODE_KWP = 1
+} mbedtls_nist_kw_mode_t;
+
+#if !defined(MBEDTLS_NIST_KW_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief    The key wrapping context-type definition. The key wrapping context is passed
+ *           to the APIs called.
+ *
+ * \note     The definition of this type may change in future library versions.
+ *           Don't make any assumptions on this context!
+ */
+typedef struct {
+    mbedtls_cipher_context_t cipher_ctx;    /*!< The cipher context used. */
+} mbedtls_nist_kw_context;
+
+#else  /* MBEDTLS_NIST_key wrapping_ALT */
+#include "nist_kw_alt.h"
+#endif /* MBEDTLS_NIST_KW_ALT */
+
+/**
+ * \brief           This function initializes the specified key wrapping context
+ *                  to make references valid and prepare the context
+ *                  for mbedtls_nist_kw_setkey() or mbedtls_nist_kw_free().
+ *
+ * \param ctx       The key wrapping context to initialize.
+ *
+ */
+void mbedtls_nist_kw_init( mbedtls_nist_kw_context *ctx );
+
+/**
+ * \brief           This function initializes the key wrapping context set in the
+ *                  \p ctx parameter and sets the encryption key.
+ *
+ * \param ctx       The key wrapping context.
+ * \param cipher    The 128-bit block cipher to use. Only AES is supported.
+ * \param key       The Key Encryption Key (KEK).
+ * \param keybits   The KEK size in bits. This must be acceptable by the cipher.
+ * \param is_wrap   Specify whether the operation within the context is wrapping or unwrapping
+ *
+ * \return          \c 0 on success.
+ * \return          \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for any invalid input.
+ * \return          \c MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE for 128-bit block ciphers
+ *                  which are not supported.
+ * \return          cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_setkey( mbedtls_nist_kw_context *ctx,
+                            mbedtls_cipher_id_t cipher,
+                            const unsigned char *key,
+                            unsigned int keybits,
+                            const int is_wrap );
+
+/**
+ * \brief   This function releases and clears the specified key wrapping context
+ *          and underlying cipher sub-context.
+ *
+ * \param ctx       The key wrapping context to clear.
+ */
+void mbedtls_nist_kw_free( mbedtls_nist_kw_context *ctx );
+
+/**
+ * \brief           This function encrypts a buffer using key wrapping.
+ *
+ * \param ctx       The key wrapping context to use for encryption.
+ * \param mode      The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP)
+ * \param input     The buffer holding the input data.
+ * \param in_len    The length of the input data in Bytes.
+ *                  The input uses units of 8 Bytes called semiblocks.
+ *                  <ul><li>For KW mode: a multiple of 8 bytes between 16 and 2^57-8 inclusive. </li>
+ *                  <li>For KWP mode: any length between 1 and 2^32-1 inclusive.</li></ul>
+ * \param[out] output    The buffer holding the output data.
+ *                  <ul><li>For KW mode: Must be at least 8 bytes larger than \p in_len.</li>
+ *                  <li>For KWP mode: Must be at least 8 bytes larger rounded up to a multiple of
+ *                  8 bytes for KWP (15 bytes at most).</li></ul>
+ * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure.
+ * \param[in] out_size The capacity of the output buffer.
+ *
+ * \return          \c 0 on success.
+ * \return          \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length.
+ * \return          cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_wrap( mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode,
+                          const unsigned char *input, size_t in_len,
+                          unsigned char *output, size_t* out_len, size_t out_size );
+
+/**
+ * \brief           This function decrypts a buffer using key wrapping.
+ *
+ * \param ctx       The key wrapping context to use for decryption.
+ * \param mode      The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP)
+ * \param input     The buffer holding the input data.
+ * \param in_len    The length of the input data in Bytes.
+ *                  The input uses units of 8 Bytes called semiblocks.
+ *                  The input must be a multiple of semiblocks.
+ *                  <ul><li>For KW mode: a multiple of 8 bytes between 24 and 2^57 inclusive. </li>
+ *                  <li>For KWP mode: a multiple of 8 bytes between 16 and 2^32 inclusive.</li></ul>
+ * \param[out] output    The buffer holding the output data.
+ *                  The output buffer's minimal length is 8 bytes shorter than \p in_len.
+ * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure.
+ *                  For KWP mode, the length could be up to 15 bytes shorter than \p in_len,
+ *                  depending on how much padding was added to the data.
+ * \param[in] out_size The capacity of the output buffer.
+ *
+ * \return          \c 0 on success.
+ * \return          \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length.
+ * \return          \c MBEDTLS_ERR_CIPHER_AUTH_FAILED for verification failure of the ciphertext.
+ * \return          cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode,
+                            const unsigned char *input, size_t in_len,
+                            unsigned char *output, size_t* out_len, size_t out_size);
+
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/**
+ * \brief          The key wrapping checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_nist_kw_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_NIST_KW_H */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/oid.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/oid.h
index 408645ece7..6fbd018aaa 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/oid.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/oid.h
@@ -97,6 +97,8 @@
 /* ISO arc for standard certificate and CRL extensions */
 #define MBEDTLS_OID_ID_CE                       MBEDTLS_OID_ISO_CCITT_DS "\x1D" /**< id-ce OBJECT IDENTIFIER  ::=  {joint-iso-ccitt(2) ds(5) 29} */
 
+#define MBEDTLS_OID_NIST_ALG                    MBEDTLS_OID_GOV "\x03\x04" /** { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) */
+
 /**
  * Private Internet Extensions
  * { iso(1) identified-organization(3) dod(6) internet(1)
@@ -219,12 +221,12 @@
 #define MBEDTLS_OID_DIGEST_ALG_MD4              MBEDTLS_OID_RSA_COMPANY "\x02\x04" /**< id-mbedtls_md4 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 4 } */
 #define MBEDTLS_OID_DIGEST_ALG_MD5              MBEDTLS_OID_RSA_COMPANY "\x02\x05" /**< id-mbedtls_md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 } */
 #define MBEDTLS_OID_DIGEST_ALG_SHA1             MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_OIW_SECSIG_SHA1 /**< id-mbedtls_sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26 } */
-#define MBEDTLS_OID_DIGEST_ALG_SHA224           MBEDTLS_OID_GOV "\x03\x04\x02\x04" /**< id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } */
-#define MBEDTLS_OID_DIGEST_ALG_SHA256           MBEDTLS_OID_GOV "\x03\x04\x02\x01" /**< id-mbedtls_sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA224           MBEDTLS_OID_NIST_ALG "\x02\x04" /**< id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA256           MBEDTLS_OID_NIST_ALG "\x02\x01" /**< id-mbedtls_sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } */
 
-#define MBEDTLS_OID_DIGEST_ALG_SHA384           MBEDTLS_OID_GOV "\x03\x04\x02\x02" /**< id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA384           MBEDTLS_OID_NIST_ALG "\x02\x02" /**< id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } */
 
-#define MBEDTLS_OID_DIGEST_ALG_SHA512           MBEDTLS_OID_GOV "\x03\x04\x02\x03" /**< id-mbedtls_sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA512           MBEDTLS_OID_NIST_ALG "\x02\x03" /**< id-mbedtls_sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } */
 
 #define MBEDTLS_OID_HMAC_SHA1                   MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */
 
@@ -241,7 +243,20 @@
  */
 #define MBEDTLS_OID_DES_CBC                     MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_OIW_SECSIG_ALG "\x07" /**< desCBC OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7 } */
 #define MBEDTLS_OID_DES_EDE3_CBC                MBEDTLS_OID_RSA_COMPANY "\x03\x07" /**< des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) -- us(840) rsadsi(113549) encryptionAlgorithm(3) 7 } */
+#define MBEDTLS_OID_AES                         MBEDTLS_OID_NIST_ALG "\x01" /** aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } */
 
+/*
+ * Key Wrapping algorithms
+ */
+/*
+ * RFC 5649
+ */
+#define MBEDTLS_OID_AES128_KW                   MBEDTLS_OID_AES "\x05" /** id-aes128-wrap     OBJECT IDENTIFIER ::= { aes 5 } */
+#define MBEDTLS_OID_AES128_KWP                  MBEDTLS_OID_AES "\x08" /** id-aes128-wrap-pad OBJECT IDENTIFIER ::= { aes 8 } */
+#define MBEDTLS_OID_AES192_KW                   MBEDTLS_OID_AES "\x19" /** id-aes192-wrap     OBJECT IDENTIFIER ::= { aes 25 } */
+#define MBEDTLS_OID_AES192_KWP                  MBEDTLS_OID_AES "\x1c" /** id-aes192-wrap-pad OBJECT IDENTIFIER ::= { aes 28 } */
+#define MBEDTLS_OID_AES256_KW                   MBEDTLS_OID_AES "\x2d" /** id-aes256-wrap     OBJECT IDENTIFIER ::= { aes 45 } */
+#define MBEDTLS_OID_AES256_KWP                  MBEDTLS_OID_AES "\x30" /** id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 } */
 /*
  * PKCS#5 OIDs
  */
@@ -388,7 +403,8 @@ extern "C" {
 /**
  * \brief Base OID descriptor structure
  */
-typedef struct {
+typedef struct mbedtls_oid_descriptor_t
+{
     const char *asn1;               /*!< OID ASN.1 representation       */
     size_t asn1_len;                /*!< length of asn1                 */
     const char *name;               /*!< official name (e.g. from RFC)  */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/padlock.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/padlock.h
index 918e6195ad..721a5d4930 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/padlock.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/padlock.h
@@ -3,6 +3,9 @@
  *
  * \brief VIA PadLock ACE for HW encryption/decryption supported by some
  *        processors
+ *
+ * \warning These functions are only for internal use by other library
+ *          functions; you must not call them directly.
  */
 /*
  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
@@ -56,14 +59,17 @@
 #define MBEDTLS_PADLOCK_PHE 0x0C00
 #define MBEDTLS_PADLOCK_PMM 0x3000
 
-#define MBEDTLS_PADLOCK_ALIGN16(x) (uint32_t *) (16 + ((int32_t) x & ~15))
+#define MBEDTLS_PADLOCK_ALIGN16(x) (uint32_t *) (16 + ((int32_t) (x) & ~15))
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 /**
- * \brief          PadLock detection routine
+ * \brief          Internal PadLock detection routine
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
  *
  * \param feature  The feature to detect
  *
@@ -72,7 +78,10 @@ extern "C" {
 int mbedtls_padlock_has_support( int feature );
 
 /**
- * \brief          PadLock AES-ECB block en(de)cryption
+ * \brief          Internal PadLock AES-ECB block en(de)cryption
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
  *
  * \param ctx      AES context
  * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
@@ -82,12 +91,15 @@ int mbedtls_padlock_has_support( int feature );
  * \return         0 if success, 1 if operation failed
  */
 int mbedtls_padlock_xcryptecb( mbedtls_aes_context *ctx,
-                       int mode,
-                       const unsigned char input[16],
-                       unsigned char output[16] );
+                               int mode,
+                               const unsigned char input[16],
+                               unsigned char output[16] );
 
 /**
- * \brief          PadLock AES-CBC buffer en(de)cryption
+ * \brief          Internal PadLock AES-CBC buffer en(de)cryption
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
  *
  * \param ctx      AES context
  * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
@@ -99,11 +111,11 @@ int mbedtls_padlock_xcryptecb( mbedtls_aes_context *ctx,
  * \return         0 if success, 1 if operation failed
  */
 int mbedtls_padlock_xcryptcbc( mbedtls_aes_context *ctx,
-                       int mode,
-                       size_t length,
-                       unsigned char iv[16],
-                       const unsigned char *input,
-                       unsigned char *output );
+                               int mode,
+                               size_t length,
+                               unsigned char iv[16],
+                               const unsigned char *input,
+                               unsigned char *output );
 
 #ifdef __cplusplus
 }
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/pem.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/pem.h
index 81918503e9..a29e9ce300 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/pem.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/pem.h
@@ -57,7 +57,7 @@ extern "C" {
 /**
  * \brief       PEM context structure
  */
-typedef struct
+typedef struct mbedtls_pem_context
 {
     unsigned char *buf;     /*!< buffer for decoded data             */
     size_t buflen;          /*!< length of the buffer                */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/pk.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/pk.h
index ee06b2fd20..91950f9407 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/pk.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/pk.h
@@ -64,6 +64,8 @@
 #define MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE -0x3A00  /**< Elliptic curve is unsupported (only NIST curves are supported). */
 #define MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE -0x3980  /**< Unavailable feature, e.g. RSA disabled for RSA key. */
 #define MBEDTLS_ERR_PK_SIG_LEN_MISMATCH    -0x3900  /**< The buffer contains a valid signature followed by more data. */
+
+/* MBEDTLS_ERR_PK_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_PK_HW_ACCEL_FAILED     -0x3880  /**< PK hardware accelerator failed. */
 
 #ifdef __cplusplus
@@ -87,7 +89,7 @@ typedef enum {
  * \brief           Options for RSASSA-PSS signature verification.
  *                  See \c mbedtls_rsa_rsassa_pss_verify_ext()
  */
-typedef struct
+typedef struct mbedtls_pk_rsassa_pss_options
 {
     mbedtls_md_type_t mgf1_hash_id;
     int expected_salt_len;
@@ -107,7 +109,7 @@ typedef enum
 /**
  * \brief           Item to send to the debug module
  */
-typedef struct
+typedef struct mbedtls_pk_debug_item
 {
     mbedtls_pk_debug_type type;
     const char *name;
@@ -125,12 +127,26 @@ typedef struct mbedtls_pk_info_t mbedtls_pk_info_t;
 /**
  * \brief           Public key container
  */
-typedef struct
+typedef struct mbedtls_pk_context
 {
-    const mbedtls_pk_info_t *   pk_info; /**< Public key informations        */
+    const mbedtls_pk_info_t *   pk_info; /**< Public key information         */
     void *                      pk_ctx;  /**< Underlying public key context  */
 } mbedtls_pk_context;
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Context for resuming operations
+ */
+typedef struct
+{
+    const mbedtls_pk_info_t *   pk_info; /**< Public key information         */
+    void *                      rs_ctx;  /**< Underlying restart context     */
+} mbedtls_pk_restart_ctx;
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_pk_restart_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
 #if defined(MBEDTLS_RSA_C)
 /**
  * Quick access to an RSA context inside a PK context.
@@ -181,20 +197,45 @@ typedef size_t (*mbedtls_pk_rsa_alt_key_len_func)( void *ctx );
 const mbedtls_pk_info_t *mbedtls_pk_info_from_type( mbedtls_pk_type_t pk_type );
 
 /**
- * \brief           Initialize a mbedtls_pk_context (as NONE)
+ * \brief           Initialize a #mbedtls_pk_context (as NONE).
+ *
+ * \param ctx       The context to initialize.
+ *                  This must not be \c NULL.
  */
 void mbedtls_pk_init( mbedtls_pk_context *ctx );
 
 /**
- * \brief           Free a mbedtls_pk_context
+ * \brief           Free the components of a #mbedtls_pk_context.
+ *
+ * \param ctx       The context to clear. It must have been initialized.
+ *                  If this is \c NULL, this function does nothing.
  */
 void mbedtls_pk_free( mbedtls_pk_context *ctx );
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Initialize a restart context
+ *
+ * \param ctx       The context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_pk_restart_init( mbedtls_pk_restart_ctx *ctx );
+
+/**
+ * \brief           Free the components of a restart context
+ *
+ * \param ctx       The context to clear. It must have been initialized.
+ *                  If this is \c NULL, this function does nothing.
+ */
+void mbedtls_pk_restart_free( mbedtls_pk_restart_ctx *ctx );
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
 /**
  * \brief           Initialize a PK context with the information given
  *                  and allocates the type-specific PK subcontext.
  *
- * \param ctx       Context to initialize. Must be empty (type NONE).
+ * \param ctx       Context to initialize. It must not have been set
+ *                  up yet (type #MBEDTLS_PK_NONE).
  * \param info      Information to use
  *
  * \return          0 on success,
@@ -210,7 +251,8 @@ int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info );
 /**
  * \brief           Initialize an RSA-alt context
  *
- * \param ctx       Context to initialize. Must be empty (type NONE).
+ * \param ctx       Context to initialize. It must not have been set
+ *                  up yet (type #MBEDTLS_PK_NONE).
  * \param key       RSA key pointer
  * \param decrypt_func  Decryption function
  * \param sign_func     Signing function
@@ -230,7 +272,7 @@ int mbedtls_pk_setup_rsa_alt( mbedtls_pk_context *ctx, void * key,
 /**
  * \brief           Get the size in bits of the underlying key
  *
- * \param ctx       Context to use
+ * \param ctx       The context to query. It must have been initialized.
  *
  * \return          Key size in bits, or 0 on error
  */
@@ -238,7 +280,8 @@ size_t mbedtls_pk_get_bitlen( const mbedtls_pk_context *ctx );
 
 /**
  * \brief           Get the length in bytes of the underlying key
- * \param ctx       Context to use
+ *
+ * \param ctx       The context to query. It must have been initialized.
  *
  * \return          Key length in bytes, or 0 on error
  */
@@ -250,18 +293,21 @@ static inline size_t mbedtls_pk_get_len( const mbedtls_pk_context *ctx )
 /**
  * \brief           Tell if a context can do the operation given by type
  *
- * \param ctx       Context to test
- * \param type      Target type
+ * \param ctx       The context to query. It must have been initialized.
+ * \param type      The desired type.
  *
- * \return          0 if context can't do the operations,
- *                  1 otherwise.
+ * \return          1 if the context can do operations on the given type.
+ * \return          0 if the context cannot do the operations on the given
+ *                  type. This is always the case for a context that has
+ *                  been initialized but not set up, or that has been
+ *                  cleared with mbedtls_pk_free().
  */
 int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type );
 
 /**
  * \brief           Verify signature (including padding if relevant).
  *
- * \param ctx       PK context to use
+ * \param ctx       The PK context to use. It must have been set up.
  * \param md_alg    Hash algorithm used (see notes)
  * \param hash      Hash of the message to sign
  * \param hash_len  Hash length or 0 (see notes)
@@ -286,13 +332,39 @@ int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
                const unsigned char *hash, size_t hash_len,
                const unsigned char *sig, size_t sig_len );
 
+/**
+ * \brief           Restartable version of \c mbedtls_pk_verify()
+ *
+ * \note            Performs the same job as \c mbedtls_pk_verify(), but can
+ *                  return early and restart according to the limit set with
+ *                  \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
+ *                  operations. For RSA, same as \c mbedtls_pk_verify().
+ *
+ * \param ctx       The PK context to use. It must have been set up.
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes)
+ * \param sig       Signature to verify
+ * \param sig_len   Signature length
+ * \param rs_ctx    Restart context (NULL to disable restart)
+ *
+ * \return          See \c mbedtls_pk_verify(), or
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_pk_verify_restartable( mbedtls_pk_context *ctx,
+               mbedtls_md_type_t md_alg,
+               const unsigned char *hash, size_t hash_len,
+               const unsigned char *sig, size_t sig_len,
+               mbedtls_pk_restart_ctx *rs_ctx );
+
 /**
  * \brief           Verify signature, with options.
  *                  (Includes verification of the padding depending on type.)
  *
  * \param type      Signature type (inc. possible padding type) to verify
  * \param options   Pointer to type-specific options, or NULL
- * \param ctx       PK context to use
+ * \param ctx       The PK context to use. It must have been set up.
  * \param md_alg    Hash algorithm used (see notes)
  * \param hash      Hash of the message to sign
  * \param hash_len  Hash length or 0 (see notes)
@@ -323,7 +395,8 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
 /**
  * \brief           Make signature, including padding if relevant.
  *
- * \param ctx       PK context to use - must hold a private key
+ * \param ctx       The PK context to use. It must have been set up
+ *                  with a private key.
  * \param md_alg    Hash algorithm used (see notes)
  * \param hash      Hash of the message to sign
  * \param hash_len  Hash length or 0 (see notes)
@@ -349,10 +422,41 @@ int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
              unsigned char *sig, size_t *sig_len,
              int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
 
+/**
+ * \brief           Restartable version of \c mbedtls_pk_sign()
+ *
+ * \note            Performs the same job as \c mbedtls_pk_sign(), but can
+ *                  return early and restart according to the limit set with
+ *                  \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
+ *                  operations. For RSA, same as \c mbedtls_pk_sign().
+ *
+ * \param ctx       The PK context to use. It must have been set up
+ *                  with a private key.
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes)
+ * \param sig       Place to write the signature
+ * \param sig_len   Number of bytes written
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ * \param rs_ctx    Restart context (NULL to disable restart)
+ *
+ * \return          See \c mbedtls_pk_sign(), or
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_pk_sign_restartable( mbedtls_pk_context *ctx,
+             mbedtls_md_type_t md_alg,
+             const unsigned char *hash, size_t hash_len,
+             unsigned char *sig, size_t *sig_len,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+             mbedtls_pk_restart_ctx *rs_ctx );
+
 /**
  * \brief           Decrypt message (including padding if relevant).
  *
- * \param ctx       PK context to use - must hold a private key
+ * \param ctx       The PK context to use. It must have been set up
+ *                  with a private key.
  * \param input     Input to decrypt
  * \param ilen      Input size
  * \param output    Decrypted output
@@ -373,7 +477,7 @@ int mbedtls_pk_decrypt( mbedtls_pk_context *ctx,
 /**
  * \brief           Encrypt message (including padding if relevant).
  *
- * \param ctx       PK context to use
+ * \param ctx       The PK context to use. It must have been set up.
  * \param input     Message to encrypt
  * \param ilen      Message size
  * \param output    Encrypted output
@@ -404,7 +508,7 @@ int mbedtls_pk_check_pair( const mbedtls_pk_context *pub, const mbedtls_pk_conte
 /**
  * \brief           Export debug information
  *
- * \param ctx       Context to use
+ * \param ctx       The PK context to use. It must have been initialized.
  * \param items     Place to write debug items
  *
  * \return          0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA
@@ -414,7 +518,7 @@ int mbedtls_pk_debug( const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *item
 /**
  * \brief           Access the type name
  *
- * \param ctx       Context to use
+ * \param ctx       The PK context to use. It must have been initialized.
  *
  * \return          Type name on success, or "invalid PK"
  */
@@ -423,9 +527,10 @@ const char * mbedtls_pk_get_name( const mbedtls_pk_context *ctx );
 /**
  * \brief           Get the key type
  *
- * \param ctx       Context to use
+ * \param ctx       The PK context to use. It must have been initialized.
  *
- * \return          Type on success, or MBEDTLS_PK_NONE
+ * \return          Type on success.
+ * \return          #MBEDTLS_PK_NONE for a context that has not been set up.
  */
 mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx );
 
@@ -434,12 +539,22 @@ mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx );
 /**
  * \brief           Parse a private key in PEM or DER format
  *
- * \param ctx       key to be initialized
- * \param key       input buffer
- * \param keylen    size of the buffer
- *                  (including the terminating null byte for PEM data)
- * \param pwd       password for decryption (optional)
- * \param pwdlen    size of the password
+ * \param ctx       The PK context to fill. It must have been initialized
+ *                  but not set up.
+ * \param key       Input buffer to parse.
+ *                  The buffer must contain the input exactly, with no
+ *                  extra trailing material. For PEM, the buffer must
+ *                  contain a null-terminated string.
+ * \param keylen    Size of \b key in bytes.
+ *                  For PEM data, this includes the terminating null byte,
+ *                  so \p keylen must be equal to `strlen(key) + 1`.
+ * \param pwd       Optional password for decryption.
+ *                  Pass \c NULL if expecting a non-encrypted key.
+ *                  Pass a string of \p pwdlen bytes if expecting an encrypted
+ *                  key; a non-encrypted key will also be accepted.
+ *                  The empty password is not supported.
+ * \param pwdlen    Size of the password in bytes.
+ *                  Ignored if \p pwd is \c NULL.
  *
  * \note            On entry, ctx must be empty, either freshly initialised
  *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
@@ -457,10 +572,15 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *ctx,
 /**
  * \brief           Parse a public key in PEM or DER format
  *
- * \param ctx       key to be initialized
- * \param key       input buffer
- * \param keylen    size of the buffer
- *                  (including the terminating null byte for PEM data)
+ * \param ctx       The PK context to fill. It must have been initialized
+ *                  but not set up.
+ * \param key       Input buffer to parse.
+ *                  The buffer must contain the input exactly, with no
+ *                  extra trailing material. For PEM, the buffer must
+ *                  contain a null-terminated string.
+ * \param keylen    Size of \b key in bytes.
+ *                  For PEM data, this includes the terminating null byte,
+ *                  so \p keylen must be equal to `strlen(key) + 1`.
  *
  * \note            On entry, ctx must be empty, either freshly initialised
  *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
@@ -478,9 +598,14 @@ int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
 /**
  * \brief           Load and parse a private key
  *
- * \param ctx       key to be initialized
+ * \param ctx       The PK context to fill. It must have been initialized
+ *                  but not set up.
  * \param path      filename to read the private key from
- * \param password  password to decrypt the file (can be NULL)
+ * \param password  Optional password to decrypt the file.
+ *                  Pass \c NULL if expecting a non-encrypted key.
+ *                  Pass a null-terminated string if expecting an encrypted
+ *                  key; a non-encrypted key will also be accepted.
+ *                  The empty password is not supported.
  *
  * \note            On entry, ctx must be empty, either freshly initialised
  *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
@@ -497,7 +622,8 @@ int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
 /**
  * \brief           Load and parse a public key
  *
- * \param ctx       key to be initialized
+ * \param ctx       The PK context to fill. It must have been initialized
+ *                  but not set up.
  * \param path      filename to read the public key from
  *
  * \note            On entry, ctx must be empty, either freshly initialised
@@ -520,7 +646,7 @@ int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path )
  *                        return value to determine where you should start
  *                        using the buffer
  *
- * \param ctx       private to write away
+ * \param ctx       PK context which must contain a valid private key.
  * \param buf       buffer to write to
  * \param size      size of the buffer
  *
@@ -535,7 +661,7 @@ int mbedtls_pk_write_key_der( mbedtls_pk_context *ctx, unsigned char *buf, size_
  *                        return value to determine where you should start
  *                        using the buffer
  *
- * \param ctx       public key to write away
+ * \param ctx       PK context which must contain a valid public or private key.
  * \param buf       buffer to write to
  * \param size      size of the buffer
  *
@@ -548,9 +674,10 @@ int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *ctx, unsigned char *buf, si
 /**
  * \brief           Write a public key to a PEM string
  *
- * \param ctx       public key to write away
- * \param buf       buffer to write to
- * \param size      size of the buffer
+ * \param ctx       PK context which must contain a valid public or private key.
+ * \param buf       Buffer to write to. The output includes a
+ *                  terminating null byte.
+ * \param size      Size of the buffer in bytes.
  *
  * \return          0 if successful, or a specific error code
  */
@@ -559,9 +686,10 @@ int mbedtls_pk_write_pubkey_pem( mbedtls_pk_context *ctx, unsigned char *buf, si
 /**
  * \brief           Write a private key to a PKCS#1 or SEC1 PEM string
  *
- * \param ctx       private to write away
- * \param buf       buffer to write to
- * \param size      size of the buffer
+ * \param ctx       PK context which must contain a valid private key.
+ * \param buf       Buffer to write to. The output includes a
+ *                  terminating null byte.
+ * \param size      Size of the buffer in bytes.
  *
  * \return          0 if successful, or a specific error code
  */
@@ -580,7 +708,8 @@ int mbedtls_pk_write_key_pem( mbedtls_pk_context *ctx, unsigned char *buf, size_
  *
  * \param p         the position in the ASN.1 data
  * \param end       end of the buffer
- * \param pk        the key to fill
+ * \param pk        The PK context to fill. It must have been initialized
+ *                  but not set up.
  *
  * \return          0 if successful, or a specific PK error code
  */
@@ -595,7 +724,7 @@ int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
  *
  * \param p         reference to current position pointer
  * \param start     start of the buffer (for bounds-checking)
- * \param key       public key to write away
+ * \param key       PK context which must contain a valid public or private key.
  *
  * \return          the length written or a negative error code
  */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/pk_internal.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/pk_internal.h
index 3dae0fc5b2..48b7a5f7bf 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/pk_internal.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/pk_internal.h
@@ -59,6 +59,21 @@ struct mbedtls_pk_info_t
                       int (*f_rng)(void *, unsigned char *, size_t),
                       void *p_rng );
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /** Verify signature (restartable) */
+    int (*verify_rs_func)( void *ctx, mbedtls_md_type_t md_alg,
+                           const unsigned char *hash, size_t hash_len,
+                           const unsigned char *sig, size_t sig_len,
+                           void *rs_ctx );
+
+    /** Make signature (restartable) */
+    int (*sign_rs_func)( void *ctx, mbedtls_md_type_t md_alg,
+                         const unsigned char *hash, size_t hash_len,
+                         unsigned char *sig, size_t *sig_len,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng, void *rs_ctx );
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
     /** Decrypt message */
     int (*decrypt_func)( void *ctx, const unsigned char *input, size_t ilen,
                          unsigned char *output, size_t *olen, size_t osize,
@@ -80,6 +95,14 @@ struct mbedtls_pk_info_t
     /** Free the given context */
     void (*ctx_free_func)( void *ctx );
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /** Allocate the restart context */
+    void * (*rs_alloc_func)( void );
+
+    /** Free the restart context */
+    void (*rs_free_func)( void *rs_ctx );
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
     /** Interface with the debug module */
     void (*debug_func)( const void *ctx, mbedtls_pk_debug_item *items );
 
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/pkcs11.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/pkcs11.h
index bf65c55a79..02427ddc1e 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/pkcs11.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/pkcs11.h
@@ -50,7 +50,8 @@ extern "C" {
 /**
  * Context for PKCS #11 private keys.
  */
-typedef struct {
+typedef struct mbedtls_pkcs11_context
+{
         pkcs11h_certificate_t pkcs11h_cert;
         int len;
 } mbedtls_pkcs11_context;
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/pkcs5.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/pkcs5.h
index f201250046..c92185f7a6 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/pkcs5.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/pkcs5.h
@@ -91,6 +91,8 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *p
                        unsigned int iteration_count,
                        uint32_t key_length, unsigned char *output );
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          Checkup routine
  *
@@ -98,6 +100,8 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *p
  */
 int mbedtls_pkcs5_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/platform.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/platform.h
index 7c2835b305..89fe8a7b19 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/platform.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/platform.h
@@ -1,7 +1,16 @@
 /**
  * \file platform.h
  *
- * \brief The Mbed TLS platform abstraction layer.
+ * \brief This file contains the definitions and functions of the
+ *        Mbed TLS platform abstraction layer.
+ *
+ *        The platform abstraction layer removes the need for the library
+ *        to directly link to standard C library functions or operating
+ *        system services, making the library easier to port and embed.
+ *        Application developers and users of the library can provide their own
+ *        implementations of these functions, or implementations specific to
+ *        their platform, which can be statically linked to the library or
+ *        dynamically configured at runtime.
  */
 /*
  *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
@@ -34,6 +43,9 @@
 #include "platform_time.h"
 #endif
 
+#define MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED     -0x0070 /**< Hardware accelerator failed */
+#define MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED -0x0072 /**< The requested feature is not supported by the platform */
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -102,7 +114,7 @@ extern "C" {
 /* \} name SECTION: Module settings */
 
 /*
- * The function pointers for calloc and free
+ * The function pointers for calloc and free.
  */
 #if defined(MBEDTLS_PLATFORM_MEMORY)
 #if defined(MBEDTLS_PLATFORM_FREE_MACRO) && \
@@ -112,11 +124,12 @@ extern "C" {
 #else
 /* For size_t */
 #include <stddef.h>
-extern void * (*mbedtls_calloc)( size_t n, size_t size );
-extern void (*mbedtls_free)( void *ptr );
+extern void *mbedtls_calloc( size_t n, size_t size );
+extern void mbedtls_free( void *ptr );
 
 /**
- * \brief   This function allows configuring custom memory-management functions.
+ * \brief               This function dynamically sets the memory-management
+ *                      functions used by the library, during runtime.
  *
  * \param calloc_func   The \c calloc function implementation.
  * \param free_func     The \c free function implementation.
@@ -140,7 +153,9 @@ int mbedtls_platform_set_calloc_free( void * (*calloc_func)( size_t, size_t ),
 extern int (*mbedtls_fprintf)( FILE *stream, const char *format, ... );
 
 /**
- * \brief   This function allows configuring a custom \p fprintf function pointer.
+ * \brief                This function dynamically configures the fprintf
+ *                       function that is called when the
+ *                       mbedtls_fprintf() function is invoked by the library.
  *
  * \param fprintf_func   The \c fprintf function implementation.
  *
@@ -163,8 +178,9 @@ int mbedtls_platform_set_fprintf( int (*fprintf_func)( FILE *stream, const char
 extern int (*mbedtls_printf)( const char *format, ... );
 
 /**
- * \brief    This function allows configuring a custom \c printf function
- *           pointer.
+ * \brief               This function dynamically configures the snprintf
+ *                      function that is called when the mbedtls_snprintf()
+ *                      function is invoked by the library.
  *
  * \param printf_func   The \c printf function implementation.
  *
@@ -197,12 +213,12 @@ int mbedtls_platform_win32_snprintf( char *s, size_t n, const char *fmt, ... );
 extern int (*mbedtls_snprintf)( char * s, size_t n, const char * format, ... );
 
 /**
- * \brief   This function allows configuring a custom \c snprintf function
- *          pointer.
+ * \brief                 This function allows configuring a custom
+ *                        \c snprintf function pointer.
  *
  * \param snprintf_func   The \c snprintf function implementation.
  *
- * \return    \c 0 on success.
+ * \return                \c 0 on success.
  */
 int mbedtls_platform_set_snprintf( int (*snprintf_func)( char * s, size_t n,
                                                  const char * format, ... ) );
@@ -221,12 +237,13 @@ int mbedtls_platform_set_snprintf( int (*snprintf_func)( char * s, size_t n,
 extern void (*mbedtls_exit)( int status );
 
 /**
- * \brief   This function allows configuring a custom \c exit function
- *          pointer.
+ * \brief             This function dynamically configures the exit
+ *                    function that is called when the mbedtls_exit()
+ *                    function is invoked by the library.
  *
  * \param exit_func   The \c exit function implementation.
  *
- * \return  \c 0 on success.
+ * \return            \c 0 on success.
  */
 int mbedtls_platform_set_exit( void (*exit_func)( int status ) );
 #else
@@ -301,8 +318,9 @@ int mbedtls_platform_set_nv_seed(
  * \note    This structure may be used to assist platform-specific
  *          setup or teardown operations.
  */
-typedef struct {
-    char dummy; /**< Placeholder member, as empty structs are not portable. */
+typedef struct mbedtls_platform_context
+{
+    char dummy; /**< A placeholder member, as empty structs are not portable. */
 }
 mbedtls_platform_context;
 
@@ -311,33 +329,34 @@ mbedtls_platform_context;
 #endif /* !MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
 
 /**
- * \brief   This function performs any platform initialization operations.
+ * \brief   This function performs any platform-specific initialization
+ *          operations.
  *
- * \param   ctx     The Mbed TLS context.
+ * \note    This function should be called before any other library functions.
  *
- * \return  \c 0 on success.
- *
- * \note    This function is intended to allow platform-specific initialization,
- *          and should be called before any other library functions. Its
- *          implementation is platform-specific, and unless
+ *          Its implementation is platform-specific, and unless
  *          platform-specific code is provided, it does nothing.
  *
- *          Its use and whether it is necessary to call it is dependent on the
- *          platform.
+ * \note    The usage and necessity of this function is dependent on the platform.
+ *
+ * \param   ctx     The platform context.
+ *
+ * \return  \c 0 on success.
  */
 int mbedtls_platform_setup( mbedtls_platform_context *ctx );
 /**
  * \brief   This function performs any platform teardown operations.
  *
- * \param   ctx     The Mbed TLS context.
- *
  * \note    This function should be called after every other Mbed TLS module
  *          has been correctly freed using the appropriate free function.
+ *
  *          Its implementation is platform-specific, and unless
  *          platform-specific code is provided, it does nothing.
  *
- *          Its use and whether it is necessary to call it is dependent on the
- *          platform.
+ * \note    The usage and necessity of this function is dependent on the platform.
+ *
+ * \param   ctx     The platform context.
+ *
  */
 void mbedtls_platform_teardown( mbedtls_platform_context *ctx );
 
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/platform_util.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/platform_util.h
new file mode 100644
index 0000000000..dba6d45982
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/platform_util.h
@@ -0,0 +1,185 @@
+/**
+ * \file platform_util.h
+ *
+ * \brief Common and shared functions used by multiple modules in the Mbed TLS
+ *        library.
+ */
+/*
+ *  Copyright (C) 2018, Arm Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PLATFORM_UTIL_H
+#define MBEDTLS_PLATFORM_UTIL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+#include "platform_time.h"
+#include <time.h>
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+
+#if defined(MBEDTLS_PARAM_FAILED)
+/** An alternative definition of MBEDTLS_PARAM_FAILED has been set in config.h.
+ *
+ * This flag can be used to check whether it is safe to assume that
+ * MBEDTLS_PARAM_FAILED() will expand to a call to mbedtls_param_failed().
+ */
+#define MBEDTLS_PARAM_FAILED_ALT
+#else /* MBEDTLS_PARAM_FAILED */
+#define MBEDTLS_PARAM_FAILED( cond ) \
+    mbedtls_param_failed( #cond, __FILE__, __LINE__ )
+
+/**
+ * \brief       User supplied callback function for parameter validation failure.
+ *              See #MBEDTLS_CHECK_PARAMS for context.
+ *
+ *              This function will be called unless an alternative treatement
+ *              is defined through the #MBEDTLS_PARAM_FAILED macro.
+ *
+ *              This function can return, and the operation will be aborted, or
+ *              alternatively, through use of setjmp()/longjmp() can resume
+ *              execution in the application code.
+ *
+ * \param failure_condition The assertion that didn't hold.
+ * \param file  The file where the assertion failed.
+ * \param line  The line in the file where the assertion failed.
+ */
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line );
+#endif /* MBEDTLS_PARAM_FAILED */
+
+/* Internal macro meant to be called only from within the library. */
+#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret )  \
+    do {                                            \
+        if( !(cond) )                               \
+        {                                           \
+            MBEDTLS_PARAM_FAILED( cond );           \
+            return( ret );                          \
+        }                                           \
+    } while( 0 )
+
+/* Internal macro meant to be called only from within the library. */
+#define MBEDTLS_INTERNAL_VALIDATE( cond )           \
+    do {                                            \
+        if( !(cond) )                               \
+        {                                           \
+            MBEDTLS_PARAM_FAILED( cond );           \
+            return;                                 \
+        }                                           \
+    } while( 0 )
+
+#else /* MBEDTLS_CHECK_PARAMS */
+
+/* Internal macros meant to be called only from within the library. */
+#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret )  do { } while( 0 )
+#define MBEDTLS_INTERNAL_VALIDATE( cond )           do { } while( 0 )
+
+#endif /* MBEDTLS_CHECK_PARAMS */
+
+/* Internal helper macros for deprecating API constants. */
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+/* Deliberately don't (yet) export MBEDTLS_DEPRECATED here
+ * to avoid conflict with other headers which define and use
+ * it, too. We might want to move all these definitions here at
+ * some point for uniformity. */
+#define MBEDTLS_DEPRECATED __attribute__((deprecated))
+MBEDTLS_DEPRECATED typedef char const * mbedtls_deprecated_string_constant_t;
+#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL )       \
+    ( (mbedtls_deprecated_string_constant_t) ( VAL ) )
+MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t;
+#define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( VAL )       \
+    ( (mbedtls_deprecated_numeric_constant_t) ( VAL ) )
+#undef MBEDTLS_DEPRECATED
+#else /* MBEDTLS_DEPRECATED_WARNING */
+#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) VAL
+#define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( VAL ) VAL
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief       Securely zeroize a buffer
+ *
+ *              The function is meant to wipe the data contained in a buffer so
+ *              that it can no longer be recovered even if the program memory
+ *              is later compromised. Call this function on sensitive data
+ *              stored on the stack before returning from a function, and on
+ *              sensitive data stored on the heap before freeing the heap
+ *              object.
+ *
+ *              It is extremely difficult to guarantee that calls to
+ *              mbedtls_platform_zeroize() are not removed by aggressive
+ *              compiler optimizations in a portable way. For this reason, Mbed
+ *              TLS provides the configuration option
+ *              MBEDTLS_PLATFORM_ZEROIZE_ALT, which allows users to configure
+ *              mbedtls_platform_zeroize() to use a suitable implementation for
+ *              their platform and needs
+ *
+ * \param buf   Buffer to be zeroized
+ * \param len   Length of the buffer in bytes
+ *
+ */
+void mbedtls_platform_zeroize( void *buf, size_t len );
+
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+/**
+ * \brief      Platform-specific implementation of gmtime_r()
+ *
+ *             The function is a thread-safe abstraction that behaves
+ *             similarly to the gmtime_r() function from Unix/POSIX.
+ *
+ *             Mbed TLS will try to identify the underlying platform and
+ *             make use of an appropriate underlying implementation (e.g.
+ *             gmtime_r() for POSIX and gmtime_s() for Windows). If this is
+ *             not possible, then gmtime() will be used. In this case, calls
+ *             from the library to gmtime() will be guarded by the mutex
+ *             mbedtls_threading_gmtime_mutex if MBEDTLS_THREADING_C is
+ *             enabled. It is recommended that calls from outside the library
+ *             are also guarded by this mutex.
+ *
+ *             If MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, then Mbed TLS will
+ *             unconditionally use the alternative implementation for
+ *             mbedtls_platform_gmtime_r() supplied by the user at compile time.
+ *
+ * \param tt     Pointer to an object containing time (in seconds) since the
+ *               epoch to be converted
+ * \param tm_buf Pointer to an object where the results will be stored
+ *
+ * \return      Pointer to an object of type struct tm on success, otherwise
+ *              NULL
+ */
+struct tm *mbedtls_platform_gmtime_r( const mbedtls_time_t *tt,
+                                      struct tm *tm_buf );
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_PLATFORM_UTIL_H */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/poly1305.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/poly1305.h
new file mode 100644
index 0000000000..f0ec44c968
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/poly1305.h
@@ -0,0 +1,192 @@
+/**
+ * \file poly1305.h
+ *
+ * \brief   This file contains Poly1305 definitions and functions.
+ *
+ *          Poly1305 is a one-time message authenticator that can be used to
+ *          authenticate messages. Poly1305-AES was created by Daniel
+ *          Bernstein https://cr.yp.to/mac/poly1305-20050329.pdf The generic
+ *          Poly1305 algorithm (not tied to AES) was also standardized in RFC
+ *          7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/*  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_POLY1305_H
+#define MBEDTLS_POLY1305_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdint.h>
+#include <stddef.h>
+
+#define MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA         -0x0057 /**< Invalid input parameter(s). */
+
+/* MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE is deprecated and should not be
+ * used. */
+#define MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE    -0x0059 /**< Feature not available. For example, s part of the API is not implemented. */
+
+/* MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED        -0x005B  /**< Poly1305 hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_POLY1305_ALT)
+
+typedef struct mbedtls_poly1305_context
+{
+    uint32_t r[4];      /** The value for 'r' (low 128 bits of the key). */
+    uint32_t s[4];      /** The value for 's' (high 128 bits of the key). */
+    uint32_t acc[5];    /** The accumulator number. */
+    uint8_t queue[16];  /** The current partial block of data. */
+    size_t queue_len;   /** The number of bytes stored in 'queue'. */
+}
+mbedtls_poly1305_context;
+
+#else  /* MBEDTLS_POLY1305_ALT */
+#include "poly1305_alt.h"
+#endif /* MBEDTLS_POLY1305_ALT */
+
+/**
+ * \brief           This function initializes the specified Poly1305 context.
+ *
+ *                  It must be the first API called before using
+ *                  the context.
+ *
+ *                  It is usually followed by a call to
+ *                  \c mbedtls_poly1305_starts(), then one or more calls to
+ *                  \c mbedtls_poly1305_update(), then one call to
+ *                  \c mbedtls_poly1305_finish(), then finally
+ *                  \c mbedtls_poly1305_free().
+ *
+ * \param ctx       The Poly1305 context to initialize. This must
+ *                  not be \c NULL.
+ */
+void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx );
+
+/**
+ * \brief           This function releases and clears the specified
+ *                  Poly1305 context.
+ *
+ * \param ctx       The Poly1305 context to clear. This may be \c NULL, in which
+ *                  case this function is a no-op. If it is not \c NULL, it must
+ *                  point to an initialized Poly1305 context.
+ */
+void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx );
+
+/**
+ * \brief           This function sets the one-time authentication key.
+ *
+ * \warning         The key must be unique and unpredictable for each
+ *                  invocation of Poly1305.
+ *
+ * \param ctx       The Poly1305 context to which the key should be bound.
+ *                  This must be initialized.
+ * \param key       The buffer containing the \c 32 Byte (\c 256 Bit) key.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx,
+                             const unsigned char key[32] );
+
+/**
+ * \brief           This functions feeds an input buffer into an ongoing
+ *                  Poly1305 computation.
+ *
+ *                  It is called between \c mbedtls_cipher_poly1305_starts() and
+ *                  \c mbedtls_cipher_poly1305_finish().
+ *                  It can be called repeatedly to process a stream of data.
+ *
+ * \param ctx       The Poly1305 context to use for the Poly1305 operation.
+ *                  This must be initialized and bound to a key.
+ * \param ilen      The length of the input data in Bytes.
+ *                  Any value is accepted.
+ * \param input     The buffer holding the input data.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
+                             const unsigned char *input,
+                             size_t ilen );
+
+/**
+ * \brief           This function generates the Poly1305 Message
+ *                  Authentication Code (MAC).
+ *
+ * \param ctx       The Poly1305 context to use for the Poly1305 operation.
+ *                  This must be initialized and bound to a key.
+ * \param mac       The buffer to where the MAC is written. This must
+ *                  be a writable buffer of length \c 16 Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx,
+                             unsigned char mac[16] );
+
+/**
+ * \brief           This function calculates the Poly1305 MAC of the input
+ *                  buffer with the provided key.
+ *
+ * \warning         The key must be unique and unpredictable for each
+ *                  invocation of Poly1305.
+ *
+ * \param key       The buffer containing the \c 32 Byte (\c 256 Bit) key.
+ * \param ilen      The length of the input data in Bytes.
+ *                  Any value is accepted.
+ * \param input     The buffer holding the input data.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ * \param mac       The buffer to where the MAC is written. This must be
+ *                  a writable buffer of length \c 16 Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_poly1305_mac( const unsigned char key[32],
+                          const unsigned char *input,
+                          size_t ilen,
+                          unsigned char mac[16] );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief           The Poly1305 checkup routine.
+ *
+ * \return          \c 0 on success.
+ * \return          \c 1 on failure.
+ */
+int mbedtls_poly1305_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_POLY1305_H */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ripemd160.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ripemd160.h
index 3a8b50a621..b42f6d2a95 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ripemd160.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ripemd160.h
@@ -33,20 +33,22 @@
 #include <stddef.h>
 #include <stdint.h>
 
+/* MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
 #define MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED             -0x0031  /**< RIPEMD160 hardware accelerator failed */
 
-#if !defined(MBEDTLS_RIPEMD160_ALT)
-// Regular implementation
-//
-
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_RIPEMD160_ALT)
+// Regular implementation
+//
+
 /**
  * \brief          RIPEMD-160 context structure
  */
-typedef struct
+typedef struct mbedtls_ripemd160_context
 {
     uint32_t total[2];          /*!< number of bytes processed  */
     uint32_t state[5];          /*!< intermediate digest state  */
@@ -54,6 +56,10 @@ typedef struct
 }
 mbedtls_ripemd160_context;
 
+#else  /* MBEDTLS_RIPEMD160_ALT */
+#include "ripemd160.h"
+#endif /* MBEDTLS_RIPEMD160_ALT */
+
 /**
  * \brief          Initialize RIPEMD-160 context
  *
@@ -178,18 +184,6 @@ MBEDTLS_DEPRECATED void mbedtls_ripemd160_process(
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* MBEDTLS_RIPEMD160_ALT */
-#include "ripemd160_alt.h"
-#endif /* MBEDTLS_RIPEMD160_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 /**
  * \brief          Output = RIPEMD-160( input buffer )
  *
@@ -225,6 +219,8 @@ MBEDTLS_DEPRECATED void mbedtls_ripemd160( const unsigned char *input,
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          Checkup routine
  *
@@ -232,6 +228,8 @@ MBEDTLS_DEPRECATED void mbedtls_ripemd160( const unsigned char *input,
  */
 int mbedtls_ripemd160_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/rsa.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/rsa.h
index 5548f3c127..906c427332 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/rsa.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/rsa.h
@@ -1,11 +1,12 @@
 /**
  * \file rsa.h
  *
- * \brief The RSA public-key cryptosystem.
+ * \brief This file provides an API for the RSA public-key cryptosystem.
  *
- * For more information, see <em>Public-Key Cryptography Standards (PKCS)
- * #1 v1.5: RSA Encryption</em> and <em>Public-Key Cryptography Standards
- * (PKCS) #1 v2.1: RSA Cryptography Specifications</em>.
+ * The RSA public-key cryptosystem is defined in <em>Public-Key
+ * Cryptography Standards (PKCS) #1 v1.5: RSA Encryption</em>
+ * and <em>Public-Key Cryptography Standards (PKCS) #1 v2.1:
+ * RSA Cryptography Specifications</em>.
  *
  */
 /*
@@ -54,7 +55,12 @@
 #define MBEDTLS_ERR_RSA_VERIFY_FAILED                     -0x4380  /**< The PKCS#1 verification failed. */
 #define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE                  -0x4400  /**< The output buffer for decryption is not large enough. */
 #define MBEDTLS_ERR_RSA_RNG_FAILED                        -0x4480  /**< The random generator failed to generate non-zeros. */
+
+/* MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION is deprecated and should not be used.
+ */
 #define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION             -0x4500  /**< The implementation does not offer the requested operation, for example, because of security violations or lack of functionality. */
+
+/* MBEDTLS_ERR_RSA_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_RSA_HW_ACCEL_FAILED                   -0x4580  /**< RSA hardware accelerator failed. */
 
 /*
@@ -63,8 +69,8 @@
 #define MBEDTLS_RSA_PUBLIC      0 /**< Request private key operation. */
 #define MBEDTLS_RSA_PRIVATE     1 /**< Request public key operation. */
 
-#define MBEDTLS_RSA_PKCS_V15    0 /**< Use PKCS-1 v1.5 encoding. */
-#define MBEDTLS_RSA_PKCS_V21    1 /**< Use PKCS-1 v2.1 encoding. */
+#define MBEDTLS_RSA_PKCS_V15    0 /**< Use PKCS#1 v1.5 encoding. */
+#define MBEDTLS_RSA_PKCS_V21    1 /**< Use PKCS#1 v2.1 encoding. */
 
 #define MBEDTLS_RSA_SIGN        1 /**< Identifier for RSA signature operations. */
 #define MBEDTLS_RSA_CRYPT       2 /**< Identifier for RSA encryption and decryption operations. */
@@ -76,14 +82,14 @@
  * eg for alternative (PKCS#11) RSA implemenations in the PK layers.
  */
 
-#if !defined(MBEDTLS_RSA_ALT)
-// Regular implementation
-//
-
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_RSA_ALT)
+// Regular implementation
+//
+
 /**
  * \brief   The RSA context structure.
  *
@@ -91,29 +97,29 @@ extern "C" {
  *          is deprecated. All manipulation should instead be done through
  *          the public interface functions.
  */
-typedef struct
+typedef struct mbedtls_rsa_context
 {
     int ver;                    /*!<  Always 0.*/
     size_t len;                 /*!<  The size of \p N in Bytes. */
 
-    mbedtls_mpi N;                      /*!<  The public modulus. */
-    mbedtls_mpi E;                      /*!<  The public exponent. */
+    mbedtls_mpi N;              /*!<  The public modulus. */
+    mbedtls_mpi E;              /*!<  The public exponent. */
 
-    mbedtls_mpi D;                      /*!<  The private exponent. */
-    mbedtls_mpi P;                      /*!<  The first prime factor. */
-    mbedtls_mpi Q;                      /*!<  The second prime factor. */
+    mbedtls_mpi D;              /*!<  The private exponent. */
+    mbedtls_mpi P;              /*!<  The first prime factor. */
+    mbedtls_mpi Q;              /*!<  The second prime factor. */
 
-    mbedtls_mpi DP;                     /*!<  \p D % (P - 1)       */
-    mbedtls_mpi DQ;                     /*!<  \p D % (Q - 1)       */
-    mbedtls_mpi QP;                     /*!<  1 / (Q % P)       */
+    mbedtls_mpi DP;             /*!<  <code>D % (P - 1)</code>. */
+    mbedtls_mpi DQ;             /*!<  <code>D % (Q - 1)</code>. */
+    mbedtls_mpi QP;             /*!<  <code>1 / (Q % P)</code>. */
 
-    mbedtls_mpi RN;                     /*!<  cached R^2 mod \p N  */
+    mbedtls_mpi RN;             /*!<  cached <code>R^2 mod N</code>. */
 
-    mbedtls_mpi RP;                     /*!<  cached R^2 mod \p P  */
-    mbedtls_mpi RQ;                     /*!<  cached R^2 mod \p Q  */
+    mbedtls_mpi RP;             /*!<  cached <code>R^2 mod P</code>. */
+    mbedtls_mpi RQ;             /*!<  cached <code>R^2 mod Q</code>. */
 
-    mbedtls_mpi Vi;                     /*!<  The cached blinding value. */
-    mbedtls_mpi Vf;                     /*!<  The cached un-blinding value. */
+    mbedtls_mpi Vi;             /*!<  The cached blinding value. */
+    mbedtls_mpi Vf;             /*!<  The cached un-blinding value. */
 
     int padding;                /*!< Selects padding mode:
                                      #MBEDTLS_RSA_PKCS_V15 for 1.5 padding and
@@ -128,18 +134,16 @@ typedef struct
 }
 mbedtls_rsa_context;
 
+#else  /* MBEDTLS_RSA_ALT */
+#include "rsa_alt.h"
+#endif /* MBEDTLS_RSA_ALT */
+
 /**
  * \brief          This function initializes an RSA context.
  *
  * \note           Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP
  *                 encryption scheme and the RSASSA-PSS signature scheme.
  *
- * \param ctx      The RSA context to initialize.
- * \param padding  Selects padding mode: #MBEDTLS_RSA_PKCS_V15 or
- *                 #MBEDTLS_RSA_PKCS_V21.
- * \param hash_id  The hash identifier of #mbedtls_md_type_t type, if
- *                 \p padding is #MBEDTLS_RSA_PKCS_V21.
- *
  * \note           The \p hash_id parameter is ignored when using
  *                 #MBEDTLS_RSA_PKCS_V15 padding.
  *
@@ -153,22 +157,22 @@ mbedtls_rsa_context;
  *                 encryption. For PSS signatures, it is always used for
  *                 making signatures, but can be overriden for verifying them.
  *                 If set to #MBEDTLS_MD_NONE, it is always overriden.
+ *
+ * \param ctx      The RSA context to initialize. This must not be \c NULL.
+ * \param padding  The padding mode to use. This must be either
+ *                 #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21.
+ * \param hash_id  The hash identifier of ::mbedtls_md_type_t type, if
+ *                 \p padding is #MBEDTLS_RSA_PKCS_V21. It is unused
+ *                 otherwise.
  */
 void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
                        int padding,
-                       int hash_id);
+                       int hash_id );
 
 /**
  * \brief          This function imports a set of core parameters into an
  *                 RSA context.
  *
- * \param ctx      The initialized RSA context to store the parameters in.
- * \param N        The RSA modulus, or NULL.
- * \param P        The first prime factor of \p N, or NULL.
- * \param Q        The second prime factor of \p N, or NULL.
- * \param D        The private exponent, or NULL.
- * \param E        The public exponent, or NULL.
- *
  * \note           This function can be called multiple times for successive
  *                 imports, if the parameters are not simultaneously present.
  *
@@ -184,7 +188,15 @@ void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
  * \note           The imported parameters are copied and need not be preserved
  *                 for the lifetime of the RSA context being set up.
  *
- * \return         \c 0 on success, or a non-zero error code on failure.
+ * \param ctx      The initialized RSA context to store the parameters in.
+ * \param N        The RSA modulus. This may be \c NULL.
+ * \param P        The first prime factor of \p N. This may be \c NULL.
+ * \param Q        The second prime factor of \p N. This may be \c NULL.
+ * \param D        The private exponent. This may be \c NULL.
+ * \param E        The public exponent. This may be \c NULL.
+ *
+ * \return         \c 0 on success.
+ * \return         A non-zero error code on failure.
  */
 int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
                         const mbedtls_mpi *N,
@@ -195,18 +207,6 @@ int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
  * \brief          This function imports core RSA parameters, in raw big-endian
  *                 binary format, into an RSA context.
  *
- * \param ctx      The initialized RSA context to store the parameters in.
- * \param N        The RSA modulus, or NULL.
- * \param N_len    The Byte length of \p N, ignored if \p N == NULL.
- * \param P        The first prime factor of \p N, or NULL.
- * \param P_len    The Byte length of \p P, ignored if \p P == NULL.
- * \param Q        The second prime factor of \p N, or NULL.
- * \param Q_len    The Byte length of \p Q, ignored if \p Q == NULL.
- * \param D        The private exponent, or NULL.
- * \param D_len    The Byte length of \p D, ignored if \p D == NULL.
- * \param E        The public exponent, or NULL.
- * \param E_len    The Byte length of \p E, ignored if \p E == NULL.
- *
  * \note           This function can be called multiple times for successive
  *                 imports, if the parameters are not simultaneously present.
  *
@@ -222,7 +222,20 @@ int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
  * \note           The imported parameters are copied and need not be preserved
  *                 for the lifetime of the RSA context being set up.
  *
- * \return         \c 0 on success, or a non-zero error code on failure.
+ * \param ctx      The initialized RSA context to store the parameters in.
+ * \param N        The RSA modulus. This may be \c NULL.
+ * \param N_len    The Byte length of \p N; it is ignored if \p N == NULL.
+ * \param P        The first prime factor of \p N. This may be \c NULL.
+ * \param P_len    The Byte length of \p P; it ns ignored if \p P == NULL.
+ * \param Q        The second prime factor of \p N. This may be \c NULL.
+ * \param Q_len    The Byte length of \p Q; it is ignored if \p Q == NULL.
+ * \param D        The private exponent. This may be \c NULL.
+ * \param D_len    The Byte length of \p D; it is ignored if \p D == NULL.
+ * \param E        The public exponent. This may be \c NULL.
+ * \param E_len    The Byte length of \p E; it is ignored if \p E == NULL.
+ *
+ * \return         \c 0 on success.
+ * \return         A non-zero error code on failure.
  */
 int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
                             unsigned char const *N, size_t N_len,
@@ -250,17 +263,18 @@ int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
  *                 the RSA context can be used for RSA operations without
  *                 the risk of failure or crash.
  *
- * \param ctx      The initialized RSA context holding imported parameters.
- *
- * \return         \c 0 on success, or #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the
- *                 attempted derivations failed.
- *
  * \warning        This function need not perform consistency checks
  *                 for the imported parameters. In particular, parameters that
  *                 are not needed by the implementation might be silently
  *                 discarded and left unchecked. To check the consistency
  *                 of the key material, see mbedtls_rsa_check_privkey().
  *
+ * \param ctx      The initialized RSA context holding imported parameters.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations
+ *                 failed.
+ *
  */
 int mbedtls_rsa_complete( mbedtls_rsa_context *ctx );
 
@@ -273,7 +287,7 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx );
  *                 zero Bytes.
  *
  *                 Possible reasons for returning
- *                 #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:<ul>
+ *                 #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul>
  *                 <li>An alternative RSA implementation is in use, which
  *                 stores the key externally, and either cannot or should
  *                 not export it into RAM.</li>
@@ -286,17 +300,22 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx );
  *                 the RSA context stays intact and remains usable.
  *
  * \param ctx      The initialized RSA context.
- * \param N        The MPI to hold the RSA modulus, or NULL.
- * \param P        The MPI to hold the first prime factor of \p N, or NULL.
- * \param Q        The MPI to hold the second prime factor of \p N, or NULL.
- * \param D        The MPI to hold the private exponent, or NULL.
- * \param E        The MPI to hold the public exponent, or NULL.
- *
- * \return         \c 0 on success,
- *                 #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION if exporting the
+ * \param N        The MPI to hold the RSA modulus.
+ *                 This may be \c NULL if this field need not be exported.
+ * \param P        The MPI to hold the first prime factor of \p N.
+ *                 This may be \c NULL if this field need not be exported.
+ * \param Q        The MPI to hold the second prime factor of \p N.
+ *                 This may be \c NULL if this field need not be exported.
+ * \param D        The MPI to hold the private exponent.
+ *                 This may be \c NULL if this field need not be exported.
+ * \param E        The MPI to hold the public exponent.
+ *                 This may be \c NULL if this field need not be exported.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the
  *                 requested parameters cannot be done due to missing
- *                 functionality or because of security policies,
- *                 or a non-zero return code on any other failure.
+ *                 functionality or because of security policies.
+ * \return         A non-zero return code on any other failure.
  *
  */
 int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
@@ -313,7 +332,7 @@ int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
  *                 zero Bytes.
  *
  *                 Possible reasons for returning
- *                 #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:<ul>
+ *                 #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul>
  *                 <li>An alternative RSA implementation is in use, which
  *                 stores the key externally, and either cannot or should
  *                 not export it into RAM.</li>
@@ -324,28 +343,31 @@ int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
  *                 If the function fails due to an unsupported operation,
  *                 the RSA context stays intact and remains usable.
  *
+ * \note           The length parameters are ignored if the corresponding
+ *                 buffer pointers are NULL.
+ *
  * \param ctx      The initialized RSA context.
- * \param N        The Byte array to store the RSA modulus, or NULL.
+ * \param N        The Byte array to store the RSA modulus,
+ *                 or \c NULL if this field need not be exported.
  * \param N_len    The size of the buffer for the modulus.
- * \param P        The Byte array to hold the first prime factor of \p N, or
- *                 NULL.
+ * \param P        The Byte array to hold the first prime factor of \p N,
+ *                 or \c NULL if this field need not be exported.
  * \param P_len    The size of the buffer for the first prime factor.
- * \param Q        The Byte array to hold the second prime factor of \p N, or
-                   NULL.
+ * \param Q        The Byte array to hold the second prime factor of \p N,
+ *                 or \c NULL if this field need not be exported.
  * \param Q_len    The size of the buffer for the second prime factor.
- * \param D        The Byte array to hold the private exponent, or NULL.
+ * \param D        The Byte array to hold the private exponent,
+ *                 or \c NULL if this field need not be exported.
  * \param D_len    The size of the buffer for the private exponent.
- * \param E        The Byte array to hold the public exponent, or NULL.
+ * \param E        The Byte array to hold the public exponent,
+ *                 or \c NULL if this field need not be exported.
  * \param E_len    The size of the buffer for the public exponent.
  *
- * \note           The length fields are ignored if the corresponding
- *                 buffer pointers are NULL.
- *
- * \return         \c 0 on success,
- *                 #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION if exporting the
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the
  *                 requested parameters cannot be done due to missing
- *                 functionality or because of security policies,
- *                 or a non-zero return code on any other failure.
+ *                 functionality or because of security policies.
+ * \return         A non-zero return code on any other failure.
  */
 int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
                             unsigned char *N, size_t N_len,
@@ -357,17 +379,21 @@ int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
 /**
  * \brief          This function exports CRT parameters of a private RSA key.
  *
- * \param ctx      The initialized RSA context.
- * \param DP       The MPI to hold D modulo P-1, or NULL.
- * \param DQ       The MPI to hold D modulo Q-1, or NULL.
- * \param QP       The MPI to hold modular inverse of Q modulo P, or NULL.
- *
- * \return         \c 0 on success, non-zero error code otherwise.
- *
  * \note           Alternative RSA implementations not using CRT-parameters
  *                 internally can implement this function based on
  *                 mbedtls_rsa_deduce_opt().
  *
+ * \param ctx      The initialized RSA context.
+ * \param DP       The MPI to hold \c D modulo `P-1`,
+ *                 or \c NULL if it need not be exported.
+ * \param DQ       The MPI to hold \c D modulo `Q-1`,
+ *                 or \c NULL if it need not be exported.
+ * \param QP       The MPI to hold modular inverse of \c Q modulo \c P,
+ *                 or \c NULL if it need not be exported.
+ *
+ * \return         \c 0 on success.
+ * \return         A non-zero error code on failure.
+ *
  */
 int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
                             mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP );
@@ -376,13 +402,13 @@ int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
  * \brief          This function sets padding for an already initialized RSA
  *                 context. See mbedtls_rsa_init() for details.
  *
- * \param ctx      The RSA context to be set.
- * \param padding  Selects padding mode: #MBEDTLS_RSA_PKCS_V15 or
- *                 #MBEDTLS_RSA_PKCS_V21.
+ * \param ctx      The initialized RSA context to be configured.
+ * \param padding  The padding mode to use. This must be either
+ *                 #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21.
  * \param hash_id  The #MBEDTLS_RSA_PKCS_V21 hash identifier.
  */
 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
-                              int hash_id);
+                              int hash_id );
 
 /**
  * \brief          This function retrieves the length of RSA modulus in Bytes.
@@ -397,17 +423,20 @@ size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx );
 /**
  * \brief          This function generates an RSA keypair.
  *
- * \param ctx      The RSA context used to hold the key.
- * \param f_rng    The RNG function.
- * \param p_rng    The RNG parameter.
- * \param nbits    The size of the public key in bits.
- * \param exponent The public exponent. For example, 65537.
- *
  * \note           mbedtls_rsa_init() must be called before this function,
  *                 to set up the RSA context.
  *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
-                   on failure.
+ * \param ctx      The initialized RSA context used to hold the key.
+ * \param f_rng    The RNG function to be used for key generation.
+ *                 This must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng.
+ *                 This may be \c NULL if \p f_rng doesn't need a context.
+ * \param nbits    The size of the public key in bits.
+ * \param exponent The public exponent to use. For example, \c 65537.
+ *                 This must be odd and greater than \c 1.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
                          int (*f_rng)(void *, unsigned char *, size_t),
@@ -422,10 +451,10 @@ int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
  *                 enough information is present to perform an RSA public key
  *                 operation using mbedtls_rsa_public().
  *
- * \param ctx      The RSA context to check.
+ * \param ctx      The initialized RSA context to check.
  *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
- *                 on failure.
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  *
  */
 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx );
@@ -434,11 +463,6 @@ int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx );
  * \brief      This function checks if a context contains an RSA private key
  *             and perform basic consistency checks.
  *
- * \param ctx  The RSA context to check.
- *
- * \return     \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code on
- *             failure.
- *
  * \note       The consistency checks performed by this function not only
  *             ensure that mbedtls_rsa_private() can be called successfully
  *             on the given context, but that the various parameters are
@@ -465,6 +489,11 @@ int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx );
  *             user to ensure the trustworthiness of the source of his RSA
  *             parameters, which goes beyond what is effectively checkable
  *             by the library.</li></ul>
+ *
+ * \param ctx  The initialized RSA context to check.
+ *
+ * \return     \c 0 on success.
+ * \return     An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx );
 
@@ -473,11 +502,11 @@ int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx );
  *
  *                 It checks each of the contexts, and makes sure they match.
  *
- * \param pub      The RSA context holding the public key.
- * \param prv      The RSA context holding the private key.
+ * \param pub      The initialized RSA context holding the public key.
+ * \param prv      The initialized RSA context holding the private key.
  *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
- *                 on failure.
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
                                 const mbedtls_rsa_context *prv );
@@ -485,20 +514,21 @@ int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
 /**
  * \brief          This function performs an RSA public key operation.
  *
- * \param ctx      The RSA context.
- * \param input    The input buffer.
- * \param output   The output buffer.
- *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
- *                 on failure.
+ * \param ctx      The initialized RSA context to use.
+ * \param input    The input buffer. This must be a readable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ * \param output   The output buffer. This must be a writable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
  *
  * \note           This function does not handle message padding.
  *
  * \note           Make sure to set \p input[0] = 0 or ensure that
  *                 input is smaller than \p N.
  *
- * \note           The input and output buffers must be large
- *                 enough. For example, 128 Bytes if RSA-1024 is used.
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
                 const unsigned char *input,
@@ -507,18 +537,6 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
 /**
  * \brief          This function performs an RSA private key operation.
  *
- * \param ctx      The RSA context.
- * \param f_rng    The RNG function. Needed for blinding.
- * \param p_rng    The RNG parameter.
- * \param input    The input buffer.
- * \param output   The output buffer.
- *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
- *                 on failure.
- *
- * \note           The input and output buffers must be large
- *                 enough. For example, 128 Bytes if RSA-1024 is used.
- *
  * \note           Blinding is used if and only if a PRNG is provided.
  *
  * \note           If blinding is used, both the base of exponentation
@@ -530,6 +548,22 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
  *                 Future versions of the library may enforce the presence
  *                 of a PRNG.
  *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function, used for blinding. It is discouraged
+ *                 and deprecated to pass \c NULL here, in which case
+ *                 blinding will be omitted.
+ * \param p_rng    The RNG context to pass to \p f_rng. This may be \c NULL
+ *                 if \p f_rng is \c NULL or if \p f_rng doesn't need a context.
+ * \param input    The input buffer. This must be a readable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ * \param output   The output buffer. This must be a writable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ *
  */
 int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
                  int (*f_rng)(void *, unsigned char *, size_t),
@@ -544,16 +578,6 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
  *                 It is the generic wrapper for performing a PKCS#1 encryption
  *                 operation using the \p mode from the context.
  *
- *
- * \param ctx      The RSA context.
- * \param f_rng    The RNG function. Needed for padding, PKCS#1 v2.1
- *                 encoding, and #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG parameter.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param ilen     The length of the plaintext.
- * \param input    The buffer holding the data to encrypt.
- * \param output   The buffer used to hold the ciphertext.
- *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
  *                 are likely to remove the \p mode argument and have it
@@ -561,13 +585,29 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
- *                 on failure.
- *
- * \note           The input and output buffers must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG to use. It is mandatory for PKCS#1 v2.1 padding
+ *                 encoding, and for PKCS#1 v1.5 padding encoding when used
+ *                 with \p mode set to #MBEDTLS_RSA_PUBLIC. For PKCS#1 v1.5
+ *                 padding encoding and \p mode set to #MBEDTLS_RSA_PRIVATE,
+ *                 it is used for blinding and should be provided in this
+ *                 case; see mbedtls_rsa_private() for more.
+ * \param p_rng    The RNG context to be passed to \p f_rng. May be
+ *                 \c NULL if \p f_rng is \c NULL or if \p f_rng doesn't
+ *                 need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param ilen     The length of the plaintext in Bytes.
+ * \param input    The input data to encrypt. This must be a readable
+ *                 buffer of size \p ilen Bytes. This must not be \c NULL.
+ * \param output   The output buffer. This must be a writable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
                        int (*f_rng)(void *, unsigned char *, size_t),
@@ -580,15 +620,6 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
  * \brief          This function performs a PKCS#1 v1.5 encryption operation
  *                 (RSAES-PKCS1-v1_5-ENCRYPT).
  *
- * \param ctx      The RSA context.
- * \param f_rng    The RNG function. Needed for padding and
- *                 #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG parameter.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param ilen     The length of the plaintext.
- * \param input    The buffer holding the data to encrypt.
- * \param output   The buffer used to hold the ciphertext.
- *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
  *                 are likely to remove the \p mode argument and have it
@@ -596,13 +627,27 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
- *                 on failure.
- *
- * \note           The output buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function to use. It is needed for padding generation
+ *                 if \p mode is #MBEDTLS_RSA_PUBLIC. If \p mode is
+ *                 #MBEDTLS_RSA_PRIVATE (discouraged), it is used for
+ *                 blinding and should be provided; see mbedtls_rsa_private().
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may
+ *                 be \c NULL if \p f_rng is \c NULL or if \p f_rng
+ *                 doesn't need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param ilen     The length of the plaintext in Bytes.
+ * \param input    The input data to encrypt. This must be a readable
+ *                 buffer of size \p ilen Bytes. This must not be \c NULL.
+ * \param output   The output buffer. This must be a writable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
                                  int (*f_rng)(void *, unsigned char *, size_t),
@@ -615,31 +660,38 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
  * \brief            This function performs a PKCS#1 v2.1 OAEP encryption
  *                   operation (RSAES-OAEP-ENCRYPT).
  *
- * \param ctx        The RSA context.
- * \param f_rng      The RNG function. Needed for padding and PKCS#1 v2.1
- *                   encoding and #MBEDTLS_RSA_PRIVATE.
- * \param p_rng      The RNG parameter.
- * \param mode       #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \note             The output buffer must be as large as the size
+ *                   of ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *
+ * \deprecated       It is deprecated and discouraged to call this function
+ *                   in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                   are likely to remove the \p mode argument and have it
+ *                   implicitly set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note             Alternative implementations of RSA need not support
+ *                   mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                   return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx        The initnialized RSA context to use.
+ * \param f_rng      The RNG function to use. This is needed for padding
+ *                   generation and must be provided.
+ * \param p_rng      The RNG context to be passed to \p f_rng. This may
+ *                   be \c NULL if \p f_rng doesn't need a context argument.
+ * \param mode       The mode of operation. This must be either
+ *                   #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
  * \param label      The buffer holding the custom label to use.
- * \param label_len  The length of the label.
- * \param ilen       The length of the plaintext.
- * \param input      The buffer holding the data to encrypt.
- * \param output     The buffer used to hold the ciphertext.
- *
- * \deprecated     It is deprecated and discouraged to call this function
- *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
- *                 are likely to remove the \p mode argument and have it
- *                 implicitly set to #MBEDTLS_RSA_PUBLIC.
- *
- * \note           Alternative implementations of RSA need not support
- *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
- *                 on failure.
- *
- * \note           The output buffer must be as large as the size
- *                 of ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *                   This must be a readable buffer of length \p label_len
+ *                   Bytes. It may be \c NULL if \p label_len is \c 0.
+ * \param label_len  The length of the label in Bytes.
+ * \param ilen       The length of the plaintext buffer \p input in Bytes.
+ * \param input      The input data to encrypt. This must be a readable
+ *                   buffer of size \p ilen Bytes. This must not be \c NULL.
+ * \param output     The output buffer. This must be a writable buffer
+ *                   of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                   for an 2048-bit RSA modulus.
+ *
+ * \return           \c 0 on success.
+ * \return           An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
                             int (*f_rng)(void *, unsigned char *, size_t),
@@ -657,14 +709,12 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
  *                 It is the generic wrapper for performing a PKCS#1 decryption
  *                 operation using the \p mode from the context.
  *
- * \param ctx      The RSA context.
- * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG parameter.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param olen     The length of the plaintext.
- * \param input    The buffer holding the encrypted data.
- * \param output   The buffer used to hold the plaintext.
- * \param output_max_len    The maximum length of the output buffer.
+ * \note           The output buffer length \c output_max_len should be
+ *                 as large as the size \p ctx->len of \p ctx->N (for example,
+ *                 128 Bytes if RSA-1024 is used) to be able to hold an
+ *                 arbitrary decrypted message. If it is not large enough to
+ *                 hold the decryption of the particular ciphertext provided,
+ *                 the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
  *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
@@ -673,20 +723,28 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
- *                 on failure.
- *
- * \note           The output buffer length \c output_max_len should be
- *                 as large as the size \p ctx->len of \p ctx->N (for example,
- *                 128 Bytes if RSA-1024 is used) to be able to hold an
- *                 arbitrary decrypted message. If it is not large enough to
- *                 hold the decryption of the particular ciphertext provided,
- *                 the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
- *
- * \note           The input buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. If \p mode is
+ *                 #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param olen     The address at which to store the length of
+ *                 the plaintext. This must not be \c NULL.
+ * \param input    The ciphertext buffer. This must be a readable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ * \param output   The buffer used to hold the plaintext. This must
+ *                 be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
                        int (*f_rng)(void *, unsigned char *, size_t),
@@ -700,14 +758,12 @@ int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
  * \brief          This function performs a PKCS#1 v1.5 decryption
  *                 operation (RSAES-PKCS1-v1_5-DECRYPT).
  *
- * \param ctx      The RSA context.
- * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG parameter.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param olen     The length of the plaintext.
- * \param input    The buffer holding the encrypted data.
- * \param output   The buffer to hold the plaintext.
- * \param output_max_len    The maximum length of the output buffer.
+ * \note           The output buffer length \c output_max_len should be
+ *                 as large as the size \p ctx->len of \p ctx->N, for example,
+ *                 128 Bytes if RSA-1024 is used, to be able to hold an
+ *                 arbitrary decrypted message. If it is not large enough to
+ *                 hold the decryption of the particular ciphertext provided,
+ *                 the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
  *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
@@ -716,20 +772,29 @@ int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
- *                 on failure.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. If \p mode is
+ *                 #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param olen     The address at which to store the length of
+ *                 the plaintext. This must not be \c NULL.
+ * \param input    The ciphertext buffer. This must be a readable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ * \param output   The buffer used to hold the plaintext. This must
+ *                 be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  *
- * \note           The output buffer length \c output_max_len should be
- *                 as large as the size \p ctx->len of \p ctx->N, for example,
- *                 128 Bytes if RSA-1024 is used, to be able to hold an
- *                 arbitrary decrypted message. If it is not large enough to
- *                 hold the decryption of the particular ciphertext provided,
- *                 the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
- *
- * \note           The input buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
  */
 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
                                  int (*f_rng)(void *, unsigned char *, size_t),
@@ -740,42 +805,50 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
                                  size_t output_max_len );
 
 /**
- * \brief          This function performs a PKCS#1 v2.1 OAEP decryption
- *                 operation (RSAES-OAEP-DECRYPT).
- *
- * \param ctx        The RSA context.
- * \param f_rng      The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng      The RNG parameter.
- * \param mode       #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \brief            This function performs a PKCS#1 v2.1 OAEP decryption
+ *                   operation (RSAES-OAEP-DECRYPT).
+ *
+ * \note             The output buffer length \c output_max_len should be
+ *                   as large as the size \p ctx->len of \p ctx->N, for
+ *                   example, 128 Bytes if RSA-1024 is used, to be able to
+ *                   hold an arbitrary decrypted message. If it is not
+ *                   large enough to hold the decryption of the particular
+ *                   ciphertext provided, the function returns
+ *                   #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ *
+ * \deprecated       It is deprecated and discouraged to call this function
+ *                   in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                   are likely to remove the \p mode argument and have it
+ *                   implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note             Alternative implementations of RSA need not support
+ *                   mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                   return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx        The initialized RSA context to use.
+ * \param f_rng      The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                   this is used for blinding and should be provided; see
+ *                   mbedtls_rsa_private() for more. If \p mode is
+ *                   #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng      The RNG context to be passed to \p f_rng. This may be
+ *                   \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode       The mode of operation. This must be either
+ *                   #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
  * \param label      The buffer holding the custom label to use.
- * \param label_len  The length of the label.
- * \param olen       The length of the plaintext.
- * \param input      The buffer holding the encrypted data.
- * \param output     The buffer to hold the plaintext.
- * \param output_max_len    The maximum length of the output buffer.
- *
- * \deprecated     It is deprecated and discouraged to call this function
- *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
- *                 are likely to remove the \p mode argument and have it
- *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
- *
- * \note           Alternative implementations of RSA need not support
- *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \return         \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
- *                 on failure.
- *
- * \note           The output buffer length \c output_max_len should be
- *                 as large as the size \p ctx->len of \p ctx->N, for
- *                 example, 128 Bytes if RSA-1024 is used, to be able to
- *                 hold an arbitrary decrypted message. If it is not
- *                 large enough to hold the decryption of the particular
- *                 ciphertext provided, the function returns
- *                 #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
- *
- * \note           The input buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *                   This must be a readable buffer of length \p label_len
+ *                   Bytes. It may be \c NULL if \p label_len is \c 0.
+ * \param label_len  The length of the label in Bytes.
+ * \param olen       The address at which to store the length of
+ *                   the plaintext. This must not be \c NULL.
+ * \param input      The ciphertext buffer. This must be a readable buffer
+ *                   of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                   for an 2048-bit RSA modulus.
+ * \param output     The buffer used to hold the plaintext. This must
+ *                   be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
                             int (*f_rng)(void *, unsigned char *, size_t),
@@ -794,16 +867,12 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
  *                 It is the generic wrapper for performing a PKCS#1
  *                 signature using the \p mode from the context.
  *
- * \param ctx      The RSA context.
- * \param f_rng    The RNG function. Needed for PKCS#1 v2.1 encoding and for
- *                 #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG parameter.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param md_alg   The message-digest algorithm used to hash the original data.
- *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash     The buffer holding the message digest.
- * \param sig      The buffer to hold the ciphertext.
+ * \note           The \p sig buffer must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *
+ * \note           For PKCS#1 v2.1 encoding, see comments on
+ *                 mbedtls_rsa_rsassa_pss_sign() for details on
+ *                 \p md_alg and \p hash_id.
  *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
@@ -812,17 +881,33 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \return         \c 0 if the signing operation was successful,
- *                 or an \c MBEDTLS_ERR_RSA_XXX error code on failure.
- *
- * \note           The \p sig buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
- * \note           For PKCS#1 v2.1 encoding, see comments on
- *                 mbedtls_rsa_rsassa_pss_sign() for details on
- *                 \p md_alg and \p hash_id.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function to use. If the padding mode is PKCS#1 v2.1,
+ *                 this must be provided. If the padding mode is PKCS#1 v1.5 and
+ *                 \p mode is #MBEDTLS_RSA_PRIVATE, it is used for blinding
+ *                 and should be provided; see mbedtls_rsa_private() for more
+ *                 more. It is ignored otherwise.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
+ *                 if \p f_rng is \c NULL or doesn't need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer to hold the signature. This must be a writable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 if the signing operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
                     int (*f_rng)(void *, unsigned char *, size_t),
@@ -837,16 +922,6 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
  * \brief          This function performs a PKCS#1 v1.5 signature
  *                 operation (RSASSA-PKCS1-v1_5-SIGN).
  *
- * \param ctx      The RSA context.
- * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG parameter.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param md_alg   The message-digest algorithm used to hash the original data.
- *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash     The buffer holding the message digest.
- * \param sig      The buffer to hold the ciphertext.
- *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
  *                 are likely to remove the \p mode argument and have it
@@ -854,14 +929,32 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \return         \c 0 if the signing operation was successful,
- *                 or an \c MBEDTLS_ERR_RSA_XXX error code
- *                 on failure.
- *
- * \note           The \p sig buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. If \p mode is
+ *                 #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
+ *                 if \p f_rng is \c NULL or doesn't need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer to hold the signature. This must be a writable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 if the signing operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
                                int (*f_rng)(void *, unsigned char *, size_t),
@@ -876,16 +969,22 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
  * \brief          This function performs a PKCS#1 v2.1 PSS signature
  *                 operation (RSASSA-PSS-SIGN).
  *
- * \param ctx      The RSA context.
- * \param f_rng    The RNG function. Needed for PKCS#1 v2.1 encoding and for
- *                 #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG parameter.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param md_alg   The message-digest algorithm used to hash the original data.
- *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash     The buffer holding the message digest.
- * \param sig      The buffer to hold the ciphertext.
+ * \note           The \p hash_id in the RSA context is the one used for the
+ *                 encoding. \p md_alg in the function call is the type of hash
+ *                 that is encoded. According to <em>RFC-3447: Public-Key
+ *                 Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
+ *                 Specifications</em> it is advised to keep both hashes the
+ *                 same.
+ *
+ * \note           This function always uses the maximum possible salt size,
+ *                 up to the length of the payload hash. This choice of salt
+ *                 size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1
+ *                 v2.2) §9.1.1 step 3. Furthermore this function enforces a
+ *                 minimum salt size which is the hash size minus 2 bytes. If
+ *                 this minimum size is too large given the key size (the salt
+ *                 size, plus the hash size, plus 2 bytes must be no more than
+ *                 the key size in bytes), this function returns
+ *                 #MBEDTLS_ERR_RSA_BAD_INPUT_DATA.
  *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
@@ -894,21 +993,29 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \return         \c 0 if the signing operation was successful,
- *                 or an \c MBEDTLS_ERR_RSA_XXX error code
- *                 on failure.
- *
- * \note           The \p sig buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
- * \note           The \p hash_id in the RSA context is the one used for the
- *                 encoding. \p md_alg in the function call is the type of hash
- *                 that is encoded. According to <em>RFC-3447: Public-Key
- *                 Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
- *                 Specifications</em> it is advised to keep both hashes the
- *                 same.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function. It must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
+ *                 if \p f_rng doesn't need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer to hold the signature. This must be a writable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 if the signing operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
                          int (*f_rng)(void *, unsigned char *, size_t),
@@ -926,15 +1033,9 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
  *                 This is the generic wrapper for performing a PKCS#1
  *                 verification using the mode from the context.
  *
- * \param ctx      The RSA public key context.
- * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG parameter.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param md_alg   The message-digest algorithm used to hash the original data.
- *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash     The buffer holding the message digest.
- * \param sig      The buffer holding the ciphertext.
+ * \note           For PKCS#1 v2.1 encoding, see comments on
+ *                 mbedtls_rsa_rsassa_pss_verify() about \p md_alg and
+ *                 \p hash_id.
  *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
@@ -943,18 +1044,31 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \return         \c 0 if the verify operation was successful,
- *                 or an \c MBEDTLS_ERR_RSA_XXX error code
- *                 on failure.
- *
- * \note           The \p sig buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
- * \note           For PKCS#1 v2.1 encoding, see comments on
- *                 mbedtls_rsa_rsassa_pss_verify() about \p md_alg and
- *                 \p hash_id.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA public key context to use.
+ * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer holding the signature. This must be a readable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 if the verify operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
                       int (*f_rng)(void *, unsigned char *, size_t),
@@ -969,16 +1083,6 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
  * \brief          This function performs a PKCS#1 v1.5 verification
  *                 operation (RSASSA-PKCS1-v1_5-VERIFY).
  *
- * \param ctx      The RSA public key context.
- * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG parameter.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param md_alg   The message-digest algorithm used to hash the original data.
- *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash     The buffer holding the message digest.
- * \param sig      The buffer holding the ciphertext.
- *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
  *                 are likely to remove the \p mode argument and have it
@@ -986,14 +1090,31 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \return         \c 0 if the verify operation was successful,
- *                 or an \c MBEDTLS_ERR_RSA_XXX error code
- *                 on failure.
- *
- * \note           The \p sig buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA public key context to use.
+ * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer holding the signature. This must be a readable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 if the verify operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
                                  int (*f_rng)(void *, unsigned char *, size_t),
@@ -1011,15 +1132,13 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
  *                 The hash function for the MGF mask generating function
  *                 is that specified in the RSA context.
  *
- * \param ctx      The RSA public key context.
- * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG parameter.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param md_alg   The message-digest algorithm used to hash the original data.
- *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash     The buffer holding the message digest.
- * \param sig      The buffer holding the ciphertext.
+ * \note           The \p hash_id in the RSA context is the one used for the
+ *                 verification. \p md_alg in the function call is the type of
+ *                 hash that is verified. According to <em>RFC-3447: Public-Key
+ *                 Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
+ *                 Specifications</em> it is advised to keep both hashes the
+ *                 same. If \p hash_id in the RSA context is unset,
+ *                 the \p md_alg from the function call is used.
  *
  * \deprecated     It is deprecated and discouraged to call this function
  *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
@@ -1028,22 +1147,31 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
  *
  * \note           Alternative implementations of RSA need not support
  *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                 return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
- *
- * \return         \c 0 if the verify operation was successful,
- *                 or an \c MBEDTLS_ERR_RSA_XXX error code
- *                 on failure.
- *
- * \note           The \p sig buffer must be as large as the size
- *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
- *
- * \note           The \p hash_id in the RSA context is the one used for the
- *                 verification. \p md_alg in the function call is the type of
- *                 hash that is verified. According to <em>RFC-3447: Public-Key
- *                 Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
- *                 Specifications</em> it is advised to keep both hashes the
- *                 same. If \p hash_id in the RSA context is unset,
- *                 the \p md_alg from the function call is used.
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA public key context to use.
+ * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer holding the signature. This must be a readable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 if the verify operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
                            int (*f_rng)(void *, unsigned char *, size_t),
@@ -1061,27 +1189,37 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
  *                 The hash function for the MGF mask generating function
  *                 is that specified in \p mgf1_hash_id.
  *
- * \param ctx      The RSA public key context.
- * \param f_rng    The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
- * \param p_rng    The RNG parameter.
- * \param mode     #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
- * \param md_alg   The message-digest algorithm used to hash the original data.
- *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
- * \param hash     The buffer holding the message digest.
- * \param mgf1_hash_id The message digest used for mask generation.
- * \param expected_salt_len The length of the salt used in padding. Use
- *                 #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
- * \param sig      The buffer holding the ciphertext.
- *
- * \return         \c 0 if the verify operation was successful,
- *                 or an \c MBEDTLS_ERR_RSA_XXX error code
- *                 on failure.
- *
  * \note           The \p sig buffer must be as large as the size
  *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
  *
  * \note           The \p hash_id in the RSA context is ignored.
+ *
+ * \param ctx      The initialized RSA public key context to use.
+ * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param mgf1_hash_id      The message digest used for mask generation.
+ * \param expected_salt_len The length of the salt used in padding. Use
+ *                          #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
+ * \param sig      The buffer holding the signature. This must be a readable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 if the verify operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
                                int (*f_rng)(void *, unsigned char *, size_t),
@@ -1097,40 +1235,35 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
 /**
  * \brief          This function copies the components of an RSA context.
  *
- * \param dst      The destination context.
- * \param src      The source context.
+ * \param dst      The destination context. This must be initialized.
+ * \param src      The source context. This must be initialized.
  *
- * \return         \c 0 on success,
- *                 #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure.
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure.
  */
 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src );
 
 /**
  * \brief          This function frees the components of an RSA key.
  *
- * \param ctx      The RSA Context to free.
+ * \param ctx      The RSA context to free. May be \c NULL, in which case
+ *                 this function is a no-op. If it is not \c NULL, it must
+ *                 point to an initialized RSA context.
  */
 void mbedtls_rsa_free( mbedtls_rsa_context *ctx );
 
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* MBEDTLS_RSA_ALT */
-#include "rsa_alt.h"
-#endif /* MBEDTLS_RSA_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
+#if defined(MBEDTLS_SELF_TEST)
 
 /**
  * \brief          The RSA checkup routine.
  *
- * \return         \c 0 on success, or \c 1 on failure.
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
  */
 int mbedtls_rsa_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/sha1.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/sha1.h
index 05540cde12..bb6ecf05a4 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/sha1.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/sha1.h
@@ -1,7 +1,10 @@
 /**
  * \file sha1.h
  *
- * \brief The SHA-1 cryptographic hash function.
+ * \brief This file contains SHA-1 definitions and functions.
+ *
+ * The Secure Hash Algorithm 1 (SHA-1) cryptographic hash function is defined in
+ * <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
  *
  * \warning   SHA-1 is considered a weak message digest and its use constitutes
  *            a security risk. We recommend considering stronger message
@@ -37,16 +40,18 @@
 #include <stddef.h>
 #include <stdint.h>
 
+/* MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED                  -0x0035  /**< SHA-1 hardware accelerator failed */
-
-#if !defined(MBEDTLS_SHA1_ALT)
-// Regular implementation
-//
+#define MBEDTLS_ERR_SHA1_BAD_INPUT_DATA                   -0x0073  /**< SHA-1 input data was malformed. */
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_SHA1_ALT)
+// Regular implementation
+//
+
 /**
  * \brief          The SHA-1 context structure.
  *
@@ -55,7 +60,7 @@ extern "C" {
  *                 stronger message digests instead.
  *
  */
-typedef struct
+typedef struct mbedtls_sha1_context
 {
     uint32_t total[2];          /*!< The number of Bytes processed.  */
     uint32_t state[5];          /*!< The intermediate digest state.  */
@@ -63,40 +68,48 @@ typedef struct
 }
 mbedtls_sha1_context;
 
+#else  /* MBEDTLS_SHA1_ALT */
+#include "sha1_alt.h"
+#endif /* MBEDTLS_SHA1_ALT */
+
 /**
  * \brief          This function initializes a SHA-1 context.
  *
- * \param ctx      The SHA-1 context to initialize.
- *
  * \warning        SHA-1 is considered a weak message digest and its use
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
+ * \param ctx      The SHA-1 context to initialize.
+ *                 This must not be \c NULL.
+ *
  */
 void mbedtls_sha1_init( mbedtls_sha1_context *ctx );
 
 /**
  * \brief          This function clears a SHA-1 context.
  *
- * \param ctx      The SHA-1 context to clear.
- *
  * \warning        SHA-1 is considered a weak message digest and its use
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
+ * \param ctx      The SHA-1 context to clear. This may be \c NULL,
+ *                 in which case this function does nothing. If it is
+ *                 not \c NULL, it must point to an initialized
+ *                 SHA-1 context.
+ *
  */
 void mbedtls_sha1_free( mbedtls_sha1_context *ctx );
 
 /**
  * \brief          This function clones the state of a SHA-1 context.
  *
- * \param dst      The destination context.
- * \param src      The context to clone.
- *
  * \warning        SHA-1 is considered a weak message digest and its use
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
+ * \param dst      The SHA-1 context to clone to. This must be initialized.
+ * \param src      The SHA-1 context to clone from. This must be initialized.
+ *
  */
 void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
                          const mbedtls_sha1_context *src );
@@ -104,14 +117,15 @@ void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
 /**
  * \brief          This function starts a SHA-1 checksum calculation.
  *
- * \param ctx      The context to initialize.
- *
- * \return         \c 0 if successful
- *
  * \warning        SHA-1 is considered a weak message digest and its use
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
+ * \param ctx      The SHA-1 context to initialize. This must be initialized.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ *
  */
 int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx );
 
@@ -119,16 +133,18 @@ int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx );
  * \brief          This function feeds an input buffer into an ongoing SHA-1
  *                 checksum calculation.
  *
- * \param ctx      The SHA-1 context.
- * \param input    The buffer holding the input data.
- * \param ilen     The length of the input data.
- *
- * \return         \c 0 if successful
- *
  * \warning        SHA-1 is considered a weak message digest and its use
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
+ * \param ctx      The SHA-1 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param input    The buffer holding the input data.
+ *                 This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data \p input in Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx,
                              const unsigned char *input,
@@ -138,31 +154,35 @@ int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx,
  * \brief          This function finishes the SHA-1 operation, and writes
  *                 the result to the output buffer.
  *
- * \param ctx      The SHA-1 context.
- * \param output   The SHA-1 checksum result.
- *
- * \return         \c 0 if successful
- *
  * \warning        SHA-1 is considered a weak message digest and its use
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
+ * \param ctx      The SHA-1 context to use. This must be initialized and
+ *                 have a hash operation started.
+ * \param output   The SHA-1 checksum result. This must be a writable
+ *                 buffer of length \c 20 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx,
                              unsigned char output[20] );
 
 /**
- * \brief          SHA-1 process data block (internal use only)
- *
- * \param ctx      SHA-1 context
- * \param data     The data block being processed.
- *
- * \return         \c 0 if successful
+ * \brief          SHA-1 process data block (internal use only).
  *
  * \warning        SHA-1 is considered a weak message digest and its use
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
+ * \param ctx      The SHA-1 context to use. This must be initialized.
+ * \param data     The data block being processed. This must be a
+ *                 readable buffer of length \c 64 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ *
  */
 int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
                                    const unsigned char data[64] );
@@ -174,65 +194,71 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
 #define MBEDTLS_DEPRECATED
 #endif
 /**
- * \brief          SHA-1 context setup
- *
- * \deprecated     Superseded by mbedtls_sha1_starts_ret() in 2.7.0
- *
- * \param ctx      The SHA-1 context to be initialized.
+ * \brief          This function starts a SHA-1 checksum calculation.
  *
  * \warning        SHA-1 is considered a weak message digest and its use
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
+ * \deprecated     Superseded by mbedtls_sha1_starts_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-1 context to initialize. This must be initialized.
+ *
  */
 MBEDTLS_DEPRECATED void mbedtls_sha1_starts( mbedtls_sha1_context *ctx );
 
 /**
- * \brief          SHA-1 process buffer
- *
- * \deprecated     Superseded by mbedtls_sha1_update_ret() in 2.7.0
- *
- * \param ctx      The SHA-1 context.
- * \param input    The buffer holding the input data.
- * \param ilen     The length of the input data.
+ * \brief          This function feeds an input buffer into an ongoing SHA-1
+ *                 checksum calculation.
  *
  * \warning        SHA-1 is considered a weak message digest and its use
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
+ * \deprecated     Superseded by mbedtls_sha1_update_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-1 context. This must be initialized and
+ *                 have a hash operation started.
+ * \param input    The buffer holding the input data.
+ *                 This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data \p input in Bytes.
+ *
  */
 MBEDTLS_DEPRECATED void mbedtls_sha1_update( mbedtls_sha1_context *ctx,
                                              const unsigned char *input,
                                              size_t ilen );
 
 /**
- * \brief          SHA-1 final digest
- *
- * \deprecated     Superseded by mbedtls_sha1_finish_ret() in 2.7.0
- *
- * \param ctx      The SHA-1 context.
- * \param output   The SHA-1 checksum result.
+ * \brief          This function finishes the SHA-1 operation, and writes
+ *                 the result to the output buffer.
  *
  * \warning        SHA-1 is considered a weak message digest and its use
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
+ * \deprecated     Superseded by mbedtls_sha1_finish_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-1 context. This must be initialized and
+ *                 have a hash operation started.
+ * \param output   The SHA-1 checksum result.
+ *                 This must be a writable buffer of length \c 20 Bytes.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha1_finish( mbedtls_sha1_context *ctx,
                                              unsigned char output[20] );
 
 /**
- * \brief          SHA-1 process data block (internal use only)
- *
- * \deprecated     Superseded by mbedtls_internal_sha1_process() in 2.7.0
- *
- * \param ctx      The SHA-1 context.
- * \param data     The data block being processed.
+ * \brief          SHA-1 process data block (internal use only).
  *
  * \warning        SHA-1 is considered a weak message digest and its use
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
+ * \deprecated     Superseded by mbedtls_internal_sha1_process() in 2.7.0.
+ *
+ * \param ctx      The SHA-1 context. This must be initialized.
+ * \param data     The data block being processed.
+ *                 This must be a readable buffer of length \c 64 bytes.
+ *
  */
 MBEDTLS_DEPRECATED void mbedtls_sha1_process( mbedtls_sha1_context *ctx,
                                               const unsigned char data[64] );
@@ -240,18 +266,6 @@ MBEDTLS_DEPRECATED void mbedtls_sha1_process( mbedtls_sha1_context *ctx,
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* MBEDTLS_SHA1_ALT */
-#include "sha1_alt.h"
-#endif /* MBEDTLS_SHA1_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 /**
  * \brief          This function calculates the SHA-1 checksum of a buffer.
  *
@@ -261,16 +275,19 @@ extern "C" {
  *                 The SHA-1 result is calculated as
  *                 output = SHA-1(input buffer).
  *
- * \param input    The buffer holding the input data.
- * \param ilen     The length of the input data.
- * \param output   The SHA-1 checksum result.
- *
- * \return         \c 0 if successful
- *
  * \warning        SHA-1 is considered a weak message digest and its use
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
+ * \param input    The buffer holding the input data.
+ *                 This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data \p input in Bytes.
+ * \param output   The SHA-1 checksum result.
+ *                 This must be a writable buffer of length \c 20 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ *
  */
 int mbedtls_sha1_ret( const unsigned char *input,
                       size_t ilen,
@@ -283,18 +300,26 @@ int mbedtls_sha1_ret( const unsigned char *input,
 #define MBEDTLS_DEPRECATED
 #endif
 /**
- * \brief          Output = SHA-1( input buffer )
+ * \brief          This function calculates the SHA-1 checksum of a buffer.
  *
- * \deprecated     Superseded by mbedtls_sha1_ret() in 2.7.0
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
  *
- * \param input    The buffer holding the input data.
- * \param ilen     The length of the input data.
- * \param output   The SHA-1 checksum result.
+ *                 The SHA-1 result is calculated as
+ *                 output = SHA-1(input buffer).
  *
  * \warning        SHA-1 is considered a weak message digest and its use
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
+ * \deprecated     Superseded by mbedtls_sha1_ret() in 2.7.0
+ *
+ * \param input    The buffer holding the input data.
+ *                 This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data \p input in Bytes.
+ * \param output   The SHA-1 checksum result. This must be a writable
+ *                 buffer of size \c 20 Bytes.
+ *
  */
 MBEDTLS_DEPRECATED void mbedtls_sha1( const unsigned char *input,
                                       size_t ilen,
@@ -303,18 +328,23 @@ MBEDTLS_DEPRECATED void mbedtls_sha1( const unsigned char *input,
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          The SHA-1 checkup routine.
  *
- * \return         \c 0 on success, or \c 1 on failure.
- *
  * \warning        SHA-1 is considered a weak message digest and its use
  *                 constitutes a security risk. We recommend considering
  *                 stronger message digests instead.
  *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ *
  */
 int mbedtls_sha1_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/sha256.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/sha256.h
index ffb16c277a..d64739820c 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/sha256.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/sha256.h
@@ -1,7 +1,10 @@
 /**
  * \file sha256.h
  *
- * \brief The SHA-224 and SHA-256 cryptographic hash function.
+ * \brief This file contains SHA-224 and SHA-256 definitions and functions.
+ *
+ * The Secure Hash Algorithms 224 and 256 (SHA-224 and SHA-256) cryptographic
+ * hash functions are defined in <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
  */
 /*
  *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
@@ -33,16 +36,18 @@
 #include <stddef.h>
 #include <stdint.h>
 
+/* MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED                -0x0037  /**< SHA-256 hardware accelerator failed */
-
-#if !defined(MBEDTLS_SHA256_ALT)
-// Regular implementation
-//
+#define MBEDTLS_ERR_SHA256_BAD_INPUT_DATA                 -0x0074  /**< SHA-256 input data was malformed. */
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_SHA256_ALT)
+// Regular implementation
+//
+
 /**
  * \brief          The SHA-256 context structure.
  *
@@ -50,36 +55,41 @@ extern "C" {
  *                 checksum calculations. The choice between these two is
  *                 made in the call to mbedtls_sha256_starts_ret().
  */
-typedef struct
+typedef struct mbedtls_sha256_context
 {
     uint32_t total[2];          /*!< The number of Bytes processed.  */
     uint32_t state[8];          /*!< The intermediate digest state.  */
     unsigned char buffer[64];   /*!< The data block being processed. */
-    int is224;                  /*!< Determines which function to use.
-                                     <ul><li>0: Use SHA-256.</li>
-                                     <li>1: Use SHA-224.</li></ul> */
+    int is224;                  /*!< Determines which function to use:
+                                     0: Use SHA-256, or 1: Use SHA-224. */
 }
 mbedtls_sha256_context;
 
+#else  /* MBEDTLS_SHA256_ALT */
+#include "sha256_alt.h"
+#endif /* MBEDTLS_SHA256_ALT */
+
 /**
  * \brief          This function initializes a SHA-256 context.
  *
- * \param ctx      The SHA-256 context to initialize.
+ * \param ctx      The SHA-256 context to initialize. This must not be \c NULL.
  */
 void mbedtls_sha256_init( mbedtls_sha256_context *ctx );
 
 /**
  * \brief          This function clears a SHA-256 context.
  *
- * \param ctx      The SHA-256 context to clear.
+ * \param ctx      The SHA-256 context to clear. This may be \c NULL, in which
+ *                 case this function returns immediately. If it is not \c NULL,
+ *                 it must point to an initialized SHA-256 context.
  */
 void mbedtls_sha256_free( mbedtls_sha256_context *ctx );
 
 /**
  * \brief          This function clones the state of a SHA-256 context.
  *
- * \param dst      The destination context.
- * \param src      The context to clone.
+ * \param dst      The destination context. This must be initialized.
+ * \param src      The context to clone. This must be initialized.
  */
 void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
                            const mbedtls_sha256_context *src );
@@ -88,12 +98,12 @@ void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
  * \brief          This function starts a SHA-224 or SHA-256 checksum
  *                 calculation.
  *
- * \param ctx      The context to initialize.
- * \param is224    Determines which function to use.
- *                 <ul><li>0: Use SHA-256.</li>
- *                 <li>1: Use SHA-224.</li></ul>
+ * \param ctx      The context to use. This must be initialized.
+ * \param is224    This determines which function to use. This must be
+ *                 either \c 0 for SHA-256, or \c 1 for SHA-224.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 );
 
@@ -101,11 +111,14 @@ int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 );
  * \brief          This function feeds an input buffer into an ongoing
  *                 SHA-256 checksum calculation.
  *
- * \param ctx      SHA-256 context
- * \param input    buffer holding the data
- * \param ilen     length of the input data
+ * \param ctx      The SHA-256 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
                                const unsigned char *input,
@@ -115,10 +128,13 @@ int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
  * \brief          This function finishes the SHA-256 operation, and writes
  *                 the result to the output buffer.
  *
- * \param ctx      The SHA-256 context.
+ * \param ctx      The SHA-256 context. This must be initialized
+ *                 and have a hash operation started.
  * \param output   The SHA-224 or SHA-256 checksum result.
+ *                 This must be a writable buffer of length \c 32 Bytes.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
                                unsigned char output[32] );
@@ -128,10 +144,12 @@ int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
  *                 the ongoing SHA-256 computation. This function is for
  *                 internal use only.
  *
- * \param ctx      The SHA-256 context.
- * \param data     The buffer holding one block of data.
+ * \param ctx      The SHA-256 context. This must be initialized.
+ * \param data     The buffer holding one block of data. This must
+ *                 be a readable buffer of length \c 64 Bytes.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
                                      const unsigned char data[64] );
@@ -143,14 +161,14 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
 #define MBEDTLS_DEPRECATED
 #endif
 /**
- * \brief          This function starts a SHA-256 checksum calculation.
+ * \brief          This function starts a SHA-224 or SHA-256 checksum
+ *                 calculation.
  *
  * \deprecated     Superseded by mbedtls_sha256_starts_ret() in 2.7.0.
  *
- * \param ctx      The SHA-256 context to initialize.
- * \param is224    Determines which function to use.
- *                 <ul><li>0: Use SHA-256.</li>
- *                 <li>1: Use SHA-224.</li></ul>
+ * \param ctx      The context to use. This must be initialized.
+ * \param is224    Determines which function to use. This must be
+ *                 either \c 0 for SHA-256, or \c 1 for SHA-224.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha256_starts( mbedtls_sha256_context *ctx,
                                                int is224 );
@@ -161,9 +179,11 @@ MBEDTLS_DEPRECATED void mbedtls_sha256_starts( mbedtls_sha256_context *ctx,
  *
  * \deprecated     Superseded by mbedtls_sha256_update_ret() in 2.7.0.
  *
- * \param ctx      The SHA-256 context to initialize.
- * \param input    The buffer holding the data.
- * \param ilen     The length of the input data.
+ * \param ctx      The SHA-256 context to use. This must be
+ *                 initialized and have a hash operation started.
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha256_update( mbedtls_sha256_context *ctx,
                                                const unsigned char *input,
@@ -175,8 +195,10 @@ MBEDTLS_DEPRECATED void mbedtls_sha256_update( mbedtls_sha256_context *ctx,
  *
  * \deprecated     Superseded by mbedtls_sha256_finish_ret() in 2.7.0.
  *
- * \param ctx      The SHA-256 context.
- * \param output   The SHA-224or SHA-256 checksum result.
+ * \param ctx      The SHA-256 context. This must be initialized and
+ *                 have a hash operation started.
+ * \param output   The SHA-224 or SHA-256 checksum result. This must be
+ *                 a writable buffer of length \c 32 Bytes.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
                                                unsigned char output[32] );
@@ -188,25 +210,15 @@ MBEDTLS_DEPRECATED void mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
  *
  * \deprecated     Superseded by mbedtls_internal_sha256_process() in 2.7.0.
  *
- * \param ctx      The SHA-256 context.
- * \param data     The buffer holding one block of data.
+ * \param ctx      The SHA-256 context. This must be initialized.
+ * \param data     The buffer holding one block of data. This must be
+ *                 a readable buffer of size \c 64 Bytes.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha256_process( mbedtls_sha256_context *ctx,
                                                 const unsigned char data[64] );
 
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* MBEDTLS_SHA256_ALT */
-#include "sha256_alt.h"
-#endif /* MBEDTLS_SHA256_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
 
 /**
  * \brief          This function calculates the SHA-224 or SHA-256
@@ -218,12 +230,13 @@ extern "C" {
  *                 The SHA-256 result is calculated as
  *                 output = SHA-256(input buffer).
  *
- * \param input    The buffer holding the input data.
- * \param ilen     The length of the input data.
- * \param output   The SHA-224 or SHA-256 checksum result.
- * \param is224    Determines which function to use.
- *                 <ul><li>0: Use SHA-256.</li>
- *                 <li>1: Use SHA-224.</li></ul>
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ * \param output   The SHA-224 or SHA-256 checksum result. This must
+ *                 be a writable buffer of length \c 32 Bytes.
+ * \param is224    Determines which function to use. This must be
+ *                 either \c 0 for SHA-256, or \c 1 for SHA-224.
  */
 int mbedtls_sha256_ret( const unsigned char *input,
                         size_t ilen,
@@ -249,12 +262,13 @@ int mbedtls_sha256_ret( const unsigned char *input,
  *
  * \deprecated     Superseded by mbedtls_sha256_ret() in 2.7.0.
  *
- * \param input    The buffer holding the data.
- * \param ilen     The length of the input data.
- * \param output   The SHA-224 or SHA-256 checksum result.
- * \param is224    Determines which function to use.
- *                 <ul><li>0: Use SHA-256.</li>
- *                 <li>1: Use SHA-224.</li></ul>
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ * \param output   The SHA-224 or SHA-256 checksum result. This must be
+ *                 a writable buffer of length \c 32 Bytes.
+ * \param is224    Determines which function to use. This must be either
+ *                 \c 0 for SHA-256, or \c 1 for SHA-224.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha256( const unsigned char *input,
                                         size_t ilen,
@@ -264,13 +278,18 @@ MBEDTLS_DEPRECATED void mbedtls_sha256( const unsigned char *input,
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          The SHA-224 and SHA-256 checkup routine.
  *
- * \return         \c 0 on success, or \c 1 on failure.
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
  */
 int mbedtls_sha256_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/sha512.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/sha512.h
index 8404a2d599..c06ceed1d1 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/sha512.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/sha512.h
@@ -1,7 +1,9 @@
 /**
  * \file sha512.h
+ * \brief This file contains SHA-384 and SHA-512 definitions and functions.
  *
- * \brief The SHA-384 and SHA-512 cryptographic hash function.
+ * The Secure Hash Algorithms 384 and 512 (SHA-384 and SHA-512) cryptographic
+ * hash functions are defined in <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
  */
 /*
  *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
@@ -33,16 +35,18 @@
 #include <stddef.h>
 #include <stdint.h>
 
+/* MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED                -0x0039  /**< SHA-512 hardware accelerator failed */
-
-#if !defined(MBEDTLS_SHA512_ALT)
-// Regular implementation
-//
+#define MBEDTLS_ERR_SHA512_BAD_INPUT_DATA                 -0x0075  /**< SHA-512 input data was malformed. */
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_SHA512_ALT)
+// Regular implementation
+//
+
 /**
  * \brief          The SHA-512 context structure.
  *
@@ -50,36 +54,43 @@ extern "C" {
  *                 checksum calculations. The choice between these two is
  *                 made in the call to mbedtls_sha512_starts_ret().
  */
-typedef struct
+typedef struct mbedtls_sha512_context
 {
     uint64_t total[2];          /*!< The number of Bytes processed. */
     uint64_t state[8];          /*!< The intermediate digest state. */
     unsigned char buffer[128];  /*!< The data block being processed. */
-    int is384;                  /*!< Determines which function to use.
-                                 *   <ul><li>0: Use SHA-512.</li>
-                                 *   <li>1: Use SHA-384.</li></ul> */
+    int is384;                  /*!< Determines which function to use:
+                                     0: Use SHA-512, or 1: Use SHA-384. */
 }
 mbedtls_sha512_context;
 
+#else  /* MBEDTLS_SHA512_ALT */
+#include "sha512_alt.h"
+#endif /* MBEDTLS_SHA512_ALT */
+
 /**
  * \brief          This function initializes a SHA-512 context.
  *
- * \param ctx      The SHA-512 context to initialize.
+ * \param ctx      The SHA-512 context to initialize. This must
+ *                 not be \c NULL.
  */
 void mbedtls_sha512_init( mbedtls_sha512_context *ctx );
 
 /**
  * \brief          This function clears a SHA-512 context.
  *
- * \param ctx      The SHA-512 context to clear.
+ * \param ctx      The SHA-512 context to clear. This may be \c NULL,
+ *                 in which case this function does nothing. If it
+ *                 is not \c NULL, it must point to an initialized
+ *                 SHA-512 context.
  */
 void mbedtls_sha512_free( mbedtls_sha512_context *ctx );
 
 /**
  * \brief          This function clones the state of a SHA-512 context.
  *
- * \param dst      The destination context.
- * \param src      The context to clone.
+ * \param dst      The destination context. This must be initialized.
+ * \param src      The context to clone. This must be initialized.
  */
 void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
                            const mbedtls_sha512_context *src );
@@ -88,12 +99,12 @@ void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
  * \brief          This function starts a SHA-384 or SHA-512 checksum
  *                 calculation.
  *
- * \param ctx      The SHA-512 context to initialize.
- * \param is384    Determines which function to use.
- *                 <ul><li>0: Use SHA-512.</li>
- *                 <li>1: Use SHA-384.</li></ul>
+ * \param ctx      The SHA-512 context to use. This must be initialized.
+ * \param is384    Determines which function to use. This must be
+ *                 either \c for SHA-512, or \c 1 for SHA-384.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha512_starts_ret( mbedtls_sha512_context *ctx, int is384 );
 
@@ -101,11 +112,14 @@ int mbedtls_sha512_starts_ret( mbedtls_sha512_context *ctx, int is384 );
  * \brief          This function feeds an input buffer into an ongoing
  *                 SHA-512 checksum calculation.
  *
- * \param ctx      The SHA-512 context.
- * \param input    The buffer holding the input data.
- * \param ilen     The length of the input data.
+ * \param ctx      The SHA-512 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param input    The buffer holding the input data. This must
+ *                 be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
                     const unsigned char *input,
@@ -116,10 +130,13 @@ int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
  *                 the result to the output buffer. This function is for
  *                 internal use only.
  *
- * \param ctx      The SHA-512 context.
+ * \param ctx      The SHA-512 context. This must be initialized
+ *                 and have a hash operation started.
  * \param output   The SHA-384 or SHA-512 checksum result.
+ *                 This must be a writable buffer of length \c 64 Bytes.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
                                unsigned char output[64] );
@@ -128,10 +145,12 @@ int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
  * \brief          This function processes a single data block within
  *                 the ongoing SHA-512 computation.
  *
- * \param ctx      The SHA-512 context.
- * \param data     The buffer holding one block of data.
+ * \param ctx      The SHA-512 context. This must be initialized.
+ * \param data     The buffer holding one block of data. This
+ *                 must be a readable buffer of length \c 128 Bytes.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
                                      const unsigned char data[128] );
@@ -147,10 +166,9 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
  *
  * \deprecated     Superseded by mbedtls_sha512_starts_ret() in 2.7.0
  *
- * \param ctx      The SHA-512 context to initialize.
- * \param is384    Determines which function to use.
- *                 <ul><li>0: Use SHA-512.</li>
- *                 <li>1: Use SHA-384.</li></ul>
+ * \param ctx      The SHA-512 context to use. This must be initialized.
+ * \param is384    Determines which function to use. This must be either
+ *                 \c 0 for SHA-512 or \c 1 for SHA-384.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha512_starts( mbedtls_sha512_context *ctx,
                                                int is384 );
@@ -159,11 +177,13 @@ MBEDTLS_DEPRECATED void mbedtls_sha512_starts( mbedtls_sha512_context *ctx,
  * \brief          This function feeds an input buffer into an ongoing
  *                 SHA-512 checksum calculation.
  *
- * \deprecated     Superseded by mbedtls_sha512_update_ret() in 2.7.0
+ * \deprecated     Superseded by mbedtls_sha512_update_ret() in 2.7.0.
  *
- * \param ctx      The SHA-512 context.
- * \param input    The buffer holding the data.
- * \param ilen     The length of the input data.
+ * \param ctx      The SHA-512 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha512_update( mbedtls_sha512_context *ctx,
                                                const unsigned char *input,
@@ -173,10 +193,12 @@ MBEDTLS_DEPRECATED void mbedtls_sha512_update( mbedtls_sha512_context *ctx,
  * \brief          This function finishes the SHA-512 operation, and writes
  *                 the result to the output buffer.
  *
- * \deprecated     Superseded by mbedtls_sha512_finish_ret() in 2.7.0
+ * \deprecated     Superseded by mbedtls_sha512_finish_ret() in 2.7.0.
  *
- * \param ctx      The SHA-512 context.
- * \param output   The SHA-384 or SHA-512 checksum result.
+ * \param ctx      The SHA-512 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param output   The SHA-384 or SHA-512 checksum result. This must
+ *                 be a writable buffer of size \c 64 Bytes.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha512_finish( mbedtls_sha512_context *ctx,
                                                unsigned char output[64] );
@@ -186,10 +208,11 @@ MBEDTLS_DEPRECATED void mbedtls_sha512_finish( mbedtls_sha512_context *ctx,
  *                 the ongoing SHA-512 computation. This function is for
  *                 internal use only.
  *
- * \deprecated     Superseded by mbedtls_internal_sha512_process() in 2.7.0
+ * \deprecated     Superseded by mbedtls_internal_sha512_process() in 2.7.0.
  *
- * \param ctx      The SHA-512 context.
- * \param data     The buffer holding one block of data.
+ * \param ctx      The SHA-512 context. This must be initialized.
+ * \param data     The buffer holding one block of data. This must be
+ *                 a readable buffer of length \c 128 Bytes.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha512_process(
                                             mbedtls_sha512_context *ctx,
@@ -198,18 +221,6 @@ MBEDTLS_DEPRECATED void mbedtls_sha512_process(
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* MBEDTLS_SHA512_ALT */
-#include "sha512_alt.h"
-#endif /* MBEDTLS_SHA512_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 /**
  * \brief          This function calculates the SHA-512 or SHA-384
  *                 checksum of a buffer.
@@ -220,14 +231,16 @@ extern "C" {
  *                 The SHA-512 result is calculated as
  *                 output = SHA-512(input buffer).
  *
- * \param input    The buffer holding the input data.
- * \param ilen     The length of the input data.
+ * \param input    The buffer holding the input data. This must be
+ *                 a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
  * \param output   The SHA-384 or SHA-512 checksum result.
- * \param is384    Determines which function to use.
- *                 <ul><li>0: Use SHA-512.</li>
- *                 <li>1: Use SHA-384.</li></ul>
+ *                 This must be a writable buffer of length \c 64 Bytes.
+ * \param is384    Determines which function to use. This must be either
+ *                 \c 0 for SHA-512, or \c 1 for SHA-384.
  *
  * \return         \c 0 on success.
+ * \return         A negative error code on failure.
  */
 int mbedtls_sha512_ret( const unsigned char *input,
                         size_t ilen,
@@ -240,6 +253,7 @@ int mbedtls_sha512_ret( const unsigned char *input,
 #else
 #define MBEDTLS_DEPRECATED
 #endif
+
 /**
  * \brief          This function calculates the SHA-512 or SHA-384
  *                 checksum of a buffer.
@@ -252,12 +266,13 @@ int mbedtls_sha512_ret( const unsigned char *input,
  *
  * \deprecated     Superseded by mbedtls_sha512_ret() in 2.7.0
  *
- * \param input    The buffer holding the data.
- * \param ilen     The length of the input data.
- * \param output   The SHA-384 or SHA-512 checksum result.
- * \param is384    Determines which function to use.
- *                 <ul><li>0: Use SHA-512.</li>
- *                 <li>1: Use SHA-384.</li></ul>
+ * \param input    The buffer holding the data. This must be a
+ *                 readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ * \param output   The SHA-384 or SHA-512 checksum result. This must
+ *                 be a writable buffer of length \c 64 Bytes.
+ * \param is384    Determines which function to use. This must be either
+ *                 \c 0 for SHA-512, or \c 1 for SHA-384.
  */
 MBEDTLS_DEPRECATED void mbedtls_sha512( const unsigned char *input,
                                         size_t ilen,
@@ -266,12 +281,17 @@ MBEDTLS_DEPRECATED void mbedtls_sha512( const unsigned char *input,
 
 #undef MBEDTLS_DEPRECATED
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
  /**
  * \brief          The SHA-384 or SHA-512 checkup routine.
  *
- * \return         \c 0 on success, or \c 1 on failure.
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
  */
 int mbedtls_sha512_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
 
 #ifdef __cplusplus
 }
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl.h
index 5fd6969da9..d31f6cdd56 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl.h
@@ -49,6 +49,15 @@
 #endif
 
 #if defined(MBEDTLS_ZLIB_SUPPORT)
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "Record compression support via MBEDTLS_ZLIB_SUPPORT is deprecated and will be removed in the next major revision of the library"
+#endif
+
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "Record compression support via MBEDTLS_ZLIB_SUPPORT is deprecated and cannot be used if MBEDTLS_DEPRECATED_REMOVED is set"
+#endif
+
 #include "zlib.h"
 #endif
 
@@ -103,13 +112,17 @@
 #define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED             -0x6A80  /**< DTLS client must retry for hello verification */
 #define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL                  -0x6A00  /**< A buffer is too small to receive or write a message */
 #define MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE             -0x6980  /**< None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages). */
-#define MBEDTLS_ERR_SSL_WANT_READ                         -0x6900  /**< Connection requires a read call. */
+#define MBEDTLS_ERR_SSL_WANT_READ                         -0x6900  /**< No data of requested type currently available on underlying transport. */
 #define MBEDTLS_ERR_SSL_WANT_WRITE                        -0x6880  /**< Connection requires a write call. */
 #define MBEDTLS_ERR_SSL_TIMEOUT                           -0x6800  /**< The operation timed out. */
 #define MBEDTLS_ERR_SSL_CLIENT_RECONNECT                  -0x6780  /**< The client initiated a reconnect from the same port. */
 #define MBEDTLS_ERR_SSL_UNEXPECTED_RECORD                 -0x6700  /**< Record header looks valid but is not expected. */
 #define MBEDTLS_ERR_SSL_NON_FATAL                         -0x6680  /**< The alert message received indicates a non-fatal error. */
 #define MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH               -0x6600  /**< Couldn't set the hash for verifying CertificateVerify */
+#define MBEDTLS_ERR_SSL_CONTINUE_PROCESSING               -0x6580  /**< Internal-only message signaling that further message-processing should be done */
+#define MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS                 -0x6500  /**< The asynchronous operation is not completed yet. */
+#define MBEDTLS_ERR_SSL_EARLY_MESSAGE                     -0x6480  /**< Internal-only message signaling that a message arrived early. */
+#define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS                -0x7000  /**< A cryptographic operation is in progress. Try again later. */
 
 /*
  * Various constants
@@ -209,7 +222,7 @@
 #endif
 
 /*
- * Maxium fragment length in bytes,
+ * Maximum fragment length in bytes,
  * determines the size of each of the two internal I/O buffers.
  *
  * Note: the RFC defines the default size of SSL / TLS messages. If you
@@ -223,6 +236,22 @@
 #define MBEDTLS_SSL_MAX_CONTENT_LEN         16384   /**< Size of the input / output buffer */
 #endif
 
+#if !defined(MBEDTLS_SSL_IN_CONTENT_LEN)
+#define MBEDTLS_SSL_IN_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
+#endif
+
+#if !defined(MBEDTLS_SSL_OUT_CONTENT_LEN)
+#define MBEDTLS_SSL_OUT_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
+#endif
+
+/*
+ * Maximum number of heap-allocated bytes for the purpose of
+ * DTLS handshake message reassembly and future message buffering.
+ */
+#if !defined(MBEDTLS_SSL_DTLS_MAX_BUFFERING)
+#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768
+#endif
+
 /* \} name SECTION: Module settings */
 
 /*
@@ -526,7 +555,6 @@ typedef void mbedtls_ssl_set_timer_t( void * ctx,
  */
 typedef int mbedtls_ssl_get_timer_t( void * ctx );
 
-
 /* Defined below */
 typedef struct mbedtls_ssl_session mbedtls_ssl_session;
 typedef struct mbedtls_ssl_context mbedtls_ssl_context;
@@ -543,6 +571,218 @@ typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert;
 typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
 #endif
 
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief           Callback type: start external signature operation.
+ *
+ *                  This callback is called during an SSL handshake to start
+ *                  a signature decryption operation using an
+ *                  external processor. The parameter \p cert contains
+ *                  the public key; it is up to the callback function to
+ *                  determine how to access the associated private key.
+ *
+ *                  This function typically sends or enqueues a request, and
+ *                  does not wait for the operation to complete. This allows
+ *                  the handshake step to be non-blocking.
+ *
+ *                  The parameters \p ssl and \p cert are guaranteed to remain
+ *                  valid throughout the handshake. On the other hand, this
+ *                  function must save the contents of \p hash if the value
+ *                  is needed for later processing, because the \p hash buffer
+ *                  is no longer valid after this function returns.
+ *
+ *                  This function may call mbedtls_ssl_set_async_operation_data()
+ *                  to store an operation context for later retrieval
+ *                  by the resume or cancel callback.
+ *
+ * \note            For RSA signatures, this function must produce output
+ *                  that is consistent with PKCS#1 v1.5 in the same way as
+ *                  mbedtls_rsa_pkcs1_sign(). Before the private key operation,
+ *                  apply the padding steps described in RFC 8017, section 9.2
+ *                  "EMSA-PKCS1-v1_5" as follows.
+ *                  - If \p md_alg is #MBEDTLS_MD_NONE, apply the PKCS#1 v1.5
+ *                    encoding, treating \p hash as the DigestInfo to be
+ *                    padded. In other words, apply EMSA-PKCS1-v1_5 starting
+ *                    from step 3, with `T = hash` and `tLen = hash_len`.
+ *                  - If `md_alg != MBEDTLS_MD_NONE`, apply the PKCS#1 v1.5
+ *                    encoding, treating \p hash as the hash to be encoded and
+ *                    padded. In other words, apply EMSA-PKCS1-v1_5 starting
+ *                    from step 2, with `digestAlgorithm` obtained by calling
+ *                    mbedtls_oid_get_oid_by_md() on \p md_alg.
+ *
+ * \note            For ECDSA signatures, the output format is the DER encoding
+ *                  `Ecdsa-Sig-Value` defined in
+ *                  [RFC 4492 section 5.4](https://tools.ietf.org/html/rfc4492#section-5.4).
+ *
+ * \param ssl             The SSL connection instance. It should not be
+ *                        modified other than via
+ *                        mbedtls_ssl_set_async_operation_data().
+ * \param cert            Certificate containing the public key.
+ *                        In simple cases, this is one of the pointers passed to
+ *                        mbedtls_ssl_conf_own_cert() when configuring the SSL
+ *                        connection. However, if other callbacks are used, this
+ *                        property may not hold. For example, if an SNI callback
+ *                        is registered with mbedtls_ssl_conf_sni(), then
+ *                        this callback determines what certificate is used.
+ * \param md_alg          Hash algorithm.
+ * \param hash            Buffer containing the hash. This buffer is
+ *                        no longer valid when the function returns.
+ * \param hash_len        Size of the \c hash buffer in bytes.
+ *
+ * \return          0 if the operation was started successfully and the SSL
+ *                  stack should call the resume callback immediately.
+ * \return          #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ *                  was started successfully and the SSL stack should return
+ *                  immediately without calling the resume callback yet.
+ * \return          #MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external
+ *                  processor does not support this key. The SSL stack will
+ *                  use the private key object instead.
+ * \return          Any other error indicates a fatal failure and is
+ *                  propagated up the call chain. The callback should
+ *                  use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
+ *                  use \c MBEDTLS_ERR_SSL_xxx error codes except as
+ *                  directed in the documentation of this callback.
+ */
+typedef int mbedtls_ssl_async_sign_t( mbedtls_ssl_context *ssl,
+                                      mbedtls_x509_crt *cert,
+                                      mbedtls_md_type_t md_alg,
+                                      const unsigned char *hash,
+                                      size_t hash_len );
+
+/**
+ * \brief           Callback type: start external decryption operation.
+ *
+ *                  This callback is called during an SSL handshake to start
+ *                  an RSA decryption operation using an
+ *                  external processor. The parameter \p cert contains
+ *                  the public key; it is up to the callback function to
+ *                  determine how to access the associated private key.
+ *
+ *                  This function typically sends or enqueues a request, and
+ *                  does not wait for the operation to complete. This allows
+ *                  the handshake step to be non-blocking.
+ *
+ *                  The parameters \p ssl and \p cert are guaranteed to remain
+ *                  valid throughout the handshake. On the other hand, this
+ *                  function must save the contents of \p input if the value
+ *                  is needed for later processing, because the \p input buffer
+ *                  is no longer valid after this function returns.
+ *
+ *                  This function may call mbedtls_ssl_set_async_operation_data()
+ *                  to store an operation context for later retrieval
+ *                  by the resume or cancel callback.
+ *
+ * \warning         RSA decryption as used in TLS is subject to a potential
+ *                  timing side channel attack first discovered by Bleichenbacher
+ *                  in 1998. This attack can be remotely exploitable
+ *                  in practice. To avoid this attack, you must ensure that
+ *                  if the callback performs an RSA decryption, the time it
+ *                  takes to execute and return the result does not depend
+ *                  on whether the RSA decryption succeeded or reported
+ *                  invalid padding.
+ *
+ * \param ssl             The SSL connection instance. It should not be
+ *                        modified other than via
+ *                        mbedtls_ssl_set_async_operation_data().
+ * \param cert            Certificate containing the public key.
+ *                        In simple cases, this is one of the pointers passed to
+ *                        mbedtls_ssl_conf_own_cert() when configuring the SSL
+ *                        connection. However, if other callbacks are used, this
+ *                        property may not hold. For example, if an SNI callback
+ *                        is registered with mbedtls_ssl_conf_sni(), then
+ *                        this callback determines what certificate is used.
+ * \param input           Buffer containing the input ciphertext. This buffer
+ *                        is no longer valid when the function returns.
+ * \param input_len       Size of the \p input buffer in bytes.
+ *
+ * \return          0 if the operation was started successfully and the SSL
+ *                  stack should call the resume callback immediately.
+ * \return          #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ *                  was started successfully and the SSL stack should return
+ *                  immediately without calling the resume callback yet.
+ * \return          #MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external
+ *                  processor does not support this key. The SSL stack will
+ *                  use the private key object instead.
+ * \return          Any other error indicates a fatal failure and is
+ *                  propagated up the call chain. The callback should
+ *                  use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
+ *                  use \c MBEDTLS_ERR_SSL_xxx error codes except as
+ *                  directed in the documentation of this callback.
+ */
+typedef int mbedtls_ssl_async_decrypt_t( mbedtls_ssl_context *ssl,
+                                         mbedtls_x509_crt *cert,
+                                         const unsigned char *input,
+                                         size_t input_len );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/**
+ * \brief           Callback type: resume external operation.
+ *
+ *                  This callback is called during an SSL handshake to resume
+ *                  an external operation started by the
+ *                  ::mbedtls_ssl_async_sign_t or
+ *                  ::mbedtls_ssl_async_decrypt_t callback.
+ *
+ *                  This function typically checks the status of a pending
+ *                  request or causes the request queue to make progress, and
+ *                  does not wait for the operation to complete. This allows
+ *                  the handshake step to be non-blocking.
+ *
+ *                  This function may call mbedtls_ssl_get_async_operation_data()
+ *                  to retrieve an operation context set by the start callback.
+ *                  It may call mbedtls_ssl_set_async_operation_data() to modify
+ *                  this context.
+ *
+ *                  Note that when this function returns a status other than
+ *                  #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, it must free any
+ *                  resources associated with the operation.
+ *
+ * \param ssl             The SSL connection instance. It should not be
+ *                        modified other than via
+ *                        mbedtls_ssl_set_async_operation_data().
+ * \param output          Buffer containing the output (signature or decrypted
+ *                        data) on success.
+ * \param output_len      On success, number of bytes written to \p output.
+ * \param output_size     Size of the \p output buffer in bytes.
+ *
+ * \return          0 if output of the operation is available in the
+ *                  \p output buffer.
+ * \return          #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ *                  is still in progress. Subsequent requests for progress
+ *                  on the SSL connection will call the resume callback
+ *                  again.
+ * \return          Any other error means that the operation is aborted.
+ *                  The SSL handshake is aborted. The callback should
+ *                  use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
+ *                  use \c MBEDTLS_ERR_SSL_xxx error codes except as
+ *                  directed in the documentation of this callback.
+ */
+typedef int mbedtls_ssl_async_resume_t( mbedtls_ssl_context *ssl,
+                                        unsigned char *output,
+                                        size_t *output_len,
+                                        size_t output_size );
+
+/**
+ * \brief           Callback type: cancel external operation.
+ *
+ *                  This callback is called if an SSL connection is closed
+ *                  while an asynchronous operation is in progress. Note that
+ *                  this callback is not called if the
+ *                  ::mbedtls_ssl_async_resume_t callback has run and has
+ *                  returned a value other than
+ *                  #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, since in that case
+ *                  the asynchronous operation has already completed.
+ *
+ *                  This function may call mbedtls_ssl_get_async_operation_data()
+ *                  to retrieve an operation context set by the start callback.
+ *
+ * \param ssl             The SSL connection instance. It should not be
+ *                        modified.
+ */
+typedef void mbedtls_ssl_async_cancel_t( mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
 /*
  * This structure is used for storing current session data.
  */
@@ -659,6 +899,16 @@ struct mbedtls_ssl_config
     mbedtls_x509_crl *ca_crl;       /*!< trusted CAs CRLs                   */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_ssl_async_sign_t *f_async_sign_start; /*!< start asynchronous signature operation */
+    mbedtls_ssl_async_decrypt_t *f_async_decrypt_start; /*!< start asynchronous decryption operation */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+    mbedtls_ssl_async_resume_t *f_async_resume; /*!< resume asynchronous operation */
+    mbedtls_ssl_async_cancel_t *f_async_cancel; /*!< cancel asynchronous operation */
+    void *p_async_config_data; /*!< Configuration data set by mbedtls_ssl_conf_async_private_cb(). */
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
     const int *sig_hashes;          /*!< allowed signature hashes           */
 #endif
@@ -673,10 +923,18 @@ struct mbedtls_ssl_config
 #endif
 
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
-    unsigned char *psk;             /*!< pre-shared key                     */
-    size_t         psk_len;         /*!< length of the pre-shared key       */
-    unsigned char *psk_identity;    /*!< identity for PSK negotiation       */
-    size_t         psk_identity_len;/*!< length of identity                 */
+    unsigned char *psk;             /*!< pre-shared key. This field should
+                                         only be set via
+                                         mbedtls_ssl_conf_psk() */
+    size_t         psk_len;         /*!< length of the pre-shared key. This
+                                         field should only be set via
+                                         mbedtls_ssl_conf_psk() */
+    unsigned char *psk_identity;    /*!< identity for PSK negotiation. This
+                                         field should only be set via
+                                         mbedtls_ssl_conf_psk() */
+    size_t         psk_identity_len;/*!< length of identity. This field should
+                                         only be set via
+                                         mbedtls_ssl_conf_psk() */
 #endif
 
 #if defined(MBEDTLS_SSL_ALPN)
@@ -774,14 +1032,14 @@ struct mbedtls_ssl_context
     int renego_records_seen;    /*!< Records since renego request, or with DTLS,
                                   number of retransmissions of request if
                                   renego_max_records is < 0           */
-#endif
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
 
     int major_ver;              /*!< equal to  MBEDTLS_SSL_MAJOR_VERSION_3    */
     int minor_ver;              /*!< either 0 (SSL3) or 1 (TLS1.0)    */
 
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
     unsigned badmac_seen;       /*!< records with a bad MAC received    */
-#endif
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
 
     mbedtls_ssl_send_t *f_send; /*!< Callback for network send */
     mbedtls_ssl_recv_t *f_recv; /*!< Callback for network receive */
@@ -837,11 +1095,11 @@ struct mbedtls_ssl_context
     uint16_t in_epoch;          /*!< DTLS epoch for incoming records  */
     size_t next_record_offset;  /*!< offset of the next record in datagram
                                      (equal to in_left if none)       */
-#endif
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
     uint64_t in_window_top;     /*!< last validated record seq_num    */
     uint64_t in_window;         /*!< bitmask for replay detection     */
-#endif
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
 
     size_t in_hslen;            /*!< current handshake message length,
                                      including the handshake header   */
@@ -850,6 +1108,11 @@ struct mbedtls_ssl_context
     int keep_current_message;   /*!< drop or reuse current message
                                      on next call to record layer? */
 
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint8_t disable_datagram_packing;  /*!< Disable packing multiple records
+                                        *   within a single datagram.  */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
     /*
      * Record layer (outgoing data)
      */
@@ -864,12 +1127,18 @@ struct mbedtls_ssl_context
     size_t out_msglen;          /*!< record header: message length    */
     size_t out_left;            /*!< amount of data not yet written   */
 
+    unsigned char cur_out_ctr[8]; /*!<  Outgoing record sequence  number. */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint16_t mtu;               /*!< path mtu, used to fragment outgoing messages */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
 #if defined(MBEDTLS_ZLIB_SUPPORT)
     unsigned char *compress_buf;        /*!<  zlib data buffer        */
-#endif
+#endif /* MBEDTLS_ZLIB_SUPPORT */
 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
     signed char split_done;     /*!< current record already splitted? */
-#endif
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
 
     /*
      * PKI layer
@@ -882,11 +1151,11 @@ struct mbedtls_ssl_context
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
     char *hostname;             /*!< expected peer CN for verification
                                      (and SNI if available)                 */
-#endif
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_SSL_ALPN)
     const char *alpn_chosen;    /*!<  negotiated protocol                   */
-#endif
+#endif /* MBEDTLS_SSL_ALPN */
 
     /*
      * Information for DTLS hello verify
@@ -894,7 +1163,7 @@ struct mbedtls_ssl_context
 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
     unsigned char  *cli_id;         /*!<  transport-level ID of the client  */
     size_t          cli_id_len;     /*!<  length of cli_id                  */
-#endif
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
 
     /*
      * Secure renegotiation
@@ -906,7 +1175,7 @@ struct mbedtls_ssl_context
     size_t verify_data_len;             /*!<  length of verify data stored   */
     char own_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!<  previous handshake verify data */
     char peer_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!<  previous handshake verify data */
-#endif
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
 };
 
 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
@@ -1126,6 +1395,52 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
                           mbedtls_ssl_recv_t *f_recv,
                           mbedtls_ssl_recv_timeout_t *f_recv_timeout );
 
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/**
+ * \brief          Set the Maximum Tranport Unit (MTU).
+ *                 Special value: 0 means unset (no limit).
+ *                 This represents the maximum size of a datagram payload
+ *                 handled by the transport layer (usually UDP) as determined
+ *                 by the network link and stack. In practice, this controls
+ *                 the maximum size datagram the DTLS layer will pass to the
+ *                 \c f_send() callback set using \c mbedtls_ssl_set_bio().
+ *
+ * \note           The limit on datagram size is converted to a limit on
+ *                 record payload by subtracting the current overhead of
+ *                 encapsulation and encryption/authentication if any.
+ *
+ * \note           This can be called at any point during the connection, for
+ *                 example when a Path Maximum Transfer Unit (PMTU)
+ *                 estimate becomes available from other sources,
+ *                 such as lower (or higher) protocol layers.
+ *
+ * \note           This setting only controls the size of the packets we send,
+ *                 and does not restrict the size of the datagrams we're
+ *                 willing to receive. Client-side, you can request the
+ *                 server to use smaller records with \c
+ *                 mbedtls_ssl_conf_max_frag_len().
+ *
+ * \note           If both a MTU and a maximum fragment length have been
+ *                 configured (or negotiated with the peer), the resulting
+ *                 lower limit on record payload (see first note) is used.
+ *
+ * \note           This can only be used to decrease the maximum size
+ *                 of datagrams (hence records, see first note) sent. It
+ *                 cannot be used to increase the maximum size of records over
+ *                 the limit set by #MBEDTLS_SSL_OUT_CONTENT_LEN.
+ *
+ * \note           Values lower than the current record layer expansion will
+ *                 result in an error when trying to send data.
+ *
+ * \note           Using record compression together with a non-zero MTU value
+ *                 will result in an error when trying to send data.
+ *
+ * \param ssl      SSL context
+ * \param mtu      Value of the path MTU in bytes
+ */
+void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu );
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
 /**
  * \brief          Set the timeout period for mbedtls_ssl_read()
  *                 (Default: no timeout.)
@@ -1289,6 +1604,85 @@ void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
         void *p_export_keys );
 #endif /* MBEDTLS_SSL_EXPORT_KEYS */
 
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+/**
+ * \brief           Configure asynchronous private key operation callbacks.
+ *
+ * \param conf              SSL configuration context
+ * \param f_async_sign      Callback to start a signature operation. See
+ *                          the description of ::mbedtls_ssl_async_sign_t
+ *                          for more information. This may be \c NULL if the
+ *                          external processor does not support any signature
+ *                          operation; in this case the private key object
+ *                          associated with the certificate will be used.
+ * \param f_async_decrypt   Callback to start a decryption operation. See
+ *                          the description of ::mbedtls_ssl_async_decrypt_t
+ *                          for more information. This may be \c NULL if the
+ *                          external processor does not support any decryption
+ *                          operation; in this case the private key object
+ *                          associated with the certificate will be used.
+ * \param f_async_resume    Callback to resume an asynchronous operation. See
+ *                          the description of ::mbedtls_ssl_async_resume_t
+ *                          for more information. This may not be \c NULL unless
+ *                          \p f_async_sign and \p f_async_decrypt are both
+ *                          \c NULL.
+ * \param f_async_cancel    Callback to cancel an asynchronous operation. See
+ *                          the description of ::mbedtls_ssl_async_cancel_t
+ *                          for more information. This may be \c NULL if
+ *                          no cleanup is needed.
+ * \param config_data       A pointer to configuration data which can be
+ *                          retrieved with
+ *                          mbedtls_ssl_conf_get_async_config_data(). The
+ *                          library stores this value without dereferencing it.
+ */
+void mbedtls_ssl_conf_async_private_cb( mbedtls_ssl_config *conf,
+                                        mbedtls_ssl_async_sign_t *f_async_sign,
+                                        mbedtls_ssl_async_decrypt_t *f_async_decrypt,
+                                        mbedtls_ssl_async_resume_t *f_async_resume,
+                                        mbedtls_ssl_async_cancel_t *f_async_cancel,
+                                        void *config_data );
+
+/**
+ * \brief           Retrieve the configuration data set by
+ *                  mbedtls_ssl_conf_async_private_cb().
+ *
+ * \param conf      SSL configuration context
+ * \return          The configuration data set by
+ *                  mbedtls_ssl_conf_async_private_cb().
+ */
+void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf );
+
+/**
+ * \brief           Retrieve the asynchronous operation user context.
+ *
+ * \note            This function may only be called while a handshake
+ *                  is in progress.
+ *
+ * \param ssl       The SSL context to access.
+ *
+ * \return          The asynchronous operation user context that was last
+ *                  set during the current handshake. If
+ *                  mbedtls_ssl_set_async_operation_data() has not yet been
+ *                  called during the current handshake, this function returns
+ *                  \c NULL.
+ */
+void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief           Retrieve the asynchronous operation user context.
+ *
+ * \note            This function may only be called while a handshake
+ *                  is in progress.
+ *
+ * \param ssl       The SSL context to access.
+ * \param ctx       The new value of the asynchronous operation user context.
+ *                  Call mbedtls_ssl_get_async_operation_data() later during the
+ *                  same handshake to retrieve this value.
+ */
+void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
+                                 void *ctx );
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
 /**
  * \brief          Callback type: generate a cookie
  *
@@ -1430,6 +1824,38 @@ void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limi
 #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
 
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+/**
+ * \brief          Allow or disallow packing of multiple handshake records
+ *                 within a single datagram.
+ *
+ * \param ssl           The SSL context to configure.
+ * \param allow_packing This determines whether datagram packing may
+ *                      be used or not. A value of \c 0 means that every
+ *                      record will be sent in a separate datagram; a
+ *                      value of \c 1 means that, if space permits,
+ *                      multiple handshake messages (including CCS) belonging to
+ *                      a single flight may be packed within a single datagram.
+ *
+ * \note           This is enabled by default and should only be disabled
+ *                 for test purposes, or if datagram packing causes
+ *                 interoperability issues with peers that don't support it.
+ *
+ * \note           Allowing datagram packing reduces the network load since
+ *                 there's less overhead if multiple messages share the same
+ *                 datagram. Also, it increases the handshake efficiency
+ *                 since messages belonging to a single datagram will not
+ *                 be reordered in transit, and so future message buffering
+ *                 or flight retransmission (if no buffering is used) as
+ *                 means to deal with reordering are needed less frequently.
+ *
+ * \note           Application records are not affected by this option and
+ *                 are currently always sent in separate datagrams.
+ *
+ */
+void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
+                                       unsigned allow_packing );
+
 /**
  * \brief          Set retransmit timeout values for the DTLS handshake.
  *                 (DTLS only, no effect on TLS.)
@@ -1842,7 +2268,7 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
  *
  * \param ssl      SSL context
  * \param hostname the server hostname, may be NULL to clear hostname
- *
+
  * \note           Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN.
  *
  * \return         0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on
@@ -2107,18 +2533,14 @@ void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
 /**
  * \brief          Set the maximum fragment length to emit and/or negotiate.
- *                 (Typical: #MBEDTLS_SSL_MAX_CONTENT_LEN, by default that is
- *                 set to `2^14` bytes)
+ *                 (Typical: the smaller of #MBEDTLS_SSL_IN_CONTENT_LEN and
+ *                 #MBEDTLS_SSL_OUT_CONTENT_LEN, usually `2^14` bytes)
  *                 (Server: set maximum fragment length to emit,
  *                 usually negotiated by the client during handshake)
  *                 (Client: set maximum fragment length to emit *and*
  *                 negotiate with the server during handshake)
  *                 (Default: #MBEDTLS_SSL_MAX_FRAG_LEN_NONE)
  *
- * \note           With TLS, this currently only affects ApplicationData (sent
- *                 with \c mbedtls_ssl_read()), not handshake messages.
- *                 With DTLS, this affects both ApplicationData and handshake.
- *
  * \note           On the client side, the maximum fragment length extension
  *                 *will not* be used, unless the maximum fragment length has
  *                 been set via this function to a value different than
@@ -2128,6 +2550,14 @@ void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
  *                 excluding record overhead that will be added to it, see
  *                 \c mbedtls_ssl_get_record_expansion().
  *
+ * \note           With TLS, this currently only affects ApplicationData (sent
+ *                 with \c mbedtls_ssl_read()), not handshake messages.
+ *                 With DTLS, this affects both ApplicationData and handshake.
+ *
+ * \note           For DTLS, it is also possible to set a limit for the total
+ *                 size of daragrams passed to the transport layer, including
+ *                 record overhead, see \c mbedtls_ssl_set_mtu().
+ *
  * \param conf     SSL configuration
  * \param mfl_code Code for maximum fragment length (allowed values:
  *                 MBEDTLS_SSL_MAX_FRAG_LEN_512,  MBEDTLS_SSL_MAX_FRAG_LEN_1024,
@@ -2299,11 +2729,59 @@ void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
 #endif /* MBEDTLS_SSL_RENEGOTIATION */
 
 /**
- * \brief          Return the number of data bytes available to read
+ * \brief          Check if there is data already read from the
+ *                 underlying transport but not yet processed.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         0 if nothing's pending, 1 otherwise.
+ *
+ * \note           This is different in purpose and behaviour from
+ *                 \c mbedtls_ssl_get_bytes_avail in that it considers
+ *                 any kind of unprocessed data, not only unread
+ *                 application data. If \c mbedtls_ssl_get_bytes
+ *                 returns a non-zero value, this function will
+ *                 also signal pending data, but the converse does
+ *                 not hold. For example, in DTLS there might be
+ *                 further records waiting to be processed from
+ *                 the current underlying transport's datagram.
+ *
+ * \note           If this function returns 1 (data pending), this
+ *                 does not imply that a subsequent call to
+ *                 \c mbedtls_ssl_read will provide any data;
+ *                 e.g., the unprocessed data might turn out
+ *                 to be an alert or a handshake message.
+ *
+ * \note           This function is useful in the following situation:
+ *                 If the SSL/TLS module successfully returns from an
+ *                 operation - e.g. a handshake or an application record
+ *                 read - and you're awaiting incoming data next, you
+ *                 must not immediately idle on the underlying transport
+ *                 to have data ready, but you need to check the value
+ *                 of this function first. The reason is that the desired
+ *                 data might already be read but not yet processed.
+ *                 If, in contrast, a previous call to the SSL/TLS module
+ *                 returned MBEDTLS_ERR_SSL_WANT_READ, it is not necessary
+ *                 to call this function, as the latter error code entails
+ *                 that all internal data has been processed.
+ *
+ */
+int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Return the number of application data bytes
+ *                 remaining to be read from the current record.
  *
  * \param ssl      SSL context
  *
- * \return         how many bytes are available in the read buffer
+ * \return         How many bytes are available in the application
+ *                 data record read buffer.
+ *
+ * \note           When working over a datagram transport, this is
+ *                 useful to detect the current datagram's boundary
+ *                 in case \c mbedtls_ssl_read has written the maximal
+ *                 amount of data fitting into the input buffer.
+ *
  */
 size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl );
 
@@ -2343,6 +2821,9 @@ const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl );
  * \brief          Return the (maximum) number of bytes added by the record
  *                 layer: header + encryption/MAC overhead (inc. padding)
  *
+ * \note           This function is not available (always returns an error)
+ *                 when record compression is enabled.
+ *
  * \param ssl      SSL context
  *
  * \return         Current maximum record expansion in bytes, or
@@ -2357,6 +2838,23 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl );
  *                 This is the value negotiated with peer if any,
  *                 or the locally configured value.
  *
+ * \sa             mbedtls_ssl_conf_max_frag_len()
+ * \sa             mbedtls_ssl_get_max_record_payload()
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Current maximum fragment length.
+ */
+size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+/**
+ * \brief          Return the current maximum outgoing record payload in bytes.
+ *                 This takes into account the config.h setting \c
+ *                 MBEDTLS_SSL_OUT_CONTENT_LEN, the configured and negotiated
+ *                 max fragment length extension if used, and for DTLS the
+ *                 path MTU as configured and current record expansion.
+ *
  * \note           With DTLS, \c mbedtls_ssl_write() will return an error if
  *                 called with a larger length value.
  *                 With TLS, \c mbedtls_ssl_write() will fragment the input if
@@ -2364,12 +2862,19 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl );
  *                 to the caller to call \c mbedtls_ssl_write() again in
  *                 order to send the remaining bytes if any.
  *
+ * \note           This function is not available (always returns an error)
+ *                 when record compression is enabled.
+ *
+ * \sa             mbedtls_ssl_set_mtu()
+ * \sa             mbedtls_ssl_get_max_frag_len()
+ * \sa             mbedtls_ssl_get_record_expansion()
+ *
  * \param ssl      SSL context
  *
- * \return         Current maximum fragment length.
+ * \return         Current maximum payload for an outgoing record,
+ *                 or a negative error code.
  */
-size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl );
-#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl );
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 /**
@@ -2424,21 +2929,50 @@ int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session
  *
  * \param ssl      SSL context
  *
- * \return         0 if successful, or
- *                 MBEDTLS_ERR_SSL_WANT_READ or MBEDTLS_ERR_SSL_WANT_WRITE, or
- *                 MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED (see below), or
- *                 a specific SSL error code.
- *
- * \note           If this function returns something other than 0 or
- *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context
- *                 becomes unusable, and you should either free it or call
- *                 \c mbedtls_ssl_session_reset() on it before re-using it for
- *                 a new connection; the current connection must be closed.
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
+ *                 if the handshake is incomplete and waiting for data to
+ *                 be available for reading from or writing to the underlying
+ *                 transport - in this case you must call this function again
+ *                 when the underlying transport is ready for the operation.
+ * \return         #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
+ *                 operation is in progress (see
+ *                 mbedtls_ssl_conf_async_private_cb()) - in this case you
+ *                 must call this function again when the operation is ready.
+ * \return         #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
+ *                 operation is in progress (see mbedtls_ecp_set_max_ops()) -
+ *                 in this case you must call this function again to complete
+ *                 the handshake when you're done attending other tasks.
+ * \return         #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use
+ *                 and the client did not demonstrate reachability yet - in
+ *                 this case you must stop using the context (see below).
+ * \return         Another SSL error code - in this case you must stop using
+ *                 the context (see below).
+ *
+ * \warning        If this function returns something other than
+ *                 \c 0,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ,
+ *                 #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ *                 you must stop using the SSL context for reading or writing,
+ *                 and either free it or call \c mbedtls_ssl_session_reset()
+ *                 on it before re-using it for a new connection; the current
+ *                 connection must be closed.
  *
  * \note           If DTLS is in use, then you may choose to handle
- *                 MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED specially for logging
+ *                 #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED specially for logging
  *                 purposes, as it is an expected return value rather than an
  *                 actual error, but you still need to reset/free the context.
+ *
+ * \note           Remarks regarding event-driven DTLS:
+ *                 If the function returns #MBEDTLS_ERR_SSL_WANT_READ, no datagram
+ *                 from the underlying transport layer is currently being processed,
+ *                 and it is safe to idle until the timer or the underlying transport
+ *                 signal a new event. This is not true for a successful handshake,
+ *                 in which case the datagram of the underlying transport that is
+ *                 currently being processed might or might not contain further
+ *                 DTLS records.
  */
 int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl );
 
@@ -2446,20 +2980,21 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl );
  * \brief          Perform a single step of the SSL handshake
  *
  * \note           The state of the context (ssl->state) will be at
- *                 the next state after execution of this function. Do not
+ *                 the next state after this function returns \c 0. Do not
  *                 call this function if state is MBEDTLS_SSL_HANDSHAKE_OVER.
  *
- * \note           If this function returns something other than 0 or
- *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context
- *                 becomes unusable, and you should either free it or call
- *                 \c mbedtls_ssl_session_reset() on it before re-using it for
- *                 a new connection; the current connection must be closed.
- *
  * \param ssl      SSL context
  *
- * \return         0 if successful, or
- *                 MBEDTLS_ERR_SSL_WANT_READ or MBEDTLS_ERR_SSL_WANT_WRITE, or
- *                 a specific SSL error code.
+ * \return         See mbedtls_ssl_handshake().
+ *
+ * \warning        If this function returns something other than \c 0,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using
+ *                 the SSL context for reading or writing, and either free it
+ *                 or call \c mbedtls_ssl_session_reset() on it before
+ *                 re-using it for a new connection; the current connection
+ *                 must be closed.
  */
 int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl );
 
@@ -2474,13 +3009,18 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl );
  * \param ssl      SSL context
  *
  * \return         0 if successful, or any mbedtls_ssl_handshake() return
- *                 value.
+ *                 value except #MBEDTLS_ERR_SSL_CLIENT_RECONNECT that can't
+ *                 happen during a renegotiation.
+ *
+ * \warning        If this function returns something other than \c 0,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using
+ *                 the SSL context for reading or writing, and either free it
+ *                 or call \c mbedtls_ssl_session_reset() on it before
+ *                 re-using it for a new connection; the current connection
+ *                 must be closed.
  *
- * \note           If this function returns something other than 0 or
- *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context
- *                 becomes unusable, and you should either free it or call
- *                 \c mbedtls_ssl_session_reset() on it before re-using it for
- *                 a new connection; the current connection must be closed.
  */
 int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl );
 #endif /* MBEDTLS_SSL_RENEGOTIATION */
@@ -2492,32 +3032,68 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl );
  * \param buf      buffer that will hold the data
  * \param len      maximum number of bytes to read
  *
- * \return         the number of bytes read, or
- *                 0 for EOF, or
- *                 MBEDTLS_ERR_SSL_WANT_READ or MBEDTLS_ERR_SSL_WANT_WRITE, or
- *                 MBEDTLS_ERR_SSL_CLIENT_RECONNECT (see below), or
- *                 another negative error code.
- *
- * \note           If this function returns something other than a positive
- *                 value or MBEDTLS_ERR_SSL_WANT_READ/WRITE or
- *                 MBEDTLS_ERR_SSL_CLIENT_RECONNECT, then the ssl context
- *                 becomes unusable, and you should either free it or call
- *                 \c mbedtls_ssl_session_reset() on it before re-using it for
- *                 a new connection; the current connection must be closed.
- *
- * \note           When this function return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
+ * \return         The (positive) number of bytes read if successful.
+ * \return         \c 0 if the read end of the underlying transport was closed
+ *                 - in this case you must stop using the context (see below).
+ * \return         #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
+ *                 if the handshake is incomplete and waiting for data to
+ *                 be available for reading from or writing to the underlying
+ *                 transport - in this case you must call this function again
+ *                 when the underlying transport is ready for the operation.
+ * \return         #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
+ *                 operation is in progress (see
+ *                 mbedtls_ssl_conf_async_private_cb()) - in this case you
+ *                 must call this function again when the operation is ready.
+ * \return         #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
+ *                 operation is in progress (see mbedtls_ecp_set_max_ops()) -
+ *                 in this case you must call this function again to complete
+ *                 the handshake when you're done attending other tasks.
+ * \return         #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server
+ *                 side of a DTLS connection and the client is initiating a
+ *                 new connection using the same source port. See below.
+ * \return         Another SSL error code - in this case you must stop using
+ *                 the context (see below).
+ *
+ * \warning        If this function returns something other than
+ *                 a positive value,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ,
+ *                 #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CLIENT_RECONNECT,
+ *                 you must stop using the SSL context for reading or writing,
+ *                 and either free it or call \c mbedtls_ssl_session_reset()
+ *                 on it before re-using it for a new connection; the current
+ *                 connection must be closed.
+ *
+ * \note           When this function returns #MBEDTLS_ERR_SSL_CLIENT_RECONNECT
  *                 (which can only happen server-side), it means that a client
  *                 is initiating a new connection using the same source port.
  *                 You can either treat that as a connection close and wait
  *                 for the client to resend a ClientHello, or directly
  *                 continue with \c mbedtls_ssl_handshake() with the same
- *                 context (as it has beeen reset internally). Either way, you
- *                 should make sure this is seen by the application as a new
+ *                 context (as it has been reset internally). Either way, you
+ *                 must make sure this is seen by the application as a new
  *                 connection: application state, if any, should be reset, and
  *                 most importantly the identity of the client must be checked
  *                 again. WARNING: not validating the identity of the client
  *                 again, or not transmitting the new identity to the
  *                 application layer, would allow authentication bypass!
+ *
+ * \note           Remarks regarding event-driven DTLS:
+ *                 - If the function returns #MBEDTLS_ERR_SSL_WANT_READ, no datagram
+ *                   from the underlying transport layer is currently being processed,
+ *                   and it is safe to idle until the timer or the underlying transport
+ *                   signal a new event.
+ *                 - This function may return MBEDTLS_ERR_SSL_WANT_READ even if data was
+ *                   initially available on the underlying transport, as this data may have
+ *                   been only e.g. duplicated messages or a renegotiation request.
+ *                   Therefore, you must be prepared to receive MBEDTLS_ERR_SSL_WANT_READ even
+ *                   when reacting to an incoming-data event from the underlying transport.
+ *                 - On success, the datagram of the underlying transport that is currently
+ *                   being processed may contain further DTLS records. You should call
+ *                   \c mbedtls_ssl_check_pending to check for remaining records.
+ *
  */
 int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len );
 
@@ -2534,21 +3110,39 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
  * \param buf      buffer holding the data
  * \param len      how many bytes must be written
  *
- * \return         the number of bytes actually written (may be less than len),
- *                 or MBEDTLS_ERR_SSL_WANT_WRITE or MBEDTLS_ERR_SSL_WANT_READ,
- *                 or another negative error code.
- *
- * \note           If this function returns something other than 0, a positive
- *                 value or MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop
- *                 using the SSL context for reading or writing, and either
- *                 free it or call \c mbedtls_ssl_session_reset() on it before
- *                 re-using it for a new connection; the current connection
- *                 must be closed.
- *
- * \note           When this function returns MBEDTLS_ERR_SSL_WANT_WRITE/READ,
+ * \return         The (non-negative) number of bytes actually written if
+ *                 successful (may be less than \p len).
+ * \return         #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
+ *                 if the handshake is incomplete and waiting for data to
+ *                 be available for reading from or writing to the underlying
+ *                 transport - in this case you must call this function again
+ *                 when the underlying transport is ready for the operation.
+ * \return         #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
+ *                 operation is in progress (see
+ *                 mbedtls_ssl_conf_async_private_cb()) - in this case you
+ *                 must call this function again when the operation is ready.
+ * \return         #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
+ *                 operation is in progress (see mbedtls_ecp_set_max_ops()) -
+ *                 in this case you must call this function again to complete
+ *                 the handshake when you're done attending other tasks.
+ * \return         Another SSL error code - in this case you must stop using
+ *                 the context (see below).
+ *
+ * \warning        If this function returns something other than
+ *                 a non-negative value,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ,
+ *                 #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ *                 you must stop using the SSL context for reading or writing,
+ *                 and either free it or call \c mbedtls_ssl_session_reset()
+ *                 on it before re-using it for a new connection; the current
+ *                 connection must be closed.
+ *
+ * \note           When this function returns #MBEDTLS_ERR_SSL_WANT_WRITE/READ,
  *                 it must be called later with the *same* arguments,
  *                 until it returns a value greater that or equal to 0. When
- *                 the function returns MBEDTLS_ERR_SSL_WANT_WRITE there may be
+ *                 the function returns #MBEDTLS_ERR_SSL_WANT_WRITE there may be
  *                 some partial data in the output buffer, however this is not
  *                 yet sent.
  *
@@ -2576,10 +3170,10 @@ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_
  * \return          0 if successful, or a specific SSL error code.
  *
  * \note           If this function returns something other than 0 or
- *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context
- *                 becomes unusable, and you should either free it or call
- *                 \c mbedtls_ssl_session_reset() on it before re-using it for
- *                 a new connection; the current connection must be closed.
+ *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using
+ *                 the SSL context for reading or writing, and either free it or
+ *                 call \c mbedtls_ssl_session_reset() on it before re-using it
+ *                 for a new connection; the current connection must be closed.
  */
 int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
                             unsigned char level,
@@ -2592,10 +3186,10 @@ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
  * \return          0 if successful, or a specific SSL error code.
  *
  * \note           If this function returns something other than 0 or
- *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context
- *                 becomes unusable, and you should either free it or call
- *                 \c mbedtls_ssl_session_reset() on it before re-using it for
- *                 a new connection; the current connection must be closed.
+ *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using
+ *                 the SSL context for reading or writing, and either free it or
+ *                 call \c mbedtls_ssl_session_reset() on it before re-using it
+ *                 for a new connection; the current connection must be closed.
  */
 int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl );
 
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_ciphersuites.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_ciphersuites.h
index 655d130b7c..71053e5ba7 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_ciphersuites.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_ciphersuites.h
@@ -175,6 +175,45 @@ extern "C" {
 #define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256           0xC03A /**< Weak! No SSL3! */
 #define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384           0xC03B /**< Weak! No SSL3! */
 
+#define MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256         0xC03C /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384         0xC03D /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256     0xC044 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384     0xC045 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256  0xC04A /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384  0xC04B /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256   0xC04C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384   0xC04D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256    0xC04E /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384    0xC04F /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256         0xC050 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384         0xC051 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256     0xC052 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384     0xC053 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256  0xC05E /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384  0xC05F /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256   0xC060 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384   0xC061 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256    0xC062 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384    0xC063 /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256         0xC064 /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384         0xC065 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256     0xC066 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384     0xC067 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256     0xC068 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384     0xC069 /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256         0xC06A /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384         0xC06B /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256     0xC06C /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384     0xC06D /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256     0xC06E /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384     0xC06F /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256   0xC070 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384   0xC071 /**< TLS 1.2 */
+
 #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072 /**< Not in SSL3! */
 #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073 /**< Not in SSL3! */
 #define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256  0xC074 /**< Not in SSL3! */
@@ -238,6 +277,15 @@ extern "C" {
 
 #define MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8          0xC0FF  /**< experimental */
 
+/* RFC 7905 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   0xCCA8 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     0xCCAA /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256         0xCCAB /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256   0xCCAC /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256     0xCCAD /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256     0xCCAE /**< TLS 1.2 */
+
 /* Reminder: update mbedtls_ssl_premaster_secret when adding a new key exchange.
  * Reminder: update MBEDTLS_KEY_EXCHANGE__xxx below
  */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_cookie.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_cookie.h
index 6a7ff9c757..e34760ae85 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_cookie.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_cookie.h
@@ -56,7 +56,7 @@ extern "C" {
 /**
  * \brief          Context for the default cookie functions.
  */
-typedef struct
+typedef struct mbedtls_ssl_cookie_ctx
 {
     mbedtls_md_context_t    hmac_ctx;   /*!< context for the HMAC portion   */
 #if !defined(MBEDTLS_HAVE_TIME)
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_internal.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_internal.h
index 168d4a2568..bd5ad94dbf 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_internal.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_internal.h
@@ -99,6 +99,14 @@
 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
 
+/* Shorthand for restartable ECC */
+#if defined(MBEDTLS_ECP_RESTARTABLE) && \
+    defined(MBEDTLS_SSL_CLI_C) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_SSL__ECP_RESTARTABLE
+#endif
+
 #define MBEDTLS_SSL_INITIAL_HANDSHAKE           0
 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS   1   /* In progress */
 #define MBEDTLS_SSL_RENEGOTIATION_DONE          2   /* Done or aborted */
@@ -149,32 +157,76 @@
 #define MBEDTLS_SSL_PADDING_ADD              0
 #endif
 
-#define MBEDTLS_SSL_PAYLOAD_LEN ( MBEDTLS_SSL_MAX_CONTENT_LEN    \
-                        + MBEDTLS_SSL_COMPRESSION_ADD            \
-                        + MBEDTLS_MAX_IV_LENGTH                  \
-                        + MBEDTLS_SSL_MAC_ADD                    \
-                        + MBEDTLS_SSL_PADDING_ADD                \
-                        )
+#define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD +    \
+                                       MBEDTLS_MAX_IV_LENGTH +          \
+                                       MBEDTLS_SSL_MAC_ADD +            \
+                                       MBEDTLS_SSL_PADDING_ADD          \
+                                       )
+
+#define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
+                                     ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
+
+#define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
+                                      ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
+
+/* The maximum number of buffered handshake messages. */
+#define MBEDTLS_SSL_MAX_BUFFERED_HS 4
+
+/* Maximum length we can advertise as our max content length for
+   RFC 6066 max_fragment_length extension negotiation purposes
+   (the lesser of both sizes, if they are unequal.)
+ */
+#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN (                            \
+        (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN)   \
+        ? ( MBEDTLS_SSL_OUT_CONTENT_LEN )                            \
+        : ( MBEDTLS_SSL_IN_CONTENT_LEN )                             \
+        )
 
 /*
  * Check that we obey the standard's message size bounds
  */
 
 #if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
-#error Bad configuration - record content too large.
+#error "Bad configuration - record content too large."
+#endif
+
+#if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
+#error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
+#endif
+
+#if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
+#error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
+#endif
+
+#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
+#error "Bad configuration - incoming protected record payload too large."
 #endif
 
-#if MBEDTLS_SSL_PAYLOAD_LEN > 16384 + 2048
-#error Bad configuration - protected record payload too large.
+#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
+#error "Bad configuration - outgoing protected record payload too large."
 #endif
 
+/* Calculate buffer sizes */
+
 /* Note: Even though the TLS record header is only 5 bytes
    long, we're internally using 8 bytes to store the
    implicit sequence number. */
 #define MBEDTLS_SSL_HEADER_LEN 13
 
-#define MBEDTLS_SSL_BUFFER_LEN  \
-    ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_PAYLOAD_LEN ) )
+#define MBEDTLS_SSL_IN_BUFFER_LEN  \
+    ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
+
+#define MBEDTLS_SSL_OUT_BUFFER_LEN  \
+    ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
+
+#ifdef MBEDTLS_ZLIB_SUPPORT
+/* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
+#define MBEDTLS_SSL_COMPRESS_BUFFER_LEN (                               \
+        ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN )      \
+        ? MBEDTLS_SSL_IN_BUFFER_LEN                                     \
+        : MBEDTLS_SSL_OUT_BUFFER_LEN                                    \
+        )
+#endif
 
 /*
  * TLS extension flags (for extensions with outgoing ServerHello content
@@ -249,6 +301,18 @@ struct mbedtls_ssl_handshake_params
     mbedtls_x509_crl *sni_ca_crl;       /*!< trusted CAs CRLs from SNI      */
 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    int ecrs_enabled;                   /*!< Handshake supports EC restart? */
+    mbedtls_x509_crt_restart_ctx ecrs_ctx;  /*!< restart context            */
+    enum { /* this complements ssl->state with info on intra-state operations */
+        ssl_ecrs_none = 0,              /*!< nothing going on (yet)         */
+        ssl_ecrs_crt_verify,            /*!< Certificate: crt_verify()      */
+        ssl_ecrs_ske_start_processing,  /*!< ServerKeyExchange: pk_verify() */
+        ssl_ecrs_cke_ecdh_calc_secret,  /*!< ClientKeyExchange: ECDH step 2 */
+        ssl_ecrs_crt_vrfy_sign,         /*!< CertificateVerify: pk_sign()   */
+    } ecrs_state;                       /*!< current (or last) operation    */
+    size_t ecrs_n;                      /*!< place for saving a length      */
+#endif
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     unsigned int out_msg_seq;           /*!<  Outgoing handshake sequence number */
     unsigned int in_msg_seq;            /*!<  Incoming handshake sequence number */
@@ -258,18 +322,45 @@ struct mbedtls_ssl_handshake_params
     unsigned char verify_cookie_len;    /*!<  Cli: cookie length
                                               Srv: flag for sending a cookie */
 
-    unsigned char *hs_msg;              /*!<  Reassembled handshake message  */
-
     uint32_t retransmit_timeout;        /*!<  Current value of timeout       */
     unsigned char retransmit_state;     /*!<  Retransmission state           */
-    mbedtls_ssl_flight_item *flight;            /*!<  Current outgoing flight        */
-    mbedtls_ssl_flight_item *cur_msg;           /*!<  Current message in flight      */
+    mbedtls_ssl_flight_item *flight;    /*!<  Current outgoing flight        */
+    mbedtls_ssl_flight_item *cur_msg;   /*!<  Current message in flight      */
+    unsigned char *cur_msg_p;           /*!<  Position in current message    */
     unsigned int in_flight_start_seq;   /*!<  Minimum message sequence in the
                                               flight being received          */
     mbedtls_ssl_transform *alt_transform_out;   /*!<  Alternative transform for
                                               resending messages             */
     unsigned char alt_out_ctr[8];       /*!<  Alternative record epoch/counter
                                               for resending messages         */
+
+    struct
+    {
+        size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
+                                      *   buffers used for message buffering. */
+
+        uint8_t seen_ccs;               /*!< Indicates if a CCS message has
+                                         *   been seen in the current flight. */
+
+        struct mbedtls_ssl_hs_buffer
+        {
+            unsigned is_valid      : 1;
+            unsigned is_fragmented : 1;
+            unsigned is_complete   : 1;
+            unsigned char *data;
+            size_t data_len;
+        } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
+
+        struct
+        {
+            unsigned char *data;
+            size_t len;
+            unsigned epoch;
+        } future_record;
+
+    } buffering;
+
+    uint16_t mtu;                       /*!<  Handshake mtu, used to fragment outgoing messages */
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 
     /*
@@ -313,8 +404,23 @@ struct mbedtls_ssl_handshake_params
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
     int extended_ms;                    /*!< use Extended Master Secret? */
 #endif
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    /** Asynchronous operation context. This field is meant for use by the
+     * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
+     * mbedtls_ssl_config::f_async_decrypt_start,
+     * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
+     * The library does not use it internally. */
+    void *user_async_ctx;
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
 };
 
+typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
+
 /*
  * This structure contains a full set of runtime transform parameters
  * either in negotiation or active.
@@ -416,9 +522,9 @@ void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
  * \brief           Free referenced items in an SSL handshake context and clear
  *                  memory
  *
- * \param handshake SSL handshake context
+ * \param ssl       SSL context
  */
-void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake );
+void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
 
 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
@@ -429,7 +535,6 @@ int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
 
-int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl );
 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
@@ -441,7 +546,10 @@ void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
  *              of the logic of (D)TLS from the implementation
  *              of the secure transport.
  *
- * \param  ssl  SSL context to use
+ * \param  ssl              The SSL context to use.
+ * \param  update_hs_digest This indicates if the handshake digest
+ *                          should be automatically updated in case
+ *                          a handshake message is found.
  *
  * \return      0 or non-zero error code.
  *
@@ -507,10 +615,12 @@ void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
  *              following the above definition.
  *
  */
-int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
+                             unsigned update_hs_digest );
 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
 
-int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
 
 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
@@ -619,6 +729,7 @@ static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
 #endif
 
 /* Visible for testing purposes only */
@@ -658,9 +769,9 @@ int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
     defined(MBEDTLS_SSL_PROTO_TLS1_2)
 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
-                                        unsigned char *output,
-                                        unsigned char *data, size_t data_len,
-                                        mbedtls_md_type_t md_alg );
+                                            unsigned char *hash, size_t *hashlen,
+                                            unsigned char *data, size_t data_len,
+                                            mbedtls_md_type_t md_alg );
 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
           MBEDTLS_SSL_PROTO_TLS1_2 */
 
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_ticket.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_ticket.h
index ff7eccbb8c..a84e7816e4 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_ticket.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/ssl_ticket.h
@@ -50,7 +50,7 @@ extern "C" {
 /**
  * \brief   Information for session ticket protection
  */
-typedef struct
+typedef struct mbedtls_ssl_ticket_key
 {
     unsigned char name[4];          /*!< random key identifier              */
     uint32_t generation_time;       /*!< key generation timestamp (seconds) */
@@ -61,7 +61,7 @@ mbedtls_ssl_ticket_key;
 /**
  * \brief   Context for session ticket handling functions
  */
-typedef struct
+typedef struct mbedtls_ssl_ticket_context
 {
     mbedtls_ssl_ticket_key keys[2]; /*!< ticket protection keys             */
     unsigned char active;           /*!< index of the currently active key  */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/threading.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/threading.h
index aeea5d0e1a..92e6e6b987 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/threading.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/threading.h
@@ -36,13 +36,16 @@
 extern "C" {
 #endif
 
+/* MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE is deprecated and should not be
+ * used. */
 #define MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE         -0x001A  /**< The selected feature is not available. */
+
 #define MBEDTLS_ERR_THREADING_BAD_INPUT_DATA              -0x001C  /**< Bad input parameters to function. */
 #define MBEDTLS_ERR_THREADING_MUTEX_ERROR                 -0x001E  /**< Locking / unlocking / free failed with error code. */
 
 #if defined(MBEDTLS_THREADING_PTHREAD)
 #include <pthread.h>
-typedef struct
+typedef struct mbedtls_threading_mutex_t
 {
     pthread_mutex_t mutex;
     char is_valid;
@@ -99,9 +102,17 @@ extern int (*mbedtls_mutex_unlock)( mbedtls_threading_mutex_t *mutex );
 #if defined(MBEDTLS_FS_IO)
 extern mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex;
 #endif
-#if defined(MBEDTLS_HAVE_TIME_DATE)
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+/* This mutex may or may not be used in the default definition of
+ * mbedtls_platform_gmtime_r(), but in order to determine that,
+ * we need to check POSIX features, hence modify _POSIX_C_SOURCE.
+ * With the current approach, this declaration is orphaned, lacking
+ * an accompanying definition, in case mbedtls_platform_gmtime_r()
+ * doesn't need it, but that's not a problem. */
 extern mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex;
-#endif
+#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
+
 #endif /* MBEDTLS_THREADING_C */
 
 #ifdef __cplusplus
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/timing.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/timing.h
index 2c497bf4eb..a965fe0d35 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/timing.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/timing.h
@@ -30,16 +30,16 @@
 #include MBEDTLS_CONFIG_FILE
 #endif
 
-#if !defined(MBEDTLS_TIMING_ALT)
-// Regular implementation
-//
-
 #include <stdint.h>
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_TIMING_ALT)
+// Regular implementation
+//
+
 /**
  * \brief          timer structure
  */
@@ -51,13 +51,17 @@ struct mbedtls_timing_hr_time
 /**
  * \brief          Context for mbedtls_timing_set/get_delay()
  */
-typedef struct
+typedef struct mbedtls_timing_delay_context
 {
     struct mbedtls_timing_hr_time   timer;
     uint32_t                        int_ms;
     uint32_t                        fin_ms;
 } mbedtls_timing_delay_context;
 
+#else  /* MBEDTLS_TIMING_ALT */
+#include "timing_alt.h"
+#endif /* MBEDTLS_TIMING_ALT */
+
 extern volatile int mbedtls_timing_alarmed;
 
 /**
@@ -133,18 +137,6 @@ void mbedtls_timing_set_delay( void *data, uint32_t int_ms, uint32_t fin_ms );
  */
 int mbedtls_timing_get_delay( void *data );
 
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* MBEDTLS_TIMING_ALT */
-#include "timing_alt.h"
-#endif /* MBEDTLS_TIMING_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 #if defined(MBEDTLS_SELF_TEST)
 /**
  * \brief          Checkup routine
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/version.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/version.h
index 79b651387a..ef8e4c1f4f 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/version.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/version.h
@@ -39,17 +39,17 @@
  * Major, Minor, Patchlevel
  */
 #define MBEDTLS_VERSION_MAJOR  2
-#define MBEDTLS_VERSION_MINOR  7
-#define MBEDTLS_VERSION_PATCH  11
+#define MBEDTLS_VERSION_MINOR  16
+#define MBEDTLS_VERSION_PATCH  2
 
 /**
  * The single version number has the following structure:
  *    MMNNPP00
  *    Major version | Minor version | Patch version
  */
-#define MBEDTLS_VERSION_NUMBER         0x02070B00
-#define MBEDTLS_VERSION_STRING         "2.7.11"
-#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.7.11"
+#define MBEDTLS_VERSION_NUMBER         0x02100200
+#define MBEDTLS_VERSION_STRING         "2.16.2"
+#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.16.2"
 
 #if defined(MBEDTLS_VERSION_C)
 
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/x509.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/x509.h
index d6db9c6e37..9ae825c183 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/x509.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/x509.h
@@ -269,6 +269,8 @@ int mbedtls_x509_time_is_past( const mbedtls_x509_time *to );
  */
 int mbedtls_x509_time_is_future( const mbedtls_x509_time *from );
 
+#if defined(MBEDTLS_SELF_TEST)
+
 /**
  * \brief          Checkup routine
  *
@@ -276,6 +278,8 @@ int mbedtls_x509_time_is_future( const mbedtls_x509_time *from );
  */
 int mbedtls_x509_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 /*
  * Internal module functions. You probably do not want to use these unless you
  * know you do.
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/x509_crt.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/x509_crt.h
index e72231ee8c..670bd10d89 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/x509_crt.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/x509_crt.h
@@ -98,14 +98,14 @@ mbedtls_x509_crt;
  * Build flag from an algorithm/curve identifier (pk, md, ecp)
  * Since 0 is always XXX_NONE, ignore it.
  */
-#define MBEDTLS_X509_ID_FLAG( id )   ( 1 << ( ( id ) - 1 ) )
+#define MBEDTLS_X509_ID_FLAG( id )   ( 1 << ( (id) - 1 ) )
 
 /**
  * Security profile for certificate verification.
  *
  * All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
  */
-typedef struct
+typedef struct mbedtls_x509_crt_profile
 {
     uint32_t allowed_mds;       /**< MDs for signatures         */
     uint32_t allowed_pks;       /**< PK algs for signatures     */
@@ -143,6 +143,63 @@ typedef struct mbedtls_x509write_cert
 }
 mbedtls_x509write_cert;
 
+/**
+ * Item in a verification chain: cert and flags for it
+ */
+typedef struct {
+    mbedtls_x509_crt *crt;
+    uint32_t flags;
+} mbedtls_x509_crt_verify_chain_item;
+
+/**
+ * Max size of verification chain: end-entity + intermediates + trusted root
+ */
+#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE  ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
+
+/**
+ * Verification chain as built by \c mbedtls_crt_verify_chain()
+ */
+typedef struct
+{
+    mbedtls_x509_crt_verify_chain_item items[MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE];
+    unsigned len;
+} mbedtls_x509_crt_verify_chain;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief       Context for resuming X.509 verify operations
+ */
+typedef struct
+{
+    /* for check_signature() */
+    mbedtls_pk_restart_ctx pk;
+
+    /* for find_parent_in() */
+    mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */
+    mbedtls_x509_crt *fallback_parent;
+    int fallback_signature_is_good;
+
+    /* for find_parent() */
+    int parent_is_trusted; /* -1 if find_parent is not in progress */
+
+    /* for verify_chain() */
+    enum {
+        x509_crt_rs_none,
+        x509_crt_rs_find_parent,
+    } in_progress;  /* none if no operation is in progress */
+    int self_cnt;
+    mbedtls_x509_crt_verify_chain ver_chain;
+
+} mbedtls_x509_crt_restart_ctx;
+
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_x509_crt_restart_ctx;
+
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 /**
  * Default security profile. Should provide a good balance between security
@@ -368,6 +425,37 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
                      int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
                      void *p_vrfy );
 
+/**
+ * \brief          Restartable version of \c mbedtls_crt_verify_with_profile()
+ *
+ * \note           Performs the same job as \c mbedtls_crt_verify_with_profile()
+ *                 but can return early and restart according to the limit
+ *                 set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param crt      a certificate (chain) to be verified
+ * \param trust_ca the list of trusted CAs
+ * \param ca_crl   the list of CRLs for trusted CAs
+ * \param profile  security profile for verification
+ * \param cn       expected Common Name (can be set to
+ *                 NULL if the CN must not be verified)
+ * \param flags    result of the verification
+ * \param f_vrfy   verification function
+ * \param p_vrfy   verification parameter
+ * \param rs_ctx   restart context (NULL to disable restart)
+ *
+ * \return         See \c mbedtls_crt_verify_with_profile(), or
+ * \return         #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                 operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const mbedtls_x509_crt_profile *profile,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy,
+                     mbedtls_x509_crt_restart_ctx *rs_ctx );
+
 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
 /**
  * \brief          Check usage of certificate against keyUsage extension.
@@ -439,6 +527,18 @@ void mbedtls_x509_crt_init( mbedtls_x509_crt *crt );
  * \param crt      Certificate chain to free
  */
 void mbedtls_x509_crt_free( mbedtls_x509_crt *crt );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Initialize a restart context
+ */
+void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx );
+
+/**
+ * \brief           Free the components of a restart context
+ */
+void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx );
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 /* \} name */
diff --git a/3rdparty/mbedtls/mbedtls/include/mbedtls/xtea.h b/3rdparty/mbedtls/mbedtls/include/mbedtls/xtea.h
index 34ccee3c22..b47f553508 100644
--- a/3rdparty/mbedtls/mbedtls/include/mbedtls/xtea.h
+++ b/3rdparty/mbedtls/mbedtls/include/mbedtls/xtea.h
@@ -37,25 +37,31 @@
 #define MBEDTLS_XTEA_DECRYPT     0
 
 #define MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH             -0x0028  /**< The data input has an invalid length. */
-#define MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED                  -0x0029  /**< XTEA hardware accelerator failed. */
 
-#if !defined(MBEDTLS_XTEA_ALT)
-// Regular implementation
-//
+/* MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED                  -0x0029  /**< XTEA hardware accelerator failed. */
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if !defined(MBEDTLS_XTEA_ALT)
+// Regular implementation
+//
+
 /**
  * \brief          XTEA context structure
  */
-typedef struct
+typedef struct mbedtls_xtea_context
 {
     uint32_t k[4];       /*!< key */
 }
 mbedtls_xtea_context;
 
+#else  /* MBEDTLS_XTEA_ALT */
+#include "xtea_alt.h"
+#endif /* MBEDTLS_XTEA_ALT */
+
 /**
  * \brief          Initialize XTEA context
  *
@@ -115,17 +121,7 @@ int mbedtls_xtea_crypt_cbc( mbedtls_xtea_context *ctx,
                     unsigned char *output);
 #endif /* MBEDTLS_CIPHER_MODE_CBC */
 
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* MBEDTLS_XTEA_ALT */
-#include "xtea_alt.h"
-#endif /* MBEDTLS_XTEA_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
+#if defined(MBEDTLS_SELF_TEST)
 
 /**
  * \brief          Checkup routine
@@ -134,6 +130,8 @@ extern "C" {
  */
 int mbedtls_xtea_self_test( int verbose );
 
+#endif /* MBEDTLS_SELF_TEST */
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/library/CMakeLists.txt b/3rdparty/mbedtls/mbedtls/library/CMakeLists.txt
index f1c9a59d9a..2a0d47d8be 100644
--- a/3rdparty/mbedtls/mbedtls/library/CMakeLists.txt
+++ b/3rdparty/mbedtls/mbedtls/library/CMakeLists.txt
@@ -6,6 +6,7 @@ set(src_crypto
     aes.c
     aesni.c
     arc4.c
+    aria.c
     asn1parse.c
     asn1write.c
     base64.c
@@ -13,6 +14,8 @@ set(src_crypto
     blowfish.c
     camellia.c
     ccm.c
+    chacha20.c
+    chachapoly.c
     cipher.c
     cipher_wrap.c
     cmac.c
@@ -29,6 +32,7 @@ set(src_crypto
     error.c
     gcm.c
     havege.c
+    hkdf.c
     hmac_drbg.c
     md.c
     md2.c
@@ -36,6 +40,7 @@ set(src_crypto
     md5.c
     md_wrap.c
     memory_buffer_alloc.c
+    nist_kw.c
     oid.c
     padlock.c
     pem.c
@@ -46,6 +51,8 @@ set(src_crypto
     pkparse.c
     pkwrite.c
     platform.c
+    platform_util.c
+    poly1305.c
     ripemd160.c
     rsa.c
     rsa_internal.c
@@ -101,6 +108,17 @@ if(WIN32)
     set(libs ${libs} ws2_32)
 endif(WIN32)
 
+if(${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
+    SET(CMAKE_C_ARCHIVE_CREATE   "<CMAKE_AR> Scr <TARGET> <LINK_FLAGS> <OBJECTS>")
+    SET(CMAKE_CXX_ARCHIVE_CREATE "<CMAKE_AR> Scr <TARGET> <LINK_FLAGS> <OBJECTS>")
+    SET(CMAKE_C_ARCHIVE_FINISH   "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
+    SET(CMAKE_CXX_ARCHIVE_FINISH "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
+endif()
+
+if(HAIKU)
+    set(libs ${libs} network)
+endif(HAIKU)
+
 if(USE_PKCS11_HELPER_LIBRARY)
     set(libs ${libs} pkcs11-helper)
 endif(USE_PKCS11_HELPER_LIBRARY)
@@ -147,15 +165,15 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
 
 if(USE_SHARED_MBEDTLS_LIBRARY)
     add_library(mbedcrypto SHARED ${src_crypto})
-    set_target_properties(mbedcrypto PROPERTIES VERSION 2.7.11 SOVERSION 2)
+    set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.2 SOVERSION 3)
     target_link_libraries(mbedcrypto ${libs})
 
     add_library(mbedx509 SHARED ${src_x509})
-    set_target_properties(mbedx509 PROPERTIES VERSION 2.7.11 SOVERSION 0)
+    set_target_properties(mbedx509 PROPERTIES VERSION 2.16.2 SOVERSION 0)
     target_link_libraries(mbedx509 ${libs} mbedcrypto)
 
     add_library(mbedtls SHARED ${src_tls})
-    set_target_properties(mbedtls PROPERTIES VERSION 2.7.11 SOVERSION 10)
+    set_target_properties(mbedtls PROPERTIES VERSION 2.16.2 SOVERSION 12)
     target_link_libraries(mbedtls ${libs} mbedx509)
 
     install(TARGETS mbedtls mbedx509 mbedcrypto
diff --git a/3rdparty/mbedtls/mbedtls/library/Makefile b/3rdparty/mbedtls/mbedtls/library/Makefile
index 97f796fcf8..430c598812 100644
--- a/3rdparty/mbedtls/mbedtls/library/Makefile
+++ b/3rdparty/mbedtls/mbedtls/library/Makefile
@@ -21,6 +21,10 @@ endif
 # if were running on Windows build for Windows
 ifdef WINDOWS
 WINDOWS_BUILD=1
+else ifeq ($(shell uname -s),Darwin)
+ifeq ($(AR),ar)
+APPLE_BUILD ?= 1
+endif
 endif
 
 # To compile as a shared library:
@@ -31,37 +35,52 @@ LOCAL_CFLAGS += -fPIC -fpic
 endif
 endif
 
-SOEXT_TLS=so.10
+SOEXT_TLS=so.12
 SOEXT_X509=so.0
-SOEXT_CRYPTO=so.2
-
-# Set DLEXT=dylib to compile as a shared library for Mac OS X
-DLEXT ?= so
+SOEXT_CRYPTO=so.3
 
 # Set AR_DASH= (empty string) to use an ar implentation that does not accept
 # the - prefix for command line options (e.g. llvm-ar)
 AR_DASH ?= -
 
-# Windows shared library extension:
+ARFLAGS = $(AR_DASH)src
+ifdef APPLE_BUILD
+ifneq ($(APPLE_BUILD),0)
+ARFLAGS = $(AR_DASH)Src
+RLFLAGS = -no_warning_for_no_symbols -c
+RL ?= ranlib
+endif
+endif
+
+DLEXT ?= so
 ifdef WINDOWS_BUILD
-DLEXT=dll
+# Windows shared library extension:
+DLEXT = dll
+else ifdef APPLE_BUILD
+ifneq ($(APPLE_BUILD),0)
+# Mac OS X shared library extension:
+DLEXT = dylib
+endif
 endif
 
 OBJS_CRYPTO=	aes.o		aesni.o		arc4.o		\
-		asn1parse.o	asn1write.o	base64.o	\
-		bignum.o	blowfish.o	camellia.o	\
-		ccm.o		cipher.o	cipher_wrap.o	\
+		aria.o		asn1parse.o	asn1write.o	\
+		base64.o	bignum.o	blowfish.o	\
+		camellia.o	ccm.o		chacha20.o	\
+		chachapoly.o	cipher.o	cipher_wrap.o	\
 		cmac.o		ctr_drbg.o	des.o		\
 		dhm.o		ecdh.o		ecdsa.o		\
 		ecjpake.o	ecp.o				\
 		ecp_curves.o	entropy.o	entropy_poll.o	\
 		error.o		gcm.o		havege.o	\
+		hkdf.o						\
 		hmac_drbg.o	md.o		md2.o		\
 		md4.o		md5.o		md_wrap.o	\
-		memory_buffer_alloc.o		oid.o		\
-		padlock.o	pem.o		pk.o		\
-		pk_wrap.o	pkcs12.o	pkcs5.o		\
-		pkparse.o	pkwrite.o	platform.o	\
+		memory_buffer_alloc.o		nist_kw.o	\
+		oid.o		padlock.o	pem.o		\
+		pk.o		pk_wrap.o	pkcs12.o	\
+		pkcs5.o		pkparse.o	pkwrite.o	\
+		platform.o	platform_util.o	poly1305.o	\
 		ripemd160.o	rsa_internal.o	rsa.o  		\
 		sha1.o		sha256.o	sha512.o	\
 		threading.o	timing.o	version.o	\
@@ -94,9 +113,13 @@ shared: libmbedcrypto.$(DLEXT) libmbedx509.$(DLEXT) libmbedtls.$(DLEXT)
 # tls
 libmbedtls.a: $(OBJS_TLS)
 	echo "  AR    $@"
-	$(AR) $(AR_DASH)rc $@ $(OBJS_TLS)
+	$(AR) $(ARFLAGS) $@ $(OBJS_TLS)
+ifdef APPLE_BUILD
+ifneq ($(APPLE_BUILD),0)
 	echo "  RL    $@"
-	$(AR) $(AR_DASH)s $@
+	$(RL) $(RLFLAGS) $@
+endif
+endif
 
 libmbedtls.$(SOEXT_TLS): $(OBJS_TLS) libmbedx509.so
 	echo "  LD    $@"
@@ -117,9 +140,13 @@ libmbedtls.dll: $(OBJS_TLS) libmbedx509.dll
 # x509
 libmbedx509.a: $(OBJS_X509)
 	echo "  AR    $@"
-	$(AR) $(AR_DASH)rc $@ $(OBJS_X509)
+	$(AR) $(ARFLAGS) $@ $(OBJS_X509)
+ifdef APPLE_BUILD
+ifneq ($(APPLE_BUILD),0)
 	echo "  RL    $@"
-	$(AR) $(AR_DASH)s $@
+	$(RL) $(RLFLAGS) $@
+endif
+endif
 
 libmbedx509.$(SOEXT_X509): $(OBJS_X509) libmbedcrypto.so
 	echo "  LD    $@"
@@ -140,9 +167,13 @@ libmbedx509.dll: $(OBJS_X509) libmbedcrypto.dll
 # crypto
 libmbedcrypto.a: $(OBJS_CRYPTO)
 	echo "  AR    $@"
-	$(AR) $(AR_DASH)rc $@ $(OBJS_CRYPTO)
+	$(AR) $(ARFLAGS) $@ $(OBJS_CRYPTO)
+ifdef APPLE_BUILD
+ifneq ($(APPLE_BUILD),0)
 	echo "  RL    $@"
-	$(AR) $(AR_DASH)s $@
+	$(RL) $(RLFLAGS) $@
+endif
+endif
 
 libmbedcrypto.$(SOEXT_CRYPTO): $(OBJS_CRYPTO)
 	echo "  LD    $@"
diff --git a/3rdparty/mbedtls/mbedtls/library/aes.c b/3rdparty/mbedtls/mbedtls/library/aes.c
index 3d2eac82dd..aff0a9939a 100644
--- a/3rdparty/mbedtls/mbedtls/library/aes.c
+++ b/3rdparty/mbedtls/mbedtls/library/aes.c
@@ -36,6 +36,8 @@
 #include <string.h>
 
 #include "mbedtls/aes.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
 #if defined(MBEDTLS_PADLOCK_C)
 #include "mbedtls/padlock.h"
 #endif
@@ -54,10 +56,11 @@
 
 #if !defined(MBEDTLS_AES_ALT)
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
-}
+/* Parameter validation macros based on platform_util.h */
+#define AES_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
+#define AES_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
 
 /*
  * 32-bit integer manipulation macros (little endian)
@@ -201,6 +204,8 @@ static const unsigned char FSb[256] =
 static const uint32_t FT0[256] = { FT };
 #undef V
 
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+
 #define V(a,b,c,d) 0x##b##c##d##a
 static const uint32_t FT1[256] = { FT };
 #undef V
@@ -213,6 +218,8 @@ static const uint32_t FT2[256] = { FT };
 static const uint32_t FT3[256] = { FT };
 #undef V
 
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+
 #undef FT
 
 /*
@@ -328,6 +335,8 @@ static const unsigned char RSb[256] =
 static const uint32_t RT0[256] = { RT };
 #undef V
 
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+
 #define V(a,b,c,d) 0x##b##c##d##a
 static const uint32_t RT1[256] = { RT };
 #undef V
@@ -340,6 +349,8 @@ static const uint32_t RT2[256] = { RT };
 static const uint32_t RT3[256] = { RT };
 #undef V
 
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+
 #undef RT
 
 /*
@@ -359,18 +370,22 @@ static const uint32_t RCON[10] =
  */
 static unsigned char FSb[256];
 static uint32_t FT0[256];
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
 static uint32_t FT1[256];
 static uint32_t FT2[256];
 static uint32_t FT3[256];
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
 
 /*
  * Reverse S-box & tables
  */
 static unsigned char RSb[256];
 static uint32_t RT0[256];
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
 static uint32_t RT1[256];
 static uint32_t RT2[256];
 static uint32_t RT3[256];
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
 
 /*
  * Round constants
@@ -380,9 +395,9 @@ static uint32_t RCON[10];
 /*
  * Tables generation code
  */
-#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
-#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
-#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
+#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
+#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
+#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
 
 static int aes_init_done = 0;
 
@@ -445,9 +460,11 @@ static void aes_gen_tables( void )
                  ( (uint32_t) x << 16 ) ^
                  ( (uint32_t) z << 24 );
 
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
         FT1[i] = ROTL8( FT0[i] );
         FT2[i] = ROTL8( FT1[i] );
         FT3[i] = ROTL8( FT2[i] );
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
 
         x = RSb[i];
 
@@ -456,16 +473,52 @@ static void aes_gen_tables( void )
                  ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
                  ( (uint32_t) MUL( 0x0B, x ) << 24 );
 
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
         RT1[i] = ROTL8( RT0[i] );
         RT2[i] = ROTL8( RT1[i] );
         RT3[i] = ROTL8( RT2[i] );
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
     }
 }
 
+#undef ROTL8
+
 #endif /* MBEDTLS_AES_ROM_TABLES */
 
+#if defined(MBEDTLS_AES_FEWER_TABLES)
+
+#define ROTL8(x)  ( (uint32_t)( ( x ) <<  8 ) + (uint32_t)( ( x ) >> 24 ) )
+#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
+#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >>  8 ) )
+
+#define AES_RT0(idx) RT0[idx]
+#define AES_RT1(idx) ROTL8(  RT0[idx] )
+#define AES_RT2(idx) ROTL16( RT0[idx] )
+#define AES_RT3(idx) ROTL24( RT0[idx] )
+
+#define AES_FT0(idx) FT0[idx]
+#define AES_FT1(idx) ROTL8(  FT0[idx] )
+#define AES_FT2(idx) ROTL16( FT0[idx] )
+#define AES_FT3(idx) ROTL24( FT0[idx] )
+
+#else /* MBEDTLS_AES_FEWER_TABLES */
+
+#define AES_RT0(idx) RT0[idx]
+#define AES_RT1(idx) RT1[idx]
+#define AES_RT2(idx) RT2[idx]
+#define AES_RT3(idx) RT3[idx]
+
+#define AES_FT0(idx) FT0[idx]
+#define AES_FT1(idx) FT1[idx]
+#define AES_FT2(idx) FT2[idx]
+#define AES_FT3(idx) FT3[idx]
+
+#endif /* MBEDTLS_AES_FEWER_TABLES */
+
 void mbedtls_aes_init( mbedtls_aes_context *ctx )
 {
+    AES_VALIDATE( ctx != NULL );
+
     memset( ctx, 0, sizeof( mbedtls_aes_context ) );
 }
 
@@ -474,8 +527,27 @@ void mbedtls_aes_free( mbedtls_aes_context *ctx )
     if( ctx == NULL )
         return;
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_aes_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
+{
+    AES_VALIDATE( ctx != NULL );
+
+    mbedtls_aes_init( &ctx->crypt );
+    mbedtls_aes_init( &ctx->tweak );
+}
+
+void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_aes_free( &ctx->crypt );
+    mbedtls_aes_free( &ctx->tweak );
 }
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
 
 /*
  * AES key schedule (encryption)
@@ -487,14 +559,8 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
     unsigned int i;
     uint32_t *RK;
 
-#if !defined(MBEDTLS_AES_ROM_TABLES)
-    if( aes_init_done == 0 )
-    {
-        aes_gen_tables();
-        aes_init_done = 1;
-
-    }
-#endif
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( key != NULL );
 
     switch( keybits )
     {
@@ -504,6 +570,14 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
         default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
     }
 
+#if !defined(MBEDTLS_AES_ROM_TABLES)
+    if( aes_init_done == 0 )
+    {
+        aes_gen_tables();
+        aes_init_done = 1;
+    }
+#endif
+
 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
     if( aes_padlock_ace == -1 )
         aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
@@ -603,6 +677,9 @@ int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
     uint32_t *RK;
     uint32_t *SK;
 
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( key != NULL );
+
     mbedtls_aes_init( &cty );
 
 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
@@ -641,10 +718,10 @@ int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
     {
         for( j = 0; j < 4; j++, SK++ )
         {
-            *RK++ = RT0[ FSb[ ( *SK       ) & 0xFF ] ] ^
-                    RT1[ FSb[ ( *SK >>  8 ) & 0xFF ] ] ^
-                    RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
-                    RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
+            *RK++ = AES_RT0( FSb[ ( *SK       ) & 0xFF ] ) ^
+                    AES_RT1( FSb[ ( *SK >>  8 ) & 0xFF ] ) ^
+                    AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
+                    AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
         }
     }
 
@@ -658,53 +735,133 @@ int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
 
     return( ret );
 }
-#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
 
-#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)     \
-{                                               \
-    X0 = *RK++ ^ FT0[ ( Y0       ) & 0xFF ] ^   \
-                 FT1[ ( Y1 >>  8 ) & 0xFF ] ^   \
-                 FT2[ ( Y2 >> 16 ) & 0xFF ] ^   \
-                 FT3[ ( Y3 >> 24 ) & 0xFF ];    \
-                                                \
-    X1 = *RK++ ^ FT0[ ( Y1       ) & 0xFF ] ^   \
-                 FT1[ ( Y2 >>  8 ) & 0xFF ] ^   \
-                 FT2[ ( Y3 >> 16 ) & 0xFF ] ^   \
-                 FT3[ ( Y0 >> 24 ) & 0xFF ];    \
-                                                \
-    X2 = *RK++ ^ FT0[ ( Y2       ) & 0xFF ] ^   \
-                 FT1[ ( Y3 >>  8 ) & 0xFF ] ^   \
-                 FT2[ ( Y0 >> 16 ) & 0xFF ] ^   \
-                 FT3[ ( Y1 >> 24 ) & 0xFF ];    \
-                                                \
-    X3 = *RK++ ^ FT0[ ( Y3       ) & 0xFF ] ^   \
-                 FT1[ ( Y0 >>  8 ) & 0xFF ] ^   \
-                 FT2[ ( Y1 >> 16 ) & 0xFF ] ^   \
-                 FT3[ ( Y2 >> 24 ) & 0xFF ];    \
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
+                                        unsigned int keybits,
+                                        const unsigned char **key1,
+                                        unsigned int *key1bits,
+                                        const unsigned char **key2,
+                                        unsigned int *key2bits )
+{
+    const unsigned int half_keybits = keybits / 2;
+    const unsigned int half_keybytes = half_keybits / 8;
+
+    switch( keybits )
+    {
+        case 256: break;
+        case 512: break;
+        default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
+    }
+
+    *key1bits = half_keybits;
+    *key2bits = half_keybits;
+    *key1 = &key[0];
+    *key2 = &key[half_keybytes];
+
+    return 0;
+}
+
+int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
+                                const unsigned char *key,
+                                unsigned int keybits)
+{
+    int ret;
+    const unsigned char *key1, *key2;
+    unsigned int key1bits, key2bits;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( key != NULL );
+
+    ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
+                                       &key2, &key2bits );
+    if( ret != 0 )
+        return( ret );
+
+    /* Set the tweak key. Always set tweak key for the encryption mode. */
+    ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
+    if( ret != 0 )
+        return( ret );
+
+    /* Set crypt key for encryption. */
+    return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
 }
 
-#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)     \
-{                                               \
-    X0 = *RK++ ^ RT0[ ( Y0       ) & 0xFF ] ^   \
-                 RT1[ ( Y3 >>  8 ) & 0xFF ] ^   \
-                 RT2[ ( Y2 >> 16 ) & 0xFF ] ^   \
-                 RT3[ ( Y1 >> 24 ) & 0xFF ];    \
-                                                \
-    X1 = *RK++ ^ RT0[ ( Y1       ) & 0xFF ] ^   \
-                 RT1[ ( Y0 >>  8 ) & 0xFF ] ^   \
-                 RT2[ ( Y3 >> 16 ) & 0xFF ] ^   \
-                 RT3[ ( Y2 >> 24 ) & 0xFF ];    \
-                                                \
-    X2 = *RK++ ^ RT0[ ( Y2       ) & 0xFF ] ^   \
-                 RT1[ ( Y1 >>  8 ) & 0xFF ] ^   \
-                 RT2[ ( Y0 >> 16 ) & 0xFF ] ^   \
-                 RT3[ ( Y3 >> 24 ) & 0xFF ];    \
-                                                \
-    X3 = *RK++ ^ RT0[ ( Y3       ) & 0xFF ] ^   \
-                 RT1[ ( Y2 >>  8 ) & 0xFF ] ^   \
-                 RT2[ ( Y1 >> 16 ) & 0xFF ] ^   \
-                 RT3[ ( Y0 >> 24 ) & 0xFF ];    \
+int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
+                                const unsigned char *key,
+                                unsigned int keybits)
+{
+    int ret;
+    const unsigned char *key1, *key2;
+    unsigned int key1bits, key2bits;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( key != NULL );
+
+    ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
+                                       &key2, &key2bits );
+    if( ret != 0 )
+        return( ret );
+
+    /* Set the tweak key. Always set tweak key for encryption. */
+    ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
+    if( ret != 0 )
+        return( ret );
+
+    /* Set crypt key for decryption. */
+    return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
 }
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
+
+#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)                     \
+    do                                                          \
+    {                                                           \
+        (X0) = *RK++ ^ AES_FT0( ( (Y0)       ) & 0xFF ) ^       \
+                       AES_FT1( ( (Y1) >>  8 ) & 0xFF ) ^       \
+                       AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^       \
+                       AES_FT3( ( (Y3) >> 24 ) & 0xFF );        \
+                                                                \
+        (X1) = *RK++ ^ AES_FT0( ( (Y1)       ) & 0xFF ) ^       \
+                       AES_FT1( ( (Y2) >>  8 ) & 0xFF ) ^       \
+                       AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^       \
+                       AES_FT3( ( (Y0) >> 24 ) & 0xFF );        \
+                                                                \
+        (X2) = *RK++ ^ AES_FT0( ( (Y2)       ) & 0xFF ) ^       \
+                       AES_FT1( ( (Y3) >>  8 ) & 0xFF ) ^       \
+                       AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^       \
+                       AES_FT3( ( (Y1) >> 24 ) & 0xFF );        \
+                                                                \
+        (X3) = *RK++ ^ AES_FT0( ( (Y3)       ) & 0xFF ) ^       \
+                       AES_FT1( ( (Y0) >>  8 ) & 0xFF ) ^       \
+                       AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^       \
+                       AES_FT3( ( (Y2) >> 24 ) & 0xFF );        \
+    } while( 0 )
+
+#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)                 \
+    do                                                      \
+    {                                                       \
+        (X0) = *RK++ ^ AES_RT0( ( (Y0)       ) & 0xFF ) ^   \
+                       AES_RT1( ( (Y3) >>  8 ) & 0xFF ) ^   \
+                       AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^   \
+                       AES_RT3( ( (Y1) >> 24 ) & 0xFF );    \
+                                                            \
+        (X1) = *RK++ ^ AES_RT0( ( (Y1)       ) & 0xFF ) ^   \
+                       AES_RT1( ( (Y0) >>  8 ) & 0xFF ) ^   \
+                       AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^   \
+                       AES_RT3( ( (Y2) >> 24 ) & 0xFF );    \
+                                                            \
+        (X2) = *RK++ ^ AES_RT0( ( (Y2)       ) & 0xFF ) ^   \
+                       AES_RT1( ( (Y1) >>  8 ) & 0xFF ) ^   \
+                       AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^   \
+                       AES_RT3( ( (Y3) >> 24 ) & 0xFF );    \
+                                                            \
+        (X3) = *RK++ ^ AES_RT0( ( (Y3)       ) & 0xFF ) ^   \
+                       AES_RT1( ( (Y2) >>  8 ) & 0xFF ) ^   \
+                       AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^   \
+                       AES_RT3( ( (Y0) >> 24 ) & 0xFF );    \
+    } while( 0 )
 
 /*
  * AES-ECB block encryption
@@ -846,10 +1003,16 @@ void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
  * AES-ECB block encryption/decryption
  */
 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
-                    int mode,
-                    const unsigned char input[16],
-                    unsigned char output[16] )
+                           int mode,
+                           const unsigned char input[16],
+                           unsigned char output[16] )
 {
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+    AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
+                      mode == MBEDTLS_AES_DECRYPT );
+
 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
     if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
         return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
@@ -887,6 +1050,13 @@ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
     int i;
     unsigned char temp[16];
 
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
+                      mode == MBEDTLS_AES_DECRYPT );
+    AES_VALIDATE_RET( iv != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+
     if( length % 16 )
         return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
 
@@ -939,6 +1109,172 @@ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
 }
 #endif /* MBEDTLS_CIPHER_MODE_CBC */
 
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+
+/* Endianess with 64 bits values */
+#ifndef GET_UINT64_LE
+#define GET_UINT64_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint64_t) (b)[(i) + 7] << 56 )             \
+        | ( (uint64_t) (b)[(i) + 6] << 48 )             \
+        | ( (uint64_t) (b)[(i) + 5] << 40 )             \
+        | ( (uint64_t) (b)[(i) + 4] << 32 )             \
+        | ( (uint64_t) (b)[(i) + 3] << 24 )             \
+        | ( (uint64_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint64_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint64_t) (b)[(i)    ]       );            \
+}
+#endif
+
+#ifndef PUT_UINT64_LE
+#define PUT_UINT64_LE(n,b,i)                            \
+{                                                       \
+    (b)[(i) + 7] = (unsigned char) ( (n) >> 56 );       \
+    (b)[(i) + 6] = (unsigned char) ( (n) >> 48 );       \
+    (b)[(i) + 5] = (unsigned char) ( (n) >> 40 );       \
+    (b)[(i) + 4] = (unsigned char) ( (n) >> 32 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i)    ] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+typedef unsigned char mbedtls_be128[16];
+
+/*
+ * GF(2^128) multiplication function
+ *
+ * This function multiplies a field element by x in the polynomial field
+ * representation. It uses 64-bit word operations to gain speed but compensates
+ * for machine endianess and hence works correctly on both big and little
+ * endian machines.
+ */
+static void mbedtls_gf128mul_x_ble( unsigned char r[16],
+                                    const unsigned char x[16] )
+{
+    uint64_t a, b, ra, rb;
+
+    GET_UINT64_LE( a, x, 0 );
+    GET_UINT64_LE( b, x, 8 );
+
+    ra = ( a << 1 )  ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
+    rb = ( a >> 63 ) | ( b << 1 );
+
+    PUT_UINT64_LE( ra, r, 0 );
+    PUT_UINT64_LE( rb, r, 8 );
+}
+
+/*
+ * AES-XTS buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
+                           int mode,
+                           size_t length,
+                           const unsigned char data_unit[16],
+                           const unsigned char *input,
+                           unsigned char *output )
+{
+    int ret;
+    size_t blocks = length / 16;
+    size_t leftover = length % 16;
+    unsigned char tweak[16];
+    unsigned char prev_tweak[16];
+    unsigned char tmp[16];
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
+                      mode == MBEDTLS_AES_DECRYPT );
+    AES_VALIDATE_RET( data_unit != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+
+    /* Data units must be at least 16 bytes long. */
+    if( length < 16 )
+        return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
+
+    /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
+    if( length > ( 1 << 20 ) * 16 )
+        return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
+
+    /* Compute the tweak. */
+    ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
+                                 data_unit, tweak );
+    if( ret != 0 )
+        return( ret );
+
+    while( blocks-- )
+    {
+        size_t i;
+
+        if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
+        {
+            /* We are on the last block in a decrypt operation that has
+             * leftover bytes, so we need to use the next tweak for this block,
+             * and this tweak for the lefover bytes. Save the current tweak for
+             * the leftovers and then update the current tweak for use on this,
+             * the last full block. */
+            memcpy( prev_tweak, tweak, sizeof( tweak ) );
+            mbedtls_gf128mul_x_ble( tweak, tweak );
+        }
+
+        for( i = 0; i < 16; i++ )
+            tmp[i] = input[i] ^ tweak[i];
+
+        ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
+        if( ret != 0 )
+            return( ret );
+
+        for( i = 0; i < 16; i++ )
+            output[i] = tmp[i] ^ tweak[i];
+
+        /* Update the tweak for the next block. */
+        mbedtls_gf128mul_x_ble( tweak, tweak );
+
+        output += 16;
+        input += 16;
+    }
+
+    if( leftover )
+    {
+        /* If we are on the leftover bytes in a decrypt operation, we need to
+         * use the previous tweak for these bytes (as saved in prev_tweak). */
+        unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
+
+        /* We are now on the final part of the data unit, which doesn't divide
+         * evenly by 16. It's time for ciphertext stealing. */
+        size_t i;
+        unsigned char *prev_output = output - 16;
+
+        /* Copy ciphertext bytes from the previous block to our output for each
+         * byte of cyphertext we won't steal. At the same time, copy the
+         * remainder of the input for this final round (since the loop bounds
+         * are the same). */
+        for( i = 0; i < leftover; i++ )
+        {
+            output[i] = prev_output[i];
+            tmp[i] = input[i] ^ t[i];
+        }
+
+        /* Copy ciphertext bytes from the previous block for input in this
+         * round. */
+        for( ; i < 16; i++ )
+            tmp[i] = prev_output[i] ^ t[i];
+
+        ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
+        if( ret != 0 )
+            return ret;
+
+        /* Write the result back to the previous block, overriding the previous
+         * output we copied. */
+        for( i = 0; i < 16; i++ )
+            prev_output[i] = tmp[i] ^ t[i];
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
 /*
  * AES-CFB128 buffer encryption/decryption
@@ -952,7 +1288,20 @@ int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
                        unsigned char *output )
 {
     int c;
-    size_t n = *iv_off;
+    size_t n;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
+                      mode == MBEDTLS_AES_DECRYPT );
+    AES_VALIDATE_RET( iv_off != NULL );
+    AES_VALIDATE_RET( iv != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+
+    n = *iv_off;
+
+    if( n > 15 )
+        return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
 
     if( mode == MBEDTLS_AES_DECRYPT )
     {
@@ -990,15 +1339,21 @@ int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
  * AES-CFB8 buffer encryption/decryption
  */
 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
-                       int mode,
-                       size_t length,
-                       unsigned char iv[16],
-                       const unsigned char *input,
-                       unsigned char *output )
+                            int mode,
+                            size_t length,
+                            unsigned char iv[16],
+                            const unsigned char *input,
+                            unsigned char *output )
 {
     unsigned char c;
     unsigned char ov[17];
 
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
+                      mode == MBEDTLS_AES_DECRYPT );
+    AES_VALIDATE_RET( iv != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
     while( length-- )
     {
         memcpy( ov, iv, 16 );
@@ -1017,7 +1372,52 @@ int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
 
     return( 0 );
 }
-#endif /*MBEDTLS_CIPHER_MODE_CFB */
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/*
+ * AES-OFB (Output Feedback Mode) buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
+                           size_t length,
+                           size_t *iv_off,
+                           unsigned char iv[16],
+                           const unsigned char *input,
+                           unsigned char *output )
+{
+    int ret = 0;
+    size_t n;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( iv_off != NULL );
+    AES_VALIDATE_RET( iv != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+
+    n = *iv_off;
+
+    if( n > 15 )
+        return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
+
+    while( length-- )
+    {
+        if( n == 0 )
+        {
+            ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
+            if( ret != 0 )
+                goto exit;
+        }
+        *output++ =  *input++ ^ iv[n];
+
+        n = ( n + 1 ) & 0x0F;
+    }
+
+    *iv_off = n;
+
+exit:
+    return( ret );
+}
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
 
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
 /*
@@ -1032,7 +1432,19 @@ int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
                        unsigned char *output )
 {
     int c, i;
-    size_t n = *nc_off;
+    size_t n;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( nc_off != NULL );
+    AES_VALIDATE_RET( nonce_counter != NULL );
+    AES_VALIDATE_RET( stream_block != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+
+    n = *nc_off;
+
+    if ( n > 0x0F )
+        return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
 
     while( length-- )
     {
@@ -1171,6 +1583,72 @@ static const unsigned char aes_test_cfb128_ct[3][64] =
 };
 #endif /* MBEDTLS_CIPHER_MODE_CFB */
 
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/*
+ * AES-OFB test vectors from:
+ *
+ * https://csrc.nist.gov/publications/detail/sp/800-38a/final
+ */
+static const unsigned char aes_test_ofb_key[3][32] =
+{
+    { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+      0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
+    { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
+      0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
+      0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
+    { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+      0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+      0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+      0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
+};
+
+static const unsigned char aes_test_ofb_iv[16] =
+{
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+};
+
+static const unsigned char aes_test_ofb_pt[64] =
+{
+    0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+    0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
+    0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
+    0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
+    0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
+    0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
+    0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
+    0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
+};
+
+static const unsigned char aes_test_ofb_ct[3][64] =
+{
+    { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
+      0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
+      0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
+      0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
+      0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
+      0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
+      0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
+      0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
+    { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
+      0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
+      0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
+      0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
+      0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
+      0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
+      0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
+      0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
+    { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
+      0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
+      0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
+      0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
+      0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
+      0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
+      0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
+      0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
 /*
  * AES-CTR test vectors from:
@@ -1234,6 +1712,74 @@ static const int aes_test_ctr_len[3] =
     { 16, 32, 36 };
 #endif /* MBEDTLS_CIPHER_MODE_CTR */
 
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/*
+ * AES-XTS test vectors from:
+ *
+ * IEEE P1619/D16 Annex B
+ * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
+ * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
+ */
+static const unsigned char aes_test_xts_key[][32] =
+{
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+      0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
+    { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
+      0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
+      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
+};
+
+static const unsigned char aes_test_xts_pt32[][32] =
+{
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
+    { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
+};
+
+static const unsigned char aes_test_xts_ct32[][32] =
+{
+    { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
+      0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
+      0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
+      0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
+    { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
+      0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
+      0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
+      0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
+    { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
+      0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
+      0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
+      0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
+};
+
+static const unsigned char aes_test_xts_data_unit[][16] =
+{
+   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+   { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+   { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+};
+
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
 /*
  * Checkup routine
  */
@@ -1250,11 +1796,14 @@ int mbedtls_aes_self_test( int verbose )
 #if defined(MBEDTLS_CIPHER_MODE_CBC)
     unsigned char prv[16];
 #endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB)
+#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+    defined(MBEDTLS_CIPHER_MODE_OFB)
     size_t offset;
 #endif
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
+#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
     int len;
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
     unsigned char nonce_counter[16];
     unsigned char stream_block[16];
 #endif
@@ -1294,7 +1843,7 @@ int mbedtls_aes_self_test( int verbose )
          * there is an alternative underlying implementation i.e. when
          * MBEDTLS_AES_ALT is defined.
          */
-        if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
+        if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
         {
             mbedtls_printf( "skipped\n" );
             continue;
@@ -1358,7 +1907,7 @@ int mbedtls_aes_self_test( int verbose )
          * there is an alternative underlying implementation i.e. when
          * MBEDTLS_AES_ALT is defined.
          */
-        if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
+        if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
         {
             mbedtls_printf( "skipped\n" );
             continue;
@@ -1423,7 +1972,7 @@ int mbedtls_aes_self_test( int verbose )
          * there is an alternative underlying implementation i.e. when
          * MBEDTLS_AES_ALT is defined.
          */
-        if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
+        if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
         {
             mbedtls_printf( "skipped\n" );
             continue;
@@ -1462,6 +2011,69 @@ int mbedtls_aes_self_test( int verbose )
         mbedtls_printf( "\n" );
 #endif /* MBEDTLS_CIPHER_MODE_CFB */
 
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    /*
+     * OFB mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        keybits = 128 + u * 64;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-OFB-%3d (%s): ", keybits,
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( iv,  aes_test_ofb_iv, 16 );
+        memcpy( key, aes_test_ofb_key[u], keybits / 8 );
+
+        offset = 0;
+        ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
+        /*
+         * AES-192 is an optional feature that may be unavailable when
+         * there is an alternative underlying implementation i.e. when
+         * MBEDTLS_AES_ALT is defined.
+         */
+        if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
+        {
+            mbedtls_printf( "skipped\n" );
+            continue;
+        }
+        else if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            memcpy( buf, aes_test_ofb_ct[u], 64 );
+            aes_tests = aes_test_ofb_pt;
+        }
+        else
+        {
+            memcpy( buf, aes_test_ofb_pt, 64 );
+            aes_tests = aes_test_ofb_ct[u];
+        }
+
+        ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
+        if( ret != 0 )
+            goto exit;
+
+        if( memcmp( buf, aes_tests, 64 ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     /*
      * CTR mode
@@ -1514,6 +2126,73 @@ int mbedtls_aes_self_test( int verbose )
         mbedtls_printf( "\n" );
 #endif /* MBEDTLS_CIPHER_MODE_CTR */
 
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    {
+    static const int num_tests =
+        sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
+    mbedtls_aes_xts_context ctx_xts;
+
+    /*
+     * XTS mode
+     */
+    mbedtls_aes_xts_init( &ctx_xts );
+
+    for( i = 0; i < num_tests << 1; i++ )
+    {
+        const unsigned char *data_unit;
+        u = i >> 1;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-XTS-128 (%s): ",
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memset( key, 0, sizeof( key ) );
+        memcpy( key, aes_test_xts_key[u], 32 );
+        data_unit = aes_test_xts_data_unit[u];
+
+        len = sizeof( *aes_test_xts_ct32 );
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
+            if( ret != 0)
+                goto exit;
+            memcpy( buf, aes_test_xts_ct32[u], len );
+            aes_tests = aes_test_xts_pt32[u];
+        }
+        else
+        {
+            ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
+            if( ret != 0)
+                goto exit;
+            memcpy( buf, aes_test_xts_pt32[u], len );
+            aes_tests = aes_test_xts_ct32[u];
+        }
+
+
+        ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
+                                     buf, buf );
+        if( ret != 0 )
+            goto exit;
+
+        if( memcmp( buf, aes_tests, len ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    mbedtls_aes_xts_free( &ctx_xts );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
     ret = 0;
 
 exit:
diff --git a/3rdparty/mbedtls/mbedtls/library/aesni.c b/3rdparty/mbedtls/mbedtls/library/aesni.c
index 1ca3c3ef5b..062708b047 100644
--- a/3rdparty/mbedtls/mbedtls/library/aesni.c
+++ b/3rdparty/mbedtls/mbedtls/library/aesni.c
@@ -32,6 +32,12 @@
 
 #if defined(MBEDTLS_AESNI_C)
 
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+#warning "MBEDTLS_AESNI_C is known to cause spurious error reports with some memory sanitizers as they do not understand the assembly code."
+#endif
+#endif
+
 #include "mbedtls/aesni.h"
 
 #include <string.h>
diff --git a/3rdparty/mbedtls/mbedtls/library/arc4.c b/3rdparty/mbedtls/mbedtls/library/arc4.c
index 05b33d3fdb..b8998ac6cd 100644
--- a/3rdparty/mbedtls/mbedtls/library/arc4.c
+++ b/3rdparty/mbedtls/mbedtls/library/arc4.c
@@ -33,6 +33,7 @@
 #if defined(MBEDTLS_ARC4_C)
 
 #include "mbedtls/arc4.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -47,11 +48,6 @@
 
 #if !defined(MBEDTLS_ARC4_ALT)
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
-}
-
 void mbedtls_arc4_init( mbedtls_arc4_context *ctx )
 {
     memset( ctx, 0, sizeof( mbedtls_arc4_context ) );
@@ -62,7 +58,7 @@ void mbedtls_arc4_free( mbedtls_arc4_context *ctx )
     if( ctx == NULL )
         return;
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_arc4_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_arc4_context ) );
 }
 
 /*
diff --git a/3rdparty/mbedtls/mbedtls/library/aria.c b/3rdparty/mbedtls/mbedtls/library/aria.c
new file mode 100644
index 0000000000..aff66d667f
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/library/aria.c
@@ -0,0 +1,1079 @@
+/*
+ *  ARIA implementation
+ *
+ *  Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * This implementation is based on the following standards:
+ * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
+ * [2] https://tools.ietf.org/html/rfc5794
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ARIA_C)
+
+#include "mbedtls/aria.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_ARIA_ALT)
+
+#include "mbedtls/platform_util.h"
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Parameter validation macros */
+#define ARIA_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
+#define ARIA_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE( n, b, i )                \
+{                                               \
+    (n) = ( (uint32_t) (b)[(i)    ]       )     \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )     \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )     \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );    \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE( n, b, i )                                \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+/*
+ * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
+ *
+ * This is submatrix P1 in [1] Appendix B.1
+ *
+ * Common compilers fail to translate this to minimal number of instructions,
+ * so let's provide asm versions for common platforms with C fallback.
+ */
+#if defined(MBEDTLS_HAVE_ASM)
+#if defined(__arm__) /* rev16 available from v6 up */
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+    ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
+    __ARM_ARCH >= 6
+static inline uint32_t aria_p1( uint32_t x )
+{
+    uint32_t r;
+    __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
+    return( r );
+}
+#define ARIA_P1 aria_p1
+#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
+    ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
+static inline uint32_t aria_p1( uint32_t x )
+{
+    uint32_t r;
+    __asm( "rev16 r, x" );
+    return( r );
+}
+#define ARIA_P1 aria_p1
+#endif
+#endif /* arm */
+#if defined(__GNUC__) && \
+    defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
+/* I couldn't find an Intel equivalent of rev16, so two instructions */
+#define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
+#endif /* x86 gnuc */
+#endif /* MBEDTLS_HAVE_ASM && GNUC */
+#if !defined(ARIA_P1)
+#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
+#endif
+
+/*
+ * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
+ *
+ * This is submatrix P2 in [1] Appendix B.1
+ *
+ * Common compilers will translate this to a single instruction.
+ */
+#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
+
+/*
+ * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
+ *
+ * This is submatrix P3 in [1] Appendix B.1
+ *
+ * Some compilers fail to translate this to a single instruction,
+ * so let's provide asm versions for common platforms with C fallback.
+ */
+#if defined(MBEDTLS_HAVE_ASM)
+#if defined(__arm__) /* rev available from v6 up */
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+    ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
+    __ARM_ARCH >= 6
+static inline uint32_t aria_p3( uint32_t x )
+{
+    uint32_t r;
+    __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
+    return( r );
+}
+#define ARIA_P3 aria_p3
+#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
+    ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
+static inline uint32_t aria_p3( uint32_t x )
+{
+    uint32_t r;
+    __asm( "rev r, x" );
+    return( r );
+}
+#define ARIA_P3 aria_p3
+#endif
+#endif /* arm */
+#if defined(__GNUC__) && \
+    defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
+static inline uint32_t aria_p3( uint32_t x )
+{
+    __asm( "bswap %0" : "=r" (x) : "0" (x) );
+    return( x );
+}
+#define ARIA_P3 aria_p3
+#endif /* x86 gnuc */
+#endif /* MBEDTLS_HAVE_ASM && GNUC */
+#if !defined(ARIA_P3)
+#define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
+#endif
+
+/*
+ * ARIA Affine Transform
+ * (a, b, c, d) = state in/out
+ *
+ * If we denote the first byte of input by 0, ..., the last byte by f,
+ * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
+ *
+ * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
+ * rearrangements on adjacent pairs, output is:
+ *
+ * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
+ *   = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
+ * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
+ *   = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
+ * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
+ *   = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
+ * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
+ *   = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
+ *
+ * Note: another presentation of the A transform can be found as the first
+ * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
+ * The implementation below uses only P1 and P2 as they are sufficient.
+ */
+static inline void aria_a( uint32_t *a, uint32_t *b,
+                           uint32_t *c, uint32_t *d )
+{
+    uint32_t ta, tb, tc;
+    ta  =  *b;                      // 4567
+    *b  =  *a;                      // 0123
+    *a  =  ARIA_P2( ta );           // 6745
+    tb  =  ARIA_P2( *d );           // efcd
+    *d  =  ARIA_P1( *c );           // 98ba
+    *c  =  ARIA_P1( tb );           // fedc
+    ta  ^= *d;                      // 4567+98ba
+    tc  =  ARIA_P2( *b );           // 2301
+    ta  =  ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
+    tb  ^= ARIA_P2( *d );           // ba98+efcd
+    tc  ^= ARIA_P1( *a );           // 2301+7654
+    *b  ^= ta ^ tb;                 // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
+    tb  =  ARIA_P2( tb ) ^ ta;      // 2301+5476+89ab+98ba+cdef+fedc
+    *a  ^= ARIA_P1( tb );           // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
+    ta  =  ARIA_P2( ta );           // 0123+7654+ab89+dcfe
+    *d  ^= ARIA_P1( ta ) ^ tc;      // 1032+2301+6745+7654+98ba+ba98+cdef OUT
+    tc  =  ARIA_P2( tc );           // 0123+5476
+    *c  ^= ARIA_P1( tc ) ^ ta;      // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
+}
+
+/*
+ * ARIA Substitution Layer SL1 / SL2
+ * (a, b, c, d) = state in/out
+ * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
+ *
+ * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
+ * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
+ */
+static inline void aria_sl( uint32_t *a, uint32_t *b,
+                            uint32_t *c, uint32_t *d,
+                            const uint8_t sa[256], const uint8_t sb[256],
+                            const uint8_t sc[256], const uint8_t sd[256] )
+{
+    *a = ( (uint32_t) sa[ *a        & 0xFF]       ) ^
+         (((uint32_t) sb[(*a >>  8) & 0xFF]) <<  8) ^
+         (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
+         (((uint32_t) sd[ *a >> 24        ]) << 24);
+    *b = ( (uint32_t) sa[ *b        & 0xFF]       ) ^
+         (((uint32_t) sb[(*b >>  8) & 0xFF]) <<  8) ^
+         (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
+         (((uint32_t) sd[ *b >> 24        ]) << 24);
+    *c = ( (uint32_t) sa[ *c        & 0xFF]       ) ^
+         (((uint32_t) sb[(*c >>  8) & 0xFF]) <<  8) ^
+         (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
+         (((uint32_t) sd[ *c >> 24        ]) << 24);
+    *d = ( (uint32_t) sa[ *d        & 0xFF]       ) ^
+         (((uint32_t) sb[(*d >>  8) & 0xFF]) <<  8) ^
+         (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
+         (((uint32_t) sd[ *d >> 24        ]) << 24);
+}
+
+/*
+ * S-Boxes
+ */
+static const uint8_t aria_sb1[256] =
+{
+    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
+    0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
+    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
+    0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
+    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
+    0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
+    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
+    0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
+    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
+    0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
+    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
+    0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
+    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
+    0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
+    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
+    0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
+    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
+    0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
+    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
+    0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
+    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
+    0xB0, 0x54, 0xBB, 0x16
+};
+
+static const uint8_t aria_sb2[256] =
+{
+    0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
+    0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
+    0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
+    0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
+    0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
+    0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
+    0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
+    0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
+    0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
+    0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
+    0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
+    0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
+    0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
+    0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
+    0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
+    0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
+    0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
+    0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
+    0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
+    0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
+    0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
+    0xAF, 0xBA, 0xB5, 0x81
+};
+
+static const uint8_t aria_is1[256] =
+{
+    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
+    0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
+    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
+    0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
+    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
+    0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
+    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
+    0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
+    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
+    0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
+    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
+    0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
+    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
+    0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
+    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
+    0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
+    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
+    0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
+    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
+    0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
+    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
+    0x55, 0x21, 0x0C, 0x7D
+};
+
+static const uint8_t aria_is2[256] =
+{
+    0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
+    0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
+    0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
+    0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
+    0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
+    0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
+    0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
+    0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
+    0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
+    0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
+    0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
+    0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
+    0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
+    0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
+    0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
+    0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
+    0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
+    0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
+    0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
+    0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
+    0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
+    0x03, 0xA2, 0xAC, 0x60
+};
+
+/*
+ * Helper for key schedule: r = FO( p, k ) ^ x
+ */
+static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
+                         const uint32_t k[4], const uint32_t x[4] )
+{
+    uint32_t a, b, c, d;
+
+    a = p[0] ^ k[0];
+    b = p[1] ^ k[1];
+    c = p[2] ^ k[2];
+    d = p[3] ^ k[3];
+
+    aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
+    aria_a( &a, &b, &c, &d );
+
+    r[0] = a ^ x[0];
+    r[1] = b ^ x[1];
+    r[2] = c ^ x[2];
+    r[3] = d ^ x[3];
+}
+
+/*
+ * Helper for key schedule: r = FE( p, k ) ^ x
+ */
+static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
+                         const uint32_t k[4], const uint32_t x[4] )
+{
+    uint32_t a, b, c, d;
+
+    a = p[0] ^ k[0];
+    b = p[1] ^ k[1];
+    c = p[2] ^ k[2];
+    d = p[3] ^ k[3];
+
+    aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
+    aria_a( &a, &b, &c, &d );
+
+    r[0] = a ^ x[0];
+    r[1] = b ^ x[1];
+    r[2] = c ^ x[2];
+    r[3] = d ^ x[3];
+}
+
+/*
+ * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
+ *
+ * We chose to store bytes into 32-bit words in little-endian format (see
+ * GET/PUT_UINT32_LE) so we need to reverse bytes here.
+ */
+static void aria_rot128( uint32_t r[4], const uint32_t a[4],
+                         const uint32_t b[4], uint8_t n )
+{
+    uint8_t i, j;
+    uint32_t t, u;
+
+    const uint8_t n1 = n % 32;              // bit offset
+    const uint8_t n2 = n1 ? 32 - n1 : 0;    // reverse bit offset
+
+    j = ( n / 32 ) % 4;                     // initial word offset
+    t = ARIA_P3( b[j] );                    // big endian
+    for( i = 0; i < 4; i++ )
+    {
+        j = ( j + 1 ) % 4;                  // get next word, big endian
+        u = ARIA_P3( b[j] );
+        t <<= n1;                           // rotate
+        t |= u >> n2;
+        t = ARIA_P3( t );                   // back to little endian
+        r[i] = a[i] ^ t;                    // store
+        t = u;                              // move to next word
+    }
+}
+
+/*
+ * Set encryption key
+ */
+int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
+                             const unsigned char *key, unsigned int keybits )
+{
+    /* round constant masks */
+    const uint32_t rc[3][4] =
+    {
+        {   0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA  },
+        {   0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF  },
+        {   0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804  }
+    };
+
+    int i;
+    uint32_t w[4][4], *w2;
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( key != NULL );
+
+    if( keybits != 128 && keybits != 192 && keybits != 256 )
+        return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
+
+    /* Copy key to W0 (and potential remainder to W1) */
+    GET_UINT32_LE( w[0][0], key,  0 );
+    GET_UINT32_LE( w[0][1], key,  4 );
+    GET_UINT32_LE( w[0][2], key,  8 );
+    GET_UINT32_LE( w[0][3], key, 12 );
+
+    memset( w[1], 0, 16 );
+    if( keybits >= 192 )
+    {
+        GET_UINT32_LE( w[1][0], key, 16 );  // 192 bit key
+        GET_UINT32_LE( w[1][1], key, 20 );
+    }
+    if( keybits == 256 )
+    {
+        GET_UINT32_LE( w[1][2], key, 24 );  // 256 bit key
+        GET_UINT32_LE( w[1][3], key, 28 );
+    }
+
+    i = ( keybits - 128 ) >> 6;             // index: 0, 1, 2
+    ctx->nr = 12 + 2 * i;                   // no. rounds: 12, 14, 16
+
+    aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
+    i = i < 2 ? i + 1 : 0;
+    aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
+    i = i < 2 ? i + 1 : 0;
+    aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
+
+    for( i = 0; i < 4; i++ )                // create round keys
+    {
+        w2 = w[(i + 1) & 3];
+        aria_rot128( ctx->rk[i     ], w[i], w2, 128 - 19 );
+        aria_rot128( ctx->rk[i +  4], w[i], w2, 128 - 31 );
+        aria_rot128( ctx->rk[i +  8], w[i], w2,       61 );
+        aria_rot128( ctx->rk[i + 12], w[i], w2,       31 );
+    }
+    aria_rot128( ctx->rk[16], w[0], w[1], 19 );
+
+    /* w holds enough info to reconstruct the round keys */
+    mbedtls_platform_zeroize( w, sizeof( w ) );
+
+    return( 0 );
+}
+
+/*
+ * Set decryption key
+ */
+int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
+                             const unsigned char *key, unsigned int keybits )
+{
+    int i, j, k, ret;
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( key != NULL );
+
+    ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
+    if( ret != 0 )
+        return( ret );
+
+    /* flip the order of round keys */
+    for( i = 0, j = ctx->nr; i < j; i++, j-- )
+    {
+        for( k = 0; k < 4; k++ )
+        {
+            uint32_t t = ctx->rk[i][k];
+            ctx->rk[i][k] = ctx->rk[j][k];
+            ctx->rk[j][k] = t;
+        }
+    }
+
+    /* apply affine transform to middle keys */
+    for( i = 1; i < ctx->nr; i++ )
+    {
+        aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
+                &ctx->rk[i][2], &ctx->rk[i][3] );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Encrypt a block
+ */
+int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
+                            const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
+                            unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
+{
+    int i;
+
+    uint32_t a, b, c, d;
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( input != NULL );
+    ARIA_VALIDATE_RET( output != NULL );
+
+    GET_UINT32_LE( a, input,  0 );
+    GET_UINT32_LE( b, input,  4 );
+    GET_UINT32_LE( c, input,  8 );
+    GET_UINT32_LE( d, input, 12 );
+
+    i = 0;
+    while( 1 )
+    {
+        a ^= ctx->rk[i][0];
+        b ^= ctx->rk[i][1];
+        c ^= ctx->rk[i][2];
+        d ^= ctx->rk[i][3];
+        i++;
+
+        aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
+        aria_a( &a, &b, &c, &d );
+
+        a ^= ctx->rk[i][0];
+        b ^= ctx->rk[i][1];
+        c ^= ctx->rk[i][2];
+        d ^= ctx->rk[i][3];
+        i++;
+
+        aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
+        if( i >= ctx->nr )
+            break;
+        aria_a( &a, &b, &c, &d );
+    }
+
+    /* final key mixing */
+    a ^= ctx->rk[i][0];
+    b ^= ctx->rk[i][1];
+    c ^= ctx->rk[i][2];
+    d ^= ctx->rk[i][3];
+
+    PUT_UINT32_LE( a, output,  0 );
+    PUT_UINT32_LE( b, output,  4 );
+    PUT_UINT32_LE( c, output,  8 );
+    PUT_UINT32_LE( d, output, 12 );
+
+    return( 0 );
+}
+
+/* Initialize context */
+void mbedtls_aria_init( mbedtls_aria_context *ctx )
+{
+    ARIA_VALIDATE( ctx != NULL );
+    memset( ctx, 0, sizeof( mbedtls_aria_context ) );
+}
+
+/* Clear context */
+void mbedtls_aria_free( mbedtls_aria_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * ARIA-CBC buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
+                            int mode,
+                            size_t length,
+                            unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+                            const unsigned char *input,
+                            unsigned char *output )
+{
+    int i;
+    unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
+
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
+                       mode == MBEDTLS_ARIA_DECRYPT );
+    ARIA_VALIDATE_RET( length == 0 || input  != NULL );
+    ARIA_VALIDATE_RET( length == 0 || output != NULL );
+    ARIA_VALIDATE_RET( iv != NULL );
+
+    if( length % MBEDTLS_ARIA_BLOCKSIZE )
+        return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_ARIA_DECRYPT )
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
+            mbedtls_aria_crypt_ecb( ctx, input, output );
+
+            for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
+
+            input  += MBEDTLS_ARIA_BLOCKSIZE;
+            output += MBEDTLS_ARIA_BLOCKSIZE;
+            length -= MBEDTLS_ARIA_BLOCKSIZE;
+        }
+    }
+    else
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_aria_crypt_ecb( ctx, output, output );
+            memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
+
+            input  += MBEDTLS_ARIA_BLOCKSIZE;
+            output += MBEDTLS_ARIA_BLOCKSIZE;
+            length -= MBEDTLS_ARIA_BLOCKSIZE;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * ARIA-CFB128 buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
+                               int mode,
+                               size_t length,
+                               size_t *iv_off,
+                               unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+                               const unsigned char *input,
+                               unsigned char *output )
+{
+    unsigned char c;
+    size_t n;
+
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
+                       mode == MBEDTLS_ARIA_DECRYPT );
+    ARIA_VALIDATE_RET( length == 0 || input  != NULL );
+    ARIA_VALIDATE_RET( length == 0 || output != NULL );
+    ARIA_VALIDATE_RET( iv != NULL );
+    ARIA_VALIDATE_RET( iv_off != NULL );
+
+    n = *iv_off;
+
+    /* An overly large value of n can lead to an unlimited
+     * buffer overflow. Therefore, guard against this
+     * outside of parameter validation. */
+    if( n >= MBEDTLS_ARIA_BLOCKSIZE )
+        return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
+
+    if( mode == MBEDTLS_ARIA_DECRYPT )
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_aria_crypt_ecb( ctx, iv, iv );
+
+            c = *input++;
+            *output++ = c ^ iv[n];
+            iv[n] = c;
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+    else
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_aria_crypt_ecb( ctx, iv, iv );
+
+            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+
+    *iv_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * ARIA-CTR buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
+                            size_t length,
+                            size_t *nc_off,
+                            unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
+                            unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
+                            const unsigned char *input,
+                            unsigned char *output )
+{
+    int c, i;
+    size_t n;
+
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( length == 0 || input  != NULL );
+    ARIA_VALIDATE_RET( length == 0 || output != NULL );
+    ARIA_VALIDATE_RET( nonce_counter != NULL );
+    ARIA_VALIDATE_RET( stream_block  != NULL );
+    ARIA_VALIDATE_RET( nc_off != NULL );
+
+    n = *nc_off;
+    /* An overly large value of n can lead to an unlimited
+     * buffer overflow. Therefore, guard against this
+     * outside of parameter validation. */
+    if( n >= MBEDTLS_ARIA_BLOCKSIZE )
+        return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
+
+    while( length-- )
+    {
+        if( n == 0 ) {
+            mbedtls_aria_crypt_ecb( ctx, nonce_counter,
+                                stream_block );
+
+            for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
+                if( ++nonce_counter[i - 1] != 0 )
+                    break;
+        }
+        c = *input++;
+        *output++ = (unsigned char)( c ^ stream_block[n] );
+
+        n = ( n + 1 ) & 0x0F;
+    }
+
+    *nc_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#endif /* !MBEDTLS_ARIA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Basic ARIA ECB test vectors from RFC 5794
+ */
+static const uint8_t aria_test1_ecb_key[32] =           // test key
+{
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,     // 128 bit
+    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,     // 192 bit
+    0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F      // 256 bit
+};
+
+static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] =            // plaintext
+{
+    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // same for all
+    0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF      // key sizes
+};
+
+static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] =         // ciphertext
+{
+    { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73,   // 128 bit
+      0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
+    { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA,   // 192 bit
+      0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
+    { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F,   // 256 bit
+      0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
+};
+
+/*
+ * Mode tests from "Test Vectors for ARIA"  Version 1.0
+ * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
+ */
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+    defined(MBEDTLS_CIPHER_MODE_CTR))
+static const uint8_t aria_test2_key[32] =
+{
+    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 128 bit
+    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
+    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 192 bit
+    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff      // 256 bit
+};
+
+static const uint8_t aria_test2_pt[48] =
+{
+    0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa,     // same for all
+    0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
+    0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
+    0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
+    0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
+    0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
+};
+#endif
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
+static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
+{
+    0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,     // same for CBC, CFB
+    0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0      // CTR has zero IV
+};
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const uint8_t aria_test2_cbc_ct[3][48] =         // CBC ciphertext
+{
+    { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10,   // 128-bit key
+      0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
+      0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
+      0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
+      0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
+      0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
+    { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c,   // 192-bit key
+      0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
+      0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
+      0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
+      0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
+      0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
+    { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1,   // 256-bit key
+      0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
+      0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
+      0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
+      0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
+      0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const uint8_t aria_test2_cfb_ct[3][48] =         // CFB ciphertext
+{
+    { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38,   // 128-bit key
+      0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
+      0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
+      0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
+      0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
+      0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
+    { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54,   // 192-bit key
+      0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
+      0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
+      0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
+      0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
+      0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
+    { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2,   // 256-bit key
+      0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
+      0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
+      0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
+      0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
+      0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const uint8_t aria_test2_ctr_ct[3][48] =         // CTR ciphertext
+{
+    { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c,   // 128-bit key
+      0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
+      0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
+      0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
+      0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
+      0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
+    { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19,   // 192-bit key
+      0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
+      0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
+      0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
+      0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
+      0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
+    { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17,   // 256-bit key
+      0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
+      0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
+      0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
+      0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
+      0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#define ARIA_SELF_TEST_IF_FAIL              \
+        {                                   \
+            if( verbose )                   \
+                mbedtls_printf( "failed\n" );       \
+            return( 1 );                    \
+        } else {                            \
+            if( verbose )                   \
+                mbedtls_printf( "passed\n" );       \
+        }
+
+/*
+ * Checkup routine
+ */
+int mbedtls_aria_self_test( int verbose )
+{
+    int i;
+    uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
+    mbedtls_aria_context ctx;
+
+#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
+    size_t j;
+#endif
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
+     defined(MBEDTLS_CIPHER_MODE_CFB) || \
+     defined(MBEDTLS_CIPHER_MODE_CTR))
+    uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
+#endif
+
+    /*
+     * Test set 1
+     */
+    for( i = 0; i < 3; i++ )
+    {
+        /* test ECB encryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-ECB-%d (enc): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
+        mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
+        if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+
+        /* test ECB decryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-ECB-%d (dec): ", 128 + 64 * i );
+        mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
+        mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
+        if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+    }
+    if( verbose )
+        mbedtls_printf( "\n" );
+
+    /*
+     * Test set 2
+     */
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    for( i = 0; i < 3; i++ )
+    {
+        /* Test CBC encryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CBC-%d (enc): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+        memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
+        memset( buf, 0x55, sizeof( buf ) );
+        mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
+            aria_test2_pt, buf );
+        if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+
+        /* Test CBC decryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CBC-%d (dec): ", 128 + 64 * i );
+        mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
+        memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
+        memset( buf, 0xAA, sizeof( buf ) );
+        mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
+            aria_test2_cbc_ct[i], buf );
+        if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+    }
+    if( verbose )
+        mbedtls_printf( "\n" );
+
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    for( i = 0; i < 3; i++ )
+    {
+        /* Test CFB encryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CFB-%d (enc): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+        memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
+        memset( buf, 0x55, sizeof( buf ) );
+        j = 0;
+        mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
+            aria_test2_pt, buf );
+        if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+
+        /* Test CFB decryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CFB-%d (dec): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+        memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
+        memset( buf, 0xAA, sizeof( buf ) );
+        j = 0;
+        mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
+            iv, aria_test2_cfb_ct[i], buf );
+        if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+    }
+    if( verbose )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    for( i = 0; i < 3; i++ )
+    {
+        /* Test CTR encryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CTR-%d (enc): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+        memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE );                    // IV = 0
+        memset( buf, 0x55, sizeof( buf ) );
+        j = 0;
+        mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
+            aria_test2_pt, buf );
+        if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+
+        /* Test CTR decryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CTR-%d (dec): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+        memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE );                    // IV = 0
+        memset( buf, 0xAA, sizeof( buf ) );
+        j = 0;
+        mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
+            aria_test2_ctr_ct[i], buf );
+        if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+    }
+    if( verbose )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ARIA_C */
diff --git a/3rdparty/mbedtls/mbedtls/library/asn1parse.c b/3rdparty/mbedtls/mbedtls/library/asn1parse.c
index 4dd65c03c0..171c340b8c 100644
--- a/3rdparty/mbedtls/mbedtls/library/asn1parse.c
+++ b/3rdparty/mbedtls/mbedtls/library/asn1parse.c
@@ -28,6 +28,7 @@
 #if defined(MBEDTLS_ASN1_PARSE_C)
 
 #include "mbedtls/asn1.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -43,11 +44,6 @@
 #define mbedtls_free       free
 #endif
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
-}
-
 /*
  * ASN.1 DER decoding routines
  */
@@ -313,7 +309,7 @@ int mbedtls_asn1_get_alg( unsigned char **p,
 
     if( *p == end )
     {
-        mbedtls_zeroize( params, sizeof(mbedtls_asn1_buf) );
+        mbedtls_platform_zeroize( params, sizeof(mbedtls_asn1_buf) );
         return( 0 );
     }
 
@@ -358,7 +354,7 @@ void mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *cur )
     mbedtls_free( cur->oid.p );
     mbedtls_free( cur->val.p );
 
-    mbedtls_zeroize( cur, sizeof( mbedtls_asn1_named_data ) );
+    mbedtls_platform_zeroize( cur, sizeof( mbedtls_asn1_named_data ) );
 }
 
 void mbedtls_asn1_free_named_data_list( mbedtls_asn1_named_data **head )
diff --git a/3rdparty/mbedtls/mbedtls/library/asn1write.c b/3rdparty/mbedtls/mbedtls/library/asn1write.c
index b451887ed3..c0b4622d58 100644
--- a/3rdparty/mbedtls/mbedtls/library/asn1write.c
+++ b/3rdparty/mbedtls/mbedtls/library/asn1write.c
@@ -236,9 +236,6 @@ int mbedtls_asn1_write_int( unsigned char **p, unsigned char *start, int val )
     int ret;
     size_t len = 0;
 
-    // DER format assumes 2s complement for numbers, so the leftmost bit
-    // should be 0 for positive numbers and 1 for negative numbers.
-    //
     if( *p - start < 1 )
         return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
 
@@ -260,34 +257,37 @@ int mbedtls_asn1_write_int( unsigned char **p, unsigned char *start, int val )
     return( (int) len );
 }
 
-int mbedtls_asn1_write_printable_string( unsigned char **p, unsigned char *start,
-                                 const char *text, size_t text_len )
+int mbedtls_asn1_write_tagged_string( unsigned char **p, unsigned char *start, int tag,
+    const char *text, size_t text_len )
 {
     int ret;
     size_t len = 0;
 
     MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
-                  (const unsigned char *) text, text_len ) );
+        (const unsigned char *) text, text_len ) );
 
     MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_PRINTABLE_STRING ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, tag ) );
 
     return( (int) len );
 }
 
-int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
-                           const char *text, size_t text_len )
+int mbedtls_asn1_write_utf8_string( unsigned char **p, unsigned char *start,
+    const char *text, size_t text_len )
 {
-    int ret;
-    size_t len = 0;
-
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
-                  (const unsigned char *) text, text_len ) );
+    return( mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_UTF8_STRING, text, text_len) );
+}
 
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_IA5_STRING ) );
+int mbedtls_asn1_write_printable_string( unsigned char **p, unsigned char *start,
+                                 const char *text, size_t text_len )
+{
+    return( mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_PRINTABLE_STRING, text, text_len) );
+}
 
-    return( (int) len );
+int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
+                           const char *text, size_t text_len )
+{
+    return( mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_IA5_STRING, text, text_len) );
 }
 
 int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
diff --git a/3rdparty/mbedtls/mbedtls/library/bignum.c b/3rdparty/mbedtls/mbedtls/library/bignum.c
index d142fe69b8..41946183c5 100644
--- a/3rdparty/mbedtls/mbedtls/library/bignum.c
+++ b/3rdparty/mbedtls/mbedtls/library/bignum.c
@@ -45,6 +45,7 @@
 
 #include "mbedtls/bignum.h"
 #include "mbedtls/bn_mul.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -58,15 +59,10 @@
 #define mbedtls_free       free
 #endif
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_mpi_zeroize( mbedtls_mpi_uint *v, size_t n ) {
-    volatile mbedtls_mpi_uint *p = v; while( n-- ) *p++ = 0;
-}
-
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
+#define MPI_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA )
+#define MPI_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
 
 #define ciL    (sizeof(mbedtls_mpi_uint))         /* chars in limb  */
 #define biL    (ciL << 3)               /* bits  in limb  */
@@ -81,13 +77,18 @@ static void mbedtls_zeroize( void *v, size_t n ) {
 #define BITS_TO_LIMBS(i)  ( (i) / biL + ( (i) % biL != 0 ) )
 #define CHARS_TO_LIMBS(i) ( (i) / ciL + ( (i) % ciL != 0 ) )
 
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_mpi_zeroize( mbedtls_mpi_uint *v, size_t n )
+{
+    mbedtls_platform_zeroize( v, ciL * n );
+}
+
 /*
  * Initialize one MPI
  */
 void mbedtls_mpi_init( mbedtls_mpi *X )
 {
-    if( X == NULL )
-        return;
+    MPI_VALIDATE( X != NULL );
 
     X->s = 1;
     X->n = 0;
@@ -119,6 +120,7 @@ void mbedtls_mpi_free( mbedtls_mpi *X )
 int mbedtls_mpi_grow( mbedtls_mpi *X, size_t nblimbs )
 {
     mbedtls_mpi_uint *p;
+    MPI_VALIDATE_RET( X != NULL );
 
     if( nblimbs > MBEDTLS_MPI_MAX_LIMBS )
         return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
@@ -150,6 +152,10 @@ int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs )
 {
     mbedtls_mpi_uint *p;
     size_t i;
+    MPI_VALIDATE_RET( X != NULL );
+
+    if( nblimbs > MBEDTLS_MPI_MAX_LIMBS )
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
 
     /* Actually resize up in this case */
     if( X->n <= nblimbs )
@@ -184,8 +190,10 @@ int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs )
  */
 int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y )
 {
-    int ret;
+    int ret = 0;
     size_t i;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
 
     if( X == Y )
         return( 0 );
@@ -203,9 +211,15 @@ int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y )
 
     X->s = Y->s;
 
-    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i ) );
+    if( X->n < i )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i ) );
+    }
+    else
+    {
+        memset( X->p + i, 0, ( X->n - i ) * ciL );
+    }
 
-    memset( X->p, 0, X->n * ciL );
     memcpy( X->p, Y->p, i * ciL );
 
 cleanup:
@@ -219,6 +233,8 @@ int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y )
 void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y )
 {
     mbedtls_mpi T;
+    MPI_VALIDATE( X != NULL );
+    MPI_VALIDATE( Y != NULL );
 
     memcpy( &T,  X, sizeof( mbedtls_mpi ) );
     memcpy(  X,  Y, sizeof( mbedtls_mpi ) );
@@ -234,6 +250,8 @@ int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned
 {
     int ret = 0;
     size_t i;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
 
     /* make sure assign is 0 or 1 in a time-constant manner */
     assign = (assign | (unsigned char)-assign) >> 7;
@@ -263,6 +281,8 @@ int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char sw
     int ret, s;
     size_t i;
     mbedtls_mpi_uint tmp;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
 
     if( X == Y )
         return( 0 );
@@ -295,6 +315,7 @@ int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char sw
 int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z )
 {
     int ret;
+    MPI_VALIDATE_RET( X != NULL );
 
     MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, 1 ) );
     memset( X->p, 0, X->n * ciL );
@@ -312,6 +333,8 @@ int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z )
  */
 int mbedtls_mpi_get_bit( const mbedtls_mpi *X, size_t pos )
 {
+    MPI_VALIDATE_RET( X != NULL );
+
     if( X->n * biL <= pos )
         return( 0 );
 
@@ -330,6 +353,7 @@ int mbedtls_mpi_set_bit( mbedtls_mpi *X, size_t pos, unsigned char val )
     int ret = 0;
     size_t off = pos / biL;
     size_t idx = pos % biL;
+    MPI_VALIDATE_RET( X != NULL );
 
     if( val != 0 && val != 1 )
         return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
@@ -356,6 +380,7 @@ int mbedtls_mpi_set_bit( mbedtls_mpi *X, size_t pos, unsigned char val )
 size_t mbedtls_mpi_lsb( const mbedtls_mpi *X )
 {
     size_t i, j, count = 0;
+    MBEDTLS_INTERNAL_VALIDATE_RET( X != NULL, 0 );
 
     for( i = 0; i < X->n; i++ )
         for( j = 0; j < biL; j++, count++ )
@@ -436,6 +461,8 @@ int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s )
     size_t i, j, slen, n;
     mbedtls_mpi_uint d;
     mbedtls_mpi T;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( s != NULL );
 
     if( radix < 2 || radix > 16 )
         return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
@@ -548,6 +575,9 @@ int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
     size_t n;
     char *p;
     mbedtls_mpi T;
+    MPI_VALIDATE_RET( X    != NULL );
+    MPI_VALIDATE_RET( olen != NULL );
+    MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
 
     if( radix < 2 || radix > 16 )
         return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
@@ -637,6 +667,12 @@ int mbedtls_mpi_read_file( mbedtls_mpi *X, int radix, FILE *fin )
      */
     char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
 
+    MPI_VALIDATE_RET( X   != NULL );
+    MPI_VALIDATE_RET( fin != NULL );
+
+    if( radix < 2 || radix > 16 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
     memset( s, 0, sizeof( s ) );
     if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
         return( MBEDTLS_ERR_MPI_FILE_IO_ERROR );
@@ -668,6 +704,10 @@ int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X, int radix, FILE
      * newline characters and '\0'
      */
     char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
+    MPI_VALIDATE_RET( X != NULL );
+
+    if( radix < 2 || radix > 16 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
 
     memset( s, 0, sizeof( s ) );
 
@@ -695,14 +735,104 @@ int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X, int radix, FILE
 }
 #endif /* MBEDTLS_FS_IO */
 
+
+/* Convert a big-endian byte array aligned to the size of mbedtls_mpi_uint
+ * into the storage form used by mbedtls_mpi. */
+
+static mbedtls_mpi_uint mpi_uint_bigendian_to_host_c( mbedtls_mpi_uint x )
+{
+    uint8_t i;
+    mbedtls_mpi_uint tmp = 0;
+    /* This works regardless of the endianness. */
+    for( i = 0; i < ciL; i++, x >>= 8 )
+        tmp |= ( x & 0xFF ) << ( ( ciL - 1 - i ) << 3 );
+    return( tmp );
+}
+
+static mbedtls_mpi_uint mpi_uint_bigendian_to_host( mbedtls_mpi_uint x )
+{
+#if defined(__BYTE_ORDER__)
+
+/* Nothing to do on bigendian systems. */
+#if ( __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ )
+    return( x );
+#endif /* __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ */
+
+#if ( __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ )
+
+/* For GCC and Clang, have builtins for byte swapping. */
+#if defined(__GNUC__) && defined(__GNUC_PREREQ)
+#if __GNUC_PREREQ(4,3)
+#define have_bswap
+#endif
+#endif
+
+#if defined(__clang__) && defined(__has_builtin)
+#if __has_builtin(__builtin_bswap32)  &&                 \
+    __has_builtin(__builtin_bswap64)
+#define have_bswap
+#endif
+#endif
+
+#if defined(have_bswap)
+    /* The compiler is hopefully able to statically evaluate this! */
+    switch( sizeof(mbedtls_mpi_uint) )
+    {
+        case 4:
+            return( __builtin_bswap32(x) );
+        case 8:
+            return( __builtin_bswap64(x) );
+    }
+#endif
+#endif /* __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ */
+#endif /* __BYTE_ORDER__ */
+
+    /* Fall back to C-based reordering if we don't know the byte order
+     * or we couldn't use a compiler-specific builtin. */
+    return( mpi_uint_bigendian_to_host_c( x ) );
+}
+
+static void mpi_bigendian_to_host( mbedtls_mpi_uint * const p, size_t limbs )
+{
+    mbedtls_mpi_uint *cur_limb_left;
+    mbedtls_mpi_uint *cur_limb_right;
+    if( limbs == 0 )
+        return;
+
+    /*
+     * Traverse limbs and
+     * - adapt byte-order in each limb
+     * - swap the limbs themselves.
+     * For that, simultaneously traverse the limbs from left to right
+     * and from right to left, as long as the left index is not bigger
+     * than the right index (it's not a problem if limbs is odd and the
+     * indices coincide in the last iteration).
+     */
+    for( cur_limb_left = p, cur_limb_right = p + ( limbs - 1 );
+         cur_limb_left <= cur_limb_right;
+         cur_limb_left++, cur_limb_right-- )
+    {
+        mbedtls_mpi_uint tmp;
+        /* Note that if cur_limb_left == cur_limb_right,
+         * this code effectively swaps the bytes only once. */
+        tmp             = mpi_uint_bigendian_to_host( *cur_limb_left  );
+        *cur_limb_left  = mpi_uint_bigendian_to_host( *cur_limb_right );
+        *cur_limb_right = tmp;
+    }
+}
+
 /*
  * Import X from unsigned binary data, big endian
  */
 int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen )
 {
     int ret;
-    size_t i, j;
-    size_t const limbs = CHARS_TO_LIMBS( buflen );
+    size_t const limbs    = CHARS_TO_LIMBS( buflen );
+    size_t const overhead = ( limbs * ciL ) - buflen;
+    unsigned char *Xp;
+
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
 
     /* Ensure that target MPI has exactly the necessary number of limbs */
     if( X->n != limbs )
@@ -711,11 +841,17 @@ int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t bu
         mbedtls_mpi_init( X );
         MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
     }
-
     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
 
-    for( i = buflen, j = 0; i > 0; i--, j++ )
-        X->p[j / ciL] |= ((mbedtls_mpi_uint) buf[i - 1]) << ((j % ciL) << 3);
+    /* Avoid calling `memcpy` with NULL source argument,
+     * even if buflen is 0. */
+    if( buf != NULL )
+    {
+        Xp = (unsigned char*) X->p;
+        memcpy( Xp + overhead, buf, buflen );
+
+        mpi_bigendian_to_host( X->p, limbs );
+    }
 
 cleanup:
 
@@ -728,11 +864,16 @@ int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t bu
 int mbedtls_mpi_write_binary( const mbedtls_mpi *X,
                               unsigned char *buf, size_t buflen )
 {
-    size_t stored_bytes = X->n * ciL;
+    size_t stored_bytes;
     size_t bytes_to_copy;
     unsigned char *p;
     size_t i;
 
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
+
+    stored_bytes = X->n * ciL;
+
     if( stored_bytes < buflen )
     {
         /* There is enough space in the output buffer. Write initial
@@ -771,6 +912,7 @@ int mbedtls_mpi_shift_l( mbedtls_mpi *X, size_t count )
     int ret;
     size_t i, v0, t1;
     mbedtls_mpi_uint r0 = 0, r1;
+    MPI_VALIDATE_RET( X != NULL );
 
     v0 = count / (biL    );
     t1 = count & (biL - 1);
@@ -820,6 +962,7 @@ int mbedtls_mpi_shift_r( mbedtls_mpi *X, size_t count )
 {
     size_t i, v0, v1;
     mbedtls_mpi_uint r0 = 0, r1;
+    MPI_VALIDATE_RET( X != NULL );
 
     v0 = count /  biL;
     v1 = count & (biL - 1);
@@ -862,6 +1005,8 @@ int mbedtls_mpi_shift_r( mbedtls_mpi *X, size_t count )
 int mbedtls_mpi_cmp_abs( const mbedtls_mpi *X, const mbedtls_mpi *Y )
 {
     size_t i, j;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
 
     for( i = X->n; i > 0; i-- )
         if( X->p[i - 1] != 0 )
@@ -892,6 +1037,8 @@ int mbedtls_mpi_cmp_abs( const mbedtls_mpi *X, const mbedtls_mpi *Y )
 int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y )
 {
     size_t i, j;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
 
     for( i = X->n; i > 0; i-- )
         if( X->p[i - 1] != 0 )
@@ -926,6 +1073,7 @@ int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z )
 {
     mbedtls_mpi Y;
     mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET( X != NULL );
 
     *p  = ( z < 0 ) ? -z : z;
     Y.s = ( z < 0 ) ? -1 : 1;
@@ -943,6 +1091,9 @@ int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
     int ret;
     size_t i, j;
     mbedtls_mpi_uint *o, *p, c, tmp;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
 
     if( X == B )
     {
@@ -1008,7 +1159,7 @@ static void mpi_sub_hlp( size_t n, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d )
     while( c != 0 )
     {
         z = ( *d < c ); *d -= c;
-        c = z; i++; d++;
+        c = z; d++;
     }
 }
 
@@ -1020,6 +1171,9 @@ int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
     mbedtls_mpi TB;
     int ret;
     size_t n;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
 
     if( mbedtls_mpi_cmp_abs( A, B ) < 0 )
         return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
@@ -1060,8 +1214,12 @@ int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
  */
 int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
 {
-    int ret, s = A->s;
+    int ret, s;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
 
+    s = A->s;
     if( A->s * B->s < 0 )
     {
         if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
@@ -1091,8 +1249,12 @@ int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
  */
 int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
 {
-    int ret, s = A->s;
+    int ret, s;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
 
+    s = A->s;
     if( A->s * B->s > 0 )
     {
         if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
@@ -1124,6 +1286,8 @@ int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint
 {
     mbedtls_mpi _B;
     mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
 
     p[0] = ( b < 0 ) ? -b : b;
     _B.s = ( b < 0 ) ? -1 : 1;
@@ -1140,6 +1304,8 @@ int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint
 {
     mbedtls_mpi _B;
     mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
 
     p[0] = ( b < 0 ) ? -b : b;
     _B.s = ( b < 0 ) ? -1 : 1;
@@ -1229,6 +1395,9 @@ int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
     int ret;
     size_t i, j;
     mbedtls_mpi TA, TB;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
 
     mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
 
@@ -1246,8 +1415,8 @@ int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
     MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + j ) );
     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
 
-    for( i++; j > 0; j-- )
-        mpi_mul_hlp( i - 1, A->p, X->p + j - 1, B->p[j - 1] );
+    for( ; j > 0; j-- )
+        mpi_mul_hlp( i, A->p, X->p + j - 1, B->p[j - 1] );
 
     X->s = A->s * B->s;
 
@@ -1265,6 +1434,8 @@ int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint
 {
     mbedtls_mpi _B;
     mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
 
     _B.s = 1;
     _B.n = 1;
@@ -1373,11 +1544,14 @@ static mbedtls_mpi_uint mbedtls_int_div_int( mbedtls_mpi_uint u1,
 /*
  * Division by mbedtls_mpi: A = Q * B + R  (HAC 14.20)
  */
-int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B )
+int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B )
 {
     int ret;
     size_t i, n, t, k;
     mbedtls_mpi X, Y, Z, T1, T2;
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
 
     if( mbedtls_mpi_cmp_int( B, 0 ) == 0 )
         return( MBEDTLS_ERR_MPI_DIVISION_BY_ZERO );
@@ -1488,10 +1662,13 @@ int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, c
 /*
  * Division by int: A = Q * b + R
  */
-int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, mbedtls_mpi_sint b )
+int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R,
+                         const mbedtls_mpi *A,
+                         mbedtls_mpi_sint b )
 {
     mbedtls_mpi _B;
     mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET( A != NULL );
 
     p[0] = ( b < 0 ) ? -b : b;
     _B.s = ( b < 0 ) ? -1 : 1;
@@ -1507,6 +1684,9 @@ int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, m
 int mbedtls_mpi_mod_mpi( mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B )
 {
     int ret;
+    MPI_VALIDATE_RET( R != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
 
     if( mbedtls_mpi_cmp_int( B, 0 ) < 0 )
         return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
@@ -1531,6 +1711,8 @@ int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_
 {
     size_t i;
     mbedtls_mpi_uint x, y, z;
+    MPI_VALIDATE_RET( r != NULL );
+    MPI_VALIDATE_RET( A != NULL );
 
     if( b == 0 )
         return( MBEDTLS_ERR_MPI_DIVISION_BY_ZERO );
@@ -1644,7 +1826,8 @@ static int mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi
 /*
  * Montgomery reduction: A = A * R^-1 mod N
  */
-static int mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N, mbedtls_mpi_uint mm, const mbedtls_mpi *T )
+static int mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
+                        mbedtls_mpi_uint mm, const mbedtls_mpi *T )
 {
     mbedtls_mpi_uint z = 1;
     mbedtls_mpi U;
@@ -1658,7 +1841,9 @@ static int mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N, mbedtls_mpi_uint m
 /*
  * Sliding-window exponentiation: X = A^E mod N  (HAC 14.85)
  */
-int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *E, const mbedtls_mpi *N, mbedtls_mpi *_RR )
+int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *E, const mbedtls_mpi *N,
+                         mbedtls_mpi *_RR )
 {
     int ret;
     size_t wbits, wsize, one = 1;
@@ -1668,6 +1853,11 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
     mbedtls_mpi RR, T, W[ 2 << MBEDTLS_MPI_WINDOW_SIZE ], Apos;
     int neg;
 
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( E != NULL );
+    MPI_VALIDATE_RET( N != NULL );
+
     if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 || ( N->p[0] & 1 ) == 0 )
         return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
 
@@ -1874,6 +2064,10 @@ int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B
     size_t lz, lzt;
     mbedtls_mpi TG, TA, TB;
 
+    MPI_VALIDATE_RET( G != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
     mbedtls_mpi_init( &TG ); mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
 
     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TA, A ) );
@@ -1929,16 +2123,28 @@ int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
                      void *p_rng )
 {
     int ret;
-    unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+    size_t const limbs = CHARS_TO_LIMBS( size );
+    size_t const overhead = ( limbs * ciL ) - size;
+    unsigned char *Xp;
 
-    if( size > MBEDTLS_MPI_MAX_SIZE )
-        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+    MPI_VALIDATE_RET( X     != NULL );
+    MPI_VALIDATE_RET( f_rng != NULL );
+
+    /* Ensure that target MPI has exactly the necessary number of limbs */
+    if( X->n != limbs )
+    {
+        mbedtls_mpi_free( X );
+        mbedtls_mpi_init( X );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
+    }
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+
+    Xp = (unsigned char*) X->p;
+    f_rng( p_rng, Xp + overhead, size );
 
-    MBEDTLS_MPI_CHK( f_rng( p_rng, buf, size ) );
-    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( X, buf, size ) );
+    mpi_bigendian_to_host( X->p, limbs );
 
 cleanup:
-    mbedtls_zeroize( buf, sizeof( buf ) );
     return( ret );
 }
 
@@ -1949,6 +2155,9 @@ int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
 {
     int ret;
     mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( N != NULL );
 
     if( mbedtls_mpi_cmp_int( N, 1 ) <= 0 )
         return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
@@ -2108,7 +2317,11 @@ static int mpi_miller_rabin( const mbedtls_mpi *X, size_t rounds,
     size_t i, j, k, s;
     mbedtls_mpi W, R, T, A, RR;
 
-    mbedtls_mpi_init( &W ); mbedtls_mpi_init( &R ); mbedtls_mpi_init( &T ); mbedtls_mpi_init( &A );
+    MPI_VALIDATE_RET( X     != NULL );
+    MPI_VALIDATE_RET( f_rng != NULL );
+
+    mbedtls_mpi_init( &W ); mbedtls_mpi_init( &R );
+    mbedtls_mpi_init( &T ); mbedtls_mpi_init( &A );
     mbedtls_mpi_init( &RR );
 
     /*
@@ -2180,7 +2393,8 @@ static int mpi_miller_rabin( const mbedtls_mpi *X, size_t rounds,
     }
 
 cleanup:
-    mbedtls_mpi_free( &W ); mbedtls_mpi_free( &R ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &A );
+    mbedtls_mpi_free( &W ); mbedtls_mpi_free( &R );
+    mbedtls_mpi_free( &T ); mbedtls_mpi_free( &A );
     mbedtls_mpi_free( &RR );
 
     return( ret );
@@ -2189,12 +2403,14 @@ static int mpi_miller_rabin( const mbedtls_mpi *X, size_t rounds,
 /*
  * Pseudo-primality test: small factors, then Miller-Rabin
  */
-static int mpi_is_prime_internal( const mbedtls_mpi *X, int rounds,
-                  int (*f_rng)(void *, unsigned char *, size_t),
-                  void *p_rng )
+int mbedtls_mpi_is_prime_ext( const mbedtls_mpi *X, int rounds,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
 {
     int ret;
     mbedtls_mpi XX;
+    MPI_VALIDATE_RET( X     != NULL );
+    MPI_VALIDATE_RET( f_rng != NULL );
 
     XX.s = 1;
     XX.n = X->n;
@@ -2218,6 +2434,7 @@ static int mpi_is_prime_internal( const mbedtls_mpi *X, int rounds,
     return( mpi_miller_rabin( &XX, rounds, f_rng, p_rng ) );
 }
 
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
 /*
  * Pseudo-primality test, error probability 2^-80
  */
@@ -2225,22 +2442,45 @@ int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
                   int (*f_rng)(void *, unsigned char *, size_t),
                   void *p_rng )
 {
-    return mpi_is_prime_internal( X, 40, f_rng, p_rng );
+    MPI_VALIDATE_RET( X     != NULL );
+    MPI_VALIDATE_RET( f_rng != NULL );
+
+    /*
+     * In the past our key generation aimed for an error rate of at most
+     * 2^-80. Since this function is deprecated, aim for the same certainty
+     * here as well.
+     */
+    return( mbedtls_mpi_is_prime_ext( X, 40, f_rng, p_rng ) );
 }
+#endif
 
 /*
  * Prime number generation
+ *
+ * To generate an RSA key in a way recommended by FIPS 186-4, both primes must
+ * be either 1024 bits or 1536 bits long, and flags must contain
+ * MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.
  */
-int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int dh_flag,
+int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int flags,
                    int (*f_rng)(void *, unsigned char *, size_t),
                    void *p_rng )
 {
-    int ret;
+#ifdef MBEDTLS_HAVE_INT64
+// ceil(2^63.5)
+#define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL
+#else
+// ceil(2^31.5)
+#define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U
+#endif
+    int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
     size_t k, n;
     int rounds;
     mbedtls_mpi_uint r;
     mbedtls_mpi Y;
 
+    MPI_VALIDATE_RET( X     != NULL );
+    MPI_VALIDATE_RET( f_rng != NULL );
+
     if( nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS )
         return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
 
@@ -2248,78 +2488,89 @@ int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int dh_flag,
 
     n = BITS_TO_LIMBS( nbits );
 
-    /*
-     * 2^-80 error probability, number of rounds chosen per HAC, table 4.4
-     */
-    rounds = ( ( nbits >= 1300 ) ?  2 : ( nbits >=  850 ) ?  3 :
-               ( nbits >=  650 ) ?  4 : ( nbits >=  350 ) ?  8 :
-               ( nbits >=  250 ) ? 12 : ( nbits >=  150 ) ? 18 : 27 );
-
-    MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
-
-    k = mbedtls_mpi_bitlen( X );
-    if( k > nbits ) MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( X, k - nbits + 1 ) );
-
-    mbedtls_mpi_set_bit( X, nbits-1, 1 );
-
-    X->p[0] |= 1;
-
-    if( dh_flag == 0 )
+    if( ( flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR ) == 0 )
     {
-        while( ( ret = mpi_is_prime_internal( X, rounds, f_rng, p_rng ) ) != 0 )
-        {
-            if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
-                goto cleanup;
-
-            MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 2 ) );
-        }
+        /*
+         * 2^-80 error probability, number of rounds chosen per HAC, table 4.4
+         */
+        rounds = ( ( nbits >= 1300 ) ?  2 : ( nbits >=  850 ) ?  3 :
+                   ( nbits >=  650 ) ?  4 : ( nbits >=  350 ) ?  8 :
+                   ( nbits >=  250 ) ? 12 : ( nbits >=  150 ) ? 18 : 27 );
     }
     else
     {
         /*
-         * An necessary condition for Y and X = 2Y + 1 to be prime
-         * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
-         * Make sure it is satisfied, while keeping X = 3 mod 4
+         * 2^-100 error probability, number of rounds computed based on HAC,
+         * fact 4.48
          */
+        rounds = ( ( nbits >= 1450 ) ?  4 : ( nbits >=  1150 ) ?  5 :
+                   ( nbits >= 1000 ) ?  6 : ( nbits >=   850 ) ?  7 :
+                   ( nbits >=  750 ) ?  8 : ( nbits >=   500 ) ? 13 :
+                   ( nbits >=  250 ) ? 28 : ( nbits >=   150 ) ? 40 : 51 );
+    }
 
-        X->p[0] |= 2;
-
-        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, 3 ) );
-        if( r == 0 )
-            MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 8 ) );
-        else if( r == 1 )
-            MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 4 ) );
+    while( 1 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
+        /* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */
+        if( X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2 ) continue;
 
-        /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
-        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Y, X ) );
-        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Y, 1 ) );
+        k = n * biL;
+        if( k > nbits ) MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( X, k - nbits ) );
+        X->p[0] |= 1;
 
-        while( 1 )
+        if( ( flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH ) == 0 )
         {
-            /*
-             * First, check small factors for X and Y
-             * before doing Miller-Rabin on any of them
-             */
-            if( ( ret = mpi_check_small_factors(  X         ) ) == 0 &&
-                ( ret = mpi_check_small_factors( &Y         ) ) == 0 &&
-                ( ret = mpi_miller_rabin(  X, rounds, f_rng, p_rng  ) )
-                                                                == 0 &&
-                ( ret = mpi_miller_rabin( &Y, rounds, f_rng, p_rng  ) )
-                                                                == 0 )
-            {
-                break;
-            }
+            ret = mbedtls_mpi_is_prime_ext( X, rounds, f_rng, p_rng );
 
             if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
                 goto cleanup;
-
+        }
+        else
+        {
             /*
-             * Next candidates. We want to preserve Y = (X-1) / 2 and
-             * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
-             * so up Y by 6 and X by 12.
+             * An necessary condition for Y and X = 2Y + 1 to be prime
+             * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
+             * Make sure it is satisfied, while keeping X = 3 mod 4
              */
-            MBEDTLS_MPI_CHK( mbedtls_mpi_add_int(  X,  X, 12 ) );
-            MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &Y, &Y, 6  ) );
+
+            X->p[0] |= 2;
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, 3 ) );
+            if( r == 0 )
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 8 ) );
+            else if( r == 1 )
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 4 ) );
+
+            /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
+            MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Y, X ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Y, 1 ) );
+
+            while( 1 )
+            {
+                /*
+                 * First, check small factors for X and Y
+                 * before doing Miller-Rabin on any of them
+                 */
+                if( ( ret = mpi_check_small_factors(  X         ) ) == 0 &&
+                    ( ret = mpi_check_small_factors( &Y         ) ) == 0 &&
+                    ( ret = mpi_miller_rabin(  X, rounds, f_rng, p_rng  ) )
+                                                                    == 0 &&
+                    ( ret = mpi_miller_rabin( &Y, rounds, f_rng, p_rng  ) )
+                                                                    == 0 )
+                    goto cleanup;
+
+                if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+                    goto cleanup;
+
+                /*
+                 * Next candidates. We want to preserve Y = (X-1) / 2 and
+                 * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
+                 * so up Y by 6 and X by 12.
+                 */
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int(  X,  X, 12 ) );
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &Y, &Y, 6  ) );
+            }
         }
     }
 
diff --git a/3rdparty/mbedtls/mbedtls/library/blowfish.c b/3rdparty/mbedtls/mbedtls/library/blowfish.c
index 9003f0dfeb..cbf9238246 100644
--- a/3rdparty/mbedtls/mbedtls/library/blowfish.c
+++ b/3rdparty/mbedtls/mbedtls/library/blowfish.c
@@ -34,15 +34,17 @@
 #if defined(MBEDTLS_BLOWFISH_C)
 
 #include "mbedtls/blowfish.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
 #if !defined(MBEDTLS_BLOWFISH_ALT)
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
-}
+/* Parameter validation macros */
+#define BLOWFISH_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA )
+#define BLOWFISH_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
 
 /*
  * 32-bit integer manipulation macros (big endian)
@@ -157,6 +159,7 @@ static void blowfish_dec( mbedtls_blowfish_context *ctx, uint32_t *xl, uint32_t
 
 void mbedtls_blowfish_init( mbedtls_blowfish_context *ctx )
 {
+    BLOWFISH_VALIDATE( ctx != NULL );
     memset( ctx, 0, sizeof( mbedtls_blowfish_context ) );
 }
 
@@ -165,22 +168,26 @@ void mbedtls_blowfish_free( mbedtls_blowfish_context *ctx )
     if( ctx == NULL )
         return;
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_blowfish_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_blowfish_context ) );
 }
 
 /*
  * Blowfish key schedule
  */
-int mbedtls_blowfish_setkey( mbedtls_blowfish_context *ctx, const unsigned char *key,
-                     unsigned int keybits )
+int mbedtls_blowfish_setkey( mbedtls_blowfish_context *ctx,
+                             const unsigned char *key,
+                             unsigned int keybits )
 {
     unsigned int i, j, k;
     uint32_t data, datal, datar;
+    BLOWFISH_VALIDATE_RET( ctx != NULL );
+    BLOWFISH_VALIDATE_RET( key != NULL );
 
-    if( keybits < MBEDTLS_BLOWFISH_MIN_KEY_BITS || keybits > MBEDTLS_BLOWFISH_MAX_KEY_BITS ||
-        ( keybits % 8 ) )
+    if( keybits < MBEDTLS_BLOWFISH_MIN_KEY_BITS    ||
+        keybits > MBEDTLS_BLOWFISH_MAX_KEY_BITS    ||
+        keybits % 8 != 0 )
     {
-        return( MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH );
+        return( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA );
     }
 
     keybits >>= 3;
@@ -235,6 +242,11 @@ int mbedtls_blowfish_crypt_ecb( mbedtls_blowfish_context *ctx,
                     unsigned char output[MBEDTLS_BLOWFISH_BLOCKSIZE] )
 {
     uint32_t X0, X1;
+    BLOWFISH_VALIDATE_RET( ctx != NULL );
+    BLOWFISH_VALIDATE_RET( mode == MBEDTLS_BLOWFISH_ENCRYPT ||
+                           mode == MBEDTLS_BLOWFISH_DECRYPT );
+    BLOWFISH_VALIDATE_RET( input  != NULL );
+    BLOWFISH_VALIDATE_RET( output != NULL );
 
     GET_UINT32_BE( X0, input,  0 );
     GET_UINT32_BE( X1, input,  4 );
@@ -267,6 +279,12 @@ int mbedtls_blowfish_crypt_cbc( mbedtls_blowfish_context *ctx,
 {
     int i;
     unsigned char temp[MBEDTLS_BLOWFISH_BLOCKSIZE];
+    BLOWFISH_VALIDATE_RET( ctx != NULL );
+    BLOWFISH_VALIDATE_RET( mode == MBEDTLS_BLOWFISH_ENCRYPT ||
+                           mode == MBEDTLS_BLOWFISH_DECRYPT );
+    BLOWFISH_VALIDATE_RET( iv != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || input  != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || output != NULL );
 
     if( length % MBEDTLS_BLOWFISH_BLOCKSIZE )
         return( MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH );
@@ -321,7 +339,19 @@ int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx,
                        unsigned char *output )
 {
     int c;
-    size_t n = *iv_off;
+    size_t n;
+
+    BLOWFISH_VALIDATE_RET( ctx != NULL );
+    BLOWFISH_VALIDATE_RET( mode == MBEDTLS_BLOWFISH_ENCRYPT ||
+                           mode == MBEDTLS_BLOWFISH_DECRYPT );
+    BLOWFISH_VALIDATE_RET( iv     != NULL );
+    BLOWFISH_VALIDATE_RET( iv_off != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || input  != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || output != NULL );
+
+    n = *iv_off;
+    if( n >= 8 )
+        return( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA );
 
     if( mode == MBEDTLS_BLOWFISH_DECRYPT )
     {
@@ -369,7 +399,17 @@ int mbedtls_blowfish_crypt_ctr( mbedtls_blowfish_context *ctx,
                        unsigned char *output )
 {
     int c, i;
-    size_t n = *nc_off;
+    size_t n;
+    BLOWFISH_VALIDATE_RET( ctx != NULL );
+    BLOWFISH_VALIDATE_RET( nonce_counter != NULL );
+    BLOWFISH_VALIDATE_RET( stream_block  != NULL );
+    BLOWFISH_VALIDATE_RET( nc_off != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || input  != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || output != NULL );
+
+    n = *nc_off;
+    if( n >= 8 )
+        return( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA );
 
     while( length-- )
     {
diff --git a/3rdparty/mbedtls/mbedtls/library/camellia.c b/3rdparty/mbedtls/mbedtls/library/camellia.c
index ac6f96a83a..22262b89a8 100644
--- a/3rdparty/mbedtls/mbedtls/library/camellia.c
+++ b/3rdparty/mbedtls/mbedtls/library/camellia.c
@@ -34,6 +34,7 @@
 #if defined(MBEDTLS_CAMELLIA_C)
 
 #include "mbedtls/camellia.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -48,10 +49,11 @@
 
 #if !defined(MBEDTLS_CAMELLIA_ALT)
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
-}
+/* Parameter validation macros */
+#define CAMELLIA_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA )
+#define CAMELLIA_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
 
 /*
  * 32-bit integer manipulation macros (big endian)
@@ -325,6 +327,7 @@ static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
 
 void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
 {
+    CAMELLIA_VALIDATE( ctx != NULL );
     memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
 }
 
@@ -333,14 +336,15 @@ void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
     if( ctx == NULL )
         return;
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
 }
 
 /*
  * Camellia key schedule (encryption)
  */
-int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, const unsigned char *key,
-                         unsigned int keybits )
+int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
+                                 const unsigned char *key,
+                                 unsigned int keybits )
 {
     int idx;
     size_t i;
@@ -350,6 +354,9 @@ int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, const unsigned c
     uint32_t KC[16];
     uint32_t TK[20];
 
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( key != NULL );
+
     RK = ctx->rk;
 
     memset( t, 0, 64 );
@@ -360,7 +367,7 @@ int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, const unsigned c
         case 128: ctx->nr = 3; idx = 0; break;
         case 192:
         case 256: ctx->nr = 4; idx = 1; break;
-        default : return( MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH );
+        default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
     }
 
     for( i = 0; i < keybits / 8; ++i )
@@ -444,14 +451,17 @@ int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx, const unsigned c
 /*
  * Camellia key schedule (decryption)
  */
-int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx, const unsigned char *key,
-                         unsigned int keybits )
+int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
+                                 const unsigned char *key,
+                                 unsigned int keybits )
 {
     int idx, ret;
     size_t i;
     mbedtls_camellia_context cty;
     uint32_t *RK;
     uint32_t *SK;
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( key != NULL );
 
     mbedtls_camellia_init( &cty );
 
@@ -499,6 +509,11 @@ int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
 {
     int NR;
     uint32_t *RK, X[4];
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
+                           mode == MBEDTLS_CAMELLIA_DECRYPT );
+    CAMELLIA_VALIDATE_RET( input  != NULL );
+    CAMELLIA_VALIDATE_RET( output != NULL );
 
     ( (void) mode );
 
@@ -556,14 +571,20 @@ int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
  * Camellia-CBC buffer encryption/decryption
  */
 int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
-                    int mode,
-                    size_t length,
-                    unsigned char iv[16],
-                    const unsigned char *input,
-                    unsigned char *output )
+                                int mode,
+                                size_t length,
+                                unsigned char iv[16],
+                                const unsigned char *input,
+                                unsigned char *output )
 {
     int i;
     unsigned char temp[16];
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
+                           mode == MBEDTLS_CAMELLIA_DECRYPT );
+    CAMELLIA_VALIDATE_RET( iv != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
 
     if( length % 16 )
         return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
@@ -618,7 +639,18 @@ int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
                        unsigned char *output )
 {
     int c;
-    size_t n = *iv_off;
+    size_t n;
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
+                           mode == MBEDTLS_CAMELLIA_DECRYPT );
+    CAMELLIA_VALIDATE_RET( iv     != NULL );
+    CAMELLIA_VALIDATE_RET( iv_off != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
+
+    n = *iv_off;
+    if( n >= 16 )
+        return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
 
     if( mode == MBEDTLS_CAMELLIA_DECRYPT )
     {
@@ -666,7 +698,17 @@ int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
                        unsigned char *output )
 {
     int c, i;
-    size_t n = *nc_off;
+    size_t n;
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( nonce_counter != NULL );
+    CAMELLIA_VALIDATE_RET( stream_block  != NULL );
+    CAMELLIA_VALIDATE_RET( nc_off != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
+
+    n = *nc_off;
+    if( n >= 16 )
+        return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
 
     while( length-- )
     {
diff --git a/3rdparty/mbedtls/mbedtls/library/ccm.c b/3rdparty/mbedtls/mbedtls/library/ccm.c
index 658f0d2ff3..c6211ee773 100644
--- a/3rdparty/mbedtls/mbedtls/library/ccm.c
+++ b/3rdparty/mbedtls/mbedtls/library/ccm.c
@@ -37,6 +37,7 @@
 #if defined(MBEDTLS_CCM_C)
 
 #include "mbedtls/ccm.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -51,10 +52,10 @@
 
 #if !defined(MBEDTLS_CCM_ALT)
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
-}
+#define CCM_VALIDATE_RET( cond ) \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CCM_BAD_INPUT )
+#define CCM_VALIDATE( cond ) \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
 
 #define CCM_ENCRYPT 0
 #define CCM_DECRYPT 1
@@ -64,6 +65,7 @@ static void mbedtls_zeroize( void *v, size_t n ) {
  */
 void mbedtls_ccm_init( mbedtls_ccm_context *ctx )
 {
+    CCM_VALIDATE( ctx != NULL );
     memset( ctx, 0, sizeof( mbedtls_ccm_context ) );
 }
 
@@ -75,6 +77,9 @@ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
     int ret;
     const mbedtls_cipher_info_t *cipher_info;
 
+    CCM_VALIDATE_RET( ctx != NULL );
+    CCM_VALIDATE_RET( key != NULL );
+
     cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, MBEDTLS_MODE_ECB );
     if( cipher_info == NULL )
         return( MBEDTLS_ERR_CCM_BAD_INPUT );
@@ -101,8 +106,10 @@ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
  */
 void mbedtls_ccm_free( mbedtls_ccm_context *ctx )
 {
+    if( ctx == NULL )
+        return;
     mbedtls_cipher_free( &ctx->cipher_ctx );
-    mbedtls_zeroize( ctx, sizeof( mbedtls_ccm_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ccm_context ) );
 }
 
 /*
@@ -127,11 +134,17 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx )
  * This avoids allocating one more 16 bytes buffer while allowing src == dst.
  */
 #define CTR_CRYPT( dst, src, len  )                                            \
-    if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctr, 16, b, &olen ) ) != 0 )  \
-        return( ret );                                                         \
-                                                                               \
-    for( i = 0; i < len; i++ )                                                 \
-        dst[i] = src[i] ^ b[i];
+    do                                                                  \
+    {                                                                   \
+        if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctr,       \
+                                           16, b, &olen ) ) != 0 )      \
+        {                                                               \
+            return( ret );                                              \
+        }                                                               \
+                                                                        \
+        for( i = 0; i < (len); i++ )                                    \
+            (dst)[i] = (src)[i] ^ b[i];                                 \
+    } while( 0 )
 
 /*
  * Authenticated encryption or decryption
@@ -156,8 +169,10 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length,
      * Check length requirements: SP800-38C A.1
      * Additional requirement: a < 2^16 - 2^8 to simplify the code.
      * 'length' checked later (when writing it to the first block)
+     *
+     * Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4).
      */
-    if( tag_len < 4 || tag_len > 16 || tag_len % 2 != 0 )
+    if( tag_len == 2 || tag_len > 16 || tag_len % 2 != 0 )
         return( MBEDTLS_ERR_CCM_BAD_INPUT );
 
     /* Also implies q is within bounds */
@@ -306,20 +321,45 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length,
 /*
  * Authenticated encryption
  */
-int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
                          const unsigned char *iv, size_t iv_len,
                          const unsigned char *add, size_t add_len,
                          const unsigned char *input, unsigned char *output,
                          unsigned char *tag, size_t tag_len )
 {
+    CCM_VALIDATE_RET( ctx != NULL );
+    CCM_VALIDATE_RET( iv != NULL );
+    CCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    CCM_VALIDATE_RET( length == 0 || input != NULL );
+    CCM_VALIDATE_RET( length == 0 || output != NULL );
+    CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
     return( ccm_auth_crypt( ctx, CCM_ENCRYPT, length, iv, iv_len,
                             add, add_len, input, output, tag, tag_len ) );
 }
 
+int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *add, size_t add_len,
+                         const unsigned char *input, unsigned char *output,
+                         unsigned char *tag, size_t tag_len )
+{
+    CCM_VALIDATE_RET( ctx != NULL );
+    CCM_VALIDATE_RET( iv != NULL );
+    CCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    CCM_VALIDATE_RET( length == 0 || input != NULL );
+    CCM_VALIDATE_RET( length == 0 || output != NULL );
+    CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
+    if( tag_len == 0 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    return( mbedtls_ccm_star_encrypt_and_tag( ctx, length, iv, iv_len, add,
+                add_len, input, output, tag, tag_len ) );
+}
+
 /*
  * Authenticated decryption
  */
-int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
+int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
                       const unsigned char *iv, size_t iv_len,
                       const unsigned char *add, size_t add_len,
                       const unsigned char *input, unsigned char *output,
@@ -330,6 +370,13 @@ int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
     unsigned char i;
     int diff;
 
+    CCM_VALIDATE_RET( ctx != NULL );
+    CCM_VALIDATE_RET( iv != NULL );
+    CCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    CCM_VALIDATE_RET( length == 0 || input != NULL );
+    CCM_VALIDATE_RET( length == 0 || output != NULL );
+    CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
+
     if( ( ret = ccm_auth_crypt( ctx, CCM_DECRYPT, length,
                                 iv, iv_len, add, add_len,
                                 input, output, check_tag, tag_len ) ) != 0 )
@@ -343,13 +390,32 @@ int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
 
     if( diff != 0 )
     {
-        mbedtls_zeroize( output, length );
+        mbedtls_platform_zeroize( output, length );
         return( MBEDTLS_ERR_CCM_AUTH_FAILED );
     }
 
     return( 0 );
 }
 
+int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
+                      const unsigned char *iv, size_t iv_len,
+                      const unsigned char *add, size_t add_len,
+                      const unsigned char *input, unsigned char *output,
+                      const unsigned char *tag, size_t tag_len )
+{
+    CCM_VALIDATE_RET( ctx != NULL );
+    CCM_VALIDATE_RET( iv != NULL );
+    CCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    CCM_VALIDATE_RET( length == 0 || input != NULL );
+    CCM_VALIDATE_RET( length == 0 || output != NULL );
+    CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
+
+    if( tag_len == 0 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    return( mbedtls_ccm_star_auth_decrypt( ctx, length, iv, iv_len, add,
+                add_len, input, output, tag, tag_len ) );
+}
 #endif /* !MBEDTLS_CCM_ALT */
 
 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
diff --git a/3rdparty/mbedtls/mbedtls/library/certs.c b/3rdparty/mbedtls/mbedtls/library/certs.c
index 2c6fbdfedb..b07fd8a3a1 100644
--- a/3rdparty/mbedtls/mbedtls/library/certs.c
+++ b/3rdparty/mbedtls/mbedtls/library/certs.c
@@ -29,357 +29,1673 @@
 
 #if defined(MBEDTLS_CERTS_C)
 
-#if defined(MBEDTLS_ECDSA_C)
-#define TEST_CA_CRT_EC                                                  \
-"-----BEGIN CERTIFICATE-----\r\n"                                       \
-"MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT\r\n"  \
-"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n"  \
-"QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT\r\n"  \
-"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n"  \
-"QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu\r\n"  \
-"ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy\r\n"  \
-"aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g\r\n"  \
-"JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7\r\n"  \
-"NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE\r\n"  \
-"AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w\r\n"  \
-"CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56\r\n"  \
-"t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv\r\n"  \
-"uCjn8pwUOkABXK8Mss90fzCfCEOtIA==\r\n"                                  \
-"-----END CERTIFICATE-----\r\n"
-const char mbedtls_test_ca_crt_ec[] = TEST_CA_CRT_EC;
-const size_t mbedtls_test_ca_crt_ec_len = sizeof( mbedtls_test_ca_crt_ec );
-
-const char mbedtls_test_ca_key_ec[] =
-"-----BEGIN EC PRIVATE KEY-----\r\n"
-"Proc-Type: 4,ENCRYPTED\r\n"
-"DEK-Info: DES-EDE3-CBC,307EAB469933D64E\r\n"
-"\r\n"
-"IxbrRmKcAzctJqPdTQLA4SWyBYYGYJVkYEna+F7Pa5t5Yg/gKADrFKcm6B72e7DG\r\n"
-"ihExtZI648s0zdYw6qSJ74vrPSuWDe5qm93BqsfVH9svtCzWHW0pm1p0KTBCFfUq\r\n"
-"UsuWTITwJImcnlAs1gaRZ3sAWm7cOUidL0fo2G0fYUFNcYoCSLffCFTEHBuPnagb\r\n"
-"a77x/sY1Bvii8S9/XhDTb6pTMx06wzrm\r\n"
-"-----END EC PRIVATE KEY-----\r\n";
-const size_t mbedtls_test_ca_key_ec_len = sizeof( mbedtls_test_ca_key_ec );
-
-const char mbedtls_test_ca_pwd_ec[] = "PolarSSLTest";
-const size_t mbedtls_test_ca_pwd_ec_len = sizeof( mbedtls_test_ca_pwd_ec ) - 1;
-
-const char mbedtls_test_srv_crt_ec[] =
-"-----BEGIN CERTIFICATE-----\r\n"
-"MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n"
-"A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n"
-"MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"
-"A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG\r\n"
-"CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA\r\n"
-"2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd\r\n"
-"BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB\r\n"
-"PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh\r\n"
-"clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG\r\n"
-"CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S\r\n"
-"C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V\r\n"
-"fGa5kHvHARBPc8YAIVIqDvHH1Q==\r\n"
-"-----END CERTIFICATE-----\r\n";
-const size_t mbedtls_test_srv_crt_ec_len = sizeof( mbedtls_test_srv_crt_ec );
-
-const char mbedtls_test_srv_key_ec[] =
-"-----BEGIN EC PRIVATE KEY-----\r\n"
-"MHcCAQEEIPEqEyB2AnCoPL/9U/YDHvdqXYbIogTywwyp6/UfDw6noAoGCCqGSM49\r\n"
-"AwEHoUQDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/\r\n"
-"6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/w==\r\n"
-"-----END EC PRIVATE KEY-----\r\n";
-const size_t mbedtls_test_srv_key_ec_len = sizeof( mbedtls_test_srv_key_ec );
-
-const char mbedtls_test_cli_crt_ec[] =
-"-----BEGIN CERTIFICATE-----\r\n"
-"MIICLDCCAbKgAwIBAgIBDTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n"
-"A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n"
-"MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjBBMQswCQYDVQQGEwJOTDERMA8G\r\n"
-"A1UEChMIUG9sYXJTU0wxHzAdBgNVBAMTFlBvbGFyU1NMIFRlc3QgQ2xpZW50IDIw\r\n"
-"WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARX5a6xc9/TrLuTuIH/Eq7u5lOszlVT\r\n"
-"9jQOzC7jYyUL35ji81xgNpbA1RgUcOV/n9VLRRjlsGzVXPiWj4dwo+THo4GdMIGa\r\n"
-"MAkGA1UdEwQCMAAwHQYDVR0OBBYEFHoAX4Zk/OBd5REQO7LmO8QmP8/iMG4GA1Ud\r\n"
-"IwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8oUKkQDA+MQswCQYDVQQGEwJOTDER\r\n"
-"MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC\r\n"
-"CQDBQ+J+YkPM6DAKBggqhkjOPQQDAgNoADBlAjBKZQ17IIOimbmoD/yN7o89u3BM\r\n"
-"lgOsjnhw3fIOoLIWy2WOGsk/LGF++DzvrRzuNiACMQCd8iem1XS4JK7haj8xocpU\r\n"
-"LwjQje5PDGHfd3h9tP38Qknu5bJqws0md2KOKHyeV0U=\r\n"
-"-----END CERTIFICATE-----\r\n";
-const size_t mbedtls_test_cli_crt_ec_len = sizeof( mbedtls_test_cli_crt_ec );
-
-const char mbedtls_test_cli_key_ec[] =
-"-----BEGIN EC PRIVATE KEY-----\r\n"
-"MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49\r\n"
-"AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n"
-"wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n"
-"-----END EC PRIVATE KEY-----\r\n";
-const size_t mbedtls_test_cli_key_ec_len = sizeof( mbedtls_test_cli_key_ec );
-#endif /* MBEDTLS_ECDSA_C */
+/*
+ * Test CA Certificates
+ *
+ * We define test CA certificates for each choice of the following parameters:
+ * - PEM or DER encoding
+ * - SHA-1 or SHA-256 hash
+ * - RSA or EC key
+ *
+ * Things to add:
+ * - multiple EC curve types
+ *
+ */
 
-#if defined(MBEDTLS_RSA_C)
-#if defined(MBEDTLS_SHA256_C)
-#define TEST_CA_CRT_RSA_SHA256                                          \
-"-----BEGIN CERTIFICATE-----\r\n"                                       \
-"MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n"  \
-"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"  \
-"MTcwNTA0MTY1NzAxWhcNMjcwNTA1MTY1NzAxWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n"  \
-"A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n"  \
-"CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n"  \
-"mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n"  \
-"50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n"  \
-"YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n"  \
-"R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n"  \
-"KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n"  \
-"gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA\r\n"  \
-"FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE\r\n"  \
-"CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T\r\n"  \
-"BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHK/HHrTZMnnVMpde1io+voAtql7j\r\n"  \
-"4sRhLrjD7o3THtwRbDa2diCvpq0Sq23Ng2LMYoXsOxoL/RQK3iN7UKxV3MKPEr0w\r\n"  \
-"XQS+kKQqiT2bsfrjnWMVHZtUOMpm6FNqcdGm/Rss3vKda2lcKl8kUnq/ylc1+QbB\r\n"  \
-"G6A6tUvQcr2ZyWfVg+mM5XkhTrOOXus2OLikb4WwEtJTJRNE0f+yPODSUz0/vT57\r\n"  \
-"ApH0CnB80bYJshYHPHHymOtleAB8KSYtqm75g/YNobjnjB6cm4HkW3OZRVIl6fYY\r\n"  \
-"n20NRVA1Vjs6GAROr4NqW4k/+LofY9y0LLDE+p0oIEKXIsIvhPr39swxSA==\r\n"      \
-"-----END CERTIFICATE-----\r\n"
-
-static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
-const char   mbedtls_test_ca_crt_rsa[]   = TEST_CA_CRT_RSA_SHA256;
-const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
-#define TEST_CA_CRT_RSA_SOME
-#endif /* MBEDTLS_SHA256_C */
+/* This is taken from tests/data_files/test-ca2.crt */
+/* BEGIN FILE string macro TEST_CA_CRT_EC_PEM tests/data_files/test-ca2.crt */
+#define TEST_CA_CRT_EC_PEM                                                 \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT\r\n" \
+    "Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n" \
+    "QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT\r\n" \
+    "Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n" \
+    "QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu\r\n" \
+    "ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy\r\n" \
+    "aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g\r\n" \
+    "JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7\r\n" \
+    "NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE\r\n" \
+    "AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w\r\n" \
+    "CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56\r\n" \
+    "t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv\r\n" \
+    "uCjn8pwUOkABXK8Mss90fzCfCEOtIA==\r\n"                                 \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/test-ca2.crt.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CA_CRT_EC_DER tests/data_files/test-ca2.crt.der */
+#define TEST_CA_CRT_EC_DER {                                                 \
+    0x30, 0x82, 0x02, 0x52, 0x30, 0x82, 0x01, 0xd7, 0xa0, 0x03, 0x02, 0x01,  \
+    0x02, 0x02, 0x09, 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8,  \
+    0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02,  \
+    0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,  \
+    0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a,  \
+    0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c,  \
+    0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x13, 0x50, 0x6f, 0x6c,  \
+    0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x45,  \
+    0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x33, 0x30, 0x39,  \
+    0x32, 0x34, 0x31, 0x35, 0x34, 0x39, 0x34, 0x38, 0x5a, 0x17, 0x0d, 0x32,  \
+    0x33, 0x30, 0x39, 0x32, 0x32, 0x31, 0x35, 0x34, 0x39, 0x34, 0x38, 0x5a,  \
+    0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,  \
+    0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a,  \
+    0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c,  \
+    0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x13, 0x50, 0x6f, 0x6c,  \
+    0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x45,  \
+    0x43, 0x20, 0x43, 0x41, 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86,  \
+    0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22,  \
+    0x03, 0x62, 0x00, 0x04, 0xc3, 0xda, 0x2b, 0x34, 0x41, 0x37, 0x58, 0x2f,  \
+    0x87, 0x56, 0xfe, 0xfc, 0x89, 0xba, 0x29, 0x43, 0x4b, 0x4e, 0xe0, 0x6e,  \
+    0xc3, 0x0e, 0x57, 0x53, 0x33, 0x39, 0x58, 0xd4, 0x52, 0xb4, 0x91, 0x95,  \
+    0x39, 0x0b, 0x23, 0xdf, 0x5f, 0x17, 0x24, 0x62, 0x48, 0xfc, 0x1a, 0x95,  \
+    0x29, 0xce, 0x2c, 0x2d, 0x87, 0xc2, 0x88, 0x52, 0x80, 0xaf, 0xd6, 0x6a,  \
+    0xab, 0x21, 0xdd, 0xb8, 0xd3, 0x1c, 0x6e, 0x58, 0xb8, 0xca, 0xe8, 0xb2,  \
+    0x69, 0x8e, 0xf3, 0x41, 0xad, 0x29, 0xc3, 0xb4, 0x5f, 0x75, 0xa7, 0x47,  \
+    0x6f, 0xd5, 0x19, 0x29, 0x55, 0x69, 0x9a, 0x53, 0x3b, 0x20, 0xb4, 0x66,  \
+    0x16, 0x60, 0x33, 0x1e, 0xa3, 0x81, 0xa0, 0x30, 0x81, 0x9d, 0x30, 0x1d,  \
+    0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x9d, 0x6d, 0x20,  \
+    0x24, 0x49, 0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24,  \
+    0xc9, 0xdb, 0xfb, 0x36, 0x7c, 0x30, 0x6e, 0x06, 0x03, 0x55, 0x1d, 0x23,  \
+    0x04, 0x67, 0x30, 0x65, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49, 0x01,  \
+    0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb, 0xfb,  \
+    0x36, 0x7c, 0xa1, 0x42, 0xa4, 0x40, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09,  \
+    0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30,  \
+    0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61,  \
+    0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04,  \
+    0x03, 0x13, 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20,  \
+    0x54, 0x65, 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x82, 0x09,  \
+    0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8, 0x30, 0x0c, 0x06,  \
+    0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30,  \
+    0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03,  \
+    0x69, 0x00, 0x30, 0x66, 0x02, 0x31, 0x00, 0xc3, 0xb4, 0x62, 0x73, 0x56,  \
+    0x28, 0x95, 0x00, 0x7d, 0x78, 0x12, 0x26, 0xd2, 0x71, 0x7b, 0x19, 0xf8,  \
+    0x8a, 0x98, 0x3e, 0x92, 0xfe, 0x33, 0x9e, 0xe4, 0x79, 0xd2, 0xfe, 0x7a,  \
+    0xb7, 0x87, 0x74, 0x3c, 0x2b, 0xb8, 0xd7, 0x69, 0x94, 0x0b, 0xa3, 0x67,  \
+    0x77, 0xb8, 0xb3, 0xbe, 0xd1, 0x36, 0x32, 0x02, 0x31, 0x00, 0xfd, 0x67,  \
+    0x9c, 0x94, 0x23, 0x67, 0xc0, 0x56, 0xba, 0x4b, 0x33, 0x15, 0x00, 0xc6,  \
+    0xe3, 0xcc, 0x31, 0x08, 0x2c, 0x9c, 0x8b, 0xda, 0xa9, 0x75, 0x23, 0x2f,  \
+    0xb8, 0x28, 0xe7, 0xf2, 0x9c, 0x14, 0x3a, 0x40, 0x01, 0x5c, 0xaf, 0x0c,  \
+    0xb2, 0xcf, 0x74, 0x7f, 0x30, 0x9f, 0x08, 0x43, 0xad, 0x20               \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca2.key.enc */
+/* BEGIN FILE string macro TEST_CA_KEY_EC_PEM tests/data_files/test-ca2.key.enc */
+#define TEST_CA_KEY_EC_PEM                                                 \
+    "-----BEGIN EC PRIVATE KEY-----\r\n"                                   \
+    "Proc-Type: 4,ENCRYPTED\r\n"                                           \
+    "DEK-Info: DES-EDE3-CBC,307EAB469933D64E\r\n"                          \
+    "\r\n"                                                                 \
+    "IxbrRmKcAzctJqPdTQLA4SWyBYYGYJVkYEna+F7Pa5t5Yg/gKADrFKcm6B72e7DG\r\n" \
+    "ihExtZI648s0zdYw6qSJ74vrPSuWDe5qm93BqsfVH9svtCzWHW0pm1p0KTBCFfUq\r\n" \
+    "UsuWTITwJImcnlAs1gaRZ3sAWm7cOUidL0fo2G0fYUFNcYoCSLffCFTEHBuPnagb\r\n" \
+    "a77x/sY1Bvii8S9/XhDTb6pTMx06wzrm\r\n"                                 \
+    "-----END EC PRIVATE KEY-----\r\n"
+/* END FILE */
+
+#define TEST_CA_PWD_EC_PEM "PolarSSLTest"
+
+/* This is generated from tests/data_files/test-ca2.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CA_KEY_EC_DER tests/data_files/test-ca2.key.der */
+#define TEST_CA_KEY_EC_DER {                                                 \
+    0x30, 0x81, 0xa4, 0x02, 0x01, 0x01, 0x04, 0x30, 0x83, 0xd9, 0x15, 0x0e,  \
+    0xa0, 0x71, 0xf0, 0x57, 0x10, 0x33, 0xa3, 0x38, 0xb8, 0x86, 0xc1, 0xa6,  \
+    0x11, 0x5d, 0x6d, 0xb4, 0x03, 0xe1, 0x29, 0x76, 0x45, 0xd7, 0x87, 0x6f,  \
+    0x23, 0xab, 0x44, 0x20, 0xea, 0x64, 0x7b, 0x85, 0xb1, 0x76, 0xe7, 0x85,  \
+    0x95, 0xaa, 0x74, 0xd6, 0xd1, 0xa4, 0x5e, 0xea, 0xa0, 0x07, 0x06, 0x05,  \
+    0x2b, 0x81, 0x04, 0x00, 0x22, 0xa1, 0x64, 0x03, 0x62, 0x00, 0x04, 0xc3,  \
+    0xda, 0x2b, 0x34, 0x41, 0x37, 0x58, 0x2f, 0x87, 0x56, 0xfe, 0xfc, 0x89,  \
+    0xba, 0x29, 0x43, 0x4b, 0x4e, 0xe0, 0x6e, 0xc3, 0x0e, 0x57, 0x53, 0x33,  \
+    0x39, 0x58, 0xd4, 0x52, 0xb4, 0x91, 0x95, 0x39, 0x0b, 0x23, 0xdf, 0x5f,  \
+    0x17, 0x24, 0x62, 0x48, 0xfc, 0x1a, 0x95, 0x29, 0xce, 0x2c, 0x2d, 0x87,  \
+    0xc2, 0x88, 0x52, 0x80, 0xaf, 0xd6, 0x6a, 0xab, 0x21, 0xdd, 0xb8, 0xd3,  \
+    0x1c, 0x6e, 0x58, 0xb8, 0xca, 0xe8, 0xb2, 0x69, 0x8e, 0xf3, 0x41, 0xad,  \
+    0x29, 0xc3, 0xb4, 0x5f, 0x75, 0xa7, 0x47, 0x6f, 0xd5, 0x19, 0x29, 0x55,  \
+    0x69, 0x9a, 0x53, 0x3b, 0x20, 0xb4, 0x66, 0x16, 0x60, 0x33, 0x1e         \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca-sha256.crt. */
+/* BEGIN FILE string macro TEST_CA_CRT_RSA_SHA256_PEM tests/data_files/test-ca-sha256.crt */
+#define TEST_CA_CRT_RSA_SHA256_PEM                                         \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \
+    "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \
+    "mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \
+    "50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \
+    "YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \
+    "R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \
+    "KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \
+    "UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/\r\n" \
+    "MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBCwUA\r\n" \
+    "A4IBAQB2W2dIy4q4KysbrTL4HIaOqu62RceGuQ/KhyiI6O0ndCtQ/PgCBqHHTP8u\r\n" \
+    "8F1X2ivb60ynHV6baMLPI4Kf1k4MONtLSf/++1qh0Gdycd3A8IDAfy0YnC1F3OPK\r\n" \
+    "vWO/cZGitKoTbEpP4y4Rng3sFCDndRCWIRIDOEEW/H3lCcfL7sOQojdLl85ajFkh\r\n" \
+    "YvcDqjmnTcspUnuq9Y00C7porXJthZwz1S18qVjcFNk0zEhVMUbupSrdXVmKtOJW\r\n" \
+    "MWZjgcA+OXzcnb2hSKWbhjykH/u6/PqkuHPkD723rwXbmHdxRVS9CW57kDkn5ezJ\r\n" \
+    "5pE6Sam4qFsCNFJNBV9FRf3ZBMFi\r\n"                                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/test-ca-sha256.crt.der
+ * using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CA_CRT_RSA_SHA256_DER tests/data_files/test-ca-sha256.crt.der */
+#define TEST_CA_CRT_RSA_SHA256_DER {                                         \
+    0x30, 0x82, 0x03, 0x41, 0x30, 0x82, 0x02, 0x29, 0xa0, 0x03, 0x02, 0x01,  \
+    0x02, 0x02, 0x01, 0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,  \
+    0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,  \
+    0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,  \
+    0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,  \
+    0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,  \
+    0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,  \
+    0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,  \
+    0x31, 0x31, 0x30, 0x32, 0x31, 0x32, 0x31, 0x34, 0x34, 0x34, 0x30, 0x30,  \
+    0x5a, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x32, 0x31, 0x32, 0x31, 0x34, 0x34,  \
+    0x34, 0x30, 0x30, 0x5a, 0x30, 0x3b, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,  \
+    0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, 0x54, 0x65,  \
+    0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06,  \
+    0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,  \
+    0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,  \
+    0x01, 0x00, 0xc0, 0xdf, 0x37, 0xfc, 0x17, 0xbb, 0xe0, 0x96, 0x9d, 0x3f,  \
+    0x86, 0xde, 0x96, 0x32, 0x7d, 0x44, 0xa5, 0x16, 0xa0, 0xcd, 0x21, 0xf1,  \
+    0x99, 0xd4, 0xec, 0xea, 0xcb, 0x7c, 0x18, 0x58, 0x08, 0x94, 0xa5, 0xec,  \
+    0x9b, 0xc5, 0x8b, 0xdf, 0x1a, 0x1e, 0x99, 0x38, 0x99, 0x87, 0x1e, 0x7b,  \
+    0xc0, 0x8d, 0x39, 0xdf, 0x38, 0x5d, 0x70, 0x78, 0x07, 0xd3, 0x9e, 0xd9,  \
+    0x93, 0xe8, 0xb9, 0x72, 0x51, 0xc5, 0xce, 0xa3, 0x30, 0x52, 0xa9, 0xf2,  \
+    0xe7, 0x40, 0x70, 0x14, 0xcb, 0x44, 0xa2, 0x72, 0x0b, 0xc2, 0xe5, 0x40,  \
+    0xf9, 0x3e, 0xe5, 0xa6, 0x0e, 0xb3, 0xf9, 0xec, 0x4a, 0x63, 0xc0, 0xb8,  \
+    0x29, 0x00, 0x74, 0x9c, 0x57, 0x3b, 0xa8, 0xa5, 0x04, 0x90, 0x71, 0xf1,  \
+    0xbd, 0x83, 0xd9, 0x3f, 0xd6, 0xa5, 0xe2, 0x3c, 0x2a, 0x8f, 0xef, 0x27,  \
+    0x60, 0xc3, 0xc6, 0x9f, 0xcb, 0xba, 0xec, 0x60, 0x7d, 0xb7, 0xe6, 0x84,  \
+    0x32, 0xbe, 0x4f, 0xfb, 0x58, 0x26, 0x22, 0x03, 0x5b, 0xd4, 0xb4, 0xd5,  \
+    0xfb, 0xf5, 0xe3, 0x96, 0x2e, 0x70, 0xc0, 0xe4, 0x2e, 0xbd, 0xfc, 0x2e,  \
+    0xee, 0xe2, 0x41, 0x55, 0xc0, 0x34, 0x2e, 0x7d, 0x24, 0x72, 0x69, 0xcb,  \
+    0x47, 0xb1, 0x14, 0x40, 0x83, 0x7d, 0x67, 0xf4, 0x86, 0xf6, 0x31, 0xab,  \
+    0xf1, 0x79, 0xa4, 0xb2, 0xb5, 0x2e, 0x12, 0xf9, 0x84, 0x17, 0xf0, 0x62,  \
+    0x6f, 0x27, 0x3e, 0x13, 0x58, 0xb1, 0x54, 0x0d, 0x21, 0x9a, 0x73, 0x37,  \
+    0xa1, 0x30, 0xcf, 0x6f, 0x92, 0xdc, 0xf6, 0xe9, 0xfc, 0xac, 0xdb, 0x2e,  \
+    0x28, 0xd1, 0x7e, 0x02, 0x4b, 0x23, 0xa0, 0x15, 0xf2, 0x38, 0x65, 0x64,  \
+    0x09, 0xea, 0x0c, 0x6e, 0x8e, 0x1b, 0x17, 0xa0, 0x71, 0xc8, 0xb3, 0x9b,  \
+    0xc9, 0xab, 0xe9, 0xc3, 0xf2, 0xcf, 0x87, 0x96, 0x8f, 0x80, 0x02, 0x32,  \
+    0x9e, 0x99, 0x58, 0x6f, 0xa2, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,  \
+    0x50, 0x30, 0x4e, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05,  \
+    0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,  \
+    0x04, 0x16, 0x04, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52,  \
+    0xf6, 0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff,  \
+    0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,  \
+    0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, 0xb9, 0xd5,  \
+    0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, 0x0d, 0x06,  \
+    0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,  \
+    0x03, 0x82, 0x01, 0x01, 0x00, 0x76, 0x5b, 0x67, 0x48, 0xcb, 0x8a, 0xb8,  \
+    0x2b, 0x2b, 0x1b, 0xad, 0x32, 0xf8, 0x1c, 0x86, 0x8e, 0xaa, 0xee, 0xb6,  \
+    0x45, 0xc7, 0x86, 0xb9, 0x0f, 0xca, 0x87, 0x28, 0x88, 0xe8, 0xed, 0x27,  \
+    0x74, 0x2b, 0x50, 0xfc, 0xf8, 0x02, 0x06, 0xa1, 0xc7, 0x4c, 0xff, 0x2e,  \
+    0xf0, 0x5d, 0x57, 0xda, 0x2b, 0xdb, 0xeb, 0x4c, 0xa7, 0x1d, 0x5e, 0x9b,  \
+    0x68, 0xc2, 0xcf, 0x23, 0x82, 0x9f, 0xd6, 0x4e, 0x0c, 0x38, 0xdb, 0x4b,  \
+    0x49, 0xff, 0xfe, 0xfb, 0x5a, 0xa1, 0xd0, 0x67, 0x72, 0x71, 0xdd, 0xc0,  \
+    0xf0, 0x80, 0xc0, 0x7f, 0x2d, 0x18, 0x9c, 0x2d, 0x45, 0xdc, 0xe3, 0xca,  \
+    0xbd, 0x63, 0xbf, 0x71, 0x91, 0xa2, 0xb4, 0xaa, 0x13, 0x6c, 0x4a, 0x4f,  \
+    0xe3, 0x2e, 0x11, 0x9e, 0x0d, 0xec, 0x14, 0x20, 0xe7, 0x75, 0x10, 0x96,  \
+    0x21, 0x12, 0x03, 0x38, 0x41, 0x16, 0xfc, 0x7d, 0xe5, 0x09, 0xc7, 0xcb,  \
+    0xee, 0xc3, 0x90, 0xa2, 0x37, 0x4b, 0x97, 0xce, 0x5a, 0x8c, 0x59, 0x21,  \
+    0x62, 0xf7, 0x03, 0xaa, 0x39, 0xa7, 0x4d, 0xcb, 0x29, 0x52, 0x7b, 0xaa,  \
+    0xf5, 0x8d, 0x34, 0x0b, 0xba, 0x68, 0xad, 0x72, 0x6d, 0x85, 0x9c, 0x33,  \
+    0xd5, 0x2d, 0x7c, 0xa9, 0x58, 0xdc, 0x14, 0xd9, 0x34, 0xcc, 0x48, 0x55,  \
+    0x31, 0x46, 0xee, 0xa5, 0x2a, 0xdd, 0x5d, 0x59, 0x8a, 0xb4, 0xe2, 0x56,  \
+    0x31, 0x66, 0x63, 0x81, 0xc0, 0x3e, 0x39, 0x7c, 0xdc, 0x9d, 0xbd, 0xa1,  \
+    0x48, 0xa5, 0x9b, 0x86, 0x3c, 0xa4, 0x1f, 0xfb, 0xba, 0xfc, 0xfa, 0xa4,  \
+    0xb8, 0x73, 0xe4, 0x0f, 0xbd, 0xb7, 0xaf, 0x05, 0xdb, 0x98, 0x77, 0x71,  \
+    0x45, 0x54, 0xbd, 0x09, 0x6e, 0x7b, 0x90, 0x39, 0x27, 0xe5, 0xec, 0xc9,  \
+    0xe6, 0x91, 0x3a, 0x49, 0xa9, 0xb8, 0xa8, 0x5b, 0x02, 0x34, 0x52, 0x4d,  \
+    0x05, 0x5f, 0x45, 0x45, 0xfd, 0xd9, 0x04, 0xc1, 0x62                     \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca-sha1.crt. */
+/* BEGIN FILE string macro TEST_CA_CRT_RSA_SHA1_PEM tests/data_files/test-ca-sha1.crt */
+#define TEST_CA_CRT_RSA_SHA1_PEM                                           \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \
+    "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \
+    "mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \
+    "50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \
+    "YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \
+    "R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \
+    "KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \
+    "UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/\r\n" \
+    "MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA\r\n" \
+    "A4IBAQABE3OEPfEd/bcJW5ZdU3/VgPNS4tMzh8gnJP/V2FcvFtGylMpQq6YnEBYI\r\n" \
+    "yBHAL4DRvlMY5rnXGBp3ODR8MpqHC6AquRTCLzjS57iYff//4QFQqW9n92zctspv\r\n" \
+    "czkaPKgjqo1No3Uq0Xaz10rcxyTUPrf5wNVRZ2V0KvllvAAVSzbI4mpdUXztjhST\r\n" \
+    "S5A2BeWQAAOr0zq1F7TSRVJpJs7jmB2ai/igkh1IAjcuwV6VwlP+sbw0gjQ0NpGM\r\n" \
+    "iHpnlzRAi/tIbtOvMIGOBU2TIfax/5jq1agUx5aPmT5TWAiJPOOP6l5xXnDwxeYS\r\n" \
+    "NWqiX9GyusBZjezaCaHabjDLU0qQ\r\n"                                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca-sha1.crt.der. */
+/* BEGIN FILE binary macro TEST_CA_CRT_RSA_SHA1_DER tests/data_files/test-ca-sha1.crt.der */
+#define TEST_CA_CRT_RSA_SHA1_DER {                                           \
+    0x30, 0x82, 0x03, 0x41, 0x30, 0x82, 0x02, 0x29, 0xa0, 0x03, 0x02, 0x01,  \
+    0x02, 0x02, 0x01, 0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,  \
+    0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,  \
+    0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,  \
+    0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,  \
+    0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,  \
+    0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,  \
+    0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,  \
+    0x31, 0x31, 0x30, 0x32, 0x31, 0x32, 0x31, 0x34, 0x34, 0x34, 0x30, 0x30,  \
+    0x5a, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x32, 0x31, 0x32, 0x31, 0x34, 0x34,  \
+    0x34, 0x30, 0x30, 0x5a, 0x30, 0x3b, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,  \
+    0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, 0x54, 0x65,  \
+    0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06,  \
+    0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,  \
+    0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,  \
+    0x01, 0x00, 0xc0, 0xdf, 0x37, 0xfc, 0x17, 0xbb, 0xe0, 0x96, 0x9d, 0x3f,  \
+    0x86, 0xde, 0x96, 0x32, 0x7d, 0x44, 0xa5, 0x16, 0xa0, 0xcd, 0x21, 0xf1,  \
+    0x99, 0xd4, 0xec, 0xea, 0xcb, 0x7c, 0x18, 0x58, 0x08, 0x94, 0xa5, 0xec,  \
+    0x9b, 0xc5, 0x8b, 0xdf, 0x1a, 0x1e, 0x99, 0x38, 0x99, 0x87, 0x1e, 0x7b,  \
+    0xc0, 0x8d, 0x39, 0xdf, 0x38, 0x5d, 0x70, 0x78, 0x07, 0xd3, 0x9e, 0xd9,  \
+    0x93, 0xe8, 0xb9, 0x72, 0x51, 0xc5, 0xce, 0xa3, 0x30, 0x52, 0xa9, 0xf2,  \
+    0xe7, 0x40, 0x70, 0x14, 0xcb, 0x44, 0xa2, 0x72, 0x0b, 0xc2, 0xe5, 0x40,  \
+    0xf9, 0x3e, 0xe5, 0xa6, 0x0e, 0xb3, 0xf9, 0xec, 0x4a, 0x63, 0xc0, 0xb8,  \
+    0x29, 0x00, 0x74, 0x9c, 0x57, 0x3b, 0xa8, 0xa5, 0x04, 0x90, 0x71, 0xf1,  \
+    0xbd, 0x83, 0xd9, 0x3f, 0xd6, 0xa5, 0xe2, 0x3c, 0x2a, 0x8f, 0xef, 0x27,  \
+    0x60, 0xc3, 0xc6, 0x9f, 0xcb, 0xba, 0xec, 0x60, 0x7d, 0xb7, 0xe6, 0x84,  \
+    0x32, 0xbe, 0x4f, 0xfb, 0x58, 0x26, 0x22, 0x03, 0x5b, 0xd4, 0xb4, 0xd5,  \
+    0xfb, 0xf5, 0xe3, 0x96, 0x2e, 0x70, 0xc0, 0xe4, 0x2e, 0xbd, 0xfc, 0x2e,  \
+    0xee, 0xe2, 0x41, 0x55, 0xc0, 0x34, 0x2e, 0x7d, 0x24, 0x72, 0x69, 0xcb,  \
+    0x47, 0xb1, 0x14, 0x40, 0x83, 0x7d, 0x67, 0xf4, 0x86, 0xf6, 0x31, 0xab,  \
+    0xf1, 0x79, 0xa4, 0xb2, 0xb5, 0x2e, 0x12, 0xf9, 0x84, 0x17, 0xf0, 0x62,  \
+    0x6f, 0x27, 0x3e, 0x13, 0x58, 0xb1, 0x54, 0x0d, 0x21, 0x9a, 0x73, 0x37,  \
+    0xa1, 0x30, 0xcf, 0x6f, 0x92, 0xdc, 0xf6, 0xe9, 0xfc, 0xac, 0xdb, 0x2e,  \
+    0x28, 0xd1, 0x7e, 0x02, 0x4b, 0x23, 0xa0, 0x15, 0xf2, 0x38, 0x65, 0x64,  \
+    0x09, 0xea, 0x0c, 0x6e, 0x8e, 0x1b, 0x17, 0xa0, 0x71, 0xc8, 0xb3, 0x9b,  \
+    0xc9, 0xab, 0xe9, 0xc3, 0xf2, 0xcf, 0x87, 0x96, 0x8f, 0x80, 0x02, 0x32,  \
+    0x9e, 0x99, 0x58, 0x6f, 0xa2, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,  \
+    0x50, 0x30, 0x4e, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05,  \
+    0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,  \
+    0x04, 0x16, 0x04, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52,  \
+    0xf6, 0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff,  \
+    0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,  \
+    0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, 0xb9, 0xd5,  \
+    0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, 0x0d, 0x06,  \
+    0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00,  \
+    0x03, 0x82, 0x01, 0x01, 0x00, 0x01, 0x13, 0x73, 0x84, 0x3d, 0xf1, 0x1d,  \
+    0xfd, 0xb7, 0x09, 0x5b, 0x96, 0x5d, 0x53, 0x7f, 0xd5, 0x80, 0xf3, 0x52,  \
+    0xe2, 0xd3, 0x33, 0x87, 0xc8, 0x27, 0x24, 0xff, 0xd5, 0xd8, 0x57, 0x2f,  \
+    0x16, 0xd1, 0xb2, 0x94, 0xca, 0x50, 0xab, 0xa6, 0x27, 0x10, 0x16, 0x08,  \
+    0xc8, 0x11, 0xc0, 0x2f, 0x80, 0xd1, 0xbe, 0x53, 0x18, 0xe6, 0xb9, 0xd7,  \
+    0x18, 0x1a, 0x77, 0x38, 0x34, 0x7c, 0x32, 0x9a, 0x87, 0x0b, 0xa0, 0x2a,  \
+    0xb9, 0x14, 0xc2, 0x2f, 0x38, 0xd2, 0xe7, 0xb8, 0x98, 0x7d, 0xff, 0xff,  \
+    0xe1, 0x01, 0x50, 0xa9, 0x6f, 0x67, 0xf7, 0x6c, 0xdc, 0xb6, 0xca, 0x6f,  \
+    0x73, 0x39, 0x1a, 0x3c, 0xa8, 0x23, 0xaa, 0x8d, 0x4d, 0xa3, 0x75, 0x2a,  \
+    0xd1, 0x76, 0xb3, 0xd7, 0x4a, 0xdc, 0xc7, 0x24, 0xd4, 0x3e, 0xb7, 0xf9,  \
+    0xc0, 0xd5, 0x51, 0x67, 0x65, 0x74, 0x2a, 0xf9, 0x65, 0xbc, 0x00, 0x15,  \
+    0x4b, 0x36, 0xc8, 0xe2, 0x6a, 0x5d, 0x51, 0x7c, 0xed, 0x8e, 0x14, 0x93,  \
+    0x4b, 0x90, 0x36, 0x05, 0xe5, 0x90, 0x00, 0x03, 0xab, 0xd3, 0x3a, 0xb5,  \
+    0x17, 0xb4, 0xd2, 0x45, 0x52, 0x69, 0x26, 0xce, 0xe3, 0x98, 0x1d, 0x9a,  \
+    0x8b, 0xf8, 0xa0, 0x92, 0x1d, 0x48, 0x02, 0x37, 0x2e, 0xc1, 0x5e, 0x95,  \
+    0xc2, 0x53, 0xfe, 0xb1, 0xbc, 0x34, 0x82, 0x34, 0x34, 0x36, 0x91, 0x8c,  \
+    0x88, 0x7a, 0x67, 0x97, 0x34, 0x40, 0x8b, 0xfb, 0x48, 0x6e, 0xd3, 0xaf,  \
+    0x30, 0x81, 0x8e, 0x05, 0x4d, 0x93, 0x21, 0xf6, 0xb1, 0xff, 0x98, 0xea,  \
+    0xd5, 0xa8, 0x14, 0xc7, 0x96, 0x8f, 0x99, 0x3e, 0x53, 0x58, 0x08, 0x89,  \
+    0x3c, 0xe3, 0x8f, 0xea, 0x5e, 0x71, 0x5e, 0x70, 0xf0, 0xc5, 0xe6, 0x12,  \
+    0x35, 0x6a, 0xa2, 0x5f, 0xd1, 0xb2, 0xba, 0xc0, 0x59, 0x8d, 0xec, 0xda,  \
+    0x09, 0xa1, 0xda, 0x6e, 0x30, 0xcb, 0x53, 0x4a, 0x90                     \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca.key */
+/* BEGIN FILE string macro TEST_CA_KEY_RSA_PEM tests/data_files/test-ca.key */
+#define TEST_CA_KEY_RSA_PEM                                                \
+    "-----BEGIN RSA PRIVATE KEY-----\r\n"                                  \
+    "Proc-Type: 4,ENCRYPTED\r\n"                                           \
+    "DEK-Info: DES-EDE3-CBC,A8A95B05D5B7206B\r\n"                          \
+    "\r\n"                                                                 \
+    "9Qd9GeArejl1GDVh2lLV1bHt0cPtfbh5h/5zVpAVaFpqtSPMrElp50Rntn9et+JA\r\n" \
+    "7VOyboR+Iy2t/HU4WvA687k3Bppe9GwKHjHhtl//8xFKwZr3Xb5yO5JUP8AUctQq\r\n" \
+    "Nb8CLlZyuUC+52REAAthdWgsX+7dJO4yabzUcQ22Tp9JSD0hiL43BlkWYUNK3dAo\r\n" \
+    "PZlmiptjnzVTjg1MxsBSydZinWOLBV8/JQgxSPo2yD4uEfig28qbvQ2wNIn0pnAb\r\n" \
+    "GxnSAOazkongEGfvcjIIs+LZN9gXFhxcOh6kc4Q/c99B7QWETwLLkYgZ+z1a9VY9\r\n" \
+    "gEU7CwCxYCD+h9hY6FPmsK0/lC4O7aeRKpYq00rPPxs6i7phiexg6ax6yTMmArQq\r\n" \
+    "QmK3TAsJm8V/J5AWpLEV6jAFgRGymGGHnof0DXzVWZidrcZJWTNuGEX90nB3ee2w\r\n" \
+    "PXJEFWKoD3K3aFcSLdHYr3mLGxP7H9ThQai9VsycxZKS5kwvBKQ//YMrmFfwPk8x\r\n" \
+    "vTeY4KZMaUrveEel5tWZC94RSMKgxR6cyE1nBXyTQnDOGbfpNNgBKxyKbINWoOJU\r\n" \
+    "WJZAwlsQn+QzCDwpri7+sV1mS3gBE6UY7aQmnmiiaC2V3Hbphxct/en5QsfDOt1X\r\n" \
+    "JczSfpRWLlbPznZg8OQh/VgCMA58N5DjOzTIK7sJJ5r+94ZBTCpgAMbF588f0NTR\r\n" \
+    "KCe4yrxGJR7X02M4nvD4IwOlpsQ8xQxZtOSgXv4LkxvdU9XJJKWZ/XNKJeWztxSe\r\n" \
+    "Z1vdTc2YfsDBA2SEv33vxHx2g1vqtw8SjDRT2RaQSS0QuSaMJimdOX6mTOCBKk1J\r\n" \
+    "9Q5mXTrER+/LnK0jEmXsBXWA5bqqVZIyahXSx4VYZ7l7w/PHiUDtDgyRhMMKi4n2\r\n" \
+    "iQvQcWSQTjrpnlJbca1/DkpRt3YwrvJwdqb8asZU2VrNETh5x0QVefDRLFiVpif/\r\n" \
+    "tUaeAe/P1F8OkS7OIZDs1SUbv/sD2vMbhNkUoCms3/PvNtdnvgL4F0zhaDpKCmlT\r\n" \
+    "P8vx49E7v5CyRNmED9zZg4o3wmMqrQO93PtTug3Eu9oVx1zPQM1NVMyBa2+f29DL\r\n" \
+    "1nuTCeXdo9+ni45xx+jAI4DCwrRdhJ9uzZyC6962H37H6D+5naNvClFR1s6li1Gb\r\n" \
+    "nqPoiy/OBsEx9CaDGcqQBp5Wme/3XW+6z1ISOx+igwNTVCT14mHdBMbya0eIKft5\r\n" \
+    "X+GnwtgEMyCYyyWuUct8g4RzErcY9+yW9Om5Hzpx4zOuW4NPZgPDTgK+t2RSL/Yq\r\n" \
+    "rE1njrgeGYcVeG3f+OftH4s6fPbq7t1A5ZgUscbLMBqr9tK+OqygR4EgKBPsH6Cz\r\n" \
+    "L6zlv/2RV0qAHvVuDJcIDIgwY5rJtINEm32rhOeFNJwZS5MNIC1czXZx5//ugX7l\r\n" \
+    "I4sy5nbVhwSjtAk8Xg5dZbdTZ6mIrb7xqH+fdakZor1khG7bC2uIwibD3cSl2XkR\r\n" \
+    "wN48lslbHnqqagr6Xm1nNOSVl8C/6kbJEsMpLhAezfRtGwvOucoaE+WbeUNolGde\r\n" \
+    "P/eQiddSf0brnpiLJRh7qZrl9XuqYdpUqnoEdMAfotDOID8OtV7gt8a48ad8VPW2\r\n" \
+    "-----END RSA PRIVATE KEY-----\r\n"
+/* END FILE */
+
+#define TEST_CA_PWD_RSA_PEM "PolarSSLTest"
+
+/* This was generated from test-ca.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CA_KEY_RSA_DER tests/data_files/test-ca.key.der */
+#define TEST_CA_KEY_RSA_DER {                                                \
+    0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,  \
+    0xc0, 0xdf, 0x37, 0xfc, 0x17, 0xbb, 0xe0, 0x96, 0x9d, 0x3f, 0x86, 0xde,  \
+    0x96, 0x32, 0x7d, 0x44, 0xa5, 0x16, 0xa0, 0xcd, 0x21, 0xf1, 0x99, 0xd4,  \
+    0xec, 0xea, 0xcb, 0x7c, 0x18, 0x58, 0x08, 0x94, 0xa5, 0xec, 0x9b, 0xc5,  \
+    0x8b, 0xdf, 0x1a, 0x1e, 0x99, 0x38, 0x99, 0x87, 0x1e, 0x7b, 0xc0, 0x8d,  \
+    0x39, 0xdf, 0x38, 0x5d, 0x70, 0x78, 0x07, 0xd3, 0x9e, 0xd9, 0x93, 0xe8,  \
+    0xb9, 0x72, 0x51, 0xc5, 0xce, 0xa3, 0x30, 0x52, 0xa9, 0xf2, 0xe7, 0x40,  \
+    0x70, 0x14, 0xcb, 0x44, 0xa2, 0x72, 0x0b, 0xc2, 0xe5, 0x40, 0xf9, 0x3e,  \
+    0xe5, 0xa6, 0x0e, 0xb3, 0xf9, 0xec, 0x4a, 0x63, 0xc0, 0xb8, 0x29, 0x00,  \
+    0x74, 0x9c, 0x57, 0x3b, 0xa8, 0xa5, 0x04, 0x90, 0x71, 0xf1, 0xbd, 0x83,  \
+    0xd9, 0x3f, 0xd6, 0xa5, 0xe2, 0x3c, 0x2a, 0x8f, 0xef, 0x27, 0x60, 0xc3,  \
+    0xc6, 0x9f, 0xcb, 0xba, 0xec, 0x60, 0x7d, 0xb7, 0xe6, 0x84, 0x32, 0xbe,  \
+    0x4f, 0xfb, 0x58, 0x26, 0x22, 0x03, 0x5b, 0xd4, 0xb4, 0xd5, 0xfb, 0xf5,  \
+    0xe3, 0x96, 0x2e, 0x70, 0xc0, 0xe4, 0x2e, 0xbd, 0xfc, 0x2e, 0xee, 0xe2,  \
+    0x41, 0x55, 0xc0, 0x34, 0x2e, 0x7d, 0x24, 0x72, 0x69, 0xcb, 0x47, 0xb1,  \
+    0x14, 0x40, 0x83, 0x7d, 0x67, 0xf4, 0x86, 0xf6, 0x31, 0xab, 0xf1, 0x79,  \
+    0xa4, 0xb2, 0xb5, 0x2e, 0x12, 0xf9, 0x84, 0x17, 0xf0, 0x62, 0x6f, 0x27,  \
+    0x3e, 0x13, 0x58, 0xb1, 0x54, 0x0d, 0x21, 0x9a, 0x73, 0x37, 0xa1, 0x30,  \
+    0xcf, 0x6f, 0x92, 0xdc, 0xf6, 0xe9, 0xfc, 0xac, 0xdb, 0x2e, 0x28, 0xd1,  \
+    0x7e, 0x02, 0x4b, 0x23, 0xa0, 0x15, 0xf2, 0x38, 0x65, 0x64, 0x09, 0xea,  \
+    0x0c, 0x6e, 0x8e, 0x1b, 0x17, 0xa0, 0x71, 0xc8, 0xb3, 0x9b, 0xc9, 0xab,  \
+    0xe9, 0xc3, 0xf2, 0xcf, 0x87, 0x96, 0x8f, 0x80, 0x02, 0x32, 0x9e, 0x99,  \
+    0x58, 0x6f, 0xa2, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,  \
+    0x00, 0x3f, 0xf7, 0x07, 0xd3, 0x34, 0x6f, 0xdb, 0xc9, 0x37, 0xb7, 0x84,  \
+    0xdc, 0x37, 0x45, 0xe1, 0x63, 0xad, 0xb8, 0xb6, 0x75, 0xb1, 0xc7, 0x35,  \
+    0xb4, 0x77, 0x2a, 0x5b, 0x77, 0xf9, 0x7e, 0xe0, 0xc1, 0xa3, 0xd1, 0xb7,  \
+    0xcb, 0xa9, 0x5a, 0xc1, 0x87, 0xda, 0x5a, 0xfa, 0x17, 0xe4, 0xd5, 0x38,  \
+    0x03, 0xde, 0x68, 0x98, 0x81, 0xec, 0xb5, 0xf2, 0x2a, 0x8d, 0xe9, 0x2c,  \
+    0xf3, 0xa6, 0xe5, 0x32, 0x17, 0x7f, 0x33, 0x81, 0xe8, 0x38, 0x72, 0xd5,  \
+    0x9c, 0xfa, 0x4e, 0xfb, 0x26, 0xf5, 0x15, 0x0b, 0xaf, 0x84, 0x66, 0xab,  \
+    0x02, 0xe0, 0x18, 0xd5, 0x91, 0x7c, 0xd6, 0x8f, 0xc9, 0x4b, 0x76, 0x08,  \
+    0x2b, 0x1d, 0x81, 0x68, 0x30, 0xe1, 0xfa, 0x70, 0x6c, 0x13, 0x4e, 0x10,  \
+    0x03, 0x35, 0x3e, 0xc5, 0xca, 0x58, 0x20, 0x8a, 0x21, 0x18, 0x38, 0xa0,  \
+    0x0f, 0xed, 0xc4, 0xbb, 0x45, 0x6f, 0xf5, 0x84, 0x5b, 0xb0, 0xcf, 0x4e,  \
+    0x9d, 0x58, 0x13, 0x6b, 0x35, 0x35, 0x69, 0xa1, 0xd2, 0xc4, 0xf2, 0xc1,  \
+    0x48, 0x04, 0x20, 0x51, 0xb9, 0x6b, 0xa4, 0x5d, 0xa5, 0x4b, 0x84, 0x88,  \
+    0x43, 0x48, 0x99, 0x2c, 0xbb, 0xa4, 0x97, 0xd6, 0xd6, 0x18, 0xf6, 0xec,  \
+    0x5c, 0xd1, 0x31, 0x49, 0xc9, 0xf2, 0x8f, 0x0b, 0x4d, 0xef, 0x09, 0x02,  \
+    0xfe, 0x7d, 0xfd, 0xbb, 0xaf, 0x2b, 0x83, 0x94, 0x22, 0xc4, 0xa7, 0x3e,  \
+    0x66, 0xf5, 0xe0, 0x57, 0xdc, 0xf2, 0xed, 0x2c, 0x3e, 0x81, 0x74, 0x76,  \
+    0x1e, 0x96, 0x6f, 0x74, 0x1e, 0x32, 0x0e, 0x14, 0x31, 0xd0, 0x74, 0xf0,  \
+    0xf4, 0x07, 0xbd, 0xc3, 0xd1, 0x22, 0xc2, 0xa8, 0x95, 0x92, 0x06, 0x7f,  \
+    0x43, 0x02, 0x91, 0xbc, 0xdd, 0x23, 0x01, 0x89, 0x94, 0x20, 0x44, 0x64,  \
+    0xf5, 0x1d, 0x67, 0xd2, 0x8f, 0xe8, 0x69, 0xa5, 0x29, 0x25, 0xe6, 0x50,  \
+    0x9c, 0xe3, 0xe9, 0xcb, 0x75, 0x02, 0x81, 0x81, 0x00, 0xe2, 0x29, 0x3e,  \
+    0xaa, 0x6b, 0xd5, 0x59, 0x1e, 0x9c, 0xe6, 0x47, 0xd5, 0xb6, 0xd7, 0xe3,  \
+    0xf1, 0x8e, 0x9e, 0xe9, 0x83, 0x5f, 0x10, 0x9f, 0x63, 0xec, 0x04, 0x44,  \
+    0xcc, 0x3f, 0xf8, 0xd9, 0x3a, 0x17, 0xe0, 0x4f, 0xfe, 0xd8, 0x4d, 0xcd,  \
+    0x46, 0x54, 0x74, 0xbf, 0x0a, 0xc4, 0x67, 0x9c, 0xa7, 0xd8, 0x89, 0x65,  \
+    0x4c, 0xfd, 0x58, 0x2a, 0x47, 0x0f, 0xf4, 0x37, 0xb6, 0x55, 0xb0, 0x1d,  \
+    0xed, 0xa7, 0x39, 0xfc, 0x4f, 0xa3, 0xc4, 0x75, 0x3a, 0xa3, 0x98, 0xa7,  \
+    0x45, 0xf5, 0x66, 0xcb, 0x7c, 0x65, 0xfb, 0x80, 0x23, 0xe6, 0xff, 0xfd,  \
+    0x99, 0x1f, 0x8e, 0x6b, 0xff, 0x5e, 0x93, 0x66, 0xdf, 0x6c, 0x6f, 0xc3,  \
+    0xf6, 0x38, 0x2e, 0xff, 0x69, 0xb5, 0xac, 0xae, 0xbb, 0xc6, 0x71, 0x16,  \
+    0x6b, 0xd0, 0xf8, 0x22, 0xd9, 0xf8, 0xa2, 0x72, 0x20, 0xd2, 0xe2, 0x3a,  \
+    0x70, 0x4b, 0xde, 0xab, 0x2f, 0x02, 0x81, 0x81, 0x00, 0xda, 0x51, 0x9b,  \
+    0xb8, 0xb2, 0x2a, 0x14, 0x75, 0x58, 0x40, 0x8d, 0x27, 0x70, 0xfa, 0x31,  \
+    0x48, 0xb0, 0x20, 0x21, 0x34, 0xfa, 0x4c, 0x57, 0xa8, 0x11, 0x88, 0xf3,  \
+    0xa7, 0xae, 0x21, 0xe9, 0xb6, 0x2b, 0xd1, 0xcd, 0xa7, 0xf8, 0xd8, 0x0c,  \
+    0x8a, 0x76, 0x22, 0x35, 0x44, 0xce, 0x3f, 0x25, 0x29, 0x83, 0x7d, 0x79,  \
+    0xa7, 0x31, 0xd6, 0xec, 0xb2, 0xbf, 0xda, 0x34, 0xb6, 0xf6, 0xb2, 0x3b,  \
+    0xf3, 0x78, 0x5a, 0x04, 0x83, 0x33, 0x3e, 0xa2, 0xe2, 0x81, 0x82, 0x13,  \
+    0xd4, 0x35, 0x17, 0x63, 0x9b, 0x9e, 0xc4, 0x8d, 0x91, 0x4c, 0x03, 0x77,  \
+    0xc7, 0x71, 0x5b, 0xee, 0x83, 0x6d, 0xd5, 0x78, 0x88, 0xf6, 0x2c, 0x79,  \
+    0xc2, 0x4a, 0xb4, 0x79, 0x90, 0x70, 0xbf, 0xdf, 0x34, 0x56, 0x96, 0x71,  \
+    0xe3, 0x0e, 0x68, 0x91, 0xbc, 0xea, 0xcb, 0x33, 0xc0, 0xbe, 0x45, 0xd7,  \
+    0xfc, 0x30, 0xfd, 0x01, 0x3b, 0x02, 0x81, 0x81, 0x00, 0xd2, 0x9f, 0x2a,  \
+    0xb7, 0x38, 0x19, 0xc7, 0x17, 0x95, 0x73, 0x78, 0xae, 0xf5, 0xcb, 0x75,  \
+    0x83, 0x7f, 0x19, 0x4b, 0xcb, 0x86, 0xfb, 0x4a, 0x15, 0x9a, 0xb6, 0x17,  \
+    0x04, 0x49, 0x07, 0x8d, 0xf6, 0x66, 0x4a, 0x06, 0xf6, 0x05, 0xa7, 0xdf,  \
+    0x66, 0x82, 0x3c, 0xff, 0xb6, 0x1d, 0x57, 0x89, 0x33, 0x5f, 0x9c, 0x05,  \
+    0x75, 0x7f, 0xf3, 0x5d, 0xdc, 0x34, 0x65, 0x72, 0x85, 0x22, 0xa4, 0x14,  \
+    0x1b, 0x41, 0xc3, 0xe4, 0xd0, 0x9e, 0x69, 0xd5, 0xeb, 0x38, 0x74, 0x70,  \
+    0x43, 0xdc, 0xd9, 0x50, 0xe4, 0x97, 0x6d, 0x73, 0xd6, 0xfb, 0xc8, 0xa7,  \
+    0xfa, 0xb4, 0xc2, 0xc4, 0x9d, 0x5d, 0x0c, 0xd5, 0x9f, 0x79, 0xb3, 0x54,  \
+    0xc2, 0xb7, 0x6c, 0x3d, 0x7d, 0xcb, 0x2d, 0xf8, 0xc4, 0xf3, 0x78, 0x5a,  \
+    0x33, 0x2a, 0xb8, 0x0c, 0x6d, 0x06, 0xfa, 0xf2, 0x62, 0xd3, 0x42, 0xd0,  \
+    0xbd, 0xc8, 0x4a, 0xa5, 0x0d, 0x02, 0x81, 0x81, 0x00, 0xd4, 0xa9, 0x90,  \
+    0x15, 0xde, 0xbf, 0x2c, 0xc4, 0x8d, 0x9d, 0xfb, 0xa1, 0xc2, 0xe4, 0x83,  \
+    0xe3, 0x79, 0x65, 0x22, 0xd3, 0xb7, 0x49, 0x6c, 0x4d, 0x94, 0x1f, 0x22,  \
+    0xb1, 0x60, 0xe7, 0x3a, 0x00, 0xb1, 0x38, 0xa2, 0xab, 0x0f, 0xb4, 0x6c,  \
+    0xaa, 0xe7, 0x9e, 0x34, 0xe3, 0x7c, 0x40, 0x78, 0x53, 0xb2, 0xf9, 0x23,  \
+    0xea, 0xa0, 0x9a, 0xea, 0x60, 0xc8, 0x8f, 0xa6, 0xaf, 0xdf, 0x29, 0x09,  \
+    0x4b, 0x06, 0x1e, 0x31, 0xad, 0x17, 0xda, 0xd8, 0xd1, 0xe9, 0x33, 0xab,  \
+    0x5b, 0x18, 0x08, 0x5b, 0x87, 0xf8, 0xa5, 0x1f, 0xfd, 0xbb, 0xdc, 0xd8,  \
+    0xed, 0x97, 0x57, 0xe4, 0xc3, 0x73, 0xd6, 0xf0, 0x9e, 0x01, 0xa6, 0x9b,  \
+    0x48, 0x8e, 0x7a, 0xb4, 0xbb, 0xe5, 0x88, 0x91, 0xc5, 0x2a, 0xdf, 0x4b,  \
+    0xba, 0xd0, 0x8b, 0x3e, 0x03, 0x97, 0x77, 0x2f, 0x47, 0x7e, 0x51, 0x0c,  \
+    0xae, 0x65, 0x8d, 0xde, 0x87, 0x02, 0x81, 0x80, 0x20, 0x24, 0x0f, 0xd2,  \
+    0xaf, 0xc2, 0x28, 0x3b, 0x97, 0x20, 0xb2, 0x92, 0x49, 0xeb, 0x09, 0x68,  \
+    0x40, 0xb2, 0xbe, 0xd1, 0xc3, 0x83, 0x94, 0x34, 0x38, 0xd6, 0xc9, 0xec,  \
+    0x34, 0x09, 0xf9, 0x41, 0x6d, 0x5c, 0x42, 0x94, 0xf7, 0x04, 0xfc, 0x32,  \
+    0x39, 0x69, 0xbc, 0x1c, 0xfb, 0x3e, 0x61, 0x98, 0xc0, 0x80, 0xd8, 0x36,  \
+    0x47, 0xc3, 0x6d, 0xc2, 0x2e, 0xe7, 0x81, 0x2a, 0x17, 0x34, 0x64, 0x30,  \
+    0x4e, 0x96, 0xbb, 0x26, 0x16, 0xb9, 0x41, 0x36, 0xfe, 0x8a, 0xd6, 0x53,  \
+    0x7c, 0xaa, 0xec, 0x39, 0x42, 0x50, 0xef, 0xe3, 0xb3, 0x01, 0x28, 0x32,  \
+    0xca, 0x6d, 0xf5, 0x9a, 0x1e, 0x9f, 0x37, 0xbe, 0xfe, 0x38, 0x20, 0x22,  \
+    0x91, 0x8c, 0xcd, 0x95, 0x02, 0xf2, 0x4d, 0x6f, 0x1a, 0xb4, 0x43, 0xf0,  \
+    0x19, 0xdf, 0x65, 0xc0, 0x92, 0xe7, 0x9d, 0x2f, 0x09, 0xe7, 0xec, 0x69,  \
+    0xa8, 0xc2, 0x8f, 0x0d                                                   \
+}
+/* END FILE */
+
+/*
+ * Test server Certificates
+ *
+ * Test server certificates are defined for each choice
+ * of the following parameters:
+ * - PEM or DER encoding
+ * - SHA-1 or SHA-256 hash
+ * - RSA or EC key
+ *
+ * Things to add:
+ * - multiple EC curve types
+ */
+
+/* This is taken from tests/data_files/server5.crt. */
+/* BEGIN FILE string macro TEST_SRV_CRT_EC_PEM tests/data_files/server5.crt */
+#define TEST_SRV_CRT_EC_PEM                                                \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n" \
+    "MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG\r\n" \
+    "CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA\r\n" \
+    "2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd\r\n" \
+    "BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB\r\n" \
+    "PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh\r\n" \
+    "clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG\r\n" \
+    "CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S\r\n" \
+    "C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V\r\n" \
+    "fGa5kHvHARBPc8YAIVIqDvHH1Q==\r\n"                                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/server5.crt.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_SRV_CRT_EC_DER tests/data_files/server5.crt.der */
+#define TEST_SRV_CRT_EC_DER {                                                \
+    0x30, 0x82, 0x02, 0x1f, 0x30, 0x82, 0x01, 0xa5, 0xa0, 0x03, 0x02, 0x01,  \
+    0x02, 0x02, 0x01, 0x09, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,  \
+    0x3d, 0x04, 0x03, 0x02, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,  \
+    0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65,  \
+    0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,  \
+    0x31, 0x33, 0x30, 0x39, 0x32, 0x34, 0x31, 0x35, 0x35, 0x32, 0x30, 0x34,  \
+    0x5a, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x39, 0x32, 0x32, 0x31, 0x35, 0x35,  \
+    0x32, 0x30, 0x34, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,  \
+    0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x59,  \
+    0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06,  \
+    0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00,  \
+    0x04, 0x37, 0xcc, 0x56, 0xd9, 0x76, 0x09, 0x1e, 0x5a, 0x72, 0x3e, 0xc7,  \
+    0x59, 0x2d, 0xff, 0x20, 0x6e, 0xee, 0x7c, 0xf9, 0x06, 0x91, 0x74, 0xd0,  \
+    0xad, 0x14, 0xb5, 0xf7, 0x68, 0x22, 0x59, 0x62, 0x92, 0x4e, 0xe5, 0x00,  \
+    0xd8, 0x23, 0x11, 0xff, 0xea, 0x2f, 0xd2, 0x34, 0x5d, 0x5d, 0x16, 0xbd,  \
+    0x8a, 0x88, 0xc2, 0x6b, 0x77, 0x0d, 0x55, 0xcd, 0x8a, 0x2a, 0x0e, 0xfa,  \
+    0x01, 0xc8, 0xb4, 0xed, 0xff, 0xa3, 0x81, 0x9d, 0x30, 0x81, 0x9a, 0x30,  \
+    0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d,  \
+    0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x50, 0x61, 0xa5,  \
+    0x8f, 0xd4, 0x07, 0xd9, 0xd7, 0x82, 0x01, 0x0c, 0xe5, 0x65, 0x7f, 0x8c,  \
+    0x63, 0x46, 0xa7, 0x13, 0xbe, 0x30, 0x6e, 0x06, 0x03, 0x55, 0x1d, 0x23,  \
+    0x04, 0x67, 0x30, 0x65, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49, 0x01,  \
+    0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb, 0xfb,  \
+    0x36, 0x7c, 0xa1, 0x42, 0xa4, 0x40, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09,  \
+    0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30,  \
+    0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61,  \
+    0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04,  \
+    0x03, 0x13, 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20,  \
+    0x54, 0x65, 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x82, 0x09,  \
+    0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8, 0x30, 0x0a, 0x06,  \
+    0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x68, 0x00,  \
+    0x30, 0x65, 0x02, 0x31, 0x00, 0x9a, 0x2c, 0x5c, 0xd7, 0xa6, 0xdb, 0xa2,  \
+    0xe5, 0x64, 0x0d, 0xf0, 0xb9, 0x4e, 0xdd, 0xd7, 0x61, 0xd6, 0x13, 0x31,  \
+    0xc7, 0xab, 0x73, 0x80, 0xbb, 0xd3, 0xd3, 0x73, 0x13, 0x54, 0xad, 0x92,  \
+    0x0b, 0x5d, 0xab, 0xd0, 0xbc, 0xf7, 0xae, 0x2f, 0xe6, 0xa1, 0x21, 0x29,  \
+    0x35, 0x95, 0xaa, 0x3e, 0x39, 0x02, 0x30, 0x21, 0x36, 0x7f, 0x9d, 0xc6,  \
+    0x5d, 0xc6, 0x0b, 0xab, 0x27, 0xf2, 0x25, 0x1d, 0x3b, 0xf1, 0xcf, 0xf1,  \
+    0x35, 0x25, 0x14, 0xe7, 0xe5, 0xf1, 0x97, 0xb5, 0x59, 0xe3, 0x5e, 0x15,  \
+    0x7c, 0x66, 0xb9, 0x90, 0x7b, 0xc7, 0x01, 0x10, 0x4f, 0x73, 0xc6, 0x00,  \
+    0x21, 0x52, 0x2a, 0x0e, 0xf1, 0xc7, 0xd5                                 \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/server5.key. */
+/* BEGIN FILE string macro TEST_SRV_KEY_EC_PEM tests/data_files/server5.key */
+#define TEST_SRV_KEY_EC_PEM                                                \
+    "-----BEGIN EC PRIVATE KEY-----\r\n"                                   \
+    "MHcCAQEEIPEqEyB2AnCoPL/9U/YDHvdqXYbIogTywwyp6/UfDw6noAoGCCqGSM49\r\n" \
+    "AwEHoUQDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/\r\n" \
+    "6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/w==\r\n"                             \
+    "-----END EC PRIVATE KEY-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/server5.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_SRV_KEY_EC_DER tests/data_files/server5.key.der */
+#define TEST_SRV_KEY_EC_DER {                                                \
+    0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0xf1, 0x2a, 0x13, 0x20, 0x76,  \
+    0x02, 0x70, 0xa8, 0x3c, 0xbf, 0xfd, 0x53, 0xf6, 0x03, 0x1e, 0xf7, 0x6a,  \
+    0x5d, 0x86, 0xc8, 0xa2, 0x04, 0xf2, 0xc3, 0x0c, 0xa9, 0xeb, 0xf5, 0x1f,  \
+    0x0f, 0x0e, 0xa7, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,  \
+    0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x37, 0xcc, 0x56,  \
+    0xd9, 0x76, 0x09, 0x1e, 0x5a, 0x72, 0x3e, 0xc7, 0x59, 0x2d, 0xff, 0x20,  \
+    0x6e, 0xee, 0x7c, 0xf9, 0x06, 0x91, 0x74, 0xd0, 0xad, 0x14, 0xb5, 0xf7,  \
+    0x68, 0x22, 0x59, 0x62, 0x92, 0x4e, 0xe5, 0x00, 0xd8, 0x23, 0x11, 0xff,  \
+    0xea, 0x2f, 0xd2, 0x34, 0x5d, 0x5d, 0x16, 0xbd, 0x8a, 0x88, 0xc2, 0x6b,  \
+    0x77, 0x0d, 0x55, 0xcd, 0x8a, 0x2a, 0x0e, 0xfa, 0x01, 0xc8, 0xb4, 0xed,  \
+    0xff                                                                     \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/server2-sha256.crt. */
+/* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA256_PEM tests/data_files/server2-sha256.crt */
+#define TEST_SRV_CRT_RSA_SHA256_PEM                                        \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
+    "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
+    "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
+    "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
+    "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
+    "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
+    "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
+    "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
+    "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAGGEshT5\r\n" \
+    "kvnRmLVScVeUEdwIrvW7ezbGbUvJ8VxeJ79/HSjlLiGbMc4uUathwtzEdi9R/4C5\r\n" \
+    "DXBNeEPTkbB+fhG1W06iHYj/Dp8+aaG7fuDxKVKHVZSqBnmQLn73ymyclZNHii5A\r\n" \
+    "3nTS8WUaHAzxN/rajOtoM7aH1P9tULpHrl+7HOeLMpxUnwI12ZqZaLIzxbcdJVcr\r\n" \
+    "ra2F00aXCGkYVLvyvbZIq7LC+yVysej5gCeQYD7VFOEks0jhFjrS06gP0/XnWv6v\r\n" \
+    "eBoPez9d+CCjkrhseiWzXOiriIMICX48EloO/DrsMRAtvlwq7EDz4QhILz6ffndm\r\n" \
+    "e4K1cVANRPN2o9Y=\r\n"                                                 \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is taken from tests/data_files/server2-sha256.crt.der. */
+/* BEGIN FILE binary macro TEST_SRV_CRT_RSA_SHA256_DER tests/data_files/server2-sha256.crt.der */
+#define TEST_SRV_CRT_RSA_SHA256_DER {                                        \
+    0x30, 0x82, 0x03, 0x37, 0x30, 0x82, 0x02, 0x1f, 0xa0, 0x03, 0x02, 0x01,  \
+    0x02, 0x02, 0x01, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,  \
+    0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,  \
+    0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,  \
+    0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,  \
+    0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,  \
+    0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,  \
+    0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,  \
+    0x31, 0x31, 0x30, 0x32, 0x31, 0x32, 0x31, 0x34, 0x34, 0x34, 0x30, 0x36,  \
+    0x5a, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x32, 0x31, 0x32, 0x31, 0x34, 0x34,  \
+    0x34, 0x30, 0x36, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,  \
+    0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x82,  \
+    0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,  \
+    0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,  \
+    0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc1, 0x4d, 0xa3, 0xdd, 0xe7,  \
+    0xcd, 0x1d, 0xd1, 0x04, 0xd7, 0x49, 0x72, 0xb8, 0x99, 0xac, 0x0e, 0x78,  \
+    0xe4, 0x3a, 0x3c, 0x4a, 0xcf, 0x3a, 0x13, 0x16, 0xd0, 0x5a, 0xe4, 0xcd,  \
+    0xa3, 0x00, 0x88, 0xa7, 0xee, 0x1e, 0x6b, 0x96, 0xa7, 0x52, 0xb4, 0x90,  \
+    0xef, 0x2d, 0x72, 0x7a, 0x3e, 0x24, 0x9a, 0xfc, 0xb6, 0x34, 0xac, 0x24,  \
+    0xf5, 0x77, 0xe0, 0x26, 0x64, 0x8c, 0x9c, 0xb0, 0x28, 0x7d, 0xa1, 0xda,  \
+    0xea, 0x8c, 0xe6, 0xc9, 0x1c, 0x96, 0xbc, 0xfe, 0xc1, 0x04, 0x52, 0xb3,  \
+    0x36, 0xd4, 0xa3, 0xfa, 0xe1, 0xb1, 0x76, 0xd8, 0x90, 0xc1, 0x61, 0xb4,  \
+    0x66, 0x52, 0x36, 0xa2, 0x26, 0x53, 0xaa, 0xab, 0x74, 0x5e, 0x07, 0x7d,  \
+    0x19, 0x82, 0xdb, 0x2a, 0xd8, 0x1f, 0xa0, 0xd9, 0x0d, 0x1c, 0x2d, 0x49,  \
+    0x66, 0xf7, 0x5b, 0x25, 0x73, 0x46, 0xe8, 0x0b, 0x8a, 0x4f, 0x69, 0x0c,  \
+    0xb5, 0x00, 0x90, 0xe1, 0xda, 0x82, 0x10, 0x66, 0x7d, 0xae, 0x54, 0x2b,  \
+    0x8b, 0x65, 0x79, 0x91, 0xa1, 0xe2, 0x61, 0xc3, 0xcd, 0x40, 0x49, 0x08,  \
+    0xee, 0x68, 0x0c, 0xf1, 0x8b, 0x86, 0xd2, 0x46, 0xbf, 0xd0, 0xb8, 0xaa,  \
+    0x11, 0x03, 0x1e, 0x7f, 0x56, 0xa8, 0x1a, 0x1e, 0x44, 0x18, 0x0f, 0x0f,  \
+    0x85, 0x8b, 0xda, 0x8b, 0x44, 0x5e, 0xe2, 0x18, 0xc6, 0x62, 0x2f, 0xc7,  \
+    0x66, 0x8d, 0xfa, 0x5d, 0xd8, 0x7d, 0xf3, 0x27, 0x89, 0x29, 0x01, 0xc5,  \
+    0x90, 0x0e, 0x3f, 0x27, 0xf1, 0x30, 0xc8, 0x4a, 0x0e, 0xef, 0xd6, 0xde,  \
+    0xc7, 0xc7, 0x27, 0x6b, 0xc7, 0x05, 0x3d, 0x7a, 0xc4, 0x02, 0x3c, 0x9a,  \
+    0x1d, 0x3e, 0x0f, 0xe8, 0x34, 0x98, 0x5b, 0xcb, 0x73, 0x4b, 0x52, 0x96,  \
+    0xd8, 0x11, 0xa2, 0x2c, 0x80, 0x88, 0x69, 0x39, 0x5a, 0xd3, 0x0f, 0xb0,  \
+    0xde, 0x59, 0x2f, 0x11, 0xc7, 0xf7, 0xea, 0x12, 0x01, 0x30, 0x97, 0x02,  \
+    0x03, 0x01, 0x00, 0x01, 0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,  \
+    0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xa5, 0x05, 0xe8, 0x64, 0xb8, 0xdc,  \
+    0xdf, 0x60, 0x0f, 0x50, 0x12, 0x4d, 0x60, 0xa8, 0x64, 0xaf, 0x4d, 0x8b,  \
+    0x43, 0x93, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,  \
+    0x16, 0x80, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6,  \
+    0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30,  \
+    0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,  \
+    0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x61, 0x84, 0xb2, 0x14, 0xf9,  \
+    0x92, 0xf9, 0xd1, 0x98, 0xb5, 0x52, 0x71, 0x57, 0x94, 0x11, 0xdc, 0x08,  \
+    0xae, 0xf5, 0xbb, 0x7b, 0x36, 0xc6, 0x6d, 0x4b, 0xc9, 0xf1, 0x5c, 0x5e,  \
+    0x27, 0xbf, 0x7f, 0x1d, 0x28, 0xe5, 0x2e, 0x21, 0x9b, 0x31, 0xce, 0x2e,  \
+    0x51, 0xab, 0x61, 0xc2, 0xdc, 0xc4, 0x76, 0x2f, 0x51, 0xff, 0x80, 0xb9,  \
+    0x0d, 0x70, 0x4d, 0x78, 0x43, 0xd3, 0x91, 0xb0, 0x7e, 0x7e, 0x11, 0xb5,  \
+    0x5b, 0x4e, 0xa2, 0x1d, 0x88, 0xff, 0x0e, 0x9f, 0x3e, 0x69, 0xa1, 0xbb,  \
+    0x7e, 0xe0, 0xf1, 0x29, 0x52, 0x87, 0x55, 0x94, 0xaa, 0x06, 0x79, 0x90,  \
+    0x2e, 0x7e, 0xf7, 0xca, 0x6c, 0x9c, 0x95, 0x93, 0x47, 0x8a, 0x2e, 0x40,  \
+    0xde, 0x74, 0xd2, 0xf1, 0x65, 0x1a, 0x1c, 0x0c, 0xf1, 0x37, 0xfa, 0xda,  \
+    0x8c, 0xeb, 0x68, 0x33, 0xb6, 0x87, 0xd4, 0xff, 0x6d, 0x50, 0xba, 0x47,  \
+    0xae, 0x5f, 0xbb, 0x1c, 0xe7, 0x8b, 0x32, 0x9c, 0x54, 0x9f, 0x02, 0x35,  \
+    0xd9, 0x9a, 0x99, 0x68, 0xb2, 0x33, 0xc5, 0xb7, 0x1d, 0x25, 0x57, 0x2b,  \
+    0xad, 0xad, 0x85, 0xd3, 0x46, 0x97, 0x08, 0x69, 0x18, 0x54, 0xbb, 0xf2,  \
+    0xbd, 0xb6, 0x48, 0xab, 0xb2, 0xc2, 0xfb, 0x25, 0x72, 0xb1, 0xe8, 0xf9,  \
+    0x80, 0x27, 0x90, 0x60, 0x3e, 0xd5, 0x14, 0xe1, 0x24, 0xb3, 0x48, 0xe1,  \
+    0x16, 0x3a, 0xd2, 0xd3, 0xa8, 0x0f, 0xd3, 0xf5, 0xe7, 0x5a, 0xfe, 0xaf,  \
+    0x78, 0x1a, 0x0f, 0x7b, 0x3f, 0x5d, 0xf8, 0x20, 0xa3, 0x92, 0xb8, 0x6c,  \
+    0x7a, 0x25, 0xb3, 0x5c, 0xe8, 0xab, 0x88, 0x83, 0x08, 0x09, 0x7e, 0x3c,  \
+    0x12, 0x5a, 0x0e, 0xfc, 0x3a, 0xec, 0x31, 0x10, 0x2d, 0xbe, 0x5c, 0x2a,  \
+    0xec, 0x40, 0xf3, 0xe1, 0x08, 0x48, 0x2f, 0x3e, 0x9f, 0x7e, 0x77, 0x66,  \
+    0x7b, 0x82, 0xb5, 0x71, 0x50, 0x0d, 0x44, 0xf3, 0x76, 0xa3, 0xd6         \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/server2.crt. */
+/* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA1_PEM tests/data_files/server2.crt */
+#define TEST_SRV_CRT_RSA_SHA1_PEM                                          \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
+    "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
+    "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
+    "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
+    "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
+    "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
+    "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
+    "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
+    "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAAFzC0rF\r\n" \
+    "y6De8WMcdgQrEw3AhBHFjzqnxZw1ene4IBSC7lTw8rBSy3jOWQdPUWn+0y/pCeeF\r\n" \
+    "kti6sevFdl1hLemGtd4q+T9TKEKGg3ND4ARfB5AUZZ9uEHq8WBkiwus5clGS17Qd\r\n" \
+    "dS/TOisB59tQruLx1E1bPLtBKyqk4koC5WAULJwfpswGSyWJTpYwIpxcWE3D2tBu\r\n" \
+    "UB6MZfXZFzWmWEOyKbeoXjXe8GBCGgHLywvYDsGQ36HSGtEsAvR2QaTLSxWYcfk1\r\n" \
+    "fbDn4jSWkb4yZy1r01UEigFQtONieGwRFaUqEcFJHJvEEGVgh9keaVlOj2vrwf5r\r\n" \
+    "4mN4lW7gLdenN6g=\r\n"                                                 \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is taken from tests/data_files/server2.crt.der. */
+/* BEGIN FILE binary macro TEST_SRV_CRT_RSA_SHA1_DER tests/data_files/server2.crt.der */
+#define TEST_SRV_CRT_RSA_SHA1_DER {                                          \
+    0x30, 0x82, 0x03, 0x37, 0x30, 0x82, 0x02, 0x1f, 0xa0, 0x03, 0x02, 0x01,  \
+    0x02, 0x02, 0x01, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,  \
+    0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,  \
+    0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,  \
+    0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,  \
+    0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,  \
+    0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,  \
+    0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,  \
+    0x31, 0x31, 0x30, 0x32, 0x31, 0x32, 0x31, 0x34, 0x34, 0x34, 0x30, 0x36,  \
+    0x5a, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x32, 0x31, 0x32, 0x31, 0x34, 0x34,  \
+    0x34, 0x30, 0x36, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,  \
+    0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x82,  \
+    0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,  \
+    0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,  \
+    0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc1, 0x4d, 0xa3, 0xdd, 0xe7,  \
+    0xcd, 0x1d, 0xd1, 0x04, 0xd7, 0x49, 0x72, 0xb8, 0x99, 0xac, 0x0e, 0x78,  \
+    0xe4, 0x3a, 0x3c, 0x4a, 0xcf, 0x3a, 0x13, 0x16, 0xd0, 0x5a, 0xe4, 0xcd,  \
+    0xa3, 0x00, 0x88, 0xa7, 0xee, 0x1e, 0x6b, 0x96, 0xa7, 0x52, 0xb4, 0x90,  \
+    0xef, 0x2d, 0x72, 0x7a, 0x3e, 0x24, 0x9a, 0xfc, 0xb6, 0x34, 0xac, 0x24,  \
+    0xf5, 0x77, 0xe0, 0x26, 0x64, 0x8c, 0x9c, 0xb0, 0x28, 0x7d, 0xa1, 0xda,  \
+    0xea, 0x8c, 0xe6, 0xc9, 0x1c, 0x96, 0xbc, 0xfe, 0xc1, 0x04, 0x52, 0xb3,  \
+    0x36, 0xd4, 0xa3, 0xfa, 0xe1, 0xb1, 0x76, 0xd8, 0x90, 0xc1, 0x61, 0xb4,  \
+    0x66, 0x52, 0x36, 0xa2, 0x26, 0x53, 0xaa, 0xab, 0x74, 0x5e, 0x07, 0x7d,  \
+    0x19, 0x82, 0xdb, 0x2a, 0xd8, 0x1f, 0xa0, 0xd9, 0x0d, 0x1c, 0x2d, 0x49,  \
+    0x66, 0xf7, 0x5b, 0x25, 0x73, 0x46, 0xe8, 0x0b, 0x8a, 0x4f, 0x69, 0x0c,  \
+    0xb5, 0x00, 0x90, 0xe1, 0xda, 0x82, 0x10, 0x66, 0x7d, 0xae, 0x54, 0x2b,  \
+    0x8b, 0x65, 0x79, 0x91, 0xa1, 0xe2, 0x61, 0xc3, 0xcd, 0x40, 0x49, 0x08,  \
+    0xee, 0x68, 0x0c, 0xf1, 0x8b, 0x86, 0xd2, 0x46, 0xbf, 0xd0, 0xb8, 0xaa,  \
+    0x11, 0x03, 0x1e, 0x7f, 0x56, 0xa8, 0x1a, 0x1e, 0x44, 0x18, 0x0f, 0x0f,  \
+    0x85, 0x8b, 0xda, 0x8b, 0x44, 0x5e, 0xe2, 0x18, 0xc6, 0x62, 0x2f, 0xc7,  \
+    0x66, 0x8d, 0xfa, 0x5d, 0xd8, 0x7d, 0xf3, 0x27, 0x89, 0x29, 0x01, 0xc5,  \
+    0x90, 0x0e, 0x3f, 0x27, 0xf1, 0x30, 0xc8, 0x4a, 0x0e, 0xef, 0xd6, 0xde,  \
+    0xc7, 0xc7, 0x27, 0x6b, 0xc7, 0x05, 0x3d, 0x7a, 0xc4, 0x02, 0x3c, 0x9a,  \
+    0x1d, 0x3e, 0x0f, 0xe8, 0x34, 0x98, 0x5b, 0xcb, 0x73, 0x4b, 0x52, 0x96,  \
+    0xd8, 0x11, 0xa2, 0x2c, 0x80, 0x88, 0x69, 0x39, 0x5a, 0xd3, 0x0f, 0xb0,  \
+    0xde, 0x59, 0x2f, 0x11, 0xc7, 0xf7, 0xea, 0x12, 0x01, 0x30, 0x97, 0x02,  \
+    0x03, 0x01, 0x00, 0x01, 0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,  \
+    0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xa5, 0x05, 0xe8, 0x64, 0xb8, 0xdc,  \
+    0xdf, 0x60, 0x0f, 0x50, 0x12, 0x4d, 0x60, 0xa8, 0x64, 0xaf, 0x4d, 0x8b,  \
+    0x43, 0x93, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,  \
+    0x16, 0x80, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6,  \
+    0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30,  \
+    0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05,  \
+    0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x01, 0x73, 0x0b, 0x4a, 0xc5,  \
+    0xcb, 0xa0, 0xde, 0xf1, 0x63, 0x1c, 0x76, 0x04, 0x2b, 0x13, 0x0d, 0xc0,  \
+    0x84, 0x11, 0xc5, 0x8f, 0x3a, 0xa7, 0xc5, 0x9c, 0x35, 0x7a, 0x77, 0xb8,  \
+    0x20, 0x14, 0x82, 0xee, 0x54, 0xf0, 0xf2, 0xb0, 0x52, 0xcb, 0x78, 0xce,  \
+    0x59, 0x07, 0x4f, 0x51, 0x69, 0xfe, 0xd3, 0x2f, 0xe9, 0x09, 0xe7, 0x85,  \
+    0x92, 0xd8, 0xba, 0xb1, 0xeb, 0xc5, 0x76, 0x5d, 0x61, 0x2d, 0xe9, 0x86,  \
+    0xb5, 0xde, 0x2a, 0xf9, 0x3f, 0x53, 0x28, 0x42, 0x86, 0x83, 0x73, 0x43,  \
+    0xe0, 0x04, 0x5f, 0x07, 0x90, 0x14, 0x65, 0x9f, 0x6e, 0x10, 0x7a, 0xbc,  \
+    0x58, 0x19, 0x22, 0xc2, 0xeb, 0x39, 0x72, 0x51, 0x92, 0xd7, 0xb4, 0x1d,  \
+    0x75, 0x2f, 0xd3, 0x3a, 0x2b, 0x01, 0xe7, 0xdb, 0x50, 0xae, 0xe2, 0xf1,  \
+    0xd4, 0x4d, 0x5b, 0x3c, 0xbb, 0x41, 0x2b, 0x2a, 0xa4, 0xe2, 0x4a, 0x02,  \
+    0xe5, 0x60, 0x14, 0x2c, 0x9c, 0x1f, 0xa6, 0xcc, 0x06, 0x4b, 0x25, 0x89,  \
+    0x4e, 0x96, 0x30, 0x22, 0x9c, 0x5c, 0x58, 0x4d, 0xc3, 0xda, 0xd0, 0x6e,  \
+    0x50, 0x1e, 0x8c, 0x65, 0xf5, 0xd9, 0x17, 0x35, 0xa6, 0x58, 0x43, 0xb2,  \
+    0x29, 0xb7, 0xa8, 0x5e, 0x35, 0xde, 0xf0, 0x60, 0x42, 0x1a, 0x01, 0xcb,  \
+    0xcb, 0x0b, 0xd8, 0x0e, 0xc1, 0x90, 0xdf, 0xa1, 0xd2, 0x1a, 0xd1, 0x2c,  \
+    0x02, 0xf4, 0x76, 0x41, 0xa4, 0xcb, 0x4b, 0x15, 0x98, 0x71, 0xf9, 0x35,  \
+    0x7d, 0xb0, 0xe7, 0xe2, 0x34, 0x96, 0x91, 0xbe, 0x32, 0x67, 0x2d, 0x6b,  \
+    0xd3, 0x55, 0x04, 0x8a, 0x01, 0x50, 0xb4, 0xe3, 0x62, 0x78, 0x6c, 0x11,  \
+    0x15, 0xa5, 0x2a, 0x11, 0xc1, 0x49, 0x1c, 0x9b, 0xc4, 0x10, 0x65, 0x60,  \
+    0x87, 0xd9, 0x1e, 0x69, 0x59, 0x4e, 0x8f, 0x6b, 0xeb, 0xc1, 0xfe, 0x6b,  \
+    0xe2, 0x63, 0x78, 0x95, 0x6e, 0xe0, 0x2d, 0xd7, 0xa7, 0x37, 0xa8         \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/server2.key. */
+/* BEGIN FILE string macro TEST_SRV_KEY_RSA_PEM tests/data_files/server2.key */
+#define TEST_SRV_KEY_RSA_PEM                                               \
+    "-----BEGIN RSA PRIVATE KEY-----\r\n"                                  \
+    "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n" \
+    "lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n" \
+    "2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n" \
+    "Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n" \
+    "GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n" \
+    "y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n" \
+    "++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n" \
+    "Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n" \
+    "/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n" \
+    "WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n" \
+    "GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n" \
+    "TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n" \
+    "CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n" \
+    "nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n" \
+    "AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n" \
+    "sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n" \
+    "mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n" \
+    "BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n" \
+    "whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n" \
+    "vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n" \
+    "3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n" \
+    "3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n" \
+    "ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n" \
+    "4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n" \
+    "TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n"         \
+    "-----END RSA PRIVATE KEY-----\r\n"
+/* END FILE */
+
+/* This was generated from tests/data_files/server2.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_SRV_KEY_RSA_DER tests/data_files/server2.key.der */
+#define TEST_SRV_KEY_RSA_DER {                                               \
+    0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,  \
+    0xc1, 0x4d, 0xa3, 0xdd, 0xe7, 0xcd, 0x1d, 0xd1, 0x04, 0xd7, 0x49, 0x72,  \
+    0xb8, 0x99, 0xac, 0x0e, 0x78, 0xe4, 0x3a, 0x3c, 0x4a, 0xcf, 0x3a, 0x13,  \
+    0x16, 0xd0, 0x5a, 0xe4, 0xcd, 0xa3, 0x00, 0x88, 0xa7, 0xee, 0x1e, 0x6b,  \
+    0x96, 0xa7, 0x52, 0xb4, 0x90, 0xef, 0x2d, 0x72, 0x7a, 0x3e, 0x24, 0x9a,  \
+    0xfc, 0xb6, 0x34, 0xac, 0x24, 0xf5, 0x77, 0xe0, 0x26, 0x64, 0x8c, 0x9c,  \
+    0xb0, 0x28, 0x7d, 0xa1, 0xda, 0xea, 0x8c, 0xe6, 0xc9, 0x1c, 0x96, 0xbc,  \
+    0xfe, 0xc1, 0x04, 0x52, 0xb3, 0x36, 0xd4, 0xa3, 0xfa, 0xe1, 0xb1, 0x76,  \
+    0xd8, 0x90, 0xc1, 0x61, 0xb4, 0x66, 0x52, 0x36, 0xa2, 0x26, 0x53, 0xaa,  \
+    0xab, 0x74, 0x5e, 0x07, 0x7d, 0x19, 0x82, 0xdb, 0x2a, 0xd8, 0x1f, 0xa0,  \
+    0xd9, 0x0d, 0x1c, 0x2d, 0x49, 0x66, 0xf7, 0x5b, 0x25, 0x73, 0x46, 0xe8,  \
+    0x0b, 0x8a, 0x4f, 0x69, 0x0c, 0xb5, 0x00, 0x90, 0xe1, 0xda, 0x82, 0x10,  \
+    0x66, 0x7d, 0xae, 0x54, 0x2b, 0x8b, 0x65, 0x79, 0x91, 0xa1, 0xe2, 0x61,  \
+    0xc3, 0xcd, 0x40, 0x49, 0x08, 0xee, 0x68, 0x0c, 0xf1, 0x8b, 0x86, 0xd2,  \
+    0x46, 0xbf, 0xd0, 0xb8, 0xaa, 0x11, 0x03, 0x1e, 0x7f, 0x56, 0xa8, 0x1a,  \
+    0x1e, 0x44, 0x18, 0x0f, 0x0f, 0x85, 0x8b, 0xda, 0x8b, 0x44, 0x5e, 0xe2,  \
+    0x18, 0xc6, 0x62, 0x2f, 0xc7, 0x66, 0x8d, 0xfa, 0x5d, 0xd8, 0x7d, 0xf3,  \
+    0x27, 0x89, 0x29, 0x01, 0xc5, 0x90, 0x0e, 0x3f, 0x27, 0xf1, 0x30, 0xc8,  \
+    0x4a, 0x0e, 0xef, 0xd6, 0xde, 0xc7, 0xc7, 0x27, 0x6b, 0xc7, 0x05, 0x3d,  \
+    0x7a, 0xc4, 0x02, 0x3c, 0x9a, 0x1d, 0x3e, 0x0f, 0xe8, 0x34, 0x98, 0x5b,  \
+    0xcb, 0x73, 0x4b, 0x52, 0x96, 0xd8, 0x11, 0xa2, 0x2c, 0x80, 0x88, 0x69,  \
+    0x39, 0x5a, 0xd3, 0x0f, 0xb0, 0xde, 0x59, 0x2f, 0x11, 0xc7, 0xf7, 0xea,  \
+    0x12, 0x01, 0x30, 0x97, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,  \
+    0x01, 0x00, 0x97, 0x47, 0x44, 0xbc, 0x10, 0x81, 0xc5, 0x18, 0xe4, 0x59,  \
+    0xfb, 0xe0, 0x2d, 0x3a, 0x0e, 0x9e, 0x10, 0xdc, 0x43, 0xfb, 0x15, 0x6c,  \
+    0xd1, 0xfd, 0x48, 0x78, 0x6c, 0xf9, 0xed, 0x38, 0xe8, 0xdd, 0x09, 0xd7,  \
+    0x5f, 0xb5, 0x41, 0x64, 0xd7, 0x63, 0xfa, 0x9d, 0x44, 0x0a, 0xf8, 0x42,  \
+    0x13, 0xf1, 0xbb, 0x5e, 0x79, 0x20, 0x53, 0x98, 0x4b, 0x65, 0x7f, 0x86,  \
+    0x67, 0x48, 0xe4, 0xcf, 0xfb, 0x6a, 0x24, 0xe2, 0x34, 0xbd, 0x14, 0x9d,  \
+    0x2c, 0x16, 0xe2, 0xa4, 0x79, 0xd6, 0xa2, 0xec, 0x81, 0x43, 0x87, 0xbf,  \
+    0x03, 0x5c, 0x88, 0x25, 0xd9, 0x41, 0xb6, 0xa5, 0xf1, 0x27, 0x52, 0x84,  \
+    0xfe, 0x2b, 0x6e, 0x1d, 0x16, 0xcd, 0x73, 0x88, 0xf8, 0x90, 0xbf, 0x19,  \
+    0xfe, 0xbe, 0xa9, 0xbf, 0x09, 0xd3, 0x23, 0x43, 0xd2, 0xc7, 0x61, 0x2a,  \
+    0xb3, 0x4e, 0x3c, 0x61, 0xd4, 0xbd, 0xd8, 0xb4, 0xfa, 0xa8, 0x0b, 0xf8,  \
+    0x7e, 0x56, 0xcd, 0x0f, 0x13, 0x27, 0xda, 0xe6, 0x3b, 0xb3, 0x8c, 0x9c,  \
+    0x4b, 0x84, 0x3c, 0xc3, 0x52, 0x57, 0x9c, 0x27, 0x9a, 0x02, 0x76, 0x26,  \
+    0x59, 0x82, 0x39, 0xc3, 0x13, 0xbe, 0x6e, 0xf4, 0x44, 0x2d, 0x1d, 0x8c,  \
+    0x73, 0x3e, 0x43, 0x99, 0x59, 0xcb, 0xf2, 0x34, 0x72, 0x9a, 0x5e, 0xa5,  \
+    0xeb, 0x9f, 0x36, 0x6d, 0x2b, 0xf9, 0xa2, 0xe7, 0xd1, 0x78, 0x52, 0x1b,  \
+    0xc8, 0xf6, 0x5b, 0x41, 0x69, 0x57, 0x81, 0x89, 0xe9, 0xbb, 0xa1, 0xde,  \
+    0x19, 0x37, 0x3b, 0x13, 0x5c, 0xca, 0x61, 0x01, 0x86, 0xff, 0xdf, 0x83,  \
+    0x41, 0x49, 0x7f, 0xd6, 0xf4, 0x2e, 0x08, 0xfa, 0x90, 0xc2, 0x7c, 0xb4,  \
+    0xb5, 0x0a, 0x17, 0xdb, 0x0e, 0x6d, 0x75, 0x8a, 0x5d, 0x31, 0xd5, 0x66,  \
+    0xfb, 0x39, 0x0b, 0xb5, 0xb6, 0xa3, 0xcd, 0xd4, 0xef, 0x88, 0x92, 0x5a,  \
+    0x4d, 0x6c, 0xcb, 0xea, 0x5b, 0x79, 0x02, 0x81, 0x81, 0x00, 0xdf, 0x3a,  \
+    0xf9, 0x25, 0x5e, 0x24, 0x37, 0x26, 0x40, 0x97, 0x2f, 0xe0, 0x4a, 0xba,  \
+    0x52, 0x1b, 0x51, 0xaf, 0x84, 0x06, 0x32, 0x24, 0x0c, 0xcf, 0x44, 0xa8,  \
+    0x77, 0xa7, 0xad, 0xb5, 0x8c, 0x58, 0xcc, 0xc8, 0x31, 0xb7, 0x0d, 0xbc,  \
+    0x08, 0x8a, 0xe0, 0xa6, 0x8c, 0xc2, 0x73, 0xe5, 0x1a, 0x64, 0x92, 0xe8,  \
+    0xed, 0x4c, 0x6f, 0x0b, 0xa6, 0xa7, 0xf3, 0x9a, 0xf5, 0x6f, 0x69, 0xca,  \
+    0x3c, 0x22, 0xd0, 0x15, 0xa8, 0x20, 0x27, 0x41, 0xf8, 0x43, 0x42, 0x7f,  \
+    0xb1, 0x93, 0xa1, 0x04, 0x85, 0xda, 0xa0, 0x1c, 0xd6, 0xc6, 0xf7, 0x8a,  \
+    0x9e, 0xea, 0x5c, 0x78, 0xa7, 0x55, 0xc4, 0x6b, 0x05, 0x8b, 0xc0, 0x83,  \
+    0xcb, 0xce, 0x83, 0x05, 0xf8, 0xb2, 0x16, 0x2b, 0xdf, 0x06, 0x3f, 0xb8,  \
+    0xec, 0x16, 0xda, 0x43, 0x33, 0xc1, 0x8f, 0xb0, 0xb8, 0xac, 0xae, 0xd4,  \
+    0x94, 0xb8, 0xda, 0x6f, 0x6a, 0xc3, 0x02, 0x81, 0x81, 0x00, 0xdd, 0xae,  \
+    0x00, 0xcd, 0xa0, 0x72, 0x1a, 0x05, 0x8a, 0xee, 0x2f, 0xd4, 0x71, 0x4b,  \
+    0xf0, 0x3e, 0xe5, 0xc1, 0xe1, 0x29, 0x8b, 0xa6, 0x67, 0x30, 0x98, 0xe7,  \
+    0x12, 0xef, 0xdd, 0x12, 0x01, 0x90, 0x24, 0x58, 0xf0, 0x76, 0x92, 0xe7,  \
+    0x3d, 0xbb, 0x23, 0xe1, 0xce, 0xf9, 0xa1, 0xd4, 0x38, 0x1b, 0x3f, 0x20,  \
+    0xb3, 0x0f, 0x65, 0x6a, 0x8f, 0x55, 0x57, 0x36, 0xee, 0xb2, 0x84, 0x44,  \
+    0xfc, 0x91, 0x88, 0xe1, 0xa4, 0xdd, 0x3b, 0x4a, 0x40, 0x4d, 0x7c, 0x86,  \
+    0xed, 0xe1, 0xb5, 0x42, 0xef, 0xb9, 0x61, 0xcd, 0x58, 0x19, 0x77, 0x02,  \
+    0xae, 0x58, 0x80, 0xdb, 0x13, 0x3d, 0xc7, 0x1f, 0x9d, 0xed, 0xff, 0xac,  \
+    0x98, 0xfc, 0xcd, 0xf9, 0x62, 0x04, 0x83, 0x91, 0x89, 0x0d, 0x86, 0x43,  \
+    0x8c, 0x0c, 0xc7, 0x1b, 0x90, 0x4d, 0xbe, 0x2f, 0xc5, 0x7c, 0xcd, 0x42,  \
+    0xf5, 0xd3, 0xad, 0x8e, 0xfd, 0x9d, 0x02, 0x81, 0x80, 0x17, 0x4b, 0x79,  \
+    0x2a, 0x6c, 0x1b, 0x8d, 0x61, 0xc1, 0x85, 0xc5, 0x6a, 0x3b, 0x82, 0x1c,  \
+    0x05, 0x5b, 0xcd, 0xdc, 0x12, 0x25, 0x73, 0x5b, 0x9e, 0xd9, 0x84, 0x57,  \
+    0x10, 0x39, 0x71, 0x63, 0x96, 0xf4, 0xaf, 0xc3, 0x78, 0x5d, 0xc7, 0x8c,  \
+    0x80, 0xa9, 0x96, 0xd7, 0xc3, 0x87, 0x02, 0x96, 0x71, 0x7e, 0x5f, 0x2e,  \
+    0x3c, 0x36, 0xae, 0x59, 0x92, 0xd7, 0x3a, 0x09, 0x78, 0xb9, 0xea, 0x6f,  \
+    0xc2, 0x16, 0x42, 0xdc, 0x4b, 0x96, 0xad, 0x2c, 0xb2, 0x20, 0x23, 0x61,  \
+    0x2d, 0x8d, 0xb5, 0x02, 0x1e, 0xe1, 0x6c, 0x81, 0x01, 0x3c, 0x5d, 0xcb,  \
+    0xdd, 0x9b, 0x0e, 0xc0, 0x2f, 0x94, 0x12, 0xb2, 0xfe, 0x75, 0x75, 0x8b,  \
+    0x74, 0x1e, 0x7a, 0x26, 0x0c, 0xb7, 0x81, 0x96, 0x81, 0x79, 0x6e, 0xdb,  \
+    0xbc, 0x3a, 0xc4, 0x9e, 0x87, 0x09, 0x6e, 0xa0, 0xa6, 0xec, 0x8b, 0xa4,  \
+    0x85, 0x71, 0xce, 0x04, 0xaf, 0x02, 0x81, 0x81, 0x00, 0xc2, 0xa7, 0x47,  \
+    0x07, 0x48, 0x6a, 0xc8, 0xd4, 0xb3, 0x20, 0xe1, 0x98, 0xee, 0xff, 0x5a,  \
+    0x6f, 0x30, 0x7a, 0xa5, 0x47, 0x40, 0xdc, 0x16, 0x62, 0x42, 0xf1, 0x2c,  \
+    0xdc, 0xb8, 0xc7, 0x55, 0xde, 0x07, 0x3c, 0x9d, 0xb1, 0xd0, 0xdf, 0x02,  \
+    0x82, 0xb0, 0x48, 0x58, 0xe1, 0x34, 0xab, 0xcf, 0xb4, 0x85, 0x23, 0x26,  \
+    0x78, 0x4f, 0x7a, 0x59, 0x6f, 0xfb, 0x8c, 0x3d, 0xdf, 0x3d, 0x6c, 0x02,  \
+    0x47, 0x9c, 0xe5, 0x5e, 0x49, 0xf1, 0x05, 0x0b, 0x1f, 0xbf, 0x48, 0x0f,  \
+    0xdc, 0x10, 0xb9, 0x3d, 0x1d, 0x10, 0x77, 0x2a, 0x73, 0xf9, 0xdf, 0xbd,  \
+    0xcd, 0xf3, 0x1f, 0xeb, 0x6e, 0x64, 0xca, 0x2b, 0x78, 0x4f, 0xf8, 0x73,  \
+    0xc2, 0x10, 0xef, 0x79, 0x95, 0x33, 0x1e, 0x79, 0x35, 0x09, 0xff, 0x88,  \
+    0x1b, 0xb4, 0x3e, 0x4c, 0xe1, 0x27, 0x2e, 0x75, 0x80, 0x58, 0x11, 0x03,  \
+    0x21, 0x23, 0x96, 0x9a, 0xb5, 0x02, 0x81, 0x80, 0x05, 0x12, 0x64, 0x71,  \
+    0x83, 0x00, 0x1c, 0xfe, 0xef, 0x83, 0xea, 0xdd, 0x2c, 0xc8, 0x2c, 0x00,  \
+    0x62, 0x1e, 0x8f, 0x3a, 0xdb, 0x1c, 0xab, 0xd6, 0x34, 0x8b, 0xd1, 0xb2,  \
+    0x5a, 0x4f, 0x3d, 0x37, 0x38, 0x02, 0xe0, 0xd7, 0x70, 0xc1, 0xb0, 0x47,  \
+    0xe0, 0x08, 0x1a, 0x84, 0xec, 0x48, 0xc5, 0x7c, 0x76, 0x83, 0x12, 0x67,  \
+    0xab, 0x7c, 0x9f, 0x90, 0x97, 0xc8, 0x8f, 0x07, 0xf4, 0xb3, 0x60, 0xf2,  \
+    0x3f, 0x49, 0x18, 0xdb, 0x2e, 0x94, 0x6b, 0x53, 0x9e, 0xa2, 0x63, 0xde,  \
+    0x63, 0xd9, 0xab, 0x21, 0x2e, 0x2d, 0x0a, 0xe0, 0xd0, 0xe8, 0xba, 0xc4,  \
+    0x4c, 0x1e, 0xa5, 0xf5, 0x51, 0xa8, 0xc4, 0x92, 0xf8, 0x7f, 0x21, 0xe7,  \
+    0x65, 0xbf, 0x0b, 0xe6, 0x01, 0xaf, 0x9c, 0x1d, 0x5b, 0x6c, 0x3f, 0x1c,  \
+    0x2f, 0xa6, 0x0f, 0x68, 0x38, 0x8e, 0x85, 0xc4, 0x6c, 0x78, 0x2f, 0x6f,  \
+    0x06, 0x21, 0x2e, 0x56                                                   \
+}
+/* END FILE */
+
+/*
+ * Test client Certificates
+ *
+ * Test client certificates are defined for each choice
+ * of the following parameters:
+ * - PEM or DER encoding
+ * - RSA or EC key
+ *
+ * Things to add:
+ * - hash type
+ * - multiple EC curve types
+ */
+
+/* This is taken from tests/data_files/cli2.crt. */
+/* BEGIN FILE string macro TEST_CLI_CRT_EC_PEM tests/data_files/cli2.crt */
+#define TEST_CLI_CRT_EC_PEM                                                \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIICLDCCAbKgAwIBAgIBDTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n" \
+    "MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjBBMQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UEChMIUG9sYXJTU0wxHzAdBgNVBAMTFlBvbGFyU1NMIFRlc3QgQ2xpZW50IDIw\r\n" \
+    "WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARX5a6xc9/TrLuTuIH/Eq7u5lOszlVT\r\n" \
+    "9jQOzC7jYyUL35ji81xgNpbA1RgUcOV/n9VLRRjlsGzVXPiWj4dwo+THo4GdMIGa\r\n" \
+    "MAkGA1UdEwQCMAAwHQYDVR0OBBYEFHoAX4Zk/OBd5REQO7LmO8QmP8/iMG4GA1Ud\r\n" \
+    "IwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8oUKkQDA+MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC\r\n" \
+    "CQDBQ+J+YkPM6DAKBggqhkjOPQQDAgNoADBlAjBKZQ17IIOimbmoD/yN7o89u3BM\r\n" \
+    "lgOsjnhw3fIOoLIWy2WOGsk/LGF++DzvrRzuNiACMQCd8iem1XS4JK7haj8xocpU\r\n" \
+    "LwjQje5PDGHfd3h9tP38Qknu5bJqws0md2KOKHyeV0U=\r\n"                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/cli2.crt.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CLI_CRT_EC_DER tests/data_files/cli2.crt.der */
+#define TEST_CLI_CRT_EC_DER {                                                \
+    0x30, 0x82, 0x02, 0x2c, 0x30, 0x82, 0x01, 0xb2, 0xa0, 0x03, 0x02, 0x01,  \
+    0x02, 0x02, 0x01, 0x0d, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,  \
+    0x3d, 0x04, 0x03, 0x02, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,  \
+    0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65,  \
+    0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,  \
+    0x31, 0x33, 0x30, 0x39, 0x32, 0x34, 0x31, 0x35, 0x35, 0x32, 0x30, 0x34,  \
+    0x5a, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x39, 0x32, 0x32, 0x31, 0x35, 0x35,  \
+    0x32, 0x30, 0x34, 0x5a, 0x30, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,  \
+    0x16, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, 0x54, 0x65,  \
+    0x73, 0x74, 0x20, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x32, 0x30,  \
+    0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01,  \
+    0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42,  \
+    0x00, 0x04, 0x57, 0xe5, 0xae, 0xb1, 0x73, 0xdf, 0xd3, 0xac, 0xbb, 0x93,  \
+    0xb8, 0x81, 0xff, 0x12, 0xae, 0xee, 0xe6, 0x53, 0xac, 0xce, 0x55, 0x53,  \
+    0xf6, 0x34, 0x0e, 0xcc, 0x2e, 0xe3, 0x63, 0x25, 0x0b, 0xdf, 0x98, 0xe2,  \
+    0xf3, 0x5c, 0x60, 0x36, 0x96, 0xc0, 0xd5, 0x18, 0x14, 0x70, 0xe5, 0x7f,  \
+    0x9f, 0xd5, 0x4b, 0x45, 0x18, 0xe5, 0xb0, 0x6c, 0xd5, 0x5c, 0xf8, 0x96,  \
+    0x8f, 0x87, 0x70, 0xa3, 0xe4, 0xc7, 0xa3, 0x81, 0x9d, 0x30, 0x81, 0x9a,  \
+    0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30,  \
+    0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x7a, 0x00,  \
+    0x5f, 0x86, 0x64, 0xfc, 0xe0, 0x5d, 0xe5, 0x11, 0x10, 0x3b, 0xb2, 0xe6,  \
+    0x3b, 0xc4, 0x26, 0x3f, 0xcf, 0xe2, 0x30, 0x6e, 0x06, 0x03, 0x55, 0x1d,  \
+    0x23, 0x04, 0x67, 0x30, 0x65, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49,  \
+    0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb,  \
+    0xfb, 0x36, 0x7c, 0xa1, 0x42, 0xa4, 0x40, 0x30, 0x3e, 0x31, 0x0b, 0x30,  \
+    0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,  \
+    0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c,  \
+    0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55,  \
+    0x04, 0x03, 0x13, 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c,  \
+    0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x82,  \
+    0x09, 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8, 0x30, 0x0a,  \
+    0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x68,  \
+    0x00, 0x30, 0x65, 0x02, 0x30, 0x4a, 0x65, 0x0d, 0x7b, 0x20, 0x83, 0xa2,  \
+    0x99, 0xb9, 0xa8, 0x0f, 0xfc, 0x8d, 0xee, 0x8f, 0x3d, 0xbb, 0x70, 0x4c,  \
+    0x96, 0x03, 0xac, 0x8e, 0x78, 0x70, 0xdd, 0xf2, 0x0e, 0xa0, 0xb2, 0x16,  \
+    0xcb, 0x65, 0x8e, 0x1a, 0xc9, 0x3f, 0x2c, 0x61, 0x7e, 0xf8, 0x3c, 0xef,  \
+    0xad, 0x1c, 0xee, 0x36, 0x20, 0x02, 0x31, 0x00, 0x9d, 0xf2, 0x27, 0xa6,  \
+    0xd5, 0x74, 0xb8, 0x24, 0xae, 0xe1, 0x6a, 0x3f, 0x31, 0xa1, 0xca, 0x54,  \
+    0x2f, 0x08, 0xd0, 0x8d, 0xee, 0x4f, 0x0c, 0x61, 0xdf, 0x77, 0x78, 0x7d,  \
+    0xb4, 0xfd, 0xfc, 0x42, 0x49, 0xee, 0xe5, 0xb2, 0x6a, 0xc2, 0xcd, 0x26,  \
+    0x77, 0x62, 0x8e, 0x28, 0x7c, 0x9e, 0x57, 0x45                           \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/cli2.key. */
+/* BEGIN FILE string macro TEST_CLI_KEY_EC_PEM tests/data_files/cli2.key */
+#define TEST_CLI_KEY_EC_PEM                                                \
+    "-----BEGIN EC PRIVATE KEY-----\r\n"                                   \
+    "MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49\r\n" \
+    "AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n" \
+    "wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n"                             \
+    "-----END EC PRIVATE KEY-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/cli2.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CLI_KEY_EC_DER tests/data_files/cli2.key.der */
+#define TEST_CLI_KEY_EC_DER {                                                \
+    0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0xf6, 0xf7, 0x86, 0x64, 0xf1,  \
+    0x67, 0x7f, 0xe6, 0x64, 0x8d, 0xef, 0xca, 0x4e, 0xe9, 0xdd, 0x4d, 0xf0,  \
+    0x05, 0xff, 0x96, 0x22, 0x8a, 0x7a, 0x84, 0x38, 0x64, 0x17, 0x32, 0x61,  \
+    0x98, 0xb7, 0x2a, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,  \
+    0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x57, 0xe5, 0xae,  \
+    0xb1, 0x73, 0xdf, 0xd3, 0xac, 0xbb, 0x93, 0xb8, 0x81, 0xff, 0x12, 0xae,  \
+    0xee, 0xe6, 0x53, 0xac, 0xce, 0x55, 0x53, 0xf6, 0x34, 0x0e, 0xcc, 0x2e,  \
+    0xe3, 0x63, 0x25, 0x0b, 0xdf, 0x98, 0xe2, 0xf3, 0x5c, 0x60, 0x36, 0x96,  \
+    0xc0, 0xd5, 0x18, 0x14, 0x70, 0xe5, 0x7f, 0x9f, 0xd5, 0x4b, 0x45, 0x18,  \
+    0xe5, 0xb0, 0x6c, 0xd5, 0x5c, 0xf8, 0x96, 0x8f, 0x87, 0x70, 0xa3, 0xe4,  \
+    0xc7                                                                     \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/cli-rsa-sha256.crt. */
+/* BEGIN FILE string macro TEST_CLI_CRT_RSA_PEM tests/data_files/cli-rsa-sha256.crt */
+#define TEST_CLI_CRT_RSA_PEM                                               \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN\r\n" \
+    "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f\r\n" \
+    "M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu\r\n" \
+    "1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw\r\n" \
+    "MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v\r\n" \
+    "4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/\r\n" \
+    "/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB\r\n" \
+    "o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf\r\n" \
+    "BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsFAAOC\r\n" \
+    "AQEAlHabem2Tu69VUN7EipwnQn1dIHdgvT5i+iQHpSxY1crPnBbAeSdAXwsVEqLQ\r\n" \
+    "gOOIAQD5VIITNuoGgo4i+4OpNh9u7ZkpRHla+/swsfrFWRRbBNP5Bcu74AGLstwU\r\n" \
+    "zM8gIkBiyfM1Q1qDQISV9trlCG6O8vh8dp/rbI3rfzo99BOHXgFCrzXjCuW4vDsF\r\n" \
+    "r+Dao26bX3sJ6UnEWg1H3o2x6PpUcvQ36h71/bz4TEbbUUEpe02V4QWuL+wrhHJL\r\n" \
+    "U7o3SVE3Og7jPF8sat0a50YUWhwEFI256m02KAXLg89ueUyYKEr6rNwhcvXJpvU9\r\n" \
+    "giIVvd0Sbjjnn7NC4VDbcXV8vw==\r\n"                                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This was generated from tests/data_files/cli-rsa-sha256.crt.der
+   using `xxd -i.` */
+/* BEGIN FILE binary macro TEST_CLI_CRT_RSA_DER tests/data_files/cli-rsa-sha256.crt.der */
+#define TEST_CLI_CRT_RSA_DER {                                               \
+    0x30, 0x82, 0x03, 0x3f, 0x30, 0x82, 0x02, 0x27, 0xa0, 0x03, 0x02, 0x01,  \
+    0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,  \
+    0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,  \
+    0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,  \
+    0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,  \
+    0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,  \
+    0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,  \
+    0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,  \
+    0x31, 0x31, 0x30, 0x32, 0x31, 0x32, 0x31, 0x34, 0x34, 0x34, 0x30, 0x36,  \
+    0x5a, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x32, 0x31, 0x32, 0x31, 0x34, 0x34,  \
+    0x34, 0x30, 0x36, 0x5a, 0x30, 0x3c, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,  \
+    0x11, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, 0x43, 0x6c,  \
+    0x69, 0x65, 0x6e, 0x74, 0x20, 0x32, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d,  \
+    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,  \
+    0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82,  \
+    0x01, 0x01, 0x00, 0xc8, 0x74, 0xc4, 0xcc, 0xb9, 0xf9, 0xb5, 0x79, 0xe9,  \
+    0x45, 0xd9, 0x14, 0x60, 0xb0, 0x7d, 0xbb, 0x93, 0xf2, 0x6b, 0x1e, 0x9f,  \
+    0x33, 0xad, 0x0d, 0x8f, 0x8a, 0x3c, 0x56, 0x65, 0xe5, 0xdc, 0x44, 0xd9,  \
+    0xcc, 0x66, 0x85, 0x07, 0xd5, 0xf8, 0x27, 0xb0, 0x4a, 0x35, 0xd0, 0x63,  \
+    0x9e, 0x0a, 0x6e, 0x1b, 0xb7, 0xda, 0xf0, 0x7e, 0xab, 0xee, 0x0c, 0x10,  \
+    0x93, 0x86, 0x49, 0x18, 0x34, 0xf3, 0xa8, 0x2a, 0xd2, 0x57, 0xf5, 0x2e,  \
+    0xd4, 0x2f, 0x77, 0x29, 0x84, 0x61, 0x4d, 0x82, 0x50, 0x8f, 0xa7, 0x95,  \
+    0x48, 0x70, 0xf5, 0x6e, 0x4d, 0xb2, 0xd5, 0x13, 0xc3, 0xd2, 0x1a, 0xed,  \
+    0xe6, 0x43, 0xea, 0x42, 0x14, 0xeb, 0x74, 0xea, 0xc0, 0xed, 0x1f, 0xd4,  \
+    0x57, 0x4e, 0xa9, 0xf3, 0xa8, 0xed, 0xd2, 0xe0, 0xc1, 0x30, 0x71, 0x30,  \
+    0x32, 0x30, 0xd5, 0xd3, 0xf6, 0x08, 0xd0, 0x56, 0x4f, 0x46, 0x8e, 0xf2,  \
+    0x5f, 0xf9, 0x3d, 0x67, 0x91, 0x88, 0x30, 0x2e, 0x42, 0xb2, 0xdf, 0x7d,  \
+    0xfb, 0xe5, 0x0c, 0x77, 0xff, 0xec, 0x31, 0xc0, 0x78, 0x8f, 0xbf, 0xc2,  \
+    0x7f, 0xca, 0xad, 0x6c, 0x21, 0xd6, 0x8d, 0xd9, 0x8b, 0x6a, 0x8e, 0x6f,  \
+    0xe0, 0x9b, 0xf8, 0x10, 0x56, 0xcc, 0xb3, 0x8e, 0x13, 0x15, 0xe6, 0x34,  \
+    0x04, 0x66, 0xc7, 0xee, 0xf9, 0x36, 0x0e, 0x6a, 0x95, 0xf6, 0x09, 0x9a,  \
+    0x06, 0x67, 0xf4, 0x65, 0x71, 0xf8, 0xca, 0xa4, 0xb1, 0x25, 0xe0, 0xfe,  \
+    0x3c, 0x8b, 0x35, 0x04, 0x67, 0xba, 0xe0, 0x4f, 0x76, 0x85, 0xfc, 0x7f,  \
+    0xfc, 0x36, 0x6b, 0xb5, 0xe9, 0xcd, 0x2d, 0x03, 0x62, 0x4e, 0xb3, 0x3d,  \
+    0x00, 0xcf, 0xaf, 0x76, 0xa0, 0x69, 0x56, 0x83, 0x6a, 0xd2, 0xa8, 0xd4,  \
+    0xe7, 0x50, 0x71, 0xe6, 0xb5, 0x36, 0x05, 0x77, 0x05, 0x6d, 0x7b, 0xc8,  \
+    0xe4, 0xc4, 0xfd, 0x4c, 0xd5, 0x21, 0x5f, 0x02, 0x03, 0x01, 0x00, 0x01,  \
+    0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,  \
+    0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16,  \
+    0x04, 0x14, 0x71, 0xa1, 0x00, 0x73, 0x72, 0x40, 0x2f, 0x54, 0x76, 0x5e,  \
+    0x33, 0xfc, 0x52, 0x8f, 0xbc, 0xf1, 0xdd, 0x6b, 0x46, 0x21, 0x30, 0x1f,  \
+    0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xb4,  \
+    0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, 0xb9, 0xd5, 0xa6, 0x95,  \
+    0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a,  \
+    0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,  \
+    0x01, 0x01, 0x00, 0x94, 0x76, 0x9b, 0x7a, 0x6d, 0x93, 0xbb, 0xaf, 0x55,  \
+    0x50, 0xde, 0xc4, 0x8a, 0x9c, 0x27, 0x42, 0x7d, 0x5d, 0x20, 0x77, 0x60,  \
+    0xbd, 0x3e, 0x62, 0xfa, 0x24, 0x07, 0xa5, 0x2c, 0x58, 0xd5, 0xca, 0xcf,  \
+    0x9c, 0x16, 0xc0, 0x79, 0x27, 0x40, 0x5f, 0x0b, 0x15, 0x12, 0xa2, 0xd0,  \
+    0x80, 0xe3, 0x88, 0x01, 0x00, 0xf9, 0x54, 0x82, 0x13, 0x36, 0xea, 0x06,  \
+    0x82, 0x8e, 0x22, 0xfb, 0x83, 0xa9, 0x36, 0x1f, 0x6e, 0xed, 0x99, 0x29,  \
+    0x44, 0x79, 0x5a, 0xfb, 0xfb, 0x30, 0xb1, 0xfa, 0xc5, 0x59, 0x14, 0x5b,  \
+    0x04, 0xd3, 0xf9, 0x05, 0xcb, 0xbb, 0xe0, 0x01, 0x8b, 0xb2, 0xdc, 0x14,  \
+    0xcc, 0xcf, 0x20, 0x22, 0x40, 0x62, 0xc9, 0xf3, 0x35, 0x43, 0x5a, 0x83,  \
+    0x40, 0x84, 0x95, 0xf6, 0xda, 0xe5, 0x08, 0x6e, 0x8e, 0xf2, 0xf8, 0x7c,  \
+    0x76, 0x9f, 0xeb, 0x6c, 0x8d, 0xeb, 0x7f, 0x3a, 0x3d, 0xf4, 0x13, 0x87,  \
+    0x5e, 0x01, 0x42, 0xaf, 0x35, 0xe3, 0x0a, 0xe5, 0xb8, 0xbc, 0x3b, 0x05,  \
+    0xaf, 0xe0, 0xda, 0xa3, 0x6e, 0x9b, 0x5f, 0x7b, 0x09, 0xe9, 0x49, 0xc4,  \
+    0x5a, 0x0d, 0x47, 0xde, 0x8d, 0xb1, 0xe8, 0xfa, 0x54, 0x72, 0xf4, 0x37,  \
+    0xea, 0x1e, 0xf5, 0xfd, 0xbc, 0xf8, 0x4c, 0x46, 0xdb, 0x51, 0x41, 0x29,  \
+    0x7b, 0x4d, 0x95, 0xe1, 0x05, 0xae, 0x2f, 0xec, 0x2b, 0x84, 0x72, 0x4b,  \
+    0x53, 0xba, 0x37, 0x49, 0x51, 0x37, 0x3a, 0x0e, 0xe3, 0x3c, 0x5f, 0x2c,  \
+    0x6a, 0xdd, 0x1a, 0xe7, 0x46, 0x14, 0x5a, 0x1c, 0x04, 0x14, 0x8d, 0xb9,  \
+    0xea, 0x6d, 0x36, 0x28, 0x05, 0xcb, 0x83, 0xcf, 0x6e, 0x79, 0x4c, 0x98,  \
+    0x28, 0x4a, 0xfa, 0xac, 0xdc, 0x21, 0x72, 0xf5, 0xc9, 0xa6, 0xf5, 0x3d,  \
+    0x82, 0x22, 0x15, 0xbd, 0xdd, 0x12, 0x6e, 0x38, 0xe7, 0x9f, 0xb3, 0x42,  \
+    0xe1, 0x50, 0xdb, 0x71, 0x75, 0x7c, 0xbf                                 \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/cli-rsa.key. */
+/* BEGIN FILE string macro TEST_CLI_KEY_RSA_PEM tests/data_files/cli-rsa.key */
+#define TEST_CLI_KEY_RSA_PEM                                               \
+    "-----BEGIN RSA PRIVATE KEY-----\r\n"                                  \
+    "MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF\r\n" \
+    "B9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu1C93KYRhTYJQj6eVSHD1\r\n" \
+    "bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEwMjDV0/YI0FZPRo7yX/k9\r\n" \
+    "Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v4Jv4EFbMs44TFeY0BGbH\r\n" \
+    "7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx//DZrtenNLQNiTrM9AM+v\r\n" \
+    "dqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQABAoIBAGdNtfYDiap6bzst\r\n" \
+    "yhCiI8m9TtrhZw4MisaEaN/ll3XSjaOG2dvV6xMZCMV+5TeXDHOAZnY18Yi18vzz\r\n" \
+    "4Ut2TnNFzizCECYNaA2fST3WgInnxUkV3YXAyP6CNxJaCmv2aA0yFr2kFVSeaKGt\r\n" \
+    "ymvljNp2NVkvm7Th8fBQBO7I7AXhz43k0mR7XmPgewe8ApZOG3hstkOaMvbWAvWA\r\n" \
+    "zCZupdDjZYjOJqlA4eEA4H8/w7F83r5CugeBE8LgEREjLPiyejrU5H1fubEY+h0d\r\n" \
+    "l5HZBJ68ybTXfQ5U9o/QKA3dd0toBEhhdRUDGzWtjvwkEQfqF1reGWj/tod/gCpf\r\n" \
+    "DFi6X0ECgYEA4wOv/pjSC3ty6TuOvKX2rOUiBrLXXv2JSxZnMoMiWI5ipLQt+RYT\r\n" \
+    "VPafL/m7Dn6MbwjayOkcZhBwk5CNz5A6Q4lJ64Mq/lqHznRCQQ2Mc1G8eyDF/fYL\r\n" \
+    "Ze2pLvwP9VD5jTc2miDfw+MnvJhywRRLcemDFP8k4hQVtm8PMp3ZmNECgYEA4gz7\r\n" \
+    "wzObR4gn8ibe617uQPZjWzUj9dUHYd+in1gwBCIrtNnaRn9I9U/Q6tegRYpii4ys\r\n" \
+    "c176NmU+umy6XmuSKV5qD9bSpZWG2nLFnslrN15Lm3fhZxoeMNhBaEDTnLT26yoi\r\n" \
+    "33gp0mSSWy94ZEqipms+ULF6sY1ZtFW6tpGFoy8CgYAQHhnnvJflIs2ky4q10B60\r\n" \
+    "ZcxFp3rtDpkp0JxhFLhiizFrujMtZSjYNm5U7KkgPVHhLELEUvCmOnKTt4ap/vZ0\r\n" \
+    "BxJNe1GZH3pW6SAvGDQpl9sG7uu/vTFP+lCxukmzxB0DrrDcvorEkKMom7ZCCRvW\r\n" \
+    "KZsZ6YeH2Z81BauRj218kQKBgQCUV/DgKP2985xDTT79N08jUo3hTP5MVYCCuj/+\r\n" \
+    "UeEw1TvZcx3LJby7P6Xad6a1/BqveaGyFKIfEFIaBUBItk801sDDpDaYc4gL00Xc\r\n" \
+    "7lFuBHOZkxJYlss5QrGpuOEl9ZwUt5IrFLBdYaKqNHzNVC1pCPfb/JyH6Dr2HUxq\r\n" \
+    "gxUwAQKBgQCcU6G2L8AG9d9c0UpOyL1tMvFe5Ttw0KjlQVdsh1MP6yigYo9DYuwu\r\n" \
+    "bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n" \
+    "8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n"         \
+    "-----END RSA PRIVATE KEY-----\r\n"/* END FILE */
+
+/* This was generated from tests/data_files/cli-rsa.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CLI_KEY_RSA_DER tests/data_files/cli-rsa.key.der */
+#define TEST_CLI_KEY_RSA_DER {                                               \
+    0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,  \
+    0xc8, 0x74, 0xc4, 0xcc, 0xb9, 0xf9, 0xb5, 0x79, 0xe9, 0x45, 0xd9, 0x14,  \
+    0x60, 0xb0, 0x7d, 0xbb, 0x93, 0xf2, 0x6b, 0x1e, 0x9f, 0x33, 0xad, 0x0d,  \
+    0x8f, 0x8a, 0x3c, 0x56, 0x65, 0xe5, 0xdc, 0x44, 0xd9, 0xcc, 0x66, 0x85,  \
+    0x07, 0xd5, 0xf8, 0x27, 0xb0, 0x4a, 0x35, 0xd0, 0x63, 0x9e, 0x0a, 0x6e,  \
+    0x1b, 0xb7, 0xda, 0xf0, 0x7e, 0xab, 0xee, 0x0c, 0x10, 0x93, 0x86, 0x49,  \
+    0x18, 0x34, 0xf3, 0xa8, 0x2a, 0xd2, 0x57, 0xf5, 0x2e, 0xd4, 0x2f, 0x77,  \
+    0x29, 0x84, 0x61, 0x4d, 0x82, 0x50, 0x8f, 0xa7, 0x95, 0x48, 0x70, 0xf5,  \
+    0x6e, 0x4d, 0xb2, 0xd5, 0x13, 0xc3, 0xd2, 0x1a, 0xed, 0xe6, 0x43, 0xea,  \
+    0x42, 0x14, 0xeb, 0x74, 0xea, 0xc0, 0xed, 0x1f, 0xd4, 0x57, 0x4e, 0xa9,  \
+    0xf3, 0xa8, 0xed, 0xd2, 0xe0, 0xc1, 0x30, 0x71, 0x30, 0x32, 0x30, 0xd5,  \
+    0xd3, 0xf6, 0x08, 0xd0, 0x56, 0x4f, 0x46, 0x8e, 0xf2, 0x5f, 0xf9, 0x3d,  \
+    0x67, 0x91, 0x88, 0x30, 0x2e, 0x42, 0xb2, 0xdf, 0x7d, 0xfb, 0xe5, 0x0c,  \
+    0x77, 0xff, 0xec, 0x31, 0xc0, 0x78, 0x8f, 0xbf, 0xc2, 0x7f, 0xca, 0xad,  \
+    0x6c, 0x21, 0xd6, 0x8d, 0xd9, 0x8b, 0x6a, 0x8e, 0x6f, 0xe0, 0x9b, 0xf8,  \
+    0x10, 0x56, 0xcc, 0xb3, 0x8e, 0x13, 0x15, 0xe6, 0x34, 0x04, 0x66, 0xc7,  \
+    0xee, 0xf9, 0x36, 0x0e, 0x6a, 0x95, 0xf6, 0x09, 0x9a, 0x06, 0x67, 0xf4,  \
+    0x65, 0x71, 0xf8, 0xca, 0xa4, 0xb1, 0x25, 0xe0, 0xfe, 0x3c, 0x8b, 0x35,  \
+    0x04, 0x67, 0xba, 0xe0, 0x4f, 0x76, 0x85, 0xfc, 0x7f, 0xfc, 0x36, 0x6b,  \
+    0xb5, 0xe9, 0xcd, 0x2d, 0x03, 0x62, 0x4e, 0xb3, 0x3d, 0x00, 0xcf, 0xaf,  \
+    0x76, 0xa0, 0x69, 0x56, 0x83, 0x6a, 0xd2, 0xa8, 0xd4, 0xe7, 0x50, 0x71,  \
+    0xe6, 0xb5, 0x36, 0x05, 0x77, 0x05, 0x6d, 0x7b, 0xc8, 0xe4, 0xc4, 0xfd,  \
+    0x4c, 0xd5, 0x21, 0x5f, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,  \
+    0x00, 0x67, 0x4d, 0xb5, 0xf6, 0x03, 0x89, 0xaa, 0x7a, 0x6f, 0x3b, 0x2d,  \
+    0xca, 0x10, 0xa2, 0x23, 0xc9, 0xbd, 0x4e, 0xda, 0xe1, 0x67, 0x0e, 0x0c,  \
+    0x8a, 0xc6, 0x84, 0x68, 0xdf, 0xe5, 0x97, 0x75, 0xd2, 0x8d, 0xa3, 0x86,  \
+    0xd9, 0xdb, 0xd5, 0xeb, 0x13, 0x19, 0x08, 0xc5, 0x7e, 0xe5, 0x37, 0x97,  \
+    0x0c, 0x73, 0x80, 0x66, 0x76, 0x35, 0xf1, 0x88, 0xb5, 0xf2, 0xfc, 0xf3,  \
+    0xe1, 0x4b, 0x76, 0x4e, 0x73, 0x45, 0xce, 0x2c, 0xc2, 0x10, 0x26, 0x0d,  \
+    0x68, 0x0d, 0x9f, 0x49, 0x3d, 0xd6, 0x80, 0x89, 0xe7, 0xc5, 0x49, 0x15,  \
+    0xdd, 0x85, 0xc0, 0xc8, 0xfe, 0x82, 0x37, 0x12, 0x5a, 0x0a, 0x6b, 0xf6,  \
+    0x68, 0x0d, 0x32, 0x16, 0xbd, 0xa4, 0x15, 0x54, 0x9e, 0x68, 0xa1, 0xad,  \
+    0xca, 0x6b, 0xe5, 0x8c, 0xda, 0x76, 0x35, 0x59, 0x2f, 0x9b, 0xb4, 0xe1,  \
+    0xf1, 0xf0, 0x50, 0x04, 0xee, 0xc8, 0xec, 0x05, 0xe1, 0xcf, 0x8d, 0xe4,  \
+    0xd2, 0x64, 0x7b, 0x5e, 0x63, 0xe0, 0x7b, 0x07, 0xbc, 0x02, 0x96, 0x4e,  \
+    0x1b, 0x78, 0x6c, 0xb6, 0x43, 0x9a, 0x32, 0xf6, 0xd6, 0x02, 0xf5, 0x80,  \
+    0xcc, 0x26, 0x6e, 0xa5, 0xd0, 0xe3, 0x65, 0x88, 0xce, 0x26, 0xa9, 0x40,  \
+    0xe1, 0xe1, 0x00, 0xe0, 0x7f, 0x3f, 0xc3, 0xb1, 0x7c, 0xde, 0xbe, 0x42,  \
+    0xba, 0x07, 0x81, 0x13, 0xc2, 0xe0, 0x11, 0x11, 0x23, 0x2c, 0xf8, 0xb2,  \
+    0x7a, 0x3a, 0xd4, 0xe4, 0x7d, 0x5f, 0xb9, 0xb1, 0x18, 0xfa, 0x1d, 0x1d,  \
+    0x97, 0x91, 0xd9, 0x04, 0x9e, 0xbc, 0xc9, 0xb4, 0xd7, 0x7d, 0x0e, 0x54,  \
+    0xf6, 0x8f, 0xd0, 0x28, 0x0d, 0xdd, 0x77, 0x4b, 0x68, 0x04, 0x48, 0x61,  \
+    0x75, 0x15, 0x03, 0x1b, 0x35, 0xad, 0x8e, 0xfc, 0x24, 0x11, 0x07, 0xea,  \
+    0x17, 0x5a, 0xde, 0x19, 0x68, 0xff, 0xb6, 0x87, 0x7f, 0x80, 0x2a, 0x5f,  \
+    0x0c, 0x58, 0xba, 0x5f, 0x41, 0x02, 0x81, 0x81, 0x00, 0xe3, 0x03, 0xaf,  \
+    0xfe, 0x98, 0xd2, 0x0b, 0x7b, 0x72, 0xe9, 0x3b, 0x8e, 0xbc, 0xa5, 0xf6,  \
+    0xac, 0xe5, 0x22, 0x06, 0xb2, 0xd7, 0x5e, 0xfd, 0x89, 0x4b, 0x16, 0x67,  \
+    0x32, 0x83, 0x22, 0x58, 0x8e, 0x62, 0xa4, 0xb4, 0x2d, 0xf9, 0x16, 0x13,  \
+    0x54, 0xf6, 0x9f, 0x2f, 0xf9, 0xbb, 0x0e, 0x7e, 0x8c, 0x6f, 0x08, 0xda,  \
+    0xc8, 0xe9, 0x1c, 0x66, 0x10, 0x70, 0x93, 0x90, 0x8d, 0xcf, 0x90, 0x3a,  \
+    0x43, 0x89, 0x49, 0xeb, 0x83, 0x2a, 0xfe, 0x5a, 0x87, 0xce, 0x74, 0x42,  \
+    0x41, 0x0d, 0x8c, 0x73, 0x51, 0xbc, 0x7b, 0x20, 0xc5, 0xfd, 0xf6, 0x0b,  \
+    0x65, 0xed, 0xa9, 0x2e, 0xfc, 0x0f, 0xf5, 0x50, 0xf9, 0x8d, 0x37, 0x36,  \
+    0x9a, 0x20, 0xdf, 0xc3, 0xe3, 0x27, 0xbc, 0x98, 0x72, 0xc1, 0x14, 0x4b,  \
+    0x71, 0xe9, 0x83, 0x14, 0xff, 0x24, 0xe2, 0x14, 0x15, 0xb6, 0x6f, 0x0f,  \
+    0x32, 0x9d, 0xd9, 0x98, 0xd1, 0x02, 0x81, 0x81, 0x00, 0xe2, 0x0c, 0xfb,  \
+    0xc3, 0x33, 0x9b, 0x47, 0x88, 0x27, 0xf2, 0x26, 0xde, 0xeb, 0x5e, 0xee,  \
+    0x40, 0xf6, 0x63, 0x5b, 0x35, 0x23, 0xf5, 0xd5, 0x07, 0x61, 0xdf, 0xa2,  \
+    0x9f, 0x58, 0x30, 0x04, 0x22, 0x2b, 0xb4, 0xd9, 0xda, 0x46, 0x7f, 0x48,  \
+    0xf5, 0x4f, 0xd0, 0xea, 0xd7, 0xa0, 0x45, 0x8a, 0x62, 0x8b, 0x8c, 0xac,  \
+    0x73, 0x5e, 0xfa, 0x36, 0x65, 0x3e, 0xba, 0x6c, 0xba, 0x5e, 0x6b, 0x92,  \
+    0x29, 0x5e, 0x6a, 0x0f, 0xd6, 0xd2, 0xa5, 0x95, 0x86, 0xda, 0x72, 0xc5,  \
+    0x9e, 0xc9, 0x6b, 0x37, 0x5e, 0x4b, 0x9b, 0x77, 0xe1, 0x67, 0x1a, 0x1e,  \
+    0x30, 0xd8, 0x41, 0x68, 0x40, 0xd3, 0x9c, 0xb4, 0xf6, 0xeb, 0x2a, 0x22,  \
+    0xdf, 0x78, 0x29, 0xd2, 0x64, 0x92, 0x5b, 0x2f, 0x78, 0x64, 0x4a, 0xa2,  \
+    0xa6, 0x6b, 0x3e, 0x50, 0xb1, 0x7a, 0xb1, 0x8d, 0x59, 0xb4, 0x55, 0xba,  \
+    0xb6, 0x91, 0x85, 0xa3, 0x2f, 0x02, 0x81, 0x80, 0x10, 0x1e, 0x19, 0xe7,  \
+    0xbc, 0x97, 0xe5, 0x22, 0xcd, 0xa4, 0xcb, 0x8a, 0xb5, 0xd0, 0x1e, 0xb4,  \
+    0x65, 0xcc, 0x45, 0xa7, 0x7a, 0xed, 0x0e, 0x99, 0x29, 0xd0, 0x9c, 0x61,  \
+    0x14, 0xb8, 0x62, 0x8b, 0x31, 0x6b, 0xba, 0x33, 0x2d, 0x65, 0x28, 0xd8,  \
+    0x36, 0x6e, 0x54, 0xec, 0xa9, 0x20, 0x3d, 0x51, 0xe1, 0x2c, 0x42, 0xc4,  \
+    0x52, 0xf0, 0xa6, 0x3a, 0x72, 0x93, 0xb7, 0x86, 0xa9, 0xfe, 0xf6, 0x74,  \
+    0x07, 0x12, 0x4d, 0x7b, 0x51, 0x99, 0x1f, 0x7a, 0x56, 0xe9, 0x20, 0x2f,  \
+    0x18, 0x34, 0x29, 0x97, 0xdb, 0x06, 0xee, 0xeb, 0xbf, 0xbd, 0x31, 0x4f,  \
+    0xfa, 0x50, 0xb1, 0xba, 0x49, 0xb3, 0xc4, 0x1d, 0x03, 0xae, 0xb0, 0xdc,  \
+    0xbe, 0x8a, 0xc4, 0x90, 0xa3, 0x28, 0x9b, 0xb6, 0x42, 0x09, 0x1b, 0xd6,  \
+    0x29, 0x9b, 0x19, 0xe9, 0x87, 0x87, 0xd9, 0x9f, 0x35, 0x05, 0xab, 0x91,  \
+    0x8f, 0x6d, 0x7c, 0x91, 0x02, 0x81, 0x81, 0x00, 0x94, 0x57, 0xf0, 0xe0,  \
+    0x28, 0xfd, 0xbd, 0xf3, 0x9c, 0x43, 0x4d, 0x3e, 0xfd, 0x37, 0x4f, 0x23,  \
+    0x52, 0x8d, 0xe1, 0x4c, 0xfe, 0x4c, 0x55, 0x80, 0x82, 0xba, 0x3f, 0xfe,  \
+    0x51, 0xe1, 0x30, 0xd5, 0x3b, 0xd9, 0x73, 0x1d, 0xcb, 0x25, 0xbc, 0xbb,  \
+    0x3f, 0xa5, 0xda, 0x77, 0xa6, 0xb5, 0xfc, 0x1a, 0xaf, 0x79, 0xa1, 0xb2,  \
+    0x14, 0xa2, 0x1f, 0x10, 0x52, 0x1a, 0x05, 0x40, 0x48, 0xb6, 0x4f, 0x34,  \
+    0xd6, 0xc0, 0xc3, 0xa4, 0x36, 0x98, 0x73, 0x88, 0x0b, 0xd3, 0x45, 0xdc,  \
+    0xee, 0x51, 0x6e, 0x04, 0x73, 0x99, 0x93, 0x12, 0x58, 0x96, 0xcb, 0x39,  \
+    0x42, 0xb1, 0xa9, 0xb8, 0xe1, 0x25, 0xf5, 0x9c, 0x14, 0xb7, 0x92, 0x2b,  \
+    0x14, 0xb0, 0x5d, 0x61, 0xa2, 0xaa, 0x34, 0x7c, 0xcd, 0x54, 0x2d, 0x69,  \
+    0x08, 0xf7, 0xdb, 0xfc, 0x9c, 0x87, 0xe8, 0x3a, 0xf6, 0x1d, 0x4c, 0x6a,  \
+    0x83, 0x15, 0x30, 0x01, 0x02, 0x81, 0x81, 0x00, 0x9c, 0x53, 0xa1, 0xb6,  \
+    0x2f, 0xc0, 0x06, 0xf5, 0xdf, 0x5c, 0xd1, 0x4a, 0x4e, 0xc8, 0xbd, 0x6d,  \
+    0x32, 0xf1, 0x5e, 0xe5, 0x3b, 0x70, 0xd0, 0xa8, 0xe5, 0x41, 0x57, 0x6c,  \
+    0x87, 0x53, 0x0f, 0xeb, 0x28, 0xa0, 0x62, 0x8f, 0x43, 0x62, 0xec, 0x2e,  \
+    0x6c, 0x71, 0x55, 0x5b, 0x6a, 0xf4, 0x74, 0x14, 0xea, 0x7a, 0x03, 0xf6,  \
+    0xfc, 0xa4, 0xce, 0xc4, 0xac, 0xda, 0x1d, 0xf0, 0xb5, 0xa9, 0xfd, 0x11,  \
+    0x18, 0x3b, 0x14, 0xa0, 0x90, 0x8d, 0x26, 0xb7, 0x75, 0x73, 0x0a, 0x02,  \
+    0x2c, 0x6f, 0x0f, 0xd8, 0x41, 0x78, 0xc3, 0x73, 0x81, 0xac, 0xaa, 0xaf,  \
+    0xf2, 0xee, 0x32, 0xb5, 0x8d, 0x05, 0xf9, 0x59, 0x5a, 0x9e, 0x3e, 0x65,  \
+    0x9b, 0x74, 0xda, 0xa0, 0x74, 0x95, 0x17, 0x5f, 0x8d, 0x58, 0xfc, 0x8e,  \
+    0x4e, 0x2c, 0x1e, 0xbc, 0x81, 0x02, 0x18, 0xac, 0x12, 0xc6, 0xf9, 0x64,  \
+    0x8b, 0x87, 0xc3, 0x00                                                   \
+}
+/* END FILE */
+
+/*
+ *
+ * Test certificates and keys as C variables
+ *
+ */
+
+/*
+ * CA
+ */
+
+const char mbedtls_test_ca_crt_ec_pem[]           = TEST_CA_CRT_EC_PEM;
+const char mbedtls_test_ca_key_ec_pem[]           = TEST_CA_KEY_EC_PEM;
+const char mbedtls_test_ca_pwd_ec_pem[]           = TEST_CA_PWD_EC_PEM;
+const char mbedtls_test_ca_key_rsa_pem[]          = TEST_CA_KEY_RSA_PEM;
+const char mbedtls_test_ca_pwd_rsa_pem[]          = TEST_CA_PWD_RSA_PEM;
+const char mbedtls_test_ca_crt_rsa_sha1_pem[]     = TEST_CA_CRT_RSA_SHA1_PEM;
+const char mbedtls_test_ca_crt_rsa_sha256_pem[]   = TEST_CA_CRT_RSA_SHA256_PEM;
+
+const unsigned char mbedtls_test_ca_crt_ec_der[]   = TEST_CA_CRT_EC_DER;
+const unsigned char mbedtls_test_ca_key_ec_der[]   = TEST_CA_KEY_EC_DER;
+const unsigned char mbedtls_test_ca_key_rsa_der[]  = TEST_CA_KEY_RSA_DER;
+const unsigned char mbedtls_test_ca_crt_rsa_sha1_der[]   =
+    TEST_CA_CRT_RSA_SHA1_DER;
+const unsigned char mbedtls_test_ca_crt_rsa_sha256_der[] =
+    TEST_CA_CRT_RSA_SHA256_DER;
+
+const size_t mbedtls_test_ca_crt_ec_pem_len =
+    sizeof( mbedtls_test_ca_crt_ec_pem );
+const size_t mbedtls_test_ca_key_ec_pem_len =
+    sizeof( mbedtls_test_ca_key_ec_pem );
+const size_t mbedtls_test_ca_pwd_ec_pem_len =
+    sizeof( mbedtls_test_ca_pwd_ec_pem ) - 1;
+const size_t mbedtls_test_ca_key_rsa_pem_len =
+    sizeof( mbedtls_test_ca_key_rsa_pem );
+const size_t mbedtls_test_ca_pwd_rsa_pem_len =
+    sizeof( mbedtls_test_ca_pwd_rsa_pem ) - 1;
+const size_t mbedtls_test_ca_crt_rsa_sha1_pem_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha1_pem );
+const size_t mbedtls_test_ca_crt_rsa_sha256_pem_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha256_pem );
+
+const size_t mbedtls_test_ca_crt_ec_der_len =
+    sizeof( mbedtls_test_ca_crt_ec_der );
+const size_t mbedtls_test_ca_key_ec_der_len =
+    sizeof( mbedtls_test_ca_key_ec_der );
+const size_t mbedtls_test_ca_pwd_ec_der_len = 0;
+const size_t mbedtls_test_ca_key_rsa_der_len =
+    sizeof( mbedtls_test_ca_key_rsa_der );
+const size_t mbedtls_test_ca_pwd_rsa_der_len = 0;
+const size_t mbedtls_test_ca_crt_rsa_sha1_der_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha1_der );
+const size_t mbedtls_test_ca_crt_rsa_sha256_der_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha256_der );
+
+/*
+ * Server
+ */
+
+const char mbedtls_test_srv_crt_ec_pem[]           = TEST_SRV_CRT_EC_PEM;
+const char mbedtls_test_srv_key_ec_pem[]           = TEST_SRV_KEY_EC_PEM;
+const char mbedtls_test_srv_pwd_ec_pem[]           = "";
+const char mbedtls_test_srv_key_rsa_pem[]          = TEST_SRV_KEY_RSA_PEM;
+const char mbedtls_test_srv_pwd_rsa_pem[]          = "";
+const char mbedtls_test_srv_crt_rsa_sha1_pem[]     = TEST_SRV_CRT_RSA_SHA1_PEM;
+const char mbedtls_test_srv_crt_rsa_sha256_pem[]   = TEST_SRV_CRT_RSA_SHA256_PEM;
+
+const unsigned char mbedtls_test_srv_crt_ec_der[]   = TEST_SRV_CRT_EC_DER;
+const unsigned char mbedtls_test_srv_key_ec_der[]   = TEST_SRV_KEY_EC_DER;
+const unsigned char mbedtls_test_srv_key_rsa_der[]  = TEST_SRV_KEY_RSA_DER;
+const unsigned char mbedtls_test_srv_crt_rsa_sha1_der[]   =
+    TEST_SRV_CRT_RSA_SHA1_DER;
+const unsigned char mbedtls_test_srv_crt_rsa_sha256_der[] =
+    TEST_SRV_CRT_RSA_SHA256_DER;
+
+const size_t mbedtls_test_srv_crt_ec_pem_len =
+    sizeof( mbedtls_test_srv_crt_ec_pem );
+const size_t mbedtls_test_srv_key_ec_pem_len =
+    sizeof( mbedtls_test_srv_key_ec_pem );
+const size_t mbedtls_test_srv_pwd_ec_pem_len =
+    sizeof( mbedtls_test_srv_pwd_ec_pem ) - 1;
+const size_t mbedtls_test_srv_key_rsa_pem_len =
+    sizeof( mbedtls_test_srv_key_rsa_pem );
+const size_t mbedtls_test_srv_pwd_rsa_pem_len =
+    sizeof( mbedtls_test_srv_pwd_rsa_pem ) - 1;
+const size_t mbedtls_test_srv_crt_rsa_sha1_pem_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha1_pem );
+const size_t mbedtls_test_srv_crt_rsa_sha256_pem_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha256_pem );
+
+const size_t mbedtls_test_srv_crt_ec_der_len =
+    sizeof( mbedtls_test_srv_crt_ec_der );
+const size_t mbedtls_test_srv_key_ec_der_len =
+    sizeof( mbedtls_test_srv_key_ec_der );
+const size_t mbedtls_test_srv_pwd_ec_der_len = 0;
+const size_t mbedtls_test_srv_key_rsa_der_len =
+    sizeof( mbedtls_test_srv_key_rsa_der );
+const size_t mbedtls_test_srv_pwd_rsa_der_len = 0;
+const size_t mbedtls_test_srv_crt_rsa_sha1_der_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha1_der );
+const size_t mbedtls_test_srv_crt_rsa_sha256_der_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha256_der );
+
+/*
+ * Client
+ */
+
+const char mbedtls_test_cli_crt_ec_pem[]   = TEST_CLI_CRT_EC_PEM;
+const char mbedtls_test_cli_key_ec_pem[]   = TEST_CLI_KEY_EC_PEM;
+const char mbedtls_test_cli_pwd_ec_pem[]   = "";
+const char mbedtls_test_cli_key_rsa_pem[]  = TEST_CLI_KEY_RSA_PEM;
+const char mbedtls_test_cli_pwd_rsa_pem[]  = "";
+const char mbedtls_test_cli_crt_rsa_pem[]  = TEST_CLI_CRT_RSA_PEM;
+
+const unsigned char mbedtls_test_cli_crt_ec_der[]   = TEST_CLI_CRT_EC_DER;
+const unsigned char mbedtls_test_cli_key_ec_der[]   = TEST_CLI_KEY_EC_DER;
+const unsigned char mbedtls_test_cli_key_rsa_der[]  = TEST_CLI_KEY_RSA_DER;
+const unsigned char mbedtls_test_cli_crt_rsa_der[]  = TEST_CLI_CRT_RSA_DER;
+
+const size_t mbedtls_test_cli_crt_ec_pem_len =
+    sizeof( mbedtls_test_cli_crt_ec_pem );
+const size_t mbedtls_test_cli_key_ec_pem_len =
+    sizeof( mbedtls_test_cli_key_ec_pem );
+const size_t mbedtls_test_cli_pwd_ec_pem_len =
+    sizeof( mbedtls_test_cli_pwd_ec_pem ) - 1;
+const size_t mbedtls_test_cli_key_rsa_pem_len =
+    sizeof( mbedtls_test_cli_key_rsa_pem );
+const size_t mbedtls_test_cli_pwd_rsa_pem_len =
+    sizeof( mbedtls_test_cli_pwd_rsa_pem ) - 1;
+const size_t mbedtls_test_cli_crt_rsa_pem_len =
+    sizeof( mbedtls_test_cli_crt_rsa_pem );
+
+const size_t mbedtls_test_cli_crt_ec_der_len =
+    sizeof( mbedtls_test_cli_crt_ec_der );
+const size_t mbedtls_test_cli_key_ec_der_len =
+    sizeof( mbedtls_test_cli_key_ec_der );
+const size_t mbedtls_test_cli_key_rsa_der_len =
+    sizeof( mbedtls_test_cli_key_rsa_der );
+const size_t mbedtls_test_cli_crt_rsa_der_len =
+    sizeof( mbedtls_test_cli_crt_rsa_der );
+
+/*
+ *
+ * Definitions of test CRTs without specification of all parameters, choosing
+ * them automatically according to the config. For example, mbedtls_test_ca_crt
+ * is one of mbedtls_test_ca_crt_{rsa|ec}_{sha1|sha256}_{pem|der}.
+ *
+ */
+
+/*
+ * Dispatch between PEM and DER according to config
+ */
+
+#if defined(MBEDTLS_PEM_PARSE_C)
 
-#if !defined(TEST_CA_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
-#define TEST_CA_CRT_RSA_SHA1                                            \
-"-----BEGIN CERTIFICATE-----\r\n"                                       \
-"MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"  \
-"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"  \
-"MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n"  \
-"A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n"  \
-"CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n"  \
-"mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n"  \
-"50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n"  \
-"YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n"  \
-"R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n"  \
-"KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n"  \
-"gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH\r\n"  \
-"/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV\r\n"  \
-"BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz\r\n"  \
-"dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ\r\n"  \
-"SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H\r\n"  \
-"DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF\r\n"  \
-"pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf\r\n"  \
-"m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ\r\n"  \
-"7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n"      \
-"-----END CERTIFICATE-----\r\n"
-
-static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
-
-#if !defined (TEST_CA_CRT_RSA_SOME)
-const char   mbedtls_test_ca_crt_rsa[]   = TEST_CA_CRT_RSA_SHA1;
-const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
-#endif /* !TEST_CA_CRT_RSA_SOME */
-#endif /* !TEST_CA_CRT_RSA_COME || MBEDTLS_SHA1_C */
+/* PEM encoded test CA certificates and keys */
+
+#define TEST_CA_KEY_RSA        TEST_CA_KEY_RSA_PEM
+#define TEST_CA_PWD_RSA        TEST_CA_PWD_RSA_PEM
+#define TEST_CA_CRT_RSA_SHA256 TEST_CA_CRT_RSA_SHA256_PEM
+#define TEST_CA_CRT_RSA_SHA1   TEST_CA_CRT_RSA_SHA1_PEM
+#define TEST_CA_KEY_EC         TEST_CA_KEY_EC_PEM
+#define TEST_CA_PWD_EC         TEST_CA_PWD_EC_PEM
+#define TEST_CA_CRT_EC         TEST_CA_CRT_EC_PEM
+
+/* PEM encoded test server certificates and keys */
+
+#define TEST_SRV_KEY_RSA        TEST_SRV_KEY_RSA_PEM
+#define TEST_SRV_PWD_RSA        ""
+#define TEST_SRV_CRT_RSA_SHA256 TEST_SRV_CRT_RSA_SHA256_PEM
+#define TEST_SRV_CRT_RSA_SHA1   TEST_SRV_CRT_RSA_SHA1_PEM
+#define TEST_SRV_KEY_EC         TEST_SRV_KEY_EC_PEM
+#define TEST_SRV_PWD_EC         ""
+#define TEST_SRV_CRT_EC         TEST_SRV_CRT_EC_PEM
+
+/* PEM encoded test client certificates and keys */
+
+#define TEST_CLI_KEY_RSA  TEST_CLI_KEY_RSA_PEM
+#define TEST_CLI_PWD_RSA  ""
+#define TEST_CLI_CRT_RSA  TEST_CLI_CRT_RSA_PEM
+#define TEST_CLI_KEY_EC   TEST_CLI_KEY_EC_PEM
+#define TEST_CLI_PWD_EC   ""
+#define TEST_CLI_CRT_EC   TEST_CLI_CRT_EC_PEM
+
+#else /* MBEDTLS_PEM_PARSE_C */
+
+/* DER encoded test CA certificates and keys */
+
+#define TEST_CA_KEY_RSA        TEST_CA_KEY_RSA_DER
+#define TEST_CA_PWD_RSA        ""
+#define TEST_CA_CRT_RSA_SHA256 TEST_CA_CRT_RSA_SHA256_DER
+#define TEST_CA_CRT_RSA_SHA1   TEST_CA_CRT_RSA_SHA1_DER
+#define TEST_CA_KEY_EC         TEST_CA_KEY_EC_DER
+#define TEST_CA_PWD_EC         ""
+#define TEST_CA_CRT_EC         TEST_CA_CRT_EC_DER
+
+/* DER encoded test server certificates and keys */
+
+#define TEST_SRV_KEY_RSA        TEST_SRV_KEY_RSA_DER
+#define TEST_SRV_PWD_RSA        ""
+#define TEST_SRV_CRT_RSA_SHA256 TEST_SRV_CRT_RSA_SHA256_DER
+#define TEST_SRV_CRT_RSA_SHA1   TEST_SRV_CRT_RSA_SHA1_DER
+#define TEST_SRV_KEY_EC         TEST_SRV_KEY_EC_DER
+#define TEST_SRV_PWD_EC         ""
+#define TEST_SRV_CRT_EC         TEST_SRV_CRT_EC_DER
+
+/* DER encoded test client certificates and keys */
+
+#define TEST_CLI_KEY_RSA  TEST_CLI_KEY_RSA_DER
+#define TEST_CLI_PWD_RSA  ""
+#define TEST_CLI_CRT_RSA  TEST_CLI_CRT_RSA_DER
+#define TEST_CLI_KEY_EC   TEST_CLI_KEY_EC_DER
+#define TEST_CLI_PWD_EC   ""
+#define TEST_CLI_CRT_EC   TEST_CLI_CRT_EC_DER
+
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+const char mbedtls_test_ca_key_rsa[]         = TEST_CA_KEY_RSA;
+const char mbedtls_test_ca_pwd_rsa[]         = TEST_CA_PWD_RSA;
+const char mbedtls_test_ca_crt_rsa_sha256[]  = TEST_CA_CRT_RSA_SHA256;
+const char mbedtls_test_ca_crt_rsa_sha1[]    = TEST_CA_CRT_RSA_SHA1;
+const char mbedtls_test_ca_key_ec[]          = TEST_CA_KEY_EC;
+const char mbedtls_test_ca_pwd_ec[]          = TEST_CA_PWD_EC;
+const char mbedtls_test_ca_crt_ec[]          = TEST_CA_CRT_EC;
+
+const char mbedtls_test_srv_key_rsa[]        = TEST_SRV_KEY_RSA;
+const char mbedtls_test_srv_pwd_rsa[]        = TEST_SRV_PWD_RSA;
+const char mbedtls_test_srv_crt_rsa_sha256[] = TEST_SRV_CRT_RSA_SHA256;
+const char mbedtls_test_srv_crt_rsa_sha1[]   = TEST_SRV_CRT_RSA_SHA1;
+const char mbedtls_test_srv_key_ec[]         = TEST_SRV_KEY_EC;
+const char mbedtls_test_srv_pwd_ec[]         = TEST_SRV_PWD_EC;
+const char mbedtls_test_srv_crt_ec[]         = TEST_SRV_CRT_EC;
+
+const char mbedtls_test_cli_key_rsa[]        = TEST_CLI_KEY_RSA;
+const char mbedtls_test_cli_pwd_rsa[]        = TEST_CLI_PWD_RSA;
+const char mbedtls_test_cli_crt_rsa[]        = TEST_CLI_CRT_RSA;
+const char mbedtls_test_cli_key_ec[]         = TEST_CLI_KEY_EC;
+const char mbedtls_test_cli_pwd_ec[]         = TEST_CLI_PWD_EC;
+const char mbedtls_test_cli_crt_ec[]         = TEST_CLI_CRT_EC;
+
+const size_t mbedtls_test_ca_key_rsa_len =
+    sizeof( mbedtls_test_ca_key_rsa );
+const size_t mbedtls_test_ca_pwd_rsa_len =
+    sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
+const size_t mbedtls_test_ca_crt_rsa_sha256_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha256 );
+const size_t mbedtls_test_ca_crt_rsa_sha1_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha1 );
+const size_t mbedtls_test_ca_key_ec_len =
+    sizeof( mbedtls_test_ca_key_ec );
+const size_t mbedtls_test_ca_pwd_ec_len =
+    sizeof( mbedtls_test_ca_pwd_ec ) - 1;
+const size_t mbedtls_test_ca_crt_ec_len =
+    sizeof( mbedtls_test_ca_crt_ec );
+
+const size_t mbedtls_test_srv_key_rsa_len =
+    sizeof( mbedtls_test_srv_key_rsa );
+const size_t mbedtls_test_srv_pwd_rsa_len =
+    sizeof( mbedtls_test_srv_pwd_rsa ) -1;
+const size_t mbedtls_test_srv_crt_rsa_sha256_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha256 );
+const size_t mbedtls_test_srv_crt_rsa_sha1_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha1 );
+const size_t mbedtls_test_srv_key_ec_len =
+    sizeof( mbedtls_test_srv_key_ec );
+const size_t mbedtls_test_srv_pwd_ec_len =
+    sizeof( mbedtls_test_srv_pwd_ec ) - 1;
+const size_t mbedtls_test_srv_crt_ec_len =
+    sizeof( mbedtls_test_srv_crt_ec );
+
+const size_t mbedtls_test_cli_key_rsa_len =
+    sizeof( mbedtls_test_cli_key_rsa );
+const size_t mbedtls_test_cli_pwd_rsa_len =
+    sizeof( mbedtls_test_cli_pwd_rsa ) - 1;
+const size_t mbedtls_test_cli_crt_rsa_len =
+    sizeof( mbedtls_test_cli_crt_rsa );
+const size_t mbedtls_test_cli_key_ec_len =
+    sizeof( mbedtls_test_cli_key_ec );
+const size_t mbedtls_test_cli_pwd_ec_len =
+    sizeof( mbedtls_test_cli_pwd_ec ) - 1;
+const size_t mbedtls_test_cli_crt_ec_len =
+    sizeof( mbedtls_test_cli_crt_ec );
+
+/*
+ * Dispatch between SHA-1 and SHA-256
+ */
 
 #if defined(MBEDTLS_SHA256_C)
-/* tests/data_files/server2-sha256.crt */
-#define TEST_SRV_CRT_RSA_SHA256                                          \
-"-----BEGIN CERTIFICATE-----\r\n"                                        \
-"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n"   \
-"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"   \
-"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"   \
-"A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n"   \
-"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n"   \
-"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n"   \
-"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n"   \
-"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n"   \
-"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n"   \
-"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n"   \
-"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n"   \
-"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAGGEshT5\r\n"   \
-"kvnRmLVScVeUEdwIrvW7ezbGbUvJ8VxeJ79/HSjlLiGbMc4uUathwtzEdi9R/4C5\r\n"   \
-"DXBNeEPTkbB+fhG1W06iHYj/Dp8+aaG7fuDxKVKHVZSqBnmQLn73ymyclZNHii5A\r\n"   \
-"3nTS8WUaHAzxN/rajOtoM7aH1P9tULpHrl+7HOeLMpxUnwI12ZqZaLIzxbcdJVcr\r\n"   \
-"ra2F00aXCGkYVLvyvbZIq7LC+yVysej5gCeQYD7VFOEks0jhFjrS06gP0/XnWv6v\r\n"   \
-"eBoPez9d+CCjkrhseiWzXOiriIMICX48EloO/DrsMRAtvlwq7EDz4QhILz6ffndm\r\n"   \
-"e4K1cVANRPN2o9Y=\r\n"                                                   \
-"-----END CERTIFICATE-----\r\n"
-
-const char mbedtls_test_srv_crt_rsa[]     =  TEST_SRV_CRT_RSA_SHA256;
-const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
-#define TEST_SRV_CRT_RSA_SOME
+#define TEST_CA_CRT_RSA  TEST_CA_CRT_RSA_SHA256
+#define TEST_SRV_CRT_RSA TEST_SRV_CRT_RSA_SHA256
+#else
+#define TEST_CA_CRT_RSA  TEST_CA_CRT_RSA_SHA1
+#define TEST_SRV_CRT_RSA TEST_SRV_CRT_RSA_SHA1
 #endif /* MBEDTLS_SHA256_C */
 
-#if !defined(TEST_SRV_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
-/* tests/data_files/server2.crt */
-#define TEST_SRV_CRT_RSA_SHA1                                          \
-"-----BEGIN CERTIFICATE-----\r\n"                                      \
-"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
-"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
-"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
-"A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
-"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
-"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
-"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
-"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
-"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
-"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
-"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
-"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJxnXClY\r\n" \
-"oHkbp70cqBrsGXLybA74czbO5RdLEgFs7rHVS9r+c293luS/KdliLScZqAzYVylw\r\n" \
-"UfRWvKMoWhHYKp3dEIS4xTXk6/5zXxhv9Rw8SGc8qn6vITHk1S1mPevtekgasY5Y\r\n" \
-"iWQuM3h4YVlRH3HHEMAD1TnAexfXHHDFQGe+Bd1iAbz1/sH9H8l4StwX6egvTK3M\r\n" \
-"wXRwkKkvjKaEDA9ATbZx0mI8LGsxSuCqe9r9dyjmttd47J1p1Rulz3CLzaRcVIuS\r\n" \
-"RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8\r\n" \
-"zhuYwjVuX6JHG0c=\r\n"                                                 \
-"-----END CERTIFICATE-----\r\n";
-
-#if !defined(TEST_SRV_CRT_RSA_SOME)
-const char mbedtls_test_srv_crt_rsa[]     =  TEST_SRV_CRT_RSA_SHA1;
-const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
-#endif /* TEST_SRV_CRT_RSA_SOME */
-#endif /* !TEST_CA_CRT_RSA_SOME || MBEDTLS_SHA1_C */
-
-const char mbedtls_test_ca_key_rsa[] =
-"-----BEGIN RSA PRIVATE KEY-----\r\n"
-"Proc-Type: 4,ENCRYPTED\r\n"
-"DEK-Info: DES-EDE3-CBC,A8A95B05D5B7206B\r\n"
-"\r\n"
-"9Qd9GeArejl1GDVh2lLV1bHt0cPtfbh5h/5zVpAVaFpqtSPMrElp50Rntn9et+JA\r\n"
-"7VOyboR+Iy2t/HU4WvA687k3Bppe9GwKHjHhtl//8xFKwZr3Xb5yO5JUP8AUctQq\r\n"
-"Nb8CLlZyuUC+52REAAthdWgsX+7dJO4yabzUcQ22Tp9JSD0hiL43BlkWYUNK3dAo\r\n"
-"PZlmiptjnzVTjg1MxsBSydZinWOLBV8/JQgxSPo2yD4uEfig28qbvQ2wNIn0pnAb\r\n"
-"GxnSAOazkongEGfvcjIIs+LZN9gXFhxcOh6kc4Q/c99B7QWETwLLkYgZ+z1a9VY9\r\n"
-"gEU7CwCxYCD+h9hY6FPmsK0/lC4O7aeRKpYq00rPPxs6i7phiexg6ax6yTMmArQq\r\n"
-"QmK3TAsJm8V/J5AWpLEV6jAFgRGymGGHnof0DXzVWZidrcZJWTNuGEX90nB3ee2w\r\n"
-"PXJEFWKoD3K3aFcSLdHYr3mLGxP7H9ThQai9VsycxZKS5kwvBKQ//YMrmFfwPk8x\r\n"
-"vTeY4KZMaUrveEel5tWZC94RSMKgxR6cyE1nBXyTQnDOGbfpNNgBKxyKbINWoOJU\r\n"
-"WJZAwlsQn+QzCDwpri7+sV1mS3gBE6UY7aQmnmiiaC2V3Hbphxct/en5QsfDOt1X\r\n"
-"JczSfpRWLlbPznZg8OQh/VgCMA58N5DjOzTIK7sJJ5r+94ZBTCpgAMbF588f0NTR\r\n"
-"KCe4yrxGJR7X02M4nvD4IwOlpsQ8xQxZtOSgXv4LkxvdU9XJJKWZ/XNKJeWztxSe\r\n"
-"Z1vdTc2YfsDBA2SEv33vxHx2g1vqtw8SjDRT2RaQSS0QuSaMJimdOX6mTOCBKk1J\r\n"
-"9Q5mXTrER+/LnK0jEmXsBXWA5bqqVZIyahXSx4VYZ7l7w/PHiUDtDgyRhMMKi4n2\r\n"
-"iQvQcWSQTjrpnlJbca1/DkpRt3YwrvJwdqb8asZU2VrNETh5x0QVefDRLFiVpif/\r\n"
-"tUaeAe/P1F8OkS7OIZDs1SUbv/sD2vMbhNkUoCms3/PvNtdnvgL4F0zhaDpKCmlT\r\n"
-"P8vx49E7v5CyRNmED9zZg4o3wmMqrQO93PtTug3Eu9oVx1zPQM1NVMyBa2+f29DL\r\n"
-"1nuTCeXdo9+ni45xx+jAI4DCwrRdhJ9uzZyC6962H37H6D+5naNvClFR1s6li1Gb\r\n"
-"nqPoiy/OBsEx9CaDGcqQBp5Wme/3XW+6z1ISOx+igwNTVCT14mHdBMbya0eIKft5\r\n"
-"X+GnwtgEMyCYyyWuUct8g4RzErcY9+yW9Om5Hzpx4zOuW4NPZgPDTgK+t2RSL/Yq\r\n"
-"rE1njrgeGYcVeG3f+OftH4s6fPbq7t1A5ZgUscbLMBqr9tK+OqygR4EgKBPsH6Cz\r\n"
-"L6zlv/2RV0qAHvVuDJcIDIgwY5rJtINEm32rhOeFNJwZS5MNIC1czXZx5//ugX7l\r\n"
-"I4sy5nbVhwSjtAk8Xg5dZbdTZ6mIrb7xqH+fdakZor1khG7bC2uIwibD3cSl2XkR\r\n"
-"wN48lslbHnqqagr6Xm1nNOSVl8C/6kbJEsMpLhAezfRtGwvOucoaE+WbeUNolGde\r\n"
-"P/eQiddSf0brnpiLJRh7qZrl9XuqYdpUqnoEdMAfotDOID8OtV7gt8a48ad8VPW2\r\n"
-"-----END RSA PRIVATE KEY-----\r\n";
-const size_t mbedtls_test_ca_key_rsa_len = sizeof( mbedtls_test_ca_key_rsa );
-
-const char mbedtls_test_ca_pwd_rsa[] = "PolarSSLTest";
-const size_t mbedtls_test_ca_pwd_rsa_len = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
-
-const char mbedtls_test_srv_key_rsa[] =
-"-----BEGIN RSA PRIVATE KEY-----\r\n"
-"MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n"
-"lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n"
-"2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n"
-"Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n"
-"GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n"
-"y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n"
-"++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n"
-"Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n"
-"/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n"
-"WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n"
-"GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n"
-"TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n"
-"CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n"
-"nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n"
-"AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n"
-"sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n"
-"mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n"
-"BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n"
-"whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n"
-"vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n"
-"3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n"
-"3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n"
-"ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n"
-"4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n"
-"TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n"
-"-----END RSA PRIVATE KEY-----\r\n";
-const size_t mbedtls_test_srv_key_rsa_len = sizeof( mbedtls_test_srv_key_rsa );
-
-const char mbedtls_test_cli_crt_rsa[] =
-"-----BEGIN CERTIFICATE-----\r\n"
-"MIIDhTCCAm2gAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n"
-"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
-"MTcwNTA1MTMwNzU5WhcNMjcwNTA2MTMwNzU5WjA8MQswCQYDVQQGEwJOTDERMA8G\r\n"
-"A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN\r\n"
-"BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f\r\n"
-"M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu\r\n"
-"1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw\r\n"
-"MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v\r\n"
-"4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/\r\n"
-"/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB\r\n"
-"o4GSMIGPMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITBjBgNVHSMEXDBa\r\n"
-"gBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNV\r\n"
-"BAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEAMAkGA1Ud\r\n"
-"EwQCMAAwDQYJKoZIhvcNAQELBQADggEBAC7yO786NvcHpK8UovKIG9cB32oSQQom\r\n"
-"LoR0eHDRzdqEkoq7yGZufHFiRAAzbMqJfogRtxlrWAeB4y/jGaMBV25IbFOIcH2W\r\n"
-"iCEaMMbG+VQLKNvuC63kmw/Zewc9ThM6Pa1Hcy0axT0faf1B/U01j0FIcw/6mTfK\r\n"
-"D8w48OIwc1yr0JtutCVjig5DC0yznGMt32RyseOLcUe+lfq005v2PAiCozr5X8rE\r\n"
-"ofGZpiM2NqRPePgYy+Vc75Zk28xkRQq1ncprgQb3S4vTsZdScpM9hLf+eMlrgqlj\r\n"
-"c5PLSkXBeLE5+fedkyfTaLxxQlgCpuoOhKBm04/R1pWNzUHyqagjO9Q=\r\n"
-"-----END CERTIFICATE-----\r\n";
-const size_t mbedtls_test_cli_crt_rsa_len = sizeof( mbedtls_test_cli_crt_rsa );
-
-const char mbedtls_test_cli_key_rsa[] =
-"-----BEGIN RSA PRIVATE KEY-----\r\n"
-"MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF\r\n"
-"B9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu1C93KYRhTYJQj6eVSHD1\r\n"
-"bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEwMjDV0/YI0FZPRo7yX/k9\r\n"
-"Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v4Jv4EFbMs44TFeY0BGbH\r\n"
-"7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx//DZrtenNLQNiTrM9AM+v\r\n"
-"dqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQABAoIBAGdNtfYDiap6bzst\r\n"
-"yhCiI8m9TtrhZw4MisaEaN/ll3XSjaOG2dvV6xMZCMV+5TeXDHOAZnY18Yi18vzz\r\n"
-"4Ut2TnNFzizCECYNaA2fST3WgInnxUkV3YXAyP6CNxJaCmv2aA0yFr2kFVSeaKGt\r\n"
-"ymvljNp2NVkvm7Th8fBQBO7I7AXhz43k0mR7XmPgewe8ApZOG3hstkOaMvbWAvWA\r\n"
-"zCZupdDjZYjOJqlA4eEA4H8/w7F83r5CugeBE8LgEREjLPiyejrU5H1fubEY+h0d\r\n"
-"l5HZBJ68ybTXfQ5U9o/QKA3dd0toBEhhdRUDGzWtjvwkEQfqF1reGWj/tod/gCpf\r\n"
-"DFi6X0ECgYEA4wOv/pjSC3ty6TuOvKX2rOUiBrLXXv2JSxZnMoMiWI5ipLQt+RYT\r\n"
-"VPafL/m7Dn6MbwjayOkcZhBwk5CNz5A6Q4lJ64Mq/lqHznRCQQ2Mc1G8eyDF/fYL\r\n"
-"Ze2pLvwP9VD5jTc2miDfw+MnvJhywRRLcemDFP8k4hQVtm8PMp3ZmNECgYEA4gz7\r\n"
-"wzObR4gn8ibe617uQPZjWzUj9dUHYd+in1gwBCIrtNnaRn9I9U/Q6tegRYpii4ys\r\n"
-"c176NmU+umy6XmuSKV5qD9bSpZWG2nLFnslrN15Lm3fhZxoeMNhBaEDTnLT26yoi\r\n"
-"33gp0mSSWy94ZEqipms+ULF6sY1ZtFW6tpGFoy8CgYAQHhnnvJflIs2ky4q10B60\r\n"
-"ZcxFp3rtDpkp0JxhFLhiizFrujMtZSjYNm5U7KkgPVHhLELEUvCmOnKTt4ap/vZ0\r\n"
-"BxJNe1GZH3pW6SAvGDQpl9sG7uu/vTFP+lCxukmzxB0DrrDcvorEkKMom7ZCCRvW\r\n"
-"KZsZ6YeH2Z81BauRj218kQKBgQCUV/DgKP2985xDTT79N08jUo3hTP5MVYCCuj/+\r\n"
-"UeEw1TvZcx3LJby7P6Xad6a1/BqveaGyFKIfEFIaBUBItk801sDDpDaYc4gL00Xc\r\n"
-"7lFuBHOZkxJYlss5QrGpuOEl9ZwUt5IrFLBdYaKqNHzNVC1pCPfb/JyH6Dr2HUxq\r\n"
-"gxUwAQKBgQCcU6G2L8AG9d9c0UpOyL1tMvFe5Ttw0KjlQVdsh1MP6yigYo9DYuwu\r\n"
-"bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n"
-"8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n"
-"-----END RSA PRIVATE KEY-----\r\n";
-const size_t mbedtls_test_cli_key_rsa_len = sizeof( mbedtls_test_cli_key_rsa );
+const char mbedtls_test_ca_crt_rsa[]  = TEST_CA_CRT_RSA;
+const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA;
+
+const size_t mbedtls_test_ca_crt_rsa_len =
+    sizeof( mbedtls_test_ca_crt_rsa );
+const size_t mbedtls_test_srv_crt_rsa_len =
+    sizeof( mbedtls_test_srv_crt_rsa );
+
+/*
+ * Dispatch between RSA and EC
+ */
+
+#if defined(MBEDTLS_RSA_C)
+
+#define TEST_CA_KEY TEST_CA_KEY_RSA
+#define TEST_CA_PWD TEST_CA_PWD_RSA
+#define TEST_CA_CRT TEST_CA_CRT_RSA
+
+#define TEST_SRV_KEY TEST_SRV_KEY_RSA
+#define TEST_SRV_PWD TEST_SRV_PWD_RSA
+#define TEST_SRV_CRT TEST_SRV_CRT_RSA
+
+#define TEST_CLI_KEY TEST_CLI_KEY_RSA
+#define TEST_CLI_PWD TEST_CLI_PWD_RSA
+#define TEST_CLI_CRT TEST_CLI_CRT_RSA
+
+#else /* no RSA, so assume ECDSA */
+
+#define TEST_CA_KEY TEST_CA_KEY_EC
+#define TEST_CA_PWD TEST_CA_PWD_EC
+#define TEST_CA_CRT TEST_CA_CRT_EC
+
+#define TEST_SRV_KEY TEST_SRV_KEY_EC
+#define TEST_SRV_PWD TEST_SRV_PWD_EC
+#define TEST_SRV_CRT TEST_SRV_CRT_EC
+
+#define TEST_CLI_KEY TEST_CLI_KEY_EC
+#define TEST_CLI_PWD TEST_CLI_PWD_EC
+#define TEST_CLI_CRT TEST_CLI_CRT_EC
+
 #endif /* MBEDTLS_RSA_C */
 
-#if defined(MBEDTLS_PEM_PARSE_C)
-/* Concatenation of all available CA certificates */
-const char mbedtls_test_cas_pem[] =
-#ifdef TEST_CA_CRT_RSA_SHA1
-    TEST_CA_CRT_RSA_SHA1
-#endif
-#ifdef TEST_CA_CRT_RSA_SHA256
-    TEST_CA_CRT_RSA_SHA256
-#endif
-#ifdef TEST_CA_CRT_EC
-    TEST_CA_CRT_EC
-#endif
-    "";
-const size_t mbedtls_test_cas_pem_len = sizeof( mbedtls_test_cas_pem );
-#endif
+/* API stability forces us to declare
+ *   mbedtls_test_{ca|srv|cli}_{key|pwd|crt}
+ * as pointers. */
+static const char test_ca_key[] = TEST_CA_KEY;
+static const char test_ca_pwd[] = TEST_CA_PWD;
+static const char test_ca_crt[] = TEST_CA_CRT;
+
+static const char test_srv_key[] = TEST_SRV_KEY;
+static const char test_srv_pwd[] = TEST_SRV_PWD;
+static const char test_srv_crt[] = TEST_SRV_CRT;
+
+static const char test_cli_key[] = TEST_CLI_KEY;
+static const char test_cli_pwd[] = TEST_CLI_PWD;
+static const char test_cli_crt[] = TEST_CLI_CRT;
+
+const char *mbedtls_test_ca_key = test_ca_key;
+const char *mbedtls_test_ca_pwd = test_ca_pwd;
+const char *mbedtls_test_ca_crt = test_ca_crt;
+
+const char *mbedtls_test_srv_key = test_srv_key;
+const char *mbedtls_test_srv_pwd = test_srv_pwd;
+const char *mbedtls_test_srv_crt = test_srv_crt;
+
+const char *mbedtls_test_cli_key = test_cli_key;
+const char *mbedtls_test_cli_pwd = test_cli_pwd;
+const char *mbedtls_test_cli_crt = test_cli_crt;
+
+const size_t mbedtls_test_ca_key_len =
+    sizeof( test_ca_key );
+const size_t mbedtls_test_ca_pwd_len =
+    sizeof( test_ca_pwd ) - 1;
+const size_t mbedtls_test_ca_crt_len =
+    sizeof( test_ca_crt );
+
+const size_t mbedtls_test_srv_key_len =
+    sizeof( test_srv_key );
+const size_t mbedtls_test_srv_pwd_len =
+    sizeof( test_srv_pwd ) - 1;
+const size_t mbedtls_test_srv_crt_len =
+    sizeof( test_srv_crt );
+
+const size_t mbedtls_test_cli_key_len =
+    sizeof( test_cli_key );
+const size_t mbedtls_test_cli_pwd_len =
+    sizeof( test_cli_pwd ) - 1;
+const size_t mbedtls_test_cli_crt_len =
+    sizeof( test_cli_crt );
 
-/* List of all available CA certificates */
+/*
+ *
+ * Lists of certificates
+ *
+ */
+
+/* List of CAs in PEM or DER, depending on config */
 const char * mbedtls_test_cas[] = {
-#if defined(TEST_CA_CRT_RSA_SHA1)
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA1_C)
     mbedtls_test_ca_crt_rsa_sha1,
 #endif
-#if defined(TEST_CA_CRT_RSA_SHA256)
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C)
     mbedtls_test_ca_crt_rsa_sha256,
 #endif
 #if defined(MBEDTLS_ECDSA_C)
@@ -388,10 +1704,10 @@ const char * mbedtls_test_cas[] = {
     NULL
 };
 const size_t mbedtls_test_cas_len[] = {
-#if defined(TEST_CA_CRT_RSA_SHA1)
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA1_C)
     sizeof( mbedtls_test_ca_crt_rsa_sha1 ),
 #endif
-#if defined(TEST_CA_CRT_RSA_SHA256)
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C)
     sizeof( mbedtls_test_ca_crt_rsa_sha256 ),
 #endif
 #if defined(MBEDTLS_ECDSA_C)
@@ -400,36 +1716,53 @@ const size_t mbedtls_test_cas_len[] = {
     0
 };
 
+/* List of all available CA certificates in DER format */
+const unsigned char * mbedtls_test_cas_der[] = {
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_test_ca_crt_rsa_sha256_der,
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA1_C)
+    mbedtls_test_ca_crt_rsa_sha1_der,
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECDSA_C)
+    mbedtls_test_ca_crt_ec_der,
+#endif /* MBEDTLS_ECDSA_C */
+    NULL
+};
+
+const size_t mbedtls_test_cas_der_len[] = {
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SHA256_C)
+    sizeof( mbedtls_test_ca_crt_rsa_sha256_der ),
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA1_C)
+    sizeof( mbedtls_test_ca_crt_rsa_sha1_der ),
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECDSA_C)
+    sizeof( mbedtls_test_ca_crt_ec_der ),
+#endif /* MBEDTLS_ECDSA_C */
+    0
+};
+
+/* Concatenation of all available CA certificates in PEM format */
+#if defined(MBEDTLS_PEM_PARSE_C)
+const char mbedtls_test_cas_pem[] =
 #if defined(MBEDTLS_RSA_C)
-const char *mbedtls_test_ca_crt  = mbedtls_test_ca_crt_rsa; /* SHA1 or SHA256 */
-const char *mbedtls_test_ca_key  = mbedtls_test_ca_key_rsa;
-const char *mbedtls_test_ca_pwd  = mbedtls_test_ca_pwd_rsa;
-const char *mbedtls_test_srv_crt = mbedtls_test_srv_crt_rsa;
-const char *mbedtls_test_srv_key = mbedtls_test_srv_key_rsa;
-const char *mbedtls_test_cli_crt = mbedtls_test_cli_crt_rsa;
-const char *mbedtls_test_cli_key = mbedtls_test_cli_key_rsa;
-const size_t mbedtls_test_ca_crt_len  = sizeof( mbedtls_test_ca_crt_rsa );
-const size_t mbedtls_test_ca_key_len  = sizeof( mbedtls_test_ca_key_rsa );
-const size_t mbedtls_test_ca_pwd_len  = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
-const size_t mbedtls_test_srv_crt_len = sizeof( mbedtls_test_srv_crt_rsa );
-const size_t mbedtls_test_srv_key_len = sizeof( mbedtls_test_srv_key_rsa );
-const size_t mbedtls_test_cli_crt_len = sizeof( mbedtls_test_cli_crt_rsa );
-const size_t mbedtls_test_cli_key_len = sizeof( mbedtls_test_cli_key_rsa );
-#else /* ! MBEDTLS_RSA_C, so MBEDTLS_ECDSA_C */
-const char *mbedtls_test_ca_crt  = mbedtls_test_ca_crt_ec;
-const char *mbedtls_test_ca_key  = mbedtls_test_ca_key_ec;
-const char *mbedtls_test_ca_pwd  = mbedtls_test_ca_pwd_ec;
-const char *mbedtls_test_srv_crt = mbedtls_test_srv_crt_ec;
-const char *mbedtls_test_srv_key = mbedtls_test_srv_key_ec;
-const char *mbedtls_test_cli_crt = mbedtls_test_cli_crt_ec;
-const char *mbedtls_test_cli_key = mbedtls_test_cli_key_ec;
-const size_t mbedtls_test_ca_crt_len  = sizeof( mbedtls_test_ca_crt_ec );
-const size_t mbedtls_test_ca_key_len  = sizeof( mbedtls_test_ca_key_ec );
-const size_t mbedtls_test_ca_pwd_len  = sizeof( mbedtls_test_ca_pwd_ec ) - 1;
-const size_t mbedtls_test_srv_crt_len = sizeof( mbedtls_test_srv_crt_ec );
-const size_t mbedtls_test_srv_key_len = sizeof( mbedtls_test_srv_key_ec );
-const size_t mbedtls_test_cli_crt_len = sizeof( mbedtls_test_cli_crt_ec );
-const size_t mbedtls_test_cli_key_len = sizeof( mbedtls_test_cli_key_ec );
+#if defined(MBEDTLS_SHA256_C)
+    TEST_CA_CRT_RSA_SHA256_PEM
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA1_C)
+    TEST_CA_CRT_RSA_SHA1_PEM
+#endif /* MBEDTLS_SHA1_C */
 #endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECDSA_C)
+    TEST_CA_CRT_EC_PEM
+#endif /* MBEDTLS_ECDSA_C */
+    "";
+const size_t mbedtls_test_cas_pem_len = sizeof( mbedtls_test_cas_pem );
+#endif /* MBEDTLS_PEM_PARSE_C */
 
 #endif /* MBEDTLS_CERTS_C */
diff --git a/3rdparty/mbedtls/mbedtls/library/chacha20.c b/3rdparty/mbedtls/mbedtls/library/chacha20.c
new file mode 100644
index 0000000000..8a3610f0e0
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/library/chacha20.c
@@ -0,0 +1,570 @@
+/**
+ * \file chacha20.c
+ *
+ * \brief ChaCha20 cipher.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+
+#include "mbedtls/chacha20.h"
+#include "mbedtls/platform_util.h"
+
+#include <stddef.h>
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_CHACHA20_ALT)
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Parameter validation macros */
+#define CHACHA20_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA )
+#define CHACHA20_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define BYTES_TO_U32_LE( data, offset )                           \
+    ( (uint32_t) (data)[offset]                                   \
+      | (uint32_t) ( (uint32_t) (data)[( offset ) + 1] << 8 )     \
+      | (uint32_t) ( (uint32_t) (data)[( offset ) + 2] << 16 )    \
+      | (uint32_t) ( (uint32_t) (data)[( offset ) + 3] << 24 )    \
+    )
+
+#define ROTL32( value, amount ) \
+    ( (uint32_t) ( (value) << (amount) ) | ( (value) >> ( 32 - (amount) ) ) )
+
+#define CHACHA20_CTR_INDEX ( 12U )
+
+#define CHACHA20_BLOCK_SIZE_BYTES ( 4U * 16U )
+
+/**
+ * \brief           ChaCha20 quarter round operation.
+ *
+ *                  The quarter round is defined as follows (from RFC 7539):
+ *                      1.  a += b; d ^= a; d <<<= 16;
+ *                      2.  c += d; b ^= c; b <<<= 12;
+ *                      3.  a += b; d ^= a; d <<<= 8;
+ *                      4.  c += d; b ^= c; b <<<= 7;
+ *
+ * \param state     ChaCha20 state to modify.
+ * \param a         The index of 'a' in the state.
+ * \param b         The index of 'b' in the state.
+ * \param c         The index of 'c' in the state.
+ * \param d         The index of 'd' in the state.
+ */
+static inline void chacha20_quarter_round( uint32_t state[16],
+                                           size_t a,
+                                           size_t b,
+                                           size_t c,
+                                           size_t d )
+{
+    /* a += b; d ^= a; d <<<= 16; */
+    state[a] += state[b];
+    state[d] ^= state[a];
+    state[d] = ROTL32( state[d], 16 );
+
+    /* c += d; b ^= c; b <<<= 12 */
+    state[c] += state[d];
+    state[b] ^= state[c];
+    state[b] = ROTL32( state[b], 12 );
+
+    /* a += b; d ^= a; d <<<= 8; */
+    state[a] += state[b];
+    state[d] ^= state[a];
+    state[d] = ROTL32( state[d], 8 );
+
+    /* c += d; b ^= c; b <<<= 7; */
+    state[c] += state[d];
+    state[b] ^= state[c];
+    state[b] = ROTL32( state[b], 7 );
+}
+
+/**
+ * \brief           Perform the ChaCha20 inner block operation.
+ *
+ *                  This function performs two rounds: the column round and the
+ *                  diagonal round.
+ *
+ * \param state     The ChaCha20 state to update.
+ */
+static void chacha20_inner_block( uint32_t state[16] )
+{
+    chacha20_quarter_round( state, 0, 4, 8,  12 );
+    chacha20_quarter_round( state, 1, 5, 9,  13 );
+    chacha20_quarter_round( state, 2, 6, 10, 14 );
+    chacha20_quarter_round( state, 3, 7, 11, 15 );
+
+    chacha20_quarter_round( state, 0, 5, 10, 15 );
+    chacha20_quarter_round( state, 1, 6, 11, 12 );
+    chacha20_quarter_round( state, 2, 7, 8,  13 );
+    chacha20_quarter_round( state, 3, 4, 9,  14 );
+}
+
+/**
+ * \brief               Generates a keystream block.
+ *
+ * \param initial_state The initial ChaCha20 state (key, nonce, counter).
+ * \param keystream     Generated keystream bytes are written to this buffer.
+ */
+static void chacha20_block( const uint32_t initial_state[16],
+                            unsigned char keystream[64] )
+{
+    uint32_t working_state[16];
+    size_t i;
+
+    memcpy( working_state,
+            initial_state,
+            CHACHA20_BLOCK_SIZE_BYTES );
+
+    for( i = 0U; i < 10U; i++ )
+        chacha20_inner_block( working_state );
+
+    working_state[ 0] += initial_state[ 0];
+    working_state[ 1] += initial_state[ 1];
+    working_state[ 2] += initial_state[ 2];
+    working_state[ 3] += initial_state[ 3];
+    working_state[ 4] += initial_state[ 4];
+    working_state[ 5] += initial_state[ 5];
+    working_state[ 6] += initial_state[ 6];
+    working_state[ 7] += initial_state[ 7];
+    working_state[ 8] += initial_state[ 8];
+    working_state[ 9] += initial_state[ 9];
+    working_state[10] += initial_state[10];
+    working_state[11] += initial_state[11];
+    working_state[12] += initial_state[12];
+    working_state[13] += initial_state[13];
+    working_state[14] += initial_state[14];
+    working_state[15] += initial_state[15];
+
+    for( i = 0U; i < 16; i++ )
+    {
+        size_t offset = i * 4U;
+
+        keystream[offset     ] = (unsigned char)( working_state[i]       );
+        keystream[offset + 1U] = (unsigned char)( working_state[i] >>  8 );
+        keystream[offset + 2U] = (unsigned char)( working_state[i] >> 16 );
+        keystream[offset + 3U] = (unsigned char)( working_state[i] >> 24 );
+    }
+
+    mbedtls_platform_zeroize( working_state, sizeof( working_state ) );
+}
+
+void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx )
+{
+    CHACHA20_VALIDATE( ctx != NULL );
+
+    mbedtls_platform_zeroize( ctx->state, sizeof( ctx->state ) );
+    mbedtls_platform_zeroize( ctx->keystream8, sizeof( ctx->keystream8 ) );
+
+    /* Initially, there's no keystream bytes available */
+    ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
+}
+
+void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx )
+{
+    if( ctx != NULL )
+    {
+        mbedtls_platform_zeroize( ctx, sizeof( mbedtls_chacha20_context ) );
+    }
+}
+
+int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx,
+                            const unsigned char key[32] )
+{
+    CHACHA20_VALIDATE_RET( ctx != NULL );
+    CHACHA20_VALIDATE_RET( key != NULL );
+
+    /* ChaCha20 constants - the string "expand 32-byte k" */
+    ctx->state[0] = 0x61707865;
+    ctx->state[1] = 0x3320646e;
+    ctx->state[2] = 0x79622d32;
+    ctx->state[3] = 0x6b206574;
+
+    /* Set key */
+    ctx->state[4]  = BYTES_TO_U32_LE( key, 0 );
+    ctx->state[5]  = BYTES_TO_U32_LE( key, 4 );
+    ctx->state[6]  = BYTES_TO_U32_LE( key, 8 );
+    ctx->state[7]  = BYTES_TO_U32_LE( key, 12 );
+    ctx->state[8]  = BYTES_TO_U32_LE( key, 16 );
+    ctx->state[9]  = BYTES_TO_U32_LE( key, 20 );
+    ctx->state[10] = BYTES_TO_U32_LE( key, 24 );
+    ctx->state[11] = BYTES_TO_U32_LE( key, 28 );
+
+    return( 0 );
+}
+
+int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx,
+                             const unsigned char nonce[12],
+                             uint32_t counter )
+{
+    CHACHA20_VALIDATE_RET( ctx != NULL );
+    CHACHA20_VALIDATE_RET( nonce != NULL );
+
+    /* Counter */
+    ctx->state[12] = counter;
+
+    /* Nonce */
+    ctx->state[13] = BYTES_TO_U32_LE( nonce, 0 );
+    ctx->state[14] = BYTES_TO_U32_LE( nonce, 4 );
+    ctx->state[15] = BYTES_TO_U32_LE( nonce, 8 );
+
+    mbedtls_platform_zeroize( ctx->keystream8, sizeof( ctx->keystream8 ) );
+
+    /* Initially, there's no keystream bytes available */
+    ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
+
+    return( 0 );
+}
+
+int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
+                              size_t size,
+                              const unsigned char *input,
+                              unsigned char *output )
+{
+    size_t offset = 0U;
+    size_t i;
+
+    CHACHA20_VALIDATE_RET( ctx != NULL );
+    CHACHA20_VALIDATE_RET( size == 0 || input  != NULL );
+    CHACHA20_VALIDATE_RET( size == 0 || output != NULL );
+
+    /* Use leftover keystream bytes, if available */
+    while( size > 0U && ctx->keystream_bytes_used < CHACHA20_BLOCK_SIZE_BYTES )
+    {
+        output[offset] = input[offset]
+                       ^ ctx->keystream8[ctx->keystream_bytes_used];
+
+        ctx->keystream_bytes_used++;
+        offset++;
+        size--;
+    }
+
+    /* Process full blocks */
+    while( size >= CHACHA20_BLOCK_SIZE_BYTES )
+    {
+        /* Generate new keystream block and increment counter */
+        chacha20_block( ctx->state, ctx->keystream8 );
+        ctx->state[CHACHA20_CTR_INDEX]++;
+
+        for( i = 0U; i < 64U; i += 8U )
+        {
+            output[offset + i  ] = input[offset + i  ] ^ ctx->keystream8[i  ];
+            output[offset + i+1] = input[offset + i+1] ^ ctx->keystream8[i+1];
+            output[offset + i+2] = input[offset + i+2] ^ ctx->keystream8[i+2];
+            output[offset + i+3] = input[offset + i+3] ^ ctx->keystream8[i+3];
+            output[offset + i+4] = input[offset + i+4] ^ ctx->keystream8[i+4];
+            output[offset + i+5] = input[offset + i+5] ^ ctx->keystream8[i+5];
+            output[offset + i+6] = input[offset + i+6] ^ ctx->keystream8[i+6];
+            output[offset + i+7] = input[offset + i+7] ^ ctx->keystream8[i+7];
+        }
+
+        offset += CHACHA20_BLOCK_SIZE_BYTES;
+        size   -= CHACHA20_BLOCK_SIZE_BYTES;
+    }
+
+    /* Last (partial) block */
+    if( size > 0U )
+    {
+        /* Generate new keystream block and increment counter */
+        chacha20_block( ctx->state, ctx->keystream8 );
+        ctx->state[CHACHA20_CTR_INDEX]++;
+
+        for( i = 0U; i < size; i++)
+        {
+            output[offset + i] = input[offset + i] ^ ctx->keystream8[i];
+        }
+
+        ctx->keystream_bytes_used = size;
+
+    }
+
+    return( 0 );
+}
+
+int mbedtls_chacha20_crypt( const unsigned char key[32],
+                            const unsigned char nonce[12],
+                            uint32_t counter,
+                            size_t data_len,
+                            const unsigned char* input,
+                            unsigned char* output )
+{
+    mbedtls_chacha20_context ctx;
+    int ret;
+
+    CHACHA20_VALIDATE_RET( key != NULL );
+    CHACHA20_VALIDATE_RET( nonce != NULL );
+    CHACHA20_VALIDATE_RET( data_len == 0 || input  != NULL );
+    CHACHA20_VALIDATE_RET( data_len == 0 || output != NULL );
+
+    mbedtls_chacha20_init( &ctx );
+
+    ret = mbedtls_chacha20_setkey( &ctx, key );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_chacha20_starts( &ctx, nonce, counter );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_chacha20_update( &ctx, data_len, input, output );
+
+cleanup:
+    mbedtls_chacha20_free( &ctx );
+    return( ret );
+}
+
+#endif /* !MBEDTLS_CHACHA20_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_keys[2][32] =
+{
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
+    }
+};
+
+static const unsigned char test_nonces[2][12] =
+{
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x02
+    }
+};
+
+static const uint32_t test_counters[2] =
+{
+    0U,
+    1U
+};
+
+static const unsigned char test_input[2][375] =
+{
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0x41, 0x6e, 0x79, 0x20, 0x73, 0x75, 0x62, 0x6d,
+        0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x20, 0x74,
+        0x6f, 0x20, 0x74, 0x68, 0x65, 0x20, 0x49, 0x45,
+        0x54, 0x46, 0x20, 0x69, 0x6e, 0x74, 0x65, 0x6e,
+        0x64, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x74,
+        0x68, 0x65, 0x20, 0x43, 0x6f, 0x6e, 0x74, 0x72,
+        0x69, 0x62, 0x75, 0x74, 0x6f, 0x72, 0x20, 0x66,
+        0x6f, 0x72, 0x20, 0x70, 0x75, 0x62, 0x6c, 0x69,
+        0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x61,
+        0x73, 0x20, 0x61, 0x6c, 0x6c, 0x20, 0x6f, 0x72,
+        0x20, 0x70, 0x61, 0x72, 0x74, 0x20, 0x6f, 0x66,
+        0x20, 0x61, 0x6e, 0x20, 0x49, 0x45, 0x54, 0x46,
+        0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65,
+        0x74, 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x20,
+        0x6f, 0x72, 0x20, 0x52, 0x46, 0x43, 0x20, 0x61,
+        0x6e, 0x64, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x73,
+        0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+        0x20, 0x6d, 0x61, 0x64, 0x65, 0x20, 0x77, 0x69,
+        0x74, 0x68, 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65,
+        0x20, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74,
+        0x20, 0x6f, 0x66, 0x20, 0x61, 0x6e, 0x20, 0x49,
+        0x45, 0x54, 0x46, 0x20, 0x61, 0x63, 0x74, 0x69,
+        0x76, 0x69, 0x74, 0x79, 0x20, 0x69, 0x73, 0x20,
+        0x63, 0x6f, 0x6e, 0x73, 0x69, 0x64, 0x65, 0x72,
+        0x65, 0x64, 0x20, 0x61, 0x6e, 0x20, 0x22, 0x49,
+        0x45, 0x54, 0x46, 0x20, 0x43, 0x6f, 0x6e, 0x74,
+        0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e,
+        0x22, 0x2e, 0x20, 0x53, 0x75, 0x63, 0x68, 0x20,
+        0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
+        0x74, 0x73, 0x20, 0x69, 0x6e, 0x63, 0x6c, 0x75,
+        0x64, 0x65, 0x20, 0x6f, 0x72, 0x61, 0x6c, 0x20,
+        0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
+        0x74, 0x73, 0x20, 0x69, 0x6e, 0x20, 0x49, 0x45,
+        0x54, 0x46, 0x20, 0x73, 0x65, 0x73, 0x73, 0x69,
+        0x6f, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x73, 0x20,
+        0x77, 0x65, 0x6c, 0x6c, 0x20, 0x61, 0x73, 0x20,
+        0x77, 0x72, 0x69, 0x74, 0x74, 0x65, 0x6e, 0x20,
+        0x61, 0x6e, 0x64, 0x20, 0x65, 0x6c, 0x65, 0x63,
+        0x74, 0x72, 0x6f, 0x6e, 0x69, 0x63, 0x20, 0x63,
+        0x6f, 0x6d, 0x6d, 0x75, 0x6e, 0x69, 0x63, 0x61,
+        0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6d, 0x61,
+        0x64, 0x65, 0x20, 0x61, 0x74, 0x20, 0x61, 0x6e,
+        0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x6f,
+        0x72, 0x20, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x2c,
+        0x20, 0x77, 0x68, 0x69, 0x63, 0x68, 0x20, 0x61,
+        0x72, 0x65, 0x20, 0x61, 0x64, 0x64, 0x72, 0x65,
+        0x73, 0x73, 0x65, 0x64, 0x20, 0x74, 0x6f
+    }
+};
+
+static const unsigned char test_output[2][375] =
+{
+    {
+        0x76, 0xb8, 0xe0, 0xad, 0xa0, 0xf1, 0x3d, 0x90,
+        0x40, 0x5d, 0x6a, 0xe5, 0x53, 0x86, 0xbd, 0x28,
+        0xbd, 0xd2, 0x19, 0xb8, 0xa0, 0x8d, 0xed, 0x1a,
+        0xa8, 0x36, 0xef, 0xcc, 0x8b, 0x77, 0x0d, 0xc7,
+        0xda, 0x41, 0x59, 0x7c, 0x51, 0x57, 0x48, 0x8d,
+        0x77, 0x24, 0xe0, 0x3f, 0xb8, 0xd8, 0x4a, 0x37,
+        0x6a, 0x43, 0xb8, 0xf4, 0x15, 0x18, 0xa1, 0x1c,
+        0xc3, 0x87, 0xb6, 0x69, 0xb2, 0xee, 0x65, 0x86
+    },
+    {
+        0xa3, 0xfb, 0xf0, 0x7d, 0xf3, 0xfa, 0x2f, 0xde,
+        0x4f, 0x37, 0x6c, 0xa2, 0x3e, 0x82, 0x73, 0x70,
+        0x41, 0x60, 0x5d, 0x9f, 0x4f, 0x4f, 0x57, 0xbd,
+        0x8c, 0xff, 0x2c, 0x1d, 0x4b, 0x79, 0x55, 0xec,
+        0x2a, 0x97, 0x94, 0x8b, 0xd3, 0x72, 0x29, 0x15,
+        0xc8, 0xf3, 0xd3, 0x37, 0xf7, 0xd3, 0x70, 0x05,
+        0x0e, 0x9e, 0x96, 0xd6, 0x47, 0xb7, 0xc3, 0x9f,
+        0x56, 0xe0, 0x31, 0xca, 0x5e, 0xb6, 0x25, 0x0d,
+        0x40, 0x42, 0xe0, 0x27, 0x85, 0xec, 0xec, 0xfa,
+        0x4b, 0x4b, 0xb5, 0xe8, 0xea, 0xd0, 0x44, 0x0e,
+        0x20, 0xb6, 0xe8, 0xdb, 0x09, 0xd8, 0x81, 0xa7,
+        0xc6, 0x13, 0x2f, 0x42, 0x0e, 0x52, 0x79, 0x50,
+        0x42, 0xbd, 0xfa, 0x77, 0x73, 0xd8, 0xa9, 0x05,
+        0x14, 0x47, 0xb3, 0x29, 0x1c, 0xe1, 0x41, 0x1c,
+        0x68, 0x04, 0x65, 0x55, 0x2a, 0xa6, 0xc4, 0x05,
+        0xb7, 0x76, 0x4d, 0x5e, 0x87, 0xbe, 0xa8, 0x5a,
+        0xd0, 0x0f, 0x84, 0x49, 0xed, 0x8f, 0x72, 0xd0,
+        0xd6, 0x62, 0xab, 0x05, 0x26, 0x91, 0xca, 0x66,
+        0x42, 0x4b, 0xc8, 0x6d, 0x2d, 0xf8, 0x0e, 0xa4,
+        0x1f, 0x43, 0xab, 0xf9, 0x37, 0xd3, 0x25, 0x9d,
+        0xc4, 0xb2, 0xd0, 0xdf, 0xb4, 0x8a, 0x6c, 0x91,
+        0x39, 0xdd, 0xd7, 0xf7, 0x69, 0x66, 0xe9, 0x28,
+        0xe6, 0x35, 0x55, 0x3b, 0xa7, 0x6c, 0x5c, 0x87,
+        0x9d, 0x7b, 0x35, 0xd4, 0x9e, 0xb2, 0xe6, 0x2b,
+        0x08, 0x71, 0xcd, 0xac, 0x63, 0x89, 0x39, 0xe2,
+        0x5e, 0x8a, 0x1e, 0x0e, 0xf9, 0xd5, 0x28, 0x0f,
+        0xa8, 0xca, 0x32, 0x8b, 0x35, 0x1c, 0x3c, 0x76,
+        0x59, 0x89, 0xcb, 0xcf, 0x3d, 0xaa, 0x8b, 0x6c,
+        0xcc, 0x3a, 0xaf, 0x9f, 0x39, 0x79, 0xc9, 0x2b,
+        0x37, 0x20, 0xfc, 0x88, 0xdc, 0x95, 0xed, 0x84,
+        0xa1, 0xbe, 0x05, 0x9c, 0x64, 0x99, 0xb9, 0xfd,
+        0xa2, 0x36, 0xe7, 0xe8, 0x18, 0xb0, 0x4b, 0x0b,
+        0xc3, 0x9c, 0x1e, 0x87, 0x6b, 0x19, 0x3b, 0xfe,
+        0x55, 0x69, 0x75, 0x3f, 0x88, 0x12, 0x8c, 0xc0,
+        0x8a, 0xaa, 0x9b, 0x63, 0xd1, 0xa1, 0x6f, 0x80,
+        0xef, 0x25, 0x54, 0xd7, 0x18, 0x9c, 0x41, 0x1f,
+        0x58, 0x69, 0xca, 0x52, 0xc5, 0xb8, 0x3f, 0xa3,
+        0x6f, 0xf2, 0x16, 0xb9, 0xc1, 0xd3, 0x00, 0x62,
+        0xbe, 0xbc, 0xfd, 0x2d, 0xc5, 0xbc, 0xe0, 0x91,
+        0x19, 0x34, 0xfd, 0xa7, 0x9a, 0x86, 0xf6, 0xe6,
+        0x98, 0xce, 0xd7, 0x59, 0xc3, 0xff, 0x9b, 0x64,
+        0x77, 0x33, 0x8f, 0x3d, 0xa4, 0xf9, 0xcd, 0x85,
+        0x14, 0xea, 0x99, 0x82, 0xcc, 0xaf, 0xb3, 0x41,
+        0xb2, 0x38, 0x4d, 0xd9, 0x02, 0xf3, 0xd1, 0xab,
+        0x7a, 0xc6, 0x1d, 0xd2, 0x9c, 0x6f, 0x21, 0xba,
+        0x5b, 0x86, 0x2f, 0x37, 0x30, 0xe3, 0x7c, 0xfd,
+        0xc4, 0xfd, 0x80, 0x6c, 0x22, 0xf2, 0x21
+    }
+};
+
+static const size_t test_lengths[2] =
+{
+    64U,
+    375U
+};
+
+#define ASSERT( cond, args )            \
+    do                                  \
+    {                                   \
+        if( ! ( cond ) )                \
+        {                               \
+            if( verbose != 0 )          \
+                mbedtls_printf args;    \
+                                        \
+            return( -1 );               \
+        }                               \
+    }                                   \
+    while( 0 )
+
+int mbedtls_chacha20_self_test( int verbose )
+{
+    unsigned char output[381];
+    unsigned i;
+    int ret;
+
+    for( i = 0U; i < 2U; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  ChaCha20 test %u ", i );
+
+        ret = mbedtls_chacha20_crypt( test_keys[i],
+                                      test_nonces[i],
+                                      test_counters[i],
+                                      test_lengths[i],
+                                      test_input[i],
+                                      output );
+
+        ASSERT( 0 == ret, ( "error code: %i\n", ret ) );
+
+        ASSERT( 0 == memcmp( output, test_output[i], test_lengths[i] ),
+                ( "failed (output)\n" ) );
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* !MBEDTLS_CHACHA20_C */
diff --git a/3rdparty/mbedtls/mbedtls/library/chachapoly.c b/3rdparty/mbedtls/mbedtls/library/chachapoly.c
new file mode 100644
index 0000000000..dc643dd618
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/library/chachapoly.c
@@ -0,0 +1,540 @@
+/**
+ * \file chachapoly.c
+ *
+ * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+
+#include "mbedtls/chachapoly.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_CHACHAPOLY_ALT)
+
+/* Parameter validation macros */
+#define CHACHAPOLY_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA )
+#define CHACHAPOLY_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define CHACHAPOLY_STATE_INIT       ( 0 )
+#define CHACHAPOLY_STATE_AAD        ( 1 )
+#define CHACHAPOLY_STATE_CIPHERTEXT ( 2 ) /* Encrypting or decrypting */
+#define CHACHAPOLY_STATE_FINISHED   ( 3 )
+
+/**
+ * \brief           Adds nul bytes to pad the AAD for Poly1305.
+ *
+ * \param ctx       The ChaCha20-Poly1305 context.
+ */
+static int chachapoly_pad_aad( mbedtls_chachapoly_context *ctx )
+{
+    uint32_t partial_block_len = (uint32_t) ( ctx->aad_len % 16U );
+    unsigned char zeroes[15];
+
+    if( partial_block_len == 0U )
+        return( 0 );
+
+    memset( zeroes, 0, sizeof( zeroes ) );
+
+    return( mbedtls_poly1305_update( &ctx->poly1305_ctx,
+                                     zeroes,
+                                     16U - partial_block_len ) );
+}
+
+/**
+ * \brief           Adds nul bytes to pad the ciphertext for Poly1305.
+ *
+ * \param ctx       The ChaCha20-Poly1305 context.
+ */
+static int chachapoly_pad_ciphertext( mbedtls_chachapoly_context *ctx )
+{
+    uint32_t partial_block_len = (uint32_t) ( ctx->ciphertext_len % 16U );
+    unsigned char zeroes[15];
+
+    if( partial_block_len == 0U )
+        return( 0 );
+
+    memset( zeroes, 0, sizeof( zeroes ) );
+    return( mbedtls_poly1305_update( &ctx->poly1305_ctx,
+                                     zeroes,
+                                     16U - partial_block_len ) );
+}
+
+void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx )
+{
+    CHACHAPOLY_VALIDATE( ctx != NULL );
+
+    mbedtls_chacha20_init( &ctx->chacha20_ctx );
+    mbedtls_poly1305_init( &ctx->poly1305_ctx );
+    ctx->aad_len        = 0U;
+    ctx->ciphertext_len = 0U;
+    ctx->state          = CHACHAPOLY_STATE_INIT;
+    ctx->mode           = MBEDTLS_CHACHAPOLY_ENCRYPT;
+}
+
+void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_chacha20_free( &ctx->chacha20_ctx );
+    mbedtls_poly1305_free( &ctx->poly1305_ctx );
+    ctx->aad_len        = 0U;
+    ctx->ciphertext_len = 0U;
+    ctx->state          = CHACHAPOLY_STATE_INIT;
+    ctx->mode           = MBEDTLS_CHACHAPOLY_ENCRYPT;
+}
+
+int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,
+                               const unsigned char key[32] )
+{
+    int ret;
+    CHACHAPOLY_VALIDATE_RET( ctx != NULL );
+    CHACHAPOLY_VALIDATE_RET( key != NULL );
+
+    ret = mbedtls_chacha20_setkey( &ctx->chacha20_ctx, key );
+
+    return( ret );
+}
+
+int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
+                               const unsigned char nonce[12],
+                               mbedtls_chachapoly_mode_t mode  )
+{
+    int ret;
+    unsigned char poly1305_key[64];
+    CHACHAPOLY_VALIDATE_RET( ctx != NULL );
+    CHACHAPOLY_VALIDATE_RET( nonce != NULL );
+
+    /* Set counter = 0, will be update to 1 when generating Poly1305 key */
+    ret = mbedtls_chacha20_starts( &ctx->chacha20_ctx, nonce, 0U );
+    if( ret != 0 )
+        goto cleanup;
+
+    /* Generate the Poly1305 key by getting the ChaCha20 keystream output with
+     * counter = 0.  This is the same as encrypting a buffer of zeroes.
+     * Only the first 256-bits (32 bytes) of the key is used for Poly1305.
+     * The other 256 bits are discarded.
+     */
+    memset( poly1305_key, 0, sizeof( poly1305_key ) );
+    ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, sizeof( poly1305_key ),
+                                      poly1305_key, poly1305_key );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_poly1305_starts( &ctx->poly1305_ctx, poly1305_key );
+
+    if( ret == 0 )
+    {
+        ctx->aad_len        = 0U;
+        ctx->ciphertext_len = 0U;
+        ctx->state          = CHACHAPOLY_STATE_AAD;
+        ctx->mode           = mode;
+    }
+
+cleanup:
+    mbedtls_platform_zeroize( poly1305_key, 64U );
+    return( ret );
+}
+
+int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx,
+                                   const unsigned char *aad,
+                                   size_t aad_len )
+{
+    CHACHAPOLY_VALIDATE_RET( ctx != NULL );
+    CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad != NULL );
+
+    if( ctx->state != CHACHAPOLY_STATE_AAD )
+        return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+
+    ctx->aad_len += aad_len;
+
+    return( mbedtls_poly1305_update( &ctx->poly1305_ctx, aad, aad_len ) );
+}
+
+int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
+                               size_t len,
+                               const unsigned char *input,
+                               unsigned char *output )
+{
+    int ret;
+    CHACHAPOLY_VALIDATE_RET( ctx != NULL );
+    CHACHAPOLY_VALIDATE_RET( len == 0 || input != NULL );
+    CHACHAPOLY_VALIDATE_RET( len == 0 || output != NULL );
+
+    if( ( ctx->state != CHACHAPOLY_STATE_AAD ) &&
+        ( ctx->state != CHACHAPOLY_STATE_CIPHERTEXT ) )
+    {
+        return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+    }
+
+    if( ctx->state == CHACHAPOLY_STATE_AAD )
+    {
+        ctx->state = CHACHAPOLY_STATE_CIPHERTEXT;
+
+        ret = chachapoly_pad_aad( ctx );
+        if( ret != 0 )
+            return( ret );
+    }
+
+    ctx->ciphertext_len += len;
+
+    if( ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT )
+    {
+        ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output );
+        if( ret != 0 )
+            return( ret );
+
+        ret = mbedtls_poly1305_update( &ctx->poly1305_ctx, output, len );
+        if( ret != 0 )
+            return( ret );
+    }
+    else /* DECRYPT */
+    {
+        ret = mbedtls_poly1305_update( &ctx->poly1305_ctx, input, len );
+        if( ret != 0 )
+            return( ret );
+
+        ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output );
+        if( ret != 0 )
+            return( ret );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
+                               unsigned char mac[16] )
+{
+    int ret;
+    unsigned char len_block[16];
+    CHACHAPOLY_VALIDATE_RET( ctx != NULL );
+    CHACHAPOLY_VALIDATE_RET( mac != NULL );
+
+    if( ctx->state == CHACHAPOLY_STATE_INIT )
+    {
+        return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+    }
+
+    if( ctx->state == CHACHAPOLY_STATE_AAD )
+    {
+        ret = chachapoly_pad_aad( ctx );
+        if( ret != 0 )
+            return( ret );
+    }
+    else if( ctx->state == CHACHAPOLY_STATE_CIPHERTEXT )
+    {
+        ret = chachapoly_pad_ciphertext( ctx );
+        if( ret != 0 )
+            return( ret );
+    }
+
+    ctx->state = CHACHAPOLY_STATE_FINISHED;
+
+    /* The lengths of the AAD and ciphertext are processed by
+     * Poly1305 as the final 128-bit block, encoded as little-endian integers.
+     */
+    len_block[ 0] = (unsigned char)( ctx->aad_len       );
+    len_block[ 1] = (unsigned char)( ctx->aad_len >>  8 );
+    len_block[ 2] = (unsigned char)( ctx->aad_len >> 16 );
+    len_block[ 3] = (unsigned char)( ctx->aad_len >> 24 );
+    len_block[ 4] = (unsigned char)( ctx->aad_len >> 32 );
+    len_block[ 5] = (unsigned char)( ctx->aad_len >> 40 );
+    len_block[ 6] = (unsigned char)( ctx->aad_len >> 48 );
+    len_block[ 7] = (unsigned char)( ctx->aad_len >> 56 );
+    len_block[ 8] = (unsigned char)( ctx->ciphertext_len       );
+    len_block[ 9] = (unsigned char)( ctx->ciphertext_len >>  8 );
+    len_block[10] = (unsigned char)( ctx->ciphertext_len >> 16 );
+    len_block[11] = (unsigned char)( ctx->ciphertext_len >> 24 );
+    len_block[12] = (unsigned char)( ctx->ciphertext_len >> 32 );
+    len_block[13] = (unsigned char)( ctx->ciphertext_len >> 40 );
+    len_block[14] = (unsigned char)( ctx->ciphertext_len >> 48 );
+    len_block[15] = (unsigned char)( ctx->ciphertext_len >> 56 );
+
+    ret = mbedtls_poly1305_update( &ctx->poly1305_ctx, len_block, 16U );
+    if( ret != 0 )
+        return( ret );
+
+    ret = mbedtls_poly1305_finish( &ctx->poly1305_ctx, mac );
+
+    return( ret );
+}
+
+static int chachapoly_crypt_and_tag( mbedtls_chachapoly_context *ctx,
+                                     mbedtls_chachapoly_mode_t mode,
+                                     size_t length,
+                                     const unsigned char nonce[12],
+                                     const unsigned char *aad,
+                                     size_t aad_len,
+                                     const unsigned char *input,
+                                     unsigned char *output,
+                                     unsigned char tag[16] )
+{
+    int ret;
+
+    ret = mbedtls_chachapoly_starts( ctx, nonce, mode );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_chachapoly_update_aad( ctx, aad, aad_len );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_chachapoly_update( ctx, length, input, output );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_chachapoly_finish( ctx, tag );
+
+cleanup:
+    return( ret );
+}
+
+int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
+                                        size_t length,
+                                        const unsigned char nonce[12],
+                                        const unsigned char *aad,
+                                        size_t aad_len,
+                                        const unsigned char *input,
+                                        unsigned char *output,
+                                        unsigned char tag[16] )
+{
+    CHACHAPOLY_VALIDATE_RET( ctx   != NULL );
+    CHACHAPOLY_VALIDATE_RET( nonce != NULL );
+    CHACHAPOLY_VALIDATE_RET( tag   != NULL );
+    CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad    != NULL );
+    CHACHAPOLY_VALIDATE_RET( length  == 0 || input  != NULL );
+    CHACHAPOLY_VALIDATE_RET( length  == 0 || output != NULL );
+
+    return( chachapoly_crypt_and_tag( ctx, MBEDTLS_CHACHAPOLY_ENCRYPT,
+                                      length, nonce, aad, aad_len,
+                                      input, output, tag ) );
+}
+
+int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
+                                     size_t length,
+                                     const unsigned char nonce[12],
+                                     const unsigned char *aad,
+                                     size_t aad_len,
+                                     const unsigned char tag[16],
+                                     const unsigned char *input,
+                                     unsigned char *output )
+{
+    int ret;
+    unsigned char check_tag[16];
+    size_t i;
+    int diff;
+    CHACHAPOLY_VALIDATE_RET( ctx   != NULL );
+    CHACHAPOLY_VALIDATE_RET( nonce != NULL );
+    CHACHAPOLY_VALIDATE_RET( tag   != NULL );
+    CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad    != NULL );
+    CHACHAPOLY_VALIDATE_RET( length  == 0 || input  != NULL );
+    CHACHAPOLY_VALIDATE_RET( length  == 0 || output != NULL );
+
+    if( ( ret = chachapoly_crypt_and_tag( ctx,
+                        MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,
+                        aad, aad_len, input, output, check_tag ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* Check tag in "constant-time" */
+    for( diff = 0, i = 0; i < sizeof( check_tag ); i++ )
+        diff |= tag[i] ^ check_tag[i];
+
+    if( diff != 0 )
+    {
+        mbedtls_platform_zeroize( output, length );
+        return( MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED );
+    }
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_CHACHAPOLY_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_key[1][32] =
+{
+    {
+        0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+        0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+        0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+        0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
+    }
+};
+
+static const unsigned char test_nonce[1][12] =
+{
+    {
+        0x07, 0x00, 0x00, 0x00,                         /* 32-bit common part */
+        0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47  /* 64-bit IV */
+    }
+};
+
+static const unsigned char test_aad[1][12] =
+{
+    {
+        0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
+        0xc4, 0xc5, 0xc6, 0xc7
+    }
+};
+
+static const size_t test_aad_len[1] =
+{
+    12U
+};
+
+static const unsigned char test_input[1][114] =
+{
+    {
+        0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
+        0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
+        0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
+        0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
+        0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
+        0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
+        0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
+        0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
+        0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
+        0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
+        0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
+        0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
+        0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
+        0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
+        0x74, 0x2e
+    }
+};
+
+static const unsigned char test_output[1][114] =
+{
+    {
+        0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
+        0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
+        0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
+        0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
+        0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
+        0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
+        0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
+        0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
+        0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
+        0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
+        0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
+        0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
+        0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
+        0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
+        0x61, 0x16
+    }
+};
+
+static const size_t test_input_len[1] =
+{
+    114U
+};
+
+static const unsigned char test_mac[1][16] =
+{
+    {
+        0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
+        0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
+    }
+};
+
+#define ASSERT( cond, args )            \
+    do                                  \
+    {                                   \
+        if( ! ( cond ) )                \
+        {                               \
+            if( verbose != 0 )          \
+                mbedtls_printf args;    \
+                                        \
+            return( -1 );               \
+        }                               \
+    }                                   \
+    while( 0 )
+
+int mbedtls_chachapoly_self_test( int verbose )
+{
+    mbedtls_chachapoly_context ctx;
+    unsigned i;
+    int ret;
+    unsigned char output[200];
+    unsigned char mac[16];
+
+    for( i = 0U; i < 1U; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  ChaCha20-Poly1305 test %u ", i );
+
+        mbedtls_chachapoly_init( &ctx );
+
+        ret = mbedtls_chachapoly_setkey( &ctx, test_key[i] );
+        ASSERT( 0 == ret, ( "setkey() error code: %i\n", ret ) );
+
+        ret = mbedtls_chachapoly_encrypt_and_tag( &ctx,
+                                                  test_input_len[i],
+                                                  test_nonce[i],
+                                                  test_aad[i],
+                                                  test_aad_len[i],
+                                                  test_input[i],
+                                                  output,
+                                                  mac );
+
+        ASSERT( 0 == ret, ( "crypt_and_tag() error code: %i\n", ret ) );
+
+        ASSERT( 0 == memcmp( output, test_output[i], test_input_len[i] ),
+                ( "failure (wrong output)\n" ) );
+
+        ASSERT( 0 == memcmp( mac, test_mac[i], 16U ),
+                ( "failure (wrong MAC)\n" ) );
+
+        mbedtls_chachapoly_free( &ctx );
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CHACHAPOLY_C */
diff --git a/3rdparty/mbedtls/mbedtls/library/cipher.c b/3rdparty/mbedtls/mbedtls/library/cipher.c
index bd39e4f097..273997577b 100644
--- a/3rdparty/mbedtls/mbedtls/library/cipher.c
+++ b/3rdparty/mbedtls/mbedtls/library/cipher.c
@@ -33,10 +33,15 @@
 
 #include "mbedtls/cipher.h"
 #include "mbedtls/cipher_internal.h"
+#include "mbedtls/platform_util.h"
 
 #include <stdlib.h>
 #include <string.h>
 
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
 #if defined(MBEDTLS_GCM_C)
 #include "mbedtls/gcm.h"
 #endif
@@ -45,6 +50,10 @@
 #include "mbedtls/ccm.h"
 #endif
 
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
 #if defined(MBEDTLS_CMAC_C)
 #include "mbedtls/cmac.h"
 #endif
@@ -56,10 +65,30 @@
 #define mbedtls_free   free
 #endif
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
+#define CIPHER_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA )
+#define CIPHER_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+/* Compare the contents of two buffers in constant time.
+ * Returns 0 if the contents are bitwise identical, otherwise returns
+ * a non-zero value.
+ * This is currently only used by GCM and ChaCha20+Poly1305.
+ */
+static int mbedtls_constant_time_memcmp( const void *v1, const void *v2, size_t len )
+{
+    const unsigned char *p1 = (const unsigned char*) v1;
+    const unsigned char *p2 = (const unsigned char*) v2;
+    size_t i;
+    unsigned char diff;
+
+    for( diff = 0, i = 0; i < len; i++ )
+        diff |= p1[i] ^ p2[i];
+
+    return( (int)diff );
 }
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
 
 static int supported_init = 0;
 
@@ -126,6 +155,7 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_ciph
 
 void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
 {
+    CIPHER_VALIDATE( ctx != NULL );
     memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
 }
 
@@ -137,7 +167,8 @@ void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
 #if defined(MBEDTLS_CMAC_C)
     if( ctx->cmac_ctx )
     {
-       mbedtls_zeroize( ctx->cmac_ctx, sizeof( mbedtls_cmac_context_t ) );
+       mbedtls_platform_zeroize( ctx->cmac_ctx,
+                                 sizeof( mbedtls_cmac_context_t ) );
        mbedtls_free( ctx->cmac_ctx );
     }
 #endif
@@ -145,12 +176,13 @@ void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
     if( ctx->cipher_ctx )
         ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
 
-    mbedtls_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
+    mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
 }
 
 int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info )
 {
-    if( NULL == cipher_info || NULL == ctx )
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    if( cipher_info == NULL )
         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 
     memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
@@ -174,10 +206,16 @@ int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_in
     return( 0 );
 }
 
-int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *key,
-        int key_bitlen, const mbedtls_operation_t operation )
+int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
+                           const unsigned char *key,
+                           int key_bitlen,
+                           const mbedtls_operation_t operation )
 {
-    if( NULL == ctx || NULL == ctx->cipher_info )
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( key != NULL );
+    CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT ||
+                         operation == MBEDTLS_DECRYPT );
+    if( ctx->cipher_info == NULL )
         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 
     if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
@@ -190,34 +228,34 @@ int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *k
     ctx->operation = operation;
 
     /*
-     * For CFB and CTR mode always use the encryption key schedule
+     * For OFB, CFB and CTR mode always use the encryption key schedule
      */
     if( MBEDTLS_ENCRYPT == operation ||
         MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
         MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
     {
-        return ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
-                ctx->key_bitlen );
+        return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
+                                                         ctx->key_bitlen ) );
     }
 
     if( MBEDTLS_DECRYPT == operation )
-        return ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
-                ctx->key_bitlen );
+        return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
+                                                         ctx->key_bitlen ) );
 
     return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 }
 
 int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
-                   const unsigned char *iv, size_t iv_len )
+                           const unsigned char *iv,
+                           size_t iv_len )
 {
     size_t actual_iv_size;
-    if( NULL == ctx || NULL == ctx->cipher_info )
-        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
-    else if( NULL == iv && iv_len != 0  )
-        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 
-    if( NULL == iv && iv_len == 0 )
-        ctx->iv_size = 0;
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 
     /* avoid buffer overflow in ctx->iv */
     if( iv_len > MBEDTLS_MAX_IV_LENGTH )
@@ -233,6 +271,19 @@ int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
         if( actual_iv_size > iv_len )
             return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
     }
+
+#if defined(MBEDTLS_CHACHA20_C)
+    if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 )
+    {
+        if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx,
+                                           iv,
+                                           0U ) ) /* Initial counter value */
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+    }
+#endif
+
     if ( actual_iv_size != 0 )
     {
         memcpy( ctx->iv, iv, actual_iv_size );
@@ -244,7 +295,8 @@ int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
 
 int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
 {
-    if( NULL == ctx || NULL == ctx->cipher_info )
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    if( ctx->cipher_info == NULL )
         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 
     ctx->unprocessed_len = 0;
@@ -252,33 +304,60 @@ int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
     return( 0 );
 }
 
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
 int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
                       const unsigned char *ad, size_t ad_len )
 {
-    if( NULL == ctx || NULL == ctx->cipher_info )
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
+    if( ctx->cipher_info == NULL )
         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 
+#if defined(MBEDTLS_GCM_C)
     if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
     {
-        return mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
-                           ctx->iv, ctx->iv_size, ad, ad_len );
+        return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
+                                    ctx->iv, ctx->iv_size, ad, ad_len ) );
+    }
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+    {
+        int result;
+        mbedtls_chachapoly_mode_t mode;
+
+        mode = ( ctx->operation == MBEDTLS_ENCRYPT )
+                ? MBEDTLS_CHACHAPOLY_ENCRYPT
+                : MBEDTLS_CHACHAPOLY_DECRYPT;
+
+        result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+                                                        ctx->iv,
+                                                        mode );
+        if ( result != 0 )
+            return( result );
+
+        return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+                                               ad, ad_len ) );
     }
+#endif
 
     return( 0 );
 }
-#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
 
 int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
                    size_t ilen, unsigned char *output, size_t *olen )
 {
     int ret;
-    size_t block_size = 0;
+    size_t block_size;
 
-    if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen )
-    {
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
+    CIPHER_VALIDATE_RET( output != NULL );
+    CIPHER_VALIDATE_RET( olen != NULL );
+    if( ctx->cipher_info == NULL )
         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
-    }
 
     *olen = 0;
     block_size = mbedtls_cipher_get_block_size( ctx );
@@ -303,14 +382,23 @@ int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *i
     if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
     {
         *olen = ilen;
-        return mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
-                           output );
+        return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
+                                    output ) );
+    }
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
+    {
+        *olen = ilen;
+        return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+                                           ilen, input, output ) );
     }
 #endif
 
     if ( 0 == block_size )
     {
-        return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
+        return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
     }
 
     if( input == output &&
@@ -373,7 +461,7 @@ int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *i
         {
             if( 0 == block_size )
             {
-                return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
+                return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
             }
 
             /* Encryption: only cache partial blocks
@@ -429,6 +517,21 @@ int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *i
     }
 #endif /* MBEDTLS_CIPHER_MODE_CFB */
 
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB )
+    {
+        if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx,
+                ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) )
+        {
+            return( ret );
+        }
+
+        *olen = ilen;
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
     {
@@ -445,6 +548,27 @@ int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *i
     }
 #endif /* MBEDTLS_CIPHER_MODE_CTR */
 
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS )
+    {
+        if( ctx->unprocessed_len > 0 ) {
+            /* We can only process an entire data unit at a time. */
+            return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+        }
+
+        ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx,
+                ctx->operation, ilen, ctx->iv, input, output );
+        if( ret != 0 )
+        {
+            return( ret );
+        }
+
+        *olen = ilen;
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
     if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
     {
@@ -638,19 +762,30 @@ static int get_no_padding( unsigned char *input, size_t input_len,
 int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
                    unsigned char *output, size_t *olen )
 {
-    if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen )
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( output != NULL );
+    CIPHER_VALIDATE_RET( olen != NULL );
+    if( ctx->cipher_info == NULL )
         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 
     *olen = 0;
 
     if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
         MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
         MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
         MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
     {
         return( 0 );
     }
 
+    if ( ( MBEDTLS_CIPHER_CHACHA20          == ctx->cipher_info->type ) ||
+         ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
+    {
+        return( 0 );
+    }
+
     if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
     {
         if( ctx->unprocessed_len != 0 )
@@ -700,8 +835,8 @@ int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
 
         /* Set output size for decryption */
         if( MBEDTLS_DECRYPT == ctx->operation )
-            return ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
-                                     olen );
+            return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
+                                      olen ) );
 
         /* Set output size for encryption */
         *olen = mbedtls_cipher_get_block_size( ctx );
@@ -715,10 +850,12 @@ int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
 }
 
 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
-int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode )
+int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
+                                     mbedtls_cipher_padding_t mode )
 {
-    if( NULL == ctx ||
-        MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
+    CIPHER_VALIDATE_RET( ctx != NULL );
+
+    if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
     {
         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
     }
@@ -762,18 +899,35 @@ int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_ciph
 }
 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
 
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
 int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
                       unsigned char *tag, size_t tag_len )
 {
-    if( NULL == ctx || NULL == ctx->cipher_info || NULL == tag )
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
+    if( ctx->cipher_info == NULL )
         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 
     if( MBEDTLS_ENCRYPT != ctx->operation )
         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 
+#if defined(MBEDTLS_GCM_C)
     if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
-        return mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx, tag, tag_len );
+        return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
+                                    tag, tag_len ) );
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+    {
+        /* Don't allow truncated MAC for Poly1305 */
+        if ( tag_len != 16U )
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+        return( mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+                                           tag ) );
+    }
+#endif
 
     return( 0 );
 }
@@ -781,20 +935,22 @@ int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
                       const unsigned char *tag, size_t tag_len )
 {
+    unsigned char check_tag[16];
     int ret;
 
-    if( NULL == ctx || NULL == ctx->cipher_info ||
-        MBEDTLS_DECRYPT != ctx->operation )
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( MBEDTLS_DECRYPT != ctx->operation )
     {
         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
     }
 
+#if defined(MBEDTLS_GCM_C)
     if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
     {
-        unsigned char check_tag[16];
-        size_t i;
-        int diff;
-
         if( tag_len > sizeof( check_tag ) )
             return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 
@@ -805,18 +961,38 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
         }
 
         /* Check the tag in "constant-time" */
-        for( diff = 0, i = 0; i < tag_len; i++ )
-            diff |= tag[i] ^ check_tag[i];
+        if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
+            return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+    {
+        /* Don't allow truncated MAC for Poly1305 */
+        if ( tag_len != sizeof( check_tag ) )
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 
-        if( diff != 0 )
+        ret = mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+                                                     check_tag );
+        if ( ret != 0 )
+        {
+            return( ret );
+        }
+
+        /* Check the tag in "constant-time" */
+        if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
             return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
 
         return( 0 );
     }
+#endif /* MBEDTLS_CHACHAPOLY_C */
 
     return( 0 );
 }
-#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
 
 /*
  * Packet-oriented wrapper for non-AEAD modes
@@ -829,6 +1005,12 @@ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
     int ret;
     size_t finish_olen;
 
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
+    CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
+    CIPHER_VALIDATE_RET( output != NULL );
+    CIPHER_VALIDATE_RET( olen != NULL );
+
     if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
         return( ret );
 
@@ -857,6 +1039,14 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
                          unsigned char *output, size_t *olen,
                          unsigned char *tag, size_t tag_len )
 {
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( iv != NULL );
+    CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
+    CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
+    CIPHER_VALIDATE_RET( output != NULL );
+    CIPHER_VALIDATE_RET( olen != NULL );
+    CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
+
 #if defined(MBEDTLS_GCM_C)
     if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
     {
@@ -875,6 +1065,21 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
                                      tag, tag_len ) );
     }
 #endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+    {
+        /* ChachaPoly has fixed length nonce and MAC (tag) */
+        if ( ( iv_len != ctx->cipher_info->iv_size ) ||
+             ( tag_len != 16U ) )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        *olen = ilen;
+        return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
+                                ilen, iv, ad, ad_len, input, output, tag ) );
+    }
+#endif /* MBEDTLS_CHACHAPOLY_C */
 
     return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
 }
@@ -889,6 +1094,14 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
                          unsigned char *output, size_t *olen,
                          const unsigned char *tag, size_t tag_len )
 {
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( iv != NULL );
+    CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
+    CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
+    CIPHER_VALIDATE_RET( output != NULL );
+    CIPHER_VALIDATE_RET( olen != NULL );
+    CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
+
 #if defined(MBEDTLS_GCM_C)
     if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
     {
@@ -921,6 +1134,28 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
         return( ret );
     }
 #endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+    {
+        int ret;
+
+        /* ChachaPoly has fixed length nonce and MAC (tag) */
+        if ( ( iv_len != ctx->cipher_info->iv_size ) ||
+             ( tag_len != 16U ) )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        *olen = ilen;
+        ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen,
+                                iv, ad, ad_len, tag, input, output );
+
+        if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED )
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+
+        return( ret );
+    }
+#endif /* MBEDTLS_CHACHAPOLY_C */
 
     return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
 }
diff --git a/3rdparty/mbedtls/mbedtls/library/cipher_wrap.c b/3rdparty/mbedtls/mbedtls/library/cipher_wrap.c
index dbc5d3fe48..6dd8c5d3a9 100644
--- a/3rdparty/mbedtls/mbedtls/library/cipher_wrap.c
+++ b/3rdparty/mbedtls/mbedtls/library/cipher_wrap.c
@@ -33,6 +33,10 @@
 
 #include "mbedtls/cipher_internal.h"
 
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
 #if defined(MBEDTLS_AES_C)
 #include "mbedtls/aes.h"
 #endif
@@ -45,6 +49,10 @@
 #include "mbedtls/camellia.h"
 #endif
 
+#if defined(MBEDTLS_ARIA_C)
+#include "mbedtls/aria.h"
+#endif
+
 #if defined(MBEDTLS_DES_C)
 #include "mbedtls/des.h"
 #endif
@@ -53,6 +61,10 @@
 #include "mbedtls/blowfish.h"
 #endif
 
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
 #if defined(MBEDTLS_GCM_C)
 #include "mbedtls/gcm.h"
 #endif
@@ -138,6 +150,15 @@ static int aes_crypt_cfb128_wrap( void *ctx, mbedtls_operation_t operation,
 }
 #endif /* MBEDTLS_CIPHER_MODE_CFB */
 
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+static int aes_crypt_ofb_wrap( void *ctx, size_t length, size_t *iv_off,
+        unsigned char *iv, const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aes_crypt_ofb( (mbedtls_aes_context *) ctx, length, iv_off,
+                                    iv, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
 static int aes_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off,
         unsigned char *nonce_counter, unsigned char *stream_block,
@@ -148,6 +169,33 @@ static int aes_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off,
 }
 #endif /* MBEDTLS_CIPHER_MODE_CTR */
 
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int aes_crypt_xts_wrap( void *ctx, mbedtls_operation_t operation,
+                               size_t length,
+                               const unsigned char data_unit[16],
+                               const unsigned char *input,
+                               unsigned char *output )
+{
+    mbedtls_aes_xts_context *xts_ctx = ctx;
+    int mode;
+
+    switch( operation )
+    {
+        case MBEDTLS_ENCRYPT:
+            mode = MBEDTLS_AES_ENCRYPT;
+            break;
+        case MBEDTLS_DECRYPT:
+            mode = MBEDTLS_AES_DECRYPT;
+            break;
+        default:
+            return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+    }
+
+    return mbedtls_aes_crypt_xts( xts_ctx, mode, length,
+                                  data_unit, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
 static int aes_setkey_dec_wrap( void *ctx, const unsigned char *key,
                                 unsigned int key_bitlen )
 {
@@ -187,9 +235,15 @@ static const mbedtls_cipher_base_t aes_info = {
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
     aes_crypt_cfb128_wrap,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    aes_crypt_ofb_wrap,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     aes_crypt_ctr_wrap,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
     NULL,
 #endif
@@ -302,6 +356,41 @@ static const mbedtls_cipher_info_t aes_256_cfb128_info = {
 };
 #endif /* MBEDTLS_CIPHER_MODE_CFB */
 
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+static const mbedtls_cipher_info_t aes_128_ofb_info = {
+    MBEDTLS_CIPHER_AES_128_OFB,
+    MBEDTLS_MODE_OFB,
+    128,
+    "AES-128-OFB",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_ofb_info = {
+    MBEDTLS_CIPHER_AES_192_OFB,
+    MBEDTLS_MODE_OFB,
+    192,
+    "AES-192-OFB",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_ofb_info = {
+    MBEDTLS_CIPHER_AES_256_OFB,
+    MBEDTLS_MODE_OFB,
+    256,
+    "AES-256-OFB",
+    16,
+    0,
+    16,
+    &aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
 static const mbedtls_cipher_info_t aes_128_ctr_info = {
     MBEDTLS_CIPHER_AES_128_CTR,
@@ -337,6 +426,92 @@ static const mbedtls_cipher_info_t aes_256_ctr_info = {
 };
 #endif /* MBEDTLS_CIPHER_MODE_CTR */
 
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int xts_aes_setkey_enc_wrap( void *ctx, const unsigned char *key,
+                                    unsigned int key_bitlen )
+{
+    mbedtls_aes_xts_context *xts_ctx = ctx;
+    return( mbedtls_aes_xts_setkey_enc( xts_ctx, key, key_bitlen ) );
+}
+
+static int xts_aes_setkey_dec_wrap( void *ctx, const unsigned char *key,
+                                    unsigned int key_bitlen )
+{
+    mbedtls_aes_xts_context *xts_ctx = ctx;
+    return( mbedtls_aes_xts_setkey_dec( xts_ctx, key, key_bitlen ) );
+}
+
+static void *xts_aes_ctx_alloc( void )
+{
+    mbedtls_aes_xts_context *xts_ctx = mbedtls_calloc( 1, sizeof( *xts_ctx ) );
+
+    if( xts_ctx != NULL )
+        mbedtls_aes_xts_init( xts_ctx );
+
+    return( xts_ctx );
+}
+
+static void xts_aes_ctx_free( void *ctx )
+{
+    mbedtls_aes_xts_context *xts_ctx = ctx;
+
+    if( xts_ctx == NULL )
+        return;
+
+    mbedtls_aes_xts_free( xts_ctx );
+    mbedtls_free( xts_ctx );
+}
+
+static const mbedtls_cipher_base_t xts_aes_info = {
+    MBEDTLS_CIPHER_ID_AES,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    aes_crypt_xts_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    xts_aes_setkey_enc_wrap,
+    xts_aes_setkey_dec_wrap,
+    xts_aes_ctx_alloc,
+    xts_aes_ctx_free
+};
+
+static const mbedtls_cipher_info_t aes_128_xts_info = {
+    MBEDTLS_CIPHER_AES_128_XTS,
+    MBEDTLS_MODE_XTS,
+    256,
+    "AES-128-XTS",
+    16,
+    0,
+    16,
+    &xts_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_xts_info = {
+    MBEDTLS_CIPHER_AES_256_XTS,
+    MBEDTLS_MODE_XTS,
+    512,
+    "AES-256-XTS",
+    16,
+    0,
+    16,
+    &xts_aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
 #if defined(MBEDTLS_GCM_C)
 static int gcm_aes_setkey_wrap( void *ctx, const unsigned char *key,
                                 unsigned int key_bitlen )
@@ -354,9 +529,15 @@ static const mbedtls_cipher_base_t gcm_aes_info = {
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
     NULL,
 #endif
@@ -417,9 +598,15 @@ static const mbedtls_cipher_base_t ccm_aes_info = {
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
     NULL,
 #endif
@@ -544,9 +731,15 @@ static const mbedtls_cipher_base_t camellia_info = {
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
     camellia_crypt_cfb128_wrap,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     camellia_crypt_ctr_wrap,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
     NULL,
 #endif
@@ -711,9 +904,15 @@ static const mbedtls_cipher_base_t gcm_camellia_info = {
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
     NULL,
 #endif
@@ -774,9 +973,15 @@ static const mbedtls_cipher_base_t ccm_camellia_info = {
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
     NULL,
 #endif
@@ -822,6 +1027,382 @@ static const mbedtls_cipher_info_t camellia_256_ccm_info = {
 
 #endif /* MBEDTLS_CAMELLIA_C */
 
+#if defined(MBEDTLS_ARIA_C)
+
+static int aria_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    (void) operation;
+    return mbedtls_aria_crypt_ecb( (mbedtls_aria_context *) ctx, input,
+                               output );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int aria_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aria_crypt_cbc( (mbedtls_aria_context *) ctx, operation, length, iv,
+                               input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int aria_crypt_cfb128_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, size_t *iv_off, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aria_crypt_cfb128( (mbedtls_aria_context *) ctx, operation, length,
+                                  iv_off, iv, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int aria_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off,
+        unsigned char *nonce_counter, unsigned char *stream_block,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aria_crypt_ctr( (mbedtls_aria_context *) ctx, length, nc_off,
+                               nonce_counter, stream_block, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+static int aria_setkey_dec_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_aria_setkey_dec( (mbedtls_aria_context *) ctx, key, key_bitlen );
+}
+
+static int aria_setkey_enc_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_aria_setkey_enc( (mbedtls_aria_context *) ctx, key, key_bitlen );
+}
+
+static void * aria_ctx_alloc( void )
+{
+    mbedtls_aria_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_aria_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_aria_init( ctx );
+
+    return( ctx );
+}
+
+static void aria_ctx_free( void *ctx )
+{
+    mbedtls_aria_free( (mbedtls_aria_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t aria_info = {
+    MBEDTLS_CIPHER_ID_ARIA,
+    aria_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    aria_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    aria_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    aria_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    aria_setkey_enc_wrap,
+    aria_setkey_dec_wrap,
+    aria_ctx_alloc,
+    aria_ctx_free
+};
+
+static const mbedtls_cipher_info_t aria_128_ecb_info = {
+    MBEDTLS_CIPHER_ARIA_128_ECB,
+    MBEDTLS_MODE_ECB,
+    128,
+    "ARIA-128-ECB",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_ecb_info = {
+    MBEDTLS_CIPHER_ARIA_192_ECB,
+    MBEDTLS_MODE_ECB,
+    192,
+    "ARIA-192-ECB",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_ecb_info = {
+    MBEDTLS_CIPHER_ARIA_256_ECB,
+    MBEDTLS_MODE_ECB,
+    256,
+    "ARIA-256-ECB",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t aria_128_cbc_info = {
+    MBEDTLS_CIPHER_ARIA_128_CBC,
+    MBEDTLS_MODE_CBC,
+    128,
+    "ARIA-128-CBC",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_cbc_info = {
+    MBEDTLS_CIPHER_ARIA_192_CBC,
+    MBEDTLS_MODE_CBC,
+    192,
+    "ARIA-192-CBC",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_cbc_info = {
+    MBEDTLS_CIPHER_ARIA_256_CBC,
+    MBEDTLS_MODE_CBC,
+    256,
+    "ARIA-256-CBC",
+    16,
+    0,
+    16,
+    &aria_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t aria_128_cfb128_info = {
+    MBEDTLS_CIPHER_ARIA_128_CFB128,
+    MBEDTLS_MODE_CFB,
+    128,
+    "ARIA-128-CFB128",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_cfb128_info = {
+    MBEDTLS_CIPHER_ARIA_192_CFB128,
+    MBEDTLS_MODE_CFB,
+    192,
+    "ARIA-192-CFB128",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_cfb128_info = {
+    MBEDTLS_CIPHER_ARIA_256_CFB128,
+    MBEDTLS_MODE_CFB,
+    256,
+    "ARIA-256-CFB128",
+    16,
+    0,
+    16,
+    &aria_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t aria_128_ctr_info = {
+    MBEDTLS_CIPHER_ARIA_128_CTR,
+    MBEDTLS_MODE_CTR,
+    128,
+    "ARIA-128-CTR",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_ctr_info = {
+    MBEDTLS_CIPHER_ARIA_192_CTR,
+    MBEDTLS_MODE_CTR,
+    192,
+    "ARIA-192-CTR",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_ctr_info = {
+    MBEDTLS_CIPHER_ARIA_256_CTR,
+    MBEDTLS_MODE_CTR,
+    256,
+    "ARIA-256-CTR",
+    16,
+    0,
+    16,
+    &aria_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_GCM_C)
+static int gcm_aria_setkey_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_gcm_setkey( (mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_ARIA,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t gcm_aria_info = {
+    MBEDTLS_CIPHER_ID_ARIA,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    gcm_aria_setkey_wrap,
+    gcm_aria_setkey_wrap,
+    gcm_ctx_alloc,
+    gcm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aria_128_gcm_info = {
+    MBEDTLS_CIPHER_ARIA_128_GCM,
+    MBEDTLS_MODE_GCM,
+    128,
+    "ARIA-128-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_gcm_info = {
+    MBEDTLS_CIPHER_ARIA_192_GCM,
+    MBEDTLS_MODE_GCM,
+    192,
+    "ARIA-192-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_gcm_info = {
+    MBEDTLS_CIPHER_ARIA_256_GCM,
+    MBEDTLS_MODE_GCM,
+    256,
+    "ARIA-256-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aria_info
+};
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+static int ccm_aria_setkey_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_ccm_setkey( (mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_ARIA,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t ccm_aria_info = {
+    MBEDTLS_CIPHER_ID_ARIA,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    ccm_aria_setkey_wrap,
+    ccm_aria_setkey_wrap,
+    ccm_ctx_alloc,
+    ccm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aria_128_ccm_info = {
+    MBEDTLS_CIPHER_ARIA_128_CCM,
+    MBEDTLS_MODE_CCM,
+    128,
+    "ARIA-128-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_ccm_info = {
+    MBEDTLS_CIPHER_ARIA_192_CCM,
+    MBEDTLS_MODE_CCM,
+    192,
+    "ARIA-192-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_ccm_info = {
+    MBEDTLS_CIPHER_ARIA_256_CCM,
+    MBEDTLS_MODE_CCM,
+    256,
+    "ARIA-256-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aria_info
+};
+#endif /* MBEDTLS_CCM_C */
+
+#endif /* MBEDTLS_ARIA_C */
+
 #if defined(MBEDTLS_DES_C)
 
 static int des_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
@@ -950,9 +1531,15 @@ static const mbedtls_cipher_base_t des_info = {
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
     NULL,
 #endif
@@ -995,9 +1582,15 @@ static const mbedtls_cipher_base_t des_ede_info = {
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
     NULL,
 #endif
@@ -1040,9 +1633,15 @@ static const mbedtls_cipher_base_t des_ede3_info = {
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
     NULL,
 #endif
@@ -1149,9 +1748,15 @@ static const mbedtls_cipher_base_t blowfish_info = {
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
     blowfish_crypt_cfb64_wrap,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     blowfish_crypt_ctr_wrap,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
     NULL,
 #endif
@@ -1259,9 +1864,15 @@ static const mbedtls_cipher_base_t arc4_base_info = {
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
     arc4_crypt_stream_wrap,
 #endif
@@ -1283,6 +1894,162 @@ static const mbedtls_cipher_info_t arc4_128_info = {
 };
 #endif /* MBEDTLS_ARC4_C */
 
+#if defined(MBEDTLS_CHACHA20_C)
+
+static int chacha20_setkey_wrap( void *ctx, const unsigned char *key,
+                                 unsigned int key_bitlen )
+{
+    if( key_bitlen != 256U )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if ( 0 != mbedtls_chacha20_setkey( (mbedtls_chacha20_context*)ctx, key ) )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    return( 0 );
+}
+
+static int chacha20_stream_wrap( void *ctx,  size_t length,
+                                 const unsigned char *input,
+                                 unsigned char *output )
+{
+    int ret;
+
+    ret = mbedtls_chacha20_update( ctx, length, input, output );
+    if( ret == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    return( ret );
+}
+
+static void * chacha20_ctx_alloc( void )
+{
+    mbedtls_chacha20_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_chacha20_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_chacha20_init( ctx );
+
+    return( ctx );
+}
+
+static void chacha20_ctx_free( void *ctx )
+{
+    mbedtls_chacha20_free( (mbedtls_chacha20_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t chacha20_base_info = {
+    MBEDTLS_CIPHER_ID_CHACHA20,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    chacha20_stream_wrap,
+#endif
+    chacha20_setkey_wrap,
+    chacha20_setkey_wrap,
+    chacha20_ctx_alloc,
+    chacha20_ctx_free
+};
+static const mbedtls_cipher_info_t chacha20_info = {
+    MBEDTLS_CIPHER_CHACHA20,
+    MBEDTLS_MODE_STREAM,
+    256,
+    "CHACHA20",
+    12,
+    0,
+    1,
+    &chacha20_base_info
+};
+#endif /* MBEDTLS_CHACHA20_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+
+static int chachapoly_setkey_wrap( void *ctx,
+                                   const unsigned char *key,
+                                   unsigned int key_bitlen )
+{
+    if( key_bitlen != 256U )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if ( 0 != mbedtls_chachapoly_setkey( (mbedtls_chachapoly_context*)ctx, key ) )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    return( 0 );
+}
+
+static void * chachapoly_ctx_alloc( void )
+{
+    mbedtls_chachapoly_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_chachapoly_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_chachapoly_init( ctx );
+
+    return( ctx );
+}
+
+static void chachapoly_ctx_free( void *ctx )
+{
+    mbedtls_chachapoly_free( (mbedtls_chachapoly_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t chachapoly_base_info = {
+    MBEDTLS_CIPHER_ID_CHACHA20,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    chachapoly_setkey_wrap,
+    chachapoly_setkey_wrap,
+    chachapoly_ctx_alloc,
+    chachapoly_ctx_free
+};
+static const mbedtls_cipher_info_t chachapoly_info = {
+    MBEDTLS_CIPHER_CHACHA20_POLY1305,
+    MBEDTLS_MODE_CHACHAPOLY,
+    256,
+    "CHACHA20-POLY1305",
+    12,
+    0,
+    1,
+    &chachapoly_base_info
+};
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
 #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
 static int null_crypt_stream( void *ctx, size_t length,
                               const unsigned char *input,
@@ -1322,9 +2089,15 @@ static const mbedtls_cipher_base_t null_base_info = {
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     NULL,
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_STREAM)
     null_crypt_stream,
 #endif
@@ -1362,11 +2135,20 @@ const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] =
     { MBEDTLS_CIPHER_AES_192_CFB128,       &aes_192_cfb128_info },
     { MBEDTLS_CIPHER_AES_256_CFB128,       &aes_256_cfb128_info },
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    { MBEDTLS_CIPHER_AES_128_OFB,          &aes_128_ofb_info },
+    { MBEDTLS_CIPHER_AES_192_OFB,          &aes_192_ofb_info },
+    { MBEDTLS_CIPHER_AES_256_OFB,          &aes_256_ofb_info },
+#endif
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     { MBEDTLS_CIPHER_AES_128_CTR,          &aes_128_ctr_info },
     { MBEDTLS_CIPHER_AES_192_CTR,          &aes_192_ctr_info },
     { MBEDTLS_CIPHER_AES_256_CTR,          &aes_256_ctr_info },
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    { MBEDTLS_CIPHER_AES_128_XTS,          &aes_128_xts_info },
+    { MBEDTLS_CIPHER_AES_256_XTS,          &aes_256_xts_info },
+#endif
 #if defined(MBEDTLS_GCM_C)
     { MBEDTLS_CIPHER_AES_128_GCM,          &aes_128_gcm_info },
     { MBEDTLS_CIPHER_AES_192_GCM,          &aes_192_gcm_info },
@@ -1427,6 +2209,37 @@ const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] =
 #endif
 #endif /* MBEDTLS_CAMELLIA_C */
 
+#if defined(MBEDTLS_ARIA_C)
+    { MBEDTLS_CIPHER_ARIA_128_ECB,     &aria_128_ecb_info },
+    { MBEDTLS_CIPHER_ARIA_192_ECB,     &aria_192_ecb_info },
+    { MBEDTLS_CIPHER_ARIA_256_ECB,     &aria_256_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_CIPHER_ARIA_128_CBC,     &aria_128_cbc_info },
+    { MBEDTLS_CIPHER_ARIA_192_CBC,     &aria_192_cbc_info },
+    { MBEDTLS_CIPHER_ARIA_256_CBC,     &aria_256_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    { MBEDTLS_CIPHER_ARIA_128_CFB128,  &aria_128_cfb128_info },
+    { MBEDTLS_CIPHER_ARIA_192_CFB128,  &aria_192_cfb128_info },
+    { MBEDTLS_CIPHER_ARIA_256_CFB128,  &aria_256_cfb128_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    { MBEDTLS_CIPHER_ARIA_128_CTR,     &aria_128_ctr_info },
+    { MBEDTLS_CIPHER_ARIA_192_CTR,     &aria_192_ctr_info },
+    { MBEDTLS_CIPHER_ARIA_256_CTR,     &aria_256_ctr_info },
+#endif
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_CIPHER_ARIA_128_GCM,     &aria_128_gcm_info },
+    { MBEDTLS_CIPHER_ARIA_192_GCM,     &aria_192_gcm_info },
+    { MBEDTLS_CIPHER_ARIA_256_GCM,     &aria_256_gcm_info },
+#endif
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_CIPHER_ARIA_128_CCM,     &aria_128_ccm_info },
+    { MBEDTLS_CIPHER_ARIA_192_CCM,     &aria_192_ccm_info },
+    { MBEDTLS_CIPHER_ARIA_256_CCM,     &aria_256_ccm_info },
+#endif
+#endif /* MBEDTLS_ARIA_C */
+
 #if defined(MBEDTLS_DES_C)
     { MBEDTLS_CIPHER_DES_ECB,              &des_ecb_info },
     { MBEDTLS_CIPHER_DES_EDE_ECB,          &des_ede_ecb_info },
@@ -1438,6 +2251,14 @@ const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] =
 #endif
 #endif /* MBEDTLS_DES_C */
 
+#if defined(MBEDTLS_CHACHA20_C)
+    { MBEDTLS_CIPHER_CHACHA20,             &chacha20_info },
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    { MBEDTLS_CIPHER_CHACHA20_POLY1305,    &chachapoly_info },
+#endif
+
 #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
     { MBEDTLS_CIPHER_NULL,                 &null_cipher_info },
 #endif /* MBEDTLS_CIPHER_NULL_CIPHER */
diff --git a/3rdparty/mbedtls/mbedtls/library/cmac.c b/3rdparty/mbedtls/mbedtls/library/cmac.c
index 9a73faa6d5..5d101e1c7d 100644
--- a/3rdparty/mbedtls/mbedtls/library/cmac.c
+++ b/3rdparty/mbedtls/mbedtls/library/cmac.c
@@ -49,6 +49,7 @@
 #if defined(MBEDTLS_CMAC_C)
 
 #include "mbedtls/cmac.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -67,11 +68,6 @@
 
 #if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
-}
-
 /*
  * Multiplication by u in the Galois field of GF(2^n)
  *
@@ -144,7 +140,7 @@ static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
     unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
     size_t olen, block_size;
 
-    mbedtls_zeroize( L, sizeof( L ) );
+    mbedtls_platform_zeroize( L, sizeof( L ) );
 
     block_size = ctx->cipher_info->block_size;
 
@@ -162,7 +158,7 @@ static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
         goto exit;
 
 exit:
-    mbedtls_zeroize( L, sizeof( L ) );
+    mbedtls_platform_zeroize( L, sizeof( L ) );
 
     return( ret );
 }
@@ -238,7 +234,7 @@ int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
 
     ctx->cmac_ctx = cmac_ctx;
 
-    mbedtls_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
+    mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
 
     return 0;
 }
@@ -330,8 +326,8 @@ int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
     block_size = ctx->cipher_info->block_size;
     state = cmac_ctx->state;
 
-    mbedtls_zeroize( K1, sizeof( K1 ) );
-    mbedtls_zeroize( K2, sizeof( K2 ) );
+    mbedtls_platform_zeroize( K1, sizeof( K1 ) );
+    mbedtls_platform_zeroize( K2, sizeof( K2 ) );
     cmac_generate_subkeys( ctx, K1, K2 );
 
     last_block = cmac_ctx->unprocessed_block;
@@ -361,14 +357,14 @@ int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
 exit:
     /* Wipe the generated keys on the stack, and any other transients to avoid
      * side channel leakage */
-    mbedtls_zeroize( K1, sizeof( K1 ) );
-    mbedtls_zeroize( K2, sizeof( K2 ) );
+    mbedtls_platform_zeroize( K1, sizeof( K1 ) );
+    mbedtls_platform_zeroize( K2, sizeof( K2 ) );
 
     cmac_ctx->unprocessed_len = 0;
-    mbedtls_zeroize( cmac_ctx->unprocessed_block,
-                     sizeof( cmac_ctx->unprocessed_block ) );
+    mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
+                              sizeof( cmac_ctx->unprocessed_block ) );
 
-    mbedtls_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
+    mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
     return( ret );
 }
 
@@ -383,10 +379,10 @@ int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
 
     /* Reset the internal state */
     cmac_ctx->unprocessed_len = 0;
-    mbedtls_zeroize( cmac_ctx->unprocessed_block,
-                     sizeof( cmac_ctx->unprocessed_block ) );
-    mbedtls_zeroize( cmac_ctx->state,
-                     sizeof( cmac_ctx->state ) );
+    mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
+                              sizeof( cmac_ctx->unprocessed_block ) );
+    mbedtls_platform_zeroize( cmac_ctx->state,
+                              sizeof( cmac_ctx->state ) );
 
     return( 0 );
 }
@@ -466,7 +462,7 @@ int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
                                output );
 
 exit:
-    mbedtls_zeroize( int_key, sizeof( int_key ) );
+    mbedtls_platform_zeroize( int_key, sizeof( int_key ) );
 
     return( ret );
 }
diff --git a/3rdparty/mbedtls/mbedtls/library/ctr_drbg.c b/3rdparty/mbedtls/mbedtls/library/ctr_drbg.c
index d7a94840cc..fb121575bb 100644
--- a/3rdparty/mbedtls/mbedtls/library/ctr_drbg.c
+++ b/3rdparty/mbedtls/mbedtls/library/ctr_drbg.c
@@ -33,6 +33,7 @@
 #if defined(MBEDTLS_CTR_DRBG_C)
 
 #include "mbedtls/ctr_drbg.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -49,11 +50,6 @@
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 /*
  * CTR_DRBG context initialization
  */
@@ -70,6 +66,18 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
  * Non-public function wrapped by mbedtls_ctr_drbg_seed(). Necessary to allow
  * NIST tests to succeed (which require known length fixed entropy)
  */
+/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
+ * mbedtls_ctr_drbg_seed_entropy_len(ctx, f_entropy, p_entropy,
+ *                                   custom, len, entropy_len)
+ * implements
+ * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
+ *                      security_strength) -> initial_working_state
+ * with inputs
+ *   custom[:len] = nonce || personalization_string
+ * where entropy_input comes from f_entropy for entropy_len bytes
+ * and with outputs
+ *   ctx = initial_working_state
+ */
 int mbedtls_ctr_drbg_seed_entropy_len(
                    mbedtls_ctr_drbg_context *ctx,
                    int (*f_entropy)(void *, unsigned char *, size_t),
@@ -125,7 +133,7 @@ void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
     mbedtls_mutex_free( &ctx->mutex );
 #endif
     mbedtls_aes_free( &ctx->aes_ctx );
-    mbedtls_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) );
 }
 
 void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx, int resistance )
@@ -245,21 +253,29 @@ static int block_cipher_df( unsigned char *output,
     /*
     * tidy up the stack
     */
-    mbedtls_zeroize( buf, sizeof( buf ) );
-    mbedtls_zeroize( tmp, sizeof( tmp ) );
-    mbedtls_zeroize( key, sizeof( key ) );
-    mbedtls_zeroize( chain, sizeof( chain ) );
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_platform_zeroize( key, sizeof( key ) );
+    mbedtls_platform_zeroize( chain, sizeof( chain ) );
     if( 0 != ret )
     {
         /*
         * wipe partial seed from memory
         */
-        mbedtls_zeroize( output, MBEDTLS_CTR_DRBG_SEEDLEN );
+        mbedtls_platform_zeroize( output, MBEDTLS_CTR_DRBG_SEEDLEN );
     }
 
     return( ret );
 }
 
+/* CTR_DRBG_Update (SP 800-90A &sect;10.2.1.2)
+ * ctr_drbg_update_internal(ctx, provided_data)
+ * implements
+ * CTR_DRBG_Update(provided_data, Key, V)
+ * with inputs and outputs
+ *   ctx->aes_ctx = Key
+ *   ctx->counter = V
+ */
 static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
                               const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN] )
 {
@@ -299,10 +315,22 @@ static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
     memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE );
 
 exit:
-    mbedtls_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
     return( ret );
 }
 
+/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
+ * mbedtls_ctr_drbg_update(ctx, additional, add_len)
+ * implements
+ * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
+ *                      security_strength) -> initial_working_state
+ * with inputs
+ *   ctx->counter = all-bits-0
+ *   ctx->aes_ctx = context from all-bits-0 key
+ *   additional[:add_len] = entropy_input || nonce || personalization_string
+ * and with outputs
+ *   ctx = initial_working_state
+ */
 int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
                                  const unsigned char *additional,
                                  size_t add_len )
@@ -319,11 +347,11 @@ int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
         goto exit;
 
 exit:
-    mbedtls_zeroize( add_input, sizeof( add_input ) );
+    mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
     return( ret );
 }
 
-/* Deprecated function, kept for backward compatibility. */
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
 void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
                               const unsigned char *additional,
                               size_t add_len )
@@ -334,7 +362,20 @@ void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
         add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT;
     (void) mbedtls_ctr_drbg_update_ret( ctx, additional, add_len );
 }
-
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/* CTR_DRBG_Reseed with derivation function (SP 800-90A &sect;10.2.1.4.2)
+ * mbedtls_ctr_drbg_reseed(ctx, additional, len)
+ * implements
+ * CTR_DRBG_Reseed(working_state, entropy_input, additional_input)
+ *                -> new_working_state
+ * with inputs
+ *   ctx contains working_state
+ *   additional[:len] = additional_input
+ * and entropy_input comes from calling ctx->f_entropy
+ * and with output
+ *   ctx contains new_working_state
+ */
 int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
                      const unsigned char *additional, size_t len )
 {
@@ -382,10 +423,29 @@ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
     ctx->reseed_counter = 1;
 
 exit:
-    mbedtls_zeroize( seed, sizeof( seed ) );
+    mbedtls_platform_zeroize( seed, sizeof( seed ) );
     return( ret );
 }
 
+/* CTR_DRBG_Generate with derivation function (SP 800-90A &sect;10.2.1.5.2)
+ * mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, additional, add_len)
+ * implements
+ * CTR_DRBG_Reseed(working_state, entropy_input, additional[:add_len])
+ *                -> working_state_after_reseed
+ *                if required, then
+ * CTR_DRBG_Generate(working_state_after_reseed,
+ *                   requested_number_of_bits, additional_input)
+ *                -> status, returned_bits, new_working_state
+ * with inputs
+ *   ctx contains working_state
+ *   requested_number_of_bits = 8 * output_len
+ *   additional[:add_len] = additional_input
+ * and entropy_input comes from calling ctx->f_entropy
+ * and with outputs
+ *   status = SUCCESS (this function does the reseed internally)
+ *   returned_bits = output[:output_len]
+ *   ctx contains new_working_state
+ */
 int mbedtls_ctr_drbg_random_with_add( void *p_rng,
                               unsigned char *output, size_t output_len,
                               const unsigned char *additional, size_t add_len )
@@ -455,8 +515,8 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng,
     ctx->reseed_counter++;
 
 exit:
-    mbedtls_zeroize( add_input, sizeof( add_input ) );
-    mbedtls_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
     return( 0 );
 }
 
@@ -499,7 +559,7 @@ int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char
         ret = 0;
 
 exit:
-    mbedtls_zeroize( buf, sizeof( buf ) );
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
 
     fclose( f );
     return( ret );
@@ -508,35 +568,36 @@ int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char
 int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path )
 {
     int ret = 0;
-    FILE *f;
+    FILE *f = NULL;
     size_t n;
     unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
+    unsigned char c;
 
     if( ( f = fopen( path, "rb" ) ) == NULL )
         return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
 
-    fseek( f, 0, SEEK_END );
-    n = (size_t) ftell( f );
-    fseek( f, 0, SEEK_SET );
-
-    if( n > MBEDTLS_CTR_DRBG_MAX_INPUT )
+    n = fread( buf, 1, sizeof( buf ), f );
+    if( fread( &c, 1, 1, f ) != 0 )
     {
-        fclose( f );
-        return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
+        ret = MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+        goto exit;
     }
-
-    if( fread( buf, 1, n, f ) != n )
+    if( n == 0 || ferror( f ) )
+    {
         ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
-    else
-        ret = mbedtls_ctr_drbg_update_ret( ctx, buf, n );
-
+        goto exit;
+    }
     fclose( f );
+    f = NULL;
 
-    mbedtls_zeroize( buf, sizeof( buf ) );
+    ret = mbedtls_ctr_drbg_update_ret( ctx, buf, n );
 
+exit:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+    if( f != NULL )
+        fclose( f );
     if( ret != 0 )
         return( ret );
-
     return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) );
 }
 #endif /* MBEDTLS_FS_IO */
diff --git a/3rdparty/mbedtls/mbedtls/library/debug.c b/3rdparty/mbedtls/mbedtls/library/debug.c
index 30c8c7bb81..36510cdd56 100644
--- a/3rdparty/mbedtls/mbedtls/library/debug.c
+++ b/3rdparty/mbedtls/mbedtls/library/debug.c
@@ -397,4 +397,54 @@ void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
 }
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
+#if defined(MBEDTLS_ECDH_C)
+static void mbedtls_debug_printf_ecdh_internal( const mbedtls_ssl_context *ssl,
+                                                int level, const char *file,
+                                                int line,
+                                                const mbedtls_ecdh_context *ecdh,
+                                                mbedtls_debug_ecdh_attr attr )
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    const mbedtls_ecdh_context* ctx = ecdh;
+#else
+    const mbedtls_ecdh_context_mbed* ctx = &ecdh->ctx.mbed_ecdh;
+#endif
+
+    switch( attr )
+    {
+        case MBEDTLS_DEBUG_ECDH_Q:
+            mbedtls_debug_print_ecp( ssl, level, file, line, "ECDH: Q",
+                                     &ctx->Q );
+            break;
+        case MBEDTLS_DEBUG_ECDH_QP:
+            mbedtls_debug_print_ecp( ssl, level, file, line, "ECDH: Qp",
+                                     &ctx->Qp );
+            break;
+        case MBEDTLS_DEBUG_ECDH_Z:
+            mbedtls_debug_print_mpi( ssl, level, file, line, "ECDH: z",
+                                     &ctx->z );
+            break;
+        default:
+            break;
+    }
+}
+
+void mbedtls_debug_printf_ecdh( const mbedtls_ssl_context *ssl, int level,
+                                const char *file, int line,
+                                const mbedtls_ecdh_context *ecdh,
+                                mbedtls_debug_ecdh_attr attr )
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    mbedtls_debug_printf_ecdh_internal( ssl, level, file, line, ecdh, attr );
+#else
+    switch( ecdh->var )
+    {
+        default:
+            mbedtls_debug_printf_ecdh_internal( ssl, level, file, line, ecdh,
+                                                attr );
+    }
+#endif
+}
+#endif /* MBEDTLS_ECDH_C */
+
 #endif /* MBEDTLS_DEBUG_C */
diff --git a/3rdparty/mbedtls/mbedtls/library/des.c b/3rdparty/mbedtls/mbedtls/library/des.c
index 09f95cfc3b..8a33d82e50 100644
--- a/3rdparty/mbedtls/mbedtls/library/des.c
+++ b/3rdparty/mbedtls/mbedtls/library/des.c
@@ -34,6 +34,7 @@
 #if defined(MBEDTLS_DES_C)
 
 #include "mbedtls/des.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -48,11 +49,6 @@
 
 #if !defined(MBEDTLS_DES_ALT)
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
-}
-
 /*
  * 32-bit integer manipulation macros (big endian)
  */
@@ -261,50 +257,57 @@ static const uint32_t RHs[16] =
 /*
  * Initial Permutation macro
  */
-#define DES_IP(X,Y)                                             \
-{                                                               \
-    T = ((X >>  4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T <<  4);   \
-    T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16);   \
-    T = ((Y >>  2) ^ X) & 0x33333333; X ^= T; Y ^= (T <<  2);   \
-    T = ((Y >>  8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T <<  8);   \
-    Y = ((Y << 1) | (Y >> 31)) & 0xFFFFFFFF;                    \
-    T = (X ^ Y) & 0xAAAAAAAA; Y ^= T; X ^= T;                   \
-    X = ((X << 1) | (X >> 31)) & 0xFFFFFFFF;                    \
-}
+#define DES_IP(X,Y)                                                       \
+    do                                                                    \
+    {                                                                     \
+        T = (((X) >>  4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T <<  4); \
+        T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
+        T = (((Y) >>  2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T <<  2); \
+        T = (((Y) >>  8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T <<  8); \
+        (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF;                    \
+        T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T;                 \
+        (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF;                    \
+    } while( 0 )
 
 /*
  * Final Permutation macro
  */
-#define DES_FP(X,Y)                                             \
-{                                                               \
-    X = ((X << 31) | (X >> 1)) & 0xFFFFFFFF;                    \
-    T = (X ^ Y) & 0xAAAAAAAA; X ^= T; Y ^= T;                   \
-    Y = ((Y << 31) | (Y >> 1)) & 0xFFFFFFFF;                    \
-    T = ((Y >>  8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T <<  8);   \
-    T = ((Y >>  2) ^ X) & 0x33333333; X ^= T; Y ^= (T <<  2);   \
-    T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16);   \
-    T = ((X >>  4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T <<  4);   \
-}
+#define DES_FP(X,Y)                                                       \
+    do                                                                    \
+    {                                                                     \
+        (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF;                    \
+        T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T;                 \
+        (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF;                    \
+        T = (((Y) >>  8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T <<  8); \
+        T = (((Y) >>  2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T <<  2); \
+        T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
+        T = (((X) >>  4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T <<  4); \
+    } while( 0 )
 
 /*
  * DES round macro
  */
-#define DES_ROUND(X,Y)                          \
-{                                               \
-    T = *SK++ ^ X;                              \
-    Y ^= SB8[ (T      ) & 0x3F ] ^              \
-         SB6[ (T >>  8) & 0x3F ] ^              \
-         SB4[ (T >> 16) & 0x3F ] ^              \
-         SB2[ (T >> 24) & 0x3F ];               \
-                                                \
-    T = *SK++ ^ ((X << 28) | (X >> 4));         \
-    Y ^= SB7[ (T      ) & 0x3F ] ^              \
-         SB5[ (T >>  8) & 0x3F ] ^              \
-         SB3[ (T >> 16) & 0x3F ] ^              \
-         SB1[ (T >> 24) & 0x3F ];               \
-}
-
-#define SWAP(a,b) { uint32_t t = a; a = b; b = t; t = 0; }
+#define DES_ROUND(X,Y)                              \
+    do                                              \
+    {                                               \
+        T = *SK++ ^ (X);                            \
+        (Y) ^= SB8[ (T      ) & 0x3F ] ^            \
+               SB6[ (T >>  8) & 0x3F ] ^            \
+               SB4[ (T >> 16) & 0x3F ] ^            \
+               SB2[ (T >> 24) & 0x3F ];             \
+                                                    \
+        T = *SK++ ^ (((X) << 28) | ((X) >> 4));     \
+        (Y) ^= SB7[ (T      ) & 0x3F ] ^            \
+               SB5[ (T >>  8) & 0x3F ] ^            \
+               SB3[ (T >> 16) & 0x3F ] ^            \
+               SB1[ (T >> 24) & 0x3F ];             \
+    } while( 0 )
+
+#define SWAP(a,b)                                       \
+    do                                                  \
+    {                                                   \
+        uint32_t t = (a); (a) = (b); (b) = t; t = 0;    \
+    } while( 0 )
 
 void mbedtls_des_init( mbedtls_des_context *ctx )
 {
@@ -316,7 +319,7 @@ void mbedtls_des_free( mbedtls_des_context *ctx )
     if( ctx == NULL )
         return;
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_des_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des_context ) );
 }
 
 void mbedtls_des3_init( mbedtls_des3_context *ctx )
@@ -329,7 +332,7 @@ void mbedtls_des3_free( mbedtls_des3_context *ctx )
     if( ctx == NULL )
         return;
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_des3_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des3_context ) );
 }
 
 static const unsigned char odd_parity_table[128] = { 1,  2,  4,  7,  8,
@@ -553,7 +556,7 @@ int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx,
     uint32_t sk[96];
 
     des3_set2key( ctx->sk, sk, key );
-    mbedtls_zeroize( sk,  sizeof( sk ) );
+    mbedtls_platform_zeroize( sk,  sizeof( sk ) );
 
     return( 0 );
 }
@@ -567,7 +570,7 @@ int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx,
     uint32_t sk[96];
 
     des3_set2key( sk, ctx->sk, key );
-    mbedtls_zeroize( sk,  sizeof( sk ) );
+    mbedtls_platform_zeroize( sk,  sizeof( sk ) );
 
     return( 0 );
 }
@@ -604,7 +607,7 @@ int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx,
     uint32_t sk[96];
 
     des3_set3key( ctx->sk, sk, key );
-    mbedtls_zeroize( sk,  sizeof( sk ) );
+    mbedtls_platform_zeroize( sk,  sizeof( sk ) );
 
     return( 0 );
 }
@@ -618,7 +621,7 @@ int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
     uint32_t sk[96];
 
     des3_set3key( sk, ctx->sk, key );
-    mbedtls_zeroize( sk,  sizeof( sk ) );
+    mbedtls_platform_zeroize( sk,  sizeof( sk ) );
 
     return( 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/library/dhm.c b/3rdparty/mbedtls/mbedtls/library/dhm.c
index 28ac31003c..8255632a99 100644
--- a/3rdparty/mbedtls/mbedtls/library/dhm.c
+++ b/3rdparty/mbedtls/mbedtls/library/dhm.c
@@ -36,6 +36,7 @@
 #if defined(MBEDTLS_DHM_C)
 
 #include "mbedtls/dhm.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -58,10 +59,11 @@
 #endif
 
 #if !defined(MBEDTLS_DHM_ALT)
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
+
+#define DHM_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_DHM_BAD_INPUT_DATA )
+#define DHM_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
 
 /*
  * helper to validate the mbedtls_mpi size and import it
@@ -124,6 +126,7 @@ static int dhm_check_range( const mbedtls_mpi *param, const mbedtls_mpi *P )
 
 void mbedtls_dhm_init( mbedtls_dhm_context *ctx )
 {
+    DHM_VALIDATE( ctx != NULL );
     memset( ctx, 0, sizeof( mbedtls_dhm_context ) );
 }
 
@@ -135,6 +138,9 @@ int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx,
                      const unsigned char *end )
 {
     int ret;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( p != NULL && *p != NULL );
+    DHM_VALIDATE_RET( end != NULL );
 
     if( ( ret = dhm_read_bignum( &ctx->P,  p, end ) ) != 0 ||
         ( ret = dhm_read_bignum( &ctx->G,  p, end ) ) != 0 ||
@@ -160,6 +166,10 @@ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
     int ret, count = 0;
     size_t n1, n2, n3;
     unsigned char *p;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( output != NULL );
+    DHM_VALIDATE_RET( olen != NULL );
+    DHM_VALIDATE_RET( f_rng != NULL );
 
     if( mbedtls_mpi_cmp_int( &ctx->P, 0 ) == 0 )
         return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
@@ -230,9 +240,9 @@ int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx,
                            const mbedtls_mpi *G )
 {
     int ret;
-
-    if( ctx == NULL || P == NULL || G == NULL )
-        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( P != NULL );
+    DHM_VALIDATE_RET( G != NULL );
 
     if( ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ||
         ( ret = mbedtls_mpi_copy( &ctx->G, G ) ) != 0 )
@@ -251,8 +261,10 @@ int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx,
                      const unsigned char *input, size_t ilen )
 {
     int ret;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( input != NULL );
 
-    if( ctx == NULL || ilen < 1 || ilen > ctx->len )
+    if( ilen < 1 || ilen > ctx->len )
         return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
 
     if( ( ret = mbedtls_mpi_read_binary( &ctx->GY, input, ilen ) ) != 0 )
@@ -270,8 +282,11 @@ int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size,
                      void *p_rng )
 {
     int ret, count = 0;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( output != NULL );
+    DHM_VALIDATE_RET( f_rng != NULL );
 
-    if( ctx == NULL || olen < 1 || olen > ctx->len )
+    if( olen < 1 || olen > ctx->len )
         return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
 
     if( mbedtls_mpi_cmp_int( &ctx->P, 0 ) == 0 )
@@ -383,8 +398,11 @@ int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx,
 {
     int ret;
     mbedtls_mpi GYb;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( output != NULL );
+    DHM_VALIDATE_RET( olen != NULL );
 
-    if( ctx == NULL || output_size < ctx->len )
+    if( output_size < ctx->len )
         return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
 
     if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
@@ -431,13 +449,21 @@ int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx,
  */
 void mbedtls_dhm_free( mbedtls_dhm_context *ctx )
 {
-    mbedtls_mpi_free( &ctx->pX ); mbedtls_mpi_free( &ctx->Vf );
-    mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->RP );
-    mbedtls_mpi_free( &ctx->K  ); mbedtls_mpi_free( &ctx->GY );
-    mbedtls_mpi_free( &ctx->GX ); mbedtls_mpi_free( &ctx->X  );
-    mbedtls_mpi_free( &ctx->G  ); mbedtls_mpi_free( &ctx->P  );
-
-    mbedtls_zeroize( ctx, sizeof( mbedtls_dhm_context ) );
+    if( ctx == NULL )
+        return;
+
+    mbedtls_mpi_free( &ctx->pX );
+    mbedtls_mpi_free( &ctx->Vf );
+    mbedtls_mpi_free( &ctx->Vi );
+    mbedtls_mpi_free( &ctx->RP );
+    mbedtls_mpi_free( &ctx->K  );
+    mbedtls_mpi_free( &ctx->GY );
+    mbedtls_mpi_free( &ctx->GX );
+    mbedtls_mpi_free( &ctx->X  );
+    mbedtls_mpi_free( &ctx->G  );
+    mbedtls_mpi_free( &ctx->P  );
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_dhm_context ) );
 }
 
 #if defined(MBEDTLS_ASN1_PARSE_C)
@@ -452,7 +478,12 @@ int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin,
     unsigned char *p, *end;
 #if defined(MBEDTLS_PEM_PARSE_C)
     mbedtls_pem_context pem;
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+    DHM_VALIDATE_RET( dhm != NULL );
+    DHM_VALIDATE_RET( dhmin != NULL );
 
+#if defined(MBEDTLS_PEM_PARSE_C)
     mbedtls_pem_init( &pem );
 
     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
@@ -575,7 +606,7 @@ static int load_file( const char *path, unsigned char **buf, size_t *n )
     {
         fclose( f );
 
-        mbedtls_zeroize( *buf, *n + 1 );
+        mbedtls_platform_zeroize( *buf, *n + 1 );
         mbedtls_free( *buf );
 
         return( MBEDTLS_ERR_DHM_FILE_IO_ERROR );
@@ -599,13 +630,15 @@ int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path )
     int ret;
     size_t n;
     unsigned char *buf;
+    DHM_VALIDATE_RET( dhm != NULL );
+    DHM_VALIDATE_RET( path != NULL );
 
     if( ( ret = load_file( path, &buf, &n ) ) != 0 )
         return( ret );
 
     ret = mbedtls_dhm_parse_dhm( dhm, buf, n );
 
-    mbedtls_zeroize( buf, n );
+    mbedtls_platform_zeroize( buf, n );
     mbedtls_free( buf );
 
     return( ret );
@@ -616,12 +649,28 @@ int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path )
 
 #if defined(MBEDTLS_SELF_TEST)
 
+#if defined(MBEDTLS_PEM_PARSE_C)
 static const char mbedtls_test_dhm_params[] =
 "-----BEGIN DH PARAMETERS-----\r\n"
 "MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh\r\n"
 "1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32\r\n"
 "9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC\r\n"
 "-----END DH PARAMETERS-----\r\n";
+#else /* MBEDTLS_PEM_PARSE_C */
+static const char mbedtls_test_dhm_params[] = {
+  0x30, 0x81, 0x87, 0x02, 0x81, 0x81, 0x00, 0x9e, 0x35, 0xf4, 0x30, 0x44,
+  0x3a, 0x09, 0x90, 0x4f, 0x3a, 0x39, 0xa9, 0x79, 0x79, 0x7d, 0x07, 0x0d,
+  0xf5, 0x33, 0x78, 0xe7, 0x9c, 0x24, 0x38, 0xbe, 0xf4, 0xe7, 0x61, 0xf3,
+  0xc7, 0x14, 0x55, 0x33, 0x28, 0x58, 0x9b, 0x04, 0x1c, 0x80, 0x9b, 0xe1,
+  0xd6, 0xc6, 0xb5, 0xf1, 0xfc, 0x9f, 0x47, 0xd3, 0xa2, 0x54, 0x43, 0x18,
+  0x82, 0x53, 0xa9, 0x92, 0xa5, 0x68, 0x18, 0xb3, 0x7b, 0xa9, 0xde, 0x5a,
+  0x40, 0xd3, 0x62, 0xe5, 0x6e, 0xff, 0x0b, 0xe5, 0x41, 0x74, 0x74, 0xc1,
+  0x25, 0xc1, 0x99, 0x27, 0x2c, 0x8f, 0xe4, 0x1d, 0xea, 0x73, 0x3d, 0xf6,
+  0xf6, 0x62, 0xc9, 0x2a, 0xe7, 0x65, 0x56, 0xe7, 0x55, 0xd1, 0x0c, 0x64,
+  0xe6, 0xa5, 0x09, 0x68, 0xf6, 0x7f, 0xc6, 0xea, 0x73, 0xd0, 0xdc, 0xa8,
+  0x56, 0x9b, 0xe2, 0xba, 0x20, 0x4e, 0x23, 0x58, 0x0d, 0x8b, 0xca, 0x2f,
+  0x49, 0x75, 0xb3, 0x02, 0x01, 0x02 };
+#endif /* MBEDTLS_PEM_PARSE_C */
 
 static const size_t mbedtls_test_dhm_params_len = sizeof( mbedtls_test_dhm_params );
 
diff --git a/3rdparty/mbedtls/mbedtls/library/ecdh.c b/3rdparty/mbedtls/mbedtls/library/ecdh.c
index 75630bd356..c5726877d5 100644
--- a/3rdparty/mbedtls/mbedtls/library/ecdh.c
+++ b/3rdparty/mbedtls/mbedtls/library/ecdh.c
@@ -35,41 +35,92 @@
 #if defined(MBEDTLS_ECDH_C)
 
 #include "mbedtls/ecdh.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
+/* Parameter validation macros based on platform_util.h */
+#define ECDH_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECDH_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+typedef mbedtls_ecdh_context mbedtls_ecdh_context_mbed;
+#endif
+
+static mbedtls_ecp_group_id mbedtls_ecdh_grp_id(
+    const mbedtls_ecdh_context *ctx )
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ctx->grp.id );
+#else
+    return( ctx->grp_id );
+#endif
+}
+
 #if !defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)
 /*
- * Generate public key: simple wrapper around mbedtls_ecp_gen_keypair
+ * Generate public key (restartable version)
+ *
+ * Note: this internal function relies on its caller preserving the value of
+ * the output parameter 'd' across continuation calls. This would not be
+ * acceptable for a public function but is OK here as we control call sites.
+ */
+static int ecdh_gen_public_restartable( mbedtls_ecp_group *grp,
+                    mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                    int (*f_rng)(void *, unsigned char *, size_t),
+                    void *p_rng,
+                    mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+
+    /* If multiplication is in progress, we already generated a privkey */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx == NULL || rs_ctx->rsm == NULL )
+#endif
+        MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, d, f_rng, p_rng ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, Q, d, &grp->G,
+                                                  f_rng, p_rng, rs_ctx ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Generate public key
  */
 int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
                      int (*f_rng)(void *, unsigned char *, size_t),
                      void *p_rng )
 {
-    return mbedtls_ecp_gen_keypair( grp, d, Q, f_rng, p_rng );
+    ECDH_VALIDATE_RET( grp != NULL );
+    ECDH_VALIDATE_RET( d != NULL );
+    ECDH_VALIDATE_RET( Q != NULL );
+    ECDH_VALIDATE_RET( f_rng != NULL );
+    return( ecdh_gen_public_restartable( grp, d, Q, f_rng, p_rng, NULL ) );
 }
-#endif /* MBEDTLS_ECDH_GEN_PUBLIC_ALT */
+#endif /* !MBEDTLS_ECDH_GEN_PUBLIC_ALT */
 
 #if !defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT)
 /*
  * Compute shared secret (SEC1 3.3.1)
  */
-int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
+static int ecdh_compute_shared_restartable( mbedtls_ecp_group *grp,
+                         mbedtls_mpi *z,
                          const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
                          int (*f_rng)(void *, unsigned char *, size_t),
-                         void *p_rng )
+                         void *p_rng,
+                         mbedtls_ecp_restart_ctx *rs_ctx )
 {
     int ret;
     mbedtls_ecp_point P;
 
     mbedtls_ecp_point_init( &P );
 
-    /*
-     * Make sure Q is a valid pubkey before using it
-     */
-    MBEDTLS_MPI_CHK( mbedtls_ecp_check_pubkey( grp, Q ) );
-
-    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, &P, d, Q, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, &P, d, Q,
+                                                  f_rng, p_rng, rs_ctx ) );
 
     if( mbedtls_ecp_is_zero( &P ) )
     {
@@ -84,65 +135,195 @@ int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
 
     return( ret );
 }
-#endif /* MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
+
+/*
+ * Compute shared secret (SEC1 3.3.1)
+ */
+int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
+                         const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng )
+{
+    ECDH_VALIDATE_RET( grp != NULL );
+    ECDH_VALIDATE_RET( Q != NULL );
+    ECDH_VALIDATE_RET( d != NULL );
+    ECDH_VALIDATE_RET( z != NULL );
+    return( ecdh_compute_shared_restartable( grp, z, Q, d,
+                                             f_rng, p_rng, NULL ) );
+}
+#endif /* !MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
+
+static void ecdh_init_internal( mbedtls_ecdh_context_mbed *ctx )
+{
+    mbedtls_ecp_group_init( &ctx->grp );
+    mbedtls_mpi_init( &ctx->d  );
+    mbedtls_ecp_point_init( &ctx->Q   );
+    mbedtls_ecp_point_init( &ctx->Qp  );
+    mbedtls_mpi_init( &ctx->z  );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_init( &ctx->rs );
+#endif
+}
 
 /*
  * Initialize context
  */
 void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx )
 {
+    ECDH_VALIDATE( ctx != NULL );
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    ecdh_init_internal( ctx );
+    mbedtls_ecp_point_init( &ctx->Vi  );
+    mbedtls_ecp_point_init( &ctx->Vf  );
+    mbedtls_mpi_init( &ctx->_d );
+#else
     memset( ctx, 0, sizeof( mbedtls_ecdh_context ) );
+
+    ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
+#endif
+    ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    ctx->restart_enabled = 0;
+#endif
+}
+
+static int ecdh_setup_internal( mbedtls_ecdh_context_mbed *ctx,
+                                mbedtls_ecp_group_id grp_id )
+{
+    int ret;
+
+    ret = mbedtls_ecp_group_load( &ctx->grp, grp_id );
+    if( ret != 0 )
+    {
+        return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+    }
+
+    return( 0 );
 }
 
 /*
- * Free context
+ * Setup context
  */
-void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx )
+int mbedtls_ecdh_setup( mbedtls_ecdh_context *ctx, mbedtls_ecp_group_id grp_id )
 {
-    if( ctx == NULL )
-        return;
+    ECDH_VALIDATE_RET( ctx != NULL );
 
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_setup_internal( ctx, grp_id ) );
+#else
+    switch( grp_id )
+    {
+        default:
+            ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+            ctx->var = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0;
+            ctx->grp_id = grp_id;
+            ecdh_init_internal( &ctx->ctx.mbed_ecdh );
+            return( ecdh_setup_internal( &ctx->ctx.mbed_ecdh, grp_id ) );
+    }
+#endif
+}
+
+static void ecdh_free_internal( mbedtls_ecdh_context_mbed *ctx )
+{
     mbedtls_ecp_group_free( &ctx->grp );
+    mbedtls_mpi_free( &ctx->d  );
     mbedtls_ecp_point_free( &ctx->Q   );
     mbedtls_ecp_point_free( &ctx->Qp  );
-    mbedtls_ecp_point_free( &ctx->Vi  );
-    mbedtls_ecp_point_free( &ctx->Vf  );
-    mbedtls_mpi_free( &ctx->d  );
     mbedtls_mpi_free( &ctx->z  );
-    mbedtls_mpi_free( &ctx->_d );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_free( &ctx->rs );
+#endif
 }
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
 /*
- * Setup and write the ServerKeyExhange parameters (RFC 4492)
- *      struct {
- *          ECParameters    curve_params;
- *          ECPoint         public;
- *      } ServerECDHParams;
+ * Enable restartable operations for context
  */
-int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
-                      unsigned char *buf, size_t blen,
-                      int (*f_rng)(void *, unsigned char *, size_t),
-                      void *p_rng )
+void mbedtls_ecdh_enable_restart( mbedtls_ecdh_context *ctx )
+{
+    ECDH_VALIDATE( ctx != NULL );
+
+    ctx->restart_enabled = 1;
+}
+#endif
+
+/*
+ * Free context
+ */
+void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    mbedtls_ecp_point_free( &ctx->Vi );
+    mbedtls_ecp_point_free( &ctx->Vf );
+    mbedtls_mpi_free( &ctx->_d );
+    ecdh_free_internal( ctx );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            ecdh_free_internal( &ctx->ctx.mbed_ecdh );
+            break;
+        default:
+            break;
+    }
+
+    ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+    ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
+    ctx->grp_id = MBEDTLS_ECP_DP_NONE;
+#endif
+}
+
+static int ecdh_make_params_internal( mbedtls_ecdh_context_mbed *ctx,
+                                      size_t *olen, int point_format,
+                                      unsigned char *buf, size_t blen,
+                                      int (*f_rng)(void *,
+                                                   unsigned char *,
+                                                   size_t),
+                                      void *p_rng,
+                                      int restart_enabled )
 {
     int ret;
     size_t grp_len, pt_len;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
 
-    if( ctx == NULL || ctx->grp.pbits == 0 )
+    if( ctx->grp.pbits == 0 )
         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
 
-    if( ( ret = mbedtls_ecdh_gen_public( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) )
-                != 0 )
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( restart_enabled )
+        rs_ctx = &ctx->rs;
+#else
+    (void) restart_enabled;
+#endif
+
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( ( ret = ecdh_gen_public_restartable( &ctx->grp, &ctx->d, &ctx->Q,
+                                             f_rng, p_rng, rs_ctx ) ) != 0 )
         return( ret );
+#else
+    if( ( ret = mbedtls_ecdh_gen_public( &ctx->grp, &ctx->d, &ctx->Q,
+                                         f_rng, p_rng ) ) != 0 )
+        return( ret );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
 
-    if( ( ret = mbedtls_ecp_tls_write_group( &ctx->grp, &grp_len, buf, blen ) )
-                != 0 )
+    if( ( ret = mbedtls_ecp_tls_write_group( &ctx->grp, &grp_len, buf,
+                                             blen ) ) != 0 )
         return( ret );
 
     buf += grp_len;
     blen -= grp_len;
 
-    if( ( ret = mbedtls_ecp_tls_write_point( &ctx->grp, &ctx->Q, ctx->point_format,
-                                     &pt_len, buf, blen ) ) != 0 )
+    if( ( ret = mbedtls_ecp_tls_write_point( &ctx->grp, &ctx->Q, point_format,
+                                             &pt_len, buf, blen ) ) != 0 )
         return( ret );
 
     *olen = grp_len + pt_len;
@@ -150,49 +331,98 @@ int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
 }
 
 /*
- * Read the ServerKeyExhange parameters (RFC 4492)
+ * Setup and write the ServerKeyExhange parameters (RFC 4492)
  *      struct {
  *          ECParameters    curve_params;
  *          ECPoint         public;
  *      } ServerECDHParams;
  */
-int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx,
-                      const unsigned char **buf, const unsigned char *end )
+int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
+                              unsigned char *buf, size_t blen,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
 {
-    int ret;
-
-    if( ( ret = mbedtls_ecp_tls_read_group( &ctx->grp, buf, end - *buf ) ) != 0 )
-        return( ret );
+    int restart_enabled = 0;
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( olen != NULL );
+    ECDH_VALIDATE_RET( buf != NULL );
+    ECDH_VALIDATE_RET( f_rng != NULL );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    restart_enabled = ctx->restart_enabled;
+#else
+    (void) restart_enabled;
+#endif
 
-    if( ( ret = mbedtls_ecp_tls_read_point( &ctx->grp, &ctx->Qp, buf, end - *buf ) )
-                != 0 )
-        return( ret );
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_make_params_internal( ctx, olen, ctx->point_format, buf, blen,
+                                       f_rng, p_rng, restart_enabled ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_make_params_internal( &ctx->ctx.mbed_ecdh, olen,
+                                               ctx->point_format, buf, blen,
+                                               f_rng, p_rng,
+                                               restart_enabled ) );
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
 
-    return( 0 );
+static int ecdh_read_params_internal( mbedtls_ecdh_context_mbed *ctx,
+                                      const unsigned char **buf,
+                                      const unsigned char *end )
+{
+    return( mbedtls_ecp_tls_read_point( &ctx->grp, &ctx->Qp, buf,
+                                        end - *buf ) );
 }
 
 /*
- * Get parameters from a keypair
+ * Read the ServerKeyExhange parameters (RFC 4492)
+ *      struct {
+ *          ECParameters    curve_params;
+ *          ECPoint         public;
+ *      } ServerECDHParams;
  */
-int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx, const mbedtls_ecp_keypair *key,
-                     mbedtls_ecdh_side side )
+int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx,
+                              const unsigned char **buf,
+                              const unsigned char *end )
 {
     int ret;
+    mbedtls_ecp_group_id grp_id;
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( buf != NULL );
+    ECDH_VALIDATE_RET( *buf != NULL );
+    ECDH_VALIDATE_RET( end != NULL );
+
+    if( ( ret = mbedtls_ecp_tls_read_group_id( &grp_id, buf, end - *buf ) )
+            != 0 )
+        return( ret );
 
-    if( ctx->grp.id == MBEDTLS_ECP_DP_NONE )
-    {
-        /* This is the first call to get_params(). Copy the group information
-         * into the context. */
-        if( ( ret = mbedtls_ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 )
-            return( ret );
-    }
-    else
+    if( ( ret = mbedtls_ecdh_setup( ctx, grp_id ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_read_params_internal( ctx, buf, end ) );
+#else
+    switch( ctx->var )
     {
-        /* This is not the first call to get_params(). Check that the group
-         * is the same as the first time. */
-        if( ctx->grp.id != key->grp.id )
-            return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_read_params_internal( &ctx->ctx.mbed_ecdh,
+                                               buf, end ) );
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
     }
+#endif
+}
+
+static int ecdh_get_params_internal( mbedtls_ecdh_context_mbed *ctx,
+                                     const mbedtls_ecp_keypair *key,
+                                     mbedtls_ecdh_side side )
+{
+    int ret;
 
     /* If it's not our key, just import the public part as Qp */
     if( side == MBEDTLS_ECDH_THEIRS )
@@ -210,39 +440,129 @@ int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx, const mbedtls_ecp_keypai
 }
 
 /*
- * Setup and export the client public value
+ * Get parameters from a keypair
  */
-int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
-                      unsigned char *buf, size_t blen,
-                      int (*f_rng)(void *, unsigned char *, size_t),
-                      void *p_rng )
+int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx,
+                             const mbedtls_ecp_keypair *key,
+                             mbedtls_ecdh_side side )
 {
     int ret;
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( key != NULL );
+    ECDH_VALIDATE_RET( side == MBEDTLS_ECDH_OURS ||
+                       side == MBEDTLS_ECDH_THEIRS );
 
-    if( ctx == NULL || ctx->grp.pbits == 0 )
+    if( mbedtls_ecdh_grp_id( ctx ) == MBEDTLS_ECP_DP_NONE )
+    {
+        /* This is the first call to get_params(). Set up the context
+         * for use with the group. */
+        if( ( ret = mbedtls_ecdh_setup( ctx, key->grp.id ) ) != 0 )
+            return( ret );
+    }
+    else
+    {
+        /* This is not the first call to get_params(). Check that the
+         * current key's group is the same as the context's, which was set
+         * from the first key's group. */
+        if( mbedtls_ecdh_grp_id( ctx ) != key->grp.id )
+            return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_get_params_internal( ctx, key, side ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_get_params_internal( &ctx->ctx.mbed_ecdh,
+                                              key, side ) );
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_make_public_internal( mbedtls_ecdh_context_mbed *ctx,
+                                      size_t *olen, int point_format,
+                                      unsigned char *buf, size_t blen,
+                                      int (*f_rng)(void *,
+                                                   unsigned char *,
+                                                   size_t),
+                                      void *p_rng,
+                                      int restart_enabled )
+{
+    int ret;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
+
+    if( ctx->grp.pbits == 0 )
         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
 
-    if( ( ret = mbedtls_ecdh_gen_public( &ctx->grp, &ctx->d, &ctx->Q, f_rng, p_rng ) )
-                != 0 )
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( restart_enabled )
+        rs_ctx = &ctx->rs;
+#else
+    (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( ( ret = ecdh_gen_public_restartable( &ctx->grp, &ctx->d, &ctx->Q,
+                                             f_rng, p_rng, rs_ctx ) ) != 0 )
         return( ret );
+#else
+    if( ( ret = mbedtls_ecdh_gen_public( &ctx->grp, &ctx->d, &ctx->Q,
+                                         f_rng, p_rng ) ) != 0 )
+        return( ret );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
 
-    return mbedtls_ecp_tls_write_point( &ctx->grp, &ctx->Q, ctx->point_format,
-                                olen, buf, blen );
+    return mbedtls_ecp_tls_write_point( &ctx->grp, &ctx->Q, point_format, olen,
+                                        buf, blen );
 }
 
 /*
- * Parse and import the client's public value
+ * Setup and export the client public value
  */
-int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
-                      const unsigned char *buf, size_t blen )
+int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
+                              unsigned char *buf, size_t blen,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int restart_enabled = 0;
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( olen != NULL );
+    ECDH_VALIDATE_RET( buf != NULL );
+    ECDH_VALIDATE_RET( f_rng != NULL );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    restart_enabled = ctx->restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_make_public_internal( ctx, olen, ctx->point_format, buf, blen,
+                                       f_rng, p_rng, restart_enabled ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_make_public_internal( &ctx->ctx.mbed_ecdh, olen,
+                                               ctx->point_format, buf, blen,
+                                               f_rng, p_rng,
+                                               restart_enabled ) );
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_read_public_internal( mbedtls_ecdh_context_mbed *ctx,
+                                      const unsigned char *buf, size_t blen )
 {
     int ret;
     const unsigned char *p = buf;
 
-    if( ctx == NULL )
-        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
-
-    if( ( ret = mbedtls_ecp_tls_read_point( &ctx->grp, &ctx->Qp, &p, blen ) ) != 0 )
+    if( ( ret = mbedtls_ecp_tls_read_point( &ctx->grp, &ctx->Qp, &p,
+                                            blen ) ) != 0 )
         return( ret );
 
     if( (size_t)( p - buf ) != blen )
@@ -252,23 +572,66 @@ int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
 }
 
 /*
- * Derive and export the shared secret
+ * Parse and import the client's public value
  */
-int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen,
-                      unsigned char *buf, size_t blen,
-                      int (*f_rng)(void *, unsigned char *, size_t),
-                      void *p_rng )
+int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
+                              const unsigned char *buf, size_t blen )
+{
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( buf != NULL );
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_read_public_internal( ctx, buf, blen ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_read_public_internal( &ctx->ctx.mbed_ecdh,
+                                                       buf, blen ) );
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_calc_secret_internal( mbedtls_ecdh_context_mbed *ctx,
+                                      size_t *olen, unsigned char *buf,
+                                      size_t blen,
+                                      int (*f_rng)(void *,
+                                                   unsigned char *,
+                                                   size_t),
+                                      void *p_rng,
+                                      int restart_enabled )
 {
     int ret;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
 
-    if( ctx == NULL )
+    if( ctx == NULL || ctx->grp.pbits == 0 )
         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
 
-    if( ( ret = mbedtls_ecdh_compute_shared( &ctx->grp, &ctx->z, &ctx->Qp, &ctx->d,
-                                     f_rng, p_rng ) ) != 0 )
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( restart_enabled )
+        rs_ctx = &ctx->rs;
+#else
+    (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( ( ret = ecdh_compute_shared_restartable( &ctx->grp, &ctx->z, &ctx->Qp,
+                                                 &ctx->d, f_rng, p_rng,
+                                                 rs_ctx ) ) != 0 )
     {
         return( ret );
     }
+#else
+    if( ( ret = mbedtls_ecdh_compute_shared( &ctx->grp, &ctx->z, &ctx->Qp,
+                                             &ctx->d, f_rng, p_rng ) ) != 0 )
+    {
+        return( ret );
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
 
     if( mbedtls_mpi_size( &ctx->z ) > blen )
         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
@@ -277,4 +640,37 @@ int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen,
     return mbedtls_mpi_write_binary( &ctx->z, buf, *olen );
 }
 
+/*
+ * Derive and export the shared secret
+ */
+int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen,
+                              unsigned char *buf, size_t blen,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int restart_enabled = 0;
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( olen != NULL );
+    ECDH_VALIDATE_RET( buf != NULL );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    restart_enabled = ctx->restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_calc_secret_internal( ctx, olen, buf, blen, f_rng, p_rng,
+                                       restart_enabled ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_calc_secret_internal( &ctx->ctx.mbed_ecdh, olen, buf,
+                                               blen, f_rng, p_rng,
+                                               restart_enabled ) );
+        default:
+            return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+#endif
+}
+
 #endif /* MBEDTLS_ECDH_C */
diff --git a/3rdparty/mbedtls/mbedtls/library/ecdsa.c b/3rdparty/mbedtls/mbedtls/library/ecdsa.c
index ab75620b37..dc19384d61 100644
--- a/3rdparty/mbedtls/mbedtls/library/ecdsa.c
+++ b/3rdparty/mbedtls/mbedtls/library/ecdsa.c
@@ -42,6 +42,186 @@
 #include "mbedtls/hmac_drbg.h"
 #endif
 
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include "mbedtls/platform_util.h"
+
+/* Parameter validation macros based on platform_util.h */
+#define ECDSA_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECDSA_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/*
+ * Sub-context for ecdsa_verify()
+ */
+struct mbedtls_ecdsa_restart_ver
+{
+    mbedtls_mpi u1, u2;     /* intermediate values  */
+    enum {                  /* what to do next?     */
+        ecdsa_ver_init = 0, /* getting started      */
+        ecdsa_ver_muladd,   /* muladd step          */
+    } state;
+};
+
+/*
+ * Init verify restart sub-context
+ */
+static void ecdsa_restart_ver_init( mbedtls_ecdsa_restart_ver_ctx *ctx )
+{
+    mbedtls_mpi_init( &ctx->u1 );
+    mbedtls_mpi_init( &ctx->u2 );
+    ctx->state = ecdsa_ver_init;
+}
+
+/*
+ * Free the components of a verify restart sub-context
+ */
+static void ecdsa_restart_ver_free( mbedtls_ecdsa_restart_ver_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_mpi_free( &ctx->u1 );
+    mbedtls_mpi_free( &ctx->u2 );
+
+    ecdsa_restart_ver_init( ctx );
+}
+
+/*
+ * Sub-context for ecdsa_sign()
+ */
+struct mbedtls_ecdsa_restart_sig
+{
+    int sign_tries;
+    int key_tries;
+    mbedtls_mpi k;          /* per-signature random */
+    mbedtls_mpi r;          /* r value              */
+    enum {                  /* what to do next?     */
+        ecdsa_sig_init = 0, /* getting started      */
+        ecdsa_sig_mul,      /* doing ecp_mul()      */
+        ecdsa_sig_modn,     /* mod N computations   */
+    } state;
+};
+
+/*
+ * Init verify sign sub-context
+ */
+static void ecdsa_restart_sig_init( mbedtls_ecdsa_restart_sig_ctx *ctx )
+{
+    ctx->sign_tries = 0;
+    ctx->key_tries = 0;
+    mbedtls_mpi_init( &ctx->k );
+    mbedtls_mpi_init( &ctx->r );
+    ctx->state = ecdsa_sig_init;
+}
+
+/*
+ * Free the components of a sign restart sub-context
+ */
+static void ecdsa_restart_sig_free( mbedtls_ecdsa_restart_sig_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_mpi_free( &ctx->k );
+    mbedtls_mpi_free( &ctx->r );
+}
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/*
+ * Sub-context for ecdsa_sign_det()
+ */
+struct mbedtls_ecdsa_restart_det
+{
+    mbedtls_hmac_drbg_context rng_ctx;  /* DRBG state   */
+    enum {                      /* what to do next?     */
+        ecdsa_det_init = 0,     /* getting started      */
+        ecdsa_det_sign,         /* make signature       */
+    } state;
+};
+
+/*
+ * Init verify sign_det sub-context
+ */
+static void ecdsa_restart_det_init( mbedtls_ecdsa_restart_det_ctx *ctx )
+{
+    mbedtls_hmac_drbg_init( &ctx->rng_ctx );
+    ctx->state = ecdsa_det_init;
+}
+
+/*
+ * Free the components of a sign_det restart sub-context
+ */
+static void ecdsa_restart_det_free( mbedtls_ecdsa_restart_det_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_hmac_drbg_free( &ctx->rng_ctx );
+
+    ecdsa_restart_det_init( ctx );
+}
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#define ECDSA_RS_ECP    &rs_ctx->ecp
+
+/* Utility macro for checking and updating ops budget */
+#define ECDSA_BUDGET( ops )   \
+    MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, &rs_ctx->ecp, ops ) );
+
+/* Call this when entering a function that needs its own sub-context */
+#define ECDSA_RS_ENTER( SUB )   do {                                 \
+    /* reset ops count for this call if top-level */                 \
+    if( rs_ctx != NULL && rs_ctx->ecp.depth++ == 0 )                 \
+        rs_ctx->ecp.ops_done = 0;                                    \
+                                                                     \
+    /* set up our own sub-context if needed */                       \
+    if( mbedtls_ecp_restart_is_enabled() &&                          \
+        rs_ctx != NULL && rs_ctx->SUB == NULL )                      \
+    {                                                                \
+        rs_ctx->SUB = mbedtls_calloc( 1, sizeof( *rs_ctx->SUB ) );   \
+        if( rs_ctx->SUB == NULL )                                    \
+            return( MBEDTLS_ERR_ECP_ALLOC_FAILED );                  \
+                                                                     \
+        ecdsa_restart_## SUB ##_init( rs_ctx->SUB );                 \
+    }                                                                \
+} while( 0 )
+
+/* Call this when leaving a function that needs its own sub-context */
+#define ECDSA_RS_LEAVE( SUB )   do {                                 \
+    /* clear our sub-context when not in progress (done or error) */ \
+    if( rs_ctx != NULL && rs_ctx->SUB != NULL &&                     \
+        ret != MBEDTLS_ERR_ECP_IN_PROGRESS )                         \
+    {                                                                \
+        ecdsa_restart_## SUB ##_free( rs_ctx->SUB );                 \
+        mbedtls_free( rs_ctx->SUB );                                 \
+        rs_ctx->SUB = NULL;                                          \
+    }                                                                \
+                                                                     \
+    if( rs_ctx != NULL )                                             \
+        rs_ctx->ecp.depth--;                                         \
+} while( 0 )
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define ECDSA_RS_ECP    NULL
+
+#define ECDSA_BUDGET( ops )   /* no-op; for compatibility */
+
+#define ECDSA_RS_ENTER( SUB )   (void) rs_ctx
+#define ECDSA_RS_LEAVE( SUB )   (void) rs_ctx
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
 /*
  * Derive a suitable integer for group grp from a buffer of length len
  * SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3
@@ -70,13 +250,17 @@ static int derive_mpi( const mbedtls_ecp_group *grp, mbedtls_mpi *x,
  * Compute ECDSA signature of a hashed message (SEC1 4.1.3)
  * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
  */
-int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
+static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
+                mbedtls_mpi *r, mbedtls_mpi *s,
                 const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
-                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                mbedtls_ecdsa_restart_ctx *rs_ctx )
 {
-    int ret, key_tries, sign_tries, blind_tries;
+    int ret, key_tries, sign_tries;
+    int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries;
     mbedtls_ecp_point R;
     mbedtls_mpi k, e, t;
+    mbedtls_mpi *pk = &k, *pr = r;
 
     /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
     if( grp->N.p == NULL )
@@ -89,26 +273,72 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
     mbedtls_ecp_point_init( &R );
     mbedtls_mpi_init( &k ); mbedtls_mpi_init( &e ); mbedtls_mpi_init( &t );
 
-    sign_tries = 0;
+    ECDSA_RS_ENTER( sig );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->sig != NULL )
+    {
+        /* redirect to our context */
+        p_sign_tries = &rs_ctx->sig->sign_tries;
+        p_key_tries = &rs_ctx->sig->key_tries;
+        pk = &rs_ctx->sig->k;
+        pr = &rs_ctx->sig->r;
+
+        /* jump to current step */
+        if( rs_ctx->sig->state == ecdsa_sig_mul )
+            goto mul;
+        if( rs_ctx->sig->state == ecdsa_sig_modn )
+            goto modn;
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    *p_sign_tries = 0;
     do
     {
+        if( *p_sign_tries++ > 10 )
+        {
+            ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+            goto cleanup;
+        }
+
         /*
          * Steps 1-3: generate a suitable ephemeral keypair
          * and set r = xR mod n
          */
-        key_tries = 0;
+        *p_key_tries = 0;
         do
         {
-            MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair( grp, &k, &R, f_rng, p_rng ) );
-            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( r, &R.X, &grp->N ) );
-
-            if( key_tries++ > 10 )
+            if( *p_key_tries++ > 10 )
             {
                 ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
                 goto cleanup;
             }
+
+            MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, pk, f_rng, p_rng ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+            if( rs_ctx != NULL && rs_ctx->sig != NULL )
+                rs_ctx->sig->state = ecdsa_sig_mul;
+
+mul:
+#endif
+            MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, &R, pk, &grp->G,
+                                                  f_rng, p_rng, ECDSA_RS_ECP ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pr, &R.X, &grp->N ) );
         }
-        while( mbedtls_mpi_cmp_int( r, 0 ) == 0 );
+        while( mbedtls_mpi_cmp_int( pr, 0 ) == 0 );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+        if( rs_ctx != NULL && rs_ctx->sig != NULL )
+            rs_ctx->sig->state = ecdsa_sig_modn;
+
+modn:
+#endif
+        /*
+         * Accounting for everything up to the end of the loop
+         * (step 6, but checking now avoids saving e and t)
+         */
+        ECDSA_BUDGET( MBEDTLS_ECP_OPS_INV + 4 );
 
         /*
          * Step 5: derive MPI from hashed message
@@ -119,57 +349,67 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
          * Generate a random value to blind inv_mod in next step,
          * avoiding a potential timing leak.
          */
-        blind_tries = 0;
-        do
-        {
-            size_t n_size = ( grp->nbits + 7 ) / 8;
-            MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &t, n_size, f_rng, p_rng ) );
-            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &t, 8 * n_size - grp->nbits ) );
-
-            /* See mbedtls_ecp_gen_keypair() */
-            if( ++blind_tries > 30 )
-                return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
-        }
-        while( mbedtls_mpi_cmp_int( &t, 1 ) < 0 ||
-               mbedtls_mpi_cmp_mpi( &t, &grp->N ) >= 0 );
+        MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, &t, f_rng, p_rng ) );
 
         /*
          * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n
          */
-        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, r, d ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, pr, d ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
-        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &k, &k, &t ) );
-        MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, &k, &grp->N ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pk, pk, &t ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );
-
-        if( sign_tries++ > 10 )
-        {
-            ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
-            goto cleanup;
-        }
     }
     while( mbedtls_mpi_cmp_int( s, 0 ) == 0 );
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->sig != NULL )
+        mbedtls_mpi_copy( r, pr );
+#endif
+
 cleanup:
     mbedtls_ecp_point_free( &R );
     mbedtls_mpi_free( &k ); mbedtls_mpi_free( &e ); mbedtls_mpi_free( &t );
 
+    ECDSA_RS_LEAVE( sig );
+
     return( ret );
 }
-#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+
+/*
+ * Compute ECDSA signature of a hashed message
+ */
+int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
+                const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    ECDSA_VALIDATE_RET( grp   != NULL );
+    ECDSA_VALIDATE_RET( r     != NULL );
+    ECDSA_VALIDATE_RET( s     != NULL );
+    ECDSA_VALIDATE_RET( d     != NULL );
+    ECDSA_VALIDATE_RET( f_rng != NULL );
+    ECDSA_VALIDATE_RET( buf   != NULL || blen == 0 );
+
+    return( ecdsa_sign_restartable( grp, r, s, d, buf, blen,
+                                    f_rng, p_rng, NULL ) );
+}
+#endif /* !MBEDTLS_ECDSA_SIGN_ALT */
 
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
 /*
  * Deterministic signature wrapper
  */
-int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
+static int ecdsa_sign_det_restartable( mbedtls_ecp_group *grp,
+                    mbedtls_mpi *r, mbedtls_mpi *s,
                     const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
-                    mbedtls_md_type_t md_alg )
+                    mbedtls_md_type_t md_alg,
+                    mbedtls_ecdsa_restart_ctx *rs_ctx )
 {
     int ret;
     mbedtls_hmac_drbg_context rng_ctx;
+    mbedtls_hmac_drbg_context *p_rng = &rng_ctx;
     unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES];
     size_t grp_len = ( grp->nbits + 7 ) / 8;
     const mbedtls_md_info_t *md_info;
@@ -181,21 +421,64 @@ int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi
     mbedtls_mpi_init( &h );
     mbedtls_hmac_drbg_init( &rng_ctx );
 
+    ECDSA_RS_ENTER( det );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->det != NULL )
+    {
+        /* redirect to our context */
+        p_rng = &rs_ctx->det->rng_ctx;
+
+        /* jump to current step */
+        if( rs_ctx->det->state == ecdsa_det_sign )
+            goto sign;
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
     /* Use private key and message hash (reduced) to initialize HMAC_DRBG */
     MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( d, data, grp_len ) );
     MBEDTLS_MPI_CHK( derive_mpi( grp, &h, buf, blen ) );
     MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, data + grp_len, grp_len ) );
-    mbedtls_hmac_drbg_seed_buf( &rng_ctx, md_info, data, 2 * grp_len );
+    mbedtls_hmac_drbg_seed_buf( p_rng, md_info, data, 2 * grp_len );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->det != NULL )
+        rs_ctx->det->state = ecdsa_det_sign;
 
+sign:
+#endif
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
     ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen,
-                      mbedtls_hmac_drbg_random, &rng_ctx );
+                              mbedtls_hmac_drbg_random, p_rng );
+#else
+    ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen,
+                      mbedtls_hmac_drbg_random, p_rng, rs_ctx );
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
 
 cleanup:
     mbedtls_hmac_drbg_free( &rng_ctx );
     mbedtls_mpi_free( &h );
 
+    ECDSA_RS_LEAVE( det );
+
     return( ret );
 }
+
+/*
+ * Deterministic signature wrapper
+ */
+int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
+                    const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                    mbedtls_md_type_t md_alg )
+{
+    ECDSA_VALIDATE_RET( grp   != NULL );
+    ECDSA_VALIDATE_RET( r     != NULL );
+    ECDSA_VALIDATE_RET( s     != NULL );
+    ECDSA_VALIDATE_RET( d     != NULL );
+    ECDSA_VALIDATE_RET( buf   != NULL || blen == 0 );
+
+    return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg, NULL ) );
+}
 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
 
 #if !defined(MBEDTLS_ECDSA_VERIFY_ALT)
@@ -203,21 +486,40 @@ int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi
  * Verify ECDSA signature of hashed message (SEC1 4.1.4)
  * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message)
  */
-int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
-                  const unsigned char *buf, size_t blen,
-                  const mbedtls_ecp_point *Q, const mbedtls_mpi *r, const mbedtls_mpi *s)
+static int ecdsa_verify_restartable( mbedtls_ecp_group *grp,
+                                     const unsigned char *buf, size_t blen,
+                                     const mbedtls_ecp_point *Q,
+                                     const mbedtls_mpi *r, const mbedtls_mpi *s,
+                                     mbedtls_ecdsa_restart_ctx *rs_ctx )
 {
     int ret;
     mbedtls_mpi e, s_inv, u1, u2;
     mbedtls_ecp_point R;
+    mbedtls_mpi *pu1 = &u1, *pu2 = &u2;
 
     mbedtls_ecp_point_init( &R );
-    mbedtls_mpi_init( &e ); mbedtls_mpi_init( &s_inv ); mbedtls_mpi_init( &u1 ); mbedtls_mpi_init( &u2 );
+    mbedtls_mpi_init( &e ); mbedtls_mpi_init( &s_inv );
+    mbedtls_mpi_init( &u1 ); mbedtls_mpi_init( &u2 );
 
     /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
     if( grp->N.p == NULL )
         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
 
+    ECDSA_RS_ENTER( ver );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ver != NULL )
+    {
+        /* redirect to our context */
+        pu1 = &rs_ctx->ver->u1;
+        pu2 = &rs_ctx->ver->u2;
+
+        /* jump to current step */
+        if( rs_ctx->ver->state == ecdsa_ver_muladd )
+            goto muladd;
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
     /*
      * Step 1: make sure r and s are in range 1..n-1
      */
@@ -228,11 +530,6 @@ int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
         goto cleanup;
     }
 
-    /*
-     * Additional precaution: make sure Q is valid
-     */
-    MBEDTLS_MPI_CHK( mbedtls_ecp_check_pubkey( grp, Q ) );
-
     /*
      * Step 3: derive MPI from hashed message
      */
@@ -241,21 +538,27 @@ int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
     /*
      * Step 4: u1 = e / s mod n, u2 = r / s mod n
      */
+    ECDSA_BUDGET( MBEDTLS_ECP_OPS_CHK + MBEDTLS_ECP_OPS_INV + 2 );
+
     MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &s_inv, s, &grp->N ) );
 
-    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &u1, &e, &s_inv ) );
-    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &u1, &u1, &grp->N ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pu1, &e, &s_inv ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pu1, pu1, &grp->N ) );
 
-    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &u2, r, &s_inv ) );
-    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &u2, &u2, &grp->N ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pu2, r, &s_inv ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pu2, pu2, &grp->N ) );
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ver != NULL )
+        rs_ctx->ver->state = ecdsa_ver_muladd;
+
+muladd:
+#endif
     /*
      * Step 5: R = u1 G + u2 Q
-     *
-     * Since we're not using any secret data, no need to pass a RNG to
-     * mbedtls_ecp_mul() for countermesures.
      */
-    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( grp, &R, &u1, &grp->G, &u2, Q ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd_restartable( grp,
+                     &R, pu1, &grp->G, pu2, Q, ECDSA_RS_ECP ) );
 
     if( mbedtls_ecp_is_zero( &R ) )
     {
@@ -280,11 +583,32 @@ int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
 
 cleanup:
     mbedtls_ecp_point_free( &R );
-    mbedtls_mpi_free( &e ); mbedtls_mpi_free( &s_inv ); mbedtls_mpi_free( &u1 ); mbedtls_mpi_free( &u2 );
+    mbedtls_mpi_free( &e ); mbedtls_mpi_free( &s_inv );
+    mbedtls_mpi_free( &u1 ); mbedtls_mpi_free( &u2 );
+
+    ECDSA_RS_LEAVE( ver );
 
     return( ret );
 }
-#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
+
+/*
+ * Verify ECDSA signature of hashed message
+ */
+int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
+                          const unsigned char *buf, size_t blen,
+                          const mbedtls_ecp_point *Q,
+                          const mbedtls_mpi *r,
+                          const mbedtls_mpi *s)
+{
+    ECDSA_VALIDATE_RET( grp != NULL );
+    ECDSA_VALIDATE_RET( Q   != NULL );
+    ECDSA_VALIDATE_RET( r   != NULL );
+    ECDSA_VALIDATE_RET( s   != NULL );
+    ECDSA_VALIDATE_RET( buf != NULL || blen == 0 );
+
+    return( ecdsa_verify_restartable( grp, buf, blen, Q, r, s, NULL ) );
+}
+#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
 
 /*
  * Convert a signature (given by context) to ASN.1
@@ -313,14 +637,20 @@ static int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s,
 /*
  * Compute and write signature
  */
-int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t md_alg,
+int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx,
+                           mbedtls_md_type_t md_alg,
                            const unsigned char *hash, size_t hlen,
                            unsigned char *sig, size_t *slen,
                            int (*f_rng)(void *, unsigned char *, size_t),
-                           void *p_rng )
+                           void *p_rng,
+                           mbedtls_ecdsa_restart_ctx *rs_ctx )
 {
     int ret;
     mbedtls_mpi r, s;
+    ECDSA_VALIDATE_RET( ctx  != NULL );
+    ECDSA_VALIDATE_RET( hash != NULL );
+    ECDSA_VALIDATE_RET( sig  != NULL );
+    ECDSA_VALIDATE_RET( slen != NULL );
 
     mbedtls_mpi_init( &r );
     mbedtls_mpi_init( &s );
@@ -329,14 +659,19 @@ int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t
     (void) f_rng;
     (void) p_rng;
 
-    MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign_det( &ctx->grp, &r, &s, &ctx->d,
-                             hash, hlen, md_alg ) );
+    MBEDTLS_MPI_CHK( ecdsa_sign_det_restartable( &ctx->grp, &r, &s, &ctx->d,
+                             hash, hlen, md_alg, rs_ctx ) );
 #else
     (void) md_alg;
 
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
     MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ctx->grp, &r, &s, &ctx->d,
                          hash, hlen, f_rng, p_rng ) );
-#endif
+#else
+    MBEDTLS_MPI_CHK( ecdsa_sign_restartable( &ctx->grp, &r, &s, &ctx->d,
+                         hash, hlen, f_rng, p_rng, rs_ctx ) );
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
 
     MBEDTLS_MPI_CHK( ecdsa_signature_to_asn1( &r, &s, sig, slen ) );
 
@@ -347,13 +682,35 @@ int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t
     return( ret );
 }
 
-#if ! defined(MBEDTLS_DEPRECATED_REMOVED) && \
+/*
+ * Compute and write signature
+ */
+int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx,
+                                 mbedtls_md_type_t md_alg,
+                                 const unsigned char *hash, size_t hlen,
+                                 unsigned char *sig, size_t *slen,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng )
+{
+    ECDSA_VALIDATE_RET( ctx  != NULL );
+    ECDSA_VALIDATE_RET( hash != NULL );
+    ECDSA_VALIDATE_RET( sig  != NULL );
+    ECDSA_VALIDATE_RET( slen != NULL );
+    return( mbedtls_ecdsa_write_signature_restartable(
+                ctx, md_alg, hash, hlen, sig, slen, f_rng, p_rng, NULL ) );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED) && \
     defined(MBEDTLS_ECDSA_DETERMINISTIC)
 int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
                                const unsigned char *hash, size_t hlen,
                                unsigned char *sig, size_t *slen,
                                mbedtls_md_type_t md_alg )
 {
+    ECDSA_VALIDATE_RET( ctx  != NULL );
+    ECDSA_VALIDATE_RET( hash != NULL );
+    ECDSA_VALIDATE_RET( sig  != NULL );
+    ECDSA_VALIDATE_RET( slen != NULL );
     return( mbedtls_ecdsa_write_signature( ctx, md_alg, hash, hlen, sig, slen,
                                    NULL, NULL ) );
 }
@@ -365,12 +722,30 @@ int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
 int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
                           const unsigned char *hash, size_t hlen,
                           const unsigned char *sig, size_t slen )
+{
+    ECDSA_VALIDATE_RET( ctx  != NULL );
+    ECDSA_VALIDATE_RET( hash != NULL );
+    ECDSA_VALIDATE_RET( sig  != NULL );
+    return( mbedtls_ecdsa_read_signature_restartable(
+                ctx, hash, hlen, sig, slen, NULL ) );
+}
+
+/*
+ * Restartable read and check signature
+ */
+int mbedtls_ecdsa_read_signature_restartable( mbedtls_ecdsa_context *ctx,
+                          const unsigned char *hash, size_t hlen,
+                          const unsigned char *sig, size_t slen,
+                          mbedtls_ecdsa_restart_ctx *rs_ctx )
 {
     int ret;
     unsigned char *p = (unsigned char *) sig;
     const unsigned char *end = sig + slen;
     size_t len;
     mbedtls_mpi r, s;
+    ECDSA_VALIDATE_RET( ctx  != NULL );
+    ECDSA_VALIDATE_RET( hash != NULL );
+    ECDSA_VALIDATE_RET( sig  != NULL );
 
     mbedtls_mpi_init( &r );
     mbedtls_mpi_init( &s );
@@ -395,10 +770,15 @@ int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
         ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
         goto cleanup;
     }
-
+#if defined(MBEDTLS_ECDSA_VERIFY_ALT)
     if( ( ret = mbedtls_ecdsa_verify( &ctx->grp, hash, hlen,
-                              &ctx->Q, &r, &s ) ) != 0 )
+                                      &ctx->Q, &r, &s ) ) != 0 )
         goto cleanup;
+#else
+    if( ( ret = ecdsa_verify_restartable( &ctx->grp, hash, hlen,
+                              &ctx->Q, &r, &s, rs_ctx ) ) != 0 )
+        goto cleanup;
+#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
 
     /* At this point we know that the buffer starts with a valid signature.
      * Return 0 if the buffer just contains the signature, and a specific
@@ -421,6 +801,9 @@ int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
 {
     int ret = 0;
+    ECDSA_VALIDATE_RET( ctx   != NULL );
+    ECDSA_VALIDATE_RET( f_rng != NULL );
+
     ret = mbedtls_ecp_group_load( &ctx->grp, gid );
     if( ret != 0 )
         return( ret );
@@ -428,7 +811,7 @@ int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
    return( mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d,
                                     &ctx->Q, f_rng, p_rng ) );
 }
-#endif /* MBEDTLS_ECDSA_GENKEY_ALT */
+#endif /* !MBEDTLS_ECDSA_GENKEY_ALT */
 
 /*
  * Set context from an mbedtls_ecp_keypair
@@ -436,6 +819,8 @@ int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
 int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key )
 {
     int ret;
+    ECDSA_VALIDATE_RET( ctx != NULL );
+    ECDSA_VALIDATE_RET( key != NULL );
 
     if( ( ret = mbedtls_ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 ||
         ( ret = mbedtls_mpi_copy( &ctx->d, &key->d ) ) != 0 ||
@@ -452,6 +837,8 @@ int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_ke
  */
 void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx )
 {
+    ECDSA_VALIDATE( ctx != NULL );
+
     mbedtls_ecp_keypair_init( ctx );
 }
 
@@ -460,7 +847,53 @@ void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx )
  */
 void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx )
 {
+    if( ctx == NULL )
+        return;
+
     mbedtls_ecp_keypair_free( ctx );
 }
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_ecdsa_restart_init( mbedtls_ecdsa_restart_ctx *ctx )
+{
+    ECDSA_VALIDATE( ctx != NULL );
+
+    mbedtls_ecp_restart_init( &ctx->ecp );
+
+    ctx->ver = NULL;
+    ctx->sig = NULL;
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    ctx->det = NULL;
+#endif
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_ecdsa_restart_free( mbedtls_ecdsa_restart_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_ecp_restart_free( &ctx->ecp );
+
+    ecdsa_restart_ver_free( ctx->ver );
+    mbedtls_free( ctx->ver );
+    ctx->ver = NULL;
+
+    ecdsa_restart_sig_free( ctx->sig );
+    mbedtls_free( ctx->sig );
+    ctx->sig = NULL;
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    ecdsa_restart_det_free( ctx->det );
+    mbedtls_free( ctx->det );
+    ctx->det = NULL;
+#endif
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
 #endif /* MBEDTLS_ECDSA_C */
diff --git a/3rdparty/mbedtls/mbedtls/library/ecjpake.c b/3rdparty/mbedtls/mbedtls/library/ecjpake.c
index ec5a4007db..be941b14b1 100644
--- a/3rdparty/mbedtls/mbedtls/library/ecjpake.c
+++ b/3rdparty/mbedtls/mbedtls/library/ecjpake.c
@@ -33,11 +33,18 @@
 #if defined(MBEDTLS_ECJPAKE_C)
 
 #include "mbedtls/ecjpake.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
 #if !defined(MBEDTLS_ECJPAKE_ALT)
 
+/* Parameter validation macros based on platform_util.h */
+#define ECJPAKE_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECJPAKE_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
 /*
  * Convert a mbedtls_ecjpake_role to identifier string
  */
@@ -54,8 +61,7 @@ static const char * const ecjpake_id[] = {
  */
 void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx )
 {
-    if( ctx == NULL )
-        return;
+    ECJPAKE_VALIDATE( ctx != NULL );
 
     ctx->md_info = NULL;
     mbedtls_ecp_group_init( &ctx->grp );
@@ -106,6 +112,11 @@ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,
 {
     int ret;
 
+    ECJPAKE_VALIDATE_RET( ctx != NULL );
+    ECJPAKE_VALIDATE_RET( role == MBEDTLS_ECJPAKE_CLIENT ||
+                          role == MBEDTLS_ECJPAKE_SERVER );
+    ECJPAKE_VALIDATE_RET( secret != NULL || len == 0 );
+
     ctx->role = role;
 
     if( ( ctx->md_info = mbedtls_md_info_from_type( hash ) ) == NULL )
@@ -127,6 +138,8 @@ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,
  */
 int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx )
 {
+    ECJPAKE_VALIDATE_RET( ctx != NULL );
+
     if( ctx->md_info == NULL ||
         ctx->grp.id == MBEDTLS_ECP_DP_NONE ||
         ctx->s.p == NULL )
@@ -504,6 +517,9 @@ int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx,
                                     const unsigned char *buf,
                                     size_t len )
 {
+    ECJPAKE_VALIDATE_RET( ctx != NULL );
+    ECJPAKE_VALIDATE_RET( buf != NULL );
+
     return( ecjpake_kkpp_read( ctx->md_info, &ctx->grp, ctx->point_format,
                                &ctx->grp.G,
                                &ctx->Xp1, &ctx->Xp2, ID_PEER,
@@ -518,6 +534,11 @@ int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx,
                             int (*f_rng)(void *, unsigned char *, size_t),
                             void *p_rng )
 {
+    ECJPAKE_VALIDATE_RET( ctx   != NULL );
+    ECJPAKE_VALIDATE_RET( buf   != NULL );
+    ECJPAKE_VALIDATE_RET( olen  != NULL );
+    ECJPAKE_VALIDATE_RET( f_rng != NULL );
+
     return( ecjpake_kkpp_write( ctx->md_info, &ctx->grp, ctx->point_format,
                                 &ctx->grp.G,
                                 &ctx->xm1, &ctx->Xm1, &ctx->xm2, &ctx->Xm2,
@@ -560,6 +581,9 @@ int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx,
     mbedtls_ecp_group grp;
     mbedtls_ecp_point G;    /* C: GB, S: GA */
 
+    ECJPAKE_VALIDATE_RET( ctx != NULL );
+    ECJPAKE_VALIDATE_RET( buf != NULL );
+
     mbedtls_ecp_group_init( &grp );
     mbedtls_ecp_point_init( &G );
 
@@ -652,6 +676,11 @@ int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx,
     const unsigned char *end = buf + len;
     size_t ec_len;
 
+    ECJPAKE_VALIDATE_RET( ctx   != NULL );
+    ECJPAKE_VALIDATE_RET( buf   != NULL );
+    ECJPAKE_VALIDATE_RET( olen  != NULL );
+    ECJPAKE_VALIDATE_RET( f_rng != NULL );
+
     mbedtls_ecp_point_init( &G );
     mbedtls_ecp_point_init( &Xm );
     mbedtls_mpi_init( &xm );
@@ -727,6 +756,11 @@ int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
     unsigned char kx[MBEDTLS_ECP_MAX_BYTES];
     size_t x_bytes;
 
+    ECJPAKE_VALIDATE_RET( ctx   != NULL );
+    ECJPAKE_VALIDATE_RET( buf   != NULL );
+    ECJPAKE_VALIDATE_RET( olen  != NULL );
+    ECJPAKE_VALIDATE_RET( f_rng != NULL );
+
     *olen = mbedtls_md_get_size( ctx->md_info );
     if( len < *olen )
         return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
diff --git a/3rdparty/mbedtls/mbedtls/library/ecp.c b/3rdparty/mbedtls/mbedtls/library/ecp.c
index 75233f8cef..db36191b9b 100644
--- a/3rdparty/mbedtls/mbedtls/library/ecp.c
+++ b/3rdparty/mbedtls/mbedtls/library/ecp.c
@@ -26,6 +26,7 @@
  * GECC = Guide to Elliptic Curve Cryptography - Hankerson, Menezes, Vanstone
  * FIPS 186-3 http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
  * RFC 4492 for the related TLS structures and constants
+ * RFC 7748 for the Curve448 and Curve25519 curve definitions
  *
  * [Curve25519] http://cr.yp.to/ecdh/curve25519-20060209.pdf
  *
@@ -46,15 +47,51 @@
 #include MBEDTLS_CONFIG_FILE
 #endif
 
+/**
+ * \brief Function level alternative implementation.
+ *
+ * The MBEDTLS_ECP_INTERNAL_ALT macro enables alternative implementations to
+ * replace certain functions in this module. The alternative implementations are
+ * typically hardware accelerators and need to activate the hardware before the
+ * computation starts and deactivate it after it finishes. The
+ * mbedtls_internal_ecp_init() and mbedtls_internal_ecp_free() functions serve
+ * this purpose.
+ *
+ * To preserve the correct functionality the following conditions must hold:
+ *
+ * - The alternative implementation must be activated by
+ *   mbedtls_internal_ecp_init() before any of the replaceable functions is
+ *   called.
+ * - mbedtls_internal_ecp_free() must \b only be called when the alternative
+ *   implementation is activated.
+ * - mbedtls_internal_ecp_init() must \b not be called when the alternative
+ *   implementation is activated.
+ * - Public functions must not return while the alternative implementation is
+ *   activated.
+ * - Replaceable functions are guarded by \c MBEDTLS_ECP_XXX_ALT macros and
+ *   before calling them an \code if( mbedtls_internal_ecp_grp_capable( grp ) )
+ *   \endcode ensures that the alternative implementation supports the current
+ *   group.
+ */
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+#endif
+
 #if defined(MBEDTLS_ECP_C)
 
 #include "mbedtls/ecp.h"
 #include "mbedtls/threading.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
 #if !defined(MBEDTLS_ECP_ALT)
 
+/* Parameter validation macros based on platform_util.h */
+#define ECP_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECP_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
 #if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
 #else
@@ -72,11 +109,6 @@
 #define inline __inline
 #endif
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 #if defined(MBEDTLS_SELF_TEST)
 /*
  * Counts of point addition and doubling, and field multiplications.
@@ -85,6 +117,233 @@ static void mbedtls_zeroize( void *v, size_t n ) {
 static unsigned long add_count, dbl_count, mul_count;
 #endif
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Maximum number of "basic operations" to be done in a row.
+ *
+ * Default value 0 means that ECC operations will not yield.
+ * Note that regardless of the value of ecp_max_ops, always at
+ * least one step is performed before yielding.
+ *
+ * Setting ecp_max_ops=1 can be suitable for testing purposes
+ * as it will interrupt computation at all possible points.
+ */
+static unsigned ecp_max_ops = 0;
+
+/*
+ * Set ecp_max_ops
+ */
+void mbedtls_ecp_set_max_ops( unsigned max_ops )
+{
+    ecp_max_ops = max_ops;
+}
+
+/*
+ * Check if restart is enabled
+ */
+int mbedtls_ecp_restart_is_enabled( void )
+{
+    return( ecp_max_ops != 0 );
+}
+
+/*
+ * Restart sub-context for ecp_mul_comb()
+ */
+struct mbedtls_ecp_restart_mul
+{
+    mbedtls_ecp_point R;    /* current intermediate result                  */
+    size_t i;               /* current index in various loops, 0 outside    */
+    mbedtls_ecp_point *T;   /* table for precomputed points                 */
+    unsigned char T_size;   /* number of points in table T                  */
+    enum {                  /* what were we doing last time we returned?    */
+        ecp_rsm_init = 0,       /* nothing so far, dummy initial state      */
+        ecp_rsm_pre_dbl,        /* precompute 2^n multiples                 */
+        ecp_rsm_pre_norm_dbl,   /* normalize precomputed 2^n multiples      */
+        ecp_rsm_pre_add,        /* precompute remaining points by adding    */
+        ecp_rsm_pre_norm_add,   /* normalize all precomputed points         */
+        ecp_rsm_comb_core,      /* ecp_mul_comb_core()                      */
+        ecp_rsm_final_norm,     /* do the final normalization               */
+    } state;
+};
+
+/*
+ * Init restart_mul sub-context
+ */
+static void ecp_restart_rsm_init( mbedtls_ecp_restart_mul_ctx *ctx )
+{
+    mbedtls_ecp_point_init( &ctx->R );
+    ctx->i = 0;
+    ctx->T = NULL;
+    ctx->T_size = 0;
+    ctx->state = ecp_rsm_init;
+}
+
+/*
+ * Free the components of a restart_mul sub-context
+ */
+static void ecp_restart_rsm_free( mbedtls_ecp_restart_mul_ctx *ctx )
+{
+    unsigned char i;
+
+    if( ctx == NULL )
+        return;
+
+    mbedtls_ecp_point_free( &ctx->R );
+
+    if( ctx->T != NULL )
+    {
+        for( i = 0; i < ctx->T_size; i++ )
+            mbedtls_ecp_point_free( ctx->T + i );
+        mbedtls_free( ctx->T );
+    }
+
+    ecp_restart_rsm_init( ctx );
+}
+
+/*
+ * Restart context for ecp_muladd()
+ */
+struct mbedtls_ecp_restart_muladd
+{
+    mbedtls_ecp_point mP;       /* mP value                             */
+    mbedtls_ecp_point R;        /* R intermediate result                */
+    enum {                      /* what should we do next?              */
+        ecp_rsma_mul1 = 0,      /* first multiplication                 */
+        ecp_rsma_mul2,          /* second multiplication                */
+        ecp_rsma_add,           /* addition                             */
+        ecp_rsma_norm,          /* normalization                        */
+    } state;
+};
+
+/*
+ * Init restart_muladd sub-context
+ */
+static void ecp_restart_ma_init( mbedtls_ecp_restart_muladd_ctx *ctx )
+{
+    mbedtls_ecp_point_init( &ctx->mP );
+    mbedtls_ecp_point_init( &ctx->R );
+    ctx->state = ecp_rsma_mul1;
+}
+
+/*
+ * Free the components of a restart_muladd sub-context
+ */
+static void ecp_restart_ma_free( mbedtls_ecp_restart_muladd_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_ecp_point_free( &ctx->mP );
+    mbedtls_ecp_point_free( &ctx->R );
+
+    ecp_restart_ma_init( ctx );
+}
+
+/*
+ * Initialize a restart context
+ */
+void mbedtls_ecp_restart_init( mbedtls_ecp_restart_ctx *ctx )
+{
+    ECP_VALIDATE( ctx != NULL );
+    ctx->ops_done = 0;
+    ctx->depth = 0;
+    ctx->rsm = NULL;
+    ctx->ma = NULL;
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_ecp_restart_free( mbedtls_ecp_restart_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    ecp_restart_rsm_free( ctx->rsm );
+    mbedtls_free( ctx->rsm );
+
+    ecp_restart_ma_free( ctx->ma );
+    mbedtls_free( ctx->ma );
+
+    mbedtls_ecp_restart_init( ctx );
+}
+
+/*
+ * Check if we can do the next step
+ */
+int mbedtls_ecp_check_budget( const mbedtls_ecp_group *grp,
+                              mbedtls_ecp_restart_ctx *rs_ctx,
+                              unsigned ops )
+{
+    ECP_VALIDATE_RET( grp != NULL );
+
+    if( rs_ctx != NULL && ecp_max_ops != 0 )
+    {
+        /* scale depending on curve size: the chosen reference is 256-bit,
+         * and multiplication is quadratic. Round to the closest integer. */
+        if( grp->pbits >= 512 )
+            ops *= 4;
+        else if( grp->pbits >= 384 )
+            ops *= 2;
+
+        /* Avoid infinite loops: always allow first step.
+         * Because of that, however, it's not generally true
+         * that ops_done <= ecp_max_ops, so the check
+         * ops_done > ecp_max_ops below is mandatory. */
+        if( ( rs_ctx->ops_done != 0 ) &&
+            ( rs_ctx->ops_done > ecp_max_ops ||
+              ops > ecp_max_ops - rs_ctx->ops_done ) )
+        {
+            return( MBEDTLS_ERR_ECP_IN_PROGRESS );
+        }
+
+        /* update running count */
+        rs_ctx->ops_done += ops;
+    }
+
+    return( 0 );
+}
+
+/* Call this when entering a function that needs its own sub-context */
+#define ECP_RS_ENTER( SUB )   do {                                      \
+    /* reset ops count for this call if top-level */                    \
+    if( rs_ctx != NULL && rs_ctx->depth++ == 0 )                        \
+        rs_ctx->ops_done = 0;                                           \
+                                                                        \
+    /* set up our own sub-context if needed */                          \
+    if( mbedtls_ecp_restart_is_enabled() &&                             \
+        rs_ctx != NULL && rs_ctx->SUB == NULL )                         \
+    {                                                                   \
+        rs_ctx->SUB = mbedtls_calloc( 1, sizeof( *rs_ctx->SUB ) );      \
+        if( rs_ctx->SUB == NULL )                                       \
+            return( MBEDTLS_ERR_ECP_ALLOC_FAILED );                     \
+                                                                        \
+        ecp_restart_## SUB ##_init( rs_ctx->SUB );                      \
+    }                                                                   \
+} while( 0 )
+
+/* Call this when leaving a function that needs its own sub-context */
+#define ECP_RS_LEAVE( SUB )   do {                                      \
+    /* clear our sub-context when not in progress (done or error) */    \
+    if( rs_ctx != NULL && rs_ctx->SUB != NULL &&                        \
+        ret != MBEDTLS_ERR_ECP_IN_PROGRESS )                            \
+    {                                                                   \
+        ecp_restart_## SUB ##_free( rs_ctx->SUB );                      \
+        mbedtls_free( rs_ctx->SUB );                                    \
+        rs_ctx->SUB = NULL;                                             \
+    }                                                                   \
+                                                                        \
+    if( rs_ctx != NULL )                                                \
+        rs_ctx->depth--;                                                \
+} while( 0 )
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define ECP_RS_ENTER( sub )     (void) rs_ctx;
+#define ECP_RS_LEAVE( sub )     (void) rs_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) ||   \
     defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) ||   \
     defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ||   \
@@ -99,7 +358,8 @@ static unsigned long add_count, dbl_count, mul_count;
 #define ECP_SHORTWEIERSTRASS
 #endif
 
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
+    defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
 #define ECP_MONTGOMERY
 #endif
 
@@ -245,6 +505,9 @@ const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name( const char *name
 {
     const mbedtls_ecp_curve_info *curve_info;
 
+    if( name == NULL )
+        return( NULL );
+
     for( curve_info = mbedtls_ecp_curve_list();
          curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
          curve_info++ )
@@ -275,8 +538,7 @@ static inline ecp_curve_type ecp_get_type( const mbedtls_ecp_group *grp )
  */
 void mbedtls_ecp_point_init( mbedtls_ecp_point *pt )
 {
-    if( pt == NULL )
-        return;
+    ECP_VALIDATE( pt != NULL );
 
     mbedtls_mpi_init( &pt->X );
     mbedtls_mpi_init( &pt->Y );
@@ -288,10 +550,23 @@ void mbedtls_ecp_point_init( mbedtls_ecp_point *pt )
  */
 void mbedtls_ecp_group_init( mbedtls_ecp_group *grp )
 {
-    if( grp == NULL )
-        return;
-
-    memset( grp, 0, sizeof( mbedtls_ecp_group ) );
+    ECP_VALIDATE( grp != NULL );
+
+    grp->id = MBEDTLS_ECP_DP_NONE;
+    mbedtls_mpi_init( &grp->P );
+    mbedtls_mpi_init( &grp->A );
+    mbedtls_mpi_init( &grp->B );
+    mbedtls_ecp_point_init( &grp->G );
+    mbedtls_mpi_init( &grp->N );
+    grp->pbits = 0;
+    grp->nbits = 0;
+    grp->h = 0;
+    grp->modp = NULL;
+    grp->t_pre = NULL;
+    grp->t_post = NULL;
+    grp->t_data = NULL;
+    grp->T = NULL;
+    grp->T_size = 0;
 }
 
 /*
@@ -299,8 +574,7 @@ void mbedtls_ecp_group_init( mbedtls_ecp_group *grp )
  */
 void mbedtls_ecp_keypair_init( mbedtls_ecp_keypair *key )
 {
-    if( key == NULL )
-        return;
+    ECP_VALIDATE( key != NULL );
 
     mbedtls_ecp_group_init( &key->grp );
     mbedtls_mpi_init( &key->d );
@@ -346,7 +620,7 @@ void mbedtls_ecp_group_free( mbedtls_ecp_group *grp )
         mbedtls_free( grp->T );
     }
 
-    mbedtls_zeroize( grp, sizeof( mbedtls_ecp_group ) );
+    mbedtls_platform_zeroize( grp, sizeof( mbedtls_ecp_group ) );
 }
 
 /*
@@ -368,6 +642,8 @@ void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key )
 int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q )
 {
     int ret;
+    ECP_VALIDATE_RET( P != NULL );
+    ECP_VALIDATE_RET( Q != NULL );
 
     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->X, &Q->X ) );
     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->Y, &Q->Y ) );
@@ -382,7 +658,10 @@ int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q )
  */
 int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst, const mbedtls_ecp_group *src )
 {
-    return mbedtls_ecp_group_load( dst, src->id );
+    ECP_VALIDATE_RET( dst != NULL );
+    ECP_VALIDATE_RET( src != NULL );
+
+    return( mbedtls_ecp_group_load( dst, src->id ) );
 }
 
 /*
@@ -391,6 +670,7 @@ int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst, const mbedtls_ecp_group *src
 int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt )
 {
     int ret;
+    ECP_VALIDATE_RET( pt != NULL );
 
     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->X , 1 ) );
     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Y , 1 ) );
@@ -405,6 +685,8 @@ int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt )
  */
 int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt )
 {
+    ECP_VALIDATE_RET( pt != NULL );
+
     return( mbedtls_mpi_cmp_int( &pt->Z, 0 ) == 0 );
 }
 
@@ -414,6 +696,9 @@ int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt )
 int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P,
                            const mbedtls_ecp_point *Q )
 {
+    ECP_VALIDATE_RET( P != NULL );
+    ECP_VALIDATE_RET( Q != NULL );
+
     if( mbedtls_mpi_cmp_mpi( &P->X, &Q->X ) == 0 &&
         mbedtls_mpi_cmp_mpi( &P->Y, &Q->Y ) == 0 &&
         mbedtls_mpi_cmp_mpi( &P->Z, &Q->Z ) == 0 )
@@ -431,6 +716,9 @@ int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix,
                            const char *x, const char *y )
 {
     int ret;
+    ECP_VALIDATE_RET( P != NULL );
+    ECP_VALIDATE_RET( x != NULL );
+    ECP_VALIDATE_RET( y != NULL );
 
     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &P->X, radix, x ) );
     MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &P->Y, radix, y ) );
@@ -443,16 +731,19 @@ int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix,
 /*
  * Export a point into unsigned binary data (SEC1 2.3.3)
  */
-int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *P,
-                            int format, size_t *olen,
-                            unsigned char *buf, size_t buflen )
+int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp,
+                                    const mbedtls_ecp_point *P,
+                                    int format, size_t *olen,
+                                    unsigned char *buf, size_t buflen )
 {
     int ret = 0;
     size_t plen;
-
-    if( format != MBEDTLS_ECP_PF_UNCOMPRESSED &&
-        format != MBEDTLS_ECP_PF_COMPRESSED )
-        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    ECP_VALIDATE_RET( grp  != NULL );
+    ECP_VALIDATE_RET( P    != NULL );
+    ECP_VALIDATE_RET( olen != NULL );
+    ECP_VALIDATE_RET( buf  != NULL );
+    ECP_VALIDATE_RET( format == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+                      format == MBEDTLS_ECP_PF_COMPRESSED );
 
     /*
      * Common case: P == 0
@@ -499,11 +790,15 @@ int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp, const mbedtls_
 /*
  * Import a point from unsigned binary data (SEC1 2.3.4)
  */
-int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
-                           const unsigned char *buf, size_t ilen )
+int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp,
+                                   mbedtls_ecp_point *pt,
+                                   const unsigned char *buf, size_t ilen )
 {
     int ret;
     size_t plen;
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( pt  != NULL );
+    ECP_VALIDATE_RET( buf != NULL );
 
     if( ilen < 1 )
         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
@@ -538,11 +833,16 @@ int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp, mbedtls_ecp_poi
  *          opaque point <1..2^8-1>;
  *      } ECPoint;
  */
-int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
-                        const unsigned char **buf, size_t buf_len )
+int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp,
+                                mbedtls_ecp_point *pt,
+                                const unsigned char **buf, size_t buf_len )
 {
     unsigned char data_len;
     const unsigned char *buf_start;
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( pt  != NULL );
+    ECP_VALIDATE_RET( buf != NULL );
+    ECP_VALIDATE_RET( *buf != NULL );
 
     /*
      * We must have at least two bytes (1 for length, at least one for data)
@@ -560,7 +860,7 @@ int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp, mbedtls_ecp_point
     buf_start = *buf;
     *buf += data_len;
 
-    return mbedtls_ecp_point_read_binary( grp, pt, buf_start, data_len );
+    return( mbedtls_ecp_point_read_binary( grp, pt, buf_start, data_len ) );
 }
 
 /*
@@ -574,6 +874,12 @@ int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp, const mbedtls_ecp
                          unsigned char *buf, size_t blen )
 {
     int ret;
+    ECP_VALIDATE_RET( grp  != NULL );
+    ECP_VALIDATE_RET( pt   != NULL );
+    ECP_VALIDATE_RET( olen != NULL );
+    ECP_VALIDATE_RET( buf  != NULL );
+    ECP_VALIDATE_RET( format == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+                      format == MBEDTLS_ECP_PF_COMPRESSED );
 
     /*
      * buffer length must be at least one, for our length byte
@@ -597,10 +903,33 @@ int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp, const mbedtls_ecp
 /*
  * Set a group from an ECParameters record (RFC 4492)
  */
-int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp, const unsigned char **buf, size_t len )
+int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp,
+                                const unsigned char **buf, size_t len )
+{
+    int ret;
+    mbedtls_ecp_group_id grp_id;
+    ECP_VALIDATE_RET( grp  != NULL );
+    ECP_VALIDATE_RET( buf  != NULL );
+    ECP_VALIDATE_RET( *buf != NULL );
+
+    if( ( ret = mbedtls_ecp_tls_read_group_id( &grp_id, buf, len ) ) != 0 )
+        return( ret );
+
+    return( mbedtls_ecp_group_load( grp, grp_id ) );
+}
+
+/*
+ * Read a group id from an ECParameters record (RFC 4492) and convert it to
+ * mbedtls_ecp_group_id.
+ */
+int mbedtls_ecp_tls_read_group_id( mbedtls_ecp_group_id *grp,
+                                   const unsigned char **buf, size_t len )
 {
     uint16_t tls_id;
     const mbedtls_ecp_curve_info *curve_info;
+    ECP_VALIDATE_RET( grp  != NULL );
+    ECP_VALIDATE_RET( buf  != NULL );
+    ECP_VALIDATE_RET( *buf != NULL );
 
     /*
      * We expect at least three bytes (see below)
@@ -624,7 +953,9 @@ int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp, const unsigned char **bu
     if( ( curve_info = mbedtls_ecp_curve_info_from_tls_id( tls_id ) ) == NULL )
         return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
 
-    return mbedtls_ecp_group_load( grp, curve_info->grp_id );
+    *grp = curve_info->grp_id;
+
+    return( 0 );
 }
 
 /*
@@ -634,6 +965,9 @@ int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen,
                          unsigned char *buf, size_t blen )
 {
     const mbedtls_ecp_curve_info *curve_info;
+    ECP_VALIDATE_RET( grp  != NULL );
+    ECP_VALIDATE_RET( buf  != NULL );
+    ECP_VALIDATE_RET( olen != NULL );
 
     if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( grp->id ) ) == NULL )
         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
@@ -712,25 +1046,29 @@ static int ecp_modp( mbedtls_mpi *N, const mbedtls_ecp_group *grp )
 #define INC_MUL_COUNT
 #endif
 
-#define MOD_MUL( N )    do { MBEDTLS_MPI_CHK( ecp_modp( &N, grp ) ); INC_MUL_COUNT } \
-                        while( 0 )
+#define MOD_MUL( N )                                                    \
+    do                                                                  \
+    {                                                                   \
+        MBEDTLS_MPI_CHK( ecp_modp( &(N), grp ) );                       \
+        INC_MUL_COUNT                                                   \
+    } while( 0 )
 
 /*
  * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_sub_mpi
  * N->s < 0 is a very fast test, which fails only if N is 0
  */
-#define MOD_SUB( N )                                \
-    while( N.s < 0 && mbedtls_mpi_cmp_int( &N, 0 ) != 0 )   \
-        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &N, &N, &grp->P ) )
+#define MOD_SUB( N )                                                    \
+    while( (N).s < 0 && mbedtls_mpi_cmp_int( &(N), 0 ) != 0 )           \
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &(N), &(N), &grp->P ) )
 
 /*
  * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_add_mpi and mbedtls_mpi_mul_int.
  * We known P, N and the result are positive, so sub_abs is correct, and
  * a bit faster.
  */
-#define MOD_ADD( N )                                \
-    while( mbedtls_mpi_cmp_mpi( &N, &grp->P ) >= 0 )        \
-        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &N, &N, &grp->P ) )
+#define MOD_ADD( N )                                                    \
+    while( mbedtls_mpi_cmp_mpi( &(N), &grp->P ) >= 0 )                  \
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &(N), &(N), &grp->P ) )
 
 #if defined(ECP_SHORTWEIERSTRASS)
 /*
@@ -754,11 +1092,10 @@ static int ecp_normalize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *p
         return( 0 );
 
 #if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
-    if ( mbedtls_internal_ecp_grp_capable( grp ) )
-    {
-        return mbedtls_internal_ecp_normalize_jac( grp, pt );
-    }
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_normalize_jac( grp, pt ) );
 #endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
+
     mbedtls_mpi_init( &Zi ); mbedtls_mpi_init( &ZZi );
 
     /*
@@ -798,32 +1135,33 @@ static int ecp_normalize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *p
  * Cost: 1N(t) := 1I + (6t - 3)M + 1S
  */
 static int ecp_normalize_jac_many( const mbedtls_ecp_group *grp,
-                                   mbedtls_ecp_point *T[], size_t t_len )
+                                   mbedtls_ecp_point *T[], size_t T_size )
 {
     int ret;
     size_t i;
     mbedtls_mpi *c, u, Zi, ZZi;
 
-    if( t_len < 2 )
+    if( T_size < 2 )
         return( ecp_normalize_jac( grp, *T ) );
 
 #if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
-    if ( mbedtls_internal_ecp_grp_capable( grp ) )
-    {
-        return mbedtls_internal_ecp_normalize_jac_many(grp, T, t_len);
-    }
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_normalize_jac_many( grp, T, T_size ) );
 #endif
 
-    if( ( c = mbedtls_calloc( t_len, sizeof( mbedtls_mpi ) ) ) == NULL )
+    if( ( c = mbedtls_calloc( T_size, sizeof( mbedtls_mpi ) ) ) == NULL )
         return( MBEDTLS_ERR_ECP_ALLOC_FAILED );
 
+    for( i = 0; i < T_size; i++ )
+        mbedtls_mpi_init( &c[i] );
+
     mbedtls_mpi_init( &u ); mbedtls_mpi_init( &Zi ); mbedtls_mpi_init( &ZZi );
 
     /*
      * c[i] = Z_0 * ... * Z_i
      */
     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &c[0], &T[0]->Z ) );
-    for( i = 1; i < t_len; i++ )
+    for( i = 1; i < T_size; i++ )
     {
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &c[i], &c[i-1], &T[i]->Z ) );
         MOD_MUL( c[i] );
@@ -832,9 +1170,9 @@ static int ecp_normalize_jac_many( const mbedtls_ecp_group *grp,
     /*
      * u = 1 / (Z_0 * ... * Z_n) mod P
      */
-    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &u, &c[t_len-1], &grp->P ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &u, &c[T_size-1], &grp->P ) );
 
-    for( i = t_len - 1; ; i-- )
+    for( i = T_size - 1; ; i-- )
     {
         /*
          * Zi = 1 / Z_i mod p
@@ -874,7 +1212,7 @@ static int ecp_normalize_jac_many( const mbedtls_ecp_group *grp,
 cleanup:
 
     mbedtls_mpi_free( &u ); mbedtls_mpi_free( &Zi ); mbedtls_mpi_free( &ZZi );
-    for( i = 0; i < t_len; i++ )
+    for( i = 0; i < T_size; i++ )
         mbedtls_mpi_free( &c[i] );
     mbedtls_free( c );
 
@@ -931,10 +1269,8 @@ static int ecp_double_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
 #endif
 
 #if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
-    if ( mbedtls_internal_ecp_grp_capable( grp ) )
-    {
-        return mbedtls_internal_ecp_double_jac( grp, R, P );
-    }
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_double_jac( grp, R, P ) );
 #endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
 
     mbedtls_mpi_init( &M ); mbedtls_mpi_init( &S ); mbedtls_mpi_init( &T ); mbedtls_mpi_init( &U );
@@ -1029,10 +1365,8 @@ static int ecp_add_mixed( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
 #endif
 
 #if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
-    if ( mbedtls_internal_ecp_grp_capable( grp ) )
-    {
-        return mbedtls_internal_ecp_add_mixed( grp, R, P, Q );
-    }
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_add_mixed( grp, R, P, Q ) );
 #endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
 
     /*
@@ -1116,10 +1450,8 @@ static int ecp_randomize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *p
     int count = 0;
 
 #if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
-    if ( mbedtls_internal_ecp_grp_capable( grp ) )
-    {
-        return mbedtls_internal_ecp_randomize_jac( grp, pt, f_rng, p_rng );
-    }
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_randomize_jac( grp, pt, f_rng, p_rng ) );
 #endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
 
     p_size = ( grp->pbits + 7 ) / 8;
@@ -1175,11 +1507,38 @@ static int ecp_randomize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *p
  * modified version that provides resistance to SPA by avoiding zero
  * digits in the representation as in [3]. We modify the method further by
  * requiring that all K_i be odd, which has the small cost that our
- * representation uses one more K_i, due to carries.
+ * representation uses one more K_i, due to carries, but saves on the size of
+ * the precomputed table.
+ *
+ * Summary of the comb method and its modifications:
  *
- * Also, for the sake of compactness, only the seven low-order bits of x[i]
- * are used to represent K_i, and the msb of x[i] encodes the the sign (s_i in
- * the paper): it is set if and only if if s_i == -1;
+ * - The goal is to compute m*P for some w*d-bit integer m.
+ *
+ * - The basic comb method splits m into the w-bit integers
+ *   x[0] .. x[d-1] where x[i] consists of the bits in m whose
+ *   index has residue i modulo d, and computes m * P as
+ *   S[x[0]] + 2 * S[x[1]] + .. + 2^(d-1) S[x[d-1]], where
+ *   S[i_{w-1} .. i_0] := i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + i_0 P.
+ *
+ * - If it happens that, say, x[i+1]=0 (=> S[x[i+1]]=0), one can replace the sum by
+ *    .. + 2^{i-1} S[x[i-1]] - 2^i S[x[i]] + 2^{i+1} S[x[i]] + 2^{i+2} S[x[i+2]] ..,
+ *   thereby successively converting it into a form where all summands
+ *   are nonzero, at the cost of negative summands. This is the basic idea of [3].
+ *
+ * - More generally, even if x[i+1] != 0, we can first transform the sum as
+ *   .. - 2^i S[x[i]] + 2^{i+1} ( S[x[i]] + S[x[i+1]] ) + 2^{i+2} S[x[i+2]] ..,
+ *   and then replace S[x[i]] + S[x[i+1]] = S[x[i] ^ x[i+1]] + 2 S[x[i] & x[i+1]].
+ *   Performing and iterating this procedure for those x[i] that are even
+ *   (keeping track of carry), we can transform the original sum into one of the form
+ *   S[x'[0]] +- 2 S[x'[1]] +- .. +- 2^{d-1} S[x'[d-1]] + 2^d S[x'[d]]
+ *   with all x'[i] odd. It is therefore only necessary to know S at odd indices,
+ *   which is why we are only computing half of it in the first place in
+ *   ecp_precompute_comb and accessing it with index abs(i) / 2 in ecp_select_comb.
+ *
+ * - For the sake of compactness, only the seven low-order bits of x[i]
+ *   are used to represent its absolute value (K_i in the paper), and the msb
+ *   of x[i] encodes the sign (s_i in the paper): it is set if and only if
+ *   if s_i == -1;
  *
  * Calling conventions:
  * - x is an array of size d + 1
@@ -1188,8 +1547,8 @@ static int ecp_randomize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *p
  * - m is the MPI, expected to be odd and such that bitlength(m) <= w * d
  *   (the result will be incorrect if these assumptions are not satisfied)
  */
-static void ecp_comb_fixed( unsigned char x[], size_t d,
-                            unsigned char w, const mbedtls_mpi *m )
+static void ecp_comb_recode_core( unsigned char x[], size_t d,
+                                  unsigned char w, const mbedtls_mpi *m )
 {
     size_t i, j;
     unsigned char c, cc, adjust;
@@ -1219,70 +1578,178 @@ static void ecp_comb_fixed( unsigned char x[], size_t d,
 }
 
 /*
- * Precompute points for the comb method
+ * Precompute points for the adapted comb method
  *
- * If i = i_{w-1} ... i_1 is the binary representation of i, then
- * T[i] = i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + P
+ * Assumption: T must be able to hold 2^{w - 1} elements.
  *
- * T must be able to hold 2^{w - 1} elements
+ * Operation: If i = i_{w-1} ... i_1 is the binary representation of i,
+ *            sets T[i] = i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + P.
  *
  * Cost: d(w-1) D + (2^{w-1} - 1) A + 1 N(w-1) + 1 N(2^{w-1} - 1)
+ *
+ * Note: Even comb values (those where P would be omitted from the
+ *       sum defining T[i] above) are not needed in our adaption
+ *       the comb method. See ecp_comb_recode_core().
+ *
+ * This function currently works in four steps:
+ * (1) [dbl]      Computation of intermediate T[i] for 2-power values of i
+ * (2) [norm_dbl] Normalization of coordinates of these T[i]
+ * (3) [add]      Computation of all T[i]
+ * (4) [norm_add] Normalization of all T[i]
+ *
+ * Step 1 can be interrupted but not the others; together with the final
+ * coordinate normalization they are the largest steps done at once, depending
+ * on the window size. Here are operation counts for P-256:
+ *
+ * step     (2)     (3)     (4)
+ * w = 5    142     165     208
+ * w = 4    136      77     160
+ * w = 3    130      33     136
+ * w = 2    124      11     124
+ *
+ * So if ECC operations are blocking for too long even with a low max_ops
+ * value, it's useful to set MBEDTLS_ECP_WINDOW_SIZE to a lower value in order
+ * to minimize maximum blocking time.
  */
 static int ecp_precompute_comb( const mbedtls_ecp_group *grp,
                                 mbedtls_ecp_point T[], const mbedtls_ecp_point *P,
-                                unsigned char w, size_t d )
+                                unsigned char w, size_t d,
+                                mbedtls_ecp_restart_ctx *rs_ctx )
 {
     int ret;
-    unsigned char i, k;
-    size_t j;
+    unsigned char i;
+    size_t j = 0;
+    const unsigned char T_size = 1U << ( w - 1 );
     mbedtls_ecp_point *cur, *TT[COMB_MAX_PRE - 1];
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+    {
+        if( rs_ctx->rsm->state == ecp_rsm_pre_dbl )
+            goto dbl;
+        if( rs_ctx->rsm->state == ecp_rsm_pre_norm_dbl )
+            goto norm_dbl;
+        if( rs_ctx->rsm->state == ecp_rsm_pre_add )
+            goto add;
+        if( rs_ctx->rsm->state == ecp_rsm_pre_norm_add )
+            goto norm_add;
+    }
+#else
+    (void) rs_ctx;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+    {
+        rs_ctx->rsm->state = ecp_rsm_pre_dbl;
+
+        /* initial state for the loop */
+        rs_ctx->rsm->i = 0;
+    }
+
+dbl:
+#endif
     /*
      * Set T[0] = P and
      * T[2^{l-1}] = 2^{dl} P for l = 1 .. w-1 (this is not the final value)
      */
     MBEDTLS_MPI_CHK( mbedtls_ecp_copy( &T[0], P ) );
 
-    k = 0;
-    for( i = 1; i < ( 1U << ( w - 1 ) ); i <<= 1 )
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0 )
+        j = rs_ctx->rsm->i;
+    else
+#endif
+        j = 0;
+
+    for( ; j < d * ( w - 1 ); j++ )
     {
+        MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_DBL );
+
+        i = 1U << ( j / d );
         cur = T + i;
-        MBEDTLS_MPI_CHK( mbedtls_ecp_copy( cur, T + ( i >> 1 ) ) );
-        for( j = 0; j < d; j++ )
-            MBEDTLS_MPI_CHK( ecp_double_jac( grp, cur, cur ) );
 
-        TT[k++] = cur;
+        if( j % d == 0 )
+            MBEDTLS_MPI_CHK( mbedtls_ecp_copy( cur, T + ( i >> 1 ) ) );
+
+        MBEDTLS_MPI_CHK( ecp_double_jac( grp, cur, cur ) );
     }
 
-    MBEDTLS_MPI_CHK( ecp_normalize_jac_many( grp, TT, k ) );
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+        rs_ctx->rsm->state = ecp_rsm_pre_norm_dbl;
+
+norm_dbl:
+#endif
+    /*
+     * Normalize current elements in T. As T has holes,
+     * use an auxiliary array of pointers to elements in T.
+     */
+    j = 0;
+    for( i = 1; i < T_size; i <<= 1 )
+        TT[j++] = T + i;
+
+    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV + 6 * j - 2 );
+
+    MBEDTLS_MPI_CHK( ecp_normalize_jac_many( grp, TT, j ) );
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+        rs_ctx->rsm->state = ecp_rsm_pre_add;
+
+add:
+#endif
     /*
      * Compute the remaining ones using the minimal number of additions
      * Be careful to update T[2^l] only after using it!
      */
-    k = 0;
-    for( i = 1; i < ( 1U << ( w - 1 ) ); i <<= 1 )
+    MBEDTLS_ECP_BUDGET( ( T_size - 1 ) * MBEDTLS_ECP_OPS_ADD );
+
+    for( i = 1; i < T_size; i <<= 1 )
     {
         j = i;
         while( j-- )
-        {
             MBEDTLS_MPI_CHK( ecp_add_mixed( grp, &T[i + j], &T[j], &T[i] ) );
-            TT[k++] = &T[i + j];
-        }
     }
 
-    MBEDTLS_MPI_CHK( ecp_normalize_jac_many( grp, TT, k ) );
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+        rs_ctx->rsm->state = ecp_rsm_pre_norm_add;
+
+norm_add:
+#endif
+    /*
+     * Normalize final elements in T. Even though there are no holes now, we
+     * still need the auxiliary array for homogeneity with the previous
+     * call. Also, skip T[0] which is already normalised, being a copy of P.
+     */
+    for( j = 0; j + 1 < T_size; j++ )
+        TT[j] = T + j + 1;
+
+    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV + 6 * j - 2 );
+
+    MBEDTLS_MPI_CHK( ecp_normalize_jac_many( grp, TT, j ) );
 
 cleanup:
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL &&
+        ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+    {
+        if( rs_ctx->rsm->state == ecp_rsm_pre_dbl )
+            rs_ctx->rsm->i = j;
+    }
+#endif
 
     return( ret );
 }
 
 /*
  * Select precomputed point: R = sign(i) * T[ abs(i) / 2 ]
+ *
+ * See ecp_comb_recode_core() for background
  */
 static int ecp_select_comb( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
-                            const mbedtls_ecp_point T[], unsigned char t_len,
+                            const mbedtls_ecp_point T[], unsigned char T_size,
                             unsigned char i )
 {
     int ret;
@@ -1292,7 +1759,7 @@ static int ecp_select_comb( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
     ii =  ( i & 0x7Fu ) >> 1;
 
     /* Read the whole table to thwart cache-based timing attacks */
-    for( j = 0; j < t_len; j++ )
+    for( j = 0; j < T_size; j++ )
     {
         MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &R->X, &T[j].X, j == ii ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &R->Y, &T[j].Y, j == ii ) );
@@ -1312,10 +1779,11 @@ static int ecp_select_comb( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
  * Cost: d A + d D + 1 R
  */
 static int ecp_mul_comb_core( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
-                              const mbedtls_ecp_point T[], unsigned char t_len,
+                              const mbedtls_ecp_point T[], unsigned char T_size,
                               const unsigned char x[], size_t d,
                               int (*f_rng)(void *, unsigned char *, size_t),
-                              void *p_rng )
+                              void *p_rng,
+                              mbedtls_ecp_restart_ctx *rs_ctx )
 {
     int ret;
     mbedtls_ecp_point Txi;
@@ -1323,17 +1791,42 @@ static int ecp_mul_comb_core( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R
 
     mbedtls_ecp_point_init( &Txi );
 
-    /* Start with a non-zero point and randomize its coordinates */
-    i = d;
-    MBEDTLS_MPI_CHK( ecp_select_comb( grp, R, T, t_len, x[i] ) );
-    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->Z, 1 ) );
-    if( f_rng != 0 )
-        MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, R, f_rng, p_rng ) );
+#if !defined(MBEDTLS_ECP_RESTARTABLE)
+    (void) rs_ctx;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL &&
+        rs_ctx->rsm->state != ecp_rsm_comb_core )
+    {
+        rs_ctx->rsm->i = 0;
+        rs_ctx->rsm->state = ecp_rsm_comb_core;
+    }
+
+    /* new 'if' instead of nested for the sake of the 'else' branch */
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0 )
+    {
+        /* restore current index (R already pointing to rs_ctx->rsm->R) */
+        i = rs_ctx->rsm->i;
+    }
+    else
+#endif
+    {
+        /* Start with a non-zero point and randomize its coordinates */
+        i = d;
+        MBEDTLS_MPI_CHK( ecp_select_comb( grp, R, T, T_size, x[i] ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->Z, 1 ) );
+        if( f_rng != 0 )
+            MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, R, f_rng, p_rng ) );
+    }
 
-    while( i-- != 0 )
+    while( i != 0 )
     {
+        MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_DBL + MBEDTLS_ECP_OPS_ADD );
+        --i;
+
         MBEDTLS_MPI_CHK( ecp_double_jac( grp, R, R ) );
-        MBEDTLS_MPI_CHK( ecp_select_comb( grp, &Txi, T, t_len, x[i] ) );
+        MBEDTLS_MPI_CHK( ecp_select_comb( grp, &Txi, T, T_size, x[i] ) );
         MBEDTLS_MPI_CHK( ecp_add_mixed( grp, R, R, &Txi ) );
     }
 
@@ -1341,32 +1834,130 @@ static int ecp_mul_comb_core( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R
 
     mbedtls_ecp_point_free( &Txi );
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL &&
+        ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+    {
+        rs_ctx->rsm->i = i;
+        /* no need to save R, already pointing to rs_ctx->rsm->R */
+    }
+#endif
+
     return( ret );
 }
 
 /*
- * Multiplication using the comb method,
- * for curves in short Weierstrass form
- */
-static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
-                         const mbedtls_mpi *m, const mbedtls_ecp_point *P,
-                         int (*f_rng)(void *, unsigned char *, size_t),
-                         void *p_rng )
+ * Recode the scalar to get constant-time comb multiplication
+ *
+ * As the actual scalar recoding needs an odd scalar as a starting point,
+ * this wrapper ensures that by replacing m by N - m if necessary, and
+ * informs the caller that the result of multiplication will be negated.
+ *
+ * This works because we only support large prime order for Short Weierstrass
+ * curves, so N is always odd hence either m or N - m is.
+ *
+ * See ecp_comb_recode_core() for background.
+ */
+static int ecp_comb_recode_scalar( const mbedtls_ecp_group *grp,
+                                   const mbedtls_mpi *m,
+                                   unsigned char k[COMB_MAX_D + 1],
+                                   size_t d,
+                                   unsigned char w,
+                                   unsigned char *parity_trick )
 {
     int ret;
-    unsigned char w, m_is_odd, p_eq_g, pre_len, i;
-    size_t d;
-    unsigned char k[COMB_MAX_D + 1];
-    mbedtls_ecp_point *T;
     mbedtls_mpi M, mm;
 
     mbedtls_mpi_init( &M );
     mbedtls_mpi_init( &mm );
 
-    /* we need N to be odd to trnaform m in an odd number, check now */
+    /* N is always odd (see above), just make extra sure */
     if( mbedtls_mpi_get_bit( &grp->N, 0 ) != 1 )
         return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
 
+    /* do we need the parity trick? */
+    *parity_trick = ( mbedtls_mpi_get_bit( m, 0 ) == 0 );
+
+    /* execute parity fix in constant time */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &M, m ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &mm, &grp->N, m ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &M, &mm, *parity_trick ) );
+
+    /* actual scalar recoding */
+    ecp_comb_recode_core( k, d, w, &M );
+
+cleanup:
+    mbedtls_mpi_free( &mm );
+    mbedtls_mpi_free( &M );
+
+    return( ret );
+}
+
+/*
+ * Perform comb multiplication (for short Weierstrass curves)
+ * once the auxiliary table has been pre-computed.
+ *
+ * Scalar recoding may use a parity trick that makes us compute -m * P,
+ * if that is the case we'll need to recover m * P at the end.
+ */
+static int ecp_mul_comb_after_precomp( const mbedtls_ecp_group *grp,
+                                mbedtls_ecp_point *R,
+                                const mbedtls_mpi *m,
+                                const mbedtls_ecp_point *T,
+                                unsigned char T_size,
+                                unsigned char w,
+                                size_t d,
+                                int (*f_rng)(void *, unsigned char *, size_t),
+                                void *p_rng,
+                                mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+    unsigned char parity_trick;
+    unsigned char k[COMB_MAX_D + 1];
+    mbedtls_ecp_point *RR = R;
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+    {
+        RR = &rs_ctx->rsm->R;
+
+        if( rs_ctx->rsm->state == ecp_rsm_final_norm )
+            goto final_norm;
+    }
+#endif
+
+    MBEDTLS_MPI_CHK( ecp_comb_recode_scalar( grp, m, k, d, w,
+                                            &parity_trick ) );
+    MBEDTLS_MPI_CHK( ecp_mul_comb_core( grp, RR, T, T_size, k, d,
+                                        f_rng, p_rng, rs_ctx ) );
+    MBEDTLS_MPI_CHK( ecp_safe_invert_jac( grp, RR, parity_trick ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+        rs_ctx->rsm->state = ecp_rsm_final_norm;
+
+final_norm:
+#endif
+    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
+    MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, RR ) );
+#endif
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Pick window size based on curve size and whether we optimize for base point
+ */
+static unsigned char ecp_pick_window_size( const mbedtls_ecp_group *grp,
+                                           unsigned char p_eq_g )
+{
+    unsigned char w;
+
     /*
      * Minimize the number of multiplications, that is minimize
      * 10 * d * w + 18 * 2^(w-1) + 11 * d + 7 * w, with d = ceil( nbits / w )
@@ -1379,14 +1970,8 @@ static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
      * Just adding one avoids upping the cost of the first mul too much,
      * and the memory cost too.
      */
-#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
-    p_eq_g = ( mbedtls_mpi_cmp_mpi( &P->Y, &grp->G.Y ) == 0 &&
-               mbedtls_mpi_cmp_mpi( &P->X, &grp->G.X ) == 0 );
     if( p_eq_g )
         w++;
-#else
-    p_eq_g = 0;
-#endif
 
     /*
      * Make sure w is within bounds.
@@ -1397,75 +1982,140 @@ static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
     if( w >= grp->nbits )
         w = 2;
 
-    /* Other sizes that depend on w */
-    pre_len = 1U << ( w - 1 );
+    return( w );
+}
+
+/*
+ * Multiplication using the comb method - for curves in short Weierstrass form
+ *
+ * This function is mainly responsible for administrative work:
+ * - managing the restart context if enabled
+ * - managing the table of precomputed points (passed between the below two
+ *   functions): allocation, computation, ownership tranfer, freeing.
+ *
+ * It delegates the actual arithmetic work to:
+ *      ecp_precompute_comb() and ecp_mul_comb_with_precomp()
+ *
+ * See comments on ecp_comb_recode_core() regarding the computation strategy.
+ */
+static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                         const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng,
+                         mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+    unsigned char w, p_eq_g, i;
+    size_t d;
+    unsigned char T_size, T_ok;
+    mbedtls_ecp_point *T;
+
+    ECP_RS_ENTER( rsm );
+
+    /* Is P the base point ? */
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+    p_eq_g = ( mbedtls_mpi_cmp_mpi( &P->Y, &grp->G.Y ) == 0 &&
+               mbedtls_mpi_cmp_mpi( &P->X, &grp->G.X ) == 0 );
+#else
+    p_eq_g = 0;
+#endif
+
+    /* Pick window size and deduce related sizes */
+    w = ecp_pick_window_size( grp, p_eq_g );
+    T_size = 1U << ( w - 1 );
     d = ( grp->nbits + w - 1 ) / w;
 
-    /*
-     * Prepare precomputed points: if P == G we want to
-     * use grp->T if already initialized, or initialize it.
-     */
-    T = p_eq_g ? grp->T : NULL;
+    /* Pre-computed table: do we have it already for the base point? */
+    if( p_eq_g && grp->T != NULL )
+    {
+        /* second pointer to the same table, will be deleted on exit */
+        T = grp->T;
+        T_ok = 1;
+    }
+    else
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    /* Pre-computed table: do we have one in progress? complete? */
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->T != NULL )
+    {
+        /* transfer ownership of T from rsm to local function */
+        T = rs_ctx->rsm->T;
+        rs_ctx->rsm->T = NULL;
+        rs_ctx->rsm->T_size = 0;
 
-    if( T == NULL )
+        /* This effectively jumps to the call to mul_comb_after_precomp() */
+        T_ok = rs_ctx->rsm->state >= ecp_rsm_comb_core;
+    }
+    else
+#endif
+    /* Allocate table if we didn't have any */
     {
-        T = mbedtls_calloc( pre_len, sizeof( mbedtls_ecp_point ) );
+        T = mbedtls_calloc( T_size, sizeof( mbedtls_ecp_point ) );
         if( T == NULL )
         {
             ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
             goto cleanup;
         }
 
-        MBEDTLS_MPI_CHK( ecp_precompute_comb( grp, T, P, w, d ) );
+        for( i = 0; i < T_size; i++ )
+            mbedtls_ecp_point_init( &T[i] );
+
+        T_ok = 0;
+    }
+
+    /* Compute table (or finish computing it) if not done already */
+    if( !T_ok )
+    {
+        MBEDTLS_MPI_CHK( ecp_precompute_comb( grp, T, P, w, d, rs_ctx ) );
 
         if( p_eq_g )
         {
+            /* almost transfer ownership of T to the group, but keep a copy of
+             * the pointer to use for calling the next function more easily */
             grp->T = T;
-            grp->T_size = pre_len;
+            grp->T_size = T_size;
         }
     }
 
-    /*
-     * Make sure M is odd (M = m or M = N - m, since N is odd)
-     * using the fact that m * P = - (N - m) * P
-     */
-    m_is_odd = ( mbedtls_mpi_get_bit( m, 0 ) == 1 );
-    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &M, m ) );
-    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &mm, &grp->N, m ) );
-    MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &M, &mm, ! m_is_odd ) );
+    /* Actual comb multiplication using precomputed points */
+    MBEDTLS_MPI_CHK( ecp_mul_comb_after_precomp( grp, R, m,
+                                                 T, T_size, w, d,
+                                                 f_rng, p_rng, rs_ctx ) );
 
-    /*
-     * Go for comb multiplication, R = M * P
-     */
-    ecp_comb_fixed( k, d, w, &M );
-    MBEDTLS_MPI_CHK( ecp_mul_comb_core( grp, R, T, pre_len, k, d, f_rng, p_rng ) );
+cleanup:
 
-    /*
-     * Now get m * P from M * P and normalize it
-     */
-    MBEDTLS_MPI_CHK( ecp_safe_invert_jac( grp, R, ! m_is_odd ) );
-    MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, R ) );
+    /* does T belong to the group? */
+    if( T == grp->T )
+        T = NULL;
 
-cleanup:
+    /* does T belong to the restart context? */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS && T != NULL )
+    {
+        /* transfer ownership of T from local function to rsm */
+        rs_ctx->rsm->T_size = T_size;
+        rs_ctx->rsm->T = T;
+        T = NULL;
+    }
+#endif
 
-    /* There are two cases where T is not stored in grp:
-     * - P != G
-     * - An intermediate operation failed before setting grp->T
-     * In either case, T must be freed.
-     */
-    if( T != NULL && T != grp->T )
+    /* did T belong to us? then let's destroy it! */
+    if( T != NULL )
     {
-        for( i = 0; i < pre_len; i++ )
+        for( i = 0; i < T_size; i++ )
             mbedtls_ecp_point_free( &T[i] );
         mbedtls_free( T );
     }
 
-    mbedtls_mpi_free( &M );
-    mbedtls_mpi_free( &mm );
-
+    /* don't free R while in progress in case R == P */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+#endif
+    /* prevent caller from using invalid value */
     if( ret != 0 )
         mbedtls_ecp_point_free( R );
 
+    ECP_RS_LEAVE( rsm );
+
     return( ret );
 }
 
@@ -1489,10 +2139,8 @@ static int ecp_normalize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P
     int ret;
 
 #if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
-    if ( mbedtls_internal_ecp_grp_capable( grp ) )
-    {
-        return mbedtls_internal_ecp_normalize_mxz( grp, P );
-    }
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_normalize_mxz( grp, P ) );
 #endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
 
     MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &P->Z, &P->Z, &grp->P ) );
@@ -1520,10 +2168,8 @@ static int ecp_randomize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P
     int count = 0;
 
 #if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
-    if ( mbedtls_internal_ecp_grp_capable( grp ) )
-    {
-        return mbedtls_internal_ecp_randomize_mxz( grp, P, f_rng, p_rng );
-    }
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_randomize_mxz( grp, P, f_rng, p_rng );
 #endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
 
     p_size = ( grp->pbits + 7 ) / 8;
@@ -1575,10 +2221,8 @@ static int ecp_double_add_mxz( const mbedtls_ecp_group *grp,
     mbedtls_mpi A, AA, B, BB, E, C, D, DA, CB;
 
 #if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
-    if ( mbedtls_internal_ecp_grp_capable( grp ) )
-    {
-        return mbedtls_internal_ecp_double_add_mxz( grp, R, S, P, Q, d );
-    }
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_double_add_mxz( grp, R, S, P, Q, d ) );
 #endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
 
     mbedtls_mpi_init( &A ); mbedtls_mpi_init( &AA ); mbedtls_mpi_init( &B );
@@ -1675,54 +2319,85 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
 #endif /* ECP_MONTGOMERY */
 
 /*
- * Multiplication R = m * P
+ * Restartable multiplication R = m * P
  */
-int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+int mbedtls_ecp_mul_restartable( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
              const mbedtls_mpi *m, const mbedtls_ecp_point *P,
-             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+             mbedtls_ecp_restart_ctx *rs_ctx )
 {
     int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
 #if defined(MBEDTLS_ECP_INTERNAL_ALT)
     char is_grp_capable = 0;
 #endif
-
-    /* Common sanity checks */
-    if( mbedtls_mpi_cmp_int( &P->Z, 1 ) != 0 )
-        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
-
-    if( ( ret = mbedtls_ecp_check_privkey( grp, m ) ) != 0 ||
-        ( ret = mbedtls_ecp_check_pubkey( grp, P ) ) != 0 )
-        return( ret );
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( R   != NULL );
+    ECP_VALIDATE_RET( m   != NULL );
+    ECP_VALIDATE_RET( P   != NULL );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    /* reset ops count for this call if top-level */
+    if( rs_ctx != NULL && rs_ctx->depth++ == 0 )
+        rs_ctx->ops_done = 0;
+#endif
 
 #if defined(MBEDTLS_ECP_INTERNAL_ALT)
-    if ( is_grp_capable = mbedtls_internal_ecp_grp_capable( grp )  )
-    {
+    if( ( is_grp_capable = mbedtls_internal_ecp_grp_capable( grp ) ) )
         MBEDTLS_MPI_CHK( mbedtls_internal_ecp_init( grp ) );
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    /* skip argument check when restarting */
+    if( rs_ctx == NULL || rs_ctx->rsm == NULL )
+#endif
+    {
+        /* check_privkey is free */
+        MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_CHK );
+
+        /* Common sanity checks */
+        MBEDTLS_MPI_CHK( mbedtls_ecp_check_privkey( grp, m ) );
+        MBEDTLS_MPI_CHK( mbedtls_ecp_check_pubkey( grp, P ) );
     }
 
-#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+    ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
 #if defined(ECP_MONTGOMERY)
     if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
-        ret = ecp_mul_mxz( grp, R, m, P, f_rng, p_rng );
-
+        MBEDTLS_MPI_CHK( ecp_mul_mxz( grp, R, m, P, f_rng, p_rng ) );
 #endif
 #if defined(ECP_SHORTWEIERSTRASS)
     if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
-        ret = ecp_mul_comb( grp, R, m, P, f_rng, p_rng );
-
+        MBEDTLS_MPI_CHK( ecp_mul_comb( grp, R, m, P, f_rng, p_rng, rs_ctx ) );
 #endif
-#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+
 cleanup:
 
-    if ( is_grp_capable )
-    {
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if( is_grp_capable )
         mbedtls_internal_ecp_free( grp );
-    }
-
 #endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL )
+        rs_ctx->depth--;
+#endif
+
     return( ret );
 }
 
+/*
+ * Multiplication R = m * P
+ */
+int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( R   != NULL );
+    ECP_VALIDATE_RET( m   != NULL );
+    ECP_VALIDATE_RET( P   != NULL );
+    return( mbedtls_ecp_mul_restartable( grp, R, m, P, f_rng, p_rng, NULL ) );
+}
+
 #if defined(ECP_SHORTWEIERSTRASS)
 /*
  * Check that an affine point is valid as a public key,
@@ -1780,7 +2455,8 @@ static int ecp_check_pubkey_sw( const mbedtls_ecp_group *grp, const mbedtls_ecp_
 static int mbedtls_ecp_mul_shortcuts( mbedtls_ecp_group *grp,
                                       mbedtls_ecp_point *R,
                                       const mbedtls_mpi *m,
-                                      const mbedtls_ecp_point *P )
+                                      const mbedtls_ecp_point *P,
+                                      mbedtls_ecp_restart_ctx *rs_ctx )
 {
     int ret;
 
@@ -1796,7 +2472,8 @@ static int mbedtls_ecp_mul_shortcuts( mbedtls_ecp_group *grp,
     }
     else
     {
-        MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, R, m, P, NULL, NULL ) );
+        MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, R, m, P,
+                                                      NULL, NULL, rs_ctx ) );
     }
 
 cleanup:
@@ -1804,51 +2481,118 @@ static int mbedtls_ecp_mul_shortcuts( mbedtls_ecp_group *grp,
 }
 
 /*
- * Linear combination
+ * Restartable linear combination
  * NOT constant-time
  */
-int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+int mbedtls_ecp_muladd_restartable(
+             mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
              const mbedtls_mpi *m, const mbedtls_ecp_point *P,
-             const mbedtls_mpi *n, const mbedtls_ecp_point *Q )
+             const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
+             mbedtls_ecp_restart_ctx *rs_ctx )
 {
     int ret;
     mbedtls_ecp_point mP;
+    mbedtls_ecp_point *pmP = &mP;
+    mbedtls_ecp_point *pR = R;
 #if defined(MBEDTLS_ECP_INTERNAL_ALT)
     char is_grp_capable = 0;
 #endif
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( R   != NULL );
+    ECP_VALIDATE_RET( m   != NULL );
+    ECP_VALIDATE_RET( P   != NULL );
+    ECP_VALIDATE_RET( n   != NULL );
+    ECP_VALIDATE_RET( Q   != NULL );
 
     if( ecp_get_type( grp ) != ECP_TYPE_SHORT_WEIERSTRASS )
         return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
 
     mbedtls_ecp_point_init( &mP );
 
-    MBEDTLS_MPI_CHK( mbedtls_ecp_mul_shortcuts( grp, &mP, m, P ) );
-    MBEDTLS_MPI_CHK( mbedtls_ecp_mul_shortcuts( grp, R,   n, Q ) );
+    ECP_RS_ENTER( ma );
 
-#if defined(MBEDTLS_ECP_INTERNAL_ALT)
-    if (  is_grp_capable = mbedtls_internal_ecp_grp_capable( grp )  )
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ma != NULL )
     {
-        MBEDTLS_MPI_CHK( mbedtls_internal_ecp_init( grp ) );
+        /* redirect intermediate results to restart context */
+        pmP = &rs_ctx->ma->mP;
+        pR  = &rs_ctx->ma->R;
+
+        /* jump to next operation */
+        if( rs_ctx->ma->state == ecp_rsma_mul2 )
+            goto mul2;
+        if( rs_ctx->ma->state == ecp_rsma_add )
+            goto add;
+        if( rs_ctx->ma->state == ecp_rsma_norm )
+            goto norm;
     }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
 
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul_shortcuts( grp, pmP, m, P, rs_ctx ) );
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ma != NULL )
+        rs_ctx->ma->state = ecp_rsma_mul2;
+
+mul2:
+#endif
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul_shortcuts( grp, pR,  n, Q, rs_ctx ) );
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if( ( is_grp_capable = mbedtls_internal_ecp_grp_capable( grp ) ) )
+        MBEDTLS_MPI_CHK( mbedtls_internal_ecp_init( grp ) );
 #endif /* MBEDTLS_ECP_INTERNAL_ALT */
-    MBEDTLS_MPI_CHK( ecp_add_mixed( grp, R, &mP, R ) );
-    MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, R ) );
 
-cleanup:
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ma != NULL )
+        rs_ctx->ma->state = ecp_rsma_add;
 
+add:
+#endif
+    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_ADD );
+    MBEDTLS_MPI_CHK( ecp_add_mixed( grp, pR, pmP, pR ) );
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ma != NULL )
+        rs_ctx->ma->state = ecp_rsma_norm;
+
+norm:
+#endif
+    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
+    MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, pR ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ma != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, pR ) );
+#endif
+
+cleanup:
 #if defined(MBEDTLS_ECP_INTERNAL_ALT)
-    if ( is_grp_capable )
-    {
+    if( is_grp_capable )
         mbedtls_internal_ecp_free( grp );
-    }
-
 #endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
     mbedtls_ecp_point_free( &mP );
 
+    ECP_RS_LEAVE( ma );
+
     return( ret );
 }
 
+/*
+ * Linear combination
+ * NOT constant-time
+ */
+int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             const mbedtls_mpi *n, const mbedtls_ecp_point *Q )
+{
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( R   != NULL );
+    ECP_VALIDATE_RET( m   != NULL );
+    ECP_VALIDATE_RET( P   != NULL );
+    ECP_VALIDATE_RET( n   != NULL );
+    ECP_VALIDATE_RET( Q   != NULL );
+    return( mbedtls_ecp_muladd_restartable( grp, R, m, P, n, Q, NULL ) );
+}
 
 #if defined(ECP_MONTGOMERY)
 /*
@@ -1857,6 +2601,8 @@ int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
 static int ecp_check_pubkey_mx( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt )
 {
     /* [Curve25519 p. 5] Just check X is the correct number of bytes */
+    /* Allow any public value, if it's too big then we'll just reduce it mod p
+     * (RFC 7748 sec. 5 para. 3). */
     if( mbedtls_mpi_size( &pt->X ) > ( grp->nbits + 7 ) / 8 )
         return( MBEDTLS_ERR_ECP_INVALID_KEY );
 
@@ -1867,8 +2613,12 @@ static int ecp_check_pubkey_mx( const mbedtls_ecp_group *grp, const mbedtls_ecp_
 /*
  * Check that a point is valid as a public key
  */
-int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt )
+int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp,
+                              const mbedtls_ecp_point *pt )
 {
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( pt  != NULL );
+
     /* Must use affine coordinates */
     if( mbedtls_mpi_cmp_int( &pt->Z, 1 ) != 0 )
         return( MBEDTLS_ERR_ECP_INVALID_KEY );
@@ -1887,19 +2637,26 @@ int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp, const mbedtls_ecp_po
 /*
  * Check that an mbedtls_mpi is valid as a private key
  */
-int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp, const mbedtls_mpi *d )
+int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp,
+                               const mbedtls_mpi *d )
 {
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( d   != NULL );
+
 #if defined(ECP_MONTGOMERY)
     if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
     {
-        /* see [Curve25519] page 5 */
+        /* see RFC 7748 sec. 5 para. 5 */
         if( mbedtls_mpi_get_bit( d, 0 ) != 0 ||
             mbedtls_mpi_get_bit( d, 1 ) != 0 ||
-            mbedtls_mpi_get_bit( d, 2 ) != 0 ||
             mbedtls_mpi_bitlen( d ) - 1 != grp->nbits ) /* mbedtls_mpi_bitlen is one-based! */
             return( MBEDTLS_ERR_ECP_INVALID_KEY );
-        else
-            return( 0 );
+
+        /* see [Curve25519] page 5 */
+        if( grp->nbits == 254 && mbedtls_mpi_get_bit( d, 2 ) != 0 )
+            return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+        return( 0 );
     }
 #endif /* ECP_MONTGOMERY */
 #if defined(ECP_SHORTWEIERSTRASS)
@@ -1918,16 +2675,21 @@ int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp, const mbedtls_mpi *
 }
 
 /*
- * Generate a keypair with configurable base point
+ * Generate a private key
  */
-int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
-                     const mbedtls_ecp_point *G,
-                     mbedtls_mpi *d, mbedtls_ecp_point *Q,
+int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
+                     mbedtls_mpi *d,
                      int (*f_rng)(void *, unsigned char *, size_t),
                      void *p_rng )
 {
-    int ret;
-    size_t n_size = ( grp->nbits + 7 ) / 8;
+    int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    size_t n_size;
+
+    ECP_VALIDATE_RET( grp   != NULL );
+    ECP_VALIDATE_RET( d     != NULL );
+    ECP_VALIDATE_RET( f_rng != NULL );
+
+    n_size = ( grp->nbits + 7 ) / 8;
 
 #if defined(ECP_MONTGOMERY)
     if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
@@ -1946,13 +2708,17 @@ int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
         else
             MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, grp->nbits, 1 ) );
 
-        /* Make sure the last three bits are unset */
+        /* Make sure the last two bits are unset for Curve448, three bits for
+           Curve25519 */
         MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 0, 0 ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 1, 0 ) );
-        MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 2, 0 ) );
+        if( grp->nbits == 254 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 2, 0 ) );
+        }
     }
-    else
 #endif /* ECP_MONTGOMERY */
+
 #if defined(ECP_SHORTWEIERSTRASS)
     if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
     {
@@ -1986,15 +2752,33 @@ int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
         while( mbedtls_mpi_cmp_int( d, 1 ) < 0 ||
                mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 );
     }
-    else
 #endif /* ECP_SHORTWEIERSTRASS */
-        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
 
 cleanup:
-    if( ret != 0 )
-        return( ret );
+    return( ret );
+}
+
+/*
+ * Generate a keypair with configurable base point
+ */
+int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
+                     const mbedtls_ecp_point *G,
+                     mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret;
+    ECP_VALIDATE_RET( grp   != NULL );
+    ECP_VALIDATE_RET( d     != NULL );
+    ECP_VALIDATE_RET( G     != NULL );
+    ECP_VALIDATE_RET( Q     != NULL );
+    ECP_VALIDATE_RET( f_rng != NULL );
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, d, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, Q, d, G, f_rng, p_rng ) );
 
-    return( mbedtls_ecp_mul( grp, Q, d, G, f_rng, p_rng ) );
+cleanup:
+    return( ret );
 }
 
 /*
@@ -2005,6 +2789,11 @@ int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp,
                              int (*f_rng)(void *, unsigned char *, size_t),
                              void *p_rng )
 {
+    ECP_VALIDATE_RET( grp   != NULL );
+    ECP_VALIDATE_RET( d     != NULL );
+    ECP_VALIDATE_RET( Q     != NULL );
+    ECP_VALIDATE_RET( f_rng != NULL );
+
     return( mbedtls_ecp_gen_keypair_base( grp, &grp->G, d, Q, f_rng, p_rng ) );
 }
 
@@ -2015,6 +2804,8 @@ int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
 {
     int ret;
+    ECP_VALIDATE_RET( key   != NULL );
+    ECP_VALIDATE_RET( f_rng != NULL );
 
     if( ( ret = mbedtls_ecp_group_load( &key->grp, grp_id ) ) != 0 )
         return( ret );
@@ -2030,6 +2821,8 @@ int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub, const mbedtls_ec
     int ret;
     mbedtls_ecp_point Q;
     mbedtls_ecp_group grp;
+    ECP_VALIDATE_RET( pub != NULL );
+    ECP_VALIDATE_RET( prv != NULL );
 
     if( pub->grp.id == MBEDTLS_ECP_DP_NONE ||
         pub->grp.id != prv->grp.id ||
diff --git a/3rdparty/mbedtls/mbedtls/library/ecp_curves.c b/3rdparty/mbedtls/mbedtls/library/ecp_curves.c
index df5ac3eea5..282481d053 100644
--- a/3rdparty/mbedtls/mbedtls/library/ecp_curves.c
+++ b/3rdparty/mbedtls/mbedtls/library/ecp_curves.c
@@ -28,11 +28,18 @@
 #if defined(MBEDTLS_ECP_C)
 
 #include "mbedtls/ecp.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
 #if !defined(MBEDTLS_ECP_ALT)
 
+/* Parameter validation macros based on platform_util.h */
+#define ECP_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECP_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
     !defined(inline) && !defined(__cplusplus)
 #define inline __inline
@@ -44,11 +51,11 @@
  */
 #if defined(MBEDTLS_HAVE_INT32)
 
-#define BYTES_TO_T_UINT_4( a, b, c, d )             \
-    ( (mbedtls_mpi_uint) a <<  0 ) |                          \
-    ( (mbedtls_mpi_uint) b <<  8 ) |                          \
-    ( (mbedtls_mpi_uint) c << 16 ) |                          \
-    ( (mbedtls_mpi_uint) d << 24 )
+#define BYTES_TO_T_UINT_4( a, b, c, d )                       \
+    ( (mbedtls_mpi_uint) (a) <<  0 ) |                        \
+    ( (mbedtls_mpi_uint) (b) <<  8 ) |                        \
+    ( (mbedtls_mpi_uint) (c) << 16 ) |                        \
+    ( (mbedtls_mpi_uint) (d) << 24 )
 
 #define BYTES_TO_T_UINT_2( a, b )                   \
     BYTES_TO_T_UINT_4( a, b, 0, 0 )
@@ -60,14 +67,14 @@
 #else /* 64-bits */
 
 #define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
-    ( (mbedtls_mpi_uint) a <<  0 ) |                          \
-    ( (mbedtls_mpi_uint) b <<  8 ) |                          \
-    ( (mbedtls_mpi_uint) c << 16 ) |                          \
-    ( (mbedtls_mpi_uint) d << 24 ) |                          \
-    ( (mbedtls_mpi_uint) e << 32 ) |                          \
-    ( (mbedtls_mpi_uint) f << 40 ) |                          \
-    ( (mbedtls_mpi_uint) g << 48 ) |                          \
-    ( (mbedtls_mpi_uint) h << 56 )
+    ( (mbedtls_mpi_uint) (a) <<  0 ) |                        \
+    ( (mbedtls_mpi_uint) (b) <<  8 ) |                        \
+    ( (mbedtls_mpi_uint) (c) << 16 ) |                        \
+    ( (mbedtls_mpi_uint) (d) << 24 ) |                        \
+    ( (mbedtls_mpi_uint) (e) << 32 ) |                        \
+    ( (mbedtls_mpi_uint) (f) << 40 ) |                        \
+    ( (mbedtls_mpi_uint) (g) << 48 ) |                        \
+    ( (mbedtls_mpi_uint) (h) << 56 )
 
 #define BYTES_TO_T_UINT_4( a, b, c, d )             \
     BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )
@@ -627,6 +634,9 @@ static int ecp_mod_p521( mbedtls_mpi * );
 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
 static int ecp_mod_p255( mbedtls_mpi * );
 #endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+static int ecp_mod_p448( mbedtls_mpi * );
+#endif
 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
 static int ecp_mod_p192k1( mbedtls_mpi * );
 #endif
@@ -670,7 +680,12 @@ static int ecp_use_curve25519( mbedtls_ecp_group *grp )
     MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 19 ) );
     grp->pbits = mbedtls_mpi_bitlen( &grp->P );
 
-    /* Y intentionaly not set, since we use x/z coordinates.
+    /* N = 2^252 + 27742317777372353535851937790883648493 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->N, 16,
+                                              "14DEF9DEA2F79CD65812631A5CF5D3ED" ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 252, 1 ) );
+
+    /* Y intentionally not set, since we use x/z coordinates.
      * This is used as a marker to identify Montgomery curves! */
     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 9 ) );
     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
@@ -687,11 +702,58 @@ static int ecp_use_curve25519( mbedtls_ecp_group *grp )
 }
 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
 
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+/*
+ * Specialized function for creating the Curve448 group
+ */
+static int ecp_use_curve448( mbedtls_ecp_group *grp )
+{
+    mbedtls_mpi Ns;
+    int ret;
+
+    mbedtls_mpi_init( &Ns );
+
+    /* Actually ( A + 2 ) / 4 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A, 16, "98AA" ) );
+
+    /* P = 2^448 - 2^224 - 1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
+    grp->pbits = mbedtls_mpi_bitlen( &grp->P );
+
+    /* Y intentionally not set, since we use x/z coordinates.
+     * This is used as a marker to identify Montgomery curves! */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 5 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
+    mbedtls_mpi_free( &grp->G.Y );
+
+    /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 446, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &Ns, 16,
+                                              "8335DC163BB124B65129C96FDE933D8D723A70AADC873D6D54A7BB0D" ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &grp->N, &grp->N, &Ns ) );
+
+    /* Actually, the required msb for private keys */
+    grp->nbits = 447;
+
+cleanup:
+    mbedtls_mpi_free( &Ns );
+    if( ret != 0 )
+        mbedtls_ecp_group_free( grp );
+
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
 /*
  * Set a group using well-known domain parameters
  */
 int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id )
 {
+    ECP_VALIDATE_RET( grp != NULL );
     mbedtls_ecp_group_free( grp );
 
     grp->id = id;
@@ -767,6 +829,12 @@ int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id )
             return( ecp_use_curve25519( grp ) );
 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
 
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+        case MBEDTLS_ECP_DP_CURVE448:
+            grp->modp = ecp_mod_p448;
+            return( ecp_use_curve448( grp ) );
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
         default:
             mbedtls_ecp_group_free( grp );
             return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
@@ -822,7 +890,7 @@ static inline void carry64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry )
 }
 
 #define WIDTH       8 / sizeof( mbedtls_mpi_uint )
-#define A( i )      N->p + i * WIDTH
+#define A( i )      N->p + (i) * WIDTH
 #define ADD( i )    add64( p, A( i ), &c )
 #define NEXT        p += WIDTH; carry64( p, &c )
 #define LAST        p += WIDTH; *p = c; while( ++p < end ) *p = 0
@@ -887,7 +955,8 @@ static int ecp_mod_p192( mbedtls_mpi *N )
 #else                               /* 64-bit */
 
 #define MAX32       N->n * 2
-#define A( j ) j % 2 ? (uint32_t)( N->p[j/2] >> 32 ) : (uint32_t)( N->p[j/2] )
+#define A( j ) (j) % 2 ? (uint32_t)( N->p[(j)/2] >> 32 ) : \
+                         (uint32_t)( N->p[(j)/2] )
 #define STORE32                                   \
     if( i % 2 ) {                                 \
         N->p[i/2] &= 0x00000000FFFFFFFF;          \
@@ -921,20 +990,21 @@ static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry )
  * Helpers for the main 'loop'
  * (see fix_negative for the motivation of C)
  */
-#define INIT( b )                                           \
-    int ret;                                                \
-    signed char c = 0, cc;                                  \
-    uint32_t cur;                                           \
-    size_t i = 0, bits = b;                                 \
-    mbedtls_mpi C;                                                  \
-    mbedtls_mpi_uint Cp[ b / 8 / sizeof( mbedtls_mpi_uint) + 1 ];               \
-                                                            \
-    C.s = 1;                                                \
-    C.n = b / 8 / sizeof( mbedtls_mpi_uint) + 1;                      \
-    C.p = Cp;                                               \
-    memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) );                \
-                                                            \
-    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, b * 2 / 8 / sizeof( mbedtls_mpi_uint ) ) ); \
+#define INIT( b )                                                       \
+    int ret;                                                            \
+    signed char c = 0, cc;                                              \
+    uint32_t cur;                                                       \
+    size_t i = 0, bits = (b);                                           \
+    mbedtls_mpi C;                                                      \
+    mbedtls_mpi_uint Cp[ (b) / 8 / sizeof( mbedtls_mpi_uint) + 1 ];     \
+                                                                        \
+    C.s = 1;                                                            \
+    C.n = (b) / 8 / sizeof( mbedtls_mpi_uint) + 1;                      \
+    C.p = Cp;                                                           \
+    memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) );                  \
+                                                                        \
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, (b) * 2 / 8 /                 \
+                                       sizeof( mbedtls_mpi_uint ) ) );  \
     LOAD32;
 
 #define NEXT                    \
@@ -1176,7 +1246,7 @@ static int ecp_mod_p255( mbedtls_mpi *N )
     M.s = 1;
     M.n = N->n - ( P255_WIDTH - 1 );
     if( M.n > P255_WIDTH + 1 )
-        M.n = P255_WIDTH + 1;
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
     M.p = Mp;
     memset( Mp, 0, sizeof Mp );
     memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
@@ -1197,6 +1267,77 @@ static int ecp_mod_p255( mbedtls_mpi *N )
 }
 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
 
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+
+/* Size of p448 in terms of mbedtls_mpi_uint */
+#define P448_WIDTH      ( 448 / 8 / sizeof( mbedtls_mpi_uint ) )
+
+/* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */
+#define DIV_ROUND_UP( X, Y ) ( ( ( X ) + ( Y ) - 1 ) / ( Y ) )
+#define P224_WIDTH_MIN   ( 28 / sizeof( mbedtls_mpi_uint ) )
+#define P224_WIDTH_MAX   DIV_ROUND_UP( 28, sizeof( mbedtls_mpi_uint ) )
+#define P224_UNUSED_BITS ( ( P224_WIDTH_MAX * sizeof( mbedtls_mpi_uint ) * 8 ) - 224 )
+
+/*
+ * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
+ * Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return
+ * A0 + A1 + B1 + (B0 + B1) * 2^224.  This is different to the reference
+ * implementation of Curve448, which uses its own special 56-bit limbs rather
+ * than a generic bignum library.  We could squeeze some extra speed out on
+ * 32-bit machines by splitting N up into 32-bit limbs and doing the
+ * arithmetic using the limbs directly as we do for the NIST primes above,
+ * but for 64-bit targets it should use half the number of operations if we do
+ * the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds.
+ */
+static int ecp_mod_p448( mbedtls_mpi *N )
+{
+    int ret;
+    size_t i;
+    mbedtls_mpi M, Q;
+    mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH];
+
+    if( N->n <= P448_WIDTH )
+        return( 0 );
+
+    /* M = A1 */
+    M.s = 1;
+    M.n = N->n - ( P448_WIDTH );
+    if( M.n > P448_WIDTH )
+        /* Shouldn't be called with N larger than 2^896! */
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    M.p = Mp;
+    memset( Mp, 0, sizeof( Mp ) );
+    memcpy( Mp, N->p + P448_WIDTH, M.n * sizeof( mbedtls_mpi_uint ) );
+
+    /* N = A0 */
+    for( i = P448_WIDTH; i < N->n; i++ )
+        N->p[i] = 0;
+
+    /* N += A1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );
+
+    /* Q = B1, N += B1 */
+    Q = M;
+    Q.p = Qp;
+    memcpy( Qp, Mp, sizeof( Qp ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Q, 224 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &Q ) );
+
+    /* M = (B0 + B1) * 2^224, N += M */
+    if( sizeof( mbedtls_mpi_uint ) > 4 )
+        Mp[P224_WIDTH_MIN] &= ( (mbedtls_mpi_uint)-1 ) >> ( P224_UNUSED_BITS );
+    for( i = P224_WIDTH_MAX; i < M.n; ++i )
+        Mp[i] = 0;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &M, &M, &Q ) );
+    M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &M, 224 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||   \
     defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||   \
     defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
diff --git a/3rdparty/mbedtls/mbedtls/library/entropy.c b/3rdparty/mbedtls/mbedtls/library/entropy.c
index e17512e779..f8db1a5503 100644
--- a/3rdparty/mbedtls/mbedtls/library/entropy.c
+++ b/3rdparty/mbedtls/mbedtls/library/entropy.c
@@ -35,6 +35,7 @@
 
 #include "mbedtls/entropy.h"
 #include "mbedtls/entropy_poll.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -59,11 +60,6 @@
 #include "mbedtls/havege.h"
 #endif
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 #define ENTROPY_MAX_LOOP    256     /**< Maximum amount to loop before error */
 
 void mbedtls_entropy_init( mbedtls_entropy_context *ctx )
@@ -140,7 +136,7 @@ void mbedtls_entropy_free( mbedtls_entropy_context *ctx )
     ctx->initial_entropy_run = 0;
 #endif
     ctx->source_count = 0;
-    mbedtls_zeroize( ctx->source, sizeof( ctx->source ) );
+    mbedtls_platform_zeroize( ctx->source, sizeof( ctx->source ) );
     ctx->accumulator_started = 0;
 }
 
@@ -232,7 +228,7 @@ static int entropy_update( mbedtls_entropy_context *ctx, unsigned char source_id
 #endif
 
 cleanup:
-    mbedtls_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
 
     return( ret );
 }
@@ -300,7 +296,7 @@ static int entropy_gather_internal( mbedtls_entropy_context *ctx )
         ret = MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE;
 
 cleanup:
-    mbedtls_zeroize( buf, sizeof( buf ) );
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
 
     return( ret );
 }
@@ -433,7 +429,7 @@ int mbedtls_entropy_func( void *data, unsigned char *output, size_t len )
     ret = 0;
 
 exit:
-    mbedtls_zeroize( buf, sizeof( buf ) );
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
 
 #if defined(MBEDTLS_THREADING_C)
     if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
@@ -486,7 +482,7 @@ int mbedtls_entropy_write_seed_file( mbedtls_entropy_context *ctx, const char *p
     ret = 0;
 
 exit:
-    mbedtls_zeroize( buf, sizeof( buf ) );
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
 
     fclose( f );
     return( ret );
@@ -516,7 +512,7 @@ int mbedtls_entropy_update_seed_file( mbedtls_entropy_context *ctx, const char *
 
     fclose( f );
 
-    mbedtls_zeroize( buf, sizeof( buf ) );
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
 
     if( ret != 0 )
         return( ret );
diff --git a/3rdparty/mbedtls/mbedtls/library/entropy_poll.c b/3rdparty/mbedtls/mbedtls/library/entropy_poll.c
index 02b25a2721..4556f88a55 100644
--- a/3rdparty/mbedtls/mbedtls/library/entropy_poll.c
+++ b/3rdparty/mbedtls/mbedtls/library/entropy_poll.c
@@ -19,19 +19,25 @@
  *  This file is part of mbed TLS (https://tls.mbed.org)
  */
 
+#if defined(__linux__)
+/* Ensure that syscall() is available even when compiling with -std=c99 */
+#define _GNU_SOURCE
+#endif
+
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "mbedtls/config.h"
 #else
 #include MBEDTLS_CONFIG_FILE
 #endif
 
+#include <string.h>
+
 #if defined(MBEDTLS_ENTROPY_C)
 
 #include "mbedtls/entropy.h"
 #include "mbedtls/entropy_poll.h"
 
 #if defined(MBEDTLS_TIMING_C)
-#include <string.h>
 #include "mbedtls/timing.h"
 #endif
 #if defined(MBEDTLS_HAVEGE_C)
@@ -44,7 +50,8 @@
 #if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
 
 #if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
-    !defined(__APPLE__) && !defined(_WIN32)
+    !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+    !defined(__HAIKU__)
 #error "Platform entropy sources only work on Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in config.h"
 #endif
 
diff --git a/3rdparty/mbedtls/mbedtls/library/error.c b/3rdparty/mbedtls/mbedtls/library/error.c
index b173c7e8ef..12312a0562 100644
--- a/3rdparty/mbedtls/mbedtls/library/error.c
+++ b/3rdparty/mbedtls/mbedtls/library/error.c
@@ -49,6 +49,10 @@
 #include "mbedtls/arc4.h"
 #endif
 
+#if defined(MBEDTLS_ARIA_C)
+#include "mbedtls/aria.h"
+#endif
+
 #if defined(MBEDTLS_BASE64_C)
 #include "mbedtls/base64.h"
 #endif
@@ -69,6 +73,14 @@
 #include "mbedtls/ccm.h"
 #endif
 
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
 #if defined(MBEDTLS_CIPHER_C)
 #include "mbedtls/cipher.h"
 #endif
@@ -101,6 +113,10 @@
 #include "mbedtls/gcm.h"
 #endif
 
+#if defined(MBEDTLS_HKDF_C)
+#include "mbedtls/hkdf.h"
+#endif
+
 #if defined(MBEDTLS_HMAC_DRBG_C)
 #include "mbedtls/hmac_drbg.h"
 #endif
@@ -149,6 +165,14 @@
 #include "mbedtls/pkcs5.h"
 #endif
 
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#endif
+
+#if defined(MBEDTLS_POLY1305_C)
+#include "mbedtls/poly1305.h"
+#endif
+
 #if defined(MBEDTLS_RIPEMD160_C)
 #include "mbedtls/ripemd160.h"
 #endif
@@ -256,19 +280,21 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
         if( use_ret == -(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL) )
             mbedtls_snprintf( buf, buflen, "ECP - The buffer is too small to write to" );
         if( use_ret == -(MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE) )
-            mbedtls_snprintf( buf, buflen, "ECP - Requested curve not available" );
+            mbedtls_snprintf( buf, buflen, "ECP - The requested feature is not available, for example, the requested curve is not supported" );
         if( use_ret == -(MBEDTLS_ERR_ECP_VERIFY_FAILED) )
             mbedtls_snprintf( buf, buflen, "ECP - The signature is not valid" );
         if( use_ret == -(MBEDTLS_ERR_ECP_ALLOC_FAILED) )
             mbedtls_snprintf( buf, buflen, "ECP - Memory allocation failed" );
         if( use_ret == -(MBEDTLS_ERR_ECP_RANDOM_FAILED) )
-            mbedtls_snprintf( buf, buflen, "ECP - Generation of random value, such as (ephemeral) key, failed" );
+            mbedtls_snprintf( buf, buflen, "ECP - Generation of random value, such as ephemeral key, failed" );
         if( use_ret == -(MBEDTLS_ERR_ECP_INVALID_KEY) )
             mbedtls_snprintf( buf, buflen, "ECP - Invalid private or public key" );
         if( use_ret == -(MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) )
             mbedtls_snprintf( buf, buflen, "ECP - The buffer contains a valid signature followed by more data" );
         if( use_ret == -(MBEDTLS_ERR_ECP_HW_ACCEL_FAILED) )
-            mbedtls_snprintf( buf, buflen, "ECP - ECP hardware accelerator failed" );
+            mbedtls_snprintf( buf, buflen, "ECP - The ECP hardware accelerator failed" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_IN_PROGRESS) )
+            mbedtls_snprintf( buf, buflen, "ECP - Operation in progress, call again with the same parameters to continue" );
 #endif /* MBEDTLS_ECP_C */
 
 #if defined(MBEDTLS_MD_C)
@@ -478,7 +504,7 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
         if( use_ret == -(MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE) )
             mbedtls_snprintf( buf, buflen, "SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)" );
         if( use_ret == -(MBEDTLS_ERR_SSL_WANT_READ) )
-            mbedtls_snprintf( buf, buflen, "SSL - Connection requires a read call" );
+            mbedtls_snprintf( buf, buflen, "SSL - No data of requested type currently available on underlying transport" );
         if( use_ret == -(MBEDTLS_ERR_SSL_WANT_WRITE) )
             mbedtls_snprintf( buf, buflen, "SSL - Connection requires a write call" );
         if( use_ret == -(MBEDTLS_ERR_SSL_TIMEOUT) )
@@ -491,6 +517,14 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
             mbedtls_snprintf( buf, buflen, "SSL - The alert message received indicates a non-fatal error" );
         if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH) )
             mbedtls_snprintf( buf, buflen, "SSL - Couldn't set the hash for verifying CertificateVerify" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CONTINUE_PROCESSING) )
+            mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that further message-processing should be done" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) )
+            mbedtls_snprintf( buf, buflen, "SSL - The asynchronous operation is not completed yet" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_EARLY_MESSAGE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that a message arrived early" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) )
+            mbedtls_snprintf( buf, buflen, "SSL - A cryptographic operation is in progress. Try again later" );
 #endif /* MBEDTLS_SSL_TLS_C */
 
 #if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
@@ -570,6 +604,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
         mbedtls_snprintf( buf, buflen, "AES - Invalid key length" );
     if( use_ret == -(MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH) )
         mbedtls_snprintf( buf, buflen, "AES - Invalid data input length" );
+    if( use_ret == -(MBEDTLS_ERR_AES_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "AES - Invalid input data" );
     if( use_ret == -(MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE) )
         mbedtls_snprintf( buf, buflen, "AES - Feature not available. For example, an unsupported AES key size" );
     if( use_ret == -(MBEDTLS_ERR_AES_HW_ACCEL_FAILED) )
@@ -581,6 +617,17 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
         mbedtls_snprintf( buf, buflen, "ARC4 - ARC4 hardware accelerator failed" );
 #endif /* MBEDTLS_ARC4_C */
 
+#if defined(MBEDTLS_ARIA_C)
+    if( use_ret == -(MBEDTLS_ERR_ARIA_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "ARIA - Bad input data" );
+    if( use_ret == -(MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "ARIA - Invalid data input length" );
+    if( use_ret == -(MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE) )
+        mbedtls_snprintf( buf, buflen, "ARIA - Feature not available. For example, an unsupported ARIA key size" );
+    if( use_ret == -(MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "ARIA - ARIA hardware accelerator failed" );
+#endif /* MBEDTLS_ARIA_C */
+
 #if defined(MBEDTLS_ASN1_PARSE_C)
     if( use_ret == -(MBEDTLS_ERR_ASN1_OUT_OF_DATA) )
         mbedtls_snprintf( buf, buflen, "ASN1 - Out of data when parsing an ASN1 data structure" );
@@ -625,17 +672,17 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
 #endif /* MBEDTLS_BIGNUM_C */
 
 #if defined(MBEDTLS_BLOWFISH_C)
-    if( use_ret == -(MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH) )
-        mbedtls_snprintf( buf, buflen, "BLOWFISH - Invalid key length" );
-    if( use_ret == -(MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED) )
-        mbedtls_snprintf( buf, buflen, "BLOWFISH - Blowfish hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "BLOWFISH - Bad input data" );
     if( use_ret == -(MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH) )
         mbedtls_snprintf( buf, buflen, "BLOWFISH - Invalid data input length" );
+    if( use_ret == -(MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "BLOWFISH - Blowfish hardware accelerator failed" );
 #endif /* MBEDTLS_BLOWFISH_C */
 
 #if defined(MBEDTLS_CAMELLIA_C)
-    if( use_ret == -(MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH) )
-        mbedtls_snprintf( buf, buflen, "CAMELLIA - Invalid key length" );
+    if( use_ret == -(MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "CAMELLIA - Bad input data" );
     if( use_ret == -(MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH) )
         mbedtls_snprintf( buf, buflen, "CAMELLIA - Invalid data input length" );
     if( use_ret == -(MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED) )
@@ -651,6 +698,22 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
         mbedtls_snprintf( buf, buflen, "CCM - CCM hardware accelerator failed" );
 #endif /* MBEDTLS_CCM_C */
 
+#if defined(MBEDTLS_CHACHA20_C)
+    if( use_ret == -(MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "CHACHA20 - Invalid input parameter(s)" );
+    if( use_ret == -(MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE) )
+        mbedtls_snprintf( buf, buflen, "CHACHA20 - Feature not available. For example, s part of the API is not implemented" );
+    if( use_ret == -(MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CHACHA20 - Chacha20 hardware accelerator failed" );
+#endif /* MBEDTLS_CHACHA20_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if( use_ret == -(MBEDTLS_ERR_CHACHAPOLY_BAD_STATE) )
+        mbedtls_snprintf( buf, buflen, "CHACHAPOLY - The requested operation is not permitted in the current state" );
+    if( use_ret == -(MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CHACHAPOLY - Authenticated decryption failed: data was not authentic" );
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
 #if defined(MBEDTLS_CMAC_C)
     if( use_ret == -(MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED) )
         mbedtls_snprintf( buf, buflen, "CMAC - CMAC hardware accelerator failed" );
@@ -696,6 +759,11 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
         mbedtls_snprintf( buf, buflen, "GCM - Bad input parameters to function" );
 #endif /* MBEDTLS_GCM_C */
 
+#if defined(MBEDTLS_HKDF_C)
+    if( use_ret == -(MBEDTLS_ERR_HKDF_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "HKDF - Bad input parameters to function" );
+#endif /* MBEDTLS_HKDF_C */
+
 #if defined(MBEDTLS_HMAC_DRBG_C)
     if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG) )
         mbedtls_snprintf( buf, buflen, "HMAC_DRBG - Too many random requested in single call" );
@@ -745,6 +813,10 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
         mbedtls_snprintf( buf, buflen, "NET - Buffer is too small to hold the data" );
     if( use_ret == -(MBEDTLS_ERR_NET_INVALID_CONTEXT) )
         mbedtls_snprintf( buf, buflen, "NET - The context is invalid, eg because it was free()ed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_POLL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Polling the net context failed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "NET - Input invalid" );
 #endif /* MBEDTLS_NET_C */
 
 #if defined(MBEDTLS_OID_C)
@@ -759,6 +831,22 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
         mbedtls_snprintf( buf, buflen, "PADLOCK - Input data should be aligned" );
 #endif /* MBEDTLS_PADLOCK_C */
 
+#if defined(MBEDTLS_PLATFORM_C)
+    if( use_ret == -(MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "PLATFORM - Hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED) )
+        mbedtls_snprintf( buf, buflen, "PLATFORM - The requested feature is not supported by the platform" );
+#endif /* MBEDTLS_PLATFORM_C */
+
+#if defined(MBEDTLS_POLY1305_C)
+    if( use_ret == -(MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "POLY1305 - Invalid input parameter(s)" );
+    if( use_ret == -(MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE) )
+        mbedtls_snprintf( buf, buflen, "POLY1305 - Feature not available. For example, s part of the API is not implemented" );
+    if( use_ret == -(MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "POLY1305 - Poly1305 hardware accelerator failed" );
+#endif /* MBEDTLS_POLY1305_C */
+
 #if defined(MBEDTLS_RIPEMD160_C)
     if( use_ret == -(MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED) )
         mbedtls_snprintf( buf, buflen, "RIPEMD160 - RIPEMD160 hardware accelerator failed" );
@@ -767,16 +855,22 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
 #if defined(MBEDTLS_SHA1_C)
     if( use_ret == -(MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED) )
         mbedtls_snprintf( buf, buflen, "SHA1 - SHA-1 hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_SHA1_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "SHA1 - SHA-1 input data was malformed" );
 #endif /* MBEDTLS_SHA1_C */
 
 #if defined(MBEDTLS_SHA256_C)
     if( use_ret == -(MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED) )
         mbedtls_snprintf( buf, buflen, "SHA256 - SHA-256 hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_SHA256_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "SHA256 - SHA-256 input data was malformed" );
 #endif /* MBEDTLS_SHA256_C */
 
 #if defined(MBEDTLS_SHA512_C)
     if( use_ret == -(MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED) )
         mbedtls_snprintf( buf, buflen, "SHA512 - SHA-512 hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_SHA512_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "SHA512 - SHA-512 input data was malformed" );
 #endif /* MBEDTLS_SHA512_C */
 
 #if defined(MBEDTLS_THREADING_C)
diff --git a/3rdparty/mbedtls/mbedtls/library/gcm.c b/3rdparty/mbedtls/mbedtls/library/gcm.c
index 294a86d3d4..675926a518 100644
--- a/3rdparty/mbedtls/mbedtls/library/gcm.c
+++ b/3rdparty/mbedtls/mbedtls/library/gcm.c
@@ -38,6 +38,7 @@
 #if defined(MBEDTLS_GCM_C)
 
 #include "mbedtls/gcm.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -47,9 +48,8 @@
 
 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
 #include "mbedtls/aes.h"
-#if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
-#else
+#if !defined(MBEDTLS_PLATFORM_C)
 #include <stdio.h>
 #define mbedtls_printf printf
 #endif /* MBEDTLS_PLATFORM_C */
@@ -57,6 +57,12 @@
 
 #if !defined(MBEDTLS_GCM_ALT)
 
+/* Parameter validation macros */
+#define GCM_VALIDATE_RET( cond ) \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT )
+#define GCM_VALIDATE( cond ) \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
 /*
  * 32-bit integer manipulation macros (big endian)
  */
@@ -80,16 +86,12 @@
 }
 #endif
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 /*
  * Initialize a context
  */
 void mbedtls_gcm_init( mbedtls_gcm_context *ctx )
 {
+    GCM_VALIDATE( ctx != NULL );
     memset( ctx, 0, sizeof( mbedtls_gcm_context ) );
 }
 
@@ -169,6 +171,10 @@ int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
     int ret;
     const mbedtls_cipher_info_t *cipher_info;
 
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( key != NULL );
+    GCM_VALIDATE_RET( keybits == 128 || keybits == 192 || keybits == 256 );
+
     cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, MBEDTLS_MODE_ECB );
     if( cipher_info == NULL )
         return( MBEDTLS_ERR_GCM_BAD_INPUT );
@@ -279,6 +285,10 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
     const unsigned char *p;
     size_t use_len, olen = 0;
 
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( iv != NULL );
+    GCM_VALIDATE_RET( add_len == 0 || add != NULL );
+
     /* IV and AD are limited to 2^64 bits, so 2^61 bytes */
     /* IV is not allowed to be zero length */
     if( iv_len == 0 ||
@@ -361,6 +371,10 @@ int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
     unsigned char *out_p = output;
     size_t use_len, olen = 0;
 
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( length == 0 || input != NULL );
+    GCM_VALIDATE_RET( length == 0 || output != NULL );
+
     if( output > input && (size_t) ( output - input ) < length )
         return( MBEDTLS_ERR_GCM_BAD_INPUT );
 
@@ -414,8 +428,14 @@ int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
 {
     unsigned char work_buf[16];
     size_t i;
-    uint64_t orig_len = ctx->len * 8;
-    uint64_t orig_add_len = ctx->add_len * 8;
+    uint64_t orig_len;
+    uint64_t orig_add_len;
+
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( tag != NULL );
+
+    orig_len = ctx->len * 8;
+    orig_add_len = ctx->add_len * 8;
 
     if( tag_len > 16 || tag_len < 4 )
         return( MBEDTLS_ERR_GCM_BAD_INPUT );
@@ -457,6 +477,13 @@ int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
 {
     int ret;
 
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( iv != NULL );
+    GCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    GCM_VALIDATE_RET( length == 0 || input != NULL );
+    GCM_VALIDATE_RET( length == 0 || output != NULL );
+    GCM_VALIDATE_RET( tag != NULL );
+
     if( ( ret = mbedtls_gcm_starts( ctx, mode, iv, iv_len, add, add_len ) ) != 0 )
         return( ret );
 
@@ -485,6 +512,13 @@ int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
     size_t i;
     int diff;
 
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( iv != NULL );
+    GCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    GCM_VALIDATE_RET( tag != NULL );
+    GCM_VALIDATE_RET( length == 0 || input != NULL );
+    GCM_VALIDATE_RET( length == 0 || output != NULL );
+
     if( ( ret = mbedtls_gcm_crypt_and_tag( ctx, MBEDTLS_GCM_DECRYPT, length,
                                    iv, iv_len, add, add_len,
                                    input, output, tag_len, check_tag ) ) != 0 )
@@ -498,7 +532,7 @@ int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
 
     if( diff != 0 )
     {
-        mbedtls_zeroize( output, length );
+        mbedtls_platform_zeroize( output, length );
         return( MBEDTLS_ERR_GCM_AUTH_FAILED );
     }
 
@@ -507,8 +541,10 @@ int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
 
 void mbedtls_gcm_free( mbedtls_gcm_context *ctx )
 {
+    if( ctx == NULL )
+        return;
     mbedtls_cipher_free( &ctx->cipher_ctx );
-    mbedtls_zeroize( ctx, sizeof( mbedtls_gcm_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_gcm_context ) );
 }
 
 #endif /* !MBEDTLS_GCM_ALT */
@@ -768,7 +804,7 @@ int mbedtls_gcm_self_test( int verbose )
              * there is an alternative underlying implementation i.e. when
              * MBEDTLS_AES_ALT is defined.
              */
-            if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && key_len == 192 )
+            if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && key_len == 192 )
             {
                 mbedtls_printf( "skipped\n" );
                 break;
diff --git a/3rdparty/mbedtls/mbedtls/library/havege.c b/3rdparty/mbedtls/mbedtls/library/havege.c
index 2b75ef7bd8..54f897c6e7 100644
--- a/3rdparty/mbedtls/mbedtls/library/havege.c
+++ b/3rdparty/mbedtls/mbedtls/library/havege.c
@@ -36,14 +36,10 @@
 
 #include "mbedtls/havege.h"
 #include "mbedtls/timing.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 /* ------------------------------------------------------------------------
  * On average, one iteration accesses two 8-word blocks in the havege WALK
  * table, and generates 16 words in the RES array.
@@ -58,7 +54,7 @@ static void mbedtls_zeroize( void *v, size_t n ) {
  * ------------------------------------------------------------------------
  */
 
-#define SWAP(X,Y) { int *T = X; X = Y; Y = T; }
+#define SWAP(X,Y) { int *T = (X); (X) = (Y); (Y) = T; }
 
 #define TST1_ENTER if( PTEST & 1 ) { PTEST ^= 3; PTEST >>= 1;
 #define TST2_ENTER if( PTEST & 1 ) { PTEST ^= 3; PTEST >>= 1;
@@ -208,7 +204,7 @@ void mbedtls_havege_free( mbedtls_havege_state *hs )
     if( hs == NULL )
         return;
 
-    mbedtls_zeroize( hs, sizeof( mbedtls_havege_state ) );
+    mbedtls_platform_zeroize( hs, sizeof( mbedtls_havege_state ) );
 }
 
 /*
diff --git a/3rdparty/mbedtls/mbedtls/library/hkdf.c b/3rdparty/mbedtls/mbedtls/library/hkdf.c
new file mode 100644
index 0000000000..82d8a429f4
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/library/hkdf.c
@@ -0,0 +1,192 @@
+/*
+ *  HKDF implementation -- RFC 5869
+ *
+ *  Copyright (C) 2016-2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_HKDF_C)
+
+#include <string.h>
+#include "mbedtls/hkdf.h"
+#include "mbedtls/platform_util.h"
+
+int mbedtls_hkdf( const mbedtls_md_info_t *md, const unsigned char *salt,
+                  size_t salt_len, const unsigned char *ikm, size_t ikm_len,
+                  const unsigned char *info, size_t info_len,
+                  unsigned char *okm, size_t okm_len )
+{
+    int ret;
+    unsigned char prk[MBEDTLS_MD_MAX_SIZE];
+
+    ret = mbedtls_hkdf_extract( md, salt, salt_len, ikm, ikm_len, prk );
+
+    if( ret == 0 )
+    {
+        ret = mbedtls_hkdf_expand( md, prk, mbedtls_md_get_size( md ),
+                                   info, info_len, okm, okm_len );
+    }
+
+    mbedtls_platform_zeroize( prk, sizeof( prk ) );
+
+    return( ret );
+}
+
+int mbedtls_hkdf_extract( const mbedtls_md_info_t *md,
+                          const unsigned char *salt, size_t salt_len,
+                          const unsigned char *ikm, size_t ikm_len,
+                          unsigned char *prk )
+{
+    unsigned char null_salt[MBEDTLS_MD_MAX_SIZE] = { '\0' };
+
+    if( salt == NULL )
+    {
+        size_t hash_len;
+
+        if( salt_len != 0 )
+        {
+            return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+        }
+
+        hash_len = mbedtls_md_get_size( md );
+
+        if( hash_len == 0 )
+        {
+            return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+        }
+
+        salt = null_salt;
+        salt_len = hash_len;
+    }
+
+    return( mbedtls_md_hmac( md, salt, salt_len, ikm, ikm_len, prk ) );
+}
+
+int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk,
+                         size_t prk_len, const unsigned char *info,
+                         size_t info_len, unsigned char *okm, size_t okm_len )
+{
+    size_t hash_len;
+    size_t where = 0;
+    size_t n;
+    size_t t_len = 0;
+    size_t i;
+    int ret = 0;
+    mbedtls_md_context_t ctx;
+    unsigned char t[MBEDTLS_MD_MAX_SIZE];
+
+    if( okm == NULL )
+    {
+        return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
+    }
+
+    hash_len = mbedtls_md_get_size( md );
+
+    if( prk_len < hash_len || hash_len == 0 )
+    {
+        return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
+    }
+
+    if( info == NULL )
+    {
+        info = (const unsigned char *) "";
+        info_len = 0;
+    }
+
+    n = okm_len / hash_len;
+
+    if( (okm_len % hash_len) != 0 )
+    {
+        n++;
+    }
+
+    /*
+     * Per RFC 5869 Section 2.3, okm_len must not exceed
+     * 255 times the hash length
+     */
+    if( n > 255 )
+    {
+        return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
+    }
+
+    mbedtls_md_init( &ctx );
+
+    if( (ret = mbedtls_md_setup( &ctx, md, 1) ) != 0 )
+    {
+        goto exit;
+    }
+
+    /*
+     * Compute T = T(1) | T(2) | T(3) | ... | T(N)
+     * Where T(N) is defined in RFC 5869 Section 2.3
+     */
+    for( i = 1; i <= n; i++ )
+    {
+        size_t num_to_copy;
+        unsigned char c = i & 0xff;
+
+        ret = mbedtls_md_hmac_starts( &ctx, prk, prk_len );
+        if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        ret = mbedtls_md_hmac_update( &ctx, t, t_len );
+        if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        ret = mbedtls_md_hmac_update( &ctx, info, info_len );
+        if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        /* The constant concatenated to the end of each T(n) is a single octet.
+         * */
+        ret = mbedtls_md_hmac_update( &ctx, &c, 1 );
+        if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        ret = mbedtls_md_hmac_finish( &ctx, t );
+        if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        num_to_copy = i != n ? hash_len : okm_len - where;
+        memcpy( okm + where, t, num_to_copy );
+        where += hash_len;
+        t_len = hash_len;
+    }
+
+exit:
+    mbedtls_md_free( &ctx );
+    mbedtls_platform_zeroize( t, sizeof( t ) );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_HKDF_C */
diff --git a/3rdparty/mbedtls/mbedtls/library/hmac_drbg.c b/3rdparty/mbedtls/mbedtls/library/hmac_drbg.c
index 9801bc50d8..c50330e7d8 100644
--- a/3rdparty/mbedtls/mbedtls/library/hmac_drbg.c
+++ b/3rdparty/mbedtls/mbedtls/library/hmac_drbg.c
@@ -34,6 +34,7 @@
 #if defined(MBEDTLS_HMAC_DRBG_C)
 
 #include "mbedtls/hmac_drbg.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -50,11 +51,6 @@
 #endif /* MBEDTLS_SELF_TEST */
 #endif /* MBEDTLS_PLATFORM_C */
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 /*
  * HMAC_DRBG context initialization
  */
@@ -111,16 +107,18 @@ int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx,
     }
 
 exit:
-    mbedtls_zeroize( K, sizeof( K ) );
+    mbedtls_platform_zeroize( K, sizeof( K ) );
     return( ret );
 }
 
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
 void mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx,
                                const unsigned char *additional,
                                size_t add_len )
 {
     (void) mbedtls_hmac_drbg_update_ret( ctx, additional, add_len );
 }
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
 
 /*
  * Simplified HMAC_DRBG initialisation (for use with deterministic ECDSA)
@@ -192,7 +190,7 @@ int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
 
 exit:
     /* 4. Done */
-    mbedtls_zeroize( seed, seedlen );
+    mbedtls_platform_zeroize( seed, seedlen );
     return( ret );
 }
 
@@ -385,7 +383,7 @@ void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx )
     mbedtls_mutex_free( &ctx->mutex );
 #endif
     mbedtls_md_free( &ctx->md_ctx );
-    mbedtls_zeroize( ctx, sizeof( mbedtls_hmac_drbg_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_hmac_drbg_context ) );
 }
 
 #if defined(MBEDTLS_FS_IO)
@@ -411,7 +409,7 @@ int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const cha
 
 exit:
     fclose( f );
-    mbedtls_zeroize( buf, sizeof( buf ) );
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
 
     return( ret );
 }
@@ -419,35 +417,36 @@ int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const cha
 int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path )
 {
     int ret = 0;
-    FILE *f;
+    FILE *f = NULL;
     size_t n;
     unsigned char buf[ MBEDTLS_HMAC_DRBG_MAX_INPUT ];
+    unsigned char c;
 
     if( ( f = fopen( path, "rb" ) ) == NULL )
         return( MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR );
 
-    fseek( f, 0, SEEK_END );
-    n = (size_t) ftell( f );
-    fseek( f, 0, SEEK_SET );
-
-    if( n > MBEDTLS_HMAC_DRBG_MAX_INPUT )
+    n = fread( buf, 1, sizeof( buf ), f );
+    if( fread( &c, 1, 1, f ) != 0 )
     {
-        fclose( f );
-        return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
+        ret = MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG;
+        goto exit;
     }
-
-    if( fread( buf, 1, n, f ) != n )
+    if( n == 0 || ferror( f ) )
+    {
         ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
-    else
-        ret = mbedtls_hmac_drbg_update_ret( ctx, buf, n );
-
+        goto exit;
+    }
     fclose( f );
+    f = NULL;
 
-    mbedtls_zeroize( buf, sizeof( buf ) );
+    ret = mbedtls_hmac_drbg_update_ret( ctx, buf, n );
 
+exit:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+    if( f != NULL )
+        fclose( f );
     if( ret != 0 )
         return( ret );
-
     return( mbedtls_hmac_drbg_write_seed_file( ctx, path ) );
 }
 #endif /* MBEDTLS_FS_IO */
diff --git a/3rdparty/mbedtls/mbedtls/library/md.c b/3rdparty/mbedtls/mbedtls/library/md.c
index 00249af78b..303cdcbeeb 100644
--- a/3rdparty/mbedtls/mbedtls/library/md.c
+++ b/3rdparty/mbedtls/mbedtls/library/md.c
@@ -33,6 +33,7 @@
 
 #include "mbedtls/md.h"
 #include "mbedtls/md_internal.h"
+#include "mbedtls/platform_util.h"
 
 #if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
@@ -48,11 +49,6 @@
 #include <stdio.h>
 #endif
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 /*
  * Reminder: update profiles in x509_crt.c when adding a new hash!
  */
@@ -193,11 +189,12 @@ void mbedtls_md_free( mbedtls_md_context_t *ctx )
 
     if( ctx->hmac_ctx != NULL )
     {
-        mbedtls_zeroize( ctx->hmac_ctx, 2 * ctx->md_info->block_size );
+        mbedtls_platform_zeroize( ctx->hmac_ctx,
+                                  2 * ctx->md_info->block_size );
         mbedtls_free( ctx->hmac_ctx );
     }
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_md_context_t ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_md_context_t ) );
 }
 
 int mbedtls_md_clone( mbedtls_md_context_t *dst,
@@ -311,7 +308,7 @@ int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path, unsigne
         ret = md_info->finish_func( ctx.md_ctx, output );
 
 cleanup:
-    mbedtls_zeroize( buf, sizeof( buf ) );
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
     fclose( f );
     mbedtls_md_free( &ctx );
 
@@ -361,7 +358,7 @@ int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key,
         goto cleanup;
 
 cleanup:
-    mbedtls_zeroize( sum, sizeof( sum ) );
+    mbedtls_platform_zeroize( sum, sizeof( sum ) );
 
     return( ret );
 }
diff --git a/3rdparty/mbedtls/mbedtls/library/md2.c b/3rdparty/mbedtls/mbedtls/library/md2.c
index b88aa406af..1c0b3df52d 100644
--- a/3rdparty/mbedtls/mbedtls/library/md2.c
+++ b/3rdparty/mbedtls/mbedtls/library/md2.c
@@ -34,6 +34,7 @@
 #if defined(MBEDTLS_MD2_C)
 
 #include "mbedtls/md2.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -48,11 +49,6 @@
 
 #if !defined(MBEDTLS_MD2_ALT)
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 static const unsigned char PI_SUBST[256] =
 {
     0x29, 0x2E, 0x43, 0xC9, 0xA2, 0xD8, 0x7C, 0x01, 0x3D, 0x36,
@@ -93,7 +89,7 @@ void mbedtls_md2_free( mbedtls_md2_context *ctx )
     if( ctx == NULL )
         return;
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_md2_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_md2_context ) );
 }
 
 void mbedtls_md2_clone( mbedtls_md2_context *dst,
diff --git a/3rdparty/mbedtls/mbedtls/library/md4.c b/3rdparty/mbedtls/mbedtls/library/md4.c
index ba704f58e8..828fd42999 100644
--- a/3rdparty/mbedtls/mbedtls/library/md4.c
+++ b/3rdparty/mbedtls/mbedtls/library/md4.c
@@ -34,6 +34,7 @@
 #if defined(MBEDTLS_MD4_C)
 
 #include "mbedtls/md4.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -48,11 +49,6 @@
 
 #if !defined(MBEDTLS_MD4_ALT)
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 /*
  * 32-bit integer manipulation macros (little endian)
  */
@@ -86,7 +82,7 @@ void mbedtls_md4_free( mbedtls_md4_context *ctx )
     if( ctx == NULL )
         return;
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_md4_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_md4_context ) );
 }
 
 void mbedtls_md4_clone( mbedtls_md4_context *dst,
@@ -141,15 +137,21 @@ int mbedtls_internal_md4_process( mbedtls_md4_context *ctx,
     GET_UINT32_LE( X[14], data, 56 );
     GET_UINT32_LE( X[15], data, 60 );
 
-#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
+#define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
 
     A = ctx->state[0];
     B = ctx->state[1];
     C = ctx->state[2];
     D = ctx->state[3];
 
-#define F(x, y, z) ((x & y) | ((~x) & z))
-#define P(a,b,c,d,x,s) { a += F(b,c,d) + x; a = S(a,s); }
+#define F(x, y, z) (((x) & (y)) | ((~(x)) & (z)))
+#define P(a,b,c,d,x,s)                           \
+    do                                           \
+    {                                            \
+        (a) += F((b),(c),(d)) + (x);             \
+        (a) = S((a),(s));                        \
+    } while( 0 )
+
 
     P( A, B, C, D, X[ 0],  3 );
     P( D, A, B, C, X[ 1],  7 );
@@ -171,8 +173,13 @@ int mbedtls_internal_md4_process( mbedtls_md4_context *ctx,
 #undef P
 #undef F
 
-#define F(x,y,z) ((x & y) | (x & z) | (y & z))
-#define P(a,b,c,d,x,s) { a += F(b,c,d) + x + 0x5A827999; a = S(a,s); }
+#define F(x,y,z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
+#define P(a,b,c,d,x,s)                          \
+    do                                          \
+    {                                           \
+        (a) += F((b),(c),(d)) + (x) + 0x5A827999;       \
+        (a) = S((a),(s));                               \
+    } while( 0 )
 
     P( A, B, C, D, X[ 0],  3 );
     P( D, A, B, C, X[ 4],  5 );
@@ -194,8 +201,13 @@ int mbedtls_internal_md4_process( mbedtls_md4_context *ctx,
 #undef P
 #undef F
 
-#define F(x,y,z) (x ^ y ^ z)
-#define P(a,b,c,d,x,s) { a += F(b,c,d) + x + 0x6ED9EBA1; a = S(a,s); }
+#define F(x,y,z) ((x) ^ (y) ^ (z))
+#define P(a,b,c,d,x,s)                                  \
+    do                                                  \
+    {                                                   \
+        (a) += F((b),(c),(d)) + (x) + 0x6ED9EBA1;       \
+        (a) = S((a),(s));                               \
+    } while( 0 )
 
     P( A, B, C, D, X[ 0],  3 );
     P( D, A, B, C, X[ 8],  9 );
diff --git a/3rdparty/mbedtls/mbedtls/library/md5.c b/3rdparty/mbedtls/mbedtls/library/md5.c
index 3ba88cfc5d..a93da8a061 100644
--- a/3rdparty/mbedtls/mbedtls/library/md5.c
+++ b/3rdparty/mbedtls/mbedtls/library/md5.c
@@ -33,6 +33,7 @@
 #if defined(MBEDTLS_MD5_C)
 
 #include "mbedtls/md5.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -47,11 +48,6 @@
 
 #if !defined(MBEDTLS_MD5_ALT)
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 /*
  * 32-bit integer manipulation macros (little endian)
  */
@@ -85,7 +81,7 @@ void mbedtls_md5_free( mbedtls_md5_context *ctx )
     if( ctx == NULL )
         return;
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_md5_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_md5_context ) );
 }
 
 void mbedtls_md5_clone( mbedtls_md5_context *dst,
@@ -140,19 +136,22 @@ int mbedtls_internal_md5_process( mbedtls_md5_context *ctx,
     GET_UINT32_LE( X[14], data, 56 );
     GET_UINT32_LE( X[15], data, 60 );
 
-#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
+#define S(x,n)                                                          \
+    ( ( (x) << (n) ) | ( ( (x) & 0xFFFFFFFF) >> ( 32 - (n) ) ) )
 
-#define P(a,b,c,d,k,s,t)                                \
-{                                                       \
-    a += F(b,c,d) + X[k] + t; a = S(a,s) + b;           \
-}
+#define P(a,b,c,d,k,s,t)                                        \
+    do                                                          \
+    {                                                           \
+        (a) += F((b),(c),(d)) + X[(k)] + (t);                   \
+        (a) = S((a),(s)) + (b);                                 \
+    } while( 0 )
 
     A = ctx->state[0];
     B = ctx->state[1];
     C = ctx->state[2];
     D = ctx->state[3];
 
-#define F(x,y,z) (z ^ (x & (y ^ z)))
+#define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
 
     P( A, B, C, D,  0,  7, 0xD76AA478 );
     P( D, A, B, C,  1, 12, 0xE8C7B756 );
@@ -173,7 +172,7 @@ int mbedtls_internal_md5_process( mbedtls_md5_context *ctx,
 
 #undef F
 
-#define F(x,y,z) (y ^ (z & (x ^ y)))
+#define F(x,y,z) ((y) ^ ((z) & ((x) ^ (y))))
 
     P( A, B, C, D,  1,  5, 0xF61E2562 );
     P( D, A, B, C,  6,  9, 0xC040B340 );
@@ -194,7 +193,7 @@ int mbedtls_internal_md5_process( mbedtls_md5_context *ctx,
 
 #undef F
 
-#define F(x,y,z) (x ^ y ^ z)
+#define F(x,y,z) ((x) ^ (y) ^ (z))
 
     P( A, B, C, D,  5,  4, 0xFFFA3942 );
     P( D, A, B, C,  8, 11, 0x8771F681 );
@@ -215,7 +214,7 @@ int mbedtls_internal_md5_process( mbedtls_md5_context *ctx,
 
 #undef F
 
-#define F(x,y,z) (y ^ (x | ~z))
+#define F(x,y,z) ((y) ^ ((x) | ~(z)))
 
     P( A, B, C, D,  0,  6, 0xF4292244 );
     P( D, A, B, C,  7, 10, 0x432AFF97 );
diff --git a/3rdparty/mbedtls/mbedtls/library/memory_buffer_alloc.c b/3rdparty/mbedtls/mbedtls/library/memory_buffer_alloc.c
index eb555f3326..51ea7c41d7 100644
--- a/3rdparty/mbedtls/mbedtls/library/memory_buffer_alloc.c
+++ b/3rdparty/mbedtls/mbedtls/library/memory_buffer_alloc.c
@@ -31,6 +31,7 @@
 /* No need for the header guard as MBEDTLS_MEMORY_BUFFER_ALLOC_C
    is dependent upon MBEDTLS_PLATFORM_C */
 #include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -42,11 +43,6 @@
 #include "mbedtls/threading.h"
 #endif
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 #define MAGIC1       0xFF00AA55
 #define MAGIC2       0xEE119966
 #define MAX_BT 20
@@ -113,7 +109,7 @@ static void debug_header( memory_header *hdr )
 #endif
 }
 
-static void debug_chain()
+static void debug_chain( void )
 {
     memory_header *cur = heap.first;
 
@@ -180,7 +176,7 @@ static int verify_header( memory_header *hdr )
     return( 0 );
 }
 
-static int verify_chain()
+static int verify_chain( void )
 {
     memory_header *prv = heap.first, *cur;
 
@@ -504,13 +500,13 @@ void mbedtls_memory_buffer_set_verify( int verify )
     heap.verify = verify;
 }
 
-int mbedtls_memory_buffer_alloc_verify()
+int mbedtls_memory_buffer_alloc_verify( void )
 {
     return verify_chain();
 }
 
 #if defined(MBEDTLS_MEMORY_DEBUG)
-void mbedtls_memory_buffer_alloc_status()
+void mbedtls_memory_buffer_alloc_status( void )
 {
     mbedtls_fprintf( stderr,
                       "Current use: %zu blocks / %zu bytes, max: %zu blocks / "
@@ -609,12 +605,12 @@ void mbedtls_memory_buffer_alloc_init( unsigned char *buf, size_t len )
     heap.first_free = heap.first;
 }
 
-void mbedtls_memory_buffer_alloc_free()
+void mbedtls_memory_buffer_alloc_free( void )
 {
 #if defined(MBEDTLS_THREADING_C)
     mbedtls_mutex_free( &heap.mutex );
 #endif
-    mbedtls_zeroize( &heap, sizeof(buffer_alloc_ctx) );
+    mbedtls_platform_zeroize( &heap, sizeof(buffer_alloc_ctx) );
 }
 
 #if defined(MBEDTLS_SELF_TEST)
@@ -629,7 +625,7 @@ static int check_pointer( void *p )
     return( 0 );
 }
 
-static int check_all_free( )
+static int check_all_free( void )
 {
     if(
 #if defined(MBEDTLS_MEMORY_DEBUG)
diff --git a/3rdparty/mbedtls/mbedtls/library/net_sockets.c b/3rdparty/mbedtls/mbedtls/library/net_sockets.c
index 1e737c8bb7..816b1303df 100644
--- a/3rdparty/mbedtls/mbedtls/library/net_sockets.c
+++ b/3rdparty/mbedtls/mbedtls/library/net_sockets.c
@@ -19,6 +19,11 @@
  *  This file is part of mbed TLS (https://tls.mbed.org)
  */
 
+/* Enable definition of getaddrinfo() even when compiling with -std=c99. Must
+ * be set before config.h, which pulls in glibc's features.h indirectly.
+ * Harmless on other platforms. */
+#define _POSIX_C_SOURCE 200112L
+
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "mbedtls/config.h"
 #else
@@ -28,7 +33,8 @@
 #if defined(MBEDTLS_NET_C)
 
 #if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
-    !defined(__APPLE__) && !defined(_WIN32)
+    !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+    !defined(__HAIKU__)
 #error "This module only works on Unix and Windows, see MBEDTLS_NET_C in config.h"
 #endif
 
@@ -45,6 +51,8 @@
 #if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
     !defined(EFI32)
 
+#define IS_EINTR( ret ) ( ( ret ) == WSAEINTR )
+
 #if !defined(_WIN32_WINNT) || (_WIN32_WINNT < 0x0501)
 #undef _WIN32_WINNT
 /* Enables getaddrinfo() & Co */
@@ -83,6 +91,8 @@ static int wsa_init_done = 0;
 #include <netdb.h>
 #include <errno.h>
 
+#define IS_EINTR( ret ) ( ( ret ) == EINTR )
+
 #endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
 
 /* Some MS functions want int and MSVC warns if we pass size_t,
@@ -439,6 +449,72 @@ int mbedtls_net_set_nonblock( mbedtls_net_context *ctx )
 #endif
 }
 
+/*
+ * Check if data is available on the socket
+ */
+
+int mbedtls_net_poll( mbedtls_net_context *ctx, uint32_t rw, uint32_t timeout )
+{
+    int ret;
+    struct timeval tv;
+
+    fd_set read_fds;
+    fd_set write_fds;
+
+    int fd = ctx->fd;
+
+    if( fd < 0 )
+        return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+    /* Ensure that memory sanitizers consider read_fds and write_fds as
+     * initialized even on platforms such as Glibc/x86_64 where FD_ZERO
+     * is implemented in assembly. */
+    memset( &read_fds, 0, sizeof( read_fds ) );
+    memset( &write_fds, 0, sizeof( write_fds ) );
+#endif
+#endif
+
+    FD_ZERO( &read_fds );
+    if( rw & MBEDTLS_NET_POLL_READ )
+    {
+        rw &= ~MBEDTLS_NET_POLL_READ;
+        FD_SET( fd, &read_fds );
+    }
+
+    FD_ZERO( &write_fds );
+    if( rw & MBEDTLS_NET_POLL_WRITE )
+    {
+        rw &= ~MBEDTLS_NET_POLL_WRITE;
+        FD_SET( fd, &write_fds );
+    }
+
+    if( rw != 0 )
+        return( MBEDTLS_ERR_NET_BAD_INPUT_DATA );
+
+    tv.tv_sec  = timeout / 1000;
+    tv.tv_usec = ( timeout % 1000 ) * 1000;
+
+    do
+    {
+        ret = select( fd + 1, &read_fds, &write_fds, NULL,
+                      timeout == (uint32_t) -1 ? NULL : &tv );
+    }
+    while( IS_EINTR( ret ) );
+
+    if( ret < 0 )
+        return( MBEDTLS_ERR_NET_POLL_FAILED );
+
+    ret = 0;
+    if( FD_ISSET( fd, &read_fds ) )
+        ret |= MBEDTLS_NET_POLL_READ;
+    if( FD_ISSET( fd, &write_fds ) )
+        ret |= MBEDTLS_NET_POLL_WRITE;
+
+    return( ret );
+}
+
 /*
  * Portable usleep helper
  */
@@ -498,8 +574,8 @@ int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len )
 /*
  * Read at most 'len' characters, blocking for at most 'timeout' ms
  */
-int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
-                      uint32_t timeout )
+int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf,
+                              size_t len, uint32_t timeout )
 {
     int ret;
     struct timeval tv;
diff --git a/3rdparty/mbedtls/mbedtls/library/nist_kw.c b/3rdparty/mbedtls/mbedtls/library/nist_kw.c
new file mode 100644
index 0000000000..317a2426ae
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/library/nist_kw.c
@@ -0,0 +1,755 @@
+/*
+ *  Implementation of NIST SP 800-38F key wrapping, supporting KW and KWP modes
+ *  only
+ *
+ *  Copyright (C) 2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * Definition of Key Wrapping:
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ * RFC 3394 "Advanced Encryption Standard (AES) Key Wrap Algorithm"
+ * RFC 5649 "Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm"
+ *
+ * Note: RFC 3394 defines different methodology for intermediate operations for
+ * the wrapping and unwrapping operation than the definition in NIST SP 800-38F.
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_NIST_KW_C)
+
+#include "mbedtls/nist_kw.h"
+#include "mbedtls/platform_util.h"
+
+#include <stdint.h>
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#if !defined(MBEDTLS_NIST_KW_ALT)
+
+#define KW_SEMIBLOCK_LENGTH    8
+#define MIN_SEMIBLOCKS_COUNT   3
+
+/* constant-time buffer comparison */
+static inline unsigned char mbedtls_nist_kw_safer_memcmp( const void *a, const void *b, size_t n )
+{
+    size_t i;
+    volatile const unsigned char *A = (volatile const unsigned char *) a;
+    volatile const unsigned char *B = (volatile const unsigned char *) b;
+    volatile unsigned char diff = 0;
+
+    for( i = 0; i < n; i++ )
+    {
+        /* Read volatile data in order before computing diff.
+         * This avoids IAR compiler warning:
+         * 'the order of volatile accesses is undefined ..' */
+        unsigned char x = A[i], y = B[i];
+        diff |= x ^ y;
+    }
+
+    return( diff );
+}
+
+/*! The 64-bit default integrity check value (ICV) for KW mode. */
+static const unsigned char NIST_KW_ICV1[] = {0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6};
+/*! The 32-bit default integrity check value (ICV) for KWP mode. */
+static const  unsigned char NIST_KW_ICV2[] = {0xA6, 0x59, 0x59, 0xA6};
+
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+do {                                                    \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+} while( 0 )
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+do {                                                    \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+} while( 0 )
+#endif
+
+/*
+ * Initialize context
+ */
+void mbedtls_nist_kw_init( mbedtls_nist_kw_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_nist_kw_context ) );
+}
+
+int mbedtls_nist_kw_setkey( mbedtls_nist_kw_context *ctx,
+                            mbedtls_cipher_id_t cipher,
+                            const unsigned char *key,
+                            unsigned int keybits,
+                            const int is_wrap )
+{
+    int ret;
+    const mbedtls_cipher_info_t *cipher_info;
+
+    cipher_info = mbedtls_cipher_info_from_values( cipher,
+                                                   keybits,
+                                                   MBEDTLS_MODE_ECB );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( cipher_info->block_size != 16 )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    /*
+     * SP 800-38F currently defines AES cipher as the only block cipher allowed:
+     * "For KW and KWP, the underlying block cipher shall be approved, and the
+     *  block size shall be 128 bits. Currently, the AES block cipher, with key
+     *  lengths of 128, 192, or 256 bits, is the only block cipher that fits
+     *  this profile."
+     *  Currently we don't support other 128 bit block ciphers for key wrapping,
+     *  such as Camellia and Aria.
+     */
+    if( cipher != MBEDTLS_CIPHER_ID_AES )
+        return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+
+    if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits,
+                                       is_wrap ? MBEDTLS_ENCRYPT :
+                                                 MBEDTLS_DECRYPT )
+                                                                   ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_nist_kw_free( mbedtls_nist_kw_context *ctx )
+{
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_nist_kw_context ) );
+}
+
+/*
+ * Helper function for Xoring the uint64_t "t" with the encrypted A.
+ * Defined in NIST SP 800-38F section 6.1
+ */
+static void calc_a_xor_t( unsigned char A[KW_SEMIBLOCK_LENGTH], uint64_t t )
+{
+    size_t i = 0;
+    for( i = 0; i < sizeof( t ); i++ )
+    {
+        A[i] ^= ( t >> ( ( sizeof( t ) - 1 - i ) * 8 ) ) & 0xff;
+    }
+}
+
+/*
+ * KW-AE as defined in SP 800-38F section 6.2
+ * KWP-AE as defined in SP 800-38F section 6.3
+ */
+int mbedtls_nist_kw_wrap( mbedtls_nist_kw_context *ctx,
+                          mbedtls_nist_kw_mode_t mode,
+                          const unsigned char *input, size_t in_len,
+                          unsigned char *output, size_t *out_len, size_t out_size )
+{
+    int ret = 0;
+    size_t semiblocks = 0;
+    size_t s;
+    size_t olen, padlen = 0;
+    uint64_t t = 0;
+    unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+    unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
+    unsigned char *R2 = output + KW_SEMIBLOCK_LENGTH;
+    unsigned char *A = output;
+
+    *out_len = 0;
+    /*
+     * Generate the String to work on
+     */
+    if( mode == MBEDTLS_KW_MODE_KW )
+    {
+        if( out_size < in_len + KW_SEMIBLOCK_LENGTH )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        /*
+         * According to SP 800-38F Table 1, the plaintext length for KW
+         * must be between 2 to 2^54-1 semiblocks inclusive.
+         */
+        if( in_len < 16 ||
+#if SIZE_MAX > 0x1FFFFFFFFFFFFF8
+            in_len > 0x1FFFFFFFFFFFFF8 ||
+#endif
+            in_len % KW_SEMIBLOCK_LENGTH != 0 )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        memcpy( output, NIST_KW_ICV1, KW_SEMIBLOCK_LENGTH );
+        memmove( output + KW_SEMIBLOCK_LENGTH, input, in_len );
+    }
+    else
+    {
+        if( in_len % 8 != 0 )
+        {
+            padlen = ( 8 - ( in_len % 8 ) );
+        }
+
+        if( out_size < in_len + KW_SEMIBLOCK_LENGTH + padlen )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        /*
+         * According to SP 800-38F Table 1, the plaintext length for KWP
+         * must be between 1 and 2^32-1 octets inclusive.
+         */
+        if( in_len < 1
+#if SIZE_MAX > 0xFFFFFFFF
+            || in_len > 0xFFFFFFFF
+#endif
+          )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        memcpy( output, NIST_KW_ICV2, KW_SEMIBLOCK_LENGTH / 2 );
+        PUT_UINT32_BE( ( in_len & 0xffffffff ), output,
+                       KW_SEMIBLOCK_LENGTH / 2 );
+
+        memcpy( output + KW_SEMIBLOCK_LENGTH, input, in_len );
+        memset( output + KW_SEMIBLOCK_LENGTH + in_len, 0, padlen );
+    }
+    semiblocks = ( ( in_len + padlen ) / KW_SEMIBLOCK_LENGTH ) + 1;
+
+    s = 6 * ( semiblocks - 1 );
+
+    if( mode == MBEDTLS_KW_MODE_KWP
+        && in_len <= KW_SEMIBLOCK_LENGTH )
+    {
+        memcpy( inbuff, output, 16 );
+        ret = mbedtls_cipher_update( &ctx->cipher_ctx,
+                                     inbuff, 16, output, &olen );
+        if( ret != 0 )
+            goto cleanup;
+    }
+    else
+    {
+        /*
+         * Do the wrapping function W, as defined in RFC 3394 section 2.2.1
+         */
+        if( semiblocks < MIN_SEMIBLOCKS_COUNT )
+        {
+            ret = MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+            goto cleanup;
+        }
+
+        /* Calculate intermediate values */
+        for( t = 1; t <= s; t++ )
+        {
+            memcpy( inbuff, A, KW_SEMIBLOCK_LENGTH );
+            memcpy( inbuff + KW_SEMIBLOCK_LENGTH, R2, KW_SEMIBLOCK_LENGTH );
+
+            ret = mbedtls_cipher_update( &ctx->cipher_ctx,
+                                         inbuff, 16, outbuff, &olen );
+            if( ret != 0 )
+                goto cleanup;
+
+            memcpy( A, outbuff, KW_SEMIBLOCK_LENGTH );
+            calc_a_xor_t( A, t );
+
+            memcpy( R2, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH );
+            R2 += KW_SEMIBLOCK_LENGTH;
+            if( R2 >= output + ( semiblocks * KW_SEMIBLOCK_LENGTH ) )
+                R2 = output + KW_SEMIBLOCK_LENGTH;
+        }
+    }
+
+    *out_len = semiblocks * KW_SEMIBLOCK_LENGTH;
+
+cleanup:
+
+    if( ret != 0)
+    {
+        memset( output, 0, semiblocks * KW_SEMIBLOCK_LENGTH );
+    }
+    mbedtls_platform_zeroize( inbuff, KW_SEMIBLOCK_LENGTH * 2 );
+    mbedtls_platform_zeroize( outbuff, KW_SEMIBLOCK_LENGTH * 2 );
+
+    return( ret );
+}
+
+/*
+ * W-1 function as defined in RFC 3394 section 2.2.2
+ * This function assumes the following:
+ * 1. Output buffer is at least of size ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH.
+ * 2. The input buffer is of size semiblocks * KW_SEMIBLOCK_LENGTH.
+ * 3. Minimal number of semiblocks is 3.
+ * 4. A is a buffer to hold the first semiblock of the input buffer.
+ */
+static int unwrap( mbedtls_nist_kw_context *ctx,
+                   const unsigned char *input, size_t semiblocks,
+                   unsigned char A[KW_SEMIBLOCK_LENGTH],
+                   unsigned char *output, size_t* out_len )
+{
+    int ret = 0;
+    const size_t s = 6 * ( semiblocks - 1 );
+    size_t olen;
+    uint64_t t = 0;
+    unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+    unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
+    unsigned char *R = output + ( semiblocks - 2 ) * KW_SEMIBLOCK_LENGTH;
+    *out_len = 0;
+
+    if( semiblocks < MIN_SEMIBLOCKS_COUNT )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    memcpy( A, input, KW_SEMIBLOCK_LENGTH );
+    memmove( output, input + KW_SEMIBLOCK_LENGTH, ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH );
+
+    /* Calculate intermediate values */
+    for( t = s; t >= 1; t-- )
+    {
+        calc_a_xor_t( A, t );
+
+        memcpy( inbuff, A, KW_SEMIBLOCK_LENGTH );
+        memcpy( inbuff + KW_SEMIBLOCK_LENGTH, R, KW_SEMIBLOCK_LENGTH );
+
+        ret = mbedtls_cipher_update( &ctx->cipher_ctx,
+                                     inbuff, 16, outbuff, &olen );
+        if( ret != 0 )
+            goto cleanup;
+
+        memcpy( A, outbuff, KW_SEMIBLOCK_LENGTH );
+
+        /* Set R as LSB64 of outbuff */
+        memcpy( R, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH );
+
+        if( R == output )
+            R = output + ( semiblocks - 2 ) * KW_SEMIBLOCK_LENGTH;
+        else
+            R -= KW_SEMIBLOCK_LENGTH;
+    }
+
+    *out_len = ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH;
+
+cleanup:
+    if( ret != 0)
+        memset( output, 0, ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH );
+    mbedtls_platform_zeroize( inbuff, sizeof( inbuff )  );
+    mbedtls_platform_zeroize( outbuff, sizeof( outbuff ) );
+
+    return( ret );
+}
+
+/*
+ * KW-AD as defined in SP 800-38F section 6.2
+ * KWP-AD as defined in SP 800-38F section 6.3
+ */
+int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx,
+                            mbedtls_nist_kw_mode_t mode,
+                            const unsigned char *input, size_t in_len,
+                            unsigned char *output, size_t *out_len, size_t out_size )
+{
+    int ret = 0;
+    size_t i, olen;
+    unsigned char A[KW_SEMIBLOCK_LENGTH];
+    unsigned char diff, bad_padding = 0;
+
+    *out_len = 0;
+    if( out_size < in_len - KW_SEMIBLOCK_LENGTH )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    if( mode == MBEDTLS_KW_MODE_KW )
+    {
+        /*
+         * According to SP 800-38F Table 1, the ciphertext length for KW
+         * must be between 3 to 2^54 semiblocks inclusive.
+         */
+        if( in_len < 24 ||
+#if SIZE_MAX > 0x200000000000000
+            in_len > 0x200000000000000 ||
+#endif
+            in_len % KW_SEMIBLOCK_LENGTH != 0 )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        ret = unwrap( ctx, input, in_len / KW_SEMIBLOCK_LENGTH,
+                      A, output, out_len );
+        if( ret != 0 )
+            goto cleanup;
+
+        /* Check ICV in "constant-time" */
+        diff = mbedtls_nist_kw_safer_memcmp( NIST_KW_ICV1, A, KW_SEMIBLOCK_LENGTH );
+
+        if( diff != 0 )
+        {
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+            goto cleanup;
+        }
+
+    }
+    else if( mode == MBEDTLS_KW_MODE_KWP )
+    {
+        size_t padlen = 0;
+        uint32_t Plen;
+        /*
+         * According to SP 800-38F Table 1, the ciphertext length for KWP
+         * must be between 2 to 2^29 semiblocks inclusive.
+         */
+        if( in_len < KW_SEMIBLOCK_LENGTH * 2 ||
+#if SIZE_MAX > 0x100000000
+            in_len > 0x100000000 ||
+#endif
+            in_len % KW_SEMIBLOCK_LENGTH != 0 )
+        {
+            return(  MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        if( in_len == KW_SEMIBLOCK_LENGTH * 2 )
+        {
+            unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+            ret = mbedtls_cipher_update( &ctx->cipher_ctx,
+                                         input, 16, outbuff, &olen );
+            if( ret != 0 )
+                goto cleanup;
+
+            memcpy( A, outbuff, KW_SEMIBLOCK_LENGTH );
+            memcpy( output, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH );
+            mbedtls_platform_zeroize( outbuff, sizeof( outbuff ) );
+            *out_len = KW_SEMIBLOCK_LENGTH;
+        }
+        else
+        {
+            /* in_len >=  KW_SEMIBLOCK_LENGTH * 3 */
+            ret = unwrap( ctx, input, in_len / KW_SEMIBLOCK_LENGTH,
+                          A, output, out_len );
+            if( ret != 0 )
+                goto cleanup;
+        }
+
+        /* Check ICV in "constant-time" */
+        diff = mbedtls_nist_kw_safer_memcmp( NIST_KW_ICV2, A, KW_SEMIBLOCK_LENGTH / 2 );
+
+        if( diff != 0 )
+        {
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+        }
+
+        GET_UINT32_BE( Plen, A, KW_SEMIBLOCK_LENGTH / 2 );
+
+        /*
+         * Plen is the length of the plaintext, when the input is valid.
+         * If Plen is larger than the plaintext and padding, padlen will be
+         * larger than 8, because of the type wrap around.
+         */
+        padlen = in_len - KW_SEMIBLOCK_LENGTH - Plen;
+        if ( padlen > 7 )
+        {
+            padlen &= 7;
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+        }
+
+        /* Check padding in "constant-time" */
+        for( diff = 0, i = 0; i < KW_SEMIBLOCK_LENGTH; i++ )
+        {
+             if( i >= KW_SEMIBLOCK_LENGTH - padlen )
+                 diff |= output[*out_len - KW_SEMIBLOCK_LENGTH + i];
+             else
+                 bad_padding |= output[*out_len - KW_SEMIBLOCK_LENGTH + i];
+        }
+
+        if( diff != 0 )
+        {
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+        }
+
+        if( ret != 0 )
+        {
+            goto cleanup;
+        }
+        memset( output + Plen, 0, padlen );
+        *out_len = Plen;
+    }
+    else
+    {
+        ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+        goto cleanup;
+    }
+
+cleanup:
+    if( ret != 0 )
+    {
+        memset( output, 0, *out_len );
+        *out_len = 0;
+    }
+
+    mbedtls_platform_zeroize( &bad_padding, sizeof( bad_padding) );
+    mbedtls_platform_zeroize( &diff, sizeof( diff ) );
+    mbedtls_platform_zeroize( A, sizeof( A ) );
+
+    return( ret );
+}
+
+#endif /* !MBEDTLS_NIST_KW_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+
+#define KW_TESTS 3
+
+/*
+ * Test vectors taken from NIST
+ * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/CAVP-TESTING-BLOCK-CIPHER-MODES#KW
+ */
+static const unsigned int key_len[KW_TESTS] = { 16, 24, 32 };
+
+static const unsigned char kw_key[KW_TESTS][32] = {
+    { 0x75, 0x75, 0xda, 0x3a, 0x93, 0x60, 0x7c, 0xc2,
+      0xbf, 0xd8, 0xce, 0xc7, 0xaa, 0xdf, 0xd9, 0xa6 },
+    { 0x2d, 0x85, 0x26, 0x08, 0x1d, 0x02, 0xfb, 0x5b,
+      0x85, 0xf6, 0x9a, 0xc2, 0x86, 0xec, 0xd5, 0x7d,
+      0x40, 0xdf, 0x5d, 0xf3, 0x49, 0x47, 0x44, 0xd3 },
+    { 0x11, 0x2a, 0xd4, 0x1b, 0x48, 0x56, 0xc7, 0x25,
+      0x4a, 0x98, 0x48, 0xd3, 0x0f, 0xdd, 0x78, 0x33,
+      0x5b, 0x03, 0x9a, 0x48, 0xa8, 0x96, 0x2c, 0x4d,
+      0x1c, 0xb7, 0x8e, 0xab, 0xd5, 0xda, 0xd7, 0x88 }
+};
+
+static const unsigned char kw_msg[KW_TESTS][40] = {
+    { 0x42, 0x13, 0x6d, 0x3c, 0x38, 0x4a, 0x3e, 0xea,
+      0xc9, 0x5a, 0x06, 0x6f, 0xd2, 0x8f, 0xed, 0x3f },
+    { 0x95, 0xc1, 0x1b, 0xf5, 0x35, 0x3a, 0xfe, 0xdb,
+      0x98, 0xfd, 0xd6, 0xc8, 0xca, 0x6f, 0xdb, 0x6d,
+      0xa5, 0x4b, 0x74, 0xb4, 0x99, 0x0f, 0xdc, 0x45,
+      0xc0, 0x9d, 0x15, 0x8f, 0x51, 0xce, 0x62, 0x9d,
+      0xe2, 0xaf, 0x26, 0xe3, 0x25, 0x0e, 0x6b, 0x4c },
+    { 0x1b, 0x20, 0xbf, 0x19, 0x90, 0xb0, 0x65, 0xd7,
+      0x98, 0xe1, 0xb3, 0x22, 0x64, 0xad, 0x50, 0xa8,
+      0x74, 0x74, 0x92, 0xba, 0x09, 0xa0, 0x4d, 0xd1 }
+};
+
+static const size_t kw_msg_len[KW_TESTS] = { 16, 40, 24 };
+static const size_t kw_out_len[KW_TESTS] = { 24, 48, 32 };
+static const unsigned char kw_res[KW_TESTS][48] = {
+    { 0x03, 0x1f, 0x6b, 0xd7, 0xe6, 0x1e, 0x64, 0x3d,
+      0xf6, 0x85, 0x94, 0x81, 0x6f, 0x64, 0xca, 0xa3,
+      0xf5, 0x6f, 0xab, 0xea, 0x25, 0x48, 0xf5, 0xfb },
+    { 0x44, 0x3c, 0x6f, 0x15, 0x09, 0x83, 0x71, 0x91,
+      0x3e, 0x5c, 0x81, 0x4c, 0xa1, 0xa0, 0x42, 0xec,
+      0x68, 0x2f, 0x7b, 0x13, 0x6d, 0x24, 0x3a, 0x4d,
+      0x6c, 0x42, 0x6f, 0xc6, 0x97, 0x15, 0x63, 0xe8,
+      0xa1, 0x4a, 0x55, 0x8e, 0x09, 0x64, 0x16, 0x19,
+      0xbf, 0x03, 0xfc, 0xaf, 0x90, 0xb1, 0xfc, 0x2d },
+    { 0xba, 0x8a, 0x25, 0x9a, 0x47, 0x1b, 0x78, 0x7d,
+      0xd5, 0xd5, 0x40, 0xec, 0x25, 0xd4, 0x3d, 0x87,
+      0x20, 0x0f, 0xda, 0xdc, 0x6d, 0x1f, 0x05, 0xd9,
+      0x16, 0x58, 0x4f, 0xa9, 0xf6, 0xcb, 0xf5, 0x12 }
+};
+
+static const unsigned char kwp_key[KW_TESTS][32] = {
+    { 0x78, 0x65, 0xe2, 0x0f, 0x3c, 0x21, 0x65, 0x9a,
+      0xb4, 0x69, 0x0b, 0x62, 0x9c, 0xdf, 0x3c, 0xc4 },
+    { 0xf5, 0xf8, 0x96, 0xa3, 0xbd, 0x2f, 0x4a, 0x98,
+      0x23, 0xef, 0x16, 0x2b, 0x00, 0xb8, 0x05, 0xd7,
+      0xde, 0x1e, 0xa4, 0x66, 0x26, 0x96, 0xa2, 0x58 },
+    { 0x95, 0xda, 0x27, 0x00, 0xca, 0x6f, 0xd9, 0xa5,
+      0x25, 0x54, 0xee, 0x2a, 0x8d, 0xf1, 0x38, 0x6f,
+      0x5b, 0x94, 0xa1, 0xa6, 0x0e, 0xd8, 0xa4, 0xae,
+      0xf6, 0x0a, 0x8d, 0x61, 0xab, 0x5f, 0x22, 0x5a }
+};
+
+static const unsigned char kwp_msg[KW_TESTS][31] = {
+    { 0xbd, 0x68, 0x43, 0xd4, 0x20, 0x37, 0x8d, 0xc8,
+      0x96 },
+    { 0x6c, 0xcd, 0xd5, 0x85, 0x18, 0x40, 0x97, 0xeb,
+      0xd5, 0xc3, 0xaf, 0x3e, 0x47, 0xd0, 0x2c, 0x19,
+      0x14, 0x7b, 0x4d, 0x99, 0x5f, 0x96, 0x43, 0x66,
+      0x91, 0x56, 0x75, 0x8c, 0x13, 0x16, 0x8f },
+    { 0xd1 }
+};
+static const size_t kwp_msg_len[KW_TESTS] = { 9, 31, 1 };
+
+static const unsigned char kwp_res[KW_TESTS][48] = {
+    { 0x41, 0xec, 0xa9, 0x56, 0xd4, 0xaa, 0x04, 0x7e,
+      0xb5, 0xcf, 0x4e, 0xfe, 0x65, 0x96, 0x61, 0xe7,
+      0x4d, 0xb6, 0xf8, 0xc5, 0x64, 0xe2, 0x35, 0x00 },
+    { 0x4e, 0x9b, 0xc2, 0xbc, 0xbc, 0x6c, 0x1e, 0x13,
+      0xd3, 0x35, 0xbc, 0xc0, 0xf7, 0x73, 0x6a, 0x88,
+      0xfa, 0x87, 0x53, 0x66, 0x15, 0xbb, 0x8e, 0x63,
+      0x8b, 0xcc, 0x81, 0x66, 0x84, 0x68, 0x17, 0x90,
+      0x67, 0xcf, 0xa9, 0x8a, 0x9d, 0x0e, 0x33, 0x26 },
+    { 0x06, 0xba, 0x7a, 0xe6, 0xf3, 0x24, 0x8c, 0xfd,
+      0xcf, 0x26, 0x75, 0x07, 0xfa, 0x00, 0x1b, 0xc4  }
+};
+static const size_t kwp_out_len[KW_TESTS] = { 24, 40, 16 };
+
+int mbedtls_nist_kw_self_test( int verbose )
+{
+    mbedtls_nist_kw_context ctx;
+    unsigned char out[48];
+    size_t olen;
+    int i;
+    int ret = 0;
+    mbedtls_nist_kw_init( &ctx );
+
+    for( i = 0; i < KW_TESTS; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  KW-AES-%u ", (unsigned int) key_len[i] * 8 );
+
+        ret = mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+                                      kw_key[i], key_len[i] * 8, 1 );
+        if( ret != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "  KW: setup failed " );
+
+            goto end;
+        }
+
+        ret = mbedtls_nist_kw_wrap( &ctx, MBEDTLS_KW_MODE_KW, kw_msg[i],
+                                    kw_msg_len[i], out, &olen, sizeof( out ) );
+        if( ret != 0 || kw_out_len[i] != olen ||
+            memcmp( out, kw_res[i], kw_out_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed. ");
+
+            ret = 1;
+            goto end;
+        }
+
+        if( ( ret = mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+                                            kw_key[i], key_len[i] * 8, 0 ) )
+              != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "  KW: setup failed ");
+
+            goto end;
+        }
+
+        ret = mbedtls_nist_kw_unwrap( &ctx, MBEDTLS_KW_MODE_KW,
+                                      out, olen, out, &olen, sizeof( out ) );
+
+        if( ret != 0 || olen != kw_msg_len[i] ||
+            memcmp( out, kw_msg[i], kw_msg_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto end;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( " passed\n" );
+    }
+
+    for( i = 0; i < KW_TESTS; i++ )
+    {
+        olen = sizeof( out );
+        if( verbose != 0 )
+            mbedtls_printf( "  KWP-AES-%u ", (unsigned int) key_len[i] * 8 );
+
+        ret = mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, kwp_key[i],
+                                      key_len[i] * 8, 1 );
+        if( ret  != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "  KWP: setup failed " );
+
+            goto end;
+        }
+        ret = mbedtls_nist_kw_wrap( &ctx, MBEDTLS_KW_MODE_KWP, kwp_msg[i],
+                                    kwp_msg_len[i], out, &olen, sizeof( out ) );
+
+        if( ret != 0 || kwp_out_len[i] != olen ||
+            memcmp( out, kwp_res[i], kwp_out_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed. ");
+
+            ret = 1;
+            goto end;
+        }
+
+        if( ( ret = mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+                                            kwp_key[i], key_len[i] * 8, 0 ) )
+              != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "  KWP: setup failed ");
+
+            goto end;
+        }
+
+        ret = mbedtls_nist_kw_unwrap(  &ctx, MBEDTLS_KW_MODE_KWP, out,
+                                       olen, out, &olen, sizeof( out ) );
+
+        if( ret != 0 || olen != kwp_msg_len[i] ||
+            memcmp( out, kwp_msg[i], kwp_msg_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed. ");
+
+            ret = 1;
+            goto end;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( " passed\n" );
+    }
+end:
+    mbedtls_nist_kw_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_NIST_KW_C */
diff --git a/3rdparty/mbedtls/mbedtls/library/oid.c b/3rdparty/mbedtls/mbedtls/library/oid.c
index edea950f8f..33f437cbe6 100644
--- a/3rdparty/mbedtls/mbedtls/library/oid.c
+++ b/3rdparty/mbedtls/mbedtls/library/oid.c
@@ -54,22 +54,24 @@
  * Macro to generate an internal function for oid_XXX_from_asn1() (used by
  * the other functions)
  */
-#define FN_OID_TYPED_FROM_ASN1( TYPE_T, NAME, LIST )                        \
-static const TYPE_T * oid_ ## NAME ## _from_asn1( const mbedtls_asn1_buf *oid )     \
-{                                                                           \
-    const TYPE_T *p = LIST;                                                 \
-    const mbedtls_oid_descriptor_t *cur = (const mbedtls_oid_descriptor_t *) p;             \
-    if( p == NULL || oid == NULL ) return( NULL );                          \
-    while( cur->asn1 != NULL ) {                                            \
-        if( cur->asn1_len == oid->len &&                                    \
-            memcmp( cur->asn1, oid->p, oid->len ) == 0 ) {                  \
-            return( p );                                                    \
-        }                                                                   \
-        p++;                                                                \
-        cur = (const mbedtls_oid_descriptor_t *) p;                                 \
-    }                                                                       \
-    return( NULL );                                                         \
-}
+#define FN_OID_TYPED_FROM_ASN1( TYPE_T, NAME, LIST )                    \
+    static const TYPE_T * oid_ ## NAME ## _from_asn1(                   \
+                                      const mbedtls_asn1_buf *oid )     \
+    {                                                                   \
+        const TYPE_T *p = (LIST);                                       \
+        const mbedtls_oid_descriptor_t *cur =                           \
+            (const mbedtls_oid_descriptor_t *) p;                       \
+        if( p == NULL || oid == NULL ) return( NULL );                  \
+        while( cur->asn1 != NULL ) {                                    \
+            if( cur->asn1_len == oid->len &&                            \
+                memcmp( cur->asn1, oid->p, oid->len ) == 0 ) {          \
+                return( p );                                            \
+            }                                                           \
+            p++;                                                        \
+            cur = (const mbedtls_oid_descriptor_t *) p;                 \
+        }                                                               \
+        return( NULL );                                                 \
+    }
 
 /*
  * Macro to generate a function for retrieving a single attribute from the
@@ -103,12 +105,13 @@ int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1 )
  */
 #define FN_OID_GET_ATTR2(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1,     \
                          ATTR2_TYPE, ATTR2)                                 \
-int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1, ATTR2_TYPE * ATTR2 )  \
+int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1,               \
+                                          ATTR2_TYPE * ATTR2 )              \
 {                                                                           \
     const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid );            \
-    if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );                \
-    *ATTR1 = data->ATTR1;                                                   \
-    *ATTR2 = data->ATTR2;                                                   \
+    if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );                 \
+    *(ATTR1) = data->ATTR1;                                                 \
+    *(ATTR2) = data->ATTR2;                                                 \
     return( 0 );                                                            \
 }
 
@@ -119,16 +122,16 @@ int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1, ATTR2_TYPE * ATTR2
 #define FN_OID_GET_OID_BY_ATTR1(FN_NAME, TYPE_T, LIST, ATTR1_TYPE, ATTR1)   \
 int FN_NAME( ATTR1_TYPE ATTR1, const char **oid, size_t *olen )             \
 {                                                                           \
-    const TYPE_T *cur = LIST;                                               \
+    const TYPE_T *cur = (LIST);                                             \
     while( cur->descriptor.asn1 != NULL ) {                                 \
-        if( cur->ATTR1 == ATTR1 ) {                                         \
+        if( cur->ATTR1 == (ATTR1) ) {                                       \
             *oid = cur->descriptor.asn1;                                    \
             *olen = cur->descriptor.asn1_len;                               \
             return( 0 );                                                    \
         }                                                                   \
         cur++;                                                              \
     }                                                                       \
-    return( MBEDTLS_ERR_OID_NOT_FOUND );                                   \
+    return( MBEDTLS_ERR_OID_NOT_FOUND );                                    \
 }
 
 /*
@@ -140,9 +143,9 @@ int FN_NAME( ATTR1_TYPE ATTR1, const char **oid, size_t *olen )             \
 int FN_NAME( ATTR1_TYPE ATTR1, ATTR2_TYPE ATTR2, const char **oid ,         \
              size_t *olen )                                                 \
 {                                                                           \
-    const TYPE_T *cur = LIST;                                               \
+    const TYPE_T *cur = (LIST);                                             \
     while( cur->descriptor.asn1 != NULL ) {                                 \
-        if( cur->ATTR1 == ATTR1 && cur->ATTR2 == ATTR2 ) {                  \
+        if( cur->ATTR1 == (ATTR1) && cur->ATTR2 == (ATTR2) ) {              \
             *oid = cur->descriptor.asn1;                                    \
             *olen = cur->descriptor.asn1_len;                               \
             return( 0 );                                                    \
diff --git a/3rdparty/mbedtls/mbedtls/library/pem.c b/3rdparty/mbedtls/mbedtls/library/pem.c
index ac86d7e479..897c8a0d6f 100644
--- a/3rdparty/mbedtls/mbedtls/library/pem.c
+++ b/3rdparty/mbedtls/mbedtls/library/pem.c
@@ -33,6 +33,7 @@
 #include "mbedtls/aes.h"
 #include "mbedtls/md5.h"
 #include "mbedtls/cipher.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -45,11 +46,6 @@
 #endif
 
 #if defined(MBEDTLS_PEM_PARSE_C)
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 void mbedtls_pem_init( mbedtls_pem_context *ctx )
 {
     memset( ctx, 0, sizeof( mbedtls_pem_context ) );
@@ -135,7 +131,7 @@ static int pem_pbkdf1( unsigned char *key, size_t keylen,
 
 exit:
     mbedtls_md5_free( &md5_ctx );
-    mbedtls_zeroize( md5sum, 16 );
+    mbedtls_platform_zeroize( md5sum, 16 );
 
     return( ret );
 }
@@ -164,7 +160,7 @@ static int pem_des_decrypt( unsigned char des_iv[8],
 
 exit:
     mbedtls_des_free( &des_ctx );
-    mbedtls_zeroize( des_key, 8 );
+    mbedtls_platform_zeroize( des_key, 8 );
 
     return( ret );
 }
@@ -192,7 +188,7 @@ static int pem_des3_decrypt( unsigned char des3_iv[8],
 
 exit:
     mbedtls_des3_free( &des3_ctx );
-    mbedtls_zeroize( des3_key, 24 );
+    mbedtls_platform_zeroize( des3_key, 24 );
 
     return( ret );
 }
@@ -222,7 +218,7 @@ static int pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen,
 
 exit:
     mbedtls_aes_free( &aes_ctx );
-    mbedtls_zeroize( aes_key, keylen );
+    mbedtls_platform_zeroize( aes_key, keylen );
 
     return( ret );
 }
@@ -359,7 +355,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
 
     if( ( ret = mbedtls_base64_decode( buf, len, &len, s1, s2 - s1 ) ) != 0 )
     {
-        mbedtls_zeroize( buf, len );
+        mbedtls_platform_zeroize( buf, len );
         mbedtls_free( buf );
         return( MBEDTLS_ERR_PEM_INVALID_DATA + ret );
     }
@@ -370,7 +366,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
     ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
         if( pwd == NULL )
         {
-            mbedtls_zeroize( buf, len );
+            mbedtls_platform_zeroize( buf, len );
             mbedtls_free( buf );
             return( MBEDTLS_ERR_PEM_PASSWORD_REQUIRED );
         }
@@ -403,16 +399,16 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
          * The result will be ASN.1 starting with a SEQUENCE tag, with 1 to 3
          * length bytes (allow 4 to be sure) in all known use cases.
          *
-         * Use that as heurisitic to try detecting password mismatchs.
+         * Use that as a heuristic to try to detect password mismatches.
          */
         if( len <= 2 || buf[0] != 0x30 || buf[1] > 0x83 )
         {
-            mbedtls_zeroize( buf, len );
+            mbedtls_platform_zeroize( buf, len );
             mbedtls_free( buf );
             return( MBEDTLS_ERR_PEM_PASSWORD_MISMATCH );
         }
 #else
-        mbedtls_zeroize( buf, len );
+        mbedtls_platform_zeroize( buf, len );
         mbedtls_free( buf );
         return( MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE );
 #endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC &&
@@ -427,12 +423,14 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
 
 void mbedtls_pem_free( mbedtls_pem_context *ctx )
 {
-    if( ctx->buf != NULL )
-        mbedtls_zeroize( ctx->buf, ctx->buflen );
-    mbedtls_free( ctx->buf );
+    if ( ctx->buf != NULL )
+    {
+        mbedtls_platform_zeroize( ctx->buf, ctx->buflen );
+        mbedtls_free( ctx->buf );
+    }
     mbedtls_free( ctx->info );
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_pem_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_pem_context ) );
 }
 #endif /* MBEDTLS_PEM_PARSE_C */
 
diff --git a/3rdparty/mbedtls/mbedtls/library/pk.c b/3rdparty/mbedtls/mbedtls/library/pk.c
index b52c73fbc6..bac685dc19 100644
--- a/3rdparty/mbedtls/mbedtls/library/pk.c
+++ b/3rdparty/mbedtls/mbedtls/library/pk.c
@@ -29,6 +29,8 @@
 #include "mbedtls/pk.h"
 #include "mbedtls/pk_internal.h"
 
+#include "mbedtls/platform_util.h"
+
 #if defined(MBEDTLS_RSA_C)
 #include "mbedtls/rsa.h"
 #endif
@@ -42,18 +44,18 @@
 #include <limits.h>
 #include <stdint.h>
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
+/* Parameter validation macros based on platform_util.h */
+#define PK_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
+#define PK_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
 
 /*
  * Initialise a mbedtls_pk_context
  */
 void mbedtls_pk_init( mbedtls_pk_context *ctx )
 {
-    if( ctx == NULL )
-        return;
+    PK_VALIDATE( ctx != NULL );
 
     ctx->pk_info = NULL;
     ctx->pk_ctx = NULL;
@@ -64,13 +66,43 @@ void mbedtls_pk_init( mbedtls_pk_context *ctx )
  */
 void mbedtls_pk_free( mbedtls_pk_context *ctx )
 {
-    if( ctx == NULL || ctx->pk_info == NULL )
+    if( ctx == NULL )
+        return;
+
+    if ( ctx->pk_info != NULL )
+        ctx->pk_info->ctx_free_func( ctx->pk_ctx );
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_pk_context ) );
+}
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_pk_restart_init( mbedtls_pk_restart_ctx *ctx )
+{
+    PK_VALIDATE( ctx != NULL );
+    ctx->pk_info = NULL;
+    ctx->rs_ctx = NULL;
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_pk_restart_free( mbedtls_pk_restart_ctx *ctx )
+{
+    if( ctx == NULL || ctx->pk_info == NULL ||
+        ctx->pk_info->rs_free_func == NULL )
+    {
         return;
+    }
 
-    ctx->pk_info->ctx_free_func( ctx->pk_ctx );
+    ctx->pk_info->rs_free_func( ctx->rs_ctx );
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_pk_context ) );
+    ctx->pk_info = NULL;
+    ctx->rs_ctx = NULL;
 }
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
 
 /*
  * Get pk_info structure from type
@@ -103,7 +135,8 @@ const mbedtls_pk_info_t * mbedtls_pk_info_from_type( mbedtls_pk_type_t pk_type )
  */
 int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info )
 {
-    if( ctx == NULL || info == NULL || ctx->pk_info != NULL )
+    PK_VALIDATE_RET( ctx != NULL );
+    if( info == NULL || ctx->pk_info != NULL )
         return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
 
     if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL )
@@ -126,7 +159,8 @@ int mbedtls_pk_setup_rsa_alt( mbedtls_pk_context *ctx, void * key,
     mbedtls_rsa_alt_context *rsa_alt;
     const mbedtls_pk_info_t *info = &mbedtls_rsa_alt_info;
 
-    if( ctx == NULL || ctx->pk_info != NULL )
+    PK_VALIDATE_RET( ctx != NULL );
+    if( ctx->pk_info != NULL )
         return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
 
     if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL )
@@ -150,7 +184,9 @@ int mbedtls_pk_setup_rsa_alt( mbedtls_pk_context *ctx, void * key,
  */
 int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type )
 {
-    /* null or NONE context can't do anything */
+    /* A context with null pk_info is not set up yet and can't do anything.
+     * For backward compatibility, also accept NULL instead of a context
+     * pointer. */
     if( ctx == NULL || ctx->pk_info == NULL )
         return( 0 );
 
@@ -174,17 +210,71 @@ static inline int pk_hashlen_helper( mbedtls_md_type_t md_alg, size_t *hash_len
     return( 0 );
 }
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
 /*
- * Verify a signature
+ * Helper to set up a restart context if needed
  */
-int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+static int pk_restart_setup( mbedtls_pk_restart_ctx *ctx,
+                             const mbedtls_pk_info_t *info )
+{
+    /* Don't do anything if already set up or invalid */
+    if( ctx == NULL || ctx->pk_info != NULL )
+        return( 0 );
+
+    /* Should never happen when we're called */
+    if( info->rs_alloc_func == NULL || info->rs_free_func == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ( ctx->rs_ctx = info->rs_alloc_func() ) == NULL )
+        return( MBEDTLS_ERR_PK_ALLOC_FAILED );
+
+    ctx->pk_info = info;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/*
+ * Verify a signature (restartable)
+ */
+int mbedtls_pk_verify_restartable( mbedtls_pk_context *ctx,
+               mbedtls_md_type_t md_alg,
                const unsigned char *hash, size_t hash_len,
-               const unsigned char *sig, size_t sig_len )
+               const unsigned char *sig, size_t sig_len,
+               mbedtls_pk_restart_ctx *rs_ctx )
 {
-    if( ctx == NULL || ctx->pk_info == NULL ||
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) ||
+                     hash != NULL );
+    PK_VALIDATE_RET( sig != NULL );
+
+    if( ctx->pk_info == NULL ||
         pk_hashlen_helper( md_alg, &hash_len ) != 0 )
         return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* optimization: use non-restartable version if restart disabled */
+    if( rs_ctx != NULL &&
+        mbedtls_ecp_restart_is_enabled() &&
+        ctx->pk_info->verify_rs_func != NULL )
+    {
+        int ret;
+
+        if( ( ret = pk_restart_setup( rs_ctx, ctx->pk_info ) ) != 0 )
+            return( ret );
+
+        ret = ctx->pk_info->verify_rs_func( ctx->pk_ctx,
+                   md_alg, hash, hash_len, sig, sig_len, rs_ctx->rs_ctx );
+
+        if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+            mbedtls_pk_restart_free( rs_ctx );
+
+        return( ret );
+    }
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+    (void) rs_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
     if( ctx->pk_info->verify_func == NULL )
         return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
 
@@ -192,6 +282,17 @@ int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
                                        sig, sig_len ) );
 }
 
+/*
+ * Verify a signature
+ */
+int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+               const unsigned char *hash, size_t hash_len,
+               const unsigned char *sig, size_t sig_len )
+{
+    return( mbedtls_pk_verify_restartable( ctx, md_alg, hash, hash_len,
+                                           sig, sig_len, NULL ) );
+}
+
 /*
  * Verify a signature with options
  */
@@ -200,7 +301,12 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
                    const unsigned char *hash, size_t hash_len,
                    const unsigned char *sig, size_t sig_len )
 {
-    if( ctx == NULL || ctx->pk_info == NULL )
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) ||
+                     hash != NULL );
+    PK_VALIDATE_RET( sig != NULL );
+
+    if( ctx->pk_info == NULL )
         return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
 
     if( ! mbedtls_pk_can_do( ctx, type ) )
@@ -251,17 +357,47 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
 }
 
 /*
- * Make a signature
+ * Make a signature (restartable)
  */
-int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+int mbedtls_pk_sign_restartable( mbedtls_pk_context *ctx,
+             mbedtls_md_type_t md_alg,
              const unsigned char *hash, size_t hash_len,
              unsigned char *sig, size_t *sig_len,
-             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+             mbedtls_pk_restart_ctx *rs_ctx )
 {
-    if( ctx == NULL || ctx->pk_info == NULL ||
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) ||
+                     hash != NULL );
+    PK_VALIDATE_RET( sig != NULL );
+
+    if( ctx->pk_info == NULL ||
         pk_hashlen_helper( md_alg, &hash_len ) != 0 )
         return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* optimization: use non-restartable version if restart disabled */
+    if( rs_ctx != NULL &&
+        mbedtls_ecp_restart_is_enabled() &&
+        ctx->pk_info->sign_rs_func != NULL )
+    {
+        int ret;
+
+        if( ( ret = pk_restart_setup( rs_ctx, ctx->pk_info ) ) != 0 )
+            return( ret );
+
+        ret = ctx->pk_info->sign_rs_func( ctx->pk_ctx, md_alg,
+                hash, hash_len, sig, sig_len, f_rng, p_rng, rs_ctx->rs_ctx );
+
+        if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+            mbedtls_pk_restart_free( rs_ctx );
+
+        return( ret );
+    }
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+    (void) rs_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
     if( ctx->pk_info->sign_func == NULL )
         return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
 
@@ -269,6 +405,18 @@ int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
                                      sig, sig_len, f_rng, p_rng ) );
 }
 
+/*
+ * Make a signature
+ */
+int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+             const unsigned char *hash, size_t hash_len,
+             unsigned char *sig, size_t *sig_len,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    return( mbedtls_pk_sign_restartable( ctx, md_alg, hash, hash_len,
+                                         sig, sig_len, f_rng, p_rng, NULL ) );
+}
+
 /*
  * Decrypt message
  */
@@ -277,7 +425,12 @@ int mbedtls_pk_decrypt( mbedtls_pk_context *ctx,
                 unsigned char *output, size_t *olen, size_t osize,
                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
 {
-    if( ctx == NULL || ctx->pk_info == NULL )
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( input != NULL || ilen == 0 );
+    PK_VALIDATE_RET( output != NULL || osize == 0 );
+    PK_VALIDATE_RET( olen != NULL );
+
+    if( ctx->pk_info == NULL )
         return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
 
     if( ctx->pk_info->decrypt_func == NULL )
@@ -295,7 +448,12 @@ int mbedtls_pk_encrypt( mbedtls_pk_context *ctx,
                 unsigned char *output, size_t *olen, size_t osize,
                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
 {
-    if( ctx == NULL || ctx->pk_info == NULL )
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( input != NULL || ilen == 0 );
+    PK_VALIDATE_RET( output != NULL || osize == 0 );
+    PK_VALIDATE_RET( olen != NULL );
+
+    if( ctx->pk_info == NULL )
         return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
 
     if( ctx->pk_info->encrypt_func == NULL )
@@ -310,8 +468,11 @@ int mbedtls_pk_encrypt( mbedtls_pk_context *ctx,
  */
 int mbedtls_pk_check_pair( const mbedtls_pk_context *pub, const mbedtls_pk_context *prv )
 {
-    if( pub == NULL || pub->pk_info == NULL ||
-        prv == NULL || prv->pk_info == NULL ||
+    PK_VALIDATE_RET( pub != NULL );
+    PK_VALIDATE_RET( prv != NULL );
+
+    if( pub->pk_info == NULL ||
+        prv->pk_info == NULL ||
         prv->pk_info->check_pair_func == NULL )
     {
         return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
@@ -336,6 +497,8 @@ int mbedtls_pk_check_pair( const mbedtls_pk_context *pub, const mbedtls_pk_conte
  */
 size_t mbedtls_pk_get_bitlen( const mbedtls_pk_context *ctx )
 {
+    /* For backward compatibility, accept NULL or a context that
+     * isn't set up yet, and return a fake value that should be safe. */
     if( ctx == NULL || ctx->pk_info == NULL )
         return( 0 );
 
@@ -347,7 +510,8 @@ size_t mbedtls_pk_get_bitlen( const mbedtls_pk_context *ctx )
  */
 int mbedtls_pk_debug( const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items )
 {
-    if( ctx == NULL || ctx->pk_info == NULL )
+    PK_VALIDATE_RET( ctx != NULL );
+    if( ctx->pk_info == NULL )
         return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
 
     if( ctx->pk_info->debug_func == NULL )
diff --git a/3rdparty/mbedtls/mbedtls/library/pk_wrap.c b/3rdparty/mbedtls/mbedtls/library/pk_wrap.c
index 5446e23507..87806be337 100644
--- a/3rdparty/mbedtls/mbedtls/library/pk_wrap.c
+++ b/3rdparty/mbedtls/mbedtls/library/pk_wrap.c
@@ -41,6 +41,10 @@
 #include "mbedtls/ecdsa.h"
 #endif
 
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+#include "mbedtls/platform_util.h"
+#endif
+
 #if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
 #else
@@ -52,13 +56,6 @@
 #include <limits.h>
 #include <stdint.h>
 
-#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-#endif
-
 #if defined(MBEDTLS_RSA_C)
 static int rsa_can_do( mbedtls_pk_type_t type )
 {
@@ -193,11 +190,19 @@ const mbedtls_pk_info_t mbedtls_rsa_info = {
     rsa_can_do,
     rsa_verify_wrap,
     rsa_sign_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
     rsa_decrypt_wrap,
     rsa_encrypt_wrap,
     rsa_check_pair_wrap,
     rsa_alloc_wrap,
     rsa_free_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
     rsa_debug,
 };
 #endif /* MBEDTLS_RSA_C */
@@ -265,6 +270,110 @@ static int eckey_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
     return( ret );
 }
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/* Forward declarations */
+static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len,
+                       void *rs_ctx );
+
+static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                   void *rs_ctx );
+
+/*
+ * Restart context for ECDSA operations with ECKEY context
+ *
+ * We need to store an actual ECDSA context, as we need to pass the same to
+ * the underlying ecdsa function, so we can't create it on the fly every time.
+ */
+typedef struct
+{
+    mbedtls_ecdsa_restart_ctx ecdsa_rs;
+    mbedtls_ecdsa_context ecdsa_ctx;
+} eckey_restart_ctx;
+
+static void *eckey_rs_alloc( void )
+{
+    eckey_restart_ctx *rs_ctx;
+
+    void *ctx = mbedtls_calloc( 1, sizeof( eckey_restart_ctx ) );
+
+    if( ctx != NULL )
+    {
+        rs_ctx = ctx;
+        mbedtls_ecdsa_restart_init( &rs_ctx->ecdsa_rs );
+        mbedtls_ecdsa_init( &rs_ctx->ecdsa_ctx );
+    }
+
+    return( ctx );
+}
+
+static void eckey_rs_free( void *ctx )
+{
+    eckey_restart_ctx *rs_ctx;
+
+    if( ctx == NULL)
+        return;
+
+    rs_ctx = ctx;
+    mbedtls_ecdsa_restart_free( &rs_ctx->ecdsa_rs );
+    mbedtls_ecdsa_free( &rs_ctx->ecdsa_ctx );
+
+    mbedtls_free( ctx );
+}
+
+static int eckey_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len,
+                       void *rs_ctx )
+{
+    int ret;
+    eckey_restart_ctx *rs = rs_ctx;
+
+    /* Should never happen */
+    if( rs == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    /* set up our own sub-context if needed (that is, on first run) */
+    if( rs->ecdsa_ctx.grp.pbits == 0 )
+        MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) );
+
+    MBEDTLS_MPI_CHK( ecdsa_verify_rs_wrap( &rs->ecdsa_ctx,
+                                           md_alg, hash, hash_len,
+                                           sig, sig_len, &rs->ecdsa_rs ) );
+
+cleanup:
+    return( ret );
+}
+
+static int eckey_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                       void *rs_ctx )
+{
+    int ret;
+    eckey_restart_ctx *rs = rs_ctx;
+
+    /* Should never happen */
+    if( rs == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    /* set up our own sub-context if needed (that is, on first run) */
+    if( rs->ecdsa_ctx.grp.pbits == 0 )
+        MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) );
+
+    MBEDTLS_MPI_CHK( ecdsa_sign_rs_wrap( &rs->ecdsa_ctx, md_alg,
+                                         hash, hash_len, sig, sig_len,
+                                         f_rng, p_rng, &rs->ecdsa_rs ) );
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
 #endif /* MBEDTLS_ECDSA_C */
 
 static int eckey_check_pair( const void *pub, const void *prv )
@@ -304,15 +413,23 @@ const mbedtls_pk_info_t mbedtls_eckey_info = {
 #if defined(MBEDTLS_ECDSA_C)
     eckey_verify_wrap,
     eckey_sign_wrap,
-#else
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    eckey_verify_rs_wrap,
+    eckey_sign_rs_wrap,
+#endif
+#else /* MBEDTLS_ECDSA_C */
     NULL,
     NULL,
-#endif
+#endif /* MBEDTLS_ECDSA_C */
     NULL,
     NULL,
     eckey_check_pair,
     eckey_alloc_wrap,
     eckey_free_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    eckey_rs_alloc,
+    eckey_rs_free,
+#endif
     eckey_debug,
 };
 
@@ -332,11 +449,19 @@ const mbedtls_pk_info_t mbedtls_eckeydh_info = {
     eckeydh_can_do,
     NULL,
     NULL,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
     NULL,
     NULL,
     eckey_check_pair,
     eckey_alloc_wrap,       /* Same underlying key structure */
     eckey_free_wrap,        /* Same underlying key structure */
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
     eckey_debug,            /* Same underlying key structure */
 };
 #endif /* MBEDTLS_ECP_C */
@@ -372,6 +497,40 @@ static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
                 md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng ) );
 }
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len,
+                       void *rs_ctx )
+{
+    int ret;
+    ((void) md_alg);
+
+    ret = mbedtls_ecdsa_read_signature_restartable(
+            (mbedtls_ecdsa_context *) ctx,
+            hash, hash_len, sig, sig_len,
+            (mbedtls_ecdsa_restart_ctx *) rs_ctx );
+
+    if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH )
+        return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
+
+    return( ret );
+}
+
+static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                   void *rs_ctx )
+{
+    return( mbedtls_ecdsa_write_signature_restartable(
+                (mbedtls_ecdsa_context *) ctx,
+                md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng,
+                (mbedtls_ecdsa_restart_ctx *) rs_ctx ) );
+
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
 static void *ecdsa_alloc_wrap( void )
 {
     void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_context ) );
@@ -388,6 +547,24 @@ static void ecdsa_free_wrap( void *ctx )
     mbedtls_free( ctx );
 }
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+static void *ecdsa_rs_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_restart_ctx ) );
+
+    if( ctx != NULL )
+        mbedtls_ecdsa_restart_init( ctx );
+
+    return( ctx );
+}
+
+static void ecdsa_rs_free( void *ctx )
+{
+    mbedtls_ecdsa_restart_free( ctx );
+    mbedtls_free( ctx );
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
 const mbedtls_pk_info_t mbedtls_ecdsa_info = {
     MBEDTLS_PK_ECDSA,
     "ECDSA",
@@ -395,11 +572,19 @@ const mbedtls_pk_info_t mbedtls_ecdsa_info = {
     ecdsa_can_do,
     ecdsa_verify_wrap,
     ecdsa_sign_wrap,
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    ecdsa_verify_rs_wrap,
+    ecdsa_sign_rs_wrap,
+#endif
     NULL,
     NULL,
     eckey_check_pair,   /* Compatible key structures */
     ecdsa_alloc_wrap,
     ecdsa_free_wrap,
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    ecdsa_rs_alloc,
+    ecdsa_rs_free,
+#endif
     eckey_debug,        /* Compatible key structures */
 };
 #endif /* MBEDTLS_ECDSA_C */
@@ -498,7 +683,7 @@ static void *rsa_alt_alloc_wrap( void )
 
 static void rsa_alt_free_wrap( void *ctx )
 {
-    mbedtls_zeroize( ctx, sizeof( mbedtls_rsa_alt_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_rsa_alt_context ) );
     mbedtls_free( ctx );
 }
 
@@ -509,6 +694,10 @@ const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
     rsa_alt_can_do,
     NULL,
     rsa_alt_sign_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
     rsa_alt_decrypt_wrap,
     NULL,
 #if defined(MBEDTLS_RSA_C)
@@ -518,6 +707,10 @@ const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
 #endif
     rsa_alt_alloc_wrap,
     rsa_alt_free_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
     NULL,
 };
 
diff --git a/3rdparty/mbedtls/mbedtls/library/pkcs12.c b/3rdparty/mbedtls/mbedtls/library/pkcs12.c
index 5e8b2879a0..7edf064c13 100644
--- a/3rdparty/mbedtls/mbedtls/library/pkcs12.c
+++ b/3rdparty/mbedtls/mbedtls/library/pkcs12.c
@@ -36,6 +36,7 @@
 #include "mbedtls/pkcs12.h"
 #include "mbedtls/asn1.h"
 #include "mbedtls/cipher.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -47,11 +48,6 @@
 #include "mbedtls/des.h"
 #endif
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 #if defined(MBEDTLS_ASN1_PARSE_C)
 
 static int pkcs12_parse_pbe_params( mbedtls_asn1_buf *params,
@@ -168,7 +164,7 @@ int mbedtls_pkcs12_pbe_sha1_rc4_128( mbedtls_asn1_buf *pbe_params, int mode,
         goto exit;
 
 exit:
-    mbedtls_zeroize( key, sizeof( key ) );
+    mbedtls_platform_zeroize( key, sizeof( key ) );
     mbedtls_arc4_free( &ctx );
 
     return( ret );
@@ -225,8 +221,8 @@ int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode,
         ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH;
 
 exit:
-    mbedtls_zeroize( key, sizeof( key ) );
-    mbedtls_zeroize( iv,  sizeof( iv  ) );
+    mbedtls_platform_zeroize( key, sizeof( key ) );
+    mbedtls_platform_zeroize( iv,  sizeof( iv  ) );
     mbedtls_cipher_free( &cipher_ctx );
 
     return( ret );
@@ -356,10 +352,10 @@ int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen,
     ret = 0;
 
 exit:
-    mbedtls_zeroize( salt_block, sizeof( salt_block ) );
-    mbedtls_zeroize( pwd_block, sizeof( pwd_block ) );
-    mbedtls_zeroize( hash_block, sizeof( hash_block ) );
-    mbedtls_zeroize( hash_output, sizeof( hash_output ) );
+    mbedtls_platform_zeroize( salt_block, sizeof( salt_block ) );
+    mbedtls_platform_zeroize( pwd_block, sizeof( pwd_block ) );
+    mbedtls_platform_zeroize( hash_block, sizeof( hash_block ) );
+    mbedtls_platform_zeroize( hash_output, sizeof( hash_output ) );
 
     mbedtls_md_free( &md_ctx );
 
diff --git a/3rdparty/mbedtls/mbedtls/library/pkparse.c b/3rdparty/mbedtls/mbedtls/library/pkparse.c
index ec9b55f8c5..ae210bca6a 100644
--- a/3rdparty/mbedtls/mbedtls/library/pkparse.c
+++ b/3rdparty/mbedtls/mbedtls/library/pkparse.c
@@ -30,6 +30,7 @@
 #include "mbedtls/pk.h"
 #include "mbedtls/asn1.h"
 #include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -60,13 +61,11 @@
 #define mbedtls_free       free
 #endif
 
-#if defined(MBEDTLS_FS_IO) || \
-    defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-#endif
+/* Parameter validation macros based on platform_util.h */
+#define PK_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
+#define PK_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
 
 #if defined(MBEDTLS_FS_IO)
 /*
@@ -81,6 +80,10 @@ int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n )
     FILE *f;
     long size;
 
+    PK_VALIDATE_RET( path != NULL );
+    PK_VALIDATE_RET( buf != NULL );
+    PK_VALIDATE_RET( n != NULL );
+
     if( ( f = fopen( path, "rb" ) ) == NULL )
         return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
 
@@ -105,7 +108,7 @@ int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n )
     {
         fclose( f );
 
-        mbedtls_zeroize( *buf, *n );
+        mbedtls_platform_zeroize( *buf, *n );
         mbedtls_free( *buf );
 
         return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
@@ -131,6 +134,9 @@ int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
     size_t n;
     unsigned char *buf;
 
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( path != NULL );
+
     if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
         return( ret );
 
@@ -140,7 +146,7 @@ int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
         ret = mbedtls_pk_parse_key( ctx, buf, n,
                 (const unsigned char *) pwd, strlen( pwd ) );
 
-    mbedtls_zeroize( buf, n );
+    mbedtls_platform_zeroize( buf, n );
     mbedtls_free( buf );
 
     return( ret );
@@ -155,12 +161,15 @@ int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path )
     size_t n;
     unsigned char *buf;
 
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( path != NULL );
+
     if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
         return( ret );
 
     ret = mbedtls_pk_parse_public_key( ctx, buf, n );
 
-    mbedtls_zeroize( buf, n );
+    mbedtls_platform_zeroize( buf, n );
     mbedtls_free( buf );
 
     return( ret );
@@ -612,6 +621,11 @@ int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
     mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
     const mbedtls_pk_info_t *pk_info;
 
+    PK_VALIDATE_RET( p != NULL );
+    PK_VALIDATE_RET( *p != NULL );
+    PK_VALIDATE_RET( end != NULL );
+    PK_VALIDATE_RET( pk != NULL );
+
     if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
                     MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
     {
@@ -1152,16 +1166,22 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
 {
     int ret;
     const mbedtls_pk_info_t *pk_info;
-
 #if defined(MBEDTLS_PEM_PARSE_C)
     size_t len;
     mbedtls_pem_context pem;
+#endif
 
-    mbedtls_pem_init( &pem );
+    PK_VALIDATE_RET( pk != NULL );
+    if( keylen == 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+    PK_VALIDATE_RET( key != NULL );
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+   mbedtls_pem_init( &pem );
 
 #if defined(MBEDTLS_RSA_C)
     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
-    if( keylen == 0 || key[keylen - 1] != '\0' )
+    if( key[keylen - 1] != '\0' )
         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
     else
         ret = mbedtls_pem_read_buffer( &pem,
@@ -1192,7 +1212,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
 
 #if defined(MBEDTLS_ECP_C)
     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
-    if( keylen == 0 || key[keylen - 1] != '\0' )
+    if( key[keylen - 1] != '\0' )
         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
     else
         ret = mbedtls_pem_read_buffer( &pem,
@@ -1222,7 +1242,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
 #endif /* MBEDTLS_ECP_C */
 
     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
-    if( keylen == 0 || key[keylen - 1] != '\0' )
+    if( key[keylen - 1] != '\0' )
         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
     else
         ret = mbedtls_pem_read_buffer( &pem,
@@ -1245,7 +1265,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
 
 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
-    if( keylen == 0 || key[keylen - 1] != '\0' )
+    if( key[keylen - 1] != '\0' )
         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
     else
         ret = mbedtls_pem_read_buffer( &pem,
@@ -1283,9 +1303,6 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
     {
         unsigned char *key_copy;
 
-        if( keylen == 0 )
-            return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
-
         if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL )
             return( MBEDTLS_ERR_PK_ALLOC_FAILED );
 
@@ -1294,7 +1311,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
         ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen,
                                                 pwd, pwdlen );
 
-        mbedtls_zeroize( key_copy, keylen );
+        mbedtls_platform_zeroize( key_copy, keylen );
         mbedtls_free( key_copy );
     }
 
@@ -1361,14 +1378,55 @@ int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
 {
     int ret;
     unsigned char *p;
+#if defined(MBEDTLS_RSA_C)
+    const mbedtls_pk_info_t *pk_info;
+#endif
 #if defined(MBEDTLS_PEM_PARSE_C)
     size_t len;
     mbedtls_pem_context pem;
+#endif
+
+    PK_VALIDATE_RET( ctx != NULL );
+    if( keylen == 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+    PK_VALIDATE_RET( key != NULL || keylen == 0 );
 
+#if defined(MBEDTLS_PEM_PARSE_C)
     mbedtls_pem_init( &pem );
+#if defined(MBEDTLS_RSA_C)
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN RSA PUBLIC KEY-----",
+                               "-----END RSA PUBLIC KEY-----",
+                               key, NULL, 0, &len );
+
+    if( ret == 0 )
+    {
+        p = pem.buf;
+        if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
+            return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+        if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
+            return( ret );
+
+        if ( ( ret = pk_get_rsapubkey( &p, p + pem.buflen, mbedtls_pk_rsa( *ctx ) ) ) != 0 )
+            mbedtls_pk_free( ctx );
+
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+    {
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+#endif /* MBEDTLS_RSA_C */
 
     /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
-    if( keylen == 0 || key[keylen - 1] != '\0' )
+    if( key[keylen - 1] != '\0' )
         ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
     else
         ret = mbedtls_pem_read_buffer( &pem,
@@ -1381,23 +1439,43 @@ int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
         /*
          * Was PEM encoded
          */
-        key = pem.buf;
-        keylen = pem.buflen;
+        p = pem.buf;
+
+        ret = mbedtls_pk_parse_subpubkey( &p,  p + pem.buflen, ctx );
+        mbedtls_pem_free( &pem );
+        return( ret );
     }
     else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
     {
         mbedtls_pem_free( &pem );
         return( ret );
     }
+    mbedtls_pem_free( &pem );
 #endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_RSA_C)
+    if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
+        return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+    if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
+        return( ret );
+
+    p = (unsigned char *)key;
+    ret = pk_get_rsapubkey( &p, p + keylen, mbedtls_pk_rsa( *ctx ) );
+    if( ret == 0 )
+    {
+        return( ret );
+    }
+    mbedtls_pk_free( ctx );
+    if( ret != ( MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
+    {
+        return( ret );
+    }
+#endif /* MBEDTLS_RSA_C */
     p = (unsigned char *) key;
 
     ret = mbedtls_pk_parse_subpubkey( &p, p + keylen, ctx );
 
-#if defined(MBEDTLS_PEM_PARSE_C)
-    mbedtls_pem_free( &pem );
-#endif
-
     return( ret );
 }
 
diff --git a/3rdparty/mbedtls/mbedtls/library/pkwrite.c b/3rdparty/mbedtls/mbedtls/library/pkwrite.c
index 8eabd889b5..8d1da2f757 100644
--- a/3rdparty/mbedtls/mbedtls/library/pkwrite.c
+++ b/3rdparty/mbedtls/mbedtls/library/pkwrite.c
@@ -30,6 +30,7 @@
 #include "mbedtls/pk.h"
 #include "mbedtls/asn1write.h"
 #include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -54,6 +55,12 @@
 #define mbedtls_free       free
 #endif
 
+/* Parameter validation macros based on platform_util.h */
+#define PK_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
+#define PK_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
 #if defined(MBEDTLS_RSA_C)
 /*
  *  RSAPublicKey ::= SEQUENCE {
@@ -151,6 +158,11 @@ int mbedtls_pk_write_pubkey( unsigned char **p, unsigned char *start,
     int ret;
     size_t len = 0;
 
+    PK_VALIDATE_RET( p != NULL );
+    PK_VALIDATE_RET( *p != NULL );
+    PK_VALIDATE_RET( start != NULL );
+    PK_VALIDATE_RET( key != NULL );
+
 #if defined(MBEDTLS_RSA_C)
     if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_RSA )
         MBEDTLS_ASN1_CHK_ADD( len, pk_write_rsa_pubkey( p, start, mbedtls_pk_rsa( *key ) ) );
@@ -173,6 +185,11 @@ int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *key, unsigned char *buf, si
     size_t len = 0, par_len = 0, oid_len;
     const char *oid;
 
+    PK_VALIDATE_RET( key != NULL );
+    if( size == 0 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+    PK_VALIDATE_RET( buf != NULL );
+
     c = buf + size;
 
     MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, key ) );
@@ -217,9 +234,16 @@ int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *key, unsigned char *buf, si
 int mbedtls_pk_write_key_der( mbedtls_pk_context *key, unsigned char *buf, size_t size )
 {
     int ret;
-    unsigned char *c = buf + size;
+    unsigned char *c;
     size_t len = 0;
 
+    PK_VALIDATE_RET( key != NULL );
+    if( size == 0 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+    PK_VALIDATE_RET( buf != NULL );
+
+    c = buf + size;
+
 #if defined(MBEDTLS_RSA_C)
     if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_RSA )
     {
@@ -457,6 +481,9 @@ int mbedtls_pk_write_pubkey_pem( mbedtls_pk_context *key, unsigned char *buf, si
     unsigned char output_buf[PUB_DER_MAX_BYTES];
     size_t olen = 0;
 
+    PK_VALIDATE_RET( key != NULL );
+    PK_VALIDATE_RET( buf != NULL || size == 0 );
+
     if( ( ret = mbedtls_pk_write_pubkey_der( key, output_buf,
                                      sizeof(output_buf) ) ) < 0 )
     {
@@ -480,6 +507,9 @@ int mbedtls_pk_write_key_pem( mbedtls_pk_context *key, unsigned char *buf, size_
     const char *begin, *end;
     size_t olen = 0;
 
+    PK_VALIDATE_RET( key != NULL );
+    PK_VALIDATE_RET( buf != NULL || size == 0 );
+
     if( ( ret = mbedtls_pk_write_key_der( key, output_buf, sizeof(output_buf) ) ) < 0 )
         return( ret );
 
diff --git a/3rdparty/mbedtls/mbedtls/library/platform.c b/3rdparty/mbedtls/mbedtls/library/platform.c
index aa88fc1a66..73a6db9ebe 100644
--- a/3rdparty/mbedtls/mbedtls/library/platform.c
+++ b/3rdparty/mbedtls/mbedtls/library/platform.c
@@ -28,14 +28,7 @@
 #if defined(MBEDTLS_PLATFORM_C)
 
 #include "mbedtls/platform.h"
-
-#if defined(MBEDTLS_ENTROPY_NV_SEED) && \
-    !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS) && defined(MBEDTLS_FS_IO)
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
-}
-#endif
+#include "mbedtls/platform_util.h"
 
 /* The compile time configuration of memory allocation via the macros
  * MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO takes precedence over the runtime
@@ -65,14 +58,24 @@ static void platform_free_uninit( void *ptr )
 #define MBEDTLS_PLATFORM_STD_FREE     platform_free_uninit
 #endif /* !MBEDTLS_PLATFORM_STD_FREE */
 
-void * (*mbedtls_calloc)( size_t, size_t ) = MBEDTLS_PLATFORM_STD_CALLOC;
-void (*mbedtls_free)( void * )     = MBEDTLS_PLATFORM_STD_FREE;
+static void * (*mbedtls_calloc_func)( size_t, size_t ) = MBEDTLS_PLATFORM_STD_CALLOC;
+static void (*mbedtls_free_func)( void * ) = MBEDTLS_PLATFORM_STD_FREE;
+
+void * mbedtls_calloc( size_t nmemb, size_t size )
+{
+    return (*mbedtls_calloc_func)( nmemb, size );
+}
+
+void mbedtls_free( void * ptr )
+{
+    (*mbedtls_free_func)( ptr );
+}
 
 int mbedtls_platform_set_calloc_free( void * (*calloc_func)( size_t, size_t ),
                               void (*free_func)( void * ) )
 {
-    mbedtls_calloc = calloc_func;
-    mbedtls_free = free_func;
+    mbedtls_calloc_func = calloc_func;
+    mbedtls_free_func = free_func;
     return( 0 );
 }
 #endif /* MBEDTLS_PLATFORM_MEMORY &&
@@ -250,7 +253,7 @@ int mbedtls_platform_std_nv_seed_read( unsigned char *buf, size_t buf_len )
     if( ( n = fread( buf, 1, buf_len, file ) ) != buf_len )
     {
         fclose( file );
-        mbedtls_zeroize( buf, buf_len );
+        mbedtls_platform_zeroize( buf, buf_len );
         return( -1 );
     }
 
diff --git a/3rdparty/mbedtls/mbedtls/library/platform_util.c b/3rdparty/mbedtls/mbedtls/library/platform_util.c
new file mode 100644
index 0000000000..756e22679a
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/library/platform_util.c
@@ -0,0 +1,136 @@
+/*
+ * Common and shared functions used by multiple modules in the Mbed TLS
+ * library.
+ *
+ *  Copyright (C) 2018, Arm Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * Ensure gmtime_r is available even with -std=c99; must be defined before
+ * config.h, which pulls in glibc's features.h. Harmless on other platforms.
+ */
+#if !defined(_POSIX_C_SOURCE)
+#define _POSIX_C_SOURCE 200112L
+#endif
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/platform_util.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/threading.h"
+
+#include <stddef.h>
+#include <string.h>
+
+#if !defined(MBEDTLS_PLATFORM_ZEROIZE_ALT)
+/*
+ * This implementation should never be optimized out by the compiler
+ *
+ * This implementation for mbedtls_platform_zeroize() was inspired from Colin
+ * Percival's blog article at:
+ *
+ * http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html
+ *
+ * It uses a volatile function pointer to the standard memset(). Because the
+ * pointer is volatile the compiler expects it to change at
+ * any time and will not optimize out the call that could potentially perform
+ * other operations on the input buffer instead of just setting it to 0.
+ * Nevertheless, as pointed out by davidtgoldblatt on Hacker News
+ * (refer to http://www.daemonology.net/blog/2014-09-05-erratum.html for
+ * details), optimizations of the following form are still possible:
+ *
+ * if( memset_func != memset )
+ *     memset_func( buf, 0, len );
+ *
+ * Note that it is extremely difficult to guarantee that
+ * mbedtls_platform_zeroize() will not be optimized out by aggressive compilers
+ * in a portable way. For this reason, Mbed TLS also provides the configuration
+ * option MBEDTLS_PLATFORM_ZEROIZE_ALT, which allows users to configure
+ * mbedtls_platform_zeroize() to use a suitable implementation for their
+ * platform and needs.
+ */
+static void * (* const volatile memset_func)( void *, int, size_t ) = memset;
+
+void mbedtls_platform_zeroize( void *buf, size_t len )
+{
+    memset_func( buf, 0, len );
+}
+#endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+#include <time.h>
+#if !defined(_WIN32) && (defined(unix) || \
+    defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
+    defined(__MACH__)))
+#include <unistd.h>
+#endif /* !_WIN32 && (unix || __unix || __unix__ ||
+        * (__APPLE__ && __MACH__)) */
+
+#if !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) ||     \
+       ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) &&                     \
+         _POSIX_THREAD_SAFE_FUNCTIONS >= 20112L ) )
+/*
+ * This is a convenience shorthand macro to avoid checking the long
+ * preprocessor conditions above. Ideally, we could expose this macro in
+ * platform_util.h and simply use it in platform_util.c, threading.c and
+ * threading.h. However, this macro is not part of the Mbed TLS public API, so
+ * we keep it private by only defining it in this file
+ */
+#if ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) )
+#define PLATFORM_UTIL_USE_GMTIME
+#endif /* ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) ) */
+
+#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) ||     \
+             ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) &&                     \
+                _POSIX_THREAD_SAFE_FUNCTIONS >= 20112L ) ) */
+
+struct tm *mbedtls_platform_gmtime_r( const mbedtls_time_t *tt,
+                                      struct tm *tm_buf )
+{
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+    return( ( gmtime_s( tm_buf, tt ) == 0 ) ? tm_buf : NULL );
+#elif !defined(PLATFORM_UTIL_USE_GMTIME)
+    return( gmtime_r( tt, tm_buf ) );
+#else
+    struct tm *lt;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_lock( &mbedtls_threading_gmtime_mutex ) != 0 )
+        return( NULL );
+#endif /* MBEDTLS_THREADING_C */
+
+    lt = gmtime( tt );
+
+    if( lt != NULL )
+    {
+        memcpy( tm_buf, lt, sizeof( struct tm ) );
+    }
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &mbedtls_threading_gmtime_mutex ) != 0 )
+        return( NULL );
+#endif /* MBEDTLS_THREADING_C */
+
+    return( ( lt == NULL ) ? NULL : tm_buf );
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+}
+#endif /* MBEDTLS_HAVE_TIME_DATE && MBEDTLS_PLATFORM_GMTIME_R_ALT */
diff --git a/3rdparty/mbedtls/mbedtls/library/poly1305.c b/3rdparty/mbedtls/mbedtls/library/poly1305.c
new file mode 100644
index 0000000000..2b56c5f7ef
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/library/poly1305.c
@@ -0,0 +1,559 @@
+/**
+ * \file poly1305.c
+ *
+ * \brief Poly1305 authentication algorithm.
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_POLY1305_C)
+
+#include "mbedtls/poly1305.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_POLY1305_ALT)
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Parameter validation macros */
+#define POLY1305_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA )
+#define POLY1305_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define POLY1305_BLOCK_SIZE_BYTES ( 16U )
+
+#define BYTES_TO_U32_LE( data, offset )                           \
+    ( (uint32_t) (data)[offset]                                     \
+          | (uint32_t) ( (uint32_t) (data)[( offset ) + 1] << 8 )   \
+          | (uint32_t) ( (uint32_t) (data)[( offset ) + 2] << 16 )  \
+          | (uint32_t) ( (uint32_t) (data)[( offset ) + 3] << 24 )  \
+    )
+
+/*
+ * Our implementation is tuned for 32-bit platforms with a 64-bit multiplier.
+ * However we provided an alternative for platforms without such a multiplier.
+ */
+#if defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
+static uint64_t mul64( uint32_t a, uint32_t b )
+{
+    /* a = al + 2**16 ah, b = bl + 2**16 bh */
+    const uint16_t al = (uint16_t) a;
+    const uint16_t bl = (uint16_t) b;
+    const uint16_t ah = a >> 16;
+    const uint16_t bh = b >> 16;
+
+    /* ab = al*bl + 2**16 (ah*bl + bl*bh) + 2**32 ah*bh */
+    const uint32_t lo = (uint32_t) al * bl;
+    const uint64_t me = (uint64_t)( (uint32_t) ah * bl ) + (uint32_t) al * bh;
+    const uint32_t hi = (uint32_t) ah * bh;
+
+    return( lo + ( me << 16 ) + ( (uint64_t) hi << 32 ) );
+}
+#else
+static inline uint64_t mul64( uint32_t a, uint32_t b )
+{
+    return( (uint64_t) a * b );
+}
+#endif
+
+
+/**
+ * \brief                   Process blocks with Poly1305.
+ *
+ * \param ctx               The Poly1305 context.
+ * \param nblocks           Number of blocks to process. Note that this
+ *                          function only processes full blocks.
+ * \param input             Buffer containing the input block(s).
+ * \param needs_padding     Set to 0 if the padding bit has already been
+ *                          applied to the input data before calling this
+ *                          function.  Otherwise, set this parameter to 1.
+ */
+static void poly1305_process( mbedtls_poly1305_context *ctx,
+                              size_t nblocks,
+                              const unsigned char *input,
+                              uint32_t needs_padding )
+{
+    uint64_t d0, d1, d2, d3;
+    uint32_t acc0, acc1, acc2, acc3, acc4;
+    uint32_t r0, r1, r2, r3;
+    uint32_t rs1, rs2, rs3;
+    size_t offset  = 0U;
+    size_t i;
+
+    r0 = ctx->r[0];
+    r1 = ctx->r[1];
+    r2 = ctx->r[2];
+    r3 = ctx->r[3];
+
+    rs1 = r1 + ( r1 >> 2U );
+    rs2 = r2 + ( r2 >> 2U );
+    rs3 = r3 + ( r3 >> 2U );
+
+    acc0 = ctx->acc[0];
+    acc1 = ctx->acc[1];
+    acc2 = ctx->acc[2];
+    acc3 = ctx->acc[3];
+    acc4 = ctx->acc[4];
+
+    /* Process full blocks */
+    for( i = 0U; i < nblocks; i++ )
+    {
+        /* The input block is treated as a 128-bit little-endian integer */
+        d0   = BYTES_TO_U32_LE( input, offset + 0  );
+        d1   = BYTES_TO_U32_LE( input, offset + 4  );
+        d2   = BYTES_TO_U32_LE( input, offset + 8  );
+        d3   = BYTES_TO_U32_LE( input, offset + 12 );
+
+        /* Compute: acc += (padded) block as a 130-bit integer */
+        d0  += (uint64_t) acc0;
+        d1  += (uint64_t) acc1 + ( d0 >> 32U );
+        d2  += (uint64_t) acc2 + ( d1 >> 32U );
+        d3  += (uint64_t) acc3 + ( d2 >> 32U );
+        acc0 = (uint32_t) d0;
+        acc1 = (uint32_t) d1;
+        acc2 = (uint32_t) d2;
+        acc3 = (uint32_t) d3;
+        acc4 += (uint32_t) ( d3 >> 32U ) + needs_padding;
+
+        /* Compute: acc *= r */
+        d0 = mul64( acc0, r0  ) +
+             mul64( acc1, rs3 ) +
+             mul64( acc2, rs2 ) +
+             mul64( acc3, rs1 );
+        d1 = mul64( acc0, r1  ) +
+             mul64( acc1, r0  ) +
+             mul64( acc2, rs3 ) +
+             mul64( acc3, rs2 ) +
+             mul64( acc4, rs1 );
+        d2 = mul64( acc0, r2  ) +
+             mul64( acc1, r1  ) +
+             mul64( acc2, r0  ) +
+             mul64( acc3, rs3 ) +
+             mul64( acc4, rs2 );
+        d3 = mul64( acc0, r3  ) +
+             mul64( acc1, r2  ) +
+             mul64( acc2, r1  ) +
+             mul64( acc3, r0  ) +
+             mul64( acc4, rs3 );
+        acc4 *= r0;
+
+        /* Compute: acc %= (2^130 - 5) (partial remainder) */
+        d1 += ( d0 >> 32 );
+        d2 += ( d1 >> 32 );
+        d3 += ( d2 >> 32 );
+        acc0 = (uint32_t) d0;
+        acc1 = (uint32_t) d1;
+        acc2 = (uint32_t) d2;
+        acc3 = (uint32_t) d3;
+        acc4 = (uint32_t) ( d3 >> 32 ) + acc4;
+
+        d0 = (uint64_t) acc0 + ( acc4 >> 2 ) + ( acc4 & 0xFFFFFFFCU );
+        acc4 &= 3U;
+        acc0 = (uint32_t) d0;
+        d0 = (uint64_t) acc1 + ( d0 >> 32U );
+        acc1 = (uint32_t) d0;
+        d0 = (uint64_t) acc2 + ( d0 >> 32U );
+        acc2 = (uint32_t) d0;
+        d0 = (uint64_t) acc3 + ( d0 >> 32U );
+        acc3 = (uint32_t) d0;
+        d0 = (uint64_t) acc4 + ( d0 >> 32U );
+        acc4 = (uint32_t) d0;
+
+        offset    += POLY1305_BLOCK_SIZE_BYTES;
+    }
+
+    ctx->acc[0] = acc0;
+    ctx->acc[1] = acc1;
+    ctx->acc[2] = acc2;
+    ctx->acc[3] = acc3;
+    ctx->acc[4] = acc4;
+}
+
+/**
+ * \brief                   Compute the Poly1305 MAC
+ *
+ * \param ctx               The Poly1305 context.
+ * \param mac               The buffer to where the MAC is written. Must be
+ *                          big enough to contain the 16-byte MAC.
+ */
+static void poly1305_compute_mac( const mbedtls_poly1305_context *ctx,
+                                  unsigned char mac[16] )
+{
+    uint64_t d;
+    uint32_t g0, g1, g2, g3, g4;
+    uint32_t acc0, acc1, acc2, acc3, acc4;
+    uint32_t mask;
+    uint32_t mask_inv;
+
+    acc0 = ctx->acc[0];
+    acc1 = ctx->acc[1];
+    acc2 = ctx->acc[2];
+    acc3 = ctx->acc[3];
+    acc4 = ctx->acc[4];
+
+    /* Before adding 's' we ensure that the accumulator is mod 2^130 - 5.
+     * We do this by calculating acc - (2^130 - 5), then checking if
+     * the 131st bit is set. If it is, then reduce: acc -= (2^130 - 5)
+     */
+
+    /* Calculate acc + -(2^130 - 5) */
+    d  = ( (uint64_t) acc0 + 5U );
+    g0 = (uint32_t) d;
+    d  = ( (uint64_t) acc1 + ( d >> 32 ) );
+    g1 = (uint32_t) d;
+    d  = ( (uint64_t) acc2 + ( d >> 32 ) );
+    g2 = (uint32_t) d;
+    d  = ( (uint64_t) acc3 + ( d >> 32 ) );
+    g3 = (uint32_t) d;
+    g4 = acc4 + (uint32_t) ( d >> 32U );
+
+    /* mask == 0xFFFFFFFF if 131st bit is set, otherwise mask == 0 */
+    mask = (uint32_t) 0U - ( g4 >> 2U );
+    mask_inv = ~mask;
+
+    /* If 131st bit is set then acc=g, otherwise, acc is unmodified */
+    acc0 = ( acc0 & mask_inv ) | ( g0 & mask );
+    acc1 = ( acc1 & mask_inv ) | ( g1 & mask );
+    acc2 = ( acc2 & mask_inv ) | ( g2 & mask );
+    acc3 = ( acc3 & mask_inv ) | ( g3 & mask );
+
+    /* Add 's' */
+    d = (uint64_t) acc0 + ctx->s[0];
+    acc0 = (uint32_t) d;
+    d = (uint64_t) acc1 + ctx->s[1] + ( d >> 32U );
+    acc1 = (uint32_t) d;
+    d = (uint64_t) acc2 + ctx->s[2] + ( d >> 32U );
+    acc2 = (uint32_t) d;
+    acc3 += ctx->s[3] + (uint32_t) ( d >> 32U );
+
+    /* Compute MAC (128 least significant bits of the accumulator) */
+    mac[ 0] = (unsigned char)( acc0       );
+    mac[ 1] = (unsigned char)( acc0 >>  8 );
+    mac[ 2] = (unsigned char)( acc0 >> 16 );
+    mac[ 3] = (unsigned char)( acc0 >> 24 );
+    mac[ 4] = (unsigned char)( acc1       );
+    mac[ 5] = (unsigned char)( acc1 >>  8 );
+    mac[ 6] = (unsigned char)( acc1 >> 16 );
+    mac[ 7] = (unsigned char)( acc1 >> 24 );
+    mac[ 8] = (unsigned char)( acc2       );
+    mac[ 9] = (unsigned char)( acc2 >>  8 );
+    mac[10] = (unsigned char)( acc2 >> 16 );
+    mac[11] = (unsigned char)( acc2 >> 24 );
+    mac[12] = (unsigned char)( acc3       );
+    mac[13] = (unsigned char)( acc3 >>  8 );
+    mac[14] = (unsigned char)( acc3 >> 16 );
+    mac[15] = (unsigned char)( acc3 >> 24 );
+}
+
+void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx )
+{
+    POLY1305_VALIDATE( ctx != NULL );
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) );
+}
+
+void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) );
+}
+
+int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx,
+                             const unsigned char key[32] )
+{
+    POLY1305_VALIDATE_RET( ctx != NULL );
+    POLY1305_VALIDATE_RET( key != NULL );
+
+    /* r &= 0x0ffffffc0ffffffc0ffffffc0fffffff */
+    ctx->r[0] = BYTES_TO_U32_LE( key, 0 )  & 0x0FFFFFFFU;
+    ctx->r[1] = BYTES_TO_U32_LE( key, 4 )  & 0x0FFFFFFCU;
+    ctx->r[2] = BYTES_TO_U32_LE( key, 8 )  & 0x0FFFFFFCU;
+    ctx->r[3] = BYTES_TO_U32_LE( key, 12 ) & 0x0FFFFFFCU;
+
+    ctx->s[0] = BYTES_TO_U32_LE( key, 16 );
+    ctx->s[1] = BYTES_TO_U32_LE( key, 20 );
+    ctx->s[2] = BYTES_TO_U32_LE( key, 24 );
+    ctx->s[3] = BYTES_TO_U32_LE( key, 28 );
+
+    /* Initial accumulator state */
+    ctx->acc[0] = 0U;
+    ctx->acc[1] = 0U;
+    ctx->acc[2] = 0U;
+    ctx->acc[3] = 0U;
+    ctx->acc[4] = 0U;
+
+    /* Queue initially empty */
+    mbedtls_platform_zeroize( ctx->queue, sizeof( ctx->queue ) );
+    ctx->queue_len = 0U;
+
+    return( 0 );
+}
+
+int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
+                             const unsigned char *input,
+                             size_t ilen )
+{
+    size_t offset    = 0U;
+    size_t remaining = ilen;
+    size_t queue_free_len;
+    size_t nblocks;
+    POLY1305_VALIDATE_RET( ctx != NULL );
+    POLY1305_VALIDATE_RET( ilen == 0 || input != NULL );
+
+    if( ( remaining > 0U ) && ( ctx->queue_len > 0U ) )
+    {
+        queue_free_len = ( POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len );
+
+        if( ilen < queue_free_len )
+        {
+            /* Not enough data to complete the block.
+             * Store this data with the other leftovers.
+             */
+            memcpy( &ctx->queue[ctx->queue_len],
+                    input,
+                    ilen );
+
+            ctx->queue_len += ilen;
+
+            remaining = 0U;
+        }
+        else
+        {
+            /* Enough data to produce a complete block */
+            memcpy( &ctx->queue[ctx->queue_len],
+                    input,
+                    queue_free_len );
+
+            ctx->queue_len = 0U;
+
+            poly1305_process( ctx, 1U, ctx->queue, 1U ); /* add padding bit */
+
+            offset    += queue_free_len;
+            remaining -= queue_free_len;
+        }
+    }
+
+    if( remaining >= POLY1305_BLOCK_SIZE_BYTES )
+    {
+        nblocks = remaining / POLY1305_BLOCK_SIZE_BYTES;
+
+        poly1305_process( ctx, nblocks, &input[offset], 1U );
+
+        offset += nblocks * POLY1305_BLOCK_SIZE_BYTES;
+        remaining %= POLY1305_BLOCK_SIZE_BYTES;
+    }
+
+    if( remaining > 0U )
+    {
+        /* Store partial block */
+        ctx->queue_len = remaining;
+        memcpy( ctx->queue, &input[offset], remaining );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx,
+                             unsigned char mac[16] )
+{
+    POLY1305_VALIDATE_RET( ctx != NULL );
+    POLY1305_VALIDATE_RET( mac != NULL );
+
+    /* Process any leftover data */
+    if( ctx->queue_len > 0U )
+    {
+        /* Add padding bit */
+        ctx->queue[ctx->queue_len] = 1U;
+        ctx->queue_len++;
+
+        /* Pad with zeroes */
+        memset( &ctx->queue[ctx->queue_len],
+                0,
+                POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len );
+
+        poly1305_process( ctx, 1U,          /* Process 1 block */
+                          ctx->queue, 0U ); /* Already padded above */
+    }
+
+    poly1305_compute_mac( ctx, mac );
+
+    return( 0 );
+}
+
+int mbedtls_poly1305_mac( const unsigned char key[32],
+                          const unsigned char *input,
+                          size_t ilen,
+                          unsigned char mac[16] )
+{
+    mbedtls_poly1305_context ctx;
+    int ret;
+    POLY1305_VALIDATE_RET( key != NULL );
+    POLY1305_VALIDATE_RET( mac != NULL );
+    POLY1305_VALIDATE_RET( ilen == 0 || input != NULL );
+
+    mbedtls_poly1305_init( &ctx );
+
+    ret = mbedtls_poly1305_starts( &ctx, key );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_poly1305_update( &ctx, input, ilen );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_poly1305_finish( &ctx, mac );
+
+cleanup:
+    mbedtls_poly1305_free( &ctx );
+    return( ret );
+}
+
+#endif /* MBEDTLS_POLY1305_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_keys[2][32] =
+{
+    {
+        0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33,
+        0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8,
+        0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd,
+        0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b
+    },
+    {
+        0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
+        0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
+        0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
+        0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
+    }
+};
+
+static const unsigned char test_data[2][127] =
+{
+    {
+        0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72,
+        0x61, 0x70, 0x68, 0x69, 0x63, 0x20, 0x46, 0x6f,
+        0x72, 0x75, 0x6d, 0x20, 0x52, 0x65, 0x73, 0x65,
+        0x61, 0x72, 0x63, 0x68, 0x20, 0x47, 0x72, 0x6f,
+        0x75, 0x70
+    },
+    {
+        0x27, 0x54, 0x77, 0x61, 0x73, 0x20, 0x62, 0x72,
+        0x69, 0x6c, 0x6c, 0x69, 0x67, 0x2c, 0x20, 0x61,
+        0x6e, 0x64, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
+        0x6c, 0x69, 0x74, 0x68, 0x79, 0x20, 0x74, 0x6f,
+        0x76, 0x65, 0x73, 0x0a, 0x44, 0x69, 0x64, 0x20,
+        0x67, 0x79, 0x72, 0x65, 0x20, 0x61, 0x6e, 0x64,
+        0x20, 0x67, 0x69, 0x6d, 0x62, 0x6c, 0x65, 0x20,
+        0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x77,
+        0x61, 0x62, 0x65, 0x3a, 0x0a, 0x41, 0x6c, 0x6c,
+        0x20, 0x6d, 0x69, 0x6d, 0x73, 0x79, 0x20, 0x77,
+        0x65, 0x72, 0x65, 0x20, 0x74, 0x68, 0x65, 0x20,
+        0x62, 0x6f, 0x72, 0x6f, 0x67, 0x6f, 0x76, 0x65,
+        0x73, 0x2c, 0x0a, 0x41, 0x6e, 0x64, 0x20, 0x74,
+        0x68, 0x65, 0x20, 0x6d, 0x6f, 0x6d, 0x65, 0x20,
+        0x72, 0x61, 0x74, 0x68, 0x73, 0x20, 0x6f, 0x75,
+        0x74, 0x67, 0x72, 0x61, 0x62, 0x65, 0x2e
+    }
+};
+
+static const size_t test_data_len[2] =
+{
+    34U,
+    127U
+};
+
+static const unsigned char test_mac[2][16] =
+{
+    {
+        0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6,
+        0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9
+    },
+    {
+        0x45, 0x41, 0x66, 0x9a, 0x7e, 0xaa, 0xee, 0x61,
+        0xe7, 0x08, 0xdc, 0x7c, 0xbc, 0xc5, 0xeb, 0x62
+    }
+};
+
+#define ASSERT( cond, args )            \
+    do                                  \
+    {                                   \
+        if( ! ( cond ) )                \
+        {                               \
+            if( verbose != 0 )          \
+                mbedtls_printf args;    \
+                                        \
+            return( -1 );               \
+        }                               \
+    }                                   \
+    while( 0 )
+
+int mbedtls_poly1305_self_test( int verbose )
+{
+    unsigned char mac[16];
+    unsigned i;
+    int ret;
+
+    for( i = 0U; i < 2U; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  Poly1305 test %u ", i );
+
+        ret = mbedtls_poly1305_mac( test_keys[i],
+                                    test_data[i],
+                                    test_data_len[i],
+                                    mac );
+        ASSERT( 0 == ret, ( "error code: %i\n", ret ) );
+
+        ASSERT( 0 == memcmp( mac, test_mac[i], 16U ), ( "failed (mac)\n" ) );
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_POLY1305_C */
diff --git a/3rdparty/mbedtls/mbedtls/library/ripemd160.c b/3rdparty/mbedtls/mbedtls/library/ripemd160.c
index 2ba48b7fdb..0791ae4cc9 100644
--- a/3rdparty/mbedtls/mbedtls/library/ripemd160.c
+++ b/3rdparty/mbedtls/mbedtls/library/ripemd160.c
@@ -34,6 +34,7 @@
 #if defined(MBEDTLS_RIPEMD160_C)
 
 #include "mbedtls/ripemd160.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -71,11 +72,6 @@
 }
 #endif
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 void mbedtls_ripemd160_init( mbedtls_ripemd160_context *ctx )
 {
     memset( ctx, 0, sizeof( mbedtls_ripemd160_context ) );
@@ -86,7 +82,7 @@ void mbedtls_ripemd160_free( mbedtls_ripemd160_context *ctx )
     if( ctx == NULL )
         return;
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_ripemd160_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ripemd160_context ) );
 }
 
 void mbedtls_ripemd160_clone( mbedtls_ripemd160_context *dst,
@@ -151,22 +147,29 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
     D = Dp = ctx->state[3];
     E = Ep = ctx->state[4];
 
-#define F1( x, y, z )   ( x ^ y ^ z )
-#define F2( x, y, z )   ( ( x & y ) | ( ~x & z ) )
-#define F3( x, y, z )   ( ( x | ~y ) ^ z )
-#define F4( x, y, z )   ( ( x & z ) | ( y & ~z ) )
-#define F5( x, y, z )   ( x ^ ( y | ~z ) )
-
-#define S( x, n ) ( ( x << n ) | ( x >> (32 - n) ) )
-
-#define P( a, b, c, d, e, r, s, f, k )      \
-    a += f( b, c, d ) + X[r] + k;           \
-    a = S( a, s ) + e;                      \
-    c = S( c, 10 );
-
-#define P2( a, b, c, d, e, r, s, rp, sp )   \
-    P( a, b, c, d, e, r, s, F, K );         \
-    P( a ## p, b ## p, c ## p, d ## p, e ## p, rp, sp, Fp, Kp );
+#define F1( x, y, z )   ( (x) ^ (y) ^ (z) )
+#define F2( x, y, z )   ( ( (x) & (y) ) | ( ~(x) & (z) ) )
+#define F3( x, y, z )   ( ( (x) | ~(y) ) ^ (z) )
+#define F4( x, y, z )   ( ( (x) & (z) ) | ( (y) & ~(z) ) )
+#define F5( x, y, z )   ( (x) ^ ( (y) | ~(z) ) )
+
+#define S( x, n ) ( ( (x) << (n) ) | ( (x) >> (32 - (n)) ) )
+
+#define P( a, b, c, d, e, r, s, f, k )                \
+    do                                                \
+    {                                                 \
+        (a) += f( (b), (c), (d) ) + X[r] + (k);       \
+        (a) = S( (a), (s) ) + (e);                    \
+        (c) = S( (c), 10 );                           \
+    } while( 0 )
+
+#define P2( a, b, c, d, e, r, s, rp, sp )                               \
+    do                                                                  \
+    {                                                                   \
+        P( (a), (b), (c), (d), (e), (r), (s), F, K );                   \
+        P( a ## p, b ## p, c ## p, d ## p, e ## p,                      \
+           (rp), (sp), Fp, Kp );                                        \
+    } while( 0 )
 
 #define F   F1
 #define K   0x00000000
diff --git a/3rdparty/mbedtls/mbedtls/library/rsa.c b/3rdparty/mbedtls/mbedtls/library/rsa.c
index 4b3cc0213d..af1a878599 100644
--- a/3rdparty/mbedtls/mbedtls/library/rsa.c
+++ b/3rdparty/mbedtls/mbedtls/library/rsa.c
@@ -48,6 +48,7 @@
 #include "mbedtls/rsa.h"
 #include "mbedtls/rsa_internal.h"
 #include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -70,10 +71,11 @@
 
 #if !defined(MBEDTLS_RSA_ALT)
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
-}
+/* Parameter validation macros */
+#define RSA_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
+#define RSA_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
 
 #if defined(MBEDTLS_PKCS1_V15)
 /* constant-time buffer comparison */
@@ -97,6 +99,7 @@ int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
                         const mbedtls_mpi *D, const mbedtls_mpi *E )
 {
     int ret;
+    RSA_VALIDATE_RET( ctx != NULL );
 
     if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) ||
         ( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) ||
@@ -121,6 +124,7 @@ int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
                             unsigned char const *E, size_t E_len )
 {
     int ret = 0;
+    RSA_VALIDATE_RET( ctx != NULL );
 
     if( N != NULL )
     {
@@ -244,12 +248,16 @@ static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
 int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
 {
     int ret = 0;
+    int have_N, have_P, have_Q, have_D, have_E;
+    int n_missing, pq_missing, d_missing, is_pub, is_priv;
+
+    RSA_VALIDATE_RET( ctx != NULL );
 
-    const int have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );
-    const int have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );
-    const int have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
-    const int have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
-    const int have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
+    have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );
+    have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );
+    have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
+    have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
+    have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
 
     /*
      * Check whether provided parameters are enough
@@ -261,13 +269,13 @@ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
      *
      */
 
-    const int n_missing  =              have_P &&  have_Q &&  have_D && have_E;
-    const int pq_missing =   have_N && !have_P && !have_Q &&  have_D && have_E;
-    const int d_missing  =              have_P &&  have_Q && !have_D && have_E;
-    const int is_pub     =   have_N && !have_P && !have_Q && !have_D && have_E;
+    n_missing  =              have_P &&  have_Q &&  have_D && have_E;
+    pq_missing =   have_N && !have_P && !have_Q &&  have_D && have_E;
+    d_missing  =              have_P &&  have_Q && !have_D && have_E;
+    is_pub     =   have_N && !have_P && !have_Q && !have_D && have_E;
 
     /* These three alternatives are mutually exclusive */
-    const int is_priv = n_missing || pq_missing || d_missing;
+    is_priv = n_missing || pq_missing || d_missing;
 
     if( !is_priv && !is_pub )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
@@ -340,9 +348,11 @@ int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
                             unsigned char *E, size_t E_len )
 {
     int ret = 0;
+    int is_priv;
+    RSA_VALIDATE_RET( ctx != NULL );
 
     /* Check if key is private or public */
-    const int is_priv =
+    is_priv =
         mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
         mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
         mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
@@ -383,9 +393,11 @@ int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
                         mbedtls_mpi *D, mbedtls_mpi *E )
 {
     int ret;
+    int is_priv;
+    RSA_VALIDATE_RET( ctx != NULL );
 
     /* Check if key is private or public */
-    int is_priv =
+    is_priv =
         mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
         mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
         mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
@@ -425,9 +437,11 @@ int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
                             mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )
 {
     int ret;
+    int is_priv;
+    RSA_VALIDATE_RET( ctx != NULL );
 
     /* Check if key is private or public */
-    int is_priv =
+    is_priv =
         mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
         mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
         mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
@@ -463,6 +477,10 @@ void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
                int padding,
                int hash_id )
 {
+    RSA_VALIDATE( ctx != NULL );
+    RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 ||
+                  padding == MBEDTLS_RSA_PKCS_V21 );
+
     memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
 
     mbedtls_rsa_set_padding( ctx, padding, hash_id );
@@ -475,8 +493,13 @@ void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
 /*
  * Set padding for an existing RSA context
  */
-void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id )
+void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
+                              int hash_id )
 {
+    RSA_VALIDATE( ctx != NULL );
+    RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 ||
+                  padding == MBEDTLS_RSA_PKCS_V21 );
+
     ctx->padding = padding;
     ctx->hash_id = hash_id;
 }
@@ -495,6 +518,9 @@ size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )
 
 /*
  * Generate an RSA keypair
+ *
+ * This generation method follows the RSA key pair generation procedure of
+ * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
  */
 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
                  int (*f_rng)(void *, unsigned char *, size_t),
@@ -502,65 +528,87 @@ int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
                  unsigned int nbits, int exponent )
 {
     int ret;
-    mbedtls_mpi H, G;
+    mbedtls_mpi H, G, L;
+    int prime_quality = 0;
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( f_rng != NULL );
 
-    if( f_rng == NULL || nbits < 128 || exponent < 3 )
+    if( nbits < 128 || exponent < 3 || nbits % 2 != 0 )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 
-    if( nbits % 2 )
-        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    /*
+     * If the modulus is 1024 bit long or shorter, then the security strength of
+     * the RSA algorithm is less than or equal to 80 bits and therefore an error
+     * rate of 2^-80 is sufficient.
+     */
+    if( nbits > 1024 )
+        prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
 
     mbedtls_mpi_init( &H );
     mbedtls_mpi_init( &G );
+    mbedtls_mpi_init( &L );
 
     /*
      * find primes P and Q with Q < P so that:
-     * GCD( E, (P-1)*(Q-1) ) == 1
+     * 1.  |P-Q| > 2^( nbits / 2 - 100 )
+     * 2.  GCD( E, (P-1)*(Q-1) ) == 1
+     * 3.  E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
      */
     MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
 
     do
     {
-        MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1, 0,
-                                                f_rng, p_rng ) );
-
-        MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
-                                                f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1,
+                                                prime_quality, f_rng, p_rng ) );
 
-        if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
-            continue;
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1,
+                                                prime_quality, f_rng, p_rng ) );
 
-        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
-        if( mbedtls_mpi_bitlen( &ctx->N ) != nbits )
+        /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H, &ctx->P, &ctx->Q ) );
+        if( mbedtls_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) )
             continue;
 
-        if( mbedtls_mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
+        /* not required by any standards, but some users rely on the fact that P > Q */
+        if( H.s < 0 )
             mbedtls_mpi_swap( &ctx->P, &ctx->Q );
 
         /* Temporarily replace P,Q by P-1, Q-1 */
         MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );
+
+        /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
         MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H  ) );
+        if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
+            continue;
+
+        /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->P, &ctx->Q ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L, NULL, &H, &G ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &L ) );
+
+        if( mbedtls_mpi_bitlen( &ctx->D ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a))
+            continue;
+
+        break;
     }
-    while( mbedtls_mpi_cmp_int( &G, 1 ) != 0 );
+    while( 1 );
 
     /* Restore P,Q */
     MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P,  &ctx->P, 1 ) );
     MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q,  &ctx->Q, 1 ) );
 
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
+
     ctx->len = mbedtls_mpi_size( &ctx->N );
 
+#if !defined(MBEDTLS_RSA_NO_CRT)
     /*
-     * D  = E^-1 mod ((P-1)*(Q-1))
      * DP = D mod (P - 1)
      * DQ = D mod (Q - 1)
      * QP = Q^-1 mod P
      */
-
-    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &H  ) );
-
-#if !defined(MBEDTLS_RSA_NO_CRT)
     MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
                                              &ctx->DP, &ctx->DQ, &ctx->QP ) );
 #endif /* MBEDTLS_RSA_NO_CRT */
@@ -572,6 +620,7 @@ int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
 
     mbedtls_mpi_free( &H );
     mbedtls_mpi_free( &G );
+    mbedtls_mpi_free( &L );
 
     if( ret != 0 )
     {
@@ -589,6 +638,8 @@ int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
  */
 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
 {
+    RSA_VALIDATE_RET( ctx != NULL );
+
     if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )
         return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
 
@@ -612,6 +663,8 @@ int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
  */
 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
 {
+    RSA_VALIDATE_RET( ctx != NULL );
+
     if( mbedtls_rsa_check_pubkey( ctx ) != 0 ||
         rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 )
     {
@@ -641,6 +694,9 @@ int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
                                 const mbedtls_rsa_context *prv )
 {
+    RSA_VALIDATE_RET( pub != NULL );
+    RSA_VALIDATE_RET( prv != NULL );
+
     if( mbedtls_rsa_check_pubkey( pub )  != 0 ||
         mbedtls_rsa_check_privkey( prv ) != 0 )
     {
@@ -666,6 +722,9 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
     int ret;
     size_t olen;
     mbedtls_mpi T;
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+    RSA_VALIDATE_RET( output != NULL );
 
     if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
@@ -808,6 +867,10 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
      * checked result; should be the same in the end. */
     mbedtls_mpi I, C;
 
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( input  != NULL );
+    RSA_VALIDATE_RET( output != NULL );
+
     if( rsa_check_context( ctx, 1             /* private key checks */,
                                 f_rng != NULL /* blinding y/n       */ ) != 0 )
     {
@@ -1042,7 +1105,7 @@ static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
     }
 
 exit:
-    mbedtls_zeroize( mask, sizeof( mask ) );
+    mbedtls_platform_zeroize( mask, sizeof( mask ) );
 
     return( ret );
 }
@@ -1068,6 +1131,13 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
     const mbedtls_md_info_t *md_info;
     mbedtls_md_context_t md_ctx;
 
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+    RSA_VALIDATE_RET( label_len == 0 || label != NULL );
+
     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 
@@ -1144,11 +1214,13 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
     int ret;
     unsigned char *p = output;
 
-    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
-        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output != NULL );
+    RSA_VALIDATE_RET( input != NULL );
 
-    // We don't check p_rng because it won't be dereferenced here
-    if( f_rng == NULL || input == NULL || output == NULL )
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 
     olen = ctx->len;
@@ -1162,6 +1234,9 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
     *p++ = 0;
     if( mode == MBEDTLS_RSA_PUBLIC )
     {
+        if( f_rng == NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
         *p++ = MBEDTLS_RSA_CRYPT;
 
         while( nb_pad-- > 0 )
@@ -1206,6 +1281,12 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
                        const unsigned char *input,
                        unsigned char *output )
 {
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+
     switch( ctx->padding )
     {
 #if defined(MBEDTLS_PKCS1_V15)
@@ -1248,6 +1329,14 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
     const mbedtls_md_info_t *md_info;
     mbedtls_md_context_t md_ctx;
 
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
+    RSA_VALIDATE_RET( label_len == 0 || label != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+    RSA_VALIDATE_RET( olen != NULL );
+
     /*
      * Parameters sanity checks
      */
@@ -1356,8 +1445,8 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
     ret = 0;
 
 cleanup:
-    mbedtls_zeroize( buf, sizeof( buf ) );
-    mbedtls_zeroize( lhash, sizeof( lhash ) );
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+    mbedtls_platform_zeroize( lhash, sizeof( lhash ) );
 
     return( ret );
 }
@@ -1467,11 +1556,7 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
                                  size_t output_max_len )
 {
     int ret;
-    size_t ilen = ctx->len;
-    size_t i;
-    size_t plaintext_max_size = ( output_max_len > ilen - 11 ?
-                                  ilen - 11 :
-                                  output_max_len );
+    size_t ilen, i, plaintext_max_size;
     unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
     /* The following variables take sensitive values: their value must
      * not leak into the observable behavior of the function other than
@@ -1489,6 +1574,18 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
     size_t plaintext_size = 0;
     unsigned output_too_large;
 
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+    RSA_VALIDATE_RET( olen != NULL );
+
+    ilen = ctx->len;
+    plaintext_max_size = ( output_max_len > ilen - 11 ?
+                           ilen - 11 :
+                           output_max_len );
+
     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 
@@ -1607,7 +1704,7 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
     *olen = plaintext_size;
 
 cleanup:
-    mbedtls_zeroize( buf, sizeof( buf ) );
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
 
     return( ret );
 }
@@ -1624,6 +1721,13 @@ int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
                        unsigned char *output,
                        size_t output_max_len)
 {
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+    RSA_VALIDATE_RET( olen != NULL );
+
     switch( ctx->padding )
     {
 #if defined(MBEDTLS_PKCS1_V15)
@@ -1660,11 +1764,18 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
     size_t olen;
     unsigned char *p = sig;
     unsigned char salt[MBEDTLS_MD_MAX_SIZE];
-    unsigned int slen, hlen, offset = 0;
+    size_t slen, min_slen, hlen, offset = 0;
     int ret;
     size_t msb;
     const mbedtls_md_info_t *md_info;
     mbedtls_md_context_t md_ctx;
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+    RSA_VALIDATE_RET( sig != NULL );
 
     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
@@ -1689,10 +1800,20 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 
     hlen = mbedtls_md_get_size( md_info );
-    slen = hlen;
 
-    if( olen < hlen + slen + 2 )
+    /* Calculate the largest possible salt length. Normally this is the hash
+     * length, which is the maximum length the salt can have. If there is not
+     * enough room, use the maximum salt length that fits. The constraint is
+     * that the hash length plus the salt length plus 2 bytes must be at most
+     * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
+     * (PKCS#1 v2.2) §9.1.1 step 3. */
+    min_slen = hlen - 2;
+    if( olen < hlen + min_slen + 2 )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    else if( olen >= hlen + hlen + 2 )
+        slen = hlen;
+    else
+        slen = olen - hlen - 2;
 
     memset( sig, 0, olen );
 
@@ -1702,7 +1823,7 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
 
     /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
     msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
-    p += olen - hlen * 2 - 2;
+    p += olen - hlen - slen - 2;
     *p++ = 0x01;
     memcpy( p, salt, slen );
     p += slen;
@@ -1738,7 +1859,7 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
     p += hlen;
     *p++ = 0xBC;
 
-    mbedtls_zeroize( salt, sizeof( salt ) );
+    mbedtls_platform_zeroize( salt, sizeof( salt ) );
 
 exit:
     mbedtls_md_free( &md_ctx );
@@ -1880,7 +2001,7 @@ static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
      * after the initial bounds check. */
     if( p != dst + dst_len )
     {
-        mbedtls_zeroize( dst, dst_len );
+        mbedtls_platform_zeroize( dst, dst_len );
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
     }
 
@@ -1902,6 +2023,14 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
     int ret;
     unsigned char *sig_try = NULL, *verif = NULL;
 
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+    RSA_VALIDATE_RET( sig != NULL );
+
     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 
@@ -1971,6 +2100,14 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
                     const unsigned char *hash,
                     unsigned char *sig )
 {
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+    RSA_VALIDATE_RET( sig != NULL );
+
     switch( ctx->padding )
     {
 #if defined(MBEDTLS_PKCS1_V15)
@@ -2017,6 +2154,14 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
     mbedtls_md_context_t md_ctx;
     unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
 
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( sig != NULL );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+
     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 
@@ -2145,7 +2290,16 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
                            const unsigned char *hash,
                            const unsigned char *sig )
 {
-    mbedtls_md_type_t mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
+    mbedtls_md_type_t mgf1_hash_id;
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( sig != NULL );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+
+    mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
                              ? (mbedtls_md_type_t) ctx->hash_id
                              : md_alg;
 
@@ -2171,9 +2325,19 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
                                  const unsigned char *sig )
 {
     int ret = 0;
-    const size_t sig_len = ctx->len;
+    size_t sig_len;
     unsigned char *encoded = NULL, *encoded_expected = NULL;
 
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( sig != NULL );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+
+    sig_len = ctx->len;
+
     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
         return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
 
@@ -2217,13 +2381,13 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
 
     if( encoded != NULL )
     {
-        mbedtls_zeroize( encoded, sig_len );
+        mbedtls_platform_zeroize( encoded, sig_len );
         mbedtls_free( encoded );
     }
 
     if( encoded_expected != NULL )
     {
-        mbedtls_zeroize( encoded_expected, sig_len );
+        mbedtls_platform_zeroize( encoded_expected, sig_len );
         mbedtls_free( encoded_expected );
     }
 
@@ -2243,6 +2407,14 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
                       const unsigned char *hash,
                       const unsigned char *sig )
 {
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( sig != NULL );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+
     switch( ctx->padding )
     {
 #if defined(MBEDTLS_PKCS1_V15)
@@ -2268,6 +2440,8 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
 {
     int ret;
+    RSA_VALIDATE_RET( dst != NULL );
+    RSA_VALIDATE_RET( src != NULL );
 
     dst->ver = src->ver;
     dst->len = src->len;
@@ -2307,14 +2481,23 @@ int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
  */
 void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
 {
-    mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->Vf );
-    mbedtls_mpi_free( &ctx->RN ); mbedtls_mpi_free( &ctx->D  );
-    mbedtls_mpi_free( &ctx->Q  ); mbedtls_mpi_free( &ctx->P  );
-    mbedtls_mpi_free( &ctx->E  ); mbedtls_mpi_free( &ctx->N  );
+    if( ctx == NULL )
+        return;
+
+    mbedtls_mpi_free( &ctx->Vi );
+    mbedtls_mpi_free( &ctx->Vf );
+    mbedtls_mpi_free( &ctx->RN );
+    mbedtls_mpi_free( &ctx->D  );
+    mbedtls_mpi_free( &ctx->Q  );
+    mbedtls_mpi_free( &ctx->P  );
+    mbedtls_mpi_free( &ctx->E  );
+    mbedtls_mpi_free( &ctx->N  );
 
 #if !defined(MBEDTLS_RSA_NO_CRT)
-    mbedtls_mpi_free( &ctx->RQ ); mbedtls_mpi_free( &ctx->RP );
-    mbedtls_mpi_free( &ctx->QP ); mbedtls_mpi_free( &ctx->DQ );
+    mbedtls_mpi_free( &ctx->RQ );
+    mbedtls_mpi_free( &ctx->RP );
+    mbedtls_mpi_free( &ctx->QP );
+    mbedtls_mpi_free( &ctx->DQ );
     mbedtls_mpi_free( &ctx->DP );
 #endif /* MBEDTLS_RSA_NO_CRT */
 
diff --git a/3rdparty/mbedtls/mbedtls/library/rsa_internal.c b/3rdparty/mbedtls/mbedtls/library/rsa_internal.c
index 507009f131..9a42d47ceb 100644
--- a/3rdparty/mbedtls/mbedtls/library/rsa_internal.c
+++ b/3rdparty/mbedtls/mbedtls/library/rsa_internal.c
@@ -351,15 +351,20 @@ int mbedtls_rsa_validate_params( const mbedtls_mpi *N, const mbedtls_mpi *P,
      */
 
 #if defined(MBEDTLS_GENPRIME)
+    /*
+     * When generating keys, the strongest security we support aims for an error
+     * rate of at most 2^-100 and we are aiming for the same certainty here as
+     * well.
+     */
     if( f_rng != NULL && P != NULL &&
-        ( ret = mbedtls_mpi_is_prime( P, f_rng, p_rng ) ) != 0 )
+        ( ret = mbedtls_mpi_is_prime_ext( P, 50, f_rng, p_rng ) ) != 0 )
     {
         ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
         goto cleanup;
     }
 
     if( f_rng != NULL && Q != NULL &&
-        ( ret = mbedtls_mpi_is_prime( Q, f_rng, p_rng ) ) != 0 )
+        ( ret = mbedtls_mpi_is_prime_ext( Q, 50, f_rng, p_rng ) ) != 0 )
     {
         ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
         goto cleanup;
diff --git a/3rdparty/mbedtls/mbedtls/library/sha1.c b/3rdparty/mbedtls/mbedtls/library/sha1.c
index 5d0335d5ae..355c83d2f7 100644
--- a/3rdparty/mbedtls/mbedtls/library/sha1.c
+++ b/3rdparty/mbedtls/mbedtls/library/sha1.c
@@ -33,6 +33,7 @@
 #if defined(MBEDTLS_SHA1_C)
 
 #include "mbedtls/sha1.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -45,12 +46,12 @@
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
 
-#if !defined(MBEDTLS_SHA1_ALT)
+#define SHA1_VALIDATE_RET(cond)                             \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA1_BAD_INPUT_DATA )
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
-}
+#define SHA1_VALIDATE(cond)  MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if !defined(MBEDTLS_SHA1_ALT)
 
 /*
  * 32-bit integer manipulation macros (big endian)
@@ -77,6 +78,8 @@ static void mbedtls_zeroize( void *v, size_t n ) {
 
 void mbedtls_sha1_init( mbedtls_sha1_context *ctx )
 {
+    SHA1_VALIDATE( ctx != NULL );
+
     memset( ctx, 0, sizeof( mbedtls_sha1_context ) );
 }
 
@@ -85,12 +88,15 @@ void mbedtls_sha1_free( mbedtls_sha1_context *ctx )
     if( ctx == NULL )
         return;
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_sha1_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha1_context ) );
 }
 
 void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
                          const mbedtls_sha1_context *src )
 {
+    SHA1_VALIDATE( dst != NULL );
+    SHA1_VALIDATE( src != NULL );
+
     *dst = *src;
 }
 
@@ -99,6 +105,8 @@ void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
  */
 int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx )
 {
+    SHA1_VALIDATE_RET( ctx != NULL );
+
     ctx->total[0] = 0;
     ctx->total[1] = 0;
 
@@ -124,6 +132,9 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
 {
     uint32_t temp, W[16], A, B, C, D, E;
 
+    SHA1_VALIDATE_RET( ctx != NULL );
+    SHA1_VALIDATE_RET( (const unsigned char *)data != NULL );
+
     GET_UINT32_BE( W[ 0], data,  0 );
     GET_UINT32_BE( W[ 1], data,  4 );
     GET_UINT32_BE( W[ 2], data,  8 );
@@ -141,19 +152,21 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
     GET_UINT32_BE( W[14], data, 56 );
     GET_UINT32_BE( W[15], data, 60 );
 
-#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
+#define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
 
-#define R(t)                                            \
-(                                                       \
-    temp = W[( t -  3 ) & 0x0F] ^ W[( t - 8 ) & 0x0F] ^ \
-           W[( t - 14 ) & 0x0F] ^ W[  t       & 0x0F],  \
-    ( W[t & 0x0F] = S(temp,1) )                         \
-)
+#define R(t)                                                    \
+    (                                                           \
+        temp = W[( (t) -  3 ) & 0x0F] ^ W[( (t) - 8 ) & 0x0F] ^ \
+               W[( (t) - 14 ) & 0x0F] ^ W[  (t)       & 0x0F],  \
+        ( W[(t) & 0x0F] = S(temp,1) )                           \
+    )
 
-#define P(a,b,c,d,e,x)                                  \
-{                                                       \
-    e += S(a,5) + F(b,c,d) + K + x; b = S(b,30);        \
-}
+#define P(a,b,c,d,e,x)                                          \
+    do                                                          \
+    {                                                           \
+        (e) += S((a),5) + F((b),(c),(d)) + K + (x);             \
+        (b) = S((b),30);                                        \
+    } while( 0 )
 
     A = ctx->state[0];
     B = ctx->state[1];
@@ -161,7 +174,7 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
     D = ctx->state[3];
     E = ctx->state[4];
 
-#define F(x,y,z) (z ^ (x & (y ^ z)))
+#define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
 #define K 0x5A827999
 
     P( A, B, C, D, E, W[0]  );
@@ -188,7 +201,7 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
 #undef K
 #undef F
 
-#define F(x,y,z) (x ^ y ^ z)
+#define F(x,y,z) ((x) ^ (y) ^ (z))
 #define K 0x6ED9EBA1
 
     P( A, B, C, D, E, R(20) );
@@ -215,7 +228,7 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
 #undef K
 #undef F
 
-#define F(x,y,z) ((x & y) | (z & (x | y)))
+#define F(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
 #define K 0x8F1BBCDC
 
     P( A, B, C, D, E, R(40) );
@@ -242,7 +255,7 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
 #undef K
 #undef F
 
-#define F(x,y,z) (x ^ y ^ z)
+#define F(x,y,z) ((x) ^ (y) ^ (z))
 #define K 0xCA62C1D6
 
     P( A, B, C, D, E, R(60) );
@@ -298,6 +311,9 @@ int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx,
     size_t fill;
     uint32_t left;
 
+    SHA1_VALIDATE_RET( ctx != NULL );
+    SHA1_VALIDATE_RET( ilen == 0 || input != NULL );
+
     if( ilen == 0 )
         return( 0 );
 
@@ -356,6 +372,9 @@ int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx,
     uint32_t used;
     uint32_t high, low;
 
+    SHA1_VALIDATE_RET( ctx != NULL );
+    SHA1_VALIDATE_RET( (unsigned char *)output != NULL );
+
     /*
      * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
      */
@@ -424,6 +443,9 @@ int mbedtls_sha1_ret( const unsigned char *input,
     int ret;
     mbedtls_sha1_context ctx;
 
+    SHA1_VALIDATE_RET( ilen == 0 || input != NULL );
+    SHA1_VALIDATE_RET( (unsigned char *)output != NULL );
+
     mbedtls_sha1_init( &ctx );
 
     if( ( ret = mbedtls_sha1_starts_ret( &ctx ) ) != 0 )
diff --git a/3rdparty/mbedtls/mbedtls/library/sha256.c b/3rdparty/mbedtls/mbedtls/library/sha256.c
index 4ec9164a8d..2dc0e1a2c9 100644
--- a/3rdparty/mbedtls/mbedtls/library/sha256.c
+++ b/3rdparty/mbedtls/mbedtls/library/sha256.c
@@ -33,6 +33,7 @@
 #if defined(MBEDTLS_SHA256_C)
 
 #include "mbedtls/sha256.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -48,12 +49,11 @@
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
 
-#if !defined(MBEDTLS_SHA256_ALT)
+#define SHA256_VALIDATE_RET(cond)                           \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA256_BAD_INPUT_DATA )
+#define SHA256_VALIDATE(cond)  MBEDTLS_INTERNAL_VALIDATE( cond )
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
+#if !defined(MBEDTLS_SHA256_ALT)
 
 /*
  * 32-bit integer manipulation macros (big endian)
@@ -80,6 +80,8 @@ do {                                                    \
 
 void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
 {
+    SHA256_VALIDATE( ctx != NULL );
+
     memset( ctx, 0, sizeof( mbedtls_sha256_context ) );
 }
 
@@ -88,12 +90,15 @@ void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
     if( ctx == NULL )
         return;
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
 }
 
 void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
                            const mbedtls_sha256_context *src )
 {
+    SHA256_VALIDATE( dst != NULL );
+    SHA256_VALIDATE( src != NULL );
+
     *dst = *src;
 }
 
@@ -102,6 +107,9 @@ void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
  */
 int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 )
 {
+    SHA256_VALIDATE_RET( ctx != NULL );
+    SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 );
+
     ctx->total[0] = 0;
     ctx->total[1] = 0;
 
@@ -164,8 +172,8 @@ static const uint32_t K[] =
     0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
 };
 
-#define  SHR(x,n) ((x & 0xFFFFFFFF) >> n)
-#define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
+#define  SHR(x,n) (((x) & 0xFFFFFFFF) >> (n))
+#define ROTR(x,n) (SHR(x,n) | ((x) << (32 - (n))))
 
 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^  SHR(x, 3))
 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^  SHR(x,10))
@@ -173,21 +181,22 @@ static const uint32_t K[] =
 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
 
-#define F0(x,y,z) ((x & y) | (z & (x | y)))
-#define F1(x,y,z) (z ^ (x & (y ^ z)))
+#define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
 
 #define R(t)                                    \
-(                                               \
-    W[t] = S1(W[t -  2]) + W[t -  7] +          \
-           S0(W[t - 15]) + W[t - 16]            \
-)
-
-#define P(a,b,c,d,e,f,g,h,x,K)                  \
-{                                               \
-    temp1 = h + S3(e) + F1(e,f,g) + K + x;      \
-    temp2 = S2(a) + F0(a,b,c);                  \
-    d += temp1; h = temp1 + temp2;              \
-}
+    (                                           \
+        W[t] = S1(W[(t) -  2]) + W[(t) -  7] +  \
+               S0(W[(t) - 15]) + W[(t) - 16]    \
+    )
+
+#define P(a,b,c,d,e,f,g,h,x,K)                          \
+    do                                                  \
+    {                                                   \
+        temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x);      \
+        temp2 = S2(a) + F0((a),(b),(c));                        \
+        (d) += temp1; (h) = temp1 + temp2;              \
+    } while( 0 )
 
 int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
                                 const unsigned char data[64] )
@@ -196,6 +205,9 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
     uint32_t A[8];
     unsigned int i;
 
+    SHA256_VALIDATE_RET( ctx != NULL );
+    SHA256_VALIDATE_RET( (const unsigned char *)data != NULL );
+
     for( i = 0; i < 8; i++ )
         A[i] = ctx->state[i];
 
@@ -267,6 +279,9 @@ int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
     size_t fill;
     uint32_t left;
 
+    SHA256_VALIDATE_RET( ctx != NULL );
+    SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
+
     if( ilen == 0 )
         return( 0 );
 
@@ -325,6 +340,9 @@ int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
     uint32_t used;
     uint32_t high, low;
 
+    SHA256_VALIDATE_RET( ctx != NULL );
+    SHA256_VALIDATE_RET( (unsigned char *)output != NULL );
+
     /*
      * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
      */
@@ -399,6 +417,10 @@ int mbedtls_sha256_ret( const unsigned char *input,
     int ret;
     mbedtls_sha256_context ctx;
 
+    SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 );
+    SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
+    SHA256_VALIDATE_RET( (unsigned char *)output != NULL );
+
     mbedtls_sha256_init( &ctx );
 
     if( ( ret = mbedtls_sha256_starts_ret( &ctx, is224 ) ) != 0 )
diff --git a/3rdparty/mbedtls/mbedtls/library/sha512.c b/3rdparty/mbedtls/mbedtls/library/sha512.c
index db2617ebdf..bdd20b284a 100644
--- a/3rdparty/mbedtls/mbedtls/library/sha512.c
+++ b/3rdparty/mbedtls/mbedtls/library/sha512.c
@@ -33,6 +33,7 @@
 #if defined(MBEDTLS_SHA512_C)
 
 #include "mbedtls/sha512.h"
+#include "mbedtls/platform_util.h"
 
 #if defined(_MSC_VER) || defined(__WATCOMC__)
   #define UL64(x) x##ui64
@@ -54,12 +55,11 @@
 #endif /* MBEDTLS_PLATFORM_C */
 #endif /* MBEDTLS_SELF_TEST */
 
-#if !defined(MBEDTLS_SHA512_ALT)
+#define SHA512_VALIDATE_RET(cond)                           \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA512_BAD_INPUT_DATA )
+#define SHA512_VALIDATE(cond)  MBEDTLS_INTERNAL_VALIDATE( cond )
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
+#if !defined(MBEDTLS_SHA512_ALT)
 
 /*
  * 64-bit integer manipulation macros (big endian)
@@ -94,6 +94,8 @@ static void mbedtls_zeroize( void *v, size_t n ) {
 
 void mbedtls_sha512_init( mbedtls_sha512_context *ctx )
 {
+    SHA512_VALIDATE( ctx != NULL );
+
     memset( ctx, 0, sizeof( mbedtls_sha512_context ) );
 }
 
@@ -102,12 +104,15 @@ void mbedtls_sha512_free( mbedtls_sha512_context *ctx )
     if( ctx == NULL )
         return;
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_sha512_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha512_context ) );
 }
 
 void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
                            const mbedtls_sha512_context *src )
 {
+    SHA512_VALIDATE( dst != NULL );
+    SHA512_VALIDATE( src != NULL );
+
     *dst = *src;
 }
 
@@ -116,6 +121,9 @@ void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
  */
 int mbedtls_sha512_starts_ret( mbedtls_sha512_context *ctx, int is384 )
 {
+    SHA512_VALIDATE_RET( ctx != NULL );
+    SHA512_VALIDATE_RET( is384 == 0 || is384 == 1 );
+
     ctx->total[0] = 0;
     ctx->total[1] = 0;
 
@@ -213,8 +221,11 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
     uint64_t temp1, temp2, W[80];
     uint64_t A, B, C, D, E, F, G, H;
 
-#define  SHR(x,n) (x >> n)
-#define ROTR(x,n) (SHR(x,n) | (x << (64 - n)))
+    SHA512_VALIDATE_RET( ctx != NULL );
+    SHA512_VALIDATE_RET( (const unsigned char *)data != NULL );
+
+#define  SHR(x,n) ((x) >> (n))
+#define ROTR(x,n) (SHR((x),(n)) | ((x) << (64 - (n))))
 
 #define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^  SHR(x, 7))
 #define S1(x) (ROTR(x,19) ^ ROTR(x,61) ^  SHR(x, 6))
@@ -222,15 +233,16 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
 #define S2(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39))
 #define S3(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41))
 
-#define F0(x,y,z) ((x & y) | (z & (x | y)))
-#define F1(x,y,z) (z ^ (x & (y ^ z)))
+#define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
 
-#define P(a,b,c,d,e,f,g,h,x,K)                  \
-{                                               \
-    temp1 = h + S3(e) + F1(e,f,g) + K + x;      \
-    temp2 = S2(a) + F0(a,b,c);                  \
-    d += temp1; h = temp1 + temp2;              \
-}
+#define P(a,b,c,d,e,f,g,h,x,K)                                  \
+    do                                                          \
+    {                                                           \
+        temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x);      \
+        temp2 = S2(a) + F0((a),(b),(c));                        \
+        (d) += temp1; (h) = temp1 + temp2;                      \
+    } while( 0 )
 
     for( i = 0; i < 16; i++ )
     {
@@ -298,6 +310,9 @@ int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
     size_t fill;
     unsigned int left;
 
+    SHA512_VALIDATE_RET( ctx != NULL );
+    SHA512_VALIDATE_RET( ilen == 0 || input != NULL );
+
     if( ilen == 0 )
         return( 0 );
 
@@ -355,6 +370,9 @@ int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
     unsigned used;
     uint64_t high, low;
 
+    SHA512_VALIDATE_RET( ctx != NULL );
+    SHA512_VALIDATE_RET( (unsigned char *)output != NULL );
+
     /*
      * Add padding: 0x80 then 0x00 until 16 bytes remain for the length
      */
@@ -431,6 +449,10 @@ int mbedtls_sha512_ret( const unsigned char *input,
     int ret;
     mbedtls_sha512_context ctx;
 
+    SHA512_VALIDATE_RET( is384 == 0 || is384 == 1 );
+    SHA512_VALIDATE_RET( ilen == 0 || input != NULL );
+    SHA512_VALIDATE_RET( (unsigned char *)output != NULL );
+
     mbedtls_sha512_init( &ctx );
 
     if( ( ret = mbedtls_sha512_starts_ret( &ctx, is384 ) ) != 0 )
diff --git a/3rdparty/mbedtls/mbedtls/library/ssl_ciphersuites.c b/3rdparty/mbedtls/mbedtls/library/ssl_ciphersuites.c
index 01d1c458a2..518f7dde00 100644
--- a/3rdparty/mbedtls/mbedtls/library/ssl_ciphersuites.c
+++ b/3rdparty/mbedtls/mbedtls/library/ssl_ciphersuites.c
@@ -47,7 +47,7 @@
  * 1. By key exchange:
  *    Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK
  * 2. By key length and cipher:
- *    AES-256 > Camellia-256 > AES-128 > Camellia-128
+ *    ChaCha > AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-128
  * 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8
  * 4. By hash function used when relevant
  * 5. By key exchange/auth again: EC > non-EC
@@ -57,6 +57,11 @@ static const int ciphersuite_preference[] =
 #if defined(MBEDTLS_SSL_CIPHERSUITES)
     MBEDTLS_SSL_CIPHERSUITES,
 #else
+    /* Chacha-Poly ephemeral suites */
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+
     /* All AES-256 ephemeral suites */
     MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
     MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
@@ -81,6 +86,14 @@ static const int ciphersuite_preference[] =
     MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
     MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
 
+    /* All ARIA-256 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+
     /* All AES-128 ephemeral suites */
     MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
     MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
@@ -105,7 +118,17 @@ static const int ciphersuite_preference[] =
     MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
     MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
 
+    /* All ARIA-128 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+
     /* The PSK ephemeral suites */
+    MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
     MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
     MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM,
     MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
@@ -116,6 +139,9 @@ static const int ciphersuite_preference[] =
     MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
     MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
     MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8,
+    MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
 
     MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
     MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM,
@@ -127,6 +153,9 @@ static const int ciphersuite_preference[] =
     MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
     MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
     MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8,
+    MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
 
     /* The ECJPAKE suite */
     MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8,
@@ -153,6 +182,14 @@ static const int ciphersuite_preference[] =
     MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
     MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
 
+    /* All ARIA-256 suites */
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
+
     /* All AES-128 suites */
     MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
     MBEDTLS_TLS_RSA_WITH_AES_128_CCM,
@@ -175,20 +212,34 @@ static const int ciphersuite_preference[] =
     MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
     MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
 
+    /* All ARIA-128 suites */
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
+
     /* The RSA PSK suites */
+    MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
     MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
     MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
     MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
     MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384,
     MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
 
     MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
     MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
     MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
     MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,
     MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
 
     /* The PSK suites */
+    MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
     MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384,
     MBEDTLS_TLS_PSK_WITH_AES_256_CCM,
     MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384,
@@ -196,6 +247,8 @@ static const int ciphersuite_preference[] =
     MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384,
     MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,
     MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8,
+    MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
 
     MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256,
     MBEDTLS_TLS_PSK_WITH_AES_128_CCM,
@@ -204,6 +257,8 @@ static const int ciphersuite_preference[] =
     MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256,
     MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
     MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8,
+    MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
 
     /* 3DES suites */
     MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
@@ -261,6 +316,75 @@ static const int ciphersuite_preference[] =
 
 static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
 {
+#if defined(MBEDTLS_CHACHAPOLY_C) && \
+    defined(MBEDTLS_SHA256_C) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    { MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    { MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-PSK-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    { MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    { MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#endif /* MBEDTLS_CHACHAPOLY_C &&
+          MBEDTLS_SHA256_C &&
+          MBEDTLS_SSL_PROTO_TLS1_2 */
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
 #if defined(MBEDTLS_AES_C)
 #if defined(MBEDTLS_SHA1_C)
@@ -1683,6 +1807,365 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
 #endif /* MBEDTLS_DES_C */
 #endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
 
+#if defined(MBEDTLS_ARIA_C)
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-RSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-RSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-RSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-RSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+             "TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
+             "TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+             "TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
+             "TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
+             "TLS-PSK-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384,MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
+             "TLS-PSK-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
+             "TLS-PSK-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
+             "TLS-PSK-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+             "TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+             "TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+             "TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
+             "TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+             "TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
+             "TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#endif /* MBEDTLS_ARIA_C */
+
+
     { 0, "",
       MBEDTLS_CIPHER_NONE, MBEDTLS_MD_NONE, MBEDTLS_KEY_EXCHANGE_NONE,
       0, 0, 0, 0, 0 }
diff --git a/3rdparty/mbedtls/mbedtls/library/ssl_cli.c b/3rdparty/mbedtls/mbedtls/library/ssl_cli.c
index 0d3623e613..afced7a99c 100644
--- a/3rdparty/mbedtls/mbedtls/library/ssl_cli.c
+++ b/3rdparty/mbedtls/mbedtls/library/ssl_cli.c
@@ -48,10 +48,7 @@
 #endif
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
+#include "mbedtls/platform_util.h"
 #endif
 
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
@@ -60,7 +57,7 @@ static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
                                     size_t *olen )
 {
     unsigned char *p = buf;
-    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
     size_t hostname_len;
 
     *olen = 0;
@@ -130,7 +127,7 @@ static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
                                          size_t *olen )
 {
     unsigned char *p = buf;
-    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
 
     *olen = 0;
 
@@ -174,7 +171,7 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
                                                 size_t *olen )
 {
     unsigned char *p = buf;
-    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
     size_t sig_alg_len = 0;
     const int *md;
 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
@@ -259,7 +256,7 @@ static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
                                                      size_t *olen )
 {
     unsigned char *p = buf;
-    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
     unsigned char *elliptic_curve_list = p + 6;
     size_t elliptic_curve_len = 0;
     const mbedtls_ecp_curve_info *info;
@@ -332,7 +329,7 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
                                                    size_t *olen )
 {
     unsigned char *p = buf;
-    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
 
     *olen = 0;
 
@@ -365,7 +362,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
 {
     int ret;
     unsigned char *p = buf;
-    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
     size_t kkpp_len;
 
     *olen = 0;
@@ -442,7 +439,7 @@ static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
                                                size_t *olen )
 {
     unsigned char *p = buf;
-    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
 
     *olen = 0;
 
@@ -475,7 +472,7 @@ static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
                                           unsigned char *buf, size_t *olen )
 {
     unsigned char *p = buf;
-    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
 
     *olen = 0;
 
@@ -507,7 +504,7 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
                                        unsigned char *buf, size_t *olen )
 {
     unsigned char *p = buf;
-    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
 
     *olen = 0;
 
@@ -541,7 +538,7 @@ static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
                                        unsigned char *buf, size_t *olen )
 {
     unsigned char *p = buf;
-    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
 
     *olen = 0;
 
@@ -575,7 +572,7 @@ static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
                                           unsigned char *buf, size_t *olen )
 {
     unsigned char *p = buf;
-    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
     size_t tlen = ssl->session_negotiate->ticket_len;
 
     *olen = 0;
@@ -619,7 +616,7 @@ static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
                                 unsigned char *buf, size_t *olen )
 {
     unsigned char *p = buf;
-    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
     size_t alpnlen = 0;
     const char **cur;
 
@@ -1091,12 +1088,21 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
         mbedtls_ssl_send_flight_completed( ssl );
 #endif
 
-    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
     {
-        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
         return( ret );
     }
 
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
+        return( ret );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
 
     return( 0 );
@@ -1494,7 +1500,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
 
     buf = ssl->in_msg;
 
-    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
     {
         /* No alert on a read error. */
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
@@ -1757,6 +1763,14 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
 
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        ssl->handshake->ecrs_enabled = 1;
+    }
+#endif
+
     if( comp != MBEDTLS_SSL_COMPRESS_NULL
 #if defined(MBEDTLS_ZLIB_SUPPORT)
         && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
@@ -2013,8 +2027,14 @@ static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char *
 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
 {
     const mbedtls_ecp_curve_info *curve_info;
+    mbedtls_ecp_group_id grp_id;
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    grp_id = ssl->handshake->ecdh_ctx.grp.id;
+#else
+    grp_id = ssl->handshake->ecdh_ctx.grp_id;
+#endif
 
-    curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id );
+    curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
     if( curve_info == NULL )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
@@ -2024,14 +2044,15 @@ static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
 
 #if defined(MBEDTLS_ECP_C)
-    if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 )
+    if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
 #else
     if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
         ssl->handshake->ecdh_ctx.grp.nbits > 521 )
 #endif
         return( -1 );
 
-    MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
+    MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                            MBEDTLS_DEBUG_ECDH_QP );
 
     return( 0 );
 }
@@ -2062,6 +2083,10 @@ static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
                                   (const unsigned char **) p, end ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+            ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
         return( ret );
     }
 
@@ -2132,7 +2157,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
     size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
     unsigned char *p = ssl->handshake->premaster + pms_offset;
 
-    if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN )
+    if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
         return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
@@ -2175,7 +2200,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
     if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
                             p, ssl->handshake->pmslen,
                             ssl->out_msg + offset + len_bytes, olen,
-                            MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes,
+                            MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
                             ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
@@ -2343,7 +2368,15 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
           MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
 
-    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled &&
+        ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
+    {
+        goto start_processing;
+    }
+#endif
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
         return( ret );
@@ -2380,6 +2413,12 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
         return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
     }
 
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled )
+        ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
+
+start_processing:
+#endif
     p   = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
     end = ssl->in_msg + ssl->in_hslen;
     MBEDTLS_SSL_DEBUG_BUF( 3,   "server key exchange", p, end - p );
@@ -2472,6 +2511,7 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
         mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
         unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
         size_t params_len = p - params;
+        void *rs_ctx = NULL;
 
         /*
          * Handle the digitally-signed structure
@@ -2518,6 +2558,7 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
         /*
          * Read signature
          */
+
         if( p > end - 2 )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
@@ -2558,10 +2599,9 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
     defined(MBEDTLS_SSL_PROTO_TLS1_2)
         if( md_alg != MBEDTLS_MD_NONE )
         {
-            /* Info from md_alg will be used instead */
-            hashlen = 0;
-            ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, params,
-                                                          params_len, md_alg );
+            ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
+                                                          params, params_len,
+                                                          md_alg );
             if( ret != 0 )
                 return( ret );
         }
@@ -2573,8 +2613,7 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
         }
 
-        MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
-            (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
+        MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
 
         if( ssl->session_negotiate->peer_cert == NULL )
         {
@@ -2595,12 +2634,25 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
             return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
         }
 
-        if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
-                               md_alg, hash, hashlen, p, sig_len ) ) != 0 )
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ssl->handshake->ecrs_enabled )
+            rs_ctx = &ssl->handshake->ecrs_ctx.pk;
+#endif
+
+        if( ( ret = mbedtls_pk_verify_restartable(
+                        &ssl->session_negotiate->peer_cert->pk,
+                        md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
         {
-            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
-                                            MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+            if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+#endif
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+            if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+                ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
             return( ret );
         }
     }
@@ -2651,7 +2703,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
         return( 0 );
     }
 
-    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
         return( ret );
@@ -2803,7 +2855,7 @@ static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
 
-    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
         return( ret );
@@ -2898,6 +2950,16 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
          */
         i = 4;
 
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ssl->handshake->ecrs_enabled )
+        {
+            if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
+                goto ecdh_calc_secret;
+
+            mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
+        }
+#endif
+
         ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
                                 &n,
                                 &ssl->out_msg[i], 1000,
@@ -2905,11 +2967,27 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
         if( ret != 0 )
         {
             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+            if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+                ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
             return( ret );
         }
 
-        MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_Q );
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ssl->handshake->ecrs_enabled )
+        {
+            ssl->handshake->ecrs_n = n;
+            ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
+        }
 
+ecdh_calc_secret:
+        if( ssl->handshake->ecrs_enabled )
+            n = ssl->handshake->ecrs_n;
+#endif
         if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
                                       &ssl->handshake->pmslen,
                                        ssl->handshake->premaster,
@@ -2917,10 +2995,15 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
                                        ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
         {
             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+            if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+                ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
             return( ret );
         }
 
-        MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_Z );
     }
     else
 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
@@ -2942,7 +3025,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
         i = 4;
         n = ssl->conf->psk_identity_len;
 
-        if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
+        if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
                                         "SSL buffer too short" ) );
@@ -2978,7 +3061,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
              */
             n = ssl->handshake->dhm_ctx.len;
 
-            if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
+            if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
             {
                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
                                             " or SSL buffer too short" ) );
@@ -3007,7 +3090,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
              * ClientECDiffieHellmanPublic public;
              */
             ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
-                    &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i,
+                    &ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i,
                     ssl->conf->f_rng, ssl->conf->p_rng );
             if( ret != 0 )
             {
@@ -3015,7 +3098,8 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
                 return( ret );
             }
 
-            MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
+            MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                    MBEDTLS_DEBUG_ECDH_Q );
         }
         else
 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
@@ -3048,7 +3132,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
         i = 4;
 
         ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
-                ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n,
+                ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n,
                 ssl->conf->f_rng, ssl->conf->p_rng );
         if( ret != 0 )
         {
@@ -3079,9 +3163,9 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
 
     ssl->state++;
 
-    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
     {
-        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
         return( ret );
     }
 
@@ -3135,9 +3219,18 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
     unsigned char *hash_start = hash;
     mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
     unsigned int hashlen;
+    void *rs_ctx = NULL;
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
 
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled &&
+        ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
+    {
+        goto sign;
+    }
+#endif
+
     if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
@@ -3169,8 +3262,15 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
     }
 
     /*
-     * Make an RSA signature of the handshake digests
+     * Make a signature of the handshake digests
      */
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled )
+        ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
+
+sign:
+#endif
+
     ssl->handshake->calc_verify( ssl, hash );
 
 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
@@ -3247,11 +3347,21 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
     }
 
-    if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen,
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled )
+        rs_ctx = &ssl->handshake->ecrs_ctx.pk;
+#endif
+
+    if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
+                         md_alg, hash_start, hashlen,
                          ssl->out_msg + 6 + offset, &n,
-                         ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+                         ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+            ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
         return( ret );
     }
 
@@ -3264,9 +3374,9 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
 
     ssl->state++;
 
-    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
     {
-        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
         return( ret );
     }
 
@@ -3292,7 +3402,7 @@ static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
 
-    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
         return( ret );
@@ -3353,8 +3463,8 @@ static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
     if( ticket_len == 0 )
         return( 0 );
 
-    mbedtls_zeroize( ssl->session_negotiate->ticket,
-                      ssl->session_negotiate->ticket_len );
+    mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
+                              ssl->session_negotiate->ticket_len );
     mbedtls_free( ssl->session_negotiate->ticket );
     ssl->session_negotiate->ticket = NULL;
     ssl->session_negotiate->ticket_len = 0;
@@ -3406,10 +3516,10 @@ int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
         ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
     {
-        if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
+        if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
             return( ret );
     }
-#endif
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
 
     /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
      * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
diff --git a/3rdparty/mbedtls/mbedtls/library/ssl_cookie.c b/3rdparty/mbedtls/mbedtls/library/ssl_cookie.c
index caf119990d..56e9bdd2bf 100644
--- a/3rdparty/mbedtls/mbedtls/library/ssl_cookie.c
+++ b/3rdparty/mbedtls/mbedtls/library/ssl_cookie.c
@@ -40,14 +40,10 @@
 
 #include "mbedtls/ssl_cookie.h"
 #include "mbedtls/ssl_internal.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 /*
  * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is
  * available. Try SHA-256 first, 512 wastes resources since we need to stay
@@ -101,7 +97,7 @@ void mbedtls_ssl_cookie_free( mbedtls_ssl_cookie_ctx *ctx )
     mbedtls_mutex_free( &ctx->mutex );
 #endif
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_ssl_cookie_ctx ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ssl_cookie_ctx ) );
 }
 
 int mbedtls_ssl_cookie_setup( mbedtls_ssl_cookie_ctx *ctx,
@@ -122,7 +118,7 @@ int mbedtls_ssl_cookie_setup( mbedtls_ssl_cookie_ctx *ctx,
     if( ret != 0 )
         return( ret );
 
-    mbedtls_zeroize( key, sizeof( key ) );
+    mbedtls_platform_zeroize( key, sizeof( key ) );
 
     return( 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/library/ssl_srv.c b/3rdparty/mbedtls/mbedtls/library/ssl_srv.c
index c8da871cd7..bc77f80203 100644
--- a/3rdparty/mbedtls/mbedtls/library/ssl_srv.c
+++ b/3rdparty/mbedtls/mbedtls/library/ssl_srv.c
@@ -38,6 +38,7 @@
 #include "mbedtls/debug.h"
 #include "mbedtls/ssl.h"
 #include "mbedtls/ssl_internal.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -49,13 +50,6 @@
 #include "mbedtls/platform_time.h"
 #endif
 
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-#endif
-
 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
                                  const unsigned char *info,
@@ -572,7 +566,7 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
     memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
 
     /* Zeroize instead of free as we copied the content */
-    mbedtls_zeroize( &session, sizeof( mbedtls_ssl_session ) );
+    mbedtls_platform_zeroize( &session, sizeof( mbedtls_ssl_session ) );
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
 
@@ -734,7 +728,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
                           cur->cert );
 
-        if( ! mbedtls_pk_can_do( cur->key, pk_alg ) )
+        if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) )
         {
             MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
             continue;
@@ -758,7 +752,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
 
 #if defined(MBEDTLS_ECDSA_C)
         if( pk_alg == MBEDTLS_PK_ECDSA &&
-            ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
+            ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
         {
             MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
             continue;
@@ -1300,7 +1294,7 @@ static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
         }
 
-        memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 );
+        memcpy( ssl->cur_out_ctr + 2, ssl->in_ctr + 2, 6 );
 
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
         if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
@@ -1328,7 +1322,7 @@ static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
     else
 #endif
     {
-        if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
+        if( msg_len > MBEDTLS_SSL_IN_CONTENT_LEN )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
@@ -2266,7 +2260,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
 {
     int ret;
     unsigned char *p = buf;
-    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
     size_t kkpp_len;
 
     *olen = 0;
@@ -2373,7 +2367,7 @@ static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
     cookie_len_byte = p++;
 
     if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
-                                     &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN,
+                                     &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
                                      ssl->cli_id, ssl->cli_id_len ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
@@ -2390,11 +2384,20 @@ static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
 
     ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
 
-    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
     {
-        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
         return( ret );
     }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
 
@@ -2630,7 +2633,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
     ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO;
 
-    ret = mbedtls_ssl_write_record( ssl );
+    ret = mbedtls_ssl_write_handshake_msg( ssl );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
 
@@ -2673,7 +2676,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
     size_t dn_size, total_dn_size; /* excluding length bytes */
     size_t ct_len, sa_len; /* including length bytes */
     unsigned char *buf, *p;
-    const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+    const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
     const mbedtls_x509_crt *crt;
     int authmode;
 
@@ -2825,7 +2828,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
     ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size  >> 8 );
     ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size       );
 
-    ret = mbedtls_ssl_write_record( ssl );
+    ret = mbedtls_ssl_write_handshake_msg( ssl );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
 
@@ -2863,54 +2866,56 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
           MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
 
-static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
+    defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
+                                           size_t *signature_len )
+{
+    /* Append the signature to ssl->out_msg, leaving 2 bytes for the
+     * signature length which will be added in ssl_write_server_key_exchange
+     * after the call to ssl_prepare_server_key_exchange.
+     * ssl_write_server_key_exchange also takes care of incrementing
+     * ssl->out_msglen. */
+    unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
+    size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
+                           - sig_start );
+    int ret = ssl->conf->f_async_resume( ssl,
+                                         sig_start, signature_len, sig_max_len );
+    if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+    {
+        ssl->handshake->async_in_progress = 0;
+        mbedtls_ssl_set_async_operation_data( ssl, NULL );
+    }
+    MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret );
+    return( ret );
+}
+#endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
+          defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
+
+/* Prepare the ServerKeyExchange message, up to and including
+ * calculating the signature if any, but excluding formatting the
+ * signature and sending the message. */
+static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
+                                            size_t *signature_len )
 {
-    int ret;
-    size_t n = 0;
     const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
                             ssl->transform_negotiate->ciphersuite_info;
-
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
-    unsigned char *p = ssl->out_msg + 4;
-    size_t len = 0;
 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
-    unsigned char *dig_signed = p;
-    size_t dig_signed_len = 0;
+    unsigned char *dig_signed = NULL;
 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
 
-    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
-
-    /*
-     *
-     * Part 1: Extract static ECDH parameters and abort
-     *         if ServerKeyExchange not needed.
-     *
-     */
-
-    /* For suites involving ECDH, extract DH parameters
-     * from certificate at this point. */
-#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
-    if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
-    {
-        ssl_get_ecdh_params_from_cert( ssl );
-    }
-#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
+    (void) ciphersuite_info; /* unused in some configurations */
+#if !defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+    (void) signature_len;
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
 
-    /* Key exchanges not involving ephemeral keys don't use
-     * ServerKeyExchange, so end here. */
-#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
-    if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
-        ssl->state++;
-        return( 0 );
-    }
-#endif /* MBEDTLS_KEY_EXCHANGE__NON_PFS__ENABLED */
+    ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
 
     /*
      *
-     * Part 2: Provide key exchange parameters for chosen ciphersuite.
+     * Part 1: Provide key exchange parameters for chosen ciphersuite.
      *
      */
 
@@ -2920,18 +2925,21 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
     {
-        const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
+        int ret;
+        size_t len = 0;
 
-        ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
-                p, end - p, &len, ssl->conf->f_rng, ssl->conf->p_rng );
+        ret = mbedtls_ecjpake_write_round_two(
+            &ssl->handshake->ecjpake_ctx,
+            ssl->out_msg + ssl->out_msglen,
+            MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
+            ssl->conf->f_rng, ssl->conf->p_rng );
         if( ret != 0 )
         {
             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
             return( ret );
         }
 
-        p += len;
-        n += len;
+        ssl->out_msglen += len;
     }
 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
 
@@ -2945,10 +2953,8 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
     {
-        *(p++) = 0x00;
-        *(p++) = 0x00;
-
-        n += 2;
+        ssl->out_msg[ssl->out_msglen++] = 0x00;
+        ssl->out_msg[ssl->out_msglen++] = 0x00;
     }
 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
           MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
@@ -2959,6 +2965,9 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
     if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
     {
+        int ret;
+        size_t len = 0;
+
         if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
@@ -2982,21 +2991,21 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
             return( ret );
         }
 
-        if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx,
-                        (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
-                        p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        if( ( ret = mbedtls_dhm_make_params(
+                  &ssl->handshake->dhm_ctx,
+                  (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
+                  ssl->out_msg + ssl->out_msglen, &len,
+                  ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
         {
             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
             return( ret );
         }
 
 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
-        dig_signed = p;
-        dig_signed_len = len;
+        dig_signed = ssl->out_msg + ssl->out_msglen;
 #endif
 
-        p += len;
-        n += len;
+        ssl->out_msglen += len;
 
         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X  );
         MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P  );
@@ -3021,6 +3030,8 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
          */
         const mbedtls_ecp_curve_info **curve = NULL;
         const mbedtls_ecp_group_id *gid;
+        int ret;
+        size_t len = 0;
 
         /* Match our preference list against the offered curves */
         for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
@@ -3037,48 +3048,50 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
 
         MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
 
-        if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp,
-                                       (*curve)->grp_id ) ) != 0 )
+        if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx,
+                                        (*curve)->grp_id ) ) != 0 )
         {
             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
             return( ret );
         }
 
-        if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
-                                      p, MBEDTLS_SSL_MAX_CONTENT_LEN - n,
-                                      ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        if( ( ret = mbedtls_ecdh_make_params(
+                  &ssl->handshake->ecdh_ctx, &len,
+                  ssl->out_msg + ssl->out_msglen,
+                  MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
+                  ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
         {
             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
             return( ret );
         }
 
 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
-        dig_signed     = p;
-        dig_signed_len = len;
+        dig_signed = ssl->out_msg + ssl->out_msglen;
 #endif
 
-        p += len;
-        n += len;
+        ssl->out_msglen += len;
 
-        MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_Q );
     }
 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
 
     /*
      *
-     * Part 3: For key exchanges involving the server signing the
+     * Part 2: For key exchanges involving the server signing the
      *         exchange parameters, compute and add the signature here.
      *
      */
 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
     if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
     {
-        size_t signature_len = 0;
-        unsigned int hashlen = 0;
-        unsigned char hash[64];
+        size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
+        size_t hashlen = 0;
+        unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+        int ret;
 
         /*
-         * 3.1: Choose hash algorithm:
+         * 2.1: Choose hash algorithm:
          * A: For TLS 1.2, obey signature-hash-algorithm extension
          *    to choose appropriate hash.
          * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
@@ -3125,7 +3138,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
 
         /*
-         * 3.2: Compute the hash to be signed
+         * 2.2: Compute the hash to be signed
          */
 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
     defined(MBEDTLS_SSL_PROTO_TLS1_1)
@@ -3145,9 +3158,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
     defined(MBEDTLS_SSL_PROTO_TLS1_2)
         if( md_alg != MBEDTLS_MD_NONE )
         {
-            /* Info from md_alg will be used instead */
-            hashlen = 0;
-            ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash,
+            ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
                                                           dig_signed,
                                                           dig_signed_len,
                                                           md_alg );
@@ -3162,18 +3173,11 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
         }
 
-        MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
-            (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
+        MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
 
         /*
-         * 3.3: Compute and add the signature
+         * 2.3: Compute and add the signature
          */
-        if( mbedtls_ssl_own_key( ssl ) == NULL )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
-            return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
-        }
-
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
         {
@@ -3193,46 +3197,162 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
              *
              */
 
-            *(p++) = mbedtls_ssl_hash_from_md_alg( md_alg );
-            *(p++) = mbedtls_ssl_sig_from_pk_alg( sig_alg );
-
-            n += 2;
+            ssl->out_msg[ssl->out_msglen++] =
+                mbedtls_ssl_hash_from_md_alg( md_alg );
+            ssl->out_msg[ssl->out_msglen++] =
+                mbedtls_ssl_sig_from_pk_alg( sig_alg );
         }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
 
-        if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen,
-                        p + 2 , &signature_len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+        if( ssl->conf->f_async_sign_start != NULL )
+        {
+            ret = ssl->conf->f_async_sign_start( ssl,
+                                                 mbedtls_ssl_own_cert( ssl ),
+                                                 md_alg, hash, hashlen );
+            switch( ret )
+            {
+            case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
+                /* act as if f_async_sign was null */
+                break;
+            case 0:
+                ssl->handshake->async_in_progress = 1;
+                return( ssl_resume_server_key_exchange( ssl, signature_len ) );
+            case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
+                ssl->handshake->async_in_progress = 1;
+                return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+            default:
+                MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign_start", ret );
+                return( ret );
+            }
+        }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+        if( mbedtls_ssl_own_key( ssl ) == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
+            return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+        }
+
+        /* Append the signature to ssl->out_msg, leaving 2 bytes for the
+         * signature length which will be added in ssl_write_server_key_exchange
+         * after the call to ssl_prepare_server_key_exchange.
+         * ssl_write_server_key_exchange also takes care of incrementing
+         * ssl->out_msglen. */
+        if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ),
+                                     md_alg, hash, hashlen,
+                                     ssl->out_msg + ssl->out_msglen + 2,
+                                     signature_len,
+                                     ssl->conf->f_rng,
+                                     ssl->conf->p_rng ) ) != 0 )
         {
             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
             return( ret );
         }
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+    return( 0 );
+}
+
+/* Prepare the ServerKeyExchange message and send it. For ciphersuites
+ * that do not include a ServerKeyExchange message, do nothing. Either
+ * way, if successful, move on to the next step in the SSL state
+ * machine. */
+static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t signature_len = 0;
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+                            ssl->transform_negotiate->ciphersuite_info;
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
+    /* Extract static ECDH parameters and abort if ServerKeyExchange
+     * is not needed. */
+    if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
+    {
+        /* For suites involving ECDH, extract DH parameters
+         * from certificate at this point. */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
+        if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
+        {
+            ssl_get_ecdh_params_from_cert( ssl );
+        }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
 
-        *(p++) = (unsigned char)( signature_len >> 8 );
-        *(p++) = (unsigned char)( signature_len      );
-        n += 2;
+        /* Key exchanges not involving ephemeral keys don't use
+         * ServerKeyExchange, so end here. */
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
+        ssl->state++;
+        return( 0 );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
 
-        MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
+    defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    /* If we have already prepared the message and there is an ongoing
+     * signature operation, resume signing. */
+    if( ssl->handshake->async_in_progress != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming signature operation" ) );
+        ret = ssl_resume_server_key_exchange( ssl, &signature_len );
+    }
+    else
+#endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
+          defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
+    {
+        /* ServerKeyExchange is needed. Prepare the message. */
+        ret = ssl_prepare_server_key_exchange( ssl, &signature_len );
+    }
 
-        n += signature_len;
+    if( ret != 0 )
+    {
+        /* If we're starting to write a new message, set ssl->out_msglen
+         * to 0. But if we're resuming after an asynchronous message,
+         * out_msglen is the amount of data written so far and mst be
+         * preserved. */
+        if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange (pending)" ) );
+        else
+            ssl->out_msglen = 0;
+        return( ret );
     }
-#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
 
-    /* Done with actual work; add header and send. */
+    /* If there is a signature, write its length.
+     * ssl_prepare_server_key_exchange already wrote the signature
+     * itself at its proper place in the output buffer. */
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+    if( signature_len != 0 )
+    {
+        ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len >> 8 );
+        ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len      );
 
-    ssl->out_msglen  = 4 + n;
+        MBEDTLS_SSL_DEBUG_BUF( 3, "my signature",
+                               ssl->out_msg + ssl->out_msglen,
+                               signature_len );
+
+        /* Skip over the already-written signature */
+        ssl->out_msglen += signature_len;
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+    /* Add header and send. */
     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
     ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
 
     ssl->state++;
 
-    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
     {
-        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
         return( ret );
     }
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
-
     return( 0 );
 }
 
@@ -3253,12 +3373,21 @@ static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
         mbedtls_ssl_send_flight_completed( ssl );
 #endif
 
-    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
     {
-        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
         return( ret );
     }
 
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
+        return( ret );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
 
     return( 0 );
@@ -3307,28 +3436,50 @@ static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char *
 
 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                           \
     defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
-static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
-                                    const unsigned char *p,
-                                    const unsigned char *end,
-                                    size_t pms_offset )
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl,
+                                   unsigned char *peer_pms,
+                                   size_t *peer_pmslen,
+                                   size_t peer_pmssize )
+{
+    int ret = ssl->conf->f_async_resume( ssl,
+                                         peer_pms, peer_pmslen, peer_pmssize );
+    if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+    {
+        ssl->handshake->async_in_progress = 0;
+        mbedtls_ssl_set_async_operation_data( ssl, NULL );
+    }
+    MBEDTLS_SSL_DEBUG_RET( 2, "ssl_decrypt_encrypted_pms", ret );
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
+                                      const unsigned char *p,
+                                      const unsigned char *end,
+                                      unsigned char *peer_pms,
+                                      size_t *peer_pmslen,
+                                      size_t peer_pmssize )
 {
     int ret;
-    size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) );
-    unsigned char *pms = ssl->handshake->premaster + pms_offset;
-    unsigned char ver[2];
-    unsigned char fake_pms[48], peer_pms[48];
-    unsigned char mask;
-    size_t i, peer_pmslen;
-    unsigned int diff;
+    mbedtls_pk_context *private_key = mbedtls_ssl_own_key( ssl );
+    mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert( ssl )->pk;
+    size_t len = mbedtls_pk_get_len( public_key );
 
-    if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    /* If we have already started decoding the message and there is an ongoing
+     * decryption operation, resume signing. */
+    if( ssl->handshake->async_in_progress != 0 )
     {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
-        return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming decryption operation" ) );
+        return( ssl_resume_decrypt_pms( ssl,
+                                        peer_pms, peer_pmslen, peer_pmssize ) );
     }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
 
     /*
-     * Decrypt the premaster using own private RSA key
+     * Prepare to decrypt the premaster using own private RSA key
      */
 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
     defined(MBEDTLS_SSL_PROTO_TLS1_2)
@@ -3353,30 +3504,120 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
     }
 
+    /*
+     * Decrypt the premaster secret
+     */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    if( ssl->conf->f_async_decrypt_start != NULL )
+    {
+        ret = ssl->conf->f_async_decrypt_start( ssl,
+                                                mbedtls_ssl_own_cert( ssl ),
+                                                p, len );
+        switch( ret )
+        {
+        case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
+            /* act as if f_async_decrypt_start was null */
+            break;
+        case 0:
+            ssl->handshake->async_in_progress = 1;
+            return( ssl_resume_decrypt_pms( ssl,
+                                            peer_pms,
+                                            peer_pmslen,
+                                            peer_pmssize ) );
+        case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
+            ssl->handshake->async_in_progress = 1;
+            return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+        default:
+            MBEDTLS_SSL_DEBUG_RET( 1, "f_async_decrypt_start", ret );
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+    if( ! mbedtls_pk_can_do( private_key, MBEDTLS_PK_RSA ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
+        return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+    }
+
+    ret = mbedtls_pk_decrypt( private_key, p, len,
+                              peer_pms, peer_pmslen, peer_pmssize,
+                              ssl->conf->f_rng, ssl->conf->p_rng );
+    return( ret );
+}
+
+static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
+                                    const unsigned char *p,
+                                    const unsigned char *end,
+                                    size_t pms_offset )
+{
+    int ret;
+    unsigned char *pms = ssl->handshake->premaster + pms_offset;
+    unsigned char ver[2];
+    unsigned char fake_pms[48], peer_pms[48];
+    unsigned char mask;
+    size_t i, peer_pmslen;
+    unsigned int diff;
+
+    /* In case of a failure in decryption, the decryption may write less than
+     * 2 bytes of output, but we always read the first two bytes. It doesn't
+     * matter in the end because diff will be nonzero in that case due to
+     * peer_pmslen being less than 48, and we only care whether diff is 0.
+     * But do initialize peer_pms for robustness anyway. This also makes
+     * memory analyzers happy (don't access uninitialized memory, even
+     * if it's an unsigned char). */
+    peer_pms[0] = peer_pms[1] = ~0;
+
+    ret = ssl_decrypt_encrypted_pms( ssl, p, end,
+                                     peer_pms,
+                                     &peer_pmslen,
+                                     sizeof( peer_pms ) );
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    if ( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+        return( ret );
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
     mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
-                       ssl->handshake->max_minor_ver,
-                       ssl->conf->transport, ver );
+                               ssl->handshake->max_minor_ver,
+                               ssl->conf->transport, ver );
+
+    /* Avoid data-dependent branches while checking for invalid
+     * padding, to protect against timing-based Bleichenbacher-type
+     * attacks. */
+    diff  = (unsigned int) ret;
+    diff |= peer_pmslen ^ 48;
+    diff |= peer_pms[0] ^ ver[0];
+    diff |= peer_pms[1] ^ ver[1];
+
+    /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
+    /* MSVC has a warning about unary minus on unsigned, but this is
+     * well-defined and precisely what we want to do here */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+    mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
 
     /*
      * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
      * must not cause the connection to end immediately; instead, send a
      * bad_record_mac later in the handshake.
-     * Also, avoid data-dependant branches here to protect against
-     * timing-based variants.
+     * To protect against timing-based variants of the attack, we must
+     * not have any branch that depends on whether the decryption was
+     * successful. In particular, always generate the fake premaster secret,
+     * regardless of whether it will ultimately influence the output or not.
      */
     ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
     if( ret != 0 )
+    {
+        /* It's ok to abort on an RNG failure, since this does not reveal
+         * anything about the RSA decryption. */
         return( ret );
-
-    ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len,
-                      peer_pms, &peer_pmslen,
-                      sizeof( peer_pms ),
-                      ssl->conf->f_rng, ssl->conf->p_rng );
-
-    diff  = (unsigned int) ret;
-    diff |= peer_pmslen ^ 48;
-    diff |= peer_pms[0] ^ ver[0];
-    diff |= peer_pms[1] ^ ver[1];
+    }
 
 #if defined(MBEDTLS_SSL_DEBUG_ALL)
     if( diff != 0 )
@@ -3391,18 +3632,8 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
     }
     ssl->handshake->pmslen = 48;
 
-    /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
-    /* MSVC has a warning about unary minus on unsigned, but this is
-     * well-defined and precisely what we want to do here */
-#if defined(_MSC_VER)
-#pragma warning( push )
-#pragma warning( disable : 4146 )
-#endif
-    mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
-#if defined(_MSC_VER)
-#pragma warning( pop )
-#endif
-
+    /* Set pms to either the true or the fake PMS, without
+     * data-dependent branches. */
     for( i = 0; i < ssl->handshake->pmslen; i++ )
         pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
 
@@ -3484,7 +3715,21 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
 
-    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
+    ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+      defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
+    if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) &&
+        ( ssl->handshake->async_in_progress != 0 ) )
+    {
+        /* We've already read a record and there is an asynchronous
+         * operation in progress to decrypt it. So skip reading the
+         * record. */
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "will resume decryption of previously-read record" ) );
+    }
+    else
+#endif
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
         return( ret );
@@ -3550,7 +3795,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
         }
 
-        MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_QP );
 
         if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
                                       &ssl->handshake->pmslen,
@@ -3562,7 +3808,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
         }
 
-        MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z  ", &ssl->handshake->ecdh_ctx.z );
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_Z );
     }
     else
 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
@@ -3596,6 +3843,19 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
     if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
     {
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+        if ( ssl->handshake->async_in_progress != 0 )
+        {
+            /* There is an asynchronous operation in progress to
+             * decrypt the encrypted premaster secret, so skip
+             * directly to resuming this operation. */
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK identity already parsed" ) );
+            /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
+             * won't actually use it, but maintain p anyway for robustness. */
+            p += ssl->conf->psk_identity_len + 2;
+        }
+        else
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
         {
             MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
@@ -3662,7 +3922,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
         }
 
-        MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_QP );
 
         if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
                         ciphersuite_info->key_exchange ) ) != 0 )
@@ -3781,21 +4042,10 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
     }
 
     /* Read the message without adding it to the checksum */
-    do {
-
-        if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 )
-        {
-            MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
-            return( ret );
-        }
-
-        ret = mbedtls_ssl_handle_message_type( ssl );
-
-    } while( MBEDTLS_ERR_SSL_NON_FATAL == ret );
-
+    ret = mbedtls_ssl_read_record( ssl, 0 /* no checksum update */ );
     if( 0 != ret )
     {
-        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
+        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record" ), ret );
         return( ret );
     }
 
@@ -3961,7 +4211,7 @@ static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
     if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
                                 ssl->session_negotiate,
                                 ssl->out_msg + 10,
-                                ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
+                                ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
                                 &tlen, &lifetime ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
@@ -3984,9 +4234,9 @@ static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
      */
     ssl->handshake->new_session_ticket = 0;
 
-    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
     {
-        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
         return( ret );
     }
 
@@ -4015,10 +4265,10 @@ int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
         ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
     {
-        if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
+        if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
             return( ret );
     }
-#endif
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
 
     switch( ssl->state )
     {
diff --git a/3rdparty/mbedtls/mbedtls/library/ssl_ticket.c b/3rdparty/mbedtls/mbedtls/library/ssl_ticket.c
index 555c7b63bf..8492c19a8c 100644
--- a/3rdparty/mbedtls/mbedtls/library/ssl_ticket.c
+++ b/3rdparty/mbedtls/mbedtls/library/ssl_ticket.c
@@ -36,14 +36,10 @@
 #endif
 
 #include "mbedtls/ssl_ticket.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 /*
  * Initialze context
  */
@@ -83,7 +79,7 @@ static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
                                  mbedtls_cipher_get_key_bitlen( &key->ctx ),
                                  MBEDTLS_ENCRYPT );
 
-    mbedtls_zeroize( buf, sizeof( buf ) );
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
 
     return( ret );
 }
@@ -483,7 +479,7 @@ void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx )
     mbedtls_mutex_free( &ctx->mutex );
 #endif
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) );
 }
 
 #endif /* MBEDTLS_SSL_TICKET_C */
diff --git a/3rdparty/mbedtls/mbedtls/library/ssl_tls.c b/3rdparty/mbedtls/mbedtls/library/ssl_tls.c
index 1270ee9b85..38690fa664 100644
--- a/3rdparty/mbedtls/mbedtls/library/ssl_tls.c
+++ b/3rdparty/mbedtls/mbedtls/library/ssl_tls.c
@@ -46,6 +46,7 @@
 #include "mbedtls/debug.h"
 #include "mbedtls/ssl.h"
 #include "mbedtls/ssl_internal.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -53,10 +54,8 @@
 #include "mbedtls/oid.h"
 #endif
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
+static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
+static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
 
 /* Length of the "epoch" field in the record header */
 static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
@@ -100,7 +99,101 @@ static int ssl_check_timer( mbedtls_ssl_context *ssl )
     return( 0 );
 }
 
+static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
+                                     mbedtls_ssl_transform *transform );
+static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
+                                    mbedtls_ssl_transform *transform );
+
+#define SSL_DONT_FORCE_FLUSH 0
+#define SSL_FORCE_FLUSH      1
+
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+/* Forward declarations for functions related to message buffering. */
+static void ssl_buffering_free( mbedtls_ssl_context *ssl );
+static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
+                                     uint8_t slot );
+static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
+static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
+static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
+static int ssl_buffer_message( mbedtls_ssl_context *ssl );
+static int ssl_buffer_future_record( mbedtls_ssl_context *ssl );
+static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
+
+static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
+static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
+{
+    size_t mtu = ssl_get_current_mtu( ssl );
+
+    if( mtu != 0 && mtu < MBEDTLS_SSL_OUT_BUFFER_LEN )
+        return( mtu );
+
+    return( MBEDTLS_SSL_OUT_BUFFER_LEN );
+}
+
+static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
+{
+    size_t const bytes_written = ssl->out_left;
+    size_t const mtu           = ssl_get_maximum_datagram_size( ssl );
+
+    /* Double-check that the write-index hasn't gone
+     * past what we can transmit in a single datagram. */
+    if( bytes_written > mtu )
+    {
+        /* Should never happen... */
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    return( (int) ( mtu - bytes_written ) );
+}
+
+static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
+{
+    int ret;
+    size_t remaining, expansion;
+    size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
+
+    if( max_len > mfl )
+        max_len = mfl;
+
+    /* By the standard (RFC 6066 Sect. 4), the MFL extension
+     * only limits the maximum record payload size, so in theory
+     * we would be allowed to pack multiple records of payload size
+     * MFL into a single datagram. However, this would mean that there's
+     * no way to explicitly communicate MTU restrictions to the peer.
+     *
+     * The following reduction of max_len makes sure that we never
+     * write datagrams larger than MFL + Record Expansion Overhead.
+     */
+    if( max_len <= ssl->out_left )
+        return( 0 );
+
+    max_len -= ssl->out_left;
+#endif
+
+    ret = ssl_get_remaining_space_in_datagram( ssl );
+    if( ret < 0 )
+        return( ret );
+    remaining = (size_t) ret;
+
+    ret = mbedtls_ssl_get_record_expansion( ssl );
+    if( ret < 0 )
+        return( ret );
+    expansion = (size_t) ret;
+
+    if( remaining <= expansion )
+        return( 0 );
+
+    remaining -= expansion;
+    if( remaining >= max_len )
+        remaining = max_len;
+
+    return( (int) remaining );
+}
+
 /*
  * Double the retransmit timeout value, within the allowed range,
  * returning -1 if the maximum value has already been reached.
@@ -112,6 +205,18 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
     if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
         return( -1 );
 
+    /* Implement the final paragraph of RFC 6347 section 4.1.1.1
+     * in the following way: after the initial transmission and a first
+     * retransmission, back off to a temporary estimated MTU of 508 bytes.
+     * This value is guaranteed to be deliverable (if not guaranteed to be
+     * delivered) of any compliant IPv4 (and IPv6) network, and should work
+     * on most non-IP stacks too. */
+    if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
+    {
+        ssl->handshake->mtu = 508;
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
+    }
+
     new_timeout = 2 * ssl->handshake->retransmit_timeout;
 
     /* Avoid arithmetic overflow and range overflow */
@@ -145,14 +250,24 @@ static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
  *    } MaxFragmentLength;
  * and we add 0 -> extension unused
  */
-static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] =
+static unsigned int ssl_mfl_code_to_length( int mfl )
 {
-    MBEDTLS_SSL_MAX_CONTENT_LEN,    /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */
-    512,                    /* MBEDTLS_SSL_MAX_FRAG_LEN_512  */
-    1024,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */
-    2048,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */
-    4096,                   /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */
-};
+    switch( mfl )
+    {
+    case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
+        return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
+    case MBEDTLS_SSL_MAX_FRAG_LEN_512:
+        return 512;
+    case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
+        return 1024;
+    case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
+        return 2048;
+    case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
+        return 4096;
+    default:
+        return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
+    }
+}
 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
 
 #if defined(MBEDTLS_SSL_CLI_C)
@@ -269,8 +384,8 @@ static int ssl3_prf( const unsigned char *secret, size_t slen,
     mbedtls_md5_free(  &md5  );
     mbedtls_sha1_free( &sha1 );
 
-    mbedtls_zeroize( padding, sizeof( padding ) );
-    mbedtls_zeroize( sha1sum, sizeof( sha1sum ) );
+    mbedtls_platform_zeroize( padding, sizeof( padding ) );
+    mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
 
     return( ret );
 }
@@ -367,8 +482,8 @@ static int tls1_prf( const unsigned char *secret, size_t slen,
 
     mbedtls_md_free( &md_ctx );
 
-    mbedtls_zeroize( tmp, sizeof( tmp ) );
-    mbedtls_zeroize( h_i, sizeof( h_i ) );
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
 
     return( 0 );
 }
@@ -432,8 +547,8 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
 
     mbedtls_md_free( &md_ctx );
 
-    mbedtls_zeroize( tmp, sizeof( tmp ) );
-    mbedtls_zeroize( h_i, sizeof( h_i ) );
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
 
     return( 0 );
 }
@@ -642,7 +757,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
             return( ret );
         }
 
-        mbedtls_zeroize( handshake->premaster, sizeof(handshake->premaster) );
+        mbedtls_platform_zeroize( handshake->premaster,
+                                  sizeof(handshake->premaster) );
     }
     else
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
@@ -653,7 +769,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
     memcpy( tmp, handshake->randbytes, 64 );
     memcpy( handshake->randbytes, tmp + 32, 32 );
     memcpy( handshake->randbytes + 32, tmp, 32 );
-    mbedtls_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
 
     /*
      *  SSLv3:
@@ -681,7 +797,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
     MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
     MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
 
-    mbedtls_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) );
+    mbedtls_platform_zeroize( handshake->randbytes,
+                              sizeof( handshake->randbytes ) );
 
     /*
      * Determine the appropriate key, IV and MAC length.
@@ -690,18 +807,32 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
     transform->keylen = cipher_info->key_bitlen / 8;
 
     if( cipher_info->mode == MBEDTLS_MODE_GCM ||
-        cipher_info->mode == MBEDTLS_MODE_CCM )
+        cipher_info->mode == MBEDTLS_MODE_CCM ||
+        cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
     {
+        size_t taglen, explicit_ivlen;
+
         transform->maclen = 0;
         mac_key_len = 0;
 
+        /* All modes haves 96-bit IVs;
+         * GCM and CCM has 4 implicit and 8 explicit bytes
+         * ChachaPoly has all 12 bytes implicit
+         */
         transform->ivlen = 12;
-        transform->fixed_ivlen = 4;
+        if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
+            transform->fixed_ivlen = 12;
+        else
+            transform->fixed_ivlen = 4;
+
+        /* All modes have 128-bit tags, except CCM_8 (ciphersuite flag) */
+        taglen = transform->ciphersuite_info->flags &
+                  MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
 
-        /* Minimum length is expicit IV + tag */
-        transform->minlen = transform->ivlen - transform->fixed_ivlen
-                            + ( transform->ciphersuite_info->flags &
-                                MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 );
+
+        /* Minimum length of encrypted record */
+        explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
+        transform->minlen = explicit_ivlen + taglen;
     }
     else
     {
@@ -948,7 +1079,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
     }
 #endif /* MBEDTLS_CIPHER_MODE_CBC */
 
-    mbedtls_zeroize( keyblk, sizeof( keyblk ) );
+    mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
 
 #if defined(MBEDTLS_ZLIB_SUPPORT)
     // Initialize compression
@@ -958,11 +1089,11 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
         if( ssl->compress_buf == NULL )
         {
             MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
-            ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN );
+            ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
             if( ssl->compress_buf == NULL )
             {
                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
-                                    MBEDTLS_SSL_BUFFER_LEN ) );
+                                    MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) );
                 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
             }
         }
@@ -1202,7 +1333,8 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch
         *(p++) = (unsigned char)( zlen      );
         p += zlen;
 
-        MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_Z );
     }
     else
 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
@@ -1277,7 +1409,7 @@ static void ssl_mac( mbedtls_md_context_t *md_ctx,
 
 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) ||     \
     ( defined(MBEDTLS_CIPHER_MODE_CBC) &&                                  \
-      ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) )
+      ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C)) )
 #define SSL_SOME_MODES_USE_MAC
 #endif
 
@@ -1323,14 +1455,6 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
     MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
                       ssl->out_msg, ssl->out_msglen );
 
-    if( ssl->out_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d",
-                                    (unsigned) ssl->out_msglen,
-                                    MBEDTLS_SSL_MAX_CONTENT_LEN ) );
-        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-    }
-
     /*
      * Add MAC before if needed
      */
@@ -1420,17 +1544,26 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
     }
     else
 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
-#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
+#if defined(MBEDTLS_GCM_C) || \
+    defined(MBEDTLS_CCM_C) || \
+    defined(MBEDTLS_CHACHAPOLY_C)
     if( mode == MBEDTLS_MODE_GCM ||
-        mode == MBEDTLS_MODE_CCM )
+        mode == MBEDTLS_MODE_CCM ||
+        mode == MBEDTLS_MODE_CHACHAPOLY )
     {
         int ret;
         size_t enc_msglen, olen;
         unsigned char *enc_msg;
         unsigned char add_data[13];
-        unsigned char taglen = ssl->transform_out->ciphersuite_info->flags &
+        unsigned char iv[12];
+        mbedtls_ssl_transform *transform = ssl->transform_out;
+        unsigned char taglen = transform->ciphersuite_info->flags &
                                MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+        size_t explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
 
+        /*
+         * Prepare additional authenticated data
+         */
         memcpy( add_data, ssl->out_ctr, 8 );
         add_data[8]  = ssl->out_msgtype;
         mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
@@ -1438,44 +1571,57 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
         add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
         add_data[12] = ssl->out_msglen & 0xFF;
 
-        MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
-                       add_data, 13 );
+        MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
 
         /*
          * Generate IV
          */
-        if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
+        if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
+        {
+            /* GCM and CCM: fixed || explicit (=seqnum) */
+            memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
+            memcpy( iv + transform->fixed_ivlen, ssl->out_ctr, 8 );
+            memcpy( ssl->out_iv, ssl->out_ctr, 8 );
+
+        }
+        else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
+        {
+            /* ChachaPoly: fixed XOR sequence number */
+            unsigned char i;
+
+            memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
+
+            for( i = 0; i < 8; i++ )
+                iv[i+4] ^= ssl->out_ctr[i];
+        }
+        else
         {
             /* Reminder if we ever add an AEAD mode with a different size */
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
         }
 
-        memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
-                             ssl->out_ctr, 8 );
-        memcpy( ssl->out_iv, ssl->out_ctr, 8 );
-
-        MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
-                ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
+        MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
+                                  iv, transform->ivlen );
+        MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
+                                  ssl->out_iv, explicit_ivlen );
 
         /*
-         * Fix pointer positions and message length with added IV
+         * Fix message length with added IV
          */
         enc_msg = ssl->out_msg;
         enc_msglen = ssl->out_msglen;
-        ssl->out_msglen += ssl->transform_out->ivlen -
-                           ssl->transform_out->fixed_ivlen;
+        ssl->out_msglen += explicit_ivlen;
 
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
-                            "including %d bytes of padding",
-                       ssl->out_msglen, 0 ) );
+                                    "including 0 bytes of padding",
+                                    ssl->out_msglen ) );
 
         /*
          * Encrypt and authenticate
          */
-        if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc,
-                                         ssl->transform_out->iv_enc,
-                                         ssl->transform_out->ivlen,
+        if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
+                                         iv, transform->ivlen,
                                          add_data, 13,
                                          enc_msg, enc_msglen,
                                          enc_msg, &olen,
@@ -1499,7 +1645,7 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
     else
 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
 #if defined(MBEDTLS_CIPHER_MODE_CBC) &&                                    \
-    ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) )
+    ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
     if( mode == MBEDTLS_MODE_CBC )
     {
         int ret;
@@ -1619,7 +1765,7 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
     }
     else
 #endif /* MBEDTLS_CIPHER_MODE_CBC &&
-          ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */
+          ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@@ -1639,7 +1785,6 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
 
 static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
 {
-    size_t i;
     mbedtls_cipher_mode_t mode;
     int auth_done = 0;
 #if defined(SSL_SOME_MODES_USE_MAC)
@@ -1689,20 +1834,27 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
     }
     else
 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
-#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
+#if defined(MBEDTLS_GCM_C) || \
+    defined(MBEDTLS_CCM_C) || \
+    defined(MBEDTLS_CHACHAPOLY_C)
     if( mode == MBEDTLS_MODE_GCM ||
-        mode == MBEDTLS_MODE_CCM )
+        mode == MBEDTLS_MODE_CCM ||
+        mode == MBEDTLS_MODE_CHACHAPOLY )
     {
         int ret;
         size_t dec_msglen, olen;
         unsigned char *dec_msg;
         unsigned char *dec_msg_result;
         unsigned char add_data[13];
-        unsigned char taglen = ssl->transform_in->ciphersuite_info->flags &
+        unsigned char iv[12];
+        mbedtls_ssl_transform *transform = ssl->transform_in;
+        unsigned char taglen = transform->ciphersuite_info->flags &
                                MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
-        size_t explicit_iv_len = ssl->transform_in->ivlen -
-                                 ssl->transform_in->fixed_ivlen;
+        size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
 
+        /*
+         * Compute and update sizes
+         */
         if( ssl->in_msglen < explicit_iv_len + taglen )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
@@ -1716,6 +1868,9 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
         dec_msg_result = ssl->in_msg;
         ssl->in_msglen = dec_msglen;
 
+        /*
+         * Prepare additional authenticated data
+         */
         memcpy( add_data, ssl->in_ctr, 8 );
         add_data[8]  = ssl->in_msgtype;
         mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
@@ -1723,23 +1878,43 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
         add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
         add_data[12] = ssl->in_msglen & 0xFF;
 
-        MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
-                       add_data, 13 );
+        MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
+
+        /*
+         * Prepare IV
+         */
+        if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
+        {
+            /* GCM and CCM: fixed || explicit (transmitted) */
+            memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
+            memcpy( iv + transform->fixed_ivlen, ssl->in_iv, 8 );
+
+        }
+        else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
+        {
+            /* ChachaPoly: fixed XOR sequence number */
+            unsigned char i;
+
+            memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
 
-        memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
-                ssl->in_iv,
-                ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
+            for( i = 0; i < 8; i++ )
+                iv[i+4] ^= ssl->in_ctr[i];
+        }
+        else
+        {
+            /* Reminder if we ever add an AEAD mode with a different size */
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
 
-        MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
-                                     ssl->transform_in->ivlen );
+        MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
         MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
 
         /*
          * Decrypt and authenticate
          */
         if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
-                                         ssl->transform_in->iv_dec,
-                                         ssl->transform_in->ivlen,
+                                         iv, transform->ivlen,
                                          add_data, 13,
                                          dec_msg, dec_msglen,
                                          dec_msg_result, &olen,
@@ -1763,7 +1938,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
     else
 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
 #if defined(MBEDTLS_CIPHER_MODE_CBC) &&                                    \
-    ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) )
+    ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
     if( mode == MBEDTLS_MODE_CBC )
     {
         /*
@@ -1857,6 +2032,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
          */
         if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
         {
+            unsigned char i;
             dec_msglen -= ssl->transform_in->ivlen;
             ssl->in_msglen -= ssl->transform_in->ivlen;
 
@@ -1931,19 +2107,20 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
              */
             size_t pad_count = 0, real_count = 1;
             size_t padding_idx = ssl->in_msglen - padlen;
+            size_t i;
 
             /*
              * Padding is guaranteed to be incorrect if:
              *   1. padlen > ssl->in_msglen
              *
-             *   2. padding_idx > MBEDTLS_SSL_MAX_CONTENT_LEN +
+             *   2. padding_idx > MBEDTLS_SSL_IN_CONTENT_LEN +
              *                     ssl->transform_in->maclen
              *
              * In both cases we reset padding_idx to a safe value (0) to
              * prevent out-of-buffer reads.
              */
             correct &= ( padlen <= ssl->in_msglen );
-            correct &= ( padding_idx <= MBEDTLS_SSL_MAX_CONTENT_LEN +
+            correct &= ( padding_idx <= MBEDTLS_SSL_IN_CONTENT_LEN +
                                        ssl->transform_in->maclen );
 
             padding_idx *= correct;
@@ -1975,7 +2152,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
     }
     else
 #endif /* MBEDTLS_CIPHER_MODE_CBC &&
-          ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */
+          ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@@ -2183,6 +2360,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
     else
 #endif
     {
+        unsigned char i;
         for( i = 8; i > ssl_ep_len( ssl ); i-- )
             if( ++ssl->in_ctr[i - 1] != 0 )
                 break;
@@ -2232,7 +2410,7 @@ static int ssl_compress_buf( mbedtls_ssl_context *ssl )
     ssl->transform_out->ctx_deflate.next_in = msg_pre;
     ssl->transform_out->ctx_deflate.avail_in = len_pre;
     ssl->transform_out->ctx_deflate.next_out = msg_post;
-    ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN - bytes_written;
+    ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_OUT_BUFFER_LEN - bytes_written;
 
     ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
     if( ret != Z_OK )
@@ -2241,7 +2419,7 @@ static int ssl_compress_buf( mbedtls_ssl_context *ssl )
         return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
     }
 
-    ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN -
+    ssl->out_msglen = MBEDTLS_SSL_OUT_BUFFER_LEN -
                       ssl->transform_out->ctx_deflate.avail_out - bytes_written;
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
@@ -2279,7 +2457,7 @@ static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
     ssl->transform_in->ctx_inflate.next_in = msg_pre;
     ssl->transform_in->ctx_inflate.avail_in = len_pre;
     ssl->transform_in->ctx_inflate.next_out = msg_post;
-    ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_BUFFER_LEN -
+    ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_IN_BUFFER_LEN -
                                                header_bytes;
 
     ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
@@ -2289,7 +2467,7 @@ static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
         return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
     }
 
-    ssl->in_msglen = MBEDTLS_SSL_BUFFER_LEN -
+    ssl->in_msglen = MBEDTLS_SSL_IN_BUFFER_LEN -
                      ssl->transform_in->ctx_inflate.avail_out - header_bytes;
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
@@ -2364,7 +2542,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
     }
 
-    if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
+    if( nb_want > MBEDTLS_SSL_IN_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@@ -2444,10 +2622,13 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
          * that will end up being dropped.
          */
         if( ssl_check_timer( ssl ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
             ret = MBEDTLS_ERR_SSL_TIMEOUT;
+        }
         else
         {
-            len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
+            len = MBEDTLS_SSL_IN_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
 
             if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
                 timeout = ssl->handshake->retransmit_timeout;
@@ -2569,7 +2750,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
 {
     int ret;
-    unsigned char *buf, i;
+    unsigned char *buf;
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
 
@@ -2592,8 +2773,7 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
         MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
                        mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
 
-        buf = ssl->out_hdr + mbedtls_ssl_hdr_len( ssl ) +
-              ssl->out_msglen - ssl->out_left;
+        buf = ssl->out_hdr - ssl->out_left;
         ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
 
         MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
@@ -2612,16 +2792,17 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
         ssl->out_left -= ret;
     }
 
-    for( i = 8; i > ssl_ep_len( ssl ); i-- )
-        if( ++ssl->out_ctr[i - 1] != 0 )
-            break;
-
-    /* The loop goes to its end iff the counter is wrapping */
-    if( i == ssl_ep_len( ssl ) )
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
     {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
-        return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
+        ssl->out_hdr = ssl->out_buf;
+    }
+    else
+#endif
+    {
+        ssl->out_hdr = ssl->out_buf + 8;
     }
+    ssl_update_out_pointers( ssl, ssl->transform_out );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
 
@@ -2638,6 +2819,9 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
 static int ssl_flight_append( mbedtls_ssl_context *ssl )
 {
     mbedtls_ssl_flight_item *msg;
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );
+    MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",
+                           ssl->out_msg, ssl->out_msglen );
 
     /* Allocate space for current message */
     if( ( msg = mbedtls_calloc( 1, sizeof(  mbedtls_ssl_flight_item ) ) ) == NULL )
@@ -2671,6 +2855,7 @@ static int ssl_flight_append( mbedtls_ssl_context *ssl )
         cur->next = msg;
     }
 
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );
     return( 0 );
 }
 
@@ -2719,19 +2904,12 @@ static void ssl_swap_epochs( mbedtls_ssl_context *ssl )
     ssl->handshake->alt_transform_out = tmp_transform;
 
     /* Swap epoch + sequence_number */
-    memcpy( tmp_out_ctr,                 ssl->out_ctr,                8 );
-    memcpy( ssl->out_ctr,                ssl->handshake->alt_out_ctr, 8 );
+    memcpy( tmp_out_ctr,                 ssl->cur_out_ctr,            8 );
+    memcpy( ssl->cur_out_ctr,            ssl->handshake->alt_out_ctr, 8 );
     memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr,                 8 );
 
     /* Adjust to the newly activated transform */
-    if( ssl->transform_out != NULL &&
-        ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
-    {
-        ssl->out_msg = ssl->out_iv + ssl->transform_out->ivlen -
-                                     ssl->transform_out->fixed_ivlen;
-    }
-    else
-        ssl->out_msg = ssl->out_iv;
+    ssl_update_out_pointers( ssl, ssl->transform_out );
 
 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
     if( mbedtls_ssl_hw_record_activate != NULL )
@@ -2747,20 +2925,38 @@ static void ssl_swap_epochs( mbedtls_ssl_context *ssl )
 
 /*
  * Retransmit the current flight of messages.
+ */
+int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
+
+    ret = mbedtls_ssl_flight_transmit( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
+
+    return( ret );
+}
+
+/*
+ * Transmit or retransmit the current flight of messages.
  *
  * Need to remember the current message in case flush_output returns
  * WANT_WRITE, causing us to exit this function and come back later.
  * This function must be called until state is no longer SENDING.
  */
-int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
+int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
 {
-    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
+    int ret;
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );
 
     if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
     {
-        MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise resending" ) );
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );
 
         ssl->handshake->cur_msg = ssl->handshake->flight;
+        ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
         ssl_swap_epochs( ssl );
 
         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
@@ -2768,33 +2964,129 @@ int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
 
     while( ssl->handshake->cur_msg != NULL )
     {
-        int ret;
-        mbedtls_ssl_flight_item *cur = ssl->handshake->cur_msg;
+        size_t max_frag_len;
+        const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
+
+        int const is_finished =
+            ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
+              cur->p[0] == MBEDTLS_SSL_HS_FINISHED );
+
+        uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
+            SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
 
         /* Swap epochs before sending Finished: we can't do it after
          * sending ChangeCipherSpec, in case write returns WANT_READ.
          * Must be done before copying, may change out_msg pointer */
-        if( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
-            cur->p[0] == MBEDTLS_SSL_HS_FINISHED )
+        if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )
         {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );
             ssl_swap_epochs( ssl );
         }
 
-        memcpy( ssl->out_msg, cur->p, cur->len );
-        ssl->out_msglen = cur->len;
-        ssl->out_msgtype = cur->type;
+        ret = ssl_get_remaining_payload_in_datagram( ssl );
+        if( ret < 0 )
+            return( ret );
+        max_frag_len = (size_t) ret;
+
+        /* CCS is copied as is, while HS messages may need fragmentation */
+        if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
+        {
+            if( max_frag_len == 0 )
+            {
+                if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+                    return( ret );
+
+                continue;
+            }
+
+            memcpy( ssl->out_msg, cur->p, cur->len );
+            ssl->out_msglen  = cur->len;
+            ssl->out_msgtype = cur->type;
+
+            /* Update position inside current message */
+            ssl->handshake->cur_msg_p += cur->len;
+        }
+        else
+        {
+            const unsigned char * const p = ssl->handshake->cur_msg_p;
+            const size_t hs_len = cur->len - 12;
+            const size_t frag_off = p - ( cur->p + 12 );
+            const size_t rem_len = hs_len - frag_off;
+            size_t cur_hs_frag_len, max_hs_frag_len;
+
+            if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )
+            {
+                if( is_finished )
+                    ssl_swap_epochs( ssl );
+
+                if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+                    return( ret );
+
+                continue;
+            }
+            max_hs_frag_len = max_frag_len - 12;
+
+            cur_hs_frag_len = rem_len > max_hs_frag_len ?
+                max_hs_frag_len : rem_len;
+
+            if( frag_off == 0 && cur_hs_frag_len != hs_len )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
+                                            (unsigned) cur_hs_frag_len,
+                                            (unsigned) max_hs_frag_len ) );
+            }
+
+            /* Messages are stored with handshake headers as if not fragmented,
+             * copy beginning of headers then fill fragmentation fields.
+             * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
+            memcpy( ssl->out_msg, cur->p, 6 );
+
+            ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff );
+            ssl->out_msg[7] = ( ( frag_off >>  8 ) & 0xff );
+            ssl->out_msg[8] = ( ( frag_off       ) & 0xff );
 
-        ssl->handshake->cur_msg = cur->next;
+            ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff );
+            ssl->out_msg[10] = ( ( cur_hs_frag_len >>  8 ) & 0xff );
+            ssl->out_msg[11] = ( ( cur_hs_frag_len       ) & 0xff );
 
-        MBEDTLS_SSL_DEBUG_BUF( 3, "resent handshake message header", ssl->out_msg, 12 );
+            MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
+
+            /* Copy the handshake message content and set records fields */
+            memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );
+            ssl->out_msglen = cur_hs_frag_len + 12;
+            ssl->out_msgtype = cur->type;
+
+            /* Update position inside current message */
+            ssl->handshake->cur_msg_p += cur_hs_frag_len;
+        }
+
+        /* If done with the current message move to the next one if any */
+        if( ssl->handshake->cur_msg_p >= cur->p + cur->len )
+        {
+            if( cur->next != NULL )
+            {
+                ssl->handshake->cur_msg = cur->next;
+                ssl->handshake->cur_msg_p = cur->next->p + 12;
+            }
+            else
+            {
+                ssl->handshake->cur_msg = NULL;
+                ssl->handshake->cur_msg_p = NULL;
+            }
+        }
 
-        if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+        /* Actually send the message out */
+        if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
         {
             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
             return( ret );
         }
     }
 
+    if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+        return( ret );
+
+    /* Update state and set timer */
     if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
     else
@@ -2803,7 +3095,7 @@ int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
         ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
     }
 
-    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
 
     return( 0 );
 }
@@ -2821,6 +3113,12 @@ void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
     /* The next incoming flight will start with this msg_seq */
     ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
 
+    /* We don't want to remember CCS's across flight boundaries. */
+    ssl->handshake->buffering.seen_ccs = 0;
+
+    /* Clear future message buffering structure. */
+    ssl_buffering_free( ssl );
+
     /* Cancel timer */
     ssl_set_timer( ssl, 0 );
 
@@ -2852,43 +3150,102 @@ void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 
 /*
- * Record layer functions
+ * Handshake layer functions
  */
 
 /*
- * Write current record.
- * Uses ssl->out_msgtype, ssl->out_msglen and bytes at ssl->out_msg.
+ * Write (DTLS: or queue) current handshake (including CCS) message.
+ *
+ *  - fill in handshake headers
+ *  - update handshake checksum
+ *  - DTLS: save message for resending
+ *  - then pass to the record layer
+ *
+ * DTLS: except for HelloRequest, messages are only queued, and will only be
+ * actually sent when calling flight_transmit() or resend().
+ *
+ * Inputs:
+ *  - ssl->out_msglen: 4 + actual handshake message len
+ *      (4 is the size of handshake headers for TLS)
+ *  - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
+ *  - ssl->out_msg + 4: the handshake message body
+ *
+ * Outputs, ie state before passing to flight_append() or write_record():
+ *   - ssl->out_msglen: the length of the record contents
+ *      (including handshake headers but excluding record headers)
+ *   - ssl->out_msg: the record contents (handshake headers + content)
  */
-int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl )
+int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
 {
-    int ret, done = 0, out_msg_type;
-    size_t len = ssl->out_msglen;
+    int ret;
+    const size_t hs_len = ssl->out_msglen - 4;
+    const unsigned char hs_type = ssl->out_msg[0];
 
-    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );
+
+    /*
+     * Sanity checks
+     */
+    if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE          &&
+        ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
+    {
+        /* In SSLv3, the client might send a NoCertificate alert. */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
+        if( ! ( ssl->minor_ver      == MBEDTLS_SSL_MINOR_VERSION_0 &&
+                ssl->out_msgtype    == MBEDTLS_SSL_MSG_ALERT       &&
+                ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) )
+#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+    }
+
+    /* Whenever we send anything different from a
+     * HelloRequest we should be in a handshake - double check. */
+    if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+            hs_type          == MBEDTLS_SSL_HS_HELLO_REQUEST ) &&
+        ssl->handshake == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
 
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
         ssl->handshake != NULL &&
         ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
     {
-        ; /* Skip special handshake treatment when resending */
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
     }
-    else
 #endif
-    if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
-    {
-        out_msg_type = ssl->out_msg[0];
 
-        if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST &&
-            ssl->handshake == NULL )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
-        }
+    /* Double-check that we did not exceed the bounds
+     * of the outgoing record buffer.
+     * This should never fail as the various message
+     * writing functions must obey the bounds of the
+     * outgoing record buffer, but better be safe.
+     *
+     * Note: We deliberately do not check for the MTU or MFL here.
+     */
+    if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
+                                    "size %u, maximum %u",
+                                    (unsigned) ssl->out_msglen,
+                                    (unsigned) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
 
-        ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
-        ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >>  8 );
-        ssl->out_msg[3] = (unsigned char)( ( len - 4 )       );
+    /*
+     * Fill handshake headers
+     */
+    if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        ssl->out_msg[1] = (unsigned char)( hs_len >> 16 );
+        ssl->out_msg[2] = (unsigned char)( hs_len >>  8 );
+        ssl->out_msg[3] = (unsigned char)( hs_len       );
 
         /*
          * DTLS has additional fields in the Handshake layer,
@@ -2901,21 +3258,20 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl )
         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
         {
             /* Make room for the additional DTLS fields */
-            if( MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen < 8 )
+            if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
             {
                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
                               "size %u, maximum %u",
-                               (unsigned) ( ssl->in_hslen - 4 ),
-                               (unsigned) ( MBEDTLS_SSL_MAX_CONTENT_LEN - 12 ) ) );
+                               (unsigned) ( hs_len ),
+                               (unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
                 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
             }
 
-            memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 );
+            memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );
             ssl->out_msglen += 8;
-            len += 8;
 
             /* Write message_seq and update it, except for HelloRequest */
-            if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
+            if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
             {
                 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
                 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq      ) & 0xFF;
@@ -2927,23 +3283,23 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl )
                 ssl->out_msg[5] = 0;
             }
 
-            /* We don't fragment, so frag_offset = 0 and frag_len = len */
+            /* Handshake hashes are computed without fragmentation,
+             * so set frag_offset = 0 and frag_len = hs_len for now */
             memset( ssl->out_msg + 6, 0x00, 3 );
             memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
         }
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 
-        if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
-            ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
+        /* Update running hashes of handshake messages seen */
+        if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
+            ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
     }
 
-    /* Save handshake and CCS messages for resending */
+    /* Either send now, or just save to be sent (and resent) later */
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
-        ssl->handshake != NULL &&
-        ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING &&
-        ( ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ||
-          ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) )
+        ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+            hs_type          == MBEDTLS_SSL_HS_HELLO_REQUEST ) )
     {
         if( ( ret = ssl_flight_append( ssl ) ) != 0 )
         {
@@ -2951,7 +3307,40 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl )
             return( ret );
         }
     }
+    else
 #endif
+    {
+        if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
+            return( ret );
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );
+
+    return( 0 );
+}
+
+/*
+ * Record layer functions
+ */
+
+/*
+ * Write current record.
+ *
+ * Uses:
+ *  - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
+ *  - ssl->out_msglen: length of the record content (excl headers)
+ *  - ssl->out_msg: record content
+ */
+int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
+{
+    int ret, done = 0;
+    size_t len = ssl->out_msglen;
+    uint8_t flush = force_flush;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
 
 #if defined(MBEDTLS_ZLIB_SUPPORT)
     if( ssl->transform_out != NULL &&
@@ -2985,10 +3374,14 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
     if( !done )
     {
+        unsigned i;
+        size_t protected_record_size;
+
         ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
         mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
                            ssl->conf->transport, ssl->out_hdr + 1 );
 
+        memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
         ssl->out_len[0] = (unsigned char)( len >> 8 );
         ssl->out_len[1] = (unsigned char)( len      );
 
@@ -3005,21 +3398,79 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl )
             ssl->out_len[1] = (unsigned char)( len      );
         }
 
-        ssl->out_left = mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen;
+        protected_record_size = len + mbedtls_ssl_hdr_len( ssl );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        /* In case of DTLS, double-check that we don't exceed
+         * the remaining space in the datagram. */
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        {
+            ret = ssl_get_remaining_space_in_datagram( ssl );
+            if( ret < 0 )
+                return( ret );
+
+            if( protected_record_size > (size_t) ret )
+            {
+                /* Should never happen */
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+        }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
 
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
-                            "version = [%d:%d], msglen = %d",
-                       ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
-                     ( ssl->out_len[0] << 8 ) | ssl->out_len[1] ) );
+                                    "version = [%d:%d], msglen = %d",
+                                    ssl->out_hdr[0], ssl->out_hdr[1],
+                                    ssl->out_hdr[2], len ) );
 
         MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
-                       ssl->out_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen );
-    }
+                               ssl->out_hdr, protected_record_size );
 
-    if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
-    {
-        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
-        return( ret );
+        ssl->out_left += protected_record_size;
+        ssl->out_hdr  += protected_record_size;
+        ssl_update_out_pointers( ssl, ssl->transform_out );
+
+        for( i = 8; i > ssl_ep_len( ssl ); i-- )
+            if( ++ssl->cur_out_ctr[i - 1] != 0 )
+                break;
+
+        /* The loop goes to its end iff the counter is wrapping */
+        if( i == ssl_ep_len( ssl ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
+            return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
+        }
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        flush == SSL_DONT_FORCE_FLUSH )
+    {
+        size_t remaining;
+        ret = ssl_get_remaining_payload_in_datagram( ssl );
+        if( ret < 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",
+                                   ret );
+            return( ret );
+        }
+
+        remaining = (size_t) ret;
+        if( remaining == 0 )
+        {
+            flush = SSL_FORCE_FLUSH;
+        }
+        else
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    if( ( flush == SSL_FORCE_FLUSH ) &&
+        ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
+        return( ret );
     }
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
@@ -3028,6 +3479,52 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl )
 }
 
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
+{
+    if( ssl->in_msglen < ssl->in_hslen ||
+        memcmp( ssl->in_msg + 6, "\0\0\0",        3 ) != 0 ||
+        memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
+    {
+        return( 1 );
+    }
+    return( 0 );
+}
+
+static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )
+{
+    return( ( ssl->in_msg[9] << 16  ) |
+            ( ssl->in_msg[10] << 8  ) |
+              ssl->in_msg[11] );
+}
+
+static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
+{
+    return( ( ssl->in_msg[6] << 16 ) |
+            ( ssl->in_msg[7] << 8  ) |
+              ssl->in_msg[8] );
+}
+
+static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
+{
+    uint32_t msg_len, frag_off, frag_len;
+
+    msg_len  = ssl_get_hs_total_len( ssl );
+    frag_off = ssl_get_hs_frag_off( ssl );
+    frag_len = ssl_get_hs_frag_len( ssl );
+
+    if( frag_off > msg_len )
+        return( -1 );
+
+    if( frag_len > msg_len - frag_off )
+        return( -1 );
+
+    if( frag_len + 12 > ssl->in_msglen )
+        return( -1 );
+
+    return( 0 );
+}
+
 /*
  * Mark bits in bitmask (used for DTLS HS reassembly)
  */
@@ -3089,162 +3586,29 @@ static int ssl_bitmask_check( unsigned char *mask, size_t len )
     return( 0 );
 }
 
-/*
- * Reassemble fragmented DTLS handshake messages.
- *
- * Use a temporary buffer for reassembly, divided in two parts:
- * - the first holds the reassembled message (including handshake header),
- * - the second holds a bitmask indicating which parts of the message
- *   (excluding headers) have been received so far.
- */
-static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl )
+/* msg_len does not include the handshake header */
+static size_t ssl_get_reassembly_buffer_size( size_t msg_len,
+                                              unsigned add_bitmap )
 {
-    unsigned char *msg, *bitmask;
-    size_t frag_len, frag_off;
-    size_t msg_len = ssl->in_hslen - 12; /* Without headers */
-
-    if( ssl->handshake == NULL )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "not supported outside handshake (for now)" ) );
-        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-    }
+    size_t alloc_len;
 
-    /*
-     * For first fragment, check size and allocate buffer
-     */
-    if( ssl->handshake->hs_msg == NULL )
-    {
-        size_t alloc_len;
-
-        MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
-                            msg_len ) );
-
-        if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) );
-            return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-        }
-
-        /* The bitmask needs one bit per byte of message excluding header */
-        alloc_len = 12 + msg_len + msg_len / 8 + ( msg_len % 8 != 0 );
-
-        ssl->handshake->hs_msg = mbedtls_calloc( 1, alloc_len );
-        if( ssl->handshake->hs_msg == NULL )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", alloc_len ) );
-            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
-        }
-
-        /* Prepare final header: copy msg_type, length and message_seq,
-         * then add standardised fragment_offset and fragment_length */
-        memcpy( ssl->handshake->hs_msg, ssl->in_msg, 6 );
-        memset( ssl->handshake->hs_msg + 6, 0, 3 );
-        memcpy( ssl->handshake->hs_msg + 9,
-                ssl->handshake->hs_msg + 1, 3 );
-    }
-    else
-    {
-        /* Make sure msg_type and length are consistent */
-        if( memcmp( ssl->handshake->hs_msg, ssl->in_msg, 4 ) != 0 )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment header mismatch" ) );
-            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
-        }
-    }
-
-    msg = ssl->handshake->hs_msg + 12;
-    bitmask = msg + msg_len;
-
-    /*
-     * Check and copy current fragment
-     */
-    frag_off = ( ssl->in_msg[6]  << 16 ) |
-               ( ssl->in_msg[7]  << 8  ) |
-                 ssl->in_msg[8];
-    frag_len = ( ssl->in_msg[9]  << 16 ) |
-               ( ssl->in_msg[10] << 8  ) |
-                 ssl->in_msg[11];
-
-    if( frag_off + frag_len > msg_len )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment offset/len: %d + %d > %d",
-                          frag_off, frag_len, msg_len ) );
-        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
-    }
-
-    if( frag_len + 12 > ssl->in_msglen )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment length: %d + 12 > %d",
-                          frag_len, ssl->in_msglen ) );
-        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
-    }
-
-    MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
-                        frag_off, frag_len ) );
-
-    memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
-    ssl_bitmask_set( bitmask, frag_off, frag_len );
-
-    /*
-     * Do we have the complete message by now?
-     * If yes, finalize it, else ask to read the next record.
-     */
-    if( ssl_bitmask_check( bitmask, msg_len ) != 0 )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 2, ( "message is not complete yet" ) );
-        return( MBEDTLS_ERR_SSL_WANT_READ );
-    }
-
-    MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake message completed" ) );
-
-    if( frag_len + 12 < ssl->in_msglen )
-    {
-        /*
-         * We'got more handshake messages in the same record.
-         * This case is not handled now because no know implementation does
-         * that and it's hard to test, so we prefer to fail cleanly for now.
-         */
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "last fragment not alone in its record" ) );
-        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
-    }
+    alloc_len  = 12;                                 /* Handshake header */
+    alloc_len += msg_len;                            /* Content buffer   */
 
-    if( ssl->in_left > ssl->next_record_offset )
-    {
-        /*
-         * We've got more data in the buffer after the current record,
-         * that we don't want to overwrite. Move it before writing the
-         * reassembled message, and adjust in_left and next_record_offset.
-         */
-        unsigned char *cur_remain = ssl->in_hdr + ssl->next_record_offset;
-        unsigned char *new_remain = ssl->in_msg + ssl->in_hslen;
-        size_t remain_len = ssl->in_left - ssl->next_record_offset;
-
-        /* First compute and check new lengths */
-        ssl->next_record_offset = new_remain - ssl->in_hdr;
-        ssl->in_left = ssl->next_record_offset + remain_len;
-
-        if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN -
-                           (size_t)( ssl->in_hdr - ssl->in_buf ) )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) );
-            return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
-        }
+    if( add_bitmap )
+        alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap       */
 
-        memmove( new_remain, cur_remain, remain_len );
-    }
-
-    memcpy( ssl->in_msg, ssl->handshake->hs_msg, ssl->in_hslen );
-
-    mbedtls_zeroize( ssl->handshake->hs_msg, ssl->in_hslen );
-    mbedtls_free( ssl->handshake->hs_msg );
-    ssl->handshake->hs_msg = NULL;
+    return( alloc_len );
+}
 
-    MBEDTLS_SSL_DEBUG_BUF( 3, "reassembled handshake message",
-                   ssl->in_msg, ssl->in_hslen );
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
 
-    return( 0 );
+static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )
+{
+    return( ( ssl->in_msg[1] << 16 ) |
+            ( ssl->in_msg[2] << 8  ) |
+              ssl->in_msg[3] );
 }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
 
 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
 {
@@ -3255,10 +3619,7 @@ int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
     }
 
-    ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + (
-                    ( ssl->in_msg[1] << 16 ) |
-                    ( ssl->in_msg[2] << 8  ) |
-                      ssl->in_msg[3] );
+    ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
                         " %d, type = %d, hslen = %d",
@@ -3270,10 +3631,26 @@ int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
         int ret;
         unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
 
-        /* ssl->handshake is NULL when receiving ClientHello for renego */
+        if( ssl_check_hs_header( ssl ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+
         if( ssl->handshake != NULL &&
-            recv_msg_seq != ssl->handshake->in_msg_seq )
+            ( ( ssl->state   != MBEDTLS_SSL_HANDSHAKE_OVER &&
+                recv_msg_seq != ssl->handshake->in_msg_seq ) ||
+              ( ssl->state  == MBEDTLS_SSL_HANDSHAKE_OVER &&
+                ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
         {
+            if( recv_msg_seq > ssl->handshake->in_msg_seq )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",
+                                            recv_msg_seq,
+                                            ssl->handshake->in_msg_seq ) );
+                return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
+            }
+
             /* Retransmit only on last message from previous flight, to avoid
              * too many retransmissions.
              * Besides, No sane server ever retransmits HelloVerifyRequest */
@@ -3299,24 +3676,18 @@ int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
                                     ssl->handshake->in_msg_seq ) );
             }
 
-            return( MBEDTLS_ERR_SSL_WANT_READ );
+            return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
         }
         /* Wait until message completion to increment in_msg_seq */
 
-        /* Reassemble if current message is fragmented or reassembly is
-         * already in progress */
-        if( ssl->in_msglen < ssl->in_hslen ||
-            memcmp( ssl->in_msg + 6, "\0\0\0",        3 ) != 0 ||
-            memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 ||
-            ( ssl->handshake != NULL && ssl->handshake->hs_msg != NULL ) )
+        /* Message reassembly is handled alongside buffering of future
+         * messages; the commonality is that both handshake fragments and
+         * future messages cannot be forwarded immediately to the
+         * handshake logic layer. */
+        if( ssl_hs_is_proper_fragment( ssl ) == 1 )
         {
             MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
-
-            if( ( ret = ssl_reassemble_dtls_handshake( ssl ) ) != 0 )
-            {
-                MBEDTLS_SSL_DEBUG_RET( 1, "ssl_reassemble_dtls_handshake", ret );
-                return( ret );
-            }
+            return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
         }
     }
     else
@@ -3333,9 +3704,9 @@ int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
 
 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
 {
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
 
-    if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
-        ssl->handshake != NULL )
+    if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL )
     {
         ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
     }
@@ -3345,7 +3716,29 @@ void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
         ssl->handshake != NULL )
     {
-        ssl->handshake->in_msg_seq++;
+        unsigned offset;
+        mbedtls_ssl_hs_buffer *hs_buf;
+
+        /* Increment handshake sequence number */
+        hs->in_msg_seq++;
+
+        /*
+         * Clear up handshake buffering and reassembly structure.
+         */
+
+        /* Free first entry */
+        ssl_buffering_free_slot( ssl, 0 );
+
+        /* Shift all other entries */
+        for( offset = 0, hs_buf = &hs->buffering.hs[0];
+             offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
+             offset++, hs_buf++ )
+        {
+            *hs_buf = *(hs_buf + 1);
+        }
+
+        /* Create a fresh last entry */
+        memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
     }
 #endif
 }
@@ -3598,7 +3991,7 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
             ssl->conf->p_cookie,
             ssl->cli_id, ssl->cli_id_len,
             ssl->in_buf, ssl->in_left,
-            ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len );
+            ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
 
     MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
 
@@ -3695,7 +4088,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
     }
 
     /* Check length against the size of our buffer */
-    if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN
+    if( ssl->in_msglen > MBEDTLS_SSL_IN_BUFFER_LEN
                          - (size_t)( ssl->in_msg - ssl->in_buf ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
@@ -3746,7 +4139,16 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
             }
             else
 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
+            {
+                /* Consider buffering the record. */
+                if( rec_epoch == (unsigned int) ssl->in_epoch + 1 )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
+                    return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
+                }
+
                 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
+            }
         }
 
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
@@ -3759,15 +4161,6 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
         }
 #endif
 
-        /* Drop unexpected ChangeCipherSpec messages */
-        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
-            ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
-            ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) );
-            return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
-        }
-
         /* Drop unexpected ApplicationData records,
          * except at the beginning of renegotiations */
         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
@@ -3789,7 +4182,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
     if( ssl->transform_in == NULL )
     {
         if( ssl->in_msglen < 1 ||
-            ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
+            ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
@@ -3805,7 +4198,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
 
 #if defined(MBEDTLS_SSL_PROTO_SSL3)
         if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
-            ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN )
+            ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
@@ -3818,7 +4211,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
          */
         if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
             ssl->in_msglen > ssl->transform_in->minlen +
-                             MBEDTLS_SSL_MAX_CONTENT_LEN + 256 )
+                             MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
@@ -3866,7 +4259,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
         MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
                        ssl->in_msg, ssl->in_msglen );
 
-        if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN )
+        if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
@@ -3904,7 +4297,14 @@ static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
  * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
  *
  */
-int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl )
+
+/* Helper functions for mbedtls_ssl_read_record(). */
+static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
+static int ssl_get_next_record( mbedtls_ssl_context *ssl );
+static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
+                             unsigned update_hs_digest )
 {
     int ret;
 
@@ -3914,30 +4314,71 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl )
     {
         do {
 
-            if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 )
-            {
-                MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
+            ret = ssl_consume_current_message( ssl );
+            if( ret != 0 )
                 return( ret );
+
+            if( ssl_record_is_in_progress( ssl ) == 0 )
+            {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+                int have_buffered = 0;
+
+                /* We only check for buffered messages if the
+                 * current datagram is fully consumed. */
+                if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+                    ssl_next_record_is_in_datagram( ssl ) == 0 )
+                {
+                    if( ssl_load_buffered_message( ssl ) == 0 )
+                        have_buffered = 1;
+                }
+
+                if( have_buffered == 0 )
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+                {
+                    ret = ssl_get_next_record( ssl );
+                    if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )
+                        continue;
+
+                    if( ret != 0 )
+                    {
+                        MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );
+                        return( ret );
+                    }
+                }
             }
 
             ret = mbedtls_ssl_handle_message_type( ssl );
 
-        } while( MBEDTLS_ERR_SSL_NON_FATAL == ret );
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+            if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
+            {
+                /* Buffer future message */
+                ret = ssl_buffer_message( ssl );
+                if( ret != 0 )
+                    return( ret );
+
+                ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+            }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+        } while( MBEDTLS_ERR_SSL_NON_FATAL           == ret  ||
+                 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
 
         if( 0 != ret )
         {
-            MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
             return( ret );
         }
 
-        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+            update_hs_digest == 1 )
         {
             mbedtls_ssl_update_handshake_status( ssl );
         }
     }
     else
     {
-        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= reuse previously read message" ) );
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
         ssl->keep_current_message = 0;
     }
 
@@ -3946,63 +4387,395 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl )
     return( 0 );
 }
 
-int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl )
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
 {
-    int ret;
+    if( ssl->in_left > ssl->next_record_offset )
+        return( 1 );
 
-    /*
-     * Step A
-     *
-     * Consume last content-layer message and potentially
-     * update in_msglen which keeps track of the contents'
-     * consumption state.
-     *
-     * (1) Handshake messages:
-     *     Remove last handshake message, move content
-     *     and adapt in_msglen.
-     *
-     * (2) Alert messages:
-     *     Consume whole record content, in_msglen = 0.
-     *
-     *     NOTE: This needs to be fixed, since like for
-     *     handshake messages it is allowed to have
-     *     multiple alerts witin a single record.
-     *     Internal reference IOTSSL-1321.
-     *
-     * (3) Change cipher spec:
-     *     Consume whole record content, in_msglen = 0.
-     *
-     * (4) Application data:
-     *     Don't do anything - the record layer provides
-     *     the application data as a stream transport
-     *     and consumes through mbedtls_ssl_read only.
-     *
-     */
+    return( 0 );
+}
 
-    /* Case (1): Handshake messages */
-    if( ssl->in_hslen != 0 )
+static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    mbedtls_ssl_hs_buffer * hs_buf;
+    int ret = 0;
+
+    if( hs == NULL )
+        return( -1 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );
+
+    if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
+        ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
     {
-        /* Hard assertion to be sure that no application data
-         * is in flight, as corrupting ssl->in_msglen during
-         * ssl->in_offt != NULL is fatal. */
-        if( ssl->in_offt != NULL )
+        /* Check if we have seen a ChangeCipherSpec before.
+         * If yes, synthesize a CCS record. */
+        if( !hs->buffering.seen_ccs )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );
+            ret = -1;
+            goto exit;
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );
+        ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
+        ssl->in_msglen = 1;
+        ssl->in_msg[0] = 1;
+
+        /* As long as they are equal, the exact value doesn't matter. */
+        ssl->in_left            = 0;
+        ssl->next_record_offset = 0;
+
+        hs->buffering.seen_ccs = 0;
+        goto exit;
+    }
+
+#if defined(MBEDTLS_DEBUG_C)
+    /* Debug only */
+    {
+        unsigned offset;
+        for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
+        {
+            hs_buf = &hs->buffering.hs[offset];
+            if( hs_buf->is_valid == 1 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",
+                            hs->in_msg_seq + offset,
+                            hs_buf->is_complete ? "fully" : "partially" ) );
+            }
+        }
+    }
+#endif /* MBEDTLS_DEBUG_C */
+
+    /* Check if we have buffered and/or fully reassembled the
+     * next handshake message. */
+    hs_buf = &hs->buffering.hs[0];
+    if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
+    {
+        /* Synthesize a record containing the buffered HS message. */
+        size_t msg_len = ( hs_buf->data[1] << 16 ) |
+                         ( hs_buf->data[2] << 8  ) |
+                           hs_buf->data[3];
+
+        /* Double-check that we haven't accidentally buffered
+         * a message that doesn't fit into the input buffer. */
+        if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
         }
 
-        /*
-         * Get next Handshake message in the current record
-         */
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );
+        MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",
+                               hs_buf->data, msg_len + 12 );
 
-        /* Notes:
-         * (1) in_hslen is *NOT* necessarily the size of the
-         *     current handshake content: If DTLS handshake
-         *     fragmentation is used, that's the fragment
-         *     size instead. Using the total handshake message
-         *     size here is FAULTY and should be changed at
-         *     some point. Internal reference IOTSSL-1414.
-         * (2) While it doesn't seem to cause problems, one
+        ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+        ssl->in_hslen   = msg_len + 12;
+        ssl->in_msglen  = msg_len + 12;
+        memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );
+
+        ret = 0;
+        goto exit;
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",
+                                    hs->in_msg_seq ) );
+    }
+
+    ret = -1;
+
+exit:
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );
+    return( ret );
+}
+
+static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
+                                  size_t desired )
+{
+    int offset;
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",
+                                (unsigned) desired ) );
+
+    /* Get rid of future records epoch first, if such exist. */
+    ssl_free_buffered_record( ssl );
+
+    /* Check if we have enough space available now. */
+    if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+                     hs->buffering.total_bytes_buffered ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );
+        return( 0 );
+    }
+
+    /* We don't have enough space to buffer the next expected handshake
+     * message. Remove buffers used for future messages to gain space,
+     * starting with the most distant one. */
+    for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
+         offset >= 0; offset-- )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
+                                    offset ) );
+
+        ssl_buffering_free_slot( ssl, (uint8_t) offset );
+
+        /* Check if we have enough space available now. */
+        if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+                         hs->buffering.total_bytes_buffered ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );
+            return( 0 );
+        }
+    }
+
+    return( -1 );
+}
+
+static int ssl_buffer_message( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+
+    if( hs == NULL )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );
+
+    switch( ssl->in_msgtype )
+    {
+        case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );
+
+            hs->buffering.seen_ccs = 1;
+            break;
+
+        case MBEDTLS_SSL_MSG_HANDSHAKE:
+        {
+            unsigned recv_msg_seq_offset;
+            unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
+            mbedtls_ssl_hs_buffer *hs_buf;
+            size_t msg_len = ssl->in_hslen - 12;
+
+            /* We should never receive an old handshake
+             * message - double-check nonetheless. */
+            if( recv_msg_seq < ssl->handshake->in_msg_seq )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+
+            recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
+            if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )
+            {
+                /* Silently ignore -- message too far in the future */
+                MBEDTLS_SSL_DEBUG_MSG( 2,
+                 ( "Ignore future HS message with sequence number %u, "
+                   "buffering window %u - %u",
+                   recv_msg_seq, ssl->handshake->in_msg_seq,
+                   ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );
+
+                goto exit;
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",
+                                        recv_msg_seq, recv_msg_seq_offset ) );
+
+            hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
+
+            /* Check if the buffering for this seq nr has already commenced. */
+            if( !hs_buf->is_valid )
+            {
+                size_t reassembly_buf_sz;
+
+                hs_buf->is_fragmented =
+                    ( ssl_hs_is_proper_fragment( ssl ) == 1 );
+
+                /* We copy the message back into the input buffer
+                 * after reassembly, so check that it's not too large.
+                 * This is an implementation-specific limitation
+                 * and not one from the standard, hence it is not
+                 * checked in ssl_check_hs_header(). */
+                if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
+                {
+                    /* Ignore message */
+                    goto exit;
+                }
+
+                /* Check if we have enough space to buffer the message. */
+                if( hs->buffering.total_bytes_buffered >
+                    MBEDTLS_SSL_DTLS_MAX_BUFFERING )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+                }
+
+                reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
+                                                       hs_buf->is_fragmented );
+
+                if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+                                          hs->buffering.total_bytes_buffered ) )
+                {
+                    if( recv_msg_seq_offset > 0 )
+                    {
+                        /* If we can't buffer a future message because
+                         * of space limitations -- ignore. */
+                        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
+                             (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+                             (unsigned) hs->buffering.total_bytes_buffered ) );
+                        goto exit;
+                    }
+                    else
+                    {
+                        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- attempt to make space by freeing buffered future messages\n",
+                             (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+                             (unsigned) hs->buffering.total_bytes_buffered ) );
+                    }
+
+                    if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
+                    {
+                        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %u (%u with bitmap) would exceed the compile-time limit %u (already %u bytes buffered) -- fail\n",
+                             (unsigned) msg_len,
+                             (unsigned) reassembly_buf_sz,
+                             MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+                             (unsigned) hs->buffering.total_bytes_buffered ) );
+                        ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+                        goto exit;
+                    }
+                }
+
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
+                                            msg_len ) );
+
+                hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
+                if( hs_buf->data == NULL )
+                {
+                    ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+                    goto exit;
+                }
+                hs_buf->data_len = reassembly_buf_sz;
+
+                /* Prepare final header: copy msg_type, length and message_seq,
+                 * then add standardised fragment_offset and fragment_length */
+                memcpy( hs_buf->data, ssl->in_msg, 6 );
+                memset( hs_buf->data + 6, 0, 3 );
+                memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
+
+                hs_buf->is_valid = 1;
+
+                hs->buffering.total_bytes_buffered += reassembly_buf_sz;
+            }
+            else
+            {
+                /* Make sure msg_type and length are consistent */
+                if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
+                    /* Ignore */
+                    goto exit;
+                }
+            }
+
+            if( !hs_buf->is_complete )
+            {
+                size_t frag_len, frag_off;
+                unsigned char * const msg = hs_buf->data + 12;
+
+                /*
+                 * Check and copy current fragment
+                 */
+
+                /* Validation of header fields already done in
+                 * mbedtls_ssl_prepare_handshake_record(). */
+                frag_off = ssl_get_hs_frag_off( ssl );
+                frag_len = ssl_get_hs_frag_len( ssl );
+
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
+                                            frag_off, frag_len ) );
+                memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
+
+                if( hs_buf->is_fragmented )
+                {
+                    unsigned char * const bitmask = msg + msg_len;
+                    ssl_bitmask_set( bitmask, frag_off, frag_len );
+                    hs_buf->is_complete = ( ssl_bitmask_check( bitmask,
+                                                               msg_len ) == 0 );
+                }
+                else
+                {
+                    hs_buf->is_complete = 1;
+                }
+
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",
+                                   hs_buf->is_complete ? "" : "not yet " ) );
+            }
+
+            break;
+        }
+
+        default:
+            /* We don't buffer other types of messages. */
+            break;
+    }
+
+exit:
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
+{
+    /*
+     * Consume last content-layer message and potentially
+     * update in_msglen which keeps track of the contents'
+     * consumption state.
+     *
+     * (1) Handshake messages:
+     *     Remove last handshake message, move content
+     *     and adapt in_msglen.
+     *
+     * (2) Alert messages:
+     *     Consume whole record content, in_msglen = 0.
+     *
+     * (3) Change cipher spec:
+     *     Consume whole record content, in_msglen = 0.
+     *
+     * (4) Application data:
+     *     Don't do anything - the record layer provides
+     *     the application data as a stream transport
+     *     and consumes through mbedtls_ssl_read only.
+     *
+     */
+
+    /* Case (1): Handshake messages */
+    if( ssl->in_hslen != 0 )
+    {
+        /* Hard assertion to be sure that no application data
+         * is in flight, as corrupting ssl->in_msglen during
+         * ssl->in_offt != NULL is fatal. */
+        if( ssl->in_offt != NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        /*
+         * Get next Handshake message in the current record
+         */
+
+        /* Notes:
+         * (1) in_hslen is not necessarily the size of the
+         *     current handshake content: If DTLS handshake
+         *     fragmentation is used, that's the fragment
+         *     size instead. Using the total handshake message
+         *     size here is faulty and should be changed at
+         *     some point.
+         * (2) While it doesn't seem to cause problems, one
          *     has to be very careful not to assume that in_hslen
          *     is always <= in_msglen in a sensible communication.
          *     Again, it's wrong for DTLS handshake fragmentation.
@@ -4039,26 +4812,161 @@ int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl )
         ssl->in_msglen = 0;
     }
 
-    /*
-     * Step B
-     *
-     * Fetch and decode new record if current one is fully consumed.
-     *
-     */
+    return( 0 );
+}
 
+static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
+{
     if( ssl->in_msglen > 0 )
+        return( 1 );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    if( hs == NULL )
+        return;
+
+    if( hs->buffering.future_record.data != NULL )
     {
-        /* There's something left to be processed in the current record. */
+        hs->buffering.total_bytes_buffered -=
+            hs->buffering.future_record.len;
+
+        mbedtls_free( hs->buffering.future_record.data );
+        hs->buffering.future_record.data = NULL;
+    }
+}
+
+static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    unsigned char * rec;
+    size_t rec_len;
+    unsigned rec_epoch;
+
+    if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        return( 0 );
+
+    if( hs == NULL )
         return( 0 );
+
+    rec       = hs->buffering.future_record.data;
+    rec_len   = hs->buffering.future_record.len;
+    rec_epoch = hs->buffering.future_record.epoch;
+
+    if( rec == NULL )
+        return( 0 );
+
+    /* Only consider loading future records if the
+     * input buffer is empty. */
+    if( ssl_next_record_is_in_datagram( ssl ) == 1 )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );
+
+    if( rec_epoch != ssl->in_epoch )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );
+        goto exit;
     }
 
-    /* Need to fetch a new record */
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
 
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-read_record_header:
-#endif
+    /* Double-check that the record is not too large */
+    if( rec_len > MBEDTLS_SSL_IN_BUFFER_LEN -
+        (size_t)( ssl->in_hdr - ssl->in_buf ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
 
-    /* Current record either fully processed or to be discarded. */
+    memcpy( ssl->in_hdr, rec, rec_len );
+    ssl->in_left = rec_len;
+    ssl->next_record_offset = 0;
+
+    ssl_free_buffered_record( ssl );
+
+exit:
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );
+    return( 0 );
+}
+
+static int ssl_buffer_future_record( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    size_t const rec_hdr_len = 13;
+    size_t const total_buf_sz = rec_hdr_len + ssl->in_msglen;
+
+    /* Don't buffer future records outside handshakes. */
+    if( hs == NULL )
+        return( 0 );
+
+    /* Only buffer handshake records (we are only interested
+     * in Finished messages). */
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+        return( 0 );
+
+    /* Don't buffer more than one future epoch record. */
+    if( hs->buffering.future_record.data != NULL )
+        return( 0 );
+
+    /* Don't buffer record if there's not enough buffering space remaining. */
+    if( total_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+                         hs->buffering.total_bytes_buffered ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
+                        (unsigned) total_buf_sz, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+                        (unsigned) hs->buffering.total_bytes_buffered ) );
+        return( 0 );
+    }
+
+    /* Buffer record */
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
+                                ssl->in_epoch + 1 ) );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", ssl->in_hdr,
+                           rec_hdr_len + ssl->in_msglen );
+
+    /* ssl_parse_record_header() only considers records
+     * of the next epoch as candidates for buffering. */
+    hs->buffering.future_record.epoch = ssl->in_epoch + 1;
+    hs->buffering.future_record.len   = total_buf_sz;
+
+    hs->buffering.future_record.data =
+        mbedtls_calloc( 1, hs->buffering.future_record.len );
+    if( hs->buffering.future_record.data == NULL )
+    {
+        /* If we run out of RAM trying to buffer a
+         * record from the next epoch, just ignore. */
+        return( 0 );
+    }
+
+    memcpy( hs->buffering.future_record.data, ssl->in_hdr, total_buf_sz );
+
+    hs->buffering.total_bytes_buffered += total_buf_sz;
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+static int ssl_get_next_record( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    /* We might have buffered a future record; if so,
+     * and if the epoch matches now, load it.
+     * On success, this call will set ssl->in_left to
+     * the length of the buffered record, so that
+     * the calls to ssl_fetch_input() below will
+     * essentially be no-ops. */
+    ret = ssl_load_buffered_record( ssl );
+    if( ret != 0 )
+        return( ret );
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
 
     if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
     {
@@ -4072,6 +4980,16 @@ int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl )
         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
             ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT )
         {
+            if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
+            {
+                ret = ssl_buffer_future_record( ssl );
+                if( ret != 0 )
+                    return( ret );
+
+                /* Fall through to handling of unexpected records */
+                ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
+            }
+
             if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
             {
                 /* Skip unexpected record (but not whole datagram) */
@@ -4092,7 +5010,7 @@ int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl )
             }
 
             /* Get next record */
-            goto read_record_header;
+            return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
         }
 #endif
         return( ret );
@@ -4111,7 +5029,13 @@ int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl )
     /* Done reading this record, get ready for the next one */
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
         ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl );
+        if( ssl->next_record_offset < ssl->in_left )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
+        }
+    }
     else
 #endif
         ssl->in_left = 0;
@@ -4158,7 +5082,7 @@ int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl )
                 ssl->in_left = 0;
 
                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
-                goto read_record_header;
+                return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
             }
 
             return( ret );
@@ -4179,46 +5103,6 @@ int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl )
         }
     }
 
-    /*
-     * When we sent the last flight of the handshake, we MUST respond to a
-     * retransmit of the peer's previous flight with a retransmit. (In
-     * practice, only the Finished message will make it, other messages
-     * including CCS use the old transform so they're dropped as invalid.)
-     *
-     * If the record we received is not a handshake message, however, it
-     * means the peer received our last flight so we can clean up
-     * handshake info.
-     *
-     * This check needs to be done before prepare_handshake() due to an edge
-     * case: if the client immediately requests renegotiation, this
-     * finishes the current handshake first, avoiding the new ClientHello
-     * being mistaken for an ancient message in the current handshake.
-     */
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
-        ssl->handshake != NULL &&
-        ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
-    {
-        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
-                ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
-        {
-            MBEDTLS_SSL_DEBUG_MSG( 2, ( "received retransmit of last flight" ) );
-
-            if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
-            {
-                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
-                return( ret );
-            }
-
-            return( MBEDTLS_ERR_SSL_WANT_READ );
-        }
-        else
-        {
-            ssl_handshake_wrapup_free_hs_transform( ssl );
-        }
-    }
-#endif
-
     return( 0 );
 }
 
@@ -4237,6 +5121,39 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
         }
     }
 
+    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
+    {
+        if( ssl->in_msglen != 1 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %d",
+                           ssl->in_msglen ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+
+        if( ssl->in_msg[0] != 1 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",
+                                        ssl->in_msg[0] ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC    &&
+            ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
+        {
+            if( ssl->handshake == NULL )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );
+                return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );
+            return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
+        }
+#endif
+    }
+
     if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
     {
         if( ssl->in_msglen != 2 )
@@ -4273,7 +5190,7 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
         if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
             ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
         {
-            MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) );
             /* Will be handled when trying to parse ServerHello */
             return( 0 );
         }
@@ -4295,6 +5212,15 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
         return MBEDTLS_ERR_SSL_NON_FATAL;
     }
 
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake != NULL &&
+        ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER  )
+    {
+        ssl_handshake_wrapup_free_hs_transform( ssl );
+    }
+#endif
+
     return( 0 );
 }
 
@@ -4329,7 +5255,7 @@ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
     ssl->out_msg[0] = level;
     ssl->out_msg[1] = message;
 
-    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
         return( ret );
@@ -4469,10 +5395,10 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
     while( crt != NULL )
     {
         n = crt->raw.len;
-        if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i )
+        if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
-                           i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) );
+                           i + 3 + n, MBEDTLS_SSL_OUT_CONTENT_LEN ) );
             return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
         }
 
@@ -4498,9 +5424,9 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
 
     ssl->state++;
 
-    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
     {
-        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
         return( ret );
     }
 
@@ -4509,60 +5435,16 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
     return( ret );
 }
 
-int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
+/*
+ * Once the certificate message is read, parse it into a cert chain and
+ * perform basic checks, but leave actual verification to the caller
+ */
+static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl )
 {
-    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    int ret;
     size_t i, n;
-    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
-    int authmode = ssl->conf->authmode;
     uint8_t alert;
 
-    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
-
-    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
-        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
-        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
-        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
-        ssl->state++;
-        return( 0 );
-    }
-
-#if defined(MBEDTLS_SSL_SRV_C)
-    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
-        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
-        ssl->state++;
-        return( 0 );
-    }
-
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-    if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
-        authmode = ssl->handshake->sni_authmode;
-#endif
-
-    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
-        authmode == MBEDTLS_SSL_VERIFY_NONE )
-    {
-        ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
-        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
-        ssl->state++;
-        return( 0 );
-    }
-#endif
-
-    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
-    {
-        /* mbedtls_ssl_read_record may have sent an alert already. We
-           let it decide whether to alert. */
-        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
-        return( ret );
-    }
-
-    ssl->state++;
-
 #if defined(MBEDTLS_SSL_SRV_C)
 #if defined(MBEDTLS_SSL_PROTO_SSL3)
     /*
@@ -4582,10 +5464,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
                one. The client should know what's going on, so we
                don't send an alert. */
             ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
-            if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
-                return( 0 );
-            else
-                return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
+            return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
         }
     }
 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
@@ -4606,10 +5485,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
                one. The client should know what's going on, so we
                don't send an alert. */
             ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
-            if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
-                return( 0 );
-            else
-                return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
+            return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
         }
     }
 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
@@ -4759,6 +5635,94 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
     }
 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
 
+    return( 0 );
+}
+
+int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
+          ssl->transform_negotiate->ciphersuite_info;
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
+                       ? ssl->handshake->sni_authmode
+                       : ssl->conf->authmode;
+#else
+    const int authmode = ssl->conf->authmode;
+#endif
+    void *rs_ctx = NULL;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_SSL_SRV_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+        authmode == MBEDTLS_SSL_VERIFY_NONE )
+    {
+        ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+
+        ssl->state++;
+        return( 0 );
+    }
+#endif
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled &&
+        ssl->handshake->ecrs_state == ssl_ecrs_crt_verify )
+    {
+        goto crt_verify;
+    }
+#endif
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        /* mbedtls_ssl_read_record may have sent an alert already. We
+           let it decide whether to alert. */
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ( ret = ssl_parse_certificate_chain( ssl ) ) != 0 )
+    {
+#if defined(MBEDTLS_SSL_SRV_C)
+        if( ret == MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE &&
+            authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
+        {
+            ret = 0;
+        }
+#endif
+
+        ssl->state++;
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled)
+        ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
+
+crt_verify:
+    if( ssl->handshake->ecrs_enabled)
+        rs_ctx = &ssl->handshake->ecrs_ctx;
+#endif
+
     if( authmode != MBEDTLS_SSL_VERIFY_NONE )
     {
         mbedtls_x509_crt *ca_chain;
@@ -4780,19 +5744,24 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
         /*
          * Main check: verify certificate
          */
-        ret = mbedtls_x509_crt_verify_with_profile(
+        ret = mbedtls_x509_crt_verify_restartable(
                                 ssl->session_negotiate->peer_cert,
                                 ca_chain, ca_crl,
                                 ssl->conf->cert_profile,
                                 ssl->hostname,
                                &ssl->session_negotiate->verify_result,
-                                ssl->conf->f_vrfy, ssl->conf->p_vrfy );
+                                ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
 
         if( ret != 0 )
         {
             MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
         }
 
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+            return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS );
+#endif
+
         /*
          * Secondary checks: always done, but change 'ret' only if it was 0
          */
@@ -4845,6 +5814,8 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
 
         if( ret != 0 )
         {
+            uint8_t alert;
+
             /* The certificate may have been rejected for several reasons.
                Pick one and send the corresponding alert. Which alert to send
                may be a subject of debate in some cases. */
@@ -4887,6 +5858,8 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_DEBUG_C */
     }
 
+    ssl->state++;
+
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
 
     return( ret );
@@ -4911,9 +5884,9 @@ int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
 
     ssl->state++;
 
-    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
     {
-        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
         return( ret );
     }
 
@@ -4928,7 +5901,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
 
-    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
         return( ret );
@@ -4942,13 +5915,8 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
         return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
     }
 
-    if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
-        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
-                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
-        return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
-    }
+    /* CCS records are only accepted if they have length 1 and content '1',
+     * so we don't need to check this here. */
 
     /*
      * Switch to our negotiated transform and session parameters for inbound
@@ -4978,16 +5946,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
     memset( ssl->in_ctr, 0, 8 );
 
-    /*
-     * Set the in_msg pointer to the correct location based on IV length
-     */
-    if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
-    {
-        ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen -
-                      ssl->transform_negotiate->fixed_ivlen;
-    }
-    else
-        ssl->in_msg = ssl->in_iv;
+    ssl_update_in_pointers( ssl, ssl->transform_negotiate );
 
 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
     if( mbedtls_ssl_hw_record_activate != NULL )
@@ -5178,9 +6137,9 @@ static void ssl_calc_finished_ssl(
     mbedtls_md5_free(  &md5  );
     mbedtls_sha1_free( &sha1 );
 
-    mbedtls_zeroize(  padbuf, sizeof(  padbuf ) );
-    mbedtls_zeroize(  md5sum, sizeof(  md5sum ) );
-    mbedtls_zeroize( sha1sum, sizeof( sha1sum ) );
+    mbedtls_platform_zeroize(  padbuf, sizeof(  padbuf ) );
+    mbedtls_platform_zeroize(  md5sum, sizeof(  md5sum ) );
+    mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
 }
@@ -5239,7 +6198,7 @@ static void ssl_calc_finished_tls(
     mbedtls_md5_free(  &md5  );
     mbedtls_sha1_free( &sha1 );
 
-    mbedtls_zeroize(  padbuf, sizeof(  padbuf ) );
+    mbedtls_platform_zeroize(  padbuf, sizeof(  padbuf ) );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
 }
@@ -5289,7 +6248,7 @@ static void ssl_calc_finished_tls_sha256(
 
     mbedtls_sha256_free( &sha256 );
 
-    mbedtls_zeroize(  padbuf, sizeof(  padbuf ) );
+    mbedtls_platform_zeroize(  padbuf, sizeof(  padbuf ) );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
 }
@@ -5338,7 +6297,7 @@ static void ssl_calc_finished_tls_sha384(
 
     mbedtls_sha512_free( &sha512 );
 
-    mbedtls_zeroize(  padbuf, sizeof( padbuf ) );
+    mbedtls_platform_zeroize(  padbuf, sizeof( padbuf ) );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
 }
@@ -5352,7 +6311,7 @@ static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
     /*
      * Free our handshake params
      */
-    mbedtls_ssl_handshake_free( ssl->handshake );
+    mbedtls_ssl_handshake_free( ssl );
     mbedtls_free( ssl->handshake );
     ssl->handshake = NULL;
 
@@ -5438,16 +6397,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
 
-    /*
-     * Set the out_msg pointer to the correct location based on IV length
-     */
-    if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
-    {
-        ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen -
-                       ssl->transform_negotiate->fixed_ivlen;
-    }
-    else
-        ssl->out_msg = ssl->out_iv;
+    ssl_update_out_pointers( ssl, ssl->transform_negotiate );
 
     ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
 
@@ -5499,14 +6449,14 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
 
         /* Remember current epoch settings for resending */
         ssl->handshake->alt_transform_out = ssl->transform_out;
-        memcpy( ssl->handshake->alt_out_ctr, ssl->out_ctr, 8 );
+        memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8 );
 
         /* Set sequence_number to zero */
-        memset( ssl->out_ctr + 2, 0, 6 );
+        memset( ssl->cur_out_ctr + 2, 0, 6 );
 
         /* Increment epoch */
         for( i = 2; i > 0; i-- )
-            if( ++ssl->out_ctr[i - 1] != 0 )
+            if( ++ssl->cur_out_ctr[i - 1] != 0 )
                 break;
 
         /* The loop goes to its end iff the counter is wrapping */
@@ -5518,7 +6468,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
     }
     else
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
-    memset( ssl->out_ctr, 0, 8 );
+    memset( ssl->cur_out_ctr, 0, 8 );
 
     ssl->transform_out = ssl->transform_negotiate;
     ssl->session_out = ssl->session_negotiate;
@@ -5539,11 +6489,20 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
         mbedtls_ssl_send_flight_completed( ssl );
 #endif
 
-    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
     {
-        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
         return( ret );
     }
+#endif
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
 
@@ -5566,7 +6525,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
 
     ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
 
-    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
         return( ret );
@@ -5678,6 +6637,10 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
 #endif
 #endif
 
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    mbedtls_x509_crt_restart_init( &handshake->ecrs_ctx );
+#endif
+
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
     handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
 #endif
@@ -5707,7 +6670,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
     if( ssl->session_negotiate )
         mbedtls_ssl_session_free( ssl->session_negotiate );
     if( ssl->handshake )
-        mbedtls_ssl_handshake_free( ssl->handshake );
+        mbedtls_ssl_handshake_free( ssl );
 
     /*
      * Either the pointers are now NULL or cleared properly and can be freed.
@@ -5797,6 +6760,78 @@ static int ssl_cookie_check_dummy( void *ctx,
 }
 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
 
+/* Once ssl->out_hdr as the address of the beginning of the
+ * next outgoing record is set, deduce the other pointers.
+ *
+ * Note: For TLS, we save the implicit record sequence number
+ *       (entering MAC computation) in the 8 bytes before ssl->out_hdr,
+ *       and the caller has to make sure there's space for this.
+ */
+
+static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
+                                     mbedtls_ssl_transform *transform )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->out_ctr = ssl->out_hdr +  3;
+        ssl->out_len = ssl->out_hdr + 11;
+        ssl->out_iv  = ssl->out_hdr + 13;
+    }
+    else
+#endif
+    {
+        ssl->out_ctr = ssl->out_hdr - 8;
+        ssl->out_len = ssl->out_hdr + 3;
+        ssl->out_iv  = ssl->out_hdr + 5;
+    }
+
+    /* Adjust out_msg to make space for explicit IV, if used. */
+    if( transform != NULL &&
+        ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+    {
+        ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
+    }
+    else
+        ssl->out_msg = ssl->out_iv;
+}
+
+/* Once ssl->in_hdr as the address of the beginning of the
+ * next incoming record is set, deduce the other pointers.
+ *
+ * Note: For TLS, we save the implicit record sequence number
+ *       (entering MAC computation) in the 8 bytes before ssl->in_hdr,
+ *       and the caller has to make sure there's space for this.
+ */
+
+static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
+                                    mbedtls_ssl_transform *transform )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->in_ctr = ssl->in_hdr +  3;
+        ssl->in_len = ssl->in_hdr + 11;
+        ssl->in_iv  = ssl->in_hdr + 13;
+    }
+    else
+#endif
+    {
+        ssl->in_ctr = ssl->in_hdr - 8;
+        ssl->in_len = ssl->in_hdr + 3;
+        ssl->in_iv  = ssl->in_hdr + 5;
+    }
+
+    /* Offset in_msg from in_iv to allow space for explicit IV, if used. */
+    if( transform != NULL &&
+        ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+    {
+        ssl->in_msg = ssl->in_iv + transform->ivlen - transform->fixed_ivlen;
+    }
+    else
+        ssl->in_msg = ssl->in_iv;
+}
+
 /*
  * Initialize an SSL context
  */
@@ -5808,57 +6843,59 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
 /*
  * Setup an SSL context
  */
+
+static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
+{
+    /* Set the incoming and outgoing record pointers. */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->out_hdr = ssl->out_buf;
+        ssl->in_hdr  = ssl->in_buf;
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    {
+        ssl->out_hdr = ssl->out_buf + 8;
+        ssl->in_hdr  = ssl->in_buf  + 8;
+    }
+
+    /* Derive other internal pointers. */
+    ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
+    ssl_update_in_pointers ( ssl, NULL /* no transform enabled */ );
+}
+
 int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
                        const mbedtls_ssl_config *conf )
 {
     int ret;
-    const size_t len = MBEDTLS_SSL_BUFFER_LEN;
 
     ssl->conf = conf;
 
     /*
      * Prepare base structures
      */
-    ssl->in_buf = NULL;
+
+    /* Set to NULL in case of an error condition */
     ssl->out_buf = NULL;
-    if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL ||
-        ( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL )
+
+    ssl->in_buf = mbedtls_calloc( 1, MBEDTLS_SSL_IN_BUFFER_LEN );
+    if( ssl->in_buf == NULL )
     {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) );
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_IN_BUFFER_LEN) );
         ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
         goto error;
     }
 
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-    if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    ssl->out_buf = mbedtls_calloc( 1, MBEDTLS_SSL_OUT_BUFFER_LEN );
+    if( ssl->out_buf == NULL )
     {
-        ssl->out_hdr = ssl->out_buf;
-        ssl->out_ctr = ssl->out_buf +  3;
-        ssl->out_len = ssl->out_buf + 11;
-        ssl->out_iv  = ssl->out_buf + 13;
-        ssl->out_msg = ssl->out_buf + 13;
-
-        ssl->in_hdr = ssl->in_buf;
-        ssl->in_ctr = ssl->in_buf +  3;
-        ssl->in_len = ssl->in_buf + 11;
-        ssl->in_iv  = ssl->in_buf + 13;
-        ssl->in_msg = ssl->in_buf + 13;
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_OUT_BUFFER_LEN) );
+        ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+        goto error;
     }
-    else
-#endif
-    {
-        ssl->out_ctr = ssl->out_buf;
-        ssl->out_hdr = ssl->out_buf +  8;
-        ssl->out_len = ssl->out_buf + 11;
-        ssl->out_iv  = ssl->out_buf + 13;
-        ssl->out_msg = ssl->out_buf + 13;
 
-        ssl->in_ctr = ssl->in_buf;
-        ssl->in_hdr = ssl->in_buf +  8;
-        ssl->in_len = ssl->in_buf + 11;
-        ssl->in_iv  = ssl->in_buf + 13;
-        ssl->in_msg = ssl->in_buf + 13;
-    }
+    ssl_reset_in_out_pointers( ssl );
 
     if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
         goto error;
@@ -5900,6 +6937,11 @@ static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
 {
     int ret;
 
+#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) ||     \
+    !defined(MBEDTLS_SSL_SRV_C)
+    ((void) partial);
+#endif
+
     ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
 
     /* Cancel any possibly running timer */
@@ -5916,12 +6958,10 @@ static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
     ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
 
     ssl->in_offt = NULL;
+    ssl_reset_in_out_pointers( ssl );
 
-    ssl->in_msg = ssl->in_buf + 13;
     ssl->in_msgtype = 0;
     ssl->in_msglen = 0;
-    if( partial == 0 )
-        ssl->in_left = 0;
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     ssl->next_record_offset = 0;
     ssl->in_epoch = 0;
@@ -5935,7 +6975,6 @@ static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
 
     ssl->keep_current_message = 0;
 
-    ssl->out_msg = ssl->out_buf + 13;
     ssl->out_msgtype = 0;
     ssl->out_msglen = 0;
     ssl->out_left = 0;
@@ -5944,16 +6983,23 @@ static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
         ssl->split_done = 0;
 #endif
 
+    memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
+
     ssl->transform_in = NULL;
     ssl->transform_out = NULL;
 
     ssl->session_in = NULL;
     ssl->session_out = NULL;
 
-    memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
+    memset( ssl->out_buf, 0, MBEDTLS_SSL_OUT_BUFFER_LEN );
 
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
     if( partial == 0 )
-        memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN );
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
+    {
+        ssl->in_left = 0;
+        memset( ssl->in_buf, 0, MBEDTLS_SSL_IN_BUFFER_LEN );
+    }
 
 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
     if( mbedtls_ssl_hw_record_reset != NULL )
@@ -5986,7 +7032,9 @@ static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
 #endif
 
 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
     if( partial == 0 )
+#endif
     {
         mbedtls_free( ssl->cli_id );
         ssl->cli_id = NULL;
@@ -6037,7 +7085,15 @@ void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limi
 #endif
 
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
-void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max )
+
+void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
+                                       unsigned allow_packing )
+{
+    ssl->disable_datagram_packing = !allow_packing;
+}
+
+void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
+                                         uint32_t min, uint32_t max )
 {
     conf->hs_timeout_min = min;
     conf->hs_timeout_max = max;
@@ -6087,6 +7143,13 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
     ssl->f_recv_timeout = f_recv_timeout;
 }
 
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu )
+{
+    ssl->mtu = mtu;
+}
+#endif
+
 void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
 {
     conf->read_timeout   = timeout;
@@ -6278,14 +7341,14 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
 
     /* Identity len will be encoded on two bytes */
     if( ( psk_identity_len >> 16 ) != 0 ||
-        psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
+        psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
     {
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
     }
 
     if( conf->psk != NULL )
     {
-        mbedtls_zeroize( conf->psk, conf->psk_len );
+        mbedtls_platform_zeroize( conf->psk, conf->psk_len );
 
         mbedtls_free( conf->psk );
         conf->psk = NULL;
@@ -6328,7 +7391,8 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
 
     if( ssl->handshake->psk != NULL )
     {
-        mbedtls_zeroize( ssl->handshake->psk, ssl->handshake->psk_len );
+        mbedtls_platform_zeroize( ssl->handshake->psk,
+                                  ssl->handshake->psk_len );
         mbedtls_free( ssl->handshake->psk );
         ssl->handshake->psk_len = 0;
     }
@@ -6458,7 +7522,7 @@ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
 
     if( ssl->hostname != NULL )
     {
-        mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) );
+        mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
         mbedtls_free( ssl->hostname );
     }
 
@@ -6578,7 +7642,7 @@ void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
 int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
 {
     if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
-        mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN )
+        ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
     {
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
     }
@@ -6657,6 +7721,43 @@ void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
 }
 #endif
 
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+void mbedtls_ssl_conf_async_private_cb(
+    mbedtls_ssl_config *conf,
+    mbedtls_ssl_async_sign_t *f_async_sign,
+    mbedtls_ssl_async_decrypt_t *f_async_decrypt,
+    mbedtls_ssl_async_resume_t *f_async_resume,
+    mbedtls_ssl_async_cancel_t *f_async_cancel,
+    void *async_config_data )
+{
+    conf->f_async_sign_start = f_async_sign;
+    conf->f_async_decrypt_start = f_async_decrypt;
+    conf->f_async_resume = f_async_resume;
+    conf->f_async_cancel = f_async_cancel;
+    conf->p_async_config_data = async_config_data;
+}
+
+void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf )
+{
+    return( conf->p_async_config_data );
+}
+
+void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl )
+{
+    if( ssl->handshake == NULL )
+        return( NULL );
+    else
+        return( ssl->handshake->user_async_ctx );
+}
+
+void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
+                                 void *ctx )
+{
+    if( ssl->handshake != NULL )
+        ssl->handshake->user_async_ctx = ctx;
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
 /*
  * SSL get accessors
  */
@@ -6665,6 +7766,61 @@ size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
     return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
 }
 
+int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
+{
+    /*
+     * Case A: We're currently holding back
+     * a message for further processing.
+     */
+
+    if( ssl->keep_current_message == 1 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
+        return( 1 );
+    }
+
+    /*
+     * Case B: Further records are pending in the current datagram.
+     */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->in_left > ssl->next_record_offset )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
+        return( 1 );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    /*
+     * Case C: A handshake message is being processed.
+     */
+
+    if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
+        return( 1 );
+    }
+
+    /*
+     * Case D: An application data message is being processed
+     */
+    if( ssl->in_offt != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
+        return( 1 );
+    }
+
+    /*
+     * In all other cases, the rest of the message can be dropped.
+     * As in ssl_get_next_record, this needs to be adapted if
+     * we implement support for multiple alerts in single records.
+     */
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
+    return( 0 );
+}
+
 uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
 {
     if( ssl->session != NULL )
@@ -6740,6 +7896,7 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
     {
         case MBEDTLS_MODE_GCM:
         case MBEDTLS_MODE_CCM:
+        case MBEDTLS_MODE_CHACHAPOLY:
         case MBEDTLS_MODE_STREAM:
             transform_expansion = transform->minlen;
             break;
@@ -6782,21 +7939,91 @@ size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
     /*
      * Assume mfl_code is correct since it was checked when set
      */
-    max_len = mfl_code_to_length[ssl->conf->mfl_code];
+    max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
 
-    /*
-     * Check if a smaller max length was negotiated
-     */
+    /* Check if a smaller max length was negotiated */
     if( ssl->session_out != NULL &&
-        mfl_code_to_length[ssl->session_out->mfl_code] < max_len )
+        ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
+    {
+        max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
+    }
+
+    /* During a handshake, use the value being negotiated */
+    if( ssl->session_negotiate != NULL &&
+        ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code ) < max_len )
     {
-        max_len = mfl_code_to_length[ssl->session_out->mfl_code];
+        max_len = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
     }
 
-    return max_len;
+    return( max_len );
 }
 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
 
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
+{
+    /* Return unlimited mtu for client hello messages to avoid fragmentation. */
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+        ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
+          ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
+        return ( 0 );
+
+    if( ssl->handshake == NULL || ssl->handshake->mtu == 0 )
+        return( ssl->mtu );
+
+    if( ssl->mtu == 0 )
+        return( ssl->handshake->mtu );
+
+    return( ssl->mtu < ssl->handshake->mtu ?
+            ssl->mtu : ssl->handshake->mtu );
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl )
+{
+    size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
+    !defined(MBEDTLS_SSL_PROTO_DTLS)
+    (void) ssl;
+#endif
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
+
+    if( max_len > mfl )
+        max_len = mfl;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl_get_current_mtu( ssl ) != 0 )
+    {
+        const size_t mtu = ssl_get_current_mtu( ssl );
+        const int ret = mbedtls_ssl_get_record_expansion( ssl );
+        const size_t overhead = (size_t) ret;
+
+        if( ret < 0 )
+            return( ret );
+
+        if( mtu <= overhead )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "MTU too low for record expansion" ) );
+            return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+        }
+
+        if( max_len > mtu - overhead )
+            max_len = mtu - overhead;
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) &&        \
+    !defined(MBEDTLS_SSL_PROTO_DTLS)
+    ((void) ssl);
+#endif
+
+    return( (int) max_len );
+}
+
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
 {
@@ -6884,9 +8111,9 @@ static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
     ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
     ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_REQUEST;
 
-    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
     {
-        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
         return( ret );
     }
 
@@ -7016,7 +8243,7 @@ static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
 
     in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
                         ssl->conf->renego_period + ep_len, 8 - ep_len );
-    out_ctr_cmp = memcmp( ssl->out_ctr + ep_len,
+    out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len,
                           ssl->conf->renego_period + ep_len, 8 - ep_len );
 
     if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
@@ -7051,7 +8278,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
         if( ssl->handshake != NULL &&
             ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
         {
-            if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
+            if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
                 return( ret );
         }
     }
@@ -7090,7 +8317,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
         }
     }
 
-    if( ssl->in_offt == NULL )
+    /* Loop as long as no application data record is available */
+    while( ssl->in_offt == NULL )
     {
         /* Start timer if not already running */
         if( ssl->f_get_timer != NULL &&
@@ -7099,7 +8327,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
             ssl_set_timer( ssl, ssl->conf->read_timeout );
         }
 
-        if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+        if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
         {
             if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
                 return( 0 );
@@ -7114,7 +8342,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
             /*
              * OpenSSL sends empty messages to randomize the IV
              */
-            if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
+            if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
             {
                 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
                     return( 0 );
@@ -7144,7 +8372,9 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
                 /* With DTLS, drop the packet (probably from last handshake) */
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
                 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
-                    return( MBEDTLS_ERR_SSL_WANT_READ );
+                {
+                    continue;
+                }
 #endif
                 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
             }
@@ -7159,7 +8389,9 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
                 /* With DTLS, drop the packet (probably from last handshake) */
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
                 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
-                    return( MBEDTLS_ERR_SSL_WANT_READ );
+                {
+                    continue;
+                }
 #endif
                 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
             }
@@ -7232,7 +8464,25 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
                 }
             }
 
-            return( MBEDTLS_ERR_SSL_WANT_READ );
+            /* At this point, we don't know whether the renegotiation has been
+             * completed or not. The cases to consider are the following:
+             * 1) The renegotiation is complete. In this case, no new record
+             *    has been read yet.
+             * 2) The renegotiation is incomplete because the client received
+             *    an application data record while awaiting the ServerHello.
+             * 3) The renegotiation is incomplete because the client received
+             *    a non-handshake, non-application data message while awaiting
+             *    the ServerHello.
+             * In each of these case, looping will be the proper action:
+             * - For 1), the next iteration will read a new record and check
+             *   if it's application data.
+             * - For 2), the loop condition isn't satisfied as application data
+             *   is present, hence continue is the same as break
+             * - For 3), the loop condition is satisfied and read_record
+             *   will re-deliver the message that was held back by the client
+             *   when expecting the ServerHello.
+             */
+            continue;
         }
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
         else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
@@ -7325,12 +8575,15 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
 static int ssl_write_real( mbedtls_ssl_context *ssl,
                            const unsigned char *buf, size_t len )
 {
-    int ret;
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
-    size_t max_len = mbedtls_ssl_get_max_frag_len( ssl );
-#else
-    size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN;
-#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+    int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
+    const size_t max_len = (size_t) ret;
+
+    if( ret < 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );
+        return( ret );
+    }
+
     if( len > max_len )
     {
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
@@ -7371,7 +8624,7 @@ static int ssl_write_real( mbedtls_ssl_context *ssl,
         ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
         memcpy( ssl->out_msg, buf, len );
 
-        if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
+        if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
         {
             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
             return( ret );
@@ -7506,7 +8759,7 @@ void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
     mbedtls_md_free( &transform->md_ctx_enc );
     mbedtls_md_free( &transform->md_ctx_dec );
 
-    mbedtls_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
+    mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
 }
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -7523,11 +8776,57 @@ static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
 }
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
-void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake )
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+static void ssl_buffering_free( mbedtls_ssl_context *ssl )
 {
+    unsigned offset;
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+
+    if( hs == NULL )
+        return;
+
+    ssl_free_buffered_record( ssl );
+
+    for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
+        ssl_buffering_free_slot( ssl, offset );
+}
+
+static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
+                                     uint8_t slot )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
+
+    if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
+        return;
+
+    if( hs_buf->is_valid == 1 )
+    {
+        hs->buffering.total_bytes_buffered -= hs_buf->data_len;
+        mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len );
+        mbedtls_free( hs_buf->data );
+        memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
+    }
+}
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
     if( handshake == NULL )
         return;
 
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
+    {
+        ssl->conf->f_async_cancel( ssl );
+        handshake->async_in_progress = 0;
+    }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
     defined(MBEDTLS_SSL_PROTO_TLS1_1)
     mbedtls_md5_free(    &handshake->fin_md5  );
@@ -7566,7 +8865,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake )
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
     if( handshake->psk != NULL )
     {
-        mbedtls_zeroize( handshake->psk, handshake->psk_len );
+        mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
         mbedtls_free( handshake->psk );
     }
 #endif
@@ -7590,13 +8889,18 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake )
     }
 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
 
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx );
+#endif
+
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     mbedtls_free( handshake->verify_cookie );
-    mbedtls_free( handshake->hs_msg );
     ssl_flight_free( handshake->flight );
+    ssl_buffering_free( ssl );
 #endif
 
-    mbedtls_zeroize( handshake, sizeof( mbedtls_ssl_handshake_params ) );
+    mbedtls_platform_zeroize( handshake,
+                              sizeof( mbedtls_ssl_handshake_params ) );
 }
 
 void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
@@ -7616,7 +8920,7 @@ void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
     mbedtls_free( session->ticket );
 #endif
 
-    mbedtls_zeroize( session, sizeof( mbedtls_ssl_session ) );
+    mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );
 }
 
 /*
@@ -7631,20 +8935,20 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
 
     if( ssl->out_buf != NULL )
     {
-        mbedtls_zeroize( ssl->out_buf, MBEDTLS_SSL_BUFFER_LEN );
+        mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_OUT_BUFFER_LEN );
         mbedtls_free( ssl->out_buf );
     }
 
     if( ssl->in_buf != NULL )
     {
-        mbedtls_zeroize( ssl->in_buf, MBEDTLS_SSL_BUFFER_LEN );
+        mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_IN_BUFFER_LEN );
         mbedtls_free( ssl->in_buf );
     }
 
 #if defined(MBEDTLS_ZLIB_SUPPORT)
     if( ssl->compress_buf != NULL )
     {
-        mbedtls_zeroize( ssl->compress_buf, MBEDTLS_SSL_BUFFER_LEN );
+        mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
         mbedtls_free( ssl->compress_buf );
     }
 #endif
@@ -7657,7 +8961,7 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
 
     if( ssl->handshake )
     {
-        mbedtls_ssl_handshake_free( ssl->handshake );
+        mbedtls_ssl_handshake_free( ssl );
         mbedtls_ssl_transform_free( ssl->transform_negotiate );
         mbedtls_ssl_session_free( ssl->session_negotiate );
 
@@ -7675,7 +8979,7 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
     if( ssl->hostname != NULL )
     {
-        mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) );
+        mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
         mbedtls_free( ssl->hostname );
     }
 #endif
@@ -7695,7 +8999,7 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
 
     /* Actually clear after last debug message */
-    mbedtls_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
+    mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
 }
 
 /*
@@ -7922,11 +9226,17 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
     if( conf->psk != NULL )
     {
-        mbedtls_zeroize( conf->psk, conf->psk_len );
-        mbedtls_zeroize( conf->psk_identity, conf->psk_identity_len );
+        mbedtls_platform_zeroize( conf->psk, conf->psk_len );
         mbedtls_free( conf->psk );
-        mbedtls_free( conf->psk_identity );
+        conf->psk = NULL;
         conf->psk_len = 0;
+    }
+
+    if( conf->psk_identity != NULL )
+    {
+        mbedtls_platform_zeroize( conf->psk_identity, conf->psk_identity_len );
+        mbedtls_free( conf->psk_identity );
+        conf->psk_identity = NULL;
         conf->psk_identity_len = 0;
     }
 #endif
@@ -7935,7 +9245,7 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
     ssl_key_cert_free( conf->key_cert );
 #endif
 
-    mbedtls_zeroize( conf, sizeof( mbedtls_ssl_config ) );
+    mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );
 }
 
 #if defined(MBEDTLS_PK_C) && \
@@ -8418,13 +9728,14 @@ int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
     defined(MBEDTLS_SSL_PROTO_TLS1_2)
 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
-                                       unsigned char *output,
-                                       unsigned char *data, size_t data_len,
-                                       mbedtls_md_type_t md_alg )
+                                            unsigned char *hash, size_t *hashlen,
+                                            unsigned char *data, size_t data_len,
+                                            mbedtls_md_type_t md_alg )
 {
     int ret = 0;
     mbedtls_md_context_t ctx;
     const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
+    *hashlen = mbedtls_md_get_size( md_info );
 
     mbedtls_md_init( &ctx );
 
@@ -8455,7 +9766,7 @@ int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
         goto exit;
     }
-    if( ( ret = mbedtls_md_finish( &ctx, output ) ) != 0 )
+    if( ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
         goto exit;
diff --git a/3rdparty/mbedtls/mbedtls/library/threading.c b/3rdparty/mbedtls/mbedtls/library/threading.c
index f1c37245c7..7c90c7c595 100644
--- a/3rdparty/mbedtls/mbedtls/library/threading.c
+++ b/3rdparty/mbedtls/mbedtls/library/threading.c
@@ -19,6 +19,14 @@
  *  This file is part of mbed TLS (https://tls.mbed.org)
  */
 
+/*
+ * Ensure gmtime_r is available even with -std=c99; must be defined before
+ * config.h, which pulls in glibc's features.h. Harmless on other platforms.
+ */
+#if !defined(_POSIX_C_SOURCE)
+#define _POSIX_C_SOURCE 200112L
+#endif
+
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "mbedtls/config.h"
 #else
@@ -29,6 +37,36 @@
 
 #include "mbedtls/threading.h"
 
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+
+#if !defined(_WIN32) && (defined(unix) || \
+    defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
+    defined(__MACH__)))
+#include <unistd.h>
+#endif /* !_WIN32 && (unix || __unix || __unix__ ||
+        * (__APPLE__ && __MACH__)) */
+
+#if !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) ||     \
+       ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) &&                     \
+         _POSIX_THREAD_SAFE_FUNCTIONS >= 20112L ) )
+/*
+ * This is a convenience shorthand macro to avoid checking the long
+ * preprocessor conditions above. Ideally, we could expose this macro in
+ * platform_util.h and simply use it in platform_util.c, threading.c and
+ * threading.h. However, this macro is not part of the Mbed TLS public API, so
+ * we keep it private by only defining it in this file
+ */
+
+#if ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) )
+#define THREADING_USE_GMTIME
+#endif /* ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) ) */
+
+#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) ||     \
+             ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) &&                     \
+                _POSIX_THREAD_SAFE_FUNCTIONS >= 20112L ) ) */
+
+#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
+
 #if defined(MBEDTLS_THREADING_PTHREAD)
 static void threading_mutex_init_pthread( mbedtls_threading_mutex_t *mutex )
 {
@@ -114,7 +152,7 @@ void mbedtls_threading_set_alt( void (*mutex_init)( mbedtls_threading_mutex_t *
 #if defined(MBEDTLS_FS_IO)
     mbedtls_mutex_init( &mbedtls_threading_readdir_mutex );
 #endif
-#if defined(MBEDTLS_HAVE_TIME_DATE)
+#if defined(THREADING_USE_GMTIME)
     mbedtls_mutex_init( &mbedtls_threading_gmtime_mutex );
 #endif
 }
@@ -127,7 +165,7 @@ void mbedtls_threading_free_alt( void )
 #if defined(MBEDTLS_FS_IO)
     mbedtls_mutex_free( &mbedtls_threading_readdir_mutex );
 #endif
-#if defined(MBEDTLS_HAVE_TIME_DATE)
+#if defined(THREADING_USE_GMTIME)
     mbedtls_mutex_free( &mbedtls_threading_gmtime_mutex );
 #endif
 }
@@ -142,7 +180,7 @@ void mbedtls_threading_free_alt( void )
 #if defined(MBEDTLS_FS_IO)
 mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex MUTEX_INIT;
 #endif
-#if defined(MBEDTLS_HAVE_TIME_DATE)
+#if defined(THREADING_USE_GMTIME)
 mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex MUTEX_INIT;
 #endif
 
diff --git a/3rdparty/mbedtls/mbedtls/library/timing.c b/3rdparty/mbedtls/mbedtls/library/timing.c
index 8b9038326e..413d133fb6 100644
--- a/3rdparty/mbedtls/mbedtls/library/timing.c
+++ b/3rdparty/mbedtls/mbedtls/library/timing.c
@@ -39,7 +39,8 @@
 #if !defined(MBEDTLS_TIMING_ALT)
 
 #if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
-    !defined(__APPLE__) && !defined(_WIN32)
+    !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+    !defined(__HAIKU__)
 #error "This module only works on Unix and Windows, see MBEDTLS_TIMING_C in config.h"
 #endif
 
diff --git a/3rdparty/mbedtls/mbedtls/library/version.c b/3rdparty/mbedtls/mbedtls/library/version.c
index 6ca80d4695..fd96750885 100644
--- a/3rdparty/mbedtls/mbedtls/library/version.c
+++ b/3rdparty/mbedtls/mbedtls/library/version.c
@@ -30,7 +30,7 @@
 #include "mbedtls/version.h"
 #include <string.h>
 
-unsigned int mbedtls_version_get_number()
+unsigned int mbedtls_version_get_number( void )
 {
     return( MBEDTLS_VERSION_NUMBER );
 }
diff --git a/3rdparty/mbedtls/mbedtls/library/version_features.c b/3rdparty/mbedtls/mbedtls/library/version_features.c
index d6deb01498..24143d052c 100644
--- a/3rdparty/mbedtls/mbedtls/library/version_features.c
+++ b/3rdparty/mbedtls/mbedtls/library/version_features.c
@@ -39,6 +39,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_NO_UDBL_DIVISION)
     "MBEDTLS_NO_UDBL_DIVISION",
 #endif /* MBEDTLS_NO_UDBL_DIVISION */
+#if defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
+    "MBEDTLS_NO_64BIT_MULTIPLICATION",
+#endif /* MBEDTLS_NO_64BIT_MULTIPLICATION */
 #if defined(MBEDTLS_HAVE_SSE2)
     "MBEDTLS_HAVE_SSE2",
 #endif /* MBEDTLS_HAVE_SSE2 */
@@ -81,6 +84,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_DEPRECATED_REMOVED)
     "MBEDTLS_DEPRECATED_REMOVED",
 #endif /* MBEDTLS_DEPRECATED_REMOVED */
+#if defined(MBEDTLS_CHECK_PARAMS)
+    "MBEDTLS_CHECK_PARAMS",
+#endif /* MBEDTLS_CHECK_PARAMS */
 #if defined(MBEDTLS_TIMING_ALT)
     "MBEDTLS_TIMING_ALT",
 #endif /* MBEDTLS_TIMING_ALT */
@@ -90,6 +96,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_ARC4_ALT)
     "MBEDTLS_ARC4_ALT",
 #endif /* MBEDTLS_ARC4_ALT */
+#if defined(MBEDTLS_ARIA_ALT)
+    "MBEDTLS_ARIA_ALT",
+#endif /* MBEDTLS_ARIA_ALT */
 #if defined(MBEDTLS_BLOWFISH_ALT)
     "MBEDTLS_BLOWFISH_ALT",
 #endif /* MBEDTLS_BLOWFISH_ALT */
@@ -99,6 +108,12 @@ static const char *features[] = {
 #if defined(MBEDTLS_CCM_ALT)
     "MBEDTLS_CCM_ALT",
 #endif /* MBEDTLS_CCM_ALT */
+#if defined(MBEDTLS_CHACHA20_ALT)
+    "MBEDTLS_CHACHA20_ALT",
+#endif /* MBEDTLS_CHACHA20_ALT */
+#if defined(MBEDTLS_CHACHAPOLY_ALT)
+    "MBEDTLS_CHACHAPOLY_ALT",
+#endif /* MBEDTLS_CHACHAPOLY_ALT */
 #if defined(MBEDTLS_CMAC_ALT)
     "MBEDTLS_CMAC_ALT",
 #endif /* MBEDTLS_CMAC_ALT */
@@ -114,6 +129,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_GCM_ALT)
     "MBEDTLS_GCM_ALT",
 #endif /* MBEDTLS_GCM_ALT */
+#if defined(MBEDTLS_NIST_KW_ALT)
+    "MBEDTLS_NIST_KW_ALT",
+#endif /* MBEDTLS_NIST_KW_ALT */
 #if defined(MBEDTLS_MD2_ALT)
     "MBEDTLS_MD2_ALT",
 #endif /* MBEDTLS_MD2_ALT */
@@ -123,6 +141,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_MD5_ALT)
     "MBEDTLS_MD5_ALT",
 #endif /* MBEDTLS_MD5_ALT */
+#if defined(MBEDTLS_POLY1305_ALT)
+    "MBEDTLS_POLY1305_ALT",
+#endif /* MBEDTLS_POLY1305_ALT */
 #if defined(MBEDTLS_RIPEMD160_ALT)
     "MBEDTLS_RIPEMD160_ALT",
 #endif /* MBEDTLS_RIPEMD160_ALT */
@@ -237,6 +258,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_AES_ROM_TABLES)
     "MBEDTLS_AES_ROM_TABLES",
 #endif /* MBEDTLS_AES_ROM_TABLES */
+#if defined(MBEDTLS_AES_FEWER_TABLES)
+    "MBEDTLS_AES_FEWER_TABLES",
+#endif /* MBEDTLS_AES_FEWER_TABLES */
 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
     "MBEDTLS_CAMELLIA_SMALL_MEMORY",
 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
@@ -249,6 +273,12 @@ static const char *features[] = {
 #if defined(MBEDTLS_CIPHER_MODE_CTR)
     "MBEDTLS_CIPHER_MODE_CTR",
 #endif /* MBEDTLS_CIPHER_MODE_CTR */
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    "MBEDTLS_CIPHER_MODE_OFB",
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    "MBEDTLS_CIPHER_MODE_XTS",
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
 #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
     "MBEDTLS_CIPHER_NULL_CIPHER",
 #endif /* MBEDTLS_CIPHER_NULL_CIPHER */
@@ -309,9 +339,15 @@ static const char *features[] = {
 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
     "MBEDTLS_ECP_DP_CURVE25519_ENABLED",
 #endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+    "MBEDTLS_ECP_DP_CURVE448_ENABLED",
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
 #if defined(MBEDTLS_ECP_NIST_OPTIM)
     "MBEDTLS_ECP_NIST_OPTIM",
 #endif /* MBEDTLS_ECP_NIST_OPTIM */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    "MBEDTLS_ECP_RESTARTABLE",
+#endif /* MBEDTLS_ECP_RESTARTABLE */
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
     "MBEDTLS_ECDSA_DETERMINISTIC",
 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
@@ -399,6 +435,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
     "MBEDTLS_SSL_ALL_ALERT_MESSAGES",
 #endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    "MBEDTLS_SSL_ASYNC_PRIVATE",
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
 #if defined(MBEDTLS_SSL_DEBUG_ALL)
     "MBEDTLS_SSL_DEBUG_ALL",
 #endif /* MBEDTLS_SSL_DEBUG_ALL */
@@ -528,12 +567,21 @@ static const char *features[] = {
 #if defined(MBEDTLS_CAMELLIA_C)
     "MBEDTLS_CAMELLIA_C",
 #endif /* MBEDTLS_CAMELLIA_C */
+#if defined(MBEDTLS_ARIA_C)
+    "MBEDTLS_ARIA_C",
+#endif /* MBEDTLS_ARIA_C */
 #if defined(MBEDTLS_CCM_C)
     "MBEDTLS_CCM_C",
 #endif /* MBEDTLS_CCM_C */
 #if defined(MBEDTLS_CERTS_C)
     "MBEDTLS_CERTS_C",
 #endif /* MBEDTLS_CERTS_C */
+#if defined(MBEDTLS_CHACHA20_C)
+    "MBEDTLS_CHACHA20_C",
+#endif /* MBEDTLS_CHACHA20_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    "MBEDTLS_CHACHAPOLY_C",
+#endif /* MBEDTLS_CHACHAPOLY_C */
 #if defined(MBEDTLS_CIPHER_C)
     "MBEDTLS_CIPHER_C",
 #endif /* MBEDTLS_CIPHER_C */
@@ -576,9 +624,15 @@ static const char *features[] = {
 #if defined(MBEDTLS_HAVEGE_C)
     "MBEDTLS_HAVEGE_C",
 #endif /* MBEDTLS_HAVEGE_C */
+#if defined(MBEDTLS_HKDF_C)
+    "MBEDTLS_HKDF_C",
+#endif /* MBEDTLS_HKDF_C */
 #if defined(MBEDTLS_HMAC_DRBG_C)
     "MBEDTLS_HMAC_DRBG_C",
 #endif /* MBEDTLS_HMAC_DRBG_C */
+#if defined(MBEDTLS_NIST_KW_C)
+    "MBEDTLS_NIST_KW_C",
+#endif /* MBEDTLS_NIST_KW_C */
 #if defined(MBEDTLS_MD_C)
     "MBEDTLS_MD_C",
 #endif /* MBEDTLS_MD_C */
@@ -630,6 +684,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_PLATFORM_C)
     "MBEDTLS_PLATFORM_C",
 #endif /* MBEDTLS_PLATFORM_C */
+#if defined(MBEDTLS_POLY1305_C)
+    "MBEDTLS_POLY1305_C",
+#endif /* MBEDTLS_POLY1305_C */
 #if defined(MBEDTLS_RIPEMD160_C)
     "MBEDTLS_RIPEMD160_C",
 #endif /* MBEDTLS_RIPEMD160_C */
diff --git a/3rdparty/mbedtls/mbedtls/library/x509.c b/3rdparty/mbedtls/mbedtls/library/x509.c
index 59b6ba3bdd..a562df7ca3 100644
--- a/3rdparty/mbedtls/mbedtls/library/x509.c
+++ b/3rdparty/mbedtls/mbedtls/library/x509.c
@@ -59,19 +59,23 @@
 #define mbedtls_snprintf  snprintf
 #endif
 
-
 #if defined(MBEDTLS_HAVE_TIME)
 #include "mbedtls/platform_time.h"
 #endif
-
-#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
-#include <windows.h>
-#else
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+#include "mbedtls/platform_util.h"
 #include <time.h>
 #endif
 
-#define CHECK(code) if( ( ret = code ) != 0 ){ return( ret ); }
-#define CHECK_RANGE(min, max, val) if( val < min || val > max ){ return( ret ); }
+#define CHECK(code) if( ( ret = ( code ) ) != 0 ){ return( ret ); }
+#define CHECK_RANGE(min, max, val)                      \
+    do                                                  \
+    {                                                   \
+        if( ( val ) < ( min ) || ( val ) > ( max ) )    \
+        {                                               \
+            return( ret );                              \
+        }                                               \
+    } while( 0 )
 
 /*
  *  CertificateSerialNumber  ::=  INTEGER
@@ -897,36 +901,14 @@ int mbedtls_x509_key_size_helper( char *buf, size_t buf_size, const char *name )
  * Set the time structure to the current time.
  * Return 0 on success, non-zero on failure.
  */
-#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
-static int x509_get_current_time( mbedtls_x509_time *now )
-{
-    SYSTEMTIME st;
-
-    GetSystemTime( &st );
-
-    now->year = st.wYear;
-    now->mon  = st.wMonth;
-    now->day  = st.wDay;
-    now->hour = st.wHour;
-    now->min  = st.wMinute;
-    now->sec  = st.wSecond;
-
-    return( 0 );
-}
-#else
 static int x509_get_current_time( mbedtls_x509_time *now )
 {
-    struct tm *lt;
+    struct tm *lt, tm_buf;
     mbedtls_time_t tt;
     int ret = 0;
 
-#if defined(MBEDTLS_THREADING_C)
-    if( mbedtls_mutex_lock( &mbedtls_threading_gmtime_mutex ) != 0 )
-        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
-#endif
-
     tt = mbedtls_time( NULL );
-    lt = gmtime( &tt );
+    lt = mbedtls_platform_gmtime_r( &tt, &tm_buf );
 
     if( lt == NULL )
         ret = -1;
@@ -940,14 +922,8 @@ static int x509_get_current_time( mbedtls_x509_time *now )
         now->sec  = lt->tm_sec;
     }
 
-#if defined(MBEDTLS_THREADING_C)
-    if( mbedtls_mutex_unlock( &mbedtls_threading_gmtime_mutex ) != 0 )
-        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
-#endif
-
     return( ret );
 }
-#endif /* _WIN32 && !EFIX64 && !EFI32 */
 
 /*
  * Return 0 if before <= after, 1 otherwise
diff --git a/3rdparty/mbedtls/mbedtls/library/x509_create.c b/3rdparty/mbedtls/mbedtls/library/x509_create.c
index df20ec8ebd..546e8fa1a9 100644
--- a/3rdparty/mbedtls/mbedtls/library/x509_create.c
+++ b/3rdparty/mbedtls/mbedtls/library/x509_create.c
@@ -33,48 +33,84 @@
 
 #include <string.h>
 
+/* Structure linking OIDs for X.509 DN AttributeTypes to their
+ * string representations and default string encodings used by Mbed TLS. */
 typedef struct {
-    const char *name;
-    size_t name_len;
-    const char*oid;
+   const char *name; /* String representation of AttributeType, e.g.
+                      * "CN" or "emailAddress". */
+   size_t name_len;  /* Length of 'name', without trailing 0 byte. */
+   const char *oid;  /* String representation of OID of AttributeType,
+                      * as per RFC 5280, Appendix A.1. */
+   int default_tag;  /* The default character encoding used for the
+                      * given attribute type, e.g.
+                      * MBEDTLS_ASN1_UTF8_STRING for UTF-8. */
 } x509_attr_descriptor_t;
 
 #define ADD_STRLEN( s )     s, sizeof( s ) - 1
 
+/* X.509 DN attributes from RFC 5280, Appendix A.1. */
 static const x509_attr_descriptor_t x509_attrs[] =
 {
-    { ADD_STRLEN( "CN" ),                       MBEDTLS_OID_AT_CN },
-    { ADD_STRLEN( "commonName" ),               MBEDTLS_OID_AT_CN },
-    { ADD_STRLEN( "C" ),                        MBEDTLS_OID_AT_COUNTRY },
-    { ADD_STRLEN( "countryName" ),              MBEDTLS_OID_AT_COUNTRY },
-    { ADD_STRLEN( "O" ),                        MBEDTLS_OID_AT_ORGANIZATION },
-    { ADD_STRLEN( "organizationName" ),         MBEDTLS_OID_AT_ORGANIZATION },
-    { ADD_STRLEN( "L" ),                        MBEDTLS_OID_AT_LOCALITY },
-    { ADD_STRLEN( "locality" ),                 MBEDTLS_OID_AT_LOCALITY },
-    { ADD_STRLEN( "R" ),                        MBEDTLS_OID_PKCS9_EMAIL },
-    { ADD_STRLEN( "OU" ),                       MBEDTLS_OID_AT_ORG_UNIT },
-    { ADD_STRLEN( "organizationalUnitName" ),   MBEDTLS_OID_AT_ORG_UNIT },
-    { ADD_STRLEN( "ST" ),                       MBEDTLS_OID_AT_STATE },
-    { ADD_STRLEN( "stateOrProvinceName" ),      MBEDTLS_OID_AT_STATE },
-    { ADD_STRLEN( "emailAddress" ),             MBEDTLS_OID_PKCS9_EMAIL },
-    { ADD_STRLEN( "serialNumber" ),             MBEDTLS_OID_AT_SERIAL_NUMBER },
-    { ADD_STRLEN( "postalAddress" ),            MBEDTLS_OID_AT_POSTAL_ADDRESS },
-    { ADD_STRLEN( "postalCode" ),               MBEDTLS_OID_AT_POSTAL_CODE },
-    { ADD_STRLEN( "dnQualifier" ),              MBEDTLS_OID_AT_DN_QUALIFIER },
-    { ADD_STRLEN( "title" ),                    MBEDTLS_OID_AT_TITLE },
-    { ADD_STRLEN( "surName" ),                  MBEDTLS_OID_AT_SUR_NAME },
-    { ADD_STRLEN( "SN" ),                       MBEDTLS_OID_AT_SUR_NAME },
-    { ADD_STRLEN( "givenName" ),                MBEDTLS_OID_AT_GIVEN_NAME },
-    { ADD_STRLEN( "GN" ),                       MBEDTLS_OID_AT_GIVEN_NAME },
-    { ADD_STRLEN( "initials" ),                 MBEDTLS_OID_AT_INITIALS },
-    { ADD_STRLEN( "pseudonym" ),                MBEDTLS_OID_AT_PSEUDONYM },
-    { ADD_STRLEN( "generationQualifier" ),      MBEDTLS_OID_AT_GENERATION_QUALIFIER },
-    { ADD_STRLEN( "domainComponent" ),          MBEDTLS_OID_DOMAIN_COMPONENT },
-    { ADD_STRLEN( "DC" ),                       MBEDTLS_OID_DOMAIN_COMPONENT },
-    { NULL, 0, NULL }
+    { ADD_STRLEN( "CN" ),
+      MBEDTLS_OID_AT_CN, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "commonName" ),
+      MBEDTLS_OID_AT_CN, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "C" ),
+      MBEDTLS_OID_AT_COUNTRY, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "countryName" ),
+      MBEDTLS_OID_AT_COUNTRY, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "O" ),
+      MBEDTLS_OID_AT_ORGANIZATION, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "organizationName" ),
+      MBEDTLS_OID_AT_ORGANIZATION, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "L" ),
+      MBEDTLS_OID_AT_LOCALITY, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "locality" ),
+      MBEDTLS_OID_AT_LOCALITY, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "R" ),
+      MBEDTLS_OID_PKCS9_EMAIL, MBEDTLS_ASN1_IA5_STRING },
+    { ADD_STRLEN( "OU" ),
+      MBEDTLS_OID_AT_ORG_UNIT, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "organizationalUnitName" ),
+      MBEDTLS_OID_AT_ORG_UNIT, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "ST" ),
+      MBEDTLS_OID_AT_STATE, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "stateOrProvinceName" ),
+      MBEDTLS_OID_AT_STATE, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "emailAddress" ),
+      MBEDTLS_OID_PKCS9_EMAIL, MBEDTLS_ASN1_IA5_STRING },
+    { ADD_STRLEN( "serialNumber" ),
+      MBEDTLS_OID_AT_SERIAL_NUMBER, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "postalAddress" ),
+      MBEDTLS_OID_AT_POSTAL_ADDRESS, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "postalCode" ),
+      MBEDTLS_OID_AT_POSTAL_CODE, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "dnQualifier" ),
+      MBEDTLS_OID_AT_DN_QUALIFIER, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "title" ),
+      MBEDTLS_OID_AT_TITLE, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "surName" ),
+      MBEDTLS_OID_AT_SUR_NAME, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "SN" ),
+      MBEDTLS_OID_AT_SUR_NAME, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "givenName" ),
+      MBEDTLS_OID_AT_GIVEN_NAME, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "GN" ),
+      MBEDTLS_OID_AT_GIVEN_NAME, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "initials" ),
+      MBEDTLS_OID_AT_INITIALS, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "pseudonym" ),
+      MBEDTLS_OID_AT_PSEUDONYM, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "generationQualifier" ),
+      MBEDTLS_OID_AT_GENERATION_QUALIFIER, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "domainComponent" ),
+      MBEDTLS_OID_DOMAIN_COMPONENT, MBEDTLS_ASN1_IA5_STRING },
+    { ADD_STRLEN( "DC" ),
+      MBEDTLS_OID_DOMAIN_COMPONENT,   MBEDTLS_ASN1_IA5_STRING },
+    { NULL, 0, NULL, MBEDTLS_ASN1_NULL }
 };
 
-static const char *x509_at_oid_from_name( const char *name, size_t name_len )
+static const x509_attr_descriptor_t *x509_attr_descr_from_name( const char *name, size_t name_len )
 {
     const x509_attr_descriptor_t *cur;
 
@@ -83,7 +119,10 @@ static const char *x509_at_oid_from_name( const char *name, size_t name_len )
             strncmp( cur->name, name, name_len ) == 0 )
             break;
 
-    return( cur->oid );
+    if ( cur->name == NULL )
+        return( NULL );
+
+    return( cur );
 }
 
 int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *name )
@@ -92,6 +131,7 @@ int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *na
     const char *s = name, *c = s;
     const char *end = s + strlen( s );
     const char *oid = NULL;
+    const x509_attr_descriptor_t* attr_descr = NULL;
     int in_tag = 1;
     char data[MBEDTLS_X509_MAX_DN_NAME_SIZE];
     char *d = data;
@@ -103,12 +143,13 @@ int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *na
     {
         if( in_tag && *c == '=' )
         {
-            if( ( oid = x509_at_oid_from_name( s, c - s ) ) == NULL )
+            if( ( attr_descr = x509_attr_descr_from_name( s, c - s ) ) == NULL )
             {
                 ret = MBEDTLS_ERR_X509_UNKNOWN_OID;
                 goto exit;
             }
 
+            oid = attr_descr->oid;
             s = c + 1;
             in_tag = 0;
             d = data;
@@ -127,13 +168,19 @@ int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *na
         }
         else if( !in_tag && ( *c == ',' || c == end ) )
         {
-            if( mbedtls_asn1_store_named_data( head, oid, strlen( oid ),
-                                       (unsigned char *) data,
-                                       d - data ) == NULL )
+            mbedtls_asn1_named_data* cur =
+                mbedtls_asn1_store_named_data( head, oid, strlen( oid ),
+                                               (unsigned char *) data,
+                                               d - data );
+
+            if(cur == NULL )
             {
                 return( MBEDTLS_ERR_X509_ALLOC_FAILED );
             }
 
+            // set tagType
+            cur->val.tag = attr_descr->default_tag;
+
             while( c < end && *(c + 1) == ' ' )
                 c++;
 
@@ -192,46 +239,40 @@ int mbedtls_x509_set_extension( mbedtls_asn1_named_data **head, const char *oid,
  *
  *  AttributeValue ::= ANY DEFINED BY AttributeType
  */
-static int x509_write_name( unsigned char **p, unsigned char *start,
-                            const char *oid, size_t oid_len,
-                            const unsigned char *name, size_t name_len )
+static int x509_write_name( unsigned char **p, unsigned char *start, mbedtls_asn1_named_data* cur_name)
 {
     int ret;
     size_t len = 0;
-
-    // Write PrintableString for all except MBEDTLS_OID_PKCS9_EMAIL
-    //
-    if( MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS9_EMAIL ) == oid_len &&
-        memcmp( oid, MBEDTLS_OID_PKCS9_EMAIL, oid_len ) == 0 )
-    {
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_ia5_string( p, start,
-                                                  (const char *) name,
-                                                  name_len ) );
-    }
-    else
-    {
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_printable_string( p, start,
-                                                        (const char *) name,
-                                                        name_len ) );
-    }
-
+    const char *oid             = (const char*)cur_name->oid.p;
+    size_t oid_len              = cur_name->oid.len;
+    const unsigned char *name   = cur_name->val.p;
+    size_t name_len             = cur_name->val.len;
+
+    // Write correct string tag and value
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tagged_string( p, start,
+                                                       cur_name->val.tag,
+                                                       (const char *) name,
+                                                       name_len ) );
     // Write OID
     //
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( p, start, oid, oid_len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( p, start, oid,
+                                                       oid_len ) );
 
     MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
-                                                 MBEDTLS_ASN1_SEQUENCE ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start,
+                                                    MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_SEQUENCE ) );
 
     MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start,
+                                                 MBEDTLS_ASN1_CONSTRUCTED |
                                                  MBEDTLS_ASN1_SET ) );
 
     return( (int) len );
 }
 
 int mbedtls_x509_write_names( unsigned char **p, unsigned char *start,
-                      mbedtls_asn1_named_data *first )
+                              mbedtls_asn1_named_data *first )
 {
     int ret;
     size_t len = 0;
@@ -239,9 +280,7 @@ int mbedtls_x509_write_names( unsigned char **p, unsigned char *start,
 
     while( cur != NULL )
     {
-        MBEDTLS_ASN1_CHK_ADD( len, x509_write_name( p, start, (char *) cur->oid.p,
-                                            cur->oid.len,
-                                            cur->val.p, cur->val.len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, x509_write_name( p, start, cur ) );
         cur = cur->next;
     }
 
diff --git a/3rdparty/mbedtls/mbedtls/library/x509_crl.c b/3rdparty/mbedtls/mbedtls/library/x509_crl.c
index 3ceb77091e..00f8545d7c 100644
--- a/3rdparty/mbedtls/mbedtls/library/x509_crl.c
+++ b/3rdparty/mbedtls/mbedtls/library/x509_crl.c
@@ -39,6 +39,7 @@
 
 #include "mbedtls/x509_crl.h"
 #include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -66,11 +67,6 @@
 #include <stdio.h>
 #endif
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 /*
  *  Version  ::=  INTEGER  {  v1(0), v2(1)  }
  */
@@ -616,7 +612,7 @@ int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path )
 
     ret = mbedtls_x509_crl_parse( chain, buf, n );
 
-    mbedtls_zeroize( buf, n );
+    mbedtls_platform_zeroize( buf, n );
     mbedtls_free( buf );
 
     return( ret );
@@ -737,7 +733,7 @@ void mbedtls_x509_crl_free( mbedtls_x509_crl *crl )
         {
             name_prv = name_cur;
             name_cur = name_cur->next;
-            mbedtls_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+            mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
             mbedtls_free( name_prv );
         }
 
@@ -746,13 +742,14 @@ void mbedtls_x509_crl_free( mbedtls_x509_crl *crl )
         {
             entry_prv = entry_cur;
             entry_cur = entry_cur->next;
-            mbedtls_zeroize( entry_prv, sizeof( mbedtls_x509_crl_entry ) );
+            mbedtls_platform_zeroize( entry_prv,
+                                      sizeof( mbedtls_x509_crl_entry ) );
             mbedtls_free( entry_prv );
         }
 
         if( crl_cur->raw.p != NULL )
         {
-            mbedtls_zeroize( crl_cur->raw.p, crl_cur->raw.len );
+            mbedtls_platform_zeroize( crl_cur->raw.p, crl_cur->raw.len );
             mbedtls_free( crl_cur->raw.p );
         }
 
@@ -766,7 +763,7 @@ void mbedtls_x509_crl_free( mbedtls_x509_crl *crl )
         crl_prv = crl_cur;
         crl_cur = crl_cur->next;
 
-        mbedtls_zeroize( crl_prv, sizeof( mbedtls_x509_crl ) );
+        mbedtls_platform_zeroize( crl_prv, sizeof( mbedtls_x509_crl ) );
         if( crl_prv != crl )
             mbedtls_free( crl_prv );
     }
diff --git a/3rdparty/mbedtls/mbedtls/library/x509_crt.c b/3rdparty/mbedtls/mbedtls/library/x509_crt.c
index 3ad53a7156..97e1d72e3c 100644
--- a/3rdparty/mbedtls/mbedtls/library/x509_crt.c
+++ b/3rdparty/mbedtls/mbedtls/library/x509_crt.c
@@ -27,6 +27,8 @@
  *
  *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
  *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ *
+ *  [SIRO] https://cabforum.org/wp-content/uploads/Chunghwatelecom201503cabforumV4.pdf
  */
 
 #if !defined(MBEDTLS_CONFIG_FILE)
@@ -39,6 +41,7 @@
 
 #include "mbedtls/x509_crt.h"
 #include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -75,10 +78,18 @@
 #endif /* !_WIN32 || EFIX64 || EFI32 */
 #endif
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
+/*
+ * Item in a verification chain: cert and flags for it
+ */
+typedef struct {
+    mbedtls_x509_crt *crt;
+    uint32_t flags;
+} x509_crt_verify_chain_item;
+
+/*
+ * Max size of verification chain: end-entity + intermediates + trusted root
+ */
+#define X509_MAX_VERIFY_CHAIN_SIZE    ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
 
 /*
  * Default profile
@@ -147,7 +158,7 @@ const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
 
 /*
  * Check md_alg against profile
- * Return 0 if md_alg acceptable for this profile, -1 otherwise
+ * Return 0 if md_alg is acceptable for this profile, -1 otherwise
  */
 static int x509_profile_check_md_alg( const mbedtls_x509_crt_profile *profile,
                                       mbedtls_md_type_t md_alg )
@@ -163,7 +174,7 @@ static int x509_profile_check_md_alg( const mbedtls_x509_crt_profile *profile,
 
 /*
  * Check pk_alg against profile
- * Return 0 if pk_alg acceptable for this profile, -1 otherwise
+ * Return 0 if pk_alg is acceptable for this profile, -1 otherwise
  */
 static int x509_profile_check_pk_alg( const mbedtls_x509_crt_profile *profile,
                                       mbedtls_pk_type_t pk_alg )
@@ -179,12 +190,13 @@ static int x509_profile_check_pk_alg( const mbedtls_x509_crt_profile *profile,
 
 /*
  * Check key against profile
- * Return 0 if pk_alg acceptable for this profile, -1 otherwise
+ * Return 0 if pk is acceptable for this profile, -1 otherwise
  */
 static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile,
-                                   mbedtls_pk_type_t pk_alg,
                                    const mbedtls_pk_context *pk )
 {
+    const mbedtls_pk_type_t pk_alg = mbedtls_pk_get_type( pk );
+
 #if defined(MBEDTLS_RSA_C)
     if( pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS )
     {
@@ -200,7 +212,7 @@ static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile,
         pk_alg == MBEDTLS_PK_ECKEY ||
         pk_alg == MBEDTLS_PK_ECKEY_DH )
     {
-        mbedtls_ecp_group_id gid = mbedtls_pk_ec( *pk )->grp.id;
+        const mbedtls_ecp_group_id gid = mbedtls_pk_ec( *pk )->grp.id;
 
         if( gid == MBEDTLS_ECP_DP_NONE )
             return( -1 );
@@ -215,6 +227,153 @@ static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile,
     return( -1 );
 }
 
+/*
+ * Like memcmp, but case-insensitive and always returns -1 if different
+ */
+static int x509_memcasecmp( const void *s1, const void *s2, size_t len )
+{
+    size_t i;
+    unsigned char diff;
+    const unsigned char *n1 = s1, *n2 = s2;
+
+    for( i = 0; i < len; i++ )
+    {
+        diff = n1[i] ^ n2[i];
+
+        if( diff == 0 )
+            continue;
+
+        if( diff == 32 &&
+            ( ( n1[i] >= 'a' && n1[i] <= 'z' ) ||
+              ( n1[i] >= 'A' && n1[i] <= 'Z' ) ) )
+        {
+            continue;
+        }
+
+        return( -1 );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Return 0 if name matches wildcard, -1 otherwise
+ */
+static int x509_check_wildcard( const char *cn, const mbedtls_x509_buf *name )
+{
+    size_t i;
+    size_t cn_idx = 0, cn_len = strlen( cn );
+
+    /* We can't have a match if there is no wildcard to match */
+    if( name->len < 3 || name->p[0] != '*' || name->p[1] != '.' )
+        return( -1 );
+
+    for( i = 0; i < cn_len; ++i )
+    {
+        if( cn[i] == '.' )
+        {
+            cn_idx = i;
+            break;
+        }
+    }
+
+    if( cn_idx == 0 )
+        return( -1 );
+
+    if( cn_len - cn_idx == name->len - 1 &&
+        x509_memcasecmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
+    {
+        return( 0 );
+    }
+
+    return( -1 );
+}
+
+/*
+ * Compare two X.509 strings, case-insensitive, and allowing for some encoding
+ * variations (but not all).
+ *
+ * Return 0 if equal, -1 otherwise.
+ */
+static int x509_string_cmp( const mbedtls_x509_buf *a, const mbedtls_x509_buf *b )
+{
+    if( a->tag == b->tag &&
+        a->len == b->len &&
+        memcmp( a->p, b->p, b->len ) == 0 )
+    {
+        return( 0 );
+    }
+
+    if( ( a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
+        ( b->tag == MBEDTLS_ASN1_UTF8_STRING || b->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
+        a->len == b->len &&
+        x509_memcasecmp( a->p, b->p, b->len ) == 0 )
+    {
+        return( 0 );
+    }
+
+    return( -1 );
+}
+
+/*
+ * Compare two X.509 Names (aka rdnSequence).
+ *
+ * See RFC 5280 section 7.1, though we don't implement the whole algorithm:
+ * we sometimes return unequal when the full algorithm would return equal,
+ * but never the other way. (In particular, we don't do Unicode normalisation
+ * or space folding.)
+ *
+ * Return 0 if equal, -1 otherwise.
+ */
+static int x509_name_cmp( const mbedtls_x509_name *a, const mbedtls_x509_name *b )
+{
+    /* Avoid recursion, it might not be optimised by the compiler */
+    while( a != NULL || b != NULL )
+    {
+        if( a == NULL || b == NULL )
+            return( -1 );
+
+        /* type */
+        if( a->oid.tag != b->oid.tag ||
+            a->oid.len != b->oid.len ||
+            memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 )
+        {
+            return( -1 );
+        }
+
+        /* value */
+        if( x509_string_cmp( &a->val, &b->val ) != 0 )
+            return( -1 );
+
+        /* structure of the list of sets */
+        if( a->next_merged != b->next_merged )
+            return( -1 );
+
+        a = a->next;
+        b = b->next;
+    }
+
+    /* a == NULL == b */
+    return( 0 );
+}
+
+/*
+ * Reset (init or clear) a verify_chain
+ */
+static void x509_crt_verify_chain_reset(
+    mbedtls_x509_crt_verify_chain *ver_chain )
+{
+    size_t i;
+
+    for( i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++ )
+    {
+        ver_chain->items[i].crt = NULL;
+        ver_chain->items[i].flags = (uint32_t) -1;
+    }
+
+    ver_chain->len = 0;
+}
+
 /*
  *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
  */
@@ -1103,7 +1262,7 @@ int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path )
 
     ret = mbedtls_x509_crt_parse( chain, buf, n );
 
-    mbedtls_zeroize( buf, n );
+    mbedtls_platform_zeroize( buf, n );
     mbedtls_free( buf );
 
     return( ret );
@@ -1279,7 +1438,7 @@ static int x509_info_subject_alt_name( char **buf, size_t *size,
     }
 
 #define CERT_TYPE(type,name)                    \
-    if( ns_cert_type & type )                   \
+    if( ns_cert_type & (type) )                 \
         PRINT_ITEM( name );
 
 static int x509_info_cert_type( char **buf, size_t *size,
@@ -1306,7 +1465,7 @@ static int x509_info_cert_type( char **buf, size_t *size,
 }
 
 #define KEY_USAGE(code,name)    \
-    if( key_usage & code )      \
+    if( key_usage & (code) )    \
         PRINT_ITEM( name );
 
 static int x509_info_key_usage( char **buf, size_t *size,
@@ -1363,209 +1522,80 @@ static int x509_info_ext_key_usage( char **buf, size_t *size,
 }
 
 /*
- * Like memcmp, but case-insensitive and always returns -1 if different
+ * Return an informational string about the certificate.
  */
-static int x509_memcasecmp( const void *s1, const void *s2, size_t len )
+#define BEFORE_COLON    18
+#define BC              "18"
+int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_crt *crt )
 {
-    size_t i;
-    unsigned char diff;
-    const unsigned char *n1 = s1, *n2 = s2;
+    int ret;
+    size_t n;
+    char *p;
+    char key_size_str[BEFORE_COLON];
 
-    for( i = 0; i < len; i++ )
+    p = buf;
+    n = size;
+
+    if( NULL == crt )
     {
-        diff = n1[i] ^ n2[i];
+        ret = mbedtls_snprintf( p, n, "\nCertificate is uninitialised!\n" );
+        MBEDTLS_X509_SAFE_SNPRINTF;
 
-        if( diff == 0 )
-            continue;
+        return( (int) ( size - n ) );
+    }
 
-        if( diff == 32 &&
-            ( ( n1[i] >= 'a' && n1[i] <= 'z' ) ||
-              ( n1[i] >= 'A' && n1[i] <= 'Z' ) ) )
-        {
-            continue;
-        }
+    ret = mbedtls_snprintf( p, n, "%scert. version     : %d\n",
+                               prefix, crt->version );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_snprintf( p, n, "%sserial number     : ",
+                               prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
 
-        return( -1 );
-    }
+    ret = mbedtls_x509_serial_gets( p, n, &crt->serial );
+    MBEDTLS_X509_SAFE_SNPRINTF;
 
-    return( 0 );
-}
+    ret = mbedtls_snprintf( p, n, "\n%sissuer name       : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets( p, n, &crt->issuer  );
+    MBEDTLS_X509_SAFE_SNPRINTF;
 
-/*
- * Return 0 if name matches wildcard, -1 otherwise
- */
-static int x509_check_wildcard( const char *cn, mbedtls_x509_buf *name )
-{
-    size_t i;
-    size_t cn_idx = 0, cn_len = strlen( cn );
+    ret = mbedtls_snprintf( p, n, "\n%ssubject name      : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets( p, n, &crt->subject );
+    MBEDTLS_X509_SAFE_SNPRINTF;
 
-    if( name->len < 3 || name->p[0] != '*' || name->p[1] != '.' )
-        return( 0 );
+    ret = mbedtls_snprintf( p, n, "\n%sissued  on        : " \
+                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+                   crt->valid_from.year, crt->valid_from.mon,
+                   crt->valid_from.day,  crt->valid_from.hour,
+                   crt->valid_from.min,  crt->valid_from.sec );
+    MBEDTLS_X509_SAFE_SNPRINTF;
 
-    for( i = 0; i < cn_len; ++i )
-    {
-        if( cn[i] == '.' )
-        {
-            cn_idx = i;
-            break;
-        }
-    }
+    ret = mbedtls_snprintf( p, n, "\n%sexpires on        : " \
+                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+                   crt->valid_to.year, crt->valid_to.mon,
+                   crt->valid_to.day,  crt->valid_to.hour,
+                   crt->valid_to.min,  crt->valid_to.sec );
+    MBEDTLS_X509_SAFE_SNPRINTF;
 
-    if( cn_idx == 0 )
-        return( -1 );
+    ret = mbedtls_snprintf( p, n, "\n%ssigned using      : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
 
-    if( cn_len - cn_idx == name->len - 1 &&
-        x509_memcasecmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
+    ret = mbedtls_x509_sig_alg_gets( p, n, &crt->sig_oid, crt->sig_pk,
+                             crt->sig_md, crt->sig_opts );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    /* Key size */
+    if( ( ret = mbedtls_x509_key_size_helper( key_size_str, BEFORE_COLON,
+                                      mbedtls_pk_get_name( &crt->pk ) ) ) != 0 )
     {
-        return( 0 );
+        return( ret );
     }
 
-    return( -1 );
-}
-
-/*
- * Compare two X.509 strings, case-insensitive, and allowing for some encoding
- * variations (but not all).
- *
- * Return 0 if equal, -1 otherwise.
- */
-static int x509_string_cmp( const mbedtls_x509_buf *a, const mbedtls_x509_buf *b )
-{
-    if( a->tag == b->tag &&
-        a->len == b->len &&
-        memcmp( a->p, b->p, b->len ) == 0 )
-    {
-        return( 0 );
-    }
-
-    if( ( a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
-        ( b->tag == MBEDTLS_ASN1_UTF8_STRING || b->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
-        a->len == b->len &&
-        x509_memcasecmp( a->p, b->p, b->len ) == 0 )
-    {
-        return( 0 );
-    }
-
-    return( -1 );
-}
-
-/*
- * Compare two X.509 Names (aka rdnSequence).
- *
- * See RFC 5280 section 7.1, though we don't implement the whole algorithm:
- * we sometimes return unequal when the full algorithm would return equal,
- * but never the other way. (In particular, we don't do Unicode normalisation
- * or space folding.)
- *
- * Return 0 if equal, -1 otherwise.
- */
-static int x509_name_cmp( const mbedtls_x509_name *a, const mbedtls_x509_name *b )
-{
-    /* Avoid recursion, it might not be optimised by the compiler */
-    while( a != NULL || b != NULL )
-    {
-        if( a == NULL || b == NULL )
-            return( -1 );
-
-        /* type */
-        if( a->oid.tag != b->oid.tag ||
-            a->oid.len != b->oid.len ||
-            memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 )
-        {
-            return( -1 );
-        }
-
-        /* value */
-        if( x509_string_cmp( &a->val, &b->val ) != 0 )
-            return( -1 );
-
-        /* structure of the list of sets */
-        if( a->next_merged != b->next_merged )
-            return( -1 );
-
-        a = a->next;
-        b = b->next;
-    }
-
-    /* a == NULL == b */
-    return( 0 );
-}
-
-/*
- * Return an informational string about the certificate.
- */
-#define BEFORE_COLON    18
-#define BC              "18"
-int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
-                   const mbedtls_x509_crt *crt )
-{
-    int ret;
-    size_t n;
-    char *p;
-    char key_size_str[BEFORE_COLON];
-
-    p = buf;
-    n = size;
-
-    if( NULL == crt )
-    {
-        ret = mbedtls_snprintf( p, n, "\nCertificate is uninitialised!\n" );
-        MBEDTLS_X509_SAFE_SNPRINTF;
-
-        return( (int) ( size - n ) );
-    }
-
-    ret = mbedtls_snprintf( p, n, "%scert. version     : %d\n",
-                               prefix, crt->version );
-    MBEDTLS_X509_SAFE_SNPRINTF;
-    ret = mbedtls_snprintf( p, n, "%sserial number     : ",
-                               prefix );
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    ret = mbedtls_x509_serial_gets( p, n, &crt->serial );
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    ret = mbedtls_snprintf( p, n, "\n%sissuer name       : ", prefix );
-    MBEDTLS_X509_SAFE_SNPRINTF;
-    ret = mbedtls_x509_dn_gets( p, n, &crt->issuer  );
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    ret = mbedtls_snprintf( p, n, "\n%ssubject name      : ", prefix );
-    MBEDTLS_X509_SAFE_SNPRINTF;
-    ret = mbedtls_x509_dn_gets( p, n, &crt->subject );
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    ret = mbedtls_snprintf( p, n, "\n%sissued  on        : " \
-                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
-                   crt->valid_from.year, crt->valid_from.mon,
-                   crt->valid_from.day,  crt->valid_from.hour,
-                   crt->valid_from.min,  crt->valid_from.sec );
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    ret = mbedtls_snprintf( p, n, "\n%sexpires on        : " \
-                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
-                   crt->valid_to.year, crt->valid_to.mon,
-                   crt->valid_to.day,  crt->valid_to.hour,
-                   crt->valid_to.min,  crt->valid_to.sec );
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    ret = mbedtls_snprintf( p, n, "\n%ssigned using      : ", prefix );
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    ret = mbedtls_x509_sig_alg_gets( p, n, &crt->sig_oid, crt->sig_pk,
-                             crt->sig_md, crt->sig_opts );
-    MBEDTLS_X509_SAFE_SNPRINTF;
-
-    /* Key size */
-    if( ( ret = mbedtls_x509_key_size_helper( key_size_str, BEFORE_COLON,
-                                      mbedtls_pk_get_name( &crt->pk ) ) ) != 0 )
-    {
-        return( ret );
-    }
-
-    ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
-                          (int) mbedtls_pk_get_bitlen( &crt->pk ) );
-    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
+                          (int) mbedtls_pk_get_bitlen( &crt->pk ) );
+    MBEDTLS_X509_SAFE_SNPRINTF;
 
     /*
      * Optional extensions
@@ -1818,7 +1848,7 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
             break;
         }
 
-        if( x509_profile_check_key( profile, crl_list->sig_pk, &ca->pk ) != 0 )
+        if( x509_profile_check_key( profile, &ca->pk ) != 0 )
             flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
 
         if( mbedtls_pk_verify_ext( crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
@@ -1854,16 +1884,52 @@ static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
 }
 #endif /* MBEDTLS_X509_CRL_PARSE_C */
 
+/*
+ * Check the signature of a certificate by its parent
+ */
+static int x509_crt_check_signature( const mbedtls_x509_crt *child,
+                                     mbedtls_x509_crt *parent,
+                                     mbedtls_x509_crt_restart_ctx *rs_ctx )
+{
+    const mbedtls_md_info_t *md_info;
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+
+    md_info = mbedtls_md_info_from_type( child->sig_md );
+    if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 )
+    {
+        /* Note: this can't happen except after an internal error */
+        return( -1 );
+    }
+
+    /* Skip expensive computation on obvious mismatch */
+    if( ! mbedtls_pk_can_do( &parent->pk, child->sig_pk ) )
+        return( -1 );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA )
+    {
+        return( mbedtls_pk_verify_restartable( &parent->pk,
+                    child->sig_md, hash, mbedtls_md_get_size( md_info ),
+                    child->sig.p, child->sig.len, &rs_ctx->pk ) );
+    }
+#else
+    (void) rs_ctx;
+#endif
+
+    return( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk,
+                child->sig_md, hash, mbedtls_md_get_size( md_info ),
+                child->sig.p, child->sig.len ) );
+}
+
 /*
  * Check if 'parent' is a suitable parent (signing CA) for 'child'.
  * Return 0 if yes, -1 if not.
  *
  * top means parent is a locally-trusted certificate
- * bottom means child is the end entity cert
  */
 static int x509_crt_check_parent( const mbedtls_x509_crt *child,
                                   const mbedtls_x509_crt *parent,
-                                  int top, int bottom )
+                                  int top )
 {
     int need_ca_bit;
 
@@ -1878,14 +1944,6 @@ static int x509_crt_check_parent( const mbedtls_x509_crt *child,
     if( top && parent->version < 3 )
         need_ca_bit = 0;
 
-    /* Exception: self-signed end-entity certs that are locally trusted. */
-    if( top && bottom &&
-        child->raw.len == parent->raw.len &&
-        memcmp( child->raw.p, parent->raw.p, child->raw.len ) == 0 )
-    {
-        need_ca_bit = 0;
-    }
-
     if( need_ca_bit && ! parent->ca_istrue )
         return( -1 );
 
@@ -1901,103 +1959,130 @@ static int x509_crt_check_parent( const mbedtls_x509_crt *child,
 }
 
 /*
- * Verify a certificate with no parent inside the chain
- * (either the parent is a trusted root, or there is no parent)
+ * Find a suitable parent for child in candidates, or return NULL.
+ *
+ * Here suitable is defined as:
+ *  1. subject name matches child's issuer
+ *  2. if necessary, the CA bit is set and key usage allows signing certs
+ *  3. for trusted roots, the signature is correct
+ *     (for intermediates, the signature is checked and the result reported)
+ *  4. pathlen constraints are satisfied
  *
- * See comments for mbedtls_x509_crt_verify_with_profile()
- * (also for notation used below)
+ * If there's a suitable candidate which is also time-valid, return the first
+ * such. Otherwise, return the first suitable candidate (or NULL if there is
+ * none).
  *
- * This function is called in two cases:
- *  - child was found to have a parent in trusted roots, in which case we're
- *    called with trust_ca pointing directly to that parent (not the full list)
- *      - this is cases 1, 2 and 3 of the comment on verify_with_profile()
- *      - case 1 is special as child and trust_ca point to copies of the same
- *        certificate then
- *  - child was found to have no parent either in the chain or in trusted CAs
- *      - this is cases 4 and 5 of the comment on verify_with_profile()
+ * The rationale for this rule is that someone could have a list of trusted
+ * roots with two versions on the same root with different validity periods.
+ * (At least one user reported having such a list and wanted it to just work.)
+ * The reason we don't just require time-validity is that generally there is
+ * only one version, and if it's expired we want the flags to state that
+ * rather than NOT_TRUSTED, as would be the case if we required it here.
  *
- * For historical reasons, the function currently does not assume that
- * trust_ca points directly to the right root in the first case, and it
- * doesn't know in which case it starts, so it always starts by searching for
- * a parent in trust_ca.
+ * The rationale for rule 3 (signature for trusted roots) is that users might
+ * have two versions of the same CA with different keys in their list, and the
+ * way we select the correct one is by checking the signature (as we don't
+ * rely on key identifier extensions). (This is one way users might choose to
+ * handle key rollover, another relies on self-issued certs, see [SIRO].)
+ *
+ * Arguments:
+ *  - [in] child: certificate for which we're looking for a parent
+ *  - [in] candidates: chained list of potential parents
+ *  - [out] r_parent: parent found (or NULL)
+ *  - [out] r_signature_is_good: 1 if child signature by parent is valid, or 0
+ *  - [in] top: 1 if candidates consists of trusted roots, ie we're at the top
+ *         of the chain, 0 otherwise
+ *  - [in] path_cnt: number of intermediates seen so far
+ *  - [in] self_cnt: number of self-signed intermediates seen so far
+ *         (will never be greater than path_cnt)
+ *  - [in-out] rs_ctx: context for restarting operations
+ *
+ * Return value:
+ *  - 0 on success
+ *  - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
  */
-static int x509_crt_verify_top(
-                mbedtls_x509_crt *child, mbedtls_x509_crt *trust_ca,
-                mbedtls_x509_crl *ca_crl,
-                const mbedtls_x509_crt_profile *profile,
-                int path_cnt, int self_cnt, uint32_t *flags,
-                int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
-                void *p_vrfy )
+static int x509_crt_find_parent_in(
+                        mbedtls_x509_crt *child,
+                        mbedtls_x509_crt *candidates,
+                        mbedtls_x509_crt **r_parent,
+                        int *r_signature_is_good,
+                        int top,
+                        unsigned path_cnt,
+                        unsigned self_cnt,
+                        mbedtls_x509_crt_restart_ctx *rs_ctx )
 {
     int ret;
-    uint32_t ca_flags = 0;
-    int check_path_cnt;
-    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
-    const mbedtls_md_info_t *md_info;
-    mbedtls_x509_crt *future_past_ca = NULL;
+    mbedtls_x509_crt *parent, *fallback_parent;
+    int signature_is_good, fallback_signature_is_good;
 
-    if( mbedtls_x509_time_is_past( &child->valid_to ) )
-        *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
-
-    if( mbedtls_x509_time_is_future( &child->valid_from ) )
-        *flags |= MBEDTLS_X509_BADCERT_FUTURE;
-
-    if( x509_profile_check_md_alg( profile, child->sig_md ) != 0 )
-        *flags |= MBEDTLS_X509_BADCERT_BAD_MD;
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* did we have something in progress? */
+    if( rs_ctx != NULL && rs_ctx->parent != NULL )
+    {
+        /* restore saved state */
+        parent = rs_ctx->parent;
+        fallback_parent = rs_ctx->fallback_parent;
+        fallback_signature_is_good = rs_ctx->fallback_signature_is_good;
 
-    if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 )
-        *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
+        /* clear saved state */
+        rs_ctx->parent = NULL;
+        rs_ctx->fallback_parent = NULL;
+        rs_ctx->fallback_signature_is_good = 0;
 
-    /*
-     * Child is the top of the chain. Check against the trust_ca list.
-     */
-    *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
-
-    md_info = mbedtls_md_info_from_type( child->sig_md );
-    if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 )
-    {
-        /* Note: this can't happen except after an internal error */
-        /* Cannot check signature, no need to try any CA */
-        trust_ca = NULL;
+        /* resume where we left */
+        goto check_signature;
     }
+#endif
+
+    fallback_parent = NULL;
+    fallback_signature_is_good = 0;
 
-    for( /* trust_ca */ ; trust_ca != NULL; trust_ca = trust_ca->next )
+    for( parent = candidates; parent != NULL; parent = parent->next )
     {
-        if( x509_crt_check_parent( child, trust_ca, 1, path_cnt == 0 ) != 0 )
+        /* basic parenting skills (name, CA bit, key usage) */
+        if( x509_crt_check_parent( child, parent, top ) != 0 )
             continue;
 
-        check_path_cnt = path_cnt + 1;
-
-        /*
-         * Reduce check_path_cnt to check against if top of the chain is
-         * the same as the trusted CA
-         */
-        if( child->subject_raw.len == trust_ca->subject_raw.len &&
-            memcmp( child->subject_raw.p, trust_ca->subject_raw.p,
-                    child->subject_raw.len ) == 0 )
+        /* +1 because stored max_pathlen is 1 higher that the actual value */
+        if( parent->max_pathlen > 0 &&
+            (size_t) parent->max_pathlen < 1 + path_cnt - self_cnt )
         {
-            check_path_cnt--;
+            continue;
         }
 
-        /* Self signed certificates do not count towards the limit */
-        if( trust_ca->max_pathlen > 0 &&
-            trust_ca->max_pathlen < check_path_cnt - self_cnt )
+        /* Signature */
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+check_signature:
+#endif
+        ret = x509_crt_check_signature( child, parent, rs_ctx );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+        if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
         {
-            continue;
+            /* save state */
+            rs_ctx->parent = parent;
+            rs_ctx->fallback_parent = fallback_parent;
+            rs_ctx->fallback_signature_is_good = fallback_signature_is_good;
+
+            return( ret );
         }
+#else
+        (void) ret;
+#endif
 
-        if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
-                           child->sig_md, hash, mbedtls_md_get_size( md_info ),
-                           child->sig.p, child->sig.len ) != 0 )
-        {
+        signature_is_good = ret == 0;
+        if( top && ! signature_is_good )
             continue;
-        }
 
-        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) ||
-            mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
+        /* optional time check */
+        if( mbedtls_x509_time_is_past( &parent->valid_to ) ||
+            mbedtls_x509_time_is_future( &parent->valid_from ) )
         {
-            if ( future_past_ca == NULL )
-                future_past_ca = trust_ca;
+            if( fallback_parent == NULL )
+            {
+                fallback_parent = parent;
+                fallback_signature_is_good = signature_is_good;
+            }
 
             continue;
         }
@@ -2005,197 +2090,409 @@ static int x509_crt_verify_top(
         break;
     }
 
-    if( trust_ca != NULL || ( trust_ca = future_past_ca ) != NULL )
+    if( parent != NULL )
     {
-        /*
-         * Top of chain is signed by a trusted CA
-         */
-        *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
-
-        if( x509_profile_check_key( profile, child->sig_pk, &trust_ca->pk ) != 0 )
-            *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+        *r_parent = parent;
+        *r_signature_is_good = signature_is_good;
+    }
+    else
+    {
+        *r_parent = fallback_parent;
+        *r_signature_is_good = fallback_signature_is_good;
     }
 
-    /*
-     * If top of chain is not the same as the trusted CA send a verify request
-     * to the callback for any issues with validity and CRL presence for the
-     * trusted CA certificate.
-     */
-    if( trust_ca != NULL &&
-        ( child->subject_raw.len != trust_ca->subject_raw.len ||
-          memcmp( child->subject_raw.p, trust_ca->subject_raw.p,
-                  child->subject_raw.len ) != 0 ) )
+    return( 0 );
+}
+
+/*
+ * Find a parent in trusted CAs or the provided chain, or return NULL.
+ *
+ * Searches in trusted CAs first, and return the first suitable parent found
+ * (see find_parent_in() for definition of suitable).
+ *
+ * Arguments:
+ *  - [in] child: certificate for which we're looking for a parent, followed
+ *         by a chain of possible intermediates
+ *  - [in] trust_ca: list of locally trusted certificates
+ *  - [out] parent: parent found (or NULL)
+ *  - [out] parent_is_trusted: 1 if returned `parent` is trusted, or 0
+ *  - [out] signature_is_good: 1 if child signature by parent is valid, or 0
+ *  - [in] path_cnt: number of links in the chain so far (EE -> ... -> child)
+ *  - [in] self_cnt: number of self-signed certs in the chain so far
+ *         (will always be no greater than path_cnt)
+ *  - [in-out] rs_ctx: context for restarting operations
+ *
+ * Return value:
+ *  - 0 on success
+ *  - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
+ */
+static int x509_crt_find_parent(
+                        mbedtls_x509_crt *child,
+                        mbedtls_x509_crt *trust_ca,
+                        mbedtls_x509_crt **parent,
+                        int *parent_is_trusted,
+                        int *signature_is_good,
+                        unsigned path_cnt,
+                        unsigned self_cnt,
+                        mbedtls_x509_crt_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_x509_crt *search_list;
+
+    *parent_is_trusted = 1;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* restore then clear saved state if we have some stored */
+    if( rs_ctx != NULL && rs_ctx->parent_is_trusted != -1 )
     {
-#if defined(MBEDTLS_X509_CRL_PARSE_C)
-        /* Check trusted CA's CRL for the chain's top crt */
-        *flags |= x509_crt_verifycrl( child, trust_ca, ca_crl, profile );
-#else
-        ((void) ca_crl);
+        *parent_is_trusted = rs_ctx->parent_is_trusted;
+        rs_ctx->parent_is_trusted = -1;
+    }
 #endif
 
-        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
-            ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED;
+    while( 1 ) {
+        search_list = *parent_is_trusted ? trust_ca : child->next;
 
-        if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
-            ca_flags |= MBEDTLS_X509_BADCERT_FUTURE;
+        ret = x509_crt_find_parent_in( child, search_list,
+                                       parent, signature_is_good,
+                                       *parent_is_trusted,
+                                       path_cnt, self_cnt, rs_ctx );
 
-        if( NULL != f_vrfy )
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+        if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
         {
-            if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,
-                                &ca_flags ) ) != 0 )
-            {
-                return( ret );
-            }
+            /* save state */
+            rs_ctx->parent_is_trusted = *parent_is_trusted;
+            return( ret );
         }
+#else
+        (void) ret;
+#endif
+
+        /* stop here if found or already in second iteration */
+        if( *parent != NULL || *parent_is_trusted == 0 )
+            break;
+
+        /* prepare second iteration */
+        *parent_is_trusted = 0;
     }
 
-    /* Call callback on top cert */
-    if( NULL != f_vrfy )
+    /* extra precaution against mistakes in the caller */
+    if( *parent == NULL )
     {
-        if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 )
-            return( ret );
+        *parent_is_trusted = 0;
+        *signature_is_good = 0;
     }
 
-    *flags |= ca_flags;
-
     return( 0 );
 }
 
 /*
- * Verify a certificate with a parent inside the chain
+ * Check if an end-entity certificate is locally trusted
  *
- * See comments for mbedtls_x509_crt_verify_with_profile()
+ * Currently we require such certificates to be self-signed (actually only
+ * check for self-issued as self-signatures are not checked)
  */
-static int x509_crt_verify_child(
-                mbedtls_x509_crt *child, mbedtls_x509_crt *parent,
-                mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl,
-                const mbedtls_x509_crt_profile *profile,
-                int path_cnt, int self_cnt, uint32_t *flags,
-                int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
-                void *p_vrfy )
+static int x509_crt_check_ee_locally_trusted(
+                    mbedtls_x509_crt *crt,
+                    mbedtls_x509_crt *trust_ca )
 {
-    int ret;
-    uint32_t parent_flags = 0;
-    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
-    mbedtls_x509_crt *grandparent;
-    const mbedtls_md_info_t *md_info;
+    mbedtls_x509_crt *cur;
 
-    /* Counting intermediate self signed certificates */
-    if( ( path_cnt != 0 ) && x509_name_cmp( &child->issuer, &child->subject ) == 0 )
-        self_cnt++;
+    /* must be self-issued */
+    if( x509_name_cmp( &crt->issuer, &crt->subject ) != 0 )
+        return( -1 );
 
-    /* path_cnt is 0 for the first intermediate CA */
-    if( 1 + path_cnt > MBEDTLS_X509_MAX_INTERMEDIATE_CA )
+    /* look for an exact match with trusted cert */
+    for( cur = trust_ca; cur != NULL; cur = cur->next )
     {
-        /* return immediately as the goal is to avoid unbounded recursion */
-        return( MBEDTLS_ERR_X509_FATAL_ERROR );
+        if( crt->raw.len == cur->raw.len &&
+            memcmp( crt->raw.p, cur->raw.p, crt->raw.len ) == 0 )
+        {
+            return( 0 );
+        }
     }
 
-    if( mbedtls_x509_time_is_past( &child->valid_to ) )
-        *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
+    /* too bad */
+    return( -1 );
+}
 
-    if( mbedtls_x509_time_is_future( &child->valid_from ) )
-        *flags |= MBEDTLS_X509_BADCERT_FUTURE;
+/*
+ * Build and verify a certificate chain
+ *
+ * Given a peer-provided list of certificates EE, C1, ..., Cn and
+ * a list of trusted certs R1, ... Rp, try to build and verify a chain
+ *      EE, Ci1, ... Ciq [, Rj]
+ * such that every cert in the chain is a child of the next one,
+ * jumping to a trusted root as early as possible.
+ *
+ * Verify that chain and return it with flags for all issues found.
+ *
+ * Special cases:
+ * - EE == Rj -> return a one-element list containing it
+ * - EE, Ci1, ..., Ciq cannot be continued with a trusted root
+ *   -> return that chain with NOT_TRUSTED set on Ciq
+ *
+ * Tests for (aspects of) this function should include at least:
+ * - trusted EE
+ * - EE -> trusted root
+ * - EE -> intermedate CA -> trusted root
+ * - if relevant: EE untrusted
+ * - if relevant: EE -> intermediate, untrusted
+ * with the aspect under test checked at each relevant level (EE, int, root).
+ * For some aspects longer chains are required, but usually length 2 is
+ * enough (but length 1 is not in general).
+ *
+ * Arguments:
+ *  - [in] crt: the cert list EE, C1, ..., Cn
+ *  - [in] trust_ca: the trusted list R1, ..., Rp
+ *  - [in] ca_crl, profile: as in verify_with_profile()
+ *  - [out] ver_chain: the built and verified chain
+ *      Only valid when return value is 0, may contain garbage otherwise!
+ *      Restart note: need not be the same when calling again to resume.
+ *  - [in-out] rs_ctx: context for restarting operations
+ *
+ * Return value:
+ *  - non-zero if the chain could not be fully built and examined
+ *  - 0 is the chain was successfully built and examined,
+ *      even if it was found to be invalid
+ */
+static int x509_crt_verify_chain(
+                mbedtls_x509_crt *crt,
+                mbedtls_x509_crt *trust_ca,
+                mbedtls_x509_crl *ca_crl,
+                const mbedtls_x509_crt_profile *profile,
+                mbedtls_x509_crt_verify_chain *ver_chain,
+                mbedtls_x509_crt_restart_ctx *rs_ctx )
+{
+    /* Don't initialize any of those variables here, so that the compiler can
+     * catch potential issues with jumping ahead when restarting */
+    int ret;
+    uint32_t *flags;
+    mbedtls_x509_crt_verify_chain_item *cur;
+    mbedtls_x509_crt *child;
+    mbedtls_x509_crt *parent;
+    int parent_is_trusted;
+    int child_is_trusted;
+    int signature_is_good;
+    unsigned self_cnt;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* resume if we had an operation in progress */
+    if( rs_ctx != NULL && rs_ctx->in_progress == x509_crt_rs_find_parent )
+    {
+        /* restore saved state */
+        *ver_chain = rs_ctx->ver_chain; /* struct copy */
+        self_cnt = rs_ctx->self_cnt;
+
+        /* restore derived state */
+        cur = &ver_chain->items[ver_chain->len - 1];
+        child = cur->crt;
+        flags = &cur->flags;
+
+        goto find_parent;
+    }
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+    child = crt;
+    self_cnt = 0;
+    parent_is_trusted = 0;
+    child_is_trusted = 0;
+
+    while( 1 ) {
+        /* Add certificate to the verification chain */
+        cur = &ver_chain->items[ver_chain->len];
+        cur->crt = child;
+        cur->flags = 0;
+        ver_chain->len++;
+        flags = &cur->flags;
+
+        /* Check time-validity (all certificates) */
+        if( mbedtls_x509_time_is_past( &child->valid_to ) )
+            *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
+
+        if( mbedtls_x509_time_is_future( &child->valid_from ) )
+            *flags |= MBEDTLS_X509_BADCERT_FUTURE;
+
+        /* Stop here for trusted roots (but not for trusted EE certs) */
+        if( child_is_trusted )
+            return( 0 );
 
-    if( x509_profile_check_md_alg( profile, child->sig_md ) != 0 )
-        *flags |= MBEDTLS_X509_BADCERT_BAD_MD;
+        /* Check signature algorithm: MD & PK algs */
+        if( x509_profile_check_md_alg( profile, child->sig_md ) != 0 )
+            *flags |= MBEDTLS_X509_BADCERT_BAD_MD;
 
-    if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 )
-        *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
+        if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 )
+            *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
 
-    md_info = mbedtls_md_info_from_type( child->sig_md );
-    if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 )
-    {
-        /* Note: this can't happen except after an internal error */
-        *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
-    }
-    else
-    {
-        if( x509_profile_check_key( profile, child->sig_pk, &parent->pk ) != 0 )
-            *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+        /* Special case: EE certs that are locally trusted */
+        if( ver_chain->len == 1 &&
+            x509_crt_check_ee_locally_trusted( child, trust_ca ) == 0 )
+        {
+            return( 0 );
+        }
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+find_parent:
+#endif
+        /* Look for a parent in trusted CAs or up the chain */
+        ret = x509_crt_find_parent( child, trust_ca, &parent,
+                                       &parent_is_trusted, &signature_is_good,
+                                       ver_chain->len - 1, self_cnt, rs_ctx );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+        if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+        {
+            /* save state */
+            rs_ctx->in_progress = x509_crt_rs_find_parent;
+            rs_ctx->self_cnt = self_cnt;
+            rs_ctx->ver_chain = *ver_chain; /* struct copy */
 
-        if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk,
-                           child->sig_md, hash, mbedtls_md_get_size( md_info ),
-                           child->sig.p, child->sig.len ) != 0 )
+            return( ret );
+        }
+#else
+        (void) ret;
+#endif
+
+        /* No parent? We're done here */
+        if( parent == NULL )
         {
             *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
+            return( 0 );
+        }
+
+        /* Count intermediate self-issued (not necessarily self-signed) certs.
+         * These can occur with some strategies for key rollover, see [SIRO],
+         * and should be excluded from max_pathlen checks. */
+        if( ver_chain->len != 1 &&
+            x509_name_cmp( &child->issuer, &child->subject ) == 0 )
+        {
+            self_cnt++;
+        }
+
+        /* path_cnt is 0 for the first intermediate CA,
+         * and if parent is trusted it's not an intermediate CA */
+        if( ! parent_is_trusted &&
+            ver_chain->len > MBEDTLS_X509_MAX_INTERMEDIATE_CA )
+        {
+            /* return immediately to avoid overflow the chain array */
+            return( MBEDTLS_ERR_X509_FATAL_ERROR );
         }
-    }
+
+        /* signature was checked while searching parent */
+        if( ! signature_is_good )
+            *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
+
+        /* check size of signing key */
+        if( x509_profile_check_key( profile, &parent->pk ) != 0 )
+            *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
 
 #if defined(MBEDTLS_X509_CRL_PARSE_C)
-    /* Check trusted CA's CRL for the given crt */
-    *flags |= x509_crt_verifycrl(child, parent, ca_crl, profile );
+        /* Check trusted CA's CRL for the given crt */
+        *flags |= x509_crt_verifycrl( child, parent, ca_crl, profile );
+#else
+        (void) ca_crl;
 #endif
 
-    /* Look for a grandparent in trusted CAs */
-    for( grandparent = trust_ca;
-         grandparent != NULL;
-         grandparent = grandparent->next )
+        /* prepare for next iteration */
+        child = parent;
+        parent = NULL;
+        child_is_trusted = parent_is_trusted;
+        signature_is_good = 0;
+    }
+}
+
+/*
+ * Check for CN match
+ */
+static int x509_crt_check_cn( const mbedtls_x509_buf *name,
+                              const char *cn, size_t cn_len )
+{
+    /* try exact match */
+    if( name->len == cn_len &&
+        x509_memcasecmp( cn, name->p, cn_len ) == 0 )
     {
-        if( x509_crt_check_parent( parent, grandparent,
-                                   0, path_cnt == 0 ) == 0 )
-            break;
+        return( 0 );
     }
 
-    if( grandparent != NULL )
+    /* try wildcard match */
+    if( x509_check_wildcard( cn, name ) == 0 )
     {
-        ret = x509_crt_verify_top( parent, grandparent, ca_crl, profile,
-                                path_cnt + 1, self_cnt, &parent_flags, f_vrfy, p_vrfy );
-        if( ret != 0 )
-            return( ret );
+        return( 0 );
     }
-    else
+
+    return( -1 );
+}
+
+/*
+ * Verify the requested CN - only call this if cn is not NULL!
+ */
+static void x509_crt_verify_name( const mbedtls_x509_crt *crt,
+                                  const char *cn,
+                                  uint32_t *flags )
+{
+    const mbedtls_x509_name *name;
+    const mbedtls_x509_sequence *cur;
+    size_t cn_len = strlen( cn );
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
     {
-        /* Look for a grandparent upwards the chain */
-        for( grandparent = parent->next;
-             grandparent != NULL;
-             grandparent = grandparent->next )
+        for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next )
         {
-            /* +2 because the current step is not yet accounted for
-             * and because max_pathlen is one higher than it should be.
-             * Also self signed certificates do not count to the limit. */
-            if( grandparent->max_pathlen > 0 &&
-                grandparent->max_pathlen < 2 + path_cnt - self_cnt )
-            {
-                continue;
-            }
-
-            if( x509_crt_check_parent( parent, grandparent,
-                                       0, path_cnt == 0 ) == 0 )
+            if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 )
                 break;
         }
 
-        /* Is our parent part of the chain or at the top? */
-        if( grandparent != NULL )
-        {
-            ret = x509_crt_verify_child( parent, grandparent, trust_ca, ca_crl,
-                                         profile, path_cnt + 1, self_cnt, &parent_flags,
-                                         f_vrfy, p_vrfy );
-            if( ret != 0 )
-                return( ret );
-        }
-        else
+        if( cur == NULL )
+            *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
+    }
+    else
+    {
+        for( name = &crt->subject; name != NULL; name = name->next )
         {
-            ret = x509_crt_verify_top( parent, trust_ca, ca_crl, profile,
-                                       path_cnt + 1, self_cnt, &parent_flags,
-                                       f_vrfy, p_vrfy );
-            if( ret != 0 )
-                return( ret );
+            if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 &&
+                x509_crt_check_cn( &name->val, cn, cn_len ) == 0 )
+            {
+                break;
+            }
         }
+
+        if( name == NULL )
+            *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
     }
+}
 
-    /* child is verified to be a child of the parent, call verify callback */
-    if( NULL != f_vrfy )
-        if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 )
-            return( ret );
+/*
+ * Merge the flags for all certs in the chain, after calling callback
+ */
+static int x509_crt_merge_flags_with_cb(
+           uint32_t *flags,
+           const mbedtls_x509_crt_verify_chain *ver_chain,
+           int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+           void *p_vrfy )
+{
+    int ret;
+    unsigned i;
+    uint32_t cur_flags;
+    const mbedtls_x509_crt_verify_chain_item *cur;
 
-    *flags |= parent_flags;
+    for( i = ver_chain->len; i != 0; --i )
+    {
+        cur = &ver_chain->items[i-1];
+        cur_flags = cur->flags;
+
+        if( NULL != f_vrfy )
+            if( ( ret = f_vrfy( p_vrfy, cur->crt, (int) i-1, &cur_flags ) ) != 0 )
+                return( ret );
+
+        *flags |= cur_flags;
+    }
 
     return( 0 );
 }
 
 /*
- * Verify the certificate validity
+ * Verify the certificate validity (default profile, not restartable)
  */
 int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
                      mbedtls_x509_crt *trust_ca,
@@ -2204,41 +2501,13 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
                      int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
                      void *p_vrfy )
 {
-    return( mbedtls_x509_crt_verify_with_profile( crt, trust_ca, ca_crl,
-                &mbedtls_x509_crt_profile_default, cn, flags, f_vrfy, p_vrfy ) );
+    return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
+                &mbedtls_x509_crt_profile_default, cn, flags,
+                f_vrfy, p_vrfy, NULL ) );
 }
 
-
 /*
- * Verify the certificate validity, with profile
- *
- * The chain building/verification is spread accross 4 functions:
- *  - this one
- *  - x509_crt_verify_child()
- *  - x509_crt_verify_top()
- *  - x509_crt_check_parent()
- *
- * There are five main cases to consider. Let's introduce some notation:
- *  - E means the end-entity certificate
- *  - I an intermediate CA
- *  - R the trusted root CA this chain anchors to
- *  - T the list of trusted roots (R and possible some others)
- *
- * The main cases with the calling sequence of the crt_verify_xxx() are:
- *  1. E = R (explicitly trusted EE cert)
- *      verify(E, T) -> verify_top(E, R)
- *  2. E -> R (EE signed by trusted root)
- *      verify(E, T) -> verify_top(E, R)
- *  3. E -> I -> R (EE signed by intermediate signed by trusted root)
- *      verify(E, T) -> verify_child(E, I, T) -> verify_top(I, R)
- *      (plus variant with multiple intermediates)
- *  4. E -> I (EE signed by intermediate that's not trusted)
- *      verify(E, T) -> verify_child(E, I, T) -> verify_top(I, T)
- *      (plus variant with multiple intermediates)
- *  5. E (EE not trusted)
- *      verify(E, T) -> verify_top(E, T)
- *
- * Note: this notation and case numbering is also used in x509_crt_verify_top()
+ * Verify the certificate validity (user-chosen profile, not restartable)
  */
 int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
                      mbedtls_x509_crt *trust_ca,
@@ -2248,15 +2517,37 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
                      int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
                      void *p_vrfy )
 {
-    size_t cn_len;
+    return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
+                profile, cn, flags, f_vrfy, p_vrfy, NULL ) );
+}
+
+/*
+ * Verify the certificate validity, with profile, restartable version
+ *
+ * This function:
+ *  - checks the requested CN (if any)
+ *  - checks the type and size of the EE cert's key,
+ *    as that isn't done as part of chain building/verification currently
+ *  - builds and verifies the chain
+ *  - then calls the callback and merges the flags
+ */
+int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const mbedtls_x509_crt_profile *profile,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy,
+                     mbedtls_x509_crt_restart_ctx *rs_ctx )
+{
     int ret;
-    int pathlen = 0, selfsigned = 0;
-    mbedtls_x509_crt *parent;
-    mbedtls_x509_name *name;
-    mbedtls_x509_sequence *cur = NULL;
     mbedtls_pk_type_t pk_type;
+    mbedtls_x509_crt_verify_chain ver_chain;
+    uint32_t ee_flags;
 
     *flags = 0;
+    ee_flags = 0;
+    x509_crt_verify_chain_reset( &ver_chain );
 
     if( profile == NULL )
     {
@@ -2264,106 +2555,38 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
         goto exit;
     }
 
+    /* check name if requested */
     if( cn != NULL )
-    {
-        name = &crt->subject;
-        cn_len = strlen( cn );
-
-        if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
-        {
-            cur = &crt->subject_alt_names;
-
-            while( cur != NULL )
-            {
-                if( cur->buf.len == cn_len &&
-                    x509_memcasecmp( cn, cur->buf.p, cn_len ) == 0 )
-                    break;
-
-                if( cur->buf.len > 2 &&
-                    memcmp( cur->buf.p, "*.", 2 ) == 0 &&
-                    x509_check_wildcard( cn, &cur->buf ) == 0 )
-                {
-                    break;
-                }
-
-                cur = cur->next;
-            }
-
-            if( cur == NULL )
-                *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
-        }
-        else
-        {
-            while( name != NULL )
-            {
-                if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 )
-                {
-                    if( name->val.len == cn_len &&
-                        x509_memcasecmp( name->val.p, cn, cn_len ) == 0 )
-                        break;
-
-                    if( name->val.len > 2 &&
-                        memcmp( name->val.p, "*.", 2 ) == 0 &&
-                        x509_check_wildcard( cn, &name->val ) == 0 )
-                        break;
-                }
-
-                name = name->next;
-            }
-
-            if( name == NULL )
-                *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
-        }
-    }
+        x509_crt_verify_name( crt, cn, &ee_flags );
 
     /* Check the type and size of the key */
     pk_type = mbedtls_pk_get_type( &crt->pk );
 
     if( x509_profile_check_pk_alg( profile, pk_type ) != 0 )
-        *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
+        ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
 
-    if( x509_profile_check_key( profile, pk_type, &crt->pk ) != 0 )
-        *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+    if( x509_profile_check_key( profile, &crt->pk ) != 0 )
+        ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
 
-    /* Look for a parent in trusted CAs */
-    for( parent = trust_ca; parent != NULL; parent = parent->next )
-    {
-        if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 )
-            break;
-    }
+    /* Check the chain */
+    ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile,
+                                 &ver_chain, rs_ctx );
 
-    if( parent != NULL )
-    {
-        ret = x509_crt_verify_top( crt, parent, ca_crl, profile,
-                                   pathlen, selfsigned, flags, f_vrfy, p_vrfy );
-        if( ret != 0 )
-            goto exit;
-    }
-    else
-    {
-        /* Look for a parent upwards the chain */
-        for( parent = crt->next; parent != NULL; parent = parent->next )
-            if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 )
-                break;
+    if( ret != 0 )
+        goto exit;
 
-        /* Are we part of the chain or at the top? */
-        if( parent != NULL )
-        {
-            ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl, profile,
-                                         pathlen, selfsigned, flags, f_vrfy, p_vrfy );
-            if( ret != 0 )
-                goto exit;
-        }
-        else
-        {
-            ret = x509_crt_verify_top( crt, trust_ca, ca_crl, profile,
-                                       pathlen, selfsigned, flags, f_vrfy, p_vrfy );
-            if( ret != 0 )
-                goto exit;
-        }
-    }
+    /* Merge end-entity flags */
+    ver_chain.items[0].flags |= ee_flags;
+
+    /* Build final flags, calling callback on the way if any */
+    ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy );
 
 exit:
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+        mbedtls_x509_crt_restart_free( rs_ctx );
+#endif
+
     /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by
      * the SSL module for authmode optional, but non-zero return from the
      * callback means a fatal error so it shouldn't be ignored */
@@ -2418,7 +2641,7 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
         {
             name_prv = name_cur;
             name_cur = name_cur->next;
-            mbedtls_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+            mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
             mbedtls_free( name_prv );
         }
 
@@ -2427,7 +2650,7 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
         {
             name_prv = name_cur;
             name_cur = name_cur->next;
-            mbedtls_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+            mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
             mbedtls_free( name_prv );
         }
 
@@ -2436,7 +2659,8 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
         {
             seq_prv = seq_cur;
             seq_cur = seq_cur->next;
-            mbedtls_zeroize( seq_prv, sizeof( mbedtls_x509_sequence ) );
+            mbedtls_platform_zeroize( seq_prv,
+                                      sizeof( mbedtls_x509_sequence ) );
             mbedtls_free( seq_prv );
         }
 
@@ -2445,13 +2669,14 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
         {
             seq_prv = seq_cur;
             seq_cur = seq_cur->next;
-            mbedtls_zeroize( seq_prv, sizeof( mbedtls_x509_sequence ) );
+            mbedtls_platform_zeroize( seq_prv,
+                                      sizeof( mbedtls_x509_sequence ) );
             mbedtls_free( seq_prv );
         }
 
         if( cert_cur->raw.p != NULL )
         {
-            mbedtls_zeroize( cert_cur->raw.p, cert_cur->raw.len );
+            mbedtls_platform_zeroize( cert_cur->raw.p, cert_cur->raw.len );
             mbedtls_free( cert_cur->raw.p );
         }
 
@@ -2465,11 +2690,43 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
         cert_prv = cert_cur;
         cert_cur = cert_cur->next;
 
-        mbedtls_zeroize( cert_prv, sizeof( mbedtls_x509_crt ) );
+        mbedtls_platform_zeroize( cert_prv, sizeof( mbedtls_x509_crt ) );
         if( cert_prv != crt )
             mbedtls_free( cert_prv );
     }
     while( cert_cur != NULL );
 }
 
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx )
+{
+    mbedtls_pk_restart_init( &ctx->pk );
+
+    ctx->parent = NULL;
+    ctx->fallback_parent = NULL;
+    ctx->fallback_signature_is_good = 0;
+
+    ctx->parent_is_trusted = -1;
+
+    ctx->in_progress = x509_crt_rs_none;
+    ctx->self_cnt = 0;
+    x509_crt_verify_chain_reset( &ctx->ver_chain );
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_pk_restart_free( &ctx->pk );
+    mbedtls_x509_crt_restart_init( ctx );
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
diff --git a/3rdparty/mbedtls/mbedtls/library/x509_csr.c b/3rdparty/mbedtls/mbedtls/library/x509_csr.c
index 87c179e3d4..c8c08c87b2 100644
--- a/3rdparty/mbedtls/mbedtls/library/x509_csr.c
+++ b/3rdparty/mbedtls/mbedtls/library/x509_csr.c
@@ -39,6 +39,7 @@
 
 #include "mbedtls/x509_csr.h"
 #include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -60,11 +61,6 @@
 #include <stdio.h>
 #endif
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 /*
  *  Version  ::=  INTEGER  {  v1(0)  }
  */
@@ -325,7 +321,7 @@ int mbedtls_x509_csr_parse_file( mbedtls_x509_csr *csr, const char *path )
 
     ret = mbedtls_x509_csr_parse( csr, buf, n );
 
-    mbedtls_zeroize( buf, n );
+    mbedtls_platform_zeroize( buf, n );
     mbedtls_free( buf );
 
     return( ret );
@@ -407,17 +403,17 @@ void mbedtls_x509_csr_free( mbedtls_x509_csr *csr )
     {
         name_prv = name_cur;
         name_cur = name_cur->next;
-        mbedtls_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+        mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
         mbedtls_free( name_prv );
     }
 
     if( csr->raw.p != NULL )
     {
-        mbedtls_zeroize( csr->raw.p, csr->raw.len );
+        mbedtls_platform_zeroize( csr->raw.p, csr->raw.len );
         mbedtls_free( csr->raw.p );
     }
 
-    mbedtls_zeroize( csr, sizeof( mbedtls_x509_csr ) );
+    mbedtls_platform_zeroize( csr, sizeof( mbedtls_x509_csr ) );
 }
 
 #endif /* MBEDTLS_X509_CSR_PARSE_C */
diff --git a/3rdparty/mbedtls/mbedtls/library/x509write_crt.c b/3rdparty/mbedtls/mbedtls/library/x509write_crt.c
index 64b3d2c2fb..10497e752b 100644
--- a/3rdparty/mbedtls/mbedtls/library/x509write_crt.c
+++ b/3rdparty/mbedtls/mbedtls/library/x509write_crt.c
@@ -37,6 +37,7 @@
 #include "mbedtls/oid.h"
 #include "mbedtls/asn1write.h"
 #include "mbedtls/sha1.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -44,11 +45,6 @@
 #include "mbedtls/pem.h"
 #endif /* MBEDTLS_PEM_WRITE_C */
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
 {
     memset( ctx, 0, sizeof( mbedtls_x509write_cert ) );
@@ -65,7 +61,7 @@ void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx )
     mbedtls_asn1_free_named_data_list( &ctx->issuer );
     mbedtls_asn1_free_named_data_list( &ctx->extensions );
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_x509write_cert ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x509write_cert ) );
 }
 
 void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version )
@@ -329,10 +325,9 @@ static int x509_write_time( unsigned char **p, unsigned char *start,
     return( (int) len );
 }
 
-int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
-                               unsigned char *buf, size_t size,
-                               int (*f_rng)(void *, unsigned char *, size_t),
-                               void *p_rng )
+int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
 {
     int ret;
     const char *sig_oid;
@@ -340,14 +335,15 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
     unsigned char *c, *c2;
     unsigned char hash[64];
     unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
+    unsigned char tmp_buf[2048];
     size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
     size_t len = 0;
     mbedtls_pk_type_t pk_alg;
 
     /*
-     * Prepare data to be signed at the end of the target buffer
+     * Prepare data to be signed in tmp_buf
      */
-    c = buf + size;
+    c = tmp_buf + sizeof( tmp_buf );
 
     /* Signature algorithm needed in TBS, and later for actual signature */
 
@@ -373,36 +369,27 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
     /* Only for v3 */
     if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 )
     {
-        MBEDTLS_ASN1_CHK_ADD( len,
-                              mbedtls_x509_write_extensions( &c,
-                                                      buf, ctx->extensions ) );
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
-        MBEDTLS_ASN1_CHK_ADD( len,
-                              mbedtls_asn1_write_tag( &c, buf,
-                                                      MBEDTLS_ASN1_CONSTRUCTED |
-                                                      MBEDTLS_ASN1_SEQUENCE ) );
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
-        MBEDTLS_ASN1_CHK_ADD( len,
-                              mbedtls_asn1_write_tag( &c, buf,
-                                               MBEDTLS_ASN1_CONTEXT_SPECIFIC |
-                                               MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                           MBEDTLS_ASN1_SEQUENCE ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+                                                           MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
     }
 
     /*
      *  SubjectPublicKeyInfo
      */
-    MBEDTLS_ASN1_CHK_ADD( pub_len,
-                          mbedtls_pk_write_pubkey_der( ctx->subject_key,
-                                                       buf, c - buf ) );
+    MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->subject_key,
+                                                tmp_buf, c - tmp_buf ) );
     c -= pub_len;
     len += pub_len;
 
     /*
      *  Subject  ::=  Name
      */
-    MBEDTLS_ASN1_CHK_ADD( len,
-                          mbedtls_x509_write_names( &c, buf,
-                                                    ctx->subject ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
 
     /*
      *  Validity ::= SEQUENCE {
@@ -411,39 +398,32 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
      */
     sub_len = 0;
 
-    MBEDTLS_ASN1_CHK_ADD( sub_len,
-                          x509_write_time( &c, buf, ctx->not_after,
-                                        MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
+    MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after,
+                                            MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
 
-    MBEDTLS_ASN1_CHK_ADD( sub_len,
-                          x509_write_time( &c, buf, ctx->not_before,
-                                        MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
+    MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before,
+                                            MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
 
     len += sub_len;
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, sub_len ) );
-    MBEDTLS_ASN1_CHK_ADD( len,
-                          mbedtls_asn1_write_tag( &c, buf,
-                                                  MBEDTLS_ASN1_CONSTRUCTED |
-                                                  MBEDTLS_ASN1_SEQUENCE ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_SEQUENCE ) );
 
     /*
      *  Issuer  ::=  Name
      */
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, buf,
-                                                         ctx->issuer ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->issuer ) );
 
     /*
      *  Signature   ::=  AlgorithmIdentifier
      */
-    MBEDTLS_ASN1_CHK_ADD( len,
-                          mbedtls_asn1_write_algorithm_identifier( &c, buf,
-                                              sig_oid, strlen( sig_oid ), 0 ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, tmp_buf,
+                       sig_oid, strlen( sig_oid ), 0 ) );
 
     /*
      *  Serial   ::=  INTEGER
      */
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, buf,
-                                                       &ctx->serial ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, tmp_buf, &ctx->serial ) );
 
     /*
      *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
@@ -453,67 +433,48 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
     if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 )
     {
         sub_len = 0;
-        MBEDTLS_ASN1_CHK_ADD( sub_len,
-                              mbedtls_asn1_write_int( &c, buf, ctx->version ) );
+        MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
         len += sub_len;
-        MBEDTLS_ASN1_CHK_ADD( len,
-                              mbedtls_asn1_write_len( &c, buf, sub_len ) );
-        MBEDTLS_ASN1_CHK_ADD( len,
-                              mbedtls_asn1_write_tag( &c, buf,
-                                               MBEDTLS_ASN1_CONTEXT_SPECIFIC |
-                                               MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+                                                           MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
     }
 
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
-    MBEDTLS_ASN1_CHK_ADD( len,
-                mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
-                                                     MBEDTLS_ASN1_SEQUENCE ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                       MBEDTLS_ASN1_SEQUENCE ) );
 
     /*
      * Make signature
      */
-
-    /* Compute hash of CRT. */
     if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c,
                             len, hash ) ) != 0 )
     {
         return( ret );
     }
 
-    if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg,
-                                 hash, 0, sig, &sig_len,
-                                 f_rng, p_rng ) ) != 0 )
+    if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len,
+                         f_rng, p_rng ) ) != 0 )
     {
         return( ret );
     }
 
-    /* Move CRT to the front of the buffer to have space
-     * for the signature. */
-    memmove( buf, c, len );
-    c = buf + len;
-
-    /* Add signature at the end of the buffer,
-     * making sure that it doesn't underflow
-     * into the CRT buffer. */
+    /*
+     * Write data to output buffer
+     */
     c2 = buf + size;
-    MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, c,
+    MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
                                         sig_oid, sig_oid_len, sig, sig_len ) );
 
-    /*
-     * Memory layout after this step:
-     *
-     * buf       c=buf+len                c2            buf+size
-     * [CRT0,...,CRTn, UNUSED, ..., UNUSED, SIG0, ..., SIGm]
-     */
+    if( len > (size_t)( c2 - buf ) )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
 
-    /* Move raw CRT to just before the signature. */
-    c = c2 - len;
-    memmove( c, buf, len );
+    c2 -= len;
+    memcpy( c2, c, len );
 
     len += sig_and_oid_len;
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf,
-                                                 MBEDTLS_ASN1_CONSTRUCTED |
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
                                                  MBEDTLS_ASN1_SEQUENCE ) );
 
     return( (int) len );
@@ -523,23 +484,23 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
 #define PEM_END_CRT             "-----END CERTIFICATE-----\n"
 
 #if defined(MBEDTLS_PEM_WRITE_C)
-int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt,
-                               unsigned char *buf, size_t size,
-                               int (*f_rng)(void *, unsigned char *, size_t),
-                               void *p_rng )
+int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
 {
     int ret;
-    size_t olen;
+    unsigned char output_buf[4096];
+    size_t olen = 0;
 
-    if( ( ret = mbedtls_x509write_crt_der( crt, buf, size,
+    if( ( ret = mbedtls_x509write_crt_der( crt, output_buf, sizeof(output_buf),
                                    f_rng, p_rng ) ) < 0 )
     {
         return( ret );
     }
 
     if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CRT, PEM_END_CRT,
-                                          buf + size - ret, ret,
-                                          buf, size, &olen ) ) != 0 )
+                                  output_buf + sizeof(output_buf) - ret,
+                                  ret, buf, size, &olen ) ) != 0 )
     {
         return( ret );
     }
diff --git a/3rdparty/mbedtls/mbedtls/library/x509write_csr.c b/3rdparty/mbedtls/mbedtls/library/x509write_csr.c
index d59354dc4f..d70ba0ed92 100644
--- a/3rdparty/mbedtls/mbedtls/library/x509write_csr.c
+++ b/3rdparty/mbedtls/mbedtls/library/x509write_csr.c
@@ -35,6 +35,7 @@
 #include "mbedtls/x509_csr.h"
 #include "mbedtls/oid.h"
 #include "mbedtls/asn1write.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 #include <stdlib.h>
@@ -43,11 +44,6 @@
 #include "mbedtls/pem.h"
 #endif
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
 {
     memset( ctx, 0, sizeof( mbedtls_x509write_csr ) );
@@ -58,7 +54,7 @@ void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx )
     mbedtls_asn1_free_named_data_list( &ctx->subject );
     mbedtls_asn1_free_named_data_list( &ctx->extensions );
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_x509write_csr ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x509write_csr ) );
 }
 
 void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg )
diff --git a/3rdparty/mbedtls/mbedtls/library/xtea.c b/3rdparty/mbedtls/mbedtls/library/xtea.c
index fe0a3509f6..a33707bc17 100644
--- a/3rdparty/mbedtls/mbedtls/library/xtea.c
+++ b/3rdparty/mbedtls/mbedtls/library/xtea.c
@@ -28,6 +28,7 @@
 #if defined(MBEDTLS_XTEA_C)
 
 #include "mbedtls/xtea.h"
+#include "mbedtls/platform_util.h"
 
 #include <string.h>
 
@@ -42,11 +43,6 @@
 
 #if !defined(MBEDTLS_XTEA_ALT)
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
-}
-
 /*
  * 32-bit integer manipulation macros (big endian)
  */
@@ -80,7 +76,7 @@ void mbedtls_xtea_free( mbedtls_xtea_context *ctx )
     if( ctx == NULL )
         return;
 
-    mbedtls_zeroize( ctx, sizeof( mbedtls_xtea_context ) );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_xtea_context ) );
 }
 
 /*
diff --git a/3rdparty/mbedtls/mbedtls/programs/Makefile b/3rdparty/mbedtls/mbedtls/programs/Makefile
index b4a553a934..28c747b769 100644
--- a/3rdparty/mbedtls/mbedtls/programs/Makefile
+++ b/3rdparty/mbedtls/mbedtls/programs/Makefile
@@ -4,9 +4,11 @@
 
 CFLAGS	?= -O2
 WARNING_CFLAGS ?= -Wall -W -Wdeclaration-after-statement
+WARNING_CXXFLAGS ?= -Wall -W
 LDFLAGS ?=
 
 LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64
+LOCAL_CXXFLAGS = $(WARNING_CXXFLAGS) -I../include -D_FILE_OFFSET_BITS=64
 LOCAL_LDFLAGS = -L../library 			\
 		-lmbedtls$(SHARED_SUFFIX)	\
 		-lmbedx509$(SHARED_SUFFIX)	\
@@ -67,6 +69,8 @@ APPS =	aes/aescrypt2$(EXEXT)		aes/crypt_and_hash$(EXEXT)	\
 	random/gen_random_ctr_drbg$(EXEXT)				\
 	test/benchmark$(EXEXT)                          		\
 	test/selftest$(EXEXT)		test/udp_proxy$(EXEXT)		\
+	test/zeroize$(EXEXT)						\
+	test/query_compile_time_config$(EXEXT)				\
 	util/pem2der$(EXEXT)		util/strerror$(EXEXT)		\
 	x509/cert_app$(EXEXT)		x509/crl_app$(EXEXT)		\
 	x509/cert_req$(EXEXT)		x509/cert_write$(EXEXT)		\
@@ -76,6 +80,10 @@ ifdef PTHREAD
 APPS +=	ssl/ssl_pthread_server$(EXEXT)
 endif
 
+ifdef TEST_CPP
+APPS += test/cpp_dummy_build$(EXEXT)
+endif
+
 .SILENT:
 
 .PHONY: all clean list
@@ -205,17 +213,17 @@ ssl/ssl_client1$(EXEXT): ssl/ssl_client1.c $(DEP)
 	echo "  CC    ssl/ssl_client1.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_client1.c  $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
-ssl/ssl_client2$(EXEXT): ssl/ssl_client2.c $(DEP)
+ssl/ssl_client2$(EXEXT): ssl/ssl_client2.c ssl/query_config.c $(DEP)
 	echo "  CC    ssl/ssl_client2.c"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_client2.c  $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_client2.c ssl/query_config.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
 ssl/ssl_server$(EXEXT): ssl/ssl_server.c $(DEP)
 	echo "  CC    ssl/ssl_server.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_server.c   $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
-ssl/ssl_server2$(EXEXT): ssl/ssl_server2.c $(DEP)
+ssl/ssl_server2$(EXEXT): ssl/ssl_server2.c ssl/query_config.c $(DEP)
 	echo "  CC    ssl/ssl_server2.c"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_server2.c   $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_server2.c ssl/query_config.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
 ssl/ssl_fork_server$(EXEXT): ssl/ssl_fork_server.c $(DEP)
 	echo "  CC    ssl/ssl_fork_server.c"
@@ -237,6 +245,10 @@ test/benchmark$(EXEXT): test/benchmark.c $(DEP)
 	echo "  CC    test/benchmark.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/benchmark.c   $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
+test/cpp_dummy_build$(EXEXT): test/cpp_dummy_build.cpp $(DEP)
+	echo "  CXX   test/cpp_dummy_build.cpp"
+	$(CXX) $(LOCAL_CXXFLAGS) $(CXXFLAGS) test/cpp_dummy_build.cpp   $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
 test/selftest$(EXEXT): test/selftest.c $(DEP)
 	echo "  CC    test/selftest.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/selftest.c    $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
@@ -245,6 +257,14 @@ test/udp_proxy$(EXEXT): test/udp_proxy.c $(DEP)
 	echo "  CC    test/udp_proxy.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/udp_proxy.c    $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
+test/zeroize$(EXEXT): test/zeroize.c $(DEP)
+	echo "  CC    test/zeroize.c"
+	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/zeroize.c    $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
+test/query_compile_time_config$(EXEXT): test/query_compile_time_config.c ssl/query_config.c $(DEP)
+	echo "  CC    test/query_compile_time_config.c"
+	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/query_compile_time_config.c ssl/query_config.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+
 util/pem2der$(EXEXT): util/pem2der.c $(DEP)
 	echo "  CC    util/pem2der.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) util/pem2der.c    $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
diff --git a/3rdparty/mbedtls/mbedtls/programs/README.md b/3rdparty/mbedtls/mbedtls/programs/README.md
new file mode 100644
index 0000000000..d26349d0f1
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/programs/README.md
@@ -0,0 +1,123 @@
+Mbed TLS sample programs
+========================
+
+This subdirectory mostly contains sample programs that illustrate specific features of the library, as well as a few test and support programs.
+
+## Symmetric cryptography (AES) examples
+
+* [`aes/aescrypt2.c`](aes/aescrypt2.c): file encryption and authentication with a key derived from a low-entropy secret, demonstrating the low-level AES interface, the digest interface and HMAC.  
+  Warning: this program illustrates how to use low-level functions in the library. It should not be taken as an example of how to build a secure encryption mechanism. To derive a key from a low-entropy secret such as a password, use a standard key stretching mechanism such as PBKDF2 (provided by the `pkcs5` module). To encrypt and authenticate data, use a standard mode such as GCM or CCM (both available as library module).
+
+* [`aes/crypt_and_hash.c`](aes/crypt_and_hash.c): file encryption and authentication, demonstrating the generic cipher interface and the generic hash interface.
+
+## Hash (digest) examples
+
+* [`hash/generic_sum.c`](hash/generic_sum.c): file hash calculator and verifier, demonstrating the message digest (`md`) interface.
+
+* [`hash/hello.c`](hash/hello.c): hello-world program for MD5.
+
+## Public-key cryptography examples
+
+### Generic public-key cryptography (`pk`) examples
+
+* [`pkey/gen_key.c`](pkey/gen_key.c): generates a key for any of the supported public-key algorithms (RSA or ECC) and writes it to a file that can be used by the other pk sample programs.
+
+* [`pkey/key_app.c`](pkey/key_app.c): loads a PEM or DER public key or private key file and dumps its content.
+
+* [`pkey/key_app_writer.c`](pkey/key_app_writer.c): loads a PEM or DER public key or private key file and writes it to a new PEM or DER file.
+
+* [`pkey/pk_encrypt.c`](pkey/pk_encrypt.c), [`pkey/pk_decrypt.c`](pkey/pk_decrypt.c): loads a PEM or DER public/private key file and uses the key to encrypt/decrypt a short string through the generic public-key interface.
+
+* [`pkey/pk_sign.c`](pkey/pk_sign.c), [`pkey/pk_verify.c`](pkey/pk_verify.c): loads a PEM or DER private/public key file and uses the key to sign/verify a short string.
+
+### ECDSA and RSA signature examples
+
+* [`pkey/ecdsa.c`](pkey/ecdsa.c): generates an ECDSA key, signs a fixed message and verifies the signature.
+
+* [`pkey/rsa_encrypt.c`](pkey/rsa_encrypt.c), [`pkey/rsa_decrypt.c`](pkey/rsa_decrypt.c): loads an RSA public/private key and uses it to encrypt/decrypt a short string through the low-level RSA interface.
+
+* [`pkey/rsa_genkey.c`](pkey/rsa_genkey.c): generates an RSA key and writes it to a file that can be used with the other RSA sample programs.
+
+* [`pkey/rsa_sign.c`](pkey/rsa_sign.c), [`pkey/rsa_verify.c`](pkey/rsa_verify.c): loads an RSA private/public key and uses it to sign/verify a short string with the RSA PKCS#1 v1.5 algorithm.
+
+* [`pkey/rsa_sign_pss.c`](pkey/rsa_sign_pss.c), [`pkey/rsa_verify_pss.c`](pkey/rsa_verify_pss.c): loads an RSA private/public key and uses it to sign/verify a short string with the RSASSA-PSS algorithm.
+
+### Diffie-Hellman key exchange examples
+
+* [`pkey/dh_client.c`](pkey/dh_client.c), [`pkey/dh_server.c`](pkey/dh_server.c): secure channel demonstrators (client, server). This pair of programs illustrates how to set up a secure channel using RSA for authentication and Diffie-Hellman to generate a shared AES session key.
+
+* [`pkey/ecdh_curve25519.c`](pkey/ecdh_curve25519.c): demonstration of a elliptic curve Diffie-Hellman (ECDH) key agreement.
+
+### Bignum (`mpi`) usage examples
+
+* [`pkey/dh_genprime.c`](pkey/dh_genprime.c): shows how to use the bignum (`mpi`) interface to generate Diffie-Hellman parameters.
+
+* [`pkey/mpi_demo.c`](pkey/mpi_demo.c): demonstrates operations on big integers.
+
+## Random number generator (RNG) examples
+
+* [`random/gen_entropy.c`](random/gen_entropy.c): shows how to use the default entropy sources to generate random data.  
+  Note: most applications should only use the entropy generator to seed a cryptographic pseudorandom generator, as illustrated by `random/gen_random_ctr_drbg.c`.
+
+* [`random/gen_random_ctr_drbg.c`](random/gen_random_ctr_drbg.c): shows how to use the default entropy sources to seed a pseudorandom generator, and how to use the resulting random generator to generate random data.
+
+* [`random/gen_random_havege.c`](random/gen_random_havege.c): demonstrates the HAVEGE entropy collector.
+
+## SSL/TLS examples
+
+### SSL/TLS sample applications
+
+* [`ssl/dtls_client.c`](ssl/dtls_client.c): a simple DTLS client program, which sends one datagram to the server and reads one datagram in response.
+
+* [`ssl/dtls_server.c`](ssl/dtls_server.c): a simple DTLS server program, which expects one datagram from the client and writes one datagram in response. This program supports DTLS cookies for hello verification.
+
+* [`ssl/mini_client.c`](ssl/mini_client.c): a minimalistic SSL client, which sends a short string and disconnects. This is primarily intended as a benchmark; for a better example of a typical TLS client, see `ssl/ssl_client1.c`.
+
+* [`ssl/ssl_client1.c`](ssl/ssl_client1.c): a simple HTTPS client that sends a fixed request and displays the response.
+
+* [`ssl/ssl_fork_server.c`](ssl/ssl_fork_server.c): a simple HTTPS server using one process per client to send a fixed response. This program requires a Unix/POSIX environment implementing the `fork` system call.
+
+* [`ssl/ssl_mail_client.c`](ssl/ssl_mail_client.c): a simple SMTP-over-TLS or SMTP-STARTTLS client. This client sends an email with fixed content.
+
+* [`ssl/ssl_pthread_server.c`](ssl/ssl_pthread_server.c): a simple HTTPS server using one thread per client to send a fixed response. This program requires the pthread library.
+
+* [`ssl/ssl_server.c`](ssl/ssl_server.c): a simple HTTPS server that sends a fixed response. It serves a single client at a time.
+
+### SSL/TLS feature demonstrators
+
+Note: unlike most of the other programs under the `programs/` directory, these two programs are not intended as a basis for writing an application. They combine most of the features supported by the library, and most applications require only a few features. To write a new application, we recommended that you start with `ssl_client1.c` or `ssl_server.c`, and then look inside `ssl/ssl_client2.c` or `ssl/ssl_server2.c` to see how to use the specific features that your application needs.
+
+* [`ssl/ssl_client2.c`](ssl/ssl_client2.c): an HTTPS client that sends a fixed request and displays the response, with options to select TLS protocol features and Mbed TLS library features.
+
+* [`ssl/ssl_server2.c`](ssl/ssl_server2.c): an HTTPS server that sends a fixed response, with options to select TLS protocol features and Mbed TLS library features.
+
+In addition to providing options for testing client-side features, the `ssl_client2` program has options that allow you to trigger certain behaviors in the server. For example, there are options to select ciphersuites, or to force a renegotiation. These options are useful for testing the corresponding features in a TLS server. Likewise, `ssl_server2` has options to activate certain behaviors that are useful for testing a TLS client.
+
+## Test utilities
+
+* [`test/benchmark.c`](test/benchmark.c): benchmark for cryptographic algorithms.
+
+* [`test/selftest.c`](test/selftest.c): runs the self-test function in each library module.
+
+* [`test/udp_proxy.c`](test/udp_proxy.c): a UDP proxy that can inject certain failures (delay, duplicate, drop). Useful for testing DTLS.
+
+* [`test/zeroize.c`](test/zeroize.c): a test program for `mbedtls_platform_zeroize`, used by [`tests/scripts/test_zeroize.gdb`](tests/scripts/test_zeroize.gdb).
+
+## Development utilities
+
+* [`util/pem2der.c`](util/pem2der.c): a PEM to DER converter. Mbed TLS can read PEM files directly, but this utility can be useful for interacting with other tools or with minimal Mbed TLS builds that lack PEM support.
+
+* [`util/strerror.c`](util/strerror.c): prints the error description corresponding to an integer status returned by an Mbed TLS function.
+
+## X.509 certificate examples
+
+* [`x509/cert_app.c`](x509/cert_app.c): connects to a TLS server and verifies its certificate chain.
+
+* [`x509/cert_req.c`](x509/cert_req.c): generates a certificate signing request (CSR) for a private key.
+
+* [`x509/cert_write.c`](x509/cert_write.c): signs a certificate signing request, or self-signs a certificate.
+
+* [`x509/crl_app.c`](x509/crl_app.c): loads and dumps a certificate revocation list (CRL).
+
+* [`x509/req_app.c`](x509/req_app.c): loads and dumps a certificate signing request (CSR).
+
diff --git a/3rdparty/mbedtls/mbedtls/programs/aes/aescrypt2.c b/3rdparty/mbedtls/mbedtls/programs/aes/aescrypt2.c
index 9e98f1df0a..bdeac3afc8 100644
--- a/3rdparty/mbedtls/mbedtls/programs/aes/aescrypt2.c
+++ b/3rdparty/mbedtls/mbedtls/programs/aes/aescrypt2.c
@@ -19,6 +19,11 @@
  *  This file is part of mbed TLS (https://tls.mbed.org)
  */
 
+/* Enable definition of fileno() even when compiling with -std=c99. Must be
+ * set before config.h, which pulls in glibc's features.h indirectly.
+ * Harmless on other platforms. */
+#define _POSIX_C_SOURCE 1
+
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "mbedtls/config.h"
 #else
@@ -32,12 +37,14 @@
 #include <stdlib.h>
 #define mbedtls_fprintf         fprintf
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
 
 #include "mbedtls/aes.h"
 #include "mbedtls/md.h"
+#include "mbedtls/platform_util.h"
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -73,10 +80,17 @@ int main( void )
 }
 #else
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
 }
+#endif
 
 int main( int argc, char *argv[] )
 {
@@ -451,13 +465,13 @@ int main( int argc, char *argv[] )
        the case when the user has missed or reordered some,
        in which case the key might not be in argv[4]. */
     for( i = 0; i < (unsigned int) argc; i++ )
-        mbedtls_zeroize( argv[i], strlen( argv[i] ) );
+        mbedtls_platform_zeroize( argv[i], strlen( argv[i] ) );
 
-    mbedtls_zeroize( IV,     sizeof( IV ) );
-    mbedtls_zeroize( key,    sizeof( key ) );
-    mbedtls_zeroize( tmp,    sizeof( tmp ) );
-    mbedtls_zeroize( buffer, sizeof( buffer ) );
-    mbedtls_zeroize( digest, sizeof( digest ) );
+    mbedtls_platform_zeroize( IV,     sizeof( IV ) );
+    mbedtls_platform_zeroize( key,    sizeof( key ) );
+    mbedtls_platform_zeroize( tmp,    sizeof( tmp ) );
+    mbedtls_platform_zeroize( buffer, sizeof( buffer ) );
+    mbedtls_platform_zeroize( digest, sizeof( digest ) );
 
     mbedtls_aes_free( &aes_ctx );
     mbedtls_md_free( &sha_ctx );
diff --git a/3rdparty/mbedtls/mbedtls/programs/aes/crypt_and_hash.c b/3rdparty/mbedtls/mbedtls/programs/aes/crypt_and_hash.c
index 5024f4a6f1..f58e6166dc 100644
--- a/3rdparty/mbedtls/mbedtls/programs/aes/crypt_and_hash.c
+++ b/3rdparty/mbedtls/mbedtls/programs/aes/crypt_and_hash.c
@@ -20,6 +20,11 @@
  *  This file is part of mbed TLS (https://tls.mbed.org)
  */
 
+/* Enable definition of fileno() even when compiling with -std=c99. Must be
+ * set before config.h, which pulls in glibc's features.h indirectly.
+ * Harmless on other platforms. */
+#define _POSIX_C_SOURCE 1
+
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "mbedtls/config.h"
 #else
@@ -33,6 +38,7 @@
 #include <stdlib.h>
 #define mbedtls_fprintf         fprintf
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -41,6 +47,7 @@
  defined(MBEDTLS_FS_IO)
 #include "mbedtls/cipher.h"
 #include "mbedtls/md.h"
+#include "mbedtls/platform_util.h"
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -75,10 +82,17 @@ int main( void )
 }
 #else
 
-/* Implementation that should never be optimized out by the compiler */
-static void mbedtls_zeroize( void *v, size_t n ) {
-    volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
 }
+#endif
 
 int main( int argc, char *argv[] )
 {
@@ -548,13 +562,13 @@ int main( int argc, char *argv[] )
        the case when the user has missed or reordered some,
        in which case the key might not be in argv[6]. */
     for( i = 0; i < argc; i++ )
-        mbedtls_zeroize( argv[i], strlen( argv[i] ) );
+        mbedtls_platform_zeroize( argv[i], strlen( argv[i] ) );
 
-    mbedtls_zeroize( IV,     sizeof( IV ) );
-    mbedtls_zeroize( key,    sizeof( key ) );
-    mbedtls_zeroize( buffer, sizeof( buffer ) );
-    mbedtls_zeroize( output, sizeof( output ) );
-    mbedtls_zeroize( digest, sizeof( digest ) );
+    mbedtls_platform_zeroize( IV,     sizeof( IV ) );
+    mbedtls_platform_zeroize( key,    sizeof( key ) );
+    mbedtls_platform_zeroize( buffer, sizeof( buffer ) );
+    mbedtls_platform_zeroize( output, sizeof( output ) );
+    mbedtls_platform_zeroize( digest, sizeof( digest ) );
 
     mbedtls_cipher_free( &cipher_ctx );
     mbedtls_md_free( &md_ctx );
diff --git a/3rdparty/mbedtls/mbedtls/programs/hash/generic_sum.c b/3rdparty/mbedtls/mbedtls/programs/hash/generic_sum.c
index bbe8d92a20..4b7fe37be5 100644
--- a/3rdparty/mbedtls/mbedtls/programs/hash/generic_sum.c
+++ b/3rdparty/mbedtls/mbedtls/programs/hash/generic_sum.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #define mbedtls_fprintf         fprintf
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -50,6 +51,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 static int generic_wrapper( const mbedtls_md_info_t *md_info, char *filename, unsigned char *sum )
 {
     int ret = mbedtls_md_file( md_info, filename, sum );
diff --git a/3rdparty/mbedtls/mbedtls/programs/hash/hello.c b/3rdparty/mbedtls/mbedtls/programs/hash/hello.c
index 2e8c2244d7..6046f868cd 100644
--- a/3rdparty/mbedtls/mbedtls/programs/hash/hello.c
+++ b/3rdparty/mbedtls/mbedtls/programs/hash/hello.c
@@ -31,6 +31,7 @@
 #include <stdlib.h>
 #include <stdio.h>
 #define mbedtls_printf       printf
+#define mbedtls_exit         exit
 #define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
 #endif
@@ -46,6 +47,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( void )
 {
     int i, ret;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/dh_client.c b/3rdparty/mbedtls/mbedtls/programs/pkey/dh_client.c
index 3dadf48e6f..1dce31aa7b 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/dh_client.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/dh_client.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #define mbedtls_printf          printf
 #define mbedtls_time_t          time_t
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -70,6 +71,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( void )
 {
     FILE *f;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/dh_genprime.c b/3rdparty/mbedtls/mbedtls/programs/pkey/dh_genprime.c
index dbe9153386..cca43ca59a 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/dh_genprime.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/dh_genprime.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #define mbedtls_printf          printf
 #define mbedtls_time_t          time_t
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -68,6 +69,18 @@ int main( void )
  */
 #define GENERATOR "4"
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char **argv )
 {
     int ret = 1;
@@ -156,7 +169,7 @@ int main( int argc, char **argv )
         goto exit;
     }
 
-    if( ( ret = mbedtls_mpi_is_prime( &Q, mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
+    if( ( ret = mbedtls_mpi_is_prime_ext( &Q, 50, mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
     {
         mbedtls_printf( " failed\n  ! mbedtls_mpi_is_prime returned %d\n\n", ret );
         goto exit;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/dh_server.c b/3rdparty/mbedtls/mbedtls/programs/pkey/dh_server.c
index c4e2c391e2..a797e60702 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/dh_server.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/dh_server.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #define mbedtls_printf          printf
 #define mbedtls_time_t          time_t
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -70,6 +71,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( void )
 {
     FILE *f;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/ecdh_curve25519.c b/3rdparty/mbedtls/mbedtls/programs/pkey/ecdh_curve25519.c
index 5db04088f9..9267c7ef5a 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/ecdh_curve25519.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/ecdh_curve25519.c
@@ -31,16 +31,17 @@
 #include <stdio.h>
 #include <stdlib.h>
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
 
-#if !defined(MBEDTLS_ECDH_C) || \
+#if !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_ECDH_LEGACY_CONTEXT) || \
     !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
     !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C)
 int main( void )
 {
-    mbedtls_printf( "MBEDTLS_ECDH_C and/or "
+    mbedtls_printf( "MBEDTLS_ECDH_C and/or MBEDTLS_ECDH_LEGACY_CONTEXT and/or "
                     "MBEDTLS_ECP_DP_CURVE25519_ENABLED and/or "
                     "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C "
                     "not defined\n" );
@@ -52,6 +53,18 @@ int main( void )
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/ecdh.h"
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char *argv[] )
 {
     int ret = 1;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/ecdsa.c b/3rdparty/mbedtls/mbedtls/programs/pkey/ecdsa.c
index c653df9e42..4471a201e5 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/ecdsa.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/ecdsa.c
@@ -31,6 +31,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -99,6 +100,18 @@ static void dump_pubkey( const char *title, mbedtls_ecdsa_context *key )
 #define dump_pubkey( a, b )
 #endif
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char *argv[] )
 {
     int ret = 1;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/gen_key.c b/3rdparty/mbedtls/mbedtls/programs/pkey/gen_key.c
index 31abb0cb8e..35fc1498fb 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/gen_key.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/gen_key.c
@@ -31,6 +31,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -135,6 +136,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 /*
  * global options
  */
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/key_app.c b/3rdparty/mbedtls/mbedtls/programs/pkey/key_app.c
index 027b95f9d1..0bd61e481b 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/key_app.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/key_app.c
@@ -31,6 +31,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -73,6 +74,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 /*
  * global options
  */
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/key_app_writer.c b/3rdparty/mbedtls/mbedtls/programs/pkey/key_app_writer.c
index 0450a17101..b81530cebc 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/key_app_writer.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/key_app_writer.c
@@ -31,6 +31,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -96,6 +97,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 /*
  * global options
  */
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/mpi_demo.c b/3rdparty/mbedtls/mbedtls/programs/pkey/mpi_demo.c
index 365bdc4806..80573c0ed0 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/mpi_demo.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/mpi_demo.c
@@ -31,6 +31,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -48,6 +49,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( void )
 {
     int ret = 1;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/pk_decrypt.c b/3rdparty/mbedtls/mbedtls/programs/pkey/pk_decrypt.c
index 1d8c959a09..978f39ef1d 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/pk_decrypt.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/pk_decrypt.c
@@ -31,6 +31,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -59,6 +60,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char *argv[] )
 {
     FILE *f;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/pk_encrypt.c b/3rdparty/mbedtls/mbedtls/programs/pkey/pk_encrypt.c
index 22dedba103..806c59aae8 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/pk_encrypt.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/pk_encrypt.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #define mbedtls_fprintf         fprintf
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -59,6 +60,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char *argv[] )
 {
     FILE *f;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/pk_sign.c b/3rdparty/mbedtls/mbedtls/programs/pkey/pk_sign.c
index 7ec46752ad..7354082f11 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/pk_sign.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/pk_sign.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #define mbedtls_snprintf        snprintf
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -59,6 +60,18 @@ int main( void )
 #include <stdio.h>
 #include <string.h>
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char *argv[] )
 {
     FILE *f;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/pk_verify.c b/3rdparty/mbedtls/mbedtls/programs/pkey/pk_verify.c
index 3c7709f9d5..9fcf029b8a 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/pk_verify.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/pk_verify.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #define mbedtls_snprintf        snprintf
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -55,6 +56,18 @@ int main( void )
 #include <stdio.h>
 #include <string.h>
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char *argv[] )
 {
     FILE *f;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_decrypt.c b/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_decrypt.c
index 0a252d2ada..dc8a9200d5 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_decrypt.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_decrypt.c
@@ -58,6 +58,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char *argv[] )
 {
     FILE *f;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_encrypt.c b/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_encrypt.c
index 411657a07c..e9effe806a 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_encrypt.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_encrypt.c
@@ -58,6 +58,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char *argv[] )
 {
     FILE *f;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_genkey.c b/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_genkey.c
index 3359e14074..81867ee9e5 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_genkey.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_genkey.c
@@ -31,6 +31,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -62,6 +63,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( void )
 {
     int ret = 1;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_sign.c b/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_sign.c
index b16fe5d226..f014872027 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_sign.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_sign.c
@@ -33,6 +33,7 @@
 #define mbedtls_fprintf         fprintf
 #define mbedtls_printf          printf
 #define mbedtls_snprintf        snprintf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -55,6 +56,18 @@ int main( void )
 #include <stdio.h>
 #include <string.h>
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char *argv[] )
 {
     FILE *f;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_sign_pss.c b/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_sign_pss.c
index e1c8ef6fe1..51317457b3 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_sign_pss.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_sign_pss.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #define mbedtls_snprintf        snprintf
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -59,6 +60,18 @@ int main( void )
 #include <stdio.h>
 #include <string.h>
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char *argv[] )
 {
     FILE *f;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_verify.c b/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_verify.c
index 6f88345f2e..5d1c0851e1 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_verify.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_verify.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #define mbedtls_printf          printf
 #define mbedtls_snprintf        snprintf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -54,6 +55,18 @@ int main( void )
 #include <stdio.h>
 #include <string.h>
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char *argv[] )
 {
     FILE *f;
diff --git a/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_verify_pss.c b/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_verify_pss.c
index 7c9c68f229..34122ca4f3 100644
--- a/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_verify_pss.c
+++ b/3rdparty/mbedtls/mbedtls/programs/pkey/rsa_verify_pss.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #define mbedtls_snprintf        snprintf
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -59,6 +60,18 @@ int main( void )
 #include <stdio.h>
 #include <string.h>
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char *argv[] )
 {
     FILE *f;
diff --git a/3rdparty/mbedtls/mbedtls/programs/random/gen_entropy.c b/3rdparty/mbedtls/mbedtls/programs/random/gen_entropy.c
index a1eb3868a4..3b350ede2f 100644
--- a/3rdparty/mbedtls/mbedtls/programs/random/gen_entropy.c
+++ b/3rdparty/mbedtls/mbedtls/programs/random/gen_entropy.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #define mbedtls_fprintf         fprintf
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -49,6 +50,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char *argv[] )
 {
     FILE *f;
diff --git a/3rdparty/mbedtls/mbedtls/programs/random/gen_random_ctr_drbg.c b/3rdparty/mbedtls/mbedtls/programs/random/gen_random_ctr_drbg.c
index 5ade946a74..a50402f19f 100644
--- a/3rdparty/mbedtls/mbedtls/programs/random/gen_random_ctr_drbg.c
+++ b/3rdparty/mbedtls/mbedtls/programs/random/gen_random_ctr_drbg.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #define mbedtls_fprintf         fprintf
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -52,6 +53,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char *argv[] )
 {
     FILE *f;
diff --git a/3rdparty/mbedtls/mbedtls/programs/random/gen_random_havege.c b/3rdparty/mbedtls/mbedtls/programs/random/gen_random_havege.c
index 3fb3f01963..ef888ff61b 100644
--- a/3rdparty/mbedtls/mbedtls/programs/random/gen_random_havege.c
+++ b/3rdparty/mbedtls/mbedtls/programs/random/gen_random_havege.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #define mbedtls_fprintf         fprintf
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -50,6 +51,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char *argv[] )
 {
     FILE *f;
diff --git a/3rdparty/mbedtls/mbedtls/programs/ssl/CMakeLists.txt b/3rdparty/mbedtls/mbedtls/programs/ssl/CMakeLists.txt
index 1e65633412..803920cde6 100644
--- a/3rdparty/mbedtls/mbedtls/programs/ssl/CMakeLists.txt
+++ b/3rdparty/mbedtls/mbedtls/programs/ssl/CMakeLists.txt
@@ -34,12 +34,14 @@ add_executable(ssl_client1 ssl_client1.c)
 target_link_libraries(ssl_client1 ${libs})
 
 add_executable(ssl_client2 ssl_client2.c)
+target_sources(ssl_client2 PUBLIC query_config.c)
 target_link_libraries(ssl_client2 ${libs})
 
 add_executable(ssl_server ssl_server.c)
 target_link_libraries(ssl_server ${libs})
 
 add_executable(ssl_server2 ssl_server2.c)
+target_sources(ssl_server2 PUBLIC query_config.c)
 target_link_libraries(ssl_server2 ${libs})
 
 add_executable(ssl_fork_server ssl_fork_server.c)
diff --git a/3rdparty/mbedtls/mbedtls/programs/ssl/dtls_client.c b/3rdparty/mbedtls/mbedtls/programs/ssl/dtls_client.c
index c29ab34a60..90db06ca9d 100644
--- a/3rdparty/mbedtls/mbedtls/programs/ssl/dtls_client.c
+++ b/3rdparty/mbedtls/mbedtls/programs/ssl/dtls_client.c
@@ -31,6 +31,9 @@
 #include <stdio.h>
 #define mbedtls_printf     printf
 #define mbedtls_fprintf    fprintf
+#define mbedtls_exit            exit
+#define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif
 
 #if !defined(MBEDTLS_SSL_CLI_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) ||    \
@@ -79,6 +82,18 @@ int main( void )
 
 #define DEBUG_LEVEL 0
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 static void my_debug( void *ctx, int level,
                       const char *file, int line,
                       const char *str )
diff --git a/3rdparty/mbedtls/mbedtls/programs/ssl/dtls_server.c b/3rdparty/mbedtls/mbedtls/programs/ssl/dtls_server.c
index b4ad6b53aa..dd21fbf47b 100644
--- a/3rdparty/mbedtls/mbedtls/programs/ssl/dtls_server.c
+++ b/3rdparty/mbedtls/mbedtls/programs/ssl/dtls_server.c
@@ -32,6 +32,9 @@
 #define mbedtls_printf     printf
 #define mbedtls_fprintf    fprintf
 #define mbedtls_time_t     time_t
+#define mbedtls_exit            exit
+#define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif
 
 /* Uncomment out the following line to default to IPv4 and disable IPv6 */
@@ -88,6 +91,18 @@ int main( void )
 #define READ_TIMEOUT_MS 10000   /* 5 seconds */
 #define DEBUG_LEVEL 0
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 static void my_debug( void *ctx, int level,
                       const char *file, int line,
                       const char *str )
diff --git a/3rdparty/mbedtls/mbedtls/programs/ssl/mini_client.c b/3rdparty/mbedtls/mbedtls/programs/ssl/mini_client.c
index 290455e9ae..ff3612885c 100644
--- a/3rdparty/mbedtls/mbedtls/programs/ssl/mini_client.c
+++ b/3rdparty/mbedtls/mbedtls/programs/ssl/mini_client.c
@@ -26,6 +26,17 @@
 #include MBEDTLS_CONFIG_FILE
 #endif
 
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_printf          printf
+#define mbedtls_exit            exit
+#define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
+#endif
+
 /*
  * We're creating and connecting the socket "manually" rather than using the
  * NET module, in order to avoid the overhead of getaddrinfo() which tends to
@@ -44,13 +55,6 @@
     !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_SSL_CLI_C) || \
     !defined(UNIX)
 
-#if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif
-
 int main( void )
 {
     mbedtls_printf( "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_ENTROPY_C and/or "
@@ -60,12 +64,6 @@ int main( void )
 }
 #else
 
-#if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#endif
-
 #include <string.h>
 
 #include "mbedtls/net_sockets.h"
@@ -168,6 +166,18 @@ enum exit_codes
     ssl_write_failed,
 };
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( void )
 {
     int ret = exit_ok;
diff --git a/3rdparty/mbedtls/mbedtls/programs/ssl/query_config.c b/3rdparty/mbedtls/mbedtls/programs/ssl/query_config.c
new file mode 100644
index 0000000000..6e281977e8
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/programs/ssl/query_config.c
@@ -0,0 +1,2515 @@
+/*
+ *  Query Mbed TLS compile time configurations from config.h
+ *
+ *  Copyright (C) 2018, Arm Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+
+/*
+ * Include all the headers with public APIs in case they define a macro to its
+ * default value when that configuration is not set in the config.h.
+ */
+#include "mbedtls/aes.h"
+#include "mbedtls/aesni.h"
+#include "mbedtls/arc4.h"
+#include "mbedtls/aria.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/base64.h"
+#include "mbedtls/bignum.h"
+#include "mbedtls/blowfish.h"
+#include "mbedtls/camellia.h"
+#include "mbedtls/ccm.h"
+#include "mbedtls/certs.h"
+#include "mbedtls/chacha20.h"
+#include "mbedtls/chachapoly.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/cmac.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/debug.h"
+#include "mbedtls/des.h"
+#include "mbedtls/dhm.h"
+#include "mbedtls/ecdh.h"
+#include "mbedtls/ecdsa.h"
+#include "mbedtls/ecjpake.h"
+#include "mbedtls/ecp.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/entropy_poll.h"
+#include "mbedtls/error.h"
+#include "mbedtls/gcm.h"
+#include "mbedtls/havege.h"
+#include "mbedtls/hkdf.h"
+#include "mbedtls/hmac_drbg.h"
+#include "mbedtls/md.h"
+#include "mbedtls/md2.h"
+#include "mbedtls/md4.h"
+#include "mbedtls/md5.h"
+#include "mbedtls/memory_buffer_alloc.h"
+#include "mbedtls/net_sockets.h"
+#include "mbedtls/nist_kw.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/padlock.h"
+#include "mbedtls/pem.h"
+#include "mbedtls/pk.h"
+#include "mbedtls/pkcs11.h"
+#include "mbedtls/pkcs12.h"
+#include "mbedtls/pkcs5.h"
+#include "mbedtls/platform_time.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/poly1305.h"
+#include "mbedtls/ripemd160.h"
+#include "mbedtls/rsa.h"
+#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
+#include "mbedtls/sha512.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_cache.h"
+#include "mbedtls/ssl_ciphersuites.h"
+#include "mbedtls/ssl_cookie.h"
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/ssl_ticket.h"
+#include "mbedtls/threading.h"
+#include "mbedtls/timing.h"
+#include "mbedtls/version.h"
+#include "mbedtls/x509.h"
+#include "mbedtls/x509_crl.h"
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/x509_csr.h"
+#include "mbedtls/xtea.h"
+
+#include <string.h>
+
+/*
+ * Helper macros to convert a macro or its expansion into a string
+ * WARNING: This does not work for expanding function-like macros. However,
+ * Mbed TLS does not currently have configuration options used in this fashion.
+ */
+#define MACRO_EXPANSION_TO_STR(macro)   MACRO_NAME_TO_STR(macro)
+#define MACRO_NAME_TO_STR(macro)                                        \
+    mbedtls_printf( "%s", strlen( #macro "" ) > 0 ? #macro "\n" : "" )
+
+#if defined(_MSC_VER)
+/*
+ * Visual Studio throws the warning 4003 because many Mbed TLS feature macros
+ * are defined empty. This means that from the preprocessor's point of view
+ * the macro MBEDTLS_EXPANSION_TO_STR is being invoked without arguments as
+ * some macros expand to nothing. We suppress that specific warning to get a
+ * clean build and to ensure that tests treating warnings as errors do not
+ * fail.
+ */
+#pragma warning(push)
+#pragma warning(disable:4003)
+#endif /* _MSC_VER */
+
+int query_config( const char *config )
+{
+#if defined(MBEDTLS_HAVE_ASM)
+    if( strcmp( "MBEDTLS_HAVE_ASM", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_HAVE_ASM );
+        return( 0 );
+    }
+#endif /* MBEDTLS_HAVE_ASM */
+
+#if defined(MBEDTLS_NO_UDBL_DIVISION)
+    if( strcmp( "MBEDTLS_NO_UDBL_DIVISION", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_NO_UDBL_DIVISION );
+        return( 0 );
+    }
+#endif /* MBEDTLS_NO_UDBL_DIVISION */
+
+#if defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
+    if( strcmp( "MBEDTLS_NO_64BIT_MULTIPLICATION", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_NO_64BIT_MULTIPLICATION );
+        return( 0 );
+    }
+#endif /* MBEDTLS_NO_64BIT_MULTIPLICATION */
+
+#if defined(MBEDTLS_HAVE_SSE2)
+    if( strcmp( "MBEDTLS_HAVE_SSE2", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_HAVE_SSE2 );
+        return( 0 );
+    }
+#endif /* MBEDTLS_HAVE_SSE2 */
+
+#if defined(MBEDTLS_HAVE_TIME)
+    if( strcmp( "MBEDTLS_HAVE_TIME", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_HAVE_TIME );
+        return( 0 );
+    }
+#endif /* MBEDTLS_HAVE_TIME */
+
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+    if( strcmp( "MBEDTLS_HAVE_TIME_DATE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_HAVE_TIME_DATE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
+#if defined(MBEDTLS_PLATFORM_MEMORY)
+    if( strcmp( "MBEDTLS_PLATFORM_MEMORY", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_MEMORY );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_MEMORY */
+
+#if defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
+    if( strcmp( "MBEDTLS_PLATFORM_NO_STD_FUNCTIONS", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_NO_STD_FUNCTIONS );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
+    if( strcmp( "MBEDTLS_PLATFORM_EXIT_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_EXIT_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+    if( strcmp( "MBEDTLS_PLATFORM_TIME_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_TIME_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+    if( strcmp( "MBEDTLS_PLATFORM_FPRINTF_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_FPRINTF_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+    if( strcmp( "MBEDTLS_PLATFORM_PRINTF_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_PRINTF_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+    if( strcmp( "MBEDTLS_PLATFORM_SNPRINTF_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_SNPRINTF_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+    if( strcmp( "MBEDTLS_PLATFORM_NV_SEED_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_NV_SEED_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+
+#if defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
+    if( strcmp( "MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+    if( strcmp( "MBEDTLS_DEPRECATED_WARNING", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_DEPRECATED_WARNING );
+        return( 0 );
+    }
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+    if( strcmp( "MBEDTLS_DEPRECATED_REMOVED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_DEPRECATED_REMOVED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+    if( strcmp( "MBEDTLS_CHECK_PARAMS", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CHECK_PARAMS );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CHECK_PARAMS */
+
+#if defined(MBEDTLS_TIMING_ALT)
+    if( strcmp( "MBEDTLS_TIMING_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_TIMING_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_TIMING_ALT */
+
+#if defined(MBEDTLS_AES_ALT)
+    if( strcmp( "MBEDTLS_AES_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_AES_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_AES_ALT */
+
+#if defined(MBEDTLS_ARC4_ALT)
+    if( strcmp( "MBEDTLS_ARC4_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ARC4_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ARC4_ALT */
+
+#if defined(MBEDTLS_ARIA_ALT)
+    if( strcmp( "MBEDTLS_ARIA_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ARIA_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ARIA_ALT */
+
+#if defined(MBEDTLS_BLOWFISH_ALT)
+    if( strcmp( "MBEDTLS_BLOWFISH_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_BLOWFISH_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_BLOWFISH_ALT */
+
+#if defined(MBEDTLS_CAMELLIA_ALT)
+    if( strcmp( "MBEDTLS_CAMELLIA_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CAMELLIA_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CAMELLIA_ALT */
+
+#if defined(MBEDTLS_CCM_ALT)
+    if( strcmp( "MBEDTLS_CCM_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CCM_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CCM_ALT */
+
+#if defined(MBEDTLS_CHACHA20_ALT)
+    if( strcmp( "MBEDTLS_CHACHA20_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CHACHA20_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CHACHA20_ALT */
+
+#if defined(MBEDTLS_CHACHAPOLY_ALT)
+    if( strcmp( "MBEDTLS_CHACHAPOLY_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CHACHAPOLY_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CHACHAPOLY_ALT */
+
+#if defined(MBEDTLS_CMAC_ALT)
+    if( strcmp( "MBEDTLS_CMAC_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CMAC_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CMAC_ALT */
+
+#if defined(MBEDTLS_DES_ALT)
+    if( strcmp( "MBEDTLS_DES_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_DES_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_DES_ALT */
+
+#if defined(MBEDTLS_DHM_ALT)
+    if( strcmp( "MBEDTLS_DHM_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_DHM_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_DHM_ALT */
+
+#if defined(MBEDTLS_ECJPAKE_ALT)
+    if( strcmp( "MBEDTLS_ECJPAKE_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECJPAKE_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECJPAKE_ALT */
+
+#if defined(MBEDTLS_GCM_ALT)
+    if( strcmp( "MBEDTLS_GCM_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_GCM_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_GCM_ALT */
+
+#if defined(MBEDTLS_NIST_KW_ALT)
+    if( strcmp( "MBEDTLS_NIST_KW_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_NIST_KW_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_NIST_KW_ALT */
+
+#if defined(MBEDTLS_MD2_ALT)
+    if( strcmp( "MBEDTLS_MD2_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_MD2_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_MD2_ALT */
+
+#if defined(MBEDTLS_MD4_ALT)
+    if( strcmp( "MBEDTLS_MD4_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_MD4_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_MD4_ALT */
+
+#if defined(MBEDTLS_MD5_ALT)
+    if( strcmp( "MBEDTLS_MD5_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_MD5_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_MD5_ALT */
+
+#if defined(MBEDTLS_POLY1305_ALT)
+    if( strcmp( "MBEDTLS_POLY1305_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_POLY1305_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_POLY1305_ALT */
+
+#if defined(MBEDTLS_RIPEMD160_ALT)
+    if( strcmp( "MBEDTLS_RIPEMD160_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_RIPEMD160_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_RIPEMD160_ALT */
+
+#if defined(MBEDTLS_RSA_ALT)
+    if( strcmp( "MBEDTLS_RSA_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_RSA_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_RSA_ALT */
+
+#if defined(MBEDTLS_SHA1_ALT)
+    if( strcmp( "MBEDTLS_SHA1_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SHA1_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SHA1_ALT */
+
+#if defined(MBEDTLS_SHA256_ALT)
+    if( strcmp( "MBEDTLS_SHA256_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SHA256_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SHA256_ALT */
+
+#if defined(MBEDTLS_SHA512_ALT)
+    if( strcmp( "MBEDTLS_SHA512_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SHA512_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SHA512_ALT */
+
+#if defined(MBEDTLS_XTEA_ALT)
+    if( strcmp( "MBEDTLS_XTEA_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_XTEA_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_XTEA_ALT */
+
+#if defined(MBEDTLS_ECP_ALT)
+    if( strcmp( "MBEDTLS_ECP_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_ALT */
+
+#if defined(MBEDTLS_MD2_PROCESS_ALT)
+    if( strcmp( "MBEDTLS_MD2_PROCESS_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_MD2_PROCESS_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_MD2_PROCESS_ALT */
+
+#if defined(MBEDTLS_MD4_PROCESS_ALT)
+    if( strcmp( "MBEDTLS_MD4_PROCESS_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_MD4_PROCESS_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_MD4_PROCESS_ALT */
+
+#if defined(MBEDTLS_MD5_PROCESS_ALT)
+    if( strcmp( "MBEDTLS_MD5_PROCESS_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_MD5_PROCESS_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_MD5_PROCESS_ALT */
+
+#if defined(MBEDTLS_RIPEMD160_PROCESS_ALT)
+    if( strcmp( "MBEDTLS_RIPEMD160_PROCESS_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_RIPEMD160_PROCESS_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_RIPEMD160_PROCESS_ALT */
+
+#if defined(MBEDTLS_SHA1_PROCESS_ALT)
+    if( strcmp( "MBEDTLS_SHA1_PROCESS_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SHA1_PROCESS_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SHA1_PROCESS_ALT */
+
+#if defined(MBEDTLS_SHA256_PROCESS_ALT)
+    if( strcmp( "MBEDTLS_SHA256_PROCESS_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SHA256_PROCESS_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SHA256_PROCESS_ALT */
+
+#if defined(MBEDTLS_SHA512_PROCESS_ALT)
+    if( strcmp( "MBEDTLS_SHA512_PROCESS_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SHA512_PROCESS_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SHA512_PROCESS_ALT */
+
+#if defined(MBEDTLS_DES_SETKEY_ALT)
+    if( strcmp( "MBEDTLS_DES_SETKEY_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_DES_SETKEY_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_DES_SETKEY_ALT */
+
+#if defined(MBEDTLS_DES_CRYPT_ECB_ALT)
+    if( strcmp( "MBEDTLS_DES_CRYPT_ECB_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_DES_CRYPT_ECB_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_DES_CRYPT_ECB_ALT */
+
+#if defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
+    if( strcmp( "MBEDTLS_DES3_CRYPT_ECB_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_DES3_CRYPT_ECB_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_DES3_CRYPT_ECB_ALT */
+
+#if defined(MBEDTLS_AES_SETKEY_ENC_ALT)
+    if( strcmp( "MBEDTLS_AES_SETKEY_ENC_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_AES_SETKEY_ENC_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_AES_SETKEY_ENC_ALT */
+
+#if defined(MBEDTLS_AES_SETKEY_DEC_ALT)
+    if( strcmp( "MBEDTLS_AES_SETKEY_DEC_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_AES_SETKEY_DEC_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_AES_SETKEY_DEC_ALT */
+
+#if defined(MBEDTLS_AES_ENCRYPT_ALT)
+    if( strcmp( "MBEDTLS_AES_ENCRYPT_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_AES_ENCRYPT_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_AES_ENCRYPT_ALT */
+
+#if defined(MBEDTLS_AES_DECRYPT_ALT)
+    if( strcmp( "MBEDTLS_AES_DECRYPT_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_AES_DECRYPT_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_AES_DECRYPT_ALT */
+
+#if defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)
+    if( strcmp( "MBEDTLS_ECDH_GEN_PUBLIC_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECDH_GEN_PUBLIC_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECDH_GEN_PUBLIC_ALT */
+
+#if defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT)
+    if( strcmp( "MBEDTLS_ECDH_COMPUTE_SHARED_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECDH_COMPUTE_SHARED_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
+
+#if defined(MBEDTLS_ECDSA_VERIFY_ALT)
+    if( strcmp( "MBEDTLS_ECDSA_VERIFY_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECDSA_VERIFY_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
+
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+    if( strcmp( "MBEDTLS_ECDSA_SIGN_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECDSA_SIGN_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+
+#if defined(MBEDTLS_ECDSA_GENKEY_ALT)
+    if( strcmp( "MBEDTLS_ECDSA_GENKEY_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECDSA_GENKEY_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECDSA_GENKEY_ALT */
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if( strcmp( "MBEDTLS_ECP_INTERNAL_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_INTERNAL_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+    if( strcmp( "MBEDTLS_ECP_RANDOMIZE_JAC_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_RANDOMIZE_JAC_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
+
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+    if( strcmp( "MBEDTLS_ECP_ADD_MIXED_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_ADD_MIXED_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
+
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+    if( strcmp( "MBEDTLS_ECP_DOUBLE_JAC_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_DOUBLE_JAC_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
+
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+    if( strcmp( "MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT */
+
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+    if( strcmp( "MBEDTLS_ECP_NORMALIZE_JAC_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_NORMALIZE_JAC_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
+
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+    if( strcmp( "MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+    if( strcmp( "MBEDTLS_ECP_RANDOMIZE_MXZ_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_RANDOMIZE_MXZ_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
+
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+    if( strcmp( "MBEDTLS_ECP_NORMALIZE_MXZ_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_NORMALIZE_MXZ_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
+
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+    if( strcmp( "MBEDTLS_TEST_NULL_ENTROPY", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_TEST_NULL_ENTROPY );
+        return( 0 );
+    }
+#endif /* MBEDTLS_TEST_NULL_ENTROPY */
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+    if( strcmp( "MBEDTLS_ENTROPY_HARDWARE_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ENTROPY_HARDWARE_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
+
+#if defined(MBEDTLS_AES_ROM_TABLES)
+    if( strcmp( "MBEDTLS_AES_ROM_TABLES", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_AES_ROM_TABLES );
+        return( 0 );
+    }
+#endif /* MBEDTLS_AES_ROM_TABLES */
+
+#if defined(MBEDTLS_AES_FEWER_TABLES)
+    if( strcmp( "MBEDTLS_AES_FEWER_TABLES", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_AES_FEWER_TABLES );
+        return( 0 );
+    }
+#endif /* MBEDTLS_AES_FEWER_TABLES */
+
+#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
+    if( strcmp( "MBEDTLS_CAMELLIA_SMALL_MEMORY", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CAMELLIA_SMALL_MEMORY );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    if( strcmp( "MBEDTLS_CIPHER_MODE_CBC", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CIPHER_MODE_CBC );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    if( strcmp( "MBEDTLS_CIPHER_MODE_CFB", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CIPHER_MODE_CFB );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    if( strcmp( "MBEDTLS_CIPHER_MODE_CTR", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CIPHER_MODE_CTR );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    if( strcmp( "MBEDTLS_CIPHER_MODE_OFB", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CIPHER_MODE_OFB );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    if( strcmp( "MBEDTLS_CIPHER_MODE_XTS", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CIPHER_MODE_XTS );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+    if( strcmp( "MBEDTLS_CIPHER_NULL_CIPHER", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CIPHER_NULL_CIPHER );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+    if( strcmp( "MBEDTLS_CIPHER_PADDING_PKCS7", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CIPHER_PADDING_PKCS7 );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
+    if( strcmp( "MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
+    if( strcmp( "MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
+    if( strcmp( "MBEDTLS_CIPHER_PADDING_ZEROS", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CIPHER_PADDING_ZEROS );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
+
+#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
+    if( strcmp( "MBEDTLS_ENABLE_WEAK_CIPHERSUITES", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ENABLE_WEAK_CIPHERSUITES );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
+
+#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
+    if( strcmp( "MBEDTLS_REMOVE_ARC4_CIPHERSUITES", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_REMOVE_ARC4_CIPHERSUITES );
+        return( 0 );
+    }
+#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
+
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+    if( strcmp( "MBEDTLS_REMOVE_3DES_CIPHERSUITES", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_REMOVE_3DES_CIPHERSUITES );
+        return( 0 );
+    }
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+    if( strcmp( "MBEDTLS_ECP_DP_SECP192R1_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_DP_SECP192R1_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+    if( strcmp( "MBEDTLS_ECP_DP_SECP224R1_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_DP_SECP224R1_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+    if( strcmp( "MBEDTLS_ECP_DP_SECP256R1_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_DP_SECP256R1_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+    if( strcmp( "MBEDTLS_ECP_DP_SECP384R1_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_DP_SECP384R1_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+    if( strcmp( "MBEDTLS_ECP_DP_SECP521R1_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_DP_SECP521R1_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+    if( strcmp( "MBEDTLS_ECP_DP_SECP192K1_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_DP_SECP192K1_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+    if( strcmp( "MBEDTLS_ECP_DP_SECP224K1_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_DP_SECP224K1_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+    if( strcmp( "MBEDTLS_ECP_DP_SECP256K1_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_DP_SECP256K1_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+    if( strcmp( "MBEDTLS_ECP_DP_BP256R1_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_DP_BP256R1_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+    if( strcmp( "MBEDTLS_ECP_DP_BP384R1_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_DP_BP384R1_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+    if( strcmp( "MBEDTLS_ECP_DP_BP512R1_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_DP_BP512R1_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+    if( strcmp( "MBEDTLS_ECP_DP_CURVE25519_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_DP_CURVE25519_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+    if( strcmp( "MBEDTLS_ECP_DP_CURVE448_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_DP_CURVE448_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+    if( strcmp( "MBEDTLS_ECP_NIST_OPTIM", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_NIST_OPTIM );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( strcmp( "MBEDTLS_ECP_RESTARTABLE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_RESTARTABLE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    if( strcmp( "MBEDTLS_ECDSA_DETERMINISTIC", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECDSA_DETERMINISTIC );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    if( strcmp( "MBEDTLS_KEY_EXCHANGE_PSK_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_KEY_EXCHANGE_PSK_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    if( strcmp( "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    if( strcmp( "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    if( strcmp( "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    if( strcmp( "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_KEY_EXCHANGE_RSA_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    if( strcmp( "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+    if( strcmp( "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+    if( strcmp( "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    if( strcmp( "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+    if( strcmp( "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( strcmp( "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+    if( strcmp( "MBEDTLS_PK_PARSE_EC_EXTENDED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PK_PARSE_EC_EXTENDED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
+
+#if defined(MBEDTLS_ERROR_STRERROR_DUMMY)
+    if( strcmp( "MBEDTLS_ERROR_STRERROR_DUMMY", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ERROR_STRERROR_DUMMY );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ERROR_STRERROR_DUMMY */
+
+#if defined(MBEDTLS_GENPRIME)
+    if( strcmp( "MBEDTLS_GENPRIME", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_GENPRIME );
+        return( 0 );
+    }
+#endif /* MBEDTLS_GENPRIME */
+
+#if defined(MBEDTLS_FS_IO)
+    if( strcmp( "MBEDTLS_FS_IO", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_FS_IO );
+        return( 0 );
+    }
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+    if( strcmp( "MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES );
+        return( 0 );
+    }
+#endif /* MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES */
+
+#if defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+    if( strcmp( "MBEDTLS_NO_PLATFORM_ENTROPY", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_NO_PLATFORM_ENTROPY );
+        return( 0 );
+    }
+#endif /* MBEDTLS_NO_PLATFORM_ENTROPY */
+
+#if defined(MBEDTLS_ENTROPY_FORCE_SHA256)
+    if( strcmp( "MBEDTLS_ENTROPY_FORCE_SHA256", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ENTROPY_FORCE_SHA256 );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ENTROPY_FORCE_SHA256 */
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    if( strcmp( "MBEDTLS_ENTROPY_NV_SEED", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ENTROPY_NV_SEED );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    if( strcmp( "MBEDTLS_MEMORY_DEBUG", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_MEMORY_DEBUG );
+        return( 0 );
+    }
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    if( strcmp( "MBEDTLS_MEMORY_BACKTRACE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_MEMORY_BACKTRACE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_MEMORY_BACKTRACE */
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+    if( strcmp( "MBEDTLS_PK_RSA_ALT_SUPPORT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PK_RSA_ALT_SUPPORT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+#if defined(MBEDTLS_PKCS1_V15)
+    if( strcmp( "MBEDTLS_PKCS1_V15", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PKCS1_V15 );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PKCS1_V15 */
+
+#if defined(MBEDTLS_PKCS1_V21)
+    if( strcmp( "MBEDTLS_PKCS1_V21", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PKCS1_V21 );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+    if( strcmp( "MBEDTLS_RSA_NO_CRT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_RSA_NO_CRT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+#if defined(MBEDTLS_SELF_TEST)
+    if( strcmp( "MBEDTLS_SELF_TEST", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SELF_TEST );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SELF_TEST */
+
+#if defined(MBEDTLS_SHA256_SMALLER)
+    if( strcmp( "MBEDTLS_SHA256_SMALLER", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SHA256_SMALLER );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SHA256_SMALLER */
+
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
+    if( strcmp( "MBEDTLS_SSL_ALL_ALERT_MESSAGES", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_ALL_ALERT_MESSAGES );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    if( strcmp( "MBEDTLS_SSL_ASYNC_PRIVATE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_ASYNC_PRIVATE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+    if( strcmp( "MBEDTLS_SSL_DEBUG_ALL", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_DEBUG_ALL );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_DEBUG_ALL */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    if( strcmp( "MBEDTLS_SSL_ENCRYPT_THEN_MAC", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_ENCRYPT_THEN_MAC );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    if( strcmp( "MBEDTLS_SSL_EXTENDED_MASTER_SECRET", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_EXTENDED_MASTER_SECRET );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    if( strcmp( "MBEDTLS_SSL_FALLBACK_SCSV", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_FALLBACK_SCSV );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( strcmp( "MBEDTLS_SSL_HW_RECORD_ACCEL", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_HW_RECORD_ACCEL );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    if( strcmp( "MBEDTLS_SSL_CBC_RECORD_SPLITTING", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CBC_RECORD_SPLITTING );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( strcmp( "MBEDTLS_SSL_RENEGOTIATION", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_RENEGOTIATION );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
+    if( strcmp( "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
+
+#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
+    if( strcmp( "MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    if( strcmp( "MBEDTLS_SSL_MAX_FRAGMENT_LENGTH", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_MAX_FRAGMENT_LENGTH );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( strcmp( "MBEDTLS_SSL_PROTO_SSL3", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_SSL3 );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1)
+    if( strcmp( "MBEDTLS_SSL_PROTO_TLS1", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_TLS1 );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    if( strcmp( "MBEDTLS_SSL_PROTO_TLS1_1", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_TLS1_1 );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( strcmp( "MBEDTLS_SSL_PROTO_TLS1_2", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_TLS1_2 );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( strcmp( "MBEDTLS_SSL_PROTO_DTLS", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_DTLS );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+    if( strcmp( "MBEDTLS_SSL_ALPN", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_ALPN );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_ALPN */
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    if( strcmp( "MBEDTLS_SSL_DTLS_ANTI_REPLAY", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_DTLS_ANTI_REPLAY );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+    if( strcmp( "MBEDTLS_SSL_DTLS_HELLO_VERIFY", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_DTLS_HELLO_VERIFY );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
+    if( strcmp( "MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE */
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+    if( strcmp( "MBEDTLS_SSL_DTLS_BADMAC_LIMIT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_DTLS_BADMAC_LIMIT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    if( strcmp( "MBEDTLS_SSL_SESSION_TICKETS", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_SESSION_TICKETS );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+    if( strcmp( "MBEDTLS_SSL_EXPORT_KEYS", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_EXPORT_KEYS );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_EXPORT_KEYS */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    if( strcmp( "MBEDTLS_SSL_SERVER_NAME_INDICATION", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_SERVER_NAME_INDICATION );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    if( strcmp( "MBEDTLS_SSL_TRUNCATED_HMAC", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_TRUNCATED_HMAC );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
+    if( strcmp( "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT */
+
+#if defined(MBEDTLS_THREADING_ALT)
+    if( strcmp( "MBEDTLS_THREADING_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_THREADING_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_THREADING_ALT */
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+    if( strcmp( "MBEDTLS_THREADING_PTHREAD", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_THREADING_PTHREAD );
+        return( 0 );
+    }
+#endif /* MBEDTLS_THREADING_PTHREAD */
+
+#if defined(MBEDTLS_VERSION_FEATURES)
+    if( strcmp( "MBEDTLS_VERSION_FEATURES", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_VERSION_FEATURES );
+        return( 0 );
+    }
+#endif /* MBEDTLS_VERSION_FEATURES */
+
+#if defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
+    if( strcmp( "MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 */
+
+#if defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
+    if( strcmp( "MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION */
+
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+    if( strcmp( "MBEDTLS_X509_CHECK_KEY_USAGE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CHECK_KEY_USAGE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    if( strcmp( "MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+    if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_RSASSA_PSS_SUPPORT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if( strcmp( "MBEDTLS_ZLIB_SUPPORT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ZLIB_SUPPORT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+
+#if defined(MBEDTLS_AESNI_C)
+    if( strcmp( "MBEDTLS_AESNI_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_AESNI_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_AESNI_C */
+
+#if defined(MBEDTLS_AES_C)
+    if( strcmp( "MBEDTLS_AES_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_AES_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+    if( strcmp( "MBEDTLS_ARC4_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ARC4_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+    if( strcmp( "MBEDTLS_ASN1_PARSE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ASN1_PARSE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#if defined(MBEDTLS_ASN1_WRITE_C)
+    if( strcmp( "MBEDTLS_ASN1_WRITE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ASN1_WRITE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ASN1_WRITE_C */
+
+#if defined(MBEDTLS_BASE64_C)
+    if( strcmp( "MBEDTLS_BASE64_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_BASE64_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_BASE64_C */
+
+#if defined(MBEDTLS_BIGNUM_C)
+    if( strcmp( "MBEDTLS_BIGNUM_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_BIGNUM_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_BIGNUM_C */
+
+#if defined(MBEDTLS_BLOWFISH_C)
+    if( strcmp( "MBEDTLS_BLOWFISH_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_BLOWFISH_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_BLOWFISH_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+    if( strcmp( "MBEDTLS_CAMELLIA_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CAMELLIA_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_ARIA_C)
+    if( strcmp( "MBEDTLS_ARIA_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ARIA_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ARIA_C */
+
+#if defined(MBEDTLS_CCM_C)
+    if( strcmp( "MBEDTLS_CCM_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CCM_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CCM_C */
+
+#if defined(MBEDTLS_CERTS_C)
+    if( strcmp( "MBEDTLS_CERTS_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CERTS_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CERTS_C */
+
+#if defined(MBEDTLS_CHACHA20_C)
+    if( strcmp( "MBEDTLS_CHACHA20_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CHACHA20_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CHACHA20_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if( strcmp( "MBEDTLS_CHACHAPOLY_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CHACHAPOLY_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+#if defined(MBEDTLS_CIPHER_C)
+    if( strcmp( "MBEDTLS_CIPHER_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CIPHER_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_C */
+
+#if defined(MBEDTLS_CMAC_C)
+    if( strcmp( "MBEDTLS_CMAC_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CMAC_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CMAC_C */
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+    if( strcmp( "MBEDTLS_CTR_DRBG_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CTR_DRBG_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CTR_DRBG_C */
+
+#if defined(MBEDTLS_DEBUG_C)
+    if( strcmp( "MBEDTLS_DEBUG_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_DEBUG_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_DEBUG_C */
+
+#if defined(MBEDTLS_DES_C)
+    if( strcmp( "MBEDTLS_DES_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_DES_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_DHM_C)
+    if( strcmp( "MBEDTLS_DHM_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_DHM_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_DHM_C */
+
+#if defined(MBEDTLS_ECDH_C)
+    if( strcmp( "MBEDTLS_ECDH_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECDH_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECDH_C */
+
+#if defined(MBEDTLS_ECDSA_C)
+    if( strcmp( "MBEDTLS_ECDSA_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECDSA_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECDSA_C */
+
+#if defined(MBEDTLS_ECJPAKE_C)
+    if( strcmp( "MBEDTLS_ECJPAKE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECJPAKE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECJPAKE_C */
+
+#if defined(MBEDTLS_ECP_C)
+    if( strcmp( "MBEDTLS_ECP_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_ENTROPY_C)
+    if( strcmp( "MBEDTLS_ENTROPY_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ENTROPY_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ENTROPY_C */
+
+#if defined(MBEDTLS_ERROR_C)
+    if( strcmp( "MBEDTLS_ERROR_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ERROR_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ERROR_C */
+
+#if defined(MBEDTLS_GCM_C)
+    if( strcmp( "MBEDTLS_GCM_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_GCM_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_HAVEGE_C)
+    if( strcmp( "MBEDTLS_HAVEGE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_HAVEGE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_HAVEGE_C */
+
+#if defined(MBEDTLS_HKDF_C)
+    if( strcmp( "MBEDTLS_HKDF_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_HKDF_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_HKDF_C */
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+    if( strcmp( "MBEDTLS_HMAC_DRBG_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_HMAC_DRBG_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_HMAC_DRBG_C */
+
+#if defined(MBEDTLS_NIST_KW_C)
+    if( strcmp( "MBEDTLS_NIST_KW_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_NIST_KW_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_NIST_KW_C */
+
+#if defined(MBEDTLS_MD_C)
+    if( strcmp( "MBEDTLS_MD_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_MD_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_MD_C */
+
+#if defined(MBEDTLS_MD2_C)
+    if( strcmp( "MBEDTLS_MD2_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_MD2_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_MD2_C */
+
+#if defined(MBEDTLS_MD4_C)
+    if( strcmp( "MBEDTLS_MD4_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_MD4_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_MD4_C */
+
+#if defined(MBEDTLS_MD5_C)
+    if( strcmp( "MBEDTLS_MD5_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_MD5_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_MD5_C */
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+    if( strcmp( "MBEDTLS_MEMORY_BUFFER_ALLOC_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_MEMORY_BUFFER_ALLOC_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
+
+#if defined(MBEDTLS_NET_C)
+    if( strcmp( "MBEDTLS_NET_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_NET_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_NET_C */
+
+#if defined(MBEDTLS_OID_C)
+    if( strcmp( "MBEDTLS_OID_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_OID_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_OID_C */
+
+#if defined(MBEDTLS_PADLOCK_C)
+    if( strcmp( "MBEDTLS_PADLOCK_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PADLOCK_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PADLOCK_C */
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+    if( strcmp( "MBEDTLS_PEM_PARSE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PEM_PARSE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+    if( strcmp( "MBEDTLS_PEM_WRITE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PEM_WRITE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#if defined(MBEDTLS_PK_C)
+    if( strcmp( "MBEDTLS_PK_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PK_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PK_C */
+
+#if defined(MBEDTLS_PK_PARSE_C)
+    if( strcmp( "MBEDTLS_PK_PARSE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PK_PARSE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PK_PARSE_C */
+
+#if defined(MBEDTLS_PK_WRITE_C)
+    if( strcmp( "MBEDTLS_PK_WRITE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PK_WRITE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PK_WRITE_C */
+
+#if defined(MBEDTLS_PKCS5_C)
+    if( strcmp( "MBEDTLS_PKCS5_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PKCS5_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PKCS5_C */
+
+#if defined(MBEDTLS_PKCS11_C)
+    if( strcmp( "MBEDTLS_PKCS11_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PKCS11_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PKCS11_C */
+
+#if defined(MBEDTLS_PKCS12_C)
+    if( strcmp( "MBEDTLS_PKCS12_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PKCS12_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PKCS12_C */
+
+#if defined(MBEDTLS_PLATFORM_C)
+    if( strcmp( "MBEDTLS_PLATFORM_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_C */
+
+#if defined(MBEDTLS_POLY1305_C)
+    if( strcmp( "MBEDTLS_POLY1305_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_POLY1305_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_POLY1305_C */
+
+#if defined(MBEDTLS_RIPEMD160_C)
+    if( strcmp( "MBEDTLS_RIPEMD160_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_RIPEMD160_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_RIPEMD160_C */
+
+#if defined(MBEDTLS_RSA_C)
+    if( strcmp( "MBEDTLS_RSA_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_RSA_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    if( strcmp( "MBEDTLS_SHA1_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SHA1_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    if( strcmp( "MBEDTLS_SHA256_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SHA256_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    if( strcmp( "MBEDTLS_SHA512_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SHA512_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SSL_CACHE_C)
+    if( strcmp( "MBEDTLS_SSL_CACHE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CACHE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_CACHE_C */
+
+#if defined(MBEDTLS_SSL_COOKIE_C)
+    if( strcmp( "MBEDTLS_SSL_COOKIE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_COOKIE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_COOKIE_C */
+
+#if defined(MBEDTLS_SSL_TICKET_C)
+    if( strcmp( "MBEDTLS_SSL_TICKET_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_TICKET_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_TICKET_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+    if( strcmp( "MBEDTLS_SSL_CLI_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CLI_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+    if( strcmp( "MBEDTLS_SSL_SRV_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_SRV_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_TLS_C)
+    if( strcmp( "MBEDTLS_SSL_TLS_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_TLS_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_TLS_C */
+
+#if defined(MBEDTLS_THREADING_C)
+    if( strcmp( "MBEDTLS_THREADING_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_THREADING_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_THREADING_C */
+
+#if defined(MBEDTLS_TIMING_C)
+    if( strcmp( "MBEDTLS_TIMING_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_TIMING_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_TIMING_C */
+
+#if defined(MBEDTLS_VERSION_C)
+    if( strcmp( "MBEDTLS_VERSION_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_VERSION_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_VERSION_C */
+
+#if defined(MBEDTLS_X509_USE_C)
+    if( strcmp( "MBEDTLS_X509_USE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_USE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_USE_C */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if( strcmp( "MBEDTLS_X509_CRT_PARSE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CRT_PARSE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+    if( strcmp( "MBEDTLS_X509_CRL_PARSE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CRL_PARSE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
+
+#if defined(MBEDTLS_X509_CSR_PARSE_C)
+    if( strcmp( "MBEDTLS_X509_CSR_PARSE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CSR_PARSE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_CSR_PARSE_C */
+
+#if defined(MBEDTLS_X509_CREATE_C)
+    if( strcmp( "MBEDTLS_X509_CREATE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CREATE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_CREATE_C */
+
+#if defined(MBEDTLS_X509_CRT_WRITE_C)
+    if( strcmp( "MBEDTLS_X509_CRT_WRITE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CRT_WRITE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_CRT_WRITE_C */
+
+#if defined(MBEDTLS_X509_CSR_WRITE_C)
+    if( strcmp( "MBEDTLS_X509_CSR_WRITE_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CSR_WRITE_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_CSR_WRITE_C */
+
+#if defined(MBEDTLS_XTEA_C)
+    if( strcmp( "MBEDTLS_XTEA_C", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_XTEA_C );
+        return( 0 );
+    }
+#endif /* MBEDTLS_XTEA_C */
+
+#if defined(MBEDTLS_MPI_WINDOW_SIZE)
+    if( strcmp( "MBEDTLS_MPI_WINDOW_SIZE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_MPI_WINDOW_SIZE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_MPI_WINDOW_SIZE */
+
+#if defined(MBEDTLS_MPI_MAX_SIZE)
+    if( strcmp( "MBEDTLS_MPI_MAX_SIZE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_MPI_MAX_SIZE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_MPI_MAX_SIZE */
+
+#if defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN)
+    if( strcmp( "MBEDTLS_CTR_DRBG_ENTROPY_LEN", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CTR_DRBG_ENTROPY_LEN );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CTR_DRBG_ENTROPY_LEN */
+
+#if defined(MBEDTLS_CTR_DRBG_RESEED_INTERVAL)
+    if( strcmp( "MBEDTLS_CTR_DRBG_RESEED_INTERVAL", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CTR_DRBG_RESEED_INTERVAL );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CTR_DRBG_RESEED_INTERVAL */
+
+#if defined(MBEDTLS_CTR_DRBG_MAX_INPUT)
+    if( strcmp( "MBEDTLS_CTR_DRBG_MAX_INPUT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CTR_DRBG_MAX_INPUT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CTR_DRBG_MAX_INPUT */
+
+#if defined(MBEDTLS_CTR_DRBG_MAX_REQUEST)
+    if( strcmp( "MBEDTLS_CTR_DRBG_MAX_REQUEST", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CTR_DRBG_MAX_REQUEST );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CTR_DRBG_MAX_REQUEST */
+
+#if defined(MBEDTLS_CTR_DRBG_MAX_SEED_INPUT)
+    if( strcmp( "MBEDTLS_CTR_DRBG_MAX_SEED_INPUT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CTR_DRBG_MAX_SEED_INPUT */
+
+#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+    if( strcmp( "MBEDTLS_CTR_DRBG_USE_128_BIT_KEY", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_CTR_DRBG_USE_128_BIT_KEY );
+        return( 0 );
+    }
+#endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
+
+#if defined(MBEDTLS_HMAC_DRBG_RESEED_INTERVAL)
+    if( strcmp( "MBEDTLS_HMAC_DRBG_RESEED_INTERVAL", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_HMAC_DRBG_RESEED_INTERVAL );
+        return( 0 );
+    }
+#endif /* MBEDTLS_HMAC_DRBG_RESEED_INTERVAL */
+
+#if defined(MBEDTLS_HMAC_DRBG_MAX_INPUT)
+    if( strcmp( "MBEDTLS_HMAC_DRBG_MAX_INPUT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_HMAC_DRBG_MAX_INPUT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_HMAC_DRBG_MAX_INPUT */
+
+#if defined(MBEDTLS_HMAC_DRBG_MAX_REQUEST)
+    if( strcmp( "MBEDTLS_HMAC_DRBG_MAX_REQUEST", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_HMAC_DRBG_MAX_REQUEST );
+        return( 0 );
+    }
+#endif /* MBEDTLS_HMAC_DRBG_MAX_REQUEST */
+
+#if defined(MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT)
+    if( strcmp( "MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT */
+
+#if defined(MBEDTLS_ECP_MAX_BITS)
+    if( strcmp( "MBEDTLS_ECP_MAX_BITS", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_MAX_BITS );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_MAX_BITS */
+
+#if defined(MBEDTLS_ECP_WINDOW_SIZE)
+    if( strcmp( "MBEDTLS_ECP_WINDOW_SIZE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_WINDOW_SIZE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_WINDOW_SIZE */
+
+#if defined(MBEDTLS_ECP_FIXED_POINT_OPTIM)
+    if( strcmp( "MBEDTLS_ECP_FIXED_POINT_OPTIM", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ECP_FIXED_POINT_OPTIM );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */
+
+#if defined(MBEDTLS_ENTROPY_MAX_SOURCES)
+    if( strcmp( "MBEDTLS_ENTROPY_MAX_SOURCES", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ENTROPY_MAX_SOURCES );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ENTROPY_MAX_SOURCES */
+
+#if defined(MBEDTLS_ENTROPY_MAX_GATHER)
+    if( strcmp( "MBEDTLS_ENTROPY_MAX_GATHER", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ENTROPY_MAX_GATHER );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ENTROPY_MAX_GATHER */
+
+#if defined(MBEDTLS_ENTROPY_MIN_HARDWARE)
+    if( strcmp( "MBEDTLS_ENTROPY_MIN_HARDWARE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_ENTROPY_MIN_HARDWARE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_ENTROPY_MIN_HARDWARE */
+
+#if defined(MBEDTLS_MEMORY_ALIGN_MULTIPLE)
+    if( strcmp( "MBEDTLS_MEMORY_ALIGN_MULTIPLE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_MEMORY_ALIGN_MULTIPLE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_MEMORY_ALIGN_MULTIPLE */
+
+#if defined(MBEDTLS_PLATFORM_STD_MEM_HDR)
+    if( strcmp( "MBEDTLS_PLATFORM_STD_MEM_HDR", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_STD_MEM_HDR );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_STD_MEM_HDR */
+
+#if defined(MBEDTLS_PLATFORM_STD_CALLOC)
+    if( strcmp( "MBEDTLS_PLATFORM_STD_CALLOC", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_STD_CALLOC );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_STD_CALLOC */
+
+#if defined(MBEDTLS_PLATFORM_STD_FREE)
+    if( strcmp( "MBEDTLS_PLATFORM_STD_FREE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_STD_FREE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_STD_FREE */
+
+#if defined(MBEDTLS_PLATFORM_STD_EXIT)
+    if( strcmp( "MBEDTLS_PLATFORM_STD_EXIT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_STD_EXIT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_STD_EXIT */
+
+#if defined(MBEDTLS_PLATFORM_STD_TIME)
+    if( strcmp( "MBEDTLS_PLATFORM_STD_TIME", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_STD_TIME );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_STD_TIME */
+
+#if defined(MBEDTLS_PLATFORM_STD_FPRINTF)
+    if( strcmp( "MBEDTLS_PLATFORM_STD_FPRINTF", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_STD_FPRINTF );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_STD_FPRINTF */
+
+#if defined(MBEDTLS_PLATFORM_STD_PRINTF)
+    if( strcmp( "MBEDTLS_PLATFORM_STD_PRINTF", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_STD_PRINTF );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_STD_PRINTF */
+
+#if defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
+    if( strcmp( "MBEDTLS_PLATFORM_STD_SNPRINTF", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_STD_SNPRINTF );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_STD_SNPRINTF */
+
+#if defined(MBEDTLS_PLATFORM_STD_EXIT_SUCCESS)
+    if( strcmp( "MBEDTLS_PLATFORM_STD_EXIT_SUCCESS", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_STD_EXIT_SUCCESS );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_STD_EXIT_SUCCESS */
+
+#if defined(MBEDTLS_PLATFORM_STD_EXIT_FAILURE)
+    if( strcmp( "MBEDTLS_PLATFORM_STD_EXIT_FAILURE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_STD_EXIT_FAILURE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_STD_EXIT_FAILURE */
+
+#if defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ)
+    if( strcmp( "MBEDTLS_PLATFORM_STD_NV_SEED_READ", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_STD_NV_SEED_READ );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_STD_NV_SEED_READ */
+
+#if defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE)
+    if( strcmp( "MBEDTLS_PLATFORM_STD_NV_SEED_WRITE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_STD_NV_SEED_WRITE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_STD_NV_SEED_WRITE */
+
+#if defined(MBEDTLS_PLATFORM_STD_NV_SEED_FILE)
+    if( strcmp( "MBEDTLS_PLATFORM_STD_NV_SEED_FILE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_STD_NV_SEED_FILE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_STD_NV_SEED_FILE */
+
+#if defined(MBEDTLS_PLATFORM_CALLOC_MACRO)
+    if( strcmp( "MBEDTLS_PLATFORM_CALLOC_MACRO", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_CALLOC_MACRO );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_CALLOC_MACRO */
+
+#if defined(MBEDTLS_PLATFORM_FREE_MACRO)
+    if( strcmp( "MBEDTLS_PLATFORM_FREE_MACRO", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_FREE_MACRO );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_FREE_MACRO */
+
+#if defined(MBEDTLS_PLATFORM_EXIT_MACRO)
+    if( strcmp( "MBEDTLS_PLATFORM_EXIT_MACRO", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_EXIT_MACRO );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_EXIT_MACRO */
+
+#if defined(MBEDTLS_PLATFORM_TIME_MACRO)
+    if( strcmp( "MBEDTLS_PLATFORM_TIME_MACRO", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_TIME_MACRO );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_TIME_MACRO */
+
+#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO)
+    if( strcmp( "MBEDTLS_PLATFORM_TIME_TYPE_MACRO", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_TIME_TYPE_MACRO );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_TIME_TYPE_MACRO */
+
+#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO)
+    if( strcmp( "MBEDTLS_PLATFORM_FPRINTF_MACRO", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_FPRINTF_MACRO );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_FPRINTF_MACRO */
+
+#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO)
+    if( strcmp( "MBEDTLS_PLATFORM_PRINTF_MACRO", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_PRINTF_MACRO );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_PRINTF_MACRO */
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
+    if( strcmp( "MBEDTLS_PLATFORM_SNPRINTF_MACRO", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_SNPRINTF_MACRO );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_MACRO */
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_READ_MACRO)
+    if( strcmp( "MBEDTLS_PLATFORM_NV_SEED_READ_MACRO", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_NV_SEED_READ_MACRO );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_NV_SEED_READ_MACRO */
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO)
+    if( strcmp( "MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO */
+
+#if defined(MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT)
+    if( strcmp( "MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT */
+
+#if defined(MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES)
+    if( strcmp( "MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES */
+
+#if defined(MBEDTLS_SSL_MAX_CONTENT_LEN)
+    if( strcmp( "MBEDTLS_SSL_MAX_CONTENT_LEN", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_MAX_CONTENT_LEN );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_MAX_CONTENT_LEN */
+
+#if defined(MBEDTLS_SSL_IN_CONTENT_LEN)
+    if( strcmp( "MBEDTLS_SSL_IN_CONTENT_LEN", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_IN_CONTENT_LEN );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_IN_CONTENT_LEN */
+
+#if defined(MBEDTLS_SSL_OUT_CONTENT_LEN)
+    if( strcmp( "MBEDTLS_SSL_OUT_CONTENT_LEN", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_OUT_CONTENT_LEN );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_OUT_CONTENT_LEN */
+
+#if defined(MBEDTLS_SSL_DTLS_MAX_BUFFERING)
+    if( strcmp( "MBEDTLS_SSL_DTLS_MAX_BUFFERING", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_DTLS_MAX_BUFFERING );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_DTLS_MAX_BUFFERING */
+
+#if defined(MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME)
+    if( strcmp( "MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME */
+
+#if defined(MBEDTLS_PSK_MAX_LEN)
+    if( strcmp( "MBEDTLS_PSK_MAX_LEN", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PSK_MAX_LEN );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PSK_MAX_LEN */
+
+#if defined(MBEDTLS_SSL_COOKIE_TIMEOUT)
+    if( strcmp( "MBEDTLS_SSL_COOKIE_TIMEOUT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_COOKIE_TIMEOUT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_COOKIE_TIMEOUT */
+
+#if defined(MBEDTLS_X509_MAX_INTERMEDIATE_CA)
+    if( strcmp( "MBEDTLS_X509_MAX_INTERMEDIATE_CA", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_MAX_INTERMEDIATE_CA );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_MAX_INTERMEDIATE_CA */
+
+#if defined(MBEDTLS_X509_MAX_FILE_PATH_LEN)
+    if( strcmp( "MBEDTLS_X509_MAX_FILE_PATH_LEN", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_MAX_FILE_PATH_LEN );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_MAX_FILE_PATH_LEN */
+
+#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)
+    if( strcmp( "MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES );
+        return( 0 );
+    }
+#endif /* MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES */
+
+#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
+    if( strcmp( "MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE */
+
+#if defined(MBEDTLS_PLATFORM_ZEROIZE_ALT)
+    if( strcmp( "MBEDTLS_PLATFORM_ZEROIZE_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_ZEROIZE_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */
+
+#if defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+    if( strcmp( "MBEDTLS_PLATFORM_GMTIME_R_ALT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_GMTIME_R_ALT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PLATFORM_GMTIME_R_ALT */
+
+    /* If the symbol is not found, return an error */
+    return( 1 );
+}
+
+#if defined(_MSC_VER)
+#pragma warning(pop)
+#endif /* _MSC_VER */
diff --git a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_client1.c b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_client1.c
index bf7c0132af..646909f114 100644
--- a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_client1.c
+++ b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_client1.c
@@ -34,6 +34,7 @@
 #define mbedtls_time_t          time_t
 #define mbedtls_fprintf         fprintf
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -70,6 +71,18 @@ int main( void )
 
 #define DEBUG_LEVEL 1
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 static void my_debug( void *ctx, int level,
                       const char *file, int line,
                       const char *str )
diff --git a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_client2.c b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_client2.c
index c63c4f75a1..255d4b2f0b 100644
--- a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_client2.c
+++ b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_client2.c
@@ -35,6 +35,9 @@
 #define mbedtls_printf     printf
 #define mbedtls_fprintf    fprintf
 #define mbedtls_snprintf   snprintf
+#define mbedtls_exit            exit
+#define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif
 
 #if !defined(MBEDTLS_ENTROPY_C) || \
@@ -73,6 +76,7 @@ int main( void )
 #define DFL_REQUEST_SIZE        -1
 #define DFL_DEBUG_LEVEL         0
 #define DFL_NBIO                0
+#define DFL_EVENT               0
 #define DFL_READ_TIMEOUT        0
 #define DFL_MAX_RESEND          0
 #define DFL_CA_FILE             ""
@@ -82,6 +86,7 @@ int main( void )
 #define DFL_PSK                 ""
 #define DFL_PSK_IDENTITY        "Client_identity"
 #define DFL_ECJPAKE_PW          NULL
+#define DFL_EC_MAX_OPS          -1
 #define DFL_FORCE_CIPHER        0
 #define DFL_RENEGOTIATION       MBEDTLS_SSL_RENEGOTIATION_DISABLED
 #define DFL_ALLOW_LEGACY        -2
@@ -105,6 +110,8 @@ int main( void )
 #define DFL_TRANSPORT           MBEDTLS_SSL_TRANSPORT_STREAM
 #define DFL_HS_TO_MIN           0
 #define DFL_HS_TO_MAX           0
+#define DFL_DTLS_MTU            -1
+#define DFL_DGRAM_PACKING        1
 #define DFL_FALLBACK            -1
 #define DFL_EXTENDED_MS         -1
 #define DFL_ETM                 -1
@@ -117,8 +124,10 @@ int main( void )
 #define USAGE_IO \
     "    ca_file=%%s          The single file containing the top-level CA(s) you fully trust\n" \
     "                        default: \"\" (pre-loaded)\n" \
+    "                        use \"none\" to skip loading any top-level CAs.\n" \
     "    ca_path=%%s          The path containing the top-level CA(s) you fully trust\n" \
     "                        default: \"\" (pre-loaded) (overrides ca_file)\n" \
+    "                        use \"none\" to skip loading any top-level CAs.\n" \
     "    crt_file=%%s         Your own cert and chain (in bottom to top order, top may be omitted)\n" \
     "                        default: \"\" (pre-loaded)\n" \
     "    key_file=%%s         default: \"\" (pre-loaded)\n"
@@ -197,7 +206,11 @@ int main( void )
 #define USAGE_DTLS \
     "    dtls=%%d             default: 0 (TLS)\n"                           \
     "    hs_timeout=%%d-%%d    default: (library default: 1000-60000)\n"    \
-    "                        range of DTLS handshake timeouts in millisecs\n"
+    "                        range of DTLS handshake timeouts in millisecs\n" \
+    "    mtu=%%d              default: (library default: unlimited)\n"  \
+    "    dgram_packing=%%d    default: 1 (allowed)\n"                   \
+    "                        allow or forbid packing of multiple\n" \
+    "                        records within a single datgram.\n"
 #else
 #define USAGE_DTLS ""
 #endif
@@ -238,6 +251,13 @@ int main( void )
 #define USAGE_ECJPAKE ""
 #endif
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+#define USAGE_ECRESTART \
+    "    ec_max_ops=%%s       default: library default (restart disabled)\n"
+#else
+#define USAGE_ECRESTART ""
+#endif
+
 #define USAGE \
     "\n usage: ssl_client2 param=<>...\n"                   \
     "\n acceptable parameters:\n"                           \
@@ -251,22 +271,25 @@ int main( void )
     "                        application data message is sent followed by\n" \
     "                        a second non-empty message before attempting\n" \
     "                        to read a response from the server\n"           \
-    "    debug_level=%%d      default: 0 (disabled)\n"      \
-    "    nbio=%%d             default: 0 (blocking I/O)\n"  \
-    "                        options: 1 (non-blocking), 2 (added delays)\n" \
-    "    read_timeout=%%d     default: 0 ms (no timeout)\n"    \
+    "    debug_level=%%d      default: 0 (disabled)\n"             \
+    "    nbio=%%d             default: 0 (blocking I/O)\n"         \
+    "                        options: 1 (non-blocking), 2 (added delays)\n"   \
+    "    event=%%d            default: 0 (loop)\n"                            \
+    "                        options: 1 (level-triggered, implies nbio=1),\n" \
+    "    read_timeout=%%d     default: 0 ms (no timeout)\n"        \
     "    max_resend=%%d       default: 0 (no resend on timeout)\n" \
     "\n"                                                    \
     USAGE_DTLS                                              \
     "\n"                                                    \
-    "    auth_mode=%%s        default: (library default: none)\n"      \
+    "    auth_mode=%%s        default: (library default: none)\n" \
     "                        options: none, optional, required\n" \
     USAGE_IO                                                \
     "\n"                                                    \
     USAGE_PSK                                               \
     USAGE_ECJPAKE                                           \
+    USAGE_ECRESTART                                         \
     "\n"                                                    \
-    "    allow_legacy=%%d     default: (library default: no)\n"      \
+    "    allow_legacy=%%d     default: (library default: no)\n"   \
     USAGE_RENEGO                                            \
     "    exchanges=%%d        default: 1\n"                 \
     "    reconnect=%%d        default: 0 (disabled)\n"      \
@@ -291,11 +314,27 @@ int main( void )
     "                        options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \
     "\n"                                                    \
     "    force_ciphersuite=<name>    default: all enabled\n"\
+    "    query_config=<name>         return 0 if the specified\n"       \
+    "                                configuration macro is defined and 1\n"  \
+    "                                otherwise. The expansion of the macro\n" \
+    "                                is printed if it is defined\n"     \
     " acceptable ciphersuite names:\n"
 
 #define ALPN_LIST_SIZE  10
 #define CURVE_LIST_SIZE 20
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 /*
  * global options
  */
@@ -306,7 +345,8 @@ struct options
     const char *server_port;    /* port on which the ssl service runs       */
     int debug_level;            /* level of debugging                       */
     int nbio;                   /* should I/O be blocking?                  */
-    uint32_t read_timeout;      /* timeout on mbedtls_ssl_read() in milliseconds    */
+    int event;                  /* loop or event-driven IO? level or edge triggered? */
+    uint32_t read_timeout;      /* timeout on mbedtls_ssl_read() in milliseconds     */
     int max_resend;             /* DTLS times to resend on read timeout     */
     const char *request_page;   /* page on server to request                */
     int request_size;           /* pad request with header to requested size */
@@ -317,6 +357,7 @@ struct options
     const char *psk;            /* the pre-shared key                       */
     const char *psk_identity;   /* the pre-shared key identity              */
     const char *ecjpake_pw;     /* the EC J-PAKE password                   */
+    int ec_max_ops;             /* EC consecutive operations limit          */
     int force_ciphersuite[2];   /* protocol/ciphersuite to use, or all      */
     int renegotiation;          /* enable / disable renegotiation           */
     int allow_legacy;           /* allow legacy renegotiation               */
@@ -341,11 +382,15 @@ struct options
     int transport;              /* TLS or DTLS?                             */
     uint32_t hs_to_min;         /* Initial value of DTLS handshake timer    */
     uint32_t hs_to_max;         /* Max value of DTLS handshake timer        */
+    int dtls_mtu;               /* UDP Maximum tranport unit for DTLS       */
     int fallback;               /* is this a fallback connection?           */
+    int dgram_packing;          /* allow/forbid datagram packing            */
     int extended_ms;            /* negotiate extended master secret?        */
     int etm;                    /* negotiate encrypt then mac?              */
 } opt;
 
+int query_config( const char *config );
+
 static void my_debug( void *ctx, int level,
                       const char *file, int line,
                       const char *str )
@@ -357,7 +402,8 @@ static void my_debug( void *ctx, int level,
         if( *p == '/' || *p == '\\' )
             basename = p + 1;
 
-    mbedtls_fprintf( (FILE *) ctx, "%s:%04d: |%d| %s", basename, line, level, str );
+    mbedtls_fprintf( (FILE *) ctx, "%s:%04d: |%d| %s",
+                     basename, line, level, str );
     fflush(  (FILE *) ctx  );
 }
 
@@ -403,7 +449,8 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
 /*
  * Enabled if debug_level > 1 in code below
  */
-static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags )
+static int my_verify( void *data, mbedtls_x509_crt *crt,
+                      int depth, uint32_t *flags )
 {
     char buf[1024];
     ((void) data);
@@ -440,6 +487,57 @@ static int ssl_sig_hashes_for_test[] = {
 };
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
+/*
+ * Wait for an event from the underlying transport or the timer
+ * (Used in event-driven IO mode).
+ */
+#if !defined(MBEDTLS_TIMING_C)
+int idle( mbedtls_net_context *fd,
+          int idle_reason )
+#else
+int idle( mbedtls_net_context *fd,
+          mbedtls_timing_delay_context *timer,
+          int idle_reason )
+#endif
+{
+
+    int ret;
+    int poll_type = 0;
+
+    if( idle_reason == MBEDTLS_ERR_SSL_WANT_WRITE )
+        poll_type = MBEDTLS_NET_POLL_WRITE;
+    else if( idle_reason == MBEDTLS_ERR_SSL_WANT_READ )
+        poll_type = MBEDTLS_NET_POLL_READ;
+#if !defined(MBEDTLS_TIMING_C)
+    else
+        return( 0 );
+#endif
+
+    while( 1 )
+    {
+        /* Check if timer has expired */
+#if defined(MBEDTLS_TIMING_C)
+        if( timer != NULL &&
+            mbedtls_timing_get_delay( timer ) == 2 )
+        {
+            break;
+        }
+#endif /* MBEDTLS_TIMING_C */
+
+        /* Check if underlying transport became available */
+        if( poll_type != 0 )
+        {
+            ret = mbedtls_net_poll( fd, poll_type, 0 );
+            if( ret < 0 )
+                return( ret );
+            if( ret == poll_type )
+                break;
+        }
+    }
+
+    return( 0 );
+}
+
 int main( int argc, char *argv[] )
 {
     int ret = 0, len, tail_len, i, written, frags, retry_left;
@@ -525,6 +623,7 @@ int main( int argc, char *argv[] )
     opt.server_port         = DFL_SERVER_PORT;
     opt.debug_level         = DFL_DEBUG_LEVEL;
     opt.nbio                = DFL_NBIO;
+    opt.event               = DFL_EVENT;
     opt.read_timeout        = DFL_READ_TIMEOUT;
     opt.max_resend          = DFL_MAX_RESEND;
     opt.request_page        = DFL_REQUEST_PAGE;
@@ -536,6 +635,7 @@ int main( int argc, char *argv[] )
     opt.psk                 = DFL_PSK;
     opt.psk_identity        = DFL_PSK_IDENTITY;
     opt.ecjpake_pw          = DFL_ECJPAKE_PW;
+    opt.ec_max_ops          = DFL_EC_MAX_OPS;
     opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
     opt.renegotiation       = DFL_RENEGOTIATION;
     opt.allow_legacy        = DFL_ALLOW_LEGACY;
@@ -559,9 +659,11 @@ int main( int argc, char *argv[] )
     opt.transport           = DFL_TRANSPORT;
     opt.hs_to_min           = DFL_HS_TO_MIN;
     opt.hs_to_max           = DFL_HS_TO_MAX;
+    opt.dtls_mtu            = DFL_DTLS_MTU;
     opt.fallback            = DFL_FALLBACK;
     opt.extended_ms         = DFL_EXTENDED_MS;
     opt.etm                 = DFL_ETM;
+    opt.dgram_packing       = DFL_DGRAM_PACKING;
 
     for( i = 1; i < argc; i++ )
     {
@@ -598,6 +700,12 @@ int main( int argc, char *argv[] )
             if( opt.nbio < 0 || opt.nbio > 2 )
                 goto usage;
         }
+        else if( strcmp( p, "event" ) == 0 )
+        {
+            opt.event = atoi( q );
+            if( opt.event < 0 || opt.event > 2 )
+                goto usage;
+        }
         else if( strcmp( p, "read_timeout" ) == 0 )
             opt.read_timeout = atoi( q );
         else if( strcmp( p, "max_resend" ) == 0 )
@@ -629,6 +737,8 @@ int main( int argc, char *argv[] )
             opt.psk_identity = q;
         else if( strcmp( p, "ecjpake_pw" ) == 0 )
             opt.ecjpake_pw = q;
+        else if( strcmp( p, "ec_max_ops" ) == 0 )
+            opt.ec_max_ops = atoi( q );
         else if( strcmp( p, "force_ciphersuite" ) == 0 )
         {
             opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id( q );
@@ -642,16 +752,23 @@ int main( int argc, char *argv[] )
         }
         else if( strcmp( p, "renegotiation" ) == 0 )
         {
-            opt.renegotiation = (atoi( q )) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED :
-                                              MBEDTLS_SSL_RENEGOTIATION_DISABLED;
+            opt.renegotiation = (atoi( q )) ?
+                MBEDTLS_SSL_RENEGOTIATION_ENABLED :
+                MBEDTLS_SSL_RENEGOTIATION_DISABLED;
         }
         else if( strcmp( p, "allow_legacy" ) == 0 )
         {
             switch( atoi( q ) )
             {
-                case -1: opt.allow_legacy = MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE; break;
-                case 0:  opt.allow_legacy = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION; break;
-                case 1:  opt.allow_legacy = MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION; break;
+                case -1:
+                    opt.allow_legacy = MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE;
+                    break;
+                case 0:
+                    opt.allow_legacy = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION;
+                    break;
+                case 1:
+                    opt.allow_legacy = MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION;
+                    break;
                 default: goto usage;
             }
         }
@@ -708,8 +825,12 @@ int main( int argc, char *argv[] )
         {
             switch( atoi( q ) )
             {
-                case 0: opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_DISABLED; break;
-                case 1: opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; break;
+                case 0:
+                    opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_DISABLED;
+                    break;
+                case 1:
+                    opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+                    break;
                 default: goto usage;
             }
         }
@@ -852,6 +973,21 @@ int main( int argc, char *argv[] )
             if( opt.hs_to_min == 0 || opt.hs_to_max < opt.hs_to_min )
                 goto usage;
         }
+        else if( strcmp( p, "mtu" ) == 0 )
+        {
+            opt.dtls_mtu = atoi( q );
+            if( opt.dtls_mtu < 0 )
+                goto usage;
+        }
+        else if( strcmp( p, "dgram_packing" ) == 0 )
+        {
+            opt.dgram_packing = atoi( q );
+            if( opt.dgram_packing != 0 &&
+                opt.dgram_packing != 1 )
+            {
+                goto usage;
+            }
+        }
         else if( strcmp( p, "recsplit" ) == 0 )
         {
             opt.recsplit = atoi( q );
@@ -864,10 +1000,23 @@ int main( int argc, char *argv[] )
             if( opt.dhmlen < 0 )
                 goto usage;
         }
+        else if( strcmp( p, "query_config" ) == 0 )
+        {
+            return query_config( q );
+        }
         else
             goto usage;
     }
 
+    /* Event-driven IO is incompatible with the above custom
+     * receive and send functions, as the polling builds on
+     * refers to the underlying net_context. */
+    if( opt.event == 1 && opt.nbio != 1 )
+    {
+        mbedtls_printf( "Warning: event-driven IO mandates nbio=1 - overwrite\n" );
+        opt.nbio = 1;
+    }
+
 #if defined(MBEDTLS_DEBUG_C)
     mbedtls_debug_set_threshold( opt.debug_level );
 #endif
@@ -875,19 +1024,20 @@ int main( int argc, char *argv[] )
     if( opt.force_ciphersuite[0] > 0 )
     {
         const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
-        ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
+        ciphersuite_info =
+            mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
 
         if( opt.max_version != -1 &&
             ciphersuite_info->min_minor_ver > opt.max_version )
         {
-            mbedtls_printf("forced ciphersuite not allowed with this protocol version\n");
+            mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
             ret = 2;
             goto usage;
         }
         if( opt.min_version != -1 &&
             ciphersuite_info->max_minor_ver < opt.min_version )
         {
-            mbedtls_printf("forced ciphersuite not allowed with this protocol version\n");
+            mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
             ret = 2;
             goto usage;
         }
@@ -913,7 +1063,7 @@ int main( int argc, char *argv[] )
         {
             if( opt.arc4 == MBEDTLS_SSL_ARC4_DISABLED )
             {
-                mbedtls_printf("forced RC4 ciphersuite with RC4 disabled\n");
+                mbedtls_printf( "forced RC4 ciphersuite with RC4 disabled\n" );
                 ret = 2;
                 goto usage;
             }
@@ -933,7 +1083,7 @@ int main( int argc, char *argv[] )
 
         if( strlen( opt.psk ) % 2 != 0 )
         {
-            mbedtls_printf("pre-shared key not valid hex\n");
+            mbedtls_printf( "pre-shared key not valid hex\n" );
             goto exit;
         }
 
@@ -950,7 +1100,7 @@ int main( int argc, char *argv[] )
                 c -= 'A' - 10;
             else
             {
-                mbedtls_printf("pre-shared key not valid hex\n");
+                mbedtls_printf( "pre-shared key not valid hex\n" );
                 goto exit;
             }
             psk[ j / 2 ] = c << 4;
@@ -964,7 +1114,7 @@ int main( int argc, char *argv[] )
                 c -= 'A' - 10;
             else
             {
-                mbedtls_printf("pre-shared key not valid hex\n");
+                mbedtls_printf( "pre-shared key not valid hex\n" );
                 goto exit;
             }
             psk[ j / 2 ] |= c;
@@ -1055,11 +1205,12 @@ int main( int argc, char *argv[] )
     fflush( stdout );
 
     mbedtls_entropy_init( &entropy );
-    if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
-                               (const unsigned char *) pers,
-                               strlen( pers ) ) ) != 0 )
+    if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func,
+                                       &entropy, (const unsigned char *) pers,
+                                       strlen( pers ) ) ) != 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_ctr_drbg_seed returned -0x%x\n", -ret );
+        mbedtls_printf( " failed\n  ! mbedtls_ctr_drbg_seed returned -0x%x\n",
+                        -ret );
         goto exit;
     }
 
@@ -1085,7 +1236,9 @@ int main( int argc, char *argv[] )
         ret = mbedtls_x509_crt_parse_file( &cacert, opt.ca_file );
     else
 #endif
-#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_PEM_PARSE_C)
+#if defined(MBEDTLS_CERTS_C)
+    {
+#if defined(MBEDTLS_PEM_PARSE_C)
         for( i = 0; mbedtls_test_cas[i] != NULL; i++ )
         {
             ret = mbedtls_x509_crt_parse( &cacert,
@@ -1094,19 +1247,27 @@ int main( int argc, char *argv[] )
             if( ret != 0 )
                 break;
         }
+        if( ret == 0 )
+#endif /* MBEDTLS_PEM_PARSE_C */
+        for( i = 0; mbedtls_test_cas_der[i] != NULL; i++ )
+        {
+            ret = mbedtls_x509_crt_parse_der( &cacert,
+                         (const unsigned char *) mbedtls_test_cas_der[i],
+                         mbedtls_test_cas_der_len[i] );
+            if( ret != 0 )
+                break;
+        }
+    }
 #else
     {
         ret = 1;
-#if !defined(MBEDTLS_CERTS_C)
         mbedtls_printf( "MBEDTLS_CERTS_C not defined." );
-#else
-        mbedtls_printf( "All test CRTs loaded via MBEDTLS_CERTS_C are PEM-encoded, but MBEDTLS_PEM_PARSE_C is disabled." );
     }
 #endif /* MBEDTLS_CERTS_C */
-#endif /* MBEDTLS_CERTS_C && MBEDTLS_PEM_PARSE_C */
     if( ret < 0 )
     {
-        mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
+        mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n",
+                        -ret );
         goto exit;
     }
 
@@ -1128,22 +1289,20 @@ int main( int argc, char *argv[] )
         ret = mbedtls_x509_crt_parse_file( &clicert, opt.crt_file );
     else
 #endif
-#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_PEM_PARSE_C)
-        ret = mbedtls_x509_crt_parse( &clicert, (const unsigned char *) mbedtls_test_cli_crt,
+#if defined(MBEDTLS_CERTS_C)
+        ret = mbedtls_x509_crt_parse( &clicert,
+                (const unsigned char *) mbedtls_test_cli_crt,
                 mbedtls_test_cli_crt_len );
 #else
     {
         ret = 1;
-#if !defined(MBEDTLS_CERTS_C)
         mbedtls_printf( "MBEDTLS_CERTS_C not defined." );
-#else
-        mbedtls_printf( "All test CRTs loaded via MBEDTLS_CERTS_C are PEM-encoded, but MBEDTLS_PEM_PARSE_C is disabled." );
     }
-#endif /* MBEDTLS_CERTS_C */
-#endif /* MBEDTLS_CERTS_C && MBEDTLS_PEM_PARSE_C */
+#endif
     if( ret != 0 )
     {
-        mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
+        mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n",
+                        -ret );
         goto exit;
     }
 
@@ -1155,22 +1314,20 @@ int main( int argc, char *argv[] )
         ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, "" );
     else
 #endif
-#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_PEM_PARSE_C)
-        ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_cli_key,
+#if defined(MBEDTLS_CERTS_C)
+        ret = mbedtls_pk_parse_key( &pkey,
+                (const unsigned char *) mbedtls_test_cli_key,
                 mbedtls_test_cli_key_len, NULL, 0 );
 #else
     {
         ret = 1;
-#if !defined(MBEDTLS_CERTS_C)
         mbedtls_printf( "MBEDTLS_CERTS_C not defined." );
-#else
-        mbedtls_printf( "All test keys loaded via MBEDTLS_CERTS_C are PEM-encoded, but MBEDTLS_PEM_PARSE_C is disabled." );
     }
-#endif /* MBEDTLS_CERTS_C */
-#endif /* MBEDTLS_CERTS_C && MBEDTLS_PEM_PARSE_C */
+#endif
     if( ret != 0 )
     {
-        mbedtls_printf( " failed\n  !  mbedtls_pk_parse_key returned -0x%x\n\n", -ret );
+        mbedtls_printf( " failed\n  !  mbedtls_pk_parse_key returned -0x%x\n\n",
+                        -ret );
         goto exit;
     }
 
@@ -1188,11 +1345,13 @@ int main( int argc, char *argv[] )
             opt.server_addr, opt.server_port );
     fflush( stdout );
 
-    if( ( ret = mbedtls_net_connect( &server_fd, opt.server_addr, opt.server_port,
-                             opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ?
-                             MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 )
+    if( ( ret = mbedtls_net_connect( &server_fd,
+                       opt.server_addr, opt.server_port,
+                       opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ?
+                       MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_net_connect returned -0x%x\n\n", -ret );
+        mbedtls_printf( " failed\n  ! mbedtls_net_connect returned -0x%x\n\n",
+                        -ret );
         goto exit;
     }
 
@@ -1202,7 +1361,8 @@ int main( int argc, char *argv[] )
         ret = mbedtls_net_set_block( &server_fd );
     if( ret != 0 )
     {
-        mbedtls_printf( " failed\n  ! net_set_(non)block() returned -0x%x\n\n", -ret );
+        mbedtls_printf( " failed\n  ! net_set_(non)block() returned -0x%x\n\n",
+                        -ret );
         goto exit;
     }
 
@@ -1219,7 +1379,8 @@ int main( int argc, char *argv[] )
                     opt.transport,
                     MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret );
+        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned -0x%x\n\n",
+                        -ret );
         goto exit;
     }
 
@@ -1242,13 +1403,18 @@ int main( int argc, char *argv[] )
 
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX )
-        mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max );
+        mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min,
+                                            opt.hs_to_max );
+
+    if( opt.dgram_packing != DFL_DGRAM_PACKING )
+        mbedtls_ssl_set_datagram_packing( &ssl, opt.dgram_packing );
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 
 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
     if( ( ret = mbedtls_ssl_conf_max_frag_len( &conf, opt.mfl_code ) ) != 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_max_frag_len returned %d\n\n", ret );
+        mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_max_frag_len returned %d\n\n",
+                        ret );
         goto exit;
     }
 #endif
@@ -1271,8 +1437,8 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
     if( opt.recsplit != DFL_RECSPLIT )
         mbedtls_ssl_conf_cbc_record_splitting( &conf, opt.recsplit
-                                    ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED
-                                    : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED );
+                                  ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED
+                                  : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED );
 #endif
 
 #if defined(MBEDTLS_DHM_C)
@@ -1284,7 +1450,8 @@ int main( int argc, char *argv[] )
     if( opt.alpn_string != NULL )
         if( ( ret = mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_alpn_protocols returned %d\n\n", ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_alpn_protocols returned %d\n\n",
+                            ret );
             goto exit;
         }
 #endif
@@ -1323,7 +1490,8 @@ int main( int argc, char *argv[] )
     {
         if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_own_cert returned %d\n\n",
+                            ret );
             goto exit;
         }
     }
@@ -1342,16 +1510,19 @@ int main( int argc, char *argv[] )
                              (const unsigned char *) opt.psk_identity,
                              strlen( opt.psk_identity ) ) ) != 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_psk returned %d\n\n", ret );
+        mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_psk returned %d\n\n",
+                        ret );
         goto exit;
     }
 #endif
 
     if( opt.min_version != DFL_MIN_VERSION )
-        mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version );
+        mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+                                      opt.min_version );
 
     if( opt.max_version != DFL_MAX_VERSION )
-        mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version );
+        mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+                                      opt.max_version );
 
 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
     if( opt.fallback != DFL_FALLBACK )
@@ -1360,14 +1531,16 @@ int main( int argc, char *argv[] )
 
     if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_ssl_setup returned -0x%x\n\n", -ret );
+        mbedtls_printf( " failed\n  ! mbedtls_ssl_setup returned -0x%x\n\n",
+                        -ret );
         goto exit;
     }
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
     if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
+        mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n",
+                        ret );
         goto exit;
     }
 #endif
@@ -1379,7 +1552,8 @@ int main( int argc, char *argv[] )
                         (const unsigned char *) opt.ecjpake_pw,
                                         strlen( opt.ecjpake_pw ) ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hs_ecjpake_password returned %d\n\n", ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hs_ecjpake_password returned %d\n\n",
+                            ret );
             goto exit;
         }
     }
@@ -1388,14 +1562,25 @@ int main( int argc, char *argv[] )
     if( opt.nbio == 2 )
         mbedtls_ssl_set_bio( &ssl, &server_fd, my_send, my_recv, NULL );
     else
-        mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv,
+        mbedtls_ssl_set_bio( &ssl, &server_fd,
+                             mbedtls_net_send, mbedtls_net_recv,
                              opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL );
 
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( opt.dtls_mtu != DFL_DTLS_MTU )
+        mbedtls_ssl_set_mtu( &ssl, opt.dtls_mtu );
+#endif
+
 #if defined(MBEDTLS_TIMING_C)
     mbedtls_ssl_set_timer_cb( &ssl, &timer, mbedtls_timing_set_delay,
                                             mbedtls_timing_get_delay );
 #endif
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( opt.ec_max_ops != DFL_EC_MAX_OPS )
+        mbedtls_ecp_set_max_ops( opt.ec_max_ops );
+#endif
+
     mbedtls_printf( " ok\n" );
 
     /*
@@ -1406,9 +1591,12 @@ int main( int argc, char *argv[] )
 
     while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
     {
-        if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+        if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
+            ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+            ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n", -ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n",
+                            -ret );
             if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
                 mbedtls_printf(
                     "    Unable to verify the server's certificate. "
@@ -1420,10 +1608,28 @@ int main( int argc, char *argv[] )
             mbedtls_printf( "\n" );
             goto exit;
         }
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+        if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
+            continue;
+#endif
+
+        /* For event-driven IO, wait for socket to become available */
+        if( opt.event == 1 /* level triggered IO */ )
+        {
+#if defined(MBEDTLS_TIMING_C)
+            ret = idle( &server_fd, &timer, ret );
+#else
+            ret = idle( &server_fd, ret );
+#endif
+            if( ret != 0 )
+                goto exit;
+        }
     }
 
     mbedtls_printf( " ok\n    [ Protocol is %s ]\n    [ Ciphersuite is %s ]\n",
-            mbedtls_ssl_get_version( &ssl ), mbedtls_ssl_get_ciphersuite( &ssl ) );
+                    mbedtls_ssl_get_version( &ssl ),
+                    mbedtls_ssl_get_ciphersuite( &ssl ) );
 
     if( ( ret = mbedtls_ssl_get_record_expansion( &ssl ) ) >= 0 )
         mbedtls_printf( "    [ Record expansion is %d ]\n", ret );
@@ -1451,7 +1657,8 @@ int main( int argc, char *argv[] )
 
         if( ( ret = mbedtls_ssl_get_session( &ssl, &saved_session ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_get_session returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_get_session returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
 
@@ -1470,7 +1677,8 @@ int main( int argc, char *argv[] )
 
         mbedtls_printf( " failed\n" );
 
-        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
+        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ),
+                                      "  ! ", flags );
 
         mbedtls_printf( "%s\n", vrfy_buf );
     }
@@ -1498,11 +1706,29 @@ int main( int argc, char *argv[] )
         while( ( ret = mbedtls_ssl_renegotiate( &ssl ) ) != 0 )
         {
             if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
-                ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+                ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+                ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
             {
-                mbedtls_printf( " failed\n  ! mbedtls_ssl_renegotiate returned %d\n\n", ret );
+                mbedtls_printf( " failed\n  ! mbedtls_ssl_renegotiate returned %d\n\n",
+                                ret );
                 goto exit;
             }
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+            if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
+                continue;
+#endif
+
+            /* For event-driven IO, wait for socket to become available */
+            if( opt.event == 1 /* level triggered IO */ )
+            {
+#if defined(MBEDTLS_TIMING_C)
+                idle( &server_fd, &timer, ret );
+#else
+                idle( &server_fd, ret );
+#endif
+            }
+
         }
         mbedtls_printf( " ok\n" );
     }
@@ -1553,11 +1779,23 @@ int main( int argc, char *argv[] )
                                               len - written ) ) < 0 )
             {
                 if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
-                    ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+                    ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+                    ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
                 {
-                    mbedtls_printf( " failed\n  ! mbedtls_ssl_write returned -0x%x\n\n", -ret );
+                    mbedtls_printf( " failed\n  ! mbedtls_ssl_write returned -0x%x\n\n",
+                                    -ret );
                     goto exit;
                 }
+
+                /* For event-driven IO, wait for socket to become available */
+                if( opt.event == 1 /* level triggered IO */ )
+                {
+#if defined(MBEDTLS_TIMING_C)
+                    idle( &server_fd, &timer, ret );
+#else
+                    idle( &server_fd, ret );
+#endif
+                }
             }
 
             frags++;
@@ -1567,13 +1805,34 @@ int main( int argc, char *argv[] )
     }
     else /* Not stream, so datagram */
     {
-        do ret = mbedtls_ssl_write( &ssl, buf, len );
-        while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
-               ret == MBEDTLS_ERR_SSL_WANT_WRITE );
+        while( 1 )
+        {
+            ret = mbedtls_ssl_write( &ssl, buf, len );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+            if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
+                continue;
+#endif
+
+            if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
+                ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+                break;
+
+            /* For event-driven IO, wait for socket to become available */
+            if( opt.event == 1 /* level triggered IO */ )
+            {
+#if defined(MBEDTLS_TIMING_C)
+                idle( &server_fd, &timer, ret );
+#else
+                idle( &server_fd, ret );
+#endif
+            }
+        }
 
         if( ret < 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_write returned %d\n\n", ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_write returned %d\n\n",
+                            ret );
             goto exit;
         }
 
@@ -1588,7 +1847,8 @@ int main( int argc, char *argv[] )
     }
 
     buf[written] = '\0';
-    mbedtls_printf( " %d bytes written in %d fragments\n\n%s\n", written, frags, (char *) buf );
+    mbedtls_printf( " %d bytes written in %d fragments\n\n%s\n",
+                    written, frags, (char *) buf );
 
     /* Send a non-empty request if request_size == 0 */
     if ( len == 0 )
@@ -1614,9 +1874,25 @@ int main( int argc, char *argv[] )
             memset( buf, 0, sizeof( buf ) );
             ret = mbedtls_ssl_read( &ssl, buf, len );
 
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+            if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
+                continue;
+#endif
+
             if( ret == MBEDTLS_ERR_SSL_WANT_READ ||
                 ret == MBEDTLS_ERR_SSL_WANT_WRITE )
+            {
+                /* For event-driven IO, wait for socket to become available */
+                if( opt.event == 1 /* level triggered IO */ )
+                {
+#if defined(MBEDTLS_TIMING_C)
+                    idle( &server_fd, &timer, ret );
+#else
+                    idle( &server_fd, ret );
+#endif
+                }
                 continue;
+            }
 
             if( ret <= 0 )
             {
@@ -1634,7 +1910,8 @@ int main( int argc, char *argv[] )
                         goto reconnect;
 
                     default:
-                        mbedtls_printf( " mbedtls_ssl_read returned -0x%x\n", -ret );
+                        mbedtls_printf( " mbedtls_ssl_read returned -0x%x\n",
+                                        -ret );
                         goto exit;
                 }
             }
@@ -1658,9 +1935,29 @@ int main( int argc, char *argv[] )
         len = sizeof( buf ) - 1;
         memset( buf, 0, sizeof( buf ) );
 
-        do ret = mbedtls_ssl_read( &ssl, buf, len );
-        while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
-               ret == MBEDTLS_ERR_SSL_WANT_WRITE );
+        while( 1 )
+        {
+            ret = mbedtls_ssl_read( &ssl, buf, len );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+            if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
+                continue;
+#endif
+
+            if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
+                ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+                break;
+
+            /* For event-driven IO, wait for socket to become available */
+            if( opt.event == 1 /* level triggered IO */ )
+            {
+#if defined(MBEDTLS_TIMING_C)
+                idle( &server_fd, &timer, ret );
+#else
+                idle( &server_fd, ret );
+#endif
+            }
+        }
 
         if( ret <= 0 )
         {
@@ -1701,18 +1998,31 @@ int main( int argc, char *argv[] )
 
         if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_session_reset returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_session_reset returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
 
         while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
         {
             if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
-                ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+                ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+                ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
             {
-                mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
+                mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n",
+                                -ret );
                 goto exit;
             }
+
+            /* For event-driven IO, wait for socket to become available */
+            if( opt.event == 1 /* level triggered IO */ )
+            {
+#if defined(MBEDTLS_TIMING_C)
+                idle( &server_fd, &timer, ret );
+#else
+                idle( &server_fd, ret );
+#endif
+            }
         }
 
         mbedtls_printf( " ok\n" );
@@ -1759,21 +2069,25 @@ int main( int argc, char *argv[] )
 
         if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_session_reset returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_session_reset returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
 
         if( ( ret = mbedtls_ssl_set_session( &ssl, &saved_session ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_session returned %d\n\n", ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_session returned %d\n\n",
+                            ret );
             goto exit;
         }
 
-        if( ( ret = mbedtls_net_connect( &server_fd, opt.server_addr, opt.server_port,
-                                 opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ?
-                                 MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 )
+        if( ( ret = mbedtls_net_connect( &server_fd,
+                        opt.server_addr, opt.server_port,
+                        opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ?
+                        MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_net_connect returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  ! mbedtls_net_connect returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
 
@@ -1784,16 +2098,18 @@ int main( int argc, char *argv[] )
         if( ret != 0 )
         {
             mbedtls_printf( " failed\n  ! net_set_(non)block() returned -0x%x\n\n",
-                    -ret );
+                            -ret );
             goto exit;
         }
 
         while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
         {
             if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
-                ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+                ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+                ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
             {
-                mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
+                mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n",
+                                -ret );
                 goto exit;
             }
         }
diff --git a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_fork_server.c b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_fork_server.c
index 1c3a80600c..b6f1cc4fdd 100644
--- a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_fork_server.c
+++ b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_fork_server.c
@@ -33,6 +33,7 @@
 #define mbedtls_fprintf         fprintf
 #define mbedtls_printf          printf
 #define mbedtls_time_t          time_t
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -86,6 +87,18 @@ int main( void )
 
 #define DEBUG_LEVEL 0
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 static void my_debug( void *ctx, int level,
                       const char *file, int line,
                       const char *str )
diff --git a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_mail_client.c b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_mail_client.c
index 8ec6079d59..c73297c2ab 100644
--- a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_mail_client.c
+++ b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_mail_client.c
@@ -19,6 +19,11 @@
  *  This file is part of mbed TLS (https://tls.mbed.org)
  */
 
+/* Enable definition of gethostname() even when compiling with -std=c99. Must
+ * be set before config.h, which pulls in glibc's features.h indirectly.
+ * Harmless on other platforms. */
+#define _POSIX_C_SOURCE 200112L
+
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "mbedtls/config.h"
 #else
@@ -34,6 +39,7 @@
 #define mbedtls_time_t          time_t
 #define mbedtls_fprintf         fprintf
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -136,6 +142,18 @@ int main( void )
     "    force_ciphersuite=<name>    default: all enabled\n"  \
     " acceptable ciphersuite names:\n"
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 /*
  * global options
  */
diff --git a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_pthread_server.c b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_pthread_server.c
index 9a05ad8fd3..b5026959a6 100644
--- a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_pthread_server.c
+++ b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_pthread_server.c
@@ -30,9 +30,13 @@
 #include "mbedtls/platform.h"
 #else
 #include <stdio.h>
+#include <stdlib.h>
 #define mbedtls_fprintf    fprintf
 #define mbedtls_printf     printf
 #define mbedtls_snprintf   snprintf
+#define mbedtls_exit            exit
+#define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif
 
 #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_CERTS_C) ||            \
@@ -77,6 +81,18 @@ int main( void )
 #include "mbedtls/memory_buffer_alloc.h"
 #endif
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 #define HTTP_RESPONSE \
     "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n" \
     "<h2>mbed TLS Test Server</h2>\r\n" \
diff --git a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_server.c b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_server.c
index dcdafbb869..1852b2badf 100644
--- a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_server.c
+++ b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_server.c
@@ -34,6 +34,9 @@
 #define mbedtls_time_t     time_t
 #define mbedtls_fprintf    fprintf
 #define mbedtls_printf     printf
+#define mbedtls_exit            exit
+#define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif
 
 #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_CERTS_C) ||    \
@@ -80,6 +83,18 @@ int main( void )
 
 #define DEBUG_LEVEL 0
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 static void my_debug( void *ctx, int level,
                       const char *file, int line,
                       const char *str )
diff --git a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_server2.c b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_server2.c
index ae57f1fda0..a4c5fab4b6 100644
--- a/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_server2.c
+++ b/3rdparty/mbedtls/mbedtls/programs/ssl/ssl_server2.c
@@ -36,6 +36,9 @@
 #define mbedtls_calloc    calloc
 #define mbedtls_fprintf    fprintf
 #define mbedtls_printf     printf
+#define mbedtls_exit            exit
+#define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif
 
 #if !defined(MBEDTLS_ENTROPY_C) || \
@@ -106,6 +109,7 @@ int main( void )
 #define DFL_RESPONSE_SIZE       -1
 #define DFL_DEBUG_LEVEL         0
 #define DFL_NBIO                0
+#define DFL_EVENT               0
 #define DFL_READ_TIMEOUT        0
 #define DFL_CA_FILE             ""
 #define DFL_CA_PATH             ""
@@ -113,6 +117,10 @@ int main( void )
 #define DFL_KEY_FILE            ""
 #define DFL_CRT_FILE2           ""
 #define DFL_KEY_FILE2           ""
+#define DFL_ASYNC_OPERATIONS    "-"
+#define DFL_ASYNC_PRIVATE_DELAY1 ( -1 )
+#define DFL_ASYNC_PRIVATE_DELAY2 ( -1 )
+#define DFL_ASYNC_PRIVATE_ERROR  ( 0 )
 #define DFL_PSK                 ""
 #define DFL_PSK_IDENTITY        "Client_identity"
 #define DFL_ECJPAKE_PW          NULL
@@ -146,7 +154,9 @@ int main( void )
 #define DFL_ANTI_REPLAY         -1
 #define DFL_HS_TO_MIN           0
 #define DFL_HS_TO_MAX           0
+#define DFL_DTLS_MTU            -1
 #define DFL_BADMAC_LIMIT        -1
+#define DFL_DGRAM_PACKING        1
 #define DFL_EXTENDED_MS         -1
 #define DFL_ETM                 -1
 
@@ -178,8 +188,10 @@ int main( void )
 #define USAGE_IO \
     "    ca_file=%%s          The single file containing the top-level CA(s) you fully trust\n" \
     "                        default: \"\" (pre-loaded)\n" \
+    "                        use \"none\" to skip loading any top-level CAs.\n" \
     "    ca_path=%%s          The path containing the top-level CA(s) you fully trust\n" \
     "                        default: \"\" (pre-loaded) (overrides ca_file)\n" \
+    "                        use \"none\" to skip loading any top-level CAs.\n" \
     "    crt_file=%%s         Your own cert and chain (in bottom to top order, top may be omitted)\n" \
     "                        default: see note after key_file2\n" \
     "    key_file=%%s         default: see note after key_file2\n" \
@@ -200,6 +212,18 @@ int main( void )
 #define USAGE_IO ""
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+#define USAGE_SSL_ASYNC \
+    "    async_operations=%%c...   d=decrypt, s=sign (default: -=off)\n" \
+    "    async_private_delay1=%%d  Asynchronous delay for key_file or preloaded key\n" \
+    "    async_private_delay2=%%d  Asynchronous delay for key_file2 and sni\n" \
+    "                              default: -1 (not asynchronous)\n" \
+    "    async_private_error=%%d   Async callback error injection (default=0=none,\n" \
+    "                              1=start, 2=cancel, 3=resume, negative=first time only)"
+#else
+#define USAGE_SSL_ASYNC ""
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
 #define USAGE_PSK                                                       \
     "    psk=%%s              default: \"\" (in hex, without 0x)\n"     \
@@ -291,7 +315,11 @@ int main( void )
 #define USAGE_DTLS \
     "    dtls=%%d             default: 0 (TLS)\n"                           \
     "    hs_timeout=%%d-%%d    default: (library default: 1000-60000)\n"    \
-    "                        range of DTLS handshake timeouts in millisecs\n"
+    "                        range of DTLS handshake timeouts in millisecs\n" \
+    "    mtu=%%d              default: (library default: unlimited)\n"  \
+    "    dgram_packing=%%d    default: 1 (allowed)\n"                   \
+    "                        allow or forbid packing of multiple\n" \
+    "                        records within a single datgram.\n"
 #else
 #define USAGE_DTLS ""
 #endif
@@ -351,6 +379,8 @@ int main( void )
     "                          increases buffer_size if bigger\n"\
     "    nbio=%%d             default: 0 (blocking I/O)\n"  \
     "                        options: 1 (non-blocking), 2 (added delays)\n" \
+    "    event=%%d            default: 0 (loop)\n"                            \
+    "                        options: 1 (level-triggered, implies nbio=1),\n" \
     "    read_timeout=%%d     default: 0 ms (no timeout)\n"    \
     "\n"                                                    \
     USAGE_DTLS                                              \
@@ -363,6 +393,7 @@ int main( void )
     "    cert_req_ca_list=%%d default: 1 (send ca list)\n"  \
     "                        options: 1 (send ca list), 0 (don't send)\n" \
     USAGE_IO                                                \
+    USAGE_SSL_ASYNC                                         \
     USAGE_SNI                                               \
     "\n"                                                    \
     USAGE_PSK                                               \
@@ -392,6 +423,10 @@ int main( void )
     "                                in order from ssl3 to tls1_2\n"    \
     "                                default: all enabled\n"            \
     "    force_ciphersuite=<name>    default: all enabled\n"            \
+    "    query_config=<name>         return 0 if the specified\n"       \
+    "                                configuration macro is defined and 1\n"  \
+    "                                otherwise. The expansion of the macro\n" \
+    "                                is printed if it is defined\n"     \
     " acceptable ciphersuite names:\n"
 
 
@@ -410,6 +445,18 @@ int main( void )
     (out_be)[(i) + 7] = (unsigned char)( ( (in_le) >> 0  ) & 0xFF );    \
 }
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 /*
  * global options
  */
@@ -419,6 +466,7 @@ struct options
     const char *server_port;    /* port on which the ssl service runs       */
     int debug_level;            /* level of debugging                       */
     int nbio;                   /* should I/O be blocking?                  */
+    int event;                  /* loop or event-driven IO? level or edge triggered? */
     uint32_t read_timeout;      /* timeout on mbedtls_ssl_read() in milliseconds    */
     int response_size;          /* pad response with header to requested size */
     uint16_t buffer_size;       /* IO buffer size */
@@ -428,6 +476,10 @@ struct options
     const char *key_file;       /* the file with the server key             */
     const char *crt_file2;      /* the file with the 2nd server certificate */
     const char *key_file2;      /* the file with the 2nd server key         */
+    const char *async_operations; /* supported SSL asynchronous operations  */
+    int async_private_delay1;   /* number of times f_async_resume needs to be called for key 1, or -1 for no async */
+    int async_private_delay2;   /* number of times f_async_resume needs to be called for key 2, or -1 for no async */
+    int async_private_error;    /* inject error in async private callback */
     const char *psk;            /* the pre-shared key                       */
     const char *psk_identity;   /* the pre-shared key identity              */
     char *psk_list;             /* list of PSK id/key pairs for callback    */
@@ -463,9 +515,13 @@ struct options
     int anti_replay;            /* Use anti-replay for DTLS? -1 for default */
     uint32_t hs_to_min;         /* Initial value of DTLS handshake timer    */
     uint32_t hs_to_max;         /* Max value of DTLS handshake timer        */
+    int dtls_mtu;               /* UDP Maximum tranport unit for DTLS       */
+    int dgram_packing;          /* allow/forbid datagram packing            */
     int badmac_limit;           /* Limit of records with bad MAC            */
 } opt;
 
+int query_config( const char *config );
+
 static void my_debug( void *ctx, int level,
                       const char *file, int line,
                       const char *str )
@@ -538,11 +594,14 @@ static int get_auth_mode( const char *s )
  * Used by sni_parse and psk_parse to handle coma-separated lists
  */
 #define GET_ITEM( dst )         \
-    dst = p;                    \
-    while( *p != ',' )          \
-        if( ++p > end )         \
-            goto error;         \
-    *p++ = '\0';
+    do                          \
+    {                           \
+        (dst) = p;              \
+        while( *p != ',' )      \
+            if( ++p > end )     \
+                goto error;     \
+        *p++ = '\0';            \
+    } while( 0 )
 
 #if defined(SNI_OPTION)
 typedef struct _sni_entry sni_entry;
@@ -706,15 +765,18 @@ int sni_callback( void *p_info, mbedtls_ssl_context *ssl,
 
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
 
-#define HEX2NUM( c )                    \
-        if( c >= '0' && c <= '9' )      \
-            c -= '0';                   \
-        else if( c >= 'a' && c <= 'f' ) \
-            c -= 'a' - 10;              \
-        else if( c >= 'A' && c <= 'F' ) \
-            c -= 'A' - 10;              \
-        else                            \
-            return( -1 );
+#define HEX2NUM( c )                        \
+    do                                      \
+    {                                       \
+        if( (c) >= '0' && (c) <= '9' )      \
+            (c) -= '0';                     \
+        else if( (c) >= 'a' && (c) <= 'f' ) \
+            (c) -= 'a' - 10;                \
+        else if( (c) >= 'A' && (c) <= 'F' ) \
+            (c) -= 'A' - 10;                \
+        else                                \
+            return( -1 );                   \
+    } while( 0 )
 
 /*
  * Convert a hex string to bytes.
@@ -866,6 +928,294 @@ static int ssl_sig_hashes_for_test[] = {
 };
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
+/** Return true if \p ret is a status code indicating that there is an
+ * operation in progress on an SSL connection, and false if it indicates
+ * success or a fatal error.
+ *
+ * The possible operations in progress are:
+ *
+ * - A read, when the SSL input buffer does not contain a full message.
+ * - A write, when the SSL output buffer contains some data that has not
+ *   been sent over the network yet.
+ * - An asynchronous callback that has not completed yet. */
+static int mbedtls_status_is_ssl_in_progress( int ret )
+{
+    return( ret == MBEDTLS_ERR_SSL_WANT_READ ||
+            ret == MBEDTLS_ERR_SSL_WANT_WRITE ||
+            ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+}
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+typedef struct
+{
+    mbedtls_x509_crt *cert; /*!< Certificate corresponding to the key */
+    mbedtls_pk_context *pk; /*!< Private key */
+    unsigned delay; /*!< Number of resume steps to go through */
+    unsigned pk_owned : 1; /*!< Whether to free the pk object on exit */
+} ssl_async_key_slot_t;
+
+typedef enum {
+    SSL_ASYNC_INJECT_ERROR_NONE = 0, /*!< Let the callbacks succeed */
+    SSL_ASYNC_INJECT_ERROR_START, /*!< Inject error during start */
+    SSL_ASYNC_INJECT_ERROR_CANCEL, /*!< Close the connection after async start */
+    SSL_ASYNC_INJECT_ERROR_RESUME, /*!< Inject error during resume */
+#define SSL_ASYNC_INJECT_ERROR_MAX SSL_ASYNC_INJECT_ERROR_RESUME
+} ssl_async_inject_error_t;
+
+typedef struct
+{
+    ssl_async_key_slot_t slots[4]; /* key, key2, sni1, sni2 */
+    size_t slots_used;
+    ssl_async_inject_error_t inject_error;
+    int (*f_rng)(void *, unsigned char *, size_t);
+    void *p_rng;
+} ssl_async_key_context_t;
+
+int ssl_async_set_key( ssl_async_key_context_t *ctx,
+                       mbedtls_x509_crt *cert,
+                       mbedtls_pk_context *pk,
+                       int pk_take_ownership,
+                       unsigned delay )
+{
+    if( ctx->slots_used >= sizeof( ctx->slots ) / sizeof( *ctx->slots ) )
+        return( -1 );
+    ctx->slots[ctx->slots_used].cert = cert;
+    ctx->slots[ctx->slots_used].pk = pk;
+    ctx->slots[ctx->slots_used].delay = delay;
+    ctx->slots[ctx->slots_used].pk_owned = pk_take_ownership;
+    ++ctx->slots_used;
+    return( 0 );
+}
+
+#define SSL_ASYNC_INPUT_MAX_SIZE 512
+
+typedef enum
+{
+    ASYNC_OP_SIGN,
+    ASYNC_OP_DECRYPT,
+} ssl_async_operation_type_t;
+/* Note that the enum above and the array below need to be kept in sync!
+ * `ssl_async_operation_names[op]` is the name of op for each value `op`
+ * of type `ssl_async_operation_type_t`. */
+static const char *const ssl_async_operation_names[] =
+{
+    "sign",
+    "decrypt",
+};
+
+typedef struct
+{
+    unsigned slot;
+    ssl_async_operation_type_t operation_type;
+    mbedtls_md_type_t md_alg;
+    unsigned char input[SSL_ASYNC_INPUT_MAX_SIZE];
+    size_t input_len;
+    unsigned remaining_delay;
+} ssl_async_operation_context_t;
+
+static int ssl_async_start( mbedtls_ssl_context *ssl,
+                            mbedtls_x509_crt *cert,
+                            ssl_async_operation_type_t op_type,
+                            mbedtls_md_type_t md_alg,
+                            const unsigned char *input,
+                            size_t input_len )
+{
+    ssl_async_key_context_t *config_data =
+        mbedtls_ssl_conf_get_async_config_data( ssl->conf );
+    unsigned slot;
+    ssl_async_operation_context_t *ctx = NULL;
+    const char *op_name = ssl_async_operation_names[op_type];
+
+    {
+        char dn[100];
+        if( mbedtls_x509_dn_gets( dn, sizeof( dn ), &cert->subject ) > 0 )
+            mbedtls_printf( "Async %s callback: looking for DN=%s\n",
+                            op_name, dn );
+    }
+
+    /* Look for a private key that matches the public key in cert.
+     * Since this test code has the private key inside Mbed TLS,
+     * we call mbedtls_pk_check_pair to match a private key with the
+     * public key. */
+    for( slot = 0; slot < config_data->slots_used; slot++ )
+    {
+        if( mbedtls_pk_check_pair( &cert->pk,
+                                   config_data->slots[slot].pk ) == 0 )
+            break;
+    }
+    if( slot == config_data->slots_used )
+    {
+        mbedtls_printf( "Async %s callback: no key matches this certificate.\n",
+                        op_name );
+        return( MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH );
+    }
+    mbedtls_printf( "Async %s callback: using key slot %u, delay=%u.\n",
+                    op_name, slot, config_data->slots[slot].delay );
+
+    if( config_data->inject_error == SSL_ASYNC_INJECT_ERROR_START )
+    {
+        mbedtls_printf( "Async %s callback: injected error\n", op_name );
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+    }
+
+    if( input_len > SSL_ASYNC_INPUT_MAX_SIZE )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    ctx = mbedtls_calloc( 1, sizeof( *ctx ) );
+    if( ctx == NULL )
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    ctx->slot = slot;
+    ctx->operation_type = op_type;
+    ctx->md_alg = md_alg;
+    memcpy( ctx->input, input, input_len );
+    ctx->input_len = input_len;
+    ctx->remaining_delay = config_data->slots[slot].delay;
+    mbedtls_ssl_set_async_operation_data( ssl, ctx );
+
+    if( ctx->remaining_delay == 0 )
+        return( 0 );
+    else
+        return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+}
+
+static int ssl_async_sign( mbedtls_ssl_context *ssl,
+                           mbedtls_x509_crt *cert,
+                           mbedtls_md_type_t md_alg,
+                           const unsigned char *hash,
+                           size_t hash_len )
+{
+    return( ssl_async_start( ssl, cert,
+                             ASYNC_OP_SIGN, md_alg,
+                             hash, hash_len ) );
+}
+
+static int ssl_async_decrypt( mbedtls_ssl_context *ssl,
+                              mbedtls_x509_crt *cert,
+                              const unsigned char *input,
+                              size_t input_len )
+{
+    return( ssl_async_start( ssl, cert,
+                             ASYNC_OP_DECRYPT, MBEDTLS_MD_NONE,
+                             input, input_len ) );
+}
+
+static int ssl_async_resume( mbedtls_ssl_context *ssl,
+                             unsigned char *output,
+                             size_t *output_len,
+                             size_t output_size )
+{
+    ssl_async_operation_context_t *ctx = mbedtls_ssl_get_async_operation_data( ssl );
+    ssl_async_key_context_t *config_data =
+        mbedtls_ssl_conf_get_async_config_data( ssl->conf );
+    ssl_async_key_slot_t *key_slot = &config_data->slots[ctx->slot];
+    int ret;
+    const char *op_name;
+
+    if( ctx->remaining_delay > 0 )
+    {
+        --ctx->remaining_delay;
+        mbedtls_printf( "Async resume (slot %u): call %u more times.\n",
+                        ctx->slot, ctx->remaining_delay );
+        return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+    }
+
+    switch( ctx->operation_type )
+    {
+        case ASYNC_OP_DECRYPT:
+            ret = mbedtls_pk_decrypt( key_slot->pk,
+                                      ctx->input, ctx->input_len,
+                                      output, output_len, output_size,
+                                      config_data->f_rng, config_data->p_rng );
+            break;
+        case ASYNC_OP_SIGN:
+            ret = mbedtls_pk_sign( key_slot->pk,
+                                   ctx->md_alg,
+                                   ctx->input, ctx->input_len,
+                                   output, output_len,
+                                   config_data->f_rng, config_data->p_rng );
+            break;
+        default:
+            mbedtls_printf( "Async resume (slot %u): unknown operation type %ld. This shouldn't happen.\n",
+                            ctx->slot, (long) ctx->operation_type );
+            mbedtls_free( ctx );
+            return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+            break;
+    }
+
+    op_name = ssl_async_operation_names[ctx->operation_type];
+
+    if( config_data->inject_error == SSL_ASYNC_INJECT_ERROR_RESUME )
+    {
+        mbedtls_printf( "Async resume callback: %s done but injected error\n",
+                        op_name );
+        mbedtls_free( ctx );
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+    }
+
+    mbedtls_printf( "Async resume (slot %u): %s done, status=%d.\n",
+                    ctx->slot, op_name, ret );
+    mbedtls_free( ctx );
+    return( ret );
+}
+
+static void ssl_async_cancel( mbedtls_ssl_context *ssl )
+{
+    ssl_async_operation_context_t *ctx = mbedtls_ssl_get_async_operation_data( ssl );
+    mbedtls_printf( "Async cancel callback.\n" );
+    mbedtls_free( ctx );
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+/*
+ * Wait for an event from the underlying transport or the timer
+ * (Used in event-driven IO mode).
+ */
+#if !defined(MBEDTLS_TIMING_C)
+int idle( mbedtls_net_context *fd,
+          int idle_reason )
+#else
+int idle( mbedtls_net_context *fd,
+          mbedtls_timing_delay_context *timer,
+          int idle_reason )
+#endif
+{
+    int ret;
+    int poll_type = 0;
+
+    if( idle_reason == MBEDTLS_ERR_SSL_WANT_WRITE )
+        poll_type = MBEDTLS_NET_POLL_WRITE;
+    else if( idle_reason == MBEDTLS_ERR_SSL_WANT_READ )
+        poll_type = MBEDTLS_NET_POLL_READ;
+#if !defined(MBEDTLS_TIMING_C)
+    else
+        return( 0 );
+#endif
+
+    while( 1 )
+    {
+        /* Check if timer has expired */
+#if defined(MBEDTLS_TIMING_C)
+        if( timer != NULL &&
+            mbedtls_timing_get_delay( timer ) == 2 )
+        {
+            break;
+        }
+#endif /* MBEDTLS_TIMING_C */
+
+        /* Check if underlying transport became available */
+        if( poll_type != 0 )
+        {
+            ret = mbedtls_net_poll( fd, poll_type, 0 );
+            if( ret < 0 )
+                return( ret );
+            if( ret == poll_type )
+                break;
+        }
+    }
+
+    return( 0 );
+}
+
 int main( int argc, char *argv[] )
 {
     int ret = 0, len, written, frags, exchanges_left;
@@ -904,7 +1254,10 @@ int main( int argc, char *argv[] )
     mbedtls_x509_crt srvcert2;
     mbedtls_pk_context pkey2;
     int key_cert_init = 0, key_cert_init2 = 0;
-#endif
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    ssl_async_key_context_t ssl_async_keys;
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
     mbedtls_dhm_context dhm;
 #endif
@@ -950,6 +1303,9 @@ int main( int argc, char *argv[] )
     mbedtls_pk_init( &pkey );
     mbedtls_x509_crt_init( &srvcert2 );
     mbedtls_pk_init( &pkey2 );
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    memset( &ssl_async_keys, 0, sizeof( ssl_async_keys ) );
+#endif
 #endif
 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
     mbedtls_dhm_init( &dhm );
@@ -999,6 +1355,7 @@ int main( int argc, char *argv[] )
     opt.server_addr         = DFL_SERVER_ADDR;
     opt.server_port         = DFL_SERVER_PORT;
     opt.debug_level         = DFL_DEBUG_LEVEL;
+    opt.event               = DFL_EVENT;
     opt.response_size       = DFL_RESPONSE_SIZE;
     opt.nbio                = DFL_NBIO;
     opt.read_timeout        = DFL_READ_TIMEOUT;
@@ -1008,6 +1365,10 @@ int main( int argc, char *argv[] )
     opt.key_file            = DFL_KEY_FILE;
     opt.crt_file2           = DFL_CRT_FILE2;
     opt.key_file2           = DFL_KEY_FILE2;
+    opt.async_operations    = DFL_ASYNC_OPERATIONS;
+    opt.async_private_delay1 = DFL_ASYNC_PRIVATE_DELAY1;
+    opt.async_private_delay2 = DFL_ASYNC_PRIVATE_DELAY2;
+    opt.async_private_error = DFL_ASYNC_PRIVATE_ERROR;
     opt.psk                 = DFL_PSK;
     opt.psk_identity        = DFL_PSK_IDENTITY;
     opt.psk_list            = DFL_PSK_LIST;
@@ -1041,6 +1402,8 @@ int main( int argc, char *argv[] )
     opt.anti_replay         = DFL_ANTI_REPLAY;
     opt.hs_to_min           = DFL_HS_TO_MIN;
     opt.hs_to_max           = DFL_HS_TO_MAX;
+    opt.dtls_mtu            = DFL_DTLS_MTU;
+    opt.dgram_packing       = DFL_DGRAM_PACKING;
     opt.badmac_limit        = DFL_BADMAC_LIMIT;
     opt.extended_ms         = DFL_EXTENDED_MS;
     opt.etm                 = DFL_ETM;
@@ -1078,6 +1441,12 @@ int main( int argc, char *argv[] )
             if( opt.nbio < 0 || opt.nbio > 2 )
                 goto usage;
         }
+        else if( strcmp( p, "event" ) == 0 )
+        {
+            opt.event = atoi( q );
+            if( opt.event < 0 || opt.event > 2 )
+                goto usage;
+        }
         else if( strcmp( p, "read_timeout" ) == 0 )
             opt.read_timeout = atoi( q );
         else if( strcmp( p, "buffer_size" ) == 0 )
@@ -1108,6 +1477,25 @@ int main( int argc, char *argv[] )
             opt.key_file2 = q;
         else if( strcmp( p, "dhm_file" ) == 0 )
             opt.dhm_file = q;
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+        else if( strcmp( p, "async_operations" ) == 0 )
+            opt.async_operations = q;
+        else if( strcmp( p, "async_private_delay1" ) == 0 )
+            opt.async_private_delay1 = atoi( q );
+        else if( strcmp( p, "async_private_delay2" ) == 0 )
+            opt.async_private_delay2 = atoi( q );
+        else if( strcmp( p, "async_private_error" ) == 0 )
+        {
+            int n = atoi( q );
+            if( n < -SSL_ASYNC_INJECT_ERROR_MAX ||
+                n > SSL_ASYNC_INJECT_ERROR_MAX )
+            {
+                ret = 2;
+                goto usage;
+            }
+            opt.async_private_error = n;
+        }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
         else if( strcmp( p, "psk" ) == 0 )
             opt.psk = q;
         else if( strcmp( p, "psk_identity" ) == 0 )
@@ -1133,16 +1521,23 @@ int main( int argc, char *argv[] )
             opt.version_suites = q;
         else if( strcmp( p, "renegotiation" ) == 0 )
         {
-            opt.renegotiation = (atoi( q )) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED :
-                                              MBEDTLS_SSL_RENEGOTIATION_DISABLED;
+            opt.renegotiation = (atoi( q )) ?
+                MBEDTLS_SSL_RENEGOTIATION_ENABLED :
+                MBEDTLS_SSL_RENEGOTIATION_DISABLED;
         }
         else if( strcmp( p, "allow_legacy" ) == 0 )
         {
             switch( atoi( q ) )
             {
-                case -1: opt.allow_legacy = MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE; break;
-                case 0:  opt.allow_legacy = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION; break;
-                case 1:  opt.allow_legacy = MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION; break;
+                case -1:
+                    opt.allow_legacy = MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE;
+                    break;
+                case 0:
+                    opt.allow_legacy = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION;
+                    break;
+                case 1:
+                    opt.allow_legacy = MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION;
+                    break;
                 default: goto usage;
             }
         }
@@ -1299,8 +1694,12 @@ int main( int argc, char *argv[] )
         {
             switch( atoi( q ) )
             {
-                case 0: opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_DISABLED; break;
-                case 1: opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; break;
+                case 0:
+                    opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_DISABLED;
+                    break;
+                case 1:
+                    opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+                    break;
                 default: goto usage;
             }
         }
@@ -1365,14 +1764,42 @@ int main( int argc, char *argv[] )
             if( opt.hs_to_min == 0 || opt.hs_to_max < opt.hs_to_min )
                 goto usage;
         }
+        else if( strcmp( p, "mtu" ) == 0 )
+        {
+            opt.dtls_mtu = atoi( q );
+            if( opt.dtls_mtu < 0 )
+                goto usage;
+        }
+        else if( strcmp( p, "dgram_packing" ) == 0 )
+        {
+            opt.dgram_packing = atoi( q );
+            if( opt.dgram_packing != 0 &&
+                opt.dgram_packing != 1 )
+            {
+                goto usage;
+            }
+        }
         else if( strcmp( p, "sni" ) == 0 )
         {
             opt.sni = q;
         }
+        else if( strcmp( p, "query_config" ) == 0 )
+        {
+            return query_config( q );
+        }
         else
             goto usage;
     }
 
+    /* Event-driven IO is incompatible with the above custom
+     * receive and send functions, as the polling builds on
+     * refers to the underlying net_context. */
+    if( opt.event == 1 && opt.nbio != 1 )
+    {
+        mbedtls_printf( "Warning: event-driven IO mandates nbio=1 - overwrite\n" );
+        opt.nbio = 1;
+    }
+
 #if defined(MBEDTLS_DEBUG_C)
     mbedtls_debug_set_threshold( opt.debug_level );
 #endif
@@ -1387,19 +1814,20 @@ int main( int argc, char *argv[] )
     if( opt.force_ciphersuite[0] > 0 )
     {
         const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
-        ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
+        ciphersuite_info =
+            mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
 
         if( opt.max_version != -1 &&
             ciphersuite_info->min_minor_ver > opt.max_version )
         {
-            mbedtls_printf("forced ciphersuite not allowed with this protocol version\n");
+            mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
             ret = 2;
             goto usage;
         }
         if( opt.min_version != -1 &&
             ciphersuite_info->max_minor_ver < opt.min_version )
         {
-            mbedtls_printf("forced ciphersuite not allowed with this protocol version\n");
+            mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
             ret = 2;
             goto usage;
         }
@@ -1578,11 +2006,12 @@ int main( int argc, char *argv[] )
     fflush( stdout );
 
     mbedtls_entropy_init( &entropy );
-    if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
-                               (const unsigned char *) pers,
-                               strlen( pers ) ) ) != 0 )
+    if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func,
+                                       &entropy, (const unsigned char *) pers,
+                                       strlen( pers ) ) ) != 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_ctr_drbg_seed returned -0x%x\n", -ret );
+        mbedtls_printf( " failed\n  ! mbedtls_ctr_drbg_seed returned -0x%x\n",
+                        -ret );
         goto exit;
     }
 
@@ -1608,7 +2037,9 @@ int main( int argc, char *argv[] )
         ret = mbedtls_x509_crt_parse_file( &cacert, opt.ca_file );
     else
 #endif
-#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_PEM_PARSE_C)
+#if defined(MBEDTLS_CERTS_C)
+    {
+#if defined(MBEDTLS_PEM_PARSE_C)
         for( i = 0; mbedtls_test_cas[i] != NULL; i++ )
         {
             ret = mbedtls_x509_crt_parse( &cacert,
@@ -1617,16 +2048,23 @@ int main( int argc, char *argv[] )
             if( ret != 0 )
                 break;
         }
+        if( ret == 0 )
+#endif /* MBEDTLS_PEM_PARSE_C */
+        for( i = 0; mbedtls_test_cas_der[i] != NULL; i++ )
+        {
+            ret = mbedtls_x509_crt_parse_der( &cacert,
+                         (const unsigned char *) mbedtls_test_cas_der[i],
+                         mbedtls_test_cas_der_len[i] );
+            if( ret != 0 )
+                break;
+        }
+    }
 #else
     {
         ret = 1;
-#if !defined(MBEDTLS_CERTS_C)
         mbedtls_printf( "MBEDTLS_CERTS_C not defined." );
-#else
-        mbedtls_printf( "All test CRTs loaded via MBEDTLS_CERTS_C are PEM-encoded, but MBEDTLS_PEM_PARSE_C is disabled." );
     }
 #endif /* MBEDTLS_CERTS_C */
-#endif /* MBEDTLS_CERTS_C && MBEDTLS_PEM_PARSE_C */
     if( ret < 0 )
     {
         mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
@@ -1683,7 +2121,7 @@ int main( int argc, char *argv[] )
         if( ( ret = mbedtls_pk_parse_keyfile( &pkey2, opt.key_file2, "" ) ) != 0 )
         {
             mbedtls_printf( " failed\n  !  mbedtls_pk_parse_keyfile(2) returned -0x%x\n\n",
-                    -ret );
+                            -ret );
             goto exit;
         }
     }
@@ -1701,8 +2139,7 @@ int main( int argc, char *argv[] )
         strcmp( opt.key_file2, "none" ) != 0 )
     {
 #if !defined(MBEDTLS_CERTS_C)
-        mbedtls_printf( "Not certificated or key provided, and \n"
-                "MBEDTLS_CERTS_C not defined!\n" );
+        mbedtls_printf( "Not certificated or key provided, and \nMBEDTLS_CERTS_C not defined!\n" );
         goto exit;
 #else
 #if defined(MBEDTLS_RSA_C)
@@ -1710,14 +2147,16 @@ int main( int argc, char *argv[] )
                                     (const unsigned char *) mbedtls_test_srv_crt_rsa,
                                     mbedtls_test_srv_crt_rsa_len ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
         if( ( ret = mbedtls_pk_parse_key( &pkey,
                                   (const unsigned char *) mbedtls_test_srv_key_rsa,
                                   mbedtls_test_srv_key_rsa_len, NULL, 0 ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  !  mbedtls_pk_parse_key returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  !  mbedtls_pk_parse_key returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
         key_cert_init = 2;
@@ -1727,14 +2166,16 @@ int main( int argc, char *argv[] )
                                     (const unsigned char *) mbedtls_test_srv_crt_ec,
                                     mbedtls_test_srv_crt_ec_len ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  !  x509_crt_parse2 returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  !  x509_crt_parse2 returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
         if( ( ret = mbedtls_pk_parse_key( &pkey2,
                                   (const unsigned char *) mbedtls_test_srv_key_ec,
                                   mbedtls_test_srv_key_ec_len, NULL, 0 ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  !  pk_parse_key2 returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  !  pk_parse_key2 returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
         key_cert_init2 = 2;
@@ -1833,6 +2274,9 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX )
         mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max );
+
+    if( opt.dgram_packing != DFL_DGRAM_PACKING )
+        mbedtls_ssl_set_datagram_packing( &ssl, opt.dgram_packing );
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 
 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
@@ -1988,22 +2432,109 @@ int main( int argc, char *argv[] )
         mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
     }
     if( key_cert_init )
-        if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
+    {
+        mbedtls_pk_context *pk = &pkey;
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+        if( opt.async_private_delay1 >= 0 )
+        {
+            ret = ssl_async_set_key( &ssl_async_keys, &srvcert, pk, 0,
+                                     opt.async_private_delay1 );
+            if( ret < 0 )
+            {
+                mbedtls_printf( "  Test error: ssl_async_set_key failed (%d)\n",
+                                ret );
+                goto exit;
+            }
+            pk = NULL;
+        }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+        if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, pk ) ) != 0 )
         {
             mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
             goto exit;
         }
+    }
     if( key_cert_init2 )
-        if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert2, &pkey2 ) ) != 0 )
+    {
+        mbedtls_pk_context *pk = &pkey2;
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+        if( opt.async_private_delay2 >= 0 )
+        {
+            ret = ssl_async_set_key( &ssl_async_keys, &srvcert2, pk, 0,
+                                     opt.async_private_delay2 );
+            if( ret < 0 )
+            {
+                mbedtls_printf( "  Test error: ssl_async_set_key failed (%d)\n",
+                                ret );
+                goto exit;
+            }
+            pk = NULL;
+        }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+        if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert2, pk ) ) != 0 )
         {
             mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
             goto exit;
         }
-#endif
+    }
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    if( opt.async_operations[0] != '-' )
+    {
+        mbedtls_ssl_async_sign_t *sign = NULL;
+        mbedtls_ssl_async_decrypt_t *decrypt = NULL;
+        const char *r;
+        for( r = opt.async_operations; *r; r++ )
+        {
+            switch( *r )
+            {
+            case 'd':
+                decrypt = ssl_async_decrypt;
+                break;
+            case 's':
+                sign = ssl_async_sign;
+                break;
+            }
+        }
+        ssl_async_keys.inject_error = ( opt.async_private_error < 0 ?
+                                        - opt.async_private_error :
+                                        opt.async_private_error );
+        ssl_async_keys.f_rng = mbedtls_ctr_drbg_random;
+        ssl_async_keys.p_rng = &ctr_drbg;
+        mbedtls_ssl_conf_async_private_cb( &conf,
+                                           sign,
+                                           decrypt,
+                                           ssl_async_resume,
+                                           ssl_async_cancel,
+                                           &ssl_async_keys );
+    }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(SNI_OPTION)
     if( opt.sni != NULL )
+    {
         mbedtls_ssl_conf_sni( &conf, sni_callback, sni_info );
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+        if( opt.async_private_delay2 >= 0 )
+        {
+            sni_entry *cur;
+            for( cur = sni_info; cur != NULL; cur = cur->next )
+            {
+                ret = ssl_async_set_key( &ssl_async_keys,
+                                         cur->cert, cur->key, 1,
+                                         opt.async_private_delay2 );
+                if( ret < 0 )
+                {
+                    mbedtls_printf( "  Test error: ssl_async_set_key failed (%d)\n",
+                                    ret );
+                    goto exit;
+                }
+                cur->key = NULL;
+            }
+        }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+    }
 #endif
 
 #if defined(MBEDTLS_ECP_C)
@@ -2064,6 +2595,11 @@ int main( int argc, char *argv[] )
         mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv,
                              opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL );
 
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( opt.dtls_mtu != DFL_DTLS_MTU )
+        mbedtls_ssl_set_mtu( &ssl, opt.dtls_mtu );
+#endif
+
 #if defined(MBEDTLS_TIMING_C)
     mbedtls_ssl_set_timer_cb( &ssl, &timer, mbedtls_timing_set_delay,
                                             mbedtls_timing_get_delay );
@@ -2144,8 +2680,8 @@ int main( int argc, char *argv[] )
         if( ( ret = mbedtls_ssl_set_client_transport_id( &ssl,
                         client_ip, cliip_len ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! "
-                    "mbedtls_ssl_set_client_transport_id() returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_set_client_transport_id() returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
     }
@@ -2173,9 +2709,32 @@ int main( int argc, char *argv[] )
     mbedtls_printf( "  . Performing the SSL/TLS handshake..." );
     fflush( stdout );
 
-    do ret = mbedtls_ssl_handshake( &ssl );
-    while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
-           ret == MBEDTLS_ERR_SSL_WANT_WRITE );
+    while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
+    {
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+        if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS &&
+            ssl_async_keys.inject_error == SSL_ASYNC_INJECT_ERROR_CANCEL )
+        {
+            mbedtls_printf( " cancelling on injected error\n" );
+            break;
+        }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+        if( ! mbedtls_status_is_ssl_in_progress( ret ) )
+            break;
+
+        /* For event-driven IO, wait for socket to become available */
+        if( opt.event == 1 /* level triggered IO */ )
+        {
+#if defined(MBEDTLS_TIMING_C)
+            ret = idle( &client_fd, &timer, ret );
+#else
+            ret = idle( &client_fd, ret );
+#endif
+            if( ret != 0 )
+                goto reset;
+        }
+    }
 
     if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
     {
@@ -2199,6 +2758,11 @@ int main( int argc, char *argv[] )
         }
 #endif
 
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+        if( opt.async_private_error < 0 )
+            /* Injected error only the first time round, to test reset */
+            ssl_async_keys.inject_error = SSL_ASYNC_INJECT_ERROR_NONE;
+#endif
         goto reset;
     }
     else /* ret == 0 */
@@ -2279,9 +2843,19 @@ int main( int argc, char *argv[] )
             memset( buf, 0, opt.buffer_size );
             ret = mbedtls_ssl_read( &ssl, buf, len );
 
-            if( ret == MBEDTLS_ERR_SSL_WANT_READ ||
-                ret == MBEDTLS_ERR_SSL_WANT_WRITE )
+            if( mbedtls_status_is_ssl_in_progress( ret ) )
+            {
+                if( opt.event == 1 /* level triggered IO */ )
+                {
+#if defined(MBEDTLS_TIMING_C)
+                    idle( &client_fd, &timer, ret );
+#else
+                    idle( &client_fd, ret );
+#endif
+                }
+
                 continue;
+            }
 
             if( ret <= 0 )
             {
@@ -2369,9 +2943,38 @@ int main( int argc, char *argv[] )
         len = opt.buffer_size - 1;
         memset( buf, 0, opt.buffer_size );
 
-        do ret = mbedtls_ssl_read( &ssl, buf, len );
-        while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
-               ret == MBEDTLS_ERR_SSL_WANT_WRITE );
+        do
+        {
+            /* Without the call to `mbedtls_ssl_check_pending`, it might
+             * happen that the client sends application data in the same
+             * datagram as the Finished message concluding the handshake.
+             * In this case, the application data would be ready to be
+             * processed while the underlying transport wouldn't signal
+             * any further incoming data.
+             *
+             * See the test 'Event-driven I/O: session-id resume, UDP packing'
+             * in tests/ssl-opt.sh.
+             */
+
+            /* For event-driven IO, wait for socket to become available */
+            if( mbedtls_ssl_check_pending( &ssl ) == 0 &&
+                opt.event == 1 /* level triggered IO */ )
+            {
+#if defined(MBEDTLS_TIMING_C)
+                idle( &client_fd, &timer, MBEDTLS_ERR_SSL_WANT_READ );
+#else
+                idle( &client_fd, MBEDTLS_ERR_SSL_WANT_READ );
+#endif
+            }
+
+            ret = mbedtls_ssl_read( &ssl, buf, len );
+
+            /* Note that even if `mbedtls_ssl_check_pending` returns true,
+             * it can happen that the subsequent call to `mbedtls_ssl_read`
+             * returns `MBEDTLS_ERR_SSL_WANT_READ`, because the pending messages
+             * might be discarded (e.g. because they are retransmissions). */
+        }
+        while( mbedtls_status_is_ssl_in_progress( ret ) );
 
         if( ret <= 0 )
         {
@@ -2406,12 +3009,21 @@ int main( int argc, char *argv[] )
 
         while( ( ret = mbedtls_ssl_renegotiate( &ssl ) ) != 0 )
         {
-            if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
-                ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+            if( ! mbedtls_status_is_ssl_in_progress( ret ) )
             {
                 mbedtls_printf( " failed\n  ! mbedtls_ssl_renegotiate returned %d\n\n", ret );
                 goto reset;
             }
+
+            /* For event-driven IO, wait for socket to become available */
+            if( opt.event == 1 /* level triggered IO */ )
+            {
+#if defined(MBEDTLS_TIMING_C)
+                idle( &client_fd, &timer, ret );
+#else
+                idle( &client_fd, ret );
+#endif
+            }
         }
 
         mbedtls_printf( " ok\n" );
@@ -2459,20 +3071,43 @@ int main( int argc, char *argv[] )
                     goto reset;
                 }
 
-                if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
-                    ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+                if( ! mbedtls_status_is_ssl_in_progress( ret ) )
                 {
                     mbedtls_printf( " failed\n  ! mbedtls_ssl_write returned %d\n\n", ret );
                     goto reset;
                 }
+
+                /* For event-driven IO, wait for socket to become available */
+                if( opt.event == 1 /* level triggered IO */ )
+                {
+#if defined(MBEDTLS_TIMING_C)
+                    idle( &client_fd, &timer, ret );
+#else
+                    idle( &client_fd, ret );
+#endif
+                }
             }
         }
     }
     else /* Not stream, so datagram */
     {
-        do ret = mbedtls_ssl_write( &ssl, buf, len );
-        while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
-               ret == MBEDTLS_ERR_SSL_WANT_WRITE );
+        while( 1 )
+        {
+            ret = mbedtls_ssl_write( &ssl, buf, len );
+
+            if( ! mbedtls_status_is_ssl_in_progress( ret ) )
+                break;
+
+            /* For event-driven IO, wait for socket to become available */
+            if( opt.event == 1 /* level triggered IO */ )
+            {
+#if defined(MBEDTLS_TIMING_C)
+                idle( &client_fd, &timer, ret );
+#else
+                idle( &client_fd, ret );
+#endif
+            }
+        }
 
         if( ret < 0 )
         {
@@ -2538,6 +3173,17 @@ int main( int argc, char *argv[] )
     mbedtls_x509_crt_free( &srvcert2 );
     mbedtls_pk_free( &pkey2 );
 #endif
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    for( i = 0; (size_t) i < ssl_async_keys.slots_used; i++ )
+    {
+        if( ssl_async_keys.slots[i].pk_owned )
+        {
+            mbedtls_pk_free( ssl_async_keys.slots[i].pk );
+            mbedtls_free( ssl_async_keys.slots[i].pk );
+            ssl_async_keys.slots[i].pk = NULL;
+        }
+    }
+#endif
 #if defined(SNI_OPTION)
     sni_free( sni_info );
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/programs/test/CMakeLists.txt b/3rdparty/mbedtls/mbedtls/programs/test/CMakeLists.txt
index 64b963719a..282ef58aaf 100644
--- a/3rdparty/mbedtls/mbedtls/programs/test/CMakeLists.txt
+++ b/3rdparty/mbedtls/mbedtls/programs/test/CMakeLists.txt
@@ -16,10 +16,21 @@ target_link_libraries(selftest ${libs})
 add_executable(benchmark benchmark.c)
 target_link_libraries(benchmark ${libs})
 
+if(TEST_CPP)
+    add_executable(cpp_dummy_build cpp_dummy_build.cpp)
+    target_link_libraries(cpp_dummy_build ${libs})
+endif()
 
 add_executable(udp_proxy udp_proxy.c)
 target_link_libraries(udp_proxy ${libs})
 
-install(TARGETS selftest benchmark udp_proxy
+add_executable(zeroize zeroize.c)
+target_link_libraries(zeroize ${libs})
+
+add_executable(query_compile_time_config query_compile_time_config.c)
+target_sources(query_compile_time_config PUBLIC ../ssl/query_config.c)
+target_link_libraries(query_compile_time_config ${libs})
+
+install(TARGETS selftest benchmark udp_proxy query_compile_time_config
         DESTINATION "bin"
         PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
diff --git a/3rdparty/mbedtls/mbedtls/programs/test/benchmark.c b/3rdparty/mbedtls/mbedtls/programs/test/benchmark.c
index 20e3c2e391..e31faafeb3 100644
--- a/3rdparty/mbedtls/mbedtls/programs/test/benchmark.c
+++ b/3rdparty/mbedtls/mbedtls/programs/test/benchmark.c
@@ -29,10 +29,14 @@
 #include "mbedtls/platform.h"
 #else
 #include <stdio.h>
+#include <stdlib.h>
 #define mbedtls_exit       exit
 #define mbedtls_printf     printf
 #define mbedtls_snprintf   snprintf
 #define mbedtls_free       free
+#define mbedtls_exit            exit
+#define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif
 
 #if !defined(MBEDTLS_TIMING_C)
@@ -54,21 +58,29 @@ int main( void )
 #include "mbedtls/sha1.h"
 #include "mbedtls/sha256.h"
 #include "mbedtls/sha512.h"
+
 #include "mbedtls/arc4.h"
 #include "mbedtls/des.h"
 #include "mbedtls/aes.h"
+#include "mbedtls/aria.h"
 #include "mbedtls/blowfish.h"
 #include "mbedtls/camellia.h"
+#include "mbedtls/chacha20.h"
 #include "mbedtls/gcm.h"
 #include "mbedtls/ccm.h"
+#include "mbedtls/chachapoly.h"
 #include "mbedtls/cmac.h"
+#include "mbedtls/poly1305.h"
+
 #include "mbedtls/havege.h"
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/hmac_drbg.h"
+
 #include "mbedtls/rsa.h"
 #include "mbedtls/dhm.h"
 #include "mbedtls/ecdsa.h"
 #include "mbedtls/ecdh.h"
+
 #include "mbedtls/error.h"
 
 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
@@ -93,8 +105,9 @@ int main( void )
 
 #define OPTIONS                                                         \
     "md4, md5, ripemd160, sha1, sha256, sha512,\n"                      \
-    "arc4, des3, des, camellia, blowfish,\n"                            \
-    "aes_cbc, aes_gcm, aes_ccm, aes_cmac, des3_cmac,\n"                 \
+    "arc4, des3, des, camellia, blowfish, chacha20,\n"                  \
+    "aes_cbc, aes_gcm, aes_ccm, aes_ctx, chachapoly,\n"                 \
+    "aes_cmac, des3_cmac, poly1305\n"                                   \
     "havege, ctr_drbg, hmac_drbg\n"                                     \
     "rsa, dhm, ecdsa, ecdh.\n"
 
@@ -110,25 +123,34 @@ int main( void )
 #define TIME_AND_TSC( TITLE, CODE )                                     \
 do {                                                                    \
     unsigned long ii, jj, tsc;                                          \
+    int ret = 0;                                                        \
                                                                         \
     mbedtls_printf( HEADER_FORMAT, TITLE );                             \
     fflush( stdout );                                                   \
                                                                         \
     mbedtls_set_alarm( 1 );                                             \
-    for( ii = 1; ! mbedtls_timing_alarmed; ii++ )                       \
+    for( ii = 1; ret == 0 && ! mbedtls_timing_alarmed; ii++ )           \
     {                                                                   \
-        CODE;                                                           \
+        ret = CODE;                                                     \
     }                                                                   \
                                                                         \
     tsc = mbedtls_timing_hardclock();                                   \
-    for( jj = 0; jj < 1024; jj++ )                                      \
+    for( jj = 0; ret == 0 && jj < 1024; jj++ )                          \
     {                                                                   \
-        CODE;                                                           \
+        ret = CODE;                                                     \
     }                                                                   \
                                                                         \
-    mbedtls_printf( "%9lu KiB/s,  %9lu cycles/byte\n",                   \
-                     ii * BUFSIZE / 1024,                               \
-                     ( mbedtls_timing_hardclock() - tsc ) / ( jj * BUFSIZE ) );         \
+    if( ret != 0 )                                                      \
+    {                                                                   \
+        PRINT_ERROR;                                                    \
+    }                                                                   \
+    else                                                                \
+    {                                                                   \
+        mbedtls_printf( "%9lu KiB/s,  %9lu cycles/byte\n",              \
+                         ii * BUFSIZE / 1024,                           \
+                         ( mbedtls_timing_hardclock() - tsc )           \
+                         / ( jj * BUFSIZE ) );                          \
+    }                                                                   \
 } while( 0 )
 
 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && defined(MBEDTLS_MEMORY_DEBUG)
@@ -141,7 +163,7 @@ do {                                                                    \
 
 #define MEMORY_MEASURE_PRINT( title_len )                               \
     mbedtls_memory_buffer_alloc_max_get( &max_used, &max_blocks );      \
-    for( ii = 12 - title_len; ii != 0; ii-- ) mbedtls_printf( " " );    \
+    for( ii = 12 - (title_len); ii != 0; ii-- ) mbedtls_printf( " " );  \
     max_used -= prv_used;                                               \
     max_blocks -= prv_blocks;                                           \
     max_bytes = max_used + MEM_BLOCK_OVERHEAD * max_blocks;             \
@@ -228,12 +250,26 @@ unsigned char buf[BUFSIZE];
 typedef struct {
     char md4, md5, ripemd160, sha1, sha256, sha512,
          arc4, des3, des,
-         aes_cbc, aes_gcm, aes_ccm, aes_cmac, des3_cmac,
-         camellia, blowfish,
+         aes_cbc, aes_gcm, aes_ccm, aes_xts, chachapoly,
+         aes_cmac, des3_cmac,
+         aria, camellia, blowfish, chacha20,
+         poly1305,
          havege, ctr_drbg, hmac_drbg,
          rsa, dhm, ecdsa, ecdh;
 } todo_list;
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 int main( int argc, char *argv[] )
 {
     int i;
@@ -274,18 +310,28 @@ int main( int argc, char *argv[] )
                 todo.des = 1;
             else if( strcmp( argv[i], "aes_cbc" ) == 0 )
                 todo.aes_cbc = 1;
+            else if( strcmp( argv[i], "aes_xts" ) == 0 )
+                todo.aes_xts = 1;
             else if( strcmp( argv[i], "aes_gcm" ) == 0 )
                 todo.aes_gcm = 1;
             else if( strcmp( argv[i], "aes_ccm" ) == 0 )
                 todo.aes_ccm = 1;
+            else if( strcmp( argv[i], "chachapoly" ) == 0 )
+                todo.chachapoly = 1;
             else if( strcmp( argv[i], "aes_cmac" ) == 0 )
                 todo.aes_cmac = 1;
             else if( strcmp( argv[i], "des3_cmac" ) == 0 )
                 todo.des3_cmac = 1;
+            else if( strcmp( argv[i], "aria" ) == 0 )
+                todo.aria = 1;
             else if( strcmp( argv[i], "camellia" ) == 0 )
                 todo.camellia = 1;
             else if( strcmp( argv[i], "blowfish" ) == 0 )
                 todo.blowfish = 1;
+            else if( strcmp( argv[i], "chacha20" ) == 0 )
+                todo.chacha20 = 1;
+            else if( strcmp( argv[i], "poly1305" ) == 0 )
+                todo.poly1305 = 1;
             else if( strcmp( argv[i], "havege" ) == 0 )
                 todo.havege = 1;
             else if( strcmp( argv[i], "ctr_drbg" ) == 0 )
@@ -419,6 +465,29 @@ int main( int argc, char *argv[] )
         mbedtls_aes_free( &aes );
     }
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    if( todo.aes_xts )
+    {
+        int keysize;
+        mbedtls_aes_xts_context ctx;
+
+        mbedtls_aes_xts_init( &ctx );
+        for( keysize = 128; keysize <= 256; keysize += 128 )
+        {
+            mbedtls_snprintf( title, sizeof( title ), "AES-XTS-%d", keysize );
+
+            memset( buf, 0, sizeof( buf ) );
+            memset( tmp, 0, sizeof( tmp ) );
+            mbedtls_aes_xts_setkey_enc( &ctx, tmp, keysize * 2 );
+
+            TIME_AND_TSC( title,
+                    mbedtls_aes_crypt_xts( &ctx, MBEDTLS_AES_ENCRYPT, BUFSIZE,
+                                           tmp, buf, buf ) );
+
+            mbedtls_aes_xts_free( &ctx );
+        }
+    }
+#endif
 #if defined(MBEDTLS_GCM_C)
     if( todo.aes_gcm )
     {
@@ -465,6 +534,26 @@ int main( int argc, char *argv[] )
         }
     }
 #endif
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if( todo.chachapoly )
+    {
+        mbedtls_chachapoly_context chachapoly;
+
+        mbedtls_chachapoly_init( &chachapoly );
+        memset( buf, 0, sizeof( buf ) );
+        memset( tmp, 0, sizeof( tmp ) );
+
+        mbedtls_snprintf( title, sizeof( title ), "ChaCha20-Poly1305" );
+
+        mbedtls_chachapoly_setkey( &chachapoly, tmp );
+
+        TIME_AND_TSC( title,
+                mbedtls_chachapoly_encrypt_and_tag( &chachapoly,
+                    BUFSIZE, tmp, NULL, 0, buf, buf, tmp ) );
+
+        mbedtls_chachapoly_free( &chachapoly );
+    }
+#endif
 #if defined(MBEDTLS_CMAC_C)
     if( todo.aes_cmac )
     {
@@ -498,6 +587,28 @@ int main( int argc, char *argv[] )
 #endif /* MBEDTLS_CMAC_C */
 #endif /* MBEDTLS_AES_C */
 
+#if defined(MBEDTLS_ARIA_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
+    if( todo.aria )
+    {
+        int keysize;
+        mbedtls_aria_context aria;
+        mbedtls_aria_init( &aria );
+        for( keysize = 128; keysize <= 256; keysize += 64 )
+        {
+            mbedtls_snprintf( title, sizeof( title ), "ARIA-CBC-%d", keysize );
+
+            memset( buf, 0, sizeof( buf ) );
+            memset( tmp, 0, sizeof( tmp ) );
+            mbedtls_aria_setkey_enc( &aria, tmp, keysize );
+
+            TIME_AND_TSC( title,
+                    mbedtls_aria_crypt_cbc( &aria, MBEDTLS_ARIA_ENCRYPT,
+                        BUFSIZE, tmp, buf, buf ) );
+        }
+        mbedtls_aria_free( &aria );
+    }
+#endif
+
 #if defined(MBEDTLS_CAMELLIA_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
     if( todo.camellia )
     {
@@ -520,6 +631,20 @@ int main( int argc, char *argv[] )
     }
 #endif
 
+#if defined(MBEDTLS_CHACHA20_C)
+    if ( todo.chacha20 )
+    {
+        TIME_AND_TSC( "ChaCha20", mbedtls_chacha20_crypt( buf, buf, 0U, BUFSIZE, buf, buf ) );
+    }
+#endif
+
+#if defined(MBEDTLS_POLY1305_C)
+    if ( todo.poly1305 )
+    {
+        TIME_AND_TSC( "Poly1305", mbedtls_poly1305_mac( buf, buf, BUFSIZE, buf ) );
+    }
+#endif
+
 #if defined(MBEDTLS_BLOWFISH_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
     if( todo.blowfish )
     {
@@ -564,15 +689,13 @@ int main( int argc, char *argv[] )
         if( mbedtls_ctr_drbg_seed( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
             mbedtls_exit(1);
         TIME_AND_TSC( "CTR_DRBG (NOPR)",
-                if( mbedtls_ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
-                mbedtls_exit(1) );
+                mbedtls_ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) );
 
         if( mbedtls_ctr_drbg_seed( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
             mbedtls_exit(1);
         mbedtls_ctr_drbg_set_prediction_resistance( &ctr_drbg, MBEDTLS_CTR_DRBG_PR_ON );
         TIME_AND_TSC( "CTR_DRBG (PR)",
-                if( mbedtls_ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
-                mbedtls_exit(1) );
+                mbedtls_ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) );
         mbedtls_ctr_drbg_free( &ctr_drbg );
     }
 #endif
@@ -592,16 +715,14 @@ int main( int argc, char *argv[] )
         if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 )
             mbedtls_exit(1);
         TIME_AND_TSC( "HMAC_DRBG SHA-1 (NOPR)",
-                if( mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) != 0 )
-                mbedtls_exit(1) );
+                mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) );
 
         if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 )
             mbedtls_exit(1);
         mbedtls_hmac_drbg_set_prediction_resistance( &hmac_drbg,
                                              MBEDTLS_HMAC_DRBG_PR_ON );
         TIME_AND_TSC( "HMAC_DRBG SHA-1 (PR)",
-                if( mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) != 0 )
-                mbedtls_exit(1) );
+                mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) );
 #endif
 
 #if defined(MBEDTLS_SHA256_C)
@@ -611,16 +732,14 @@ int main( int argc, char *argv[] )
         if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 )
             mbedtls_exit(1);
         TIME_AND_TSC( "HMAC_DRBG SHA-256 (NOPR)",
-                if( mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) != 0 )
-                mbedtls_exit(1) );
+                mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) );
 
         if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 )
             mbedtls_exit(1);
         mbedtls_hmac_drbg_set_prediction_resistance( &hmac_drbg,
                                              MBEDTLS_HMAC_DRBG_PR_ON );
         TIME_AND_TSC( "HMAC_DRBG SHA-256 (PR)",
-                if( mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) != 0 )
-                mbedtls_exit(1) );
+                mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) );
 #endif
         mbedtls_hmac_drbg_free( &hmac_drbg );
     }
@@ -759,13 +878,20 @@ int main( int argc, char *argv[] )
     }
 #endif
 
-#if defined(MBEDTLS_ECDH_C)
+#if defined(MBEDTLS_ECDH_C) && defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
     if( todo.ecdh )
     {
         mbedtls_ecdh_context ecdh;
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
         mbedtls_mpi z;
+        const mbedtls_ecp_curve_info montgomery_curve_list[] = {
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+            { MBEDTLS_ECP_DP_CURVE25519, 0, 0, "Curve25519" },
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+            { MBEDTLS_ECP_DP_CURVE448, 0, 0, "Curve448" },
 #endif
+            { MBEDTLS_ECP_DP_NONE, 0, 0, 0 }
+        };
         const mbedtls_ecp_curve_info *curve_info;
         size_t olen;
 
@@ -794,26 +920,31 @@ int main( int argc, char *argv[] )
             mbedtls_ecdh_free( &ecdh );
         }
 
-        /* Curve25519 needs to be handled separately */
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-        mbedtls_ecdh_init( &ecdh );
-        mbedtls_mpi_init( &z );
-
-        if( mbedtls_ecp_group_load( &ecdh.grp, MBEDTLS_ECP_DP_CURVE25519 ) != 0 ||
-            mbedtls_ecdh_gen_public( &ecdh.grp, &ecdh.d, &ecdh.Qp, myrand, NULL ) != 0 )
+        /* Montgomery curves need to be handled separately */
+        for ( curve_info = montgomery_curve_list;
+              curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+              curve_info++ )
         {
-            mbedtls_exit( 1 );
-        }
+            mbedtls_ecdh_init( &ecdh );
+            mbedtls_mpi_init( &z );
 
-        TIME_PUBLIC(  "ECDHE-Curve25519", "handshake",
-                ret |= mbedtls_ecdh_gen_public( &ecdh.grp, &ecdh.d, &ecdh.Q,
-                                        myrand, NULL );
-                ret |= mbedtls_ecdh_compute_shared( &ecdh.grp, &z, &ecdh.Qp, &ecdh.d,
-                                            myrand, NULL ) );
+            if( mbedtls_ecp_group_load( &ecdh.grp, curve_info->grp_id ) != 0 ||
+                mbedtls_ecdh_gen_public( &ecdh.grp, &ecdh.d, &ecdh.Qp, myrand, NULL ) != 0 )
+            {
+                mbedtls_exit( 1 );
+            }
 
-        mbedtls_ecdh_free( &ecdh );
-        mbedtls_mpi_free( &z );
-#endif
+            mbedtls_snprintf( title, sizeof(title), "ECDHE-%s",
+                              curve_info->name );
+            TIME_PUBLIC(  title, "handshake",
+                    ret |= mbedtls_ecdh_gen_public( &ecdh.grp, &ecdh.d, &ecdh.Q,
+                                            myrand, NULL );
+                    ret |= mbedtls_ecdh_compute_shared( &ecdh.grp, &z, &ecdh.Qp, &ecdh.d,
+                                                myrand, NULL ) );
+
+            mbedtls_ecdh_free( &ecdh );
+            mbedtls_mpi_free( &z );
+        }
 
         for( curve_info = mbedtls_ecp_curve_list();
              curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
@@ -840,26 +971,31 @@ int main( int argc, char *argv[] )
             mbedtls_ecdh_free( &ecdh );
         }
 
-        /* Curve25519 needs to be handled separately */
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-        mbedtls_ecdh_init( &ecdh );
-        mbedtls_mpi_init( &z );
-
-        if( mbedtls_ecp_group_load( &ecdh.grp, MBEDTLS_ECP_DP_CURVE25519 ) != 0 ||
-            mbedtls_ecdh_gen_public( &ecdh.grp, &ecdh.d, &ecdh.Qp,
-                             myrand, NULL ) != 0 ||
-            mbedtls_ecdh_gen_public( &ecdh.grp, &ecdh.d, &ecdh.Q, myrand, NULL ) != 0 )
+        /* Montgomery curves need to be handled separately */
+        for ( curve_info = montgomery_curve_list;
+              curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+              curve_info++)
         {
-            mbedtls_exit( 1 );
-        }
+            mbedtls_ecdh_init( &ecdh );
+            mbedtls_mpi_init( &z );
 
-        TIME_PUBLIC(  "ECDH-Curve25519", "handshake",
-                ret |= mbedtls_ecdh_compute_shared( &ecdh.grp, &z, &ecdh.Qp, &ecdh.d,
-                                            myrand, NULL ) );
+            if( mbedtls_ecp_group_load( &ecdh.grp, curve_info->grp_id ) != 0 ||
+                mbedtls_ecdh_gen_public( &ecdh.grp, &ecdh.d, &ecdh.Qp,
+                                 myrand, NULL ) != 0 ||
+                mbedtls_ecdh_gen_public( &ecdh.grp, &ecdh.d, &ecdh.Q, myrand, NULL ) != 0 )
+            {
+                mbedtls_exit( 1 );
+            }
 
-        mbedtls_ecdh_free( &ecdh );
-        mbedtls_mpi_free( &z );
-#endif
+            mbedtls_snprintf( title, sizeof(title), "ECDH-%s",
+                              curve_info->name );
+            TIME_PUBLIC(  title, "handshake",
+                    ret |= mbedtls_ecdh_compute_shared( &ecdh.grp, &z, &ecdh.Qp, &ecdh.d,
+                                                myrand, NULL ) );
+
+            mbedtls_ecdh_free( &ecdh );
+            mbedtls_mpi_free( &z );
+        }
     }
 #endif
 
diff --git a/3rdparty/mbedtls/mbedtls/programs/test/cpp_dummy_build.cpp b/3rdparty/mbedtls/mbedtls/programs/test/cpp_dummy_build.cpp
new file mode 100644
index 0000000000..c652884046
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/programs/test/cpp_dummy_build.cpp
@@ -0,0 +1,119 @@
+/*
+ *  This program is a dummy C++ program to ensure Mbed TLS library header files
+ *  can be included and built with a C++ compiler.
+ *
+ *  Copyright (C) 2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/aes.h"
+#include "mbedtls/aesni.h"
+#include "mbedtls/arc4.h"
+#include "mbedtls/aria.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/base64.h"
+#include "mbedtls/bignum.h"
+#include "mbedtls/blowfish.h"
+#include "mbedtls/bn_mul.h"
+#include "mbedtls/camellia.h"
+#include "mbedtls/ccm.h"
+#include "mbedtls/certs.h"
+#include "mbedtls/chacha20.h"
+#include "mbedtls/chachapoly.h"
+#include "mbedtls/check_config.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/cipher_internal.h"
+#include "mbedtls/cmac.h"
+#include "mbedtls/compat-1.3.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/debug.h"
+#include "mbedtls/des.h"
+#include "mbedtls/dhm.h"
+#include "mbedtls/ecdh.h"
+#include "mbedtls/ecdsa.h"
+#include "mbedtls/ecjpake.h"
+#include "mbedtls/ecp.h"
+#include "mbedtls/ecp_internal.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/entropy_poll.h"
+#include "mbedtls/error.h"
+#include "mbedtls/gcm.h"
+#include "mbedtls/havege.h"
+#include "mbedtls/hkdf.h"
+#include "mbedtls/hmac_drbg.h"
+#include "mbedtls/md.h"
+#include "mbedtls/md2.h"
+#include "mbedtls/md4.h"
+#include "mbedtls/md5.h"
+#include "mbedtls/md_internal.h"
+#include "mbedtls/net.h"
+#include "mbedtls/net_sockets.h"
+#include "mbedtls/nist_kw.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/padlock.h"
+#include "mbedtls/pem.h"
+#include "mbedtls/pk.h"
+#include "mbedtls/pk_internal.h"
+#include "mbedtls/pkcs11.h"
+#include "mbedtls/pkcs12.h"
+#include "mbedtls/pkcs5.h"
+#include "mbedtls/platform_time.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/poly1305.h"
+#include "mbedtls/ripemd160.h"
+#include "mbedtls/rsa.h"
+#include "mbedtls/rsa_internal.h"
+#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
+#include "mbedtls/sha512.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_cache.h"
+#include "mbedtls/ssl_ciphersuites.h"
+#include "mbedtls/ssl_cookie.h"
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/ssl_ticket.h"
+#include "mbedtls/threading.h"
+#include "mbedtls/timing.h"
+#include "mbedtls/version.h"
+#include "mbedtls/x509.h"
+#include "mbedtls/x509_crl.h"
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/x509_csr.h"
+#include "mbedtls/xtea.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#endif
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#include "mbedtls/memory_buffer_alloc.h"
+#endif
+
+int main()
+{
+    mbedtls_platform_context *ctx = NULL;
+    mbedtls_platform_setup(ctx);
+    mbedtls_printf("CPP Build test\n");
+    mbedtls_platform_teardown(ctx);
+}
diff --git a/3rdparty/mbedtls/mbedtls/programs/test/query_compile_time_config.c b/3rdparty/mbedtls/mbedtls/programs/test/query_compile_time_config.c
new file mode 100644
index 0000000000..17becf27f1
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/programs/test/query_compile_time_config.c
@@ -0,0 +1,56 @@
+/*
+ *  Query the Mbed TLS compile time configuration
+ *
+ *  Copyright (C) 2018, Arm Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_printf       printf
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif
+
+#define USAGE                                                                \
+    "usage: %s <MBEDTLS_CONFIG>\n\n"                                         \
+    "This program takes one command line argument which corresponds to\n"    \
+    "the string representation of a Mbed TLS compile time configuration.\n"  \
+    "The value 0 will be returned if this configuration is defined in the\n" \
+    "Mbed TLS build and the macro expansion of that configuration will be\n" \
+    "printed (if any). Otherwise, 1 will be returned.\n"
+
+int query_config( const char *config );
+
+int main( int argc, char *argv[] )
+{
+    if ( argc != 2 )
+    {
+        mbedtls_printf( USAGE, argv[0] );
+        return( MBEDTLS_EXIT_FAILURE );
+    }
+
+    return( query_config( argv[1] ) );
+}
diff --git a/3rdparty/mbedtls/mbedtls/programs/test/selftest.c b/3rdparty/mbedtls/mbedtls/programs/test/selftest.c
index 72a37342fd..9d3ea7ec0a 100644
--- a/3rdparty/mbedtls/mbedtls/programs/test/selftest.c
+++ b/3rdparty/mbedtls/mbedtls/programs/test/selftest.c
@@ -44,6 +44,10 @@
 #include "mbedtls/des.h"
 #include "mbedtls/aes.h"
 #include "mbedtls/camellia.h"
+#include "mbedtls/aria.h"
+#include "mbedtls/chacha20.h"
+#include "mbedtls/poly1305.h"
+#include "mbedtls/chachapoly.h"
 #include "mbedtls/base64.h"
 #include "mbedtls/bignum.h"
 #include "mbedtls/rsa.h"
@@ -53,6 +57,7 @@
 #include "mbedtls/ecp.h"
 #include "mbedtls/ecjpake.h"
 #include "mbedtls/timing.h"
+#include "mbedtls/nist_kw.h"
 
 #include <string.h>
 
@@ -72,6 +77,18 @@
 #include "mbedtls/memory_buffer_alloc.h"
 #endif
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 static int test_snprintf( size_t n, const char ref_buf[10], int ref_ret )
 {
     int ret;
@@ -204,9 +221,21 @@ const selftest_t selftests[] =
 #if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_AES_C)
     {"ccm", mbedtls_ccm_self_test},
 #endif
+#if defined(MBEDTLS_NIST_KW_C) && defined(MBEDTLS_AES_C)
+    {"nist_kw", mbedtls_nist_kw_self_test},
+#endif
 #if defined(MBEDTLS_CMAC_C)
     {"cmac", mbedtls_cmac_self_test},
 #endif
+#if defined(MBEDTLS_CHACHA20_C)
+    {"chacha20", mbedtls_chacha20_self_test},
+#endif
+#if defined(MBEDTLS_POLY1305_C)
+    {"poly1305", mbedtls_poly1305_self_test},
+#endif
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    {"chacha20-poly1305", mbedtls_chachapoly_self_test},
+#endif
 #if defined(MBEDTLS_BASE64_C)
     {"base64", mbedtls_base64_self_test},
 #endif
@@ -225,6 +254,9 @@ const selftest_t selftests[] =
 #if defined(MBEDTLS_CAMELLIA_C)
     {"camellia", mbedtls_camellia_self_test},
 #endif
+#if defined(MBEDTLS_ARIA_C)
+    {"aria", mbedtls_aria_self_test},
+#endif
 #if defined(MBEDTLS_CTR_DRBG_C)
     {"ctr_drbg", mbedtls_ctr_drbg_self_test},
 #endif
diff --git a/3rdparty/mbedtls/mbedtls/programs/test/udp_proxy.c b/3rdparty/mbedtls/mbedtls/programs/test/udp_proxy.c
index 02428b9dd0..e96e91bf56 100644
--- a/3rdparty/mbedtls/mbedtls/programs/test/udp_proxy.c
+++ b/3rdparty/mbedtls/mbedtls/programs/test/udp_proxy.c
@@ -40,6 +40,8 @@
 #define mbedtls_time            time
 #define mbedtls_time_t          time_t
 #define mbedtls_printf          printf
+#define mbedtls_calloc          calloc
+#define mbedtls_free            free
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -55,6 +57,7 @@ int main( void )
 #include "mbedtls/net_sockets.h"
 #include "mbedtls/error.h"
 #include "mbedtls/ssl.h"
+#include "mbedtls/timing.h"
 
 #include <string.h>
 
@@ -76,17 +79,21 @@ int main( void )
 #include <unistd.h>
 #endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
 
-/* For gettimeofday() */
-#if !defined(_WIN32)
-#include <sys/time.h>
-#endif
-
 #define MAX_MSG_SIZE            16384 + 2048 /* max record/datagram size */
 
 #define DFL_SERVER_ADDR         "localhost"
 #define DFL_SERVER_PORT         "4433"
 #define DFL_LISTEN_ADDR         "localhost"
 #define DFL_LISTEN_PORT         "5556"
+#define DFL_PACK                0
+
+#if defined(MBEDTLS_TIMING_C)
+#define USAGE_PACK                                                          \
+    "    pack=%%d             default: 0     (don't pack)\n"                \
+    "                         options: t > 0 (pack for t milliseconds)\n"
+#else
+#define USAGE_PACK
+#endif
 
 #define USAGE                                                               \
     "\n usage: udp_proxy param=<>...\n"                                     \
@@ -101,20 +108,39 @@ int main( void )
     "    delay=%%d            default: 0 (no delayed packets)\n"            \
     "                        delay about 1:N packets randomly\n"            \
     "    delay_ccs=0/1       default: 0 (don't delay ChangeCipherSpec)\n"   \
+    "    delay_cli=%%s        Handshake message from client that should be\n"\
+    "                        delayed. Possible values are 'ClientHello',\n" \
+    "                        'Certificate', 'CertificateVerify', and\n"     \
+    "                        'ClientKeyExchange'.\n"                        \
+    "                        May be used multiple times, even for the same\n"\
+    "                        message, in which case the respective message\n"\
+    "                        gets delayed multiple times.\n"                 \
+    "    delay_srv=%%s        Handshake message from server that should be\n"\
+    "                        delayed. Possible values are 'HelloRequest',\n"\
+    "                        'ServerHello', 'ServerHelloDone', 'Certificate'\n"\
+    "                        'ServerKeyExchange', 'NewSessionTicket',\n"\
+    "                        'HelloVerifyRequest' and ''CertificateRequest'.\n"\
+    "                        May be used multiple times, even for the same\n"\
+    "                        message, in which case the respective message\n"\
+    "                        gets delayed multiple times.\n"                 \
     "    drop=%%d             default: 0 (no dropped packets)\n"            \
     "                        drop about 1:N packets randomly\n"             \
     "    mtu=%%d              default: 0 (unlimited)\n"                     \
     "                        drop packets larger than N bytes\n"            \
     "    bad_ad=0/1          default: 0 (don't add bad ApplicationData)\n"  \
     "    protect_hvr=0/1     default: 0 (don't protect HelloVerifyRequest)\n" \
-    "    protect_len=%%d     default: (don't protect packets of this size)\n" \
+    "    protect_len=%%d      default: (don't protect packets of this size)\n" \
     "\n"                                                                    \
     "    seed=%%d             default: (use current time)\n"                \
+    USAGE_PACK                                                              \
     "\n"
 
 /*
  * global options
  */
+
+#define MAX_DELAYED_HS 10
+
 static struct options
 {
     const char *server_addr;    /* address to forward packets to            */
@@ -125,12 +151,19 @@ static struct options
     int duplicate;              /* duplicate 1 in N packets (none if 0)     */
     int delay;                  /* delay 1 packet in N (none if 0)          */
     int delay_ccs;              /* delay ChangeCipherSpec                   */
+    char* delay_cli[MAX_DELAYED_HS];  /* handshake types of messages from
+                                       * client that should be delayed.     */
+    uint8_t delay_cli_cnt;      /* Number of entries in delay_cli.          */
+    char* delay_srv[MAX_DELAYED_HS];  /* handshake types of messages from
+                                       * server that should be delayed.     */
+    uint8_t delay_srv_cnt;      /* Number of entries in delay_srv.          */
     int drop;                   /* drop 1 packet in N (none if 0)           */
     int mtu;                    /* drop packets larger than this            */
     int bad_ad;                 /* inject corrupted ApplicationData record  */
     int protect_hvr;            /* never drop or delay HelloVerifyRequest   */
     int protect_len;            /* never drop/delay packet of the given size*/
-
+    unsigned pack;              /* merge packets into single datagram for
+                                 * at most \c merge milliseconds if > 0     */
     unsigned int seed;          /* seed for "random" events                 */
 } opt;
 
@@ -154,8 +187,14 @@ static void get_options( int argc, char *argv[] )
     opt.server_port    = DFL_SERVER_PORT;
     opt.listen_addr    = DFL_LISTEN_ADDR;
     opt.listen_port    = DFL_LISTEN_PORT;
+    opt.pack           = DFL_PACK;
     /* Other members default to 0 */
 
+    opt.delay_cli_cnt = 0;
+    opt.delay_srv_cnt = 0;
+    memset( opt.delay_cli, 0, sizeof( opt.delay_cli ) );
+    memset( opt.delay_srv, 0, sizeof( opt.delay_srv ) );
+
     for( i = 1; i < argc; i++ )
     {
         p = argv[i];
@@ -189,12 +228,58 @@ static void get_options( int argc, char *argv[] )
             if( opt.delay_ccs < 0 || opt.delay_ccs > 1 )
                 exit_usage( p, q );
         }
+        else if( strcmp( p, "delay_cli" ) == 0 ||
+                 strcmp( p, "delay_srv" ) == 0 )
+        {
+            uint8_t *delay_cnt;
+            char **delay_list;
+            size_t len;
+            char *buf;
+
+            if( strcmp( p, "delay_cli" ) == 0 )
+            {
+                delay_cnt  = &opt.delay_cli_cnt;
+                delay_list = opt.delay_cli;
+            }
+            else
+            {
+                delay_cnt  = &opt.delay_srv_cnt;
+                delay_list = opt.delay_srv;
+            }
+
+            if( *delay_cnt == MAX_DELAYED_HS )
+            {
+                mbedtls_printf( " too many uses of %s: only %d allowed\n",
+                                p, MAX_DELAYED_HS );
+                exit_usage( p, NULL );
+            }
+
+            len = strlen( q );
+            buf = mbedtls_calloc( 1, len + 1 );
+            if( buf == NULL )
+            {
+                mbedtls_printf( " Allocation failure\n" );
+                exit( 1 );
+            }
+            memcpy( buf, q, len + 1 );
+
+            delay_list[ (*delay_cnt)++ ] = buf;
+        }
         else if( strcmp( p, "drop" ) == 0 )
         {
             opt.drop = atoi( q );
             if( opt.drop < 0 || opt.drop > 20 || opt.drop == 1 )
                 exit_usage( p, q );
         }
+        else if( strcmp( p, "pack" ) == 0 )
+        {
+#if defined(MBEDTLS_TIMING_C)
+            opt.pack = (unsigned) atoi( q );
+#else
+            mbedtls_printf( " option pack only defined if MBEDTLS_TIMING_C is enabled\n" );
+            exit( 1 );
+#endif
+        }
         else if( strcmp( p, "mtu" ) == 0 )
         {
             opt.mtu = atoi( q );
@@ -269,25 +354,122 @@ static const char *msg_type( unsigned char *msg, size_t len )
     }
 }
 
+#if defined(MBEDTLS_TIMING_C)
 /* Return elapsed time in milliseconds since the first call */
-static unsigned long ellapsed_time( void )
+static unsigned ellapsed_time( void )
 {
-#if defined(_WIN32)
-    return( 0 );
-#else
-    static struct timeval ref = { 0, 0 };
-    struct timeval now;
+    static int initialized = 0;
+    static struct mbedtls_timing_hr_time hires;
 
-    if( ref.tv_sec == 0 && ref.tv_usec == 0 )
+    if( initialized == 0 )
     {
-        gettimeofday( &ref, NULL );
+        (void) mbedtls_timing_get_timer( &hires, 1 );
+        initialized = 1;
         return( 0 );
     }
 
-    gettimeofday( &now, NULL );
-    return( 1000 * ( now.tv_sec  - ref.tv_sec )
-                 + ( now.tv_usec - ref.tv_usec ) / 1000 );
-#endif
+    return( mbedtls_timing_get_timer( &hires, 0 ) );
+}
+
+typedef struct
+{
+    mbedtls_net_context *ctx;
+
+    const char *description;
+
+    unsigned packet_lifetime;
+    unsigned num_datagrams;
+
+    unsigned char data[MAX_MSG_SIZE];
+    size_t len;
+
+} ctx_buffer;
+
+static ctx_buffer outbuf[2];
+
+static int ctx_buffer_flush( ctx_buffer *buf )
+{
+    int ret;
+
+    mbedtls_printf( "  %05u flush    %s: %u bytes, %u datagrams, last %u ms\n",
+                    ellapsed_time(), buf->description,
+                    (unsigned) buf->len, buf->num_datagrams,
+                    ellapsed_time() - buf->packet_lifetime );
+
+    ret = mbedtls_net_send( buf->ctx, buf->data, buf->len );
+
+    buf->len           = 0;
+    buf->num_datagrams = 0;
+
+    return( ret );
+}
+
+static unsigned ctx_buffer_time_remaining( ctx_buffer *buf )
+{
+    unsigned const cur_time = ellapsed_time();
+
+    if( buf->num_datagrams == 0 )
+        return( (unsigned) -1 );
+
+    if( cur_time - buf->packet_lifetime >= opt.pack )
+        return( 0 );
+
+    return( opt.pack - ( cur_time - buf->packet_lifetime ) );
+}
+
+static int ctx_buffer_append( ctx_buffer *buf,
+                              const unsigned char * data,
+                              size_t len )
+{
+    int ret;
+
+    if( len > (size_t) INT_MAX )
+        return( -1 );
+
+    if( len > sizeof( buf->data ) )
+    {
+        mbedtls_printf( "  ! buffer size %u too large (max %u)\n",
+                        (unsigned) len, (unsigned) sizeof( buf->data ) );
+        return( -1 );
+    }
+
+    if( sizeof( buf->data ) - buf->len < len )
+    {
+        if( ( ret = ctx_buffer_flush( buf ) ) <= 0 )
+            return( ret );
+    }
+
+    memcpy( buf->data + buf->len, data, len );
+
+    buf->len += len;
+    if( ++buf->num_datagrams == 1 )
+        buf->packet_lifetime = ellapsed_time();
+
+    return( (int) len );
+}
+#endif /* MBEDTLS_TIMING_C */
+
+static int dispatch_data( mbedtls_net_context *ctx,
+                          const unsigned char * data,
+                          size_t len )
+{
+#if defined(MBEDTLS_TIMING_C)
+    ctx_buffer *buf = NULL;
+    if( opt.pack > 0 )
+    {
+        if( outbuf[0].ctx == ctx )
+            buf = &outbuf[0];
+        else if( outbuf[1].ctx == ctx )
+            buf = &outbuf[1];
+
+        if( buf == NULL )
+            return( -1 );
+
+        return( ctx_buffer_append( buf, data, len ) );
+    }
+#endif /* MBEDTLS_TIMING_C */
+
+    return( mbedtls_net_send( ctx, data, len ) );
 }
 
 typedef struct
@@ -302,12 +484,22 @@ typedef struct
 /* Print packet. Outgoing packets come with a reason (forward, dupl, etc.) */
 void print_packet( const packet *p, const char *why )
 {
+#if defined(MBEDTLS_TIMING_C)
     if( why == NULL )
-        mbedtls_printf( "  %05lu %s %s (%u bytes)\n",
+        mbedtls_printf( "  %05u dispatch %s %s (%u bytes)\n",
                 ellapsed_time(), p->way, p->type, p->len );
     else
-        mbedtls_printf( "        %s %s (%u bytes): %s\n",
+        mbedtls_printf( "  %05u dispatch %s %s (%u bytes): %s\n",
+                ellapsed_time(), p->way, p->type, p->len, why );
+#else
+    if( why == NULL )
+        mbedtls_printf( "        dispatch %s %s (%u bytes)\n",
+                p->way, p->type, p->len );
+    else
+        mbedtls_printf( "        dispatch %s %s (%u bytes): %s\n",
                 p->way, p->type, p->len, why );
+#endif
+
     fflush( stdout );
 }
 
@@ -322,20 +514,28 @@ int send_packet( const packet *p, const char *why )
     {
         unsigned char buf[MAX_MSG_SIZE];
         memcpy( buf, p->buf, p->len );
-        ++buf[p->len - 1];
 
-        print_packet( p, "corrupted" );
-        if( ( ret = mbedtls_net_send( dst, buf, p->len ) ) <= 0 )
+        if( p->len <= 13 )
+        {
+            mbedtls_printf( "  ! can't corrupt empty AD record" );
+        }
+        else
+        {
+            ++buf[13];
+            print_packet( p, "corrupted" );
+        }
+
+        if( ( ret = dispatch_data( dst, buf, p->len ) ) <= 0 )
         {
-            mbedtls_printf( "  ! mbedtls_net_send returned %d\n", ret );
+            mbedtls_printf( "  ! dispatch returned %d\n", ret );
             return( ret );
         }
     }
 
     print_packet( p, why );
-    if( ( ret = mbedtls_net_send( dst, p->buf, p->len ) ) <= 0 )
+    if( ( ret = dispatch_data( dst, p->buf, p->len ) ) <= 0 )
     {
-        mbedtls_printf( "  ! mbedtls_net_send returned %d\n", ret );
+        mbedtls_printf( "  ! dispatch returned %d\n", ret );
         return( ret );
     }
 
@@ -346,9 +546,9 @@ int send_packet( const packet *p, const char *why )
     {
         print_packet( p, "duplicated" );
 
-        if( ( ret = mbedtls_net_send( dst, p->buf, p->len ) ) <= 0 )
+        if( ( ret = dispatch_data( dst, p->buf, p->len ) ) <= 0 )
         {
-            mbedtls_printf( "  ! mbedtls_net_send returned %d\n", ret );
+            mbedtls_printf( "  ! dispatch returned %d\n", ret );
             return( ret );
         }
     }
@@ -356,11 +556,37 @@ int send_packet( const packet *p, const char *why )
     return( 0 );
 }
 
-static packet prev;
+#define MAX_DELAYED_MSG 5
+static size_t prev_len;
+static packet prev[MAX_DELAYED_MSG];
 
 void clear_pending( void )
 {
-    memset( &prev, 0, sizeof( packet ) );
+    memset( &prev, 0, sizeof( prev ) );
+    prev_len = 0;
+}
+
+void delay_packet( packet *delay )
+{
+    if( prev_len == MAX_DELAYED_MSG )
+        return;
+
+    memcpy( &prev[prev_len++], delay, sizeof( packet ) );
+}
+
+int send_delayed()
+{
+    uint8_t offset;
+    int ret;
+    for( offset = 0; offset < prev_len; offset++ )
+    {
+        ret = send_packet( &prev[offset], "delayed" );
+        if( ret != 0 )
+            return( ret );
+    }
+
+    clear_pending();
+    return( 0 );
 }
 
 /*
@@ -393,6 +619,10 @@ int handle_message( const char *way,
     packet cur;
     size_t id;
 
+    uint8_t delay_idx;
+    char ** delay_list;
+    uint8_t delay_list_len;
+
     /* receive packet */
     if( ( ret = mbedtls_net_recv( src, cur.buf, sizeof( cur.buf ) ) ) <= 0 )
     {
@@ -408,6 +638,37 @@ int handle_message( const char *way,
 
     id = cur.len % sizeof( dropped );
 
+    if( strcmp( way, "S <- C" ) == 0 )
+    {
+        delay_list     = opt.delay_cli;
+        delay_list_len = opt.delay_cli_cnt;
+    }
+    else
+    {
+        delay_list     = opt.delay_srv;
+        delay_list_len = opt.delay_srv_cnt;
+    }
+
+    /* Check if message type is in the list of messages
+     * that should be delayed */
+    for( delay_idx = 0; delay_idx < delay_list_len; delay_idx++ )
+    {
+        if( delay_list[ delay_idx ] == NULL )
+            continue;
+
+        if( strcmp( delay_list[ delay_idx ], cur.type ) == 0 )
+        {
+            /* Delay message */
+            delay_packet( &cur );
+
+            /* Remove entry from list */
+            mbedtls_free( delay_list[delay_idx] );
+            delay_list[delay_idx] = NULL;
+
+            return( 0 );
+        }
+    }
+
     /* do we want to drop, delay, or forward it? */
     if( ( opt.mtu != 0 &&
           cur.len > (unsigned) opt.mtu ) ||
@@ -427,12 +688,11 @@ int handle_message( const char *way,
                strcmp( cur.type, "ApplicationData" ) != 0 &&
                ! ( opt.protect_hvr &&
                    strcmp( cur.type, "HelloVerifyRequest" ) == 0 ) &&
-               prev.dst == NULL &&
                cur.len != (size_t) opt.protect_len &&
                dropped[id] < DROP_MAX &&
                rand() % opt.delay == 0 ) )
     {
-        memcpy( &prev, &cur, sizeof( packet ) );
+        delay_packet( &cur );
     }
     else
     {
@@ -440,14 +700,10 @@ int handle_message( const char *way,
         if( ( ret = send_packet( &cur, "forwarded" ) ) != 0 )
             return( ret );
 
-        /* send previously delayed message if any */
-        if( prev.dst != NULL )
-        {
-            ret = send_packet( &prev, "delayed" );
-            memset( &prev, 0, sizeof( packet ) );
-            if( ret != 0 )
-                return( ret );
-        }
+        /* send previously delayed messages if any */
+        ret = send_delayed();
+        if( ret != 0 )
+            return( ret );
     }
 
     return( 0 );
@@ -457,9 +713,16 @@ int main( int argc, char *argv[] )
 {
     int ret = 1;
     int exit_code = MBEDTLS_EXIT_FAILURE;
+    uint8_t delay_idx;
 
     mbedtls_net_context listen_fd, client_fd, server_fd;
 
+#if defined( MBEDTLS_TIMING_C )
+    struct timeval tm;
+#endif
+
+    struct timeval *tm_ptr = NULL;
+
     int nb_fds;
     fd_set read_fds;
 
@@ -548,14 +811,65 @@ int main( int argc, char *argv[] )
         nb_fds = listen_fd.fd;
     ++nb_fds;
 
+#if defined(MBEDTLS_TIMING_C)
+    if( opt.pack > 0 )
+    {
+        outbuf[0].ctx = &server_fd;
+        outbuf[0].description = "S <- C";
+        outbuf[0].num_datagrams = 0;
+        outbuf[0].len = 0;
+
+        outbuf[1].ctx = &client_fd;
+        outbuf[1].description = "S -> C";
+        outbuf[1].num_datagrams = 0;
+        outbuf[1].len = 0;
+    }
+#endif /* MBEDTLS_TIMING_C */
+
     while( 1 )
     {
+#if defined(MBEDTLS_TIMING_C)
+        if( opt.pack > 0 )
+        {
+            unsigned max_wait_server, max_wait_client, max_wait;
+            max_wait_server = ctx_buffer_time_remaining( &outbuf[0] );
+            max_wait_client = ctx_buffer_time_remaining( &outbuf[1] );
+
+            max_wait = (unsigned) -1;
+
+            if( max_wait_server == 0 )
+                ctx_buffer_flush( &outbuf[0] );
+            else
+                max_wait = max_wait_server;
+
+            if( max_wait_client == 0 )
+                ctx_buffer_flush( &outbuf[1] );
+            else
+            {
+                if( max_wait_client < max_wait )
+                    max_wait = max_wait_client;
+            }
+
+            if( max_wait != (unsigned) -1 )
+            {
+                tm.tv_sec  = max_wait / 1000;
+                tm.tv_usec = ( max_wait % 1000 ) * 1000;
+
+                tm_ptr = &tm;
+            }
+            else
+            {
+                tm_ptr = NULL;
+            }
+        }
+#endif /* MBEDTLS_TIMING_C */
+
         FD_ZERO( &read_fds );
         FD_SET( server_fd.fd, &read_fds );
         FD_SET( client_fd.fd, &read_fds );
         FD_SET( listen_fd.fd, &read_fds );
 
-        if( ( ret = select( nb_fds, &read_fds, NULL, NULL, NULL ) ) <= 0 )
+        if( ( ret = select( nb_fds, &read_fds, NULL, NULL, tm_ptr ) ) < 0 )
         {
             perror( "select" );
             goto exit;
@@ -577,6 +891,7 @@ int main( int argc, char *argv[] )
                                         &client_fd, &server_fd ) ) != 0 )
                 goto accept;
         }
+
     }
 
     exit_code = MBEDTLS_EXIT_SUCCESS;
@@ -593,6 +908,12 @@ int main( int argc, char *argv[] )
     }
 #endif
 
+    for( delay_idx = 0; delay_idx < MAX_DELAYED_HS; delay_idx++ )
+    {
+        mbedtls_free( opt.delay_cli + delay_idx );
+        mbedtls_free( opt.delay_srv + delay_idx );
+    }
+
     mbedtls_net_free( &client_fd );
     mbedtls_net_free( &server_fd );
     mbedtls_net_free( &listen_fd );
diff --git a/3rdparty/mbedtls/mbedtls/programs/test/udp_proxy_wrapper.sh b/3rdparty/mbedtls/mbedtls/programs/test/udp_proxy_wrapper.sh
new file mode 100755
index 0000000000..29033d5d17
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/programs/test/udp_proxy_wrapper.sh
@@ -0,0 +1,117 @@
+#!/bin/sh
+# -*-sh-basic-offset: 4-*-
+# Usage: udp_proxy_wrapper.sh [PROXY_PARAM...] -- [SERVER_PARAM...]
+
+set -u
+
+MBEDTLS_BASE="$(dirname -- "$0")/../.."
+TPXY_BIN="$MBEDTLS_BASE/programs/test/udp_proxy"
+SRV_BIN="$MBEDTLS_BASE/programs/ssl/ssl_server2"
+
+: ${VERBOSE:=0}
+
+stop_proxy() {
+    if [ -n "${tpxy_pid:-}" ]; then
+        echo
+        echo "  * Killing proxy (pid $tpxy_pid) ..."
+        kill $tpxy_pid
+    fi
+}
+
+stop_server() {
+    if [ -n "${srv_pid:-}" ]; then
+        echo
+        echo "  * Killing server (pid $srv_pid) ..."
+        kill $srv_pid >/dev/null 2>/dev/null
+    fi
+}
+
+cleanup() {
+    stop_server
+    stop_proxy
+    exit 129
+}
+
+trap cleanup INT TERM HUP
+
+# Extract the proxy parameters
+tpxy_cmd_snippet='"$TPXY_BIN"'
+while [ $# -ne 0 ] && [ "$1" != "--" ]; do
+    tail="$1" quoted=""
+    while [ -n "$tail" ]; do
+        case "$tail" in
+            *\'*) quoted="${quoted}${tail%%\'*}'\\''" tail="${tail#*\'}";;
+            *) quoted="${quoted}${tail}"; tail=; false;;
+        esac
+    done
+    tpxy_cmd_snippet="$tpxy_cmd_snippet '$quoted'"
+    shift
+done
+unset tail quoted
+if [ $# -eq 0 ]; then
+    echo "  * No server arguments (must be preceded by \" -- \") - exit"
+    exit 3
+fi
+shift
+
+dtls_enabled=
+ipv6_in_use=
+server_port_orig=
+server_addr_orig=
+for param; do
+    case "$param" in
+        server_port=*) server_port_orig="${param#*=}";;
+        server_addr=*:*) server_addr_orig="${param#*=}"; ipv6_in_use=1;;
+        server_addr=*) server_addr_orig="${param#*=}";;
+        dtls=[!0]*) dtls_enabled=1;;
+    esac
+done
+
+if [ -z "$dtls_enabled" ] || [ -n "$ipv6_in_use" ]; then
+    echo >&2 "$0: Couldn't find DTLS enabling, or IPv6 is in use - immediate fallback to server application..."
+    if [ $VERBOSE -gt 0 ]; then
+        echo "[ $SRV_BIN $* ]"
+    fi
+    exec "$SRV_BIN" "$@"
+fi
+
+if [ -z "$server_port_orig" ]; then
+    server_port_orig=4433
+fi
+echo "  * Server port:       $server_port_orig"
+tpxy_cmd_snippet="$tpxy_cmd_snippet \"listen_port=\$server_port_orig\""
+tpxy_cmd_snippet="$tpxy_cmd_snippet \"server_port=\$server_port\""
+
+if [ -n "$server_addr_orig" ]; then
+    echo "  * Server address:    $server_addr_orig"
+    tpxy_cmd_snippet="$tpxy_cmd_snippet \"server_addr=\$server_addr_orig\""
+    tpxy_cmd_snippet="$tpxy_cmd_snippet \"listen_addr=\$server_addr_orig\""
+fi
+
+server_port=$(( server_port_orig + 1 ))
+set -- "$@" "server_port=$server_port"
+echo "  * Intermediate port: $server_port"
+
+echo "  * Start proxy in background ..."
+if [ $VERBOSE -gt 0 ]; then
+    echo "[ $tpxy_cmd_snippet ]"
+fi
+eval exec "$tpxy_cmd_snippet" >/dev/null 2>&1 &
+tpxy_pid=$!
+
+if [ $VERBOSE -gt 0 ]; then
+    echo "  * Proxy ID:          $TPXY_PID"
+fi
+
+echo "  * Starting server ..."
+if [ $VERBOSE -gt 0 ]; then
+    echo "[ $SRV_BIN $* ]"
+fi
+
+exec "$SRV_BIN" "$@" >&2 &
+srv_pid=$!
+
+wait $srv_pid
+
+stop_proxy
+return 0
diff --git a/3rdparty/mbedtls/mbedtls/programs/test/zeroize.c b/3rdparty/mbedtls/mbedtls/programs/test/zeroize.c
new file mode 100644
index 0000000000..29cc0ac3c1
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/programs/test/zeroize.c
@@ -0,0 +1,101 @@
+/*
+ * Zeroize application for debugger-driven testing
+ *
+ * This is a simple test application used for debugger-driven testing to check
+ * whether calls to mbedtls_platform_zeroize() are being eliminated by compiler
+ * optimizations. This application is used by the GDB script at
+ * tests/scripts/test_zeroize.gdb under the assumption that the code does not
+ * change often (as opposed to the library code) because the script sets a
+ * breakpoint at the last return statement in the main() function of this
+ * program. The debugger facilities are then used to manually inspect the
+ * memory and verify that the call to mbedtls_platform_zeroize() was not
+ * eliminated.
+ *
+ *  Copyright (C) 2018, Arm Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdio.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_printf     printf
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif
+
+#include "mbedtls/platform_util.h"
+
+#define BUFFER_LEN 1024
+
+void usage( void )
+{
+    mbedtls_printf( "Zeroize is a simple program to assist with testing\n" );
+    mbedtls_printf( "the mbedtls_platform_zeroize() function by using the\n" );
+    mbedtls_printf( "debugger. This program takes a file as input and\n" );
+    mbedtls_printf( "prints the first %d characters. Usage:\n\n", BUFFER_LEN );
+    mbedtls_printf( "       zeroize <FILE>\n" );
+}
+
+int main( int argc, char** argv )
+{
+    int exit_code = MBEDTLS_EXIT_FAILURE;
+    FILE *fp;
+    char buf[BUFFER_LEN];
+    char *p = buf;
+    char *end = p + BUFFER_LEN;
+    int c;
+
+    if( argc != 2 )
+    {
+        mbedtls_printf( "This program takes exactly 1 agument\n" );
+        usage();
+        return( exit_code );
+    }
+
+    fp = fopen( argv[1], "r" );
+    if( fp == NULL )
+    {
+        mbedtls_printf( "Could not open file '%s'\n", argv[1] );
+        return( exit_code );
+    }
+
+    while( ( c = fgetc( fp ) ) != EOF && p < end - 1 )
+        *p++ = (char)c;
+    *p = '\0';
+
+    if( p - buf != 0 )
+    {
+        mbedtls_printf( "%s\n", buf );
+        exit_code = MBEDTLS_EXIT_SUCCESS;
+    }
+    else
+        mbedtls_printf( "The file is empty!\n" );
+
+    fclose( fp );
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+    return( exit_code );
+}
diff --git a/3rdparty/mbedtls/mbedtls/programs/util/pem2der.c b/3rdparty/mbedtls/mbedtls/programs/util/pem2der.c
index 73a9fb5e09..0cc9d06644 100644
--- a/3rdparty/mbedtls/mbedtls/programs/util/pem2der.c
+++ b/3rdparty/mbedtls/mbedtls/programs/util/pem2der.c
@@ -33,6 +33,7 @@
 #define mbedtls_free            free
 #define mbedtls_calloc          calloc
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -63,6 +64,19 @@ int main( void )
     return( 0 );
 }
 #else
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+#define mbedtls_exit            exit
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 /*
  * global options
  */
diff --git a/3rdparty/mbedtls/mbedtls/programs/x509/cert_app.c b/3rdparty/mbedtls/mbedtls/programs/x509/cert_app.c
index c57ecca031..626c4d101e 100644
--- a/3rdparty/mbedtls/mbedtls/programs/x509/cert_app.c
+++ b/3rdparty/mbedtls/mbedtls/programs/x509/cert_app.c
@@ -34,6 +34,7 @@
 #define mbedtls_time_t          time_t
 #define mbedtls_fprintf         fprintf
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -99,6 +100,18 @@ int main( void )
     "    permissive=%%d       default: 0 (disabled)\n"  \
     "\n"
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#define mbedtls_exit            exit
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 /*
  * global options
  */
diff --git a/3rdparty/mbedtls/mbedtls/programs/x509/cert_req.c b/3rdparty/mbedtls/mbedtls/programs/x509/cert_req.c
index 784f719330..b2052ecf16 100644
--- a/3rdparty/mbedtls/mbedtls/programs/x509/cert_req.c
+++ b/3rdparty/mbedtls/mbedtls/programs/x509/cert_req.c
@@ -31,6 +31,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -59,6 +60,7 @@ int main( void )
 #include <string.h>
 
 #define DFL_FILENAME            "keyfile.key"
+#define DFL_PASSWORD            NULL
 #define DFL_DEBUG_LEVEL         0
 #define DFL_OUTPUT_FILENAME     "cert.req"
 #define DFL_SUBJECT_NAME        "CN=Cert,O=mbed TLS,C=UK"
@@ -72,6 +74,7 @@ int main( void )
     "\n usage: cert_req param=<>...\n"                  \
     "\n acceptable parameters:\n"                       \
     "    filename=%%s         default: keyfile.key\n"   \
+    "    password=%%s         default: NULL\n"          \
     "    debug_level=%%d      default: 0 (disabled)\n"  \
     "    output_file=%%s      default: cert.req\n"      \
     "    subject_name=%%s     default: CN=Cert,O=mbed TLS,C=UK\n"   \
@@ -104,12 +107,24 @@ int main( void )
     "                          SHA384, SHA512\n"       \
     "\n"
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 /*
  * global options
  */
 struct options
 {
     const char *filename;       /* filename of the key file             */
+    const char *password;       /* password for the key file            */
     int debug_level;            /* level of debugging                   */
     const char *output_file;    /* where to store the constructed key file  */
     const char *subject_name;   /* subject name for certificate request */
@@ -178,6 +193,7 @@ int main( int argc, char *argv[] )
     }
 
     opt.filename            = DFL_FILENAME;
+    opt.password            = DFL_PASSWORD;
     opt.debug_level         = DFL_DEBUG_LEVEL;
     opt.output_file         = DFL_OUTPUT_FILENAME;
     opt.subject_name        = DFL_SUBJECT_NAME;
@@ -197,6 +213,8 @@ int main( int argc, char *argv[] )
 
         if( strcmp( p, "filename" ) == 0 )
             opt.filename = q;
+        else if( strcmp( p, "password" ) == 0 )
+            opt.password = q;
         else if( strcmp( p, "output_file" ) == 0 )
             opt.output_file = q;
         else if( strcmp( p, "debug_level" ) == 0 )
@@ -385,7 +403,7 @@ int main( int argc, char *argv[] )
     mbedtls_printf( "  . Loading the private key ..." );
     fflush( stdout );
 
-    ret = mbedtls_pk_parse_keyfile( &key, opt.filename, NULL );
+    ret = mbedtls_pk_parse_keyfile( &key, opt.filename, opt.password );
 
     if( ret != 0 )
     {
diff --git a/3rdparty/mbedtls/mbedtls/programs/x509/cert_write.c b/3rdparty/mbedtls/mbedtls/programs/x509/cert_write.c
index adade1c868..497c3376b6 100644
--- a/3rdparty/mbedtls/mbedtls/programs/x509/cert_write.c
+++ b/3rdparty/mbedtls/mbedtls/programs/x509/cert_write.c
@@ -31,6 +31,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -153,6 +154,18 @@ int main( void )
     "                            object_signing_ca\n"     \
     "\n"
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#define mbedtls_exit            exit
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 /*
  * global options
  */
@@ -614,11 +627,7 @@ int main( int argc, char *argv[] )
     //
     if( strlen( opt.issuer_crt ) )
     {
-        if( !mbedtls_pk_can_do( &issuer_crt.pk, MBEDTLS_PK_RSA ) ||
-            mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->N,
-                         &mbedtls_pk_rsa( *issuer_key )->N ) != 0 ||
-            mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->E,
-                         &mbedtls_pk_rsa( *issuer_key )->E ) != 0 )
+        if( mbedtls_pk_check_pair( &issuer_crt.pk, issuer_key ) != 0 )
         {
             mbedtls_printf( " failed\n  !  issuer_key does not match "
                             "issuer certificate\n\n" );
diff --git a/3rdparty/mbedtls/mbedtls/programs/x509/crl_app.c b/3rdparty/mbedtls/mbedtls/programs/x509/crl_app.c
index f8316835fb..a95157067e 100644
--- a/3rdparty/mbedtls/mbedtls/programs/x509/crl_app.c
+++ b/3rdparty/mbedtls/mbedtls/programs/x509/crl_app.c
@@ -31,6 +31,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -60,6 +61,18 @@ int main( void )
     "    filename=%%s         default: crl.pem\n"      \
     "\n"
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#define mbedtls_exit            exit
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 /*
  * global options
  */
diff --git a/3rdparty/mbedtls/mbedtls/programs/x509/req_app.c b/3rdparty/mbedtls/mbedtls/programs/x509/req_app.c
index 0f20c85f59..04ad119f79 100644
--- a/3rdparty/mbedtls/mbedtls/programs/x509/req_app.c
+++ b/3rdparty/mbedtls/mbedtls/programs/x509/req_app.c
@@ -31,6 +31,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #define mbedtls_printf          printf
+#define mbedtls_exit            exit
 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
 #endif /* MBEDTLS_PLATFORM_C */
@@ -60,6 +61,18 @@ int main( void )
     "    filename=%%s         default: cert.req\n"      \
     "\n"
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#define mbedtls_exit            exit
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    mbedtls_printf( "%s:%i: Input param failed - %s\n",
+                    file, line, failure_condition );
+    mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+}
+#endif
+
 /*
  * global options
  */
diff --git a/3rdparty/mbedtls/mbedtls/scripts/bump_version.sh b/3rdparty/mbedtls/mbedtls/scripts/bump_version.sh
index fc8b800c44..c39a86a5e7 100755
--- a/3rdparty/mbedtls/mbedtls/scripts/bump_version.sh
+++ b/3rdparty/mbedtls/mbedtls/scripts/bump_version.sh
@@ -132,6 +132,9 @@ done
 [ $VERBOSE ] && echo "Re-generating library/error.c"
 scripts/generate_errors.pl
 
+[ $VERBOSE ] && echo "Re-generating programs/ssl/query_config.c"
+scripts/generate_query_config.pl
+
 [ $VERBOSE ] && echo "Re-generating library/version_features.c"
 scripts/generate_features.pl
 
diff --git a/3rdparty/mbedtls/mbedtls/scripts/config.pl b/3rdparty/mbedtls/mbedtls/scripts/config.pl
index ab4322bab3..42ec6f81b5 100755
--- a/3rdparty/mbedtls/mbedtls/scripts/config.pl
+++ b/3rdparty/mbedtls/mbedtls/scripts/config.pl
@@ -97,6 +97,7 @@
 MBEDTLS_ZLIB_SUPPORT
 MBEDTLS_PKCS11_C
 MBEDTLS_NO_UDBL_DIVISION
+MBEDTLS_NO_64BIT_MULTIPLICATION
 _ALT\s*$
 );
 
diff --git a/3rdparty/mbedtls/mbedtls/scripts/data_files/query_config.fmt b/3rdparty/mbedtls/mbedtls/scripts/data_files/query_config.fmt
new file mode 100644
index 0000000000..064da4c388
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/scripts/data_files/query_config.fmt
@@ -0,0 +1,139 @@
+/*
+ *  Query Mbed TLS compile time configurations from config.h
+ *
+ *  Copyright (C) 2018, Arm Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+
+/*
+ * Include all the headers with public APIs in case they define a macro to its
+ * default value when that configuration is not set in the config.h.
+ */
+#include "mbedtls/aes.h"
+#include "mbedtls/aesni.h"
+#include "mbedtls/arc4.h"
+#include "mbedtls/aria.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/base64.h"
+#include "mbedtls/bignum.h"
+#include "mbedtls/blowfish.h"
+#include "mbedtls/camellia.h"
+#include "mbedtls/ccm.h"
+#include "mbedtls/certs.h"
+#include "mbedtls/chacha20.h"
+#include "mbedtls/chachapoly.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/cmac.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/debug.h"
+#include "mbedtls/des.h"
+#include "mbedtls/dhm.h"
+#include "mbedtls/ecdh.h"
+#include "mbedtls/ecdsa.h"
+#include "mbedtls/ecjpake.h"
+#include "mbedtls/ecp.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/entropy_poll.h"
+#include "mbedtls/error.h"
+#include "mbedtls/gcm.h"
+#include "mbedtls/havege.h"
+#include "mbedtls/hkdf.h"
+#include "mbedtls/hmac_drbg.h"
+#include "mbedtls/md.h"
+#include "mbedtls/md2.h"
+#include "mbedtls/md4.h"
+#include "mbedtls/md5.h"
+#include "mbedtls/memory_buffer_alloc.h"
+#include "mbedtls/net_sockets.h"
+#include "mbedtls/nist_kw.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/padlock.h"
+#include "mbedtls/pem.h"
+#include "mbedtls/pk.h"
+#include "mbedtls/pkcs11.h"
+#include "mbedtls/pkcs12.h"
+#include "mbedtls/pkcs5.h"
+#include "mbedtls/platform_time.h"
+#include "mbedtls/platform_util.h"
+#include "mbedtls/poly1305.h"
+#include "mbedtls/ripemd160.h"
+#include "mbedtls/rsa.h"
+#include "mbedtls/sha1.h"
+#include "mbedtls/sha256.h"
+#include "mbedtls/sha512.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_cache.h"
+#include "mbedtls/ssl_ciphersuites.h"
+#include "mbedtls/ssl_cookie.h"
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/ssl_ticket.h"
+#include "mbedtls/threading.h"
+#include "mbedtls/timing.h"
+#include "mbedtls/version.h"
+#include "mbedtls/x509.h"
+#include "mbedtls/x509_crl.h"
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/x509_csr.h"
+#include "mbedtls/xtea.h"
+
+#include <string.h>
+
+/*
+ * Helper macros to convert a macro or its expansion into a string
+ * WARNING: This does not work for expanding function-like macros. However,
+ * Mbed TLS does not currently have configuration options used in this fashion.
+ */
+#define MACRO_EXPANSION_TO_STR(macro)   MACRO_NAME_TO_STR(macro)
+#define MACRO_NAME_TO_STR(macro)                                        \
+    mbedtls_printf( "%s", strlen( #macro "" ) > 0 ? #macro "\n" : "" )
+
+#if defined(_MSC_VER)
+/*
+ * Visual Studio throws the warning 4003 because many Mbed TLS feature macros
+ * are defined empty. This means that from the preprocessor's point of view
+ * the macro MBEDTLS_EXPANSION_TO_STR is being invoked without arguments as
+ * some macros expand to nothing. We suppress that specific warning to get a
+ * clean build and to ensure that tests treating warnings as errors do not
+ * fail.
+ */
+#pragma warning(push)
+#pragma warning(disable:4003)
+#endif /* _MSC_VER */
+
+int query_config( const char *config )
+{
+CHECK_CONFIG    /* If the symbol is not found, return an error */
+    return( 1 );
+}
+
+#if defined(_MSC_VER)
+#pragma warning(pop)
+#endif /* _MSC_VER */
diff --git a/3rdparty/mbedtls/mbedtls/scripts/data_files/vs2010-app-template.vcxproj b/3rdparty/mbedtls/mbedtls/scripts/data_files/vs2010-app-template.vcxproj
index de18f9d85d..fac9812e63 100644
--- a/3rdparty/mbedtls/mbedtls/scripts/data_files/vs2010-app-template.vcxproj
+++ b/3rdparty/mbedtls/mbedtls/scripts/data_files/vs2010-app-template.vcxproj
@@ -18,8 +18,7 @@
       <Platform>x64</Platform>
     </ProjectConfiguration>
   </ItemGroup>
-  <ItemGroup>
-    <ClCompile Include="..\..\programs\<PATHNAME>.c" />
+  <ItemGroup>
<SOURCES>
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="mbedTLS.vcxproj">
diff --git a/3rdparty/mbedtls/mbedtls/scripts/footprint.sh b/3rdparty/mbedtls/mbedtls/scripts/footprint.sh
index d38e50af27..c08ef1c902 100755
--- a/3rdparty/mbedtls/mbedtls/scripts/footprint.sh
+++ b/3rdparty/mbedtls/mbedtls/scripts/footprint.sh
@@ -11,7 +11,6 @@
 #
 # Configurations included:
 #   default    include/mbedtls/config.h
-#   yotta      yotta/module/mbedtls/config.h
 #   thread     configs/config-thread.h
 #   suite-b    configs/config-suite-b.h
 #   psk        configs/config-ccm-psk-tls1_2.h
@@ -102,11 +101,7 @@ log "mbed TLS $MBEDTLS_VERSION$GIT_VERSION"
 log "$( arm-none-eabi-gcc --version | head -n1 )"
 log "CFLAGS=$ARMGCC_FLAGS"
 
-# creates the yotta config
-yotta/create-module.sh >/dev/null
-
 doit default    include/mbedtls/config.h
-doit yotta      yotta/module/mbedtls/config.h
 doit thread     configs/config-thread.h
 doit suite-b    configs/config-suite-b.h
 doit psk        configs/config-ccm-psk-tls1_2.h
diff --git a/3rdparty/mbedtls/mbedtls/scripts/generate_errors.pl b/3rdparty/mbedtls/mbedtls/scripts/generate_errors.pl
index 4f0ad31f1b..0c1f7e16ec 100755
--- a/3rdparty/mbedtls/mbedtls/scripts/generate_errors.pl
+++ b/3rdparty/mbedtls/mbedtls/scripts/generate_errors.pl
@@ -29,10 +29,10 @@
 
 my $error_format_file = $data_dir.'/error.fmt';
 
-my @low_level_modules = qw( AES ARC4 ASN1 BASE64 BIGNUM BLOWFISH
-                            CAMELLIA CCM CMAC CTR_DRBG DES
-                            ENTROPY GCM HMAC_DRBG MD2 MD4 MD5
-                            NET OID PADLOCK PBKDF2 RIPEMD160
+my @low_level_modules = qw( AES ARC4 ARIA ASN1 BASE64 BIGNUM BLOWFISH
+                            CAMELLIA CCM CHACHA20 CHACHAPOLY CMAC CTR_DRBG DES
+                            ENTROPY GCM HKDF HMAC_DRBG MD2 MD4 MD5
+                            NET OID PADLOCK PBKDF2 PLATFORM POLY1305 RIPEMD160
                             SHA1 SHA256 SHA512 THREADING XTEA );
 my @high_level_modules = qw( CIPHER DHM ECP MD
                              PEM PK PKCS12 PKCS5
diff --git a/3rdparty/mbedtls/mbedtls/scripts/generate_query_config.pl b/3rdparty/mbedtls/mbedtls/scripts/generate_query_config.pl
new file mode 100755
index 0000000000..f15e03a358
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/scripts/generate_query_config.pl
@@ -0,0 +1,75 @@
+#! /usr/bin/env perl
+
+# Generate query_config.c
+#
+# The file query_config.c contains a C function that can be used to check if
+# a configuration macro is defined and to retrieve its expansion in string
+# form (if any). This facilitates querying the compile time configuration of
+# the library, for example, for testing.
+#
+# The query_config.c is generated from the current configuration at
+# include/mbedtls/config.h. The idea is that the config.h contains ALL the
+# compile time configurations available in Mbed TLS (commented or uncommented).
+# This script extracts the configuration macros from the config.h and this
+# information is used to automatically generate the body of the query_config()
+# function by using the template in scripts/data_files/query_config.fmt.
+#
+# Usage: ./scripts/generate_query_config.pl without arguments
+
+use strict;
+
+my $config_file = "./include/mbedtls/config.h";
+
+my $query_config_format_file = "./scripts/data_files/query_config.fmt";
+my $query_config_file = "./programs/ssl/query_config.c";
+
+# Excluded macros from the generated query_config.c. For example, macros that
+# have commas or function-like macros cannot be transformed into strings easily
+# using the preprocessor, so they should be excluded or the preprocessor will
+# throw errors.
+my @excluded = qw(
+MBEDTLS_SSL_CIPHERSUITES
+MBEDTLS_PARAM_FAILED
+);
+my $excluded_re = join '|', @excluded;
+
+open(CONFIG_FILE, "$config_file") or die "Opening config file '$config_file': $!";
+
+# This variable will contain the string to replace in the CHECK_CONFIG of the
+# format file
+my $config_check = "";
+
+while (my $line = <CONFIG_FILE>) {
+    if ($line =~ /^(\/\/)?\s*#\s*define\s+(MBEDTLS_\w+).*/) {
+        my $name = $2;
+
+        # Skip over the macro that prevents multiple inclusion
+        next if "MBEDTLS_CONFIG_H" eq $name;
+
+        # Skip over the macro if it is in the ecluded list
+        next if $name =~ /$excluded_re/;
+
+        $config_check .= "#if defined($name)\n";
+        $config_check .= "    if( strcmp( \"$name\", config ) == 0 )\n";
+        $config_check .= "    {\n";
+        $config_check .= "        MACRO_EXPANSION_TO_STR( $name );\n";
+        $config_check .= "        return( 0 );\n";
+        $config_check .= "    }\n";
+        $config_check .= "#endif /* $name */\n";
+        $config_check .= "\n";
+    }
+}
+
+# Read the full format file into a string
+local $/;
+open(FORMAT_FILE, "$query_config_format_file") or die "Opening query config format file '$query_config_format_file': $!";
+my $query_config_format = <FORMAT_FILE>;
+close(FORMAT_FILE);
+
+# Replace the body of the query_config() function with the code we just wrote
+$query_config_format =~ s/CHECK_CONFIG/$config_check/g;
+
+# Rewrite the query_config.c file
+open(QUERY_CONFIG_FILE, ">$query_config_file") or die "Opening destination file '$query_config_file': $!";
+print QUERY_CONFIG_FILE $query_config_format;
+close(QUERY_CONFIG_FILE);
diff --git a/3rdparty/mbedtls/mbedtls/scripts/generate_visualc_files.pl b/3rdparty/mbedtls/mbedtls/scripts/generate_visualc_files.pl
index 811c71f474..9913976749 100755
--- a/3rdparty/mbedtls/mbedtls/scripts/generate_visualc_files.pl
+++ b/3rdparty/mbedtls/mbedtls/scripts/generate_visualc_files.pl
@@ -93,8 +93,14 @@ sub gen_app {
     $path =~ s!/!\\!g;
     (my $appname = $path) =~ s/.*\\//;
 
+    my $srcs = "\n    <ClCompile Include=\"..\\..\\programs\\$path.c\" \/>\r";
+    if( $appname eq "ssl_client2" or $appname eq "ssl_server2" or
+        $appname eq "query_compile_time_config" ) {
+        $srcs .= "\n    <ClCompile Include=\"..\\..\\programs\\ssl\\query_config.c\" \/>\r";
+    }
+
     my $content = $template;
-    $content =~ s/<PATHNAME>/$path/g;
+    $content =~ s/<SOURCES>/$srcs/g;
     $content =~ s/<APPNAME>/$appname/g;
     $content =~ s/<GUID>/$guid/g;
 
diff --git a/3rdparty/mbedtls/mbedtls/scripts/output_env.sh b/3rdparty/mbedtls/mbedtls/scripts/output_env.sh
index e9ad8c5d7a..c809d46fe3 100755
--- a/3rdparty/mbedtls/mbedtls/scripts/output_env.sh
+++ b/3rdparty/mbedtls/mbedtls/scripts/output_env.sh
@@ -83,6 +83,11 @@ if [ -n "${OPENSSL_LEGACY+set}" ]; then
     echo
 fi
 
+if [ -n "${OPENSSL_NEXT+set}" ]; then
+    print_version "$OPENSSL_NEXT" "version" "openssl next version not found!"
+    echo
+fi
+
 : ${GNUTLS_CLI:=gnutls-cli}
 print_version "$GNUTLS_CLI" "--version" "gnuTLS client not found!" "head -n 1"
 echo
diff --git a/3rdparty/mbedtls/mbedtls/tests/CMakeLists.txt b/3rdparty/mbedtls/mbedtls/tests/CMakeLists.txt
index 0f3c58f6a8..a8e7523e50 100644
--- a/3rdparty/mbedtls/mbedtls/tests/CMakeLists.txt
+++ b/3rdparty/mbedtls/mbedtls/tests/CMakeLists.txt
@@ -15,6 +15,11 @@ if(NOT PERL_FOUND)
     message(FATAL_ERROR "Cannot build test suites without Perl")
 endif()
 
+# Enable definition of various functions used throughout the testsuite
+# (gethostname, strdup, fileno...) even when compiling with -std=c99. Harmless
+# on non-POSIX platforms.
+add_definitions("-D_POSIX_C_SOURCE=200809L")
+
 # Test suites caught by SKIP_TEST_SUITES are built but not executed.
 # "foo" as a skip pattern skips "test_suite_foo" and "test_suite_foo.bar"
 # but not "test_suite_foobar".
@@ -31,8 +36,8 @@ function(add_test_suite suite_name)
 
     add_custom_command(
         OUTPUT test_suite_${data_name}.c
-        COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_code.pl ${CMAKE_CURRENT_SOURCE_DIR}/suites test_suite_${suite_name} test_suite_${data_name}
-        DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_code.pl mbedtls suites/helpers.function suites/main_test.function suites/test_suite_${suite_name}.function suites/test_suite_${data_name}.data
+        COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_test_code.py -f ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function -d ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${data_name}.data -t ${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function -p ${CMAKE_CURRENT_SOURCE_DIR}/suites/host_test.function -s ${CMAKE_CURRENT_SOURCE_DIR}/suites --helpers-file ${CMAKE_CURRENT_SOURCE_DIR}/suites/helpers.function -o .
+        DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_test_code.py mbedtls ${CMAKE_CURRENT_SOURCE_DIR}/suites/helpers.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/host_test.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${data_name}.data
     )
 
     include_directories(${CMAKE_CURRENT_SOURCE_DIR})
@@ -58,20 +63,28 @@ endif(MSVC)
 add_test_suite(aes aes.ecb)
 add_test_suite(aes aes.cbc)
 add_test_suite(aes aes.cfb)
+add_test_suite(aes aes.ofb)
 add_test_suite(aes aes.rest)
+add_test_suite(aes aes.xts)
 add_test_suite(arc4)
+add_test_suite(aria)
 add_test_suite(asn1write)
 add_test_suite(base64)
 add_test_suite(blowfish)
 add_test_suite(camellia)
 add_test_suite(ccm)
+add_test_suite(chacha20)
+add_test_suite(chachapoly)
 add_test_suite(cipher cipher.aes)
 add_test_suite(cipher cipher.arc4)
 add_test_suite(cipher cipher.blowfish)
 add_test_suite(cipher cipher.camellia)
 add_test_suite(cipher cipher.ccm)
+add_test_suite(cipher cipher.chacha20)
+add_test_suite(cipher cipher.chachapoly)
 add_test_suite(cipher cipher.des)
 add_test_suite(cipher cipher.gcm)
+add_test_suite(cipher cipher.misc)
 add_test_suite(cipher cipher.null)
 add_test_suite(cipher cipher.padding)
 add_test_suite(cmac)
@@ -92,6 +105,8 @@ add_test_suite(gcm gcm.aes128_de)
 add_test_suite(gcm gcm.aes192_de)
 add_test_suite(gcm gcm.aes256_de)
 add_test_suite(gcm gcm.camellia)
+add_test_suite(gcm gcm.misc)
+add_test_suite(hkdf)
 add_test_suite(hmac_drbg hmac_drbg.misc)
 add_test_suite(hmac_drbg hmac_drbg.no_reseed)
 add_test_suite(hmac_drbg hmac_drbg.nopr)
@@ -100,6 +115,7 @@ add_test_suite(md)
 add_test_suite(mdx)
 add_test_suite(memory_buffer_alloc)
 add_test_suite(mpi)
+add_test_suite(nist_kw)
 add_test_suite(pem)
 add_test_suite(pkcs1_v15)
 add_test_suite(pkcs1_v21)
@@ -107,6 +123,7 @@ add_test_suite(pkcs5)
 add_test_suite(pk)
 add_test_suite(pkparse)
 add_test_suite(pkwrite)
+add_test_suite(poly1305)
 add_test_suite(shax)
 add_test_suite(ssl)
 add_test_suite(timing)
diff --git a/3rdparty/mbedtls/mbedtls/tests/Makefile b/3rdparty/mbedtls/mbedtls/tests/Makefile
index 03f1a7f2fc..4ef74177b9 100644
--- a/3rdparty/mbedtls/mbedtls/tests/Makefile
+++ b/3rdparty/mbedtls/mbedtls/tests/Makefile
@@ -7,11 +7,16 @@ WARNING_CFLAGS ?= -Wall -W -Wdeclaration-after-statement -Wno-unused-function -W
 LDFLAGS ?=
 
 LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64
-LOCAL_LDFLAGS = -L../library 			\
+LOCAL_LDFLAGS = -L../library			\
 		-lmbedtls$(SHARED_SUFFIX)	\
 		-lmbedx509$(SHARED_SUFFIX)	\
 		-lmbedcrypto$(SHARED_SUFFIX)
 
+# Enable definition of various functions used throughout the testsuite
+# (gethostname, strdup, fileno...) even when compiling with -std=c99. Harmless
+# on non-POSIX platforms.
+LOCAL_CFLAGS += -D_POSIX_C_SOURCE=200809L
+
 ifndef SHARED
 DEP=../library/libmbedcrypto.a ../library/libmbedx509.a ../library/libmbedtls.a
 else
@@ -34,10 +39,13 @@ LOCAL_LDFLAGS += -lws2_32
 ifdef SHARED
 SHARED_SUFFIX=.$(DLEXT)
 endif
+PYTHON ?= python
 else
 DLEXT ?= so
 EXEXT=
 SHARED_SUFFIX=
+# python2 for POSIX since FreeBSD has only python2 as default.
+PYTHON ?= python2
 endif
 
 # Zlib shared library extensions:
@@ -45,407 +53,87 @@ ifdef ZLIB
 LOCAL_LDFLAGS += -lz
 endif
 
-APPS =	test_suite_aes.ecb$(EXEXT)	test_suite_aes.cbc$(EXEXT)	\
-	test_suite_aes.cfb$(EXEXT)	test_suite_aes.rest$(EXEXT)	\
-	test_suite_arc4$(EXEXT)		test_suite_asn1write$(EXEXT)	\
-	test_suite_base64$(EXEXT)	test_suite_blowfish$(EXEXT)	\
-	test_suite_camellia$(EXEXT)	test_suite_ccm$(EXEXT)		\
-	test_suite_cmac$(EXEXT)						\
-	test_suite_cipher.aes$(EXEXT)					\
-	test_suite_cipher.arc4$(EXEXT)	test_suite_cipher.ccm$(EXEXT)	\
-	test_suite_cipher.gcm$(EXEXT)					\
-	test_suite_cipher.blowfish$(EXEXT)				\
-	test_suite_cipher.camellia$(EXEXT)				\
-	test_suite_cipher.des$(EXEXT)	test_suite_cipher.null$(EXEXT)	\
-	test_suite_cipher.padding$(EXEXT)				\
-	test_suite_ctr_drbg$(EXEXT)	test_suite_debug$(EXEXT)	\
-	test_suite_des$(EXEXT)		test_suite_dhm$(EXEXT)		\
-	test_suite_ecdh$(EXEXT)		test_suite_ecdsa$(EXEXT)	\
-	test_suite_ecjpake$(EXEXT)	test_suite_ecp$(EXEXT)		\
-	test_suite_error$(EXEXT)	test_suite_entropy$(EXEXT)	\
-	test_suite_gcm.aes128_de$(EXEXT)				\
-	test_suite_gcm.aes192_de$(EXEXT)				\
-	test_suite_gcm.aes256_de$(EXEXT)				\
-	test_suite_gcm.aes128_en$(EXEXT)				\
-	test_suite_gcm.aes192_en$(EXEXT)				\
-	test_suite_gcm.aes256_en$(EXEXT)				\
-	test_suite_gcm.camellia$(EXEXT)					\
-	test_suite_hmac_drbg.misc$(EXEXT)				\
-	test_suite_hmac_drbg.no_reseed$(EXEXT)				\
-	test_suite_hmac_drbg.nopr$(EXEXT)				\
-	test_suite_hmac_drbg.pr$(EXEXT)					\
-	test_suite_md$(EXEXT)		test_suite_mdx$(EXEXT)		\
-	test_suite_memory_buffer_alloc$(EXEXT)				\
-	test_suite_mpi$(EXEXT)						\
-	test_suite_pem$(EXEXT)			test_suite_pkcs1_v15$(EXEXT)	\
-	test_suite_pkcs1_v21$(EXEXT)	test_suite_pkcs5$(EXEXT)	\
-	test_suite_pkparse$(EXEXT)	test_suite_pkwrite$(EXEXT)	\
-	test_suite_pk$(EXEXT)						\
-	test_suite_rsa$(EXEXT)		test_suite_shax$(EXEXT)		\
-	test_suite_ssl$(EXEXT)		test_suite_timing$(EXEXT)			\
-	test_suite_x509parse$(EXEXT)	test_suite_x509write$(EXEXT)	\
-	test_suite_xtea$(EXEXT)		test_suite_version$(EXEXT)
+# A test application is built for each suites/test_suite_*.data file.
+# Application name is same as .data file's base name and can be
+# constructed by stripping path 'suites/' and extension .data.
+APPS = $(basename $(subst suites/,,$(wildcard suites/test_suite_*.data)))
+
+# Construct executable name by adding OS specific suffix $(EXEXT).
+BINARIES := $(addsuffix $(EXEXT),$(APPS))
 
 .SILENT:
 
 .PHONY: all check test clean
 
-all: $(APPS)
+all: $(BINARIES)
 
 $(DEP):
 	$(MAKE) -C ../library
 
-# invoke perl explicitly for the sake of mingw32-make
-
-test_suite_aes.ecb.c : suites/test_suite_aes.function suites/test_suite_aes.ecb.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_aes test_suite_aes.ecb
-
-test_suite_aes.cbc.c : suites/test_suite_aes.function suites/test_suite_aes.cbc.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_aes test_suite_aes.cbc
-
-test_suite_aes.cfb.c : suites/test_suite_aes.function suites/test_suite_aes.cfb.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_aes test_suite_aes.cfb
-
-test_suite_aes.rest.c : suites/test_suite_aes.function suites/test_suite_aes.rest.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_aes test_suite_aes.rest
-
-test_suite_cipher.aes.c : suites/test_suite_cipher.function suites/test_suite_cipher.aes.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_cipher test_suite_cipher.aes
-
-test_suite_cipher.arc4.c : suites/test_suite_cipher.function suites/test_suite_cipher.arc4.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_cipher test_suite_cipher.arc4
-
-test_suite_cipher.ccm.c : suites/test_suite_cipher.function suites/test_suite_cipher.ccm.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_cipher test_suite_cipher.ccm
-
-test_suite_cipher.gcm.c : suites/test_suite_cipher.function suites/test_suite_cipher.gcm.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_cipher test_suite_cipher.gcm
-
-test_suite_cipher.blowfish.c : suites/test_suite_cipher.function suites/test_suite_cipher.blowfish.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_cipher test_suite_cipher.blowfish
-
-test_suite_cipher.camellia.c : suites/test_suite_cipher.function suites/test_suite_cipher.camellia.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_cipher test_suite_cipher.camellia
-
-test_suite_cipher.des.c : suites/test_suite_cipher.function suites/test_suite_cipher.des.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_cipher test_suite_cipher.des
-
-test_suite_cipher.null.c : suites/test_suite_cipher.function suites/test_suite_cipher.null.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_cipher test_suite_cipher.null
-
-test_suite_cipher.padding.c : suites/test_suite_cipher.function suites/test_suite_cipher.padding.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_cipher test_suite_cipher.padding
-
-test_suite_gcm.aes128_de.c : suites/test_suite_gcm.function suites/test_suite_gcm.aes128_de.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_gcm test_suite_gcm.aes128_de
-
-test_suite_gcm.aes192_de.c : suites/test_suite_gcm.function suites/test_suite_gcm.aes192_de.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_gcm test_suite_gcm.aes192_de
-
-test_suite_gcm.aes256_de.c : suites/test_suite_gcm.function suites/test_suite_gcm.aes256_de.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_gcm test_suite_gcm.aes256_de
-
-test_suite_gcm.aes128_en.c : suites/test_suite_gcm.function suites/test_suite_gcm.aes128_en.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_gcm test_suite_gcm.aes128_en
-
-test_suite_gcm.aes192_en.c : suites/test_suite_gcm.function suites/test_suite_gcm.aes192_en.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_gcm test_suite_gcm.aes192_en
-
-test_suite_gcm.aes256_en.c : suites/test_suite_gcm.function suites/test_suite_gcm.aes256_en.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_gcm test_suite_gcm.aes256_en
-
-test_suite_gcm.camellia.c : suites/test_suite_gcm.function suites/test_suite_gcm.camellia.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_gcm test_suite_gcm.camellia
-
-test_suite_hmac_drbg.misc.c : suites/test_suite_hmac_drbg.function suites/test_suite_hmac_drbg.misc.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_hmac_drbg test_suite_hmac_drbg.misc
+C_FILES := $(addsuffix .c,$(APPS))
 
-test_suite_hmac_drbg.no_reseed.c : suites/test_suite_hmac_drbg.function suites/test_suite_hmac_drbg.no_reseed.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
+# Wildcard target for test code generation:
+# A .c file is generated for each .data file in the suites/ directory. Each .c
+# file depends on a .data and .function file from suites/ directory. Following
+# nameing convention is followed:
+#
+#     C file        |        Depends on
+#-----------------------------------------------------------------------------
+#  foo.c            | suites/foo.function suites/foo.data
+#  foo.bar.c        | suites/foo.function suites/foo.bar.data
+#
+# Note above that .c and .data files have same base name.
+# However, corresponding .function file's base name is the word before first
+# dot in .c file's base name.
+#
+.SECONDEXPANSION:
+%.c: suites/$$(firstword $$(subst ., ,$$*)).function suites/%.data scripts/generate_test_code.py suites/helpers.function suites/main_test.function suites/host_test.function
 	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_hmac_drbg test_suite_hmac_drbg.no_reseed
-
-test_suite_hmac_drbg.nopr.c : suites/test_suite_hmac_drbg.function suites/test_suite_hmac_drbg.nopr.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_hmac_drbg test_suite_hmac_drbg.nopr
-
-test_suite_hmac_drbg.pr.c : suites/test_suite_hmac_drbg.function suites/test_suite_hmac_drbg.pr.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites test_suite_hmac_drbg test_suite_hmac_drbg.pr
-
-%.c : suites/%.function suites/%.data scripts/generate_code.pl suites/helpers.function suites/main_test.function
-	echo "  Gen   $@"
-	perl scripts/generate_code.pl suites $* $*
-
-test_suite_aes.ecb$(EXEXT): test_suite_aes.ecb.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_aes.cbc$(EXEXT): test_suite_aes.cbc.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_aes.cfb$(EXEXT): test_suite_aes.cfb.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_aes.rest$(EXEXT): test_suite_aes.rest.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_arc4$(EXEXT): test_suite_arc4.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_asn1write$(EXEXT): test_suite_asn1write.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_base64$(EXEXT): test_suite_base64.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_blowfish$(EXEXT): test_suite_blowfish.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_camellia$(EXEXT): test_suite_camellia.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_ccm$(EXEXT): test_suite_ccm.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_cmac$(EXEXT): test_suite_cmac.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_cipher.aes$(EXEXT): test_suite_cipher.aes.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_cipher.arc4$(EXEXT): test_suite_cipher.arc4.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_cipher.ccm$(EXEXT): test_suite_cipher.ccm.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+	$(PYTHON) scripts/generate_test_code.py -f suites/$(firstword $(subst ., ,$*)).function \
+		-d suites/$*.data \
+		-t suites/main_test.function \
+		-p suites/host_test.function \
+		-s suites  \
+		--helpers-file suites/helpers.function \
+		-o .
 
-test_suite_cipher.gcm$(EXEXT): test_suite_cipher.gcm.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
-test_suite_cipher.blowfish$(EXEXT): test_suite_cipher.blowfish.c $(DEP)
+$(BINARIES): %$(EXEXT): %.c $(DEP)
 	echo "  CC    $<"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
-test_suite_cipher.camellia$(EXEXT): test_suite_cipher.camellia.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_cipher.des$(EXEXT): test_suite_cipher.des.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_cipher.null$(EXEXT): test_suite_cipher.null.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_cipher.padding$(EXEXT): test_suite_cipher.padding.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_ctr_drbg$(EXEXT): test_suite_ctr_drbg.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_des$(EXEXT): test_suite_des.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_dhm$(EXEXT): test_suite_dhm.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_ecdh$(EXEXT): test_suite_ecdh.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_ecdsa$(EXEXT): test_suite_ecdsa.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_ecjpake$(EXEXT): test_suite_ecjpake.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_ecp$(EXEXT): test_suite_ecp.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_entropy$(EXEXT): test_suite_entropy.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_error$(EXEXT): test_suite_error.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_gcm.aes128_de$(EXEXT): test_suite_gcm.aes128_de.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_gcm.aes192_de$(EXEXT): test_suite_gcm.aes192_de.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_gcm.aes256_de$(EXEXT): test_suite_gcm.aes256_de.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_gcm.aes128_en$(EXEXT): test_suite_gcm.aes128_en.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_gcm.aes192_en$(EXEXT): test_suite_gcm.aes192_en.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_gcm.aes256_en$(EXEXT): test_suite_gcm.aes256_en.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_gcm.camellia$(EXEXT): test_suite_gcm.camellia.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_hmac_drbg.misc$(EXEXT): test_suite_hmac_drbg.misc.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_hmac_drbg.no_reseed$(EXEXT): test_suite_hmac_drbg.no_reseed.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_hmac_drbg.nopr$(EXEXT): test_suite_hmac_drbg.nopr.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_hmac_drbg.pr$(EXEXT): test_suite_hmac_drbg.pr.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_md$(EXEXT): test_suite_md.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_mdx$(EXEXT): test_suite_mdx.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_memory_buffer_alloc$(EXEXT): test_suite_memory_buffer_alloc.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_mpi$(EXEXT): test_suite_mpi.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_pem$(EXEXT): test_suite_pem.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_pkcs1_v15$(EXEXT): test_suite_pkcs1_v15.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_pkcs1_v21$(EXEXT): test_suite_pkcs1_v21.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_pkcs5$(EXEXT): test_suite_pkcs5.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_pkparse$(EXEXT): test_suite_pkparse.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_pkwrite$(EXEXT): test_suite_pkwrite.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_pk$(EXEXT): test_suite_pk.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_rsa$(EXEXT): test_suite_rsa.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_shax$(EXEXT): test_suite_shax.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_ssl$(EXEXT): test_suite_ssl.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_timing$(EXEXT): test_suite_timing.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_x509parse$(EXEXT): test_suite_x509parse.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_x509write$(EXEXT): test_suite_x509write.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_xtea$(EXEXT): test_suite_xtea.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_debug$(EXEXT): test_suite_debug.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
-test_suite_version$(EXEXT): test_suite_version.c $(DEP)
-	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $<	$(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
 clean:
 ifndef WINDOWS
-	rm -f $(APPS) *.c
+	rm -rf $(BINARIES) *.c *.datax TESTS
 else
-	del /Q /F *.c *.exe
+	del /Q /F *.c *.exe *.datax
+ifneq ($(wildcard TESTS/.*),)
+	rmdir /Q /S TESTS
+endif
 endif
 
 # Test suites caught by SKIP_TEST_SUITES are built but not executed.
-check: $(APPS)
+check: $(BINARIES)
 	perl scripts/run-test-suites.pl --skip=$(SKIP_TEST_SUITES)
 
 test: check
+
+# Create separate targets for generating embedded tests.
+EMBEDDED_TESTS := $(addprefix embedded_,$(APPS))
+
+# Generate test code for target.
+
+.SECONDEXPANSION:
+$(EMBEDDED_TESTS): embedded_%: suites/$$(firstword $$(subst ., ,$$*)).function suites/%.data scripts/generate_test_code.py suites/helpers.function suites/main_test.function suites/target_test.function
+	echo "  Gen  ./TESTS/mbedtls/$*/$*.c"
+	$(PYTHON) scripts/generate_test_code.py -f suites/$(firstword $(subst ., ,$*)).function \
+		-d suites/$*.data \
+		-t suites/main_test.function \
+		-p suites/target_test.function \
+		-s suites  \
+		--helpers-file suites/helpers.function \
+		-o ./TESTS/mbedtls/$*
+
+generate-target-tests: $(EMBEDDED_TESTS)
+
diff --git a/3rdparty/mbedtls/mbedtls/tests/compat.sh b/3rdparty/mbedtls/mbedtls/tests/compat.sh
index df499dcf01..35983cd7ec 100755
--- a/3rdparty/mbedtls/mbedtls/tests/compat.sh
+++ b/3rdparty/mbedtls/mbedtls/tests/compat.sh
@@ -42,6 +42,9 @@ if ( which $GNUTLS_CLI && which $GNUTLS_SERV ) >/dev/null 2>&1; then
             PEER_GNUTLS=""
         else
             PEER_GNUTLS=" GnuTLS"
+            if [ $MINOR -lt 4 ]; then
+                GNUTLS_MINOR_LT_FOUR='x'
+            fi
         fi
     fi
 else
@@ -57,8 +60,10 @@ FILTER=""
 # - NULL: excluded from our default config
 # - RC4, single-DES: requires legacy OpenSSL/GnuTLS versions
 #   avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)
+# - ARIA: not in default config.h + requires OpenSSL >= 1.1.1
+# - ChachaPoly: requires OpenSSL >= 1.1.0
 # - 3DES: not in default config
-EXCLUDE='NULL\|DES\|RC4\|ARCFOUR'
+EXCLUDE='NULL\|DES\|RC4\|ARCFOUR\|ARIA\|CHACHA20-POLY1305'
 VERBOSE=""
 MEMCHECK=0
 PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
@@ -231,6 +236,9 @@ reset_ciphersuites()
     G_CIPHERS=""
 }
 
+# Ciphersuites that can be used with all peers.
+# Since we currently have three possible peers, each ciphersuite should appear
+# three times: in each peer's list (with the name that this peer uses).
 add_common_ciphersuites()
 {
     case $TYPE in
@@ -427,6 +435,16 @@ add_common_ciphersuites()
     esac
 }
 
+# Ciphersuites usable only with Mbed TLS and OpenSSL
+# Each ciphersuite should appear two times, once with its OpenSSL name, once
+# with its Mbed TLS name.
+#
+# NOTE: for some reason RSA-PSK doesn't work with OpenSSL,
+# so RSA-PSK ciphersuites need to go in other sections, see
+# https://github.com/ARMmbed/mbedtls/issues/1419
+#
+# ChachaPoly suites are here rather than in "common", as they were added in
+# GnuTLS in 3.5.0 and the CI only has 3.4.x so far.
 add_openssl_ciphersuites()
 {
     case $TYPE in
@@ -456,12 +474,18 @@ add_openssl_ciphersuites()
                     TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384          \
                     TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256          \
                     TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384          \
+                    TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384        \
+                    TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256        \
+                    TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256   \
                     "
                 O_CIPHERS="$O_CIPHERS               \
                     ECDH-ECDSA-AES128-SHA256        \
                     ECDH-ECDSA-AES256-SHA384        \
                     ECDH-ECDSA-AES128-GCM-SHA256    \
                     ECDH-ECDSA-AES256-GCM-SHA384    \
+                    ECDHE-ECDSA-ARIA256-GCM-SHA384  \
+                    ECDHE-ECDSA-ARIA128-GCM-SHA256  \
+                    ECDHE-ECDSA-CHACHA20-POLY1305   \
                     "
             fi
             ;;
@@ -475,13 +499,60 @@ add_openssl_ciphersuites()
                 DES-CBC-SHA                     \
                 EDH-RSA-DES-CBC-SHA             \
                 "
+            if [ `minor_ver "$MODE"` -ge 3 ]
+            then
+                M_CIPHERS="$M_CIPHERS                               \
+                    TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384          \
+                    TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384            \
+                    TLS-RSA-WITH-ARIA-256-GCM-SHA384                \
+                    TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256          \
+                    TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256            \
+                    TLS-RSA-WITH-ARIA-128-GCM-SHA256                \
+                    TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256       \
+                    TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256     \
+                    "
+                O_CIPHERS="$O_CIPHERS               \
+                    ECDHE-ARIA256-GCM-SHA384        \
+                    DHE-RSA-ARIA256-GCM-SHA384      \
+                    ARIA256-GCM-SHA384              \
+                    ECDHE-ARIA128-GCM-SHA256        \
+                    DHE-RSA-ARIA128-GCM-SHA256      \
+                    ARIA128-GCM-SHA256              \
+                    DHE-RSA-CHACHA20-POLY1305       \
+                    ECDHE-RSA-CHACHA20-POLY1305     \
+                    "
+            fi
             ;;
 
         "PSK")
+            if [ `minor_ver "$MODE"` -ge 3 ]
+            then
+                M_CIPHERS="$M_CIPHERS                               \
+                    TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384            \
+                    TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256            \
+                    TLS-PSK-WITH-ARIA-256-GCM-SHA384                \
+                    TLS-PSK-WITH-ARIA-128-GCM-SHA256                \
+                    TLS-PSK-WITH-CHACHA20-POLY1305-SHA256           \
+                    TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256     \
+                    TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256       \
+                    "
+                O_CIPHERS="$O_CIPHERS               \
+                    DHE-PSK-ARIA256-GCM-SHA384      \
+                    DHE-PSK-ARIA128-GCM-SHA256      \
+                    PSK-ARIA256-GCM-SHA384          \
+                    PSK-ARIA128-GCM-SHA256          \
+                    DHE-PSK-CHACHA20-POLY1305       \
+                    ECDHE-PSK-CHACHA20-POLY1305     \
+                    PSK-CHACHA20-POLY1305           \
+                    "
+            fi
             ;;
     esac
 }
 
+# Ciphersuites usable only with Mbed TLS and GnuTLS
+# Each ciphersuite should appear two times, once with its GnuTLS name, once
+# with its Mbed TLS name.
 add_gnutls_ciphersuites()
 {
     case $TYPE in
@@ -494,12 +565,20 @@ add_gnutls_ciphersuites()
                     TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384    \
                     TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256    \
                     TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384    \
+                    TLS-ECDHE-ECDSA-WITH-AES-128-CCM                \
+                    TLS-ECDHE-ECDSA-WITH-AES-256-CCM                \
+                    TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8              \
+                    TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8              \
                    "
                 G_CIPHERS="$G_CIPHERS                               \
                     +ECDHE-ECDSA:+CAMELLIA-128-CBC:+SHA256          \
                     +ECDHE-ECDSA:+CAMELLIA-256-CBC:+SHA384          \
                     +ECDHE-ECDSA:+CAMELLIA-128-GCM:+AEAD            \
                     +ECDHE-ECDSA:+CAMELLIA-256-GCM:+AEAD            \
+                    +ECDHE-ECDSA:+AES-128-CCM:+AEAD                 \
+                    +ECDHE-ECDSA:+AES-256-CCM:+AEAD                 \
+                    +ECDHE-ECDSA:+AES-128-CCM-8:+AEAD               \
+                    +ECDHE-ECDSA:+AES-256-CCM-8:+AEAD               \
                    "
             fi
             ;;
@@ -529,6 +608,14 @@ add_gnutls_ciphersuites()
                     TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384    \
                     TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256        \
                     TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384        \
+                    TLS-RSA-WITH-AES-128-CCM                    \
+                    TLS-RSA-WITH-AES-256-CCM                    \
+                    TLS-DHE-RSA-WITH-AES-128-CCM                \
+                    TLS-DHE-RSA-WITH-AES-256-CCM                \
+                    TLS-RSA-WITH-AES-128-CCM-8                  \
+                    TLS-RSA-WITH-AES-256-CCM-8                  \
+                    TLS-DHE-RSA-WITH-AES-128-CCM-8              \
+                    TLS-DHE-RSA-WITH-AES-256-CCM-8              \
                     "
                 G_CIPHERS="$G_CIPHERS                           \
                     +ECDHE-RSA:+CAMELLIA-128-CBC:+SHA256        \
@@ -543,6 +630,14 @@ add_gnutls_ciphersuites()
                     +DHE-RSA:+CAMELLIA-256-GCM:+AEAD            \
                     +RSA:+CAMELLIA-128-GCM:+AEAD                \
                     +RSA:+CAMELLIA-256-GCM:+AEAD                \
+                    +RSA:+AES-128-CCM:+AEAD                     \
+                    +RSA:+AES-256-CCM:+AEAD                     \
+                    +RSA:+AES-128-CCM-8:+AEAD                   \
+                    +RSA:+AES-256-CCM-8:+AEAD                   \
+                    +DHE-RSA:+AES-128-CCM:+AEAD                 \
+                    +DHE-RSA:+AES-256-CCM:+AEAD                 \
+                    +DHE-RSA:+AES-128-CCM-8:+AEAD               \
+                    +DHE-RSA:+AES-256-CCM-8:+AEAD               \
                     "
             fi
             ;;
@@ -614,6 +709,14 @@ add_gnutls_ciphersuites()
                     TLS-PSK-WITH-AES-256-GCM-SHA384             \
                     TLS-DHE-PSK-WITH-AES-128-GCM-SHA256         \
                     TLS-DHE-PSK-WITH-AES-256-GCM-SHA384         \
+                    TLS-PSK-WITH-AES-128-CCM                    \
+                    TLS-PSK-WITH-AES-256-CCM                    \
+                    TLS-DHE-PSK-WITH-AES-128-CCM                \
+                    TLS-DHE-PSK-WITH-AES-256-CCM                \
+                    TLS-PSK-WITH-AES-128-CCM-8                  \
+                    TLS-PSK-WITH-AES-256-CCM-8                  \
+                    TLS-DHE-PSK-WITH-AES-128-CCM-8              \
+                    TLS-DHE-PSK-WITH-AES-256-CCM-8              \
                     TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256    \
                     TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384    \
                     TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256        \
@@ -644,6 +747,14 @@ add_gnutls_ciphersuites()
                     +PSK:+AES-256-GCM:+AEAD                     \
                     +DHE-PSK:+AES-128-GCM:+AEAD                 \
                     +DHE-PSK:+AES-256-GCM:+AEAD                 \
+                    +PSK:+AES-128-CCM:+AEAD                     \
+                    +PSK:+AES-256-CCM:+AEAD                     \
+                    +DHE-PSK:+AES-128-CCM:+AEAD                 \
+                    +DHE-PSK:+AES-256-CCM:+AEAD                 \
+                    +PSK:+AES-128-CCM-8:+AEAD                   \
+                    +PSK:+AES-256-CCM-8:+AEAD                   \
+                    +DHE-PSK:+AES-128-CCM-8:+AEAD               \
+                    +DHE-PSK:+AES-256-CCM-8:+AEAD               \
                     +RSA-PSK:+CAMELLIA-128-GCM:+AEAD            \
                     +RSA-PSK:+CAMELLIA-256-GCM:+AEAD            \
                     +PSK:+CAMELLIA-128-GCM:+AEAD                \
@@ -666,6 +777,9 @@ add_gnutls_ciphersuites()
     esac
 }
 
+# Ciphersuites usable only with Mbed TLS (not currently supported by another
+# peer usable in this script). This provide only very rudimentaty testing, as
+# this is not interop testing, but it's better than nothing.
 add_mbedtls_ciphersuites()
 {
     case $TYPE in
@@ -683,26 +797,26 @@ add_mbedtls_ciphersuites()
                 M_CIPHERS="$M_CIPHERS                               \
                     TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256     \
                     TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384     \
-                    TLS-ECDHE-ECDSA-WITH-AES-128-CCM                \
-                    TLS-ECDHE-ECDSA-WITH-AES-256-CCM                \
-                    TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8              \
-                    TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8              \
+                    TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384        \
+                    TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256        \
+                    TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384         \
+                    TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256         \
+                    TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384         \
+                    TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256         \
                     "
             fi
             ;;
 
         "RSA")
-            if [ "$MODE" = "tls1_2" ];
+            if [ `minor_ver "$MODE"` -ge 3 ]
             then
                 M_CIPHERS="$M_CIPHERS                               \
-                    TLS-RSA-WITH-AES-128-CCM                        \
-                    TLS-RSA-WITH-AES-256-CCM                        \
-                    TLS-DHE-RSA-WITH-AES-128-CCM                    \
-                    TLS-DHE-RSA-WITH-AES-256-CCM                    \
-                    TLS-RSA-WITH-AES-128-CCM-8                      \
-                    TLS-RSA-WITH-AES-256-CCM-8                      \
-                    TLS-DHE-RSA-WITH-AES-128-CCM-8                  \
-                    TLS-DHE-RSA-WITH-AES-256-CCM-8                  \
+                    TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384          \
+                    TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384            \
+                    TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256          \
+                    TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256            \
+                    TLS-RSA-WITH-ARIA-256-CBC-SHA384                \
+                    TLS-RSA-WITH-ARIA-128-CBC-SHA256                \
                     "
             fi
             ;;
@@ -720,17 +834,20 @@ add_mbedtls_ciphersuites()
                     TLS-RSA-PSK-WITH-NULL-SHA            \
                     "
             fi
-            if [ "$MODE" = "tls1_2" ];
+            if [ `minor_ver "$MODE"` -ge 3 ]
             then
                 M_CIPHERS="$M_CIPHERS                               \
-                    TLS-PSK-WITH-AES-128-CCM                        \
-                    TLS-PSK-WITH-AES-256-CCM                        \
-                    TLS-DHE-PSK-WITH-AES-128-CCM                    \
-                    TLS-DHE-PSK-WITH-AES-256-CCM                    \
-                    TLS-PSK-WITH-AES-128-CCM-8                      \
-                    TLS-PSK-WITH-AES-256-CCM-8                      \
-                    TLS-DHE-PSK-WITH-AES-128-CCM-8                  \
-                    TLS-DHE-PSK-WITH-AES-256-CCM-8                  \
+                    TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384            \
+                    TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256            \
+                    TLS-PSK-WITH-ARIA-256-CBC-SHA384                \
+                    TLS-PSK-WITH-ARIA-128-CBC-SHA256                \
+                    TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384            \
+                    TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256            \
+                    TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384          \
+                    TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256          \
+                    TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384            \
+                    TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256            \
+                    TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256       \
                     "
             fi
             ;;
@@ -766,10 +883,17 @@ setup_arguments()
             exit 1;
     esac
 
+    # GnuTLS < 3.4 will choke if we try to allow CCM-8
+    if [ -z "${GNUTLS_MINOR_LT_FOUR-}" ]; then
+        G_PRIO_CCM="+AES-256-CCM-8:+AES-128-CCM-8:"
+    else
+        G_PRIO_CCM=""
+    fi
+
     M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1"
     O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$MODE -dhparam data_files/dhparams.pem"
     G_SERVER_ARGS="-p $PORT --http $G_MODE"
-    G_SERVER_PRIO="NORMAL:+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
+    G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
 
     # with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes
     if is_dtls "$MODE"; then
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/Makefile b/3rdparty/mbedtls/mbedtls/tests/data_files/Makefile
index c10020c040..09db60c83f 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/Makefile
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/Makefile
@@ -38,16 +38,38 @@ test_ca_key_file_rsa = test-ca.key
 test_ca_pwd_rsa = PolarSSLTest
 test_ca_config_file = test-ca.opensslconf
 
-test-ca.csr: $(test_ca_key_file_rsa) $(test_ca_config_file)
-	$(OPENSSL) req -new -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test CA" -out $@
-all_intermediate += test-ca.csr
-test-ca-sha1.crt: $(test_ca_key_file_rsa) $(test_ca_config_file) test-ca.csr
-	$(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha1 -in test-ca.csr -out $@
+test-ca.req.sha256: $(test_ca_key_file_rsa)
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$(test_ca_key_file_rsa) password=$(test_ca_pwd_rsa) subject_name="C=NL,O=PolarSSL,CN=PolarSSL Test CA" md=SHA256
+all_intermediate += test-ca.req.sha256
+
+test-ca.crt: $(test_ca_key_file_rsa) test-ca.req.sha256
+	$(MBEDTLS_CERT_WRITE) is_ca=1 serial=3 request_file=test-ca.req.sha256 selfsign=1 issuer_name="C=NL,O=PolarSSL,CN=PolarSSL Test CA" issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20110212144400 not_after=20210212144400 md=SHA1 version=3 output_file=$@
+all_final += test-ca.crt
+
+test-ca.crt.der: test-ca.crt
+	$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
+all_final += test-ca.crt.der
+
+test-ca.key.der: $(test_ca_key_file_rsa)
+	$(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER -passin "pass:$(test_ca_pwd_rsa)"
+all_final += test-ca.key.der
+
+test-ca-sha1.crt: $(test_ca_key_file_rsa) test-ca.req.sha256
+	$(MBEDTLS_CERT_WRITE) is_ca=1 serial=3 request_file=test-ca.req.sha256 selfsign=1 issuer_name="C=NL,O=PolarSSL,CN=PolarSSL Test CA" issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20110212144400 not_after=20210212144400 md=SHA1 version=3 output_file=$@
 all_final += test-ca-sha1.crt
-test-ca-sha256.crt: $(test_ca_key_file_rsa) $(test_ca_config_file) test-ca.csr
-	$(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.csr -out $@
+
+test-ca-sha1.crt.der: test-ca-sha1.crt
+	$(OPENSSL) x509 -in $< -out $@ -inform PEM -outform DER
+all_final += test-ca-sha1.crt.der
+
+test-ca-sha256.crt: $(test_ca_key_file_rsa) test-ca.req.sha256
+	$(MBEDTLS_CERT_WRITE) is_ca=1 serial=3 request_file=test-ca.req.sha256 selfsign=1 issuer_name="C=NL,O=PolarSSL,CN=PolarSSL Test CA" issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20110212144400 not_after=20210212144400 md=SHA256 version=3 output_file=$@
 all_final += test-ca-sha256.crt
 
+test-ca-sha256.crt.der: test-ca-sha256.crt
+	$(OPENSSL) x509 -in $< -out $@ -inform PEM -outform DER
+all_final += test-ca-sha256.crt.der
+
 test_ca_key_file_rsa_alt = test-ca-alt.key
 
 $(test_ca_key_file_rsa_alt):
@@ -68,6 +90,24 @@ all_final += test-ca-good-alt.crt
 test_ca_crt_file_ec = test-ca2.crt
 test_ca_key_file_ec = test-ca2.key
 
+test-ca2.crt.der: $(test_ca_crt_file_ec)
+	$(OPENSSL) x509 -in $(test_ca_crt_file_ec) -out $@ -inform PEM -outform DER
+all_final += test-ca2.crt.der
+
+ test-ca2.key.der: $(test_ca_key_file_ec)
+	$(OPENSSL) pkey -in $(test_ca_key_file_ec) -out $@ -inform PEM -outform DER
+all_final += test-ca2.key.der
+
+test_ca_crt_cat12 = test-ca_cat12.crt
+$(test_ca_crt_cat12): $(test_ca_crt) $(test_ca_crt_file_ec)
+	cat $(test_ca_crt) $(test_ca_crt_file_ec) > $@
+all_final += $(test_ca_crt_cat12)
+
+test_ca_crt_cat21 = test-ca_cat21.crt
+$(test_ca_crt_cat21): $(test_ca_crt) $(test_ca_crt_file_ec)
+	cat $(test_ca_crt_file_ec) $(test_ca_crt) > $@
+all_final += $(test_ca_crt_cat21)
+
 test-int-ca.csr: test-int-ca.key $(test_ca_config_file)
 	$(OPENSSL) req -new -config $(test_ca_config_file) -key test-int-ca.key -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test Intermediate CA" -out $@
 all_intermediate += test-int-ca.csr
@@ -86,21 +126,23 @@ cli_crt_key_file_rsa = cli-rsa.key
 cli_crt_extensions_file = cli.opensslconf
 
 cli-rsa.csr: $(cli_crt_key_file_rsa)
-	$(OPENSSL) req -new -key $(cli_crt_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=PolarSSL Client 2" -out $@
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Client 2" md=SHA1
 all_intermediate += cli-rsa.csr
-cli-rsa-sha1.crt: $(cli_crt_key_file_rsa) test-ca-sha1.crt cli-rsa.csr
-	$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha1.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha1 -in cli-rsa.csr -out $@
-all_final += cli-rsa-sha1.crt
-cli-rsa-sha256.crt: $(cli_crt_key_file_rsa) test-ca-sha256.crt cli-rsa.csr
-	$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in cli-rsa.csr -out $@
+
+cli-rsa-sha1.crt: cli-rsa.csr
+	$(MBEDTLS_CERT_WRITE) request_file=$< serial=4 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20110212144406 not_after=20210212144406 md=SHA1 version=3 output_file=$@
+
+cli-rsa-sha256.crt: cli-rsa.csr
+	$(MBEDTLS_CERT_WRITE) request_file=$< serial=4 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20110212144406 not_after=20210212144406 md=SHA256 version=3 output_file=$@
 all_final += cli-rsa-sha256.crt
 
-server2-rsa.csr: server2.key
-	$(OPENSSL) req -new -key server2.key -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=localhost" -out $@
-all_intermediate += server2-rsa.csr
-server2-sha256.crt: server2-rsa.csr
-	$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in server2-rsa.csr -out $@
-all_final += server2-sha256.crt
+cli-rsa-sha256.crt.der: cli-rsa-sha256.crt
+	$(OPENSSL) x509 -in $< -out $@ -inform PEM -outform DER
+all_final += cli-rsa-sha256.crt.der
+
+ cli-rsa.key.der: $(cli_crt_key_file_rsa)
+	$(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER
+all_final += cli-rsa.key.der
 
 test_ca_int_rsa1 = test-int-ca.crt
 
@@ -114,12 +156,28 @@ server7-future.crt: server7.csr $(test_ca_int_rsa1)
 	$(FAKETIME) -f +3653d $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA $(test_ca_int_rsa1) -CAkey test-int-ca.key -set_serial 16 -days 3653 -sha256 -in server7.csr | cat - $(test_ca_int_rsa1) > $@
 all_final += server7-future.crt
 server7-badsign.crt: server7.crt $(test_ca_int_rsa1)
-	{ head -n-2 server7.crt; tail -n-2 server7.crt | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; cat test-int-ca.crt; } > server7-badsign.crt
+	{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; cat $(test_ca_int_rsa1); } > $@
 all_final += server7-badsign.crt
 server7_int-ca-exp.crt: server7.crt test-int-ca-exp.crt
 	cat server7.crt test-int-ca-exp.crt > $@
 all_final += server7_int-ca-exp.crt
 
+cli2.crt.der: cli2.crt
+	$(OPENSSL) x509 -in $< -out $@ -inform PEM -outform DER
+all_final += cli2.crt.der
+
+ cli2.key.der: cli2.key
+	$(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER
+all_final += cli2.key.der
+
+ server5.crt.der: server5.crt
+	$(OPENSSL) x509 -in $< -out $@ -inform PEM -outform DER
+all_final += server5.crt.der
+
+ server5.key.der: server5.key
+	$(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER
+all_final += server5.key.der
+
 server5-ss-expired.crt: server5.key
 	$(FAKETIME) -f -3653d $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/OU=testsuite/CN=localhost" -days 3653 -sha256 -key $< -out $@
 all_final += server5-ss-expired.crt
@@ -129,8 +187,34 @@ server5-ss-forgeca.crt: server5.key
 	$(FAKETIME) '2015-09-01 14:08:43' $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" -set_serial 77 -config $(test_ca_config_file) -extensions noext_ca -days 3650 -sha256 -key $< -out $@
 all_final += server5-ss-forgeca.crt
 
-
-
+server10-badsign.crt: server10.crt
+	{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
+all_final += server10-badsign.crt
+server10-bs_int3.pem: server10-badsign.crt test-int-ca3.crt
+	cat server10-badsign.crt test-int-ca3.crt > $@
+all_final += server10-bs_int3.pem
+test-int-ca3-badsign.crt: test-int-ca3.crt
+	{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
+all_final += test-int-ca3-badsign.crt
+server10_int3-bs.pem: server10.crt test-int-ca3-badsign.crt
+	cat server10.crt test-int-ca3-badsign.crt > $@
+all_final += server10_int3-bs.pem
+
+rsa_pkcs1_2048_public.pem: server8.key
+	$(OPENSSL)  rsa -in $< -outform PEM -RSAPublicKey_out -out $@
+all_final += rsa_pkcs1_2048_public.pem
+
+rsa_pkcs1_2048_public.der: rsa_pkcs1_2048_public.pem
+	$(OPENSSL) rsa -RSAPublicKey_in -in $< -outform DER -RSAPublicKey_out -out $@
+all_final += rsa_pkcs1_2048_public.der
+
+rsa_pkcs8_2048_public.pem: server8.key
+	$(OPENSSL)  rsa -in $< -outform PEM -pubout -out $@
+all_final += rsa_pkcs8_2048_public.pem
+
+rsa_pkcs8_2048_public.der: rsa_pkcs8_2048_public.pem
+	$(OPENSSL) rsa -pubin -in $< -outform DER -pubout -out $@
+all_final += rsa_pkcs8_2048_public.der
 
 ################################################################
 #### Generate various RSA keys
@@ -733,6 +817,75 @@ server1.req.cert_type_empty: server1.key
 	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1 force_ns_cert_type=1
 all_final += server1.req.cert_type_empty
 
+################################################################
+### Generate CSRs for X.509 write test suite
+################################################################
+
+server1.req.sha1: server1.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
+all_final += server1.req.sha1
+
+server1.req.md4: server1.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=MD4
+all_final += server1.req.md4
+
+server1.req.md5: server1.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=MD5
+all_final += server1.req.md5
+
+server1.req.sha224: server1.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA224
+all_final += server1.req.sha224
+
+server1.req.sha256: server1.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA256
+all_final += server1.req.sha256
+
+server1.req.sha384: server1.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA384
+all_final += server1.req.sha384
+
+server1.req.sha512: server1.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA512
+all_final += server1.req.sha512
+
+server1.req.cert_type: server1.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< ns_cert_type=ssl_server subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
+all_final += server1.req.cert_type
+
+server1.req.key_usage: server1.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation,key_encipherment subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
+all_final += server1.req.key_usage
+
+server1.req.ku-ct: server1.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation,key_encipherment ns_cert_type=ssl_server subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
+all_final += server1.req.ku-ct
+
+# server2*
+
+server2.req.sha256: server2.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=localhost" md=SHA256
+all_intermediate += server2.req.sha256
+
+server2.crt.der: server2.crt
+	$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
+all_final += server2.crt.der
+
+server2-sha256.crt.der: server2-sha256.crt
+	$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
+all_final += server2-sha256.crt.der
+
+server2.key.der: server2.key
+	$(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER
+all_final += server2.key.der
+
+# server5*
+
+# The use of 'Server 1' in the DN is intentional here, as the DN is hardcoded in the x509_write test suite.'
+server5.req.ku.sha1: server5.key
+	$(MBEDTLS_CERT_REQ) output_file=$@ filename=$< key_usage=digital_signature,non_repudiation subject_name="C=NL,O=PolarSSL,CN=PolarSSL Server 1" md=SHA1
+all_final += server5.req.ku.sha1
+
 ################################################################
 ### Generate certificates for CRT write check tests
 ################################################################
@@ -749,36 +902,34 @@ test_ca_server1_db = test-ca.server1.db
 test_ca_server1_serial = test-ca.server1.serial
 test_ca_server1_config_file = test-ca.server1.opensslconf
 
-server1.csr: server1.key server1_csr.opensslconf
-	$(OPENSSL) req -keyform PEM -key server1.key -config server1_csr.opensslconf -out $@ -new
-all_final += server1.csr
+# server1*
 
-server1.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
-	$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 version=3 output_file=$@
-server1.noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
-	$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20110212144406 not_after=20210212144406 md=SHA1 authority_identifier=0 version=3 output_file=$@
-server1.der: server1.crt
+server1.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
+	$(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 version=3 output_file=$@
+server1.noauthid.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
+	$(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20110212144406 not_after=20210212144406 md=SHA1 authority_identifier=0 version=3 output_file=$@
+server1.crt.der: server1.crt
 	$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
-all_final += server1.crt server1.noauthid.crt server1.der
+all_final += server1.crt server1.noauthid.crt server1.crt.der
 
-server1.key_usage.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
-	$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment version=3 output_file=$@
-server1.key_usage_noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
-	$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment authority_identifier=0 version=3 output_file=$@
+server1.key_usage.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
+	$(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment version=3 output_file=$@
+server1.key_usage_noauthid.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
+	$(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment authority_identifier=0 version=3 output_file=$@
 server1.key_usage.der: server1.key_usage.crt
 	$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
 all_final += server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.der
 
-server1.cert_type.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
-	$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 ns_cert_type=ssl_server version=3 output_file=$@
-server1.cert_type_noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
-	$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 ns_cert_type=ssl_server authority_identifier=0 version=3 output_file=$@
+server1.cert_type.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
+	$(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 ns_cert_type=ssl_server version=3 output_file=$@
+server1.cert_type_noauthid.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
+	$(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 ns_cert_type=ssl_server authority_identifier=0 version=3 output_file=$@
 server1.cert_type.der: server1.cert_type.crt
 	$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
 all_final += server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.der
 
-server1.v1.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
-	$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 version=1 output_file=$@
+server1.v1.crt: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa)
+	$(MBEDTLS_CERT_WRITE) request_file=server1.req.sha256 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 version=1 output_file=$@
 server1.v1.der: server1.v1.crt
 	$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
 all_final += server1.v1.crt server1.v1.der
@@ -786,11 +937,11 @@ all_final += server1.v1.crt server1.v1.der
 # OpenSSL-generated certificates for comparison
 # Also provide certificates in DER format to allow
 # direct binary comparison using e.g. dumpasn1
-server1.crt.openssl server1.key_usage.crt.openssl server1.cert_type.crt.openssl: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file)
+server1.crt.openssl server1.key_usage.crt.openssl server1.cert_type.crt.openssl: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file)
 	echo "01" > $(test_ca_server1_serial)
 	rm -f $(test_ca_server1_db)
 	touch $(test_ca_server1_db)
-	$(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.csr -extensions v3_ext -extfile $@.v3_ext -out $@
+	$(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.req.sha256 -extensions v3_ext -extfile $@.v3_ext -out $@
 server1.der.openssl: server1.crt.openssl
 	$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
 server1.key_usage.der.openssl: server1.key_usage.crt.openssl
@@ -798,15 +949,25 @@ server1.key_usage.der.openssl: server1.key_usage.crt.openssl
 server1.cert_type.der.openssl: server1.cert_type.crt.openssl
 	$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
 
-server1.v1.crt.openssl: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file)
+server1.v1.crt.openssl: server1.key server1.req.sha256 $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file)
 	echo "01" > $(test_ca_server1_serial)
 	rm -f $(test_ca_server1_db)
 	touch $(test_ca_server1_db)
-	$(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.csr -out $@
+	$(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.req.sha256 -out $@
 server1.v1.der.openssl: server1.v1.crt.openssl
 	$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
 
-server1_all: server1.csr server1.crt server1.noauthid.crt server1.crt.openssl server1.v1.crt server1.v1.crt.openssl server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.crt.openssl server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.crt.openssl server1.der server1.der.openssl server1.v1.der server1.v1.der.openssl server1.key_usage.der server1.key_usage.der.openssl server1.cert_type.der server1.cert_type.der.openssl
+server1_all: server1.crt server1.noauthid.crt server1.crt.openssl server1.v1.crt server1.v1.crt.openssl server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.crt.openssl server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.crt.openssl server1.der server1.der.openssl server1.v1.der server1.v1.der.openssl server1.key_usage.der server1.key_usage.der.openssl server1.cert_type.der server1.cert_type.der.openssl
+
+# server2*
+
+server2.crt: server2.req.sha256
+	$(MBEDTLS_CERT_WRITE) request_file=server2.req.sha256 serial=2 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20110212144406 not_after=20210212144406 md=SHA1 version=3 output_file=$@
+all_final += server2.crt
+
+server2-sha256.crt: server2.req.sha256
+	$(MBEDTLS_CERT_WRITE) request_file=server2.req.sha256 serial=2 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20110212144406 not_after=20210212144406 md=SHA256 version=3 output_file=$@
+all_final += server2-sha256.crt
 
 # MD2, MD4, MD5 test certificates
 
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/Readme-x509.txt b/3rdparty/mbedtls/mbedtls/tests/data_files/Readme-x509.txt
index b56346ab37..6f54ed0c1c 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/Readme-x509.txt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/Readme-x509.txt
@@ -16,11 +16,13 @@ The files test-ca_cat12 and test-ca_cat21 contain them concatenated both ways.
 Two intermediate CAs are signed by them:
 - test-int-ca.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA"
   uses RSA-4096, signed by test-ca2
+    - test-int-ca-exp.crt is a copy that is expired
 - test-int-ca2.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA"
-  uses an EC key with NIST P-256, signed by test-ca
+  uses an EC key with NIST P-384, signed by test-ca
 
 A third intermediate CA is signed by test-int-ca2.crt:
 - test-int-ca3.crt "C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3"
+  uses an EC key with NIST P-256, signed by test-int-ca2
 
 Finally, other CAs for specific purposes:
 - enco-ca-prstr.pem: has its CN encoded as a printable string, but child cert
@@ -65,21 +67,41 @@ List of certificates:
 - server2*.crt: 1 R L: misc
 - server3.crt: 1 E L: EC cert signed by RSA CA
 - server4.crt: 2 R L: RSA cert signed by EC CA
-- server5*.crt: 2* E L: misc *(except server5-selfsigned)
+- server5*.crt: 2* E L: misc *(except -selfsigned and -ss-*)
     -sha*: hashes
-    -eku*: extendeKeyUsage (cli/srv = www client/server, cs = codesign, etc)
-    -ku*: keyUsage (ds = signatures, ke/ka = key exchange/agreement)
+    .eku*: extendeKeyUsage (cli/srv = www client/server, cs = codesign, etc)
+    .ku*: keyUsage (ds = signatures, ke/ka = key exchange/agreement)
+    .req*: CSR, not certificate
+    -der*: trailing bytes in der (?)
+    -badsign.crt: S5 with corrupted signature
+    -expired.crt: S5 with "not after" date in the past
+    -future.crt: S5 with "not before" date in the future
+    -selfsigned.crt: Self-signed cert with S5 key
+    -ss-expired.crt: Self-signed cert with S5 key, expired
+    -ss-forgeca.crt: Copy of test-int-ca3 self-signed with S5 key
 - server6-ss-child.crt: O E: "child" of non-CA server5-selfsigned
 - server6.crt, server6.pem: 2 E L C: revoked
-- server7*.crt: I1 E L P1*: EC signed by RSA signed by EC
-    *P1 except 7.crt, P2 _int-ca_ca2.crt
-    *_space: with PEM error(s)
-    _spurious: has spurious cert in its chain (S7 + I2 + I1)
+- server7.crt: I1 E L P1(usually): EC signed by RSA signed by EC
+    -badsign.crt: S7 with corrupted signature + I1
+    -expired.crt: S7 with "not after" date in the past + I1
+    -future.crt: S7 with "not before" date in the future + I1
+    _int-ca-exp.crt: S7 + expired I1
+    _int-ca.crt: S7 + I1
+    _int-ca_ca2.crt: S7 + I1 + 2
+    _all_space.crt: S7 + I1 both with misplaced spaces (invalid PEM)
+    _pem_space.crt: S7 with misplace space (invalid PEM) + I1
+    _trailing_space.crt: S7 + I1 both with trainling space (valid PEM)
+    _spurious_int-ca.crt: S7 + I2(spurious) + I1
 - server8*.crt: I2 R L: RSA signed by EC signed by RSA (P1 for _int-ca2)
 - server9*.crt: 1 R C* L P1*: signed using RSASSA-PSS
     *CRL for: 9.crt, -badsign, -with-ca (P1)
-- server10*.crt: I3 E L P2/P3
-    _spurious: S10 + I3 + I1(spurious) + I2
+- server10.crt: I3 E L
+    -badsign.crt: S10 with corrupted signature
+    -bs_int3.pem: S10-badsign + I3
+    _int3-bs.pem: S10 + I3-badsign
+    _int3_int-ca2.crt: S10 + I3 + I2
+    _int3_int-ca2_ca.crt: S10 + I3 + I2 + 1
+    _int3_spurious_int-ca2.crt: S10 + I3 + I1(spurious) + I2
 
 Certificate revocation lists
 ----------------------------
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa-sha1.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa-sha1.crt
index 906f6dfa77..ffbe21a175 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa-sha1.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa-sha1.crt
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDhTCCAm2gAwIBAgIBBDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
 MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTcwNTA1MTMwNzEwWhcNMjcwNTA2MTMwNzEwWjA8MQswCQYDVQQGEwJOTDERMA8G
+MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
 A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN
 BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f
 M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu
@@ -9,13 +9,12 @@ M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu
 MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v
 4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/
 /DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB
-o4GSMIGPMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITBjBgNVHSMEXDBa
-gBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNV
-BAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEAMAkGA1Ud
-EwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAE/yq2fOqjI0jm52TwdVsTUvZ+B2s16u
-C4Qj/c89iZ7VfplpOAEV9+G6gHm/gf2O7Jgj0yXfFugQ2d+lR70cH64JFn9N1Rg9
-gCo5EDBLourI8R0Kkg9zdlShBv7giwqg667Qjsu+oEWVerICOqNQGolotYSZvmtJ
-7RiD8I4MXB4Qt0sSjxE897pvc4ODem10zXzvedv/q11q1mUn2L1fFc1dGIguk1fn
-I/XP87FCapRobUTYrF6IvdqFaUMQ7lF3GiUIvjDPb4Wt1CyHhi/tu/SfV3fmX3rs
-19UeGnvC7AdQ+OwLt3nEIlSpqVKPXHKfRKZg1WzZNgCQtNB1SrZAzFc=
+o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf
+BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQUFAAOC
+AQEAX0vLL6qw6zYaO7a1ZXXJhWL8/vm1+yz5HrnXPX62xBD7P+cVGrOoNbD1QAj9
+otOpUsWYmHRvhotO42oqPsnoPA0JpGRR2elbTrcK9uDxg6PWwoix3uHPRuXdRIsU
+jee2TcGilXgJw1HDvJ04E5qowAtAgOcE41ZraAN43GHO2PjxcXEEoWzqSqvlUrv3
+AOaCTn9X73izMRgPbQBnJjknIzoYwWgVFaDEW/lZE0+LLa99/mxFFUBhYzAY+h/R
+rmtslJIyIzTd3sLo+XZ0hNtlBM0u1okOspSWtmoNdSiJDZMJ4LL71xuJYG46Sl/0
+1hH/1pZigeufZgYrQgqG8oHT4A==
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa-sha256.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa-sha256.crt
index a0fc11e202..c81f98fb31 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa-sha256.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa-sha256.crt
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDhTCCAm2gAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
 MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTcwNTA1MTMwNzU5WhcNMjcwNTA2MTMwNzU5WjA8MQswCQYDVQQGEwJOTDERMA8G
+MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
 A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN
 BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f
 M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu
@@ -9,13 +9,12 @@ M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu
 MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v
 4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/
 /DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB
-o4GSMIGPMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITBjBgNVHSMEXDBa
-gBS0WuSls97SUva51aaVD+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNV
-BAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBggEAMAkGA1Ud
-EwQCMAAwDQYJKoZIhvcNAQELBQADggEBAC7yO786NvcHpK8UovKIG9cB32oSQQom
-LoR0eHDRzdqEkoq7yGZufHFiRAAzbMqJfogRtxlrWAeB4y/jGaMBV25IbFOIcH2W
-iCEaMMbG+VQLKNvuC63kmw/Zewc9ThM6Pa1Hcy0axT0faf1B/U01j0FIcw/6mTfK
-D8w48OIwc1yr0JtutCVjig5DC0yznGMt32RyseOLcUe+lfq005v2PAiCozr5X8rE
-ofGZpiM2NqRPePgYy+Vc75Zk28xkRQq1ncprgQb3S4vTsZdScpM9hLf+eMlrgqlj
-c5PLSkXBeLE5+fedkyfTaLxxQlgCpuoOhKBm04/R1pWNzUHyqagjO9Q=
+o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf
+BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsFAAOC
+AQEAlHabem2Tu69VUN7EipwnQn1dIHdgvT5i+iQHpSxY1crPnBbAeSdAXwsVEqLQ
+gOOIAQD5VIITNuoGgo4i+4OpNh9u7ZkpRHla+/swsfrFWRRbBNP5Bcu74AGLstwU
+zM8gIkBiyfM1Q1qDQISV9trlCG6O8vh8dp/rbI3rfzo99BOHXgFCrzXjCuW4vDsF
+r+Dao26bX3sJ6UnEWg1H3o2x6PpUcvQ36h71/bz4TEbbUUEpe02V4QWuL+wrhHJL
+U7o3SVE3Og7jPF8sat0a50YUWhwEFI256m02KAXLg89ueUyYKEr6rNwhcvXJpvU9
+giIVvd0Sbjjnn7NC4VDbcXV8vw==
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa-sha256.crt.der b/3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa-sha256.crt.der
new file mode 100644
index 0000000000000000000000000000000000000000..8fa3d1b5f0b1052e4cbbe0b32dc4c1dd8fddb7e7
GIT binary patch
literal 835
zcmXqLVzxJEVp3ng%*4pV#K>a6%f_kI=F#?@mywa1mBGN;klTQhjX9KsO_<5g$57CK
zAH?C};RwjjNh}Hu_A!(+5C;h{^9aC%6hcyqOB9?P4dldm4Gj&942=v;OiT>SqQrTP
zkhumn1PzxmkboF22shk0Co?s#M8U|QiBSpJwT!F`%uS5^3_x)%rY1&4h7%=6&g}fT
zweqFwO_78RwYw*O%9fjNyq34W%O))K=^dAwXVO~Pul`Wq;AMItc^+4u^!8gH>Q=ww
z5t!WODPi(?h1R9;uX<PX%QagPeVYRMmrwO5_?qXt>8kMIOHyy2Ilpoed0q1Az+3q%
z;eIPWuXuau!9jyU10#d0m%njb2=jOA`xO7vHhp4;fu7T*`?bHH@|6F7V|bvVfB&KS
zQ)_b+ul3&S&g#p5F#Cr<*qP0J!lKViSkjKa`)S6PHT4_kEVlG7sf9mIE!n90;Ga#m
zDNFjU2mWQPf9n63Wp90XR+l-+Z?i4K`SoQBGQ*m)F0HuoJfQH|Rx{Re*4*k7PmcWc
zxvCh?#LURRxY*ag8ytbM!YoV%3<k2m;FRTK5n~Z4T*y#d<e(o?7H9k?sDIDLyV-7v
z2J#?jWflnou?CSXQBRg`zIQ3;+s>=Yrt-hG+jIQyf8+oMCJ$hMGcrsmn_ZPVdH4Fz
zfO|)}=BPW>#wwI2?6ph!rNX{cC*ta<^K--wRH{3~bBhWsy3p{rgOTB9NRzPHE4HRS
zrQgjf&E)gm&eU|NjQaiCVB@c&ks{G7mw&RJ-u-~Fd($0}Gv^hQ9Fk6cHg%3_c4(RU
z?bcI{yuMFAYRcxn&gp$!Z)N*MxIK>1X}#%VuBSWpShKEwaBFei?D%TVm!3zWc-`;y
zZhY}8r09$JE4i<K_x$j2yB+ALS?xRZA?rH*H`*;l-od-fJp;|H_#WHD>tx-PdhR9?
zCBq`pyYp49nFj0W=JR=#J~K4DeyzEqSoHPevahyHN}_x33guZmpTF7ZVZiOe(whAM
Dj%H8F

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa-sha256.key.der b/3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa-sha256.key.der
new file mode 100644
index 0000000000000000000000000000000000000000..8ef5a0464a6f427cfd0f08512855e1faa0556d7c
GIT binary patch
literal 1192
zcmV;Z1Xueof&`=j0RRGm0RaHWbi~ZL`L%iJMcEW!uzkCe@@pQSGp!Aeiab_j<=jNs
z%w~lL)%Yi{N;S}9o(gUox7zT2tL_XClZHtcH1nt`(pU8^)Gv1_gkepBP>-jTNO1LT
zO|sP!!_pe<=0oa26zg>A!0jK@S5B$(sO{3=!7y<!GBDNC_6X2cPezXNU->;}k%%xZ
zLbBg|`{fLG|Lifqc#prrf6A?FA=ZuAi)xN<;G6gmR?M@G6BXt(1ZKzX`8Ez}mG%jm
z250nTarnxlu_fUCJc~61XS(1|c7^<Z{5ET~>CG(zVotL?0MD;>plMcvYSO6G=TLFx
zwKfHJ1#NrC<i!0<)gfO30|5X50)hbmXHB*C1Bt47Z#yl@5TYZ=y-wQUXATUC#)N3!
z<(GBRjiZLy+tuq683@IG<u{iMbAV=cHSvhG^8EAROLk6kMb0e35GD<14WCIp)_{rU
z#Yq+2g}})Ef;SRc3TyUg4KfzJq!m=2XrZmjYvqjEb~RZqo3!Ea@K6Nq$m|8-&yD2L
zWP4s?;ClzW0+vo2cx<*qnlkp*0`-8*CT^wB<7J4>CaFN-;Q-)&Kf|$n-o8S*2Z0m9
z;1LlcEcmi|I@IKSU%9au`W+pYk=X>EyvelJeGXLikI*O$-FHi91V~|Z6$2YJt&aR8
z5eMoQTHYCG|F(yJfGS@MSh`<90)c@5;{&h$n9>V-a_KvcyruT6<st^M*IxaJOBQD`
zgCbatVx+V!`4$sY_Mb2LyAFPgZwT7R=^SPdaFdXY&yYGpiAn2&D*jrB&U8XS4UBV9
zyn7(U{q_rG?Wr#O5A{&_jW;%$Am78|C%l+)!4ykz>4OyiB;phmwr>wIo!OYt0)c@5
z;tc!4Gn+?<C-NrV>t60a_G4Q$BlXn>Vc(*kSTF=4E410#Mt?~4PtfYuphb#ei;S#u
zUivm=KDunWUTcymUTP24(xsJ#+H%F7$!j-WOPhD$XBr+b*g<GO)10*S>nbAOcq!6k
zl3Oo$WJ;o@Yd%o1da;dJv{kyck%gl#0)c=K9vSDnm*pbOq|1u6&>pm9%tfbq?GBkK
z(41iuxMGVjYq~QnWhmG-ZdB~4AU#pxEJDOm@TNL)ledPc{`PbS5>0zinIC#q=^!r{
zG%1(c2JY*>y)jSvP_ep6v&0<(uCUy`io}qkD4VuI2^-can;GechuNPs1*?&dZG4de
zfq?*&SMcB{{k`*?Lrp&YH%}u{jp0oGOjUq_x<CF=;V{)Z*>fGsCA_;orP_C<wfq{d
zd7-itq8|`a8U;W|wof$Hz{8|Am~)5=(?#6wQEmitnUfM&mdiOpv8lM>CH0&Xw~{Lq
zuw7xIsx*AfR4r);_uKrOhv+)?9ZYJ26)*t;fq?*=Q=zsmzy|f-T+vES$h~bc@m}RS
zaL}mbL04>tQxEGXpkj|hV(cz#aaCJt^mG*JdIR?Sq|U^w+8yw<sr?ZcI~1UhjV8Bs
za|!}1Zx7f(c*Apntg5f_?lQHF1^HQ8o<3!pblRYFl^0))Sp1GoEFQdp0vN0k#`$E6
Ghr<AUz)#))

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa.key.der b/3rdparty/mbedtls/mbedtls/tests/data_files/cli-rsa.key.der
new file mode 100644
index 0000000000000000000000000000000000000000..8ef5a0464a6f427cfd0f08512855e1faa0556d7c
GIT binary patch
literal 1192
zcmV;Z1Xueof&`=j0RRGm0RaHWbi~ZL`L%iJMcEW!uzkCe@@pQSGp!Aeiab_j<=jNs
z%w~lL)%Yi{N;S}9o(gUox7zT2tL_XClZHtcH1nt`(pU8^)Gv1_gkepBP>-jTNO1LT
zO|sP!!_pe<=0oa26zg>A!0jK@S5B$(sO{3=!7y<!GBDNC_6X2cPezXNU->;}k%%xZ
zLbBg|`{fLG|Lifqc#prrf6A?FA=ZuAi)xN<;G6gmR?M@G6BXt(1ZKzX`8Ez}mG%jm
z250nTarnxlu_fUCJc~61XS(1|c7^<Z{5ET~>CG(zVotL?0MD;>plMcvYSO6G=TLFx
zwKfHJ1#NrC<i!0<)gfO30|5X50)hbmXHB*C1Bt47Z#yl@5TYZ=y-wQUXATUC#)N3!
z<(GBRjiZLy+tuq683@IG<u{iMbAV=cHSvhG^8EAROLk6kMb0e35GD<14WCIp)_{rU
z#Yq+2g}})Ef;SRc3TyUg4KfzJq!m=2XrZmjYvqjEb~RZqo3!Ea@K6Nq$m|8-&yD2L
zWP4s?;ClzW0+vo2cx<*qnlkp*0`-8*CT^wB<7J4>CaFN-;Q-)&Kf|$n-o8S*2Z0m9
z;1LlcEcmi|I@IKSU%9au`W+pYk=X>EyvelJeGXLikI*O$-FHi91V~|Z6$2YJt&aR8
z5eMoQTHYCG|F(yJfGS@MSh`<90)c@5;{&h$n9>V-a_KvcyruT6<st^M*IxaJOBQD`
zgCbatVx+V!`4$sY_Mb2LyAFPgZwT7R=^SPdaFdXY&yYGpiAn2&D*jrB&U8XS4UBV9
zyn7(U{q_rG?Wr#O5A{&_jW;%$Am78|C%l+)!4ykz>4OyiB;phmwr>wIo!OYt0)c@5
z;tc!4Gn+?<C-NrV>t60a_G4Q$BlXn>Vc(*kSTF=4E410#Mt?~4PtfYuphb#ei;S#u
zUivm=KDunWUTcymUTP24(xsJ#+H%F7$!j-WOPhD$XBr+b*g<GO)10*S>nbAOcq!6k
zl3Oo$WJ;o@Yd%o1da;dJv{kyck%gl#0)c=K9vSDnm*pbOq|1u6&>pm9%tfbq?GBkK
z(41iuxMGVjYq~QnWhmG-ZdB~4AU#pxEJDOm@TNL)ledPc{`PbS5>0zinIC#q=^!r{
zG%1(c2JY*>y)jSvP_ep6v&0<(uCUy`io}qkD4VuI2^-can;GechuNPs1*?&dZG4de
zfq?*&SMcB{{k`*?Lrp&YH%}u{jp0oGOjUq_x<CF=;V{)Z*>fGsCA_;orP_C<wfq{d
zd7-itq8|`a8U;W|wof$Hz{8|Am~)5=(?#6wQEmitnUfM&mdiOpv8lM>CH0&Xw~{Lq
zuw7xIsx*AfR4r);_uKrOhv+)?9ZYJ26)*t;fq?*=Q=zsmzy|f-T+vES$h~bc@m}RS
zaL}mbL04>tQxEGXpkj|hV(cz#aaCJt^mG*JdIR?Sq|U^w+8yw<sr?ZcI~1UhjV8Bs
za|!}1Zx7f(c*Apntg5f_?lQHF1^HQ8o<3!pblRYFl^0))Sp1GoEFQdp0vN0k#`$E6
Ghr<AUz)#))

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/cli2.crt.der b/3rdparty/mbedtls/mbedtls/tests/data_files/cli2.crt.der
new file mode 100644
index 0000000000000000000000000000000000000000..6ad236e2f0ac6c798ef27050b07f25ab6ecdbca2
GIT binary patch
literal 560
zcmXqLV$v~aV%)TVnTe5!iILZUi;Y98&EuRc3p0~}ogudYCmVAp3!5;LpO2xS0Y8Yt
zCCm|!pOaV=9PDE#V;}_*Vipz#3l$gVD1@XImngV8D>yqE$cghB8XH&|nHZXy8X1^G
ziSrtPxJFQ}fg?fl<qc#Z=8M6sgqZJ~lbM=VqF`hYX&}tT4t6jTBh=;0jO@%#3@qVK
z*KI7me|gRB$vYbV3$1(iEO^bi(BN+-d}s6?C#!PbpYiB(OoG|816L(P3ZB-_zv}HO
z@pMDZ)tDdC`r8W@KRLd*ajrq*EU^D&g;|&k7{E@E<zo?J5vgK`Z%g^}Aoi)Cfc2(l
z)<@Lr&p$HA1G-dJnI+vIwLxTVu7ZjuqrLX&imj4+>QqkN{%uyX&}oSSr9s-n$#Bs5
zQC*VrnHR`0#hk%lkjiA>mC9SK(7b5o&K3NBdf)Zi?k@0|#=NGlqTuc)z6G1aPN()s
zowV0Utovc}eyz+qGX*9?hPj{Amt8H{p|b8_mc8M^Qz7~s7kc0M^CaFcuc+Pf_m7k3
UyQiD74xLpiPwLaCnHTN~0N4|><^TWy

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/cli2.key.der b/3rdparty/mbedtls/mbedtls/tests/data_files/cli2.key.der
new file mode 100644
index 0000000000000000000000000000000000000000..acba6a027604b8c80da7e9179c04a4316477e9fa
GIT binary patch
literal 121
zcmV-<0EYiCcLD(c1R(bJhGg+)f97P3@5)Z;-A(WX|CS<(dW1M+7cya(w<@3t1_&yK
zNX|V20SBQ(13~}<SLLp;bKldfyOX$q{}Qh5=2NWBRa5pf4$Lm&V<ijUnBwzXU^bS(
b)fg0T<$s^mOGOyvux!;__?C}{aHHhMGDtfT

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs1_2048_public.der b/3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs1_2048_public.der
new file mode 100644
index 0000000000000000000000000000000000000000..b6865144ab245817b04e3507d4aaec3dcff605fb
GIT binary patch
literal 270
zcmV+p0rCDYf&mHwf&l>l+Z=x`3(ddI(RC1@qPWg|s^SIUde}r`kF~wPuo<~GxEV?g
z@m+L)XGVtx-dleL1HHkGUI!J_TlC!J&pr9U5iG81xr)6VXJ!}bPQBX|nu3Sq@OZ<c
zg@>^HpQ)K&<1_5c>I=1DUhzqOKcg+`0SwGSns%GS&^Obu7Xe`b7Fm8A7sFHi(Q?a7
zU=`YZ;_9tX?~dY&)M|HC)^OQtyYcQh1URF;;?dw{YvP<ondvCzw)`&2XG4VO)q~cZ
zm}>z(f!sWL%K7u0_tq#ICwP3r(A8t7fi#J&C2GC$>h1bh{N*&p!4GjQ(g+Y6twcfK
U{&}EdlZvrj>9Fo^0s{d60Wn65O8@`>

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs1_2048_public.pem b/3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs1_2048_public.pem
new file mode 100644
index 0000000000..9040cb04d4
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs1_2048_public.pem
@@ -0,0 +1,8 @@
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA2xx/LgvNv87RdRCgorjOfariBeB62ERjj7W9wLAZuTe4GUoO8V10
+gGdGhwbeW38GA73BjV4HFdRb9Nzlzz35wREsrmq5ir0dZ2YX6k692xWagofk8HjD
+o4WHsP2fqZlf4zPszOoLtWFe8Ul+P6Mt6gEMzEKadpvE0DfTsRcBYQEWWX4cF8NT
+/dFyy0xgFdp94uqtUO+O4ovUandV1nDZa7vx7jkEOKO94tHgZmvinEeZ6Sjmtvwu
+ymdDhOjVg9admGsBPoHcPHrK+fOc99YoGyd4fMPQ1WOngTSJrSVqvfLq7fpX/OU0
+xsEPcS3SCBAbrURB4P55oGOTirFd6bDubwIDAQAB
+-----END RSA PUBLIC KEY-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs8_1024_public.der b/3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs8_1024_public.der
new file mode 100644
index 0000000000000000000000000000000000000000..fe429985bf29b545b3d52a24b692807062a827b5
GIT binary patch
literal 162
zcmV;T0A2qufuAr91_>&LNQU<f0RaI800V)I05E}x0)c@5z|l)HjS(gInI%&vuV~*N
zZ$YWoaPx19Slqy<B&~S`Y966MKp|W1BS5@u8NZ8Dj^Go0wIpjsHNH#FSZ$283%$=$
z0+~tZ<D5Z2;mBM_;*N!xOz5uuJ<8n2>m7(YwGJ1K49Joe8Zo!w`XNif5NQbH1%<nl
Q13$baQ}7vm0s{d60ns=_2mk;8

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs8_2048_public.der b/3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs8_2048_public.der
new file mode 100644
index 0000000000000000000000000000000000000000..8644a5647e63e647adedd78acc7c631b3bd0a4cb
GIT binary patch
literal 294
zcmV+>0ondAf&n5h4F(A+hDe6@4FLfG1potr0S^E$f&mHwf&l>l+Z=x`3(ddI(RC1@
zqPWg|s^SIUde}r`kF~wPuo<~GxEV?g@m+L)XGVtx-dleL1HHkGUI!J_TlC!J&pr9U
z5iG81xr)6VXJ!}bPQBX|nu3Sq@OZ<cg@>^HpQ)K&<1_5c>I=1DUhzqOKcg+`0SwGS
zns%GS&^Obu7Xe`b7Fm8A7sFHi(Q?a7U=`YZ;_9tX?~dY&)M|HC)^OQtyYcQh1URF;
z;?dw{YvP<ondvCzw)`&2XG4VO)q~cZm}>z(f!sWL%K7u0_tq#ICwP3r(A8t7fi#J&
sC2GC$>h1bh{N*&p!4GjQ(g+Y6twcfK{&}EdlZvrj>9Fo^0s{d60qM1nivR!s

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs8_2048_public.pem b/3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs8_2048_public.pem
new file mode 100644
index 0000000000..f1e29cc6e1
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/rsa_pkcs8_2048_public.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2xx/LgvNv87RdRCgorjO
+fariBeB62ERjj7W9wLAZuTe4GUoO8V10gGdGhwbeW38GA73BjV4HFdRb9Nzlzz35
+wREsrmq5ir0dZ2YX6k692xWagofk8HjDo4WHsP2fqZlf4zPszOoLtWFe8Ul+P6Mt
+6gEMzEKadpvE0DfTsRcBYQEWWX4cF8NT/dFyy0xgFdp94uqtUO+O4ovUandV1nDZ
+a7vx7jkEOKO94tHgZmvinEeZ6SjmtvwuymdDhOjVg9admGsBPoHcPHrK+fOc99Yo
+Gyd4fMPQ1WOngTSJrSVqvfLq7fpX/OU0xsEPcS3SCBAbrURB4P55oGOTirFd6bDu
+bwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.cert_type.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.cert_type.crt
index 107328edf0..fb59ab8bd6 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.cert_type.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.cert_type.crt
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
 MIIDUjCCAjqgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
 MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
+A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
 BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
 uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
 d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
@@ -11,10 +11,10 @@ lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
 bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
 o2AwXjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
 BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zARBglghkgBhvhCAQEEBAMC
-BkAwDQYJKoZIhvcNAQEFBQADggEBAL+IvLnq101fUrpfWA1s9HhyOrnJH+N2gO1F
-6UnLmDw4NuX9pttIK60Xesb5pEhtU76y2hP2EAICe8tTQgGgZG4MW4TxIvAliuHl
-qvUB/lfmAAGJoQ9WrKriL90IxcKnH3I4aIzNyG2TSIHYo6L8FXVoSrPAuL3X133D
-JF6Ie0H8GUK7UOY0pZ0c6x8LCium4Ho/1UNfouSW3x7uq8gEz8lUn2blWUr0HlQr
-HDyxTV4tjZ1jKPh0VHYBmcpxdNbObK4NRZanYRKAUCIUCD+kHi67akMAukv0qjbm
-Y8DPy+gTLyl89BHnXDR/xCzlta5KkG1oKh3jgV7QQ6BS2+mR7+4=
+BkAwDQYJKoZIhvcNAQEFBQADggEBAK1WXZYd6k7/zE2NcszT6rxNaSixPZrDYzRt
+Iz5rpH33IHkCdR956/ExCcDMqGNVtKtBdr8kw3+jzyPQhwyHVPNv4C/cgt0C89Pf
+qZLQGuEPVp1X4tzEY2Kno9c1tllLVzJdvz1mRhSb9z5CWQKNMT+8MMl3k+0NZ4LT
+NEx4gTZxYEsAGEuO/Yij9ctxp4RdSP585FXgiMC00ieMe/aJxlOIgpIhuWdu0KPP
+G5guYd4hQ9ZrGVOGdjv2cZbh4DuQOsCwU9in/e1RKFV6eMmyOdvLJ4jkTauwkGJG
+lCclZZQwzGawOiMl2OYPUia5bkaEsdE/0QW/lf36lco8CNjpUfY=
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.cert_type_noauthid.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.cert_type_noauthid.crt
index 0f71ecb141..0082b148ca 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.cert_type_noauthid.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.cert_type_noauthid.crt
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
 MIIDMTCCAhmgAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
 MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
+A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
 BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
 uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
 d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
@@ -10,11 +10,11 @@ CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
 lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
 bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
 oz8wPTAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAR
-BglghkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADggEBADAWS7qdGNShzKm+
-AO7vfM3/+6YyIq7Jelm4T7n1GkmiGJ0bf2KhX3ohvaRz5gl0165teWVhLAivaIqB
-lK3wLU9TSEaLAtgCMxw+TZhq11qq07FuaawH3nbdMAo4qA2UT0eu2CM1NJjgg8iL
-b5FYGwsNcaCmmQYWVRbKlqkA1VNY2p/4PDn8xgRcgVgmqrHf7BUrEPoRA5RXBAhM
-huceZxFpA+15x789xKUZHmMoOYvDeZNYw2Fg6Dk4jV403kxzrcP8sSx8Abu6aROb
-b2ktuUS5hS8FjrbhDgeosDTU10PQR0Ov9LpMYO4WshkYUBpgC3pSR81pGOKxJuuH
-8EV3rhc=
+BglghkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADggEBAGl6bYCGKvDCvfSU
+PTyaiFPNGXV98AnIG0Hu4EJjs1owBU/Yf8UdFbWJtOymR80SbzmeQ6rEIoY1oXDA
+o9Y8yRgW8t25Wmq/0DCu/5P0/L6asstLTxLG4qajClVwqDLEqZNixmq8QorAOtK1
+JngFA+A5jzc70Ikl9+Hbx/2SEMrCpo0QLSco7KDK7XpNOHbkRz2AqSm0se4jDMP1
+Cwd2UtcpctIZEbECZo6S9WrVMqIhRF1Y5FeauBA2ORvGIHohaYJ9VzYWYXIp7N8d
+QXGv+M7ffpZiERcRr8lxtboPnTXKlv1mLCEX7g+KuiJQUm4OGfTCd5VHzWM7O5Id
+b+IvZD0=
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.crt
index d81b26afcf..dfc92b3ee3 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.crt
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
 MIIDPzCCAiegAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
 MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
+A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
 BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
 uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
 d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
@@ -11,10 +11,10 @@ lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
 bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
 o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
 BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQUFAAOC
-AQEAvc+WwZUemsJu2IiI2Cp6liA+UAvIx98dQe3kZs2zAoF9VwQbXcYzWQ/BILkj
-NImKbPL9x0g2jIDn4ZvGYFywMwIO/d++YbwYiQw42/v7RiMy94zBPnzeHi86dy/0
-jpOOJUx3IXRsGLdyjb/1T11klcFqGnARiK+8VYolMPP6afKvLXX7K4kiUpsFQhUp
-E5VeM5pV1Mci2ETOJau2cO40FJvI/C9W/wR+GAArMaw2fxG77E3laaa0LAOlexM6
-A4KOb5f5cGTM5Ih6tEF5FVq3/9vzNIYMa1FqzacBLZF8zSHYLEimXBdzjBoN4qDU
-/WzRyYRBRjAI49mzHX6raleqnw==
+AQEAm9GKWy4Z6eS483GoR5omwx32meCStm/vFuW+nozRwqwTG5d2Etx4TPnz73s8
+fMtM1QB0QbfBDDHxfGymEsKwICmCkJszKE7c03j3mkddrrvN2eIYiL6358S3yHMj
+iLVCraRUoEm01k7iytjxrcKb//hxFvHoxD1tdMqbuvjMlTS86kJSrkUMDw68UzfL
+jvo3oVjiexfasjsICXFNoncjthKtS7v4zrsgXNPz92h58NgXnDtQU+Eb9tVA9kUs
+Ln/az3v5DdgrNoAO60zK1zYAmekLil7pgba/jBLPeAQ2fZVgFxttKv33nUnUBzKA
+Od8i323fM5dQS1qQpBjBc/5fPw==
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.crt.der b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.crt.der
new file mode 100644
index 0000000000000000000000000000000000000000..fcf45cd7cc3886757acfafa089118900184195e4
GIT binary patch
literal 835
zcmXqLVzxJEVp3ng%*4pV#K>sC%f_kI=F#?@mywZ`mBGN;klTQhjX9KsO_<5g$57CK
zAH?C};RwjjNh}Hu_A!(+5C;h{^9aC%6hcyqOB9?P4dldm4Gj&942=v;OiT>SqQrTP
zkhumn1PzxmkboF22sb=9wWut$NWsvciBSpJwT!F`%uS5^3_x)%rY1&4hLue6whmcW
zLxa2jn!RgE)e}vO>)gNNh3kad?>fYSE`M|maGxd=nbMy9SNnn6&*FV|&rf<dG5T%V
zg8WX+O4o)9%~@9+oy+4bYdBfln>K`77Q9{jMpRO6g)xWwK~|@ge|-*bxqp{U-d7;d
zA-!0b-{D7YqiQ_Y#^7THb)uGQen!2kpEPe7YxHyB>8)FpC*8cF!giHYwX>A{?lP%<
zdrrxHYg2VnUQeBU=bvMo__A9$(V1tMc8TbSsm$@ZbN0gbp!DL8x(k&5)_pNNrCV^S
zlbhwX-ZKA!ym{yLMsz+3j+~blH7WH`hds{}$;Ee{zL+~z_^syc)dfO#qE2OtuMTPo
z*~rAq$iTSR*T5SbfwICZOa=@FvcTY!<zo?J5s@#sX0Lg$q{P*lRY=En#a`z~rey~5
zAZcY52?MbPku6bAmTtaxDd^kItIMYHzqZ?R{O^C{00$-yV1P3+%)Zzatta{N$&Sy3
zE8J(P9hUtz^TDKT`R~P^?wi+h@z5G!>FH%ccPe~-etutVQ*+wqDnp6m_JcfzA8T@!
z2_4#?pxHEGwy}oaoy!&9XSv6&+kN)tBZ-cE+n*oVexg{pW2@8JB_Rtuw_Njkbn3>(
zwTEW^|4}IR@x>9_+>%qXcl|gs)nv~rr=WGNJp6ong3V9&{W4z|@u*t-)+TEX&O+Zs
z<;vTH)_U*$ac;Ll%;nGDGb%sa5T9cm5d2X3+f|2et~z@4x6W7p<h`M7*1-4L=hSsG
zhM6z9yW(CpZrk4@biRVctafUGxOA@8-|urhudo|6Sl(B<pL^eUdVqJ-ge4LOi~q&j
F0|2+KNo4>4

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.key_usage.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.key_usage.crt
index 303a222077..b5a2532c2e 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.key_usage.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.key_usage.crt
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
 MIIDTzCCAjegAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
 MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
+A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
 BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
 uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
 d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
@@ -11,10 +11,10 @@ lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
 bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
 o10wWzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf
 BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zAOBgNVHQ8BAf8EBAMCBeAw
-DQYJKoZIhvcNAQEFBQADggEBAFqG4NbAqtsec3lFOiUDKQiGmMCO4Yq3NHhnRWkD
-e9r9jWo+gfLgfUJKe02a76ciE5forJRFxG4+pa3Lo38WsF5/2YRz3IfQLOjcK6c6
-DdHrTEsPXgdqhVYJZgZbCeD5Yu5YBXlegGOrlXB9+71BKX0H+AkrR2oXsdg/31Kn
-R17yP84tLucQpLdh079ecE8QTZ/21n0VTag6fQFHMeMY35MWkT4K6eRrz/Dta2tm
-keHSq/coKsmm0poYPzoMPcbh/D+kSa05Ut03NL2Y+2Q9uTjv5/K/zOgGef/mJbV2
-QxB+1as+WLTtpwc20IqAz3PVBoxbRyN2Z6vjiqqAzGlfB4M=
+DQYJKoZIhvcNAQEFBQADggEBAE6xegEHvwuQ8I4YCLX7oXmDJiDb7m2nMin+um0v
+TMqHAE3B9GvdWGUgMIEMf76ee7OMDzxfzM2vyNGemB0rn1djEv+knJBSdMQKD9X8
+tkT8cPqMHlRMYYbFFkkZEOeqeihZXQdUORao9ZSXrokYwv+Fr+PAmiUJEmkZHbA1
+Gqp6tPfGxJ2ah50Og9oAPwyND6kvE2o++Dth2evjljPCPM2Gw5kjQGw3V9CAUyUo
+KtLrtZdOeRHRCWCf3UQ/tYkG70tY/+grftrHqKB2E4qkmDiCPS9sEpa7jOGT6e4k
+jGVeZFNZZ10mD2Svr3xl/60++c7yLxrquujo8NOTCVcshfs=
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.key_usage_noauthid.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.key_usage_noauthid.crt
index 7ff26924a7..c82a979729 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.key_usage_noauthid.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.key_usage_noauthid.crt
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
 MIIDLjCCAhagAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
 MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
+A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
 BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
 uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
 d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
@@ -10,11 +10,11 @@ CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
 lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
 bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
 ozwwOjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAO
-BgNVHQ8BAf8EBAMCBeAwDQYJKoZIhvcNAQEFBQADggEBALIkgZjEfQcV7d7zovec
-tNVvaPO5hSE8kDVjMCdUZsKgZjMxpY8gJ4CLNIOamkIqN8sSd1zdhdexMdn3iE/O
-z5y3rQBQLs8UjLippm3abKksKrpTEkM9x7Z1X8KS7GOrnOgBWLzoE9D4F/2ay7yk
-H57qRUXEw1NlnAwKYS6hmEwf497szNKXvgr7MGbahQ/N+WfQbILW6+OSUttuoDrD
-t2uBZsGAVQGDzcQGyOuo7k8CE0D62HHZqA+ZPo/xicvyTbkk+lUfY6q6QA8sojaU
-2LuU0nBtd+LmY8odaUsQItwbIyfYZrZbXKruevVHfMKb9VuoYj6anA5jEl0pe7wN
-Tu0=
+BgNVHQ8BAf8EBAMCBeAwDQYJKoZIhvcNAQEFBQADggEBAKuveVlnjgJIkiH6HqZk
++oGpLPxpcoMEMskzyFxTfjP4L2Mj798qydBbobyVJdH5p/sIpcHsI0xajM/dcZKS
+7b28KVwxOk+87DtwCikFT+jzWPe8fzowqsNAaKtvtDQnLYh8u2tDT1vhABwgTVAy
+aHCzs+nm3o36NPSN9K+wmI+r1KFnhjtyOQ++7M8wRRT5jrC+1tYicjsnVMu07yB5
+04C99Fa3MToilg66Jos95U3gBF5GbSfDXYtd3/etNMkUiG8FEZJlkhKbTO+4E03a
+X6+z2VojrAroYyO/F5ZlaC3/CsMQ8Zcate64nH/Lu/U78XAo8iKz5DLLOPBqodER
+z4A=
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.noauthid.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.noauthid.crt
index 99c004f623..f778ae9e49 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.noauthid.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.noauthid.crt
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE-----
 MIIDHjCCAgagAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
 MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
+A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
 BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
 uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
 d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
@@ -10,10 +10,10 @@ CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
 lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
 bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
 oywwKjAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAN
-BgkqhkiG9w0BAQUFAAOCAQEAUMDKviuchRc4ICoVwi9LFyfQjxFQLgjnX1UYSqc5
-UptiJsDpbJ+TMbOhNBs7YRV7ju61J33ax1fqgcFWkc2M2Vsqzz9+3zJlQoQuOLxH
-5C6v5/rhUEV9HMy3K5SIa/BVem9osWvMwDnB8g5k3wCZAnOuFcT6ttvzRqz6Oh9d
-avozrYHsATzPXBal41Gf95cNVcJ1pn/JgE4EOijMqmAPldVbCqfXLl6TB0nJS6dm
-q9z73DGrVQlOwmCVI+qD2POJI67LuQ0g6Y0WVMxsWilMppt+UrEknMzk4O4qOaUs
-1B20vI/bN4XPDnw58psazdoBxFL+fAk5MbTNKETNHjBsIg==
+BgkqhkiG9w0BAQUFAAOCAQEAaf6oVaFgPEUYjT6cNoMf3p4Ja7EKr2Lp9jX0aV0D
+Q4WwTg/QG3OVBX9IdK+ezAPuBRE7YWFKfbUR5MajWQt0MQPKXh0u7Tr4Z5JG3lXH
+P/QzYZqTkSD9zlb0MHvYUl1T/Ulc4Ws7qSvf3iocvtSAZJIxNi9hxu2nXk2N4OGY
+zyTONjlBtKjXa1THHKZzA5o1e4n2crtCDzXJFVqLeeIwW4zAqepXhGU1nepbazNP
+B3IYzD+JM36XiDPAlci7ZDwpXHrT6fqlBOtfrUH+NAHXCSG2WT+6B4nVZW/P/Qrv
+Hxrq4lP5fgpyX4jxa4UFW9YwRaUN7IAWuZL5dWINbiJZbg==
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.cert_type b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.cert_type
index 3feb1fc9bf..39ff3fdba3 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.cert_type
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.cert_type
@@ -1,17 +1,17 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIICpTCCAY0CAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
-GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+MIICpTCCAY0CAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
 ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
 HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
 W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
 FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
 DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAkMCIGCSqGSIb3DQEJDjEV
-MBMwEQYJYIZIAYb4QgEBBAQDAgZAMA0GCSqGSIb3DQEBBQUAA4IBAQBfm+BA0PSA
-9EFSFgdVODuBtjVoe+RzjiwrHVjja9/GAMurams5WSeJ0g3n0QJuNPf4m3vpSgQE
-qXZrkn2aNYSRPipiPYFUj0NMvji2gmyzmvy6VJyyerZ/saPfuySiVSJbCycA88/V
-vSv93qVHQ7QGwXlwg5dkhw4VNn1NK5CtA0DSEsGITKhdLZUZKkEdylwdjFdi+NTf
-Qx/LQ+cEECBM31s/88C6+ynd4ni42/YYRRcpj5+4TAyKt+nl9a0osrR1y3MmBeo3
-/9s9QEIpXPHMJnJDVq0q03FZwAkgGTaKI8bRsf125eh1CSBynvC6vC+LJSkPrW9g
-HUYYkPMQiQ2C
+MBMwEQYJYIZIAYb4QgEBBAQDAgZAMA0GCSqGSIb3DQEBBQUAA4IBAQBErZcEaEEO
+hLbRVuB3+N5by0mogdJsatJFSgW2/VztLvQBYu0O+VmTbZwCAWejA8U+cr6uPlyf
+b4lDqj3W+XykeK9bSzoSr1yNO2VAcE74Y0ZrSz2yXMfT5R9IyKqQZspaKD8MOmYH
+BqUH9o/phnGcaEG5xeSfhM1O/YNZuGnlLDQBGwT5puHOaLfjECvs8eZLopIWEBlD
+QkRlhYqZBwhGZ8D/TxqG4teFtnBX5FG7UoSSVuneBrkREQM7ElhtD9jCWjfMnqm1
+59G84OycClwaKU7/Dm6zeMGDyFoMksBud7lyDHMhxvwSbzb1JR5v8iBsmVY2dhHt
+Ot3Fx2be0gIr
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.cert_type_empty b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.cert_type_empty
index d61ef6bcf4..70fd11133c 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.cert_type_empty
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.cert_type_empty
@@ -1,17 +1,17 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIICpDCCAYwCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
-GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+MIICpDCCAYwCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
 ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
 HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
 W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
 FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
 DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAjMCEGCSqGSIb3DQEJDjEU
-MBIwEAYJYIZIAYb4QgEBBAMDAQAwDQYJKoZIhvcNAQEFBQADggEBAFsbkVHizurV
-Ub9uDSTEEFm7R/TcCYjqAbP243sEOVfyCwZh49E7hrjq7lp1n/myILHX+keaxKEY
-hUq9B0Rpa61H5lTJPG3Iy1mDHcF0et4cPkDEsQw4GgjZ/A0RCNfYD+OZLATsDKMy
-AgGCZcYhjoL/8iZaYljfuE+a8Bo3xMePo+jignUhB+hEK2cNmUN2m7HqT22Ba4ag
-eJQtY0NUmBoXGJlNaDbzO79mwLl0HHxDmanLVnSzKXqzrH4U0fuoGZFuxY7Dn7AM
-vJujuWOxN1FtHOfJIimnVepuEG6wvDXMLgEPJTXSKbW6CMTgaz6fudEZzgVB6OKR
-zIbUGFi6kLg=
+MBIwEAYJYIZIAYb4QgEBBAMDAQAwDQYJKoZIhvcNAQEFBQADggEBACU0LLDBIMgG
+B7gyNANHv42RovhQdzmUulqJPHNHx3v9G17F00bEykJb/r3awW6l5fhY/6oPydsY
+hnWEM6VVCUkJ6Zqm2/wE49uaNTbFd9JU4OywRBfjHHSTOGnYFg+BYSfwaIkSCkx2
+kVhyklFm7My5wkyDPpFSU2tTfgsgaQMyTm93a2kxM7qJ/X3gFDG8o7R0vyojFVSI
+mwsF9QsC6N9cygdFx23zCB0KsJ9KfmBqaTsdbKh8BsocYm5FJCw4WS/CBrCWBj+z
+N7yEJj4SR5F+P7sFc5I0HANov5wQe8E3+WxxQt8jcqIje6DlaaGja44cXOzvFQyx
+Hg/6H5EtBQc=
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.key_usage b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.key_usage
index 5df41e1d25..30e4812437 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.key_usage
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.key_usage
@@ -1,17 +1,17 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIICnzCCAYcCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
-GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+MIICnzCCAYcCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
 ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
 HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
 W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
 FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
 DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAeMBwGCSqGSIb3DQEJDjEP
-MA0wCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBBQUAA4IBAQCn0RjrgOyNn5ZQ9Hfn
-zhN5q7EAMBYdKBQayeJQQkmreqTdzG/rCHZtt3bIZ/8SWIPNiIOkvsnsGzdBLp8B
-zAAwINhcDIQtIQVObgTLZmvC1syjXfjdH02mYKAccP9OxlnWIVivSPRp9jr9IwYO
-cnT6pzGvP/RWoQen+DougM2WwiZ8YJTrtoe8DlzDq+hbTgoGeQuEGhOnxMlkiLzs
-+g6yoi/1F3nsUwJI+QhBxG7Xf74gCCHZckCtSs2MBEavhcPu7o9QjuWR0YFRTaCf
-5uBL7/gNIVmrWnsQLcH1+DexxzW7lPBN1iFXUXNcweoo0fX3ykkvBYdKKicF7bM1
-zZzQ
+MA0wCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBBQUAA4IBAQBsJ3v1Ar2X28GJsRSJ
+WRQwFQwIbR/D0cHrwTf0ZfZttClytuc18JZlwkH3EG/rNkWaFp6MKIZoRMOBuSPc
+MNvvKIo4nPaeouDPruymx0gNenlyRL3D4OZpBO/BmQIQjbUKWFbzEnEqvwvMDUnG
+8w7UjPSFcxj2HzENr62HLPKKnVpL3nDXWK1a2A77KF9aMxyoWQ6FXb2xPD9cJjdo
+c1jwskQbgosQzKKwwp5yxq0zRD3EAGw4A78mgHMfgFprq9e9azaB0JeyFG2Vn0t0
+L+vfiDEVQ3eJXSCen1kEVyHRju8g53UcSgd+JicWFboFj2/mJBuyW6yM++RGA9B5
+Zd62
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.key_usage_empty b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.key_usage_empty
index 1ac1bc3d4e..47e56bf1ef 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.key_usage_empty
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.key_usage_empty
@@ -1,17 +1,17 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIICnjCCAYYCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
-GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+MIICnjCCAYYCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
 ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
 HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
 W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
 FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
 DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAdMBsGCSqGSIb3DQEJDjEO
-MAwwCgYDVR0PBAMDAQAwDQYJKoZIhvcNAQEFBQADggEBAHkw230TfJnAoc+6j/5R
-oGfXR92g/k2DTlDaFQywO2j03h97isp47bEq/peOlKhAuMA+aHt5n8J1w6eWsr8B
-VpoQ079jDnMtlLVAtgsEAjhwEPZchB9oZzfGztzBC4kVKchMGiSHLVQptIM3DiOT
-/5JBlfGkAfap4V4V6qRYiNESBSpEdU/wGctg4ELgQgdpRSlqRud2LgClmMy3+A3o
-rHjyAY+1oANNNOV+TBwA58OKqwsniyqmSWkhlj4c0O4n8FdE+o1eKyrsQfH9LBx7
-DBo2ilAkp0O/+G0n9Wisov2i6QuOraxW3g5/YBdfrqoVpJ5+8YZvoSGJFYDYoWvN
-CvU=
+MAwwCgYDVR0PBAMDAQAwDQYJKoZIhvcNAQEFBQADggEBAAqQ/EU/3oMt7YW4vWgm
+0Q7F4v7DrFEoVMWfBzNWhMNIijzoaWKY8jwseZMzu8aCNQlJnM7c9FJF+OCgS7L5
+0ctwzjfCOi5I5cKgqv8WpuMZWHXNtB7YtjUWIZVri/RazCncZEwJGCKQjmQYrGJm
+Qmu2+D+DWY+nEW47ZfDH9jOJtatnREjSNsKzc44L9zUaEy3bi+m455XGH+ABmeb7
+Iqmguh10xUyY6rEOFEuqvFyFr5g1eb53Rr5CQxGfw1j+2bbSh+rVb6Ehf9LAijyu
+Ygqa91hGab/CjykS6HMrD91ouWtt2Rt3zCKo4Xxe8dlAszKB4W83M9OgDVVpiCfC
+t3A=
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.ku-ct b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.ku-ct
index 4a0eab88ed..ebd01f5cca 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.ku-ct
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.ku-ct
@@ -1,6 +1,6 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIICsjCCAZoCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
-GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+MIICsjCCAZoCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
 ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
 HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
@@ -8,10 +8,10 @@ W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
 FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
 DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAxMC8GCSqGSIb3DQEJDjEi
 MCAwCwYDVR0PBAQDAgXgMBEGCWCGSAGG+EIBAQQEAwIGQDANBgkqhkiG9w0BAQUF
-AAOCAQEAKIF06WMMbkfDi6z3FzG0OVqGVgCIdQjJUK2S8VrVXJ74goM8SD7jp2RC
-2d5nszk0do3ruAqaI3YOk5U9HQR0qHMSXEcAeB/qqIYWXrlZKacdzSk6vd88VC01
-uAWBSE2IQ4TWPSiWLCN54VtO8AXuF5wJgjGOh4yixVqKzcQh5b+mJs3e7cgMsC5a
-3iPt0EemCT+irT4cXtcJe9/DAvnvvvCZ5UCcvc3shBIA5pBsOOmd1yCYCbxrq3aL
-PhFf/vbbf9eORMwWsqOWopnRgBkPpVnTu9G27t/Nyjencjfk8NEaM9q8YnF0x5lD
-elCFyt+HGwoCeOBN9odfQmKQpW+eGg==
+AAOCAQEAWUMyIXHi4BbIxOeCD/Vtu9LGV8ENMV7dwYVEQcwrt1AHahtYgUtkoGcP
+lOPqg1lbg22bu8dLPoY4HAzxCOAGs27otWL5LlE9M5QPH1RedEycmOuYrMl6K988
+hfDBJ+OkgCShcM91+udrc0gpDEI7N01A+fmukQ6EiaQjIf7HME/EKQqhEuEQMXHC
+GBvdNuEF5BfV3aAYuT+xfdXDU2ZWwXXWAHGmVh3ntnhtEG6SnXSnBATU2wa4tpBd
+KLbEbcsiy2uj0OLJlvG6LqsNggtkD58GCGpLpaVxdW80yw+f/krwLpeyocE1KGcT
+7eX+9yhLe9NIZojvevw+53dNE7BUfw==
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.md4 b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.md4
index 44c53d7606..15585499c8 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.md4
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.md4
@@ -1,16 +1,16 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
-GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
 ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
 HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
 W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
 FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
 DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBAwUA
-A4IBAQAPPUzYvUA+HQTteMhkGcuD6XtsZ3i2gQdDGgLUxtMAVFw+/5ZS6l+WqPgq
-WQIOsEINPHnjUAMz5pjbFdFqu7X5G29THa2da0Ua2bJO/bu3CZ6EksGmclqaQ2Zl
-vfkWaI3bfPFh8eKHF+F5oaVp0gHviCakNqxot4rrZdL8pnJC5JJ+f76y6SgHYOao
-SGCv1gYURhIsX0gWCqldsCwxJQFEig9HISUcXViGGVnLdshUtuKL9yNZ/HNAOuOk
-7N7a7ur8KMmvar1jkTq+zKSSuSrzmU2JvxFdqU0Gr7A35jgnVG8sj66L4lAcwdoG
-sP8OmC1hWh4U3avH6EHdEG8lw0U7
+A4IBAQAu8SbWDi5udXrs/lljV+jdHky2BFuVFNxZgj5QvLslffdx2/Tj4MVCsqkY
+tAcy5g/urW1WwHcnJ20PRgt60m3BSUJffdKF/kgRyTN1oBFpApHGAJEHPahR/3Mz
+hMBk4D/r6lga60iUhIfky8o8KU+ovHXROHzGfYaVySatpyJW6tkJOz/1ZKLI4s4K
+HGLFxKBd6bvyuMSCpV31J7ZHPQfSH38VEEaTLJ2QOltWDX5k4DlL/F3I5K4VFWOm
+DMndMXkb7LhL9jcaJJRzEmbX3aMdt2aXhQt2LDFMnMCeSHI014URnQd6IzRQYZPp
+qGZf2UmuJdLeIMzSNX2rZ+SVDX9o
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.md5 b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.md5
index 950f5c4bd7..57714ede37 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.md5
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.md5
@@ -1,16 +1,16 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
-GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
 ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
 HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
 W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
 FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
 DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBBAUA
-A4IBAQAQx+EjsPUUYac3t1v24lPOYqrKM52XYDwSnwW5Okjn+YxJowZyd8gfzmfp
-vp4+//h5P3VlQDwaXeMTgKCizjf+jdACNJe60/RxYpYFKrvy67ZSr/h7fhdm52Jz
-/tSCbh6FwH1075loBuWLuzD7Pvm1X1FJmbp2ceaJozDnXTAKFdVTqdiRYwyg4iPl
-krhONGNe132aYZtFssdjSCim+bB+/sagR3SuJPoQ+8EjDXYG75n4ZVa4dAcjVoYk
-pg0YK5cuH1FHCXOBO4N1+G0skL8AZwlv+rhKQk6lpGt+AQ8LSjCz2zHUnfpaXXWp
-s1dq9ufjbJdaHDjkBY1gZ3BMmXPw
+A4IBAQCEiv3QM4xyKhYTsoOjyzQdXMhsXK3Kpw+Rh874Hf6pXHxUaYy7xLUZUx6K
+x5Bvem1HMHAdmOqYTzsE9ZblAMZNRwv/CKGS3pvMkx/VZwXQhFGlHLFG//fPrgl3
+j4dt20QsWP8LnL4LweYSYI1wt1rjgYRHeF6bG/VIck6BIYQhKOGlzIwWUmfAGym6
+q4SYrd+ObZullSarGGSfNKjIUEpYtfQBz31f5tRsyzSps7oG4uc7Xba4qnl2o9FN
+lWOMEER79QGwr7+T41FTHFztFddfJ06CCjoRCfEn0Tcsg11tSMS0851oLkMm8RyY
+aozIzO82R3Em7aPhZBiBDy3wZC2l
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha1 b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha1
index f4c61bc578..578ec7f79a 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha1
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha1
@@ -1,16 +1,16 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
-GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
 ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
 HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
 W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
 FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
 DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBBQUA
-A4IBAQCACO1GoBxMdGoWLtk0USbZIJkJidvraTyuuVMMvTaRHAseepNZWtbI2VjZ
-8BYFKnY9uSX4uozODi5Tkv2dCSwAFFJs7bsALqpjqfU1kwQSbfLoT8twf7o51Zw8
-LAEKW0GpifhI4NJAaIeh5EyfMeXH5RFAz31T95Eat56eLcewDK5nWUdQx/KkkSIb
-AFKqPKz8F9KS1tEty5UYmC1QV+q7NG1aOrWcuqvszpyUbsz/u32QH0Lp7E3lXMt1
-vyFfAsA6KBLTUmyTVQHz4snQAb5CFNLOrXnHbtjem7ZmhDzE1DS/7o8NK49zuXUW
-YUMPRpZDSNUpIBmZs2NBTARSEc04
+A4IBAQCiYQMOv2ALPUeg8wHKn9L5SdDbNxOzuMwhYsCYTw2TJMQO7NLUq6icEzxY
+pUIIFt60JUQjZHxQSY3y9cSivwKXQA7pPfaPaFC/aMA2GxG23t2eaIWNQX8MfcWf
+XAa8bl/vmC1MTov+mP2DGoXRiKYORrEInyDS2RaTathvHckcAv25nCIx7wYO9tC9
+LUwyoE9bhiQ7fo3KFlz4dK1HukyCM/FoPbJuL7NgdzmKVPyYCLh5Ah+TTD6+sltz
+dFc4fj28w1v3jsBXz+tLrgFQidzuUI2poxt5UwU9TKY0dAJaTCtfIRcXW3h6DGG7
+EDR6rim6sbIQkGzYvGqs4TNoJOR+
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha224 b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha224
index e52196dbce..a4f2af4c1d 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha224
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha224
@@ -1,16 +1,16 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
-GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
 ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
 HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
 W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
 FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
 DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBDgUA
-A4IBAQAed2cYY9P/xJNHBrHDxjeh5uFyDskCvw06Kvy8FJt6G/0ncnfhSpPnevao
-UPf2jk07iMIFiaDDKc3yg4H2Uh44+Ud2YdAxHYWttKnvj43XSoWSnmUDEiUqgPAP
-C4EmgPEfsxtj+nI5fwIGEvfb3mJ31FJxnSJREcaH8uqyXW4vfF8e0o+9gdM+aTw/
-OJj+dYvepfIpB+1jIq1srr9NLJjKlvHBhQFbIcIgQXJKcw5z04hgjdoSuQckMO5z
-3gVaaHfjCJQT1tDWfjLTCceDoJPskeo7xbDvXnCho+ZLtyMesoCvOEeZLJhDYTlw
-H5jw6f9GW8Q9XP+EQcf6ZhtmYLrU
+A4IBAQArYR2mLKU5lsHyAyGHr4PlmC/cfePmCRyC/mj1riGTjDlNC2X3J1VZDqKb
+U/uUxLudP7sbuttRksIAREATT74Pa40bMWiPUlBfA/M2mFTmKb/91uXeIISW8DL3
+xM/5BCDrhnZ/cjP23gKDgJRk+IGBNhYZDGz50TIBbDJ2e4GDkFjzANngUW64UcCQ
+7hZOYtnYLBnoRvPwtal5jZqHwsgaPPePXu+SQ8mfuAJwJ78MOCAaKw0IP1h1OnPG
+iubdl34lSIaYWwbHTdjaqUSQG3SSs4oxEvluYymrpZ6XGKXtphJXEPdTRiLu9d9l
+A5NYVgvqHFQPmuXS92zrGzB788pV
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha256 b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha256
index 804c4a5510..6d21dc5d94 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha256
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha256
@@ -1,16 +1,16 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
-GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
 ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
 HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
 W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
 FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
 DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBCwUA
-A4IBAQBY/1nnYQ3ThVyeZb1Z2wLYoHZ5rfeJCedyP7N/gjJZjhrMbwioUft2uHpb
-+OZQfxRXJTbtj/1wpRMCoUMLWzapS7/xGx3IjoPtl42aM4M+xVYvbLjExL13kUAr
-eE4JWcMIbTEPol2zSdX/LuB+m27jEp5VsvM2ty9qOw/T4iKwjFSe6pcYZ2spks19
-3ltgjnaamwqKcN9zUA3IERTsWjr5exKYgfXm2OeeuSP0tHr7Dh+w/2XA9dGcLhrm
-TA4P8QjIgSDlyzmhYYmsrioFPuCfdi1uzs8bxmbLXbiCGZ8TDMy5oLqLo1K+j2pF
-ox+ATHKxQ/XpRQP+2OTb9sw1kM59
+A4IBAQCVlSU7qeKri7E3u8JCZbCyjsGJTH9iHYyeDZ/nDLig7iKGYvyNmyzJ76Qu
++EntSmL2OtL95Yqooc6h1AQHzoCs+SO2wPoTUs3Ypi9r7vNNVO3ZnnxVtGgqCRVA
+W+z9W4p2mHXQhgW1HkuLa5JD1SvJViyZbx9z3ie1BQ9NVKfv++ArPIv70zBtA7O3
+PZNG1JYN30Esz7RsCDRHbz6Npvu9ggUQL/U3mvQQ+Yo+xhwu1yFV+dRH7PebBeQv
+vjcD2fXDabeofK3zztIpUIyUULX0GGClM9jslgJ/ZHUlArWKpLZph0AgF1Dzts//
+M6c/sRw7gtjXmV0zq2tf2fL4+e2b
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha384 b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha384
index 7c764f7a8d..b857af7f15 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha384
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha384
@@ -1,16 +1,16 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
-GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
 ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
 HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
 W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
 FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
 DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBDAUA
-A4IBAQA/XVYxhCWWWExy+O5y/zI1121L5MPjrlLypgP+ZDU8TUq8fusryYAgVATo
-njpff6RF9QTKZhouFmgwicEnE6Xuw1LZt4SWskEyISMsTemx3eiY3YSu7uqpMIIh
-h5ht1qGxkFZaLG0REIlUWqVTKk9oWLOg6pv+qees00SAn031Vc2C3++ctQONUrko
-fc8aAGAi9DvSuFkfjhZkp8Fr4d7buHQPmJiYxRp27K5NbVxrr0GCB3wh7ruGc8Mc
-K+PNQvoz425dHK3dHzeoIWD2Ka25mbjglbW1rqAdTkZSYH2QqZTHsKCr0u5iPtSD
-gF7K0AMuT2LIeSs1p82n+cLF78fz
+A4IBAQBy35zHYLiYaScq1niQkzQ/BScUbdiWd2V90isBsB5Q3NjVoJl/yCaMrla3
+2XfrutpFpdqwenl5jM0o6+enKCmfur+z2/ije69Dju2aBd6A62cx1AEvFiMq7lyF
+4DYJ32+2ty6KA8EhzE3NFs7zKXxmD5ybp+oXNEvXoeU3W8a+Ld5c1K/n+Ipa0TUy
+cFBs6dCsbYO9wI6npwWqC5Hc9r/0zziMFO+4N5VORdYUFqObq4vCYOMXETpl8ryu
+lGZorNUoJ7vV55T31CDqEtb0EE+nO+nT4agfDobncYjvc3WpQuLtUB4UwR5gpZl6
+ZI+j4uwikOgGO9gcx4IjaRP3q63F
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha512 b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha512
index 43d709533f..85d52460db 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha512
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.req.sha512
@@ -1,16 +1,16 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRow
-GAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+MIICgTCCAWkCAQAwPDELMAkGA1UEBhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRow
+GAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb7ogWUtPxQ1BHlhJZ
 ZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJBEeCsFc5cO2j7BUZ
 HqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8YwfhU5rPla7n+SnqYF
 W+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5BXhem2mxbacwCuhQs
 FiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1YieJTWZ5uWpJl4og/
 DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAAaAAMA0GCSqGSIb3DQEBDQUA
-A4IBAQBH78JrIboWUlOiUzEwxuYkaRBr22DfdSHlNVjnenrTsSsSdfPenfrUbs42
-NfzhJtvLBnDMs9olsiyPNKZnROmjl/4Da5ScVBfdA7oSImwdsaL0krAju8lJosy7
-ypqNejQQDgjL00HkaVyqjnEWY68enAkaK64suQ4w0pkGmtdZyg0nBiH1VI72PcPR
-Fu2wxSkvvYj+BcHVAY/GWRMTHw1mkmsQna7AsZ1MFIF3ycIW5Fom6d0wpB6clJ3M
-vNTBc7kZIR1BQyblyU96acesxJURJn5xO9Yf9OSsTbd7Xm5xK6DpQWxFFEgdVtir
-hSAqtp54nVnLe4QihmVAlM8zt2ON
+A4IBAQBb8jNpt0nkNVWstVoOCepQSF5R1R9hF0yEr7mk3HB9oO/nK07R1Oamgjw+
+CHQReTSjIKUX53o7ZwNZB5E+jBDsGz/2Yyj/vxNHJFk2exELtW30he8K2omVHE1F
+XESbftCssWLNpTSDq6ME12+llkEDtgCtkv69oRUkuuF5ESUSZRGIZN4Vledm8SM1
+uGFtaG/PXbBbtUaNwNISDeIWDKRtbuca5web+QEi1djiUH21ZWIGEpOy7mtkYmRs
+Qt1D32FoaqFNhafiaxNIXO11yd4lgpaDDlmrOSBsELcTIF9916o3DwMeVXy0GONW
+BrwaO8q8rg+C+xvMY7858Kk8kwjb
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.v1.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.v1.crt
index b13be43516..e85ed30fc4 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server1.v1.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server1.v1.crt
@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
 MIIC6zCCAdMCAQEwDQYJKoZIhvcNAQEFBQAwOzELMAkGA1UEBhMCTkwxETAPBgNV
-BAoTCFBvbGFyU1NMMRkwFwYDVQQDExBQb2xhclNTTCBUZXN0IENBMB4XDTExMDIx
-MjE0NDQwNloXDTIxMDIxMjE0NDQwNlowPDELMAkGA1UEBhMCTkwxETAPBgNVBAoT
-CFBvbGFyU1NMMRowGAYDVQQDExFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZI
+BAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBMB4XDTExMDIx
+MjE0NDQwNloXDTIxMDIxMjE0NDQwNlowPDELMAkGA1UEBhMCTkwxETAPBgNVBAoM
+CFBvbGFyU1NMMRowGAYDVQQDDBFQb2xhclNTTCBTZXJ2ZXIgMTCCASIwDQYJKoZI
 hvcNAQEBBQADggEPADCCAQoCggEBAKkCHz1AatVVU4v9Nu6CZS4VYV6Jv7joRZDb
 7ogWUtPxQ1BHlhJZZIdr/SvgRvlzvt3PkuGRW+1moG+JKXlFgNCDatVBQ3dfOXwJ
 BEeCsFc5cO2j7BUZHqgzCEfBBUKp/UzDtN/dBh9NEFFAZ3MTD0D4bYElXwqxU8Yw
 fhU5rPla7n+SnqYFW+cTl4W1I5LZ1CQG1QkliXUH3aYajz8JGb6tZSxk65Wb3P5B
 Xhem2mxbacwCuhQsFiScStzN0PdSZ3PxLaAj/X70McotcMqJCwTbLqZPcG6ezr1Y
 ieJTWZ5uWpJl4og/DJQZo93l6J2VE+0p26twEtxaymsXq1KCVLECAwEAATANBgkq
-hkiG9w0BAQUFAAOCAQEAPMRfR9ql7b06b5DdNyJhD96lBzuVSUOW2MgVHT2Vs7NB
-tk5L1htpA5N4uaIeyt6YM0xU0nHdHUKaywNcDiXcnzvRoctGWiWdpcEvdA0rYRF5
-T4MGPpjEuLJcG3aTU8mV8wUEbrY6IEnSpC1G9iasjhkwAF7pb/Ic8+/riwmPD/Fh
-zBrRfBCgi5VXbX9IvY+yQHRVRal8y+n4eh9/hFxBKDbvuidFropGzcuparEwCIRi
-U7L/7aZ3A5wsQp9GPDliSjpeYCf5tok/bvjG4xU041pGQ7yVNpu2mEIoqDz9v+Ay
-IKqsWradEnFG/1ov78a2RB+2+iIPE4iCDtmKUkgPjQ==
+hkiG9w0BAQUFAAOCAQEAOKzKoIMPjmKis0WH0t9/Bn5cMAPsBAgeqROeWqAs1N7j
+FIpCoyQW43t1rAtga946X6/IanTuLKScPkhNrcX4ASn0+DzaNxVelumjjfD6NEcn
+/Fnq0a+5oNcqXrM9lCBtqFnGcDoFJq3VMA3P+YCqZ9ZaYy30mOkZRVlddMQCpk7g
+RxVBLEaPL1DlSmR1hIvsHQ51DGU6xEnbrxGn19dFf1yfC+vnf5mhKPB8XGWd+IjZ
+WkYsfmBe2hwH58XNvVf0suX9aQS16vwqpPbPi3wQ2d3cX1/vCCW4cCYW7Pytc3Op
+pBjHEIkmil2/30+Rqk4SbZvo99MMPGIOREOJ81sNRw==
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server10-badsign.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/server10-badsign.crt
new file mode 100644
index 0000000000..eca171f351
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server10-badsign.crt
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
+A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
+YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD
+VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq
+oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY
+Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io
+rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ
+AzO3pJx7WJAApZuBX10=
+-----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server10-bs_int3.pem b/3rdparty/mbedtls/mbedtls/tests/data_files/server10-bs_int3.pem
new file mode 100644
index 0000000000..b84cee7c32
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server10-bs_int3.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
+A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
+YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD
+VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq
+oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY
+Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io
+rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ
+AzO3pJx7WJAApZuBX10=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBtDCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+YXRlIEVDIENBMB4XDTE1MDkwMTE0MDg0M1oXDTI1MDgyOTE0MDg0M1owSjELMAkG
+A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU
+ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
+2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNo
+ADBlAjAJRxbGRas3NBmk9MnGWXg7PT1xnRELHRWWIvfLdVQt06l1/xFg3ZuPdQdt
+Qh7CK80CMQD7wa1o1a8qyDKBfLN636uKmKGga0E+vYXBeFCy9oARBangGCB0B2vt
+pz590JvGWfM=
+-----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server10.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/server10.crt
new file mode 100644
index 0000000000..96a4040cef
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server10.crt
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
+A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
+YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD
+VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq
+oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY
+Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io
+rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ
+AzO3pJx7WJAApZuBX1Q=
+-----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server10_int3-bs.pem b/3rdparty/mbedtls/mbedtls/tests/data_files/server10_int3-bs.pem
new file mode 100644
index 0000000000..a9e06150bd
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server10_int3-bs.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G
+A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp
+YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD
+VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq
+oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY
+Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io
+rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ
+AzO3pJx7WJAApZuBX1Q=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBtDCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+YXRlIEVDIENBMB4XDTE1MDkwMTE0MDg0M1oXDTI1MDgyOTE0MDg0M1owSjELMAkG
+A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU
+ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
+2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNo
+ADBlAjAJRxbGRas3NBmk9MnGWXg7PT1xnRELHRWWIvfLdVQt06l1/xFg3ZuPdQdt
+Qh7CK80CMQD7wa1o1a8qyDKBfLN636uKmKGga0E+vYXBeFCy9oARBangGCB0B2vt
+pz590JvGWf0=
+-----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server2-sha256.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/server2-sha256.crt
index 006d9dbed1..f8a5b8b979 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server2-sha256.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server2-sha256.crt
@@ -1,21 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDfTCCAmWgAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
 MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTcwNTA5MTM1MTA1WhcNMjcwNTEwMTM1MTA1WjA0MQswCQYDVQQGEwJOTDERMA8G
+MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G
 A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
 AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
 owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
 NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
 tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
 hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
-HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaOBkjCBjzAd
-BgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwYwYDVR0jBFwwWoAUtFrkpbPe
-0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNVBAYTAk5MMREwDwYDVQQKDAhQb2xh
-clNTTDEZMBcGA1UEAwwQUG9sYXJTU0wgVGVzdCBDQYIBADAJBgNVHRMEAjAAMA0G
-CSqGSIb3DQEBCwUAA4IBAQAQf85QSjAeP+l6hirPorUL+k/3BznAh/6RXdveBO3K
-uwtqK5qI59+3N+ZLXP7fr2Z5eO8qpchRgNNwT0LKglAEXGWn30PYI1GKSiqAaK0X
-CUNIrxV3qKqOLbtqP1dMdiwsmiHYrN8E9UdysObedE2yDNLpTMHPJBZ+k6FowTyZ
-IpUuabkxMBFxmLv+nOBDOiaCzintEcdJdY4F6p5j8jwMvVNVAXNfxAEwa0MoVRTt
-/GORvq4ZEfsatVA+HRi602m+dZETTWKSODrj8AuQcG8/i1AOhk3C1WNOFKj/ZSfB
-2P6EQmhLeRp4bO+3rG73T3R2yn0PZYQ7ZrjFPPKqgu+n
+HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD
+VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw
+FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAGGEshT5
+kvnRmLVScVeUEdwIrvW7ezbGbUvJ8VxeJ79/HSjlLiGbMc4uUathwtzEdi9R/4C5
+DXBNeEPTkbB+fhG1W06iHYj/Dp8+aaG7fuDxKVKHVZSqBnmQLn73ymyclZNHii5A
+3nTS8WUaHAzxN/rajOtoM7aH1P9tULpHrl+7HOeLMpxUnwI12ZqZaLIzxbcdJVcr
+ra2F00aXCGkYVLvyvbZIq7LC+yVysej5gCeQYD7VFOEks0jhFjrS06gP0/XnWv6v
+eBoPez9d+CCjkrhseiWzXOiriIMICX48EloO/DrsMRAtvlwq7EDz4QhILz6ffndm
+e4K1cVANRPN2o9Y=
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server2-sha256.crt.der b/3rdparty/mbedtls/mbedtls/tests/data_files/server2-sha256.crt.der
new file mode 100644
index 0000000000000000000000000000000000000000..e66ad3676a8b7d7f1003413fe9f2178634a73e75
GIT binary patch
literal 827
zcmXqLVm3EuVv=9L%*4n9L<YQUoLX%jZQpqr8M#>*46F^g4LI4DLs{5_nf!bV1r7K?
z94;P?fc%`qqTpa3LrDX1kPtJE08B_BB(=Ci!P(J3PMp`!(7?#h$k4>Z#K0^{oYx4M
zYhXgqa3KQ$h~b<$`N@en8TrK}22G4g$gX5$WngY%<Yxeib1^kBGBO<WU3~ZXS=oy$
z*FB4N%v{4)@x;o;>%5h)*oCMkXBRVcEPp4LJ#Bf=mI?25i>mBYX8qY_vPR`=`2)3-
zo;e#dY8T#m)${D6%(OlK4zdJoHoLO;*TaovHzpiR+>#b#wn!~_)#{Qs_FBoN+gdl|
z7u@8P(e+IG9<5sJ_JX_1Ka*!G!-R*ongr5n*M(?zr&dl}_$cx4SqD#!cNsh%yW1|g
z?Z2>Nl_0ZReb@>qITs0j{?_hW-7ayDB#tHNA5ZK36?>!hvwEi{<IxFx_Ua!EPI&RX
zzjp8VarNxuthQB0m~3Xr+VQ_InGt=u*gI(24Z%e^4IP=5QJ48Q+>6u~JpTQa5Tn6#
zCT2zk#>Kt{-r$In6=q>FU@(vc2BRz=ix`W@Qq~tKJMP?1;13Y;O<0k#-nZL%vVlBE
zTA4+{K&(MzOVpF4o9|r;`nL1xvZ?&9?e-l1`yV;Lfyn|G;EW83Et^DsPWpLq#@3+1
z@F{|KIM#jLU2S$O*Zbthm^k(Q^|BgI^%Q3tp3@6lop|WZkuv?j{|!5N3w$e_FHhW1
zS0}hN+Ha9;$A7;0c9{!z*FE^C8Ppy+WffcH1iiZNr*h^@o$TJF=Wws&(#KRO8J>^k
zzi#!s&M@BAe&v5|z%KW7@w;W7cN@(Kna^Z;bJom^O~yyJ%c_QJuU*@E*=;&UrbNi@
zPkXm{tlo6!w`$SG7e5=+CnVTi6?v$#+2f&@)uqcT_%DBb9`$d1g%p3aee4f~#glgA
zRH<%`d9k{qnS-;=MktE!kJTGP0o{EuT5lXaKjiSxx0_#Ao>twowJ?C!<#XBMYXC0O
BLc0I}

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server2.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/server2.crt
index dca4c24230..33393ee1b1 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server2.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server2.crt
@@ -1,65 +1,8 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 2 (0x2)
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=NL, O=PolarSSL, CN=PolarSSL Test CA
-        Validity
-            Not Before: Feb 12 14:44:06 2011 GMT
-            Not After : Feb 12 14:44:06 2021 GMT
-        Subject: C=NL, O=PolarSSL, CN=localhost
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:c1:4d:a3:dd:e7:cd:1d:d1:04:d7:49:72:b8:99:
-                    ac:0e:78:e4:3a:3c:4a:cf:3a:13:16:d0:5a:e4:cd:
-                    a3:00:88:a7:ee:1e:6b:96:a7:52:b4:90:ef:2d:72:
-                    7a:3e:24:9a:fc:b6:34:ac:24:f5:77:e0:26:64:8c:
-                    9c:b0:28:7d:a1:da:ea:8c:e6:c9:1c:96:bc:fe:c1:
-                    04:52:b3:36:d4:a3:fa:e1:b1:76:d8:90:c1:61:b4:
-                    66:52:36:a2:26:53:aa:ab:74:5e:07:7d:19:82:db:
-                    2a:d8:1f:a0:d9:0d:1c:2d:49:66:f7:5b:25:73:46:
-                    e8:0b:8a:4f:69:0c:b5:00:90:e1:da:82:10:66:7d:
-                    ae:54:2b:8b:65:79:91:a1:e2:61:c3:cd:40:49:08:
-                    ee:68:0c:f1:8b:86:d2:46:bf:d0:b8:aa:11:03:1e:
-                    7f:56:a8:1a:1e:44:18:0f:0f:85:8b:da:8b:44:5e:
-                    e2:18:c6:62:2f:c7:66:8d:fa:5d:d8:7d:f3:27:89:
-                    29:01:c5:90:0e:3f:27:f1:30:c8:4a:0e:ef:d6:de:
-                    c7:c7:27:6b:c7:05:3d:7a:c4:02:3c:9a:1d:3e:0f:
-                    e8:34:98:5b:cb:73:4b:52:96:d8:11:a2:2c:80:88:
-                    69:39:5a:d3:0f:b0:de:59:2f:11:c7:f7:ea:12:01:
-                    30:97
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Subject Key Identifier: 
-                A5:05:E8:64:B8:DC:DF:60:0F:50:12:4D:60:A8:64:AF:4D:8B:43:93
-            X509v3 Authority Key Identifier: 
-                keyid:B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
-
-    Signature Algorithm: sha1WithRSAEncryption
-        9c:67:5c:29:58:a0:79:1b:a7:bd:1c:a8:1a:ec:19:72:f2:6c:
-        0e:f8:73:36:ce:e5:17:4b:12:01:6c:ee:b1:d5:4b:da:fe:73:
-        6f:77:96:e4:bf:29:d9:62:2d:27:19:a8:0c:d8:57:29:70:51:
-        f4:56:bc:a3:28:5a:11:d8:2a:9d:dd:10:84:b8:c5:35:e4:eb:
-        fe:73:5f:18:6f:f5:1c:3c:48:67:3c:aa:7e:af:21:31:e4:d5:
-        2d:66:3d:eb:ed:7a:48:1a:b1:8e:58:89:64:2e:33:78:78:61:
-        59:51:1f:71:c7:10:c0:03:d5:39:c0:7b:17:d7:1c:70:c5:40:
-        67:be:05:dd:62:01:bc:f5:fe:c1:fd:1f:c9:78:4a:dc:17:e9:
-        e8:2f:4c:ad:cc:c1:74:70:90:a9:2f:8c:a6:84:0c:0f:40:4d:
-        b6:71:d2:62:3c:2c:6b:31:4a:e0:aa:7b:da:fd:77:28:e6:b6:
-        d7:78:ec:9d:69:d5:1b:a5:cf:70:8b:cd:a4:5c:54:8b:92:45:
-        14:1f:68:3f:27:78:cf:5c:d5:2f:e2:27:f6:a6:4d:5a:89:c4:
-        0d:4a:39:d3:92:e7:bf:34:5a:13:df:48:0a:c0:fa:0e:2a:02:
-        64:a3:7a:57:37:a7:8c:16:a6:16:bc:ce:1b:98:c2:35:6e:5f:
-        a2:47:1b:47
 -----BEGIN CERTIFICATE-----
 MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
 MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
+A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
 AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN
 owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz
 NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM
@@ -67,11 +10,11 @@ tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P
 hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya
 HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD
 VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw
-FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJxnXClY
-oHkbp70cqBrsGXLybA74czbO5RdLEgFs7rHVS9r+c293luS/KdliLScZqAzYVylw
-UfRWvKMoWhHYKp3dEIS4xTXk6/5zXxhv9Rw8SGc8qn6vITHk1S1mPevtekgasY5Y
-iWQuM3h4YVlRH3HHEMAD1TnAexfXHHDFQGe+Bd1iAbz1/sH9H8l4StwX6egvTK3M
-wXRwkKkvjKaEDA9ATbZx0mI8LGsxSuCqe9r9dyjmttd47J1p1Rulz3CLzaRcVIuS
-RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8
-zhuYwjVuX6JHG0c=
+FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAAFzC0rF
+y6De8WMcdgQrEw3AhBHFjzqnxZw1ene4IBSC7lTw8rBSy3jOWQdPUWn+0y/pCeeF
+kti6sevFdl1hLemGtd4q+T9TKEKGg3ND4ARfB5AUZZ9uEHq8WBkiwus5clGS17Qd
+dS/TOisB59tQruLx1E1bPLtBKyqk4koC5WAULJwfpswGSyWJTpYwIpxcWE3D2tBu
+UB6MZfXZFzWmWEOyKbeoXjXe8GBCGgHLywvYDsGQ36HSGtEsAvR2QaTLSxWYcfk1
+fbDn4jSWkb4yZy1r01UEigFQtONieGwRFaUqEcFJHJvEEGVgh9keaVlOj2vrwf5r
+4mN4lW7gLdenN6g=
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server2.crt.der b/3rdparty/mbedtls/mbedtls/tests/data_files/server2.crt.der
new file mode 100644
index 0000000000000000000000000000000000000000..ec03190e12610688838c1ff3f27b0fb26632885d
GIT binary patch
literal 827
zcmXqLVm3EuVv=9L%*4n9L<YQUoLX%jZQpqr8Ch8w46F^g4LI4DLs{5_nf!bV1r7K?
z94;P?fc%`qqTpa3LrDX1kPtJE08B_BB(=Ci!P(J3PMp`!(7?#h$k4>Z#K0^{oYx4M
zYhXgqa3KQ$h~b<$`N@en8TrK}22G4g$gX5$WngY%<Yxeib1^kBGBO<WU3~ZXS=oy$
z*FB4N%v{4)@x;o;>%5h)*oCMkXBRVcEPp4LJ#Bf=mI?25i>mBYX8qY_vPR`=`2)3-
zo;e#dY8T#m)${D6%(OlK4zdJoHoLO;*TaovHzpiR+>#b#wn!~_)#{Qs_FBoN+gdl|
z7u@8P(e+IG9<5sJ_JX_1Ka*!G!-R*ongr5n*M(?zr&dl}_$cx4SqD#!cNsh%yW1|g
z?Z2>Nl_0ZReb@>qITs0j{?_hW-7ayDB#tHNA5ZK36?>!hvwEi{<IxFx_Ua!EPI&RX
zzjp8VarNxuthQB0m~3Xr+VQ_InGt=u*gI(24Z%e^4IP=5QJ48Q+>6u~JpTQa5Tn6#
zCT2zk#>Kt{-r$In6=q>FU@(vc2BRz=ix`W@Qq~tKJMP?1;13Y;O<0k#-nZL%vVlBE
zTA4+{K&(MzOVpF4o9|r;`nL1xvZ?&9?e-l1`yV;Lfyn|G;6OWyxxJ2_UU2VYvP>C^
zwlMF37Qv(aR?CmhF|8`!p&-)qF66_f4MC?X&PB5O2WI}etpAepdF!MbyEeW)S{9qA
z`?788J*}Vi!5U6&&Be|SSmN0yh@{TX6R6q~A*poewPjJ@r0ZK`OZ6{XX)`{*9kA}v
z$1A?kHoG0QwU#{cVtSe&qBBQ+*%>x()lR=@21;{cB76_ux{wzj*OU77rnu>{2<J_j
z+gHSy-usZ?B*l38H1`d@gA?vAyd-r|hv`e1<C4?fqB9DAn$~W3{>Wt7#C=BTy4jaQ
zS-KblwmeR%$PpA>swH^PQ)c!Nfz*Wdn{t_ve*M|65B|%3lw2`2?}6_1<>o5@#6dhp

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server2.key.der b/3rdparty/mbedtls/mbedtls/tests/data_files/server2.key.der
new file mode 100644
index 0000000000000000000000000000000000000000..9905ce76bf764b584ef3edb883b1f46be89eb2f3
GIT binary patch
literal 1192
zcmV;Z1Xueof&`=j0RRGm0RaHPO{3lC%^lGM*GY1?nXC?Y<T^Y`&pHzp&|2ipqX3Af
z?jCEFr&6?#?=5nAJ|vp_wlu6H^>^SVWQ?4!D1D*Y>Wt>e9G1NP!30vXHq@i~;jwnu
zkilWJW>PkyCR3`bbY2I28G_p?*dL(T4IC{=X7^hqb4KV3ice__wE&Re+JX>feXdk1
zi)DF{q2gh~%|J;A?r040i-yuhztFg<5d$87R;U^tL>Lbbg^SvYL|)<;#$qqWW{vt?
z*nRUSi75fakPbg5@i53r4)509$HymY#|1rl!~#5;9X=1}G?-h<b4yZ|*b$;EfQV^1
zTGJ1(-dQgZ$M@<I0Wg;W0|5X50)hbn0GCHZybyuK801;|;4L~1o)Fwa`xR`_{YZFh
z`RzF9-3ixUwLxUpWBQ#$3iv`3@w;AmAXAu2Wq*ceNaWA^Y9!(`y%e1+7UHCN)}riz
zLx;ZuT!<yvLAIswCsKs|D{dVY&2xzOkiQxJzNx<n(<4LD$6+e7PCQ}Mz1Xz+s0;Xh
zR?QC+C)(yavy7ZeggnDiSDYuB0(K@@f;qzzzHanHEgg(=K0}#V%kngGnqH;rpEhkP
z`J(61cv2h4_FF+|SAmJ?yP@70H#-wt%3%S9|KEc_Nq^S#E(rRN!hE!~3K!cBZFP!W
zG1X@KISaM6qs`Rsh>}`OY|H9fc>;lf0N*<KC0-;qCP0@j;7Ynu8&R)>1~McJ&qSzq
zr>(V&Sj@;Vw+*}qir}V<!gJ*sWRmFZOm7ROr}LWiZ)wUrBG476ASXfiLqdPClc5BK
z+MpcP#`lVz>RfoIRm5uri@<}+&VvQ`vKA}f20ys$7TQBI!H=-Gtgh6QxY}=O!vcYU
z0Nt(t&7g7`1&Z!3)NxDjKIOsTDT}6OFqr2O@7)pskR({}c9Q2kyCdPw`JvP}8$Tek
z4`phPRaZ9dvV=tZk%-}>-8)J^O?-y!;k82Vxna#%8FvD%Sb*CTJ;xuN?f<Np{LT4d
z1cQ-@4TeLE496RgO};P1e9c1j)2)vEodSV?7fX36Y#WVX!G*<YJAxbqTg}`OC39Pz
z*@RaRIdNl_^smEsUB`@osg~EnhXR&yeqSy;Hm+Hc*E$J!x$1Ai7DC)hmaQzZAR}Qd
zjkN+E;cS5cJYCD(n-0J)loGQ3b#;q$9(pDWw}F;{d2ZXhI>erb32vaK?2Dv@an1y<
z0)c@5!ly?ENNUK`vmoJ^?*CeEFnXm&K-?B$Lh&rzxW`rA2Rxmz(BA@rut-?pG^@|F
zg(D_-PkLEz`;0x`J!}F;oaJ6g@dXPXzeo?<5V<`a5O*qb`QN?G^B?POWXdaePxy1f
z5bt@FGah+03IB*2v_4GXCoXk>SP=suBbJ)A0)c=95@d0M0381BgX-NZ$SeS29*;WP
z9IMtei_x-LPdzs{0^rwh!LUc*2pWX!NX2}1gA!+}e4mh)$d3o~vtaT+Nf_HMlxtI-
zqGR4;*{dNgEehb!=(@yA9;NkBsKk=^e<9~(zYFF8ubdrQY(E??rVnU1j)lZ*crR}T
GAud+Y;XMKX

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server5.crt.der b/3rdparty/mbedtls/mbedtls/tests/data_files/server5.crt.der
new file mode 100644
index 0000000000000000000000000000000000000000..08d8dd311b525fd51171a1019ad3194dad91580a
GIT binary patch
literal 547
zcmXqLVv;v#VqCg_nTe5!iILNQi;Y98&EuRc3p0~}ogudYCmVAp3!5;LpO2xS0Y8Yt
zCCm|!pOaV=9PDE#V;}_*Vipz#3l$gVD1@XImngV8D>yqE$cghB8XH&|nHZXy8X1^G
ziSrtPxJFQ}feAtLg$x8B=5yxcCnx4)<QJD1L>dUQv4h>n#0YgPGb1~*69bF+nXsE>
zoN`e`cE=-i|10FZtNF<`vE;&9k*(h|lp>QR`8{R0p)C0SmHs7@*jTZ>T^)zA%Xvf3
zc4_hbVmz_s?f=D%a}642fxRp%%)(^AU?2;$U6zkUj720MacTb*_M6w67<rzi*7qd4
zEf?NrkOz`hW=S_lZ4jB8tDxe^Xs>;`VyonyI+c^Rf1A}TbXwv-X(%>vG8}Y%RF~v@
z<^^)(FlR6rq%s*Y%+iUuzU=m*rzyN2cKY4Do_I~z@c8QDhTWGh7Ym21ox~lx`of;?
z>-3*3RMa$`y2{Ry$w1Mpe(tf@W8ACNKdH)Ee?0%uR8{2p(~r})Mm~-ctx4NCq53$Z
RfPe8Z2E`yPzK_SR0ss?|s)_&r

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server5.key.der b/3rdparty/mbedtls/mbedtls/tests/data_files/server5.key.der
new file mode 100644
index 0000000000000000000000000000000000000000..6bd4ebb81c1f833140b5a097ef464bc9deffeb75
GIT binary patch
literal 121
zcmV-<0EYiCcLD(c1R(J$6Cid1aHu@L{ZsY>9`|ZphRC7>^1}?N>-8TG4yT|B1_&yK
zNX|V20SBQ(13~}<H_TSqb_pI@az4jdE&m{H?tJ+Mk#x|l6t(wgB3WXRPUQgDBN6}V
bFVZw!T^7BHh{9`k4OPvGDh~Pq$h7VMBnLAL

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/server5.req.ku.sha1 b/3rdparty/mbedtls/mbedtls/tests/data_files/server5.req.ku.sha1
index 6f3b7aaf4e..3281c94608 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/server5.req.ku.sha1
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/server5.req.ku.sha1
@@ -1,8 +1,8 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIBFzCBvAIBADA8MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGjAY
-BgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
+MIIBFjCBvAIBADA8MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGjAY
+BgNVBAMMEVBvbGFyU1NMIFNlcnZlciAxMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
 QgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/6i/SNF1d
 Fr2KiMJrdw1VzYoqDvoByLTt/6AeMBwGCSqGSIb3DQEJDjEPMA0wCwYDVR0PBAQD
-AgbAMAsGByqGSM49BAEFAANJADBGAiEAmhkNVnF6mGzzyHxGMMuUM2tYw5/y5tlF
-3424Bs7DbG8CIQCJteTtpZ8RJ7PjpxcmVpP4fcYHFTR50zoc9jOV0AYPLQ==
+AgbAMAsGByqGSM49BAEFAANIADBFAiEAnIKF+xKk0iEuN4MHd4FZWNvrznLQgkeg
+2n8ejjreTzcCIAH34z2TycuMpWQRhpV+YT988pBWR67LAg7REyZnjSAB
 -----END CERTIFICATE REQUEST-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-alt-good.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-alt-good.crt
index 50c1453582..f9beba0329 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-alt-good.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-alt-good.crt
@@ -20,9 +20,9 @@ QHOkQQQJM9UoV0fEA1N5lsc9uSQxPmZCVMw/W+MFIEkH6nbgh0bM/qjcaqDsWXyT
 n5RutVDPESLLKaZxeR7J8srX/0nzhOiPIX+hDRWqhwQLxVkkRs6MxVDoiw==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
 MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTcwNTA0MTY1NzAxWhcNMjcwNTA1MTY1NzAxWjA7MQswCQYDVQQGEwJOTDERMA8G
+MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
 A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
 CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
 mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
@@ -30,13 +30,12 @@ mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
 YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
 R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
 KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA
-FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE
-CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T
-BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHK/HHrTZMnnVMpde1io+voAtql7j
-4sRhLrjD7o3THtwRbDa2diCvpq0Sq23Ng2LMYoXsOxoL/RQK3iN7UKxV3MKPEr0w
-XQS+kKQqiT2bsfrjnWMVHZtUOMpm6FNqcdGm/Rss3vKda2lcKl8kUnq/ylc1+QbB
-G6A6tUvQcr2ZyWfVg+mM5XkhTrOOXus2OLikb4WwEtJTJRNE0f+yPODSUz0/vT57
-ApH0CnB80bYJshYHPHHymOtleAB8KSYtqm75g/YNobjnjB6cm4HkW3OZRVIl6fYY
-n20NRVA1Vjs6GAROr4NqW4k/+LofY9y0LLDE+p0oIEKXIsIvhPr39swxSA==
+UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
+MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBCwUA
+A4IBAQB2W2dIy4q4KysbrTL4HIaOqu62RceGuQ/KhyiI6O0ndCtQ/PgCBqHHTP8u
+8F1X2ivb60ynHV6baMLPI4Kf1k4MONtLSf/++1qh0Gdycd3A8IDAfy0YnC1F3OPK
+vWO/cZGitKoTbEpP4y4Rng3sFCDndRCWIRIDOEEW/H3lCcfL7sOQojdLl85ajFkh
+YvcDqjmnTcspUnuq9Y00C7porXJthZwz1S18qVjcFNk0zEhVMUbupSrdXVmKtOJW
+MWZjgcA+OXzcnb2hSKWbhjykH/u6/PqkuHPkD723rwXbmHdxRVS9CW57kDkn5ezJ
+5pE6Sam4qFsCNFJNBV9FRf3ZBMFi
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-good-alt.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-good-alt.crt
index 9edf4c228a..f360a7696c 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-good-alt.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-good-alt.crt
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
 MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTcwNTA0MTY1NzAxWhcNMjcwNTA1MTY1NzAxWjA7MQswCQYDVQQGEwJOTDERMA8G
+MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
 A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
 CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
 mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
@@ -9,15 +9,14 @@ mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
 YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
 R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
 KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA
-FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE
-CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T
-BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHK/HHrTZMnnVMpde1io+voAtql7j
-4sRhLrjD7o3THtwRbDa2diCvpq0Sq23Ng2LMYoXsOxoL/RQK3iN7UKxV3MKPEr0w
-XQS+kKQqiT2bsfrjnWMVHZtUOMpm6FNqcdGm/Rss3vKda2lcKl8kUnq/ylc1+QbB
-G6A6tUvQcr2ZyWfVg+mM5XkhTrOOXus2OLikb4WwEtJTJRNE0f+yPODSUz0/vT57
-ApH0CnB80bYJshYHPHHymOtleAB8KSYtqm75g/YNobjnjB6cm4HkW3OZRVIl6fYY
-n20NRVA1Vjs6GAROr4NqW4k/+LofY9y0LLDE+p0oIEKXIsIvhPr39swxSA==
+UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
+MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBCwUA
+A4IBAQB2W2dIy4q4KysbrTL4HIaOqu62RceGuQ/KhyiI6O0ndCtQ/PgCBqHHTP8u
+8F1X2ivb60ynHV6baMLPI4Kf1k4MONtLSf/++1qh0Gdycd3A8IDAfy0YnC1F3OPK
+vWO/cZGitKoTbEpP4y4Rng3sFCDndRCWIRIDOEEW/H3lCcfL7sOQojdLl85ajFkh
+YvcDqjmnTcspUnuq9Y00C7porXJthZwz1S18qVjcFNk0zEhVMUbupSrdXVmKtOJW
+MWZjgcA+OXzcnb2hSKWbhjykH/u6/PqkuHPkD723rwXbmHdxRVS9CW57kDkn5ezJ
+5pE6Sam4qFsCNFJNBV9FRf3ZBMFi
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-sha1.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-sha1.crt
index 7cb35d48b2..e8b537c727 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-sha1.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-sha1.crt
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
 MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTcwNTA0MTY1NzAxWhcNMjcwNTA1MTY1NzAxWjA7MQswCQYDVQQGEwJOTDERMA8G
+MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
 A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
 CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
 mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
@@ -9,13 +9,12 @@ mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
 YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
 R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
 KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA
-FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE
-CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T
-BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAfDd5khSv/+K3De9qmH/ID3CVapGS
-EN5MlXS5vvGCjZSA41MuXkUl11akKHXQ9aLlp85OZUdGbfQ5wwCoj/MymbT4fES2
-1dI8O1oI3PZI/0dqEvQETlIwSoZV2c/oaPRfh2E99v2+8FNIaZOfV2MX1n9+6AdO
-W2nlK2oklozXSYg6KWtISr8N8Ofew2LQ9+riFlrrdaxsr8CoJqPqMDTq7FUmkDmO
-oHize/h9bFksIunKoVQHa8P4w/W9bnR69nziyhZotbwOOkAWVnIyEM9QnaKWXeIy
-rP6ewcTQjNYkguHJ8RY9rW+5bdaSY4EljSqZ3P3F+zo8P6sVi3qSlai5lQ==
+UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
+MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA
+A4IBAQABE3OEPfEd/bcJW5ZdU3/VgPNS4tMzh8gnJP/V2FcvFtGylMpQq6YnEBYI
+yBHAL4DRvlMY5rnXGBp3ODR8MpqHC6AquRTCLzjS57iYff//4QFQqW9n92zctspv
+czkaPKgjqo1No3Uq0Xaz10rcxyTUPrf5wNVRZ2V0KvllvAAVSzbI4mpdUXztjhST
+S5A2BeWQAAOr0zq1F7TSRVJpJs7jmB2ai/igkh1IAjcuwV6VwlP+sbw0gjQ0NpGM
+iHpnlzRAi/tIbtOvMIGOBU2TIfax/5jq1agUx5aPmT5TWAiJPOOP6l5xXnDwxeYS
+NWqiX9GyusBZjezaCaHabjDLU0qQ
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-sha1.crt.der b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-sha1.crt.der
new file mode 100644
index 0000000000000000000000000000000000000000..039fb9e43004e622bd1404116f68208800005c6d
GIT binary patch
literal 837
zcmXqLVs<oWV$xi|%*4pV#K>&G%f_kI=F#?@mywZ`mBGN;klTQhjX9KsO_<5g$57CK
zAH?C};RwjjNh}Hu_A!(+5C;h{^9aC%6hcyqOB9?P4dldm4Gj&942=v;OiT<6qQrTP
zkhzo@-o&Vc>{v!t2IeM4eg=akMlPl%Mn;AM_s#!^?|v|Cu6^6RX-2g!OT`wPRs1;f
z%9~fGYa}8#rYwCk`)K!lDY=;zGu!2=5A<5zw}>sMV81-?=HwSUivo|HTWk=t^3!vN
z0+G`$i;B1pJ$3kL_jDQG=AUo8k`L_AWGI;vZoOhD%Y?#@dz)|CUt9XfMyvn5dcxsj
z^H1-3lTf?;S&Pv=|KAa6O3cw$wp{)F_3<>lf&)+V_Wsd(_sB8yfQeqMN>S!%_l+VB
z&9&)Y+P)dC{#dzW(^fs9pDp4alJeE<gd;YF@G8zKHeYCPK7Z1kZ!iC>xvi&hv5v`G
zd4cFBi_{d(S3G%r(&7sWPi&rja`nr@pU$^W>u+E(nm02df6-MYW=00a#Q_F>20Xy{
zkrifPHDG3B{BIx&;_<PFv50Jmda`u$y-Pvgc3xdJmH)Nfp5uT28_0vCm02VV#2T<G
zKusXPFb7&AT-;*&QTFe4&gf~e!Sz=gJ_kLzY}|fAUFHAP8{zt57dK5g6|j1lx_}tR
z3Bd#U4Hx$XOFY|oT|%nd!lcG%Ry+3st(_u=^erwu-!Y^1|Nn=K0W0&<zvtZ9b}GNv
zQp#q9@~U3n#id#o%Qj#4x^rCRirw~~2d)ODr<Q2_Ox?pE>TP!7QC4hV&D%ba$=(yp
zSf5T{U|xOMYODB`ORhngYUdu$ke${2W5Fa@4<>WHgK<+21^?T)$E3-`#B5?uM^*ZC
z6Nm2K9(kA78#MN@`c78-w(<XrS65ev9G})d(=IrIqtoVb|EsvdxPlKyp9z^}EsDRm
VY1e_s-Z!^67v9P<I34UY0RSLGRcrtN

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-sha256.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-sha256.crt
index b14e405dd2..9b08fe20a6 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-sha256.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-sha256.crt
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
+MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
 MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
-MTcwNTA0MTY1NzAxWhcNMjcwNTA1MTY1NzAxWjA7MQswCQYDVQQGEwJOTDERMA8G
+MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
 A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
 CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
 mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
@@ -9,13 +9,12 @@ mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
 YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
 R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
 KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA
-FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE
-CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T
-BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHK/HHrTZMnnVMpde1io+voAtql7j
-4sRhLrjD7o3THtwRbDa2diCvpq0Sq23Ng2LMYoXsOxoL/RQK3iN7UKxV3MKPEr0w
-XQS+kKQqiT2bsfrjnWMVHZtUOMpm6FNqcdGm/Rss3vKda2lcKl8kUnq/ylc1+QbB
-G6A6tUvQcr2ZyWfVg+mM5XkhTrOOXus2OLikb4WwEtJTJRNE0f+yPODSUz0/vT57
-ApH0CnB80bYJshYHPHHymOtleAB8KSYtqm75g/YNobjnjB6cm4HkW3OZRVIl6fYY
-n20NRVA1Vjs6GAROr4NqW4k/+LofY9y0LLDE+p0oIEKXIsIvhPr39swxSA==
+UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
+MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBCwUA
+A4IBAQB2W2dIy4q4KysbrTL4HIaOqu62RceGuQ/KhyiI6O0ndCtQ/PgCBqHHTP8u
+8F1X2ivb60ynHV6baMLPI4Kf1k4MONtLSf/++1qh0Gdycd3A8IDAfy0YnC1F3OPK
+vWO/cZGitKoTbEpP4y4Rng3sFCDndRCWIRIDOEEW/H3lCcfL7sOQojdLl85ajFkh
+YvcDqjmnTcspUnuq9Y00C7porXJthZwz1S18qVjcFNk0zEhVMUbupSrdXVmKtOJW
+MWZjgcA+OXzcnb2hSKWbhjykH/u6/PqkuHPkD723rwXbmHdxRVS9CW57kDkn5ezJ
+5pE6Sam4qFsCNFJNBV9FRf3ZBMFi
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-sha256.crt.der b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca-sha256.crt.der
new file mode 100644
index 0000000000000000000000000000000000000000..80a47e8d32e71d42d1e6d91a0182132e4d41de7b
GIT binary patch
literal 837
zcmXqLVs<oWV$xi|%*4pV#K>&G%f_kI=F#?@mywa1mBGN;klTQhjX9KsO_<5g$57CK
zAH?C};RwjjNh}Hu_A!(+5C;h{^9aC%6hcyqOB9?P4dldm4Gj&942=v;OiT<6qQrTP
zkhzo@-o&Vc>{v!t2IeM4eg=akMlPl%Mn;AM_s#!^?|v|Cu6^6RX-2g!OT`wPRs1;f
z%9~fGYa}8#rYwCk`)K!lDY=;zGu!2=5A<5zw}>sMV81-?=HwSUivo|HTWk=t^3!vN
z0+G`$i;B1pJ$3kL_jDQG=AUo8k`L_AWGI;vZoOhD%Y?#@dz)|CUt9XfMyvn5dcxsj
z^H1-3lTf?;S&Pv=|KAa6O3cw$wp{)F_3<>lf&)+V_Wsd(_sB8yfQeqMN>S!%_l+VB
z&9&)Y+P)dC{#dzW(^fs9pDp4alJeE<gd;YF@G8zKHeYCPK7Z1kZ!iC>xvi&hv5v`G
zd4cFBi_{d(S3G%r(&7sWPi&rja`nr@pU$^W>u+E(nm02df6-MYW=00a#Q_F>20Xy{
zkrifPHDG3B{BIx&;_<PFv50Jmda`u$y-Pvgc3xdJmH)Nfp5uT28_0vCm02VV#2T<G
zKusXPFlS^ai%$1A-L*qoTY9b051F>URqwXB9&g*pf2v)h<HcL`677ILKbY7S9{2gL
z_aQd?miFz}KFej}W@j8auiP~MnjeqFZEw&2|9(d;ypUd0c=y1Eh6DAw5_5E2?>s)W
zH+g^I#6??H3FmnEKh_hR$NNS^;d!aRG({n13rDd(wNE*ZpMH0E!Xk6;>F1()A{CRq
zGq18-?t5A@sCw1cUK8$J8EcDjTjv;G)vZ|>aYy8)$r+DOL$`NJweH47c5QhSW|)@T
zc)-rG=FZ%`3q6+3ZnIe;|9jV;UrTlrKjGiIeLd^#8RdnpA$vLVswY^gKYerZ*+eVP
Wl{;2MGnoYWvc|i*{=La^FbM!-?pDnJ

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca.crt
index f0eee2b829..e8b537c727 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca.crt
@@ -1,80 +1,20 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=NL, O=PolarSSL, CN=PolarSSL Test CA
-        Validity
-            Not Before: Feb 12 14:44:00 2011 GMT
-            Not After : Feb 12 14:44:00 2021 GMT
-        Subject: C=NL, O=PolarSSL, CN=PolarSSL Test CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:c0:df:37:fc:17:bb:e0:96:9d:3f:86:de:96:32:
-                    7d:44:a5:16:a0:cd:21:f1:99:d4:ec:ea:cb:7c:18:
-                    58:08:94:a5:ec:9b:c5:8b:df:1a:1e:99:38:99:87:
-                    1e:7b:c0:8d:39:df:38:5d:70:78:07:d3:9e:d9:93:
-                    e8:b9:72:51:c5:ce:a3:30:52:a9:f2:e7:40:70:14:
-                    cb:44:a2:72:0b:c2:e5:40:f9:3e:e5:a6:0e:b3:f9:
-                    ec:4a:63:c0:b8:29:00:74:9c:57:3b:a8:a5:04:90:
-                    71:f1:bd:83:d9:3f:d6:a5:e2:3c:2a:8f:ef:27:60:
-                    c3:c6:9f:cb:ba:ec:60:7d:b7:e6:84:32:be:4f:fb:
-                    58:26:22:03:5b:d4:b4:d5:fb:f5:e3:96:2e:70:c0:
-                    e4:2e:bd:fc:2e:ee:e2:41:55:c0:34:2e:7d:24:72:
-                    69:cb:47:b1:14:40:83:7d:67:f4:86:f6:31:ab:f1:
-                    79:a4:b2:b5:2e:12:f9:84:17:f0:62:6f:27:3e:13:
-                    58:b1:54:0d:21:9a:73:37:a1:30:cf:6f:92:dc:f6:
-                    e9:fc:ac:db:2e:28:d1:7e:02:4b:23:a0:15:f2:38:
-                    65:64:09:ea:0c:6e:8e:1b:17:a0:71:c8:b3:9b:c9:
-                    ab:e9:c3:f2:cf:87:96:8f:80:02:32:9e:99:58:6f:
-                    a2:d5
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
-            X509v3 Authority Key Identifier: 
-                keyid:B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
-                DirName:/C=NL/O=PolarSSL/CN=PolarSSL Test CA
-                serial:00
-
-    Signature Algorithm: sha1WithRSAEncryption
-        b8:fd:54:d8:00:54:90:8b:25:b0:27:dd:95:cd:a2:f7:84:07:
-        1d:87:89:4a:c4:78:11:d8:07:b5:d7:22:50:8e:48:eb:62:7a:
-        32:89:be:63:47:53:ff:b6:be:f1:2e:8c:54:c0:99:3f:a0:b9:
-        37:23:72:5f:0d:46:59:8f:d8:47:cd:97:4c:9f:07:0c:12:62:
-        09:3a:24:e4:36:d9:e9:2c:da:38:d0:73:75:61:d7:c1:6c:26:
-        8b:9b:e0:d5:dc:67:ed:8c:6b:33:d7:74:22:3c:4c:db:b5:8d:
-        2a:ce:2c:0d:08:59:05:09:05:a6:39:9f:b3:67:1b:e2:83:e5:
-        e1:8f:53:f6:67:93:c7:f9:6f:76:44:58:12:e8:3a:d4:97:e7:
-        e9:c0:3e:a8:7a:72:3d:87:53:1f:e5:2c:84:84:e7:9a:9e:7f:
-        66:d9:1f:9b:f5:13:48:b0:4d:14:d1:de:b2:24:d9:78:7d:f5:
-        35:cc:58:19:d1:d2:99:ef:4d:73:f8:1f:89:d4:5a:d0:52:ce:
-        09:f5:b1:46:51:6a:00:8e:3b:cc:6f:63:01:00:99:ed:9d:a6:
-        08:60:cd:32:18:d0:73:e0:58:71:d9:e5:d2:53:d7:8d:d0:ca:
-        e9:5d:2a:0a:0d:5d:55:ec:21:50:17:16:e6:06:4a:cd:5e:de:
-        f7:e0:e9:54
 -----BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
 MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
+A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
 CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
 mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
 50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
 YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
 R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
 KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH
-/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV
-BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz
-dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ
-SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H
-DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF
-pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf
-m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ
-7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==
+UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
+MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA
+A4IBAQABE3OEPfEd/bcJW5ZdU3/VgPNS4tMzh8gnJP/V2FcvFtGylMpQq6YnEBYI
+yBHAL4DRvlMY5rnXGBp3ODR8MpqHC6AquRTCLzjS57iYff//4QFQqW9n92zctspv
+czkaPKgjqo1No3Uq0Xaz10rcxyTUPrf5wNVRZ2V0KvllvAAVSzbI4mpdUXztjhST
+S5A2BeWQAAOr0zq1F7TSRVJpJs7jmB2ai/igkh1IAjcuwV6VwlP+sbw0gjQ0NpGM
+iHpnlzRAi/tIbtOvMIGOBU2TIfax/5jq1agUx5aPmT5TWAiJPOOP6l5xXnDwxeYS
+NWqiX9GyusBZjezaCaHabjDLU0qQ
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca.crt.der b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca.crt.der
new file mode 100644
index 0000000000000000000000000000000000000000..039fb9e43004e622bd1404116f68208800005c6d
GIT binary patch
literal 837
zcmXqLVs<oWV$xi|%*4pV#K>&G%f_kI=F#?@mywZ`mBGN;klTQhjX9KsO_<5g$57CK
zAH?C};RwjjNh}Hu_A!(+5C;h{^9aC%6hcyqOB9?P4dldm4Gj&942=v;OiT<6qQrTP
zkhzo@-o&Vc>{v!t2IeM4eg=akMlPl%Mn;AM_s#!^?|v|Cu6^6RX-2g!OT`wPRs1;f
z%9~fGYa}8#rYwCk`)K!lDY=;zGu!2=5A<5zw}>sMV81-?=HwSUivo|HTWk=t^3!vN
z0+G`$i;B1pJ$3kL_jDQG=AUo8k`L_AWGI;vZoOhD%Y?#@dz)|CUt9XfMyvn5dcxsj
z^H1-3lTf?;S&Pv=|KAa6O3cw$wp{)F_3<>lf&)+V_Wsd(_sB8yfQeqMN>S!%_l+VB
z&9&)Y+P)dC{#dzW(^fs9pDp4alJeE<gd;YF@G8zKHeYCPK7Z1kZ!iC>xvi&hv5v`G
zd4cFBi_{d(S3G%r(&7sWPi&rja`nr@pU$^W>u+E(nm02df6-MYW=00a#Q_F>20Xy{
zkrifPHDG3B{BIx&;_<PFv50Jmda`u$y-Pvgc3xdJmH)Nfp5uT28_0vCm02VV#2T<G
zKusXPFb7&AT-;*&QTFe4&gf~e!Sz=gJ_kLzY}|fAUFHAP8{zt57dK5g6|j1lx_}tR
z3Bd#U4Hx$XOFY|oT|%nd!lcG%Ry+3st(_u=^erwu-!Y^1|Nn=K0W0&<zvtZ9b}GNv
zQp#q9@~U3n#id#o%Qj#4x^rCRirw~~2d)ODr<Q2_Ox?pE>TP!7QC4hV&D%ba$=(yp
zSf5T{U|xOMYODB`ORhngYUdu$ke${2W5Fa@4<>WHgK<+21^?T)$E3-`#B5?uM^*ZC
z6Nm2K9(kA78#MN@`c78-w(<XrS65ev9G})d(=IrIqtoVb|EsvdxPlKyp9z^}EsDRm
VY1e_s-Z!^67v9P<I34UY0RSLGRcrtN

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca.key.der b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca.key.der
new file mode 100644
index 0000000000000000000000000000000000000000..4678a1ab399d782c4e472d95f679000231120e75
GIT binary patch
literal 1192
zcmV;Z1Xueof&`=j0RRGm0RaHO-#7dhyWp0cKZf3xGJQm)7NE@`@tM@@>dSl>SO}D*
z?3=}l-x?m7IGKkYd%%r3-#A@xcn8y-*^}tGa#6+3qcBpb^5;Ns6w5@Satp%cK>0r9
zrVg|D>`G(6xG4a1oL4)jr38?1@x6oDKh~w<JSvaxCt$<IpUb-JV12jdgfhNQ`&cF-
z16$Oz)%*41mM(C><SxDZF7Dz%RlqbZeI#;e%SW*kK!bf}^oI5^tMPfHvb8P}`Ggnn
zVs9rt6IiiS4I!FyH=!`kZ<5^h>HMtQE-2A{0!t&H74kS`WC`jFZjKulpmE5vo5`!`
z!}8CEmXCk}GM<@OZ=%%#0|5X50)hbmKlcaIG;iC<H@Ae`H$~xNt+=*zvBx#EcPd+V
z`F`NRqtUm^sanB@+FJS-<kdI>-e{PC?6vYLjp;1&rsXmhe=~vTIC9mT`cC^M^%V=R
zgl4M(;271BeAbW2OLhn=9f4>t;reiF6HX8VH9p14SRjfa7&xF0?Zmr9Z}o&*u+L7N
zSQBeCHEE&J#PY#N1RznlYouMJON59+NSQ3Vq?gv#820R3(J@KM@{bEm?+F6_ef_(y
zD}$6G#HT)H_25_B^6e}>fpm5rmTz<(G7c0m&~)(h2ff45BEqPZk_LZ60+GDkBLRt&
zAVg&K9cR*y=xL=XCFW3^<LS$F0)c@5;we6=Yt>mEoaRT>w%6nFj-Kg*Ul5;T>;y#2
zKls@?7vN9+*iFqwRCK=z#AlqR*okFK{a7kT5A-*-Rj?iHr#bvjqr`POqnM{f^=8X_
zW&405=KuYfAC7DPUXy0uY;VK%I4=KbwXCkY#&H&F(D)+R_@Z(k(&9RBOWvz50)c@5
z+EJUhvMLmHSU`;@aQZPwupl8c`b<}-5s34rt|95RE78rT_}C1Jb|N)I&Oaq7gME3Y
zG1ly|zuGjm_Od(kcv=L5Gd`l?fr1m%H5X%>p2UrjOaphvaa-<#ZPj>)_AGhAO0;>9
zaKGO)R+e$&4rr0Q>dQ00zD3vkF#Q2L0)c@5(w{1~I2p$mm2-Hm^~-gGe;G^5hWknt
znzk1NNe7MgW=aP31*hL;f;|7W9ao7nUz`PXfAd}3G-YyyBBT@>LBr(Go@v$VICOAB
z+}Tj%mu+*_`^cyIw8F%lT@2Nqd9zf)w`@Iq%PsiC^LSb_D!2@72Kw@1(?Za_$V#OR
z0)c@5)Txja-oGrwjh*|U!sLVFd1WHgw@GYGlpi9oVCOmju{ffu543Em=bkj<d_Z_p
zviT$GpqlDn$d9J4-zf=81|Bi37uwj-=`*Wa7zkU3_@y8HyWH6AmsjM&bJp;l0j8Ts
zj(W7a<%p5RD&I@G(2G6;mv=8meo+jrWsTm40)c=aBoETB!YDhJAhME4>j`K;vcA#7
zgOoHl*2(NN3Hd>7Ttbxh1pG2NX}lc!K4F-^fY>%i!)?MY=Yc90G-NPNmb)evxj{Dm
ziq=zns_Z#JQ19cj0Vp!cZS|TSpEth#I3OaCjLnq-@=b3Vv_tS2-(|p(=bbMJ=j>^y
G!jBEQxnExZ

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca2.crt.der b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca2.crt.der
new file mode 100644
index 0000000000000000000000000000000000000000..bb0b51f9dcf5d8750011d43d0799034b8dd5107f
GIT binary patch
literal 598
zcmXqLVhS>7V!Xb9nTe5!iId@=^P{>X=QA%1xY#(f+C0wLvM@6l*coygaI!Invaks=
z`S}<M8t{WST*4dy`8kP2!NER;G6qs0A!cD=uuySvjzUOkafyPfvx2juft)z6p|OFb
zk%^(HiKU4}lsK;uh-(DpQfz*ifdCsj*tJZIY^>UiEDTD_NenE9Z)ux2nn&ojhyDB0
zxl7a8+wVc%VZQKSW6OvuL0cwHwd7X5A1|(w<nc#ps^&Qz-S$HrK@ID#Wvy1cyW_G<
zUc`=5FE(ZNeRf={d3Z~F>2mk{tCE_bnX`he6}F^_B^b*sZd_o{IM+ZH=yO><7BLo)
zxw#4|o{aX|rz^Hf?x|BbdHc6njX@qrTA3x?AhiLjf`v{?94HNeCZvet0of<a!fL?G
z$oL;Q8ksX04APhk84hnrDh|__%1~P&q;{#WTJlHN47*AHjORV6y!5YXdwYqE_KxeB
zQ@9tWm+#oT@1mIzP|M%+Ia8F=4}|UVHWp<#_V|n;ht8btTPsVI^>=7I|1?L$%7HOv
RJ<q1|CG`gLIh@xj003IoyI=qS

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca2.key.der b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca2.key.der
new file mode 100644
index 0000000000000000000000000000000000000000..bf64141aaef8c4820c385bf55303706db2846d4d
GIT binary patch
literal 167
zcmV;Y09gMpfusTf0R%9E*%c0;aqw3VGov`ThQX#0U2U`j;VE`S*N1N-t3)8`WP63N
zcISnas&v-Tq+aTv2L=Tzfdl{|p=1MM00hI@D>OkjSTBcG{``r$DML$6;BLbXS5q@N
zSkzLqk(D_MBi~;aBw|SX8kH%|EG>t^h*E&B)@rLE-MG^nZdka==(1^!^FggC!?a&@
Vr$=wq87Wn1no~O<v}P7yGaeU<NG<>X

literal 0
HcmV?d00001

diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca2.key.enc b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca2.key.enc
new file mode 100644
index 0000000000..bb70990126
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca2.key.enc
@@ -0,0 +1,9 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,307EAB469933D64E
+
+IxbrRmKcAzctJqPdTQLA4SWyBYYGYJVkYEna+F7Pa5t5Yg/gKADrFKcm6B72e7DG
+ihExtZI648s0zdYw6qSJ74vrPSuWDe5qm93BqsfVH9svtCzWHW0pm1p0KTBCFfUq
+UsuWTITwJImcnlAs1gaRZ3sAWm7cOUidL0fo2G0fYUFNcYoCSLffCFTEHBuPnagb
+a77x/sY1Bvii8S9/XhDTb6pTMx06wzrm
+-----END EC PRIVATE KEY-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca_cat12.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca_cat12.crt
index 5e4bf063d9..d989e3b133 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca_cat12.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca_cat12.crt
@@ -1,82 +1,22 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=NL, O=PolarSSL, CN=PolarSSL Test CA
-        Validity
-            Not Before: Feb 12 14:44:00 2011 GMT
-            Not After : Feb 12 14:44:00 2021 GMT
-        Subject: C=NL, O=PolarSSL, CN=PolarSSL Test CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:c0:df:37:fc:17:bb:e0:96:9d:3f:86:de:96:32:
-                    7d:44:a5:16:a0:cd:21:f1:99:d4:ec:ea:cb:7c:18:
-                    58:08:94:a5:ec:9b:c5:8b:df:1a:1e:99:38:99:87:
-                    1e:7b:c0:8d:39:df:38:5d:70:78:07:d3:9e:d9:93:
-                    e8:b9:72:51:c5:ce:a3:30:52:a9:f2:e7:40:70:14:
-                    cb:44:a2:72:0b:c2:e5:40:f9:3e:e5:a6:0e:b3:f9:
-                    ec:4a:63:c0:b8:29:00:74:9c:57:3b:a8:a5:04:90:
-                    71:f1:bd:83:d9:3f:d6:a5:e2:3c:2a:8f:ef:27:60:
-                    c3:c6:9f:cb:ba:ec:60:7d:b7:e6:84:32:be:4f:fb:
-                    58:26:22:03:5b:d4:b4:d5:fb:f5:e3:96:2e:70:c0:
-                    e4:2e:bd:fc:2e:ee:e2:41:55:c0:34:2e:7d:24:72:
-                    69:cb:47:b1:14:40:83:7d:67:f4:86:f6:31:ab:f1:
-                    79:a4:b2:b5:2e:12:f9:84:17:f0:62:6f:27:3e:13:
-                    58:b1:54:0d:21:9a:73:37:a1:30:cf:6f:92:dc:f6:
-                    e9:fc:ac:db:2e:28:d1:7e:02:4b:23:a0:15:f2:38:
-                    65:64:09:ea:0c:6e:8e:1b:17:a0:71:c8:b3:9b:c9:
-                    ab:e9:c3:f2:cf:87:96:8f:80:02:32:9e:99:58:6f:
-                    a2:d5
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints:
-                CA:TRUE
-            X509v3 Subject Key Identifier:
-                B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
-            X509v3 Authority Key Identifier:
-                keyid:B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
-                DirName:/C=NL/O=PolarSSL/CN=PolarSSL Test CA
-                serial:00
-
-    Signature Algorithm: sha1WithRSAEncryption
-        b8:fd:54:d8:00:54:90:8b:25:b0:27:dd:95:cd:a2:f7:84:07:
-        1d:87:89:4a:c4:78:11:d8:07:b5:d7:22:50:8e:48:eb:62:7a:
-        32:89:be:63:47:53:ff:b6:be:f1:2e:8c:54:c0:99:3f:a0:b9:
-        37:23:72:5f:0d:46:59:8f:d8:47:cd:97:4c:9f:07:0c:12:62:
-        09:3a:24:e4:36:d9:e9:2c:da:38:d0:73:75:61:d7:c1:6c:26:
-        8b:9b:e0:d5:dc:67:ed:8c:6b:33:d7:74:22:3c:4c:db:b5:8d:
-        2a:ce:2c:0d:08:59:05:09:05:a6:39:9f:b3:67:1b:e2:83:e5:
-        e1:8f:53:f6:67:93:c7:f9:6f:76:44:58:12:e8:3a:d4:97:e7:
-        e9:c0:3e:a8:7a:72:3d:87:53:1f:e5:2c:84:84:e7:9a:9e:7f:
-        66:d9:1f:9b:f5:13:48:b0:4d:14:d1:de:b2:24:d9:78:7d:f5:
-        35:cc:58:19:d1:d2:99:ef:4d:73:f8:1f:89:d4:5a:d0:52:ce:
-        09:f5:b1:46:51:6a:00:8e:3b:cc:6f:63:01:00:99:ed:9d:a6:
-        08:60:cd:32:18:d0:73:e0:58:71:d9:e5:d2:53:d7:8d:d0:ca:
-        e9:5d:2a:0a:0d:5d:55:ec:21:50:17:16:e6:06:4a:cd:5e:de:
-        f7:e0:e9:54
 -----BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
 MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
+A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
 CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
 mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
 50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
 YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
 R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
 KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH
-/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV
-BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz
-dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ
-SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H
-DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF
-pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf
-m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ
-7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==
+UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
+MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA
+A4IBAQABE3OEPfEd/bcJW5ZdU3/VgPNS4tMzh8gnJP/V2FcvFtGylMpQq6YnEBYI
+yBHAL4DRvlMY5rnXGBp3ODR8MpqHC6AquRTCLzjS57iYff//4QFQqW9n92zctspv
+czkaPKgjqo1No3Uq0Xaz10rcxyTUPrf5wNVRZ2V0KvllvAAVSzbI4mpdUXztjhST
+S5A2BeWQAAOr0zq1F7TSRVJpJs7jmB2ai/igkh1IAjcuwV6VwlP+sbw0gjQ0NpGM
+iHpnlzRAi/tIbtOvMIGOBU2TIfax/5jq1agUx5aPmT5TWAiJPOOP6l5xXnDwxeYS
+NWqiX9GyusBZjezaCaHabjDLU0qQ
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca_cat21.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca_cat21.crt
index 5630789eb8..97b4d2c9e7 100644
--- a/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca_cat21.crt
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/test-ca_cat21.crt
@@ -13,83 +13,23 @@ CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56
 t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv
 uCjn8pwUOkABXK8Mss90fzCfCEOtIA==
 -----END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=NL, O=PolarSSL, CN=PolarSSL Test CA
-        Validity
-            Not Before: Feb 12 14:44:00 2011 GMT
-            Not After : Feb 12 14:44:00 2021 GMT
-        Subject: C=NL, O=PolarSSL, CN=PolarSSL Test CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:c0:df:37:fc:17:bb:e0:96:9d:3f:86:de:96:32:
-                    7d:44:a5:16:a0:cd:21:f1:99:d4:ec:ea:cb:7c:18:
-                    58:08:94:a5:ec:9b:c5:8b:df:1a:1e:99:38:99:87:
-                    1e:7b:c0:8d:39:df:38:5d:70:78:07:d3:9e:d9:93:
-                    e8:b9:72:51:c5:ce:a3:30:52:a9:f2:e7:40:70:14:
-                    cb:44:a2:72:0b:c2:e5:40:f9:3e:e5:a6:0e:b3:f9:
-                    ec:4a:63:c0:b8:29:00:74:9c:57:3b:a8:a5:04:90:
-                    71:f1:bd:83:d9:3f:d6:a5:e2:3c:2a:8f:ef:27:60:
-                    c3:c6:9f:cb:ba:ec:60:7d:b7:e6:84:32:be:4f:fb:
-                    58:26:22:03:5b:d4:b4:d5:fb:f5:e3:96:2e:70:c0:
-                    e4:2e:bd:fc:2e:ee:e2:41:55:c0:34:2e:7d:24:72:
-                    69:cb:47:b1:14:40:83:7d:67:f4:86:f6:31:ab:f1:
-                    79:a4:b2:b5:2e:12:f9:84:17:f0:62:6f:27:3e:13:
-                    58:b1:54:0d:21:9a:73:37:a1:30:cf:6f:92:dc:f6:
-                    e9:fc:ac:db:2e:28:d1:7e:02:4b:23:a0:15:f2:38:
-                    65:64:09:ea:0c:6e:8e:1b:17:a0:71:c8:b3:9b:c9:
-                    ab:e9:c3:f2:cf:87:96:8f:80:02:32:9e:99:58:6f:
-                    a2:d5
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints:
-                CA:TRUE
-            X509v3 Subject Key Identifier:
-                B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
-            X509v3 Authority Key Identifier:
-                keyid:B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF
-                DirName:/C=NL/O=PolarSSL/CN=PolarSSL Test CA
-                serial:00
-
-    Signature Algorithm: sha1WithRSAEncryption
-        b8:fd:54:d8:00:54:90:8b:25:b0:27:dd:95:cd:a2:f7:84:07:
-        1d:87:89:4a:c4:78:11:d8:07:b5:d7:22:50:8e:48:eb:62:7a:
-        32:89:be:63:47:53:ff:b6:be:f1:2e:8c:54:c0:99:3f:a0:b9:
-        37:23:72:5f:0d:46:59:8f:d8:47:cd:97:4c:9f:07:0c:12:62:
-        09:3a:24:e4:36:d9:e9:2c:da:38:d0:73:75:61:d7:c1:6c:26:
-        8b:9b:e0:d5:dc:67:ed:8c:6b:33:d7:74:22:3c:4c:db:b5:8d:
-        2a:ce:2c:0d:08:59:05:09:05:a6:39:9f:b3:67:1b:e2:83:e5:
-        e1:8f:53:f6:67:93:c7:f9:6f:76:44:58:12:e8:3a:d4:97:e7:
-        e9:c0:3e:a8:7a:72:3d:87:53:1f:e5:2c:84:84:e7:9a:9e:7f:
-        66:d9:1f:9b:f5:13:48:b0:4d:14:d1:de:b2:24:d9:78:7d:f5:
-        35:cc:58:19:d1:d2:99:ef:4d:73:f8:1f:89:d4:5a:d0:52:ce:
-        09:f5:b1:46:51:6a:00:8e:3b:cc:6f:63:01:00:99:ed:9d:a6:
-        08:60:cd:32:18:d0:73:e0:58:71:d9:e5:d2:53:d7:8d:d0:ca:
-        e9:5d:2a:0a:0d:5d:55:ec:21:50:17:16:e6:06:4a:cd:5e:de:
-        f7:e0:e9:54
 -----BEGIN CERTIFICATE-----
-MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
-MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
+MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER
+MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
 MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G
-A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
+A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G
 CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx
 mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny
 50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n
 YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL
 R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu
 KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj
-gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH
-/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV
-BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz
-dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ
-SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H
-DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF
-pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf
-m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ
-7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==
+UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/
+MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA
+A4IBAQABE3OEPfEd/bcJW5ZdU3/VgPNS4tMzh8gnJP/V2FcvFtGylMpQq6YnEBYI
+yBHAL4DRvlMY5rnXGBp3ODR8MpqHC6AquRTCLzjS57iYff//4QFQqW9n92zctspv
+czkaPKgjqo1No3Uq0Xaz10rcxyTUPrf5wNVRZ2V0KvllvAAVSzbI4mpdUXztjhST
+S5A2BeWQAAOr0zq1F7TSRVJpJs7jmB2ai/igkh1IAjcuwV6VwlP+sbw0gjQ0NpGM
+iHpnlzRAi/tIbtOvMIGOBU2TIfax/5jq1agUx5aPmT5TWAiJPOOP6l5xXnDwxeYS
+NWqiX9GyusBZjezaCaHabjDLU0qQ
 -----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/data_files/test-int-ca3-badsign.crt b/3rdparty/mbedtls/mbedtls/tests/data_files/test-int-ca3-badsign.crt
new file mode 100644
index 0000000000..2087056e8e
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/data_files/test-int-ca3-badsign.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtDCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G
+A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp
+YXRlIEVDIENBMB4XDTE1MDkwMTE0MDg0M1oXDTI1MDgyOTE0MDg0M1owSjELMAkG
+A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU
+ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9
+2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNo
+ADBlAjAJRxbGRas3NBmk9MnGWXg7PT1xnRELHRWWIvfLdVQt06l1/xFg3ZuPdQdt
+Qh7CK80CMQD7wa1o1a8qyDKBfLN636uKmKGga0E+vYXBeFCy9oARBangGCB0B2vt
+pz590JvGWf0=
+-----END CERTIFICATE-----
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/all.sh b/3rdparty/mbedtls/mbedtls/tests/scripts/all.sh
index 30e6d5f424..7eaefe9995 100755
--- a/3rdparty/mbedtls/mbedtls/tests/scripts/all.sh
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/all.sh
@@ -35,9 +35,9 @@
 #   * GNU Make
 #   * CMake
 #   * GCC and Clang (recent enough for using ASan with gcc and MemSan with clang, or valgrind)
+#   * G++
 #   * arm-gcc and mingw-gcc
 #   * ArmCC 5 and ArmCC 6, unless invoked with --no-armcc
-#   * Yotta build dependencies, unless invoked with --no-yotta
 #   * OpenSSL and GnuTLS command line tools, recent enough for the
 #     interoperability tests. If they don't support SSLv3 then a legacy
 #     version of these tools must be present as well (search for LEGACY
@@ -119,11 +119,11 @@ pre_initialize_variables () {
     MEMORY=0
     FORCE=0
     KEEP_GOING=0
-    YOTTA=1
 
     # Default commands, can be overriden by the environment
     : ${OPENSSL:="openssl"}
     : ${OPENSSL_LEGACY:="$OPENSSL"}
+    : ${OPENSSL_NEXT:="$OPENSSL"}
     : ${GNUTLS_CLI:="gnutls-cli"}
     : ${GNUTLS_SERV:="gnutls-serv"}
     : ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
@@ -196,12 +196,10 @@ General options:
      --no-force         Refuse to overwrite modified files (default).
      --no-keep-going    Stop at the first error (default).
      --no-memory        No additional memory tests (default).
-     --no-yotta         Skip yotta module build.
      --out-of-source-dir=<path>  Directory used for CMake out-of-source build tests.
      --random-seed      Use a random seed value for randomized tests (default).
   -r|--release-test     Run this script in release mode. This fixes the seed value to 1.
   -s|--seed             Integer seed value to use for this test run.
-     --yotta            Build yotta module (on by default).
 
 Tool path options:
      --armc5-bin-dir=<ARMC5_bin_dir_path>       ARM Compiler 5 bin directory.
@@ -212,6 +210,7 @@ Tool path options:
      --gnutls-legacy-serv=<GnuTLS_serv_path>    GnuTLS server executable to use for legacy tests.
      --openssl=<OpenSSL_path>                   OpenSSL executable to use for most tests.
      --openssl-legacy=<OpenSSL_path>            OpenSSL executable to use for legacy tests e.g. SSLv3.
+     --openssl-next=<OpenSSL_path>              OpenSSL executable to use for recent things like ARIA
 EOF
 }
 
@@ -225,7 +224,7 @@ cleanup()
     command make clean
 
     # Remove CMake artefacts
-    find . -name .git -prune -o -name yotta -prune -o \
+    find . -name .git -prune \
            -iname CMakeFiles -exec rm -rf {} \+ -o \
            \( -iname cmake_install.cmake -o \
               -iname CTestTestfile.cmake -o \
@@ -295,6 +294,14 @@ check_tools()
     done
 }
 
+check_headers_in_cpp () {
+    ls include/mbedtls | grep "\.h$" >headers.txt
+    <programs/test/cpp_dummy_build.cpp sed -n 's/"$//; s!^#include "mbedtls/!!p' |
+    sort |
+    diff headers.txt -
+    rm headers.txt
+}
+
 pre_parse_command_line () {
     COMMAND_LINE_COMPONENTS=
     all_except=0
@@ -320,14 +327,13 @@ pre_parse_command_line () {
             --no-force) FORCE=0;;
             --no-keep-going) KEEP_GOING=0;;
             --no-memory) MEMORY=0;;
-            --no-yotta) YOTTA=0;;
             --openssl) shift; OPENSSL="$1";;
             --openssl-legacy) shift; OPENSSL_LEGACY="$1";;
+            --openssl-next) shift; OPENSSL_NEXT="$1";;
             --out-of-source-dir) shift; OUT_OF_SOURCE_DIR="$1";;
             --random-seed) unset SEED;;
             --release-test|-r) SEED=1;;
             --seed|-s) shift; SEED="$1";;
-            --yotta) YOTTA=1;;
             -*)
                 echo >&2 "Unknown option: $1"
                 echo >&2 "Run $0 --help for usage."
@@ -347,8 +353,6 @@ pre_parse_command_line () {
     # Ignore it if components are listed explicitly on the command line.
     if [ -n "$no_armcc" ] && [ $all_except -eq 1 ]; then
         COMMAND_LINE_COMPONENTS="$COMMAND_LINE_COMPONENTS *_armcc*"
-        # --no-armcc also disables yotta.
-        COMMAND_LINE_COMPONENTS="$COMMAND_LINE_COMPONENTS *_yotta*"
     fi
 
     # Build the list of components to run.
@@ -366,20 +370,10 @@ pre_parse_command_line () {
 pre_check_git () {
     if [ $FORCE -eq 1 ]; then
         rm -rf "$OUT_OF_SOURCE_DIR"
-        if [ $YOTTA -eq 1 ]; then
-            rm -rf yotta/module
-        fi
         git checkout-index -f -q $CONFIG_H
         cleanup
     else
 
-        if [ $YOTTA -ne 0 ] && [ -d yotta/module ]; then
-            err_msg "Warning - there is an existing yotta module in the directory 'yotta/module'"
-            echo "You can either delete your work and retry, or force the test to overwrite the"
-            echo "test by rerunning the script as: $0 --force"
-            exit 1
-        fi
-
         if [ -d "$OUT_OF_SOURCE_DIR" ]; then
             echo "Warning - there is an existing directory at '$OUT_OF_SOURCE_DIR'" >&2
             echo "You can either delete this directory manually, or force the test by rerunning"
@@ -464,7 +458,6 @@ not() {
     ! "$@"
 }
 
-
 pre_print_configuration () {
     msg "info: $0 configuration"
     echo "MEMORY: $MEMORY"
@@ -472,6 +465,7 @@ pre_print_configuration () {
     echo "SEED: ${SEED-"UNSET"}"
     echo "OPENSSL: $OPENSSL"
     echo "OPENSSL_LEGACY: $OPENSSL_LEGACY"
+    echo "OPENSSL_NEXT: $OPENSSL_NEXT"
     echo "GNUTLS_CLI: $GNUTLS_CLI"
     echo "GNUTLS_SERV: $GNUTLS_SERV"
     echo "GNUTLS_LEGACY_CLI: $GNUTLS_LEGACY_CLI"
@@ -503,7 +497,7 @@ pre_check_tools () {
             set "$@" GNUTLS_CLI="$GNUTLS_CLI" GNUTLS_SERV="$GNUTLS_SERV"
             set "$@" GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI"
             set "$@" GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV"
-            check_tools "$OPENSSL" "$OPENSSL_LEGACY" \
+            check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$OPENSSL_NEXT" \
                         "$GNUTLS_CLI" "$GNUTLS_SERV" \
                         "$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV"
             ;;
@@ -522,7 +516,11 @@ pre_check_tools () {
     esac
 
     case " $RUN_COMPONENTS " in
-        *_armcc*|*_yotta*)
+        *" test_zeroize "*) check_tools "gdb";;
+    esac
+
+    case " $RUN_COMPONENTS " in
+        *_armcc*)
             ARMC5_CC="$ARMC5_BIN_DIR/armcc"
             ARMC5_AR="$ARMC5_BIN_DIR/armar"
             ARMC6_CC="$ARMC6_BIN_DIR/armclang"
@@ -532,7 +530,7 @@ pre_check_tools () {
 
     msg "info: output_env.sh"
     case $RUN_COMPONENTS in
-        *_armcc*|*_yotta*)
+        *_armcc*)
             set "$@" ARMC5_CC="$ARMC5_CC" ARMC6_CC="$ARMC6_CC" RUN_ARMCC=1;;
         *) set "$@" RUN_ARMCC=0;;
     esac
@@ -587,6 +585,7 @@ component_check_doxygen_warnings () {
 }
 
 
+
 ################################################################
 #### Build and test many configurations and targets
 ################################################################
@@ -602,16 +601,6 @@ component_test_default_out_of_box () {
     programs/test/selftest
 }
 
-component_build_yotta () {
-    # Note - use of yotta is deprecated, and yotta also requires armcc to be on the
-    # path, and uses whatever version of armcc it finds there.
-    msg "build: create and build yotta module" # ~ 30s
-    record_status tests/scripts/yotta-build.sh
-}
-support_build_yotta () {
-    [ $YOTTA -ne 0 ]
-}
-
 component_test_default_cmake_gcc_asan () {
     msg "build: cmake, gcc, ASan" # ~ 1 min 50s
     CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
@@ -663,6 +652,20 @@ component_test_no_renegotiation () {
     if_build_succeeded tests/ssl-opt.sh
 }
 
+component_test_no_pem_no_fs () {
+    msg "build: Default + !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO (ASan build)"
+    scripts/config.pl unset MBEDTLS_PEM_PARSE_C
+    scripts/config.pl unset MBEDTLS_FS_IO
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    make
+
+    msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - main suites (inc. selftests) (ASan build)" # ~ 50s
+    make test
+
+    msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - ssl-opt.sh (ASan build)" # ~ 6 min
+    if_build_succeeded tests/ssl-opt.sh
+}
+
 component_test_rsa_no_crt () {
     msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min
     scripts/config.pl set MBEDTLS_RSA_NO_CRT
@@ -679,6 +682,48 @@ component_test_rsa_no_crt () {
     if_build_succeeded tests/compat.sh -t RSA
 }
 
+component_test_small_ssl_out_content_len () {
+    msg "build: small SSL_OUT_CONTENT_LEN (ASan build)"
+    scripts/config.pl set MBEDTLS_SSL_IN_CONTENT_LEN 16384
+    scripts/config.pl set MBEDTLS_SSL_OUT_CONTENT_LEN 4096
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    make
+
+    msg "test: small SSL_OUT_CONTENT_LEN - ssl-opt.sh MFL and large packet tests"
+    if_build_succeeded tests/ssl-opt.sh -f "Max fragment\|Large packet"
+}
+
+component_test_small_ssl_in_content_len () {
+    msg "build: small SSL_IN_CONTENT_LEN (ASan build)"
+    scripts/config.pl set MBEDTLS_SSL_IN_CONTENT_LEN 4096
+    scripts/config.pl set MBEDTLS_SSL_OUT_CONTENT_LEN 16384
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    make
+
+    msg "test: small SSL_IN_CONTENT_LEN - ssl-opt.sh MFL tests"
+    if_build_succeeded tests/ssl-opt.sh -f "Max fragment"
+}
+
+component_test_small_ssl_dtls_max_buffering () {
+    msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0"
+    scripts/config.pl set MBEDTLS_SSL_DTLS_MAX_BUFFERING 1000
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    make
+
+    msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0 - ssl-opt.sh specific reordering test"
+    if_build_succeeded tests/ssl-opt.sh -f "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg"
+}
+
+component_test_small_mbedtls_ssl_dtls_max_buffering () {
+    msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1"
+    scripts/config.pl set MBEDTLS_SSL_DTLS_MAX_BUFFERING 240
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    make
+
+    msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1 - ssl-opt.sh specific reordering test"
+    if_build_succeeded tests/ssl-opt.sh -f "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket"
+}
+
 component_test_full_cmake_clang () {
     msg "build: cmake, full config, clang" # ~ 50s
     scripts/config.pl full
@@ -689,11 +734,14 @@ component_test_full_cmake_clang () {
     msg "test: main suites (full config)" # ~ 5s
     make test
 
-    msg "test: ssl-opt.sh default (full config)" # ~ 1s
-    if_build_succeeded tests/ssl-opt.sh -f Default
+    msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s
+    if_build_succeeded tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
 
     msg "test: compat.sh RC4, DES, 3DES & NULL (full config)" # ~ 2 min
     if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'
+
+    msg "test: compat.sh ARIA + ChachaPoly"
+    if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
 }
 
 component_build_deprecated () {
@@ -714,6 +762,7 @@ component_build_deprecated () {
     make CC=clang CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests
 }
 
+
 component_test_depends_curves () {
     msg "test/build: curves.pl (gcc)" # ~ 4 min
     record_status tests/scripts/curves.pl
@@ -734,9 +783,39 @@ component_build_key_exchanges () {
     record_status tests/scripts/key-exchanges.pl
 }
 
-component_build_default_make_gcc () {
+component_build_default_make_gcc_and_cxx () {
     msg "build: Unix make, -Os (gcc)" # ~ 30s
     make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os'
+
+    msg "test: verify header list in cpp_dummy_build.cpp"
+    record_status check_headers_in_cpp
+
+    msg "build: Unix make, incremental g++"
+    make TEST_CPP=1
+}
+
+component_test_check_params_without_platform () {
+    msg "build+test: MBEDTLS_CHECK_PARAMS without MBEDTLS_PLATFORM_C"
+    scripts/config.pl full # includes CHECK_PARAMS
+    scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
+    scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
+    scripts/config.pl unset MBEDTLS_PLATFORM_EXIT_ALT
+    scripts/config.pl unset MBEDTLS_PLATFORM_TIME_ALT
+    scripts/config.pl unset MBEDTLS_PLATFORM_FPRINTF_ALT
+    scripts/config.pl unset MBEDTLS_PLATFORM_MEMORY
+    scripts/config.pl unset MBEDTLS_PLATFORM_PRINTF_ALT
+    scripts/config.pl unset MBEDTLS_PLATFORM_SNPRINTF_ALT
+    scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+    scripts/config.pl unset MBEDTLS_PLATFORM_C
+    make CC=gcc CFLAGS='-Werror -O1' all test
+}
+
+component_test_check_params_silent () {
+    msg "build+test: MBEDTLS_CHECK_PARAMS with alternative MBEDTLS_PARAM_FAILED()"
+    scripts/config.pl full # includes CHECK_PARAMS
+    scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
+    sed -i 's/.*\(#define MBEDTLS_PARAM_FAILED( cond )\).*/\1/' "$CONFIG_H"
+    make CC=gcc CFLAGS='-Werror -O1' all test
 }
 
 component_test_no_platform () {
@@ -796,6 +875,7 @@ component_build_no_sockets () {
 }
 
 component_test_no_max_fragment_length () {
+    # Run max fragment length tests with MFL disabled
     msg "build: default config except MFL extension (ASan build)" # ~ 30s
     scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
     CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
@@ -805,6 +885,18 @@ component_test_no_max_fragment_length () {
     if_build_succeeded tests/ssl-opt.sh -f "Max fragment length"
 }
 
+component_test_no_max_fragment_length_small_ssl_out_content_len () {
+    msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)"
+    scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+    scripts/config.pl set MBEDTLS_SSL_IN_CONTENT_LEN 16384
+    scripts/config.pl set MBEDTLS_SSL_OUT_CONTENT_LEN 4096
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    make
+
+    msg "test: MFL tests (disabled MFL extension case) & large packet tests"
+    if_build_succeeded tests/ssl-opt.sh -f "Max fragment length\|Large buffer"
+}
+
 component_test_null_entropy () {
     msg "build: default config with  MBEDTLS_TEST_NULL_ENTROPY (ASan build)"
     scripts/config.pl set MBEDTLS_TEST_NULL_ENTROPY
@@ -832,6 +924,34 @@ component_test_platform_calloc_macro () {
     make test
 }
 
+component_test_aes_fewer_tables () {
+    msg "build: default config with AES_FEWER_TABLES enabled"
+    scripts/config.pl set MBEDTLS_AES_FEWER_TABLES
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra'
+
+    msg "test: AES_FEWER_TABLES"
+    make test
+}
+
+component_test_aes_rom_tables () {
+    msg "build: default config with AES_ROM_TABLES enabled"
+    scripts/config.pl set MBEDTLS_AES_ROM_TABLES
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra'
+
+    msg "test: AES_ROM_TABLES"
+    make test
+}
+
+component_test_aes_fewer_tables_and_rom_tables () {
+    msg "build: default config with AES_ROM_TABLES and AES_FEWER_TABLES enabled"
+    scripts/config.pl set MBEDTLS_AES_FEWER_TABLES
+    scripts/config.pl set MBEDTLS_AES_ROM_TABLES
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra'
+
+    msg "test: AES_FEWER_TABLES + AES_ROM_TABLES"
+    make test
+}
+
 component_test_make_shared () {
     msg "build/test: make shared" # ~ 40s
     make SHARED=1 all check
@@ -919,6 +1039,28 @@ component_test_have_int64 () {
     make test
 }
 
+component_test_no_udbl_division () {
+    msg "build: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s
+    scripts/config.pl full
+    scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
+    scripts/config.pl set MBEDTLS_NO_UDBL_DIVISION
+    make CFLAGS='-Werror -O1'
+
+    msg "test: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s
+    make test
+}
+
+component_test_no_64bit_multiplication () {
+    msg "build: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s
+    scripts/config.pl full
+    scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
+    scripts/config.pl set MBEDTLS_NO_64BIT_MULTIPLICATION
+    make CFLAGS='-Werror -O1'
+
+    msg "test: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s
+    make test
+}
+
 component_build_arm_none_eabi_gcc () {
     msg "build: arm-none-eabi-gcc, make" # ~ 10s
     scripts/config.pl full
@@ -956,6 +1098,26 @@ component_build_arm_none_eabi_gcc_no_udbl_division () {
     if_build_succeeded not grep __aeabi_uldiv library/*.o
 }
 
+component_build_arm_none_eabi_gcc_no_64bit_multiplication () {
+    msg "build: arm-none-eabi-gcc MBEDTLS_NO_64BIT_MULTIPLICATION, make" # ~ 10s
+    scripts/config.pl full
+    scripts/config.pl unset MBEDTLS_NET_C
+    scripts/config.pl unset MBEDTLS_TIMING_C
+    scripts/config.pl unset MBEDTLS_FS_IO
+    scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+    scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY
+    # following things are not in the default config
+    scripts/config.pl unset MBEDTLS_HAVEGE_C # depends on timing.c
+    scripts/config.pl unset MBEDTLS_THREADING_PTHREAD
+    scripts/config.pl unset MBEDTLS_THREADING_C
+    scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
+    scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
+    scripts/config.pl set MBEDTLS_NO_64BIT_MULTIPLICATION
+    make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -O1 -march=armv6-m -mthumb' lib
+    echo "Checking that software 64-bit multiplication is not required"
+    if_build_succeeded not grep __aeabi_lmul library/*.o
+}
+
 component_build_armcc () {
     msg "build: ARM Compiler 5, make"
     scripts/config.pl full
@@ -1084,7 +1246,48 @@ component_test_cmake_out_of_source () {
     unset MBEDTLS_ROOT_DIR
 }
 
+component_test_zeroize () {
+    # Test that the function mbedtls_platform_zeroize() is not optimized away by
+    # different combinations of compilers and optimization flags by using an
+    # auxiliary GDB script. Unfortunately, GDB does not return error values to the
+    # system in all cases that the script fails, so we must manually search the
+    # output to check whether the pass string is present and no failure strings
+    # were printed.
+
+    # Don't try to disable ASLR. We don't care about ASLR here. We do care
+    # about a spurious message if Gdb tries and fails, so suppress that.
+    gdb_disable_aslr=
+    if [ -z "$(gdb -batch -nw -ex 'set disable-randomization off' 2>&1)" ]; then
+        gdb_disable_aslr='set disable-randomization off'
+    fi
+
+    for optimization_flag in -O2 -O3 -Ofast -Os; do
+        for compiler in clang gcc; do
+            msg "test: $compiler $optimization_flag, mbedtls_platform_zeroize()"
+            make programs CC="$compiler" DEBUG=1 CFLAGS="$optimization_flag"
+            if_build_succeeded gdb -ex "$gdb_disable_aslr" -x tests/scripts/test_zeroize.gdb -nw -batch -nx 2>&1 | tee test_zeroize.log
+            if_build_succeeded grep "The buffer was correctly zeroized" test_zeroize.log
+            if_build_succeeded not grep -i "error" test_zeroize.log
+            rm -f test_zeroize.log
+            make clean
+        done
+    done
+
+    unset gdb_disable_aslr
+}
+
+support_check_python_files () {
+    type pylint3 >/dev/null 2>/dev/null
+}
+component_check_python_files () {
+    msg "Lint: Python scripts"
+    record_status tests/scripts/check-python-files.sh
+}
 
+component_check_generate_test_code () {
+    msg "uint test: generate_test_code.py"
+    record_status ./tests/scripts/test_generate_test_code.py
+}
 
 ################################################################
 #### Termination
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/basic-build-test.sh b/3rdparty/mbedtls/mbedtls/tests/scripts/basic-build-test.sh
index 97120ea84d..8990dfbea6 100755
--- a/3rdparty/mbedtls/mbedtls/tests/scripts/basic-build-test.sh
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/basic-build-test.sh
@@ -93,6 +93,9 @@ OPENSSL_CMD="$OPENSSL_LEGACY"                                       \
     GNUTLS_SERV="$GNUTLS_LEGACY_SERV"                               \
     sh compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'         |     \
     tee -a compat-test-$TEST_OUTPUT
+OPENSSL_CMD="$OPENSSL_NEXT"                     \
+    sh compat.sh -e '^$' -f 'ARIA\|CHACHA' |    \
+    tee -a compat-test-$TEST_OUTPUT
 echo
 
 # Step 3 - Process the coverage report
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/check-files.py b/3rdparty/mbedtls/mbedtls/tests/scripts/check-files.py
index 0bf01206e4..00fd0edfb7 100755
--- a/3rdparty/mbedtls/mbedtls/tests/scripts/check-files.py
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/check-files.py
@@ -202,7 +202,6 @@ def __init__(self, log_file):
         self.excluded_paths = list(map(os.path.normpath, [
             'cov-int',
             'examples',
-            'yotta/module'
         ]))
         self.issues_to_check = [
             PermissionIssueTracker(),
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/check-generated-files.sh b/3rdparty/mbedtls/mbedtls/tests/scripts/check-generated-files.sh
index 4976bacf5c..065ea33a2a 100755
--- a/3rdparty/mbedtls/mbedtls/tests/scripts/check-generated-files.sh
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/check-generated-files.sh
@@ -65,5 +65,6 @@ check()
 }
 
 check scripts/generate_errors.pl library/error.c
+check scripts/generate_query_config.pl programs/ssl/query_config.c
 check scripts/generate_features.pl library/version_features.c
 check scripts/generate_visualc_files.pl visualc/VS2010
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/check-names.sh b/3rdparty/mbedtls/mbedtls/tests/scripts/check-names.sh
index 66c487cffd..90ecfd2726 100755
--- a/3rdparty/mbedtls/mbedtls/tests/scripts/check-names.sh
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/check-names.sh
@@ -56,7 +56,7 @@ diff macros identifiers | sed -n -e 's/< //p' > actual-macros
 for THING in actual-macros enum-consts; do
     printf "Names of $THING: "
     test -r $THING
-    BAD=$( grep -v '^MBEDTLS_[0-9A-Z_]*[0-9A-Z]$\|^YOTTA_[0-9A-Z_]*[0-9A-Z]$' $THING || true )
+    BAD=$( grep -v '^MBEDTLS_[0-9A-Z_]*[0-9A-Z]$' $THING || true )
     if [ "x$BAD" = "x" ]; then
         echo "PASS"
     else
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/check-python-files.sh b/3rdparty/mbedtls/mbedtls/tests/scripts/check-python-files.sh
new file mode 100755
index 0000000000..9290418224
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/check-python-files.sh
@@ -0,0 +1,12 @@
+#! /usr/bin/env sh
+
+# This file is part of Mbed TLS (https://tls.mbed.org)
+#
+# Copyright (c) 2018, Arm Limited, All Rights Reserved
+#
+# Purpose:
+#
+# Run 'pylint' on Python files for programming errors and helps enforcing
+# PEP8 coding standards.
+
+pylint3 -j 2 scripts/*.py tests/scripts/*.py
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/generate_code.pl b/3rdparty/mbedtls/mbedtls/tests/scripts/generate_code.pl
deleted file mode 100755
index e489a0055e..0000000000
--- a/3rdparty/mbedtls/mbedtls/tests/scripts/generate_code.pl
+++ /dev/null
@@ -1,411 +0,0 @@
-#!/usr/bin/env perl
-
-# generate_code.pl
-#
-# This file is part of mbed TLS (https://tls.mbed.org)
-#
-# Copyright (c) 2009-2016, ARM Limited, All Rights Reserved
-#
-# Purpose
-#
-# Generates the test suite code given inputs of the test suite directory that
-# contain the test suites, and the test suite file names for the test code and
-# test data.
-#
-# Usage: generate_code.pl <suite dir> <code file> <data file> [main code file]
-#
-# Structure of files
-#
-#   - main code file - 'main_test.function'
-#       Template file that contains the main() function for the test suite,
-#       test dispatch code as well as support functions. It contains the
-#       following symbols which are substituted by this script during
-#       processing:
-#           TESTCASE_FILENAME
-#           TESTCODE_FILENAME
-#           SUITE_PRE_DEP
-#           MAPPING_CODE
-#           FUNCTION CODE
-#           SUITE_POST_DEP
-#           DEP_CHECK_CODE
-#           DISPATCH_FUNCTION
-#           !LINE_NO!
-#
-#   - common helper code file - 'helpers.function'
-#       Common helper functions
-#
-#   - test suite code file - file name in the form 'test_suite_xxx.function'
-#       Code file that contains the actual test cases. The file contains a
-#       series of code sequences delimited by the following:
-#           BEGIN_HEADER / END_HEADER - list of headers files
-#           BEGIN_SUITE_HELPERS / END_SUITE_HELPERS - helper functions common to
-#               the test suite
-#           BEGIN_CASE / END_CASE - the test cases in the test suite. Each test
-#               case contains at least one function that is used to create the
-#               dispatch code.
-#
-#   - test data file - file name in the form 'test_suite_xxxx.data'
-#       The test case parameters to to be used in execution of the test. The
-#       file name is used to replace the symbol 'TESTCASE_FILENAME' in the main
-#       code file above.
-#
-#       A test data file consists of a sequence of paragraphs separated by
-#       a single empty line. Line breaks may be in Unix (LF) or Windows (CRLF)
-#       format. Lines starting with the character '#' are ignored
-#       (the parser behaves as if they were not present).
-#
-#       Each paragraph describes one test case and must consist of: (1) one
-#       line which is the test case name; (2) an optional line starting with
-#       the 11-character prefix "depends_on:"; (3) a line containing the test
-#       function to execute and its parameters.
-#
-#       A depends_on: line consists of a list of compile-time options
-#       separated by the character ':', with no whitespace. The test case
-#       is executed only if this compilation option is enabled in config.h.
-#
-#       The last line of each paragraph contains a test function name and
-#       a list of parameters separated by the character ':'. Running the
-#       test case calls this function with the specified parameters. Each
-#       parameter may either be an integer written in decimal or hexadecimal,
-#       or a string surrounded by double quotes which may not contain the
-#       ':' character.
-#
-
-use strict;
-
-my $suite_dir = shift or die "Missing suite directory";
-my $suite_name = shift or die "Missing suite name";
-my $data_name = shift or die "Missing data name";
-my $test_main_file = do { my $arg = shift; defined($arg) ? $arg :  $suite_dir."/main_test.function" };
-my $test_file = $data_name.".c";
-my $test_common_helper_file = $suite_dir."/helpers.function";
-my $test_case_file = $suite_dir."/".$suite_name.".function";
-my $test_case_data = $suite_dir."/".$data_name.".data";
-
-my $line_separator = $/;
-undef $/;
-
-
-#
-# Open and read in the input files
-#
-
-open(TEST_HELPERS, "$test_common_helper_file") or die "Opening test helpers
-'$test_common_helper_file': $!";
-my $test_common_helpers = <TEST_HELPERS>;
-close(TEST_HELPERS);
-
-open(TEST_MAIN, "$test_main_file") or die "Opening test main '$test_main_file': $!";
-my @test_main_lines = split/^/,  <TEST_MAIN>;
-my $test_main;
-my $index = 2;
-for my $line (@test_main_lines) {
-    $line =~ s/!LINE_NO!/$index/;
-    $test_main = $test_main.$line;
-    $index++;
-}
-close(TEST_MAIN);
-
-open(TEST_CASES, "$test_case_file") or die "Opening test cases '$test_case_file': $!";
-my @test_cases_lines = split/^/,  <TEST_CASES>;
-my $test_cases;
-my $index = 2;
-for my $line (@test_cases_lines) {
-    if ($line =~ /^\/\* BEGIN_SUITE_HELPERS .*\*\//)
-    {
-        $line = $line."#line $index \"$test_case_file\"\n";
-    }
-
-    if ($line =~ /^\/\* BEGIN_CASE .*\*\//)
-    {
-        $line = $line."#line $index \"$test_case_file\"\n";
-    }
-
-    $line =~ s/!LINE_NO!/$index/;
-
-    $test_cases = $test_cases.$line;
-    $index++;
-}
-
-close(TEST_CASES);
-
-open(TEST_DATA, "$test_case_data") or die "Opening test data '$test_case_data': $!";
-my $test_data = <TEST_DATA>;
-close(TEST_DATA);
-
-
-#
-# Find the headers, dependencies, and suites in the test cases file
-#
-
-my ( $suite_header ) = $test_cases =~ /\/\* BEGIN_HEADER \*\/\n(.*?)\n\/\* END_HEADER \*\//s;
-my ( $suite_defines ) = $test_cases =~ /\/\* BEGIN_DEPENDENCIES\n \* (.*?)\n \* END_DEPENDENCIES/s;
-my ( $suite_helpers ) = $test_cases =~ /\/\* BEGIN_SUITE_HELPERS \*\/\n(.*?)\n\/\* END_SUITE_HELPERS \*\//s;
-
-my $requirements;
-if ($suite_defines =~ /^depends_on:/)
-{
-    ( $requirements ) = $suite_defines =~ /^depends_on:(.*)$/;
-}
-
-my @var_req_arr = split(/:/, $requirements);
-my $suite_pre_code;
-my $suite_post_code;
-my $dispatch_code;
-my $mapping_code;
-my %mapping_values;
-
-while (@var_req_arr)
-{
-    my $req = shift @var_req_arr;
-    $req =~ s/(!?)(.*)/$1defined($2)/;
-
-    $suite_pre_code .= "#if $req\n";
-    $suite_post_code .= "#endif /* $req */\n";
-}
-
-$/ = $line_separator;
-
-open(TEST_FILE, ">$test_file") or die "Opening destination file '$test_file': $!";
-print TEST_FILE << "END";
-/*
- * *** THIS FILE HAS BEEN MACHINE GENERATED ***
- *
- * This file has been machine generated using the script: $0
- *
- * Test file      : $test_file
- *
- * The following files were used to create this file.
- *
- *      Main code file  : $test_main_file
- *      Helper file     : $test_common_helper_file
- *      Test suite file : $test_case_file
- *      Test suite data : $test_case_data
- *
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
- */
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include <mbedtls/config.h>
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-
-/*----------------------------------------------------------------------------*/
-/* Common helper code */
-
-$test_common_helpers
-
-
-/*----------------------------------------------------------------------------*/
-/* Test Suite Code */
-
-$suite_pre_code
-$suite_header
-$suite_helpers
-$suite_post_code
-
-END
-
-$test_main =~ s/SUITE_PRE_DEP/$suite_pre_code/;
-$test_main =~ s/SUITE_POST_DEP/$suite_post_code/;
-
-while($test_cases =~ /\/\* BEGIN_CASE *([\w:]*) \*\/\n(.*?)\n\/\* END_CASE \*\//msg)
-{
-    my $function_deps = $1;
-    my $function_decl = $2;
-
-    # Sanity checks of function
-    if ($function_decl !~ /^#line\s*.*\nvoid /)
-    {
-        die "Test function does not have 'void' as return type.\n" .
-            "Function declaration:\n" .
-            $function_decl;
-    }
-    if ($function_decl !~ /^(#line\s*.*)\nvoid (\w+)\(\s*(.*?)\s*\)\s*{(.*)}/ms)
-    {
-        die "Function declaration not in expected format\n";
-    }
-    my $line_directive = $1;
-    my $function_name = $2;
-    my $function_params = $3;
-    my $function_pre_code;
-    my $function_post_code;
-    my $param_defs;
-    my $param_checks;
-    my @dispatch_params;
-    my @var_def_arr = split(/,\s*/, $function_params);
-    my $i = 1;
-    my $mapping_regex = "".$function_name;
-    my $mapping_count = 0;
-
-    $function_decl =~ s/(^#line\s*.*)\nvoid /$1\nvoid test_suite_/;
-
-    # Add exit label if not present
-    if ($function_decl !~ /^exit:$/m)
-    {
-        $function_decl =~ s/}\s*$/\nexit:\n    return;\n}/;
-    }
-
-    if ($function_deps =~ /^depends_on:/)
-    {
-        ( $function_deps ) = $function_deps =~ /^depends_on:(.*)$/;
-    }
-
-    foreach my $req (split(/:/, $function_deps))
-    {
-        $function_pre_code .= "#ifdef $req\n";
-        $function_post_code .= "#endif /* $req */\n";
-    }
-
-    foreach my $def (@var_def_arr)
-    {
-        # Handle the different parameter types
-        if( substr($def, 0, 4) eq "int " )
-        {
-            $param_defs .= "    int param$i;\n";
-            $param_checks .= "    if( verify_int( params[$i], &param$i ) != 0 ) return( DISPATCH_INVALID_TEST_DATA );\n";
-            push @dispatch_params, "param$i";
-
-            $mapping_regex .= ":([\\d\\w |\\+\\-\\(\\)]+)";
-            $mapping_count++;
-        }
-        elsif( substr($def, 0, 6) eq "char *" )
-        {
-            $param_defs .= "    char *param$i = params[$i];\n";
-            $param_checks .= "    if( verify_string( &param$i ) != 0 ) return( DISPATCH_INVALID_TEST_DATA );\n";
-            push @dispatch_params, "param$i";
-            $mapping_regex .= ":(?:\\\\.|[^:\n])+";
-        }
-        else
-        {
-            die "Parameter declaration not of supported type (int, char *)\n";
-        }
-        $i++;
-
-    }
-
-    # Find non-integer values we should map for this function
-    if( $mapping_count)
-    {
-        my @res = $test_data =~ /^$mapping_regex/msg;
-        foreach my $value (@res)
-        {
-            next unless ($value !~ /^\d+$/);
-            if ( $mapping_values{$value} ) {
-                ${ $mapping_values{$value} }{$function_pre_code} = 1;
-            } else {
-                $mapping_values{$value} = { $function_pre_code => 1 };
-            }
-        }
-    }
-
-    my $call_params = join ", ", @dispatch_params;
-    my $param_count = @var_def_arr + 1;
-    $dispatch_code .= << "END";
-if( strcmp( params[0], "$function_name" ) == 0 )
-{
-$function_pre_code
-$param_defs
-    if( cnt != $param_count )
-    {
-        mbedtls_fprintf( stderr, "\\nIncorrect argument count (%d != %d)\\n", cnt, $param_count );
-        return( DISPATCH_INVALID_TEST_DATA );
-    }
-
-$param_checks
-    test_suite_$function_name( $call_params );
-    return ( DISPATCH_TEST_SUCCESS );
-$function_post_code
-    return ( DISPATCH_UNSUPPORTED_SUITE );
-}
-else
-END
-
-    my $function_code = $function_pre_code . $function_decl . "\n" .
-                        $function_post_code;
-    $test_main =~ s/FUNCTION_CODE/$function_code\nFUNCTION_CODE/;
-}
-
-# Find specific case dependencies that we should be able to check
-# and make check code
-my $dep_check_code;
-
-my @res = $test_data =~ /^depends_on:([!:\w]+)/msg;
-my %case_deps;
-foreach my $deps (@res)
-{
-    foreach my $dep (split(/:/, $deps))
-    {
-        $case_deps{$dep} = 1;
-    }
-}
-while( my ($key, $value) = each(%case_deps) )
-{
-    if( substr($key, 0, 1) eq "!" )
-    {
-        my $key = substr($key, 1);
-        $dep_check_code .= << "END";
-    if( strcmp( str, "!$key" ) == 0 )
-    {
-#if !defined($key)
-        return( DEPENDENCY_SUPPORTED );
-#else
-        return( DEPENDENCY_NOT_SUPPORTED );
-#endif
-    }
-END
-    }
-    else
-    {
-        $dep_check_code .= << "END";
-    if( strcmp( str, "$key" ) == 0 )
-    {
-#if defined($key)
-        return( DEPENDENCY_SUPPORTED );
-#else
-        return( DEPENDENCY_NOT_SUPPORTED );
-#endif
-    }
-END
-    }
-}
-
-# Make mapping code
-while( my ($key, $value) = each(%mapping_values) )
-{
-    my $key_mapping_code = << "END";
-    if( strcmp( str, "$key" ) == 0 )
-    {
-        *value = ( $key );
-        return( KEY_VALUE_MAPPING_FOUND );
-    }
-END
-
-    # handle depenencies, unless used at least one without depends
-    if ($value->{""}) {
-        $mapping_code .= $key_mapping_code;
-        next;
-    }
-    for my $ifdef ( keys %$value ) {
-        (my $endif = $ifdef) =~ s!ifdef!endif //!g;
-        $mapping_code .= $ifdef . $key_mapping_code . $endif;
-    }
-}
-
-$dispatch_code =~ s/^(.+)/    $1/mg;
-
-$test_main =~ s/TESTCASE_FILENAME/$test_case_data/g;
-$test_main =~ s/TESTCODE_FILENAME/$test_case_file/g;
-$test_main =~ s/FUNCTION_CODE//;
-$test_main =~ s/DEP_CHECK_CODE/$dep_check_code/;
-$test_main =~ s/DISPATCH_FUNCTION/$dispatch_code/;
-$test_main =~ s/MAPPING_CODE/$mapping_code/;
-
-print TEST_FILE << "END";
-$test_main
-END
-
-close(TEST_FILE);
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/generate_test_code.py b/3rdparty/mbedtls/mbedtls/tests/scripts/generate_test_code.py
new file mode 100755
index 0000000000..1fff09992c
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/generate_test_code.py
@@ -0,0 +1,1152 @@
+#!/usr/bin/env python3
+# Test suites code generator.
+#
+# Copyright (C) 2018, Arm Limited, All Rights Reserved
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This file is part of Mbed TLS (https://tls.mbed.org)
+
+"""
+This script is a key part of Mbed TLS test suites framework. For
+understanding the script it is important to understand the
+framework. This doc string contains a summary of the framework
+and explains the function of this script.
+
+Mbed TLS test suites:
+=====================
+Scope:
+------
+The test suites focus on unit testing the crypto primitives and also
+include x509 parser tests. Tests can be added to test any Mbed TLS
+module. However, the framework is not capable of testing SSL
+protocol, since that requires full stack execution and that is best
+tested as part of the system test.
+
+Test case definition:
+---------------------
+Tests are defined in a test_suite_<module>[.<optional sub module>].data
+file. A test definition contains:
+ test name
+ optional build macro dependencies
+ test function
+ test parameters
+
+Test dependencies are build macros that can be specified to indicate
+the build config in which the test is valid. For example if a test
+depends on a feature that is only enabled by defining a macro. Then
+that macro should be specified as a dependency of the test.
+
+Test function is the function that implements the test steps. This
+function is specified for different tests that perform same steps
+with different parameters.
+
+Test parameters are specified in string form separated by ':'.
+Parameters can be of type string, binary data specified as hex
+string and integer constants specified as integer, macro or
+as an expression. Following is an example test definition:
+
+ AES 128 GCM Encrypt and decrypt 8 bytes
+ depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C
+ enc_dec_buf:MBEDTLS_CIPHER_AES_128_GCM:"AES-128-GCM":128:8:-1
+
+Test functions:
+---------------
+Test functions are coded in C in test_suite_<module>.function files.
+Functions file is itself not compilable and contains special
+format patterns to specify test suite dependencies, start and end
+of functions and function dependencies. Check any existing functions
+file for example.
+
+Execution:
+----------
+Tests are executed in 3 steps:
+- Generating test_suite_<module>[.<optional sub module>].c file
+  for each corresponding .data file.
+- Building each source file into executables.
+- Running each executable and printing report.
+
+Generating C test source requires more than just the test functions.
+Following extras are required:
+- Process main()
+- Reading .data file and dispatching test cases.
+- Platform specific test case execution
+- Dependency checking
+- Integer expression evaluation
+- Test function dispatch
+
+Build dependencies and integer expressions (in the test parameters)
+are specified as strings in the .data file. Their run time value is
+not known at the generation stage. Hence, they need to be translated
+into run time evaluations. This script generates the run time checks
+for dependencies and integer expressions.
+
+Similarly, function names have to be translated into function calls.
+This script also generates code for function dispatch.
+
+The extra code mentioned here is either generated by this script
+or it comes from the input files: helpers file, platform file and
+the template file.
+
+Helper file:
+------------
+Helpers file contains common helper/utility functions and data.
+
+Platform file:
+--------------
+Platform file contains platform specific setup code and test case
+dispatch code. For example, host_test.function reads test data
+file from host's file system and dispatches tests.
+In case of on-target target_test.function tests are not dispatched
+on target. Target code is kept minimum and only test functions are
+dispatched. Test case dispatch is done on the host using tools like
+Greentea.
+
+Template file:
+---------
+Template file for example main_test.function is a template C file in
+which generated code and code from input files is substituted to
+generate a compilable C file. It also contains skeleton functions for
+dependency checks, expression evaluation and function dispatch. These
+functions are populated with checks and return codes by this script.
+
+Template file contains "replacement" fields that are formatted
+strings processed by Python string.Template.substitute() method.
+
+This script:
+============
+Core function of this script is to fill the template file with
+code that is generated or read from helpers and platform files.
+
+This script replaces following fields in the template and generates
+the test source file:
+
+$test_common_helpers        <-- All common code from helpers.function
+                                is substituted here.
+$functions_code             <-- Test functions are substituted here
+                                from the input test_suit_xyz.function
+                                file. C preprocessor checks are generated
+                                for the build dependencies specified
+                                in the input file. This script also
+                                generates wrappers for the test
+                                functions with code to expand the
+                                string parameters read from the data
+                                file.
+$expression_code            <-- This script enumerates the
+                                expressions in the .data file and
+                                generates code to handle enumerated
+                                expression Ids and return the values.
+$dep_check_code             <-- This script enumerates all
+                                build dependencies and generate
+                                code to handle enumerated build
+                                dependency Id and return status: if
+                                the dependency is defined or not.
+$dispatch_code              <-- This script enumerates the functions
+                                specified in the input test data file
+                                and generates the initializer for the
+                                function table in the template
+                                file.
+$platform_code              <-- Platform specific setup and test
+                                dispatch code.
+
+"""
+
+
+import io
+import os
+import re
+import sys
+import string
+import argparse
+
+
+BEGIN_HEADER_REGEX = r'/\*\s*BEGIN_HEADER\s*\*/'
+END_HEADER_REGEX = r'/\*\s*END_HEADER\s*\*/'
+
+BEGIN_SUITE_HELPERS_REGEX = r'/\*\s*BEGIN_SUITE_HELPERS\s*\*/'
+END_SUITE_HELPERS_REGEX = r'/\*\s*END_SUITE_HELPERS\s*\*/'
+
+BEGIN_DEP_REGEX = r'BEGIN_DEPENDENCIES'
+END_DEP_REGEX = r'END_DEPENDENCIES'
+
+BEGIN_CASE_REGEX = r'/\*\s*BEGIN_CASE\s*(?P<depends_on>.*?)\s*\*/'
+END_CASE_REGEX = r'/\*\s*END_CASE\s*\*/'
+
+DEPENDENCY_REGEX = r'depends_on:(?P<dependencies>.*)'
+C_IDENTIFIER_REGEX = r'!?[a-z_][a-z0-9_]*'
+CONDITION_OPERATOR_REGEX = r'[!=]=|[<>]=?'
+# forbid 0ddd which might be accidentally octal or accidentally decimal
+CONDITION_VALUE_REGEX = r'[-+]?(0x[0-9a-f]+|0|[1-9][0-9]*)'
+CONDITION_REGEX = r'({})(?:\s*({})\s*({}))?$'.format(C_IDENTIFIER_REGEX,
+                                                     CONDITION_OPERATOR_REGEX,
+                                                     CONDITION_VALUE_REGEX)
+TEST_FUNCTION_VALIDATION_REGEX = r'\s*void\s+(?P<func_name>\w+)\s*\('
+INT_CHECK_REGEX = r'int\s+.*'
+CHAR_CHECK_REGEX = r'char\s*\*\s*.*'
+DATA_T_CHECK_REGEX = r'data_t\s*\*\s*.*'
+FUNCTION_ARG_LIST_END_REGEX = r'.*\)'
+EXIT_LABEL_REGEX = r'^exit:'
+
+
+class GeneratorInputError(Exception):
+    """
+    Exception to indicate error in the input files to this script.
+    This includes missing patterns, test function names and other
+    parsing errors.
+    """
+    pass
+
+
+class FileWrapper(io.FileIO, object):
+    """
+    This class extends built-in io.FileIO class with attribute line_no,
+    that indicates line number for the line that is read.
+    """
+
+    def __init__(self, file_name):
+        """
+        Instantiate the base class and initialize the line number to 0.
+
+        :param file_name: File path to open.
+        """
+        super(FileWrapper, self).__init__(file_name, 'r')
+        self._line_no = 0
+
+    def next(self):
+        """
+        Python 2 iterator method. This method overrides base class's
+        next method and extends the next method to count the line
+        numbers as each line is read.
+
+        It works for both Python 2 and Python 3 by checking iterator
+        method name in the base iterator object.
+
+        :return: Line read from file.
+        """
+        parent = super(FileWrapper, self)
+        if hasattr(parent, '__next__'):
+            line = parent.__next__()  # Python 3
+        else:
+            line = parent.next()  # Python 2 # pylint: disable=no-member
+        if line is not None:
+            self._line_no += 1
+            # Convert byte array to string with correct encoding and
+            # strip any whitespaces added in the decoding process.
+            return line.decode(sys.getdefaultencoding()).rstrip() + '\n'
+        return None
+
+    # Python 3 iterator method
+    __next__ = next
+
+    def get_line_no(self):
+        """
+        Gives current line number.
+        """
+        return self._line_no
+
+    line_no = property(get_line_no)
+
+
+def split_dep(dep):
+    """
+    Split NOT character '!' from dependency. Used by gen_dependencies()
+
+    :param dep: Dependency list
+    :return: string tuple. Ex: ('!', MACRO) for !MACRO and ('', MACRO) for
+             MACRO.
+    """
+    return ('!', dep[1:]) if dep[0] == '!' else ('', dep)
+
+
+def gen_dependencies(dependencies):
+    """
+    Test suite data and functions specifies compile time dependencies.
+    This function generates C preprocessor code from the input
+    dependency list. Caller uses the generated preprocessor code to
+    wrap dependent code.
+    A dependency in the input list can have a leading '!' character
+    to negate a condition. '!' is separated from the dependency using
+    function split_dep() and proper preprocessor check is generated
+    accordingly.
+
+    :param dependencies: List of dependencies.
+    :return: if defined and endif code with macro annotations for
+             readability.
+    """
+    dep_start = ''.join(['#if %sdefined(%s)\n' % (x, y) for x, y in
+                         map(split_dep, dependencies)])
+    dep_end = ''.join(['#endif /* %s */\n' %
+                       x for x in reversed(dependencies)])
+
+    return dep_start, dep_end
+
+
+def gen_dependencies_one_line(dependencies):
+    """
+    Similar to gen_dependencies() but generates dependency checks in one line.
+    Useful for generating code with #else block.
+
+    :param dependencies: List of dependencies.
+    :return: Preprocessor check code
+    """
+    defines = '#if ' if dependencies else ''
+    defines += ' && '.join(['%sdefined(%s)' % (x, y) for x, y in map(
+        split_dep, dependencies)])
+    return defines
+
+
+def gen_function_wrapper(name, local_vars, args_dispatch):
+    """
+    Creates test function wrapper code. A wrapper has the code to
+    unpack parameters from parameters[] array.
+
+    :param name: Test function name
+    :param local_vars: Local variables declaration code
+    :param args_dispatch: List of dispatch arguments.
+           Ex: ['(char *)params[0]', '*((int *)params[1])']
+    :return: Test function wrapper.
+    """
+    # Then create the wrapper
+    wrapper = '''
+void {name}_wrapper( void ** params )
+{{
+{unused_params}{locals}
+    {name}( {args} );
+}}
+'''.format(name=name,
+           unused_params='' if args_dispatch else '    (void)params;\n',
+           args=', '.join(args_dispatch),
+           locals=local_vars)
+    return wrapper
+
+
+def gen_dispatch(name, dependencies):
+    """
+    Test suite code template main_test.function defines a C function
+    array to contain test case functions. This function generates an
+    initializer entry for a function in that array. The entry is
+    composed of a compile time check for the test function
+    dependencies. At compile time the test function is assigned when
+    dependencies are met, else NULL is assigned.
+
+    :param name: Test function name
+    :param dependencies: List of dependencies
+    :return: Dispatch code.
+    """
+    if dependencies:
+        preprocessor_check = gen_dependencies_one_line(dependencies)
+        dispatch_code = '''
+{preprocessor_check}
+    {name}_wrapper,
+#else
+    NULL,
+#endif
+'''.format(preprocessor_check=preprocessor_check, name=name)
+    else:
+        dispatch_code = '''
+    {name}_wrapper,
+'''.format(name=name)
+
+    return dispatch_code
+
+
+def parse_until_pattern(funcs_f, end_regex):
+    """
+    Matches pattern end_regex to the lines read from the file object.
+    Returns the lines read until end pattern is matched.
+
+    :param funcs_f: file object for .function file
+    :param end_regex: Pattern to stop parsing
+    :return: Lines read before the end pattern
+    """
+    headers = '#line %d "%s"\n' % (funcs_f.line_no + 1, funcs_f.name)
+    for line in funcs_f:
+        if re.search(end_regex, line):
+            break
+        headers += line
+    else:
+        raise GeneratorInputError("file: %s - end pattern [%s] not found!" %
+                                  (funcs_f.name, end_regex))
+
+    return headers
+
+
+def validate_dependency(dependency):
+    """
+    Validates a C macro and raises GeneratorInputError on invalid input.
+    :param dependency: Input macro dependency
+    :return: input dependency stripped of leading & trailing white spaces.
+    """
+    dependency = dependency.strip()
+    if not re.match(CONDITION_REGEX, dependency, re.I):
+        raise GeneratorInputError('Invalid dependency %s' % dependency)
+    return dependency
+
+
+def parse_dependencies(inp_str):
+    """
+    Parses dependencies out of inp_str, validates them and returns a
+    list of macros.
+
+    :param inp_str: Input string with macros delimited by ':'.
+    :return: list of dependencies
+    """
+    dependencies = [dep for dep in map(validate_dependency,
+                                       inp_str.split(':'))]
+    return dependencies
+
+
+def parse_suite_dependencies(funcs_f):
+    """
+    Parses test suite dependencies specified at the top of a
+    .function file, that starts with pattern BEGIN_DEPENDENCIES
+    and end with END_DEPENDENCIES. Dependencies are specified
+    after pattern 'depends_on:' and are delimited by ':'.
+
+    :param funcs_f: file object for .function file
+    :return: List of test suite dependencies.
+    """
+    dependencies = []
+    for line in funcs_f:
+        match = re.search(DEPENDENCY_REGEX, line.strip())
+        if match:
+            try:
+                dependencies = parse_dependencies(match.group('dependencies'))
+            except GeneratorInputError as error:
+                raise GeneratorInputError(
+                    str(error) + " - %s:%d" % (funcs_f.name, funcs_f.line_no))
+        if re.search(END_DEP_REGEX, line):
+            break
+    else:
+        raise GeneratorInputError("file: %s - end dependency pattern [%s]"
+                                  " not found!" % (funcs_f.name,
+                                                   END_DEP_REGEX))
+
+    return dependencies
+
+
+def parse_function_dependencies(line):
+    """
+    Parses function dependencies, that are in the same line as
+    comment BEGIN_CASE. Dependencies are specified after pattern
+    'depends_on:' and are delimited by ':'.
+
+    :param line: Line from .function file that has dependencies.
+    :return: List of dependencies.
+    """
+    dependencies = []
+    match = re.search(BEGIN_CASE_REGEX, line)
+    dep_str = match.group('depends_on')
+    if dep_str:
+        match = re.search(DEPENDENCY_REGEX, dep_str)
+        if match:
+            dependencies += parse_dependencies(match.group('dependencies'))
+
+    return dependencies
+
+
+def parse_function_arguments(line):
+    """
+    Parses test function signature for validation and generates
+    a dispatch wrapper function that translates input test vectors
+    read from the data file into test function arguments.
+
+    :param line: Line from .function file that has a function
+                 signature.
+    :return: argument list, local variables for
+             wrapper function and argument dispatch code.
+    """
+    args = []
+    local_vars = ''
+    args_dispatch = []
+    arg_idx = 0
+    # Remove characters before arguments
+    line = line[line.find('(') + 1:]
+    # Process arguments, ex: <type> arg1, <type> arg2 )
+    # This script assumes that the argument list is terminated by ')'
+    # i.e. the test functions will not have a function pointer
+    # argument.
+    for arg in line[:line.find(')')].split(','):
+        arg = arg.strip()
+        if arg == '':
+            continue
+        if re.search(INT_CHECK_REGEX, arg.strip()):
+            args.append('int')
+            args_dispatch.append('*( (int *) params[%d] )' % arg_idx)
+        elif re.search(CHAR_CHECK_REGEX, arg.strip()):
+            args.append('char*')
+            args_dispatch.append('(char *) params[%d]' % arg_idx)
+        elif re.search(DATA_T_CHECK_REGEX, arg.strip()):
+            args.append('hex')
+            # create a structure
+            pointer_initializer = '(uint8_t *) params[%d]' % arg_idx
+            len_initializer = '*( (uint32_t *) params[%d] )' % (arg_idx+1)
+            local_vars += """    data_t data%d = {%s, %s};
+""" % (arg_idx, pointer_initializer, len_initializer)
+
+            args_dispatch.append('&data%d' % arg_idx)
+            arg_idx += 1
+        else:
+            raise ValueError("Test function arguments can only be 'int', "
+                             "'char *' or 'data_t'\n%s" % line)
+        arg_idx += 1
+
+    return args, local_vars, args_dispatch
+
+
+def generate_function_code(name, code, local_vars, args_dispatch,
+                           dependencies):
+    """
+    Generate function code with preprocessor checks and parameter dispatch
+    wrapper.
+
+    :param name: Function name
+    :param code: Function code
+    :param local_vars: Local variables for function wrapper
+    :param args_dispatch: Argument dispatch code
+    :param dependencies: Preprocessor dependencies list
+    :return: Final function code
+    """
+    # Add exit label if not present
+    if code.find('exit:') == -1:
+        split_code = code.rsplit('}', 1)
+        if len(split_code) == 2:
+            code = """exit:
+    ;
+}""".join(split_code)
+
+    code += gen_function_wrapper(name, local_vars, args_dispatch)
+    preprocessor_check_start, preprocessor_check_end = \
+        gen_dependencies(dependencies)
+    return preprocessor_check_start + code + preprocessor_check_end
+
+
+def parse_function_code(funcs_f, dependencies, suite_dependencies):
+    """
+    Parses out a function from function file object and generates
+    function and dispatch code.
+
+    :param funcs_f: file object of the functions file.
+    :param dependencies: List of dependencies
+    :param suite_dependencies: List of test suite dependencies
+    :return: Function name, arguments, function code and dispatch code.
+    """
+    line_directive = '#line %d "%s"\n' % (funcs_f.line_no + 1, funcs_f.name)
+    code = ''
+    has_exit_label = False
+    for line in funcs_f:
+        # Check function signature. Function signature may be split
+        # across multiple lines. Here we try to find the start of
+        # arguments list, then remove '\n's and apply the regex to
+        # detect function start.
+        up_to_arg_list_start = code + line[:line.find('(') + 1]
+        match = re.match(TEST_FUNCTION_VALIDATION_REGEX,
+                         up_to_arg_list_start.replace('\n', ' '), re.I)
+        if match:
+            # check if we have full signature i.e. split in more lines
+            name = match.group('func_name')
+            if not re.match(FUNCTION_ARG_LIST_END_REGEX, line):
+                for lin in funcs_f:
+                    line += lin
+                    if re.search(FUNCTION_ARG_LIST_END_REGEX, line):
+                        break
+            args, local_vars, args_dispatch = parse_function_arguments(
+                line)
+            code += line
+            break
+        code += line
+    else:
+        raise GeneratorInputError("file: %s - Test functions not found!" %
+                                  funcs_f.name)
+
+    # Prefix test function name with 'test_'
+    code = code.replace(name, 'test_' + name, 1)
+    name = 'test_' + name
+
+    for line in funcs_f:
+        if re.search(END_CASE_REGEX, line):
+            break
+        if not has_exit_label:
+            has_exit_label = \
+                re.search(EXIT_LABEL_REGEX, line.strip()) is not None
+        code += line
+    else:
+        raise GeneratorInputError("file: %s - end case pattern [%s] not "
+                                  "found!" % (funcs_f.name, END_CASE_REGEX))
+
+    code = line_directive + code
+    code = generate_function_code(name, code, local_vars, args_dispatch,
+                                  dependencies)
+    dispatch_code = gen_dispatch(name, suite_dependencies + dependencies)
+    return (name, args, code, dispatch_code)
+
+
+def parse_functions(funcs_f):
+    """
+    Parses a test_suite_xxx.function file and returns information
+    for generating a C source file for the test suite.
+
+    :param funcs_f: file object of the functions file.
+    :return: List of test suite dependencies, test function dispatch
+             code, function code and a dict with function identifiers
+             and arguments info.
+    """
+    suite_helpers = ''
+    suite_dependencies = []
+    suite_functions = ''
+    func_info = {}
+    function_idx = 0
+    dispatch_code = ''
+    for line in funcs_f:
+        if re.search(BEGIN_HEADER_REGEX, line):
+            suite_helpers += parse_until_pattern(funcs_f, END_HEADER_REGEX)
+        elif re.search(BEGIN_SUITE_HELPERS_REGEX, line):
+            suite_helpers += parse_until_pattern(funcs_f,
+                                                 END_SUITE_HELPERS_REGEX)
+        elif re.search(BEGIN_DEP_REGEX, line):
+            suite_dependencies += parse_suite_dependencies(funcs_f)
+        elif re.search(BEGIN_CASE_REGEX, line):
+            try:
+                dependencies = parse_function_dependencies(line)
+            except GeneratorInputError as error:
+                raise GeneratorInputError(
+                    "%s:%d: %s" % (funcs_f.name, funcs_f.line_no,
+                                   str(error)))
+            func_name, args, func_code, func_dispatch =\
+                parse_function_code(funcs_f, dependencies, suite_dependencies)
+            suite_functions += func_code
+            # Generate dispatch code and enumeration info
+            if func_name in func_info:
+                raise GeneratorInputError(
+                    "file: %s - function %s re-declared at line %d" %
+                    (funcs_f.name, func_name, funcs_f.line_no))
+            func_info[func_name] = (function_idx, args)
+            dispatch_code += '/* Function Id: %d */\n' % function_idx
+            dispatch_code += func_dispatch
+            function_idx += 1
+
+    func_code = (suite_helpers +
+                 suite_functions).join(gen_dependencies(suite_dependencies))
+    return suite_dependencies, dispatch_code, func_code, func_info
+
+
+def escaped_split(inp_str, split_char):
+    """
+    Split inp_str on character split_char but ignore if escaped.
+    Since, return value is used to write back to the intermediate
+    data file, any escape characters in the input are retained in the
+    output.
+
+    :param inp_str: String to split
+    :param split_char: Split character
+    :return: List of splits
+    """
+    if len(split_char) > 1:
+        raise ValueError('Expected split character. Found string!')
+    out = re.sub(r'(\\.)|' + split_char,
+                 lambda m: m.group(1) or '\n', inp_str,
+                 len(inp_str)).split('\n')
+    out = [x for x in out if x]
+    return out
+
+
+def parse_test_data(data_f):
+    """
+    Parses .data file for each test case name, test function name,
+    test dependencies and test arguments. This information is
+    correlated with the test functions file for generating an
+    intermediate data file replacing the strings for test function
+    names, dependencies and integer constant expressions with
+    identifiers. Mainly for optimising space for on-target
+    execution.
+
+    :param data_f: file object of the data file.
+    :return: Generator that yields test name, function name,
+             dependency list and function argument list.
+    """
+    __state_read_name = 0
+    __state_read_args = 1
+    state = __state_read_name
+    dependencies = []
+    name = ''
+    for line in data_f:
+        line = line.strip()
+        # Skip comments
+        if line.startswith('#'):
+            continue
+
+        # Blank line indicates end of test
+        if not line:
+            if state == __state_read_args:
+                raise GeneratorInputError("[%s:%d] Newline before arguments. "
+                                          "Test function and arguments "
+                                          "missing for %s" %
+                                          (data_f.name, data_f.line_no, name))
+            continue
+
+        if state == __state_read_name:
+            # Read test name
+            name = line
+            state = __state_read_args
+        elif state == __state_read_args:
+            # Check dependencies
+            match = re.search(DEPENDENCY_REGEX, line)
+            if match:
+                try:
+                    dependencies = parse_dependencies(
+                        match.group('dependencies'))
+                except GeneratorInputError as error:
+                    raise GeneratorInputError(
+                        str(error) + " - %s:%d" %
+                        (data_f.name, data_f.line_no))
+            else:
+                # Read test vectors
+                parts = escaped_split(line, ':')
+                test_function = parts[0]
+                args = parts[1:]
+                yield name, test_function, dependencies, args
+                dependencies = []
+                state = __state_read_name
+    if state == __state_read_args:
+        raise GeneratorInputError("[%s:%d] Newline before arguments. "
+                                  "Test function and arguments missing for "
+                                  "%s" % (data_f.name, data_f.line_no, name))
+
+
+def gen_dep_check(dep_id, dep):
+    """
+    Generate code for checking dependency with the associated
+    identifier.
+
+    :param dep_id: Dependency identifier
+    :param dep: Dependency macro
+    :return: Dependency check code
+    """
+    if dep_id < 0:
+        raise GeneratorInputError("Dependency Id should be a positive "
+                                  "integer.")
+    _not, dep = ('!', dep[1:]) if dep[0] == '!' else ('', dep)
+    if not dep:
+        raise GeneratorInputError("Dependency should not be an empty string.")
+
+    dependency = re.match(CONDITION_REGEX, dep, re.I)
+    if not dependency:
+        raise GeneratorInputError('Invalid dependency %s' % dep)
+
+    _defined = '' if dependency.group(2) else 'defined'
+    _cond = dependency.group(2) if dependency.group(2) else ''
+    _value = dependency.group(3) if dependency.group(3) else ''
+
+    dep_check = '''
+        case {id}:
+            {{
+#if {_not}{_defined}({macro}{_cond}{_value})
+                ret = DEPENDENCY_SUPPORTED;
+#else
+                ret = DEPENDENCY_NOT_SUPPORTED;
+#endif
+            }}
+            break;'''.format(_not=_not, _defined=_defined,
+                             macro=dependency.group(1), id=dep_id,
+                             _cond=_cond, _value=_value)
+    return dep_check
+
+
+def gen_expression_check(exp_id, exp):
+    """
+    Generates code for evaluating an integer expression using
+    associated expression Id.
+
+    :param exp_id: Expression Identifier
+    :param exp: Expression/Macro
+    :return: Expression check code
+    """
+    if exp_id < 0:
+        raise GeneratorInputError("Expression Id should be a positive "
+                                  "integer.")
+    if not exp:
+        raise GeneratorInputError("Expression should not be an empty string.")
+    exp_code = '''
+        case {exp_id}:
+            {{
+                *out_value = {expression};
+            }}
+            break;'''.format(exp_id=exp_id, expression=exp)
+    return exp_code
+
+
+def write_dependencies(out_data_f, test_dependencies, unique_dependencies):
+    """
+    Write dependencies to intermediate test data file, replacing
+    the string form with identifiers. Also, generates dependency
+    check code.
+
+    :param out_data_f: Output intermediate data file
+    :param test_dependencies: Dependencies
+    :param unique_dependencies: Mutable list to track unique dependencies
+           that are global to this re-entrant function.
+    :return: returns dependency check code.
+    """
+    dep_check_code = ''
+    if test_dependencies:
+        out_data_f.write('depends_on')
+        for dep in test_dependencies:
+            if dep not in unique_dependencies:
+                unique_dependencies.append(dep)
+                dep_id = unique_dependencies.index(dep)
+                dep_check_code += gen_dep_check(dep_id, dep)
+            else:
+                dep_id = unique_dependencies.index(dep)
+            out_data_f.write(':' + str(dep_id))
+        out_data_f.write('\n')
+    return dep_check_code
+
+
+def write_parameters(out_data_f, test_args, func_args, unique_expressions):
+    """
+    Writes test parameters to the intermediate data file, replacing
+    the string form with identifiers. Also, generates expression
+    check code.
+
+    :param out_data_f: Output intermediate data file
+    :param test_args: Test parameters
+    :param func_args: Function arguments
+    :param unique_expressions: Mutable list to track unique
+           expressions that are global to this re-entrant function.
+    :return: Returns expression check code.
+    """
+    expression_code = ''
+    for i, _ in enumerate(test_args):
+        typ = func_args[i]
+        val = test_args[i]
+
+        # check if val is a non literal int val (i.e. an expression)
+        if typ == 'int' and not re.match(r'(\d+|0x[0-9a-f]+)$',
+                                         val, re.I):
+            typ = 'exp'
+            if val not in unique_expressions:
+                unique_expressions.append(val)
+                # exp_id can be derived from len(). But for
+                # readability and consistency with case of existing
+                # let's use index().
+                exp_id = unique_expressions.index(val)
+                expression_code += gen_expression_check(exp_id, val)
+                val = exp_id
+            else:
+                val = unique_expressions.index(val)
+        out_data_f.write(':' + typ + ':' + str(val))
+    out_data_f.write('\n')
+    return expression_code
+
+
+def gen_suite_dep_checks(suite_dependencies, dep_check_code, expression_code):
+    """
+    Generates preprocessor checks for test suite dependencies.
+
+    :param suite_dependencies: Test suite dependencies read from the
+            .function file.
+    :param dep_check_code: Dependency check code
+    :param expression_code: Expression check code
+    :return: Dependency and expression code guarded by test suite
+             dependencies.
+    """
+    if suite_dependencies:
+        preprocessor_check = gen_dependencies_one_line(suite_dependencies)
+        dep_check_code = '''
+{preprocessor_check}
+{code}
+#endif
+'''.format(preprocessor_check=preprocessor_check, code=dep_check_code)
+        expression_code = '''
+{preprocessor_check}
+{code}
+#endif
+'''.format(preprocessor_check=preprocessor_check, code=expression_code)
+    return dep_check_code, expression_code
+
+
+def gen_from_test_data(data_f, out_data_f, func_info, suite_dependencies):
+    """
+    This function reads test case name, dependencies and test vectors
+    from the .data file. This information is correlated with the test
+    functions file for generating an intermediate data file replacing
+    the strings for test function names, dependencies and integer
+    constant expressions with identifiers. Mainly for optimising
+    space for on-target execution.
+    It also generates test case dependency check code and expression
+    evaluation code.
+
+    :param data_f: Data file object
+    :param out_data_f: Output intermediate data file
+    :param func_info: Dict keyed by function and with function id
+           and arguments info
+    :param suite_dependencies: Test suite dependencies
+    :return: Returns dependency and expression check code
+    """
+    unique_dependencies = []
+    unique_expressions = []
+    dep_check_code = ''
+    expression_code = ''
+    for test_name, function_name, test_dependencies, test_args in \
+            parse_test_data(data_f):
+        out_data_f.write(test_name + '\n')
+
+        # Write dependencies
+        dep_check_code += write_dependencies(out_data_f, test_dependencies,
+                                             unique_dependencies)
+
+        # Write test function name
+        test_function_name = 'test_' + function_name
+        if test_function_name not in func_info:
+            raise GeneratorInputError("Function %s not found!" %
+                                      test_function_name)
+        func_id, func_args = func_info[test_function_name]
+        out_data_f.write(str(func_id))
+
+        # Write parameters
+        if len(test_args) != len(func_args):
+            raise GeneratorInputError("Invalid number of arguments in test "
+                                      "%s. See function %s signature." %
+                                      (test_name, function_name))
+        expression_code += write_parameters(out_data_f, test_args, func_args,
+                                            unique_expressions)
+
+        # Write a newline as test case separator
+        out_data_f.write('\n')
+
+    dep_check_code, expression_code = gen_suite_dep_checks(
+        suite_dependencies, dep_check_code, expression_code)
+    return dep_check_code, expression_code
+
+
+def add_input_info(funcs_file, data_file, template_file,
+                   c_file, snippets):
+    """
+    Add generator input info in snippets.
+
+    :param funcs_file: Functions file object
+    :param data_file: Data file object
+    :param template_file: Template file object
+    :param c_file: Output C file object
+    :param snippets: Dictionary to contain code pieces to be
+                     substituted in the template.
+    :return:
+    """
+    snippets['test_file'] = c_file
+    snippets['test_main_file'] = template_file
+    snippets['test_case_file'] = funcs_file
+    snippets['test_case_data_file'] = data_file
+
+
+def read_code_from_input_files(platform_file, helpers_file,
+                               out_data_file, snippets):
+    """
+    Read code from input files and create substitutions for replacement
+    strings in the template file.
+
+    :param platform_file: Platform file object
+    :param helpers_file: Helper functions file object
+    :param out_data_file: Output intermediate data file object
+    :param snippets: Dictionary to contain code pieces to be
+                     substituted in the template.
+    :return:
+    """
+    # Read helpers
+    with open(helpers_file, 'r') as help_f, open(platform_file, 'r') as \
+            platform_f:
+        snippets['test_common_helper_file'] = helpers_file
+        snippets['test_common_helpers'] = help_f.read()
+        snippets['test_platform_file'] = platform_file
+        snippets['platform_code'] = platform_f.read().replace(
+            'DATA_FILE', out_data_file.replace('\\', '\\\\'))  # escape '\'
+
+
+def write_test_source_file(template_file, c_file, snippets):
+    """
+    Write output source file with generated source code.
+
+    :param template_file: Template file name
+    :param c_file: Output source file
+    :param snippets: Generated and code snippets
+    :return:
+    """
+    with open(template_file, 'r') as template_f, open(c_file, 'w') as c_f:
+        for line_no, line in enumerate(template_f.readlines(), 1):
+            # Update line number. +1 as #line directive sets next line number
+            snippets['line_no'] = line_no + 1
+            code = string.Template(line).substitute(**snippets)
+            c_f.write(code)
+
+
+def parse_function_file(funcs_file, snippets):
+    """
+    Parse function file and generate function dispatch code.
+
+    :param funcs_file: Functions file name
+    :param snippets: Dictionary to contain code pieces to be
+                     substituted in the template.
+    :return:
+    """
+    with FileWrapper(funcs_file) as funcs_f:
+        suite_dependencies, dispatch_code, func_code, func_info = \
+            parse_functions(funcs_f)
+        snippets['functions_code'] = func_code
+        snippets['dispatch_code'] = dispatch_code
+        return suite_dependencies, func_info
+
+
+def generate_intermediate_data_file(data_file, out_data_file,
+                                    suite_dependencies, func_info, snippets):
+    """
+    Generates intermediate data file from input data file and
+    information read from functions file.
+
+    :param data_file: Data file name
+    :param out_data_file: Output/Intermediate data file
+    :param suite_dependencies: List of suite dependencies.
+    :param func_info: Function info parsed from functions file.
+    :param snippets: Dictionary to contain code pieces to be
+                     substituted in the template.
+    :return:
+    """
+    with FileWrapper(data_file) as data_f, \
+            open(out_data_file, 'w') as out_data_f:
+        dep_check_code, expression_code = gen_from_test_data(
+            data_f, out_data_f, func_info, suite_dependencies)
+        snippets['dep_check_code'] = dep_check_code
+        snippets['expression_code'] = expression_code
+
+
+def generate_code(**input_info):
+    """
+    Generates C source code from test suite file, data file, common
+    helpers file and platform file.
+
+    input_info expands to following parameters:
+    funcs_file: Functions file object
+    data_file: Data file object
+    template_file: Template file object
+    platform_file: Platform file object
+    helpers_file: Helper functions file object
+    suites_dir: Test suites dir
+    c_file: Output C file object
+    out_data_file: Output intermediate data file object
+    :return:
+    """
+    funcs_file = input_info['funcs_file']
+    data_file = input_info['data_file']
+    template_file = input_info['template_file']
+    platform_file = input_info['platform_file']
+    helpers_file = input_info['helpers_file']
+    suites_dir = input_info['suites_dir']
+    c_file = input_info['c_file']
+    out_data_file = input_info['out_data_file']
+    for name, path in [('Functions file', funcs_file),
+                       ('Data file', data_file),
+                       ('Template file', template_file),
+                       ('Platform file', platform_file),
+                       ('Helpers code file', helpers_file),
+                       ('Suites dir', suites_dir)]:
+        if not os.path.exists(path):
+            raise IOError("ERROR: %s [%s] not found!" % (name, path))
+
+    snippets = {'generator_script': os.path.basename(__file__)}
+    read_code_from_input_files(platform_file, helpers_file,
+                               out_data_file, snippets)
+    add_input_info(funcs_file, data_file, template_file,
+                   c_file, snippets)
+    suite_dependencies, func_info = parse_function_file(funcs_file, snippets)
+    generate_intermediate_data_file(data_file, out_data_file,
+                                    suite_dependencies, func_info, snippets)
+    write_test_source_file(template_file, c_file, snippets)
+
+
+def main():
+    """
+    Command line parser.
+
+    :return:
+    """
+    parser = argparse.ArgumentParser(
+        description='Dynamically generate test suite code.')
+
+    parser.add_argument("-f", "--functions-file",
+                        dest="funcs_file",
+                        help="Functions file",
+                        metavar="FUNCTIONS_FILE",
+                        required=True)
+
+    parser.add_argument("-d", "--data-file",
+                        dest="data_file",
+                        help="Data file",
+                        metavar="DATA_FILE",
+                        required=True)
+
+    parser.add_argument("-t", "--template-file",
+                        dest="template_file",
+                        help="Template file",
+                        metavar="TEMPLATE_FILE",
+                        required=True)
+
+    parser.add_argument("-s", "--suites-dir",
+                        dest="suites_dir",
+                        help="Suites dir",
+                        metavar="SUITES_DIR",
+                        required=True)
+
+    parser.add_argument("--helpers-file",
+                        dest="helpers_file",
+                        help="Helpers file",
+                        metavar="HELPERS_FILE",
+                        required=True)
+
+    parser.add_argument("-p", "--platform-file",
+                        dest="platform_file",
+                        help="Platform code file",
+                        metavar="PLATFORM_FILE",
+                        required=True)
+
+    parser.add_argument("-o", "--out-dir",
+                        dest="out_dir",
+                        help="Dir where generated code and scripts are copied",
+                        metavar="OUT_DIR",
+                        required=True)
+
+    args = parser.parse_args()
+
+    data_file_name = os.path.basename(args.data_file)
+    data_name = os.path.splitext(data_file_name)[0]
+
+    out_c_file = os.path.join(args.out_dir, data_name + '.c')
+    out_data_file = os.path.join(args.out_dir, data_name + '.datax')
+
+    out_c_file_dir = os.path.dirname(out_c_file)
+    out_data_file_dir = os.path.dirname(out_data_file)
+    for directory in [out_c_file_dir, out_data_file_dir]:
+        if not os.path.exists(directory):
+            os.makedirs(directory)
+
+    generate_code(funcs_file=args.funcs_file, data_file=args.data_file,
+                  template_file=args.template_file,
+                  platform_file=args.platform_file,
+                  helpers_file=args.helpers_file, suites_dir=args.suites_dir,
+                  c_file=out_c_file, out_data_file=out_data_file)
+
+
+if __name__ == "__main__":
+    try:
+        main()
+    except GeneratorInputError as err:
+        sys.exit("%s: input error: %s" %
+                 (os.path.basename(sys.argv[0]), str(err)))
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/mbedtls_test.py b/3rdparty/mbedtls/mbedtls/tests/scripts/mbedtls_test.py
new file mode 100755
index 0000000000..ac2912d4c9
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/mbedtls_test.py
@@ -0,0 +1,379 @@
+# Greentea host test script for Mbed TLS on-target test suite testing.
+#
+# Copyright (C) 2018, Arm Limited, All Rights Reserved
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This file is part of Mbed TLS (https://tls.mbed.org)
+
+
+"""
+Mbed TLS on-target test suite tests are implemented as Greentea
+tests. Greentea tests are implemented in two parts: target test and
+host test. Target test is a C application that is built for the
+target platform and executes on the target. Host test is a Python
+class derived from mbed_host_tests.BaseHostTest. Target communicates
+with the host over serial for the test data and sends back the result.
+
+Python tool mbedgt (Greentea) is responsible for flashing the test
+binary on to the target and dynamically loading this host test module.
+
+Greentea documentation can be found here:
+https://github.com/ARMmbed/greentea
+"""
+
+
+import re
+import os
+import binascii
+
+from mbed_host_tests import BaseHostTest, event_callback # pylint: disable=import-error
+
+
+class TestDataParserError(Exception):
+    """Indicates error in test data, read from .data file."""
+    pass
+
+
+class TestDataParser(object):
+    """
+    Parses test name, dependencies, test function name and test parameters
+    from the data file.
+    """
+
+    def __init__(self):
+        """
+        Constructor
+        """
+        self.tests = []
+
+    def parse(self, data_file):
+        """
+        Data file parser.
+
+        :param data_file: Data file path
+        """
+        with open(data_file, 'r') as data_f:
+            self.__parse(data_f)
+
+    @staticmethod
+    def __escaped_split(inp_str, split_char):
+        """
+        Splits inp_str on split_char except when escaped.
+
+        :param inp_str: String to split
+        :param split_char: Split character
+        :return: List of splits
+        """
+        split_colon_fn = lambda x: re.sub(r'\\' + split_char, split_char, x)
+        if len(split_char) > 1:
+            raise ValueError('Expected split character. Found string!')
+        out = map(split_colon_fn, re.split(r'(?<!\\)' + split_char, inp_str))
+        out = [x for x in out if x]
+        return out
+
+    def __parse(self, data_f):
+        """
+        Parses data file using supplied file object.
+
+        :param data_f: Data file object
+        :return:
+        """
+        for line in data_f:
+            line = line.strip()
+            if not line:
+                continue
+            # Read test name
+            name = line
+
+            # Check dependencies
+            dependencies = []
+            line = data_f.next().strip()
+            match = re.search('depends_on:(.*)', line)
+            if match:
+                dependencies = [int(x) for x in match.group(1).split(':')]
+                line = data_f.next().strip()
+
+            # Read test vectors
+            line = line.replace('\\n', '\n')
+            parts = self.__escaped_split(line, ':')
+            function_name = int(parts[0])
+            args = parts[1:]
+            args_count = len(args)
+            if args_count % 2 != 0:
+                err_str_fmt = "Number of test arguments({}) should be even: {}"
+                raise TestDataParserError(err_str_fmt.format(args_count, line))
+            grouped_args = [(args[i * 2], args[(i * 2) + 1])
+                            for i in range(len(args)/2)]
+            self.tests.append((name, function_name, dependencies,
+                               grouped_args))
+
+    def get_test_data(self):
+        """
+        Returns test data.
+        """
+        return self.tests
+
+
+class MbedTlsTest(BaseHostTest):
+    """
+    Host test for Mbed TLS unit tests. This script is loaded at
+    run time by Greentea for executing Mbed TLS test suites. Each
+    communication from the target is received in this object as
+    an event, which is then handled by the event handler method
+    decorated by the associated event. Ex: @event_callback('GO').
+
+    Target test sends requests for dispatching next test. It reads
+    tests from the intermediate data file and sends test function
+    identifier, dependency identifiers, expression identifiers and
+    the test data in binary form. Target test checks dependencies
+    , evaluate integer constant expressions and dispatches the test
+    function with received test parameters. After test function is
+    finished, target sends the result. This class handles the result
+    event and prints verdict in the form that Greentea understands.
+
+    """
+    # status/error codes from suites/helpers.function
+    DEPENDENCY_SUPPORTED = 0
+    KEY_VALUE_MAPPING_FOUND = DEPENDENCY_SUPPORTED
+    DISPATCH_TEST_SUCCESS = DEPENDENCY_SUPPORTED
+
+    KEY_VALUE_MAPPING_NOT_FOUND = -1    # Expression Id not found.
+    DEPENDENCY_NOT_SUPPORTED = -2       # Dependency not supported.
+    DISPATCH_TEST_FN_NOT_FOUND = -3     # Test function not found.
+    DISPATCH_INVALID_TEST_DATA = -4     # Invalid parameter type.
+    DISPATCH_UNSUPPORTED_SUITE = -5     # Test suite not supported/enabled.
+
+    def __init__(self):
+        """
+        Constructor initialises test index to 0.
+        """
+        super(MbedTlsTest, self).__init__()
+        self.tests = []
+        self.test_index = -1
+        self.dep_index = 0
+        self.suite_passed = True
+        self.error_str = dict()
+        self.error_str[self.DEPENDENCY_SUPPORTED] = \
+            'DEPENDENCY_SUPPORTED'
+        self.error_str[self.KEY_VALUE_MAPPING_NOT_FOUND] = \
+            'KEY_VALUE_MAPPING_NOT_FOUND'
+        self.error_str[self.DEPENDENCY_NOT_SUPPORTED] = \
+            'DEPENDENCY_NOT_SUPPORTED'
+        self.error_str[self.DISPATCH_TEST_FN_NOT_FOUND] = \
+            'DISPATCH_TEST_FN_NOT_FOUND'
+        self.error_str[self.DISPATCH_INVALID_TEST_DATA] = \
+            'DISPATCH_INVALID_TEST_DATA'
+        self.error_str[self.DISPATCH_UNSUPPORTED_SUITE] = \
+            'DISPATCH_UNSUPPORTED_SUITE'
+
+    def setup(self):
+        """
+        Setup hook implementation. Reads test suite data file and parses out
+        tests.
+        """
+        binary_path = self.get_config_item('image_path')
+        script_dir = os.path.split(os.path.abspath(__file__))[0]
+        suite_name = os.path.splitext(os.path.basename(binary_path))[0]
+        data_file = ".".join((suite_name, 'datax'))
+        data_file = os.path.join(script_dir, '..', 'mbedtls',
+                                 suite_name, data_file)
+        if os.path.exists(data_file):
+            self.log("Running tests from %s" % data_file)
+            parser = TestDataParser()
+            parser.parse(data_file)
+            self.tests = parser.get_test_data()
+            self.print_test_info()
+        else:
+            self.log("Data file not found: %s" % data_file)
+            self.notify_complete(False)
+
+    def print_test_info(self):
+        """
+        Prints test summary read by Greentea to detect test cases.
+        """
+        self.log('{{__testcase_count;%d}}' % len(self.tests))
+        for name, _, _, _ in self.tests:
+            self.log('{{__testcase_name;%s}}' % name)
+
+    @staticmethod
+    def align_32bit(data_bytes):
+        """
+        4 byte aligns input byte array.
+
+        :return:
+        """
+        data_bytes += bytearray((4 - (len(data_bytes))) % 4)
+
+    @staticmethod
+    def hex_str_bytes(hex_str):
+        """
+        Converts Hex string representation to byte array
+
+        :param hex_str: Hex in string format.
+        :return: Output Byte array
+        """
+        if hex_str[0] != '"' or hex_str[len(hex_str) - 1] != '"':
+            raise TestDataParserError("HEX test parameter missing '\"':"
+                                      " %s" % hex_str)
+        hex_str = hex_str.strip('"')
+        if len(hex_str) % 2 != 0:
+            raise TestDataParserError("HEX parameter len should be mod of "
+                                      "2: %s" % hex_str)
+
+        data_bytes = binascii.unhexlify(hex_str)
+        return data_bytes
+
+    @staticmethod
+    def int32_to_big_endian_bytes(i):
+        """
+        Coverts i to byte array in big endian format.
+
+        :param i: Input integer
+        :return: Output bytes array in big endian or network order
+        """
+        data_bytes = bytearray([((i >> x) & 0xff) for x in [24, 16, 8, 0]])
+        return data_bytes
+
+    def test_vector_to_bytes(self, function_id, dependencies, parameters):
+        """
+        Converts test vector into a byte array that can be sent to the target.
+
+        :param function_id: Test Function Identifier
+        :param dependencies: Dependency list
+        :param parameters: Test function input parameters
+        :return: Byte array and its length
+        """
+        data_bytes = bytearray([len(dependencies)])
+        if dependencies:
+            data_bytes += bytearray(dependencies)
+        data_bytes += bytearray([function_id, len(parameters)])
+        for typ, param in parameters:
+            if typ == 'int' or typ == 'exp':
+                i = int(param)
+                data_bytes += 'I' if typ == 'int' else 'E'
+                self.align_32bit(data_bytes)
+                data_bytes += self.int32_to_big_endian_bytes(i)
+            elif typ == 'char*':
+                param = param.strip('"')
+                i = len(param) + 1  # + 1 for null termination
+                data_bytes += 'S'
+                self.align_32bit(data_bytes)
+                data_bytes += self.int32_to_big_endian_bytes(i)
+                data_bytes += bytearray(list(param))
+                data_bytes += '\0'   # Null terminate
+            elif typ == 'hex':
+                binary_data = self.hex_str_bytes(param)
+                data_bytes += 'H'
+                self.align_32bit(data_bytes)
+                i = len(binary_data)
+                data_bytes += self.int32_to_big_endian_bytes(i)
+                data_bytes += binary_data
+        length = self.int32_to_big_endian_bytes(len(data_bytes))
+        return data_bytes, length
+
+    def run_next_test(self):
+        """
+        Fetch next test information and execute the test.
+
+        """
+        self.test_index += 1
+        self.dep_index = 0
+        if self.test_index < len(self.tests):
+            name, function_id, dependencies, args = self.tests[self.test_index]
+            self.run_test(name, function_id, dependencies, args)
+        else:
+            self.notify_complete(self.suite_passed)
+
+    def run_test(self, name, function_id, dependencies, args):
+        """
+        Execute the test on target by sending next test information.
+
+        :param name: Test name
+        :param function_id: function identifier
+        :param dependencies: Dependencies list
+        :param args: test parameters
+        :return:
+        """
+        self.log("Running: %s" % name)
+
+        param_bytes, length = self.test_vector_to_bytes(function_id,
+                                                        dependencies, args)
+        self.send_kv(length, param_bytes)
+
+    @staticmethod
+    def get_result(value):
+        """
+        Converts result from string type to integer
+        :param value: Result code in string
+        :return: Integer result code. Value is from the test status
+                 constants defined under the MbedTlsTest class.
+        """
+        try:
+            return int(value)
+        except ValueError:
+            ValueError("Result should return error number. "
+                       "Instead received %s" % value)
+
+    @event_callback('GO')
+    def on_go(self, _key, _value, _timestamp):
+        """
+        Sent by the target to start first test.
+
+        :param _key: Event key
+        :param _value: Value. ignored
+        :param _timestamp: Timestamp ignored.
+        :return:
+        """
+        self.run_next_test()
+
+    @event_callback("R")
+    def on_result(self, _key, value, _timestamp):
+        """
+        Handle result. Prints test start, finish required by Greentea
+        to detect test execution.
+
+        :param _key: Event key
+        :param value: Value. ignored
+        :param _timestamp: Timestamp ignored.
+        :return:
+        """
+        int_val = self.get_result(value)
+        name, _, _, _ = self.tests[self.test_index]
+        self.log('{{__testcase_start;%s}}' % name)
+        self.log('{{__testcase_finish;%s;%d;%d}}' % (name, int_val == 0,
+                                                     int_val != 0))
+        if int_val != 0:
+            self.suite_passed = False
+        self.run_next_test()
+
+    @event_callback("F")
+    def on_failure(self, _key, value, _timestamp):
+        """
+        Handles test execution failure. That means dependency not supported or
+        Test function not supported. Hence marking test as skipped.
+
+        :param _key: Event key
+        :param value: Value. ignored
+        :param _timestamp: Timestamp ignored.
+        :return:
+        """
+        int_val = self.get_result(value)
+        if int_val in self.error_str:
+            err = self.error_str[int_val]
+        else:
+            err = 'Unknown error'
+        # For skip status, do not write {{__testcase_finish;...}}
+        self.log("Error: %s" % err)
+        self.run_next_test()
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/test-ref-configs.pl b/3rdparty/mbedtls/mbedtls/tests/scripts/test-ref-configs.pl
index e1d2184ce1..80d5f38751 100755
--- a/3rdparty/mbedtls/mbedtls/tests/scripts/test-ref-configs.pl
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/test-ref-configs.pl
@@ -23,8 +23,6 @@
     'config-suite-b.h' => {
         'compat' => "-m tls1_2 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS",
     },
-    'config-picocoin.h' => {
-    },
     'config-ccm-psk-tls1_2.h' => {
         'compat' => '-m tls1_2 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'',
     },
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/test_generate_test_code.py b/3rdparty/mbedtls/mbedtls/tests/scripts/test_generate_test_code.py
new file mode 100755
index 0000000000..6d7113e18b
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/test_generate_test_code.py
@@ -0,0 +1,1755 @@
+#!/usr/bin/env python3
+# Unit test for generate_test_code.py
+#
+# Copyright (C) 2018, Arm Limited, All Rights Reserved
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This file is part of Mbed TLS (https://tls.mbed.org)
+
+"""
+Unit tests for generate_test_code.py
+"""
+
+# pylint: disable=wrong-import-order
+try:
+    # Python 2
+    from StringIO import StringIO
+except ImportError:
+    # Python 3
+    from io import StringIO
+from unittest import TestCase, main as unittest_main
+try:
+    # Python 2
+    from mock import patch
+except ImportError:
+    # Python 3
+    from unittest.mock import patch
+# pylint: enable=wrong-import-order
+from generate_test_code import gen_dependencies, gen_dependencies_one_line
+from generate_test_code import gen_function_wrapper, gen_dispatch
+from generate_test_code import parse_until_pattern, GeneratorInputError
+from generate_test_code import parse_suite_dependencies
+from generate_test_code import parse_function_dependencies
+from generate_test_code import parse_function_arguments, parse_function_code
+from generate_test_code import parse_functions, END_HEADER_REGEX
+from generate_test_code import END_SUITE_HELPERS_REGEX, escaped_split
+from generate_test_code import parse_test_data, gen_dep_check
+from generate_test_code import gen_expression_check, write_dependencies
+from generate_test_code import write_parameters, gen_suite_dep_checks
+from generate_test_code import gen_from_test_data
+
+
+class GenDep(TestCase):
+    """
+    Test suite for function gen_dep()
+    """
+
+    def test_dependencies_list(self):
+        """
+        Test that gen_dep() correctly creates dependencies for given
+        dependency list.
+        :return:
+        """
+        dependencies = ['DEP1', 'DEP2']
+        dep_start, dep_end = gen_dependencies(dependencies)
+        preprocessor1, preprocessor2 = dep_start.splitlines()
+        endif1, endif2 = dep_end.splitlines()
+        self.assertEqual(preprocessor1, '#if defined(DEP1)',
+                         'Preprocessor generated incorrectly')
+        self.assertEqual(preprocessor2, '#if defined(DEP2)',
+                         'Preprocessor generated incorrectly')
+        self.assertEqual(endif1, '#endif /* DEP2 */',
+                         'Preprocessor generated incorrectly')
+        self.assertEqual(endif2, '#endif /* DEP1 */',
+                         'Preprocessor generated incorrectly')
+
+    def test_disabled_dependencies_list(self):
+        """
+        Test that gen_dep() correctly creates dependencies for given
+        dependency list.
+        :return:
+        """
+        dependencies = ['!DEP1', '!DEP2']
+        dep_start, dep_end = gen_dependencies(dependencies)
+        preprocessor1, preprocessor2 = dep_start.splitlines()
+        endif1, endif2 = dep_end.splitlines()
+        self.assertEqual(preprocessor1, '#if !defined(DEP1)',
+                         'Preprocessor generated incorrectly')
+        self.assertEqual(preprocessor2, '#if !defined(DEP2)',
+                         'Preprocessor generated incorrectly')
+        self.assertEqual(endif1, '#endif /* !DEP2 */',
+                         'Preprocessor generated incorrectly')
+        self.assertEqual(endif2, '#endif /* !DEP1 */',
+                         'Preprocessor generated incorrectly')
+
+    def test_mixed_dependencies_list(self):
+        """
+        Test that gen_dep() correctly creates dependencies for given
+        dependency list.
+        :return:
+        """
+        dependencies = ['!DEP1', 'DEP2']
+        dep_start, dep_end = gen_dependencies(dependencies)
+        preprocessor1, preprocessor2 = dep_start.splitlines()
+        endif1, endif2 = dep_end.splitlines()
+        self.assertEqual(preprocessor1, '#if !defined(DEP1)',
+                         'Preprocessor generated incorrectly')
+        self.assertEqual(preprocessor2, '#if defined(DEP2)',
+                         'Preprocessor generated incorrectly')
+        self.assertEqual(endif1, '#endif /* DEP2 */',
+                         'Preprocessor generated incorrectly')
+        self.assertEqual(endif2, '#endif /* !DEP1 */',
+                         'Preprocessor generated incorrectly')
+
+    def test_empty_dependencies_list(self):
+        """
+        Test that gen_dep() correctly creates dependencies for given
+        dependency list.
+        :return:
+        """
+        dependencies = []
+        dep_start, dep_end = gen_dependencies(dependencies)
+        self.assertEqual(dep_start, '', 'Preprocessor generated incorrectly')
+        self.assertEqual(dep_end, '', 'Preprocessor generated incorrectly')
+
+    def test_large_dependencies_list(self):
+        """
+        Test that gen_dep() correctly creates dependencies for given
+        dependency list.
+        :return:
+        """
+        dependencies = []
+        count = 10
+        for i in range(count):
+            dependencies.append('DEP%d' % i)
+        dep_start, dep_end = gen_dependencies(dependencies)
+        self.assertEqual(len(dep_start.splitlines()), count,
+                         'Preprocessor generated incorrectly')
+        self.assertEqual(len(dep_end.splitlines()), count,
+                         'Preprocessor generated incorrectly')
+
+
+class GenDepOneLine(TestCase):
+    """
+    Test Suite for testing gen_dependencies_one_line()
+    """
+
+    def test_dependencies_list(self):
+        """
+        Test that gen_dep() correctly creates dependencies for given
+        dependency list.
+        :return:
+        """
+        dependencies = ['DEP1', 'DEP2']
+        dep_str = gen_dependencies_one_line(dependencies)
+        self.assertEqual(dep_str, '#if defined(DEP1) && defined(DEP2)',
+                         'Preprocessor generated incorrectly')
+
+    def test_disabled_dependencies_list(self):
+        """
+        Test that gen_dep() correctly creates dependencies for given
+        dependency list.
+        :return:
+        """
+        dependencies = ['!DEP1', '!DEP2']
+        dep_str = gen_dependencies_one_line(dependencies)
+        self.assertEqual(dep_str, '#if !defined(DEP1) && !defined(DEP2)',
+                         'Preprocessor generated incorrectly')
+
+    def test_mixed_dependencies_list(self):
+        """
+        Test that gen_dep() correctly creates dependencies for given
+        dependency list.
+        :return:
+        """
+        dependencies = ['!DEP1', 'DEP2']
+        dep_str = gen_dependencies_one_line(dependencies)
+        self.assertEqual(dep_str, '#if !defined(DEP1) && defined(DEP2)',
+                         'Preprocessor generated incorrectly')
+
+    def test_empty_dependencies_list(self):
+        """
+        Test that gen_dep() correctly creates dependencies for given
+        dependency list.
+        :return:
+        """
+        dependencies = []
+        dep_str = gen_dependencies_one_line(dependencies)
+        self.assertEqual(dep_str, '', 'Preprocessor generated incorrectly')
+
+    def test_large_dependencies_list(self):
+        """
+        Test that gen_dep() correctly creates dependencies for given
+        dependency list.
+        :return:
+        """
+        dependencies = []
+        count = 10
+        for i in range(count):
+            dependencies.append('DEP%d' % i)
+        dep_str = gen_dependencies_one_line(dependencies)
+        expected = '#if ' + ' && '.join(['defined(%s)' %
+                                         x for x in dependencies])
+        self.assertEqual(dep_str, expected,
+                         'Preprocessor generated incorrectly')
+
+
+class GenFunctionWrapper(TestCase):
+    """
+    Test Suite for testing gen_function_wrapper()
+    """
+
+    def test_params_unpack(self):
+        """
+        Test that params are properly unpacked in the function call.
+
+        :return:
+        """
+        code = gen_function_wrapper('test_a', '', ('a', 'b', 'c', 'd'))
+        expected = '''
+void test_a_wrapper( void ** params )
+{
+
+    test_a( a, b, c, d );
+}
+'''
+        self.assertEqual(code, expected)
+
+    def test_local(self):
+        """
+        Test that params are properly unpacked in the function call.
+
+        :return:
+        """
+        code = gen_function_wrapper('test_a',
+                                    'int x = 1;', ('x', 'b', 'c', 'd'))
+        expected = '''
+void test_a_wrapper( void ** params )
+{
+int x = 1;
+    test_a( x, b, c, d );
+}
+'''
+        self.assertEqual(code, expected)
+
+    def test_empty_params(self):
+        """
+        Test that params are properly unpacked in the function call.
+
+        :return:
+        """
+        code = gen_function_wrapper('test_a', '', ())
+        expected = '''
+void test_a_wrapper( void ** params )
+{
+    (void)params;
+
+    test_a(  );
+}
+'''
+        self.assertEqual(code, expected)
+
+
+class GenDispatch(TestCase):
+    """
+    Test suite for testing gen_dispatch()
+    """
+
+    def test_dispatch(self):
+        """
+        Test that dispatch table entry is generated correctly.
+        :return:
+        """
+        code = gen_dispatch('test_a', ['DEP1', 'DEP2'])
+        expected = '''
+#if defined(DEP1) && defined(DEP2)
+    test_a_wrapper,
+#else
+    NULL,
+#endif
+'''
+        self.assertEqual(code, expected)
+
+    def test_empty_dependencies(self):
+        """
+        Test empty dependency list.
+        :return:
+        """
+        code = gen_dispatch('test_a', [])
+        expected = '''
+    test_a_wrapper,
+'''
+        self.assertEqual(code, expected)
+
+
+class StringIOWrapper(StringIO, object):
+    """
+    file like class to mock file object in tests.
+    """
+    def __init__(self, file_name, data, line_no=0):
+        """
+        Init file handle.
+
+        :param file_name:
+        :param data:
+        :param line_no:
+        """
+        super(StringIOWrapper, self).__init__(data)
+        self.line_no = line_no
+        self.name = file_name
+
+    def next(self):
+        """
+        Iterator method. This method overrides base class's
+        next method and extends the next method to count the line
+        numbers as each line is read.
+
+        :return: Line read from file.
+        """
+        parent = super(StringIOWrapper, self)
+        if getattr(parent, 'next', None):
+            # Python 2
+            line = parent.next()
+        else:
+            # Python 3
+            line = parent.__next__()
+        return line
+
+    # Python 3
+    __next__ = next
+
+    def readline(self, length=0):
+        """
+        Wrap the base class readline.
+
+        :param length:
+        :return:
+        """
+        # pylint: disable=unused-argument
+        line = super(StringIOWrapper, self).readline()
+        if line is not None:
+            self.line_no += 1
+        return line
+
+
+class ParseUntilPattern(TestCase):
+    """
+    Test Suite for testing parse_until_pattern().
+    """
+
+    def test_suite_headers(self):
+        """
+        Test that suite headers are parsed correctly.
+
+        :return:
+        """
+        data = '''#include "mbedtls/ecp.h"
+
+#define ECP_PF_UNKNOWN     -1
+/* END_HEADER */
+'''
+        expected = '''#line 1 "test_suite_ut.function"
+#include "mbedtls/ecp.h"
+
+#define ECP_PF_UNKNOWN     -1
+'''
+        stream = StringIOWrapper('test_suite_ut.function', data, line_no=0)
+        headers = parse_until_pattern(stream, END_HEADER_REGEX)
+        self.assertEqual(headers, expected)
+
+    def test_line_no(self):
+        """
+        Test that #line is set to correct line no. in source .function file.
+
+        :return:
+        """
+        data = '''#include "mbedtls/ecp.h"
+
+#define ECP_PF_UNKNOWN     -1
+/* END_HEADER */
+'''
+        offset_line_no = 5
+        expected = '''#line %d "test_suite_ut.function"
+#include "mbedtls/ecp.h"
+
+#define ECP_PF_UNKNOWN     -1
+''' % (offset_line_no + 1)
+        stream = StringIOWrapper('test_suite_ut.function', data,
+                                 offset_line_no)
+        headers = parse_until_pattern(stream, END_HEADER_REGEX)
+        self.assertEqual(headers, expected)
+
+    def test_no_end_header_comment(self):
+        """
+        Test that InvalidFileFormat is raised when end header comment is
+        missing.
+        :return:
+        """
+        data = '''#include "mbedtls/ecp.h"
+
+#define ECP_PF_UNKNOWN     -1
+
+'''
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        self.assertRaises(GeneratorInputError, parse_until_pattern, stream,
+                          END_HEADER_REGEX)
+
+
+class ParseSuiteDependencies(TestCase):
+    """
+    Test Suite for testing parse_suite_dependencies().
+    """
+
+    def test_suite_dependencies(self):
+        """
+
+        :return:
+        """
+        data = '''
+ * depends_on:MBEDTLS_ECP_C
+ * END_DEPENDENCIES
+ */
+'''
+        expected = ['MBEDTLS_ECP_C']
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        dependencies = parse_suite_dependencies(stream)
+        self.assertEqual(dependencies, expected)
+
+    def test_no_end_dep_comment(self):
+        """
+        Test that InvalidFileFormat is raised when end dep comment is missing.
+        :return:
+        """
+        data = '''
+* depends_on:MBEDTLS_ECP_C
+'''
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        self.assertRaises(GeneratorInputError, parse_suite_dependencies,
+                          stream)
+
+    def test_dependencies_split(self):
+        """
+        Test that InvalidFileFormat is raised when end dep comment is missing.
+        :return:
+        """
+        data = '''
+ * depends_on:MBEDTLS_ECP_C:A:B:   C  : D :F : G: !H
+ * END_DEPENDENCIES
+ */
+'''
+        expected = ['MBEDTLS_ECP_C', 'A', 'B', 'C', 'D', 'F', 'G', '!H']
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        dependencies = parse_suite_dependencies(stream)
+        self.assertEqual(dependencies, expected)
+
+
+class ParseFuncDependencies(TestCase):
+    """
+    Test Suite for testing parse_function_dependencies()
+    """
+
+    def test_function_dependencies(self):
+        """
+        Test that parse_function_dependencies() correctly parses function
+        dependencies.
+        :return:
+        """
+        line = '/* BEGIN_CASE ' \
+               'depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */'
+        expected = ['MBEDTLS_ENTROPY_NV_SEED', 'MBEDTLS_FS_IO']
+        dependencies = parse_function_dependencies(line)
+        self.assertEqual(dependencies, expected)
+
+    def test_no_dependencies(self):
+        """
+        Test that parse_function_dependencies() correctly parses function
+        dependencies.
+        :return:
+        """
+        line = '/* BEGIN_CASE */'
+        dependencies = parse_function_dependencies(line)
+        self.assertEqual(dependencies, [])
+
+    def test_tolerance(self):
+        """
+        Test that parse_function_dependencies() correctly parses function
+        dependencies.
+        :return:
+        """
+        line = '/* BEGIN_CASE depends_on:MBEDTLS_FS_IO: A : !B:C : F*/'
+        dependencies = parse_function_dependencies(line)
+        self.assertEqual(dependencies, ['MBEDTLS_FS_IO', 'A', '!B', 'C', 'F'])
+
+
+class ParseFuncSignature(TestCase):
+    """
+    Test Suite for parse_function_arguments().
+    """
+
+    def test_int_and_char_params(self):
+        """
+        Test int and char parameters parsing
+        :return:
+        """
+        line = 'void entropy_threshold( char * a, int b, int result )'
+        args, local, arg_dispatch = parse_function_arguments(line)
+        self.assertEqual(args, ['char*', 'int', 'int'])
+        self.assertEqual(local, '')
+        self.assertEqual(arg_dispatch, ['(char *) params[0]',
+                                        '*( (int *) params[1] )',
+                                        '*( (int *) params[2] )'])
+
+    def test_hex_params(self):
+        """
+        Test hex parameters parsing
+        :return:
+        """
+        line = 'void entropy_threshold( char * a, data_t * h, int result )'
+        args, local, arg_dispatch = parse_function_arguments(line)
+        self.assertEqual(args, ['char*', 'hex', 'int'])
+        self.assertEqual(local,
+                         '    data_t data1 = {(uint8_t *) params[1], '
+                         '*( (uint32_t *) params[2] )};\n')
+        self.assertEqual(arg_dispatch, ['(char *) params[0]',
+                                        '&data1',
+                                        '*( (int *) params[3] )'])
+
+    def test_unsupported_arg(self):
+        """
+        Test unsupported arguments (not among int, char * and data_t)
+        :return:
+        """
+        line = 'void entropy_threshold( char * a, data_t * h, char result )'
+        self.assertRaises(ValueError, parse_function_arguments, line)
+
+    def test_no_params(self):
+        """
+        Test no parameters.
+        :return:
+        """
+        line = 'void entropy_threshold()'
+        args, local, arg_dispatch = parse_function_arguments(line)
+        self.assertEqual(args, [])
+        self.assertEqual(local, '')
+        self.assertEqual(arg_dispatch, [])
+
+
+class ParseFunctionCode(TestCase):
+    """
+    Test suite for testing parse_function_code()
+    """
+
+    def assert_raises_regex(self, exp, regex, func, *args):
+        """
+        Python 2 & 3 portable wrapper of assertRaisesRegex(p)? function.
+
+        :param exp: Exception type expected to be raised by cb.
+        :param regex: Expected exception message
+        :param func: callable object under test
+        :param args: variable positional arguments
+        """
+        parent = super(ParseFunctionCode, self)
+
+        # Pylint does not appreciate that the super method called
+        # conditionally can be available in other Python version
+        # then that of Pylint.
+        # Workaround is to call the method via getattr.
+        # Pylint ignores that the method got via getattr is
+        # conditionally executed. Method has to be a callable.
+        # Hence, using a dummy callable for getattr default.
+        dummy = lambda *x: None
+        # First Python 3 assertRaisesRegex is checked, since Python 2
+        # assertRaisesRegexp is also available in Python 3 but is
+        # marked deprecated.
+        for name in ('assertRaisesRegex', 'assertRaisesRegexp'):
+            method = getattr(parent, name, dummy)
+            if method is not dummy:
+                method(exp, regex, func, *args)
+                break
+        else:
+            raise AttributeError(" 'ParseFunctionCode' object has no attribute"
+                                 " 'assertRaisesRegex' or 'assertRaisesRegexp'"
+                                )
+
+    def test_no_function(self):
+        """
+        Test no test function found.
+        :return:
+        """
+        data = '''
+No
+test
+function
+'''
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        err_msg = 'file: test_suite_ut.function - Test functions not found!'
+        self.assert_raises_regex(GeneratorInputError, err_msg,
+                                 parse_function_code, stream, [], [])
+
+    def test_no_end_case_comment(self):
+        """
+        Test missing end case.
+        :return:
+        """
+        data = '''
+void test_func()
+{
+}
+'''
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        err_msg = r'file: test_suite_ut.function - '\
+                  'end case pattern .*? not found!'
+        self.assert_raises_regex(GeneratorInputError, err_msg,
+                                 parse_function_code, stream, [], [])
+
+    @patch("generate_test_code.parse_function_arguments")
+    def test_function_called(self,
+                             parse_function_arguments_mock):
+        """
+        Test parse_function_code()
+        :return:
+        """
+        parse_function_arguments_mock.return_value = ([], '', [])
+        data = '''
+void test_func()
+{
+}
+'''
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        self.assertRaises(GeneratorInputError, parse_function_code,
+                          stream, [], [])
+        self.assertTrue(parse_function_arguments_mock.called)
+        parse_function_arguments_mock.assert_called_with('void test_func()\n')
+
+    @patch("generate_test_code.gen_dispatch")
+    @patch("generate_test_code.gen_dependencies")
+    @patch("generate_test_code.gen_function_wrapper")
+    @patch("generate_test_code.parse_function_arguments")
+    def test_return(self, parse_function_arguments_mock,
+                    gen_function_wrapper_mock,
+                    gen_dependencies_mock,
+                    gen_dispatch_mock):
+        """
+        Test generated code.
+        :return:
+        """
+        parse_function_arguments_mock.return_value = ([], '', [])
+        gen_function_wrapper_mock.return_value = ''
+        gen_dependencies_mock.side_effect = gen_dependencies
+        gen_dispatch_mock.side_effect = gen_dispatch
+        data = '''
+void func()
+{
+    ba ba black sheep
+    have you any wool
+}
+/* END_CASE */
+'''
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        name, arg, code, dispatch_code = parse_function_code(stream, [], [])
+
+        self.assertTrue(parse_function_arguments_mock.called)
+        parse_function_arguments_mock.assert_called_with('void func()\n')
+        gen_function_wrapper_mock.assert_called_with('test_func', '', [])
+        self.assertEqual(name, 'test_func')
+        self.assertEqual(arg, [])
+        expected = '''#line 1 "test_suite_ut.function"
+
+void test_func()
+{
+    ba ba black sheep
+    have you any wool
+exit:
+    ;
+}
+'''
+        self.assertEqual(code, expected)
+        self.assertEqual(dispatch_code, "\n    test_func_wrapper,\n")
+
+    @patch("generate_test_code.gen_dispatch")
+    @patch("generate_test_code.gen_dependencies")
+    @patch("generate_test_code.gen_function_wrapper")
+    @patch("generate_test_code.parse_function_arguments")
+    def test_with_exit_label(self, parse_function_arguments_mock,
+                             gen_function_wrapper_mock,
+                             gen_dependencies_mock,
+                             gen_dispatch_mock):
+        """
+        Test when exit label is present.
+        :return:
+        """
+        parse_function_arguments_mock.return_value = ([], '', [])
+        gen_function_wrapper_mock.return_value = ''
+        gen_dependencies_mock.side_effect = gen_dependencies
+        gen_dispatch_mock.side_effect = gen_dispatch
+        data = '''
+void func()
+{
+    ba ba black sheep
+    have you any wool
+exit:
+    yes sir yes sir
+    3 bags full
+}
+/* END_CASE */
+'''
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        _, _, code, _ = parse_function_code(stream, [], [])
+
+        expected = '''#line 1 "test_suite_ut.function"
+
+void test_func()
+{
+    ba ba black sheep
+    have you any wool
+exit:
+    yes sir yes sir
+    3 bags full
+}
+'''
+        self.assertEqual(code, expected)
+
+    def test_non_void_function(self):
+        """
+        Test invalid signature (non void).
+        :return:
+        """
+        data = 'int entropy_threshold( char * a, data_t * h, int result )'
+        err_msg = 'file: test_suite_ut.function - Test functions not found!'
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        self.assert_raises_regex(GeneratorInputError, err_msg,
+                                 parse_function_code, stream, [], [])
+
+    @patch("generate_test_code.gen_dispatch")
+    @patch("generate_test_code.gen_dependencies")
+    @patch("generate_test_code.gen_function_wrapper")
+    @patch("generate_test_code.parse_function_arguments")
+    def test_functio_name_on_newline(self, parse_function_arguments_mock,
+                                     gen_function_wrapper_mock,
+                                     gen_dependencies_mock,
+                                     gen_dispatch_mock):
+        """
+        Test when exit label is present.
+        :return:
+        """
+        parse_function_arguments_mock.return_value = ([], '', [])
+        gen_function_wrapper_mock.return_value = ''
+        gen_dependencies_mock.side_effect = gen_dependencies
+        gen_dispatch_mock.side_effect = gen_dispatch
+        data = '''
+void
+
+
+func()
+{
+    ba ba black sheep
+    have you any wool
+exit:
+    yes sir yes sir
+    3 bags full
+}
+/* END_CASE */
+'''
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        _, _, code, _ = parse_function_code(stream, [], [])
+
+        expected = '''#line 1 "test_suite_ut.function"
+
+void
+
+
+test_func()
+{
+    ba ba black sheep
+    have you any wool
+exit:
+    yes sir yes sir
+    3 bags full
+}
+'''
+        self.assertEqual(code, expected)
+
+
+class ParseFunction(TestCase):
+    """
+    Test Suite for testing parse_functions()
+    """
+
+    @patch("generate_test_code.parse_until_pattern")
+    def test_begin_header(self, parse_until_pattern_mock):
+        """
+        Test that begin header is checked and parse_until_pattern() is called.
+        :return:
+        """
+        def stop(*_unused):
+            """Stop when parse_until_pattern is called."""
+            raise Exception
+        parse_until_pattern_mock.side_effect = stop
+        data = '''/* BEGIN_HEADER */
+#include "mbedtls/ecp.h"
+
+#define ECP_PF_UNKNOWN     -1
+/* END_HEADER */
+'''
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        self.assertRaises(Exception, parse_functions, stream)
+        parse_until_pattern_mock.assert_called_with(stream, END_HEADER_REGEX)
+        self.assertEqual(stream.line_no, 1)
+
+    @patch("generate_test_code.parse_until_pattern")
+    def test_begin_helper(self, parse_until_pattern_mock):
+        """
+        Test that begin helper is checked and parse_until_pattern() is called.
+        :return:
+        """
+        def stop(*_unused):
+            """Stop when parse_until_pattern is called."""
+            raise Exception
+        parse_until_pattern_mock.side_effect = stop
+        data = '''/* BEGIN_SUITE_HELPERS */
+void print_hello_world()
+{
+    printf("Hello World!\n");
+}
+/* END_SUITE_HELPERS */
+'''
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        self.assertRaises(Exception, parse_functions, stream)
+        parse_until_pattern_mock.assert_called_with(stream,
+                                                    END_SUITE_HELPERS_REGEX)
+        self.assertEqual(stream.line_no, 1)
+
+    @patch("generate_test_code.parse_suite_dependencies")
+    def test_begin_dep(self, parse_suite_dependencies_mock):
+        """
+        Test that begin dep is checked and parse_suite_dependencies() is
+        called.
+        :return:
+        """
+        def stop(*_unused):
+            """Stop when parse_until_pattern is called."""
+            raise Exception
+        parse_suite_dependencies_mock.side_effect = stop
+        data = '''/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_ECP_C
+ * END_DEPENDENCIES
+ */
+'''
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        self.assertRaises(Exception, parse_functions, stream)
+        parse_suite_dependencies_mock.assert_called_with(stream)
+        self.assertEqual(stream.line_no, 1)
+
+    @patch("generate_test_code.parse_function_dependencies")
+    def test_begin_function_dep(self, func_mock):
+        """
+        Test that begin dep is checked and parse_function_dependencies() is
+        called.
+        :return:
+        """
+        def stop(*_unused):
+            """Stop when parse_until_pattern is called."""
+            raise Exception
+        func_mock.side_effect = stop
+
+        dependencies_str = '/* BEGIN_CASE ' \
+            'depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */\n'
+        data = '''%svoid test_func()
+{
+}
+''' % dependencies_str
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        self.assertRaises(Exception, parse_functions, stream)
+        func_mock.assert_called_with(dependencies_str)
+        self.assertEqual(stream.line_no, 1)
+
+    @patch("generate_test_code.parse_function_code")
+    @patch("generate_test_code.parse_function_dependencies")
+    def test_return(self, func_mock1, func_mock2):
+        """
+        Test that begin case is checked and parse_function_code() is called.
+        :return:
+        """
+        func_mock1.return_value = []
+        in_func_code = '''void test_func()
+{
+}
+'''
+        func_dispatch = '''
+    test_func_wrapper,
+'''
+        func_mock2.return_value = 'test_func', [],\
+            in_func_code, func_dispatch
+        dependencies_str = '/* BEGIN_CASE ' \
+            'depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */\n'
+        data = '''%svoid test_func()
+{
+}
+''' % dependencies_str
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        suite_dependencies, dispatch_code, func_code, func_info = \
+            parse_functions(stream)
+        func_mock1.assert_called_with(dependencies_str)
+        func_mock2.assert_called_with(stream, [], [])
+        self.assertEqual(stream.line_no, 5)
+        self.assertEqual(suite_dependencies, [])
+        expected_dispatch_code = '''/* Function Id: 0 */
+
+    test_func_wrapper,
+'''
+        self.assertEqual(dispatch_code, expected_dispatch_code)
+        self.assertEqual(func_code, in_func_code)
+        self.assertEqual(func_info, {'test_func': (0, [])})
+
+    def test_parsing(self):
+        """
+        Test case parsing.
+        :return:
+        """
+        data = '''/* BEGIN_HEADER */
+#include "mbedtls/ecp.h"
+
+#define ECP_PF_UNKNOWN     -1
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_ECP_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */
+void func1()
+{
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */
+void func2()
+{
+}
+/* END_CASE */
+'''
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        suite_dependencies, dispatch_code, func_code, func_info = \
+            parse_functions(stream)
+        self.assertEqual(stream.line_no, 23)
+        self.assertEqual(suite_dependencies, ['MBEDTLS_ECP_C'])
+
+        expected_dispatch_code = '''/* Function Id: 0 */
+
+#if defined(MBEDTLS_ECP_C) && defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_FS_IO)
+    test_func1_wrapper,
+#else
+    NULL,
+#endif
+/* Function Id: 1 */
+
+#if defined(MBEDTLS_ECP_C) && defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_FS_IO)
+    test_func2_wrapper,
+#else
+    NULL,
+#endif
+'''
+        self.assertEqual(dispatch_code, expected_dispatch_code)
+        expected_func_code = '''#if defined(MBEDTLS_ECP_C)
+#line 2 "test_suite_ut.function"
+#include "mbedtls/ecp.h"
+
+#define ECP_PF_UNKNOWN     -1
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#if defined(MBEDTLS_FS_IO)
+#line 13 "test_suite_ut.function"
+void test_func1()
+{
+exit:
+    ;
+}
+
+void test_func1_wrapper( void ** params )
+{
+    (void)params;
+
+    test_func1(  );
+}
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#if defined(MBEDTLS_FS_IO)
+#line 19 "test_suite_ut.function"
+void test_func2()
+{
+exit:
+    ;
+}
+
+void test_func2_wrapper( void ** params )
+{
+    (void)params;
+
+    test_func2(  );
+}
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+#endif /* MBEDTLS_ECP_C */
+'''
+        self.assertEqual(func_code, expected_func_code)
+        self.assertEqual(func_info, {'test_func1': (0, []),
+                                     'test_func2': (1, [])})
+
+    def test_same_function_name(self):
+        """
+        Test name conflict.
+        :return:
+        """
+        data = '''/* BEGIN_HEADER */
+#include "mbedtls/ecp.h"
+
+#define ECP_PF_UNKNOWN     -1
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_ECP_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */
+void func()
+{
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */
+void func()
+{
+}
+/* END_CASE */
+'''
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        self.assertRaises(GeneratorInputError, parse_functions, stream)
+
+
+class EscapedSplit(TestCase):
+    """
+    Test suite for testing escaped_split().
+    Note: Since escaped_split() output is used to write back to the
+    intermediate data file. Any escape characters in the input are
+    retained in the output.
+    """
+
+    def test_invalid_input(self):
+        """
+        Test when input split character is not a character.
+        :return:
+        """
+        self.assertRaises(ValueError, escaped_split, '', 'string')
+
+    def test_empty_string(self):
+        """
+        Test empty string input.
+        :return:
+        """
+        splits = escaped_split('', ':')
+        self.assertEqual(splits, [])
+
+    def test_no_escape(self):
+        """
+        Test with no escape character. The behaviour should be same as
+        str.split()
+        :return:
+        """
+        test_str = 'yahoo:google'
+        splits = escaped_split(test_str, ':')
+        self.assertEqual(splits, test_str.split(':'))
+
+    def test_escaped_input(self):
+        """
+        Test input that has escaped delimiter.
+        :return:
+        """
+        test_str = r'yahoo\:google:facebook'
+        splits = escaped_split(test_str, ':')
+        self.assertEqual(splits, [r'yahoo\:google', 'facebook'])
+
+    def test_escaped_escape(self):
+        """
+        Test input that has escaped delimiter.
+        :return:
+        """
+        test_str = r'yahoo\\:google:facebook'
+        splits = escaped_split(test_str, ':')
+        self.assertEqual(splits, [r'yahoo\\', 'google', 'facebook'])
+
+    def test_all_at_once(self):
+        """
+        Test input that has escaped delimiter.
+        :return:
+        """
+        test_str = r'yahoo\\:google:facebook\:instagram\\:bbc\\:wikipedia'
+        splits = escaped_split(test_str, ':')
+        self.assertEqual(splits, [r'yahoo\\', r'google',
+                                  r'facebook\:instagram\\',
+                                  r'bbc\\', r'wikipedia'])
+
+
+class ParseTestData(TestCase):
+    """
+    Test suite for parse test data.
+    """
+
+    def test_parser(self):
+        """
+        Test that tests are parsed correctly from data file.
+        :return:
+        """
+        data = """
+Diffie-Hellman full exchange #1
+dhm_do_dhm:10:"23":10:"5"
+
+Diffie-Hellman full exchange #2
+dhm_do_dhm:10:"93450983094850938450983409623":10:"9345098304850938450983409622"
+
+Diffie-Hellman full exchange #3
+dhm_do_dhm:10:"9345098382739712938719287391879381271":10:"9345098792137312973297123912791271"
+
+Diffie-Hellman selftest
+dhm_selftest:
+"""
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        tests = [(name, test_function, dependencies, args)
+                 for name, test_function, dependencies, args in
+                 parse_test_data(stream)]
+        test1, test2, test3, test4 = tests
+        self.assertEqual(test1[0], 'Diffie-Hellman full exchange #1')
+        self.assertEqual(test1[1], 'dhm_do_dhm')
+        self.assertEqual(test1[2], [])
+        self.assertEqual(test1[3], ['10', '"23"', '10', '"5"'])
+
+        self.assertEqual(test2[0], 'Diffie-Hellman full exchange #2')
+        self.assertEqual(test2[1], 'dhm_do_dhm')
+        self.assertEqual(test2[2], [])
+        self.assertEqual(test2[3], ['10', '"93450983094850938450983409623"',
+                                    '10', '"9345098304850938450983409622"'])
+
+        self.assertEqual(test3[0], 'Diffie-Hellman full exchange #3')
+        self.assertEqual(test3[1], 'dhm_do_dhm')
+        self.assertEqual(test3[2], [])
+        self.assertEqual(test3[3], ['10',
+                                    '"9345098382739712938719287391879381271"',
+                                    '10',
+                                    '"9345098792137312973297123912791271"'])
+
+        self.assertEqual(test4[0], 'Diffie-Hellman selftest')
+        self.assertEqual(test4[1], 'dhm_selftest')
+        self.assertEqual(test4[2], [])
+        self.assertEqual(test4[3], [])
+
+    def test_with_dependencies(self):
+        """
+        Test that tests with dependencies are parsed.
+        :return:
+        """
+        data = """
+Diffie-Hellman full exchange #1
+depends_on:YAHOO
+dhm_do_dhm:10:"23":10:"5"
+
+Diffie-Hellman full exchange #2
+dhm_do_dhm:10:"93450983094850938450983409623":10:"9345098304850938450983409622"
+
+"""
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        tests = [(name, function_name, dependencies, args)
+                 for name, function_name, dependencies, args in
+                 parse_test_data(stream)]
+        test1, test2 = tests
+        self.assertEqual(test1[0], 'Diffie-Hellman full exchange #1')
+        self.assertEqual(test1[1], 'dhm_do_dhm')
+        self.assertEqual(test1[2], ['YAHOO'])
+        self.assertEqual(test1[3], ['10', '"23"', '10', '"5"'])
+
+        self.assertEqual(test2[0], 'Diffie-Hellman full exchange #2')
+        self.assertEqual(test2[1], 'dhm_do_dhm')
+        self.assertEqual(test2[2], [])
+        self.assertEqual(test2[3], ['10', '"93450983094850938450983409623"',
+                                    '10', '"9345098304850938450983409622"'])
+
+    def test_no_args(self):
+        """
+        Test GeneratorInputError is raised when test function name and
+        args line is missing.
+        :return:
+        """
+        data = """
+Diffie-Hellman full exchange #1
+depends_on:YAHOO
+
+
+Diffie-Hellman full exchange #2
+dhm_do_dhm:10:"93450983094850938450983409623":10:"9345098304850938450983409622"
+
+"""
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        err = None
+        try:
+            for _, _, _, _ in parse_test_data(stream):
+                pass
+        except GeneratorInputError as err:
+            self.assertEqual(type(err), GeneratorInputError)
+
+    def test_incomplete_data(self):
+        """
+        Test GeneratorInputError is raised when test function name
+        and args line is missing.
+        :return:
+        """
+        data = """
+Diffie-Hellman full exchange #1
+depends_on:YAHOO
+"""
+        stream = StringIOWrapper('test_suite_ut.function', data)
+        err = None
+        try:
+            for _, _, _, _ in parse_test_data(stream):
+                pass
+        except GeneratorInputError as err:
+            self.assertEqual(type(err), GeneratorInputError)
+
+
+class GenDepCheck(TestCase):
+    """
+    Test suite for gen_dep_check(). It is assumed this function is
+    called with valid inputs.
+    """
+
+    def test_gen_dep_check(self):
+        """
+        Test that dependency check code generated correctly.
+        :return:
+        """
+        expected = """
+        case 5:
+            {
+#if defined(YAHOO)
+                ret = DEPENDENCY_SUPPORTED;
+#else
+                ret = DEPENDENCY_NOT_SUPPORTED;
+#endif
+            }
+            break;"""
+        out = gen_dep_check(5, 'YAHOO')
+        self.assertEqual(out, expected)
+
+    def test_not_defined_dependency(self):
+        """
+        Test dependency with !.
+        :return:
+        """
+        expected = """
+        case 5:
+            {
+#if !defined(YAHOO)
+                ret = DEPENDENCY_SUPPORTED;
+#else
+                ret = DEPENDENCY_NOT_SUPPORTED;
+#endif
+            }
+            break;"""
+        out = gen_dep_check(5, '!YAHOO')
+        self.assertEqual(out, expected)
+
+    def test_empty_dependency(self):
+        """
+        Test invalid dependency input.
+        :return:
+        """
+        self.assertRaises(GeneratorInputError, gen_dep_check, 5, '!')
+
+    def test_negative_dep_id(self):
+        """
+        Test invalid dependency input.
+        :return:
+        """
+        self.assertRaises(GeneratorInputError, gen_dep_check, -1, 'YAHOO')
+
+
+class GenExpCheck(TestCase):
+    """
+    Test suite for gen_expression_check(). It is assumed this function
+    is called with valid inputs.
+    """
+
+    def test_gen_exp_check(self):
+        """
+        Test that expression check code generated correctly.
+        :return:
+        """
+        expected = """
+        case 5:
+            {
+                *out_value = YAHOO;
+            }
+            break;"""
+        out = gen_expression_check(5, 'YAHOO')
+        self.assertEqual(out, expected)
+
+    def test_invalid_expression(self):
+        """
+        Test invalid expression input.
+        :return:
+        """
+        self.assertRaises(GeneratorInputError, gen_expression_check, 5, '')
+
+    def test_negative_exp_id(self):
+        """
+        Test invalid expression id.
+        :return:
+        """
+        self.assertRaises(GeneratorInputError, gen_expression_check,
+                          -1, 'YAHOO')
+
+
+class WriteDependencies(TestCase):
+    """
+    Test suite for testing write_dependencies.
+    """
+
+    def test_no_test_dependencies(self):
+        """
+        Test when test dependencies input is empty.
+        :return:
+        """
+        stream = StringIOWrapper('test_suite_ut.data', '')
+        unique_dependencies = []
+        dep_check_code = write_dependencies(stream, [], unique_dependencies)
+        self.assertEqual(dep_check_code, '')
+        self.assertEqual(len(unique_dependencies), 0)
+        self.assertEqual(stream.getvalue(), '')
+
+    def test_unique_dep_ids(self):
+        """
+
+        :return:
+        """
+        stream = StringIOWrapper('test_suite_ut.data', '')
+        unique_dependencies = []
+        dep_check_code = write_dependencies(stream, ['DEP3', 'DEP2', 'DEP1'],
+                                            unique_dependencies)
+        expect_dep_check_code = '''
+        case 0:
+            {
+#if defined(DEP3)
+                ret = DEPENDENCY_SUPPORTED;
+#else
+                ret = DEPENDENCY_NOT_SUPPORTED;
+#endif
+            }
+            break;
+        case 1:
+            {
+#if defined(DEP2)
+                ret = DEPENDENCY_SUPPORTED;
+#else
+                ret = DEPENDENCY_NOT_SUPPORTED;
+#endif
+            }
+            break;
+        case 2:
+            {
+#if defined(DEP1)
+                ret = DEPENDENCY_SUPPORTED;
+#else
+                ret = DEPENDENCY_NOT_SUPPORTED;
+#endif
+            }
+            break;'''
+        self.assertEqual(dep_check_code, expect_dep_check_code)
+        self.assertEqual(len(unique_dependencies), 3)
+        self.assertEqual(stream.getvalue(), 'depends_on:0:1:2\n')
+
+    def test_dep_id_repeat(self):
+        """
+
+        :return:
+        """
+        stream = StringIOWrapper('test_suite_ut.data', '')
+        unique_dependencies = []
+        dep_check_code = ''
+        dep_check_code += write_dependencies(stream, ['DEP3', 'DEP2'],
+                                             unique_dependencies)
+        dep_check_code += write_dependencies(stream, ['DEP2', 'DEP1'],
+                                             unique_dependencies)
+        dep_check_code += write_dependencies(stream, ['DEP1', 'DEP3'],
+                                             unique_dependencies)
+        expect_dep_check_code = '''
+        case 0:
+            {
+#if defined(DEP3)
+                ret = DEPENDENCY_SUPPORTED;
+#else
+                ret = DEPENDENCY_NOT_SUPPORTED;
+#endif
+            }
+            break;
+        case 1:
+            {
+#if defined(DEP2)
+                ret = DEPENDENCY_SUPPORTED;
+#else
+                ret = DEPENDENCY_NOT_SUPPORTED;
+#endif
+            }
+            break;
+        case 2:
+            {
+#if defined(DEP1)
+                ret = DEPENDENCY_SUPPORTED;
+#else
+                ret = DEPENDENCY_NOT_SUPPORTED;
+#endif
+            }
+            break;'''
+        self.assertEqual(dep_check_code, expect_dep_check_code)
+        self.assertEqual(len(unique_dependencies), 3)
+        self.assertEqual(stream.getvalue(),
+                         'depends_on:0:1\ndepends_on:1:2\ndepends_on:2:0\n')
+
+
+class WriteParams(TestCase):
+    """
+    Test Suite for testing write_parameters().
+    """
+
+    def test_no_params(self):
+        """
+        Test with empty test_args
+        :return:
+        """
+        stream = StringIOWrapper('test_suite_ut.data', '')
+        unique_expressions = []
+        expression_code = write_parameters(stream, [], [], unique_expressions)
+        self.assertEqual(len(unique_expressions), 0)
+        self.assertEqual(expression_code, '')
+        self.assertEqual(stream.getvalue(), '\n')
+
+    def test_no_exp_param(self):
+        """
+        Test when there is no macro or expression in the params.
+        :return:
+        """
+        stream = StringIOWrapper('test_suite_ut.data', '')
+        unique_expressions = []
+        expression_code = write_parameters(stream, ['"Yahoo"', '"abcdef00"',
+                                                    '0'],
+                                           ['char*', 'hex', 'int'],
+                                           unique_expressions)
+        self.assertEqual(len(unique_expressions), 0)
+        self.assertEqual(expression_code, '')
+        self.assertEqual(stream.getvalue(),
+                         ':char*:"Yahoo":hex:"abcdef00":int:0\n')
+
+    def test_hex_format_int_param(self):
+        """
+        Test int parameter in hex format.
+        :return:
+        """
+        stream = StringIOWrapper('test_suite_ut.data', '')
+        unique_expressions = []
+        expression_code = write_parameters(stream,
+                                           ['"Yahoo"', '"abcdef00"', '0xAA'],
+                                           ['char*', 'hex', 'int'],
+                                           unique_expressions)
+        self.assertEqual(len(unique_expressions), 0)
+        self.assertEqual(expression_code, '')
+        self.assertEqual(stream.getvalue(),
+                         ':char*:"Yahoo":hex:"abcdef00":int:0xAA\n')
+
+    def test_with_exp_param(self):
+        """
+        Test when there is macro or expression in the params.
+        :return:
+        """
+        stream = StringIOWrapper('test_suite_ut.data', '')
+        unique_expressions = []
+        expression_code = write_parameters(stream,
+                                           ['"Yahoo"', '"abcdef00"', '0',
+                                            'MACRO1', 'MACRO2', 'MACRO3'],
+                                           ['char*', 'hex', 'int',
+                                            'int', 'int', 'int'],
+                                           unique_expressions)
+        self.assertEqual(len(unique_expressions), 3)
+        self.assertEqual(unique_expressions, ['MACRO1', 'MACRO2', 'MACRO3'])
+        expected_expression_code = '''
+        case 0:
+            {
+                *out_value = MACRO1;
+            }
+            break;
+        case 1:
+            {
+                *out_value = MACRO2;
+            }
+            break;
+        case 2:
+            {
+                *out_value = MACRO3;
+            }
+            break;'''
+        self.assertEqual(expression_code, expected_expression_code)
+        self.assertEqual(stream.getvalue(),
+                         ':char*:"Yahoo":hex:"abcdef00":int:0:exp:0:exp:1'
+                         ':exp:2\n')
+
+    def test_with_repeat_calls(self):
+        """
+        Test when write_parameter() is called with same macro or expression.
+        :return:
+        """
+        stream = StringIOWrapper('test_suite_ut.data', '')
+        unique_expressions = []
+        expression_code = ''
+        expression_code += write_parameters(stream,
+                                            ['"Yahoo"', 'MACRO1', 'MACRO2'],
+                                            ['char*', 'int', 'int'],
+                                            unique_expressions)
+        expression_code += write_parameters(stream,
+                                            ['"abcdef00"', 'MACRO2', 'MACRO3'],
+                                            ['hex', 'int', 'int'],
+                                            unique_expressions)
+        expression_code += write_parameters(stream,
+                                            ['0', 'MACRO3', 'MACRO1'],
+                                            ['int', 'int', 'int'],
+                                            unique_expressions)
+        self.assertEqual(len(unique_expressions), 3)
+        self.assertEqual(unique_expressions, ['MACRO1', 'MACRO2', 'MACRO3'])
+        expected_expression_code = '''
+        case 0:
+            {
+                *out_value = MACRO1;
+            }
+            break;
+        case 1:
+            {
+                *out_value = MACRO2;
+            }
+            break;
+        case 2:
+            {
+                *out_value = MACRO3;
+            }
+            break;'''
+        self.assertEqual(expression_code, expected_expression_code)
+        expected_data_file = ''':char*:"Yahoo":exp:0:exp:1
+:hex:"abcdef00":exp:1:exp:2
+:int:0:exp:2:exp:0
+'''
+        self.assertEqual(stream.getvalue(), expected_data_file)
+
+
+class GenTestSuiteDependenciesChecks(TestCase):
+    """
+    Test suite for testing gen_suite_dep_checks()
+    """
+    def test_empty_suite_dependencies(self):
+        """
+        Test with empty suite_dependencies list.
+
+        :return:
+        """
+        dep_check_code, expression_code = \
+            gen_suite_dep_checks([], 'DEP_CHECK_CODE', 'EXPRESSION_CODE')
+        self.assertEqual(dep_check_code, 'DEP_CHECK_CODE')
+        self.assertEqual(expression_code, 'EXPRESSION_CODE')
+
+    def test_suite_dependencies(self):
+        """
+        Test with suite_dependencies list.
+
+        :return:
+        """
+        dep_check_code, expression_code = \
+            gen_suite_dep_checks(['SUITE_DEP'], 'DEP_CHECK_CODE',
+                                 'EXPRESSION_CODE')
+        expected_dep_check_code = '''
+#if defined(SUITE_DEP)
+DEP_CHECK_CODE
+#endif
+'''
+        expected_expression_code = '''
+#if defined(SUITE_DEP)
+EXPRESSION_CODE
+#endif
+'''
+        self.assertEqual(dep_check_code, expected_dep_check_code)
+        self.assertEqual(expression_code, expected_expression_code)
+
+    def test_no_dep_no_exp(self):
+        """
+        Test when there are no dependency and expression code.
+        :return:
+        """
+        dep_check_code, expression_code = gen_suite_dep_checks([], '', '')
+        self.assertEqual(dep_check_code, '')
+        self.assertEqual(expression_code, '')
+
+
+class GenFromTestData(TestCase):
+    """
+    Test suite for gen_from_test_data()
+    """
+
+    @staticmethod
+    @patch("generate_test_code.write_dependencies")
+    @patch("generate_test_code.write_parameters")
+    @patch("generate_test_code.gen_suite_dep_checks")
+    def test_intermediate_data_file(func_mock1,
+                                    write_parameters_mock,
+                                    write_dependencies_mock):
+        """
+        Test that intermediate data file is written with expected data.
+        :return:
+        """
+        data = '''
+My test
+depends_on:DEP1
+func1:0
+'''
+        data_f = StringIOWrapper('test_suite_ut.data', data)
+        out_data_f = StringIOWrapper('test_suite_ut.datax', '')
+        func_info = {'test_func1': (1, ('int',))}
+        suite_dependencies = []
+        write_parameters_mock.side_effect = write_parameters
+        write_dependencies_mock.side_effect = write_dependencies
+        func_mock1.side_effect = gen_suite_dep_checks
+        gen_from_test_data(data_f, out_data_f, func_info, suite_dependencies)
+        write_dependencies_mock.assert_called_with(out_data_f,
+                                                   ['DEP1'], ['DEP1'])
+        write_parameters_mock.assert_called_with(out_data_f, ['0'],
+                                                 ('int',), [])
+        expected_dep_check_code = '''
+        case 0:
+            {
+#if defined(DEP1)
+                ret = DEPENDENCY_SUPPORTED;
+#else
+                ret = DEPENDENCY_NOT_SUPPORTED;
+#endif
+            }
+            break;'''
+        func_mock1.assert_called_with(
+            suite_dependencies, expected_dep_check_code, '')
+
+    def test_function_not_found(self):
+        """
+        Test that AssertError is raised when function info in not found.
+        :return:
+        """
+        data = '''
+My test
+depends_on:DEP1
+func1:0
+'''
+        data_f = StringIOWrapper('test_suite_ut.data', data)
+        out_data_f = StringIOWrapper('test_suite_ut.datax', '')
+        func_info = {'test_func2': (1, ('int',))}
+        suite_dependencies = []
+        self.assertRaises(GeneratorInputError, gen_from_test_data,
+                          data_f, out_data_f, func_info, suite_dependencies)
+
+    def test_different_func_args(self):
+        """
+        Test that AssertError is raised when no. of parameters and
+        function args differ.
+        :return:
+        """
+        data = '''
+My test
+depends_on:DEP1
+func1:0
+'''
+        data_f = StringIOWrapper('test_suite_ut.data', data)
+        out_data_f = StringIOWrapper('test_suite_ut.datax', '')
+        func_info = {'test_func2': (1, ('int', 'hex'))}
+        suite_dependencies = []
+        self.assertRaises(GeneratorInputError, gen_from_test_data, data_f,
+                          out_data_f, func_info, suite_dependencies)
+
+    def test_output(self):
+        """
+        Test that intermediate data file is written with expected data.
+        :return:
+        """
+        data = '''
+My test 1
+depends_on:DEP1
+func1:0:0xfa:MACRO1:MACRO2
+
+My test 2
+depends_on:DEP1:DEP2
+func2:"yahoo":88:MACRO1
+'''
+        data_f = StringIOWrapper('test_suite_ut.data', data)
+        out_data_f = StringIOWrapper('test_suite_ut.datax', '')
+        func_info = {'test_func1': (0, ('int', 'int', 'int', 'int')),
+                     'test_func2': (1, ('char*', 'int', 'int'))}
+        suite_dependencies = []
+        dep_check_code, expression_code = \
+            gen_from_test_data(data_f, out_data_f, func_info,
+                               suite_dependencies)
+        expected_dep_check_code = '''
+        case 0:
+            {
+#if defined(DEP1)
+                ret = DEPENDENCY_SUPPORTED;
+#else
+                ret = DEPENDENCY_NOT_SUPPORTED;
+#endif
+            }
+            break;
+        case 1:
+            {
+#if defined(DEP2)
+                ret = DEPENDENCY_SUPPORTED;
+#else
+                ret = DEPENDENCY_NOT_SUPPORTED;
+#endif
+            }
+            break;'''
+        expected_data = '''My test 1
+depends_on:0
+0:int:0:int:0xfa:exp:0:exp:1
+
+My test 2
+depends_on:0:1
+1:char*:"yahoo":int:88:exp:0
+
+'''
+        expected_expression_code = '''
+        case 0:
+            {
+                *out_value = MACRO1;
+            }
+            break;
+        case 1:
+            {
+                *out_value = MACRO2;
+            }
+            break;'''
+        self.assertEqual(dep_check_code, expected_dep_check_code)
+        self.assertEqual(out_data_f.getvalue(), expected_data)
+        self.assertEqual(expression_code, expected_expression_code)
+
+
+if __name__ == '__main__':
+    unittest_main()
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/test_zeroize.gdb b/3rdparty/mbedtls/mbedtls/tests/scripts/test_zeroize.gdb
new file mode 100644
index 0000000000..2f995d2a3b
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/scripts/test_zeroize.gdb
@@ -0,0 +1,71 @@
+# test_zeroize.gdb
+#
+# This file is part of Mbed TLS (https://tls.mbed.org)
+#
+# Copyright (c) 2018, Arm Limited, All Rights Reserved
+#
+# Purpose
+#
+# Run a test using the debugger to check that the mbedtls_platform_zeroize()
+# function in platform_util.h is not being optimized out by the compiler. To do
+# so, the script loads the test program at programs/test/zeroize.c and sets a
+# breakpoint at the last return statement in main(). When the breakpoint is
+# hit, the debugger manually checks the contents to be zeroized and checks that
+# it is actually cleared.
+#
+# The mbedtls_platform_zeroize() test is debugger driven because there does not
+# seem to be a mechanism to reliably check whether the zeroize calls are being
+# eliminated by compiler optimizations from within the compiled program. The
+# problem is that a compiler would typically remove what it considers to be
+# "unecessary" assignments as part of redundant code elimination. To identify
+# such code, the compilar will create some form dependency graph between
+# reads and writes to variables (among other situations). It will then use this
+# data structure to remove redundant code that does not have an impact on the
+# program's observable behavior. In the case of mbedtls_platform_zeroize(), an
+# intelligent compiler could determine that this function clears a block of
+# memory that is not accessed later in the program, so removing the call to
+# mbedtls_platform_zeroize() does not have an observable behavior. However,
+# inserting a test after a call to mbedtls_platform_zeroize() to check whether
+# the block of memory was correctly zeroed would force the compiler to not
+# eliminate the mbedtls_platform_zeroize() call. If this does not occur, then
+# the compiler potentially has a bug.
+#
+# Note: This test requires that the test program is compiled with -g3.
+#
+# WARNING: There does not seem to be a mechanism in GDB scripts to set a
+# breakpoint at the end of a function (probably because there are a lot of
+# complications as function can have multiple exit points, etc). Therefore, it
+# was necessary to hard-code the line number of the breakpoint in the zeroize.c
+# test app. The assumption is that zeroize.c is a simple test app that does not
+# change often (as opposed to the actual library code), so the breakpoint line
+# number does not need to be updated often.
+
+set confirm off
+
+file ./programs/test/zeroize
+break zeroize.c:100
+
+set args ./programs/test/zeroize.c
+run
+
+set $i = 0
+set $len = sizeof(buf)
+set $buf = buf
+
+while $i < $len
+    if $buf[$i++] != 0
+        echo The buffer at was not zeroized\n
+        quit 1
+    end
+end
+
+echo The buffer was correctly zeroized\n
+
+continue
+
+if $_exitcode != 0
+    echo The program did not terminate correctly\n
+    quit 1
+end
+
+quit 0
diff --git a/3rdparty/mbedtls/mbedtls/tests/scripts/yotta-build.sh b/3rdparty/mbedtls/mbedtls/tests/scripts/yotta-build.sh
deleted file mode 100755
index 4bae34aa34..0000000000
--- a/3rdparty/mbedtls/mbedtls/tests/scripts/yotta-build.sh
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/bin/sh
-
-# yotta-build.sh
-#
-# This file is part of mbed TLS (https://tls.mbed.org)
-#
-# Copyright (c) 2015-2016, ARM Limited, All Rights Reserved
-#
-# Purpose
-#
-# To run test builds of the yotta module for all supported targets.
-
-set -eu
-
-check_tools()
-{
-    for TOOL in "$@"; do
-        if ! `hash "$TOOL" >/dev/null 2>&1`; then
-            echo "$TOOL not found!" >&2
-            exit 1
-        fi
-    done
-}
-
-yotta_build()
-{
-    TARGET=$1
-
-    echo; echo "*** $TARGET (release) ***"
-    yt -t $TARGET build
-
-    echo; echo "*** $TARGET (debug) ***"
-    yt -t $TARGET build -d
-}
-
-# Make sure the tools we need are available.
-check_tools "arm-none-eabi-gcc" "armcc" "yotta"
-
-yotta/create-module.sh
-cd yotta/module
-yt update || true # needs network
-
-if uname -a | grep 'Linux.*x86' >/dev/null; then
-    yotta_build x86-linux-native
-fi
-if uname -a | grep 'Darwin.*x86' >/dev/null; then
-    yotta_build x86-osx-native
-fi
-
-# armcc build tests.
-yotta_build frdm-k64f-armcc
-#yotta_build nordic-nrf51822-16k-armcc
-
-# arm-none-eabi-gcc build tests.
-yotta_build frdm-k64f-gcc
-#yotta_build st-nucleo-f401re-gcc # dirent
-#yotta_build stm32f429i-disco-gcc # fails in mbed-hal-st-stm32f4
-#yotta_build nordic-nrf51822-16k-gcc # fails in minar-platform
-#yotta_build bbc-microbit-classic-gcc # fails in minar-platform
-#yotta_build st-stm32f439zi-gcc # fails in mbed-hal-st-stm32f4
-#yotta_build st-stm32f429i-disco-gcc # fails in mbed-hal-st-stm32f4
diff --git a/3rdparty/mbedtls/mbedtls/tests/ssl-opt.sh b/3rdparty/mbedtls/mbedtls/tests/ssl-opt.sh
index fbd03673cf..d2f36e6933 100755
--- a/3rdparty/mbedtls/mbedtls/tests/ssl-opt.sh
+++ b/3rdparty/mbedtls/mbedtls/tests/ssl-opt.sh
@@ -21,6 +21,11 @@
 
 set -u
 
+if cd $( dirname $0 ); then :; else
+    echo "cd $( dirname $0 ) failed" >&2
+    exit 1
+fi
+
 # default values, can be overriden by the environment
 : ${P_SRV:=../programs/ssl/ssl_server2}
 : ${P_CLI:=../programs/ssl/ssl_client2}
@@ -36,6 +41,28 @@ G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_fil
 G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
 TCP_CLIENT="$PERL scripts/tcp_client.pl"
 
+# alternative versions of OpenSSL and GnuTLS (no default path)
+
+if [ -n "${OPENSSL_LEGACY:-}" ]; then
+    O_LEGACY_SRV="$OPENSSL_LEGACY s_server -www -cert data_files/server5.crt -key data_files/server5.key"
+    O_LEGACY_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_LEGACY s_client"
+else
+    O_LEGACY_SRV=false
+    O_LEGACY_CLI=false
+fi
+
+if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
+    G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
+else
+    G_NEXT_SRV=false
+fi
+
+if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
+    G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile data_files/test-ca_cat12.crt"
+else
+    G_NEXT_CLI=false
+fi
+
 TESTS=0
 FAILS=0
 SKIPS=0
@@ -115,6 +142,14 @@ get_options() {
     done
 }
 
+# Skip next test; use this macro to skip tests which are legitimate
+# in theory and expected to be re-introduced at some point, but
+# aren't expected to succeed at the moment due to problems outside
+# our control (such as bugs in other TLS implementations).
+skip_next_test() {
+    SKIP_NEXT="YES"
+}
+
 # skip next test if the flag is not enabled in config.h
 requires_config_enabled() {
     if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
@@ -129,6 +164,39 @@ requires_config_disabled() {
     fi
 }
 
+get_config_value_or_default() {
+    # This function uses the query_config command line option to query the
+    # required Mbed TLS compile time configuration from the ssl_server2
+    # program. The command will always return a success value if the
+    # configuration is defined and the value will be printed to stdout.
+    #
+    # Note that if the configuration is not defined or is defined to nothing,
+    # the output of this function will be an empty string.
+    ${P_SRV} "query_config=${1}"
+}
+
+requires_config_value_at_least() {
+    VAL="$( get_config_value_or_default "$1" )"
+    if [ -z "$VAL" ]; then
+        # Should never happen
+        echo "Mbed TLS configuration $1 is not defined"
+        exit 1
+    elif [ "$VAL" -lt "$2" ]; then
+       SKIP_NEXT="YES"
+    fi
+}
+
+requires_config_value_at_most() {
+    VAL=$( get_config_value_or_default "$1" )
+    if [ -z "$VAL" ]; then
+        # Should never happen
+        echo "Mbed TLS configuration $1 is not defined"
+        exit 1
+    elif [ "$VAL" -gt "$2" ]; then
+       SKIP_NEXT="YES"
+    fi
+}
+
 # skip next test if OpenSSL doesn't support FALLBACK_SCSV
 requires_openssl_with_fallback_scsv() {
     if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
@@ -158,6 +226,34 @@ requires_gnutls() {
     fi
 }
 
+# skip next test if GnuTLS-next isn't available
+requires_gnutls_next() {
+    if [ -z "${GNUTLS_NEXT_AVAILABLE:-}" ]; then
+        if ( which "${GNUTLS_NEXT_CLI:-}" && which "${GNUTLS_NEXT_SERV:-}" ) >/dev/null 2>&1; then
+            GNUTLS_NEXT_AVAILABLE="YES"
+        else
+            GNUTLS_NEXT_AVAILABLE="NO"
+        fi
+    fi
+    if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
+        SKIP_NEXT="YES"
+    fi
+}
+
+# skip next test if OpenSSL-legacy isn't available
+requires_openssl_legacy() {
+    if [ -z "${OPENSSL_LEGACY_AVAILABLE:-}" ]; then
+        if which "${OPENSSL_LEGACY:-}" >/dev/null 2>&1; then
+            OPENSSL_LEGACY_AVAILABLE="YES"
+        else
+            OPENSSL_LEGACY_AVAILABLE="NO"
+        fi
+    fi
+    if [ "$OPENSSL_LEGACY_AVAILABLE" = "NO" ]; then
+        SKIP_NEXT="YES"
+    fi
+}
+
 # skip next test if IPv6 isn't available on this host
 requires_ipv6() {
     if [ -z "${HAS_IPV6:-}" ]; then
@@ -178,6 +274,40 @@ requires_ipv6() {
     fi
 }
 
+# skip next test if it's i686 or uname is not available
+requires_not_i686() {
+    if [ -z "${IS_I686:-}" ]; then
+        IS_I686="YES"
+        if which "uname" >/dev/null 2>&1; then
+            if [ -z "$(uname -a | grep i686)" ]; then
+                IS_I686="NO"
+            fi
+        fi
+    fi
+    if [ "$IS_I686" = "YES" ]; then
+        SKIP_NEXT="YES"
+    fi
+}
+
+# Calculate the input & output maximum content lengths set in the config
+MAX_CONTENT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN || echo "16384")
+MAX_IN_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_IN_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
+MAX_OUT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_OUT_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
+
+if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then
+    MAX_CONTENT_LEN="$MAX_IN_LEN"
+fi
+if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then
+    MAX_CONTENT_LEN="$MAX_OUT_LEN"
+fi
+
+# skip the next test if the SSL output buffer is less than 16KB
+requires_full_size_output_buffer() {
+    if [ "$MAX_OUT_LEN" -ne 16384 ]; then
+        SKIP_NEXT="YES"
+    fi
+}
+
 # skip the next test if valgrind is in use
 not_with_valgrind() {
     if [ "$MEMCHECK" -gt 0 ]; then
@@ -423,6 +553,20 @@ run_test() {
     CLI_EXPECT="$3"
     shift 3
 
+    # Check if test uses files
+    TEST_USES_FILES=$(echo "$SRV_CMD $CLI_CMD" | grep "\.\(key\|crt\|pem\)" )
+    if [ ! -z "$TEST_USES_FILES" ]; then
+       requires_config_enabled MBEDTLS_FS_IO
+    fi
+
+    # should we skip?
+    if [ "X$SKIP_NEXT" = "XYES" ]; then
+        SKIP_NEXT="NO"
+        echo "SKIP"
+        SKIPS=$(( $SKIPS + 1 ))
+        return
+    fi
+
     # fix client port
     if [ -n "$PXY_CMD" ]; then
         CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
@@ -465,9 +609,12 @@ run_test() {
         eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
         wait_client_done
 
+        sleep 0.05
+
         # terminate the server (and the proxy)
         kill $SRV_PID
         wait $SRV_PID
+
         if [ -n "$PXY_CMD" ]; then
             kill $PXY_PID >/dev/null 2>&1
             wait $PXY_PID
@@ -626,24 +773,22 @@ cleanup() {
 # MAIN
 #
 
-if cd $( dirname $0 ); then :; else
-    echo "cd $( dirname $0 ) failed" >&2
-    exit 1
-fi
-
 get_options "$@"
 
 # sanity checks, avoid an avalanche of errors
-if [ ! -x "$P_SRV" ]; then
-    echo "Command '$P_SRV' is not an executable file"
+P_SRV_BIN="${P_SRV%%[  ]*}"
+P_CLI_BIN="${P_CLI%%[  ]*}"
+P_PXY_BIN="${P_PXY%%[  ]*}"
+if [ ! -x "$P_SRV_BIN" ]; then
+    echo "Command '$P_SRV_BIN' is not an executable file"
     exit 1
 fi
-if [ ! -x "$P_CLI" ]; then
-    echo "Command '$P_CLI' is not an executable file"
+if [ ! -x "$P_CLI_BIN" ]; then
+    echo "Command '$P_CLI_BIN' is not an executable file"
     exit 1
 fi
-if [ ! -x "$P_PXY" ]; then
-    echo "Command '$P_PXY' is not an executable file"
+if [ ! -x "$P_PXY_BIN" ]; then
+    echo "Command '$P_PXY_BIN' is not an executable file"
     exit 1
 fi
 if [ "$MEMCHECK" -gt 0 ]; then
@@ -693,7 +838,20 @@ P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1
 O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
 O_CLI="$O_CLI -connect localhost:+SRV_PORT"
 G_SRV="$G_SRV -p $SRV_PORT"
-G_CLI="$G_CLI -p +SRV_PORT localhost"
+G_CLI="$G_CLI -p +SRV_PORT"
+
+if [ -n "${OPENSSL_LEGACY:-}" ]; then
+    O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
+    O_LEGACY_CLI="$O_LEGACY_CLI -connect localhost:+SRV_PORT"
+fi
+
+if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
+    G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT"
+fi
+
+if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
+    G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
+fi
 
 # Allow SHA-1, because many of our test certificates use it
 P_SRV="$P_SRV allow_sha1=1"
@@ -720,7 +878,7 @@ run_test    "Default" \
             "$P_CLI" \
             0 \
             -s "Protocol is TLSv1.2" \
-            -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
+            -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
             -s "client hello v3, signature_algorithm ext: 6" \
             -s "ECDHE curve: secp521r1" \
             -S "error" \
@@ -731,20 +889,14 @@ run_test    "Default, DTLS" \
             "$P_CLI dtls=1" \
             0 \
             -s "Protocol is DTLSv1.2" \
-            -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
+            -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
 
 # Test current time in ServerHello
 requires_config_enabled MBEDTLS_HAVE_TIME
-run_test    "Default, ServerHello contains gmt_unix_time" \
+run_test    "ServerHello contains gmt_unix_time" \
             "$P_SRV debug_level=3" \
             "$P_CLI debug_level=3" \
             0 \
-            -s "Protocol is TLSv1.2" \
-            -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
-            -s "client hello v3, signature_algorithm ext: 6" \
-            -s "ECDHE curve: secp521r1" \
-            -S "error" \
-            -C "error" \
             -f "check_server_hello_time" \
             -F "check_server_hello_time"
 
@@ -849,6 +1001,35 @@ run_test    "SHA-256 allowed by default in client certificate" \
             "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
             0
 
+# Tests for datagram packing
+run_test    "DTLS: multiple records in same datagram, client and server" \
+            "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
+            "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
+            0 \
+            -c "next record in same datagram" \
+            -s "next record in same datagram"
+
+run_test    "DTLS: multiple records in same datagram, client only" \
+            "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
+            "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
+            0 \
+            -s "next record in same datagram" \
+            -C "next record in same datagram"
+
+run_test    "DTLS: multiple records in same datagram, server only" \
+            "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
+            "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
+            0 \
+            -S "next record in same datagram" \
+            -c "next record in same datagram"
+
+run_test    "DTLS: multiple records in same datagram, neither client nor server" \
+            "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
+            "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
+            0 \
+            -S "next record in same datagram" \
+            -C "next record in same datagram"
+
 # Tests for Truncated HMAC extension
 
 run_test    "Truncated HMAC: client default, server default" \
@@ -1621,28 +1802,22 @@ run_test    "Session resume using cache, DTLS: openssl server" \
 
 # Tests for Max Fragment Length extension
 
-MAX_CONTENT_LEN_EXPECT='16384'
-MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)
-
-if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
-    printf "The ${CONFIG_H} file contains a value for the configuration of\n"
-    printf "MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n"
-    printf "test value of ${MAX_CONTENT_LEN_EXPECT}. \n"
-    printf "\n"
-    printf "The tests assume this value and if it changes, the tests in this\n"
-    printf "script should also be adjusted.\n"
-    printf "\n"
-
+if [ "$MAX_CONTENT_LEN" -lt "4096" ]; then
+    printf "${CONFIG_H} defines MBEDTLS_SSL_MAX_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n"
     exit 1
 fi
 
+if [ $MAX_CONTENT_LEN -ne 16384 ]; then
+    printf "Using non-default maximum content length $MAX_CONTENT_LEN\n"
+fi
+
 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 run_test    "Max fragment length: enabled, default" \
             "$P_SRV debug_level=3" \
             "$P_CLI debug_level=3" \
             0 \
-            -c "Maximum fragment length is 16384" \
-            -s "Maximum fragment length is 16384" \
+            -c "Maximum fragment length is $MAX_CONTENT_LEN" \
+            -s "Maximum fragment length is $MAX_CONTENT_LEN" \
             -C "client hello, adding max_fragment_length extension" \
             -S "found max fragment length extension" \
             -S "server hello, max_fragment_length extension" \
@@ -1651,46 +1826,50 @@ run_test    "Max fragment length: enabled, default" \
 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 run_test    "Max fragment length: enabled, default, larger message" \
             "$P_SRV debug_level=3" \
-            "$P_CLI debug_level=3 request_size=16385" \
+            "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
             0 \
-            -c "Maximum fragment length is 16384" \
-            -s "Maximum fragment length is 16384" \
+            -c "Maximum fragment length is $MAX_CONTENT_LEN" \
+            -s "Maximum fragment length is $MAX_CONTENT_LEN" \
             -C "client hello, adding max_fragment_length extension" \
             -S "found max fragment length extension" \
             -S "server hello, max_fragment_length extension" \
             -C "found max_fragment_length extension" \
-            -c "16385 bytes written in 2 fragments" \
-            -s "16384 bytes read" \
+            -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
+            -s "$MAX_CONTENT_LEN bytes read" \
             -s "1 bytes read"
 
 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 run_test    "Max fragment length, DTLS: enabled, default, larger message" \
             "$P_SRV debug_level=3 dtls=1" \
-            "$P_CLI debug_level=3 dtls=1 request_size=16385" \
+            "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
             1 \
-            -c "Maximum fragment length is 16384" \
-            -s "Maximum fragment length is 16384" \
+            -c "Maximum fragment length is $MAX_CONTENT_LEN" \
+            -s "Maximum fragment length is $MAX_CONTENT_LEN" \
             -C "client hello, adding max_fragment_length extension" \
             -S "found max fragment length extension" \
             -S "server hello, max_fragment_length extension" \
             -C "found max_fragment_length extension" \
             -c "fragment larger than.*maximum "
 
+# Run some tests with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH disabled
+# (session fragment length will be 16384 regardless of mbedtls
+# content length configuration.)
+
 requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 run_test    "Max fragment length: disabled, larger message" \
             "$P_SRV debug_level=3" \
-            "$P_CLI debug_level=3 request_size=16385" \
+            "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
             0 \
             -C "Maximum fragment length is 16384" \
             -S "Maximum fragment length is 16384" \
-            -c "16385 bytes written in 2 fragments" \
-            -s "16384 bytes read" \
+            -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
+            -s "$MAX_CONTENT_LEN bytes read" \
             -s "1 bytes read"
 
 requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 run_test    "Max fragment length DTLS: disabled, larger message" \
             "$P_SRV debug_level=3 dtls=1" \
-            "$P_CLI debug_level=3 dtls=1 request_size=16385" \
+            "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
             1 \
             -C "Maximum fragment length is 16384" \
             -S "Maximum fragment length is 16384" \
@@ -1713,7 +1892,7 @@ run_test    "Max fragment length: used by server" \
             "$P_SRV debug_level=3 max_frag_len=4096" \
             "$P_CLI debug_level=3" \
             0 \
-            -c "Maximum fragment length is 16384" \
+            -c "Maximum fragment length is $MAX_CONTENT_LEN" \
             -s "Maximum fragment length is 4096" \
             -C "client hello, adding max_fragment_length extension" \
             -S "found max fragment length extension" \
@@ -2217,7 +2396,7 @@ run_test    "Renego ext: gnutls server unsafe, client break legacy" \
 requires_gnutls
 run_test    "Renego ext: gnutls client strict, server default" \
             "$P_SRV debug_level=3" \
-            "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
+            "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
             0 \
             -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
             -s "server hello, secure renegotiation extension"
@@ -2225,7 +2404,7 @@ run_test    "Renego ext: gnutls client strict, server default" \
 requires_gnutls
 run_test    "Renego ext: gnutls client unsafe, server default" \
             "$P_SRV debug_level=3" \
-            "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
+            "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
             0 \
             -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
             -S "server hello, secure renegotiation extension"
@@ -2233,7 +2412,7 @@ run_test    "Renego ext: gnutls client unsafe, server default" \
 requires_gnutls
 run_test    "Renego ext: gnutls client unsafe, server break legacy" \
             "$P_SRV debug_level=3 allow_legacy=-1" \
-            "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
+            "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
             1 \
             -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
             -S "server hello, secure renegotiation extension"
@@ -2244,7 +2423,7 @@ requires_gnutls
 run_test    "DER format: no trailing bytes" \
             "$P_SRV crt_file=data_files/server5-der0.crt \
              key_file=data_files/server5.key" \
-            "$G_CLI " \
+            "$G_CLI localhost" \
             0 \
             -c "Handshake was completed" \
 
@@ -2252,7 +2431,7 @@ requires_gnutls
 run_test    "DER format: with a trailing zero byte" \
             "$P_SRV crt_file=data_files/server5-der1a.crt \
              key_file=data_files/server5.key" \
-            "$G_CLI " \
+            "$G_CLI localhost" \
             0 \
             -c "Handshake was completed" \
 
@@ -2260,7 +2439,7 @@ requires_gnutls
 run_test    "DER format: with a trailing random byte" \
             "$P_SRV crt_file=data_files/server5-der1b.crt \
              key_file=data_files/server5.key" \
-            "$G_CLI " \
+            "$G_CLI localhost" \
             0 \
             -c "Handshake was completed" \
 
@@ -2268,7 +2447,7 @@ requires_gnutls
 run_test    "DER format: with 2 trailing random bytes" \
             "$P_SRV crt_file=data_files/server5-der2.crt \
              key_file=data_files/server5.key" \
-            "$G_CLI " \
+            "$G_CLI localhost" \
             0 \
             -c "Handshake was completed" \
 
@@ -2276,7 +2455,7 @@ requires_gnutls
 run_test    "DER format: with 4 trailing random bytes" \
             "$P_SRV crt_file=data_files/server5-der4.crt \
              key_file=data_files/server5.key" \
-            "$G_CLI " \
+            "$G_CLI localhost" \
             0 \
             -c "Handshake was completed" \
 
@@ -2284,7 +2463,7 @@ requires_gnutls
 run_test    "DER format: with 8 trailing random bytes" \
             "$P_SRV crt_file=data_files/server5-der8.crt \
              key_file=data_files/server5.key" \
-            "$G_CLI " \
+            "$G_CLI localhost" \
             0 \
             -c "Handshake was completed" \
 
@@ -2292,7 +2471,7 @@ requires_gnutls
 run_test    "DER format: with 9 trailing random bytes" \
             "$P_SRV crt_file=data_files/server5-der9.crt \
              key_file=data_files/server5.key" \
-            "$G_CLI " \
+            "$G_CLI localhost" \
             0 \
             -c "Handshake was completed" \
 
@@ -2581,6 +2760,7 @@ if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
     exit 1
 fi
 
+requires_full_size_output_buffer
 run_test    "Authentication: server max_int chain, client default" \
             "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
                     key_file=data_files/dir-maxpath/09.key" \
@@ -2588,6 +2768,7 @@ run_test    "Authentication: server max_int chain, client default" \
             0 \
             -C "X509 - A fatal error occured"
 
+requires_full_size_output_buffer
 run_test    "Authentication: server max_int+1 chain, client default" \
             "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
                     key_file=data_files/dir-maxpath/10.key" \
@@ -2595,6 +2776,7 @@ run_test    "Authentication: server max_int+1 chain, client default" \
             1 \
             -c "X509 - A fatal error occured"
 
+requires_full_size_output_buffer
 run_test    "Authentication: server max_int+1 chain, client optional" \
             "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
                     key_file=data_files/dir-maxpath/10.key" \
@@ -2603,6 +2785,7 @@ run_test    "Authentication: server max_int+1 chain, client optional" \
             1 \
             -c "X509 - A fatal error occured"
 
+requires_full_size_output_buffer
 run_test    "Authentication: server max_int+1 chain, client none" \
             "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
                     key_file=data_files/dir-maxpath/10.key" \
@@ -2611,6 +2794,7 @@ run_test    "Authentication: server max_int+1 chain, client none" \
             0 \
             -C "X509 - A fatal error occured"
 
+requires_full_size_output_buffer
 run_test    "Authentication: client max_int+1 chain, server default" \
             "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
             "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -2618,6 +2802,7 @@ run_test    "Authentication: client max_int+1 chain, server default" \
             0 \
             -S "X509 - A fatal error occured"
 
+requires_full_size_output_buffer
 run_test    "Authentication: client max_int+1 chain, server optional" \
             "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
             "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -2625,6 +2810,7 @@ run_test    "Authentication: client max_int+1 chain, server optional" \
             1 \
             -s "X509 - A fatal error occured"
 
+requires_full_size_output_buffer
 run_test    "Authentication: client max_int+1 chain, server required" \
             "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
             "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
@@ -2632,6 +2818,7 @@ run_test    "Authentication: client max_int+1 chain, server required" \
             1 \
             -s "X509 - A fatal error occured"
 
+requires_full_size_output_buffer
 run_test    "Authentication: client max_int chain, server required" \
             "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
             "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
@@ -3051,6 +3238,118 @@ run_test    "Non-blocking I/O: session-id resume" \
             -C "mbedtls_ssl_handshake returned" \
             -c "Read from server: .* bytes read"
 
+# Tests for event-driven I/O: exercise a variety of handshake flows
+
+run_test    "Event-driven I/O: basic handshake" \
+            "$P_SRV event=1 tickets=0 auth_mode=none" \
+            "$P_CLI event=1 tickets=0" \
+            0 \
+            -S "mbedtls_ssl_handshake returned" \
+            -C "mbedtls_ssl_handshake returned" \
+            -c "Read from server: .* bytes read"
+
+run_test    "Event-driven I/O: client auth" \
+            "$P_SRV event=1 tickets=0 auth_mode=required" \
+            "$P_CLI event=1 tickets=0" \
+            0 \
+            -S "mbedtls_ssl_handshake returned" \
+            -C "mbedtls_ssl_handshake returned" \
+            -c "Read from server: .* bytes read"
+
+run_test    "Event-driven I/O: ticket" \
+            "$P_SRV event=1 tickets=1 auth_mode=none" \
+            "$P_CLI event=1 tickets=1" \
+            0 \
+            -S "mbedtls_ssl_handshake returned" \
+            -C "mbedtls_ssl_handshake returned" \
+            -c "Read from server: .* bytes read"
+
+run_test    "Event-driven I/O: ticket + client auth" \
+            "$P_SRV event=1 tickets=1 auth_mode=required" \
+            "$P_CLI event=1 tickets=1" \
+            0 \
+            -S "mbedtls_ssl_handshake returned" \
+            -C "mbedtls_ssl_handshake returned" \
+            -c "Read from server: .* bytes read"
+
+run_test    "Event-driven I/O: ticket + client auth + resume" \
+            "$P_SRV event=1 tickets=1 auth_mode=required" \
+            "$P_CLI event=1 tickets=1 reconnect=1" \
+            0 \
+            -S "mbedtls_ssl_handshake returned" \
+            -C "mbedtls_ssl_handshake returned" \
+            -c "Read from server: .* bytes read"
+
+run_test    "Event-driven I/O: ticket + resume" \
+            "$P_SRV event=1 tickets=1 auth_mode=none" \
+            "$P_CLI event=1 tickets=1 reconnect=1" \
+            0 \
+            -S "mbedtls_ssl_handshake returned" \
+            -C "mbedtls_ssl_handshake returned" \
+            -c "Read from server: .* bytes read"
+
+run_test    "Event-driven I/O: session-id resume" \
+            "$P_SRV event=1 tickets=0 auth_mode=none" \
+            "$P_CLI event=1 tickets=0 reconnect=1" \
+            0 \
+            -S "mbedtls_ssl_handshake returned" \
+            -C "mbedtls_ssl_handshake returned" \
+            -c "Read from server: .* bytes read"
+
+run_test    "Event-driven I/O, DTLS: basic handshake" \
+            "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
+            "$P_CLI dtls=1 event=1 tickets=0" \
+            0 \
+            -c "Read from server: .* bytes read"
+
+run_test    "Event-driven I/O, DTLS: client auth" \
+            "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
+            "$P_CLI dtls=1 event=1 tickets=0" \
+            0 \
+            -c "Read from server: .* bytes read"
+
+run_test    "Event-driven I/O, DTLS: ticket" \
+            "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
+            "$P_CLI dtls=1 event=1 tickets=1" \
+            0 \
+            -c "Read from server: .* bytes read"
+
+run_test    "Event-driven I/O, DTLS: ticket + client auth" \
+            "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
+            "$P_CLI dtls=1 event=1 tickets=1" \
+            0 \
+            -c "Read from server: .* bytes read"
+
+run_test    "Event-driven I/O, DTLS: ticket + client auth + resume" \
+            "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
+            "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
+            0 \
+            -c "Read from server: .* bytes read"
+
+run_test    "Event-driven I/O, DTLS: ticket + resume" \
+            "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
+            "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
+            0 \
+            -c "Read from server: .* bytes read"
+
+run_test    "Event-driven I/O, DTLS: session-id resume" \
+            "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
+            "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
+            0 \
+            -c "Read from server: .* bytes read"
+
+# This test demonstrates the need for the mbedtls_ssl_check_pending function.
+# During session resumption, the client will send its ApplicationData record
+# within the same datagram as the Finished messages. In this situation, the
+# server MUST NOT idle on the underlying transport after handshake completion,
+# because the ApplicationData request has already been queued internally.
+run_test    "Event-driven I/O, DTLS: session-id resume, UDP packing" \
+            -p "$P_PXY pack=50" \
+            "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
+            "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
+            0 \
+            -c "Read from server: .* bytes read"
+
 # Tests for version negotiation
 
 run_test    "Version check: all -> 1.2" \
@@ -3748,14 +4047,14 @@ run_test    "Per-version suites: TLS 1.2" \
 requires_gnutls
 run_test    "ClientHello without extensions, SHA-1 allowed" \
             "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt" \
-            "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
+            "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
             0 \
             -s "dumping 'client hello extensions' (0 bytes)"
 
 requires_gnutls
 run_test    "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
             "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
-            "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
+            "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
             0 \
             -s "dumping 'client hello extensions' (0 bytes)"
 
@@ -4363,14 +4662,19 @@ run_test    "SSLv3 with extensions, server side" \
 
 # Test for large client packets
 
+# How many fragments do we expect to write $1 bytes?
+fragments_for_write() {
+    echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
+}
+
 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
 run_test    "Large client packet SSLv3 BlockCipher" \
             "$P_SRV min_version=ssl3" \
             "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
             0 \
-            -c "16384 bytes written in 1 fragments" \
-            -s "Read from client: 16384 bytes read"
+            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
 run_test    "Large client packet SSLv3 StreamCipher" \
@@ -4378,23 +4682,23 @@ run_test    "Large client packet SSLv3 StreamCipher" \
             "$P_CLI request_size=16384 force_version=ssl3 \
              force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
             0 \
-            -c "16384 bytes written in 1 fragments" \
-            -s "Read from client: 16384 bytes read"
+            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 run_test    "Large client packet TLS 1.0 BlockCipher" \
             "$P_SRV" \
             "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
             0 \
-            -c "16384 bytes written in 1 fragments" \
-            -s "Read from client: 16384 bytes read"
+            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 run_test    "Large client packet TLS 1.0 BlockCipher, without EtM" \
             "$P_SRV" \
             "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
             0 \
-            -s "Read from client: 16384 bytes read"
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
 run_test    "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
@@ -4402,8 +4706,8 @@ run_test    "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
             "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
             0 \
-            -c "16384 bytes written in 1 fragments" \
-            -s "Read from client: 16384 bytes read"
+            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
 run_test    "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
@@ -4411,21 +4715,21 @@ run_test    "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC
             "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
             0 \
-            -s "Read from client: 16384 bytes read"
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 run_test    "Large client packet TLS 1.0 StreamCipher" \
             "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
             "$P_CLI request_size=16384 force_version=tls1 \
              force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
             0 \
-            -s "Read from client: 16384 bytes read"
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 run_test    "Large client packet TLS 1.0 StreamCipher, without EtM" \
             "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
             "$P_CLI request_size=16384 force_version=tls1 \
              force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
             0 \
-            -s "Read from client: 16384 bytes read"
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
 run_test    "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
@@ -4433,7 +4737,7 @@ run_test    "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
             "$P_CLI request_size=16384 force_version=tls1 \
              force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
             0 \
-            -s "Read from client: 16384 bytes read"
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
 run_test    "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
@@ -4441,23 +4745,23 @@ run_test    "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MA
             "$P_CLI request_size=16384 force_version=tls1 \
              force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
             0 \
-            -c "16384 bytes written in 1 fragments" \
-            -s "Read from client: 16384 bytes read"
+            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 run_test    "Large client packet TLS 1.1 BlockCipher" \
             "$P_SRV" \
             "$P_CLI request_size=16384 force_version=tls1_1 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
             0 \
-            -c "16384 bytes written in 1 fragments" \
-            -s "Read from client: 16384 bytes read"
+            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 run_test    "Large client packet TLS 1.1 BlockCipher, without EtM" \
             "$P_SRV" \
             "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
             0 \
-            -s "Read from client: 16384 bytes read"
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
 run_test    "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
@@ -4465,7 +4769,7 @@ run_test    "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
             "$P_CLI request_size=16384 force_version=tls1_1 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
             0 \
-            -s "Read from client: 16384 bytes read"
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
 run_test    "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
@@ -4473,23 +4777,23 @@ run_test    "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC
             "$P_CLI request_size=16384 force_version=tls1_1 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
             0 \
-            -s "Read from client: 16384 bytes read"
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 run_test    "Large client packet TLS 1.1 StreamCipher" \
             "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
             "$P_CLI request_size=16384 force_version=tls1_1 \
              force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
             0 \
-            -c "16384 bytes written in 1 fragments" \
-            -s "Read from client: 16384 bytes read"
+            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 run_test    "Large client packet TLS 1.1 StreamCipher, without EtM" \
             "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
             "$P_CLI request_size=16384 force_version=tls1_1 \
              force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
             0 \
-            -c "16384 bytes written in 1 fragments" \
-            -s "Read from client: 16384 bytes read"
+            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
 run_test    "Large client packet TLS 1.1 StreamCipher, truncated MAC" \
@@ -4497,7 +4801,7 @@ run_test    "Large client packet TLS 1.1 StreamCipher, truncated MAC" \
             "$P_CLI request_size=16384 force_version=tls1_1 \
              force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
             0 \
-            -s "Read from client: 16384 bytes read"
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
 run_test    "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
@@ -4505,31 +4809,31 @@ run_test    "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MA
             "$P_CLI request_size=16384 force_version=tls1_1 \
              force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
             0 \
-            -c "16384 bytes written in 1 fragments" \
-            -s "Read from client: 16384 bytes read"
+            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 run_test    "Large client packet TLS 1.2 BlockCipher" \
             "$P_SRV" \
             "$P_CLI request_size=16384 force_version=tls1_2 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
             0 \
-            -c "16384 bytes written in 1 fragments" \
-            -s "Read from client: 16384 bytes read"
+            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 run_test    "Large client packet TLS 1.2 BlockCipher, without EtM" \
             "$P_SRV" \
             "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
             0 \
-            -s "Read from client: 16384 bytes read"
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 run_test    "Large client packet TLS 1.2 BlockCipher larger MAC" \
             "$P_SRV" \
             "$P_CLI request_size=16384 force_version=tls1_2 \
              force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
             0 \
-            -c "16384 bytes written in 1 fragments" \
-            -s "Read from client: 16384 bytes read"
+            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
 run_test    "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
@@ -4537,7 +4841,7 @@ run_test    "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
             "$P_CLI request_size=16384 force_version=tls1_2 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
             0 \
-            -s "Read from client: 16384 bytes read"
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
 run_test    "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
@@ -4545,23 +4849,23 @@ run_test    "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC
             "$P_CLI request_size=16384 force_version=tls1_2 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
             0 \
-            -c "16384 bytes written in 1 fragments" \
-            -s "Read from client: 16384 bytes read"
+            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 run_test    "Large client packet TLS 1.2 StreamCipher" \
             "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
             "$P_CLI request_size=16384 force_version=tls1_2 \
              force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
             0 \
-            -c "16384 bytes written in 1 fragments" \
-            -s "Read from client: 16384 bytes read"
+            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 run_test    "Large client packet TLS 1.2 StreamCipher, without EtM" \
             "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
             "$P_CLI request_size=16384 force_version=tls1_2 \
              force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
             0 \
-            -s "Read from client: 16384 bytes read"
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
 run_test    "Large client packet TLS 1.2 StreamCipher, truncated MAC" \
@@ -4569,7 +4873,7 @@ run_test    "Large client packet TLS 1.2 StreamCipher, truncated MAC" \
             "$P_CLI request_size=16384 force_version=tls1_2 \
              force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
             0 \
-            -s "Read from client: 16384 bytes read"
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
 run_test    "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
@@ -4577,74 +4881,24 @@ run_test    "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MA
             "$P_CLI request_size=16384 force_version=tls1_2 \
              force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
             0 \
-            -c "16384 bytes written in 1 fragments" \
-            -s "Read from client: 16384 bytes read"
+            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 run_test    "Large client packet TLS 1.2 AEAD" \
             "$P_SRV" \
             "$P_CLI request_size=16384 force_version=tls1_2 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
             0 \
-            -c "16384 bytes written in 1 fragments" \
-            -s "Read from client: 16384 bytes read"
+            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 run_test    "Large client packet TLS 1.2 AEAD shorter tag" \
             "$P_SRV" \
             "$P_CLI request_size=16384 force_version=tls1_2 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
             0 \
-            -c "16384 bytes written in 1 fragments" \
-            -s "Read from client: 16384 bytes read"
-
-# Tests for ECC extensions (rfc 4492)
-
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
-requires_config_enabled MBEDTLS_SHA256_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-run_test    "Force a non ECC ciphersuite in the client side" \
-            "$P_SRV debug_level=3" \
-            "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
-            0 \
-            -C "client hello, adding supported_elliptic_curves extension" \
-            -C "client hello, adding supported_point_formats extension" \
-            -S "found supported elliptic curves extension" \
-            -S "found supported point formats extension"
-
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
-requires_config_enabled MBEDTLS_SHA256_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-run_test    "Force a non ECC ciphersuite in the server side" \
-            "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
-            "$P_CLI debug_level=3" \
-            0 \
-            -C "found supported_point_formats extension" \
-            -S "server hello, supported_point_formats extension"
-
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
-requires_config_enabled MBEDTLS_SHA256_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Force an ECC ciphersuite in the client side" \
-            "$P_SRV debug_level=3" \
-            "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
-            0 \
-            -c "client hello, adding supported_elliptic_curves extension" \
-            -c "client hello, adding supported_point_formats extension" \
-            -s "found supported elliptic curves extension" \
-            -s "found supported point formats extension"
-
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
-requires_config_enabled MBEDTLS_SHA256_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test    "Force an ECC ciphersuite in the server side" \
-            "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
-            "$P_CLI debug_level=3" \
-            0 \
-            -c "found supported_point_formats extension" \
-            -s "server hello, supported_point_formats extension"
+            -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
+            -s "Read from client: $MAX_CONTENT_LEN bytes read"
 
 # Test for large server packets
 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
@@ -4891,52 +5145,585 @@ run_test    "Large server packet TLS 1.2 AEAD shorter tag" \
             0 \
             -c "Read from server: 16384 bytes read"
 
-# Tests for DTLS HelloVerifyRequest
+# Tests for restartable ECC
 
-run_test    "DTLS cookie: enabled" \
-            "$P_SRV dtls=1 debug_level=2" \
-            "$P_CLI dtls=1 debug_level=2" \
+requires_config_enabled MBEDTLS_ECP_RESTARTABLE
+run_test    "EC restart: TLS, default" \
+            "$P_SRV auth_mode=required" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             key_file=data_files/server5.key crt_file=data_files/server5.crt  \
+             debug_level=1" \
             0 \
-            -s "cookie verification failed" \
-            -s "cookie verification passed" \
-            -S "cookie verification skipped" \
-            -c "received hello verify request" \
-            -s "hello verification requested" \
-            -S "SSL - The requested feature is not available"
+            -C "x509_verify_cert.*4b00" \
+            -C "mbedtls_pk_verify.*4b00" \
+            -C "mbedtls_ecdh_make_public.*4b00" \
+            -C "mbedtls_pk_sign.*4b00"
 
-run_test    "DTLS cookie: disabled" \
-            "$P_SRV dtls=1 debug_level=2 cookies=0" \
-            "$P_CLI dtls=1 debug_level=2" \
+requires_config_enabled MBEDTLS_ECP_RESTARTABLE
+run_test    "EC restart: TLS, max_ops=0" \
+            "$P_SRV auth_mode=required" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             key_file=data_files/server5.key crt_file=data_files/server5.crt  \
+             debug_level=1 ec_max_ops=0" \
             0 \
-            -S "cookie verification failed" \
-            -S "cookie verification passed" \
-            -s "cookie verification skipped" \
-            -C "received hello verify request" \
-            -S "hello verification requested" \
-            -S "SSL - The requested feature is not available"
-
-run_test    "DTLS cookie: default (failing)" \
-            "$P_SRV dtls=1 debug_level=2 cookies=-1" \
-            "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
-            1 \
-            -s "cookie verification failed" \
-            -S "cookie verification passed" \
-            -S "cookie verification skipped" \
-            -C "received hello verify request" \
-            -S "hello verification requested" \
-            -s "SSL - The requested feature is not available"
+            -C "x509_verify_cert.*4b00" \
+            -C "mbedtls_pk_verify.*4b00" \
+            -C "mbedtls_ecdh_make_public.*4b00" \
+            -C "mbedtls_pk_sign.*4b00"
 
-requires_ipv6
-run_test    "DTLS cookie: enabled, IPv6" \
-            "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
-            "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
+requires_config_enabled MBEDTLS_ECP_RESTARTABLE
+run_test    "EC restart: TLS, max_ops=65535" \
+            "$P_SRV auth_mode=required" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             key_file=data_files/server5.key crt_file=data_files/server5.crt  \
+             debug_level=1 ec_max_ops=65535" \
             0 \
-            -s "cookie verification failed" \
-            -s "cookie verification passed" \
-            -S "cookie verification skipped" \
-            -c "received hello verify request" \
-            -s "hello verification requested" \
-            -S "SSL - The requested feature is not available"
+            -C "x509_verify_cert.*4b00" \
+            -C "mbedtls_pk_verify.*4b00" \
+            -C "mbedtls_ecdh_make_public.*4b00" \
+            -C "mbedtls_pk_sign.*4b00"
+
+requires_config_enabled MBEDTLS_ECP_RESTARTABLE
+run_test    "EC restart: TLS, max_ops=1000" \
+            "$P_SRV auth_mode=required" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             key_file=data_files/server5.key crt_file=data_files/server5.crt  \
+             debug_level=1 ec_max_ops=1000" \
+            0 \
+            -c "x509_verify_cert.*4b00" \
+            -c "mbedtls_pk_verify.*4b00" \
+            -c "mbedtls_ecdh_make_public.*4b00" \
+            -c "mbedtls_pk_sign.*4b00"
+
+requires_config_enabled MBEDTLS_ECP_RESTARTABLE
+run_test    "EC restart: TLS, max_ops=1000, badsign" \
+            "$P_SRV auth_mode=required \
+             crt_file=data_files/server5-badsign.crt \
+             key_file=data_files/server5.key" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             key_file=data_files/server5.key crt_file=data_files/server5.crt  \
+             debug_level=1 ec_max_ops=1000" \
+            1 \
+            -c "x509_verify_cert.*4b00" \
+            -C "mbedtls_pk_verify.*4b00" \
+            -C "mbedtls_ecdh_make_public.*4b00" \
+            -C "mbedtls_pk_sign.*4b00" \
+            -c "! The certificate is not correctly signed by the trusted CA" \
+            -c "! mbedtls_ssl_handshake returned" \
+            -c "X509 - Certificate verification failed"
+
+requires_config_enabled MBEDTLS_ECP_RESTARTABLE
+run_test    "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
+            "$P_SRV auth_mode=required \
+             crt_file=data_files/server5-badsign.crt \
+             key_file=data_files/server5.key" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             key_file=data_files/server5.key crt_file=data_files/server5.crt  \
+             debug_level=1 ec_max_ops=1000 auth_mode=optional" \
+            0 \
+            -c "x509_verify_cert.*4b00" \
+            -c "mbedtls_pk_verify.*4b00" \
+            -c "mbedtls_ecdh_make_public.*4b00" \
+            -c "mbedtls_pk_sign.*4b00" \
+            -c "! The certificate is not correctly signed by the trusted CA" \
+            -C "! mbedtls_ssl_handshake returned" \
+            -C "X509 - Certificate verification failed"
+
+requires_config_enabled MBEDTLS_ECP_RESTARTABLE
+run_test    "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
+            "$P_SRV auth_mode=required \
+             crt_file=data_files/server5-badsign.crt \
+             key_file=data_files/server5.key" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             key_file=data_files/server5.key crt_file=data_files/server5.crt  \
+             debug_level=1 ec_max_ops=1000 auth_mode=none" \
+            0 \
+            -C "x509_verify_cert.*4b00" \
+            -c "mbedtls_pk_verify.*4b00" \
+            -c "mbedtls_ecdh_make_public.*4b00" \
+            -c "mbedtls_pk_sign.*4b00" \
+            -C "! The certificate is not correctly signed by the trusted CA" \
+            -C "! mbedtls_ssl_handshake returned" \
+            -C "X509 - Certificate verification failed"
+
+requires_config_enabled MBEDTLS_ECP_RESTARTABLE
+run_test    "EC restart: DTLS, max_ops=1000" \
+            "$P_SRV auth_mode=required dtls=1" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             key_file=data_files/server5.key crt_file=data_files/server5.crt  \
+             dtls=1 debug_level=1 ec_max_ops=1000" \
+            0 \
+            -c "x509_verify_cert.*4b00" \
+            -c "mbedtls_pk_verify.*4b00" \
+            -c "mbedtls_ecdh_make_public.*4b00" \
+            -c "mbedtls_pk_sign.*4b00"
+
+requires_config_enabled MBEDTLS_ECP_RESTARTABLE
+run_test    "EC restart: TLS, max_ops=1000 no client auth" \
+            "$P_SRV" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             debug_level=1 ec_max_ops=1000" \
+            0 \
+            -c "x509_verify_cert.*4b00" \
+            -c "mbedtls_pk_verify.*4b00" \
+            -c "mbedtls_ecdh_make_public.*4b00" \
+            -C "mbedtls_pk_sign.*4b00"
+
+requires_config_enabled MBEDTLS_ECP_RESTARTABLE
+run_test    "EC restart: TLS, max_ops=1000, ECDHE-PSK" \
+            "$P_SRV psk=abc123" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
+             psk=abc123 debug_level=1 ec_max_ops=1000" \
+            0 \
+            -C "x509_verify_cert.*4b00" \
+            -C "mbedtls_pk_verify.*4b00" \
+            -C "mbedtls_ecdh_make_public.*4b00" \
+            -C "mbedtls_pk_sign.*4b00"
+
+# Tests of asynchronous private key support in SSL
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: sign, delay=0" \
+            "$P_SRV \
+             async_operations=s async_private_delay1=0 async_private_delay2=0" \
+            "$P_CLI" \
+            0 \
+            -s "Async sign callback: using key slot " \
+            -s "Async resume (slot [0-9]): sign done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: sign, delay=1" \
+            "$P_SRV \
+             async_operations=s async_private_delay1=1 async_private_delay2=1" \
+            "$P_CLI" \
+            0 \
+            -s "Async sign callback: using key slot " \
+            -s "Async resume (slot [0-9]): call 0 more times." \
+            -s "Async resume (slot [0-9]): sign done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: sign, delay=2" \
+            "$P_SRV \
+             async_operations=s async_private_delay1=2 async_private_delay2=2" \
+            "$P_CLI" \
+            0 \
+            -s "Async sign callback: using key slot " \
+            -U "Async sign callback: using key slot " \
+            -s "Async resume (slot [0-9]): call 1 more times." \
+            -s "Async resume (slot [0-9]): call 0 more times." \
+            -s "Async resume (slot [0-9]): sign done, status=0"
+
+# Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1
+# with RSA PKCS#1v1.5 as used in TLS 1.0/1.1.
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
+run_test    "SSL async private: sign, RSA, TLS 1.1" \
+            "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \
+             async_operations=s async_private_delay1=0 async_private_delay2=0" \
+            "$P_CLI force_version=tls1_1" \
+            0 \
+            -s "Async sign callback: using key slot " \
+            -s "Async resume (slot [0-9]): sign done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: sign, SNI" \
+            "$P_SRV debug_level=3 \
+             async_operations=s async_private_delay1=0 async_private_delay2=0 \
+             crt_file=data_files/server5.crt key_file=data_files/server5.key \
+             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
+            "$P_CLI server_name=polarssl.example" \
+            0 \
+            -s "Async sign callback: using key slot " \
+            -s "Async resume (slot [0-9]): sign done, status=0" \
+            -s "parse ServerName extension" \
+            -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
+            -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: decrypt, delay=0" \
+            "$P_SRV \
+             async_operations=d async_private_delay1=0 async_private_delay2=0" \
+            "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+            0 \
+            -s "Async decrypt callback: using key slot " \
+            -s "Async resume (slot [0-9]): decrypt done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: decrypt, delay=1" \
+            "$P_SRV \
+             async_operations=d async_private_delay1=1 async_private_delay2=1" \
+            "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+            0 \
+            -s "Async decrypt callback: using key slot " \
+            -s "Async resume (slot [0-9]): call 0 more times." \
+            -s "Async resume (slot [0-9]): decrypt done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: decrypt RSA-PSK, delay=0" \
+            "$P_SRV psk=abc123 \
+             async_operations=d async_private_delay1=0 async_private_delay2=0" \
+            "$P_CLI psk=abc123 \
+             force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
+            0 \
+            -s "Async decrypt callback: using key slot " \
+            -s "Async resume (slot [0-9]): decrypt done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: decrypt RSA-PSK, delay=1" \
+            "$P_SRV psk=abc123 \
+             async_operations=d async_private_delay1=1 async_private_delay2=1" \
+            "$P_CLI psk=abc123 \
+             force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
+            0 \
+            -s "Async decrypt callback: using key slot " \
+            -s "Async resume (slot [0-9]): call 0 more times." \
+            -s "Async resume (slot [0-9]): decrypt done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: sign callback not present" \
+            "$P_SRV \
+             async_operations=d async_private_delay1=1 async_private_delay2=1" \
+            "$P_CLI; [ \$? -eq 1 ] &&
+             $P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+            0 \
+            -S "Async sign callback" \
+            -s "! mbedtls_ssl_handshake returned" \
+            -s "The own private key or pre-shared key is not set, but needed" \
+            -s "Async resume (slot [0-9]): decrypt done, status=0" \
+            -s "Successful connection"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: decrypt callback not present" \
+            "$P_SRV debug_level=1 \
+             async_operations=s async_private_delay1=1 async_private_delay2=1" \
+            "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA;
+             [ \$? -eq 1 ] && $P_CLI" \
+            0 \
+            -S "Async decrypt callback" \
+            -s "! mbedtls_ssl_handshake returned" \
+            -s "got no RSA private key" \
+            -s "Async resume (slot [0-9]): sign done, status=0" \
+            -s "Successful connection"
+
+# key1: ECDSA, key2: RSA; use key1 from slot 0
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: slot 0 used with key1" \
+            "$P_SRV \
+             async_operations=s async_private_delay1=1 \
+             key_file=data_files/server5.key crt_file=data_files/server5.crt \
+             key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
+            0 \
+            -s "Async sign callback: using key slot 0," \
+            -s "Async resume (slot 0): call 0 more times." \
+            -s "Async resume (slot 0): sign done, status=0"
+
+# key1: ECDSA, key2: RSA; use key2 from slot 0
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: slot 0 used with key2" \
+            "$P_SRV \
+             async_operations=s async_private_delay2=1 \
+             key_file=data_files/server5.key crt_file=data_files/server5.crt \
+             key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+            0 \
+            -s "Async sign callback: using key slot 0," \
+            -s "Async resume (slot 0): call 0 more times." \
+            -s "Async resume (slot 0): sign done, status=0"
+
+# key1: ECDSA, key2: RSA; use key2 from slot 1
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: slot 1 used with key2" \
+            "$P_SRV \
+             async_operations=s async_private_delay1=1 async_private_delay2=1 \
+             key_file=data_files/server5.key crt_file=data_files/server5.crt \
+             key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+            0 \
+            -s "Async sign callback: using key slot 1," \
+            -s "Async resume (slot 1): call 0 more times." \
+            -s "Async resume (slot 1): sign done, status=0"
+
+# key1: ECDSA, key2: RSA; use key2 directly
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: fall back to transparent key" \
+            "$P_SRV \
+             async_operations=s async_private_delay1=1 \
+             key_file=data_files/server5.key crt_file=data_files/server5.crt \
+             key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+            0 \
+            -s "Async sign callback: no key matches this certificate."
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: sign, error in start" \
+            "$P_SRV \
+             async_operations=s async_private_delay1=1 async_private_delay2=1 \
+             async_private_error=1" \
+            "$P_CLI" \
+            1 \
+            -s "Async sign callback: injected error" \
+            -S "Async resume" \
+            -S "Async cancel" \
+            -s "! mbedtls_ssl_handshake returned"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: sign, cancel after start" \
+            "$P_SRV \
+             async_operations=s async_private_delay1=1 async_private_delay2=1 \
+             async_private_error=2" \
+            "$P_CLI" \
+            1 \
+            -s "Async sign callback: using key slot " \
+            -S "Async resume" \
+            -s "Async cancel"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: sign, error in resume" \
+            "$P_SRV \
+             async_operations=s async_private_delay1=1 async_private_delay2=1 \
+             async_private_error=3" \
+            "$P_CLI" \
+            1 \
+            -s "Async sign callback: using key slot " \
+            -s "Async resume callback: sign done but injected error" \
+            -S "Async cancel" \
+            -s "! mbedtls_ssl_handshake returned"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: decrypt, error in start" \
+            "$P_SRV \
+             async_operations=d async_private_delay1=1 async_private_delay2=1 \
+             async_private_error=1" \
+            "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+            1 \
+            -s "Async decrypt callback: injected error" \
+            -S "Async resume" \
+            -S "Async cancel" \
+            -s "! mbedtls_ssl_handshake returned"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: decrypt, cancel after start" \
+            "$P_SRV \
+             async_operations=d async_private_delay1=1 async_private_delay2=1 \
+             async_private_error=2" \
+            "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+            1 \
+            -s "Async decrypt callback: using key slot " \
+            -S "Async resume" \
+            -s "Async cancel"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: decrypt, error in resume" \
+            "$P_SRV \
+             async_operations=d async_private_delay1=1 async_private_delay2=1 \
+             async_private_error=3" \
+            "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+            1 \
+            -s "Async decrypt callback: using key slot " \
+            -s "Async resume callback: decrypt done but injected error" \
+            -S "Async cancel" \
+            -s "! mbedtls_ssl_handshake returned"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: cancel after start then operate correctly" \
+            "$P_SRV \
+             async_operations=s async_private_delay1=1 async_private_delay2=1 \
+             async_private_error=-2" \
+            "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
+            0 \
+            -s "Async cancel" \
+            -s "! mbedtls_ssl_handshake returned" \
+            -s "Async resume" \
+            -s "Successful connection"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: error in resume then operate correctly" \
+            "$P_SRV \
+             async_operations=s async_private_delay1=1 async_private_delay2=1 \
+             async_private_error=-3" \
+            "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
+            0 \
+            -s "! mbedtls_ssl_handshake returned" \
+            -s "Async resume" \
+            -s "Successful connection"
+
+# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: cancel after start then fall back to transparent key" \
+            "$P_SRV \
+             async_operations=s async_private_delay1=1 async_private_error=-2 \
+             key_file=data_files/server5.key crt_file=data_files/server5.crt \
+             key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
+             [ \$? -eq 1 ] &&
+             $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+            0 \
+            -s "Async sign callback: using key slot 0" \
+            -S "Async resume" \
+            -s "Async cancel" \
+            -s "! mbedtls_ssl_handshake returned" \
+            -s "Async sign callback: no key matches this certificate." \
+            -s "Successful connection"
+
+# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+run_test    "SSL async private: sign, error in resume then fall back to transparent key" \
+            "$P_SRV \
+             async_operations=s async_private_delay1=1 async_private_error=-3 \
+             key_file=data_files/server5.key crt_file=data_files/server5.crt \
+             key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
+             [ \$? -eq 1 ] &&
+             $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+            0 \
+            -s "Async resume" \
+            -s "! mbedtls_ssl_handshake returned" \
+            -s "Async sign callback: no key matches this certificate." \
+            -s "Successful connection"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test    "SSL async private: renegotiation: client-initiated; sign" \
+            "$P_SRV \
+             async_operations=s async_private_delay1=1 async_private_delay2=1 \
+             exchanges=2 renegotiation=1" \
+            "$P_CLI exchanges=2 renegotiation=1 renegotiate=1" \
+            0 \
+            -s "Async sign callback: using key slot " \
+            -s "Async resume (slot [0-9]): sign done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test    "SSL async private: renegotiation: server-initiated; sign" \
+            "$P_SRV \
+             async_operations=s async_private_delay1=1 async_private_delay2=1 \
+             exchanges=2 renegotiation=1 renegotiate=1" \
+            "$P_CLI exchanges=2 renegotiation=1" \
+            0 \
+            -s "Async sign callback: using key slot " \
+            -s "Async resume (slot [0-9]): sign done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test    "SSL async private: renegotiation: client-initiated; decrypt" \
+            "$P_SRV \
+             async_operations=d async_private_delay1=1 async_private_delay2=1 \
+             exchanges=2 renegotiation=1" \
+            "$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
+             force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+            0 \
+            -s "Async decrypt callback: using key slot " \
+            -s "Async resume (slot [0-9]): decrypt done, status=0"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+run_test    "SSL async private: renegotiation: server-initiated; decrypt" \
+            "$P_SRV \
+             async_operations=d async_private_delay1=1 async_private_delay2=1 \
+             exchanges=2 renegotiation=1 renegotiate=1" \
+            "$P_CLI exchanges=2 renegotiation=1 \
+             force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
+            0 \
+            -s "Async decrypt callback: using key slot " \
+            -s "Async resume (slot [0-9]): decrypt done, status=0"
+
+# Tests for ECC extensions (rfc 4492)
+
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
+requires_config_enabled MBEDTLS_SHA256_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+run_test    "Force a non ECC ciphersuite in the client side" \
+            "$P_SRV debug_level=3" \
+            "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
+            0 \
+            -C "client hello, adding supported_elliptic_curves extension" \
+            -C "client hello, adding supported_point_formats extension" \
+            -S "found supported elliptic curves extension" \
+            -S "found supported point formats extension"
+
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
+requires_config_enabled MBEDTLS_SHA256_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+run_test    "Force a non ECC ciphersuite in the server side" \
+            "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
+            "$P_CLI debug_level=3" \
+            0 \
+            -C "found supported_point_formats extension" \
+            -S "server hello, supported_point_formats extension"
+
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
+requires_config_enabled MBEDTLS_SHA256_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+run_test    "Force an ECC ciphersuite in the client side" \
+            "$P_SRV debug_level=3" \
+            "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
+            0 \
+            -c "client hello, adding supported_elliptic_curves extension" \
+            -c "client hello, adding supported_point_formats extension" \
+            -s "found supported elliptic curves extension" \
+            -s "found supported point formats extension"
+
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
+requires_config_enabled MBEDTLS_SHA256_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+run_test    "Force an ECC ciphersuite in the server side" \
+            "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
+            "$P_CLI debug_level=3" \
+            0 \
+            -c "found supported_point_formats extension" \
+            -s "server hello, supported_point_formats extension"
+
+# Tests for DTLS HelloVerifyRequest
+
+run_test    "DTLS cookie: enabled" \
+            "$P_SRV dtls=1 debug_level=2" \
+            "$P_CLI dtls=1 debug_level=2" \
+            0 \
+            -s "cookie verification failed" \
+            -s "cookie verification passed" \
+            -S "cookie verification skipped" \
+            -c "received hello verify request" \
+            -s "hello verification requested" \
+            -S "SSL - The requested feature is not available"
+
+run_test    "DTLS cookie: disabled" \
+            "$P_SRV dtls=1 debug_level=2 cookies=0" \
+            "$P_CLI dtls=1 debug_level=2" \
+            0 \
+            -S "cookie verification failed" \
+            -S "cookie verification passed" \
+            -s "cookie verification skipped" \
+            -C "received hello verify request" \
+            -S "hello verification requested" \
+            -S "SSL - The requested feature is not available"
+
+run_test    "DTLS cookie: default (failing)" \
+            "$P_SRV dtls=1 debug_level=2 cookies=-1" \
+            "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
+            1 \
+            -s "cookie verification failed" \
+            -S "cookie verification passed" \
+            -S "cookie verification skipped" \
+            -C "received hello verify request" \
+            -S "hello verification requested" \
+            -s "SSL - The requested feature is not available"
+
+requires_ipv6
+run_test    "DTLS cookie: enabled, IPv6" \
+            "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
+            "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
+            0 \
+            -s "cookie verification failed" \
+            -s "cookie verification passed" \
+            -S "cookie verification skipped" \
+            -c "received hello verify request" \
+            -s "hello verification requested" \
+            -S "SSL - The requested feature is not available"
 
 run_test    "DTLS cookie: enabled, nbio" \
             "$P_SRV dtls=1 nbio=2 debug_level=2" \
@@ -5111,6 +5898,951 @@ run_test    "DTLS reassembly: fragmentation, nbio (openssl server)" \
             -c "found fragmented DTLS handshake message" \
             -C "error"
 
+# Tests for sending fragmented handshake messages with DTLS
+#
+# Use client auth when we need the client to send large messages,
+# and use large cert chains on both sides too (the long chains we have all use
+# both RSA and ECDSA, but ideally we should have long chains with either).
+# Sizes reached (UDP payload):
+# - 2037B for server certificate
+# - 1542B for client certificate
+# - 1013B for newsessionticket
+# - all others below 512B
+# All those tests assume MAX_CONTENT_LEN is at least 2048
+
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+run_test    "DTLS fragmenting: none (for reference)" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=2500-60000 \
+             max_frag_len=4096" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=2500-60000 \
+             max_frag_len=4096" \
+            0 \
+            -S "found fragmented DTLS handshake message" \
+            -C "found fragmented DTLS handshake message" \
+            -C "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+run_test    "DTLS fragmenting: server only (max_frag_len)" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=2500-60000 \
+             max_frag_len=1024" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=2500-60000 \
+             max_frag_len=2048" \
+            0 \
+            -S "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# With the MFL extension, the server has no way of forcing
+# the client to not exceed a certain MTU; hence, the following
+# test can't be replicated with an MTU proxy such as the one
+# `client-initiated, server only (max_frag_len)` below.
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+run_test    "DTLS fragmenting: server only (more) (max_frag_len)" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=2500-60000 \
+             max_frag_len=512" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=2500-60000 \
+             max_frag_len=4096" \
+            0 \
+            -S "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+run_test    "DTLS fragmenting: client-initiated, server only (max_frag_len)" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=none \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=2500-60000 \
+             max_frag_len=2048" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=2500-60000 \
+             max_frag_len=1024" \
+             0 \
+            -S "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# While not required by the standard defining the MFL extension
+# (according to which it only applies to records, not to datagrams),
+# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
+# as otherwise there wouldn't be any means to communicate MTU restrictions
+# to the peer.
+# The next test checks that no datagrams significantly larger than the
+# negotiated MFL are sent.
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+run_test    "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \
+            -p "$P_PXY mtu=1110" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=none \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=2500-60000 \
+             max_frag_len=2048" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=2500-60000 \
+             max_frag_len=1024" \
+            0 \
+            -S "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+run_test    "DTLS fragmenting: client-initiated, both (max_frag_len)" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=2500-60000 \
+             max_frag_len=2048" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=2500-60000 \
+             max_frag_len=1024" \
+            0 \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# While not required by the standard defining the MFL extension
+# (according to which it only applies to records, not to datagrams),
+# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
+# as otherwise there wouldn't be any means to communicate MTU restrictions
+# to the peer.
+# The next test checks that no datagrams significantly larger than the
+# negotiated MFL are sent.
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+run_test    "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \
+            -p "$P_PXY mtu=1110" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=2500-60000 \
+             max_frag_len=2048" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=2500-60000 \
+             max_frag_len=1024" \
+            0 \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+run_test    "DTLS fragmenting: none (for reference) (MTU)" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=2500-60000 \
+             mtu=4096" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=2500-60000 \
+             mtu=4096" \
+            0 \
+            -S "found fragmented DTLS handshake message" \
+            -C "found fragmented DTLS handshake message" \
+            -C "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+run_test    "DTLS fragmenting: client (MTU)" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=3500-60000 \
+             mtu=4096" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=3500-60000 \
+             mtu=1024" \
+            0 \
+            -s "found fragmented DTLS handshake message" \
+            -C "found fragmented DTLS handshake message" \
+            -C "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+run_test    "DTLS fragmenting: server (MTU)" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=2500-60000 \
+             mtu=512" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=2500-60000 \
+             mtu=2048" \
+            0 \
+            -S "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+run_test    "DTLS fragmenting: both (MTU=1024)" \
+            -p "$P_PXY mtu=1024" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=2500-60000 \
+             mtu=1024" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=2500-60000 \
+             mtu=1024" \
+            0 \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SHA256_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
+run_test    "DTLS fragmenting: both (MTU=512)" \
+            -p "$P_PXY mtu=512" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=2500-60000 \
+             mtu=512" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             hs_timeout=2500-60000 \
+             mtu=512" \
+            0 \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# Test for automatic MTU reduction on repeated resend.
+# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
+# The ratio of max/min timeout should ideally equal 4 to accept two
+# retransmissions, but in some cases (like both the server and client using
+# fragmentation and auto-reduction) an extra retransmission might occur,
+# hence the ratio of 8.
+not_with_valgrind
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
+run_test    "DTLS fragmenting: proxy MTU: auto-reduction" \
+            -p "$P_PXY mtu=508" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=400-3200" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             hs_timeout=400-3200" \
+            0 \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
+only_with_valgrind
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
+run_test    "DTLS fragmenting: proxy MTU: auto-reduction" \
+            -p "$P_PXY mtu=508" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=250-10000" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             hs_timeout=250-10000" \
+            0 \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
+# OTOH the client might resend if the server is to slow to reset after sending
+# a HelloVerifyRequest, so only check for no retransmission server-side
+not_with_valgrind # spurious autoreduction due to timeout
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+run_test    "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
+            -p "$P_PXY mtu=1024" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=10000-60000 \
+             mtu=1024" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=10000-60000 \
+             mtu=1024" \
+            0 \
+            -S "autoreduction" \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
+# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
+# OTOH the client might resend if the server is to slow to reset after sending
+# a HelloVerifyRequest, so only check for no retransmission server-side
+not_with_valgrind # spurious autoreduction due to timeout
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
+run_test    "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
+            -p "$P_PXY mtu=512" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=10000-60000 \
+             mtu=512" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             hs_timeout=10000-60000 \
+             mtu=512" \
+            0 \
+            -S "autoreduction" \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+not_with_valgrind # spurious autoreduction due to timeout
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+run_test    "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
+            -p "$P_PXY mtu=1024" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=10000-60000 \
+             mtu=1024 nbio=2" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=10000-60000 \
+             mtu=1024 nbio=2" \
+            0 \
+            -S "autoreduction" \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
+not_with_valgrind # spurious autoreduction due to timeout
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
+run_test    "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
+            -p "$P_PXY mtu=512" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=10000-60000 \
+             mtu=512 nbio=2" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             hs_timeout=10000-60000 \
+             mtu=512 nbio=2" \
+            0 \
+            -S "autoreduction" \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# Forcing ciphersuite for this test to fit the MTU of 1450 with full config.
+# This ensures things still work after session_reset().
+# It also exercises the "resumed handshake" flow.
+# Since we don't support reading fragmented ClientHello yet,
+# up the MTU to 1450 (larger than ClientHello with session ticket,
+# but still smaller than client's Certificate to ensure fragmentation).
+# An autoreduction on the client-side might happen if the server is
+# slow to reset, therefore omitting '-C "autoreduction"' below.
+# reco_delay avoids races where the client reconnects before the server has
+# resumed listening, which would result in a spurious autoreduction.
+not_with_valgrind # spurious autoreduction due to timeout
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
+run_test    "DTLS fragmenting: proxy MTU, resumed handshake" \
+            -p "$P_PXY mtu=1450" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=10000-60000 \
+             mtu=1450" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=10000-60000 \
+             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             mtu=1450 reconnect=1 reco_delay=1" \
+            0 \
+            -S "autoreduction" \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# An autoreduction on the client-side might happen if the server is
+# slow to reset, therefore omitting '-C "autoreduction"' below.
+not_with_valgrind # spurious autoreduction due to timeout
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SHA256_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+requires_config_enabled MBEDTLS_CHACHAPOLY_C
+run_test    "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
+            -p "$P_PXY mtu=512" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             exchanges=2 renegotiation=1 \
+             hs_timeout=10000-60000 \
+             mtu=512" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             exchanges=2 renegotiation=1 renegotiate=1 \
+             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             hs_timeout=10000-60000 \
+             mtu=512" \
+            0 \
+            -S "autoreduction" \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# An autoreduction on the client-side might happen if the server is
+# slow to reset, therefore omitting '-C "autoreduction"' below.
+not_with_valgrind # spurious autoreduction due to timeout
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SHA256_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
+run_test    "DTLS fragmenting: proxy MTU, AES-GCM renego" \
+            -p "$P_PXY mtu=512" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             exchanges=2 renegotiation=1 \
+             hs_timeout=10000-60000 \
+             mtu=512" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             exchanges=2 renegotiation=1 renegotiate=1 \
+             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             hs_timeout=10000-60000 \
+             mtu=512" \
+            0 \
+            -S "autoreduction" \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# An autoreduction on the client-side might happen if the server is
+# slow to reset, therefore omitting '-C "autoreduction"' below.
+not_with_valgrind # spurious autoreduction due to timeout
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SHA256_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_CCM_C
+run_test    "DTLS fragmenting: proxy MTU, AES-CCM renego" \
+            -p "$P_PXY mtu=1024" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             exchanges=2 renegotiation=1 \
+             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
+             hs_timeout=10000-60000 \
+             mtu=1024" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             exchanges=2 renegotiation=1 renegotiate=1 \
+             hs_timeout=10000-60000 \
+             mtu=1024" \
+            0 \
+            -S "autoreduction" \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# An autoreduction on the client-side might happen if the server is
+# slow to reset, therefore omitting '-C "autoreduction"' below.
+not_with_valgrind # spurious autoreduction due to timeout
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SHA256_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
+requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
+run_test    "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
+            -p "$P_PXY mtu=1024" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             exchanges=2 renegotiation=1 \
+             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
+             hs_timeout=10000-60000 \
+             mtu=1024" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             exchanges=2 renegotiation=1 renegotiate=1 \
+             hs_timeout=10000-60000 \
+             mtu=1024" \
+            0 \
+            -S "autoreduction" \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# An autoreduction on the client-side might happen if the server is
+# slow to reset, therefore omitting '-C "autoreduction"' below.
+not_with_valgrind # spurious autoreduction due to timeout
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SHA256_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
+run_test    "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
+            -p "$P_PXY mtu=1024" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             exchanges=2 renegotiation=1 \
+             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \
+             hs_timeout=10000-60000 \
+             mtu=1024" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             exchanges=2 renegotiation=1 renegotiate=1 \
+             hs_timeout=10000-60000 \
+             mtu=1024" \
+            0 \
+            -S "autoreduction" \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
+client_needs_more_time 2
+run_test    "DTLS fragmenting: proxy MTU + 3d" \
+            -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
+            "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=250-10000 mtu=512" \
+            "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             hs_timeout=250-10000 mtu=512" \
+            0 \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+requires_config_enabled MBEDTLS_AES_C
+requires_config_enabled MBEDTLS_GCM_C
+client_needs_more_time 2
+run_test    "DTLS fragmenting: proxy MTU + 3d, nbio" \
+            -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
+            "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=250-10000 mtu=512 nbio=2" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+             hs_timeout=250-10000 mtu=512 nbio=2" \
+            0 \
+            -s "found fragmented DTLS handshake message" \
+            -c "found fragmented DTLS handshake message" \
+            -C "error"
+
+# interop tests for DTLS fragmentating with reliable connection
+#
+# here and below we just want to test that the we fragment in a way that
+# pleases other implementations, so we don't need the peer to fragment
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_gnutls
+run_test    "DTLS fragmenting: gnutls server, DTLS 1.2" \
+            "$G_SRV -u" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             mtu=512 force_version=dtls1_2" \
+            0 \
+            -c "fragmenting handshake message" \
+            -C "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
+requires_gnutls
+run_test    "DTLS fragmenting: gnutls server, DTLS 1.0" \
+            "$G_SRV -u" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             mtu=512 force_version=dtls1" \
+            0 \
+            -c "fragmenting handshake message" \
+            -C "error"
+
+# We use --insecure for the GnuTLS client because it expects
+# the hostname / IP it connects to to be the name used in the
+# certificate obtained from the server. Here, however, it
+# connects to 127.0.0.1 while our test certificates use 'localhost'
+# as the server name in the certificate. This will make the
+# certifiate validation fail, but passing --insecure makes
+# GnuTLS continue the connection nonetheless.
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_gnutls
+requires_not_i686
+run_test    "DTLS fragmenting: gnutls client, DTLS 1.2" \
+            "$P_SRV dtls=1 debug_level=2 \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             mtu=512 force_version=dtls1_2" \
+            "$G_CLI -u --insecure 127.0.0.1" \
+            0 \
+            -s "fragmenting handshake message"
+
+# See previous test for the reason to use --insecure
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
+requires_gnutls
+requires_not_i686
+run_test    "DTLS fragmenting: gnutls client, DTLS 1.0" \
+            "$P_SRV dtls=1 debug_level=2 \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             mtu=512 force_version=dtls1" \
+            "$G_CLI -u --insecure 127.0.0.1" \
+            0 \
+            -s "fragmenting handshake message"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test    "DTLS fragmenting: openssl server, DTLS 1.2" \
+            "$O_SRV -dtls1_2 -verify 10" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             mtu=512 force_version=dtls1_2" \
+            0 \
+            -c "fragmenting handshake message" \
+            -C "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
+run_test    "DTLS fragmenting: openssl server, DTLS 1.0" \
+            "$O_SRV -dtls1 -verify 10" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             mtu=512 force_version=dtls1" \
+            0 \
+            -c "fragmenting handshake message" \
+            -C "error"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+run_test    "DTLS fragmenting: openssl client, DTLS 1.2" \
+            "$P_SRV dtls=1 debug_level=2 \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             mtu=512 force_version=dtls1_2" \
+            "$O_CLI -dtls1_2" \
+            0 \
+            -s "fragmenting handshake message"
+
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
+run_test    "DTLS fragmenting: openssl client, DTLS 1.0" \
+            "$P_SRV dtls=1 debug_level=2 \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             mtu=512 force_version=dtls1" \
+            "$O_CLI -dtls1" \
+            0 \
+            -s "fragmenting handshake message"
+
+# interop tests for DTLS fragmentating with unreliable connection
+#
+# again we just want to test that the we fragment in a way that
+# pleases other implementations, so we don't need the peer to fragment
+requires_gnutls_next
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+client_needs_more_time 4
+run_test    "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
+            -p "$P_PXY drop=8 delay=8 duplicate=8" \
+            "$G_NEXT_SRV -u" \
+            "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
+            0 \
+            -c "fragmenting handshake message" \
+            -C "error"
+
+requires_gnutls_next
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
+client_needs_more_time 4
+run_test    "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
+            -p "$P_PXY drop=8 delay=8 duplicate=8" \
+            "$G_NEXT_SRV -u" \
+            "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=250-60000 mtu=512 force_version=dtls1" \
+            0 \
+            -c "fragmenting handshake message" \
+            -C "error"
+
+requires_gnutls_next
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+client_needs_more_time 4
+run_test    "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
+            -p "$P_PXY drop=8 delay=8 duplicate=8" \
+            "$P_SRV dtls=1 debug_level=2 \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
+           "$G_NEXT_CLI -u --insecure 127.0.0.1" \
+            0 \
+            -s "fragmenting handshake message"
+
+requires_gnutls_next
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
+client_needs_more_time 4
+run_test    "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \
+            -p "$P_PXY drop=8 delay=8 duplicate=8" \
+            "$P_SRV dtls=1 debug_level=2 \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=250-60000 mtu=512 force_version=dtls1" \
+           "$G_NEXT_CLI -u --insecure 127.0.0.1" \
+            0 \
+            -s "fragmenting handshake message"
+
+## Interop test with OpenSSL might trigger a bug in recent versions (including
+## all versions installed on the CI machines), reported here:
+## Bug report: https://github.com/openssl/openssl/issues/6902
+## They should be re-enabled once a fixed version of OpenSSL is available
+## (this should happen in some 1.1.1_ release according to the ticket).
+skip_next_test
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+client_needs_more_time 4
+run_test    "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
+            -p "$P_PXY drop=8 delay=8 duplicate=8" \
+            "$O_SRV -dtls1_2 -verify 10" \
+            "$P_CLI dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
+            0 \
+            -c "fragmenting handshake message" \
+            -C "error"
+
+skip_next_test
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
+client_needs_more_time 4
+run_test    "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \
+            -p "$P_PXY drop=8 delay=8 duplicate=8" \
+            "$O_SRV -dtls1 -verify 10" \
+            "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+             crt_file=data_files/server8_int-ca2.crt \
+             key_file=data_files/server8.key \
+             hs_timeout=250-60000 mtu=512 force_version=dtls1" \
+            0 \
+            -c "fragmenting handshake message" \
+            -C "error"
+
+skip_next_test
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+client_needs_more_time 4
+run_test    "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
+            -p "$P_PXY drop=8 delay=8 duplicate=8" \
+            "$P_SRV dtls=1 debug_level=2 \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
+            "$O_CLI -dtls1_2" \
+            0 \
+            -s "fragmenting handshake message"
+
+# -nbio is added to prevent s_client from blocking in case of duplicated
+# messages at the end of the handshake
+skip_next_test
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
+client_needs_more_time 4
+run_test    "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \
+            -p "$P_PXY drop=8 delay=8 duplicate=8" \
+            "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \
+             crt_file=data_files/server7_int-ca.crt \
+             key_file=data_files/server7.key \
+             hs_timeout=250-60000 mtu=512 force_version=dtls1" \
+            "$O_CLI -nbio -dtls1" \
+            0 \
+            -s "fragmenting handshake message"
+
 # Tests for specific things with "unreliable" UDP connection
 
 not_with_valgrind # spurious resend due to timeout
@@ -5132,8 +6864,8 @@ run_test    "DTLS proxy: reference" \
 not_with_valgrind # spurious resend due to timeout
 run_test    "DTLS proxy: duplicate every packet" \
             -p "$P_PXY duplicate=1" \
-            "$P_SRV dtls=1 debug_level=2" \
-            "$P_CLI dtls=1 debug_level=2" \
+            "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
+            "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
             0 \
             -c "replayed record" \
             -s "replayed record" \
@@ -5145,8 +6877,8 @@ run_test    "DTLS proxy: duplicate every packet" \
 
 run_test    "DTLS proxy: duplicate every packet, server anti-replay off" \
             -p "$P_PXY duplicate=1" \
-            "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
-            "$P_CLI dtls=1 debug_level=2" \
+            "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=0" \
+            "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
             0 \
             -c "replayed record" \
             -S "replayed record" \
@@ -5157,10 +6889,26 @@ run_test    "DTLS proxy: duplicate every packet, server anti-replay off" \
             -s "Extra-header:" \
             -c "HTTP/1.0 200 OK"
 
+run_test    "DTLS proxy: multiple records in same datagram" \
+            -p "$P_PXY pack=50" \
+            "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
+            "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
+            0 \
+            -c "next record in same datagram" \
+            -s "next record in same datagram"
+
+run_test    "DTLS proxy: multiple records in same datagram, duplicate every packet" \
+            -p "$P_PXY pack=50 duplicate=1" \
+            "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
+            "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
+            0 \
+            -c "next record in same datagram" \
+            -s "next record in same datagram"
+
 run_test    "DTLS proxy: inject invalid AD record, default badmac_limit" \
             -p "$P_PXY bad_ad=1" \
-            "$P_SRV dtls=1 debug_level=1" \
-            "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
+            "$P_SRV dtls=1 dgram_packing=0 debug_level=1" \
+            "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
             0 \
             -c "discarding invalid record (mac)" \
             -s "discarding invalid record (mac)" \
@@ -5171,8 +6919,8 @@ run_test    "DTLS proxy: inject invalid AD record, default badmac_limit" \
 
 run_test    "DTLS proxy: inject invalid AD record, badmac_limit 1" \
             -p "$P_PXY bad_ad=1" \
-            "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
-            "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
+            "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=1" \
+            "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
             1 \
             -C "discarding invalid record (mac)" \
             -S "discarding invalid record (mac)" \
@@ -5183,8 +6931,8 @@ run_test    "DTLS proxy: inject invalid AD record, badmac_limit 1" \
 
 run_test    "DTLS proxy: inject invalid AD record, badmac_limit 2" \
             -p "$P_PXY bad_ad=1" \
-            "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
-            "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
+            "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2" \
+            "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
             0 \
             -c "discarding invalid record (mac)" \
             -s "discarding invalid record (mac)" \
@@ -5195,8 +6943,8 @@ run_test    "DTLS proxy: inject invalid AD record, badmac_limit 2" \
 
 run_test    "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
             -p "$P_PXY bad_ad=1" \
-            "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
-            "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
+            "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2 exchanges=2" \
+            "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100 exchanges=2" \
             1 \
             -c "discarding invalid record (mac)" \
             -s "discarding invalid record (mac)" \
@@ -5207,22 +6955,190 @@ run_test    "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
 
 run_test    "DTLS proxy: delay ChangeCipherSpec" \
             -p "$P_PXY delay_ccs=1" \
-            "$P_SRV dtls=1 debug_level=1" \
-            "$P_CLI dtls=1 debug_level=1" \
+            "$P_SRV dtls=1 debug_level=1 dgram_packing=0" \
+            "$P_CLI dtls=1 debug_level=1 dgram_packing=0" \
             0 \
             -c "record from another epoch" \
             -s "record from another epoch" \
             -s "Extra-header:" \
             -c "HTTP/1.0 200 OK"
 
+# Tests for reordering support with DTLS
+
+run_test    "DTLS reordering: Buffer out-of-order handshake message on client" \
+            -p "$P_PXY delay_srv=ServerHello" \
+            "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
+            hs_timeout=2500-60000" \
+            "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+            hs_timeout=2500-60000" \
+            0 \
+            -c "Buffering HS message" \
+            -c "Next handshake message has been buffered - load"\
+            -S "Buffering HS message" \
+            -S "Next handshake message has been buffered - load"\
+            -C "Injecting buffered CCS message" \
+            -C "Remember CCS message" \
+            -S "Injecting buffered CCS message" \
+            -S "Remember CCS message"
+
+run_test    "DTLS reordering: Buffer out-of-order handshake message fragment on client" \
+            -p "$P_PXY delay_srv=ServerHello" \
+            "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
+            hs_timeout=2500-60000" \
+            "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+            hs_timeout=2500-60000" \
+            0 \
+            -c "Buffering HS message" \
+            -c "found fragmented DTLS handshake message"\
+            -c "Next handshake message 1 not or only partially bufffered" \
+            -c "Next handshake message has been buffered - load"\
+            -S "Buffering HS message" \
+            -S "Next handshake message has been buffered - load"\
+            -C "Injecting buffered CCS message" \
+            -C "Remember CCS message" \
+            -S "Injecting buffered CCS message" \
+            -S "Remember CCS message"
+
+# The client buffers the ServerKeyExchange before receiving the fragmented
+# Certificate message; at the time of writing, together these are aroudn 1200b
+# in size, so that the bound below ensures that the certificate can be reassembled
+# while keeping the ServerKeyExchange.
+requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300
+run_test    "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \
+            -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
+            "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
+            hs_timeout=2500-60000" \
+            "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+            hs_timeout=2500-60000" \
+            0 \
+            -c "Buffering HS message" \
+            -c "Next handshake message has been buffered - load"\
+            -C "attempt to make space by freeing buffered messages" \
+            -S "Buffering HS message" \
+            -S "Next handshake message has been buffered - load"\
+            -C "Injecting buffered CCS message" \
+            -C "Remember CCS message" \
+            -S "Injecting buffered CCS message" \
+            -S "Remember CCS message"
+
+# The size constraints ensure that the delayed certificate message can't
+# be reassembled while keeping the ServerKeyExchange message, but it can
+# when dropping it first.
+requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 900
+requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299
+run_test    "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \
+            -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
+            "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
+            hs_timeout=2500-60000" \
+            "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+            hs_timeout=2500-60000" \
+            0 \
+            -c "Buffering HS message" \
+            -c "attempt to make space by freeing buffered future messages" \
+            -c "Enough space available after freeing buffered HS messages" \
+            -S "Buffering HS message" \
+            -S "Next handshake message has been buffered - load"\
+            -C "Injecting buffered CCS message" \
+            -C "Remember CCS message" \
+            -S "Injecting buffered CCS message" \
+            -S "Remember CCS message"
+
+run_test    "DTLS reordering: Buffer out-of-order handshake message on server" \
+            -p "$P_PXY delay_cli=Certificate" \
+            "$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2 \
+            hs_timeout=2500-60000" \
+            "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+            hs_timeout=2500-60000" \
+            0 \
+            -C "Buffering HS message" \
+            -C "Next handshake message has been buffered - load"\
+            -s "Buffering HS message" \
+            -s "Next handshake message has been buffered - load" \
+            -C "Injecting buffered CCS message" \
+            -C "Remember CCS message" \
+            -S "Injecting buffered CCS message" \
+            -S "Remember CCS message"
+
+run_test    "DTLS reordering: Buffer out-of-order CCS message on client"\
+            -p "$P_PXY delay_srv=NewSessionTicket" \
+            "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
+            hs_timeout=2500-60000" \
+            "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+            hs_timeout=2500-60000" \
+            0 \
+            -C "Buffering HS message" \
+            -C "Next handshake message has been buffered - load"\
+            -S "Buffering HS message" \
+            -S "Next handshake message has been buffered - load" \
+            -c "Injecting buffered CCS message" \
+            -c "Remember CCS message" \
+            -S "Injecting buffered CCS message" \
+            -S "Remember CCS message"
+
+run_test    "DTLS reordering: Buffer out-of-order CCS message on server"\
+            -p "$P_PXY delay_cli=ClientKeyExchange" \
+            "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
+            hs_timeout=2500-60000" \
+            "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+            hs_timeout=2500-60000" \
+            0 \
+            -C "Buffering HS message" \
+            -C "Next handshake message has been buffered - load"\
+            -S "Buffering HS message" \
+            -S "Next handshake message has been buffered - load" \
+            -C "Injecting buffered CCS message" \
+            -C "Remember CCS message" \
+            -s "Injecting buffered CCS message" \
+            -s "Remember CCS message"
+
+run_test    "DTLS reordering: Buffer encrypted Finished message" \
+            -p "$P_PXY delay_ccs=1" \
+            "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
+            hs_timeout=2500-60000" \
+            "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
+            hs_timeout=2500-60000" \
+            0 \
+            -s "Buffer record from epoch 1" \
+            -s "Found buffered record from current epoch - load" \
+            -c "Buffer record from epoch 1" \
+            -c "Found buffered record from current epoch - load"
+
+# In this test, both the fragmented NewSessionTicket and the ChangeCipherSpec
+# from the server are delayed, so that the encrypted Finished message
+# is received and buffered. When the fragmented NewSessionTicket comes
+# in afterwards, the encrypted Finished message must be freed in order
+# to make space for the NewSessionTicket to be reassembled.
+# This works only in very particular circumstances:
+# - MBEDTLS_SSL_DTLS_MAX_BUFFERING must be large enough to allow buffering
+#   of the NewSessionTicket, but small enough to also allow buffering of
+#   the encrypted Finished message.
+# - The MTU setting on the server must be so small that the NewSessionTicket
+#   needs to be fragmented.
+# - All messages sent by the server must be small enough to be either sent
+#   without fragmentation or be reassembled within the bounds of
+#   MBEDTLS_SSL_DTLS_MAX_BUFFERING. Achieve this by testing with a PSK-based
+#   handshake, omitting CRTs.
+requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 240
+requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 280
+run_test    "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \
+            -p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \
+            "$P_SRV mtu=190 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
+            "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=abc123 psk_identity=foo" \
+            0 \
+            -s "Buffer record from epoch 1" \
+            -s "Found buffered record from current epoch - load" \
+            -c "Buffer record from epoch 1" \
+            -C "Found buffered record from current epoch - load" \
+            -c "Enough space available after freeing future epoch record"
+
 # Tests for "randomly unreliable connection": try a variety of flows and peers
 
 client_needs_more_time 2
 run_test    "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
             -p "$P_PXY drop=5 delay=5 duplicate=5" \
-            "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
+            "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
              psk=abc123" \
-            "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
+            "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
              force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
             0 \
             -s "Extra-header:" \
@@ -5231,8 +7147,8 @@ run_test    "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
 client_needs_more_time 2
 run_test    "DTLS proxy: 3d, \"short\" RSA handshake" \
             -p "$P_PXY drop=5 delay=5 duplicate=5" \
-            "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
-            "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
+            "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
+            "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 \
              force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
             0 \
             -s "Extra-header:" \
@@ -5241,8 +7157,8 @@ run_test    "DTLS proxy: 3d, \"short\" RSA handshake" \
 client_needs_more_time 2
 run_test    "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
             -p "$P_PXY drop=5 delay=5 duplicate=5" \
-            "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
-            "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
+            "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
+            "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
             0 \
             -s "Extra-header:" \
             -c "HTTP/1.0 200 OK"
@@ -5250,8 +7166,8 @@ run_test    "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
 client_needs_more_time 2
 run_test    "DTLS proxy: 3d, FS, client auth" \
             -p "$P_PXY drop=5 delay=5 duplicate=5" \
-            "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
-            "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
+            "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=required" \
+            "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
             0 \
             -s "Extra-header:" \
             -c "HTTP/1.0 200 OK"
@@ -5259,8 +7175,8 @@ run_test    "DTLS proxy: 3d, FS, client auth" \
 client_needs_more_time 2
 run_test    "DTLS proxy: 3d, FS, ticket" \
             -p "$P_PXY drop=5 delay=5 duplicate=5" \
-            "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
-            "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
+            "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \
+            "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
             0 \
             -s "Extra-header:" \
             -c "HTTP/1.0 200 OK"
@@ -5268,8 +7184,8 @@ run_test    "DTLS proxy: 3d, FS, ticket" \
 client_needs_more_time 2
 run_test    "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
             -p "$P_PXY drop=5 delay=5 duplicate=5" \
-            "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
-            "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
+            "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \
+            "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
             0 \
             -s "Extra-header:" \
             -c "HTTP/1.0 200 OK"
@@ -5277,9 +7193,9 @@ run_test    "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
 client_needs_more_time 2
 run_test    "DTLS proxy: 3d, max handshake, nbio" \
             -p "$P_PXY drop=5 delay=5 duplicate=5" \
-            "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
+            "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \
              auth_mode=required" \
-            "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
+            "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1" \
             0 \
             -s "Extra-header:" \
             -c "HTTP/1.0 200 OK"
@@ -5287,9 +7203,9 @@ run_test    "DTLS proxy: 3d, max handshake, nbio" \
 client_needs_more_time 4
 run_test    "DTLS proxy: 3d, min handshake, resumption" \
             -p "$P_PXY drop=5 delay=5 duplicate=5" \
-            "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
+            "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
              psk=abc123 debug_level=3" \
-            "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
+            "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
              debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
              force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
             0 \
@@ -5301,9 +7217,9 @@ run_test    "DTLS proxy: 3d, min handshake, resumption" \
 client_needs_more_time 4
 run_test    "DTLS proxy: 3d, min handshake, resumption, nbio" \
             -p "$P_PXY drop=5 delay=5 duplicate=5" \
-            "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
+            "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
              psk=abc123 debug_level=3 nbio=2" \
-            "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
+            "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
              debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
              force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
             0 \
@@ -5316,9 +7232,9 @@ client_needs_more_time 4
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
 run_test    "DTLS proxy: 3d, min handshake, client-initiated renego" \
             -p "$P_PXY drop=5 delay=5 duplicate=5" \
-            "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
+            "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
              psk=abc123 renegotiation=1 debug_level=2" \
-            "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
+            "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
              renegotiate=1 debug_level=2 \
              force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
             0 \
@@ -5331,9 +7247,9 @@ client_needs_more_time 4
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
 run_test    "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
             -p "$P_PXY drop=5 delay=5 duplicate=5" \
-            "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
+            "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
              psk=abc123 renegotiation=1 debug_level=2" \
-            "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
+            "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
              renegotiate=1 debug_level=2 \
              force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
             0 \
@@ -5346,10 +7262,10 @@ client_needs_more_time 4
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
 run_test    "DTLS proxy: 3d, min handshake, server-initiated renego" \
             -p "$P_PXY drop=5 delay=5 duplicate=5" \
-            "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
+            "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
              psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
              debug_level=2" \
-            "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
+            "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
              renegotiation=1 exchanges=4 debug_level=2 \
              force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
             0 \
@@ -5362,10 +7278,10 @@ client_needs_more_time 4
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
 run_test    "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
             -p "$P_PXY drop=5 delay=5 duplicate=5" \
-            "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
+            "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
              psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
              debug_level=2 nbio=2" \
-            "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
+            "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
              renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
              force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
             0 \
@@ -5374,30 +7290,38 @@ run_test    "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
             -s "Extra-header:" \
             -c "HTTP/1.0 200 OK"
 
+## Interop tests with OpenSSL might trigger a bug in recent versions (including
+## all versions installed on the CI machines), reported here:
+## Bug report: https://github.com/openssl/openssl/issues/6902
+## They should be re-enabled once a fixed version of OpenSSL is available
+## (this should happen in some 1.1.1_ release according to the ticket).
+skip_next_test
 client_needs_more_time 6
 not_with_valgrind # risk of non-mbedtls peer timing out
 run_test    "DTLS proxy: 3d, openssl server" \
             -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
             "$O_SRV -dtls1 -mtu 2048" \
-            "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
+            "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
             0 \
             -c "HTTP/1.0 200 OK"
 
+skip_next_test # see above
 client_needs_more_time 8
 not_with_valgrind # risk of non-mbedtls peer timing out
 run_test    "DTLS proxy: 3d, openssl server, fragmentation" \
             -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
             "$O_SRV -dtls1 -mtu 768" \
-            "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
+            "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
             0 \
             -c "HTTP/1.0 200 OK"
 
+skip_next_test # see above
 client_needs_more_time 8
 not_with_valgrind # risk of non-mbedtls peer timing out
 run_test    "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
             -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
             "$O_SRV -dtls1 -mtu 768" \
-            "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
+            "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
             0 \
             -c "HTTP/1.0 200 OK"
 
@@ -5407,29 +7331,29 @@ not_with_valgrind # risk of non-mbedtls peer timing out
 run_test    "DTLS proxy: 3d, gnutls server" \
             -p "$P_PXY drop=5 delay=5 duplicate=5" \
             "$G_SRV -u --mtu 2048 -a" \
-            "$P_CLI dtls=1 hs_timeout=250-60000" \
+            "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
             0 \
             -s "Extra-header:" \
             -c "Extra-header:"
 
-requires_gnutls
+requires_gnutls_next
 client_needs_more_time 8
 not_with_valgrind # risk of non-mbedtls peer timing out
 run_test    "DTLS proxy: 3d, gnutls server, fragmentation" \
             -p "$P_PXY drop=5 delay=5 duplicate=5" \
-            "$G_SRV -u --mtu 512" \
-            "$P_CLI dtls=1 hs_timeout=250-60000" \
+            "$G_NEXT_SRV -u --mtu 512" \
+            "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
             0 \
             -s "Extra-header:" \
             -c "Extra-header:"
 
-requires_gnutls
+requires_gnutls_next
 client_needs_more_time 8
 not_with_valgrind # risk of non-mbedtls peer timing out
 run_test    "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
             -p "$P_PXY drop=5 delay=5 duplicate=5" \
-            "$G_SRV -u --mtu 512" \
-            "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
+            "$G_NEXT_SRV -u --mtu 512" \
+            "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \
             0 \
             -s "Extra-header:" \
             -c "Extra-header:"
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/helpers.function b/3rdparty/mbedtls/mbedtls/tests/suites/helpers.function
index 755c3eabd4..1255ff4be4 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/helpers.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/helpers.function
@@ -1,4 +1,4 @@
-#line 1 "helpers.function"
+#line 2 "suites/helpers.function"
 /*----------------------------------------------------------------------------*/
 /* Headers */
 
@@ -23,8 +23,15 @@
 #include "mbedtls/memory_buffer_alloc.h"
 #endif
 
+#if defined(MBEDTLS_CHECK_PARAMS)
+#include "mbedtls/platform_util.h"
+#include <setjmp.h>
+#endif
+
 #ifdef _MSC_VER
 #include <basetsd.h>
+typedef UINT8 uint8_t;
+typedef INT32 int32_t;
 typedef UINT32 uint32_t;
 #define strncasecmp _strnicmp
 #define strcasecmp _stricmp
@@ -36,35 +43,170 @@ typedef UINT32 uint32_t;
 
 #if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
 #include <unistd.h>
+#include <strings.h>
 #endif
 
-/*----------------------------------------------------------------------------*/
-/* Constants */
-
-#define DEPENDENCY_SUPPORTED        0
-#define DEPENDENCY_NOT_SUPPORTED    1
-
-#define KEY_VALUE_MAPPING_FOUND     0
-#define KEY_VALUE_MAPPING_NOT_FOUND -1
+/* Type for Hex parameters */
+typedef struct data_tag
+{
+    uint8_t *   x;
+    uint32_t    len;
+} data_t;
 
-#define DISPATCH_TEST_SUCCESS       0
-#define DISPATCH_TEST_FN_NOT_FOUND  1
-#define DISPATCH_INVALID_TEST_DATA  2
-#define DISPATCH_UNSUPPORTED_SUITE  3
+/*----------------------------------------------------------------------------*/
+/* Status and error constants */
+
+#define DEPENDENCY_SUPPORTED            0   /* Dependency supported by build */
+#define KEY_VALUE_MAPPING_FOUND         0   /* Integer expression found */
+#define DISPATCH_TEST_SUCCESS           0   /* Test dispatch successful */
+
+#define KEY_VALUE_MAPPING_NOT_FOUND     -1  /* Integer expression not found */
+#define DEPENDENCY_NOT_SUPPORTED        -2  /* Dependency not supported */
+#define DISPATCH_TEST_FN_NOT_FOUND      -3  /* Test function not found */
+#define DISPATCH_INVALID_TEST_DATA      -4  /* Invalid test parameter type.
+                                               Only int, string, binary data
+                                               and integer expressions are
+                                               allowed */
+#define DISPATCH_UNSUPPORTED_SUITE      -5  /* Test suite not supported by the
+                                               build */
+
+typedef enum
+{
+    PARAMFAIL_TESTSTATE_IDLE = 0,           /* No parameter failure call test */
+    PARAMFAIL_TESTSTATE_PENDING,            /* Test call to the parameter failure
+                                             * is pending */
+    PARAMFAIL_TESTSTATE_CALLED              /* The test call to the parameter
+                                             * failure function has been made */
+} paramfail_test_state_t;
 
 
 /*----------------------------------------------------------------------------*/
 /* Macros */
 
-#define TEST_ASSERT( TEST )                         \
-    do {                                            \
-        if( ! (TEST) )                              \
-        {                                           \
-            test_fail( #TEST, __LINE__, __FILE__ ); \
-            goto exit;                              \
-        }                                           \
+/**
+ * \brief   This macro tests the expression passed to it as a test step or
+ *          individual test in a test case.
+ *
+ *          It allows a library function to return a value and return an error
+ *          code that can be tested.
+ *
+ *          When MBEDTLS_CHECK_PARAMS is enabled, calls to the parameter failure
+ *          callback, MBEDTLS_PARAM_FAILED(), will be assumed to be a test
+ *          failure.
+ *
+ *          This macro is not suitable for negative parameter validation tests,
+ *          as it assumes the test step will not create an error.
+ *
+ * \param   TEST    The test expression to be tested.
+ */
+#define TEST_ASSERT( TEST )                                 \
+    do {                                                    \
+       if( ! (TEST) )                                       \
+       {                                                    \
+          test_fail( #TEST, __LINE__, __FILE__ );           \
+          goto exit;                                        \
+       }                                                    \
     } while( 0 )
 
+#if defined(MBEDTLS_CHECK_PARAMS) && !defined(MBEDTLS_PARAM_FAILED_ALT)
+/**
+ * \brief   This macro tests the statement passed to it as a test step or
+ *          individual test in a test case. The macro assumes the test will fail
+ *          and will generate an error.
+ *
+ *          It allows a library function to return a value and tests the return
+ *          code on return to confirm the given error code was returned.
+ *
+ *          When MBEDTLS_CHECK_PARAMS is enabled, calls to the parameter failure
+ *          callback, MBEDTLS_PARAM_FAILED(), are assumed to indicate the
+ *          expected failure, and the test will pass.
+ *
+ *          This macro is intended for negative parameter validation tests,
+ *          where the failing function may return an error value or call
+ *          MBEDTLS_PARAM_FAILED() to indicate the error.
+ *
+ * \param   PARAM_ERROR_VALUE   The expected error code.
+ *
+ * \param   TEST                The test expression to be tested.
+ */
+#define TEST_INVALID_PARAM_RET( PARAM_ERR_VALUE, TEST )                     \
+    do {                                                                    \
+        test_info.paramfail_test_state = PARAMFAIL_TESTSTATE_PENDING;       \
+        if( (TEST) != (PARAM_ERR_VALUE) ||                                  \
+            test_info.paramfail_test_state != PARAMFAIL_TESTSTATE_CALLED )  \
+        {                                                                   \
+            test_fail( #TEST, __LINE__, __FILE__ );                         \
+            goto exit;                                                      \
+        }                                                                   \
+   } while( 0 )
+
+/**
+ * \brief   This macro tests the statement passed to it as a test step or
+ *          individual test in a test case. The macro assumes the test will fail
+ *          and will generate an error.
+ *
+ *          It assumes the library function under test cannot return a value and
+ *          assumes errors can only be indicated byt calls to
+ *          MBEDTLS_PARAM_FAILED().
+ *
+ *          When MBEDTLS_CHECK_PARAMS is enabled, calls to the parameter failure
+ *          callback, MBEDTLS_PARAM_FAILED(), are assumed to indicate the
+ *          expected failure. If MBEDTLS_CHECK_PARAMS is not enabled, no test
+ *          can be made.
+ *
+ *          This macro is intended for negative parameter validation tests,
+ *          where the failing function can only return an error by calling
+ *          MBEDTLS_PARAM_FAILED() to indicate the error.
+ *
+ * \param   TEST                The test expression to be tested.
+ */
+#define TEST_INVALID_PARAM( TEST )                                          \
+    do {                                                                    \
+        memcpy(jmp_tmp, param_fail_jmp, sizeof(jmp_buf));                   \
+        if( setjmp( param_fail_jmp ) == 0 )                                 \
+        {                                                                   \
+            TEST;                                                           \
+            test_fail( #TEST, __LINE__, __FILE__ );                         \
+            goto exit;                                                      \
+        }                                                                   \
+        memcpy(param_fail_jmp, jmp_tmp, sizeof(jmp_buf));                   \
+    } while( 0 )
+#endif /* MBEDTLS_CHECK_PARAMS && !MBEDTLS_PARAM_FAILED_ALT */
+
+/**
+ * \brief   This macro tests the statement passed to it as a test step or
+ *          individual test in a test case. The macro assumes the test will not fail.
+ *
+ *          It assumes the library function under test cannot return a value and
+ *          assumes errors can only be indicated by calls to
+ *          MBEDTLS_PARAM_FAILED().
+ *
+ *          When MBEDTLS_CHECK_PARAMS is enabled, calls to the parameter failure
+ *          callback, MBEDTLS_PARAM_FAILED(), are assumed to indicate the
+ *          expected failure. If MBEDTLS_CHECK_PARAMS is not enabled, no test
+ *          can be made.
+ *
+ *          This macro is intended to test that functions returning void
+ *          accept all of the parameter values they're supposed to accept - eg
+ *          that they don't call MBEDTLS_PARAM_FAILED() when a parameter
+ *          that's allowed to be NULL happens to be NULL.
+ *
+ *          Note: for functions that return something other that void,
+ *          checking that they accept all the parameters they're supposed to
+ *          accept is best done by using TEST_ASSERT() and checking the return
+ *          value as well.
+ *
+ *          Note: this macro is available even when #MBEDTLS_CHECK_PARAMS is
+ *          disabled, as it makes sense to check that the functions accept all
+ *          legal values even if this option is disabled - only in that case,
+ *          the test is more about whether the function segfaults than about
+ *          whether it invokes MBEDTLS_PARAM_FAILED().
+ *
+ * \param   TEST                The test expression to be tested.
+ */
+#define TEST_VALID_PARAM( TEST )                                    \
+    TEST_ASSERT( ( TEST, 1 ) );
+
 #define assert(a) if( !( a ) )                                      \
 {                                                                   \
     mbedtls_fprintf( stderr, "Assertion Failed at %s:%d - %s\n",   \
@@ -99,9 +241,9 @@ typedef UINT32 uint32_t;
 /*----------------------------------------------------------------------------*/
 /* Global variables */
 
-
 static struct
 {
+    paramfail_test_state_t paramfail_test_state;
     int failed;
     const char *test;
     const char *filename;
@@ -109,6 +251,14 @@ static struct
 }
 test_info;
 
+#if defined(MBEDTLS_PLATFORM_C)
+mbedtls_platform_context platform_ctx;
+#endif
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+jmp_buf param_fail_jmp;
+jmp_buf jmp_tmp;
+#endif
 
 /*----------------------------------------------------------------------------*/
 /* Helper flags for complex dependencies */
@@ -128,6 +278,54 @@ test_info;
 /*----------------------------------------------------------------------------*/
 /* Helper Functions */
 
+static void test_fail( const char *test, int line_no, const char* filename )
+{
+    test_info.failed = 1;
+    test_info.test = test;
+    test_info.line_no = line_no;
+    test_info.filename = filename;
+}
+
+static int platform_setup()
+{
+    int ret = 0;
+#if defined(MBEDTLS_PLATFORM_C)
+    ret = mbedtls_platform_setup( &platform_ctx );
+#endif /* MBEDTLS_PLATFORM_C */
+    return( ret );
+}
+
+static void platform_teardown()
+{
+#if defined(MBEDTLS_PLATFORM_C)
+    mbedtls_platform_teardown( &platform_ctx );
+#endif /* MBEDTLS_PLATFORM_C */
+}
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line )
+{
+    /* If we are testing the callback function...  */
+    if( test_info.paramfail_test_state == PARAMFAIL_TESTSTATE_PENDING )
+    {
+        test_info.paramfail_test_state = PARAMFAIL_TESTSTATE_CALLED;
+    }
+    else
+    {
+        /* ...else we treat this as an error */
+
+        /* Record the location of the failure, but not as a failure yet, in case
+         * it was part of the test */
+        test_fail( failure_condition, line, file );
+        test_info.failed = 0;
+
+        longjmp( param_fail_jmp, 1 );
+    }
+}
+#endif
+
 #if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
 static int redirect_output( FILE** out_stream, const char* path )
 {
@@ -417,10 +615,21 @@ static int rnd_pseudo_rand( void *rng_state, unsigned char *output, size_t len )
     return( 0 );
 }
 
-static void test_fail( const char *test, int line_no, const char* filename )
+int hexcmp( uint8_t * a, uint8_t * b, uint32_t a_len, uint32_t b_len )
 {
-    test_info.failed = 1;
-    test_info.test = test;
-    test_info.line_no = line_no;
-    test_info.filename = filename;
+    int ret = 0;
+    uint32_t i = 0;
+
+    if( a_len != b_len )
+        return( -1 );
+
+    for( i = 0; i < a_len; i++ )
+    {
+        if( a[i] != b[i] )
+        {
+            ret = -1;
+            break;
+        }
+    }
+    return ret;
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/host_test.function b/3rdparty/mbedtls/mbedtls/tests/suites/host_test.function
new file mode 100644
index 0000000000..3c43032083
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/host_test.function
@@ -0,0 +1,672 @@
+#line 2 "suites/host_test.function"
+
+/**
+ * \brief       Verifies that string is in string parameter format i.e. "<str>"
+ *              It also strips enclosing '"' from the input string.
+ *
+ * \param str   String parameter.
+ *
+ * \return      0 if success else 1
+ */
+int verify_string( char **str )
+{
+    if( ( *str )[0] != '"' ||
+        ( *str )[strlen( *str ) - 1] != '"' )
+    {
+        mbedtls_fprintf( stderr,
+            "Expected string (with \"\") for parameter and got: %s\n", *str );
+        return( -1 );
+    }
+
+    ( *str )++;
+    ( *str )[strlen( *str ) - 1] = '\0';
+
+    return( 0 );
+}
+
+/**
+ * \brief       Verifies that string is an integer. Also gives the converted
+ *              integer value.
+ *
+ * \param str   Input string.
+ * \param value Pointer to int for output value.
+ *
+ * \return      0 if success else 1
+ */
+int verify_int( char *str, int *value )
+{
+    size_t i;
+    int minus = 0;
+    int digits = 1;
+    int hex = 0;
+
+    for( i = 0; i < strlen( str ); i++ )
+    {
+        if( i == 0 && str[i] == '-' )
+        {
+            minus = 1;
+            continue;
+        }
+
+        if( ( ( minus && i == 2 ) || ( !minus && i == 1 ) ) &&
+            str[i - 1] == '0' && ( str[i] == 'x' || str[i] == 'X' ) )
+        {
+            hex = 1;
+            continue;
+        }
+
+        if( ! ( ( str[i] >= '0' && str[i] <= '9' ) ||
+                ( hex && ( ( str[i] >= 'a' && str[i] <= 'f' ) ||
+                           ( str[i] >= 'A' && str[i] <= 'F' ) ) ) ) )
+        {
+            digits = 0;
+            break;
+        }
+    }
+
+    if( digits )
+    {
+        if( hex )
+            *value = strtol( str, NULL, 16 );
+        else
+            *value = strtol( str, NULL, 10 );
+
+        return( 0 );
+    }
+
+    mbedtls_fprintf( stderr,
+                    "Expected integer for parameter and got: %s\n", str );
+    return( KEY_VALUE_MAPPING_NOT_FOUND );
+}
+
+
+/**
+ * \brief       Usage string.
+ *
+ */
+#define USAGE \
+    "Usage: %s [OPTIONS] files...\n\n" \
+    "   Command line arguments:\n" \
+    "     files...          One or more test data files. If no file is\n" \
+    "                       specified the following default test case\n" \
+    "                       file is used:\n" \
+    "                           %s\n\n" \
+    "   Options:\n" \
+    "     -v | --verbose    Display full information about each test\n" \
+    "     -h | --help       Display this information\n\n", \
+    argv[0], \
+    "TESTCASE_FILENAME"
+
+
+/**
+ * \brief       Read a line from the passed file pointer.
+ *
+ * \param f     FILE pointer
+ * \param buf   Pointer to memory to hold read line.
+ * \param len   Length of the buf.
+ *
+ * \return      0 if success else -1
+ */
+int get_line( FILE *f, char *buf, size_t len )
+{
+    char *ret;
+    int i = 0, str_len = 0, has_string = 0;
+
+    /* Read until we get a valid line */
+    do
+    {
+        ret = fgets( buf, len, f );
+        if( ret == NULL )
+            return( -1 );
+
+        str_len = strlen( buf );
+
+        /* Skip empty line and comment */
+        if ( str_len == 0 || buf[0] == '#' )
+            continue;
+        has_string = 0;
+        for ( i = 0; i < str_len; i++ )
+        {
+            char c = buf[i];
+            if ( c != ' ' && c != '\t' && c != '\n' &&
+                 c != '\v' && c != '\f' && c != '\r' )
+            {
+                has_string = 1;
+                break;
+            }
+        }
+    } while( !has_string );
+
+    /* Strip new line and carriage return */
+    ret = buf + strlen( buf );
+    if( ret-- > buf && *ret == '\n' )
+        *ret = '\0';
+    if( ret-- > buf && *ret == '\r' )
+        *ret = '\0';
+
+    return( 0 );
+}
+
+/**
+ * \brief       Splits string delimited by ':'. Ignores '\:'.
+ *
+ * \param buf           Input string
+ * \param len           Input string length
+ * \param params        Out params found
+ * \param params_len    Out params array len
+ *
+ * \return      Count of strings found.
+ */
+static int parse_arguments( char *buf, size_t len, char **params,
+                            size_t params_len )
+{
+    size_t cnt = 0, i;
+    char *cur = buf;
+    char *p = buf, *q;
+
+    params[cnt++] = cur;
+
+    while( *p != '\0' && p < ( buf + len ) )
+    {
+        if( *p == '\\' )
+        {
+            p++;
+            p++;
+            continue;
+        }
+        if( *p == ':' )
+        {
+            if( p + 1 < buf + len )
+            {
+                cur = p + 1;
+                assert( cnt < params_len );
+                params[cnt++] = cur;
+            }
+            *p = '\0';
+        }
+
+        p++;
+    }
+
+    /* Replace newlines, question marks and colons in strings */
+    for( i = 0; i < cnt; i++ )
+    {
+        p = params[i];
+        q = params[i];
+
+        while( *p != '\0' )
+        {
+            if( *p == '\\' && *( p + 1 ) == 'n' )
+            {
+                p += 2;
+                *( q++ ) = '\n';
+            }
+            else if( *p == '\\' && *( p + 1 ) == ':' )
+            {
+                p += 2;
+                *( q++ ) = ':';
+            }
+            else if( *p == '\\' && *( p + 1 ) == '?' )
+            {
+                p += 2;
+                *( q++ ) = '?';
+            }
+            else
+                *( q++ ) = *( p++ );
+        }
+        *q = '\0';
+    }
+
+    return( cnt );
+}
+
+/**
+ * \brief       Converts parameters into test function consumable parameters.
+ *              Example: Input:  {"int", "0", "char*", "Hello",
+ *                                "hex", "abef", "exp", "1"}
+ *                      Output:  {
+ *                                0,                // Verified int
+ *                                "Hello",          // Verified string
+ *                                2, { 0xab, 0xef },// Converted len,hex pair
+ *                                9600              // Evaluated expression
+ *                               }
+ *
+ *
+ * \param cnt               Parameter array count.
+ * \param params            Out array of found parameters.
+ * \param int_params_store  Memory for storing processed integer parameters.
+ *
+ * \return      0 for success else 1
+ */
+static int convert_params( size_t cnt , char ** params , int * int_params_store )
+{
+    char ** cur = params;
+    char ** out = params;
+    int ret = DISPATCH_TEST_SUCCESS;
+
+    while ( cur < params + cnt )
+    {
+        char * type = *cur++;
+        char * val = *cur++;
+
+        if ( strcmp( type, "char*" ) == 0 )
+        {
+            if ( verify_string( &val ) == 0 )
+            {
+              *out++ = val;
+            }
+            else
+            {
+                ret = ( DISPATCH_INVALID_TEST_DATA );
+                break;
+            }
+        }
+        else if ( strcmp( type, "int" ) == 0 )
+        {
+            if ( verify_int( val, int_params_store ) == 0 )
+            {
+              *out++ = (char *) int_params_store++;
+            }
+            else
+            {
+                ret = ( DISPATCH_INVALID_TEST_DATA );
+                break;
+            }
+        }
+        else if ( strcmp( type, "hex" ) == 0 )
+        {
+            if ( verify_string( &val ) == 0 )
+            {
+                *int_params_store = unhexify( (unsigned char *) val, val );
+                *out++ = val;
+                *out++ = (char *)(int_params_store++);
+            }
+            else
+            {
+                ret = ( DISPATCH_INVALID_TEST_DATA );
+                break;
+            }
+        }
+        else if ( strcmp( type, "exp" ) == 0 )
+        {
+            int exp_id = strtol( val, NULL, 10 );
+            if ( get_expression ( exp_id, int_params_store ) == 0 )
+            {
+              *out++ = (char *)int_params_store++;
+            }
+            else
+            {
+              ret = ( DISPATCH_INVALID_TEST_DATA );
+              break;
+            }
+        }
+        else
+        {
+          ret = ( DISPATCH_INVALID_TEST_DATA );
+          break;
+        }
+    }
+    return( ret );
+}
+
+/**
+ * \brief       Tests snprintf implementation with test input.
+ *
+ * \note
+ * At high optimization levels (e.g. gcc -O3), this function may be
+ * inlined in run_test_snprintf. This can trigger a spurious warning about
+ * potential misuse of snprintf from gcc -Wformat-truncation (observed with
+ * gcc 7.2). This warning makes tests in run_test_snprintf redundant on gcc
+ * only. They are still valid for other compilers. Avoid this warning by
+ * forbidding inlining of this function by gcc.
+ *
+ * \param n         Buffer test length.
+ * \param ref_buf   Expected buffer.
+ * \param ref_ret   Expected snprintf return value.
+ *
+ * \return      0 for success else 1
+ */
+#if defined(__GNUC__)
+__attribute__((__noinline__))
+#endif
+static int test_snprintf( size_t n, const char ref_buf[10], int ref_ret )
+{
+    int ret;
+    char buf[10] = "xxxxxxxxx";
+    const char ref[10] = "xxxxxxxxx";
+
+    if( n >= sizeof( buf ) )
+        return( -1 );
+    ret = mbedtls_snprintf( buf, n, "%s", "123" );
+    if( ret < 0 || (size_t) ret >= n )
+        ret = -1;
+
+    if( strncmp( ref_buf, buf, sizeof( buf ) ) != 0 ||
+        ref_ret != ret ||
+        memcmp( buf + n, ref + n, sizeof( buf ) - n ) != 0 )
+    {
+        return( 1 );
+    }
+
+    return( 0 );
+}
+
+/**
+ * \brief       Tests snprintf implementation.
+ *
+ * \param none
+ *
+ * \return      0 for success else 1
+ */
+static int run_test_snprintf( void )
+{
+    return( test_snprintf( 0, "xxxxxxxxx",  -1 ) != 0 ||
+            test_snprintf( 1, "",           -1 ) != 0 ||
+            test_snprintf( 2, "1",          -1 ) != 0 ||
+            test_snprintf( 3, "12",         -1 ) != 0 ||
+            test_snprintf( 4, "123",         3 ) != 0 ||
+            test_snprintf( 5, "123",         3 ) != 0 );
+}
+
+
+/**
+ * \brief       Desktop implementation of execute_tests().
+ *              Parses command line and executes tests from
+ *              supplied or default data file.
+ *
+ * \param argc  Command line argument count.
+ * \param argv  Argument array.
+ *
+ * \return      Program exit status.
+ */
+int execute_tests( int argc , const char ** argv )
+{
+    /* Local Configurations and options */
+    const char *default_filename = "DATA_FILE";
+    const char *test_filename = NULL;
+    const char **test_files = NULL;
+    int testfile_count = 0;
+    int option_verbose = 0;
+    int function_id = 0;
+
+    /* Other Local variables */
+    int arg_index = 1;
+    const char *next_arg;
+    int testfile_index, ret, i, cnt;
+    int total_errors = 0, total_tests = 0, total_skipped = 0;
+    FILE *file;
+    char buf[5000];
+    char *params[50];
+    /* Store for proccessed integer params. */
+    int int_params[50];
+    void *pointer;
+#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
+    int stdout_fd = -1;
+#endif /* __unix__ || __APPLE__ __MACH__ */
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \
+    !defined(TEST_SUITE_MEMORY_BUFFER_ALLOC)
+    unsigned char alloc_buf[1000000];
+    mbedtls_memory_buffer_alloc_init( alloc_buf, sizeof( alloc_buf ) );
+#endif
+
+    /*
+     * The C standard doesn't guarantee that all-bits-0 is the representation
+     * of a NULL pointer. We do however use that in our code for initializing
+     * structures, which should work on every modern platform. Let's be sure.
+     */
+    memset( &pointer, 0, sizeof( void * ) );
+    if( pointer != NULL )
+    {
+        mbedtls_fprintf( stderr, "all-bits-zero is not a NULL pointer\n" );
+        return( 1 );
+    }
+
+    /*
+     * Make sure we have a snprintf that correctly zero-terminates
+     */
+    if( run_test_snprintf() != 0 )
+    {
+        mbedtls_fprintf( stderr, "the snprintf implementation is broken\n" );
+        return( 1 );
+    }
+
+    while( arg_index < argc )
+    {
+        next_arg = argv[arg_index];
+
+        if( strcmp( next_arg, "--verbose" ) == 0 ||
+                 strcmp( next_arg, "-v" ) == 0 )
+        {
+            option_verbose = 1;
+        }
+        else if( strcmp(next_arg, "--help" ) == 0 ||
+                 strcmp(next_arg, "-h" ) == 0 )
+        {
+            mbedtls_fprintf( stdout, USAGE );
+            mbedtls_exit( EXIT_SUCCESS );
+        }
+        else
+        {
+            /* Not an option, therefore treat all further arguments as the file
+             * list.
+             */
+            test_files = &argv[ arg_index ];
+            testfile_count = argc - arg_index;
+        }
+
+        arg_index++;
+    }
+
+    /* If no files were specified, assume a default */
+    if ( test_files == NULL || testfile_count == 0 )
+    {
+        test_files = &default_filename;
+        testfile_count = 1;
+    }
+
+    /* Initialize the struct that holds information about the last test */
+    memset( &test_info, 0, sizeof( test_info ) );
+
+    /* Now begin to execute the tests in the testfiles */
+    for ( testfile_index = 0;
+          testfile_index < testfile_count;
+          testfile_index++ )
+    {
+        int unmet_dep_count = 0;
+        char *unmet_dependencies[20];
+
+        test_filename = test_files[ testfile_index ];
+
+        file = fopen( test_filename, "r" );
+        if( file == NULL )
+        {
+            mbedtls_fprintf( stderr, "Failed to open test file: %s\n",
+                             test_filename );
+            return( 1 );
+        }
+
+        while( !feof( file ) )
+        {
+            if( unmet_dep_count > 0 )
+            {
+                mbedtls_fprintf( stderr,
+                    "FATAL: Dep count larger than zero at start of loop\n" );
+                mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+            }
+            unmet_dep_count = 0;
+
+            if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 )
+                break;
+            mbedtls_fprintf( stdout, "%s%.66s", test_info.failed ? "\n" : "", buf );
+            mbedtls_fprintf( stdout, " " );
+            for( i = strlen( buf ) + 1; i < 67; i++ )
+                mbedtls_fprintf( stdout, "." );
+            mbedtls_fprintf( stdout, " " );
+            fflush( stdout );
+
+            total_tests++;
+
+            if( ( ret = get_line( file, buf, sizeof( buf ) ) ) != 0 )
+                break;
+            cnt = parse_arguments( buf, strlen( buf ), params,
+                                   sizeof( params ) / sizeof( params[0] ) );
+
+            if( strcmp( params[0], "depends_on" ) == 0 )
+            {
+                for( i = 1; i < cnt; i++ )
+                {
+                    int dep_id = strtol( params[i], NULL, 10 );
+                    if( dep_check( dep_id ) != DEPENDENCY_SUPPORTED )
+                    {
+                        if( 0 == option_verbose )
+                        {
+                            /* Only one count is needed if not verbose */
+                            unmet_dep_count++;
+                            break;
+                        }
+
+                        unmet_dependencies[ unmet_dep_count ] = strdup( params[i] );
+                        if(  unmet_dependencies[ unmet_dep_count ] == NULL )
+                        {
+                            mbedtls_fprintf( stderr, "FATAL: Out of memory\n" );
+                            mbedtls_exit( MBEDTLS_EXIT_FAILURE );
+                        }
+                        unmet_dep_count++;
+                    }
+                }
+
+                if( ( ret = get_line( file, buf, sizeof( buf ) ) ) != 0 )
+                    break;
+                cnt = parse_arguments( buf, strlen( buf ), params,
+                                       sizeof( params ) / sizeof( params[0] ) );
+            }
+
+            // If there are no unmet dependencies execute the test
+            if( unmet_dep_count == 0 )
+            {
+                test_info.failed = 0;
+                test_info.paramfail_test_state = PARAMFAIL_TESTSTATE_IDLE;
+
+#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
+                /* Suppress all output from the library unless we're verbose
+                 * mode
+                 */
+                if( !option_verbose )
+                {
+                    stdout_fd = redirect_output( &stdout, "/dev/null" );
+                    if( stdout_fd == -1 )
+                    {
+                        /* Redirection has failed with no stdout so exit */
+                        exit( 1 );
+                    }
+                }
+#endif /* __unix__ || __APPLE__ __MACH__ */
+
+                function_id = strtol( params[0], NULL, 10 );
+                if ( (ret = check_test( function_id )) == DISPATCH_TEST_SUCCESS )
+                {
+                    ret = convert_params( cnt - 1, params + 1, int_params );
+                    if ( DISPATCH_TEST_SUCCESS == ret )
+                    {
+                        ret = dispatch_test( function_id, (void **)( params + 1 ) );
+                    }
+                }
+
+#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
+                if( !option_verbose && restore_output( &stdout, stdout_fd ) )
+                {
+                        /* Redirection has failed with no stdout so exit */
+                        exit( 1 );
+                }
+#endif /* __unix__ || __APPLE__ __MACH__ */
+
+            }
+
+            if( unmet_dep_count > 0 || ret == DISPATCH_UNSUPPORTED_SUITE )
+            {
+                total_skipped++;
+                mbedtls_fprintf( stdout, "----" );
+
+                if( 1 == option_verbose && ret == DISPATCH_UNSUPPORTED_SUITE )
+                {
+                    mbedtls_fprintf( stdout, "\n   Test Suite not enabled" );
+                }
+
+                if( 1 == option_verbose && unmet_dep_count > 0 )
+                {
+                    mbedtls_fprintf( stdout, "\n   Unmet dependencies: " );
+                    for( i = 0; i < unmet_dep_count; i++ )
+                    {
+                        mbedtls_fprintf( stdout, "%s  ",
+                                        unmet_dependencies[i] );
+                        free( unmet_dependencies[i] );
+                    }
+                }
+                mbedtls_fprintf( stdout, "\n" );
+                fflush( stdout );
+
+                unmet_dep_count = 0;
+            }
+            else if( ret == DISPATCH_TEST_SUCCESS )
+            {
+                if( test_info.failed == 0 )
+                {
+                    mbedtls_fprintf( stdout, "PASS\n" );
+                }
+                else
+                {
+                    total_errors++;
+                    mbedtls_fprintf( stdout, "FAILED\n" );
+                    mbedtls_fprintf( stdout, "  %s\n  at line %d, %s\n",
+                                     test_info.test, test_info.line_no,
+                                     test_info.filename );
+                }
+                fflush( stdout );
+            }
+            else if( ret == DISPATCH_INVALID_TEST_DATA )
+            {
+                mbedtls_fprintf( stderr, "FAILED: FATAL PARSE ERROR\n" );
+                fclose( file );
+                mbedtls_exit( 2 );
+            }
+            else if( ret == DISPATCH_TEST_FN_NOT_FOUND )
+            {
+                mbedtls_fprintf( stderr, "FAILED: FATAL TEST FUNCTION NOT FUND\n" );
+                fclose( file );
+                mbedtls_exit( 2 );
+            }
+            else
+                total_errors++;
+        }
+        fclose( file );
+
+        /* In case we encounter early end of file */
+        for( i = 0; i < unmet_dep_count; i++ )
+            free( unmet_dependencies[i] );
+    }
+
+    mbedtls_fprintf( stdout, "\n----------------------------------------------------------------------------\n\n");
+    if( total_errors == 0 )
+        mbedtls_fprintf( stdout, "PASSED" );
+    else
+        mbedtls_fprintf( stdout, "FAILED" );
+
+    mbedtls_fprintf( stdout, " (%d / %d tests (%d skipped))\n",
+             total_tests - total_errors, total_tests, total_skipped );
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \
+    !defined(TEST_SUITE_MEMORY_BUFFER_ALLOC)
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    mbedtls_memory_buffer_alloc_status();
+#endif
+    mbedtls_memory_buffer_alloc_free();
+#endif
+
+#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
+    if( stdout_fd != -1 )
+        close_output( stdout );
+#endif /* __unix__ || __APPLE__ __MACH__ */
+
+    return( total_errors != 0 );
+}
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/main_test.function b/3rdparty/mbedtls/mbedtls/tests/suites/main_test.function
index 042085f0ba..ca4783dcf7 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/main_test.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/main_test.function
@@ -1,537 +1,258 @@
-#line 1 "main_test.function"
-SUITE_PRE_DEP
-#define TEST_SUITE_ACTIVE
-
-int verify_string( char **str )
-{
-    if( (*str)[0] != '"' ||
-        (*str)[strlen( *str ) - 1] != '"' )
-    {
-        mbedtls_fprintf( stderr,
-            "Expected string (with \"\") for parameter and got: %s\n", *str );
-        return( -1 );
-    }
-
-    (*str)++;
-    (*str)[strlen( *str ) - 1] = '\0';
+#line 2 "suites/main_test.function"
+/*
+ * *** THIS FILE HAS BEEN MACHINE GENERATED ***
+ *
+ * This file has been machine generated using the script:
+ * $generator_script
+ *
+ * Test file      : $test_file
+ *
+ * The following files were used to create this file.
+ *
+ *      Main code file      : $test_main_file
+ *      Platform code file  : $test_platform_file
+ *      Helper file         : $test_common_helper_file
+ *      Test suite file     : $test_case_file
+ *      Test suite data     : $test_case_data_file
+ *
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
 
-    return( 0 );
-}
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include <mbedtls/config.h>
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
 
-int verify_int( char *str, int *value )
-{
-    size_t i;
-    int minus = 0;
-    int digits = 1;
-    int hex = 0;
 
-    for( i = 0; i < strlen( str ); i++ )
-    {
-        if( i == 0 && str[i] == '-' )
-        {
-            minus = 1;
-            continue;
-        }
-
-        if( ( ( minus && i == 2 ) || ( !minus && i == 1 ) ) &&
-            str[i - 1] == '0' && str[i] == 'x' )
-        {
-            hex = 1;
-            continue;
-        }
-
-        if( ! ( ( str[i] >= '0' && str[i] <= '9' ) ||
-                ( hex && ( ( str[i] >= 'a' && str[i] <= 'f' ) ||
-                           ( str[i] >= 'A' && str[i] <= 'F' ) ) ) ) )
-        {
-            digits = 0;
-            break;
-        }
-    }
+/*----------------------------------------------------------------------------*/
+/* Common helper code */
 
-    if( digits )
-    {
-        if( hex )
-            *value = strtol( str, NULL, 16 );
-        else
-            *value = strtol( str, NULL, 10 );
+$test_common_helpers
 
-        return( 0 );
-    }
+#line $line_no "suites/main_test.function"
 
-MAPPING_CODE
 
-    mbedtls_fprintf( stderr,
-                    "Expected integer for parameter and got: %s\n", str );
-    return( KEY_VALUE_MAPPING_NOT_FOUND );
-}
+/*----------------------------------------------------------------------------*/
+/* Test Suite Code */
 
 
-/*----------------------------------------------------------------------------*/
-/* Test Case code */
+#define TEST_SUITE_ACTIVE
 
-FUNCTION_CODE
-SUITE_POST_DEP
+$functions_code
 
-#line !LINE_NO! "main_test.function"
+#line $line_no "suites/main_test.function"
 
 
 /*----------------------------------------------------------------------------*/
 /* Test dispatch code */
 
-int dep_check( char *str )
-{
-    if( str == NULL )
-        return( 1 );
-
-DEP_CHECK_CODE
-#line !LINE_NO! "main_test.function"
 
-    return( DEPENDENCY_NOT_SUPPORTED );
-}
-
-int dispatch_test(int cnt, char *params[50])
+/**
+ * \brief       Evaluates an expression/macro into its literal integer value.
+ *              For optimizing space for embedded targets each expression/macro
+ *              is identified by a unique identifier instead of string literals.
+ *              Identifiers and evaluation code is generated by script:
+ *              $generator_script
+ *
+ * \param exp_id    Expression identifier.
+ * \param out_value Pointer to int to hold the integer.
+ *
+ * \return       0 if exp_id is found. 1 otherwise.
+ */
+int get_expression( int32_t exp_id, int32_t * out_value )
 {
-    int ret;
-    ((void) cnt);
-    ((void) params);
+    int ret = KEY_VALUE_MAPPING_FOUND;
 
-#if defined(TEST_SUITE_ACTIVE)
-    ret = DISPATCH_TEST_SUCCESS;
+    (void) exp_id;
+    (void) out_value;
 
-    // Cast to void to avoid compiler warnings
-    (void)ret;
-
-DISPATCH_FUNCTION
+    switch( exp_id )
     {
-#line !LINE_NO! "main_test.function"
-        mbedtls_fprintf( stdout,
-                         "FAILED\nSkipping unknown test function '%s'\n",
-                         params[0] );
-        fflush( stdout );
-        ret = DISPATCH_TEST_FN_NOT_FOUND;
+$expression_code
+#line $line_no "suites/main_test.function"
+        default:
+           {
+                ret = KEY_VALUE_MAPPING_NOT_FOUND;
+           }
+           break;
     }
-#else
-    ret = DISPATCH_UNSUPPORTED_SUITE;
-#endif
     return( ret );
 }
 
 
-/*----------------------------------------------------------------------------*/
-/* Main Test code */
-
-#line !LINE_NO! "main_test.function"
-
-#define USAGE \
-    "Usage: %s [OPTIONS] files...\n\n" \
-    "   Command line arguments:\n" \
-    "     files...          One or more test data file. If no file is specified\n" \
-    "                       the followimg default test case is used:\n" \
-    "                           %s\n\n" \
-    "   Options:\n" \
-    "     -v | --verbose    Display full information about each test\n" \
-    "     -h | --help       Display this information\n\n", \
-    argv[0], \
-    "TESTCASE_FILENAME"
-
-
-/** Retrieve one input line into buf, which must have room for len
- * bytes. The trailing line break (if any) is stripped from the result.
- * Lines beginning with the character '#' are skipped. Lines that are
- * more than len-1 bytes long including the trailing line break are
- * truncated; note that the following bytes remain in the input stream.
+/**
+ * \brief       Checks if the dependency i.e. the compile flag is set.
+ *              For optimizing space for embedded targets each dependency
+ *              is identified by a unique identifier instead of string literals.
+ *              Identifiers and check code is generated by script:
+ *              $generator_script
  *
- * \return 0 on success, -1 on error or end of file
+ * \param exp_id    Dependency identifier.
+ *
+ * \return       DEPENDENCY_SUPPORTED if set else DEPENDENCY_NOT_SUPPORTED
  */
-int get_line( FILE *f, char *buf, size_t len )
+int dep_check( int dep_id )
 {
-    char *ret;
+    int ret = DEPENDENCY_NOT_SUPPORTED;
+
+    (void) dep_id;
 
-    do
+    switch( dep_id )
     {
-        ret = fgets( buf, len, f );
-        if( ret == NULL )
-            return( -1 );
+$dep_check_code
+#line $line_no "suites/main_test.function"
+        default:
+            break;
     }
-    while( buf[0] == '#' );
+    return( ret );
+}
 
-    ret = buf + strlen( buf );
-    if( ret-- > buf && *ret == '\n' )
-        *ret = '\0';
-    if( ret-- > buf && *ret == '\r' )
-        *ret = '\0';
 
-    return( 0 );
-}
+/**
+ * \brief       Function pointer type for test function wrappers.
+ *
+ *
+ * \param void **   Pointer to void pointers. Represents an array of test
+ *                  function parameters.
+ *
+ * \return       void
+ */
+typedef void (*TestWrapper_t)( void ** );
 
-int parse_arguments( char *buf, size_t len, char *params[50] )
-{
-    int cnt = 0, i;
-    char *cur = buf;
-    char *p = buf, *q;
 
-    params[cnt++] = cur;
+/**
+ * \brief       Table of test function wrappers. Used by dispatch_test().
+ *              This table is populated by script:
+ *              $generator_script
+ *
+ */
+TestWrapper_t test_funcs[] =
+{
+$dispatch_code
+#line $line_no "suites/main_test.function"
+};
 
-    while( *p != '\0' && p < buf + len )
+/**
+ * \brief        Execute the test function.
+ *
+ *               This is a wrapper function around the test function execution
+ *               to allow the setjmp() call used to catch any calls to the
+ *               parameter failure callback, to be used. Calls to setjmp()
+ *               can invalidate the state of any local auto variables.
+ *
+ * \param fp     Function pointer to the test function
+ * \param params Parameters to pass
+ *
+ */
+void execute_function_ptr(TestWrapper_t fp, void **params)
+{
+#if defined(MBEDTLS_CHECK_PARAMS)
+    if ( setjmp( param_fail_jmp ) == 0 )
     {
-        if( *p == '\\' )
-        {
-            p++;
-            p++;
-            continue;
-        }
-        if( *p == ':' )
-        {
-            if( p + 1 < buf + len )
-            {
-                cur = p + 1;
-                params[cnt++] = cur;
-            }
-            *p = '\0';
-        }
-
-        p++;
+        fp( params );
     }
-
-    /* Replace newlines, question marks and colons in strings */
-    for( i = 0; i < cnt; i++ )
+    else
     {
-        p = params[i];
-        q = params[i];
-
-        while( *p != '\0' )
-        {
-            if( *p == '\\' && *(p + 1) == 'n' )
-            {
-                p += 2;
-                *(q++) = '\n';
-            }
-            else if( *p == '\\' && *(p + 1) == ':' )
-            {
-                p += 2;
-                *(q++) = ':';
-            }
-            else if( *p == '\\' && *(p + 1) == '?' )
-            {
-                p += 2;
-                *(q++) = '?';
-            }
-            else
-                *(q++) = *(p++);
-        }
-        *q = '\0';
+        /* Unexpected parameter validation error */
+        test_info.failed = 1;
     }
 
-    return( cnt );
+    memset( param_fail_jmp, 0, sizeof(jmp_buf) );
+#else
+    fp( params );
+#endif
 }
 
-static int test_snprintf( size_t n, const char ref_buf[10], int ref_ret )
+/**
+ * \brief        Dispatches test functions based on function index.
+ *
+ * \param exp_id    Test function index.
+ *
+ * \return       DISPATCH_TEST_SUCCESS if found
+ *               DISPATCH_TEST_FN_NOT_FOUND if not found
+ *               DISPATCH_UNSUPPORTED_SUITE if not compile time enabled.
+ */
+int dispatch_test( int func_idx, void ** params )
 {
-    int ret;
-    char buf[10] = "xxxxxxxxx";
-    const char ref[10] = "xxxxxxxxx";
+    int ret = DISPATCH_TEST_SUCCESS;
+    TestWrapper_t fp = NULL;
 
-    ret = mbedtls_snprintf( buf, n, "%s", "123" );
-    if( ret < 0 || (size_t) ret >= n )
-        ret = -1;
-
-    if( strncmp( ref_buf, buf, sizeof( buf ) ) != 0 ||
-        ref_ret != ret ||
-        memcmp( buf + n, ref + n, sizeof( buf ) - n ) != 0 )
+    if ( func_idx < (int)( sizeof( test_funcs ) / sizeof( TestWrapper_t ) ) )
     {
-        return( 1 );
+        fp = test_funcs[func_idx];
+        if ( fp )
+            execute_function_ptr(fp, params);
+        else
+            ret = DISPATCH_UNSUPPORTED_SUITE;
+    }
+    else
+    {
+        ret = DISPATCH_TEST_FN_NOT_FOUND;
     }
 
-    return( 0 );
+    return( ret );
 }
 
-static int run_test_snprintf( void )
-{
-    return( test_snprintf( 0, "xxxxxxxxx",  -1 ) != 0 ||
-            test_snprintf( 1, "",           -1 ) != 0 ||
-            test_snprintf( 2, "1",          -1 ) != 0 ||
-            test_snprintf( 3, "12",         -1 ) != 0 ||
-            test_snprintf( 4, "123",         3 ) != 0 ||
-            test_snprintf( 5, "123",         3 ) != 0 );
-}
 
-int main(int argc, const char *argv[])
+/**
+ * \brief       Checks if test function is supported
+ *
+ * \param exp_id    Test function index.
+ *
+ * \return       DISPATCH_TEST_SUCCESS if found
+ *               DISPATCH_TEST_FN_NOT_FOUND if not found
+ *               DISPATCH_UNSUPPORTED_SUITE if not compile time enabled.
+ */
+int check_test( int func_idx )
 {
-    /* Local Configurations and options */
-    const char *default_filename = "TESTCASE_FILENAME";
-    const char *test_filename = NULL;
-    const char **test_files = NULL;
-    int testfile_count = 0;
-    int option_verbose = 0;
-
-    /* Other Local variables */
-    int arg_index = 1;
-    const char *next_arg;
-    int testfile_index, ret, i, cnt;
-    int total_errors = 0, total_tests = 0, total_skipped = 0;
-    FILE *file;
-    char buf[5000];
-    char *params[50];
-    void *pointer;
-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
-    int stdout_fd = -1;
-#endif /* __unix__ || __APPLE__ __MACH__ */
-
-#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \
-    !defined(TEST_SUITE_MEMORY_BUFFER_ALLOC)
-    unsigned char alloc_buf[1000000];
-    mbedtls_memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) );
-#endif
-
-    /*
-     * The C standard doesn't guarantee that all-bits-0 is the representation
-     * of a NULL pointer. We do however use that in our code for initializing
-     * structures, which should work on every modern platform. Let's be sure.
-     */
-    memset( &pointer, 0, sizeof( void * ) );
-    if( pointer != NULL )
-    {
-        mbedtls_fprintf( stderr, "all-bits-zero is not a NULL pointer\n" );
-        return( 1 );
-    }
+    int ret = DISPATCH_TEST_SUCCESS;
+    TestWrapper_t fp = NULL;
 
-    /*
-     * Make sure we have a snprintf that correctly zero-terminates
-     */
-    if( run_test_snprintf() != 0 )
+    if ( func_idx < (int)( sizeof(test_funcs)/sizeof( TestWrapper_t ) ) )
     {
-        mbedtls_fprintf( stderr, "the snprintf implementation is broken\n" );
-        return( 0 );
+        fp = test_funcs[func_idx];
+        if ( fp == NULL )
+            ret = DISPATCH_UNSUPPORTED_SUITE;
     }
-
-    while( arg_index < argc)
-    {
-        next_arg = argv[ arg_index ];
-
-        if( strcmp(next_arg, "--verbose" ) == 0 ||
-                 strcmp(next_arg, "-v" ) == 0 )
-        {
-            option_verbose = 1;
-        }
-        else if( strcmp(next_arg, "--help" ) == 0 ||
-                 strcmp(next_arg, "-h" ) == 0 )
-        {
-            mbedtls_fprintf( stdout, USAGE );
-            mbedtls_exit( EXIT_SUCCESS );
-        }
-        else
-        {
-            /* Not an option, therefore treat all further arguments as the file
-             * list.
-             */
-            test_files = &argv[ arg_index ];
-            testfile_count = argc - arg_index;
-        }
-
-        arg_index++;
-    }
-
-    /* If no files were specified, assume a default */
-    if ( test_files == NULL || testfile_count == 0 )
+    else
     {
-        test_files = &default_filename;
-        testfile_count = 1;
+        ret = DISPATCH_TEST_FN_NOT_FOUND;
     }
 
-    /* Initialize the struct that holds information about the last test */
-    memset( &test_info, 0, sizeof( test_info ) );
+    return( ret );
+}
 
-    /* Now begin to execute the tests in the testfiles */
-    for ( testfile_index = 0;
-          testfile_index < testfile_count;
-          testfile_index++ )
-    {
-        int unmet_dep_count = 0;
-        char *unmet_dependencies[20];
-
-        test_filename = test_files[ testfile_index ];
-
-        file = fopen( test_filename, "r" );
-        if( file == NULL )
-        {
-            mbedtls_fprintf( stderr, "Failed to open test file: %s\n",
-                             test_filename );
-            return( 1 );
-        }
-
-        while( !feof( file ) )
-        {
-            if( unmet_dep_count > 0 )
-            {
-                mbedtls_fprintf( stderr,
-                    "FATAL: Dep count larger than zero at start of loop\n" );
-                mbedtls_exit( MBEDTLS_EXIT_FAILURE );
-            }
-            unmet_dep_count = 0;
-
-            if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 )
-                break;
-            mbedtls_fprintf( stdout, "%s%.66s", test_info.failed ? "\n" : "", buf );
-            mbedtls_fprintf( stdout, " " );
-            for( i = strlen( buf ) + 1; i < 67; i++ )
-                mbedtls_fprintf( stdout, "." );
-            mbedtls_fprintf( stdout, " " );
-            fflush( stdout );
-
-            total_tests++;
-
-            if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 )
-                break;
-            cnt = parse_arguments( buf, strlen(buf), params );
-
-            if( strcmp( params[0], "depends_on" ) == 0 )
-            {
-                for( i = 1; i < cnt; i++ )
-                {
-                    if( dep_check( params[i] ) != DEPENDENCY_SUPPORTED )
-                    {
-                        if( 0 == option_verbose )
-                        {
-                            /* Only one count is needed if not verbose */
-                            unmet_dep_count++;
-                            break;
-                        }
-
-                        unmet_dependencies[ unmet_dep_count ] = strdup(params[i]);
-                        if(  unmet_dependencies[ unmet_dep_count ] == NULL )
-                        {
-                            mbedtls_fprintf( stderr, "FATAL: Out of memory\n" );
-                            mbedtls_exit( MBEDTLS_EXIT_FAILURE );
-                        }
-                        unmet_dep_count++;
-                    }
-                }
-
-                if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 )
-                    break;
-                cnt = parse_arguments( buf, strlen(buf), params );
-            }
-
-            // If there are no unmet dependencies execute the test
-            if( unmet_dep_count == 0 )
-            {
-                test_info.failed = 0;
-
-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
-                /* Suppress all output from the library unless we're verbose
-                 * mode
-                 */
-                if( !option_verbose )
-                {
-                    stdout_fd = redirect_output( &stdout, "/dev/null" );
-                    if( stdout_fd == -1 )
-                    {
-                        /* Redirection has failed with no stdout so exit */
-                        exit( 1 );
-                    }
-                }
-#endif /* __unix__ || __APPLE__ __MACH__ */
-
-                ret = dispatch_test( cnt, params );
-
-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
-                if( !option_verbose && restore_output( &stdout, stdout_fd ) )
-                {
-                        /* Redirection has failed with no stdout so exit */
-                        exit( 1 );
-                }
-#endif /* __unix__ || __APPLE__ __MACH__ */
-
-            }
-
-            if( unmet_dep_count > 0 || ret == DISPATCH_UNSUPPORTED_SUITE )
-            {
-                total_skipped++;
-                mbedtls_fprintf( stdout, "----" );
-
-                if( 1 == option_verbose && ret == DISPATCH_UNSUPPORTED_SUITE )
-                {
-                    mbedtls_fprintf( stdout, "\n   Test Suite not enabled" );
-                }
-
-                if( 1 == option_verbose && unmet_dep_count > 0 )
-                {
-                    mbedtls_fprintf( stdout, "\n   Unmet dependencies: " );
-                    for( i = 0; i < unmet_dep_count; i++ )
-                    {
-                        mbedtls_fprintf(stdout, "%s  ",
-                                        unmet_dependencies[i]);
-                        free(unmet_dependencies[i]);
-                    }
-                }
-                mbedtls_fprintf( stdout, "\n" );
-                fflush( stdout );
-
-                unmet_dep_count = 0;
-            }
-            else if( ret == DISPATCH_TEST_SUCCESS )
-            {
-                if( test_info.failed == 0 )
-                {
-                    mbedtls_fprintf( stdout, "PASS\n" );
-                }
-                else
-                {
-                    total_errors++;
-                    mbedtls_fprintf( stdout, "FAILED\n" );
-                    mbedtls_fprintf( stdout, "  %s\n  at line %d, %s\n",
-                                     test_info.test, test_info.line_no,
-                                     test_info.filename );
-                }
-                fflush( stdout );
-            }
-            else if( ret == DISPATCH_INVALID_TEST_DATA )
-            {
-                mbedtls_fprintf( stderr, "FAILED: FATAL PARSE ERROR\n" );
-                fclose( file );
-                mbedtls_exit( 2 );
-            }
-            else
-                total_errors++;
-
-            if( ( ret = get_line( file, buf, sizeof( buf ) ) ) != 0 )
-                break;
-            if( strlen( buf ) != 0 )
-            {
-                mbedtls_fprintf( stderr, "Should be empty %d\n",
-                                 (int) strlen( buf ) );
-                return( 1 );
-            }
-        }
-        fclose( file );
-
-        /* In case we encounter early end of file */
-        for( i = 0; i < unmet_dep_count; i++ )
-            free( unmet_dependencies[i] );
-    }
 
-    mbedtls_fprintf( stdout, "\n----------------------------------------------------------------------------\n\n");
-    if( total_errors == 0 )
-        mbedtls_fprintf( stdout, "PASSED" );
-    else
-        mbedtls_fprintf( stdout, "FAILED" );
+$platform_code
 
-    mbedtls_fprintf( stdout, " (%d / %d tests (%d skipped))\n",
-             total_tests - total_errors, total_tests, total_skipped );
+#line $line_no "suites/main_test.function"
 
-#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \
-    !defined(TEST_SUITE_MEMORY_BUFFER_ALLOC)
-#if defined(MBEDTLS_MEMORY_DEBUG)
-    mbedtls_memory_buffer_alloc_status();
-#endif
-    mbedtls_memory_buffer_alloc_free();
-#endif
+/*----------------------------------------------------------------------------*/
+/* Main Test code */
 
-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
-    if( stdout_fd != -1 )
-        close_output( stdout );
-#endif /* __unix__ || __APPLE__ __MACH__ */
 
-    return( total_errors != 0 );
+/**
+ * \brief       Program main. Invokes platform specific execute_tests().
+ *
+ * \param argc      Command line arguments count.
+ * \param argv      Array of command line arguments.
+ *
+ * \return       Exit code.
+ */
+int main( int argc, const char *argv[] )
+{
+    int ret = platform_setup();
+    if( ret != 0 )
+    {
+        mbedtls_fprintf( stderr,
+                         "FATAL: Failed to initialize platform - error %d\n",
+                         ret );
+        return( -1 );
+    }
+    ret = execute_tests( argc, argv );
+    platform_teardown();
+    return( ret );
 }
+
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/target_test.function b/3rdparty/mbedtls/mbedtls/tests/suites/target_test.function
new file mode 100644
index 0000000000..56abf29489
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/target_test.function
@@ -0,0 +1,413 @@
+#line 2 "suites/target_test.function"
+
+#include "greentea-client/test_env.h"
+
+/**
+ * \brief       Increments pointer and asserts that it does not overflow.
+ *
+ * \param p     Pointer to byte array
+ * \param start Pointer to start of byte array
+ * \param len   Length of byte array
+ * \param step  Increment size
+ *
+ */
+#define INCR_ASSERT(p, start, len, step) do                     \
+{                                                               \
+    assert( ( p ) >= ( start ) );                               \
+    assert( sizeof( *( p ) ) == sizeof( *( start ) ) );         \
+    /* <= is checked to support use inside a loop where         \
+       pointer is incremented after reading data.       */      \
+    assert( (uint32_t)( ( ( p ) - ( start ) ) + ( step ) ) <= ( len ) );\
+    ( p ) += ( step );                                          \
+}                                                               \
+while( 0 )
+
+
+/**
+ * \brief       4 byte align unsigned char pointer
+ *
+ * \param p     Pointer to byte array
+ * \param start Pointer to start of byte array
+ * \param len   Length of byte array
+ *
+ */
+#define ALIGN_32BIT(p, start, len) do               \
+{                                                   \
+    uint32_t align = ( - (uintptr_t)( p ) ) % 4;    \
+    INCR_ASSERT( ( p ), ( start ), ( len ), align );\
+}                                                   \
+while( 0 )
+
+
+/**
+ * \brief       Verify dependencies. Dependency identifiers are
+ *              encoded in the buffer as 8 bit unsigned integers.
+ *
+ * \param count     Number of dependencies.
+ * \param dep_p     Pointer to buffer.
+ *
+ * \return          DEPENDENCY_SUPPORTED if success else DEPENDENCY_NOT_SUPPORTED.
+ */
+int verify_dependencies( uint8_t count, uint8_t * dep_p )
+{
+    uint8_t i;
+    for ( i = 0; i < count; i++ )
+    {
+        if ( dep_check( (int)(dep_p[i]) ) != DEPENDENCY_SUPPORTED )
+            return( DEPENDENCY_NOT_SUPPORTED );
+    }
+    return( DEPENDENCY_SUPPORTED );
+}
+
+
+/**
+ * \brief       Receives unsigned integer on serial interface.
+ *              Integers are encoded in network order.
+ *
+ * \param none
+ *
+ * \return      unsigned int
+ */
+uint32_t receive_uint32()
+{
+    uint32_t value;
+    value =  (uint8_t)greentea_getc() << 24;
+    value |= (uint8_t)greentea_getc() << 16;
+    value |= (uint8_t)greentea_getc() << 8;
+    value |= (uint8_t)greentea_getc();
+    return( (uint32_t)value );
+}
+
+/**
+ * \brief       Parses out an unsigned 32 int value from the byte array.
+ *              Integers are encoded in network order.
+ *
+ * \param p     Pointer to byte array
+ *
+ * \return      unsigned int
+ */
+uint32_t parse_uint32( uint8_t * p )
+{
+    uint32_t value;
+    value =  *p++ << 24;
+    value |= *p++ << 16;
+    value |= *p++ << 8;
+    value |= *p;
+    return( value );
+}
+
+
+/**
+ * \brief       Receives test data on serial as greentea key,value pair:
+ *              {{<length>;<byte array>}}
+ *
+ * \param data_len  Out pointer to hold received data length.
+ *
+ * \return      Byte array.
+ */
+uint8_t * receive_data( uint32_t * data_len )
+{
+    uint32_t i = 0, errors = 0;
+    char c;
+    uint8_t * data = NULL;
+
+    /* Read opening braces */
+    i = 0;
+    while ( i < 2 )
+    {
+        c = greentea_getc();
+        /* Ignore any prevous CR LF characters */
+        if ( c == '\n' || c == '\r' )
+            continue;
+        i++;
+        if ( c != '{' )
+            return( NULL );
+    }
+
+    /* Read data length */
+    *data_len = receive_uint32();
+    data = (uint8_t *)malloc( *data_len );
+    assert( data != NULL );
+
+    greentea_getc(); // read ';' received after key i.e. *data_len
+
+    for( i = 0; i < *data_len; i++ )
+        data[i] = greentea_getc();
+
+    /* Read closing braces */
+    for( i = 0; i < 2; i++ )
+    {
+        c = greentea_getc();
+        if ( c != '}' )
+        {
+            errors++;
+            break;
+        }
+    }
+
+    if ( errors )
+    {
+        free( data );
+        data = NULL;
+        *data_len = 0;
+    }
+
+    return( data );
+}
+
+/**
+ * \brief       Parse the received byte array and count the number of arguments
+ *              to the test function passed as type hex.
+ *
+ * \param count     Parameter count
+ * \param data      Received Byte array
+ * \param data_len  Byte array length
+ *
+ * \return      count of hex params
+ */
+uint32_t find_hex_count( uint8_t count, uint8_t * data, uint32_t data_len )
+{
+    uint32_t i = 0, sz = 0;
+    char c;
+    uint8_t * p = NULL;
+    uint32_t hex_count = 0;
+
+    p = data;
+
+    for( i = 0; i < count; i++ )
+    {
+        c = (char)*p;
+        INCR_ASSERT( p, data, data_len, 1 );
+
+        /* Align p to 4 bytes for int, expression, string len or hex length */
+        ALIGN_32BIT( p, data, data_len );
+
+        /* Network to host conversion */
+        sz = (int32_t)parse_uint32( p );
+
+        INCR_ASSERT( p, data, data_len, sizeof( int32_t ) );
+
+        if ( c == 'H' || c == 'S' )
+        {
+            INCR_ASSERT( p, data, data_len, sz );
+            hex_count += ( c == 'H' )?1:0;
+        }
+    }
+
+    return( hex_count );
+}
+
+/**
+ * \brief       Parses received byte array for test parameters.
+ *
+ * \param count     Parameter count
+ * \param data      Received Byte array
+ * \param data_len  Byte array length
+ * \param error     Parsing error out variable.
+ *
+ * \return      Array of parsed parameters allocated on heap.
+ *              Note: Caller has the responsibility to delete
+ *                    the memory after use.
+ */
+void ** parse_parameters( uint8_t count, uint8_t * data, uint32_t data_len,
+                          int * error )
+{
+    uint32_t i = 0, hex_count = 0;
+    char c;
+    void ** params = NULL;
+    void ** cur = NULL;
+    uint8_t * p = NULL;
+
+    hex_count = find_hex_count(count, data, data_len);
+
+    params = (void **)malloc( sizeof( void *) * ( count + hex_count ) );
+    assert( params != NULL );
+    cur = params;
+
+    p = data;
+
+    /* Parameters */
+    for( i = 0; i < count; i++ )
+    {
+        c = (char)*p;
+        INCR_ASSERT( p, data, data_len, 1 );
+
+        /* Align p to 4 bytes for int, expression, string len or hex length */
+        ALIGN_32BIT( p, data, data_len );
+
+        /* Network to host conversion */
+        *( (int32_t *)p ) = (int32_t)parse_uint32( p );
+
+        switch( c )
+        {
+            case 'E':
+                {
+                    if ( get_expression( *( (int32_t *)p ), (int32_t *)p ) )
+                    {
+                        *error = KEY_VALUE_MAPPING_NOT_FOUND;
+                        goto exit;
+                    }
+                } /* Intentional fall through */
+            case 'I':
+                {
+                    *cur++ = (void *)p;
+                    INCR_ASSERT( p, data, data_len, sizeof( int32_t ) );
+                }
+                break;
+            case 'H': /* Intentional fall through */
+            case 'S':
+                {
+                    uint32_t * sz = (uint32_t *)p;
+                    INCR_ASSERT( p, data, data_len, sizeof( int32_t ) );
+                    *cur++ = (void *)p;
+                    if ( c == 'H' )
+                        *cur++ = (void *)sz;
+                    INCR_ASSERT( p, data, data_len, ( *sz ) );
+                }
+                break;
+            default:
+                    {
+                        *error = DISPATCH_INVALID_TEST_DATA;
+                        goto exit;
+                    }
+                break;
+        }
+    }
+
+exit:
+    if ( *error )
+    {
+        free( params );
+        params = NULL;
+    }
+
+    return( params );
+}
+
+/**
+ * \brief       Sends greentea key and int value pair to host.
+ *
+ * \param key   key string
+ * \param value integer value
+ *
+ * \return      void
+ */
+void send_key_integer( char * key, int value )
+{
+    char str[50];
+    snprintf( str, sizeof( str ), "%d", value );
+    greentea_send_kv( key, str );
+}
+
+/**
+ * \brief       Sends test setup failure to the host.
+ *
+ * \param failure   Test set failure
+ *
+ * \return      void
+ */
+void send_failure( int failure )
+{
+    send_key_integer( "F", failure );
+}
+
+/**
+ * \brief       Sends test status to the host.
+ *
+ * \param status    Test status (PASS=0/FAIL=!0)
+ *
+ * \return      void
+ */
+void send_status( int status )
+{
+    send_key_integer( "R", status );
+}
+
+
+/**
+ * \brief       Embedded implementation of execute_tests().
+ *              Ignores command line and received test data
+ *              on serial.
+ *
+ * \param argc  not used
+ * \param argv  not used
+ *
+ * \return      Program exit status.
+ */
+int execute_tests( int args, const char ** argv )
+{
+    int ret = 0;
+    uint32_t data_len = 0;
+    uint8_t count = 0, function_id;
+    void ** params = NULL;
+    uint8_t * data = NULL, * p = NULL;
+
+    GREENTEA_SETUP( 180, "mbedtls_test" );
+    greentea_send_kv( "GO", " " );
+
+    while ( 1 )
+    {
+        ret = 0;
+        test_info.failed = 0;
+        data_len = 0;
+
+        data = receive_data( &data_len );
+        if ( data == NULL )
+            continue;
+        p = data;
+
+        do
+        {
+            /* Read dependency count */
+            count = *p;
+            assert( count < data_len );
+            INCR_ASSERT( p, data, data_len, sizeof( uint8_t ) );
+            ret = verify_dependencies( count, p );
+            if ( ret != DEPENDENCY_SUPPORTED )
+                break;
+
+            if ( count )
+                INCR_ASSERT( p, data, data_len, count );
+
+            /* Read function id */
+            function_id = *p;
+            INCR_ASSERT( p, data, data_len, sizeof( uint8_t ) );
+            if ( ( ret = check_test( function_id ) ) != DISPATCH_TEST_SUCCESS )
+                break;
+
+            /* Read number of parameters */
+            count = *p;
+            INCR_ASSERT( p, data, data_len, sizeof( uint8_t ) );
+
+            /* Parse parameters if present */
+            if ( count )
+            {
+                params = parse_parameters( count, p, data_len - ( p - data ), &ret );
+                if ( ret )
+                    break;
+            }
+
+            ret = dispatch_test( function_id, params );
+        }
+        while ( 0 );
+
+        if ( data )
+        {
+            free( data );
+            data = NULL;
+        }
+
+        if ( params )
+        {
+            free( params );
+            params = NULL;
+        }
+
+        if ( ret )
+            send_failure( ret );
+        else
+            send_status( test_info.failed );
+    }
+    return( 0 );
+}
+
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aes.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aes.function
index c5f0eaac97..da8c1e9359 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aes.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aes.function
@@ -8,32 +8,22 @@
  */
 
 /* BEGIN_CASE */
-void aes_encrypt_ecb( char *hex_key_string, char *hex_src_string,
-                      char *hex_dst_string, int setkey_result )
+void aes_encrypt_ecb( data_t * key_str, data_t * src_str,
+                      data_t * hex_dst_string, int setkey_result )
 {
-    unsigned char key_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_aes_context ctx;
-    int key_len;
 
-    memset(key_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
-    mbedtls_aes_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( src_str, hex_src_string );
+    mbedtls_aes_init( &ctx );
 
-    TEST_ASSERT( mbedtls_aes_setkey_enc( &ctx, key_str, key_len * 8 ) == setkey_result );
+    TEST_ASSERT( mbedtls_aes_setkey_enc( &ctx, key_str->x, key_str->len * 8 ) == setkey_result );
     if( setkey_result == 0 )
     {
-        TEST_ASSERT( mbedtls_aes_crypt_ecb( &ctx, MBEDTLS_AES_ENCRYPT, src_str, output ) == 0 );
-        hexify( dst_str, output, 16 );
+        TEST_ASSERT( mbedtls_aes_crypt_ecb( &ctx, MBEDTLS_AES_ENCRYPT, src_str->x, output ) == 0 );
 
-        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, 16, hex_dst_string->len ) == 0 );
     }
 
 exit:
@@ -42,32 +32,22 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void aes_decrypt_ecb( char *hex_key_string, char *hex_src_string,
-                      char *hex_dst_string, int setkey_result )
+void aes_decrypt_ecb( data_t * key_str, data_t * src_str,
+                      data_t * hex_dst_string, int setkey_result )
 {
-    unsigned char key_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_aes_context ctx;
-    int key_len;
 
-    memset(key_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
-    mbedtls_aes_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( src_str, hex_src_string );
+    mbedtls_aes_init( &ctx );
 
-    TEST_ASSERT( mbedtls_aes_setkey_dec( &ctx, key_str, key_len * 8 ) == setkey_result );
+    TEST_ASSERT( mbedtls_aes_setkey_dec( &ctx, key_str->x, key_str->len * 8 ) == setkey_result );
     if( setkey_result == 0 )
     {
-        TEST_ASSERT( mbedtls_aes_crypt_ecb( &ctx, MBEDTLS_AES_DECRYPT, src_str, output ) == 0 );
-        hexify( dst_str, output, 16 );
+        TEST_ASSERT( mbedtls_aes_crypt_ecb( &ctx, MBEDTLS_AES_DECRYPT, src_str->x, output ) == 0 );
 
-        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, 16, hex_dst_string->len ) == 0 );
     }
 
 exit:
@@ -76,36 +56,23 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
-void aes_encrypt_cbc( char *hex_key_string, char *hex_iv_string,
-                      char *hex_src_string, char *hex_dst_string,
+void aes_encrypt_cbc( data_t * key_str, data_t * iv_str,
+                      data_t * src_str, data_t * hex_dst_string,
                       int cbc_result )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_aes_context ctx;
-    int key_len, data_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
-    mbedtls_aes_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    data_len = unhexify( src_str, hex_src_string );
+    mbedtls_aes_init( &ctx );
 
-    mbedtls_aes_setkey_enc( &ctx, key_str, key_len * 8 );
-    TEST_ASSERT( mbedtls_aes_crypt_cbc( &ctx, MBEDTLS_AES_ENCRYPT, data_len, iv_str, src_str, output ) == cbc_result );
+    mbedtls_aes_setkey_enc( &ctx, key_str->x, key_str->len * 8 );
+    TEST_ASSERT( mbedtls_aes_crypt_cbc( &ctx, MBEDTLS_AES_ENCRYPT, src_str->len, iv_str->x, src_str->x, output ) == cbc_result );
     if( cbc_result == 0 )
     {
-        hexify( dst_str, output, data_len );
 
-        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
     }
 
 exit:
@@ -114,36 +81,22 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
-void aes_decrypt_cbc( char *hex_key_string, char *hex_iv_string,
-                      char *hex_src_string, char *hex_dst_string,
+void aes_decrypt_cbc( data_t * key_str, data_t * iv_str,
+                      data_t * src_str, data_t * hex_dst_string,
                       int cbc_result )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_aes_context ctx;
-    int key_len, data_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_aes_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    data_len = unhexify( src_str, hex_src_string );
-
-    mbedtls_aes_setkey_dec( &ctx, key_str, key_len * 8 );
-    TEST_ASSERT( mbedtls_aes_crypt_cbc( &ctx, MBEDTLS_AES_DECRYPT, data_len, iv_str, src_str, output ) == cbc_result );
+    mbedtls_aes_setkey_dec( &ctx, key_str->x, key_str->len * 8 );
+    TEST_ASSERT( mbedtls_aes_crypt_cbc( &ctx, MBEDTLS_AES_DECRYPT, src_str->len, iv_str->x, src_str->x, output ) == cbc_result );
     if( cbc_result == 0)
     {
-        hexify( dst_str, output, data_len );
 
-        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
     }
 
 exit:
@@ -151,35 +104,144 @@ exit:
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
+void aes_encrypt_xts( char *hex_key_string, char *hex_data_unit_string,
+                      char *hex_src_string, char *hex_dst_string )
+{
+    enum { AES_BLOCK_SIZE = 16 };
+    unsigned char *data_unit = NULL;
+    unsigned char *key = NULL;
+    unsigned char *src = NULL;
+    unsigned char *dst = NULL;
+    unsigned char *output = NULL;
+    mbedtls_aes_xts_context ctx;
+    size_t key_len, src_len, dst_len, data_unit_len;
+
+    mbedtls_aes_xts_init( &ctx );
+
+    data_unit = unhexify_alloc( hex_data_unit_string, &data_unit_len );
+    TEST_ASSERT( data_unit_len == AES_BLOCK_SIZE );
+
+    key = unhexify_alloc( hex_key_string, &key_len );
+    TEST_ASSERT( key_len % 2 == 0 );
+
+    src = unhexify_alloc( hex_src_string, &src_len );
+    dst = unhexify_alloc( hex_dst_string, &dst_len );
+    TEST_ASSERT( src_len == dst_len );
+
+    output = zero_alloc( dst_len );
+
+    TEST_ASSERT( mbedtls_aes_xts_setkey_enc( &ctx, key, key_len * 8 ) == 0 );
+    TEST_ASSERT( mbedtls_aes_crypt_xts( &ctx, MBEDTLS_AES_ENCRYPT, src_len,
+                                        data_unit, src, output ) == 0 );
+
+    TEST_ASSERT( memcmp( output, dst, dst_len ) == 0 );
+
+exit:
+    mbedtls_aes_xts_free( &ctx );
+    mbedtls_free( data_unit );
+    mbedtls_free( key );
+    mbedtls_free( src );
+    mbedtls_free( dst );
+    mbedtls_free( output );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
+void aes_decrypt_xts( char *hex_key_string, char *hex_data_unit_string,
+                      char *hex_dst_string, char *hex_src_string )
+{
+    enum { AES_BLOCK_SIZE = 16 };
+    unsigned char *data_unit = NULL;
+    unsigned char *key = NULL;
+    unsigned char *src = NULL;
+    unsigned char *dst = NULL;
+    unsigned char *output = NULL;
+    mbedtls_aes_xts_context ctx;
+    size_t key_len, src_len, dst_len, data_unit_len;
+
+    mbedtls_aes_xts_init( &ctx );
+
+    data_unit = unhexify_alloc( hex_data_unit_string, &data_unit_len );
+    TEST_ASSERT( data_unit_len == AES_BLOCK_SIZE );
+
+    key = unhexify_alloc( hex_key_string, &key_len );
+    TEST_ASSERT( key_len % 2 == 0 );
+
+    src = unhexify_alloc( hex_src_string, &src_len );
+    dst = unhexify_alloc( hex_dst_string, &dst_len );
+    TEST_ASSERT( src_len == dst_len );
+
+    output = zero_alloc( dst_len );
+
+    TEST_ASSERT( mbedtls_aes_xts_setkey_dec( &ctx, key, key_len * 8 ) == 0 );
+    TEST_ASSERT( mbedtls_aes_crypt_xts( &ctx, MBEDTLS_AES_DECRYPT, src_len,
+                                        data_unit, src, output ) == 0 );
+
+    TEST_ASSERT( memcmp( output, dst, dst_len ) == 0 );
+
+exit:
+    mbedtls_aes_xts_free( &ctx );
+    mbedtls_free( data_unit );
+    mbedtls_free( key );
+    mbedtls_free( src );
+    mbedtls_free( dst );
+    mbedtls_free( output );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
+void aes_crypt_xts_size( int size, int retval )
+{
+    mbedtls_aes_xts_context ctx;
+    const unsigned char src[16] = { 0 };
+    unsigned char output[16];
+    unsigned char data_unit[16];
+    size_t length = size;
+
+    mbedtls_aes_xts_init( &ctx );
+    memset( data_unit, 0x00, sizeof( data_unit ) );
+
+
+    /* Valid pointers are passed for builds with MBEDTLS_CHECK_PARAMS, as
+     * otherwise we wouldn't get to the size check we're interested in. */
+    TEST_ASSERT( mbedtls_aes_crypt_xts( &ctx, MBEDTLS_AES_ENCRYPT, length, data_unit, src, output ) == retval );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
+void aes_crypt_xts_keysize( int size, int retval )
+{
+    mbedtls_aes_xts_context ctx;
+    const unsigned char key[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
+    size_t key_len = size;
+
+    mbedtls_aes_xts_init( &ctx );
+
+    TEST_ASSERT( mbedtls_aes_xts_setkey_enc( &ctx, key, key_len * 8 ) == retval );
+    TEST_ASSERT( mbedtls_aes_xts_setkey_dec( &ctx, key, key_len * 8 ) == retval );
+exit:
+    mbedtls_aes_xts_free( &ctx );
+}
+/* END_CASE */
+
+
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
-void aes_encrypt_cfb128( char *hex_key_string, char *hex_iv_string,
-                         char *hex_src_string, char *hex_dst_string )
+void aes_encrypt_cfb128( data_t * key_str, data_t * iv_str,
+                         data_t * src_str, data_t * hex_dst_string )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_aes_context ctx;
     size_t iv_offset = 0;
-    int key_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_aes_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    unhexify( src_str, hex_src_string );
 
-    mbedtls_aes_setkey_enc( &ctx, key_str, key_len * 8 );
-    TEST_ASSERT( mbedtls_aes_crypt_cfb128( &ctx, MBEDTLS_AES_ENCRYPT, 16, &iv_offset, iv_str, src_str, output ) == 0 );
-    hexify( dst_str, output, 16 );
+    mbedtls_aes_setkey_enc( &ctx, key_str->x, key_str->len * 8 );
+    TEST_ASSERT( mbedtls_aes_crypt_cfb128( &ctx, MBEDTLS_AES_ENCRYPT, 16, &iv_offset, iv_str->x, src_str->x, output ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, 16, hex_dst_string->len ) == 0 );
 
 exit:
     mbedtls_aes_free( &ctx );
@@ -187,34 +249,21 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
-void aes_decrypt_cfb128( char *hex_key_string, char *hex_iv_string,
-                         char *hex_src_string, char *hex_dst_string )
+void aes_decrypt_cfb128( data_t * key_str, data_t * iv_str,
+                         data_t * src_str, data_t * hex_dst_string )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_aes_context ctx;
     size_t iv_offset = 0;
-    int key_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_aes_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    unhexify( src_str, hex_src_string );
 
-    mbedtls_aes_setkey_enc( &ctx, key_str, key_len * 8 );
-    TEST_ASSERT( mbedtls_aes_crypt_cfb128( &ctx, MBEDTLS_AES_DECRYPT, 16, &iv_offset, iv_str, src_str, output ) == 0 );
-    hexify( dst_str, output, 16 );
+    mbedtls_aes_setkey_enc( &ctx, key_str->x, key_str->len * 8 );
+    TEST_ASSERT( mbedtls_aes_crypt_cfb128( &ctx, MBEDTLS_AES_DECRYPT, 16, &iv_offset, iv_str->x, src_str->x, output ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, 16, hex_dst_string->len ) == 0 );
 
 exit:
     mbedtls_aes_free( &ctx );
@@ -222,33 +271,20 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
-void aes_encrypt_cfb8( char *hex_key_string, char *hex_iv_string,
-                       char *hex_src_string, char *hex_dst_string )
+void aes_encrypt_cfb8( data_t * key_str, data_t * iv_str,
+                       data_t * src_str, data_t * hex_dst_string )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_aes_context ctx;
-    int key_len, src_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_aes_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    src_len = unhexify( src_str, hex_src_string );
 
-    mbedtls_aes_setkey_enc( &ctx, key_str, key_len * 8 );
-    TEST_ASSERT( mbedtls_aes_crypt_cfb8( &ctx, MBEDTLS_AES_ENCRYPT, src_len, iv_str, src_str, output ) == 0 );
-    hexify( dst_str, output, src_len );
+    mbedtls_aes_setkey_enc( &ctx, key_str->x, key_str->len * 8 );
+    TEST_ASSERT( mbedtls_aes_crypt_cfb8( &ctx, MBEDTLS_AES_ENCRYPT, src_str->len, iv_str->x, src_str->x, output ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
 
 exit:
     mbedtls_aes_free( &ctx );
@@ -256,41 +292,338 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
-void aes_decrypt_cfb8( char *hex_key_string, char *hex_iv_string,
-                       char *hex_src_string, char *hex_dst_string )
+void aes_decrypt_cfb8( data_t * key_str, data_t * iv_str,
+                       data_t * src_str, data_t * hex_dst_string )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_aes_context ctx;
-    int key_len, src_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_aes_init( &ctx );
 
+
+    mbedtls_aes_setkey_enc( &ctx, key_str->x, key_str->len * 8 );
+    TEST_ASSERT( mbedtls_aes_crypt_cfb8( &ctx, MBEDTLS_AES_DECRYPT, src_str->len, iv_str->x, src_str->x, output ) == 0 );
+
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
+
+exit:
+    mbedtls_aes_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_OFB */
+void aes_encrypt_ofb( int fragment_size, char *hex_key_string,
+                      char *hex_iv_string, char *hex_src_string,
+                      char *hex_dst_string )
+{
+    unsigned char key_str[32];
+    unsigned char iv_str[16];
+    unsigned char src_str[64];
+    unsigned char dst_str[64];
+    unsigned char output[32];
+    mbedtls_aes_context ctx;
+    size_t iv_offset = 0;
+    int in_buffer_len;
+    unsigned char* src_str_next;
+    int key_len;
+
+    memset( key_str, 0x00, sizeof( key_str ) );
+    memset( iv_str, 0x00, sizeof( iv_str ) );
+    memset( src_str, 0x00, sizeof( src_str ) );
+    memset( dst_str, 0x00, sizeof( dst_str ) );
+    memset( output, 0x00, sizeof( output ) );
+    mbedtls_aes_init( &ctx );
+
+    TEST_ASSERT( strlen( hex_key_string ) <= ( 32 * 2 ) );
+    TEST_ASSERT( strlen( hex_iv_string ) <= ( 16 * 2 ) );
+    TEST_ASSERT( strlen( hex_src_string ) <= ( 64 * 2 ) );
+    TEST_ASSERT( strlen( hex_dst_string ) <= ( 64 * 2 ) );
+
     key_len = unhexify( key_str, hex_key_string );
     unhexify( iv_str, hex_iv_string );
-    src_len = unhexify( src_str, hex_src_string );
+    in_buffer_len = unhexify( src_str, hex_src_string );
+
+    TEST_ASSERT( mbedtls_aes_setkey_enc( &ctx, key_str, key_len * 8 ) == 0 );
+    src_str_next = src_str;
+
+    while( in_buffer_len > 0 )
+    {
+        TEST_ASSERT( mbedtls_aes_crypt_ofb( &ctx, fragment_size, &iv_offset,
+                                            iv_str, src_str_next, output ) == 0 );
 
-    mbedtls_aes_setkey_enc( &ctx, key_str, key_len * 8 );
-    TEST_ASSERT( mbedtls_aes_crypt_cfb8( &ctx, MBEDTLS_AES_DECRYPT, src_len, iv_str, src_str, output ) == 0 );
-    hexify( dst_str, output, src_len );
+        hexify( dst_str, output, fragment_size );
+        TEST_ASSERT( strncmp( (char *) dst_str, hex_dst_string,
+                              ( 2 * fragment_size ) ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+        in_buffer_len -= fragment_size;
+        hex_dst_string += ( fragment_size * 2 );
+        src_str_next += fragment_size;
+
+        if( in_buffer_len < fragment_size )
+            fragment_size = in_buffer_len;
+    }
 
 exit:
     mbedtls_aes_free( &ctx );
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void aes_check_params( )
+{
+    mbedtls_aes_context aes_ctx;
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    mbedtls_aes_xts_context xts_ctx;
+#endif
+    const unsigned char key[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
+    const unsigned char in[16] = { 0 };
+    unsigned char out[16];
+    size_t size;
+    const int valid_mode = MBEDTLS_AES_ENCRYPT;
+    const int invalid_mode = 42;
+
+    TEST_INVALID_PARAM( mbedtls_aes_init( NULL ) );
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    TEST_INVALID_PARAM( mbedtls_aes_xts_init( NULL ) );
+#endif
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_setkey_enc( NULL, key, 128 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_setkey_enc( &aes_ctx, NULL, 128 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_setkey_dec( NULL, key, 128 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_setkey_dec( &aes_ctx, NULL, 128 ) );
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_xts_setkey_enc( NULL, key, 128 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_xts_setkey_enc( &xts_ctx, NULL, 128 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_xts_setkey_dec( NULL, key, 128 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_xts_setkey_dec( &xts_ctx, NULL, 128 ) );
+#endif
+
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_ecb( NULL,
+                                                   valid_mode, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_ecb( &aes_ctx,
+                                                   invalid_mode, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_ecb( &aes_ctx,
+                                                   valid_mode, NULL, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_ecb( &aes_ctx,
+                                                   valid_mode, in, NULL ) );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_cbc( NULL,
+                                                   valid_mode, 16,
+                                                   out, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_cbc( &aes_ctx,
+                                                   invalid_mode, 16,
+                                                   out, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_cbc( &aes_ctx,
+                                                   valid_mode, 16,
+                                                   NULL, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_cbc( &aes_ctx,
+                                                   valid_mode, 16,
+                                                   out, NULL, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_cbc( &aes_ctx,
+                                                   valid_mode, 16,
+                                                   out, in, NULL ) );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_xts( NULL,
+                                                   valid_mode, 16,
+                                                   in, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_xts( &xts_ctx,
+                                                   invalid_mode, 16,
+                                                   in, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_xts( &xts_ctx,
+                                                   valid_mode, 16,
+                                                   NULL, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_xts( &xts_ctx,
+                                                   valid_mode, 16,
+                                                   in, NULL, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_xts( &xts_ctx,
+                                                   valid_mode, 16,
+                                                   in, in, NULL ) );
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_cfb128( NULL,
+                                                      valid_mode, 16,
+                                                      &size, out, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_cfb128( &aes_ctx,
+                                                      invalid_mode, 16,
+                                                      &size, out, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_cfb128( &aes_ctx,
+                                                      valid_mode, 16,
+                                                      NULL, out, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_cfb128( &aes_ctx,
+                                                      valid_mode, 16,
+                                                      &size, NULL, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_cfb128( &aes_ctx,
+                                                      valid_mode, 16,
+                                                      &size, out, NULL, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_cfb128( &aes_ctx,
+                                                      valid_mode, 16,
+                                                      &size, out, in, NULL ) );
+
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_cfb8( NULL,
+                                                    valid_mode, 16,
+                                                    out, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_cfb8( &aes_ctx,
+                                                    invalid_mode, 16,
+                                                    out, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_cfb8( &aes_ctx,
+                                                    valid_mode, 16,
+                                                    NULL, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_cfb8( &aes_ctx,
+                                                    valid_mode, 16,
+                                                    out, NULL, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_cfb8( &aes_ctx,
+                                                    valid_mode, 16,
+                                                    out, in, NULL ) );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_ofb( NULL, 16,
+                                                   &size, out, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_ofb( &aes_ctx, 16,
+                                                   NULL, out, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_ofb( &aes_ctx, 16,
+                                                   &size, NULL, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_ofb( &aes_ctx, 16,
+                                                   &size, out, NULL, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_ofb( &aes_ctx, 16,
+                                                   &size, out, in, NULL ) );
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_ctr( NULL, 16, &size, out,
+                                                   out, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_ctr( &aes_ctx, 16, NULL, out,
+                                                   out, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_ctr( &aes_ctx, 16, &size, NULL,
+                                                   out, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_ctr( &aes_ctx, 16, &size, out,
+                                                   NULL, in, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_ctr( &aes_ctx, 16, &size, out,
+                                                   out, NULL, out ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_AES_BAD_INPUT_DATA,
+                            mbedtls_aes_crypt_ctr( &aes_ctx, 16, &size, out,
+                                                   out, in, NULL ) );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void aes_misc_params( )
+{
+#if defined(MBEDTLS_CIPHER_MODE_CBC) || \
+    defined(MBEDTLS_CIPHER_MODE_XTS) || \
+    defined(MBEDTLS_CIPHER_MODE_CFB) || \
+    defined(MBEDTLS_CIPHER_MODE_OFB)
+    mbedtls_aes_context aes_ctx;
+    const unsigned char in[16] = { 0 };
+    unsigned char out[16];
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    mbedtls_aes_xts_context xts_ctx;
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB) || \
+    defined(MBEDTLS_CIPHER_MODE_OFB)
+    size_t size;
+#endif
+
+    /* These calls accept NULL */
+    TEST_VALID_PARAM( mbedtls_aes_free( NULL ) );
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    TEST_VALID_PARAM( mbedtls_aes_xts_free( NULL ) );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    TEST_ASSERT( mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_ENCRYPT,
+                                        15,
+                                        out, in, out )
+                 == MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
+    TEST_ASSERT( mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_ENCRYPT,
+                                        17,
+                                        out, in, out )
+                 == MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    TEST_ASSERT( mbedtls_aes_crypt_xts( &xts_ctx, MBEDTLS_AES_ENCRYPT,
+                                        15,
+                                        in, in, out )
+                 == MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
+    TEST_ASSERT( mbedtls_aes_crypt_xts( &xts_ctx, MBEDTLS_AES_ENCRYPT,
+                                        (1 << 24) + 1,
+                                        in, in, out )
+                 == MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    size = 16;
+    TEST_ASSERT( mbedtls_aes_crypt_cfb128( &aes_ctx, MBEDTLS_AES_ENCRYPT, 16,
+                                           &size, out, in, out )
+                 == MBEDTLS_ERR_AES_BAD_INPUT_DATA );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    size = 16;
+    TEST_ASSERT( mbedtls_aes_crypt_ofb( &aes_ctx, 16, &size, out, in, out )
+                 == MBEDTLS_ERR_AES_BAD_INPUT_DATA );
+#endif
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void aes_selftest()
+void aes_selftest(  )
 {
     TEST_ASSERT( mbedtls_aes_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aes.ofb.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aes.ofb.data
new file mode 100644
index 0000000000..4b9d80e8d9
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aes.ofb.data
@@ -0,0 +1,35 @@
+# NIST Special Publication 800-38A
+# Recommendation for Block Cipher Modes of Operation
+# Test Vectors - Appendix F, Section F.4
+OFB-AES128.Encrypt - Single block
+depends_on:MBEDTLS_CIPHER_MODE_OFB
+aes_encrypt_ofb:16:"2b7e151628aed2a6abf7158809cf4f3c":"000102030405060708090a0b0c0d0e0f":"6bc1bee22e409f96e93d7e117393172a":"3b3fd92eb72dad20333449f8e83cfb4a"
+
+OFB-AES128.Encrypt - Partial blocks - 7 bytes
+depends_on:MBEDTLS_CIPHER_MODE_OFB
+aes_encrypt_ofb:5:"2b7e151628aed2a6abf7158809cf4f3c":"000102030405060708090a0b0c0d0e0f":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":"3b3fd92eb72dad20333449f8e83cfb4a7789508d16918f03f53c52dac54ed8259740051e9c5fecf64344f7a82260edcc304c6528f659c77866a510d9c1d6ae5e"
+
+OFB-AES128.Encrypt - Test NIST SP800-38A - F.4.1
+depends_on:MBEDTLS_CIPHER_MODE_OFB
+aes_encrypt_ofb:16:"2b7e151628aed2a6abf7158809cf4f3c":"000102030405060708090a0b0c0d0e0f":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":"3b3fd92eb72dad20333449f8e83cfb4a7789508d16918f03f53c52dac54ed8259740051e9c5fecf64344f7a82260edcc304c6528f659c77866a510d9c1d6ae5e"
+
+OFB-AES128.Decrypt - Test NIST SP800-38A - F.4.2
+depends_on:MBEDTLS_CIPHER_MODE_OFB
+aes_encrypt_ofb:16:"2b7e151628aed2a6abf7158809cf4f3c":"000102030405060708090a0b0c0d0e0f":"3b3fd92eb72dad20333449f8e83cfb4a7789508d16918f03f53c52dac54ed8259740051e9c5fecf64344f7a82260edcc304c6528f659c77866a510d9c1d6ae5e":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710"
+
+OFB-AES192.Encrypt - Test NIST SP800-38A - F.4.3
+depends_on:MBEDTLS_CIPHER_MODE_OFB
+aes_encrypt_ofb:16:"8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b":"000102030405060708090a0b0c0d0e0f":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":"cdc80d6fddf18cab34c25909c99a4174fcc28b8d4c63837c09e81700c11004018d9a9aeac0f6596f559c6d4daf59a5f26d9f200857ca6c3e9cac524bd9acc92a"
+
+OFB-AES192.Decrypt - Test NIST SP800-38A - F.4.4
+depends_on:MBEDTLS_CIPHER_MODE_OFB
+aes_encrypt_ofb:16:"8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b":"000102030405060708090a0b0c0d0e0f":"cdc80d6fddf18cab34c25909c99a4174fcc28b8d4c63837c09e81700c11004018d9a9aeac0f6596f559c6d4daf59a5f26d9f200857ca6c3e9cac524bd9acc92a":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710"
+
+OFB-AES256.Encrypt - Test NIST SP800-38A - F.4.5
+depends_on:MBEDTLS_CIPHER_MODE_OFB
+aes_encrypt_ofb:16:"603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4":"000102030405060708090a0b0c0d0e0f":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710":"dc7e84bfda79164b7ecd8486985d38604febdc6740d20b3ac88f6ad82a4fb08d71ab47a086e86eedf39d1c5bba97c4080126141d67f37be8538f5a8be740e484"
+
+OFB-AES256.Decrypt - Test NIST SP800-38A - F.4.6
+depends_on:MBEDTLS_CIPHER_MODE_OFB
+aes_encrypt_ofb:16:"603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4":"000102030405060708090a0b0c0d0e0f":"dc7e84bfda79164b7ecd8486985d38604febdc6740d20b3ac88f6ad82a4fb08d71ab47a086e86eedf39d1c5bba97c4080126141d67f37be8538f5a8be740e484":"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710"
+
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aes.rest.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aes.rest.data
index bbb222f101..6a76b43eb8 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aes.rest.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aes.rest.data
@@ -10,6 +10,12 @@ aes_encrypt_cbc:"000000000000000000000000000000000000000000000000000000000000000
 AES-256-CBC Decrypt (Invalid input length)
 aes_decrypt_cbc:"0000000000000000000000000000000000000000000000000000000000000000":"00000000000000000000000000000000":"623a52fcea5d443e48d9181ab32c74":"":MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
 
+AES - Optional Parameter Validation (MBEDTLS_CHECK_PARAMS)
+aes_check_params:
+
+AES - Mandatory Parameter Validation and Valid Parameters
+aes_misc_params:
+
 AES Selftest
 depends_on:MBEDTLS_SELF_TEST
 aes_selftest:
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aes.xts.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aes.xts.data
new file mode 100644
index 0000000000..647819e0de
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aes.xts.data
@@ -0,0 +1,158 @@
+#
+# Tests for expected errors (negative tests)
+#
+AES-128-XTS Encrypt Fail Sector Too Small (by 16 bytes)
+aes_crypt_xts_size:0:MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+
+AES-128-XTS Encrypt Fail Sector Too Small (by 1 byte)
+aes_crypt_xts_size:15:MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+
+AES-128-XTS Encrypt Fail Sector Too Large (by 1 byte)
+aes_crypt_xts_size:16777217:MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+
+AES-128-XTS Encrypt Fail Sector Too Large (by 1 block)
+aes_crypt_xts_size:16777232:MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+
+AES-0-XTS Setkey Fail Invalid Key Length
+aes_crypt_xts_keysize:0:MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+
+AES-4-XTS Setkey Fail Invalid Key Length
+aes_crypt_xts_keysize:1:MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+
+AES-64-XTS Setkey Fail Invalid Key Length
+aes_crypt_xts_keysize:16:MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+
+AES-192-XTS Setkey Fail Invalid Key Length
+aes_crypt_xts_keysize:48:MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+
+AES-384-XTS Setkey Fail Invalid Key Length
+aes_crypt_xts_keysize:96:MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+
+#
+# IEEE P1619/D16 Annex B Test Vectors
+# http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
+#
+# 128-bit keys with 32 byte sector
+#
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 1
+aes_encrypt_xts:"0000000000000000000000000000000000000000000000000000000000000000":"00000000000000000000000000000000":"0000000000000000000000000000000000000000000000000000000000000000":"917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 2
+aes_encrypt_xts:"1111111111111111111111111111111122222222222222222222222222222222":"33333333330000000000000000000000":"4444444444444444444444444444444444444444444444444444444444444444":"c454185e6a16936e39334038acef838bfb186fff7480adc4289382ecd6d394f0"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 3
+aes_encrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f022222222222222222222222222222222":"33333333330000000000000000000000":"4444444444444444444444444444444444444444444444444444444444444444":"af85336b597afc1a900b2eb21ec949d292df4c047e0b21532186a5971a227a89"
+
+#
+# 128-bit keys with 512 byte sector
+#
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 4
+aes_encrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"00000000000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412328063fd2aab53e5ea1e0a9f332500a5df9487d07a5c92cc512c8866c7e860ce93fdf166a24912b422976146ae20ce846bb7dc9ba94a767aaef20c0d61ad02655ea92dc4c4e41a8952c651d33174be51a10c421110e6d81588ede82103a252d8a750e8768defffed9122810aaeb99f9172af82b604dc4b8e51bcb08235a6f4341332e4ca60482a4ba1a03b3e65008fc5da76b70bf1690db4eae29c5f1badd03c5ccf2a55d705ddcd86d449511ceb7ec30bf12b1fa35b913f9f747a8afd1b130e94bff94effd01a91735ca1726acd0b197c4e5b03393697e126826fb6bbde8ecc1e08298516e2c9ed03ff3c1b7860f6de76d4cecd94c8119855ef5297ca67e9f3e7ff72b1e99785ca0a7e7720c5b36dc6d72cac9574c8cbbc2f801e23e56fd344b07f22154beba0f08ce8891e643ed995c94d9a69c9f1b5f499027a78572aeebd74d20cc39881c213ee770b1010e4bea718846977ae119f7a023ab58cca0ad752afe656bb3c17256a9f6e9bf19fdd5a38fc82bbe872c5539edb609ef4f79c203ebb140f2e583cb2ad15b4aa5b655016a8449277dbd477ef2c8d6c017db738b18deb4a427d1923ce3ff262735779a418f20a282df920147beabe421ee5319d0568"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 5
+aes_encrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"01000000000000000000000000000000":"27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412328063fd2aab53e5ea1e0a9f332500a5df9487d07a5c92cc512c8866c7e860ce93fdf166a24912b422976146ae20ce846bb7dc9ba94a767aaef20c0d61ad02655ea92dc4c4e41a8952c651d33174be51a10c421110e6d81588ede82103a252d8a750e8768defffed9122810aaeb99f9172af82b604dc4b8e51bcb08235a6f4341332e4ca60482a4ba1a03b3e65008fc5da76b70bf1690db4eae29c5f1badd03c5ccf2a55d705ddcd86d449511ceb7ec30bf12b1fa35b913f9f747a8afd1b130e94bff94effd01a91735ca1726acd0b197c4e5b03393697e126826fb6bbde8ecc1e08298516e2c9ed03ff3c1b7860f6de76d4cecd94c8119855ef5297ca67e9f3e7ff72b1e99785ca0a7e7720c5b36dc6d72cac9574c8cbbc2f801e23e56fd344b07f22154beba0f08ce8891e643ed995c94d9a69c9f1b5f499027a78572aeebd74d20cc39881c213ee770b1010e4bea718846977ae119f7a023ab58cca0ad752afe656bb3c17256a9f6e9bf19fdd5a38fc82bbe872c5539edb609ef4f79c203ebb140f2e583cb2ad15b4aa5b655016a8449277dbd477ef2c8d6c017db738b18deb4a427d1923ce3ff262735779a418f20a282df920147beabe421ee5319d0568":"264d3ca8512194fec312c8c9891f279fefdd608d0c027b60483a3fa811d65ee59d52d9e40ec5672d81532b38b6b089ce951f0f9c35590b8b978d175213f329bb1c2fd30f2f7f30492a61a532a79f51d36f5e31a7c9a12c286082ff7d2394d18f783e1a8e72c722caaaa52d8f065657d2631fd25bfd8e5baad6e527d763517501c68c5edc3cdd55435c532d7125c8614deed9adaa3acade5888b87bef641c4c994c8091b5bcd387f3963fb5bc37aa922fbfe3df4e5b915e6eb514717bdd2a74079a5073f5c4bfd46adf7d282e7a393a52579d11a028da4d9cd9c77124f9648ee383b1ac763930e7162a8d37f350b2f74b8472cf09902063c6b32e8c2d9290cefbd7346d1c779a0df50edcde4531da07b099c638e83a755944df2aef1aa31752fd323dcb710fb4bfbb9d22b925bc3577e1b8949e729a90bbafeacf7f7879e7b1147e28ba0bae940db795a61b15ecf4df8db07b824bb062802cc98a9545bb2aaeed77cb3fc6db15dcd7d80d7d5bc406c4970a3478ada8899b329198eb61c193fb6275aa8ca340344a75a862aebe92eee1ce032fd950b47d7704a3876923b4ad62844bf4a09c4dbe8b4397184b7471360c9564880aedddb9baa4af2e75394b08cd32ff479c57a07d3eab5d54de5f9738b8d27f27a9f0ab11799d7b7ffefb2704c95c6ad12c39f1e867a4b7b1d7818a4b753dfd2a89ccb45e001a03a867b187f225dd"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 6
+aes_encrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"02000000000000000000000000000000":"264d3ca8512194fec312c8c9891f279fefdd608d0c027b60483a3fa811d65ee59d52d9e40ec5672d81532b38b6b089ce951f0f9c35590b8b978d175213f329bb1c2fd30f2f7f30492a61a532a79f51d36f5e31a7c9a12c286082ff7d2394d18f783e1a8e72c722caaaa52d8f065657d2631fd25bfd8e5baad6e527d763517501c68c5edc3cdd55435c532d7125c8614deed9adaa3acade5888b87bef641c4c994c8091b5bcd387f3963fb5bc37aa922fbfe3df4e5b915e6eb514717bdd2a74079a5073f5c4bfd46adf7d282e7a393a52579d11a028da4d9cd9c77124f9648ee383b1ac763930e7162a8d37f350b2f74b8472cf09902063c6b32e8c2d9290cefbd7346d1c779a0df50edcde4531da07b099c638e83a755944df2aef1aa31752fd323dcb710fb4bfbb9d22b925bc3577e1b8949e729a90bbafeacf7f7879e7b1147e28ba0bae940db795a61b15ecf4df8db07b824bb062802cc98a9545bb2aaeed77cb3fc6db15dcd7d80d7d5bc406c4970a3478ada8899b329198eb61c193fb6275aa8ca340344a75a862aebe92eee1ce032fd950b47d7704a3876923b4ad62844bf4a09c4dbe8b4397184b7471360c9564880aedddb9baa4af2e75394b08cd32ff479c57a07d3eab5d54de5f9738b8d27f27a9f0ab11799d7b7ffefb2704c95c6ad12c39f1e867a4b7b1d7818a4b753dfd2a89ccb45e001a03a867b187f225dd":"fa762a3680b76007928ed4a4f49a9456031b704782e65e16cecb54ed7d017b5e18abd67b338e81078f21edb7868d901ebe9c731a7c18b5e6dec1d6a72e078ac9a4262f860beefa14f4e821018272e411a951502b6e79066e84252c3346f3aa62344351a291d4bedc7a07618bdea2af63145cc7a4b8d4070691ae890cd65733e7946e9021a1dffc4c59f159425ee6d50ca9b135fa6162cea18a939838dc000fb386fad086acce5ac07cb2ece7fd580b00cfa5e98589631dc25e8e2a3daf2ffdec26531659912c9d8f7a15e5865ea8fb5816d6207052bd7128cd743c12c8118791a4736811935eb982a532349e31dd401e0b660a568cb1a4711f552f55ded59f1f15bf7196b3ca12a91e488ef59d64f3a02bf45239499ac6176ae321c4a211ec545365971c5d3f4f09d4eb139bfdf2073d33180b21002b65cc9865e76cb24cd92c874c24c18350399a936ab3637079295d76c417776b94efce3a0ef7206b15110519655c956cbd8b2489405ee2b09a6b6eebe0c53790a12a8998378b33a5b71159625f4ba49d2a2fdba59fbf0897bc7aabd8d707dc140a80f0f309f835d3da54ab584e501dfa0ee977fec543f74186a802b9a37adb3e8291eca04d66520d229e60401e7282bef486ae059aa70696e0e305d777140a7a883ecdcb69b9ff938e8a4231864c69ca2c2043bed007ff3e605e014bcf518138dc3a25c5e236171a2d01d6"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 7
+aes_encrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"fd000000000000000000000000000000":"8e41b78c390b5af9d758bb214a67e9f6bf7727b09ac6124084c37611398fa45daad94868600ed391fb1acd4857a95b466e62ef9f4b377244d1c152e7b30d731aad30c716d214b707aed99eb5b5e580b3e887cf7497465651d4b60e6042051da3693c3b78c14489543be8b6ad0ba629565bba202313ba7b0d0c94a3252b676f46cc02ce0f8a7d34c0ed229129673c1f61aed579d08a9203a25aac3a77e9db60267996db38df637356d9dcd1632e369939f2a29d89345c66e05066f1a3677aef18dea4113faeb629e46721a66d0a7e785d3e29af2594eb67dfa982affe0aac058f6e15864269b135418261fc3afb089472cf68c45dd7f231c6249ba0255e1e033833fc4d00a3fe02132d7bc3873614b8aee34273581ea0325c81f0270affa13641d052d36f0757d484014354d02d6883ca15c24d8c3956b1bd027bcf41f151fd8023c5340e5606f37e90fdb87c86fb4fa634b3718a30bace06a66eaf8f63c4aa3b637826a87fe8cfa44282e92cb1615af3a28e53bc74c7cba1a0977be9065d0c1a5dec6c54ae38d37f37aa35283e048e5530a85c4e7a29d7b92ec0c3169cdf2a805c7604bce60049b9fb7b8eaac10f51ae23794ceba68bb58112e293b9b692ca721b37c662f8574ed4dba6f88e170881c82cddc1034a0ca7e284bf0962b6b26292d836fa9f73c1ac770eef0f2d3a1eaf61d3e03555fd424eedd67e18a18094f888":"d55f684f81f4426e9fde92a5ff02df2ac896af63962888a97910c1379e20b0a3b1db613fb7fe2e07004329ea5c22bfd33e3dbe4cf58cc608c2c26c19a2e2fe22f98732c2b5cb844cc6c0702d91e1d50fc4382a7eba5635cd602432a2306ac4ce82f8d70c8d9bc15f918fe71e74c622d5cf71178bf6e0b9cc9f2b41dd8dbe441c41cd0c73a6dc47a348f6702f9d0e9b1b1431e948e299b9ec2272ab2c5f0c7be86affa5dec87a0bee81d3d50007edaa2bcfccb35605155ff36ed8edd4a40dcd4b243acd11b2b987bdbfaf91a7cac27e9c5aea525ee53de7b2d3332c8644402b823e94a7db26276d2d23aa07180f76b4fd29b9c0823099c9d62c519880aee7e9697617c1497d47bf3e571950311421b6b734d38b0db91eb85331b91ea9f61530f54512a5a52a4bad589eb69781d537f23297bb459bdad2948a29e1550bf4787e0be95bb173cf5fab17dab7a13a052a63453d97ccec1a321954886b7a1299faaeecae35c6eaaca753b041b5e5f093bf83397fd21dd6b3012066fcc058cc32c3b09d7562dee29509b5839392c9ff05f51f3166aaac4ac5f238038a3045e6f72e48ef0fe8bc675e82c318a268e43970271bf119b81bf6a982746554f84e72b9f00280a320a08142923c23c883423ff949827f29bbacdc1ccdb04938ce6098c95ba6b32528f4ef78eed778b2e122ddfd1cbdd11d1c0a6783e011fc536d63d053260637"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 8
+aes_encrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"fe000000000000000000000000000000":"d55f684f81f4426e9fde92a5ff02df2ac896af63962888a97910c1379e20b0a3b1db613fb7fe2e07004329ea5c22bfd33e3dbe4cf58cc608c2c26c19a2e2fe22f98732c2b5cb844cc6c0702d91e1d50fc4382a7eba5635cd602432a2306ac4ce82f8d70c8d9bc15f918fe71e74c622d5cf71178bf6e0b9cc9f2b41dd8dbe441c41cd0c73a6dc47a348f6702f9d0e9b1b1431e948e299b9ec2272ab2c5f0c7be86affa5dec87a0bee81d3d50007edaa2bcfccb35605155ff36ed8edd4a40dcd4b243acd11b2b987bdbfaf91a7cac27e9c5aea525ee53de7b2d3332c8644402b823e94a7db26276d2d23aa07180f76b4fd29b9c0823099c9d62c519880aee7e9697617c1497d47bf3e571950311421b6b734d38b0db91eb85331b91ea9f61530f54512a5a52a4bad589eb69781d537f23297bb459bdad2948a29e1550bf4787e0be95bb173cf5fab17dab7a13a052a63453d97ccec1a321954886b7a1299faaeecae35c6eaaca753b041b5e5f093bf83397fd21dd6b3012066fcc058cc32c3b09d7562dee29509b5839392c9ff05f51f3166aaac4ac5f238038a3045e6f72e48ef0fe8bc675e82c318a268e43970271bf119b81bf6a982746554f84e72b9f00280a320a08142923c23c883423ff949827f29bbacdc1ccdb04938ce6098c95ba6b32528f4ef78eed778b2e122ddfd1cbdd11d1c0a6783e011fc536d63d053260637":"72efc1ebfe1ee25975a6eb3aa8589dda2b261f1c85bdab442a9e5b2dd1d7c3957a16fc08e526d4b1223f1b1232a11af274c3d70dac57f83e0983c498f1a6f1aecb021c3e70085a1e527f1ce41ee5911a82020161529cd82773762daf5459de94a0a82adae7e1703c808543c29ed6fb32d9e004327c1355180c995a07741493a09c21ba01a387882da4f62534b87bb15d60d197201c0fd3bf30c1500a3ecfecdd66d8721f90bcc4c17ee925c61b0a03727a9c0d5f5ca462fbfa0af1c2513a9d9d4b5345bd27a5f6e653f751693e6b6a2b8ead57d511e00e58c45b7b8d005af79288f5c7c22fd4f1bf7a898b03a5634c6a1ae3f9fae5de4f296a2896b23e7ed43ed14fa5a2803f4d28f0d3ffcf24757677aebdb47bb388378708948a8d4126ed1839e0da29a537a8c198b3c66ab00712dd261674bf45a73d67f76914f830ca014b65596f27e4cf62de66125a5566df9975155628b400fbfb3a29040ed50faffdbb18aece7c5c44693260aab386c0a37b11b114f1c415aebb653be468179428d43a4d8bc3ec38813eca30a13cf1bb18d524f1992d44d8b1a42ea30b22e6c95b199d8d182f8840b09d059585c31ad691fa0619ff038aca2c39a943421157361717c49d322028a74648113bd8c9d7ec77cf3c89c1ec8718ceff8516d96b34c3c614f10699c9abc4ed0411506223bea16af35c883accdbe1104eef0cfdb54e12fb230a"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 9
+aes_encrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"ff000000000000000000000000000000":"72efc1ebfe1ee25975a6eb3aa8589dda2b261f1c85bdab442a9e5b2dd1d7c3957a16fc08e526d4b1223f1b1232a11af274c3d70dac57f83e0983c498f1a6f1aecb021c3e70085a1e527f1ce41ee5911a82020161529cd82773762daf5459de94a0a82adae7e1703c808543c29ed6fb32d9e004327c1355180c995a07741493a09c21ba01a387882da4f62534b87bb15d60d197201c0fd3bf30c1500a3ecfecdd66d8721f90bcc4c17ee925c61b0a03727a9c0d5f5ca462fbfa0af1c2513a9d9d4b5345bd27a5f6e653f751693e6b6a2b8ead57d511e00e58c45b7b8d005af79288f5c7c22fd4f1bf7a898b03a5634c6a1ae3f9fae5de4f296a2896b23e7ed43ed14fa5a2803f4d28f0d3ffcf24757677aebdb47bb388378708948a8d4126ed1839e0da29a537a8c198b3c66ab00712dd261674bf45a73d67f76914f830ca014b65596f27e4cf62de66125a5566df9975155628b400fbfb3a29040ed50faffdbb18aece7c5c44693260aab386c0a37b11b114f1c415aebb653be468179428d43a4d8bc3ec38813eca30a13cf1bb18d524f1992d44d8b1a42ea30b22e6c95b199d8d182f8840b09d059585c31ad691fa0619ff038aca2c39a943421157361717c49d322028a74648113bd8c9d7ec77cf3c89c1ec8718ceff8516d96b34c3c614f10699c9abc4ed0411506223bea16af35c883accdbe1104eef0cfdb54e12fb230a":"3260ae8dad1f4a32c5cafe3ab0eb95549d461a67ceb9e5aa2d3afb62dece0553193ba50c75be251e08d1d08f1088576c7efdfaaf3f459559571e12511753b07af073f35da06af0ce0bbf6b8f5ccc5cea500ec1b211bd51f63b606bf6528796ca12173ba39b8935ee44ccce646f90a45bf9ccc567f0ace13dc2d53ebeedc81f58b2e41179dddf0d5a5c42f5d8506c1a5d2f8f59f3ea873cbcd0eec19acbf325423bd3dcb8c2b1bf1d1eaed0eba7f0698e4314fbeb2f1566d1b9253008cbccf45a2b0d9c5c9c21474f4076e02be26050b99dee4fd68a4cf890e496e4fcae7b70f94ea5a9062da0daeba1993d2ccd1dd3c244b8428801495a58b216547e7e847c46d1d756377b6242d2e5fb83bf752b54e0df71e889f3a2bb0f4c10805bf3c590376e3c24e22ff57f7fa965577375325cea5d920db94b9c336b455f6e894c01866fe9fbb8c8d3f70a2957285f6dfb5dcd8cbf54782f8fe7766d4723819913ac773421e3a31095866bad22c86a6036b2518b2059b4229d18c8c2ccbdf906c6cc6e82464ee57bddb0bebcb1dc645325bfb3e665ef7251082c88ebb1cf203bd779fdd38675713c8daadd17e1cabee432b09787b6ddf3304e38b731b45df5df51b78fcfb3d32466028d0ba36555e7e11ab0ee0666061d1645d962444bc47a38188930a84b4d561395c73c087021927ca638b7afc8a8679ccb84c26555440ec7f10445cd"
+
+#
+# 256-bit keys with 512 byte sector
+#
+AES-256-XTS Encrypt IEEE P1619/D16 Vector 10
+aes_encrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ff000000000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"1c3b3a102f770386e4836c99e370cf9bea00803f5e482357a4ae12d414a3e63b5d31e276f8fe4a8d66b317f9ac683f44680a86ac35adfc3345befecb4bb188fd5776926c49a3095eb108fd1098baec70aaa66999a72a82f27d848b21d4a741b0c5cd4d5fff9dac89aeba122961d03a757123e9870f8acf1000020887891429ca2a3e7a7d7df7b10355165c8b9a6d0a7de8b062c4500dc4cd120c0f7418dae3d0b5781c34803fa75421c790dfe1de1834f280d7667b327f6c8cd7557e12ac3a0f93ec05c52e0493ef31a12d3d9260f79a289d6a379bc70c50841473d1a8cc81ec583e9645e07b8d9670655ba5bbcfecc6dc3966380ad8fecb17b6ba02469a020a84e18e8f84252070c13e9f1f289be54fbc481457778f616015e1327a02b140f1505eb309326d68378f8374595c849d84f4c333ec4423885143cb47bd71c5edae9be69a2ffeceb1bec9de244fbe15992b11b77c040f12bd8f6a975a44a0f90c29a9abc3d4d893927284c58754cce294529f8614dcd2aba991925fedc4ae74ffac6e333b93eb4aff0479da9a410e4450e0dd7ae4c6e2910900575da401fc07059f645e8b7e9bfdef33943054ff84011493c27b3429eaedb4ed5376441a77ed43851ad77f16f541dfd269d50d6a5f14fb0aab1cbb4c1550be97f7ab4066193c4caa773dad38014bd2092fa755c824bb5e54c4f36ffda9fcea70b9c6e693e148c151"
+
+AES-256-XTS Encrypt IEEE P1619/D16 Vector 11
+aes_encrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ffff0000000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"77a31251618a15e6b92d1d66dffe7b50b50bad552305ba0217a610688eff7e11e1d0225438e093242d6db274fde801d4cae06f2092c728b2478559df58e837c2469ee4a4fa794e4bbc7f39bc026e3cb72c33b0888f25b4acf56a2a9804f1ce6d3d6e1dc6ca181d4b546179d55544aa7760c40d06741539c7e3cd9d2f6650b2013fd0eeb8c2b8e3d8d240ccae2d4c98320a7442e1c8d75a42d6e6cfa4c2eca1798d158c7aecdf82490f24bb9b38e108bcda12c3faf9a21141c3613b58367f922aaa26cd22f23d708dae699ad7cb40a8ad0b6e2784973dcb605684c08b8d6998c69aac049921871ebb65301a4619ca80ecb485a31d744223ce8ddc2394828d6a80470c092f5ba413c3378fa6054255c6f9df4495862bbb3287681f931b687c888abf844dfc8fc28331e579928cd12bd2390ae123cf03818d14dedde5c0c24c8ab018bfca75ca096f2d531f3d1619e785f1ada437cab92e980558b3dce1474afb75bfedbf8ff54cb2618e0244c9ac0d3c66fb51598cd2db11f9be39791abe447c63094f7c453b7ff87cb5bb36b7c79efb0872d17058b83b15ab0866ad8a58656c5a7e20dbdf308b2461d97c0ec0024a2715055249cf3b478ddd4740de654f75ca686e0d7345c69ed50cdc2a8b332b1f8824108ac937eb050585608ee734097fc09054fbff89eeaeea791f4a7ab1f9868294a4f9e27b42af8100cb9d59cef9645803"
+
+AES-256-XTS Encrypt IEEE P1619/D16 Vector 12
+aes_encrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ffffff00000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"e387aaa58ba483afa7e8eb469778317ecf4cf573aa9d4eac23f2cdf914e4e200a8b490e42ee646802dc6ee2b471b278195d60918ececb44bf79966f83faba0499298ebc699c0c8634715a320bb4f075d622e74c8c932004f25b41e361025b5a87815391f6108fc4afa6a05d9303c6ba68a128a55705d415985832fdeaae6c8e19110e84d1b1f199a2692119edc96132658f09da7c623efcec712537a3d94c0bf5d7e352ec94ae5797fdb377dc1551150721adf15bd26a8efc2fcaad56881fa9e62462c28f30ae1ceaca93c345cf243b73f542e2074a705bd2643bb9f7cc79bb6e7091ea6e232df0f9ad0d6cf502327876d82207abf2115cdacf6d5a48f6c1879a65b115f0f8b3cb3c59d15dd8c769bc014795a1837f3901b5845eb491adfefe097b1fa30a12fc1f65ba22905031539971a10f2f36c321bb51331cdefb39e3964c7ef079994f5b69b2edd83a71ef549971ee93f44eac3938fcdd61d01fa71799da3a8091c4c48aa9ed263ff0749df95d44fef6a0bb578ec69456aa5408ae32c7af08ad7ba8921287e3bbee31b767be06a0e705c864a769137df28292283ea81a2480241b44d9921cdbec1bc28dc1fda114bd8e5217ac9d8ebafa720e9da4f9ace231cc949e5b96fe76ffc21063fddc83a6b8679c00d35e09576a875305bed5f36ed242c8900dd1fa965bc950dfce09b132263a1eef52dd6888c309f5a7d712826"
+
+AES-256-XTS Encrypt IEEE P1619/D16 Vector 13
+aes_encrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ffffffff000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"bf53d2dade78e822a4d949a9bc6766b01b06a8ef70d26748c6a7fc36d80ae4c5520f7c4ab0ac8544424fa405162fef5a6b7f229498063618d39f0003cb5fb8d1c86b643497da1ff945c8d3bedeca4f479702a7a735f043ddb1d6aaade3c4a0ac7ca7f3fa5279bef56f82cd7a2f38672e824814e10700300a055e1630b8f1cb0e919f5e942010a416e2bf48cb46993d3cb6a51c19bacf864785a00bc2ecff15d350875b246ed53e68be6f55bd7e05cfc2b2ed6432198a6444b6d8c247fab941f569768b5c429366f1d3f00f0345b96123d56204c01c63b22ce78baf116e525ed90fdea39fa469494d3866c31e05f295ff21fea8d4e6e13d67e47ce722e9698a1c1048d68ebcde76b86fcf976eab8aa9790268b7068e017a8b9b749409514f1053027fd16c3786ea1bac5f15cb79711ee2abe82f5cf8b13ae73030ef5b9e4457e75d1304f988d62dd6fc4b94ed38ba831da4b7634971b6cd8ec325d9c61c00f1df73627ed3745a5e8489f3a95c69639c32cd6e1d537a85f75cc844726e8a72fc0077ad22000f1d5078f6b866318c668f1ad03d5a5fced5219f2eabbd0aa5c0f460d183f04404a0d6f469558e81fab24a167905ab4c7878502ad3e38fdbe62a41556cec37325759533ce8f25f367c87bb5578d667ae93f9e2fd99bcbc5f2fbba88cf6516139420fcff3b7361d86322c4bd84c82f335abb152c4a93411373aaa8220"
+
+AES-256-XTS Encrypt IEEE P1619/D16 Vector 14
+aes_encrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ffffffffff0000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"64497e5a831e4a932c09be3e5393376daa599548b816031d224bbf50a818ed2350eae7e96087c8a0db51ad290bd00c1ac1620857635bf246c176ab463be30b808da548081ac847b158e1264be25bb0910bbc92647108089415d45fab1b3d2604e8a8eff1ae4020cfa39936b66827b23f371b92200be90251e6d73c5f86de5fd4a950781933d79a28272b782a2ec313efdfcc0628f43d744c2dc2ff3dcb66999b50c7ca895b0c64791eeaa5f29499fb1c026f84ce5b5c72ba1083cddb5ce45434631665c333b60b11593fb253c5179a2c8db813782a004856a1653011e93fb6d876c18366dd8683f53412c0c180f9c848592d593f8609ca736317d356e13e2bff3a9f59cd9aeb19cd482593d8c46128bb32423b37a9adfb482b99453fbe25a41bf6feb4aa0bef5ed24bf73c762978025482c13115e4015aac992e5613a3b5c2f685b84795cb6e9b2656d8c88157e52c42f978d8634c43d06fea928f2822e465aa6576e9bf419384506cc3ce3c54ac1a6f67dc66f3b30191e698380bc999b05abce19dc0c6dcc2dd001ec535ba18deb2df1a101023108318c75dc98611a09dc48a0acdec676fabdf222f07e026f059b672b56e5cbc8e1d21bbd867dd927212054681d70ea737134cdfce93b6f82ae22423274e58a0821cc5502e2d0ab4585e94de6975be5e0b4efce51cd3e70c25a1fbbbd609d273ad5b0d59631c531f6a0a57b9"
+
+#
+# 128-bit keys with sector size not evenly divisible by 16 bytes
+#
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 15
+aes_encrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0":"9a785634120000000000000000000000":"000102030405060708090a0b0c0d0e0f10":"6c1625db4671522d3d7599601de7ca09ed"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 16
+aes_encrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0":"9a785634120000000000000000000000":"000102030405060708090a0b0c0d0e0f1011":"d069444b7a7e0cab09e24447d24deb1fedbf"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 17
+aes_encrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0":"9a785634120000000000000000000000":"000102030405060708090a0b0c0d0e0f101112":"e5df1351c0544ba1350b3363cd8ef4beedbf9d"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 18
+aes_encrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0":"9a785634120000000000000000000000":"000102030405060708090a0b0c0d0e0f10111213":"9d84c813f719aa2c7be3f66171c7c5c2edbf9dac"
+
+AES-128-XTS Encrypt IEEE P1619/D16 Vector 19
+aes_encrypt_xts:"e0e1e2e3e4e5e6e7e8e9eaebecedeeefc0c1c2c3c4c5c6c7c8c9cacbcccdcecf":"21436587a90000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"38b45812ef43a05bd957e545907e223b954ab4aaf088303ad910eadf14b42be68b2461149d8c8ba85f992be970bc621f1b06573f63e867bf5875acafa04e42ccbd7bd3c2a0fb1fff791ec5ec36c66ae4ac1e806d81fbf709dbe29e471fad38549c8e66f5345d7c1eb94f405d1ec785cc6f6a68f6254dd8339f9d84057e01a17741990482999516b5611a38f41bb6478e6f173f320805dd71b1932fc333cb9ee39936beea9ad96fa10fb4112b901734ddad40bc1878995f8e11aee7d141a2f5d48b7a4e1e7f0b2c04830e69a4fd1378411c2f287edf48c6c4e5c247a19680f7fe41cefbd49b582106e3616cbbe4dfb2344b2ae9519391f3e0fb4922254b1d6d2d19c6d4d537b3a26f3bcc51588b32f3eca0829b6a5ac72578fb814fb43cf80d64a233e3f997a3f02683342f2b33d25b492536b93becb2f5e1a8b82f5b883342729e8ae09d16938841a21a97fb543eea3bbff59f13c1a18449e398701c1ad51648346cbc04c27bb2da3b93a1372ccae548fb53bee476f9e9c91773b1bb19828394d55d3e1a20ed69113a860b6829ffa847224604435070221b257e8dff783615d2cae4803a93aa4334ab482a0afac9c0aeda70b45a481df5dec5df8cc0f423c77a5fd46cd312021d4b438862419a791be03bb4d97c0e59578542531ba466a83baf92cefc151b5cc1611a167893819b63fb8a6b18e86de60290fa72b797b0ce59f3"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 1
+aes_decrypt_xts:"0000000000000000000000000000000000000000000000000000000000000000":"00000000000000000000000000000000":"0000000000000000000000000000000000000000000000000000000000000000":"917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 2
+aes_decrypt_xts:"1111111111111111111111111111111122222222222222222222222222222222":"33333333330000000000000000000000":"4444444444444444444444444444444444444444444444444444444444444444":"c454185e6a16936e39334038acef838bfb186fff7480adc4289382ecd6d394f0"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 3
+aes_decrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"00000000000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412328063fd2aab53e5ea1e0a9f332500a5df9487d07a5c92cc512c8866c7e860ce93fdf166a24912b422976146ae20ce846bb7dc9ba94a767aaef20c0d61ad02655ea92dc4c4e41a8952c651d33174be51a10c421110e6d81588ede82103a252d8a750e8768defffed9122810aaeb99f9172af82b604dc4b8e51bcb08235a6f4341332e4ca60482a4ba1a03b3e65008fc5da76b70bf1690db4eae29c5f1badd03c5ccf2a55d705ddcd86d449511ceb7ec30bf12b1fa35b913f9f747a8afd1b130e94bff94effd01a91735ca1726acd0b197c4e5b03393697e126826fb6bbde8ecc1e08298516e2c9ed03ff3c1b7860f6de76d4cecd94c8119855ef5297ca67e9f3e7ff72b1e99785ca0a7e7720c5b36dc6d72cac9574c8cbbc2f801e23e56fd344b07f22154beba0f08ce8891e643ed995c94d9a69c9f1b5f499027a78572aeebd74d20cc39881c213ee770b1010e4bea718846977ae119f7a023ab58cca0ad752afe656bb3c17256a9f6e9bf19fdd5a38fc82bbe872c5539edb609ef4f79c203ebb140f2e583cb2ad15b4aa5b655016a8449277dbd477ef2c8d6c017db738b18deb4a427d1923ce3ff262735779a418f20a282df920147beabe421ee5319d0568"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 4
+aes_decrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"00000000000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412328063fd2aab53e5ea1e0a9f332500a5df9487d07a5c92cc512c8866c7e860ce93fdf166a24912b422976146ae20ce846bb7dc9ba94a767aaef20c0d61ad02655ea92dc4c4e41a8952c651d33174be51a10c421110e6d81588ede82103a252d8a750e8768defffed9122810aaeb99f9172af82b604dc4b8e51bcb08235a6f4341332e4ca60482a4ba1a03b3e65008fc5da76b70bf1690db4eae29c5f1badd03c5ccf2a55d705ddcd86d449511ceb7ec30bf12b1fa35b913f9f747a8afd1b130e94bff94effd01a91735ca1726acd0b197c4e5b03393697e126826fb6bbde8ecc1e08298516e2c9ed03ff3c1b7860f6de76d4cecd94c8119855ef5297ca67e9f3e7ff72b1e99785ca0a7e7720c5b36dc6d72cac9574c8cbbc2f801e23e56fd344b07f22154beba0f08ce8891e643ed995c94d9a69c9f1b5f499027a78572aeebd74d20cc39881c213ee770b1010e4bea718846977ae119f7a023ab58cca0ad752afe656bb3c17256a9f6e9bf19fdd5a38fc82bbe872c5539edb609ef4f79c203ebb140f2e583cb2ad15b4aa5b655016a8449277dbd477ef2c8d6c017db738b18deb4a427d1923ce3ff262735779a418f20a282df920147beabe421ee5319d0568"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 5
+aes_decrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"01000000000000000000000000000000":"27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412328063fd2aab53e5ea1e0a9f332500a5df9487d07a5c92cc512c8866c7e860ce93fdf166a24912b422976146ae20ce846bb7dc9ba94a767aaef20c0d61ad02655ea92dc4c4e41a8952c651d33174be51a10c421110e6d81588ede82103a252d8a750e8768defffed9122810aaeb99f9172af82b604dc4b8e51bcb08235a6f4341332e4ca60482a4ba1a03b3e65008fc5da76b70bf1690db4eae29c5f1badd03c5ccf2a55d705ddcd86d449511ceb7ec30bf12b1fa35b913f9f747a8afd1b130e94bff94effd01a91735ca1726acd0b197c4e5b03393697e126826fb6bbde8ecc1e08298516e2c9ed03ff3c1b7860f6de76d4cecd94c8119855ef5297ca67e9f3e7ff72b1e99785ca0a7e7720c5b36dc6d72cac9574c8cbbc2f801e23e56fd344b07f22154beba0f08ce8891e643ed995c94d9a69c9f1b5f499027a78572aeebd74d20cc39881c213ee770b1010e4bea718846977ae119f7a023ab58cca0ad752afe656bb3c17256a9f6e9bf19fdd5a38fc82bbe872c5539edb609ef4f79c203ebb140f2e583cb2ad15b4aa5b655016a8449277dbd477ef2c8d6c017db738b18deb4a427d1923ce3ff262735779a418f20a282df920147beabe421ee5319d0568":"264d3ca8512194fec312c8c9891f279fefdd608d0c027b60483a3fa811d65ee59d52d9e40ec5672d81532b38b6b089ce951f0f9c35590b8b978d175213f329bb1c2fd30f2f7f30492a61a532a79f51d36f5e31a7c9a12c286082ff7d2394d18f783e1a8e72c722caaaa52d8f065657d2631fd25bfd8e5baad6e527d763517501c68c5edc3cdd55435c532d7125c8614deed9adaa3acade5888b87bef641c4c994c8091b5bcd387f3963fb5bc37aa922fbfe3df4e5b915e6eb514717bdd2a74079a5073f5c4bfd46adf7d282e7a393a52579d11a028da4d9cd9c77124f9648ee383b1ac763930e7162a8d37f350b2f74b8472cf09902063c6b32e8c2d9290cefbd7346d1c779a0df50edcde4531da07b099c638e83a755944df2aef1aa31752fd323dcb710fb4bfbb9d22b925bc3577e1b8949e729a90bbafeacf7f7879e7b1147e28ba0bae940db795a61b15ecf4df8db07b824bb062802cc98a9545bb2aaeed77cb3fc6db15dcd7d80d7d5bc406c4970a3478ada8899b329198eb61c193fb6275aa8ca340344a75a862aebe92eee1ce032fd950b47d7704a3876923b4ad62844bf4a09c4dbe8b4397184b7471360c9564880aedddb9baa4af2e75394b08cd32ff479c57a07d3eab5d54de5f9738b8d27f27a9f0ab11799d7b7ffefb2704c95c6ad12c39f1e867a4b7b1d7818a4b753dfd2a89ccb45e001a03a867b187f225dd"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 6
+aes_decrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"02000000000000000000000000000000":"264d3ca8512194fec312c8c9891f279fefdd608d0c027b60483a3fa811d65ee59d52d9e40ec5672d81532b38b6b089ce951f0f9c35590b8b978d175213f329bb1c2fd30f2f7f30492a61a532a79f51d36f5e31a7c9a12c286082ff7d2394d18f783e1a8e72c722caaaa52d8f065657d2631fd25bfd8e5baad6e527d763517501c68c5edc3cdd55435c532d7125c8614deed9adaa3acade5888b87bef641c4c994c8091b5bcd387f3963fb5bc37aa922fbfe3df4e5b915e6eb514717bdd2a74079a5073f5c4bfd46adf7d282e7a393a52579d11a028da4d9cd9c77124f9648ee383b1ac763930e7162a8d37f350b2f74b8472cf09902063c6b32e8c2d9290cefbd7346d1c779a0df50edcde4531da07b099c638e83a755944df2aef1aa31752fd323dcb710fb4bfbb9d22b925bc3577e1b8949e729a90bbafeacf7f7879e7b1147e28ba0bae940db795a61b15ecf4df8db07b824bb062802cc98a9545bb2aaeed77cb3fc6db15dcd7d80d7d5bc406c4970a3478ada8899b329198eb61c193fb6275aa8ca340344a75a862aebe92eee1ce032fd950b47d7704a3876923b4ad62844bf4a09c4dbe8b4397184b7471360c9564880aedddb9baa4af2e75394b08cd32ff479c57a07d3eab5d54de5f9738b8d27f27a9f0ab11799d7b7ffefb2704c95c6ad12c39f1e867a4b7b1d7818a4b753dfd2a89ccb45e001a03a867b187f225dd":"fa762a3680b76007928ed4a4f49a9456031b704782e65e16cecb54ed7d017b5e18abd67b338e81078f21edb7868d901ebe9c731a7c18b5e6dec1d6a72e078ac9a4262f860beefa14f4e821018272e411a951502b6e79066e84252c3346f3aa62344351a291d4bedc7a07618bdea2af63145cc7a4b8d4070691ae890cd65733e7946e9021a1dffc4c59f159425ee6d50ca9b135fa6162cea18a939838dc000fb386fad086acce5ac07cb2ece7fd580b00cfa5e98589631dc25e8e2a3daf2ffdec26531659912c9d8f7a15e5865ea8fb5816d6207052bd7128cd743c12c8118791a4736811935eb982a532349e31dd401e0b660a568cb1a4711f552f55ded59f1f15bf7196b3ca12a91e488ef59d64f3a02bf45239499ac6176ae321c4a211ec545365971c5d3f4f09d4eb139bfdf2073d33180b21002b65cc9865e76cb24cd92c874c24c18350399a936ab3637079295d76c417776b94efce3a0ef7206b15110519655c956cbd8b2489405ee2b09a6b6eebe0c53790a12a8998378b33a5b71159625f4ba49d2a2fdba59fbf0897bc7aabd8d707dc140a80f0f309f835d3da54ab584e501dfa0ee977fec543f74186a802b9a37adb3e8291eca04d66520d229e60401e7282bef486ae059aa70696e0e305d777140a7a883ecdcb69b9ff938e8a4231864c69ca2c2043bed007ff3e605e014bcf518138dc3a25c5e236171a2d01d6"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 7
+aes_decrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"fd000000000000000000000000000000":"8e41b78c390b5af9d758bb214a67e9f6bf7727b09ac6124084c37611398fa45daad94868600ed391fb1acd4857a95b466e62ef9f4b377244d1c152e7b30d731aad30c716d214b707aed99eb5b5e580b3e887cf7497465651d4b60e6042051da3693c3b78c14489543be8b6ad0ba629565bba202313ba7b0d0c94a3252b676f46cc02ce0f8a7d34c0ed229129673c1f61aed579d08a9203a25aac3a77e9db60267996db38df637356d9dcd1632e369939f2a29d89345c66e05066f1a3677aef18dea4113faeb629e46721a66d0a7e785d3e29af2594eb67dfa982affe0aac058f6e15864269b135418261fc3afb089472cf68c45dd7f231c6249ba0255e1e033833fc4d00a3fe02132d7bc3873614b8aee34273581ea0325c81f0270affa13641d052d36f0757d484014354d02d6883ca15c24d8c3956b1bd027bcf41f151fd8023c5340e5606f37e90fdb87c86fb4fa634b3718a30bace06a66eaf8f63c4aa3b637826a87fe8cfa44282e92cb1615af3a28e53bc74c7cba1a0977be9065d0c1a5dec6c54ae38d37f37aa35283e048e5530a85c4e7a29d7b92ec0c3169cdf2a805c7604bce60049b9fb7b8eaac10f51ae23794ceba68bb58112e293b9b692ca721b37c662f8574ed4dba6f88e170881c82cddc1034a0ca7e284bf0962b6b26292d836fa9f73c1ac770eef0f2d3a1eaf61d3e03555fd424eedd67e18a18094f888":"d55f684f81f4426e9fde92a5ff02df2ac896af63962888a97910c1379e20b0a3b1db613fb7fe2e07004329ea5c22bfd33e3dbe4cf58cc608c2c26c19a2e2fe22f98732c2b5cb844cc6c0702d91e1d50fc4382a7eba5635cd602432a2306ac4ce82f8d70c8d9bc15f918fe71e74c622d5cf71178bf6e0b9cc9f2b41dd8dbe441c41cd0c73a6dc47a348f6702f9d0e9b1b1431e948e299b9ec2272ab2c5f0c7be86affa5dec87a0bee81d3d50007edaa2bcfccb35605155ff36ed8edd4a40dcd4b243acd11b2b987bdbfaf91a7cac27e9c5aea525ee53de7b2d3332c8644402b823e94a7db26276d2d23aa07180f76b4fd29b9c0823099c9d62c519880aee7e9697617c1497d47bf3e571950311421b6b734d38b0db91eb85331b91ea9f61530f54512a5a52a4bad589eb69781d537f23297bb459bdad2948a29e1550bf4787e0be95bb173cf5fab17dab7a13a052a63453d97ccec1a321954886b7a1299faaeecae35c6eaaca753b041b5e5f093bf83397fd21dd6b3012066fcc058cc32c3b09d7562dee29509b5839392c9ff05f51f3166aaac4ac5f238038a3045e6f72e48ef0fe8bc675e82c318a268e43970271bf119b81bf6a982746554f84e72b9f00280a320a08142923c23c883423ff949827f29bbacdc1ccdb04938ce6098c95ba6b32528f4ef78eed778b2e122ddfd1cbdd11d1c0a6783e011fc536d63d053260637"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 8
+aes_decrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"fe000000000000000000000000000000":"d55f684f81f4426e9fde92a5ff02df2ac896af63962888a97910c1379e20b0a3b1db613fb7fe2e07004329ea5c22bfd33e3dbe4cf58cc608c2c26c19a2e2fe22f98732c2b5cb844cc6c0702d91e1d50fc4382a7eba5635cd602432a2306ac4ce82f8d70c8d9bc15f918fe71e74c622d5cf71178bf6e0b9cc9f2b41dd8dbe441c41cd0c73a6dc47a348f6702f9d0e9b1b1431e948e299b9ec2272ab2c5f0c7be86affa5dec87a0bee81d3d50007edaa2bcfccb35605155ff36ed8edd4a40dcd4b243acd11b2b987bdbfaf91a7cac27e9c5aea525ee53de7b2d3332c8644402b823e94a7db26276d2d23aa07180f76b4fd29b9c0823099c9d62c519880aee7e9697617c1497d47bf3e571950311421b6b734d38b0db91eb85331b91ea9f61530f54512a5a52a4bad589eb69781d537f23297bb459bdad2948a29e1550bf4787e0be95bb173cf5fab17dab7a13a052a63453d97ccec1a321954886b7a1299faaeecae35c6eaaca753b041b5e5f093bf83397fd21dd6b3012066fcc058cc32c3b09d7562dee29509b5839392c9ff05f51f3166aaac4ac5f238038a3045e6f72e48ef0fe8bc675e82c318a268e43970271bf119b81bf6a982746554f84e72b9f00280a320a08142923c23c883423ff949827f29bbacdc1ccdb04938ce6098c95ba6b32528f4ef78eed778b2e122ddfd1cbdd11d1c0a6783e011fc536d63d053260637":"72efc1ebfe1ee25975a6eb3aa8589dda2b261f1c85bdab442a9e5b2dd1d7c3957a16fc08e526d4b1223f1b1232a11af274c3d70dac57f83e0983c498f1a6f1aecb021c3e70085a1e527f1ce41ee5911a82020161529cd82773762daf5459de94a0a82adae7e1703c808543c29ed6fb32d9e004327c1355180c995a07741493a09c21ba01a387882da4f62534b87bb15d60d197201c0fd3bf30c1500a3ecfecdd66d8721f90bcc4c17ee925c61b0a03727a9c0d5f5ca462fbfa0af1c2513a9d9d4b5345bd27a5f6e653f751693e6b6a2b8ead57d511e00e58c45b7b8d005af79288f5c7c22fd4f1bf7a898b03a5634c6a1ae3f9fae5de4f296a2896b23e7ed43ed14fa5a2803f4d28f0d3ffcf24757677aebdb47bb388378708948a8d4126ed1839e0da29a537a8c198b3c66ab00712dd261674bf45a73d67f76914f830ca014b65596f27e4cf62de66125a5566df9975155628b400fbfb3a29040ed50faffdbb18aece7c5c44693260aab386c0a37b11b114f1c415aebb653be468179428d43a4d8bc3ec38813eca30a13cf1bb18d524f1992d44d8b1a42ea30b22e6c95b199d8d182f8840b09d059585c31ad691fa0619ff038aca2c39a943421157361717c49d322028a74648113bd8c9d7ec77cf3c89c1ec8718ceff8516d96b34c3c614f10699c9abc4ed0411506223bea16af35c883accdbe1104eef0cfdb54e12fb230a"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 9
+aes_decrypt_xts:"2718281828459045235360287471352631415926535897932384626433832795":"ff000000000000000000000000000000":"72efc1ebfe1ee25975a6eb3aa8589dda2b261f1c85bdab442a9e5b2dd1d7c3957a16fc08e526d4b1223f1b1232a11af274c3d70dac57f83e0983c498f1a6f1aecb021c3e70085a1e527f1ce41ee5911a82020161529cd82773762daf5459de94a0a82adae7e1703c808543c29ed6fb32d9e004327c1355180c995a07741493a09c21ba01a387882da4f62534b87bb15d60d197201c0fd3bf30c1500a3ecfecdd66d8721f90bcc4c17ee925c61b0a03727a9c0d5f5ca462fbfa0af1c2513a9d9d4b5345bd27a5f6e653f751693e6b6a2b8ead57d511e00e58c45b7b8d005af79288f5c7c22fd4f1bf7a898b03a5634c6a1ae3f9fae5de4f296a2896b23e7ed43ed14fa5a2803f4d28f0d3ffcf24757677aebdb47bb388378708948a8d4126ed1839e0da29a537a8c198b3c66ab00712dd261674bf45a73d67f76914f830ca014b65596f27e4cf62de66125a5566df9975155628b400fbfb3a29040ed50faffdbb18aece7c5c44693260aab386c0a37b11b114f1c415aebb653be468179428d43a4d8bc3ec38813eca30a13cf1bb18d524f1992d44d8b1a42ea30b22e6c95b199d8d182f8840b09d059585c31ad691fa0619ff038aca2c39a943421157361717c49d322028a74648113bd8c9d7ec77cf3c89c1ec8718ceff8516d96b34c3c614f10699c9abc4ed0411506223bea16af35c883accdbe1104eef0cfdb54e12fb230a":"3260ae8dad1f4a32c5cafe3ab0eb95549d461a67ceb9e5aa2d3afb62dece0553193ba50c75be251e08d1d08f1088576c7efdfaaf3f459559571e12511753b07af073f35da06af0ce0bbf6b8f5ccc5cea500ec1b211bd51f63b606bf6528796ca12173ba39b8935ee44ccce646f90a45bf9ccc567f0ace13dc2d53ebeedc81f58b2e41179dddf0d5a5c42f5d8506c1a5d2f8f59f3ea873cbcd0eec19acbf325423bd3dcb8c2b1bf1d1eaed0eba7f0698e4314fbeb2f1566d1b9253008cbccf45a2b0d9c5c9c21474f4076e02be26050b99dee4fd68a4cf890e496e4fcae7b70f94ea5a9062da0daeba1993d2ccd1dd3c244b8428801495a58b216547e7e847c46d1d756377b6242d2e5fb83bf752b54e0df71e889f3a2bb0f4c10805bf3c590376e3c24e22ff57f7fa965577375325cea5d920db94b9c336b455f6e894c01866fe9fbb8c8d3f70a2957285f6dfb5dcd8cbf54782f8fe7766d4723819913ac773421e3a31095866bad22c86a6036b2518b2059b4229d18c8c2ccbdf906c6cc6e82464ee57bddb0bebcb1dc645325bfb3e665ef7251082c88ebb1cf203bd779fdd38675713c8daadd17e1cabee432b09787b6ddf3304e38b731b45df5df51b78fcfb3d32466028d0ba36555e7e11ab0ee0666061d1645d962444bc47a38188930a84b4d561395c73c087021927ca638b7afc8a8679ccb84c26555440ec7f10445cd"
+
+AES-256-XTS Decrypt IEEE P1619/D16 Vector 10
+aes_decrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ff000000000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"1c3b3a102f770386e4836c99e370cf9bea00803f5e482357a4ae12d414a3e63b5d31e276f8fe4a8d66b317f9ac683f44680a86ac35adfc3345befecb4bb188fd5776926c49a3095eb108fd1098baec70aaa66999a72a82f27d848b21d4a741b0c5cd4d5fff9dac89aeba122961d03a757123e9870f8acf1000020887891429ca2a3e7a7d7df7b10355165c8b9a6d0a7de8b062c4500dc4cd120c0f7418dae3d0b5781c34803fa75421c790dfe1de1834f280d7667b327f6c8cd7557e12ac3a0f93ec05c52e0493ef31a12d3d9260f79a289d6a379bc70c50841473d1a8cc81ec583e9645e07b8d9670655ba5bbcfecc6dc3966380ad8fecb17b6ba02469a020a84e18e8f84252070c13e9f1f289be54fbc481457778f616015e1327a02b140f1505eb309326d68378f8374595c849d84f4c333ec4423885143cb47bd71c5edae9be69a2ffeceb1bec9de244fbe15992b11b77c040f12bd8f6a975a44a0f90c29a9abc3d4d893927284c58754cce294529f8614dcd2aba991925fedc4ae74ffac6e333b93eb4aff0479da9a410e4450e0dd7ae4c6e2910900575da401fc07059f645e8b7e9bfdef33943054ff84011493c27b3429eaedb4ed5376441a77ed43851ad77f16f541dfd269d50d6a5f14fb0aab1cbb4c1550be97f7ab4066193c4caa773dad38014bd2092fa755c824bb5e54c4f36ffda9fcea70b9c6e693e148c151"
+
+AES-256-XTS Decrypt IEEE P1619/D16 Vector 11
+aes_decrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ffff0000000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"77a31251618a15e6b92d1d66dffe7b50b50bad552305ba0217a610688eff7e11e1d0225438e093242d6db274fde801d4cae06f2092c728b2478559df58e837c2469ee4a4fa794e4bbc7f39bc026e3cb72c33b0888f25b4acf56a2a9804f1ce6d3d6e1dc6ca181d4b546179d55544aa7760c40d06741539c7e3cd9d2f6650b2013fd0eeb8c2b8e3d8d240ccae2d4c98320a7442e1c8d75a42d6e6cfa4c2eca1798d158c7aecdf82490f24bb9b38e108bcda12c3faf9a21141c3613b58367f922aaa26cd22f23d708dae699ad7cb40a8ad0b6e2784973dcb605684c08b8d6998c69aac049921871ebb65301a4619ca80ecb485a31d744223ce8ddc2394828d6a80470c092f5ba413c3378fa6054255c6f9df4495862bbb3287681f931b687c888abf844dfc8fc28331e579928cd12bd2390ae123cf03818d14dedde5c0c24c8ab018bfca75ca096f2d531f3d1619e785f1ada437cab92e980558b3dce1474afb75bfedbf8ff54cb2618e0244c9ac0d3c66fb51598cd2db11f9be39791abe447c63094f7c453b7ff87cb5bb36b7c79efb0872d17058b83b15ab0866ad8a58656c5a7e20dbdf308b2461d97c0ec0024a2715055249cf3b478ddd4740de654f75ca686e0d7345c69ed50cdc2a8b332b1f8824108ac937eb050585608ee734097fc09054fbff89eeaeea791f4a7ab1f9868294a4f9e27b42af8100cb9d59cef9645803"
+
+AES-256-XTS Decrypt IEEE P1619/D16 Vector 12
+aes_decrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ffffff00000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"e387aaa58ba483afa7e8eb469778317ecf4cf573aa9d4eac23f2cdf914e4e200a8b490e42ee646802dc6ee2b471b278195d60918ececb44bf79966f83faba0499298ebc699c0c8634715a320bb4f075d622e74c8c932004f25b41e361025b5a87815391f6108fc4afa6a05d9303c6ba68a128a55705d415985832fdeaae6c8e19110e84d1b1f199a2692119edc96132658f09da7c623efcec712537a3d94c0bf5d7e352ec94ae5797fdb377dc1551150721adf15bd26a8efc2fcaad56881fa9e62462c28f30ae1ceaca93c345cf243b73f542e2074a705bd2643bb9f7cc79bb6e7091ea6e232df0f9ad0d6cf502327876d82207abf2115cdacf6d5a48f6c1879a65b115f0f8b3cb3c59d15dd8c769bc014795a1837f3901b5845eb491adfefe097b1fa30a12fc1f65ba22905031539971a10f2f36c321bb51331cdefb39e3964c7ef079994f5b69b2edd83a71ef549971ee93f44eac3938fcdd61d01fa71799da3a8091c4c48aa9ed263ff0749df95d44fef6a0bb578ec69456aa5408ae32c7af08ad7ba8921287e3bbee31b767be06a0e705c864a769137df28292283ea81a2480241b44d9921cdbec1bc28dc1fda114bd8e5217ac9d8ebafa720e9da4f9ace231cc949e5b96fe76ffc21063fddc83a6b8679c00d35e09576a875305bed5f36ed242c8900dd1fa965bc950dfce09b132263a1eef52dd6888c309f5a7d712826"
+
+AES-256-XTS Decrypt IEEE P1619/D16 Vector 13
+aes_decrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ffffffff000000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"bf53d2dade78e822a4d949a9bc6766b01b06a8ef70d26748c6a7fc36d80ae4c5520f7c4ab0ac8544424fa405162fef5a6b7f229498063618d39f0003cb5fb8d1c86b643497da1ff945c8d3bedeca4f479702a7a735f043ddb1d6aaade3c4a0ac7ca7f3fa5279bef56f82cd7a2f38672e824814e10700300a055e1630b8f1cb0e919f5e942010a416e2bf48cb46993d3cb6a51c19bacf864785a00bc2ecff15d350875b246ed53e68be6f55bd7e05cfc2b2ed6432198a6444b6d8c247fab941f569768b5c429366f1d3f00f0345b96123d56204c01c63b22ce78baf116e525ed90fdea39fa469494d3866c31e05f295ff21fea8d4e6e13d67e47ce722e9698a1c1048d68ebcde76b86fcf976eab8aa9790268b7068e017a8b9b749409514f1053027fd16c3786ea1bac5f15cb79711ee2abe82f5cf8b13ae73030ef5b9e4457e75d1304f988d62dd6fc4b94ed38ba831da4b7634971b6cd8ec325d9c61c00f1df73627ed3745a5e8489f3a95c69639c32cd6e1d537a85f75cc844726e8a72fc0077ad22000f1d5078f6b866318c668f1ad03d5a5fced5219f2eabbd0aa5c0f460d183f04404a0d6f469558e81fab24a167905ab4c7878502ad3e38fdbe62a41556cec37325759533ce8f25f367c87bb5578d667ae93f9e2fd99bcbc5f2fbba88cf6516139420fcff3b7361d86322c4bd84c82f335abb152c4a93411373aaa8220"
+
+AES-256-XTS Decrypt IEEE P1619/D16 Vector 14
+aes_decrypt_xts:"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592":"ffffffffff0000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"64497e5a831e4a932c09be3e5393376daa599548b816031d224bbf50a818ed2350eae7e96087c8a0db51ad290bd00c1ac1620857635bf246c176ab463be30b808da548081ac847b158e1264be25bb0910bbc92647108089415d45fab1b3d2604e8a8eff1ae4020cfa39936b66827b23f371b92200be90251e6d73c5f86de5fd4a950781933d79a28272b782a2ec313efdfcc0628f43d744c2dc2ff3dcb66999b50c7ca895b0c64791eeaa5f29499fb1c026f84ce5b5c72ba1083cddb5ce45434631665c333b60b11593fb253c5179a2c8db813782a004856a1653011e93fb6d876c18366dd8683f53412c0c180f9c848592d593f8609ca736317d356e13e2bff3a9f59cd9aeb19cd482593d8c46128bb32423b37a9adfb482b99453fbe25a41bf6feb4aa0bef5ed24bf73c762978025482c13115e4015aac992e5613a3b5c2f685b84795cb6e9b2656d8c88157e52c42f978d8634c43d06fea928f2822e465aa6576e9bf419384506cc3ce3c54ac1a6f67dc66f3b30191e698380bc999b05abce19dc0c6dcc2dd001ec535ba18deb2df1a101023108318c75dc98611a09dc48a0acdec676fabdf222f07e026f059b672b56e5cbc8e1d21bbd867dd927212054681d70ea737134cdfce93b6f82ae22423274e58a0821cc5502e2d0ab4585e94de6975be5e0b4efce51cd3e70c25a1fbbbd609d273ad5b0d59631c531f6a0a57b9"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 15
+aes_decrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0":"9a785634120000000000000000000000":"000102030405060708090a0b0c0d0e0f10":"6c1625db4671522d3d7599601de7ca09ed"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 16
+aes_decrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0":"9a785634120000000000000000000000":"000102030405060708090a0b0c0d0e0f1011":"d069444b7a7e0cab09e24447d24deb1fedbf"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 17
+aes_decrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0":"9a785634120000000000000000000000":"000102030405060708090a0b0c0d0e0f101112":"e5df1351c0544ba1350b3363cd8ef4beedbf9d"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 18
+aes_decrypt_xts:"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0":"9a785634120000000000000000000000":"000102030405060708090a0b0c0d0e0f10111213":"9d84c813f719aa2c7be3f66171c7c5c2edbf9dac"
+
+AES-128-XTS Decrypt IEEE P1619/D16 Vector 19
+aes_decrypt_xts:"e0e1e2e3e4e5e6e7e8e9eaebecedeeefc0c1c2c3c4c5c6c7c8c9cacbcccdcecf":"21436587a90000000000000000000000":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"38b45812ef43a05bd957e545907e223b954ab4aaf088303ad910eadf14b42be68b2461149d8c8ba85f992be970bc621f1b06573f63e867bf5875acafa04e42ccbd7bd3c2a0fb1fff791ec5ec36c66ae4ac1e806d81fbf709dbe29e471fad38549c8e66f5345d7c1eb94f405d1ec785cc6f6a68f6254dd8339f9d84057e01a17741990482999516b5611a38f41bb6478e6f173f320805dd71b1932fc333cb9ee39936beea9ad96fa10fb4112b901734ddad40bc1878995f8e11aee7d141a2f5d48b7a4e1e7f0b2c04830e69a4fd1378411c2f287edf48c6c4e5c247a19680f7fe41cefbd49b582106e3616cbbe4dfb2344b2ae9519391f3e0fb4922254b1d6d2d19c6d4d537b3a26f3bcc51588b32f3eca0829b6a5ac72578fb814fb43cf80d64a233e3f997a3f02683342f2b33d25b492536b93becb2f5e1a8b82f5b883342729e8ae09d16938841a21a97fb543eea3bbff59f13c1a18449e398701c1ad51648346cbc04c27bb2da3b93a1372ccae548fb53bee476f9e9c91773b1bb19828394d55d3e1a20ed69113a860b6829ffa847224604435070221b257e8dff783615d2cae4803a93aa4334ab482a0afac9c0aeda70b45a481df5dec5df8cc0f423c77a5fd46cd312021d4b438862419a791be03bb4d97c0e59578542531ba466a83baf92cefc151b5cc1611a167893819b63fb8a6b18e86de60290fa72b797b0ce59f3"
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_arc4.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_arc4.function
index a4b401b62b..ae3b032b3b 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_arc4.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_arc4.function
@@ -8,30 +8,20 @@
  */
 
 /* BEGIN_CASE */
-void mbedtls_arc4_crypt( char *hex_src_string, char *hex_key_string,
-                 char *hex_dst_string )
+void mbedtls_arc4_crypt( data_t * src_str, data_t * key_str,
+                         data_t * hex_dst_string )
 {
-    unsigned char src_str[1000];
-    unsigned char key_str[1000];
     unsigned char dst_str[1000];
-    unsigned char dst_hexstr[2000];
-    int src_len, key_len;
     mbedtls_arc4_context ctx;
 
-    memset(src_str, 0x00, 1000);
-    memset(key_str, 0x00, 1000);
     memset(dst_str, 0x00, 1000);
-    memset(dst_hexstr, 0x00, 2000);
     mbedtls_arc4_init( &ctx );
 
-    src_len = unhexify( src_str, hex_src_string );
-    key_len = unhexify( key_str, hex_key_string );
 
-    mbedtls_arc4_setup(&ctx, key_str, key_len);
-    TEST_ASSERT( mbedtls_arc4_crypt(&ctx, src_len, src_str, dst_str ) == 0 );
-    hexify( dst_hexstr, dst_str, src_len );
+    mbedtls_arc4_setup(&ctx, key_str->x, key_str->len);
+    TEST_ASSERT( mbedtls_arc4_crypt(&ctx, src_str->len, src_str->x, dst_str ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) dst_hexstr, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( dst_str, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
 
 exit:
     mbedtls_arc4_free( &ctx );
@@ -39,7 +29,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void arc4_selftest()
+void arc4_selftest(  )
 {
     TEST_ASSERT( mbedtls_arc4_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aria.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aria.data
new file mode 100644
index 0000000000..2da0b30c20
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aria.data
@@ -0,0 +1,104 @@
+ARIA - Valid parameters
+aria_valid_param:
+
+ARIA - Invalid parameters
+aria_invalid_param:
+
+ARIA-128-ECB Encrypt - RFC 5794
+aria_encrypt_ecb:"000102030405060708090a0b0c0d0e0f":"00112233445566778899aabbccddeeff":"d718fbd6ab644c739da95f3be6451778":0
+
+ARIA-128-ECB Decrypt - RFC 5794
+aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f":"d718fbd6ab644c739da95f3be6451778":"00112233445566778899aabbccddeeff":0
+
+ARIA-192-ECB Encrypt - RFC 5794
+aria_encrypt_ecb:"000102030405060708090a0b0c0d0e0f1011121314151617":"00112233445566778899aabbccddeeff":"26449c1805dbe7aa25a468ce263a9e79":0
+
+ARIA-192-ECB Decrypt - RFC 5794
+aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f1011121314151617":"26449c1805dbe7aa25a468ce263a9e79":"00112233445566778899aabbccddeeff":0
+
+ARIA-256-ECB_Encrypt - RFC 5794
+aria_encrypt_ecb:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"00112233445566778899aabbccddeeff":"f92bd7c79fb72e2f2b8f80c1972d24fc":0
+
+ARIA-256-ECB_Decrypt - RFC 5794
+aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"f92bd7c79fb72e2f2b8f80c1972d24fc":"00112233445566778899aabbccddeeff":0
+
+ARIA-128-ECB Decrypt - RFC 5794
+aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f":"d718fbd6ab644c739da95f3be6451778":"00112233445566778899aabbccddeeff":0
+
+ARIA-192-ECB Decrypt - RFC 5794
+aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f1011121314151617":"26449c1805dbe7aa25a468ce263a9e79":"00112233445566778899aabbccddeeff":0
+
+ARIA-256-ECB Decrypt - RFC 5794
+aria_decrypt_ecb:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"f92bd7c79fb72e2f2b8f80c1972d24fc":"00112233445566778899aabbccddeeff":0
+
+ARIA-128-ECB Encrypt - Official Test Vectors 1.0
+aria_encrypt_ecb:"00112233445566778899aabbccddeeff":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"c6ecd08e22c30abdb215cf74e2075e6e29ccaac63448708d331b2f816c51b17d9e133d1528dbf0af5787c7f3a3f5c2bf6b6f345907a3055612ce072ff54de7d788424da6e8ccfe8172b391be499354165665ba7864917000a6eeb2ecb4a698edfc7887e7f556377614ab0a282293e6d884dbb84206cdb16ed1754e77a1f243fd086953f752cc1e46c7c794ae85537dcaec8dd721f55c93b6edfe2adea43873e8":0
+
+ARIA-128-ECB Decrypt - Official Test Vectors 1.0
+aria_decrypt_ecb:"00112233445566778899aabbccddeeff":"c6ecd08e22c30abdb215cf74e2075e6e29ccaac63448708d331b2f816c51b17d9e133d1528dbf0af5787c7f3a3f5c2bf6b6f345907a3055612ce072ff54de7d788424da6e8ccfe8172b391be499354165665ba7864917000a6eeb2ecb4a698edfc7887e7f556377614ab0a282293e6d884dbb84206cdb16ed1754e77a1f243fd086953f752cc1e46c7c794ae85537dcaec8dd721f55c93b6edfe2adea43873e8":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-192-ECB Encrypt - Official Test Vectors 1.0
+aria_encrypt_ecb:"00112233445566778899aabbccddeeff0011223344556677":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"8d1470625f59ebacb0e55b534b3e462b5f23d33bff78f46c3c15911f4a21809aaccad80b4bda915aa9dae6bcebe06a6c83f77fd5391acfe61de2f646b5d447edbfd5bb49b12fbb9145b227895a757b2af1f7188734863d7b8b6ede5a5b2f06a0a233c8523d2db778fb31b0e311f32700152f33861e9d040c83b5eb40cd88ea49975709dc629365a189f78a3ec40345fc6a5a307a8f9a4413091e007eca5645a0":0
+
+ARIA-192-ECB Decrypt - Official Test Vectors 1.0
+aria_decrypt_ecb:"00112233445566778899aabbccddeeff0011223344556677":"8d1470625f59ebacb0e55b534b3e462b5f23d33bff78f46c3c15911f4a21809aaccad80b4bda915aa9dae6bcebe06a6c83f77fd5391acfe61de2f646b5d447edbfd5bb49b12fbb9145b227895a757b2af1f7188734863d7b8b6ede5a5b2f06a0a233c8523d2db778fb31b0e311f32700152f33861e9d040c83b5eb40cd88ea49975709dc629365a189f78a3ec40345fc6a5a307a8f9a4413091e007eca5645a0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-256-ECB Encrypt - Official Test Vectors 1.0
+aria_encrypt_ecb:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"58a875e6044ad7fffa4f58420f7f442d8e191016f28e79aefc01e204773280d7018e5f7a938ec30711719953bae86542cd7ebc752474c1a5f6eaaace2a7e29462ee7dfa5afdb84177ead95ccd4b4bb6e1ed17b9534cff0a5fc2941429cfee2ee49c7adbeb7e9d1b0d2a8531d942079596a27ed79f5b1dd13ecd604b07a48885a3afa0627a0e4e60a3c703af292f1baa77b702f16c54aa74bc727ea95c7468b00":0
+
+ARIA-256-ECB Decrypt - Official Test Vectors 1.0
+aria_decrypt_ecb:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"58a875e6044ad7fffa4f58420f7f442d8e191016f28e79aefc01e204773280d7018e5f7a938ec30711719953bae86542cd7ebc752474c1a5f6eaaace2a7e29462ee7dfa5afdb84177ead95ccd4b4bb6e1ed17b9534cff0a5fc2941429cfee2ee49c7adbeb7e9d1b0d2a8531d942079596a27ed79f5b1dd13ecd604b07a48885a3afa0627a0e4e60a3c703af292f1baa77b702f16c54aa74bc727ea95c7468b00":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-128-CBC Encrypt - Official Test Vectors 1.0
+aria_encrypt_cbc:"00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"49d61860b14909109cef0d22a9268134fadf9fb23151e9645fba75018bdb1538b53334634bbf7d4cd4b5377033060c155fe3948ca75de1031e1d85619e0ad61eb419a866b3c2dbfd10a4ed18b22149f75897f0b8668b0c1c542c687778835fb7cd46e45f85eaa7072437dd9fa6793d6f8d4ccefc4eb1ac641ac1bd30b18c6d64c49bca137eb21c2e04da62712ca2b4f540c57112c38791852cfac7a5d19ed83a":0
+
+ARIA-128-CBC Decrypt - Official Test Vectors 1.0
+aria_decrypt_cbc:"00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"49d61860b14909109cef0d22a9268134fadf9fb23151e9645fba75018bdb1538b53334634bbf7d4cd4b5377033060c155fe3948ca75de1031e1d85619e0ad61eb419a866b3c2dbfd10a4ed18b22149f75897f0b8668b0c1c542c687778835fb7cd46e45f85eaa7072437dd9fa6793d6f8d4ccefc4eb1ac641ac1bd30b18c6d64c49bca137eb21c2e04da62712ca2b4f540c57112c38791852cfac7a5d19ed83a":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-192-CBC Encrypt - Official Test Vectors 1.0
+aria_encrypt_cbc:"00112233445566778899aabbccddeeff0011223344556677":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"afe6cf23974b533c672a826264ea785f4e4f7f780dc7f3f1e0962b80902386d514e9c3e77259de92dd1102ffab086c1ea52a71260db5920a83295c25320e421147ca45d532f327b856ea947cd2196ae2e040826548b4c891b0ed0ca6e714dbc4631998d548110d666b3d54c2a091955c6f05beb4f62309368696c9791fc4c551564a2637f194346ec45fbca6c72a5b4612e208d531d6c34cc5c64eac6bd0cf8c":0
+
+ARIA-192-CBC Decrypt - Official Test Vectors 1.0
+aria_decrypt_cbc:"00112233445566778899aabbccddeeff0011223344556677":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"afe6cf23974b533c672a826264ea785f4e4f7f780dc7f3f1e0962b80902386d514e9c3e77259de92dd1102ffab086c1ea52a71260db5920a83295c25320e421147ca45d532f327b856ea947cd2196ae2e040826548b4c891b0ed0ca6e714dbc4631998d548110d666b3d54c2a091955c6f05beb4f62309368696c9791fc4c551564a2637f194346ec45fbca6c72a5b4612e208d531d6c34cc5c64eac6bd0cf8c":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-256-CBC Encrypt - Official Test Vectors 1.0
+aria_encrypt_cbc:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"523a8a806ae621f155fdd28dbc34e1ab7b9b42432ad8b2efb96e23b13f0a6e52f36185d50ad002c5f601bee5493f118b243ee2e313642bffc3902e7b2efd9a12fa682edd2d23c8b9c5f043c18b17c1ec4b5867918270fbec1027c19ed6af833da5d620994668ca22f599791d292dd6273b2959082aafb7a996167cce1eec5f0cfd15f610d87e2dda9ba68ce1260ca54b222491418374294e7909b1e8551cd8de":0
+
+ARIA-256-CBC Decrypt - Official Test Vectors 1.0
+aria_decrypt_cbc:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"523a8a806ae621f155fdd28dbc34e1ab7b9b42432ad8b2efb96e23b13f0a6e52f36185d50ad002c5f601bee5493f118b243ee2e313642bffc3902e7b2efd9a12fa682edd2d23c8b9c5f043c18b17c1ec4b5867918270fbec1027c19ed6af833da5d620994668ca22f599791d292dd6273b2959082aafb7a996167cce1eec5f0cfd15f610d87e2dda9ba68ce1260ca54b222491418374294e7909b1e8551cd8de":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-128-CTR Encrypt - Official Test Vectors 1.0
+aria_encrypt_ctr:"00112233445566778899aabbccddeeff":"00000000000000000000000000000000":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"ac5d7de805a0bf1c57c854501af60fa11497e2a34519dea1569e91e5b5ccae2ff3bfa1bf975f4571f48be191613546c3911163c085f871f0e7ae5f2a085b81851c2a3ddf20ecb8fa51901aec8ee4ba32a35dab67bb72cd9140ad188a967ac0fbbdfa94ea6cce47dcf8525ab5a814cfeb2bb60ee2b126e2d9d847c1a9e96f9019e3e6a7fe40d3829afb73db1cc245646addb62d9b907baaafbe46a73dbc131d3d":0
+
+ARIA-192-CTR Encrypt - Official Test Vectors 1.0
+aria_encrypt_ctr:"00112233445566778899aabbccddeeff0011223344556677":"00000000000000000000000000000000":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"08625ca8fe569c19ba7af3760a6ed1cef4d199263e999dde14082dbba7560b79a4c6b456b8707dce751f9854f18893dfdb3f4e5afa539733e6f1e70b98ba37891f8f81e95df8efc26c7ce043504cb18958b865e4e316cd2aa1c97f31bf23dc046ef326b95a692a191ba0f2a41c5fe9ae070f236ff7078e703b42666caafbdd20bad74ac4c20c0f46c7ca24c151716575c947da16c90cfe1bf217a41cfebe7531":0
+
+ARIA-192-CTR Decrypt - Official Test Vectors 1.0
+aria_decrypt_ctr:"00112233445566778899aabbccddeeff0011223344556677":"00000000000000000000000000000000":"08625ca8fe569c19ba7af3760a6ed1cef4d199263e999dde14082dbba7560b79a4c6b456b8707dce751f9854f18893dfdb3f4e5afa539733e6f1e70b98ba37891f8f81e95df8efc26c7ce043504cb18958b865e4e316cd2aa1c97f31bf23dc046ef326b95a692a191ba0f2a41c5fe9ae070f236ff7078e703b42666caafbdd20bad74ac4c20c0f46c7ca24c151716575c947da16c90cfe1bf217a41cfebe7531":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-256-CTR Encrypt - Official Test Vectors 1.0
+aria_encrypt_ctr:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"00000000000000000000000000000000":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"30026c329666141721178b99c0a1f1b2f06940253f7b3089e2a30ea86aa3c88f5940f05ad7ee41d71347bb7261e348f18360473fdf7d4e7723bffb4411cc13f6cdd89f3bc7b9c768145022c7a74f14d7c305cd012a10f16050c23f1ae5c23f45998d13fbaa041e51619577e0772764896a5d4516d8ffceb3bf7e05f613edd9a60cdcedaff9cfcaf4e00d445a54334f73ab2cad944e51d266548e61c6eb0aa1cd":0
+
+ARIA-256-CTR Decrypt - Official Test Vectors 1.0
+aria_decrypt_ctr:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"00000000000000000000000000000000":"30026c329666141721178b99c0a1f1b2f06940253f7b3089e2a30ea86aa3c88f5940f05ad7ee41d71347bb7261e348f18360473fdf7d4e7723bffb4411cc13f6cdd89f3bc7b9c768145022c7a74f14d7c305cd012a10f16050c23f1ae5c23f45998d13fbaa041e51619577e0772764896a5d4516d8ffceb3bf7e05f613edd9a60cdcedaff9cfcaf4e00d445a54334f73ab2cad944e51d266548e61c6eb0aa1cd":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-128-CFB128 Encrypt - Official Test Vectors 1.0
+aria_encrypt_cfb128:"00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"3720e53ba7d615383406b09f0a05a200c07c21e6370f413a5d132500a68285017c61b434c7b7ca9685a51071861e4d4bb873b599b479e2d573dddeafba89f812ac6a9e44d554078eb3be94839db4b33da3f59c063123a7ef6f20e10579fa4fd239100ca73b52d4fcafeadee73f139f78f9b7614c2b3b9dbe010f87db06a89a9435f79ce8121431371f4e87b984e0230c22a6dacb32fc42dcc6accef33285bf11":0
+
+ARIA-128-CFB128 Decrypt - Official Test Vectors 1.0
+aria_decrypt_cfb128:"00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"3720e53ba7d615383406b09f0a05a200c07c21e6370f413a5d132500a68285017c61b434c7b7ca9685a51071861e4d4bb873b599b479e2d573dddeafba89f812ac6a9e44d554078eb3be94839db4b33da3f59c063123a7ef6f20e10579fa4fd239100ca73b52d4fcafeadee73f139f78f9b7614c2b3b9dbe010f87db06a89a9435f79ce8121431371f4e87b984e0230c22a6dacb32fc42dcc6accef33285bf11":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-192-CFB128 Encrypt - Official Test Vectors 1.0
+aria_encrypt_cfb128:"00112233445566778899aabbccddeeff0011223344556677":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"4171f7192bf4495494d2736129640f5c4d87a9a213664c9448477c6ecc2013598d9766952dd8c3868f17e36ef66fd84bfa45d1593d2d6ee3ea2115047d710d4fb66187caa3a315b3c8ea2d313962edcfe5a3e2028d5ba9a09fd5c65c19d3440e477f0cab0628ec6902c73ee02f1afee9f80115be7b9df82d1e28228e28581a20560e195cbb9e2b327bf56fd2d0ae5502e42c13e9b4015d4da42dc859252e7da4":0
+
+ARIA-192-CFB128 Decrypt - Official Test Vectors 1.0
+aria_decrypt_cfb128:"00112233445566778899aabbccddeeff0011223344556677":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"4171f7192bf4495494d2736129640f5c4d87a9a213664c9448477c6ecc2013598d9766952dd8c3868f17e36ef66fd84bfa45d1593d2d6ee3ea2115047d710d4fb66187caa3a315b3c8ea2d313962edcfe5a3e2028d5ba9a09fd5c65c19d3440e477f0cab0628ec6902c73ee02f1afee9f80115be7b9df82d1e28228e28581a20560e195cbb9e2b327bf56fd2d0ae5502e42c13e9b4015d4da42dc859252e7da4":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA-256-CFB128 Encrypt - Official Test Vectors 1.0
+aria_encrypt_cfb128:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":"26834705b0f2c0e2588d4a7f09009635f28bb93d8c31f870ec1e0bdb082b66fa402dd9c202be300c4517d196b14d4ce11dce97f7aaba54341b0d872cc9b63753a3e8556a14be6f7b3e27e3cfc39caf80f2a355aa50dc83c09c7b11828694f8e4aa726c528976b53f2c877f4991a3a8d28adb63bd751846ffb2350265e179d4990753ae8485ff9b4133ddad5875b84a90cbcfa62a045d726df71b6bda0eeca0be":0
+
+ARIA-256-CFB128 Decrypt - Official Test Vectors 1.0
+aria_decrypt_cfb128:"00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":"0f1e2d3c4b5a69788796a5b4c3d2e1f0":"26834705b0f2c0e2588d4a7f09009635f28bb93d8c31f870ec1e0bdb082b66fa402dd9c202be300c4517d196b14d4ce11dce97f7aaba54341b0d872cc9b63753a3e8556a14be6f7b3e27e3cfc39caf80f2a355aa50dc83c09c7b11828694f8e4aa726c528976b53f2c877f4991a3a8d28adb63bd751846ffb2350265e179d4990753ae8485ff9b4133ddad5875b84a90cbcfa62a045d726df71b6bda0eeca0be":"11111111aaaaaaaa11111111bbbbbbbb11111111cccccccc11111111dddddddd22222222aaaaaaaa22222222bbbbbbbb22222222cccccccc22222222dddddddd33333333aaaaaaaa33333333bbbbbbbb33333333cccccccc33333333dddddddd44444444aaaaaaaa44444444bbbbbbbb44444444cccccccc44444444dddddddd55555555aaaaaaaa55555555bbbbbbbb55555555cccccccc55555555dddddddd":0
+
+ARIA Selftest
+aria_selftest:
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aria.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aria.function
new file mode 100644
index 0000000000..7e35f154b5
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_aria.function
@@ -0,0 +1,527 @@
+/* BEGIN_HEADER */
+#include "mbedtls/aria.h"
+
+/* Maxium size of data used by test vectors
+ * WARNING: to be adapted if and when adding larger test cases */
+#define ARIA_MAX_DATASIZE  160
+
+/* Maximum sizes of hexified things */
+#define ARIA_MAX_KEY_STR    ( 2 * MBEDTLS_ARIA_MAX_KEYSIZE + 1 )
+#define ARIA_BLOCK_STR      ( 2 * MBEDTLS_ARIA_BLOCKSIZE + 1 )
+#define ARIA_MAX_DATA_STR   ( 2 * ARIA_MAX_DATASIZE + 1 )
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_ARIA_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void aria_valid_param( )
+{
+    TEST_VALID_PARAM( mbedtls_aria_free( NULL ) );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void aria_invalid_param( )
+{
+    mbedtls_aria_context ctx;
+    unsigned char key[128 / 8] = { 0 };
+    unsigned char input[MBEDTLS_ARIA_BLOCKSIZE] = { 0 };
+    unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] = { 0 };
+    unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE] = { 0 };
+    size_t iv_off = 0;
+
+    ((void) iv_off);
+    ((void) iv);
+
+    TEST_INVALID_PARAM( mbedtls_aria_init( NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_setkey_enc( NULL, key,
+                                                     sizeof( key ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_setkey_enc( &ctx, NULL,
+                                                     sizeof( key ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_setkey_dec( NULL, key,
+                                                     sizeof( key ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_setkey_dec( &ctx, NULL,
+                                                     sizeof( key ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_ecb( NULL, input, output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_ecb( &ctx, NULL, output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_ecb( &ctx, input, NULL ) );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_cbc( NULL,
+                                                    MBEDTLS_ARIA_ENCRYPT,
+                                                    sizeof( input ),
+                                                    iv,
+                                                    input,
+                                                    output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_cbc( &ctx,
+                                                    42 /* invalid mode */,
+                                                    sizeof( input ),
+                                                    iv,
+                                                    input,
+                                                    output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_cbc( &ctx,
+                                                    MBEDTLS_ARIA_ENCRYPT,
+                                                    sizeof( input ),
+                                                    NULL,
+                                                    input,
+                                                    output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_cbc( &ctx,
+                                                    MBEDTLS_ARIA_ENCRYPT,
+                                                    sizeof( input ),
+                                                    iv,
+                                                    NULL,
+                                                    output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_cbc( &ctx,
+                                                    MBEDTLS_ARIA_ENCRYPT,
+                                                    sizeof( input ),
+                                                    iv,
+                                                    input,
+                                                    NULL ) );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_cfb128( NULL,
+                                                    MBEDTLS_ARIA_ENCRYPT,
+                                                    sizeof( input ),
+                                                    &iv_off,
+                                                    iv,
+                                                    input,
+                                                    output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_cfb128( &ctx,
+                                                    42, /* invalid mode */
+                                                    sizeof( input ),
+                                                    &iv_off,
+                                                    iv,
+                                                    input,
+                                                    output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_cfb128( &ctx,
+                                                    MBEDTLS_ARIA_ENCRYPT,
+                                                    sizeof( input ),
+                                                    NULL,
+                                                    iv,
+                                                    input,
+                                                    output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_cfb128( &ctx,
+                                                    MBEDTLS_ARIA_ENCRYPT,
+                                                    sizeof( input ),
+                                                    &iv_off,
+                                                    NULL,
+                                                    input,
+                                                    output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_cfb128( &ctx,
+                                                    MBEDTLS_ARIA_ENCRYPT,
+                                                    sizeof( input ),
+                                                    &iv_off,
+                                                    iv,
+                                                    NULL,
+                                                    output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_cfb128( &ctx,
+                                                    MBEDTLS_ARIA_ENCRYPT,
+                                                    sizeof( input ),
+                                                    &iv_off,
+                                                    iv,
+                                                    input,
+                                                    NULL ) );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_ctr( NULL,
+                                                    sizeof( input ),
+                                                    &iv_off,
+                                                    iv,
+                                                    iv,
+                                                    input,
+                                                    output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_ctr( &ctx,
+                                                    sizeof( input ),
+                                                    NULL,
+                                                    iv,
+                                                    iv,
+                                                    input,
+                                                    output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_ctr( &ctx,
+                                                    sizeof( input ),
+                                                    &iv_off,
+                                                    NULL,
+                                                    iv,
+                                                    input,
+                                                    output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_ctr( &ctx,
+                                                    sizeof( input ),
+                                                    &iv_off,
+                                                    iv,
+                                                    NULL,
+                                                    input,
+                                                    output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_ctr( &ctx,
+                                                    sizeof( input ),
+                                                    &iv_off,
+                                                    iv,
+                                                    iv,
+                                                    NULL,
+                                                    output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA,
+                            mbedtls_aria_crypt_ctr( &ctx,
+                                                    sizeof( input ),
+                                                    &iv_off,
+                                                    iv,
+                                                    iv,
+                                                    input,
+                                                    NULL ) );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+exit:
+    return;
+
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void aria_encrypt_ecb( char *hex_key_string, char *hex_src_string,
+                       char *hex_dst_string, int setkey_result )
+{
+    unsigned char key_str[ARIA_MAX_KEY_STR];
+    unsigned char src_str[ARIA_MAX_DATA_STR];
+    unsigned char dst_str[ARIA_MAX_DATA_STR];
+    unsigned char output[ARIA_MAX_DATASIZE];
+    mbedtls_aria_context ctx;
+    int key_len, data_len, i;
+
+    memset( key_str, 0x00, sizeof( key_str ) );
+    memset( src_str, 0x00, sizeof( src_str ) );
+    memset( dst_str, 0x00, sizeof( dst_str ) );
+    memset( output, 0x00, sizeof( output ) );
+    mbedtls_aria_init( &ctx );
+
+    key_len = unhexify( key_str, hex_key_string );
+    data_len = unhexify( src_str, hex_src_string );
+
+    TEST_ASSERT( mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 )
+                 == setkey_result );
+    if( setkey_result == 0 )
+    {
+        for( i = 0; i < data_len; i += MBEDTLS_ARIA_BLOCKSIZE )
+        {
+            TEST_ASSERT( mbedtls_aria_crypt_ecb( &ctx, src_str + i, output + i )
+                                                 == 0 );
+        }
+        hexify( dst_str, output, data_len );
+
+        TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+    }
+
+exit:
+    mbedtls_aria_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void aria_decrypt_ecb( char *hex_key_string, char *hex_src_string,
+                       char *hex_dst_string, int setkey_result )
+{
+    unsigned char key_str[ARIA_MAX_KEY_STR];
+    unsigned char src_str[ARIA_MAX_DATA_STR];
+    unsigned char dst_str[ARIA_MAX_DATA_STR];
+    unsigned char output[ARIA_MAX_DATASIZE];
+    mbedtls_aria_context ctx;
+    int key_len, data_len, i;
+
+    memset( key_str, 0x00, sizeof( key_str ) );
+    memset( src_str, 0x00, sizeof( src_str ) );
+    memset( dst_str, 0x00, sizeof( dst_str ) );
+    memset( output, 0x00, sizeof( output ) );
+    mbedtls_aria_init( &ctx );
+
+    key_len = unhexify( key_str, hex_key_string );
+    data_len = unhexify( src_str, hex_src_string );
+
+    TEST_ASSERT( mbedtls_aria_setkey_dec( &ctx, key_str, key_len * 8 )
+                 == setkey_result );
+    if( setkey_result == 0 )
+    {
+        for( i = 0; i < data_len; i += MBEDTLS_ARIA_BLOCKSIZE )
+        {
+            TEST_ASSERT( mbedtls_aria_crypt_ecb( &ctx, src_str + i, output + i )
+                         == 0 );
+        }
+        hexify( dst_str, output, data_len );
+
+        TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+    }
+
+exit:
+    mbedtls_aria_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
+void aria_encrypt_cbc( char *hex_key_string, char *hex_iv_string,
+                       char *hex_src_string, char *hex_dst_string,
+                       int cbc_result )
+{
+    unsigned char key_str[ARIA_MAX_KEY_STR];
+    unsigned char iv_str[ARIA_BLOCK_STR];
+    unsigned char src_str[ARIA_MAX_DATA_STR];
+    unsigned char dst_str[ARIA_MAX_DATA_STR];
+    unsigned char output[ARIA_MAX_DATASIZE];
+    mbedtls_aria_context ctx;
+    int key_len, data_len;
+
+    memset( key_str, 0x00, sizeof( key_str ) );
+    memset( iv_str, 0x00, sizeof( iv_str ) );
+    memset( src_str, 0x00, sizeof( src_str ) );
+    memset( dst_str, 0x00, sizeof( dst_str ) );
+    memset( output, 0x00, sizeof( output ) );
+    mbedtls_aria_init( &ctx );
+
+    key_len = unhexify( key_str, hex_key_string );
+    unhexify( iv_str, hex_iv_string );
+    data_len = unhexify( src_str, hex_src_string );
+
+    mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 );
+    TEST_ASSERT( mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, data_len,
+                                         iv_str, src_str, output )
+                 == cbc_result );
+    if( cbc_result == 0 )
+    {
+        hexify( dst_str, output, data_len );
+
+        TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+    }
+
+exit:
+    mbedtls_aria_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
+void aria_decrypt_cbc( char *hex_key_string, char *hex_iv_string,
+                       char *hex_src_string, char *hex_dst_string,
+                       int cbc_result )
+{
+    unsigned char key_str[ARIA_MAX_KEY_STR];
+    unsigned char iv_str[ARIA_BLOCK_STR];
+    unsigned char src_str[ARIA_MAX_DATA_STR];
+    unsigned char dst_str[ARIA_MAX_DATA_STR];
+    unsigned char output[ARIA_MAX_DATASIZE];
+    mbedtls_aria_context ctx;
+    int key_len, data_len;
+
+    memset( key_str, 0x00, sizeof( key_str ) );
+    memset( iv_str, 0x00, sizeof( iv_str ) );
+    memset( src_str, 0x00, sizeof( src_str ) );
+    memset( dst_str, 0x00, sizeof( dst_str ) );
+    memset( output, 0x00, sizeof( output ) );
+    mbedtls_aria_init( &ctx );
+
+    key_len = unhexify( key_str, hex_key_string );
+    unhexify( iv_str, hex_iv_string );
+    data_len = unhexify( src_str, hex_src_string );
+
+    mbedtls_aria_setkey_dec( &ctx, key_str, key_len * 8 );
+    TEST_ASSERT( mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, data_len,
+                                         iv_str, src_str, output )
+                 == cbc_result );
+    if( cbc_result == 0 )
+    {
+        hexify( dst_str, output, data_len );
+
+        TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+    }
+
+exit:
+    mbedtls_aria_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
+void aria_encrypt_cfb128( char *hex_key_string, char *hex_iv_string,
+                          char *hex_src_string, char *hex_dst_string,
+                          int result )
+{
+    unsigned char key_str[ARIA_MAX_KEY_STR];
+    unsigned char iv_str[ARIA_BLOCK_STR];
+    unsigned char src_str[ARIA_MAX_DATA_STR];
+    unsigned char dst_str[ARIA_MAX_DATA_STR];
+    unsigned char output[ARIA_MAX_DATASIZE];
+    mbedtls_aria_context ctx;
+    size_t iv_offset = 0;
+    int key_len, data_len;
+
+    memset( key_str, 0x00, sizeof( key_str ) );
+    memset( iv_str, 0x00, sizeof( iv_str ) );
+    memset( src_str, 0x00, sizeof( src_str ) );
+    memset( dst_str, 0x00, sizeof( dst_str ) );
+    memset( output, 0x00, sizeof( output ) );
+    mbedtls_aria_init( &ctx );
+
+    key_len = unhexify( key_str, hex_key_string );
+    unhexify( iv_str, hex_iv_string );
+    data_len = unhexify( src_str, hex_src_string );
+
+    mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 );
+    TEST_ASSERT( mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT,
+                                            data_len, &iv_offset, iv_str,
+                                            src_str, output )
+                 == result );
+    hexify( dst_str, output, data_len );
+
+    TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+
+exit:
+    mbedtls_aria_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
+void aria_decrypt_cfb128( char *hex_key_string, char *hex_iv_string,
+                          char *hex_src_string, char *hex_dst_string,
+                          int result  )
+{
+    unsigned char key_str[ARIA_MAX_KEY_STR];
+    unsigned char iv_str[ARIA_BLOCK_STR];
+    unsigned char src_str[ARIA_MAX_DATA_STR];
+    unsigned char dst_str[ARIA_MAX_DATA_STR];
+    unsigned char output[ARIA_MAX_DATASIZE];
+    mbedtls_aria_context ctx;
+    size_t iv_offset = 0;
+    int key_len, data_len;
+
+    memset( key_str, 0x00, sizeof( key_str ) );
+    memset( iv_str, 0x00, sizeof( iv_str ) );
+    memset( src_str, 0x00, sizeof( src_str ) );
+    memset( dst_str, 0x00, sizeof( dst_str ) );
+    memset( output, 0x00, sizeof( output ) );
+    mbedtls_aria_init( &ctx );
+
+    key_len = unhexify( key_str, hex_key_string );
+    unhexify( iv_str, hex_iv_string );
+    data_len = unhexify( src_str, hex_src_string );
+
+    mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 );
+    TEST_ASSERT( mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT,
+                                            data_len, &iv_offset, iv_str,
+                                            src_str, output )
+                 == result );
+    hexify( dst_str, output, data_len );
+
+    TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+
+exit:
+    mbedtls_aria_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CTR */
+void aria_encrypt_ctr( char *hex_key_string, char *hex_iv_string,
+                       char *hex_src_string, char *hex_dst_string,
+                       int result )
+{
+    unsigned char key_str[ARIA_MAX_KEY_STR];
+    unsigned char iv_str[ARIA_BLOCK_STR];
+    unsigned char src_str[ARIA_MAX_DATA_STR];
+    unsigned char dst_str[ARIA_MAX_DATA_STR];
+    unsigned char output[ARIA_MAX_DATASIZE];
+    unsigned char blk[MBEDTLS_ARIA_BLOCKSIZE];
+    mbedtls_aria_context ctx;
+    size_t iv_offset = 0;
+    int key_len, data_len;
+
+    memset( key_str, 0x00, sizeof( key_str ) );
+    memset( iv_str, 0x00, sizeof( iv_str ) );
+    memset( src_str, 0x00, sizeof( src_str ) );
+    memset( dst_str, 0x00, sizeof( dst_str ) );
+    memset( output, 0x00, sizeof( output ) );
+    mbedtls_aria_init( &ctx );
+
+    key_len = unhexify( key_str, hex_key_string );
+    unhexify( iv_str, hex_iv_string );
+    data_len = unhexify( src_str, hex_src_string );
+
+    mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 );
+    TEST_ASSERT( mbedtls_aria_crypt_ctr( &ctx, data_len, &iv_offset, iv_str,
+                                         blk, src_str, output )
+                 == result );
+    hexify( dst_str, output, data_len );
+
+    TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+
+exit:
+    mbedtls_aria_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CTR */
+void aria_decrypt_ctr( char *hex_key_string, char *hex_iv_string,
+                       char *hex_src_string, char *hex_dst_string,
+                       int result )
+{
+    unsigned char key_str[ARIA_MAX_KEY_STR];
+    unsigned char iv_str[ARIA_BLOCK_STR];
+    unsigned char src_str[ARIA_MAX_DATA_STR];
+    unsigned char dst_str[ARIA_MAX_DATA_STR];
+    unsigned char output[ARIA_MAX_DATASIZE];
+    unsigned char blk[MBEDTLS_ARIA_BLOCKSIZE];
+    mbedtls_aria_context ctx;
+    size_t iv_offset = 0;
+    int key_len, data_len;
+
+    memset( key_str, 0x00, sizeof( key_str ) );
+    memset( iv_str, 0x00, sizeof( iv_str ) );
+    memset( src_str, 0x00, sizeof( src_str ) );
+    memset( dst_str, 0x00, sizeof( dst_str ) );
+    memset( output, 0x00, sizeof( output ) );
+    mbedtls_aria_init( &ctx );
+
+    key_len = unhexify( key_str, hex_key_string );
+    unhexify( iv_str, hex_iv_string );
+    data_len = unhexify( src_str, hex_src_string );
+
+    mbedtls_aria_setkey_enc( &ctx, key_str, key_len * 8 );
+    TEST_ASSERT( mbedtls_aria_crypt_ctr( &ctx, data_len, &iv_offset, iv_str,
+                                         blk, src_str, output )
+                 == result );
+    hexify( dst_str, output, data_len );
+
+    TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+
+exit:
+    mbedtls_aria_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
+void aria_selftest()
+{
+    TEST_ASSERT( mbedtls_aria_self_test( 1 ) == 0 );
+}
+/* END_CASE */
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_asn1write.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_asn1write.function
index 2ff9398a54..57a9741254 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_asn1write.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_asn1write.function
@@ -11,24 +11,20 @@
  */
 
 /* BEGIN_CASE */
-void mbedtls_asn1_write_octet_string( char *hex_str, char *hex_asn1,
-                              int buf_len, int result )
+void mbedtls_asn1_write_octet_string( data_t * str, data_t * asn1,
+                                      int buf_len, int result )
 {
     int ret;
     unsigned char buf[150];
-    unsigned char str[150] = { 0 };
-    unsigned char asn1[150] = { 0 };
-    size_t str_len, asn1_len, i;
+    size_t i;
     unsigned char *p;
 
     memset( buf, GUARD_VAL, sizeof( buf ) );
 
-    str_len = unhexify( str, hex_str );
-    asn1_len = unhexify( asn1, hex_asn1 );
 
     p = buf + GUARD_LEN + buf_len;
 
-    ret = mbedtls_asn1_write_octet_string( &p, buf + GUARD_LEN, str, str_len );
+    ret = mbedtls_asn1_write_octet_string( &p, buf + GUARD_LEN, str->x, str->len );
 
     /* Check for buffer overwrite on both sides */
     for( i = 0; i < GUARD_LEN; i++ )
@@ -39,28 +35,27 @@ void mbedtls_asn1_write_octet_string( char *hex_str, char *hex_asn1,
 
     if( result >= 0 )
     {
-        TEST_ASSERT( (size_t) ret == asn1_len );
-        TEST_ASSERT( p + asn1_len == buf + GUARD_LEN + buf_len );
+        TEST_ASSERT( (size_t) ret == asn1->len );
+        TEST_ASSERT( p + asn1->len == buf + GUARD_LEN + buf_len );
 
-        TEST_ASSERT( memcmp( p, asn1, asn1_len ) == 0 );
+        TEST_ASSERT( memcmp( p, asn1->x, asn1->len ) == 0 );
     }
 }
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_asn1_write_ia5_string( char *str, char *hex_asn1,
-                            int buf_len, int result )
+void mbedtls_asn1_write_ia5_string( char * str, data_t * asn1,
+                                    int buf_len, int result )
 {
     int ret;
     unsigned char buf[150];
-    unsigned char asn1[150] = { 0 };
-    size_t str_len, asn1_len, i;
+    size_t str_len;
+    size_t i;
     unsigned char *p;
 
     memset( buf, GUARD_VAL, sizeof( buf ) );
 
     str_len = strlen( str );
-    asn1_len = unhexify( asn1, hex_asn1 );
 
     p = buf + GUARD_LEN + buf_len;
 
@@ -75,27 +70,25 @@ void mbedtls_asn1_write_ia5_string( char *str, char *hex_asn1,
 
     if( result >= 0 )
     {
-        TEST_ASSERT( (size_t) ret == asn1_len );
-        TEST_ASSERT( p + asn1_len == buf + GUARD_LEN + buf_len );
+        TEST_ASSERT( (size_t) ret == asn1->len );
+        TEST_ASSERT( p + asn1->len == buf + GUARD_LEN + buf_len );
 
-        TEST_ASSERT( memcmp( p, asn1, asn1_len ) == 0 );
+        TEST_ASSERT( memcmp( p, asn1->x, asn1->len ) == 0 );
     }
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_ASN1PARSE_C */
-void mbedtls_asn1_write_len( int len, char *check_str, int buf_len,
+void mbedtls_asn1_write_len( int len, data_t * asn1, int buf_len,
                              int result )
 {
     int ret;
     unsigned char buf[150];
-    unsigned char asn1[150];
     unsigned char *p;
-    size_t asn1_len, i, read_len;
+    size_t i;
+    size_t read_len;
 
     memset( buf, GUARD_VAL, sizeof( buf ) );
-    memset( asn1, 0, sizeof( asn1 ) );
-    asn1_len = unhexify( asn1, check_str );
 
     p = buf + GUARD_LEN + buf_len;
 
@@ -112,10 +105,9 @@ void mbedtls_asn1_write_len( int len, char *check_str, int buf_len,
 
     if( result >= 0 )
     {
-        TEST_ASSERT( (size_t) ret == asn1_len );
-        TEST_ASSERT( p + asn1_len == buf + GUARD_LEN + buf_len );
+        TEST_ASSERT( p + asn1->len == buf + GUARD_LEN + buf_len );
 
-        TEST_ASSERT( memcmp( p, asn1, asn1_len ) == 0 );
+        TEST_ASSERT( memcmp( p, asn1->x, asn1->len ) == 0 );
 
         /* Read back with mbedtls_asn1_get_len() to check */
         ret = mbedtls_asn1_get_len( &p, buf + GUARD_LEN + buf_len, &read_len );
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_base64.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_base64.function
index 77fa7fdedf..3a8bf430f3 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_base64.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_base64.function
@@ -8,8 +8,8 @@
  */
 
 /* BEGIN_CASE */
-void mbedtls_base64_encode( char *src_string, char *dst_string, int dst_buf_size,
-                    int result )
+void mbedtls_base64_encode( char * src_string, char * dst_string,
+                            int dst_buf_size, int result )
 {
     unsigned char src_str[1000];
     unsigned char dst_str[1000];
@@ -28,7 +28,7 @@ void mbedtls_base64_encode( char *src_string, char *dst_string, int dst_buf_size
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_base64_decode( char *src_string, char *dst_string, int result )
+void mbedtls_base64_decode( char * src_string, char * dst_string, int result )
 {
     unsigned char src_str[1000];
     unsigned char dst_str[1000];
@@ -49,16 +49,15 @@ void mbedtls_base64_decode( char *src_string, char *dst_string, int result )
 /* END_CASE */
 
 /* BEGIN_CASE */
-void base64_encode_hex( char *src_hex, char *dst, int dst_buf_size,
+void base64_encode_hex( data_t * src, char * dst, int dst_buf_size,
                         int result )
 {
-    unsigned char *src = NULL, *res = NULL;
-    size_t len, src_len;
+    unsigned char *res = NULL;
+    size_t len;
 
-    src = unhexify_alloc( src_hex, &src_len );
     res = zero_alloc( dst_buf_size );
 
-    TEST_ASSERT( mbedtls_base64_encode( res, dst_buf_size, &len, src, src_len ) == result );
+    TEST_ASSERT( mbedtls_base64_encode( res, dst_buf_size, &len, src->x, src->len ) == result );
     if( result == 0 )
     {
         TEST_ASSERT( len == strlen( dst ) );
@@ -66,45 +65,39 @@ void base64_encode_hex( char *src_hex, char *dst, int dst_buf_size,
     }
 
 exit:
-    mbedtls_free( src );
     mbedtls_free( res );
 }
 /* END_CASE */
 
 /* BEGIN_CASE */
-void base64_decode_hex( char *src, char *dst_hex, int dst_buf_size,
+void base64_decode_hex( char * src, data_t * dst, int dst_buf_size,
                         int result )
 {
-    unsigned char *dst = NULL, *res = NULL;
-    size_t len, dst_len;
+    unsigned char *res = NULL;
+    size_t len;
 
-    dst = unhexify_alloc( dst_hex, &dst_len );
     res = zero_alloc( dst_buf_size );
 
     TEST_ASSERT( mbedtls_base64_decode( res, dst_buf_size, &len, (unsigned char *) src,
                                 strlen( src ) ) == result );
     if( result == 0 )
     {
-        TEST_ASSERT( len == dst_len );
-        TEST_ASSERT( memcmp( dst, res, len ) == 0 );
+        TEST_ASSERT( len == dst->len );
+        TEST_ASSERT( memcmp( dst->x, res, len ) == 0 );
     }
 
 exit:
-    mbedtls_free( dst );
     mbedtls_free( res );
 }
 /* END_CASE */
 
 /* BEGIN_CASE */
-void base64_decode_hex_src( char *src_hex, char *dst_ref, int result )
+void base64_decode_hex_src( data_t * src, char * dst_ref, int result )
 {
     unsigned char dst[1000] = { 0 };
-    unsigned char *src;
-    size_t src_len, len;
-
-    src = unhexify_alloc( src_hex, &src_len );
+    size_t len;
 
-    TEST_ASSERT( mbedtls_base64_decode( dst, sizeof( dst ), &len, src, src_len ) == result );
+    TEST_ASSERT( mbedtls_base64_decode( dst, sizeof( dst ), &len, src->x, src->len ) == result );
     if( result == 0 )
     {
         TEST_ASSERT( len == strlen( dst_ref ) );
@@ -112,12 +105,12 @@ void base64_decode_hex_src( char *src_hex, char *dst_ref, int result )
     }
 
 exit:
-    mbedtls_free( src );
+    ;;
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void base64_selftest()
+void base64_selftest(  )
 {
     TEST_ASSERT( mbedtls_base64_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_blowfish.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_blowfish.data
index 1ba311f590..fd172d3b2c 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_blowfish.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_blowfish.data
@@ -1,3 +1,9 @@
+BLOWFISH - Valid parameters
+blowfish_valid_param:
+
+BLOWFISH - Invalid parameters
+blowfish_invalid_param:
+
 BLOWFISH-ECB Encrypt SSLeay reference #1
 blowfish_encrypt_ecb:"0000000000000000":"0000000000000000":"4ef997456198dd78":0
 
@@ -203,13 +209,13 @@ BLOWFISH-ECB Decrypt SSLeay reference #34
 blowfish_decrypt_ecb:"fedcba9876543210":"6b5c5a9c5d9e0a5a":"ffffffffffffffff":0
 
 BLOWFISH-SETKEY Setkey SSLeay reference #1
-blowfish_encrypt_ecb:"f0":"fedcba9876543210":"":MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
+blowfish_encrypt_ecb:"f0":"fedcba9876543210":"":MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA
 
 BLOWFISH-SETKEY Setkey SSLeay reference #2
-blowfish_encrypt_ecb:"f0e1":"fedcba9876543210":"":MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
+blowfish_encrypt_ecb:"f0e1":"fedcba9876543210":"":MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA
 
 BLOWFISH-SETKEY Setkey SSLeay reference #3
-blowfish_encrypt_ecb:"f0e1d2":"fedcba9876543210":"":MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
+blowfish_encrypt_ecb:"f0e1d2":"fedcba9876543210":"":MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA
 
 BLOWFISH-SETKEY Setkey SSLeay reference #4
 blowfish_encrypt_ecb:"f0e1d2c3":"fedcba9876543210":"be1e639408640f05":0
@@ -281,7 +287,7 @@ BLOWFISH-SETKEY Setkey 448 bits
 blowfish_encrypt_ecb:"f0e1d2c3b4a5968778695a4b3c2d1e0f00112233445566778899aabbccddeeff0123456789abcdef0102030405060708090a0b0c0d0e0fff":"fedcba9876543210":"2fb3ab7f0ee91b69":0
 
 BLOWFISH-SETKEY Setkey 456 bits
-blowfish_encrypt_ecb:"f0e1d2c3b4a5968778695a4b3c2d1e0f00112233445566778899aabbccddeeff0123456789abcdef0102030405060708090a0b0c0d0e0fffff":"fedcba9876543210":"":MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
+blowfish_encrypt_ecb:"f0e1d2c3b4a5968778695a4b3c2d1e0f00112233445566778899aabbccddeeff0123456789abcdef0102030405060708090a0b0c0d0e0fffff":"fedcba9876543210":"":MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA
 
 BLOWFISH-CBC Encrypt
 blowfish_encrypt_cbc:"0123456789ABCDEFF0E1D2C3B4A59687":"FEDCBA9876543210":"37363534333231204E6F77206973207468652074696D6520666F722000000000":"6b77b4d63006dee605b156e27403979358deb9e7154616d959f1652bd5ff92cc":0
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_blowfish.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_blowfish.function
index e3c2252906..7a93cd1395 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_blowfish.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_blowfish.function
@@ -8,32 +8,180 @@
  */
 
 /* BEGIN_CASE */
-void blowfish_encrypt_ecb( char *hex_key_string, char *hex_src_string,
-                           char *hex_dst_string, int setkey_result )
+void blowfish_valid_param( )
+{
+    TEST_VALID_PARAM( mbedtls_blowfish_free( NULL ) );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void blowfish_invalid_param( )
+{
+    mbedtls_blowfish_context ctx;
+    unsigned char buf[16] = { 0 };
+    size_t const valid_keylength = sizeof( buf ) * 8;
+    size_t valid_mode = MBEDTLS_BLOWFISH_ENCRYPT;
+    size_t invalid_mode = 42;
+    size_t off;
+    ((void) off);
+
+    TEST_INVALID_PARAM( mbedtls_blowfish_init( NULL ) );
+    TEST_VALID_PARAM( mbedtls_blowfish_free( NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_setkey( NULL,
+                                                     buf,
+                                                     valid_keylength ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_setkey( &ctx,
+                                                     NULL,
+                                                     valid_keylength ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_ecb( NULL,
+                                                     valid_mode,
+                                                     buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_ecb( &ctx,
+                                                        invalid_mode,
+                                                        buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_ecb( &ctx,
+                                                        valid_mode,
+                                                        NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_ecb( &ctx,
+                                                        valid_mode,
+                                                        buf, NULL ) );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_cbc( NULL,
+                                                        valid_mode,
+                                                        sizeof( buf ),
+                                                        buf, buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_cbc( &ctx,
+                                                        invalid_mode,
+                                                        sizeof( buf ),
+                                                        buf, buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_cbc( &ctx,
+                                                        valid_mode,
+                                                        sizeof( buf ),
+                                                        NULL, buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_cbc( &ctx,
+                                                        valid_mode,
+                                                        sizeof( buf ),
+                                                        buf, NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_cbc( &ctx,
+                                                        valid_mode,
+                                                        sizeof( buf ),
+                                                        buf, buf, NULL ) );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_cfb64( NULL,
+                                                          valid_mode,
+                                                          sizeof( buf ),
+                                                          &off, buf,
+                                                          buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_cfb64( &ctx,
+                                                          invalid_mode,
+                                                          sizeof( buf ),
+                                                          &off, buf,
+                                                          buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_cfb64( &ctx,
+                                                          valid_mode,
+                                                          sizeof( buf ),
+                                                          NULL, buf,
+                                                          buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_cfb64( &ctx,
+                                                          valid_mode,
+                                                          sizeof( buf ),
+                                                          &off, NULL,
+                                                          buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_cfb64( &ctx,
+                                                          valid_mode,
+                                                          sizeof( buf ),
+                                                          &off, buf,
+                                                          NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_cfb64( &ctx,
+                                                          valid_mode,
+                                                          sizeof( buf ),
+                                                          &off, buf,
+                                                          buf, NULL ) );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_ctr( NULL,
+                                                        sizeof( buf ),
+                                                        &off,
+                                                        buf, buf,
+                                                        buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_ctr( &ctx,
+                                                        sizeof( buf ),
+                                                        NULL,
+                                                        buf, buf,
+                                                        buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_ctr( &ctx,
+                                                        sizeof( buf ),
+                                                        &off,
+                                                        NULL, buf,
+                                                        buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_ctr( &ctx,
+                                                        sizeof( buf ),
+                                                        &off,
+                                                        buf, NULL,
+                                                        buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_ctr( &ctx,
+                                                        sizeof( buf ),
+                                                        &off,
+                                                        buf, buf,
+                                                        NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA,
+                            mbedtls_blowfish_crypt_ctr( &ctx,
+                                                        sizeof( buf ),
+                                                        &off,
+                                                        buf, buf,
+                                                        buf, NULL ) );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+exit:
+    return;
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void blowfish_encrypt_ecb( data_t * key_str, data_t * src_str,
+                           data_t * hex_dst_string, int setkey_result )
 {
-    unsigned char key_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_blowfish_context ctx;
-    int key_len;
 
-    memset(key_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_blowfish_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( src_str, hex_src_string );
 
-    TEST_ASSERT( mbedtls_blowfish_setkey( &ctx, key_str, key_len * 8 ) == setkey_result );
+    TEST_ASSERT( mbedtls_blowfish_setkey( &ctx, key_str->x, key_str->len * 8 ) == setkey_result );
     if( setkey_result == 0 )
     {
-        TEST_ASSERT( mbedtls_blowfish_crypt_ecb( &ctx, MBEDTLS_BLOWFISH_ENCRYPT, src_str, output ) == 0 );
-        hexify( dst_str, output, 8 );
+        TEST_ASSERT( mbedtls_blowfish_crypt_ecb( &ctx, MBEDTLS_BLOWFISH_ENCRYPT, src_str->x, output ) == 0 );
 
-        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, 8, hex_dst_string->len ) == 0 );
     }
 
 exit:
@@ -42,32 +190,22 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void blowfish_decrypt_ecb( char *hex_key_string, char *hex_src_string,
-                           char *hex_dst_string, int setkey_result )
+void blowfish_decrypt_ecb( data_t * key_str, data_t * src_str,
+                           data_t * hex_dst_string, int setkey_result )
 {
-    unsigned char key_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_blowfish_context ctx;
-    int key_len;
 
-    memset(key_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_blowfish_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( src_str, hex_src_string );
 
-    TEST_ASSERT( mbedtls_blowfish_setkey( &ctx, key_str, key_len * 8 ) == setkey_result );
+    TEST_ASSERT( mbedtls_blowfish_setkey( &ctx, key_str->x, key_str->len * 8 ) == setkey_result );
     if( setkey_result == 0 )
     {
-        TEST_ASSERT( mbedtls_blowfish_crypt_ecb( &ctx, MBEDTLS_BLOWFISH_DECRYPT, src_str, output ) == 0 );
-        hexify( dst_str, output, 8 );
+        TEST_ASSERT( mbedtls_blowfish_crypt_ecb( &ctx, MBEDTLS_BLOWFISH_DECRYPT, src_str->x, output ) == 0 );
 
-        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, 8, hex_dst_string->len ) == 0 );
     }
 
 exit:
@@ -76,37 +214,24 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
-void blowfish_encrypt_cbc( char *hex_key_string, char *hex_iv_string,
-                           char *hex_src_string, char *hex_dst_string,
+void blowfish_encrypt_cbc( data_t * key_str, data_t * iv_str,
+                           data_t * src_str, data_t * hex_dst_string,
                            int cbc_result )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_blowfish_context ctx;
-    int key_len, data_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_blowfish_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    data_len = unhexify( src_str, hex_src_string );
 
-    mbedtls_blowfish_setkey( &ctx, key_str, key_len * 8 );
+    mbedtls_blowfish_setkey( &ctx, key_str->x, key_str->len * 8 );
 
-    TEST_ASSERT( mbedtls_blowfish_crypt_cbc( &ctx, MBEDTLS_BLOWFISH_ENCRYPT, data_len , iv_str, src_str, output ) == cbc_result );
+    TEST_ASSERT( mbedtls_blowfish_crypt_cbc( &ctx, MBEDTLS_BLOWFISH_ENCRYPT, src_str->len , iv_str->x, src_str->x, output ) == cbc_result );
     if( cbc_result == 0 )
     {
-        hexify( dst_str, output, data_len );
 
-        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
     }
 
 exit:
@@ -115,36 +240,23 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
-void blowfish_decrypt_cbc( char *hex_key_string, char *hex_iv_string,
-                           char *hex_src_string, char *hex_dst_string,
+void blowfish_decrypt_cbc( data_t * key_str, data_t * iv_str,
+                           data_t * src_str, data_t * hex_dst_string,
                            int cbc_result )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_blowfish_context ctx;
-    int key_len, data_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_blowfish_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    data_len = unhexify( src_str, hex_src_string );
 
-    mbedtls_blowfish_setkey( &ctx, key_str, key_len * 8 );
-    TEST_ASSERT( mbedtls_blowfish_crypt_cbc( &ctx, MBEDTLS_BLOWFISH_DECRYPT, data_len , iv_str, src_str, output ) == cbc_result );
+    mbedtls_blowfish_setkey( &ctx, key_str->x, key_str->len * 8 );
+    TEST_ASSERT( mbedtls_blowfish_crypt_cbc( &ctx, MBEDTLS_BLOWFISH_DECRYPT, src_str->len , iv_str->x, src_str->x, output ) == cbc_result );
     if( cbc_result == 0)
     {
-        hexify( dst_str, output, data_len );
 
-        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
     }
 
 exit:
@@ -153,34 +265,22 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
-void blowfish_encrypt_cfb64( char *hex_key_string, char *hex_iv_string,
-                             char *hex_src_string, char *hex_dst_string )
+void blowfish_encrypt_cfb64( data_t * key_str, data_t * iv_str,
+                             data_t * src_str, data_t * hex_dst_string
+                             )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_blowfish_context ctx;
     size_t iv_offset = 0;
-    int key_len, src_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_blowfish_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    src_len = unhexify( src_str, hex_src_string );
 
-    mbedtls_blowfish_setkey( &ctx, key_str, key_len * 8 );
-    TEST_ASSERT( mbedtls_blowfish_crypt_cfb64( &ctx, MBEDTLS_BLOWFISH_ENCRYPT, src_len, &iv_offset, iv_str, src_str, output ) == 0 );
-    hexify( dst_str, output, src_len );
+    mbedtls_blowfish_setkey( &ctx, key_str->x, key_str->len * 8 );
+    TEST_ASSERT( mbedtls_blowfish_crypt_cfb64( &ctx, MBEDTLS_BLOWFISH_ENCRYPT, src_str->len, &iv_offset, iv_str->x, src_str->x, output ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
 
 exit:
     mbedtls_blowfish_free( &ctx );
@@ -188,34 +288,22 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
-void blowfish_decrypt_cfb64( char *hex_key_string, char *hex_iv_string,
-                             char *hex_src_string, char *hex_dst_string )
+void blowfish_decrypt_cfb64( data_t * key_str, data_t * iv_str,
+                             data_t * src_str, data_t * hex_dst_string
+                             )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_blowfish_context ctx;
     size_t iv_offset = 0;
-    int key_len, src_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_blowfish_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    src_len = unhexify( src_str, hex_src_string );
 
-    mbedtls_blowfish_setkey( &ctx, key_str, key_len * 8 );
-    TEST_ASSERT( mbedtls_blowfish_crypt_cfb64( &ctx, MBEDTLS_BLOWFISH_DECRYPT, src_len, &iv_offset, iv_str, src_str, output ) == 0 );
-    hexify( dst_str, output, src_len );
+    mbedtls_blowfish_setkey( &ctx, key_str->x, key_str->len * 8 );
+    TEST_ASSERT( mbedtls_blowfish_crypt_cfb64( &ctx, MBEDTLS_BLOWFISH_DECRYPT, src_str->len, &iv_offset, iv_str->x, src_str->x, output ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
 
 exit:
     mbedtls_blowfish_free( &ctx );
@@ -223,36 +311,23 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CTR */
-void blowfish_encrypt_ctr( char *hex_key_string, char *hex_iv_string,
-                           char *hex_src_string, char *hex_dst_string )
+void blowfish_encrypt_ctr( data_t * key_str, data_t * iv_str,
+                           data_t * src_str, data_t * hex_dst_string )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
     unsigned char stream_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_blowfish_context ctx;
     size_t iv_offset = 0;
-    int key_len, src_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
     memset(stream_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_blowfish_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    src_len = unhexify( src_str, hex_src_string );
 
-    mbedtls_blowfish_setkey( &ctx, key_str, key_len * 8 );
-    TEST_ASSERT( mbedtls_blowfish_crypt_ctr( &ctx, src_len, &iv_offset, iv_str, stream_str, src_str, output ) == 0 );
-    hexify( dst_str, output, src_len );
+    mbedtls_blowfish_setkey( &ctx, key_str->x, key_str->len * 8 );
+    TEST_ASSERT( mbedtls_blowfish_crypt_ctr( &ctx, src_str->len, &iv_offset, iv_str->x, stream_str, src_str->x, output ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
 
 exit:
     mbedtls_blowfish_free( &ctx );
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_camellia.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_camellia.data
index 14298387a0..671d57002a 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_camellia.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_camellia.data
@@ -1,3 +1,9 @@
+Camellia - Valid parameters
+camellia_valid_param:
+
+Camellia - Invalid parameters
+camellia_invalid_param:
+
 Camellia-128-ECB Encrypt RFC3713 #1
 camellia_encrypt_ecb:"0123456789abcdeffedcba9876543210":"0123456789abcdeffedcba9876543210":"67673138549669730857065648eabe43":0
 
@@ -185,10 +191,10 @@ depends_on:MBEDTLS_CIPHER_MODE_CFB
 camellia_decrypt_cfb128:"603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4":"555FC3F34BDD2D54C62D9E3BF338C1C4":"F69F2445DF4F9B17AD2B417BE66C3710":"5953ADCE14DB8C7F39F1BD39F359BFFA"
 
 Camellia-ECB Encrypt (Invalid key length)
-camellia_encrypt_ecb:"0123456789abcdeffedcba98765432":"0123456789abcdeffedcba9876543210":"67673138549669730857065648eabe43":MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
+camellia_encrypt_ecb:"0123456789abcdeffedcba98765432":"0123456789abcdeffedcba9876543210":"67673138549669730857065648eabe43":MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA
 
 Camellia-ECB Decrypt (Invalid key length)
-camellia_decrypt_ecb:"0123456789abcdeffedcba98765432":"0123456789abcdeffedcba9876543210":"67673138549669730857065648eabe43":MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
+camellia_decrypt_ecb:"0123456789abcdeffedcba98765432":"0123456789abcdeffedcba9876543210":"67673138549669730857065648eabe43":MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA
 
 Camellia-256-CBC Encrypt (Invalid input length)
 camellia_encrypt_cbc:"0000000000000000000000000000000000000000000000000000000000000000":"00000000000000000000000000000000":"ffffffffffffffe000000000000000":"":MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_camellia.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_camellia.function
index 9df6482a8d..9408348151 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_camellia.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_camellia.function
@@ -8,32 +8,188 @@
  */
 
 /* BEGIN_CASE */
-void camellia_encrypt_ecb( char *hex_key_string, char *hex_src_string,
-                           char *hex_dst_string, int setkey_result )
+void camellia_valid_param( )
+{
+    TEST_VALID_PARAM( mbedtls_camellia_free( NULL ) );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void camellia_invalid_param( )
+{
+    mbedtls_camellia_context ctx;
+    unsigned char buf[16] = { 0 };
+    const size_t valid_keybits   = 128;
+    const int invalid_mode = 42;
+    const int valid_mode = MBEDTLS_CAMELLIA_ENCRYPT;
+    size_t off;
+    ((void) off);
+
+    TEST_INVALID_PARAM( mbedtls_camellia_init( NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_setkey_enc( NULL,
+                                                         buf,
+                                                         valid_keybits ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_setkey_enc( &ctx,
+                                                         NULL,
+                                                         valid_keybits ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_setkey_dec( NULL,
+                                                         buf,
+                                                         valid_keybits ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_setkey_dec( &ctx,
+                                                         NULL,
+                                                         valid_keybits ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_ecb( NULL,
+                                                        valid_mode,
+                                                        buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_ecb( &ctx,
+                                                        invalid_mode,
+                                                        buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_ecb( &ctx,
+                                                        valid_mode,
+                                                        NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_ecb( &ctx,
+                                                        valid_mode,
+                                                        buf, NULL ) );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_cbc( NULL,
+                                                        valid_mode,
+                                                        sizeof( buf ),
+                                                        buf, buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_cbc( &ctx,
+                                                        invalid_mode,
+                                                        sizeof( buf ),
+                                                        buf, buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_cbc( &ctx,
+                                                        valid_mode,
+                                                        sizeof( buf ),
+                                                        NULL, buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_cbc( &ctx,
+                                                        valid_mode,
+                                                        sizeof( buf ),
+                                                        buf, NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_cbc( &ctx,
+                                                        valid_mode,
+                                                        sizeof( buf ),
+                                                        buf, buf, NULL ) );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_cfb128( NULL,
+                                                           valid_mode,
+                                                           sizeof( buf ),
+                                                           &off, buf,
+                                                           buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_cfb128( &ctx,
+                                                           invalid_mode,
+                                                           sizeof( buf ),
+                                                           &off, buf,
+                                                           buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_cfb128( &ctx,
+                                                           valid_mode,
+                                                           sizeof( buf ),
+                                                           NULL, buf,
+                                                           buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_cfb128( &ctx,
+                                                           valid_mode,
+                                                           sizeof( buf ),
+                                                           &off, NULL,
+                                                           buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_cfb128( &ctx,
+                                                           valid_mode,
+                                                           sizeof( buf ),
+                                                           &off, buf,
+                                                           NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_cfb128( &ctx,
+                                                           valid_mode,
+                                                           sizeof( buf ),
+                                                           &off, buf,
+                                                           buf, NULL ) );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_ctr( NULL,
+                                                        sizeof( buf ),
+                                                        &off,
+                                                        buf, buf,
+                                                        buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_ctr( &ctx,
+                                                        sizeof( buf ),
+                                                        NULL,
+                                                        buf, buf,
+                                                        buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_ctr( &ctx,
+                                                        sizeof( buf ),
+                                                        &off,
+                                                        NULL, buf,
+                                                        buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_ctr( &ctx,
+                                                        sizeof( buf ),
+                                                        &off,
+                                                        buf, NULL,
+                                                        buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_ctr( &ctx,
+                                                        sizeof( buf ),
+                                                        &off,
+                                                        buf, buf,
+                                                        NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA,
+                            mbedtls_camellia_crypt_ctr( &ctx,
+                                                        sizeof( buf ),
+                                                        &off,
+                                                        buf, buf,
+                                                        buf, NULL ) );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+exit:
+    return;
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void camellia_encrypt_ecb( data_t * key_str, data_t * src_str,
+                           data_t * hex_dst_string, int setkey_result )
 {
-    unsigned char key_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_camellia_context ctx;
-    int key_len;
 
-    memset(key_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_camellia_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( src_str, hex_src_string );
 
-    TEST_ASSERT( mbedtls_camellia_setkey_enc( &ctx, key_str, key_len * 8 ) == setkey_result );
+    TEST_ASSERT( mbedtls_camellia_setkey_enc( &ctx, key_str->x, key_str->len * 8 ) == setkey_result );
     if( setkey_result == 0 )
     {
-        TEST_ASSERT( mbedtls_camellia_crypt_ecb( &ctx, MBEDTLS_CAMELLIA_ENCRYPT, src_str, output ) == 0 );
-        hexify( dst_str, output, 16 );
+        TEST_ASSERT( mbedtls_camellia_crypt_ecb( &ctx, MBEDTLS_CAMELLIA_ENCRYPT, src_str->x, output ) == 0 );
 
-        TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, 16, hex_dst_string->len ) == 0 );
     }
 
 exit:
@@ -42,32 +198,22 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void camellia_decrypt_ecb( char *hex_key_string, char *hex_src_string,
-                           char *hex_dst_string, int setkey_result )
+void camellia_decrypt_ecb( data_t * key_str, data_t * src_str,
+                           data_t * hex_dst_string, int setkey_result )
 {
-    unsigned char key_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_camellia_context ctx;
-    int key_len;
 
-    memset(key_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_camellia_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( src_str, hex_src_string );
 
-    TEST_ASSERT( mbedtls_camellia_setkey_dec( &ctx, key_str, key_len * 8 ) == setkey_result );
+    TEST_ASSERT( mbedtls_camellia_setkey_dec( &ctx, key_str->x, key_str->len * 8 ) == setkey_result );
     if( setkey_result == 0 )
     {
-        TEST_ASSERT( mbedtls_camellia_crypt_ecb( &ctx, MBEDTLS_CAMELLIA_DECRYPT, src_str, output ) == 0 );
-        hexify( dst_str, output, 16 );
+        TEST_ASSERT( mbedtls_camellia_crypt_ecb( &ctx, MBEDTLS_CAMELLIA_DECRYPT, src_str->x, output ) == 0 );
 
-        TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, 16, hex_dst_string->len ) == 0 );
     }
 
 exit:
@@ -76,36 +222,23 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
-void camellia_encrypt_cbc( char *hex_key_string, char *hex_iv_string,
-                           char *hex_src_string, char *hex_dst_string,
+void camellia_encrypt_cbc( data_t * key_str, data_t * iv_str,
+                           data_t * src_str, data_t * hex_dst_string,
                            int cbc_result )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_camellia_context ctx;
-    int key_len, data_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_camellia_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    data_len = unhexify( src_str, hex_src_string );
 
-    mbedtls_camellia_setkey_enc( &ctx, key_str, key_len * 8 );
-    TEST_ASSERT( mbedtls_camellia_crypt_cbc( &ctx, MBEDTLS_CAMELLIA_ENCRYPT, data_len, iv_str, src_str, output) == cbc_result );
+    mbedtls_camellia_setkey_enc( &ctx, key_str->x, key_str->len * 8 );
+    TEST_ASSERT( mbedtls_camellia_crypt_cbc( &ctx, MBEDTLS_CAMELLIA_ENCRYPT, src_str->len, iv_str->x, src_str->x, output) == cbc_result );
     if( cbc_result == 0 )
     {
-        hexify( dst_str, output, data_len );
 
-        TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
     }
 
 exit:
@@ -114,36 +247,23 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
-void camellia_decrypt_cbc( char *hex_key_string, char *hex_iv_string,
-                           char *hex_src_string, char *hex_dst_string,
+void camellia_decrypt_cbc( data_t * key_str, data_t * iv_str,
+                           data_t * src_str, data_t * hex_dst_string,
                            int cbc_result )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_camellia_context ctx;
-    int key_len, data_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_camellia_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    data_len = unhexify( src_str, hex_src_string );
 
-    mbedtls_camellia_setkey_dec( &ctx, key_str, key_len * 8 );
-    TEST_ASSERT( mbedtls_camellia_crypt_cbc( &ctx, MBEDTLS_CAMELLIA_DECRYPT, data_len, iv_str, src_str, output ) == cbc_result );
+    mbedtls_camellia_setkey_dec( &ctx, key_str->x, key_str->len * 8 );
+    TEST_ASSERT( mbedtls_camellia_crypt_cbc( &ctx, MBEDTLS_CAMELLIA_DECRYPT, src_str->len, iv_str->x, src_str->x, output ) == cbc_result );
     if( cbc_result == 0 )
     {
-        hexify( dst_str, output, data_len );
 
-        TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
     }
 
 exit:
@@ -152,34 +272,22 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
-void camellia_encrypt_cfb128( char *hex_key_string, char *hex_iv_string,
-                              char *hex_src_string, char *hex_dst_string )
+void camellia_encrypt_cfb128( data_t * key_str, data_t * iv_str,
+                              data_t * src_str,
+                              data_t * hex_dst_string )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_camellia_context ctx;
     size_t iv_offset = 0;
-    int key_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_camellia_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    unhexify( src_str, hex_src_string );
 
-    mbedtls_camellia_setkey_enc( &ctx, key_str, key_len * 8 );
-    TEST_ASSERT( mbedtls_camellia_crypt_cfb128( &ctx, MBEDTLS_CAMELLIA_ENCRYPT, 16, &iv_offset, iv_str, src_str, output ) == 0 );
-    hexify( dst_str, output, 16 );
+    mbedtls_camellia_setkey_enc( &ctx, key_str->x, key_str->len * 8 );
+    TEST_ASSERT( mbedtls_camellia_crypt_cfb128( &ctx, MBEDTLS_CAMELLIA_ENCRYPT, 16, &iv_offset, iv_str->x, src_str->x, output ) == 0 );
 
-    TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, 16, hex_dst_string->len ) == 0 );
 
 exit:
     mbedtls_camellia_free( &ctx );
@@ -187,34 +295,22 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
-void camellia_decrypt_cfb128( char *hex_key_string, char *hex_iv_string,
-                              char *hex_src_string, char *hex_dst_string )
+void camellia_decrypt_cfb128( data_t * key_str, data_t * iv_str,
+                              data_t * src_str,
+                              data_t * hex_dst_string )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_camellia_context ctx;
     size_t iv_offset = 0;
-    int key_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_camellia_init( &ctx );
 
-    key_len = unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    unhexify( src_str, hex_src_string );
 
-    mbedtls_camellia_setkey_enc( &ctx, key_str, key_len * 8 );
-    TEST_ASSERT( mbedtls_camellia_crypt_cfb128( &ctx, MBEDTLS_CAMELLIA_DECRYPT, 16, &iv_offset, iv_str, src_str, output ) == 0 );
-    hexify( dst_str, output, 16 );
+    mbedtls_camellia_setkey_enc( &ctx, key_str->x, key_str->len * 8 );
+    TEST_ASSERT( mbedtls_camellia_crypt_cfb128( &ctx, MBEDTLS_CAMELLIA_DECRYPT, 16, &iv_offset, iv_str->x, src_str->x, output ) == 0 );
 
-    TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, 16, hex_dst_string->len ) == 0 );
 
 exit:
     mbedtls_camellia_free( &ctx );
@@ -222,7 +318,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void camellia_selftest()
+void camellia_selftest(  )
 {
     TEST_ASSERT( mbedtls_camellia_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ccm.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ccm.data
index 65dc382432..ac9c565da2 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ccm.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ccm.data
@@ -1,6 +1,12 @@
 CCM self test
 mbedtls_ccm_self_test:
 
+CCM - Invalid parameters
+ccm_invalid_param:
+
+CCM - Valid parameters
+ccm_valid_param:
+
 CCM init #1 AES-128: OK
 depends_on:MBEDTLS_AES_C
 mbedtls_ccm_setkey:MBEDTLS_CIPHER_ID_AES:128:0
@@ -42,6 +48,39 @@ ccm_lengths:5:10:65281:8:MBEDTLS_ERR_CCM_BAD_INPUT
 CCM lengths #8 msg too long for this IV length (2^16, q = 2)
 ccm_lengths:65536:13:5:8:MBEDTLS_ERR_CCM_BAD_INPUT
 
+CCM lengths #9 tag length 0
+ccm_lengths:5:10:5:0:MBEDTLS_ERR_CCM_BAD_INPUT
+
+CCM* fixed tag lengths #1 all OK
+ccm_star_lengths:5:10:5:8:0
+
+CCM* fixed tag lengths #2 all OK - tag length 0
+ccm_star_lengths:5:10:5:0:0
+
+CCM* encrypt and tag #1
+depends_on:MBEDTLS_AES_C
+mbedtls_ccm_star_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"":"ACDE480000000001":"00000005":2:"08D0842143010000000048DEAC020500000055CF000051525354":"223BC1EC841AB553":0
+
+CCM* encrypt and tag #2
+depends_on:MBEDTLS_AES_C
+mbedtls_ccm_star_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"61626364":"ACDE480000000001":"00000005":4:"69DC842143020000000048DEAC010000000048DEAC0405000000":"D43E022B":0
+
+CCM* encrypt and tag #3
+depends_on:MBEDTLS_AES_C
+mbedtls_ccm_star_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"CE":"ACDE480000000001":"00000005":6:"2BDC842143020000000048DEACFFFF010000000048DEAC060500000001":"D84FDE529061F9C6F1":0
+
+CCM* auth decrypt tag #1
+depends_on:MBEDTLS_AES_C
+mbedtls_ccm_star_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"223BC1EC841AB553":"ACDE480000000001":"00000005":2:"08D0842143010000000048DEAC020500000055CF000051525354":"":0
+
+CCM* auth decrypt tag #2
+depends_on:MBEDTLS_AES_C
+mbedtls_ccm_star_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"D43E022B":"ACDE480000000001":"00000005":4:"69DC842143020000000048DEAC010000000048DEAC0405000000":"61626364":0
+
+CCM* auth decrypt tag #3
+depends_on:MBEDTLS_AES_C
+mbedtls_ccm_star_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"D84FDE529061F9C6F1":"ACDE480000000001":"00000005":6:"2BDC842143020000000048DEACFFFF010000000048DEAC060500000001":"CE":0
+
 CCM encrypt and tag RFC 3610 #1
 depends_on:MBEDTLS_AES_C
 mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E":"00000003020100A0A1A2A3A4A5":"0001020304050607":"588C979A61C663D2F066D0C2C0F989806D5F6B61DAC38417E8D12CFDF926E0"
@@ -1004,387 +1043,387 @@ mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"2e6e34070caf1b8820ed39edfa834
 
 CCM auth decrypt tag NIST DVPT AES-128 #1 (P=0, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4ae701103c63deca5b5a3939d7d05992":"02209f55":"5a8aa485c316e9":"":4:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4ae701103c63deca5b5a3939d7d05992":"02209f55":"5a8aa485c316e9":"":4:0:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #2 (P=0, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4ae701103c63deca5b5a3939d7d05992":"9a04c241":"3796cf51b87266":"":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4ae701103c63deca5b5a3939d7d05992":"9a04c241":"3796cf51b87266":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #3 (P=0, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3":"75d582db43ce9b13ab4b6f7f14341330":"5a8aa485c316e9":"":16:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3":"75d582db43ce9b13ab4b6f7f14341330":"5a8aa485c316e9":"":16:0:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #4 (P=0, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3":"3a65e03af37b81d05acc7ec1bc39deb0":"3796cf51b87266":"":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3":"3a65e03af37b81d05acc7ec1bc39deb0":"3796cf51b87266":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #5 (P=0, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3":"90156f3f":"5a8aa485c316e9403aff859fbb":"":4:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3":"90156f3f":"5a8aa485c316e9403aff859fbb":"":4:0:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #6 (P=0, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3":"88909016":"a16a2e741f1cd9717285b6d882":"":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3":"88909016":"a16a2e741f1cd9717285b6d882":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #7 (P=0, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd":"fb04dc5a44c6bb000f2440f5154364b4":"5a8aa485c316e9403aff859fbb":"":16:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd":"fb04dc5a44c6bb000f2440f5154364b4":"5a8aa485c316e9403aff859fbb":"":16:0:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #8 (P=0, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd":"5447075bf42a59b91f08064738b015ab":"a16a2e741f1cd9717285b6d882":"":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd":"5447075bf42a59b91f08064738b015ab":"a16a2e741f1cd9717285b6d882":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #9 (P=24, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd":"a90e8ea44085ced791b2fdb7fd44b5cf0bd7d27718029bb703e1fa6b":"5a8aa485c316e9":"":4:"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd":"a90e8ea44085ced791b2fdb7fd44b5cf0bd7d27718029bb703e1fa6b":"5a8aa485c316e9":"":4:0:"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
 
 CCM auth decrypt tag NIST DVPT AES-128 #10 (P=24, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd":"50aafe0578c115c4a8e126ff7b3ccb64dce8ccaa8ceda69f23e5d81c":"31f8fa25827d48":"":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd":"50aafe0578c115c4a8e126ff7b3ccb64dce8ccaa8ceda69f23e5d81c":"31f8fa25827d48":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #11 (P=24, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d5243":"24ab9eeb0e5508cae80074f1070ee188a637171860881f1f2d9a3fbc210595b7b8b1b41523111a8e":"5a8aa485c316e9":"":16:"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d5243":"24ab9eeb0e5508cae80074f1070ee188a637171860881f1f2d9a3fbc210595b7b8b1b41523111a8e":"5a8aa485c316e9":"":16:0:"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
 
 CCM auth decrypt tag NIST DVPT AES-128 #12 (P=24, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d5243":"7ebfda6fa5da1dbffd82dc29b875798fbcef8ba0084fbd2463af747cc88a001fa94e060290f209c4":"31f8fa25827d48":"":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d5243":"7ebfda6fa5da1dbffd82dc29b875798fbcef8ba0084fbd2463af747cc88a001fa94e060290f209c4":"31f8fa25827d48":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #13 (P=24, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d5243":"4a550134f94455979ec4bf89ad2bd80d25a77ae94e456134a3e138b9":"5a8aa485c316e9403aff859fbb":"":4:"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d5243":"4a550134f94455979ec4bf89ad2bd80d25a77ae94e456134a3e138b9":"5a8aa485c316e9403aff859fbb":"":4:0:"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
 
 CCM auth decrypt tag NIST DVPT AES-128 #14 (P=24, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d5243":"118ec53dd1bfbe52d5b9fe5dfebecf2ee674ec983eada654091a5ae9":"49004912fdd7269279b1f06a89":"":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d5243":"118ec53dd1bfbe52d5b9fe5dfebecf2ee674ec983eada654091a5ae9":"49004912fdd7269279b1f06a89":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #15 (P=24, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe4829":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2cb6a9a970b9beb2ac1bd4fd62168f8378a":"5a8aa485c316e9403aff859fbb":"":16:"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe4829":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2cb6a9a970b9beb2ac1bd4fd62168f8378a":"5a8aa485c316e9403aff859fbb":"":16:0:"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
 
 CCM auth decrypt tag NIST DVPT AES-128 #16 (P=24, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe4829":"0c56a503aa2c12e87450d45a7b714db980fd348f327c0065a65666144994bad0c8195bcb4ade1337":"49004912fdd7269279b1f06a89":"":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe4829":"0c56a503aa2c12e87450d45a7b714db980fd348f327c0065a65666144994bad0c8195bcb4ade1337":"49004912fdd7269279b1f06a89":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #17 (P=0, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe4829":"782e4318":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":4:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe4829":"782e4318":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":4:0:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #18 (P=0, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe4829":"a04f270a":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe4829":"a04f270a":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #19 (P=0, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b":"41b476013f45e4a781f253a6f3b1e530":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":16:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b":"41b476013f45e4a781f253a6f3b1e530":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":16:0:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #20 (P=0, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b":"f9f018fcd125822616083fffebc4c8e6":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b":"f9f018fcd125822616083fffebc4c8e6":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #21 (P=0, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b":"9f69f24f":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":4:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b":"9f69f24f":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":4:0:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #22 (P=0, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b":"e17afaa4":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b":"e17afaa4":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #23 (P=0, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c7571":"1859ac36a40a6b28b34266253627797a":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":16:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c7571":"1859ac36a40a6b28b34266253627797a":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":16:0:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #24 (P=0, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c7571":"edf8b46eb69ac0044116019dec183072":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c7571":"edf8b46eb69ac0044116019dec183072":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #25 (P=24, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c7571":"6be31860ca271ef448de8f8d8b39346daf4b81d7e92d65b338f125fa":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":4:"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c7571":"6be31860ca271ef448de8f8d8b39346daf4b81d7e92d65b338f125fa":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":4:0:"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
 
 CCM auth decrypt tag NIST DVPT AES-128 #26 (P=24, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c7571":"4cc57a9927a6bc401441870d3193bf89ebd163f5c01501c728a66b69":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c7571":"4cc57a9927a6bc401441870d3193bf89ebd163f5c01501c728a66b69":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #27 (P=24, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728c":"b351ab96b2e45515254558d5212673ee6c776d42dbca3b512cf3a20b7fd7c49e6e79bef475c2906f":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":16:"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728c":"b351ab96b2e45515254558d5212673ee6c776d42dbca3b512cf3a20b7fd7c49e6e79bef475c2906f":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":16:0:"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
 
 CCM auth decrypt tag NIST DVPT AES-128 #28 (P=24, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728c":"df1a5285caa41b4bb47f6e5ceceba4e82721828d68427a3081d18ca149d6766bfaccec88f194eb5b":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728c":"df1a5285caa41b4bb47f6e5ceceba4e82721828d68427a3081d18ca149d6766bfaccec88f194eb5b":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #29 (P=24, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728c":"934f893824e880f743d196b22d1f340a52608155087bd28ac25e5329":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":4:"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728c":"934f893824e880f743d196b22d1f340a52608155087bd28ac25e5329":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":4:0:"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
 
 CCM auth decrypt tag NIST DVPT AES-128 #30 (P=24, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728c":"f43ba9d834ad85dfab3f1c0c27c3441fe4e411a38a261a6559b3b3ee":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728c":"f43ba9d834ad85dfab3f1c0c27c3441fe4e411a38a261a6559b3b3ee":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-128 #31 (P=24, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"26511fb51fcfa75cb4b44da75a6e5a0e":"50038b5fdd364ee747b70d00bd36840ece4ea19998123375c0a458bfcafa3b2609afe0f825cbf503":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":16:"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"26511fb51fcfa75cb4b44da75a6e5a0e":"50038b5fdd364ee747b70d00bd36840ece4ea19998123375c0a458bfcafa3b2609afe0f825cbf503":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":16:0:"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
 
 CCM auth decrypt tag NIST DVPT AES-128 #32 (P=24, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"26511fb51fcfa75cb4b44da75a6e5a0e":"78ed8ff6b5a1255d0fbd0a719a9c27b059ff5f83d0c4962c390042ba8bb5f6798dab01c5afad7306":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"26511fb51fcfa75cb4b44da75a6e5a0e":"78ed8ff6b5a1255d0fbd0a719a9c27b059ff5f83d0c4962c390042ba8bb5f6798dab01c5afad7306":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #1 (P=0, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"c98ad7f38b2c7e970c9b965ec87a08208384718f78206c6c":"9d4b7f3b":"5a8aa485c316e9":"":4:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"c98ad7f38b2c7e970c9b965ec87a08208384718f78206c6c":"9d4b7f3b":"5a8aa485c316e9":"":4:0:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #2 (P=0, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"c98ad7f38b2c7e970c9b965ec87a08208384718f78206c6c":"80745de9":"3796cf51b87266":"":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"c98ad7f38b2c7e970c9b965ec87a08208384718f78206c6c":"80745de9":"3796cf51b87266":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #3 (P=0, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"17223038fa99d53681ca1beabe78d1b4":"5a8aa485c316e9":"":16:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"17223038fa99d53681ca1beabe78d1b4":"5a8aa485c316e9":"":16:0:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #4 (P=0, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"d0e1eeef4d2a264536bb1c2c1bde7c35":"3796cf51b87266":"":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"d0e1eeef4d2a264536bb1c2c1bde7c35":"3796cf51b87266":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #5 (P=0, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"fe69ed84":"5a8aa485c316e9403aff859fbb":"":4:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"fe69ed84":"5a8aa485c316e9403aff859fbb":"":4:0:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #6 (P=0, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"db7ffc82":"a16a2e741f1cd9717285b6d882":"":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"db7ffc82":"a16a2e741f1cd9717285b6d882":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #7 (P=0, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"0c66a8e547ed4f8c2c9a9a1eb5d455b9":"5a8aa485c316e9403aff859fbb":"":16:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"0c66a8e547ed4f8c2c9a9a1eb5d455b9":"5a8aa485c316e9403aff859fbb":"":16:0:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #8 (P=0, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"38757b3a61a4dc97ca3ab88bf1240695":"a16a2e741f1cd9717285b6d882":"":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"38757b3a61a4dc97ca3ab88bf1240695":"a16a2e741f1cd9717285b6d882":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #9 (P=24, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"411986d04d6463100bff03f7d0bde7ea2c3488784378138cddc93a54":"5a8aa485c316e9":"":4:"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"411986d04d6463100bff03f7d0bde7ea2c3488784378138cddc93a54":"5a8aa485c316e9":"":4:0:"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
 
 CCM auth decrypt tag NIST DVPT AES-192 #10 (P=24, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"32b649ab56162e55d4148a1292d6a225a988eb1308298273b6889036":"31f8fa25827d48":"":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"32b649ab56162e55d4148a1292d6a225a988eb1308298273b6889036":"31f8fa25827d48":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #11 (P=24, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"cba4b4aeb85f0492fd8d905c4a6d8233139833373ef188a8c5a5ebecf7ac8607fe412189e83d9d20":"5a8aa485c316e9":"":16:"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"cba4b4aeb85f0492fd8d905c4a6d8233139833373ef188a8c5a5ebecf7ac8607fe412189e83d9d20":"5a8aa485c316e9":"":16:0:"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
 
 CCM auth decrypt tag NIST DVPT AES-192 #12 (P=24, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"ca62713728b5c9d652504b0ae8fd4fee5d297ee6a8d19cb6e699f15f14d34dcaf9ba8ed4b877c97d":"31f8fa25827d48":"":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"ca62713728b5c9d652504b0ae8fd4fee5d297ee6a8d19cb6e699f15f14d34dcaf9ba8ed4b877c97d":"31f8fa25827d48":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #13 (P=24, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"042653c674ef2a90f7fb11d30848e530ae59478f1051633a34fad277":"5a8aa485c316e9403aff859fbb":"":4:"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"042653c674ef2a90f7fb11d30848e530ae59478f1051633a34fad277":"5a8aa485c316e9403aff859fbb":"":4:0:"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
 
 CCM auth decrypt tag NIST DVPT AES-192 #14 (P=24, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"1902d9769a7ba3d3268e1257395c8c2e5f98eef295dcbfa5a35df775":"49004912fdd7269279b1f06a89":"":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"1902d9769a7ba3d3268e1257395c8c2e5f98eef295dcbfa5a35df775":"49004912fdd7269279b1f06a89":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #15 (P=24, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"a5b7d8cca2069908d1ed88e6a9fe2c9bede3131dad54671ea7ade30a07d185692ab0ebdf4c78cf7a":"5a8aa485c316e9403aff859fbb":"":16:"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"a5b7d8cca2069908d1ed88e6a9fe2c9bede3131dad54671ea7ade30a07d185692ab0ebdf4c78cf7a":"5a8aa485c316e9403aff859fbb":"":16:0:"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
 
 CCM auth decrypt tag NIST DVPT AES-192 #16 (P=24, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"9a98617fb97a0dfe466be692272dcdaec1c5443a3b51312ef042c86363cc05afb98c66e16be8a445":"49004912fdd7269279b1f06a89":"":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"9a98617fb97a0dfe466be692272dcdaec1c5443a3b51312ef042c86363cc05afb98c66e16be8a445":"49004912fdd7269279b1f06a89":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #17 (P=0, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"1d089a5f":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":4:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"1d089a5f":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":4:0:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #18 (P=0, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"2f46022a":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"2f46022a":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #19 (P=0, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"5280a2137fee3deefcfe9b63a1199fb3":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":16:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"5280a2137fee3deefcfe9b63a1199fb3":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":16:0:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #20 (P=0, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"d40a7318c5f2d82f838c0beeefe0d598":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"d40a7318c5f2d82f838c0beeefe0d598":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #21 (P=0, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"5e0eaebd":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":4:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"5e0eaebd":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":4:0:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #22 (P=0, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"71b7fc33":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"71b7fc33":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #23 (P=0, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"d07ccf9fdc3d33aa94cda3d230da707c":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":16:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"d07ccf9fdc3d33aa94cda3d230da707c":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":16:0:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #24 (P=0, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"65fe32b649dc328c9f531584897e85b3":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"65fe32b649dc328c9f531584897e85b3":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #25 (P=24, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"9f6ca4af9b159148c889a6584d1183ea26e2614874b0504575dea8d1":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":4:"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"9f6ca4af9b159148c889a6584d1183ea26e2614874b0504575dea8d1":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":4:0:"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
 
 CCM auth decrypt tag NIST DVPT AES-192 #26 (P=24, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"84d8212e9cfc2121252baa3b065b1edcf50497b9594db1ebd7965825":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"84d8212e9cfc2121252baa3b065b1edcf50497b9594db1ebd7965825":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #27 (P=24, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"6aab64c4787599d8f213446beadb16e08dba60e97f56dbd14d1d980d6fe0fb44b421992662b97975":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":16:"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"6aab64c4787599d8f213446beadb16e08dba60e97f56dbd14d1d980d6fe0fb44b421992662b97975":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":16:0:"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
 
 CCM auth decrypt tag NIST DVPT AES-192 #28 (P=24, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"4980b2ee49b1aaf393175f5ab9bae95ec7904557dfa206603c51d36c826f01384100886198a7f6a3":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"4980b2ee49b1aaf393175f5ab9bae95ec7904557dfa206603c51d36c826f01384100886198a7f6a3":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #29 (P=24, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"16e543d0e20615ff0df15acd9927ddfe40668a54bb854cccc25e9fce":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":4:"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"16e543d0e20615ff0df15acd9927ddfe40668a54bb854cccc25e9fce":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":4:0:"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
 
 CCM auth decrypt tag NIST DVPT AES-192 #30 (P=24, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"df35b109caf690656ae278bbd8f8bba687a2ce11b105dae98ecedb3e":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"df35b109caf690656ae278bbd8f8bba687a2ce11b105dae98ecedb3e":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-192 #31 (P=24, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886":"c5b0b2ef17498c5570eb335df4588032958ba3d69bf6f3178464a6f7fa2b76744e8e8d95691cecb8":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":16:"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886":"c5b0b2ef17498c5570eb335df4588032958ba3d69bf6f3178464a6f7fa2b76744e8e8d95691cecb8":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":16:0:"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
 
 CCM auth decrypt tag NIST DVPT AES-192 #32 (P=24, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886":"d1f0518929f4ae2f0543de2a7dfe4bb0110bb3057e524a1c06bd6dc2e6bcc3436cffb969ae900388":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886":"d1f0518929f4ae2f0543de2a7dfe4bb0110bb3057e524a1c06bd6dc2e6bcc3436cffb969ae900388":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #1 (P=0, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"eda32f751456e33195f1f499cf2dc7c97ea127b6d488f211ccc5126fbb24afa6":"469c90bb":"a544218dadd3c1":"":4:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"eda32f751456e33195f1f499cf2dc7c97ea127b6d488f211ccc5126fbb24afa6":"469c90bb":"a544218dadd3c1":"":4:0:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #2 (P=0, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"eda32f751456e33195f1f499cf2dc7c97ea127b6d488f211ccc5126fbb24afa6":"46a908ed":"d3d5424e20fbec":"":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"eda32f751456e33195f1f499cf2dc7c97ea127b6d488f211ccc5126fbb24afa6":"46a908ed":"d3d5424e20fbec":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #3 (P=0, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"8207eb14d33855a52acceed17dbcbf6e":"a544218dadd3c1":"":16:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"8207eb14d33855a52acceed17dbcbf6e":"a544218dadd3c1":"":16:0:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #4 (P=0, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"60f8e127cb4d30db6df0622158cd931d":"d3d5424e20fbec":"":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"60f8e127cb4d30db6df0622158cd931d":"d3d5424e20fbec":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #5 (P=0, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"8a19a133":"a544218dadd3c10583db49cf39":"":4:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"8a19a133":"a544218dadd3c10583db49cf39":"":4:0:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #6 (P=0, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"2e317f1b":"3c0e2815d37d844f7ac240ba9d":"":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"2e317f1b":"3c0e2815d37d844f7ac240ba9d":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #7 (P=0, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"97e1a8dd4259ccd2e431e057b0397fcf":"a544218dadd3c10583db49cf39":"":16:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"97e1a8dd4259ccd2e431e057b0397fcf":"a544218dadd3c10583db49cf39":"":16:0:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #8 (P=0, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"5a9596c511ea6a8671adefc4f2157d8b":"3c0e2815d37d844f7ac240ba9d":"":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"5a9596c511ea6a8671adefc4f2157d8b":"3c0e2815d37d844f7ac240ba9d":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #9 (P=24, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"64a1341679972dc5869fcf69b19d5c5ea50aa0b5e985f5b722aa8d59":"a544218dadd3c1":"":4:"d3d5424e20fbec43ae495353ed830271515ab104f8860c98"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"64a1341679972dc5869fcf69b19d5c5ea50aa0b5e985f5b722aa8d59":"a544218dadd3c1":"":4:0:"d3d5424e20fbec43ae495353ed830271515ab104f8860c98"
 
 CCM auth decrypt tag NIST DVPT AES-256 #10 (P=24, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"c5b7f802bffc498c1626e3774f1d9f94045dfd8e1a10a20277d00a75":"bfcda8b5a2d0d2":"":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"c5b7f802bffc498c1626e3774f1d9f94045dfd8e1a10a20277d00a75":"bfcda8b5a2d0d2":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #11 (P=24, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"bc51c3925a960e7732533e4ef3a4f69ee6826de952bcb0fd374f3bb6db8377ebfc79674858c4f305":"a544218dadd3c1":"":16:"d3d5424e20fbec43ae495353ed830271515ab104f8860c98"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"bc51c3925a960e7732533e4ef3a4f69ee6826de952bcb0fd374f3bb6db8377ebfc79674858c4f305":"a544218dadd3c1":"":16:0:"d3d5424e20fbec43ae495353ed830271515ab104f8860c98"
 
 CCM auth decrypt tag NIST DVPT AES-256 #12 (P=24, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"afa1fa8e8a70e26b02161150556d604101fdf423f332c3363275f2a4907d51b734fe7238cebbd48f":"bfcda8b5a2d0d2":"":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"afa1fa8e8a70e26b02161150556d604101fdf423f332c3363275f2a4907d51b734fe7238cebbd48f":"bfcda8b5a2d0d2":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #13 (P=24, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"63e00d30e4b08fd2a1cc8d70fab327b2368e77a93be4f4123d14fb3f":"a544218dadd3c10583db49cf39":"":4:"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"63e00d30e4b08fd2a1cc8d70fab327b2368e77a93be4f4123d14fb3f":"a544218dadd3c10583db49cf39":"":4:0:"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e"
 
 CCM auth decrypt tag NIST DVPT AES-256 #14 (P=24, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"bb5425b3869b76856ec58e39886fb6f6f2ac13fe44cb132d8d0c0099":"894dcaa61008eb8fb052c60d41":"":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"bb5425b3869b76856ec58e39886fb6f6f2ac13fe44cb132d8d0c0099":"894dcaa61008eb8fb052c60d41":"":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #15 (P=24, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"f0050ad16392021a3f40207bed3521fb1e9f808f49830c423a578d179902f912f9ea1afbce1120b3":"a544218dadd3c10583db49cf39":"":16:"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"f0050ad16392021a3f40207bed3521fb1e9f808f49830c423a578d179902f912f9ea1afbce1120b3":"a544218dadd3c10583db49cf39":"":16:0:"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e"
 
 CCM auth decrypt tag NIST DVPT AES-256 #16 (P=24, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"c408190d0fbf5034f83b24a8ed9657331a7ce141de4fae769084607b83bd06e6442eac8dacf583cc":"894dcaa61008eb8fb052c60d41":"":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"c408190d0fbf5034f83b24a8ed9657331a7ce141de4fae769084607b83bd06e6442eac8dacf583cc":"894dcaa61008eb8fb052c60d41":"":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #17 (P=0, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"92d00fbe":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":4:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"92d00fbe":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":4:0:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #18 (P=0, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"9143e5c4":"78c46e3249ca28":"232e957c65ffa11988e830d4617d500f1c4a35c1221f396c41ab214f074ca2dc":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"9143e5c4":"78c46e3249ca28":"232e957c65ffa11988e830d4617d500f1c4a35c1221f396c41ab214f074ca2dc":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #19 (P=0, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"93af11a08379eb37a16aa2837f09d69d":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":16:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"93af11a08379eb37a16aa2837f09d69d":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":16:0:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #20 (P=0, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"d19b0c14ec686a7961ca7c386d125a65":"78c46e3249ca28":"232e957c65ffa11988e830d4617d500f1c4a35c1221f396c41ab214f074ca2dc":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"d19b0c14ec686a7961ca7c386d125a65":"78c46e3249ca28":"232e957c65ffa11988e830d4617d500f1c4a35c1221f396c41ab214f074ca2dc":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #21 (P=0, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"866d4227":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":4:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"866d4227":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":4:0:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #22 (P=0, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"94cb1127":"e8de970f6ee8e80ede933581b5":"89f8b068d34f56bc49d839d8e47b347e6dae737b903b278632447e6c0485d26a":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"94cb1127":"e8de970f6ee8e80ede933581b5":"89f8b068d34f56bc49d839d8e47b347e6dae737b903b278632447e6c0485d26a":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #23 (P=0, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"867b0d87cf6e0f718200a97b4f6d5ad5":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":16:""
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"867b0d87cf6e0f718200a97b4f6d5ad5":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":16:0:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #24 (P=0, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"677a040d46ee3f2b7838273bdad14f16":"e8de970f6ee8e80ede933581b5":"89f8b068d34f56bc49d839d8e47b347e6dae737b903b278632447e6c0485d26a":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"677a040d46ee3f2b7838273bdad14f16":"e8de970f6ee8e80ede933581b5":"89f8b068d34f56bc49d839d8e47b347e6dae737b903b278632447e6c0485d26a":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #25 (P=24, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"c2fe12658139f5d0dd22cadf2e901695b579302a72fc56083ebc7720":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":4:"78c46e3249ca28e1ef0531d80fd37c124d9aecb7be6668e3"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"c2fe12658139f5d0dd22cadf2e901695b579302a72fc56083ebc7720":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":4:0:"78c46e3249ca28e1ef0531d80fd37c124d9aecb7be6668e3"
 
 CCM auth decrypt tag NIST DVPT AES-256 #26 (P=24, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"94748ba81229e53c38583a8564b23ebbafc6f6efdf4c2a81c44db2c9":"6ba004fd176791":"5a053b2a1bb87e85d56527bfcdcd3ecafb991bb10e4c862bb0751c700a29f54b":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"94748ba81229e53c38583a8564b23ebbafc6f6efdf4c2a81c44db2c9":"6ba004fd176791":"5a053b2a1bb87e85d56527bfcdcd3ecafb991bb10e4c862bb0751c700a29f54b":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #27 (P=24, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"3341168eb8c48468c414347fb08f71d2086f7c2d1bd581ce1ac68bd42f5ec7fa7e068cc0ecd79c2a":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":16:"78c46e3249ca28e1ef0531d80fd37c124d9aecb7be6668e3"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"3341168eb8c48468c414347fb08f71d2086f7c2d1bd581ce1ac68bd42f5ec7fa7e068cc0ecd79c2a":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":16:0:"78c46e3249ca28e1ef0531d80fd37c124d9aecb7be6668e3"
 
 CCM auth decrypt tag NIST DVPT AES-256 #28 (P=24, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"d543acda712b898cbb27b8f598b2e4438ce587a836e2785147c3338a2400809e739b63ba8227d2f9":"6ba004fd176791":"5a053b2a1bb87e85d56527bfcdcd3ecafb991bb10e4c862bb0751c700a29f54b":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"d543acda712b898cbb27b8f598b2e4438ce587a836e2785147c3338a2400809e739b63ba8227d2f9":"6ba004fd176791":"5a053b2a1bb87e85d56527bfcdcd3ecafb991bb10e4c862bb0751c700a29f54b":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #29 (P=24, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"c0ea400b599561e7905b99262b4565d5c3dc49fad84d7c69ef891339":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":4:"e8de970f6ee8e80ede933581b5bcf4d837e2b72baa8b00c3"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"c0ea400b599561e7905b99262b4565d5c3dc49fad84d7c69ef891339":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":4:0:"e8de970f6ee8e80ede933581b5bcf4d837e2b72baa8b00c3"
 
 CCM auth decrypt tag NIST DVPT AES-256 #30 (P=24, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"60871e03ea0eb968536c99f926ea24ef43d41272ad9fb7f63d488623":"8fa501c5dd9ac9b868144c9fa5":"5bb40e3bb72b4509324a7edc852f72535f1f6283156e63f6959ffaf39dcde800":4:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"60871e03ea0eb968536c99f926ea24ef43d41272ad9fb7f63d488623":"8fa501c5dd9ac9b868144c9fa5":"5bb40e3bb72b4509324a7edc852f72535f1f6283156e63f6959ffaf39dcde800":4:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM auth decrypt tag NIST DVPT AES-256 #31 (P=24, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"314a202f836f9f257e22d8c11757832ae5131d357a72df88f3eff0ffcee0da4e":"8d34cdca37ce77be68f65baf3382e31efa693e63f914a781367f30f2eaad8c063ca50795acd90203":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":16:"e8de970f6ee8e80ede933581b5bcf4d837e2b72baa8b00c3"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"314a202f836f9f257e22d8c11757832ae5131d357a72df88f3eff0ffcee0da4e":"8d34cdca37ce77be68f65baf3382e31efa693e63f914a781367f30f2eaad8c063ca50795acd90203":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":16:0:"e8de970f6ee8e80ede933581b5bcf4d837e2b72baa8b00c3"
 
 CCM auth decrypt tag NIST DVPT AES-256 #32 (P=24, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C
-mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"314a202f836f9f257e22d8c11757832ae5131d357a72df88f3eff0ffcee0da4e":"516c0095cc3d85fd55e48da17c592e0c7014b9daafb82bdc4b41096dfdbe9cc1ab610f8f3e038d16":"8fa501c5dd9ac9b868144c9fa5":"5bb40e3bb72b4509324a7edc852f72535f1f6283156e63f6959ffaf39dcde800":16:"FAIL"
+mbedtls_ccm_auth_decrypt:MBEDTLS_CIPHER_ID_AES:"314a202f836f9f257e22d8c11757832ae5131d357a72df88f3eff0ffcee0da4e":"516c0095cc3d85fd55e48da17c592e0c7014b9daafb82bdc4b41096dfdbe9cc1ab610f8f3e038d16":"8fa501c5dd9ac9b868144c9fa5":"5bb40e3bb72b4509324a7edc852f72535f1f6283156e63f6959ffaf39dcde800":16:MBEDTLS_ERR_CCM_AUTH_FAILED:""
 
 CCM-Camellia encrypt and tag RFC 5528 #1
 depends_on:MBEDTLS_CAMELLIA_C
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ccm.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ccm.function
index 2f5c77c2c7..16f9f8e3ba 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ccm.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ccm.function
@@ -8,7 +8,7 @@
  */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST:MBEDTLS_AES_C */
-void mbedtls_ccm_self_test( )
+void mbedtls_ccm_self_test(  )
 {
     TEST_ASSERT( mbedtls_ccm_self_test( 1 ) == 0 );
 }
@@ -74,19 +74,139 @@ exit:
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_AES_C */
+void ccm_star_lengths( int msg_len, int iv_len, int add_len, int tag_len,
+                       int res )
+{
+    mbedtls_ccm_context ctx;
+    unsigned char key[16];
+    unsigned char msg[10];
+    unsigned char iv[14];
+    unsigned char add[10];
+    unsigned char out[10];
+    unsigned char tag[18];
+    int decrypt_ret;
+
+    mbedtls_ccm_init( &ctx );
+
+    memset( key, 0, sizeof( key ) );
+    memset( msg, 0, sizeof( msg ) );
+    memset( iv, 0, sizeof( iv ) );
+    memset( add, 0, sizeof( add ) );
+    memset( out, 0, sizeof( out ) );
+    memset( tag, 0, sizeof( tag ) );
+
+    TEST_ASSERT( mbedtls_ccm_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+                                 key, 8 * sizeof( key ) ) == 0 );
+
+    TEST_ASSERT( mbedtls_ccm_star_encrypt_and_tag( &ctx, msg_len, iv, iv_len,
+                 add, add_len, msg, out, tag, tag_len ) == res );
+
+    decrypt_ret = mbedtls_ccm_star_auth_decrypt( &ctx, msg_len, iv, iv_len, add,
+                  add_len, msg, out, tag, tag_len );
+
+    if( res == 0 && tag_len != 0 )
+        TEST_ASSERT( decrypt_ret == MBEDTLS_ERR_CCM_AUTH_FAILED );
+    else
+        TEST_ASSERT( decrypt_ret == res );
+
+exit:
+    mbedtls_ccm_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mbedtls_ccm_encrypt_and_tag( int cipher_id, data_t * key,
+                                  data_t * msg, data_t * iv,
+                                  data_t * add, data_t * result )
+{
+    mbedtls_ccm_context ctx;
+    size_t tag_len;
+    uint8_t * msg_n_tag = (uint8_t *)malloc( result->len + 2 );
+
+    mbedtls_ccm_init( &ctx );
+
+    memset( msg_n_tag, 0, result->len + 2 );
+    memcpy( msg_n_tag, msg->x, msg->len );
+
+    tag_len = result->len - msg->len;
+
+    TEST_ASSERT( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ) == 0 );
+
+    /* Test with input == output */
+    TEST_ASSERT( mbedtls_ccm_encrypt_and_tag( &ctx, msg->len, iv->x, iv->len, add->x, add->len,
+                 msg_n_tag, msg_n_tag, msg_n_tag + msg->len, tag_len ) == 0 );
+
+    TEST_ASSERT( memcmp( msg_n_tag, result->x, result->len ) == 0 );
+
+    /* Check we didn't write past the end */
+    TEST_ASSERT( msg_n_tag[result->len] == 0 && msg_n_tag[result->len + 1] == 0 );
+
+exit:
+    mbedtls_ccm_free( &ctx );
+    free( msg_n_tag );
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
-void mbedtls_ccm_encrypt_and_tag( int cipher_id,
-                          char *key_hex, char *msg_hex,
-                          char *iv_hex, char *add_hex,
-                          char *result_hex )
+void mbedtls_ccm_auth_decrypt( int cipher_id, data_t * key,
+                               data_t * msg, data_t * iv,
+                               data_t * add, int tag_len, int result,
+                               data_t * hex_msg )
+{
+    unsigned char tag[16];
+    mbedtls_ccm_context ctx;
+
+    mbedtls_ccm_init( &ctx );
+
+    memset( tag, 0x00, sizeof( tag ) );
+
+    msg->len -= tag_len;
+    memcpy( tag, msg->x + msg->len, tag_len );
+
+    TEST_ASSERT( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ) == 0 );
+
+    /* Test with input == output */
+    TEST_ASSERT( mbedtls_ccm_auth_decrypt( &ctx, msg->len, iv->x, iv->len, add->x, add->len,
+                 msg->x, msg->x, msg->x + msg->len, tag_len ) == result );
+
+    if( result == 0 )
+    {
+        TEST_ASSERT( memcmp( msg->x, hex_msg->x, hex_msg->len ) == 0 );
+    }
+    else
+    {
+        size_t i;
+
+        for( i = 0; i < msg->len; i++ )
+            TEST_ASSERT( msg->x[i] == 0 );
+    }
+
+    /* Check we didn't write past the end (where the original tag is) */
+    TEST_ASSERT( memcmp( msg->x + msg->len, tag, tag_len ) == 0 );
+
+exit:
+    mbedtls_ccm_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mbedtls_ccm_star_encrypt_and_tag( int cipher_id,
+                            char *key_hex, char *msg_hex,
+                            char *source_address_hex, char *frame_counter_hex,
+                            int sec_level, char *add_hex,
+                            char *result_hex, int output_ret )
 {
     unsigned char key[32];
     unsigned char msg[50];
     unsigned char iv[13];
     unsigned char add[32];
     unsigned char result[50];
+    unsigned char source_address[8];
+    unsigned char frame_counter[4];
     mbedtls_ccm_context ctx;
-    size_t key_len, msg_len, iv_len, add_len, tag_len, result_len;
+    size_t i, key_len, msg_len, iv_len, add_len, result_len, source_address_len, frame_counter_len, tag_len;
+    int ret;
 
     mbedtls_ccm_init( &ctx );
 
@@ -95,19 +215,36 @@ void mbedtls_ccm_encrypt_and_tag( int cipher_id,
     memset( iv, 0x00, sizeof( iv ) );
     memset( add, 0x00, sizeof( add ) );
     memset( result, 0x00, sizeof( result ) );
+    memset( source_address, 0x00, sizeof( source_address ) );
+    memset( frame_counter, 0x00, sizeof( frame_counter ) );
 
     key_len = unhexify( key, key_hex );
     msg_len = unhexify( msg, msg_hex );
-    iv_len = unhexify( iv, iv_hex );
     add_len = unhexify( add, add_hex );
     result_len = unhexify( result, result_hex );
-    tag_len = result_len - msg_len;
+    source_address_len = unhexify( source_address, source_address_hex );
+    frame_counter_len = unhexify( frame_counter, frame_counter_hex );
+
+    if( sec_level % 4 == 0)
+        tag_len = 0;
+    else
+        tag_len = 1 << ( sec_level % 4 + 1);
+
+    for( i = 0; i < source_address_len; i++ )
+        iv[i] = source_address[i];
+
+    for( i = 0; i < frame_counter_len; i++ )
+        iv[source_address_len + i] = frame_counter[i];
+
+    iv[source_address_len + frame_counter_len] = sec_level;
+    iv_len = sizeof( iv );
 
     TEST_ASSERT( mbedtls_ccm_setkey( &ctx, cipher_id, key, key_len * 8 ) == 0 );
 
-    /* Test with input == output */
-    TEST_ASSERT( mbedtls_ccm_encrypt_and_tag( &ctx, msg_len, iv, iv_len, add, add_len,
-                 msg, msg, msg + msg_len, tag_len ) == 0 );
+    ret = mbedtls_ccm_star_encrypt_and_tag( &ctx, msg_len, iv, iv_len,
+                 add, add_len, msg, msg, msg + msg_len, tag_len );
+
+    TEST_ASSERT( ret == output_ret );
 
     TEST_ASSERT( memcmp( msg, result, result_len ) == 0 );
 
@@ -120,10 +257,11 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_ccm_auth_decrypt( int cipher_id,
-                       char *key_hex, char *msg_hex,
-                       char *iv_hex, char *add_hex,
-                       int tag_len, char *result_hex )
+void mbedtls_ccm_star_auth_decrypt( int cipher_id,
+                            char *key_hex, char *msg_hex,
+                            char *source_address_hex, char *frame_counter_hex,
+                            int sec_level, char *add_hex,
+                            char *result_hex, int output_ret )
 {
     unsigned char key[32];
     unsigned char msg[50];
@@ -131,8 +269,10 @@ void mbedtls_ccm_auth_decrypt( int cipher_id,
     unsigned char add[32];
     unsigned char tag[16];
     unsigned char result[50];
+    unsigned char source_address[8];
+    unsigned char frame_counter[4];
     mbedtls_ccm_context ctx;
-    size_t key_len, msg_len, iv_len, add_len, result_len;
+    size_t i, key_len, msg_len, iv_len, add_len, tag_len, result_len, source_address_len, frame_counter_len;
     int ret;
 
     mbedtls_ccm_init( &ctx );
@@ -141,44 +281,43 @@ void mbedtls_ccm_auth_decrypt( int cipher_id,
     memset( msg, 0x00, sizeof( msg ) );
     memset( iv, 0x00, sizeof( iv ) );
     memset( add, 0x00, sizeof( add ) );
-    memset( tag, 0x00, sizeof( tag ) );
     memset( result, 0x00, sizeof( result ) );
+    memset( source_address, 0x00, sizeof( source_address ) );
+    memset( frame_counter, 0x00, sizeof( frame_counter ) );
+    memset( tag, 0x00, sizeof( tag ) );
 
     key_len = unhexify( key, key_hex );
     msg_len = unhexify( msg, msg_hex );
-    iv_len = unhexify( iv, iv_hex );
     add_len = unhexify( add, add_hex );
-    msg_len -= tag_len;
-    memcpy( tag, msg + msg_len, tag_len );
+    result_len = unhexify( result, result_hex );
+    source_address_len = unhexify( source_address, source_address_hex );
+    frame_counter_len = unhexify( frame_counter, frame_counter_hex );
 
-    if( strcmp( "FAIL", result_hex ) == 0 )
-    {
-        ret = MBEDTLS_ERR_CCM_AUTH_FAILED;
-        result_len = -1;
-    }
+    if( sec_level % 4 == 0)
+        tag_len = 0;
     else
-    {
-        ret = 0;
-        result_len = unhexify( result, result_hex );
-    }
+        tag_len = 1 << ( sec_level % 4 + 1);
+
+    for( i = 0; i < source_address_len; i++ )
+        iv[i] = source_address[i];
+
+    for( i = 0; i < frame_counter_len; i++ )
+        iv[source_address_len + i] = frame_counter[i];
+
+    iv[source_address_len + frame_counter_len] = sec_level;
+    iv_len = sizeof( iv );
+
+    msg_len -= tag_len;
+    memcpy( tag, msg + msg_len, tag_len );
 
     TEST_ASSERT( mbedtls_ccm_setkey( &ctx, cipher_id, key, key_len * 8 ) == 0 );
 
-    /* Test with input == output */
-    TEST_ASSERT( mbedtls_ccm_auth_decrypt( &ctx, msg_len, iv, iv_len, add, add_len,
-                 msg, msg, msg + msg_len, tag_len ) == ret );
+    ret = mbedtls_ccm_star_auth_decrypt( &ctx, msg_len, iv, iv_len,
+                 add, add_len, msg, msg, msg + msg_len, tag_len );
 
-    if( ret == 0 )
-    {
-        TEST_ASSERT( memcmp( msg, result, result_len ) == 0 );
-    }
-    else
-    {
-        size_t i;
+    TEST_ASSERT( ret == output_ret );
 
-        for( i = 0; i < msg_len; i++ )
-            TEST_ASSERT( msg[i] == 0 );
-    }
+    TEST_ASSERT( memcmp( msg, result, result_len ) == 0 );
 
     /* Check we didn't write past the end (where the original tag is) */
     TEST_ASSERT( memcmp( msg + msg_len, tag, tag_len ) == 0 );
@@ -187,3 +326,216 @@ exit:
     mbedtls_ccm_free( &ctx );
 }
 /* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void ccm_invalid_param( )
+{
+    struct mbedtls_ccm_context ctx;
+    unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
+    mbedtls_cipher_id_t valid_cipher = MBEDTLS_CIPHER_ID_AES;
+    int valid_len = sizeof(valid_buffer);
+    int valid_bitlen = valid_len * 8;
+
+    mbedtls_ccm_init( &ctx );
+
+    /* mbedtls_ccm_init() */
+    TEST_INVALID_PARAM( mbedtls_ccm_init( NULL ) );
+
+    /* mbedtls_ccm_setkey() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_setkey( NULL, valid_cipher, valid_buffer, valid_bitlen ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_setkey( &ctx, valid_cipher, NULL, valid_bitlen ) );
+
+    /* mbedtls_ccm_encrypt_and_tag() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_encrypt_and_tag( NULL, valid_len,
+                                     valid_buffer, valid_len,
+                                     valid_buffer, valid_len,
+                                     valid_buffer, valid_buffer,
+                                     valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_encrypt_and_tag( &ctx, valid_len,
+                                     NULL, valid_len,
+                                     valid_buffer, valid_len,
+                                     valid_buffer, valid_buffer,
+                                     valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_encrypt_and_tag( &ctx, valid_len,
+                                     valid_buffer, valid_len,
+                                     NULL, valid_len,
+                                     valid_buffer, valid_buffer,
+                                     valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_encrypt_and_tag( &ctx, valid_len,
+                                     valid_buffer, valid_len,
+                                     valid_buffer, valid_len,
+                                     NULL, valid_buffer,
+                                     valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_encrypt_and_tag( &ctx, valid_len,
+                                     valid_buffer, valid_len,
+                                     valid_buffer, valid_len,
+                                     valid_buffer, NULL,
+                                     valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_encrypt_and_tag( &ctx, valid_len,
+                                     valid_buffer, valid_len,
+                                     valid_buffer, valid_len,
+                                     valid_buffer, valid_buffer,
+                                     NULL, valid_len ) );
+
+    /* mbedtls_ccm_star_encrypt_and_tag() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_star_encrypt_and_tag( NULL, valid_len,
+                                          valid_buffer, valid_len,
+                                          valid_buffer, valid_len,
+                                          valid_buffer, valid_buffer,
+                                          valid_buffer, valid_len) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_star_encrypt_and_tag( &ctx, valid_len,
+                                          NULL, valid_len,
+                                          valid_buffer, valid_len,
+                                          valid_buffer, valid_buffer,
+                                          valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_star_encrypt_and_tag( &ctx, valid_len,
+                                          valid_buffer, valid_len,
+                                          NULL, valid_len,
+                                          valid_buffer, valid_buffer,
+                                          valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_star_encrypt_and_tag( &ctx, valid_len,
+                                          valid_buffer, valid_len,
+                                          valid_buffer, valid_len,
+                                          NULL, valid_buffer,
+                                          valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_star_encrypt_and_tag( &ctx, valid_len,
+                                          valid_buffer, valid_len,
+                                          valid_buffer, valid_len,
+                                          valid_buffer, NULL,
+                                          valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_star_encrypt_and_tag( &ctx, valid_len,
+                                          valid_buffer, valid_len,
+                                          valid_buffer, valid_len,
+                                          valid_buffer, valid_buffer,
+                                          NULL, valid_len ) );
+
+    /* mbedtls_ccm_auth_decrypt() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_auth_decrypt( NULL, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_buffer,
+                                  valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_auth_decrypt( &ctx, valid_len,
+                                  NULL, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_buffer,
+                                  valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_auth_decrypt( &ctx, valid_len,
+                                  valid_buffer, valid_len,
+                                  NULL, valid_len,
+                                  valid_buffer, valid_buffer,
+                                  valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_auth_decrypt( &ctx, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_len,
+                                  NULL, valid_buffer,
+                                  valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_auth_decrypt( &ctx, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, NULL,
+                                  valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_auth_decrypt( &ctx, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_buffer,
+                                  NULL, valid_len ) );
+
+    /* mbedtls_ccm_star_auth_decrypt() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_star_auth_decrypt( NULL, valid_len,
+                                       valid_buffer, valid_len,
+                                       valid_buffer, valid_len,
+                                       valid_buffer, valid_buffer,
+                                       valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_star_auth_decrypt( &ctx, valid_len,
+                                       NULL, valid_len,
+                                       valid_buffer, valid_len,
+                                       valid_buffer, valid_buffer,
+                                       valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_star_auth_decrypt( &ctx, valid_len,
+                                       valid_buffer, valid_len,
+                                       NULL, valid_len,
+                                       valid_buffer, valid_buffer,
+                                       valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_star_auth_decrypt( &ctx, valid_len,
+                                       valid_buffer, valid_len,
+                                       valid_buffer, valid_len,
+                                       NULL, valid_buffer,
+                                       valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_star_auth_decrypt( &ctx, valid_len,
+                                       valid_buffer, valid_len,
+                                       valid_buffer, valid_len,
+                                       valid_buffer, NULL,
+                                       valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CCM_BAD_INPUT,
+        mbedtls_ccm_star_auth_decrypt( &ctx, valid_len,
+                                       valid_buffer, valid_len,
+                                       valid_buffer, valid_len,
+                                       valid_buffer, valid_buffer,
+                                       NULL, valid_len ) );
+
+exit:
+    mbedtls_ccm_free( &ctx );
+    return;
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ccm_valid_param( )
+{
+    TEST_VALID_PARAM( mbedtls_ccm_free( NULL ) );
+exit:
+    return;
+}
+/* END_CASE */
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_chacha20.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_chacha20.data
new file mode 100644
index 0000000000..3f9033eeb2
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_chacha20.data
@@ -0,0 +1,29 @@
+ChaCha20 RFC 7539 Example and Test Vector (Encrypt)
+chacha20_crypt:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"000000000000004a00000000":1:"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":"6e2e359a2568f98041ba0728dd0d6981e97e7aec1d4360c20a27afccfd9fae0bf91b65c5524733ab8f593dabcd62b3571639d624e65152ab8f530c359f0861d807ca0dbf500d6a6156a38e088a22b65e52bc514d16ccf806818ce91ab77937365af90bbf74a35be6b40b8eedf2785e42874d"
+
+ChaCha20 RFC 7539 Example and Test Vector (Decrypt)
+chacha20_crypt:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"000000000000004a00000000":1:"6e2e359a2568f98041ba0728dd0d6981e97e7aec1d4360c20a27afccfd9fae0bf91b65c5524733ab8f593dabcd62b3571639d624e65152ab8f530c359f0861d807ca0dbf500d6a6156a38e088a22b65e52bc514d16ccf806818ce91ab77937365af90bbf74a35be6b40b8eedf2785e42874d":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e"
+
+ChaCha20 RFC 7539 Test Vector #1 (Encrypt)
+chacha20_crypt:"0000000000000000000000000000000000000000000000000000000000000000":"000000000000000000000000":0:"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":"76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586"
+
+ChaCha20 RFC 7539 Test Vector #1 (Decrypt)
+chacha20_crypt:"0000000000000000000000000000000000000000000000000000000000000000":"000000000000000000000000":0:"76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
+
+ChaCha20 RFC 7539 Test Vector #2 (Encrypt)
+chacha20_crypt:"0000000000000000000000000000000000000000000000000000000000000001":"000000000000000000000002":1:"416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f":"a3fbf07df3fa2fde4f376ca23e82737041605d9f4f4f57bd8cff2c1d4b7955ec2a97948bd3722915c8f3d337f7d370050e9e96d647b7c39f56e031ca5eb6250d4042e02785ececfa4b4bb5e8ead0440e20b6e8db09d881a7c6132f420e52795042bdfa7773d8a9051447b3291ce1411c680465552aa6c405b7764d5e87bea85ad00f8449ed8f72d0d662ab052691ca66424bc86d2df80ea41f43abf937d3259dc4b2d0dfb48a6c9139ddd7f76966e928e635553ba76c5c879d7b35d49eb2e62b0871cdac638939e25e8a1e0ef9d5280fa8ca328b351c3c765989cbcf3daa8b6ccc3aaf9f3979c92b3720fc88dc95ed84a1be059c6499b9fda236e7e818b04b0bc39c1e876b193bfe5569753f88128cc08aaa9b63d1a16f80ef2554d7189c411f5869ca52c5b83fa36ff216b9c1d30062bebcfd2dc5bce0911934fda79a86f6e698ced759c3ff9b6477338f3da4f9cd8514ea9982ccafb341b2384dd902f3d1ab7ac61dd29c6f21ba5b862f3730e37cfdc4fd806c22f221"
+
+ChaCha20 RFC 7539 Test Vector #2 (Decrypt)
+chacha20_crypt:"0000000000000000000000000000000000000000000000000000000000000001":"000000000000000000000002":1:"a3fbf07df3fa2fde4f376ca23e82737041605d9f4f4f57bd8cff2c1d4b7955ec2a97948bd3722915c8f3d337f7d370050e9e96d647b7c39f56e031ca5eb6250d4042e02785ececfa4b4bb5e8ead0440e20b6e8db09d881a7c6132f420e52795042bdfa7773d8a9051447b3291ce1411c680465552aa6c405b7764d5e87bea85ad00f8449ed8f72d0d662ab052691ca66424bc86d2df80ea41f43abf937d3259dc4b2d0dfb48a6c9139ddd7f76966e928e635553ba76c5c879d7b35d49eb2e62b0871cdac638939e25e8a1e0ef9d5280fa8ca328b351c3c765989cbcf3daa8b6ccc3aaf9f3979c92b3720fc88dc95ed84a1be059c6499b9fda236e7e818b04b0bc39c1e876b193bfe5569753f88128cc08aaa9b63d1a16f80ef2554d7189c411f5869ca52c5b83fa36ff216b9c1d30062bebcfd2dc5bce0911934fda79a86f6e698ced759c3ff9b6477338f3da4f9cd8514ea9982ccafb341b2384dd902f3d1ab7ac61dd29c6f21ba5b862f3730e37cfdc4fd806c22f221":"416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f"
+
+ChaCha20 RFC 7539 Test Vector #3 (Encrypt)
+chacha20_crypt:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000000000000000002":42:"2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e":"62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553ebf39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f7704c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1"
+
+ChaCha20 RFC 7539 Test Vector #3 (Decrypt)
+chacha20_crypt:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000000000000000002":42:"62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553ebf39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f7704c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1":"2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e"
+
+ChaCha20 Paremeter Validation
+chacha20_bad_params:
+
+ChaCha20 Selftest
+chacha20_self_test:
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_chacha20.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_chacha20.function
new file mode 100644
index 0000000000..49b389c7f0
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_chacha20.function
@@ -0,0 +1,136 @@
+/* BEGIN_HEADER */
+#include "mbedtls/chacha20.h"
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_CHACHA20_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void chacha20_crypt( char *hex_key_string,
+                     char *hex_nonce_string,
+                     int counter,
+                     char *hex_src_string,
+                     char *hex_dst_string )
+{
+    unsigned char key_str[32]; /* size set by the standard */
+    unsigned char nonce_str[12]; /* size set by the standard */
+    unsigned char src_str[375]; /* max size of binary input */
+    unsigned char dst_str[751]; /* hex expansion of the above */
+    unsigned char output[751];
+    size_t key_len;
+    size_t nonce_len;
+    size_t src_len;
+    size_t dst_len;
+    mbedtls_chacha20_context ctx;
+
+    memset( key_str,    0x00, sizeof( key_str ) );
+    memset( nonce_str,  0x00, sizeof( nonce_str ) );
+    memset( src_str,    0x00, sizeof( src_str ) );
+    memset( dst_str,    0x00, sizeof( dst_str ) );
+    memset( output,     0x00, sizeof( output ) );
+
+    key_len   = unhexify( key_str, hex_key_string );
+    nonce_len = unhexify( nonce_str, hex_nonce_string );
+    src_len   = unhexify( src_str, hex_src_string );
+    dst_len   = unhexify( dst_str, hex_dst_string );
+
+    TEST_ASSERT( src_len   == dst_len );
+    TEST_ASSERT( key_len   == 32U );
+    TEST_ASSERT( nonce_len == 12U );
+
+    /*
+     * Test the integrated API
+     */
+    TEST_ASSERT( mbedtls_chacha20_crypt( key_str, nonce_str, counter, src_len, src_str, output ) == 0 );
+
+    hexify( dst_str, output, src_len );
+    TEST_ASSERT( strcmp( (char*) dst_str, hex_dst_string ) == 0 );
+
+    /*
+     * Test the streaming API
+     */
+    mbedtls_chacha20_init( &ctx );
+
+    TEST_ASSERT( mbedtls_chacha20_setkey( &ctx, key_str ) == 0 );
+
+    TEST_ASSERT( mbedtls_chacha20_starts( &ctx, nonce_str, counter ) == 0 );
+
+    memset( output, 0x00, sizeof( output ) );
+    TEST_ASSERT( mbedtls_chacha20_update( &ctx, src_len, src_str, output ) == 0 );
+
+    hexify( dst_str, output, src_len );
+    TEST_ASSERT( strcmp( (char*) dst_str, hex_dst_string ) == 0 );
+
+    /*
+     * Test the streaming API again, piecewise
+     */
+
+    /* Don't free/init the context nor set the key again,
+     * in order to test that starts() does the right thing. */
+    TEST_ASSERT( mbedtls_chacha20_starts( &ctx, nonce_str, counter ) == 0 );
+
+    memset( output, 0x00, sizeof( output ) );
+    TEST_ASSERT( mbedtls_chacha20_update( &ctx, 1, src_str, output ) == 0 );
+    TEST_ASSERT( mbedtls_chacha20_update( &ctx, src_len - 1, src_str + 1, output + 1 ) == 0 );
+
+    hexify( dst_str, output, src_len );
+    TEST_ASSERT( strcmp( (char*) dst_str, hex_dst_string ) == 0 );
+
+    mbedtls_chacha20_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void chacha20_bad_params()
+{
+    unsigned char key[32];
+    unsigned char nonce[12];
+    unsigned char src[1];
+    unsigned char dst[1];
+    uint32_t counter = 0;
+    size_t len = sizeof( src );
+    mbedtls_chacha20_context ctx;
+
+    TEST_INVALID_PARAM( mbedtls_chacha20_init( NULL ) );
+    TEST_VALID_PARAM( mbedtls_chacha20_free( NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA,
+                            mbedtls_chacha20_setkey( NULL, key ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA,
+                            mbedtls_chacha20_setkey( &ctx, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA,
+                            mbedtls_chacha20_starts( NULL, nonce, counter ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA,
+                            mbedtls_chacha20_starts( &ctx, NULL, counter ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA,
+                            mbedtls_chacha20_update( NULL, 0, src, dst ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA,
+                            mbedtls_chacha20_update( &ctx, len, NULL, dst ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA,
+                            mbedtls_chacha20_update( &ctx, len, src, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA,
+                            mbedtls_chacha20_crypt( NULL, nonce, counter, 0, src, dst ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA,
+                            mbedtls_chacha20_crypt( key, NULL, counter, 0, src, dst ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA,
+                            mbedtls_chacha20_crypt( key, nonce, counter, len, NULL, dst ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA,
+                            mbedtls_chacha20_crypt( key, nonce, counter, len, src, NULL ) );
+
+exit:
+    return;
+
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
+void chacha20_self_test()
+{
+    TEST_ASSERT( mbedtls_chacha20_self_test( 1 ) == 0 );
+}
+/* END_CASE */
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_chachapoly.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_chachapoly.data
new file mode 100644
index 0000000000..34cb568311
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_chachapoly.data
@@ -0,0 +1,27 @@
+ChaCha20-Poly1305 RFC 7539 Example and Test Vector (Encrypt)
+mbedtls_chachapoly_enc:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"1ae10b594f09e26a7e902ecbd0600691"
+
+ChaCha20-Poly1305 RFC 7539 Example and Test Vector (Decrypt)
+mbedtls_chachapoly_dec:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":"1ae10b594f09e26a7e902ecbd0600691":0
+
+ChaCha20-Poly1305 RFC 7539 Example and Test Vector (Decrypt, not authentic)
+mbedtls_chachapoly_dec:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":"1ae10b594f09e26a7e902ecbd0600690":MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
+
+ChaCha20-Poly1305 RFC 7539 Test Vector #1 (Encrypt)
+mbedtls_chachapoly_enc:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"f33388860000000000004e91":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"eead9d67890cbb22392336fea1851f38"
+
+ChaCha20-Poly1305 RFC 7539 Test Vector #1 (Decrypt)
+mbedtls_chachapoly_dec:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"f33388860000000000004e91":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d":"eead9d67890cbb22392336fea1851f38":0
+
+ChaCha20-Poly1305 RFC 7539 Test Vector #1 (Decrypt, not authentic)
+mbedtls_chachapoly_dec:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"f33388860000000000004e91":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d":"fead9d67890cbb22392336fea1851f38":MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
+
+ChaCha20-Poly1305 State Flow
+chachapoly_state:
+
+ChaCha20-Poly1305 Parameter Validation
+chachapoly_bad_params:
+
+ChaCha20-Poly1305 Selftest
+depends_on:MBEDTLS_SELF_TEST
+chachapoly_selftest:
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_chachapoly.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_chachapoly.function
new file mode 100644
index 0000000000..8e56bf69a3
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_chachapoly.function
@@ -0,0 +1,337 @@
+/* BEGIN_HEADER */
+#include "mbedtls/chachapoly.h"
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_CHACHAPOLY_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void mbedtls_chachapoly_enc( char *hex_key_string, char *hex_nonce_string, char *hex_aad_string, char *hex_input_string, char *hex_output_string, char *hex_mac_string )
+{
+    unsigned char key_str[32]; /* size set by the standard */
+    unsigned char nonce_str[12]; /* size set by the standard */
+    unsigned char aad_str[12]; /* max size of test data so far */
+    unsigned char input_str[265]; /* max size of binary input/output so far */
+    unsigned char output_str[265];
+    unsigned char output[265];
+    unsigned char mac_str[16]; /* size set by the standard */
+    unsigned char mac[16]; /* size set by the standard */
+    size_t input_len;
+    size_t output_len;
+    size_t aad_len;
+    size_t key_len;
+    size_t nonce_len;
+    size_t mac_len;
+    mbedtls_chachapoly_context ctx;
+
+    memset( key_str,    0x00, sizeof( key_str ) );
+    memset( nonce_str,  0x00, sizeof( nonce_str ) );
+    memset( aad_str,    0x00, sizeof( aad_str ) );
+    memset( input_str,  0x00, sizeof( input_str ) );
+    memset( output_str, 0x00, sizeof( output_str ) );
+    memset( mac_str,    0x00, sizeof( mac_str ) );
+
+    aad_len    = unhexify( aad_str,    hex_aad_string    );
+    input_len  = unhexify( input_str,  hex_input_string  );
+    output_len = unhexify( output_str, hex_output_string );
+    key_len    = unhexify( key_str,    hex_key_string    );
+    nonce_len  = unhexify( nonce_str,  hex_nonce_string  );
+    mac_len    = unhexify( mac_str,    hex_mac_string    );
+
+    TEST_ASSERT( key_len   == 32 );
+    TEST_ASSERT( nonce_len == 12 );
+    TEST_ASSERT( mac_len   == 16 );
+
+    mbedtls_chachapoly_init( &ctx );
+
+    TEST_ASSERT( mbedtls_chachapoly_setkey( &ctx, key_str ) == 0 );
+
+    TEST_ASSERT( mbedtls_chachapoly_encrypt_and_tag( &ctx,
+                                      input_len, nonce_str,
+                                      aad_str, aad_len,
+                                      input_str, output, mac ) == 0 );
+
+    TEST_ASSERT( memcmp( output_str, output, output_len ) == 0 );
+    TEST_ASSERT( memcmp( mac_str, mac, 16U ) == 0 );
+
+exit:
+    mbedtls_chachapoly_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mbedtls_chachapoly_dec( char *hex_key_string, char *hex_nonce_string, char *hex_aad_string, char *hex_input_string, char *hex_output_string, char *hex_mac_string, int ret_exp )
+{
+    unsigned char key_str[32]; /* size set by the standard */
+    unsigned char nonce_str[12]; /* size set by the standard */
+    unsigned char aad_str[12]; /* max size of test data so far */
+    unsigned char input_str[265]; /* max size of binary input/output so far */
+    unsigned char output_str[265];
+    unsigned char output[265];
+    unsigned char mac_str[16]; /* size set by the standard */
+    size_t input_len;
+    size_t output_len;
+    size_t aad_len;
+    size_t key_len;
+    size_t nonce_len;
+    size_t mac_len;
+    int ret;
+    mbedtls_chachapoly_context ctx;
+
+    memset( key_str,    0x00, sizeof( key_str ) );
+    memset( nonce_str,  0x00, sizeof( nonce_str ) );
+    memset( aad_str,    0x00, sizeof( aad_str ) );
+    memset( input_str,  0x00, sizeof( input_str ) );
+    memset( output_str, 0x00, sizeof( output_str ) );
+    memset( mac_str,    0x00, sizeof( mac_str ) );
+
+    aad_len    = unhexify( aad_str,    hex_aad_string    );
+    input_len  = unhexify( input_str,  hex_input_string  );
+    output_len = unhexify( output_str, hex_output_string );
+    key_len    = unhexify( key_str,    hex_key_string    );
+    nonce_len  = unhexify( nonce_str,  hex_nonce_string  );
+    mac_len    = unhexify( mac_str,    hex_mac_string    );
+
+    TEST_ASSERT( key_len   == 32 );
+    TEST_ASSERT( nonce_len == 12 );
+    TEST_ASSERT( mac_len   == 16 );
+
+    mbedtls_chachapoly_init( &ctx );
+
+    TEST_ASSERT( mbedtls_chachapoly_setkey( &ctx, key_str ) == 0 );
+
+    ret = mbedtls_chachapoly_auth_decrypt( &ctx,
+                                           input_len, nonce_str,
+                                           aad_str, aad_len,
+                                           mac_str, input_str, output );
+
+    TEST_ASSERT( ret == ret_exp );
+    if( ret_exp == 0 )
+    {
+        TEST_ASSERT( memcmp( output_str, output, output_len ) == 0 );
+    }
+
+exit:
+    mbedtls_chachapoly_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void chachapoly_bad_params()
+{
+    unsigned char key[32];
+    unsigned char nonce[12];
+    unsigned char aad[1];
+    unsigned char input[1];
+    unsigned char output[1];
+    unsigned char mac[16];
+    size_t input_len = sizeof( input );
+    size_t aad_len = sizeof( aad );
+    mbedtls_chachapoly_context ctx;
+
+    memset( key,    0x00, sizeof( key ) );
+    memset( nonce,  0x00, sizeof( nonce ) );
+    memset( aad,    0x00, sizeof( aad ) );
+    memset( input,  0x00, sizeof( input ) );
+    memset( output, 0x00, sizeof( output ) );
+    memset( mac,    0x00, sizeof( mac ) );
+
+    TEST_INVALID_PARAM( mbedtls_chachapoly_init( NULL ) );
+    TEST_VALID_PARAM( mbedtls_chachapoly_free( NULL ) );
+
+    /* setkey */
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_setkey( NULL, key ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_setkey( &ctx, NULL ) );
+
+    /* encrypt_and_tag */
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_encrypt_and_tag( NULL,
+                                      0, nonce,
+                                      aad, 0,
+                                      input, output, mac ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_encrypt_and_tag( &ctx,
+                                      0, NULL,
+                                      aad, 0,
+                                      input, output, mac ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_encrypt_and_tag( &ctx,
+                                      0, nonce,
+                                      NULL, aad_len,
+                                      input, output, mac ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_encrypt_and_tag( &ctx,
+                                      input_len, nonce,
+                                      aad, 0,
+                                      NULL, output, mac ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_encrypt_and_tag( &ctx,
+                                      input_len, nonce,
+                                      aad, 0,
+                                      input, NULL, mac ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_encrypt_and_tag( &ctx,
+                                      0, nonce,
+                                      aad, 0,
+                                      input, output, NULL ) );
+
+    /* auth_decrypt */
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_auth_decrypt( NULL,
+                                           0, nonce,
+                                           aad, 0,
+                                           mac, input, output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_auth_decrypt( &ctx,
+                                           0, NULL,
+                                           aad, 0,
+                                           mac, input, output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_auth_decrypt( &ctx,
+                                           0, nonce,
+                                           NULL, aad_len,
+                                           mac, input, output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_auth_decrypt( &ctx,
+                                           0, nonce,
+                                           aad, 0,
+                                           NULL, input, output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_auth_decrypt( &ctx,
+                                           input_len, nonce,
+                                           aad, 0,
+                                           mac, NULL, output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_auth_decrypt( &ctx,
+                                           input_len, nonce,
+                                           aad, 0,
+                                           mac, input, NULL ) );
+
+    /* starts */
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_starts( NULL, nonce,
+                                               MBEDTLS_CHACHAPOLY_ENCRYPT ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_starts( &ctx, NULL,
+                                               MBEDTLS_CHACHAPOLY_ENCRYPT ) );
+
+    /* update_aad */
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_update_aad( NULL, aad,
+                                                           aad_len ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_update_aad( &ctx, NULL,
+                                                           aad_len ) );
+
+    /* update */
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_update( NULL, input_len,
+                                                       input, output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_update( &ctx, input_len,
+                                                       NULL, output ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_update( &ctx, input_len,
+                                                       input, NULL ) );
+
+    /* finish */
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_finish( NULL, mac ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                            mbedtls_chachapoly_finish( &ctx, NULL ) );
+
+exit:
+    return;
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void chachapoly_state()
+{
+    unsigned char key[32];
+    unsigned char nonce[12];
+    unsigned char aad[1];
+    unsigned char input[1];
+    unsigned char output[1];
+    unsigned char mac[16];
+    size_t input_len = sizeof( input );
+    size_t aad_len = sizeof( aad );
+    mbedtls_chachapoly_context ctx;
+
+    memset( key,    0x00, sizeof( key ) );
+    memset( nonce,  0x00, sizeof( nonce ) );
+    memset( aad,    0x00, sizeof( aad ) );
+    memset( input,  0x00, sizeof( input ) );
+    memset( output, 0x00, sizeof( output ) );
+    memset( mac,    0x00, sizeof( mac ) );
+
+    /* Initial state: finish, update, update_aad forbidden */
+    mbedtls_chachapoly_init( &ctx );
+
+    TEST_ASSERT( mbedtls_chachapoly_finish( &ctx, mac )
+                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+    TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, output )
+                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+    TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
+                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+
+    /* Still initial state: finish, update, update_aad forbidden */
+    TEST_ASSERT( mbedtls_chachapoly_setkey( &ctx, key )
+                 == 0 );
+
+    TEST_ASSERT( mbedtls_chachapoly_finish( &ctx, mac )
+                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+    TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, output )
+                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+    TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
+                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+
+    /* Starts -> finish OK */
+    TEST_ASSERT( mbedtls_chachapoly_starts( &ctx, nonce, MBEDTLS_CHACHAPOLY_ENCRYPT )
+                 == 0 );
+    TEST_ASSERT( mbedtls_chachapoly_finish( &ctx, mac )
+                 == 0 );
+
+    /* After finish: update, update_aad forbidden */
+    TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, output )
+                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+    TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
+                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+
+    /* Starts -> update* OK */
+    TEST_ASSERT( mbedtls_chachapoly_starts( &ctx, nonce, MBEDTLS_CHACHAPOLY_ENCRYPT )
+                 == 0 );
+    TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, output )
+                 == 0 );
+    TEST_ASSERT( mbedtls_chachapoly_update( &ctx, input_len, input, output )
+                 == 0 );
+
+    /* After update: update_aad forbidden */
+    TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
+                 == MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+
+    /* Starts -> update_aad* -> finish OK */
+    TEST_ASSERT( mbedtls_chachapoly_starts( &ctx, nonce, MBEDTLS_CHACHAPOLY_ENCRYPT )
+                 == 0 );
+    TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
+                 == 0 );
+    TEST_ASSERT( mbedtls_chachapoly_update_aad( &ctx, aad, aad_len )
+                 == 0 );
+    TEST_ASSERT( mbedtls_chachapoly_finish( &ctx, mac )
+                 == 0 );
+
+exit:
+    mbedtls_chachapoly_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
+void chachapoly_selftest()
+{
+    TEST_ASSERT( mbedtls_chachapoly_self_test( 1 ) == 0 );
+}
+/* END_CASE */
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.aes.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.aes.data
index b93d4de9a9..1b3450128f 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.aes.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.aes.data
@@ -1,6 +1,6 @@
 Decrypt empty buffer
 depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
-dec_empty_buf:
+dec_empty_buf:MBEDTLS_CIPHER_AES_128_CBC
 
 AES-128 CBC - Encrypt and decrypt 0 bytes with PKCS7 padding
 depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
@@ -414,7 +414,7 @@ AES-128 CFB - Encrypt and decrypt 32 bytes
 depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CFB
 enc_dec_buf:MBEDTLS_CIPHER_AES_128_CFB128:"AES-128-CFB128":128:32:-1
 
-AES-128 CFB - Encrypt and decrypt 32 bytes
+AES-128 CFB - Encrypt and decrypt 33 bytes
 depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CFB
 enc_dec_buf:MBEDTLS_CIPHER_AES_128_CFB128:"AES-128-CFB128":128:33:-1
 
@@ -474,6 +474,382 @@ AES-128 CFB - Encrypt and decrypt 32 bytes in multiple parts 1
 depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CFB
 enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_CFB128:128:16:16:-1:16:16:16:16
 
+AES-128 OFB - Encrypt and decrypt 0 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:0:-1
+
+AES-128 OFB - Encrypt and decrypt 1 byte
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:1:-1
+
+AES-128 OFB - Encrypt and decrypt 2 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:2:-1
+
+AES-128 OFB - Encrypt and decrypt 7 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:7:-1
+
+AES-128 OFB - Encrypt and decrypt 8 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:8:-1
+
+AES-128 OFB - Encrypt and decrypt 9 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:9:-1
+
+AES-128 OFB - Encrypt and decrypt 15 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:15:-1
+
+AES-128 OFB - Encrypt and decrypt 16 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:16:-1
+
+AES-128 OFB - Encrypt and decrypt 17 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:17:-1
+
+AES-128 OFB - Encrypt and decrypt 31 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:31:-1
+
+AES-128 OFB - Encrypt and decrypt 32 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:32:-1
+
+AES-128 OFB - Encrypt and decrypt 33 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:33:-1
+
+AES-128 OFB - Encrypt and decrypt 47 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:47:-1
+
+AES-128 OFB - Encrypt and decrypt 48 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:48:-1
+
+AES-128 OFB - Encrypt and decrypt 49 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_OFB:"AES-128-OFB":128:49:-1
+
+AES-128 OFB - Encrypt and decrypt 0 bytes in multiple parts
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:0:0:-1:0:0:0:0
+
+AES-128 OFB - Encrypt and decrypt 1 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:1:0:-1:1:0:1:0
+
+AES-128 OFB - Encrypt and decrypt 1 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:0:1:-1:0:1:0:1
+
+AES-128 OFB - Encrypt and decrypt 16 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:16:0:-1:16:0:16:0
+
+AES-128 OFB - Encrypt and decrypt 16 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:0:16:-1:0:16:0:16
+
+AES-128 OFB - Encrypt and decrypt 16 bytes in multiple parts 3
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:1:15:-1:1:15:1:15
+
+AES-128 OFB - Encrypt and decrypt 16 bytes in multiple parts 4
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:15:1:-1:15:1:15:1
+
+AES-128 OFB - Encrypt and decrypt 22 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:15:7:-1:15:7:15:7
+
+AES-128 OFB - Encrypt and decrypt 22 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:16:6:-1:16:6:16:6
+
+AES-128 OFB - Encrypt and decrypt 23 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:17:6:-1:17:6:17:6
+
+AES-128 OFB - Encrypt and decrypt 32 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_128_OFB:128:16:16:-1:16:16:16:16
+
+AES-192 OFB - Encrypt and decrypt 0 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:0:-1
+
+AES-192 OFB - Encrypt and decrypt 1 byte
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:1:-1
+
+AES-192 OFB - Encrypt and decrypt 2 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:2:-1
+
+AES-192 OFB - Encrypt and decrypt 7 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:7:-1
+
+AES-192 OFB - Encrypt and decrypt 8 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:8:-1
+
+AES-192 OFB - Encrypt and decrypt 9 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:9:-1
+
+AES-192 OFB - Encrypt and decrypt 15 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:15:-1
+
+AES-192 OFB - Encrypt and decrypt 16 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:16:-1
+
+AES-192 OFB - Encrypt and decrypt 17 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:17:-1
+
+AES-192 OFB - Encrypt and decrypt 31 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:31:-1
+
+AES-192 OFB - Encrypt and decrypt 32 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:32:-1
+
+AES-192 OFB - Encrypt and decrypt 33 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:33:-1
+
+AES-192 OFB - Encrypt and decrypt 47 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:47:-1
+
+AES-192 OFB - Encrypt and decrypt 48 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:48:-1
+
+AES-192 OFB - Encrypt and decrypt 49 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_192_OFB:"AES-192-OFB":192:49:-1
+
+AES-192 OFB - Encrypt and decrypt 0 bytes in multiple parts
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:0:0:-1:0:0:0:0
+
+AES-192 OFB - Encrypt and decrypt 1 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:1:0:-1:1:0:1:0
+
+AES-192 OFB - Encrypt and decrypt 1 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:0:1:-1:0:1:0:1
+
+AES-192 OFB - Encrypt and decrypt 16 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:16:0:-1:16:0:16:0
+
+AES-192 OFB - Encrypt and decrypt 16 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:0:16:-1:0:16:0:16
+
+AES-192 OFB - Encrypt and decrypt 16 bytes in multiple parts 3
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:1:15:-1:1:15:1:15
+
+AES-192 OFB - Encrypt and decrypt 16 bytes in multiple parts 4
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:15:1:-1:15:1:15:1
+
+AES-192 OFB - Encrypt and decrypt 22 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:15:7:-1:15:7:15:7
+
+AES-192 OFB - Encrypt and decrypt 22 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:16:6:-1:16:6:16:6
+
+AES-192 OFB - Encrypt and decrypt 23 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:17:6:-1:17:6:17:6
+
+AES-192 OFB - Encrypt and decrypt 32 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_192_OFB:192:16:16:-1:16:16:16:16
+
+AES-256 OFB - Encrypt and decrypt 0 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:0:-1
+
+AES-256 OFB - Encrypt and decrypt 1 byte
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:1:-1
+
+AES-256 OFB - Encrypt and decrypt 2 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:2:-1
+
+AES-256 OFB - Encrypt and decrypt 7 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:7:-1
+
+AES-256 OFB - Encrypt and decrypt 8 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:8:-1
+
+AES-256 OFB - Encrypt and decrypt 9 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:9:-1
+
+AES-256 OFB - Encrypt and decrypt 15 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:15:-1
+
+AES-256 OFB - Encrypt and decrypt 16 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:16:-1
+
+AES-256 OFB - Encrypt and decrypt 17 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:17:-1
+
+AES-256 OFB - Encrypt and decrypt 31 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:31:-1
+
+AES-256 OFB - Encrypt and decrypt 32 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:32:-1
+
+AES-256 OFB - Encrypt and decrypt 33 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:33:-1
+
+AES-256 OFB - Encrypt and decrypt 47 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:47:-1
+
+AES-256 OFB - Encrypt and decrypt 48 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:48:-1
+
+AES-256 OFB - Encrypt and decrypt 49 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_OFB:"AES-256-OFB":256:49:-1
+
+AES-256 OFB - Encrypt and decrypt 0 bytes in multiple parts
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:0:0:-1:0:0:0:0
+
+AES-256 OFB - Encrypt and decrypt 1 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:1:0:-1:1:0:1:0
+
+AES-256 OFB - Encrypt and decrypt 1 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:0:1:-1:0:1:0:1
+
+AES-256 OFB - Encrypt and decrypt 16 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:16:0:-1:16:0:16:0
+
+AES-256 OFB - Encrypt and decrypt 16 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:0:16:-1:0:16:0:16
+
+AES-256 OFB - Encrypt and decrypt 16 bytes in multiple parts 3
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:1:15:-1:1:15:1:15
+
+AES-256 OFB - Encrypt and decrypt 16 bytes in multiple parts 4
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:15:1:-1:15:1:15:1
+
+AES-256 OFB - Encrypt and decrypt 22 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:15:7:-1:15:7:15:7
+
+AES-256 OFB - Encrypt and decrypt 22 bytes in multiple parts 2
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:16:6:-1:16:6:16:6
+
+AES-256 OFB - Encrypt and decrypt 23 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:17:6:-1:17:6:17:6
+
+AES-256 OFB - Encrypt and decrypt 32 bytes in multiple parts 1
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+enc_dec_buf_multipart:MBEDTLS_CIPHER_AES_256_OFB:256:16:16:-1:16:16:16:16
+
+AES-128 XTS - Encrypt and decrypt 16 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:16:-1
+
+AES-128 XTS - Encrypt and decrypt 17 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:17:-1
+
+AES-128 XTS - Encrypt and decrypt 31 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:31:-1
+
+AES-128 XTS - Encrypt and decrypt 32 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:32:-1
+
+AES-128 XTS - Encrypt and decrypt 33 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:33:-1
+
+AES-128 XTS - Encrypt and decrypt 47 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:47:-1
+
+AES-128 XTS - Encrypt and decrypt 48 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:48:-1
+
+AES-128 XTS - Encrypt and decrypt 49 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_128_XTS:"AES-128-XTS":256:49:-1
+
+AES-256 XTS - Encrypt and decrypt 16 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_XTS:"AES-256-XTS":512:16:-1
+
+AES-256 XTS - Encrypt and decrypt 17 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_XTS:"AES-256-XTS":512:17:-1
+
+AES-256 XTS - Encrypt and decrypt 31 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_XTS:"AES-256-XTS":512:31:-1
+
+AES-256 XTS - Encrypt and decrypt 32 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_XTS:"AES-256-XTS":512:32:-1
+
+AES-256 XTS - Encrypt and decrypt 33 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_XTS:"AES-256-XTS":512:33:-1
+
+AES-256 XTS - Encrypt and decrypt 47 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_XTS:"AES-256-XTS":512:47:-1
+
+AES-256 XTS - Encrypt and decrypt 48 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_XTS:"AES-256-XTS":512:48:-1
+
+AES-256 XTS - Encrypt and decrypt 49 bytes
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_XTS
+enc_dec_buf:MBEDTLS_CIPHER_AES_256_XTS:"AES-256-XTS":512:49:-1
+
 AES-128 CTR - Encrypt and decrypt 0 bytes
 depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
 enc_dec_buf:MBEDTLS_CIPHER_AES_128_CTR:"AES-128-CTR":128:0:-1
@@ -518,7 +894,7 @@ AES-128 CTR - Encrypt and decrypt 32 bytes
 depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
 enc_dec_buf:MBEDTLS_CIPHER_AES_128_CTR:"AES-128-CTR":128:32:-1
 
-AES-128 CTR - Encrypt and decrypt 32 bytes
+AES-128 CTR - Encrypt and decrypt 33 bytes
 depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CTR
 enc_dec_buf:MBEDTLS_CIPHER_AES_128_CTR:"AES-128-CTR":128:33:-1
 
@@ -814,6 +1190,18 @@ AES Decrypt test vector #6
 depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CFB
 decrypt_test_vec:MBEDTLS_CIPHER_AES_256_CFB128:-1:"ffffffffff800000000000000000000000000000000000000000000000000000":"00000000000000000000000000000000":"be66cfea2fecd6bf0ec7b4352c99bcaa":"00000000000000000000000000000000":"":"":0:0
 
+AES Decrypt test vector #7
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+decrypt_test_vec:MBEDTLS_CIPHER_AES_128_OFB:-1:"2B7E151628AED2A6ABF7158809CF4F3C":"000102030405060708090A0B0C0D0E0F":"3B3FD92EB72DAD20333449F8E83CFB4A7789508d16918f03f53c52dac54ed8259740051e9c5fecf64344f7a82260edcc304c6528f659c77866a510d9c1d6ae5e":"6BC1BEE22E409F96E93D7E117393172AAE2D8A571E03AC9C9EB76FAC45AF8E5130C81C46A35CE411E5FBC1191A0A52EFF69F2445DF4F9B17AD2B417BE66C3710":"":"":0:0:
+
+AES Decrypt test vector #8
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+decrypt_test_vec:MBEDTLS_CIPHER_AES_192_OFB:-1:"8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B":"000102030405060708090A0B0C0D0E0F":"CDC80D6FDDF18CAB34C25909C99A4174fcc28b8d4c63837c09e81700c11004018d9a9aeac0f6596f559c6d4daf59a5f26d9f200857ca6c3e9cac524bd9acc92a":"6BC1BEE22E409F96E93D7E117393172AAE2D8A571E03AC9C9EB76FAC45AF8E5130C81C46A35CE411E5FBC1191A0A52EFF69F2445DF4F9B17AD2B417BE66C3710":"":"":0:0:
+
+AES Decrypt test vector #9
+depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_OFB
+decrypt_test_vec:MBEDTLS_CIPHER_AES_256_OFB:-1:"603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4":"000102030405060708090A0B0C0D0E0F":"DC7E84BFDA79164B7ECD8486985D38604febdc6740d20b3ac88f6ad82a4fb08d71ab47a086e86eedf39d1c5bba97c4080126141d67f37be8538f5a8be740e484":"6BC1BEE22E409F96E93D7E117393172AAE2D8A571E03AC9C9EB76FAC45AF8E5130C81C46A35CE411E5FBC1191A0A52EFF69F2445DF4F9B17AD2B417BE66C3710":"":"":0:0:
+
 AES-128-ECB Encrypt NIST KAT #1
 depends_on:MBEDTLS_AES_C
 test_vec_ecb:MBEDTLS_CIPHER_AES_128_ECB:MBEDTLS_ENCRYPT:"00000000000000000000000000000000":"f34481ec3cc627bacd5dc3fb08f273e6":"0336763e966d92595a567cc9ce537f5e":0
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.ccm.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.ccm.data
index dc44091927..264ce9925e 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.ccm.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.ccm.data
@@ -1,480 +1,480 @@
 AES-128-CCM test vector NIST #1 (P=0, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"4ae701103c63deca5b5a3939d7d05992":"5a8aa485c316e9":"":"":"02209f55":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"4ae701103c63deca5b5a3939d7d05992":"5a8aa485c316e9":"":"":"02209f55":"":""
 
 AES-128-CCM test vector NIST #2 (P=0, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"4ae701103c63deca5b5a3939d7d05992":"3796cf51b87266":"":"":"9a04c241":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"4ae701103c63deca5b5a3939d7d05992":"3796cf51b87266":"":"":"9a04c241":"FAIL":""
 
 AES-128-CCM test vector NIST #3 (P=0, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"4bb3c4a4f893ad8c9bdc833c325d62b3":"5a8aa485c316e9":"":"":"75d582db43ce9b13ab4b6f7f14341330":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"4bb3c4a4f893ad8c9bdc833c325d62b3":"5a8aa485c316e9":"":"":"75d582db43ce9b13ab4b6f7f14341330":"":""
 
 AES-128-CCM test vector NIST #4 (P=0, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"4bb3c4a4f893ad8c9bdc833c325d62b3":"3796cf51b87266":"":"":"3a65e03af37b81d05acc7ec1bc39deb0":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"4bb3c4a4f893ad8c9bdc833c325d62b3":"3796cf51b87266":"":"":"3a65e03af37b81d05acc7ec1bc39deb0":"FAIL":""
 
 AES-128-CCM test vector NIST #5 (P=0, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"4bb3c4a4f893ad8c9bdc833c325d62b3":"5a8aa485c316e9403aff859fbb":"":"":"90156f3f":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"4bb3c4a4f893ad8c9bdc833c325d62b3":"5a8aa485c316e9403aff859fbb":"":"":"90156f3f":"":""
 
 AES-128-CCM test vector NIST #6 (P=0, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"4bb3c4a4f893ad8c9bdc833c325d62b3":"a16a2e741f1cd9717285b6d882":"":"":"88909016":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"4bb3c4a4f893ad8c9bdc833c325d62b3":"a16a2e741f1cd9717285b6d882":"":"":"88909016":"FAIL":""
 
 AES-128-CCM test vector NIST #7 (P=0, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"19ebfde2d5468ba0a3031bde629b11fd":"5a8aa485c316e9403aff859fbb":"":"":"fb04dc5a44c6bb000f2440f5154364b4":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"19ebfde2d5468ba0a3031bde629b11fd":"5a8aa485c316e9403aff859fbb":"":"":"fb04dc5a44c6bb000f2440f5154364b4":"":""
 
 AES-128-CCM test vector NIST #8 (P=0, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"19ebfde2d5468ba0a3031bde629b11fd":"a16a2e741f1cd9717285b6d882":"":"":"5447075bf42a59b91f08064738b015ab":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"19ebfde2d5468ba0a3031bde629b11fd":"a16a2e741f1cd9717285b6d882":"":"":"5447075bf42a59b91f08064738b015ab":"FAIL":""
 
 AES-128-CCM test vector NIST #9 (P=24, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"19ebfde2d5468ba0a3031bde629b11fd":"5a8aa485c316e9":"":"a90e8ea44085ced791b2fdb7fd44b5cf0bd7d27718029bb7":"03e1fa6b":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"19ebfde2d5468ba0a3031bde629b11fd":"5a8aa485c316e9":"":"a90e8ea44085ced791b2fdb7fd44b5cf0bd7d27718029bb7":"03e1fa6b":"":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
 
 AES-128-CCM test vector NIST #10 (P=24, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"19ebfde2d5468ba0a3031bde629b11fd":"31f8fa25827d48":"":"50aafe0578c115c4a8e126ff7b3ccb64dce8ccaa8ceda69f":"23e5d81c":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"19ebfde2d5468ba0a3031bde629b11fd":"31f8fa25827d48":"":"50aafe0578c115c4a8e126ff7b3ccb64dce8ccaa8ceda69f":"23e5d81c":"FAIL":""
 
 AES-128-CCM test vector NIST #11 (P=24, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"197afb02ffbd8f699dacae87094d5243":"5a8aa485c316e9":"":"24ab9eeb0e5508cae80074f1070ee188a637171860881f1f":"2d9a3fbc210595b7b8b1b41523111a8e":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"197afb02ffbd8f699dacae87094d5243":"5a8aa485c316e9":"":"24ab9eeb0e5508cae80074f1070ee188a637171860881f1f":"2d9a3fbc210595b7b8b1b41523111a8e":"":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
 
 AES-128-CCM test vector NIST #12 (P=24, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"197afb02ffbd8f699dacae87094d5243":"31f8fa25827d48":"":"7ebfda6fa5da1dbffd82dc29b875798fbcef8ba0084fbd24":"63af747cc88a001fa94e060290f209c4":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"197afb02ffbd8f699dacae87094d5243":"31f8fa25827d48":"":"7ebfda6fa5da1dbffd82dc29b875798fbcef8ba0084fbd24":"63af747cc88a001fa94e060290f209c4":"FAIL":""
 
 AES-128-CCM test vector NIST #13 (P=24, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"197afb02ffbd8f699dacae87094d5243":"5a8aa485c316e9403aff859fbb":"":"4a550134f94455979ec4bf89ad2bd80d25a77ae94e456134":"a3e138b9":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"197afb02ffbd8f699dacae87094d5243":"5a8aa485c316e9403aff859fbb":"":"4a550134f94455979ec4bf89ad2bd80d25a77ae94e456134":"a3e138b9":"":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
 
 AES-128-CCM test vector NIST #14 (P=24, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"197afb02ffbd8f699dacae87094d5243":"49004912fdd7269279b1f06a89":"":"118ec53dd1bfbe52d5b9fe5dfebecf2ee674ec983eada654":"091a5ae9":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"197afb02ffbd8f699dacae87094d5243":"49004912fdd7269279b1f06a89":"":"118ec53dd1bfbe52d5b9fe5dfebecf2ee674ec983eada654":"091a5ae9":"FAIL":""
 
 AES-128-CCM test vector NIST #15 (P=24, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2cb":"6a9a970b9beb2ac1bd4fd62168f8378a":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9403aff859fbb":"":"4bfe4e35784f0a65b545477e5e2f4bae0e1e6fa717eaf2cb":"6a9a970b9beb2ac1bd4fd62168f8378a":"":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
 
 AES-128-CCM test vector NIST #16 (P=24, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"90929a4b0ac65b350ad1591611fe4829":"49004912fdd7269279b1f06a89":"":"0c56a503aa2c12e87450d45a7b714db980fd348f327c0065":"a65666144994bad0c8195bcb4ade1337":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"90929a4b0ac65b350ad1591611fe4829":"49004912fdd7269279b1f06a89":"":"0c56a503aa2c12e87450d45a7b714db980fd348f327c0065":"a65666144994bad0c8195bcb4ade1337":"FAIL":""
 
 AES-128-CCM test vector NIST #17 (P=0, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":"":"782e4318":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"90929a4b0ac65b350ad1591611fe4829":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":"":"782e4318":"":""
 
 AES-128-CCM test vector NIST #18 (P=0, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"90929a4b0ac65b350ad1591611fe4829":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":"":"a04f270a":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"90929a4b0ac65b350ad1591611fe4829":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":"":"a04f270a":"FAIL":""
 
 AES-128-CCM test vector NIST #19 (P=0, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"6a798d7c5e1a72b43e20ad5c7b08567b":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":"":"41b476013f45e4a781f253a6f3b1e530":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"6a798d7c5e1a72b43e20ad5c7b08567b":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":"":"41b476013f45e4a781f253a6f3b1e530":"":""
 
 AES-128-CCM test vector NIST #20 (P=0, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"6a798d7c5e1a72b43e20ad5c7b08567b":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":"":"f9f018fcd125822616083fffebc4c8e6":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"6a798d7c5e1a72b43e20ad5c7b08567b":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":"":"f9f018fcd125822616083fffebc4c8e6":"FAIL":""
 
 AES-128-CCM test vector NIST #21 (P=0, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"6a798d7c5e1a72b43e20ad5c7b08567b":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":"":"9f69f24f":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"6a798d7c5e1a72b43e20ad5c7b08567b":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":"":"9f69f24f":"":""
 
 AES-128-CCM test vector NIST #22 (P=0, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"6a798d7c5e1a72b43e20ad5c7b08567b":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":"":"e17afaa4":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"6a798d7c5e1a72b43e20ad5c7b08567b":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":"":"e17afaa4":"FAIL":""
 
 AES-128-CCM test vector NIST #23 (P=0, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"f9fdca4ac64fe7f014de0f43039c7571":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":"":"1859ac36a40a6b28b34266253627797a":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"f9fdca4ac64fe7f014de0f43039c7571":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":"":"1859ac36a40a6b28b34266253627797a":"":""
 
 AES-128-CCM test vector NIST #24 (P=0, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"f9fdca4ac64fe7f014de0f43039c7571":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":"":"edf8b46eb69ac0044116019dec183072":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"f9fdca4ac64fe7f014de0f43039c7571":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":"":"edf8b46eb69ac0044116019dec183072":"FAIL":""
 
 AES-128-CCM test vector NIST #25 (P=24, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"f9fdca4ac64fe7f014de0f43039c7571":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":"6be31860ca271ef448de8f8d8b39346daf4b81d7e92d65b3":"38f125fa":"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"f9fdca4ac64fe7f014de0f43039c7571":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":"6be31860ca271ef448de8f8d8b39346daf4b81d7e92d65b3":"38f125fa":"":"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
 
 AES-128-CCM test vector NIST #26 (P=24, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"f9fdca4ac64fe7f014de0f43039c7571":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":"4cc57a9927a6bc401441870d3193bf89ebd163f5c01501c7":"28a66b69":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"f9fdca4ac64fe7f014de0f43039c7571":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":"4cc57a9927a6bc401441870d3193bf89ebd163f5c01501c7":"28a66b69":"FAIL":""
 
 AES-128-CCM test vector NIST #27 (P=24, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"a7aa635ea51b0bb20a092bd5573e728c":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":"b351ab96b2e45515254558d5212673ee6c776d42dbca3b51":"2cf3a20b7fd7c49e6e79bef475c2906f":"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"a7aa635ea51b0bb20a092bd5573e728c":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":"b351ab96b2e45515254558d5212673ee6c776d42dbca3b51":"2cf3a20b7fd7c49e6e79bef475c2906f":"":"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
 
 AES-128-CCM test vector NIST #28 (P=24, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"a7aa635ea51b0bb20a092bd5573e728c":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":"df1a5285caa41b4bb47f6e5ceceba4e82721828d68427a30":"81d18ca149d6766bfaccec88f194eb5b":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"a7aa635ea51b0bb20a092bd5573e728c":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":"df1a5285caa41b4bb47f6e5ceceba4e82721828d68427a30":"81d18ca149d6766bfaccec88f194eb5b":"FAIL":""
 
 AES-128-CCM test vector NIST #29 (P=24, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"a7aa635ea51b0bb20a092bd5573e728c":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":"934f893824e880f743d196b22d1f340a52608155087bd28a":"c25e5329":"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"a7aa635ea51b0bb20a092bd5573e728c":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":"934f893824e880f743d196b22d1f340a52608155087bd28a":"c25e5329":"":"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
 
 AES-128-CCM test vector NIST #30 (P=24, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"a7aa635ea51b0bb20a092bd5573e728c":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":"f43ba9d834ad85dfab3f1c0c27c3441fe4e411a38a261a65":"59b3b3ee":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"a7aa635ea51b0bb20a092bd5573e728c":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":"f43ba9d834ad85dfab3f1c0c27c3441fe4e411a38a261a65":"59b3b3ee":"FAIL":""
 
 AES-128-CCM test vector NIST #31 (P=24, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"26511fb51fcfa75cb4b44da75a6e5a0e":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":"50038b5fdd364ee747b70d00bd36840ece4ea19998123375":"c0a458bfcafa3b2609afe0f825cbf503":"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"26511fb51fcfa75cb4b44da75a6e5a0e":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":"50038b5fdd364ee747b70d00bd36840ece4ea19998123375":"c0a458bfcafa3b2609afe0f825cbf503":"":"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
 
 AES-128-CCM test vector NIST #32 (P=24, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"26511fb51fcfa75cb4b44da75a6e5a0e":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":"78ed8ff6b5a1255d0fbd0a719a9c27b059ff5f83d0c4962c":"390042ba8bb5f6798dab01c5afad7306":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_128_CCM:"26511fb51fcfa75cb4b44da75a6e5a0e":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":"78ed8ff6b5a1255d0fbd0a719a9c27b059ff5f83d0c4962c":"390042ba8bb5f6798dab01c5afad7306":"FAIL":""
 
 AES-192-CCM test vector NIST #1 (P=0, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"c98ad7f38b2c7e970c9b965ec87a08208384718f78206c6c":"5a8aa485c316e9":"":"":"9d4b7f3b":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"c98ad7f38b2c7e970c9b965ec87a08208384718f78206c6c":"5a8aa485c316e9":"":"":"9d4b7f3b":"":""
 
 AES-192-CCM test vector NIST #2 (P=0, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"c98ad7f38b2c7e970c9b965ec87a08208384718f78206c6c":"3796cf51b87266":"":"":"80745de9":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"c98ad7f38b2c7e970c9b965ec87a08208384718f78206c6c":"3796cf51b87266":"":"":"80745de9":"FAIL":""
 
 AES-192-CCM test vector NIST #3 (P=0, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"5a8aa485c316e9":"":"":"17223038fa99d53681ca1beabe78d1b4":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"5a8aa485c316e9":"":"":"17223038fa99d53681ca1beabe78d1b4":"":""
 
 AES-192-CCM test vector NIST #4 (P=0, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"3796cf51b87266":"":"":"d0e1eeef4d2a264536bb1c2c1bde7c35":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"3796cf51b87266":"":"":"d0e1eeef4d2a264536bb1c2c1bde7c35":"FAIL":""
 
 AES-192-CCM test vector NIST #5 (P=0, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"5a8aa485c316e9403aff859fbb":"":"":"fe69ed84":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"5a8aa485c316e9403aff859fbb":"":"":"fe69ed84":"":""
 
 AES-192-CCM test vector NIST #6 (P=0, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"a16a2e741f1cd9717285b6d882":"":"":"db7ffc82":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"4bb3c4a4f893ad8c9bdc833c325d62b3d3ad1bccf9282a65":"a16a2e741f1cd9717285b6d882":"":"":"db7ffc82":"FAIL":""
 
 AES-192-CCM test vector NIST #7 (P=0, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"5a8aa485c316e9403aff859fbb":"":"":"0c66a8e547ed4f8c2c9a9a1eb5d455b9":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"5a8aa485c316e9403aff859fbb":"":"":"0c66a8e547ed4f8c2c9a9a1eb5d455b9":"":""
 
 AES-192-CCM test vector NIST #8 (P=0, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"a16a2e741f1cd9717285b6d882":"":"":"38757b3a61a4dc97ca3ab88bf1240695":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"a16a2e741f1cd9717285b6d882":"":"":"38757b3a61a4dc97ca3ab88bf1240695":"FAIL":""
 
 AES-192-CCM test vector NIST #9 (P=24, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"5a8aa485c316e9":"":"411986d04d6463100bff03f7d0bde7ea2c3488784378138c":"ddc93a54":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"5a8aa485c316e9":"":"411986d04d6463100bff03f7d0bde7ea2c3488784378138c":"ddc93a54":"":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
 
 AES-192-CCM test vector NIST #10 (P=24, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"31f8fa25827d48":"":"32b649ab56162e55d4148a1292d6a225a988eb1308298273":"b6889036":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"31f8fa25827d48":"":"32b649ab56162e55d4148a1292d6a225a988eb1308298273":"b6889036":"FAIL":""
 
 AES-192-CCM test vector NIST #11 (P=24, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"5a8aa485c316e9":"":"cba4b4aeb85f0492fd8d905c4a6d8233139833373ef188a8":"c5a5ebecf7ac8607fe412189e83d9d20":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"5a8aa485c316e9":"":"cba4b4aeb85f0492fd8d905c4a6d8233139833373ef188a8":"c5a5ebecf7ac8607fe412189e83d9d20":"":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22"
 
 AES-192-CCM test vector NIST #12 (P=24, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"31f8fa25827d48":"":"ca62713728b5c9d652504b0ae8fd4fee5d297ee6a8d19cb6":"e699f15f14d34dcaf9ba8ed4b877c97d":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"31f8fa25827d48":"":"ca62713728b5c9d652504b0ae8fd4fee5d297ee6a8d19cb6":"e699f15f14d34dcaf9ba8ed4b877c97d":"FAIL":""
 
 AES-192-CCM test vector NIST #13 (P=24, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"5a8aa485c316e9403aff859fbb":"":"042653c674ef2a90f7fb11d30848e530ae59478f1051633a":"34fad277":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"5a8aa485c316e9403aff859fbb":"":"042653c674ef2a90f7fb11d30848e530ae59478f1051633a":"34fad277":"":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
 
 AES-192-CCM test vector NIST #14 (P=24, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"49004912fdd7269279b1f06a89":"":"1902d9769a7ba3d3268e1257395c8c2e5f98eef295dcbfa5":"a35df775":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"197afb02ffbd8f699dacae87094d524324576b99844f75e1":"49004912fdd7269279b1f06a89":"":"1902d9769a7ba3d3268e1257395c8c2e5f98eef295dcbfa5":"a35df775":"FAIL":""
 
 AES-192-CCM test vector NIST #15 (P=24, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"5a8aa485c316e9403aff859fbb":"":"a5b7d8cca2069908d1ed88e6a9fe2c9bede3131dad54671e":"a7ade30a07d185692ab0ebdf4c78cf7a":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"5a8aa485c316e9403aff859fbb":"":"a5b7d8cca2069908d1ed88e6a9fe2c9bede3131dad54671e":"a7ade30a07d185692ab0ebdf4c78cf7a":"":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697"
 
 AES-192-CCM test vector NIST #16 (P=24, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"49004912fdd7269279b1f06a89":"":"9a98617fb97a0dfe466be692272dcdaec1c5443a3b51312e":"f042c86363cc05afb98c66e16be8a445":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"49004912fdd7269279b1f06a89":"":"9a98617fb97a0dfe466be692272dcdaec1c5443a3b51312e":"f042c86363cc05afb98c66e16be8a445":"FAIL":""
 
 AES-192-CCM test vector NIST #17 (P=0, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":"":"1d089a5f":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":"":"1d089a5f":"":""
 
 AES-192-CCM test vector NIST #18 (P=0, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":"":"2f46022a":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"90929a4b0ac65b350ad1591611fe48297e03956f6083e451":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":"":"2f46022a":"FAIL":""
 
 AES-192-CCM test vector NIST #19 (P=0, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":"":"5280a2137fee3deefcfe9b63a1199fb3":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":"":"5280a2137fee3deefcfe9b63a1199fb3":"":""
 
 AES-192-CCM test vector NIST #20 (P=0, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":"":"d40a7318c5f2d82f838c0beeefe0d598":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"a265480ca88d5f":"a2248a882ecbf850daf91933a389e78e81623d233dfd47bf8321361a38f138fe":"":"d40a7318c5f2d82f838c0beeefe0d598":"FAIL":""
 
 AES-192-CCM test vector NIST #21 (P=0, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":"":"5e0eaebd":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":"":"5e0eaebd":"":""
 
 AES-192-CCM test vector NIST #22 (P=0, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":"":"71b7fc33":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"6a798d7c5e1a72b43e20ad5c7b08567b12ab744b61c070e2":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":"":"71b7fc33":"FAIL":""
 
 AES-192-CCM test vector NIST #23 (P=0, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":"":"d07ccf9fdc3d33aa94cda3d230da707c":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":"":"d07ccf9fdc3d33aa94cda3d230da707c":"":""
 
 AES-192-CCM test vector NIST #24 (P=0, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":"":"65fe32b649dc328c9f531584897e85b3":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"8739b4bea1a099fe547499cbc6":"f6107696edb332b2ea059d8860fee26be42e5e12e1a4f79a8d0eafce1b2278a7":"":"65fe32b649dc328c9f531584897e85b3":"FAIL":""
 
 AES-192-CCM test vector NIST #25 (P=24, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":"9f6ca4af9b159148c889a6584d1183ea26e2614874b05045":"75dea8d1":"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":"9f6ca4af9b159148c889a6584d1183ea26e2614874b05045":"75dea8d1":"":"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
 
 AES-192-CCM test vector NIST #26 (P=24, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":"84d8212e9cfc2121252baa3b065b1edcf50497b9594db1eb":"d7965825":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"f9fdca4ac64fe7f014de0f43039c757194d544ce5d15eed4":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":"84d8212e9cfc2121252baa3b065b1edcf50497b9594db1eb":"d7965825":"FAIL":""
 
 AES-192-CCM test vector NIST #27 (P=24, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":"6aab64c4787599d8f213446beadb16e08dba60e97f56dbd1":"4d1d980d6fe0fb44b421992662b97975":"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22ec22b1a268f88e2c":"6aab64c4787599d8f213446beadb16e08dba60e97f56dbd1":"4d1d980d6fe0fb44b421992662b97975":"":"a265480ca88d5f536db0dc6abc40faf0d05be7a966977768"
 
 AES-192-CCM test vector NIST #28 (P=24, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":"4980b2ee49b1aaf393175f5ab9bae95ec7904557dfa20660":"3c51d36c826f01384100886198a7f6a3":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"fdd2d6f503c915":"5b92394f21ddc3ad49d9b0881b829a5935cb3a4d23e292a62fb66b5e7ab7020e":"4980b2ee49b1aaf393175f5ab9bae95ec7904557dfa20660":"3c51d36c826f01384100886198a7f6a3":"FAIL":""
 
 AES-192-CCM test vector NIST #29 (P=24, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":"16e543d0e20615ff0df15acd9927ddfe40668a54bb854ccc":"c25e9fce":"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":"16e543d0e20615ff0df15acd9927ddfe40668a54bb854ccc":"c25e9fce":"":"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
 
 AES-192-CCM test vector NIST #30 (P=24, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":"df35b109caf690656ae278bbd8f8bba687a2ce11b105dae9":"8ecedb3e":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"a7aa635ea51b0bb20a092bd5573e728ccd4b3e8cdd2ab33d":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":"df35b109caf690656ae278bbd8f8bba687a2ce11b105dae9":"8ecedb3e":"FAIL":""
 
 AES-192-CCM test vector NIST #31 (P=24, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":"c5b0b2ef17498c5570eb335df4588032958ba3d69bf6f317":"8464a6f7fa2b76744e8e8d95691cecb8":"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886":"5a8aa485c316e9403aff859fbb":"a16a2e741f1cd9717285b6d882c1fc53655e9773761ad697a7ee6410184c7982":"c5b0b2ef17498c5570eb335df4588032958ba3d69bf6f317":"8464a6f7fa2b76744e8e8d95691cecb8":"":"8739b4bea1a099fe547499cbc6d1b13d849b8084c9b6acc5"
 
 AES-192-CCM test vector NIST #32 (P=24, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":"d1f0518929f4ae2f0543de2a7dfe4bb0110bb3057e524a1c":"06bd6dc2e6bcc3436cffb969ae900388":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_192_CCM:"26511fb51fcfa75cb4b44da75a6e5a0eb8d9c8f3b906f886":"0812757ad0cc4d17c4cfe7a642":"ec6c44a7e94e51a3ca6dee229098391575ec7213c85267fbf7492fdbeee61b10":"d1f0518929f4ae2f0543de2a7dfe4bb0110bb3057e524a1c":"06bd6dc2e6bcc3436cffb969ae900388":"FAIL":""
 
 AES-256-CCM test vector NIST #1 (P=0, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"eda32f751456e33195f1f499cf2dc7c97ea127b6d488f211ccc5126fbb24afa6":"a544218dadd3c1":"":"":"469c90bb":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"eda32f751456e33195f1f499cf2dc7c97ea127b6d488f211ccc5126fbb24afa6":"a544218dadd3c1":"":"":"469c90bb":"":""
 
 AES-256-CCM test vector NIST #2 (P=0, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"eda32f751456e33195f1f499cf2dc7c97ea127b6d488f211ccc5126fbb24afa6":"d3d5424e20fbec":"":"":"46a908ed":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"eda32f751456e33195f1f499cf2dc7c97ea127b6d488f211ccc5126fbb24afa6":"d3d5424e20fbec":"":"":"46a908ed":"FAIL":""
 
 AES-256-CCM test vector NIST #3 (P=0, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"a544218dadd3c1":"":"":"8207eb14d33855a52acceed17dbcbf6e":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"a544218dadd3c1":"":"":"8207eb14d33855a52acceed17dbcbf6e":"":""
 
 AES-256-CCM test vector NIST #4 (P=0, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"d3d5424e20fbec":"":"":"60f8e127cb4d30db6df0622158cd931d":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"d3d5424e20fbec":"":"":"60f8e127cb4d30db6df0622158cd931d":"FAIL":""
 
 AES-256-CCM test vector NIST #5 (P=0, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"a544218dadd3c10583db49cf39":"":"":"8a19a133":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"a544218dadd3c10583db49cf39":"":"":"8a19a133":"":""
 
 AES-256-CCM test vector NIST #6 (P=0, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"3c0e2815d37d844f7ac240ba9d":"":"":"2e317f1b":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"e1b8a927a95efe94656677b692662000278b441c79e879dd5c0ddc758bdc9ee8":"3c0e2815d37d844f7ac240ba9d":"":"":"2e317f1b":"FAIL":""
 
 AES-256-CCM test vector NIST #7 (P=0, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"a544218dadd3c10583db49cf39":"":"":"97e1a8dd4259ccd2e431e057b0397fcf":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"a544218dadd3c10583db49cf39":"":"":"97e1a8dd4259ccd2e431e057b0397fcf":"":""
 
 AES-256-CCM test vector NIST #8 (P=0, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"3c0e2815d37d844f7ac240ba9d":"":"":"5a9596c511ea6a8671adefc4f2157d8b":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"3c0e2815d37d844f7ac240ba9d":"":"":"5a9596c511ea6a8671adefc4f2157d8b":"FAIL":""
 
 AES-256-CCM test vector NIST #9 (P=24, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"a544218dadd3c1":"":"64a1341679972dc5869fcf69b19d5c5ea50aa0b5e985f5b7":"22aa8d59":"d3d5424e20fbec43ae495353ed830271515ab104f8860c98"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"a544218dadd3c1":"":"64a1341679972dc5869fcf69b19d5c5ea50aa0b5e985f5b7":"22aa8d59":"":"d3d5424e20fbec43ae495353ed830271515ab104f8860c98"
 
 AES-256-CCM test vector NIST #10 (P=24, N=7, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"bfcda8b5a2d0d2":"":"c5b7f802bffc498c1626e3774f1d9f94045dfd8e1a10a202":"77d00a75":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"af063639e66c284083c5cf72b70d8bc277f5978e80d9322d99f2fdc718cda569":"bfcda8b5a2d0d2":"":"c5b7f802bffc498c1626e3774f1d9f94045dfd8e1a10a202":"77d00a75":"FAIL":""
 
 AES-256-CCM test vector NIST #11 (P=24, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"a544218dadd3c1":"":"bc51c3925a960e7732533e4ef3a4f69ee6826de952bcb0fd":"374f3bb6db8377ebfc79674858c4f305":"d3d5424e20fbec43ae495353ed830271515ab104f8860c98"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"a544218dadd3c1":"":"bc51c3925a960e7732533e4ef3a4f69ee6826de952bcb0fd":"374f3bb6db8377ebfc79674858c4f305":"":"d3d5424e20fbec43ae495353ed830271515ab104f8860c98"
 
 AES-256-CCM test vector NIST #12 (P=24, N=7, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"bfcda8b5a2d0d2":"":"afa1fa8e8a70e26b02161150556d604101fdf423f332c336":"3275f2a4907d51b734fe7238cebbd48f":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"bfcda8b5a2d0d2":"":"afa1fa8e8a70e26b02161150556d604101fdf423f332c336":"3275f2a4907d51b734fe7238cebbd48f":"FAIL":""
 
 AES-256-CCM test vector NIST #13 (P=24, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"a544218dadd3c10583db49cf39":"":"63e00d30e4b08fd2a1cc8d70fab327b2368e77a93be4f412":"3d14fb3f":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"a544218dadd3c10583db49cf39":"":"63e00d30e4b08fd2a1cc8d70fab327b2368e77a93be4f412":"3d14fb3f":"":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e"
 
 AES-256-CCM test vector NIST #14 (P=24, N=13, A=0, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"894dcaa61008eb8fb052c60d41":"":"bb5425b3869b76856ec58e39886fb6f6f2ac13fe44cb132d":"8d0c0099":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"f7079dfa3b5c7b056347d7e437bcded683abd6e2c9e069d333284082cbb5d453":"894dcaa61008eb8fb052c60d41":"":"bb5425b3869b76856ec58e39886fb6f6f2ac13fe44cb132d":"8d0c0099":"FAIL":""
 
 AES-256-CCM test vector NIST #15 (P=24, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"a544218dadd3c10583db49cf39":"":"f0050ad16392021a3f40207bed3521fb1e9f808f49830c42":"3a578d179902f912f9ea1afbce1120b3":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"a544218dadd3c10583db49cf39":"":"f0050ad16392021a3f40207bed3521fb1e9f808f49830c42":"3a578d179902f912f9ea1afbce1120b3":"":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e"
 
 AES-256-CCM test vector NIST #16 (P=24, N=13, A=0, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"894dcaa61008eb8fb052c60d41":"":"c408190d0fbf5034f83b24a8ed9657331a7ce141de4fae76":"9084607b83bd06e6442eac8dacf583cc":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"894dcaa61008eb8fb052c60d41":"":"c408190d0fbf5034f83b24a8ed9657331a7ce141de4fae76":"9084607b83bd06e6442eac8dacf583cc":"FAIL":""
 
 AES-256-CCM test vector NIST #17 (P=0, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":"":"92d00fbe":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":"":"92d00fbe":"":""
 
 AES-256-CCM test vector NIST #18 (P=0, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"78c46e3249ca28":"232e957c65ffa11988e830d4617d500f1c4a35c1221f396c41ab214f074ca2dc":"":"9143e5c4":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"1b0e8df63c57f05d9ac457575ea764524b8610ae5164e6215f426f5a7ae6ede4":"78c46e3249ca28":"232e957c65ffa11988e830d4617d500f1c4a35c1221f396c41ab214f074ca2dc":"":"9143e5c4":"FAIL":""
 
 AES-256-CCM test vector NIST #19 (P=0, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":"":"93af11a08379eb37a16aa2837f09d69d":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":"":"93af11a08379eb37a16aa2837f09d69d":"":""
 
 AES-256-CCM test vector NIST #20 (P=0, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"78c46e3249ca28":"232e957c65ffa11988e830d4617d500f1c4a35c1221f396c41ab214f074ca2dc":"":"d19b0c14ec686a7961ca7c386d125a65":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"78c46e3249ca28":"232e957c65ffa11988e830d4617d500f1c4a35c1221f396c41ab214f074ca2dc":"":"d19b0c14ec686a7961ca7c386d125a65":"FAIL":""
 
 AES-256-CCM test vector NIST #21 (P=0, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"":"866d4227":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"":"866d4227":"":""
 
 AES-256-CCM test vector NIST #22 (P=0, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"e8de970f6ee8e80ede933581b5":"89f8b068d34f56bc49d839d8e47b347e6dae737b903b278632447e6c0485d26a":"":"94cb1127":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"a4bc10b1a62c96d459fbaf3a5aa3face7313bb9e1253e696f96a7a8e36801088":"e8de970f6ee8e80ede933581b5":"89f8b068d34f56bc49d839d8e47b347e6dae737b903b278632447e6c0485d26a":"":"94cb1127":"FAIL":""
 
 AES-256-CCM test vector NIST #23 (P=0, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"":"867b0d87cf6e0f718200a97b4f6d5ad5":""
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"":"867b0d87cf6e0f718200a97b4f6d5ad5":"":""
 
 AES-256-CCM test vector NIST #24 (P=0, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"e8de970f6ee8e80ede933581b5":"89f8b068d34f56bc49d839d8e47b347e6dae737b903b278632447e6c0485d26a":"":"677a040d46ee3f2b7838273bdad14f16":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"e8de970f6ee8e80ede933581b5":"89f8b068d34f56bc49d839d8e47b347e6dae737b903b278632447e6c0485d26a":"":"677a040d46ee3f2b7838273bdad14f16":"FAIL":""
 
 AES-256-CCM test vector NIST #25 (P=24, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":"c2fe12658139f5d0dd22cadf2e901695b579302a72fc5608":"3ebc7720":"78c46e3249ca28e1ef0531d80fd37c124d9aecb7be6668e3"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":"c2fe12658139f5d0dd22cadf2e901695b579302a72fc5608":"3ebc7720":"":"78c46e3249ca28e1ef0531d80fd37c124d9aecb7be6668e3"
 
 AES-256-CCM test vector NIST #26 (P=24, N=7, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"6ba004fd176791":"5a053b2a1bb87e85d56527bfcdcd3ecafb991bb10e4c862bb0751c700a29f54b":"94748ba81229e53c38583a8564b23ebbafc6f6efdf4c2a81":"c44db2c9":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"6ba004fd176791":"5a053b2a1bb87e85d56527bfcdcd3ecafb991bb10e4c862bb0751c700a29f54b":"94748ba81229e53c38583a8564b23ebbafc6f6efdf4c2a81":"c44db2c9":"FAIL":""
 
 AES-256-CCM test vector NIST #27 (P=24, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":"3341168eb8c48468c414347fb08f71d2086f7c2d1bd581ce":"1ac68bd42f5ec7fa7e068cc0ecd79c2a":"78c46e3249ca28e1ef0531d80fd37c124d9aecb7be6668e3"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"a544218dadd3c1":"d3d5424e20fbec43ae495353ed830271515ab104f8860c988d15b6d36c038eab":"3341168eb8c48468c414347fb08f71d2086f7c2d1bd581ce":"1ac68bd42f5ec7fa7e068cc0ecd79c2a":"":"78c46e3249ca28e1ef0531d80fd37c124d9aecb7be6668e3"
 
 AES-256-CCM test vector NIST #28 (P=24, N=7, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"6ba004fd176791":"5a053b2a1bb87e85d56527bfcdcd3ecafb991bb10e4c862bb0751c700a29f54b":"d543acda712b898cbb27b8f598b2e4438ce587a836e27851":"47c3338a2400809e739b63ba8227d2f9":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"6ba004fd176791":"5a053b2a1bb87e85d56527bfcdcd3ecafb991bb10e4c862bb0751c700a29f54b":"d543acda712b898cbb27b8f598b2e4438ce587a836e27851":"47c3338a2400809e739b63ba8227d2f9":"FAIL":""
 
 AES-256-CCM test vector NIST #29 (P=24, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"c0ea400b599561e7905b99262b4565d5c3dc49fad84d7c69":"ef891339":"e8de970f6ee8e80ede933581b5bcf4d837e2b72baa8b00c3"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"c0ea400b599561e7905b99262b4565d5c3dc49fad84d7c69":"ef891339":"":"e8de970f6ee8e80ede933581b5bcf4d837e2b72baa8b00c3"
 
 AES-256-CCM test vector NIST #30 (P=24, N=13, A=32, T=4)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"8fa501c5dd9ac9b868144c9fa5":"5bb40e3bb72b4509324a7edc852f72535f1f6283156e63f6959ffaf39dcde800":"60871e03ea0eb968536c99f926ea24ef43d41272ad9fb7f6":"3d488623":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"705334e30f53dd2f92d190d2c1437c8772f940c55aa35e562214ed45bd458ffe":"8fa501c5dd9ac9b868144c9fa5":"5bb40e3bb72b4509324a7edc852f72535f1f6283156e63f6959ffaf39dcde800":"60871e03ea0eb968536c99f926ea24ef43d41272ad9fb7f6":"3d488623":"FAIL":""
 
 AES-256-CCM test vector NIST #31 (P=24, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"314a202f836f9f257e22d8c11757832ae5131d357a72df88f3eff0ffcee0da4e":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"8d34cdca37ce77be68f65baf3382e31efa693e63f914a781":"367f30f2eaad8c063ca50795acd90203":"e8de970f6ee8e80ede933581b5bcf4d837e2b72baa8b00c3"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"314a202f836f9f257e22d8c11757832ae5131d357a72df88f3eff0ffcee0da4e":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"8d34cdca37ce77be68f65baf3382e31efa693e63f914a781":"367f30f2eaad8c063ca50795acd90203":"":"e8de970f6ee8e80ede933581b5bcf4d837e2b72baa8b00c3"
 
 AES-256-CCM test vector NIST #32 (P=24, N=13, A=32, T=16)
 depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"314a202f836f9f257e22d8c11757832ae5131d357a72df88f3eff0ffcee0da4e":"8fa501c5dd9ac9b868144c9fa5":"5bb40e3bb72b4509324a7edc852f72535f1f6283156e63f6959ffaf39dcde800":"516c0095cc3d85fd55e48da17c592e0c7014b9daafb82bdc":"4b41096dfdbe9cc1ab610f8f3e038d16":"FAIL"
+auth_crypt_tv:MBEDTLS_CIPHER_AES_256_CCM:"314a202f836f9f257e22d8c11757832ae5131d357a72df88f3eff0ffcee0da4e":"8fa501c5dd9ac9b868144c9fa5":"5bb40e3bb72b4509324a7edc852f72535f1f6283156e63f6959ffaf39dcde800":"516c0095cc3d85fd55e48da17c592e0c7014b9daafb82bdc":"4b41096dfdbe9cc1ab610f8f3e038d16":"FAIL":""
 
 Camellia-CCM test vector RFC 5528 #1
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000003020100A0A1A2A3A4A5":"0001020304050607":"BA737185E719310492F38A5F1251DA55FAFBC949848A0D":"FCAECE746B3DB9AD":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000003020100A0A1A2A3A4A5":"0001020304050607":"BA737185E719310492F38A5F1251DA55FAFBC949848A0D":"FCAECE746B3DB9AD":"":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E"
 
 Camellia-CCM test vector RFC 5528 #2
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000004030201A0A1A2A3A4A5":"0001020304050607":"5D2564BF8EAFE1D99526EC016D1BF0424CFBD2CD62848F33":"60B2295DF24283E8":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000004030201A0A1A2A3A4A5":"0001020304050607":"5D2564BF8EAFE1D99526EC016D1BF0424CFBD2CD62848F33":"60B2295DF24283E8":"":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"
 
 Camellia-CCM test vector RFC 5528 #3
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000005040302A0A1A2A3A4A5":"0001020304050607":"81F663D6C7787817F9203608B982AD15DC2BBD87D756F79204":"F551D6682F23AA46":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000005040302A0A1A2A3A4A5":"0001020304050607":"81F663D6C7787817F9203608B982AD15DC2BBD87D756F79204":"F551D6682F23AA46":"":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20"
 
 Camellia-CCM test vector RFC 5528 #4
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000006050403A0A1A2A3A4A5":"000102030405060708090A0B":"CAEF1E827211B08F7BD90F08C77288C070A4A0":"8B3A933A63E497A0":"0C0D0E0F101112131415161718191A1B1C1D1E"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000006050403A0A1A2A3A4A5":"000102030405060708090A0B":"CAEF1E827211B08F7BD90F08C77288C070A4A0":"8B3A933A63E497A0":"":"0C0D0E0F101112131415161718191A1B1C1D1E"
 
 Camellia-CCM test vector RFC 5528 #5
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000007060504A0A1A2A3A4A5":"000102030405060708090A0B":"2AD3BAD94FC52E92BE438E827C1023B96A8A7725":"8FA17BA7F331DB09":"0C0D0E0F101112131415161718191A1B1C1D1E1F"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000007060504A0A1A2A3A4A5":"000102030405060708090A0B":"2AD3BAD94FC52E92BE438E827C1023B96A8A7725":"8FA17BA7F331DB09":"":"0C0D0E0F101112131415161718191A1B1C1D1E1F"
 
 Camellia-CCM test vector RFC 5528 #6
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000008070605A0A1A2A3A4A5":"000102030405060708090A0B":"FEA5480BA53FA8D3C34422AACE4DE67FFA3BB73BAB":"AB36A1EE4FE0FE28":"0C0D0E0F101112131415161718191A1B1C1D1E1F20"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000008070605A0A1A2A3A4A5":"000102030405060708090A0B":"FEA5480BA53FA8D3C34422AACE4DE67FFA3BB73BAB":"AB36A1EE4FE0FE28":"":"0C0D0E0F101112131415161718191A1B1C1D1E1F20"
 
 Camellia-CCM test vector RFC 5528 #7
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000009080706A0A1A2A3A4A5":"0001020304050607":"54532026E54C119A8D36D9EC6E1ED97416C8708C4B5C2C":"ACAFA3BCCF7A4EBF9573":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"00000009080706A0A1A2A3A4A5":"0001020304050607":"54532026E54C119A8D36D9EC6E1ED97416C8708C4B5C2C":"ACAFA3BCCF7A4EBF9573":"":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E"
 
 Camellia-CCM test vector RFC 5528 #8
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0000000A090807A0A1A2A3A4A5":"0001020304050607":"8AD19B001A87D148F4D92BEF34525CCCE3A63C6512A6F575":"7388E4913EF14701F441":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0000000A090807A0A1A2A3A4A5":"0001020304050607":"8AD19B001A87D148F4D92BEF34525CCCE3A63C6512A6F575":"7388E4913EF14701F441":"":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"
 
 Camellia-CCM test vector RFC 5528 #9
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0000000B0A0908A0A1A2A3A4A5":"0001020304050607":"5DB08D62407E6E31D60F9CA2C60474219AC0BE50C0D4A57787":"94D6E230CD25C9FEBF87":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0000000B0A0908A0A1A2A3A4A5":"0001020304050607":"5DB08D62407E6E31D60F9CA2C60474219AC0BE50C0D4A57787":"94D6E230CD25C9FEBF87":"":"08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20"
 
 Camellia-CCM test vector RFC 5528 #10
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0000000C0B0A09A0A1A2A3A4A5":"000102030405060708090A0B":"DB118CCEC1B8761C877CD8963A67D6F3BBBC5C":"D09299EB11F312F23237":"0C0D0E0F101112131415161718191A1B1C1D1E"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0000000C0B0A09A0A1A2A3A4A5":"000102030405060708090A0B":"DB118CCEC1B8761C877CD8963A67D6F3BBBC5C":"D09299EB11F312F23237":"":"0C0D0E0F101112131415161718191A1B1C1D1E"
 
 Camellia-CCM test vector RFC 5528 #11
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0000000D0C0B0AA0A1A2A3A4A5":"000102030405060708090A0B":"7CC83D8DC49103525B483DC5CA7EA9AB812B7056":"079DAFFADA16CCCF2C4E":"0C0D0E0F101112131415161718191A1B1C1D1E1F"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0000000D0C0B0AA0A1A2A3A4A5":"000102030405060708090A0B":"7CC83D8DC49103525B483DC5CA7EA9AB812B7056":"079DAFFADA16CCCF2C4E":"":"0C0D0E0F101112131415161718191A1B1C1D1E1F"
 
 Camellia-CCM test vector RFC 5528 #12
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0000000E0D0C0BA0A1A2A3A4A5":"000102030405060708090A0B":"2CD35B8820D23E7AA351B0E92FC79367238B2CC748":"CBB94C2947793D64AF75":"0C0D0E0F101112131415161718191A1B1C1D1E1F20"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"C0C1C2C3C4C5C6C7C8C9CACBCCCDCECF":"0000000E0D0C0BA0A1A2A3A4A5":"000102030405060708090A0B":"2CD35B8820D23E7AA351B0E92FC79367238B2CC748":"CBB94C2947793D64AF75":"":"0C0D0E0F101112131415161718191A1B1C1D1E1F20"
 
 Camellia-CCM test vector RFC 5528 #13
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"00A970110E1927B160B6A31C1C":"6B7F464507FAE496":"A435D727348DDD22907F7EB8F5FDBB4D939DA6524DB4F6":"4558C02D25B127EE":"C6B5F3E6CA2311AEF7472B203E735EA561ADB17D56C5A3"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"00A970110E1927B160B6A31C1C":"6B7F464507FAE496":"A435D727348DDD22907F7EB8F5FDBB4D939DA6524DB4F6":"4558C02D25B127EE":"":"C6B5F3E6CA2311AEF7472B203E735EA561ADB17D56C5A3"
 
 Camellia-CCM test vector RFC 5528 #14
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"0083CD8CE0CB42B160B6A31C1C":"986605B43DF15DE7":"8AE052508FBECA932E346F05E0DC0DFBCF939EAFFA3E587C":"867D6E1C48703806":"01F6CE6764C574483BB02E6BBF1E0ABD26A22572B4D80EE7"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"0083CD8CE0CB42B160B6A31C1C":"986605B43DF15DE7":"8AE052508FBECA932E346F05E0DC0DFBCF939EAFFA3E587C":"867D6E1C48703806":"":"01F6CE6764C574483BB02E6BBF1E0ABD26A22572B4D80EE7"
 
 Camellia-CCM test vector RFC 5528 #15
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"005F54950B18F2B160B6A31C1C":"48F2E7E1A7671A51":"08B67EE21C8BF26E473E408599E9C0836D6AF0BB18DF55466C":"A80878A790476DE5":"CDF1D8406FC2E9014953897005FBFB8BA57276F92404608E08"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"005F54950B18F2B160B6A31C1C":"48F2E7E1A7671A51":"08B67EE21C8BF26E473E408599E9C0836D6AF0BB18DF55466C":"A80878A790476DE5":"":"CDF1D8406FC2E9014953897005FBFB8BA57276F92404608E08"
 
 Camellia-CCM test vector RFC 5528 #16
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"00EC600863319AB160B6A31C1C":"DE97DF3B8CBD6D8E5030DA4C":"63B78B4967B19EDBB733CD1114F64EB2260893":"68C354828D950CC5":"B005DCFA0B59181426A961685A993D8C43185B"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"00EC600863319AB160B6A31C1C":"DE97DF3B8CBD6D8E5030DA4C":"63B78B4967B19EDBB733CD1114F64EB2260893":"68C354828D950CC5":"":"B005DCFA0B59181426A961685A993D8C43185B"
 
 Camellia-CCM test vector RFC 5528 #17
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"0060CFF1A31EA1B160B6A31C1C":"A5EE93E457DF05466E782DCF":"0BC6BBE2A8B909F4629EE6DC148DA44410E18AF4":"3147383276F66A9F":"2E20211298105F129D5ED95B93F72D30B2FACCD7"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"0060CFF1A31EA1B160B6A31C1C":"A5EE93E457DF05466E782DCF":"0BC6BBE2A8B909F4629EE6DC148DA44410E18AF4":"3147383276F66A9F":"":"2E20211298105F129D5ED95B93F72D30B2FACCD7"
 
 Camellia-CCM test vector RFC 5528 #18
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"000F85CD995C97B160B6A31C1C":"24AA1BF9A5CD876182A25074":"222AD632FA31D6AF970C345F7E77CA3BD0DC25B340":"A1A3D31F8D4B44B7":"2645941E75632D3491AF0FC0C9876C3BE4AA7468C9"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"000F85CD995C97B160B6A31C1C":"24AA1BF9A5CD876182A25074":"222AD632FA31D6AF970C345F7E77CA3BD0DC25B340":"A1A3D31F8D4B44B7":"":"2645941E75632D3491AF0FC0C9876C3BE4AA7468C9"
 
 Camellia-CCM test vector RFC 5528 #19
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"00C29B2CAAC4CDB160B6A31C1C":"691946B9CA07BE87":"05B8E1B9C49CFD56CF130AA6251DC2ECC06CCC508FE697":"A0066D57C84BEC182768":"070135A6437C9DB120CD61D8F6C39C3EA125FD95A0D23D"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"00C29B2CAAC4CDB160B6A31C1C":"691946B9CA07BE87":"05B8E1B9C49CFD56CF130AA6251DC2ECC06CCC508FE697":"A0066D57C84BEC182768":"":"070135A6437C9DB120CD61D8F6C39C3EA125FD95A0D23D"
 
 Camellia-CCM test vector RFC 5528 #20
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"002C6B7595EE62B160B6A31C1C":"D0C54ECB84627DC4":"54CEB968DEE23611575EC003DFAA1CD48849BDF5AE2EDB6B":"7FA775B150ED4383C5A9":"C8C0880E6C636E20093DD6594217D2E18877DB264E71A5CC"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"002C6B7595EE62B160B6A31C1C":"D0C54ECB84627DC4":"54CEB968DEE23611575EC003DFAA1CD48849BDF5AE2EDB6B":"7FA775B150ED4383C5A9":"":"C8C0880E6C636E20093DD6594217D2E18877DB264E71A5CC"
 
 Camellia-CCM test vector RFC 5528 #21
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"00C53CD4C2AA24B160B6A31C1C":"E285E0E4808CDA3D":"B1404546BF667210CA28E309B39BD6CA7E9FC8285FE698D43C":"D20A02E0BDCAED2010D3":"F75DAA0710C4E64297794DC2B7D2A20757B1AA4E448002FFAB"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"00C53CD4C2AA24B160B6A31C1C":"E285E0E4808CDA3D":"B1404546BF667210CA28E309B39BD6CA7E9FC8285FE698D43C":"D20A02E0BDCAED2010D3":"":"F75DAA0710C4E64297794DC2B7D2A20757B1AA4E448002FFAB"
 
 Camellia-CCM test vector RFC 5528 #22
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"00BEE9267FBADCB160B6A31C1C":"6CAEF9941141570D7C813405":"94C8959C11569A297831A721005857AB61B87A":"2DEA0936B6EB5F625F5D":"C238822FAC5F98FF929405B0AD127A4E41854E"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"00BEE9267FBADCB160B6A31C1C":"6CAEF9941141570D7C813405":"94C8959C11569A297831A721005857AB61B87A":"2DEA0936B6EB5F625F5D":"":"C238822FAC5F98FF929405B0AD127A4E41854E"
 
 Camellia-CCM test vector RFC 5528 #23
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"00DFA8B1245007B160B6A31C1C":"36A52CF16B19A2037AB7011E":"5869E3AAD2447C74E0FC05F9A4EA74577F4DE8CA":"8924764296AD04119CE7":"4DBF3E774AD245E5D5891F9D1C32A0AE022C85D7"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"00DFA8B1245007B160B6A31C1C":"36A52CF16B19A2037AB7011E":"5869E3AAD2447C74E0FC05F9A4EA74577F4DE8CA":"8924764296AD04119CE7":"":"4DBF3E774AD245E5D5891F9D1C32A0AE022C85D7"
 
 Camellia-CCM test vector RFC 5528 #24
 depends_on:MBEDTLS_CAMELLIA_C:MBEDTLS_CCM_C
-auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"003B8FD8D3A937B160B6A31C1C":"A4D499F78419728C19178B0C":"4B198156393B0F7796086AAFB454F8C3F034CCA966":"945F1FCEA7E11BEE6A2F":"9DC9EDAE2FF5DF8636E8C6DE0EED55F7867E33337D"
+auth_crypt_tv:MBEDTLS_CIPHER_CAMELLIA_128_CCM:"D75C2778078CA93D971F96FDE720F4CD":"003B8FD8D3A937B160B6A31C1C":"A4D499F78419728C19178B0C":"4B198156393B0F7796086AAFB454F8C3F034CCA966":"945F1FCEA7E11BEE6A2F":"":"9DC9EDAE2FF5DF8636E8C6DE0EED55F7867E33337D"
 
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.chacha20.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.chacha20.data
new file mode 100644
index 0000000000..11de1038af
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.chacha20.data
@@ -0,0 +1,111 @@
+Chacha20 RFC 7539 Test Vector #1
+depends_on:MBEDTLS_CHACHA20_C
+decrypt_test_vec:MBEDTLS_CIPHER_CHACHA20:-1:"0000000000000000000000000000000000000000000000000000000000000000":"000000000000000000000000":"76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":"":"":0:0
+
+ChaCha20 Encrypt and decrypt 0 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:0:-1
+
+ChaCha20 Encrypt and decrypt 1 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:1:-1
+
+ChaCha20 Encrypt and decrypt 2 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:2:-1
+
+ChaCha20 Encrypt and decrypt 7 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:7:-1
+
+ChaCha20 Encrypt and decrypt 8 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:8:-1
+
+ChaCha20 Encrypt and decrypt 9 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:9:-1
+
+ChaCha20 Encrypt and decrypt 15 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:15:-1
+
+ChaCha20 Encrypt and decrypt 16 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:16:-1
+
+ChaCha20 Encrypt and decrypt 17 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:17:-1
+
+ChaCha20 Encrypt and decrypt 31 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:31:-1
+
+ChaCha20 Encrypt and decrypt 32 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:32:-1
+
+ChaCha20 Encrypt and decrypt 33 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:33:-1
+
+ChaCha20 Encrypt and decrypt 47 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:47:-1
+
+ChaCha20 Encrypt and decrypt 48 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:48:-1
+
+ChaCha20 Encrypt and decrypt 49 bytes
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20:"CHACHA20":256:49:-1
+
+ChaCha20 Encrypt and decrypt 0 bytes in multiple parts 1
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:0:0:-1:0:0:0:0
+
+ChaCha20 Encrypt and decrypt 1 bytes in multiple parts 1
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:1:0:-1:1:0:1:0
+
+ChaCha20 Encrypt and decrypt 1 bytes in multiple parts 2
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:0:1:-1:0:1:0:1
+
+ChaCha20 Encrypt and decrypt 16 bytes in multiple parts 1
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:16:0:-1:16:0:16:0
+
+ChaCha20 Encrypt and decrypt 16 bytes in multiple parts 2
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:0:16:-1:0:16:0:16
+
+ChaCha20 Encrypt and decrypt 16 bytes in multiple parts 3
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:1:15:-1:1:15:1:15
+
+ChaCha20 Encrypt and decrypt 16 bytes in multiple parts 4
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:15:1:-1:15:1:15:1
+
+ChaCha20 Encrypt and decrypt 22 bytes in multiple parts 1
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:15:7:-1:15:7:15:7
+
+ChaCha20 Encrypt and decrypt 22 bytes in multiple parts 2
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:7:15:-1:7:15:7:15
+
+ChaCha20 Encrypt and decrypt 22 bytes in multiple parts 3
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:16:6:-1:16:6:16:6
+
+ChaCha20 Encrypt and decrypt 22 bytes in multiple parts 4
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:6:16:-1:6:16:6:16
+
+ChaCha20 Encrypt and decrypt 32 bytes in multiple parts
+depends_on:MBEDTLS_CHACHA20_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20:256:16:16:-1:16:16:16:16
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.chachapoly.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.chachapoly.data
new file mode 100644
index 0000000000..61c485125c
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.chachapoly.data
@@ -0,0 +1,123 @@
+Decrypt empty buffer
+depends_on:MBEDTLS_CHACHAPOLY_C
+dec_empty_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305
+
+ChaCha20+Poly1305 Encrypt and decrypt 0 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:0:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 1 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:1:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 2 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:2:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 7 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:7:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 8 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:8:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 9 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:9:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 15 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:15:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 16 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:16:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 17 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:17:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 31 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:31:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 32 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:32:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 33 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:33:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 47 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:47:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 48 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:48:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 49 bytes
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf:MBEDTLS_CIPHER_CHACHA20_POLY1305:"CHACHA20-POLY1305":256:49:-1
+
+ChaCha20+Poly1305 Encrypt and decrypt 0 bytes in multiple parts 1
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:0:0:-1:0:0:0:0
+
+ChaCha20+Poly1305 Encrypt and decrypt 1 bytes in multiple parts 1
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:1:0:-1:1:0:1:0
+
+ChaCha20+Poly1305 Encrypt and decrypt 1 bytes in multiple parts 2
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:0:1:-1:0:1:0:1
+
+ChaCha20+Poly1305 Encrypt and decrypt 16 bytes in multiple parts 1
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:16:0:-1:16:0:16:0
+
+ChaCha20+Poly1305 Encrypt and decrypt 16 bytes in multiple parts 2
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:0:16:-1:0:16:0:16
+
+ChaCha20+Poly1305 Encrypt and decrypt 16 bytes in multiple parts 3
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:1:15:-1:1:15:1:15
+
+ChaCha20+Poly1305 Encrypt and decrypt 16 bytes in multiple parts 4
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:15:1:-1:15:1:15:1
+
+ChaCha20+Poly1305 Encrypt and decrypt 22 bytes in multiple parts 1
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:15:7:-1:15:7:15:7
+
+ChaCha20+Poly1305 Encrypt and decrypt 22 bytes in multiple parts 2
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:7:15:-1:7:15:7:15
+
+ChaCha20+Poly1305 Encrypt and decrypt 22 bytes in multiple parts 3
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:16:6:-1:16:6:16:6
+
+ChaCha20+Poly1305 Encrypt and decrypt 22 bytes in multiple parts 4
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:6:16:-1:6:16:6:16
+
+ChaCha20+Poly1305 Encrypt and decrypt 32 bytes in multiple parts
+depends_on:MBEDTLS_CHACHAPOLY_C
+enc_dec_buf_multipart:MBEDTLS_CIPHER_CHACHA20_POLY1305:256:16:16:-1:16:16:16:16
+
+ChaCha20+Poly1305 RFC 7539 Test Vector #1
+depends_on:MBEDTLS_CHACHAPOLY_C
+auth_crypt_tv:MBEDTLS_CIPHER_CHACHA20_POLY1305:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"f33388860000000000004e91":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"eead9d67890cbb22392336fea1851f38":"":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d"
+
+ChaCha20+Poly1305 RFC 7539 Test Vector #1 Unauthentic (1st bit flipped)
+depends_on:MBEDTLS_CHACHAPOLY_C
+auth_crypt_tv:MBEDTLS_CIPHER_CHACHA20_POLY1305:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"f33388860000000000004e91":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"6ead9d67890cbb22392336fea1851f38":"FAIL":""
+
+Chacha20+Poly1305 RFC 7539 Test Vector #1 (streaming)
+depends_on:MBEDTLS_CHACHAPOLY_C
+decrypt_test_vec:MBEDTLS_CIPHER_CHACHA20_POLY1305:-1:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d":"f33388860000000000004e91":"eead9d67890cbb22392336fea1851f38":0:0
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.function
index 2518ba5761..02bf5f7ee1 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.function
@@ -12,7 +12,7 @@
  */
 
 /* BEGIN_CASE */
-void mbedtls_cipher_list( )
+void mbedtls_cipher_list(  )
 {
     const int *cipher_type;
 
@@ -22,77 +22,469 @@ void mbedtls_cipher_list( )
 /* END_CASE */
 
 /* BEGIN_CASE */
-void cipher_null_args( )
+void cipher_invalid_param_unconditional( )
 {
-    mbedtls_cipher_context_t ctx;
-    const mbedtls_cipher_info_t *info = mbedtls_cipher_info_from_type( *( mbedtls_cipher_list() ) );
-    unsigned char buf[1] = { 0 };
-    size_t olen;
-
-    mbedtls_cipher_init( &ctx );
-
-    TEST_ASSERT( mbedtls_cipher_get_block_size( NULL ) == 0 );
-    TEST_ASSERT( mbedtls_cipher_get_block_size( &ctx ) == 0 );
-
-    TEST_ASSERT( mbedtls_cipher_get_cipher_mode( NULL ) == MBEDTLS_MODE_NONE );
-    TEST_ASSERT( mbedtls_cipher_get_cipher_mode( &ctx ) == MBEDTLS_MODE_NONE );
-
-    TEST_ASSERT( mbedtls_cipher_get_iv_size( NULL ) == 0 );
-    TEST_ASSERT( mbedtls_cipher_get_iv_size( &ctx ) == 0 );
-
-    TEST_ASSERT( mbedtls_cipher_info_from_string( NULL ) == NULL );
-
-    TEST_ASSERT( mbedtls_cipher_setup( &ctx, NULL )
-                 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
-    TEST_ASSERT( mbedtls_cipher_setup( NULL, info )
-                 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    mbedtls_cipher_context_t valid_ctx;
+    mbedtls_cipher_context_t invalid_ctx;
+    mbedtls_operation_t valid_operation = MBEDTLS_ENCRYPT;
+    mbedtls_cipher_padding_t valid_mode = MBEDTLS_PADDING_ZEROS;
+    unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
+    int valid_size = sizeof(valid_buffer);
+    int valid_bitlen = valid_size * 8;
+    const mbedtls_cipher_info_t *valid_info = mbedtls_cipher_info_from_type(
+        *( mbedtls_cipher_list() ) );
+    size_t size_t_var;
+
+    (void)valid_mode; /* In some configurations this is unused */
+
+    mbedtls_cipher_init( &valid_ctx );
+    mbedtls_cipher_setup( &valid_ctx, valid_info );
+    mbedtls_cipher_init( &invalid_ctx );
+
+    /* mbedtls_cipher_setup() */
+    TEST_ASSERT( mbedtls_cipher_setup( &valid_ctx, NULL ) ==
+                 MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    /* mbedtls_cipher_get_block_size() */
+    TEST_ASSERT( mbedtls_cipher_get_block_size( &invalid_ctx ) == 0 );
+
+    /* mbedtls_cipher_get_cipher_mode() */
+    TEST_ASSERT( mbedtls_cipher_get_cipher_mode( &invalid_ctx ) ==
+                 MBEDTLS_MODE_NONE );
+
+    /* mbedtls_cipher_get_iv_size() */
+    TEST_ASSERT( mbedtls_cipher_get_iv_size( &invalid_ctx ) == 0 );
+
+    /* mbedtls_cipher_get_type() */
+    TEST_ASSERT(
+        mbedtls_cipher_get_type( &invalid_ctx ) ==
+        MBEDTLS_CIPHER_NONE);
+
+    /* mbedtls_cipher_get_name() */
+    TEST_ASSERT( mbedtls_cipher_get_name( &invalid_ctx ) == 0 );
+
+    /* mbedtls_cipher_get_key_bitlen() */
+    TEST_ASSERT( mbedtls_cipher_get_key_bitlen( &invalid_ctx ) ==
+                 MBEDTLS_KEY_LENGTH_NONE );
+
+    /* mbedtls_cipher_get_operation() */
+    TEST_ASSERT( mbedtls_cipher_get_operation( &invalid_ctx ) ==
+                 MBEDTLS_OPERATION_NONE );
+
+    /* mbedtls_cipher_setkey() */
+    TEST_ASSERT(
+        mbedtls_cipher_setkey( &invalid_ctx,
+                               valid_buffer,
+                               valid_bitlen,
+                               valid_operation ) ==
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    /* mbedtls_cipher_set_iv() */
+    TEST_ASSERT(
+        mbedtls_cipher_set_iv( &invalid_ctx,
+                               valid_buffer,
+                               valid_size ) ==
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    /* mbedtls_cipher_reset() */
+    TEST_ASSERT( mbedtls_cipher_reset( &invalid_ctx ) ==
+                 MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+    /* mbedtls_cipher_update_ad() */
+    TEST_ASSERT(
+        mbedtls_cipher_update_ad( &invalid_ctx,
+                                  valid_buffer,
+                                  valid_size ) ==
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+#endif /* defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) */
 
-    TEST_ASSERT( mbedtls_cipher_setkey( NULL, buf, 0, MBEDTLS_ENCRYPT )
-                 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
-    TEST_ASSERT( mbedtls_cipher_setkey( &ctx, buf, 0, MBEDTLS_ENCRYPT )
-                 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
-
-    TEST_ASSERT( mbedtls_cipher_set_iv( NULL, buf, 0 )
-                 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
-    TEST_ASSERT( mbedtls_cipher_set_iv( &ctx, buf, 0 )
-                 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
-
-    TEST_ASSERT( mbedtls_cipher_reset( NULL ) == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
-    TEST_ASSERT( mbedtls_cipher_reset( &ctx ) == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
-
-#if defined(MBEDTLS_GCM_C)
-    TEST_ASSERT( mbedtls_cipher_update_ad( NULL, buf, 0 )
-                 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
-    TEST_ASSERT( mbedtls_cipher_update_ad( &ctx, buf, 0 )
-                 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+    /* mbedtls_cipher_set_padding_mode() */
+    TEST_ASSERT( mbedtls_cipher_set_padding_mode( &invalid_ctx, valid_mode ) ==
+                 MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 #endif
 
-    TEST_ASSERT( mbedtls_cipher_update( NULL, buf, 0, buf, &olen )
-                 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
-    TEST_ASSERT( mbedtls_cipher_update( &ctx, buf, 0, buf, &olen )
-                 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    /* mbedtls_cipher_update() */
+    TEST_ASSERT(
+        mbedtls_cipher_update( &invalid_ctx,
+                               valid_buffer,
+                               valid_size,
+                               valid_buffer,
+                               &size_t_var ) ==
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    /* mbedtls_cipher_finish() */
+    TEST_ASSERT(
+        mbedtls_cipher_finish( &invalid_ctx,
+                               valid_buffer,
+                               &size_t_var ) ==
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+    /* mbedtls_cipher_write_tag() */
+    TEST_ASSERT(
+        mbedtls_cipher_write_tag( &invalid_ctx,
+                                  valid_buffer,
+                                  valid_size ) ==
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    /* mbedtls_cipher_check_tag() */
+    TEST_ASSERT(
+        mbedtls_cipher_check_tag( &invalid_ctx,
+                                  valid_buffer,
+                                  valid_size ) ==
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+#endif /* defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) */
 
-    TEST_ASSERT( mbedtls_cipher_finish( NULL, buf, &olen )
-                 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
-    TEST_ASSERT( mbedtls_cipher_finish( &ctx, buf, &olen )
-                 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+exit:
+    mbedtls_cipher_free( &invalid_ctx );
+    mbedtls_cipher_free( &valid_ctx );
+}
+/* END_CASE */
 
-#if defined(MBEDTLS_GCM_C)
-    TEST_ASSERT( mbedtls_cipher_write_tag( NULL, buf, olen )
-                 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
-    TEST_ASSERT( mbedtls_cipher_write_tag( &ctx, buf, olen )
-                 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void cipher_invalid_param_conditional( )
+{
+    mbedtls_cipher_context_t valid_ctx;
+
+    mbedtls_operation_t valid_operation = MBEDTLS_ENCRYPT;
+    mbedtls_operation_t invalid_operation = 100;
+    mbedtls_cipher_padding_t valid_mode = MBEDTLS_PADDING_ZEROS;
+    unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
+    int valid_size = sizeof(valid_buffer);
+    int valid_bitlen = valid_size * 8;
+    const mbedtls_cipher_info_t *valid_info = mbedtls_cipher_info_from_type(
+        *( mbedtls_cipher_list() ) );
+
+    size_t size_t_var;
+
+    (void)valid_mode; /* In some configurations this is unused */
+
+    /* mbedtls_cipher_init() */
+    TEST_VALID_PARAM( mbedtls_cipher_init( &valid_ctx ) );
+    TEST_INVALID_PARAM( mbedtls_cipher_init( NULL ) );
+
+    /* mbedtls_cipher_setup() */
+    TEST_VALID_PARAM( mbedtls_cipher_setup( &valid_ctx, valid_info ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_setup( NULL, valid_info ) );
+
+    /* mbedtls_cipher_get_block_size() */
+    TEST_INVALID_PARAM_RET( 0, mbedtls_cipher_get_block_size( NULL ) );
+
+    /* mbedtls_cipher_get_cipher_mode() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_MODE_NONE,
+        mbedtls_cipher_get_cipher_mode( NULL ) );
+
+    /* mbedtls_cipher_get_iv_size() */
+    TEST_INVALID_PARAM_RET( 0, mbedtls_cipher_get_iv_size( NULL ) );
+
+    /* mbedtls_cipher_get_type() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_CIPHER_NONE,
+        mbedtls_cipher_get_type( NULL ) );
+
+    /* mbedtls_cipher_get_name() */
+    TEST_INVALID_PARAM_RET( 0, mbedtls_cipher_get_name( NULL ) );
+
+    /* mbedtls_cipher_get_key_bitlen() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_KEY_LENGTH_NONE,
+        mbedtls_cipher_get_key_bitlen( NULL ) );
+
+    /* mbedtls_cipher_get_operation() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_OPERATION_NONE,
+        mbedtls_cipher_get_operation( NULL ) );
+
+    /* mbedtls_cipher_setkey() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_setkey( NULL,
+                               valid_buffer,
+                               valid_bitlen,
+                               valid_operation ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_setkey( &valid_ctx,
+                               NULL,
+                               valid_bitlen,
+                               valid_operation ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_setkey( &valid_ctx,
+                               valid_buffer,
+                               valid_bitlen,
+                               invalid_operation ) );
+
+    /* mbedtls_cipher_set_iv() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_set_iv( NULL,
+                               valid_buffer,
+                               valid_size ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_set_iv( &valid_ctx,
+                               NULL,
+                               valid_size ) );
+
+    /* mbedtls_cipher_reset() */
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+                            mbedtls_cipher_reset( NULL ) );
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+    /* mbedtls_cipher_update_ad() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_update_ad( NULL,
+                                  valid_buffer,
+                                  valid_size ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_update_ad( &valid_ctx,
+                                  NULL,
+                                  valid_size ) );
+#endif /* defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) */
 
-    TEST_ASSERT( mbedtls_cipher_check_tag( NULL, buf, olen )
-                 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
-    TEST_ASSERT( mbedtls_cipher_check_tag( &ctx, buf, olen )
-                 == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+    /* mbedtls_cipher_set_padding_mode() */
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+                            mbedtls_cipher_set_padding_mode( NULL, valid_mode ) );
 #endif
+
+    /* mbedtls_cipher_update() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_update( NULL,
+                               valid_buffer,
+                               valid_size,
+                               valid_buffer,
+                               &size_t_var ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_update( &valid_ctx,
+                               NULL, valid_size,
+                               valid_buffer,
+                               &size_t_var ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_update( &valid_ctx,
+                               valid_buffer, valid_size,
+                               NULL,
+                               &size_t_var ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_update( &valid_ctx,
+                               valid_buffer, valid_size,
+                               valid_buffer,
+                               NULL ) );
+
+    /* mbedtls_cipher_finish() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_finish( NULL,
+                               valid_buffer,
+                               &size_t_var ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_finish( &valid_ctx,
+                               NULL,
+                               &size_t_var ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_finish( &valid_ctx,
+                               valid_buffer,
+                               NULL ) );
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+    /* mbedtls_cipher_write_tag() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_write_tag( NULL,
+                                  valid_buffer,
+                                  valid_size ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_write_tag( &valid_ctx,
+                                  NULL,
+                                  valid_size ) );
+
+    /* mbedtls_cipher_check_tag() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_check_tag( NULL,
+                                  valid_buffer,
+                                  valid_size ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_check_tag( &valid_ctx,
+                                  NULL,
+                                  valid_size ) );
+#endif /* defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) */
+
+    /* mbedtls_cipher_crypt() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_crypt( NULL,
+                              valid_buffer, valid_size,
+                              valid_buffer, valid_size,
+                              valid_buffer, &size_t_var ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_crypt( &valid_ctx,
+                              NULL, valid_size,
+                              valid_buffer, valid_size,
+                              valid_buffer, &size_t_var ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_crypt( &valid_ctx,
+                              valid_buffer, valid_size,
+                              NULL, valid_size,
+                              valid_buffer, &size_t_var ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_crypt( &valid_ctx,
+                              valid_buffer, valid_size,
+                              valid_buffer, valid_size,
+                              NULL, &size_t_var ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_crypt( &valid_ctx,
+                              valid_buffer, valid_size,
+                              valid_buffer, valid_size,
+                              valid_buffer, NULL ) );
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+    /* mbedtls_cipher_auth_encrypt() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_auth_encrypt( NULL,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, &size_t_var,
+                                     valid_buffer, valid_size ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_auth_encrypt( &valid_ctx,
+                                     NULL, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, &size_t_var,
+                                     valid_buffer, valid_size ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_auth_encrypt( &valid_ctx,
+                                     valid_buffer, valid_size,
+                                     NULL, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, &size_t_var,
+                                     valid_buffer, valid_size ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_auth_encrypt( &valid_ctx,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     NULL, valid_size,
+                                     valid_buffer, &size_t_var,
+                                     valid_buffer, valid_size ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_auth_encrypt( &valid_ctx,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     NULL, &size_t_var,
+                                     valid_buffer, valid_size ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_auth_encrypt( &valid_ctx,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, NULL,
+                                     valid_buffer, valid_size ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_auth_encrypt( &valid_ctx,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, &size_t_var,
+                                     NULL, valid_size ) );
+
+    /* mbedtls_cipher_auth_decrypt() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_auth_decrypt( NULL,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, &size_t_var,
+                                     valid_buffer, valid_size ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_auth_decrypt( &valid_ctx,
+                                     NULL, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, &size_t_var,
+                                     valid_buffer, valid_size ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_auth_decrypt( &valid_ctx,
+                                     valid_buffer, valid_size,
+                                     NULL, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, &size_t_var,
+                                     valid_buffer, valid_size ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_auth_decrypt( &valid_ctx,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     NULL, valid_size,
+                                     valid_buffer, &size_t_var,
+                                     valid_buffer, valid_size ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_auth_decrypt( &valid_ctx,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     NULL, &size_t_var,
+                                     valid_buffer, valid_size ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_auth_decrypt( &valid_ctx,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, NULL,
+                                     valid_buffer, valid_size ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
+        mbedtls_cipher_auth_decrypt( &valid_ctx,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, valid_size,
+                                     valid_buffer, &size_t_var,
+                                     NULL, valid_size ) );
+#endif /* defined(MBEDTLS_CIPHER_MODE_AEAD) */
+
+    /* mbedtls_cipher_free() */
+    TEST_VALID_PARAM( mbedtls_cipher_free( NULL ) );
+exit:
+    TEST_VALID_PARAM( mbedtls_cipher_free( &valid_ctx ) );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_AES_C */
-void cipher_special_behaviours( )
+void cipher_special_behaviours(  )
 {
     const mbedtls_cipher_info_t *cipher_info;
     mbedtls_cipher_context_t ctx;
@@ -141,11 +533,11 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void enc_dec_buf( int cipher_id, char *cipher_string, int key_len,
+void enc_dec_buf( int cipher_id, char * cipher_string, int key_len,
                   int length_val, int pad_mode )
 {
     size_t length = length_val, outlen, total_len, i, block_size;
-    unsigned char key[32];
+    unsigned char key[64];
     unsigned char iv[16];
     unsigned char ad[13];
     unsigned char tag[16];
@@ -206,7 +598,7 @@ void enc_dec_buf( int cipher_id, char *cipher_string, int key_len,
     TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_dec ) );
     TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_enc ) );
 
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
     TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_dec, ad, sizeof( ad ) - i ) );
     TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_enc, ad, sizeof( ad ) - i ) );
 #endif
@@ -226,7 +618,7 @@ void enc_dec_buf( int cipher_id, char *cipher_string, int key_len,
     TEST_ASSERT( 0 == mbedtls_cipher_finish( &ctx_enc, encbuf + outlen, &outlen ) );
     total_len += outlen;
 
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
     TEST_ASSERT( 0 == mbedtls_cipher_write_tag( &ctx_enc, tag, sizeof( tag ) ) );
 #endif
 
@@ -247,7 +639,7 @@ void enc_dec_buf( int cipher_id, char *cipher_string, int key_len,
     TEST_ASSERT( 0 == mbedtls_cipher_finish( &ctx_dec, decbuf + outlen, &outlen ) );
     total_len += outlen;
 
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
     TEST_ASSERT( 0 == mbedtls_cipher_check_tag( &ctx_dec, tag, sizeof( tag ) ) );
 #endif
 
@@ -266,8 +658,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void enc_fail( int cipher_id, int pad_mode, int key_len,
-               int length_val, int ret )
+void enc_fail( int cipher_id, int pad_mode, int key_len, int length_val,
+               int ret )
 {
     size_t length = length_val;
     unsigned char key[32];
@@ -303,7 +695,7 @@ void enc_fail( int cipher_id, int pad_mode, int key_len,
 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
     TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx, iv, 16 ) );
     TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx ) );
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
     TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx, NULL, 0 ) );
 #endif
 
@@ -318,7 +710,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void dec_empty_buf()
+void dec_empty_buf( int cipher )
 {
     unsigned char key[32];
     unsigned char iv[16];
@@ -331,6 +723,8 @@ void dec_empty_buf()
 
     size_t outlen = 0;
 
+    int expected_ret;
+
     memset( key, 0, 32 );
     memset( iv , 0, 16 );
 
@@ -340,26 +734,44 @@ void dec_empty_buf()
     memset( decbuf, 0, 64 );
 
     /* Initialise context */
-    cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_CBC );
+    cipher_info = mbedtls_cipher_info_from_type( cipher );
     TEST_ASSERT( NULL != cipher_info);
+    TEST_ASSERT( sizeof(key) * 8 >= cipher_info->key_bitlen );
 
     TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx_dec, cipher_info ) );
 
-    TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx_dec, key, 128, MBEDTLS_DECRYPT ) );
+    TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx_dec,
+                                             key, cipher_info->key_bitlen,
+                                             MBEDTLS_DECRYPT ) );
 
     TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx_dec, iv, 16 ) );
 
     TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_dec ) );
 
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
     TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_dec, NULL, 0 ) );
 #endif
 
     /* decode 0-byte string */
     TEST_ASSERT( 0 == mbedtls_cipher_update( &ctx_dec, encbuf, 0, decbuf, &outlen ) );
     TEST_ASSERT( 0 == outlen );
-    TEST_ASSERT( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED == mbedtls_cipher_finish(
-                 &ctx_dec, decbuf + outlen, &outlen ) );
+
+    if ( cipher_info->mode == MBEDTLS_MODE_CBC ||
+         cipher_info->mode == MBEDTLS_MODE_ECB )
+    {
+        /* CBC and ECB ciphers need a full block of input. */
+        expected_ret = MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
+    }
+    else
+    {
+        /* Non-CBC and non-ECB ciphers are OK with decrypting empty buffers and
+         * return success, not MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED, when
+         * decrypting an empty buffer. */
+        expected_ret = 0;
+    }
+
+    TEST_ASSERT( expected_ret == mbedtls_cipher_finish(
+                                    &ctx_dec, decbuf + outlen, &outlen ) );
     TEST_ASSERT( 0 == outlen );
 
 exit:
@@ -427,7 +839,7 @@ void enc_dec_buf_multipart( int cipher_id, int key_len, int first_length_val,
     TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_dec ) );
     TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx_enc ) );
 
-#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
     TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_dec, NULL, 0 ) );
     TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx_enc, NULL, 0 ) );
 #endif
@@ -482,80 +894,56 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void decrypt_test_vec( int cipher_id, int pad_mode,
-                       char *hex_key, char *hex_iv,
-                       char *hex_cipher, char *hex_clear,
-                       char *hex_ad, char *hex_tag,
+void decrypt_test_vec( int cipher_id, int pad_mode, data_t * key,
+                       data_t * iv, data_t * cipher,
+                       data_t * clear, data_t * ad, data_t * tag,
                        int finish_result, int tag_result )
 {
-    unsigned char key[50];
-    unsigned char iv[50];
-    unsigned char cipher[200];
-    unsigned char clear[200];
-    unsigned char ad[200];
-    unsigned char tag[20];
-    size_t key_len, iv_len, cipher_len, clear_len;
-#if defined(MBEDTLS_GCM_C)
-    size_t ad_len, tag_len;
-#endif
+    unsigned char output[265];
     mbedtls_cipher_context_t ctx;
-    unsigned char output[200];
     size_t outlen, total_len;
 
     mbedtls_cipher_init( &ctx );
 
-    memset( key, 0x00, sizeof( key ) );
-    memset( iv, 0x00, sizeof( iv ) );
-    memset( cipher, 0x00, sizeof( cipher ) );
-    memset( clear, 0x00, sizeof( clear ) );
-    memset( ad, 0x00, sizeof( ad ) );
-    memset( tag, 0x00, sizeof( tag ) );
     memset( output, 0x00, sizeof( output ) );
 
-    key_len = unhexify( key, hex_key );
-    iv_len = unhexify( iv, hex_iv );
-    cipher_len = unhexify( cipher, hex_cipher );
-    clear_len = unhexify( clear, hex_clear );
-#if defined(MBEDTLS_GCM_C)
-    ad_len = unhexify( ad, hex_ad );
-    tag_len = unhexify( tag, hex_tag );
-#else
-    ((void) hex_ad);
-    ((void) hex_tag);
+#if !defined(MBEDTLS_GCM_C) && !defined(MBEDTLS_CHACHAPOLY_C)
+    ((void) ad);
+    ((void) tag);
 #endif
 
     /* Prepare context */
     TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx,
                                        mbedtls_cipher_info_from_type( cipher_id ) ) );
-    TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key, 8 * key_len, MBEDTLS_DECRYPT ) );
+    TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key->x, 8 * key->len, MBEDTLS_DECRYPT ) );
 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
     if( pad_mode != -1 )
         TEST_ASSERT( 0 == mbedtls_cipher_set_padding_mode( &ctx, pad_mode ) );
 #else
     (void) pad_mode;
 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
-    TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx, iv, iv_len ) );
+    TEST_ASSERT( 0 == mbedtls_cipher_set_iv( &ctx, iv->x, iv->len ) );
     TEST_ASSERT( 0 == mbedtls_cipher_reset( &ctx ) );
-#if defined(MBEDTLS_GCM_C)
-    TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx, ad, ad_len ) );
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+    TEST_ASSERT( 0 == mbedtls_cipher_update_ad( &ctx, ad->x, ad->len ) );
 #endif
 
-    /* decode buffer and check tag */
+    /* decode buffer and check tag->x */
     total_len = 0;
-    TEST_ASSERT( 0 == mbedtls_cipher_update( &ctx, cipher, cipher_len, output, &outlen ) );
+    TEST_ASSERT( 0 == mbedtls_cipher_update( &ctx, cipher->x, cipher->len, output, &outlen ) );
     total_len += outlen;
     TEST_ASSERT( finish_result == mbedtls_cipher_finish( &ctx, output + outlen,
                                                  &outlen ) );
     total_len += outlen;
-#if defined(MBEDTLS_GCM_C)
-    TEST_ASSERT( tag_result == mbedtls_cipher_check_tag( &ctx, tag, tag_len ) );
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+    TEST_ASSERT( tag_result == mbedtls_cipher_check_tag( &ctx, tag->x, tag->len ) );
 #endif
 
     /* check plaintext only if everything went fine */
     if( 0 == finish_result && 0 == tag_result )
     {
-        TEST_ASSERT( total_len == clear_len );
-        TEST_ASSERT( 0 == memcmp( output, clear, clear_len ) );
+        TEST_ASSERT( total_len == clear->len );
+        TEST_ASSERT( 0 == memcmp( output, clear->x, clear->len ) );
     }
 
 exit:
@@ -564,56 +952,38 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_AEAD */
-void auth_crypt_tv( int cipher_id, char *hex_key, char *hex_iv,
-                    char *hex_ad, char *hex_cipher,
-                    char *hex_tag, char *hex_clear )
+void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
+                    data_t * ad, data_t * cipher, data_t * tag,
+                    char * result, data_t * clear )
 {
     int ret;
-    unsigned char key[50];
-    unsigned char iv[50];
-    unsigned char cipher[200];
-    unsigned char clear[200];
-    unsigned char ad[200];
-    unsigned char tag[20];
+    unsigned char output[267]; /* above + 2 (overwrite check) */
     unsigned char my_tag[20];
-    size_t key_len, iv_len, cipher_len, clear_len, ad_len, tag_len;
     mbedtls_cipher_context_t ctx;
-    unsigned char output[200];
     size_t outlen;
 
     mbedtls_cipher_init( &ctx );
 
-    memset( key,    0x00, sizeof( key    ) );
-    memset( iv,     0x00, sizeof( iv     ) );
-    memset( cipher, 0x00, sizeof( cipher ) );
-    memset( clear,  0x00, sizeof( clear  ) );
-    memset( ad,     0x00, sizeof( ad     ) );
-    memset( tag,    0x00, sizeof( tag    ) );
-    memset( my_tag, 0xFF, sizeof( my_tag ) );
     memset( output, 0xFF, sizeof( output ) );
+    memset( my_tag, 0xFF, sizeof( my_tag ) );
 
-    key_len     = unhexify( key,    hex_key     );
-    iv_len      = unhexify( iv,     hex_iv      );
-    cipher_len  = unhexify( cipher, hex_cipher  );
-    ad_len      = unhexify( ad,     hex_ad      );
-    tag_len     = unhexify( tag,    hex_tag     );
 
     /* Prepare context */
     TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx,
                                        mbedtls_cipher_info_from_type( cipher_id ) ) );
-    TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key, 8 * key_len, MBEDTLS_DECRYPT ) );
+    TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key->x, 8 * key->len, MBEDTLS_DECRYPT ) );
 
-    /* decode buffer and check tag */
-    ret = mbedtls_cipher_auth_decrypt( &ctx, iv, iv_len, ad, ad_len,
-                               cipher, cipher_len, output, &outlen,
-                               tag, tag_len );
+    /* decode buffer and check tag->x */
+    ret = mbedtls_cipher_auth_decrypt( &ctx, iv->x, iv->len, ad->x, ad->len,
+                               cipher->x, cipher->len, output, &outlen,
+                               tag->x, tag->len );
 
     /* make sure we didn't overwrite */
     TEST_ASSERT( output[outlen + 0] == 0xFF );
     TEST_ASSERT( output[outlen + 1] == 0xFF );
 
     /* make sure the message is rejected if it should be */
-    if( strcmp( hex_clear, "FAIL" ) == 0 )
+    if( strcmp( result, "FAIL" ) == 0 )
     {
         TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED );
         goto exit;
@@ -622,31 +992,30 @@ void auth_crypt_tv( int cipher_id, char *hex_key, char *hex_iv,
     /* otherwise, make sure it was decrypted properly */
     TEST_ASSERT( ret == 0 );
 
-    clear_len = unhexify( clear,  hex_clear   );
-    TEST_ASSERT( outlen == clear_len );
-    TEST_ASSERT( memcmp( output, clear, clear_len ) == 0 );
+    TEST_ASSERT( outlen == clear->len );
+    TEST_ASSERT( memcmp( output, clear->x, clear->len ) == 0 );
 
-    /* then encrypt the clear and make sure we get the same ciphertext and tag */
-    TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key, 8 * key_len,
+    /* then encrypt the clear->x and make sure we get the same ciphertext and tag->x */
+    TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key->x, 8 * key->len,
                                              MBEDTLS_ENCRYPT ) );
 
     memset( output, 0xFF, sizeof( output ) );
     outlen = 0;
 
-    ret = mbedtls_cipher_auth_encrypt( &ctx, iv, iv_len, ad, ad_len,
-                               clear, clear_len, output, &outlen,
-                               my_tag, tag_len );
+    ret = mbedtls_cipher_auth_encrypt( &ctx, iv->x, iv->len, ad->x, ad->len,
+                               clear->x, clear->len, output, &outlen,
+                               my_tag, tag->len );
     TEST_ASSERT( ret == 0 );
 
-    TEST_ASSERT( outlen == cipher_len );
-    TEST_ASSERT( memcmp( output, cipher, cipher_len ) == 0 );
-    TEST_ASSERT( memcmp( my_tag, tag, tag_len ) == 0 );
+    TEST_ASSERT( outlen == cipher->len );
+    TEST_ASSERT( memcmp( output, cipher->x, cipher->len ) == 0 );
+    TEST_ASSERT( memcmp( my_tag, tag->x, tag->len ) == 0 );
 
     /* make sure we didn't overwrite */
     TEST_ASSERT( output[outlen + 0] == 0xFF );
     TEST_ASSERT( output[outlen + 1] == 0xFF );
-    TEST_ASSERT( my_tag[tag_len + 0] == 0xFF );
-    TEST_ASSERT( my_tag[tag_len + 1] == 0xFF );
+    TEST_ASSERT( my_tag[tag->len + 0] == 0xFF );
+    TEST_ASSERT( my_tag[tag->len + 1] == 0xFF );
 
 
 exit:
@@ -655,38 +1024,26 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void test_vec_ecb( int cipher_id, int operation, char *hex_key,
-                   char *hex_input, char *hex_result,
-                   int finish_result )
+void test_vec_ecb( int cipher_id, int operation, data_t * key,
+                   data_t * input, data_t * result, int finish_result
+                   )
 {
-    unsigned char key[50];
-    unsigned char input[16];
-    unsigned char result[16];
-    size_t key_len;
     mbedtls_cipher_context_t ctx;
     unsigned char output[32];
     size_t outlen;
 
     mbedtls_cipher_init( &ctx );
 
-    memset( key, 0x00, sizeof( key ) );
-    memset( input, 0x00, sizeof( input ) );
-    memset( result, 0x00, sizeof( result ) );
     memset( output, 0x00, sizeof( output ) );
 
     /* Prepare context */
     TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx,
                                        mbedtls_cipher_info_from_type( cipher_id ) ) );
 
-    key_len = unhexify( key, hex_key );
-    TEST_ASSERT( unhexify( input, hex_input ) ==
-                 (int) mbedtls_cipher_get_block_size( &ctx ) );
-    TEST_ASSERT( unhexify( result, hex_result ) ==
-                 (int) mbedtls_cipher_get_block_size( &ctx ) );
 
-    TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key, 8 * key_len, operation ) );
+    TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key->x, 8 * key->len, operation ) );
 
-    TEST_ASSERT( 0 == mbedtls_cipher_update( &ctx, input,
+    TEST_ASSERT( 0 == mbedtls_cipher_update( &ctx, input->x,
                                      mbedtls_cipher_get_block_size( &ctx ),
                                      output, &outlen ) );
     TEST_ASSERT( outlen == mbedtls_cipher_get_block_size( &ctx ) );
@@ -696,7 +1053,7 @@ void test_vec_ecb( int cipher_id, int operation, char *hex_key,
 
     /* check plaintext only if everything went fine */
     if( 0 == finish_result )
-        TEST_ASSERT( 0 == memcmp( output, result,
+        TEST_ASSERT( 0 == memcmp( output, result->x,
                                   mbedtls_cipher_get_block_size( &ctx ) ) );
 
 exit:
@@ -773,12 +1130,12 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
-void check_padding( int pad_mode, char *input_str, int ret, int dlen_check )
+void check_padding( int pad_mode, data_t * input, int ret, int dlen_check
+                    )
 {
     mbedtls_cipher_info_t cipher_info;
     mbedtls_cipher_context_t ctx;
-    unsigned char input[16];
-    size_t ilen, dlen;
+    size_t dlen;
 
     /* build a fake context just for getting access to get_padding */
     mbedtls_cipher_init( &ctx );
@@ -787,9 +1144,8 @@ void check_padding( int pad_mode, char *input_str, int ret, int dlen_check )
 
     TEST_ASSERT( 0 == mbedtls_cipher_set_padding_mode( &ctx, pad_mode ) );
 
-    ilen = unhexify( input, input_str );
 
-    TEST_ASSERT( ret == ctx.get_padding( input, ilen, &dlen ) );
+    TEST_ASSERT( ret == ctx.get_padding( input->x, input->len, &dlen ) );
     if( 0 == ret )
         TEST_ASSERT( dlen == (size_t) dlen_check );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.misc.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.misc.data
new file mode 100644
index 0000000000..25bfd407df
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.misc.data
@@ -0,0 +1,5 @@
+CIPHER - Conditional invalid parameter checks
+cipher_invalid_param_conditional:
+
+CIPHER - Unconditional invalid parameter checks
+cipher_invalid_param_unconditional:
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.padding.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.padding.data
index 1c0ba09801..dc4c9d70b5 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.padding.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cipher.padding.data
@@ -1,9 +1,6 @@
 Cipher list
 mbedtls_cipher_list:
 
-Cipher null/uninitialised arguments
-cipher_null_args:
-
 Set padding with AES-CBC
 depends_on:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_CIPHER_PADDING_PKCS7
 set_padding:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_PADDING_PKCS7:0
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cmac.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cmac.function
index 4b31ab2ffd..cabf1070c1 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cmac.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_cmac.function
@@ -9,14 +9,14 @@
  */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void mbedtls_cmac_self_test( )
+void mbedtls_cmac_self_test(  )
 {
     TEST_ASSERT( mbedtls_cmac_self_test( 1 ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_cmac_null_args( )
+void mbedtls_cmac_null_args(  )
 {
     mbedtls_cipher_context_t ctx;
     const mbedtls_cipher_info_t *cipher_info;
@@ -99,8 +99,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_cmac_setkey( int cipher_type, int key_size,
-                          int result )
+void mbedtls_cmac_setkey( int cipher_type, int key_size, int result )
 {
     const mbedtls_cipher_info_t *cipher_info;
     unsigned char key[32];
@@ -120,32 +119,19 @@ void mbedtls_cmac_setkey( int cipher_type, int key_size,
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_cmac_multiple_blocks( int cipher_type,
-                                   char *key_string, int keybits,
-                                   int block_size,
-                                   char *block1_string, int block1_len,
-                                   char *block2_string, int block2_len,
-                                   char *block3_string, int block3_len,
-                                   char *block4_string, int block4_len,
-                                   char *expected_result_string )
+void mbedtls_cmac_multiple_blocks( int cipher_type, data_t * key,
+                                   int keybits, int block_size,
+                                   data_t * block1, int block1_len,
+                                   data_t * block2, int block2_len,
+                                   data_t * block3, int block3_len,
+                                   data_t * block4, int block4_len,
+                                   data_t * expected_result )
 {
-    unsigned char key[100];
-    unsigned char block1[100];
-    unsigned char block2[100];
-    unsigned char block3[100];
-    unsigned char block4[100];
-    unsigned char expected_result[100];
     const mbedtls_cipher_info_t *cipher_info;
     mbedtls_cipher_context_t ctx;
     unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
 
     /* Convert the test parameters to binary data */
-    unhexify( key, key_string );
-    unhexify( block1, block1_string );
-    unhexify( block2, block2_string );
-    unhexify( block3, block3_string );
-    unhexify( block4, block4_string );
-    unhexify( expected_result, expected_result_string );
 
     mbedtls_cipher_init( &ctx );
 
@@ -162,34 +148,34 @@ void mbedtls_cmac_multiple_blocks( int cipher_type,
     TEST_ASSERT( mbedtls_cipher_setup( &ctx, cipher_info ) == 0 );
 
     TEST_ASSERT( mbedtls_cipher_cmac_starts( &ctx,
-                                             (const unsigned char*)key,
+                                             (const unsigned char*)key->x,
                                              keybits ) == 0 );
 
     /* Multiple partial and complete blocks. A negative length means skip the
      * update operation */
     if( block1_len >= 0)
         TEST_ASSERT( mbedtls_cipher_cmac_update( &ctx,
-                                                 (unsigned char*)block1,
+                                                 (unsigned char*)block1->x,
                                                  block1_len ) == 0);
 
     if( block2_len >= 0 )
         TEST_ASSERT( mbedtls_cipher_cmac_update( &ctx,
-                                                 (unsigned char*)block2,
+                                                 (unsigned char*)block2->x,
                                                  block2_len ) == 0);
 
     if( block3_len >= 0 )
         TEST_ASSERT( mbedtls_cipher_cmac_update( &ctx,
-                                                 (unsigned char*)block3,
+                                                 (unsigned char*)block3->x,
                                                  block3_len ) == 0);
 
     if( block4_len >= 0 )
         TEST_ASSERT( mbedtls_cipher_cmac_update( &ctx,
-                                                 (unsigned char*)block4,
+                                                 (unsigned char*)block4->x,
                                                  block4_len ) == 0);
 
     TEST_ASSERT( mbedtls_cipher_cmac_finish( &ctx, output ) == 0 );
 
-    TEST_ASSERT( memcmp( output, expected_result, block_size )  == 0 );
+    TEST_ASSERT( memcmp( output, expected_result->x, block_size )  == 0 );
 
 exit:
     mbedtls_cipher_free( &ctx );
@@ -198,41 +184,31 @@ exit:
 
 /* BEGIN_CASE */
 void mbedtls_cmac_multiple_operations_same_key( int cipher_type,
-                                   char *key_string, int keybits,
-                                   int block_size,
-                                   char *block_a1_string, int block_a1_len,
-                                   char *block_a2_string, int block_a2_len,
-                                   char *block_a3_string, int block_a3_len,
-                                   char *expected_result_a_string,
-                                   char *block_b1_string, int block_b1_len,
-                                   char *block_b2_string, int block_b2_len,
-                                   char *block_b3_string, int block_b3_len,
-                                   char *expected_result_b_string )
+                                                data_t * key, int keybits,
+                                                int block_size,
+                                                data_t * block_a1,
+                                                int block_a1_len,
+                                                data_t * block_a2,
+                                                int block_a2_len,
+                                                data_t * block_a3,
+                                                int block_a3_len,
+                                                data_t * expected_result_a,
+                                                data_t * block_b1,
+                                                int block_b1_len,
+                                                data_t * block_b2,
+                                                int block_b2_len,
+                                                data_t * block_b3,
+                                                int block_b3_len,
+                                                data_t * expected_result_b
+                                                )
 {
-    unsigned char key[100];
-    unsigned char block_a1[100];
-    unsigned char block_a2[100];
-    unsigned char block_a3[100];
-    unsigned char block_b1[100];
-    unsigned char block_b2[100];
-    unsigned char block_b3[100];
-    unsigned char expected_result_a[100], expected_result_b[100];
     const mbedtls_cipher_info_t *cipher_info;
     mbedtls_cipher_context_t ctx;
     unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
 
     /* Convert the test parameters to binary data */
-    unhexify( key, key_string );
-    unhexify( block_a1, block_a1_string );
-    unhexify( block_a2, block_a2_string );
-    unhexify( block_a3, block_a3_string );
 
-    unhexify( block_b1, block_b1_string );
-    unhexify( block_b2, block_b2_string );
-    unhexify( block_b3, block_b3_string );
 
-    unhexify( expected_result_a, expected_result_a_string );
-    unhexify( expected_result_b, expected_result_b_string );
 
     mbedtls_cipher_init( &ctx );
 
@@ -252,7 +228,7 @@ void mbedtls_cmac_multiple_operations_same_key( int cipher_type,
     TEST_ASSERT( mbedtls_cipher_setup( &ctx, cipher_info ) == 0 );
 
     TEST_ASSERT( mbedtls_cipher_cmac_starts( &ctx,
-                                             (const unsigned char*)key,
+                                             (const unsigned char*)key->x,
                                              keybits ) == 0 );
 
     /* Sequence A */
@@ -261,22 +237,22 @@ void mbedtls_cmac_multiple_operations_same_key( int cipher_type,
      * update operation */
     if( block_a1_len >= 0 )
         TEST_ASSERT( mbedtls_cipher_cmac_update( &ctx,
-                                                 (unsigned char*)block_a1,
+                                                 (unsigned char*)block_a1->x,
                                                  block_a1_len ) == 0);
 
     if( block_a2_len >= 0 )
         TEST_ASSERT( mbedtls_cipher_cmac_update( &ctx,
-                                                 (unsigned char*)block_a2,
+                                                 (unsigned char*)block_a2->x,
                                                  block_a2_len ) == 0);
 
     if( block_a3_len >= 0 )
         TEST_ASSERT( mbedtls_cipher_cmac_update( &ctx,
-                                                 (unsigned char*)block_a3,
+                                                 (unsigned char*)block_a3->x,
                                                   block_a3_len ) == 0);
 
     TEST_ASSERT( mbedtls_cipher_cmac_finish( &ctx, output ) == 0 );
 
-    TEST_ASSERT( memcmp( output, expected_result_a, block_size )  == 0 );
+    TEST_ASSERT( memcmp( output, expected_result_a->x, block_size )  == 0 );
 
     TEST_ASSERT( mbedtls_cipher_cmac_reset( &ctx ) == 0 );
 
@@ -286,22 +262,22 @@ void mbedtls_cmac_multiple_operations_same_key( int cipher_type,
      * update operation */
     if( block_b1_len >= 0)
         TEST_ASSERT( mbedtls_cipher_cmac_update( &ctx,
-                                                 (unsigned char*)block_b1,
+                                                 (unsigned char*)block_b1->x,
                                                  block_b1_len ) == 0);
 
     if( block_b2_len >= 0 )
         TEST_ASSERT( mbedtls_cipher_cmac_update( &ctx,
-                                                 (unsigned char*)block_b2,
+                                                 (unsigned char*)block_b2->x,
                                                  block_b2_len ) == 0);
 
     if( block_b3_len >= 0 )
         TEST_ASSERT( mbedtls_cipher_cmac_update( &ctx,
-                                                 (unsigned char*)block_b3,
+                                                 (unsigned char*)block_b3->x,
                                                  block_b3_len ) == 0);
 
     TEST_ASSERT( mbedtls_cipher_cmac_finish( &ctx, output ) == 0 );
 
-    TEST_ASSERT( memcmp( output, expected_result_b, block_size )  == 0 );
+    TEST_ASSERT( memcmp( output, expected_result_b->x, block_size )  == 0 );
 
 exit:
     mbedtls_cipher_free( &ctx );
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ctr_drbg.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ctr_drbg.data
index 666165851e..d2307bf109 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ctr_drbg.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ctr_drbg.data
@@ -1,722 +1,1074 @@
+CTR_DRBG_withDF.pdf: AES-256, PR=no, perso=no, add=no
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"202122232425262728292a2b2c2d2e2f":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f":"":"":"8da6cc59e703ced07d58d96e5b6d7836c32599735b734f88c1a73b53c7a6d82e"
+
+CTR_DRBG_withDF.pdf: AES-256, PR=no, perso=no, add=yes
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"202122232425262728292a2b2c2d2e2f":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f":"a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf":"81daaf9800c34ff0a104e51d87e36f5b17eb14b9abc5064cadda976ec4f77d34"
+
+CTR_DRBG_withDF.pdf: AES-256, PR=no, perso=yes, add=no
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"202122232425262728292a2b2c2d2e2f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f":"":"":"bb2a0f5f0ca6d30634ba6068eb94aae8701437db7223a1b5afe8771547da3cee"
+
+CTR_DRBG_withDF.pdf: AES-256, PR=no, perso=yes, add=yes
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"202122232425262728292a2b2c2d2e2f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f":"a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf":"98a28e3b1ba363c9daf0f6887a1cf52b833d3354d77a7c10837dd63dd2e645f8"
+
+CTR_DRBG_withDF.pdf: AES-256, PR=yes, perso=no, add=no
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_pr:"202122232425262728292a2b2c2d2e2f":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef":"":"":"259dc78ccfaec4210c30af815e4f75a5662b7da4b41013bdc00302dfb6076492"
+
+CTR_DRBG_withDF.pdf: AES-256, PR=yes, perso=no, add=yes
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_pr:"202122232425262728292a2b2c2d2e2f":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f":"a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf":"386debbbf091bbf0502957b0329938fb836b82e594a2f5fdd5eb28d4e35528f4"
+
+CTR_DRBG_withDF.pdf: AES-256, PR=yes, perso=yes, add=no
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_pr:"202122232425262728292a2b2c2d2e2f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef":"":"":"601f95384f0d85946301d1eace8f645a825ce38f1e2565b0c0c439448e9ca8ac"
+
+CTR_DRBG_withDF.pdf: AES-256, PR=yes, perso=yes, add=yes
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_pr:"202122232425262728292a2b2c2d2e2f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f":"a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf":"738e99c95af59519aad37ff3d5180986adebab6e95836725097e50a8d1d0bd28"
+
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,0) #0
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"d254fcff021e69d229c9cfad85fa486c":"c18081a65d44021619b3f180b1c920026a546f0c7081498b6ea662526d51b1cb583bfad5375ffbc9ff46d219c7223e95459d82e1e7229f633169d26b57474fa337c9981c0bfb91314d55b9e91c5a5ee49392cfc52312d5562c4a6effdc10d068":"":"":"34011656b429008f3563ecb5f2590723"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,0) #1
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"7be87545266dadd1d73546c0927afc8d":"a7f38c750bd6ff41c4e79f5b7dd3024d58ca3f1f4c096486c4a73c4f74a2410c4c9c5143eb8c09df842ba4427f385bbf65c350b0bf2c87242c7a23c8c2e0e419e44e500c250f6bc0dc25ec0ce929c4ad5ffb7a87950c618f8cee1af4831b4b8e":"":"":"d5b1da77f36ce58510b75dfde71dbd5d"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,0) #2
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"3771416b162f4d9c5f48a05b7aa73938":"d20a0e5cdb714f01b48e00bae51909f345af05de13217e5d55fc6c2d705aea550420d9a458594d825b71e16b36130020cf5948fe813462061c1a222d1ff0e1e4b3d21ae8eee31d3260330d668d24ef3c8941b8720e8591b7deec4bd35a3a1f1a":"":"":"3cbd7d53ac1772c959311419adad836e"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,0) #3
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"f2bad8f7dab3f5886faa1cf6e1f52c87":"4df54a483b4510ed76049faae14b962fbb16459d1f6b4f4dbeca85deded6018361223c893f9442719c51eb5695e1304a1c2be8c05d0846b6510a9525a28831a8efcbd82aa50540d7e7864e2b8a42d44380cdc6e02eebb48d0b5a840b7cdd6e04":"":"":"0062d822bc549bea292c37846340789b"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,0) #4
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"1c5760aa0fd4ce308735b28682b67246":"89defd4445061c080e4762afac194b9f79c4bb1ed88c961af41d9d37bd388a1d45c82ca46f404348a2ae5e22ce00aa35ebc7c5051d8800890d44d25284489efcbd1f5e2b16e403f6921f71bbdfcf7b9aeddef65bc92fbd1cb9e4ea389aee5179":"":"":"3baf81155548afca67d57c503d00a5b4"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,0) #5
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"b72b9451a5e866e226978623d36b3491":"2713d74affed98e3433559e17d240288bb1a1790904cd7754cad97007e205a157b8ddca704a3624413f2ec8361ccd85442fb0b7cc60a247f0fd102cef44677321514ea4186d0203ab7387925d0222800ce2078c4588bc50cdfccbc04fbecd593":"":"":"047a50890c282e26bfede4c0904f5369"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,0) #6
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"91b955a3e7eccd7f07290cba4464baff":"b160465448894c7d5ee1963bb3e1a2f3f75fcd167ffa332c41c4c91c1830b7c07413bd580302958aa6fa81588ad2b3173698a4afafda468acb368dbbd524207196b9a3be37ac21ba7a072b4c8223492ee18b48551524d5c3449c5c8d3517212e":"":"":"af2c062fedb98ee599ae1f47fc202071"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,0) #7
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"d08114670c4f6016a4cf9d2da3e3a674":"38dfbfb52c185acf74de00b5a50f0cd9688286747ab340cfe9ad30d38b390fd2443bfd7ea93941d8262ae0f66b0eab4ff64ba59a2ff940c3c26fda103e0d798dbcaa1318e842143975673af8408b5af48dfbaa56ca4f9ddc87100028b4a95549":"":"":"55030fef65c679ecaffb0dc070bfd4d2"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,0) #8
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"e2af9abe8770e33798a5f05b22057d24":"88fb2a8020e604ea64a620f4704078857062cc97e24604c30de4c70cbf5e5bea0f0db79d16f4db636a2d6cd992c5890389a40cfe93967eac609e5b9f66788944285758547c7136ef2ee3b38724ed340d61763d0d5991ece4924bb72483b96945":"":"":"a44f0cfa383916811fffb2e0cfc9bfc3"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,0) #9
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"ae30f1642753c5cb6e118d7ff5d59f1d":"340def3420b608420d81b4ea8252a3d86d3e1dd7597e6063ed923a73a7b8e981e6079f7f0c42deb9f4ef11d2f3581abadf44b06d882afdc47896777ce8dafd85ec040f7873d0e25c4be709c614a28b708e547266ac8f07f5fdb450d63bc0c999":"":"":"c7e7670145573581842bd1f3e0c6e90b"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,0) #10
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"711ecfe467d6f83bcc82e566729669af":"21d6c822706d1af09e4d233c0ebac7f4ec60c7be2500dd41a85a19b2dc5c7da27f8a82164bd2a644218cb5ac283c547da1064784413eed5ecf32fadd00357abaae81225ac8d0391ead533362cff56798825445d639b0b45e0312aa7047c00b4d":"":"":"d3a0d2c457f5e9d1328a9e1d22b6eaf6"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,0) #11
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"f9b22152bc0eff1ebf0bfafeea40aecf":"4ee32f0aeadb3936e17f1aa3b18c10f773def5f83500c2ba96f84408a2521c1258f6be9aa5cee528746629aa2b8118ac41dd98ef1b3de31d26b8c2ad3442081203f5ef21df409df3381fbf2e064fbaec64d731dc93b3218e34bb3b03bfd88373":"":"":"86009b14c4906a409abe6ca9b0718cbe"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,0) #12
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"5174e76e904ff1471367ccace9c66ed9":"fa81535670275e8ab74121377cf88a4742dd0d7a99cf06eb9c2b4fe2b03423dbe441201144c22a9fc0ca49f5ef614987a2271cc1089d10ee01b25163c090a1f263797e4f130920cdc3b890a078e8abbb070ded2e8fd717f4389f06ff2c10d180":"":"":"18d6fcd35457d2678175df36df5e215d"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,0) #13
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"73c372f60519e8eca371eaa13fb54f88":"930c290a797b85d58b52d0d92356436977b2f636f07d5a80c987fb7eea6b750cceb9eb87860547ab4029865a6810fc5c3663c4e369f290994461d2e9c7160a8b5985853bd9088b3e969f988fe6923b3994040eeee09ad353b969d58938237cfe":"":"":"f62c7cfbe74555744790bcc7930e03c3"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,0) #14
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"75ba8ddeef24f9f5b00b426a362c4f02":"7065d128ddb2fc6ea31f4110b6c0934ed112c51d74a4a0741a0843d8befac22902a01353322674c3d58935144a0f8f171a99dbeab71272ff7518c46cc7ebb573adbf95bff8ec68eeba5e8ec1221655aed8420086bda89c7de34f217dce73ccab":"":"":"700761857ea2763e8739b8f6f6481d1c"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,256) #0
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"14051b57277bc3d3bbae51bdecfb9f5d":"82c80d922c47bbec0f664dd623e22a11a3b84d308351e45e30ee286e89547d22c43e17b3ca0fa08f77eef1001ba696932e9ee890e7aac4661c138e5b5ce36773d3120c35f8c94e0a78ffbf407a63ca435392e17c07461522fdc1f63f037aacff":"b70e7c1c4b8e0f1770e05b29a93f9d7a6540f23ab84136b05b161d85e5f19251":"5a737c128bd69f927f8f3ad68f93f6356d5f4ec0e36b6b50ced43dcd5c44dbc2":"a4e6c754194a09614994b36ecce33b55"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,256) #1
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"4526b268128ea35f8558b4e1d08388f2":"952f3f179cbbda27ebd30f4fc31bf96baccb2adbaa9c090bc0f37044a44e85b3bc668cd3533faaf56b5da9242844d65733f7ac1f55c38b175749b88e18d19672b7bdab54e0ababdd4519fb07e0c25578f64ad40d0beb0a26275d5e2f4906aa70":"6b167c7cebea2e585ab974b60c4d305a113102ca8c3dc87651665728c4c675ad":"a038f1ca1f420eae449791f13be4901bfb91e41e052e02635b1f1817bd8969b1":"745ec376282e20fd1f9151f7040ed94a"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,256) #2
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"c1aafa90f394e0ba9a528032dc6780d3":"75fd042bfd994de2c92e5aa505945ec93bd7cf366d86a356723fca3c9479ee17fb59c6ca8ba89784d43f06cdad113e5081e02427ee0714439d88dc1a6257fc91d99c1a15e92527847ab10883cc8f471cad8cf0882f5b6d33a846a00dee154012":"c704164ce80a400cb2f54d1b2d7efa20f32b699fa881bfc7b56cfd7c4bee1ea6":"f3baff4b6f42c8e75b70c2a72a027b14a99ae49a5a47c7af0f538843c94e1a69":"7af9113cd607cdb4c6534f401fe4e96c"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,256) #3
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"e6e726b72e7b264a36ec0cd60d4578b5":"0c3c6dd706076d6484478347559b495d7ee898c39cde06027bc99f7bf69ce1140ca04602265e1308af6dd6446a1cf151749b22a99e8a05d30cc3ccd00e663bc1bc37e08ee62834fcc52a4bc8c1d6442544187484f81dc729417d5bedfcab5a54":"d84b978483c0bd8f8c231d92ea88ac21e6e667215804b15725a7ed32f7fc5dd7":"9a8971f6c559f7f197c73a94a92f957d1919ad305f4167c56fe729d50e5754a5":"e16ee5bceca30f1fbcadb5de2d7cfc42"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,256) #4
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"0272d86db283244eb7ee0ed8c8054b89":"a08ce39f2f671e1f934821a8db9070f39a734a7a20e70307fccca17db15bb4e8a421600df11d1a6e7806a14826739322c8043649ea707180f1d00dea752c2c36398030519465864c4d38163f5b0dd5be07dbc0ae29693ad4a67ca69f28414634":"aa97055cf46ba26465dfb3ef1cf93191625c352768b2d8e34459499a27502e50":"dddd0007eb29fdf942220e920ca0637db4b91cbf898efd2696576ff6bfacb9d1":"9db0057e39ca6e0f16e79b4f8a0ed5c7"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,256) #5
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"4ad8f72a0d0e28a758722b20e3017d7e":"89af36a1c53f730c1b818b26aa510627b17e6f9da51c8e53930de883b7cc7a3e8c3c463c910646ac3ff08f05bca8e340daf9a322d133ae453fdf7e6860a27ff4495c89875431ba9de3e4f3247cda8c62acc86f7066448f639d8ba8b5249337f8":"9d060b7ed63bdb59263c75ebe6a54bf3a4ac9c9926ca8fb49caa905a2651eead":"016099232dc44bb7cdb492f4955ab1aabc5dc0b5731447cea2eb1d92e41482d1":"4b658e95adae4bf0c418fded4431c27f"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,256) #6
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"aa19b944c2e1b9d27933bc87322bdf14":"dc8c60dd42c85fed86cb32af035bbde5737526eb07991397c853256f2f0cb311bce70e1c5e32fc3510402d7d7e3de36fa5e584234daf391bc53cc651e001ab7fcf760679b3c82057f9d09bfdcab8e158d4daa63b20c0e1102f7a06bf5a2788dd":"6b98fec5f7de8098ff9df80f62473c73831edace832a767abf5965ea8bf789ba":"cc998bd5752f9c96ec35d9658cc8b3833dd6ab80c7accd6777c06c2cf7c01e59":"fc58833e0e27f7705e4937dd2aadb238"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,256) #7
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"10c8c17a25041e2ef0d3cc80671e4cfe":"513fb96b6164ece801e52855aad28cb80131e7872d8432d27a974fb62d8d0100bb7ebcb8f5c066e230377a8847d6798c3d8090469b9719a80ac956ac33186b00eb8ca64c5530421f93932bc7c98ee92651e85dab562483bdb189676802726647":"240f36a0a598fe2116ffa682824f25acc35132f137f5221bc0ff05b501f5fd97":"22a5eb5aa00309a762ab60a8c2647eebe1083f8905104b5d375ed1661b4c8478":"145a16109ec39b0615a9916d07f0854e"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,256) #8
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"cea0c3c12be683c0f27693650a6a3d7d":"df8bc70e45fe14abb02c1b9a9754c37497fc2f67709edd854196fc4d074b12797ce7cb292f14cb1d6904abf32bf229299db5ccf5a791a3b8cd3e40a64f38f6b57df759a863e09d7676d2f3ff2762cdab221151000dba32a67f38cab93d5b7a55":"bf2ac545d94e318066ff88f39791a8385e1a8539e99ac4fa5a6b97a4caead9d4":"846efef8672d256c63aa05a61de86a1bbc6950de8bfb9808d1c1066aef7f7d70":"8d8f0389d41adcac8ca7b61fc02409c3"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,256) #9
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"1b782af2545352631983dc89945ffc37":"51930fb7095edef3fc20aca2a24127f03d3c4b983329e013ad8a35016f581dd7b2d11bafbf971c1fdefd95a0024195e6e90a60ec39b1a8dbe0cb0c3aabf9cf56b662efc722b2dffa6c3be651f199cbc3da2315b4d55aeafd1492283889e1c34f":"1b6295986f6fb55dc4c4c19a3dba41066fdc0297d50fb14e9501ba4378d662ed":"6e66ff63fc457014550b85210a18f00beab765f9e12aa16818f29d1449620d28":"78dfcb662736a831efaa592153a9aff9"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,256) #10
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"6580f6df5c8de7c4a105c11ed44435c2":"d37403db6f84a7ba162e1cc351fe2e44d674ae8606280c9dac3e3975f30cbe1c9925e502a9804b91aada5cc97b259b90ccb5b8103394d9a28f0709fc9b5ffe9d73ad3672e02064ea68cebe3face5d823ee605c46c173db591135f564558dab4c":"97486a5e6ce6c6cf9d3f9a313d346cbc34b2bd54db80c5f8d74d6f6939f89519":"8377fcb52556f9974f1aa325d6e141d7b81355bd160abbc86e0007571b3c1904":"77031d3474303470dca9336b1692c504"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,256) #11
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"f5303f148d6d6faca90aa88b07ab2ba9":"a0de51b8efa44b8245dba31d78f7840b2b7abced4e265b4cd9628eabc6ebbccb0f118dd8cc958b36dc959e22c4a03dafa212eeedec7d25ee6c5961187bee83b1ed3a75c7bdd9d0713b16cc67e68231f4cb274c8f3dfcc7e5d288c426a0d43b8f":"8d1fddc11dbad007e9b14679a5599e5e8a836197f14d010f3329d164c02d46d6":"9ceb6570568455d42a7397f8ca8b8af7a961a33a73770544cca563c04bc919ca":"9882f0bd1f6129a78b51d108e752b2d9"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,256) #12
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"5a799c58985aa2898cc8fe8e5bc4a9f8":"dbdbef9d217e9051025c321b628c1cc823d508ffdd13fc4edbe8677658a57ef5b64395a6b7d62c0e93dc0956ee0217ec48ae054f1d4680023cc1b2af666efa9e1458cf6b0dae72eef2392e93687bd1fb5f366bb2cdd12937ad09724e39db4189":"8c179b35739e75719e74f7c3e038bc06eb3e212d6ade85275cfebf12b2dce2a2":"af617f2e228adde3edaf52a7e5979476dbb9cd2956a1737d93a16563bbbb4888":"49a04f3b4ef052747c7f4e77c91603e8"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,256) #13
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"8f5b51983a8156a529f559ac3afebbf0":"bf22b182d39622e941017285adbdfe446c3d1a72601d0e5a15674f3b1b260170b1b2ab6b588a0267d86776a5d4ce80e132d7135a581af75ea6de65153680e28ce35ce78d0917b4932000d62260149e5a3ae72bc250548390b664f53c697dac45":"4cbb5b2d6e666d5dd3dd99b951ea435cae5a75d2e1eb41a48c775829b860e98b":"a4b4171c2592516404434932ad0a8ee67bd776a03479b507c406405b3d8962bc":"cab49631733f06e3fb3e0898e5ad22e7"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,0,256) #14
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"9f305a77cbaec1ab408cfc0eb89c6cbb":"1e50fada1e76a0d243e6f64c36a173ddc1f47a1dab834f5cd492568792958d5be22cce3110c8e8958b47f07b5c63f86b254942361d4d553e47d36103f47cd7f0bbee27d2e238b1d85671afe8284ee1fd2a431a5f69b2df73e95341c3a2e4fe4b":"c254f3b40e773eb09053b226820f68cafa3458ad403ad36f715245a854752a93":"699e177b7be3353c45ce7b7a0d573b00087d700a9f2c1cd2e370e05d4ddadc86":"bb6b02b25a496f29245315f58a16febc"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,0) #0
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"e09f65dcffc0d3a4d84bacc41617a4e46ce5184eca011049ab657566f728e4aa28315ffac166ebe50e1269b01c95b3a2":"545a783ae97d827ed0b81d9752ad0f7e965f511b1f5dae0f872e9ec37cfe63af86c1d15e153887989b605773b16ad5505e65f617cfa8ef46547c4c3f9d0c4fd0b6e1cff5ca0f1929266fe43ba8f45ad664cfe5e90903a9cb722b42ae8989c148":"":"":"1e77d7cc18775fef9a3d3e00903da01b"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,0) #1
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"056cd44c8847d89da05fbef95e9660d589046b0c02f9b42c17fd8b069f831c73cd896005ec080113589b6f07be6e42ea":"dde6c0850fe642602eb222ca7371213c598cef8c3e71e0593ea8edb54e1bed130b9b0aebe0893093b950c52f56eb9b338aa4bd01dae030515726ece1bf751660b4a3602da6400e4b94edebba646b5c3d4e64ceea1c4f14b7a19f0142783247df":"":"":"a790ab939e63555d02ea1e9696051725"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,0) #2
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"73c72c7dfe138ef4b9817d41b9722b3940762b59bda26b3f6bb8b30583e01d088a29726b71d36ffeebdb387010cb1bb6":"6fe09520e26f5abece0fceadc54913c650a9f55725af45a9a5f373d09b9970b8706b9041d0189a204f6a4eb527dfa86584a3bee3265b809c3932ae5e7228194a3cf7592fc9301c833b45a53be32b9caec9f0f91ba86519f12b0b235f68419c1e":"":"":"798d997f46ff7cc4206994085340325e"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,0) #3
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"cdba7c7033c34852b7bc1a6b33edab36f41d563bd0395d1001c02ffc0c42ec8595ed2b5ddabc923372e3b6bb457833fa":"532960c23c8c8b2146576dde52fadc985134914abf42ca1c5f47206937fda41289ae5d9f935dc4ce45f77cad230a4f345599e3bae4071188324483a0b93593c96d8b6ac6c0d8b52f8795c44171f0d8cd0b1e85dc75ce8abe65d5f25460166ba0":"":"":"9d48160aca60f1a82baaa8a7d804a3d8"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,0) #4
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"02cef01aca992f60aa12db4b2c441689e4972a6f9deaf3663082afed642c1502b67b42d490af1c52c7e6eaf459882eca":"9216c9a833f81953792260a688eb7c3dfc85565ae6a6033203741a763db056247808e0ecd5ba1fc4549c3a757eba535adc786e810ddaae9a2714d31f5154f2c3ee81108669f1239f4f4efd6e18aabfa2d88f0ac25f4740108f6cfebffeb2d857":"":"":"d6378bcf43be1ad42da83780c1dab314"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,0) #5
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"d7d80084e9d1fbb9315c3bce1510dbf22cf11fa54177d913a3b04b64cb30957395bd6f3d7e3d866d1be41b29db9ed81d":"80d4741e4e646748bb65e1289f1f9b3c21bffec4d0a666b301f199d76b4a83464583057079b069946b03d6ac81ebf9e6fa8d4081120f18bf58286a0c4de7576f36f3c7c353126f481a065ac28bdf28e13cd0c1e7911db6343c47d613f1750dc6":"":"":"9165a92ed92248b2d237d9f46d39bde8"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,0) #6
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"df5a68d3bede467fd69716f5f8fbac297594b8573921afb864ba76aaa6dd89e83b89e359a5a0dd1aac9b4acb9573d218":"52df6336f93781115c2a77bd8f99cb717871fe14707947a21f6093dd9205bc378acf61329f8831369b4b1af0a9edfb25d74f5863f26859ad9c920767b113c47ed2690053bf9a2f7c7a67a8d680e08865720b9e9f7b6ae697e3c93e66f24b6ddc":"":"":"c542cf248a163bbceee7b9f1453bd90b"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,0) #7
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"2945527372ff71edfa5776f55f7e4a247544aa6de974e81b2eba5552843ab6dfa248695f4f3225a43d4bf3672c3a6b2e":"aa560af2132cbd0624a69c7a7e733cd59a4f2d4e61d2b830087bd88f30fa792c7e4d3168fa86a10f7619d5b9dcf4f7bb08b350ba6a6bfc0fdfb7ee7aca07260c9a11abe49963c36efaefa94d2978ed09472bf93cc873d0f24c000762bb1402cd":"":"":"33af0134eeca279dce5e69c2cda3f3f4"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,0) #8
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"b30cb767125674f6099a5cf7cb2e4f5b6c1cd1e32ffc1e393b1c5698b52b37f971f12521a7c1ffaaf3233d5391bc4c86":"2d42b00248d95d9378a2aece40d636bc1ab22edaaa64daa34335195a9efa4c1b58f13ac184ca2be52e15c3a977abde2aa505243fc106c4ea6f0671fe0f209b106ea8965645af73d8ebb8a80251db2967149c701cfe1d157cc189b03bf1bff1ac":"":"":"1e10eff9ceebc7e5f66e5213cb07fca4"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,0) #9
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"c962a2da4524f08adcdd5ceddc04e669ad6154aee06164645e80c832506b98f9919451c7ec1d3a6a9704f83def8f6e2d":"a1ff68a85e437475b1b518821dbaac1730071a4ddd3255361778194fb0cfe3293e38df81527d8b8da15d03acb26467b6b53d7952441b79f95b633f4a979d998fd0417b9193023288b657d30c0cb2dada264addf9d13f1f8ed10b74e2dd2b56b3":"":"":"58990069b72b7557c234d5caf4334853"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,0) #10
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"a3cc1fe561d03a055e8eedaa0e713be490c4bd4c6839a5b98c2ac0139bf215bdc46783d2a3e6b9d15d9b7a8bfe15104b":"207267911c12125cb3012230e4fafd257777ccbfb91653f77e4c1287574f9b79d81af7fb304790349dd457983cc99b48d5f4677ccd979fcc6e545cbf5b5c8b98102c9a89ae354349dbdee31a362d47c7cdae128034c0f4c3e71e298fe1af33c6":"":"":"ffd1d259acd79111a6fb508181272831"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,0) #11
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"ecf186071b81e0ed384d4ebfb5bf261b4054e2e6072b51d21dfb6817adc51ff1c8956ff3612767538cdc8d73fade78b3":"3b9aec9f8bf8495004c5e4e731e5c347988e787caf003f001e68584e3510a6abdedffa15895702c2d57c304300f4f0af80a89bcc36b3cea2f08a0740236b80cfd2ea6e5cfe4144bc4ae09270fb6bc58c313dbaaedc16d643fc0565171f963222":"":"":"a2d917f5ec39a090b55d51713006e49d"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,0) #12
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"3fcedba86089709aa638d00713150df781d4a93e85f155338e90ff537bcbf017f37a2d62259f5d8cc40ddfb041592539":"6b1e9d45c2ec598de7527b6414a339f26192fc4e3f5eff4b3a3e2a80ee0f2e9743031804d1be12b3c7ff6fbc222db1d97226890addeef0e1579a860e2279292c2f769416b7068f582f6ffc192ae4c4f1eeb41d5f77f0a612b059c47aef8e3d8e":"":"":"aa414799c51957de97c0070fb00eb919"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,0) #13
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"f4c45fb8f58b7ebf73a0cd81c6a26686977558d4b8bf1cedfc6bd3754de6aaed5008fd72208437c54d8feb9a16ce3224":"6d170cf472ea07da6146a7087ed15d3f5b6ad72b8c99e46bae3b89e49a6e63467199ee16096516c2362dbd181bf5343a29fd0932d72eeb019fc3bfea3a3b01ffc2b985e341cfb6479d9dc71e2197b5cffc402587182e5fe93b5a8cf75eac2e42":"":"":"f557f627688fe63c119cf0f25274aa74"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,0) #14
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"7120742a7807b66c5a9b50995d5494a5b9451bb795393c0d8a30ae665879269408f8297d49ab87410a7f16a65a54b1cb":"c08a6f9797ea668cd14ba6338cb5d23c0921e637e66a96259f78e33e45aafd035edb44394cb459453b9b48beac1e32d3b6f281473cda42fb6fd6c6b9858e7a4143d81bfc2faf4ef4b632c473be50a87b982815be589a91ca750dc875a0808b89":"":"":"521973eac38e81de4e41ccc35db6193d"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,256) #0
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"add2bbbab76589c3216c55332b36ffa46ecae72072d3845a32d34b2472c4632b9d12240c23268e8316370bd1064f686d":"6168fc1af0b5956b85099b743f1378493b85ec93133ba94f96ab2ce4c88fdd6a0b23afdff162d7d34397f87704a84220bdf60fc1172f9f54bb561786680ebaa9bf6c592a0d440fae9a5e0373d8a6e1cf25613824869e53e8a4df56f406079c0f":"7e084abbe3217cc923d2f8b07398ba847423ab068ae222d37bce9bd24a76b8de":"946bc99fab8dc5ec71881d008c8968e4c8077736176d7978c7064e99042829c3":"224ab4b8b6ee7db19ec9f9a0d9e29700"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,256) #1
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"8964ebde61f0c4e23f8e91244ae9682ed0b17e424edd4c025b461a2d209a538583f29465df3f89cf04f703b771ff5c90":"4db8e8a27fe7a0378e37d4cc01b6a465d34be91f48c52fdc1023ef2ea1241082f522805bc8777fda6c10e3d441b58f648edcd7d4df3df8c8a398d7b005c4fd6f41c9b033bd38fc5f577069251529b58273f6a9175feb3978798fdeb78a043232":"5eb3fb44784f181852d80fcf7c2e3b8414ae797f7b9b013b59cf86b9d3a19006":"3eec358f7f9e789e4ad5a78dd73987addbf3ae5b06d826cec2d54425289dc9af":"9a66c015d2550e3f78c44b901075fabb"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,256) #2
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"98784aa794df5400890e6803f06d886aeb0833b1fea28a5f7952397aa21092ceafdb9194079f3609bc68233147c778e7":"7338521e8e127e70da259b37f5f5cdf83079bdb4024234b8ceecfba8d8c3f1c8510ff91f3bd08f2c54f11b534048a320a15ba0fccec8da34d4ef7f49ade4847814c859831907992d0adab27046324d4d9a853eb986b8de25b34ea74eb3d11048":"b14c5314aac11cb43f45730e474b84fbf5d1480d94d0699b80e3570f6636aa72":"d6208912348236feee1d258092283dd9db75899769dd109cc2f0f26d88dcc6bf":"5ec75fdd1ed3a742328e11344784b681"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,256) #3
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"fe9b7df306c4ccd02afd6142c6650418325617945147de436a55e78aa45866116d6678e013a0e2c5a13e0d01fbd84039":"c4da56f4239fde0bc49b1d852cb36c80205f9e99e5995a80be04bbbba15f25b8d054c397a34cff1326a71f0acc4f7942795cabc3fa46339dc54b4bf7f11c095af8503004d97c485acec8815d1404674592c896ecfabefcbf222f4fe5a3ced0af":"086d09a6ee20c69bf5c054ebc6250f06097c8da1a932fb3d4b1fb5f40af6268a":"44e64b14c49ebb75c536329bb41ab198848849ca121c960db99f7b26330b1f6d":"7aa3a7e159d194399fc8ef9eb531a704"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,256) #4
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"c0d47ee2328185df2c299d270e11fee26df753a5b4f899fdc0dff79eb50748232f9f79cf3f5e9bd4a26a48e743843b02":"a6b5dd5f1bad95331caae5852be50a26267af655c98feb8b66c45a8ae2ddfca270ab0d8023e43e6e22a7b5904d63482f045e85556b9c105cde0f3eb7b1fff1026086c80b195196803b5f664362b659578894d6551fb7c4566eec02202fdc298f":"3b575d028046e7f6005dfcdfcdcf03ff77a9cacd2516bcdff7f3601a9a951317":"f13b58daed46f5bf3c62b518ab5c508dd2bc3e33d132939049421ff29c31c4f0":"8469dfa89453d1481abedd6cc62e4e44"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,256) #5
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"a0db812a939fbf3942b00be018cff4578b9fb62629c766a50f3518fe634100b1cbc4244ae843fe32125c53b653705457":"7e3dca20a7a977b6616a684e309015cf6a37edd0d85819fe91d074c915b0c9540a8aa486f58685b064851d6164150b1c1b0e2e545c6358d28b2f5263b2fd12c503d271ab6de76d4fa4c604cae469335840328008d8ce5545586b9ea6b21da4f9":"554b297bc32866a52884fabfc6d837690de30467b8f9158b258869e6f4ed0831":"4f688cba5908e0699b33b508847f7dac32f233e6f02cf093efdacae74259f3b6":"9696dd6ed5875cdef4a918a6686455a8"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,256) #6
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"ff6cd20443a32c9e938f2a617bbb969ba54040b12723b0d452a669b584ba16ffaacbe38af62b5a62e0c67d165d022344":"efcf7536f32932526fe82b3a2333508404727878723fc09cbd902581d82463cf6acf1ddf4217ea6404469193e8db0e7e8c864ae655b49c6a095f80f1ab16985453f0fb729c119d8a3b820034626a93b1f70eb99b6cd8c990dda34a1c6a4b6eea":"8d412208091b987ee0781ff679c50dbab9ef389156f570f27aaf3e699bdade48":"501381ce5e7718c92ee73e9c247965dd5f0bbde013c4b5e625e9af8907e40566":"4f323934adb8a2096f17d5c4d7444078"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,256) #7
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"bd14779153ed9696d3e5143c50b2050b6acd3ea2f8b670ef0e5f4bedf01705727bf9e64ae859214abe6ef497163f0236":"bfb0931b05a3fe232614e1b1c3060b3b07fb75d23ac10190a47a7245a6ecad5f3834e6727b75acc37e9d512d01a4a9cef6cb17eb97e4d1d7c1df572296972f0437a89c19894f721cbe085cf3b89767291a82b999bf3925357d860f181a3681ce":"0b5dc1cdfc40cfdc225798da773411dc9a8779316ceb18d1e8f13809466c6366":"843eb7297570e536b5760c3158adb27c0c426c77d798c08314f53b59aa72d08b":"1e703f3122455a40536c39f9ea3ceaa6"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,256) #8
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"64b155fd4b8634663a7e8a602e2b9fe2477be74692643ccfd0b316a025ea6f1fc0dfd0833248cb011082be36cba3c5d1":"a5b15cb1e039d7bbe2db80a32d4f402c7d3c59a45b05255401d1122770dbdb9894841964d5cadc9ae9af007d63e870d0510078885ca402bd222f16d2d27892e23292b65cf370b15d5e5a739ddd13e3e27f7c2e2b945f8e21897c3bbf05d8b043":"aea2fe995be77dfdca6ebaa1c05ba4c84d0e6b9a87905c398a3dfe08aeb26d38":"f4e9e7eb0eea4e2d419de6ad2909d36ec06c79097884bf98981e86dedae366ba":"4a28955dc97936b1c0aed0751a1afed5"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,256) #9
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"e6c08e8b8d8e418477087911610096f7e0422083a376a77198e9c60fb2dc8c14aff33d7835878b65322f1561738b1ebb":"d4e0347c2158b882eb1e165f7f2aa1324d6606fe259ca730b2a3367435cb93b89108e49bd97355215063f63e78e8926b264c8a97571fd4d55882364915b7bd544254c25c2b67cdd979737c7811bcdeef5b052d8fe05a89b3291ef669d5579a61":"6607541177bc0c5f278c11cb2dcb187fc9f2c9a9e8eefa657ba92dee12d84b07":"7a439c8593b927867cfa853949e592baea0eeb394b0e2fe9ab0876243b7e11e2":"420888122f2e0334757c4af87bbc28a4"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,256) #10
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"4413ff775c9b7d9a3003e0b727e34554e0f615471d52aeb4a059777b372d60332a1a4bcaf906e598581bc5a369b2c933":"a21cf567362fed0edddfd0b1c2d85ff6d2db5484fca8bf90a82da2ab76efcac9286e417628496f37effda150ef4912125aac68aac72e6f900a70192d4ef0b4cc4e9419c93ffb245965ae30c5f8abe20f732d76080bde5a1c6b3f075eb35622d1":"b924d145fc3ecd76f000f12638ef0a49a5d4cf887aa93fc9e5c536febc454f2d":"73dbb40b257e6598744f9107c8e7ff51a080407fc9e80d39d9a4db94f167c116":"84457ea753771ad7c97ce9c03ab08f43"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,256) #11
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"5e409d56afb6940f9ffa45e0f92ef4972acedd3557b8e0f5418e302f2720ae5289294176045ad3096ea68db634cf5597":"c5a63c886af7ed7496473a6ae2f27f056c7e61c9aca8c5d095af11b2efe1a6b43344f92b37c7b6977ddbef1273e9511d9305fcbe7f32bc6a62f28d34841350362d2717dd00467224a35985b9fecc2739acd198743849dbfa97f458e2e7d6b1dc":"7fda133a23e929b17548a05013ff9c7085c5af9c979057b8f961ba7514509ff3":"bd061292b6bc3d3e71ed01af091f0169f70f23862efccd9e76345ff607dff3ec":"75b35dab3ad5e35c10ee39529a7f840f"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,256) #12
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"ed2a52169791d7c7d332cf258ea4847c359335f9a6839ee767a8f76800ba28e94858cc9b7f526e62a93603fa2b1caa6b":"0a6155ff422ff6ae9814f81bf353bd3454d0c9892f9f3d730dcd8c87626f813cbe1dff1922fe73e4a319be53f4ec05e965c27f239b1e51869069a7e7cdd916fc1fd6f640bfe4b761a8040f8db37fb5ee7508e7d226c7695fb2a8bd791fe49ef2":"14073a1b4f07f3b594fa43d0c8781b8089dd2d9b8ad266e0321aaa6b71a0d058":"4247fc6886e8657b84369cf14469b42aa371d57d27093ee724f87bf20fa9e4e6":"f2aea2bc23e7c70f4ee2f7b60c59d24d"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,256) #13
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"f0d3a46501da7ab23d8688725f53f4289ce3bfa627646fe301533ec585f866caafb8131e95460566270f68cd25e1f153":"223d49f99a56cfcf2eb8cca39a8a82ee306c6272d521257f3d7d2a87699111e442fc55a399994d57373141f2207d43a8bbc1e086d67343b7dc2a891853c860fe43fb6be32cf035aca582bf5590cb5001b09b4976ea617fa7bd56da81fdef2df9":"7d12673cad5ad5003400fb94547e2b987e934acf6b930c0e7aec72634bfb8388":"e8583b9983b3ac589a6bb7a8405edfc05d7aa5874a8643f9ac30a3d8945a9f96":"ce72c0ea0e76be6bc82331c9bddd7ffb"
 
 CTR_DRBG NIST Validation (AES-256 use df,True,256,128,256,256) #14
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_validate_pr:"1e4644df1d01f9a0f31d1d0c67bc9fb9a1ee2223fbfb25520d3881cde2b183b73fe1a8cc5f17796cf22aaaed57607420":"cdac62b5e4ccee8609b1f4b7a8733e69068c71219b6292ecb318b9d3479516807af280cfa20e455d5e96eb6794a3b963957f3c099fd1e1199706d36a06011836af890f3b7b15cda6346a06fdd0f194de40bfbec12b021b02eeabaa34d35b30a3":"8169251ea55cce534c6efd0e8a2956d32ed73be71d12477cea8e0f1ab8251b50":"865d14cb37dd160a3f02f56ac32738f9e350da9e789a1f280ee7b7961ec918a7":"ff11ba8349daa9b9c87cf6ab4c2adfd7"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #0
-ctr_drbg_validate_nopr:"1b54b8ff0642bff521f15c1c0b665f3f":"5a194d5e2b31581454def675fb7958fec7db873e5689fc9d03217c68d8033820f9e65e04d856f3a9c44a4cbdc1d00846f5983d771c1b137e4e0f9d8ef409f92e":"":"":"":"a054303d8a7ea9889d903e077c6f218f"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"1b54b8ff0642bff521f15c1c0b665f3f":"5a194d5e2b31581454def675fb7958fec7db873e5689fc9d03217c68d8033820f9e65e04d856f3a9c44a4cbdc1d00846f5983d771c1b137e4e0f9d8ef409f92e":"":"":"":"a054303d8a7ea9889d903e077c6f218f"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #1
-ctr_drbg_validate_nopr:"90bc3b555b9d6b6aeb1774a583f98cad":"93b7055d7888ae234bfb431e379069d00ae810fbd48f2e06c204beae3b0bfaf091d1d0e853525ead0e7f79abb0f0bf68064576339c3585cfd6d9b55d4f39278d":"":"":"":"aaf27fc2bf64b0320dd3564bb9b03377"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"90bc3b555b9d6b6aeb1774a583f98cad":"93b7055d7888ae234bfb431e379069d00ae810fbd48f2e06c204beae3b0bfaf091d1d0e853525ead0e7f79abb0f0bf68064576339c3585cfd6d9b55d4f39278d":"":"":"":"aaf27fc2bf64b0320dd3564bb9b03377"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #2
-ctr_drbg_validate_nopr:"4a2a7dcbde58b8b3c3f4697beb67bba2":"58364ceefad37581c518b7d42ac4f9aae22befd84cbc986c08d1fb20d3bd2400a899bafd470278fad8f0a50f8490af29f938471b4075654fda577dad20fa01ca":"":"":"":"20c5117a8aca72ee5ab91468daf44f29"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"4a2a7dcbde58b8b3c3f4697beb67bba2":"58364ceefad37581c518b7d42ac4f9aae22befd84cbc986c08d1fb20d3bd2400a899bafd470278fad8f0a50f8490af29f938471b4075654fda577dad20fa01ca":"":"":"":"20c5117a8aca72ee5ab91468daf44f29"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #3
-ctr_drbg_validate_nopr:"911faab1347ae2b3093a607c8bc77bfe":"2f044b8651e1c9d99317084cc6c4fa1f502dd62466a57d4b88bc0d703cabc562708201ac19cdb5cf918fae29c009fb1a2cf42fd714cc9a53ca5acb715482456a":"":"":"":"aae0c0ac97f53d222b83578a2b3dd05d"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"911faab1347ae2b3093a607c8bc77bfe":"2f044b8651e1c9d99317084cc6c4fa1f502dd62466a57d4b88bc0d703cabc562708201ac19cdb5cf918fae29c009fb1a2cf42fd714cc9a53ca5acb715482456a":"":"":"":"aae0c0ac97f53d222b83578a2b3dd05d"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #4
-ctr_drbg_validate_nopr:"f959f1bc100ae30088017fae51289d8e":"77d0f0efbc7ca794a51dff96e85b8e7dfd4875fbfb6e5593ae17908bfbddc313e051cb7d659c838180d834fdd987ae3c7f605aaa1b3a936575384b002a35dd98":"":"":"":"5d80bc3fffa42b89ccb390e8447e33e5"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"f959f1bc100ae30088017fae51289d8e":"77d0f0efbc7ca794a51dff96e85b8e7dfd4875fbfb6e5593ae17908bfbddc313e051cb7d659c838180d834fdd987ae3c7f605aaa1b3a936575384b002a35dd98":"":"":"":"5d80bc3fffa42b89ccb390e8447e33e5"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #5
-ctr_drbg_validate_nopr:"45a8bb33062783eede09b05a35bd44dd":"6bb14dc34f669759f8fa5453c4899eb5ac4e33a69e35e89b19a46dbd0888429d1367f7f3191e911b3b355b6e3b2426e242ef4140ddcc9676371101209662f253":"":"":"":"0dfa9955a13a9c57a3546a04108b8e9e"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"45a8bb33062783eede09b05a35bd44dd":"6bb14dc34f669759f8fa5453c4899eb5ac4e33a69e35e89b19a46dbd0888429d1367f7f3191e911b3b355b6e3b2426e242ef4140ddcc9676371101209662f253":"":"":"":"0dfa9955a13a9c57a3546a04108b8e9e"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #6
-ctr_drbg_validate_nopr:"0ada129f9948073d628c11274cec3f69":"b3d01bcb1ec747fdb7feb5a7de92807afa4338aba1c81ce1eb50955e125af46b19aed891366ec0f70b079037a5aeb33f07f4c894fdcda3ff41e2867ace1aa05c":"":"":"":"f34710c9ebf9d5aaa5f797fd85a1c413"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"0ada129f9948073d628c11274cec3f69":"b3d01bcb1ec747fdb7feb5a7de92807afa4338aba1c81ce1eb50955e125af46b19aed891366ec0f70b079037a5aeb33f07f4c894fdcda3ff41e2867ace1aa05c":"":"":"":"f34710c9ebf9d5aaa5f797fd85a1c413"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #7
-ctr_drbg_validate_nopr:"052a5ad4cd38de90e5d3c2fc430fa51e":"98482e58e44b8e4a6b09fa02c05fcc491da03a479a7fad13a83b6080d30b3b255e01a43568a9d6dd5cecf99b0ce9fd594d69eff8fa88159b2da24c33ba81a14d":"":"":"":"3f55144eec263aed50f9c9a641538e55"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"052a5ad4cd38de90e5d3c2fc430fa51e":"98482e58e44b8e4a6b09fa02c05fcc491da03a479a7fad13a83b6080d30b3b255e01a43568a9d6dd5cecf99b0ce9fd594d69eff8fa88159b2da24c33ba81a14d":"":"":"":"3f55144eec263aed50f9c9a641538e55"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #8
-ctr_drbg_validate_nopr:"004cd2f28f083d1cee68975d5cbbbe4f":"6238d448015e86aa16af62cdc287f1c17b78a79809fa00b8c655e06715cd2b935bf4df966e3ec1f14b28cc1d080f882a7215e258430c91a4a0a2aa98d7cd8053":"":"":"":"b137119dbbd9d752a8dfceec05b884b6"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"004cd2f28f083d1cee68975d5cbbbe4f":"6238d448015e86aa16af62cdc287f1c17b78a79809fa00b8c655e06715cd2b935bf4df966e3ec1f14b28cc1d080f882a7215e258430c91a4a0a2aa98d7cd8053":"":"":"":"b137119dbbd9d752a8dfceec05b884b6"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #9
-ctr_drbg_validate_nopr:"f985b3ea2d8b15db26a71895a2ff57cd":"50d3c4ecb1d6e95aebb87e9e8a5c869c11fb945dfad2e45ee90fb61931fcedd47d6005aa5df24bb9efc11bbb96bb21065d44e2532a1e17493f974a4bf8f8b580":"":"":"":"eb419628fbc441ae6a03e26aeecb34a6"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"f985b3ea2d8b15db26a71895a2ff57cd":"50d3c4ecb1d6e95aebb87e9e8a5c869c11fb945dfad2e45ee90fb61931fcedd47d6005aa5df24bb9efc11bbb96bb21065d44e2532a1e17493f974a4bf8f8b580":"":"":"":"eb419628fbc441ae6a03e26aeecb34a6"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #10
-ctr_drbg_validate_nopr:"100f196991b6e96f8b96a3456f6e2baf":"d27cbeac39a6c899938197f0e61dc90be3a3a20fa5c5e1f7a76adde00598e59555c1e9fd102d4b52e1ae9fb004be8944bad85c58e341d1bee014057da98eb3bc":"":"":"":"e3e09d0ed827e4f24a20553fd1087c9d"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"100f196991b6e96f8b96a3456f6e2baf":"d27cbeac39a6c899938197f0e61dc90be3a3a20fa5c5e1f7a76adde00598e59555c1e9fd102d4b52e1ae9fb004be8944bad85c58e341d1bee014057da98eb3bc":"":"":"":"e3e09d0ed827e4f24a20553fd1087c9d"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #11
-ctr_drbg_validate_nopr:"88f55d9ba8fef7828483298321133fec":"16f9f5354d624c5ab1f82c750e05f51f2a2eeca7e5b774fd96148ddba3b38d34ba7f1472567c52087252480d305ad1c69e4aac8472a154ae03511d0e8aac905a":"":"":"":"07cd821012ef03f16d8510c23b86baf3"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"88f55d9ba8fef7828483298321133fec":"16f9f5354d624c5ab1f82c750e05f51f2a2eeca7e5b774fd96148ddba3b38d34ba7f1472567c52087252480d305ad1c69e4aac8472a154ae03511d0e8aac905a":"":"":"":"07cd821012ef03f16d8510c23b86baf3"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #12
-ctr_drbg_validate_nopr:"126479abd70b25acd891e1c4c92044f9":"70afbc83bf9ff09535d6f0ddc51278ad7909f11e6f198b59132c9e269deb41ba901c62346283e293b8714fd3241ae870f974ff33c35f9aff05144be039d24e50":"":"":"":"0f90df350741d88552a5b03b6488e9fb"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"126479abd70b25acd891e1c4c92044f9":"70afbc83bf9ff09535d6f0ddc51278ad7909f11e6f198b59132c9e269deb41ba901c62346283e293b8714fd3241ae870f974ff33c35f9aff05144be039d24e50":"":"":"":"0f90df350741d88552a5b03b6488e9fb"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #13
-ctr_drbg_validate_nopr:"a45f2fca553089fe04e7832059dc7976":"5e5a9e1e3cb80738c238464ede1b6b6a321261a3b006a98a79265ad1f635573bba48dccf17b12f6868478252f556b77c3ec57a3bf6bb6599429453db2d050352":"":"":"":"6eb85ae2406c43814b687f74f4e942bc"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"a45f2fca553089fe04e7832059dc7976":"5e5a9e1e3cb80738c238464ede1b6b6a321261a3b006a98a79265ad1f635573bba48dccf17b12f6868478252f556b77c3ec57a3bf6bb6599429453db2d050352":"":"":"":"6eb85ae2406c43814b687f74f4e942bc"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #14
-ctr_drbg_validate_nopr:"52dbb43241002415966eaec2615aba27":"31cfe60e5ed12ff37d7f2270963def598726320c02b910b5c6c795e2209b4b4a95866c64cb097af1d6404d1e6182edf9600e1855345375b201801d6f4c4e4b32":"":"":"":"2a270f5ef815665ddd07527c48719ab1"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"52dbb43241002415966eaec2615aba27":"31cfe60e5ed12ff37d7f2270963def598726320c02b910b5c6c795e2209b4b4a95866c64cb097af1d6404d1e6182edf9600e1855345375b201801d6f4c4e4b32":"":"":"":"2a270f5ef815665ddd07527c48719ab1"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #0
-ctr_drbg_validate_nopr:"176200bb44808b5400b24e1b5f56cf73":"f84d395b1734eac4600dbc36f6b1e1599bc7f2608dc8ecb3a55369d7b1b122a09f5ac9c16d9a2be37d2ff70a9bba732fc3785b23ff4ade3c8404da3f09f95a8f":"aef28c9169e9af74c73432d4aa6f5dff9ea4a53433de2ecb9bf380a8868c86e1":"0626ae19763c5313b627a8d65cf1cfba46dfd6773242738b9b81fde8d566ade1":"63c160ed6a6c1fffd0586f52fa488a9055533930b36d4fa5ea3467cda9ffe198":"e8f91633725d786081625fb99336a993"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"176200bb44808b5400b24e1b5f56cf73":"f84d395b1734eac4600dbc36f6b1e1599bc7f2608dc8ecb3a55369d7b1b122a09f5ac9c16d9a2be37d2ff70a9bba732fc3785b23ff4ade3c8404da3f09f95a8f":"aef28c9169e9af74c73432d4aa6f5dff9ea4a53433de2ecb9bf380a8868c86e1":"0626ae19763c5313b627a8d65cf1cfba46dfd6773242738b9b81fde8d566ade1":"63c160ed6a6c1fffd0586f52fa488a9055533930b36d4fa5ea3467cda9ffe198":"e8f91633725d786081625fb99336a993"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #1
-ctr_drbg_validate_nopr:"19c3d16197ac93bf58c4110c9e864804":"50755cc0178c68ae70befd7744f6f1e3f6a59b3bbe484a744436079c7fae8d83c4965516fb952c63e1d0561d92cccc56037465815c9e549c9adce4a064877128":"5cb82d2c297404f3db1909480c597dd081d94ca282ba9370786a50f3cbab6a9b":"96d130faf1a971920c2bf57bcd6c02d5a4af7d3c840706081e4a50e55f38bf96":"1b0d04f179690a30d501e8f6f82201dbab6d972ece2a0edfb5ca66a8c9bcf47d":"4628b26492e5cb3b21956d4160f0b911"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"19c3d16197ac93bf58c4110c9e864804":"50755cc0178c68ae70befd7744f6f1e3f6a59b3bbe484a744436079c7fae8d83c4965516fb952c63e1d0561d92cccc56037465815c9e549c9adce4a064877128":"5cb82d2c297404f3db1909480c597dd081d94ca282ba9370786a50f3cbab6a9b":"96d130faf1a971920c2bf57bcd6c02d5a4af7d3c840706081e4a50e55f38bf96":"1b0d04f179690a30d501e8f6f82201dbab6d972ece2a0edfb5ca66a8c9bcf47d":"4628b26492e5cb3b21956d4160f0b911"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #2
-ctr_drbg_validate_nopr:"4b1edd0f53bf4e012def80efd740140b":"e50c31ebbb735c4a53fc0535647ae1fff7a5ac4fa4068ba90f1fa03ca4ddedecd5b1898d5e38185054b0de7e348034b57067a82a478b0057e0c46de4a7280cd9":"e7154ec1f7ac369d0bd41238f603b5315314d1dc82f71191de9e74364226eb09":"9444238bd27c45128a25d55e0734d3adafecccb2c24abdaa50ac2ca479c3830b":"ab2488c8b7e819d8ce5ec1ffb77efc770453970d6b852b496426d5db05c03947":"a488a87c04eb1c7586b8141ed45e7761"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"4b1edd0f53bf4e012def80efd740140b":"e50c31ebbb735c4a53fc0535647ae1fff7a5ac4fa4068ba90f1fa03ca4ddedecd5b1898d5e38185054b0de7e348034b57067a82a478b0057e0c46de4a7280cd9":"e7154ec1f7ac369d0bd41238f603b5315314d1dc82f71191de9e74364226eb09":"9444238bd27c45128a25d55e0734d3adafecccb2c24abdaa50ac2ca479c3830b":"ab2488c8b7e819d8ce5ec1ffb77efc770453970d6b852b496426d5db05c03947":"a488a87c04eb1c7586b8141ed45e7761"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #3
-ctr_drbg_validate_nopr:"1f89c914649ae8a234c0e9230f3460f9":"5e029c173dc28ab19851a8db008efbcf862f4187fca84e4e6f5ba686e3005dba5b95c5a0bcf78fb35ada347af58ec0aca09ed4799cd8a734739f3c425273e441":"b51f5fd5888552af0e9b667c2750c79106ce37c00c850afbe3776746d8c3bce1":"9b132a2cbffb8407aa06954ae6ebee265f986666757b5453601207e0cbb4871b":"f1c435e2ebf083a222218ee4602263872a2d3e097b536a8cc32a5a2220b8065f":"a065cc203881254ca81bd9595515e705"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"1f89c914649ae8a234c0e9230f3460f9":"5e029c173dc28ab19851a8db008efbcf862f4187fca84e4e6f5ba686e3005dba5b95c5a0bcf78fb35ada347af58ec0aca09ed4799cd8a734739f3c425273e441":"b51f5fd5888552af0e9b667c2750c79106ce37c00c850afbe3776746d8c3bce1":"9b132a2cbffb8407aa06954ae6ebee265f986666757b5453601207e0cbb4871b":"f1c435e2ebf083a222218ee4602263872a2d3e097b536a8cc32a5a2220b8065f":"a065cc203881254ca81bd9595515e705"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #4
-ctr_drbg_validate_nopr:"0ef2be2d00a16051404fc2a0faa74fdc":"b66c882ae02c5215ed3bcd9e9a40934b09bf48a15fe7558c9d9ceb0ebec63625ea18f7c3ab341d9f7edd8e1d8816edecb34dbd71ae02771327b5ebc74613dadd":"1ebe9893957a5c4a707793906d31bb201e88d88a22abd6baa6461fc61def7ffb":"f81e26744834413cb95af8d438d0050c7c968f929a33e35ee5c6715a0a520950":"687a848b2b6c715a0e613b3f3bb16cf2f056543eb9dd6b8aee8de8aa6fd8a1e6":"a6c4a7e99d08cc847ac0b8c8bcf22ec0"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"0ef2be2d00a16051404fc2a0faa74fdc":"b66c882ae02c5215ed3bcd9e9a40934b09bf48a15fe7558c9d9ceb0ebec63625ea18f7c3ab341d9f7edd8e1d8816edecb34dbd71ae02771327b5ebc74613dadd":"1ebe9893957a5c4a707793906d31bb201e88d88a22abd6baa6461fc61def7ffb":"f81e26744834413cb95af8d438d0050c7c968f929a33e35ee5c6715a0a520950":"687a848b2b6c715a0e613b3f3bb16cf2f056543eb9dd6b8aee8de8aa6fd8a1e6":"a6c4a7e99d08cc847ac0b8c8bcf22ec0"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #5
-ctr_drbg_validate_nopr:"eb2439d156c4f51fb1943c26f27de8af":"ad153fd266d9f73b21f4e5e88d3d13ba8325abdec427d5d8f671cfccdbd3510e9774d59a14d9b5472b217b7bcf355436a51965d2dff7c4ac586ab812f20d326e":"e24bd6b69a40fa0a02cefbbaa282f8f63a80e154be338d1b913418d4ff7a810d":"fd40baf11d7cdd77641a2b46916cb0c12980e02612ef59fb6fe7dabbbe7a85c0":"a40019e3b85d7d5775e793dd4c09b2bdc8253694b1dcb73e63a18b066a7f7d0c":"7cd8d2710147a0b7f053bb271edf07b5"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"eb2439d156c4f51fb1943c26f27de8af":"ad153fd266d9f73b21f4e5e88d3d13ba8325abdec427d5d8f671cfccdbd3510e9774d59a14d9b5472b217b7bcf355436a51965d2dff7c4ac586ab812f20d326e":"e24bd6b69a40fa0a02cefbbaa282f8f63a80e154be338d1b913418d4ff7a810d":"fd40baf11d7cdd77641a2b46916cb0c12980e02612ef59fb6fe7dabbbe7a85c0":"a40019e3b85d7d5775e793dd4c09b2bdc8253694b1dcb73e63a18b066a7f7d0c":"7cd8d2710147a0b7f053bb271edf07b5"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #6
-ctr_drbg_validate_nopr:"b23796d88ee5ae75ff2ba4fbbd5e2de8":"b249d2d9b269b58c5355710aaae98be12d8fb2e79046b4e6deeec28adad7e789999847e20de11f7c3277216374f117e3e006bdf99bb8631aa4c4c542cd482840":"79f0214b6b0c5ffb21b1d521498b71d22c67be4607c16300ab8dde3b52498097":"582be1e080264b3e68ec184347a5b6db1e8be1811578206e14ad84029fe39f71":"f5e9c3356810793f461f889d8c5003b1c0b20a284cb348301ce7b2dd7a1c7dd7":"1aa8cf54994be6b329e9eb897007abf0"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"b23796d88ee5ae75ff2ba4fbbd5e2de8":"b249d2d9b269b58c5355710aaae98be12d8fb2e79046b4e6deeec28adad7e789999847e20de11f7c3277216374f117e3e006bdf99bb8631aa4c4c542cd482840":"79f0214b6b0c5ffb21b1d521498b71d22c67be4607c16300ab8dde3b52498097":"582be1e080264b3e68ec184347a5b6db1e8be1811578206e14ad84029fe39f71":"f5e9c3356810793f461f889d8c5003b1c0b20a284cb348301ce7b2dd7a1c7dd7":"1aa8cf54994be6b329e9eb897007abf0"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #7
-ctr_drbg_validate_nopr:"081db0b1620a56afd87c2fd2bebb1db3":"3f1e90d88870a0bd03364036b655495e3e7d51bf67fb64ba0cbf003430af5585f5936b84ab3b8a55c02b8b6c54bea09cf2d77691858c5818991383add5f0c644":"5b98bc83ae8bed5c49cb71689dc39fee38d5d08bdfa2a01cee9d61e9f3d1e115":"aad3e58fdd98aa60fc2cae0df3fc734fff01a07f29f69c5ffeb96d299200d0d8":"bad9039ebb7c3a44061353542a2b1c1a89b3e9b493e9f59e438bfc80de3d1836":"8d01e3dc48b28f016fc34655c54be81f"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"081db0b1620a56afd87c2fd2bebb1db3":"3f1e90d88870a0bd03364036b655495e3e7d51bf67fb64ba0cbf003430af5585f5936b84ab3b8a55c02b8b6c54bea09cf2d77691858c5818991383add5f0c644":"5b98bc83ae8bed5c49cb71689dc39fee38d5d08bdfa2a01cee9d61e9f3d1e115":"aad3e58fdd98aa60fc2cae0df3fc734fff01a07f29f69c5ffeb96d299200d0d8":"bad9039ebb7c3a44061353542a2b1c1a89b3e9b493e9f59e438bfc80de3d1836":"8d01e3dc48b28f016fc34655c54be81f"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #8
-ctr_drbg_validate_nopr:"a8427443d9c34abcdcca061a2bbcff52":"b0e9b2192adc8912653d90a634d5d40c53ca4383290a8764bdf92667f859d833c3e72ad0ff41e07fe257b1ead11649be655c58a5df233114e7eda2558b7214d7":"c6cad9fb17ada437d195d1f8b6a7fa463e20050e94024170d2ffc34b80a50108":"be461a9c1a72ebaf28ee732219e3ca54cbee36921daaa946917a7c63279a6b0e":"b6d110d6b746d7ccf7a48a4337ba341d52508d0336d017ae20377977163c1a20":"16ccd63dbf7b24b6b427126b863f7c86"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"a8427443d9c34abcdcca061a2bbcff52":"b0e9b2192adc8912653d90a634d5d40c53ca4383290a8764bdf92667f859d833c3e72ad0ff41e07fe257b1ead11649be655c58a5df233114e7eda2558b7214d7":"c6cad9fb17ada437d195d1f8b6a7fa463e20050e94024170d2ffc34b80a50108":"be461a9c1a72ebaf28ee732219e3ca54cbee36921daaa946917a7c63279a6b0e":"b6d110d6b746d7ccf7a48a4337ba341d52508d0336d017ae20377977163c1a20":"16ccd63dbf7b24b6b427126b863f7c86"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #9
-ctr_drbg_validate_nopr:"86bd02976e6c50656372b8c212cf0a7a":"89900b0febf6b4e19ab8fc5babb4122a8aad86d658d0c2f98988c99fbd8530ff4ad365bd5fddaa15f96537bd72deb5384405b610e6ebae83e848307051fd6c82":"41bf3794ee54647a48a2588fdfdea686f1af6792e957d42f181f2631b207ac0c":"c4478afbea4eecb225448f069b02a74c2a222698c68e37eb144aff9e457f9610":"41a99e0d3f5b767f9bedcb2f878a5d99d42856bed29042d568b04e347624bf7f":"863337529aac9ab1e9f7f8187ea7aa7d"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"86bd02976e6c50656372b8c212cf0a7a":"89900b0febf6b4e19ab8fc5babb4122a8aad86d658d0c2f98988c99fbd8530ff4ad365bd5fddaa15f96537bd72deb5384405b610e6ebae83e848307051fd6c82":"41bf3794ee54647a48a2588fdfdea686f1af6792e957d42f181f2631b207ac0c":"c4478afbea4eecb225448f069b02a74c2a222698c68e37eb144aff9e457f9610":"41a99e0d3f5b767f9bedcb2f878a5d99d42856bed29042d568b04e347624bf7f":"863337529aac9ab1e9f7f8187ea7aa7d"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #10
-ctr_drbg_validate_nopr:"e809ef8d4c3d82575833d51ac69481b2":"3e831b7715ce202c95ec85337e2c0061d972169955bd96fbe1f758508c0336b3226260ea5e66f943b538eb115ffe4d5e534cbe58262a610528641629bc12fc75":"4d40c6a961168445c1691fea02ebd693cb4b3f74b03d45a350c65f0aaccb118b":"b07dc50e6ca7544ed6fdebd8f00ed5fa9b1f2213b477de8568eb92dddaabfe3f":"cbac982aa9f1830d0dc7373d9907670f561642adb1888f66b4150d3487bf0b8d":"2814be767d79778ebb82a096976f30db"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"e809ef8d4c3d82575833d51ac69481b2":"3e831b7715ce202c95ec85337e2c0061d972169955bd96fbe1f758508c0336b3226260ea5e66f943b538eb115ffe4d5e534cbe58262a610528641629bc12fc75":"4d40c6a961168445c1691fea02ebd693cb4b3f74b03d45a350c65f0aaccb118b":"b07dc50e6ca7544ed6fdebd8f00ed5fa9b1f2213b477de8568eb92dddaabfe3f":"cbac982aa9f1830d0dc7373d9907670f561642adb1888f66b4150d3487bf0b8d":"2814be767d79778ebb82a096976f30db"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #11
-ctr_drbg_validate_nopr:"ad71caa50420d213b25f5558e0dc1170":"6a3fd23e7dc934e6de6eb4cc846c0dc3cf35ea4be3f561c34666aed1bbd6331004afba5a5b83fff1e7b8a957fbee7cd9f8142326c796ca129ec9fbacf295b882":"3042dd041b89aaa61f185fdda706c77667515c037f2a88c6d47f23ddadc828ae":"9b1e3f72aaab66b202f17c5cc075cfba7242817b2b38c19fe8924ca325b826ea":"8660b503329aaea56acdb73ca83763299bac0f30264702cb9d52cbaf3d71d69d":"c204a3174784d82b664e9a1c0a13ffa6"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"ad71caa50420d213b25f5558e0dc1170":"6a3fd23e7dc934e6de6eb4cc846c0dc3cf35ea4be3f561c34666aed1bbd6331004afba5a5b83fff1e7b8a957fbee7cd9f8142326c796ca129ec9fbacf295b882":"3042dd041b89aaa61f185fdda706c77667515c037f2a88c6d47f23ddadc828ae":"9b1e3f72aaab66b202f17c5cc075cfba7242817b2b38c19fe8924ca325b826ea":"8660b503329aaea56acdb73ca83763299bac0f30264702cb9d52cbaf3d71d69d":"c204a3174784d82b664e9a1c0a13ffa6"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #12
-ctr_drbg_validate_nopr:"5fd6606b08e7e625af788814bef7f263":"baf8750e07194fc7172c736e0fdea0a632810d45602dff17ce37adf106d652f87e31b6bd24d21481c86444d8109586118672a6f93731b7438a3f0f39648b83a3":"3c37193d40e79ce8d569d8aa7ef80aabaa294f1b6d5a8341805f5ac67a6abf42":"c7033b3b68be178d120379e7366980d076c73280e629dd6e82f5af1af258931b":"452218a426a58463940785a67cb34799a1787f39d376c9e56e4a3f2215785dad":"561e16a8b297e458c4ec39ba43f0b67e"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"5fd6606b08e7e625af788814bef7f263":"baf8750e07194fc7172c736e0fdea0a632810d45602dff17ce37adf106d652f87e31b6bd24d21481c86444d8109586118672a6f93731b7438a3f0f39648b83a3":"3c37193d40e79ce8d569d8aa7ef80aabaa294f1b6d5a8341805f5ac67a6abf42":"c7033b3b68be178d120379e7366980d076c73280e629dd6e82f5af1af258931b":"452218a426a58463940785a67cb34799a1787f39d376c9e56e4a3f2215785dad":"561e16a8b297e458c4ec39ba43f0b67e"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #13
-ctr_drbg_validate_nopr:"08def734914ecf74b9eccb5dfaa045b8":"6697f889fcf6dae16881dc1e540e5c07f9461d409acee31842b04f93c00efbba670dfbf6040c1c2e29ad89064eae283fd6d431832f356e492bc5b2049f229892":"a6ac87af21efd3508990aac51d36243d46237b3755a0e68680adb59e19e8ae23":"0052152872b21615775431eb51889a264fed6ca44fa0436b72a419b91f92604c":"ebadf71565d9a8cc2621403c36e6411e7bed67193a843b90ccf2f7aa9f229ca2":"c83fa5df210b63f4bf4a0aca63650aab"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"08def734914ecf74b9eccb5dfaa045b8":"6697f889fcf6dae16881dc1e540e5c07f9461d409acee31842b04f93c00efbba670dfbf6040c1c2e29ad89064eae283fd6d431832f356e492bc5b2049f229892":"a6ac87af21efd3508990aac51d36243d46237b3755a0e68680adb59e19e8ae23":"0052152872b21615775431eb51889a264fed6ca44fa0436b72a419b91f92604c":"ebadf71565d9a8cc2621403c36e6411e7bed67193a843b90ccf2f7aa9f229ca2":"c83fa5df210b63f4bf4a0aca63650aab"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #14
-ctr_drbg_validate_nopr:"6437862e93060def199029ff2182f1e5":"719d1afcb6dc8ca26cba6a7c10f59cf82345b2a0c631a7879812d6f2d2663b49f9e92daecb81ff7c0790205d66694526477d6de54a269f542cb5e77fe4bc8db3":"5c961db0ac2ea8caf62c9acc44465dcfb4d721fcb2cd3e1c76cdcb61bfaa7e75":"24eabd392d37493e306705d0b287be11a4d72dd4b9577ac4098ef0dae69b0000":"9e4f05c1b85613e97958bc3863e521331b2bd78fdf2585f84607bf2238e82415":"21aaae76dc97c9bf7cf858054839653e"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"6437862e93060def199029ff2182f1e5":"719d1afcb6dc8ca26cba6a7c10f59cf82345b2a0c631a7879812d6f2d2663b49f9e92daecb81ff7c0790205d66694526477d6de54a269f542cb5e77fe4bc8db3":"5c961db0ac2ea8caf62c9acc44465dcfb4d721fcb2cd3e1c76cdcb61bfaa7e75":"24eabd392d37493e306705d0b287be11a4d72dd4b9577ac4098ef0dae69b0000":"9e4f05c1b85613e97958bc3863e521331b2bd78fdf2585f84607bf2238e82415":"21aaae76dc97c9bf7cf858054839653e"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #0
-ctr_drbg_validate_nopr:"cd7a1981c1b7079c1c38f5aeee86db22207cb9faed8c576b1724ca7817aa6abfb26c42a019eb4c2f4064f0587ea2b952":"7f88c3805ae0857c5cbb085a5d6259d26fb3a88dfe7084172ec959066f26296a800953ce19a24785b6acef451c4ce4c2dfb565cbe057f21b054a28633afbdd97":"":"":"":"76c1cdb0b95af271b52ac3b0c9289146"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"cd7a1981c1b7079c1c38f5aeee86db22207cb9faed8c576b1724ca7817aa6abfb26c42a019eb4c2f4064f0587ea2b952":"7f88c3805ae0857c5cbb085a5d6259d26fb3a88dfe7084172ec959066f26296a800953ce19a24785b6acef451c4ce4c2dfb565cbe057f21b054a28633afbdd97":"":"":"":"76c1cdb0b95af271b52ac3b0c9289146"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #1
-ctr_drbg_validate_nopr:"0ccdac2fd65a86bf8f8e9ddcabffb9d29a935139f627c165a815b23137eeee94cbb21be86ac5117379177d37728db6fd":"6f61703f92d3192cd982b2e52a8683e0d62918d51b12e084deae06c4a8e08ecfb3d2d30a980a70b083710bc45d9d407966b52829cf3813cc970b859aa4c871fe":"":"":"":"e6c73e159d73c2ba8950cd77acb39c10"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"0ccdac2fd65a86bf8f8e9ddcabffb9d29a935139f627c165a815b23137eeee94cbb21be86ac5117379177d37728db6fd":"6f61703f92d3192cd982b2e52a8683e0d62918d51b12e084deae06c4a8e08ecfb3d2d30a980a70b083710bc45d9d407966b52829cf3813cc970b859aa4c871fe":"":"":"":"e6c73e159d73c2ba8950cd77acb39c10"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #2
-ctr_drbg_validate_nopr:"fbbcc4abfd671296de3e0dcf409a139e35deae126c1941bf1afcc8d3da3a2d65f54a6d317bb6d683a3a77f6266b007ff":"c662ed723e7041877542fdcf629533d4a74393eb4dae4f3ec06d2d1c0d37ed7f519609a8485cb8deb578ae4cbb45c98ef7f2f2e677363e89fb3744286db6bfc1":"":"":"":"9d934d34417c6d0858f4a3faacbe759e"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"fbbcc4abfd671296de3e0dcf409a139e35deae126c1941bf1afcc8d3da3a2d65f54a6d317bb6d683a3a77f6266b007ff":"c662ed723e7041877542fdcf629533d4a74393eb4dae4f3ec06d2d1c0d37ed7f519609a8485cb8deb578ae4cbb45c98ef7f2f2e677363e89fb3744286db6bfc1":"":"":"":"9d934d34417c6d0858f4a3faacbe759e"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #3
-ctr_drbg_validate_nopr:"1b824790b6b22b246bcc1bcfbbb61a76045476672f917b72e79cca358e650eb29ed49fb0a5739e097f5f5336d46fc619":"c57a5686486ebacc2422236b19110c754795a869a8157901cf71303de1adc6af16a952190a395d6c20e155e690f41922f6f721dc8e93da81afb844f68714cba7":"":"":"":"13e7bf23d88f3bb5a5106a8227c8c456"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"1b824790b6b22b246bcc1bcfbbb61a76045476672f917b72e79cca358e650eb29ed49fb0a5739e097f5f5336d46fc619":"c57a5686486ebacc2422236b19110c754795a869a8157901cf71303de1adc6af16a952190a395d6c20e155e690f41922f6f721dc8e93da81afb844f68714cba7":"":"":"":"13e7bf23d88f3bb5a5106a8227c8c456"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #4
-ctr_drbg_validate_nopr:"2ea7861e374232cb8ceecbbd9a18fc1f63c31f833fe394f1e19c8ef61092a56f28342fa5b591f7b951583d50c12ef081":"6a0873634094be7028b885c345cd5016295eec5e524f069de6510ae8ac843dba2cc05c10baa8aad75eac8e8d1a8570f4d2a3cf718914a199deb3edf8c993a822":"":"":"":"c008f46a242ae0babad17268c9e0839a"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"2ea7861e374232cb8ceecbbd9a18fc1f63c31f833fe394f1e19c8ef61092a56f28342fa5b591f7b951583d50c12ef081":"6a0873634094be7028b885c345cd5016295eec5e524f069de6510ae8ac843dba2cc05c10baa8aad75eac8e8d1a8570f4d2a3cf718914a199deb3edf8c993a822":"":"":"":"c008f46a242ae0babad17268c9e0839a"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #5
-ctr_drbg_validate_nopr:"39caa986b82b5303d98e07b211ddc5ce89a67506095cad1aeed63b8bfe0d9c3d3c906f0c05cfb6b26bab4af7d03c9e1a":"f2059f7fb797e8e22de14dac783c56942a33d092c1ab68a762528ae8d74b7ad0690694ede462edbd6527550677b6d080d80cdabe51c963d5d6830a4ae04c993f":"":"":"":"202d3b2870be8f29b518f2e3e52f1564"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"39caa986b82b5303d98e07b211ddc5ce89a67506095cad1aeed63b8bfe0d9c3d3c906f0c05cfb6b26bab4af7d03c9e1a":"f2059f7fb797e8e22de14dac783c56942a33d092c1ab68a762528ae8d74b7ad0690694ede462edbd6527550677b6d080d80cdabe51c963d5d6830a4ae04c993f":"":"":"":"202d3b2870be8f29b518f2e3e52f1564"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #6
-ctr_drbg_validate_nopr:"a4e25102c1b04bafd66bfe1ce4a4b340797f776f54a2b3afe351eede44e75c28e3525155f837e7974269d398048c83c3":"0a03b7d026fab3773e9724dacb436197954b770eca3060535f2f8152aa136942915304dede1de0f5e89bd91d8e92531b5e39373013628fea4ee7622b9255d179":"":"":"":"be21cab637218ddffa3510c86271db7f"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"a4e25102c1b04bafd66bfe1ce4a4b340797f776f54a2b3afe351eede44e75c28e3525155f837e7974269d398048c83c3":"0a03b7d026fab3773e9724dacb436197954b770eca3060535f2f8152aa136942915304dede1de0f5e89bd91d8e92531b5e39373013628fea4ee7622b9255d179":"":"":"":"be21cab637218ddffa3510c86271db7f"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #7
-ctr_drbg_validate_nopr:"6de33a116425ebfe01f0a0124ad3fad382ca28473f5fc53885639788f9b1a470ab523b649bad87e76dee768f6abacb55":"d88312da6acbe792d087012c0bf3c83f363fa6b7a9dd45c3501009fb47b4cfcfeb7b31386155fe3b967f46e2898a00ecf51ec38b6e420852bef0a16081d778cc":"":"":"":"2c285bfd758f0156e782bb4467f6832c"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"6de33a116425ebfe01f0a0124ad3fad382ca28473f5fc53885639788f9b1a470ab523b649bad87e76dee768f6abacb55":"d88312da6acbe792d087012c0bf3c83f363fa6b7a9dd45c3501009fb47b4cfcfeb7b31386155fe3b967f46e2898a00ecf51ec38b6e420852bef0a16081d778cc":"":"":"":"2c285bfd758f0156e782bb4467f6832c"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #8
-ctr_drbg_validate_nopr:"b8ab42fd3f6306426602cae0c48eb02ffa7053940389900c17846e1d9726251762095383f2ec3406b3381d94a6d53dd8":"6a7873ccb7afb140e923acbec8256fa78232f40c0c8ba3dcbcf7074d26d6d18a7e78fffda328f097706b6d358048ee6a4728c92a6f62b3f2730a753b7bf5ec1f":"":"":"":"13504a2b09474f90d2e9ef40d1f2d0d5"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"b8ab42fd3f6306426602cae0c48eb02ffa7053940389900c17846e1d9726251762095383f2ec3406b3381d94a6d53dd8":"6a7873ccb7afb140e923acbec8256fa78232f40c0c8ba3dcbcf7074d26d6d18a7e78fffda328f097706b6d358048ee6a4728c92a6f62b3f2730a753b7bf5ec1f":"":"":"":"13504a2b09474f90d2e9ef40d1f2d0d5"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #9
-ctr_drbg_validate_nopr:"042b524444b9903c1ecb80af21eef0e884115561a15a1ab2f9f3a322edcbf14174f54d315196a632940c2c6f56612c09":"31ba5f801aeaac790f2480fbd2373a76ba1685ebebc5ae7cd4844733ec3cfb112634b3899104dcc16050e1206f8b3fb787d43d54de2c804fd3d8eb98e512bb00":"":"":"":"0a0484c14e7868178e68d6d5c5f57c5c"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"042b524444b9903c1ecb80af21eef0e884115561a15a1ab2f9f3a322edcbf14174f54d315196a632940c2c6f56612c09":"31ba5f801aeaac790f2480fbd2373a76ba1685ebebc5ae7cd4844733ec3cfb112634b3899104dcc16050e1206f8b3fb787d43d54de2c804fd3d8eb98e512bb00":"":"":"":"0a0484c14e7868178e68d6d5c5f57c5c"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #10
-ctr_drbg_validate_nopr:"632758f92efaca39615862177c267906ab0424230d481ee0a5aa1a5f66697d3918d4aab3f310b72a7f2d71c0a96b9247":"46dc837620872a5ffa642399213b4eebfb28ca069c5eaaf2a636f5bd647de365c11402b10ecd7780c56d464f56b653e17af8550b90a54adb38173a0b2f9e2ea7":"":"":"":"90432ce3f7b580961abecde259aa5af6"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"632758f92efaca39615862177c267906ab0424230d481ee0a5aa1a5f66697d3918d4aab3f310b72a7f2d71c0a96b9247":"46dc837620872a5ffa642399213b4eebfb28ca069c5eaaf2a636f5bd647de365c11402b10ecd7780c56d464f56b653e17af8550b90a54adb38173a0b2f9e2ea7":"":"":"":"90432ce3f7b580961abecde259aa5af6"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #11
-ctr_drbg_validate_nopr:"7b389118af3d0f8336b41cf58c2d810f0e5f9940703fd56a46c10a315fb09aafd7670c9e96ffa61e0cb750cb2aa6a7fe":"76e92e9f00fc7d0c525c48739a8b3601c51f8f5996117a7e07497afee36829636e714dbcb84c8f8d57e0850a361a5bdfc21084a1c30fb7797ce6280e057309b7":"":"":"":"7243964051082c0617e200fcbbe7ff45"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"7b389118af3d0f8336b41cf58c2d810f0e5f9940703fd56a46c10a315fb09aafd7670c9e96ffa61e0cb750cb2aa6a7fe":"76e92e9f00fc7d0c525c48739a8b3601c51f8f5996117a7e07497afee36829636e714dbcb84c8f8d57e0850a361a5bdfc21084a1c30fb7797ce6280e057309b7":"":"":"":"7243964051082c0617e200fcbbe7ff45"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #12
-ctr_drbg_validate_nopr:"e50d38434e9dfe3601e7ea1765d9fe777d467d9918974b5599ec19f42d7054b70ff6db63a3403d2fd09333eda17a5e76":"c9aa4739011c60f8e99db0580b3cad4269874d1dda1c81ffa872f01669e8f75215aaad1ccc301c12f90cd240bf99ad42bb06965afb0aa2bd3fcb681c710aa375":"":"":"":"28499495c94c6ceec1bd494e364ad97c"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"e50d38434e9dfe3601e7ea1765d9fe777d467d9918974b5599ec19f42d7054b70ff6db63a3403d2fd09333eda17a5e76":"c9aa4739011c60f8e99db0580b3cad4269874d1dda1c81ffa872f01669e8f75215aaad1ccc301c12f90cd240bf99ad42bb06965afb0aa2bd3fcb681c710aa375":"":"":"":"28499495c94c6ceec1bd494e364ad97c"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #13
-ctr_drbg_validate_nopr:"3253cb074d610db602b0a0d2836df1f20c3ee162d80b90b31660bb86ef3f0789fa857af4f45a5897bdd73c2295f879b6":"b06960a92d32a9e9658d9800de87a3800f3595e173fdc46bef22966264953672e2d7c638cc7b1cada747026726baf6cea4c64ba956be8bb1d1801158bee5e5d4":"":"":"":"b6608d6e5fcb4591a718f9149b79f8f1"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"3253cb074d610db602b0a0d2836df1f20c3ee162d80b90b31660bb86ef3f0789fa857af4f45a5897bdd73c2295f879b6":"b06960a92d32a9e9658d9800de87a3800f3595e173fdc46bef22966264953672e2d7c638cc7b1cada747026726baf6cea4c64ba956be8bb1d1801158bee5e5d4":"":"":"":"b6608d6e5fcb4591a718f9149b79f8f1"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #14
-ctr_drbg_validate_nopr:"83e4733566f90c8d69e6bcbe9fb52521ff3e26f806d9b7b86e9344cca0305dbf106de855240f1d35492cc6d651b8b6ae":"0e0105b12af35ac87cb23cf9ca8fb6a44307c3dcdc5bc890eb5253f4034c1533392a1760c98ba30d7751af93dd865d4bd66fbbeb215d7ff239b700527247775d":"":"":"":"68d64d1522c09a859b9b85b528d0d912"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"83e4733566f90c8d69e6bcbe9fb52521ff3e26f806d9b7b86e9344cca0305dbf106de855240f1d35492cc6d651b8b6ae":"0e0105b12af35ac87cb23cf9ca8fb6a44307c3dcdc5bc890eb5253f4034c1533392a1760c98ba30d7751af93dd865d4bd66fbbeb215d7ff239b700527247775d":"":"":"":"68d64d1522c09a859b9b85b528d0d912"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #0
-ctr_drbg_validate_nopr:"a94da55afdc50ce51c9a3b8a4c4484408b52a24a93c34ea71e1ca705eb829ba65de4d4e07fa3d86b37845ff1c7d5f6d2":"a53e371017439193591e475087aaddd5c1c386cdca0ddb68e002d80fdc401a47dd40e5987b2716731568d276bf0c6715757903d3dede914642ddd467c879c81e":"20f422edf85ca16a01cfbe5f8d6c947fae12a857db2aa9bfc7b36581808d0d46":"7fd81fbd2ab51c115d834e99f65ca54020ed388ed59ee07593fe125e5d73fb75":"cd2cff14693e4c9efdfe260de986004930bab1c65057772a62392c3b74ebc90d":"4f78beb94d978ce9d097feadfafd355e"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"a94da55afdc50ce51c9a3b8a4c4484408b52a24a93c34ea71e1ca705eb829ba65de4d4e07fa3d86b37845ff1c7d5f6d2":"a53e371017439193591e475087aaddd5c1c386cdca0ddb68e002d80fdc401a47dd40e5987b2716731568d276bf0c6715757903d3dede914642ddd467c879c81e":"20f422edf85ca16a01cfbe5f8d6c947fae12a857db2aa9bfc7b36581808d0d46":"7fd81fbd2ab51c115d834e99f65ca54020ed388ed59ee07593fe125e5d73fb75":"cd2cff14693e4c9efdfe260de986004930bab1c65057772a62392c3b74ebc90d":"4f78beb94d978ce9d097feadfafd355e"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #1
-ctr_drbg_validate_nopr:"e8649d4f86b3de85fe39ff04d7afe6e4dd00770931330b27e975a7b1e7b5206ee2f247d50401a372c3a27197fec5da46":"78d7d65c457218a63e2eb1eba287f121c5466728ac4f963aeaabf593b9d72b6376daea6436e55415ad097dee10c40a1ff61fca1c30b8ab51ed11ff090d19ef9a":"cc57adc98b2540664403ad6fd50c9042f0bf0e0b54ed33584ee189e072d0fb8f":"ab2f99e2d983aa8dd05336a090584f4f84d485a4763e00ced42ddda72483cd84":"0ecd7680e2e9f0250a43e28f2f8936d7ef16f45d79c0fa3f69e4fafce4aeb362":"08e38625611bb0fb844f43439550bd7a"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"e8649d4f86b3de85fe39ff04d7afe6e4dd00770931330b27e975a7b1e7b5206ee2f247d50401a372c3a27197fec5da46":"78d7d65c457218a63e2eb1eba287f121c5466728ac4f963aeaabf593b9d72b6376daea6436e55415ad097dee10c40a1ff61fca1c30b8ab51ed11ff090d19ef9a":"cc57adc98b2540664403ad6fd50c9042f0bf0e0b54ed33584ee189e072d0fb8f":"ab2f99e2d983aa8dd05336a090584f4f84d485a4763e00ced42ddda72483cd84":"0ecd7680e2e9f0250a43e28f2f8936d7ef16f45d79c0fa3f69e4fafce4aeb362":"08e38625611bb0fb844f43439550bd7a"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #2
-ctr_drbg_validate_nopr:"6c79e1556889b3c074fc083a120d73784b888c5acb877899f17ce52e424b84178d144441aa9f328c730a951b02b048df":"c78ff6b9fc91cbce246c9fcc2366d5f7dd6d99fb1325d8997f36819232d5fcd12ccafdcbefd01409d90acd0e0ffb7427c820b2d729fe7e845e6a6168fc1af0b5":"60cba10826de22c5e85d06357de63d6b2ff0719694dafca6ab33283f3a4aacdd":"8943c22fb68b30811790a99b9cbb056e1a2c329185a199c76ba5aeceb2fcd769":"70671a50e8387bf232989d904c19215c7535ad2d0c5dec30a744c8d2706be6ec":"f6b94b671cae8dfa8387719bfd75ee84"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"6c79e1556889b3c074fc083a120d73784b888c5acb877899f17ce52e424b84178d144441aa9f328c730a951b02b048df":"c78ff6b9fc91cbce246c9fcc2366d5f7dd6d99fb1325d8997f36819232d5fcd12ccafdcbefd01409d90acd0e0ffb7427c820b2d729fe7e845e6a6168fc1af0b5":"60cba10826de22c5e85d06357de63d6b2ff0719694dafca6ab33283f3a4aacdd":"8943c22fb68b30811790a99b9cbb056e1a2c329185a199c76ba5aeceb2fcd769":"70671a50e8387bf232989d904c19215c7535ad2d0c5dec30a744c8d2706be6ec":"f6b94b671cae8dfa8387719bfd75ee84"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #3
-ctr_drbg_validate_nopr:"f5ab77b2a8e370548b88febfd79772144cd5fc8d78062582addd4ff1e5c10094b390e66b3c4efb087510de1b9d25703f":"21a21c9314b37d4ade4a50a5d85995e0be07e358ed9bca19daa867a8d47847105dca7a424f32f715adb8fea5d3a41cfe388872a42ab18aa5cbcd7bde4adc3f8b":"023d582569a7ff1405e44cf09ceebb9d3254eef72286e4b87e6577a8ab091a06":"39597519872d49fbd186704241ba1dc10b1f84f9296fb61d597dbd655a18f997":"3091c9fe96109b41da63aa5fa00d716b5fa20e96d4f3e0f9c97666a706fa56f1":"1fb57058b3ba8751df5a99f018798983"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"f5ab77b2a8e370548b88febfd79772144cd5fc8d78062582addd4ff1e5c10094b390e66b3c4efb087510de1b9d25703f":"21a21c9314b37d4ade4a50a5d85995e0be07e358ed9bca19daa867a8d47847105dca7a424f32f715adb8fea5d3a41cfe388872a42ab18aa5cbcd7bde4adc3f8b":"023d582569a7ff1405e44cf09ceebb9d3254eef72286e4b87e6577a8ab091a06":"39597519872d49fbd186704241ba1dc10b1f84f9296fb61d597dbd655a18f997":"3091c9fe96109b41da63aa5fa00d716b5fa20e96d4f3e0f9c97666a706fa56f1":"1fb57058b3ba8751df5a99f018798983"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #4
-ctr_drbg_validate_nopr:"f0b79e292d0e393e78b6d6117e06d2e725823fe35bde1146502967a78d99d6bca564f0e2f324272f968be5baab4aeb29":"192054dddac02157a35eb7f75ae8ebdb43d6b969e33942fb16ff06cd6d8a602506c41e4e743b8230e8239b71b31b2d5e3614e3a65d79e91d5b9fc9d2a66f8553":"b12241e90d80f129004287c5b9911a70f7159794e6f9c1023b3b68da9237e8b7":"59e9c3c0f90e91f22c35a3be0c65f16157c569c7e3c78a545d9840f648c60069":"089a59af69f47ddb4191bd27720bb4c29216f738c48c0e14d2b8afd68de63c17":"15287156e544617529e7eede4aa9c70e"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"f0b79e292d0e393e78b6d6117e06d2e725823fe35bde1146502967a78d99d6bca564f0e2f324272f968be5baab4aeb29":"192054dddac02157a35eb7f75ae8ebdb43d6b969e33942fb16ff06cd6d8a602506c41e4e743b8230e8239b71b31b2d5e3614e3a65d79e91d5b9fc9d2a66f8553":"b12241e90d80f129004287c5b9911a70f7159794e6f9c1023b3b68da9237e8b7":"59e9c3c0f90e91f22c35a3be0c65f16157c569c7e3c78a545d9840f648c60069":"089a59af69f47ddb4191bd27720bb4c29216f738c48c0e14d2b8afd68de63c17":"15287156e544617529e7eede4aa9c70e"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #5
-ctr_drbg_validate_nopr:"e3f33843aecb35d01001ff92ab9a0f1a5431ba9de3e4f3247cda8c62acc86f7066448f639d8ba8b5249337f8c353bbbd":"ef081af1f62400a3d193969d689a40234998afb646d99a7c4b9cbbf47e650cda93a90e754a16fffa25fc2a2edab09720b4520c47309ec4f6d9f76f0162af6cae":"e7cc55b72862544a8661b5034e15587b1e5a45eb5dc744f5fa1db9b267f1c3ff":"882d30c888eb8e344b1d17057074606fe232ceb42eb71055264ede7bb638f2a2":"9ce65e95c1e735fe950e52c324e7551403d0ef70ad865bd31fef1e22b129fdd6":"205e3a53367c4a5183be74bb875fa717"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"e3f33843aecb35d01001ff92ab9a0f1a5431ba9de3e4f3247cda8c62acc86f7066448f639d8ba8b5249337f8c353bbbd":"ef081af1f62400a3d193969d689a40234998afb646d99a7c4b9cbbf47e650cda93a90e754a16fffa25fc2a2edab09720b4520c47309ec4f6d9f76f0162af6cae":"e7cc55b72862544a8661b5034e15587b1e5a45eb5dc744f5fa1db9b267f1c3ff":"882d30c888eb8e344b1d17057074606fe232ceb42eb71055264ede7bb638f2a2":"9ce65e95c1e735fe950e52c324e7551403d0ef70ad865bd31fef1e22b129fdd6":"205e3a53367c4a5183be74bb875fa717"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #6
-ctr_drbg_validate_nopr:"f30a18d597d8591a22dee908de95c5af74884b025f39b4f6707d28447d9d0a3114a57bc2d9eed8e621ec75e8ce389a16":"fae3d554d12a14e29de1b622922f27559559ca1518c9f800375a37a212e8b9a653cc3700223e9404d5bf781d15fccf638050a1394592caba001cfc65d61ef90b":"54240edd89016ed27e3bb3977a206836f5ef1fba0f000af95337d79caca9cf71":"250611e51852d933ff1a177b509c05e3228cb9f46dfb7b26848a68aad2ce4779":"f8b602d89fa1a0bfb31d0bd49246b458200a1adb28b64a68f7c197f335d69706":"7b63bfb325bafe7d9ef342cd14ea40a4"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"f30a18d597d8591a22dee908de95c5af74884b025f39b4f6707d28447d9d0a3114a57bc2d9eed8e621ec75e8ce389a16":"fae3d554d12a14e29de1b622922f27559559ca1518c9f800375a37a212e8b9a653cc3700223e9404d5bf781d15fccf638050a1394592caba001cfc65d61ef90b":"54240edd89016ed27e3bb3977a206836f5ef1fba0f000af95337d79caca9cf71":"250611e51852d933ff1a177b509c05e3228cb9f46dfb7b26848a68aad2ce4779":"f8b602d89fa1a0bfb31d0bd49246b458200a1adb28b64a68f7c197f335d69706":"7b63bfb325bafe7d9ef342cd14ea40a4"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #7
-ctr_drbg_validate_nopr:"c8dbc3d39beb612811c52e2b46ef76d2b7bd5d3a90ceddf9fb864fe6f44e36687d88158d61014e192f9a3cd474338e13":"8e60115b4af9c8e5606223792539e9ba87e9ef46cd16fcc09046db1ef8d3c036241cae5d61141711818e9e861dbd833632069ebf5af1bd6d4e513f059ab1efd3":"9b56eba0838457f736fc5efa2cfbe698908340f07d4680e279d21dd530fdc8c8":"62c47ece469a7a409e4b2b76d1c793aaf11654e177cc8bf63faff3e6c5a5395c":"4251597013d0c949c53bbd945477b78aa91baa95f1ff757c3a039ccc4e1f4789":"af2f37160940f0cc27d144a043ddf79b"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"c8dbc3d39beb612811c52e2b46ef76d2b7bd5d3a90ceddf9fb864fe6f44e36687d88158d61014e192f9a3cd474338e13":"8e60115b4af9c8e5606223792539e9ba87e9ef46cd16fcc09046db1ef8d3c036241cae5d61141711818e9e861dbd833632069ebf5af1bd6d4e513f059ab1efd3":"9b56eba0838457f736fc5efa2cfbe698908340f07d4680e279d21dd530fdc8c8":"62c47ece469a7a409e4b2b76d1c793aaf11654e177cc8bf63faff3e6c5a5395c":"4251597013d0c949c53bbd945477b78aa91baa95f1ff757c3a039ccc4e1f4789":"af2f37160940f0cc27d144a043ddf79b"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #8
-ctr_drbg_validate_nopr:"a37f9ed6c4e8f74ff16046b0678ef7bd24fcdca247b771ea1ce1fd48e3f5d2067e38aaf64ec59f1f49d96fa85e60ef03":"95da91f4185b254322ef0fc852473a9b9e4c274b242ded8a4eae6f1e2badde0664cf57f2128aa3dc83e436f7e80928a01d93bf25011eedf0190d0bf3619cd555":"b4a22f5598f79d34f0b9600763c081b0200ba489da7028ad0283828545c6d594":"fa3edc0962b20a9d9e1d0afcad907c8097c21d7a65c0e47c63d65cea94bf43bd":"49ba791a227e9e391e04225ad67f43f64754daac0b0bb4c6db77320943231ec3":"32f313ded225289793c14a71d1d32c9f"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"a37f9ed6c4e8f74ff16046b0678ef7bd24fcdca247b771ea1ce1fd48e3f5d2067e38aaf64ec59f1f49d96fa85e60ef03":"95da91f4185b254322ef0fc852473a9b9e4c274b242ded8a4eae6f1e2badde0664cf57f2128aa3dc83e436f7e80928a01d93bf25011eedf0190d0bf3619cd555":"b4a22f5598f79d34f0b9600763c081b0200ba489da7028ad0283828545c6d594":"fa3edc0962b20a9d9e1d0afcad907c8097c21d7a65c0e47c63d65cea94bf43bd":"49ba791a227e9e391e04225ad67f43f64754daac0b0bb4c6db77320943231ec3":"32f313ded225289793c14a71d1d32c9f"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #9
-ctr_drbg_validate_nopr:"87f85b9c19eba1d953b6613cf555c21bc74428d9a8fee15e6cd717e240506f3e80860423973a66c61820d4ce1c6bb77d":"f22dd3517350176e35e1b7ecc8c00bea4747f0ac17bda1b1ddf8cdf7be53ff8c326268366e89cf3b023a9646177a0dcca902f0c98bf3840c9cbdf5c0494bee3c":"611caa00f93d4456fd2abb90de4dbcd934afbf1a56c2c4633b704c998f649960":"cba68367dc2fc92250e23e2b1a547fb3231b2beaab5e5a2ee39c5c74c9bab5f5":"f4895c9653b44a96152b893b7c94db80057fb67824d61c5c4186b9d8f16d3d98":"a05de6531a1aa1b2ba3faea8ad6ac209"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"87f85b9c19eba1d953b6613cf555c21bc74428d9a8fee15e6cd717e240506f3e80860423973a66c61820d4ce1c6bb77d":"f22dd3517350176e35e1b7ecc8c00bea4747f0ac17bda1b1ddf8cdf7be53ff8c326268366e89cf3b023a9646177a0dcca902f0c98bf3840c9cbdf5c0494bee3c":"611caa00f93d4456fd2abb90de4dbcd934afbf1a56c2c4633b704c998f649960":"cba68367dc2fc92250e23e2b1a547fb3231b2beaab5e5a2ee39c5c74c9bab5f5":"f4895c9653b44a96152b893b7c94db80057fb67824d61c5c4186b9d8f16d3d98":"a05de6531a1aa1b2ba3faea8ad6ac209"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #10
-ctr_drbg_validate_nopr:"9670deb707caabc888a3b0df7270942934732e02be728a4bedb5fc9ca4d675b2f3b47c7132c364ce6292cef7c19b60c7":"bba34e6f4ee27e5d4e885e59f8bbb0dc7353a8912e66637d7515a66e5398d9a8cbd328fed32f71bdd34c73cdf97e0d211be6dabfb0144e1011fd136cf01ea4e4":"9f55da36babd6ea42082f5f5d4330f023440bb864f8ad5498a29cf89757eaeab":"8013a309058c91c80f4d966f98bce1d4291003ad547e915777a3fce8ae2eaf77":"c83106272d44e832e94c7096c9c11f6342e12ec06d5db336424af73d12451406":"bc8d4d00609662c1163dca930901821d"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"9670deb707caabc888a3b0df7270942934732e02be728a4bedb5fc9ca4d675b2f3b47c7132c364ce6292cef7c19b60c7":"bba34e6f4ee27e5d4e885e59f8bbb0dc7353a8912e66637d7515a66e5398d9a8cbd328fed32f71bdd34c73cdf97e0d211be6dabfb0144e1011fd136cf01ea4e4":"9f55da36babd6ea42082f5f5d4330f023440bb864f8ad5498a29cf89757eaeab":"8013a309058c91c80f4d966f98bce1d4291003ad547e915777a3fce8ae2eaf77":"c83106272d44e832e94c7096c9c11f6342e12ec06d5db336424af73d12451406":"bc8d4d00609662c1163dca930901821d"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #11
-ctr_drbg_validate_nopr:"6d984c8ab923a7e118447fd53ad287b8f01d1e6112cff12bfb338ecd3ed16bafdd634677c600bdd68f852a946f45c3d9":"ed0e524ed2990ef348dbb15b3f964b12ad3109978d6952ae193b21e94510a47406926620798e71a0ffcbdd2e54ec45509d784a8bfc9d59cb733f9f11fc474b5e":"0a3a32260d04dd7a82fb0873ecae7db5e5a4b6a51b09f4bf8a989e1afacbda3b":"3cbcabb83aab5a3e54836bbf12d3a7862a18e2dffeeb8bdd5770936d61fd839a":"f63b30a3efc0273eba03bf3cf90b1e4ac20b00e53a317dbf77b0fe70960e7c60":"ab9af144e8fad6a978a636ad84e0469e"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"6d984c8ab923a7e118447fd53ad287b8f01d1e6112cff12bfb338ecd3ed16bafdd634677c600bdd68f852a946f45c3d9":"ed0e524ed2990ef348dbb15b3f964b12ad3109978d6952ae193b21e94510a47406926620798e71a0ffcbdd2e54ec45509d784a8bfc9d59cb733f9f11fc474b5e":"0a3a32260d04dd7a82fb0873ecae7db5e5a4b6a51b09f4bf8a989e1afacbda3b":"3cbcabb83aab5a3e54836bbf12d3a7862a18e2dffeeb8bdd5770936d61fd839a":"f63b30a3efc0273eba03bf3cf90b1e4ac20b00e53a317dbf77b0fe70960e7c60":"ab9af144e8fad6a978a636ad84e0469e"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #12
-ctr_drbg_validate_nopr:"2c59520d6f8ce946dcc5222f4fc80ba83f38df9dce2861412eebb1614245331626e7fb93eedbad33a12e94c276deff0a":"2882d4a30b22659b87ad2d71db1d7cf093ffca80079a4ef21660de9223940969afec70b0384a54b1de9bcca6b43fb182e58d8dfcad82b0df99a8929201476ae9":"d3c17a2d9c5da051b2d1825120814eaee07dfca65ab4df01195c8b1fcea0ed41":"dcc39555b87f31973ae085f83eaf497441d22ab6d87b69e47296b0ab51733687":"9a8a1b4ccf8230e3d3a1be79e60ae06c393fe6b1ca245281825317468ca114c7":"fba523a09c587ecad4e7e7fd81e5ca39"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"2c59520d6f8ce946dcc5222f4fc80ba83f38df9dce2861412eebb1614245331626e7fb93eedbad33a12e94c276deff0a":"2882d4a30b22659b87ad2d71db1d7cf093ffca80079a4ef21660de9223940969afec70b0384a54b1de9bcca6b43fb182e58d8dfcad82b0df99a8929201476ae9":"d3c17a2d9c5da051b2d1825120814eaee07dfca65ab4df01195c8b1fcea0ed41":"dcc39555b87f31973ae085f83eaf497441d22ab6d87b69e47296b0ab51733687":"9a8a1b4ccf8230e3d3a1be79e60ae06c393fe6b1ca245281825317468ca114c7":"fba523a09c587ecad4e7e7fd81e5ca39"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #13
-ctr_drbg_validate_nopr:"1c1207f50b645aaed5c16fe36f6aae83af4924e6b98a7e2a2533a584c1bac123f8b6f0e05109e0132950ae97b389001a":"8ae9a5903da32a38b7c6fed92dd0c6a035ca5104a3528d71a3eacc2f1681379724991a0053e8dac65e35f3deee0435e99f86364577c8ebdba321872973dc9790":"568bfee681d7f9be23a175a3cbf441b513829a9cbdf0706c145fdcd7803ce099":"e32cb5fec72c068894aaeabfc1b8d5e0de0b5acdf287a82e130a46e846770dc2":"d4418c333687a1c15cac7d4021f7d8823a114bb98f92c8a6dccc59ff8ad51c1f":"194e3018377cef71610794006b95def5"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"1c1207f50b645aaed5c16fe36f6aae83af4924e6b98a7e2a2533a584c1bac123f8b6f0e05109e0132950ae97b389001a":"8ae9a5903da32a38b7c6fed92dd0c6a035ca5104a3528d71a3eacc2f1681379724991a0053e8dac65e35f3deee0435e99f86364577c8ebdba321872973dc9790":"568bfee681d7f9be23a175a3cbf441b513829a9cbdf0706c145fdcd7803ce099":"e32cb5fec72c068894aaeabfc1b8d5e0de0b5acdf287a82e130a46e846770dc2":"d4418c333687a1c15cac7d4021f7d8823a114bb98f92c8a6dccc59ff8ad51c1f":"194e3018377cef71610794006b95def5"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #14
-ctr_drbg_validate_nopr:"28254014c5d6ebf9bd9e5f3946fc98e55fe351deee8fc70333e4f20f1f7719a522b3ea9a4424afe68208d1cc6c128c47":"98a0db985544c33990aee0f69655dba7198e6720ce56ff9d4662e26f0c6b4ee7ab599932c05295f6c5a4011085c5b2c861a5a8ae4f572ce614ff2dafc0fddb34":"64215cbe384f1f4cf548078ffd51f91eee9a8bae5aacdd19ca16bcaaf354f8ad":"2e21df638dabe24aebf62d97e25f701f781d12d0064f2f5a4a44d320c90b7260":"7f936274f74a466cbf69dbfe46db79f3c349377df683cb461f2da3b842ad438e":"25c469cc8407b82f42e34f11db3d8462"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"28254014c5d6ebf9bd9e5f3946fc98e55fe351deee8fc70333e4f20f1f7719a522b3ea9a4424afe68208d1cc6c128c47":"98a0db985544c33990aee0f69655dba7198e6720ce56ff9d4662e26f0c6b4ee7ab599932c05295f6c5a4011085c5b2c861a5a8ae4f572ce614ff2dafc0fddb34":"64215cbe384f1f4cf548078ffd51f91eee9a8bae5aacdd19ca16bcaaf354f8ad":"2e21df638dabe24aebf62d97e25f701f781d12d0064f2f5a4a44d320c90b7260":"7f936274f74a466cbf69dbfe46db79f3c349377df683cb461f2da3b842ad438e":"25c469cc8407b82f42e34f11db3d8462"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #0
-ctr_drbg_validate_nopr:"e26c8a13dae5c2da81023f27ab10b878":"fea104f90c5881df7ad1c863307bad22c98770ecd0d717513a2807682582e3e18e81d7935c8a7bacddd5176e7ca4911b9f8f5b1d9c349152fa215393eb006384":"":"":"":"fd87337c305a0a8ef8eef797601732c2"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"e26c8a13dae5c2da81023f27ab10b878":"fea104f90c5881df7ad1c863307bad22c98770ecd0d717513a2807682582e3e18e81d7935c8a7bacddd5176e7ca4911b9f8f5b1d9c349152fa215393eb006384":"":"":"":"fd87337c305a0a8ef8eef797601732c2"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #1
-ctr_drbg_validate_nopr:"8d7dda20a9807804bfc37bd7472d3b0c":"1d723cbc2ff2c115160e7240340adbf31c717696d0fdfecf3ec21150fca00cde477d37e2abbe32f399a505b74d82e502fbff94cecac87e87127d1397d3d76532":"":"":"":"7221761b913b1f50125abca6c3b2f229"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"8d7dda20a9807804bfc37bd7472d3b0c":"1d723cbc2ff2c115160e7240340adbf31c717696d0fdfecf3ec21150fca00cde477d37e2abbe32f399a505b74d82e502fbff94cecac87e87127d1397d3d76532":"":"":"":"7221761b913b1f50125abca6c3b2f229"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #2
-ctr_drbg_validate_nopr:"c02e3b6fd4fea7ec517a232f48aaa8cb":"0820fc21cecba6b2fe053a269a34e6a7637dedaf55ef46d266f672ca7cfd9cc21cd807e2b7f6a1c640b4f059952ae6da7282c5c32959fed39f734a5e88a408d2":"":"":"":"667d4dbefe938d6a662440a17965a334"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"c02e3b6fd4fea7ec517a232f48aaa8cb":"0820fc21cecba6b2fe053a269a34e6a7637dedaf55ef46d266f672ca7cfd9cc21cd807e2b7f6a1c640b4f059952ae6da7282c5c32959fed39f734a5e88a408d2":"":"":"":"667d4dbefe938d6a662440a17965a334"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #3
-ctr_drbg_validate_nopr:"9aee0326f9b16f88a4114e8d49b8e282":"ef0aae3f9c425253205215e5bf0ad70f141ad8cc72a332247cfe989601ca4fc52ba48b82db4d00fe1f279979b5aed1ae2ec2b02d2c921ee2d9cb89e3a900b97d":"":"":"":"651ad783fe3def80a8456552e405b98d"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"9aee0326f9b16f88a4114e8d49b8e282":"ef0aae3f9c425253205215e5bf0ad70f141ad8cc72a332247cfe989601ca4fc52ba48b82db4d00fe1f279979b5aed1ae2ec2b02d2c921ee2d9cb89e3a900b97d":"":"":"":"651ad783fe3def80a8456552e405b98d"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #4
-ctr_drbg_validate_nopr:"1e7a4961d1cd2fd30f571b92a763c2c5":"a9262ed5b54880cc8ecd4119cce9afe3de8875d403f7ca6b8ed8c88559470b29e644fddd83e127c5f938bc8a425db169c33c5c2d0b0c5133c8f87bbc0b0a7d79":"":"":"":"1124c509ca52693977cf461b0f0a0da9"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"1e7a4961d1cd2fd30f571b92a763c2c5":"a9262ed5b54880cc8ecd4119cce9afe3de8875d403f7ca6b8ed8c88559470b29e644fddd83e127c5f938bc8a425db169c33c5c2d0b0c5133c8f87bbc0b0a7d79":"":"":"":"1124c509ca52693977cf461b0f0a0da9"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #5
-ctr_drbg_validate_nopr:"ae0b0d2e84f48c632f031356cdea60ac":"554cf6fad1c376ad6148cd40b53105c16e2f5dd5fa564865b26faa8c318150bfb2294e711735df5eb86ff4b4e778531793bad42403d93a80d05c5421229a53da":"":"":"":"1212e5d3070b1cdf52c0217866481c58"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"ae0b0d2e84f48c632f031356cdea60ac":"554cf6fad1c376ad6148cd40b53105c16e2f5dd5fa564865b26faa8c318150bfb2294e711735df5eb86ff4b4e778531793bad42403d93a80d05c5421229a53da":"":"":"":"1212e5d3070b1cdf52c0217866481c58"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #6
-ctr_drbg_validate_nopr:"16b8c7495d43cd2ff5f65ad2ab48ecef":"7cffe2bef0d42374f7263a386b67fba991e59cefd73590cbcde3a4dc635a5a328f1a8e5edd3ada75854f251ee9f2de6cd247f64c6ca4f6c983805aa0fe9d3106":"":"":"":"d3869a9c5004b8a6ae8d8f0f461b602b"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"16b8c7495d43cd2ff5f65ad2ab48ecef":"7cffe2bef0d42374f7263a386b67fba991e59cefd73590cbcde3a4dc635a5a328f1a8e5edd3ada75854f251ee9f2de6cd247f64c6ca4f6c983805aa0fe9d3106":"":"":"":"d3869a9c5004b8a6ae8d8f0f461b602b"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #7
-ctr_drbg_validate_nopr:"a2d5eff6f73f98e5b04c01967dffa69b":"59759bb91b3c4feb18c0f086269ec52e097b67698f4dfe91ebe8bef851caa35cadb3fd22d1309f13510e1252856c71394a8e210fdbf3c7aae7998865f98e8744":"":"":"":"a1f99bd9522342e963af2ec8eed25c08"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"a2d5eff6f73f98e5b04c01967dffa69b":"59759bb91b3c4feb18c0f086269ec52e097b67698f4dfe91ebe8bef851caa35cadb3fd22d1309f13510e1252856c71394a8e210fdbf3c7aae7998865f98e8744":"":"":"":"a1f99bd9522342e963af2ec8eed25c08"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #8
-ctr_drbg_validate_nopr:"ea1f47fe5e281136706419ea9b652967":"0ec7c617f85bec74044111020c977be32ab8050b326ebc03715bbbffa5a34622f2264d4b5141b7883281c21ea91981155a64fb7b902e674e9a41a8a86c32052b":"":"":"":"daf75b8288fc66802b23af5fd04a9434"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"ea1f47fe5e281136706419ea9b652967":"0ec7c617f85bec74044111020c977be32ab8050b326ebc03715bbbffa5a34622f2264d4b5141b7883281c21ea91981155a64fb7b902e674e9a41a8a86c32052b":"":"":"":"daf75b8288fc66802b23af5fd04a9434"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #9
-ctr_drbg_validate_nopr:"6f072c681a82c00dcd0d9dd5b7ffa2af":"cd7ce90f0141e80f6bd6ff3d981d8a0a877d0ddae7c98f9091763b5946fc38b64c1ef698485007d53251ad278daf5d4ae94a725d617fc9a45a919a9e785a9849":"":"":"":"39c0144f28c5a490eff6221b62384602"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"6f072c681a82c00dcd0d9dd5b7ffa2af":"cd7ce90f0141e80f6bd6ff3d981d8a0a877d0ddae7c98f9091763b5946fc38b64c1ef698485007d53251ad278daf5d4ae94a725d617fc9a45a919a9e785a9849":"":"":"":"39c0144f28c5a490eff6221b62384602"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #10
-ctr_drbg_validate_nopr:"9d730655366e2aa89ee09332bd0a5053":"854766e842eb165a31551f96008354bca1628a9520d29c3cc4f6a41068bf76d8054b75b7d69f5865266c310b5e9f0290af37c5d94535cb5dc9c854ea1cb36eb7":"":"":"":"baa2a3ed6fdc049d0f158693db8c70ef"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"9d730655366e2aa89ee09332bd0a5053":"854766e842eb165a31551f96008354bca1628a9520d29c3cc4f6a41068bf76d8054b75b7d69f5865266c310b5e9f0290af37c5d94535cb5dc9c854ea1cb36eb7":"":"":"":"baa2a3ed6fdc049d0f158693db8c70ef"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #11
-ctr_drbg_validate_nopr:"3363881611bfd5d16814360e83d8544f":"6abfab14cbf222d553d0e930a38941f6f271b48943ea6f69e796e30135bc9eb30204b77ab416ac066da0a649c8558e5a0eac62f54f2f6e66c207cab461c71510":"":"":"":"5be410ce54288e881acd3e566964df78"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"3363881611bfd5d16814360e83d8544f":"6abfab14cbf222d553d0e930a38941f6f271b48943ea6f69e796e30135bc9eb30204b77ab416ac066da0a649c8558e5a0eac62f54f2f6e66c207cab461c71510":"":"":"":"5be410ce54288e881acd3e566964df78"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #12
-ctr_drbg_validate_nopr:"14e589065423528ff84a1f89507ab519":"0d2e446cad387a962ff2217c7cf4826dcabb997ab7f74f64aa18fbcb69151993f263925ae71f9dfdff122bb61802480f2803930efce01a3f37c97101893c140f":"":"":"":"fc2d3df6c9aae68fb01d8382fcd82104"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"14e589065423528ff84a1f89507ab519":"0d2e446cad387a962ff2217c7cf4826dcabb997ab7f74f64aa18fbcb69151993f263925ae71f9dfdff122bb61802480f2803930efce01a3f37c97101893c140f":"":"":"":"fc2d3df6c9aae68fb01d8382fcd82104"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #13
-ctr_drbg_validate_nopr:"974c5ae90347d839475f0f994f2bf01d":"aa04d9fc56349fdd31d868e9efc2938f9104c0291e55ac0aa0c24ec4609731b8e0ac04b42180bde1af6ad1b26faff8a6de60a8a4a828cd6f8758c54b6037a0ee":"":"":"":"3caec482015003643d5a319a2af48fb4"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"974c5ae90347d839475f0f994f2bf01d":"aa04d9fc56349fdd31d868e9efc2938f9104c0291e55ac0aa0c24ec4609731b8e0ac04b42180bde1af6ad1b26faff8a6de60a8a4a828cd6f8758c54b6037a0ee":"":"":"":"3caec482015003643d5a319a2af48fb4"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #14
-ctr_drbg_validate_nopr:"b3a110587a16c1eafe51128a66816ecf":"203bba645fb5ccee3383cf402e04c713b7a6b6cca8b154e827520daac4ea3a0247bbdc3b2cd853e170587d22c70fb96c320ea71cb80c04826316c7317c797b8a":"":"":"":"9af4f67a30a4346e0cfcf51c45fd2589"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"b3a110587a16c1eafe51128a66816ecf":"203bba645fb5ccee3383cf402e04c713b7a6b6cca8b154e827520daac4ea3a0247bbdc3b2cd853e170587d22c70fb96c320ea71cb80c04826316c7317c797b8a":"":"":"":"9af4f67a30a4346e0cfcf51c45fd2589"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #0
-ctr_drbg_validate_nopr:"55546068cd524c51496c5fc9622b64c6":"951e712d057028158831ca8c74d4ae303c6e4641c344a1c80292260bdd9d8e2f5b97606370e95903e3124659de3e3f6e021cd9ccc86aa4a619c0e94b2a9aa3cc":"2d6de8661c7a30a0ca6a20c13c4c04421ba200fbef4f6eb499c17aee1561faf1":"41797b2eeaccb8a002538d3480cb0b76060ee5ba9d7e4a2bb2b201154f61c975":"b744980bb0377e176b07f48e7994fffd7b0d8a539e1f02a5535d2f4051f054f3":"65b9f7382ed578af03efa2008dbdd56f"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"55546068cd524c51496c5fc9622b64c6":"951e712d057028158831ca8c74d4ae303c6e4641c344a1c80292260bdd9d8e2f5b97606370e95903e3124659de3e3f6e021cd9ccc86aa4a619c0e94b2a9aa3cc":"2d6de8661c7a30a0ca6a20c13c4c04421ba200fbef4f6eb499c17aee1561faf1":"41797b2eeaccb8a002538d3480cb0b76060ee5ba9d7e4a2bb2b201154f61c975":"b744980bb0377e176b07f48e7994fffd7b0d8a539e1f02a5535d2f4051f054f3":"65b9f7382ed578af03efa2008dbdd56f"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #1
-ctr_drbg_validate_nopr:"a0c92565640a3315cac8da6d0458fb07":"6e9b31755c1f45df7d685f86044ab3bc25433a3ff08ab5de7154e06b0867f4e3531ed2e2a15ab63c611fc2894240fdac1d3292d1b36da87caa2080d1c41bcf24":"c6c74690bdee26288d2f87a06435d664431206b23b24f426e847fb892d40d5d5":"4e7dc1adbc8bc16ba7b584c18a0d7e4383c470bff2f320af54ad5ade5f43265b":"c6fb8ee194a339726f5051b91925c6a214079a661ec78358e98fc4f41e8c4724":"c3f849ee7d87291301e11b467fa2162f"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"a0c92565640a3315cac8da6d0458fb07":"6e9b31755c1f45df7d685f86044ab3bc25433a3ff08ab5de7154e06b0867f4e3531ed2e2a15ab63c611fc2894240fdac1d3292d1b36da87caa2080d1c41bcf24":"c6c74690bdee26288d2f87a06435d664431206b23b24f426e847fb892d40d5d5":"4e7dc1adbc8bc16ba7b584c18a0d7e4383c470bff2f320af54ad5ade5f43265b":"c6fb8ee194a339726f5051b91925c6a214079a661ec78358e98fc4f41e8c4724":"c3f849ee7d87291301e11b467fa2162f"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #2
-ctr_drbg_validate_nopr:"63e143bd6a87065a00eea930593f9b29":"62c2c790cb56518ed2d8d65952bbd4ab85a56463495c940b94f403a93338bdc96129feea9335b1a3e0ada7cf4c207f4732013bc6a52db41407bf5d6fe9183b3c":"7b4e9ff0c8f8c90f8b324c7189226d3adccd79df2d0c22b52fb31dbb5dfefba6":"49e1aecf2b96a366325dc1892c016a5535dd2480360a382e9cc78bf75b2bba37":"f4ce1d27e759f3ba4a56aaab713642b4c56810c9995fbfc04ce285429f95a8f4":"513111abaae3069e599b56f7e5fb91d1"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"63e143bd6a87065a00eea930593f9b29":"62c2c790cb56518ed2d8d65952bbd4ab85a56463495c940b94f403a93338bdc96129feea9335b1a3e0ada7cf4c207f4732013bc6a52db41407bf5d6fe9183b3c":"7b4e9ff0c8f8c90f8b324c7189226d3adccd79df2d0c22b52fb31dbb5dfefba6":"49e1aecf2b96a366325dc1892c016a5535dd2480360a382e9cc78bf75b2bba37":"f4ce1d27e759f3ba4a56aaab713642b4c56810c9995fbfc04ce285429f95a8f4":"513111abaae3069e599b56f7e5fb91d1"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #3
-ctr_drbg_validate_nopr:"98dc16e95f97b5b9d8287875774d9d19":"2fab4a629e4b21f27488a0c9ed36fc8e75bee0c386346c6ec59a6f045975e29818440a6638eb3b9e952e19df82d6dc7b8b9c18530aef763d0709b3b55433ddc6":"2e9d2f52a55df05fb8b9549947f8690c9ce410268d1d3aa7d69e63cbb28e4eb8":"57ecdad71d709dcdb1eba6cf36e0ecf04aaccd7527ca44c6f96768968027274f":"7b2da3d1ae252a71bccbb318e0eec95493a236f0dec97f2600de9f0743030529":"841882e4d9346bea32b1216eebc06aac"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"98dc16e95f97b5b9d8287875774d9d19":"2fab4a629e4b21f27488a0c9ed36fc8e75bee0c386346c6ec59a6f045975e29818440a6638eb3b9e952e19df82d6dc7b8b9c18530aef763d0709b3b55433ddc6":"2e9d2f52a55df05fb8b9549947f8690c9ce410268d1d3aa7d69e63cbb28e4eb8":"57ecdad71d709dcdb1eba6cf36e0ecf04aaccd7527ca44c6f96768968027274f":"7b2da3d1ae252a71bccbb318e0eec95493a236f0dec97f2600de9f0743030529":"841882e4d9346bea32b1216eebc06aac"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #4
-ctr_drbg_validate_nopr:"5dbac5c313527d4d0e5ca9b6f5596ed7":"c00b28c78da4f9ce159741437fe7f90e4e23ecd01cd292f197202decbbc823d9ce46b8191c11e8f8d007d38e2ecd93b8bd9bbad5812aaf547ddf4c7a6738b777":"460c54f4c3fe49d9b25b069ff6664517ed3b234890175a59cde5c3bc230c0a9e":"bf5187f1f55ae6711c2bc1884324490bf2d29d29e95cad7a1c295045eed5a310":"28fd8277dcb807741d4d5cb255a8d9a32ef56a880ccf2b3dcca54645bd6f1013":"b488f5c13bb017b0d9de2092d577c76e"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"5dbac5c313527d4d0e5ca9b6f5596ed7":"c00b28c78da4f9ce159741437fe7f90e4e23ecd01cd292f197202decbbc823d9ce46b8191c11e8f8d007d38e2ecd93b8bd9bbad5812aaf547ddf4c7a6738b777":"460c54f4c3fe49d9b25b069ff6664517ed3b234890175a59cde5c3bc230c0a9e":"bf5187f1f55ae6711c2bc1884324490bf2d29d29e95cad7a1c295045eed5a310":"28fd8277dcb807741d4d5cb255a8d9a32ef56a880ccf2b3dcca54645bd6f1013":"b488f5c13bb017b0d9de2092d577c76e"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #5
-ctr_drbg_validate_nopr:"254d5f5044415c694a89249b0b6e1a2c":"4c1cc9ebe7a03cde31860637d8222faeefa9cbf789fab62e99a98d83084fef29eafcf7177d62d55435a1acb77e7a61ad86c47d1950b8683e167fe3ece3f8c9e8":"71af584657160f0f0b81740ef93017a37c174bee5a02c8967f087fdbfd33bfde":"96e8522f6ed8e8a9772ffb19e9416a1c6293ad6d1ecd317972e2f6258d7d68dd":"3aaa5e4d6af79055742150e630c5e3a46288e216d6607793c021d6705349f96a":"66629af4a0e90550b9bd3811243d6b86"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"254d5f5044415c694a89249b0b6e1a2c":"4c1cc9ebe7a03cde31860637d8222faeefa9cbf789fab62e99a98d83084fef29eafcf7177d62d55435a1acb77e7a61ad86c47d1950b8683e167fe3ece3f8c9e8":"71af584657160f0f0b81740ef93017a37c174bee5a02c8967f087fdbfd33bfde":"96e8522f6ed8e8a9772ffb19e9416a1c6293ad6d1ecd317972e2f6258d7d68dd":"3aaa5e4d6af79055742150e630c5e3a46288e216d6607793c021d6705349f96a":"66629af4a0e90550b9bd3811243d6b86"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #6
-ctr_drbg_validate_nopr:"b46fceed0fcc29665815cc9459971913":"ff62d52aed55d8e966044f7f7c5013b4915197c73668e01b4487c3243bbf5f9248a4fdd6ef0f63b87fc8d1c5d514ff243319b2fbdfa474d5f83b935399655e15":"994d6b5393fbf0351f0bcfb48e1e763b377b732c73bf8e28dec720a2cadcb8a5":"118bb8c7a43b9c30afaf9ce4db3e6a60a3f9d01c30b9ab3572662955808b41e4":"bb47e443090afc32ee34873bd106bf867650adf5b5d90a2e7d0e58ed0ae83e8a":"1865fee6024db510690725f16b938487"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"b46fceed0fcc29665815cc9459971913":"ff62d52aed55d8e966044f7f7c5013b4915197c73668e01b4487c3243bbf5f9248a4fdd6ef0f63b87fc8d1c5d514ff243319b2fbdfa474d5f83b935399655e15":"994d6b5393fbf0351f0bcfb48e1e763b377b732c73bf8e28dec720a2cadcb8a5":"118bb8c7a43b9c30afaf9ce4db3e6a60a3f9d01c30b9ab3572662955808b41e4":"bb47e443090afc32ee34873bd106bf867650adf5b5d90a2e7d0e58ed0ae83e8a":"1865fee6024db510690725f16b938487"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #7
-ctr_drbg_validate_nopr:"e1a5dd32fc7cefb281d5d6ce3200f4ca":"bf1ba4166007b53fcaee41f9c54771c8a0b309a52ea7894a005783c1e3e43e2eb9871d7909a1c3567953aabdf75e38c8f5578c51a692d883755102a0c82c7c12":"32e9922bd780303828091a140274d04f879cd821f352bd18bcaa49ffef840010":"01830ddd2f0e323c90830beddedf1480e6c23b0d99c2201871f18cc308ab3139":"f36d792dbde7609b8bf4724d7d71362840b309c5f2961e2537c8b5979a569ae8":"7080e8379a43c2e28e07d0c7ed9705a8"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"e1a5dd32fc7cefb281d5d6ce3200f4ca":"bf1ba4166007b53fcaee41f9c54771c8a0b309a52ea7894a005783c1e3e43e2eb9871d7909a1c3567953aabdf75e38c8f5578c51a692d883755102a0c82c7c12":"32e9922bd780303828091a140274d04f879cd821f352bd18bcaa49ffef840010":"01830ddd2f0e323c90830beddedf1480e6c23b0d99c2201871f18cc308ab3139":"f36d792dbde7609b8bf4724d7d71362840b309c5f2961e2537c8b5979a569ae8":"7080e8379a43c2e28e07d0c7ed9705a8"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #8
-ctr_drbg_validate_nopr:"d1b7be857a422b425ae62c61e90a192a":"6ac34c4ce22b644632283ab13e294df2093e939d32411340b046c26fcc449d0fd6d14132c7205df303dbb663190e6e86ad12e14e145b6603308241f38d94eb5d":"aacfe8553d5ffef6abc3fd8f94d796cae2079ff04f7ab1b41982003f02427c7a":"01d2d1bc29d6a6b52bb29bd6652be772096ca23c838c40730d5b4a4f8f735daa":"27af728ee07d3f5902f4e56453b6a9feb308ef14795eb5630b2651debdd36d5b":"b03fbcd03fa1cc69db0a4e3492a52bad"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"d1b7be857a422b425ae62c61e90a192a":"6ac34c4ce22b644632283ab13e294df2093e939d32411340b046c26fcc449d0fd6d14132c7205df303dbb663190e6e86ad12e14e145b6603308241f38d94eb5d":"aacfe8553d5ffef6abc3fd8f94d796cae2079ff04f7ab1b41982003f02427c7a":"01d2d1bc29d6a6b52bb29bd6652be772096ca23c838c40730d5b4a4f8f735daa":"27af728ee07d3f5902f4e56453b6a9feb308ef14795eb5630b2651debdd36d5b":"b03fbcd03fa1cc69db0a4e3492a52bad"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #9
-ctr_drbg_validate_nopr:"a2c49aa6f3f92e36266bf267af5877ed":"5684c3eb99314127078484959314d52b3bc50cb3615c0eef6b48850d98aee04c528b0693be13ed1bb4040e8e96cb13c316143f0815cd68d1bb7931a3d9b88a3d":"566522085426b76bdef152adefd73ef0f76eee4614bc5a4391629ec49e0acffb":"30ef9585148dd2270c41540a4235328de8952f28cf5472df463e88e837419e99":"adc46e0afcf69302f62c84c5c4bfcbb7132f8db118d1a84dc2b910753fe86a2d":"4edc4383977ee91aaa2f5b9ac4257570"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"a2c49aa6f3f92e36266bf267af5877ed":"5684c3eb99314127078484959314d52b3bc50cb3615c0eef6b48850d98aee04c528b0693be13ed1bb4040e8e96cb13c316143f0815cd68d1bb7931a3d9b88a3d":"566522085426b76bdef152adefd73ef0f76eee4614bc5a4391629ec49e0acffb":"30ef9585148dd2270c41540a4235328de8952f28cf5472df463e88e837419e99":"adc46e0afcf69302f62c84c5c4bfcbb7132f8db118d1a84dc2b910753fe86a2d":"4edc4383977ee91aaa2f5b9ac4257570"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #10
-ctr_drbg_validate_nopr:"43852c53041a3a4f710435dbd3e4382b":"ab7bca5595084bccdba80ade7ac3df2a0ce198fa49d29414c0249ec3d1c50d271ca74ba5c3521576a89a1964e6deded2d5ba7ff28a364a8f9235981bec1bedfa":"c5612a9540b64fc134074cb36f4c9ea62fff993938709b5d354a917e5265adee":"eee2258aba665aa6d3f5b8c2207f135276f597adb2a0fbfb16a20460e8cc3c68":"a6d6d126bed13dbcf2b327aa884b7260a9c388cb03751dbe9feb28a3fe351d62":"e04c3de51a1ffe8cda89e881c396584b"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"43852c53041a3a4f710435dbd3e4382b":"ab7bca5595084bccdba80ade7ac3df2a0ce198fa49d29414c0249ec3d1c50d271ca74ba5c3521576a89a1964e6deded2d5ba7ff28a364a8f9235981bec1bedfa":"c5612a9540b64fc134074cb36f4c9ea62fff993938709b5d354a917e5265adee":"eee2258aba665aa6d3f5b8c2207f135276f597adb2a0fbfb16a20460e8cc3c68":"a6d6d126bed13dbcf2b327aa884b7260a9c388cb03751dbe9feb28a3fe351d62":"e04c3de51a1ffe8cda89e881c396584b"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #11
-ctr_drbg_validate_nopr:"52628551ce90c338ed94b655d4f05811":"b3a4a3c4d3d53ffa41b85ce3b8f292b1cc8e5af7488286d4c581005f8c02c5545c09bb08d8470b8cffdf62731b1d4b75c036af7dc4f2f1fc7e9a496f3d235f2d":"f5f9d5b51075b12aa300afdc7b8ea3944fc8cf4d1e95625cc4e42fdfdcbeb169":"60bccbc7345f23733fe8f8eb9760975057238705d9cee33b3269f9bfedd72202":"c0fa3afd6e9decfbffa7ea6678d2481c5f55ec0a35172ff93214b997400e97c3":"5a113906e1ef76b7b75fefbf20d78ef8"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"52628551ce90c338ed94b655d4f05811":"b3a4a3c4d3d53ffa41b85ce3b8f292b1cc8e5af7488286d4c581005f8c02c5545c09bb08d8470b8cffdf62731b1d4b75c036af7dc4f2f1fc7e9a496f3d235f2d":"f5f9d5b51075b12aa300afdc7b8ea3944fc8cf4d1e95625cc4e42fdfdcbeb169":"60bccbc7345f23733fe8f8eb9760975057238705d9cee33b3269f9bfedd72202":"c0fa3afd6e9decfbffa7ea6678d2481c5f55ec0a35172ff93214b997400e97c3":"5a113906e1ef76b7b75fefbf20d78ef8"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #12
-ctr_drbg_validate_nopr:"0e4873c4cbcde280abc6711a66dbb81a":"1ab7c7d8fe8f505e1dd7ddb8e7cda962572f7004b2a14c7a7c5bcf24bd16616e2c42c50ae5db9981ccd7d0c79062ac572d3893486bd0ae1f99cbc1d28a9e4c1e":"e4b89e28663e853f8b380c8a4491b54121fe6927340a74342362c37d8d615b66":"619775878879eff9ee2189790ff6f187baed4ed1b156029b80e7a070a1072a09":"ba3d673e5e41bd1abbc7191cc4b9a945201b8fef0016e4774047ee2abf499e74":"4758fd021c34a5cf6bea760ad09438a0"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"0e4873c4cbcde280abc6711a66dbb81a":"1ab7c7d8fe8f505e1dd7ddb8e7cda962572f7004b2a14c7a7c5bcf24bd16616e2c42c50ae5db9981ccd7d0c79062ac572d3893486bd0ae1f99cbc1d28a9e4c1e":"e4b89e28663e853f8b380c8a4491b54121fe6927340a74342362c37d8d615b66":"619775878879eff9ee2189790ff6f187baed4ed1b156029b80e7a070a1072a09":"ba3d673e5e41bd1abbc7191cc4b9a945201b8fef0016e4774047ee2abf499e74":"4758fd021c34a5cf6bea760ad09438a0"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #13
-ctr_drbg_validate_nopr:"0684e8ef93c3363ba535c4e573af1c24":"748a5f5fde271c563a8f8d15520d6818f7ed0efb9b434adf2ff9471b391dd225b37868179ffa9a6e58df3b1b765b8945685a2f966d29648dd86a42078339650b":"e90c82153d2280f1ddb55bd65e7752bf6717fbe08c49414f6c129bf608578db7":"c17e97c93cfabe0b925ca5d22615a06430a201b7595ad0d9967cc89a4777947d":"3d554c430c8928dcdb1f6d5e5a4306b309856a9b78c5f431c55d7ebd519443bb":"d3da71af70e196483c951d95eb3f0135"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"0684e8ef93c3363ba535c4e573af1c24":"748a5f5fde271c563a8f8d15520d6818f7ed0efb9b434adf2ff9471b391dd225b37868179ffa9a6e58df3b1b765b8945685a2f966d29648dd86a42078339650b":"e90c82153d2280f1ddb55bd65e7752bf6717fbe08c49414f6c129bf608578db7":"c17e97c93cfabe0b925ca5d22615a06430a201b7595ad0d9967cc89a4777947d":"3d554c430c8928dcdb1f6d5e5a4306b309856a9b78c5f431c55d7ebd519443bb":"d3da71af70e196483c951d95eb3f0135"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #14
-ctr_drbg_validate_nopr:"89b885ddb12abc4f7422334f27c00439":"e2366eec626bfd9cb932bcaa0569de6a7a37cf1dfde1f25d00d1a0c89fe25fea592cbd2af7c8202521fa48e15f7cc7e97e431b222b516a3ad2bb7b55b7fcf7f4":"c77ee92bd17939efe9bee48af66589aee1d9fe4cd6c8ae26b74b3799e35342a6":"23e80d36ca72ecc38551e7e0a4f9502bed0e160f382d802f48fb2714ec6e3315":"6b83f7458dc813ce0b963b231c424e8bced599d002c0ef91a9c20dcc3f172ea5":"81d13a6b79f05137e233e3c3a1091360"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"89b885ddb12abc4f7422334f27c00439":"e2366eec626bfd9cb932bcaa0569de6a7a37cf1dfde1f25d00d1a0c89fe25fea592cbd2af7c8202521fa48e15f7cc7e97e431b222b516a3ad2bb7b55b7fcf7f4":"c77ee92bd17939efe9bee48af66589aee1d9fe4cd6c8ae26b74b3799e35342a6":"23e80d36ca72ecc38551e7e0a4f9502bed0e160f382d802f48fb2714ec6e3315":"6b83f7458dc813ce0b963b231c424e8bced599d002c0ef91a9c20dcc3f172ea5":"81d13a6b79f05137e233e3c3a1091360"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #0
-ctr_drbg_validate_nopr:"ff568be02a46343113f06949a16cc7d9da315aef82f5681f0459650e5e180e65d1d77b00e5ce3e3f9eb6c18efff4db36":"77de4e5db3b308c38c814228583dfd1eb415771f4ae30f9cc2d35b48075286a4e8c2c6f441d1aac496d0d4be395d078519e31cb77d06d6f7fd4c033bc40fd659":"":"":"":"448ac707ba934c909335425de62944d6"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"ff568be02a46343113f06949a16cc7d9da315aef82f5681f0459650e5e180e65d1d77b00e5ce3e3f9eb6c18efff4db36":"77de4e5db3b308c38c814228583dfd1eb415771f4ae30f9cc2d35b48075286a4e8c2c6f441d1aac496d0d4be395d078519e31cb77d06d6f7fd4c033bc40fd659":"":"":"":"448ac707ba934c909335425de62944d6"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #1
-ctr_drbg_validate_nopr:"6f092b85eb9f96427642f69467911172cba6df86e0db08d04e824cde6fb91d9b9af2cea53f42d53c45ee3e69a2327172":"667d3ed9f41a154ea33b55182b8bee4d7d46eff8e890c7036cf7c2665d44c28f9e3a8cff166dabfaf262933d337e729e0b6a60a51d00ba18f877bdc9d0cc659e":"":"":"":"16a200f683ab862947e061cddaac5597"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"6f092b85eb9f96427642f69467911172cba6df86e0db08d04e824cde6fb91d9b9af2cea53f42d53c45ee3e69a2327172":"667d3ed9f41a154ea33b55182b8bee4d7d46eff8e890c7036cf7c2665d44c28f9e3a8cff166dabfaf262933d337e729e0b6a60a51d00ba18f877bdc9d0cc659e":"":"":"":"16a200f683ab862947e061cddaac5597"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #2
-ctr_drbg_validate_nopr:"26e635a6a2b6402b968c1eea13c6a980a0ee9b8497abc14fccdc5bf8439008861f74de2c200505185bf5907d3adc9de2":"80e56f9893beb9f22b2b03caa8f1861d5b31b37f636f2ccbc7e4040ad3073aa20f2f3c6bfefc041df8e57e7100794c42732b6d4b63d8bb51329ca99671d53c7c":"":"":"":"807586c977febcf2ad28fcd45e1a1deb"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"26e635a6a2b6402b968c1eea13c6a980a0ee9b8497abc14fccdc5bf8439008861f74de2c200505185bf5907d3adc9de2":"80e56f9893beb9f22b2b03caa8f1861d5b31b37f636f2ccbc7e4040ad3073aa20f2f3c6bfefc041df8e57e7100794c42732b6d4b63d8bb51329ca99671d53c7c":"":"":"":"807586c977febcf2ad28fcd45e1a1deb"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #3
-ctr_drbg_validate_nopr:"b239c485d319ce964d69bd3dbc5b7ab9cc72ac9134a25e641bcd3c8b6f89e7e08ef2d0a45cf67667a4e2e634b32d73ff":"c963e17ef46b7b2c68756019704ec7435ec093c423600b3f2f99dd8989f8539a11b1b0598e93e84d50b65e816e794421ab546b202e4b224a8494538dda85da82":"":"":"":"2a3218b4d59f99bd3825631a6eefb09c"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"b239c485d319ce964d69bd3dbc5b7ab9cc72ac9134a25e641bcd3c8b6f89e7e08ef2d0a45cf67667a4e2e634b32d73ff":"c963e17ef46b7b2c68756019704ec7435ec093c423600b3f2f99dd8989f8539a11b1b0598e93e84d50b65e816e794421ab546b202e4b224a8494538dda85da82":"":"":"":"2a3218b4d59f99bd3825631a6eefb09c"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #4
-ctr_drbg_validate_nopr:"0239545a23735b803ae7cb7766194917d6cce164f7ec4f65c6ccd5ec1db5297722d4b7466589da4d39f4585856bc1d7e":"71a440b70a2b5ce41b85de27d987fa2a0628d7990dd7cd1460fddc5410ce6e9bb0ae4f90231f45bc71188fd94e4170389a8bbe4a7e781c95c9a97ad78ba7d07b":"":"":"":"9dafaa8b727c4829dda10a831e67419d"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"0239545a23735b803ae7cb7766194917d6cce164f7ec4f65c6ccd5ec1db5297722d4b7466589da4d39f4585856bc1d7e":"71a440b70a2b5ce41b85de27d987fa2a0628d7990dd7cd1460fddc5410ce6e9bb0ae4f90231f45bc71188fd94e4170389a8bbe4a7e781c95c9a97ad78ba7d07b":"":"":"":"9dafaa8b727c4829dda10a831e67419d"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #5
-ctr_drbg_validate_nopr:"237e8916eadd65e3422fe59ab257b7e6957fe24f760b499fbd052241879e8294b01d2169ec2b98f52660d9f5170dee22":"d8908cfc1ea8518c1442e46731f30fdad85399894db262b8f4fdc0dbcbf11b60b60b25d3108f4b169fcbef621a14c635525fa3af8ccef6b91f808479509967f4":"":"":"":"593c39c56bb9e476550299ee8d85d2fc"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"237e8916eadd65e3422fe59ab257b7e6957fe24f760b499fbd052241879e8294b01d2169ec2b98f52660d9f5170dee22":"d8908cfc1ea8518c1442e46731f30fdad85399894db262b8f4fdc0dbcbf11b60b60b25d3108f4b169fcbef621a14c635525fa3af8ccef6b91f808479509967f4":"":"":"":"593c39c56bb9e476550299ee8d85d2fc"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #6
-ctr_drbg_validate_nopr:"28b6639b415c79012c749dc2a0d18433ec36eda55815f0841241453fa11b9d572b7c29208e01dbb0be91e1075f305d7f":"6767c3eb6ba1b19412c32bfe44e4d0317beba10f3abea328cda7b7c14109b72046c8691c1c7b28487037d381f77a3bbc8464a51b87de68bdc50ec9c658f915ab":"":"":"":"e390806219fa727e74a90011b4835ed6"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"28b6639b415c79012c749dc2a0d18433ec36eda55815f0841241453fa11b9d572b7c29208e01dbb0be91e1075f305d7f":"6767c3eb6ba1b19412c32bfe44e4d0317beba10f3abea328cda7b7c14109b72046c8691c1c7b28487037d381f77a3bbc8464a51b87de68bdc50ec9c658f915ab":"":"":"":"e390806219fa727e74a90011b4835ed6"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #7
-ctr_drbg_validate_nopr:"ce735a8549fc3f9dfc7b96bf0d48936a711439ac7271d715a278718aca9e2fe3c801030bc74b048ac1e40852345e87cc":"510b0dc06e84ceb901c7195c2f00ad7a04bdd75e0ab52b3d2cd47ddfcd89248dd58e3f1aa8c1ffe306f493905f65369eaed2a5b337dff8ac81c4c1e8903a6ad5":"":"":"":"ba871ba5843083b553a57cf8defa39d7"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"ce735a8549fc3f9dfc7b96bf0d48936a711439ac7271d715a278718aca9e2fe3c801030bc74b048ac1e40852345e87cc":"510b0dc06e84ceb901c7195c2f00ad7a04bdd75e0ab52b3d2cd47ddfcd89248dd58e3f1aa8c1ffe306f493905f65369eaed2a5b337dff8ac81c4c1e8903a6ad5":"":"":"":"ba871ba5843083b553a57cf8defa39d7"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #8
-ctr_drbg_validate_nopr:"841ea92fa42c06769c5c52fe152d07837b8ff0048392caa5dd045054353d363b25439eb5885e96771dded4005f2baf42":"97511ae52590a0b64b75c37e10b89671880d2d6e8f90780ac27263dbc0e32d0824be5e80a88cf8fc3d4c607eb873c0322d09b9ca3498c4015c53ca6fee890093":"":"":"":"a8fb31362bd997adf4d9116e23dbaf10"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"841ea92fa42c06769c5c52fe152d07837b8ff0048392caa5dd045054353d363b25439eb5885e96771dded4005f2baf42":"97511ae52590a0b64b75c37e10b89671880d2d6e8f90780ac27263dbc0e32d0824be5e80a88cf8fc3d4c607eb873c0322d09b9ca3498c4015c53ca6fee890093":"":"":"":"a8fb31362bd997adf4d9116e23dbaf10"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #9
-ctr_drbg_validate_nopr:"55cd76fa5f004b97bb8e14170f79f52715d18c60f142b06d16e8e06c274798190a79c8b325163989d86323c03dbe0d68":"bafc0ba64669c9a36514bde6169034101f29e2a0a4b9a55c0aae7dff0c5aca2371b523e26dc44bf75493bdaa023d1555294178288b70f1ae72150d9f7265b4e6":"":"":"":"fa16dbdaf01b3c202426adabf61fa64a"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"55cd76fa5f004b97bb8e14170f79f52715d18c60f142b06d16e8e06c274798190a79c8b325163989d86323c03dbe0d68":"bafc0ba64669c9a36514bde6169034101f29e2a0a4b9a55c0aae7dff0c5aca2371b523e26dc44bf75493bdaa023d1555294178288b70f1ae72150d9f7265b4e6":"":"":"":"fa16dbdaf01b3c202426adabf61fa64a"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #10
-ctr_drbg_validate_nopr:"ff3f3098fa3d2b23b38ed982e7afb61d46b4848c878b9280f8e5ed6bd81176e76f0a2a85071a411829cf84421c22f23e":"92194e2c700fa724489683d0b6ddcf72c89b9c3f3ff584e802ae426be4908b1ade093bcf9baf7738b988dc0fde1739498a97c9610da853a7c83981c6a7b68096":"":"":"":"f85490426dc243ba09f9719bff73545a"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"ff3f3098fa3d2b23b38ed982e7afb61d46b4848c878b9280f8e5ed6bd81176e76f0a2a85071a411829cf84421c22f23e":"92194e2c700fa724489683d0b6ddcf72c89b9c3f3ff584e802ae426be4908b1ade093bcf9baf7738b988dc0fde1739498a97c9610da853a7c83981c6a7b68096":"":"":"":"f85490426dc243ba09f9719bff73545a"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #11
-ctr_drbg_validate_nopr:"7242c1020a63770cccf6f8100970990232a9d11d61c9b0d38fe5e7a568a86252a66481212e5d53c868561298dd5bdeec":"7c3806a32ccf3252ac27a92a07209cd7000b160faa70b9024420b903587d1d77f002d3abe28b563d32ccc502b88f83bc5996f3dbbf0f57835839eadd94563b9d":"":"":"":"2232181f08c1569efaad1a82bcb5f3ba"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"7242c1020a63770cccf6f8100970990232a9d11d61c9b0d38fe5e7a568a86252a66481212e5d53c868561298dd5bdeec":"7c3806a32ccf3252ac27a92a07209cd7000b160faa70b9024420b903587d1d77f002d3abe28b563d32ccc502b88f83bc5996f3dbbf0f57835839eadd94563b9d":"":"":"":"2232181f08c1569efaad1a82bcb5f3ba"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #12
-ctr_drbg_validate_nopr:"a2e445290fed8187df6d2a57e68385bb62d700cb8f140410766b53e69e6a0f2939bbfa7ce091525c9051f064e383a2e1":"fdae5f1ea253108fcb255d215a3ce1dc1d101acf89de4423b75a74619e95f3feaa35b5e0bec430b0ad9567df818989c36c77742129af335c90ceb6dd79c7d2c4":"":"":"":"3841e2d795b17cb9a2081d6016a1a71d"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"a2e445290fed8187df6d2a57e68385bb62d700cb8f140410766b53e69e6a0f2939bbfa7ce091525c9051f064e383a2e1":"fdae5f1ea253108fcb255d215a3ce1dc1d101acf89de4423b75a74619e95f3feaa35b5e0bec430b0ad9567df818989c36c77742129af335c90ceb6dd79c7d2c4":"":"":"":"3841e2d795b17cb9a2081d6016a1a71d"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #13
-ctr_drbg_validate_nopr:"bc885454e385d911336dda9b7a609a6a7079a4a5a860fcd704161c34658bd98685bb03418b7f24f2ed9475eb8ceb232e":"77bef884a91126564b3214029ac6842d86e4c1fa283e33d6828d428377416f66947e39a4a6708e10bfdae8337a6f302420a6649fc109d0f094c18c1e9361375a":"":"":"":"ea20780ed280d8109f811a6a398c3e76"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"bc885454e385d911336dda9b7a609a6a7079a4a5a860fcd704161c34658bd98685bb03418b7f24f2ed9475eb8ceb232e":"77bef884a91126564b3214029ac6842d86e4c1fa283e33d6828d428377416f66947e39a4a6708e10bfdae8337a6f302420a6649fc109d0f094c18c1e9361375a":"":"":"":"ea20780ed280d8109f811a6a398c3e76"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #14
-ctr_drbg_validate_nopr:"c1825cf00cdc2da93adb3e7a33c1f3a76c49166887883744ea2683ddca23f31900f25c434364c992a6d913f753a9c42a":"56940a6fc4823c9e42e8ffed63fc3cf46d0a2b305c236a511b0b5ec7005ecd8989bf2006ebe52ed55845f7cc25d3d0086cece95f0bff6fa7e17ddf474704abfe":"":"":"":"b037c7f0f85f4d7eaeeb17f4c8643a74"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"c1825cf00cdc2da93adb3e7a33c1f3a76c49166887883744ea2683ddca23f31900f25c434364c992a6d913f753a9c42a":"56940a6fc4823c9e42e8ffed63fc3cf46d0a2b305c236a511b0b5ec7005ecd8989bf2006ebe52ed55845f7cc25d3d0086cece95f0bff6fa7e17ddf474704abfe":"":"":"":"b037c7f0f85f4d7eaeeb17f4c8643a74"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #0
-ctr_drbg_validate_nopr:"19b83c0deea6463a3912d21ffc8d8041a5b30640352abc9652770cfca99dc53c9c09942ddd67b91f4da50a8615462ce4":"5d85c56d0d20ee39958a90f301d2f8bb136fa34d09b41a0c9375114a0df9c1dcdb2a62c4be398d9eaf2440949b806f0e5a977da608eeb652a41711d1e9b72655":"9c1db928b95c84cb674060a6d2f6b7a6a5d43e9ee967e9f821bf309ca5f8821f":"a3111cb57365c617df0b0bb3a1aada49ca789bc75903eeb21e42a7d3d0dd0825":"ce7f557c70676987d13aca60bc4585147efeed97be139871a1b29caa1e180af9":"4a49430277d64446e2fa75763eb79ec6"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"19b83c0deea6463a3912d21ffc8d8041a5b30640352abc9652770cfca99dc53c9c09942ddd67b91f4da50a8615462ce4":"5d85c56d0d20ee39958a90f301d2f8bb136fa34d09b41a0c9375114a0df9c1dcdb2a62c4be398d9eaf2440949b806f0e5a977da608eeb652a41711d1e9b72655":"9c1db928b95c84cb674060a6d2f6b7a6a5d43e9ee967e9f821bf309ca5f8821f":"a3111cb57365c617df0b0bb3a1aada49ca789bc75903eeb21e42a7d3d0dd0825":"ce7f557c70676987d13aca60bc4585147efeed97be139871a1b29caa1e180af9":"4a49430277d64446e2fa75763eb79ec6"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #1
-ctr_drbg_validate_nopr:"239f21be6cda23e8660c8a5e04c79f6dad6f363ac6dcffd9228699ae43fbce5ac3c51645500cb3eae68f0b604dc4472c":"2975a099f7e6530e5576534c25171f39131d6bffb99259f7f2bbf7d77de9fb1e829052b54a9631a733113021692eba1097438347c6de82307a0c2bb308edf065":"d451a54584e6d1d634217379e7e60e67303e19dd4ba63b097899c7349a5a7433":"a33dc24c6a656eb26275415581d568b7c2424a9c5fb9e2944ca35ecbf641f713":"8dfccc62379af46844df136122b72a878d9d61b40ccaa029b09e6b9f0b4d0192":"005e91760d89ecb64b5fc3b0e222fca3"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"239f21be6cda23e8660c8a5e04c79f6dad6f363ac6dcffd9228699ae43fbce5ac3c51645500cb3eae68f0b604dc4472c":"2975a099f7e6530e5576534c25171f39131d6bffb99259f7f2bbf7d77de9fb1e829052b54a9631a733113021692eba1097438347c6de82307a0c2bb308edf065":"d451a54584e6d1d634217379e7e60e67303e19dd4ba63b097899c7349a5a7433":"a33dc24c6a656eb26275415581d568b7c2424a9c5fb9e2944ca35ecbf641f713":"8dfccc62379af46844df136122b72a878d9d61b40ccaa029b09e6b9f0b4d0192":"005e91760d89ecb64b5fc3b0e222fca3"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #2
-ctr_drbg_validate_nopr:"e326abbe1db3ead3738d2ca4d9f1d62080cd23ff3396f43a0af992bed2420cec6661dfaac83c3c4d83347ac840f7dc14":"37c94d11ed0e93b8199d43d6eb242165dddd12fe39c0bea4cdef6bcfeb5d17bb866f080a9daef128f685fb3bc59c945927fb0aa3e17068515c3c92fbdf04a228":"1ff41405dbb3b12b8ddc973069edc2d2801af0e0dc9bde2cdd35c5b2d4091509":"138b6d2eabef4b32174afb0156ad1df570cf6e5f6ebde5d19cc30daffd9ca4f2":"f27cf7422808c54c58fcdde1cece92f5342c7a10ac43ab3b2e53362b2272e3ad":"506d6fae6fff9f222e65ac86df61a832"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"e326abbe1db3ead3738d2ca4d9f1d62080cd23ff3396f43a0af992bed2420cec6661dfaac83c3c4d83347ac840f7dc14":"37c94d11ed0e93b8199d43d6eb242165dddd12fe39c0bea4cdef6bcfeb5d17bb866f080a9daef128f685fb3bc59c945927fb0aa3e17068515c3c92fbdf04a228":"1ff41405dbb3b12b8ddc973069edc2d2801af0e0dc9bde2cdd35c5b2d4091509":"138b6d2eabef4b32174afb0156ad1df570cf6e5f6ebde5d19cc30daffd9ca4f2":"f27cf7422808c54c58fcdde1cece92f5342c7a10ac43ab3b2e53362b2272e3ad":"506d6fae6fff9f222e65ac86df61a832"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #3
-ctr_drbg_validate_nopr:"cb0229d2bb72d910b0169e8f93318905aef8dd93ed91a2f8388545db32db3f2489e7988b50de64c49a9f7feb5abe8630":"514ec8c02439290853434e75e3d0bd159eacd5ac13b8f202cfd5c36cdc0fe99b53a1b7a1619e94eb661ac825a48ea5ef8bb9120dd6efc351e39eb7cc5223f637":"a6ed69c9216c551793107f1bdaa04944f6d76fe4474f64bb08b0ebc10a18f337":"e0bc1cc56fdfeef686e0c7ec359e2e8bd48d76c8643c40d12325328170bbf702":"87c5b23aa3c100ff9e368fc47534ff8fa2f9e2bfd3599519ee6f60164485cf6d":"bd419968f636e374268ccdd62403f79c"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"cb0229d2bb72d910b0169e8f93318905aef8dd93ed91a2f8388545db32db3f2489e7988b50de64c49a9f7feb5abe8630":"514ec8c02439290853434e75e3d0bd159eacd5ac13b8f202cfd5c36cdc0fe99b53a1b7a1619e94eb661ac825a48ea5ef8bb9120dd6efc351e39eb7cc5223f637":"a6ed69c9216c551793107f1bdaa04944f6d76fe4474f64bb08b0ebc10a18f337":"e0bc1cc56fdfeef686e0c7ec359e2e8bd48d76c8643c40d12325328170bbf702":"87c5b23aa3c100ff9e368fc47534ff8fa2f9e2bfd3599519ee6f60164485cf6d":"bd419968f636e374268ccdd62403f79c"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #4
-ctr_drbg_validate_nopr:"bdd156ef3c4e09b77fe8781c446eac55b562e4ee1b7d15515a966882d4c7fadb0fc7b37554ba03908838db40499ded5b":"9facd9f4587819acb358e4936d9f44b67ddf82616e79a44ffd6a2510f652f6b9cebc1424b5c642362b19f63c615f49686df66a8f80ddffb56ce0c0d8540150fb":"35ea316fe302786f626e3831530622b62eb33a3608d4af3384ecfcbd198f3f05":"8d4fae22290b6ef8618ded1c3412e85fab7b8d17fb9cbd09dbc87f97279cc72d":"2f54928372e4ce447201427a3ae05769ae1c54b2e83bdc86d380a90b07f2890c":"8045e8da88b1bc126785c8a771db5354"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"bdd156ef3c4e09b77fe8781c446eac55b562e4ee1b7d15515a966882d4c7fadb0fc7b37554ba03908838db40499ded5b":"9facd9f4587819acb358e4936d9f44b67ddf82616e79a44ffd6a2510f652f6b9cebc1424b5c642362b19f63c615f49686df66a8f80ddffb56ce0c0d8540150fb":"35ea316fe302786f626e3831530622b62eb33a3608d4af3384ecfcbd198f3f05":"8d4fae22290b6ef8618ded1c3412e85fab7b8d17fb9cbd09dbc87f97279cc72d":"2f54928372e4ce447201427a3ae05769ae1c54b2e83bdc86d380a90b07f2890c":"8045e8da88b1bc126785c8a771db5354"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #5
-ctr_drbg_validate_nopr:"154876298a1b63334624b367da984eb31d7260abe79ced41de35ba68a716233a5df0937b90f89dde7fd55a9693c9031f":"36895f574e9e9d08e6c885d305eb4764c1e5689d1f99c2462b3ebdf659e8ce43818dfc886ec797843bfee361b554cd5f969b0c7b0381b53f4afc1bcadbf7eb1c":"c3a46105c50a167a5b0391053f3814a06c90cea2c1fa9329d97fdbc62887ff6d":"54c7d66c65dbddb4665981bff0f503de37d724362aeb67abce6a870fd6a7398a":"58204ca953cbd46dd6c8870b358cba77c436870db49bcd3e2f92697bb580b460":"cd903c0f11ea701214f91715cfec11a3"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"154876298a1b63334624b367da984eb31d7260abe79ced41de35ba68a716233a5df0937b90f89dde7fd55a9693c9031f":"36895f574e9e9d08e6c885d305eb4764c1e5689d1f99c2462b3ebdf659e8ce43818dfc886ec797843bfee361b554cd5f969b0c7b0381b53f4afc1bcadbf7eb1c":"c3a46105c50a167a5b0391053f3814a06c90cea2c1fa9329d97fdbc62887ff6d":"54c7d66c65dbddb4665981bff0f503de37d724362aeb67abce6a870fd6a7398a":"58204ca953cbd46dd6c8870b358cba77c436870db49bcd3e2f92697bb580b460":"cd903c0f11ea701214f91715cfec11a3"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #6
-ctr_drbg_validate_nopr:"94e273fde1e699f84aeef343eb0277c50d169bb5496575301021a2be50df6a555d1422ea88e0e4d905158e93fd8d0089":"1cd97b6e6e7f19401e409aea7b3ec33a8faefd71402b8f34a73c1cb1af215e0e87debe68bce590d41c1f90c6ad9db3d30b3901862e076d765ffdf58776e5fb7e":"6ee75e9f9aee6ac93e20f742f20427e5eb9b4ad2ed06fbba8c7b7870a96941ac":"0ba60399893ede284372bc4e0a37702a23b16aa8e5fe70ea95429af87ff291aa":"94bd2b51c32d29cd14e2123221e45ec0cf1f38766fb6bb0716856d0138f6fa39":"831793686abd406f7b385cd59e497b18"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"94e273fde1e699f84aeef343eb0277c50d169bb5496575301021a2be50df6a555d1422ea88e0e4d905158e93fd8d0089":"1cd97b6e6e7f19401e409aea7b3ec33a8faefd71402b8f34a73c1cb1af215e0e87debe68bce590d41c1f90c6ad9db3d30b3901862e076d765ffdf58776e5fb7e":"6ee75e9f9aee6ac93e20f742f20427e5eb9b4ad2ed06fbba8c7b7870a96941ac":"0ba60399893ede284372bc4e0a37702a23b16aa8e5fe70ea95429af87ff291aa":"94bd2b51c32d29cd14e2123221e45ec0cf1f38766fb6bb0716856d0138f6fa39":"831793686abd406f7b385cd59e497b18"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #7
-ctr_drbg_validate_nopr:"5a699113ebf98bff9cb780ce29747a61ba2d7581a5716065d018c89348d7c2ed3f5bba32442cd192c1e37b77b98f5791":"de6d2a3b6ad9af07058d3b1d1976cf61d49566b965eb4e9b74a4cad8e286e7a40b254b860e2e209a8cb4cff3a8e615b84f5ae7505957a758e266a4c3e915d251":"ed18c16a61ba5ecc0755f94c286390a6d46e6e26439dadd36c83ebdee42b4b4c":"7c4550d058b85580be2053fd9d933c87041c5c3f62a5b6b303259dafc90d9041":"ebebfcb9b4b3595e516939ca0688422bbdfc4b9f67b0d6619757cb315b7d7908":"1a5a496aa2268483444b3740c9cc4104"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"5a699113ebf98bff9cb780ce29747a61ba2d7581a5716065d018c89348d7c2ed3f5bba32442cd192c1e37b77b98f5791":"de6d2a3b6ad9af07058d3b1d1976cf61d49566b965eb4e9b74a4cad8e286e7a40b254b860e2e209a8cb4cff3a8e615b84f5ae7505957a758e266a4c3e915d251":"ed18c16a61ba5ecc0755f94c286390a6d46e6e26439dadd36c83ebdee42b4b4c":"7c4550d058b85580be2053fd9d933c87041c5c3f62a5b6b303259dafc90d9041":"ebebfcb9b4b3595e516939ca0688422bbdfc4b9f67b0d6619757cb315b7d7908":"1a5a496aa2268483444b3740c9cc4104"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #8
-ctr_drbg_validate_nopr:"42450f2689b87a3dd940f3b9e3b32d4654c725a24ddd2c22f006694321dacf1980b50f7ac0401626453ec836039bfdc9":"4765399ccbbf3d33433bb992ee29e4381f28d800b05431f1c5b3e949c5db72c582bfe8ba08db1575b866816cabbe5e1d31d8a870ceed49fb75676c97020d1f22":"6ee5a7613c25ecec263a2fd2288948b2df9a05d50040c4031b0653878fdb067f":"68a1038481be7412d6a7c8474d4b2a2535c9b55ea301ee800d5a846127d345cb":"7a1915cf78e6da2dc7840cba40390d668d07571608b77857d2224c4531c17bb8":"80a6c622e64495f9a391f5a8a9c76818"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"42450f2689b87a3dd940f3b9e3b32d4654c725a24ddd2c22f006694321dacf1980b50f7ac0401626453ec836039bfdc9":"4765399ccbbf3d33433bb992ee29e4381f28d800b05431f1c5b3e949c5db72c582bfe8ba08db1575b866816cabbe5e1d31d8a870ceed49fb75676c97020d1f22":"6ee5a7613c25ecec263a2fd2288948b2df9a05d50040c4031b0653878fdb067f":"68a1038481be7412d6a7c8474d4b2a2535c9b55ea301ee800d5a846127d345cb":"7a1915cf78e6da2dc7840cba40390d668d07571608b77857d2224c4531c17bb8":"80a6c622e64495f9a391f5a8a9c76818"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #9
-ctr_drbg_validate_nopr:"873869e194201b822b140bdd7797dd1ed408f2190b759c068b7019e6707f60751e101d3465c4ec57dbf9d1ea7597fa44":"d2f92706ca3fb9ced8183c74704440d7eedee1542c2e812f65afc83f4b62dadf1c51fa68f8d5f457a893211c8afc82c93e6a1e15822eff0d4ada6efd25d271a0":"8d0393d2a1ae8930ea88773adfa47b49060f0bf2d3def2acc57786bfbd1e2d6f":"5bcf5ff4fbd9eaabf8bf82ec7c59b043fd64b0025ad1ab2b384e399b9e13147a":"6e2d05e286c90502a3abf2ee72ab7ffb520ce5facfb27e095787a09a412abec3":"e1ceda71b8feb4b0d14d35bbb57a79a2"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"873869e194201b822b140bdd7797dd1ed408f2190b759c068b7019e6707f60751e101d3465c4ec57dbf9d1ea7597fa44":"d2f92706ca3fb9ced8183c74704440d7eedee1542c2e812f65afc83f4b62dadf1c51fa68f8d5f457a893211c8afc82c93e6a1e15822eff0d4ada6efd25d271a0":"8d0393d2a1ae8930ea88773adfa47b49060f0bf2d3def2acc57786bfbd1e2d6f":"5bcf5ff4fbd9eaabf8bf82ec7c59b043fd64b0025ad1ab2b384e399b9e13147a":"6e2d05e286c90502a3abf2ee72ab7ffb520ce5facfb27e095787a09a412abec3":"e1ceda71b8feb4b0d14d35bbb57a79a2"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #10
-ctr_drbg_validate_nopr:"1fecb5fe87c2a208b4f193e9c3ff810954c554150d544baea1685fb4774320315d5cb651be493ef120ef6966e3e7518c":"34bc292809674352ffb60786dca59ec799188aa401b366a48cdeddf37c12ee4c666f8fb3a0d53df4cd7191166d50ff01d992f94cd92da7a385ffe5795b197ced":"38249fed34a907768eac49267c2c613a65154eec5b73b541d7d7b314b5080061":"115be9cb914b50480fffe078d8170870b56129a0a74271dee063f8b2049e1be3":"69fa6faf7223f5bb1b55f35a544f78181579b1745990053357916fe507e51db6":"60cc92d3ba3ff0715f5627182334ed1b"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"1fecb5fe87c2a208b4f193e9c3ff810954c554150d544baea1685fb4774320315d5cb651be493ef120ef6966e3e7518c":"34bc292809674352ffb60786dca59ec799188aa401b366a48cdeddf37c12ee4c666f8fb3a0d53df4cd7191166d50ff01d992f94cd92da7a385ffe5795b197ced":"38249fed34a907768eac49267c2c613a65154eec5b73b541d7d7b314b5080061":"115be9cb914b50480fffe078d8170870b56129a0a74271dee063f8b2049e1be3":"69fa6faf7223f5bb1b55f35a544f78181579b1745990053357916fe507e51db6":"60cc92d3ba3ff0715f5627182334ed1b"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #11
-ctr_drbg_validate_nopr:"4d283eb5ecd85a1613c975e24832770643613c9a5aee0d8649bc0d68c89cf1ea6ec3a1a22eefd9e212d602c338d64c6e":"4aa6917a5c9f370590d70536fdd89c916fec5e5bcbade8c6a6cfcf5b232c98a6b3e6b79a2dfb0778fbc3f1da7b06044d7b0fa2c04ffc3b71324aca1ee19f936b":"05a7092a684ba7a7fbd33533f9be58a4140a3855d4c5f44a31d665a0720c1739":"557ef1bedc890d1543de6cfeb25642782683d77a46bc8aa0836b07157599c7c3":"e87e45073ff8e36c38b128cd2275a160e431787b5e81f6c2fd7a37909eb72ea5":"31ecfb1bcf3253ba5f71b185a66c7cff"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"4d283eb5ecd85a1613c975e24832770643613c9a5aee0d8649bc0d68c89cf1ea6ec3a1a22eefd9e212d602c338d64c6e":"4aa6917a5c9f370590d70536fdd89c916fec5e5bcbade8c6a6cfcf5b232c98a6b3e6b79a2dfb0778fbc3f1da7b06044d7b0fa2c04ffc3b71324aca1ee19f936b":"05a7092a684ba7a7fbd33533f9be58a4140a3855d4c5f44a31d665a0720c1739":"557ef1bedc890d1543de6cfeb25642782683d77a46bc8aa0836b07157599c7c3":"e87e45073ff8e36c38b128cd2275a160e431787b5e81f6c2fd7a37909eb72ea5":"31ecfb1bcf3253ba5f71b185a66c7cff"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #12
-ctr_drbg_validate_nopr:"a6f488104a6c03e354d5d1805c62dcd3016322d218747fa83f9199e20f6ab1cfbc2b889536bda1187f59b7294d557ff2":"22f8ad57a2dfa8010e2865ad6263823652917b84dfea61f639efdb0fdbb35c6341ca7721095d69686212dffe78410c0d0db94f04756d52e7d76165d5a1d516d9":"fb9951d563f7aa88db545874b1a3049c5f79774d486e7a28aed1ed75f59224a5":"b1ea7c6b53e79e4e947e63086dee32dcc17bc4f27fba6142f8215ec081cdd5c9":"0d12cc0a39bfbf87194e4070f6b54caaabbe48fa192b96cfed2a794d95fa299d":"62a1c5678e6e8fc738d375e2ca48751f"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"a6f488104a6c03e354d5d1805c62dcd3016322d218747fa83f9199e20f6ab1cfbc2b889536bda1187f59b7294d557ff2":"22f8ad57a2dfa8010e2865ad6263823652917b84dfea61f639efdb0fdbb35c6341ca7721095d69686212dffe78410c0d0db94f04756d52e7d76165d5a1d516d9":"fb9951d563f7aa88db545874b1a3049c5f79774d486e7a28aed1ed75f59224a5":"b1ea7c6b53e79e4e947e63086dee32dcc17bc4f27fba6142f8215ec081cdd5c9":"0d12cc0a39bfbf87194e4070f6b54caaabbe48fa192b96cfed2a794d95fa299d":"62a1c5678e6e8fc738d375e2ca48751f"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #13
-ctr_drbg_validate_nopr:"9d67e017e0abdd7c079bc0354f33dab696ad64146802f06d6cefd9cdefbf55b197f5899e5efaa269cc0432c87648ce18":"d8be0ec1119ff959c32c9cf29914e3f7bf2b01bdbf806c2d9ba119ae2a2cfb565871762b02ee7bf68f1d280532fd7ae7368517f6f751739b228d23df2f207f35":"74a5e24477e8759bedfbaa196f398777108392efb8c64c65c0c9ecd6cd3b5f04":"70cbc6cfe1d6ab4bc30d66fa162d5d4b3029e4b1b9d759f3eae17fb508e91a46":"d3c538e042f0eb796b4af9b4e65cd850425c72e2c896fcea741c17172faf27d9":"559a5e04b75cec250aac2433176a725e"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"9d67e017e0abdd7c079bc0354f33dab696ad64146802f06d6cefd9cdefbf55b197f5899e5efaa269cc0432c87648ce18":"d8be0ec1119ff959c32c9cf29914e3f7bf2b01bdbf806c2d9ba119ae2a2cfb565871762b02ee7bf68f1d280532fd7ae7368517f6f751739b228d23df2f207f35":"74a5e24477e8759bedfbaa196f398777108392efb8c64c65c0c9ecd6cd3b5f04":"70cbc6cfe1d6ab4bc30d66fa162d5d4b3029e4b1b9d759f3eae17fb508e91a46":"d3c538e042f0eb796b4af9b4e65cd850425c72e2c896fcea741c17172faf27d9":"559a5e04b75cec250aac2433176a725e"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #14
-ctr_drbg_validate_nopr:"10914608a6d373a26c53ab83014283b678d73dfea65b4a3540af17f2fafa3b3cf698925b423edb9f946b906f43110795":"9ded87d289412dfda8935e5b08ec66b68abd1bae1fc5363e4341f58db954f1f9bc4b681c0d930ba080f85f8fd04c173cb2b77723ce67692efa7ade48b82b6926":"225159b4c679094f277516b2335b1e8b7d0a7ea33fd56822906d481fe412586d":"4967cd401cd466aba0be5f55615ca0d9fb8adbde5cb4e6ae3a0159fcd6c36bf0":"fec14f325b8b458ddf3e7f2e10938f4c2d04c8d9885bb5b9277bdc229c70b354":"1cd5c0bdeb87c79235bead416c565d32"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"10914608a6d373a26c53ab83014283b678d73dfea65b4a3540af17f2fafa3b3cf698925b423edb9f946b906f43110795":"9ded87d289412dfda8935e5b08ec66b68abd1bae1fc5363e4341f58db954f1f9bc4b681c0d930ba080f85f8fd04c173cb2b77723ce67692efa7ade48b82b6926":"225159b4c679094f277516b2335b1e8b7d0a7ea33fd56822906d481fe412586d":"4967cd401cd466aba0be5f55615ca0d9fb8adbde5cb4e6ae3a0159fcd6c36bf0":"fec14f325b8b458ddf3e7f2e10938f4c2d04c8d9885bb5b9277bdc229c70b354":"1cd5c0bdeb87c79235bead416c565d32"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #0
-ctr_drbg_validate_nopr:"b023f6a6f73d4749b36eb54867994432":"2462ad760ddbca4e013688bf61381f190c7b2de57cbeeec81d6ab7b6f067b75adc3545887f8d2aa5d9b9dfcbfa425d610faa9c247eb5d71145f302918e908ae5":"":"":"":"c0620c68515a4618e572db6e4c14473d"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"b023f6a6f73d4749b36eb54867994432":"2462ad760ddbca4e013688bf61381f190c7b2de57cbeeec81d6ab7b6f067b75adc3545887f8d2aa5d9b9dfcbfa425d610faa9c247eb5d71145f302918e908ae5":"":"":"":"c0620c68515a4618e572db6e4c14473d"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #1
-ctr_drbg_validate_nopr:"7e0fcd953c1c8bb8d03d7a0e918fb59d":"56b2e11d5c2d87d2c9c90c285e0041beb4594a6efdd577580095612e50cf47c0b76208337e1e18453082d725629667d86226ab22944bbfb40c38b7986e489adb":"":"":"":"7194eee0d333fa5282dc44db964ecf5b"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"7e0fcd953c1c8bb8d03d7a0e918fb59d":"56b2e11d5c2d87d2c9c90c285e0041beb4594a6efdd577580095612e50cf47c0b76208337e1e18453082d725629667d86226ab22944bbfb40c38b7986e489adb":"":"":"":"7194eee0d333fa5282dc44db964ecf5b"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #2
-ctr_drbg_validate_nopr:"0130217d4a3945402ed99d7b8504fe4b":"28e592fd9db72b40ae4888078aedde260f6de4f0472a7601258e694d7bb6af6810ff4eabdffb332932765fa1d66650fb78cc2be484c0ba803eb9a2502020e865":"":"":"":"4652f0545385fdbe02d05aec21668608"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"0130217d4a3945402ed99d7b8504fe4b":"28e592fd9db72b40ae4888078aedde260f6de4f0472a7601258e694d7bb6af6810ff4eabdffb332932765fa1d66650fb78cc2be484c0ba803eb9a2502020e865":"":"":"":"4652f0545385fdbe02d05aec21668608"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #3
-ctr_drbg_validate_nopr:"07854447e33521d2d997d90c0887f42d":"c561ab6acfbfb98879982ac7add92b80471e0154b77ccc9fd98e7c2013c411e8075948e97ab4db7505797a99d456e54e6585042efeff7e3970e399ea0d27537c":"":"":"":"1a14a810c11b4f0af23c6467c47bbde0"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"07854447e33521d2d997d90c0887f42d":"c561ab6acfbfb98879982ac7add92b80471e0154b77ccc9fd98e7c2013c411e8075948e97ab4db7505797a99d456e54e6585042efeff7e3970e399ea0d27537c":"":"":"":"1a14a810c11b4f0af23c6467c47bbde0"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #4
-ctr_drbg_validate_nopr:"68a8ec01581d6066391f3e5977465026":"747c7e9aace6d4f840c7b5261e0af796c516477421d52850a7072a0ab2c768fcc80c9ba8d18b228e77a7f6131c788a76515fe31aef4ed67376568231a4700fac":"":"":"":"a5723c43743442fae3637bb553891aeb"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"68a8ec01581d6066391f3e5977465026":"747c7e9aace6d4f840c7b5261e0af796c516477421d52850a7072a0ab2c768fcc80c9ba8d18b228e77a7f6131c788a76515fe31aef4ed67376568231a4700fac":"":"":"":"a5723c43743442fae3637bb553891aeb"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #5
-ctr_drbg_validate_nopr:"1459038c60b70bae7af0da6cfab707a2":"9f7d839310846bd452827a185539c0eb0f106acc7bc4de80d3521a970b23483d57826b1484d329a2d1c2ecfeaf8eeffbaa6e1a305e3f1e47b96ad48a711ad1aa":"":"":"":"5fcd6bf108fe68b85f61f85c0556f5c0"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"1459038c60b70bae7af0da6cfab707a2":"9f7d839310846bd452827a185539c0eb0f106acc7bc4de80d3521a970b23483d57826b1484d329a2d1c2ecfeaf8eeffbaa6e1a305e3f1e47b96ad48a711ad1aa":"":"":"":"5fcd6bf108fe68b85f61f85c0556f5c0"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #6
-ctr_drbg_validate_nopr:"a3357db173df98da4dd02ee24ce5c303":"f1ce08587ac0338b4d0b8e075b42b6501e77758b30087de028a8622fb7abd7f65e3b4f802d1a472dedb9c1a6dc9263c65918d8b7fafd0ae7e9c39e2e8684af3f":"":"":"":"8a5fa11d8e78fbf1ca4e4ca3e1ae82b8"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"a3357db173df98da4dd02ee24ce5c303":"f1ce08587ac0338b4d0b8e075b42b6501e77758b30087de028a8622fb7abd7f65e3b4f802d1a472dedb9c1a6dc9263c65918d8b7fafd0ae7e9c39e2e8684af3f":"":"":"":"8a5fa11d8e78fbf1ca4e4ca3e1ae82b8"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #7
-ctr_drbg_validate_nopr:"212f4c80c7e9287c8d25e3b965f91a3c":"bf1d715b3f56c433827c9cb429bee5ca61c80a8d9b2fd4498e1c86ce703637f8f7f34056ab0039e0baa63320df0ec61de60354f2ece06356d9be3c6d1cdcc4cf":"":"":"":"04ac2f969e828f375b03ee16317e8572"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"212f4c80c7e9287c8d25e3b965f91a3c":"bf1d715b3f56c433827c9cb429bee5ca61c80a8d9b2fd4498e1c86ce703637f8f7f34056ab0039e0baa63320df0ec61de60354f2ece06356d9be3c6d1cdcc4cf":"":"":"":"04ac2f969e828f375b03ee16317e8572"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #8
-ctr_drbg_validate_nopr:"46e85752e0af82fc63932950120e4b5d":"ae4316424fa765179404188eb8839ce84ad8db92cb12f39089a93a2dbdc371e2fdbef1ad080eb354eecdda3a10ea66ef647aa095afa1786c01bd1c9f70d8da4f":"":"":"":"de576284d8ad36b31bd4f8f3da633e36"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"46e85752e0af82fc63932950120e4b5d":"ae4316424fa765179404188eb8839ce84ad8db92cb12f39089a93a2dbdc371e2fdbef1ad080eb354eecdda3a10ea66ef647aa095afa1786c01bd1c9f70d8da4f":"":"":"":"de576284d8ad36b31bd4f8f3da633e36"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #9
-ctr_drbg_validate_nopr:"ec2459b1dd7f50df63e14e40aa4a4e66":"b964a24bf98264327c0b9e2e1c99ed1b35f534be801c996f318bc2074ed2500ba8488c4feb442b507c3220523c0041c9543133379365e65e092850a5e3f96cc9":"":"":"":"4d466e2f388aae40d1b31ce1f8ddc5e8"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"ec2459b1dd7f50df63e14e40aa4a4e66":"b964a24bf98264327c0b9e2e1c99ed1b35f534be801c996f318bc2074ed2500ba8488c4feb442b507c3220523c0041c9543133379365e65e092850a5e3f96cc9":"":"":"":"4d466e2f388aae40d1b31ce1f8ddc5e8"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #10
-ctr_drbg_validate_nopr:"acf480d54f4c66d611519b72f2c0dca6":"d5b3277cf8badf6be86af27dd36f23ffc580847c5fcb56c4d8a42339336f185c38ffb86f4d8aa7646c1aaed6c2b0c7ae7e4d435f481d62bb01e632f6bbb2abf9":"":"":"":"746aaa5423ef77ea6b1eda47410262dd"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"acf480d54f4c66d611519b72f2c0dca6":"d5b3277cf8badf6be86af27dd36f23ffc580847c5fcb56c4d8a42339336f185c38ffb86f4d8aa7646c1aaed6c2b0c7ae7e4d435f481d62bb01e632f6bbb2abf9":"":"":"":"746aaa5423ef77ea6b1eda47410262dd"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #11
-ctr_drbg_validate_nopr:"edb80fddc595b234e3c5c03b2be3d721":"94aad8c772201435543efd9013c9f5f022038db6864e9ed4141ea75beb236844da6e6a17109262bc80f528427b37d9da6df03c7dd25be233774384a7f53197ea":"":"":"":"511927f10f800445b705ea3cfe6ec823"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"edb80fddc595b234e3c5c03b2be3d721":"94aad8c772201435543efd9013c9f5f022038db6864e9ed4141ea75beb236844da6e6a17109262bc80f528427b37d9da6df03c7dd25be233774384a7f53197ea":"":"":"":"511927f10f800445b705ea3cfe6ec823"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #12
-ctr_drbg_validate_nopr:"c7790c9888b0e731ca6ccd60c32bb98a":"967050c11050a6d99a5da428d1f0fc8068b29ba4c66965addbfd31b745cb07d2439d268ab32a5fa2b1934bf277ff586506a941768468905ed980537d8baa1d07":"":"":"":"978493f0cece6f94d21863a519e06dbe"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"c7790c9888b0e731ca6ccd60c32bb98a":"967050c11050a6d99a5da428d1f0fc8068b29ba4c66965addbfd31b745cb07d2439d268ab32a5fa2b1934bf277ff586506a941768468905ed980537d8baa1d07":"":"":"":"978493f0cece6f94d21863a519e06dbe"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #13
-ctr_drbg_validate_nopr:"58c75625771df61c48a82590eeed3378":"be3120e8515a98701b4b2fb0667de2bad3f32bcbf10fb9b820956f9aa7ffa1bbbafb70002a9c7fdd1cf7e76a735261798dc60a1163919d58e39ef0c38b54b27b":"":"":"":"90f5c486e7efe932258610e744506487"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"58c75625771df61c48a82590eeed3378":"be3120e8515a98701b4b2fb0667de2bad3f32bcbf10fb9b820956f9aa7ffa1bbbafb70002a9c7fdd1cf7e76a735261798dc60a1163919d58e39ef0c38b54b27b":"":"":"":"90f5c486e7efe932258610e744506487"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,0) #14
-ctr_drbg_validate_nopr:"d3f64c11aa21bb2d12278847547fb11b":"855c0e3a7567730b11e197c136e5c22b1dc7271d4dbe04bcdfd2fc0ef806b3c05b4264ee6c60d526506622ebf6130738dba4bf35c13ce33db19487312ee691fe":"":"":"":"33ed7089ebae738c6a7e6e2390d573e4"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"d3f64c11aa21bb2d12278847547fb11b":"855c0e3a7567730b11e197c136e5c22b1dc7271d4dbe04bcdfd2fc0ef806b3c05b4264ee6c60d526506622ebf6130738dba4bf35c13ce33db19487312ee691fe":"":"":"":"33ed7089ebae738c6a7e6e2390d573e4"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #0
-ctr_drbg_validate_nopr:"132ad1c40afb066620f004f08409c59e":"2e5beadd89b663b3903d3a63c3ab5605bfb1a0045a42430e0220243c51a69f7ff7678c2f8edb7bb4a29b646f3edfaca2463f9defd342da87d22b1b8fdb012fd5":"150deb841d1a4d90e66e85b036d9f5a7efca726b907ae3e8f05e1d1338cdfd32":"fb199beeeaf3939be2a5f9e6ba22f97cdd2c7576e81eccc686facbdf8bb4f2aa":"4293341721f57e4548ce8c003531d38622446c8825904e1b868dcddc626c5164":"66d8f3bfb78186b57136ec2c1602e1ef"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"132ad1c40afb066620f004f08409c59e":"2e5beadd89b663b3903d3a63c3ab5605bfb1a0045a42430e0220243c51a69f7ff7678c2f8edb7bb4a29b646f3edfaca2463f9defd342da87d22b1b8fdb012fd5":"150deb841d1a4d90e66e85b036d9f5a7efca726b907ae3e8f05e1d1338cdfd32":"fb199beeeaf3939be2a5f9e6ba22f97cdd2c7576e81eccc686facbdf8bb4f2aa":"4293341721f57e4548ce8c003531d38622446c8825904e1b868dcddc626c5164":"66d8f3bfb78186b57136ec2c1602e1ef"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #1
-ctr_drbg_validate_nopr:"1c1502ca97c109399a72a77c8d6cc22b":"1d33b1b257a3ae1210fa2099307916a73dd92270769697ea2d7901f56865e3cae1be94b5024d0da3880bce06f0b31231c5a889f8ba3d92a20844b61009db672d":"23eede46eff4a04b08dcc2133e4537b332351f8469630f11b0c8853fb762a4bc":"6fd9f9da108e68aea9d1cecd81c49bcd0e7bedb348890f2248cb31c4277369f7":"76bcc11bd952123f78dd2ba60dd932d49203e418bb832d60b45c083e1e129834":"a1eee46001616f2bf87729895da0d0d1"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"1c1502ca97c109399a72a77c8d6cc22b":"1d33b1b257a3ae1210fa2099307916a73dd92270769697ea2d7901f56865e3cae1be94b5024d0da3880bce06f0b31231c5a889f8ba3d92a20844b61009db672d":"23eede46eff4a04b08dcc2133e4537b332351f8469630f11b0c8853fb762a4bc":"6fd9f9da108e68aea9d1cecd81c49bcd0e7bedb348890f2248cb31c4277369f7":"76bcc11bd952123f78dd2ba60dd932d49203e418bb832d60b45c083e1e129834":"a1eee46001616f2bf87729895da0d0d1"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #2
-ctr_drbg_validate_nopr:"c79c0a1db75e83af258cdf9ead81264d":"5e8cc0fdadc170ed0f5e12f79a6b9e585f9d7c2926c163686a6a724495d88fabcec940d752545cae63f1792dcb966a7325f61997ba8883559ad6f6f8fc09898a":"a2cf6c1c9e4489f504e17f385f08aa82775aa2b0a84abd0b7ee3c6b393d7fd50":"c7529b874e07d4b876196786d510cc038c9e1ab93c461df2474eba484ae6876f":"63c6e7f3548529386c9f47c5aece52ce8454da5db9a807a1b960f7730a61582b":"43b7931e0b3b3769ef8972d0026896a3"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"c79c0a1db75e83af258cdf9ead81264d":"5e8cc0fdadc170ed0f5e12f79a6b9e585f9d7c2926c163686a6a724495d88fabcec940d752545cae63f1792dcb966a7325f61997ba8883559ad6f6f8fc09898a":"a2cf6c1c9e4489f504e17f385f08aa82775aa2b0a84abd0b7ee3c6b393d7fd50":"c7529b874e07d4b876196786d510cc038c9e1ab93c461df2474eba484ae6876f":"63c6e7f3548529386c9f47c5aece52ce8454da5db9a807a1b960f7730a61582b":"43b7931e0b3b3769ef8972d0026896a3"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #3
-ctr_drbg_validate_nopr:"b44d1dd914e88840bc65a94ee199b3ac":"c3dae1863d323cc78f43ccb3f632fde29130e6b23b843ff5a8d79fddc3c1f92b55cd3dcaf7848d40d189c0de7790bebb889e01be05980dcdf30d2b3333426c50":"41e2fce9b48642a1b9bd1695314adcdd38e1a8afe4891e633c5088c6753438a2":"1eb3f8bbacb0c6b901718bfd7eba29f6f87e1fe056ad442d6d38c1351a684e1f":"85570db773f3f5202967376f91a0a9c09c89cd4eddd58cdc6210335fd5e7acef":"bd53036538d9ed904a49966b5428a2a8"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"b44d1dd914e88840bc65a94ee199b3ac":"c3dae1863d323cc78f43ccb3f632fde29130e6b23b843ff5a8d79fddc3c1f92b55cd3dcaf7848d40d189c0de7790bebb889e01be05980dcdf30d2b3333426c50":"41e2fce9b48642a1b9bd1695314adcdd38e1a8afe4891e633c5088c6753438a2":"1eb3f8bbacb0c6b901718bfd7eba29f6f87e1fe056ad442d6d38c1351a684e1f":"85570db773f3f5202967376f91a0a9c09c89cd4eddd58cdc6210335fd5e7acef":"bd53036538d9ed904a49966b5428a2a8"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #4
-ctr_drbg_validate_nopr:"5ef97f7af7df5cc6fa94f8428ec7be5c":"be67434ac4d77f0f50ec5bacc8112d1480bd9f20d6b4ea768d9b51bb69c1dffcd8c30e4412127644aaa6fc453e59fb633f6a5a8c2f69e40d1863e35d4d4c0227":"a64195b1e56cf97fd81e99fa1833d191faf62f534c874def4b8bed0ae7195ac7":"353cd3a8d9cd92bce82cd8d1cc198baa9276db478b0cfe50249e30c3042ee9db":"393ab4726f088fdfeb4df752e1b2aec678e41fa60781bc5e914296227d6b3dfc":"24bdc2cad5dccd2309425f11a24c8c39"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"5ef97f7af7df5cc6fa94f8428ec7be5c":"be67434ac4d77f0f50ec5bacc8112d1480bd9f20d6b4ea768d9b51bb69c1dffcd8c30e4412127644aaa6fc453e59fb633f6a5a8c2f69e40d1863e35d4d4c0227":"a64195b1e56cf97fd81e99fa1833d191faf62f534c874def4b8bed0ae7195ac7":"353cd3a8d9cd92bce82cd8d1cc198baa9276db478b0cfe50249e30c3042ee9db":"393ab4726f088fdfeb4df752e1b2aec678e41fa60781bc5e914296227d6b3dfc":"24bdc2cad5dccd2309425f11a24c8c39"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #5
-ctr_drbg_validate_nopr:"567130da4e7ecc4db0f035d7ecb11878":"cc070df6aa3623f74afd85b59d1bef2b1fcd9c8093362512ff109ebfe992ed75bd58b5ae1561d702b69065eb3cc0bd328ab698d4c6ca274e96d673309b5df5df":"42033054cefa1f20b3443f8ab7d9635ae8f047b833c8529245ba8b4aa07edba3":"72972fb947bff60df291888ddbfd91e698e0c1c26a346b95fc7c5dac596d0073":"af29b6a13602ba9c6b11f8dbdeb6cb52e211f9cd2fc96e63b61e3c1ec631d2ea":"b0849f8317e043271a3fc5f2eaaaaba2"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"567130da4e7ecc4db0f035d7ecb11878":"cc070df6aa3623f74afd85b59d1bef2b1fcd9c8093362512ff109ebfe992ed75bd58b5ae1561d702b69065eb3cc0bd328ab698d4c6ca274e96d673309b5df5df":"42033054cefa1f20b3443f8ab7d9635ae8f047b833c8529245ba8b4aa07edba3":"72972fb947bff60df291888ddbfd91e698e0c1c26a346b95fc7c5dac596d0073":"af29b6a13602ba9c6b11f8dbdeb6cb52e211f9cd2fc96e63b61e3c1ec631d2ea":"b0849f8317e043271a3fc5f2eaaaaba2"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #6
-ctr_drbg_validate_nopr:"2c20ae36f1e74542ed8b0a177b8050aa":"c4bf7a39caf26dc3f61311f54ab3095493c626a988f5abee2826c67a4f4b4d6a02329c99a6bcb5e387fa160741c871acc2929c1cc07f2f0a7ce1619eb7da1ec4":"97c148dd10c3dd72b1eaaafbe37a9310ed15b23872e9f2b62d1feb91ea81ffe3":"23df0c30c68bf2eeb55d273a596f1f54ed916271595b906e4f7793b7a52f2573":"22f120fa09215105116919aaf8eebcb69eccd5da42feb737018a05268bf08e46":"b7c73b9ceea2e6ca0be6a3773cdd6886"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"2c20ae36f1e74542ed8b0a177b8050aa":"c4bf7a39caf26dc3f61311f54ab3095493c626a988f5abee2826c67a4f4b4d6a02329c99a6bcb5e387fa160741c871acc2929c1cc07f2f0a7ce1619eb7da1ec4":"97c148dd10c3dd72b1eaaafbe37a9310ed15b23872e9f2b62d1feb91ea81ffe3":"23df0c30c68bf2eeb55d273a596f1f54ed916271595b906e4f7793b7a52f2573":"22f120fa09215105116919aaf8eebcb69eccd5da42feb737018a05268bf08e46":"b7c73b9ceea2e6ca0be6a3773cdd6886"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #7
-ctr_drbg_validate_nopr:"2076f9e116a2648e1e664b815b1b3674":"979b5aeafe555aeba152ed66e32e30e110df20ee1f227932a72acfb8218aec767941efaefa091c0128dad9b93b06b28fc76e01f275e8ce1c02f0eb567c914f89":"d12fb10b9fa6d2fd0f39cf76294cd44dcbfa80dca7c2f8537c75453d985ef551":"4228a99faf35547a58c1a4d842301dca374f1f13c6fd067b7c1b815863b73158":"a3a7d5f1e2dcf95a90715ec5fd32e7f88c38b0a452b6ccd1f107458db4f74fd6":"8a63a5002a3636b241f0bec14fd9c2ac"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"2076f9e116a2648e1e664b815b1b3674":"979b5aeafe555aeba152ed66e32e30e110df20ee1f227932a72acfb8218aec767941efaefa091c0128dad9b93b06b28fc76e01f275e8ce1c02f0eb567c914f89":"d12fb10b9fa6d2fd0f39cf76294cd44dcbfa80dca7c2f8537c75453d985ef551":"4228a99faf35547a58c1a4d842301dca374f1f13c6fd067b7c1b815863b73158":"a3a7d5f1e2dcf95a90715ec5fd32e7f88c38b0a452b6ccd1f107458db4f74fd6":"8a63a5002a3636b241f0bec14fd9c2ac"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #8
-ctr_drbg_validate_nopr:"a71015cf06ddd0a6cd72fa014cf0aee6":"c810cb9db0f169dbc30fda85ccb6d4c40db68d429eeb3653070db7641fbbaba60ef0ff970eaf40887b7e154e2ecd5331de7004689ec604e69927da630a8dd7a7":"5f99f45d8770041703e5a14521c501904fd05ff3340835ac0c41b86442e4939c":"eb7efa6e46ab926ea04c87eb9ce454f5b10717bd9d85305f27d71bea1bc991b3":"cbc80c6171d098fc81023486d327efe2415a0f32e5fa6f6793ce1d0e98783258":"a353f6b350404f3f7b4fb724f84a948a"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"a71015cf06ddd0a6cd72fa014cf0aee6":"c810cb9db0f169dbc30fda85ccb6d4c40db68d429eeb3653070db7641fbbaba60ef0ff970eaf40887b7e154e2ecd5331de7004689ec604e69927da630a8dd7a7":"5f99f45d8770041703e5a14521c501904fd05ff3340835ac0c41b86442e4939c":"eb7efa6e46ab926ea04c87eb9ce454f5b10717bd9d85305f27d71bea1bc991b3":"cbc80c6171d098fc81023486d327efe2415a0f32e5fa6f6793ce1d0e98783258":"a353f6b350404f3f7b4fb724f84a948a"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #9
-ctr_drbg_validate_nopr:"395931837614c322d8488ec6a2c4c919":"831fc8d63592b6ce358c08aeac39d67c3e48b4c2617735b6fe5e9fa44d7aee9d60f2fcf549db239d5bed9c608c94e8f8c23b32901442ac53442127377bdcf205":"eb261c737c0a17c8cb1ae055c143f701b74c96c852e4a76ca3ea045e7efdf5ee":"153276007b3843a897efbf022bd1bcabcf655c7eb8acef9baac710b339ecfd99":"a8a5cb17a2945e5b41ff370cc88ac498389b89b6cd82bb3bbde81c212f7c17d4":"537fc2b73183d2c0c106886937a6609c"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"395931837614c322d8488ec6a2c4c919":"831fc8d63592b6ce358c08aeac39d67c3e48b4c2617735b6fe5e9fa44d7aee9d60f2fcf549db239d5bed9c608c94e8f8c23b32901442ac53442127377bdcf205":"eb261c737c0a17c8cb1ae055c143f701b74c96c852e4a76ca3ea045e7efdf5ee":"153276007b3843a897efbf022bd1bcabcf655c7eb8acef9baac710b339ecfd99":"a8a5cb17a2945e5b41ff370cc88ac498389b89b6cd82bb3bbde81c212f7c17d4":"537fc2b73183d2c0c106886937a6609c"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #10
-ctr_drbg_validate_nopr:"9a1983859dd6c4cb602970d705952b2b":"68c5cf31f7959ffaa83af9dd55a75ec001befbf835e42a789ac42d39d96128eb6d9b3f07ced15e57e39760390c065fb4425c19ef7184635c18e5ed28256937e1":"e06497a181a5362980579c91d263f630ad4794519a64261ede8b36cf0ac5e713":"714e4fc52aea763e23a1f5b18949ab8fd949f1768560559bccb49d78d51dfab5":"6b6b7f65fd472ad428df2bbb86b85067d0a6f89d9233eea92f5189a9163d0419":"e32af8a81c59dc44540ed8845b447fdb"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"9a1983859dd6c4cb602970d705952b2b":"68c5cf31f7959ffaa83af9dd55a75ec001befbf835e42a789ac42d39d96128eb6d9b3f07ced15e57e39760390c065fb4425c19ef7184635c18e5ed28256937e1":"e06497a181a5362980579c91d263f630ad4794519a64261ede8b36cf0ac5e713":"714e4fc52aea763e23a1f5b18949ab8fd949f1768560559bccb49d78d51dfab5":"6b6b7f65fd472ad428df2bbb86b85067d0a6f89d9233eea92f5189a9163d0419":"e32af8a81c59dc44540ed8845b447fdb"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #11
-ctr_drbg_validate_nopr:"230576e9518fb9a6a8391a84919b0d97":"6193f0e7b33ce19fde922aec9c93f1271ebcdd296d9c8c77029b59afa2064e3159088e07e91c14a4a3dc23b6005dd8ef1425d7d2ae8282a5b30b7498b6754234":"ffaca30a256d18836a0d49bbaad599a28fc7821d71aa91b97158a492d84a6280":"a3da13852d0717afed7c58c52530d2ae047b645a5e7aa8cfabc11478444151ac":"e15fdaeea31c95555fc509d2a266abf78d86ca11aa2f87ce1041142eb9f82bae":"7906f8da1e140345c191dbc2de5ead1b"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"230576e9518fb9a6a8391a84919b0d97":"6193f0e7b33ce19fde922aec9c93f1271ebcdd296d9c8c77029b59afa2064e3159088e07e91c14a4a3dc23b6005dd8ef1425d7d2ae8282a5b30b7498b6754234":"ffaca30a256d18836a0d49bbaad599a28fc7821d71aa91b97158a492d84a6280":"a3da13852d0717afed7c58c52530d2ae047b645a5e7aa8cfabc11478444151ac":"e15fdaeea31c95555fc509d2a266abf78d86ca11aa2f87ce1041142eb9f82bae":"7906f8da1e140345c191dbc2de5ead1b"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #12
-ctr_drbg_validate_nopr:"e08a3a33adb4399a9be72fead224155f":"cfbe8b1464b00bb9e0d18b04d2040ed9bd822741188812b98a440fbc66ff018ddf6c0ea20c62d01b8237bc7c3da9e3f9fb874fca79a360b4f0f967d8d02083ba":"56f975849197e2eae5a2e6fb445a93c1fadf57280ac27e27c7cbea2cb00c10cc":"0a6d9e2d6e181addab0ea1ee89c65ce557e10fb8e8d43a24cdd27033d3fff507":"823e9400a9f563cc1fa5daf10f4ff1ab8affa18d8371f9cd0e067fcddce8caed":"5ded298f98cffb2e7f5ea97bd50c7e3e"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"e08a3a33adb4399a9be72fead224155f":"cfbe8b1464b00bb9e0d18b04d2040ed9bd822741188812b98a440fbc66ff018ddf6c0ea20c62d01b8237bc7c3da9e3f9fb874fca79a360b4f0f967d8d02083ba":"56f975849197e2eae5a2e6fb445a93c1fadf57280ac27e27c7cbea2cb00c10cc":"0a6d9e2d6e181addab0ea1ee89c65ce557e10fb8e8d43a24cdd27033d3fff507":"823e9400a9f563cc1fa5daf10f4ff1ab8affa18d8371f9cd0e067fcddce8caed":"5ded298f98cffb2e7f5ea97bd50c7e3e"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #13
-ctr_drbg_validate_nopr:"11c13b917d9f94fd7a008566d8598e89":"f53343a5a455132df3d1b03db39e44d933855b375d7422ad0d07dfdfb352af28946eb29980793456ec8634bf113e75783246bbd05aa8a7cb5886d372fa012f58":"ff1d8d33083023ffbe28f153bddfa9d9f3c221da16f8f20967d2508fa7752b55":"66a98c7d778d798617e1d31d4bdfabf8d381d38b82125838ddf43fb7f5b27dc6":"407c72d7c890c00b249be00a53ae722e5d8033c84b1e1a6a69d4b278ba5db9eb":"67ab88156f20d03b3a1bc363daefc0c6"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"11c13b917d9f94fd7a008566d8598e89":"f53343a5a455132df3d1b03db39e44d933855b375d7422ad0d07dfdfb352af28946eb29980793456ec8634bf113e75783246bbd05aa8a7cb5886d372fa012f58":"ff1d8d33083023ffbe28f153bddfa9d9f3c221da16f8f20967d2508fa7752b55":"66a98c7d778d798617e1d31d4bdfabf8d381d38b82125838ddf43fb7f5b27dc6":"407c72d7c890c00b249be00a53ae722e5d8033c84b1e1a6a69d4b278ba5db9eb":"67ab88156f20d03b3a1bc363daefc0c6"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,0,256) #14
-ctr_drbg_validate_nopr:"7b95343a4ac0f8c8b2645c33757a3146":"3d7e2987860cbcba14a12594e1a394ee754c9a7a65cecc990bc79b5e86e672e12f8c144d843e1abca46b4759a11b3d29f4e219077a8696efadee618f254cb80a":"16297534a79c4ae7493178226b29e42a6f1e0066aeaee8b5af65bcefa2ee3ebb":"b429ee986f16fb35fe2c47c03c0918870b4560f4ec4678f9df471cbd7ca6a887":"2b14d612eb00c7fba0d8e23bf91df91daef6f8e279e0050d5497ddf0f3466c76":"8f72c17405163090fe0bd795b65811c6"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"7b95343a4ac0f8c8b2645c33757a3146":"3d7e2987860cbcba14a12594e1a394ee754c9a7a65cecc990bc79b5e86e672e12f8c144d843e1abca46b4759a11b3d29f4e219077a8696efadee618f254cb80a":"16297534a79c4ae7493178226b29e42a6f1e0066aeaee8b5af65bcefa2ee3ebb":"b429ee986f16fb35fe2c47c03c0918870b4560f4ec4678f9df471cbd7ca6a887":"2b14d612eb00c7fba0d8e23bf91df91daef6f8e279e0050d5497ddf0f3466c76":"8f72c17405163090fe0bd795b65811c6"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #0
-ctr_drbg_validate_nopr:"327290da2e9a19c840de8d33e425efaa5aa7a7afa4e5a812065965478d640f78520cf3c670b098943fec1914d4c8c411":"80bdf18288cb8adb6e3dacb09c553af2e7317c194d37f433eec27e324a0bad752899bda91fd41e5a08acdfd76007aecabc19c95a8bcede310f7320ce97aaad0e":"":"":"":"c26222662ed3a649a1745dee5df4eef0"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"327290da2e9a19c840de8d33e425efaa5aa7a7afa4e5a812065965478d640f78520cf3c670b098943fec1914d4c8c411":"80bdf18288cb8adb6e3dacb09c553af2e7317c194d37f433eec27e324a0bad752899bda91fd41e5a08acdfd76007aecabc19c95a8bcede310f7320ce97aaad0e":"":"":"":"c26222662ed3a649a1745dee5df4eef0"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #1
-ctr_drbg_validate_nopr:"be14f473472db07a43b7f9a517735d7f7ede2aa70dbdb729bc4f578a0dce9d7fe9fd97939cd1ef731262417b5213bd7f":"ac71ff53140c1383eb379e5311e37637af933db494e5e689d065661e9095b8302e4174c392f324fac43695d9381e3cf4626a5347938ed9e21502cbd789cca363":"":"":"":"4bab95f9f05fc36a337b6f2582c2ce98"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"be14f473472db07a43b7f9a517735d7f7ede2aa70dbdb729bc4f578a0dce9d7fe9fd97939cd1ef731262417b5213bd7f":"ac71ff53140c1383eb379e5311e37637af933db494e5e689d065661e9095b8302e4174c392f324fac43695d9381e3cf4626a5347938ed9e21502cbd789cca363":"":"":"":"4bab95f9f05fc36a337b6f2582c2ce98"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #2
-ctr_drbg_validate_nopr:"88c31e24f4f859b668946ce73f8600621a70731440762b3c267ceab52a9d77a23d6f70ddba0e46a786697a906ccb18a3":"bf9bf25a949d447274a8c72f1ae51399521f8aca39b1b37bb7b4d5cf3c67d55ef8dbacfb71aa9c5949416e2868b968883e517215bc20292894f8406ab39c1ea1":"":"":"":"841aaa0b171d1526ef365b9201adbff3"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"88c31e24f4f859b668946ce73f8600621a70731440762b3c267ceab52a9d77a23d6f70ddba0e46a786697a906ccb18a3":"bf9bf25a949d447274a8c72f1ae51399521f8aca39b1b37bb7b4d5cf3c67d55ef8dbacfb71aa9c5949416e2868b968883e517215bc20292894f8406ab39c1ea1":"":"":"":"841aaa0b171d1526ef365b9201adbff3"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #3
-ctr_drbg_validate_nopr:"8545a0de5ea028c8e5976d5b58fa50079b20ba716f0856cc1af7b98537c895f0266b956542d2b8ca661aef5da1f7f8c5":"686f4f9ee74c3402845fbad9353d7dfeff727584d892eb64bd84b764110cbe4ac8581e7e23acb95caf12979983e8947c570264aec292f1c7b756f7184007dcba":"":"":"":"f6d6ae6449b2984df8bcb69584fb16f3"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"8545a0de5ea028c8e5976d5b58fa50079b20ba716f0856cc1af7b98537c895f0266b956542d2b8ca661aef5da1f7f8c5":"686f4f9ee74c3402845fbad9353d7dfeff727584d892eb64bd84b764110cbe4ac8581e7e23acb95caf12979983e8947c570264aec292f1c7b756f7184007dcba":"":"":"":"f6d6ae6449b2984df8bcb69584fb16f3"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #4
-ctr_drbg_validate_nopr:"d6cd4b4fb9105374605deac7bb49ad792eb225daa560f2a86f66269bf9afc2ea01b6ee6f0eb4926d2f09329df6e90d79":"5d1b8fa0ca2ee127d1bd41423c17b9a8c736715cc2906818e9216dfd81b7637b66c89b772b55ae707c6effa2d9ce7425df26f966646ab613d5599143cf51e5e8":"":"":"":"c36ab451116d733eb4377de3511db5ce"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"d6cd4b4fb9105374605deac7bb49ad792eb225daa560f2a86f66269bf9afc2ea01b6ee6f0eb4926d2f09329df6e90d79":"5d1b8fa0ca2ee127d1bd41423c17b9a8c736715cc2906818e9216dfd81b7637b66c89b772b55ae707c6effa2d9ce7425df26f966646ab613d5599143cf51e5e8":"":"":"":"c36ab451116d733eb4377de3511db5ce"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #5
-ctr_drbg_validate_nopr:"e73ebae0d0834fdff1829ac3d9722fe9f1bc65b5f652fae5f7615af116440e3d5709b5cddd6065d568c246820de46b09":"2026cf7c1b1fe9645ab8759958ac04fb1d8938b9913c3b7f22da81e398b2c00b1921e1d4edb5d21c4531515cb0f9644fe8068685b9fca813176e6780796e8ded":"":"":"":"98d1dce30593de8a8d5b4d956f6c684b"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"e73ebae0d0834fdff1829ac3d9722fe9f1bc65b5f652fae5f7615af116440e3d5709b5cddd6065d568c246820de46b09":"2026cf7c1b1fe9645ab8759958ac04fb1d8938b9913c3b7f22da81e398b2c00b1921e1d4edb5d21c4531515cb0f9644fe8068685b9fca813176e6780796e8ded":"":"":"":"98d1dce30593de8a8d5b4d956f6c684b"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #6
-ctr_drbg_validate_nopr:"a53c1813c06b609eff9ddc77204b085ca985f22170b8ecfcbbf45ea11c45c24fcf25bc33150f9f97ce48244d5beb685c":"1d0dd1a87d59c69f28e118e1083d65f1ee0df31f6308a92dcc47503ec4d20a018d9821c6a7d64385724f0e941231426e028efe6d75e53ff8edf095ef1baf2656":"":"":"":"035cec3a24ba7c44e5c19436c2689a75"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"a53c1813c06b609eff9ddc77204b085ca985f22170b8ecfcbbf45ea11c45c24fcf25bc33150f9f97ce48244d5beb685c":"1d0dd1a87d59c69f28e118e1083d65f1ee0df31f6308a92dcc47503ec4d20a018d9821c6a7d64385724f0e941231426e028efe6d75e53ff8edf095ef1baf2656":"":"":"":"035cec3a24ba7c44e5c19436c2689a75"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #7
-ctr_drbg_validate_nopr:"16d5b8290693a5c40c5a526dd6d653ac54cabb5608d77bb2cb7d6270b96c2fe2de076716ae8cf0a5c781edbde861dc70":"aa82a5ea33439d0c16a1cc13cbae53b169f4d369bcbdae81a9a38129c65ae0ea4f720576c012f8d7eb1c0202003c39d28453a22e502b4949cf5ba23a727721bf":"":"":"":"de4ed9d163d11e9b52470d078df4c869"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"16d5b8290693a5c40c5a526dd6d653ac54cabb5608d77bb2cb7d6270b96c2fe2de076716ae8cf0a5c781edbde861dc70":"aa82a5ea33439d0c16a1cc13cbae53b169f4d369bcbdae81a9a38129c65ae0ea4f720576c012f8d7eb1c0202003c39d28453a22e502b4949cf5ba23a727721bf":"":"":"":"de4ed9d163d11e9b52470d078df4c869"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #8
-ctr_drbg_validate_nopr:"68bfabdbb821cb978527ff18ce37c96c79ad751756551f36b6991981285a68854ec7f72f548c3395ad3ee40410064d4b":"3da9e9518eb1f1b6268e4597f158844ff672ddb414f7ec23fa66d6c86b90a732a7b3016a3387ec3dbed34eb479413d017932ebf9f2a2fea0b35d2bf4e06718f9":"":"":"":"ec4e3e2b6b8763deb17b8611d1fe7953"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"68bfabdbb821cb978527ff18ce37c96c79ad751756551f36b6991981285a68854ec7f72f548c3395ad3ee40410064d4b":"3da9e9518eb1f1b6268e4597f158844ff672ddb414f7ec23fa66d6c86b90a732a7b3016a3387ec3dbed34eb479413d017932ebf9f2a2fea0b35d2bf4e06718f9":"":"":"":"ec4e3e2b6b8763deb17b8611d1fe7953"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #9
-ctr_drbg_validate_nopr:"171a74ab694a7d7c2baa3ccf103ad94f11094e07a955ae9ac3bad370f1448753e99b63cc23d1878ab66f94136ec2ecac":"72ebeda7342770d03bc0e531754f946ca5cca684c41f9d089fe9147fad93b6154919c5cb2e6d162fbfde7b9ff0aa590a17993ca6c80bd59eee4134fc2ce944d8":"":"":"":"582ab4f105c3e1fed9593f58fc335fc3"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"171a74ab694a7d7c2baa3ccf103ad94f11094e07a955ae9ac3bad370f1448753e99b63cc23d1878ab66f94136ec2ecac":"72ebeda7342770d03bc0e531754f946ca5cca684c41f9d089fe9147fad93b6154919c5cb2e6d162fbfde7b9ff0aa590a17993ca6c80bd59eee4134fc2ce944d8":"":"":"":"582ab4f105c3e1fed9593f58fc335fc3"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #10
-ctr_drbg_validate_nopr:"caed30015b34064762591eba9a59f440566a6621832f650572362229e8a38cd0f5d6d322afd8444132056690d6fa5540":"8e27f0dbeae4613bcf0011105f824ed2ecb150a83a0994f8f6607833755216e016fb175e51d42370afe27b11c18477886b530c95bc31bd1c0f8fe00f61fc15a0":"":"":"":"d42787e97147d457f1590c742443ad92"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"caed30015b34064762591eba9a59f440566a6621832f650572362229e8a38cd0f5d6d322afd8444132056690d6fa5540":"8e27f0dbeae4613bcf0011105f824ed2ecb150a83a0994f8f6607833755216e016fb175e51d42370afe27b11c18477886b530c95bc31bd1c0f8fe00f61fc15a0":"":"":"":"d42787e97147d457f1590c742443ad92"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #11
-ctr_drbg_validate_nopr:"c58d62f8145622cd86cfbda66bc26d2ce4c5610cd9cd1c326b99b60355a6fe751783c07f2cc21ba68f1f20ca70f0ad31":"38a8b685e6bbab67824f4cc72995043ea2854f067f2afaec762c9e78ff9d585a25bc63c8d0d075d06d43f3f694733982d26cbe0648b2d0cf8053918b912c303a":"":"":"":"84001709f15a2fd167c161b5d376d86d"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"c58d62f8145622cd86cfbda66bc26d2ce4c5610cd9cd1c326b99b60355a6fe751783c07f2cc21ba68f1f20ca70f0ad31":"38a8b685e6bbab67824f4cc72995043ea2854f067f2afaec762c9e78ff9d585a25bc63c8d0d075d06d43f3f694733982d26cbe0648b2d0cf8053918b912c303a":"":"":"":"84001709f15a2fd167c161b5d376d86d"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #12
-ctr_drbg_validate_nopr:"dc9719050d5257152d8a7d60d3ef1fc5b8cb1700bafc7de863c019f244779c464b6214f21a2f6d0aa3ca282007615ce5":"f188a1ba21b1791ebf8a08d8ba555e49423d9178a561bcc1672539c3a7ba1d856eae9922c4d96c181ed045d6f1d15e855690cdae451edac60f1ca2021f1fec57":"":"":"":"7540fed313c96261cac255bf83b5ae99"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"dc9719050d5257152d8a7d60d3ef1fc5b8cb1700bafc7de863c019f244779c464b6214f21a2f6d0aa3ca282007615ce5":"f188a1ba21b1791ebf8a08d8ba555e49423d9178a561bcc1672539c3a7ba1d856eae9922c4d96c181ed045d6f1d15e855690cdae451edac60f1ca2021f1fec57":"":"":"":"7540fed313c96261cac255bf83b5ae99"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #13
-ctr_drbg_validate_nopr:"ff057781af4a4a1eefeb26ab38f82a2efb6f065de290ebf225bd693dfb1f97455b49143bdb430324c9d945c48824f6cc":"0ddd0f4a43a7b54d9abb0928a2242c378db7a95a0b206baa642afe5cd55108f412f1d727fd591bca2c76355aa62aa8638cfa1916739bc66e02b9459ccd0881ba":"":"":"":"8b6e74a94fcac0d2f212d3594213fbb6"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"ff057781af4a4a1eefeb26ab38f82a2efb6f065de290ebf225bd693dfb1f97455b49143bdb430324c9d945c48824f6cc":"0ddd0f4a43a7b54d9abb0928a2242c378db7a95a0b206baa642afe5cd55108f412f1d727fd591bca2c76355aa62aa8638cfa1916739bc66e02b9459ccd0881ba":"":"":"":"8b6e74a94fcac0d2f212d3594213fbb6"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,0) #14
-ctr_drbg_validate_nopr:"ef027327e47fc5875c01cb17d798fdc2b27a5c78000727842f8a516f4e8dd34afc167ae145b1e763bebdca51e2f461a7":"128566fe6c5b5595742190519445c25db85ee0ce29371f4cab213400d479d2bfe27655155be0fa237173abb214f0226a2f1770802dd69485adb25e6d837485e1":"":"":"":"76cd1553b2b73d4ef6043a09fb90d679"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"ef027327e47fc5875c01cb17d798fdc2b27a5c78000727842f8a516f4e8dd34afc167ae145b1e763bebdca51e2f461a7":"128566fe6c5b5595742190519445c25db85ee0ce29371f4cab213400d479d2bfe27655155be0fa237173abb214f0226a2f1770802dd69485adb25e6d837485e1":"":"":"":"76cd1553b2b73d4ef6043a09fb90d679"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #0
-ctr_drbg_validate_nopr:"8e1a59210f876d017109cb90c7d5dd669b375d971266b7320ba8db9bd79b373bcc895974460e08eadd07a00ce7bdade9":"23677c04a2d6ab446b7b3c582a8071654d27859441b10799f08b788378b926ca4306e7cb5c0f9f104c607fbf0c379be49426e53bf5637225b551f0cc694d6593":"19e914ffbc6d872be010d66b17874010ec8b036a3d60d7f7dda5accc6962a542":"bd7a0c09e780e0ad783fd708355b8df77b4454c3d606fb8de053bffa5ecf9021":"d284dc2caf6d214f8909efc9a75297bccfc04353c2788a96f8b752749c7fec0c":"129d256e7db6269e5a0a160d2278f305"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"8e1a59210f876d017109cb90c7d5dd669b375d971266b7320ba8db9bd79b373bcc895974460e08eadd07a00ce7bdade9":"23677c04a2d6ab446b7b3c582a8071654d27859441b10799f08b788378b926ca4306e7cb5c0f9f104c607fbf0c379be49426e53bf5637225b551f0cc694d6593":"19e914ffbc6d872be010d66b17874010ec8b036a3d60d7f7dda5accc6962a542":"bd7a0c09e780e0ad783fd708355b8df77b4454c3d606fb8de053bffa5ecf9021":"d284dc2caf6d214f8909efc9a75297bccfc04353c2788a96f8b752749c7fec0c":"129d256e7db6269e5a0a160d2278f305"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #1
-ctr_drbg_validate_nopr:"00674e633670c9971be7af789d37d5a4ef567b3ca4766722cd8f67e09d21cbbfa08d43ea1aa259999c6a307ae6347d62":"ec47b029643f85ea19388b6e9de6ab22705b060ae10cee71262027d0bdff5efd7393af619bc6658612fabc78439a0bd5a01255563a96013fa130dd06fd0f5442":"5b92bce3f87645126daa4704fd7df98b880aa07743a57399b985ad1a00b1f2fc":"8199de1338c688234c77262ef35423f4695b277726c76d8b5f426399c14d83b5":"eb95f5a4d8400cec2d4e0f548b6e92636b5e284fb6b61766a1f35bb9cdc5df0a":"9fbe95817578eb272aa9da2f509c2a06"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"00674e633670c9971be7af789d37d5a4ef567b3ca4766722cd8f67e09d21cbbfa08d43ea1aa259999c6a307ae6347d62":"ec47b029643f85ea19388b6e9de6ab22705b060ae10cee71262027d0bdff5efd7393af619bc6658612fabc78439a0bd5a01255563a96013fa130dd06fd0f5442":"5b92bce3f87645126daa4704fd7df98b880aa07743a57399b985ad1a00b1f2fc":"8199de1338c688234c77262ef35423f4695b277726c76d8b5f426399c14d83b5":"eb95f5a4d8400cec2d4e0f548b6e92636b5e284fb6b61766a1f35bb9cdc5df0a":"9fbe95817578eb272aa9da2f509c2a06"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #2
-ctr_drbg_validate_nopr:"2553423c3cb0fae8ca54af56f496e9935d5af4738898f77f789a9bee867dfbc6010c4e5bc68da2b922cdd84eea68e1da":"a9bebd13711c0c22c94b3252654854515a9dc015fe69e688fbac9676b3d77ab67e19b020cd2427ac789ca17f656e499be3ba3ab2075ff95247c6355157eebc79":"e74e45fa28697a06dab08545fde0cc26e7eca31c40aa68ee41c4de402fdcc961":"5aa8abf7062079929d6a131cd3844a5fb6514c07061e25cad67677d867297685":"84819109b2e09b46ba3f5464c34b28ce25a186f0e0fd83fe5fa0ab026c01292a":"3846f3406e49040c48b5cfc9cbc75d1a"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"2553423c3cb0fae8ca54af56f496e9935d5af4738898f77f789a9bee867dfbc6010c4e5bc68da2b922cdd84eea68e1da":"a9bebd13711c0c22c94b3252654854515a9dc015fe69e688fbac9676b3d77ab67e19b020cd2427ac789ca17f656e499be3ba3ab2075ff95247c6355157eebc79":"e74e45fa28697a06dab08545fde0cc26e7eca31c40aa68ee41c4de402fdcc961":"5aa8abf7062079929d6a131cd3844a5fb6514c07061e25cad67677d867297685":"84819109b2e09b46ba3f5464c34b28ce25a186f0e0fd83fe5fa0ab026c01292a":"3846f3406e49040c48b5cfc9cbc75d1a"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #3
-ctr_drbg_validate_nopr:"856f1371454bb9aa06be897dcda9b295817c6eeb865a9acb3a89d145bfe29ce5e1b3b12b714571afdfaca7951cd47e33":"a691b8bf6a407c93a36d18aeced4c75f76d8397d4ecbcd4e8f820cb393186897f05c1ef668b027fc78ba6da9bd554cc31a467d47b5e534b5340c7799383ec05c":"2c81d1e94b33164a177d0183d182fe7d23ef4f88444246464e58bdd0de38d82c":"1b5dae81c96771bea091521c0973c5af76a03e3624160e2511e57ff43a1d32a9":"bf5878e2bd139f8f058f3d834acd771514da6d4c5b9ef84466e5a4e0e4b2eaaf":"6a5ea73aad476ce201e173d4d5a7ffcc"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"856f1371454bb9aa06be897dcda9b295817c6eeb865a9acb3a89d145bfe29ce5e1b3b12b714571afdfaca7951cd47e33":"a691b8bf6a407c93a36d18aeced4c75f76d8397d4ecbcd4e8f820cb393186897f05c1ef668b027fc78ba6da9bd554cc31a467d47b5e534b5340c7799383ec05c":"2c81d1e94b33164a177d0183d182fe7d23ef4f88444246464e58bdd0de38d82c":"1b5dae81c96771bea091521c0973c5af76a03e3624160e2511e57ff43a1d32a9":"bf5878e2bd139f8f058f3d834acd771514da6d4c5b9ef84466e5a4e0e4b2eaaf":"6a5ea73aad476ce201e173d4d5a7ffcc"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #4
-ctr_drbg_validate_nopr:"0436075cf8cf62ce623c2301ebd45203c98282611cfa5a12dd7c04525ffa7eb343a607af2f57feb7ce3af97e0abc2285":"1ab9ada5eeebc3fc8e53f358b643476fcfd4dd9f092f21d2bc1c4bb1ffd01a0c5b207aaa09ff76a9cab0aa6ce62b6a65b2650ab448b8bb2e8696a7aa4b6f4e8d":"62f07d1f49e40f7f472985947ac4d8ef2d58216d918f7942b9c70f43daff8972":"37ae758141fbc890ee7e1d0854426b2984fb1c094677e6a61546e9315bab0898":"353d1dd0c8d8656bc418a6a3ace138ecd62819d4e21b8bd87694ea683ec0cc37":"bfee6bb4afc228da981bfe7f0d17578b"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"0436075cf8cf62ce623c2301ebd45203c98282611cfa5a12dd7c04525ffa7eb343a607af2f57feb7ce3af97e0abc2285":"1ab9ada5eeebc3fc8e53f358b643476fcfd4dd9f092f21d2bc1c4bb1ffd01a0c5b207aaa09ff76a9cab0aa6ce62b6a65b2650ab448b8bb2e8696a7aa4b6f4e8d":"62f07d1f49e40f7f472985947ac4d8ef2d58216d918f7942b9c70f43daff8972":"37ae758141fbc890ee7e1d0854426b2984fb1c094677e6a61546e9315bab0898":"353d1dd0c8d8656bc418a6a3ace138ecd62819d4e21b8bd87694ea683ec0cc37":"bfee6bb4afc228da981bfe7f0d17578b"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #5
-ctr_drbg_validate_nopr:"d004a0893bf326d50ee52e04cb3e64409f204f4e9af780d5dd092d04162d088385b1f243000914c62cba3dadf9827c81":"c36004075f5fd078137ea08de6cb15f71aeb9eca21c891cfdf7a8c0d21790c94ffa93be5fa06beb5e82d9fbf173ef9b29c18511fee2455dbbe61d6b01baf024a":"7d313ada131650c7a506d2c194444ed202d568544caa75bbc60e57a0b74c9a10":"791d60238677ff53150cf7074061eac68335c0a7cec7de43ea63a5df0f312cd8":"6754366be264deb9e94f39e92ac2894bd93c1d7e1198d39e6eddccb0ea486f4d":"1c29795f03e3c771603293473e347ab4"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"d004a0893bf326d50ee52e04cb3e64409f204f4e9af780d5dd092d04162d088385b1f243000914c62cba3dadf9827c81":"c36004075f5fd078137ea08de6cb15f71aeb9eca21c891cfdf7a8c0d21790c94ffa93be5fa06beb5e82d9fbf173ef9b29c18511fee2455dbbe61d6b01baf024a":"7d313ada131650c7a506d2c194444ed202d568544caa75bbc60e57a0b74c9a10":"791d60238677ff53150cf7074061eac68335c0a7cec7de43ea63a5df0f312cd8":"6754366be264deb9e94f39e92ac2894bd93c1d7e1198d39e6eddccb0ea486f4d":"1c29795f03e3c771603293473e347ab4"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #6
-ctr_drbg_validate_nopr:"9a8c79b48ada409183f7260aa1415c9ee4e0b662e0fb81b5c56f85d76ed75efac5751dd4de7e7f8b53a36ee0dce2bc9e":"c4d68b76dc0e785823be2da9d339dc900132f12721e8a63ebe92e36d740c5a5e5564c367bff4a52bc70b1c60c86f0bcb7c1d99c414956a259963207184f01246":"04c7060f36569a5d9578c718627fc2695e8d783c0c8aefca2744da6664e67c8c":"1d4b7d587421dea4f7f3e77fcf997607ecfeb6e665a9a184138eb5736b16f516":"8cb8daf9cda230d8d39b829b968aaa5f5d3e3106d8b693227ab1b6201b78a7b8":"faa146098526546927a43fa4a5073e46"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"9a8c79b48ada409183f7260aa1415c9ee4e0b662e0fb81b5c56f85d76ed75efac5751dd4de7e7f8b53a36ee0dce2bc9e":"c4d68b76dc0e785823be2da9d339dc900132f12721e8a63ebe92e36d740c5a5e5564c367bff4a52bc70b1c60c86f0bcb7c1d99c414956a259963207184f01246":"04c7060f36569a5d9578c718627fc2695e8d783c0c8aefca2744da6664e67c8c":"1d4b7d587421dea4f7f3e77fcf997607ecfeb6e665a9a184138eb5736b16f516":"8cb8daf9cda230d8d39b829b968aaa5f5d3e3106d8b693227ab1b6201b78a7b8":"faa146098526546927a43fa4a5073e46"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #7
-ctr_drbg_validate_nopr:"a0736a5a8b0a394625d8985b05e3a9f277c7ba03b253c0e783359a8c4c086121cb46ea469c7756d5f099f5ee8ed16243":"ea7a046fa1760866bcb37fecf9ade7bcea4444662ea782d6f2820b22a96bab97b4c5adcb0a50ced885121b6b85a5074444b1555d9655f4f6ded31fe15281b30e":"47f3655dd05c42454fad68e330aabca49f27c76ba05ef07b6d77fba41153c0ab":"a5d07da3e399cc51d136096599fcbd9779e839b1fd86f21d7d1e23acd91f9fa7":"150b028b64a988fc1ffdfc9e66b4c8dfe4fcd8538ee976c89923638ebad33802":"6ffdc685169b174ad0dd84cdeed050a7"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"a0736a5a8b0a394625d8985b05e3a9f277c7ba03b253c0e783359a8c4c086121cb46ea469c7756d5f099f5ee8ed16243":"ea7a046fa1760866bcb37fecf9ade7bcea4444662ea782d6f2820b22a96bab97b4c5adcb0a50ced885121b6b85a5074444b1555d9655f4f6ded31fe15281b30e":"47f3655dd05c42454fad68e330aabca49f27c76ba05ef07b6d77fba41153c0ab":"a5d07da3e399cc51d136096599fcbd9779e839b1fd86f21d7d1e23acd91f9fa7":"150b028b64a988fc1ffdfc9e66b4c8dfe4fcd8538ee976c89923638ebad33802":"6ffdc685169b174ad0dd84cdeed050a7"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #8
-ctr_drbg_validate_nopr:"d445a3d9332c8577715c1e93f119521bd31a464db08cdbd73d50080d62d5a48fba4cef2dd097ec749973037e33e8d6fa":"da5f9b2db13d0555846c00da96115036bb75ace66d56fc582d6cd0171e3e23335c5c2b8691e58af8899ed0204316479f849ca6f47309cae571ccb42d3d35c166":"79346394f795f05c5a5199423649b8b5345355ef11eb4239db1c767c68afa70a":"c22810de9987b228c19680eb044da22a08032148a6015f358849d6d608a214b9":"7747d68ca8bcb43931f1edce4f8c9727dd56c1d1d2600ad1fb767eb4fbc7b2d6":"f5c40babbec97cb60ba65200e82d7a68"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"d445a3d9332c8577715c1e93f119521bd31a464db08cdbd73d50080d62d5a48fba4cef2dd097ec749973037e33e8d6fa":"da5f9b2db13d0555846c00da96115036bb75ace66d56fc582d6cd0171e3e23335c5c2b8691e58af8899ed0204316479f849ca6f47309cae571ccb42d3d35c166":"79346394f795f05c5a5199423649b8b5345355ef11eb4239db1c767c68afa70a":"c22810de9987b228c19680eb044da22a08032148a6015f358849d6d608a214b9":"7747d68ca8bcb43931f1edce4f8c9727dd56c1d1d2600ad1fb767eb4fbc7b2d6":"f5c40babbec97cb60ba65200e82d7a68"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #9
-ctr_drbg_validate_nopr:"2728be06796e2a77c60a401752cd36e4a051724aa3276a146b4b351017eee79c8257398c612fc1129c0e74ecef455cd3":"d663d2cfcddf40ff61377c3811266d927a5dfc7b73cf549e673e5a15f4056ad1f9733c8ed875ff77928284dc1cdb33accc47971d3626615a45b9a16d9baf426e":"62349efbac4a4747d0e92727c67a6bc7f8404cf746002e7d3eeffb9a9be0bbdc":"381c0cffbdfa61a6af3f11ccd0e543208b584c3f520130e33617564ec7a48cf7":"6974043362f834fd793de07ceebd051599163d50489441005afc9db09a9ab44f":"df7894746c599e02d985b195ca3b4863"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"2728be06796e2a77c60a401752cd36e4a051724aa3276a146b4b351017eee79c8257398c612fc1129c0e74ecef455cd3":"d663d2cfcddf40ff61377c3811266d927a5dfc7b73cf549e673e5a15f4056ad1f9733c8ed875ff77928284dc1cdb33accc47971d3626615a45b9a16d9baf426e":"62349efbac4a4747d0e92727c67a6bc7f8404cf746002e7d3eeffb9a9be0bbdc":"381c0cffbdfa61a6af3f11ccd0e543208b584c3f520130e33617564ec7a48cf7":"6974043362f834fd793de07ceebd051599163d50489441005afc9db09a9ab44f":"df7894746c599e02d985b195ca3b4863"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #10
-ctr_drbg_validate_nopr:"2b65b56de410ee82e55bd2bf80e6cee356a37c3a3aa7042df45fa750a74e097b071fc18d6eed96523dd4fbb677b8c729":"bf03a6b3e8e23ff53369b971217dc3d3f4c1211329c94847347b3aa77dc7a3e0670381573527844a1ade786f18631944558defffb9a00900ca55f97ec726126b":"59255e5cd2221316c945bd614471df76d5b2f394b8829de82e5c30bc178565e2":"5739bc14f0f2ef9d3393928aee67b0908adaf587650928916d8ae78b0077a3b3":"6b236cf0ee0dba0c92b26c60235d3868715a80c0efbc0c898b6f0b1ace8146e9":"8374b571d7f2d94ce2bdadeb9d815397"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"2b65b56de410ee82e55bd2bf80e6cee356a37c3a3aa7042df45fa750a74e097b071fc18d6eed96523dd4fbb677b8c729":"bf03a6b3e8e23ff53369b971217dc3d3f4c1211329c94847347b3aa77dc7a3e0670381573527844a1ade786f18631944558defffb9a00900ca55f97ec726126b":"59255e5cd2221316c945bd614471df76d5b2f394b8829de82e5c30bc178565e2":"5739bc14f0f2ef9d3393928aee67b0908adaf587650928916d8ae78b0077a3b3":"6b236cf0ee0dba0c92b26c60235d3868715a80c0efbc0c898b6f0b1ace8146e9":"8374b571d7f2d94ce2bdadeb9d815397"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #11
-ctr_drbg_validate_nopr:"8756ee2c5e381c7c1dc530748b76a6274ef6583090e555d85210e2356feb2974a8f15119a04e9b481cd3bc557a197b8e":"19705743eaaaa0e8890a0faa2e0df37c820d556c7a45f04d76276f9f9ce2e7c133258ae6d1ba9cdf7745d01745763d18dcd1af2c9e9b0bed2806e60f0f9b636c":"2b4a92b682e9a557466af97b735e2ffdbac3bfc31fd5be2cd212cfbd4b8d690a":"e86504f10317bbeab346f3b9e4b310cbe9fbd81a42054f358eacd08cccab6eff":"19ffad856a6675268cc464ca6fdb8afd0912143e552668528d1484c9a54592cf":"f347fd58aff2999530e258be77591701"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"8756ee2c5e381c7c1dc530748b76a6274ef6583090e555d85210e2356feb2974a8f15119a04e9b481cd3bc557a197b8e":"19705743eaaaa0e8890a0faa2e0df37c820d556c7a45f04d76276f9f9ce2e7c133258ae6d1ba9cdf7745d01745763d18dcd1af2c9e9b0bed2806e60f0f9b636c":"2b4a92b682e9a557466af97b735e2ffdbac3bfc31fd5be2cd212cfbd4b8d690a":"e86504f10317bbeab346f3b9e4b310cbe9fbd81a42054f358eacd08cccab6eff":"19ffad856a6675268cc464ca6fdb8afd0912143e552668528d1484c9a54592cf":"f347fd58aff2999530e258be77591701"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #12
-ctr_drbg_validate_nopr:"f58be57e5035d5c455b17a41ccf7542ffd77f5c009e0a737118ed6c4188f78fcbdbe946bf82e1fa50fd81691de82dcf3":"f9939592ab2b31d92ac72673da013a588ea17bbf02cfd6e79d79f8296601633d04ceb005110f266e6100040ef33194858def8b535314c73caa0e48fc4d2f6e2d":"bb1cb21a316d4b88093cbfc7917d614dca97090cdc8bb340d864547cb3e1fef6":"7e42d5439d81680c8edf5c571d548699730cfada33b650a4d510172a42b298bb":"e9e3cf180f72ba2c1a45d0a94b822943612143e0b642398796b0428ae1af6cf5":"d0c83a4bf3517648b441d411ddcb808c"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"f58be57e5035d5c455b17a41ccf7542ffd77f5c009e0a737118ed6c4188f78fcbdbe946bf82e1fa50fd81691de82dcf3":"f9939592ab2b31d92ac72673da013a588ea17bbf02cfd6e79d79f8296601633d04ceb005110f266e6100040ef33194858def8b535314c73caa0e48fc4d2f6e2d":"bb1cb21a316d4b88093cbfc7917d614dca97090cdc8bb340d864547cb3e1fef6":"7e42d5439d81680c8edf5c571d548699730cfada33b650a4d510172a42b298bb":"e9e3cf180f72ba2c1a45d0a94b822943612143e0b642398796b0428ae1af6cf5":"d0c83a4bf3517648b441d411ddcb808c"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #13
-ctr_drbg_validate_nopr:"898064243e44ff67151736ce8bb6f1c759cab4aaca9b87543a1ac984ef955cd5db76c1aa56aff83f1f6799f18fe531cc":"b8d6be3036eeb5657fb10766354d4be897bd27973b3530270ccc02a08169a2e437b30a3635eb6ccb310f319257f58d8aa030c8aab616418e0914a46131306a0c":"37572428df5826e6ae5ce95db4ef63f41e908f685204a7b64edb9f473c41e45c":"28beda0e0e346b447d32208c6b4c42dcd567acfe1e483fb4a95ea82cb8ce55a5":"7a0fffa541d723e16340eeb960b1b9c9aae912477e0ebfac03f8f1a3a8bdc531":"611c9f6fc5193dbe3db96cbcd276168a"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"898064243e44ff67151736ce8bb6f1c759cab4aaca9b87543a1ac984ef955cd5db76c1aa56aff83f1f6799f18fe531cc":"b8d6be3036eeb5657fb10766354d4be897bd27973b3530270ccc02a08169a2e437b30a3635eb6ccb310f319257f58d8aa030c8aab616418e0914a46131306a0c":"37572428df5826e6ae5ce95db4ef63f41e908f685204a7b64edb9f473c41e45c":"28beda0e0e346b447d32208c6b4c42dcd567acfe1e483fb4a95ea82cb8ce55a5":"7a0fffa541d723e16340eeb960b1b9c9aae912477e0ebfac03f8f1a3a8bdc531":"611c9f6fc5193dbe3db96cbcd276168a"
 
 CTR_DRBG NIST Validation (AES-256 use df,False,256,128,256,256) #14
-ctr_drbg_validate_nopr:"50de72903b9d99764123ffaa0c721e14ad1ab5c46a34c040f25324ba1d937b8ef10467161fcf2978c2a680ac5570c6d2":"5c9954fd0143e62c3bf2d5734052e3c9370f7b9d75c70f58fe33b12e3997ee2c8db84f8467affd7cfd9a9e7ec60da6f31bf9bf32aedf644e4934bd1fc916bc8d":"d5dc4c9fc7171fcbfdaead558a565ffd55d245a58b22ad1666ee05131e33f49e":"ea3114e92e6a19f53b207a0a54cd363a6d053fed0a827f92556f0a8580f7a342":"53686f069b455af4692888d11fac15cf7b4bd38e198de4e62b7098f875198a75":"9fb0df053e0345e5640aa97fedef50a6"
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_between:"50de72903b9d99764123ffaa0c721e14ad1ab5c46a34c040f25324ba1d937b8ef10467161fcf2978c2a680ac5570c6d2":"5c9954fd0143e62c3bf2d5734052e3c9370f7b9d75c70f58fe33b12e3997ee2c8db84f8467affd7cfd9a9e7ec60da6f31bf9bf32aedf644e4934bd1fc916bc8d":"d5dc4c9fc7171fcbfdaead558a565ffd55d245a58b22ad1666ee05131e33f49e":"ea3114e92e6a19f53b207a0a54cd363a6d053fed0a827f92556f0a8580f7a342":"53686f069b455af4692888d11fac15cf7b4bd38e198de4e62b7098f875198a75":"9fb0df053e0345e5640aa97fedef50a6"
+
+CTR_DRBG CAVS 14.3 (AES-256 no df,no reseed,256,128,0,0) block 1 #0
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"496f25b0f1301b4f501be30380a137eb":"36401940fa8b1fba91a1661f211d78a0b9389a74e5bccfece8d766af1a6d3b14":"":"":"5862eb38bd558dd978a696e6df164782ddd887e7e9a6c9f3f1fbafb78941b535a64912dfd224c6dc7454e5250b3d97165e16260c2faf1cc7735cb75fb4f07e1d"
+
+CTR_DRBG CAVS 14.3 (AES-256 no df,no reseed,256,128,0,256) block 1 #0
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"41c71a24d17d974190982bb7515ce7f5":"8148d65d86513ce7d38923ec2f26b9e7c677dcc8997e325b7372619e753ed944":"55b446046c2d14bdd0cdba4b71873fd4762650695a11507949462da8d964ab6a":"91468f1a097d99ee339462ca916cb4a10f63d53850a4f17f598eac490299b02e":"54603d1a506132bbfa05b153a04f22a1d516cc46323cef15111af221f030f38d6841d4670518b4914a4631af682e7421dffaac986a38e94d92bfa758e2eb101f"
+
+CTR_DRBG CAVS 14.3 (AES-256 no df,no reseed,256,128,0,0) block 2 #0
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"bac0fdc0c417aa269bbdea77e928f9f8":"8b0bcb3f932170416739ea42e7dcdc6fa960645bc018820134f714b3c6912b56":"":"":"d9c4fd81f6621a8cf06d612e9a84b80fa13d098dceaf2c083dc81cd80caedd105c7f2789963a167d72f76e81178001fd93de4623c260fe9eebced89f7b4b047a"
+
+CTR_DRBG CAVS 14.3 (AES-256 no df,no reseed,256,128,0,256) block 2 #0
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"69ff3310141dbf3ece409ade58745113":"d67439abf1e162e5b25941605a8aeba7d686dec133257f6c220e1c595e954a07":"03e795be8379c481cb32534011ca6bf524dc754978ee5ebee475129ad39eca98":"5685c7330f33004515f8c0ab27f2a1cbe0c8a4a6806d6c8486e0217b43e859f2":"a6d22a4370251c51978fedc7e7753c78179ed1943d2ff1b5a374860106041a304b124d47cfa304c909f7d417843846d52dcc7ebcf5c93afef885c893b40c81ed"
+
+CTR_DRBG CAVS 14.3 (AES-256 no df,no reseed,256,128,0,0) block 3 #0
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"aaa46610681167ff8d4d2c51e77911d4":"58a5f79da44b9f23a98a39352972ad16031fe13637bd18d6cb6c9f5269d8e240":"":"":"c1714f89459ce746b151509e5066d4811a06ad06c1e9b13b50c0fc7cdd77ceedc233908ebe1ea8140ec2dc262a43201be667008e081e5476b19b27214111d325"
+
+CTR_DRBG CAVS 14.3 (AES-256 no df,no reseed,256,128,0,256) block 3 #0
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"6ca848651d420fb02f9b66f06b377e59":"001ec3b192ddc765553e15742dffeb21cc7d97a4bcf866e3664d8a5ecb4c2463":"99f139ab5ee4f7eed6148e82d79ad5f2b9fa638d574e5db79b650c0e682ca466":"6e7bf0ae28a797ccbb47101f26bfe5a0b1e450c57aedf731272411fa7b6c4ed4":"865b6dd4363c5940d6228cc90ba8f1a21efbaa99b0c7b37361f7fed7e969a97b68d550dd6ad4bbfaf6626779bfb43c66845c2923df9f55307c8bc9f0a3872fa7"
+
+CTR_DRBG CAVS 14.3 (AES-256 no df,no reseed,256,128,0,0) block 4 #0
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"1c6a80d82012c39c9f14a808643f08e7":"4ee68b3352b874e1cc29375028851dee9d5dfd88a40664c79e2b724fb11b2808":"":"":"7c58d2a5522a88341fb55facefdb6e24840cae283948d53148a384e13b5407d7712c33434bd3d19448b43270c54860bf3495579057c70bff3084dddff08a091d"
+
+CTR_DRBG CAVS 14.3 (AES-256 no df,no reseed,256,128,0,256) block 4 #0
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"70bdedbc6825c4fe0a9f7e45290ddd51":"481e505bf7a36f9d96690d49154d98d6a247c14a703dbfed7cf1b7a71bee737f":"5b07610c2c946eda2975a26ddadf7d73e3d287e923d9b1a2d2070776a446d8e6":"2792a988ebb2e768eee0d5c263bcd76a675d6f339e5f1ab2ca595e6b3b4d024a":"303448a355fc0a69a130b6ab194997b220970bf680914913da904e92109dee3d9f23871130c407045cf463ce783a5dfafd603a8384790573af385d479acd7206"
+
+CTR_DRBG CAVS 14.3 (AES-128 use df,no reseed,128,64,0,0) block 1 #0
+depends_on:MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"aad471ef3ef1d203":"890eb067acf7382eff80b0c73bc872c6":"":"":"a5514ed7095f64f3d0d3a5760394ab42062f373a25072a6ea6bcfd8489e94af6cf18659fea22ed1ca0a9e33f718b115ee536b12809c31b72b08ddd8be1910fa3"
+
+CTR_DRBG CAVS 14.3 (AES-128 use df,no reseed,128,64,0,128) block 1 #0
+depends_on:MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"026c768fd577b92a":"b408cefb5bc7157d3f26cb95a8b1d7ac":"5737ef81dee365b6dadb3feebf5d1084":"3368a516b3431a3daaa60dc8743c8297":"4e909ebb24147a0004063a5e47ee044fead610d62324bd0f963f756fb91361e8b87e3a76a398143fe88130fe1b547b661a6480c711b739f18a9df3ae51d41bc9"
+
+CTR_DRBG CAVS 14.3 (AES-128 use df,no reseed,128,64,0,0) block 2 #0
+depends_on:MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"259195269ec11af6":"2d2ab564202918c4ef5b102dda385a18":"":"":"2c5cd79ed87622a91b8654c8903d852242cd49cb5df2d4b4150584301c59f01fd95a702ac157c84cc15f42c8211335672d8ce1291ef9b1def78149a04fa2697c"
+
+CTR_DRBG CAVS 14.3 (AES-128 use df,no reseed,128,64,0,128) block 2 #0
+depends_on:MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"b25716931b6e3cc1":"adf5711f93d8c8997349429ccaedae0a":"abf8cd66dd39758b01d7dbb99ab17dc3":"4be0f6b2755377c6e881fbb261b56beb":"d420604dee6467492db5957c86207a708fd242ed67942aed299425335c83b41437418582f41bc7fc0ef0d6927f34d83acd67c70133644fd711dd5a65731f9f02"
+
+CTR_DRBG CAVS 14.3 (AES-128 use df,no reseed,128,64,0,0) block 3 #0
+depends_on:MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"38aa5590f6bfaa4b":"2e1724db482232a3e61f92c1c266faf8":"":"":"4438b48a45fb0141e31f0a9624dfe6fcc2f9edc075c0a52bc5fc46d85a966c853feee6af913234b3f9a679f667898dc15a24aaed89f035bfa5da516e435bbad1"
+
+CTR_DRBG CAVS 14.3 (AES-128 use df,no reseed,128,64,0,128) block 3 #0
+depends_on:MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"111d8612a0f04e2a":"9bfaefb698b1b5fcc62db2c16498c33a":"aedbe02847b1b08b6a673bdf25b0224c":"9901ead62ce56573b0f71cd020fe3469":"dff8bf2aec531f8532607e738bd79f91d6085cb19568b7b0240ce6a6b371a282bafcdba02137df990535d9ebf0ba77117751626b2678aca7be4decfd6b9d4b38"
+
+CTR_DRBG CAVS 14.3 (AES-128 use df,no reseed,128,64,0,0) block 4 #0
+depends_on:MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"e78c5571c5f926f9":"6bdf5332bdce4655d45c2cfea897b000":"":"":"e0715688765a3285e7b7db555f277924e7171f7541bf26122b13dbaaa39f9e2b0345c659583ff8c9cfd888f1abd2f3b36a7c9d47c687b01c819a9f9888542e0f"
+
+CTR_DRBG CAVS 14.3 (AES-128 use df,no reseed,128,64,0,128) block 4 #0
+depends_on:MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_no_reseed:"7ee2614ead3c128e":"8b80936e69c67edb771c28f9b9452124":"fc35cba97a1e211bc420e8af53f8e13c":"fba438aaa75a3cd4cd0cce399bfec74a":"6721cc1ada5ebc1713f74c759000765652eeb5f3f9c24fb9341b36a369cec1d27ea80d6b73b56047af07138c5a43c99a87753115c471b8587ea65fa2065e3ce0"
+
+CTR_DRBG CAVS 14.3 (AES-256 use df,False,256,128,0,0) #0
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_first:"0bf814b411f65ec4866be1abb59d3c32":"2d4c9f46b981c6a0b2b5d8c69391e569ff13851437ebc0fc00d616340252fed593500fae4fa32b86033b7a7bac9d37e710dcc67ca266bc8607d665937766d207":"":"":"":"322dd28670e75c0ea638f3cb68d6a9d6e50ddfd052b772a7b1d78263a7b8978b6740c2b65a9550c3a76325866fa97e16d74006bc96f26249b9f0a90d076f08e5"
+
+CTR_DRBG CAVS 14.3 (AES-128 use df,False,128,64,0,0) #0
+depends_on:MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_reseed_first:"5209e5b4ed82a234":"0f65da13dca407999d4773c2b4a11d851dea0a12c52bf64339dd291c80d8ca89":"":"":"":"2859cc468a76b08661ffd23b28547ffd0997ad526a0f51261b99ed3a37bd407bf418dbe6c6c3e26ed0ddefcb7474d899bd99f3655427519fc5b4057bcaf306d4"
+
+CTR_DRBG CAVS 14.3 (AES-256 use df,True,256,128,0,0) #0
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_pr:"a2d015f22d854e29de278d910c573de5":"16a1f035388cd8d956026e3b0117cb524dd3eb563f9a7720bb7dcb0fc6fbe743cf140bcd4d7130e7e3ea14046c56442b57c43b34ad219553e7105c18f6e561afe27c9f0be60d82d6cc474efb7fc737b16a6895d9a3a45b971d19b743c1a4ac8f":"":"":"b4e8395bcb7503410a94633f70e9904a5b30e62c35bc6dd2a03496c4a49932e184fbffdbcf1de1c72c50d36dc2ae8f04f40f96aae159c3fb816ca16df99b6c3e"
+
+CTR_DRBG CAVS 14.3 (AES-128 use df,True,128,64,0,0) #0
+depends_on:MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ctr_drbg_validate_pr:"d4f1f4ae08bcb3e1":"5d4041942bcf68864a4997d8171f1f9fef55a769b7eaf03fe082029bb32a2b9d8239e865c0a42e14b964b9c09de85a20":"":"":"4155320287eedcf7d484c2c2a1e2eb64b9c9ce77c87202a1ae1616c7a5cfd1c687c7a0bfcc85bda48fdd4629fd330c22d0a76076f88fc7cd04037ee06b7af602"
 
 CTR_DRBG entropy usage
 ctr_drbg_entropy_usage:
@@ -731,5 +1083,6 @@ CTR_DRBG Special Behaviours
 ctr_drbg_special_behaviours:
 
 CTR_DRBG self test
+depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 ctr_drbg_selftest:
 
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ctr_drbg.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ctr_drbg.function
index f17bd3be00..4a97826f63 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ctr_drbg.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ctr_drbg.function
@@ -1,14 +1,97 @@
 /* BEGIN_HEADER */
+#include "mbedtls/entropy.h"
 #include "mbedtls/ctr_drbg.h"
+#include "string.h"
 
-static int test_offset_idx;
+/* Modes for ctr_drbg_validate */
+enum reseed_mode
+{
+    RESEED_NEVER, /* never reseed */
+    RESEED_FIRST, /* instantiate, reseed, generate, generate */
+    RESEED_SECOND, /* instantiate, generate, reseed, generate */
+    RESEED_ALWAYS /* prediction resistance, no explicit reseed */
+};
+
+static size_t test_offset_idx = 0;
+static size_t test_max_idx  = 0;
 static int mbedtls_test_entropy_func( void *data, unsigned char *buf, size_t len )
 {
     const unsigned char *p = (unsigned char *) data;
+    if( test_offset_idx + len > test_max_idx )
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
     memcpy( buf, p + test_offset_idx, len );
     test_offset_idx += len;
     return( 0 );
 }
+
+static void ctr_drbg_validate_internal( int reseed_mode, data_t * nonce,
+                        int entropy_len_arg, data_t * entropy,
+                        data_t * reseed,
+                        data_t * add1, data_t * add2,
+                        data_t * result )
+{
+    mbedtls_ctr_drbg_context ctx;
+    unsigned char buf[64];
+
+    size_t entropy_chunk_len = (size_t) entropy_len_arg;
+
+    TEST_ASSERT( entropy_chunk_len <= sizeof( buf ) );
+
+    test_offset_idx = 0;
+    mbedtls_ctr_drbg_init( &ctx );
+
+    test_max_idx = entropy->len;
+
+    /* CTR_DRBG_Instantiate(entropy[:entropy->len], nonce, perso, <ignored>)
+     * where nonce||perso = nonce[nonce->len] */
+    TEST_ASSERT( mbedtls_ctr_drbg_seed_entropy_len(
+                     &ctx,
+                     mbedtls_test_entropy_func, entropy->x,
+                     nonce->x, nonce->len,
+                     entropy_chunk_len ) == 0 );
+    if( reseed_mode == RESEED_ALWAYS )
+        mbedtls_ctr_drbg_set_prediction_resistance(
+            &ctx,
+            MBEDTLS_CTR_DRBG_PR_ON );
+
+    if( reseed_mode == RESEED_FIRST )
+    {
+        /* CTR_DRBG_Reseed(entropy[idx:idx+entropy->len],
+         *                 reseed[:reseed->len]) */
+        TEST_ASSERT( mbedtls_ctr_drbg_reseed(
+                         &ctx,
+                         reseed->x, reseed->len ) == 0 );
+    }
+
+    /* CTR_DRBG_Generate(result->len * 8 bits, add1[:add1->len]) -> buf */
+    /* Then reseed if prediction resistance is enabled. */
+    TEST_ASSERT( mbedtls_ctr_drbg_random_with_add(
+                     &ctx,
+                     buf, result->len,
+                     add1->x, add1->len ) == 0 );
+
+
+    if( reseed_mode == RESEED_SECOND )
+    {
+        /* CTR_DRBG_Reseed(entropy[idx:idx+entropy->len],
+         *                 reseed[:reseed->len]) */
+        TEST_ASSERT( mbedtls_ctr_drbg_reseed(
+                         &ctx,
+                         reseed->x, reseed->len ) == 0 );
+    }
+
+    /* CTR_DRBG_Generate(result->len * 8 bits, add2->x[:add2->len]) -> buf */
+    /* Then reseed if prediction resistance is enabled. */
+    TEST_ASSERT( mbedtls_ctr_drbg_random_with_add(
+                     &ctx,
+                     buf, result->len,
+                     add2->x, add2->len ) == 0 );
+    TEST_ASSERT( memcmp( buf, result->x, result->len ) == 0 );
+
+exit:
+    mbedtls_ctr_drbg_free( &ctx );
+}
+
 /* END_HEADER */
 
 /* BEGIN_DEPENDENCIES
@@ -49,92 +132,76 @@ exit:
 }
 /* END_CASE */
 
+
 /* BEGIN_CASE */
-void ctr_drbg_validate_pr( char *add_init_string, char *entropy_string,
-                           char *add1_string, char *add2_string,
-                           char *result_str )
+void ctr_drbg_validate_no_reseed( data_t * add_init, data_t * entropy,
+                                  data_t * add1, data_t * add2,
+                                  data_t * result_string )
 {
-    unsigned char entropy[512];
-    unsigned char add_init[512];
-    unsigned char add1[512];
-    unsigned char add2[512];
-    mbedtls_ctr_drbg_context ctx;
-    unsigned char buf[512];
-    unsigned char output_str[512];
-    int add_init_len, add1_len, add2_len;
-
-    mbedtls_ctr_drbg_init( &ctx );
-    memset( output_str, 0, 512 );
-
-    unhexify( entropy, entropy_string );
-    add_init_len = unhexify( add_init, add_init_string );
-    add1_len = unhexify( add1, add1_string );
-    add2_len = unhexify( add2, add2_string );
-
-    test_offset_idx = 0;
-    TEST_ASSERT( mbedtls_ctr_drbg_seed_entropy_len( &ctx, mbedtls_test_entropy_func, entropy, add_init, add_init_len, 32 ) == 0 );
-    mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
-
-    TEST_ASSERT( mbedtls_ctr_drbg_random_with_add( &ctx, buf, 16, add1, add1_len ) == 0 );
-    TEST_ASSERT( mbedtls_ctr_drbg_random_with_add( &ctx, buf, 16, add2, add2_len ) == 0 );
-    hexify( output_str, buf, 16 );
-    TEST_ASSERT( strcmp( (char *) output_str, result_str ) == 0 );
-
-exit:
-    mbedtls_ctr_drbg_free( &ctx );
+    data_t empty = { 0, 0 };
+    ctr_drbg_validate_internal( RESEED_NEVER, add_init,
+                                entropy->len, entropy,
+                                &empty, add1, add2,
+                                result_string );
+    goto exit; // goto is needed to avoid warning ( no test assertions in func)
 }
 /* END_CASE */
 
 /* BEGIN_CASE */
-void ctr_drbg_validate_nopr( char *add_init_string, char *entropy_string,
-                             char *add1_string, char *add_reseed_string,
-                             char *add2_string, char *result_str )
+void ctr_drbg_validate_pr( data_t * add_init, data_t * entropy,
+                           data_t * add1, data_t * add2,
+                           data_t * result_string )
 {
-    unsigned char entropy[512];
-    unsigned char add_init[512];
-    unsigned char add1[512];
-    unsigned char add_reseed[512];
-    unsigned char add2[512];
-    mbedtls_ctr_drbg_context ctx;
-    unsigned char buf[512];
-    unsigned char output_str[512];
-    int add_init_len, add1_len, add_reseed_len, add2_len;
-
-    mbedtls_ctr_drbg_init( &ctx );
-    memset( output_str, 0, 512 );
-
-    unhexify( entropy, entropy_string );
-    add_init_len = unhexify( add_init, add_init_string );
-    add1_len = unhexify( add1, add1_string );
-    add_reseed_len = unhexify( add_reseed, add_reseed_string );
-    add2_len = unhexify( add2, add2_string );
-
-    test_offset_idx = 0;
-    TEST_ASSERT( mbedtls_ctr_drbg_seed_entropy_len( &ctx, mbedtls_test_entropy_func, entropy, add_init, add_init_len, 32 ) == 0 );
+    data_t empty = { 0, 0 };
+    ctr_drbg_validate_internal( RESEED_ALWAYS, add_init,
+                                entropy->len / 3, entropy,
+                                &empty, add1, add2,
+                                result_string );
+    goto exit; // goto is needed to avoid warning ( no test assertions in func)
+}
+/* END_CASE */
 
-    TEST_ASSERT( mbedtls_ctr_drbg_random_with_add( &ctx, buf, 16, add1, add1_len ) == 0 );
-    TEST_ASSERT( mbedtls_ctr_drbg_reseed( &ctx, add_reseed, add_reseed_len ) == 0 );
-    TEST_ASSERT( mbedtls_ctr_drbg_random_with_add( &ctx, buf, 16, add2, add2_len ) == 0 );
-    hexify( output_str, buf, 16 );
-    TEST_ASSERT( strcmp( (char *) output_str, result_str ) == 0 );
+/* BEGIN_CASE */
+void ctr_drbg_validate_reseed_between( data_t * add_init, data_t * entropy,
+                             data_t * add1, data_t * add_reseed,
+                             data_t * add2, data_t * result_string )
+{
+    ctr_drbg_validate_internal( RESEED_SECOND, add_init,
+                                entropy->len / 2, entropy,
+                                add_reseed, add1, add2,
+                                result_string );
+    goto exit; // goto is needed to avoid warning ( no test assertions in func)
+}
+/* END_CASE */
 
-exit:
-    mbedtls_ctr_drbg_free( &ctx );
+/* BEGIN_CASE */
+void ctr_drbg_validate_reseed_first( data_t * add_init, data_t * entropy,
+                             data_t * add1, data_t * add_reseed,
+                             data_t * add2, data_t * result_string )
+{
+    ctr_drbg_validate_internal( RESEED_FIRST, add_init,
+                                entropy->len / 2, entropy,
+                                add_reseed, add1, add2,
+                                result_string );
+    goto exit; // goto is needed to avoid warning ( no test assertions in func)
 }
 /* END_CASE */
 
+
+
 /* BEGIN_CASE */
-void ctr_drbg_entropy_usage( )
+void ctr_drbg_entropy_usage(  )
 {
     unsigned char out[16];
     unsigned char add[16];
     unsigned char entropy[1024];
     mbedtls_ctr_drbg_context ctx;
     size_t i, reps = 10;
-    int last_idx;
+    size_t last_idx;
 
     mbedtls_ctr_drbg_init( &ctx );
     test_offset_idx = 0;
+    test_max_idx = sizeof( entropy );
     memset( entropy, 0, sizeof( entropy ) );
     memset( out, 0, sizeof( out ) );
     memset( add, 0, sizeof( add ) );
@@ -205,7 +272,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO */
-void ctr_drbg_seed_file( char *path, int ret )
+void ctr_drbg_seed_file( char * path, int ret )
 {
     mbedtls_ctr_drbg_context ctx;
 
@@ -221,7 +288,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void ctr_drbg_selftest( )
+void ctr_drbg_selftest(  )
 {
     TEST_ASSERT( mbedtls_ctr_drbg_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_debug.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_debug.function
index 98f98b061b..377d630d90 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_debug.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_debug.function
@@ -1,5 +1,6 @@
 /* BEGIN_HEADER */
 #include "mbedtls/debug.h"
+#include "string.h"
 
 struct buffer_data
 {
@@ -47,8 +48,8 @@ void string_debug(void *data, int level, const char *file, int line, const char
  */
 
 /* BEGIN_CASE */
-void debug_print_msg_threshold( int threshold, int level, char *file, int line,
-                                char *result_str )
+void debug_print_msg_threshold( int threshold, int level, char * file,
+                                int line, char * result_str )
 {
     mbedtls_ssl_context ssl;
     mbedtls_ssl_config conf;
@@ -76,8 +77,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_debug_print_ret( char *file, int line, char *text, int value,
-                      char *result_str )
+void mbedtls_debug_print_ret( char * file, int line, char * text, int value,
+                              char * result_str )
 {
     mbedtls_ssl_context ssl;
     mbedtls_ssl_config conf;
@@ -103,28 +104,24 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_debug_print_buf( char *file, int line, char *text,
-                      char *data_string, char *result_str )
+void mbedtls_debug_print_buf( char * file, int line, char * text,
+                              data_t * data, char * result_str )
 {
-    unsigned char data[10000];
     mbedtls_ssl_context ssl;
     mbedtls_ssl_config conf;
     struct buffer_data buffer;
-    size_t data_len;
 
     mbedtls_ssl_init( &ssl );
     mbedtls_ssl_config_init( &conf );
-    memset( &data, 0, sizeof( data ) );
     memset( buffer.buf, 0, 2000 );
     buffer.ptr = buffer.buf;
 
-    data_len = unhexify( data, data_string );
 
     TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
 
     mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
 
-    mbedtls_debug_print_buf( &ssl, 0, file, line, text, data, data_len );
+    mbedtls_debug_print_buf( &ssl, 0, file, line, text, data->x, data->len );
 
     TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 );
 
@@ -135,8 +132,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
-void mbedtls_debug_print_crt( char *crt_file, char *file, int line,
-                      char *prefix, char *result_str )
+void mbedtls_debug_print_crt( char * crt_file, char * file, int line,
+                              char * prefix, char * result_str )
 {
     mbedtls_x509_crt   crt;
     mbedtls_ssl_context ssl;
@@ -166,8 +163,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_BIGNUM_C */
-void mbedtls_debug_print_mpi( int radix, char *value, char *file, int line,
-                      char *prefix, char *result_str )
+void mbedtls_debug_print_mpi( int radix, char * value, char * file, int line,
+                              char * prefix, char * result_str )
 {
     mbedtls_ssl_context ssl;
     mbedtls_ssl_config conf;
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_des.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_des.function
index 2e73a77681..b5acb7b0ff 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_des.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_des.function
@@ -8,42 +8,27 @@
  */
 
 /* BEGIN_CASE */
-void des_check_weak( char *key_hex, int ret )
+void des_check_weak( data_t * key, int ret )
 {
-    unsigned char key[MBEDTLS_DES_KEY_SIZE];
-
-    memset( key, 0, sizeof key );
-
-    unhexify( key, key_hex );
-
-    TEST_ASSERT( mbedtls_des_key_check_weak( key ) == ret );
+    TEST_ASSERT( mbedtls_des_key_check_weak( key->x ) == ret );
 }
 /* END_CASE */
 
 /* BEGIN_CASE */
-void des_encrypt_ecb( char *hex_key_string, char *hex_src_string,
-                      char *hex_dst_string )
+void des_encrypt_ecb( data_t * key_str, data_t * src_str,
+                      data_t * hex_dst_string )
 {
-    unsigned char key_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_des_context ctx;
 
-    memset(key_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_des_init( &ctx );
 
-    unhexify( key_str, hex_key_string );
-    unhexify( src_str, hex_src_string );
 
-    mbedtls_des_setkey_enc( &ctx, key_str );
-    TEST_ASSERT( mbedtls_des_crypt_ecb( &ctx, src_str, output ) == 0 );
-    hexify( dst_str, output, 8 );
+    mbedtls_des_setkey_enc( &ctx, key_str->x );
+    TEST_ASSERT( mbedtls_des_crypt_ecb( &ctx, src_str->x, output ) == 0 );
 
-    TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, 8, hex_dst_string->len ) == 0 );
 
 exit:
     mbedtls_des_free( &ctx );
@@ -51,29 +36,20 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void des_decrypt_ecb( char *hex_key_string, char *hex_src_string,
-                      char *hex_dst_string )
+void des_decrypt_ecb( data_t * key_str, data_t * src_str,
+                      data_t * hex_dst_string )
 {
-    unsigned char key_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_des_context ctx;
 
-    memset(key_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_des_init( &ctx );
 
-    unhexify( key_str, hex_key_string );
-    unhexify( src_str, hex_src_string );
 
-    mbedtls_des_setkey_dec( &ctx, key_str );
-    TEST_ASSERT( mbedtls_des_crypt_ecb( &ctx, src_str, output ) == 0 );
-    hexify( dst_str, output, 8 );
+    mbedtls_des_setkey_dec( &ctx, key_str->x );
+    TEST_ASSERT( mbedtls_des_crypt_ecb( &ctx, src_str->x, output ) == 0 );
 
-    TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, 8, hex_dst_string->len ) == 0 );
 
 exit:
     mbedtls_des_free( &ctx );
@@ -81,35 +57,23 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
-void des_encrypt_cbc( char *hex_key_string, char *hex_iv_string,
-                      char *hex_src_string, char *hex_dst_string, int cbc_result )
+void des_encrypt_cbc( data_t * key_str, data_t * iv_str,
+                      data_t * src_str, data_t * hex_dst_string,
+                      int cbc_result )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_des_context ctx;
-    int src_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_des_init( &ctx );
 
-    unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    src_len = unhexify( src_str, hex_src_string );
 
-    mbedtls_des_setkey_enc( &ctx, key_str );
-    TEST_ASSERT( mbedtls_des_crypt_cbc( &ctx, MBEDTLS_DES_ENCRYPT, src_len, iv_str, src_str, output ) == cbc_result );
+    mbedtls_des_setkey_enc( &ctx, key_str->x );
+    TEST_ASSERT( mbedtls_des_crypt_cbc( &ctx, MBEDTLS_DES_ENCRYPT, src_str->len, iv_str->x, src_str->x, output ) == cbc_result );
     if( cbc_result == 0 )
     {
-        hexify( dst_str, output, src_len );
 
-        TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
     }
 
 exit:
@@ -118,35 +82,23 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
-void des_decrypt_cbc( char *hex_key_string, char *hex_iv_string,
-                      char *hex_src_string, char *hex_dst_string, int cbc_result )
+void des_decrypt_cbc( data_t * key_str, data_t * iv_str,
+                      data_t * src_str, data_t * hex_dst_string,
+                      int cbc_result )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_des_context ctx;
-    int src_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_des_init( &ctx );
 
-    unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    src_len = unhexify( src_str, hex_src_string );
 
-    mbedtls_des_setkey_dec( &ctx, key_str );
-    TEST_ASSERT( mbedtls_des_crypt_cbc( &ctx, MBEDTLS_DES_DECRYPT, src_len, iv_str, src_str, output ) == cbc_result );
+    mbedtls_des_setkey_dec( &ctx, key_str->x );
+    TEST_ASSERT( mbedtls_des_crypt_cbc( &ctx, MBEDTLS_DES_DECRYPT, src_str->len, iv_str->x, src_str->x, output ) == cbc_result );
     if( cbc_result == 0 )
     {
-        hexify( dst_str, output, src_len );
 
-        TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
     }
 
 exit:
@@ -155,35 +107,26 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void des3_encrypt_ecb( int key_count, char *hex_key_string,
-                       char *hex_src_string, char *hex_dst_string )
+void des3_encrypt_ecb( int key_count, data_t * key_str,
+                       data_t * src_str, data_t * hex_dst_string )
 {
-    unsigned char key_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_des3_context ctx;
 
-    memset(key_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_des3_init( &ctx );
 
-    unhexify( key_str, hex_key_string );
-    unhexify( src_str, hex_src_string );
 
     if( key_count == 2 )
-        mbedtls_des3_set2key_enc( &ctx, key_str );
+        mbedtls_des3_set2key_enc( &ctx, key_str->x );
     else if( key_count == 3 )
-        mbedtls_des3_set3key_enc( &ctx, key_str );
+        mbedtls_des3_set3key_enc( &ctx, key_str->x );
     else
         TEST_ASSERT( 0 );
 
-    TEST_ASSERT( mbedtls_des3_crypt_ecb( &ctx, src_str, output ) == 0 );
-    hexify( dst_str, output, 8 );
+    TEST_ASSERT( mbedtls_des3_crypt_ecb( &ctx, src_str->x, output ) == 0 );
 
-    TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, 8, hex_dst_string->len ) == 0 );
 
 exit:
     mbedtls_des3_free( &ctx );
@@ -191,35 +134,26 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void des3_decrypt_ecb( int key_count, char *hex_key_string,
-                       char *hex_src_string, char *hex_dst_string )
+void des3_decrypt_ecb( int key_count, data_t * key_str,
+                       data_t * src_str, data_t * hex_dst_string )
 {
-    unsigned char key_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_des3_context ctx;
 
-    memset(key_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_des3_init( &ctx );
 
-    unhexify( key_str, hex_key_string );
-    unhexify( src_str, hex_src_string );
 
     if( key_count == 2 )
-        mbedtls_des3_set2key_dec( &ctx, key_str );
+        mbedtls_des3_set2key_dec( &ctx, key_str->x );
     else if( key_count == 3 )
-        mbedtls_des3_set3key_dec( &ctx, key_str );
+        mbedtls_des3_set3key_dec( &ctx, key_str->x );
     else
         TEST_ASSERT( 0 );
 
-    TEST_ASSERT( mbedtls_des3_crypt_ecb( &ctx, src_str, output ) == 0 );
-    hexify( dst_str, output, 8 );
+    TEST_ASSERT( mbedtls_des3_crypt_ecb( &ctx, src_str->x, output ) == 0 );
 
-    TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, 8, hex_dst_string->len ) == 0 );
 
 exit:
     mbedtls_des3_free( &ctx );
@@ -227,43 +161,30 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
-void des3_encrypt_cbc( int key_count, char *hex_key_string,
-                       char *hex_iv_string, char *hex_src_string,
-                       char *hex_dst_string, int cbc_result )
+void des3_encrypt_cbc( int key_count, data_t * key_str,
+                       data_t * iv_str, data_t * src_str,
+                       data_t * hex_dst_string, int cbc_result )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_des3_context ctx;
-    int src_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_des3_init( &ctx );
 
-    unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    src_len = unhexify( src_str, hex_src_string );
 
     if( key_count == 2 )
-        mbedtls_des3_set2key_enc( &ctx, key_str );
+        mbedtls_des3_set2key_enc( &ctx, key_str->x );
     else if( key_count == 3 )
-        mbedtls_des3_set3key_enc( &ctx, key_str );
+        mbedtls_des3_set3key_enc( &ctx, key_str->x );
     else
         TEST_ASSERT( 0 );
 
-    TEST_ASSERT( mbedtls_des3_crypt_cbc( &ctx, MBEDTLS_DES_ENCRYPT, src_len, iv_str, src_str, output ) == cbc_result );
+    TEST_ASSERT( mbedtls_des3_crypt_cbc( &ctx, MBEDTLS_DES_ENCRYPT, src_str->len, iv_str->x, src_str->x, output ) == cbc_result );
 
     if( cbc_result == 0 )
     {
-        hexify( dst_str, output, src_len );
 
-        TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
     }
 
 exit:
@@ -272,43 +193,30 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
-void des3_decrypt_cbc( int key_count, char *hex_key_string,
-                       char *hex_iv_string, char *hex_src_string,
-                       char *hex_dst_string, int cbc_result )
+void des3_decrypt_cbc( int key_count, data_t * key_str,
+                       data_t * iv_str, data_t * src_str,
+                       data_t * hex_dst_string, int cbc_result )
 {
-    unsigned char key_str[100];
-    unsigned char iv_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_des3_context ctx;
-    int src_len;
 
-    memset(key_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
     mbedtls_des3_init( &ctx );
 
-    unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    src_len = unhexify( src_str, hex_src_string );
 
     if( key_count == 2 )
-        mbedtls_des3_set2key_dec( &ctx, key_str );
+        mbedtls_des3_set2key_dec( &ctx, key_str->x );
     else if( key_count == 3 )
-        mbedtls_des3_set3key_dec( &ctx, key_str );
+        mbedtls_des3_set3key_dec( &ctx, key_str->x );
     else
         TEST_ASSERT( 0 );
 
-    TEST_ASSERT( mbedtls_des3_crypt_cbc( &ctx, MBEDTLS_DES_DECRYPT, src_len, iv_str, src_str, output ) == cbc_result );
+    TEST_ASSERT( mbedtls_des3_crypt_cbc( &ctx, MBEDTLS_DES_DECRYPT, src_str->len, iv_str->x, src_str->x, output ) == cbc_result );
 
     if( cbc_result == 0 )
     {
-        hexify( dst_str, output, src_len );
 
-        TEST_ASSERT( strcasecmp( (char *) dst_str, hex_dst_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
     }
 
 exit:
@@ -317,7 +225,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void des_key_parity_run()
+void des_key_parity_run(  )
 {
     int i, j, cnt;
     unsigned char key[MBEDTLS_DES_KEY_SIZE];
@@ -360,7 +268,7 @@ void des_key_parity_run()
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void des_selftest()
+void des_selftest(  )
 {
     TEST_ASSERT( mbedtls_des_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_dhm.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_dhm.data
index 734fd97ac1..edebce087c 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_dhm.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_dhm.data
@@ -1,3 +1,6 @@
+Diffie-Hellman parameter validation
+dhm_invalid_params:
+
 Diffie-Hellman full exchange #1
 dhm_do_dhm:10:"23":10:"5":0
 
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_dhm.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_dhm.function
index 4fd8fff237..8a05a38dfb 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_dhm.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_dhm.function
@@ -7,6 +7,113 @@
  * END_DEPENDENCIES
  */
 
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void dhm_invalid_params( )
+{
+    mbedtls_dhm_context ctx;
+    unsigned char buf[42] = { 0 };
+    unsigned char *buf_null = NULL;
+    mbedtls_mpi X;
+    size_t const buflen = sizeof( buf );
+    size_t len;
+
+    TEST_INVALID_PARAM( mbedtls_dhm_init( NULL ) );
+    TEST_VALID_PARAM( mbedtls_dhm_free( NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_read_params( NULL,
+                                                     (unsigned char**) &buf,
+                                                     buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_read_params( &ctx, &buf_null, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_read_params( &ctx, NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_read_params( &ctx,
+                                                     (unsigned char**) &buf,
+                                                     NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_make_params( NULL, buflen,
+                                                     buf, &len,
+                                                     rnd_std_rand,
+                                                     NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_make_params( &ctx, buflen,
+                                                     NULL, &len,
+                                                     rnd_std_rand,
+                                                     NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_make_params( &ctx, buflen,
+                                                     buf, NULL,
+                                                     rnd_std_rand,
+                                                     NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_make_params( &ctx, buflen,
+                                                     buf, &len,
+                                                     NULL,
+                                                     NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_set_group( NULL, &X, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_set_group( &ctx, NULL, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_set_group( &ctx, &X, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_read_public( NULL, buf, buflen ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_read_public( &ctx, NULL, buflen ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_make_public( NULL, buflen,
+                                                     buf, buflen,
+                                                     rnd_std_rand,
+                                                     NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_make_public( &ctx, buflen,
+                                                     NULL, buflen,
+                                                     rnd_std_rand,
+                                                     NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_make_public( &ctx, buflen,
+                                                     buf, buflen,
+                                                     NULL,
+                                                     NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_calc_secret( NULL, buf, buflen,
+                                                     &len, rnd_std_rand,
+                                                     NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_calc_secret( &ctx, NULL, buflen,
+                                                     &len, rnd_std_rand,
+                                                     NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_calc_secret( &ctx, buf, buflen,
+                                                     NULL, rnd_std_rand,
+                                                     NULL ) );
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_parse_dhm( NULL, buf, buflen ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_parse_dhm( &ctx, NULL, buflen ) );
+
+#if defined(MBEDTLS_FS_IO)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_parse_dhmfile( NULL, "" ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_DHM_BAD_INPUT_DATA,
+                            mbedtls_dhm_parse_dhmfile( &ctx, NULL ) );
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+exit:
+    return;
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
 void dhm_do_dhm( int radix_P, char *input_P,
                  int radix_G, char *input_G, int result )
@@ -100,7 +207,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO */
-void dhm_file( char *filename, char *p, char *g, int len )
+void dhm_file( char * filename, char * p, char * g, int len )
 {
     mbedtls_dhm_context ctx;
     mbedtls_mpi P, G;
@@ -124,7 +231,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void dhm_selftest()
+void dhm_selftest(  )
 {
     TEST_ASSERT( mbedtls_dhm_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdh.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdh.data
index 4ed32219b7..af25359d33 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdh.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdh.data
@@ -1,3 +1,9 @@
+ECDH - Valid parameters
+ecdh_valid_param:
+
+ECDH - Invalid parameters
+ecdh_invalid_param:
+
 ECDH primitive random #1
 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
 ecdh_primitive_random:MBEDTLS_ECP_DP_SECP192R1
@@ -38,6 +44,42 @@ ECDH exchange #2
 depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
 ecdh_exchange:MBEDTLS_ECP_DP_SECP521R1
 
+ECDH restartable rfc 5903 p256 restart enabled max_ops=0 (disabled)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecdh_restart:MBEDTLS_ECP_DP_SECP256R1:"C88F01F510D9AC3F70A292DAA2316DE544E9AAB8AFE84049C62A9C57862D1433":"C6EF9C5D78AE012A011164ACB397CE2088685D8F06BF9BE0B283AB46476BEE53":"D6840F6B42F6EDAFD13116E0E12565202FEF8E9ECE7DCE03812464D04B9442DE":1:0:0:0
+
+ECDH restartable rfc 5903 p256 restart enabled max_ops=1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecdh_restart:MBEDTLS_ECP_DP_SECP256R1:"C88F01F510D9AC3F70A292DAA2316DE544E9AAB8AFE84049C62A9C57862D1433":"C6EF9C5D78AE012A011164ACB397CE2088685D8F06BF9BE0B283AB46476BEE53":"D6840F6B42F6EDAFD13116E0E12565202FEF8E9ECE7DCE03812464D04B9442DE":1:1:1:10000
+
+ECDH restartable rfc 5903 p256 restart enabled max_ops=10000
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecdh_restart:MBEDTLS_ECP_DP_SECP256R1:"C88F01F510D9AC3F70A292DAA2316DE544E9AAB8AFE84049C62A9C57862D1433":"C6EF9C5D78AE012A011164ACB397CE2088685D8F06BF9BE0B283AB46476BEE53":"D6840F6B42F6EDAFD13116E0E12565202FEF8E9ECE7DCE03812464D04B9442DE":1:10000:0:0
+
+ECDH restartable rfc 5903 p256 restart enabled max_ops=250
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecdh_restart:MBEDTLS_ECP_DP_SECP256R1:"C88F01F510D9AC3F70A292DAA2316DE544E9AAB8AFE84049C62A9C57862D1433":"C6EF9C5D78AE012A011164ACB397CE2088685D8F06BF9BE0B283AB46476BEE53":"D6840F6B42F6EDAFD13116E0E12565202FEF8E9ECE7DCE03812464D04B9442DE":1:250:2:32
+
+ECDH restartable rfc 5903 p256 restart disabled max_ops=0 (disabled)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecdh_restart:MBEDTLS_ECP_DP_SECP256R1:"C88F01F510D9AC3F70A292DAA2316DE544E9AAB8AFE84049C62A9C57862D1433":"C6EF9C5D78AE012A011164ACB397CE2088685D8F06BF9BE0B283AB46476BEE53":"D6840F6B42F6EDAFD13116E0E12565202FEF8E9ECE7DCE03812464D04B9442DE":0:0:0:0
+
+ECDH restartable rfc 5903 p256 restart disabled max_ops=1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecdh_restart:MBEDTLS_ECP_DP_SECP256R1:"C88F01F510D9AC3F70A292DAA2316DE544E9AAB8AFE84049C62A9C57862D1433":"C6EF9C5D78AE012A011164ACB397CE2088685D8F06BF9BE0B283AB46476BEE53":"D6840F6B42F6EDAFD13116E0E12565202FEF8E9ECE7DCE03812464D04B9442DE":0:1:0:0
+
+ECDH restartable rfc 5903 p256 restart disabled max_ops=10000
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecdh_restart:MBEDTLS_ECP_DP_SECP256R1:"C88F01F510D9AC3F70A292DAA2316DE544E9AAB8AFE84049C62A9C57862D1433":"C6EF9C5D78AE012A011164ACB397CE2088685D8F06BF9BE0B283AB46476BEE53":"D6840F6B42F6EDAFD13116E0E12565202FEF8E9ECE7DCE03812464D04B9442DE":0:10000:0:0
+
+ECDH restartable rfc 5903 p256 restart disabled max_ops=250
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecdh_restart:MBEDTLS_ECP_DP_SECP256R1:"C88F01F510D9AC3F70A292DAA2316DE544E9AAB8AFE84049C62A9C57862D1433":"C6EF9C5D78AE012A011164ACB397CE2088685D8F06BF9BE0B283AB46476BEE53":"D6840F6B42F6EDAFD13116E0E12565202FEF8E9ECE7DCE03812464D04B9442DE":0:250:0:0
+
+ECDH exchange legacy context
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ecdh_exchange_legacy:MBEDTLS_ECP_DP_SECP192R1
+
 ECDH calc_secret: ours first, SECP256R1 (RFC 5903)
 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
 ecdh_exchange_calc_secret:MBEDTLS_ECP_DP_SECP256R1:"c6ef9c5d78ae012a011164acb397ce2088685d8f06bf9be0b283ab46476bee53":"04dad0b65394221cf9b051e1feca5787d098dfe637fc90b9ef945d0c37725811805271a0461cdb8252d61f1c456fa3e59ab1f45b33accf5f58389e0577b8990bb3":0:"d6840f6b42f6edafd13116e0e12565202fef8e9ece7dce03812464d04b9442de"
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdh.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdh.function
index 0645ce798b..9a9cf5f7fa 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdh.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdh.function
@@ -1,18 +1,15 @@
 /* BEGIN_HEADER */
 #include "mbedtls/ecdh.h"
 
-static int load_public_key( int grp_id, const char *point_str,
+static int load_public_key( int grp_id, data_t *point,
                             mbedtls_ecp_keypair *ecp )
 {
     int ok = 0;
-    unsigned char point_buf[MBEDTLS_ECP_MAX_PT_LEN];
-    size_t point_len = unhexify( point_buf, point_str );
-
     TEST_ASSERT( mbedtls_ecp_group_load( &ecp->grp, grp_id ) == 0 );
     TEST_ASSERT( mbedtls_ecp_point_read_binary( &ecp->grp,
                                                 &ecp->Q,
-                                                point_buf,
-                                                point_len ) == 0 );
+                                                point->x,
+                                                point->len ) == 0 );
     TEST_ASSERT( mbedtls_ecp_check_pubkey( &ecp->grp,
                                            &ecp->Q ) == 0 );
     ok = 1;
@@ -20,18 +17,15 @@ exit:
     return( ok );
 }
 
-static int load_private_key( int grp_id, const char *private_key_str,
+static int load_private_key( int grp_id, data_t *private_key,
                              mbedtls_ecp_keypair *ecp,
                              rnd_pseudo_info *rnd_info )
 {
     int ok = 0;
-    unsigned char private_key_buf[MBEDTLS_ECP_MAX_BYTES];
-    size_t private_key_len = unhexify( private_key_buf, private_key_str );
-
     TEST_ASSERT( mbedtls_ecp_group_load( &ecp->grp, grp_id ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_binary( &ecp->d,
-                                          private_key_buf,
-                                          private_key_len ) == 0 );
+                                          private_key->x,
+                                          private_key->len ) == 0 );
     TEST_ASSERT( mbedtls_ecp_check_privkey( &ecp->grp, &ecp->d ) == 0 );
     /* Calculate the public key from the private key. */
     TEST_ASSERT( mbedtls_ecp_mul( &ecp->grp, &ecp->Q, &ecp->d,
@@ -49,6 +43,148 @@ exit:
  * END_DEPENDENCIES
  */
 
+/* BEGIN_CASE */
+void ecdh_valid_param( )
+{
+    TEST_VALID_PARAM( mbedtls_ecdh_free( NULL ) );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void ecdh_invalid_param( )
+{
+    mbedtls_ecp_group grp;
+    mbedtls_ecdh_context ctx;
+    mbedtls_mpi m;
+    mbedtls_ecp_point P;
+    mbedtls_ecp_keypair kp;
+    size_t olen;
+    unsigned char buf[42] = { 0 };
+    const unsigned char *buf_null = NULL;
+    size_t const buflen = sizeof( buf );
+    int invalid_side = 42;
+    mbedtls_ecp_group_id valid_grp = MBEDTLS_ECP_DP_SECP192R1;
+
+    TEST_INVALID_PARAM( mbedtls_ecdh_init( NULL ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    TEST_INVALID_PARAM( mbedtls_ecdh_enable_restart( NULL ) );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_gen_public( NULL, &m, &P,
+                                                     rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_gen_public( &grp, NULL, &P,
+                                                     rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_gen_public( &grp, &m, NULL,
+                                                     rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_gen_public( &grp, &m, &P,
+                                                     NULL, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_compute_shared( NULL, &m, &P, &m,
+                                                         rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_compute_shared( &grp, NULL, &P, &m,
+                                                         rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_compute_shared( &grp, &m, NULL, &m,
+                                                         rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_compute_shared( &grp, &m, &P, NULL,
+                                                         rnd_std_rand, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_setup( NULL, valid_grp ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_make_params( NULL, &olen,
+                                                      buf, buflen,
+                                                      rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_make_params( &ctx, NULL,
+                                                      buf, buflen,
+                                                      rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_make_params( &ctx, &olen,
+                                                      NULL, buflen,
+                                                      rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_make_params( &ctx, &olen,
+                                                      buf, buflen,
+                                                      NULL, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_read_params( NULL,
+                                                  (const unsigned char**) &buf,
+                                                  buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_read_params( &ctx, &buf_null,
+                                                      buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_read_params( &ctx, NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_read_params( &ctx,
+                                                  (const unsigned char**) &buf,
+                                                  NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_get_params( NULL, &kp,
+                                                     MBEDTLS_ECDH_OURS ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_get_params( &ctx, NULL,
+                                                     MBEDTLS_ECDH_OURS ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_get_params( &ctx, &kp,
+                                                     invalid_side ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_make_public( NULL, &olen,
+                                                      buf, buflen,
+                                                      rnd_std_rand,
+                                                      NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_make_public( &ctx, NULL,
+                                                      buf, buflen,
+                                                      rnd_std_rand,
+                                                      NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_make_public( &ctx, &olen,
+                                                      NULL, buflen,
+                                                      rnd_std_rand,
+                                                      NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_make_public( &ctx, &olen,
+                                                      buf, buflen,
+                                                      NULL,
+                                                      NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_read_public( NULL, buf, buflen ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_read_public( &ctx, NULL, buflen ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_calc_secret( NULL, &olen, buf, buflen,
+                                                      rnd_std_rand,
+                                                      NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_calc_secret( &ctx, NULL, buf, buflen,
+                                                      rnd_std_rand,
+                                                      NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdh_calc_secret( &ctx, &olen, NULL, buflen,
+                                                      rnd_std_rand,
+                                                      NULL ) );
+
+exit:
+    return;
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
 void ecdh_primitive_random( int id )
 {
@@ -85,15 +221,13 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void ecdh_primitive_testvec( int id, char *dA_str, char *xA_str, char *yA_str,
-                             char *dB_str, char *xB_str, char *yB_str,
-                             char *z_str )
+void ecdh_primitive_testvec( int id, data_t * rnd_buf_A, char * xA_str,
+                             char * yA_str, data_t * rnd_buf_B,
+                             char * xB_str, char * yB_str, char * z_str )
 {
     mbedtls_ecp_group grp;
     mbedtls_ecp_point qA, qB;
     mbedtls_mpi dA, dB, zA, zB, check;
-    unsigned char rnd_buf_A[MBEDTLS_ECP_MAX_BYTES];
-    unsigned char rnd_buf_B[MBEDTLS_ECP_MAX_BYTES];
     rnd_buf_info rnd_info_A, rnd_info_B;
 
     mbedtls_ecp_group_init( &grp );
@@ -103,36 +237,36 @@ void ecdh_primitive_testvec( int id, char *dA_str, char *xA_str, char *yA_str,
 
     TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
 
-    rnd_info_A.buf = rnd_buf_A;
-    rnd_info_A.length = unhexify( rnd_buf_A, dA_str );
+    rnd_info_A.buf = rnd_buf_A->x;
+    rnd_info_A.length = rnd_buf_A->len;
 
-    /* Fix rnd_buf_A by shifting it left if necessary */
+    /* Fix rnd_buf_A->x by shifting it left if necessary */
     if( grp.nbits % 8 != 0 )
     {
         unsigned char shift = 8 - ( grp.nbits % 8 );
         size_t i;
 
         for( i = 0; i < rnd_info_A.length - 1; i++ )
-            rnd_buf_A[i] = rnd_buf_A[i] << shift
-                         | rnd_buf_A[i+1] >> ( 8 - shift );
+            rnd_buf_A->x[i] = rnd_buf_A->x[i] << shift
+                         | rnd_buf_A->x[i+1] >> ( 8 - shift );
 
-        rnd_buf_A[rnd_info_A.length-1] <<= shift;
+        rnd_buf_A->x[rnd_info_A.length-1] <<= shift;
     }
 
-    rnd_info_B.buf = rnd_buf_B;
-    rnd_info_B.length = unhexify( rnd_buf_B, dB_str );
+    rnd_info_B.buf = rnd_buf_B->x;
+    rnd_info_B.length = rnd_buf_B->len;
 
-    /* Fix rnd_buf_B by shifting it left if necessary */
+    /* Fix rnd_buf_B->x by shifting it left if necessary */
     if( grp.nbits % 8 != 0 )
     {
         unsigned char shift = 8 - ( grp.nbits % 8 );
         size_t i;
 
         for( i = 0; i < rnd_info_B.length - 1; i++ )
-            rnd_buf_B[i] = rnd_buf_B[i] << shift
-                         | rnd_buf_B[i+1] >> ( 8 - shift );
+            rnd_buf_B->x[i] = rnd_buf_B->x[i] << shift
+                         | rnd_buf_B->x[i+1] >> ( 8 - shift );
 
-        rnd_buf_B[rnd_info_B.length-1] <<= shift;
+        rnd_buf_B->x[rnd_info_B.length-1] <<= shift;
     }
 
     TEST_ASSERT( mbedtls_ecdh_gen_public( &grp, &dA, &qA,
@@ -172,6 +306,171 @@ void ecdh_exchange( int id )
     unsigned char buf[1000];
     const unsigned char *vbuf;
     size_t len;
+    rnd_pseudo_info rnd_info;
+    unsigned char res_buf[1000];
+    size_t res_len;
+
+    mbedtls_ecdh_init( &srv );
+    mbedtls_ecdh_init( &cli );
+    memset( &rnd_info, 0x00, sizeof( rnd_pseudo_info ) );
+
+    TEST_ASSERT( mbedtls_ecdh_setup( &srv, id ) == 0 );
+
+    memset( buf, 0x00, sizeof( buf ) ); vbuf = buf;
+    TEST_ASSERT( mbedtls_ecdh_make_params( &srv, &len, buf, 1000,
+                                           &rnd_pseudo_rand, &rnd_info ) == 0 );
+    TEST_ASSERT( mbedtls_ecdh_read_params( &cli, &vbuf, buf + len ) == 0 );
+
+    memset( buf, 0x00, sizeof( buf ) );
+    TEST_ASSERT( mbedtls_ecdh_make_public( &cli, &len, buf, 1000,
+                                           &rnd_pseudo_rand, &rnd_info ) == 0 );
+    TEST_ASSERT( mbedtls_ecdh_read_public( &srv, buf, len ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecdh_calc_secret( &srv, &len, buf, 1000,
+                                           &rnd_pseudo_rand, &rnd_info ) == 0 );
+    TEST_ASSERT( mbedtls_ecdh_calc_secret( &cli, &res_len, res_buf, 1000,
+                                           NULL, NULL ) == 0 );
+    TEST_ASSERT( len == res_len );
+    TEST_ASSERT( memcmp( buf, res_buf, len ) == 0 );
+
+exit:
+    mbedtls_ecdh_free( &srv );
+    mbedtls_ecdh_free( &cli );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void ecdh_restart( int id, char *dA_str, char *dB_str, char *z_str,
+                   int enable, int max_ops, int min_restart, int max_restart )
+{
+    int ret;
+    mbedtls_ecdh_context srv, cli;
+    unsigned char buf[1000];
+    const unsigned char *vbuf;
+    size_t len;
+    unsigned char z[MBEDTLS_ECP_MAX_BYTES];
+    size_t z_len;
+    unsigned char rnd_buf_A[MBEDTLS_ECP_MAX_BYTES];
+    unsigned char rnd_buf_B[MBEDTLS_ECP_MAX_BYTES];
+    rnd_buf_info rnd_info_A, rnd_info_B;
+    int cnt_restart;
+    mbedtls_ecp_group grp;
+
+    mbedtls_ecp_group_init( &grp );
+    mbedtls_ecdh_init( &srv );
+    mbedtls_ecdh_init( &cli );
+
+    z_len = unhexify( z, z_str );
+
+    rnd_info_A.buf = rnd_buf_A;
+    rnd_info_A.length = unhexify( rnd_buf_A, dA_str );
+
+    rnd_info_B.buf = rnd_buf_B;
+    rnd_info_B.length = unhexify( rnd_buf_B, dB_str );
+
+    /* The ECDH context is not guaranteed ot have an mbedtls_ecp_group structure
+     * in every configuration, therefore we load it separately. */
+    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
+
+    /* Otherwise we would have to fix the random buffer,
+     * as in ecdh_primitive_testvec. */
+    TEST_ASSERT( grp.nbits % 8 == 0 );
+
+    TEST_ASSERT( mbedtls_ecdh_setup( &srv, id ) == 0 );
+
+    /* set up restart parameters */
+    mbedtls_ecp_set_max_ops( max_ops );
+
+    if( enable )
+    {
+        mbedtls_ecdh_enable_restart( &srv );
+        mbedtls_ecdh_enable_restart( &cli );
+    }
+
+    /* server writes its paramaters */
+    memset( buf, 0x00, sizeof( buf ) );
+    len = 0;
+
+    cnt_restart = 0;
+    do {
+        ret = mbedtls_ecdh_make_params( &srv, &len, buf, sizeof( buf ),
+                                        rnd_buffer_rand, &rnd_info_A );
+    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
+
+    TEST_ASSERT( ret == 0 );
+    TEST_ASSERT( cnt_restart >= min_restart );
+    TEST_ASSERT( cnt_restart <= max_restart );
+
+    /* client read server params */
+    vbuf = buf;
+    TEST_ASSERT( mbedtls_ecdh_read_params( &cli, &vbuf, buf + len ) == 0 );
+
+    /* client writes its key share */
+    memset( buf, 0x00, sizeof( buf ) );
+    len = 0;
+
+    cnt_restart = 0;
+    do {
+        ret = mbedtls_ecdh_make_public( &cli, &len, buf, sizeof( buf ),
+                                        rnd_buffer_rand, &rnd_info_B );
+    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
+
+    TEST_ASSERT( ret == 0 );
+    TEST_ASSERT( cnt_restart >= min_restart );
+    TEST_ASSERT( cnt_restart <= max_restart );
+
+    /* server reads client key share */
+    TEST_ASSERT( mbedtls_ecdh_read_public( &srv, buf, len ) == 0 );
+
+    /* server computes shared secret */
+    memset( buf, 0, sizeof( buf ) );
+    len = 0;
+
+    cnt_restart = 0;
+    do {
+        ret = mbedtls_ecdh_calc_secret( &srv, &len, buf, sizeof( buf ),
+                                              NULL, NULL );
+    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
+
+    TEST_ASSERT( ret == 0 );
+    TEST_ASSERT( cnt_restart >= min_restart );
+    TEST_ASSERT( cnt_restart <= max_restart );
+
+    TEST_ASSERT( len == z_len );
+    TEST_ASSERT( memcmp( buf, z, len ) == 0 );
+
+    /* client computes shared secret */
+    memset( buf, 0, sizeof( buf ) );
+    len = 0;
+
+    cnt_restart = 0;
+    do {
+        ret = mbedtls_ecdh_calc_secret( &cli, &len, buf, sizeof( buf ),
+                                              NULL, NULL );
+    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
+
+    TEST_ASSERT( ret == 0 );
+    TEST_ASSERT( cnt_restart >= min_restart );
+    TEST_ASSERT( cnt_restart <= max_restart );
+
+    TEST_ASSERT( len == z_len );
+    TEST_ASSERT( memcmp( buf, z, len ) == 0 );
+
+exit:
+    mbedtls_ecp_group_free( &grp );
+    mbedtls_ecdh_free( &srv );
+    mbedtls_ecdh_free( &cli );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECDH_LEGACY_CONTEXT */
+void ecdh_exchange_legacy( int id )
+{
+    mbedtls_ecdh_context srv, cli;
+    unsigned char buf[1000];
+    const unsigned char *vbuf;
+    size_t len;
+
     rnd_pseudo_info rnd_info;
 
     mbedtls_ecdh_init( &srv );
@@ -187,12 +486,13 @@ void ecdh_exchange( int id )
 
     memset( buf, 0x00, sizeof( buf ) );
     TEST_ASSERT( mbedtls_ecdh_make_public( &cli, &len, buf, 1000,
-                                   &rnd_pseudo_rand, &rnd_info ) == 0 );
+                                           &rnd_pseudo_rand, &rnd_info ) == 0 );
     TEST_ASSERT( mbedtls_ecdh_read_public( &srv, buf, len ) == 0 );
 
     TEST_ASSERT( mbedtls_ecdh_calc_secret( &srv, &len, buf, 1000,
-                                   &rnd_pseudo_rand, &rnd_info ) == 0 );
-    TEST_ASSERT( mbedtls_ecdh_calc_secret( &cli, &len, buf, 1000, NULL, NULL ) == 0 );
+                                           &rnd_pseudo_rand, &rnd_info ) == 0 );
+    TEST_ASSERT( mbedtls_ecdh_calc_secret( &cli, &len, buf, 1000, NULL,
+                                           NULL ) == 0 );
     TEST_ASSERT( mbedtls_mpi_cmp_mpi( &srv.z, &cli.z ) == 0 );
 
 exit:
@@ -203,14 +503,12 @@ exit:
 
 /* BEGIN_CASE */
 void ecdh_exchange_calc_secret( int grp_id,
-                                char *our_private_key,
-                                char *their_point,
+                                data_t *our_private_key,
+                                data_t *their_point,
                                 int ours_first,
-                                char *expected_str )
+                                data_t *expected )
 {
     rnd_pseudo_info rnd_info;
-    unsigned char expected_buf[MBEDTLS_ECP_MAX_BYTES];
-    size_t expected_len;
     mbedtls_ecp_keypair our_key;
     mbedtls_ecp_keypair their_key;
     mbedtls_ecdh_context ecdh;
@@ -222,8 +520,6 @@ void ecdh_exchange_calc_secret( int grp_id,
     mbedtls_ecp_keypair_init( &our_key );
     mbedtls_ecp_keypair_init( &their_key );
 
-    expected_len = unhexify( expected_buf, expected_str );
-
     if( ! load_private_key( grp_id, our_private_key, &our_key, &rnd_info ) )
         goto exit;
     if( ! load_public_key( grp_id, their_point, &their_key ) )
@@ -251,8 +547,8 @@ void ecdh_exchange_calc_secret( int grp_id,
                      &shared_secret_length,
                      shared_secret, sizeof( shared_secret ),
                      &rnd_pseudo_rand, &rnd_info ) == 0 );
-    TEST_ASSERT( shared_secret_length == expected_len );
-    TEST_ASSERT( memcmp( expected_buf, shared_secret,
+    TEST_ASSERT( shared_secret_length == expected->len );
+    TEST_ASSERT( memcmp( expected->x, shared_secret,
                          shared_secret_length ) == 0 );
 
 exit:
@@ -264,9 +560,9 @@ exit:
 
 /* BEGIN_CASE */
 void ecdh_exchange_get_params_fail( int our_grp_id,
-                                    char *our_private_key,
+                                    data_t *our_private_key,
                                     int their_grp_id,
-                                    char *their_point,
+                                    data_t *their_point,
                                     int ours_first,
                                     int expected_ret )
 {
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdsa.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdsa.data
index 19c51d35b5..59e209b362 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdsa.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdsa.data
@@ -1,3 +1,6 @@
+ECDSA Parameter validation
+ecdsa_invalid_param:
+
 ECDSA primitive random #1
 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
 ecdsa_prim_random:MBEDTLS_ECP_DP_SECP192R1
@@ -50,7 +53,7 @@ ECDSA write-read random #5
 depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
 ecdsa_write_read_random:MBEDTLS_ECP_DP_SECP521R1
 
-ECDSA deterministic test vector rfc 6979 p192 mbedtls_sha1
+ECDSA deterministic test vector rfc 6979 p192 sha1
 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA1_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA1:"sample":"98C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF":"57A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B64"
 
@@ -58,7 +61,7 @@ ECDSA deterministic test vector rfc 6979 p192 sha224
 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA224:"sample":"A1F00DAD97AEEC91C95585F36200C65F3C01812AA60378F5":"E07EC1304C7C6C9DEBBE980B9692668F81D4DE7922A0F97A"
 
-ECDSA deterministic test vector rfc 6979 p192 mbedtls_sha256
+ECDSA deterministic test vector rfc 6979 p192 sha256
 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA256:"sample":"4B0B8CE98A92866A2820E20AA6B75B56382E0F9BFD5ECB55":"CCDB006926EA9565CBADC840829D8C384E06DE1F1E381B85"
 
@@ -66,11 +69,11 @@ ECDSA deterministic test vector rfc 6979 p192 sha384
 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA384:"sample":"DA63BF0B9ABCF948FBB1E9167F136145F7A20426DCC287D5":"C3AA2C960972BD7A2003A57E1C4C77F0578F8AE95E31EC5E"
 
-ECDSA deterministic test vector rfc 6979 p192 mbedtls_sha512
+ECDSA deterministic test vector rfc 6979 p192 sha512
 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA512:"sample":"4D60C5AB1996BD848343B31C00850205E2EA6922DAC2E4B8":"3F6E837448F027A1BF4B34E796E32A811CBB4050908D8F67"
 
-ECDSA deterministic test vector rfc 6979 p192 mbedtls_sha1
+ECDSA deterministic test vector rfc 6979 p192 sha1
 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA1_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA1:"test":"0F2141A0EBBC44D2E1AF90A50EBCFCE5E197B3B7D4DE036D":"EB18BC9E1F3D7387500CB99CF5F7C157070A8961E38700B7"
 
@@ -78,7 +81,7 @@ ECDSA deterministic test vector rfc 6979 p192 sha224
 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA224:"test":"6945A1C1D1B2206B8145548F633BB61CEF04891BAF26ED34":"B7FB7FDFC339C0B9BD61A9F5A8EAF9BE58FC5CBA2CB15293"
 
-ECDSA deterministic test vector rfc 6979 p192 mbedtls_sha256
+ECDSA deterministic test vector rfc 6979 p192 sha256
 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA256:"test":"3A718BD8B4926C3B52EE6BBE67EF79B18CB6EB62B1AD97AE":"5662E6848A4A19B1F1AE2F72ACD4B8BBE50F1EAC65D9124F"
 
@@ -86,11 +89,11 @@ ECDSA deterministic test vector rfc 6979 p192 sha384
 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA384:"test":"B234B60B4DB75A733E19280A7A6034BD6B1EE88AF5332367":"7994090B2D59BB782BE57E74A44C9A1C700413F8ABEFE77A"
 
-ECDSA deterministic test vector rfc 6979 p192 mbedtls_sha512
+ECDSA deterministic test vector rfc 6979 p192 sha512
 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"6FAB034934E4C0FC9AE67F5B5659A9D7D1FEFD187EE09FD4":MBEDTLS_MD_SHA512:"test":"FE4F4AE86A58B6507946715934FE2D8FF9D95B6B098FE739":"74CF5605C98FBA0E1EF34D4B5A1577A7DCF59457CAE52290"
 
-ECDSA deterministic test vector rfc 6979 p224 mbedtls_sha1
+ECDSA deterministic test vector rfc 6979 p224 sha1
 depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_SHA1_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA1:"sample":"22226F9D40A96E19C4A301CE5B74B115303C0F3A4FD30FC257FB57AC":"66D1CDD83E3AF75605DD6E2FEFF196D30AA7ED7A2EDF7AF475403D69"
 
@@ -98,7 +101,7 @@ ECDSA deterministic test vector rfc 6979 p224 sha224
 depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA224:"sample":"1CDFE6662DDE1E4A1EC4CDEDF6A1F5A2FB7FBD9145C12113E6ABFD3E":"A6694FD7718A21053F225D3F46197CA699D45006C06F871808F43EBC"
 
-ECDSA deterministic test vector rfc 6979 p224 mbedtls_sha256
+ECDSA deterministic test vector rfc 6979 p224 sha256
 depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA256:"sample":"61AA3DA010E8E8406C656BC477A7A7189895E7E840CDFE8FF42307BA":"BC814050DAB5D23770879494F9E0A680DC1AF7161991BDE692B10101"
 
@@ -106,11 +109,11 @@ ECDSA deterministic test vector rfc 6979 p224 sha384
 depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA384:"sample":"0B115E5E36F0F9EC81F1325A5952878D745E19D7BB3EABFABA77E953":"830F34CCDFE826CCFDC81EB4129772E20E122348A2BBD889A1B1AF1D"
 
-ECDSA deterministic test vector rfc 6979 p224 mbedtls_sha512
+ECDSA deterministic test vector rfc 6979 p224 sha512
 depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA512:"sample":"074BD1D979D5F32BF958DDC61E4FB4872ADCAFEB2256497CDAC30397":"A4CECA196C3D5A1FF31027B33185DC8EE43F288B21AB342E5D8EB084"
 
-ECDSA deterministic test vector rfc 6979 p224 mbedtls_sha1
+ECDSA deterministic test vector rfc 6979 p224 sha1
 depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_SHA1_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA1:"test":"DEAA646EC2AF2EA8AD53ED66B2E2DDAA49A12EFD8356561451F3E21C":"95987796F6CF2062AB8135271DE56AE55366C045F6D9593F53787BD2"
 
@@ -118,7 +121,7 @@ ECDSA deterministic test vector rfc 6979 p224 sha224
 depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA224:"test":"C441CE8E261DED634E4CF84910E4C5D1D22C5CF3B732BB204DBEF019":"902F42847A63BDC5F6046ADA114953120F99442D76510150F372A3F4"
 
-ECDSA deterministic test vector rfc 6979 p224 mbedtls_sha256
+ECDSA deterministic test vector rfc 6979 p224 sha256
 depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA256:"test":"AD04DDE87B84747A243A631EA47A1BA6D1FAA059149AD2440DE6FBA6":"178D49B1AE90E3D8B629BE3DB5683915F4E8C99FDF6E666CF37ADCFD"
 
@@ -126,11 +129,11 @@ ECDSA deterministic test vector rfc 6979 p224 sha384
 depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA384:"test":"389B92682E399B26518A95506B52C03BC9379A9DADF3391A21FB0EA4":"414A718ED3249FF6DBC5B50C27F71F01F070944DA22AB1F78F559AAB"
 
-ECDSA deterministic test vector rfc 6979 p224 mbedtls_sha512
+ECDSA deterministic test vector rfc 6979 p224 sha512
 depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP224R1:"F220266E1105BFE3083E03EC7A3A654651F45E37167E88600BF257C1":MBEDTLS_MD_SHA512:"test":"049F050477C5ADD858CAC56208394B5A55BAEBBE887FDF765047C17C":"077EB13E7005929CEFA3CD0403C7CDCC077ADF4E44F3C41B2F60ECFF"
 
-ECDSA deterministic test vector rfc 6979 p256 mbedtls_sha1
+ECDSA deterministic test vector rfc 6979 p256 sha1
 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA1:"sample":"61340C88C3AAEBEB4F6D667F672CA9759A6CCAA9FA8811313039EE4A35471D32":"6D7F147DAC089441BB2E2FE8F7A3FA264B9C475098FDCF6E00D7C996E1B8B7EB"
 
@@ -138,7 +141,7 @@ ECDSA deterministic test vector rfc 6979 p256 sha224
 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA224:"sample":"53B2FFF5D1752B2C689DF257C04C40A587FABABB3F6FC2702F1343AF7CA9AA3F":"B9AFB64FDC03DC1A131C7D2386D11E349F070AA432A4ACC918BEA988BF75C74C"
 
-ECDSA deterministic test vector rfc 6979 p256 mbedtls_sha256
+ECDSA deterministic test vector rfc 6979 p256 sha256
 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA256:"sample":"EFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716":"F7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA8"
 
@@ -146,11 +149,11 @@ ECDSA deterministic test vector rfc 6979 p256 sha384
 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA384:"sample":"0EAFEA039B20E9B42309FB1D89E213057CBF973DC0CFC8F129EDDDC800EF7719":"4861F0491E6998B9455193E34E7B0D284DDD7149A74B95B9261F13ABDE940954"
 
-ECDSA deterministic test vector rfc 6979 p256 mbedtls_sha512
+ECDSA deterministic test vector rfc 6979 p256 sha512
 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA512:"sample":"8496A60B5E9B47C825488827E0495B0E3FA109EC4568FD3F8D1097678EB97F00":"2362AB1ADBE2B8ADF9CB9EDAB740EA6049C028114F2460F96554F61FAE3302FE"
 
-ECDSA deterministic test vector rfc 6979 p256 mbedtls_sha1
+ECDSA deterministic test vector rfc 6979 p256 sha1
 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA1:"test":"0CBCC86FD6ABD1D99E703E1EC50069EE5C0B4BA4B9AC60E409E8EC5910D81A89":"01B9D7B73DFAA60D5651EC4591A0136F87653E0FD780C3B1BC872FFDEAE479B1"
 
@@ -158,7 +161,7 @@ ECDSA deterministic test vector rfc 6979 p256 sha224
 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA224:"test":"C37EDB6F0AE79D47C3C27E962FA269BB4F441770357E114EE511F662EC34A692":"C820053A05791E521FCAAD6042D40AEA1D6B1A540138558F47D0719800E18F2D"
 
-ECDSA deterministic test vector rfc 6979 p256 mbedtls_sha256
+ECDSA deterministic test vector rfc 6979 p256 sha256
 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA256:"test":"F1ABB023518351CD71D881567B1EA663ED3EFCF6C5132B354F28D3B0B7D38367":"019F4113742A2B14BD25926B49C649155F267E60D3814B4C0CC84250E46F0083"
 
@@ -166,11 +169,11 @@ ECDSA deterministic test vector rfc 6979 p256 sha384
 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA384:"test":"83910E8B48BB0C74244EBDF7F07A1C5413D61472BD941EF3920E623FBCCEBEB6":"8DDBEC54CF8CD5874883841D712142A56A8D0F218F5003CB0296B6B509619F2C"
 
-ECDSA deterministic test vector rfc 6979 p256 mbedtls_sha512
+ECDSA deterministic test vector rfc 6979 p256 sha512
 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA512:"test":"461D93F31B6540894788FD206C07CFA0CC35F46FA3C91816FFF1040AD1581A04":"39AF9F15DE0DB8D97E72719C74820D304CE5226E32DEDAE67519E840D1194E55"
 
-ECDSA deterministic test vector rfc 6979 p384 mbedtls_sha1
+ECDSA deterministic test vector rfc 6979 p384 sha1
 depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA1:"sample":"EC748D839243D6FBEF4FC5C4859A7DFFD7F3ABDDF72014540C16D73309834FA37B9BA002899F6FDA3A4A9386790D4EB2":"A3BCFA947BEEF4732BF247AC17F71676CB31A847B9FF0CBC9C9ED4C1A5B3FACF26F49CA031D4857570CCB5CA4424A443"
 
@@ -178,7 +181,7 @@ ECDSA deterministic test vector rfc 6979 p384 sha224
 depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA224:"sample":"42356E76B55A6D9B4631C865445DBE54E056D3B3431766D0509244793C3F9366450F76EE3DE43F5A125333A6BE060122":"9DA0C81787064021E78DF658F2FBB0B042BF304665DB721F077A4298B095E4834C082C03D83028EFBF93A3C23940CA8D"
 
-ECDSA deterministic test vector rfc 6979 p384 mbedtls_sha256
+ECDSA deterministic test vector rfc 6979 p384 sha256
 depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA256:"sample":"21B13D1E013C7FA1392D03C5F99AF8B30C570C6F98D4EA8E354B63A21D3DAA33BDE1E888E63355D92FA2B3C36D8FB2CD":"F3AA443FB107745BF4BD77CB3891674632068A10CA67E3D45DB2266FA7D1FEEBEFDC63ECCD1AC42EC0CB8668A4FA0AB0"
 
@@ -186,11 +189,11 @@ ECDSA deterministic test vector rfc 6979 p384 sha384
 depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA384:"sample":"94EDBB92A5ECB8AAD4736E56C691916B3F88140666CE9FA73D64C4EA95AD133C81A648152E44ACF96E36DD1E80FABE46":"99EF4AEB15F178CEA1FE40DB2603138F130E740A19624526203B6351D0A3A94FA329C145786E679E7B82C71A38628AC8"
 
-ECDSA deterministic test vector rfc 6979 p384 mbedtls_sha512
+ECDSA deterministic test vector rfc 6979 p384 sha512
 depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA512:"sample":"ED0959D5880AB2D869AE7F6C2915C6D60F96507F9CB3E047C0046861DA4A799CFE30F35CC900056D7C99CD7882433709":"512C8CCEEE3890A84058CE1E22DBC2198F42323CE8ACA9135329F03C068E5112DC7CC3EF3446DEFCEB01A45C2667FDD5"
 
-ECDSA deterministic test vector rfc 6979 p384 mbedtls_sha1
+ECDSA deterministic test vector rfc 6979 p384 sha1
 depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA1:"test":"4BC35D3A50EF4E30576F58CD96CE6BF638025EE624004A1F7789A8B8E43D0678ACD9D29876DAF46638645F7F404B11C7":"D5A6326C494ED3FF614703878961C0FDE7B2C278F9A65FD8C4B7186201A2991695BA1C84541327E966FA7B50F7382282"
 
@@ -198,7 +201,7 @@ ECDSA deterministic test vector rfc 6979 p384 sha224
 depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA224:"test":"E8C9D0B6EA72A0E7837FEA1D14A1A9557F29FAA45D3E7EE888FC5BF954B5E62464A9A817C47FF78B8C11066B24080E72":"07041D4A7A0379AC7232FF72E6F77B6DDB8F09B16CCE0EC3286B2BD43FA8C6141C53EA5ABEF0D8231077A04540A96B66"
 
-ECDSA deterministic test vector rfc 6979 p384 mbedtls_sha256
+ECDSA deterministic test vector rfc 6979 p384 sha256
 depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA256:"test":"6D6DEFAC9AB64DABAFE36C6BF510352A4CC27001263638E5B16D9BB51D451559F918EEDAF2293BE5B475CC8F0188636B":"2D46F3BECBCC523D5F1A1256BF0C9B024D879BA9E838144C8BA6BAEB4B53B47D51AB373F9845C0514EEFB14024787265"
 
@@ -206,11 +209,11 @@ ECDSA deterministic test vector rfc 6979 p384 sha384
 depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA384:"test":"8203B63D3C853E8D77227FB377BCF7B7B772E97892A80F36AB775D509D7A5FEB0542A7F0812998DA8F1DD3CA3CF023DB":"DDD0760448D42D8A43AF45AF836FCE4DE8BE06B485E9B61B827C2F13173923E06A739F040649A667BF3B828246BAA5A5"
 
-ECDSA deterministic test vector rfc 6979 p384 mbedtls_sha512
+ECDSA deterministic test vector rfc 6979 p384 sha512
 depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP384R1:"6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5":MBEDTLS_MD_SHA512:"test":"A0D5D090C9980FAF3C2CE57B7AE951D31977DD11C775D314AF55F76C676447D06FB6495CD21B4B6E340FC236584FB277":"976984E59B4C77B0E8E4460DCA3D9F20E07B9BB1F63BEEFAF576F6B2E8B224634A2092CD3792E0159AD9CEE37659C736"
 
-ECDSA deterministic test vector rfc 6979 p521 mbedtls_sha1
+ECDSA deterministic test vector rfc 6979 p521 sha1
 depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_SHA1_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA1:"sample":"0343B6EC45728975EA5CBA6659BBB6062A5FF89EEA58BE3C80B619F322C87910FE092F7D45BB0F8EEE01ED3F20BABEC079D202AE677B243AB40B5431D497C55D75D":"0E7B0E675A9B24413D448B8CC119D2BF7B2D2DF032741C096634D6D65D0DBE3D5694625FB9E8104D3B842C1B0E2D0B98BEA19341E8676AEF66AE4EBA3D5475D5D16"
 
@@ -218,7 +221,7 @@ ECDSA deterministic test vector rfc 6979 p521 sha224
 depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA224:"sample":"1776331CFCDF927D666E032E00CF776187BC9FDD8E69D0DABB4109FFE1B5E2A30715F4CC923A4A5E94D2503E9ACFED92857B7F31D7152E0F8C00C15FF3D87E2ED2E":"050CB5265417FE2320BBB5A122B8E1A32BD699089851128E360E620A30C7E17BA41A666AF126CE100E5799B153B60528D5300D08489CA9178FB610A2006C254B41F"
 
-ECDSA deterministic test vector rfc 6979 p521 mbedtls_sha256
+ECDSA deterministic test vector rfc 6979 p521 sha256
 depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA256:"sample":"1511BB4D675114FE266FC4372B87682BAECC01D3CC62CF2303C92B3526012659D16876E25C7C1E57648F23B73564D67F61C6F14D527D54972810421E7D87589E1A7":"04A171143A83163D6DF460AAF61522695F207A58B95C0644D87E52AA1A347916E4F7A72930B1BC06DBE22CE3F58264AFD23704CBB63B29B931F7DE6C9D949A7ECFC"
 
@@ -226,11 +229,11 @@ ECDSA deterministic test vector rfc 6979 p521 sha384
 depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA384:"sample":"1EA842A0E17D2DE4F92C15315C63DDF72685C18195C2BB95E572B9C5136CA4B4B576AD712A52BE9730627D16054BA40CC0B8D3FF035B12AE75168397F5D50C67451":"1F21A3CEE066E1961025FB048BD5FE2B7924D0CD797BABE0A83B66F1E35EEAF5FDE143FA85DC394A7DEE766523393784484BDF3E00114A1C857CDE1AA203DB65D61"
 
-ECDSA deterministic test vector rfc 6979 p521 mbedtls_sha512
+ECDSA deterministic test vector rfc 6979 p521 sha512
 depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA512:"sample":"0C328FAFCBD79DD77850370C46325D987CB525569FB63C5D3BC53950E6D4C5F174E25A1EE9017B5D450606ADD152B534931D7D4E8455CC91F9B15BF05EC36E377FA":"0617CCE7CF5064806C467F678D3B4080D6F1CC50AF26CA209417308281B68AF282623EAA63E5B5C0723D8B8C37FF0777B1A20F8CCB1DCCC43997F1EE0E44DA4A67A"
 
-ECDSA deterministic test vector rfc 6979 p521 mbedtls_sha1
+ECDSA deterministic test vector rfc 6979 p521 sha1
 depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_SHA1_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA1:"test":"13BAD9F29ABE20DE37EBEB823C252CA0F63361284015A3BF430A46AAA80B87B0693F0694BD88AFE4E661FC33B094CD3B7963BED5A727ED8BD6A3A202ABE009D0367":"1E9BB81FF7944CA409AD138DBBEE228E1AFCC0C890FC78EC8604639CB0DBDC90F717A99EAD9D272855D00162EE9527567DD6A92CBD629805C0445282BBC916797FF"
 
@@ -238,7 +241,7 @@ ECDSA deterministic test vector rfc 6979 p521 sha224
 depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA224:"test":"1C7ED902E123E6815546065A2C4AF977B22AA8EADDB68B2C1110E7EA44D42086BFE4A34B67DDC0E17E96536E358219B23A706C6A6E16BA77B65E1C595D43CAE17FB":"177336676304FCB343CE028B38E7B4FBA76C1C1B277DA18CAD2A8478B2A9A9F5BEC0F3BA04F35DB3E4263569EC6AADE8C92746E4C82F8299AE1B8F1739F8FD519A4"
 
-ECDSA deterministic test vector rfc 6979 p521 mbedtls_sha256
+ECDSA deterministic test vector rfc 6979 p521 sha256
 depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_SHA256_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA256:"test":"00E871C4A14F993C6C7369501900C4BC1E9C7B0B4BA44E04868B30B41D8071042EB28C4C250411D0CE08CD197E4188EA4876F279F90B3D8D74A3C76E6F1E4656AA8":"0CD52DBAA33B063C3A6CD8058A1FB0A46A4754B034FCC644766CA14DA8CA5CA9FDE00E88C1AD60CCBA759025299079D7A427EC3CC5B619BFBC828E7769BCD694E86"
 
@@ -246,10 +249,42 @@ ECDSA deterministic test vector rfc 6979 p521 sha384
 depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA384:"test":"14BEE21A18B6D8B3C93FAB08D43E739707953244FDBE924FA926D76669E7AC8C89DF62ED8975C2D8397A65A49DCC09F6B0AC62272741924D479354D74FF6075578C":"133330865C067A0EAF72362A65E2D7BC4E461E8C8995C3B6226A21BD1AA78F0ED94FE536A0DCA35534F0CD1510C41525D163FE9D74D134881E35141ED5E8E95B979"
 
-ECDSA deterministic test vector rfc 6979 p521 mbedtls_sha512
+ECDSA deterministic test vector rfc 6979 p521 sha512
 depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED:MBEDTLS_SHA512_C
 ecdsa_det_test_vectors:MBEDTLS_ECP_DP_SECP521R1:"0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538":MBEDTLS_MD_SHA512:"test":"13E99020ABF5CEE7525D16B69B229652AB6BDF2AFFCAEF38773B4B7D08725F10CDB93482FDCC54EDCEE91ECA4166B2A7C6265EF0CE2BD7051B7CEF945BABD47EE6D":"1FBD0013C674AA79CB39849527916CE301C66EA7CE8B80682786AD60F98F7E78A19CA69EFF5C57400E3B3A0AD66CE0978214D13BAF4E9AC60752F7B155E2DE4DCE3"
 
+ECDSA restartable read-verify: max_ops=0 (disabled)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecdsa_read_restart:MBEDTLS_ECP_DP_SECP256R1:"04e8f573412a810c5f81ecd2d251bb94387e72f28af70dced90ebe75725c97a6428231069c2b1ef78509a22c59044319f6ed3cb750dfe64c2a282b35967a458ad6":"dee9d4d8b0e40a034602d6e638197998060f6e9f353ae1d10c94cd56476d3c92":"304502210098a5a1392abe29e4b0a4da3fefe9af0f8c32e5b839ab52ba6a05da9c3b7edd0f0220596f0e195ae1e58c1e53e9e7f0f030b274348a8c11232101778d89c4943f5ad2":0:0:0
+
+ECDSA restartable read-verify: max_ops=1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecdsa_read_restart:MBEDTLS_ECP_DP_SECP256R1:"04e8f573412a810c5f81ecd2d251bb94387e72f28af70dced90ebe75725c97a6428231069c2b1ef78509a22c59044319f6ed3cb750dfe64c2a282b35967a458ad6":"dee9d4d8b0e40a034602d6e638197998060f6e9f353ae1d10c94cd56476d3c92":"304502210098a5a1392abe29e4b0a4da3fefe9af0f8c32e5b839ab52ba6a05da9c3b7edd0f0220596f0e195ae1e58c1e53e9e7f0f030b274348a8c11232101778d89c4943f5ad2":1:42:10000
+
+ECDSA restartable read-verify: max_ops=10000
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecdsa_read_restart:MBEDTLS_ECP_DP_SECP256R1:"04e8f573412a810c5f81ecd2d251bb94387e72f28af70dced90ebe75725c97a6428231069c2b1ef78509a22c59044319f6ed3cb750dfe64c2a282b35967a458ad6":"dee9d4d8b0e40a034602d6e638197998060f6e9f353ae1d10c94cd56476d3c92":"304502210098a5a1392abe29e4b0a4da3fefe9af0f8c32e5b839ab52ba6a05da9c3b7edd0f0220596f0e195ae1e58c1e53e9e7f0f030b274348a8c11232101778d89c4943f5ad2":10000:0:0
+
+ECDSA restartable read-verify: max_ops=250
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecdsa_read_restart:MBEDTLS_ECP_DP_SECP256R1:"04e8f573412a810c5f81ecd2d251bb94387e72f28af70dced90ebe75725c97a6428231069c2b1ef78509a22c59044319f6ed3cb750dfe64c2a282b35967a458ad6":"dee9d4d8b0e40a034602d6e638197998060f6e9f353ae1d10c94cd56476d3c92":"304502210098a5a1392abe29e4b0a4da3fefe9af0f8c32e5b839ab52ba6a05da9c3b7edd0f0220596f0e195ae1e58c1e53e9e7f0f030b274348a8c11232101778d89c4943f5ad2":250:4:64
+
+ECDSA restartable sign-write: secp256r1 max_ops=0 (disabled)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+ecdsa_write_restart:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA256:"test":"3045022100f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d383670220019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083":0:0:0
+
+ECDSA restartable sign-write: secp256r1 restart max_ops=1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+ecdsa_write_restart:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA256:"test":"3045022100f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d383670220019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083":1:1:10000
+
+ECDSA restartable sign-write: secp256r1 restart max_ops=10000
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+ecdsa_write_restart:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA256:"test":"3045022100f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d383670220019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083":10000:0:0
+
+ECDSA restartable sign-write: secp256r1 restart max_ops=250
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+ecdsa_write_restart:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":MBEDTLS_MD_SHA256:"test":"3045022100f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d383670220019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083":250:2:32
+
 ECDSA zero private parameter p192
 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
 ecdsa_prim_test_vectors:MBEDTLS_ECP_DP_SECP192R1:"0":"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945":"9E56F509196784D963D1C0A401510EE7ADA3DCC5DEE04B15":"BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9C":"98C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF":"57A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B64":MBEDTLS_ERR_ECP_INVALID_KEY
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdsa.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdsa.function
index 9b1315fbe3..22d92b6dfe 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdsa.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecdsa.function
@@ -7,6 +7,201 @@
  * END_DEPENDENCIES
  */
 
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void ecdsa_invalid_param( )
+{
+    mbedtls_ecdsa_context ctx;
+    mbedtls_ecp_keypair key;
+    mbedtls_ecp_group grp;
+    mbedtls_ecp_group_id valid_group = MBEDTLS_ECP_DP_SECP192R1;
+    mbedtls_ecp_point P;
+    mbedtls_md_type_t valid_md = MBEDTLS_MD_SHA256;
+    mbedtls_mpi m;
+    size_t slen;
+    unsigned char buf[42] = { 0 };
+
+    TEST_INVALID_PARAM( mbedtls_ecdsa_init( NULL ) );
+    TEST_VALID_PARAM( mbedtls_ecdsa_free( NULL ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    TEST_INVALID_PARAM( mbedtls_ecdsa_restart_init( NULL ) );
+    TEST_VALID_PARAM( mbedtls_ecdsa_restart_free( NULL ) );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdsa_sign( NULL, &m, &m, &m,
+                                                buf, sizeof( buf ),
+                                                rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecdsa_sign( &grp, NULL, &m, &m,
+                                                buf, sizeof( buf ),
+                                                rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_sign( &grp, &m, NULL, &m,
+                                                buf, sizeof( buf ),
+                                                rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_sign( &grp, &m, &m, NULL,
+                                                buf, sizeof( buf ),
+                                                rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_sign( &grp, &m, &m, &m,
+                                                NULL, sizeof( buf ),
+                                                rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_sign( &grp, &m, &m, &m,
+                                                buf, sizeof( buf ),
+                                                NULL, NULL ) );
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_sign_det( NULL, &m, &m, &m,
+                                                buf, sizeof( buf ),
+                                                valid_md ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_sign_det( &grp, NULL, &m, &m,
+                                                buf, sizeof( buf ),
+                                                valid_md ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_sign_det( &grp, &m, NULL, &m,
+                                                buf, sizeof( buf ),
+                                                valid_md ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_sign_det( &grp, &m, &m, NULL,
+                                                buf, sizeof( buf ),
+                                                valid_md ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_sign_det( &grp, &m, &m, &m,
+                                                NULL, sizeof( buf ),
+                                                valid_md ) );
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_verify( NULL,
+                                                  buf, sizeof( buf ),
+                                                  &P, &m, &m ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_verify( &grp,
+                                                  NULL, sizeof( buf ),
+                                                  &P, &m, &m ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_verify( &grp,
+                                                  buf, sizeof( buf ),
+                                                  NULL, &m, &m ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_verify( &grp,
+                                                  buf, sizeof( buf ),
+                                                  &P, NULL, &m ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_verify( &grp,
+                                                  buf, sizeof( buf ),
+                                                  &P, &m, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_write_signature( NULL,
+                                                           valid_md,
+                                                           buf, sizeof( buf ),
+                                                           buf, &slen,
+                                                           rnd_std_rand,
+                                                           NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_write_signature( &ctx,
+                                                           valid_md,
+                                                           NULL, sizeof( buf ),
+                                                           buf, &slen,
+                                                           rnd_std_rand,
+                                                           NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_write_signature( &ctx,
+                                                           valid_md,
+                                                           buf, sizeof( buf ),
+                                                           NULL, &slen,
+                                                           rnd_std_rand,
+                                                           NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_write_signature( &ctx,
+                                                           valid_md,
+                                                           buf, sizeof( buf ),
+                                                           buf, NULL,
+                                                           rnd_std_rand,
+                                                           NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_write_signature_restartable( NULL,
+                                                           valid_md,
+                                                           buf, sizeof( buf ),
+                                                           buf, &slen,
+                                                           rnd_std_rand,
+                                                           NULL, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_write_signature_restartable( &ctx,
+                                                           valid_md,
+                                                           NULL, sizeof( buf ),
+                                                           buf, &slen,
+                                                           rnd_std_rand,
+                                                           NULL, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_write_signature_restartable( &ctx,
+                                                           valid_md,
+                                                           buf, sizeof( buf ),
+                                                           NULL, &slen,
+                                                           rnd_std_rand,
+                                                           NULL, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_write_signature_restartable( &ctx,
+                                                           valid_md,
+                                                           buf, sizeof( buf ),
+                                                           buf, NULL,
+                                                           rnd_std_rand,
+                                                           NULL, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_read_signature( NULL,
+                                                        buf, sizeof( buf ),
+                                                        buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_read_signature( &ctx,
+                                                        NULL, sizeof( buf ),
+                                                        buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_read_signature( &ctx,
+                                                        buf, sizeof( buf ),
+                                                        NULL, sizeof( buf ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_read_signature_restartable( NULL,
+                                                        buf, sizeof( buf ),
+                                                        buf, sizeof( buf ),
+                                                        NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_read_signature_restartable( &ctx,
+                                                        NULL, sizeof( buf ),
+                                                        buf, sizeof( buf ),
+                                                        NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_read_signature_restartable( &ctx,
+                                                        buf, sizeof( buf ),
+                                                        NULL, sizeof( buf ),
+                                                        NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_genkey( NULL, valid_group,
+                                                  rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_genkey( &ctx, valid_group,
+                                                  NULL, NULL ) );
+
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_from_keypair( NULL, &key ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                       mbedtls_ecdsa_from_keypair( &ctx, NULL ) );
+
+exit:
+    return;
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
 void ecdsa_prim_random( int id )
 {
@@ -14,7 +209,7 @@ void ecdsa_prim_random( int id )
     mbedtls_ecp_point Q;
     mbedtls_mpi d, r, s;
     rnd_pseudo_info rnd_info;
-    unsigned char buf[66];
+    unsigned char buf[MBEDTLS_MD_MAX_SIZE];
 
     mbedtls_ecp_group_init( &grp );
     mbedtls_ecp_point_init( &Q );
@@ -40,46 +235,42 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void ecdsa_prim_test_vectors( int id, char *d_str, char *xQ_str, char *yQ_str,
-                              char *k_str, char *hash_str, char *r_str,
-                              char *s_str, int result )
+void ecdsa_prim_test_vectors( int id, char * d_str, char * xQ_str,
+                              char * yQ_str, data_t * rnd_buf,
+                              data_t * hash, char * r_str, char * s_str,
+                              int result )
 {
     mbedtls_ecp_group grp;
     mbedtls_ecp_point Q;
     mbedtls_mpi d, r, s, r_check, s_check;
-    unsigned char hash[66], rnd_buf[66];
-    size_t hlen;
     rnd_buf_info rnd_info;
 
     mbedtls_ecp_group_init( &grp );
     mbedtls_ecp_point_init( &Q );
     mbedtls_mpi_init( &d ); mbedtls_mpi_init( &r ); mbedtls_mpi_init( &s );
     mbedtls_mpi_init( &r_check ); mbedtls_mpi_init( &s_check );
-    memset( hash, 0, sizeof( hash ) );
-    memset( rnd_buf, 0, sizeof( rnd_buf ) );
 
     TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
     TEST_ASSERT( mbedtls_ecp_point_read_string( &Q, 16, xQ_str, yQ_str ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &d, 16, d_str ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &r_check, 16, r_str ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &s_check, 16, s_str ) == 0 );
-    hlen = unhexify(hash, hash_str);
-    rnd_info.buf = rnd_buf;
-    rnd_info.length = unhexify( rnd_buf, k_str );
+    rnd_info.buf = rnd_buf->x;
+    rnd_info.length = rnd_buf->len;
 
-    /* Fix rnd_buf by shifting it left if necessary */
+    /* Fix rnd_buf->x by shifting it left if necessary */
     if( grp.nbits % 8 != 0 )
     {
         unsigned char shift = 8 - ( grp.nbits % 8 );
         size_t i;
 
         for( i = 0; i < rnd_info.length - 1; i++ )
-            rnd_buf[i] = rnd_buf[i] << shift | rnd_buf[i+1] >> ( 8 - shift );
+            rnd_buf->x[i] = rnd_buf->x[i] << shift | rnd_buf->x[i+1] >> ( 8 - shift );
 
-        rnd_buf[rnd_info.length-1] <<= shift;
+        rnd_buf->x[rnd_info.length-1] <<= shift;
     }
 
-    TEST_ASSERT( mbedtls_ecdsa_sign( &grp, &r, &s, &d, hash, hlen,
+    TEST_ASSERT( mbedtls_ecdsa_sign( &grp, &r, &s, &d, hash->x, hash->len,
                  rnd_buffer_rand, &rnd_info ) == result );
 
     if ( result == 0)
@@ -87,7 +278,17 @@ void ecdsa_prim_test_vectors( int id, char *d_str, char *xQ_str, char *yQ_str,
         TEST_ASSERT( mbedtls_mpi_cmp_mpi( &r, &r_check ) == 0 );
         TEST_ASSERT( mbedtls_mpi_cmp_mpi( &s, &s_check ) == 0 );
 
-        TEST_ASSERT( mbedtls_ecdsa_verify( &grp, hash, hlen, &Q, &r_check, &s_check ) == 0 );
+        TEST_ASSERT( mbedtls_ecdsa_verify( &grp, hash->x, hash->len, &Q, &r_check, &s_check ) == 0 );
+
+        TEST_ASSERT( mbedtls_mpi_sub_int( &r, &r, 1 ) == 0 );
+        TEST_ASSERT( mbedtls_mpi_add_int( &s, &s, 1 ) == 0 );
+
+        TEST_ASSERT( mbedtls_ecdsa_verify( &grp, hash->x, hash->len,
+                     &Q, &r, &s_check ) == MBEDTLS_ERR_ECP_VERIFY_FAILED );
+        TEST_ASSERT( mbedtls_ecdsa_verify( &grp, hash->x, hash->len,
+                     &Q, &r_check, &s ) == MBEDTLS_ERR_ECP_VERIFY_FAILED );
+        TEST_ASSERT( mbedtls_ecdsa_verify( &grp, hash->x, hash->len,
+                     &grp.G, &r_check, &s_check ) == MBEDTLS_ERR_ECP_VERIFY_FAILED );
     }
 
 exit:
@@ -99,8 +300,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_ECDSA_DETERMINISTIC */
-void ecdsa_det_test_vectors( int id, char *d_str, int md_alg,
-                             char *msg, char *r_str, char *s_str )
+void ecdsa_det_test_vectors( int id, char * d_str, int md_alg, char * msg,
+                             char * r_str, char * s_str )
 {
     mbedtls_ecp_group grp;
     mbedtls_mpi d, r, s, r_check, s_check;
@@ -182,17 +383,144 @@ void ecdsa_write_read_random( int id )
     /* try modifying r */
     sig[10]++;
     TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
-                 sig, sig_len ) != 0 );
+                 sig, sig_len ) == MBEDTLS_ERR_ECP_VERIFY_FAILED );
     sig[10]--;
 
     /* try modifying s */
     sig[sig_len - 1]++;
     TEST_ASSERT( mbedtls_ecdsa_read_signature( &ctx, hash, sizeof( hash ),
-                 sig, sig_len ) != 0 );
+                 sig, sig_len ) == MBEDTLS_ERR_ECP_VERIFY_FAILED );
+    sig[sig_len - 1]--;
+
+exit:
+    mbedtls_ecdsa_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void ecdsa_read_restart( int id, char *k_str, char *h_str, char *s_str,
+                         int max_ops, int min_restart, int max_restart )
+{
+    mbedtls_ecdsa_context ctx;
+    mbedtls_ecdsa_restart_ctx rs_ctx;
+    unsigned char hash[64];
+    unsigned char sig[200];
+    unsigned char pk[65];
+    size_t sig_len, hash_len, pk_len;
+    int ret, cnt_restart;
+
+    mbedtls_ecdsa_init( &ctx );
+    mbedtls_ecdsa_restart_init( &rs_ctx );
+
+    hash_len = unhexify(hash, h_str);
+    sig_len = unhexify(sig, s_str);
+    pk_len = unhexify(pk, k_str);
+
+    TEST_ASSERT( mbedtls_ecp_group_load( &ctx.grp, id ) == 0 );
+    TEST_ASSERT( mbedtls_ecp_point_read_binary( &ctx.grp, &ctx.Q, pk, pk_len ) == 0 );
+
+    mbedtls_ecp_set_max_ops( max_ops );
+
+    cnt_restart = 0;
+    do {
+        ret = mbedtls_ecdsa_read_signature_restartable( &ctx,
+                            hash, hash_len, sig, sig_len, &rs_ctx );
+    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
+
+    TEST_ASSERT( ret == 0 );
+    TEST_ASSERT( cnt_restart >= min_restart );
+    TEST_ASSERT( cnt_restart <= max_restart );
+
+    /* try modifying r */
+    sig[10]++;
+    do {
+        ret = mbedtls_ecdsa_read_signature_restartable( &ctx,
+                            hash, hash_len, sig, sig_len, &rs_ctx );
+    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
+    TEST_ASSERT( ret == MBEDTLS_ERR_ECP_VERIFY_FAILED );
+    sig[10]--;
+
+    /* try modifying s */
+    sig[sig_len - 1]++;
+    do {
+        ret = mbedtls_ecdsa_read_signature_restartable( &ctx,
+                            hash, hash_len, sig, sig_len, &rs_ctx );
+    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
+    TEST_ASSERT( ret == MBEDTLS_ERR_ECP_VERIFY_FAILED );
     sig[sig_len - 1]--;
 
+    /* Do we leak memory when aborting an operation?
+     * This test only makes sense when we actually restart */
+    if( min_restart > 0 )
+    {
+        ret = mbedtls_ecdsa_read_signature_restartable( &ctx,
+                            hash, hash_len, sig, sig_len, &rs_ctx );
+        TEST_ASSERT( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
+    }
+
 exit:
     mbedtls_ecdsa_free( &ctx );
+    mbedtls_ecdsa_restart_free( &rs_ctx );
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_DETERMINISTIC */
+void ecdsa_write_restart( int id, char *d_str, int md_alg,
+                          char *msg, char *sig_str,
+                          int max_ops, int min_restart, int max_restart )
+{
+    int ret, cnt_restart;
+    mbedtls_ecdsa_restart_ctx rs_ctx;
+    mbedtls_ecdsa_context ctx;
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+    unsigned char sig[MBEDTLS_ECDSA_MAX_LEN];
+    unsigned char sig_check[MBEDTLS_ECDSA_MAX_LEN];
+    size_t hlen, slen, slen_check;
+    const mbedtls_md_info_t *md_info;
+
+    mbedtls_ecdsa_restart_init( &rs_ctx );
+    mbedtls_ecdsa_init( &ctx );
+    memset( hash, 0, sizeof( hash ) );
+    memset( sig, 0, sizeof( sig ) );
+    memset( sig_check, 0, sizeof( sig_check ) );
+
+    TEST_ASSERT( mbedtls_ecp_group_load( &ctx.grp, id ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &ctx.d, 16, d_str ) == 0 );
+    slen_check = unhexify( sig_check, sig_str );
+
+    md_info = mbedtls_md_info_from_type( md_alg );
+    TEST_ASSERT( md_info != NULL );
+
+    hlen = mbedtls_md_get_size( md_info );
+    mbedtls_md( md_info, (const unsigned char *) msg, strlen( msg ), hash );
+
+    mbedtls_ecp_set_max_ops( max_ops );
+
+    slen = sizeof( sig );
+    cnt_restart = 0;
+    do {
+        ret = mbedtls_ecdsa_write_signature_restartable( &ctx,
+                md_alg, hash, hlen, sig, &slen, NULL, NULL, &rs_ctx );
+    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
+
+    TEST_ASSERT( ret == 0 );
+    TEST_ASSERT( slen == slen_check );
+    TEST_ASSERT( memcmp( sig, sig_check, slen ) == 0 );
+
+    TEST_ASSERT( cnt_restart >= min_restart );
+    TEST_ASSERT( cnt_restart <= max_restart );
+
+    /* Do we leak memory when aborting an operation?
+     * This test only makes sense when we actually restart */
+    if( min_restart > 0 )
+    {
+        ret = mbedtls_ecdsa_write_signature_restartable( &ctx,
+                md_alg, hash, hlen, sig, &slen, NULL, NULL, &rs_ctx );
+        TEST_ASSERT( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
+    }
+
+exit:
+    mbedtls_ecdsa_restart_free( &rs_ctx );
+    mbedtls_ecdsa_free( &ctx );
+}
+/* END_CASE */
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecjpake.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecjpake.data
index 1a772a9658..84c99c9854 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecjpake.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecjpake.data
@@ -1,3 +1,6 @@
+ECJPAKE parameter validation
+ecjpake_invalid_param:
+
 ECJPAKE selftest
 ecjpake_selftest:
 
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecjpake.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecjpake.function
index 5c8856b16d..d26729522e 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecjpake.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecjpake.function
@@ -98,56 +98,172 @@ cleanup:
  * END_DEPENDENCIES
  */
 
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void ecjpake_invalid_param( )
+{
+    mbedtls_ecjpake_context ctx;
+    unsigned char buf[42] = { 0 };
+    size_t olen;
+    size_t const len = sizeof( buf );
+    mbedtls_ecjpake_role valid_role = MBEDTLS_ECJPAKE_SERVER;
+    mbedtls_ecjpake_role invalid_role = (mbedtls_ecjpake_role) 42;
+    mbedtls_md_type_t valid_md = MBEDTLS_MD_SHA256;
+    mbedtls_ecp_group_id valid_group = MBEDTLS_ECP_DP_SECP256R1;
+
+    TEST_INVALID_PARAM( mbedtls_ecjpake_init( NULL ) );
+    TEST_VALID_PARAM( mbedtls_ecjpake_free( NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_setup( NULL,
+                                                   valid_role,
+                                                   valid_md,
+                                                   valid_group,
+                                                   buf, len ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_setup( &ctx,
+                                                   invalid_role,
+                                                   valid_md,
+                                                   valid_group,
+                                                   buf, len ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_setup( &ctx,
+                                                   valid_role,
+                                                   valid_md,
+                                                   valid_group,
+                                                   NULL, len ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_check( NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_write_round_one( NULL,
+                                                             buf, len,
+                                                             &olen,
+                                                             rnd_std_rand,
+                                                             NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_write_round_one( &ctx,
+                                                             NULL, len,
+                                                             &olen,
+                                                             rnd_std_rand,
+                                                             NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_write_round_one( &ctx,
+                                                             buf, len,
+                                                             NULL,
+                                                             rnd_std_rand,
+                                                             NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_write_round_one( &ctx,
+                                                             buf, len,
+                                                             &olen,
+                                                             NULL,
+                                                             NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_write_round_two( NULL,
+                                                             buf, len,
+                                                             &olen,
+                                                             rnd_std_rand,
+                                                             NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_write_round_two( &ctx,
+                                                             NULL, len,
+                                                             &olen,
+                                                             rnd_std_rand,
+                                                             NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_write_round_two( &ctx,
+                                                             buf, len,
+                                                             NULL,
+                                                             rnd_std_rand,
+                                                             NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_write_round_two( &ctx,
+                                                             buf, len,
+                                                             &olen,
+                                                             NULL,
+                                                             NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_read_round_one( NULL,
+                                                            buf, len ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_read_round_one( &ctx,
+                                                            NULL, len ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_read_round_two( NULL,
+                                                            buf, len ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_read_round_two( &ctx,
+                                                            NULL, len ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_derive_secret( NULL,
+                                                           buf, len,
+                                                           &olen,
+                                                           rnd_std_rand,
+                                                           NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_derive_secret( &ctx,
+                                                           NULL, len,
+                                                           &olen,
+                                                           rnd_std_rand,
+                                                           NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_derive_secret( &ctx,
+                                                           buf, len,
+                                                           NULL,
+                                                           rnd_std_rand,
+                                                           NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecjpake_derive_secret( &ctx,
+                                                           buf, len,
+                                                           &olen,
+                                                           NULL,
+                                                           NULL ) );
+
+exit:
+    return;
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void ecjpake_selftest()
+void ecjpake_selftest(  )
 {
     TEST_ASSERT( mbedtls_ecjpake_self_test( 1 ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C */
-void read_round_one( int role, char *data, int ref_ret )
+void read_round_one( int role, data_t * msg, int ref_ret )
 {
     mbedtls_ecjpake_context ctx;
-
     const unsigned char * pw = NULL;
     const size_t pw_len = 0;
 
-    unsigned char *msg;
-    size_t len;
-
     mbedtls_ecjpake_init( &ctx );
 
-    msg = unhexify_alloc( data, &len );
-    TEST_ASSERT( msg != NULL );
-
     TEST_ASSERT( mbedtls_ecjpake_setup( &ctx, role,
                  MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) == 0 );
 
-    TEST_ASSERT( mbedtls_ecjpake_read_round_one( &ctx, msg, len ) == ref_ret );
+    TEST_ASSERT( mbedtls_ecjpake_read_round_one( &ctx, msg->x, msg->len ) == ref_ret );
 
 exit:
     mbedtls_ecjpake_free( &ctx );
-    mbedtls_free( msg );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C */
-void read_round_two_cli( char *data, int ref_ret )
+void read_round_two_cli( data_t * msg, int ref_ret )
 {
     mbedtls_ecjpake_context ctx;
-
     const unsigned char * pw = NULL;
     const size_t pw_len = 0;
 
-    unsigned char *msg;
-    size_t len;
-
     mbedtls_ecjpake_init( &ctx );
 
-    msg = unhexify_alloc( data, &len );
-    TEST_ASSERT( msg != NULL );
-
     TEST_ASSERT( mbedtls_ecjpake_setup( &ctx, MBEDTLS_ECJPAKE_CLIENT,
                  MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) == 0 );
 
@@ -157,30 +273,22 @@ void read_round_two_cli( char *data, int ref_ret )
                  ADD_SIZE( ecjpake_test_X3 ), ADD_SIZE( ecjpake_test_X4 ) )
             == 0 );
 
-    TEST_ASSERT( mbedtls_ecjpake_read_round_two( &ctx, msg, len ) == ref_ret );
+    TEST_ASSERT( mbedtls_ecjpake_read_round_two( &ctx, msg->x, msg->len ) == ref_ret );
 
 exit:
     mbedtls_ecjpake_free( &ctx );
-    mbedtls_free( msg );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C */
-void read_round_two_srv( char *data, int ref_ret )
+void read_round_two_srv( data_t * msg, int ref_ret )
 {
     mbedtls_ecjpake_context ctx;
-
     const unsigned char * pw = NULL;
     const size_t pw_len = 0;
 
-    unsigned char *msg;
-    size_t len;
-
     mbedtls_ecjpake_init( &ctx );
 
-    msg = unhexify_alloc( data, &len );
-    TEST_ASSERT( msg != NULL );
-
     TEST_ASSERT( mbedtls_ecjpake_setup( &ctx, MBEDTLS_ECJPAKE_SERVER,
                  MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) == 0 );
 
@@ -190,10 +298,9 @@ void read_round_two_srv( char *data, int ref_ret )
                  ADD_SIZE( ecjpake_test_X1 ), ADD_SIZE( ecjpake_test_X2 ) )
             == 0 );
 
-    TEST_ASSERT( mbedtls_ecjpake_read_round_two( &ctx, msg, len ) == ref_ret );
+    TEST_ASSERT( mbedtls_ecjpake_read_round_two( &ctx, msg->x, msg->len ) == ref_ret );
 
 exit:
     mbedtls_ecjpake_free( &ctx );
-    mbedtls_free( msg );
 }
 /* END_CASE */
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecp.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecp.data
index a43e7d75dd..30d5ec6f1e 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecp.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecp.data
@@ -1,3 +1,9 @@
+ECP valid params
+ecp_valid_param:
+
+ECP invalid params
+ecp_invalid_param:
+
 ECP curve info #1
 depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
 mbedtls_ecp_curve_info:MBEDTLS_ECP_DP_BP512R1:28:512:"brainpoolP512r1"
@@ -46,10 +52,6 @@ ECP check pubkey Koblitz #2 (coordinate not affine)
 depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
 ecp_check_pub:MBEDTLS_ECP_DP_SECP224K1:"E2000000000000BB3A13D43B323337383935321F0603551D":"100101FF040830060101FF02010A30220603551D0E041B04636FC0C0":"101":MBEDTLS_ERR_ECP_INVALID_KEY
 
-ECP write binary #0 (zero, bad format)
-depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
-ecp_write_binary:MBEDTLS_ECP_DP_SECP192R1:"01":"01":"00":ECP_PF_UNKNOWN:"00":1:MBEDTLS_ERR_ECP_BAD_INPUT_DATA
-
 ECP write binary #1 (zero, uncompressed, buffer just fits)
 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
 ecp_write_binary:MBEDTLS_ECP_DP_SECP192R1:"01":"01":"00":MBEDTLS_ECP_PF_UNCOMPRESSED:"00":1:0
@@ -135,21 +137,21 @@ depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
 ecp_tls_write_read_point:MBEDTLS_ECP_DP_SECP521R1
 
 ECP tls read group #1 (record too short)
-mbedtls_ecp_tls_read_group:"0313":MBEDTLS_ERR_ECP_BAD_INPUT_DATA:0
+mbedtls_ecp_tls_read_group:"0313":MBEDTLS_ERR_ECP_BAD_INPUT_DATA:0:0
 
 ECP tls read group #2 (bad curve_type)
-mbedtls_ecp_tls_read_group:"010013":MBEDTLS_ERR_ECP_BAD_INPUT_DATA:0
+mbedtls_ecp_tls_read_group:"010013":MBEDTLS_ERR_ECP_BAD_INPUT_DATA:0:0
 
 ECP tls read group #3 (unknown curve)
-mbedtls_ecp_tls_read_group:"030010":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:0
+mbedtls_ecp_tls_read_group:"030010":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE:0:0
 
 ECP tls read group #4 (OK, buffer just fits)
 depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_ecp_tls_read_group:"030017":0:256
+mbedtls_ecp_tls_read_group:"030017":0:256:3
 
 ECP tls read group #5 (OK, buffer continues)
 depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-mbedtls_ecp_tls_read_group:"0300180000":0:384
+mbedtls_ecp_tls_read_group:"0300180000":0:384:3
 
 ECP tls write-read group #1
 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
@@ -330,6 +332,10 @@ ECP test vectors Curve25519
 depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
 ecp_test_vec_x:MBEDTLS_ECP_DP_CURVE25519:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"057E23EA9F1CBE8A27168F6E696A791DE61DD3AF7ACD4EEACC6E7BA514FDA863":"47DC3D214174820E1154B49BC6CDB2ABD45EE95817055D255AA35831B70D3260":"6EB89DA91989AE37C7EAC7618D9E5C4951DBA1D73C285AE1CD26A855020EEF04":"61450CD98E36016B58776A897A9F0AEF738B99F09468B8D6B8511184D53494AB"
 
+ECP test vectors Curve448 (RFC 7748 6.2, after decodeUCoordinate)
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_test_vec_x:MBEDTLS_ECP_DP_CURVE448:"eb7298a5c0d8c29a1dab27f1a6826300917389449741a974f5bac9d98dc298d46555bce8bae89eeed400584bb046cf75579f51d125498f98":"a01fc432e5807f17530d1288da125b0cd453d941726436c8bbd9c5222c3da7fa639ce03db8d23b274a0721a1aed5227de6e3b731ccf7089b":"ad997351b6106f36b0d1091b929c4c37213e0d2b97e85ebb20c127691d0dad8f1d8175b0723745e639a3cb7044290b99e0e2a0c27a6a301c":"0936f37bc6c1bd07ae3dec7ab5dc06a73ca13242fb343efc72b9d82730b445f3d4b0bd077162a46dcfec6f9b590bfcbcf520cdb029a8b73e":"9d874a5137509a449ad5853040241c5236395435c36424fd560b0cb62b281d285275a740ce32a22dd1740f4aa9161cec95ccc61a18f4ff07"
+
 ECP test vectors secp192k1
 depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED
 ecp_test_vect:MBEDTLS_ECP_DP_SECP192K1:"D1E13A359F6E0F0698791938E6D60246030AE4B0D8D4E9DE":"281BCA982F187ED30AD5E088461EBE0A5FADBB682546DF79":"3F68A8E9441FB93A4DD48CB70B504FCC9AA01902EF5BE0F3":"BE97C5D2A1A94D081E3FACE53E65A27108B7467BDF58DE43":"5EB35E922CD693F7947124F5920022C4891C04F6A8B8DCB2":"60ECF73D0FC43E0C42E8E155FFE39F9F0B531F87B34B6C3C":"372F5C5D0E18313C82AEF940EC3AFEE26087A46F1EBAE923":"D5A9F9182EC09CEAEA5F57EA10225EC77FA44174511985FD"
@@ -344,3 +350,35 @@ ecp_test_vect:MBEDTLS_ECP_DP_SECP256K1:"923C6D4756CD940CD1E13A359F6E0F0698791938
 
 ECP selftest
 ecp_selftest:
+
+ECP restartable mul secp256r1 max_ops=0 (disabled)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_test_vect_restart:MBEDTLS_ECP_DP_SECP256R1:"814264145F2F56F2E96A8E337A1284993FAF432A5ABCE59E867B7291D507A3AF":"2AF502F3BE8952F2C9B5A8D4160D09E97165BE50BC42AE4A5E8D3B4BA83AEB15":"EB0FAF4CA986C4D38681A0F9872D79D56795BD4BFF6E6DE3C0F5015ECE5EFD85":"2CE1788EC197E096DB95A200CC0AB26A19CE6BCCAD562B8EEE1B593761CF7F41":"DD0F5396219D1EA393310412D19A08F1F5811E9DC8EC8EEA7F80D21C820C2788":"0357DCCD4C804D0D8D33AA42B848834AA5605F9AB0D37239A115BBB647936F50":0:0:0
+
+ECP restartable mul secp256r1 max_ops=1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_test_vect_restart:MBEDTLS_ECP_DP_SECP256R1:"814264145F2F56F2E96A8E337A1284993FAF432A5ABCE59E867B7291D507A3AF":"2AF502F3BE8952F2C9B5A8D4160D09E97165BE50BC42AE4A5E8D3B4BA83AEB15":"EB0FAF4CA986C4D38681A0F9872D79D56795BD4BFF6E6DE3C0F5015ECE5EFD85":"2CE1788EC197E096DB95A200CC0AB26A19CE6BCCAD562B8EEE1B593761CF7F41":"DD0F5396219D1EA393310412D19A08F1F5811E9DC8EC8EEA7F80D21C820C2788":"0357DCCD4C804D0D8D33AA42B848834AA5605F9AB0D37239A115BBB647936F50":1:1:5000
+
+ECP restartable mul secp256r1 max_ops=10000
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_test_vect_restart:MBEDTLS_ECP_DP_SECP256R1:"814264145F2F56F2E96A8E337A1284993FAF432A5ABCE59E867B7291D507A3AF":"2AF502F3BE8952F2C9B5A8D4160D09E97165BE50BC42AE4A5E8D3B4BA83AEB15":"EB0FAF4CA986C4D38681A0F9872D79D56795BD4BFF6E6DE3C0F5015ECE5EFD85":"2CE1788EC197E096DB95A200CC0AB26A19CE6BCCAD562B8EEE1B593761CF7F41":"DD0F5396219D1EA393310412D19A08F1F5811E9DC8EC8EEA7F80D21C820C2788":"0357DCCD4C804D0D8D33AA42B848834AA5605F9AB0D37239A115BBB647936F50":10000:0:0
+
+ECP restartable mul secp256r1 max_ops=250
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_test_vect_restart:MBEDTLS_ECP_DP_SECP256R1:"814264145F2F56F2E96A8E337A1284993FAF432A5ABCE59E867B7291D507A3AF":"2AF502F3BE8952F2C9B5A8D4160D09E97165BE50BC42AE4A5E8D3B4BA83AEB15":"EB0FAF4CA986C4D38681A0F9872D79D56795BD4BFF6E6DE3C0F5015ECE5EFD85":"2CE1788EC197E096DB95A200CC0AB26A19CE6BCCAD562B8EEE1B593761CF7F41":"DD0F5396219D1EA393310412D19A08F1F5811E9DC8EC8EEA7F80D21C820C2788":"0357DCCD4C804D0D8D33AA42B848834AA5605F9AB0D37239A115BBB647936F50":250:2:32
+
+ECP restartable muladd secp256r1 max_ops=0 (disabled)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_muladd_restart:MBEDTLS_ECP_DP_SECP256R1:"CB28E0999B9C7715FD0A80D8E47A77079716CBBF917DD72E97566EA1C066957C":"2B57C0235FB7489768D058FF4911C20FDBE71E3699D91339AFBB903EE17255DC":"C3875E57C85038A0D60370A87505200DC8317C8C534948BEA6559C7C18E6D4CE":"3B4E49C4FDBFC006FF993C81A50EAE221149076D6EC09DDD9FB3B787F85B6483":"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085E0822CB04235E970":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945CDDFE7D509BBFD7D":0:0:0
+
+ECP restartable muladd secp256r1 max_ops=1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_muladd_restart:MBEDTLS_ECP_DP_SECP256R1:"CB28E0999B9C7715FD0A80D8E47A77079716CBBF917DD72E97566EA1C066957C":"2B57C0235FB7489768D058FF4911C20FDBE71E3699D91339AFBB903EE17255DC":"C3875E57C85038A0D60370A87505200DC8317C8C534948BEA6559C7C18E6D4CE":"3B4E49C4FDBFC006FF993C81A50EAE221149076D6EC09DDD9FB3B787F85B6483":"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085E0822CB04235E970":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945CDDFE7D509BBFD7D":1:1:10000
+
+ECP restartable muladd secp256r1 max_ops=10000
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_muladd_restart:MBEDTLS_ECP_DP_SECP256R1:"CB28E0999B9C7715FD0A80D8E47A77079716CBBF917DD72E97566EA1C066957C":"2B57C0235FB7489768D058FF4911C20FDBE71E3699D91339AFBB903EE17255DC":"C3875E57C85038A0D60370A87505200DC8317C8C534948BEA6559C7C18E6D4CE":"3B4E49C4FDBFC006FF993C81A50EAE221149076D6EC09DDD9FB3B787F85B6483":"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085E0822CB04235E970":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945CDDFE7D509BBFD7D":10000:0:0
+
+ECP restartable muladd secp256r1 max_ops=250
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_muladd_restart:MBEDTLS_ECP_DP_SECP256R1:"CB28E0999B9C7715FD0A80D8E47A77079716CBBF917DD72E97566EA1C066957C":"2B57C0235FB7489768D058FF4911C20FDBE71E3699D91339AFBB903EE17255DC":"C3875E57C85038A0D60370A87505200DC8317C8C534948BEA6559C7C18E6D4CE":"3B4E49C4FDBFC006FF993C81A50EAE221149076D6EC09DDD9FB3B787F85B6483":"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085E0822CB04235E970":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945CDDFE7D509BBFD7D":250:4:64
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecp.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecp.function
index 99780c0dec..0b2e029915 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecp.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ecp.function
@@ -2,6 +2,10 @@
 #include "mbedtls/ecp.h"
 
 #define ECP_PF_UNKNOWN     -1
+
+#define ECP_PT_RESET( x )           \
+    mbedtls_ecp_point_free( x );    \
+    mbedtls_ecp_point_init( x );
 /* END_HEADER */
 
 /* BEGIN_DEPENDENCIES
@@ -10,7 +14,352 @@
  */
 
 /* BEGIN_CASE */
-void mbedtls_ecp_curve_info( int id, int tls_id, int size, char *name )
+void ecp_valid_param( )
+{
+    TEST_VALID_PARAM( mbedtls_ecp_group_free( NULL ) );
+    TEST_VALID_PARAM( mbedtls_ecp_keypair_free( NULL ) );
+    TEST_VALID_PARAM( mbedtls_ecp_point_free( NULL ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    TEST_VALID_PARAM( mbedtls_ecp_restart_free( NULL ) );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+exit:
+    return;
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void ecp_invalid_param( )
+{
+    mbedtls_ecp_group grp;
+    mbedtls_ecp_keypair kp;
+    mbedtls_ecp_point P;
+    mbedtls_mpi m;
+    const char *x = "deadbeef";
+    int valid_fmt   = MBEDTLS_ECP_PF_UNCOMPRESSED;
+    int invalid_fmt = 42;
+    size_t olen;
+    unsigned char buf[42] = { 0 };
+    const unsigned char *null_buf = NULL;
+    mbedtls_ecp_group_id valid_group = MBEDTLS_ECP_DP_SECP192R1;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx restart_ctx;
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    TEST_INVALID_PARAM( mbedtls_ecp_point_init( NULL ) );
+    TEST_INVALID_PARAM( mbedtls_ecp_keypair_init( NULL ) );
+    TEST_INVALID_PARAM( mbedtls_ecp_group_init( NULL ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    TEST_INVALID_PARAM( mbedtls_ecp_restart_init( NULL ) );
+    TEST_INVALID_PARAM( mbedtls_ecp_check_budget( NULL, &restart_ctx, 42 ) );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_copy( NULL, &P ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_copy( &P, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_group_copy( NULL, &grp ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_group_copy( &grp, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_gen_privkey( NULL,
+                                                     &m,
+                                                     rnd_std_rand,
+                                                     NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_gen_privkey( &grp,
+                                                     NULL,
+                                                     rnd_std_rand,
+                                                     NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_gen_privkey( &grp,
+                                                     &m,
+                                                     NULL,
+                                                     NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_set_zero( NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_is_zero( NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_point_cmp( NULL, &P ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_point_cmp( &P, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_point_read_string( NULL, 2,
+                                                           x, x ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_point_read_string( &P, 2,
+                                                           NULL, x ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_point_read_string( &P, 2,
+                                                           x, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_point_write_binary( NULL, &P,
+                                                      valid_fmt,
+                                                      &olen,
+                                                      buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_point_write_binary( &grp, NULL,
+                                                      valid_fmt,
+                                                      &olen,
+                                                      buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_point_write_binary( &grp, &P,
+                                                      invalid_fmt,
+                                                      &olen,
+                                                      buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_point_write_binary( &grp, &P,
+                                                      valid_fmt,
+                                                      NULL,
+                                                      buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_point_write_binary( &grp, &P,
+                                                      valid_fmt,
+                                                      &olen,
+                                                      NULL, sizeof( buf ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_point_read_binary( NULL, &P, buf,
+                                                     sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_point_read_binary( &grp, NULL, buf,
+                                                     sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_point_read_binary( &grp, &P, NULL,
+                                                     sizeof( buf ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_read_point( NULL, &P,
+                                                 (const unsigned char **) &buf,
+                                                 sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_read_point( &grp, NULL,
+                                                 (const unsigned char **) &buf,
+                                                 sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_read_point( &grp, &P, &null_buf,
+                                                        sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_read_point( &grp, &P, NULL,
+                                                    sizeof( buf ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_write_point( NULL, &P,
+                                                     valid_fmt,
+                                                     &olen,
+                                                     buf,
+                                                     sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_write_point( &grp, NULL,
+                                                     valid_fmt,
+                                                     &olen,
+                                                     buf,
+                                                     sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_write_point( &grp, &P,
+                                                     invalid_fmt,
+                                                     &olen,
+                                                     buf,
+                                                     sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_write_point( &grp, &P,
+                                                     valid_fmt,
+                                                     NULL,
+                                                     buf,
+                                                     sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_write_point( &grp, &P,
+                                                     valid_fmt,
+                                                     &olen,
+                                                     NULL,
+                                                     sizeof( buf ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_group_load( NULL, valid_group ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_read_group( NULL,
+                                                 (const unsigned char **) &buf,
+                                                 sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_read_group( &grp, NULL,
+                                                        sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_read_group( &grp, &null_buf,
+                                                        sizeof( buf ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_read_group_id( NULL,
+                                                 (const unsigned char **) &buf,
+                                                 sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_read_group_id( &valid_group, NULL,
+                                                        sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_read_group_id( &valid_group,
+                                                           &null_buf,
+                                                           sizeof( buf ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_write_group( NULL, &olen,
+                                                       buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_write_group( &grp, NULL,
+                                                       buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_tls_write_group( &grp, &olen,
+                                                       NULL, sizeof( buf ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_mul( NULL, &P, &m, &P,
+                                             rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_mul( &grp, NULL, &m, &P,
+                                             rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_mul( &grp, &P, NULL, &P,
+                                             rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_mul( &grp, &P, &m, NULL,
+                                             rnd_std_rand, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_mul_restartable( NULL, &P, &m, &P,
+                                                 rnd_std_rand, NULL , NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_mul_restartable( &grp, NULL, &m, &P,
+                                                 rnd_std_rand, NULL , NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_mul_restartable( &grp, &P, NULL, &P,
+                                                 rnd_std_rand, NULL , NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_mul_restartable( &grp, &P, &m, NULL,
+                                                 rnd_std_rand, NULL , NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_muladd( NULL, &P, &m, &P,
+                                                &m, &P ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_muladd( &grp, NULL, &m, &P,
+                                                &m, &P ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_muladd( &grp, &P, NULL, &P,
+                                                &m, &P ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_muladd( &grp, &P, &m, NULL,
+                                                &m, &P ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_muladd( &grp, &P, &m, &P,
+                                                NULL, &P ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_muladd( &grp, &P, &m, &P,
+                                                &m, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_muladd_restartable( NULL, &P, &m, &P,
+                                                            &m, &P, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_muladd_restartable( &grp, NULL, &m, &P,
+                                                            &m, &P, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_muladd_restartable( &grp, &P, NULL, &P,
+                                                            &m, &P, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_muladd_restartable( &grp, &P, &m, NULL,
+                                                            &m, &P, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_muladd_restartable( &grp, &P, &m, &P,
+                                                            NULL, &P, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_muladd_restartable( &grp, &P, &m, &P,
+                                                            &m, NULL, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_check_pubkey( NULL, &P ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_check_pubkey( &grp, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_check_pub_priv( NULL, &kp ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_check_pub_priv( &kp, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_check_privkey( NULL, &m ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_check_privkey( &grp, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_gen_keypair_base( NULL, &P,
+                                                          &m, &P,
+                                                          rnd_std_rand,
+                                                          NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_gen_keypair_base( &grp, NULL,
+                                                          &m, &P,
+                                                          rnd_std_rand,
+                                                          NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_gen_keypair_base( &grp, &P,
+                                                          NULL, &P,
+                                                          rnd_std_rand,
+                                                          NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_gen_keypair_base( &grp, &P,
+                                                          &m, NULL,
+                                                          rnd_std_rand,
+                                                          NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_gen_keypair_base( &grp, &P,
+                                                          &m, &P,
+                                                          NULL,
+                                                          NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_gen_keypair( NULL,
+                                                     &m, &P,
+                                                     rnd_std_rand,
+                                                     NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_gen_keypair( &grp,
+                                                     NULL, &P,
+                                                     rnd_std_rand,
+                                                     NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_gen_keypair( &grp,
+                                                     &m, NULL,
+                                                     rnd_std_rand,
+                                                     NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_gen_keypair( &grp,
+                                                     &m, &P,
+                                                     NULL,
+                                                     NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_gen_key( valid_group, NULL,
+                                                 rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+                            mbedtls_ecp_gen_key( valid_group, &kp,
+                                                 NULL, NULL ) );
+
+exit:
+    return;
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mbedtls_ecp_curve_info( int id, int tls_id, int size, char * name )
 {
     const mbedtls_ecp_curve_info *by_id, *by_tls, *by_name;
 
@@ -29,7 +378,8 @@ void mbedtls_ecp_curve_info( int id, int tls_id, int size, char *name )
 /* END_CASE */
 
 /* BEGIN_CASE */
-void ecp_check_pub( int grp_id, char *x_hex, char *y_hex, char *z_hex, int ret )
+void ecp_check_pub( int grp_id, char * x_hex, char * y_hex, char * z_hex,
+                    int ret )
 {
     mbedtls_ecp_group grp;
     mbedtls_ecp_point P;
@@ -51,10 +401,177 @@ exit:
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void ecp_test_vect_restart( int id,
+                            char *dA_str, char *xA_str, char *yA_str,
+                            char *dB_str,  char *xZ_str, char *yZ_str,
+                            int max_ops, int min_restarts, int max_restarts )
+{
+    /*
+     * Test for early restart. Based on test vectors like ecp_test_vect(),
+     * but for the sake of simplicity only does half of each side. It's
+     * important to test both base point and random point, though, as memory
+     * management is different in each case.
+     *
+     * Don't try using too precise bounds for restarts as the exact number
+     * will depend on settings such as MBEDTLS_ECP_FIXED_POINT_OPTIM and
+     * MBEDTLS_ECP_WINDOW_SIZE, as well as implementation details that may
+     * change in the future. A factor 2 is a minimum safety margin.
+     *
+     * For reference, with mbed TLS 2.4 and default settings, for P-256:
+     * - Random point mult:     ~3250M
+     * - Cold base point mult:  ~3300M
+     * - Hot base point mult:   ~1100M
+     * With MBEDTLS_ECP_WINDOW_SIZE set to 2 (minimum):
+     * - Random point mult:     ~3850M
+     */
+    mbedtls_ecp_restart_ctx ctx;
+    mbedtls_ecp_group grp;
+    mbedtls_ecp_point R, P;
+    mbedtls_mpi dA, xA, yA, dB, xZ, yZ;
+    int cnt_restarts;
+    int ret;
+
+    mbedtls_ecp_restart_init( &ctx );
+    mbedtls_ecp_group_init( &grp );
+    mbedtls_ecp_point_init( &R ); mbedtls_ecp_point_init( &P );
+    mbedtls_mpi_init( &dA ); mbedtls_mpi_init( &xA ); mbedtls_mpi_init( &yA );
+    mbedtls_mpi_init( &dB ); mbedtls_mpi_init( &xZ ); mbedtls_mpi_init( &yZ );
+
+    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
+
+    TEST_ASSERT( mbedtls_mpi_read_string( &dA, 16, dA_str ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &xA, 16, xA_str ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &yA, 16, yA_str ) == 0 );
+
+    TEST_ASSERT( mbedtls_mpi_read_string( &dB, 16, dB_str ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &xZ, 16, xZ_str ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &yZ, 16, yZ_str ) == 0 );
+
+    mbedtls_ecp_set_max_ops( (unsigned) max_ops );
+
+    /* Base point case */
+    cnt_restarts = 0;
+    do {
+        ECP_PT_RESET( &R );
+        ret = mbedtls_ecp_mul_restartable( &grp, &R, &dA, &grp.G, NULL, NULL, &ctx );
+    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts );
+
+    TEST_ASSERT( ret == 0 );
+    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xA ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yA ) == 0 );
+
+    TEST_ASSERT( cnt_restarts >= min_restarts );
+    TEST_ASSERT( cnt_restarts <= max_restarts );
+
+    /* Non-base point case */
+    mbedtls_ecp_copy( &P, &R );
+    cnt_restarts = 0;
+    do {
+        ECP_PT_RESET( &R );
+        ret = mbedtls_ecp_mul_restartable( &grp, &R, &dB, &P, NULL, NULL, &ctx );
+    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts );
+
+    TEST_ASSERT( ret == 0 );
+    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xZ ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yZ ) == 0 );
+
+    TEST_ASSERT( cnt_restarts >= min_restarts );
+    TEST_ASSERT( cnt_restarts <= max_restarts );
+
+    /* Do we leak memory when aborting an operation?
+     * This test only makes sense when we actually restart */
+    if( min_restarts > 0 )
+    {
+        ret = mbedtls_ecp_mul_restartable( &grp, &R, &dB, &P, NULL, NULL, &ctx );
+        TEST_ASSERT( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
+    }
+
+exit:
+    mbedtls_ecp_restart_free( &ctx );
+    mbedtls_ecp_group_free( &grp );
+    mbedtls_ecp_point_free( &R ); mbedtls_ecp_point_free( &P );
+    mbedtls_mpi_free( &dA ); mbedtls_mpi_free( &xA ); mbedtls_mpi_free( &yA );
+    mbedtls_mpi_free( &dB ); mbedtls_mpi_free( &xZ ); mbedtls_mpi_free( &yZ );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void ecp_muladd_restart( int id, char *xR_str, char *yR_str,
+                         char *u1_str, char *u2_str,
+                         char *xQ_str, char *yQ_str,
+                         int max_ops, int min_restarts, int max_restarts )
+{
+    /*
+     * Compute R = u1 * G + u2 * Q
+     * (test vectors mostly taken from ECDSA intermediate results)
+     *
+     * See comments at the top of ecp_test_vect_restart()
+     */
+    mbedtls_ecp_restart_ctx ctx;
+    mbedtls_ecp_group grp;
+    mbedtls_ecp_point R, Q;
+    mbedtls_mpi u1, u2, xR, yR;
+    int cnt_restarts;
+    int ret;
+
+    mbedtls_ecp_restart_init( &ctx );
+    mbedtls_ecp_group_init( &grp );
+    mbedtls_ecp_point_init( &R );
+    mbedtls_ecp_point_init( &Q );
+    mbedtls_mpi_init( &u1 ); mbedtls_mpi_init( &u2 );
+    mbedtls_mpi_init( &xR ); mbedtls_mpi_init( &yR );
+
+    TEST_ASSERT( mbedtls_ecp_group_load( &grp, id ) == 0 );
+
+    TEST_ASSERT( mbedtls_mpi_read_string( &u1, 16, u1_str ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &u2, 16, u2_str ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &xR, 16, xR_str ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &yR, 16, yR_str ) == 0 );
+
+    TEST_ASSERT( mbedtls_mpi_read_string( &Q.X, 16, xQ_str ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &Q.Y, 16, yQ_str ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_lset( &Q.Z, 1 ) == 0 );
+
+    mbedtls_ecp_set_max_ops( (unsigned) max_ops );
+
+    cnt_restarts = 0;
+    do {
+        ECP_PT_RESET( &R );
+        ret = mbedtls_ecp_muladd_restartable( &grp, &R,
+                                              &u1, &grp.G, &u2, &Q, &ctx );
+    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restarts );
+
+    TEST_ASSERT( ret == 0 );
+    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.X, &xR ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_cmp_mpi( &R.Y, &yR ) == 0 );
+
+    TEST_ASSERT( cnt_restarts >= min_restarts );
+    TEST_ASSERT( cnt_restarts <= max_restarts );
+
+    /* Do we leak memory when aborting an operation?
+     * This test only makes sense when we actually restart */
+    if( min_restarts > 0 )
+    {
+        ret = mbedtls_ecp_muladd_restartable( &grp, &R,
+                                              &u1, &grp.G, &u2, &Q, &ctx );
+        TEST_ASSERT( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
+    }
+
+exit:
+    mbedtls_ecp_restart_free( &ctx );
+    mbedtls_ecp_group_free( &grp );
+    mbedtls_ecp_point_free( &R );
+    mbedtls_ecp_point_free( &Q );
+    mbedtls_mpi_free( &u1 ); mbedtls_mpi_free( &u2 );
+    mbedtls_mpi_free( &xR ); mbedtls_mpi_free( &yR );
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
-void ecp_test_vect( int id, char *dA_str, char *xA_str, char *yA_str,
-                    char *dB_str, char *xB_str, char *yB_str, char *xZ_str,
-                    char *yZ_str )
+void ecp_test_vect( int id, char * dA_str, char * xA_str, char * yA_str,
+                    char * dB_str, char * xB_str, char * yB_str,
+                    char * xZ_str, char * yZ_str )
 {
     mbedtls_ecp_group grp;
     mbedtls_ecp_point R;
@@ -107,8 +624,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void ecp_test_vec_x( int id, char *dA_hex, char *xA_hex,
-                     char *dB_hex, char *xB_hex, char *xS_hex )
+void ecp_test_vec_x( int id, char * dA_hex, char * xA_hex, char * dB_hex,
+                     char * xB_hex, char * xS_hex )
 {
     mbedtls_ecp_group grp;
     mbedtls_ecp_point R;
@@ -158,7 +675,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void ecp_fast_mod( int id, char *N_str )
+void ecp_fast_mod( int id, char * N_str )
 {
     mbedtls_ecp_group grp;
     mbedtls_mpi N, R;
@@ -191,16 +708,15 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void ecp_write_binary( int id, char *x, char *y, char *z, int format,
-                       char *out, int blen, int ret )
+void ecp_write_binary( int id, char * x, char * y, char * z, int format,
+                       data_t * out, int blen, int ret )
 {
     mbedtls_ecp_group grp;
     mbedtls_ecp_point P;
-    unsigned char buf[256], str[512];
+    unsigned char buf[256];
     size_t olen;
 
     memset( buf, 0, sizeof( buf ) );
-    memset( str, 0, sizeof( str ) );
 
     mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &P );
 
@@ -215,8 +731,7 @@ void ecp_write_binary( int id, char *x, char *y, char *z, int format,
 
     if( ret == 0 )
     {
-        hexify( str, buf, olen );
-        TEST_ASSERT( strcasecmp( (char *) str, out ) == 0 );
+        TEST_ASSERT( hexcmp( buf, out->x, olen, out->len ) == 0 );
     }
 
 exit:
@@ -225,16 +740,13 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void ecp_read_binary( int id, char *input, char *x, char *y, char *z,
+void ecp_read_binary( int id, data_t * buf, char * x, char * y, char * z,
                       int ret )
 {
     mbedtls_ecp_group grp;
     mbedtls_ecp_point P;
     mbedtls_mpi X, Y, Z;
-    int ilen;
-    unsigned char buf[256];
 
-    memset( buf, 0, sizeof( buf ) );
 
     mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &P );
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z );
@@ -245,9 +757,7 @@ void ecp_read_binary( int id, char *input, char *x, char *y, char *z,
     TEST_ASSERT( mbedtls_mpi_read_string( &Y, 16, y ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &Z, 16, z ) == 0 );
 
-    ilen = unhexify( buf, input );
-
-    TEST_ASSERT( mbedtls_ecp_point_read_binary( &grp, &P, buf, ilen ) == ret );
+    TEST_ASSERT( mbedtls_ecp_point_read_binary( &grp, &P, buf->x, buf->len ) == ret );
 
     if( ret == 0 )
     {
@@ -263,17 +773,14 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_ecp_tls_read_point( int id, char *input, char *x, char *y, char *z,
-                         int ret )
+void mbedtls_ecp_tls_read_point( int id, data_t * buf, char * x, char * y,
+                                 char * z, int ret )
 {
     mbedtls_ecp_group grp;
     mbedtls_ecp_point P;
     mbedtls_mpi X, Y, Z;
-    size_t ilen;
-    unsigned char buf[256];
-    const unsigned char *vbuf = buf;
+    const unsigned char *vbuf = buf->x;
 
-    memset( buf, 0, sizeof( buf ) );
 
     mbedtls_ecp_group_init( &grp ); mbedtls_ecp_point_init( &P );
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z );
@@ -284,16 +791,14 @@ void mbedtls_ecp_tls_read_point( int id, char *input, char *x, char *y, char *z,
     TEST_ASSERT( mbedtls_mpi_read_string( &Y, 16, y ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &Z, 16, z ) == 0 );
 
-    ilen = unhexify( buf, input );
-
-    TEST_ASSERT( mbedtls_ecp_tls_read_point( &grp, &P, &vbuf, ilen ) == ret );
+    TEST_ASSERT( mbedtls_ecp_tls_read_point( &grp, &P, &vbuf, buf->len ) == ret );
 
     if( ret == 0 )
     {
         TEST_ASSERT( mbedtls_mpi_cmp_mpi( &P.X, &X ) == 0 );
         TEST_ASSERT( mbedtls_mpi_cmp_mpi( &P.Y, &Y ) == 0 );
         TEST_ASSERT( mbedtls_mpi_cmp_mpi( &P.Z, &Z ) == 0 );
-        TEST_ASSERT( *vbuf == 0x00 );
+        TEST_ASSERT( (uint32_t)( vbuf - buf->x ) == buf->len );
     }
 
 exit:
@@ -355,25 +860,22 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_ecp_tls_read_group( char *record, int result, int bits )
+void mbedtls_ecp_tls_read_group( data_t * buf, int result, int bits,
+                                 int record_len )
 {
     mbedtls_ecp_group grp;
-    unsigned char buf[10];
-    const unsigned char *vbuf = buf;
-    int len, ret;
+    const unsigned char *vbuf = buf->x;
+    int ret;
 
     mbedtls_ecp_group_init( &grp );
-    memset( buf, 0x00, sizeof( buf ) );
-
-    len = unhexify( buf, record );
 
-    ret = mbedtls_ecp_tls_read_group( &grp, &vbuf, len );
+    ret = mbedtls_ecp_tls_read_group( &grp, &vbuf, buf->len );
 
     TEST_ASSERT( ret == result );
     if( ret == 0)
     {
         TEST_ASSERT( mbedtls_mpi_bitlen( &grp.P ) == (size_t) bits );
-        TEST_ASSERT( *vbuf == 0x00 );
+        TEST_ASSERT( vbuf - buf->x ==  record_len);
     }
 
 exit:
@@ -413,7 +915,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_ecp_check_privkey( int id, char *key_hex, int ret )
+void mbedtls_ecp_check_privkey( int id, char * key_hex, int ret )
 {
     mbedtls_ecp_group grp;
     mbedtls_mpi d;
@@ -433,8 +935,9 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_ecp_check_pub_priv( int id_pub, char *Qx_pub, char *Qy_pub,
-                         int id, char *d, char *Qx, char *Qy, int ret )
+void mbedtls_ecp_check_pub_priv( int id_pub, char * Qx_pub, char * Qy_pub,
+                                 int id, char * d, char * Qx, char * Qy,
+                                 int ret )
 {
     mbedtls_ecp_keypair pub, prv;
 
@@ -506,7 +1009,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void ecp_selftest()
+void ecp_selftest(  )
 {
     TEST_ASSERT( mbedtls_ecp_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_entropy.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_entropy.function
index 2bab796d1c..0b1cfe80d4 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_entropy.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_entropy.function
@@ -1,6 +1,7 @@
 /* BEGIN_HEADER */
 #include "mbedtls/entropy.h"
 #include "mbedtls/entropy_poll.h"
+#include "string.h"
 
 /*
  * Number of calls made to entropy_dummy_source()
@@ -124,7 +125,7 @@ static int read_nv_seed( unsigned char *buf, size_t buf_len )
  */
 
 /* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */
-void entropy_seed_file( char *path, int ret )
+void entropy_seed_file( char * path, int ret )
 {
     mbedtls_entropy_context ctx;
 
@@ -139,7 +140,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void entropy_too_many_sources( )
+void entropy_too_many_sources(  )
 {
     mbedtls_entropy_context ctx;
     size_t i;
@@ -193,7 +194,7 @@ void entropy_func_len( int len, int ret )
 /* END_CASE */
 
 /* BEGIN_CASE */
-void entropy_source_fail( char *path )
+void entropy_source_fail( char * path )
 {
     mbedtls_entropy_context ctx;
     int fail = -1;
@@ -260,7 +261,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO */
-void nv_seed_file_create()
+void nv_seed_file_create(  )
 {
     unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
 
@@ -271,7 +272,7 @@ void nv_seed_file_create()
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_FS_IO:MBEDTLS_PLATFORM_NV_SEED_ALT */
-void entropy_nv_seed_std_io()
+void entropy_nv_seed_std_io(  )
 {
     unsigned char io_seed[MBEDTLS_ENTROPY_BLOCK_SIZE];
     unsigned char check_seed[MBEDTLS_ENTROPY_BLOCK_SIZE];
@@ -301,7 +302,7 @@ void entropy_nv_seed_std_io()
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_PLATFORM_NV_SEED_ALT:MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */
-void entropy_nv_seed( char *read_seed_str )
+void entropy_nv_seed( data_t * read_seed )
 {
     mbedtls_sha512_context accumulator;
     mbedtls_entropy_context ctx;
@@ -310,7 +311,6 @@ void entropy_nv_seed( char *read_seed_str )
     unsigned char entropy[MBEDTLS_ENTROPY_BLOCK_SIZE];
     unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
     unsigned char empty[MBEDTLS_ENTROPY_BLOCK_SIZE];
-    unsigned char read_seed[MBEDTLS_ENTROPY_BLOCK_SIZE];
     unsigned char check_seed[MBEDTLS_ENTROPY_BLOCK_SIZE];
     unsigned char check_entropy[MBEDTLS_ENTROPY_BLOCK_SIZE];
 
@@ -322,8 +322,7 @@ void entropy_nv_seed( char *read_seed_str )
     memset( check_entropy, 3, MBEDTLS_ENTROPY_BLOCK_SIZE );
 
     // Set the initial NV seed to read
-    unhexify( read_seed, read_seed_str );
-    memcpy( buffer_seed, read_seed, MBEDTLS_ENTROPY_BLOCK_SIZE );
+    memcpy( buffer_seed, read_seed->x, read_seed->len );
 
     // Make sure we read/write NV seed from our buffers
     mbedtls_platform_set_nv_seed( buffer_nv_seed_read, buffer_nv_seed_write );
@@ -348,7 +347,7 @@ void entropy_nv_seed( char *read_seed_str )
     // First run for updating write_seed
     header[0] = 0;
     mbedtls_sha512_update( &accumulator, header, 2 );
-    mbedtls_sha512_update( &accumulator, read_seed, MBEDTLS_ENTROPY_BLOCK_SIZE );
+    mbedtls_sha512_update( &accumulator, read_seed->x, read_seed->len );
     mbedtls_sha512_finish( &accumulator, buf );
 
     memset( &accumulator, 0, sizeof( mbedtls_sha512_context ) );
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_error.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_error.function
index c99b1fd15c..68831ce51d 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_error.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_error.function
@@ -8,7 +8,7 @@
  */
 
 /* BEGIN_CASE */
-void error_strerror( int code, char *result_str )
+void error_strerror( int code, char * result_str )
 {
     char buf[500];
 
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.aes128_de.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.aes128_de.data
index 2a2e32f0d3..a42fe859d8 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.aes128_de.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.aes128_de.data
@@ -1,674 +1,674 @@
 AES-GCM NIST Validation (AES-128,128,0,0,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d785dafea3e966731ef6fc6202262584":"":"d91a46205ee94058b3b8403997592dd2":"":128:"3b92a17c1b9c3578a68cffea5a5b6245":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d785dafea3e966731ef6fc6202262584":"":"d91a46205ee94058b3b8403997592dd2":"":128:"3b92a17c1b9c3578a68cffea5a5b6245":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"aec963833b9098de1ababc853ab74d96":"":"4e0ffd93beffd732c6f7d6ad606a2d24":"":128:"e9fcedc176dfe587dc61b2011010cdf1":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"aec963833b9098de1ababc853ab74d96":"":"4e0ffd93beffd732c6f7d6ad606a2d24":"":128:"e9fcedc176dfe587dc61b2011010cdf1":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c4fb9e3393681da9cec5ec96f87c5c31":"":"845e910bc055d895879f62101d08b4c7":"":128:"99fb783c497416e4b6e2a5de7c782057":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c4fb9e3393681da9cec5ec96f87c5c31":"":"845e910bc055d895879f62101d08b4c7":"":128:"99fb783c497416e4b6e2a5de7c782057":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2a930f2e09beceacd9919cb76f2ac8d3":"":"340d9af44f6370eff534c653033a785a":"":120:"0c1e5e9c8fe5edfd11f114f3503d63":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2a930f2e09beceacd9919cb76f2ac8d3":"":"340d9af44f6370eff534c653033a785a":"":120:"0c1e5e9c8fe5edfd11f114f3503d63":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe71177e02073b1c407b5724e2263a5e":"":"83c23d20d2a9d4b8f92da96587c96b18":"":120:"43b2ca795420f35f6cb39f5dfa47a2":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe71177e02073b1c407b5724e2263a5e":"":"83c23d20d2a9d4b8f92da96587c96b18":"":120:"43b2ca795420f35f6cb39f5dfa47a2":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b02392fd7f228888c281e59d1eaa15fb":"":"2726344ba8912c737e195424e1e6679e":"":120:"a10b601ca8053536a2af2cc255d2b6":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b02392fd7f228888c281e59d1eaa15fb":"":"2726344ba8912c737e195424e1e6679e":"":120:"a10b601ca8053536a2af2cc255d2b6":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"21895cbafc16b7b8bf5867e88e0853d4":"":"f987ce1005d9bbd31d2452fb80957753":"":112:"952a7e265830d58a6778d68b9450":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"21895cbafc16b7b8bf5867e88e0853d4":"":"f987ce1005d9bbd31d2452fb80957753":"":112:"952a7e265830d58a6778d68b9450":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9bb9742bf47f68caf64963d7c10a97b0":"":"34a85669de64e1cd44731905fddbcbc5":"":112:"e9b6be928aa77b2de28b480ae74c":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9bb9742bf47f68caf64963d7c10a97b0":"":"34a85669de64e1cd44731905fddbcbc5":"":112:"e9b6be928aa77b2de28b480ae74c":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4e9708e4b37e2e1b5feaf4f5ab54e2a6":"":"1c53a9fdd23919b036d99560619a9939":"":112:"6611b50d6fbca83047f9f5fe1768":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4e9708e4b37e2e1b5feaf4f5ab54e2a6":"":"1c53a9fdd23919b036d99560619a9939":"":112:"6611b50d6fbca83047f9f5fe1768":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"82fede79db25f00be96eb050a22cea87":"":"e9c50b517ab26c89b83c1f0cac50162c":"":104:"d0c0ce9db60b77b0e31d05e048":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"82fede79db25f00be96eb050a22cea87":"":"e9c50b517ab26c89b83c1f0cac50162c":"":104:"d0c0ce9db60b77b0e31d05e048":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1d98566fca5201abb12914311a8bd532":"":"590aef4b46a9023405d075edab7e6849":"":104:"a1cfd1a27b341f49eda2ca8305":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1d98566fca5201abb12914311a8bd532":"":"590aef4b46a9023405d075edab7e6849":"":104:"a1cfd1a27b341f49eda2ca8305":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3038771820c2e1319f02a74b8a7a0c08":"":"e556d9f07fb69d7e9a644261c80fac92":"":104:"4d2f005d662b6a8787f231c5e1":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3038771820c2e1319f02a74b8a7a0c08":"":"e556d9f07fb69d7e9a644261c80fac92":"":104:"4d2f005d662b6a8787f231c5e1":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0fb7eef50de598d7d8b508d019a30d5a":"":"a2a2617040116c2c7e4236d2d8278213":"":96:"68413c58df7bb5f067197ca0":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0fb7eef50de598d7d8b508d019a30d5a":"":"a2a2617040116c2c7e4236d2d8278213":"":96:"68413c58df7bb5f067197ca0":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8cc58b609204215c8ab4908286e56e5c":"":"fb83ea637279332677b5f68081173e99":"":96:"a2a9160d82739a55d8cd419f":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8cc58b609204215c8ab4908286e56e5c":"":"fb83ea637279332677b5f68081173e99":"":96:"a2a9160d82739a55d8cd419f":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"81a5fd184742a478432963f6477e8f92":"":"da297cbb53b11d7c379e0566299b4d5a":"":96:"200bee49466fdda2f21f0062":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"81a5fd184742a478432963f6477e8f92":"":"da297cbb53b11d7c379e0566299b4d5a":"":96:"200bee49466fdda2f21f0062":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f604ac66d626959e595cbb7b4128e096":"":"269d2a49d533c6bb38008711f38e0b39":"":64:"468200fa4683e8be":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f604ac66d626959e595cbb7b4128e096":"":"269d2a49d533c6bb38008711f38e0b39":"":64:"468200fa4683e8be":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2e308ba7903e925f768c1d00ff3eb623":"":"335acd2aa48a47a37cfe21e491f1b141":"":64:"4872bfd5e2ff55f6":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2e308ba7903e925f768c1d00ff3eb623":"":"335acd2aa48a47a37cfe21e491f1b141":"":64:"4872bfd5e2ff55f6":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1304e2a5a3520454a5109df61a67da7a":"":"dbe8b452acf4fa1444c3668e9ee72d26":"":64:"83a0d3440200ca95":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1304e2a5a3520454a5109df61a67da7a":"":"dbe8b452acf4fa1444c3668e9ee72d26":"":64:"83a0d3440200ca95":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ecf1ec2c9a8f2e9cc799f9b9fddb3232":"":"ddf0b695aef5df2b594fcaae72b7e41c":"":32:"2819aedf":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ecf1ec2c9a8f2e9cc799f9b9fddb3232":"":"ddf0b695aef5df2b594fcaae72b7e41c":"":32:"2819aedf":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9ab5c8ca905b5fe50461f4a68941144b":"":"96dd3927a96e16123f2e9d6b367d303f":"":32:"6e0c53ef":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9ab5c8ca905b5fe50461f4a68941144b":"":"96dd3927a96e16123f2e9d6b367d303f":"":32:"6e0c53ef":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b5fc7af605721a9cfe61c1ee6a4b3e22":"":"6b757d4055823d1035d01077666037d6":"":32:"e8c09ddd":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b5fc7af605721a9cfe61c1ee6a4b3e22":"":"6b757d4055823d1035d01077666037d6":"":32:"e8c09ddd":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"03c0b4a6e508a8490db0d086a82c9db7":"":"ac52f6c1a05030321fa39f87e89fdb5e":"33316ca79d10a79f4fd038593e8eef09625089dc4e0ffe4bc1f2871554fa6666ab3e7fe7885edef694b410456f3ec0e513bb25f1b48d95e4820c5972c1aabb25c84c08566002dadc36df334c1ce86847964a122016d389ac873bca8c335a7a99bcef91e1b985ae5d488a2d7f78b4bf14e0c2dc715e814f4e24276057cf668172":128:"756292d8b4653887edef51679b161812":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"03c0b4a6e508a8490db0d086a82c9db7":"":"ac52f6c1a05030321fa39f87e89fdb5e":"33316ca79d10a79f4fd038593e8eef09625089dc4e0ffe4bc1f2871554fa6666ab3e7fe7885edef694b410456f3ec0e513bb25f1b48d95e4820c5972c1aabb25c84c08566002dadc36df334c1ce86847964a122016d389ac873bca8c335a7a99bcef91e1b985ae5d488a2d7f78b4bf14e0c2dc715e814f4e24276057cf668172":128:"756292d8b4653887edef51679b161812":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b228d3d15219ea9ad5651fce02c8374d":"":"5c7eafaead029c3fe3cf3835fe758d0e":"8c35dd805c08686b9b4d460f81b4dcb8c46c6d57842dc3e72ba90952e2bebf17fe7184445b02f801800a944486d662a127d01d3b7f42679052cdc73ce533129af8d13957415c5495142157d6ce8a68aa977e56f562fed98e468e42522767656ce50369471060381bb752dd5e77c79677a4cadffa39e518e30a789e793b07ea21":128:"a4dde1ab93c84937c3bbc3ad5237818d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b228d3d15219ea9ad5651fce02c8374d":"":"5c7eafaead029c3fe3cf3835fe758d0e":"8c35dd805c08686b9b4d460f81b4dcb8c46c6d57842dc3e72ba90952e2bebf17fe7184445b02f801800a944486d662a127d01d3b7f42679052cdc73ce533129af8d13957415c5495142157d6ce8a68aa977e56f562fed98e468e42522767656ce50369471060381bb752dd5e77c79677a4cadffa39e518e30a789e793b07ea21":128:"a4dde1ab93c84937c3bbc3ad5237818d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"776afcbabedd5577fe660a60f920b536":"":"5bbb7f1b14084e520408dd87b97705e9":"44631fc9d4a07416b0dfb4e2b42071e3e2be45502c9ddf72b3e61810eeda31a7d685ebb2ee43a2c06af374569f439ee1668c550067de2dece9ec46ee72b260858d6033f814e85275c5ae669b60803a8c516de32804fa34d3a213ccfaf6689046e25eeb30b9e1608e689f4d31cc664b83a468a51165f5625f12f098a6bf7ddab2":128:"a5347d41d93b587240651bcd5230264f":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"776afcbabedd5577fe660a60f920b536":"":"5bbb7f1b14084e520408dd87b97705e9":"44631fc9d4a07416b0dfb4e2b42071e3e2be45502c9ddf72b3e61810eeda31a7d685ebb2ee43a2c06af374569f439ee1668c550067de2dece9ec46ee72b260858d6033f814e85275c5ae669b60803a8c516de32804fa34d3a213ccfaf6689046e25eeb30b9e1608e689f4d31cc664b83a468a51165f5625f12f098a6bf7ddab2":128:"a5347d41d93b587240651bcd5230264f":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"20abeafa25fc4ea7d0592cb3e9b4d5fe":"":"3aba79a58c5aa664856b41d552c7a8d3":"98cfecaae9eb9a7c3b17e6bc5f80d8a4bf7a9f4fa5e01b74cae15ee6af14633205aafe3b28fb7b7918e12322ea27352056a603746d728a61361134a561619400ff2bf679045bac2e0fbc2c1d41f8faba4b27c7827bceda4e9bf505df4185515dd3a5e26f7639c8ad5a38bc5906a44be062f02cc53862678ae36fa3de3c02c982":120:"2a67ad1471a520fe09a304f0975f31":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"20abeafa25fc4ea7d0592cb3e9b4d5fe":"":"3aba79a58c5aa664856b41d552c7a8d3":"98cfecaae9eb9a7c3b17e6bc5f80d8a4bf7a9f4fa5e01b74cae15ee6af14633205aafe3b28fb7b7918e12322ea27352056a603746d728a61361134a561619400ff2bf679045bac2e0fbc2c1d41f8faba4b27c7827bceda4e9bf505df4185515dd3a5e26f7639c8ad5a38bc5906a44be062f02cc53862678ae36fa3de3c02c982":120:"2a67ad1471a520fe09a304f0975f31":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2bc73fba942ff105823b5dccf6befb1c":"":"902c3e3b69b1ef8395d7281ff74cce38":"4adec0b4ac00325a860044d9f9519daa4f7c163229a75819b0fd7d8e23319f030e61dfa8eadabff42ea27bc36bdb6cad249e801ca631b656836448b7172c11126bad2781e6a1aa4f62c4eda53409408b008c057e0b81215cc13ddabbb8f1915f4bbab854f8b00763a530ad5055d265778cd3080d0bd35b76a329bdd5b5a2d268":120:"ebdd7c8e87fe733138a433543542d1":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2bc73fba942ff105823b5dccf6befb1c":"":"902c3e3b69b1ef8395d7281ff74cce38":"4adec0b4ac00325a860044d9f9519daa4f7c163229a75819b0fd7d8e23319f030e61dfa8eadabff42ea27bc36bdb6cad249e801ca631b656836448b7172c11126bad2781e6a1aa4f62c4eda53409408b008c057e0b81215cc13ddabbb8f1915f4bbab854f8b00763a530ad5055d265778cd3080d0bd35b76a329bdd5b5a2d268":120:"ebdd7c8e87fe733138a433543542d1":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"356a4c245868243d61756cabe86da887":"":"b442f2ec6d45a17144c258fd59fe5b3b":"12cccc3c60474b0a1579c5006c2134850724fa6c9da3a7022d4f65fd238b052bdf34ea34aa7dbadad64996065acee588ab6bd29726d07ed24ffae2d33aadf3e66ebb87f57e689fd85128be1c9e3d8362fad1f8096ee391f75b576fb213d394cef6f091fc5488d9aa152be69475b9167abd6dd4fd93bbbc7b8ca316c952eb19c6":120:"ed26080dcb670590613d97d7c47cf4":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"356a4c245868243d61756cabe86da887":"":"b442f2ec6d45a17144c258fd59fe5b3b":"12cccc3c60474b0a1579c5006c2134850724fa6c9da3a7022d4f65fd238b052bdf34ea34aa7dbadad64996065acee588ab6bd29726d07ed24ffae2d33aadf3e66ebb87f57e689fd85128be1c9e3d8362fad1f8096ee391f75b576fb213d394cef6f091fc5488d9aa152be69475b9167abd6dd4fd93bbbc7b8ca316c952eb19c6":120:"ed26080dcb670590613d97d7c47cf4":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dfa7e93aff73600fc552324253066e2c":"":"c20001e93f1cd05253c277a9445d61e4":"a64d1e20058a1f7e698622a02f7ff8dc11886717ede17bbdc3c4645a66a71d8b04346fb389a251ffb0a7f445a25faf642bb7e4697d2cacf925e78c4be98457996afb25b0516b50f179441d1923312364947f8f1e0f5715b43bd537727bf943d7b4679b0b0b28b94e56e7bbf554d9cf79fcee4387f32bb6f91efdd23620035be6":112:"6ba5e4dace9a54b50b901d9b73ad":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dfa7e93aff73600fc552324253066e2c":"":"c20001e93f1cd05253c277a9445d61e4":"a64d1e20058a1f7e698622a02f7ff8dc11886717ede17bbdc3c4645a66a71d8b04346fb389a251ffb0a7f445a25faf642bb7e4697d2cacf925e78c4be98457996afb25b0516b50f179441d1923312364947f8f1e0f5715b43bd537727bf943d7b4679b0b0b28b94e56e7bbf554d9cf79fcee4387f32bb6f91efdd23620035be6":112:"6ba5e4dace9a54b50b901d9b73ad":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2ecea80b48d2ecd194a7699aa7d8ccfc":"":"8b4db08bafc23b65ae50a2d20661d270":"efc2ca1a3b41b90f8ddf74291d68f072a6e025d0c91c3ce2b133525943c73ebadc71f150be20afeb097442fa51be31a641df65d90ebd81dcbaf32711ed31f5e0271421377ffe14ddafea3ca60a600588d484856a98de73f56a766ae60bae384a4ae01a1a06821cf0c7a6b4ee4c8f413748457b3777283d3310218fb55c107293":112:"246a9d37553088b6411ebb62aa16":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2ecea80b48d2ecd194a7699aa7d8ccfc":"":"8b4db08bafc23b65ae50a2d20661d270":"efc2ca1a3b41b90f8ddf74291d68f072a6e025d0c91c3ce2b133525943c73ebadc71f150be20afeb097442fa51be31a641df65d90ebd81dcbaf32711ed31f5e0271421377ffe14ddafea3ca60a600588d484856a98de73f56a766ae60bae384a4ae01a1a06821cf0c7a6b4ee4c8f413748457b3777283d3310218fb55c107293":112:"246a9d37553088b6411ebb62aa16":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d38fee3fd3d6d08224c3c83529a25d08":"":"a942ccb11cf9468186fabfc18c899801":"1c92a4ce0a1dae27e720d6f9b1e460276538de437f3812ab1177cf0273b05908f296f33ba0f4c790abe2ce958b1d92b930a0d81243e6ad09ef86ee8e3270243095096537cb1054fcfcf537d828b65af9b6cf7c50f5b8470f7908f314d0859107eed772ee1732c78e8a2e35b2493f3e8c1e601b08aeab8d9729e0294dca168c62":112:"803a08700ec86fdeb88f7a388921":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d38fee3fd3d6d08224c3c83529a25d08":"":"a942ccb11cf9468186fabfc18c899801":"1c92a4ce0a1dae27e720d6f9b1e460276538de437f3812ab1177cf0273b05908f296f33ba0f4c790abe2ce958b1d92b930a0d81243e6ad09ef86ee8e3270243095096537cb1054fcfcf537d828b65af9b6cf7c50f5b8470f7908f314d0859107eed772ee1732c78e8a2e35b2493f3e8c1e601b08aeab8d9729e0294dca168c62":112:"803a08700ec86fdeb88f7a388921":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1899b0cbae41d705c6eed3226afb5bc0":"":"82d0910aa53e300a487d880d018d0dea":"6bf5583cc1007d74f3529db63b8d4e085400ccf3725eab8e19cb145f3910c61465a21486740a26f74691866a9f632af9fae81f5f0bffedf0c28a6ce0fd520bb4db04a3cd1a7d29d8801e05e4b9c9374fd89bcb539489c2f7f1f801c253a1cc737408669bcd133b62da357f7399a52179125aa59fae6707d340846886d730a835":104:"c5d58870fee9ce157f5ec1fa8f":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1899b0cbae41d705c6eed3226afb5bc0":"":"82d0910aa53e300a487d880d018d0dea":"6bf5583cc1007d74f3529db63b8d4e085400ccf3725eab8e19cb145f3910c61465a21486740a26f74691866a9f632af9fae81f5f0bffedf0c28a6ce0fd520bb4db04a3cd1a7d29d8801e05e4b9c9374fd89bcb539489c2f7f1f801c253a1cc737408669bcd133b62da357f7399a52179125aa59fae6707d340846886d730a835":104:"c5d58870fee9ce157f5ec1fa8f":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8b95323d86d02754f4c2874b42ec6eb0":"":"4f76084acbdef9999c71dcc794238d7c":"ebc75788377c0b264818a6f97c19cf92c29f1c7cdeb6b5f0a92d238fa4614bc35d0cfe4ec9d045cd628ff6262c460679ac15b0c6366d9289bbd217e5012279e0af0fb2cfcbdf51fe16935968cbb727f725fe5bcd4428905849746c8493600ce8b2cfc1b61b04c8b752b915fed611d6b54ef73ec4e3950d6db1807b1ce7ed1dcc":104:"c4724ff1d2c57295eb733e9cad":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8b95323d86d02754f4c2874b42ec6eb0":"":"4f76084acbdef9999c71dcc794238d7c":"ebc75788377c0b264818a6f97c19cf92c29f1c7cdeb6b5f0a92d238fa4614bc35d0cfe4ec9d045cd628ff6262c460679ac15b0c6366d9289bbd217e5012279e0af0fb2cfcbdf51fe16935968cbb727f725fe5bcd4428905849746c8493600ce8b2cfc1b61b04c8b752b915fed611d6b54ef73ec4e3950d6db1807b1ce7ed1dcc":104:"c4724ff1d2c57295eb733e9cad":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"30da555559eb11cf7e0eff9d99e9607d":"":"7799275bf12335f281ec94a870f90a0b":"e735d556e15aec78d9736016c8c99db753ed14d4e4adaaa1dd7eaad702ea5dc337433f8c2b45afdf2f385fdf6c55574425571e079ca759b6235f877ed11618ff212bafd865a22b80b76b3b5cf1acfd24d92fd41607bbb7382f26cd703757088d497b16b32de80e1256c734a9b83356b6fced207177de75458481eaef59a431d7":104:"3c82272130e17c4a0a007a908e":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"30da555559eb11cf7e0eff9d99e9607d":"":"7799275bf12335f281ec94a870f90a0b":"e735d556e15aec78d9736016c8c99db753ed14d4e4adaaa1dd7eaad702ea5dc337433f8c2b45afdf2f385fdf6c55574425571e079ca759b6235f877ed11618ff212bafd865a22b80b76b3b5cf1acfd24d92fd41607bbb7382f26cd703757088d497b16b32de80e1256c734a9b83356b6fced207177de75458481eaef59a431d7":104:"3c82272130e17c4a0a007a908e":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ed2ac74af896c5190c271cfa6af02fd2":"":"e0226e2d8da47badad1fb78b9a797f27":"8f11353ae476ff923013e6e736ffc9d23101a1c471ccc07ad372a8430d6559c376075efce2e318cdf4c9443dbf132e7e6da5524045028c97e904633b44c4d189a4b64237ac7692dd03c0e751ce9f04d0fdbd8a96074cd7dfa2fd441a52328b4ac3974b4902db45663f7b6f24947dba618f8b9769e927faf84c9f49ad8239b9fb":96:"db8af7a0d548fc54d9457c73":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ed2ac74af896c5190c271cfa6af02fd2":"":"e0226e2d8da47badad1fb78b9a797f27":"8f11353ae476ff923013e6e736ffc9d23101a1c471ccc07ad372a8430d6559c376075efce2e318cdf4c9443dbf132e7e6da5524045028c97e904633b44c4d189a4b64237ac7692dd03c0e751ce9f04d0fdbd8a96074cd7dfa2fd441a52328b4ac3974b4902db45663f7b6f24947dba618f8b9769e927faf84c9f49ad8239b9fb":96:"db8af7a0d548fc54d9457c73":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0225b73fe5fbbe52f838d873173959d8":"":"02a048764f48d9aed1147ee922395bbf":"9b46a57b06e156c877e94c089814493ead879397dab3dfcab2db349ef387efcd0cc339a7e79131a2c580188fc7429044a465b8329d74cd8f47272a4ed32582b1c5c7e3d32341ae902ea4923dc33df8062bc24bb51a11d2ecc82f464f615041387f9c82bd2135d4e240fe56fa8a68e6a9a417e6702430a434b14d70cf02db3181":96:"e2c2ce4022c49a95c9ac9026":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0225b73fe5fbbe52f838d873173959d8":"":"02a048764f48d9aed1147ee922395bbf":"9b46a57b06e156c877e94c089814493ead879397dab3dfcab2db349ef387efcd0cc339a7e79131a2c580188fc7429044a465b8329d74cd8f47272a4ed32582b1c5c7e3d32341ae902ea4923dc33df8062bc24bb51a11d2ecc82f464f615041387f9c82bd2135d4e240fe56fa8a68e6a9a417e6702430a434b14d70cf02db3181":96:"e2c2ce4022c49a95c9ac9026":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"89ca3771a0ef3287568b4ac036120198":"":"7e83d2ffa8af8c554cfd71a0db56ef5b":"1bd7a9d6262882bd12c62bd50942965b3cdcadf5e0fab2dc4d0daf0ee4b16e92c6e2464c0caa423cdce88e4d843490609716ec5e44c41672c656ac0e444d3622557ea8420c94deae3ad190ddaf859f6f8c23e4e2e32a46d28df23de4f99bd6c34f69e06eddfdfa5f263dbe8baf9d4296b2c543e4c4847271e7590374edf46234":96:"06b2bf62591dc7ec1b814705":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"89ca3771a0ef3287568b4ac036120198":"":"7e83d2ffa8af8c554cfd71a0db56ef5b":"1bd7a9d6262882bd12c62bd50942965b3cdcadf5e0fab2dc4d0daf0ee4b16e92c6e2464c0caa423cdce88e4d843490609716ec5e44c41672c656ac0e444d3622557ea8420c94deae3ad190ddaf859f6f8c23e4e2e32a46d28df23de4f99bd6c34f69e06eddfdfa5f263dbe8baf9d4296b2c543e4c4847271e7590374edf46234":96:"06b2bf62591dc7ec1b814705":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a41a297bd96e224942998fe2192934a1":"":"6827f2c5a0b7ecd6bbc696abb0adf556":"f32041abd8543415cbac423d945dda5378a16a7e94d9ab5dbd2d32eb1c5048cc7c8e4df3ca84ec725f18c34cfdeaa7595392aabfd66d9e2f37c1165369cd806cd9d2110def6f5fad4345e5a6e2326c9300199438fcc078cd9fcf4d76872cac77fc9a0a8ac7e4d63995078a9addecf798460ff5910861b76c71bccfb6b629d722":64:"49a4917eef61f78e":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a41a297bd96e224942998fe2192934a1":"":"6827f2c5a0b7ecd6bbc696abb0adf556":"f32041abd8543415cbac423d945dda5378a16a7e94d9ab5dbd2d32eb1c5048cc7c8e4df3ca84ec725f18c34cfdeaa7595392aabfd66d9e2f37c1165369cd806cd9d2110def6f5fad4345e5a6e2326c9300199438fcc078cd9fcf4d76872cac77fc9a0a8ac7e4d63995078a9addecf798460ff5910861b76c71bccfb6b629d722":64:"49a4917eef61f78e":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a9372c058f42e0a1d019bdb528313919":"":"8d03f423230c8f00a5b6b712d426a2af":"cfef4e70fcc1821eeccf7c7b5eb3c0c3b5f72dc762426e0bd26242f8aa68c5b716ab97eded5e5720caccc1965da603d556d8214d5828f2cf276d95bf552d47313876796221f62ccb818a6d801088755d58cfb751bfed0d5a19718d4e0f94b850e0279b3a69295d1837cba958a6cc56e7594080b9e5b954a199fdc9e54ddc8583":64:"b82cd11cd3575c8d":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a9372c058f42e0a1d019bdb528313919":"":"8d03f423230c8f00a5b6b712d426a2af":"cfef4e70fcc1821eeccf7c7b5eb3c0c3b5f72dc762426e0bd26242f8aa68c5b716ab97eded5e5720caccc1965da603d556d8214d5828f2cf276d95bf552d47313876796221f62ccb818a6d801088755d58cfb751bfed0d5a19718d4e0f94b850e0279b3a69295d1837cba958a6cc56e7594080b9e5b954a199fdc9e54ddc8583":64:"b82cd11cd3575c8d":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6302b7338f8fa84195ad9abbacd89b4e":"":"e1bed5c53547cbc85f3411fbb43bb08b":"bcd329c076e8da2797d50dcdcf271cecf3ce12f3c136ed746edc722f907be6133276ee099038fdc5d73eec812739c7489d4bcc275f95451b44890416e3ffe5a1b6fa3986b84eee3adad774c6feaecb1f785053eeda2cfc18953b8547866d98918dbe0a6abc168ac7d77467a367f11c284924d9d186ef64ef0fd54eacd75156d2":64:"5222d092e9e8bd6c":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6302b7338f8fa84195ad9abbacd89b4e":"":"e1bed5c53547cbc85f3411fbb43bb08b":"bcd329c076e8da2797d50dcdcf271cecf3ce12f3c136ed746edc722f907be6133276ee099038fdc5d73eec812739c7489d4bcc275f95451b44890416e3ffe5a1b6fa3986b84eee3adad774c6feaecb1f785053eeda2cfc18953b8547866d98918dbe0a6abc168ac7d77467a367f11c284924d9d186ef64ef0fd54eacd75156d2":64:"5222d092e9e8bd6c":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"78b5c28d62e4b2097873a1180bd5a3a5":"":"c93902c2819ee494f0fc4b259ee65dd8":"e6b1192674a02083a6cf36d4ba93ba40a5331fadf63fd1eb2efa2ee9c0d8818472aaaf2b4705746011753f30f447c8f58dd34d29606daf57eadc172529837058cb78a378b19da8d63c321f550dfa256b5fd9f30e93d8f377443bfcd125f86a079a1765d2010be73d060f24eebae8d05e644688b2149bc39e18bd527bc066f2ba":32:"eae48137":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"78b5c28d62e4b2097873a1180bd5a3a5":"":"c93902c2819ee494f0fc4b259ee65dd8":"e6b1192674a02083a6cf36d4ba93ba40a5331fadf63fd1eb2efa2ee9c0d8818472aaaf2b4705746011753f30f447c8f58dd34d29606daf57eadc172529837058cb78a378b19da8d63c321f550dfa256b5fd9f30e93d8f377443bfcd125f86a079a1765d2010be73d060f24eebae8d05e644688b2149bc39e18bd527bc066f2ba":32:"eae48137":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3d84130578070e036c9e3df5b5509473":"":"3b9b4950523a19c6866fd2b0cde541fd":"a764931e1b21a140c54a8619aacdb4358834987fb6e263cec525f888f9e9764c165aaa7db74f2c42273f912daeae6d72b232a872ac2c652d7cd3af3a5753f58331c11b6c866475697876dbc4c6ca0e52a00ba015ee3c3b7fb444c6e50a4b4b9bbe135fc0632d32a3f79f333d8f487771ed12522e664b9cf90e66da267f47a74d":32:"79987692":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3d84130578070e036c9e3df5b5509473":"":"3b9b4950523a19c6866fd2b0cde541fd":"a764931e1b21a140c54a8619aacdb4358834987fb6e263cec525f888f9e9764c165aaa7db74f2c42273f912daeae6d72b232a872ac2c652d7cd3af3a5753f58331c11b6c866475697876dbc4c6ca0e52a00ba015ee3c3b7fb444c6e50a4b4b9bbe135fc0632d32a3f79f333d8f487771ed12522e664b9cf90e66da267f47a74d":32:"79987692":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"08428605ab4742a3e8a55354d4764620":"":"128f5f4a817e4af04113847a223adeb0":"464b484ed79d93a48e0f804e04df69d7ca10ad04ba7188d69e6549ab50503baaec67e0acba5537d1163c868fd3e350e9d0ae9123046bc76815c201a947aa4a7e4ed239ce889d4ff9c8d043877de06df5fc27cf67442b729b02e9c30287c0821ef9fa15d4cccbc53a95fa9ec3ed432ca960ebbf5a169ccada95a5bf4c7c968830":32:"3eb3e3a2":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"08428605ab4742a3e8a55354d4764620":"":"128f5f4a817e4af04113847a223adeb0":"464b484ed79d93a48e0f804e04df69d7ca10ad04ba7188d69e6549ab50503baaec67e0acba5537d1163c868fd3e350e9d0ae9123046bc76815c201a947aa4a7e4ed239ce889d4ff9c8d043877de06df5fc27cf67442b729b02e9c30287c0821ef9fa15d4cccbc53a95fa9ec3ed432ca960ebbf5a169ccada95a5bf4c7c968830":32:"3eb3e3a2":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0dd358bc3f992f26e81e3a2f3aa2d517":"87cc4fd75788c9d5cc83bae5d764dd249d178ab23224049795d4288b5ed9ea3f317068a39a7574b300c8544226e87b08e008fbe241d094545c211d56ac44437d41491a438272738968c8d371aa7787b5f606c8549a9d868d8a71380e9657d3c0337979feb01de5991fc1470dfc59eb02511efbbff3fcb479a862ba3844a25aaa":"d8c750bb443ee1a169dfe97cfe4d855b":"":128:"a81d13973baa22a751833d7d3f94b3b1":"77949b29f085bb3abb71a5386003811233056d3296eb093370f7777dadd306d93d59dcb9754d3857cf2758091ba661f845ef0582f6ae0e134328106f0d5d16b541cd74fdc756dc7b53f4f8a194daeea9369ebb1630c01ccb307b848e9527da20a39898d748fd59206f0b79d0ed946a8958033a45bd9ae673518b32606748eb65":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0dd358bc3f992f26e81e3a2f3aa2d517":"87cc4fd75788c9d5cc83bae5d764dd249d178ab23224049795d4288b5ed9ea3f317068a39a7574b300c8544226e87b08e008fbe241d094545c211d56ac44437d41491a438272738968c8d371aa7787b5f606c8549a9d868d8a71380e9657d3c0337979feb01de5991fc1470dfc59eb02511efbbff3fcb479a862ba3844a25aaa":"d8c750bb443ee1a169dfe97cfe4d855b":"":128:"a81d13973baa22a751833d7d3f94b3b1":"":"77949b29f085bb3abb71a5386003811233056d3296eb093370f7777dadd306d93d59dcb9754d3857cf2758091ba661f845ef0582f6ae0e134328106f0d5d16b541cd74fdc756dc7b53f4f8a194daeea9369ebb1630c01ccb307b848e9527da20a39898d748fd59206f0b79d0ed946a8958033a45bd9ae673518b32606748eb65":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"43b5f18227e5c74288dbeff03801acd6":"f58d630f10cfca61d4644d4f6505bab629e8e8faf1673e64417f9b79e622966a7011cfb3ff74db5cebf09ad3f41643d4437d213204a6c8397e7d59b8a5b1970aed2b6bb5ea1933c72c351f6ba96c0b0b98188f6e373f5db6c5ebece911ec7a1848abd3ae335515c774e0027dab7d1c07d047d3b8825ff94222dbaf6f9ab597ee":"08ee12246cf7edb81da3d610f3ebd167":"":128:"82d83b2f7da218d1d1441a5b37bcb065":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"43b5f18227e5c74288dbeff03801acd6":"f58d630f10cfca61d4644d4f6505bab629e8e8faf1673e64417f9b79e622966a7011cfb3ff74db5cebf09ad3f41643d4437d213204a6c8397e7d59b8a5b1970aed2b6bb5ea1933c72c351f6ba96c0b0b98188f6e373f5db6c5ebece911ec7a1848abd3ae335515c774e0027dab7d1c07d047d3b8825ff94222dbaf6f9ab597ee":"08ee12246cf7edb81da3d610f3ebd167":"":128:"82d83b2f7da218d1d1441a5b37bcb065":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9a433c612d7e1bdff881e4d63ba8b141":"ce10758332f423228b5e4ae31efda7677586934a1d8f05d9b7a0dc4e2010ec3eaacb71a527a5fff8e787d75ebd24ad163394c891b33477ed9e2a2d853c364cb1c5d0bc317fcaf4010817dbe5f1fd1037c701b291b3a66b164bc818bf5c00a4c210a1671faa574d74c7f3543f6c09aaf117e12e2eb3dae55edb1cc5b4086b617d":"8b670cf31f470f79a6c0b79e73863ca1":"":128:"8526fd25daf890e79946a205b698f287":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9a433c612d7e1bdff881e4d63ba8b141":"ce10758332f423228b5e4ae31efda7677586934a1d8f05d9b7a0dc4e2010ec3eaacb71a527a5fff8e787d75ebd24ad163394c891b33477ed9e2a2d853c364cb1c5d0bc317fcaf4010817dbe5f1fd1037c701b291b3a66b164bc818bf5c00a4c210a1671faa574d74c7f3543f6c09aaf117e12e2eb3dae55edb1cc5b4086b617d":"8b670cf31f470f79a6c0b79e73863ca1":"":128:"8526fd25daf890e79946a205b698f287":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8e9d75c781d63b29f1816859f7a0e0a0":"a9f1883f58e4ef78377992101ab86da0dafcefa827904dd94dff6f6704b1e45517165a34c5555a55b04c6992fb6d0840a71bd262fe59815e5c7b80fe803b47d5ba44982a3f72cb42f591d8b62df38c9f56a5868af8f68242e3a15f97be8ef2399dbace1273f509623b6f9e4d27a97436aebf2d044e75f1c62694db77ceac05de":"748a3b486b62a164cedcf1bab9325add":"":120:"131e0e4ce46d768674a7bcacdcef9c":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8e9d75c781d63b29f1816859f7a0e0a0":"a9f1883f58e4ef78377992101ab86da0dafcefa827904dd94dff6f6704b1e45517165a34c5555a55b04c6992fb6d0840a71bd262fe59815e5c7b80fe803b47d5ba44982a3f72cb42f591d8b62df38c9f56a5868af8f68242e3a15f97be8ef2399dbace1273f509623b6f9e4d27a97436aebf2d044e75f1c62694db77ceac05de":"748a3b486b62a164cedcf1bab9325add":"":120:"131e0e4ce46d768674a7bcacdcef9c":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe6b8553002c69396d9976bb48d30779":"786f4801b16de7a4931ab143b269c7acc68f1ed9b17a95e8929ccec7d53413059fd4267bedbf079d9d69e90314c1345bc9cb9132f1af69323157ddf7533ced42b4b7bd39004f14d326f5b03bc19084d231d93bcab328312d99b426c1e86e8e049d380bb492e2e32ad690af4cf86838d89a0dfdcbc30e8c9e9039e423a234e113":"595b17d0d76b83780235f5e0c92bd21f":"":120:"8879de07815a88877b0623de9be411":"b15dc7cd44adcb0783f30f592e5e03ccd47851725af9fe45bfc5b01ae35779b9a8b3f26fec468b188ec3cad40785c608d6bfd867b0ccf07a836ec20d2d9b8451636df153a32b637e7dcdbd606603d9e53f6e4c4cc8396286ce64b0ea638c10e5a567c0bc8e808080b71be51381e051336e60bf1663f6d2d7640a575e0752553b":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe6b8553002c69396d9976bb48d30779":"786f4801b16de7a4931ab143b269c7acc68f1ed9b17a95e8929ccec7d53413059fd4267bedbf079d9d69e90314c1345bc9cb9132f1af69323157ddf7533ced42b4b7bd39004f14d326f5b03bc19084d231d93bcab328312d99b426c1e86e8e049d380bb492e2e32ad690af4cf86838d89a0dfdcbc30e8c9e9039e423a234e113":"595b17d0d76b83780235f5e0c92bd21f":"":120:"8879de07815a88877b0623de9be411":"":"b15dc7cd44adcb0783f30f592e5e03ccd47851725af9fe45bfc5b01ae35779b9a8b3f26fec468b188ec3cad40785c608d6bfd867b0ccf07a836ec20d2d9b8451636df153a32b637e7dcdbd606603d9e53f6e4c4cc8396286ce64b0ea638c10e5a567c0bc8e808080b71be51381e051336e60bf1663f6d2d7640a575e0752553b":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"14898c56009b459172fef9c17993b54f":"e7ba6ef722273238b975d551f95d3e77e9b75b24c547b86eafb457d409803bdf6e1443839d8604ee497020e1a3dbd687a819b17fdde0fcf240ce2129792792a58bfcd825773001ee959bf9ec8d228e27ce1cd93d7fb86769a3793361b6f82bf7daf284afc1ece657a1ee6346ea9294880755b9b623563ad2657ba2286488a2ef":"0862f8f87289988711a877d3231d44eb":"":120:"36938974301ae733760f83439437c4":"3fd56897a62743e0ab4a465bcc9777d5fd21ad2c9a59d7e4e1a60feccdc722b9820ec65cb47e1d1160d12ff2ea93abe11bc101b82514ead7d542007fee7b4e2dd6822849cd3e82d761ff7cf5ce4f40ad9fec54050a632a401451b426812cf03c2b16a8667a88bb3f7497e3308a91de6fd646d6a3562c92c24272411229a90802":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"14898c56009b459172fef9c17993b54f":"e7ba6ef722273238b975d551f95d3e77e9b75b24c547b86eafb457d409803bdf6e1443839d8604ee497020e1a3dbd687a819b17fdde0fcf240ce2129792792a58bfcd825773001ee959bf9ec8d228e27ce1cd93d7fb86769a3793361b6f82bf7daf284afc1ece657a1ee6346ea9294880755b9b623563ad2657ba2286488a2ef":"0862f8f87289988711a877d3231d44eb":"":120:"36938974301ae733760f83439437c4":"":"3fd56897a62743e0ab4a465bcc9777d5fd21ad2c9a59d7e4e1a60feccdc722b9820ec65cb47e1d1160d12ff2ea93abe11bc101b82514ead7d542007fee7b4e2dd6822849cd3e82d761ff7cf5ce4f40ad9fec54050a632a401451b426812cf03c2b16a8667a88bb3f7497e3308a91de6fd646d6a3562c92c24272411229a90802":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe5253d4b071793b081ebc122cc2a5f8":"b57a0bd7714ae95e77fa9452e11a7ed4a2bec60f81ad6ddb956d4b1cb5dfc277dcb4034d501801b26733b5e08c710c3cfdccc1b208dc7a92cd7ebe166320582bcaff64cc943c36fbe7008f004e5db70c40de05fa68b0c9d4c16c8f976130f20702b99674cd2f4c93aeaeb3abca4b1114dbc3a4b33e1226ad801aa0e21f7cc49b":"49e82d86804e196421ec19ddc8541066":"":112:"e8b8ae34f842277fe92729e891e3":"c4a31c7ec820469f895d57579f987733337ec6547d78d17c44a18fab91f0322cfe05f23f9afaf019cf9531dec2d420f3591d334f40d78643fd957b91ab588a7e392447bd702652017ede7fb0d61d444a3b3cc4136e1d4df13d9532eb71bcf3ff0ae65e847e1c572a2f90632362bc424da2249b36a84be2c2bb216ae7708f745c":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe5253d4b071793b081ebc122cc2a5f8":"b57a0bd7714ae95e77fa9452e11a7ed4a2bec60f81ad6ddb956d4b1cb5dfc277dcb4034d501801b26733b5e08c710c3cfdccc1b208dc7a92cd7ebe166320582bcaff64cc943c36fbe7008f004e5db70c40de05fa68b0c9d4c16c8f976130f20702b99674cd2f4c93aeaeb3abca4b1114dbc3a4b33e1226ad801aa0e21f7cc49b":"49e82d86804e196421ec19ddc8541066":"":112:"e8b8ae34f842277fe92729e891e3":"":"c4a31c7ec820469f895d57579f987733337ec6547d78d17c44a18fab91f0322cfe05f23f9afaf019cf9531dec2d420f3591d334f40d78643fd957b91ab588a7e392447bd702652017ede7fb0d61d444a3b3cc4136e1d4df13d9532eb71bcf3ff0ae65e847e1c572a2f90632362bc424da2249b36a84be2c2bb216ae7708f745c":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b3502d6f0d172246e16503cdf5793296":"09268b8046f1558794e35cdc4945b94227a176dd8cb77f92f883542b1c4be698c379541fd1d557c2a07c7206afdd49506d6a1559123de1783c7a60006df06d87f9119fb105e9b278eb93f81fd316b6fdc38ef702a2b9feaa878a0d1ea999db4c593438f32e0f849f3adabf277a161afb5c1c3460039156eec78944d5666c2563":"6ce994689ff72f9df62f386a187c1a13":"":112:"21cdf44ff4993eb54b55d58e5a8f":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b3502d6f0d172246e16503cdf5793296":"09268b8046f1558794e35cdc4945b94227a176dd8cb77f92f883542b1c4be698c379541fd1d557c2a07c7206afdd49506d6a1559123de1783c7a60006df06d87f9119fb105e9b278eb93f81fd316b6fdc38ef702a2b9feaa878a0d1ea999db4c593438f32e0f849f3adabf277a161afb5c1c3460039156eec78944d5666c2563":"6ce994689ff72f9df62f386a187c1a13":"":112:"21cdf44ff4993eb54b55d58e5a8f":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5fb33dd73db309b9dfd3aee605cd94bf":"f4e011f8c99038c46854b427475f23488077ebf051c4b705a1adfdd493a0a10af7a7e9453965b94f52f61ae62ce9243a82a2dbf9c5a285db3fe34ed34ed08b5926f34c48171195f7062d02a6e6e795322a0475017371cb8f645cdcac94afc66dc43e7583bdf1c25790f4235076a53de6c64f3bc5004e5a9ce4783fbf639fad97":"3f6486f9e9e645292e0e425bac232268":"":112:"7ee5e0e2082b18d09abf141f902e":"0503cb531f1c967dae24f16dd651d544988a732020134896a0f109222e8639bf29ff69877c6ef4ac3df1b260842f909384e3d4409b99a47112681c4b17430041ca447a903a6c1b138f0efbb3b850d8290fceac9723a32edbf8e2d6e8143b1cbc7bf2d28d1b6c7f341a69918758cc82bbab5d898fa0f572d4ceaa11234cb511ec":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5fb33dd73db309b9dfd3aee605cd94bf":"f4e011f8c99038c46854b427475f23488077ebf051c4b705a1adfdd493a0a10af7a7e9453965b94f52f61ae62ce9243a82a2dbf9c5a285db3fe34ed34ed08b5926f34c48171195f7062d02a6e6e795322a0475017371cb8f645cdcac94afc66dc43e7583bdf1c25790f4235076a53de6c64f3bc5004e5a9ce4783fbf639fad97":"3f6486f9e9e645292e0e425bac232268":"":112:"7ee5e0e2082b18d09abf141f902e":"":"0503cb531f1c967dae24f16dd651d544988a732020134896a0f109222e8639bf29ff69877c6ef4ac3df1b260842f909384e3d4409b99a47112681c4b17430041ca447a903a6c1b138f0efbb3b850d8290fceac9723a32edbf8e2d6e8143b1cbc7bf2d28d1b6c7f341a69918758cc82bbab5d898fa0f572d4ceaa11234cb511ec":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a958fe3b520081b638d9e4c7d5da7ac7":"dfa9487378c7d8af9c8dbd9e533cd81503d9e4e7dab43133bad11fd3050a53a833df9cc3208af1a86110567d311d5fc54b0d627de433c381b10e113898203ac5225140f951cdb64c6494592b6453f9b6f952ec5ece732fb46c09a324f26b27cdad63588006bb5c6c00b9aa10d5d3b2f9eaab69beeddd6f93966654f964260018":"c396109e96afde6f685d3c38aa3c2fae":"":104:"06ca91004be43cf46ed4599e23":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a958fe3b520081b638d9e4c7d5da7ac7":"dfa9487378c7d8af9c8dbd9e533cd81503d9e4e7dab43133bad11fd3050a53a833df9cc3208af1a86110567d311d5fc54b0d627de433c381b10e113898203ac5225140f951cdb64c6494592b6453f9b6f952ec5ece732fb46c09a324f26b27cdad63588006bb5c6c00b9aa10d5d3b2f9eaab69beeddd6f93966654f964260018":"c396109e96afde6f685d3c38aa3c2fae":"":104:"06ca91004be43cf46ed4599e23":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ec319fb143eac8215b51541daec268f2":"d298d988e74927736237eb8ab09d7a86b854fa2fd1f7f3be83b417ac10aa9291f4af5b3fbaf75a296ac32369ad57ded3984b84711953e477de3035ba430a30ffb84c941936e6c8d2cae8d80159876f87dd682747f2dccc36d7c32ab227032b8ac70b313fa4202ea236e3ec4d9e4d8b48cf3b90b378edc5b1dbeec929549344f8":"8a4684f42a1775b03806574f401cff78":"":104:"e91acb1bfda191630b560debc9":"27ce4a622959930f4059f247d29d1438257093cc973bf1bae4e0515da88b9a7e21ec59c7e4d062035cdf88b91254d856b11c8c1944865fa12922227ded3eecccaa36341ecf5405c708e9ea173f1e6cdf090499d3bb079910771080814607a1efe62ec6835dc0333d19dd39dd9ea9f31cd3632128536149a122050bb9365b521d":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ec319fb143eac8215b51541daec268f2":"d298d988e74927736237eb8ab09d7a86b854fa2fd1f7f3be83b417ac10aa9291f4af5b3fbaf75a296ac32369ad57ded3984b84711953e477de3035ba430a30ffb84c941936e6c8d2cae8d80159876f87dd682747f2dccc36d7c32ab227032b8ac70b313fa4202ea236e3ec4d9e4d8b48cf3b90b378edc5b1dbeec929549344f8":"8a4684f42a1775b03806574f401cff78":"":104:"e91acb1bfda191630b560debc9":"":"27ce4a622959930f4059f247d29d1438257093cc973bf1bae4e0515da88b9a7e21ec59c7e4d062035cdf88b91254d856b11c8c1944865fa12922227ded3eecccaa36341ecf5405c708e9ea173f1e6cdf090499d3bb079910771080814607a1efe62ec6835dc0333d19dd39dd9ea9f31cd3632128536149a122050bb9365b521d":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"14a3e69f351ac39b4297749a90c1365c":"051224f7b208549dcfda5f9d56ce5f0a072ef1f23f3810c693516c92622be6ed4d7a9e0f9450980ba490b2e9e3468ea7eef10bc9ebd673d91f32b748c1bf2c50cc4ebb59fc409c6d780bba00700d563ce1dc9927a6c860095a42ed053f3d640debfbfa7a4e6d5de234af19755000d95e7f414f1f78285ee165410c020038286b":"eb1c6c04437aa5a32bcc208bb3c01724":"":104:"e418815960559aefee8e0c3831":"797310a6ed9ce47cdc25f7f88f5dbbf6f8f4837701704d7afced250585922744598d6f95ba2eecf86e030cc5ee71b328fc1c4f2d4df945d1b91a2803d6ae8eba6881be5fe0f298dd0c0279e12720ede60b9e857ccca5abe9b4d7ee7f25108beebbfe33f05c0d9903bf613c2e7ed6a87b71b5e386d81b3ae53efd01055bbcccc2":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"14a3e69f351ac39b4297749a90c1365c":"051224f7b208549dcfda5f9d56ce5f0a072ef1f23f3810c693516c92622be6ed4d7a9e0f9450980ba490b2e9e3468ea7eef10bc9ebd673d91f32b748c1bf2c50cc4ebb59fc409c6d780bba00700d563ce1dc9927a6c860095a42ed053f3d640debfbfa7a4e6d5de234af19755000d95e7f414f1f78285ee165410c020038286b":"eb1c6c04437aa5a32bcc208bb3c01724":"":104:"e418815960559aefee8e0c3831":"":"797310a6ed9ce47cdc25f7f88f5dbbf6f8f4837701704d7afced250585922744598d6f95ba2eecf86e030cc5ee71b328fc1c4f2d4df945d1b91a2803d6ae8eba6881be5fe0f298dd0c0279e12720ede60b9e857ccca5abe9b4d7ee7f25108beebbfe33f05c0d9903bf613c2e7ed6a87b71b5e386d81b3ae53efd01055bbcccc2":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c34827771fc3918d1cee09ba9401b832":"ce79701b661066e53191c9acdaf677ad41622314898d7216e3f113e2e6e215d26d8bd139827f06ab3ea5c4105694e87db1dd6cec10e1f86a8744d4c541f08e40319e22ab42fc1a6c89edfd486b6f142c6bbbf84a73912e0b2e55b79db306ccabf839855afdd889e52ae981520c89e7dc29bb2adb1906cca8c93fcb21290a095b":"2379bbd39a1c22bc93b9b9cc45f3840b":"":96:"26e1f6cf0d9e0f36dfd669eb":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c34827771fc3918d1cee09ba9401b832":"ce79701b661066e53191c9acdaf677ad41622314898d7216e3f113e2e6e215d26d8bd139827f06ab3ea5c4105694e87db1dd6cec10e1f86a8744d4c541f08e40319e22ab42fc1a6c89edfd486b6f142c6bbbf84a73912e0b2e55b79db306ccabf839855afdd889e52ae981520c89e7dc29bb2adb1906cca8c93fcb21290a095b":"2379bbd39a1c22bc93b9b9cc45f3840b":"":96:"26e1f6cf0d9e0f36dfd669eb":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b1f9bd2006ec550b7b9913d383200b5d":"6d9fc8f586d50d6e0128172ae147844e80136905d3a297497a9566ca7c7445029028f14c9950acee92a5c12a9150f5e024e01c7505dd83937542b0b1288de9c292ae8ad918a09b2edf8493540b74c73d2794f2eb6eed18eba520ddea9567462c83330f33d7892fcde0b10c73a4e26ab1bef037cec7e0190b95188e9a752fee6f":"ca28fa6b64bb3b32ef7d211f1c8be759":"":96:"c87aac7ad0e85dbb103c0733":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b1f9bd2006ec550b7b9913d383200b5d":"6d9fc8f586d50d6e0128172ae147844e80136905d3a297497a9566ca7c7445029028f14c9950acee92a5c12a9150f5e024e01c7505dd83937542b0b1288de9c292ae8ad918a09b2edf8493540b74c73d2794f2eb6eed18eba520ddea9567462c83330f33d7892fcde0b10c73a4e26ab1bef037cec7e0190b95188e9a752fee6f":"ca28fa6b64bb3b32ef7d211f1c8be759":"":96:"c87aac7ad0e85dbb103c0733":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8b2cef1a92aa0af2b00fb2a99855d5bc":"fd09525ef3c65ab5823e1b6c36b4a9449a3975c5d3a9e7e33c61fb32edcbb8e8c915b6202e3fbce87d73cc3b66d83d9ea7e1e353cc7468f08626932cf0235563e2a28953ee5a0afadb1c3cb513b1f1fc9a8a6cf326174b877448672f7731dd6430a51619da1a169ab302da5af5b38802f8bbf5890b5d9b45deda799679501dc4":"08d87b7acee87d884667f6b1e32e34d0":"":96:"3bd7685318010b0c5fe3308b":"583e64631c218549923e8ad33b728d07f23b0f19d2aff1ad7e20d564c591db0e117caa8f21e3f3345e3d84f0ccbb27274cddf9274410fc342cb2a5d4aea4e925d0dd5350389ee0dea23a842ff3f5c1198374a96f41e055f999cfbc2f47ceaa883da8eb6ff729f583eff1f91bd3f3254d4e81e60d9993b3455e67f405708e4422":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8b2cef1a92aa0af2b00fb2a99855d5bc":"fd09525ef3c65ab5823e1b6c36b4a9449a3975c5d3a9e7e33c61fb32edcbb8e8c915b6202e3fbce87d73cc3b66d83d9ea7e1e353cc7468f08626932cf0235563e2a28953ee5a0afadb1c3cb513b1f1fc9a8a6cf326174b877448672f7731dd6430a51619da1a169ab302da5af5b38802f8bbf5890b5d9b45deda799679501dc4":"08d87b7acee87d884667f6b1e32e34d0":"":96:"3bd7685318010b0c5fe3308b":"":"583e64631c218549923e8ad33b728d07f23b0f19d2aff1ad7e20d564c591db0e117caa8f21e3f3345e3d84f0ccbb27274cddf9274410fc342cb2a5d4aea4e925d0dd5350389ee0dea23a842ff3f5c1198374a96f41e055f999cfbc2f47ceaa883da8eb6ff729f583eff1f91bd3f3254d4e81e60d9993b3455e67f405708e4422":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"175c306f8644b0c4b894ae3d0971505e":"fbe7ced7048f83e3a075661c4924eb77da1b4d6019d504afb942d728b31fd3b17557bd101c08453540a5e28d3505aeb8801a448afac2d9f68d20c0a31c7ef22bd95438851789eef1bebe8d96ac29607025b7e1366fecd3690ba90c315528dc435d9a786d36a16808d4b3e2c7c5175a1279792f1daccf51b2f91ac839465bb89a":"9860268ca2e10974f3726a0e5b9b310f":"":64:"f809105e5fc5b13c":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"175c306f8644b0c4b894ae3d0971505e":"fbe7ced7048f83e3a075661c4924eb77da1b4d6019d504afb942d728b31fd3b17557bd101c08453540a5e28d3505aeb8801a448afac2d9f68d20c0a31c7ef22bd95438851789eef1bebe8d96ac29607025b7e1366fecd3690ba90c315528dc435d9a786d36a16808d4b3e2c7c5175a1279792f1daccf51b2f91ac839465bb89a":"9860268ca2e10974f3726a0e5b9b310f":"":64:"f809105e5fc5b13c":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"08c0edcfe342a676ccdc04bdf854b4b0":"1fc8ef8480c32d908b4bcbfa7074a38e915c20ed7a1c608422087e89442d7c5af6fe9c9a716c55793248062d8e6c6e8e904e2804da3a43701e4c78ecdb67e0b25308afc6d9b463356439cd095cff1bdf0fd91ab301c79fd257046cba79a5d5cd99f2502ad968420e4d499110106072dc687f434db0955c756a174a9024373c48":"4a7b70753930fe659f8cc38e5833f0c7":"":64:"9ab1e2f3c4606376":"983458c3f198bc685d98cea2b23cf71f0eb126e90937cab3492a46d9dc85d76bbb8035c6e209c34b2a7187df007faabe9f3064dc63f1cb15bf5a10655e39b94732e0c6583d56327e9701344e048887a81b256181cdfa9ec42ebc990875e4852240ddcb3cbc4ea4e6307075fd314f7190f3553267bd68b19e954e310ec3f8dbab":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"08c0edcfe342a676ccdc04bdf854b4b0":"1fc8ef8480c32d908b4bcbfa7074a38e915c20ed7a1c608422087e89442d7c5af6fe9c9a716c55793248062d8e6c6e8e904e2804da3a43701e4c78ecdb67e0b25308afc6d9b463356439cd095cff1bdf0fd91ab301c79fd257046cba79a5d5cd99f2502ad968420e4d499110106072dc687f434db0955c756a174a9024373c48":"4a7b70753930fe659f8cc38e5833f0c7":"":64:"9ab1e2f3c4606376":"":"983458c3f198bc685d98cea2b23cf71f0eb126e90937cab3492a46d9dc85d76bbb8035c6e209c34b2a7187df007faabe9f3064dc63f1cb15bf5a10655e39b94732e0c6583d56327e9701344e048887a81b256181cdfa9ec42ebc990875e4852240ddcb3cbc4ea4e6307075fd314f7190f3553267bd68b19e954e310ec3f8dbab":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"241067a0301edf0f825d793e03383ea1":"6984bb9830843529fad7f5e7760db89c778d62c764fcd2136ffb35d7d869f62f61d7fef64f65b7136398c1b5a792844528a18a13fba40b186ae08d1153b538007fc460684e2add8a9ed8dd82acbb8d357240daaa0c4deb979e54715545db03fe22e6d3906e89bdc81d535dae53075a58f65099434bfeed943dbc6024a92aa06a":"a30994261f48a66bb6c1fc3d69659228":"":64:"36c3b4a732ba75ae":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"241067a0301edf0f825d793e03383ea1":"6984bb9830843529fad7f5e7760db89c778d62c764fcd2136ffb35d7d869f62f61d7fef64f65b7136398c1b5a792844528a18a13fba40b186ae08d1153b538007fc460684e2add8a9ed8dd82acbb8d357240daaa0c4deb979e54715545db03fe22e6d3906e89bdc81d535dae53075a58f65099434bfeed943dbc6024a92aa06a":"a30994261f48a66bb6c1fc3d69659228":"":64:"36c3b4a732ba75ae":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"03cccb5357bd2848332d1696f2ff90cb":"5e2f18cbc1e773df9f28be08abb3d0b64d545c870c5778ac8bb396bef857d2ac1342ae1afb3bf5d64e667bf837458415d48396204fe560e3b635eb10e560e437f2d0396952998fd36e116cd047c1d7f6fc9901094454d24165c557a8816e0d0a8e0ce41e040ba6f26ca567c74fc47d9738b8cd8dae5dfc831c65bc1ba9603a07":"e0754022dfb1f813ccaf321558790806":"":32:"c75f0246":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"03cccb5357bd2848332d1696f2ff90cb":"5e2f18cbc1e773df9f28be08abb3d0b64d545c870c5778ac8bb396bef857d2ac1342ae1afb3bf5d64e667bf837458415d48396204fe560e3b635eb10e560e437f2d0396952998fd36e116cd047c1d7f6fc9901094454d24165c557a8816e0d0a8e0ce41e040ba6f26ca567c74fc47d9738b8cd8dae5dfc831c65bc1ba9603a07":"e0754022dfb1f813ccaf321558790806":"":32:"c75f0246":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4e5e53c84a05d5a5348bac7b2611cf62":"489c00c05dec06f282924c680f621ab99ac87f7d33ebbb4ca0eee187ec177d30d2b4afb4ee9f0dc019cf1a4da16d84b7f5f5c7fce72a32461db115b5a5a433024fd5ed3d47161836bb057a0189ed768f95e45fa967d0cc512fc91b555808c4033c945e8f2f7d36428dcb61f697e791b74e5c79b2bcb9cb81bec70d8119cd8d76":"47e40543b7d16bc9122c40b106d31d43":"":32:"81eec75d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4e5e53c84a05d5a5348bac7b2611cf62":"489c00c05dec06f282924c680f621ab99ac87f7d33ebbb4ca0eee187ec177d30d2b4afb4ee9f0dc019cf1a4da16d84b7f5f5c7fce72a32461db115b5a5a433024fd5ed3d47161836bb057a0189ed768f95e45fa967d0cc512fc91b555808c4033c945e8f2f7d36428dcb61f697e791b74e5c79b2bcb9cb81bec70d8119cd8d76":"47e40543b7d16bc9122c40b106d31d43":"":32:"81eec75d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2c94008bf377f90b7a1c0d2ea38f730c":"7b3d619d115de9970b2df4e1f25194940b3f3da04c653231e8e6946de9dc08ae5ba37e2a93c232e1f9445f31c01333045f22bd832e3b5f9833f37070fafb0ef1c44cc5637058ab64d9e07bb81b32852d4cf749a3ddbfdb494f8de8bb4e31f46033f8a16bc22e2595d023845505ea5db74dd69ab4ca940078b09efb4ff19bdb66":"abfe92931a8411a39986b74560a38211":"":32:"47d42e78":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2c94008bf377f90b7a1c0d2ea38f730c":"7b3d619d115de9970b2df4e1f25194940b3f3da04c653231e8e6946de9dc08ae5ba37e2a93c232e1f9445f31c01333045f22bd832e3b5f9833f37070fafb0ef1c44cc5637058ab64d9e07bb81b32852d4cf749a3ddbfdb494f8de8bb4e31f46033f8a16bc22e2595d023845505ea5db74dd69ab4ca940078b09efb4ff19bdb66":"abfe92931a8411a39986b74560a38211":"":32:"47d42e78":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"69eedf3777e594c30e94e9c5e2bce467":"5114e9983c96fecec3f7304ca42f52aa16cb7c6aadfb62ad537c93a3188835ca0703dad34c73cf96435b668b68a7a1d056931959316e8d3ab956bf64c4e07479c7767f9d488b0c0c351333ccf400b7e0be19a0fd173e3f2a1ae313f27e516952260fd2da9ab9daca478ebb93cd07d0b7503b32364d8e308d904d966c58f226bb":"a3330638a809ba358d6c098e4342b81e":"df4e3f2b47cf0e8590228fcf9913fb8a5eb9751bba318fd2d57be68c7e788e04fabf303699b99f26313d1c4956105cd2817aad21b91c28f3b9251e9c0b354490fa5abfcea0065aa3cc9b96772eb8af06a1a9054bf12d3ae698dfb01a13f989f8b8a4bb61686cf3adf58f05873a24d403a62a092290c2481e4159588fea6b9a09":128:"5de3068e1e20eed469265000077b1db9":"208e6321238bf5c6e2ef55a4b8f531cbbfb0d77374fe32df6dd663486cf79beeed39bb6910c3c78dd0cc30707a0a12b226b2d06024db25dcd8a4e620f009cafa5242121e864c7f3f4360aaf1e9d4e548d99615156f156008418c1c41ff2bbc007cecf8f209c73203e6df89b32871de637b3d6af2e277d146ae03f3404d387b77":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"69eedf3777e594c30e94e9c5e2bce467":"5114e9983c96fecec3f7304ca42f52aa16cb7c6aadfb62ad537c93a3188835ca0703dad34c73cf96435b668b68a7a1d056931959316e8d3ab956bf64c4e07479c7767f9d488b0c0c351333ccf400b7e0be19a0fd173e3f2a1ae313f27e516952260fd2da9ab9daca478ebb93cd07d0b7503b32364d8e308d904d966c58f226bb":"a3330638a809ba358d6c098e4342b81e":"df4e3f2b47cf0e8590228fcf9913fb8a5eb9751bba318fd2d57be68c7e788e04fabf303699b99f26313d1c4956105cd2817aad21b91c28f3b9251e9c0b354490fa5abfcea0065aa3cc9b96772eb8af06a1a9054bf12d3ae698dfb01a13f989f8b8a4bb61686cf3adf58f05873a24d403a62a092290c2481e4159588fea6b9a09":128:"5de3068e1e20eed469265000077b1db9":"":"208e6321238bf5c6e2ef55a4b8f531cbbfb0d77374fe32df6dd663486cf79beeed39bb6910c3c78dd0cc30707a0a12b226b2d06024db25dcd8a4e620f009cafa5242121e864c7f3f4360aaf1e9d4e548d99615156f156008418c1c41ff2bbc007cecf8f209c73203e6df89b32871de637b3d6af2e277d146ae03f3404d387b77":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"45cc35311eedf0ba093bf901931a7036":"5dc8d7525eaad035c19714ae1b1e538cb66a4089027245351e0ad9297410fb3a0c1155407c10a8bb95a9ca624a9c9925dac003ee78926c6e90ff4ccdba10e8a78bda1c4478162a0e302de5ff05fb0f94c89c3c7429fb94828bdcd97d21333c2ee72963ee6f056ce272b8bab007e653a42b01d1d2041ba627f169c8c0d32e6dae":"fed5084de3c348f5a0adf4c2fd4e848a":"6e210914e4aed188d576f5ad7fc7e4cf7dd8d82f34ea3bcbdb7267cfd9045f806978dbff3460c4e8ff8c4edb6ad2edba405a8d915729d89aab2116b36a70b54f5920a97f5a571977e0329eda6c696749be940eabfc6d8b0bbd6fbdb87657b3a7695da9f5d3a7384257f20e0becd8512d3705cc246ee6ca1e610921cf92603d79":128:"266a895fc21da5176b44b446d7d1921d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"45cc35311eedf0ba093bf901931a7036":"5dc8d7525eaad035c19714ae1b1e538cb66a4089027245351e0ad9297410fb3a0c1155407c10a8bb95a9ca624a9c9925dac003ee78926c6e90ff4ccdba10e8a78bda1c4478162a0e302de5ff05fb0f94c89c3c7429fb94828bdcd97d21333c2ee72963ee6f056ce272b8bab007e653a42b01d1d2041ba627f169c8c0d32e6dae":"fed5084de3c348f5a0adf4c2fd4e848a":"6e210914e4aed188d576f5ad7fc7e4cf7dd8d82f34ea3bcbdb7267cfd9045f806978dbff3460c4e8ff8c4edb6ad2edba405a8d915729d89aab2116b36a70b54f5920a97f5a571977e0329eda6c696749be940eabfc6d8b0bbd6fbdb87657b3a7695da9f5d3a7384257f20e0becd8512d3705cc246ee6ca1e610921cf92603d79":128:"266a895fc21da5176b44b446d7d1921d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9edb5231ca4a136b4df4ae22b8588f9f":"493df801c57f8bb591955712d92d3fc34518f0599fec8533b2b4473364e1df4f560c12444cf50eeb584676b7e955c742189de6b50b8e012dfa6642f3679fb02bc6d8e08d1db88c8ae955a7946263e06494e17f8df246b672942661e5563302252208f2e00a0d77068a020e26082c291a75a06f63c41e2830292a418b2b5fd9dd":"c342e9bdabe7be922b2695f5894e032c":"a45c7f8032ac5144deef8d5380f033aea2786b0592720a867f4831eaccc6b85d3fd568aedc6e472e017455b0b5b30cf7a08ea43ca587f35e1646ecd9b4dc774d11e350c82c65692be1e9541cbd72a283bdcf93dc7115545f373747b4f8d5915ed0c42fbeefd3e9bd86003d65efc2361fde5b874ddabcf8265e6b884615102eff":128:"5ed3ea75c8172fa0e8755fef7b4c90f1":"56696e501fac1e8d5b83ef911ed11337d5d51ff5342a82993dd5340bb9632e6606eef68ec5fe8cec6b34ebbc596c279e6cbc9221c4cde933f6d93ae014e3c4ca49593f35eaa638606d059519bac3a3373519e6184e7227d2aa62170c36479fe239cb698bfca863925a4c9fb1338685a55a6dfd3bd9c52d8ae12be8551fce6e1a":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9edb5231ca4a136b4df4ae22b8588f9f":"493df801c57f8bb591955712d92d3fc34518f0599fec8533b2b4473364e1df4f560c12444cf50eeb584676b7e955c742189de6b50b8e012dfa6642f3679fb02bc6d8e08d1db88c8ae955a7946263e06494e17f8df246b672942661e5563302252208f2e00a0d77068a020e26082c291a75a06f63c41e2830292a418b2b5fd9dd":"c342e9bdabe7be922b2695f5894e032c":"a45c7f8032ac5144deef8d5380f033aea2786b0592720a867f4831eaccc6b85d3fd568aedc6e472e017455b0b5b30cf7a08ea43ca587f35e1646ecd9b4dc774d11e350c82c65692be1e9541cbd72a283bdcf93dc7115545f373747b4f8d5915ed0c42fbeefd3e9bd86003d65efc2361fde5b874ddabcf8265e6b884615102eff":128:"5ed3ea75c8172fa0e8755fef7b4c90f1":"":"56696e501fac1e8d5b83ef911ed11337d5d51ff5342a82993dd5340bb9632e6606eef68ec5fe8cec6b34ebbc596c279e6cbc9221c4cde933f6d93ae014e3c4ca49593f35eaa638606d059519bac3a3373519e6184e7227d2aa62170c36479fe239cb698bfca863925a4c9fb1338685a55a6dfd3bd9c52d8ae12be8551fce6e1a":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d5fdcb8f5225090e63fae9b68f92c7cb":"d39b9cba95e3a3aab9bc1d03ff475c04faeb5b7f0510777f39e5a05756606eb7ddd154aac035d9ddaf3535629821dd8f014dedd52cd184f52fc706e3c89a3a271398c9125d9a624dafb297a56022ca2ea331ea7359ab5e65f8e14814788e64e0a886a9b1a0144bf268fdcf9d94c3d10a0452f40111da9df108252e9039eacea3":"581c818282a0905df5ffff652e5604e9":"f1ae6cd7b07f261105f555cf812a1d5bf8dd9aac07666318acffa11abb77d0238156663acbf7543825b45c6e9cddb481a40995ecd78bb5f4cba5df7c7efb00fc19c7f45e94d37697aca8ef368b99165393b6107f900194c797cd3289cb097eb5915f2abfd6aa52dd1effffdde448e30075a1c053246db54b0ec16eadca1c0071":120:"827e66b5b70dce56215cfb86c9a642":"cec11a12e47fd443f878e8e9fe23c65f29dd2d53cec59b799bcb0928de8e2f92fe85c27cec5c842ef30967b919accafe0c0d731b57f0bb5685d90a3061cb473e50e8aeca1346d1f47f7db06941f83f21ba5976d97c28cab547d8c1f38387a04b8a0b212da55b75fbaf9562eeeabd78eadcbab66457f0cd4e0d28133a64cb063f":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d5fdcb8f5225090e63fae9b68f92c7cb":"d39b9cba95e3a3aab9bc1d03ff475c04faeb5b7f0510777f39e5a05756606eb7ddd154aac035d9ddaf3535629821dd8f014dedd52cd184f52fc706e3c89a3a271398c9125d9a624dafb297a56022ca2ea331ea7359ab5e65f8e14814788e64e0a886a9b1a0144bf268fdcf9d94c3d10a0452f40111da9df108252e9039eacea3":"581c818282a0905df5ffff652e5604e9":"f1ae6cd7b07f261105f555cf812a1d5bf8dd9aac07666318acffa11abb77d0238156663acbf7543825b45c6e9cddb481a40995ecd78bb5f4cba5df7c7efb00fc19c7f45e94d37697aca8ef368b99165393b6107f900194c797cd3289cb097eb5915f2abfd6aa52dd1effffdde448e30075a1c053246db54b0ec16eadca1c0071":120:"827e66b5b70dce56215cfb86c9a642":"":"cec11a12e47fd443f878e8e9fe23c65f29dd2d53cec59b799bcb0928de8e2f92fe85c27cec5c842ef30967b919accafe0c0d731b57f0bb5685d90a3061cb473e50e8aeca1346d1f47f7db06941f83f21ba5976d97c28cab547d8c1f38387a04b8a0b212da55b75fbaf9562eeeabd78eadcbab66457f0cd4e0d28133a64cb063f":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"036198cd3a3ab9319684d0f811cf2992":"6b95b9e82a695fb7b466ce3adb536f525d8314f95eada39efb49baf121093ce7d5439f0d8223e03530b85accd388a70650ca9f7e63eb32afecb7b1916ed9b762128cc641caf3e08e027c3d88481d653b6b15172e977dfb9b3f88465911aee162501cbf8501ce2b66ee151bbfdc23225f638f18750c239d62471663e5ee2a5856":"47dffc6b3b80ffef4b943bde87b9cf3c":"ec4de476cd337f564a3facb544d0ff31cd89af4c3d9a28543e45156189f8eff8f804494dda83a1fb2c30ce858884a01ec63db59268452b1eea0f0d48280bb7340eaacc84509469dd94d303774d053d7ab4fb5f6c26581efeb19165f8cb09d58ec314d09ab8356731e87fd081f661e7b2d1a7c3aa4af5448a12b742e7b210b0b0":120:"6cf68a374bea08a977ec8a04b92e8b":"5c2f7c408167be3d266ff634e1993fe291aef7efae245fa0b6b5bde886a810c866ae6a078286684d1b66116e636e285f03646e09f3c4ed7b184e7c171ba84f3bfd9500c6f35964a404892b4cdcdd3f697fc5b01934a86019810987a9fea7efca016049873f1072f62df3c17f57ea1d88ccd8757f7e3c5d96e8a18d5366a39ea9":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"036198cd3a3ab9319684d0f811cf2992":"6b95b9e82a695fb7b466ce3adb536f525d8314f95eada39efb49baf121093ce7d5439f0d8223e03530b85accd388a70650ca9f7e63eb32afecb7b1916ed9b762128cc641caf3e08e027c3d88481d653b6b15172e977dfb9b3f88465911aee162501cbf8501ce2b66ee151bbfdc23225f638f18750c239d62471663e5ee2a5856":"47dffc6b3b80ffef4b943bde87b9cf3c":"ec4de476cd337f564a3facb544d0ff31cd89af4c3d9a28543e45156189f8eff8f804494dda83a1fb2c30ce858884a01ec63db59268452b1eea0f0d48280bb7340eaacc84509469dd94d303774d053d7ab4fb5f6c26581efeb19165f8cb09d58ec314d09ab8356731e87fd081f661e7b2d1a7c3aa4af5448a12b742e7b210b0b0":120:"6cf68a374bea08a977ec8a04b92e8b":"":"5c2f7c408167be3d266ff634e1993fe291aef7efae245fa0b6b5bde886a810c866ae6a078286684d1b66116e636e285f03646e09f3c4ed7b184e7c171ba84f3bfd9500c6f35964a404892b4cdcdd3f697fc5b01934a86019810987a9fea7efca016049873f1072f62df3c17f57ea1d88ccd8757f7e3c5d96e8a18d5366a39ea9":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c9fbbff8f25f951ba874dfc5ff38584e":"ca401071396da00376add467490abc6e6a7d8a85852026979f7013a09cf689113c8d833560cd6c5b8fdaa8fdd818e773ac13954839a0a2c91efeaf4e0e14de43308419a8b86fa2ae600a88a6bd39dfaabc16a3c7c1b77a5c2aab7f7caceb2f8595324125efbb7c96ba16c47d0bd10568b24bf445d72d683268466e68e46df500":"1c1fc752673be6d4ff4cc749fc11e0fe":"abfde0b60acfe265b62ed68ebebc1f5f725f155c4b8a8aeec8d704701c51ff7817060c1b0ce6b80d6efc9836c9ea2bc022ec67db4cd34e945e3a1b153fd2e0f7ac84bb4b07e04cbb529ee24014b16067f9f082b940c9d5e54024d3e5e910310457478560721587da7b5343d89eec5a8fce389c01185db15e7faa9a3fa32e8ab9":120:"ff0b2c384e03b50e7e829c7a9f95aa":"239637fac6e180e71b2c9fa63ce8805f453d81499623ec2deba9b033350250662897867bffaf0c314244baf9e1fe3e1bb7c626d616bfbf3e0ac09a32aaf718b432337c9dc57c2d6fc4a0a09bdc05b9184d1b90c7193b7869f91e2caa8b3b35c10c6621ffae4c609bdf4e4e3f06e930541c381451ef58f4f30a559d2b79b0e6b6":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c9fbbff8f25f951ba874dfc5ff38584e":"ca401071396da00376add467490abc6e6a7d8a85852026979f7013a09cf689113c8d833560cd6c5b8fdaa8fdd818e773ac13954839a0a2c91efeaf4e0e14de43308419a8b86fa2ae600a88a6bd39dfaabc16a3c7c1b77a5c2aab7f7caceb2f8595324125efbb7c96ba16c47d0bd10568b24bf445d72d683268466e68e46df500":"1c1fc752673be6d4ff4cc749fc11e0fe":"abfde0b60acfe265b62ed68ebebc1f5f725f155c4b8a8aeec8d704701c51ff7817060c1b0ce6b80d6efc9836c9ea2bc022ec67db4cd34e945e3a1b153fd2e0f7ac84bb4b07e04cbb529ee24014b16067f9f082b940c9d5e54024d3e5e910310457478560721587da7b5343d89eec5a8fce389c01185db15e7faa9a3fa32e8ab9":120:"ff0b2c384e03b50e7e829c7a9f95aa":"":"239637fac6e180e71b2c9fa63ce8805f453d81499623ec2deba9b033350250662897867bffaf0c314244baf9e1fe3e1bb7c626d616bfbf3e0ac09a32aaf718b432337c9dc57c2d6fc4a0a09bdc05b9184d1b90c7193b7869f91e2caa8b3b35c10c6621ffae4c609bdf4e4e3f06e930541c381451ef58f4f30a559d2b79b0e6b6":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3a314ec178da96311e42334a616fb38b":"518b3f5384ab54f80497d55be7a5d6902bc7718386212c2ec7537db331514b3838f104bf9054e03039a4cfb73f41e5d0a9648e569ed738cea8d33917430dff6afa8f07a75e324b9262fa196a4439dcd66b0535ee5bea0d292600227c2a79ed03be0671740e5cb7b306d855612bd3abcbf02cf7e7cecbb6cdbb33d57b4e3234a2":"d7ea27c819e3eb2666611bb1c7fc068d":"db8dcc31a5681f13d56abd51bd2dcb0d2b171628186e215a68bf16167b4acd00c3441973c3fa62fa2698ee5c6749fc20e542364d63c40756d8bcff780269e5201bafdced3cdc97931d8203873431882c84522c151b775285d0a3c5d7667254c74724ff0ea9d417aa6c62835865dfded34edd331c0c235a089427672c5a9211c9":112:"1e774647b1ca406e0ed7141a8e1e":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3a314ec178da96311e42334a616fb38b":"518b3f5384ab54f80497d55be7a5d6902bc7718386212c2ec7537db331514b3838f104bf9054e03039a4cfb73f41e5d0a9648e569ed738cea8d33917430dff6afa8f07a75e324b9262fa196a4439dcd66b0535ee5bea0d292600227c2a79ed03be0671740e5cb7b306d855612bd3abcbf02cf7e7cecbb6cdbb33d57b4e3234a2":"d7ea27c819e3eb2666611bb1c7fc068d":"db8dcc31a5681f13d56abd51bd2dcb0d2b171628186e215a68bf16167b4acd00c3441973c3fa62fa2698ee5c6749fc20e542364d63c40756d8bcff780269e5201bafdced3cdc97931d8203873431882c84522c151b775285d0a3c5d7667254c74724ff0ea9d417aa6c62835865dfded34edd331c0c235a089427672c5a9211c9":112:"1e774647b1ca406e0ed7141a8e1e":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e818372a63b7e2c23b524e29ba752bdb":"c1bf1b702a95ceaa6b48a1cdd888ae51f58a9fc3232bd6c784529a83301c6d0cdda6e605ad9a2563f54a8d59f624ae7c589e48b85041a010dcb6fb8739d43e79a456fc0e8574af086df78680460c3cdc4e00dc3b9d4e76b0de26e9aec546705249fa7e7466c01001c2667eaf2813be1f0f116916f34843a06b201d653aa1b27e":"36e617e787cb25e154f73af1da68cb06":"71801d69796c2ce36b043c157aec9fd2e06fd1ec596126d10c26b6d44e3dc36c4fa30a030d65c382b6ddfd958e71fe9c16732e595137a3d6764c15480fc3358e9a113ba492b31274663f5842df5d1cc6bad70e83b34675a4411e2e70755aede0ff5035601be130562e27a20283d6f144ff1bdb5276dec05fad80d51b28d50688":112:"3744262bc76f283964c1c15dc069":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e818372a63b7e2c23b524e29ba752bdb":"c1bf1b702a95ceaa6b48a1cdd888ae51f58a9fc3232bd6c784529a83301c6d0cdda6e605ad9a2563f54a8d59f624ae7c589e48b85041a010dcb6fb8739d43e79a456fc0e8574af086df78680460c3cdc4e00dc3b9d4e76b0de26e9aec546705249fa7e7466c01001c2667eaf2813be1f0f116916f34843a06b201d653aa1b27e":"36e617e787cb25e154f73af1da68cb06":"71801d69796c2ce36b043c157aec9fd2e06fd1ec596126d10c26b6d44e3dc36c4fa30a030d65c382b6ddfd958e71fe9c16732e595137a3d6764c15480fc3358e9a113ba492b31274663f5842df5d1cc6bad70e83b34675a4411e2e70755aede0ff5035601be130562e27a20283d6f144ff1bdb5276dec05fad80d51b28d50688":112:"3744262bc76f283964c1c15dc069":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9a04f16882ff45816739d1b6697ce8b7":"6a4f3dbb3371f64258fd1f831349e745a4e19a33aad794b1de3788729618beed619586092120e9e5dc3ac6e0d52f991f7be61afbfaa4399ac716ad79a2734827254b1627791dc92a128a6f43426b8085dee94242e83176a3d762658f18ecc1e37e3e1531648c9caed212ea2cf3b3843cb92cb07730f30fe2dca3925470fadd06":"66f504d9a9128ad7fb7f1430d37c4784":"f641c53c83c4fb1ff8044bfa97cdf63fe75d8159d65b3e5ad585b89c083a53cf4a2f7a58eaeaf45fa71f2c07bc5725a6b03307d7f32884a133a4c803700bf1e12564b98b71f63b434ddf13ad2c467dda25ffa6effcafa72452b20c34cfae71e47096f8745b487e9f1945f5bec83f7ec2709a13b504d92315b1b727a78902be84":112:"fbb37084396394fecd9581741f3c":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9a04f16882ff45816739d1b6697ce8b7":"6a4f3dbb3371f64258fd1f831349e745a4e19a33aad794b1de3788729618beed619586092120e9e5dc3ac6e0d52f991f7be61afbfaa4399ac716ad79a2734827254b1627791dc92a128a6f43426b8085dee94242e83176a3d762658f18ecc1e37e3e1531648c9caed212ea2cf3b3843cb92cb07730f30fe2dca3925470fadd06":"66f504d9a9128ad7fb7f1430d37c4784":"f641c53c83c4fb1ff8044bfa97cdf63fe75d8159d65b3e5ad585b89c083a53cf4a2f7a58eaeaf45fa71f2c07bc5725a6b03307d7f32884a133a4c803700bf1e12564b98b71f63b434ddf13ad2c467dda25ffa6effcafa72452b20c34cfae71e47096f8745b487e9f1945f5bec83f7ec2709a13b504d92315b1b727a78902be84":112:"fbb37084396394fecd9581741f3c":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"38cf029a4b20607030586cd2d82146e6":"f4c9f4476561c9ebdac71b282ae6e2f9f03547da98e66d4d857720db2fcc9ed1f363858db34c9dcaca0109d7c81db24150493115f2bb6985efa8686e3d2ab719d33b230aa4c5c70696bf42f225fb3c6704711c054a882d89b320884a78cb59cd2100496edf4010487597fb9135d8ca79693a43843e9626fd6c64a8722b3a27dc":"6330084319e2bf32cd5240f4826944bc":"80746cfb0127c592f8164d751b0e14a5b379056a884cece7ee4e9b80538d7ff6be56a3b19c135786722aaf315123b47672b0251e87ea45f0fd3601cf93f9efa6cbd9ad537f54d57f1e187f821faac24096ecec19d137c9f4cf145c278af4cd8de01c7758784fda06f1cc62d92ae1977786f3d0645714ab4ab6f48c8794b12f73":104:"7b021de5cda915ba58f90ceef4":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"38cf029a4b20607030586cd2d82146e6":"f4c9f4476561c9ebdac71b282ae6e2f9f03547da98e66d4d857720db2fcc9ed1f363858db34c9dcaca0109d7c81db24150493115f2bb6985efa8686e3d2ab719d33b230aa4c5c70696bf42f225fb3c6704711c054a882d89b320884a78cb59cd2100496edf4010487597fb9135d8ca79693a43843e9626fd6c64a8722b3a27dc":"6330084319e2bf32cd5240f4826944bc":"80746cfb0127c592f8164d751b0e14a5b379056a884cece7ee4e9b80538d7ff6be56a3b19c135786722aaf315123b47672b0251e87ea45f0fd3601cf93f9efa6cbd9ad537f54d57f1e187f821faac24096ecec19d137c9f4cf145c278af4cd8de01c7758784fda06f1cc62d92ae1977786f3d0645714ab4ab6f48c8794b12f73":104:"7b021de5cda915ba58f90ceef4":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cf4d81fc5997c744a572bed71f4ae609":"f3d65d70326e641fbe7fd945fe9cf66c74f17d0d1020ae8ac488f39b7285c99d8632bc2201960f3d77daccfecc04428abe0853aa8d82b90a93127c72b2d2af53f7f1bd0afb99d50f0b3b24e934ec98eddb278b2c65866442cebf10208c7ce1b7ecf764858480b2a269b106fa6d2428d5ad17612e53e62ccc7ad1184663aeb9a7":"bc4e20c56931c967ce8e3b8f5f1c392f":"b6b8294abf7da5703f864721f7904d3821f5568bf4b269e44edef4f1c95ddc172d83a06c0ad9f7f1fd2e292c17a876392bc5bb705d370b2f16ff721bef7648f423346fd3a4d762676e6fcf2d690553a47224af29afed0f452d263be90eb8150a13d720f1db6f1abc1c2ec18cfbf93b8ed3c5aa7cfc1dcb514d69f90409687a4d":104:"0a86142a0af81c8df64ba689f4":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cf4d81fc5997c744a572bed71f4ae609":"f3d65d70326e641fbe7fd945fe9cf66c74f17d0d1020ae8ac488f39b7285c99d8632bc2201960f3d77daccfecc04428abe0853aa8d82b90a93127c72b2d2af53f7f1bd0afb99d50f0b3b24e934ec98eddb278b2c65866442cebf10208c7ce1b7ecf764858480b2a269b106fa6d2428d5ad17612e53e62ccc7ad1184663aeb9a7":"bc4e20c56931c967ce8e3b8f5f1c392f":"b6b8294abf7da5703f864721f7904d3821f5568bf4b269e44edef4f1c95ddc172d83a06c0ad9f7f1fd2e292c17a876392bc5bb705d370b2f16ff721bef7648f423346fd3a4d762676e6fcf2d690553a47224af29afed0f452d263be90eb8150a13d720f1db6f1abc1c2ec18cfbf93b8ed3c5aa7cfc1dcb514d69f90409687a4d":104:"0a86142a0af81c8df64ba689f4":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d88ad40b42ead744f1b7a36685658be1":"e99d2566fe6bcb2a04d167605db7c0f1e5567ff2d8d3292c15bbccc5d1e872bcb15a30b3bb8b1eb45e02fba15946e6bca310583a6740845a0f74f4ebfd5c59ced46875823e369e0447cc3e5d03dae530adf3c9846362c94e7f9d17207bf92d4d59981d8fd904eb8b96a0a23eb0f8d7e7a87e8e8892a2451524da6841ce575c27":"52c3158f5bd65a0a7ce1c5b57b9b295e":"dde2663335c40e5550ae192b843fa9fb4ef357b5c09d9f39dafda3296a4d14031817ee4dc1a201d677597d81e37050cd3dc86c25adbd551e947a080b6c47ec7be8a927ef7920bd1bb81f2c59801a2b9d745d33344cbe4838bcf2eb8dce53ab82c75c9bbab8e406597f6908aaa81fbbdef25aa69116c8f7a8cdc9958435aa32ac":104:"7643b3534eb5cb38331ed2e572":"6f87f6be2f4e7421aa26fe321045d1e23066a02158634bef35890581c92367d0bc232940de30974c70a66c60137a9f3924d12db1e5bc1b0e7131ea3620a25eb805b7d670263b82c8bbfcd6839305025390fc17d42d82daebe1b24f73ff9aa4617e3866785dded88f8b55ef89b2798ea2641a592a46428d9020f9bf853c194576":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d88ad40b42ead744f1b7a36685658be1":"e99d2566fe6bcb2a04d167605db7c0f1e5567ff2d8d3292c15bbccc5d1e872bcb15a30b3bb8b1eb45e02fba15946e6bca310583a6740845a0f74f4ebfd5c59ced46875823e369e0447cc3e5d03dae530adf3c9846362c94e7f9d17207bf92d4d59981d8fd904eb8b96a0a23eb0f8d7e7a87e8e8892a2451524da6841ce575c27":"52c3158f5bd65a0a7ce1c5b57b9b295e":"dde2663335c40e5550ae192b843fa9fb4ef357b5c09d9f39dafda3296a4d14031817ee4dc1a201d677597d81e37050cd3dc86c25adbd551e947a080b6c47ec7be8a927ef7920bd1bb81f2c59801a2b9d745d33344cbe4838bcf2eb8dce53ab82c75c9bbab8e406597f6908aaa81fbbdef25aa69116c8f7a8cdc9958435aa32ac":104:"7643b3534eb5cb38331ed2e572":"":"6f87f6be2f4e7421aa26fe321045d1e23066a02158634bef35890581c92367d0bc232940de30974c70a66c60137a9f3924d12db1e5bc1b0e7131ea3620a25eb805b7d670263b82c8bbfcd6839305025390fc17d42d82daebe1b24f73ff9aa4617e3866785dded88f8b55ef89b2798ea2641a592a46428d9020f9bf853c194576":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c3ce86a212a30e724b4c624057db4e79":"3582ef7a9565c9a8e4496750ee5ca3e3a80df6238f7b7608e3394ec56d1360777921da039ede34abcedd01081babd496ba4de74a7de501181d6bb2022a6cc7f79d89a4c6a97676fb0f2b42f70e2d0bc1eaac364c3646df4f611c1d6b09737451b81b5a4da73c05fb58391c74e44498b80b26f1c29562d23c39b5d3f086b280cb":"9e03f0dd4cb2b3d830a6925e4400ed89":"92c48a39d93ea3308f55f6650d33fdf17a902076d582a94a82ac99496de9f62312292b844bbca5a683ef0f0710bbc1c7f89cbcca8f9c0299f154590d32059bd99fca5d78c450ede0d11d55075947caf2151218ce7a06c1e81985a7781a3444054170b457fd7ba816026310112abb47c8eddfd3ab7f679a0f60efc6c6dd3b759e":96:"3230fe94b6ccd63e605f87d0":"052347a4273cddba65b2a0b961477f07edee440a9117ab204359d2dd45ad2a6dad3b60ead891e7da6d79f3017ac90f95725a0089f04d25ce537bf53b7ea8e1ea58692d34c221db141e2a9fd7211adcee03ef8b5bf3c5d36311d20bb3d81f70f7e7272d0e2b6d12293b1a2c31b70f140a8f08d98c6231a3c429c3d0a10b2e1c1c":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c3ce86a212a30e724b4c624057db4e79":"3582ef7a9565c9a8e4496750ee5ca3e3a80df6238f7b7608e3394ec56d1360777921da039ede34abcedd01081babd496ba4de74a7de501181d6bb2022a6cc7f79d89a4c6a97676fb0f2b42f70e2d0bc1eaac364c3646df4f611c1d6b09737451b81b5a4da73c05fb58391c74e44498b80b26f1c29562d23c39b5d3f086b280cb":"9e03f0dd4cb2b3d830a6925e4400ed89":"92c48a39d93ea3308f55f6650d33fdf17a902076d582a94a82ac99496de9f62312292b844bbca5a683ef0f0710bbc1c7f89cbcca8f9c0299f154590d32059bd99fca5d78c450ede0d11d55075947caf2151218ce7a06c1e81985a7781a3444054170b457fd7ba816026310112abb47c8eddfd3ab7f679a0f60efc6c6dd3b759e":96:"3230fe94b6ccd63e605f87d0":"":"052347a4273cddba65b2a0b961477f07edee440a9117ab204359d2dd45ad2a6dad3b60ead891e7da6d79f3017ac90f95725a0089f04d25ce537bf53b7ea8e1ea58692d34c221db141e2a9fd7211adcee03ef8b5bf3c5d36311d20bb3d81f70f7e7272d0e2b6d12293b1a2c31b70f140a8f08d98c6231a3c429c3d0a10b2e1c1c":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a0155360b84420b5bf4fb410ea02f31e":"ecdb51522fc440f7471ea6a31f7c1ef1ec2153e5bcf6303297dbf8ddb3830b45ed9866157375ce4bdeb5e32fcbc6607984fccd7e6552628736608ab13072856d432ceccd3e90d1bb52ca9ada9cee90eb89ac10e887a1978fd0fb3d7bb20caaf35539e150be8044b725b8427c4c4a910f79980865d36344a8784bcc3d58460acb":"46f0386be7363887e7e357376305eab5":"611bc290f91798ad84f0a5ecb5a7cb8fa35e9ab6a5a51c9869a68a076e96f92c9c117595f92cbac5d33343fa2accd2541473907cbc54792c5e215ae857424c921b04ca4b81376bbedbfcc0e565c118f2aced08f247698eed5e2d202c48245161cabeac9fa195219f9799fa253e339561e13012167f1d02b4012b7791b7c863ba":96:"ac5addcc10cae6c1345520f1":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a0155360b84420b5bf4fb410ea02f31e":"ecdb51522fc440f7471ea6a31f7c1ef1ec2153e5bcf6303297dbf8ddb3830b45ed9866157375ce4bdeb5e32fcbc6607984fccd7e6552628736608ab13072856d432ceccd3e90d1bb52ca9ada9cee90eb89ac10e887a1978fd0fb3d7bb20caaf35539e150be8044b725b8427c4c4a910f79980865d36344a8784bcc3d58460acb":"46f0386be7363887e7e357376305eab5":"611bc290f91798ad84f0a5ecb5a7cb8fa35e9ab6a5a51c9869a68a076e96f92c9c117595f92cbac5d33343fa2accd2541473907cbc54792c5e215ae857424c921b04ca4b81376bbedbfcc0e565c118f2aced08f247698eed5e2d202c48245161cabeac9fa195219f9799fa253e339561e13012167f1d02b4012b7791b7c863ba":96:"ac5addcc10cae6c1345520f1":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"694f621f594d96b16c32254ff06f3f9c":"e61476b8b7f101ca6005f25af2b9bee795d62720bbbf59357057ca7cd473e00f0d465255fce8d6164657603323549fb4e3d33fa51054b1a70cc7e492916dea85453e9107fe781bfeb4a622c5b2306a8dddef99386dc50745003aa7220cd7f32fb0a060fa7682576769a48f9169c7d11fe0a8a61b95f5d6dfcf216f7d0c652a84":"542db4e107485a3cd24c7ad337a4f1b5":"27b7bfa5eb34ba376e515e58ab8b6556c396820d0074a1fe3b984945dcf5251ca450456ccb4bb66ec739b03fdc5f72d24553e843255adc012d1f1c95aa3cdac5d12926465354217203052cbd4869a8b5be2e01d0fe66b5a6a8da0a2ce351557e2991ce77baa812b9c67b8e1c5a1fc348710e1a73a0fd49acfd538b7db6bef8b3":96:"0bdef4d771a1740381e7db97":"8b27a338fd2153d304f04655e09bd9bdf4468890ecce1e3b51de2c9a25a8d9336a9acd753ce270b1fe8d50196feac68145e0fd59c9cb3aa7c1e8af03494bc4279c6e287c849f3c775ada584ae173100946ae6921ef7c96bbc6f216093548702cf1867bb1bf1f4c9e90a34230a2b2aeb584622dd615023a43a406e64428bd9170":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"694f621f594d96b16c32254ff06f3f9c":"e61476b8b7f101ca6005f25af2b9bee795d62720bbbf59357057ca7cd473e00f0d465255fce8d6164657603323549fb4e3d33fa51054b1a70cc7e492916dea85453e9107fe781bfeb4a622c5b2306a8dddef99386dc50745003aa7220cd7f32fb0a060fa7682576769a48f9169c7d11fe0a8a61b95f5d6dfcf216f7d0c652a84":"542db4e107485a3cd24c7ad337a4f1b5":"27b7bfa5eb34ba376e515e58ab8b6556c396820d0074a1fe3b984945dcf5251ca450456ccb4bb66ec739b03fdc5f72d24553e843255adc012d1f1c95aa3cdac5d12926465354217203052cbd4869a8b5be2e01d0fe66b5a6a8da0a2ce351557e2991ce77baa812b9c67b8e1c5a1fc348710e1a73a0fd49acfd538b7db6bef8b3":96:"0bdef4d771a1740381e7db97":"":"8b27a338fd2153d304f04655e09bd9bdf4468890ecce1e3b51de2c9a25a8d9336a9acd753ce270b1fe8d50196feac68145e0fd59c9cb3aa7c1e8af03494bc4279c6e287c849f3c775ada584ae173100946ae6921ef7c96bbc6f216093548702cf1867bb1bf1f4c9e90a34230a2b2aeb584622dd615023a43a406e64428bd9170":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"78826a5215a1d5e1b39cad5a06861f8f":"0fe2c798d7015d3e2f8725648d95729c45d357dc0c89fc63b9df5a68d3e65419540f663e9190793a29c58c495d5c6a731782acf119e2df8a96fb180ad772c301d098dbc5e3560ac45b6631a01cef7eed6db51f223775d601d2e11b9baa55e2f0651344777e5a03f6738a2013626a891b5f134f07b16598b8cbe3aeaefa1c2a26":"feb9d740fd1e221e328b5ef5ed19eff5":"ca9411b368d8295210d7a04da05a351d287f2f67d978ef1bb936de9f8065473f6fa11495da2eab13a1002231c86411d5409bbc718e2042ee99e013b1df1ef786e9fc1f2d43293c854128184efb9317c4ef82a002eac8b28fcd91d8a714a3aa25fc3c0ae4af9f4bcf5ad19a30cd8ec4b1785df70aa92074da419abe433dd4c435":64:"a724bbb295a02883":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"78826a5215a1d5e1b39cad5a06861f8f":"0fe2c798d7015d3e2f8725648d95729c45d357dc0c89fc63b9df5a68d3e65419540f663e9190793a29c58c495d5c6a731782acf119e2df8a96fb180ad772c301d098dbc5e3560ac45b6631a01cef7eed6db51f223775d601d2e11b9baa55e2f0651344777e5a03f6738a2013626a891b5f134f07b16598b8cbe3aeaefa1c2a26":"feb9d740fd1e221e328b5ef5ed19eff5":"ca9411b368d8295210d7a04da05a351d287f2f67d978ef1bb936de9f8065473f6fa11495da2eab13a1002231c86411d5409bbc718e2042ee99e013b1df1ef786e9fc1f2d43293c854128184efb9317c4ef82a002eac8b28fcd91d8a714a3aa25fc3c0ae4af9f4bcf5ad19a30cd8ec4b1785df70aa92074da419abe433dd4c435":64:"a724bbb295a02883":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d450f5253251121606e56687952bf2f1":"479b4f421bd8ac7f615c4a507da187cb5d4b1f1e2c6113d1f9678c1ba92dc5e17c5b525d7f3208733223eb82af0820b8476e9b08ca714ce044417b24d2238720cb8ffdc69db558cbaff52e3651b400e16c9d5ac8ed8949a19c35516f80394a04bd1cfdced7b204f779d792086e00b2ebca2f55a1140e85f5ee9ac7cfc5a31747":"fe7ff90b020fc77d7fcd90bc583850ac":"a3bca9ff25a60006eb18f993dcdc99681e414e27605264dfd25652195d7fe1489550afd07fc7346b88d93b59eb6642913646e93bf50ee1db5dd30106cf181124d8ad01c72ed99038c9798620abdf5c78c419b08c97f982b34d9e9105d9aa4538afcd37f62e2412f14f7a248fcd60abaf2b66cd4554767f99030f1a495d56a5ae":64:"6446398aff73ed23":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d450f5253251121606e56687952bf2f1":"479b4f421bd8ac7f615c4a507da187cb5d4b1f1e2c6113d1f9678c1ba92dc5e17c5b525d7f3208733223eb82af0820b8476e9b08ca714ce044417b24d2238720cb8ffdc69db558cbaff52e3651b400e16c9d5ac8ed8949a19c35516f80394a04bd1cfdced7b204f779d792086e00b2ebca2f55a1140e85f5ee9ac7cfc5a31747":"fe7ff90b020fc77d7fcd90bc583850ac":"a3bca9ff25a60006eb18f993dcdc99681e414e27605264dfd25652195d7fe1489550afd07fc7346b88d93b59eb6642913646e93bf50ee1db5dd30106cf181124d8ad01c72ed99038c9798620abdf5c78c419b08c97f982b34d9e9105d9aa4538afcd37f62e2412f14f7a248fcd60abaf2b66cd4554767f99030f1a495d56a5ae":64:"6446398aff73ed23":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"90a59f6b0abf932311f0b65623c17740":"be5a948a771a8df12adaf74d702f064a75f6483c03203365fbde7d184844fe6dee0b84cf344be05b1d163817ba1516fcb87b9167ed81f884ada73b0058e2b38cba515bbbe462f4c21f8de1d41bca2cf4340aa659f9f07886c2bb620d9c3295318c07fa3c17fe8242409359c08bcb337e5cf268880839b6a20f4ee4b3f04e7024":"20778bea82a6717038e7064f48a31981":"4022d04f1454a72d2efe57533bd32757595220b20f3a37d166cec0412fb1eb2588f939ecd906c805f4827338669888e9f730905001eb1b136b95e306edf70d9ba1e5cd0aa13a25a1f28ab55cff36f9cd7036c735e3b285d26002ad2ed1074b566e252ea3ec8a9ce10882375dc3f1d9676e301dcb179eaae991120b796cc35648":64:"dc77c1d7e0902d48":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"90a59f6b0abf932311f0b65623c17740":"be5a948a771a8df12adaf74d702f064a75f6483c03203365fbde7d184844fe6dee0b84cf344be05b1d163817ba1516fcb87b9167ed81f884ada73b0058e2b38cba515bbbe462f4c21f8de1d41bca2cf4340aa659f9f07886c2bb620d9c3295318c07fa3c17fe8242409359c08bcb337e5cf268880839b6a20f4ee4b3f04e7024":"20778bea82a6717038e7064f48a31981":"4022d04f1454a72d2efe57533bd32757595220b20f3a37d166cec0412fb1eb2588f939ecd906c805f4827338669888e9f730905001eb1b136b95e306edf70d9ba1e5cd0aa13a25a1f28ab55cff36f9cd7036c735e3b285d26002ad2ed1074b566e252ea3ec8a9ce10882375dc3f1d9676e301dcb179eaae991120b796cc35648":64:"dc77c1d7e0902d48":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6be4ef629f0b38194c74f7b66418922d":"b67ea20a320f4ec0e4185c62a4ad79a3c97a8189a5e4d1deff9d3edff0f9a9323532853c1a2a2c1e62e4d1afebfcdf1d8461921ea601750380e63b912d8b7389198f976851d88a19f1aa32c97143668ad00838d98da1c4f2be0e6e2dc964d170d7f7ad2e2997982e5ca110e744b6e10c24ca18eadff6b129b1f290c8a7e0a593":"fb77a4b9b246271abfc656433f87628c":"e5d5227725a19a3050fbf2a97a6e854bc1218b94a4a3403b721ace3447daff68fff5553a26edd41219e68fb61fb9e964d0a3c29796251ae4eb942187cdc55d13a09dfb487e93d9e2072d7271456a77c6ccb81154443eea176314d6e3a08619b52cd880f1c28ae5214ac0090a3855dbd74f87389fe8afebd464330fb683dff81a":32:"3d8fc6fb":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6be4ef629f0b38194c74f7b66418922d":"b67ea20a320f4ec0e4185c62a4ad79a3c97a8189a5e4d1deff9d3edff0f9a9323532853c1a2a2c1e62e4d1afebfcdf1d8461921ea601750380e63b912d8b7389198f976851d88a19f1aa32c97143668ad00838d98da1c4f2be0e6e2dc964d170d7f7ad2e2997982e5ca110e744b6e10c24ca18eadff6b129b1f290c8a7e0a593":"fb77a4b9b246271abfc656433f87628c":"e5d5227725a19a3050fbf2a97a6e854bc1218b94a4a3403b721ace3447daff68fff5553a26edd41219e68fb61fb9e964d0a3c29796251ae4eb942187cdc55d13a09dfb487e93d9e2072d7271456a77c6ccb81154443eea176314d6e3a08619b52cd880f1c28ae5214ac0090a3855dbd74f87389fe8afebd464330fb683dff81a":32:"3d8fc6fb":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c50e37244931e8debc12b3d561c83ba2":"b9abf0796f2d2f774735546cf809030f65ed0c7f6bd469ef2fe0ef32aa0225b57fbce07c36017bbc1806a81ff1a429278160a07643f864485b4e0e35d57553dc1a131e32aa10f1f91d663b10f0a418f472ed7b4bca54fd7ffdbb22c4d7764d94a7ffd04730614459431eb64335b9b65363de292c04275d40a7b968c0f5c486e9":"6c0b1fd7ab424a6883c36457d1b5521f":"516dc25f6452ae169ce293c5cee440de47353ca5ba770dca0f04175950e87a2d4c3f84fbc6eeacaac436853492929680066f959e74de4b736ab924d8367b90aaa6e9492561ad4b5aa78b6737d562e960edc3b983e2e01a186e9f22896f48d8dfcfb6a42cfe2c6006c687a27772820a1e8875bdf09e8104248ce4db883376bc04":32:"7d4393f0":"962509e494f10269b70ebad02b0cd799d1d41191a734863ef502aff3d3ba48dc2acf9da9a3fc3f40be4d210dc5e128bc00499aec57aa0a4669863165428687b88d46fad41e36af8ea6605586eaa5c0736d0d53b9d523e0cb5a0b285048e060a73cbf4b587d2cd787debdb2b4c8cda731a61a15b19fe8b561fbdd3a7373853ae1":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c50e37244931e8debc12b3d561c83ba2":"b9abf0796f2d2f774735546cf809030f65ed0c7f6bd469ef2fe0ef32aa0225b57fbce07c36017bbc1806a81ff1a429278160a07643f864485b4e0e35d57553dc1a131e32aa10f1f91d663b10f0a418f472ed7b4bca54fd7ffdbb22c4d7764d94a7ffd04730614459431eb64335b9b65363de292c04275d40a7b968c0f5c486e9":"6c0b1fd7ab424a6883c36457d1b5521f":"516dc25f6452ae169ce293c5cee440de47353ca5ba770dca0f04175950e87a2d4c3f84fbc6eeacaac436853492929680066f959e74de4b736ab924d8367b90aaa6e9492561ad4b5aa78b6737d562e960edc3b983e2e01a186e9f22896f48d8dfcfb6a42cfe2c6006c687a27772820a1e8875bdf09e8104248ce4db883376bc04":32:"7d4393f0":"":"962509e494f10269b70ebad02b0cd799d1d41191a734863ef502aff3d3ba48dc2acf9da9a3fc3f40be4d210dc5e128bc00499aec57aa0a4669863165428687b88d46fad41e36af8ea6605586eaa5c0736d0d53b9d523e0cb5a0b285048e060a73cbf4b587d2cd787debdb2b4c8cda731a61a15b19fe8b561fbdd3a7373853ae1":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8531ddb03977383405baf2ee9ca7d64b":"d90c9e26509bdba9b1dea8d2b94f2b1881d22c2bd756ad23cd61944710a1c1f2807170ed47a6870ae654e44757fcb3822ef28b37946cafc07284f8a0c22ae3552954f0d87b8d8c825bd546935b494cacb4262d9e2a88f254f200ad31367d8b3715afbabea5f34214ffedb14d7c84806022aba2dc8f88a314ffbb24017d1a9b9f":"baf623867d6a25fd85d1f08e599c0566":"18f92cdd37dcd7f99b06838f3f68748aba367baabaebd0da9ee787d70e752fa07dea553a43b643b8d8f460175c0746675205e20a7a98acfcac864d7c4cf5ab4c41c031738c76882acda003c5af47b1c4df8894a827a317935d970d4afaee17715c9cfd1883e8c345f19d1f89e229b8edba6b4f53b86d8da1c0f159afb83b6b33":32:"2fc9de46":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8531ddb03977383405baf2ee9ca7d64b":"d90c9e26509bdba9b1dea8d2b94f2b1881d22c2bd756ad23cd61944710a1c1f2807170ed47a6870ae654e44757fcb3822ef28b37946cafc07284f8a0c22ae3552954f0d87b8d8c825bd546935b494cacb4262d9e2a88f254f200ad31367d8b3715afbabea5f34214ffedb14d7c84806022aba2dc8f88a314ffbb24017d1a9b9f":"baf623867d6a25fd85d1f08e599c0566":"18f92cdd37dcd7f99b06838f3f68748aba367baabaebd0da9ee787d70e752fa07dea553a43b643b8d8f460175c0746675205e20a7a98acfcac864d7c4cf5ab4c41c031738c76882acda003c5af47b1c4df8894a827a317935d970d4afaee17715c9cfd1883e8c345f19d1f89e229b8edba6b4f53b86d8da1c0f159afb83b6b33":32:"2fc9de46":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"862dd5b362cfa556ca37e73cff7f4a0e":"":"81530a243655a60d22d9ab40d2520447":"":128:"3b9b2af54e610ed0b3dda96961dd8783":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"862dd5b362cfa556ca37e73cff7f4a0e":"":"81530a243655a60d22d9ab40d2520447":"":128:"3b9b2af54e610ed0b3dda96961dd8783":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3452b7bc100c334292e08343f139b9d0":"":"8f92739a30fe4ba24079f5d42753d6ac":"":128:"0eeca69f8b95e1a902cc3ab1aaa8e2af":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3452b7bc100c334292e08343f139b9d0":"":"8f92739a30fe4ba24079f5d42753d6ac":"":128:"0eeca69f8b95e1a902cc3ab1aaa8e2af":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"31a0cbaf21b943f8badc939e94eac7eb":"":"d5bb2c4eaec47088230972ae34fcda9c":"":128:"580e728512c8e44fbb3fe2c498e05323":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"31a0cbaf21b943f8badc939e94eac7eb":"":"d5bb2c4eaec47088230972ae34fcda9c":"":128:"580e728512c8e44fbb3fe2c498e05323":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9e8fca537746e7cbff97f1dcd40a3392":"":"43e9f2bf186b2af8cc022e7c7412d641":"":120:"4465a3f9d9751789bcef5c7c58cbc5":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9e8fca537746e7cbff97f1dcd40a3392":"":"43e9f2bf186b2af8cc022e7c7412d641":"":120:"4465a3f9d9751789bcef5c7c58cbc5":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"35b5854ca83792ad691dbda1a66790fb":"":"cff61cf9b32ea30cf7e3692aa6e74bed":"":120:"726793199df533dd9055b0ac7c939d":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"35b5854ca83792ad691dbda1a66790fb":"":"cff61cf9b32ea30cf7e3692aa6e74bed":"":120:"726793199df533dd9055b0ac7c939d":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"07259267c1c6a015437a5d8cfa92f9e6":"":"18b9cf2ad7ace6ec1c8366b72878cf20":"":120:"4340f6263f0ba2d82c2eb79cb0cc7e":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"07259267c1c6a015437a5d8cfa92f9e6":"":"18b9cf2ad7ace6ec1c8366b72878cf20":"":120:"4340f6263f0ba2d82c2eb79cb0cc7e":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fa1df8955aa3ef191900b06e7c1b7d46":"":"6928c138c98a4350c318fbdccd3f44ba":"":112:"7c89d9e77515d271b6ed54c9c4e3":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fa1df8955aa3ef191900b06e7c1b7d46":"":"6928c138c98a4350c318fbdccd3f44ba":"":112:"7c89d9e77515d271b6ed54c9c4e3":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c04200ce41ce77d772babb206315ec7d":"":"a885d58f0f38f9ff26d906fa1bfb12f4":"":112:"9ee0d025421f2bf18caf563953fb":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c04200ce41ce77d772babb206315ec7d":"":"a885d58f0f38f9ff26d906fa1bfb12f4":"":112:"9ee0d025421f2bf18caf563953fb":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"650df049461be341c3099bd1613dcead":"":"8a4ff6327b49d297248ce2d5bd38afa8":"":112:"13f067ef0d7b448d56e70d282fed":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"650df049461be341c3099bd1613dcead":"":"8a4ff6327b49d297248ce2d5bd38afa8":"":112:"13f067ef0d7b448d56e70d282fed":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ee61b5bf5060fcc637dc833926898508":"":"b2dcf21f9ffa4a883044d29f087f9b85":"":104:"9ab1d66666d4dea3cbb5982238":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ee61b5bf5060fcc637dc833926898508":"":"b2dcf21f9ffa4a883044d29f087f9b85":"":104:"9ab1d66666d4dea3cbb5982238":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"01cc56ca7e64db7fbef66236a5c49493":"":"8ea5b63004189792cc040ef18b37e550":"":104:"d685aeb54aa129a21bed17766e":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"01cc56ca7e64db7fbef66236a5c49493":"":"8ea5b63004189792cc040ef18b37e550":"":104:"d685aeb54aa129a21bed17766e":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"134dd72ac8e28ab46720c2f42284a303":"":"c6368e4c0ba0ec90fa7488af9997a4c7":"":104:"4ad9cdf19ff7d7fd7e273efced":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"134dd72ac8e28ab46720c2f42284a303":"":"c6368e4c0ba0ec90fa7488af9997a4c7":"":104:"4ad9cdf19ff7d7fd7e273efced":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"180c04b2bde6901edcda66085f73ecd9":"":"9193b206beade4cb036f01a9db187cb8":"":96:"530f5e9ed0879ccef3a7b360":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"180c04b2bde6901edcda66085f73ecd9":"":"9193b206beade4cb036f01a9db187cb8":"":96:"530f5e9ed0879ccef3a7b360":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"aaac85742a55ffa07e98106d6d6b1004":"":"630cd8ab849253c4da95ac80324ecc28":"":96:"37911820c810e3700c3a9321":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"aaac85742a55ffa07e98106d6d6b1004":"":"630cd8ab849253c4da95ac80324ecc28":"":96:"37911820c810e3700c3a9321":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ab663c4f8f2fdc7d5eabf6ef26169b4e":"":"86e6100669929e329a1d258cd3552dc9":"":96:"958d6141f7fb2b2dc7d851a6":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ab663c4f8f2fdc7d5eabf6ef26169b4e":"":"86e6100669929e329a1d258cd3552dc9":"":96:"958d6141f7fb2b2dc7d851a6":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0dd756d49fd25380c4026ea03cafc2da":"":"6a6f7e39b0d730ea1670e13d16c12c28":"":64:"872ef05a28da5ea1":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0dd756d49fd25380c4026ea03cafc2da":"":"6a6f7e39b0d730ea1670e13d16c12c28":"":64:"872ef05a28da5ea1":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"bd8a834b288bdc7578b6c6ab36f5d068":"":"aa77de0af5fa4dd1ed2ada5cb94813a0":"":64:"c5c094e83755f2b6":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"bd8a834b288bdc7578b6c6ab36f5d068":"":"aa77de0af5fa4dd1ed2ada5cb94813a0":"":64:"c5c094e83755f2b6":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"020d280dbd06939bbb5e6edc6f6d39c6":"":"09aea6f0e57598452719d6f63b6fe5a0":"":64:"05d6c56ba601e85b":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"020d280dbd06939bbb5e6edc6f6d39c6":"":"09aea6f0e57598452719d6f63b6fe5a0":"":64:"05d6c56ba601e85b":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e47f41a27a2722df293c1431badc0f90":"":"227c036fca03171a890806b9fa0c250d":"":32:"86c22189":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e47f41a27a2722df293c1431badc0f90":"":"227c036fca03171a890806b9fa0c250d":"":32:"86c22189":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9d3e112114b94e26e93d3855d4be26bd":"":"99b98525160c4bb2029da5553ff82b59":"":32:"33bee715":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9d3e112114b94e26e93d3855d4be26bd":"":"99b98525160c4bb2029da5553ff82b59":"":32:"33bee715":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,0,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5b4b7688588125349fbb66004a30d5d4":"":"b4ae363edb529d8b927c051cf21a2d9d":"":32:"6a920617":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5b4b7688588125349fbb66004a30d5d4":"":"b4ae363edb529d8b927c051cf21a2d9d":"":32:"6a920617":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c4b6c5b8e21c32f36b0ae4ef3b75d5cd":"":"3d1036bf0000e6f1b77a799f2ef32dec":"1cf2b6cbe86a87b4b5bb3cc50024aeb27c48143658d47b41f2f20b87ed67bd6fc3b85a3a803f66d3576608f5d6ce6cad11e02fe12de5390722dccb8242e1dd140051bef51aa9716c860d45d45bca6effbb1a4797e6e7406a04db5d823766c0f011ebc28e9a8cd4446ec8a75ea8bdc1b2fdbb5cc364fa9877886e30404593df34":128:"a49725014c214ef7cc2d28b9b2b53da7":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c4b6c5b8e21c32f36b0ae4ef3b75d5cd":"":"3d1036bf0000e6f1b77a799f2ef32dec":"1cf2b6cbe86a87b4b5bb3cc50024aeb27c48143658d47b41f2f20b87ed67bd6fc3b85a3a803f66d3576608f5d6ce6cad11e02fe12de5390722dccb8242e1dd140051bef51aa9716c860d45d45bca6effbb1a4797e6e7406a04db5d823766c0f011ebc28e9a8cd4446ec8a75ea8bdc1b2fdbb5cc364fa9877886e30404593df34":128:"a49725014c214ef7cc2d28b9b2b53da7":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":128:"c53d01e53ee4a6ea106ea4a66538265e":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"63c3f81500746eaf383fe3975d84f849":"":"0799d4152fd73c1604b4610cf7171fe1":"cb8248e5f904cc9ccccf6f273fe621eee1b4d7ed98480f9e806a48b84e2d6a733772ecf8fb7fe91805715cddab2b462b89f6e6c7cf873f65031f13c357d5f57b00b7c391c39e78ad1ed94be236ca0ae316bce11bc33c5d701fdfc58abbe918b9c42f7b3d6e89d46f9784b388a6e6daf47730b9fa665d755a17e89932fa669c44":128:"c53d01e53ee4a6ea106ea4a66538265e":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b0c88b191ce6e8e4a3941f7960b7eae5":"":"e2a899961c332c815685c553351fa519":"308bf10570af48d632911f3641dea60d78046211c01a63bb8e4e5cbddfff8841d2f2b11e18ccb2170805ef4cacf7804d64e0feef40731a1704907f33b77788c18ccf35b224ec3046a67664ac9a3481d2385b6ddeec6da4f32423f94ea9663a5c51cc388cef33744a8159b4fb654dfdb5092718bf926c824be31197f07f276b5f":128:"92604d37407aff33f8b677326cbb94fc":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b0c88b191ce6e8e4a3941f7960b7eae5":"":"e2a899961c332c815685c553351fa519":"308bf10570af48d632911f3641dea60d78046211c01a63bb8e4e5cbddfff8841d2f2b11e18ccb2170805ef4cacf7804d64e0feef40731a1704907f33b77788c18ccf35b224ec3046a67664ac9a3481d2385b6ddeec6da4f32423f94ea9663a5c51cc388cef33744a8159b4fb654dfdb5092718bf926c824be31197f07f276b5f":128:"92604d37407aff33f8b677326cbb94fc":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c818dfa0885a09f65ef78712f5ce6609":"":"ca279284723530fdd68ae880e0ce775c":"2a562abdbb483ca5f355f9cc1c5e607bdd624a078a76b717ce0f8f35d0d4c54b629f372f15d20c848d01420c6af5a7040d42063704a17b46259dcc53723caf2d4bf556143ff9117c752fa4f22c9c155c99b7bf5949d089cdafd562165b9cbf53ff51cec21f49128c8a599718bbcdb4a5d705d20509c44c8945e2a133164b9942":120:"20e9a3a98d71d460743e1efaab13c6":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c818dfa0885a09f65ef78712f5ce6609":"":"ca279284723530fdd68ae880e0ce775c":"2a562abdbb483ca5f355f9cc1c5e607bdd624a078a76b717ce0f8f35d0d4c54b629f372f15d20c848d01420c6af5a7040d42063704a17b46259dcc53723caf2d4bf556143ff9117c752fa4f22c9c155c99b7bf5949d089cdafd562165b9cbf53ff51cec21f49128c8a599718bbcdb4a5d705d20509c44c8945e2a133164b9942":120:"20e9a3a98d71d460743e1efaab13c6":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2354c6b6afaa883e7ce91faca4981f8b":"":"604f2730c756c8c39a0527093bc2feb5":"959b4b0b9ce2e9120b327d2d090117553999ee10bdd384a546fc6de0957ef4b447daf07b3d07ef7dbc811f36b0fc09a175d26e4d1263cb5e21eda5ecab85d763807bb20b3cb6ac3f31d548dff00aae058d434ebcf6f7e3a37f11324134f453dd0ea7f51094863486426ff1706129a5a93c53d8c5ccb56cafa5881981fe233cb0":120:"3588c9aa769897dfa328549fbbd10a":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2354c6b6afaa883e7ce91faca4981f8b":"":"604f2730c756c8c39a0527093bc2feb5":"959b4b0b9ce2e9120b327d2d090117553999ee10bdd384a546fc6de0957ef4b447daf07b3d07ef7dbc811f36b0fc09a175d26e4d1263cb5e21eda5ecab85d763807bb20b3cb6ac3f31d548dff00aae058d434ebcf6f7e3a37f11324134f453dd0ea7f51094863486426ff1706129a5a93c53d8c5ccb56cafa5881981fe233cb0":120:"3588c9aa769897dfa328549fbbd10a":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b0af48e6aebbb6ff5b7c92bd140b085f":"":"d210d6502a5221ac1274a9c7f5a81725":"d725311ca10eb4b4aa24e6dd19c5e72dc34fc1ff53feb25d924a9b7d8d72205790ca4b1275bd93ad60c27a5587a45659bca07c111e9748fb683a03465153ffd735b7d134b479674ab8596f0596496fe2090f623fd1e4dd730c5283d8b172db8a25df42d9b34f388ed32676a56b8ba03347e47379702654508ccd0a21ff03516e":120:"e6222f068a1e18f09ba6c771eabd86":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b0af48e6aebbb6ff5b7c92bd140b085f":"":"d210d6502a5221ac1274a9c7f5a81725":"d725311ca10eb4b4aa24e6dd19c5e72dc34fc1ff53feb25d924a9b7d8d72205790ca4b1275bd93ad60c27a5587a45659bca07c111e9748fb683a03465153ffd735b7d134b479674ab8596f0596496fe2090f623fd1e4dd730c5283d8b172db8a25df42d9b34f388ed32676a56b8ba03347e47379702654508ccd0a21ff03516e":120:"e6222f068a1e18f09ba6c771eabd86":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a05fe482fe164b2eca7f6c3e377b39d8":"":"145327bcc10335fccb93afbf4b17e6e7":"ea6f2e93b5e1bf127d40440b8d6397405246b1b48eebe16964f18928f6b4b8ee2c36322d7126905c1a5b816996e340404b586edc2d77afac11a6c1266511f9eff1a320b035442d4078f8e42ca63cf26d12a971a7adf4645d1bd9a8e4d0a20722f7c2d529beaecc4033f7738075e1cdc6d8a929da5582540678935b82e7b7ba68":112:"3900bde9fa9ae2cbeee54d04f224":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a05fe482fe164b2eca7f6c3e377b39d8":"":"145327bcc10335fccb93afbf4b17e6e7":"ea6f2e93b5e1bf127d40440b8d6397405246b1b48eebe16964f18928f6b4b8ee2c36322d7126905c1a5b816996e340404b586edc2d77afac11a6c1266511f9eff1a320b035442d4078f8e42ca63cf26d12a971a7adf4645d1bd9a8e4d0a20722f7c2d529beaecc4033f7738075e1cdc6d8a929da5582540678935b82e7b7ba68":112:"3900bde9fa9ae2cbeee54d04f224":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dacbadf819eb16a63f6f091d13ed04d4":"":"b9ebce724b0dcb0989ac2d8e7ff8aaec":"7dc6e2189d8a96f3507e352e05e8fd1b4bab988c2f1c706115887119f63b78084f015d85f6b460901a02880103e4d36e8f6527dfd74e4a3acd3f578c0cc726b528875f701ff8b66e5c11b4689c346a098e123bebfa253362cb86829be73c2b85a6881fa976aa730fabb76775027feec7fd920a6c8965a4a509ea812d7c413a95":112:"8988fca83c8cfb1f8feefac46f04":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dacbadf819eb16a63f6f091d13ed04d4":"":"b9ebce724b0dcb0989ac2d8e7ff8aaec":"7dc6e2189d8a96f3507e352e05e8fd1b4bab988c2f1c706115887119f63b78084f015d85f6b460901a02880103e4d36e8f6527dfd74e4a3acd3f578c0cc726b528875f701ff8b66e5c11b4689c346a098e123bebfa253362cb86829be73c2b85a6881fa976aa730fabb76775027feec7fd920a6c8965a4a509ea812d7c413a95":112:"8988fca83c8cfb1f8feefac46f04":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"969244c7444f3f3bf193b28f8e8e96dc":"":"49b2845a1a1c87fa66eb8f78c05ac029":"1414a07e86d8b61d1eff43e1ff4ab42c1c95e159058b74c731e3007d21a5eb78bc17b7e920363a3974aeb8608813dc9a4655199b6703ed337450702d8ab16a89776831b2c7c811fec3acc23598a0aa01680a7bf42a4e258145beb08c9f0eacf2bb5f56d26bea3ad11e1a956a630b80f3d22bf35592b4704f7c464b08b06dd7f8":112:"a291c7527385f037f62e60fd8a96":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"969244c7444f3f3bf193b28f8e8e96dc":"":"49b2845a1a1c87fa66eb8f78c05ac029":"1414a07e86d8b61d1eff43e1ff4ab42c1c95e159058b74c731e3007d21a5eb78bc17b7e920363a3974aeb8608813dc9a4655199b6703ed337450702d8ab16a89776831b2c7c811fec3acc23598a0aa01680a7bf42a4e258145beb08c9f0eacf2bb5f56d26bea3ad11e1a956a630b80f3d22bf35592b4704f7c464b08b06dd7f8":112:"a291c7527385f037f62e60fd8a96":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"525abe490c8434802b69439c590a5290":"":"141f79f0501316e66451c41c7af0f0cd":"be440db66d3f81be467605a7b2805ec1df5e71e1b1b04bd7a4d05e912f5aa1912ba08de72df18613b32b7edf78963c48c80c25178b3b19262b85bb829f5377e0b368b500d6d3b442f54172d4ca4500eb5b4d478b602e5dc11d090539455087ce1e5b9ea74355fc06e9b60cbf25a9804d3f8c623fff130abc48bc2d8d116b8366":104:"038c7e95f790e6ca5ce73f9551":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"525abe490c8434802b69439c590a5290":"":"141f79f0501316e66451c41c7af0f0cd":"be440db66d3f81be467605a7b2805ec1df5e71e1b1b04bd7a4d05e912f5aa1912ba08de72df18613b32b7edf78963c48c80c25178b3b19262b85bb829f5377e0b368b500d6d3b442f54172d4ca4500eb5b4d478b602e5dc11d090539455087ce1e5b9ea74355fc06e9b60cbf25a9804d3f8c623fff130abc48bc2d8d116b8366":104:"038c7e95f790e6ca5ce73f9551":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"51644e025659de983f5c8156516b812e":"":"614837c743d0974e9cca497f13038c02":"60c5d062ade2c5c2dec68b734dd3e58ec474a586d1c4797fdfa2337800510134cb27a10d501927632af3c1febc275010c0d2e5abee630cd2bc792963fa82a42286ab047b934a261927311b40f5f953bfd661427921147cac7613d95ee86e16326ef67c1ed097e8fb87a78753d785de34e03a182232786079cb6be00182e41c9e":104:"77e3deba2c7f9386f85bc4a801":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"51644e025659de983f5c8156516b812e":"":"614837c743d0974e9cca497f13038c02":"60c5d062ade2c5c2dec68b734dd3e58ec474a586d1c4797fdfa2337800510134cb27a10d501927632af3c1febc275010c0d2e5abee630cd2bc792963fa82a42286ab047b934a261927311b40f5f953bfd661427921147cac7613d95ee86e16326ef67c1ed097e8fb87a78753d785de34e03a182232786079cb6be00182e41c9e":104:"77e3deba2c7f9386f85bc4a801":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"08566ca7310302dfb84d76ea0525ba20":"":"5f20ec9c35c08aa7f1c0e8a20fdbd2b3":"5d84e32768b8d1e7e3c426b3118d48e35491bf1bb454b359c8429220216efd8826be94fe1919409a128ccd8125a594f1691c9421fc3dbbb3f757bf2355bb0d074ceec165eb70e26eb53fa2cb5d84dfae06babb557805ef7b8c61c1bc76137571bcc5e84bf5987dc49013831d78bd497ccc49cde7dca2cb75e7ab967da8c6ce81":104:"873f037fc05252a44dc76f8155":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"08566ca7310302dfb84d76ea0525ba20":"":"5f20ec9c35c08aa7f1c0e8a20fdbd2b3":"5d84e32768b8d1e7e3c426b3118d48e35491bf1bb454b359c8429220216efd8826be94fe1919409a128ccd8125a594f1691c9421fc3dbbb3f757bf2355bb0d074ceec165eb70e26eb53fa2cb5d84dfae06babb557805ef7b8c61c1bc76137571bcc5e84bf5987dc49013831d78bd497ccc49cde7dca2cb75e7ab967da8c6ce81":104:"873f037fc05252a44dc76f8155":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dfb54db96383fa911bf5b4fa1218ef9a":"":"7e849e24983f63f1194b396bbd2d55e0":"d3fb689c5818810dd104693f3306a10b27178444af26798a194f7c2ab31ff3a172904b951942b1a26c8ae5b5b1ee2d86dc78bb72a335fde350766d7d9aef6f549871dd46b04b2cc319fcdd47be437d431ad18cab82d51ca9fa57f4108a8de622a92f87d28c0349fab27757fd773413f559a8c00d30e258c1f6cd96f9759bd957":96:"dada7fc7fed58db462854ef6":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dfb54db96383fa911bf5b4fa1218ef9a":"":"7e849e24983f63f1194b396bbd2d55e0":"d3fb689c5818810dd104693f3306a10b27178444af26798a194f7c2ab31ff3a172904b951942b1a26c8ae5b5b1ee2d86dc78bb72a335fde350766d7d9aef6f549871dd46b04b2cc319fcdd47be437d431ad18cab82d51ca9fa57f4108a8de622a92f87d28c0349fab27757fd773413f559a8c00d30e258c1f6cd96f9759bd957":96:"dada7fc7fed58db462854ef6":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"389cf888474e9403e5f4d0e22ffec439":"":"ef57794cf6fac9f9cea3e8499b53b1d6":"7ea7f7f4763ad208eb6199285b6b2819756c4e3caf2d0ac6f5076ae6785fecdcc4b138a51860ff8b87aaac3a18c2df778a4818308d458dba28f5017513e1454f60be20dae68736ea6d48b1f9deadb517df63140acbd329fbfbc9b82f3ca1862c9e998f0faff1d3ae60b005bf66829f5cf0c5fa03efbdd92d39351e3954be0257":96:"92726d90ad26130e65f2beb4":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"389cf888474e9403e5f4d0e22ffec439":"":"ef57794cf6fac9f9cea3e8499b53b1d6":"7ea7f7f4763ad208eb6199285b6b2819756c4e3caf2d0ac6f5076ae6785fecdcc4b138a51860ff8b87aaac3a18c2df778a4818308d458dba28f5017513e1454f60be20dae68736ea6d48b1f9deadb517df63140acbd329fbfbc9b82f3ca1862c9e998f0faff1d3ae60b005bf66829f5cf0c5fa03efbdd92d39351e3954be0257":96:"92726d90ad26130e65f2beb4":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e55abb2ca36c822bf2a030ac703cb8b4":"":"d86f7177e8ec90f9e9edf10175d5012d":"777a9d93091de56324c10712243f5541722e0b27e1f303fef6faa387a8666161ab354dbea6c43c82a24e8623bfec39aab13164add6be0dfd55d23204c0975b4ba6fbda51363befde482a9ccc1eb9f151e6ad59c77a1e24dd268389e4686f198a936dd603044a3fb653d63cff80597f5a2913c8a2ec1b7d9dce5728dd56c78c2c":96:"65025250343ed8c09b3fceed":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e55abb2ca36c822bf2a030ac703cb8b4":"":"d86f7177e8ec90f9e9edf10175d5012d":"777a9d93091de56324c10712243f5541722e0b27e1f303fef6faa387a8666161ab354dbea6c43c82a24e8623bfec39aab13164add6be0dfd55d23204c0975b4ba6fbda51363befde482a9ccc1eb9f151e6ad59c77a1e24dd268389e4686f198a936dd603044a3fb653d63cff80597f5a2913c8a2ec1b7d9dce5728dd56c78c2c":96:"65025250343ed8c09b3fceed":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"586114f3b1dc087e1b2739b28c592dfe":"":"ae5a38ddd455505284434a4bcfe81ef2":"531ff8c285e532d961f49bd210a5523cd9b19a697a3a3fb26db940a496f253862405b1e825daeda7eb0445c98022b8342c8f8ea20301618483f8ab04b6ebccd7e7fc57878fb544a5bf78fa896f50ac30126ff8afca8a86388666b64c643d16812729bfd7e5c03ba52f7e6ea4c6a685404f7bcbd956964417fa0ea9a6d7290c41":64:"467a815610faeb82":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"586114f3b1dc087e1b2739b28c592dfe":"":"ae5a38ddd455505284434a4bcfe81ef2":"531ff8c285e532d961f49bd210a5523cd9b19a697a3a3fb26db940a496f253862405b1e825daeda7eb0445c98022b8342c8f8ea20301618483f8ab04b6ebccd7e7fc57878fb544a5bf78fa896f50ac30126ff8afca8a86388666b64c643d16812729bfd7e5c03ba52f7e6ea4c6a685404f7bcbd956964417fa0ea9a6d7290c41":64:"467a815610faeb82":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cbfe806bddb7f06b3826b097550c68f5":"":"04c1b6c9fd2ab76fc2adfe15d3421bbb":"cfa86d02599652cb4ffff027b9c6ef2336dc9fe946f64fa5ce83f624e144563d4738381bc5371c3cb55cf41ceda07e62cb635ff37246bfa428785229c6e869d5df69d7949a8577889a29e3d05b788ddd43608d9c14e3f1b51ce2085b9a976fe843e3396a74922babe6797d5f01c37ead623b5b582505bcd29edf8a6ea36b0fc7":64:"0697ac372a9acafd":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cbfe806bddb7f06b3826b097550c68f5":"":"04c1b6c9fd2ab76fc2adfe15d3421bbb":"cfa86d02599652cb4ffff027b9c6ef2336dc9fe946f64fa5ce83f624e144563d4738381bc5371c3cb55cf41ceda07e62cb635ff37246bfa428785229c6e869d5df69d7949a8577889a29e3d05b788ddd43608d9c14e3f1b51ce2085b9a976fe843e3396a74922babe6797d5f01c37ead623b5b582505bcd29edf8a6ea36b0fc7":64:"0697ac372a9acafd":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"96ce3a095a91effdd91d616f1f02ddcd":"":"579d6633ec6687afa24ef874899b58e0":"3ff3c0038148ed391b6a10aad623a82fe9209c5ba74482f11506d597b5fc7af977235d8ee9e28cf2160346ddd0e33a5bd1fb67b87dad7167fdd4b2b4000d8460ef7b3e1b59b9d61d06cfbe7945379ed6b650de86f396a38cc70d47b8a349f067d00144c903c276b323be6a929a7d7dd8ae7d254d640cdc1176f98e01a1d8c82f":64:"55a0f61032e048f3":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"96ce3a095a91effdd91d616f1f02ddcd":"":"579d6633ec6687afa24ef874899b58e0":"3ff3c0038148ed391b6a10aad623a82fe9209c5ba74482f11506d597b5fc7af977235d8ee9e28cf2160346ddd0e33a5bd1fb67b87dad7167fdd4b2b4000d8460ef7b3e1b59b9d61d06cfbe7945379ed6b650de86f396a38cc70d47b8a349f067d00144c903c276b323be6a929a7d7dd8ae7d254d640cdc1176f98e01a1d8c82f":64:"55a0f61032e048f3":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"24ece168c2971cf2b404ea206dc9e29d":"":"e9db62a42491664a6c46cbb0b2bafc92":"3579f6c0cb3d2a5d0c4548855c7c052d36b6a8dfc60f4ca1b4bbe28ed87306119e71982dd84c4205ceba918d675472753df1b5192d3693dbf6a061c6056e312135ffc5ff426895a7e30f7f675d2cb21de06eea5e3761b94deef7537b985d324864c9ff6ab6e230a1006720f98c958912b604a6d03e3979887c07be3ceaafc78f":32:"d2b15a23":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"24ece168c2971cf2b404ea206dc9e29d":"":"e9db62a42491664a6c46cbb0b2bafc92":"3579f6c0cb3d2a5d0c4548855c7c052d36b6a8dfc60f4ca1b4bbe28ed87306119e71982dd84c4205ceba918d675472753df1b5192d3693dbf6a061c6056e312135ffc5ff426895a7e30f7f675d2cb21de06eea5e3761b94deef7537b985d324864c9ff6ab6e230a1006720f98c958912b604a6d03e3979887c07be3ceaafc78f":32:"d2b15a23":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d3c3cf993f6740a019e61ce13c29955c":"":"af900ac348082ff32d2e0ab886079516":"2ddd0e8c99661f0757f04aa79a1ffa24ad48fbe5da68b9e71f7a0cf1b4f2ca9b757695900b7549d48847ae49950dc9b270b1569d29dcbef412216737bd83509c17ae41c34ccda318939cb37a0a380762993a7568c0b07794e78746173dd5c0d921cd50de4b548c1589e142c3dadbad42161aaeda2310f3c6d5c722d9ac69e96d":32:"f2d3a6ff":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d3c3cf993f6740a019e61ce13c29955c":"":"af900ac348082ff32d2e0ab886079516":"2ddd0e8c99661f0757f04aa79a1ffa24ad48fbe5da68b9e71f7a0cf1b4f2ca9b757695900b7549d48847ae49950dc9b270b1569d29dcbef412216737bd83509c17ae41c34ccda318939cb37a0a380762993a7568c0b07794e78746173dd5c0d921cd50de4b548c1589e142c3dadbad42161aaeda2310f3c6d5c722d9ac69e96d":32:"f2d3a6ff":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,0,1024,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5f1e5bd45ee8bb207ebbd730510ff218":"":"8846424a194f5de858556e6be5b65d7f":"e968947fc0e49136e730b97f6b16e393d5e4fdf3e4803a23af79211ef59f29167c60ead72fd489da32d2ffa43b2bca2074f9d1b4f5396ca65004b0806cb7c6dfa751fb6afbee3e443f3c9b0e3df6722e0d1320441400c5ca508afb657c2b7f1669b0de21761dccab9a40fc513768bd1f552692626ce35078a2e0e12f5d930647":32:"0d6c15da":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5f1e5bd45ee8bb207ebbd730510ff218":"":"8846424a194f5de858556e6be5b65d7f":"e968947fc0e49136e730b97f6b16e393d5e4fdf3e4803a23af79211ef59f29167c60ead72fd489da32d2ffa43b2bca2074f9d1b4f5396ca65004b0806cb7c6dfa751fb6afbee3e443f3c9b0e3df6722e0d1320441400c5ca508afb657c2b7f1669b0de21761dccab9a40fc513768bd1f552692626ce35078a2e0e12f5d930647":32:"0d6c15da":"":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3997050377cfbb802cc438d973661688":"b02f0dd373e42c65e8e1db2dd76a432e0b2bf6e630c8aaf0d48af51b3709b175de9a19b3245ae75818274c771c06fae225c4f8b002236712336e805ab006449eb29cc5e29abd82b06c32d4c36ee99acb9a6d7d9eae6ec6ec263c002a22c4a898c74f6abd6d92112367ca7ffe82787c5b39e7012ba22825d3612af3d41e8008a8":"c95c84c263bdfd5f1de66e7e616cf3fb":"":128:"b35b3cf6ed59ccb69dbc9b47a3f284ae":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3997050377cfbb802cc438d973661688":"b02f0dd373e42c65e8e1db2dd76a432e0b2bf6e630c8aaf0d48af51b3709b175de9a19b3245ae75818274c771c06fae225c4f8b002236712336e805ab006449eb29cc5e29abd82b06c32d4c36ee99acb9a6d7d9eae6ec6ec263c002a22c4a898c74f6abd6d92112367ca7ffe82787c5b39e7012ba22825d3612af3d41e8008a8":"c95c84c263bdfd5f1de66e7e616cf3fb":"":128:"b35b3cf6ed59ccb69dbc9b47a3f284ae":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"cee448b48d3506ff3ecc227a87987846":"":128:"361fc2896d7ee986ecef7cbe665bc60c":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c58583f6479d9bc9f1bffddefee66e59":"564a9f700cbc1f895e4f4fa6426f73b4956896a15e6127e7560d74e3fd0b980d2ee45b7a6a3884fa613d91d13921e3f90967d7132bdafcd146dd8ff7147ed1964c2bdb3e12f4133d3dbbc3bf030ff37b1d2147c493ce885068d9ba5bebae24903aaac004aa0ab73fe789e4150e75ddc2bde2700db02e6398d53e88ac652964ac":"cee448b48d3506ff3ecc227a87987846":"":128:"361fc2896d7ee986ecef7cbe665bc60c":"":"9cce7db3fc087d8cb384f6b1a81f03b3fafa2e3281e9f0fcf08a8283929f32439bb0d302516f0ab65b79181fc223a42345bad6e46ff8bcb55add90207f74481227f71a6230a3e13739ef2d015f5003638234b01e58537b7cfab5a8edac19721f41d46948987d1bb1b1d9485a672647bb3b5cb246a1d753a0d107bff036ac7d95":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0bc2bde877e881aea512068105694968":"1a6369a45e8ef2846c42d54f92d0d140a94f9633432782dcbf094f1444a1d006acd07ef6076cd0faee226f9ff14adc1fb23e3c63ed818c9a743efbe16624981663e5a64f03f411dcd326e0c259bcadca3b3dd7660ed985c1b77f13a3b232a5934f8b54e46f8368c6e6eb75f933196fa973e7413e4b1442b9dee5e265b44255ed":"05f0c34ab2e8e8026b0a23719344b71f":"":128:"46bab9fc2dbe87b8f6ca0ed4d73e5368":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0bc2bde877e881aea512068105694968":"1a6369a45e8ef2846c42d54f92d0d140a94f9633432782dcbf094f1444a1d006acd07ef6076cd0faee226f9ff14adc1fb23e3c63ed818c9a743efbe16624981663e5a64f03f411dcd326e0c259bcadca3b3dd7660ed985c1b77f13a3b232a5934f8b54e46f8368c6e6eb75f933196fa973e7413e4b1442b9dee5e265b44255ed":"05f0c34ab2e8e8026b0a23719344b71f":"":128:"46bab9fc2dbe87b8f6ca0ed4d73e5368":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e14f45ba5d1eb52e0412240da5d7b5f9":"9a85fda19ce923f093a0c25b0c52f5d9534828af7c7687d22307004ae2d10c4592242c0f2704070307ab55b137780d1e2013a19396ab43ff6a295b63fdcf323456d149758f9a2bb37f1418d62ea6368b24d5067b9c63d2968e06d6586c7e3275faffa005f7c7bfef51303e4c2b2ed4564acd17d50efac9f5e3e7f16ce589c39b":"d7f8ef12f66f8b7c60aea02ef6ff688f":"":120:"beede05e4928c808bc660f3de95634":"4ad5b9ace0c0c7c07df2900faf37a902899471e7aa4a0a1ad5387f8f56d73f78f619be79a4e253f95b15d52895a05bae9ecffa916d35efacd8baf1c704d2aa4a38c234efc4dcfb191ec0fa0b522328fa5b5dff55e8c443fee660ebe3d8ad85de157a889aefc823720030a4cd6ba94a6309dd61806f0abb27772432018bc61701":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e14f45ba5d1eb52e0412240da5d7b5f9":"9a85fda19ce923f093a0c25b0c52f5d9534828af7c7687d22307004ae2d10c4592242c0f2704070307ab55b137780d1e2013a19396ab43ff6a295b63fdcf323456d149758f9a2bb37f1418d62ea6368b24d5067b9c63d2968e06d6586c7e3275faffa005f7c7bfef51303e4c2b2ed4564acd17d50efac9f5e3e7f16ce589c39b":"d7f8ef12f66f8b7c60aea02ef6ff688f":"":120:"beede05e4928c808bc660f3de95634":"":"4ad5b9ace0c0c7c07df2900faf37a902899471e7aa4a0a1ad5387f8f56d73f78f619be79a4e253f95b15d52895a05bae9ecffa916d35efacd8baf1c704d2aa4a38c234efc4dcfb191ec0fa0b522328fa5b5dff55e8c443fee660ebe3d8ad85de157a889aefc823720030a4cd6ba94a6309dd61806f0abb27772432018bc61701":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9a64579f3601b0022d357b601cd876ab":"88be1f4bc8c81b8a9d7abc073cb2751e209ab6b912c15dc094002f95a57a660b9f08b1b34f5947223205b579e704d70a9ecb54520ce3491e52965be643f729516f5cb018beeedc68a7d66c0d40a3f392ec7729c566ce1e9f964c4c0bd61b291ccb96e3d1fac18a401a302f3775697c71edb8ff5a8275a815eba9dd3b912e3759":"515efc6d036f95db7df56b1bbec0aff2":"":120:"13ea92ba35fced366d1e47c97ca5c9":"7fc8565760c168d640f24896c69758355b17310dbc359f38b73fc7b57fe3f4b6ecad3f298be931c96a639df3c5744f7e932b32d222f5534efb8eb5d5b98d218dce3efef5c8c7ce65738bf63412d0a8ed209071218a6fa2f7be79b38d0b2f5b571ec73f1a91721bd409b1722b313683e97d53df19ded95fd471124fa5f294a4bb":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9a64579f3601b0022d357b601cd876ab":"88be1f4bc8c81b8a9d7abc073cb2751e209ab6b912c15dc094002f95a57a660b9f08b1b34f5947223205b579e704d70a9ecb54520ce3491e52965be643f729516f5cb018beeedc68a7d66c0d40a3f392ec7729c566ce1e9f964c4c0bd61b291ccb96e3d1fac18a401a302f3775697c71edb8ff5a8275a815eba9dd3b912e3759":"515efc6d036f95db7df56b1bbec0aff2":"":120:"13ea92ba35fced366d1e47c97ca5c9":"":"7fc8565760c168d640f24896c69758355b17310dbc359f38b73fc7b57fe3f4b6ecad3f298be931c96a639df3c5744f7e932b32d222f5534efb8eb5d5b98d218dce3efef5c8c7ce65738bf63412d0a8ed209071218a6fa2f7be79b38d0b2f5b571ec73f1a91721bd409b1722b313683e97d53df19ded95fd471124fa5f294a4bb":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1bda4acfd10ab635f357935bb0ab7020":"c9ac8d4ef7d83848fdc03664957c28b9b76710797d5db1c21e713e85eb0898892223e52be1644fc7362c95026ebb9c9ca74d7d3739eff10cab1eda00c36628dae0b98d119a14635800e37cd340faa6fbba9c3d41d52722cc3969612b1a8c5ca9a68773f5ee654506cb88ea65fb1eddf5ab6312d0170dc03324e483342448b854":"48b77c587616ffaa449533a91230b449":"":120:"8325e4394c91719691145e68e56439":"1287ad3719508a9be70c19e3b134a2eaa4415d736c55922e9abcfd7f621ea07ffb9b78d8a9668c74bbd548b5e6519ea12609d2d6197c8bd3da9c13c46628f218e7ff81884ff7eb34664ab00f86e09cd623bec248d8898ef054fce8f718a0e0978e8b5d037709c524114ec37809ac3fd1604e223e08f594e7aa12097f7dc1850b":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1bda4acfd10ab635f357935bb0ab7020":"c9ac8d4ef7d83848fdc03664957c28b9b76710797d5db1c21e713e85eb0898892223e52be1644fc7362c95026ebb9c9ca74d7d3739eff10cab1eda00c36628dae0b98d119a14635800e37cd340faa6fbba9c3d41d52722cc3969612b1a8c5ca9a68773f5ee654506cb88ea65fb1eddf5ab6312d0170dc03324e483342448b854":"48b77c587616ffaa449533a91230b449":"":120:"8325e4394c91719691145e68e56439":"":"1287ad3719508a9be70c19e3b134a2eaa4415d736c55922e9abcfd7f621ea07ffb9b78d8a9668c74bbd548b5e6519ea12609d2d6197c8bd3da9c13c46628f218e7ff81884ff7eb34664ab00f86e09cd623bec248d8898ef054fce8f718a0e0978e8b5d037709c524114ec37809ac3fd1604e223e08f594e7aa12097f7dc1850b":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d21cf24bc5bd176b4b0fd4c8477bb70d":"2e7108fd25c88b799263791940594ec80b26ccd53455c837b2e6cf4e27fcf9707af3f0fe311355e1b03ac3b5ee0af09fb6fb9f0311f8545d40a658119e6a87ba8ba72cc5fdb1386bc455c8fec51a7c0fec957bed4d6441180741197962d51b17c393b57553e53602f2a343a0871ea2dc4b1506663b2768ce271b89c4ed99eec6":"208cb9dced20b18edddb91596e902124":"":112:"7edfb9daf8ca2babcc02537463e9":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d21cf24bc5bd176b4b0fd4c8477bb70d":"2e7108fd25c88b799263791940594ec80b26ccd53455c837b2e6cf4e27fcf9707af3f0fe311355e1b03ac3b5ee0af09fb6fb9f0311f8545d40a658119e6a87ba8ba72cc5fdb1386bc455c8fec51a7c0fec957bed4d6441180741197962d51b17c393b57553e53602f2a343a0871ea2dc4b1506663b2768ce271b89c4ed99eec6":"208cb9dced20b18edddb91596e902124":"":112:"7edfb9daf8ca2babcc02537463e9":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3d02e2b02170986944487cba8448f998":"bc1d7553f4a28754cf59ed6f7a901901f04ce62a449db2b45ad60329d0341bb9ba421c783c28a9200b41da8ab6328d826293134a7d0c9a5775dd2735e7767efda4ad183566e0847d6d978abd1a8ab13b16b8323acef05ced3b571631e1e24ad44d65e6ffa64e03c9970e94bacb9f721aba06cda6a08806a3be63dddd8029301d":"6336077bb83eff1c9ea715de99b372cd":"":112:"0466bb2957281f64b59eafed3509":"5f395958f2f7acafb1bca6d3a6ec48b717f2ceeac1b77e1b0edc09a09e4a299d2ec722cc7daf34c8f4121a93c80b2adb20a2fc95afd09320f91085c93c8b082dd703814c9777501d23bf9b328f07f04652592dc5a3f4321626a695b8db8e65c8617c809eb2978d8c9a882ffa82a4bb707c1a8f9a965bdacce5c041bafc94a1c6":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3d02e2b02170986944487cba8448f998":"bc1d7553f4a28754cf59ed6f7a901901f04ce62a449db2b45ad60329d0341bb9ba421c783c28a9200b41da8ab6328d826293134a7d0c9a5775dd2735e7767efda4ad183566e0847d6d978abd1a8ab13b16b8323acef05ced3b571631e1e24ad44d65e6ffa64e03c9970e94bacb9f721aba06cda6a08806a3be63dddd8029301d":"6336077bb83eff1c9ea715de99b372cd":"":112:"0466bb2957281f64b59eafed3509":"":"5f395958f2f7acafb1bca6d3a6ec48b717f2ceeac1b77e1b0edc09a09e4a299d2ec722cc7daf34c8f4121a93c80b2adb20a2fc95afd09320f91085c93c8b082dd703814c9777501d23bf9b328f07f04652592dc5a3f4321626a695b8db8e65c8617c809eb2978d8c9a882ffa82a4bb707c1a8f9a965bdacce5c041bafc94a1c6":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cd1ad1de0521d41645d13c97a18f4a20":"588c2617517329f3e1e7ba6206a183dc9232e6a4fa8c8b89532d46235af1e542acaa7eae4d034f139b00449076ba2ef9a692cae422998878dabdac60993dce9880d280bec1419803ba937366e5285c4a7f31a5f232f8d3ef73efe7267b3ef82a02f97d320ebc9db6219fbdf1c7f611e8e5164e9ecf25b32f9c07dfa12aa705af":"413873a0b063ad039da5513896233286":"":112:"d4dbe9cae116553b0cbe1984d176":"bd519b7e6921e6026784cd7b836c89bc1fa98e4013b41d2bf091ef0d602e44a70df89816c068d37f0c6377af46c8bfa73ec0d5bc0b61966f23e55a15a83cea49f37cc02213b4996f9353ee2b73a798b626e524b9c15937ecf98a4eded83fb62e6deea1de31e0a7f1d210f6d964bc3e69b269da834720fd33487874489b8932a8":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cd1ad1de0521d41645d13c97a18f4a20":"588c2617517329f3e1e7ba6206a183dc9232e6a4fa8c8b89532d46235af1e542acaa7eae4d034f139b00449076ba2ef9a692cae422998878dabdac60993dce9880d280bec1419803ba937366e5285c4a7f31a5f232f8d3ef73efe7267b3ef82a02f97d320ebc9db6219fbdf1c7f611e8e5164e9ecf25b32f9c07dfa12aa705af":"413873a0b063ad039da5513896233286":"":112:"d4dbe9cae116553b0cbe1984d176":"":"bd519b7e6921e6026784cd7b836c89bc1fa98e4013b41d2bf091ef0d602e44a70df89816c068d37f0c6377af46c8bfa73ec0d5bc0b61966f23e55a15a83cea49f37cc02213b4996f9353ee2b73a798b626e524b9c15937ecf98a4eded83fb62e6deea1de31e0a7f1d210f6d964bc3e69b269da834720fd33487874489b8932a8":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1cb120e9cd718b5119b4a58af0644eff":"4c8e8fb8c87ff6b994ae71bfbf0fa4529f03bad86edf9d27cf899ea93a32972640697e00546136c1dbc7e63662200951b6479c58ae26b1bd8c3b4f507c0d945d615183196868ec4f4865d1d00bb919a00184e9663f6cb9a7a0ddfc73ee2901f7a56ef2074d554f48cef254be558fca35651be405f91c39e0367762b4715d05fa":"5a7087989bfe2f6eddcb56fde4d72529":"":104:"95d8bd12af8a5ab677309df0fb":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1cb120e9cd718b5119b4a58af0644eff":"4c8e8fb8c87ff6b994ae71bfbf0fa4529f03bad86edf9d27cf899ea93a32972640697e00546136c1dbc7e63662200951b6479c58ae26b1bd8c3b4f507c0d945d615183196868ec4f4865d1d00bb919a00184e9663f6cb9a7a0ddfc73ee2901f7a56ef2074d554f48cef254be558fca35651be405f91c39e0367762b4715d05fa":"5a7087989bfe2f6eddcb56fde4d72529":"":104:"95d8bd12af8a5ab677309df0fb":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"315b206778c28ed0bfdd6e66088a5c39":"6186f57a85b65f54efbf9974a193012b1396fc0ca887227e1865f1c915ac2af9bbd55969f7de57ce9fb87604cf11c7bc822b542f745be8a101877a810ed72bf4544d0acb91f0f9d3c30b6a18c48b82557433d0db930e03bcecc6fb53530bfd99ee89f9e154aa1a3e2a2c2a7a9e08c9aed1deab7fae8ea5a31158b50bca2f5e79":"7ec6f47ec56dda5b52bbdaa6ad2eb6da":"":104:"930750c53effc7b84aa10b2276":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"315b206778c28ed0bfdd6e66088a5c39":"6186f57a85b65f54efbf9974a193012b1396fc0ca887227e1865f1c915ac2af9bbd55969f7de57ce9fb87604cf11c7bc822b542f745be8a101877a810ed72bf4544d0acb91f0f9d3c30b6a18c48b82557433d0db930e03bcecc6fb53530bfd99ee89f9e154aa1a3e2a2c2a7a9e08c9aed1deab7fae8ea5a31158b50bca2f5e79":"7ec6f47ec56dda5b52bbdaa6ad2eb6da":"":104:"930750c53effc7b84aa10b2276":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e886de1c907c97e7db8ec80a79df90f8":"c64cc9596d7c738746ab800f688eec190a4c802c55b2528931d74d294496892b81f53d3073d48f9bef1d58ce3be26547474cdda2868abeab71aff566fff613b4e5bfed1be1d2fff35d8ffa33302d3da1c82e421aa3a23848f31e26d90c0cb2ac2ae136ada73404ed3e0e1d3e7cb355a11cd2a4f9393b4d5eac988104fe1cf959":"612cacbf33266353d0a29a24532f3c0c":"":104:"76634e58d8f3a48f15875ac1d6":"7001d7395efb432e2804cc65c0ba5d4719ce84177ce46292c4fd62a5596bd2bab1d5c44217ac43235bd94489c43d01618a11f047d2e247062c3b88d6e59adaa1f46514fb33b7843483920bee60a41f3cb312322c305d25251b4704fb66da58637c95a9d539731434f60ef44fe3cd6d37e2c8e7089880a563938dcc98b43f08fd":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e886de1c907c97e7db8ec80a79df90f8":"c64cc9596d7c738746ab800f688eec190a4c802c55b2528931d74d294496892b81f53d3073d48f9bef1d58ce3be26547474cdda2868abeab71aff566fff613b4e5bfed1be1d2fff35d8ffa33302d3da1c82e421aa3a23848f31e26d90c0cb2ac2ae136ada73404ed3e0e1d3e7cb355a11cd2a4f9393b4d5eac988104fe1cf959":"612cacbf33266353d0a29a24532f3c0c":"":104:"76634e58d8f3a48f15875ac1d6":"":"7001d7395efb432e2804cc65c0ba5d4719ce84177ce46292c4fd62a5596bd2bab1d5c44217ac43235bd94489c43d01618a11f047d2e247062c3b88d6e59adaa1f46514fb33b7843483920bee60a41f3cb312322c305d25251b4704fb66da58637c95a9d539731434f60ef44fe3cd6d37e2c8e7089880a563938dcc98b43f08fd":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3b936e09a6477f3bd52030a29df5001d":"65cf11d1afad19b34f282f98f140315992392f5d4eed4265085b29e1e5553f4783fec681ba2d368486ba6a54c00e71c82c08ca3d097904f021ce4b0acba2d2a7005e28e5f8750ea3d18a4f78363c37583e85104234498942c639a0564b0d80055c21cb7735dd44348298291ab602f345b1d74d624750c0177fbd5cca6f99223b":"f93105be83fa5e315d73acfdcf578de7":"":96:"91b55bb5e3f3f1abcf335db5":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3b936e09a6477f3bd52030a29df5001d":"65cf11d1afad19b34f282f98f140315992392f5d4eed4265085b29e1e5553f4783fec681ba2d368486ba6a54c00e71c82c08ca3d097904f021ce4b0acba2d2a7005e28e5f8750ea3d18a4f78363c37583e85104234498942c639a0564b0d80055c21cb7735dd44348298291ab602f345b1d74d624750c0177fbd5cca6f99223b":"f93105be83fa5e315d73acfdcf578de7":"":96:"91b55bb5e3f3f1abcf335db5":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dc9e2095de7b1b48481b56bf6a3604cd":"ed61ff94a3f84c72147faefa615e2df00324fb01790cf9764c72c1b8ba47f17866a1fd64ee5c2f53865d1bc24ec93165a6774466a59603199ee476c1f2da7d932c8943d126aa172d532d8475a484d42bb45fcf92766feafd7f3e2e3d42d22f6f84a90e7e688232f799d80cd2cc152ddd21ecfb137701ecafcb2b65abe2e4e6f4":"9e5268db19a1b51c0496a160ca76f8f7":"":96:"0fa9588536fca71bb44260f7":"ef562e301fcf923ff1a1acd3aff9b1c963058228655fe8a66cab01396547dbd2aa1f79a22eefc62944b86d1a31ebe2d17130175b8c003d6755b0eb8b79895b0f7f8046c5ae888a067ba17bc8e11a8f6e5023a9cd42f6461966c28e505b371c0f72a2606bff430a58016e99713d25ce11f10391fb4a922e27989422c6a64f9107":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dc9e2095de7b1b48481b56bf6a3604cd":"ed61ff94a3f84c72147faefa615e2df00324fb01790cf9764c72c1b8ba47f17866a1fd64ee5c2f53865d1bc24ec93165a6774466a59603199ee476c1f2da7d932c8943d126aa172d532d8475a484d42bb45fcf92766feafd7f3e2e3d42d22f6f84a90e7e688232f799d80cd2cc152ddd21ecfb137701ecafcb2b65abe2e4e6f4":"9e5268db19a1b51c0496a160ca76f8f7":"":96:"0fa9588536fca71bb44260f7":"":"ef562e301fcf923ff1a1acd3aff9b1c963058228655fe8a66cab01396547dbd2aa1f79a22eefc62944b86d1a31ebe2d17130175b8c003d6755b0eb8b79895b0f7f8046c5ae888a067ba17bc8e11a8f6e5023a9cd42f6461966c28e505b371c0f72a2606bff430a58016e99713d25ce11f10391fb4a922e27989422c6a64f9107":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3f93901fd7cc88db3ba76a158d658c7b":"16402fded879fcbfe9405902aa63ca2a520889e0045f687455469b7bb867829a01208b8dc5dcc852d8ee478993c30e6d9ec6408773b367821310a0ae171d38d71e06981ff6e845acffbc794142b87c748e12484c0636419d79be3d798cde59e9dae0a4a4a4346596427e6b235ad52e6a1b02d6f4df0c7de35fc390cae36aef14":"7e98de461e6d96c0ce6c8d8b3854cf49":"":96:"86c9a70e4bab304ae46e6542":"1b4c09569b42c469b3ab6b39312c214502ec09f5fe2fed1d1933d13cdc6a7b77a5d135123fa69d9207d6844b0357b26b7a2f53b33a5cd218dacda87b78b09cf259e48e74076812c432e2d0833fb269721f9347c96e158500f9b2283342a35c8de0a022edce711118d72d8fbaa354bfb0ffee465844ef2d37e24ec2cea8556648":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3f93901fd7cc88db3ba76a158d658c7b":"16402fded879fcbfe9405902aa63ca2a520889e0045f687455469b7bb867829a01208b8dc5dcc852d8ee478993c30e6d9ec6408773b367821310a0ae171d38d71e06981ff6e845acffbc794142b87c748e12484c0636419d79be3d798cde59e9dae0a4a4a4346596427e6b235ad52e6a1b02d6f4df0c7de35fc390cae36aef14":"7e98de461e6d96c0ce6c8d8b3854cf49":"":96:"86c9a70e4bab304ae46e6542":"":"1b4c09569b42c469b3ab6b39312c214502ec09f5fe2fed1d1933d13cdc6a7b77a5d135123fa69d9207d6844b0357b26b7a2f53b33a5cd218dacda87b78b09cf259e48e74076812c432e2d0833fb269721f9347c96e158500f9b2283342a35c8de0a022edce711118d72d8fbaa354bfb0ffee465844ef2d37e24ec2cea8556648":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"42289f3d3cd5838e250ef54b128e60d1":"3edae1d554b67d2036f5fdbdb2945cc112f100adc1b47009c2e23f6a2eaee78d1f39ce8a98f715853cc29fc793fb6981ec3036834188dea7d668185ccc8642071b15de1332f6a59c8a9b4399733eb4b3d8f224af57ba6b4a8e64494bb6630b9d28e7ec3349064350febcef6a3ad1d6cca1b1da74f3d2921c2b28a2dd399c3416":"e557389a216ad724aafdab0180e1892e":"":64:"6f78bc809f31393e":"25c476659cc7b343a69088baf868a811ba37daca85c4093105bf98235a90aeca015ab034da008af0982f9b2e80df804c186a9b2e97f74cffd70ebb7771d874fcaf12f6d01c44a8b0ec2898cf4493cf09a16a88a65cd77909bbf0430c9603869bd5f20d56cb51d8a3f0a032fc30d925c96599d296b1ec41c2912bda426adea4fb":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"42289f3d3cd5838e250ef54b128e60d1":"3edae1d554b67d2036f5fdbdb2945cc112f100adc1b47009c2e23f6a2eaee78d1f39ce8a98f715853cc29fc793fb6981ec3036834188dea7d668185ccc8642071b15de1332f6a59c8a9b4399733eb4b3d8f224af57ba6b4a8e64494bb6630b9d28e7ec3349064350febcef6a3ad1d6cca1b1da74f3d2921c2b28a2dd399c3416":"e557389a216ad724aafdab0180e1892e":"":64:"6f78bc809f31393e":"":"25c476659cc7b343a69088baf868a811ba37daca85c4093105bf98235a90aeca015ab034da008af0982f9b2e80df804c186a9b2e97f74cffd70ebb7771d874fcaf12f6d01c44a8b0ec2898cf4493cf09a16a88a65cd77909bbf0430c9603869bd5f20d56cb51d8a3f0a032fc30d925c96599d296b1ec41c2912bda426adea4fb":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3d772eabb7f19475665ca2a7e693bcfc":"e9fc4d86f5b857fa6057b73f967351e06f87288c40a95b9e378c84f1a4c0f4b80ed0a0b44ff90a8973be4199c0c4006fc4f5ea19d5f1fe8b9c8c01f4675ab85afab0592bb3daba36bb4fc7ed9eea867e9d8cc50c19fb62a5a57956e9efacebac5e9f849649d35a329bd68de97bb6e5ff7bef477a86765c2c9ec15e24cbba5c6e":"0747cbb486a013453fde1ca6abb11dbe":"":64:"8e761ffaea68f967":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3d772eabb7f19475665ca2a7e693bcfc":"e9fc4d86f5b857fa6057b73f967351e06f87288c40a95b9e378c84f1a4c0f4b80ed0a0b44ff90a8973be4199c0c4006fc4f5ea19d5f1fe8b9c8c01f4675ab85afab0592bb3daba36bb4fc7ed9eea867e9d8cc50c19fb62a5a57956e9efacebac5e9f849649d35a329bd68de97bb6e5ff7bef477a86765c2c9ec15e24cbba5c6e":"0747cbb486a013453fde1ca6abb11dbe":"":64:"8e761ffaea68f967":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fb7fd753ee6eaaf283a42a121dab4e43":"fd5cecb2c0287cb8229e97d9cc4b9885f428710528884ce663ed1728cd44cb2df93e56ef17ace0678d1e341366c652f4ba7ee45797d39be4a05c1151e5cde499e13e5d45549b5d95a174d03616d06ef96e9d7b2b6bb0d79a726b253dd64223a5f09611671b234ccf9b383952f8888814b2c167e774cfbf54e9c6b99a753f4fa9":"8164929fb54485377ecccc9b9621af5e":"":64:"40a2fa7f4370afb2":"6208d068be60f7b04b80fc611062e6caaef9a5cf59f850d174b7446c78c039ea9aefe4885e19c2b33911d32ce1fe3c48ddffa4b03e450fd35da03f40c4e7c5bb3b1c3f3049dbfad3ac81ca1b79cafbaa172f4900e3829d38edea3b64000f93924a801259bc4b2523445c64bc23bfee190b952468507fa4baf6dc2bec66fcf0d8":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fb7fd753ee6eaaf283a42a121dab4e43":"fd5cecb2c0287cb8229e97d9cc4b9885f428710528884ce663ed1728cd44cb2df93e56ef17ace0678d1e341366c652f4ba7ee45797d39be4a05c1151e5cde499e13e5d45549b5d95a174d03616d06ef96e9d7b2b6bb0d79a726b253dd64223a5f09611671b234ccf9b383952f8888814b2c167e774cfbf54e9c6b99a753f4fa9":"8164929fb54485377ecccc9b9621af5e":"":64:"40a2fa7f4370afb2":"":"6208d068be60f7b04b80fc611062e6caaef9a5cf59f850d174b7446c78c039ea9aefe4885e19c2b33911d32ce1fe3c48ddffa4b03e450fd35da03f40c4e7c5bb3b1c3f3049dbfad3ac81ca1b79cafbaa172f4900e3829d38edea3b64000f93924a801259bc4b2523445c64bc23bfee190b952468507fa4baf6dc2bec66fcf0d8":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"30d757fd73a0fd5fa49159ad0653296d":"17d485b258f80d8924e35291118cfdcffd86c47851b65f0b06a7c1f5202de82f3f460fc61b1aa38fdba7c8ded375c92cf005afe63e59d362c0960044af39241b81ca24e85c5faa43903229355b7313fee21b992ef3931d9d2407b32b3cf72dd7acbc7948395eb513cb2fd428b215ba2bd1e29c62f45d0ce231884f62480c6d8f":"b35b8df0aebd0608517f2830e0e70cd0":"":32:"954c0e99":"022618d2598f79104e918a09c937a82b3db59243b5e13de731fcb912e4366105797ce47f6dce7f08073f2f41e5c15fd6b1ec4b5861469a4880c3b0bd769b78c696ff29c28c9349d5a46a6e5ad9211bd4b708a8c0b6928ebbb0dac1c0a5f5ce6b05de6a50073128566a23f09cc1b826aa5803f9f750aa4debf59f24ae9f98c9b5":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"30d757fd73a0fd5fa49159ad0653296d":"17d485b258f80d8924e35291118cfdcffd86c47851b65f0b06a7c1f5202de82f3f460fc61b1aa38fdba7c8ded375c92cf005afe63e59d362c0960044af39241b81ca24e85c5faa43903229355b7313fee21b992ef3931d9d2407b32b3cf72dd7acbc7948395eb513cb2fd428b215ba2bd1e29c62f45d0ce231884f62480c6d8f":"b35b8df0aebd0608517f2830e0e70cd0":"":32:"954c0e99":"":"022618d2598f79104e918a09c937a82b3db59243b5e13de731fcb912e4366105797ce47f6dce7f08073f2f41e5c15fd6b1ec4b5861469a4880c3b0bd769b78c696ff29c28c9349d5a46a6e5ad9211bd4b708a8c0b6928ebbb0dac1c0a5f5ce6b05de6a50073128566a23f09cc1b826aa5803f9f750aa4debf59f24ae9f98c9b5":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d9d3cfd5900de5d5e2109e7721cfeef6":"e4243cc37cc32dfcedf9bb76890e706af6ab1e06b290b8ccfe2a55e5dabe68cb390f7636dc9676b431d4dc8ad3f6d989e510194294ab7ab0556789046743cf374d8b6462f5f95a17f3f44337d6c69ee47b0e1ad7e5ce6f9b224c54099a104e70d2d06af869b921ea47febe08f90c591ed49c1f12003afceabd2c7bba458a0111":"b4b9dfb013de6f7c44779e5a9daaf5e5":"":32:"2b81e8ce":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d9d3cfd5900de5d5e2109e7721cfeef6":"e4243cc37cc32dfcedf9bb76890e706af6ab1e06b290b8ccfe2a55e5dabe68cb390f7636dc9676b431d4dc8ad3f6d989e510194294ab7ab0556789046743cf374d8b6462f5f95a17f3f44337d6c69ee47b0e1ad7e5ce6f9b224c54099a104e70d2d06af869b921ea47febe08f90c591ed49c1f12003afceabd2c7bba458a0111":"b4b9dfb013de6f7c44779e5a9daaf5e5":"":32:"2b81e8ce":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,0,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"68dc138f19354d73eaa1cf0e79231d74":"ce345567a76bc30d8b4fd2239788221cfa75e1a310aeeeb8c355f8eea57d80967f3047fbd4e6173fac5caeb22151fa607065953c4c35e0537b9e3788cc80de9eedf2a340698bde99a6a1bdc81265319da3e52f7a53883b7f21749237fcfd3cd4f149bb2be7a4ddd9ef0544cfe0789040d1dc951b6447304942f03ab0beae8866":"e7147749560f491420a2d893c075bb76":"":32:"70a83f6f":"64b021612c78b3e192e8349d48b77d02927e7fd70c7160d37cb8ef472f6bcd9df9d93431627c1c80875e208724ae05f94fdd2e005e9707b78a1bf3bbca7beec4b03ddd4d9de6235ffd6d84a8b9a1842e104c1e22df4566f6c4d3d4e3d96a56b9b8a5cdce9da70aa236109b289266036f285564060b204dfd7ac915eea0dd0b1e":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"68dc138f19354d73eaa1cf0e79231d74":"ce345567a76bc30d8b4fd2239788221cfa75e1a310aeeeb8c355f8eea57d80967f3047fbd4e6173fac5caeb22151fa607065953c4c35e0537b9e3788cc80de9eedf2a340698bde99a6a1bdc81265319da3e52f7a53883b7f21749237fcfd3cd4f149bb2be7a4ddd9ef0544cfe0789040d1dc951b6447304942f03ab0beae8866":"e7147749560f491420a2d893c075bb76":"":32:"70a83f6f":"":"64b021612c78b3e192e8349d48b77d02927e7fd70c7160d37cb8ef472f6bcd9df9d93431627c1c80875e208724ae05f94fdd2e005e9707b78a1bf3bbca7beec4b03ddd4d9de6235ffd6d84a8b9a1842e104c1e22df4566f6c4d3d4e3d96a56b9b8a5cdce9da70aa236109b289266036f285564060b204dfd7ac915eea0dd0b1e":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7362c86344e0aefb0cf0d04768f9c05d":"8baffc7836004deb87c0111d47c182512bf861874021ddfcd559acf2c4a51cf5bc4bfdee2d039b9c005b6af95a2607643dcf4d9cd9d62412f709334556db22fc91d7b40438505d6806ccb2f2c21ae731bc1f1c825d28a71ab27095a39985e96ccd07cfb2e75243ccafd474494a2338c324ef533ca5f17d2ac1b1883140342ced":"7e8d12c2f0dcf4f792247134234ac94b":"86d2b5debc3b10495da353d6821f6cad380776d805bd8660b08dcdb1acd87026e4f344b547a4db47b5f44cded314bec4ce9a417ce40a2acd5a21460c42dfcd27483abf3f38dd8cc5fa523b6768a26513df5896435baa97781cff1966e2e3d6ec6d0a9cdc013de5a50e4d46831667055bad04f784024a82f9cd087ae4cd37dd64":128:"9594da428fd8c1b13ecb23afa2c1af2e":"e2c424f42aedd56f0e17a39d43ad19c8e2731efc7a25f077aef51d55280b10e667e338bd981b82a975ef62bf53bc52496b6995d33c90c7ae14767c126826e3f32bd23f444ddcfd7a0dd323b0ae2c22defad04ce63892b45c176bd0b86f5fa057a3dc371359744cb80bbfb4a195755136a0ea90b4044a45bc1b069f3cb3695c04":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7362c86344e0aefb0cf0d04768f9c05d":"8baffc7836004deb87c0111d47c182512bf861874021ddfcd559acf2c4a51cf5bc4bfdee2d039b9c005b6af95a2607643dcf4d9cd9d62412f709334556db22fc91d7b40438505d6806ccb2f2c21ae731bc1f1c825d28a71ab27095a39985e96ccd07cfb2e75243ccafd474494a2338c324ef533ca5f17d2ac1b1883140342ced":"7e8d12c2f0dcf4f792247134234ac94b":"86d2b5debc3b10495da353d6821f6cad380776d805bd8660b08dcdb1acd87026e4f344b547a4db47b5f44cded314bec4ce9a417ce40a2acd5a21460c42dfcd27483abf3f38dd8cc5fa523b6768a26513df5896435baa97781cff1966e2e3d6ec6d0a9cdc013de5a50e4d46831667055bad04f784024a82f9cd087ae4cd37dd64":128:"9594da428fd8c1b13ecb23afa2c1af2e":"":"e2c424f42aedd56f0e17a39d43ad19c8e2731efc7a25f077aef51d55280b10e667e338bd981b82a975ef62bf53bc52496b6995d33c90c7ae14767c126826e3f32bd23f444ddcfd7a0dd323b0ae2c22defad04ce63892b45c176bd0b86f5fa057a3dc371359744cb80bbfb4a195755136a0ea90b4044a45bc1b069f3cb3695c04":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"58748bb204ccb7bdafdbf739b6c19a3e":"b72902c9ebb72a86be539b19a52fd9af00aa4de081d90c0d8ad580ebb5900177a036f40a1e9b43e3a07d715466526d6d7544e5a5551805b62463f956cd519fc99182c2d54bd62fc7ffc6e5ebf1503859b706da11a1b6c707a67a70789dbfc10ef726bd360f9f2347326e068e757c8443ddc9308a171e682359ae1bfe87194ab5":"93ac298c73c88e127a4d9dd81bf24e3d":"8f168fc4d1da13bdbefae3f9d6ac1d8cb19fcec1f43f727951af0a466d8826649a46c3cb50c045ea83849fce0eedbc042a1a435e6d9d59017997a2d5459b940078b8a7f3b6b0ff279ff8c560248296a17240ff1b0643d1f436b6e3f2079363fc49fb45f410debbdde083b92057916368cb807d603cb82e2c0dc01658bff7f1ab":128:"efba4589d4a03555766bbc3b421dd60f":"d5c97a659f016904ff76286f810e8e92da6f8db2c63d8a42e617760780637e32105503440cdf04d1fe67813312f1479fda8d746c8b0b080591eba83850382f600e9d8680516c6579669f0b3d0a30323510f9de1c92512790b8347751994d022156cae64da0808a649d163a0e99e869fdf224b7c1a6a8fbc613d5917eca8ee08c":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"58748bb204ccb7bdafdbf739b6c19a3e":"b72902c9ebb72a86be539b19a52fd9af00aa4de081d90c0d8ad580ebb5900177a036f40a1e9b43e3a07d715466526d6d7544e5a5551805b62463f956cd519fc99182c2d54bd62fc7ffc6e5ebf1503859b706da11a1b6c707a67a70789dbfc10ef726bd360f9f2347326e068e757c8443ddc9308a171e682359ae1bfe87194ab5":"93ac298c73c88e127a4d9dd81bf24e3d":"8f168fc4d1da13bdbefae3f9d6ac1d8cb19fcec1f43f727951af0a466d8826649a46c3cb50c045ea83849fce0eedbc042a1a435e6d9d59017997a2d5459b940078b8a7f3b6b0ff279ff8c560248296a17240ff1b0643d1f436b6e3f2079363fc49fb45f410debbdde083b92057916368cb807d603cb82e2c0dc01658bff7f1ab":128:"efba4589d4a03555766bbc3b421dd60f":"":"d5c97a659f016904ff76286f810e8e92da6f8db2c63d8a42e617760780637e32105503440cdf04d1fe67813312f1479fda8d746c8b0b080591eba83850382f600e9d8680516c6579669f0b3d0a30323510f9de1c92512790b8347751994d022156cae64da0808a649d163a0e99e869fdf224b7c1a6a8fbc613d5917eca8ee08c":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6cc13cbd62428bb8658dd3954fe9181f":"2c9ec982d1cfb644ddbc53c0759b10493206d5186affc6882fbb2ba3aa430f9bae1209db2d78dcc125f3c909a54dd84fdff96c71e678216a58390ef4308bdd90f94f7109c4edefa76a74fda64b201b7a435bbabc27298f3eaa4c2d1393bd584f811fff52638f6ad2f6d86a8c3c9c030d9d4264c8c079592a36178d25991cff09":"86740da7ce4efbed70af55e1d6c10fdf":"be561ac15e3cfda624b422af97c26719c140bb50e4a993d636efe9c7f1963fb9047a0762169b571a698ff310bc417e34d4039b7562a95af710ccc1b197964a376c986fd2ed8ac4b0c7b4e843c37a41366f2f483c821a1823f317416c7e4f32eed9b9dc2ae1a2f3ed32c4b3187358a2329aa42191b7c2fe87b6e27ff20303cb29":128:"76b990a1e010e5f088f6ae90bec40b32":"0b9a5f5d2e6852b75b9cf26c1b310b2200e56dafcf3c941478862cdf9737ac8e2cb9b38d41bd4a1872ea1b4cfd51a1a0b9b743aca439eefa10de8459a0a7a221c5429b3dee393f17031ca6c399df8e05657c3db55be9c9dd29e690042a4ed8db732efce7c58d6b20a2a0f7c79e42e5ada43b87ab00f481c20cac1b35514dcdc9":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6cc13cbd62428bb8658dd3954fe9181f":"2c9ec982d1cfb644ddbc53c0759b10493206d5186affc6882fbb2ba3aa430f9bae1209db2d78dcc125f3c909a54dd84fdff96c71e678216a58390ef4308bdd90f94f7109c4edefa76a74fda64b201b7a435bbabc27298f3eaa4c2d1393bd584f811fff52638f6ad2f6d86a8c3c9c030d9d4264c8c079592a36178d25991cff09":"86740da7ce4efbed70af55e1d6c10fdf":"be561ac15e3cfda624b422af97c26719c140bb50e4a993d636efe9c7f1963fb9047a0762169b571a698ff310bc417e34d4039b7562a95af710ccc1b197964a376c986fd2ed8ac4b0c7b4e843c37a41366f2f483c821a1823f317416c7e4f32eed9b9dc2ae1a2f3ed32c4b3187358a2329aa42191b7c2fe87b6e27ff20303cb29":128:"76b990a1e010e5f088f6ae90bec40b32":"":"0b9a5f5d2e6852b75b9cf26c1b310b2200e56dafcf3c941478862cdf9737ac8e2cb9b38d41bd4a1872ea1b4cfd51a1a0b9b743aca439eefa10de8459a0a7a221c5429b3dee393f17031ca6c399df8e05657c3db55be9c9dd29e690042a4ed8db732efce7c58d6b20a2a0f7c79e42e5ada43b87ab00f481c20cac1b35514dcdc9":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"286d3f5080cfe88538571188fbeb2dd5":"55135928997711360622eda1820c815aa22115204b1e9bb567e231ac6ea2594b4d652627b6816bdc6c40a4411fd6b12fab9a1f169d81c476dbf77151bff13f98ca0d1dc0a68ea681652be089fadbc66c604284eebfc8ce4cf10f4ca6bda0e0f6634023db6e3f0f1de626c3249a28a642ecc9ec5ff401e941fa8a3c691566c0ae":"da6140bd4dc6456ddab19069e86efb35":"5d350a04562a605e9082ebd8faec6c27e561425849e7f0f05f5049859c2c1bd2c4682ebf9773fab6177d2601fd5a086cefc3adef5a2f8f6b5dc9e649e98dd0a3d1a2524419f01305bd0fcfff52d84a20d1b14dea2138dcc54eea2bf263c6fe27c3e7255f1f359d0d00fb1b350d7a04965af30027632520197e85eb41de6bb286":120:"d90d34094d740214dd3de685010ce3":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"286d3f5080cfe88538571188fbeb2dd5":"55135928997711360622eda1820c815aa22115204b1e9bb567e231ac6ea2594b4d652627b6816bdc6c40a4411fd6b12fab9a1f169d81c476dbf77151bff13f98ca0d1dc0a68ea681652be089fadbc66c604284eebfc8ce4cf10f4ca6bda0e0f6634023db6e3f0f1de626c3249a28a642ecc9ec5ff401e941fa8a3c691566c0ae":"da6140bd4dc6456ddab19069e86efb35":"5d350a04562a605e9082ebd8faec6c27e561425849e7f0f05f5049859c2c1bd2c4682ebf9773fab6177d2601fd5a086cefc3adef5a2f8f6b5dc9e649e98dd0a3d1a2524419f01305bd0fcfff52d84a20d1b14dea2138dcc54eea2bf263c6fe27c3e7255f1f359d0d00fb1b350d7a04965af30027632520197e85eb41de6bb286":120:"d90d34094d740214dd3de685010ce3":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"726ae113a096769b657f973ea6d2d5dd":"90636012ba8c51d16f8f6df3d3bcabc3f09aeffbe2a762f62e677913188045b861b2e7d9a7bd93dcee46e9e4832e497a6f79db52b4e45c8dab20fa568ff9c4ace55be3216f514a3284768a25d86b1c7da5377622f3e90ed4c7bd4571715af4d0a2ab5181d0475f699202e4406bb9cfdbd4fa7f22d0dd744d36b3223134658496":"2f9900226c97585d200dd20a279c154a":"761663c3fcbf1db12bc25546b2425b8229b3153e75f79fa63958819caee3febff74603d99264b5a82ef5980439bef89301ae3206a1d01a3bbd7a6c99d27d1e934cc725daeb483f826c2c9d788fd1f67a627864cf8b5f94df777bb59ef90cb6781a2000e6f0baa4f1ea4754b47bb7cbd2699f83634e4d8ab16b325b2c49f13499":120:"d095bfb8990d4fd64752ee24f3de1e":"9f7759c6d24fd9aa0df02a7c0cc5f17e61622c63195f85dfafa5d820d3ad218c7288ec017821100f1fade10f9bb447a4a01e3698b045548c7619a08f2304e2818a9bf55e70b40f8b994b7dcf0cb243848cf3f6fdfec3ebbb147d01df84a3ec62cd8fa5d78ad9f2f28cd288a35eb49a5172339e9872e8e7e3350b0d69f59acd07":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"726ae113a096769b657f973ea6d2d5dd":"90636012ba8c51d16f8f6df3d3bcabc3f09aeffbe2a762f62e677913188045b861b2e7d9a7bd93dcee46e9e4832e497a6f79db52b4e45c8dab20fa568ff9c4ace55be3216f514a3284768a25d86b1c7da5377622f3e90ed4c7bd4571715af4d0a2ab5181d0475f699202e4406bb9cfdbd4fa7f22d0dd744d36b3223134658496":"2f9900226c97585d200dd20a279c154a":"761663c3fcbf1db12bc25546b2425b8229b3153e75f79fa63958819caee3febff74603d99264b5a82ef5980439bef89301ae3206a1d01a3bbd7a6c99d27d1e934cc725daeb483f826c2c9d788fd1f67a627864cf8b5f94df777bb59ef90cb6781a2000e6f0baa4f1ea4754b47bb7cbd2699f83634e4d8ab16b325b2c49f13499":120:"d095bfb8990d4fd64752ee24f3de1e":"":"9f7759c6d24fd9aa0df02a7c0cc5f17e61622c63195f85dfafa5d820d3ad218c7288ec017821100f1fade10f9bb447a4a01e3698b045548c7619a08f2304e2818a9bf55e70b40f8b994b7dcf0cb243848cf3f6fdfec3ebbb147d01df84a3ec62cd8fa5d78ad9f2f28cd288a35eb49a5172339e9872e8e7e3350b0d69f59acd07":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"73a9eeda721c6f292e6b399e2647f8a6":"215fc7e52abe4c751ca2f7f9a5cbde9ab8b44b8d4054bb62dcea6df5b936145ca6ec83a2b78b070638fd6e5ea3bad5d0caf1b8f755f391c3e0962a92337e3eba575585eb83680075fc818860388c587746af78d5fc75ccd0a63f1612abb1ba0f04a2228ca27fbddba4878f9b2683683f516b6d6fe4f6622e603bd3c5ad45e332":"c1e80eb723960049cc4448b66433f1cf":"fb2a0b1f817404e74aee0a6ec8f2cd86f0c9114ed367b2690c44ad80f9d3377d7fd5066beaf1daa739d27ed3fba98379188016b1fe901204a174f9ffca370c181aece5e5d40939a0d460913b40b895e78a3b80ddf3d613c05e4e27bfd161ea2ef42271a2679f2cdca5b728ffb2319781c946a4f3ecacf486b754b30bb04ea60b":120:"e08161262234d0d5be22f09e5646bf":"b5e286183f16dd9403bec6786bd4836cc6add47947ef111fb1d5503c18c333c8fe60959502f58390d0e0f69fbe5fee13c72aed65fe6e32f6ea45877fe44f8a556aa5157b112e572197c1c350b7943c6cf2e9146018599524d27599f09c86027f2c5927e4a20c63833870e8369baa36ecc07cdb3ced520b5ae46869ff357ca089":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"73a9eeda721c6f292e6b399e2647f8a6":"215fc7e52abe4c751ca2f7f9a5cbde9ab8b44b8d4054bb62dcea6df5b936145ca6ec83a2b78b070638fd6e5ea3bad5d0caf1b8f755f391c3e0962a92337e3eba575585eb83680075fc818860388c587746af78d5fc75ccd0a63f1612abb1ba0f04a2228ca27fbddba4878f9b2683683f516b6d6fe4f6622e603bd3c5ad45e332":"c1e80eb723960049cc4448b66433f1cf":"fb2a0b1f817404e74aee0a6ec8f2cd86f0c9114ed367b2690c44ad80f9d3377d7fd5066beaf1daa739d27ed3fba98379188016b1fe901204a174f9ffca370c181aece5e5d40939a0d460913b40b895e78a3b80ddf3d613c05e4e27bfd161ea2ef42271a2679f2cdca5b728ffb2319781c946a4f3ecacf486b754b30bb04ea60b":120:"e08161262234d0d5be22f09e5646bf":"":"b5e286183f16dd9403bec6786bd4836cc6add47947ef111fb1d5503c18c333c8fe60959502f58390d0e0f69fbe5fee13c72aed65fe6e32f6ea45877fe44f8a556aa5157b112e572197c1c350b7943c6cf2e9146018599524d27599f09c86027f2c5927e4a20c63833870e8369baa36ecc07cdb3ced520b5ae46869ff357ca089":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"90dbda7397d8fc46215a1218a6ffd0d8":"4f82a1eca6c9184240f50f7e0cfec07ec772cad5276d93043c462d8364addd9a652eed385ccc6b0faa6ca679ab3a4c3d0be6a759425fd38316ee6a1b1b0c52c1bb3b57a9bd7c8a3be95c82f37800c2e3b42dde031851937398811f8f8dc2a15bfd2d6be99a572d56f536e62bc5b041d3944da666081cd755ec347f464214bf33":"7be477d14df5dc15877ae537b62e1a56":"7358ddf1310a58871a2f76705f1cf64223c015c4d1574104d2e38783bb866205042f05c86e76c47a2516ce284911f1d2cbee079982dd77167e328b8324eec47c9244cc5668cf908c679bb586d4dd32c6c99ed99a6b571cf18b00689463e7a88cea6ea32d288301a10a9139ed6092ffe298e25b8cfb6b4be8217f16076dcd0a90":112:"776d871944159c51b2f5ec1980a6":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"90dbda7397d8fc46215a1218a6ffd0d8":"4f82a1eca6c9184240f50f7e0cfec07ec772cad5276d93043c462d8364addd9a652eed385ccc6b0faa6ca679ab3a4c3d0be6a759425fd38316ee6a1b1b0c52c1bb3b57a9bd7c8a3be95c82f37800c2e3b42dde031851937398811f8f8dc2a15bfd2d6be99a572d56f536e62bc5b041d3944da666081cd755ec347f464214bf33":"7be477d14df5dc15877ae537b62e1a56":"7358ddf1310a58871a2f76705f1cf64223c015c4d1574104d2e38783bb866205042f05c86e76c47a2516ce284911f1d2cbee079982dd77167e328b8324eec47c9244cc5668cf908c679bb586d4dd32c6c99ed99a6b571cf18b00689463e7a88cea6ea32d288301a10a9139ed6092ffe298e25b8cfb6b4be8217f16076dcd0a90":112:"776d871944159c51b2f5ec1980a6":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0c85174d428fc1c7c89ca5d1b8aaba25":"3735cbfb8000260021d1938d2a18e7737f378ecddb11a46ce387bf04e20bbfcc902457637fd152ab87017185601f32a7f906057123b6c2da31a1069c93e3cacc59a359aebd3e31b302e1a1f7d5d8f1b2917a8fe79181fa633b925ce03a1198dac48f4c959076b55bc6b3d50188af2c6aa33d83698aa8db22649f39825ba54775":"b3c9dfa4c55388a128fbf62aa5927361":"3f552d45b61cf05ae2aa92668e89f3338a15ec7c5b7113b6571cfcd9e4c4a962043ccd9323f828dd645e8a91b007ce2112b7f978ad22ee9821698a4f2559d987ae4421452ad2e8d180953297156426d4540aff2104d8637b56b034a3a1823cf962bffbc465fe6148097975a8821ca7487e6e6c7ff4ee4de899fe67345676bb1c":112:"1e7dec83830183d56f443a16471d":"3d98cabca4afb7c1f6b8eeed521f4666ae252ac12d17ebf4a710b9a22d839b69458387ba4bbec2f6400e0cff80fbe4682c24efcd3b8c594d9b515ca7842c9d5988c42b59b6526c29a99256451e2927f5b956ef262f97c733dfa8bff73644473b9a8562bdfca748f4733ddce94a60024dfbfcde62fb3cbd7c3d955012d5338b91":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0c85174d428fc1c7c89ca5d1b8aaba25":"3735cbfb8000260021d1938d2a18e7737f378ecddb11a46ce387bf04e20bbfcc902457637fd152ab87017185601f32a7f906057123b6c2da31a1069c93e3cacc59a359aebd3e31b302e1a1f7d5d8f1b2917a8fe79181fa633b925ce03a1198dac48f4c959076b55bc6b3d50188af2c6aa33d83698aa8db22649f39825ba54775":"b3c9dfa4c55388a128fbf62aa5927361":"3f552d45b61cf05ae2aa92668e89f3338a15ec7c5b7113b6571cfcd9e4c4a962043ccd9323f828dd645e8a91b007ce2112b7f978ad22ee9821698a4f2559d987ae4421452ad2e8d180953297156426d4540aff2104d8637b56b034a3a1823cf962bffbc465fe6148097975a8821ca7487e6e6c7ff4ee4de899fe67345676bb1c":112:"1e7dec83830183d56f443a16471d":"":"3d98cabca4afb7c1f6b8eeed521f4666ae252ac12d17ebf4a710b9a22d839b69458387ba4bbec2f6400e0cff80fbe4682c24efcd3b8c594d9b515ca7842c9d5988c42b59b6526c29a99256451e2927f5b956ef262f97c733dfa8bff73644473b9a8562bdfca748f4733ddce94a60024dfbfcde62fb3cbd7c3d955012d5338b91":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d89f06eb07744d43d44734faf9751d07":"36cc3b2f563305208a03378f7dc036119f7de3fee77cefac06515853d36609a622382ed026c59783fbc0d9910767874c516e10c7bf3e3d104f73b3463c8d93a63418c76cb0d05e62e9c8642cb4f32caced2620912cb6c79e5110a27d5fba1ef3b4d0578077858526c5e4254365f2b2ab47a45df4af08980b3b7a9b66dff5b38c":"185f8d033713ee629e93561cf8d5acb8":"743bcb671d0aa1c547b5448d64d7c6b290777625ba28f25ca0fbf1fc66495a2fde0648a8db51039b0e7340d993aef8afb48269e660cb599837d1e46f72727762d887ee84c073d6136d1b0bc7d4c78f5673a4a6b73375937e8d54a47304845f38ca6b4f51cf14136a0826016535dc5ed003e38c3ac362b9d58ba8b555a05a1412":112:"fcad48076eb03ebe85c6d64f6357":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d89f06eb07744d43d44734faf9751d07":"36cc3b2f563305208a03378f7dc036119f7de3fee77cefac06515853d36609a622382ed026c59783fbc0d9910767874c516e10c7bf3e3d104f73b3463c8d93a63418c76cb0d05e62e9c8642cb4f32caced2620912cb6c79e5110a27d5fba1ef3b4d0578077858526c5e4254365f2b2ab47a45df4af08980b3b7a9b66dff5b38c":"185f8d033713ee629e93561cf8d5acb8":"743bcb671d0aa1c547b5448d64d7c6b290777625ba28f25ca0fbf1fc66495a2fde0648a8db51039b0e7340d993aef8afb48269e660cb599837d1e46f72727762d887ee84c073d6136d1b0bc7d4c78f5673a4a6b73375937e8d54a47304845f38ca6b4f51cf14136a0826016535dc5ed003e38c3ac362b9d58ba8b555a05a1412":112:"fcad48076eb03ebe85c6d64f6357":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6150f14dc53f391e815acfabed9f9e20":"fd8f337017e1b60d6618e6e4ad37c1f230cdeb78891579c2c63d4e6a4f7d2cb7252e99de333c73db45958808c08e91359c885a7385ab6f9ed98a27927a5b83c3a456ce2e01869712675e527155ba1e339ac14a3ccd7a4b87360902f2b8381308fe5a4eac5c90d0b84da4bf5b907de6ff3139cffd23b49a78750006100183032a":"7e92dd558bd2662c3a539dfe21a352cf":"9b4624e9118e6aa5dc65b69856638f77fd3f9f562046f50ba92a64e988258637932af7979f000505b84a71ff5dd7b60bad62586b1a8837a61c15a1a1ba7f06668272c28169915d7f06297b6c2a96c8c44203a422bfd25500c82e11274ffe07706365bfd3da34af4c4dd8ad7b620de7284a5af729bea9c4ed2631bdcba2ebdb7d":104:"922a7b48ad5bf61e6d70751cfe":"f272a3ee9b981f97785cc6fad350e516d72d402dae0d8a531c064ec64598b2a5760f9b279c10aa1ff71bec07300ab0373187138e7a103fc4130105afa6b6346f3d368b40d6f542375de97878ad4d976d64c5c4968a17be2b1757a17c03100231c34721250cd37cc596678764083ade89ae3b1a2151ff9151edcd7ba0eb8a4649":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6150f14dc53f391e815acfabed9f9e20":"fd8f337017e1b60d6618e6e4ad37c1f230cdeb78891579c2c63d4e6a4f7d2cb7252e99de333c73db45958808c08e91359c885a7385ab6f9ed98a27927a5b83c3a456ce2e01869712675e527155ba1e339ac14a3ccd7a4b87360902f2b8381308fe5a4eac5c90d0b84da4bf5b907de6ff3139cffd23b49a78750006100183032a":"7e92dd558bd2662c3a539dfe21a352cf":"9b4624e9118e6aa5dc65b69856638f77fd3f9f562046f50ba92a64e988258637932af7979f000505b84a71ff5dd7b60bad62586b1a8837a61c15a1a1ba7f06668272c28169915d7f06297b6c2a96c8c44203a422bfd25500c82e11274ffe07706365bfd3da34af4c4dd8ad7b620de7284a5af729bea9c4ed2631bdcba2ebdb7d":104:"922a7b48ad5bf61e6d70751cfe":"":"f272a3ee9b981f97785cc6fad350e516d72d402dae0d8a531c064ec64598b2a5760f9b279c10aa1ff71bec07300ab0373187138e7a103fc4130105afa6b6346f3d368b40d6f542375de97878ad4d976d64c5c4968a17be2b1757a17c03100231c34721250cd37cc596678764083ade89ae3b1a2151ff9151edcd7ba0eb8a4649":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3e8216072ed6fcde0fe0f636b27ed718":"3b50f2a8dca9f70178503d861d9e37f5edfafc80ee023bfed390a477372986e4794175ec22ac038c3461aba50c9b2379cab48512946efdfe2cb9c12a858b373a5309324f410e6a05e88ba892759dbee6e486dc9665f66cb5950ea7e71317fa94abbebd67a3948746a998173fbbb4f14f9effbdf66d3b6e346053496a4b1934ce":"23a122cf363c3117b8c663388c760ee4":"28ce0b4a44fa83323e060f3ff6436b8829d4f842090296bdc952b6d4a6b1b1a66be06168c63c4643e6ac186f7ffd8d144f603b2d4bc0d65be48121676f9fa1f359029c512bebfd75075ff357bc55f20fc76d9f2477c9930f16408f9f09c5ae86efa2529d2f1449ceeb635b83ca13662860ef9ac04a3d8ab4605eccd2d9ae5a71":104:"531a65cc5dfeca671cc64078d1":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3e8216072ed6fcde0fe0f636b27ed718":"3b50f2a8dca9f70178503d861d9e37f5edfafc80ee023bfed390a477372986e4794175ec22ac038c3461aba50c9b2379cab48512946efdfe2cb9c12a858b373a5309324f410e6a05e88ba892759dbee6e486dc9665f66cb5950ea7e71317fa94abbebd67a3948746a998173fbbb4f14f9effbdf66d3b6e346053496a4b1934ce":"23a122cf363c3117b8c663388c760ee4":"28ce0b4a44fa83323e060f3ff6436b8829d4f842090296bdc952b6d4a6b1b1a66be06168c63c4643e6ac186f7ffd8d144f603b2d4bc0d65be48121676f9fa1f359029c512bebfd75075ff357bc55f20fc76d9f2477c9930f16408f9f09c5ae86efa2529d2f1449ceeb635b83ca13662860ef9ac04a3d8ab4605eccd2d9ae5a71":104:"531a65cc5dfeca671cc64078d1":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1af434b73a1210b08595ffa686079832":"13f6c1c2d4edcf1438a7b4e85bcd1c84a989831a64d205e7854fce8817ddfceab67d10506ccf6ed9ce50080ef809e28e46cba7b0c96be6a811f59cd09cb3b7b3fe5073ee6763f40aee61e3e65356093f97deef5a8721d995e71db27a51f60a50e34ac3348852c445188cfc64337455f317f87535d465c6f96006f4079396eba3":"ae318f3cb881d1680f6afbf6713a9a2f":"3763c9241be0d9d9a9e46e64b12e107d16cca267ff87844c2325af910cc9a485c7015d95bbe62398864d079fb2b577ba0cfad923c24fa30691ad7d767d651eed4a33d0be8f06fed43f58b2e0bb04959f10b9e8e73bd80d3a6a8c8ce637bfbdb9d02c2b0a3dd8317c4997822031a35d34b3b61819b425c10c64e839b29874ddfb":104:"2ae7350dd3d1909a73f8d64255":"3cd2a770300ce4c85740666640936a0fe48888788702fc37e7a8296adb40b862ec799f257a16821adaa7315bd31e8dec60e4a8faeb8ba2ee606340f0219a6440e9c1d3168425e58fac02e8a88865f30649913d988353ab81f42a5ad43f960055f0877acda20f493208c2c40754fbf4ccee040975aa358ea3fe62cbd028c1611a":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1af434b73a1210b08595ffa686079832":"13f6c1c2d4edcf1438a7b4e85bcd1c84a989831a64d205e7854fce8817ddfceab67d10506ccf6ed9ce50080ef809e28e46cba7b0c96be6a811f59cd09cb3b7b3fe5073ee6763f40aee61e3e65356093f97deef5a8721d995e71db27a51f60a50e34ac3348852c445188cfc64337455f317f87535d465c6f96006f4079396eba3":"ae318f3cb881d1680f6afbf6713a9a2f":"3763c9241be0d9d9a9e46e64b12e107d16cca267ff87844c2325af910cc9a485c7015d95bbe62398864d079fb2b577ba0cfad923c24fa30691ad7d767d651eed4a33d0be8f06fed43f58b2e0bb04959f10b9e8e73bd80d3a6a8c8ce637bfbdb9d02c2b0a3dd8317c4997822031a35d34b3b61819b425c10c64e839b29874ddfb":104:"2ae7350dd3d1909a73f8d64255":"":"3cd2a770300ce4c85740666640936a0fe48888788702fc37e7a8296adb40b862ec799f257a16821adaa7315bd31e8dec60e4a8faeb8ba2ee606340f0219a6440e9c1d3168425e58fac02e8a88865f30649913d988353ab81f42a5ad43f960055f0877acda20f493208c2c40754fbf4ccee040975aa358ea3fe62cbd028c1611a":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"04036d2f5273c6ff5b8364aa595359c9":"acf79b6099490af938fb5fd8913255b3daa22786b03356cdf3e0ffaf570f9f866047b8e15c9953f893d97e7098265297396868ebc383be8547e8ec9d974b6a65b5dc5147cdadef2e2ad96696e84e44f364c2ba18c8aabe21f99489957b2b5484bf3fb4fecaf5ddaa1d373e910059c978918a3d01b955de2adb475914bf2c2067":"edc433c381140dff929d9df9f62f4cb6":"404acfeeea342aeea8c8b7449af9e20ddf5b85dc7770d2144a4dd05959613d04d0cfece5a21cbb1a9175ddc9443ffacd2085332eb4c337a12a7bb294c95960e7c0bde4b8ab30a91e50267bbd0b8d2a4ed381409ea2e4c84f9a2070a793ce3c90ea8a4b140651b452674f85d5b76d0055df115608bf3a3c60996108023ebabe65":96:"71f818f1a2b789fabbda8ec1":"4729cb642304de928b9dca32bb3d7b7836dd3973bbccf3f013c8ff4b59eca56f5d34d1b8f030a7b581b2f8fdc1e22b76a4cbc10095559876736d318d6c96c5c64cbd9fbd1d8eb4df38a2d56640d67d490d03acc1cd32d3f377eb1907bbd600f21d740b578080ba9c6ddc7dc6c50cdcee41fec51499cb944713c0961fc64f5a70":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"04036d2f5273c6ff5b8364aa595359c9":"acf79b6099490af938fb5fd8913255b3daa22786b03356cdf3e0ffaf570f9f866047b8e15c9953f893d97e7098265297396868ebc383be8547e8ec9d974b6a65b5dc5147cdadef2e2ad96696e84e44f364c2ba18c8aabe21f99489957b2b5484bf3fb4fecaf5ddaa1d373e910059c978918a3d01b955de2adb475914bf2c2067":"edc433c381140dff929d9df9f62f4cb6":"404acfeeea342aeea8c8b7449af9e20ddf5b85dc7770d2144a4dd05959613d04d0cfece5a21cbb1a9175ddc9443ffacd2085332eb4c337a12a7bb294c95960e7c0bde4b8ab30a91e50267bbd0b8d2a4ed381409ea2e4c84f9a2070a793ce3c90ea8a4b140651b452674f85d5b76d0055df115608bf3a3c60996108023ebabe65":96:"71f818f1a2b789fabbda8ec1":"":"4729cb642304de928b9dca32bb3d7b7836dd3973bbccf3f013c8ff4b59eca56f5d34d1b8f030a7b581b2f8fdc1e22b76a4cbc10095559876736d318d6c96c5c64cbd9fbd1d8eb4df38a2d56640d67d490d03acc1cd32d3f377eb1907bbd600f21d740b578080ba9c6ddc7dc6c50cdcee41fec51499cb944713c0961fc64f5a70":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"59fe44c6e28d025b2ad05e6e867051ab":"20e66bae1215de9a87a0b878d39015d17e0d4542a1aaba2000cefbd5f892c26a410f55f0d7dc2f6b66690f2997032985e5516e068bfc6ec8a3669f566e280b0cefded519023b735ee3bcbfc5b6ce8203b727933a750f9bd515ec448c1f3a030aa0f40e607727a3239ebbe655d46b38a3d867e481ccf0fadbf0d59b665d2ed6b5":"eb0c30320029433f66d29b3fd5c6563b":"49b7418b87374b462d25309b1c06e3132a3c8f4a4fcf29fed58e0902509426be712639db21c076df7b83dcfcc2c2c8fcc88576f4622a4366eb42f84ebf760e3eb22b14f8b5ff83f06a6f04a924eaab05b912e126e80da22461abf7f1925fd72ebdf2aea335a044726e7c2ebbb2b8aeebab4f7de5e186b50f275b700794d895d8":96:"296c4cdaeb94beb2847dc53d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"59fe44c6e28d025b2ad05e6e867051ab":"20e66bae1215de9a87a0b878d39015d17e0d4542a1aaba2000cefbd5f892c26a410f55f0d7dc2f6b66690f2997032985e5516e068bfc6ec8a3669f566e280b0cefded519023b735ee3bcbfc5b6ce8203b727933a750f9bd515ec448c1f3a030aa0f40e607727a3239ebbe655d46b38a3d867e481ccf0fadbf0d59b665d2ed6b5":"eb0c30320029433f66d29b3fd5c6563b":"49b7418b87374b462d25309b1c06e3132a3c8f4a4fcf29fed58e0902509426be712639db21c076df7b83dcfcc2c2c8fcc88576f4622a4366eb42f84ebf760e3eb22b14f8b5ff83f06a6f04a924eaab05b912e126e80da22461abf7f1925fd72ebdf2aea335a044726e7c2ebbb2b8aeebab4f7de5e186b50f275b700794d895d8":96:"296c4cdaeb94beb2847dc53d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c314264cee0e6db30ebe9b2f6d4991b2":"d436ff9abfb044a332c4e009b591719a67b12a5366da0a66edf19605c34daa37588e15dd3da0d1a097215e469439de79cca74e04cd4904e5b4a6cb4e0ea54e6ba4e624ed6bd48be32d1ef68ffea1639a14e91a5914c2346ea526df95cbd4ad1b8ee842da210b35b6315c3075ecc267d51643c4b39202d0ad793cbb0045ebdc19":"4cd4431bb6dea8eb18ae74e4c35a6698":"0eeafbfd04f9a0ea18e5bdc688c7df27183f346187e9574b61222006f2b3e12e8d9d9bf1f0f15949ee1a7ee8e5c80ee903b8ba2860e15ccb999929f280200b159c2adca481748d0632a7b40601c45055f8cb5126148e6cbab2c76f543537ab54eb276188343cea3c4ab0d7b65b8754e55cfe3f6a5c41b6ea3c08b81fcecc968a":96:"fda18d2f795d900f057fe872":"cb9e0fb0ac13ca730b79e34745584b362d0716c344e4de90d8352b21117471ba12c97f193150b33774baee5e4a0f11b10428eaf0106c958e16aa46c5f6f3d99eed93d1b9ba3957bed05a8b9cc8c5511cf813a66dc7d773cb735b0523d8d6b0b80639b031ddc375f714c6dd50055320cd7ed44a471c8d5645c938a9005d0b5050":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c314264cee0e6db30ebe9b2f6d4991b2":"d436ff9abfb044a332c4e009b591719a67b12a5366da0a66edf19605c34daa37588e15dd3da0d1a097215e469439de79cca74e04cd4904e5b4a6cb4e0ea54e6ba4e624ed6bd48be32d1ef68ffea1639a14e91a5914c2346ea526df95cbd4ad1b8ee842da210b35b6315c3075ecc267d51643c4b39202d0ad793cbb0045ebdc19":"4cd4431bb6dea8eb18ae74e4c35a6698":"0eeafbfd04f9a0ea18e5bdc688c7df27183f346187e9574b61222006f2b3e12e8d9d9bf1f0f15949ee1a7ee8e5c80ee903b8ba2860e15ccb999929f280200b159c2adca481748d0632a7b40601c45055f8cb5126148e6cbab2c76f543537ab54eb276188343cea3c4ab0d7b65b8754e55cfe3f6a5c41b6ea3c08b81fcecc968a":96:"fda18d2f795d900f057fe872":"":"cb9e0fb0ac13ca730b79e34745584b362d0716c344e4de90d8352b21117471ba12c97f193150b33774baee5e4a0f11b10428eaf0106c958e16aa46c5f6f3d99eed93d1b9ba3957bed05a8b9cc8c5511cf813a66dc7d773cb735b0523d8d6b0b80639b031ddc375f714c6dd50055320cd7ed44a471c8d5645c938a9005d0b5050":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"26072018bd0bda524b5beb66a622c63e":"91c524b359dae3bc49117eebfa610672af1e7754054607317d4c417e7b1a68453f72d355468f825aeb7fde044b20049aed196ec6646cce1eeeccf06cb394286272b573220cdb846613ebc4683442dccc7a19ec86ef1ec971c115726584ae1f4008f94e47d1290d8b6b7a932cfe07165fd2b94e8f96d15f73bf72939c73f4bd11":"c783d6d3b8392160e3b68038b43cf1f4":"8ae7c809a9dc40a6732a7384e3c64abb359c1b09dcb752e5a6b584873e3890230c6fc572b9ad24d849766f849c73f060fc48f664c1af9e6707e223691b77e170966ed164e0cc25ede3fbc3541c480f75b71e7be88fe730d8b361ea2733c6f37e6a59621de6004e020894b51dfb525973d641efe8d5fd9077a0bbc9dc7933a5de":64:"edffe55c60235556":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"26072018bd0bda524b5beb66a622c63e":"91c524b359dae3bc49117eebfa610672af1e7754054607317d4c417e7b1a68453f72d355468f825aeb7fde044b20049aed196ec6646cce1eeeccf06cb394286272b573220cdb846613ebc4683442dccc7a19ec86ef1ec971c115726584ae1f4008f94e47d1290d8b6b7a932cfe07165fd2b94e8f96d15f73bf72939c73f4bd11":"c783d6d3b8392160e3b68038b43cf1f4":"8ae7c809a9dc40a6732a7384e3c64abb359c1b09dcb752e5a6b584873e3890230c6fc572b9ad24d849766f849c73f060fc48f664c1af9e6707e223691b77e170966ed164e0cc25ede3fbc3541c480f75b71e7be88fe730d8b361ea2733c6f37e6a59621de6004e020894b51dfb525973d641efe8d5fd9077a0bbc9dc7933a5de":64:"edffe55c60235556":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"201751d3da98bd39ff4e5990a56cfea7":"2965af0bde3565a00e61cebbfe0b51b5b5ee98dbbfff7b1b5bf61da5ba537e6f4cf5fa07d2b20e518232c4961e6bc3ae247b797429da5d7eee2fc675b07066ac2e670261c6e9a91d920c7076101d86d5ef422b58e74bdc1e0b1d58298d3ee0f510ee3a3f63a3bbc24a55be556e465c20525dd100e33815c2a128ac89574884c1":"6172468634bf4e5dda96f67d433062d7":"ae2d770f40706e1eaa36e087b0093ec11ed58afbde4695794745e7523be0a1e4e54daade393f68ba770956d1cfb267b083431851d713249ffe4b61227f1784769ce8c9127f54271526d54181513aca69dc013b2dfb4a5277f4798b1ff674bca79b3dec4a7a27fcf2905ae0ce03f727c315662cd906e57aa557d1023cce2acd84":64:"66c247e5ad4e1d6a":"efd064d4b4ef4c37b48ddf2fa6f5facc5e9cc4c3255b23a1e3765fabb5a339fa0eda754a5381b72989fc1323ff9a6bbaecd904eb4835e5a511b922927574673061ed8de23299ea1456054e7ebb62869878c34fb95e48c8385b5ebceecb962654cf1586b3f54e7887ce31850363e9a22be9e6fbc22e694db81aa055490495dbf2":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"201751d3da98bd39ff4e5990a56cfea7":"2965af0bde3565a00e61cebbfe0b51b5b5ee98dbbfff7b1b5bf61da5ba537e6f4cf5fa07d2b20e518232c4961e6bc3ae247b797429da5d7eee2fc675b07066ac2e670261c6e9a91d920c7076101d86d5ef422b58e74bdc1e0b1d58298d3ee0f510ee3a3f63a3bbc24a55be556e465c20525dd100e33815c2a128ac89574884c1":"6172468634bf4e5dda96f67d433062d7":"ae2d770f40706e1eaa36e087b0093ec11ed58afbde4695794745e7523be0a1e4e54daade393f68ba770956d1cfb267b083431851d713249ffe4b61227f1784769ce8c9127f54271526d54181513aca69dc013b2dfb4a5277f4798b1ff674bca79b3dec4a7a27fcf2905ae0ce03f727c315662cd906e57aa557d1023cce2acd84":64:"66c247e5ad4e1d6a":"":"efd064d4b4ef4c37b48ddf2fa6f5facc5e9cc4c3255b23a1e3765fabb5a339fa0eda754a5381b72989fc1323ff9a6bbaecd904eb4835e5a511b922927574673061ed8de23299ea1456054e7ebb62869878c34fb95e48c8385b5ebceecb962654cf1586b3f54e7887ce31850363e9a22be9e6fbc22e694db81aa055490495dbf2":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3bc0dcb5261a641a08e6cb00d23e4deb":"d533ad89a1a578db330c01b4e04d08238b020e36aebe87cf2b0bf0b01f1ce4197be8b0596e475a95946918152e8b334ba89f60486c31f0bd8773ca4ff1319fe92197088b131e728d64405441c4fb5466641f0b8682e6cb371f8a8936140b16677f6def8b3dd9cbf47a73f553f1dca4320ad76f387e92f910f9434543f0df0626":"16fa19f69fceed9e97173207158755a5":"92ddd3b98f08fc8538f6106f6434a1efa0a7441cc7f6fd0841103c2e4dd181ea0c9a4811b3cb1bad1986a44d8addabc02dd6980daf7d60405b38dadc836bb1d0620ceab84e0134aca7c30f9f9490436b27acfd7052f9d7f0379b8e7116571017add46b9976f4b41431d47bae6f5f34dc42410793bc26c84bfe84fb53ae138c85":64:"f5289e1204ace3b2":"be0c30deeffbe51706247928132002b24d29272eee6b9d618483868e67280236632fa1ae06f3ef793f67bd01b1b01f70a827367c1cd28f778910457c7cbd977dfefff1f84a522247e19b2fd01fa22ce67cef9503d45c80a5084741f04108f2462b7cdd06a8f1f044fea2b05e920bcc061fbc6910175d732f45102a63c76ae48c":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3bc0dcb5261a641a08e6cb00d23e4deb":"d533ad89a1a578db330c01b4e04d08238b020e36aebe87cf2b0bf0b01f1ce4197be8b0596e475a95946918152e8b334ba89f60486c31f0bd8773ca4ff1319fe92197088b131e728d64405441c4fb5466641f0b8682e6cb371f8a8936140b16677f6def8b3dd9cbf47a73f553f1dca4320ad76f387e92f910f9434543f0df0626":"16fa19f69fceed9e97173207158755a5":"92ddd3b98f08fc8538f6106f6434a1efa0a7441cc7f6fd0841103c2e4dd181ea0c9a4811b3cb1bad1986a44d8addabc02dd6980daf7d60405b38dadc836bb1d0620ceab84e0134aca7c30f9f9490436b27acfd7052f9d7f0379b8e7116571017add46b9976f4b41431d47bae6f5f34dc42410793bc26c84bfe84fb53ae138c85":64:"f5289e1204ace3b2":"":"be0c30deeffbe51706247928132002b24d29272eee6b9d618483868e67280236632fa1ae06f3ef793f67bd01b1b01f70a827367c1cd28f778910457c7cbd977dfefff1f84a522247e19b2fd01fa22ce67cef9503d45c80a5084741f04108f2462b7cdd06a8f1f044fea2b05e920bcc061fbc6910175d732f45102a63c76ae48c":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"239c15492d6deec979e79236baca4635":"d64886ce5f5b4adb7fe8f95904bc1461749c931655b02819ffdd0ae31bad4175125aa68962f8e36ec834a7d53a191a74c937e81ec93ad9ce0d3b286d3c11ff1733c0b7780130768c120b1833933561cf07399ca49b912370ae34f0e49b9c8cb9920eddc6816ab2ae261c6d7f70058a9b83a494026f249e58c4c613eefafe6974":"916b8b5417578fa83d2e9e9b8e2e7f6b":"b39eb732bc296c555cc9f00cf4caaf37d012329f344a6b74a873baf0d8dde9631f5e57b45b957d6aec0f7978e573dd78b43d459b77756037cd64d10d49966eb3a2a08d0f4d5e4f5dcb8713f4e4756acdf9925c5fc6120c477f6dffc59b0b47a3d5efd32b8c9052b321bb9b5129e5c6a095d8de563601b34608456f58d7221f2d":32:"fc08cbbe":"95c169721ea007c3f292e4ec7562a426d9baa7d374fd82e1e48d1eaca93d891d5ffa9acf5e3bd82e713ac627141e26a8b654920baffab948401cc3c390d6eea9d7b78c4fcb080b0aa9222e4d51bf201ccfd9328995831435e065d92ad37ee41c7c4366cc1efe15c07fc0470608866aeea96997772ecf926934c5d02efe05f250":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"239c15492d6deec979e79236baca4635":"d64886ce5f5b4adb7fe8f95904bc1461749c931655b02819ffdd0ae31bad4175125aa68962f8e36ec834a7d53a191a74c937e81ec93ad9ce0d3b286d3c11ff1733c0b7780130768c120b1833933561cf07399ca49b912370ae34f0e49b9c8cb9920eddc6816ab2ae261c6d7f70058a9b83a494026f249e58c4c613eefafe6974":"916b8b5417578fa83d2e9e9b8e2e7f6b":"b39eb732bc296c555cc9f00cf4caaf37d012329f344a6b74a873baf0d8dde9631f5e57b45b957d6aec0f7978e573dd78b43d459b77756037cd64d10d49966eb3a2a08d0f4d5e4f5dcb8713f4e4756acdf9925c5fc6120c477f6dffc59b0b47a3d5efd32b8c9052b321bb9b5129e5c6a095d8de563601b34608456f58d7221f2d":32:"fc08cbbe":"":"95c169721ea007c3f292e4ec7562a426d9baa7d374fd82e1e48d1eaca93d891d5ffa9acf5e3bd82e713ac627141e26a8b654920baffab948401cc3c390d6eea9d7b78c4fcb080b0aa9222e4d51bf201ccfd9328995831435e065d92ad37ee41c7c4366cc1efe15c07fc0470608866aeea96997772ecf926934c5d02efe05f250":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"db68a96e216b0dd9945f14b878487e03":"5634196a32d4cbfa7a2f874a1e0f86287d2942090e0cc6a82bd5caf40136a27ddf524a17713ce4af04ca6cb640a7205cce4ac9cb2d0ab380d533e1e968089ea5740c0fcbfa51f2424008e0b89dc7b3396b224cfaed53b3ac0604879983d3e6e6d36053de4866f52976890f72b8f4b9505e4ebdd04c0497048c3ce19336133ea4":"8a1a72e7bb740ec37ea4619c3007f8ae":"1b4f37190a59a4fff41d348798d1829031204fd7ac2a1be7b5ea385567e95e2ace25bf9e324488dd3ab8ce7f29d4c9a4f4b1a8a97f774871ee825e2c17700128d3c55908d3b684a1f550fdb8b38149ff759c21debdd54e49d64d3e8aac803dfd81600464ed484749bb993f89d4224b3d7d55c756b454466ff9fd609019ed5e83":32:"9251d3e3":"0c6bb3ee5de5cbb4b39d85d509bcacb3dda63fa50897936531339882962e8dc54c285c8944768d12096d4a3c2b42ffa92603cee2da9b435ec52908fca6d38ed74f898fe0ffa761f96038ff7dfeccc65bb841c3457b8de1e97d9bee82e2911602ee2dc555b33a227424dea86d610d37c447776295b412b412903ad2cede5170b6":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"db68a96e216b0dd9945f14b878487e03":"5634196a32d4cbfa7a2f874a1e0f86287d2942090e0cc6a82bd5caf40136a27ddf524a17713ce4af04ca6cb640a7205cce4ac9cb2d0ab380d533e1e968089ea5740c0fcbfa51f2424008e0b89dc7b3396b224cfaed53b3ac0604879983d3e6e6d36053de4866f52976890f72b8f4b9505e4ebdd04c0497048c3ce19336133ea4":"8a1a72e7bb740ec37ea4619c3007f8ae":"1b4f37190a59a4fff41d348798d1829031204fd7ac2a1be7b5ea385567e95e2ace25bf9e324488dd3ab8ce7f29d4c9a4f4b1a8a97f774871ee825e2c17700128d3c55908d3b684a1f550fdb8b38149ff759c21debdd54e49d64d3e8aac803dfd81600464ed484749bb993f89d4224b3d7d55c756b454466ff9fd609019ed5e83":32:"9251d3e3":"":"0c6bb3ee5de5cbb4b39d85d509bcacb3dda63fa50897936531339882962e8dc54c285c8944768d12096d4a3c2b42ffa92603cee2da9b435ec52908fca6d38ed74f898fe0ffa761f96038ff7dfeccc65bb841c3457b8de1e97d9bee82e2911602ee2dc555b33a227424dea86d610d37c447776295b412b412903ad2cede5170b6":0
 
 AES-GCM NIST Validation (AES-128,128,1024,1024,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"659b9e729d12f68b73fdc2f7260ab114":"fd0732a38224c3f16f58de3a7f333da2ecdb6eec92b469544a891966dd4f8fb64a711a793f1ef6a90e49765eacaccdd8cc438c2b57c51902d27a82ee4f24925a864a9513a74e734ddbf77204a99a3c0060fcfbaccae48fe509bc95c3d6e1b1592889c489801265715e6e4355a45357ce467c1caa2f1c3071bd3a9168a7d223e3":"459df18e2dfbd66d6ad04978432a6d97":"ee0b0b52a729c45b899cc924f46eb1908e55aaaeeaa0c4cdaacf57948a7993a6debd7b6cd7aa426dc3b3b6f56522ba3d5700a820b1697b8170bad9ca7caf1050f13d54fb1ddeb111086cb650e1c5f4a14b6a927205a83bf49f357576fd0f884a83b068154352076a6e36a5369436d2c8351f3e6bfec65b4816e3eb3f144ed7f9":32:"8e5a6a79":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"659b9e729d12f68b73fdc2f7260ab114":"fd0732a38224c3f16f58de3a7f333da2ecdb6eec92b469544a891966dd4f8fb64a711a793f1ef6a90e49765eacaccdd8cc438c2b57c51902d27a82ee4f24925a864a9513a74e734ddbf77204a99a3c0060fcfbaccae48fe509bc95c3d6e1b1592889c489801265715e6e4355a45357ce467c1caa2f1c3071bd3a9168a7d223e3":"459df18e2dfbd66d6ad04978432a6d97":"ee0b0b52a729c45b899cc924f46eb1908e55aaaeeaa0c4cdaacf57948a7993a6debd7b6cd7aa426dc3b3b6f56522ba3d5700a820b1697b8170bad9ca7caf1050f13d54fb1ddeb111086cb650e1c5f4a14b6a927205a83bf49f357576fd0f884a83b068154352076a6e36a5369436d2c8351f3e6bfec65b4816e3eb3f144ed7f9":32:"8e5a6a79":"FAIL":"":0
 
 AES-GCM Bad IV (AES-128,128,0,0,32) #0
 depends_on:MBEDTLS_AES_C
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.aes192_de.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.aes192_de.data
index 9e7bad00f7..34f74ac061 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.aes192_de.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.aes192_de.data
@@ -1,674 +1,674 @@
 AES-GCM NIST Validation (AES-192,128,0,0,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"806766a4d2b6507cc4113bc0e46eebe120eacd948c24dc7f":"":"4f801c772395c4519ec830980c8ca5a4":"":128:"8fa16452b132bebc6aa521e92cb3b0ea":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"806766a4d2b6507cc4113bc0e46eebe120eacd948c24dc7f":"":"4f801c772395c4519ec830980c8ca5a4":"":128:"8fa16452b132bebc6aa521e92cb3b0ea":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0c2abdcd2e4ae4137509761a38e6ca436b99c21b141f28f5":"":"335ca01a07081fea4e605eb5f23a778e":"":128:"d7f475dfcb92a75bc8521c12bb2e8b86":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0c2abdcd2e4ae4137509761a38e6ca436b99c21b141f28f5":"":"335ca01a07081fea4e605eb5f23a778e":"":128:"d7f475dfcb92a75bc8521c12bb2e8b86":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"eef490a0c2ecb32472e1654184340cc7433c34da981c062d":"":"d9172c3344d37ff93d2dcb2170ea5d01":"":128:"017fef05260a496654896d4703db3888":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"eef490a0c2ecb32472e1654184340cc7433c34da981c062d":"":"d9172c3344d37ff93d2dcb2170ea5d01":"":128:"017fef05260a496654896d4703db3888":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe0c3490f1f0dba23cf5c64e6e1740d06f85e0afec6772f3":"":"f47e915163fa3df7f6c15b9d69f53907":"":120:"14e1a057a2e7ffbd2208e9c25dbba1":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe0c3490f1f0dba23cf5c64e6e1740d06f85e0afec6772f3":"":"f47e915163fa3df7f6c15b9d69f53907":"":120:"14e1a057a2e7ffbd2208e9c25dbba1":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4356b3b1f308df3573509945afe5268984f9d953f01096de":"":"a35b397b34a14a8e24d05a37be4d1822":"":120:"e045ecba220d22c80826b77a21b013":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4356b3b1f308df3573509945afe5268984f9d953f01096de":"":"a35b397b34a14a8e24d05a37be4d1822":"":120:"e045ecba220d22c80826b77a21b013":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e2898937cc575c8bb7444413884deafe8eaf326be8849e42":"":"169a449ccb3eb29805b15304d603b132":"":120:"3a807251f3d6242849a69972b14f6d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e2898937cc575c8bb7444413884deafe8eaf326be8849e42":"":"169a449ccb3eb29805b15304d603b132":"":120:"3a807251f3d6242849a69972b14f6d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"75683c7df0442e10b5368fcd6bb481f0bff8d95aae90487e":"":"538641f7d1cc5c68715971cee607da73":"":112:"07d68fffe417adc3397706d73b95":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"75683c7df0442e10b5368fcd6bb481f0bff8d95aae90487e":"":"538641f7d1cc5c68715971cee607da73":"":112:"07d68fffe417adc3397706d73b95":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0724ee1f317997ce77bb659446fcb5a557490f40597341c7":"":"0d8eb78032d83c676820b2ef5ccc2cc8":"":112:"7da181563b26c7aefeb29e71cc69":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0724ee1f317997ce77bb659446fcb5a557490f40597341c7":"":"0d8eb78032d83c676820b2ef5ccc2cc8":"":112:"7da181563b26c7aefeb29e71cc69":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"be2f0f4ae4ab851b258ec5602628df261b6a69e309ff9043":"":"646a91d83ae72b9b9e9fce64135cbf73":"":112:"169e717e2bae42e3eb61d0a1a29b":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"be2f0f4ae4ab851b258ec5602628df261b6a69e309ff9043":"":"646a91d83ae72b9b9e9fce64135cbf73":"":112:"169e717e2bae42e3eb61d0a1a29b":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"583c328daecd18c2ac5c83a0c263de194a4c73aa4700fe76":"":"55e10d5e9b438b02505d30f211b16fea":"":104:"95c0a4ea9e80f91a4acce500f7":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"583c328daecd18c2ac5c83a0c263de194a4c73aa4700fe76":"":"55e10d5e9b438b02505d30f211b16fea":"":104:"95c0a4ea9e80f91a4acce500f7":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b40857e7e6f26050f1e9a6cbe05e15a0ba07c2055634ad47":"":"e25ef162a4295d7d24de75a673172346":"":104:"89ea4d1f34edb716b322ea7f6f":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b40857e7e6f26050f1e9a6cbe05e15a0ba07c2055634ad47":"":"e25ef162a4295d7d24de75a673172346":"":104:"89ea4d1f34edb716b322ea7f6f":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"627008956e31fea497fb120b438a2a043c23b1b38dc6bc10":"":"08ea464baac54469b0498419d83820e6":"":104:"ab064a8d380fe2cda38e61f9e1":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"627008956e31fea497fb120b438a2a043c23b1b38dc6bc10":"":"08ea464baac54469b0498419d83820e6":"":104:"ab064a8d380fe2cda38e61f9e1":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8c386d67d7c2bfd46b8571d8685b35741e87a3ed4a46c9db":"":"766996fb67ace9e6a22d7f802455d4ef":"":96:"9a641be173dc3557ea015372":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8c386d67d7c2bfd46b8571d8685b35741e87a3ed4a46c9db":"":"766996fb67ace9e6a22d7f802455d4ef":"":96:"9a641be173dc3557ea015372":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"711bc5aa6b94fa3287fad0167ac1a9ef5e8e01c16a79e95a":"":"75cdb8b83017f3dc5ac8733016ab47c7":"":96:"81e3a5580234d8e0b2204bc3":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"711bc5aa6b94fa3287fad0167ac1a9ef5e8e01c16a79e95a":"":"75cdb8b83017f3dc5ac8733016ab47c7":"":96:"81e3a5580234d8e0b2204bc3":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c74620828402e0bdf3f7a5353668505dc1550a31debce59a":"":"cfbefe265583ab3a2285e8080141ba48":"":96:"355a43bcebbe7f72b6cd27ea":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c74620828402e0bdf3f7a5353668505dc1550a31debce59a":"":"cfbefe265583ab3a2285e8080141ba48":"":96:"355a43bcebbe7f72b6cd27ea":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1eb53aa548b41bfdc85c657ebdebdae0c7e525a6432bc012":"":"37ffc64d4b2d9c82dd17d1ad3076d82b":"":64:"34b8e037084b3f2d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1eb53aa548b41bfdc85c657ebdebdae0c7e525a6432bc012":"":"37ffc64d4b2d9c82dd17d1ad3076d82b":"":64:"34b8e037084b3f2d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"50d077575f6db91024a8e564db83324539e9b7add7bb98e4":"":"118d0283294d4084127cce4b0cd5b5fa":"":64:"507a361d8ac59882":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"50d077575f6db91024a8e564db83324539e9b7add7bb98e4":"":"118d0283294d4084127cce4b0cd5b5fa":"":64:"507a361d8ac59882":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d9ddca0807305025d61919ed7893d7d5c5a3c9f012f4842f":"":"b78d518b6c41a9e031a00b10fb178327":"":64:"f401d546c8b739ff":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d9ddca0807305025d61919ed7893d7d5c5a3c9f012f4842f":"":"b78d518b6c41a9e031a00b10fb178327":"":64:"f401d546c8b739ff":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6ed8d8afde4dc3872cbc274d7c47b719205518496dd7951d":"":"14eb280288740d464e3b8f296c642daa":"":32:"39e64d7a":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6ed8d8afde4dc3872cbc274d7c47b719205518496dd7951d":"":"14eb280288740d464e3b8f296c642daa":"":32:"39e64d7a":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"80aace5ab74f261bc09ac6f66898f69e7f348f805d52404d":"":"f54bf4aac8fb631c8b6ff5e96465fae6":"":32:"1ec1c1a1":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"80aace5ab74f261bc09ac6f66898f69e7f348f805d52404d":"":"f54bf4aac8fb631c8b6ff5e96465fae6":"":32:"1ec1c1a1":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"23b76efd0dbc8d501885ab7d43a7dacde91edd9cde1e1048":"":"75532d15e582e6c477b411e727d4171e":"":32:"76a0e017":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"23b76efd0dbc8d501885ab7d43a7dacde91edd9cde1e1048":"":"75532d15e582e6c477b411e727d4171e":"":32:"76a0e017":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"94c50453dd3ef7f7ea763ae13fa34debb9c1198abbf32326":"":"1afe962bc46e36099165552ddb329ac6":"b2920dd9b0325a87e8edda8db560bfe287e44df79cf61edba3b2c95e34629638ecb86584f05a303603065e63323523f6ccc5b605679d1722cde5561f89d268d5f8db8e6bdffda4839c4a04982e8314da78e89f8f8ad9c0fee86332906bf78d2f20afcaabdc282008c6d09df2bfe9be2c9027bb49268b8be8936be39fa8b1ae03":128:"51e1f19a7dea5cfe9b9ca9d09096c3e7":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"94c50453dd3ef7f7ea763ae13fa34debb9c1198abbf32326":"":"1afe962bc46e36099165552ddb329ac6":"b2920dd9b0325a87e8edda8db560bfe287e44df79cf61edba3b2c95e34629638ecb86584f05a303603065e63323523f6ccc5b605679d1722cde5561f89d268d5f8db8e6bdffda4839c4a04982e8314da78e89f8f8ad9c0fee86332906bf78d2f20afcaabdc282008c6d09df2bfe9be2c9027bb49268b8be8936be39fa8b1ae03":128:"51e1f19a7dea5cfe9b9ca9d09096c3e7":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c6a98102af3d875bcdebe594661d3a6b376970c02b11d019":"":"bea8cd85a28a2c05bf7406b8eef1efcc":"f2f80e2c042092cc7240b598ab30fad055bce85408aa0f8cefaf8a7204f0e2acb87c78f46a5867b1f1c19461cbf5ed5d2ca21c96a63fb1f42f10f394952e63520795c56df77d6a04cb5ad006ee865a47dc2349a814a630b3d4c4e0fd149f51e8fa846656ea569fd29a1ebafc061446eb80ec182f833f1f6d9083545abf52fa4c":128:"04b80f25ae9d07f5fd8220263ac3f2f7":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c6a98102af3d875bcdebe594661d3a6b376970c02b11d019":"":"bea8cd85a28a2c05bf7406b8eef1efcc":"f2f80e2c042092cc7240b598ab30fad055bce85408aa0f8cefaf8a7204f0e2acb87c78f46a5867b1f1c19461cbf5ed5d2ca21c96a63fb1f42f10f394952e63520795c56df77d6a04cb5ad006ee865a47dc2349a814a630b3d4c4e0fd149f51e8fa846656ea569fd29a1ebafc061446eb80ec182f833f1f6d9083545abf52fa4c":128:"04b80f25ae9d07f5fd8220263ac3f2f7":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ec3cc45a22fdc7cc79ed658d9e9dbc138dcc7d6e795cba1a":"":"b10d9c70205e142704f9d1f74caee0f6":"714994017c169c574aaff2f8bad15f8fa6a385117f5405f74846eca873ca4a8f4876adf704f2fcaff2dfa75c17afefd08a4707292debc6d9fafda6244ca509bc52b0c6b70f09b14c0d7c667583c091d4064e241ba1f82dd43dc3ea4b8922be65faf5583f6b21ff5b22d3632eb4a426675648250e4b3e37c688d6129b954ef6a8":128:"d22407fd3ae1921d1b380461d2e60210":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ec3cc45a22fdc7cc79ed658d9e9dbc138dcc7d6e795cba1a":"":"b10d9c70205e142704f9d1f74caee0f6":"714994017c169c574aaff2f8bad15f8fa6a385117f5405f74846eca873ca4a8f4876adf704f2fcaff2dfa75c17afefd08a4707292debc6d9fafda6244ca509bc52b0c6b70f09b14c0d7c667583c091d4064e241ba1f82dd43dc3ea4b8922be65faf5583f6b21ff5b22d3632eb4a426675648250e4b3e37c688d6129b954ef6a8":128:"d22407fd3ae1921d1b380461d2e60210":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5a32ebc7a2338038ced36d2b85cbc6c45cca9845a7c5aa99":"":"9afe0882e418c9af205eeb90e131d212":"61ff8a8bc22803f17e8e9f01aff865bc7d3083ff413ce392a989e46ebed5114894de906f7d36439024d8f2e69cc815ac043fff2f75169f6c9aa9761ff32d10a1353213ac756cb84bd3613f8261ef390e1d00c3a8fb82764b0cda4e0049219e87d2e92c38f78ffac242391f838a248f608bb2b56b31bbb453d1098e99d079ea1b":120:"fcbb932ddb0128df78a71971c52838":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5a32ebc7a2338038ced36d2b85cbc6c45cca9845a7c5aa99":"":"9afe0882e418c9af205eeb90e131d212":"61ff8a8bc22803f17e8e9f01aff865bc7d3083ff413ce392a989e46ebed5114894de906f7d36439024d8f2e69cc815ac043fff2f75169f6c9aa9761ff32d10a1353213ac756cb84bd3613f8261ef390e1d00c3a8fb82764b0cda4e0049219e87d2e92c38f78ffac242391f838a248f608bb2b56b31bbb453d1098e99d079ea1b":120:"fcbb932ddb0128df78a71971c52838":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9bf22885e7f13bcc63bb0a2ca90c20e5c86001f05edf85d8":"":"99dec21f4781284722b5074ea567c171":"9f4176dacf26e27aa0e669cd4d44bca41f83468c70b54c745a601408a214bf876941ae2ae4d26929113f5de2e7d15a7bb656541292137bf2129fdc31f06f070e3cfaf0a7b30d93d8d3c76a981d75cd0ffa0bcacb34597d5be1a055c35eefeddc07ee098603e48ad88eb7a2ec19c1aefc5c7be9a237797397aa27590d5261f67a":120:"18fd1feec5e3bbf0985312dd6100d1":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9bf22885e7f13bcc63bb0a2ca90c20e5c86001f05edf85d8":"":"99dec21f4781284722b5074ea567c171":"9f4176dacf26e27aa0e669cd4d44bca41f83468c70b54c745a601408a214bf876941ae2ae4d26929113f5de2e7d15a7bb656541292137bf2129fdc31f06f070e3cfaf0a7b30d93d8d3c76a981d75cd0ffa0bcacb34597d5be1a055c35eefeddc07ee098603e48ad88eb7a2ec19c1aefc5c7be9a237797397aa27590d5261f67a":120:"18fd1feec5e3bbf0985312dd6100d1":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cfd75a9d3788d965895553ab5fb7a8ff0aa383b7594850a6":"":"a6df69e5f77f4d99d5318c45c87451b2":"041aeb2fa0f7df027cd7709a992e041179d499f5dbccd389035bf7e514a38b5f8368379d2d7b5015d4fa6fadfd7c75abd2d855f5ea4220315fad2c2d435d910253bf76f252a21c57fe74f7247dac32f4276d793d30d48dd61d0e14a4b7f07a56c94d3799d04324dfb2b27a22a5077e280422d4f014f253d138e74c9ac3428a7b":120:"fd78b9956e4e4522605db410f97e84":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cfd75a9d3788d965895553ab5fb7a8ff0aa383b7594850a6":"":"a6df69e5f77f4d99d5318c45c87451b2":"041aeb2fa0f7df027cd7709a992e041179d499f5dbccd389035bf7e514a38b5f8368379d2d7b5015d4fa6fadfd7c75abd2d855f5ea4220315fad2c2d435d910253bf76f252a21c57fe74f7247dac32f4276d793d30d48dd61d0e14a4b7f07a56c94d3799d04324dfb2b27a22a5077e280422d4f014f253d138e74c9ac3428a7b":120:"fd78b9956e4e4522605db410f97e84":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b0b21ae138485591c6bef7b3d5a0aa0e9762c30a50e4bba2":"":"56dc980e1cba1bc2e3b4a0733d7897ca":"a38458e5cc71f22f6f5880dc018c5777c0e6c8a1301e7d0300c02c976423c2b65f522db4a90401035346d855c892cbf27092c81b969e99cb2b6198e450a95c547bb0145652c9720aaf72a975e4cb5124b483a42f84b5cd022367802c5f167a7dfc885c1f983bb4525a88c8257df3067b6d36d2dbf6323df80c3eaeffc2d176a5":112:"b11f5c0e8cb6fea1a170c9342437":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b0b21ae138485591c6bef7b3d5a0aa0e9762c30a50e4bba2":"":"56dc980e1cba1bc2e3b4a0733d7897ca":"a38458e5cc71f22f6f5880dc018c5777c0e6c8a1301e7d0300c02c976423c2b65f522db4a90401035346d855c892cbf27092c81b969e99cb2b6198e450a95c547bb0145652c9720aaf72a975e4cb5124b483a42f84b5cd022367802c5f167a7dfc885c1f983bb4525a88c8257df3067b6d36d2dbf6323df80c3eaeffc2d176a5":112:"b11f5c0e8cb6fea1a170c9342437":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8775665aba345b1c3e626128b5afa3d0da8f4d36b8cf1ca6":"":"cd17f761670e1f104f8ea4fb0cec7166":"2ee08a51ceaca1dbbb3ee09b72f57427fd34bd95da5b4c0933cbb0fc2f7270cffd3476aa05deeb892a7e6a8a3407e61f8631d1a00e47d46efb918393ee5099df7d65c12ab8c9640bfcb3a6cce00c3243d0b3f316f0822cfeae05ee67b419393cc81846b60c42aeb5c53f0ede1280dc36aa8ef59addd10668dd61557ce760c544":112:"6cdf60e62c91a6a944fa80da1854":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8775665aba345b1c3e626128b5afa3d0da8f4d36b8cf1ca6":"":"cd17f761670e1f104f8ea4fb0cec7166":"2ee08a51ceaca1dbbb3ee09b72f57427fd34bd95da5b4c0933cbb0fc2f7270cffd3476aa05deeb892a7e6a8a3407e61f8631d1a00e47d46efb918393ee5099df7d65c12ab8c9640bfcb3a6cce00c3243d0b3f316f0822cfeae05ee67b419393cc81846b60c42aeb5c53f0ede1280dc36aa8ef59addd10668dd61557ce760c544":112:"6cdf60e62c91a6a944fa80da1854":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cc9922299b47725952f06272168b728218d2443028d81597":"":"9b2f1a40717afcdbb6a95d6e335c9e4d":"bcfca8420bc7b9df0290d8c1bcf4e3e66d3a4be1c947af82dd541336e44e2c4fa7c6b456980b174948de30b694232b03f8eb990f849b5f57762886b449671e4f0b5e7a173f12910393bdf5c162163584c774ad3bba39794767a4cc45f4a582d307503960454631cdf551e528a863f2e014b1fca4955a78bd545dec831e4d71c7":112:"dd515e5a8b41ecc441443a749b31":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cc9922299b47725952f06272168b728218d2443028d81597":"":"9b2f1a40717afcdbb6a95d6e335c9e4d":"bcfca8420bc7b9df0290d8c1bcf4e3e66d3a4be1c947af82dd541336e44e2c4fa7c6b456980b174948de30b694232b03f8eb990f849b5f57762886b449671e4f0b5e7a173f12910393bdf5c162163584c774ad3bba39794767a4cc45f4a582d307503960454631cdf551e528a863f2e014b1fca4955a78bd545dec831e4d71c7":112:"dd515e5a8b41ecc441443a749b31":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5a27d718f21c5cbdc52a745b931bc77bd1afa8b1231f8815":"":"59661051912fba45023aef4e6f9380a5":"2b7ce5cea81300ed23501493310f1316581ef8a50e37eaadd4bb5f527add6deb09e7dcc67652e44ac889b48726d8c0ae80e2b3a89dd34232eb1da32f7f4fcd5bf8e920d286db8604f23ab06eab3e6f99beb55fe3725107e9d67a491cdada1580717bbf64c28799c9ab67922da9194747f32fd84197070a86838d1c9ebae379b7":104:"f33e8f42b58f45a0456f83a13e":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5a27d718f21c5cbdc52a745b931bc77bd1afa8b1231f8815":"":"59661051912fba45023aef4e6f9380a5":"2b7ce5cea81300ed23501493310f1316581ef8a50e37eaadd4bb5f527add6deb09e7dcc67652e44ac889b48726d8c0ae80e2b3a89dd34232eb1da32f7f4fcd5bf8e920d286db8604f23ab06eab3e6f99beb55fe3725107e9d67a491cdada1580717bbf64c28799c9ab67922da9194747f32fd84197070a86838d1c9ebae379b7":104:"f33e8f42b58f45a0456f83a13e":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b83e933cf54ac58f8c7e5ed18e4ed2213059158ed9cb2c30":"":"8710af55dd79da45a4b24f6e972bc60a":"b7a428bc68696cee06f2f8b43f63b47914e29f04a4a40c0eec6193a9a24bbe012d68bea5573382dd579beeb0565b0e0334cce6724997138b198fce8325f07069d6890ac4c052e127aa6e70a6248e6536d1d3c6ac60d8cd14d9a45200f6540305f882df5fca2cac48278f94fe502b5abe2992fa2719b0ce98b7ef1b5582e0151c":104:"380128ad7f35be87a17c9590fa":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b83e933cf54ac58f8c7e5ed18e4ed2213059158ed9cb2c30":"":"8710af55dd79da45a4b24f6e972bc60a":"b7a428bc68696cee06f2f8b43f63b47914e29f04a4a40c0eec6193a9a24bbe012d68bea5573382dd579beeb0565b0e0334cce6724997138b198fce8325f07069d6890ac4c052e127aa6e70a6248e6536d1d3c6ac60d8cd14d9a45200f6540305f882df5fca2cac48278f94fe502b5abe2992fa2719b0ce98b7ef1b5582e0151c":104:"380128ad7f35be87a17c9590fa":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d2f85f92092385f15da43a086cff64c7448b4ee5a83ed72e":"":"9026dfd09e4553cd51c4c13ce70830de":"3c8de64c14df73c1b470a9d8aa693af96e487d548d03a92ce59c0baec8576129945c722586a66f03deb5029cbda029fb22d355952c3dadfdede20b63f4221f27c8e5d710e2b335c2d9a9b7ca899597a03c41ee6508e40a6d74814441ac3acb64a20f48a61e8a18f4bbcbd3e7e59bb3cd2be405afd6ac80d47ce6496c4b9b294c":104:"e9e5beea7d39c9250347a2a33d":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d2f85f92092385f15da43a086cff64c7448b4ee5a83ed72e":"":"9026dfd09e4553cd51c4c13ce70830de":"3c8de64c14df73c1b470a9d8aa693af96e487d548d03a92ce59c0baec8576129945c722586a66f03deb5029cbda029fb22d355952c3dadfdede20b63f4221f27c8e5d710e2b335c2d9a9b7ca899597a03c41ee6508e40a6d74814441ac3acb64a20f48a61e8a18f4bbcbd3e7e59bb3cd2be405afd6ac80d47ce6496c4b9b294c":104:"e9e5beea7d39c9250347a2a33d":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"de7df44ce007c99f7baad6a6955195f14e60999ed9818707":"":"4d209e414965fe99636c1c6493bba3a3":"da3bc6bdd414a1e07e00981cf9199371192a1fb2eaae20f7091e5fe5368e26d61b981f7f1d29f1a9085ad2789d101155a980de98d961c093941502268adb70537ad9783e6c7d5157c939f59b8ad474c3d7fc1fcc91165cdf8dd9d6ec70d6400086d564b68ebead0d03ebd3aa66ded555692b8de0baf43bc0ddef42e3a9eb34ab":96:"24483a57c20826a709b7d10a":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"de7df44ce007c99f7baad6a6955195f14e60999ed9818707":"":"4d209e414965fe99636c1c6493bba3a3":"da3bc6bdd414a1e07e00981cf9199371192a1fb2eaae20f7091e5fe5368e26d61b981f7f1d29f1a9085ad2789d101155a980de98d961c093941502268adb70537ad9783e6c7d5157c939f59b8ad474c3d7fc1fcc91165cdf8dd9d6ec70d6400086d564b68ebead0d03ebd3aa66ded555692b8de0baf43bc0ddef42e3a9eb34ab":96:"24483a57c20826a709b7d10a":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1dfa5ff20046c775b5e768c2bd9775066ae766345b7befc3":"":"2d49409b869b8b9fc5b67767979ca8cd":"e35d34478b228bc903ea2423697e603cc077967d7cfb062e95bc11d89fbe0a1f1d4569f89b2a7047300c1f5131d91564ec9bce014d18ba605a1c1e4e15e3e5c18413b8b59cbb25ab8f088885225de1235c16c7d9a8d06a23cb0b38fd1d5c6c19617fe08fd6bf01c965ed593149a1c6295435e98463e4f03a511d1a7e82c11f01":96:"23012503febbf26dc2d872dc":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1dfa5ff20046c775b5e768c2bd9775066ae766345b7befc3":"":"2d49409b869b8b9fc5b67767979ca8cd":"e35d34478b228bc903ea2423697e603cc077967d7cfb062e95bc11d89fbe0a1f1d4569f89b2a7047300c1f5131d91564ec9bce014d18ba605a1c1e4e15e3e5c18413b8b59cbb25ab8f088885225de1235c16c7d9a8d06a23cb0b38fd1d5c6c19617fe08fd6bf01c965ed593149a1c6295435e98463e4f03a511d1a7e82c11f01":96:"23012503febbf26dc2d872dc":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2df3ee3a6484c48fdd0d37bab443228c7d873c984529dfb4":"":"dc6aeb41415c115d66443fbd7acdfc8f":"eafc6007fafb461d3b151bdff459e56dd09b7b48b93ea730c85e5424f762b4a9080de44497a7c56dd7855628ffc61c7b4faeb7d6f413d464fe5ec6401f3028427ae3e62db3ff39cd0f5333a664d3505ff42caa8899b96a92ec01934d4b59556feb9055e8dfb81f55e60135345bfce3e4199bfcdb3ce42523e7d24be2a04cdb67":96:"e8e80bf6e5c4a55e7964f455":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2df3ee3a6484c48fdd0d37bab443228c7d873c984529dfb4":"":"dc6aeb41415c115d66443fbd7acdfc8f":"eafc6007fafb461d3b151bdff459e56dd09b7b48b93ea730c85e5424f762b4a9080de44497a7c56dd7855628ffc61c7b4faeb7d6f413d464fe5ec6401f3028427ae3e62db3ff39cd0f5333a664d3505ff42caa8899b96a92ec01934d4b59556feb9055e8dfb81f55e60135345bfce3e4199bfcdb3ce42523e7d24be2a04cdb67":96:"e8e80bf6e5c4a55e7964f455":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ce0787f65e6c24a1c444c35dcd38195197530aa20f1f6f3b":"":"55300431b1eaac0375681d7821e1eb7a":"84a699a34a1e597061ef95e8ec3c21b592e9236ddb98c68d7e05f1e709937b48ec34a4b88d99708d133a2cc33f5cf6819d5e7b82888e49faa5d54147d36c9e486630aa68fef88d55537119db1d57df0402f56e219f7ece7b4bb5f996dbe1c664a75174c880a00b0f2a56e35d17b69c550921961505afabf4bfd66cf04dc596d1":64:"74264163131d16ac":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ce0787f65e6c24a1c444c35dcd38195197530aa20f1f6f3b":"":"55300431b1eaac0375681d7821e1eb7a":"84a699a34a1e597061ef95e8ec3c21b592e9236ddb98c68d7e05f1e709937b48ec34a4b88d99708d133a2cc33f5cf6819d5e7b82888e49faa5d54147d36c9e486630aa68fef88d55537119db1d57df0402f56e219f7ece7b4bb5f996dbe1c664a75174c880a00b0f2a56e35d17b69c550921961505afabf4bfd66cf04dc596d1":64:"74264163131d16ac":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3a15541b5857a668dc9899b2e198d2416e83bac13282ca46":"":"89bf8ab0cea6f59616eeb9b314d7c333":"4d2843f34f9ea13a1ac521479457005178bcf8b2ebeaeb09097ea4471da9f6cc60a532bcda1c18cab822af541de3b87de606999e994ace3951f58a02de0d6620c9ae04549326da449a3e90364a17b90b6b17debc0f454bb0e7e98aef56a1caccf8c91614d1616db30fc8223dbcd8e77bf55d8253efe034fd66f7191e0303c52f":64:"8f4877806daff10e":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3a15541b5857a668dc9899b2e198d2416e83bac13282ca46":"":"89bf8ab0cea6f59616eeb9b314d7c333":"4d2843f34f9ea13a1ac521479457005178bcf8b2ebeaeb09097ea4471da9f6cc60a532bcda1c18cab822af541de3b87de606999e994ace3951f58a02de0d6620c9ae04549326da449a3e90364a17b90b6b17debc0f454bb0e7e98aef56a1caccf8c91614d1616db30fc8223dbcd8e77bf55d8253efe034fd66f7191e0303c52f":64:"8f4877806daff10e":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b61cdfd19c136ee2acbe09b7993a4683a713427518f8e559":"":"4066118061c904ed1e866d4f31d11234":"153c075ecdd184fd8a0fca25cae8f720201361ef84f3c638b148ca32c51d091a0e394236d0b51c1d2ee601914120c56dfea1289af470dbc9ef462ec5f974e455e6a83e215a2c8e27c0c5b5b45b662b7f58635a29866e8f76ab41ee628c12a24ab4d5f7954665c3e4a3a346739f20393fc5700ec79d2e3c2722c3fb3c77305337":64:"4eff7227b42f9a7d":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b61cdfd19c136ee2acbe09b7993a4683a713427518f8e559":"":"4066118061c904ed1e866d4f31d11234":"153c075ecdd184fd8a0fca25cae8f720201361ef84f3c638b148ca32c51d091a0e394236d0b51c1d2ee601914120c56dfea1289af470dbc9ef462ec5f974e455e6a83e215a2c8e27c0c5b5b45b662b7f58635a29866e8f76ab41ee628c12a24ab4d5f7954665c3e4a3a346739f20393fc5700ec79d2e3c2722c3fb3c77305337":64:"4eff7227b42f9a7d":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ce175a7df7e429fcc233540e6b8524323e91f40f592ba144":"":"c34484b4857b93e309df8e1a0e1ec9a3":"ce8d8775f047b543a6cc0d9ef9bc0db5ac5d610dc3ff6e12e0ad7cd3a399ebb762331e3c1101a189b3433a7ff4cd880a0639d2581b71e398dd982f55a11bf0f4e6ee95bacd897e8ec34649e1c256ee6ccecb33e36c76927cc5124bc2962713ad44cbd435ae3c1143796d3037fa1d659e5dad7ebf3c8cbdb5b619113d7ce8c483":32:"ff355f10":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ce175a7df7e429fcc233540e6b8524323e91f40f592ba144":"":"c34484b4857b93e309df8e1a0e1ec9a3":"ce8d8775f047b543a6cc0d9ef9bc0db5ac5d610dc3ff6e12e0ad7cd3a399ebb762331e3c1101a189b3433a7ff4cd880a0639d2581b71e398dd982f55a11bf0f4e6ee95bacd897e8ec34649e1c256ee6ccecb33e36c76927cc5124bc2962713ad44cbd435ae3c1143796d3037fa1d659e5dad7ebf3c8cbdb5b619113d7ce8c483":32:"ff355f10":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5f659ed236ba60494e9bf1ee2cb40edcf3f25a2bac2e5bc5":"":"ad49f12f202320255406c2f40e55b034":"6da62892f436dfe9790e72d26f4858ca156d1d655c9cc4336fcf282b0f3f0b201e47f799c3019109af89ef5fd48a4811980930e82cd95f86b1995d977c847bbb06ecdcc98b1aae100b23c9c2f0dcf317a1fb36f14e90e396e6c0c594bcc0dc5f3ebf86ce7ecd4b06d1c43202734d53f55751a6e6bbda982104102af240def4eb":32:"cb4d8c1d":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5f659ed236ba60494e9bf1ee2cb40edcf3f25a2bac2e5bc5":"":"ad49f12f202320255406c2f40e55b034":"6da62892f436dfe9790e72d26f4858ca156d1d655c9cc4336fcf282b0f3f0b201e47f799c3019109af89ef5fd48a4811980930e82cd95f86b1995d977c847bbb06ecdcc98b1aae100b23c9c2f0dcf317a1fb36f14e90e396e6c0c594bcc0dc5f3ebf86ce7ecd4b06d1c43202734d53f55751a6e6bbda982104102af240def4eb":32:"cb4d8c1d":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a73f318b1e298ba4ac0ab2aed74f73543b1017cccbd1b240":"":"abe33b7e8d88bd30deb96d1e90c4e951":"6de616b000047b14b6759015183dd753c61499c0e665d06a89e4fb0cd0dd3064ff8651582e901ef5d0cdf3344c29c70c3aabc2aaf83cb3f284c6fe4104906d389b027e7d9ca60d010f06ef8cd9e55db2483d06552ddbe3fc43b24c55085cd998eae3edec36673445bf626e933c15b6af08ea21cbace4720b0b68fe1a374877d5":32:"4a28ec97":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a73f318b1e298ba4ac0ab2aed74f73543b1017cccbd1b240":"":"abe33b7e8d88bd30deb96d1e90c4e951":"6de616b000047b14b6759015183dd753c61499c0e665d06a89e4fb0cd0dd3064ff8651582e901ef5d0cdf3344c29c70c3aabc2aaf83cb3f284c6fe4104906d389b027e7d9ca60d010f06ef8cd9e55db2483d06552ddbe3fc43b24c55085cd998eae3edec36673445bf626e933c15b6af08ea21cbace4720b0b68fe1a374877d5":32:"4a28ec97":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"73d5be74615bc5b627eedfb95746fb5f17cbf25b500a597f":"fc40993eb8559e6b127315c03103ce31b70fc0e07a766d9eecf2e4e8d973faa4afd3053c9ebef0282c9e3d2289d21b6c339748273fa1edf6d6ef5c8f1e1e9301b250297092d9ac4f4843125ea7299d5370f7f49c258eac2a58cc9df14c162604ba0801728994dc82cb625981130c3ca8cdb3391658d4e034691e62ece0a6e407":"eb16ed8de81efde2915a901f557fba95":"":128:"804056dca9f102c4a13a930c81d77eca":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"73d5be74615bc5b627eedfb95746fb5f17cbf25b500a597f":"fc40993eb8559e6b127315c03103ce31b70fc0e07a766d9eecf2e4e8d973faa4afd3053c9ebef0282c9e3d2289d21b6c339748273fa1edf6d6ef5c8f1e1e9301b250297092d9ac4f4843125ea7299d5370f7f49c258eac2a58cc9df14c162604ba0801728994dc82cb625981130c3ca8cdb3391658d4e034691e62ece0a6e407":"eb16ed8de81efde2915a901f557fba95":"":128:"804056dca9f102c4a13a930c81d77eca":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a249135c9f2f5a8b1af66442a4d4e101771a918ef8acee05":"c62b39b937edbdc9b644321d5d284e62eaa4154010c7a3208c1ef4706fba90223da04b2f686a28b975eff17386598ba77e212855692f384782c1f3c00be011e466e145f6f8b65c458e41409e01a019b290773992e19334ffaca544e28fc9044a5e86bcd2fa5ad2e76f2be3f014d8c387456a8fcfded3ae4d1194d0e3e53a2031":"80b6e48fe4a3b08d40c1636b25dfd2c4":"":128:"951c1c89b6d95661630d739dd9120a73":"b865f8dd64a6f51a500bcfc8cadbc9e9f5d54d2d27d815ecfe3d5731e1b230c587b46958c6187e41b52ff187a14d26aa41c5f9909a3b77859429232e5bd6c6dc22cf5590402476d033a32682e8ab8dc7ed0b089c5ab20ab9a8c5d6a3be9ea7aa56c9d3ab08de4a4a019abb447db448062f16a533d416951a8ff6f13ed5608f77":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a249135c9f2f5a8b1af66442a4d4e101771a918ef8acee05":"c62b39b937edbdc9b644321d5d284e62eaa4154010c7a3208c1ef4706fba90223da04b2f686a28b975eff17386598ba77e212855692f384782c1f3c00be011e466e145f6f8b65c458e41409e01a019b290773992e19334ffaca544e28fc9044a5e86bcd2fa5ad2e76f2be3f014d8c387456a8fcfded3ae4d1194d0e3e53a2031":"80b6e48fe4a3b08d40c1636b25dfd2c4":"":128:"951c1c89b6d95661630d739dd9120a73":"":"b865f8dd64a6f51a500bcfc8cadbc9e9f5d54d2d27d815ecfe3d5731e1b230c587b46958c6187e41b52ff187a14d26aa41c5f9909a3b77859429232e5bd6c6dc22cf5590402476d033a32682e8ab8dc7ed0b089c5ab20ab9a8c5d6a3be9ea7aa56c9d3ab08de4a4a019abb447db448062f16a533d416951a8ff6f13ed5608f77":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fa832a4b37dcb3c0879a771bb8ae734f0d88b9be497797a8":"0f1105f9ec24121232b60b6ef3c3e8ca9eec1a3d7625004b857d1d77f292b6ec065d92f5bb97e0dc2fdfdf823a5db275109a9472690caea04730e4bd732c33548718e9f7658bbf3e30b8d07790cd540c5754486ed8e4d6920cefaeb1c182c4d67ebed0d205ba0bd9441a599d55e45094b380f3478bcfca9646a0d7aa18d08e52":"70835abab9f945c84ef4e97cdcf2a694":"":128:"a459be0b349f6e8392c2a86edd8a9da5":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fa832a4b37dcb3c0879a771bb8ae734f0d88b9be497797a8":"0f1105f9ec24121232b60b6ef3c3e8ca9eec1a3d7625004b857d1d77f292b6ec065d92f5bb97e0dc2fdfdf823a5db275109a9472690caea04730e4bd732c33548718e9f7658bbf3e30b8d07790cd540c5754486ed8e4d6920cefaeb1c182c4d67ebed0d205ba0bd9441a599d55e45094b380f3478bcfca9646a0d7aa18d08e52":"70835abab9f945c84ef4e97cdcf2a694":"":128:"a459be0b349f6e8392c2a86edd8a9da5":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dda216287910d1f5c0a312f63c243612388bc510cb76c5ba":"d6617d583344d4fe472099d2a688297857215a3e31b47d1bf355ccfe9cf2398a3eba362c670c88f8c7162903275dfd4761d095900bd97eba72200d4045d72bd239bda156829c36b38b1ff5e4230125e5695f623e129829721e889da235bb7d4b9da07cce8c3ceb96964fd2f9dd1ff0997e1a3e253a688ceb1bfec76a7c567266":"7f770140df5b8678bc9c4b962b8c9034":"":120:"9823e3242b3f890c6a456f1837e039":"b4910277224025f58a5d0f37385b03fcd488dfef7580eb5c270c10bd7a6f6d9c7ddc2d1368d68d4e04f90e3df029ed028432a09f710be1610b2a75bd05f31bae83920573929573affd0eb03c63e0cec7a027deab792f43ee6307fd3c5078d43d5b1407ac023824d41c9437d66eeec172488f28d700aa4b54931aad7cd458456f":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dda216287910d1f5c0a312f63c243612388bc510cb76c5ba":"d6617d583344d4fe472099d2a688297857215a3e31b47d1bf355ccfe9cf2398a3eba362c670c88f8c7162903275dfd4761d095900bd97eba72200d4045d72bd239bda156829c36b38b1ff5e4230125e5695f623e129829721e889da235bb7d4b9da07cce8c3ceb96964fd2f9dd1ff0997e1a3e253a688ceb1bfec76a7c567266":"7f770140df5b8678bc9c4b962b8c9034":"":120:"9823e3242b3f890c6a456f1837e039":"":"b4910277224025f58a5d0f37385b03fcd488dfef7580eb5c270c10bd7a6f6d9c7ddc2d1368d68d4e04f90e3df029ed028432a09f710be1610b2a75bd05f31bae83920573929573affd0eb03c63e0cec7a027deab792f43ee6307fd3c5078d43d5b1407ac023824d41c9437d66eeec172488f28d700aa4b54931aad7cd458456f":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c5afa1e61d4594b1c2fa637f64f18dd557e4df3255b47f24":"5c772cdf19571cd51d71fc166d33a0b892fbca4eae36ab0ac94e6164d51acb2d4e60d4f3a19c3757a93960e7fd90b9a6cdf98bdf259b370ed6c7ef8cb96dba7e3a875e6e7fe6abc76aabad30c8743b3e47c8de5d604c748eeb16806c2e75180a96af7741904eca61769d39e943eb4c4c25f2afd68e9472043de2bb03e9edae20":"151fd3ba32f5bde72adce6291bcf63ea":"":120:"f0626cc07f2ed1a7570386a4110fc1":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c5afa1e61d4594b1c2fa637f64f18dd557e4df3255b47f24":"5c772cdf19571cd51d71fc166d33a0b892fbca4eae36ab0ac94e6164d51acb2d4e60d4f3a19c3757a93960e7fd90b9a6cdf98bdf259b370ed6c7ef8cb96dba7e3a875e6e7fe6abc76aabad30c8743b3e47c8de5d604c748eeb16806c2e75180a96af7741904eca61769d39e943eb4c4c25f2afd68e9472043de2bb03e9edae20":"151fd3ba32f5bde72adce6291bcf63ea":"":120:"f0626cc07f2ed1a7570386a4110fc1":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"febd4ff0fedd9f16bccb62380d59cd41b8eff1834347d8fa":"dc971c8f65ece2ea4130afd4db38fc657c085ea19c76fef50f5bd0f8dd364cc22471c2fa36be8cde78529f58a78888e9de10961760a01af005e42fc5b03e6f64962e6b18eaedea979d33d1b06e2038b1aad8993e5b20cae6cc93f3f7cf2ad658fbba633d74f21a2003dded5f5dda3b46ed7424845c11bab439fbb987f0be09f8":"743699d3759781e82a3d21c7cd7991c8":"":120:"1da347f9b6341049e63140395ad445":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"febd4ff0fedd9f16bccb62380d59cd41b8eff1834347d8fa":"dc971c8f65ece2ea4130afd4db38fc657c085ea19c76fef50f5bd0f8dd364cc22471c2fa36be8cde78529f58a78888e9de10961760a01af005e42fc5b03e6f64962e6b18eaedea979d33d1b06e2038b1aad8993e5b20cae6cc93f3f7cf2ad658fbba633d74f21a2003dded5f5dda3b46ed7424845c11bab439fbb987f0be09f8":"743699d3759781e82a3d21c7cd7991c8":"":120:"1da347f9b6341049e63140395ad445":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d280d079110c1c826cc77f490d807dd8d508eb579a160c49":"a286d19610a990d64f3accd329fc005d468465a98cfa2f3606c6d0fbeb9732879bad3ca8094322a334a43155baed02d8e13a2fbf259d80066c6f418a1a74b23e0f6238f505b2b3dc906ffcb4910ce6c878b595bb4e5f8f3e2ede912b38dbafdf4659a93b056a1a67cb0ec1dbf00d93223f3b20b3f64a157105c5445b61628abf":"85b241d516b94759c9ef975f557bccea":"":112:"bbf289df539f78c3a912b141da3a":"b9286ab91645c20de040a805020fed53c612d493a8ce9c71649ae16bd50eab6fb7f3a9180e1651d5413aa542608d7ecbf9fc7378c0bef4d439bc35434b6cf803976b8783aecc83a91e95cea72c2a26a883b710252e0c2a6baa115739a0692c85f6d34ff06234fbdc79b8c4a8ea0a7056fb48c18f73aaf5084868abb0dfaa287d":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d280d079110c1c826cc77f490d807dd8d508eb579a160c49":"a286d19610a990d64f3accd329fc005d468465a98cfa2f3606c6d0fbeb9732879bad3ca8094322a334a43155baed02d8e13a2fbf259d80066c6f418a1a74b23e0f6238f505b2b3dc906ffcb4910ce6c878b595bb4e5f8f3e2ede912b38dbafdf4659a93b056a1a67cb0ec1dbf00d93223f3b20b3f64a157105c5445b61628abf":"85b241d516b94759c9ef975f557bccea":"":112:"bbf289df539f78c3a912b141da3a":"":"b9286ab91645c20de040a805020fed53c612d493a8ce9c71649ae16bd50eab6fb7f3a9180e1651d5413aa542608d7ecbf9fc7378c0bef4d439bc35434b6cf803976b8783aecc83a91e95cea72c2a26a883b710252e0c2a6baa115739a0692c85f6d34ff06234fbdc79b8c4a8ea0a7056fb48c18f73aaf5084868abb0dfaa287d":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5e80f87fa2156c62df7be2ad16c4890de5ee5868a684fcf9":"c829073efd5c5150d2b7e2cdaeff979830d1aa983c747724ade6472c647a6e8e5033046e0359ea62fc26b4c95bccb3ac416fdf54e95815c35bf86d3fdd7856abbb618fe8fcd35a9295114926a0c9df92317d44ba1885a0c67c10b9ba24b8b2f3a464308c5578932247bf9c79d939aa3576376d2d6b4f14a378ab775531fe8abf":"9769f71c76b5b6c60462a845d2c123ad":"":112:"394b6c631a69be3ed8c90770f3d4":"f886bd92ca9d73a52e626b0c63a3daa138faaacf7809086d04f5c0c899362aa22e25d8659653b59c3103668461d9785bb425c6c1026ad9c924271cec9f27a9b341f708ca86f1d82a77aae88b25da9061b78b97276f3216720352629bd1a27ebf890da6f42d8c63d68342a93c382442d49dd4b62219504785cee89dffdc36f868":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5e80f87fa2156c62df7be2ad16c4890de5ee5868a684fcf9":"c829073efd5c5150d2b7e2cdaeff979830d1aa983c747724ade6472c647a6e8e5033046e0359ea62fc26b4c95bccb3ac416fdf54e95815c35bf86d3fdd7856abbb618fe8fcd35a9295114926a0c9df92317d44ba1885a0c67c10b9ba24b8b2f3a464308c5578932247bf9c79d939aa3576376d2d6b4f14a378ab775531fe8abf":"9769f71c76b5b6c60462a845d2c123ad":"":112:"394b6c631a69be3ed8c90770f3d4":"":"f886bd92ca9d73a52e626b0c63a3daa138faaacf7809086d04f5c0c899362aa22e25d8659653b59c3103668461d9785bb425c6c1026ad9c924271cec9f27a9b341f708ca86f1d82a77aae88b25da9061b78b97276f3216720352629bd1a27ebf890da6f42d8c63d68342a93c382442d49dd4b62219504785cee89dffdc36f868":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d8a7b99e53f5e5b197364d4516cace4b928de50e571315e3":"d0db0ac5e14bf03729125f3137d4854b4d8ce2d264f8646da17402bdad7034c0d84d7a80f107eb202aeadbfdf063904ae9793c6ae91ee8bcc0fc0674d8111f6aea6607633f92e4be3cfbb64418101db8b0a9225c83e60ffcf7a7f71f77149a13f8c5227cd92855241e11ee363062a893a76ac282fb47b523b306cd8235cd81c2":"4b12c6701534098e23e1b4659f684d6f":"":112:"729b31c65d8699c93d741caac8e3":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d8a7b99e53f5e5b197364d4516cace4b928de50e571315e3":"d0db0ac5e14bf03729125f3137d4854b4d8ce2d264f8646da17402bdad7034c0d84d7a80f107eb202aeadbfdf063904ae9793c6ae91ee8bcc0fc0674d8111f6aea6607633f92e4be3cfbb64418101db8b0a9225c83e60ffcf7a7f71f77149a13f8c5227cd92855241e11ee363062a893a76ac282fb47b523b306cd8235cd81c2":"4b12c6701534098e23e1b4659f684d6f":"":112:"729b31c65d8699c93d741caac8e3":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c874b427b7181b0c90b887147c36f242827149324fd5c945":"bdd90190d587a564af022f06c8bd1a68735b6f18f04113fdcec24c6027aaf0271b183336fb713d247a173d9e095dae6e9badb0ab069712302875406f14320151fd43b90a3d6f35cc856636b1a6f98afc797cb5259567e2e9b7ce62d7b3370b5ee852722faf740edf815b3af460cdd7de90ca6ab6cd173844216c064b16ea3696":"4b8dda046a5b7c46abeeca2f2f9bcaf8":"":104:"fe1e427bcb15ce026413a0da87":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c874b427b7181b0c90b887147c36f242827149324fd5c945":"bdd90190d587a564af022f06c8bd1a68735b6f18f04113fdcec24c6027aaf0271b183336fb713d247a173d9e095dae6e9badb0ab069712302875406f14320151fd43b90a3d6f35cc856636b1a6f98afc797cb5259567e2e9b7ce62d7b3370b5ee852722faf740edf815b3af460cdd7de90ca6ab6cd173844216c064b16ea3696":"4b8dda046a5b7c46abeeca2f2f9bcaf8":"":104:"fe1e427bcb15ce026413a0da87":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"56543cd6e2ebb1e3dc136a826bfc37eddb12f7a26430a1b4":"d541dd3acec2da042e6ea26fb90ff9a3861191926423b6dc99c5110b3bf150b362017159d0b85ffea397106a0d8299ec22791cb06103cd44036eed0d6d9f953724fb003068b3c3d97da129c28d97f09e6300cbea06ba66f410ca61c3311ce334c55f077c37acb3b7129c481748f79c958bc3bbeb2d3ff445ad361ed4bbc79f0a":"927ce8a596ed28c85d9cb8e688a829e6":"":104:"3a98f471112a8a646460e8efd0":"a602d61e7a35cbe0e463119bb66fd4bb6c75d1fe0b211b9d6a0a6e9e84b0794282318f0d33ec053f2cfba1623e865681affeaf29f3da3113995e87d51a5ab4872bb05b5be8ef2b14dfc3df5a48cbc9b10853a708ee4886a7390e8e4d286740a0dd41c025c8d72eda3f73f3cec5c33d5e50b643afd7691213cccccc2c41b9bd7a":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"56543cd6e2ebb1e3dc136a826bfc37eddb12f7a26430a1b4":"d541dd3acec2da042e6ea26fb90ff9a3861191926423b6dc99c5110b3bf150b362017159d0b85ffea397106a0d8299ec22791cb06103cd44036eed0d6d9f953724fb003068b3c3d97da129c28d97f09e6300cbea06ba66f410ca61c3311ce334c55f077c37acb3b7129c481748f79c958bc3bbeb2d3ff445ad361ed4bbc79f0a":"927ce8a596ed28c85d9cb8e688a829e6":"":104:"3a98f471112a8a646460e8efd0":"":"a602d61e7a35cbe0e463119bb66fd4bb6c75d1fe0b211b9d6a0a6e9e84b0794282318f0d33ec053f2cfba1623e865681affeaf29f3da3113995e87d51a5ab4872bb05b5be8ef2b14dfc3df5a48cbc9b10853a708ee4886a7390e8e4d286740a0dd41c025c8d72eda3f73f3cec5c33d5e50b643afd7691213cccccc2c41b9bd7a":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"caaf81cd380f3af7885ef0d6196a1688c9372c5850dc5b0b":"6f269929b92c6281e00672eaec183f187b2ddecc11c9045319521d245b595ab154dd50f045a660c4d53ae07d1b7a7fd6b21da10976eb5ffcddda08c1e9075a3b4d785faa003b4dd243f379e0654740b466704d9173bc43292ae0e279a903a955ce33b299bf2842b3461f7c9a2bd311f3e87254b5413d372ec543d6efa237b95a":"508c55f1726896f5b9f0a7024fe2fad0":"":104:"3b8026268caf599ee677ecfd70":"c4a96fb08d7c2eebd17046172b98569bc2441929fc0d6876aa1f389b80c05e2ede74dc6f8c3896a2ccf518e1b375ee75e4967f7cca21fa81ee176f8fb8753381ce03b2df873897131adc62a0cbebf718c8e0bb8eeed3104535f17a9c706d178d95a1b232e9dac31f2d1bdb3a1b098f3056f0e3d18be36bd746675779c0f80a10":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"caaf81cd380f3af7885ef0d6196a1688c9372c5850dc5b0b":"6f269929b92c6281e00672eaec183f187b2ddecc11c9045319521d245b595ab154dd50f045a660c4d53ae07d1b7a7fd6b21da10976eb5ffcddda08c1e9075a3b4d785faa003b4dd243f379e0654740b466704d9173bc43292ae0e279a903a955ce33b299bf2842b3461f7c9a2bd311f3e87254b5413d372ec543d6efa237b95a":"508c55f1726896f5b9f0a7024fe2fad0":"":104:"3b8026268caf599ee677ecfd70":"":"c4a96fb08d7c2eebd17046172b98569bc2441929fc0d6876aa1f389b80c05e2ede74dc6f8c3896a2ccf518e1b375ee75e4967f7cca21fa81ee176f8fb8753381ce03b2df873897131adc62a0cbebf718c8e0bb8eeed3104535f17a9c706d178d95a1b232e9dac31f2d1bdb3a1b098f3056f0e3d18be36bd746675779c0f80a10":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2fc9d9ac8469cfc718add2b03a4d8c8dcc2eeca08e5ff7bc":"bc84d8a962a9cfd179d242788473d980d177abd0af9edccb14c6dc41535439a1768978158eeed99466574ea820dbedea68c819ffd9f9915ca8392c2e03049d7198baeca1d3491fe2345e64c1012aff03985b86c831ad516d4f5eb538109fff25383c7b0fa6b940ae19b0987d8c3e4a37ccbbd2034633c1eb0df1e9ddf3a8239e":"b2a7c0d52fc60bacc3d1a94f33087095":"":96:"0a7a36ec128d0deb60869893":"fc3cd6486dfe944f7cb035787573a554f4fe010c15bd08d6b09f73066f6f272ff84474f3845337b6e429c947d419c511c2945ffb181492c5465940cef85077e8a6a272a07e310a2f3808f11be03d96162913c613d9c3f25c3893c2bd2a58a619a9757fd16cc20c1308f2140557330379f07dbfd8979b26b075977805f1885acc":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2fc9d9ac8469cfc718add2b03a4d8c8dcc2eeca08e5ff7bc":"bc84d8a962a9cfd179d242788473d980d177abd0af9edccb14c6dc41535439a1768978158eeed99466574ea820dbedea68c819ffd9f9915ca8392c2e03049d7198baeca1d3491fe2345e64c1012aff03985b86c831ad516d4f5eb538109fff25383c7b0fa6b940ae19b0987d8c3e4a37ccbbd2034633c1eb0df1e9ddf3a8239e":"b2a7c0d52fc60bacc3d1a94f33087095":"":96:"0a7a36ec128d0deb60869893":"":"fc3cd6486dfe944f7cb035787573a554f4fe010c15bd08d6b09f73066f6f272ff84474f3845337b6e429c947d419c511c2945ffb181492c5465940cef85077e8a6a272a07e310a2f3808f11be03d96162913c613d9c3f25c3893c2bd2a58a619a9757fd16cc20c1308f2140557330379f07dbfd8979b26b075977805f1885acc":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"81ff729efa4a9aa2eccc37c5f846235b53d3b93c79c709c8":"3992ad29eeb97d17bd5c0f04d8589903ee23ccb2b1adc2992a48a2eb62c2644c0df53b4afe4ace60dc5ec249c0c083473ebac3323539a575c14fa74c8381d1ac90cb501240f96d1779b287f7d8ba8775281d453aae37c803185f2711d21f5c00eb45cad37587ed196d1633f1eb0b33abef337447d03ec09c0e3f7fd32e8c69f0":"1bd17f04d1dc2e447b41665952ad9031":"":96:"01b0a815dc6da3e32851e1fb":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"81ff729efa4a9aa2eccc37c5f846235b53d3b93c79c709c8":"3992ad29eeb97d17bd5c0f04d8589903ee23ccb2b1adc2992a48a2eb62c2644c0df53b4afe4ace60dc5ec249c0c083473ebac3323539a575c14fa74c8381d1ac90cb501240f96d1779b287f7d8ba8775281d453aae37c803185f2711d21f5c00eb45cad37587ed196d1633f1eb0b33abef337447d03ec09c0e3f7fd32e8c69f0":"1bd17f04d1dc2e447b41665952ad9031":"":96:"01b0a815dc6da3e32851e1fb":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"068500e8d4f8d4af9035cdaa8e005a648352e8f28bdafc8a":"98e32428d9d21c4b60e690a2ce1cf70bee90df31302d1819b7d27fd577dd990f7ffe6ba5ef117caac718cc1880b4ca98f72db281c9609e189307302dc2866f20be3a545a565521368a6881e2642cba63b3cf4c8b5e5a8eabeb3e8b004618b8f77667c111e5402c5d7c66afd297c575ce5092e898d5831031d225cee668c186a1":"5ea9198b860679759357befdbb106b62":"":96:"d58752f66b2cb9bb2bc388eb":"2ef3a17fcdb154f60d5e80263b7301a8526d2de451ea49adb441aa2541986b868dab24027178f48759dbe874ae7aa7b27fb19461c6678a0ba84bbcd8567ba2412a55179e15e7c1a1392730ac392b59c51d48f8366d45b933880095800e1f36ff1ac00753f6363b0e854f494552f1f2efe028d969e6b1a8080149dd853aa6751e":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"068500e8d4f8d4af9035cdaa8e005a648352e8f28bdafc8a":"98e32428d9d21c4b60e690a2ce1cf70bee90df31302d1819b7d27fd577dd990f7ffe6ba5ef117caac718cc1880b4ca98f72db281c9609e189307302dc2866f20be3a545a565521368a6881e2642cba63b3cf4c8b5e5a8eabeb3e8b004618b8f77667c111e5402c5d7c66afd297c575ce5092e898d5831031d225cee668c186a1":"5ea9198b860679759357befdbb106b62":"":96:"d58752f66b2cb9bb2bc388eb":"":"2ef3a17fcdb154f60d5e80263b7301a8526d2de451ea49adb441aa2541986b868dab24027178f48759dbe874ae7aa7b27fb19461c6678a0ba84bbcd8567ba2412a55179e15e7c1a1392730ac392b59c51d48f8366d45b933880095800e1f36ff1ac00753f6363b0e854f494552f1f2efe028d969e6b1a8080149dd853aa6751e":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7474d9b07739001b25baf6867254994e06e54c578508232f":"1cbab2b6e4274caa80987072914f667b887198f7aaf4574608b91b5274f5afc3eb05a457554ff5d346d460f92c068bc626fd301d0bb15cb3726504b3d88ecd46a15077728ddc2b698a2e8c5ea5885fc534ac227b8f103d193f1977badf4f853a0931398da01f8019a9b1ff271b3a783ff0fae6f54db425af6e3a345ba7512cbf":"3ade6c92fe2dc575c136e3fbbba5c484":"":64:"67c25240b8e39b63":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7474d9b07739001b25baf6867254994e06e54c578508232f":"1cbab2b6e4274caa80987072914f667b887198f7aaf4574608b91b5274f5afc3eb05a457554ff5d346d460f92c068bc626fd301d0bb15cb3726504b3d88ecd46a15077728ddc2b698a2e8c5ea5885fc534ac227b8f103d193f1977badf4f853a0931398da01f8019a9b1ff271b3a783ff0fae6f54db425af6e3a345ba7512cbf":"3ade6c92fe2dc575c136e3fbbba5c484":"":64:"67c25240b8e39b63":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d50d4c7d442d8a92d0489a96e897d50dda6fbe47ca7713ee":"b36b4caf1d47b0d10652824bd57b603ec1c16f4720ce7d43edde8af1b9737f61b68b882566e04da50136f27d9af4c4c57fff4c8465c8a85f0aeadc17e02709cc9ba818d9a272709e5fb65dd5612a5c5d700da399b3668a00041a51c23de616ea3f72093d85ecbfd9dd0b5d02b541fb605dcffe81e9f45a5c0c191cc0b92ac56d":"41b37c04ab8a80f5a8d9d82a3a444772":"":64:"4ee54d280829e6ef":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d50d4c7d442d8a92d0489a96e897d50dda6fbe47ca7713ee":"b36b4caf1d47b0d10652824bd57b603ec1c16f4720ce7d43edde8af1b9737f61b68b882566e04da50136f27d9af4c4c57fff4c8465c8a85f0aeadc17e02709cc9ba818d9a272709e5fb65dd5612a5c5d700da399b3668a00041a51c23de616ea3f72093d85ecbfd9dd0b5d02b541fb605dcffe81e9f45a5c0c191cc0b92ac56d":"41b37c04ab8a80f5a8d9d82a3a444772":"":64:"4ee54d280829e6ef":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"38f3ec3ec775dac76ae484d5b6ca61c695c7beafba4606ca":"49726b8cefc842a02f2d7bef099871f38257cc8ea096c9ac50baced6d940acb4e8baf932bec379a973a2c3a3bc49f60f7e9eef45eafdd15bda1dd1557f068e81226af503934eb96564d14c03f0f351974c8a54fb104fb07417fe79272e4b0c0072b9f89b770326562e4e1b14cad784a2cd1b4ae1dc43623ec451a1cae55f6f84":"9af53cf6891a749ab286f5c34238088a":"":64:"6f6f344dd43b0d20":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"38f3ec3ec775dac76ae484d5b6ca61c695c7beafba4606ca":"49726b8cefc842a02f2d7bef099871f38257cc8ea096c9ac50baced6d940acb4e8baf932bec379a973a2c3a3bc49f60f7e9eef45eafdd15bda1dd1557f068e81226af503934eb96564d14c03f0f351974c8a54fb104fb07417fe79272e4b0c0072b9f89b770326562e4e1b14cad784a2cd1b4ae1dc43623ec451a1cae55f6f84":"9af53cf6891a749ab286f5c34238088a":"":64:"6f6f344dd43b0d20":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6db4ef061513ef6690d57aef50d8011e0dd7eb4432d82374":"b7f9206995bc97311855ee832e2b40c41ab2d1a40d9263683c95b14dcc51c74d2de7b6198f9d4766c659e7619fe2693a5b188fac464ccbd5e632c5fd248cedba4028a92de12ed91415077e94cfe7a60f117052dea8916dfe0a51d92c1c03927e93012dbacd29bbbc50ce537a8173348ca904ac86df55940e9394c2895a9fe563":"623df5a0922d1e8c883debb2e0e5e0b1":"":32:"14f690d7":"a6414daa9be693e7ebb32480a783c54292e57feef4abbb3636bebbc3074bfc608ad55896fe9bd5ab875e52a43f715b98f52c07fc9fa6194ea0cd8ed78404f251639069c5a313ccfc6b94fb1657153ff48f16f6e22b3c4a0b7f88e188c90176447fe27fa7ddc2bac3d2b7edecad5f7605093ac4280b38ae6a4c040d2d4d491b42":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6db4ef061513ef6690d57aef50d8011e0dd7eb4432d82374":"b7f9206995bc97311855ee832e2b40c41ab2d1a40d9263683c95b14dcc51c74d2de7b6198f9d4766c659e7619fe2693a5b188fac464ccbd5e632c5fd248cedba4028a92de12ed91415077e94cfe7a60f117052dea8916dfe0a51d92c1c03927e93012dbacd29bbbc50ce537a8173348ca904ac86df55940e9394c2895a9fe563":"623df5a0922d1e8c883debb2e0e5e0b1":"":32:"14f690d7":"":"a6414daa9be693e7ebb32480a783c54292e57feef4abbb3636bebbc3074bfc608ad55896fe9bd5ab875e52a43f715b98f52c07fc9fa6194ea0cd8ed78404f251639069c5a313ccfc6b94fb1657153ff48f16f6e22b3c4a0b7f88e188c90176447fe27fa7ddc2bac3d2b7edecad5f7605093ac4280b38ae6a4c040d2d4d491b42":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8901bec4d3c64071d8c30c720c093221e05efed71da280bf":"7c447e700db7367260dffa42050e612eff062eb0c8a6b4fe34858800bcb8ec2f622cb5213767b5771433783e9b0fa617c9ffb7fde09845dafc16dfc0df61215c0ca1191eabf43293db6603d5285859de7ef3329f5e71201586fb0188f0840ed5b877043ca06039768c77ff8687c5cfc2fd013a0b8da48344c568fce6b39e2b19":"9265abe966cb83838d7fd9302938f49d":"":32:"6f6c38bc":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8901bec4d3c64071d8c30c720c093221e05efed71da280bf":"7c447e700db7367260dffa42050e612eff062eb0c8a6b4fe34858800bcb8ec2f622cb5213767b5771433783e9b0fa617c9ffb7fde09845dafc16dfc0df61215c0ca1191eabf43293db6603d5285859de7ef3329f5e71201586fb0188f0840ed5b877043ca06039768c77ff8687c5cfc2fd013a0b8da48344c568fce6b39e2b19":"9265abe966cb83838d7fd9302938f49d":"":32:"6f6c38bc":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2c57eb763f886154d3846cc333fc8ae8b3c7c9c3705f9872":"9fe7d210221773ba4a163850bab290ba9b7bf5e825760ac940c290a1b40cd6dd5b9fb6385ae1a79d35ee7b355b34275857d5b847bef4ac7a58f6f0e9de68687807009f5dc26244935d7bcafc7aed18316ce6c375192d2a7bf0bee8a632fe4f412440292e39339b94b28281622842f88048be4640486f2b21a119658c294ce32e":"9b3781165e7ff113ecd1d83d1df2366d":"":32:"62f32d4e":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2c57eb763f886154d3846cc333fc8ae8b3c7c9c3705f9872":"9fe7d210221773ba4a163850bab290ba9b7bf5e825760ac940c290a1b40cd6dd5b9fb6385ae1a79d35ee7b355b34275857d5b847bef4ac7a58f6f0e9de68687807009f5dc26244935d7bcafc7aed18316ce6c375192d2a7bf0bee8a632fe4f412440292e39339b94b28281622842f88048be4640486f2b21a119658c294ce32e":"9b3781165e7ff113ecd1d83d1df2366d":"":32:"62f32d4e":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"307d31a594e54f673bea2f977835670aca4f3d45c9c376cc":"d7385a7bd0cb76e1e242fa547c474370bcc7cc7cf3e3fa37b00fe08a56383ca31d023d8c493f6d42e482b0f32e4f244dd100ea08eee6535e5bb8d27f76dbb7eead6ba8e031ccd0eaeb649edee92aeaf0f027d59efd4e39b1f34b15ceb8b592ee0f171b1773b308c0e747790b0e6ace90fc661caa5f942bdc197067f28fbe87d1":"0bdaa353c4904d32432926f27534c73c":"aa39f04559ccc2cae3d563dda831fb238b2582cb2c2bb28cff20cc20200724c8771b9805ef7464b8fc06c7b8060c6920fd2779fbc807c2292c8c1f88f8088755609a1732ff8c0b06606452b970c79997b985889404fd907c4668a0bcc11ba617175f4525523494a244da60b238468c863055f04db20ea489adf545d56c0a71d8":128:"2ddda790aae2ca427f5fb032c29673e6":"0b92262759897f4bd5624a891187eba6040d79322a2a5a60fb75c6c6a5badd117abe40c6d963931bbc72dca1a1bf1f5388030fe323b3b24bd408334b95908177fb59af57c5cc6b31825bc7097eec7fec19f9cdb41c0264fd22f71893bcf881c1510feb8057e64880f1ea2df8dc60bb300fd06b0a582f7be534e522caadc4a2c7":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"307d31a594e54f673bea2f977835670aca4f3d45c9c376cc":"d7385a7bd0cb76e1e242fa547c474370bcc7cc7cf3e3fa37b00fe08a56383ca31d023d8c493f6d42e482b0f32e4f244dd100ea08eee6535e5bb8d27f76dbb7eead6ba8e031ccd0eaeb649edee92aeaf0f027d59efd4e39b1f34b15ceb8b592ee0f171b1773b308c0e747790b0e6ace90fc661caa5f942bdc197067f28fbe87d1":"0bdaa353c4904d32432926f27534c73c":"aa39f04559ccc2cae3d563dda831fb238b2582cb2c2bb28cff20cc20200724c8771b9805ef7464b8fc06c7b8060c6920fd2779fbc807c2292c8c1f88f8088755609a1732ff8c0b06606452b970c79997b985889404fd907c4668a0bcc11ba617175f4525523494a244da60b238468c863055f04db20ea489adf545d56c0a71d8":128:"2ddda790aae2ca427f5fb032c29673e6":"":"0b92262759897f4bd5624a891187eba6040d79322a2a5a60fb75c6c6a5badd117abe40c6d963931bbc72dca1a1bf1f5388030fe323b3b24bd408334b95908177fb59af57c5cc6b31825bc7097eec7fec19f9cdb41c0264fd22f71893bcf881c1510feb8057e64880f1ea2df8dc60bb300fd06b0a582f7be534e522caadc4a2c7":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"23c201968def551817f20e49b09dbb5aae0033305bef68a0":"77bc8af42d1b64ee39012df5fc33c554af32bfef6d9182804dcfe370dfc4b9d059bdbc55f6ba4eacb8e3a491d96a65360d790864ba60acf1a605f6b28a6591513ea3cfd768ff47aee242a8e9bdfac399b452231bfd59d81c9b91f8dc589ad751d8f9fdad01dd00631f0cb51cb0248332f24194b577e5571ceb5c037a6d0bcfe8":"bd2952d215aed5e915d863e7f7696b3e":"23f35fac583897519b94998084ad6d77666e13595109e874625bc6ccc6d0c7816a62d64b02e670fa664e3bb52c276b1bafbeb44e5f9cc3ae028daf1d787344482f31fce5d2800020732b381a8b11c6837f428204b7ed2f4c4810067f2d4da99987b66e6525fc6b9217a8f6933f1681b7cfa857e102f616a7c84adc2f676e3a8f":128:"bb9ba3a9ac7d63e67bd78d71dc3133b3":"17d93c921009c6b0b3ecf243d08b701422983f2dcaec9c8d7604a2d5565ed96ce5cddcb183cd5882f8d61d3202c9015d207fed16a4c1195ba712428c727601135315fc504e80c253c3a2e4a5593fc6c4a206edce1fd7104e8a888385bbb396d3cdf1eb2b2aa4d0c9e45451e99550d9cfa05aafe6e7b5319c73c33fd6f98db3c5":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"23c201968def551817f20e49b09dbb5aae0033305bef68a0":"77bc8af42d1b64ee39012df5fc33c554af32bfef6d9182804dcfe370dfc4b9d059bdbc55f6ba4eacb8e3a491d96a65360d790864ba60acf1a605f6b28a6591513ea3cfd768ff47aee242a8e9bdfac399b452231bfd59d81c9b91f8dc589ad751d8f9fdad01dd00631f0cb51cb0248332f24194b577e5571ceb5c037a6d0bcfe8":"bd2952d215aed5e915d863e7f7696b3e":"23f35fac583897519b94998084ad6d77666e13595109e874625bc6ccc6d0c7816a62d64b02e670fa664e3bb52c276b1bafbeb44e5f9cc3ae028daf1d787344482f31fce5d2800020732b381a8b11c6837f428204b7ed2f4c4810067f2d4da99987b66e6525fc6b9217a8f6933f1681b7cfa857e102f616a7c84adc2f676e3a8f":128:"bb9ba3a9ac7d63e67bd78d71dc3133b3":"":"17d93c921009c6b0b3ecf243d08b701422983f2dcaec9c8d7604a2d5565ed96ce5cddcb183cd5882f8d61d3202c9015d207fed16a4c1195ba712428c727601135315fc504e80c253c3a2e4a5593fc6c4a206edce1fd7104e8a888385bbb396d3cdf1eb2b2aa4d0c9e45451e99550d9cfa05aafe6e7b5319c73c33fd6f98db3c5":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6baec0669add30acb8f678ce477a2b171f89d1f41935c491":"5712b84c4c97d75f84edd50561bc1d3f1ba451cc3b358b2403b5e528290954348cf7a235b4dc11a72ddbc503191204e98a9744d85419508c8ca76438c13305f716f1e239a6d9f6423c27217a0057aa75f6d7e2fb356e7194f271459ab5482589ea311b33e3d3845952ff4067dd2b9bcc2e8f83630b0a219e904040abd643d839":"b1472f92f552ca0d62496b8fa622c569":"5ae64edf11b4dbc7294d3d01bc9faf310dc08a92b28e664e0a7525f938d32ef033033f1de8931f39a58df0eabc8784423f0a6355efcff008cae62c1d8e5b7baefd360a5a2aa1b7068522faf8e437e6419be305ada05715bf21d73bd227531fea4bc31a6ce1662aec49f1961ee28e33ae00eb20013fd84b51cfe0d5adbdaff592":128:"29a2d607b2d2d9c96d093000b401a94f":"beb687f062ae7f5159d07609dd58d7b81c478d180bc0b4c07ae799626ff1da2be2e0d78b2a2a1f563257f161491a5ac500cd719da6379e30d0f6d0a7a33203381e058f487fc60989923afbee76e703c03abc73bb01bd262ff6f0ac931f771e9b4f2980e7d8c0a9e939fa6e1094796894f2c78f453e4abe64cb285016435ef0e8":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6baec0669add30acb8f678ce477a2b171f89d1f41935c491":"5712b84c4c97d75f84edd50561bc1d3f1ba451cc3b358b2403b5e528290954348cf7a235b4dc11a72ddbc503191204e98a9744d85419508c8ca76438c13305f716f1e239a6d9f6423c27217a0057aa75f6d7e2fb356e7194f271459ab5482589ea311b33e3d3845952ff4067dd2b9bcc2e8f83630b0a219e904040abd643d839":"b1472f92f552ca0d62496b8fa622c569":"5ae64edf11b4dbc7294d3d01bc9faf310dc08a92b28e664e0a7525f938d32ef033033f1de8931f39a58df0eabc8784423f0a6355efcff008cae62c1d8e5b7baefd360a5a2aa1b7068522faf8e437e6419be305ada05715bf21d73bd227531fea4bc31a6ce1662aec49f1961ee28e33ae00eb20013fd84b51cfe0d5adbdaff592":128:"29a2d607b2d2d9c96d093000b401a94f":"":"beb687f062ae7f5159d07609dd58d7b81c478d180bc0b4c07ae799626ff1da2be2e0d78b2a2a1f563257f161491a5ac500cd719da6379e30d0f6d0a7a33203381e058f487fc60989923afbee76e703c03abc73bb01bd262ff6f0ac931f771e9b4f2980e7d8c0a9e939fa6e1094796894f2c78f453e4abe64cb285016435ef0e8":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7b882a2df81fdb9275fb05d120f32417e8ffedd07457e938":"0aae7213da279b34d6dcf2a691b2d0333112ea22de0c3c68d47cf9f9f4ed8ad4e03d4a60ec18c3a04ac9c2abb73e1023051029b5e8705bb69c4c50afc84deb0379db5077be1f663652f8bd8958271af2c1ac4a87e08cb526bab8a030652f2a29af8055d0f31e35475caee27f84c156ef8642e5bfef89192f5bde3c54279ffe06":"5c064d3418b89388fb21c61d8c74d2c5":"5bfa7113d34e00f34713cf07c386d055e889bb42d7f6c8631ffce5668e98cb19bed8820b90ecb2b35df7134f975700347e5514287cfef7ffa2b0ff48b1de0769b03dca6610995d67cb80052cb2e5914eb4ed43ef5861f4b9364314fde6ad2b82fbba7fd849dfa6e46ecc12edc8cabfff28d9bd23c2bcc8ab3661c9ba4d5fee06":120:"0943abb85adee47741540900cc833f":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7b882a2df81fdb9275fb05d120f32417e8ffedd07457e938":"0aae7213da279b34d6dcf2a691b2d0333112ea22de0c3c68d47cf9f9f4ed8ad4e03d4a60ec18c3a04ac9c2abb73e1023051029b5e8705bb69c4c50afc84deb0379db5077be1f663652f8bd8958271af2c1ac4a87e08cb526bab8a030652f2a29af8055d0f31e35475caee27f84c156ef8642e5bfef89192f5bde3c54279ffe06":"5c064d3418b89388fb21c61d8c74d2c5":"5bfa7113d34e00f34713cf07c386d055e889bb42d7f6c8631ffce5668e98cb19bed8820b90ecb2b35df7134f975700347e5514287cfef7ffa2b0ff48b1de0769b03dca6610995d67cb80052cb2e5914eb4ed43ef5861f4b9364314fde6ad2b82fbba7fd849dfa6e46ecc12edc8cabfff28d9bd23c2bcc8ab3661c9ba4d5fee06":120:"0943abb85adee47741540900cc833f":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"51d94d21482c00bb5bc7e7e03aa017ba58f5a23494b72c2a":"3a9c69c1ed2340bfde1495658dbf4f54731a19b3922a1d535df8d0b2582f5e803b5891e8ad1aa256c923956dcda2430d0c0696bce63295fb61183e040566e459338f908d23ae51f64020c1ef3d192428f23312b285fc4111d50d1add58f4a49008a22c90d3365230e9158cd56f9d84f079bdd673555d4dc76c74b02fa9920e7d":"fb21cd763e6f25540f8ad455deaccdf0":"019d1db5569eeff83306f65d653b01064854c1be8446cd2516336667c6557e7844fc349adea64a12dc19ac7e8e40b0520a48fac64571a93d669045607085ac9fa78fed99bbf644908d7763fe5f7f503947a9fe8661b7c6aef8da101acca0aed758ca1580eeb2f26ae3bf2de06ce8827a91a694179991a993cdf814efbcc61ca5":120:"a93bd682b57e1d1bf4af97e93b8927":"7093f44703f2cbb3d12d9872b07a8cd44deb62dae48bc573b11a1ee1c9f3105223423fac3181c312a8a61757a432d92719f486c21e311b840aa63cf530710c873df27fecda0956075923f1ecc39bffb862706f48bde2de15612930fc8630d2036e9e4cfc1c69779171bd23d9e1d5de50a9e0a0de4bd82ed3efc45299980bb4cc":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"51d94d21482c00bb5bc7e7e03aa017ba58f5a23494b72c2a":"3a9c69c1ed2340bfde1495658dbf4f54731a19b3922a1d535df8d0b2582f5e803b5891e8ad1aa256c923956dcda2430d0c0696bce63295fb61183e040566e459338f908d23ae51f64020c1ef3d192428f23312b285fc4111d50d1add58f4a49008a22c90d3365230e9158cd56f9d84f079bdd673555d4dc76c74b02fa9920e7d":"fb21cd763e6f25540f8ad455deaccdf0":"019d1db5569eeff83306f65d653b01064854c1be8446cd2516336667c6557e7844fc349adea64a12dc19ac7e8e40b0520a48fac64571a93d669045607085ac9fa78fed99bbf644908d7763fe5f7f503947a9fe8661b7c6aef8da101acca0aed758ca1580eeb2f26ae3bf2de06ce8827a91a694179991a993cdf814efbcc61ca5":120:"a93bd682b57e1d1bf4af97e93b8927":"":"7093f44703f2cbb3d12d9872b07a8cd44deb62dae48bc573b11a1ee1c9f3105223423fac3181c312a8a61757a432d92719f486c21e311b840aa63cf530710c873df27fecda0956075923f1ecc39bffb862706f48bde2de15612930fc8630d2036e9e4cfc1c69779171bd23d9e1d5de50a9e0a0de4bd82ed3efc45299980bb4cc":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e6756470937f5d9af76f2abe6df2d0bc15ff8e39b5154071":"afae92bd56c426c095d76633701aa9bea5ce05490482c6c64ac24468c3e1af6e6030a6bb6649745b011c6729bde985b9242e22105322fbb8853dcabbd00165d0b07d7b499e0238b6513bf6351eb40635a798f7e6e2d31125dda45ffe8964596fdbff55df22d4e9025bd4f39e7c9b90e74b3ee58d6901f113900ee47a4df5afd7":"4500193711a5d817a9f48deafda39772":"92fa22dba0eee6b1de1ddd24713b1be44c7105df90e6e7a54dcbf19025e560eb4986ee080cf613898a1a69d5ab460a3b8aa2723a95ac4a4af48224b011b55fb7582ae18f6746591eab2bd33d82a8dbbae3f7877e28afef9857a623530b31d8198b2df43f903d6e48ddae0848741f9eaae7b5504c67ad13791818f3c55c9b3d1e":120:"7d9f97c97c3424c79966f5b45af090":"62258d60f0138c0405df4b2ec1e308b374603a9eace45932fdc2999e9e2261de8b1099473d1fc741c46c334023aa5d9359f7ef966240aaf7e310d874b5956fd180fb1124cbeb91cf86020c78a1a0335f5f029bd34677dd2d5076482f3b3e85808f54998f4bac8b8fa968febceec3458fb882fc0530271f144fb3e2ab8c1a6289":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e6756470937f5d9af76f2abe6df2d0bc15ff8e39b5154071":"afae92bd56c426c095d76633701aa9bea5ce05490482c6c64ac24468c3e1af6e6030a6bb6649745b011c6729bde985b9242e22105322fbb8853dcabbd00165d0b07d7b499e0238b6513bf6351eb40635a798f7e6e2d31125dda45ffe8964596fdbff55df22d4e9025bd4f39e7c9b90e74b3ee58d6901f113900ee47a4df5afd7":"4500193711a5d817a9f48deafda39772":"92fa22dba0eee6b1de1ddd24713b1be44c7105df90e6e7a54dcbf19025e560eb4986ee080cf613898a1a69d5ab460a3b8aa2723a95ac4a4af48224b011b55fb7582ae18f6746591eab2bd33d82a8dbbae3f7877e28afef9857a623530b31d8198b2df43f903d6e48ddae0848741f9eaae7b5504c67ad13791818f3c55c9b3d1e":120:"7d9f97c97c3424c79966f5b45af090":"":"62258d60f0138c0405df4b2ec1e308b374603a9eace45932fdc2999e9e2261de8b1099473d1fc741c46c334023aa5d9359f7ef966240aaf7e310d874b5956fd180fb1124cbeb91cf86020c78a1a0335f5f029bd34677dd2d5076482f3b3e85808f54998f4bac8b8fa968febceec3458fb882fc0530271f144fb3e2ab8c1a6289":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"30db73d46b518669c45b81bc67b93bed3d0864f7e9e8e789":"750bc1d2f91d786bb1e621192a376f552538ba8c07d50d9e10b9345f31b3e5f9d8ad7c719c03d8548a3b184b741cd06c49d7fb6fe80258d60c01c2987c337c823211cee7c1cf82077266889bc7767475e0eeabb2ef6b5a1de2089aaef77565d40a1c2c470a880c911e77a186eacca173b25970574f05c0bdcd5428b39b52af7f":"5069e2d2f82b36de8c2eb171f301135d":"ef781dce556b84188adee2b6e1d64dac2751dd8592abc6c72af7b998dfae40cbe692a4cae0b4aa2c95910e270600550fca1e83640c64efb1eb0e0a90a6fc475ae1db863a64ce9cc272f00abac8a63d48dd9f1c0a5f4586224befed05be4afae5bd92249833d565cc6b65fd8955cb8a7d7bd9f4b6a229e3881212871a52c15d1c":112:"a5100c5e9a16aedf0e1bd8604335":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"30db73d46b518669c45b81bc67b93bed3d0864f7e9e8e789":"750bc1d2f91d786bb1e621192a376f552538ba8c07d50d9e10b9345f31b3e5f9d8ad7c719c03d8548a3b184b741cd06c49d7fb6fe80258d60c01c2987c337c823211cee7c1cf82077266889bc7767475e0eeabb2ef6b5a1de2089aaef77565d40a1c2c470a880c911e77a186eacca173b25970574f05c0bdcd5428b39b52af7f":"5069e2d2f82b36de8c2eb171f301135d":"ef781dce556b84188adee2b6e1d64dac2751dd8592abc6c72af7b998dfae40cbe692a4cae0b4aa2c95910e270600550fca1e83640c64efb1eb0e0a90a6fc475ae1db863a64ce9cc272f00abac8a63d48dd9f1c0a5f4586224befed05be4afae5bd92249833d565cc6b65fd8955cb8a7d7bd9f4b6a229e3881212871a52c15d1c":112:"a5100c5e9a16aedf0e1bd8604335":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"209f0478f1a62cb54c551181cbd4d24b796e95f3a06b6cb9":"66db7cc97b4a8266c0a2228e8028e38d8986e79fcbcc3caff3050fdd2de87b7ff7a6895b988b0bdb7fcc4d6e2d538dcfaad43ce2f98b6d32500f5a6e6183d84cb19157a699cdde1266d6d75a251ee1a2eb97bfe6405d50be2b17a58ba6eafaee0a023a28d568fd1c914f06041a49c79b9df9efe63d56883cbbbeaba809273d2e":"7be1768f6ffb31599eb6def7d1daa41c":"9cb49357536ebe087e1475a5387907a9e51ad1550697f13c6cc04384ec8a67dea13376bdd5e26b815c84a78f921b506b9e2086de50f849185f05ba7c3041e49e42c0673df856da109a78b8e0ce918c25836f7e781e6b16168e4e5976d27ebc83f20b7bf4beadecb9b4f17a7a0d3a3db27fc65288a754b5031a2f5a1394801e6e":112:"4d2ac05bfd4b59b15a6f70ea7cd0":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"209f0478f1a62cb54c551181cbd4d24b796e95f3a06b6cb9":"66db7cc97b4a8266c0a2228e8028e38d8986e79fcbcc3caff3050fdd2de87b7ff7a6895b988b0bdb7fcc4d6e2d538dcfaad43ce2f98b6d32500f5a6e6183d84cb19157a699cdde1266d6d75a251ee1a2eb97bfe6405d50be2b17a58ba6eafaee0a023a28d568fd1c914f06041a49c79b9df9efe63d56883cbbbeaba809273d2e":"7be1768f6ffb31599eb6def7d1daa41c":"9cb49357536ebe087e1475a5387907a9e51ad1550697f13c6cc04384ec8a67dea13376bdd5e26b815c84a78f921b506b9e2086de50f849185f05ba7c3041e49e42c0673df856da109a78b8e0ce918c25836f7e781e6b16168e4e5976d27ebc83f20b7bf4beadecb9b4f17a7a0d3a3db27fc65288a754b5031a2f5a1394801e6e":112:"4d2ac05bfd4b59b15a6f70ea7cd0":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1bfa30b315e7b908263330140fa2d66ed57104784a43cc70":"8eeee9865e23fa51dbbf197fa41776b7edbdb9381a22c935299cd959a46190788ae82f4e645b0362df89bfc00241964784bc7ef70f6f97e81687d52e552a33af20ae34a3005e0a7b85d094368d707c3c4cd3ef31c0daf3ccaa1676609ed199327f4139d0c120977e6babceed28896d2cb3129630f3ee135572dc39433057e26a":"b7081a3010b524218390ba6dd460a1ec":"8c1f42b5931d69ae351fcde7d2b4136d4898a4fa8ba62d55cef721dadf19beaabf9d1900bdf2e58ee568b808684eecbf7aa3c890f65c54b967b94484be082193b2d8393007389abaa9debbb49d727a2ac16b4dab2c8f276840e9c65a47974d9b04f2e63adf38b6aad763f0d7cdb2c3d58691adde6e51e0a85093a4c4944f5bf2":112:"4da85b8ec861dd8be54787bb83f1":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1bfa30b315e7b908263330140fa2d66ed57104784a43cc70":"8eeee9865e23fa51dbbf197fa41776b7edbdb9381a22c935299cd959a46190788ae82f4e645b0362df89bfc00241964784bc7ef70f6f97e81687d52e552a33af20ae34a3005e0a7b85d094368d707c3c4cd3ef31c0daf3ccaa1676609ed199327f4139d0c120977e6babceed28896d2cb3129630f3ee135572dc39433057e26a":"b7081a3010b524218390ba6dd460a1ec":"8c1f42b5931d69ae351fcde7d2b4136d4898a4fa8ba62d55cef721dadf19beaabf9d1900bdf2e58ee568b808684eecbf7aa3c890f65c54b967b94484be082193b2d8393007389abaa9debbb49d727a2ac16b4dab2c8f276840e9c65a47974d9b04f2e63adf38b6aad763f0d7cdb2c3d58691adde6e51e0a85093a4c4944f5bf2":112:"4da85b8ec861dd8be54787bb83f1":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fc47156a693e59a1dea0618c41441fe669fc65dcfb7d0726":"3e4f0a586bad532a08c8863ebba01fd25014baa907e6032ee43d4a7dfc7c3171916dcdf9faee0531f27527872ae4e127b6b9aaee93f5e74d0ab23f3874aa0e291564bc97f17085dd7d5eb9a85d9f44574e5952929eda08863b64c85dd395c91b01fe5bef66e3fa8f9ee5bf62c25d80dc84fbe002ecfd218430b26f3549f734a1":"ea1935ed014883cc427983d7962d9992":"0d85b8513becfe8c91d0f6ffb65ec31f2cf406c51c0da88893c43d1327fd8ad1f4bab2d7b5e27438d643397034a72f8666bf641b6781bc90f764db387eae6720b5723d510194570ccd773e1b3bebfc333cc099d078583e8dac60d174d332925a24a45110c8d2abe8924ea677ac74db66ea789e2838efc96c78bceaa6236c0a67":104:"8781b045a509c4239b9f44624e":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fc47156a693e59a1dea0618c41441fe669fc65dcfb7d0726":"3e4f0a586bad532a08c8863ebba01fd25014baa907e6032ee43d4a7dfc7c3171916dcdf9faee0531f27527872ae4e127b6b9aaee93f5e74d0ab23f3874aa0e291564bc97f17085dd7d5eb9a85d9f44574e5952929eda08863b64c85dd395c91b01fe5bef66e3fa8f9ee5bf62c25d80dc84fbe002ecfd218430b26f3549f734a1":"ea1935ed014883cc427983d7962d9992":"0d85b8513becfe8c91d0f6ffb65ec31f2cf406c51c0da88893c43d1327fd8ad1f4bab2d7b5e27438d643397034a72f8666bf641b6781bc90f764db387eae6720b5723d510194570ccd773e1b3bebfc333cc099d078583e8dac60d174d332925a24a45110c8d2abe8924ea677ac74db66ea789e2838efc96c78bceaa6236c0a67":104:"8781b045a509c4239b9f44624e":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b5fcd780a03ba80341081ef96b440c0e4348afde4d60c1d5":"6316f3beb32f6f3bf8f2ff6a2c160b432bafd3036d3eefa1e4ec204f24892e37dc4d75c7ce9a24b5c49fb4df901f35ef9d5955f7dc289c56cb74753f4d6b2982267d5269d12237e21202a65061849c65e90e6702dda03a35ace3a3a098d16b4bfbb85b7232404baee37776a9b51af6b3059a5f170f4ebe4ecf11061ca3c1f1f3":"ad20cce056e74ec5d0a76d6280998f15":"28f8fcf23b9c1ba40c19ffc1092632e35f234c1e8b82bcd5309d37bf849a2ce401413d1f242cf255ed597f9a93a1d6e50676997f95aa612e580d88234a86ddc404292746f0b2f5cf15abebcea6659f998ec6a1cb5a9914fee5aa1aa5d04b3c20914e45095e4141ce9c173653dd91c3ebe4ed4a9a28f3915d7b2edba34c2a58d8":104:"2ad4520ddc3b907414d934cc1d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b5fcd780a03ba80341081ef96b440c0e4348afde4d60c1d5":"6316f3beb32f6f3bf8f2ff6a2c160b432bafd3036d3eefa1e4ec204f24892e37dc4d75c7ce9a24b5c49fb4df901f35ef9d5955f7dc289c56cb74753f4d6b2982267d5269d12237e21202a65061849c65e90e6702dda03a35ace3a3a098d16b4bfbb85b7232404baee37776a9b51af6b3059a5f170f4ebe4ecf11061ca3c1f1f3":"ad20cce056e74ec5d0a76d6280998f15":"28f8fcf23b9c1ba40c19ffc1092632e35f234c1e8b82bcd5309d37bf849a2ce401413d1f242cf255ed597f9a93a1d6e50676997f95aa612e580d88234a86ddc404292746f0b2f5cf15abebcea6659f998ec6a1cb5a9914fee5aa1aa5d04b3c20914e45095e4141ce9c173653dd91c3ebe4ed4a9a28f3915d7b2edba34c2a58d8":104:"2ad4520ddc3b907414d934cc1d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4382507dddccf1385fc831da8924147563416d0656e168ec":"e5c5430b960aa35dc8540215c2772d66811270859e33dd4477904759e7e5eb2986a52a4ccc9f592e614147b5ea2ead6636a15c6426336b2995d9a31ab36d76578c3540bc6693842a4bc0491c7963ee9cda2317951cf93244bd30bcdfec69a4767004636fe7d1be7300c35e80627bab9236a075a803e9e1080b9159060c643a78":"a37687c9cd4bdc1ead4e6b8f78bee7f5":"fa9ae30509cbb6fe104c21480ae7b8ec9f12f1afb17320d77b77cdf32ce8c5a3f7f927e501118c7ccd6975b79225059cef530a4fcb0a9719f5e2d3bebe7bb6ec0855e495a31e5075eb50aa6c1227e48b03e3fdf780084ac4912eb3a5674cca9dd6ac037366b230ae631a8580d2d117942dee5d5ddbbb2233afeca53289cc4f68":104:"4221818d4be45306e205813789":"b5b36719bc4d13a5fbf37188ea814cdf3c97a430784330540325c899570e15482300bc82c5b8163074e0544c5132e3ce93bba68bd7a8d2db81d1431b424b697c1158c4d70625666d5ff99145ca34856815c905b5a0fd95806df56b9cd5b384bda3e394b409048eb1037144cc071539c02397e931da28a43cc354d584643afd4f":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4382507dddccf1385fc831da8924147563416d0656e168ec":"e5c5430b960aa35dc8540215c2772d66811270859e33dd4477904759e7e5eb2986a52a4ccc9f592e614147b5ea2ead6636a15c6426336b2995d9a31ab36d76578c3540bc6693842a4bc0491c7963ee9cda2317951cf93244bd30bcdfec69a4767004636fe7d1be7300c35e80627bab9236a075a803e9e1080b9159060c643a78":"a37687c9cd4bdc1ead4e6b8f78bee7f5":"fa9ae30509cbb6fe104c21480ae7b8ec9f12f1afb17320d77b77cdf32ce8c5a3f7f927e501118c7ccd6975b79225059cef530a4fcb0a9719f5e2d3bebe7bb6ec0855e495a31e5075eb50aa6c1227e48b03e3fdf780084ac4912eb3a5674cca9dd6ac037366b230ae631a8580d2d117942dee5d5ddbbb2233afeca53289cc4f68":104:"4221818d4be45306e205813789":"":"b5b36719bc4d13a5fbf37188ea814cdf3c97a430784330540325c899570e15482300bc82c5b8163074e0544c5132e3ce93bba68bd7a8d2db81d1431b424b697c1158c4d70625666d5ff99145ca34856815c905b5a0fd95806df56b9cd5b384bda3e394b409048eb1037144cc071539c02397e931da28a43cc354d584643afd4f":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7a66db3450dac9a1e63d2639f34c5c6a3fbfb3c8e8230199":"6463a7eb2496379bc8a5635541525926a6f9fa718e338221952118ae4cf03a85f2074b4ebaf108b9c725809be1e6309c3a444b66f12286f6ea9d80c3413706b234b26372e8f00783819314a994c9e3ecf6abdd255cbfe01b3865e1390a35dcd2853a3d99ed992e82ec67ba245f088cb090adade74bdbc8a1bad0f06cbea766a6":"21f8341529b210ade7f2c6055e13007a":"1699bc8c198ab03e22d9bc4f3682aad335c6e35f3f616bb69769a9d5a202511797e770ae0d8d8528ef7b2bb25b4294d47427b43f0580fa71d93fdef667f4f4196f84e41c0b1978796d0de74a94420fb8571bff39137fa231c572b31be9ae72338288bef5f8c992121dc918538551f346e279a9047df14ec9fc0fd399cd3bd8d8":96:"4af02b81b26104d1d31e295a":"53fe6a34d280f2c96d1ae2b2e8baf6abd67cedf7d214312f75dd4a1bec28a641dda3e71aa398726b2b0b1f515e1f4259ee97acaf17f122db9ec7814c2de6a88d36c3ac106396ad03d337c2cd2d2b9b4b7170e23a5848ca7ea129838f967dfdfe83b45ff2a9be699bfb2346115465d59f074f09e24d8fcbd9ece0018c92776c43":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7a66db3450dac9a1e63d2639f34c5c6a3fbfb3c8e8230199":"6463a7eb2496379bc8a5635541525926a6f9fa718e338221952118ae4cf03a85f2074b4ebaf108b9c725809be1e6309c3a444b66f12286f6ea9d80c3413706b234b26372e8f00783819314a994c9e3ecf6abdd255cbfe01b3865e1390a35dcd2853a3d99ed992e82ec67ba245f088cb090adade74bdbc8a1bad0f06cbea766a6":"21f8341529b210ade7f2c6055e13007a":"1699bc8c198ab03e22d9bc4f3682aad335c6e35f3f616bb69769a9d5a202511797e770ae0d8d8528ef7b2bb25b4294d47427b43f0580fa71d93fdef667f4f4196f84e41c0b1978796d0de74a94420fb8571bff39137fa231c572b31be9ae72338288bef5f8c992121dc918538551f346e279a9047df14ec9fc0fd399cd3bd8d8":96:"4af02b81b26104d1d31e295a":"":"53fe6a34d280f2c96d1ae2b2e8baf6abd67cedf7d214312f75dd4a1bec28a641dda3e71aa398726b2b0b1f515e1f4259ee97acaf17f122db9ec7814c2de6a88d36c3ac106396ad03d337c2cd2d2b9b4b7170e23a5848ca7ea129838f967dfdfe83b45ff2a9be699bfb2346115465d59f074f09e24d8fcbd9ece0018c92776c43":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1f5c818f24d201f9fb23fcca211b0545eee5c5c9b440810d":"9a7566817a06f792e96a6a2ba8e0a01f8837e2de06796e68b0782cc54ed0b04fc5e24a1ad37d5ffb035548b882d88150e89915b89f57cde2bf3c43ab9dae356927daef6bd61cc9edd5e1b7a4abea2f71313677f1b2fdf3d8d4a7e9814ea820fbc3e5c83947db961839a985a57ced7f5e4a1efffcfd17a2c806d4cdc1e79162da":"3a163067bdd90fce0406d1c198a88771":"a5e94e233d04fe0c4b6c4684b386902fe05096702237dfbe76f73befa69b6f30394cf9fe3358997942df65842748fb4f075a3dc06e147bd8d67fc4371113a4d75c70219257c650a6f38a136659e20a1cf3a119397835c304e0fb2a33aa3c3019175c86463043d5edc6992874f61e81cd0d26af8b62cf8c8626901d4f16d84236":96:"b124eea927e2a62a875494a1":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1f5c818f24d201f9fb23fcca211b0545eee5c5c9b440810d":"9a7566817a06f792e96a6a2ba8e0a01f8837e2de06796e68b0782cc54ed0b04fc5e24a1ad37d5ffb035548b882d88150e89915b89f57cde2bf3c43ab9dae356927daef6bd61cc9edd5e1b7a4abea2f71313677f1b2fdf3d8d4a7e9814ea820fbc3e5c83947db961839a985a57ced7f5e4a1efffcfd17a2c806d4cdc1e79162da":"3a163067bdd90fce0406d1c198a88771":"a5e94e233d04fe0c4b6c4684b386902fe05096702237dfbe76f73befa69b6f30394cf9fe3358997942df65842748fb4f075a3dc06e147bd8d67fc4371113a4d75c70219257c650a6f38a136659e20a1cf3a119397835c304e0fb2a33aa3c3019175c86463043d5edc6992874f61e81cd0d26af8b62cf8c8626901d4f16d84236":96:"b124eea927e2a62a875494a1":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9a301f7edf83da63bcf37216a3a33d7613331c3210281dd7":"e09cc8543db7804870004706a26e94b457c125bd648b581a196f962f2ae8fa55d9bc66530ba5020e22d282080b4720dc9a2096a11c0fcc3d9a67cd1cf95cd7cd2417ba308c761e64be24347a14c9423447094a5c72a0043c288b35e753ba0aa748f208381249fb1c8d195a472192404b6c8172663ee4b4d4ecfa426e1fb003f2":"d73a546b0fa307633ac89506fa86138b":"f57fe548cf4a551a216ffb24a1dcf1b79c95f9abf06443fd58af042d287c2165db373c82a94172db517840f22e45e966e3ead91ce1ddad132bcb844e406e84b76a0b5b0ee23064b66a229f32a2d3b9c71103f020c4ba57fc0f0608b7114914cf2ada0c5a9bc4afbfa9ce5da320f34beb2211d569a142f53bfd262f6d149c4350":96:"f536a3b8c333b1aa520d6440":"124a327a8c22b7652886dac2c84b8997ca8a6f61c9ba9c094b5aea41eaa050a6df6cbf280259e5466071bcfa53b4ebc76c3cc4afc8c0385189a5382933aa57c89aab78dca84331e0fe8f0aab3a7857d3e13f08dcd90ec5f0684f82088ef8eb7fd67e75de43b67afc3a0beb458f5ebd61b2c779e6c539d795c667bb7dcc2b762e":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9a301f7edf83da63bcf37216a3a33d7613331c3210281dd7":"e09cc8543db7804870004706a26e94b457c125bd648b581a196f962f2ae8fa55d9bc66530ba5020e22d282080b4720dc9a2096a11c0fcc3d9a67cd1cf95cd7cd2417ba308c761e64be24347a14c9423447094a5c72a0043c288b35e753ba0aa748f208381249fb1c8d195a472192404b6c8172663ee4b4d4ecfa426e1fb003f2":"d73a546b0fa307633ac89506fa86138b":"f57fe548cf4a551a216ffb24a1dcf1b79c95f9abf06443fd58af042d287c2165db373c82a94172db517840f22e45e966e3ead91ce1ddad132bcb844e406e84b76a0b5b0ee23064b66a229f32a2d3b9c71103f020c4ba57fc0f0608b7114914cf2ada0c5a9bc4afbfa9ce5da320f34beb2211d569a142f53bfd262f6d149c4350":96:"f536a3b8c333b1aa520d6440":"":"124a327a8c22b7652886dac2c84b8997ca8a6f61c9ba9c094b5aea41eaa050a6df6cbf280259e5466071bcfa53b4ebc76c3cc4afc8c0385189a5382933aa57c89aab78dca84331e0fe8f0aab3a7857d3e13f08dcd90ec5f0684f82088ef8eb7fd67e75de43b67afc3a0beb458f5ebd61b2c779e6c539d795c667bb7dcc2b762e":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fd40e8226fd13cb95ba50b7cdf0f07f7ab7037cf8705ca50":"75aa7df5c3c443d48ee998064b6fd112c20d2d90c98e00d025ef08d1ad3595385be99de47fa627549b827c48bc79eb1dcaf2f1be95a45f7e55755b952aee5ae0748e68bee1b014a628f3f7dc88e0ebac1d1d00e268355f5101838ce125c57003aebc02a1c9d6ae2cd6e2592f52c0be38cef21a680ae35c909cab99dce9837aef":"3406e70cbe16b047fedaa537eb892279":"390b18d22d5ecc0b5a524ae9afac6fd948ac72d1360775a88b385aa862cce8a27f3e4b420e539bec6e8958f8c1b5416c313fa0a16f921149a2bfeae29ad2348949b29a73970e5be925ec0c35218b82a020cf21bb68c6931f86b29e01b85500a73f3ee7eb78da60078f42550da83b2e301d151d69b273a050f89e57dfc4787cbf":64:"69e06c72ead69501":"6e8d661cd320b1b39f8494836fcf738b0ab82873d3903c9ee34d74f618aea36099926b54c1589225ec9a9d48ca53657f10d9289c31f199c37c48fb9cbe1cda1e790aaeedf73871f66a3761625cca3c4f642bc4f254868f6b903e80ceeeb015569ace23376567d3712ad16d1289dc504f15d9b2751b23e7722b9e6d8e0827859f":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fd40e8226fd13cb95ba50b7cdf0f07f7ab7037cf8705ca50":"75aa7df5c3c443d48ee998064b6fd112c20d2d90c98e00d025ef08d1ad3595385be99de47fa627549b827c48bc79eb1dcaf2f1be95a45f7e55755b952aee5ae0748e68bee1b014a628f3f7dc88e0ebac1d1d00e268355f5101838ce125c57003aebc02a1c9d6ae2cd6e2592f52c0be38cef21a680ae35c909cab99dce9837aef":"3406e70cbe16b047fedaa537eb892279":"390b18d22d5ecc0b5a524ae9afac6fd948ac72d1360775a88b385aa862cce8a27f3e4b420e539bec6e8958f8c1b5416c313fa0a16f921149a2bfeae29ad2348949b29a73970e5be925ec0c35218b82a020cf21bb68c6931f86b29e01b85500a73f3ee7eb78da60078f42550da83b2e301d151d69b273a050f89e57dfc4787cbf":64:"69e06c72ead69501":"":"6e8d661cd320b1b39f8494836fcf738b0ab82873d3903c9ee34d74f618aea36099926b54c1589225ec9a9d48ca53657f10d9289c31f199c37c48fb9cbe1cda1e790aaeedf73871f66a3761625cca3c4f642bc4f254868f6b903e80ceeeb015569ace23376567d3712ad16d1289dc504f15d9b2751b23e7722b9e6d8e0827859f":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a85ab87563b809b01725764d64ba4cc6a143e2e0362f0c52":"ef43629721b50bd3656b7ae31b6e4b4ba1cf2c72ed0460ee7d9fb416631ddc597e5f9aebbcf4442b95cc46e28476a464dd87caf9c1c1d6c99d3e3e059dc23f8d2fe155ff5e59c50d640bc052c62adee3aa1295b38732e3458f379e98a8dbdfed04c22a5761792e87fa67ecbcbf3b90eb1bcd1d3f49e60132452f28afece83e90":"9f991ff16a3e3eb164a4f819c9f1821a":"df289511f78d8fa2505afc4c71ab1d7c31a8d15d1e5fcbb29d70f0e56f89c4d7b30f1b3b4745b5d2cc7af34fb4c95461372bf516ec192b400dc8fdb0ca9fe1f30f5320d0fadf20155cfcddcf09233c6f591c1c89917e38a003f56b94a1e2429d1f2b6297db790d7dce84d9fa13d2d86a0e4d100e154050b07178bee4cdf18126":64:"dc4c97fe8cc53350":"ff0e531c7344f0425d62d5fbedf4bc8d3d5cc80647e67b852c1a58ad1516d376d954cb8dda739f6a4df3cf1507e59696610bcb6b34340d6313028e00d7197845d392e73331aaf168b474a67364d8f9dab740509fabf92af75045f0afabc1b5829264d138820952bbc484d1100d058a4de32b4ece82746b2b4a85fb2993d4add8":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a85ab87563b809b01725764d64ba4cc6a143e2e0362f0c52":"ef43629721b50bd3656b7ae31b6e4b4ba1cf2c72ed0460ee7d9fb416631ddc597e5f9aebbcf4442b95cc46e28476a464dd87caf9c1c1d6c99d3e3e059dc23f8d2fe155ff5e59c50d640bc052c62adee3aa1295b38732e3458f379e98a8dbdfed04c22a5761792e87fa67ecbcbf3b90eb1bcd1d3f49e60132452f28afece83e90":"9f991ff16a3e3eb164a4f819c9f1821a":"df289511f78d8fa2505afc4c71ab1d7c31a8d15d1e5fcbb29d70f0e56f89c4d7b30f1b3b4745b5d2cc7af34fb4c95461372bf516ec192b400dc8fdb0ca9fe1f30f5320d0fadf20155cfcddcf09233c6f591c1c89917e38a003f56b94a1e2429d1f2b6297db790d7dce84d9fa13d2d86a0e4d100e154050b07178bee4cdf18126":64:"dc4c97fe8cc53350":"":"ff0e531c7344f0425d62d5fbedf4bc8d3d5cc80647e67b852c1a58ad1516d376d954cb8dda739f6a4df3cf1507e59696610bcb6b34340d6313028e00d7197845d392e73331aaf168b474a67364d8f9dab740509fabf92af75045f0afabc1b5829264d138820952bbc484d1100d058a4de32b4ece82746b2b4a85fb2993d4add8":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f4f1e03abb927ffd0b081b9dce83a56a6dd419a6313ac34f":"0e70421499bc4bcb3851afa34cdf5be374722815abdd9bcee5f332dbe890bdc1c0210ab10667e5bb924bf3c1120e25a0c074da620076f143940989e222086d1b34a1200d09aea1f810ef6de7d8520c65eef9539fde5a6422606c588fce6264e5f91f934ede6397c4b307d2d7e07a518fce577a427fa92923cbba637ae495afad":"d1e29bb51a3c4e871d15bb0cd86257e2":"ae2911cdaaad1194c5d7868b6d8f30287105df132eb0cecca14b6e23ec7ac39cc01da1c567a0219cca7b902cc2e825e30f9524a473eb6e1d4d1beff5ab4f29103b2c7522a33dd33182fa955c4f09a75196b1072a6f0340fc55a802d29c7067f05219c21857ebff89ada11f648c1f28dfbfdaab56028f05509de17e2381457ebc":64:"44f760787f7bc3c0":"2199fa5051461b67581429ab19de2ccb50b8b02e12c0e1d81a8a14929f84e09d9715b7d198e77e632de4af1c08c5041276204a7ed76646385e288e96e1a4b0b0f2b1a9df7f0892beaea3cb58d9632720158f6daa4cbbfc0ebdc56ff6a5175768ff2abd24cb7669bc3fe40f8aba7869d2dd7dac86b6ebc4e4ce261edbec88db17":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f4f1e03abb927ffd0b081b9dce83a56a6dd419a6313ac34f":"0e70421499bc4bcb3851afa34cdf5be374722815abdd9bcee5f332dbe890bdc1c0210ab10667e5bb924bf3c1120e25a0c074da620076f143940989e222086d1b34a1200d09aea1f810ef6de7d8520c65eef9539fde5a6422606c588fce6264e5f91f934ede6397c4b307d2d7e07a518fce577a427fa92923cbba637ae495afad":"d1e29bb51a3c4e871d15bb0cd86257e2":"ae2911cdaaad1194c5d7868b6d8f30287105df132eb0cecca14b6e23ec7ac39cc01da1c567a0219cca7b902cc2e825e30f9524a473eb6e1d4d1beff5ab4f29103b2c7522a33dd33182fa955c4f09a75196b1072a6f0340fc55a802d29c7067f05219c21857ebff89ada11f648c1f28dfbfdaab56028f05509de17e2381457ebc":64:"44f760787f7bc3c0":"":"2199fa5051461b67581429ab19de2ccb50b8b02e12c0e1d81a8a14929f84e09d9715b7d198e77e632de4af1c08c5041276204a7ed76646385e288e96e1a4b0b0f2b1a9df7f0892beaea3cb58d9632720158f6daa4cbbfc0ebdc56ff6a5175768ff2abd24cb7669bc3fe40f8aba7869d2dd7dac86b6ebc4e4ce261edbec88db17":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"33efe20433c6a1ad261a1fed494961749e5bf9d35809b59d":"cfbeb61be50def25f513346498f75984bfe797a8ad56be34f2461e2d673f6ce14e7479a59777267b75dadc6b9522599ebe5d7b079495a58ca187ec47796f6ee8c322278ad7451b038c938928adcff6105a8ea3780aedc45b6a3323d3ae6fbce5da4fb59ca5ec0a16a70494c3c4859672348532505e44f915e0b9b8a296ef5225":"dc94673b0c49c6d3b4611e278212c748":"919f7397a6d03836423b7cac53177fcfbe457d4aa4348646f646aae1bc5a15568cdb8c96fabef278ace248aca531110a4f4f9e8ab0c32525ad816ae3facf03175232dc84addcd6065f9cc1f513966b63fd27e91a09f1921b95d6bd8f08f1dbce073bcf827847f774514b478b9d7fb5426847dd4dee6f39b5768c1fb729b32d03":32:"c5098340":"c5e47d8c60b04df1974b68a14095d9bc8429a413d21960b15bae4fd7356bf7872e0da0a1a385ca2982d3aa3182e63ea4bb8ca01410cd4e71ddad34aa1f12c1387902b3d56634f89c619a2e6756648ab3bf90e9bc945afc9140eb935b633bae96bb067e9ee421697bcf80b14b1b88dbf13e010b472a7ca5411db36848b9c7a37f":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"33efe20433c6a1ad261a1fed494961749e5bf9d35809b59d":"cfbeb61be50def25f513346498f75984bfe797a8ad56be34f2461e2d673f6ce14e7479a59777267b75dadc6b9522599ebe5d7b079495a58ca187ec47796f6ee8c322278ad7451b038c938928adcff6105a8ea3780aedc45b6a3323d3ae6fbce5da4fb59ca5ec0a16a70494c3c4859672348532505e44f915e0b9b8a296ef5225":"dc94673b0c49c6d3b4611e278212c748":"919f7397a6d03836423b7cac53177fcfbe457d4aa4348646f646aae1bc5a15568cdb8c96fabef278ace248aca531110a4f4f9e8ab0c32525ad816ae3facf03175232dc84addcd6065f9cc1f513966b63fd27e91a09f1921b95d6bd8f08f1dbce073bcf827847f774514b478b9d7fb5426847dd4dee6f39b5768c1fb729b32d03":32:"c5098340":"":"c5e47d8c60b04df1974b68a14095d9bc8429a413d21960b15bae4fd7356bf7872e0da0a1a385ca2982d3aa3182e63ea4bb8ca01410cd4e71ddad34aa1f12c1387902b3d56634f89c619a2e6756648ab3bf90e9bc945afc9140eb935b633bae96bb067e9ee421697bcf80b14b1b88dbf13e010b472a7ca5411db36848b9c7a37f":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3ed5dadefa0f6d14fedd1a3cdbab109f6660896a952ac5ab":"aef617f69724e020309ec39d9587520efda68a8e303686c3a41ef700cba05b7c6e43e95aadb1a566f61650c87845835e789eb2366941e3bfef6d9846af0e0dbc43249117ad6f299bbc40669ac383cdf79289ada6ccd8ccfe329a0dc6a38eea1a99550457102d10f641cda50c21f533b1f981663f74a0a7c657c04d9fc6696ff4":"553a14f1e1619f9d7bd07cd823961f25":"eb8ea81d3e328a1113942cd5efd0f2b5e7f088791c8fc05690a34584101c4d493628ee7d0099a2865ac194b9124c3fb924de0c4428d0a1c26ea3ad9a0bc89187a16673e3b6f7e370dfb2dc26e8a56a9cf91f9c2088c020a766efe0d0c91689743a603f2cd1e300a6a84828b3b515a4b9a06e6bb20457bf124cd6ce4ac8b83d51":32:"dc413c4c":"bc1f34991a48aabb0fea513f790f0d223e9feac4c99fa1e8427f01ab8b4b2827cfaf239342de36051a846af0306a3f82e7aed98dd0416fb078bc7f3b617b00ceb2cea4ddafc22dd022efa8303e9804510e0e888065d8427345156d823f796f74130c06db9f9934435552b4fefd051953e20ecba3a4514ac121d7d2097d597439":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3ed5dadefa0f6d14fedd1a3cdbab109f6660896a952ac5ab":"aef617f69724e020309ec39d9587520efda68a8e303686c3a41ef700cba05b7c6e43e95aadb1a566f61650c87845835e789eb2366941e3bfef6d9846af0e0dbc43249117ad6f299bbc40669ac383cdf79289ada6ccd8ccfe329a0dc6a38eea1a99550457102d10f641cda50c21f533b1f981663f74a0a7c657c04d9fc6696ff4":"553a14f1e1619f9d7bd07cd823961f25":"eb8ea81d3e328a1113942cd5efd0f2b5e7f088791c8fc05690a34584101c4d493628ee7d0099a2865ac194b9124c3fb924de0c4428d0a1c26ea3ad9a0bc89187a16673e3b6f7e370dfb2dc26e8a56a9cf91f9c2088c020a766efe0d0c91689743a603f2cd1e300a6a84828b3b515a4b9a06e6bb20457bf124cd6ce4ac8b83d51":32:"dc413c4c":"":"bc1f34991a48aabb0fea513f790f0d223e9feac4c99fa1e8427f01ab8b4b2827cfaf239342de36051a846af0306a3f82e7aed98dd0416fb078bc7f3b617b00ceb2cea4ddafc22dd022efa8303e9804510e0e888065d8427345156d823f796f74130c06db9f9934435552b4fefd051953e20ecba3a4514ac121d7d2097d597439":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6d97e8bff3923a778504fb917dbc1428a1328587047697d9":"dc1a81efd51e967767f5bdd7e2e425732c1d28451f2bf5bdf3f5a6492279330594d360dd8a193e5dbde1be49bf143a35c38bcd059f762ada65c5119e097f0976891347f4d829b087bd72daa3494b344cbd3370c4459ca243bd57aeda4cb86cdd0bf274f07830cdbf5e5be4eb9b742ddffef8aa35626d2b9ea0a29d3c3d058b28":"0c28dc4cd53725091c2fb68a476c2e40":"f3932f5e82d75a1e3eba1591c17769e1a45819ccf057c31e76fa810b93678766d25905e859775c244e96bcafbc75c4a2d95e7d02868ccb2f65e49276f0b645ac8cf6e3758402304a3c25ce2de0a49f401b1acadaff8b57589b45cc79130ddc8387f41cc383e33ef38eec019152051c756198d6f782ccf56297b9fe944269a65a":32:"e6d6df7a":"39327836e9d8cfb59397adcf045a85644c52c3563290795811f26350c8bce8f55ca779cbcd15479efd8144b8a39ef611153955c70bf3a7da9d4d944c2407a0d735784fcb68de1083eebf6940ebc9cf92f9f139c01404b503ff64e61126a94e881351473507884357040fd32714b872c254349071069644e2bd642905521b944e":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6d97e8bff3923a778504fb917dbc1428a1328587047697d9":"dc1a81efd51e967767f5bdd7e2e425732c1d28451f2bf5bdf3f5a6492279330594d360dd8a193e5dbde1be49bf143a35c38bcd059f762ada65c5119e097f0976891347f4d829b087bd72daa3494b344cbd3370c4459ca243bd57aeda4cb86cdd0bf274f07830cdbf5e5be4eb9b742ddffef8aa35626d2b9ea0a29d3c3d058b28":"0c28dc4cd53725091c2fb68a476c2e40":"f3932f5e82d75a1e3eba1591c17769e1a45819ccf057c31e76fa810b93678766d25905e859775c244e96bcafbc75c4a2d95e7d02868ccb2f65e49276f0b645ac8cf6e3758402304a3c25ce2de0a49f401b1acadaff8b57589b45cc79130ddc8387f41cc383e33ef38eec019152051c756198d6f782ccf56297b9fe944269a65a":32:"e6d6df7a":"":"39327836e9d8cfb59397adcf045a85644c52c3563290795811f26350c8bce8f55ca779cbcd15479efd8144b8a39ef611153955c70bf3a7da9d4d944c2407a0d735784fcb68de1083eebf6940ebc9cf92f9f139c01404b503ff64e61126a94e881351473507884357040fd32714b872c254349071069644e2bd642905521b944e":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2c78e29971e90a01bb65973f81260b9344fa835751f5f142":"":"f1a23ce6e2bc9088a62c887abecd30ae":"":128:"d4d5c22f993c8c610145fcbe4e021687":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2c78e29971e90a01bb65973f81260b9344fa835751f5f142":"":"f1a23ce6e2bc9088a62c887abecd30ae":"":128:"d4d5c22f993c8c610145fcbe4e021687":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8c582d5b6a40ef0e4048ec20f0263572d7cc82704e380851":"":"ef221a1c66fda17906190b7c99ab60b8":"":128:"6327dcb46ffb3d0fd8fbf3d2848a8f01":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8c582d5b6a40ef0e4048ec20f0263572d7cc82704e380851":"":"ef221a1c66fda17906190b7c99ab60b8":"":128:"6327dcb46ffb3d0fd8fbf3d2848a8f01":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3a58abadd29e946e23ca9eb09af059913d5394971bda6a4f":"":"7c29b3196d44df78fa514a1967fcd3a6":"":128:"fc123944bbea6c5075a5f987aed9cf99":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3a58abadd29e946e23ca9eb09af059913d5394971bda6a4f":"":"7c29b3196d44df78fa514a1967fcd3a6":"":128:"fc123944bbea6c5075a5f987aed9cf99":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"04bdde4c35c385783715d8a883640851b860ce0e8436ec19":"":"783f9a3c36b6d0c9fd57c15105316535":"":120:"23e21a803cac5237777014686564f2":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"04bdde4c35c385783715d8a883640851b860ce0e8436ec19":"":"783f9a3c36b6d0c9fd57c15105316535":"":120:"23e21a803cac5237777014686564f2":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4ba5fba0c22fbe10c2d1690c5d99938522de9c5186721bac":"":"2acc2073089a34d4651eee39a262e8ae":"":120:"7ac742c859a02a543b50464c66dcf5":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4ba5fba0c22fbe10c2d1690c5d99938522de9c5186721bac":"":"2acc2073089a34d4651eee39a262e8ae":"":120:"7ac742c859a02a543b50464c66dcf5":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f12890b0a8819faa5a8e0e487f7f064af42fa6d5519d009f":"":"c937615675738f4b3227c799833d1e61":"":120:"88300bd65b12dcb341f1f6d8a15584":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f12890b0a8819faa5a8e0e487f7f064af42fa6d5519d009f":"":"c937615675738f4b3227c799833d1e61":"":120:"88300bd65b12dcb341f1f6d8a15584":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"51878f3630298a81297f4a21514fea637faa3815d4f26fae":"":"1f939226feab012dabfc2193637d15b1":"":112:"eed5fcb7607c038b354746d91c5b":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"51878f3630298a81297f4a21514fea637faa3815d4f26fae":"":"1f939226feab012dabfc2193637d15b1":"":112:"eed5fcb7607c038b354746d91c5b":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ae596e74840a600556a06f97b13b89e38f67c152f1a1b930":"":"e2076e1050070d468659885ea77e88d0":"":112:"b4586bdbd4b6b899648f2333eee0":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ae596e74840a600556a06f97b13b89e38f67c152f1a1b930":"":"e2076e1050070d468659885ea77e88d0":"":112:"b4586bdbd4b6b899648f2333eee0":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fd33b7a0efae34339ca987b5eb8075385fd1276e63cc8530":"":"2d07bb8616fc0bbb71755a1bd256e7fb":"":112:"6b60d645220cfde42d88296ac193":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fd33b7a0efae34339ca987b5eb8075385fd1276e63cc8530":"":"2d07bb8616fc0bbb71755a1bd256e7fb":"":112:"6b60d645220cfde42d88296ac193":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5685b12a6617d554c36b62af5b8ff2239cb3ffb1d2c40e14":"":"6c31194df99d08881fa5b1dd33b45a92":"":104:"69431593c376c9f8052bf10747":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5685b12a6617d554c36b62af5b8ff2239cb3ffb1d2c40e14":"":"6c31194df99d08881fa5b1dd33b45a92":"":104:"69431593c376c9f8052bf10747":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"036ae037410dae9f0741608516d03b855c9c1851df8c54a4":"":"73599275f8237f14c4a52b283c07275d":"":104:"6f7249d25c9f273434c4720275":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"036ae037410dae9f0741608516d03b855c9c1851df8c54a4":"":"73599275f8237f14c4a52b283c07275d":"":104:"6f7249d25c9f273434c4720275":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ac144f39ebd6124bad85c9c7fb4f75bff389ece2e8085d83":"":"d0871bfc3693245be478e6a257c79efb":"":104:"5a99d59631d0e12f58b7b95ccd":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ac144f39ebd6124bad85c9c7fb4f75bff389ece2e8085d83":"":"d0871bfc3693245be478e6a257c79efb":"":104:"5a99d59631d0e12f58b7b95ccd":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a8a541ff11a1b8548e832d9e015edeccc94b87dadc156065":"":"c72bb300b624c27cded863eba56e7587":"":96:"ea2528e7439be2ed0a0d6b2a":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a8a541ff11a1b8548e832d9e015edeccc94b87dadc156065":"":"c72bb300b624c27cded863eba56e7587":"":96:"ea2528e7439be2ed0a0d6b2a":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"30dd8f400335e9c688e13cc0b1007bd21736a6d395d152e2":"":"28899601fa95f532b030f11bbeb87011":"":96:"35625638589bb7f6ccdb0222":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"30dd8f400335e9c688e13cc0b1007bd21736a6d395d152e2":"":"28899601fa95f532b030f11bbeb87011":"":96:"35625638589bb7f6ccdb0222":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cb8f672b04d706d7d4125d6830fff5d2ec069569bea050ce":"":"375d4134e8649367f4db9bdb07aa8594":"":96:"70610bf329683e15ecf8c79f":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cb8f672b04d706d7d4125d6830fff5d2ec069569bea050ce":"":"375d4134e8649367f4db9bdb07aa8594":"":96:"70610bf329683e15ecf8c79f":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"bf71e5b1cd6eb363ecd89a4958675a1166c10749e1ff1f44":"":"9f502fb5ac90ff5f5616dd1fa837387d":"":64:"a4b5138122e1209d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"bf71e5b1cd6eb363ecd89a4958675a1166c10749e1ff1f44":"":"9f502fb5ac90ff5f5616dd1fa837387d":"":64:"a4b5138122e1209d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5b9d1dfb2303b66848e363793bdca0e5ada8599cb2c09e24":"":"2ee96384dd29f8a4c4a6102549a026ab":"":64:"3b33a10189338c3b":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5b9d1dfb2303b66848e363793bdca0e5ada8599cb2c09e24":"":"2ee96384dd29f8a4c4a6102549a026ab":"":64:"3b33a10189338c3b":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a35ae271f70ebacb28173b37b921f5abcad1712a1cf5d5db":"":"8d97f354564d8185b57f7727626850a0":"":64:"813d2f98a760130c":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a35ae271f70ebacb28173b37b921f5abcad1712a1cf5d5db":"":"8d97f354564d8185b57f7727626850a0":"":64:"813d2f98a760130c":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9bdd0cb826d5d28c2ab9777d5a0c1558e7c8227c53ed4c4f":"":"daf13501a47ee73c0197d8b774eec399":"":32:"a6d108c0":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9bdd0cb826d5d28c2ab9777d5a0c1558e7c8227c53ed4c4f":"":"daf13501a47ee73c0197d8b774eec399":"":32:"a6d108c0":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"81b4d5ee4e1cbee1d8966fb3946409e6e64319a4b83231f5":"":"bc2f9320d6b62eea29ebc9cf7fc9f04a":"":32:"a47cdadd":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"81b4d5ee4e1cbee1d8966fb3946409e6e64319a4b83231f5":"":"bc2f9320d6b62eea29ebc9cf7fc9f04a":"":32:"a47cdadd":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,0,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5813627d26d568dfe5a0f8184cf561fe455eb98b98841fe0":"":"817199254a912880405c9729d75ed391":"":32:"d81d9b41":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5813627d26d568dfe5a0f8184cf561fe455eb98b98841fe0":"":"817199254a912880405c9729d75ed391":"":32:"d81d9b41":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"94f160e2325da2330fbe4e15910d33c2014f01ace58e5b24":"":"80a1b99750980bf2be84a17032fc2721":"066fdd980cf043a732403ee5f65c82ca81e3fc858ad3cfa343014a8426fd3806770f127e2041efb42e31506ce83390ac5d76de2fe1806df24ce6e4bb894972a107ef99e51e4acfb0e325ab053f9824514b5941ab1ec598fbb57a5d18ed34d72992a19215d914e34ad1a22326e493d1ff2da7bc271c96ad3ab66d0c32bd711293":128:"dd153cfd7aa946280660c445f586fa28":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"94f160e2325da2330fbe4e15910d33c2014f01ace58e5b24":"":"80a1b99750980bf2be84a17032fc2721":"066fdd980cf043a732403ee5f65c82ca81e3fc858ad3cfa343014a8426fd3806770f127e2041efb42e31506ce83390ac5d76de2fe1806df24ce6e4bb894972a107ef99e51e4acfb0e325ab053f9824514b5941ab1ec598fbb57a5d18ed34d72992a19215d914e34ad1a22326e493d1ff2da7bc271c96ad3ab66d0c32bd711293":128:"dd153cfd7aa946280660c445f586fa28":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4785846f7c0524e78f3eb137fd433e1808af64549af69183":"":"5334476a5fa3fa50dcc4b12f8ac00b51":"e70f82d1e3361ac5a5c9a087e47984d5533ba296f9b7e4a192a4ab28a833cdbbd5cece3415cf6fbb2f8055560b5c31c98d83d139954e1c03a464739f1eb5ad982c4371cf20b8984bbd97d5f40b336f5e96df3d272b95f7547be15c3bc05b3caac7d08c5eb5de8bdd246e74f6caa6bff76ea0417730ce72b911867f88fdcf73a0":128:"c59231ddaae98e0e8db6b3fe8f4d3427":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4785846f7c0524e78f3eb137fd433e1808af64549af69183":"":"5334476a5fa3fa50dcc4b12f8ac00b51":"e70f82d1e3361ac5a5c9a087e47984d5533ba296f9b7e4a192a4ab28a833cdbbd5cece3415cf6fbb2f8055560b5c31c98d83d139954e1c03a464739f1eb5ad982c4371cf20b8984bbd97d5f40b336f5e96df3d272b95f7547be15c3bc05b3caac7d08c5eb5de8bdd246e74f6caa6bff76ea0417730ce72b911867f88fdcf73a0":128:"c59231ddaae98e0e8db6b3fe8f4d3427":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"49b085fe1a8e1ae769ed09fc585d29eb24d589689992e6c5":"":"899878b0684fb865d30190821817b88c":"f789eafe3d02826b619ca4fbca7bb1919e5c6f7c33824a2f7f815dc50e329979705f7ef61e9adf7899d34f1b8840384ff62ef6d29eea38c45d12be9249aca69a02222cd744d81958c6816304ff0d81d6714a2023b3dd9d940db5c50afd89c52774d28d6afde2b6c68425b6acbe34682531a2e57e2b9a7729b3e8d96a729b15cc":128:"2c84bf7a8947ab93b10ae408243b4993":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"49b085fe1a8e1ae769ed09fc585d29eb24d589689992e6c5":"":"899878b0684fb865d30190821817b88c":"f789eafe3d02826b619ca4fbca7bb1919e5c6f7c33824a2f7f815dc50e329979705f7ef61e9adf7899d34f1b8840384ff62ef6d29eea38c45d12be9249aca69a02222cd744d81958c6816304ff0d81d6714a2023b3dd9d940db5c50afd89c52774d28d6afde2b6c68425b6acbe34682531a2e57e2b9a7729b3e8d96a729b15cc":128:"2c84bf7a8947ab93b10ae408243b4993":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"75847588760ecb6ca548747b743914c89fea367a5ccb81b6":"":"7d8a9fd254e2061c01e39eb574951924":"b03c57dfd49152401a225357f1d6e533f3a423e5cfce07b8ae7ca9daf68645e5bd67b3ca2421eac447530b27c6dc6bd9c7f1b22441b8cc8c4ac26cec2c9c0d665a35b66d779a3772d714f802d6b6272984808d0740344b6abdb63e626ef4e1ab0469da521c7908b2c95a0fd07437c0e9d4d2451ae189ad61ff19f4efb405127c":120:"e8aac14b53cdbc2028d330fc8d92a7":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"75847588760ecb6ca548747b743914c89fea367a5ccb81b6":"":"7d8a9fd254e2061c01e39eb574951924":"b03c57dfd49152401a225357f1d6e533f3a423e5cfce07b8ae7ca9daf68645e5bd67b3ca2421eac447530b27c6dc6bd9c7f1b22441b8cc8c4ac26cec2c9c0d665a35b66d779a3772d714f802d6b6272984808d0740344b6abdb63e626ef4e1ab0469da521c7908b2c95a0fd07437c0e9d4d2451ae189ad61ff19f4efb405127c":120:"e8aac14b53cdbc2028d330fc8d92a7":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e3a18a96d2e45d2f60780dc39cee7160e28cb810bf09858c":"":"26a4d659665ded39b7a1583de756d0ad":"83f8d9c58169b4c68032321197077ff5c8ee4ebb732b040748e1b55dcf53375ae86fb9646a672b5c5bc805a92c475cbb6d0ed689a58abdf2230250a7d3fbd8cfab07835fa85e738a7f74bc3e93616d844b1ec61b79f23dfea62e1815f295d43f61d7b5956103b31ca88afb0b3d37eb42cf77232dbf2258065232971c397dcbcb":120:"dc034564d4be7de243ff059b5f9160":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e3a18a96d2e45d2f60780dc39cee7160e28cb810bf09858c":"":"26a4d659665ded39b7a1583de756d0ad":"83f8d9c58169b4c68032321197077ff5c8ee4ebb732b040748e1b55dcf53375ae86fb9646a672b5c5bc805a92c475cbb6d0ed689a58abdf2230250a7d3fbd8cfab07835fa85e738a7f74bc3e93616d844b1ec61b79f23dfea62e1815f295d43f61d7b5956103b31ca88afb0b3d37eb42cf77232dbf2258065232971c397dcbcb":120:"dc034564d4be7de243ff059b5f9160":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7be3909170ea7a2ff76f9f28241d8cc48ddeafa8517c6f8c":"":"8dee7e29350c60c5bcfec89da6617d2e":"f6e9e7a7f9716760eb43060d5c80236a0f118b0f750ebd5df01fd2dba95c556ecd2e54a3f337767321abf569c8137a8e48c5b44037ba62951e9f9f709e6e4540a36d769f3945d01a20a2ed1891c415a16d95cab7ddf9bcebf18842c830067509a2a5d49a9684324c433d53824d2f8fd326b149af17f40e5bf5e49185738fba60":120:"942b52277e9dc0a30d737d00f5e597":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7be3909170ea7a2ff76f9f28241d8cc48ddeafa8517c6f8c":"":"8dee7e29350c60c5bcfec89da6617d2e":"f6e9e7a7f9716760eb43060d5c80236a0f118b0f750ebd5df01fd2dba95c556ecd2e54a3f337767321abf569c8137a8e48c5b44037ba62951e9f9f709e6e4540a36d769f3945d01a20a2ed1891c415a16d95cab7ddf9bcebf18842c830067509a2a5d49a9684324c433d53824d2f8fd326b149af17f40e5bf5e49185738fba60":120:"942b52277e9dc0a30d737d00f5e597":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1fe413bafc4753e1511b580c830449bee56e0e5b9acb852c":"":"e30829f64f3eda13bfb2ac572aceb3de":"6c772d08b4d7507e35804572fa697c646c77301954cc5c160941e49e230697ed8c23338b9f30c3ead69b1c1a2329ff025dcd3c0d0a9cc83fee4979448aa71ddb9d569bedc8c497a2a4ac3b60d087d7872f0a110bf90493ae7da03b0953734223156cd2d6c562e4a978a6dd5cdb229dd58dd4d0f50ac015f2f5e89dac4aa29a19":112:"87737873b82586bb29b406946cae":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1fe413bafc4753e1511b580c830449bee56e0e5b9acb852c":"":"e30829f64f3eda13bfb2ac572aceb3de":"6c772d08b4d7507e35804572fa697c646c77301954cc5c160941e49e230697ed8c23338b9f30c3ead69b1c1a2329ff025dcd3c0d0a9cc83fee4979448aa71ddb9d569bedc8c497a2a4ac3b60d087d7872f0a110bf90493ae7da03b0953734223156cd2d6c562e4a978a6dd5cdb229dd58dd4d0f50ac015f2f5e89dac4aa29a19":112:"87737873b82586bb29b406946cae":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b4bc4378d423931f9b320bb57df584c641406c1daa7448ad":"":"eca70e10c0358838a3f4a45c4b016ccd":"68d1c045c1604e3c3dd4f7c7543240aca8dbc5266dc18c5a8071e8b09e3700b7cf819044b2722d8db92021f42a0afb295d7b16ecf4e4704a50a527a2e72d7f53617c358e3b7be3d7fecda612ce6842fcfaa68f2d1b8a59d8b8391779f2fab99f820862c94029f444abe62367c5de0a4becc359660e4a5366f7d482bdc362b866":112:"06f95ca69c222a8985887925b15e":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b4bc4378d423931f9b320bb57df584c641406c1daa7448ad":"":"eca70e10c0358838a3f4a45c4b016ccd":"68d1c045c1604e3c3dd4f7c7543240aca8dbc5266dc18c5a8071e8b09e3700b7cf819044b2722d8db92021f42a0afb295d7b16ecf4e4704a50a527a2e72d7f53617c358e3b7be3d7fecda612ce6842fcfaa68f2d1b8a59d8b8391779f2fab99f820862c94029f444abe62367c5de0a4becc359660e4a5366f7d482bdc362b866":112:"06f95ca69c222a8985887925b15e":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1cd4414ffd24e830e2dc49727efa592e430a6a75391cf111":"":"a08e32ad7d63f975de314ad2c0fa13fc":"20a271f1f4c6bea8f1584ab39a7179ec448650e2ff67a7338d1bc9fab7f73b2ce5222cd07ded947d135d9d0670dc368f0a4b50ece85cbf641877f9fe0ac6a7e6afb32fdb1b3cd35360bb80cfffc34cfb94dbcbee9ca5be98a0ca846394a135860fba57c6f0125dcb9fb8b61be681ada31a997638ee172525c03dd13171534a91":112:"c68842cafc50070799f7c8acd62a":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1cd4414ffd24e830e2dc49727efa592e430a6a75391cf111":"":"a08e32ad7d63f975de314ad2c0fa13fc":"20a271f1f4c6bea8f1584ab39a7179ec448650e2ff67a7338d1bc9fab7f73b2ce5222cd07ded947d135d9d0670dc368f0a4b50ece85cbf641877f9fe0ac6a7e6afb32fdb1b3cd35360bb80cfffc34cfb94dbcbee9ca5be98a0ca846394a135860fba57c6f0125dcb9fb8b61be681ada31a997638ee172525c03dd13171534a91":112:"c68842cafc50070799f7c8acd62a":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9e0ef9ed5e6f00a721a9893e1f0d9079c5aa667a4cdd2a52":"":"5f015fd556e87ff0d0df586fb452306d":"b82986135e49e03f6f8f3ce4048ded2e63ee0c31ddc84929e022ee8561159179b3bb4403ebdafdf6beae51ac5bf4abed4dbc251433417ece3228b260eca5134e5390cba49a0b6fcbbbabb085378374e4e671d9ba265298e9864bfce256884247c36f9bddceb79b6a3e700cb3dd40088ba7bb6ab6aa11b6be261a7e5348f4a7d1":104:"ec9a79a88a164e1a6253d8312e":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9e0ef9ed5e6f00a721a9893e1f0d9079c5aa667a4cdd2a52":"":"5f015fd556e87ff0d0df586fb452306d":"b82986135e49e03f6f8f3ce4048ded2e63ee0c31ddc84929e022ee8561159179b3bb4403ebdafdf6beae51ac5bf4abed4dbc251433417ece3228b260eca5134e5390cba49a0b6fcbbbabb085378374e4e671d9ba265298e9864bfce256884247c36f9bddceb79b6a3e700cb3dd40088ba7bb6ab6aa11b6be261a7e5348f4a7d1":104:"ec9a79a88a164e1a6253d8312e":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9bc8f15d98e089d60d4db00808700053f78b33c31652c3e4":"":"5cc0ff9bb7d5b9b2aa06f6ecf669d5bb":"24ac95a6ed2f78853f9ab20f53de47e7f662f72aea454141e2131aace7ed2daeb395bbccdbf004e23ce04ad85909f30151b6526c1ce7934726f99997bbab27055b379e5e43b80ad546e2d1655d1adad4cbe51282643bb4df086deb1b48c1bd3ac3b53c4a406be2687174028ecf7e7976e5c7a11c9a3827813ade32baef9f15ec":104:"9779b7c3ece6c23d5813e243ec":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9bc8f15d98e089d60d4db00808700053f78b33c31652c3e4":"":"5cc0ff9bb7d5b9b2aa06f6ecf669d5bb":"24ac95a6ed2f78853f9ab20f53de47e7f662f72aea454141e2131aace7ed2daeb395bbccdbf004e23ce04ad85909f30151b6526c1ce7934726f99997bbab27055b379e5e43b80ad546e2d1655d1adad4cbe51282643bb4df086deb1b48c1bd3ac3b53c4a406be2687174028ecf7e7976e5c7a11c9a3827813ade32baef9f15ec":104:"9779b7c3ece6c23d5813e243ec":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"19afc43a4481f796d77561f80b5b2e1514c96c5d1d86e64c":"":"d4c06595fefd4a81bbbd4b40c2e1989d":"98fcca51352998d0126b5539e3fb9a238ac31c05954fc206d381909aee70983b6ab99d3f3efe8530a1c3cfe3b62756321b1d0771a5940055eba1e71fa64f29291aa5e5b0af0fcc8e6f5a02688d9e93417225eded791a35217822ffb346d3fa2809b65abe729448316be30cf661137d3c0e49846cb0df598d90eda545afb64a5e":104:"ca82448429106009094c21d70b":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"19afc43a4481f796d77561f80b5b2e1514c96c5d1d86e64c":"":"d4c06595fefd4a81bbbd4b40c2e1989d":"98fcca51352998d0126b5539e3fb9a238ac31c05954fc206d381909aee70983b6ab99d3f3efe8530a1c3cfe3b62756321b1d0771a5940055eba1e71fa64f29291aa5e5b0af0fcc8e6f5a02688d9e93417225eded791a35217822ffb346d3fa2809b65abe729448316be30cf661137d3c0e49846cb0df598d90eda545afb64a5e":104:"ca82448429106009094c21d70b":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b4fc31dcfef6203fdb296cc928c13b7df56bfe6f32583057":"":"6308a78dc8f3c90442dc52196649c38e":"2567d80c253b080c0158102558551445d8ce4d5ddee2014a2be5cbad62e1717a0fd4d2059447c3151192951eb11a4a7b19a952f6ba261c87f10f4c9032028de3cc5a2a573a4e993a690fc8954daa3ec92743e7343e75b646c4fa9cbc3fceb4f5d59bb439c23754c4d9666fbc16c90c0cac91679b6ad1bfe5dcf6bd1a8a67c6b5":96:"9d1603799e2485a03e7b05a0":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b4fc31dcfef6203fdb296cc928c13b7df56bfe6f32583057":"":"6308a78dc8f3c90442dc52196649c38e":"2567d80c253b080c0158102558551445d8ce4d5ddee2014a2be5cbad62e1717a0fd4d2059447c3151192951eb11a4a7b19a952f6ba261c87f10f4c9032028de3cc5a2a573a4e993a690fc8954daa3ec92743e7343e75b646c4fa9cbc3fceb4f5d59bb439c23754c4d9666fbc16c90c0cac91679b6ad1bfe5dcf6bd1a8a67c6b5":96:"9d1603799e2485a03e7b05a0":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1c2d9412486c381440213e1588b6bb58b0da53300b9d3089":"":"727ed8846daab874d5a9918b47d016f4":"656430f0c1423018b5e2efbb1e32a5385c1a9a1779c4dbd585dea91edc39ea8752ebfc2d8064251a8a5ae71e1845f24a7e42c6371c2ecb31e2229d5f4923bffc21d4804575a84836f3cf90ec6047bb360b558a41a975ece111b5284dfa2441705a6df54fc66ca6cc1af9163ecc46902fac337d5f67f563fde8e8e7e64b8588b7":96:"05ee6ce13711535864674a5b":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1c2d9412486c381440213e1588b6bb58b0da53300b9d3089":"":"727ed8846daab874d5a9918b47d016f4":"656430f0c1423018b5e2efbb1e32a5385c1a9a1779c4dbd585dea91edc39ea8752ebfc2d8064251a8a5ae71e1845f24a7e42c6371c2ecb31e2229d5f4923bffc21d4804575a84836f3cf90ec6047bb360b558a41a975ece111b5284dfa2441705a6df54fc66ca6cc1af9163ecc46902fac337d5f67f563fde8e8e7e64b8588b7":96:"05ee6ce13711535864674a5b":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"abf7a97569427225a4bd5143c716a22e62f84c145bb51511":"":"e255088cdfe8ae5c9fea86d74d2f1b7d":"b850993300f54d078f83ceb9aef7345bbf758f92365b6625c210f61dad4f2a2319f51d883a383a706392d3dfca1706eba585a6fac8bd4294c0bb2cb3f6b454d5c97819e8e5c926754840261b07ec4ef1f87cf281d75c187839689944230306e1903047915e086043990745864819ad713d34a244aa4e9d755fdb137105d7eed8":96:"0c9c17388d0610f99d0a093f":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"abf7a97569427225a4bd5143c716a22e62f84c145bb51511":"":"e255088cdfe8ae5c9fea86d74d2f1b7d":"b850993300f54d078f83ceb9aef7345bbf758f92365b6625c210f61dad4f2a2319f51d883a383a706392d3dfca1706eba585a6fac8bd4294c0bb2cb3f6b454d5c97819e8e5c926754840261b07ec4ef1f87cf281d75c187839689944230306e1903047915e086043990745864819ad713d34a244aa4e9d755fdb137105d7eed8":96:"0c9c17388d0610f99d0a093f":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"45a6df655e88bc880acff41520aafd0cc8aa8aeb8952fd06":"":"1125e1de94970c9e7be70e58e7626ef4":"fe9838a445b8edef19b3e9f33c8c0c265b3a12c97b8ec57ceb94f65ae5227177de38f1e338dccb2b24e5bd0f0eb8127f83eba0f1ddfa55198789df0cdd1d977fcb985ad9c7d51b96e749d2cf3cc7a1ec4dfcbc641a1a022d55def328e081af890a7e699f2dbafdf506389e045aa1219239d5868ba675a3925602b6fb6f6e6d37":64:"1c3bd1e0d4918e36":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"45a6df655e88bc880acff41520aafd0cc8aa8aeb8952fd06":"":"1125e1de94970c9e7be70e58e7626ef4":"fe9838a445b8edef19b3e9f33c8c0c265b3a12c97b8ec57ceb94f65ae5227177de38f1e338dccb2b24e5bd0f0eb8127f83eba0f1ddfa55198789df0cdd1d977fcb985ad9c7d51b96e749d2cf3cc7a1ec4dfcbc641a1a022d55def328e081af890a7e699f2dbafdf506389e045aa1219239d5868ba675a3925602b6fb6f6e6d37":64:"1c3bd1e0d4918e36":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"279f4f2ab4b70778fdb9ca7800cd20e323601d7aa2c75366":"":"0f7b402560735cf03d5da58de5b6c685":"7dd9a8c848bbcf5127161c8a419a436a0dad559f7c1613cdf41594e177016acb1ccf44be852185c42e7120902a42efe83855995ab52cf5c190d499fcfd698c671fd72949dc3ea7ddb874e586a3aa455a021cec7b5f8608462ca66f926aba76e60a5846d4eb204155cd3c1328da51ba35c3007b8bb394f34e3a8b81ddd2ea1115":64:"dab612351f75e2cb":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"279f4f2ab4b70778fdb9ca7800cd20e323601d7aa2c75366":"":"0f7b402560735cf03d5da58de5b6c685":"7dd9a8c848bbcf5127161c8a419a436a0dad559f7c1613cdf41594e177016acb1ccf44be852185c42e7120902a42efe83855995ab52cf5c190d499fcfd698c671fd72949dc3ea7ddb874e586a3aa455a021cec7b5f8608462ca66f926aba76e60a5846d4eb204155cd3c1328da51ba35c3007b8bb394f34e3a8b81ddd2ea1115":64:"dab612351f75e2cb":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6716ab937755684af7403e6fba5452c1b11568a9047bb50f":"":"2fd5a446dd564619ef75b6e00905ffe0":"20d261d3192996c21da69e979c26f5f937e6ea4cb7b05c6ef556ce4d86ca0fe85ec2425d274c43b5212fe9d27bb48b04e887461a9f45f524059b87eaea2e287a8d4537f338b0212012a9d4b6610e8c97dd554e0b3c3133e05c14d0ddab3524c93fd527e223b1996b4cff0a4a7438f1d54890bf573cd803941b69e5fc6212c5d2":64:"f1d743b7e1b73af5":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6716ab937755684af7403e6fba5452c1b11568a9047bb50f":"":"2fd5a446dd564619ef75b6e00905ffe0":"20d261d3192996c21da69e979c26f5f937e6ea4cb7b05c6ef556ce4d86ca0fe85ec2425d274c43b5212fe9d27bb48b04e887461a9f45f524059b87eaea2e287a8d4537f338b0212012a9d4b6610e8c97dd554e0b3c3133e05c14d0ddab3524c93fd527e223b1996b4cff0a4a7438f1d54890bf573cd803941b69e5fc6212c5d2":64:"f1d743b7e1b73af5":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7dc94b5bbd6315ad8d2b67f0c683d10cf456f822a3ebb024":"":"6f3eedeb57dcf12bfb3cd80849893c90":"ee1ff367f4b23c156e3dccff84ae4bf2b8ecec1fb5ffd25ccaa93b6c6834389bd79655bd4bac75238eb0f65d3603ecc57c8774798309e85b6677e78ed2077b712cf28795d0dc8fee994f97373a82338ef67c62378136a79a990ecbcd6367445e805efa98f9168826e57cb8dd7e7b1d5c89ad98358646fa56dd2a71c40e0275a1":32:"4dc74971":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7dc94b5bbd6315ad8d2b67f0c683d10cf456f822a3ebb024":"":"6f3eedeb57dcf12bfb3cd80849893c90":"ee1ff367f4b23c156e3dccff84ae4bf2b8ecec1fb5ffd25ccaa93b6c6834389bd79655bd4bac75238eb0f65d3603ecc57c8774798309e85b6677e78ed2077b712cf28795d0dc8fee994f97373a82338ef67c62378136a79a990ecbcd6367445e805efa98f9168826e57cb8dd7e7b1d5c89ad98358646fa56dd2a71c40e0275a1":32:"4dc74971":"":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3bbe223e253bf272599e28af6861013ecd0c88710947ed41":"":"4fbf09ffaffb600f0de38fb12315cab5":"5388146f6479f7b3b280f45655a95b847ee27c734fb2fd91f6c009b1ab1810c772c7435d3221069f9490d251b76e740147906ac1db1c209c175b21aa10881c44fb307d4d2900aa3b1d56fb0edb9f2a58505653a17fee350e12755b9656bc65c78c1593d5cb7178e29f82209caf53e60fddf725f6957cc9718bf410c4a0229ed4":32:"fb845ab7":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3bbe223e253bf272599e28af6861013ecd0c88710947ed41":"":"4fbf09ffaffb600f0de38fb12315cab5":"5388146f6479f7b3b280f45655a95b847ee27c734fb2fd91f6c009b1ab1810c772c7435d3221069f9490d251b76e740147906ac1db1c209c175b21aa10881c44fb307d4d2900aa3b1d56fb0edb9f2a58505653a17fee350e12755b9656bc65c78c1593d5cb7178e29f82209caf53e60fddf725f6957cc9718bf410c4a0229ed4":32:"fb845ab7":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,0,1024,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"461877813acfe6e9979eab729b52e3d192b3236758bb6563":"":"6985cf77b75a47a3978dd6412d59200b":"385551854a89ab37063ba0ed911501b3d632153c5c2992e154c0a334bc36620476f11495437b842409e0954f7352cbf288d158bdbbaf72621ea2ce75b708bc276f796c5aa7fd0071e522c5f175a9e7787deef79f6362101aa3607b4588f2e1df7127f617c6073593a1c792b959e201e4a7a43ea8b1c3af026376439ef629266c":32:"c840d994":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"461877813acfe6e9979eab729b52e3d192b3236758bb6563":"":"6985cf77b75a47a3978dd6412d59200b":"385551854a89ab37063ba0ed911501b3d632153c5c2992e154c0a334bc36620476f11495437b842409e0954f7352cbf288d158bdbbaf72621ea2ce75b708bc276f796c5aa7fd0071e522c5f175a9e7787deef79f6362101aa3607b4588f2e1df7127f617c6073593a1c792b959e201e4a7a43ea8b1c3af026376439ef629266c":32:"c840d994":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"09770f9114120a2c1c3cc416fe0eb8699e07141158a5bdff":"875e2e5b5c02e0a33e71b678aa29c15ce18ec259cf4b41874893ed3112daa56ff2a7475681b8b3d9028ef184d30658e881c908f3588f69899962074db4ddfc0597f8debb66c8388a1bccf0ffe2cf9f078dc1c93f8191f920754442ad4a325985c62de1a57a25de4e9ed5c2fd0f2c8af33f3b140bac12bf60fdb33e0ec557955b":"cff291d2364fc06a3a89e867b0e67e56":"":128:"81f1eb568d0af29680518df7378ba3e8":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"09770f9114120a2c1c3cc416fe0eb8699e07141158a5bdff":"875e2e5b5c02e0a33e71b678aa29c15ce18ec259cf4b41874893ed3112daa56ff2a7475681b8b3d9028ef184d30658e881c908f3588f69899962074db4ddfc0597f8debb66c8388a1bccf0ffe2cf9f078dc1c93f8191f920754442ad4a325985c62de1a57a25de4e9ed5c2fd0f2c8af33f3b140bac12bf60fdb33e0ec557955b":"cff291d2364fc06a3a89e867b0e67e56":"":128:"81f1eb568d0af29680518df7378ba3e8":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4fbf1c785c087ad06b43d4163cf9b9396deffd3712856379":"96a690e5319c94d94923988025307e543f16fd970aec24524cf9808dc62b093359287251503f4231bf52cd1a16a80bfa82d8f585d96855dc1932f4919a92da2618d6448fc18a234f9acb386ab4ab4a9e38ea341e7c54faceff38c162d74e7fabbca13aadb71e9c8ae6072e7bef4073cf08aa7faaa6d639f98d15bad4ed183ced":"1c8f41424acaf009996ceaa815b24ad4":"":128:"9f3c0349c5a4a740a82d6d63bf00fb17":"6100b091e52366fb422251d9b68974b6c666a62a8bb77a1ffd7c7d1ae586a6ee763b84dc11aace02a25af91d194b70b3265ec46872fded54275b7ddb26ee1f20c857328f46a694fb1dce68bcaecbd587ece5b505d658d57d50333e30b639eea1f6537b37c175f62497c6c84e3cfddae214285d2d68d90dd5cd8ce2273d25c8ca":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4fbf1c785c087ad06b43d4163cf9b9396deffd3712856379":"96a690e5319c94d94923988025307e543f16fd970aec24524cf9808dc62b093359287251503f4231bf52cd1a16a80bfa82d8f585d96855dc1932f4919a92da2618d6448fc18a234f9acb386ab4ab4a9e38ea341e7c54faceff38c162d74e7fabbca13aadb71e9c8ae6072e7bef4073cf08aa7faaa6d639f98d15bad4ed183ced":"1c8f41424acaf009996ceaa815b24ad4":"":128:"9f3c0349c5a4a740a82d6d63bf00fb17":"":"6100b091e52366fb422251d9b68974b6c666a62a8bb77a1ffd7c7d1ae586a6ee763b84dc11aace02a25af91d194b70b3265ec46872fded54275b7ddb26ee1f20c857328f46a694fb1dce68bcaecbd587ece5b505d658d57d50333e30b639eea1f6537b37c175f62497c6c84e3cfddae214285d2d68d90dd5cd8ce2273d25c8ca":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3e0ce4fb4fe4bb2fdf97b23084ff5671b9b899624184acef":"df89974b1534f0ba262bbea5efe39d8b72820cc8a720cc99520fedbf667515c3f6d8c3e25c72c48c1cff042171df58421741aacb2a49f23167257be7d7004d56b14901b2075eaca85946e9fbf1bbf4ae98227efc62bf255a25dd0402d37c67ba553531c699dd89ff797e7a5b5b9a9aa51e73ca2dacfda0f814152aa8ed8c79f9":"a950ab0dd84115e3829ab0ad3bbb1193":"":128:"25cfde73e7a29115828dfe1617f8b53e":"847b54e176ccc83081cb966efc4b4a3bf7809ce0b4885009f620f61fafcaa78feee91a835ae6c1a942571811108b1e81b4c4ddac46aaff599c14988c9a1fb9f387ab7f1357b581568b7b34e167ac2c8c2b2b8a4df3fd7ad8947a363c1c0cb782ec54b1901e928821cf319669dd77eb37b15c67f13ad787ff74312812731ca3e6":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3e0ce4fb4fe4bb2fdf97b23084ff5671b9b899624184acef":"df89974b1534f0ba262bbea5efe39d8b72820cc8a720cc99520fedbf667515c3f6d8c3e25c72c48c1cff042171df58421741aacb2a49f23167257be7d7004d56b14901b2075eaca85946e9fbf1bbf4ae98227efc62bf255a25dd0402d37c67ba553531c699dd89ff797e7a5b5b9a9aa51e73ca2dacfda0f814152aa8ed8c79f9":"a950ab0dd84115e3829ab0ad3bbb1193":"":128:"25cfde73e7a29115828dfe1617f8b53e":"":"847b54e176ccc83081cb966efc4b4a3bf7809ce0b4885009f620f61fafcaa78feee91a835ae6c1a942571811108b1e81b4c4ddac46aaff599c14988c9a1fb9f387ab7f1357b581568b7b34e167ac2c8c2b2b8a4df3fd7ad8947a363c1c0cb782ec54b1901e928821cf319669dd77eb37b15c67f13ad787ff74312812731ca3e6":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6be3c66b20e5e66ababbfba1b38e5a716eafce23a1767b69":"de1cd978354a499415176f260021abe0a8c5bc34d166f53d20e02e413e1377ce4ef5d7f58337c62251a3b4ddea0dea23c40e5de037fd5dd8a558eb53bffa4e8ce94899afa8284afab503c1a485999a154d23777f9d8a031b7ad5c6d23d6abbe3b775c77876ad50f6bed14ac0b2b88fb19c438e4b7eb03f7d4d3fcca90dd01260":"3a2acf69bba19f5d1d1947af2cfda781":"":120:"f826d212f7c1212fb8a8bf23996826":"fd1f7b56e5664cf4c91e58f7c50f6c5e98e42ca2e4adcc00348cee6f662b382ad4022da54a47d8faeb9b76a24dfc4f493c27fc0bc421a4648fad7b14b0df95d8752013feb033b1fd971daa2c9a5df898bece6a3b8fa078dd130071df20a68cd0f394be25dcbb3e85bdfa0df4797fa6f01f5f0da7a6e86320207ddb5b3be53ae0":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6be3c66b20e5e66ababbfba1b38e5a716eafce23a1767b69":"de1cd978354a499415176f260021abe0a8c5bc34d166f53d20e02e413e1377ce4ef5d7f58337c62251a3b4ddea0dea23c40e5de037fd5dd8a558eb53bffa4e8ce94899afa8284afab503c1a485999a154d23777f9d8a031b7ad5c6d23d6abbe3b775c77876ad50f6bed14ac0b2b88fb19c438e4b7eb03f7d4d3fcca90dd01260":"3a2acf69bba19f5d1d1947af2cfda781":"":120:"f826d212f7c1212fb8a8bf23996826":"":"fd1f7b56e5664cf4c91e58f7c50f6c5e98e42ca2e4adcc00348cee6f662b382ad4022da54a47d8faeb9b76a24dfc4f493c27fc0bc421a4648fad7b14b0df95d8752013feb033b1fd971daa2c9a5df898bece6a3b8fa078dd130071df20a68cd0f394be25dcbb3e85bdfa0df4797fa6f01f5f0da7a6e86320207ddb5b3be53ae0":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d16abb9f5b38d7f5abba9dc36995ce6ce928ed822a07b7c4":"e72f29b1fc1dbfc2d93a0f3b79ea4b9806ce9b2c4d490ac5c0c3c793df9dc7df5471e834b84d18afa5a7516f9a6a813a9b65ae2f083a854730547e28a1f60fe97d8dba1d2d433e11847b9bffd8873ec634e64365530c905dd6f274e45c9795ac127a6f356f63cc6c116c5dd8c628e7e17e1fadc58f8452bf21f53c4133198118":"3cd95429c6de1d327b9eb3c45424a87c":"":120:"13521236f190f78e75c0897c5fb237":"cd8bb97c28df092b6783ef653fd26f2bdc27c442bab0a4c7bee2789f389dcd1b280c0231672721bfbbc939a0449557678ec61ba0afb2e5817e6f7d94387f84ecafbfa1216d65e7f5025f47b0d2905cff7c99adf8306a3d9850c5908be05f87cb1d36a4837dba428aac97d7fbc18e3778f8d81a319259504c87fc94bd0766ed93":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d16abb9f5b38d7f5abba9dc36995ce6ce928ed822a07b7c4":"e72f29b1fc1dbfc2d93a0f3b79ea4b9806ce9b2c4d490ac5c0c3c793df9dc7df5471e834b84d18afa5a7516f9a6a813a9b65ae2f083a854730547e28a1f60fe97d8dba1d2d433e11847b9bffd8873ec634e64365530c905dd6f274e45c9795ac127a6f356f63cc6c116c5dd8c628e7e17e1fadc58f8452bf21f53c4133198118":"3cd95429c6de1d327b9eb3c45424a87c":"":120:"13521236f190f78e75c0897c5fb237":"":"cd8bb97c28df092b6783ef653fd26f2bdc27c442bab0a4c7bee2789f389dcd1b280c0231672721bfbbc939a0449557678ec61ba0afb2e5817e6f7d94387f84ecafbfa1216d65e7f5025f47b0d2905cff7c99adf8306a3d9850c5908be05f87cb1d36a4837dba428aac97d7fbc18e3778f8d81a319259504c87fc94bd0766ed93":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0bc344b1a4078807e5f53a6e7e1e36fa83108473ae2fb4c2":"8bd73f94c71e3765bc7d17fdc90a9ba6aff9648b46300e4048985fbbd7c60c39c3766f7c524780bfc2296dc11e1132134921760a373104edc376eab6e91e9a60a5c4a5972935df12eadae074722bdc0147c3caf6a62fd449ef37d76b65f6d210283c94ac524cf13186e444d80a70b01e4373cc0462546f1caee6b49e738a742c":"bd505fcba464e6e2c58fdf29f5695fb9":"":120:"8510fff71bb879f56ea2fe43f6ff50":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0bc344b1a4078807e5f53a6e7e1e36fa83108473ae2fb4c2":"8bd73f94c71e3765bc7d17fdc90a9ba6aff9648b46300e4048985fbbd7c60c39c3766f7c524780bfc2296dc11e1132134921760a373104edc376eab6e91e9a60a5c4a5972935df12eadae074722bdc0147c3caf6a62fd449ef37d76b65f6d210283c94ac524cf13186e444d80a70b01e4373cc0462546f1caee6b49e738a742c":"bd505fcba464e6e2c58fdf29f5695fb9":"":120:"8510fff71bb879f56ea2fe43f6ff50":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c8097398fc21f93eea6a95aa93a3231096817b65520bc549":"80b0abbaebbd537a0810ed75cd172d29d50f5982e4d01f8664ddb2dfda8f57fa0ed87e64a779a1d7f5e568b6acfdc739572a7176752307b430fb1fa1c3c2c346477cebe7d01b16745ca6c8929a7f446c03ad9a9e8a5a935de78ca6c701e8c1c5e6d2550c42949cf5342fb5ef4c6ab9bb02ace8388b16edf72a1237e5d1d0e820":"776248381941e16908f52d19207881f5":"":112:"7fc4388b2f8eab0f0c2d6a08527e":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c8097398fc21f93eea6a95aa93a3231096817b65520bc549":"80b0abbaebbd537a0810ed75cd172d29d50f5982e4d01f8664ddb2dfda8f57fa0ed87e64a779a1d7f5e568b6acfdc739572a7176752307b430fb1fa1c3c2c346477cebe7d01b16745ca6c8929a7f446c03ad9a9e8a5a935de78ca6c701e8c1c5e6d2550c42949cf5342fb5ef4c6ab9bb02ace8388b16edf72a1237e5d1d0e820":"776248381941e16908f52d19207881f5":"":112:"7fc4388b2f8eab0f0c2d6a08527e":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"76d4bb5694faaf344db83bc6d6c47d56bb6ab52700826f2d":"9e31fda6a171f0d4a5f2af2c4f827b1312d9dda5d78fa329b8f1b6373b9b29be358601e5bb0d0c615aef4b9e441c811219f1f2ff2d0ab23e0cd829a88b5b615ee72e5e3ea604fa26cc6438ec4c30e90f7348e9116adf8e8efb7498320d2da16679fa546b1aa9afc7720b074c4e48e06862d41428c9e71a4772c2e195a6f36978":"603977845d82faccb401817ecce6e2fe":"":112:"c955a3bc316841be07e406d289c8":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"76d4bb5694faaf344db83bc6d6c47d56bb6ab52700826f2d":"9e31fda6a171f0d4a5f2af2c4f827b1312d9dda5d78fa329b8f1b6373b9b29be358601e5bb0d0c615aef4b9e441c811219f1f2ff2d0ab23e0cd829a88b5b615ee72e5e3ea604fa26cc6438ec4c30e90f7348e9116adf8e8efb7498320d2da16679fa546b1aa9afc7720b074c4e48e06862d41428c9e71a4772c2e195a6f36978":"603977845d82faccb401817ecce6e2fe":"":112:"c955a3bc316841be07e406d289c8":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a3e5020695587984074d78d9c98b8e1a5719e5f88372740e":"c0bfe3b2dc4dad17ec5a7662d86847fb67e582cc0baf469bc9baa7a075d48a8b97521a1072c2798bfbdae5ca3752eda1cb96fe5cf24af989eb77a2948aae3d8b70d83d93f84c49347f788480f34051621c358c03cf8159a70fc72cb8bc02876234ffe76b181da8b22b8796c87b0904da1af46de519c20d8d1b1dc7cc24e39ba5":"4cd56de54e5140a587be7dfd02d3a39e":"":112:"1a29527a41330259f918d99d7509":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a3e5020695587984074d78d9c98b8e1a5719e5f88372740e":"c0bfe3b2dc4dad17ec5a7662d86847fb67e582cc0baf469bc9baa7a075d48a8b97521a1072c2798bfbdae5ca3752eda1cb96fe5cf24af989eb77a2948aae3d8b70d83d93f84c49347f788480f34051621c358c03cf8159a70fc72cb8bc02876234ffe76b181da8b22b8796c87b0904da1af46de519c20d8d1b1dc7cc24e39ba5":"4cd56de54e5140a587be7dfd02d3a39e":"":112:"1a29527a41330259f918d99d7509":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"afe986ead799727063958e2ce13ca846f76c51605439f839":"7c1b354a5bb214bd95147e32d81e658705089c38035d0ea423eb1a5c82f97443c6903d2cf1ba7a007eec7c8ff98b8f82b073d9636a79bd47c7f2f639a8eb4e92076f9ed615766f43ac3a4f1687301ed7d507766605e0e332880ae740ab72e861a2cb6dce1df1ff8be1873d25845ee7c665e712c5bbe029a1788634bce122836c":"f85a95ed10b69623162ab68d1098de94":"":104:"3cf1cdb4a4fdc48da78a8b4e81":"a7f252ad7983e7083260598051bffd83f40f4d4a8b580cc2388d720a0979dde71549ddcb86b0a62c4964fca591d0982f3a203f2f8884ff4991f17e20f759ea7125ba2bb4d993722f23938994eb2709c850f33ed9889e5a3966f9d7b76add46aedf230e8f417425f9db79ccd46b5660361de7c5d87f71a9d82c491c0c3daaf56c":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"afe986ead799727063958e2ce13ca846f76c51605439f839":"7c1b354a5bb214bd95147e32d81e658705089c38035d0ea423eb1a5c82f97443c6903d2cf1ba7a007eec7c8ff98b8f82b073d9636a79bd47c7f2f639a8eb4e92076f9ed615766f43ac3a4f1687301ed7d507766605e0e332880ae740ab72e861a2cb6dce1df1ff8be1873d25845ee7c665e712c5bbe029a1788634bce122836c":"f85a95ed10b69623162ab68d1098de94":"":104:"3cf1cdb4a4fdc48da78a8b4e81":"":"a7f252ad7983e7083260598051bffd83f40f4d4a8b580cc2388d720a0979dde71549ddcb86b0a62c4964fca591d0982f3a203f2f8884ff4991f17e20f759ea7125ba2bb4d993722f23938994eb2709c850f33ed9889e5a3966f9d7b76add46aedf230e8f417425f9db79ccd46b5660361de7c5d87f71a9d82c491c0c3daaf56c":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2cfaa215841826a977ae6adfdd993346210c49dd04d5d493":"e8eb3b6edd0ca4201b49a6a83036445aba1a1db040f3e74511363bce769760a9914e05a067f555ca15a57c6e02e66fbe4e04dd8c8db8d6d14ebc01cc7d84a20ff0aacb69bb3679d6b7d9d2e07deda7c2d4fe4c584fe1166e78d21dc56b9cdad93709c03b9145b887f87b4f605f24f989d5e0534fc71a58e8a8619ee99f69e5f5":"537a4ee307af3072e745570aaaadce34":"":104:"df01cffbd3978850e07328e6b8":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2cfaa215841826a977ae6adfdd993346210c49dd04d5d493":"e8eb3b6edd0ca4201b49a6a83036445aba1a1db040f3e74511363bce769760a9914e05a067f555ca15a57c6e02e66fbe4e04dd8c8db8d6d14ebc01cc7d84a20ff0aacb69bb3679d6b7d9d2e07deda7c2d4fe4c584fe1166e78d21dc56b9cdad93709c03b9145b887f87b4f605f24f989d5e0534fc71a58e8a8619ee99f69e5f5":"537a4ee307af3072e745570aaaadce34":"":104:"df01cffbd3978850e07328e6b8":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"128ddc83d2170c403a517615056dceec0d19d6fd7632e738":"cfe9f7797ee37bfc4f564419bf2268c964479efa7435970874154432930f3b2736438da4dc9c76200009651340e23044bc9d200a32acfd4df2e1b98b0bae3e9ff9d6e8181d926d2d03f89768edc35b963d341931ac57d2739b270ce254f042b64ceac4b75223b233602c9a4bdc925967b051440c28805d816abe76fc9d593f5a":"5124b410c43d875eca6ce298c45994a7":"":104:"56ad9c1653f11a41fd649cccd8":"cf91f087fd7faf362caacf4a68cff51ec57b3075563e4ad0955df20b366e92bd75c3762cf4a6f0eb859872667a5c55aa5d94f5ac9479b1b9c9345b50f82379d551506a2ab02b0441b14b28b78a12b38500d703a8c19888fe612d4710eec7cd18c16d6a4b55d3c69760e2bed99efc8b551dbe2ac9b9b64715f87180b8e14d1795":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"128ddc83d2170c403a517615056dceec0d19d6fd7632e738":"cfe9f7797ee37bfc4f564419bf2268c964479efa7435970874154432930f3b2736438da4dc9c76200009651340e23044bc9d200a32acfd4df2e1b98b0bae3e9ff9d6e8181d926d2d03f89768edc35b963d341931ac57d2739b270ce254f042b64ceac4b75223b233602c9a4bdc925967b051440c28805d816abe76fc9d593f5a":"5124b410c43d875eca6ce298c45994a7":"":104:"56ad9c1653f11a41fd649cccd8":"":"cf91f087fd7faf362caacf4a68cff51ec57b3075563e4ad0955df20b366e92bd75c3762cf4a6f0eb859872667a5c55aa5d94f5ac9479b1b9c9345b50f82379d551506a2ab02b0441b14b28b78a12b38500d703a8c19888fe612d4710eec7cd18c16d6a4b55d3c69760e2bed99efc8b551dbe2ac9b9b64715f87180b8e14d1795":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"98581c28983c4da321ce0c419cc0d476d539e77da513c894":"bdef5b65b5111b29e781a6b71a0160179c52b5bccb1ac5c0377b26cf3f61432f3ccd67633a836357c24b5099db0510a7f8110f59e8227cacd11f17ea1798b5d4d68902ca6c6eccd319fef14545edd135078b38d43b61c9af269fc72f7a209ba7897e4c6dbd21bb71d7e93d2d2426ffa1557cae28e74059d3baf06ba419a47b39":"ff10234524433b871202c2cca6acb194":"":96:"984943355a7aef15c4fb8033":"808e28bfd441cb8890416a757d252c986daa8d607ac9cadd2f4fd29eddbcf3b859ba298e14a4ccefe2c2752b123f87b98d6708fde48faca4bc7dd818a7ea76cfa4357932e59cb6be0e9283bdfb49454b86b9fd04aa8cdef503c65d13fcff42e9cd8f142f8c06cf7daa6d8ef8b9c9d69c39e8afd980048fecf731fd674b2a814b":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"98581c28983c4da321ce0c419cc0d476d539e77da513c894":"bdef5b65b5111b29e781a6b71a0160179c52b5bccb1ac5c0377b26cf3f61432f3ccd67633a836357c24b5099db0510a7f8110f59e8227cacd11f17ea1798b5d4d68902ca6c6eccd319fef14545edd135078b38d43b61c9af269fc72f7a209ba7897e4c6dbd21bb71d7e93d2d2426ffa1557cae28e74059d3baf06ba419a47b39":"ff10234524433b871202c2cca6acb194":"":96:"984943355a7aef15c4fb8033":"":"808e28bfd441cb8890416a757d252c986daa8d607ac9cadd2f4fd29eddbcf3b859ba298e14a4ccefe2c2752b123f87b98d6708fde48faca4bc7dd818a7ea76cfa4357932e59cb6be0e9283bdfb49454b86b9fd04aa8cdef503c65d13fcff42e9cd8f142f8c06cf7daa6d8ef8b9c9d69c39e8afd980048fecf731fd674b2a814b":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"167b8b6df8014c8f3de912b77f5a0c113580aa42d785298f":"4f787de12ba907a589edf74c8e7a6cdaaabebddd465a86e170e1efc289240298b516fddc43c7fd9bb1c51720a4455db4dd630b59aebaa82bd578eb3cb19f8b23ee6897c1fefaef820430efa6eb7d6ff04de4d8b079605fb520b0d33e96c28f0cd71983c4ce76c0ea62fd7209d21ec7b416881d545824a73d1f9f8d3323fdb90c":"49da91e926091a448d57d521cc90f3c0":"":96:"99198f55f9fa763651bba58e":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"167b8b6df8014c8f3de912b77f5a0c113580aa42d785298f":"4f787de12ba907a589edf74c8e7a6cdaaabebddd465a86e170e1efc289240298b516fddc43c7fd9bb1c51720a4455db4dd630b59aebaa82bd578eb3cb19f8b23ee6897c1fefaef820430efa6eb7d6ff04de4d8b079605fb520b0d33e96c28f0cd71983c4ce76c0ea62fd7209d21ec7b416881d545824a73d1f9f8d3323fdb90c":"49da91e926091a448d57d521cc90f3c0":"":96:"99198f55f9fa763651bba58e":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"71f5f8505fba62f08fa0557dd5407fc83a852c6007ccecc8":"3e19ec02365e450e946123a3362f9859352eb52902a6bcb8a782285dfac9d2b282f56302b60d6e9f53fddd16bbf04976cf4eb84ef3b6583e9dc2f805276a7b7340dec7abde4916fb94b0ed9c9af6d4917b27e44d25f3952d0444cd32a4a574e165a23fa8c93229ceb48345171a4f20d610b5be7d9e40dcf7209128f029fed6bf":"b5efb9feae3de41b5ce9aa75583b8d21":"":96:"9604d031fa43dcd0853e641c":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"71f5f8505fba62f08fa0557dd5407fc83a852c6007ccecc8":"3e19ec02365e450e946123a3362f9859352eb52902a6bcb8a782285dfac9d2b282f56302b60d6e9f53fddd16bbf04976cf4eb84ef3b6583e9dc2f805276a7b7340dec7abde4916fb94b0ed9c9af6d4917b27e44d25f3952d0444cd32a4a574e165a23fa8c93229ceb48345171a4f20d610b5be7d9e40dcf7209128f029fed6bf":"b5efb9feae3de41b5ce9aa75583b8d21":"":96:"9604d031fa43dcd0853e641c":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4cdb38f8185a4186fc983e58a776a6454b92ecf0bffefe98":"1ca72c50a093076e9a9dfa09888b9c89eb36a942072fc536a81713f05a2669b39fdb2871b82ca47dcaf18393ca81dcb499aafcc4ed57ea79f8d4f9bd63540610215b2c65481b294638cec41264a7fdca4230df5fe1e7e3d8d26dcd0c435fec8e9bf778f9e6f13482157a9722761601e08425f6160d3bb626ae39ee1117b0353c":"aef257dd44d14d0bc75f9311ef24e85a":"":64:"d951becb0d55f9fb":"2eaa7e922dbd8963e2078aae216636276f3f7cb5d7f35fa759e91bddb6e247a93c388241ba1d0d37040c0b9e447c67d35b4991c1acce97914f3bc22ee50171bc5922299983ee70af79303265bc1ae1e7334202460618b4a8891d1a7eaaac5cac1e4dce024ce662d14849993f89e771fb873644b552120fd346250df39aaaa403":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4cdb38f8185a4186fc983e58a776a6454b92ecf0bffefe98":"1ca72c50a093076e9a9dfa09888b9c89eb36a942072fc536a81713f05a2669b39fdb2871b82ca47dcaf18393ca81dcb499aafcc4ed57ea79f8d4f9bd63540610215b2c65481b294638cec41264a7fdca4230df5fe1e7e3d8d26dcd0c435fec8e9bf778f9e6f13482157a9722761601e08425f6160d3bb626ae39ee1117b0353c":"aef257dd44d14d0bc75f9311ef24e85a":"":64:"d951becb0d55f9fb":"":"2eaa7e922dbd8963e2078aae216636276f3f7cb5d7f35fa759e91bddb6e247a93c388241ba1d0d37040c0b9e447c67d35b4991c1acce97914f3bc22ee50171bc5922299983ee70af79303265bc1ae1e7334202460618b4a8891d1a7eaaac5cac1e4dce024ce662d14849993f89e771fb873644b552120fd346250df39aaaa403":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ee8d3aced3aa3cb2166aa66c4a252c12dc0978830d0bc75b":"ee69b2421d43a9f383d99f9802ba4d6cf1c537b42041c86cce681049bb475e5098d4181f1902b0a49c202bf34ef70ea7b787fa685ab8f824fcc27282146d8158925bfef47ccba89aa81c0565eacb087b46b8706c9f886b7edf863701003051d6fb57e45e61d33412591ec818d016eec7dee4254636615a43dacb4f1e6ec35702":"c15c9c0b0b70c7321df044bfde2b15fb":"":64:"c5c9851a6bf686d0":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ee8d3aced3aa3cb2166aa66c4a252c12dc0978830d0bc75b":"ee69b2421d43a9f383d99f9802ba4d6cf1c537b42041c86cce681049bb475e5098d4181f1902b0a49c202bf34ef70ea7b787fa685ab8f824fcc27282146d8158925bfef47ccba89aa81c0565eacb087b46b8706c9f886b7edf863701003051d6fb57e45e61d33412591ec818d016eec7dee4254636615a43dacb4f1e6ec35702":"c15c9c0b0b70c7321df044bfde2b15fb":"":64:"c5c9851a6bf686d0":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4a8538d609444e3197ab740cd33b66db1cf53600096b94e0":"8c2b8fb775d1b21c41a3dcf48ad6d68ab05be3879f9b94b305a6ce4d799e3a992c1c3a65a3e4eab563edb57424927c90c76e49386e29dd5e7de2800fcc0eefbc8b4f977f71be3754c006ee93dc09b1cfa59c424b6b3987aeb56feefc21004c63e8284b6845e395bc8843cca0917267fb4a8f2db1f7daafe7a9da95083a44de70":"0bd64d222532dae8ab63dc299355bf2a":"":64:"3477cad1fd4098b2":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4a8538d609444e3197ab740cd33b66db1cf53600096b94e0":"8c2b8fb775d1b21c41a3dcf48ad6d68ab05be3879f9b94b305a6ce4d799e3a992c1c3a65a3e4eab563edb57424927c90c76e49386e29dd5e7de2800fcc0eefbc8b4f977f71be3754c006ee93dc09b1cfa59c424b6b3987aeb56feefc21004c63e8284b6845e395bc8843cca0917267fb4a8f2db1f7daafe7a9da95083a44de70":"0bd64d222532dae8ab63dc299355bf2a":"":64:"3477cad1fd4098b2":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"447f0f065771b6129952e52206a64fe0844658ed685e39cd":"fea5d227869e527882c63a68a6623f4a699df82b3dc715c7260a5554336df8376744c05ae89ec27d40da02d9f1c5e9e29405579fd4132143cb21cdbe3edfaaab62128ecc28018725c8dd309d2376223d2e2edfea9765699b2630ff5d9fe9bec416c0ca6418b938d195d31a08e4034c49d79e3a249edd65f985230b33c444dd02":"37e3a300542d9caf3975c6429cb8a2e8":"":32:"06bfca29":"e1bdd1c212b159b87e41a5f64dcba6b27aa0f5c8871fabfb588df0e06bd7730ec1beb0e3388f96c992a573ff69b34870f83c53fb65b420c1c6f92e2aa6f03917e8203d77c7f5ee08baf9fab12f9d38fc0ffb83807ba781c3dd7b62edca2121f68ef230b42b8adbd4cea072209d02713789ed559b83739a54cfde69e68bdc4128":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"447f0f065771b6129952e52206a64fe0844658ed685e39cd":"fea5d227869e527882c63a68a6623f4a699df82b3dc715c7260a5554336df8376744c05ae89ec27d40da02d9f1c5e9e29405579fd4132143cb21cdbe3edfaaab62128ecc28018725c8dd309d2376223d2e2edfea9765699b2630ff5d9fe9bec416c0ca6418b938d195d31a08e4034c49d79e3a249edd65f985230b33c444dd02":"37e3a300542d9caf3975c6429cb8a2e8":"":32:"06bfca29":"":"e1bdd1c212b159b87e41a5f64dcba6b27aa0f5c8871fabfb588df0e06bd7730ec1beb0e3388f96c992a573ff69b34870f83c53fb65b420c1c6f92e2aa6f03917e8203d77c7f5ee08baf9fab12f9d38fc0ffb83807ba781c3dd7b62edca2121f68ef230b42b8adbd4cea072209d02713789ed559b83739a54cfde69e68bdc4128":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f465e95f6fc19fe6968b98319b547104d0c01c17105f8fc0":"2426f108368a00d2a49670a3b64b4f0569c6da9660163e7b209ec3f8d058ee11f7818a8c5030c5f4ce6e1e5a93faa3e5ae3d0bd5d712fbc891cfeb20845707edcf5e29719a5246a3b024fb12d37bd1b81df3812fd50b1dfb3e948ce546dd165cc77f903c07fe32bc7da7fbc25036679017317ce94cd8a00c1bce7379774f1714":"6cba4efc8d4840aa044a92d03d6b4d69":"":32:"92750ac9":"2e59b104c1a6f6d651000396adbfa009bf4cf8cbf714da8e4d3b4a62bd7f522d614decf090c7552a4b9e8d7ee457ba642d5100c0c81c14cbba8c8ff49b12827f6ebd41504ccb6dfc97cdf8532d1f7f7e603c609efa72d2ae0dce036ec4ab36849a0c06f8737d9710075a1daaed3867ca0a7e22111c0e7afae91f553b6fd66c6e":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f465e95f6fc19fe6968b98319b547104d0c01c17105f8fc0":"2426f108368a00d2a49670a3b64b4f0569c6da9660163e7b209ec3f8d058ee11f7818a8c5030c5f4ce6e1e5a93faa3e5ae3d0bd5d712fbc891cfeb20845707edcf5e29719a5246a3b024fb12d37bd1b81df3812fd50b1dfb3e948ce546dd165cc77f903c07fe32bc7da7fbc25036679017317ce94cd8a00c1bce7379774f1714":"6cba4efc8d4840aa044a92d03d6b4d69":"":32:"92750ac9":"":"2e59b104c1a6f6d651000396adbfa009bf4cf8cbf714da8e4d3b4a62bd7f522d614decf090c7552a4b9e8d7ee457ba642d5100c0c81c14cbba8c8ff49b12827f6ebd41504ccb6dfc97cdf8532d1f7f7e603c609efa72d2ae0dce036ec4ab36849a0c06f8737d9710075a1daaed3867ca0a7e22111c0e7afae91f553b6fd66c6e":0
 
 AES-GCM NIST Validation (AES-192,128,1024,0,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f08e3e9f7b3a20ccdc4d98b56f2b567399a28a6b3908deab":"a986e816f1eafb532c716a555cca1839a1b0523410134ea0426ab309520b339fc1fdeb40478ae76823cee4e03b8d3450e6be92d5ff17b2f78400f0176e6d6a3930bd076a7a3c87c3397dcc0520c6b7b4ff9059ea21e71c91912a74aac2ca70eec422b507cc5c60860bb8baca01eec2a3003970ba84011efe576804b2820e306c":"4f4636d1b283bfa72c82809eb4f12519":"":32:"16c80a62":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f08e3e9f7b3a20ccdc4d98b56f2b567399a28a6b3908deab":"a986e816f1eafb532c716a555cca1839a1b0523410134ea0426ab309520b339fc1fdeb40478ae76823cee4e03b8d3450e6be92d5ff17b2f78400f0176e6d6a3930bd076a7a3c87c3397dcc0520c6b7b4ff9059ea21e71c91912a74aac2ca70eec422b507cc5c60860bb8baca01eec2a3003970ba84011efe576804b2820e306c":"4f4636d1b283bfa72c82809eb4f12519":"":32:"16c80a62":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"87b5372571fb244648053c99405999130f87a7c178052297":"ae078d1554fc6a14447a28c3dd753e790f7ef9b53e35c3e0fe63a7b1b326bc56034847f8a31c2d6358049aae990bfe7575b439db370aa515e225e0ec730488c700a7b0a96a7b8e4e8e4c6afec20decd16fe3c0f3f8d7a6cf7a8711d170829d14c706cceb00e133b8c65c8e08cd984b884662eddd2258ce629abf6b9dd28688c9":"a1cc81b87bd36affe3af50546e361c9e":"684ce23f59632308d7db14f7f6eddaf4d83271fb0c27401b09518a775b36252540f14305f0dae13ff6c0dc565c9e570759e070c8ac73dfb97abd3285689a7cdcfc941f6271be3b418740b42ba4a114421065a785be3dfa944c86af56da8209779e8736e62529c418b507c6d8ae002cbc0431747722afd64521734f99273de455":128:"98177b3428e64bc98631375905c0100f":"8be7df33a86b1162464af738de582a357d0ce8e213bba1b7913c0d13ad759d62c3bf4366f5130b3af2b255b7ad530b4977627f9e76b07e360c079d0f763dabbd22e976b98cd5495c6182f95bc963aad4b719446f49d3a448d11cac5bfcba4b675b8e4d88a389e2580e8f383f95bf85c72e698680d2a2bc993c9ee1ce0d1f1ac3":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"87b5372571fb244648053c99405999130f87a7c178052297":"ae078d1554fc6a14447a28c3dd753e790f7ef9b53e35c3e0fe63a7b1b326bc56034847f8a31c2d6358049aae990bfe7575b439db370aa515e225e0ec730488c700a7b0a96a7b8e4e8e4c6afec20decd16fe3c0f3f8d7a6cf7a8711d170829d14c706cceb00e133b8c65c8e08cd984b884662eddd2258ce629abf6b9dd28688c9":"a1cc81b87bd36affe3af50546e361c9e":"684ce23f59632308d7db14f7f6eddaf4d83271fb0c27401b09518a775b36252540f14305f0dae13ff6c0dc565c9e570759e070c8ac73dfb97abd3285689a7cdcfc941f6271be3b418740b42ba4a114421065a785be3dfa944c86af56da8209779e8736e62529c418b507c6d8ae002cbc0431747722afd64521734f99273de455":128:"98177b3428e64bc98631375905c0100f":"":"8be7df33a86b1162464af738de582a357d0ce8e213bba1b7913c0d13ad759d62c3bf4366f5130b3af2b255b7ad530b4977627f9e76b07e360c079d0f763dabbd22e976b98cd5495c6182f95bc963aad4b719446f49d3a448d11cac5bfcba4b675b8e4d88a389e2580e8f383f95bf85c72e698680d2a2bc993c9ee1ce0d1f1ac3":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a2d069b826455d5e79e65db4f1d2b6a29ae9f401bc623917":"acd6225dc5b9109d56ea565ab38dd4db432a7ec08f0db04f1c6b691c96d2eaaa6be62da7cc7fd75f931716c7f39705ea7cf828f1a5a325955e9b2c77e7fb2d562be6a89b3351b1b3d1355b43b73ed425049430314c16bf0836ed580e9390a3b8e2a652fddbfa939ca4c3c99765b09db7f30bf2ef88e1aa030e68958722cb0da3":"6d40a0c7813bc0410ff73f19bb5d89c9":"9960376b1898618d98c327c1761959d045488cc6198238bbe72662f276d47b41e8aebc06dbce63da5adcb302a61ade140c72b9cf9f6dfad6ecedd7401c9509fae349d3c7debe35117776227ba167f2b75921d7321d79f4ebca13d20af1638a1567043365f179f4162795fe4fd80b5d832e4ca70e7bf9830bc272b82182f70d2e":128:"010195091d4e1684029e58439039d91e":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a2d069b826455d5e79e65db4f1d2b6a29ae9f401bc623917":"acd6225dc5b9109d56ea565ab38dd4db432a7ec08f0db04f1c6b691c96d2eaaa6be62da7cc7fd75f931716c7f39705ea7cf828f1a5a325955e9b2c77e7fb2d562be6a89b3351b1b3d1355b43b73ed425049430314c16bf0836ed580e9390a3b8e2a652fddbfa939ca4c3c99765b09db7f30bf2ef88e1aa030e68958722cb0da3":"6d40a0c7813bc0410ff73f19bb5d89c9":"9960376b1898618d98c327c1761959d045488cc6198238bbe72662f276d47b41e8aebc06dbce63da5adcb302a61ade140c72b9cf9f6dfad6ecedd7401c9509fae349d3c7debe35117776227ba167f2b75921d7321d79f4ebca13d20af1638a1567043365f179f4162795fe4fd80b5d832e4ca70e7bf9830bc272b82182f70d2e":128:"010195091d4e1684029e58439039d91e":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f3252351fe8e7c628c418c1a49709bf1f8e20add82539948":"7e8d2816d280c91d232bad43b6610e2d0532a9f670f221a3a975fb16472c2e83b168115e87a487bcd14b37f075e1faa59c42515c353cdefc728ac617b7d273fa96778e3fb5f7a1132f8e2add4a57015b15d1984338b7862356243d1c5aa628406f4a507498eda12d2f652c55e8e58113ed828783b82505790654f036b610f89a":"eacd2b1c3cf01bf4ea7582d8ee2675d5":"141cb39a2fb8e735e0c97207f1b618a4b98f6b9bf8c44a1c8e9ea575a7759cc2a02301274553e7744408b2c577b4c8c2a00e18f8717fd8a6d2f46a44eeb05d685fbef7edeb4229e7ea9b8e419ffcb504d33583b3ae421c84caeca9f9789047dd7b1810318d3765307233567bc40e003401c9f4e1b07a2a7162889e1a092aedc1":128:"63a310b4f43b421a863fb00fafd7eac4":"699c146927ae29025e5b20088b20af27bc75449e4725ee6b7d5dc60b44ba8a06f7d265330c16060fbd6def244630d056c82676be2dc85d891c63d005804085c93ce88f3f57c2d2c0371c31027d0a4a0031e3f473cb373db63d4ff8f65be9ebe74045de813a4e6c688110d000f6b12406881c08085c9348e1f0315038907e33f7":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f3252351fe8e7c628c418c1a49709bf1f8e20add82539948":"7e8d2816d280c91d232bad43b6610e2d0532a9f670f221a3a975fb16472c2e83b168115e87a487bcd14b37f075e1faa59c42515c353cdefc728ac617b7d273fa96778e3fb5f7a1132f8e2add4a57015b15d1984338b7862356243d1c5aa628406f4a507498eda12d2f652c55e8e58113ed828783b82505790654f036b610f89a":"eacd2b1c3cf01bf4ea7582d8ee2675d5":"141cb39a2fb8e735e0c97207f1b618a4b98f6b9bf8c44a1c8e9ea575a7759cc2a02301274553e7744408b2c577b4c8c2a00e18f8717fd8a6d2f46a44eeb05d685fbef7edeb4229e7ea9b8e419ffcb504d33583b3ae421c84caeca9f9789047dd7b1810318d3765307233567bc40e003401c9f4e1b07a2a7162889e1a092aedc1":128:"63a310b4f43b421a863fb00fafd7eac4":"":"699c146927ae29025e5b20088b20af27bc75449e4725ee6b7d5dc60b44ba8a06f7d265330c16060fbd6def244630d056c82676be2dc85d891c63d005804085c93ce88f3f57c2d2c0371c31027d0a4a0031e3f473cb373db63d4ff8f65be9ebe74045de813a4e6c688110d000f6b12406881c08085c9348e1f0315038907e33f7":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e462957f2c500bf2d6bfa9af97938fdd8930e360ea4175e7":"82a7a6dd82a5ea3d9a8e9541d854978487eda298b483df02b45c76b8b38bac98ffd969dd160a2765595b19d4ea3e64351ce95764a903f595dd673d13facf5a5594e01be1d60a0c6d28b866a1f93a63a74fecb6d73ac6fb26b20c008b93db53e9dc1d3e3902359fd47734fe22a5c6958f97e9001cc4e8b6484d9542dbbdfcfcdc":"b380584a3f4e0e59add4753c282f2cf7":"682b0af6592eef173e559407e7f56574c069251b92092570cbb7f5a2f05e88bed0af48dcda45b2930b1ee7d5da78dc43ec3598a38593df7c548058eda3c9275c1304489aff95f33a6cd79e724e8d12ca0ae92b20273eb3736efcd50dc49e803ad631dcbf64376a45a687eb4e417aef08a3f5f8230d3f0b266ea732c21ed2eed7":120:"28a43253d8b37795433140641e9ffd":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e462957f2c500bf2d6bfa9af97938fdd8930e360ea4175e7":"82a7a6dd82a5ea3d9a8e9541d854978487eda298b483df02b45c76b8b38bac98ffd969dd160a2765595b19d4ea3e64351ce95764a903f595dd673d13facf5a5594e01be1d60a0c6d28b866a1f93a63a74fecb6d73ac6fb26b20c008b93db53e9dc1d3e3902359fd47734fe22a5c6958f97e9001cc4e8b6484d9542dbbdfcfcdc":"b380584a3f4e0e59add4753c282f2cf7":"682b0af6592eef173e559407e7f56574c069251b92092570cbb7f5a2f05e88bed0af48dcda45b2930b1ee7d5da78dc43ec3598a38593df7c548058eda3c9275c1304489aff95f33a6cd79e724e8d12ca0ae92b20273eb3736efcd50dc49e803ad631dcbf64376a45a687eb4e417aef08a3f5f8230d3f0b266ea732c21ed2eed7":120:"28a43253d8b37795433140641e9ffd":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4a62ddd87f41c6df756e8da0985dcd8c91e73ba395b3d79b":"37a83ee6dbdece212446739ea353cb957b9aa409c88bee042bbc3a6e5199aeb28f2b4b00ff433c0c68d6db5a197566019db8a4c7a792e2839a19a302ee02bee046adce04c1fbbd5b0c457d7cbe277992ce2c153d132269e2d1f12b084cf3026a202b4664bc9d11832e9b99c7cc5035dcfde5991dd41aeb4fbf8bec5126a9f524":"1d1843e2118772d76a0244a2c33c60bd":"028b92727b75b14cb8dfeb7a86a7fec50cd5de46aa4a34645754918b8606819d4bf8a2e7531a05ae5505492ca6cbc8c0e6d6ab2dea23bff1fdf581bb780b4a3312aa39639383fd10bcf92489801954733f16b021c2e84809345216f8f28a99773341e40c4a64305a2098eaa39f26a93bd556c97f02090e1a6c181a4e13e17d3a":120:"ab738073228bdf1e8fd4430b5c7d79":"e702f1bb9a1f395c74fca0ce9cdf29e7332c14acaca45200cd432a5767be38929ef8de43d0e1a5e7300c1eb669ac1ab997b31cb1403af8451e77e63505920af0f8c3abf5a9450ea47371039ba1cf2d65a14fa5f013b7ce1d175859404dcf6461a36e8bc260e7abf739d8951ddf1a3754e2d65e0aa31320a5ffca822023bc0906":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4a62ddd87f41c6df756e8da0985dcd8c91e73ba395b3d79b":"37a83ee6dbdece212446739ea353cb957b9aa409c88bee042bbc3a6e5199aeb28f2b4b00ff433c0c68d6db5a197566019db8a4c7a792e2839a19a302ee02bee046adce04c1fbbd5b0c457d7cbe277992ce2c153d132269e2d1f12b084cf3026a202b4664bc9d11832e9b99c7cc5035dcfde5991dd41aeb4fbf8bec5126a9f524":"1d1843e2118772d76a0244a2c33c60bd":"028b92727b75b14cb8dfeb7a86a7fec50cd5de46aa4a34645754918b8606819d4bf8a2e7531a05ae5505492ca6cbc8c0e6d6ab2dea23bff1fdf581bb780b4a3312aa39639383fd10bcf92489801954733f16b021c2e84809345216f8f28a99773341e40c4a64305a2098eaa39f26a93bd556c97f02090e1a6c181a4e13e17d3a":120:"ab738073228bdf1e8fd4430b5c7d79":"":"e702f1bb9a1f395c74fca0ce9cdf29e7332c14acaca45200cd432a5767be38929ef8de43d0e1a5e7300c1eb669ac1ab997b31cb1403af8451e77e63505920af0f8c3abf5a9450ea47371039ba1cf2d65a14fa5f013b7ce1d175859404dcf6461a36e8bc260e7abf739d8951ddf1a3754e2d65e0aa31320a5ffca822023bc0906":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fc46976d38a581a7042a94ea4b5bfe3587ddc65d1162d71e":"4b9e858fc8f01903e426112192d4ae4686b1ae4d683b75afb2b8c63590275943d0d6d6a23b6d35796a2f101203acba107474ca6f4ff6dd87d6b77785ad1d160ef2755d84092dc70c86db5e639b689943b15efa646aff44b3f51f5d3f4cf6c8f7fc5adfe7bf2d72f75b93b8ee94ef3fa69ea0fc0bb77b3983901fdcd30bcd36f5":"b5e92563dd0339df00b7ffa2239d21bc":"7b6f6e104acbcd7188161477d8e425ff99add22df4d22de7f28d0a0075ca4ef848f68d07ed22d3165c08e40890ce04d1bd05b1a6ccb2fec8193d5f7dffc93d97a0c036b3748f708b011b68247a0249b9e1a60b652164e5c2fd7210377de804ac010c8aa08a11f40af97e8370a59f936cd14c22ea7a236d904145adc04a241fc0":120:"d4356cb417953b01f7b1110c8aa3eb":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fc46976d38a581a7042a94ea4b5bfe3587ddc65d1162d71e":"4b9e858fc8f01903e426112192d4ae4686b1ae4d683b75afb2b8c63590275943d0d6d6a23b6d35796a2f101203acba107474ca6f4ff6dd87d6b77785ad1d160ef2755d84092dc70c86db5e639b689943b15efa646aff44b3f51f5d3f4cf6c8f7fc5adfe7bf2d72f75b93b8ee94ef3fa69ea0fc0bb77b3983901fdcd30bcd36f5":"b5e92563dd0339df00b7ffa2239d21bc":"7b6f6e104acbcd7188161477d8e425ff99add22df4d22de7f28d0a0075ca4ef848f68d07ed22d3165c08e40890ce04d1bd05b1a6ccb2fec8193d5f7dffc93d97a0c036b3748f708b011b68247a0249b9e1a60b652164e5c2fd7210377de804ac010c8aa08a11f40af97e8370a59f936cd14c22ea7a236d904145adc04a241fc0":120:"d4356cb417953b01f7b1110c8aa3eb":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"403e49feadd4db763652ed5c4b1e12680cfe0abc30f4696d":"221c61d769febce3913bfead9a201a805f11005ddcac185cbae00ce749de9c4362889b1b0d9546e91598e0ddedb88b673a90acca65d7e71a85636be052f361839a646dc8b834c02f3e2261d370e6bac9636b7536225b5ea77881200c8a3450d21bfd1e11afb3a470e178ecfe944a25a7cd0254e04a42b67723aac8afffd56fee":"1a60258a56e15f92814b4d372255a80d":"a4ffa9e3c612103224c86515dad4343cbca7a7daf277f5828670834f4d9af67b9a935c71b2130dfbc929c4409bffb7974ffa87523b58890770439c33342880b33319c626bf776c1c0aeb9c2a348a7681572f4ff711d94c192f3450e8b1275f9d02c742a2c9f1da316e9918bf787f22699172986cb9b10fc56d5f6b8392ff92b8":112:"62646fc8bfe38b3ba6d62f9011e3":"5c76c90dea7d659804ad873960906259fbdda3614277ec575d9eec730e747a2e7b9df6716b4c38d3451e319eeecee74d1f4918266fc9239de87080f1ad437b47c6904ed2d5514161ad25e3e237655e00e53fe18d452576580e89b2f1f0f6aa7e40a337fd8c48d690fe013a67264a80e9b5dfd009a9152d559aa02a68f401a09b":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"403e49feadd4db763652ed5c4b1e12680cfe0abc30f4696d":"221c61d769febce3913bfead9a201a805f11005ddcac185cbae00ce749de9c4362889b1b0d9546e91598e0ddedb88b673a90acca65d7e71a85636be052f361839a646dc8b834c02f3e2261d370e6bac9636b7536225b5ea77881200c8a3450d21bfd1e11afb3a470e178ecfe944a25a7cd0254e04a42b67723aac8afffd56fee":"1a60258a56e15f92814b4d372255a80d":"a4ffa9e3c612103224c86515dad4343cbca7a7daf277f5828670834f4d9af67b9a935c71b2130dfbc929c4409bffb7974ffa87523b58890770439c33342880b33319c626bf776c1c0aeb9c2a348a7681572f4ff711d94c192f3450e8b1275f9d02c742a2c9f1da316e9918bf787f22699172986cb9b10fc56d5f6b8392ff92b8":112:"62646fc8bfe38b3ba6d62f9011e3":"":"5c76c90dea7d659804ad873960906259fbdda3614277ec575d9eec730e747a2e7b9df6716b4c38d3451e319eeecee74d1f4918266fc9239de87080f1ad437b47c6904ed2d5514161ad25e3e237655e00e53fe18d452576580e89b2f1f0f6aa7e40a337fd8c48d690fe013a67264a80e9b5dfd009a9152d559aa02a68f401a09b":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c3471259512d1f03ce44c1ddac186e9a56c1434a6ac567c6":"dd5b98b3b3cf03fb92be579068a885afd984630692eb5f155fa6b49f2b1690b803d34b90e8de3cc39c2e61650ffffb51e7ef36d35ad17dc4d91f336363b0734996b162b509c9954cab3dd959bde7e437e9100d84c44104c61e29dbe12492a0272ce6eea2906d390de7808d337e8c650b3301af04a9ed52ab9ea208f3c7439d6c":"50164c63d466148ab371376d5c2b6b72":"11d1f523888bea1fbc680d34bc9b66957d651efa59e788db3d3f6f50e72184b9d14e9ff9bc05fb687520cf423d681812e007025eedf0e78e7e8191e6b62404e8eb400cf837d762a31aa248553367263d6de091fcf7abedc3e69fc118b7efb0594c89b96c387b7c28ed9a7b75db60b6b5133949b891ff81eca5790a265f12a58c":112:"6c5f38232e8a43871ab72a3419ad":"50438ee712720abf2089331e4c058b30c30c3d17834c507c0010ac3f974a256d01b14a45e9ce5193c5cede41330cf31e1a07a1f5e3ceca515cc971bfda0fbe0b823450efc30563e8ed941b0350f146ec75cd31a2c7e1e469c2dd860c0fd5b286219018d4fbacda164a40d2980aa3a27aa95f8b8e2cd8e2f5f20d79a22c3ff028":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c3471259512d1f03ce44c1ddac186e9a56c1434a6ac567c6":"dd5b98b3b3cf03fb92be579068a885afd984630692eb5f155fa6b49f2b1690b803d34b90e8de3cc39c2e61650ffffb51e7ef36d35ad17dc4d91f336363b0734996b162b509c9954cab3dd959bde7e437e9100d84c44104c61e29dbe12492a0272ce6eea2906d390de7808d337e8c650b3301af04a9ed52ab9ea208f3c7439d6c":"50164c63d466148ab371376d5c2b6b72":"11d1f523888bea1fbc680d34bc9b66957d651efa59e788db3d3f6f50e72184b9d14e9ff9bc05fb687520cf423d681812e007025eedf0e78e7e8191e6b62404e8eb400cf837d762a31aa248553367263d6de091fcf7abedc3e69fc118b7efb0594c89b96c387b7c28ed9a7b75db60b6b5133949b891ff81eca5790a265f12a58c":112:"6c5f38232e8a43871ab72a3419ad":"":"50438ee712720abf2089331e4c058b30c30c3d17834c507c0010ac3f974a256d01b14a45e9ce5193c5cede41330cf31e1a07a1f5e3ceca515cc971bfda0fbe0b823450efc30563e8ed941b0350f146ec75cd31a2c7e1e469c2dd860c0fd5b286219018d4fbacda164a40d2980aa3a27aa95f8b8e2cd8e2f5f20d79a22c3ff028":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ec326a1e0fe6a99421398df4fc7d8fea67b67e5f5fcd50ad":"6d5016c434a0f4b4a5d9e0b6b8e2d848a94f132f055d2d847e54601a4c9cfc5966a654d696f8a3529a48a90b491ea0d31c08eae8ef364f71f8ec7ae7f7e39bb9c331137b2578362ff165628099944ba8deb0d99ac660d5ed2215b9a7626ff1fa6173cd8dd676c988d16c9cf750a0d793f584c3c8f5fd5d167bc278f4d77a629c":"c94aa4baa840a044dbd5942787a0c951":"f8401c578f20d9c250ea86eb945184e007a0190462c7abddf238ce1ceddcc230756aa222386d8ba66ebbba13de008ced140896ac55bc47c231cc81370ca9feadc225e017d59890e6291cc4cca27db3078c0cd6cbb51afb62210226a76837c5454728cb5ce3afe7352e7fe75421f94986e6b7b26321bbca15c75ac7c13dc15f50":112:"3269922affb9d767f5abe041cc8e":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ec326a1e0fe6a99421398df4fc7d8fea67b67e5f5fcd50ad":"6d5016c434a0f4b4a5d9e0b6b8e2d848a94f132f055d2d847e54601a4c9cfc5966a654d696f8a3529a48a90b491ea0d31c08eae8ef364f71f8ec7ae7f7e39bb9c331137b2578362ff165628099944ba8deb0d99ac660d5ed2215b9a7626ff1fa6173cd8dd676c988d16c9cf750a0d793f584c3c8f5fd5d167bc278f4d77a629c":"c94aa4baa840a044dbd5942787a0c951":"f8401c578f20d9c250ea86eb945184e007a0190462c7abddf238ce1ceddcc230756aa222386d8ba66ebbba13de008ced140896ac55bc47c231cc81370ca9feadc225e017d59890e6291cc4cca27db3078c0cd6cbb51afb62210226a76837c5454728cb5ce3afe7352e7fe75421f94986e6b7b26321bbca15c75ac7c13dc15f50":112:"3269922affb9d767f5abe041cc8e":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a7ef81652f604e88a72416924c53979dc73cadd3575eda1c":"9ecd19a8eba9fba843486e1bbfb8d9053c5e04b24e30174d4aa89d8307439d653f8630edddafd51719c744bcb4bce3e444847567bd2cdde2995870d0634cc0ba2bde4b6bc2bc583062fb83874a1c25b50aeb945bd109a151772c077438c4d1caaeb5b0c56390ac23c6d117f3a00fd616306fc2ffc4c1e76f934b30fbbc52eec2":"0cc9ae54c9a85f3e9325c5f3658ab3b2":"d0195b744351aa25a57a99df9573dfa3cebe9850139149b64f7e4af37756a430dda8af98e4ed480e913aa82821c01c1f75b187e105a8f39621757d522c083a8d81d7d8bfe6cf15c439d0692b6affd655a11bcd2457046fae996a1075c66029867b88cd23c503ae04037dd41f27bafd5000d1f516002f9fcc0f2500e8c1b27de0":104:"22c2efeddfd5d9cb528861c4eb":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a7ef81652f604e88a72416924c53979dc73cadd3575eda1c":"9ecd19a8eba9fba843486e1bbfb8d9053c5e04b24e30174d4aa89d8307439d653f8630edddafd51719c744bcb4bce3e444847567bd2cdde2995870d0634cc0ba2bde4b6bc2bc583062fb83874a1c25b50aeb945bd109a151772c077438c4d1caaeb5b0c56390ac23c6d117f3a00fd616306fc2ffc4c1e76f934b30fbbc52eec2":"0cc9ae54c9a85f3e9325c5f3658ab3b2":"d0195b744351aa25a57a99df9573dfa3cebe9850139149b64f7e4af37756a430dda8af98e4ed480e913aa82821c01c1f75b187e105a8f39621757d522c083a8d81d7d8bfe6cf15c439d0692b6affd655a11bcd2457046fae996a1075c66029867b88cd23c503ae04037dd41f27bafd5000d1f516002f9fcc0f2500e8c1b27de0":104:"22c2efeddfd5d9cb528861c4eb":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"605271a41e263c92dc14fe9df5203e79d58cc2d1289dc361":"2bda3448a283ecba31e0299c0a9e44628cb2b41fa7b1a41107e107cabc381083bdbe048f2804568fdd5fe016f4d607f694042a459ba03a2deda4cccc8cbe4612d8ed0d4575e48bc9f59843369dbe2af6d048e65ff4250e1eef61d7b1b378fe2f3305b133ddc7e37d95ca6de89a971730fc80da943a767ff137707a8d8a24329c":"7f128092a777fc503adc7f6b85eb2006":"aef9f984fb645e08d5f0aa07a31c114d2f8e9eca047e4a8d5471378cfc2ced1159dc093d174788e58447a854be58942ed9a3fd45f3f4a1af7351e087369a267797c525f134e79709097e733b9003b9be0c569fc70ee3462b815b6410e19954ce2efac121300c06fd9e00542a9c6a5a682fe1010c145acbbb8b82333bdb5ddfd9":104:"673afea592b2ce16bd058469f1":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"605271a41e263c92dc14fe9df5203e79d58cc2d1289dc361":"2bda3448a283ecba31e0299c0a9e44628cb2b41fa7b1a41107e107cabc381083bdbe048f2804568fdd5fe016f4d607f694042a459ba03a2deda4cccc8cbe4612d8ed0d4575e48bc9f59843369dbe2af6d048e65ff4250e1eef61d7b1b378fe2f3305b133ddc7e37d95ca6de89a971730fc80da943a767ff137707a8d8a24329c":"7f128092a777fc503adc7f6b85eb2006":"aef9f984fb645e08d5f0aa07a31c114d2f8e9eca047e4a8d5471378cfc2ced1159dc093d174788e58447a854be58942ed9a3fd45f3f4a1af7351e087369a267797c525f134e79709097e733b9003b9be0c569fc70ee3462b815b6410e19954ce2efac121300c06fd9e00542a9c6a5a682fe1010c145acbbb8b82333bdb5ddfd9":104:"673afea592b2ce16bd058469f1":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fa076f36cb678e2275561e9553ebdf397360e5a5e44791c4":"513305e86c0cb046c5d3720b25a406392766bd1fb7de2758de370ff2e68281e211922890c61f3659460f22c45a57895b424441262a3ba0606df4e2701f38281fd3436a4d0e0f8efecd231808a9ea063dfb725015a91f27cadfe7909a0ee109eac391ac807afed1767ae0515b9c1b51ae9a48b38fe7fec7fe0ddee562c945e5ae":"1ecd53d94fe287047ff184e8b9b71a26":"5ff25f7bac5f76f533f9edffdfd2b2991d7fc4cd5a0452a1031da6094cd498297fb2a05ae8db71cb3451e4ac33a01172619035a9621d2d54f812ef5343e14b9dedc93838e4cf30e223d215b4d2476ea961a17ac7295069f25b2a12d6e2efe76d91f45632c6d4e61ff19a95d5ae36af960d95050ce98b5791df0b7e322411c884":104:"079e8db9c3e6eddb0335b1cf64":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fa076f36cb678e2275561e9553ebdf397360e5a5e44791c4":"513305e86c0cb046c5d3720b25a406392766bd1fb7de2758de370ff2e68281e211922890c61f3659460f22c45a57895b424441262a3ba0606df4e2701f38281fd3436a4d0e0f8efecd231808a9ea063dfb725015a91f27cadfe7909a0ee109eac391ac807afed1767ae0515b9c1b51ae9a48b38fe7fec7fe0ddee562c945e5ae":"1ecd53d94fe287047ff184e8b9b71a26":"5ff25f7bac5f76f533f9edffdfd2b2991d7fc4cd5a0452a1031da6094cd498297fb2a05ae8db71cb3451e4ac33a01172619035a9621d2d54f812ef5343e14b9dedc93838e4cf30e223d215b4d2476ea961a17ac7295069f25b2a12d6e2efe76d91f45632c6d4e61ff19a95d5ae36af960d95050ce98b5791df0b7e322411c884":104:"079e8db9c3e6eddb0335b1cf64":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ce9dafa0e7e53a8766fc0bc38fba807d04e14e5ed61bc234":"b585b8bf634757dac015f2f69f2ae674372a664f2115ad2d03bd3e0c335306b02d0947d3cda5991f5c0c25f12ead2c3cc2d65d575fd67091c70bc93ddb4b1e21f7b0fc6e6ae652dea93a6564ff13489f927942e64dd94bf8f821c7ffdef16df58bd8306a957821ac256da6f19c9d96e48eee87f88acb83bae05d693b70b9337b":"fd0751af49814ee98b2b0cdf730adaa6":"1cba488a0fc8a012f9a336cc7b01cbcc504178eeb08237dbedbc6c7ac68fdf3a6742751a207e43d43068abf6ef4e12a5e3c17e5a2f9398fc04ced67377cbb858fd6020fad675a880adb249e4aba94b96efa515d1cdf5c0c3071a27a3245968867ea94b2bfc2028a67be34c84c3f475944497aa8ca1ab009f8e4b11c8308c1996":96:"e5dc92f4ad4000e9b62fb637":"95f4324b0656bef19eca5570548fc6a7a9923f4e2a7e42066891bc132fd73bc1c9089755d996756de0072824e69c43f2db8ba2bf6f90d3c4eafc0721ceaccce1af896f9fb15fb19c4746979b6d945f593fad61d550f81d12b5945ed728c02931d7f8d917285c22a3af748d75a6bf163fddd84b941d8564c1a63192c816ad6d6d":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ce9dafa0e7e53a8766fc0bc38fba807d04e14e5ed61bc234":"b585b8bf634757dac015f2f69f2ae674372a664f2115ad2d03bd3e0c335306b02d0947d3cda5991f5c0c25f12ead2c3cc2d65d575fd67091c70bc93ddb4b1e21f7b0fc6e6ae652dea93a6564ff13489f927942e64dd94bf8f821c7ffdef16df58bd8306a957821ac256da6f19c9d96e48eee87f88acb83bae05d693b70b9337b":"fd0751af49814ee98b2b0cdf730adaa6":"1cba488a0fc8a012f9a336cc7b01cbcc504178eeb08237dbedbc6c7ac68fdf3a6742751a207e43d43068abf6ef4e12a5e3c17e5a2f9398fc04ced67377cbb858fd6020fad675a880adb249e4aba94b96efa515d1cdf5c0c3071a27a3245968867ea94b2bfc2028a67be34c84c3f475944497aa8ca1ab009f8e4b11c8308c1996":96:"e5dc92f4ad4000e9b62fb637":"":"95f4324b0656bef19eca5570548fc6a7a9923f4e2a7e42066891bc132fd73bc1c9089755d996756de0072824e69c43f2db8ba2bf6f90d3c4eafc0721ceaccce1af896f9fb15fb19c4746979b6d945f593fad61d550f81d12b5945ed728c02931d7f8d917285c22a3af748d75a6bf163fddd84b941d8564c1a63192c816ad6d6d":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8a328554fed68dc4838fbc89fd162c99ec105b36651abbc9":"75986f56972c045c850ed68aeb229f203b228fdfc36cad6b16d9bd12037c48700d20d8062a983ffeca76b8d36a67ef51bc8853706e83a34e4e23ff4f4a4eb943f19dbe85e454043d7906be6587a85079f9ccd27962d2905117d2dbeaf725d6ffe87bef52b2138da153ef29b18065b3342b3f9d07837d57b8bc5f2597de06c54f":"e4f7c69a1d026eeebfc45e77bd7b3538":"e349dcedb0bfcc771c820f0d510b80cef32ae3326484e25aa183015941e7844bc46f617d5e61fd64fa71759e90fcb72ae220bcd507f0fb389b689dd3fa29b3b937eded85f26ada9e0f3f5109f82fef47c7eba7313049750ad17969e7550c0d4093ed18ee27843d082bcee8bf3fc7833d569b7723998595a5a1d871089fd238da":96:"8e8320912fff628f47e92430":"a1ed65cfc7e1aeccd0531bce1dc749c7aa84451ec0f29856f12f22c4105888c7d62e2e2fc8ad7a62748610b16e57490f061ad063c88800037d7244ee59e109d445205280473390336d7b6089f3a78218447b1b2398c4d0b3aac8b57a35891ad60dc1b69ad75e2e86248ceac7bb4cf3caade4a896e5ee8c76893ef990f6f65266":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8a328554fed68dc4838fbc89fd162c99ec105b36651abbc9":"75986f56972c045c850ed68aeb229f203b228fdfc36cad6b16d9bd12037c48700d20d8062a983ffeca76b8d36a67ef51bc8853706e83a34e4e23ff4f4a4eb943f19dbe85e454043d7906be6587a85079f9ccd27962d2905117d2dbeaf725d6ffe87bef52b2138da153ef29b18065b3342b3f9d07837d57b8bc5f2597de06c54f":"e4f7c69a1d026eeebfc45e77bd7b3538":"e349dcedb0bfcc771c820f0d510b80cef32ae3326484e25aa183015941e7844bc46f617d5e61fd64fa71759e90fcb72ae220bcd507f0fb389b689dd3fa29b3b937eded85f26ada9e0f3f5109f82fef47c7eba7313049750ad17969e7550c0d4093ed18ee27843d082bcee8bf3fc7833d569b7723998595a5a1d871089fd238da":96:"8e8320912fff628f47e92430":"":"a1ed65cfc7e1aeccd0531bce1dc749c7aa84451ec0f29856f12f22c4105888c7d62e2e2fc8ad7a62748610b16e57490f061ad063c88800037d7244ee59e109d445205280473390336d7b6089f3a78218447b1b2398c4d0b3aac8b57a35891ad60dc1b69ad75e2e86248ceac7bb4cf3caade4a896e5ee8c76893ef990f6f65266":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6e7f6feb4022312de5c804ed1d7a37580d74499107f8cc8b":"4f5bbdf575ab8f778549f749f2265e17dc7225713e73ee6d7be163ff7071557dcc2240b0705c079008605f81396414ac64f06b1b637876e04c3fca8d0fa576cef4dd3dc553fd6808eaf120f837f9bb1d9dbbd5cf67ed497167fc7db89d3a84151b81aeab0e921057f121583df5ed7f976b206ece17a913f23485385f64c462a8":"6ce13485ffbc80567b02dd542344d7ef":"c6804a2bd8c34de14fe485c8b7caa2564adaf9fcbb754bd2cc1d88ba9183f13d110c762a3c5d2afc0fbc80aedcb91e45efe43d9320075420ee85ab22505f20e77fa4624b0387346c1bd944e9cd54055b5135c7fc92e85390ecf45a7091136b47e3d68d9076594cfad36c36047538e652178c375a2fe59a246a79784577860189":96:"974bd0c4a8cac1563a0e0ce0":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6e7f6feb4022312de5c804ed1d7a37580d74499107f8cc8b":"4f5bbdf575ab8f778549f749f2265e17dc7225713e73ee6d7be163ff7071557dcc2240b0705c079008605f81396414ac64f06b1b637876e04c3fca8d0fa576cef4dd3dc553fd6808eaf120f837f9bb1d9dbbd5cf67ed497167fc7db89d3a84151b81aeab0e921057f121583df5ed7f976b206ece17a913f23485385f64c462a8":"6ce13485ffbc80567b02dd542344d7ef":"c6804a2bd8c34de14fe485c8b7caa2564adaf9fcbb754bd2cc1d88ba9183f13d110c762a3c5d2afc0fbc80aedcb91e45efe43d9320075420ee85ab22505f20e77fa4624b0387346c1bd944e9cd54055b5135c7fc92e85390ecf45a7091136b47e3d68d9076594cfad36c36047538e652178c375a2fe59a246a79784577860189":96:"974bd0c4a8cac1563a0e0ce0":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"46d6e982feff0e7d04a84384c56739b69626dde500e4b7fb":"a5160fb2d397b55a7eba02df33a042404188f02f4492d46f4edc03fc67723d64f5f7fed3a60728438703c60454a30f473ac918ffc8f98be5c5e9779ee984415e415ce3c71f9acc3f808d215be58535d3144cebe7982b9b527edbe41446161094d6fc74dec2e0a1c644bbc2cf5779a22bd4117a7edb11d13e35e95feeb418d3f0":"71a6d1e022a6bdff6460c674fb0cf048":"67a8455c7d3fbfdba3c5ec5f40e0be935fbb9417e805771832ffad06ba38a61b8377997af1f586dc0fa1e3da0b39facd520db1f0ec2bdf1904a3a897f0b507c901fab30a85de51effa9f7d4703ceeb2ca72abe0bd146ba0bd3ffdee11628310db7d65ea1343b018084ea2414995f86fefb45ba91a9dc2236d92078b4305671b5":64:"84f1efd34ff84e83":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"46d6e982feff0e7d04a84384c56739b69626dde500e4b7fb":"a5160fb2d397b55a7eba02df33a042404188f02f4492d46f4edc03fc67723d64f5f7fed3a60728438703c60454a30f473ac918ffc8f98be5c5e9779ee984415e415ce3c71f9acc3f808d215be58535d3144cebe7982b9b527edbe41446161094d6fc74dec2e0a1c644bbc2cf5779a22bd4117a7edb11d13e35e95feeb418d3f0":"71a6d1e022a6bdff6460c674fb0cf048":"67a8455c7d3fbfdba3c5ec5f40e0be935fbb9417e805771832ffad06ba38a61b8377997af1f586dc0fa1e3da0b39facd520db1f0ec2bdf1904a3a897f0b507c901fab30a85de51effa9f7d4703ceeb2ca72abe0bd146ba0bd3ffdee11628310db7d65ea1343b018084ea2414995f86fefb45ba91a9dc2236d92078b4305671b5":64:"84f1efd34ff84e83":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"991dcaa2e8fdad2b4e6e462a3c06c96067ef5e9fb133496a":"9cd0c27f0c2011c1ab947400d28516c7f46d22a409a18fd35c1babf693b8030dfd7822d9ba03bb8fd56a00f9c7149c056640dde690889d2f23978eeeb28ccc26e2fc251220a3682c963f5580c654c1a6736cccb1b8ed104ec7390021d244bd9f92abde89e39a4b83eff8211c8a6259bd6ac2af1da7dfb8cf1355238056c60381":"978913d2c822ba7cc758041d5ee46759":"5a94dc81af011a8af263318b60215b9752292b194b89f6fc013b0fe8e29133de631d981862f2c131ee34905bd93caffc3b8f91aeb0264b27a509e5c6a41ae781209f8c5895d0d35b3c5e1ae34a1a92a2b979e0e62132051394940ea4d9bfffb8d89ba1e8331b15bdf05c41db83a57745a4a651a757cc8648acdcf850a2f25367":64:"15d456da7645abf2":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"991dcaa2e8fdad2b4e6e462a3c06c96067ef5e9fb133496a":"9cd0c27f0c2011c1ab947400d28516c7f46d22a409a18fd35c1babf693b8030dfd7822d9ba03bb8fd56a00f9c7149c056640dde690889d2f23978eeeb28ccc26e2fc251220a3682c963f5580c654c1a6736cccb1b8ed104ec7390021d244bd9f92abde89e39a4b83eff8211c8a6259bd6ac2af1da7dfb8cf1355238056c60381":"978913d2c822ba7cc758041d5ee46759":"5a94dc81af011a8af263318b60215b9752292b194b89f6fc013b0fe8e29133de631d981862f2c131ee34905bd93caffc3b8f91aeb0264b27a509e5c6a41ae781209f8c5895d0d35b3c5e1ae34a1a92a2b979e0e62132051394940ea4d9bfffb8d89ba1e8331b15bdf05c41db83a57745a4a651a757cc8648acdcf850a2f25367":64:"15d456da7645abf2":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f29cff00781f5916930f125489c87d21f6593324d1506f65":"a3e8595747b7147d471ac4fe38014bf4a409931e3f419ff88ae249ba7a7f51bd0ede371bf153bab4b28020b7a82a8ca30b75f1e3bcfee3c13db813cbc85138ef05874dedb14a6e5b6d06d7589a83bd5e052dc64433a8e24c1188b9470ddb2536d13b4b7bff0c5afcfaa9aa0157c3aae3b1774df2df14f965d6dee4332edba67e":"50db7ee25a9f815c784236f908bfd7f2":"ec1482e18692bcd6894a364c4a6abb9c3b9818bb17e5e1fc9ec0b41702c423f3a60907e94c888fad8e78f51e1f724b39969ba7b11d31b503504b304d5c4b4cbd42634f4ec5080a9fe51c82e121ae191270dd2c307af84c82d892d982413a50ccce33698054f761a3fa93da9a1fca321296b378a50d458ba78e57a70da4676150":64:"a1e19ef2f0d4b9f1":"eea18261a4de31d8619e77005ebbb3998c5dcfac2bc120ae465e29d6b4c46de7e6c044c8b148ffe4eda7629c243df8af4e7ceb512d5751a3ee58defb0690b6f26b51086dedfde38748f6f0bbe6b495f4304373188e5d2dc93461bd51bf720149a7d3aa543623b122b9af0123b2cdc9020136b041a49498ec4aa696c2d3c46d06":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f29cff00781f5916930f125489c87d21f6593324d1506f65":"a3e8595747b7147d471ac4fe38014bf4a409931e3f419ff88ae249ba7a7f51bd0ede371bf153bab4b28020b7a82a8ca30b75f1e3bcfee3c13db813cbc85138ef05874dedb14a6e5b6d06d7589a83bd5e052dc64433a8e24c1188b9470ddb2536d13b4b7bff0c5afcfaa9aa0157c3aae3b1774df2df14f965d6dee4332edba67e":"50db7ee25a9f815c784236f908bfd7f2":"ec1482e18692bcd6894a364c4a6abb9c3b9818bb17e5e1fc9ec0b41702c423f3a60907e94c888fad8e78f51e1f724b39969ba7b11d31b503504b304d5c4b4cbd42634f4ec5080a9fe51c82e121ae191270dd2c307af84c82d892d982413a50ccce33698054f761a3fa93da9a1fca321296b378a50d458ba78e57a70da4676150":64:"a1e19ef2f0d4b9f1":"":"eea18261a4de31d8619e77005ebbb3998c5dcfac2bc120ae465e29d6b4c46de7e6c044c8b148ffe4eda7629c243df8af4e7ceb512d5751a3ee58defb0690b6f26b51086dedfde38748f6f0bbe6b495f4304373188e5d2dc93461bd51bf720149a7d3aa543623b122b9af0123b2cdc9020136b041a49498ec4aa696c2d3c46d06":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2087e14092dad6df8996715cb1cfca90094f030328080ffd":"6d039513061980fb195bdf2f7c7079ca4b7e0fdd50d948cbfab5ba10b99e3aea27f08abd000c428851de82cacb0d64c146cd9567e9d55b89819876d6a635bd68bcaf47ffa41e02d9ee97f5a2363bfe6131ae7a21ea5130ae953a64d57d6cbfd45260c5f1946388d445ce97d23ab7ba31a5069a4896bc940a71de32bde02bc18d":"d30504afb6f8b6ac444b4a76115d79d1":"d95845d268c8d8f9135d310c39e30f55f83ef7ffee69e6ba1f80d08e92ed473b5ac12cc8f7a872bfc8b325e6b8e374609c90beaf52d975f71caeef5ee4c13de08dce80d358ee1cd091faea209a24e3392adcfe01aeb2b2e1738bc75d4a9b7cd31df7f878141cf278d150f6faa83fb3a2fd1225542a39c900606c602f15c06a4f":32:"5412f25c":"1e81a4c10a3440d0002ddc1bfa42ebb08e504fcc8f0497915c51b6f5f75fee3f0cd3e9c5a81ff6528e0fecd68a36192114f17fa1a4cfe21918dac46e3ba1383c2678c7a6889a980024ee2a21bcf737f7723b5735e1ebe78996f7c7eace2802ebb8284216867d73b53a370a57d5b587d070a96db34b5b4f5afe7f39830498c112":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2087e14092dad6df8996715cb1cfca90094f030328080ffd":"6d039513061980fb195bdf2f7c7079ca4b7e0fdd50d948cbfab5ba10b99e3aea27f08abd000c428851de82cacb0d64c146cd9567e9d55b89819876d6a635bd68bcaf47ffa41e02d9ee97f5a2363bfe6131ae7a21ea5130ae953a64d57d6cbfd45260c5f1946388d445ce97d23ab7ba31a5069a4896bc940a71de32bde02bc18d":"d30504afb6f8b6ac444b4a76115d79d1":"d95845d268c8d8f9135d310c39e30f55f83ef7ffee69e6ba1f80d08e92ed473b5ac12cc8f7a872bfc8b325e6b8e374609c90beaf52d975f71caeef5ee4c13de08dce80d358ee1cd091faea209a24e3392adcfe01aeb2b2e1738bc75d4a9b7cd31df7f878141cf278d150f6faa83fb3a2fd1225542a39c900606c602f15c06a4f":32:"5412f25c":"":"1e81a4c10a3440d0002ddc1bfa42ebb08e504fcc8f0497915c51b6f5f75fee3f0cd3e9c5a81ff6528e0fecd68a36192114f17fa1a4cfe21918dac46e3ba1383c2678c7a6889a980024ee2a21bcf737f7723b5735e1ebe78996f7c7eace2802ebb8284216867d73b53a370a57d5b587d070a96db34b5b4f5afe7f39830498c112":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3fc76d627c775de2f789279dc7b67979a9f1cc23c8dcabc9":"92a60d38fc687b92d44635aafee416a142d11a025680e5aa42e9ba5aa010462991ad3dd7328ca4a693673410f9bba37f05a551b949ab0d43fc61ef3b8996dd3fc1b325e66eec6cc61ea667500f82a83e699756a139d14be6ca9747ed38cd9b1d9da032ece311331bdcd698666ddc970b8be2b746ec55fe60e65d7ae47c6f853c":"8f6fd53eb97e12dcd4d40f2843e25365":"e56995df73e52606a11de9df6c7bfb0ef93b86bf6766e319aea59372060294b0e1b13c6288c2310a4bef725a2dddb174f3e1228649861757903c4497a0eec9c141454fc75f101439a2150e368857c4f0f6e5161c42c77f632bf1c229a52595cbf16e9018de9a8f6a1e6b8b18bd244f93f001eb2eb315405d223c0d27ece9d4d9":32:"613ba486":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3fc76d627c775de2f789279dc7b67979a9f1cc23c8dcabc9":"92a60d38fc687b92d44635aafee416a142d11a025680e5aa42e9ba5aa010462991ad3dd7328ca4a693673410f9bba37f05a551b949ab0d43fc61ef3b8996dd3fc1b325e66eec6cc61ea667500f82a83e699756a139d14be6ca9747ed38cd9b1d9da032ece311331bdcd698666ddc970b8be2b746ec55fe60e65d7ae47c6f853c":"8f6fd53eb97e12dcd4d40f2843e25365":"e56995df73e52606a11de9df6c7bfb0ef93b86bf6766e319aea59372060294b0e1b13c6288c2310a4bef725a2dddb174f3e1228649861757903c4497a0eec9c141454fc75f101439a2150e368857c4f0f6e5161c42c77f632bf1c229a52595cbf16e9018de9a8f6a1e6b8b18bd244f93f001eb2eb315405d223c0d27ece9d4d9":32:"613ba486":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-192,128,1024,1024,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b10979797fb8f418a126120d45106e1779b4538751a19bf6":"e3dc64e3c02731fe6e6ec0e899183018da347bf8bd476aa7746d7a7729d83a95f64bb732ba987468d0cede154e28169f7bafa36559200795037ee38279e0e4ca40f9cfa85aa0c8035df9649345c8fdffd1c31528b485dfe443c1923180cc8fae5196d16f822be4ad07e3f1234e1d218e7c8fb37a0e4480dc6717c9c09ff5c45f":"ca362e615024a1fe11286668646cc1de":"237d95d86a5ad46035870f576a1757eded636c7234d5ed0f8039f6f59f1333cc31cb893170d1baa98bd4e79576de920120ead0fdecfb343edbc2fcc556540a91607388a05d43bdb8b55f1327552feed3b620614dfcccb2b342083896cbc81dc9670b761add998913ca813163708a45974e6d7b56dfd0511a72eb879f239d6a6d":32:"28d730ea":"dafde27aa8b3076bfa16ab1d89207d339c4997f8a756cc3eb62c0b023976de808ab640ba4467f2b2ea83d238861229c73387594cd43770386512ea595a70888b4c38863472279e06b923e7cf32438199b3e054ac4bc21baa8df39ddaa207ebb17fa4cad6e83ea58c3a92ec74e6e01b0a8979af145dd31d5df29750bb91b42d45":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b10979797fb8f418a126120d45106e1779b4538751a19bf6":"e3dc64e3c02731fe6e6ec0e899183018da347bf8bd476aa7746d7a7729d83a95f64bb732ba987468d0cede154e28169f7bafa36559200795037ee38279e0e4ca40f9cfa85aa0c8035df9649345c8fdffd1c31528b485dfe443c1923180cc8fae5196d16f822be4ad07e3f1234e1d218e7c8fb37a0e4480dc6717c9c09ff5c45f":"ca362e615024a1fe11286668646cc1de":"237d95d86a5ad46035870f576a1757eded636c7234d5ed0f8039f6f59f1333cc31cb893170d1baa98bd4e79576de920120ead0fdecfb343edbc2fcc556540a91607388a05d43bdb8b55f1327552feed3b620614dfcccb2b342083896cbc81dc9670b761add998913ca813163708a45974e6d7b56dfd0511a72eb879f239d6a6d":32:"28d730ea":"":"dafde27aa8b3076bfa16ab1d89207d339c4997f8a756cc3eb62c0b023976de808ab640ba4467f2b2ea83d238861229c73387594cd43770386512ea595a70888b4c38863472279e06b923e7cf32438199b3e054ac4bc21baa8df39ddaa207ebb17fa4cad6e83ea58c3a92ec74e6e01b0a8979af145dd31d5df29750bb91b42d45":0
 
 AES-GCM Bad IV (AES-192,128,0,0,32) #0
 depends_on:MBEDTLS_AES_C
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.aes256_de.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.aes256_de.data
index 9696a62be3..d207212276 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.aes256_de.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.aes256_de.data
@@ -1,674 +1,674 @@
 AES-GCM NIST Validation (AES-256,128,0,0,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2c186654406b2b92c9639a7189d4ab5ab0b9bb87c43005027f3fa832fd3507b1":"":"3a0324d63a70400490c92e7604a3ba97":"":128:"4c61cd2e28a13d78a4e87ea7374dd01a":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2c186654406b2b92c9639a7189d4ab5ab0b9bb87c43005027f3fa832fd3507b1":"":"3a0324d63a70400490c92e7604a3ba97":"":128:"4c61cd2e28a13d78a4e87ea7374dd01a":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"747d01d82d7382b4263e7cbf25bd198a8a92faabf8d7367584c7e2fa506e9c5f":"":"7156358b203a44ef173706fdc81900f8":"":128:"9687fb231c4742a74d6bf78c62b8ac53":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"747d01d82d7382b4263e7cbf25bd198a8a92faabf8d7367584c7e2fa506e9c5f":"":"7156358b203a44ef173706fdc81900f8":"":128:"9687fb231c4742a74d6bf78c62b8ac53":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1cbe30216136b7eaf223e6a7b46c06625176d9a08182fa806a63d8b143aa768b":"":"4fe6ace582c4e26ce71ee7f756fb7a88":"":128:"d5bdf8ec2896acafb7022708d74646c7":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1cbe30216136b7eaf223e6a7b46c06625176d9a08182fa806a63d8b143aa768b":"":"4fe6ace582c4e26ce71ee7f756fb7a88":"":128:"d5bdf8ec2896acafb7022708d74646c7":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f31194c83bb8da979a1eabb3337ceb3d38a663790da74380d8f94142ab8b8797":"":"404efd26b665c97ea75437892cf676b6":"":120:"e491075851eec28c723159cc1b2c76":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f31194c83bb8da979a1eabb3337ceb3d38a663790da74380d8f94142ab8b8797":"":"404efd26b665c97ea75437892cf676b6":"":120:"e491075851eec28c723159cc1b2c76":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"daeed52ae4bf5cbe1ad58ae4ccb3da81fb9c0b6f7619ca21979313ad9d3e83c1":"":"4037eadb11249884b6b38b5525ba2df4":"":120:"360c6ef41cbd9cd4a4e649712d2930":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"daeed52ae4bf5cbe1ad58ae4ccb3da81fb9c0b6f7619ca21979313ad9d3e83c1":"":"4037eadb11249884b6b38b5525ba2df4":"":120:"360c6ef41cbd9cd4a4e649712d2930":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3ad81c34389406a965c60edb3214663ac4a6bd5cfd154ae8d9dc86dae93def64":"":"cebbce06a88852d3bb2978dbe2b5995a":"":120:"bd7ca9f6bd1099cde87c0f0d7cc887":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3ad81c34389406a965c60edb3214663ac4a6bd5cfd154ae8d9dc86dae93def64":"":"cebbce06a88852d3bb2978dbe2b5995a":"":120:"bd7ca9f6bd1099cde87c0f0d7cc887":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4c152ba30aefa5b2a08b0b4d9bf3f16fc208bb0bc4c4eca9411dc262d9276bad":"":"008d040fbd7342464209f330cf56722c":"":112:"c87107585751e666bedae2b1b7e8":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4c152ba30aefa5b2a08b0b4d9bf3f16fc208bb0bc4c4eca9411dc262d9276bad":"":"008d040fbd7342464209f330cf56722c":"":112:"c87107585751e666bedae2b1b7e8":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9aed4ae6b1d857fdcbe5aec6db38440613dcc49f24aa31fba1f300b2585723f1":"":"947c5f0432723f2d7b560eca90842df1":"":112:"7d331fedcea0fd1e9e6a84385467":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9aed4ae6b1d857fdcbe5aec6db38440613dcc49f24aa31fba1f300b2585723f1":"":"947c5f0432723f2d7b560eca90842df1":"":112:"7d331fedcea0fd1e9e6a84385467":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cc80bc031676eff5f34dd076388a5130e985f9e06df4b4bf8490ff9ff20aae73":"":"51f639467083377795111d44f7d16592":"":112:"02d31f29e15f60ae3bee1ad7ea65":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cc80bc031676eff5f34dd076388a5130e985f9e06df4b4bf8490ff9ff20aae73":"":"51f639467083377795111d44f7d16592":"":112:"02d31f29e15f60ae3bee1ad7ea65":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"db7a40213b5b4b07e9900dc28f599403b0579cbce13fcd44dff090062f952686":"":"aea6f8690f865bca9f77a5ff843d2365":"":104:"7f2280776d6cd6802b3c85083c":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"db7a40213b5b4b07e9900dc28f599403b0579cbce13fcd44dff090062f952686":"":"aea6f8690f865bca9f77a5ff843d2365":"":104:"7f2280776d6cd6802b3c85083c":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"299b874eaa8b7baf769f81f4988a41e2708ae928e69a5ba7b893e8e6b2db5c3b":"":"2aa04d85d2c0dc6f5294cb71c0d89ac1":"":104:"ea01723a22838ed65ceb80b1cf":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"299b874eaa8b7baf769f81f4988a41e2708ae928e69a5ba7b893e8e6b2db5c3b":"":"2aa04d85d2c0dc6f5294cb71c0d89ac1":"":104:"ea01723a22838ed65ceb80b1cf":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a6c7b4c8175db4cf23d0593ed8ea949043880fc02e2725f0ab90ae638f9dcfce":"":"ae07f8c7ac82c4f4c086e04a20db12bc":"":104:"1132e4fff06db51ff135ed9ced":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a6c7b4c8175db4cf23d0593ed8ea949043880fc02e2725f0ab90ae638f9dcfce":"":"ae07f8c7ac82c4f4c086e04a20db12bc":"":104:"1132e4fff06db51ff135ed9ced":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b98e1bf76828b65a81005449971fdc8b11be546d31de6616cd73c5813050c326":"":"929b006eb30d69b49a7f52392d7d3f11":"":96:"33940d330f7c019a57b74f2d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b98e1bf76828b65a81005449971fdc8b11be546d31de6616cd73c5813050c326":"":"929b006eb30d69b49a7f52392d7d3f11":"":96:"33940d330f7c019a57b74f2d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"09ccef64ae761a70fe16772cba462b058a69477c91595de26a5f1bd637c3816f":"":"e34b19381f05693f7606ce043626664d":"":96:"2adc2c45947bfa7faa5c464a":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"09ccef64ae761a70fe16772cba462b058a69477c91595de26a5f1bd637c3816f":"":"e34b19381f05693f7606ce043626664d":"":96:"2adc2c45947bfa7faa5c464a":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"654cf46598e5ad3e243472a459bcd80f1e026a65429352dbd56e73fcc5895d1c":"":"a56f27709e670b85e5917d5c1d5b0cc2":"":96:"177b9a5e6d9731419dd33c5c":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"654cf46598e5ad3e243472a459bcd80f1e026a65429352dbd56e73fcc5895d1c":"":"a56f27709e670b85e5917d5c1d5b0cc2":"":96:"177b9a5e6d9731419dd33c5c":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"84bca1b2768b9202bf194f2d5e5a0a5f51fd8bb725f2bab8a3fccbdb64a4ea70":"":"c45b2708c5bdf65ec6cc66b6dfb3623b":"":64:"fe82300adffd8c17":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"84bca1b2768b9202bf194f2d5e5a0a5f51fd8bb725f2bab8a3fccbdb64a4ea70":"":"c45b2708c5bdf65ec6cc66b6dfb3623b":"":64:"fe82300adffd8c17":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c8ae011795c9a60ad7660a31fe354fa6f7e9c2724d7a126436291680cd95c007":"":"1bd9ea6186450f9cd253ccfed2812b1c":"":64:"35214bbc510430e3":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c8ae011795c9a60ad7660a31fe354fa6f7e9c2724d7a126436291680cd95c007":"":"1bd9ea6186450f9cd253ccfed2812b1c":"":64:"35214bbc510430e3":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"df2f0a8a3849f497d12bda44e12ce30a6957f3febcd5ec9bc134171326ca66d3":"":"728cb9608b67a489a382aa677b1f4f5b":"":64:"e2ef5d9cc5791c01":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"df2f0a8a3849f497d12bda44e12ce30a6957f3febcd5ec9bc134171326ca66d3":"":"728cb9608b67a489a382aa677b1f4f5b":"":64:"e2ef5d9cc5791c01":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"78e8a8ad1ecd17446cf9cd9c56facfd4e10faf5762da0fd0da177f6a9b9c3a71":"":"f169ce6f3ccc58f6434ae2b8ad1a63a1":"":32:"0fe57572":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"78e8a8ad1ecd17446cf9cd9c56facfd4e10faf5762da0fd0da177f6a9b9c3a71":"":"f169ce6f3ccc58f6434ae2b8ad1a63a1":"":32:"0fe57572":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"02ca6d8a862e25db9d68e4404abc107e700135df4157cfb135ce98eaa33151c9":"":"7b722fdd43cff20832812f9baf2d6791":"":32:"72dea6cc":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"02ca6d8a862e25db9d68e4404abc107e700135df4157cfb135ce98eaa33151c9":"":"7b722fdd43cff20832812f9baf2d6791":"":32:"72dea6cc":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9a2b709dbcc3a4fb15b3ad541fb008c381b7e985b57df52f07ca7cd26ab1ecc4":"":"729baa4c0ef75ed8aae746376b39fe3c":"":32:"2a0d607c":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9a2b709dbcc3a4fb15b3ad541fb008c381b7e985b57df52f07ca7cd26ab1ecc4":"":"729baa4c0ef75ed8aae746376b39fe3c":"":32:"2a0d607c":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"449d39f863e4909984b37f2e5c09ea4d4b3e9fac67bd57c299e4e1d1f084aaa3":"":"d8e9118f331bb5a359f0aa8882861b72":"4ddcae0bc24d622e12bdeaac73e8d1ab7957af051d27dfaafce53aeed4cdd3f989ea25989a2f41cfb3c38dbd841c5560b0b5ab1861b1fbcd236865d13da55b50219462e021f8a21848a64a85326031fcec8fe47a6ef4a435dd2b2fff637644ffcf3914ef2dfa5dd556421bfd297be150b31db039f0f2cc422b282e659e70cceb":128:"c595b9d99414891228c9fa5edb5fcce3":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"449d39f863e4909984b37f2e5c09ea4d4b3e9fac67bd57c299e4e1d1f084aaa3":"":"d8e9118f331bb5a359f0aa8882861b72":"4ddcae0bc24d622e12bdeaac73e8d1ab7957af051d27dfaafce53aeed4cdd3f989ea25989a2f41cfb3c38dbd841c5560b0b5ab1861b1fbcd236865d13da55b50219462e021f8a21848a64a85326031fcec8fe47a6ef4a435dd2b2fff637644ffcf3914ef2dfa5dd556421bfd297be150b31db039f0f2cc422b282e659e70cceb":128:"c595b9d99414891228c9fa5edb5fcce3":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3e70e66813fc48f984dcda4d1c9c24f1d5d1b71ecfc8bb9581782e7cca5a5cc6":"":"d804f1051e72c9b7117002b862eb45ff":"0b1ab2b7a87cebac668c7a532fa8fa56a22cabf0c41fc1e6744ffe07c857c6865d623f508351f98f3f0c577d1eb94300a30a445472218c8ac626b0bee7d4c122d33f8130436a89add341e8ef7e00694afb4ad80d314d87ad3f921c7105eed05431b8151df7cff2c8e3790efd4acd3f60332dc7f34fdd90beef70f9093361d65b":128:"c09c2e3fdfefa222f7345ae4efb978fc":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3e70e66813fc48f984dcda4d1c9c24f1d5d1b71ecfc8bb9581782e7cca5a5cc6":"":"d804f1051e72c9b7117002b862eb45ff":"0b1ab2b7a87cebac668c7a532fa8fa56a22cabf0c41fc1e6744ffe07c857c6865d623f508351f98f3f0c577d1eb94300a30a445472218c8ac626b0bee7d4c122d33f8130436a89add341e8ef7e00694afb4ad80d314d87ad3f921c7105eed05431b8151df7cff2c8e3790efd4acd3f60332dc7f34fdd90beef70f9093361d65b":128:"c09c2e3fdfefa222f7345ae4efb978fc":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8e534041090b45b80f287dc5fa20ebda017ad81b0530e680f62c6280fd8881af":"":"ead675b019ef5c6bbf4985f2a382d6c1":"b1db220052c4bebcef27eed6db0dc91be481179d71160c5a2ddb2fe497a05484840b04cce48980057d770fbbd0d5f3d5c633b55470617ad2cab5767188283310337825c4b0eafe13b5b11293dec230dad43b220885105767938c7ec4600fe063f98aa14bc6afb886fc874c10546749da295f571e696305bd9165486e29f43f52":128:"9aa0cdad5686ca515cd58aed94938ef4":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8e534041090b45b80f287dc5fa20ebda017ad81b0530e680f62c6280fd8881af":"":"ead675b019ef5c6bbf4985f2a382d6c1":"b1db220052c4bebcef27eed6db0dc91be481179d71160c5a2ddb2fe497a05484840b04cce48980057d770fbbd0d5f3d5c633b55470617ad2cab5767188283310337825c4b0eafe13b5b11293dec230dad43b220885105767938c7ec4600fe063f98aa14bc6afb886fc874c10546749da295f571e696305bd9165486e29f43f52":128:"9aa0cdad5686ca515cd58aed94938ef4":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2de18874470c09db683cf45cd752bdfa8bf33e7967220b1a69f41f2a02da1d80":"":"af30eb2d0a0c2a50ea413f3285aa88d4":"22889b868d8ccc9f488406813caed199b23091ddd796c8632f564e7cf5a39dfb725266a931fec958659b6fc5b6b9343b8217edb0acb010afc9416601155262b57bd398d62f555953f0e15958e19ae004fbc9cb25e0269a9eaa38a4635a27bfa719fb249fa49337796bcf5f416bba87fbf3b19f0d8c11290c25ca50bbdc822f01":120:"646bbc9b14681af65b0d1c4c9f1d0d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2de18874470c09db683cf45cd752bdfa8bf33e7967220b1a69f41f2a02da1d80":"":"af30eb2d0a0c2a50ea413f3285aa88d4":"22889b868d8ccc9f488406813caed199b23091ddd796c8632f564e7cf5a39dfb725266a931fec958659b6fc5b6b9343b8217edb0acb010afc9416601155262b57bd398d62f555953f0e15958e19ae004fbc9cb25e0269a9eaa38a4635a27bfa719fb249fa49337796bcf5f416bba87fbf3b19f0d8c11290c25ca50bbdc822f01":120:"646bbc9b14681af65b0d1c4c9f1d0d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1a1bb9122e762ecd7ff861a1d65e52607d98e7ae5bd1c3a944e443710f3b0599":"":"32f99ea4cbf52c2701c2252e5e6c863d":"91b7a70c3a06c1f7f2ea584acb5dd76177ba07323c94f2e8f7cbe93fc0bb7c389c3c88e16aa53174f0fc373bc778a6ccf91bf61b6e92c2969d3441eb17a0a835d30dcf882472a6d3cb036533b04d79f05ebfaadf221ae1c14af3f02fa41867acfdfa35f81e8a9d11d42b9a63288c759063c0c3040c3e6ee69cf7c75f9c33fea1":120:"a8e29e08623a3efdbbe8b111de30a4":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1a1bb9122e762ecd7ff861a1d65e52607d98e7ae5bd1c3a944e443710f3b0599":"":"32f99ea4cbf52c2701c2252e5e6c863d":"91b7a70c3a06c1f7f2ea584acb5dd76177ba07323c94f2e8f7cbe93fc0bb7c389c3c88e16aa53174f0fc373bc778a6ccf91bf61b6e92c2969d3441eb17a0a835d30dcf882472a6d3cb036533b04d79f05ebfaadf221ae1c14af3f02fa41867acfdfa35f81e8a9d11d42b9a63288c759063c0c3040c3e6ee69cf7c75f9c33fea1":120:"a8e29e08623a3efdbbe8b111de30a4":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3bfad1e8f9850577f9ba3f290e9a5e91b494c2d99534220362e171a7543177ac":"":"8410886b70c57d7ded8596443bd1b157":"ca801c83596795515ea931edba00e06e332bf84246b7036e10b317e2d09a51b2981fcb664ee3bf4180bb0b12ed1cda221abc6790b27c26914f5ef9cea9536e2453cd5b247cb054e295c2687b725a97cbc484b8eb86c6ceee03bd07a54a9301a3ac0ddb23aecb825a238252e7575329058b40e75575a7f16439edf5be163ce5f5":120:"e3645db0c600dba52044efcecfc331":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3bfad1e8f9850577f9ba3f290e9a5e91b494c2d99534220362e171a7543177ac":"":"8410886b70c57d7ded8596443bd1b157":"ca801c83596795515ea931edba00e06e332bf84246b7036e10b317e2d09a51b2981fcb664ee3bf4180bb0b12ed1cda221abc6790b27c26914f5ef9cea9536e2453cd5b247cb054e295c2687b725a97cbc484b8eb86c6ceee03bd07a54a9301a3ac0ddb23aecb825a238252e7575329058b40e75575a7f16439edf5be163ce5f5":120:"e3645db0c600dba52044efcecfc331":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"65debdf2f2191a6cd8de8ad4d5d4d0d8f731f67744e2545df6b2a7cba89c1ee0":"":"fdab2ee547dd8b6f5a4ea2dd19697b3e":"d2b0a0438ee0f145aec9a7ca452b788ecb473152b78fb75f6ace721afc7b0ae1942049b790f3a5b6221a8760295659756d35347cc04029be03459f3e23a71209b4e0bbe13a253a888c83db23376d3a6d9a539f7c9fa4a12dc64297e7c93dfa0ab53ef76b6e1d95bf6f3d5e6ee8f08662fc03ec9d40eff0a43f23ac313671bfd9":112:"c25fc157c3f2474885e2eea48aea":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"65debdf2f2191a6cd8de8ad4d5d4d0d8f731f67744e2545df6b2a7cba89c1ee0":"":"fdab2ee547dd8b6f5a4ea2dd19697b3e":"d2b0a0438ee0f145aec9a7ca452b788ecb473152b78fb75f6ace721afc7b0ae1942049b790f3a5b6221a8760295659756d35347cc04029be03459f3e23a71209b4e0bbe13a253a888c83db23376d3a6d9a539f7c9fa4a12dc64297e7c93dfa0ab53ef76b6e1d95bf6f3d5e6ee8f08662fc03ec9d40eff0a43f23ac313671bfd9":112:"c25fc157c3f2474885e2eea48aea":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"496ae810380460d40cd2fdae8c0739f16b87205cc7f57db0a71a473eb361d570":"":"77233de96f5e1744337778212b411bd5":"85f5b54b4c4af5c808120bd28d98e44e96f4126623e57684957e9fc4fd1a2d0583940b8fc8314a249325476e8d05247831b04709580ae714e8187cd38f9559419e14c9fc4f8c454ec191b8ef2a3610988fe3339d0dc6b72f5978f9eff9d596dfabf27056e3a908c6497267461386e860f6b9d65526294bcb92908b5661b06b5a":112:"4ed91af6340e70b0c2b94ab6f82e":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"496ae810380460d40cd2fdae8c0739f16b87205cc7f57db0a71a473eb361d570":"":"77233de96f5e1744337778212b411bd5":"85f5b54b4c4af5c808120bd28d98e44e96f4126623e57684957e9fc4fd1a2d0583940b8fc8314a249325476e8d05247831b04709580ae714e8187cd38f9559419e14c9fc4f8c454ec191b8ef2a3610988fe3339d0dc6b72f5978f9eff9d596dfabf27056e3a908c6497267461386e860f6b9d65526294bcb92908b5661b06b5a":112:"4ed91af6340e70b0c2b94ab6f82e":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"aca188183b46139cc7cffc82a6aaaeb2fd73cecad14e75c663bd62daf1ec711d":"":"7bbf7fb55eb70cce94cc6a2b67de55ba":"015cfba90f069545fed60f31992ff3d3c3592eb91e7a53df5978ded64291954cb99a57de82d5398ce782b68d14ac04a8b425395bd076ead59eb445721bdb2f45e19fa089117800cbbac7b8313fb165ccb1122acb654e1242dc7fe6885ea1cbb7281b1270cfa1549cdfe9b47caf47b4ac3807e562e48c066566f5e606b5023b47":112:"3bcb5c2a4261d75bfa106fb25ee1":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"aca188183b46139cc7cffc82a6aaaeb2fd73cecad14e75c663bd62daf1ec711d":"":"7bbf7fb55eb70cce94cc6a2b67de55ba":"015cfba90f069545fed60f31992ff3d3c3592eb91e7a53df5978ded64291954cb99a57de82d5398ce782b68d14ac04a8b425395bd076ead59eb445721bdb2f45e19fa089117800cbbac7b8313fb165ccb1122acb654e1242dc7fe6885ea1cbb7281b1270cfa1549cdfe9b47caf47b4ac3807e562e48c066566f5e606b5023b47":112:"3bcb5c2a4261d75bfa106fb25ee1":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8cd6815f6ec15f03b7a53f159e877a5981e0ab7f6e6c261ddde4b47cbb2f2366":"":"c431c07d9adf5f61204a017259cddd75":"4e1a835402bde4f5227e64b46a1f8d0f23a9434e189377fcdf1b9621ba1987eb86a7f3b97ed0babfd674e74c5604a03dd016d71000a72bbbd00a7f7fe56ad0fcb36a3e24dd0fdb63bd66d4db415f35012416ed599796ca3f678df7eb5a1b17f75abb348ddd3b366369a7b362c9488aedab836b61f9a158f0b129c8ca0a53a81e":104:"0e463806ff34e206f703dd96b3":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8cd6815f6ec15f03b7a53f159e877a5981e0ab7f6e6c261ddde4b47cbb2f2366":"":"c431c07d9adf5f61204a017259cddd75":"4e1a835402bde4f5227e64b46a1f8d0f23a9434e189377fcdf1b9621ba1987eb86a7f3b97ed0babfd674e74c5604a03dd016d71000a72bbbd00a7f7fe56ad0fcb36a3e24dd0fdb63bd66d4db415f35012416ed599796ca3f678df7eb5a1b17f75abb348ddd3b366369a7b362c9488aedab836b61f9a158f0b129c8ca0a53a81e":104:"0e463806ff34e206f703dd96b3":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8f0a72abcda104aa7fae501f9a3b686d00d3f6fe984731db8a2865bfec587073":"":"ab8acd063775d1b1314f14e90fddd1be":"02c6d426e7f20b725d8cde0a6382e49b029b52126889013ef45251f27b2fadb95ca4a9a3b16ad06999eeca4a473e813045db4942e9b9ff2e5a5e429d9bac298372344d1b781d5facabf6d779643f31ada6124eb50aad599044b54279ec9b25714ac8a3b9ad2487cec7f4b1ee245d7be3d496d6af1d4cbee1c8201312541f3064":104:"3f0ccc134091e0c0425887b1b9":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8f0a72abcda104aa7fae501f9a3b686d00d3f6fe984731db8a2865bfec587073":"":"ab8acd063775d1b1314f14e90fddd1be":"02c6d426e7f20b725d8cde0a6382e49b029b52126889013ef45251f27b2fadb95ca4a9a3b16ad06999eeca4a473e813045db4942e9b9ff2e5a5e429d9bac298372344d1b781d5facabf6d779643f31ada6124eb50aad599044b54279ec9b25714ac8a3b9ad2487cec7f4b1ee245d7be3d496d6af1d4cbee1c8201312541f3064":104:"3f0ccc134091e0c0425887b1b9":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"417135cad74280e6f8597dc791431c95cb8fa63bbf7197e3ab37c4b1d6d9438a":"":"0fe22d9ba1d0e32656e3a9f07a517a27":"a0b2712e81d329d5b076a4be2ad6823cee6dbd17d9a592d065bdebb92b1ff37a56bf2f5e5341f39c574246ccda19e5f35fede49c9ba958f3920cc5440fb404fab7846884ca0c2a3af5b51f4fe97a1395571319cc5b40f8aac986d77de280db82343983982638326ef003e0c013af19c34672975dc99ccc0853a1acf7c617d965":104:"888b836c9111073924a9b43069":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"417135cad74280e6f8597dc791431c95cb8fa63bbf7197e3ab37c4b1d6d9438a":"":"0fe22d9ba1d0e32656e3a9f07a517a27":"a0b2712e81d329d5b076a4be2ad6823cee6dbd17d9a592d065bdebb92b1ff37a56bf2f5e5341f39c574246ccda19e5f35fede49c9ba958f3920cc5440fb404fab7846884ca0c2a3af5b51f4fe97a1395571319cc5b40f8aac986d77de280db82343983982638326ef003e0c013af19c34672975dc99ccc0853a1acf7c617d965":104:"888b836c9111073924a9b43069":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"304824914e32ea0efd61be6972586093349bd2cc2cf0cff44be943682b2dbff5":"":"b6d927a71929029f6766be42746f7cb1":"7281c81c7514f4b17cb125c4649006ef8959a400a1e4d609d277e363e433725fa32346a10bcbd826b6afc8222158920d0a2db1e6fc915e81231c34c3941ecf3c6f94ffe2136190cae3dc39a4277acbc247f36291b5614a8433b1a0780434a6c50521b72ec25145bbd3b192647155d5dd9df9e66762d39592602ea99bf9bfff49":96:"b6044c4d7f59491f68b2c61e":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"304824914e32ea0efd61be6972586093349bd2cc2cf0cff44be943682b2dbff5":"":"b6d927a71929029f6766be42746f7cb1":"7281c81c7514f4b17cb125c4649006ef8959a400a1e4d609d277e363e433725fa32346a10bcbd826b6afc8222158920d0a2db1e6fc915e81231c34c3941ecf3c6f94ffe2136190cae3dc39a4277acbc247f36291b5614a8433b1a0780434a6c50521b72ec25145bbd3b192647155d5dd9df9e66762d39592602ea99bf9bfff49":96:"b6044c4d7f59491f68b2c61e":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8a10e9abe9389738e12a4bb6f553ae81e8bd320e0dfbc05fbae2128c1fde7a23":"":"6da44354e198e3beb54792718becbcc1":"199d754630135b669bf2ec581d3027a569412ab39a78dd9d482e87b778ec65c6473656260c27827e00e566f1e3728fd7bc1853a39d00e43752c6f62c6f9b542a302eea4fd314473674f6926a878ec1e4b475d889126ce6317115aea7660b86ab7f7595695787f6954903f72361c917523615a86d6ce724bd4a20c9257984c0c6":96:"5c5683e587baf2bd32de3df5":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"8a10e9abe9389738e12a4bb6f553ae81e8bd320e0dfbc05fbae2128c1fde7a23":"":"6da44354e198e3beb54792718becbcc1":"199d754630135b669bf2ec581d3027a569412ab39a78dd9d482e87b778ec65c6473656260c27827e00e566f1e3728fd7bc1853a39d00e43752c6f62c6f9b542a302eea4fd314473674f6926a878ec1e4b475d889126ce6317115aea7660b86ab7f7595695787f6954903f72361c917523615a86d6ce724bd4a20c9257984c0c6":96:"5c5683e587baf2bd32de3df5":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d164ffde5dd684becaf73e9667e3e6acb316682c41aea247899e104a54dd7a7f":"":"1d388e19e9d7a9750e2fc1187d4b075a":"f166a5b6f91261cda56f1a537f42ffb8aed10af5e0248f8910034b92dbc58d25953f1497f571d31fbf5ec30d92234b440161703851f0e43530418147ce6270fbcb5db33ab819ba8973051908704b6bea8aaca0718947e6aa82498a6e26a813981783ed9bf9d02eb1ea60927530c4700ff21f00179002b27903dd4103bbc5c645":96:"52e10495105799ead991547b":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d164ffde5dd684becaf73e9667e3e6acb316682c41aea247899e104a54dd7a7f":"":"1d388e19e9d7a9750e2fc1187d4b075a":"f166a5b6f91261cda56f1a537f42ffb8aed10af5e0248f8910034b92dbc58d25953f1497f571d31fbf5ec30d92234b440161703851f0e43530418147ce6270fbcb5db33ab819ba8973051908704b6bea8aaca0718947e6aa82498a6e26a813981783ed9bf9d02eb1ea60927530c4700ff21f00179002b27903dd4103bbc5c645":96:"52e10495105799ead991547b":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2854188c28b15af4b8e528ab25c0950fc1384976f242716c91bddeec06f2fdea":"":"075af9c31f5252b8920092cbd999e7a0":"e9452f71093843a025bb5f655eb6a4e8316ab5946484b11818f22b62f4df75d5891fa3397537093a261dc9a7648b7477ea1f5fc761716e302763364bcab7992595edd0fc1c7f7ac719c879e6616e2007948eb8530065a6cccf73d0fe4a0598819b471b0856e6d90ea0fc0e5d36a30ee925b6b8e5dbf40e77f01efe782c0bb4f7":64:"6ff8fd87e5a31eb6":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2854188c28b15af4b8e528ab25c0950fc1384976f242716c91bddeec06f2fdea":"":"075af9c31f5252b8920092cbd999e7a0":"e9452f71093843a025bb5f655eb6a4e8316ab5946484b11818f22b62f4df75d5891fa3397537093a261dc9a7648b7477ea1f5fc761716e302763364bcab7992595edd0fc1c7f7ac719c879e6616e2007948eb8530065a6cccf73d0fe4a0598819b471b0856e6d90ea0fc0e5d36a30ee925b6b8e5dbf40e77f01efe782c0bb4f7":64:"6ff8fd87e5a31eb6":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2bfc445ac0365ae6c3c3815fd18bbd0c60ea224f6620d9b6ac442a500221f104":"":"43c5f3367a9955aaee1a0c4d4a330059":"db0bae8ce7c66a8ba2fedec22f236212e9a7ad72b371de285c7dc6d2f6c22df0ce4920e0f03f91eb1653c4490050b9f18a2a047115796f0adc41707d1ffcbf148aed5c82013f557e6c28f49434fc4eb20112f43566f212c48cec9894ac40772fcd9b611ee9444df7b73e35b8a38428ccb064c9c50491d2535e0b539f424db83e":64:"49aaa806cb2eeadd":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2bfc445ac0365ae6c3c3815fd18bbd0c60ea224f6620d9b6ac442a500221f104":"":"43c5f3367a9955aaee1a0c4d4a330059":"db0bae8ce7c66a8ba2fedec22f236212e9a7ad72b371de285c7dc6d2f6c22df0ce4920e0f03f91eb1653c4490050b9f18a2a047115796f0adc41707d1ffcbf148aed5c82013f557e6c28f49434fc4eb20112f43566f212c48cec9894ac40772fcd9b611ee9444df7b73e35b8a38428ccb064c9c50491d2535e0b539f424db83e":64:"49aaa806cb2eeadd":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7b828f99aaf751bf22d993ed682e488595617a607ed74aaacbb6b60457453080":"":"d48dac1d8d77e245420feb2598812418":"f50f785f4e7c848a55a616ecf4b6b1e1ca85e16de7100c7e4273d411bd95c1380ee157ba501ba9616980195f34e39f43e335f33253342feb8ed64443483c721b85241a0320b3cac83104de2db47188c61a373fba592ea16feeefdee1f2bb43927396f58151418672ebb74afff5c029503a0d0be81430e81ed443e08b74c03183":64:"a5b71ecf845b25d0":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7b828f99aaf751bf22d993ed682e488595617a607ed74aaacbb6b60457453080":"":"d48dac1d8d77e245420feb2598812418":"f50f785f4e7c848a55a616ecf4b6b1e1ca85e16de7100c7e4273d411bd95c1380ee157ba501ba9616980195f34e39f43e335f33253342feb8ed64443483c721b85241a0320b3cac83104de2db47188c61a373fba592ea16feeefdee1f2bb43927396f58151418672ebb74afff5c029503a0d0be81430e81ed443e08b74c03183":64:"a5b71ecf845b25d0":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7b6da11d69fca3e4c907628d3eb63d95c7e502fc901372fd097e064e70831432":"":"6fe2148f250ea178d4c8ca8423ead87d":"a8097bb74ded776f578eb7588f5ef8915db9bfa7262af700c8e76ee114e07557b6786dd5a60a66b2703e7c9de5d6b42aca92568aec5d1ecc298dbd0edb150b8cc13c9a78698f7674caa94da6cacd1f3ef4ca4238c59830ea725ab3a6284e28966c8c32d9bccfb0cfd6583a5ca309debe86549a6f317d15c5f928cbc7f473310c":32:"e9cdbc52":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7b6da11d69fca3e4c907628d3eb63d95c7e502fc901372fd097e064e70831432":"":"6fe2148f250ea178d4c8ca8423ead87d":"a8097bb74ded776f578eb7588f5ef8915db9bfa7262af700c8e76ee114e07557b6786dd5a60a66b2703e7c9de5d6b42aca92568aec5d1ecc298dbd0edb150b8cc13c9a78698f7674caa94da6cacd1f3ef4ca4238c59830ea725ab3a6284e28966c8c32d9bccfb0cfd6583a5ca309debe86549a6f317d15c5f928cbc7f473310c":32:"e9cdbc52":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c5ae9328be49e761064080fc213e53e373fd86359a09d0355e2d438d9b8e68f1":"":"a7e3f8660ff925d5c88c5aceffbd7026":"2ddddba7a56cc808aec4602f09ae9bd78887827bf0315d8dbe16821606ef9d117746dd138bf1f23565d1ab8f4cee36d53fe3730632c5df9f12109b16edbeae285bb49dfdd155f5dc97b319a85362d53cc86817b7c1c31e5e87c9f37422f133d00dd0776bd92ab05ce6860573cd911645cfe3fbe515e85f744899a447fe443653":32:"e35dbac8":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c5ae9328be49e761064080fc213e53e373fd86359a09d0355e2d438d9b8e68f1":"":"a7e3f8660ff925d5c88c5aceffbd7026":"2ddddba7a56cc808aec4602f09ae9bd78887827bf0315d8dbe16821606ef9d117746dd138bf1f23565d1ab8f4cee36d53fe3730632c5df9f12109b16edbeae285bb49dfdd155f5dc97b319a85362d53cc86817b7c1c31e5e87c9f37422f133d00dd0776bd92ab05ce6860573cd911645cfe3fbe515e85f744899a447fe443653":32:"e35dbac8":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e4f8ca13ba86c658cc7f42d4f029422209efbd101bc10a1df81a42cfb3a0f79f":"":"1a362fa0e4054ba11e4b06d59c8bc9cf":"e7ad5c75aa13659f8ce4b1650c46382645ec67418199b84ea445b8ceef619ef3fbde59ed3d313c459e36fcf87d26ef2b453409b32f1086934c3072c1ef0aac83762d28b1193b9afff2c083ce4300b768b0ae23ff9d3dcf65bc1693f1350da65180620aab205aceacfc683c8be53a332e2d0337a7518d2a5204f9c8d7325a4799":32:"e7a37f15":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e4f8ca13ba86c658cc7f42d4f029422209efbd101bc10a1df81a42cfb3a0f79f":"":"1a362fa0e4054ba11e4b06d59c8bc9cf":"e7ad5c75aa13659f8ce4b1650c46382645ec67418199b84ea445b8ceef619ef3fbde59ed3d313c459e36fcf87d26ef2b453409b32f1086934c3072c1ef0aac83762d28b1193b9afff2c083ce4300b768b0ae23ff9d3dcf65bc1693f1350da65180620aab205aceacfc683c8be53a332e2d0337a7518d2a5204f9c8d7325a4799":32:"e7a37f15":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"00050a21ca1e72cd0924be31b943c60854be6744577de3dd9d1f4fada4a19ea6":"693ffd3d92294857a99c702a0799eeca28ab066dd90917b9ea5ef8f6547f1d90b106cbec8ef2c22af9f8efa6c652f2f97c2baf33af14fe9def230d49524bd65909c3df1490f637f99e788dcc042b40e00bd524c91e2427ef991bf77e7b2f770cda6e90076c5dac4cac7ee3958b53ff8ce846c3a96281f53c2c52f5f3e523536f":"2fc1afc1395d8409919248709f468496":"":128:"e39b6a7fd5ac67a2a1cc24d5eb9d9c74":"cfcd6b9ff7641829cbadeaa2e56f1f150a099eccf3e378fa4da59794dcc4490aa4f9c5db0ab245bec36a7d4557a572008e42f03bc1baff3c946f23f54a4dc9828f106cf4264e4ab40165839d1085e7795b1ae0950f0ee4a08e46ada501b6b51dee0e518129c9426e5bd44c66674a9f99cfe676f002cfd344c5bbd22d3d91e600":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"00050a21ca1e72cd0924be31b943c60854be6744577de3dd9d1f4fada4a19ea6":"693ffd3d92294857a99c702a0799eeca28ab066dd90917b9ea5ef8f6547f1d90b106cbec8ef2c22af9f8efa6c652f2f97c2baf33af14fe9def230d49524bd65909c3df1490f637f99e788dcc042b40e00bd524c91e2427ef991bf77e7b2f770cda6e90076c5dac4cac7ee3958b53ff8ce846c3a96281f53c2c52f5f3e523536f":"2fc1afc1395d8409919248709f468496":"":128:"e39b6a7fd5ac67a2a1cc24d5eb9d9c74":"":"cfcd6b9ff7641829cbadeaa2e56f1f150a099eccf3e378fa4da59794dcc4490aa4f9c5db0ab245bec36a7d4557a572008e42f03bc1baff3c946f23f54a4dc9828f106cf4264e4ab40165839d1085e7795b1ae0950f0ee4a08e46ada501b6b51dee0e518129c9426e5bd44c66674a9f99cfe676f002cfd344c5bbd22d3d91e600":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f10965a66255f0c3515af497ccbb257a09f22ec2d57c5edae322a3e6d2d188ef":"91598690edf2de8b27f9bc7461a84e80811cee544f0542923898328cf157590251f0342cb81d359b5dccc5391a12320d1444c26f24178977dd6705c2b365dc1ece0152c42e2f0ee3162cf886ef5529f4f16a77f3bdd2aeccd405b59addf098521d0d38cc25f1991e11be7ecf24caedb48a2a286d2e560a38fa9001c5a228c4d1":"c571ce0e911de5d883dc4a0787483235":"":128:"6d9d3a5dbc8dce385f092fff14bfffda":"2867996e389e09ec0da94d42e77b1e436b50065b09ca4adf1cd03240444ee699dbb7b3fc081a1869ca607d77d5ff9754fc3c997ff0a4ee17543a2ba77886b88a7128bcc51d3450df58ff3a26671b02c1d213df6adb6f7e853080eb46b504517cbaea162710a9bbc2da8b552eb6b0e0cb98e44fcab0a157312be67974678d143e":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f10965a66255f0c3515af497ccbb257a09f22ec2d57c5edae322a3e6d2d188ef":"91598690edf2de8b27f9bc7461a84e80811cee544f0542923898328cf157590251f0342cb81d359b5dccc5391a12320d1444c26f24178977dd6705c2b365dc1ece0152c42e2f0ee3162cf886ef5529f4f16a77f3bdd2aeccd405b59addf098521d0d38cc25f1991e11be7ecf24caedb48a2a286d2e560a38fa9001c5a228c4d1":"c571ce0e911de5d883dc4a0787483235":"":128:"6d9d3a5dbc8dce385f092fff14bfffda":"":"2867996e389e09ec0da94d42e77b1e436b50065b09ca4adf1cd03240444ee699dbb7b3fc081a1869ca607d77d5ff9754fc3c997ff0a4ee17543a2ba77886b88a7128bcc51d3450df58ff3a26671b02c1d213df6adb6f7e853080eb46b504517cbaea162710a9bbc2da8b552eb6b0e0cb98e44fcab0a157312be67974678d143e":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4437ee7d16d8c3ca1aa01e20b66749efa901614d4bb4bee786ad5a5f1bfde2e6":"ff80727a3485cdbc7fab4ee9fadfdc621c538e2055706629046078f1aa3fb687fc728d3a7ffa52ae457b7b5649613eab7bafa464bb435314c49e5900750f7ad39ca9b75df6b2eaa755439e101f67b7ae4cd80dc4a9dea0027048253f2d0a6014056ca69b8c85605b00cf75fa7634a0ddf464270a8c79ce1a1324c4a4c513b24b":"275393276745bc43bae4af1e5d43a31e":"":128:"a82ff1e87d26e4d6e417b60fb2d3ce23":"88f994d276ed20be3932d16f551c4b7e2ed80411f2e72ce098fa0b70c22157a59edab30649fec447dd63f0c87dceca7238ef0d9561b58489ba7bd86f2892743099f40af63c432f78ac0ad0b5c2be47b9e3045e7237b096ee400f430af63a6f309de785caf190f3f4aabbe79f727a741590de542bd343df68d13db55a5f8bab41":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4437ee7d16d8c3ca1aa01e20b66749efa901614d4bb4bee786ad5a5f1bfde2e6":"ff80727a3485cdbc7fab4ee9fadfdc621c538e2055706629046078f1aa3fb687fc728d3a7ffa52ae457b7b5649613eab7bafa464bb435314c49e5900750f7ad39ca9b75df6b2eaa755439e101f67b7ae4cd80dc4a9dea0027048253f2d0a6014056ca69b8c85605b00cf75fa7634a0ddf464270a8c79ce1a1324c4a4c513b24b":"275393276745bc43bae4af1e5d43a31e":"":128:"a82ff1e87d26e4d6e417b60fb2d3ce23":"":"88f994d276ed20be3932d16f551c4b7e2ed80411f2e72ce098fa0b70c22157a59edab30649fec447dd63f0c87dceca7238ef0d9561b58489ba7bd86f2892743099f40af63c432f78ac0ad0b5c2be47b9e3045e7237b096ee400f430af63a6f309de785caf190f3f4aabbe79f727a741590de542bd343df68d13db55a5f8bab41":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe4ec037ce563dadee435cfcb2bf090f1f7ccc7d1b5b4fab2f1b738348f8ed2f":"64eb8a4bda9804c09b04cfcd89094928c21480908b81ee19d6c29c2a3631b1a5bdc8e7f8ea56f7b8b8e14a5208296026785cac3a6afa54be8af4d5faedcd12b6621bde0f8ec5a2635fe72a89468ca7704c73aa40cd2ba97aef08886b27a694d339b00e7d12a31308672f87c06a7388a1432f869eb4cc1da864140b1b33931925":"47f5264f7a5b65b671892a05fa556f63":"":120:"660462b4088f6628a630f2e4170b21":"4a310e035361f98b8c54fb4cef70b1a9c910552ece056ca8fdab54c52308ec0ad7fe9dd1dae92badab5010577de522088768fa6466fbccce22e14c51ca7986c4063d0f06bf578dab16a91856713198a7138395c49c78b6314b57ab72fd079028c8dc351952d90b04a7cd2b245df0c0522447cdb7d3329fd9425fe5cb40a8e7c9":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe4ec037ce563dadee435cfcb2bf090f1f7ccc7d1b5b4fab2f1b738348f8ed2f":"64eb8a4bda9804c09b04cfcd89094928c21480908b81ee19d6c29c2a3631b1a5bdc8e7f8ea56f7b8b8e14a5208296026785cac3a6afa54be8af4d5faedcd12b6621bde0f8ec5a2635fe72a89468ca7704c73aa40cd2ba97aef08886b27a694d339b00e7d12a31308672f87c06a7388a1432f869eb4cc1da864140b1b33931925":"47f5264f7a5b65b671892a05fa556f63":"":120:"660462b4088f6628a630f2e4170b21":"":"4a310e035361f98b8c54fb4cef70b1a9c910552ece056ca8fdab54c52308ec0ad7fe9dd1dae92badab5010577de522088768fa6466fbccce22e14c51ca7986c4063d0f06bf578dab16a91856713198a7138395c49c78b6314b57ab72fd079028c8dc351952d90b04a7cd2b245df0c0522447cdb7d3329fd9425fe5cb40a8e7c9":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e6e1ada628ca76eb9832cc6b5efc5c9d2686bb587366a6de2d734233fa95279e":"a0ac738e0fb35246b84a6fbe319f827039515df25d0c0fc6de7c048253ae63d3c561e44a12672ffeae1cb925610b482aa422bbee0e1784fc69baac3a97d69f51e6d2a17957b44b318624ea7ec680a559f4d3f2761d09bee66efb3a312ae6b3ecb673e756b2a0f654671e82500e7ace91f2be2a74bc3bc1ec1a4b6877a53c27c8":"5a100b451e3a63a3e6d4b8a9e59c6bce":"":120:"88df9a1ea54e5bd2ef24da6880b79d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e6e1ada628ca76eb9832cc6b5efc5c9d2686bb587366a6de2d734233fa95279e":"a0ac738e0fb35246b84a6fbe319f827039515df25d0c0fc6de7c048253ae63d3c561e44a12672ffeae1cb925610b482aa422bbee0e1784fc69baac3a97d69f51e6d2a17957b44b318624ea7ec680a559f4d3f2761d09bee66efb3a312ae6b3ecb673e756b2a0f654671e82500e7ace91f2be2a74bc3bc1ec1a4b6877a53c27c8":"5a100b451e3a63a3e6d4b8a9e59c6bce":"":120:"88df9a1ea54e5bd2ef24da6880b79d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cd5c1e90d78213155c51767c52c290b3d657db8414ee0a7604a2ec7b48105667":"8e987693da0fb77b6d1282eebd3a03e05d9955ff81929b1a2c721574862a067ddee392c7ece52ca1451f3e6e321d7208882d97b4149af6d78d65c054e1bfcdfa62bd2202de32dea8363f8d7f041891ce281840f3cd906ab46ca748e5b3b11890b4014bf0271c9427c874097782d1c13dbb40e78fc8276fc134f3c29923a43a01":"4e022d8d86efbd347e8cbab7e979771f":"":120:"e7df79af0aef011299c3b882e3a45b":"3b20473d9b5018d089e7f74d3fef22ec2805948a9e07689831973c704a6d8db4d090af88d696ab8c3aae9740a2bbd7f03e0b18b2b591e59c335c1043a2578a89b1a9f20fd0dd53f12e00e9bfdb27de8caac772bbfc4de9e4a255a5d1b04e59625a87b8279babe613def58d890d5502abf2f709aab625dcc20c58772832c7bbab":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cd5c1e90d78213155c51767c52c290b3d657db8414ee0a7604a2ec7b48105667":"8e987693da0fb77b6d1282eebd3a03e05d9955ff81929b1a2c721574862a067ddee392c7ece52ca1451f3e6e321d7208882d97b4149af6d78d65c054e1bfcdfa62bd2202de32dea8363f8d7f041891ce281840f3cd906ab46ca748e5b3b11890b4014bf0271c9427c874097782d1c13dbb40e78fc8276fc134f3c29923a43a01":"4e022d8d86efbd347e8cbab7e979771f":"":120:"e7df79af0aef011299c3b882e3a45b":"":"3b20473d9b5018d089e7f74d3fef22ec2805948a9e07689831973c704a6d8db4d090af88d696ab8c3aae9740a2bbd7f03e0b18b2b591e59c335c1043a2578a89b1a9f20fd0dd53f12e00e9bfdb27de8caac772bbfc4de9e4a255a5d1b04e59625a87b8279babe613def58d890d5502abf2f709aab625dcc20c58772832c7bbab":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6e3dfc07003bb6a2d82bd5263b2832f47db4e73279266c7a9ea21f4f18eddf83":"a960da222af9d4da5797e6957d59b00f6d3893599c70e95c0984b56eb3329b191703c2532f3288b15ebf655b9b5ee4617484e5ac9c39bb06731d03ebe4fef9495d003b0ed694cf540b4dc759d32629e55512680badd81234bd71ffd55fcb5e6a85031c1dc31ee1ed198939582d8336c905717cc87101dcfcf9d833fac815c8ea":"7c0f49fb54f5e68c84e81add009284e6":"":112:"b2ec0f3da02a9eb3132fb4ebe3b8":"a40b6f70f0572fe0bc70d83368e7c154f7dbd501f52501630a2e523d18e216e07368521f6040d806299397722b99bcf7f85d36b8bed934b49aa1fa76d38783e6a2e392d6d0786d467f7bc894a739ecf94f0fe884a9c391154f8326bf31ea5242a18aa263d04da4b63b11de23b42d3e10a2d5460cb32700cdf50a0d89165ba22a":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6e3dfc07003bb6a2d82bd5263b2832f47db4e73279266c7a9ea21f4f18eddf83":"a960da222af9d4da5797e6957d59b00f6d3893599c70e95c0984b56eb3329b191703c2532f3288b15ebf655b9b5ee4617484e5ac9c39bb06731d03ebe4fef9495d003b0ed694cf540b4dc759d32629e55512680badd81234bd71ffd55fcb5e6a85031c1dc31ee1ed198939582d8336c905717cc87101dcfcf9d833fac815c8ea":"7c0f49fb54f5e68c84e81add009284e6":"":112:"b2ec0f3da02a9eb3132fb4ebe3b8":"":"a40b6f70f0572fe0bc70d83368e7c154f7dbd501f52501630a2e523d18e216e07368521f6040d806299397722b99bcf7f85d36b8bed934b49aa1fa76d38783e6a2e392d6d0786d467f7bc894a739ecf94f0fe884a9c391154f8326bf31ea5242a18aa263d04da4b63b11de23b42d3e10a2d5460cb32700cdf50a0d89165ba22a":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4103b1ddff87a508a219c808a04ad4750668688f4c2ee75b92d28d70b98a2c94":"a00a196193ff07006b7df524824bd0971d63f447a3a7bb1b75c1e2d11789482c115cff677b54948d36dc4de34200bce97be0101d88cee39b177857dd5da3cb0d2f9d6e1150f72a3bd655e0bace1d25a657ba9a7f8dff082b4460432075afb20173da22b49beeb6a030d72ba07869ff4389fc1c28d87018d7c1a9829c21932197":"5cea906737518c2cb901016e30206276":"":112:"3a3a771dd5f31c977e154ef5c73a":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4103b1ddff87a508a219c808a04ad4750668688f4c2ee75b92d28d70b98a2c94":"a00a196193ff07006b7df524824bd0971d63f447a3a7bb1b75c1e2d11789482c115cff677b54948d36dc4de34200bce97be0101d88cee39b177857dd5da3cb0d2f9d6e1150f72a3bd655e0bace1d25a657ba9a7f8dff082b4460432075afb20173da22b49beeb6a030d72ba07869ff4389fc1c28d87018d7c1a9829c21932197":"5cea906737518c2cb901016e30206276":"":112:"3a3a771dd5f31c977e154ef5c73a":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cd8c2f0c330d5db316dae7a16b57d681ca058864f7bd60f3d0de174442283f77":"e2a5ad295d35031535bf13c2993bd0b292e8a9465b9dab738e59ba03670248a1ecc92b38a55bae34729162271cc1572c35fcccb27417b48dfcbff852a7a8845cc829a4461061b558ac8b5930a5c6491ffba04a9d0dff220b3cd5e4fc2e0f3db3b2ddd90328f2cad819573a7856299620b02f5ee0267f3b56981afbf1b7d9e3e1":"387ee8c1e7f047e94d06d0322eec02fc":"":112:"62356850d12b54e39872357cfa03":"17b7f6bdfc1993c56dd9bd674cc276a55a46fdd9fd5fe435b9e4b7ebc7052a9dc76a99e4e43aba7d486603189c90d10a21ad3722c86bf5bc856a0f930ff5bca65be708b76bb8a29105da67f31eebcec81f28aaf526d2f8f0feac393a24959dcd612e2b93b4463f61957d2b3046bcdf855e346601e4c7760c0ca618ee7bf55381":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cd8c2f0c330d5db316dae7a16b57d681ca058864f7bd60f3d0de174442283f77":"e2a5ad295d35031535bf13c2993bd0b292e8a9465b9dab738e59ba03670248a1ecc92b38a55bae34729162271cc1572c35fcccb27417b48dfcbff852a7a8845cc829a4461061b558ac8b5930a5c6491ffba04a9d0dff220b3cd5e4fc2e0f3db3b2ddd90328f2cad819573a7856299620b02f5ee0267f3b56981afbf1b7d9e3e1":"387ee8c1e7f047e94d06d0322eec02fc":"":112:"62356850d12b54e39872357cfa03":"":"17b7f6bdfc1993c56dd9bd674cc276a55a46fdd9fd5fe435b9e4b7ebc7052a9dc76a99e4e43aba7d486603189c90d10a21ad3722c86bf5bc856a0f930ff5bca65be708b76bb8a29105da67f31eebcec81f28aaf526d2f8f0feac393a24959dcd612e2b93b4463f61957d2b3046bcdf855e346601e4c7760c0ca618ee7bf55381":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7e19e400872eed721d560202cd757d3eb99729496b6e3a6d38dd8afe1066045a":"3fb9abc7aba654dfb174e8899c17db222ffbb387b7260fc6f015b54f1cd74284c516e21aae3b72338e5e8dc643cfafca0678f5bda3a7539f1612dddb04366031b5a3eda55f3232c1b176cc9be7cc07e0ebca674a272224929c401a2530efc6d4eed0087b544b12d172a01bc8340d9c2a2ebcb5af8b07d96073a879fda140c196":"d2b277f78e98f1fa16f977ce72ee22a7":"":104:"4c81c044101f458fdfac9ca3b9":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7e19e400872eed721d560202cd757d3eb99729496b6e3a6d38dd8afe1066045a":"3fb9abc7aba654dfb174e8899c17db222ffbb387b7260fc6f015b54f1cd74284c516e21aae3b72338e5e8dc643cfafca0678f5bda3a7539f1612dddb04366031b5a3eda55f3232c1b176cc9be7cc07e0ebca674a272224929c401a2530efc6d4eed0087b544b12d172a01bc8340d9c2a2ebcb5af8b07d96073a879fda140c196":"d2b277f78e98f1fa16f977ce72ee22a7":"":104:"4c81c044101f458fdfac9ca3b9":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d0653934a16fd36c27d54488a1829302b931bed6e26ca26047242b85b50bfb61":"c02347e1add9178d830d8baaad9aeee37e958bedf2cc846e2561fe8c83481d0a8a85911e7f1f6e444b28f30bd96c13c390e80f616feb6844ee6fa486543a2e3f38c138f45b4405e3fb331b64648219aaf1d574be948ccfca6afc18d12488db19c35b05601e47c0af5d49a93a5dd4420f38585c1eb033e173376fa390d3f948df":"94886a1845aebba5ed6b86f580be47f9":"":104:"4be34ff42085ef4443c8b6042d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d0653934a16fd36c27d54488a1829302b931bed6e26ca26047242b85b50bfb61":"c02347e1add9178d830d8baaad9aeee37e958bedf2cc846e2561fe8c83481d0a8a85911e7f1f6e444b28f30bd96c13c390e80f616feb6844ee6fa486543a2e3f38c138f45b4405e3fb331b64648219aaf1d574be948ccfca6afc18d12488db19c35b05601e47c0af5d49a93a5dd4420f38585c1eb033e173376fa390d3f948df":"94886a1845aebba5ed6b86f580be47f9":"":104:"4be34ff42085ef4443c8b6042d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d0f0ccb88c7cec9496f26a59ddc67dc59ebe49ae3dd89ef3be008598727e214c":"7845e155f4f28021291e7c814a1ace8f42b239990831aa82758fc1e376cace0b6f668f7f2f224dede1ef5b1df7ae74b2c01483701044acbbb72a9216eec6b7ef0190f114b3c73c6985c4653f11601c774d10b7f9df1f1e1f3ff4fafa20d6525edb37d9e5acfafe6d3468ee068d407fdb56dc718c98425926831253978d727854":"e5ca84b907ac761a5e68a9080da0a88a":"":104:"c8f78e4139dd3eaf2baef8aafb":"0cc3ede50b0d3fb9ada11300a3239a383c98f968ad65266d57a195bb18d3e568fe6cabba258da4bee9e923c7c838e06dc887a6c49cc1453ea6a227c6a83e651a8742e0316cad5efc93739393e3603446b5c920a206db1434adbb8ebde4d1a7a8699c7f6c61b2d57c9709b564338423b4f526d6c157647a6c45da9dd521061f05":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d0f0ccb88c7cec9496f26a59ddc67dc59ebe49ae3dd89ef3be008598727e214c":"7845e155f4f28021291e7c814a1ace8f42b239990831aa82758fc1e376cace0b6f668f7f2f224dede1ef5b1df7ae74b2c01483701044acbbb72a9216eec6b7ef0190f114b3c73c6985c4653f11601c774d10b7f9df1f1e1f3ff4fafa20d6525edb37d9e5acfafe6d3468ee068d407fdb56dc718c98425926831253978d727854":"e5ca84b907ac761a5e68a9080da0a88a":"":104:"c8f78e4139dd3eaf2baef8aafb":"":"0cc3ede50b0d3fb9ada11300a3239a383c98f968ad65266d57a195bb18d3e568fe6cabba258da4bee9e923c7c838e06dc887a6c49cc1453ea6a227c6a83e651a8742e0316cad5efc93739393e3603446b5c920a206db1434adbb8ebde4d1a7a8699c7f6c61b2d57c9709b564338423b4f526d6c157647a6c45da9dd521061f05":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e35dcea17cbf391491ae5ba6056d0dd13b348183474dd4b614742751bdebfc32":"5213542beb044910d7fdeec8bb89de93f350760e493286eaef1140485380d429f74a4279c1842a5c64f3ca3381cb5dbb0621de48821bded650cb59703e0ca88f4e9c3d15875f9dc87d85ba7e4bae9986ef8c203fce6f0ce52c28e3a93befb4cc4ba3d963d2283cd30f9bf6ab99d92f2f4f3aff0b022f1751b89d43ea10bbb28a":"fa549b33b5a43d85f012929a4816297a":"":96:"afa61e843cee615c97de42a7":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e35dcea17cbf391491ae5ba6056d0dd13b348183474dd4b614742751bdebfc32":"5213542beb044910d7fdeec8bb89de93f350760e493286eaef1140485380d429f74a4279c1842a5c64f3ca3381cb5dbb0621de48821bded650cb59703e0ca88f4e9c3d15875f9dc87d85ba7e4bae9986ef8c203fce6f0ce52c28e3a93befb4cc4ba3d963d2283cd30f9bf6ab99d92f2f4f3aff0b022f1751b89d43ea10bbb28a":"fa549b33b5a43d85f012929a4816297a":"":96:"afa61e843cee615c97de42a7":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"844c50ddc0ac1d9364b21003287d6ae6360d12bbb17a85351362420ee4ca588e":"3a3bf4ccaf05f7c02f5e158dd2c5cb08c6aed4b1ba404a6d8ef9a0737fe2f350b3e22188fc330ea63e35df82f996e3cf94d331c4246cdb25bb2c409762e05ddc21f337edee51b64f1766ad18f520b3f34735b24278d9d647c533a743e0c1e9c81e9dee975cdc47e8582113fd250ef59353605b64acb7c025a97854c1a5c03237":"2f8512bb7e214db774a217a4615139e1":"":96:"f1da1cebe00d80eb4e025feb":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"844c50ddc0ac1d9364b21003287d6ae6360d12bbb17a85351362420ee4ca588e":"3a3bf4ccaf05f7c02f5e158dd2c5cb08c6aed4b1ba404a6d8ef9a0737fe2f350b3e22188fc330ea63e35df82f996e3cf94d331c4246cdb25bb2c409762e05ddc21f337edee51b64f1766ad18f520b3f34735b24278d9d647c533a743e0c1e9c81e9dee975cdc47e8582113fd250ef59353605b64acb7c025a97854c1a5c03237":"2f8512bb7e214db774a217a4615139e1":"":96:"f1da1cebe00d80eb4e025feb":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2aae1aa047a20ed2d6d8336d923864cee9404f924031ae327fbfe2d293e1d93c":"8e5b6b9e4e7d01de9a919dd33c0c1eb94dcfebf28847c754c62c1c00642d9e96f15b5d28ad103ff6969be750aadfd02fc146935562c83ec459a932a2fd5fda32eb851e6cff33335abd5c2434ae4f5524d6bc74a38094ced360f4606a1a17096ff06604952c8ca94a9a6dc4a251e13b0e0c54bd8a6dff5f397a1eb1cf186fa518":"3da9af3567d70553ca3a9636f0b26470":"":96:"e1026b3d15d261b2fb47632e":"58c52ea9f3b162511160eed1a68b6f52b3c4f5834af728de97a3d9e4ba337b29aad12636003cf5be9ffbeae0f383f7cf32f645a8f6fc5cdc1cde91c625c69a92bc434ed671e52a0044a48f3fce55cae49a7d065c2a72603a7efe58b5a7b18ac500d1a51420e820357e7a439b1c02198ebe3d4e62d5573a3aa5f40900a21e3b41":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2aae1aa047a20ed2d6d8336d923864cee9404f924031ae327fbfe2d293e1d93c":"8e5b6b9e4e7d01de9a919dd33c0c1eb94dcfebf28847c754c62c1c00642d9e96f15b5d28ad103ff6969be750aadfd02fc146935562c83ec459a932a2fd5fda32eb851e6cff33335abd5c2434ae4f5524d6bc74a38094ced360f4606a1a17096ff06604952c8ca94a9a6dc4a251e13b0e0c54bd8a6dff5f397a1eb1cf186fa518":"3da9af3567d70553ca3a9636f0b26470":"":96:"e1026b3d15d261b2fb47632e":"":"58c52ea9f3b162511160eed1a68b6f52b3c4f5834af728de97a3d9e4ba337b29aad12636003cf5be9ffbeae0f383f7cf32f645a8f6fc5cdc1cde91c625c69a92bc434ed671e52a0044a48f3fce55cae49a7d065c2a72603a7efe58b5a7b18ac500d1a51420e820357e7a439b1c02198ebe3d4e62d5573a3aa5f40900a21e3b41":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f3d69208cb0d27474e9a231cd46eac7c1574fff950c48bbd1ba03fad16f563df":"0d1f06eef5e8f2c81d1a73bb1dca93c22cfb6e40e9948bc75b0d84830fb9216330424f580b89050c3fb3f620eca8f9fd09fb86d2e8b3a0869c6022d8a705fc280d66fd16d3aba7395d6be4bed44145d51d42d56285f3675726d62d94c081364a6d440511de83a613c598b03078e2ec7648c6302defbbea66aafd33e1a4b1686c":"b957f05921d21f2192f587768dc12b4f":"":64:"322374fbb192abbc":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f3d69208cb0d27474e9a231cd46eac7c1574fff950c48bbd1ba03fad16f563df":"0d1f06eef5e8f2c81d1a73bb1dca93c22cfb6e40e9948bc75b0d84830fb9216330424f580b89050c3fb3f620eca8f9fd09fb86d2e8b3a0869c6022d8a705fc280d66fd16d3aba7395d6be4bed44145d51d42d56285f3675726d62d94c081364a6d440511de83a613c598b03078e2ec7648c6302defbbea66aafd33e1a4b1686c":"b957f05921d21f2192f587768dc12b4f":"":64:"322374fbb192abbc":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cb2cdeb17fa6bcb006c7fc60858a12a411804464458db351957e8caf42f1ee6c":"296504131354b2c1928982f12d408ba2377f2d4bbe87e4c69f92a15bf6003910a43bda6c8929df66b3ab1d202a5258cad199f32f36cc30d2dc06199c2a52f7ccadad1fce50123c5f8434dec57cc60cc780263d7aace8f59cc8a6c54bddbaded3adb12ae2ee0bacf6a8da635ff85b51a4e8a1b3dc404863b90059de4ad0f158dd":"31bd7c971a6d330b566567ab19590545":"":64:"efc5a1acf433aaa3":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cb2cdeb17fa6bcb006c7fc60858a12a411804464458db351957e8caf42f1ee6c":"296504131354b2c1928982f12d408ba2377f2d4bbe87e4c69f92a15bf6003910a43bda6c8929df66b3ab1d202a5258cad199f32f36cc30d2dc06199c2a52f7ccadad1fce50123c5f8434dec57cc60cc780263d7aace8f59cc8a6c54bddbaded3adb12ae2ee0bacf6a8da635ff85b51a4e8a1b3dc404863b90059de4ad0f158dd":"31bd7c971a6d330b566567ab19590545":"":64:"efc5a1acf433aaa3":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f94170790fadab3240df568197f9d6f6855afaed8d07eceeaa2380121872529f":"ed231b78db082f652bc6310c396993b52de804a82464fa3fac602a1286535f59c67fc2b1b420c7321eb42b971edde24cd4cb9e75c843f2ac6fb8ecdad612d2e5049cf39327aa7a8d43ec821161c385f3fdc92284a764a5d1cbae886f07f93017f83a105bb7c3cc4fc51e2781516a2471b65c940ddae6b550ad37b35f53d7cc64":"2f9c0647a4af7f61ced45f28d45c43f1":"":64:"ab74877a0b223e1c":"1cb5ed0c10cee98ff8ecfa5a1b6592391bbd9f9b1dc1ff351e0af23920d546b5e27d62b94daabd32f7f96a2632dc9fd7c19bf55f3b9b7cd492e76f4d6b0f5b437c155c14a75e65bfc4120bef186da05e06a2fd3696f210292ee422ddbce6e63d99ee766b68363139438733c5e567177f72e52ef2df6a7dd33fc0376d12ec3005":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f94170790fadab3240df568197f9d6f6855afaed8d07eceeaa2380121872529f":"ed231b78db082f652bc6310c396993b52de804a82464fa3fac602a1286535f59c67fc2b1b420c7321eb42b971edde24cd4cb9e75c843f2ac6fb8ecdad612d2e5049cf39327aa7a8d43ec821161c385f3fdc92284a764a5d1cbae886f07f93017f83a105bb7c3cc4fc51e2781516a2471b65c940ddae6b550ad37b35f53d7cc64":"2f9c0647a4af7f61ced45f28d45c43f1":"":64:"ab74877a0b223e1c":"":"1cb5ed0c10cee98ff8ecfa5a1b6592391bbd9f9b1dc1ff351e0af23920d546b5e27d62b94daabd32f7f96a2632dc9fd7c19bf55f3b9b7cd492e76f4d6b0f5b437c155c14a75e65bfc4120bef186da05e06a2fd3696f210292ee422ddbce6e63d99ee766b68363139438733c5e567177f72e52ef2df6a7dd33fc0376d12ec3005":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"797c0091ff8787fe7cd0427c02922620e7f6fb71c52ddcc03a9f25c89ba33490":"2d3efc8900315c3691a8e3c9de3319d4deaf538fcf41aa0e295b861d0ac85baf56d149a6437747dd6976f44016e012b88de542fb8e5b9e4ad10c19deec4b7c0b69bc1b2e33d44a981ded66127dea354b072010b8dc24b85ed2ffeea3b9c0e931619dbbf22677691f0d54fc03eaa162e0ab0d760ad41021f67057c0d6ac19ca8f":"69d81c73008a6827a692fa636fbab8bb":"":32:"be2dda5c":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"797c0091ff8787fe7cd0427c02922620e7f6fb71c52ddcc03a9f25c89ba33490":"2d3efc8900315c3691a8e3c9de3319d4deaf538fcf41aa0e295b861d0ac85baf56d149a6437747dd6976f44016e012b88de542fb8e5b9e4ad10c19deec4b7c0b69bc1b2e33d44a981ded66127dea354b072010b8dc24b85ed2ffeea3b9c0e931619dbbf22677691f0d54fc03eaa162e0ab0d760ad41021f67057c0d6ac19ca8f":"69d81c73008a6827a692fa636fbab8bb":"":32:"be2dda5c":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"90ce1afb5500489b9edbad987f4009509c847b3e55cdf0c764ef2fb085e3d033":"98482b54edce2bac1cd64d44917dcf117ebfbfe26ad17a9b263447028304f1cf5a69559c05b5d833420f4fddb6e308277d01eb4b3235f1c4b47d33d3899325b55e7be19d43187a5b1b1354ce02a529b3df1c13b4883902ae9fc565079dee825e705f3e580371e4fd86c3b0d31bae98adb529901f346ca07127314152b4370edd":"e119e166471ecf44bc3a070639619931":"":32:"b2f54b3a":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"90ce1afb5500489b9edbad987f4009509c847b3e55cdf0c764ef2fb085e3d033":"98482b54edce2bac1cd64d44917dcf117ebfbfe26ad17a9b263447028304f1cf5a69559c05b5d833420f4fddb6e308277d01eb4b3235f1c4b47d33d3899325b55e7be19d43187a5b1b1354ce02a529b3df1c13b4883902ae9fc565079dee825e705f3e580371e4fd86c3b0d31bae98adb529901f346ca07127314152b4370edd":"e119e166471ecf44bc3a070639619931":"":32:"b2f54b3a":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"29264a90f114a800c0fc3247b3bda00981a12a8f85cf3a19ea4c7ffdd005f4bb":"587c8e53ab5ae8c31e16160b4a41d88798e27f4ad61c573c023c62d4dbb3952eef5026ad7b453fa9e0694347ab8fe50a6cf20da566202b81e325cee9c07ab2d4d53ed45b3ec2d2135936515f8a24f2a8116807dce9df3c44edf64c32647145152ff241d9e018e4101e400af070192dc3b498b5a213d265b4cfc8c8d4d7deccb5":"cf296aa43cb7b328e09c8975e067404e":"":32:"56015c1e":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"29264a90f114a800c0fc3247b3bda00981a12a8f85cf3a19ea4c7ffdd005f4bb":"587c8e53ab5ae8c31e16160b4a41d88798e27f4ad61c573c023c62d4dbb3952eef5026ad7b453fa9e0694347ab8fe50a6cf20da566202b81e325cee9c07ab2d4d53ed45b3ec2d2135936515f8a24f2a8116807dce9df3c44edf64c32647145152ff241d9e018e4101e400af070192dc3b498b5a213d265b4cfc8c8d4d7deccb5":"cf296aa43cb7b328e09c8975e067404e":"":32:"56015c1e":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"84ff9a8772815b929d55f6052c0354cf3e02bcc8336fcfe5794952b4c45d5d96":"a87de56d49725a1625baf12fd15931fe1a6783dce5d1e744eba108f45e0c105d8141dc027d0e33ad7efb6752b43729715e2f3e2c42ebdab4d5f72f886bd821c4372244699ddded99a63dbe7763a5a3bc21cbfc253cdc2514eba2a4f54e24dca7c207cb3f6ae80153d77fe0641f357d5a073dcd425c38deb77c45f27427345516":"5c044a66e488b853baf479f7dee2aadb":"00304e3d40cbc6d2bee0778462884f4ec047a8c74bb3dd7e100f2b9d0e529fd24730063986117b56ca876b208a3691425ac63afc3d504ccb499c76622eade09717023fcb7d956b01ce24a3e53cb5da472be3fcf5b278b5d9e377de22fab75bc74afa9670f5fe9691aa0ed77e43f6abc67a61ec409ec39fd66ac0307bf195f36f":128:"72ddd9966ede9b684bc981cbb2113313":"aadb8537309940422f67ca393aa6182d67fe7c52092538a15e98a4254f0a9087c7f10903d5e78078c2e55de914dec8b6b35cb720e3e55963c0ac9901e44b83a0e7c5b2d3f002aec0a4a08354febe47b2abb955f2a21107626ef0b8e1e099650812a6fecf36908fce2d078c2735cf7c2b970a309e5c6d6ff29c26a05720c57105":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"84ff9a8772815b929d55f6052c0354cf3e02bcc8336fcfe5794952b4c45d5d96":"a87de56d49725a1625baf12fd15931fe1a6783dce5d1e744eba108f45e0c105d8141dc027d0e33ad7efb6752b43729715e2f3e2c42ebdab4d5f72f886bd821c4372244699ddded99a63dbe7763a5a3bc21cbfc253cdc2514eba2a4f54e24dca7c207cb3f6ae80153d77fe0641f357d5a073dcd425c38deb77c45f27427345516":"5c044a66e488b853baf479f7dee2aadb":"00304e3d40cbc6d2bee0778462884f4ec047a8c74bb3dd7e100f2b9d0e529fd24730063986117b56ca876b208a3691425ac63afc3d504ccb499c76622eade09717023fcb7d956b01ce24a3e53cb5da472be3fcf5b278b5d9e377de22fab75bc74afa9670f5fe9691aa0ed77e43f6abc67a61ec409ec39fd66ac0307bf195f36f":128:"72ddd9966ede9b684bc981cbb2113313":"":"aadb8537309940422f67ca393aa6182d67fe7c52092538a15e98a4254f0a9087c7f10903d5e78078c2e55de914dec8b6b35cb720e3e55963c0ac9901e44b83a0e7c5b2d3f002aec0a4a08354febe47b2abb955f2a21107626ef0b8e1e099650812a6fecf36908fce2d078c2735cf7c2b970a309e5c6d6ff29c26a05720c57105":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b5ca3991d0160b1729ae1a622dcf4b03b1f4ba86150bd66bf35cbbee9258af10":"62aad5854a238f096bdde0711ac6f5763e7fea29db068ea8c911f17ba91e6d7807883e6fc5ba7db17af33da2b00973008a3425e65cc786ce1b97360019ee2cef74563d54752be436b905705b507c3d62689df4edf0356d26b693eb43d8a2a927a9f3866b7e0e19e84a90447bd6f47e31070fa7c2a71e3f78229ee19fa47e848f":"f8402184d1cc36df07b68ecb1ab42047":"d378cfd29758bcbd21e26a324239c42c992941b3ad68d9f2b3d2def3a051fd172ee882562970ef59798ff8d9eb5f724ff17626156f4cf5d93e41ffef6e525919af6194ea9bbb58c67563d3ffd90e5a6e2a3a33bd1fa3d55eff5dba7cd439d571f7e08014c4780e3d10904ef22b660897e78258da20b2600e88d71c35ecb6329a":128:"9e8b59b4971130557aa84ec3ac7e4133":"556dd32edc0af3c64186fe8c000ddad1516cd14721c93c228e379d4f87e32c79e734539cec930322048f34a2b34931c585d44f09966caf187ec4b9244c991a8a5f263e9da1d08d6086e52535afdb36c7662307521cbceb9ecb470a76970243723fbc1613b6ebbcae261ac2f1936e66ce29ec7350b2e6b2f73a910ade645154f7":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b5ca3991d0160b1729ae1a622dcf4b03b1f4ba86150bd66bf35cbbee9258af10":"62aad5854a238f096bdde0711ac6f5763e7fea29db068ea8c911f17ba91e6d7807883e6fc5ba7db17af33da2b00973008a3425e65cc786ce1b97360019ee2cef74563d54752be436b905705b507c3d62689df4edf0356d26b693eb43d8a2a927a9f3866b7e0e19e84a90447bd6f47e31070fa7c2a71e3f78229ee19fa47e848f":"f8402184d1cc36df07b68ecb1ab42047":"d378cfd29758bcbd21e26a324239c42c992941b3ad68d9f2b3d2def3a051fd172ee882562970ef59798ff8d9eb5f724ff17626156f4cf5d93e41ffef6e525919af6194ea9bbb58c67563d3ffd90e5a6e2a3a33bd1fa3d55eff5dba7cd439d571f7e08014c4780e3d10904ef22b660897e78258da20b2600e88d71c35ecb6329a":128:"9e8b59b4971130557aa84ec3ac7e4133":"":"556dd32edc0af3c64186fe8c000ddad1516cd14721c93c228e379d4f87e32c79e734539cec930322048f34a2b34931c585d44f09966caf187ec4b9244c991a8a5f263e9da1d08d6086e52535afdb36c7662307521cbceb9ecb470a76970243723fbc1613b6ebbcae261ac2f1936e66ce29ec7350b2e6b2f73a910ade645154f7":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"df867d1dd8a287821a54479cab6f88636d2aca30e1bf01a5dffc735e17590356":"6517272cac85d7f38902bcb4b96a0c59c4bdc46bfefa6ebacd7f2fb1629b87ca91de2ffefc42ce3cfd34dcbf01b3f7cadcea3f99e6addf35d36c51f2ceb1f85c1f56a04ec9c9fff60cd7fc238674992183ea3de72ef778561b906202b7b83fe6562a0bca9c1e0a18638e8685b998b4192f5120435809ad6e93a0422d00725262":"35019826c51dd1ef07ff915d9ac4ea96":"0375ed93f287eefe414ab2968844bd10148860c528dbf571a77aa74f98cc669a7fc317adc9f7cf2d80dda29b19db635b30a044399f3665b6176ed669146d28f5ada03b3d32d53fe46575a8afcd37f20386d9e36f7e090b4fefadfab7f008e02f1b5022c0eeb81d03443a276eae48c038ed173631687d2450b913b02c97243edb":128:"e49beb083a9b008ae97a17e3825692f0":"723be39bc13adbc48c861b07753f64fac1ae28fc8933acba888b6538721df0a8b91c040a26522fe0dbb7335d8f63d209e89f7cde23afa9ca3c584b336d63a91e07fdd8808b14c3214c96a202e665bbaaa34248ff30348f3d79c9f16e66ad6c5903305acd887a89b6244eb7c2d96e18b13a686de935bf3821444ee20f48678be5":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"df867d1dd8a287821a54479cab6f88636d2aca30e1bf01a5dffc735e17590356":"6517272cac85d7f38902bcb4b96a0c59c4bdc46bfefa6ebacd7f2fb1629b87ca91de2ffefc42ce3cfd34dcbf01b3f7cadcea3f99e6addf35d36c51f2ceb1f85c1f56a04ec9c9fff60cd7fc238674992183ea3de72ef778561b906202b7b83fe6562a0bca9c1e0a18638e8685b998b4192f5120435809ad6e93a0422d00725262":"35019826c51dd1ef07ff915d9ac4ea96":"0375ed93f287eefe414ab2968844bd10148860c528dbf571a77aa74f98cc669a7fc317adc9f7cf2d80dda29b19db635b30a044399f3665b6176ed669146d28f5ada03b3d32d53fe46575a8afcd37f20386d9e36f7e090b4fefadfab7f008e02f1b5022c0eeb81d03443a276eae48c038ed173631687d2450b913b02c97243edb":128:"e49beb083a9b008ae97a17e3825692f0":"":"723be39bc13adbc48c861b07753f64fac1ae28fc8933acba888b6538721df0a8b91c040a26522fe0dbb7335d8f63d209e89f7cde23afa9ca3c584b336d63a91e07fdd8808b14c3214c96a202e665bbaaa34248ff30348f3d79c9f16e66ad6c5903305acd887a89b6244eb7c2d96e18b13a686de935bf3821444ee20f48678be5":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0e8e9ce6294b7fbc534a96bdd060120976a6e08315d2ea73ac61d085cd462a44":"9855f186b51358f0e2111c06bfaaeaec9bf95c55e246375c614fad9883d86c82a20c86538dc5f42a0ea69677d59a20c5112d15d2a8396f12096242ad5d7b838d16ee0679fc4017af75bc15e8ad2f77b0e802c864031cbfb0bacd95c828d1db4b7bab0713619e9e5e8fe6902aac7a9e6c42eb05f5b156f7e663ee43e6fdb62480":"4edc6be20f904b4789e5bee0a80a3fc8":"db28ce076b360816cd1e04b7729f8ab080e0a07f35204350f3bd056945aab8638c0e8311ab056f3e5debdbfbb03fae700770264faf73e0f3a05a5812aee84ab613c82f4a76da276250675f6a663f85e2c26d4f4a8666a7f4cedaffc1a7218dec11ca4e72b8b5d5b620d1efbd3d3b94a5ae0d118b9860dfd543b04c78d13a94c3":120:"03cfe6c36c3f54b3188a6ef3866b84":"e10142f852a0d680c983aad2b4609ccbd35ff61bb3eb66442aee6e01d4cc1cd70f45210acbd506395d6ca0cfebc195a196c94b94fc2afb9ffa3b1714653e07e048804746955e2070e1e96bff58f9bc56f3862aaa5fe23a6a57b5e764666ddec9e3e5a6af063f2c150889268619d0128b3b5562d27070e58e41aadd471d92d07e":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0e8e9ce6294b7fbc534a96bdd060120976a6e08315d2ea73ac61d085cd462a44":"9855f186b51358f0e2111c06bfaaeaec9bf95c55e246375c614fad9883d86c82a20c86538dc5f42a0ea69677d59a20c5112d15d2a8396f12096242ad5d7b838d16ee0679fc4017af75bc15e8ad2f77b0e802c864031cbfb0bacd95c828d1db4b7bab0713619e9e5e8fe6902aac7a9e6c42eb05f5b156f7e663ee43e6fdb62480":"4edc6be20f904b4789e5bee0a80a3fc8":"db28ce076b360816cd1e04b7729f8ab080e0a07f35204350f3bd056945aab8638c0e8311ab056f3e5debdbfbb03fae700770264faf73e0f3a05a5812aee84ab613c82f4a76da276250675f6a663f85e2c26d4f4a8666a7f4cedaffc1a7218dec11ca4e72b8b5d5b620d1efbd3d3b94a5ae0d118b9860dfd543b04c78d13a94c3":120:"03cfe6c36c3f54b3188a6ef3866b84":"":"e10142f852a0d680c983aad2b4609ccbd35ff61bb3eb66442aee6e01d4cc1cd70f45210acbd506395d6ca0cfebc195a196c94b94fc2afb9ffa3b1714653e07e048804746955e2070e1e96bff58f9bc56f3862aaa5fe23a6a57b5e764666ddec9e3e5a6af063f2c150889268619d0128b3b5562d27070e58e41aadd471d92d07e":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"886c77b80f5f3a21c01932685a540b23629f6d41d5574fc527227ed0bdf2e21b":"53a17d7b69f607f08676d6f6dd4e8db08e01333a8355d8c87616e84cdf10ef5b041fc6ddc3f6a245c0f534c2b167064af82f45e4702a5e8dede59579fdecf6713353392433950c9b97c38d9ee515ac97d0970ccf03981954540088567a30941bb2cca08cbed680500f8342faa7aebbc6c143e2ea57ba6b4ac1fd975dcc5d0871":"5ec506edb1890a5a63b464490450d419":"05b8d820c9f439d7aeae5c7da0ee25fb0dad47cc3e6f3a47e8b984e856201546975f8214531fc3c2e504d2ac10fa49cb948596b9a8fab01b95c49d6f04d1589f93b77b899e803dd20e1f00a51c0b5953e85be639109b14b100e35ca26d84ea629964b0db8260dfa5a150a66261bf37e79de2ec49e9f1b082a7c58ecd3d39b6c9":120:"ffdf56e1c1a7252b88422787536484":"79ee27adfa9698a97d217c5010ec807806feda37db811e398c3b82abf698aece08561fffc6c601d2691738e279eeb57e5804e1405a9913830e3ba0d7b979213ef40d733a19497d4bb1b8b2c609a8f904e29771fa230c39a48ebb8c3376f07c8013fff6e34f10fe53988a6ec87a9296c0a7cfba769adefe599ec6671012965973":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"886c77b80f5f3a21c01932685a540b23629f6d41d5574fc527227ed0bdf2e21b":"53a17d7b69f607f08676d6f6dd4e8db08e01333a8355d8c87616e84cdf10ef5b041fc6ddc3f6a245c0f534c2b167064af82f45e4702a5e8dede59579fdecf6713353392433950c9b97c38d9ee515ac97d0970ccf03981954540088567a30941bb2cca08cbed680500f8342faa7aebbc6c143e2ea57ba6b4ac1fd975dcc5d0871":"5ec506edb1890a5a63b464490450d419":"05b8d820c9f439d7aeae5c7da0ee25fb0dad47cc3e6f3a47e8b984e856201546975f8214531fc3c2e504d2ac10fa49cb948596b9a8fab01b95c49d6f04d1589f93b77b899e803dd20e1f00a51c0b5953e85be639109b14b100e35ca26d84ea629964b0db8260dfa5a150a66261bf37e79de2ec49e9f1b082a7c58ecd3d39b6c9":120:"ffdf56e1c1a7252b88422787536484":"":"79ee27adfa9698a97d217c5010ec807806feda37db811e398c3b82abf698aece08561fffc6c601d2691738e279eeb57e5804e1405a9913830e3ba0d7b979213ef40d733a19497d4bb1b8b2c609a8f904e29771fa230c39a48ebb8c3376f07c8013fff6e34f10fe53988a6ec87a9296c0a7cfba769adefe599ec6671012965973":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5231ca6d772edd9ea2d251e22d7d455928c22474b4b44130dad57e6511fed6ee":"2767c808410ee132291585ea74a48ad3102f883f07d060c91c5f10abd37fe0996d2210dc490260238ae15f5d74c7be2a1e15d80db09079c520047f88488a7802857a3fc3b81d85a96949997430a880177880a31d4d0c9c9045247804f057a4f2756d6e40375a4a3187c4376d6bf573ce334cda1ed88d8a50db499e7cdb89d8db":"048698a4a0feabc1f336112e2794795a":"3a81b6b0b722899ff931cb73c39222d555b83ae3f8880b982593cbc1ab8be90d1ee32fd7dfe697cf24c95b7309d82c3fed3aa6b3d5740cc86a28174ac8f17d860ebb251ac0d71751c2ff47b48bfb0b3beb4f51494464cda34feaecddb1dbbe5fa36c681ada0787d6ed728afc4008b95929a1905787917adc95f1034fedcd817a":120:"ba61edeb7b8966188854fc7926aad2":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5231ca6d772edd9ea2d251e22d7d455928c22474b4b44130dad57e6511fed6ee":"2767c808410ee132291585ea74a48ad3102f883f07d060c91c5f10abd37fe0996d2210dc490260238ae15f5d74c7be2a1e15d80db09079c520047f88488a7802857a3fc3b81d85a96949997430a880177880a31d4d0c9c9045247804f057a4f2756d6e40375a4a3187c4376d6bf573ce334cda1ed88d8a50db499e7cdb89d8db":"048698a4a0feabc1f336112e2794795a":"3a81b6b0b722899ff931cb73c39222d555b83ae3f8880b982593cbc1ab8be90d1ee32fd7dfe697cf24c95b7309d82c3fed3aa6b3d5740cc86a28174ac8f17d860ebb251ac0d71751c2ff47b48bfb0b3beb4f51494464cda34feaecddb1dbbe5fa36c681ada0787d6ed728afc4008b95929a1905787917adc95f1034fedcd817a":120:"ba61edeb7b8966188854fc7926aad2":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5a3f516a7898e04e5da4efd6c7c5989b77552d195464620c2b35b9a4fda29cce":"5cc28b61ae97557774bdcd7ff653f4aa349df68d53c7e5a65263883ef1fe224ad40e86bffc2d38f28a2ed9ae1fc08563e2a1e46246106546eb8e6064c06baa0046fa137421734b7f0f94656a4f459d9d981717557d843700d116b6e5e2dd3af5f67c34edf31b40b71fd3c6f2475f9310feb70bcb973be52d41e86792c49d54c0":"9310af6974890c0a0364231f9cc8103d":"2103af8356bcb9dfc2a4f1d4ed09cbcd8e1990d23865605e19f87feb50bf8d10d0257740e5557a9297f0499c01e29a1a513ca18e6f43f7406c865cbe3951a7771128f3110c8da3bd696368901944549552842a1f6fd96cc681b45da098f3c1acb3d237d2363285f520d0b6714b698790b7660c52ac84a42c9721ac7e9d38a2ef":112:"993fc8e7176557ee9eb8dd944691":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5a3f516a7898e04e5da4efd6c7c5989b77552d195464620c2b35b9a4fda29cce":"5cc28b61ae97557774bdcd7ff653f4aa349df68d53c7e5a65263883ef1fe224ad40e86bffc2d38f28a2ed9ae1fc08563e2a1e46246106546eb8e6064c06baa0046fa137421734b7f0f94656a4f459d9d981717557d843700d116b6e5e2dd3af5f67c34edf31b40b71fd3c6f2475f9310feb70bcb973be52d41e86792c49d54c0":"9310af6974890c0a0364231f9cc8103d":"2103af8356bcb9dfc2a4f1d4ed09cbcd8e1990d23865605e19f87feb50bf8d10d0257740e5557a9297f0499c01e29a1a513ca18e6f43f7406c865cbe3951a7771128f3110c8da3bd696368901944549552842a1f6fd96cc681b45da098f3c1acb3d237d2363285f520d0b6714b698790b7660c52ac84a42c9721ac7e9d38a2ef":112:"993fc8e7176557ee9eb8dd944691":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"59c9258554363d8a885fc0f5d112fee08eadfc7ce52a0e7e73e3d0d41d9a0290":"79c491411402ea7878e480519fd984dde44bce6459303bb76d4eaf97d4e345d1aafaa68ceb0590b41cfed0f411b675d9344c7e888cccfc9eb6fe6b229d198f94ba516ee850ee7f078a4f5f32a23f92f72264e3a76a31ebd042564315ac4f2ec0bb49ba6d08cfd2d3a6308688e39f28e3ecd669c588368cee8210edf5dbefb925":"77e51e89dc47bbcac79cca21e81a61de":"25a6f8800a9b914c0ebf9a45d72355c03ee72a138eb81b2980f332645ce1d7aa4659805821866aee2b276e2c032776b4eaf36f93b5f9a72b791be24e31eff105ca6d0700e3069ee327983dd7fe1c7465d6c6d77837aff69055149988e7199847fad98605c377d997dbd40f3e2ff1a4f978a493684e401249e69540fbde96323c":112:"ee6d85d3f3703b45adb4f9b2f155":"44ca68deed5478074adfddc97f06f44c08bf7bca4dee8707d621fc7396fe2efcdad0a167d1708a9ff59ce4cddb86920bf1dbdf41b2109a1815ffc4e596787319114cad8adab46cf7f080c9ef20bcf67a8441ba55eac449f979280319524c74cf247818a8c5478ea6f6770996026a43781285dd89c36212050afc88faa56135fb":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"59c9258554363d8a885fc0f5d112fee08eadfc7ce52a0e7e73e3d0d41d9a0290":"79c491411402ea7878e480519fd984dde44bce6459303bb76d4eaf97d4e345d1aafaa68ceb0590b41cfed0f411b675d9344c7e888cccfc9eb6fe6b229d198f94ba516ee850ee7f078a4f5f32a23f92f72264e3a76a31ebd042564315ac4f2ec0bb49ba6d08cfd2d3a6308688e39f28e3ecd669c588368cee8210edf5dbefb925":"77e51e89dc47bbcac79cca21e81a61de":"25a6f8800a9b914c0ebf9a45d72355c03ee72a138eb81b2980f332645ce1d7aa4659805821866aee2b276e2c032776b4eaf36f93b5f9a72b791be24e31eff105ca6d0700e3069ee327983dd7fe1c7465d6c6d77837aff69055149988e7199847fad98605c377d997dbd40f3e2ff1a4f978a493684e401249e69540fbde96323c":112:"ee6d85d3f3703b45adb4f9b2f155":"":"44ca68deed5478074adfddc97f06f44c08bf7bca4dee8707d621fc7396fe2efcdad0a167d1708a9ff59ce4cddb86920bf1dbdf41b2109a1815ffc4e596787319114cad8adab46cf7f080c9ef20bcf67a8441ba55eac449f979280319524c74cf247818a8c5478ea6f6770996026a43781285dd89c36212050afc88faa56135fb":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5e9eae594cb54c8089330e4404ff79abb1c0841b0be5347a14633ad1e1ff44fa":"32abc1eb6077555a85a0a6fd1c78cccca6c8b375842e2eb8eee45ee6c38dc0837443d16c647252e8124639dd01c808ac5e857a25d927c2a75e2fa8955cad5beb5c206fc050cd933fc4621f5718936f01f39dd700ae1aee7537cc595df8789c5d1a6e1e87b1c7a60e3ce5d57c80dd65dee3801798e1481b1963bcc78cc69f8c50":"0917b486da754f48bb43ecc8766a7ce3":"2aa1ef2f91aeba5da10b48a882dbd4574df4e9157a18abf8cecd03e4176712ba171b6ecb0e745841ff84e35063e47b08101afc44cfd9cededb913a82f00b9d4bac922f23a22f200642270399896405d00fa5271718eefb4cd5fe7e5f32097766ebff36ff1898a1c8a1a01cc18e6121e470805c37ff298fc65ef2fb1b336d09fd":112:"92282b022e393924ab9c65b258c2":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5e9eae594cb54c8089330e4404ff79abb1c0841b0be5347a14633ad1e1ff44fa":"32abc1eb6077555a85a0a6fd1c78cccca6c8b375842e2eb8eee45ee6c38dc0837443d16c647252e8124639dd01c808ac5e857a25d927c2a75e2fa8955cad5beb5c206fc050cd933fc4621f5718936f01f39dd700ae1aee7537cc595df8789c5d1a6e1e87b1c7a60e3ce5d57c80dd65dee3801798e1481b1963bcc78cc69f8c50":"0917b486da754f48bb43ecc8766a7ce3":"2aa1ef2f91aeba5da10b48a882dbd4574df4e9157a18abf8cecd03e4176712ba171b6ecb0e745841ff84e35063e47b08101afc44cfd9cededb913a82f00b9d4bac922f23a22f200642270399896405d00fa5271718eefb4cd5fe7e5f32097766ebff36ff1898a1c8a1a01cc18e6121e470805c37ff298fc65ef2fb1b336d09fd":112:"92282b022e393924ab9c65b258c2":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"aaf03c3055a35362212b9b059931e7a24fc71e32bc9a533428c9dc31077f2ebc":"c0e12cdd8233878505e025d52427536be7b6bf1887d2dd20eac7092db80b22417a3a4ca83cdf5bc5e36161be1ff9b73f7ceb297c6d07c9cb2a75035a5dc079e48283daea60596f4b356ca28c243e628cbe459f069709fe193394c9b1a31d8ccc5a3a4eba30056c415e68571a2c34bb5c32efff12e9aa483c4a68be5e76aba4cd":"7dfccd077b29e6ed5720244bb76bde9f":"21edd1c6056f51fd5f314e5c26728182edcd9df92877f30498949098dcde8089eed84e76d774ef8874d77125669a302d268b99dcd66b349d0271dde6f8cc94dc4f2df3787887b1173cad94d067e346846befb108005387102854d9387d2c0fbc9636cdf73a10d145f4b612c201b46e1ff4465f6a7654ce3da5792daf9a27fb35":104:"6154c6799ad7cdc2d89801943a":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"aaf03c3055a35362212b9b059931e7a24fc71e32bc9a533428c9dc31077f2ebc":"c0e12cdd8233878505e025d52427536be7b6bf1887d2dd20eac7092db80b22417a3a4ca83cdf5bc5e36161be1ff9b73f7ceb297c6d07c9cb2a75035a5dc079e48283daea60596f4b356ca28c243e628cbe459f069709fe193394c9b1a31d8ccc5a3a4eba30056c415e68571a2c34bb5c32efff12e9aa483c4a68be5e76aba4cd":"7dfccd077b29e6ed5720244bb76bde9f":"21edd1c6056f51fd5f314e5c26728182edcd9df92877f30498949098dcde8089eed84e76d774ef8874d77125669a302d268b99dcd66b349d0271dde6f8cc94dc4f2df3787887b1173cad94d067e346846befb108005387102854d9387d2c0fbc9636cdf73a10d145f4b612c201b46e1ff4465f6a7654ce3da5792daf9a27fb35":104:"6154c6799ad7cdc2d89801943a":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"60c775971a9eac7950ed2bdd85bd60fe948ba04c419f6743fb67f37557e46c6e":"8abb2e66a4d08074916056bb8e925551372f737f0e1b597c5d08ee102989743a273b29d7281013f8b3aee2934399cb427370d70370ee86eb41584b653660c633506a53cae747826bb7d93909f069d5aacf058b7f2bbdc58ea08653db857bda83a979fc22a4f126dfef7aac45177f4cdb802fab0c812fb35d12a8176ec21336d7":"9b92ad7079b0de09c94091386577338b":"1f6a84b0df75bd99a2a64849e9686957c6a60932ebe898d033128be9b757e9890225925d856bfdc33ff514c63145f357730bb0435c65342bc5e025267b410af6fd388a5eca01b7efc87fd3b1b791df791bd47dfab736350d7b7f368b4100e04c939d5af957bab95ed502dac904e969876674602a0f0790da2d7351b686e46590":104:"1d6cd4ab3914e109f22668867f":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"60c775971a9eac7950ed2bdd85bd60fe948ba04c419f6743fb67f37557e46c6e":"8abb2e66a4d08074916056bb8e925551372f737f0e1b597c5d08ee102989743a273b29d7281013f8b3aee2934399cb427370d70370ee86eb41584b653660c633506a53cae747826bb7d93909f069d5aacf058b7f2bbdc58ea08653db857bda83a979fc22a4f126dfef7aac45177f4cdb802fab0c812fb35d12a8176ec21336d7":"9b92ad7079b0de09c94091386577338b":"1f6a84b0df75bd99a2a64849e9686957c6a60932ebe898d033128be9b757e9890225925d856bfdc33ff514c63145f357730bb0435c65342bc5e025267b410af6fd388a5eca01b7efc87fd3b1b791df791bd47dfab736350d7b7f368b4100e04c939d5af957bab95ed502dac904e969876674602a0f0790da2d7351b686e46590":104:"1d6cd4ab3914e109f22668867f":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3b426e449337a14bc0663246ab61b671b523c9a3130c21ed59c93fa6a5aa5ae3":"291bd5a00d71eb7d547b7c94e7030ba4a947418eaeb378a3bacd304b08c6f92f6958eaba968ac6aa23e0512a2a8ad7c1ca2f8fcf623bfc1281f5b7b598c08d2aebcd447668b23238c5e338b4c2ac7f8fd381714c596ea3e0c17aca4317a08563e58f0f52a8af08e078dc242ae54ee0fe3869f8c9687b004a4ded0aa27d8f4c5d":"e6efc96acd105fe4a48d1ac931eea096":"0902cf7a0685444126369712ac47962bc2f7a3a5837f1b6190d9ab1adb4cd35e7f0892eee628b8e07fcf2b598cebe1ec07d8c4823172ae66a135bb51cc71590707b691a66b56af1ffe38772911d11685da355728eaddd83752d21c119d7b59f4c17c2403629fa55cd70cd331aed7b0de673c85f25c2e9e0267f53f0b7480c8ca":104:"ca4bfeedcd19d301d3f08cb729":"bcef3f2fd101b828d36cb38530cf9a0a7a285ac1c55ee1069cc78466327e85887534c98a8891d579effd832c0f7d6e7e822fb1eea85a39317a547591def4aeed6660872859fc9d1df9725d3c40e9ccaa900e0f1426a55d20ac4f2e8e07bd3bbc687f8e059ab93e7604c97e75ac94be1c8c24f4c4da0080a4d77953fb090cbb62":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3b426e449337a14bc0663246ab61b671b523c9a3130c21ed59c93fa6a5aa5ae3":"291bd5a00d71eb7d547b7c94e7030ba4a947418eaeb378a3bacd304b08c6f92f6958eaba968ac6aa23e0512a2a8ad7c1ca2f8fcf623bfc1281f5b7b598c08d2aebcd447668b23238c5e338b4c2ac7f8fd381714c596ea3e0c17aca4317a08563e58f0f52a8af08e078dc242ae54ee0fe3869f8c9687b004a4ded0aa27d8f4c5d":"e6efc96acd105fe4a48d1ac931eea096":"0902cf7a0685444126369712ac47962bc2f7a3a5837f1b6190d9ab1adb4cd35e7f0892eee628b8e07fcf2b598cebe1ec07d8c4823172ae66a135bb51cc71590707b691a66b56af1ffe38772911d11685da355728eaddd83752d21c119d7b59f4c17c2403629fa55cd70cd331aed7b0de673c85f25c2e9e0267f53f0b7480c8ca":104:"ca4bfeedcd19d301d3f08cb729":"":"bcef3f2fd101b828d36cb38530cf9a0a7a285ac1c55ee1069cc78466327e85887534c98a8891d579effd832c0f7d6e7e822fb1eea85a39317a547591def4aeed6660872859fc9d1df9725d3c40e9ccaa900e0f1426a55d20ac4f2e8e07bd3bbc687f8e059ab93e7604c97e75ac94be1c8c24f4c4da0080a4d77953fb090cbb62":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ceaf204ff504ea8e7fade1a2097f2b527a44766860447322fa5ad346cd810217":"1c8e4cf6018211518494d46c2e0607fa42e236abc28d58f8175c530f84b1f030572f5f6a74cb5517e1fb999a637d352afcbeadea9121e695675859b66b499a3a351ecba5226e58ebbb59fe12e359e4c89cd51c8703d4643c49921ae495801c73627df404b91e828e1d0e03ae09a39defb5aa5f2c8106953772ba0713d3261329":"cfdb8183251f4b61c64e73243594fdc6":"a60f3969fd1b14793dd1425aa0b1f742a4861e0b50eaffd1525cd209ba6d1252176763bb5bee59aaa55f92341cdc0705899aba44cf0ec05cbf80274ebef65cd9507fd4224b25cac19610968d6a37e2daf9ddf046ef158ef512401f8fd0e4f95662eebdee09dd4a7894cc8c409be086d41280bd78d6bc04c35a4e8cd3a2e83be3":96:"9e45029f4f13a4767ee05cec":"5cdc66b587ed5eebb04f42b83a6ab7017093514881c598cce332d74fa3fab927493ac15bff26835296e080b5b45ef907c0529fc2f4ed2fc09db179ef598e5d193ea60c301d3f8d823404814e3e74de0e1d2417c963e9246c353201c7a42659d447376e7d05c579dd4c3ae51c2436407b8eff16ec31f592f04b8013efcfd0f367":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ceaf204ff504ea8e7fade1a2097f2b527a44766860447322fa5ad346cd810217":"1c8e4cf6018211518494d46c2e0607fa42e236abc28d58f8175c530f84b1f030572f5f6a74cb5517e1fb999a637d352afcbeadea9121e695675859b66b499a3a351ecba5226e58ebbb59fe12e359e4c89cd51c8703d4643c49921ae495801c73627df404b91e828e1d0e03ae09a39defb5aa5f2c8106953772ba0713d3261329":"cfdb8183251f4b61c64e73243594fdc6":"a60f3969fd1b14793dd1425aa0b1f742a4861e0b50eaffd1525cd209ba6d1252176763bb5bee59aaa55f92341cdc0705899aba44cf0ec05cbf80274ebef65cd9507fd4224b25cac19610968d6a37e2daf9ddf046ef158ef512401f8fd0e4f95662eebdee09dd4a7894cc8c409be086d41280bd78d6bc04c35a4e8cd3a2e83be3":96:"9e45029f4f13a4767ee05cec":"":"5cdc66b587ed5eebb04f42b83a6ab7017093514881c598cce332d74fa3fab927493ac15bff26835296e080b5b45ef907c0529fc2f4ed2fc09db179ef598e5d193ea60c301d3f8d823404814e3e74de0e1d2417c963e9246c353201c7a42659d447376e7d05c579dd4c3ae51c2436407b8eff16ec31f592f04b8013efcfd0f367":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"15652abe38cd09777bba21d0db04637f5737d3cb3922181b9f2d07bfdafd327a":"1d6c153dec3b4738a09c9fbdfe31a093eb7ea79b8fa49f83e5e1f46893590f074fb171fb66e30ef887767014e3a10a3aa05da2bd50dd7b7936e1d7f6f31af9030e31e76bdf147f4396464db0f6a72511c4885c6c2305d339906e3c761a3249d7ebea3bf463e8b79c3706e684575550e964b8047979f7aed6ea05056c4b5840b1":"3a5e0d223ae981efb405566264e3e776":"cd755437cb61b539908e0cfaaa36c0123f8f17d1e6539783cb61d4b56cac3bc1e971c1ea558b12669b025cb6b9ad55991c6e2f8ee8b0b7901790193e226a0fbbfff7ff0bee6a554660b9f32e061b6c04bf048484ff9ebd492f7e50e744edd72d02c8fd32f87f9421bf18a5a20ebb4d9dbe39a13c34b7296232470e8be587ba09":96:"01a573d8e99c884563310954":"162430c23f7adcf98575a2d9249b4b5cec42efae33776360ebfa6a19c8eee4bd6b07cbd274deadc3292b7cdbb7803e99d9f67ccc5077f3ad5808f339a05b3213dbfd11377673d4f9b486a67a72a9ac8ea9ba699861dce0de7e2fd83d3ba2a2ec7fabf18b95a2bbe2184ff7bddd63111b560b3afe7f2c76807614ba36c1b011fb":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"15652abe38cd09777bba21d0db04637f5737d3cb3922181b9f2d07bfdafd327a":"1d6c153dec3b4738a09c9fbdfe31a093eb7ea79b8fa49f83e5e1f46893590f074fb171fb66e30ef887767014e3a10a3aa05da2bd50dd7b7936e1d7f6f31af9030e31e76bdf147f4396464db0f6a72511c4885c6c2305d339906e3c761a3249d7ebea3bf463e8b79c3706e684575550e964b8047979f7aed6ea05056c4b5840b1":"3a5e0d223ae981efb405566264e3e776":"cd755437cb61b539908e0cfaaa36c0123f8f17d1e6539783cb61d4b56cac3bc1e971c1ea558b12669b025cb6b9ad55991c6e2f8ee8b0b7901790193e226a0fbbfff7ff0bee6a554660b9f32e061b6c04bf048484ff9ebd492f7e50e744edd72d02c8fd32f87f9421bf18a5a20ebb4d9dbe39a13c34b7296232470e8be587ba09":96:"01a573d8e99c884563310954":"":"162430c23f7adcf98575a2d9249b4b5cec42efae33776360ebfa6a19c8eee4bd6b07cbd274deadc3292b7cdbb7803e99d9f67ccc5077f3ad5808f339a05b3213dbfd11377673d4f9b486a67a72a9ac8ea9ba699861dce0de7e2fd83d3ba2a2ec7fabf18b95a2bbe2184ff7bddd63111b560b3afe7f2c76807614ba36c1b011fb":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a43f6d07042a15cd49f6f52a2a3a67c6c2ff420d95bb94b9fe03b287c3abcaf8":"b67e58c8b608724fd20aa097ee483bc4c804490cc79de635170944af75c87ae0ad8261365c1dc80d852553bcba18da9fbc3fbe61d27550a03003ef0c60202054626655509a9e1ab54677e537a4e761df011d6c6dd041c795446b384161ae9eab441afd24d19b58eb4fe5116cd7b11b751ebbd0a2adba7afc380d9d775177099a":"3b6fad21f0034bba8b1f7a344edf7a3c":"2e01c0523c8293fc51388281dccdb8d0a2d215d729289deb327b8142d716c2bb849e9476545b82f3882ba7961b70c5da2a925ba18b6b121e9215d52ac479c9129c9cd28f81584ff84509d5f9dcb7eaae66911b303cc388efa5020ac26a9cd9ea953f61992a306eb4b35bcd8447eea63cef37bb0c95c1e37811115cf26c53e8c5":96:"43470bc3d7c573cb3a5230f5":"e1720d451fa7ab9db4988567187244b15b6fe795dd4fef579fb72e41b21aaa436d2e5d8735a4abd232a3fb9188c75c247f6034cdebb07fd7f260f8e54efefa4f2981cafa510dd5c482a27753a7c015b3cae1c18c7c99a6d6daa4781b80f18bbe6620bfc1518a32531017a1a52aadb96a7794887c11ad6bdd68187ba14f72a4b5":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a43f6d07042a15cd49f6f52a2a3a67c6c2ff420d95bb94b9fe03b287c3abcaf8":"b67e58c8b608724fd20aa097ee483bc4c804490cc79de635170944af75c87ae0ad8261365c1dc80d852553bcba18da9fbc3fbe61d27550a03003ef0c60202054626655509a9e1ab54677e537a4e761df011d6c6dd041c795446b384161ae9eab441afd24d19b58eb4fe5116cd7b11b751ebbd0a2adba7afc380d9d775177099a":"3b6fad21f0034bba8b1f7a344edf7a3c":"2e01c0523c8293fc51388281dccdb8d0a2d215d729289deb327b8142d716c2bb849e9476545b82f3882ba7961b70c5da2a925ba18b6b121e9215d52ac479c9129c9cd28f81584ff84509d5f9dcb7eaae66911b303cc388efa5020ac26a9cd9ea953f61992a306eb4b35bcd8447eea63cef37bb0c95c1e37811115cf26c53e8c5":96:"43470bc3d7c573cb3a5230f5":"":"e1720d451fa7ab9db4988567187244b15b6fe795dd4fef579fb72e41b21aaa436d2e5d8735a4abd232a3fb9188c75c247f6034cdebb07fd7f260f8e54efefa4f2981cafa510dd5c482a27753a7c015b3cae1c18c7c99a6d6daa4781b80f18bbe6620bfc1518a32531017a1a52aadb96a7794887c11ad6bdd68187ba14f72a4b5":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1f0f0191e18db07c0501dbab4ed952c5603a4cd249d2d8d17e62e10b96ae713f":"aad40e7866c26e486b6f6e8eb14a130d5f88891bf0d09aa8fe32f447ab8dea7bee5d3eda4499c0103a010483f2b64fdf1155499d31decf528c77dd7627884f9995c213cf7402143dbb7561d69c86886734260ac94ffac7eb33598d25714228ef43f744ec1af2a87e789f1e5d6fff0fbd5082dcc49328f194e8f8a14a5bfc962d":"ab8be16b4db809c81be4684b726c05ab":"a5a6e828352a44bd438ad58de80011be0408d410f6e762e3145f8b264a70c593476b41bb87875746c97de7d5fab120bd2f716b37c343608ee48d197a46c7546fafcdbe3e7688b7e9d2f5b6319c91d3881d804546b5f3dbe480996968dd046f406c11f0dc671be0421cbc8b4ea6811dd504281518bb96148dddf9f0dc4e2e2436":64:"d8bd7d8773893519":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1f0f0191e18db07c0501dbab4ed952c5603a4cd249d2d8d17e62e10b96ae713f":"aad40e7866c26e486b6f6e8eb14a130d5f88891bf0d09aa8fe32f447ab8dea7bee5d3eda4499c0103a010483f2b64fdf1155499d31decf528c77dd7627884f9995c213cf7402143dbb7561d69c86886734260ac94ffac7eb33598d25714228ef43f744ec1af2a87e789f1e5d6fff0fbd5082dcc49328f194e8f8a14a5bfc962d":"ab8be16b4db809c81be4684b726c05ab":"a5a6e828352a44bd438ad58de80011be0408d410f6e762e3145f8b264a70c593476b41bb87875746c97de7d5fab120bd2f716b37c343608ee48d197a46c7546fafcdbe3e7688b7e9d2f5b6319c91d3881d804546b5f3dbe480996968dd046f406c11f0dc671be0421cbc8b4ea6811dd504281518bb96148dddf9f0dc4e2e2436":64:"d8bd7d8773893519":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a6cf7d83137f57f2310ee6bf31e8883952bb07ccdc12f516233ed533ea967e5d":"83ab20698fd7573fd121976a72b45a7f03aad84702fc8ac73d6926eabd8a546895aeffe4ba81d117507e2cd37d58eeff71cc3afa8a4449be85f228ea52f6dc6395bb43c1c9f795343720841682d9b2f00602eafa4d4cbe297bfc62467e526b9d823cc8eeecd9e5f8dbc2f65610663c6f37b3d896651b254bd60215629ade3b2a":"f17e37e73a28c682366bfe619cc673bb":"0f4dd201b18e20230b6233e0d7add6f96537dd4e82d3d0704c047fab41af5faf6bd52bd14fa9a072f81d92a2ce04352f0b66f088c67102d2d127a9850b09ff6087f194a6e8ccaba24091feb303eebb65f1203b2d22af44e7be4de71f03e6f6cbadf28e15af58f58eb62e5bddfae06df773cc3f0942520de20078dda752e3270f":64:"74110471ccd75912":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a6cf7d83137f57f2310ee6bf31e8883952bb07ccdc12f516233ed533ea967e5d":"83ab20698fd7573fd121976a72b45a7f03aad84702fc8ac73d6926eabd8a546895aeffe4ba81d117507e2cd37d58eeff71cc3afa8a4449be85f228ea52f6dc6395bb43c1c9f795343720841682d9b2f00602eafa4d4cbe297bfc62467e526b9d823cc8eeecd9e5f8dbc2f65610663c6f37b3d896651b254bd60215629ade3b2a":"f17e37e73a28c682366bfe619cc673bb":"0f4dd201b18e20230b6233e0d7add6f96537dd4e82d3d0704c047fab41af5faf6bd52bd14fa9a072f81d92a2ce04352f0b66f088c67102d2d127a9850b09ff6087f194a6e8ccaba24091feb303eebb65f1203b2d22af44e7be4de71f03e6f6cbadf28e15af58f58eb62e5bddfae06df773cc3f0942520de20078dda752e3270f":64:"74110471ccd75912":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b0c85ac6b3887639838ddca94c5c69f38115aa00122322c8114642d12ea1b8fe":"0210fce418e7e2199cb8f899c81b9be74a630d00269755f882fc4db27632e99685cc12c426a7503473646df1288d0ede28408be9add5713628700f8e2b2e27d7522520ed00ac47239084651eb99e7d03e1520aae137b768f3144232c16b72158fd5da4a26a2525b9b27791bf06d1eb2e671c54daf64fddc1420bc2a30a324ba5":"14f68e533ecf02bceb9a504d452e78c7":"796a46236fd0ff6572b1d6257c874038f870aa71cbb06b39046d0fb6489d6ae8622b5154292ae5c4e1d5ff706daedb2e812533ae3a635d339a7fbe53780e3e8204924a5deb4b6856618f4c7465d125a3edffe1ab8f88b31d49537791c0f3171f08dbb5ed1d9ed863dafbae4ecb46824a4922862fe0954ee2caa09ab0e77ed8fc":64:"6fb0b5c83b5212bf":"5e6c362f7587936bcb306673713a6f1fb080783a20e9bbb906456973e529cfa0298206184509c30e1d3793eaaa5d564edd4488f04311821eb652e0a1f4adaf6971505ca014788c8ce085ceb3523d70284ed2bb0aebeba7af83d484df69c87f55a93b3d87baa43bd301c4e55eb8c45dcf3e4612535ea1bd5fdb4c3b9056d0cae9":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b0c85ac6b3887639838ddca94c5c69f38115aa00122322c8114642d12ea1b8fe":"0210fce418e7e2199cb8f899c81b9be74a630d00269755f882fc4db27632e99685cc12c426a7503473646df1288d0ede28408be9add5713628700f8e2b2e27d7522520ed00ac47239084651eb99e7d03e1520aae137b768f3144232c16b72158fd5da4a26a2525b9b27791bf06d1eb2e671c54daf64fddc1420bc2a30a324ba5":"14f68e533ecf02bceb9a504d452e78c7":"796a46236fd0ff6572b1d6257c874038f870aa71cbb06b39046d0fb6489d6ae8622b5154292ae5c4e1d5ff706daedb2e812533ae3a635d339a7fbe53780e3e8204924a5deb4b6856618f4c7465d125a3edffe1ab8f88b31d49537791c0f3171f08dbb5ed1d9ed863dafbae4ecb46824a4922862fe0954ee2caa09ab0e77ed8fc":64:"6fb0b5c83b5212bf":"":"5e6c362f7587936bcb306673713a6f1fb080783a20e9bbb906456973e529cfa0298206184509c30e1d3793eaaa5d564edd4488f04311821eb652e0a1f4adaf6971505ca014788c8ce085ceb3523d70284ed2bb0aebeba7af83d484df69c87f55a93b3d87baa43bd301c4e55eb8c45dcf3e4612535ea1bd5fdb4c3b9056d0cae9":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e61b1a6b40e2ab1245ff65dcfb9948318ac4fe55e9ed600cec301dae32ae0e93":"8d67fa9fcf078e421cb63abeb25dba739ab0e09a091dd06b0c616e1e888f350edb2d73a42f57f115266ea20c7f8fc143ac746649612df06a5e29b4a15934dc049be1ab49d018ab86c4f37d8c3d9c714f038029e74d8ee3dbe61d81adc63712ea413b37f7604da12107aa1695d9b0981e5a92cdfaa5fbda0e31b22c6fd6f3b499":"c356244b3034d288e4d4fe901b8e27c1":"bdcfeb09d5b97bab05a7acd9849e7de2c5beb7a4dc573c7e1c1d0c0409245a6584023114fdcc6413c800ca16847bde750b27c4d590248e2ce457c19b0f614f6aff4d78d4a19b3251531e5e852fbb05d09412cc1ff8988d1955ca6f5fe2d820f20a7642e3ae69e8122b06ba0918e806400b9b615e1abe6fdd4f56a7d02d649083":32:"86acc02f":"7c73182eca97d9617abb478a6ce62e3491a7e9951981c89c3071b161a4c80440614c3f24d0155073e28dcccee96bc8303dab4901ef77318df522d16d9da47770ef022395d6104cd623d93d67090a27507fc8ca04157e7939e639c62cd0e7d8a472314833c0eaa9ba2fd54a25b02854e3bff25cccd638885c082374ae520ed392":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e61b1a6b40e2ab1245ff65dcfb9948318ac4fe55e9ed600cec301dae32ae0e93":"8d67fa9fcf078e421cb63abeb25dba739ab0e09a091dd06b0c616e1e888f350edb2d73a42f57f115266ea20c7f8fc143ac746649612df06a5e29b4a15934dc049be1ab49d018ab86c4f37d8c3d9c714f038029e74d8ee3dbe61d81adc63712ea413b37f7604da12107aa1695d9b0981e5a92cdfaa5fbda0e31b22c6fd6f3b499":"c356244b3034d288e4d4fe901b8e27c1":"bdcfeb09d5b97bab05a7acd9849e7de2c5beb7a4dc573c7e1c1d0c0409245a6584023114fdcc6413c800ca16847bde750b27c4d590248e2ce457c19b0f614f6aff4d78d4a19b3251531e5e852fbb05d09412cc1ff8988d1955ca6f5fe2d820f20a7642e3ae69e8122b06ba0918e806400b9b615e1abe6fdd4f56a7d02d649083":32:"86acc02f":"":"7c73182eca97d9617abb478a6ce62e3491a7e9951981c89c3071b161a4c80440614c3f24d0155073e28dcccee96bc8303dab4901ef77318df522d16d9da47770ef022395d6104cd623d93d67090a27507fc8ca04157e7939e639c62cd0e7d8a472314833c0eaa9ba2fd54a25b02854e3bff25cccd638885c082374ae520ed392":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4f5a02e9843d28c8c226ed70d44b8fced8fb757ab6ece4d4f06e3c3cec79e44f":"3ec13950d329f24074714c583bdc35686b811f775b76b0a8fcfa66fc56426c9d022f8ab0af38f8d2f71a068548330cdbe891670181ed7491bf40c739ef4dd93689fd35929b225089d2b151f83d9b3cd767300611144586767354c0491112c205409f3168092d27f9b9f433afb79820a2811984d48e70c1fb2a13bbb3ddbc53fb":"099e5d9aae89fb6391a18adf844a758e":"ad93e8662c3196e48cfdb5aa3bc923cd204151aa980cbec78f0d592b701f779c1c49f9e8686d7e2385a4146b21a643a59c18c8b82214f42560bcd686fad7c7c8e8c1944ce6b20ec9537dd14b6cf2592740ca112f4cd582250d69f240d3e957040e1f7e19c60b3c8f2bd00cb666604c38946eb9b2f17336d281b4794f71e538a2":32:"30298885":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4f5a02e9843d28c8c226ed70d44b8fced8fb757ab6ece4d4f06e3c3cec79e44f":"3ec13950d329f24074714c583bdc35686b811f775b76b0a8fcfa66fc56426c9d022f8ab0af38f8d2f71a068548330cdbe891670181ed7491bf40c739ef4dd93689fd35929b225089d2b151f83d9b3cd767300611144586767354c0491112c205409f3168092d27f9b9f433afb79820a2811984d48e70c1fb2a13bbb3ddbc53fb":"099e5d9aae89fb6391a18adf844a758e":"ad93e8662c3196e48cfdb5aa3bc923cd204151aa980cbec78f0d592b701f779c1c49f9e8686d7e2385a4146b21a643a59c18c8b82214f42560bcd686fad7c7c8e8c1944ce6b20ec9537dd14b6cf2592740ca112f4cd582250d69f240d3e957040e1f7e19c60b3c8f2bd00cb666604c38946eb9b2f17336d281b4794f71e538a2":32:"30298885":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1cdb218e0bd0e02156e5b48182990f778889793ef6018a8928e61164ac047c8e":"4d039618a0eb640329f90fe97de18bc928fc3fc7a0db42c97774bec2e882e872fc1097c8319f7837a16516bf387b1bae321c565e8fc1cb8480f051158e4685f0adba310d2c6253bc1300403cbd3f7ddcb2796a69f8bf9e73d47aada9a02673c1a3d5ecdac838abf22b385906236529a1b7dd5b8af2611a04cf4f83b15ba41cfc":"d2ffbb176f86bee958e08e5c7c6357c7":"bc580c4223f34e4f867d97febf9b03629d1c00c73df94436852cafd1408c945c5474c554cb0faf2bae35d3160c823d339a64ebd607cf765fa91f416fc6db042bc2bd7445c129b4a0e04b6f92a7b7b669eb70be9f9b2569e774db7cb7ae83943e3a12d29221356e08e5bf1b09e65f193d00d9fe89f82b84b3b8b062e649163dc8":32:"1997daa9":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1cdb218e0bd0e02156e5b48182990f778889793ef6018a8928e61164ac047c8e":"4d039618a0eb640329f90fe97de18bc928fc3fc7a0db42c97774bec2e882e872fc1097c8319f7837a16516bf387b1bae321c565e8fc1cb8480f051158e4685f0adba310d2c6253bc1300403cbd3f7ddcb2796a69f8bf9e73d47aada9a02673c1a3d5ecdac838abf22b385906236529a1b7dd5b8af2611a04cf4f83b15ba41cfc":"d2ffbb176f86bee958e08e5c7c6357c7":"bc580c4223f34e4f867d97febf9b03629d1c00c73df94436852cafd1408c945c5474c554cb0faf2bae35d3160c823d339a64ebd607cf765fa91f416fc6db042bc2bd7445c129b4a0e04b6f92a7b7b669eb70be9f9b2569e774db7cb7ae83943e3a12d29221356e08e5bf1b09e65f193d00d9fe89f82b84b3b8b062e649163dc8":32:"1997daa9":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dc1a145c18bdbca760f35eea0d4a5992de04a0615964ec8b419c8288ab1470f0":"":"7f8368254955e1b6d55b5c64458f3e66":"":128:"8ddaa2c3ed09d53731834fa932d9d3af":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"dc1a145c18bdbca760f35eea0d4a5992de04a0615964ec8b419c8288ab1470f0":"":"7f8368254955e1b6d55b5c64458f3e66":"":128:"8ddaa2c3ed09d53731834fa932d9d3af":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7b4766d3a6615ee58b390daa228ae7a541c46ce80a1efe227cc43cb777df3232":"":"274367f31ec16601fe87a8e35b7a22dd":"":128:"5f3a757b596e06e9b246ed9bac9397f9":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7b4766d3a6615ee58b390daa228ae7a541c46ce80a1efe227cc43cb777df3232":"":"274367f31ec16601fe87a8e35b7a22dd":"":128:"5f3a757b596e06e9b246ed9bac9397f9":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d19b04055bf6e7ff82e89daef66c9d8319ab25f9197e559444c5729b92c4f338":"":"796efaff4f172bef78453d36a237cd36":"":128:"3b445f38bf4db94f1a9ec771173a29e8":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d19b04055bf6e7ff82e89daef66c9d8319ab25f9197e559444c5729b92c4f338":"":"796efaff4f172bef78453d36a237cd36":"":128:"3b445f38bf4db94f1a9ec771173a29e8":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7ca68e300534a90a7a87ca9906e4ac614a6aa51f769b6e6129753a4f83d10317":"":"45e6b23f8b3feefd4b0ea06880b2c324":"":120:"6c0a1c9c2cf5a40407bfa1d5958612":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7ca68e300534a90a7a87ca9906e4ac614a6aa51f769b6e6129753a4f83d10317":"":"45e6b23f8b3feefd4b0ea06880b2c324":"":120:"6c0a1c9c2cf5a40407bfa1d5958612":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a2b7cd693239bbc93599d3d12c9876e7303b227b8ae718e2c62e689e1fd62903":"":"548c9c8fcc16416a9d2b35c29f0dacb3":"":120:"3aa21f221266e7773eeba4440d1d01":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a2b7cd693239bbc93599d3d12c9876e7303b227b8ae718e2c62e689e1fd62903":"":"548c9c8fcc16416a9d2b35c29f0dacb3":"":120:"3aa21f221266e7773eeba4440d1d01":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"156b854beb0c276a5e724f5da72f0d1ca4ae7cbd5f93a2257d95c2e5bfd78ad4":"":"a5129e2530f47bcad42fc5774ee09fe7":"":120:"6bb09ed183527c5d5ed46f568af35f":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"156b854beb0c276a5e724f5da72f0d1ca4ae7cbd5f93a2257d95c2e5bfd78ad4":"":"a5129e2530f47bcad42fc5774ee09fe7":"":120:"6bb09ed183527c5d5ed46f568af35f":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d824330c60141264e1f709d63227a9a731bcc42b4adec1d8f0161b10b4fdb2ab":"":"c5afaa45312c64ab3c3cf9d6c4e0cc47":"":112:"55952a01eee29d8a1734bbdf3f8f":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d824330c60141264e1f709d63227a9a731bcc42b4adec1d8f0161b10b4fdb2ab":"":"c5afaa45312c64ab3c3cf9d6c4e0cc47":"":112:"55952a01eee29d8a1734bbdf3f8f":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b5517589948d8aea778df6fd66c17a170d327f69e504f0a4bd504c4286a9f578":"":"6404b111c6289eefa0d88ed6117bb730":"":112:"637f82e592831531a8e877adfc2c":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b5517589948d8aea778df6fd66c17a170d327f69e504f0a4bd504c4286a9f578":"":"6404b111c6289eefa0d88ed6117bb730":"":112:"637f82e592831531a8e877adfc2c":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f6137b2bcbd327fbcc7f313efa10f6ffaed30e4782e222e1225c87103fcae905":"":"3b87b08337a82272b192bd067e3245ec":"":112:"1f2dda372f20ffddd9dd4810e05f":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"f6137b2bcbd327fbcc7f313efa10f6ffaed30e4782e222e1225c87103fcae905":"":"3b87b08337a82272b192bd067e3245ec":"":112:"1f2dda372f20ffddd9dd4810e05f":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b5e70d1b78e931abf44bba3f937dbc344858516a8a8afe605818dc67d0c3e4c4":"":"58e70095c6f3a0cda2cdc7775e2f383d":"":104:"1763573f7dab8b46bc177e6147":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b5e70d1b78e931abf44bba3f937dbc344858516a8a8afe605818dc67d0c3e4c4":"":"58e70095c6f3a0cda2cdc7775e2f383d":"":104:"1763573f7dab8b46bc177e6147":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"90de0c047d1dd01d521f2dedec7eb81bc0ace7a5a693a7869eaafbb6e725ad7b":"":"d565c9cdfb5d0a25c4083b51729626bd":"":104:"78738d3e9f5e00b49635ac9a2d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"90de0c047d1dd01d521f2dedec7eb81bc0ace7a5a693a7869eaafbb6e725ad7b":"":"d565c9cdfb5d0a25c4083b51729626bd":"":104:"78738d3e9f5e00b49635ac9a2d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c43e8dbeafb079692483a9fcbab964b76fccca6ca99e1388a1aa9bf78dfd2f02":"":"f2bd4fe0d30c0e8d429cac90c8a7b1c8":"":104:"ea7b52490943380ccc902ca5ae":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c43e8dbeafb079692483a9fcbab964b76fccca6ca99e1388a1aa9bf78dfd2f02":"":"f2bd4fe0d30c0e8d429cac90c8a7b1c8":"":104:"ea7b52490943380ccc902ca5ae":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"13540919fdb95559e37b535a427efeee334309e34c4608459e204d931b8087e7":"":"c993c1802df0f075ce92963eb9bff9bd":"":96:"edfab013213591beb53e6419":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"13540919fdb95559e37b535a427efeee334309e34c4608459e204d931b8087e7":"":"c993c1802df0f075ce92963eb9bff9bd":"":96:"edfab013213591beb53e6419":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2a7b2e07c148ff0f627ae28c241a395876bbed0c20f3fd637330e986db025714":"":"8f7e1621c2227839da4ea60548290ffa":"":96:"f9da62f59c080160ec30b43d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2a7b2e07c148ff0f627ae28c241a395876bbed0c20f3fd637330e986db025714":"":"8f7e1621c2227839da4ea60548290ffa":"":96:"f9da62f59c080160ec30b43d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b3e7837a75b38ae6d4299a1ae4af3c2460dfca558708de0874d6b1a5689b8360":"":"05d363b2452beff4b47afb052ac3c973":"":96:"6b4a16d1ea1c21b22bdcb235":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b3e7837a75b38ae6d4299a1ae4af3c2460dfca558708de0874d6b1a5689b8360":"":"05d363b2452beff4b47afb052ac3c973":"":96:"6b4a16d1ea1c21b22bdcb235":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9df3ccd95f7570f6ecf5e5329dcb79bcd46cbcf083fe03aa8f5bd0f645c6a607":"":"774f4e70a7577b5101c0c3d019655d3e":"":64:"98ff89a8e28c03fd":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9df3ccd95f7570f6ecf5e5329dcb79bcd46cbcf083fe03aa8f5bd0f645c6a607":"":"774f4e70a7577b5101c0c3d019655d3e":"":64:"98ff89a8e28c03fd":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1c7123e2e8d3774c8f1bdbb2272f19129e04f29b4351ae19c3b9d24e6ea1fe87":"":"99f25cebd6cfa7f41390b42df6a65f48":"":64:"8e14a0a4853a156a":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1c7123e2e8d3774c8f1bdbb2272f19129e04f29b4351ae19c3b9d24e6ea1fe87":"":"99f25cebd6cfa7f41390b42df6a65f48":"":64:"8e14a0a4853a156a":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"490090323e9257517e2453469caa3414045cacb4d05d5cebc6b9c06fa6d19291":"":"c1beff1ff6cdd62339aa21149c4da1e6":"":64:"f998d7c08d609b3a":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"490090323e9257517e2453469caa3414045cacb4d05d5cebc6b9c06fa6d19291":"":"c1beff1ff6cdd62339aa21149c4da1e6":"":64:"f998d7c08d609b3a":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"360e48dd38d9e7f5bf29a2994ab5b3c9c70247102d94049ae791850807a4c845":"":"88126c350dfc079c569210ee44a0e31a":"":32:"f2ebe5e4":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"360e48dd38d9e7f5bf29a2994ab5b3c9c70247102d94049ae791850807a4c845":"":"88126c350dfc079c569210ee44a0e31a":"":32:"f2ebe5e4":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1562b32e4dd843edaf4474b62cadd8f46d50461f5b22c9f1a8eae7367d35d71b":"":"af29fdb96f726c76f76c473c873b9e08":"":32:"13fd6dfd":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1562b32e4dd843edaf4474b62cadd8f46d50461f5b22c9f1a8eae7367d35d71b":"":"af29fdb96f726c76f76c473c873b9e08":"":32:"13fd6dfd":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,0,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d5160d0c98ffcb1c26aad755f67589000e2bb25fa940e6b1d81d780f421353d9":"":"1552604763453b48a57cea1aed8113f4":"":32:"660c5175":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d5160d0c98ffcb1c26aad755f67589000e2bb25fa940e6b1d81d780f421353d9":"":"1552604763453b48a57cea1aed8113f4":"":32:"660c5175":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c3a3ea3a097c0c2b3a4cb78462d87fd5a8f348687c4150e9d3354b388ab13d17":"":"f77945979241fb3a454d8e3da193e169":"a69bac31241a2c07d3f7e331b77f662b1e67ccb81c07f52578b01f5785de9437f02eb7627ca7b9af09c1cb428fe93d6deb31f4d6dd2f0729f87480bdeb92d985de1aaad4bcebc6fbad83bede9a5dd1ca6a15bf5d8a96d4edb5bee1f7d195e9b2e5fb2221a596d69f257c18a143eda870e22d3f2ed20c9b3b0d8c8a229c462fff":128:"6b4b1a84f49befe3897d59ce85598a9f":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c3a3ea3a097c0c2b3a4cb78462d87fd5a8f348687c4150e9d3354b388ab13d17":"":"f77945979241fb3a454d8e3da193e169":"a69bac31241a2c07d3f7e331b77f662b1e67ccb81c07f52578b01f5785de9437f02eb7627ca7b9af09c1cb428fe93d6deb31f4d6dd2f0729f87480bdeb92d985de1aaad4bcebc6fbad83bede9a5dd1ca6a15bf5d8a96d4edb5bee1f7d195e9b2e5fb2221a596d69f257c18a143eda870e22d3f2ed20c9b3b0d8c8a229c462fff":128:"6b4b1a84f49befe3897d59ce85598a9f":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e1626327d987342cba5c8c63b75b4ed65463a2b9c831f4f9f80325fa867d1d73":"":"4e25800deab7ecec2a2311f8fb44eb7d":"ebaffd558f24dae03117c69ac4b2b4aaeaffe7e0e7599eaba678bfce23a9914dc9f80b69f4a1c837a5544cba08064a8f924064cba4d783623600d8b61837a08b4e0d4eb9218c29bc3edb8dd0e78c1534ab52331f949b09b25fbf73bece7054179817bc15b4e869c5df1af569c2b19cb6d060855be9a15f2cf497c168c4e683f2":128:"8faa0ffb91311a1a2827b86fec01788d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e1626327d987342cba5c8c63b75b4ed65463a2b9c831f4f9f80325fa867d1d73":"":"4e25800deab7ecec2a2311f8fb44eb7d":"ebaffd558f24dae03117c69ac4b2b4aaeaffe7e0e7599eaba678bfce23a9914dc9f80b69f4a1c837a5544cba08064a8f924064cba4d783623600d8b61837a08b4e0d4eb9218c29bc3edb8dd0e78c1534ab52331f949b09b25fbf73bece7054179817bc15b4e869c5df1af569c2b19cb6d060855be9a15f2cf497c168c4e683f2":128:"8faa0ffb91311a1a2827b86fec01788d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"938da64b837275b0c80c442bdf2301aa75e387fe65a775d10a8ec840f62ff429":"":"dec6adeb60216cbb8a6c3afba49fa201":"4ac144bd95f405649444f01ab67ef3e4c0a54fdbd933b6ba00518c79db45c22c90030c45aadcfdb53ec8199be0cbb22dbb9ab938a871f4b3b0c98ed32590a051abb946c42726b3e9701f183b2092985e3457943a6350fbcaece2e6b111b179ea3fd10ac080a577a1481785111d5f294bc28519c470ff94392a51a2c40a42d8b5":128:"2211ca91a809adb8cf55f001745c0563":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"938da64b837275b0c80c442bdf2301aa75e387fe65a775d10a8ec840f62ff429":"":"dec6adeb60216cbb8a6c3afba49fa201":"4ac144bd95f405649444f01ab67ef3e4c0a54fdbd933b6ba00518c79db45c22c90030c45aadcfdb53ec8199be0cbb22dbb9ab938a871f4b3b0c98ed32590a051abb946c42726b3e9701f183b2092985e3457943a6350fbcaece2e6b111b179ea3fd10ac080a577a1481785111d5f294bc28519c470ff94392a51a2c40a42d8b5":128:"2211ca91a809adb8cf55f001745c0563":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e2436484ea1f454d6451ad8dbd1574b208d7a3ab4fa34869299b85c24348b43d":"":"97040d2ec094fe1c64fa35b35b7451a7":"bc198677513ce0e66697dfe52b22315fa5d8f92042f34cc9f373a01f94607df1a599132f60af010ed9b5e52162dd7b162912b68b11700e08f5fdafd84d10f760fc05ec97c05b83e55155194f399594015b90a19c04fb992e228940fe1b54ba59c4bb8318b33cc0df1cb1d71c389473dfb3eefabfe269ca95db59a7bc0201c253":120:"2e080ba16011e22a779da1922345c2":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e2436484ea1f454d6451ad8dbd1574b208d7a3ab4fa34869299b85c24348b43d":"":"97040d2ec094fe1c64fa35b35b7451a7":"bc198677513ce0e66697dfe52b22315fa5d8f92042f34cc9f373a01f94607df1a599132f60af010ed9b5e52162dd7b162912b68b11700e08f5fdafd84d10f760fc05ec97c05b83e55155194f399594015b90a19c04fb992e228940fe1b54ba59c4bb8318b33cc0df1cb1d71c389473dfb3eefabfe269ca95db59a7bc0201c253":120:"2e080ba16011e22a779da1922345c2":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7fb3fc72eb8a3aa5b102f90039f852cc3fd64f46915f5e49f1d9e02fe9cc13b1":"":"f6120fea313362524917c53d90bafb4f":"60c2be7fbd15faf895fd19a9ce775fe2b183b45cffafe4fcbf50d421bea97347e41a9418cfa129b2dda63b889a70063010215dbe38c37feae18bc31b34f31b726f22177f2b4b9d648dd4aa80edfd12dafaee10baa83224354432d1cb62ccabe38bb8448d162cd0d30e988d2e1a2458ffdafaacbdff928756390f66dc60d7ea45":120:"83de3f521fcfdaff902386f359e683":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7fb3fc72eb8a3aa5b102f90039f852cc3fd64f46915f5e49f1d9e02fe9cc13b1":"":"f6120fea313362524917c53d90bafb4f":"60c2be7fbd15faf895fd19a9ce775fe2b183b45cffafe4fcbf50d421bea97347e41a9418cfa129b2dda63b889a70063010215dbe38c37feae18bc31b34f31b726f22177f2b4b9d648dd4aa80edfd12dafaee10baa83224354432d1cb62ccabe38bb8448d162cd0d30e988d2e1a2458ffdafaacbdff928756390f66dc60d7ea45":120:"83de3f521fcfdaff902386f359e683":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"697c96d80d0a3fa9af35b86f31fb71a17aed30ce841c79896bbc8863b3b3ee04":"":"3a5163ec7e007061838d755ac219855e":"de50c12da63232768d5eb9920d49683b5b7114cb77448fa10b9d63552ec5d9c2eac94b375d11f944959f903bb20c696639b6e7f108ec1e873870098c631ddacb2c25268cfc26d2a4cacfb7dda7383374c5456bcf4daa887a887f4293f8caa14419472a8bf7ffd214dfb2743091238b6d1142b116c2b9f4360c6fe0015cd7de81":120:"cd4542b26094a1c8e058648874f06f":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"697c96d80d0a3fa9af35b86f31fb71a17aed30ce841c79896bbc8863b3b3ee04":"":"3a5163ec7e007061838d755ac219855e":"de50c12da63232768d5eb9920d49683b5b7114cb77448fa10b9d63552ec5d9c2eac94b375d11f944959f903bb20c696639b6e7f108ec1e873870098c631ddacb2c25268cfc26d2a4cacfb7dda7383374c5456bcf4daa887a887f4293f8caa14419472a8bf7ffd214dfb2743091238b6d1142b116c2b9f4360c6fe0015cd7de81":120:"cd4542b26094a1c8e058648874f06f":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"66c1d9ce3feb0e966c33e3fd542ec11cc32f18c2514b953103d32abcdc72633a":"":"46fdb88fdde9b7d74e893802a0303256":"55d2f263d2e3cf0b390fce1dd1ebd5f666086f26e1ce2f08002bedbb810ada3922c6bfcf6a6adaa556e9e326c9766f02b3eb6e278da2fa3baa7dbdb6373be3c6ecfbe646b1a39e27c5a449db9b559e7ea3496366b8cdbca00ee7a3dea7fdfbea1665bbf58bd69bb961c33a0fd7d37b580b6a82804f394f9d5d4366772cee3115":112:"96ca402b16b0f2cd0cdff77935d3":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"66c1d9ce3feb0e966c33e3fd542ec11cc32f18c2514b953103d32abcdc72633a":"":"46fdb88fdde9b7d74e893802a0303256":"55d2f263d2e3cf0b390fce1dd1ebd5f666086f26e1ce2f08002bedbb810ada3922c6bfcf6a6adaa556e9e326c9766f02b3eb6e278da2fa3baa7dbdb6373be3c6ecfbe646b1a39e27c5a449db9b559e7ea3496366b8cdbca00ee7a3dea7fdfbea1665bbf58bd69bb961c33a0fd7d37b580b6a82804f394f9d5d4366772cee3115":112:"96ca402b16b0f2cd0cdff77935d3":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d7c949420dc9497232cd5810f316d11f9e85d36c430b5943ba79836d88c1eb92":"":"7ef9788ff09cbeedd9569d49083a4097":"ca1de5cc3fcde2638eb72210e551e9c0e0a3f5570d5be83a9a4406b545d854bf17e75b9cd0f4c45722fbd71319a317b72a8798485e9316a1c8102432b83bc95af42f6d50700ba68f6f2e19b6af609b73ad643dfa43da94be32cc09b024e087c120e4d2c20f96f8e9ddfe7eae186a540a22131cedfe556d1ebd9306684e345fd1":112:"8233588fca3ad1698d07b25fa3c4":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d7c949420dc9497232cd5810f316d11f9e85d36c430b5943ba79836d88c1eb92":"":"7ef9788ff09cbeedd9569d49083a4097":"ca1de5cc3fcde2638eb72210e551e9c0e0a3f5570d5be83a9a4406b545d854bf17e75b9cd0f4c45722fbd71319a317b72a8798485e9316a1c8102432b83bc95af42f6d50700ba68f6f2e19b6af609b73ad643dfa43da94be32cc09b024e087c120e4d2c20f96f8e9ddfe7eae186a540a22131cedfe556d1ebd9306684e345fd1":112:"8233588fca3ad1698d07b25fa3c4":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6fe7c70815aa12326cdcbb2d2d3e088bbaaef98b730f87fe8510b33d30e12afe":"":"e0253bd1f19e99a7f8848206fb8ac4a4":"397897eca4856f90d14c3cdfe1ad3cba47e23174ae2dab7d2a6320898584e03bffa3ffd526f416d7b3c579b0f3628744e36eebb5df519240c81d8bbbf5c5966519c5da083ab30a7aa42deae6180e517cdd764b7f77d19cc1a84141817758887a8d7265e7e62279b9d33cd2f1ba10fd54c6c96d4b8a5dbe2318fef629c8e2af0f":112:"477b0a884d788d1905646bd66084":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6fe7c70815aa12326cdcbb2d2d3e088bbaaef98b730f87fe8510b33d30e12afe":"":"e0253bd1f19e99a7f8848206fb8ac4a4":"397897eca4856f90d14c3cdfe1ad3cba47e23174ae2dab7d2a6320898584e03bffa3ffd526f416d7b3c579b0f3628744e36eebb5df519240c81d8bbbf5c5966519c5da083ab30a7aa42deae6180e517cdd764b7f77d19cc1a84141817758887a8d7265e7e62279b9d33cd2f1ba10fd54c6c96d4b8a5dbe2318fef629c8e2af0f":112:"477b0a884d788d1905646bd66084":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cbeefb3817cb02d617f385cf2371d52c8bcbc29e5e7a55cd2da131ca184c6e89":"":"f74156d6400ae46b612531848bffe18f":"1abe2ab05ceccf2391273126fe4a4426b94d2c3b97a7f1cd2ee6bb952bf4a546e972b5a1701d5ddb0e5bb7a248fcb47107a9fc77e4b9806b68a11850119aa239fa8be1370e3a2e1a8b168f7323afdfc4b8917d92570167848a56132d68876abc386c258a9233dc8a9eb73443b052e842c3d63e8b5369acdd038404e4e9a4b038":104:"0cb67cec1820339fa0552702dd":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"cbeefb3817cb02d617f385cf2371d52c8bcbc29e5e7a55cd2da131ca184c6e89":"":"f74156d6400ae46b612531848bffe18f":"1abe2ab05ceccf2391273126fe4a4426b94d2c3b97a7f1cd2ee6bb952bf4a546e972b5a1701d5ddb0e5bb7a248fcb47107a9fc77e4b9806b68a11850119aa239fa8be1370e3a2e1a8b168f7323afdfc4b8917d92570167848a56132d68876abc386c258a9233dc8a9eb73443b052e842c3d63e8b5369acdd038404e4e9a4b038":104:"0cb67cec1820339fa0552702dd":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e6f5f65ce2fc8ec3f602f5df90eb7d506dd771337913680ac16bdcd15c56583d":"":"9212a548c597677d1747e98ce6fb18a4":"55ca486c0183d0134925880d2e21dde0af51c4c77c6038a5a9c0497884e0aa4715bdb5b4bb864acc708ac00b511a24fa08496df6a0ca83259110e97a011b876e748a1d0eae2951ce7c22661a3e2ecf50633c50e3d26fa33c2319c139b288825b7aa5efbd133a5ce7483feecb11167099565e3131d5f0cb360f2174f46cb6b37c":104:"08d7cc52d1637db2a43c399310":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e6f5f65ce2fc8ec3f602f5df90eb7d506dd771337913680ac16bdcd15c56583d":"":"9212a548c597677d1747e98ce6fb18a4":"55ca486c0183d0134925880d2e21dde0af51c4c77c6038a5a9c0497884e0aa4715bdb5b4bb864acc708ac00b511a24fa08496df6a0ca83259110e97a011b876e748a1d0eae2951ce7c22661a3e2ecf50633c50e3d26fa33c2319c139b288825b7aa5efbd133a5ce7483feecb11167099565e3131d5f0cb360f2174f46cb6b37c":104:"08d7cc52d1637db2a43c399310":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0e9a0391435acb57eae2e6217e0941c79a3ff938ec6a19b8a7db2ea972e49f54":"":"27cd1d7af7e491e30c8110cc01392529":"79140d32bb32dace0779e2d37a0f744d6d973e99a279962b43a6c0af63772e8a0a21d5d9dd3c33d4b218cb2f6f24dd8d93bb4e1e6a788cb93135321ecfed455e747fa919b85b63b9e98b4980a8ccb3b19d50d735742cb5853720c2ad37fa5b0e655149583585830f8d799c0d2e67c0dc24fc9273d9730f3bb367c487a5f89a25":104:"fbb477dd4b9898a9abc5a45c63":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0e9a0391435acb57eae2e6217e0941c79a3ff938ec6a19b8a7db2ea972e49f54":"":"27cd1d7af7e491e30c8110cc01392529":"79140d32bb32dace0779e2d37a0f744d6d973e99a279962b43a6c0af63772e8a0a21d5d9dd3c33d4b218cb2f6f24dd8d93bb4e1e6a788cb93135321ecfed455e747fa919b85b63b9e98b4980a8ccb3b19d50d735742cb5853720c2ad37fa5b0e655149583585830f8d799c0d2e67c0dc24fc9273d9730f3bb367c487a5f89a25":104:"fbb477dd4b9898a9abc5a45c63":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"55a12eeca637654252e3e40b371667e3f308b00f2fd2af696223e4cd89e3fd4e":"":"8a3793b6441258360f7f4801b03d0b26":"f5810dc5f25e49bd6d94bc63c2494aa7a579a4056a25f1dd9b2734d0b8731ee52523edd54ff475651d45c213e1bf254327fb0e2c41a7d85345b02bcc9d27b08915d332e1659671991a4bb74055967bebbba6ecceb182f57977130623d5a7b2175fa5a84b334868661c1f450b95562928b4791759796a177d59ed18bbf141e2ad":96:"99230019630647aedebbb24b":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"55a12eeca637654252e3e40b371667e3f308b00f2fd2af696223e4cd89e3fd4e":"":"8a3793b6441258360f7f4801b03d0b26":"f5810dc5f25e49bd6d94bc63c2494aa7a579a4056a25f1dd9b2734d0b8731ee52523edd54ff475651d45c213e1bf254327fb0e2c41a7d85345b02bcc9d27b08915d332e1659671991a4bb74055967bebbba6ecceb182f57977130623d5a7b2175fa5a84b334868661c1f450b95562928b4791759796a177d59ed18bbf141e2ad":96:"99230019630647aedebbb24b":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3d353f870a9c088de5674efd97646b9c5420b2bcdfcffefcadd81682847e5331":"":"f267fa982af5c85359b6447f9b7715ea":"7cf55630867af5dff747c8dd25bcc531d94a7730a20b6c03d46059ea93fcaa00d07ee17dad0e0dff814b02dfef0cbe00b37fd2f5f95ead7c72be60016f2934d7683fc1e47185c7211c49cb03e209b088edb14e533dbcb792ab7033728904f7ff12381a236dba97894ec1fafcf853ab15fff343f9265d0283acef10168ffd1271":96:"9553b583d4f9a1a8946fe053":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3d353f870a9c088de5674efd97646b9c5420b2bcdfcffefcadd81682847e5331":"":"f267fa982af5c85359b6447f9b7715ea":"7cf55630867af5dff747c8dd25bcc531d94a7730a20b6c03d46059ea93fcaa00d07ee17dad0e0dff814b02dfef0cbe00b37fd2f5f95ead7c72be60016f2934d7683fc1e47185c7211c49cb03e209b088edb14e533dbcb792ab7033728904f7ff12381a236dba97894ec1fafcf853ab15fff343f9265d0283acef10168ffd1271":96:"9553b583d4f9a1a8946fe053":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d227c9ff5d17a984983056fb96f3991932ae8132377529c29238cf7db94a359d":"":"b8f6536f376a7efe0e684acf350bae70":"1cc25da31f90de7fa47ebce92754d3faa99f88d4e25ccab45645c1acdf850d55d7f02f61a0bfdc3125f29259d7da8abef532fe0966c63d3486753c8a2cb63a39349a0641b2f2b9526a03b97d58ca60fbb054c6c164ff2836688b0cad54df2b165bc082eeae660e768dde5130e30f8edc863446661c74da69b9e56de8ae388da0":96:"44b95a37fab232c2efb11231":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d227c9ff5d17a984983056fb96f3991932ae8132377529c29238cf7db94a359d":"":"b8f6536f376a7efe0e684acf350bae70":"1cc25da31f90de7fa47ebce92754d3faa99f88d4e25ccab45645c1acdf850d55d7f02f61a0bfdc3125f29259d7da8abef532fe0966c63d3486753c8a2cb63a39349a0641b2f2b9526a03b97d58ca60fbb054c6c164ff2836688b0cad54df2b165bc082eeae660e768dde5130e30f8edc863446661c74da69b9e56de8ae388da0":96:"44b95a37fab232c2efb11231":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b2a57ef85ffcf0548c3d087012b336c46f6574cf1d97ca087bfad042ee83eec2":"":"3d580402d2a8dc4d7466e5dcb456be7a":"c2b9e95c16e55028794a63ef82d11fb83a2a75dc34a81f238e472c33264534bdd54cd07d02a0ecf9019ad1a6d6c779f339dd479e37940486950f183bade24fca2f24f06d4037b3555b09fc80279ea311769473eb0630b694a29823324cdf780d7d1a50d89f7a23b05f7a8c3ad04b7949aa9e6a55978ba48d8078b5a2fd3c1bbb":64:"072d4118e70cd5ab":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b2a57ef85ffcf0548c3d087012b336c46f6574cf1d97ca087bfad042ee83eec2":"":"3d580402d2a8dc4d7466e5dcb456be7a":"c2b9e95c16e55028794a63ef82d11fb83a2a75dc34a81f238e472c33264534bdd54cd07d02a0ecf9019ad1a6d6c779f339dd479e37940486950f183bade24fca2f24f06d4037b3555b09fc80279ea311769473eb0630b694a29823324cdf780d7d1a50d89f7a23b05f7a8c3ad04b7949aa9e6a55978ba48d8078b5a2fd3c1bbb":64:"072d4118e70cd5ab":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"63889ed5bf2c27d518a696b71c0f85592e3337aae95b5bf07289e4c5dfdc088d":"":"1ad534280a0fac7dce31f2ae4fb73f5a":"be1b9dabea33bb9443e27f674b27931c0fba699a33dc86fab29e50b76a9441030444b465317bbf2949faf908bc1b501d11a5ea2042e4b460a85f3be5836729e523d99b56ef39231d5c6d8ae2c2ab36ef44e2aa02a1f2c559c6e333216c7f9ed5f9b880a88e920219204c99a3ae8f90afd1396563bc59a691a93e0070b0b5fd90":64:"1bcea0ac2c1a0c73":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"63889ed5bf2c27d518a696b71c0f85592e3337aae95b5bf07289e4c5dfdc088d":"":"1ad534280a0fac7dce31f2ae4fb73f5a":"be1b9dabea33bb9443e27f674b27931c0fba699a33dc86fab29e50b76a9441030444b465317bbf2949faf908bc1b501d11a5ea2042e4b460a85f3be5836729e523d99b56ef39231d5c6d8ae2c2ab36ef44e2aa02a1f2c559c6e333216c7f9ed5f9b880a88e920219204c99a3ae8f90afd1396563bc59a691a93e0070b0b5fd90":64:"1bcea0ac2c1a0c73":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"94e3e2c17cfb6f52d4fdba3ba6d18bba891b6662e85df14d7e61f04adb69e0e5":"":"8a80efb3bfe220526997543409fddb4d":"05da1b0f7ac6eef488d3f087ecae7f35abe3ef36d339709dc3fcb5b471979268ee894c3b6c7f984300d70bc5ea5fba923bfb41d88652bdaecc710964c51f3e2ae2c280b7d6c8e3b9a8a8991d19d92d46c8a158123187f19397ad1ad9080b4ffd04b82b5d68d89dacd3e76439013728c1395263e722b28e45dabf1ef46b8e70b5":64:"faa5c13d899f17ea":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"94e3e2c17cfb6f52d4fdba3ba6d18bba891b6662e85df14d7e61f04adb69e0e5":"":"8a80efb3bfe220526997543409fddb4d":"05da1b0f7ac6eef488d3f087ecae7f35abe3ef36d339709dc3fcb5b471979268ee894c3b6c7f984300d70bc5ea5fba923bfb41d88652bdaecc710964c51f3e2ae2c280b7d6c8e3b9a8a8991d19d92d46c8a158123187f19397ad1ad9080b4ffd04b82b5d68d89dacd3e76439013728c1395263e722b28e45dabf1ef46b8e70b5":64:"faa5c13d899f17ea":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe5e479ad0d79dbf717a1f51f5250d467819e444b79cb3def1e0033c80ddadd8":"":"47ce838083fd070d8544c0ad5337cdc6":"98476bf05a18c4ff1b6024dd779c1ac06d838705a0a83fe42bee5fc6ebf3b2a1a5049b67f4aabc8239cd6ff56504bcbad1e2498c159bbec2a6635933945f6ea49e5bc763dcf94f4b3643d3888f16105abb0965e24f51cb4949406124145e9ae31cc76535b4178492f38b311099df2751f674363ae7a58f6f93019653b7e6a6f0":32:"a3958500":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"fe5e479ad0d79dbf717a1f51f5250d467819e444b79cb3def1e0033c80ddadd8":"":"47ce838083fd070d8544c0ad5337cdc6":"98476bf05a18c4ff1b6024dd779c1ac06d838705a0a83fe42bee5fc6ebf3b2a1a5049b67f4aabc8239cd6ff56504bcbad1e2498c159bbec2a6635933945f6ea49e5bc763dcf94f4b3643d3888f16105abb0965e24f51cb4949406124145e9ae31cc76535b4178492f38b311099df2751f674363ae7a58f6f93019653b7e6a6f0":32:"a3958500":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"27d4dedb71a8f68ca5ce2b9e56da772bf5a09b7981d41cd29f485bd2d1adb8d4":"":"7e6f0343c54539717a97b6c8b9f7dec4":"d386db78043f719b7e137cbf79a7f53dda2fe3baccbebb57d499f6eb168e5151f10081d76b72ae0f30165efbdda469e826f9246e59dbcad5c0b27691c00d6c192c24073e99c19cf8c142087c0b83c4ce2fc7ba1e696394e5620ab2d117d5dcd2ac2298997407fd5de07d008de8f9941a4a5f8074736a59404118afac0700be6c":32:"50fd1798":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"27d4dedb71a8f68ca5ce2b9e56da772bf5a09b7981d41cd29f485bd2d1adb8d4":"":"7e6f0343c54539717a97b6c8b9f7dec4":"d386db78043f719b7e137cbf79a7f53dda2fe3baccbebb57d499f6eb168e5151f10081d76b72ae0f30165efbdda469e826f9246e59dbcad5c0b27691c00d6c192c24073e99c19cf8c142087c0b83c4ce2fc7ba1e696394e5620ab2d117d5dcd2ac2298997407fd5de07d008de8f9941a4a5f8074736a59404118afac0700be6c":32:"50fd1798":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,0,1024,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5a7aa836a469d28542d0d24d3232fad266da8fc889c6b6038b726d3da25f7b20":"":"9faf7cd805803e143ec8f3f13475efd2":"1006c707f608728b2bf64734062b12a5625062bcdcb80a3ce2058352a2922d5e6fbe19681b4f0d79ad3c837f81e72f2fbf8df669894e802a39072b26c286f4b05188c708f7c6edd5f5bb90b87ffa95b86d84d6c1c4591b11d22c772a8ad7f2fe6bd8b46be0e93672df2e8bff8ba80629e1846cfd4603e75f2d98874665c1a089":32:"07764143":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"5a7aa836a469d28542d0d24d3232fad266da8fc889c6b6038b726d3da25f7b20":"":"9faf7cd805803e143ec8f3f13475efd2":"1006c707f608728b2bf64734062b12a5625062bcdcb80a3ce2058352a2922d5e6fbe19681b4f0d79ad3c837f81e72f2fbf8df669894e802a39072b26c286f4b05188c708f7c6edd5f5bb90b87ffa95b86d84d6c1c4591b11d22c772a8ad7f2fe6bd8b46be0e93672df2e8bff8ba80629e1846cfd4603e75f2d98874665c1a089":32:"07764143":"":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a9444fd176acbe061d0221fde3ddfcc4ff74e995d981a831297c4cbda51c22a1":"c146ff5a988496cad7eced7a2ea471e0117d5d6bd2562c23ce9db4bf36d83ba3fc22e90486ec288a627d208e0b2fd3b65f8301cf7fc41d97959981a95cd1cf37effc46db99b94b21c941c3613c26a10b1a6b7793f467d58ff5134612230f1c49d7e1fcf664fe52fc6eca46273982f6fe729b009d90eb8d8e4a0b0dbe907b76da":"5714732145470da1c42452e10cd274b5":"":128:"db85b830a03357f408587410ebafd10d":"a3cad9a57fa28e6f6aaa37150a803bf8b77e765f0702e492c4e5ebb31ae6b12d791149153e469a92bb625784a699fd7ca517500ee3f2851840ba67063b28b481e24ba441314e8b7128f5aaccaf4c4e2c92258eb27310bf031422b7fc2f220f621d4c64837c9377222aced2411628018a409a744902c9e95c14b77d5bb7f5846b":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a9444fd176acbe061d0221fde3ddfcc4ff74e995d981a831297c4cbda51c22a1":"c146ff5a988496cad7eced7a2ea471e0117d5d6bd2562c23ce9db4bf36d83ba3fc22e90486ec288a627d208e0b2fd3b65f8301cf7fc41d97959981a95cd1cf37effc46db99b94b21c941c3613c26a10b1a6b7793f467d58ff5134612230f1c49d7e1fcf664fe52fc6eca46273982f6fe729b009d90eb8d8e4a0b0dbe907b76da":"5714732145470da1c42452e10cd274b5":"":128:"db85b830a03357f408587410ebafd10d":"":"a3cad9a57fa28e6f6aaa37150a803bf8b77e765f0702e492c4e5ebb31ae6b12d791149153e469a92bb625784a699fd7ca517500ee3f2851840ba67063b28b481e24ba441314e8b7128f5aaccaf4c4e2c92258eb27310bf031422b7fc2f220f621d4c64837c9377222aced2411628018a409a744902c9e95c14b77d5bb7f5846b":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"686d3bd071e3f46f180611bc4ec8d7726fe72b6c617e7d42b3339f53918c9e36":"21983ad66449c557263aef299da6eef8f31d576fc17ed2dac3e836f7c2ceaff3094b2695452680e188df10c174810efd1fbaa6c832baedce0b92e4c7121447f6461ac909b4302cdf658095b1de532b536faa4fb38cfdf4192eb5c3fe090d979a343492f841b1edc6eb24b24bdcb90bbbe36d5f8409ce7d27194a7bb995ecc387":"a714e51e43aecfe2fda8f824ea1dc4b7":"":128:"cd30c3618c10d57e9a4477b4a44c5c36":"9610908a0eb2ee885981c9e512e1a55075a212d311073bbb2fb9248cce07af16ee4c58bdc8dbe806d28480f9065838146f3e1eb3ae97012cfe53863a13d487f061a49a6c78ca22a321fa25157dbe68c47d78f2359540cc9031ee42d78855ed90e6b8ea3d67725bfffcb6db3d438c982b5f88d9b660f7d82cb300c1fa1edebb6b":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"686d3bd071e3f46f180611bc4ec8d7726fe72b6c617e7d42b3339f53918c9e36":"21983ad66449c557263aef299da6eef8f31d576fc17ed2dac3e836f7c2ceaff3094b2695452680e188df10c174810efd1fbaa6c832baedce0b92e4c7121447f6461ac909b4302cdf658095b1de532b536faa4fb38cfdf4192eb5c3fe090d979a343492f841b1edc6eb24b24bdcb90bbbe36d5f8409ce7d27194a7bb995ecc387":"a714e51e43aecfe2fda8f824ea1dc4b7":"":128:"cd30c3618c10d57e9a4477b4a44c5c36":"":"9610908a0eb2ee885981c9e512e1a55075a212d311073bbb2fb9248cce07af16ee4c58bdc8dbe806d28480f9065838146f3e1eb3ae97012cfe53863a13d487f061a49a6c78ca22a321fa25157dbe68c47d78f2359540cc9031ee42d78855ed90e6b8ea3d67725bfffcb6db3d438c982b5f88d9b660f7d82cb300c1fa1edebb6b":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6fe81f15a02e2ecf46e61199c057102d160e6b5d447d4a275972323fff908c3e":"0b4ee0385e6665da8fd2ae47f2d0cf1c5bd395a3bb447047ab5a3ae0b95355bf83d0381119a8d4c01acbe60cd7885da650502f73498a682fdc94f7b14f4c753226064fa15e3a90a6083e053f52f404b0d22394e243b187f913ee2c6bb16c3033f79d794852071970523a67467ce63c35390c163775de2be68b505a63f60245e8":"91d55cfdcdcd7d735d48100ff82227c3":"":128:"cd7da82e890b6d7480c7186b2ea7e6f1":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6fe81f15a02e2ecf46e61199c057102d160e6b5d447d4a275972323fff908c3e":"0b4ee0385e6665da8fd2ae47f2d0cf1c5bd395a3bb447047ab5a3ae0b95355bf83d0381119a8d4c01acbe60cd7885da650502f73498a682fdc94f7b14f4c753226064fa15e3a90a6083e053f52f404b0d22394e243b187f913ee2c6bb16c3033f79d794852071970523a67467ce63c35390c163775de2be68b505a63f60245e8":"91d55cfdcdcd7d735d48100ff82227c3":"":128:"cd7da82e890b6d7480c7186b2ea7e6f1":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4c2095e1379389dc3810e8819314f5a2f87d1494213c5b1de1a402f7f4f746c4":"26ec8ebac0560538a948afbc18fb730e9a91f21392bde24b88b200f96114b229a5b57fa9d02cf10e6592d4dfb28bf0f00740c61157ce28784e9066ea3afd44ecf3a494723610cb593c0feffc6897e3435c6f448697ad3e241685c4e133eff53bdd0fe44dd8a033cfb1e1ea37a493934eb5303ae6ef47ce6478f767ef9e3301ab":"19788b2e0bd757947596676436e22df1":"":120:"f26a20bea561004267a0bfbf01674e":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"4c2095e1379389dc3810e8819314f5a2f87d1494213c5b1de1a402f7f4f746c4":"26ec8ebac0560538a948afbc18fb730e9a91f21392bde24b88b200f96114b229a5b57fa9d02cf10e6592d4dfb28bf0f00740c61157ce28784e9066ea3afd44ecf3a494723610cb593c0feffc6897e3435c6f448697ad3e241685c4e133eff53bdd0fe44dd8a033cfb1e1ea37a493934eb5303ae6ef47ce6478f767ef9e3301ab":"19788b2e0bd757947596676436e22df1":"":120:"f26a20bea561004267a0bfbf01674e":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"be5351efc0277afc9759ec2464a22cb4401f7a17efd1a205e7af023c7ed30ee1":"1eca91406f338fc09c2988b1d7dc8c409d719300c03840a497d7b680cdd5e09b144903477f7116a934e1d931cf368af1fc2a0a0e7caa95475a3cd7bf585a16fda31eb3f8201db0216b37a1635c1c030836b3dd05ca5b0194388fa198e717822131d5d4318690ef82d35ac80b27fff19aec8f020dc6c6ce28f0813bbbf8230ad9":"c6b26117d9dbd80c1c242ad41abe2acc":"":120:"61051d6c0801b4a6b6ca0124c019f3":"95447aded336d6c20d483a6f062d533efed0261ad321d37bf8b7321b98f55c0f0082ce7f3d341b18fea29a72fc909d30cd8c84a1640227227287674a9b2f16a81b191ecf3b6232d656c32d7b38bea82a1b27d5897694a2be56d7e39aa1e725f326b91bad20455f58a94a545170cb43d13d4b91e1cee82abb6a6e0d95d4de0567":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"be5351efc0277afc9759ec2464a22cb4401f7a17efd1a205e7af023c7ed30ee1":"1eca91406f338fc09c2988b1d7dc8c409d719300c03840a497d7b680cdd5e09b144903477f7116a934e1d931cf368af1fc2a0a0e7caa95475a3cd7bf585a16fda31eb3f8201db0216b37a1635c1c030836b3dd05ca5b0194388fa198e717822131d5d4318690ef82d35ac80b27fff19aec8f020dc6c6ce28f0813bbbf8230ad9":"c6b26117d9dbd80c1c242ad41abe2acc":"":120:"61051d6c0801b4a6b6ca0124c019f3":"":"95447aded336d6c20d483a6f062d533efed0261ad321d37bf8b7321b98f55c0f0082ce7f3d341b18fea29a72fc909d30cd8c84a1640227227287674a9b2f16a81b191ecf3b6232d656c32d7b38bea82a1b27d5897694a2be56d7e39aa1e725f326b91bad20455f58a94a545170cb43d13d4b91e1cee82abb6a6e0d95d4de0567":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"814c2cdfdeecf39d43bb141fbfc62dac44f7552c5e5dac2d4913303fc860119b":"0d3013a1d7132f685d001420daa6c7b643bc36b887511acc4588237d3b412c79e4ebba29c08248ad46c7239e8daa232b7483c9c4e3d1c0bbebc696401efe21f7fd6fc0525a4ab81bd9a893d5f7ab23b70ed07c00f33649b8a996a006de6c94f7793f72848793f4d5b31311c68aae1e715b37409fbe506dac038a0950f05fe82b":"0db3ade15cb0dea98a47d1377e034d63":"":120:"e62f910b6046ba4e934d3cfc6e024c":"374d03cfe4dacf668df5e703902cc784f011f418b43887702972dcc3f021bcb9bdd61ed5425f2975b6da7052c4859501eb2f295eb95d10ba6b2d74e7decc1acacebf8568e93a70a7f40be41ac38db6f751518c2f44a69c01c44745c51ad9a333eda9c89d001aa644f1e4063a8eb2a3592e21c6abc515b5aacaec8c32bcf1d3c4":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"814c2cdfdeecf39d43bb141fbfc62dac44f7552c5e5dac2d4913303fc860119b":"0d3013a1d7132f685d001420daa6c7b643bc36b887511acc4588237d3b412c79e4ebba29c08248ad46c7239e8daa232b7483c9c4e3d1c0bbebc696401efe21f7fd6fc0525a4ab81bd9a893d5f7ab23b70ed07c00f33649b8a996a006de6c94f7793f72848793f4d5b31311c68aae1e715b37409fbe506dac038a0950f05fe82b":"0db3ade15cb0dea98a47d1377e034d63":"":120:"e62f910b6046ba4e934d3cfc6e024c":"":"374d03cfe4dacf668df5e703902cc784f011f418b43887702972dcc3f021bcb9bdd61ed5425f2975b6da7052c4859501eb2f295eb95d10ba6b2d74e7decc1acacebf8568e93a70a7f40be41ac38db6f751518c2f44a69c01c44745c51ad9a333eda9c89d001aa644f1e4063a8eb2a3592e21c6abc515b5aacaec8c32bcf1d3c4":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1ae4541110f2bc4f83cd720b5c40c8315413d896e034b75007f172baa13d29ec":"5ea811e7fbfc0e00bf2a6abfac50cad9efd90041c5f7fb8f046a0fecbd193b70a2de8a774d01dd3cd54f848cb3e9f5152ee1b052ba698bebfba1fbbdae44a260447d6e6482640ae4d01c9cac3d37d4ffe9a0de0b6001de504a33ef7620efe3ce48ecd6f5b1b3a89185c86d4d662a843ff730e040e3668d6170be4cced8a18a1c":"83f98eec51ee4cae4cb7fe28b64d1355":"":112:"df47eef69ba2faab887aa8f48e4b":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1ae4541110f2bc4f83cd720b5c40c8315413d896e034b75007f172baa13d29ec":"5ea811e7fbfc0e00bf2a6abfac50cad9efd90041c5f7fb8f046a0fecbd193b70a2de8a774d01dd3cd54f848cb3e9f5152ee1b052ba698bebfba1fbbdae44a260447d6e6482640ae4d01c9cac3d37d4ffe9a0de0b6001de504a33ef7620efe3ce48ecd6f5b1b3a89185c86d4d662a843ff730e040e3668d6170be4cced8a18a1c":"83f98eec51ee4cae4cb7fe28b64d1355":"":112:"df47eef69ba2faab887aa8f48e4b":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"20c9b662ec4bd13bf58d64cb0a7159b0e7fee4703af66292bf75c8bd6e42e8dc":"45b64f2ed5ac707890c0c1726adf338770ce6a728fe86bb372c4c49409a32705f881bc4d31a27c455c7c7df9dd2c541743523e7d32f88930d988857847f011be5f5f31a31e8812745147cbff5c1294d0fd4a7285db4833f22bf1975250da99c4d0dd2c9688d7f8001bb6ef2bc898ce4d42c5b78e74645b56ce992338f49d4183":"2bc0847d46f3d1064bbf8fe8567f54a2":"":112:"5a1bf25aa8d5c3fe5cf1be8e54a1":"9079d6275db076625e8474c2914fe483d413d5339202f98f06c3b0ef063d8f3d31029deaf7f9349bfec57e5cf11f46f02d5a6520c7992efc951adbbea6d08e53faeb10dfe8b67ee4685da9ea4fe932551a65821147d06d4c462338e6ddda52017c2bc187fd6d02b7d5193f77da809d4e59a9061efad2f9cadbc4cd9b29728d32":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"20c9b662ec4bd13bf58d64cb0a7159b0e7fee4703af66292bf75c8bd6e42e8dc":"45b64f2ed5ac707890c0c1726adf338770ce6a728fe86bb372c4c49409a32705f881bc4d31a27c455c7c7df9dd2c541743523e7d32f88930d988857847f011be5f5f31a31e8812745147cbff5c1294d0fd4a7285db4833f22bf1975250da99c4d0dd2c9688d7f8001bb6ef2bc898ce4d42c5b78e74645b56ce992338f49d4183":"2bc0847d46f3d1064bbf8fe8567f54a2":"":112:"5a1bf25aa8d5c3fe5cf1be8e54a1":"":"9079d6275db076625e8474c2914fe483d413d5339202f98f06c3b0ef063d8f3d31029deaf7f9349bfec57e5cf11f46f02d5a6520c7992efc951adbbea6d08e53faeb10dfe8b67ee4685da9ea4fe932551a65821147d06d4c462338e6ddda52017c2bc187fd6d02b7d5193f77da809d4e59a9061efad2f9cadbc4cd9b29728d32":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0a1554db37f2e275732a77e521cbd8170729d8677a85db73feacf3c66a89d689":"5421d93b7e6e0091978c673df4f3a406aef5f13eb5e6f95da19b0783308cbe26d4fd6c669cc4a9f069d7e62e4c6fad14b80e918fe91556a9a941a28b3dbf776a68ac7c42df7059b5ed713e78120aec84e7b68e96226c2b5e11a994864ed61b122e7e42ef6cfdae278fadbae1b3ea3362f4e6dc68eef6a70477b8a3ffcfba0df9":"b9194a4d42b139f04c29178467955f1d":"":112:"05949d591793ca52e679bfdf64f3":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0a1554db37f2e275732a77e521cbd8170729d8677a85db73feacf3c66a89d689":"5421d93b7e6e0091978c673df4f3a406aef5f13eb5e6f95da19b0783308cbe26d4fd6c669cc4a9f069d7e62e4c6fad14b80e918fe91556a9a941a28b3dbf776a68ac7c42df7059b5ed713e78120aec84e7b68e96226c2b5e11a994864ed61b122e7e42ef6cfdae278fadbae1b3ea3362f4e6dc68eef6a70477b8a3ffcfba0df9":"b9194a4d42b139f04c29178467955f1d":"":112:"05949d591793ca52e679bfdf64f3":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3ab1d9bb571c4bdc9f3ef340914bddcfe0c8e7718d4a2530334372cec86e5fcb":"80bcea307e009745724d5f15d21f3b61a5d5a8401530346b34a2adfa13e3e8c9c9327d6fad914b081e554fbe6c1c6fe070b566620e559555c702c0ab5becf61ea1d9de64351ce43b2276ef4e20b5af7ce43db6d21286af4e740ef00c6d790705afcf0ee4850fffc12c662f2bd8212feb21db31065ab8f717a7509c213352b869":"6a5335901284dd3b64dc4a7f810bab96":"":104:"04b8e5423aee8c06539f435edd":"36b9602eee20b8f18dce0783cd1e01a799f81ae0a1ce6d293a26c62f47e7dad85c8446697cc09c81d3d9ead6f9e55c4147211660c8aea9536cc5516e9883c7d6854be580af8cd47ba38fa8451f0dad9c904e0e7f9997eff7e29bf880cd7cedd79493a0e299efe644046e4a46bf6645dfb2397b3a482a346b215deb778c9b7636":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"3ab1d9bb571c4bdc9f3ef340914bddcfe0c8e7718d4a2530334372cec86e5fcb":"80bcea307e009745724d5f15d21f3b61a5d5a8401530346b34a2adfa13e3e8c9c9327d6fad914b081e554fbe6c1c6fe070b566620e559555c702c0ab5becf61ea1d9de64351ce43b2276ef4e20b5af7ce43db6d21286af4e740ef00c6d790705afcf0ee4850fffc12c662f2bd8212feb21db31065ab8f717a7509c213352b869":"6a5335901284dd3b64dc4a7f810bab96":"":104:"04b8e5423aee8c06539f435edd":"":"36b9602eee20b8f18dce0783cd1e01a799f81ae0a1ce6d293a26c62f47e7dad85c8446697cc09c81d3d9ead6f9e55c4147211660c8aea9536cc5516e9883c7d6854be580af8cd47ba38fa8451f0dad9c904e0e7f9997eff7e29bf880cd7cedd79493a0e299efe644046e4a46bf6645dfb2397b3a482a346b215deb778c9b7636":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7dddbd5657e22750bfe6baa70a1f4ac46c1ef8bee573a57cfcef50b66f85e593":"2bf5aba83a8161b9d21ff29251fb0efa697b1ea9c1b3de8481d5fd4d6b57afda0b098decdc8278cc855f25da4116ed558fc4e665a49a8fff3aef11115757a99c10b5a73b1f794f9502186c13dc79442f9226bbf4df19a6440281f76184933aeae438a25f85dbd0781e020a9f7e29fb8e517f597719e639cbd6061ea3b4b67fb0":"fcb962c39e4850efc8ffd43d9cd960a6":"":104:"1d8cdadcf1872fb2b697e82ef6":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7dddbd5657e22750bfe6baa70a1f4ac46c1ef8bee573a57cfcef50b66f85e593":"2bf5aba83a8161b9d21ff29251fb0efa697b1ea9c1b3de8481d5fd4d6b57afda0b098decdc8278cc855f25da4116ed558fc4e665a49a8fff3aef11115757a99c10b5a73b1f794f9502186c13dc79442f9226bbf4df19a6440281f76184933aeae438a25f85dbd0781e020a9f7e29fb8e517f597719e639cbd6061ea3b4b67fb0":"fcb962c39e4850efc8ffd43d9cd960a6":"":104:"1d8cdadcf1872fb2b697e82ef6":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6916b93b2712421f1f4582de7ec4237c4e42e2b32c7dced2f8bb5bd2e0598312":"3739cca20279a36ddb857ac22beae901a49529b3182463ab81a7c46e437eb0b0571e8c16f7b626ecd9f2ca0cd83debe3f83e5d58ed3738899f4b616755eb57fb965208f261736bdf7648b1f8595c6b6a779768115e3077dfee7a42d44b555a51675fb1ce9961d0e21b2b9b477c0541184350e70decf7c14a4c24b8a6cd5fed8e":"b4d9248bb500e40de99ca2a13e743f1c":"":104:"090d03446d65adcc0a42387e8e":"0255be7ac7ac6feb3a21f572f6a593cc8a97f17af7064c80e478f4a6c469cf94d604bc014b003bf284d216161a9c8a493af43c6a0d8caf813a9e6f83c7ed56dd57543876b11f76aa2be80dcd79d19ac61f00fa423ac2f52fae7a8327cd91494ca4116feb735980ad0a4b1445cb7f38cc712b8aee72179e65b97fca38694e3670":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6916b93b2712421f1f4582de7ec4237c4e42e2b32c7dced2f8bb5bd2e0598312":"3739cca20279a36ddb857ac22beae901a49529b3182463ab81a7c46e437eb0b0571e8c16f7b626ecd9f2ca0cd83debe3f83e5d58ed3738899f4b616755eb57fb965208f261736bdf7648b1f8595c6b6a779768115e3077dfee7a42d44b555a51675fb1ce9961d0e21b2b9b477c0541184350e70decf7c14a4c24b8a6cd5fed8e":"b4d9248bb500e40de99ca2a13e743f1c":"":104:"090d03446d65adcc0a42387e8e":"":"0255be7ac7ac6feb3a21f572f6a593cc8a97f17af7064c80e478f4a6c469cf94d604bc014b003bf284d216161a9c8a493af43c6a0d8caf813a9e6f83c7ed56dd57543876b11f76aa2be80dcd79d19ac61f00fa423ac2f52fae7a8327cd91494ca4116feb735980ad0a4b1445cb7f38cc712b8aee72179e65b97fca38694e3670":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b751c8b724165009a8bd97a9d2a0e22cae5a95c4743c55eeeef0a6fe7d946bec":"e8546a5af1e38114822e60e75563a9399c88796f303c99c69d1f3c50379da81e1cd5b5a4a721e23c59da58ea4361b7ff58408e506a27fea24f9a235c6af7f7a5bd93fa31e90edfc322821c08d6324134830b7fe160b4a3e6d27866a10e6e60762a31618ef92f5c67ccb1deb1f1b188f0e687165e7c366c7418920df4f4fcdcae":"160c50c0621c03fd1572df6ba49f0d1e":"":96:"9fef9becf21901496772996f":"175fa6b7cd781ec057ff78ba410f2897a920739b5fc4f04bc9b998fbc7cc18e327ad44d59b167e4627256aaecd97dc3e4a7c9baaf51d177787a7f4a0a2d207a855753c4754d41348982d9418b6b24b590632d5115dc186b0ba3bec16b41fa47c0077c5d091ec705e554475024814c5167121dd224c544686398df3f33c210e82":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b751c8b724165009a8bd97a9d2a0e22cae5a95c4743c55eeeef0a6fe7d946bec":"e8546a5af1e38114822e60e75563a9399c88796f303c99c69d1f3c50379da81e1cd5b5a4a721e23c59da58ea4361b7ff58408e506a27fea24f9a235c6af7f7a5bd93fa31e90edfc322821c08d6324134830b7fe160b4a3e6d27866a10e6e60762a31618ef92f5c67ccb1deb1f1b188f0e687165e7c366c7418920df4f4fcdcae":"160c50c0621c03fd1572df6ba49f0d1e":"":96:"9fef9becf21901496772996f":"":"175fa6b7cd781ec057ff78ba410f2897a920739b5fc4f04bc9b998fbc7cc18e327ad44d59b167e4627256aaecd97dc3e4a7c9baaf51d177787a7f4a0a2d207a855753c4754d41348982d9418b6b24b590632d5115dc186b0ba3bec16b41fa47c0077c5d091ec705e554475024814c5167121dd224c544686398df3f33c210e82":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0faf32c22c2a4ee38fe4b5ce08f98fdf6f83b5038dcba5ec8332b3eeb5c710c7":"8a556cc30075753c6e94c2f669bca2058ff6abcbffffc82da7cfca0a45af82dfb4cf487ceb4ede72be87ee4c8b72db1e96459de1dc96721464c544c001d785f2188b9fccaec4b1a37970d38b326f30163d2fdfdf8a2ce74aec55abcd823772b54f8081d086a2e7b17b4086d6c4a5ea67828ef0b593ea1387b2c61f5dfe8f2bb0":"04885a5846f5f75a760193de7f07853c":"":96:"0c13506ed9f082dd08434342":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0faf32c22c2a4ee38fe4b5ce08f98fdf6f83b5038dcba5ec8332b3eeb5c710c7":"8a556cc30075753c6e94c2f669bca2058ff6abcbffffc82da7cfca0a45af82dfb4cf487ceb4ede72be87ee4c8b72db1e96459de1dc96721464c544c001d785f2188b9fccaec4b1a37970d38b326f30163d2fdfdf8a2ce74aec55abcd823772b54f8081d086a2e7b17b4086d6c4a5ea67828ef0b593ea1387b2c61f5dfe8f2bb0":"04885a5846f5f75a760193de7f07853c":"":96:"0c13506ed9f082dd08434342":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0dddc3d2f82bdcdbc37648a6b9b416af28753740f8e998cd1a52a0b665369f1c":"07bf84b15b21951fd22049be6991a672503ae243b8d285fb1e515e1d2c36bfd5b0d0bcce85791f2cea8f616aed68a7d9cf4eaf76418e8b1ec27751de67cbfd9d9f7905b2667904f10d598503f04c04ea00a681ff89a9c446d5763898430bd7a9dfebfe544e3ed3e639b362683a651e087626ffa63c0c2b3e0dd088b81b07f75e":"0a93b883cbd42998ae2e39aab342cb28":"":96:"5c37918edb7aa65b246fd5a6":"ff7b7b2f88b8c6f9f9bad7152874e995eea0ff1ce1ecd9b8d563642a37a31499f14d70f0dd835b7adf80928497f845fd8c2786cd53af25f8c9fe1bba24e3c3860162635bbed58f06cf6c9966bb9b570987a48329279bb84afb9e464bb4ad19ae6600175086e28929569027c5285d2ed97615e5a7dada40ba03c440861f524475":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0dddc3d2f82bdcdbc37648a6b9b416af28753740f8e998cd1a52a0b665369f1c":"07bf84b15b21951fd22049be6991a672503ae243b8d285fb1e515e1d2c36bfd5b0d0bcce85791f2cea8f616aed68a7d9cf4eaf76418e8b1ec27751de67cbfd9d9f7905b2667904f10d598503f04c04ea00a681ff89a9c446d5763898430bd7a9dfebfe544e3ed3e639b362683a651e087626ffa63c0c2b3e0dd088b81b07f75e":"0a93b883cbd42998ae2e39aab342cb28":"":96:"5c37918edb7aa65b246fd5a6":"":"ff7b7b2f88b8c6f9f9bad7152874e995eea0ff1ce1ecd9b8d563642a37a31499f14d70f0dd835b7adf80928497f845fd8c2786cd53af25f8c9fe1bba24e3c3860162635bbed58f06cf6c9966bb9b570987a48329279bb84afb9e464bb4ad19ae6600175086e28929569027c5285d2ed97615e5a7dada40ba03c440861f524475":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a0b1a62e46e7712277fc711e19d0c0c865ee77b42ac964b7202dbcaf428086c2":"7dd7c0787fdbea4aacf929341659dcf4b75cbca8f92001e8b62a4d7b40272c5755fa9c445857db05328dc11ce5221f044f4b3dafbf0e2d72a1ad0d3e4c804148db578218690ccc620d8b97b4450ff83400a6caaa959617611446a6627138a4067be9ea410d4b0581022ab621928205b4a4480560fc4c2c3b39a2805684006f35":"e20957a49a27e247d00379850f934d6c":"":64:"c99751516620bf89":"9307620479f076c39f53965c87d20c2aff11c736c040dba74cd690d275591a5defc57a02f6806de82eb7051548589484364f6c9b91f233a87258ede1ee276cb2c93b4fc76f4d7e60cbd29ba2c54cb479c178fa462c1c2fb6eeb3f1df0edfb894c9222b994c4931dedf7c6e8ddecbde385ddf4481807f52322a47bf5ff7272991":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"a0b1a62e46e7712277fc711e19d0c0c865ee77b42ac964b7202dbcaf428086c2":"7dd7c0787fdbea4aacf929341659dcf4b75cbca8f92001e8b62a4d7b40272c5755fa9c445857db05328dc11ce5221f044f4b3dafbf0e2d72a1ad0d3e4c804148db578218690ccc620d8b97b4450ff83400a6caaa959617611446a6627138a4067be9ea410d4b0581022ab621928205b4a4480560fc4c2c3b39a2805684006f35":"e20957a49a27e247d00379850f934d6c":"":64:"c99751516620bf89":"":"9307620479f076c39f53965c87d20c2aff11c736c040dba74cd690d275591a5defc57a02f6806de82eb7051548589484364f6c9b91f233a87258ede1ee276cb2c93b4fc76f4d7e60cbd29ba2c54cb479c178fa462c1c2fb6eeb3f1df0edfb894c9222b994c4931dedf7c6e8ddecbde385ddf4481807f52322a47bf5ff7272991":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ffcc1c88fba1723b3ab57b458d9bffb98b878c967fb43b9db2ae0753d32a3bb1":"19b6dec86d93c466307de3a36c0791ed1010b1b9cf8d30347ae46e0f9283c9fda43da8cb491dd17cc4298b1f0b876d6a0f4bcbc9667fe34564bc08f8f7b67045057d19f4bf027bc839e590822fa09a5cef1af18e64a0116aa2a01a3f246c2b5272c18c9aa23efe674ba53d533ae8f0695cb78c1155cdc7a9d7fae2c4567dc07c":"d533c2170c5dc203512c81c34eff4077":"":64:"167ec8675e7f9e12":"0539287ac546fe5342e4c3c0ec07127dcd22899abfe8cdd6e89d08f1374d76e877bec4844d06e0a9f32d181c8d945ba16a54ce3725fae21d8245c070a4da0c646203d6b91325b665ab98c30295851c59265b4ab567b968b6e98536b7850738d92e9627b4c9c6f5d9ae2520944783d8f788a1aa11f3f5245660d41f388e26e0a1":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ffcc1c88fba1723b3ab57b458d9bffb98b878c967fb43b9db2ae0753d32a3bb1":"19b6dec86d93c466307de3a36c0791ed1010b1b9cf8d30347ae46e0f9283c9fda43da8cb491dd17cc4298b1f0b876d6a0f4bcbc9667fe34564bc08f8f7b67045057d19f4bf027bc839e590822fa09a5cef1af18e64a0116aa2a01a3f246c2b5272c18c9aa23efe674ba53d533ae8f0695cb78c1155cdc7a9d7fae2c4567dc07c":"d533c2170c5dc203512c81c34eff4077":"":64:"167ec8675e7f9e12":"":"0539287ac546fe5342e4c3c0ec07127dcd22899abfe8cdd6e89d08f1374d76e877bec4844d06e0a9f32d181c8d945ba16a54ce3725fae21d8245c070a4da0c646203d6b91325b665ab98c30295851c59265b4ab567b968b6e98536b7850738d92e9627b4c9c6f5d9ae2520944783d8f788a1aa11f3f5245660d41f388e26e0a1":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"55e94b339c3bafe068ef9cc30787cc6705850114976843777c92b4b331801650":"147cc7bc4008dadf1956520b5998d961499bdf3d8b168591adbfd99411ad7b34eb4b2a5c1bb0522b810fec12dd7c775784d7ecdc741e6dec8191361e6abf473b219221801951b4d5ffe955ab50eef9cffdfee65ba29ddfa943fb52d722825338c307870a48a35f51db340aa946c71904d03174b1e4a498238b9d631a6982c68d":"2e2b31214d61276a54daf2ccb98baa36":"":64:"5266e9c67c252164":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"55e94b339c3bafe068ef9cc30787cc6705850114976843777c92b4b331801650":"147cc7bc4008dadf1956520b5998d961499bdf3d8b168591adbfd99411ad7b34eb4b2a5c1bb0522b810fec12dd7c775784d7ecdc741e6dec8191361e6abf473b219221801951b4d5ffe955ab50eef9cffdfee65ba29ddfa943fb52d722825338c307870a48a35f51db340aa946c71904d03174b1e4a498238b9d631a6982c68d":"2e2b31214d61276a54daf2ccb98baa36":"":64:"5266e9c67c252164":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"13c9572bdef62510d84f2d415cc481cd1e71b9c1132b43e63b21ba4e16de9b39":"7c78e634dec811173ff3c4a9a48ae3ae794fbd2aefd4b31701777ff6fcb670744c592a1d298d319717870dca364b2a3562a4ffa422bf7173c4f7ea9b0edf675e948f8370ffd0fd0d5703a9d33e8f9f375b8b641a1b1eecd1692ad1d461a68d97f91f9087f213aff23db1246ee16f403969c238f99eed894658277da23ced11ee":"a8339ba505a14786ad05edfe8cebb8d0":"":32:"df3cab08":"91f9780daefd2c1010c458054ac6e35baa885cdd2c95e28e13f84451064e31e0739f27bf259cb376ab951e1c7048e1252f0849ccb5453fc97b319666ebbfbc7ef3055212a61582d1b69158f3b1629950a41bc756bded20498492ebc49a1535d1bd915e59c49b87ffebea2f4ad4516ecdd63fa5afda9cce9dc730d6ab2757384a":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"13c9572bdef62510d84f2d415cc481cd1e71b9c1132b43e63b21ba4e16de9b39":"7c78e634dec811173ff3c4a9a48ae3ae794fbd2aefd4b31701777ff6fcb670744c592a1d298d319717870dca364b2a3562a4ffa422bf7173c4f7ea9b0edf675e948f8370ffd0fd0d5703a9d33e8f9f375b8b641a1b1eecd1692ad1d461a68d97f91f9087f213aff23db1246ee16f403969c238f99eed894658277da23ced11ee":"a8339ba505a14786ad05edfe8cebb8d0":"":32:"df3cab08":"":"91f9780daefd2c1010c458054ac6e35baa885cdd2c95e28e13f84451064e31e0739f27bf259cb376ab951e1c7048e1252f0849ccb5453fc97b319666ebbfbc7ef3055212a61582d1b69158f3b1629950a41bc756bded20498492ebc49a1535d1bd915e59c49b87ffebea2f4ad4516ecdd63fa5afda9cce9dc730d6ab2757384a":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"30a14ca53913acbb215b4e4159083106db3fff83cbedd1e5425f65af1e94f5dd":"8c5f73ee1544553b712ad7a14f31379c8d54a4e432fb6c5112436988d83c4e94954b0249b470538fb977b756fbee70b811d4dc047a869e207bb0b495f1e271d0034e912000e97594033e0dedde0591b297f8a84bafcc93a46268a5bba117b558f1c73513e971c80a7083e1718fc12d0cc0d996a8e09603d564f0b8e81eea28bc":"4f23f04904de76d6decd4bd380ff56b1":"":32:"18e92b96":"bb4b3f8061edd6fa418dd71fe22eb0528547050b3bfbaa1c74e82148470d557499ce856de3e988384c0a73671bf370e560d8fda96dabe4728b5f72a6f9efd5023b07a96a631cafdf2c878b2567104c466f82b89f429915cf3331845febcff008558f836b4c12d53e94d363eae43a50fc6cb36f4ca183be92ca5f299704e2c8cf":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"30a14ca53913acbb215b4e4159083106db3fff83cbedd1e5425f65af1e94f5dd":"8c5f73ee1544553b712ad7a14f31379c8d54a4e432fb6c5112436988d83c4e94954b0249b470538fb977b756fbee70b811d4dc047a869e207bb0b495f1e271d0034e912000e97594033e0dedde0591b297f8a84bafcc93a46268a5bba117b558f1c73513e971c80a7083e1718fc12d0cc0d996a8e09603d564f0b8e81eea28bc":"4f23f04904de76d6decd4bd380ff56b1":"":32:"18e92b96":"":"bb4b3f8061edd6fa418dd71fe22eb0528547050b3bfbaa1c74e82148470d557499ce856de3e988384c0a73671bf370e560d8fda96dabe4728b5f72a6f9efd5023b07a96a631cafdf2c878b2567104c466f82b89f429915cf3331845febcff008558f836b4c12d53e94d363eae43a50fc6cb36f4ca183be92ca5f299704e2c8cf":0
 
 AES-GCM NIST Validation (AES-256,128,1024,0,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e69f419140289ac25fb0e2ef9cc4f7e06777ac20f7d631918d1af0c8883b7d6a":"ff8dfa4e70490ea9c84cb894dc5d7e1b935ebcdea80a39c4161d4db42cbb269cc86abd381af15ec9a4a42ed18c1eed540decec19722df46f22aa06883297cb393fb23e4bb31a817e88357aa923c7ecbcf24c28a09f622dd21fa70c0a02193024fdcefeaa96cc1b50f81a65dfa9e1bb5126f0c9766a861eed096ec15fb07b0f81":"531248afdaaf1b86cf34d2394900afd9":"":32:"c6885cdd":"f75299e0ead3834fc7ebd4b2051541b598ad57cc908fdcd4324cf4ccf7dcf7b3f0737ad6c026399a8b1b6d3d50011b3c48ea2c89833b4b44c437677f230b75d36848781d4af14546894eecd873a2b1c3d2fcdd676b10bd55112038c0fdaa7b5598fe4db273a1b6744cba47189b7e2a973651bfc2aaa9e9abea4494047b957a80":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"e69f419140289ac25fb0e2ef9cc4f7e06777ac20f7d631918d1af0c8883b7d6a":"ff8dfa4e70490ea9c84cb894dc5d7e1b935ebcdea80a39c4161d4db42cbb269cc86abd381af15ec9a4a42ed18c1eed540decec19722df46f22aa06883297cb393fb23e4bb31a817e88357aa923c7ecbcf24c28a09f622dd21fa70c0a02193024fdcefeaa96cc1b50f81a65dfa9e1bb5126f0c9766a861eed096ec15fb07b0f81":"531248afdaaf1b86cf34d2394900afd9":"":32:"c6885cdd":"":"f75299e0ead3834fc7ebd4b2051541b598ad57cc908fdcd4324cf4ccf7dcf7b3f0737ad6c026399a8b1b6d3d50011b3c48ea2c89833b4b44c437677f230b75d36848781d4af14546894eecd873a2b1c3d2fcdd676b10bd55112038c0fdaa7b5598fe4db273a1b6744cba47189b7e2a973651bfc2aaa9e9abea4494047b957a80":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,128) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"404a5d1ac9e32f9caabffbfa485ce9c27edc9e5cde0f2aab4f32ce3121449b88":"b63ec4d28854b7fe2d4d13973f5bcb16f78494ce25cc2820de9d0dc1d8d91db1f19bc9e01cee8418c9e88a69b2f30cdbb0dbdbb50be71e1e666c111c126f2b7197c02f69a1b2ec5e1bf4062b2d0b22fb0fa1585b4e6286b29f6ac98d1b1319dd99851fa6921607077d2947140fdeeea145b56ea7b6af276c9f65393bc43ede33":"b6e6c078e6869df156faa9ac32f057c3":"6ebc75fc9304f2b139abc7d3f68b253228009c503a08b7be77852da9e1afbe72c9ab374740b0dc391fa4d7e17de6a0aa08c69e6f5c5f05411e71e70c69dfbcf693df84c30f7a8e6c7949ea1e734297c0ea3df9b7e905faa6bbdcaf1ff2625a39363308331d74892cf531cb3f6d7db31bbe9a039fca87100367747024f68c5b77":128:"94c1b9b70f9c48e7efd40ecab320c2d3":"56a0ac94f3ec7be2608154f779c434ee96db5ed4f5a6e1acfb32361ce04e16e1337be5978df06d7c4f6012385fb9d45bb397dc00f165883714b4a5b2f72f69c018ffa6d4420ad1b772e94575f035ad203be3d34b5b789a99389f295b43f004de3daaef7fa918712d3a23ca44329595e08da190e3678bc6ad9b500b9f885abe23":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"404a5d1ac9e32f9caabffbfa485ce9c27edc9e5cde0f2aab4f32ce3121449b88":"b63ec4d28854b7fe2d4d13973f5bcb16f78494ce25cc2820de9d0dc1d8d91db1f19bc9e01cee8418c9e88a69b2f30cdbb0dbdbb50be71e1e666c111c126f2b7197c02f69a1b2ec5e1bf4062b2d0b22fb0fa1585b4e6286b29f6ac98d1b1319dd99851fa6921607077d2947140fdeeea145b56ea7b6af276c9f65393bc43ede33":"b6e6c078e6869df156faa9ac32f057c3":"6ebc75fc9304f2b139abc7d3f68b253228009c503a08b7be77852da9e1afbe72c9ab374740b0dc391fa4d7e17de6a0aa08c69e6f5c5f05411e71e70c69dfbcf693df84c30f7a8e6c7949ea1e734297c0ea3df9b7e905faa6bbdcaf1ff2625a39363308331d74892cf531cb3f6d7db31bbe9a039fca87100367747024f68c5b77":128:"94c1b9b70f9c48e7efd40ecab320c2d3":"":"56a0ac94f3ec7be2608154f779c434ee96db5ed4f5a6e1acfb32361ce04e16e1337be5978df06d7c4f6012385fb9d45bb397dc00f165883714b4a5b2f72f69c018ffa6d4420ad1b772e94575f035ad203be3d34b5b789a99389f295b43f004de3daaef7fa918712d3a23ca44329595e08da190e3678bc6ad9b500b9f885abe23":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,128) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b56f0c980acf7875cf7f27d53ad4a276adc126d0b93a5774ac4277eecad4309e":"2c94299e36b7c4a825ecbc5a7809061e0a6761764a5a655ffdb0c20e5c3fcb10f4e93c68aa0a38c2acc5d06f2b7c4ff4fcf814b551bfefa248dbe06a09a0f153213538a31fa7cf7d646b5b53908d8978f514c9c4d6d66f2b3738024b5f9c3fd86b6da0c818203183f4205f186ea44a54edb911b1a17c424c95852c8d271b2e93":"b004c049decfb43d6f3ec13c56f839ef":"b2045b97fbb52a5fc6ff03d74e59dd696f3f442c0b555add8e6d111f835df420f45e970c4b32a84f0c45ba3710b5cd574001862b073efa5c9c4bd50127b2ce72d2c736c5e2723956da5a0acb82041a609386d07b50551c1d1fa4678886bac54b0bd080cc5ef607dca2a0d6a1e71f0e3833678bf8560bc059dae370ec94d43af6":128:"fce7234f7f76b5d502fd2b96fc9b1ce7":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"b56f0c980acf7875cf7f27d53ad4a276adc126d0b93a5774ac4277eecad4309e":"2c94299e36b7c4a825ecbc5a7809061e0a6761764a5a655ffdb0c20e5c3fcb10f4e93c68aa0a38c2acc5d06f2b7c4ff4fcf814b551bfefa248dbe06a09a0f153213538a31fa7cf7d646b5b53908d8978f514c9c4d6d66f2b3738024b5f9c3fd86b6da0c818203183f4205f186ea44a54edb911b1a17c424c95852c8d271b2e93":"b004c049decfb43d6f3ec13c56f839ef":"b2045b97fbb52a5fc6ff03d74e59dd696f3f442c0b555add8e6d111f835df420f45e970c4b32a84f0c45ba3710b5cd574001862b073efa5c9c4bd50127b2ce72d2c736c5e2723956da5a0acb82041a609386d07b50551c1d1fa4678886bac54b0bd080cc5ef607dca2a0d6a1e71f0e3833678bf8560bc059dae370ec94d43af6":128:"fce7234f7f76b5d502fd2b96fc9b1ce7":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,128) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1c5027c36e6caa1b3e5e45fead32b5e3126ac41f106c491b0b3a7c16502f4fe6":"58f0ceaa31c0025d2e6bb58720cce4b64f5f6c657c847ae42936eb1e343fea397c8a8cf2f5ef02ffaec25f431900dcb0910cf32cea9eca3b78aed1c451c7af51066489f87b2a5f8cf28d6fdb6ce49d898b6167b590a3907be7618be11fb0922a3cfd18e73efef19e5cdc250fa33f61e3940c6482ae35f339e8c0a85a17379a4e":"3ee660f03858669e557e3effdd7df6bd":"93e803c79de6ad652def62cf3cd34f9addc9dd1774967a0f69e1d28361eb2cacc177c63c07657389ce23bbe65d73e0460946d31be495424655c7724eac044cafafe1540fcbd4218921367054e43e3d21e0fa6a0da9f8b20c5cdbd019c944a2d2ee6aa6760ee1131e58fec9da30790f5a873e792098a82ddf18c3813611d9242a":128:"ac33f5ffca9df4efc09271ff7a4f58e2":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"1c5027c36e6caa1b3e5e45fead32b5e3126ac41f106c491b0b3a7c16502f4fe6":"58f0ceaa31c0025d2e6bb58720cce4b64f5f6c657c847ae42936eb1e343fea397c8a8cf2f5ef02ffaec25f431900dcb0910cf32cea9eca3b78aed1c451c7af51066489f87b2a5f8cf28d6fdb6ce49d898b6167b590a3907be7618be11fb0922a3cfd18e73efef19e5cdc250fa33f61e3940c6482ae35f339e8c0a85a17379a4e":"3ee660f03858669e557e3effdd7df6bd":"93e803c79de6ad652def62cf3cd34f9addc9dd1774967a0f69e1d28361eb2cacc177c63c07657389ce23bbe65d73e0460946d31be495424655c7724eac044cafafe1540fcbd4218921367054e43e3d21e0fa6a0da9f8b20c5cdbd019c944a2d2ee6aa6760ee1131e58fec9da30790f5a873e792098a82ddf18c3813611d9242a":128:"ac33f5ffca9df4efc09271ff7a4f58e2":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,120) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"34c3019810d72b5e584f0758f2f5888a42729a33610aafa9824badade4136bbd":"22deef66cbb7db240c399b6c83407f090d6999ba25e560b2087fed0467904bb5c40cbaa05b8bf0ff5a77c53fa229478d8e0736414daf9c420417c391c9a523fd85954533f1304d81359bdcc2c4ac90d9f5f8a67a517d7f05ba0409b718159baf11cd9154e815d5745179beb59954a45a8676a375d5af7fae4d0da05c4ea91a13":"f315ea36c17fc57dab3a2737d687cd4f":"f33c5a3a9e546ad5b35e4febf2ae557ca767b55d93bb3c1cf62d862d112dbd26f8fe2a3f54d347c1bc30029e55118bab2662b99b984b8b8e2d76831f94e48587de2709e32f16c26695f07e654b703eba6428f30070e23ed40b61d04dd1430e33c629117d945d9c0e4d36c79a8b8ab555d85083a898e7e7fbeb64a45cc3511d99":120:"0bae9403888efb4d8ec97df604cd5d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"34c3019810d72b5e584f0758f2f5888a42729a33610aafa9824badade4136bbd":"22deef66cbb7db240c399b6c83407f090d6999ba25e560b2087fed0467904bb5c40cbaa05b8bf0ff5a77c53fa229478d8e0736414daf9c420417c391c9a523fd85954533f1304d81359bdcc2c4ac90d9f5f8a67a517d7f05ba0409b718159baf11cd9154e815d5745179beb59954a45a8676a375d5af7fae4d0da05c4ea91a13":"f315ea36c17fc57dab3a2737d687cd4f":"f33c5a3a9e546ad5b35e4febf2ae557ca767b55d93bb3c1cf62d862d112dbd26f8fe2a3f54d347c1bc30029e55118bab2662b99b984b8b8e2d76831f94e48587de2709e32f16c26695f07e654b703eba6428f30070e23ed40b61d04dd1430e33c629117d945d9c0e4d36c79a8b8ab555d85083a898e7e7fbeb64a45cc3511d99":120:"0bae9403888efb4d8ec97df604cd5d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,120) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"29397d98fc5a7f04b5c8b6aa3a1dd975b6e4678457ae7f0691eee40b5397503a":"0bbf1079cb5569c32257bc7e52371db46f3961b457402b816588243b4523543430d5ca56b52de6632724c51e6c3af310b28822c749a12bdd58dee58bbc3266631562a998ec3acdc8a2567a9f07f7f9759c3f50b1d1dcdd529256b80c0d227fc1fe8b58c62d1c643f1ac2996809fd061afcf4a9af184c14db9e63ec885c49de61":"885543a45fd1163e34ef9276145b0f8c":"d88beaa0664bcef178cbdbfab17ff526b5c0f8ad9543c6a312d93c336707fbf87c0448b07a550580953279f552f368225cc6971f1eecc718d6aad1729c8d8873081357752bd09d77075fa680cb2dc4139171e4a0aaa50b28c262c14fd10b8d799ca1c6641bb7dfdfdf3dea69aa2b9e4e4726dc18b0784afa4228e5ccb1eb2422":120:"7b334d7af54b916821f6136e977a1f":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"29397d98fc5a7f04b5c8b6aa3a1dd975b6e4678457ae7f0691eee40b5397503a":"0bbf1079cb5569c32257bc7e52371db46f3961b457402b816588243b4523543430d5ca56b52de6632724c51e6c3af310b28822c749a12bdd58dee58bbc3266631562a998ec3acdc8a2567a9f07f7f9759c3f50b1d1dcdd529256b80c0d227fc1fe8b58c62d1c643f1ac2996809fd061afcf4a9af184c14db9e63ec885c49de61":"885543a45fd1163e34ef9276145b0f8c":"d88beaa0664bcef178cbdbfab17ff526b5c0f8ad9543c6a312d93c336707fbf87c0448b07a550580953279f552f368225cc6971f1eecc718d6aad1729c8d8873081357752bd09d77075fa680cb2dc4139171e4a0aaa50b28c262c14fd10b8d799ca1c6641bb7dfdfdf3dea69aa2b9e4e4726dc18b0784afa4228e5ccb1eb2422":120:"7b334d7af54b916821f6136e977a1f":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,120) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7555dfcf354da07fd70f951d94ec1d86a635edfdb7929460207b2a39cc0cf4a3":"a1351cfffd1b0cbf80c3318cc432d3238cb647e996b7b53c527783594683f535950cd08788687c77226b2d3f095955884adc2e475ca1e1eab04e37d5e901ae8934a9d3a0cb37b80612ca25d989856dfa7607b03039b64d7dcd468204f03e0f2c55cb41c5367c56ca6c561425992b40e2d4f380b3d8419f681e88ebe2d4bdad36":"e1b30b6a47e8c21228e41a21b1a004f0":"bf986d3842378440f8924bb7f117d1a86888a666915a93ba65d486d14c580501e736d3418cebee572439318b21b6e4e504a7b075b8c2300c014e87e04fa842b6a2a3ebd9e6134b9ddd78e0a696223b1dc775f3288a6a9569c64b4d8fc5e04f2047c70115f692d2c2cefe7488de42ff862d7c0f542e58d69f0f8c9bf67ef48aea":120:"d8ef5438b7cf5dc11209a635ce1095":"95e8db7c8ecab8a60ceb49726153a7c5553cf571bc40515944d833485e19bf33cb954e2555943778040165a6cfffecef79eb7d82fef5a2f136f004bb5e7c35ae827fac3da292a185b5b8fc262012c05caeda5453ede3303cfeb0c890db1facadaa2895bdbb33265ada0bb46030607b6cf94f86961178e2e2deeb53c63900f1ec":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"7555dfcf354da07fd70f951d94ec1d86a635edfdb7929460207b2a39cc0cf4a3":"a1351cfffd1b0cbf80c3318cc432d3238cb647e996b7b53c527783594683f535950cd08788687c77226b2d3f095955884adc2e475ca1e1eab04e37d5e901ae8934a9d3a0cb37b80612ca25d989856dfa7607b03039b64d7dcd468204f03e0f2c55cb41c5367c56ca6c561425992b40e2d4f380b3d8419f681e88ebe2d4bdad36":"e1b30b6a47e8c21228e41a21b1a004f0":"bf986d3842378440f8924bb7f117d1a86888a666915a93ba65d486d14c580501e736d3418cebee572439318b21b6e4e504a7b075b8c2300c014e87e04fa842b6a2a3ebd9e6134b9ddd78e0a696223b1dc775f3288a6a9569c64b4d8fc5e04f2047c70115f692d2c2cefe7488de42ff862d7c0f542e58d69f0f8c9bf67ef48aea":120:"d8ef5438b7cf5dc11209a635ce1095":"":"95e8db7c8ecab8a60ceb49726153a7c5553cf571bc40515944d833485e19bf33cb954e2555943778040165a6cfffecef79eb7d82fef5a2f136f004bb5e7c35ae827fac3da292a185b5b8fc262012c05caeda5453ede3303cfeb0c890db1facadaa2895bdbb33265ada0bb46030607b6cf94f86961178e2e2deeb53c63900f1ec":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,112) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"bbeafe86c72ab0354b733b69b09e4d3462feb1658fe404004d81503f3a6e132f":"a033c2051e425d01d97d563572e42c5113860e5dedcd24c76e3e357559ba3250f1fc5d4a931a9d0900ac025400f0158621f0b1215b2907467bfc874bcabbb28e28de81fe1ee5b79985261c512afec2327c8c5957df90c9eb77950de4a4860b57a9e6e145ea15eb52da63f217f94a5c8e5fcb5d361b86e0e67637a450cdbcb06f":"ee1caba93cb549054ca29715a536393e":"e44b0e0d275ae7c38a7dc2f768e899c1c11a4c4cb5b5bd25cd2132e3ecbaa5a63654312603e1c5b393c0ce6253c55986ee45bb1daac78a26749d88928f9b9908690fc148a656b78e3595319432763efbcf6957c9b2150ccabfd4833d0dcee01758c5efb47321a948b379a2ec0abcd6b6cbf41a8883f0f5d5bf7b240cb35f0777":112:"a4809e072f93deb7b77c52427095":"e62adf9bbd92dd03cc5250251691f724c6ece1cb89d8c4daf31cc732a5420f6bedab71aab0238ba23bd7165ed1f692561ef457fd1d47413949405b6fc8e17922b17026d89d5830b383546ea516a56f3a1c45ec1251583ae880fa8985bd3dcc1d6a57b746971937bf370e76482238cc08c2c3b13258151e0a6475cc017f8a3d0e":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"bbeafe86c72ab0354b733b69b09e4d3462feb1658fe404004d81503f3a6e132f":"a033c2051e425d01d97d563572e42c5113860e5dedcd24c76e3e357559ba3250f1fc5d4a931a9d0900ac025400f0158621f0b1215b2907467bfc874bcabbb28e28de81fe1ee5b79985261c512afec2327c8c5957df90c9eb77950de4a4860b57a9e6e145ea15eb52da63f217f94a5c8e5fcb5d361b86e0e67637a450cdbcb06f":"ee1caba93cb549054ca29715a536393e":"e44b0e0d275ae7c38a7dc2f768e899c1c11a4c4cb5b5bd25cd2132e3ecbaa5a63654312603e1c5b393c0ce6253c55986ee45bb1daac78a26749d88928f9b9908690fc148a656b78e3595319432763efbcf6957c9b2150ccabfd4833d0dcee01758c5efb47321a948b379a2ec0abcd6b6cbf41a8883f0f5d5bf7b240cb35f0777":112:"a4809e072f93deb7b77c52427095":"":"e62adf9bbd92dd03cc5250251691f724c6ece1cb89d8c4daf31cc732a5420f6bedab71aab0238ba23bd7165ed1f692561ef457fd1d47413949405b6fc8e17922b17026d89d5830b383546ea516a56f3a1c45ec1251583ae880fa8985bd3dcc1d6a57b746971937bf370e76482238cc08c2c3b13258151e0a6475cc017f8a3d0e":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,112) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6ad06c88dd4f3becf35eed95bb859be2406a1803a66e4332a74c5f75c09b9a01":"2219c11672884b93d0290b6a7140feafe416461f1cdaf0b3aa64693d7db2eb10feae46aac7af549fa1b0abc78c11f8df7ee803ef70310fc3e67769f8b4bc64f81143a6ebf8bee9d386a8ede5d2cc0ed17985a3b7bb95191ef55e684690ccdc5ca504bc6eb28442b353861a034a43532c025f666e80be967a6b05b9dd3a91ff58":"07d8b4a6e77aef9018828b61e0fdf2a4":"cca1fd0278045dda80b847f0975b6cbf31e1910d2c99b4eb78c360d89133a1c52e66c5c3801824afc1f079d2b2b1c827199e83f680e59b9a7de9b15fa7b6848b5bf4e16a12ac1af4cf2b4d7bb45673c5e1241e9996440860a9204fc27cae46a991607bc5e7120d6c115ddcbdd02c022b262602139081e61eee4aba7193f13992":112:"e3ede170386e76321a575c095966":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"6ad06c88dd4f3becf35eed95bb859be2406a1803a66e4332a74c5f75c09b9a01":"2219c11672884b93d0290b6a7140feafe416461f1cdaf0b3aa64693d7db2eb10feae46aac7af549fa1b0abc78c11f8df7ee803ef70310fc3e67769f8b4bc64f81143a6ebf8bee9d386a8ede5d2cc0ed17985a3b7bb95191ef55e684690ccdc5ca504bc6eb28442b353861a034a43532c025f666e80be967a6b05b9dd3a91ff58":"07d8b4a6e77aef9018828b61e0fdf2a4":"cca1fd0278045dda80b847f0975b6cbf31e1910d2c99b4eb78c360d89133a1c52e66c5c3801824afc1f079d2b2b1c827199e83f680e59b9a7de9b15fa7b6848b5bf4e16a12ac1af4cf2b4d7bb45673c5e1241e9996440860a9204fc27cae46a991607bc5e7120d6c115ddcbdd02c022b262602139081e61eee4aba7193f13992":112:"e3ede170386e76321a575c095966":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,112) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"87bbf7c15689e8c99a5a32a8ba0dfebcfe1989159807428cdd1f382c3ea95178":"b77d3bf3b30b3e6e5c86cbfb7e5455f6480f423cc76834b4663d28d9f1eb5c40212634e3347668427f7848352ab789886f96682a568260bdaeb7de0aae2af36f5ae04f06c332b158d923706c1c6255c673feeadb6d30bfc901e60b92acd9ddd83ef98686c4d492f4a60e97af2541d470a6a6b21903441020ea7619cf28a06986":"2f19aa1f3a82a7398706953f01739da7":"590dbd230854aa2b5ac19fc3dc9453e5bb9637e47d97b92486a599bdafdfb27c3852e3d06a91429bb820eb12a5318ed8861ffe87d659c462ef167be22604facfa3afb601b2167989b9e3b2e5b59e7d07fda27ffccd450869d528410b0aff468f70cc10ef6723a74af6eebc1572c123a9b5a9aab748a31fa764716d3293ff5de7":112:"5c43fc4dc959fabeebb188dbf3a5":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"87bbf7c15689e8c99a5a32a8ba0dfebcfe1989159807428cdd1f382c3ea95178":"b77d3bf3b30b3e6e5c86cbfb7e5455f6480f423cc76834b4663d28d9f1eb5c40212634e3347668427f7848352ab789886f96682a568260bdaeb7de0aae2af36f5ae04f06c332b158d923706c1c6255c673feeadb6d30bfc901e60b92acd9ddd83ef98686c4d492f4a60e97af2541d470a6a6b21903441020ea7619cf28a06986":"2f19aa1f3a82a7398706953f01739da7":"590dbd230854aa2b5ac19fc3dc9453e5bb9637e47d97b92486a599bdafdfb27c3852e3d06a91429bb820eb12a5318ed8861ffe87d659c462ef167be22604facfa3afb601b2167989b9e3b2e5b59e7d07fda27ffccd450869d528410b0aff468f70cc10ef6723a74af6eebc1572c123a9b5a9aab748a31fa764716d3293ff5de7":112:"5c43fc4dc959fabeebb188dbf3a5":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,104) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"24095a66b6eb0320ca75e2ab78e8496a45f4b000fc43436904c3e386fb852ed2":"4690edc843e23d9d9b9a4dab8fa8193f8bf03897d3d29759e9dc9e0f8a970c0f5d4399b9f60461fe5cf439f9b0d54bbc075695e4d76b76298cc2b75bb3e0b516ee9ada93f77c4c002ba9fd163a1e4b377befb76c1e5ab8b3901f214c0a4c48bd2aa2f33560d46e2721a060d4671dc97633ff9bcd703bb0fbed9a4a2c259b53f3":"0955c1f0e271edca279e016074886f60":"f5160c75c449e6bb971e73b7d04ab9b9a85879f6eb2d67354af94a4f0ca339c0a03a5b9ede87a4ff6823b698113a38ae5327e6878c3ccc0e36d74fe07aa51c027c3b334812862bc660178f5d0f3e764c0b828a5e3f2e7d7a1185b7e79828304a7ad3ddcd724305484177e66f4f81e66afdc5bbee0ec174bff5eb3719482bd2d8":104:"75a31347598f09fceeea6736fe":"0dd2dca260325967267667ff3ccdc6d6b35648821a42090abba46282869bac4bdc20a8bee024bea18a07396c38dbb45d9481fedcc423a3928cfa78a2f0ae8eedb062add810bdbee77ddc26c29e4f9fda1ab336d04ef42947b05fbdb9bc4df79e37af951d19d6bf5e5cb34eef898f23642a9c4a9111ed0b7a08abeeefbbd45c23":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"24095a66b6eb0320ca75e2ab78e8496a45f4b000fc43436904c3e386fb852ed2":"4690edc843e23d9d9b9a4dab8fa8193f8bf03897d3d29759e9dc9e0f8a970c0f5d4399b9f60461fe5cf439f9b0d54bbc075695e4d76b76298cc2b75bb3e0b516ee9ada93f77c4c002ba9fd163a1e4b377befb76c1e5ab8b3901f214c0a4c48bd2aa2f33560d46e2721a060d4671dc97633ff9bcd703bb0fbed9a4a2c259b53f3":"0955c1f0e271edca279e016074886f60":"f5160c75c449e6bb971e73b7d04ab9b9a85879f6eb2d67354af94a4f0ca339c0a03a5b9ede87a4ff6823b698113a38ae5327e6878c3ccc0e36d74fe07aa51c027c3b334812862bc660178f5d0f3e764c0b828a5e3f2e7d7a1185b7e79828304a7ad3ddcd724305484177e66f4f81e66afdc5bbee0ec174bff5eb3719482bd2d8":104:"75a31347598f09fceeea6736fe":"":"0dd2dca260325967267667ff3ccdc6d6b35648821a42090abba46282869bac4bdc20a8bee024bea18a07396c38dbb45d9481fedcc423a3928cfa78a2f0ae8eedb062add810bdbee77ddc26c29e4f9fda1ab336d04ef42947b05fbdb9bc4df79e37af951d19d6bf5e5cb34eef898f23642a9c4a9111ed0b7a08abeeefbbd45c23":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,104) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"086b77b5731f971f0bf5b8227361b216746daf8b08c583ad38f114a64aa7877b":"629317212ff8bd8a7676e4c00b81a9577de6397c832f99ac974fa2bbbccb6e3b8aa776db6922eed0b014bf3923799da7d9d0854c8817470e1e2f7fc7a572f9d0316ee60cde7ef025d59b897d29a6fee721aeb2f7bb44f9afb471e8a7b0b43a39b5497a3b4d6beb4b511f0cefa12ce5e6d843609d3e06999acfbee50a22ca1eee":"164058e5e425f9da40d22c9098a16204":"6633eae08a1df85f2d36e162f2d7ddd92b0c56b7477f3c6cdb9919d0e4b1e54ea7635c202dcf52d1c688afbbb15552adda32b4cd30aa462b367f02ded02e0d64eeee2a6b95462b191784143c25607fd08a23a2fbc75cf6bee294daf2042587fdd8fe3d22c3a242c624cf0a51a7c14db4f0f766ec437de4c83b64f23706a24437":104:"2eb6eb6d516ed4cf1778b4e378":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"086b77b5731f971f0bf5b8227361b216746daf8b08c583ad38f114a64aa7877b":"629317212ff8bd8a7676e4c00b81a9577de6397c832f99ac974fa2bbbccb6e3b8aa776db6922eed0b014bf3923799da7d9d0854c8817470e1e2f7fc7a572f9d0316ee60cde7ef025d59b897d29a6fee721aeb2f7bb44f9afb471e8a7b0b43a39b5497a3b4d6beb4b511f0cefa12ce5e6d843609d3e06999acfbee50a22ca1eee":"164058e5e425f9da40d22c9098a16204":"6633eae08a1df85f2d36e162f2d7ddd92b0c56b7477f3c6cdb9919d0e4b1e54ea7635c202dcf52d1c688afbbb15552adda32b4cd30aa462b367f02ded02e0d64eeee2a6b95462b191784143c25607fd08a23a2fbc75cf6bee294daf2042587fdd8fe3d22c3a242c624cf0a51a7c14db4f0f766ec437de4c83b64f23706a24437":104:"2eb6eb6d516ed4cf1778b4e378":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,104) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0f9e806b0d937268561c0eafbbdd14ec715b7e9cef4118d6eb28abbb91266745":"2ae4baef22ace26f464a9b0c75802303f2d7c0f9a1ed1d0180135189765bdd347fea0cc2b73ee7fbbf95ea1fda22597b8aad826f63e744069a9c349488b2cc1cf9372f423cc650302082125724730ae5a4d878e07385ddc99034c6b6b46748f02c80b179fe6406b1d33581950cb9bcd1d1ea1ec7b5becfd6c1f5b279412c433a":"8657996634e74d4689f292645f103a2e":"2ca253355e893e58cb1a900fbb62d61595de5c4186dc8a9129da3657a92b4a631bbdc3d5f86395385a9aa8557b67f886e3bb807620e558c93aea8e65826eadeb21544418ee40f5420c2d2b8270491be6fc2dcbfd12847fa350910dd615e9a1881bc2ced3b0ac3bde445b735e43c0c84f9d120ca5edd655779fc13c6f88b484f7":104:"83155ebb1a42112dd1c474f37b":"87d69fc3cbc757b2b57b180c6ba34db4e20dde19976bfb3d274d32e7cea13f0c7d9e840d59ce857718c985763b7639e448516ddbbda559457cd8cb364fa99addd5ba44ef45c11060d9be82b4ebe1f0711ac95433074649b6c08eeab539fdfc99c77498b420427e4d70e316111845793de1f67fb0d04e3389a8862f46f4582dc8":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"0f9e806b0d937268561c0eafbbdd14ec715b7e9cef4118d6eb28abbb91266745":"2ae4baef22ace26f464a9b0c75802303f2d7c0f9a1ed1d0180135189765bdd347fea0cc2b73ee7fbbf95ea1fda22597b8aad826f63e744069a9c349488b2cc1cf9372f423cc650302082125724730ae5a4d878e07385ddc99034c6b6b46748f02c80b179fe6406b1d33581950cb9bcd1d1ea1ec7b5becfd6c1f5b279412c433a":"8657996634e74d4689f292645f103a2e":"2ca253355e893e58cb1a900fbb62d61595de5c4186dc8a9129da3657a92b4a631bbdc3d5f86395385a9aa8557b67f886e3bb807620e558c93aea8e65826eadeb21544418ee40f5420c2d2b8270491be6fc2dcbfd12847fa350910dd615e9a1881bc2ced3b0ac3bde445b735e43c0c84f9d120ca5edd655779fc13c6f88b484f7":104:"83155ebb1a42112dd1c474f37b":"":"87d69fc3cbc757b2b57b180c6ba34db4e20dde19976bfb3d274d32e7cea13f0c7d9e840d59ce857718c985763b7639e448516ddbbda559457cd8cb364fa99addd5ba44ef45c11060d9be82b4ebe1f0711ac95433074649b6c08eeab539fdfc99c77498b420427e4d70e316111845793de1f67fb0d04e3389a8862f46f4582dc8":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,96) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c24c17911f6db4b3e37c46bcc6fa35efc1a55f7754f0bb99f2eea93398116447":"0bd92cb106867e25ad427ff6e5f384d2d0f432fc389852187fcc7b0bf9f6d11a102a872b99ed1ad9a05dab0f79fa634745535efed804ff42b0af8dad20ba44709391fb263f245e5a2c52d9ce904179633282f57a1229b0a9c4557a5c0aeda29bbc5a7a871fa8b62d58100c3722c21e51e3b3e913185235526e7a5a91c559717d":"5098cc52a69ee044197e2c000c2d4ab8":"9ad4dee311d854925fc7f10eca4f5dd4e6990cb2d4325da2ef25a9a23690f5c5590be285d33aaeba76506c59edec64b8c3ff8e62716d1c385fbce2a42bc7bd5d8e8584de1944543ab6f340c20911f8b7b3be1a1db18a4bb94119333339de95815cae09365b016edc184e11f3c5b851f1fa92b1b63cfa3872a127109c1294b677":96:"f7930e3fab74a91cb6543e72":"6124ede608d416baa5e653a898ca76e9f47f08403c1984feec112e670ded2226e0073f8881ab2161cfda541dccae19691285f7391a729f07aba18f340bb452c1da39cbe83cf476cfc105b64187e0d2227dd283dcba8b6a350f9956b18861fa131d3f00c034443e8f60e0fdfcfaabbed93381ae374a8bf66523d33646183e1379":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c24c17911f6db4b3e37c46bcc6fa35efc1a55f7754f0bb99f2eea93398116447":"0bd92cb106867e25ad427ff6e5f384d2d0f432fc389852187fcc7b0bf9f6d11a102a872b99ed1ad9a05dab0f79fa634745535efed804ff42b0af8dad20ba44709391fb263f245e5a2c52d9ce904179633282f57a1229b0a9c4557a5c0aeda29bbc5a7a871fa8b62d58100c3722c21e51e3b3e913185235526e7a5a91c559717d":"5098cc52a69ee044197e2c000c2d4ab8":"9ad4dee311d854925fc7f10eca4f5dd4e6990cb2d4325da2ef25a9a23690f5c5590be285d33aaeba76506c59edec64b8c3ff8e62716d1c385fbce2a42bc7bd5d8e8584de1944543ab6f340c20911f8b7b3be1a1db18a4bb94119333339de95815cae09365b016edc184e11f3c5b851f1fa92b1b63cfa3872a127109c1294b677":96:"f7930e3fab74a91cb6543e72":"":"6124ede608d416baa5e653a898ca76e9f47f08403c1984feec112e670ded2226e0073f8881ab2161cfda541dccae19691285f7391a729f07aba18f340bb452c1da39cbe83cf476cfc105b64187e0d2227dd283dcba8b6a350f9956b18861fa131d3f00c034443e8f60e0fdfcfaabbed93381ae374a8bf66523d33646183e1379":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,96) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d267a8379260036ff3d1ec07a7b086ff75706bad12d37d9656f04776f3d8b85c":"80c68a330ef50e3e516681f1e535868b03466e7edbb86cb385d01db487da3dd3edad940fdc98d918b7db9b59f8d61369eee2928c88557306c4a13e366af0708d94cb90a15f1c3bc45544bdb05ff964da5e06c5ae965f20adb504620aed7bce2e82f4e408d00219c15ef85fae1ff13fea53deb78afa5f2a50edbd622446e4a894":"674dc34e8c74c51fa42aacd625a1bd5b":"6a9a8af732ae96d0b5a9730ad792e296150d59770a20a3fdbbc2a3a035a88ac445d64f37d684e22003c214b771c1995719da72f3ed24a96618284dd414f0cac364640b23c680dc80492a435c8ec10add53b0d9e3374f1cf5bfc663e3528fa2f6209846421ea6f481b7ecf57714f7bc2527edc4e0466b13e750dd4d4c0cc0cdfc":96:"bea660e963b08fc657741bc8":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"d267a8379260036ff3d1ec07a7b086ff75706bad12d37d9656f04776f3d8b85c":"80c68a330ef50e3e516681f1e535868b03466e7edbb86cb385d01db487da3dd3edad940fdc98d918b7db9b59f8d61369eee2928c88557306c4a13e366af0708d94cb90a15f1c3bc45544bdb05ff964da5e06c5ae965f20adb504620aed7bce2e82f4e408d00219c15ef85fae1ff13fea53deb78afa5f2a50edbd622446e4a894":"674dc34e8c74c51fa42aacd625a1bd5b":"6a9a8af732ae96d0b5a9730ad792e296150d59770a20a3fdbbc2a3a035a88ac445d64f37d684e22003c214b771c1995719da72f3ed24a96618284dd414f0cac364640b23c680dc80492a435c8ec10add53b0d9e3374f1cf5bfc663e3528fa2f6209846421ea6f481b7ecf57714f7bc2527edc4e0466b13e750dd4d4c0cc0cdfc":96:"bea660e963b08fc657741bc8":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,96) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c86cb637753010f639fa3aa3bff7c28b74f012ad6090f2a31b0801d086f183ad":"6b7858557e0fd0f957842fb30e8d54dedbc127eb4bbf9de319f731fa28a606df2c046a0bce8ecda4e75d3596e4e988efd6bc279aa005bc52fad92ba07f5b1dfda4cc417029f9778c88d6fe5341a0fd48893dcb7c68d0df310a060f2a5235aee422d380f7209bc0909b2aa7e876044056f0b915dab0bc13cbea5a3b86d40ca802":"87ff6e0bb313502fedf3d2696bff99b5":"2816f1132724f42e40deabab25e325b282f8c615a79e0c98c00d488ee56237537240234966565e46bfb0c50f2b10366d1589620e6e78bd90ade24d38a272f3fff53c09466aa2d3ef793d7f814a064b713821850a6e6a058f5139a1088347a9fa0f54e38abd51ddfc7ef040bf41d188f3f86c973551ced019812c1fc668649621":96:"7859f047f32b51833333accf":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"c86cb637753010f639fa3aa3bff7c28b74f012ad6090f2a31b0801d086f183ad":"6b7858557e0fd0f957842fb30e8d54dedbc127eb4bbf9de319f731fa28a606df2c046a0bce8ecda4e75d3596e4e988efd6bc279aa005bc52fad92ba07f5b1dfda4cc417029f9778c88d6fe5341a0fd48893dcb7c68d0df310a060f2a5235aee422d380f7209bc0909b2aa7e876044056f0b915dab0bc13cbea5a3b86d40ca802":"87ff6e0bb313502fedf3d2696bff99b5":"2816f1132724f42e40deabab25e325b282f8c615a79e0c98c00d488ee56237537240234966565e46bfb0c50f2b10366d1589620e6e78bd90ade24d38a272f3fff53c09466aa2d3ef793d7f814a064b713821850a6e6a058f5139a1088347a9fa0f54e38abd51ddfc7ef040bf41d188f3f86c973551ced019812c1fc668649621":96:"7859f047f32b51833333accf":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,64) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2c31ca0cac3efe467168198f06beacf39565a6f57f82e1048a5c06a231315882":"65261d6e29b2369b1828a7cef2df9873d6e6057c499301afedd6cb65b5036ddb95f9e353fbf38e54c4f46f88164325b33620ce183beb2e411fbb89a0e0002e542fc161cad32a61ee6f1e1717e0b4dcd0340b116f795bc1009dbbc65bc31c9b549bf03c40bc204cd0d02ec884be907777ebeed8b527ec3af7cbb508193c0745de":"95cae6e85f33f3043182460589be3639":"67523751a9b1b643d00de4511b55e4268cb2d18e79e01a55fc7b677d529bd6400940fb25ea6ae135c1a816e61b69e90b966981aeda685934b107066e1467db78973492ad791e20aef430db3a047447141def8be6e6a9a15089607c3af9368cdb11b7b5fbf90691505d0c33664766945d387904e7089b915a3c28886ba1763bb5":64:"21309d0351cac45e":"1d5f2cb921f54aeb552b4304142facd49497837deb1f00d26fbeddbab922fd80b00dba782961f8fce84f1f7973e81eed6ee168b1760c575c891f40a1dae0fa1a08738025d13ef6e0b30be4f054d874f1b8a2427a19ebb071d98365c32316a88a68c2b40daf1ea831a64519ac3679acb4e04986ecc614ec673c498c6fee459e40":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2c31ca0cac3efe467168198f06beacf39565a6f57f82e1048a5c06a231315882":"65261d6e29b2369b1828a7cef2df9873d6e6057c499301afedd6cb65b5036ddb95f9e353fbf38e54c4f46f88164325b33620ce183beb2e411fbb89a0e0002e542fc161cad32a61ee6f1e1717e0b4dcd0340b116f795bc1009dbbc65bc31c9b549bf03c40bc204cd0d02ec884be907777ebeed8b527ec3af7cbb508193c0745de":"95cae6e85f33f3043182460589be3639":"67523751a9b1b643d00de4511b55e4268cb2d18e79e01a55fc7b677d529bd6400940fb25ea6ae135c1a816e61b69e90b966981aeda685934b107066e1467db78973492ad791e20aef430db3a047447141def8be6e6a9a15089607c3af9368cdb11b7b5fbf90691505d0c33664766945d387904e7089b915a3c28886ba1763bb5":64:"21309d0351cac45e":"":"1d5f2cb921f54aeb552b4304142facd49497837deb1f00d26fbeddbab922fd80b00dba782961f8fce84f1f7973e81eed6ee168b1760c575c891f40a1dae0fa1a08738025d13ef6e0b30be4f054d874f1b8a2427a19ebb071d98365c32316a88a68c2b40daf1ea831a64519ac3679acb4e04986ecc614ec673c498c6fee459e40":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,64) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ca9fa36ca2159dff9723f6cfdb13280446eb6bc3688043c7e2e2504184791596":"ac04c4293554cd832aa400c811cb202d815d6178aa1343b4628592b7f3ae45dc5f12ea47be4b43e1865f40b06ab67b3a9fb3644248a9b3efe131a8addb7447978bb51ccf749e75574fea60e8781677200af023b2f8c415f4e6d8c575a9e374916d9ec3a612b16e37beb589444b588e0b770d9f8e818ad83f83aa4ecf386d17a7":"d13ca73365e57114fc698ee60ba0ad84":"2aa510b7f1620bfce90080e0e25f5468dbc5314b50914e793b5278369c51ac017eace9fd15127fca5a726ad9e67bdee5af298988d9a57ec4bbc43d4eb849535eb10521ac7cd7ed647479a42876af2ebc9e2108b539febdaa9127c49bda1bda800f6034050b8576e944311dfbca59d64d259571b6d2ed5b2fc07127239b03f4b7":64:"2111d55d96a4d84d":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ca9fa36ca2159dff9723f6cfdb13280446eb6bc3688043c7e2e2504184791596":"ac04c4293554cd832aa400c811cb202d815d6178aa1343b4628592b7f3ae45dc5f12ea47be4b43e1865f40b06ab67b3a9fb3644248a9b3efe131a8addb7447978bb51ccf749e75574fea60e8781677200af023b2f8c415f4e6d8c575a9e374916d9ec3a612b16e37beb589444b588e0b770d9f8e818ad83f83aa4ecf386d17a7":"d13ca73365e57114fc698ee60ba0ad84":"2aa510b7f1620bfce90080e0e25f5468dbc5314b50914e793b5278369c51ac017eace9fd15127fca5a726ad9e67bdee5af298988d9a57ec4bbc43d4eb849535eb10521ac7cd7ed647479a42876af2ebc9e2108b539febdaa9127c49bda1bda800f6034050b8576e944311dfbca59d64d259571b6d2ed5b2fc07127239b03f4b7":64:"2111d55d96a4d84d":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,64) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2f802e838250064c15fdee28d7bd4872850355870847701ad9742b2d6eb4b0c0":"e2ca8c8d172ff90232879f510d1225af91bc323bdf636363c2903fcd1790692c8bcb03a1cccb18814678852c6b3a441552e541b843ee5e4f86a152fa73d05aea659fe08aa6428bb257eaa2a7b579fdc4022c1dec359a854253c1aefc983c5ede8c97517ea69fc4606e25f13ffb0f5f49160691454fbb74e704326738353525f7":"2dd550cfd97f8e1d8d31ba5537ae4710":"72b9630dda40306e785b961934c56e20948f8eac0e981f49787eb3dbd6e4607f7d08d10ca643746bf1efa7e5066993683d527a90f2d45ec9cf73113f1f17bb67958be669acd4e2927f1dacfde902cd3048056d7f6dfdd8630ff054efce4526db7c9321d6d2be2236f4d60e27b89d8ec94f65a06dc0953c8c4533a51b6a29bd2c":64:"bd6c8823c9005c85":"f6dd0b5f3d1a393a1837112962dba175a13c2d1e525ef95734caf34949d8b2d63b4fe5603226b5f632f2d7f927361ba639dc0e3c63414f45462342695916d5792133b4a24c7c4cbe2b97c712bf27ab62d3d68b3875d58ffe4b7c30a8171bff1a9e2f3995768faacda2ea9213ff35798b9e4513f6a87bd3f5a9d93e847e768359":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"2f802e838250064c15fdee28d7bd4872850355870847701ad9742b2d6eb4b0c0":"e2ca8c8d172ff90232879f510d1225af91bc323bdf636363c2903fcd1790692c8bcb03a1cccb18814678852c6b3a441552e541b843ee5e4f86a152fa73d05aea659fe08aa6428bb257eaa2a7b579fdc4022c1dec359a854253c1aefc983c5ede8c97517ea69fc4606e25f13ffb0f5f49160691454fbb74e704326738353525f7":"2dd550cfd97f8e1d8d31ba5537ae4710":"72b9630dda40306e785b961934c56e20948f8eac0e981f49787eb3dbd6e4607f7d08d10ca643746bf1efa7e5066993683d527a90f2d45ec9cf73113f1f17bb67958be669acd4e2927f1dacfde902cd3048056d7f6dfdd8630ff054efce4526db7c9321d6d2be2236f4d60e27b89d8ec94f65a06dc0953c8c4533a51b6a29bd2c":64:"bd6c8823c9005c85":"":"f6dd0b5f3d1a393a1837112962dba175a13c2d1e525ef95734caf34949d8b2d63b4fe5603226b5f632f2d7f927361ba639dc0e3c63414f45462342695916d5792133b4a24c7c4cbe2b97c712bf27ab62d3d68b3875d58ffe4b7c30a8171bff1a9e2f3995768faacda2ea9213ff35798b9e4513f6a87bd3f5a9d93e847e768359":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,32) #0
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"84dd53ce0146cb71c32776033bb243098d78a22ac17f52a62a122f5653fb4e33":"68222bffa782dcfe4f328fc20eb520e75a9a5fedbe13ec7fcf0e82fba08bb87a8a8e02902638e32fe0e2294344b380797f8028426ffcc0531c739c884892394c48ff0779c5f5edf0a36a3fb8aa91213347774ec4bf0fe1049bd53746b13beef3c637169826c367056cb1aa0a3868e23f886a9c7b8015c26af9e40794662f6b21":"f0c90a1bca52f30fab3670df0d3beab0":"a3ea8032f36a5ca3d7a1088fd08ac50ae6bdc06ad3a534b773ac3e3d4a3d524499e56274a0062c58c3b0685cc850f4725e5c221af8f51c6df2bbd5fbcff4a93ba4c1054f7f9c67fd9285511a08d328d76a642f067227d378f95a1e67587b90251f9103ed3cacdb6bf69e0794e366d8b92d8de37b4e028de0778841f356ac044d":32:"b1ece9fb":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"84dd53ce0146cb71c32776033bb243098d78a22ac17f52a62a122f5653fb4e33":"68222bffa782dcfe4f328fc20eb520e75a9a5fedbe13ec7fcf0e82fba08bb87a8a8e02902638e32fe0e2294344b380797f8028426ffcc0531c739c884892394c48ff0779c5f5edf0a36a3fb8aa91213347774ec4bf0fe1049bd53746b13beef3c637169826c367056cb1aa0a3868e23f886a9c7b8015c26af9e40794662f6b21":"f0c90a1bca52f30fab3670df0d3beab0":"a3ea8032f36a5ca3d7a1088fd08ac50ae6bdc06ad3a534b773ac3e3d4a3d524499e56274a0062c58c3b0685cc850f4725e5c221af8f51c6df2bbd5fbcff4a93ba4c1054f7f9c67fd9285511a08d328d76a642f067227d378f95a1e67587b90251f9103ed3cacdb6bf69e0794e366d8b92d8de37b4e028de0778841f356ac044d":32:"b1ece9fb":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,32) #1
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9bb36fe25e966a075ae2c3bb43b5877679ebc379d5123c8eda3fa0e30b95cae0":"fb3a4be643c10343251c6f0745aaa54349463f622ca04a792e9b4780866844b30aeef3269fc60cac0ea031c5f3780b535e15154f7c76eb4a371b8ae368550f3fa2ce693c34511ec96b839cac567f1b0de0e7e3116d729b45d1b16e453703a43db73f5d0c3e430f16b142420b5f0d26d72ac3dba543d7d813603b0bfdca3dd63e":"59869df4ef5754b406478a2fb608ee99":"ecd125682e8a8e26757c888b0c8b95dec5e7ed7ac991768f93e8af5bcf6f21ed4d4d38699ee7984ed13635fff72f938150157c9a27fcda121ffced7b492d2b18dad299cb6495ed5f68441aefc8219d2cf717d15d5cd2dbce4606fcf90fe45f3601127cf6acee210bd7df97309f773974a35bef1d33df984101c2fc9d4b55259e":32:"cb3f5338":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"9bb36fe25e966a075ae2c3bb43b5877679ebc379d5123c8eda3fa0e30b95cae0":"fb3a4be643c10343251c6f0745aaa54349463f622ca04a792e9b4780866844b30aeef3269fc60cac0ea031c5f3780b535e15154f7c76eb4a371b8ae368550f3fa2ce693c34511ec96b839cac567f1b0de0e7e3116d729b45d1b16e453703a43db73f5d0c3e430f16b142420b5f0d26d72ac3dba543d7d813603b0bfdca3dd63e":"59869df4ef5754b406478a2fb608ee99":"ecd125682e8a8e26757c888b0c8b95dec5e7ed7ac991768f93e8af5bcf6f21ed4d4d38699ee7984ed13635fff72f938150157c9a27fcda121ffced7b492d2b18dad299cb6495ed5f68441aefc8219d2cf717d15d5cd2dbce4606fcf90fe45f3601127cf6acee210bd7df97309f773974a35bef1d33df984101c2fc9d4b55259e":32:"cb3f5338":"FAIL":"":0
 
 AES-GCM NIST Validation (AES-256,128,1024,1024,32) #2
 depends_on:MBEDTLS_AES_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ca264e7caecad56ee31c8bf8dde9592f753a6299e76c60ac1e93cff3b3de8ce9":"8d03cf6fac31182ad3e6f32e4c823e3b421aef786d5651afafbf70ef14c00524ab814bc421b1d4181b4d3d82d6ae4e8032e43a6c4e0691184425b37320798f865c88b9b306466311d79e3e42076837474c37c9f6336ed777f05f70b0c7d72bd4348a4cd754d0f0c3e4587f9a18313ea2d2bace502a24ea417d3041b709a0471f":"4763a4e37b806a5f4510f69fd8c63571":"07daeba37a66ebe15f3d6451d1176f3a7107a302da6966680c425377e621fd71610d1fc9c95122da5bf85f83b24c4b783b1dcd6b508d41e22c09b5c43693d072869601fc7e3f5a51dbd3bc6508e8d095b9130fb6a7f2a043f3a432e7ce68b7de06c1379e6bab5a1a48823b76762051b4e707ddc3201eb36456e3862425cb011a":32:"3105dddb":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_AES:"ca264e7caecad56ee31c8bf8dde9592f753a6299e76c60ac1e93cff3b3de8ce9":"8d03cf6fac31182ad3e6f32e4c823e3b421aef786d5651afafbf70ef14c00524ab814bc421b1d4181b4d3d82d6ae4e8032e43a6c4e0691184425b37320798f865c88b9b306466311d79e3e42076837474c37c9f6336ed777f05f70b0c7d72bd4348a4cd754d0f0c3e4587f9a18313ea2d2bace502a24ea417d3041b709a0471f":"4763a4e37b806a5f4510f69fd8c63571":"07daeba37a66ebe15f3d6451d1176f3a7107a302da6966680c425377e621fd71610d1fc9c95122da5bf85f83b24c4b783b1dcd6b508d41e22c09b5c43693d072869601fc7e3f5a51dbd3bc6508e8d095b9130fb6a7f2a043f3a432e7ce68b7de06c1379e6bab5a1a48823b76762051b4e707ddc3201eb36456e3862425cb011a":32:"3105dddb":"FAIL":"":0
 
 AES-GCM Bad IV (AES-256,128,0,0,32) #0
 depends_on:MBEDTLS_AES_C
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.camellia.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.camellia.data
index 5f739d5464..9b71d7c0bb 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.camellia.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.camellia.data
@@ -72,144 +72,144 @@ gcm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #1 (128-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"00000000000000000000000000000000":"":"000000000000000000000000":"":128:"f5574acc3148dfcb9015200631024df9":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"00000000000000000000000000000000":"":"000000000000000000000000":"":128:"f5574acc3148dfcb9015200631024df9":"":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #2 (128-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"00000000000000000000000000000000":"defe3e0b5c54c94b4f2a0f5a46f6210d":"000000000000000000000000":"":128:"f672b94d192266c7c8c8dbb427cc989a":"00000000000000000000000000000000":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"00000000000000000000000000000000":"defe3e0b5c54c94b4f2a0f5a46f6210d":"000000000000000000000000":"":128:"f672b94d192266c7c8c8dbb427cc989a":"":"00000000000000000000000000000000":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #3 (128-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f8260614bab815":"cafebabefacedbaddecaf888":"":128:"86e318012dd8329dc9dae6a170f61b24":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f8260614bab815":"cafebabefacedbaddecaf888":"":128:"86e318012dd8329dc9dae6a170f61b24":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #4 (128-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f82606":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"9f458869431576ea6a095456ec6b8101":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f82606":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"9f458869431576ea6a095456ec6b8101":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #5 (128-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"28fd7434d5cd424a5353818fc21a982460d20cf632eb1e6c4fbfca17d5abcf6a52111086162fe9570e7774c7a912aca3dfa10067ddaad40688645bdd":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"e86f8f2e730c49d536f00fb5225d28b1":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"28fd7434d5cd424a5353818fc21a982460d20cf632eb1e6c4fbfca17d5abcf6a52111086162fe9570e7774c7a912aca3dfa10067ddaad40688645bdd":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"e86f8f2e730c49d536f00fb5225d28b1":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #6 (128-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"2e582b8417c93f2ff4f6f7ee3c361e4496e710ee12433baa964987d02f42953e402e6f4af407fe08cd2f35123696014c34db19128df4056faebcd647":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"ceae5569b2af8641572622731aed3e53":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"2e582b8417c93f2ff4f6f7ee3c361e4496e710ee12433baa964987d02f42953e402e6f4af407fe08cd2f35123696014c34db19128df4056faebcd647":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"ceae5569b2af8641572622731aed3e53":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #7 (192-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"000000000000000000000000000000000000000000000000":"":"000000000000000000000000":"":128:"ba9ae89fddce4b51131e17c4d65ce587":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"000000000000000000000000000000000000000000000000":"":"000000000000000000000000":"":128:"ba9ae89fddce4b51131e17c4d65ce587":"":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #8 (192-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"000000000000000000000000000000000000000000000000":"8f9c0aa2549714c88bb2665e8af86d41":"000000000000000000000000":"":128:"783cff5c5aca7197320658a74279ab37":"00000000000000000000000000000000":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"000000000000000000000000000000000000000000000000":"8f9c0aa2549714c88bb2665e8af86d41":"000000000000000000000000":"":128:"783cff5c5aca7197320658a74279ab37":"":"00000000000000000000000000000000":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #9 (192-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"0f009e88410d84ad93c90d55efbe20ffa855492f4dfd0fb485c4f02f536feffbb4d967729e5c67f1de0750255cc500716ba483eb3b0a2bf607af28f6a60bb2e9":"cafebabefacedbaddecaf888":"":128:"8d645a0b0e48d3c3b60a014157cb49b4":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"0f009e88410d84ad93c90d55efbe20ffa855492f4dfd0fb485c4f02f536feffbb4d967729e5c67f1de0750255cc500716ba483eb3b0a2bf607af28f6a60bb2e9":"cafebabefacedbaddecaf888":"":128:"8d645a0b0e48d3c3b60a014157cb49b4":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #10 (192-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"0f009e88410d84ad93c90d55efbe20ffa855492f4dfd0fb485c4f02f536feffbb4d967729e5c67f1de0750255cc500716ba483eb3b0a2bf607af28f6":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"01b15bb5ab6fac0c422014e91eacbf2b":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"0f009e88410d84ad93c90d55efbe20ffa855492f4dfd0fb485c4f02f536feffbb4d967729e5c67f1de0750255cc500716ba483eb3b0a2bf607af28f6":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"01b15bb5ab6fac0c422014e91eacbf2b":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #11 (192-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"678b3dcb270faa206dc5f6fbb5014996e86d6f3e35cdcdfeb03b37b9b06ff4ff2682248823bd3c84124dc76af7bde3dd440c228b5efbc795dd80dfb6":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"f876143d933214a5035ff0bb96ff650b":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"678b3dcb270faa206dc5f6fbb5014996e86d6f3e35cdcdfeb03b37b9b06ff4ff2682248823bd3c84124dc76af7bde3dd440c228b5efbc795dd80dfb6":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"f876143d933214a5035ff0bb96ff650b":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #12 (192-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"9733ea567c3bad2259ccd63ef7012f5de709e50b1fdc31f1a16db02ede1b66f11dcc4d953f2d4d4671587b65882afbf9545fdb6deab22413d091b703":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"4b72e520b2521e63d240ed5c903216fa":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"9733ea567c3bad2259ccd63ef7012f5de709e50b1fdc31f1a16db02ede1b66f11dcc4d953f2d4d4671587b65882afbf9545fdb6deab22413d091b703":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"4b72e520b2521e63d240ed5c903216fa":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #13 (256-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"0000000000000000000000000000000000000000000000000000000000000000":"":"000000000000000000000000":"":128:"9cdb269b5d293bc5db9c55b057d9b591":"":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"0000000000000000000000000000000000000000000000000000000000000000":"":"000000000000000000000000":"":128:"9cdb269b5d293bc5db9c55b057d9b591":"":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #14 (256-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"0000000000000000000000000000000000000000000000000000000000000000":"3d4b2cde666761ba5dfb305178e667fb":"000000000000000000000000":"":128:"284b63bb143c40ce100fb4dea6bb617b":"00000000000000000000000000000000":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"0000000000000000000000000000000000000000000000000000000000000000":"3d4b2cde666761ba5dfb305178e667fb":"000000000000000000000000":"":128:"284b63bb143c40ce100fb4dea6bb617b":"":"00000000000000000000000000000000":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #15 (256-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"ad142c11579dd95e41f3c1f324dabc255864d920f1b65759d8f560d4948d447758dfdcf77aa9f62581c7ff572a037f810cb1a9c4b3ca6ed638179b776549e092":"cafebabefacedbaddecaf888":"":128:"c912686270a2b9966415fca3be75c468":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"ad142c11579dd95e41f3c1f324dabc255864d920f1b65759d8f560d4948d447758dfdcf77aa9f62581c7ff572a037f810cb1a9c4b3ca6ed638179b776549e092":"cafebabefacedbaddecaf888":"":128:"c912686270a2b9966415fca3be75c468":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #16 (256-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"ad142c11579dd95e41f3c1f324dabc255864d920f1b65759d8f560d4948d447758dfdcf77aa9f62581c7ff572a037f810cb1a9c4b3ca6ed638179b77":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"4e4b178d8fe26fdc95e2e7246dd94bec":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"ad142c11579dd95e41f3c1f324dabc255864d920f1b65759d8f560d4948d447758dfdcf77aa9f62581c7ff572a037f810cb1a9c4b3ca6ed638179b77":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"4e4b178d8fe26fdc95e2e7246dd94bec":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #17 (256-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"6ca95fbb7d16577a9ef2fded94dc85b5d40c629f6bef2c649888e3cbb0ededc7810c04b12c2983bbbbc482e16e45c9215ae12c15c55f2f4809d06652":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"e6472b8ebd331bfcc7c0fa63ce094461":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"6ca95fbb7d16577a9ef2fded94dc85b5d40c629f6bef2c649888e3cbb0ededc7810c04b12c2983bbbbc482e16e45c9215ae12c15c55f2f4809d06652":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"e6472b8ebd331bfcc7c0fa63ce094461":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #18 (256-de)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"e0cddd7564d09c4dc522dd65949262bbf9dcdb07421cf67f3032becb7253c284a16e5bf0f556a308043f53fab9eebb526be7f7ad33d697ac77c67862":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"5791883f822013f8bd136fc36fb9946b":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"e0cddd7564d09c4dc522dd65949262bbf9dcdb07421cf67f3032becb7253c284a16e5bf0f556a308043f53fab9eebb526be7f7ad33d697ac77c67862":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"5791883f822013f8bd136fc36fb9946b":"":"d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #1 (128-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"00000000000000000000000000000000":"":"000000000000000000000000":"":128:"f5574acc3148dfcb9015200631024df8":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"00000000000000000000000000000000":"":"000000000000000000000000":"":128:"f5574acc3148dfcb9015200631024df8":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #2 (128-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"00000000000000000000000000000000":"defe3e0b5c54c94b4f2a0f5a46f7210d":"000000000000000000000000":"":128:"f672b94d192266c7c8c8dbb427cc989a":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"00000000000000000000000000000000":"defe3e0b5c54c94b4f2a0f5a46f7210d":"000000000000000000000000":"":128:"f672b94d192266c7c8c8dbb427cc989a":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #3 (128-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f8260614bab815":"cafebabefacedbaddecaf889":"":128:"86e318012dd8329dc9dae6a170f61b24":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f8260614bab815":"cafebabefacedbaddecaf889":"":128:"86e318012dd8329dc9dae6a170f61b24":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #4 (128-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f82606":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"9f458869431576ea6a095456ec6b8100":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f82606":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"9f458869431576ea6a095456ec6b8100":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #5 (128-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"28fd7434d5cd424a5353818fc21a982460d20cf632eb1e6c4fbfca17d5abcf6a52111086162fe9570e7774c7a912aca3dfa10067ddaad40688645bdd":"cafebabefacedbad":"feedfadedeadbeeffeedfacedeadbeefabaddad2":128:"e86f8f2e730c49d536f00fb5225d28b1":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"28fd7434d5cd424a5353818fc21a982460d20cf632eb1e6c4fbfca17d5abcf6a52111086162fe9570e7774c7a912aca3dfa10067ddaad40688645bdd":"cafebabefacedbad":"feedfadedeadbeeffeedfacedeadbeefabaddad2":128:"e86f8f2e730c49d536f00fb5225d28b1":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #6 (128-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"2e582b8417c83f2ff4f6f7ee3c361e4496e710ee12433baa964987d02f42953e402e6f4af407fe08cd2f35123696014c34db19128df4056faebcd647":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"ceae5569b2af8641572622731aed3e53":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308":"2e582b8417c83f2ff4f6f7ee3c361e4496e710ee12433baa964987d02f42953e402e6f4af407fe08cd2f35123696014c34db19128df4056faebcd647":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"ceae5569b2af8641572622731aed3e53":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #7 (192-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"000000000000000000000000000000000000000000000000":"":"000000000000000000000000":"":128:"ba9ae89fddce4b51131e17c4d65ce586":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"000000000000000000000000000000000000000000000000":"":"000000000000000000000000":"":128:"ba9ae89fddce4b51131e17c4d65ce586":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #8 (192-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"000000000000000000000000000000000000000000000000":"8f9c0aa2549714c88bb2665e8af86d42":"000000000000000000000000":"":128:"783cff5c5aca7197320658a74279ab37":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"000000000000000000000000000000000000000000000000":"8f9c0aa2549714c88bb2665e8af86d42":"000000000000000000000000":"":128:"783cff5c5aca7197320658a74279ab37":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #9 (192-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"ffffe9928665731c6d6a8f9467308308feffe9928665731c":"0f009e88410d84ad93c90d55efbe20ffa855492f4dfd0fb485c4f02f536feffbb4d967729e5c67f1de0750255cc500716ba483eb3b0a2bf607af28f6a60bb2e9":"cafebabefacedbaddecaf888":"":128:"8d645a0b0e48d3c3b60a014157cb49b4":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"ffffe9928665731c6d6a8f9467308308feffe9928665731c":"0f009e88410d84ad93c90d55efbe20ffa855492f4dfd0fb485c4f02f536feffbb4d967729e5c67f1de0750255cc500716ba483eb3b0a2bf607af28f6a60bb2e9":"cafebabefacedbaddecaf888":"":128:"8d645a0b0e48d3c3b60a014157cb49b4":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #10 (192-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"0f009e88410d84ad93c90d55efbe20ffa855492f4dfd0fb485c4f02f536feffbb4d967729e5c67f1de0750255cc500716ba483eb3b0a2bf607af28f6":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"11b15bb5ab6fac0c422014e91eacbf2b":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"0f009e88410d84ad93c90d55efbe20ffa855492f4dfd0fb485c4f02f536feffbb4d967729e5c67f1de0750255cc500716ba483eb3b0a2bf607af28f6":"cafebabefacedbaddecaf888":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"11b15bb5ab6fac0c422014e91eacbf2b":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #11 (192-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"678b3dcb270faa206dc5f6fbb5014996e86d6f3e35cdcdfeb03b37b9b06ff4ff2682248823bd3c84124dc76af7bde3dd440c228b5efbc795dd80dfb6":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad3":128:"f876143d933214a5035ff0bb96ff650b":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"678b3dcb270faa206dc5f6fbb5014996e86d6f3e35cdcdfeb03b37b9b06ff4ff2682248823bd3c84124dc76af7bde3dd440c228b5efbc795dd80dfb6":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad3":128:"f876143d933214a5035ff0bb96ff650b":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #12 (192-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"9733ea567c3bad2259ccd63ef7012f5de709e50b1fdc31f1a16db02ede1b66f11dcc4d953f2d4d4671587b65882afbf9545fdb6deab22413d091b703":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a328a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"4b72e520b2521e63d240ed5c903216fa":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c":"9733ea567c3bad2259ccd63ef7012f5de709e50b1fdc31f1a16db02ede1b66f11dcc4d953f2d4d4671587b65882afbf9545fdb6deab22413d091b703":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a328a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"4b72e520b2521e63d240ed5c903216fa":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #13 (256-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"0000000000000000000000000000000000000000000000000000000000000001":"":"000000000000000000000000":"":128:"9cdb269b5d293bc5db9c55b057d9b591":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"0000000000000000000000000000000000000000000000000000000000000001":"":"000000000000000000000000":"":128:"9cdb269b5d293bc5db9c55b057d9b591":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #14 (256-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"0000000000000000000000000000000000000000000000000000000000000000":"3d4b2cde666761ba5dfb305178e667fb":"000000000000000000000001":"":128:"284b63bb143c40ce100fb4dea6bb617b":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"0000000000000000000000000000000000000000000000000000000000000000":"3d4b2cde666761ba5dfb305178e667fb":"000000000000000000000001":"":128:"284b63bb143c40ce100fb4dea6bb617b":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #15 (256-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"ad142c11579dd95e41f3c1f324dabc255864d920f1b65759d8f560d4949d447758dfdcf77aa9f62581c7ff572a037f810cb1a9c4b3ca6ed638179b776549e092":"cafebabefacedbaddecaf888":"":128:"c912686270a2b9966415fca3be75c468":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"ad142c11579dd95e41f3c1f324dabc255864d920f1b65759d8f560d4949d447758dfdcf77aa9f62581c7ff572a037f810cb1a9c4b3ca6ed638179b776549e092":"cafebabefacedbaddecaf888":"":128:"c912686270a2b9966415fca3be75c468":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #16 (256-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"ad142c11579dd95e41f3c1f324dabc255864d920f1b65759d8f560d4948d447758dfdcf77aa9f62581c7ff572a037f810cb1a9c4b3ca6ed638179b77":"cafebabefacedbaddecaf888":"ffedfacedeadbeeffeedfacedeadbeefabaddad2":128:"4e4b178d8fe26fdc95e2e7246dd94bec":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"ad142c11579dd95e41f3c1f324dabc255864d920f1b65759d8f560d4948d447758dfdcf77aa9f62581c7ff572a037f810cb1a9c4b3ca6ed638179b77":"cafebabefacedbaddecaf888":"ffedfacedeadbeeffeedfacedeadbeefabaddad2":128:"4e4b178d8fe26fdc95e2e7246dd94bec":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #17 (256-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"6ca95fbb7d16577a9ef2fded94dc85b5d40c629f6bef2c649888e3cbb0ededc7810c04b12c2983bbbbc482e16e45c9215ae12c15c55f2f4809d06652":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"e6472b8ebd331bfcc7c0fa63ce094462":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308":"6ca95fbb7d16577a9ef2fded94dc85b5d40c629f6bef2c649888e3cbb0ededc7810c04b12c2983bbbbc482e16e45c9215ae12c15c55f2f4809d06652":"cafebabefacedbad":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"e6472b8ebd331bfcc7c0fa63ce094462":"FAIL":"":0
 
 Camellia-GCM test vect draft-kato-ipsec-camellia-gcm #18 (256-bad)
 depends_on:MBEDTLS_CAMELLIA_C
-gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a9f9467308308feffe9928665731c6d6a8f9467308308":"e0cddd7564d09c4dc522dd65949262bbf9dcdb07421cf67f3032becb7253c284a16e5bf0f556a308043f53fab9eebb526be7f7ad33d697ac77c67862":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"5791883f822013f8bd136fc36fb9946b":"FAIL":0
+gcm_decrypt_and_verify:MBEDTLS_CIPHER_ID_CAMELLIA:"feffe9928665731c6d6a9f9467308308feffe9928665731c6d6a8f9467308308":"e0cddd7564d09c4dc522dd65949262bbf9dcdb07421cf67f3032becb7253c284a16e5bf0f556a308043f53fab9eebb526be7f7ad33d697ac77c67862":"9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b":"feedfacedeadbeeffeedfacedeadbeefabaddad2":128:"5791883f822013f8bd136fc36fb9946b":"FAIL":"":0
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.function
index 3d0830e98e..1fcb681b98 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.function
@@ -9,41 +9,23 @@
 
 /* BEGIN_CASE */
 void gcm_bad_parameters( int cipher_id, int direction,
-                         char *hex_key_string, char *hex_src_string,
-                         char *hex_iv_string, char *hex_add_string,
+                         data_t *key_str, data_t *src_str,
+                         data_t *iv_str, data_t *add_str,
                          int tag_len_bits, int gcm_result )
 {
-    unsigned char key_str[128];
-    unsigned char src_str[128];
-    unsigned char dst_str[257];
-    unsigned char iv_str[128];
-    unsigned char add_str[128];
-    unsigned char tag_str[128];
     unsigned char output[128];
     unsigned char tag_output[16];
     mbedtls_gcm_context ctx;
-    unsigned int key_len;
-    size_t pt_len, iv_len, add_len, tag_len = tag_len_bits / 8;
+    size_t tag_len = tag_len_bits / 8;
 
     mbedtls_gcm_init( &ctx );
 
-    memset( key_str, 0x00, sizeof( key_str ) );
-    memset( src_str, 0x00, sizeof( src_str ) );
-    memset( dst_str, 0x00, sizeof( dst_str ) );
-    memset( iv_str, 0x00, sizeof( iv_str ) );
-    memset( add_str, 0x00, sizeof( add_str ) );
-    memset( tag_str, 0x00, sizeof( tag_str ) );
     memset( output, 0x00, sizeof( output ) );
     memset( tag_output, 0x00, sizeof( tag_output ) );
 
-    key_len = unhexify( key_str, hex_key_string );
-    pt_len = unhexify( src_str, hex_src_string );
-    iv_len = unhexify( iv_str, hex_iv_string );
-    add_len = unhexify( add_str, hex_add_string );
-
-    TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str, key_len * 8 ) == 0 );
-    TEST_ASSERT( mbedtls_gcm_crypt_and_tag( &ctx, direction, pt_len, iv_str, iv_len,
-                 add_str, add_len, src_str, output, tag_len, tag_output ) == gcm_result );
+    TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == 0 );
+    TEST_ASSERT( mbedtls_gcm_crypt_and_tag( &ctx, direction, src_str->len, iv_str->x, iv_str->len,
+                 add_str->x, add_str->len, src_str->x, output, tag_len, tag_output ) == gcm_result );
 
 exit:
     mbedtls_gcm_free( &ctx );
@@ -51,49 +33,30 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void gcm_encrypt_and_tag( int cipher_id,
-                          char *hex_key_string, char *hex_src_string,
-                          char *hex_iv_string, char *hex_add_string,
-                          char *hex_dst_string, int tag_len_bits,
-                          char *hex_tag_string, int  init_result )
+void gcm_encrypt_and_tag( int cipher_id, data_t * key_str,
+                          data_t * src_str, data_t * iv_str,
+                          data_t * add_str, data_t * hex_dst_string,
+                          int tag_len_bits, data_t * hex_tag_string,
+                          int init_result )
 {
-    unsigned char key_str[128];
-    unsigned char src_str[128];
-    unsigned char dst_str[257];
-    unsigned char iv_str[128];
-    unsigned char add_str[128];
-    unsigned char tag_str[128];
     unsigned char output[128];
     unsigned char tag_output[16];
     mbedtls_gcm_context ctx;
-    unsigned int key_len;
-    size_t pt_len, iv_len, add_len, tag_len = tag_len_bits / 8;
+    size_t tag_len = tag_len_bits / 8;
 
     mbedtls_gcm_init( &ctx );
 
-    memset(key_str, 0x00, 128);
-    memset(src_str, 0x00, 128);
-    memset(dst_str, 0x00, 257);
-    memset(iv_str, 0x00, 128);
-    memset(add_str, 0x00, 128);
-    memset(tag_str, 0x00, 128);
     memset(output, 0x00, 128);
     memset(tag_output, 0x00, 16);
 
-    key_len = unhexify( key_str, hex_key_string );
-    pt_len = unhexify( src_str, hex_src_string );
-    iv_len = unhexify( iv_str, hex_iv_string );
-    add_len = unhexify( add_str, hex_add_string );
 
-    TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str, key_len * 8 ) == init_result );
+    TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == init_result );
     if( init_result == 0 )
     {
-        TEST_ASSERT( mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_ENCRYPT, pt_len, iv_str, iv_len, add_str, add_len, src_str, output, tag_len, tag_output ) == 0 );
-        hexify( dst_str, output, pt_len );
-        hexify( tag_str, tag_output, tag_len );
+        TEST_ASSERT( mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_ENCRYPT, src_str->len, iv_str->x, iv_str->len, add_str->x, add_str->len, src_str->x, output, tag_len, tag_output ) == 0 );
 
-        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
-        TEST_ASSERT( strcmp( (char *) tag_str, hex_tag_string ) == 0 );
+        TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
+        TEST_ASSERT( hexcmp( tag_output, hex_tag_string->x, tag_len, hex_tag_string->len ) == 0 );
     }
 
 exit:
@@ -102,55 +65,36 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void gcm_decrypt_and_verify( int cipher_id,
-                             char *hex_key_string, char *hex_src_string,
-                             char *hex_iv_string, char *hex_add_string,
-                             int tag_len_bits, char *hex_tag_string,
-                             char *pt_result, int init_result )
+void gcm_decrypt_and_verify( int cipher_id, data_t * key_str,
+                             data_t * src_str, data_t * iv_str,
+                             data_t * add_str, int tag_len_bits,
+                             data_t * tag_str, char * result,
+                             data_t * pt_result, int init_result )
 {
-    unsigned char key_str[128];
-    unsigned char src_str[128];
-    unsigned char dst_str[257];
-    unsigned char iv_str[128];
-    unsigned char add_str[128];
-    unsigned char tag_str[128];
     unsigned char output[128];
     mbedtls_gcm_context ctx;
-    unsigned int key_len;
-    size_t pt_len, iv_len, add_len, tag_len = tag_len_bits / 8;
     int ret;
+    size_t tag_len = tag_len_bits / 8;
 
     mbedtls_gcm_init( &ctx );
 
-    memset(key_str, 0x00, 128);
-    memset(src_str, 0x00, 128);
-    memset(dst_str, 0x00, 257);
-    memset(iv_str, 0x00, 128);
-    memset(add_str, 0x00, 128);
-    memset(tag_str, 0x00, 128);
     memset(output, 0x00, 128);
 
-    key_len = unhexify( key_str, hex_key_string );
-    pt_len = unhexify( src_str, hex_src_string );
-    iv_len = unhexify( iv_str, hex_iv_string );
-    add_len = unhexify( add_str, hex_add_string );
-    unhexify( tag_str, hex_tag_string );
 
-    TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str, key_len * 8 ) == init_result );
+    TEST_ASSERT( mbedtls_gcm_setkey( &ctx, cipher_id, key_str->x, key_str->len * 8 ) == init_result );
     if( init_result == 0 )
     {
-        ret = mbedtls_gcm_auth_decrypt( &ctx, pt_len, iv_str, iv_len, add_str, add_len, tag_str, tag_len, src_str, output );
+        ret = mbedtls_gcm_auth_decrypt( &ctx, src_str->len, iv_str->x, iv_str->len, add_str->x, add_str->len, tag_str->x, tag_len, src_str->x, output );
 
-        if( strcmp( "FAIL", pt_result ) == 0 )
+        if( strcmp( "FAIL", result ) == 0 )
         {
             TEST_ASSERT( ret == MBEDTLS_ERR_GCM_AUTH_FAILED );
         }
         else
         {
             TEST_ASSERT( ret == 0 );
-            hexify( dst_str, output, pt_len );
 
-            TEST_ASSERT( strcmp( (char *) dst_str, pt_result ) == 0 );
+            TEST_ASSERT( hexcmp( output, pt_result->x, src_str->len, pt_result->len ) == 0 );
         }
     }
 
@@ -159,8 +103,177 @@ exit:
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void gcm_invalid_param( )
+{
+    mbedtls_gcm_context ctx;
+    unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
+    mbedtls_cipher_id_t valid_cipher = MBEDTLS_CIPHER_ID_AES;
+    int valid_mode = MBEDTLS_GCM_ENCRYPT;
+    int valid_len = sizeof(valid_buffer);
+    int valid_bitlen = 128, invalid_bitlen = 1;
+
+    mbedtls_gcm_init( &ctx );
+
+    /* mbedtls_gcm_init() */
+    TEST_INVALID_PARAM( mbedtls_gcm_init( NULL ) );
+
+    /* mbedtls_gcm_setkey */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_setkey( NULL, valid_cipher, valid_buffer, valid_bitlen ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_setkey( &ctx, valid_cipher, NULL, valid_bitlen ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_setkey( &ctx, valid_cipher, valid_buffer, invalid_bitlen ) );
+
+    /* mbedtls_gcm_crypt_and_tag() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_crypt_and_tag( NULL, valid_mode, valid_len,
+                                   valid_buffer, valid_len,
+                                   valid_buffer, valid_len,
+                                   valid_buffer, valid_buffer,
+                                   valid_len, valid_buffer ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_crypt_and_tag( &ctx, valid_mode, valid_len,
+                                   NULL, valid_len,
+                                   valid_buffer, valid_len,
+                                   valid_buffer, valid_buffer,
+                                   valid_len, valid_buffer ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_crypt_and_tag( &ctx, valid_mode, valid_len,
+                                   valid_buffer, valid_len,
+                                   NULL, valid_len,
+                                   valid_buffer, valid_buffer,
+                                   valid_len, valid_buffer ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_crypt_and_tag( &ctx, valid_mode, valid_len,
+                                   valid_buffer, valid_len,
+                                   valid_buffer, valid_len,
+                                   NULL, valid_buffer,
+                                   valid_len, valid_buffer ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_crypt_and_tag( &ctx, valid_mode, valid_len,
+                                   valid_buffer, valid_len,
+                                   valid_buffer, valid_len,
+                                   valid_buffer, NULL,
+                                   valid_len, valid_buffer ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_crypt_and_tag( &ctx, valid_mode, valid_len,
+                                   valid_buffer, valid_len,
+                                   valid_buffer, valid_len,
+                                   valid_buffer, valid_buffer,
+                                   valid_len, NULL ) );
+
+    /* mbedtls_gcm_auth_decrypt() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_auth_decrypt( NULL, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_buffer) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_auth_decrypt( &ctx, valid_len,
+                                  NULL, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_buffer) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_auth_decrypt( &ctx, valid_len,
+                                  valid_buffer, valid_len,
+                                  NULL, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_buffer) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_auth_decrypt( &ctx, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_len,
+                                  NULL, valid_len,
+                                  valid_buffer, valid_buffer) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_auth_decrypt( &ctx, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_len,
+                                  NULL, valid_buffer) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_auth_decrypt( &ctx, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, valid_len,
+                                  valid_buffer, NULL) );
+
+    /* mbedtls_gcm_starts() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_starts( NULL, valid_mode,
+                            valid_buffer, valid_len,
+                            valid_buffer, valid_len ) );
+
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_starts( &ctx, valid_mode,
+                            NULL, valid_len,
+                            valid_buffer, valid_len ) );
+
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_starts( &ctx, valid_mode,
+                            valid_buffer, valid_len,
+                            NULL, valid_len ) );
+
+    /* mbedtls_gcm_update() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_update( NULL, valid_len,
+                            valid_buffer, valid_buffer ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_update( &ctx, valid_len,
+                            NULL, valid_buffer ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_update( &ctx, valid_len,
+                            valid_buffer, NULL ) );
+
+    /* mbedtls_gcm_finish() */
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_finish( NULL, valid_buffer, valid_len ) );
+    TEST_INVALID_PARAM_RET(
+        MBEDTLS_ERR_GCM_BAD_INPUT,
+        mbedtls_gcm_finish( &ctx, NULL, valid_len ) );
+
+exit:
+    mbedtls_gcm_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void gcm_valid_param( )
+{
+    TEST_VALID_PARAM( mbedtls_gcm_free( NULL ) );
+exit:
+    return;
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void gcm_selftest()
+void gcm_selftest(  )
 {
     TEST_ASSERT( mbedtls_gcm_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.misc.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.misc.data
new file mode 100644
index 0000000000..cf01526535
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_gcm.misc.data
@@ -0,0 +1,5 @@
+GCM - Invalid parameters
+gcm_invalid_param:
+
+GCM - Valid parameters
+gcm_valid_param:
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_hkdf.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_hkdf.data
new file mode 100644
index 0000000000..15837365fe
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_hkdf.data
@@ -0,0 +1,98 @@
+HKDF extract fails with hash_len of 0
+test_hkdf_extract_ret:0:MBEDTLS_ERR_HKDF_BAD_INPUT_DATA
+
+HKDF expand fails with NULL okm
+test_hkdf_expand_ret:32:32:0:MBEDTLS_ERR_HKDF_BAD_INPUT_DATA
+
+HKDF expand fails with hash_len of 0
+test_hkdf_expand_ret:0:32:32:MBEDTLS_ERR_HKDF_BAD_INPUT_DATA
+
+HKDF expand fails with prk_len < hash_len
+test_hkdf_expand_ret:32:16:32:MBEDTLS_ERR_HKDF_BAD_INPUT_DATA
+
+HKDF expand fails with okm_len / hash_len > 255
+test_hkdf_expand_ret:32:32:8192:MBEDTLS_ERR_HKDF_BAD_INPUT_DATA
+
+HKDF RFC5869 Test Vector #1
+depends_on:MBEDTLS_SHA256_C
+test_hkdf:6:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
+
+HKDF RFC5869 Test Vector #2
+depends_on:MBEDTLS_SHA256_C
+test_hkdf:6:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87"
+
+HKDF RFC5869 Test Vector #3
+depends_on:MBEDTLS_SHA256_C
+test_hkdf:6:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"":"8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8"
+
+HKDF RFC5869 Test Vector #4
+depends_on:MBEDTLS_SHA1_C
+test_hkdf:4:"0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":"085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896"
+
+HKDF RFC5869 Test Vector #5
+depends_on:MBEDTLS_SHA1_C
+test_hkdf:4:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4"
+
+HKDF RFC5869 Test Vector #6
+depends_on:MBEDTLS_SHA1_C
+test_hkdf:4:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"":"0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918"
+
+HKDF RFC5869 Test Vector #7
+depends_on:MBEDTLS_SHA1_C
+test_hkdf:4:"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":"":"":"2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48"
+
+HKDF RFC5869 Test Vector #1 Extract
+depends_on:MBEDTLS_SHA256_C
+test_hkdf_extract:6:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
+
+HKDF RFC5869 Test Vector #2 Extract
+depends_on:MBEDTLS_SHA256_C
+test_hkdf_extract:6:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":"06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244"
+
+HKDF RFC5869 Test Vector #3 Extract
+depends_on:MBEDTLS_SHA256_C
+test_hkdf_extract:6:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04"
+
+HKDF RFC5869 Test Vector #4 Extract
+depends_on:MBEDTLS_SHA1_C
+test_hkdf_extract:4:"0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243"
+
+HKDF RFC5869 Test Vector #5 Extract
+depends_on:MBEDTLS_SHA1_C
+test_hkdf_extract:4:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f":"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf":"8adae09a2a307059478d309b26c4115a224cfaf6"
+
+HKDF RFC5869 Test Vector #6 Extract
+depends_on:MBEDTLS_SHA1_C
+test_hkdf_extract:4:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"":"da8c8a73c7fa77288ec6f5e7c297786aa0d32d01"
+
+HKDF RFC5869 Test Vector #7 Extract
+depends_on:MBEDTLS_SHA1_C
+test_hkdf_extract:4:"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c":"":"2adccada18779e7c2077ad2eb19d3f3e731385dd"
+
+HKDF RFC5869 Test Vector #1 Expand
+depends_on:MBEDTLS_SHA256_C
+test_hkdf_expand:6:"f0f1f2f3f4f5f6f7f8f9":"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5":"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
+
+HKDF RFC5869 Test Vector #2 Expand
+depends_on:MBEDTLS_SHA256_C
+test_hkdf_expand:6:"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244":"b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87"
+
+HKDF RFC5869 Test Vector #3 Expand
+depends_on:MBEDTLS_SHA256_C
+test_hkdf_expand:6:"":"19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04":"8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8"
+
+HKDF RFC5869 Test Vector #4 Expand
+depends_on:MBEDTLS_SHA1_C
+test_hkdf_expand:4:"f0f1f2f3f4f5f6f7f8f9":"9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243":"085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896"
+
+HKDF RFC5869 Test Vector #5 Expand
+depends_on:MBEDTLS_SHA1_C
+test_hkdf_expand:4:"b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff":"8adae09a2a307059478d309b26c4115a224cfaf6":"0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4"
+
+HKDF RFC5869 Test Vector #6 Expand
+depends_on:MBEDTLS_SHA1_C
+test_hkdf_expand:4:"":"da8c8a73c7fa77288ec6f5e7c297786aa0d32d01":"0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918"
+
+HKDF RFC5869 Test Vector #7 Expand
+depends_on:MBEDTLS_SHA1_C
+test_hkdf_expand:4:"":"2adccada18779e7c2077ad2eb19d3f3e731385dd":"2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48"
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_hkdf.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_hkdf.function
new file mode 100644
index 0000000000..3e8720734e
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_hkdf.function
@@ -0,0 +1,174 @@
+/* BEGIN_HEADER */
+#include "mbedtls/hkdf.h"
+#include "mbedtls/md_internal.h"
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_HKDF_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void test_hkdf( int md_alg, char *hex_ikm_string, char *hex_salt_string,
+                char *hex_info_string, char *hex_okm_string )
+{
+    int ret;
+    size_t ikm_len, salt_len, info_len, okm_len;
+    unsigned char ikm[128] = { '\0' };
+    unsigned char salt[128] = { '\0' };
+    unsigned char info[128] = { '\0' };
+    unsigned char expected_okm[128] = { '\0' };
+    unsigned char okm[128] = { '\0' };
+    /*
+     * okm_hex is the string representation of okm,
+     * so its size is twice the size of okm, and an extra null-termination.
+     */
+    unsigned char okm_hex[257] = { '\0' };
+
+    const mbedtls_md_info_t *md = mbedtls_md_info_from_type( md_alg );
+    TEST_ASSERT( md != NULL );
+
+    ikm_len = unhexify( ikm, hex_ikm_string );
+    salt_len = unhexify( salt, hex_salt_string );
+    info_len = unhexify( info, hex_info_string );
+    okm_len = unhexify( expected_okm, hex_okm_string );
+
+    ret = mbedtls_hkdf( md, salt, salt_len, ikm, ikm_len, info, info_len, okm,
+                        okm_len);
+    TEST_ASSERT( ret == 0 );
+
+    // Run hexify on it so that it looks nicer if the assertion fails
+    hexify( okm_hex, okm, okm_len );
+    TEST_ASSERT( !strcmp( (char *)okm_hex, hex_okm_string ) );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void test_hkdf_extract( int md_alg, char *hex_ikm_string,
+                        char *hex_salt_string, char *hex_prk_string )
+{
+    int ret;
+    unsigned char *ikm = NULL;
+    unsigned char *salt = NULL;
+    unsigned char *prk = NULL;
+    unsigned char *output_prk = NULL;
+    size_t ikm_len, salt_len, prk_len, output_prk_len;
+
+    const mbedtls_md_info_t *md = mbedtls_md_info_from_type( md_alg );
+    TEST_ASSERT( md != NULL );
+
+    output_prk_len = mbedtls_md_get_size( md );
+    output_prk = mbedtls_calloc( 1, output_prk_len );
+
+    ikm = unhexify_alloc( hex_ikm_string, &ikm_len );
+    salt = unhexify_alloc( hex_salt_string, &salt_len );
+    prk = unhexify_alloc( hex_prk_string, &prk_len );
+    TEST_ASSERT( prk_len == output_prk_len );
+
+    ret = mbedtls_hkdf_extract( md, salt, salt_len, ikm, ikm_len, output_prk );
+    TEST_ASSERT( ret == 0 );
+
+    TEST_ASSERT( !memcmp( output_prk, prk, prk_len ) );
+
+exit:
+    mbedtls_free(ikm);
+    mbedtls_free(salt);
+    mbedtls_free(prk);
+    mbedtls_free(output_prk);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void test_hkdf_expand( int md_alg, char *hex_info_string,
+                       char *hex_prk_string, char *hex_okm_string )
+{
+    enum { OKM_LEN  = 1024 };
+    int ret;
+    unsigned char *info = NULL;
+    unsigned char *prk = NULL;
+    unsigned char *okm = NULL;
+    unsigned char *output_okm = NULL;
+    size_t info_len, prk_len, okm_len;
+
+    const mbedtls_md_info_t *md = mbedtls_md_info_from_type( md_alg );
+    TEST_ASSERT( md != NULL );
+
+    output_okm = mbedtls_calloc( OKM_LEN, 1 );
+
+    prk = unhexify_alloc( hex_prk_string, &prk_len );
+    info = unhexify_alloc( hex_info_string, &info_len );
+    okm = unhexify_alloc( hex_okm_string, &okm_len );
+    TEST_ASSERT( prk_len == mbedtls_md_get_size( md ) );
+    TEST_ASSERT( okm_len < OKM_LEN );
+
+    ret = mbedtls_hkdf_expand( md, prk, prk_len, info, info_len,
+                               output_okm, OKM_LEN );
+    TEST_ASSERT( ret == 0 );
+    TEST_ASSERT( !memcmp( output_okm, okm, okm_len ) );
+
+exit:
+    mbedtls_free(info);
+    mbedtls_free(prk);
+    mbedtls_free(okm);
+    mbedtls_free(output_okm);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void test_hkdf_extract_ret( int hash_len, int ret )
+{
+    int output_ret;
+    unsigned char *salt = NULL;
+    unsigned char *ikm = NULL;
+    unsigned char *prk = NULL;
+    size_t salt_len, ikm_len;
+    struct mbedtls_md_info_t fake_md_info;
+
+    memset( &fake_md_info, 0, sizeof( fake_md_info ) );
+    fake_md_info.type = MBEDTLS_MD_NONE;
+    fake_md_info.size = hash_len;
+
+    prk = mbedtls_calloc( MBEDTLS_MD_MAX_SIZE, 1 );
+    salt_len = 0;
+    ikm_len = 0;
+
+    output_ret = mbedtls_hkdf_extract( &fake_md_info, salt, salt_len,
+                                       ikm, ikm_len, prk );
+    TEST_ASSERT( output_ret == ret );
+
+exit:
+    mbedtls_free(prk);
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void test_hkdf_expand_ret( int hash_len, int prk_len, int okm_len, int ret )
+{
+    int output_ret;
+    unsigned char *info = NULL;
+    unsigned char *prk = NULL;
+    unsigned char *okm = NULL;
+    size_t info_len;
+    struct mbedtls_md_info_t fake_md_info;
+
+    memset( &fake_md_info, 0, sizeof( fake_md_info ) );
+    fake_md_info.type = MBEDTLS_MD_NONE;
+    fake_md_info.size = hash_len;
+
+    info_len = 0;
+
+    if (prk_len > 0)
+        prk = mbedtls_calloc( prk_len, 1 );
+
+    if (okm_len > 0)
+        okm = mbedtls_calloc( okm_len, 1 );
+
+    output_ret = mbedtls_hkdf_expand( &fake_md_info, prk, prk_len,
+                                      info, info_len, okm, okm_len );
+    TEST_ASSERT( output_ret == ret );
+
+exit:
+    mbedtls_free(prk);
+    mbedtls_free(okm);
+}
+/* END_CASE */
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_hmac_drbg.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_hmac_drbg.function
index a413f5e182..13bc400623 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_hmac_drbg.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_hmac_drbg.function
@@ -1,5 +1,6 @@
 /* BEGIN_HEADER */
 #include "mbedtls/hmac_drbg.h"
+#include "string.h"
 
 typedef struct
 {
@@ -109,7 +110,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO */
-void hmac_drbg_seed_file( int md_alg, char *path, int ret )
+void hmac_drbg_seed_file( int md_alg, char * path, int ret )
 {
     const mbedtls_md_info_t *md_info;
     mbedtls_hmac_drbg_context ctx;
@@ -160,59 +161,47 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void hmac_drbg_no_reseed( int md_alg,
-                          char *entropy_hex, char *custom_hex,
-                          char *add1_hex, char *add2_hex,
-                          char *output_hex )
+void hmac_drbg_no_reseed( int md_alg, data_t * entropy,
+                          data_t * custom, data_t * add1,
+                          data_t * add2, data_t * output )
 {
     unsigned char data[1024];
-    unsigned char entropy[512];
-    unsigned char custom[512];
-    unsigned char add1[512];
-    unsigned char add2[512];
-    unsigned char output[512];
     unsigned char my_output[512];
-    size_t custom_len, add1_len, add2_len, out_len;
     entropy_ctx p_entropy;
     const mbedtls_md_info_t *md_info;
     mbedtls_hmac_drbg_context ctx;
 
     mbedtls_hmac_drbg_init( &ctx );
-    memset( my_output, 0, sizeof my_output );
 
-    custom_len = unhexify( custom, custom_hex );
-    add1_len = unhexify( add1, add1_hex );
-    add2_len = unhexify( add2, add2_hex );
-    out_len = unhexify( output, output_hex );
-    p_entropy.len = unhexify( entropy, entropy_hex );
-    p_entropy.p = entropy;
+    p_entropy.p = entropy->x;
+    p_entropy.len = entropy->len;
 
     md_info = mbedtls_md_info_from_type( md_alg );
     TEST_ASSERT( md_info != NULL );
 
     /* Test the simplified buffer-based variant */
-    memcpy( data, entropy, p_entropy.len );
-    memcpy( data + p_entropy.len, custom, custom_len );
+    memcpy( data, entropy->x, p_entropy.len );
+    memcpy( data + p_entropy.len, custom->x, custom->len );
     TEST_ASSERT( mbedtls_hmac_drbg_seed_buf( &ctx, md_info,
-                                     data, p_entropy.len + custom_len ) == 0 );
-    TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, out_len,
-                                            add1, add1_len ) == 0 );
-    TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, out_len,
-                                            add2, add2_len ) == 0 );
+                                     data, p_entropy.len + custom->len ) == 0 );
+    TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, output->len,
+                                            add1->x, add1->len ) == 0 );
+    TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, output->len,
+                                            add2->x, add2->len ) == 0 );
 
     /* clear for second run */
     mbedtls_hmac_drbg_free( &ctx );
 
-    TEST_ASSERT( memcmp( my_output, output, out_len ) == 0 );
+    TEST_ASSERT( memcmp( my_output, output->x, output->len ) == 0 );
 
     /* And now the normal entropy-based variant */
     TEST_ASSERT( mbedtls_hmac_drbg_seed( &ctx, md_info, mbedtls_test_entropy_func, &p_entropy,
-                                 custom, custom_len ) == 0 );
-    TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, out_len,
-                                            add1, add1_len ) == 0 );
-    TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, out_len,
-                                            add2, add2_len ) == 0 );
-    TEST_ASSERT( memcmp( my_output, output, out_len ) == 0 );
+                                 custom->x, custom->len ) == 0 );
+    TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, output->len,
+                                            add1->x, add1->len ) == 0 );
+    TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, output->len,
+                                            add2->x, add2->len ) == 0 );
+    TEST_ASSERT( memcmp( my_output, output->x, output->len ) == 0 );
 
 exit:
     mbedtls_hmac_drbg_free( &ctx );
@@ -220,46 +209,32 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void hmac_drbg_nopr( int md_alg,
-                     char *entropy_hex, char *custom_hex,
-                     char *add1_hex, char *add2_hex, char *add3_hex,
-                     char *output_hex )
+void hmac_drbg_nopr( int md_alg, data_t * entropy, data_t * custom,
+                     data_t * add1, data_t * add2, data_t * add3,
+                     data_t * output )
 {
-    unsigned char entropy[512];
-    unsigned char custom[512];
-    unsigned char add1[512];
-    unsigned char add2[512];
-    unsigned char add3[512];
-    unsigned char output[512];
     unsigned char my_output[512];
-    size_t custom_len, add1_len, add2_len, add3_len, out_len;
     entropy_ctx p_entropy;
     const mbedtls_md_info_t *md_info;
     mbedtls_hmac_drbg_context ctx;
 
     mbedtls_hmac_drbg_init( &ctx );
-    memset( my_output, 0, sizeof my_output );
 
-    custom_len = unhexify( custom, custom_hex );
-    add1_len = unhexify( add1, add1_hex );
-    add2_len = unhexify( add2, add2_hex );
-    add3_len = unhexify( add3, add3_hex );
-    out_len = unhexify( output, output_hex );
-    p_entropy.len = unhexify( entropy, entropy_hex );
-    p_entropy.p = entropy;
+    p_entropy.p = entropy->x;
+    p_entropy.len = entropy->len;
 
     md_info = mbedtls_md_info_from_type( md_alg );
     TEST_ASSERT( md_info != NULL );
 
     TEST_ASSERT( mbedtls_hmac_drbg_seed( &ctx, md_info, mbedtls_test_entropy_func, &p_entropy,
-                                 custom, custom_len ) == 0 );
-    TEST_ASSERT( mbedtls_hmac_drbg_reseed( &ctx, add1, add1_len ) == 0 );
-    TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, out_len,
-                                            add2, add2_len ) == 0 );
-    TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, out_len,
-                                            add3, add3_len ) == 0 );
+                                 custom->x, custom->len ) == 0 );
+    TEST_ASSERT( mbedtls_hmac_drbg_reseed( &ctx, add1->x, add1->len ) == 0 );
+    TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, output->len,
+                                            add2->x, add2->len ) == 0 );
+    TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, output->len,
+                                            add3->x, add3->len ) == 0 );
 
-    TEST_ASSERT( memcmp( my_output, output, out_len ) == 0 );
+    TEST_ASSERT( memcmp( my_output, output->x, output->len ) == 0 );
 
 exit:
     mbedtls_hmac_drbg_free( &ctx );
@@ -267,44 +242,31 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void hmac_drbg_pr( int md_alg,
-                   char *entropy_hex, char *custom_hex,
-                   char *add1_hex, char *add2_hex,
-                   char *output_hex )
+void hmac_drbg_pr( int md_alg, data_t * entropy, data_t * custom,
+                   data_t * add1, data_t * add2, data_t * output )
 {
-    unsigned char entropy[512];
-    unsigned char custom[512];
-    unsigned char add1[512];
-    unsigned char add2[512];
-    unsigned char output[512];
     unsigned char my_output[512];
-    size_t custom_len, add1_len, add2_len, out_len;
     entropy_ctx p_entropy;
     const mbedtls_md_info_t *md_info;
     mbedtls_hmac_drbg_context ctx;
 
     mbedtls_hmac_drbg_init( &ctx );
-    memset( my_output, 0, sizeof my_output );
 
-    custom_len = unhexify( custom, custom_hex );
-    add1_len = unhexify( add1, add1_hex );
-    add2_len = unhexify( add2, add2_hex );
-    out_len = unhexify( output, output_hex );
-    p_entropy.len = unhexify( entropy, entropy_hex );
-    p_entropy.p = entropy;
+    p_entropy.p = entropy->x;
+    p_entropy.len = entropy->len;
 
     md_info = mbedtls_md_info_from_type( md_alg );
     TEST_ASSERT( md_info != NULL );
 
     TEST_ASSERT( mbedtls_hmac_drbg_seed( &ctx, md_info, mbedtls_test_entropy_func, &p_entropy,
-                                 custom, custom_len ) == 0 );
+                                 custom->x, custom->len ) == 0 );
     mbedtls_hmac_drbg_set_prediction_resistance( &ctx, MBEDTLS_HMAC_DRBG_PR_ON );
-    TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, out_len,
-                                            add1, add1_len ) == 0 );
-    TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, out_len,
-                                            add2, add2_len ) == 0 );
+    TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, output->len,
+                                            add1->x, add1->len ) == 0 );
+    TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, output->len,
+                                            add2->x, add2->len ) == 0 );
 
-    TEST_ASSERT( memcmp( my_output, output, out_len ) == 0 );
+    TEST_ASSERT( memcmp( my_output, output->x, output->len ) == 0 );
 
 exit:
     mbedtls_hmac_drbg_free( &ctx );
@@ -312,7 +274,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void hmac_drbg_selftest( )
+void hmac_drbg_selftest(  )
 {
     TEST_ASSERT( mbedtls_hmac_drbg_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_md.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_md.function
index 6ac834e1e0..11cf88ae77 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_md.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_md.function
@@ -8,7 +8,7 @@
  */
 
 /* BEGIN_CASE */
-void mbedtls_md_process( )
+void mbedtls_md_process(  )
 {
     const int *md_type_ptr;
     const mbedtls_md_info_t *info;
@@ -40,7 +40,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void md_null_args( )
+void md_null_args(  )
 {
     mbedtls_md_context_t ctx;
     const mbedtls_md_info_t *info = mbedtls_md_info_from_type( *( mbedtls_md_list() ) );
@@ -103,7 +103,7 @@ void md_null_args( )
 /* END_CASE */
 
 /* BEGIN_CASE */
-void md_info( int md_type, char *md_name, int md_size )
+void md_info( int md_type, char * md_name, int md_size )
 {
     const mbedtls_md_info_t *md_info;
     const int *md_type_ptr;
@@ -126,17 +126,16 @@ void md_info( int md_type, char *md_name, int md_size )
 /* END_CASE */
 
 /* BEGIN_CASE */
-void md_text( char *text_md_name, char *text_src_string, char *hex_hash_string )
+void md_text( char * text_md_name, char * text_src_string,
+              data_t * hex_hash_string )
 {
     char md_name[100];
     unsigned char src_str[1000];
-    unsigned char hash_str[1000];
     unsigned char output[100];
     const mbedtls_md_info_t *md_info = NULL;
 
     memset( md_name, 0x00, 100 );
     memset( src_str, 0x00, 1000 );
-    memset( hash_str, 0x00, 1000 );
     memset( output, 0x00, 100 );
 
     strncpy( (char *) src_str, text_src_string, sizeof( src_str ) - 1 );
@@ -145,47 +144,40 @@ void md_text( char *text_md_name, char *text_src_string, char *hex_hash_string )
     TEST_ASSERT( md_info != NULL );
 
     TEST_ASSERT ( 0 == mbedtls_md( md_info, src_str, strlen( (char *) src_str ), output ) );
-    hexify( hash_str, output, mbedtls_md_get_size( md_info ) );
 
-    TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, mbedtls_md_get_size( md_info ), hex_hash_string->len ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE */
-void md_hex( char *text_md_name, char *hex_src_string, char *hex_hash_string )
+void md_hex( char * text_md_name, data_t * src_str,
+             data_t * hex_hash_string )
 {
     char md_name[100];
-    unsigned char src_str[10000];
-    unsigned char hash_str[10000];
     unsigned char output[100];
-    int src_len;
     const mbedtls_md_info_t *md_info = NULL;
 
     memset( md_name, 0x00, 100 );
-    memset( src_str, 0x00, 10000 );
-    memset( hash_str, 0x00, 10000 );
     memset( output, 0x00, 100 );
 
     strncpy( (char *) md_name, text_md_name, sizeof( md_name ) - 1 );
     md_info = mbedtls_md_info_from_string( md_name );
     TEST_ASSERT( md_info != NULL );
 
-    src_len = unhexify( src_str, hex_src_string );
-    TEST_ASSERT ( 0 == mbedtls_md( md_info, src_str, src_len, output ) );
+    TEST_ASSERT ( 0 == mbedtls_md( md_info, src_str->x, src_str->len, output ) );
 
-    hexify( hash_str, output, mbedtls_md_get_size( md_info ) );
 
-    TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x,
+                 mbedtls_md_get_size( md_info ), hex_hash_string->len ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE */
-void md_text_multi( char *text_md_name, char *text_src_string,
-                    char *hex_hash_string )
+void md_text_multi( char * text_md_name, char * text_src_string,
+                    data_t * hex_hash_string )
 {
     char md_name[100];
     unsigned char src_str[1000];
-    unsigned char hash_str[1000];
     unsigned char output[100];
     int halfway, len;
 
@@ -197,7 +189,6 @@ void md_text_multi( char *text_md_name, char *text_src_string,
 
     memset( md_name, 0x00, 100 );
     memset( src_str, 0x00, 1000 );
-    memset( hash_str, 0x00, 1000 );
     memset( output, 0x00, 100 );
 
     strncpy( (char *) src_str, text_src_string, sizeof(src_str) - 1 );
@@ -217,17 +208,15 @@ void md_text_multi( char *text_md_name, char *text_src_string,
 
     TEST_ASSERT ( 0 == mbedtls_md_update( &ctx, src_str + halfway, len - halfway ) );
     TEST_ASSERT ( 0 == mbedtls_md_finish( &ctx, output ) );
-    hexify( hash_str, output, mbedtls_md_get_size( md_info ) );
-    TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x,
+                 mbedtls_md_get_size( md_info ), hex_hash_string->len) == 0 );
 
     /* Test clone */
-    memset( hash_str, 0x00, 1000 );
     memset( output, 0x00, 100 );
 
     TEST_ASSERT ( 0 == mbedtls_md_update( &ctx_copy, src_str + halfway, len - halfway ) );
     TEST_ASSERT ( 0 == mbedtls_md_finish( &ctx_copy, output ) );
-    hexify( hash_str, output, mbedtls_md_get_size( md_info ) );
-    TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, mbedtls_md_get_size( md_info ), hex_hash_string->len ) == 0 );
 
 exit:
     mbedtls_md_free( &ctx );
@@ -236,23 +225,19 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void md_hex_multi( char *text_md_name, char *hex_src_string,
-                   char *hex_hash_string )
+void md_hex_multi( char * text_md_name, data_t * src_str,
+                   data_t * hex_hash_string )
 {
     char md_name[100];
-    unsigned char src_str[10000];
-    unsigned char hash_str[10000];
     unsigned char output[100];
-    int src_len, halfway;
     const mbedtls_md_info_t *md_info = NULL;
     mbedtls_md_context_t ctx, ctx_copy;
+    int halfway;
 
     mbedtls_md_init( &ctx );
     mbedtls_md_init( &ctx_copy );
 
     memset( md_name, 0x00, 100 );
-    memset( src_str, 0x00, 10000 );
-    memset( hash_str, 0x00, 10000 );
     memset( output, 0x00, 100 );
 
     strncpy( (char *) md_name, text_md_name, sizeof( md_name ) - 1 );
@@ -261,27 +246,23 @@ void md_hex_multi( char *text_md_name, char *hex_src_string,
     TEST_ASSERT ( 0 == mbedtls_md_setup( &ctx, md_info, 0 ) );
     TEST_ASSERT ( 0 == mbedtls_md_setup( &ctx_copy, md_info, 0 ) );
 
-    src_len = unhexify( src_str, hex_src_string );
-    halfway = src_len / 2;
+    halfway = src_str->len / 2;
 
     TEST_ASSERT ( 0 == mbedtls_md_starts( &ctx ) );
     TEST_ASSERT ( ctx.md_ctx != NULL );
-    TEST_ASSERT ( 0 == mbedtls_md_update( &ctx, src_str, halfway ) );
+    TEST_ASSERT ( 0 == mbedtls_md_update( &ctx, src_str->x, halfway ) );
     TEST_ASSERT ( 0 == mbedtls_md_clone( &ctx_copy, &ctx ) );
 
-    TEST_ASSERT ( 0 == mbedtls_md_update( &ctx, src_str + halfway, src_len - halfway) );
+    TEST_ASSERT ( 0 == mbedtls_md_update( &ctx, src_str->x + halfway, src_str->len - halfway) );
     TEST_ASSERT ( 0 == mbedtls_md_finish( &ctx, output ) );
-    hexify( hash_str, output, mbedtls_md_get_size( md_info ) );
-    TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, mbedtls_md_get_size( md_info ), hex_hash_string->len ) == 0 );
 
     /* Test clone */
-    memset( hash_str, 0x00, 10000 );
     memset( output, 0x00, 100 );
 
-    TEST_ASSERT ( 0 == mbedtls_md_update( &ctx_copy, src_str + halfway, src_len - halfway ) );
+    TEST_ASSERT ( 0 == mbedtls_md_update( &ctx_copy, src_str->x + halfway, src_str->len - halfway ) );
     TEST_ASSERT ( 0 == mbedtls_md_finish( &ctx_copy, output ) );
-    hexify( hash_str, output, mbedtls_md_get_size( md_info ) );
-    TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, mbedtls_md_get_size( md_info ), hex_hash_string->len ) == 0 );
 
 exit:
     mbedtls_md_free( &ctx );
@@ -290,56 +271,41 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_md_hmac( char *text_md_name, int trunc_size, char *hex_key_string,
-              char *hex_src_string, char *hex_hash_string )
+void mbedtls_md_hmac( char * text_md_name, int trunc_size,
+                      data_t * key_str, data_t * src_str,
+                      data_t * hex_hash_string )
 {
     char md_name[100];
-    unsigned char src_str[10000];
-    unsigned char key_str[10000];
-    unsigned char hash_str[10000];
     unsigned char output[100];
-    int key_len, src_len;
     const mbedtls_md_info_t *md_info = NULL;
 
     memset( md_name, 0x00, 100 );
-    memset( src_str, 0x00, 10000 );
-    memset( key_str, 0x00, 10000 );
-    memset( hash_str, 0x00, 10000 );
     memset( output, 0x00, 100 );
 
     strncpy( (char *) md_name, text_md_name, sizeof( md_name ) - 1 );
     md_info = mbedtls_md_info_from_string( md_name );
     TEST_ASSERT( md_info != NULL );
 
-    key_len = unhexify( key_str, hex_key_string );
-    src_len = unhexify( src_str, hex_src_string );
 
-    TEST_ASSERT ( mbedtls_md_hmac( md_info, key_str, key_len, src_str, src_len, output ) == 0 );
-    hexify( hash_str, output, mbedtls_md_get_size( md_info ) );
+    TEST_ASSERT ( mbedtls_md_hmac( md_info, key_str->x, key_str->len, src_str->x, src_str->len, output ) == 0 );
 
-    TEST_ASSERT( strncmp( (char *) hash_str, hex_hash_string, trunc_size * 2 ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, trunc_size, hex_hash_string->len ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE */
-void md_hmac_multi( char *text_md_name, int trunc_size, char *hex_key_string,
-                    char *hex_src_string, char *hex_hash_string )
+void md_hmac_multi( char * text_md_name, int trunc_size, data_t * key_str,
+                    data_t * src_str, data_t * hex_hash_string )
 {
     char md_name[100];
-    unsigned char src_str[10000];
-    unsigned char key_str[10000];
-    unsigned char hash_str[10000];
     unsigned char output[100];
-    int key_len, src_len, halfway;
     const mbedtls_md_info_t *md_info = NULL;
     mbedtls_md_context_t ctx;
+    int halfway;
 
     mbedtls_md_init( &ctx );
 
     memset( md_name, 0x00, 100 );
-    memset( src_str, 0x00, 10000 );
-    memset( key_str, 0x00, 10000 );
-    memset( hash_str, 0x00, 10000 );
     memset( output, 0x00, 100 );
 
     strncpy( (char *) md_name, text_md_name, sizeof( md_name ) - 1 );
@@ -347,30 +313,25 @@ void md_hmac_multi( char *text_md_name, int trunc_size, char *hex_key_string,
     TEST_ASSERT( md_info != NULL );
     TEST_ASSERT ( 0 == mbedtls_md_setup( &ctx, md_info, 1 ) );
 
-    key_len = unhexify( key_str, hex_key_string );
-    src_len = unhexify( src_str, hex_src_string );
-    halfway = src_len / 2;
+    halfway = src_str->len / 2;
 
-    TEST_ASSERT ( 0 == mbedtls_md_hmac_starts( &ctx, key_str, key_len ) );
+    TEST_ASSERT ( 0 == mbedtls_md_hmac_starts( &ctx, key_str->x, key_str->len ) );
     TEST_ASSERT ( ctx.md_ctx != NULL );
-    TEST_ASSERT ( 0 == mbedtls_md_hmac_update( &ctx, src_str, halfway ) );
-    TEST_ASSERT ( 0 == mbedtls_md_hmac_update( &ctx, src_str + halfway, src_len - halfway ) );
+    TEST_ASSERT ( 0 == mbedtls_md_hmac_update( &ctx, src_str->x, halfway ) );
+    TEST_ASSERT ( 0 == mbedtls_md_hmac_update( &ctx, src_str->x + halfway, src_str->len - halfway ) );
     TEST_ASSERT ( 0 == mbedtls_md_hmac_finish( &ctx, output ) );
 
-    hexify( hash_str, output, mbedtls_md_get_size( md_info ) );
-    TEST_ASSERT( strncmp( (char *) hash_str, hex_hash_string, trunc_size * 2 ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, trunc_size, hex_hash_string->len ) == 0 );
 
     /* Test again, for reset() */
-    memset( hash_str, 0x00, 10000 );
     memset( output, 0x00, 100 );
 
     TEST_ASSERT ( 0 == mbedtls_md_hmac_reset( &ctx ) );
-    TEST_ASSERT ( 0 == mbedtls_md_hmac_update( &ctx, src_str, halfway ) );
-    TEST_ASSERT ( 0 == mbedtls_md_hmac_update( &ctx, src_str + halfway, src_len - halfway ) );
+    TEST_ASSERT ( 0 == mbedtls_md_hmac_update( &ctx, src_str->x, halfway ) );
+    TEST_ASSERT ( 0 == mbedtls_md_hmac_update( &ctx, src_str->x + halfway, src_str->len - halfway ) );
     TEST_ASSERT ( 0 == mbedtls_md_hmac_finish( &ctx, output ) );
 
-    hexify( hash_str, output, mbedtls_md_get_size( md_info ) );
-    TEST_ASSERT( strncmp( (char *) hash_str, hex_hash_string, trunc_size * 2 ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, trunc_size, hex_hash_string->len ) == 0 );
 
 exit:
     mbedtls_md_free( &ctx );
@@ -378,15 +339,14 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO */
-void mbedtls_md_file( char *text_md_name, char *filename, char *hex_hash_string )
+void mbedtls_md_file( char * text_md_name, char * filename,
+                      data_t * hex_hash_string )
 {
     char md_name[100];
-    unsigned char hash_str[1000];
     unsigned char output[100];
     const mbedtls_md_info_t *md_info = NULL;
 
     memset( md_name, 0x00, 100 );
-    memset( hash_str, 0x00, 1000 );
     memset( output, 0x00, 100 );
 
     strncpy( (char *) md_name, text_md_name, sizeof( md_name ) - 1 );
@@ -394,8 +354,7 @@ void mbedtls_md_file( char *text_md_name, char *filename, char *hex_hash_string
     TEST_ASSERT( md_info != NULL );
 
     TEST_ASSERT( mbedtls_md_file( md_info, filename, output ) == 0 );
-    hexify( hash_str, output, mbedtls_md_get_size( md_info ) );
 
-    TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, mbedtls_md_get_size( md_info ), hex_hash_string->len ) == 0 );
 }
 /* END_CASE */
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mdx.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mdx.function
index 648a9cc35d..02004efa84 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mdx.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mdx.function
@@ -6,116 +6,104 @@
 /* END_HEADER */
 
 /* BEGIN_CASE depends_on:MBEDTLS_MD2_C */
-void md2_text( char *text_src_string, char *hex_hash_string )
+void md2_text( char * text_src_string, data_t * hex_hash_string )
 {
     int ret;
     unsigned char src_str[100];
-    unsigned char hash_str[33];
     unsigned char output[16];
 
     memset( src_str, 0x00, sizeof src_str );
-    memset( hash_str, 0x00, sizeof hash_str );
     memset( output, 0x00, sizeof output );
 
     strncpy( (char *) src_str, text_src_string, sizeof(src_str) - 1 );
 
     ret = mbedtls_md2_ret( src_str, strlen( (char *) src_str ), output );
     TEST_ASSERT( ret == 0 ) ;
-    hexify( hash_str, output, sizeof  output );
 
-    TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, sizeof  output, hex_hash_string->len ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_MD4_C */
-void md4_text( char *text_src_string, char *hex_hash_string )
+void md4_text( char * text_src_string, data_t * hex_hash_string )
 {
     int ret;
     unsigned char src_str[100];
-    unsigned char hash_str[33];
     unsigned char output[16];
 
     memset( src_str, 0x00, sizeof src_str );
-    memset( hash_str, 0x00, sizeof hash_str );
     memset( output, 0x00, sizeof output );
 
     strncpy( (char *) src_str, text_src_string, sizeof(src_str) - 1 );
 
     ret = mbedtls_md4_ret( src_str, strlen( (char *) src_str ), output );
     TEST_ASSERT( ret == 0 );
-    hexify( hash_str, output, sizeof  output );
 
-    TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, sizeof  output, hex_hash_string->len ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_MD5_C */
-void md5_text( char *text_src_string, char *hex_hash_string )
+void md5_text( char * text_src_string, data_t * hex_hash_string )
 {
     int ret;
     unsigned char src_str[100];
-    unsigned char hash_str[33];
     unsigned char output[16];
 
     memset( src_str, 0x00, sizeof src_str );
-    memset( hash_str, 0x00, sizeof hash_str );
     memset( output, 0x00, sizeof output );
 
     strncpy( (char *) src_str, text_src_string, sizeof(src_str) - 1 );
 
     ret = mbedtls_md5_ret( src_str, strlen( (char *) src_str ), output );
     TEST_ASSERT( ret == 0 );
-    hexify( hash_str, output, sizeof  output );
 
-    TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, sizeof  output, hex_hash_string->len ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_RIPEMD160_C */
-void ripemd160_text( char *text_src_string, char *hex_hash_string )
+void ripemd160_text( char * text_src_string, data_t * hex_hash_string )
 {
     int ret;
     unsigned char src_str[100];
-    unsigned char hash_str[41];
     unsigned char output[20];
 
     memset(src_str, 0x00, sizeof src_str);
-    memset(hash_str, 0x00, sizeof hash_str);
     memset(output, 0x00, sizeof output);
 
     strncpy( (char *) src_str, text_src_string, sizeof(src_str) - 1 );
 
     ret = mbedtls_ripemd160_ret( src_str, strlen( (char *) src_str ), output );
     TEST_ASSERT( ret == 0 );
-    hexify( hash_str, output, sizeof output );
 
-    TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, sizeof output, hex_hash_string->len ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_MD2_C:MBEDTLS_SELF_TEST */
-void md2_selftest()
+void md2_selftest(  )
 {
     TEST_ASSERT( mbedtls_md2_self_test( 1 ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_MD4_C:MBEDTLS_SELF_TEST */
-void md4_selftest()
+void md4_selftest(  )
 {
     TEST_ASSERT( mbedtls_md4_self_test( 1 ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_MD5_C:MBEDTLS_SELF_TEST */
-void md5_selftest()
+void md5_selftest(  )
 {
     TEST_ASSERT( mbedtls_md5_self_test( 1 ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_RIPEMD160_C:MBEDTLS_SELF_TEST */
-void ripemd160_selftest()
+void ripemd160_selftest(  )
 {
     TEST_ASSERT( mbedtls_ripemd160_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_memory_buffer_alloc.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_memory_buffer_alloc.function
index 09684c1d41..bc034367a6 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_memory_buffer_alloc.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_memory_buffer_alloc.function
@@ -23,7 +23,7 @@ static int check_pointer( void *p )
 /* END_SUITE_HELPERS */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void mbedtls_memory_buffer_alloc_self_test( )
+void mbedtls_memory_buffer_alloc_self_test(  )
 {
     TEST_ASSERT( mbedtls_memory_buffer_alloc_self_test( 1 ) == 0 );
 }
@@ -31,10 +31,9 @@ void mbedtls_memory_buffer_alloc_self_test( )
 
 /* BEGIN_CASE depends_on:MBEDTLS_MEMORY_DEBUG */
 void memory_buffer_alloc_free_alloc( int a_bytes, int b_bytes, int c_bytes,
-                                        int d_bytes,
-                                     int free_a, int free_b, int free_c,
-                                        int free_d,
-                                     int e_bytes, int f_bytes )
+                                     int d_bytes, int free_a, int free_b,
+                                     int free_c, int free_d, int e_bytes,
+                                     int f_bytes )
 {
     unsigned char buf[1024];
     unsigned char *ptr_a = NULL, *ptr_b = NULL, *ptr_c = NULL, *ptr_d = NULL,
@@ -190,7 +189,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_MEMORY_DEBUG */
-void memory_buffer_alloc_oom_test()
+void memory_buffer_alloc_oom_test(  )
 {
     unsigned char buf[1024];
     unsigned char *ptr_a = NULL, *ptr_b = NULL, *ptr_c = NULL;
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mpi.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mpi.data
index b8d7ad14ce..425e93ad20 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mpi.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mpi.data
@@ -1,3 +1,9 @@
+MPI - Valid parameters
+mpi_valid_param:
+
+MPI - Invalid parameters
+mpi_invalid_param:
+
 Arguments with no value
 mpi_null:
 
@@ -62,7 +68,7 @@ Test mbedtls_mpi_write_binary #1 (Buffer just fits)
 mbedtls_mpi_write_binary:16:"123123123123123123123123123":"0123123123123123123123123123":14:0
 
 Test mbedtls_mpi_write_binary #2 (Buffer too small)
-mbedtls_mpi_write_binary:16:"123123123123123123123123123":"123123123123123123123123123":13:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+mbedtls_mpi_write_binary:16:"123123123123123123123123123":"23123123123123123123123123":13:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
 
 Base test mbedtls_mpi_read_file #1
 mbedtls_mpi_read_file:10:"data_files/mpi_10":"01f55332c3a48b910f9942f6c914e58bef37a47ee45cb164a5b6b8d1006bf59a059c21449939ebebfdf517d2e1dbac88010d7b1f141e997bd6801ddaec9d05910f4f2de2b2c4d714e2c14a72fc7f17aa428d59c531627f09":0
@@ -685,11 +691,11 @@ mbedtls_mpi_is_prime:10:"49979687":0
 
 Test mbedtls_mpi_is_prime_det (4 non-witnesses)
 depends_on:MBEDTLS_GENPRIME
-mbedtls_mpi_is_prime_det:"043BD64BA10B11DA83FBD296B04BCA9E0552FAF6E09CAC74E2D7E735ED0DB09FC47ED76145644203EE0C826013BC602F560BCDAAED557D04683859A65D659FF828A245A2C5B1AC41E01E4669A525A45E23AF":"040EA852F7935ACCECC0E87B845281F047D10DC9AAFEF990AF9D3D66770DA30B0C5B5E03EEA8C0CB79B936FE0BB8EE5389EC1D34EB16C58AA3F2E11AF084160CDF6400BE1CC179867AB074866952D9F34EE7042D27F960E715A97FCB93F3182247D0A6AE51BD21CC2F6B0651F9E572C5FB86F3137053FA85FD7A51816D69B3A53A5A438C17754836D04E98CA240B901F828332F2D72D88C497DA45F533F99A6E53EDEA6B0424EC8951B048FA9A80134B37D0A67014597934E3CFC52C5A4DD4751ADF8D66FC79E84E2A3148C4B15C17E12CB659390FD275F39A331FFC80EC699BC3F6FAB868E30E9B14575FCDAB6FAED01E00112DD28704177E09C335AD43A696FEA761E8DF3B0663277A5C3637F9060CB5E5654F72E9A6B0F369E660AD4CF7ABF4195493545B367BD55271CD4BB7D9C15D3F508FE8F7409C2126FC8E73B43A67CD4EFB21E9F15DBF040A2A8D5F5ED75CEAC12B595C0051F3EC9D5A58ACE82A9506E64F780E9836728260FFE1BFD73E8A9869E3D46A35A856D3028F7FEAB9F4F1A04449AEDC80017EE1014080D87F0B50C8EF255324CD89F7D039":82:MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
+mbedtls_mpi_is_prime_det:"043BD64BA10B11DA83FBD296B04BCA9E0552FAF6E09CAC74E2D7E735ED0DB09FC47ED76145644203EE0C826013BC602F560BCDAAED557D04683859A65D659FF828A245A2C5B1AC41E01E4669A525A45E23AF":"040EA852F7935ACCECC0E87B845281F047D10DC9AAFEF990AF9D3D66770DA30B0C5B5E03EEA8C0CB79B936FE0BB8EE5389EC1D34EB16C58AA3F2E11AF084160CDF6400BE1CC179867AB074866952D9F34EE7042D27F960E715A97FCB93F3182247D0A6AE51BD21CC2F6B0651F9E572C5FB86F3137053FA85FD7A51816D69B3A53A5A438C17754836D04E98CA240B901F828332F2D72D88C497DA45F533F99A6E53EDEA6B0424EC8951B048FA9A80134B37D0A67014597934E3CFC52C5A4DD4751ADF8D66FC79E84E2A3148C4B15C17E12CB659390FD275F39A331FFC80EC699BC3F6FAB868E30E9B14575FCDAB6FAED01E00112DD28704177E09C335AD43A696FEA761E8DF3B0663277A5C3637F9060CB5E5654F72E9A6B0F369E660AD4CF7ABF4195493545B367BD55271CD4BB7D9C15D3F508FE8F7409C2126FC8E73B43A67CD4EFB21E9F15DBF040A2A8D5F5ED75CEAC12B595C0051F3EC9D5A58ACE82A9506E64F780E9836728260FFE1BFD73E8A9869E3D46A35A856D3028F7FEAB9F4F1A04449AEDC80017EE1014080D87F0B50C8EF255324CD89F7D039":82:5
 
 Test mbedtls_mpi_is_prime_det (39 non-witnesses)
 depends_on:MBEDTLS_GENPRIME
-mbedtls_mpi_is_prime_det:"155102B67930FBE8858DF6C0642D77D419A7B7968E622CC7500F3E3F2C5168368C50E0083187":"119B3E2C721834D83416239B04447AA18AE0163E61DCAE97054563D79E094A6FA4485BD6A0501445BF57FE9C058926CDB862E04CC1A95D79D61D9AB3466857A53E04F8D7470C9C86649B226A13DDC534E18DFD5C22FAEA317CA4D4960F18457FD6D2FFB5F3273F74C89980DC774590D8D30D1159CA81999ED94A042D67DA68C82616AD46C2C88288A8EBD0B37AC7C152D9522CA4544642AD1210F6B642FEBF43563FA872B0DEFAFC69D0B6570E8FEA9570D0AADCFA9B06CC8BFD62CEDC221541210EEEF9762448C6D49F26AA767A4D66CB168589E0201923015314E6CD4A480E5936E7CF145F73A564C5B782635B3AFC3028E2632C5D3458224A7C9E8BA1876E8F690463C878292D3DC011E9640331E7F7621F2B5E0F6713DD8C9D6767521C4BA880DA8D11C67753C8493D2C4C4F1443147550D0B25B7FAD04EAFA9F8AA60974C1365C8A794CFEECEB4279B1150909A97E5A7A10B5D91186CA5B25A612036631FE73529C8CFAE51E76FB704A772DE5320EFC1212E7A399B1FEBF57D014AF9129DFF5D2C5DFBBEEAC55F360CF6D22FA90B8E2E9AD0C71AB6495A9452A58D653B8CC26128C66B43EFBA6E39AEC5717A1A3C2AE1449FCABAFE1180B159DA55190CD81A3D9E8D798647E11B827F0A057D6DA5AAD78AB5112EE65E10E8B8B369BA24E1B8AD2CD8548C497016C07A143DE1232F8059BE303572456FA92E76A0F23D1340629228B7D27C02D3833A72745B91A3DBEB5E081117A9F19597F00E4277B414FAEA8C8CEB895C37F956A5A22F8D7A10ADA50B22BAB312504904511AA0EFDD4D3BF20ECB17E8A684564FFB5BBD5E22C429F9A75A4FB4AE468FE7612ED53C7A11212E7EF3435CC9CA6E7DB167B8CCE2BECF35F89013F8F876223C77FA81570970858663C6E32B91080AA47F9C90177F51E6FD7747B910C9489C7B6ACB070996198AD9A40A69711274159210A9A12DBAAA4FB4632446066AB70D735DC95F7C2BCE517E88C064D728DE82B1B043DF4AEE0EFF5131120A4E5B9B4180EB6F6B8A0D1491ABDA069058A9966B1A517D8E7B4997DC52A1E698FD79E271153DF1913FE6787A5D99DE69F39C3F22D26DC731CFBB33FF5C267D85D7A3DAE8E1C87E1DB2F1236212EF1942EA756967FB3D07D629E59EA4034D9A9B5E270DD4A31C8A3DFDA99C1094B5537132C196DA2AEAF5253A019B9AF25B5DCB0D4DD75C7C9C353DA9DAABFB23959A5455312E7E1C21268C1BC14E83DCFDF50C27FD3E8B4EDC04C5F3CB5FCFFF2B57151E1B1EE1A6456DC006BC43E1158674AA4CF7D146DE4A57103BE43ED130C8007294ED2418C7A2B769A7D20EBB5A8367A77B313F81BB119B9954305FF160FF83EED7F808EE6D340A5CCC000CF81AA497D315D350CCE4E86A31456B8AA85B677491FC662933DFA55EB5BFF64B8D85430D676A85D1CAFAFF383E68C4E6C22A51063739EC03FC58C36C07C44E54828BE2152B2E9AFB0F179B157D09B64C147B524BB5424BB1914419424D9100D06EDCFC718F4DF3D562E9E16C446663F35273CA7BC5426B868A80C8D415C9A12A1619CDB7CDB5BEBC70313150BDF8C3AB26B809FE62D28E798EF1EF98C410A2DA0A9071F82154AC569078B0E647E2C085D1D907E634453442803D0492D3D0C78CACB762020C0E589C8B0981321EA2771305FD0413F3B2963FCE9A232F6641DB7E12ADC009A032063C41756E5E19E5711DE12711F07AFE7545B4D83F3EFD7BFD0435297C89DF3D4AF96EBE2CE8D64B93E36EA5D7E5A0492151D0CAEE7449A7D35E1A3C83E22C3B35162C073CC3B1CF76FBDEE84270721FC042EAAEB7325110181415E2031CFB7462F15111291CDAC0560FF9F4C7341F2FA261B97CEF348D074AA2EB4DB153FE6B1410519DA4213B611999868F3B867A2B6D758D333C4989DE80782683CA26ECDE373C71524F01B76349CE8A07A5EBECBB42259CF970DDA756EC996B189FEA045FEE45F23D476960913106ECA2510B8517AA75D56FA4152B2BDDC212014E5D07FD964D6EE532F0616DF74E104659955132331FABF2D2AD265E71C93C648A956FA0A3DB21FF103D516527F2DA0E870340B61EE8A8ED913B60605EB5A67B834D0FC90564386012585609870FEF6530B3E3C037B55506F0B5694F6B0FC":38:MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
+mbedtls_mpi_is_prime_det:"155102B67930FBE8858DF6C0642D77D419A7B7968E622CC7500F3E3F2C5168368C50E0083187":"119B3E2C721834D83416239B04447AA18AE0163E61DCAE97054563D79E094A6FA4485BD6A0501445BF57FE9C058926CDB862E04CC1A95D79D61D9AB3466857A53E04F8D7470C9C86649B226A13DDC534E18DFD5C22FAEA317CA4D4960F18457FD6D2FFB5F3273F74C89980DC774590D8D30D1159CA81999ED94A042D67DA68C82616AD46C2C88288A8EBD0B37AC7C152D9522CA4544642AD1210F6B642FEBF43563FA872B0DEFAFC69D0B6570E8FEA9570D0AADCFA9B06CC8BFD62CEDC221541210EEEF9762448C6D49F26AA767A4D66CB168589E0201923015314E6CD4A480E5936E7CF145F73A564C5B782635B3AFC3028E2632C5D3458224A7C9E8BA1876E8F690463C878292D3DC011E9640331E7F7621F2B5E0F6713DD8C9D6767521C4BA880DA8D11C67753C8493D2C4C4F1443147550D0B25B7FAD04EAFA9F8AA60974C1365C8A794CFEECEB4279B1150909A97E5A7A10B5D91186CA5B25A612036631FE73529C8CFAE51E76FB704A772DE5320EFC1212E7A399B1FEBF57D014AF9129DFF5D2C5DFBBEEAC55F360CF6D22FA90B8E2E9AD0C71AB6495A9452A58D653B8CC26128C66B43EFBA6E39AEC5717A1A3C2AE1449FCABAFE1180B159DA55190CD81A3D9E8D798647E11B827F0A057D6DA5AAD78AB5112EE65E10E8B8B369BA24E1B8AD2CD8548C497016C07A143DE1232F8059BE303572456FA92E76A0F23D1340629228B7D27C02D3833A72745B91A3DBEB5E081117A9F19597F00E4277B414FAEA8C8CEB895C37F956A5A22F8D7A10ADA50B22BAB312504904511AA0EFDD4D3BF20ECB17E8A684564FFB5BBD5E22C429F9A75A4FB4AE468FE7612ED53C7A11212E7EF3435CC9CA6E7DB167B8CCE2BECF35F89013F8F876223C77FA81570970858663C6E32B91080AA47F9C90177F51E6FD7747B910C9489C7B6ACB070996198AD9A40A69711274159210A9A12DBAAA4FB4632446066AB70D735DC95F7C2BCE517E88C064D728DE82B1B043DF4AEE0EFF5131120A4E5B9B4180EB6F6B8A0D1491ABDA069058A9966B1A517D8E7B4997DC52A1E698FD79E271153DF1913FE6787A5D99DE69F39C3F22D26DC731CFBB33FF5C267D85D7A3DAE8E1C87E1DB2F1236212EF1942EA756967FB3D07D629E59EA4034D9A9B5E270DD4A31C8A3DFDA99C1094B5537132C196DA2AEAF5253A019B9AF25B5DCB0D4DD75C7C9C353DA9DAABFB23959A5455312E7E1C21268C1BC14E83DCFDF50C27FD3E8B4EDC04C5F3CB5FCFFF2B57151E1B1EE1A6456DC006BC43E1158674AA4CF7D146DE4A57103BE43ED130C8007294ED2418C7A2B769A7D20EBB5A8367A77B313F81BB119B9954305FF160FF83EED7F808EE6D340A5CCC000CF81AA497D315D350CCE4E86A31456B8AA85B677491FC662933DFA55EB5BFF64B8D85430D676A85D1CAFAFF383E68C4E6C22A51063739EC03FC58C36C07C44E54828BE2152B2E9AFB0F179B157D09B64C147B524BB5424BB1914419424D9100D06EDCFC718F4DF3D562E9E16C446663F35273CA7BC5426B868A80C8D415C9A12A1619CDB7CDB5BEBC70313150BDF8C3AB26B809FE62D28E798EF1EF98C410A2DA0A9071F82154AC569078B0E647E2C085D1D907E634453442803D0492D3D0C78CACB762020C0E589C8B0981321EA2771305FD0413F3B2963FCE9A232F6641DB7E12ADC009A032063C41756E5E19E5711DE12711F07AFE7545B4D83F3EFD7BFD0435297C89DF3D4AF96EBE2CE8D64B93E36EA5D7E5A0492151D0CAEE7449A7D35E1A3C83E22C3B35162C073CC3B1CF76FBDEE84270721FC042EAAEB7325110181415E2031CFB7462F15111291CDAC0560FF9F4C7341F2FA261B97CEF348D074AA2EB4DB153FE6B1410519DA4213B611999868F3B867A2B6D758D333C4989DE80782683CA26ECDE373C71524F01B76349CE8A07A5EBECBB42259CF970DDA756EC996B189FEA045FEE45F23D476960913106ECA2510B8517AA75D56FA4152B2BDDC212014E5D07FD964D6EE532F0616DF74E104659955132331FABF2D2AD265E71C93C648A956FA0A3DB21FF103D516527F2DA0E870340B61EE8A8ED913B60605EB5A67B834D0FC90564386012585609870FEF6530B3E3C037B55506F0B5694F6B0FC":38:40
 
 Test mbedtls_mpi_gen_prime (Too small)
 depends_on:MBEDTLS_GENPRIME
@@ -699,13 +705,37 @@ Test mbedtls_mpi_gen_prime (OK, minimum size)
 depends_on:MBEDTLS_GENPRIME
 mbedtls_mpi_gen_prime:3:0:0
 
+Test mbedtls_mpi_gen_prime (corner case limb size -1 bits)
+depends_on:MBEDTLS_GENPRIME
+mbedtls_mpi_gen_prime:63:0:0
+
+Test mbedtls_mpi_gen_prime (corner case limb size)
+depends_on:MBEDTLS_GENPRIME
+mbedtls_mpi_gen_prime:64:0:0
+
+Test mbedtls_mpi_gen_prime (corner case limb size +1 bits)
+depends_on:MBEDTLS_GENPRIME
+mbedtls_mpi_gen_prime:65:0:0
+
 Test mbedtls_mpi_gen_prime (Larger)
 depends_on:MBEDTLS_GENPRIME
 mbedtls_mpi_gen_prime:128:0:0
 
 Test mbedtls_mpi_gen_prime (Safe)
 depends_on:MBEDTLS_GENPRIME
-mbedtls_mpi_gen_prime:128:1:0
+mbedtls_mpi_gen_prime:128:MBEDTLS_MPI_GEN_PRIME_FLAG_DH:0
+
+Test mbedtls_mpi_gen_prime (Safe with lower error rate)
+depends_on:MBEDTLS_GENPRIME
+mbedtls_mpi_gen_prime:128:MBEDTLS_MPI_GEN_PRIME_FLAG_DH | MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR:0
+
+Test mbedtls_mpi_gen_prime standard RSA #1 (lower error rate)
+depends_on:MBEDTLS_GENPRIME
+mbedtls_mpi_gen_prime:1024:MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR:0
+
+Test mbedtls_mpi_gen_prime standard RSA #2 (lower error rate)
+depends_on:MBEDTLS_GENPRIME
+mbedtls_mpi_gen_prime:1536:MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR:0
 
 Test bit getting (Value bit 25)
 mbedtls_mpi_get_bit:10:"49979687":25:1
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mpi.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mpi.function
index aa3c332bbc..f982385e13 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mpi.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_mpi.function
@@ -3,10 +3,9 @@
 
 typedef struct mbedtls_test_mpi_random
 {
-    uint8_t     *data;
-    uint32_t    data_len;
-    size_t      pos;
-    size_t      chunk_len;
+    data_t *data;
+    size_t  pos;
+    size_t  chunk_len;
 } mbedtls_test_mpi_random;
 
 /*
@@ -21,10 +20,10 @@ int mbedtls_test_mpi_miller_rabin_determinizer( void* state,
 {
     mbedtls_test_mpi_random *random = (mbedtls_test_mpi_random*) state;
 
-    if( random == NULL || random->data == NULL || buf == NULL )
+    if( random == NULL || random->data->x == NULL || buf == NULL )
         return( -1 );
 
-    if( random->pos + random->chunk_len > random->data_len
+    if( random->pos + random->chunk_len > random->data->len
             || random->chunk_len > len )
     {
         return( -1 );
@@ -37,7 +36,7 @@ int mbedtls_test_mpi_miller_rabin_determinizer( void* state,
      * Writing the witness to the start of the buffer would result in the
      * buffer being 'witness 000...000', which would be treated as
      * witness * 2^n for some n. */
-    memcpy( buf + len - random->chunk_len, &random->data[random->pos],
+    memcpy( buf + len - random->chunk_len, &random->data->x[random->pos],
             random->chunk_len );
 
     random->pos += random->chunk_len;
@@ -52,7 +51,221 @@ int mbedtls_test_mpi_miller_rabin_determinizer( void* state,
  */
 
 /* BEGIN_CASE */
-void mpi_null( )
+void mpi_valid_param( )
+{
+    TEST_VALID_PARAM( mbedtls_mpi_free( NULL ) );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void mpi_invalid_param( )
+{
+    mbedtls_mpi X;
+    const char *s_in = "00101000101010";
+    char s_out[16] = { 0 };
+    unsigned char u_out[16] = { 0 };
+    unsigned char u_in[16] = { 0 };
+    size_t olen;
+    mbedtls_mpi_uint mpi_uint;
+
+    TEST_INVALID_PARAM( mbedtls_mpi_init( NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_grow( NULL, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_copy( NULL, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_copy( &X, NULL ) );
+
+    TEST_INVALID_PARAM( mbedtls_mpi_swap( NULL, &X ) );
+    TEST_INVALID_PARAM( mbedtls_mpi_swap( &X, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_safe_cond_assign( NULL, &X, 0 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_safe_cond_assign( &X, NULL, 0 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_safe_cond_swap( NULL, &X, 0 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_safe_cond_swap( &X, NULL, 0 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_lset( NULL, 42 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_get_bit( NULL, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_set_bit( NULL, 42, 0 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_read_string( NULL, 2, s_in ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_read_string( &X, 2, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_write_string( NULL, 2,
+                                                      s_out, sizeof( s_out ),
+                                                      &olen ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_write_string( &X, 2,
+                                                      NULL, sizeof( s_out ),
+                                                      &olen ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_write_string( &X, 2,
+                                                      s_out, sizeof( s_out ),
+                                                      NULL ) );
+
+#if defined(MBEDTLS_FS_IO)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_read_file( NULL, 2, stdin ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_read_file( &X, 2, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_write_file( "", NULL, 2, NULL ) );
+#endif /* MBEDTLS_FS_IO */
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_read_binary( NULL, u_in,
+                                                     sizeof( u_in ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_read_binary( &X, NULL,
+                                                     sizeof( u_in ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_write_binary( NULL, u_out,
+                                                      sizeof( u_out ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_write_binary( &X, NULL,
+                                                      sizeof( u_out ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_shift_l( NULL, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_shift_r( NULL, 42 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_cmp_abs( NULL, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_cmp_abs( &X, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_cmp_mpi( NULL, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_cmp_mpi( &X, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_cmp_int( NULL, 42 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_add_abs( NULL, &X, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_add_abs( &X, NULL, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_add_abs( &X, &X, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_sub_abs( NULL, &X, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_sub_abs( &X, NULL, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_sub_abs( &X, &X, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_add_mpi( NULL, &X, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_add_mpi( &X, NULL, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_add_mpi( &X, &X, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_sub_mpi( NULL, &X, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_sub_mpi( &X, NULL, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_sub_mpi( &X, &X, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_add_int( NULL, &X, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_add_int( &X, NULL, 42 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_sub_int( NULL, &X, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_sub_int( &X, NULL, 42 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_mul_mpi( NULL, &X, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_mul_mpi( &X, NULL, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_mul_mpi( &X, &X, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_mul_int( NULL, &X, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_mul_int( &X, NULL, 42 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_div_mpi( &X, &X, NULL, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_div_mpi( &X, &X, &X, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_div_int( &X, &X, NULL, 42 ) );
+
+    TEST_INVALID_PARAM_RET( 0, mbedtls_mpi_lsb( NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_mod_mpi( NULL, &X, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_mod_mpi( &X, NULL, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_mod_mpi( &X, &X, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_mod_int( NULL, &X, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_mod_int( &mpi_uint, NULL, 42 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_exp_mod( NULL, &X, &X, &X, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_exp_mod( &X, NULL, &X, &X, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_exp_mod( &X, &X, NULL, &X, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_exp_mod( &X, &X, &X, NULL, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_fill_random( NULL, 42, rnd_std_rand,
+                                                     NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_fill_random( &X, 42, NULL, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_gcd( NULL, &X, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_gcd( &X, NULL, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_gcd( &X, &X, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_inv_mod( NULL, &X, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_inv_mod( &X, NULL, &X ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_MPI_BAD_INPUT_DATA,
+                            mbedtls_mpi_inv_mod( &X, &X, NULL ) );
+
+exit:
+    return;
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mpi_null(  )
 {
     mbedtls_mpi X, Y, Z;
 
@@ -71,8 +284,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mpi_read_write_string( int radix_X, char *input_X, int radix_A,
-                            char *input_A, int output_size, int result_read,
+void mpi_read_write_string( int radix_X, char * input_X, int radix_A,
+                            char * input_A, int output_size, int result_read,
                             int result_write )
 {
     mbedtls_mpi X;
@@ -100,19 +313,16 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_read_binary( char *input_X, int radix_A, char *input_A )
+void mbedtls_mpi_read_binary( data_t * buf, int radix_A, char * input_A )
 {
     mbedtls_mpi X;
     unsigned char str[1000];
-    unsigned char buf[1000];
     size_t len;
-    size_t input_len;
 
     mbedtls_mpi_init( &X );
 
-    input_len = unhexify( buf, input_X );
 
-    TEST_ASSERT( mbedtls_mpi_read_binary( &X, buf, input_len ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_binary( &X, buf->x, buf->len ) == 0 );
     TEST_ASSERT( mbedtls_mpi_write_string( &X, radix_A, (char *) str, sizeof( str ), &len ) == 0 );
     TEST_ASSERT( strcmp( (char *) str, input_A ) == 0 );
 
@@ -122,16 +332,15 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_write_binary( int radix_X, char *input_X, char *input_A,
-                       int output_size, int result )
+void mbedtls_mpi_write_binary( int radix_X, char * input_X,
+                               data_t * input_A, int output_size,
+                               int result )
 {
     mbedtls_mpi X;
-    unsigned char str[1000];
     unsigned char buf[1000];
     size_t buflen;
 
     memset( buf, 0x00, 1000 );
-    memset( str, 0x00, 1000 );
 
     mbedtls_mpi_init( &X );
 
@@ -144,9 +353,8 @@ void mbedtls_mpi_write_binary( int radix_X, char *input_X, char *input_A,
     TEST_ASSERT( mbedtls_mpi_write_binary( &X, buf, buflen ) == result );
     if( result == 0)
     {
-        hexify( str, buf, buflen );
 
-        TEST_ASSERT( strcasecmp( (char *) str, input_A ) == 0 );
+        TEST_ASSERT( hexcmp( buf, input_A->x, buflen, input_A->len ) == 0 );
     }
 
 exit:
@@ -155,18 +363,16 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO */
-void mbedtls_mpi_read_file( int radix_X, char *input_file, char *input_A,
-                    int result )
+void mbedtls_mpi_read_file( int radix_X, char * input_file,
+                            data_t * input_A, int result )
 {
     mbedtls_mpi X;
-    unsigned char str[1000];
     unsigned char buf[1000];
     size_t buflen;
     FILE *file;
     int ret;
 
     memset( buf, 0x00, 1000 );
-    memset( str, 0x00, 1000 );
 
     mbedtls_mpi_init( &X );
 
@@ -181,9 +387,8 @@ void mbedtls_mpi_read_file( int radix_X, char *input_file, char *input_A,
         buflen = mbedtls_mpi_size( &X );
         TEST_ASSERT( mbedtls_mpi_write_binary( &X, buf, buflen ) == 0 );
 
-        hexify( str, buf, buflen );
 
-        TEST_ASSERT( strcasecmp( (char *) str, input_A ) == 0 );
+        TEST_ASSERT( hexcmp( buf, input_A->x, buflen, input_A->len ) == 0 );
     }
 
 exit:
@@ -192,8 +397,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO */
-void mbedtls_mpi_write_file( int radix_X, char *input_X, int output_radix,
-                     char *output_file )
+void mbedtls_mpi_write_file( int radix_X, char * input_X, int output_radix,
+                             char * output_file )
 {
     mbedtls_mpi X, Y;
     FILE *file_out, *file_in;
@@ -223,7 +428,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_get_bit( int radix_X, char *input_X, int pos, int val )
+void mbedtls_mpi_get_bit( int radix_X, char * input_X, int pos, int val )
 {
     mbedtls_mpi X;
     mbedtls_mpi_init( &X );
@@ -236,8 +441,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_set_bit( int radix_X, char *input_X, int pos, int val,
-                          int radix_Y, char *output_Y, int result )
+void mbedtls_mpi_set_bit( int radix_X, char * input_X, int pos, int val,
+                          int radix_Y, char * output_Y, int result )
 {
     mbedtls_mpi X, Y;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y );
@@ -257,7 +462,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_lsb( int radix_X, char *input_X, int nr_bits )
+void mbedtls_mpi_lsb( int radix_X, char * input_X, int nr_bits )
 {
     mbedtls_mpi X;
     mbedtls_mpi_init( &X );
@@ -271,7 +476,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_bitlen( int radix_X, char *input_X, int nr_bits )
+void mbedtls_mpi_bitlen( int radix_X, char * input_X, int nr_bits )
 {
     mbedtls_mpi X;
     mbedtls_mpi_init( &X );
@@ -285,8 +490,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_gcd( int radix_X, char *input_X, int radix_Y, char *input_Y,
-              int radix_A, char *input_A )
+void mbedtls_mpi_gcd( int radix_X, char * input_X, int radix_Y,
+                      char * input_Y, int radix_A, char * input_A )
 {
     mbedtls_mpi A, X, Y, Z;
     mbedtls_mpi_init( &A ); mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z );
@@ -317,8 +522,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_cmp_mpi( int radix_X, char *input_X, int radix_Y, char *input_Y,
-                  int input_A )
+void mbedtls_mpi_cmp_mpi( int radix_X, char * input_X, int radix_Y,
+                          char * input_Y, int input_A )
 {
     mbedtls_mpi X, Y;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y );
@@ -333,8 +538,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_cmp_abs( int radix_X, char *input_X, int radix_Y, char *input_Y,
-                  int input_A )
+void mbedtls_mpi_cmp_abs( int radix_X, char * input_X, int radix_Y,
+                          char * input_Y, int input_A )
 {
     mbedtls_mpi X, Y;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y );
@@ -401,8 +606,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_safe_cond_assign( int x_sign, char *x_str,
-                           int y_sign, char *y_str )
+void mbedtls_mpi_safe_cond_assign( int x_sign, char * x_str, int y_sign,
+                                   char * y_str )
 {
     mbedtls_mpi X, Y, XX;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &XX );
@@ -425,8 +630,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_safe_cond_swap( int x_sign, char *x_str,
-                         int y_sign, char *y_str )
+void mbedtls_mpi_safe_cond_swap( int x_sign, char * x_str, int y_sign,
+                                 char * y_str )
 {
     mbedtls_mpi X, Y, XX, YY;
 
@@ -456,7 +661,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_swap( int input_X,  int input_Y )
+void mbedtls_mpi_swap( int input_X, int input_Y )
 {
     mbedtls_mpi X, Y, A;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &A );
@@ -476,8 +681,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_add_mpi( int radix_X, char *input_X, int radix_Y, char *input_Y,
-                  int radix_A, char *input_A )
+void mbedtls_mpi_add_mpi( int radix_X, char * input_X, int radix_Y,
+                          char * input_Y, int radix_A, char * input_A )
 {
     mbedtls_mpi X, Y, Z, A;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z ); mbedtls_mpi_init( &A );
@@ -494,7 +699,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_add_mpi_inplace( int radix_X, char *input_X, int radix_A, char *input_A )
+void mbedtls_mpi_add_mpi_inplace( int radix_X, char * input_X, int radix_A,
+                                  char * input_A )
 {
     mbedtls_mpi X, A;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &A );
@@ -520,8 +726,8 @@ exit:
 
 
 /* BEGIN_CASE */
-void mbedtls_mpi_add_abs( int radix_X, char *input_X, int radix_Y, char *input_Y,
-                  int radix_A, char *input_A )
+void mbedtls_mpi_add_abs( int radix_X, char * input_X, int radix_Y,
+                          char * input_Y, int radix_A, char * input_A )
 {
     mbedtls_mpi X, Y, Z, A;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z ); mbedtls_mpi_init( &A );
@@ -538,8 +744,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mpi_add_abs_add_first( int radix_X, char *input_X, int radix_Y,
-                            char *input_Y, int radix_A, char *input_A )
+void mpi_add_abs_add_first( int radix_X, char * input_X, int radix_Y,
+                            char * input_Y, int radix_A, char * input_A )
 {
     mbedtls_mpi X, Y, A;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &A );
@@ -556,8 +762,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mpi_add_abs_add_second( int radix_X, char *input_X, int radix_Y,
-                             char *input_Y, int radix_A, char *input_A )
+void mpi_add_abs_add_second( int radix_X, char * input_X, int radix_Y,
+                             char * input_Y, int radix_A, char * input_A )
 {
     mbedtls_mpi X, Y, A;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &A );
@@ -574,8 +780,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_add_int( int radix_X, char *input_X, int input_Y, int radix_A,
-                  char *input_A )
+void mbedtls_mpi_add_int( int radix_X, char * input_X, int input_Y,
+                          int radix_A, char * input_A )
 {
     mbedtls_mpi X, Z, A;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Z ); mbedtls_mpi_init( &A );
@@ -591,8 +797,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_sub_mpi( int radix_X, char *input_X, int radix_Y, char *input_Y,
-                  int radix_A, char *input_A )
+void mbedtls_mpi_sub_mpi( int radix_X, char * input_X, int radix_Y,
+                          char * input_Y, int radix_A, char * input_A )
 {
     mbedtls_mpi X, Y, Z, A;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z ); mbedtls_mpi_init( &A );
@@ -609,8 +815,9 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_sub_abs( int radix_X, char *input_X, int radix_Y, char *input_Y,
-                  int radix_A, char *input_A, int sub_result )
+void mbedtls_mpi_sub_abs( int radix_X, char * input_X, int radix_Y,
+                          char * input_Y, int radix_A, char * input_A,
+                          int sub_result )
 {
     mbedtls_mpi X, Y, Z, A;
     int res;
@@ -631,8 +838,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_sub_int( int radix_X, char *input_X, int input_Y, int radix_A,
-                  char *input_A )
+void mbedtls_mpi_sub_int( int radix_X, char * input_X, int input_Y,
+                          int radix_A, char * input_A )
 {
     mbedtls_mpi X, Z, A;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Z ); mbedtls_mpi_init( &A );
@@ -648,8 +855,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_mul_mpi( int radix_X, char *input_X, int radix_Y, char *input_Y,
-                  int radix_A, char *input_A )
+void mbedtls_mpi_mul_mpi( int radix_X, char * input_X, int radix_Y,
+                          char * input_Y, int radix_A, char * input_A )
 {
     mbedtls_mpi X, Y, Z, A;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z ); mbedtls_mpi_init( &A );
@@ -666,8 +873,9 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_mul_int( int radix_X, char *input_X, int input_Y, int radix_A,
-                  char *input_A, char *result_comparison )
+void mbedtls_mpi_mul_int( int radix_X, char * input_X, int input_Y,
+                          int radix_A, char * input_A,
+                          char * result_comparison )
 {
     mbedtls_mpi X, Z, A;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Z ); mbedtls_mpi_init( &A );
@@ -688,9 +896,9 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_div_mpi( int radix_X, char *input_X, int radix_Y, char *input_Y,
-                  int radix_A, char *input_A, int radix_B, char *input_B,
-                  int div_result )
+void mbedtls_mpi_div_mpi( int radix_X, char * input_X, int radix_Y,
+                          char * input_Y, int radix_A, char * input_A,
+                          int radix_B, char * input_B, int div_result )
 {
     mbedtls_mpi X, Y, Q, R, A, B;
     int res;
@@ -716,8 +924,9 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_div_int( int radix_X, char *input_X, int input_Y, int radix_A,
-                  char *input_A, int radix_B, char *input_B, int div_result )
+void mbedtls_mpi_div_int( int radix_X, char * input_X, int input_Y,
+                          int radix_A, char * input_A, int radix_B,
+                          char * input_B, int div_result )
 {
     mbedtls_mpi X, Q, R, A, B;
     int res;
@@ -742,8 +951,9 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_mod_mpi( int radix_X, char *input_X, int radix_Y, char *input_Y,
-                  int radix_A, char *input_A, int div_result )
+void mbedtls_mpi_mod_mpi( int radix_X, char * input_X, int radix_Y,
+                          char * input_Y, int radix_A, char * input_A,
+                          int div_result )
 {
     mbedtls_mpi X, Y, A;
     int res;
@@ -765,8 +975,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_mod_int( int radix_X, char *input_X, int input_Y, int input_A,
-                  int div_result )
+void mbedtls_mpi_mod_int( int radix_X, char * input_X, int input_Y,
+                          int input_A, int div_result )
 {
     mbedtls_mpi X;
     int res;
@@ -787,9 +997,10 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_exp_mod( int radix_A, char *input_A, int radix_E, char *input_E,
-                  int radix_N, char *input_N, int radix_RR, char *input_RR,
-                  int radix_X, char *input_X, int div_result )
+void mbedtls_mpi_exp_mod( int radix_A, char * input_A, int radix_E,
+                          char * input_E, int radix_N, char * input_N,
+                          int radix_RR, char * input_RR, int radix_X,
+                          char * input_X, int div_result )
 {
     mbedtls_mpi A, E, N, RR, Z, X;
     int res;
@@ -818,8 +1029,9 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_inv_mod( int radix_X, char *input_X, int radix_Y, char *input_Y,
-                  int radix_A, char *input_A, int div_result )
+void mbedtls_mpi_inv_mod( int radix_X, char * input_X, int radix_Y,
+                          char * input_Y, int radix_A, char * input_A,
+                          int div_result )
 {
     mbedtls_mpi X, Y, Z, A;
     int res;
@@ -841,14 +1053,14 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_GENPRIME */
-void mbedtls_mpi_is_prime( int radix_X, char *input_X, int div_result )
+void mbedtls_mpi_is_prime( int radix_X, char * input_X, int div_result )
 {
     mbedtls_mpi X;
     int res;
     mbedtls_mpi_init( &X );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &X, radix_X, input_X ) == 0 );
-    res = mbedtls_mpi_is_prime( &X, rnd_std_rand, NULL );
+    res = mbedtls_mpi_is_prime_ext( &X, 40, rnd_std_rand, NULL );
     TEST_ASSERT( res == div_result );
 
 exit:
@@ -857,47 +1069,47 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_GENPRIME */
-void mbedtls_mpi_is_prime_det( char *input_X, char *witnesses,
-                               int chunk_len, int div_result )
+void mbedtls_mpi_is_prime_det( data_t * input_X, data_t * witnesses,
+                               int chunk_len, int rounds )
 {
     mbedtls_mpi X;
     int res;
     mbedtls_test_mpi_random rand;
-    uint8_t *witness_buf = NULL;
-    uint8_t *input_buf = NULL;
-    size_t witness_len;
-    size_t input_len;
-
-    witness_buf = unhexify_alloc( witnesses, &witness_len );
-    input_buf = unhexify_alloc( input_X, &input_len );
 
     mbedtls_mpi_init( &X );
-    rand.data = witness_buf;
-    rand.data_len = witness_len;
+    rand.data = witnesses;
     rand.pos = 0;
     rand.chunk_len = chunk_len;
 
-    TEST_ASSERT( mbedtls_mpi_read_binary( &X, input_buf, input_len ) == 0 );
-    res = mbedtls_mpi_is_prime( &X, mbedtls_test_mpi_miller_rabin_determinizer,
+    TEST_ASSERT( mbedtls_mpi_read_binary( &X, input_X->x, input_X->len ) == 0 );
+    res = mbedtls_mpi_is_prime_ext( &X, rounds - 1,
+                                    mbedtls_test_mpi_miller_rabin_determinizer,
                                     &rand );
-    TEST_ASSERT( res == div_result );
+    TEST_ASSERT( res == 0 );
+
+    rand.data = witnesses;
+    rand.pos = 0;
+    rand.chunk_len = chunk_len;
+
+    res = mbedtls_mpi_is_prime_ext( &X, rounds,
+                                    mbedtls_test_mpi_miller_rabin_determinizer,
+                                    &rand );
+    TEST_ASSERT( res == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
 
 exit:
     mbedtls_mpi_free( &X );
-    mbedtls_free( witness_buf );
-    mbedtls_free( input_buf );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_GENPRIME */
-void mbedtls_mpi_gen_prime( int bits, int safe, int ref_ret )
+void mbedtls_mpi_gen_prime( int bits, int flags, int ref_ret )
 {
     mbedtls_mpi X;
     int my_ret;
 
     mbedtls_mpi_init( &X );
 
-    my_ret = mbedtls_mpi_gen_prime( &X, bits, safe, rnd_std_rand, NULL );
+    my_ret = mbedtls_mpi_gen_prime( &X, bits, flags, rnd_std_rand, NULL );
     TEST_ASSERT( my_ret == ref_ret );
 
     if( ref_ret == 0 )
@@ -907,12 +1119,14 @@ void mbedtls_mpi_gen_prime( int bits, int safe, int ref_ret )
         TEST_ASSERT( actual_bits >= (size_t) bits );
         TEST_ASSERT( actual_bits <= (size_t) bits + 1 );
 
-        TEST_ASSERT( mbedtls_mpi_is_prime( &X, rnd_std_rand, NULL ) == 0 );
-        if( safe )
+        TEST_ASSERT( mbedtls_mpi_is_prime_ext( &X, 40, rnd_std_rand, NULL )
+                     == 0 );
+        if( flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH )
         {
             /* X = ( X - 1 ) / 2 */
             TEST_ASSERT( mbedtls_mpi_shift_r( &X, 1 ) == 0 );
-            TEST_ASSERT( mbedtls_mpi_is_prime( &X, rnd_std_rand, NULL ) == 0 );
+            TEST_ASSERT( mbedtls_mpi_is_prime_ext( &X, 40, rnd_std_rand, NULL )
+                         == 0 );
         }
     }
 
@@ -922,8 +1136,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_shift_l( int radix_X, char *input_X, int shift_X, int radix_A,
-                  char *input_A)
+void mbedtls_mpi_shift_l( int radix_X, char * input_X, int shift_X,
+                          int radix_A, char * input_A )
 {
     mbedtls_mpi X, A;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &A );
@@ -939,8 +1153,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_mpi_shift_r( int radix_X, char *input_X, int shift_X, int radix_A,
-                  char *input_A )
+void mbedtls_mpi_shift_r( int radix_X, char * input_X, int shift_X,
+                          int radix_A, char * input_A )
 {
     mbedtls_mpi X, A;
     mbedtls_mpi_init( &X ); mbedtls_mpi_init( &A );
@@ -956,7 +1170,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void mpi_selftest()
+void mpi_selftest(  )
 {
     TEST_ASSERT( mbedtls_mpi_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_nist_kw.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_nist_kw.data
new file mode 100644
index 0000000000..446255857b
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_nist_kw.data
@@ -0,0 +1,483 @@
+NIST KW self test
+mbedtls_nist_kw_self_test:
+
+NIST KW mix contexts and modes
+mbedtls_nist_kw_mix_contexts:
+
+NIST KW init #1 wrapping AES-128: OK
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_setkey:MBEDTLS_CIPHER_ID_AES:128:1:0
+
+NIST KW init #2 unwrapping AES-128: OK
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_setkey:MBEDTLS_CIPHER_ID_AES:128:1:0
+
+NIST KW init #3 CAMELLIA-256: unsupported cipher
+depends_on:MBEDTLS_CAMELLIA_C
+mbedtls_nist_kw_setkey:MBEDTLS_CIPHER_ID_CAMELLIA:256:0:MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
+
+NIST KW init #4 AES-224: bad key size
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_setkey:MBEDTLS_CIPHER_ID_AES:224:1:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW init #5 BLOWFISH-128: bad cipher
+depends_on:MBEDTLS_BLOWFISH_C
+mbedtls_nist_kw_setkey:MBEDTLS_CIPHER_ID_BLOWFISH:128:0:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #1 KW plaintext OK (2 to 2^54 - 1 semiblocks)
+nist_kw_plaintext_lengths:16:24:MBEDTLS_KW_MODE_KW:0
+
+NIST KW lengths #2 KWP plaintext OK (1 to 2^32 - 1 octets)
+nist_kw_plaintext_lengths:5:16:MBEDTLS_KW_MODE_KWP:0
+
+NIST KW lengths #3 KW ciphertext OK (3 to 2^54 semiblocks)
+nist_kw_ciphertext_lengths:32:24:MBEDTLS_KW_MODE_KW:0
+
+NIST KW lengths #4 KWP ciphertext OK (2 to 2^29 semiblocks)
+nist_kw_ciphertext_lengths:24:16:MBEDTLS_KW_MODE_KWP:0
+
+NIST KW lengths #5 KW plaintext too short (2 to 2^54 - 1 semiblocks)
+nist_kw_plaintext_lengths:5:13:MBEDTLS_KW_MODE_KW:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #6 KWP plaintext too short (1 to 2^32 - 1 octets)
+nist_kw_plaintext_lengths:0:8:MBEDTLS_KW_MODE_KWP:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #8 KW ciphertext too short (3 to 2^54 semiblocks)
+nist_kw_ciphertext_lengths:16:8:MBEDTLS_KW_MODE_KW:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #9 KWP ciphertext too short (2 to 2^29 semiblocks)
+nist_kw_ciphertext_lengths:8:8:MBEDTLS_KW_MODE_KWP:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #10 KW plaintext not a multiple of semiblocks.
+nist_kw_plaintext_lengths:21:29:MBEDTLS_KW_MODE_KW:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #11 KW ciphertext not a multiple of semiblocks.
+nist_kw_ciphertext_lengths:34:26:MBEDTLS_KW_MODE_KW:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #12 KWP ciphertext not a multiple of semiblocks.
+nist_kw_ciphertext_lengths:30:22:MBEDTLS_KW_MODE_KWP:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #13 KW wrapping output buffer too short
+nist_kw_plaintext_lengths:16:16:MBEDTLS_KW_MODE_KW:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #14 KWP wrapping output buffer too short
+nist_kw_plaintext_lengths:5:10:MBEDTLS_KW_MODE_KWP:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #15 KW unwrapping output buffer too short
+nist_kw_ciphertext_lengths:32:16:MBEDTLS_KW_MODE_KW:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #16 KWP unwrapping output buffer too short
+nist_kw_ciphertext_lengths:24:12:MBEDTLS_KW_MODE_KWP:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #17 KW plaintext NULL (2 to 2^54 - 1 semiblocks)
+nist_kw_plaintext_lengths:0:8:MBEDTLS_KW_MODE_KW:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #18 KW wrapping output NULL
+nist_kw_plaintext_lengths:8:0:MBEDTLS_KW_MODE_KW:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #19 KWP wrapping output NULL
+nist_kw_plaintext_lengths:8:0:MBEDTLS_KW_MODE_KWP:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #20 KW ciphertext NULL
+nist_kw_ciphertext_lengths:0:8:MBEDTLS_KW_MODE_KW:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #21 KWP ciphertext NULL
+nist_kw_ciphertext_lengths:0:8:MBEDTLS_KW_MODE_KWP:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #15 KW unwrapping output NULL
+nist_kw_ciphertext_lengths:32:0:MBEDTLS_KW_MODE_KW:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW lengths #16 KWP unwrapping output NULL
+nist_kw_ciphertext_lengths:24:0:MBEDTLS_KW_MODE_KWP:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+
+NIST KW wrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 128 count 7
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"095e293f31e317ba6861114b95c90792":"64349d506ae85ecd84459c7a5c423f55":"97de4425572274bd7fb2d6688d5afd4454d992348d42a643"
+
+NIST KW wrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 256 count 11
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"ca8f6c56a9c9300549e9eae75a4604b8":"1542b8662136245162c64d45af1a982302f69f1d01a1a6bc29ef8facafbeaea0":"4d340c10bbbddf5b2014ded264bffce49901bd22adaee074b0f25a2d19c134eb3c7f38c5d0444766"
+
+NIST KW wrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 192 count 8
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"b4902b13ea73f17829b4e334fb359ec4":"2073399c7794c8b73dd782dc250dab31c80a8cba33477ab2":"37eda4eec3096135f5193c37bdeaf498b71e3a205c5638682fe746f236566b11"
+
+NIST KW wrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 320 count 14
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"579448a3d638f093742ae6b24d729849":"464d3162469899955d8bc8bfc0a22555bce609b2415bedf17a942abfe96ad4e124d4a832fbcff49f":"dadd1440a06946eabddf18e784b7719d36caa33cb626aa03aca057585584ea07a8714ecb90ceb232d6b0760845105fbb"
+
+NIST KW wrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"98311985c4661d7e811ee56070e6fecf":"18840c96813864ef3093b48cdde6ac5d78248b96d4a2cd1f15f0b56f98213dbf87e1ccad04e0d4f1954c233ea3e48fdad8f2b1156e54e19e3b5f4a66d2e9149032b876c51249165fe8c28e112a685b2d228a8ac308017574274af36a4ea3877bcc9850bafe8fc0e0a712faca0dea98396f9143bc5819fe4933a806e9b965133e3c695a45f0fbd6961798c400d7477287df64798b651e0d3009c13f7a2246c28f983509b9e5339919f2cdffcdfc550693cba9491c00334c4a62d878c4d0ca57b1104bc0174968ea8e3730b9e68db49678b23cd508ebe3e12e94b0ad3791023a8ef95473f0b32f906738f34e94e45a4480ad768072e1853adb63996b9ac27a1dade70804b82290a2274c6dcc3ccd40a8b38a56a5eb03f59075de015e8f9096f53549f6374e02da947fb849287a447f757cc340b6bded71d480988b6d2fcd984fba841470519830304667fef0a577b4cf84f76aef9deb84dde36abfbd76673c17113dbea7a3e24bf9b57a8fd17173a1ef91497b732b3fa8889bed58a503a0d3e20bc27ec4dbf5d13a93cbad05495e3df15e1fe34a3a6d6f648ea4aa60b2f114f30944ae593675dac2db188f90a3c483fb82cec0f0d295544d798b62cdcb51c6c036af1a341d78babf87b92609c1d866e311a46abccc8ba8c6a41420359bb061d7e752c0ed25990eef57c9f9e190572203f8c473edf8cfc8c26d34e37240f45ded97":"625aea9122b7b57b9f36446f9053acc42c6435a7f69d91b41547026f833291d488e477c7ccba698c143633a304f463d6af4a3e72c189234fcfc360013e65b07b7f7a36c529d3fdbbdbd6224bf100c14bc5354893b44790f54c739a2b1f5bda82d70fb600ed9b0606dbddea52e508b492b72d8779856274aaaaddc0a3edb6cfc788b603101bedfcc3f44baa62336bd950c2e349d5daf04f2e23ec2628893d214e277569c565e5e6aa8b72ffa14118a3b57f814b4deb179980b5eeefa4fd93f1751850466e929be537801babc2120f3ff1ffe5fea813ec7788eaf43f5ef657e5af48395c3ad11aaf741549090b58670695f7c95c68e00576ca18ef0313f2b4b757219fc8db3dc2db28721d6f912547ebfebcd96935c3100aa4e4df9955acae1b4e2c10df1166d46c4285ab631c6d2ce58ad3ae99c07c019dcd15958694055281ccd6f803af290431f188cc4c429e84a4c30fd9c63968dfd0951c417efb71921c207de172a9546bdd3e2bb35b45e140892c649f88c31a438f864e801a69f8010aa3d77a26601a7a89067c81b0f7e70d8e82f21f88c7d0bb0c8ca0db875d6c3f8c6f6d709bbb31c7da2e31f3571daa2c5ab13bfc16624cf35abd526e84269fb45bbd2fcd8c383d6fbb700bc4b5205b3ef8c4323dc0d9e0370e56a3d1e5e76aa4de082e4c2a0afd092845bd5dab52a45943181461b76e3984b95f48bea80a94944241d04b5634c86274e7"
+
+NIST KW wrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 128 count 7
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"13df8fa68a6e096b9b5bbaebb64ace2e6a05485b5cb7e43f":"3ee9367f631fb375ba47241966ad4ab8":"d0309b1291a06c595fcaa6dcf97817dbd7b7ad2cf48ddec2"
+
+NIST KW wrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 256 count 11
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"17c25023ac76a8af777a6f71c0c0f97931554b0a15a79222":"15227ef52412346e83a18c54a75374f69a24de6a07cfba9082596eeb5d758bb0":"0f8e2fe4f3a28c1fcebf20fef2bfd3489deb284e03d057337496285f4ffe62f074bafa0a0a6e44e4"
+
+NIST KW wrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 192 count 8
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"49d1c4ec51f2695ad7e47554efd24170ab03f628eba7d5fb":"8bf961097a6fa75694cf0ea47cfda23928fc433d5fc762e6":"dc72c58faca0dd662e5fefd05cd714987cc2470219db77baf779fca865f31529"
+
+NIST KW wrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 320 count 14
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"e06ebf0145b178ea45687abe366fdec559877dbc9300a653":"f0104e9546628d801c4f7e875f1ca4f385e915b0c7bd52ed158b6b42d7301f1df6dd5bfc80d0318a":"5b4b1d4ef349fcf5eb7d720d84b2e79fbabf3db18277ada0752b9883c21f0e24281854420e6751af8fbcc4b98be0c1d7"
+
+NIST KW wrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"932ed6ee1db1c4cf7fd81efce5609641cb5f3409563089dc":"da8dd9c1dc8cbf95b0fa280747c1007ecb086b7c944b0db4dfa3bdf6ed0c9725901cb838c2e30131250188c22bd92b068aa0871ce58a0c22307671612fc4884a655329851d54afd48a9d3a7f97976850d6fd842034548aee67df1272b06f155eb21966858731c3c35d4bb94a1ea351ef5a8c4779c077d648ec1c4f27cfaa48f47541a8f36831e35a961b076307bea928e1856e448d7695a0f7fbcd8c82800d12f530c2086f3b67bc5081d384010b47d327120def5c92f815aaae31d32893cdd18a71ba4e208445ff3a2f68a0a46689458b0f2d6d9cd3726284e56b4c020b97a82d4463f74098cfd7bd7a5f12157a0bc812266b8f2c215933cb67518f900602f0825538e05765318b6d31150007e410b92d5d957e119c5d94aadba193cf6da230387b1c5e6448515f9789a8867571ea82ad34dc5b912d6cd243bd4fc2f19d132bd8f1f5cef00a141e30ec4d3f7a546a215d5b0c7e70c3b0ec4fc34b66c4170bf403ef910dd3897caef33405827a55f943904c4e1b1aee4cc3ffd0ad27e316c164e2b5bbcf73df60d8859201b6602be01ba638aff468f3136120c117ca848ae161ecafade668e2d04b227437d4b91c6fc40ebd9490f211bcd21fd7005d200ef584f37aa2c4c769174551cec0d7f2936ae78f6c389382212703d0e7c82aef1a736056ed9c45e71439731537a2edb8a63741825c678a11c42e5b2281b43e203b0523":"76b6772984932bb6314d1eab8f625e044920f9494789e9a0ac2affd9a209cabb72ee83331a30472934e02ef28697d541a071eff9eb5c7dd49862f11384d46e8f4c2ddb084e76ef382117a285993e4a9f89e1e0ba6612f63b3c8a54784f940d7e6baf12cb67d27038e91d1ad4feceb5bc44daf7444f76fd140ec7a94869b4f99b9fcf6dd68e78c6a0a4794d55a1c91756ceb9d28b43d9c72b26fafc25c71e63dc175b29282d4a70813b833c35354983f29796909a9ba515cc5c37c58e95aa6f35b850500ea933b27a5922188c2da64680362602d71d169f853af0564b53bc613c15772ed82f89c2f8625670179a83536972332509e7ae4e0726271c5381501d3d88a3cc34a56d80e3e553b9b595e358615e92f361d695837734cdaddd7068c441b310aa511407b53806f1fed984a73862ea2ded1ee67d14feb5d8661ed94a62f5768829d6feea30db392bf24f0ea103fd2a60acf1fcd4bb2465641712113375bc2c8d73650795689f9061608b65e0e608f9948f5efcc0fba62c50b8cd97f67df2b0eec4f5a0cd354e982ae6a62070f4127b6556714bb2267d558112638f10c78be201ba165e57ac9cab6f3e35a762b7fe83b3c7c050b77174a4bf14eb2cac4d6d58a94f0c02727ad020a6a05d9ed145151d4f1ed41d5a6d06c50c0e1d5c24d09100d4f06c50d06a332a95845f4192ef577dc484e7acb91f0b2a57c1f8bef97c23294c59099eea13b3"
+
+NIST KW wrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 128 count 7
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"e823c6ef53b110eeb3f178871cf436887cca9df061d1f26409ec3b410033d967":"f90c279e9e6423804a6505e8effd924c":"0abb50b222af66058646156d106df7c85c28b708395eb9dd"
+
+NIST KW wrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 256 count 11
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"e5cca71056548467bc9c2849aba67cfe0fd74c44d514535d2314022a3f3e6ec8":"326b6da4dce95c94226b63c2d38c4e005c566191b00028b59cc788e0af5261cc":"2a4f331f451589fd103d9a9cbbeae5d5f5be7acf15aa6e21c45e09362263cf34b0ccab7c8a28dfed"
+
+NIST KW wrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 192 count 8
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"6a077f95496aba1bb80831280e7563f3a187e6d014342028349f766b791108ce":"a77b3ddac0e78c9176b7445f9ec349b2d85aa2f57e6cb362":"7c065be0a2173e0f14a3418779e7f3eb6eb7fbb7a3c20fd6c08b37d408bd9423"
+
+NIST KW wrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 320 count 14
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"752b21422647f1006de116360e88e2f6601eeb5aafd27cba56c20193fc1b941a":"a5948c20bc611187d688cb03caa04fb17774aa4f99ae3da5d821bcccfae950d72ca74b3a870008aa":"d71109224edc4233db8819aaca4db9c61ab5aad2806d0e985f1830acd8adde23ce75046b2057e0a23dec7a053bac6c4c"
+
+NIST KW wrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"931bf2c55eac657ae56fc0a9505a6ea7cc9af5162d844ccf01f19debfad09cbe":"aa8074a195abd88930825b947cbf3cca9810eb829d2e7a09f9e9cb1f8271986d00c5be478150fbbe990de8c61af879495274a60d83f98cfecb2473a35d86fba6ce839d259ede318a362e7abc1f8a18168606d5e680f456f1ca19942e67e5aee382536df7c28204b7842b99023336b735a861cf28363e7773d7b0bcf32b5fab14cb524249863fd7ce49a7a7882b53728f7ecd020393852494df09d9a69189ea713e730e002252af18864b948a642d7c0fb17b0cd5671f14ae340fb0e83b4bda920445927b8de8a82ac93158edbbd57fddcc1d908688770a07c27d2bdb7151d986e85cdf1606b0c1c959542e75090d8fdce9c2a9c162e6fd988746c9bc916ff3f20f054690173d143212b74c5a8961cd46663958744ca1334f6c1dfc13fa83c0a9cc229a1030c6c84d01751ffef54d0f9edb2a4851a187d02f097a5c716f8fbae29eae76738239516ed08c14f24f9378451e9e696742a4bcdd9e0ecba49fd05eb93698afaa1b0d5558521c7b4e77b15ca2612619bbd78f670a1562a9a0a0215fe64211115e60476525444b351a4f8ff5551dd198655423f3fcfb5967c4f77e25d3911504de1d034176d3ccecaeb31bd29677c7569c858ea24d7017ce0b31f1911f4fa14b2afa429c06115bc285ea8b90bbedbcc63f5f0829dddcb17e8f9d21bd71501679e514147e1957ccf986e7e96a0e63ded70a9d017162658a901f55b1001d":"6b75fa8070291ef7c89f5cc2060c56270f5077a6df65a8095cc76b717167e67af70dcce96de4aa32293c17d0812f666e1f42e7e662cef7a3148486d2be7f314631ed6606f326e9781c3ed6be1735bef8cd5d3ac7d2b45c4419ea61462baccc0ff87b83b9b6cc85278c0b20bc15e6baa0a15eedd9e99df82c8e61476529c98aebbc9d40d417f9af26e6da5d115acdd6007d83206c616a39fbe21c6331cc45af11c578532a7cac50aaba21f3cf317534564c2ee093ef127484aea62c7a90327fe9bbe8e45627974306d8cc7452e96033f0c8c30ba2d7fb644796a49c9b502d3db7d4995f920fe21962fd2b634c15be0d82e9cf0ae3fd2b6d45524e1003ab9788ee56cff3e2e62c5784061a5ff586b5907098b8ab54bb70fbc6cb066b071fedce10e013014d82162e3cc6f9be3b4067555907a4df55012a9b1001888c55dd94b4f8528bb29e7985ecb8a7958fc8559831db05002479b1f39e5de3659f3a6e8289d9b8ff4eaa3f864b1ea101d84b4c6138aa6ffb95dea4f825d23f5d368727ca0a8cacb74f7bfd70fccbc951db99f2f4a580425c31a8552fa27397cf8b7f420f13fdcddca553a5f31d8645615b98a88795fb4472bc7cd6e8e54707d7be1f3dd7d4871725f6bc0e65762f1e42e22c411fee6dfd8139068798c7ae9781c8e5bcf4732a83f9142edce36e1ee6e20142adf46c5abaea0ca78f61e16b6875927d4141f6b215da1f48748bd33c"
+
+NIST KWP wrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 8 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"d060e5faa705b6c600ecfcd5252bbfba":"3d":"28ccc6da03cd79b78c7207946fcee402"
+
+NIST KWP wrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 64 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"663ee3d40628059fe01a9766d5c1c31f":"1c6ccd67438f20de":"c2717ed6e51bb4314388cd26464f4d18"
+
+NIST KWP wrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 72 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"7865e20f3c21659ab4690b629cdf3cc4":"bd6843d420378dc896":"41eca956d4aa047eb5cf4efe659661e74db6f8c564e23500"
+
+NIST KWP wrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 248 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"02a92285d0baa874ac94f6648988d44f":"6ac78aff505805e3145fac44eaeb6ac92945ca12d9bc0b6fee8b1e5b983f37":"18b251cf54d2a51ac903af2fd008f6aa2b1bf491fa2e0458dba272866821e98ad037eae4af654811"
+
+NIST KWP wrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"6b8ba9cc9b31068ba175abfcc60c1338":"8af887c58dfbc38ee0423eefcc0e032dcc79dd116638ca65ad75dca2a2459f13934dbe61a62cb26d8bbddbabf9bf52bbe137ef1d3e30eacf0fe456ec808d6798dc29fe54fa1f784aa3c11cf39405009581d3f1d596843813a6685e503fac8535e0c06ecca8561b6a1f22c578eefb691912be2e1667946101ae8c3501e6c66eb17e14f2608c9ce6fbab4a1597ed49ccb3930b1060f98c97d8dc4ce81e35279c4d30d1bf86c9b919a3ce4f0109e77929e58c4c3aeb5de1ec5e0afa38ae896df9121c72c255141f2f5c9a51be5072547cf8a3b067404e62f9615a02479cf8c202e7feb2e258314e0ebe62878a5c4ecd4e9df7dab2e1fa9a7b532c2169acedb7998d5cd8a7118848ce7ee9fb2f68e28c2b279ddc064db70ad73c6dbe10c5e1c56a709c1407f93a727cce1075103a4009ae2f7731b7d71756eee119b828ef4ed61eff164935532a94fa8fe62dc2e22cf20f168ae65f4b6785286c253f365f29453a479dc2824b8bdabd962da3b76ae9c8a720155e158fe389c8cc7fa6ad522c951b5c236bf964b5b1bfb098a39835759b95404b72b17f7dbcda936177ae059269f41ecdac81a49f5bbfd2e801392a043ef06873550a67fcbc039f0b5d30ce490baa979dbbaf9e53d45d7e2dff26b2f7e6628ded694217a39f454b288e7906b79faf4a407a7d207646f93096a157f0d1dca05a7f92e318fc1ff62ce2de7f129b187053":"aea19443d7f8ad7d4501c1ecadc6b5e3f1c23c29eca608905f9cabdd46e34a55e1f7ac8308e75c903675982bda99173a2ba57d2ccf2e01a02589f89dfd4b3c7fd229ec91c9d0c46ea5dee3c048cd4611bfeadc9bf26daa1e02cb72e222cf3dab120dd1e8c2dd9bd58bbefa5d14526abd1e8d2170a6ba8283c243ec2fd5ef07030b1ef5f69f9620e4b17a3639341005887b9ffc793533594703e5dcae67bd0ce7a3c98ca65815a4d067f27e6e66d6636cebb789732566a52ac3970e14c37310dc2fcee0e739a16291029fd2b4d534e30445474b26711a8b3e1ee3cc88b09e8b1745b6cc0f067624ecb232db750b01fe5457fdea77b251b10fe95d3eeedb083bdf109c41dba26cc9654f787bf95735ff07070b175cea8b62302e6087b91a0415474605691099f1a9e2b626c4b3bb7aeb8ead9922bc3617cb427c669b88be5f98aea7edb8b0063bec80af4c081f89778d7c7242ddae88e8d3aff1f80e575e1aab4a5d115bc27636fd14d19bc59433f697635ecd870d17e7f5b004dee4001cddc34ab6e377eeb3fb08e9476970765105d93e4558fe3d4fc6fe053aab9c6cf032f1116e70c2d65f7c8cdeb6ad63ac4291f93d467ebbb29ead265c05ac684d20a6bef09b71830f717e08bcb4f9d3773bec928f66eeb64dc451e958e357ebbfef5a342df28707ac4b8e3e8c854e8d691cb92e87c0d57558e44cd754424865c229c9e1abb28e003b6819400b"
+
+NIST KWP wrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 8 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"959b4595778d7b860e08fcb5e24b11f118fd5d67089f2ea4":"65":"1cf986a0fb2208977c37a4c3830eba72"
+
+NIST KWP wrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 64 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"02dfb6662e0c1b95d34aaba7eb6c1fdd41c52b89213d5b18":"27361c34c2601fe6":"089f835f3210734aa1a2282c6ff30ef9"
+
+NIST KWP wrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 72 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"9464f1af6aabad076661328bcfd15777da16a288a2660009":"431527c3a644c106bb":"d9b257b400d808a0b0386af3be9154fc7f2fb2d7edc06201"
+
+NIST KWP wrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 248 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"df419ca84650ef28a1c5d1cb47917e4480a3aca4bd29dd5e":"3d84df372bc0b854c058441e952738ec79474b673c94e32dc78d23745fb5e7":"497e966414475938204c3b3d606d5160461c54dfdfe903b6624208d7cfc90bb403f384bfd54d1ed2"
+
+NIST KWP wrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"a85b4359ebd240012ec749459bc928eaa52c84e887ababb9":"9db71e2a2d40f6fcc1b8311167ae13fb101bdf7b5c4e078373c0c3cb3f3a3ca39a91a6985d3fdd48d93f2b5a09b2a69350da2846ce6a37d018dda95ddac93a92fda7b7c3bb6518dd78f367f70e34e0bf19dbba46fd13d3f3e0a1776350f27138c64b177aa39c54dc06184b320016b6305c2dea19fa6da634cd613d5a4f71bc045f555a1ccee39b8f1ab90840b5bae555932e08719bf38f72bc1057875e8c077a70629f46be91281b977ed6f2a71171a7cbaf8e0566e55da6220a85a7655758de3b372144ef76d0337d3133004c0db096b2c41f524f95706247a331d08a6ff72b425395fee8e1ad308ccfe5b0525c40803e529db72063731fe1644891bdc0d5961397006e1f5d6521ad4e5aee3544da101fd3cf6bcf879220a612b7016e5eefe7369f136086e8f5109ae83e8687519f2008406d20992b64ba1d27b436ea5db1fd734340f3b2279e026a96e3f9c5c7b99553e35ada9e1d7d708a73774718f9b7073c0889a298f212d47ff5960e04743070338f99b11687396da2120b8f132535c0911b04505c0e6c32590c82bf59486fadfbdc0f16a224b2f52082eb66201f041d64b34809e5e91cda89d80d78fe1e15862bcf84f65a301ae68d097c9be09f3411c11cf83225733dbc9306ad2630eb7994a0d112ba83dc542966414137fd008fbb7995f649edf844fe5ee86b94acade1a04f42dae21928b9b0cdde8cc66095772d":"72880f9f173f0ef4d99e3ae71f6f3b94f66a08aaa22be1d206faf431718c1a29bd0a574b1a28b69f0e64d56d3e43617dc73506a939b7de9005ef0ee3f02b9265e91a32aaec58b7ab990f39774f6769c9be9ced3339f6bf0159055abe237c4c755613a6c03271abea3bc89527f284a3e1557ae26b3910b779a77a128e773d11d7d641479d02f4888c989cbb8d928da0136b965531730a3c0c32404351f4c2390d996dff58985ed1d4f4021a5d6ccedf4555066a826a04055cdf8c9c44bdae26619390b3e22b064f86b28382094a3e299d55ab335ade601699e85f19d6f6f12407caf84ad47f03d75198691f1a9b2aa9ed95e508d8551b19601418922f3289fc1efc3abb1ebc2f4886dfe325cddfe25dd908e5aef8ad197ce2703e692b9c46a12201fa71ebc2e323ff8926ecc059ffeeacc0446d3f28496f17f1b4ad6504e4e24188862e25f3dfc36adc7f79920d88e6c53269cc4e5dbbebbba1a2347154683c840d178476ae11d6ce574c26b8b895957b8623807e8831b87b5639aeb415adf1bbef394046deb3bbe91a5c17f2f67131ae5f696352a488e3bed40df025e0a0846e0037847350fe8ae3cf73141d0ec550d82b89c05bbff7337bfe846411d3f0bd012e4de2fe5b83c7210214c0404b40e08abdd3f4bc441f9b6e1efdaa4ac13b85d139f670a6060a1ba8d2528bcd19f241d9ee5077d20c120f2b484c67c9c598b1b209824c3b8aec2b7b"
+
+NIST KWP wrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 8 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"0070492ff3aaa190496c72bb0affdb6fac7fa9cb32e6e91a46ea34863422f807":"39":"643a9706af6bd06410b70ee38f546bc2"
+
+NIST KWP wrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 64 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"c6e882f5b8e361e43bb3e54d5a7b8c690f485bcbec2dd2183c7e623f6b02c5fc":"99ae80eec64630ed":"de0680b34f7374539ad9b75f08f4d8e6"
+
+NIST KWP wrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 72 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"70da43aac823c6dd37d1109f5b18feb4503c973288989745e2cc1cc21d9570c6":"edf17d966ed896aee3":"d67b5b2ad15c645450e23b5e7b6d682f8ae20e716d470db7"
+
+NIST KWP wrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 248 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"e941febe4b683c02dce56194a86b72d4c569e1fc84bc7a6f24c3ae2b39bf5440":"c168cf12acb6679c24d424baa62ed56559caee163a4efa946478ad43d7dbd6":"4ad9979caa72fddff0876c0295a57fcf74e5980fec2cf622191ec6b5aebb75e0adebb12d0862ffae"
+
+NIST KWP wrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"20f31cded60b8ed8d9d3fd1e1fa6244e76c7cb7628bfd28a5d63ce8aa2c9494d":"f07225202842c8dede42215301e44b9bb7e625d3812f74f9b6ddbcd024ebd1f33e2cbf280b9004941f3cbf86c880a2357f88f92a6dcf8dad9da7dddcd00f3635efdff0af4382024e93c2af66b991e565eacca6b886f07178c9b4adad6f0d6ada5ff6aa7cd0712519a947a8089cea5e1e3e40ffe1806010b0149f9ffc7c4dd3c31b3d08d5ae1997c52369393d58611dff9bec501c1ab35e6ed3e7f9445a34e211010a8236686f154e0a5ae3433d6a844eb3884961aa6592216d93952b46bb58a4195aa80966ad0ccd4a7e23823912556a90d5ee9c3bb952ecbb9d895dabd3b11ab4f2e3a6c2582de50403289230ef4dc46e7c0d870a3f0cba9d643a0349503c1b162ddb6350e699589eb47bd563999f55a1adb6b78b52f006901b0427ea7d3394bb0adae4637b4f1ad5d5425e2c8ff3083506d7ad7ba4c7405a778b0a3a11760c96900a5256956cc9710091d073a19f46a985d004651fe2b6448ed761bf9bc81619cf273a6783d868d090753bf01318be21afd88d9f3a961a69f93e9d9fb822c80acc7b48cf14a08b5b7ef15c66975721b7cde9761a145b679155472a44dea8fedc0f86ae7ebf6283ecfde5f2444b51569e6723a7a19e28cdf8dec6791ccc14af95abad018f741575b343cb1a20a2a9adf4248f99728069a1e2e78ad8966c41c9918fb7019ef56c153a183a6247d22d9956564bb03075cbfd1b43d96818b28484":"a5b63618fc0c4512960f00a1f226d9837a90480baea75265453b9553b12a58c72153080842d7f8710f317f88fbbbf97caf879ab4bf416ba767ee9aeb34357f4a2d0e8b9571054d98e28804a70bc4d74807f2bfd95ee955bfdbb6f4d6969a0c3c3b541a514647d5cd8c9740ac3496095c3f145c50c97ec98b935158fbdf89705d5330015e48ece89188b8c1bcb2ad6825d865b375a9b9056b743dac720feeac033c9f757f6fe73dd7c4a747661b64cf490a0dd43b547cd791a5d78dac97efcd355f7ebac248fa2a33e4fad640dc34e0d40b0d36588aa32f0864c9446739a6b44ff84666d723bd7d646c5172cda932fec34ddaaba342b02a9604087ef042a2be4774194b5d32cb3fb112438fbf2801050b5424635fa2d3d3fb10332965c73e6669e65195310a3a30602640e9809179cdfc50de585aa1c0072423c626815d281a06eac3b6ffa137716318e288e3f9970e415ef0451bdc557968febf9eb6772c1f77cb8e95701246d9c567048142bb25e340351b87d7391822d9ee7fe51378bc0d08135f9f39cf44b348b87937939dc61f430dfe308cada632722e23aed5a0699e039cf0563ab8025163744b136a13ce3c62c748c89f5e17540f105e7c6ec9ba13515b504342f9e6dc7d65b9a633d8c0b5c9fa858dbb9b3a594406d478a81bb9abfa289730408c1e303c663a61d5caca00f615065312580042862397b9aa8c80ca812887664c439c8c68"
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 128 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"e63c2cb1a2c1282d473b66753494a591":"084532f86949dfb7be2cdf09d2b7505418e7bca5185661e1":"a26e8ee007ab90f599a1bc31cdabd5fe":0
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 256 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"83da6e02404d5abfd47d15da591840e2":"3f4cbf3a98029243da87a756b3c52553f91366f4ff4b103b2c73e68aa8ca81f01ebda35d718741ac":"67dfd627346ebd217849a5ba5bca6e9ce07a7747bed1ba119ec01503202a075a":0
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 192 count 7
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"e5c2fc20f9263da4f15b817874dd987d":"0538fdca42f1fd72afadbe689fa8a396996d734e4f082c8c4ef41ef11dc6246e":"35a261169f240dffe4701ce41f6dff986764afa6e84f63c9":0
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 320 count 8
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"3f5501341f617cae30dd0afbfa247c09":"72fcc9e5942344d11c3b23503b170e39cd635da3a83aa9ffb196cfb1d6eeae6dc5f5683238da6e9b49edbf95819bbbdf":"e2a34da9ea2ad66e130251f8a7798b87d7bd7601abc5ae8f7305b024ddb4b3e00351484165e16d25":0
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"adf44a10a05e64f2df87db52f3ae18d3":"a940cfea67b90c81b4ccd793f186dd7c6a3c0ff5a6feb5bbef99eaae2b14a979f1acee92b5e4cd750f40571804d380f470e1f5201a389476f97bf29f6699053f468bf102975895f4c1a679a46cf627b22c8d956679ce53775702899afa223c87621f859dccb876d317f2a486d0a4d4ad6ab7e2d9ebf7a956c394ffcff423377e21b274f8ca3a379273dc8de738c97bfd318871330abfe2539a49d4f03d0eef65856c01ebd426f2e76fab90466acbed8c4c9dc09898929d80244eed4fd51e7eff567c2b340e928f298ec00cc8839e1ce9ccdff40a7edd04e01440f2288c384c673de8a758ba50f6f910b8002e0786d2eb633da0ef7eff025f37b45f7c9b918863a56e2da1f3fcd12b990f959051289a1113054c38c135336f19672c86a51200763678cc4ef50ed290d96fec4afaa53af165aa7ebc11d787ab1c535a0abd00b477b914855759477df2afd516a85a66f8b91fb5f5e98232e601e249b3faa856bc6b26f1945f48542601bb4ff1c0dc46f44ae023c0a33ec9faa7467b1cdf1c08df7d00b800ef28e2f77f1e6941db9ce8e71fcf82a14cc8983614e2ce3cb4b3e976a8dec76e4309492ca68486d119cd566b9692d1a513ff30675737d1777a3a1a95b6588685b5a64d890cb8f79578fae8f1d22b83747bf876da582e56e5267ee8e734e0fa9271f5455c40fd599082c0acb442927643aeefffa5bca0a88c38671db14899adbb4819dd1e2d":"a2b43c25c5f530a6a29c5314319bee95e0ad5a630aa8dd614b3751205118e35117c31de7d1ac41f9d782ae8456ef0387cff49eecfbcedf2d9c0b18182f5e043e3202c527be77e6f0404a9746ea1b18978a916cd47d40093813a3b0ba1cb22280fd7f00a7fb4f8def6a0cc1ef848a45106fc389e0ea00652151b1e61dff2cf2be83fccfbccd4fdce86f19859ac927a3dd08645cf072c3525624b3845a532e5a37d99db5cc943a0a9d42be4bc81134f314fd9e22ebd386e7a896bc2d56c933326edb18120c072579989c5bbb1991993a698f2a19387612b25a303e699d12003072fbea6e45569444107ff9a17675f5454440a6c3cc02c1ba513e26502b74a0cb6d397ff6d7d11877100fbfb5370fd882892ba09635fa3fa78d5344fa00008f488395f04a7185ec7819dbf3b165ee52b35bb4ebd10354f2d85514b2fdc1f825a4a2968ba44b3ff2812d1acc13c24ac49c22343b6080f2a7e7efafe86c6435195cb742c35d8178fe20ede0ca08278db49faeca90f95b9b17fc1ffb9d7b1d064f2266d32bbb6f3e28f3b17deeb9faa64f7c127c90241579399294eaf1dac93346943a3cadfd84d7cae1aec66877e892cfa31b5ae35eaf7c35faa6f4cd9212ef7cb2cf9df5748ed8194c380c3298734e1ccb87d0feaf49be1d275142f8421727b5a6c3415fb30ca44ab598597d136bd6d12435ae6ec3db72f6b85462878d833dfe5e6f":0
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 128 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"5d4899ee66beff1bda1fc717a1ad4c50":"bb7fd0bce778bd775e4e88d904d26a7134364c53a6c493a0":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 256 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"84bc6ce7ee4fd9db512536669d0686da":"c383db930ffd02c0073ac2cc79ec289e6866bdcc6a135a3b776aa42f14ee04f9cca06ed6c0b22901":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 192 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"266b009e911bb55f9aa0661539a6fdd5":"db9c94e7236ec56982d7ddeb9427c24580bc1fb96db98ab19340e03670045b7a":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 320 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"51c2e3d090a74bfa10db090b63ae53aa":"598a16c226e6c848a78ca30fa514edc9467f704b529c02c5522d1890b4dc21588ed6c3b070ed952adc733d865eb9d468":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-128 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 4
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"6a7814a80acae9d03eda69cad200ffe5":"e1ebfaad7f6d46cd03c50ce4e9543ff01150e9a9a69c4bc8198fc08601ed71203e39375d600f69fd762b196bf50a7dee2be55574196005c8ad53234d789a9fa6f2f0eb7d7b53c7e39a7c70e9ef93c58bcd45c0f592fbcda19b5ea9a118bc2a0d49c8cf367d4c90823eafab86165db3aaa22eee9323de7d23b7729f7f088be9db421fc8256c20e5874bd0c8348c4a6e50436fc94136e568d0aa4c29d7b65136bb378ef010db091085c9c0802466d565eace2c0bd91648fa82f8045c57cc25c46bd8c9e4060ceb00e092f7beeaece1d4f8a2a01b5b1dc9de3c7d2ada7a44d4600085b7e76929198b9823b5ae0f74c652fb8793cae7c16cf062f39136789b213d1d500d560bda89bfc0df0e6bcb07fb4a48914e1af9058b73751aa4d98ef0363e48f9d1ed42230eca1b7b24631cbad80b2d4bfbc00ad1ab797c1c459214be8f64470b4d267ab576fc1d3c86a42610b8282437dc071336c325e606c2d36de1b24595f4888cfb2ddffb46557c964a4ac53ccc1d214d44ac84b8322c93db03bdf2a04b303de4f8482b8e7ee25030aa5ad8a8bfc5dd683726a0286486356f5a965599313a2c39034774ebf646fa7ccbda35316c54d443c6da466d9c95d716016326603c3989bd7545e3506333ab3e2ad7b45b225bc43ecb37e4c301b389e06b95f09b1a10beb5fd5320234fd6d488d5691ae2e078630f9f57dd0870cd617c30bd67ac8dbf4b3a8cf61067f7":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 128 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"26045402548ee6196fc0a60208ffde21137ddb1c6c5d2ba0":"fcd55c2c60ff6de19ec3e6b13490c2821f0c565abf10be2d":"94b8276743184d086962ce6c4e63bd53":0
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 256 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"b3a0aa60fb14b658e1eb1c1a5a8e1f60307c9b9faa2f1587":"fdeda2a10e51da1817af2ba4c9f200414aec67545f5e71c608e85d14da8c5567bf51dec4ff2d8c05":"65986b3a6a3658a66cb5beb302540bb032b36c76d040b24fe278a1473ad4c32f":0
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 192 count 6
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"f0ee8ab6f804a2629e163b58c1a9e9039b53ac60493df11d":"3593dda0daead2dcf850f8670b7d0692332f57068213a772a8244d058e5634d7":"401df0c06aa4c58a71b9438e11a11a239f577b6037adf350":0
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 320 count 8
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"579e58b2bf9c34c31e8c644faef6b698131624063fb2d795":"b39acd09d9bf9daaa89304f76402065cc3d863e12df8a966f037146db9619e7be5ccbf50206773c5eca35e36492ef4b7":"9c1f66267c2083a42f3da4e754a073c1ff151681e2bc070e6e4682065fd109088a096e72024fdcb0":0
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"366af2c7a1d7a1ee5a7c239fd526024472f674ab039bba25":"36fb77bd3890aa0a4a4d6f65d671156683c48214a327e5b2b0916c0031f9f4f2c643ca721aa22e84853096bcedd7ef57ab2ae05628099bdbb55111358a06c1e99233b94a568a3f59b06d8a64332acf888cb5bd1fe8ed344937137eff629bee3ad57c73344df80b303994889bbfcd0ec08b13b687ec909cc847f383d3ba91d108c84254af4ab4c22df19897fef44b62d88b0c1b269163de9a2db56a26c4dbd0481026d27e5003153eec761f21c02f4d04898dd3ed961ab158e572aaf3b828a30eedf62a8a7b0911eff27db48ce1b7bb79b14ba43d7ecc1f87c82664c99ea857746c99a993db5807f0fb06114c00428b85ddeb9cfb698d282b1d70eb7c17d4d12575e58103ef1ed37c558d7c312f0fb1d72cbadb84561a41e4745492c8b1eea557efb9f1e9664ee995aa82e7f2a1c86dabed0b2fecd9e938c796dbf2f9b4dc269545ece94e354ca3436e4c6936b51cea7abcd2e49fa263f79757c4b5a8d18c2c6a26435fbbaf3fc759bb323ffb962bdd445dc7e5c84f9d98812e7eae254d19a06ea378b1b262daf22b634dc30aaf9d911cfff0905e5e2cfdd7dde4dbca75729bf33ef6d27d5993f19c9a3e60fccf5fa201963cea0e7caec99d79f83435d11e3a90905103c302851c8d33cef77b39c104ad4d8f45abdb111780c46784e6fd6a78e57862350a671ecbf01dd936b8dae4ce4a91d86efad8b04724d7c17a89b1d43d8abd650f88e17f5df1":"40bc409ed0ba1966e733be4b2ff9d23691e6a9f44b0abebe971a47b4ebd51bb13bcf70bc1359f6b5e670be2e6b008ce9d219abd61ad20edd97aff7458b81e6114ea6d9c85a03400477b1a32f09ac5cd1a963731246011ef4908bacdbfae5e5921cba143b9395d17386e924db6ce40361740c6ae5acfdc979d45c8af70b443878adbb04bad439c9937a30bbecfc50b7005782bd01e3a87538220ca149286855129bd189f9bdb55ed1f7ab786f99c289032123c814e683db2f10970db79d2ef87f5a8a2cbbf7b9e2c447cb22d2a9d0f8c2b093a4d8aee57f0b05c2ac4f4ef780bad406b847d3c9d175f659105795236b072e96738043cbb8499292ad45acf7e576d8decdb635aeda6611da6c00a1badc11962dfa0643a83b865099de79416c86448280aad32f6797ef2fd879ba46abf36c9da45da4d0c936f6e25240cf30ffc79647720bf10ee18743f1ee3397dc0ed967445bb7b0df8eff0887d3f84abf20f0b2036837dd0308ed4a01f9d6447a9eccc9c471e75bd32f7d760216c326901ecd8590afcc2e697311e29f9d704dbeec409cc8c7fecc12fcf70cf9f718c12579fd17cef1e6bb44f89ad418005c2629a96275965f08c54a53e31cabcd4fb17021889bdcd4851ad33bb0d5438e55ba3b759dbf3c50fe20e6f3b8f1989f560818db1f2079b91b1e2d8bb22a7523c3137e9a30ab970f6019eca225e4b42bbe061f3b7b43":0
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 128 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"9200a0f688d86c0b6bfd9abeff66341684a373fe3f9a3057":"5c685c8596e374710fe327bafc45cd09190215fdcc03d010":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 256 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"95c9e644559919cace6f93f545dbfe48b130808ed66d0964":"7b8d1307e992221f6ffdcc7909d972d5f02e92187139cfd77f79345cb998bbdbabedb3ac00a6cdc4":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 192 count 7
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"ffdbcbd0abc94c7f15e5b6e8a7190f1ed4f01be11f4f7ccb":"e9ad95c8e9185a001509c50ae0098d45f7032575c7b8fd90a561716d2e5804fb":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 320 count 9
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"253a5cbe79a291c0af1a3d7460e7f284bd672cd026753fc4":"f71014ba711602df5cff2b93e86253775ea308bf83fde65fbc9a9a7852f87357330450072aaa3d6ef8dffbee20d2de7c":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-192 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"ff8666e4e538a6cf0a2a002b63716b06ec5f187785c2fc1b":"f5bfda19b535cf39e240d5b42db06f385fb002be273e46d9e5ceed6be4b5f636031bd0622ea0b3abd0087a7280844ce7260594201214e601ada0f686da6e9b45fedbe36c7d13db025746fa6bba2e540a417a29cdde32f9a7ff56325233bf60929bfd49f80e21acc23f3abf572d81e96b556f6f4f20a7e00c1cacd6fad07df30d40de593c99f73dbd61bf9d9d5269a56006ae85d588324f7e140d9775403af631e695f7856b1bcaa377aa7f4f12c68096a974ef703435102d7110f4eeaca787744c942be1186d132bff2b39f160157617bcead75ae59288880fc0e7db9877d854f553e90e1c917a99b8f357082c50bf3b71cd30d016f164ccb85bff50212bab13cca8dcfff0be984daead905ab13054eb12908a73f37ed42c5638a5a410ba182a2bee2caa84e76af2a715ddd24e837988ec475e506faa130f0241e08d92567a69c9645fc2be3945d65a77387cfa307562c9b6c7055f98956c547ccc109da9277292f47cf43e3cbc0d2e91c916e4fbd70df4a980e9430f5c1c8cfbd6c83f0f756c436bc07e86d5c75aec7e4c039349f71fbb959db709427a33869c523c3486be0095c1fd61ac912cafb9065b94916afd9166d73678ffbcc396a037ebe75e44cd824b2196903950b528f537c8baa70530251bfd8a6f37b202453993534c06aada0d1dbf760879d0898026997f1baf63e343e94ae076da7d41ea325dd23ff2a9cbee74baca05a538543d":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 128 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"e594f0067cedb74e883e7746d29ba725c884c25375323f367cf49d17ad0f567b":"3b51ae2b0e3ddeed94efd7bfdc22630187e1f7624d15ed78":"587e3f6c75644bb5c3db9c74714f5556":0
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 256 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"049c7bcba03e04395c2a22e6a9215cdae0f762b077b1244b443147f5695799fa":"776b1e91e935d1f80a537902186d6b00dfc6afc12000f1bde913df5d67407061db8227fcd08953d4":"e617831c7db8038fda4c59403775c3d435136a566f3509c273e1da1ef9f50aea":0
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 192 count 7
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"e86b9c1f74cc87ab8ca6a2fa1723fef173077e684345b90dacd3d485f587d320":"c97e8c25d498430300982cdcef592e34176e33e45cd59b19f7605f52e3c7b997":"261313cbea4b246e53affe1f84bd4c900c9b1d1842d79337":0
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 320 count 8
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"5b7f48b8ce77007481667e9900f3077a0c9407a70082b0de29bbfbd716a07149":"3ed16c7e4fed98d76092936e94fa5696c787ab63cb764e930fd37f917be4e7e60c90f327f0865d279e6c449b96301ed7":"4e0e6c45137efbf858ce896c815268a10d9869ef5668a90739b7eff99617691fe63b911afa53feca":0
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"9e92fc974e09541e6cdf1415575511436ac04a56db186bc0e60f0fac9bd58c6a":"201010a2a33fac1d20230bf5254204801de29e66cc44eb391b8e77284b3dbcfa3fabbdd4d9423d96af64ee0dde35786d79b7433021da27d6be753f91d2c1d63b40e9dc265b4a27cb2a61018a60ba5e29813c012b6acbf7d7d101ce227e45b5bc8a16c604c83a99ef35aaaa44fcd2033cddb6122db2dfb944d4b5c16dce911c5f4a1d8db46785534e7a090e31fd2192be64fe5b72efaa8b7965552bab4a20c8eac9a9e7b35e77df0277a90b0b1167e14a8be8d0bc37757354eff920ef93ad65c5a49b04bd553883efe9376811986002d4270d25c5749ee1454270a191084fdca53ae693f5a31b13929fbfd68b331a4fdd2259031f812ecf50d042a55fab302375057cb5b36735bcd2d75f745fd4a92580ecfd0fec44313ba9ca8cb1893f7a329638c17608c170de0ef68123c2233fea878fb1b49ec7478d9cf70591101bfd2d6b0328a27f7c497061b79289b6db4e46199c5db8121e9e1adcc8d64c85c27e329883775073d5f61b0bc470169ce8837b61fc23bbbe7e07d265b32cda5a94acea4bb2e52af17e13818a7ea424ca7fae7677caf405f04e37c2cad0c77eadfb4ead593f79ecbd8292e47b7838d775af9d9e252c6ceb147ccc2aadb01f8541871e5080109f9d94afc9103579bc9dbfcff8791d5eaa68521806590eeea74f411731b920a91c4f4542a60e6ffccb1285dd30e74292d5f37f33d4cb74742ac98c7a0475e069828dcd7d8301fc":"4b6f2257197b0692e6026d531bbe2f222a6764fe1cf277b0320a6bdf9efea0a3f304e94fd22372712f751aa377264b1600f3c1e7e0ada846082ab4885a5c9a51b1b25a593a269a7ca1b62a28f1a11b80fde57f0b9c0fc0e38e8edea8a294e18b4b1e0e24a5ae0e9d9fa0d8cf02378e592b322ff04c5a487332b5f58ad3fe9a0c20a205f6872c9e2d0c52c5b29c5c2f008444a3e8400b4822d39f646f9ed390c352615c4cca8cc0099ac1ec23ad7ef581ed33f9fd4a8a58eb240fc79bfc2df7c1606cc52fb97493fa59a0dc8dc01fdd9fc9fb51a2f1e9fd6a89cba67f001d105c456d99c3b1fd68dc9d01b1b8e0e4c2ed4eed63c0110ea6ee96b54eebcd56c5446dda210a9e143366014e72d5e4bf78bacc230641789ae7caa0e37682190d8007aad0a0983e7c970a6feb1112ee5920f628ba03493cc3b340aa9452e6698f818e6e409cd0a7f660094df05646ea0e6c6aa94e933f4fa4feae6207eb473f9d80e335d6020138f1fcd085a336bdea158823cd47079a89ac18bc8541918ccb6bbbe1aab5ba7d9c6b5fc9ba17cae707a556c2bf7d1f991f9a8ebe0f9aa6e395defecbb508cbbf68db8da443ce8fc40149c3c84314986615ca5685e5e2162ebc617929a7e402a6262a28e646d7f503253c30ff2e37ed6580676a9978aa2f5b4fe82e1c2fb83754fa855ee54a61e64a16b64a680732b14671ff55b3f2a6415233206188":0
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 128 count 4
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"08c936b25b567a0aa679c29f201bf8b190327df0c2563e39cee061f149f4d91b":"e227eb8ae9d239ccd8928adec39c28810ca9b3dc1f366444":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 256 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"605b22935f1eee56ba884bc7a869febc159ac306b66fb9767a7cc6ab7068dffa":"6607f5a64c8f9fd96dc6f9f735b06a193762cdbacfc367e410926c1bfe6dd715490adbad5b9697a6":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 192 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"81c93da5baa5157bf700fd38d7d67662670778b690cfbca9fe11e06268b35605":"875e1ca385586f83d1e23e44ca201006df04e1854e41b933fd607a7383ae1a39":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 320 count 4
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"c42c53da9bd5393e63818ecc1336ec6dfcf1d633e51ebb51c68fb0997c979e7a":"52f7b481f72bc2d41edade5388d38c2ff75765939576e49bab400040a14ff488848bef57d1502c06a3faad471f5c3178":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KW unwrap AES-256 CAVS 17.4 PLAINTEXT LENGTH = 4096 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"7b51259246dd7252f6a7215fb11fbeabfabafb0f8856afae525af8feb81d3490":"c625853da9fdb8665264c30539a258ba61da8bbd214f3f493e292f686dce73c003aea5c4070ea94b19e486019b18a2f3f1d836b85414bab14eb99baa283cafffabc8498cf1151489a6a6a0d01e7041633c94f9cc6cc3dfcd661c9c4a0bf77d9be168eec29cb0efef33c74d2dad18ae2ac2b5efb519f4c1f12eaa7a7d7959e7a6dec681e4d1878b20054b7925d2da0b2f8730604445ff3fca3a06285a4a2d86648f10a2bc3cd422646f70224ec9025e7ce701c8b521c0392fd7d2ac883f2a37bb7e4d53a92a620e65e090b91dbcdd616a13b3948eb1b5a6b1bde80f03dad61aba3223fd91ca3df68b0749fd049813a7ab0268445793b16677bc1af00f877097cb14798777ac817d0df82507aec246f755ddf95b19bb56ef9f2e730bcf2863648d8b164656df37977d54eaf05063b0ee8ba61c2a2ba7dda8fae337d5f6ba965d9e643b4534ed9f4eea7b2b26680fff50260e245fa0d63139b40e2f152da3a976589e957be22cb0885cd582aa9468b08f08a22b486767a6b99c1778ecbd763ebfe2bd83c6191f4e8a84972e4920452b2b2dd28be5d7bda05dc3422419793ca8c26defd3b42b2cc99bbad98e7461f034abf137d7b3166c94e20bdba091653c6a17ccc4faf86a7ba6d2abc0ecada9103e73d9ee4659b6e991a1a209d2ebd96c24759c69ad13a03431ddc05abc20dc8581b1e526f4d98f6352ca4c77f5479db234125fa585ba275fbcbdbf":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 8 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"20501013aa1578ab32704a4287029098":"382179a39d75756f57763486d038b50f":"14":0
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 64 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"a099fff482dbaeb53aad84f81b916da0":"b831c7137facaed059cbf268767e230f":"0d24299443bcc444":0
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 72 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"4d49e260348172c38a79eb925b189b12":"54755a93ff5173aec60d1eaa8fd7d4090f00f638c2831aa9":"2bbe64479da7c45976":0
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 248 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"6a5a5ac4ccedf055d7562ac58ee7819c":"46904a5583e8a22f4b2f5aa8d071f5cbfc938130f1b33f2e6401aee7cccdef2159a89c9b682cfaf4":"33ac6837955300e569b29958985cdbd434c18208779a949d20b110b0b719e1":0
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"1dd51f0d3a0a784174ba81b2c9f89005":"e1bde6d2df3b8e48ca127f97b56b5dc2672b3736cc3157c7b80a0316ef1efbdbbce19fea23da831836ccd2e002b2c1dfad206b5cec358446b8434d7f4c39e65b0e0b50897642ffc34bfb3cb3e233aa9c1058ff0d4fd48e98bc8cc3d214c06d514dd97db2278093a308f91f4ae92626d85771fb1447b36a3467fff02ac7e81ddbd0fdbcd02d1acd4f053c989ef3dcc2c01e23bc2f6090f3e8c0ba5f0082341200b1c37b99daa9cb6fec78bce3429aec5badb9fd28fdbdbdc5d53570675a9e39535b4594095658ef950ecd79a162223b60d2eb91765e022dc6e1bbdd86f1bcc280ed9df350da08a801fa16a1bf2701947acfb08f19fdfcaa1d76f466a5de2458a78fb82f6af3e1be68f405a4289f25896f4c9830005c9e895c86e67eceab0ad544856071b8d9585835b5e85a07ab01515f7ab54f98dffb4ca49a15068eefc6a01f7f52fd1adbe3631c59f6f43f79d2b4f2a691e2b30bb1d43a848dc3ee39c7f2e50f0c9deb7ab51e33bf40903ac255bb1510fd61676a6c13c3c776b8aacc6cefb95e24973ebb11192e2692dd0c6a085b58f86e11cc28ee2194988c123e3666da7339c0a4ac6afbacc83f1f100fbb39efff7cc605c9213828224a17c476395aeb9bb0a3150fb8889a8c2a494c8c526203f261642bfa69a94b86de9e6d3d932fe20fffe4bd76d502c0d437a3e1d0d8727b7a8dc0e361967109e93566326b6c517663731c4c9bdd0295d8":"1a4eed4bf5b8d2e2a58f1f1277f164cc32cdadaed848f76fe634034082ff9aa1711870bf3936d01a2aa48de30de5143b9148cf56f4490f9d480dda0b672e8e17a012cd26cec3c68837bd5b2f9beb13e0110f21c6c36343e09e027f39557d1596d4ca406e3e7aa113e9bb8623106bae25f0ea23d46bc29970ba2596f83fe4f73a6f978a4d949fa7c271570a2ae5d2b50792d5ab5c43d455f359fb83c35ca3da37cd73cd66b6adce94d78ecdeabf667daa47ea70799af299e1d898ccf3fca6c42c6fff8cf2ec992f596fed4a0cdb502a00f9b5689302931d15cba691e2f8079a0411332438b714ace5234b91e4aebee8f8dda0e1968c2016fed350430a65d8d206c9436f40b79ce03083b8dc207d6960be1ce97007ed22a388ebb7b3d8f7d2b7d9f8f49731fbcb21e21db0cdd15674c795d5af2b2cd727f83e634e8c47157ed0c6873a5c9419e683f16f4a7827b444967812f9d1adb9201b89a0e66bbcf0591465f5d7036a21cdda0e10099feb819dfc37fdd3105120044dab716882d3971f312e3f4459006fd5a1eab08ff63edf6718f47ddaa37f7f40c9c372995f3aec97bc45e287b64fc8cf5559ab04a4d4d3ed482f5d61d3abd99cc87ee406da3ab9c9cd22ba3b8d191b26754aa94a2412f39e332d77fe72210adb0cbb5c96adebdbde036f1f1aaafad74a7ac2594f81efa734054e2e16dc931d49b970b81756862705fcd4":0
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 8 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"30be7ff51227f0eef786cb7be2482510":"7f61a0a8b2fe7803f2947d233ec3a255":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 64 count 7
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"9ad15907cd05d77b844816b1dd806c92":"7aa0e5d322363afbdd71b531e50d4935":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 72 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"2005cbe9cc66a35cafdff1af119ae6ce":"60f9c736ec3619efdcc7cccc6b90ae5cdb8bb9eceea5dd96":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 248 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"2c3b49efbf60ed01a3ef27ee24ac90b0":"5fa5a87bec09a3e05864656f8966cd38e1c4af48a06b1dab4ec9cca35dd0f92b54015fe5332bdef9":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-128 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"4b4c43c9de4fb4a2a7a7adafeabe2dbd":"6e4d08b8124f7d3e23303fac1a842014f95e3d71c438f8f1990307842796dc5e404ad81802e35c183fe000390a12c81ee684c5cf26c1d90e414cfffe6931b0f352936fcf0b31429eb5c7612cc359a15371390e518cf5c6a6bff1bb0348d14e2c39b98c9f30672ed2af1d96296df8b5567db25b9510a2083461810e119735490058ed1b46b7fdfa885041d8749f90a072b43ba49f2f51fbcda0dbf3cf99fca1d8f46330e5f6fe079d6679cfa26214c8831b782aaa023a2e0ea91050d277dab876aa6865f2bb3fc1a4a77db52f6179d5e5325993280948b6b7002b572829641d35ed3d735d8423e5b24673c4570ca25064fc2c2ad4840632536bcfaf2a7a814f3eaed92b4d501bc51c1719a0d8d8f420b66db845682bb41c88038cfedf13417143a3a701b521a9bf0bb639875a728c3b5ce6ca7e7a45bc75285c193902e6b5e7a4c6e720493d3937bf485e587bff894f70fd6165a1d0129cc673a992e0a4f5489d228a066b1df60002ec0521924f8d672cd1452fec927e58e75807b2a390256f920743fa4d0fc8f59f2469a595ef65095ca0c80adfc843e9e69b6d4a3f824af47b2bfbf2a7a6c1b650378f096f6f0bfabc752c8f279d4f45d56d09dce97962c119de3a64d83b93ea55066f24d4238a229ae86e6a7857af1d8aba823370a72fe358046049a84a70213ef31d9e77a722def8e21480e79b71299438070946bd459a7251707446c911e381":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 8 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"716da5cce5877d8f305b5478d671f6c73eb1bff4de15df07":"dbd5247ad2445575cafb00ee7707c218":"bf":0
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 64 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"b94bc10b85a8c2f74a66fa723a25ea1b398a4f627efe1ce0":"18eef64a022b2c7db27648cbb5f1d5e6":"19c0f2f78606fae7":0
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 72 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"f61cde8e515d59a8ca95efb1a98ed4216c4a9649151babf2":"83fce85e9bfc6ed784b052472e5780fee662f17a91faf1a9":"1c6883862ede37b31b":0
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 248 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"1c883af75147bae6f34205cd656ad30ec97e617456591ce6":"f24f6747711cf72fab0422026c6d548ccdba786d77ab900ac3fb8f39f116d38e92c82d5fd9a045dd":"bdd793f086d8733f69055bd79bbc448be857286e918fd4c54be4acf4eca5e4":0
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"1b38d4b366f844e71a8db6be2b77a05a9e81720d2d3f31ee":"62ddc158ecb048250bde439dc7aad34dbe7667d330a349026266c24cee9742953b623d1e247e501641b45b60cfbab665e68040ce06ebce478d9d77f5f344943a1edb14f0d9f165ecfe407031707961fedcd016559228bff5761cd6542944a5d86f9acf4e0a4114682c2312b8d4e8285d3efe1a7c1526642c73c332a9e484377a1c86714e3cb687781928c8a5fe28b4aa74e79f53ecd00793e00041b39b172e5fedef3d4164dcc6b2d2e47994e73f2ab048a4adb8cd94fcd7767314ae40f8cdbef2b26d25f74277a2f88f1de56342a0ec97fde4df2d052e6ebc62622f65725d845f670a647808666c7325725a3428e26fefe725c2badb8a8b8f04e30456bd1fd39fd0f7c782b7a2bc9d8c53922a54c5f103551271af6d7243133b96cd1c108811e4beb9a56472c1f9823a1e88832c5505e07cb93b9041f4b8d69cd27403680a18bb3848c269babbc52aaf568ee8245f4f72e177257103dd4bdffeee9b48e0660d6c2f4dfdce52462d0ed5cc5114dc0aa5a35601c9a644a1fdd3c57c3153e65a108eb94eea3bc9979a67a2f569eb7398a4bd24547c15faa361bb2950a379a1cad1737f56e7c210652aaea7581f39f07ee09a101fde8c34c3cfc404f2b8f682735fc4c721eceb4bd2295d8a74ee3cb858329509eba9049e7e791e04d8452b50c6e6225b94a8cc10ec1d262588fd2f05eee08113414e770c83caa84d310559286c393799117c177089a2":"b1c88d3e5648218ee085abcfcaf7f362f33e4d6de363cb84182af9f18a31475f0e14ae8eff76ca67455726392a110ca262b90d040abf49beb036db096be053d493787a67e983b63945277044acf648172c75b38d7f81dcd58e3bbcecb963dc95863877784ac04eba83481152c30b1ca9e9b78fe537deee6c95933e1b5fb414cfaf7ca1dbbae8b114f0538f4cbf433ef214b776faec9ce1d29f680f4c88ff7b9ba0e964898dd253f5f82ec9f25663ece9dbff5e284f63b0e0fd07fb13b41aa8359f1ba1666bcb26e65d28b1f899952beb28b8f902f048e31efb6ab4817cafc6d84c7f4676b50936715667a67df7ca965b3ab2a5fc472375b1446c810242eb1cb78b9ac496ed4715e0f89a4e1ae0e2724edd59c954f54196ab55ac1947528fa14e716b7707aeb023bd0a2242da7ac97f3feb7795d9be05cd5b1cc33095599ab4c4d8d583c9e2a4d4ed12b836722370569737fae2d6fa60c8a5b8a80fd71129fe29395746eb746528a8845c5a9d50e7bc4372e7f3f9c6333feec791529a6ae1bc0f620feb604f56969e4ea3445810c72dd0772856feb58f09796f461f7ab1b454c303c810eec7526aeb397520b6114f57a4d906e974e8d4a910afafbb0f030b18887b951052d18578022cb7e33408578cdca34f32012f62d3dd35cb74e9d0fecac52231c5cf5a34d470d3b5413644c4e2af1f1613093a3b0550f8df26d033a35b9b":0
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 8 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"df8f5124b1e03228f2b96f0df31924bac1d3b5d094da22e6":"230bb26c1ea9d5c8fcf7c122ea994f41":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 64 count 7
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"94c8dae772a43b5e00468e0947699b239dfe30ab5f90e2f6":"239c6bceee3583fe7825011e02f01cc0":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 72 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"d81b7162dc6e9e18bea6e258bddb53a1c9f22a4a7177d9dd":"4f3a2b7b229a665776f9cfa42e0c2a615a81f69cc0f0f465":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 248 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"688833d56cf1a0f492bf1f7e35c2fa6299a2b1b5ca2a2823":"4b7c17d7a7189e7955c03abb0ca95fc0c780953787972097ae596d46fe2a8cd75995e6309780ae5f":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-192 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"4b0faa630930b0ff8e624aeb4ddfa018a858cfa653132675":"1640db081e87ef7797a9f17509f5bc67d40beaef096131748f413cac3d2500462b61140b31bc3965958af51351903549e4a71db589a6bc67d72ec33b8605a25a539a2043704389e3e0781152dffa9b64d6ec186ed144847434345e6dccefbe26626eebc4c22e3957b2145c46fa11d7819d4195cb43a9db8d2de507c023607548b56a07628ce4c706939fde1bdef8364b2b8fb7db30fc5c8e99f29876130d9f71a8486d99f2c7fc09f646918d4c60e53c7b9f9a8a1e9a023d70448f6b79c3f35cc6b9ace0535147f7f27be66d918895b9106cc83eda1aacdc2bfb7daa75b2867ae63109ecbf9423526511c64c4261e395d9b5a68dd2503ada57cf1b8a18336b8d63d248ec4dedb6e30662336546c86ef83b53504bc3bedd85a027b6b9f0323bd9380d9ba696b77072d98f96b77f9b3ad9e219715122b2dd033529eaf7ecced8be6d1e6467b8e4a61105be9b7a7ce208b6dd6bd34481f80b3bf534fb87904d45986931a088480a8040047c681dc4e8ec1c625a5449d9ab28709d04989c4b1a4ef0f1e379d37fe6f0641b9e705207e9a0652463cd5da71cd50321116d4ff1cbae08063df336482eadc0d117bf119e01f2577afe182e7fa477ec53b754e347a2c742960b9bd355f969e6ae1df2210e75bb44c598b683dd4c8692f4cd1b92125ac9ed10ec4cef6289d3f815cb894e74dff0bb72d51c43cb420d74a31c681c10ad7f9258d77f1f186c926a":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 8 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"da862b25a629d328cf9fac7be0d6ead1cb2404e9bab87a2381a46eb1a81187c5":"5e01a2b9b8413f303a3578d2cc255fda":"d4":0
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 64 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"362586d516d38e4d58b50a441443e75064cf6d6cdb6420862932ba7b0480b0fd":"ea7ee0f5af3a271a9777838ed13c61af":"f1b92d0db744bfee":0
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 72 count 1
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"0e6d542f960c7e61ca190d7fd719fda157030a0a013164613a8c522b52ae685d":"b5cae8a82095abb3478ab167dbc0201d2f4dfc5f81bbe44e":"a957eb4ea02e68ba8b":0
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 248 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"0445b86d13b7b76c0089a63dec70c32fded9607af63714b7c3cc724f49c1c6e2":"7f63167976e71e43b7b135c8cd12148f826f56e73f6fb6e7f6cefa23c34302ff374d44dd66b6bb01":"7af8c3b32e61f8b5c027383a273927b8fd09b75692bd0b713ec8ecec0bdd2c":0
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"08f5c088acec18e6cf1f03a8f85d772e327e7fb07f8c2939eb554e84c42ab93d":"dff30fd43647d4be54cf2dfd6187e2ddffb55267313f980fb09c833a9c2bfa558a95861711f0acb2a5c7e731ba22f24a9c4dfdd9e9b0216e9088f817a175b9835b0e17615687a20f68c067205626494cd04fbabc0b3eea7c0a4cd6236bc8b3e52e721dfc357fb8a3722bfcc4c690d8f63dbb864bb6e3a15805aea7270f8eb748deebaa2d066fcda11c2e67221f9a91d2c29a6c79ffae76aa80a2590b4f9e35f623fbf2f8ceb2a205493077556a186e25e5bd52dcff7bcc6909b37a66c1d1431be1b363bb40da25386eaaf5fcabc7be6422a04434a21d1d3105328e7c56770b9f59b03395e4138f5f06fc7e6b80dab87b08caa7bfffc45a095c15263efd3f06c651ded6f58074efc20620d704997fc84721a0a8e9e5b9f5cd330bbb156b31d9d1b1c260e4a24535f30404dc5b2dd6b35d916a1391b25a7d8790be09d85483ed1522074a2785812005bda10dd55acb245b3bd3d9bb777dd23f9b02538ba1a114ba53386d7ca4d9524b2f8a18e0ffb21580b560540bb2146f08f04974b90eb324547d56222df95f44bc6e5f183bef283e4816fb1b2933f9c7c6726a245a495e304d8318d0008c51b0be8090f8f668fbc3f31e073be4b9e97468f4dd8c798e9d682868df493db8a85738b58cfd005190f365849072577772672c6f82555c65046eb34e86fe61103327a063bacbbe33cea7eaa3d1de45471b7269e1b6b38608626e323447a3d5fe0599a6":"8b68f66a3d2f59d419851b94d9a6f2f0e667f8125e11d463a6bc2cea46b12dcc40ce8018b204972c735fdd6d2d05b628f4905c6690f5ac5b1b51e12f3af2dc3ae9b9dab616f0a2a66a1ac197592fd5b15900547f32f54110b58d51a0340aa80e9eeb7b2e0eb97e80aa22ba918f2fe1c678c730ed5c3d8d24774f17d8ab6e01a06243d36e764df1dbb8af1faadbc55281f0242abd7a162c984fd0b05ab8b0bcaedffb2962024f009a8d7c9e71281c09f52ec0707ee3bbeb1ecb918be6ae3e9c1fabbcd3512af928db3ba6c109ff9e9839a616b2a53f092160a48222b84d53cd52490515ef93e1ebb33897263492ab8ec6fad2e633276ae367f76d7f926309478c0205d4f22506a451795dc98f5410d8f5d3e049cbedf381620861e7b4ae08f2d8a71abc1f230248cb636a2d7b4e7717ab2b7b5f2dc6e5b5a18e8043254208b50fd6f8929eaf974c48551233661ad67321b64d69245d536d9a8ca2a6a10966dddb9d2ce36641c9281c460ae524b077867258f638e6ac872cb5f5c6fb216b1ae60a9d0c5ea0dbcd060f255da26111175af4e9935df59ddade6a2a70cddff8cae6a98e4f3843c2dd59d09053b07b648a46f5de0eb21ebb192828279a386ea3eedf2cdc355d73d51111e8c1d522e059752bc56226a4225bcab713bfaaaec78167d7cfd33e913b26fda93ca7524aa8a8b17977c88ff9bc23ea810b4de59eac18d1523b":0
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 8 count 5
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"5fc3ef43eef256993fb00e6ccc90f60319f10a3bc9fe5ca4ec876c165e2a7720":"f3d922a948969acca293bc3daa027e48":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 64 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"398444df32841be9e699c64faa92630c834564b8384876dceb471c4056fc8299":"30032c9a3ed00d29512d8c725fa86a4b":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 72 count 0
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"64b69233fe392c0bcda28a931cc3527b1a8f29235c1adf6256556c685cb89b9f":"6b5fd75ad16eda04a8b29f1bc0411ae28befbad9e474f2d8":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 248 count 2
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"8c35fb77766d04f48d5b52275c5c5f31f568078419e5c2335918965fbe53cedd":"bacccb1714dbaa4908c2654aa8dbb1ddbddd8ab819429b026619fb1c0fa75a8247372b2feeab1e1d":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+NIST KWP unwrap AES-256 CAVS 21.4 PLAINTEXT LENGTH = 4096 count 3
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"1726706350c11e6883955f24ea11ab247ce3b2ab54d05e67ad9770b5564483dd":"b006f26a67d0e1e2cbeb5c23b6b300adc1526d1f17bbe964fe8237ae244878158e6b04cb488786b5258ac973c3a2eafd7fcf3a7ca6c825155659fbc53d112bc78b3a770cf059fdd5e68f2b4bfa36de3721231102e5041c947fba3d906bff39592ec3901a398da23035f1190e99b58659330cc2e856ee87ad4197dcc7d16e1f062275bced1ed5cd82163ae3e58da7368dc2aadac855385bd4fa0b8baadef608d0a5c27172d12b88c70b136eeccf37f36364361a990dc50815743cab1636e661bff04ca8345520c30b935a060b450526b1d6ac09170e5b0a327b88f42327b85c9a621d2ca745963c2815a2bfcf509d50b6058ed6e67f369b5608d2aa885238b67d1b8e0d83f9464aa473bf109350fcc02e360c2619236cbfbf895b607895530d8d3d2e41450750dad05b1c37ef15db7fb4707597ac252e8e58d4c1ab2713b427643d198164c908b5d8ff36e9700157284009c7b283633d8b27b378bb65eff8aa59b5fe5e6437a1d53a99c106c2c4d033d3d23950e313a10eb31d68524ae9f8e4f56437acf66db3e8f77407a15bbff4b393e5559908993146d93c673d2aeb7d4cb8fc8d0169de7ed6e2bbe6ce9958a0f5d201419e7acb17e47da827ba380d6b3ad3b5a8c2101c5fb501110c727169065f23297947f538ab3ec165d61edc1f6a9e1735e9b7fc06d4d3406cf8f9c6a68b196cf262324a986705fbc802cdd2e6b4ebcf68e6bb9e793ae644":"":MBEDTLS_ERR_CIPHER_AUTH_FAILED
+
+KW AES-128 wrap rfc 3394
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"000102030405060708090A0B0C0D0E0F":"00112233445566778899AABBCCDDEEFF":"1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5"
+
+KW AES-192 wrap rfc 3394
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"000102030405060708090A0B0C0D0E0F1011121314151617":"00112233445566778899AABBCCDDEEFF":"96778B25AE6CA435F92B5B97C050AED2468AB8A17AD84E5D"
+
+KW AES-256 wrap rfc 3394
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F":"00112233445566778899AABBCCDDEEFF":"64E8C3F9CE0F5BA263E9777905818A2A93C8191E7D6E8AE7"
+
+KW AES-128 unwrap rfc 3394
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"000102030405060708090A0B0C0D0E0F":"1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5":"00112233445566778899AABBCCDDEEFF":0
+
+KW AES-192 unwrap rfc 3394
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"000102030405060708090A0B0C0D0E0F1011121314151617":"031D33264E15D33268F24EC260743EDCE1C6C7DDEE725A936BA814915C6762D2":"00112233445566778899AABBCCDDEEFF0001020304050607":0
+
+KW AES-256 unwrap rfc 3394
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_unwrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KW:"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F":"A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1":"00112233445566778899AABBCCDDEEFF0001020304050607":0
+
+KWP AES-192 wrap rfc 5649
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8":"c37b7e6492584340bed12207808941155068f738":"138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a"
+
+KWP AES-192 wrap rfc 5649
+depends_on:MBEDTLS_AES_C
+mbedtls_nist_kw_wrap:MBEDTLS_CIPHER_ID_AES:MBEDTLS_KW_MODE_KWP:"5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8":"466f7250617369":"afbeb0f07dfbf5419200f2ccb50bb24f"
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_nist_kw.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_nist_kw.function
new file mode 100644
index 0000000000..ae3ef80623
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_nist_kw.function
@@ -0,0 +1,347 @@
+/* BEGIN_HEADER */
+#include "mbedtls/nist_kw.h"
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_NIST_KW_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST:MBEDTLS_AES_C */
+void mbedtls_nist_kw_self_test( )
+{
+    TEST_ASSERT( mbedtls_nist_kw_self_test( 1 ) == 0 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_AES_C */
+void mbedtls_nist_kw_mix_contexts( )
+{
+    mbedtls_nist_kw_context ctx1, ctx2;
+    unsigned char key[16];
+    unsigned char plaintext[32];
+    unsigned char ciphertext1[40];
+    unsigned char ciphertext2[40];
+    size_t output_len, i;
+
+    memset( plaintext, 0, sizeof( plaintext ) );
+    memset( ciphertext1, 0, sizeof( ciphertext1 ) );
+    memset( ciphertext2, 0, sizeof( ciphertext2 ) );
+    memset( key, 0, sizeof( key ) );
+
+    /*
+     * 1. Check wrap and unwrap with two seperate contexts
+     */
+    mbedtls_nist_kw_init( &ctx1 );
+    mbedtls_nist_kw_init( &ctx2 );
+
+    TEST_ASSERT( mbedtls_nist_kw_setkey( &ctx1,
+                                         MBEDTLS_CIPHER_ID_AES,
+                                         key, sizeof( key ) * 8,
+                                         1 ) == 0 );
+
+    TEST_ASSERT( mbedtls_nist_kw_wrap( &ctx1, MBEDTLS_KW_MODE_KW,
+                                       plaintext, sizeof( plaintext ),
+                                       ciphertext1, &output_len,
+                                       sizeof( ciphertext1 ) ) == 0 );
+    TEST_ASSERT( output_len == sizeof( ciphertext1 ) );
+
+    TEST_ASSERT( mbedtls_nist_kw_setkey( &ctx2,
+                                         MBEDTLS_CIPHER_ID_AES,
+                                         key, sizeof( key ) * 8,
+                                         0 ) == 0 );
+
+    TEST_ASSERT( mbedtls_nist_kw_unwrap( &ctx2, MBEDTLS_KW_MODE_KW,
+                                         ciphertext1, output_len,
+                                         plaintext, &output_len,
+                                         sizeof( plaintext ) ) == 0 );
+
+    TEST_ASSERT( output_len == sizeof( plaintext ) );
+    for( i = 0; i < sizeof( plaintext ); i++ )
+    {
+        TEST_ASSERT( plaintext[i] == 0 );
+    }
+    mbedtls_nist_kw_free( &ctx1 );
+    mbedtls_nist_kw_free( &ctx2 );
+
+    /*
+     * 2. Check wrapping with two modes, on same context
+     */
+    mbedtls_nist_kw_init( &ctx1 );
+    mbedtls_nist_kw_init( &ctx2 );
+    output_len = sizeof( ciphertext1 );
+
+    TEST_ASSERT( mbedtls_nist_kw_setkey( &ctx1,
+                                         MBEDTLS_CIPHER_ID_AES,
+                                         key, sizeof( key ) * 8,
+                                         1 ) == 0 );
+
+    TEST_ASSERT( mbedtls_nist_kw_wrap( &ctx1, MBEDTLS_KW_MODE_KW,
+                                       plaintext, sizeof( plaintext ),
+                                       ciphertext1, &output_len,
+                                       sizeof( ciphertext1 ) ) == 0 );
+    TEST_ASSERT( output_len == sizeof( ciphertext1 ) );
+
+    TEST_ASSERT( mbedtls_nist_kw_wrap( &ctx1, MBEDTLS_KW_MODE_KWP,
+                                       plaintext, sizeof( plaintext ),
+                                       ciphertext2, &output_len,
+                                       sizeof( ciphertext2 ) ) == 0 );
+
+    TEST_ASSERT( output_len == sizeof( ciphertext2 ) );
+
+    TEST_ASSERT( mbedtls_nist_kw_setkey( &ctx2,
+                                         MBEDTLS_CIPHER_ID_AES,
+                                         key, sizeof( key ) * 8,
+                                         0 ) == 0 );
+
+    TEST_ASSERT( mbedtls_nist_kw_unwrap( &ctx2, MBEDTLS_KW_MODE_KW,
+                                         ciphertext1, sizeof( ciphertext1 ),
+                                         plaintext, &output_len,
+                                         sizeof( plaintext ) ) == 0 );
+
+    TEST_ASSERT( output_len == sizeof( plaintext ) );
+
+    for( i = 0; i < sizeof( plaintext ); i++ )
+    {
+        TEST_ASSERT( plaintext[i] == 0 );
+    }
+
+    TEST_ASSERT( mbedtls_nist_kw_unwrap( &ctx2, MBEDTLS_KW_MODE_KWP,
+                                         ciphertext2, sizeof( ciphertext2 ),
+                                         plaintext, &output_len,
+                                         sizeof( plaintext ) ) == 0 );
+
+    TEST_ASSERT( output_len == sizeof( plaintext ) );
+
+    for( i = 0; i < sizeof( plaintext ); i++ )
+    {
+        TEST_ASSERT( plaintext[i] == 0 );
+    }
+
+exit:
+    mbedtls_nist_kw_free( &ctx1 );
+    mbedtls_nist_kw_free( &ctx2 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mbedtls_nist_kw_setkey( int cipher_id, int key_size,
+                             int is_wrap, int result )
+{
+    mbedtls_nist_kw_context ctx;
+    unsigned char key[32];
+    int ret;
+
+    mbedtls_nist_kw_init( &ctx );
+
+    memset( key, 0x2A, sizeof( key ) );
+    TEST_ASSERT( (unsigned) key_size <= 8 * sizeof( key ) );
+
+    ret = mbedtls_nist_kw_setkey( &ctx, cipher_id, key, key_size, is_wrap );
+    TEST_ASSERT( ret == result );
+
+exit:
+    mbedtls_nist_kw_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_AES_C */
+void nist_kw_plaintext_lengths( int in_len, int out_len, int mode, int res )
+{
+    mbedtls_nist_kw_context ctx;
+    unsigned char key[16];
+    unsigned char *plaintext = NULL;
+    unsigned char *ciphertext = NULL;
+    size_t output_len = out_len;
+
+    mbedtls_nist_kw_init( &ctx );
+
+    memset( key, 0, sizeof( key ) );
+
+    if( in_len != 0 )
+    {
+        plaintext = mbedtls_calloc( 1, in_len );
+        TEST_ASSERT( plaintext != NULL );
+    }
+
+    if( out_len != 0 )
+    {
+        ciphertext = mbedtls_calloc( 1, output_len );
+        TEST_ASSERT( ciphertext != NULL );
+    }
+
+    memset( plaintext, 0, in_len );
+    memset( ciphertext, 0, output_len );
+
+
+    TEST_ASSERT( mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+                                         key, 8 * sizeof( key ), 1 ) == 0 );
+
+    TEST_ASSERT( mbedtls_nist_kw_wrap( &ctx, mode, plaintext, in_len,
+                                      ciphertext, &output_len,
+                                      output_len ) == res );
+    if( res == 0 )
+    {
+        if( mode == MBEDTLS_KW_MODE_KWP )
+            TEST_ASSERT( output_len == (size_t) in_len + 8 -
+                         ( in_len % 8 ) + 8 );
+        else
+            TEST_ASSERT( output_len == (size_t) in_len + 8 );
+    }
+    else
+    {
+        TEST_ASSERT( output_len == 0 );
+    }
+
+exit:
+    mbedtls_free( ciphertext );
+    mbedtls_free( plaintext );
+    mbedtls_nist_kw_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_AES_C */
+void nist_kw_ciphertext_lengths( int in_len, int out_len, int mode, int res )
+{
+    mbedtls_nist_kw_context ctx;
+    unsigned char key[16];
+    unsigned char *plaintext = NULL;
+    unsigned char *ciphertext = NULL;
+    int unwrap_ret;
+    size_t output_len = out_len;
+
+    mbedtls_nist_kw_init( &ctx );
+
+    memset( key, 0, sizeof( key ) );
+
+    if( out_len != 0 )
+    {
+        plaintext = mbedtls_calloc( 1, output_len );
+        TEST_ASSERT( plaintext != NULL );
+    }
+    if( in_len != 0 )
+    {
+        ciphertext = mbedtls_calloc( 1, in_len );
+        TEST_ASSERT( ciphertext != NULL );
+    }
+
+    memset( plaintext, 0, output_len );
+    memset( ciphertext, 0, in_len );
+
+
+    TEST_ASSERT( mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+                                         key, 8 * sizeof( key ), 0 ) == 0 );
+    unwrap_ret = mbedtls_nist_kw_unwrap( &ctx, mode, ciphertext, in_len,
+                                         plaintext, &output_len,
+                                         output_len );
+
+    if( res == 0 )
+        TEST_ASSERT( unwrap_ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED );
+    else
+        TEST_ASSERT( unwrap_ret == res );
+
+    TEST_ASSERT( output_len == 0 );
+
+exit:
+    mbedtls_free( ciphertext );
+    mbedtls_free( plaintext );
+    mbedtls_nist_kw_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mbedtls_nist_kw_wrap( int cipher_id, int mode,
+                           char *key_hex, char *msg_hex,
+                           char *result_hex )
+{
+    unsigned char key[32];
+    unsigned char msg[512];
+    unsigned char result[528];
+    unsigned char expected_result[528];
+    mbedtls_nist_kw_context ctx;
+    size_t key_len, msg_len, output_len, result_len, i, padlen;
+
+    mbedtls_nist_kw_init( &ctx );
+
+    memset( key, 0x00, sizeof( key ) );
+    memset( msg, 0x00, sizeof( msg ) );
+    memset( result, '+', sizeof( result ) );
+
+    key_len = unhexify( key, key_hex );
+    msg_len = unhexify( msg, msg_hex );
+    result_len = unhexify( expected_result, result_hex );
+    output_len = sizeof( result );
+
+    TEST_ASSERT( mbedtls_nist_kw_setkey( &ctx, cipher_id, key, key_len * 8, 1 )
+                 == 0 );
+
+    /* Test with input == output */
+    TEST_ASSERT( mbedtls_nist_kw_wrap( &ctx, mode, msg, msg_len,
+                 result, &output_len, sizeof( result ) ) == 0 );
+
+    TEST_ASSERT( output_len == result_len );
+
+    TEST_ASSERT( memcmp( expected_result, result, result_len ) == 0 );
+
+    padlen = ( msg_len % 8 != 0 ) ? 8 - (msg_len % 8 ) : 0;
+    /* Check that the function didn't write beyond the end of the buffer. */
+    for( i = msg_len + 8 + padlen; i < sizeof( result ); i++ )
+    {
+        TEST_ASSERT( result[i] == '+' );
+    }
+
+exit:
+    mbedtls_nist_kw_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void mbedtls_nist_kw_unwrap( int cipher_id, int mode,
+                             char *key_hex, char *msg_hex,
+                             char *result_hex, int expected_ret )
+{
+    unsigned char key[32];
+    unsigned char msg[528];
+    unsigned char result[528];
+    unsigned char expected_result[528];
+    mbedtls_nist_kw_context ctx;
+    size_t key_len, msg_len, output_len, result_len, i;
+
+    mbedtls_nist_kw_init( &ctx );
+
+    memset( key, 0x00, sizeof( key ) );
+    memset( msg, 0x00, sizeof( msg ) );
+    memset( result, '+', sizeof( result ) );
+    memset( expected_result, 0x00, sizeof( expected_result ) );
+
+    key_len = unhexify( key, key_hex );
+    msg_len = unhexify( msg, msg_hex );
+    result_len = unhexify( expected_result, result_hex );
+    output_len = sizeof( result );
+
+    TEST_ASSERT( mbedtls_nist_kw_setkey( &ctx, cipher_id, key, key_len * 8, 0 )
+                 == 0 );
+
+    /* Test with input == output */
+    TEST_ASSERT( mbedtls_nist_kw_unwrap( &ctx, mode, msg, msg_len,
+                 result, &output_len, sizeof( result ) ) == expected_ret );
+    if( expected_ret == 0 )
+    {
+        TEST_ASSERT( output_len == result_len );
+        TEST_ASSERT( memcmp( expected_result, result, result_len ) == 0 );
+    }
+    else
+    {
+        TEST_ASSERT( output_len == 0 );
+    }
+
+    /* Check that the function didn't write beyond the end of the buffer. */
+    for( i = msg_len - 8; i < sizeof( result ); i++ )
+    {
+        TEST_ASSERT( result[i] == '+' );
+    }
+
+exit:
+    mbedtls_nist_kw_free( &ctx );
+}
+/* END_CASE */
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pem.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pem.function
index c24595d47c..947f1fb25d 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pem.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pem.function
@@ -6,25 +6,21 @@
 /* END_HEADER */
 
 /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C */
-void mbedtls_pem_write_buffer( char *start, char *end, char *buf_str, char *result_str )
+void mbedtls_pem_write_buffer( char * start, char * end, data_t * buf,
+                               char * result_str )
 {
-    unsigned char buf[5000];
     unsigned char *check_buf = NULL;
     int ret;
-    size_t buf_len, olen = 0, olen2 = 0;
+    size_t olen = 0, olen2 = 0;
 
-    memset( buf, 0, sizeof( buf ) );
 
-    buf_len = unhexify( buf, buf_str );
-
-    ret = mbedtls_pem_write_buffer( start, end, buf, buf_len, NULL, 0, &olen );
+    ret = mbedtls_pem_write_buffer( start, end, buf->x, buf->len, NULL, 0, &olen );
     TEST_ASSERT( ret == MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
 
     check_buf = (unsigned char *) mbedtls_calloc( 1, olen );
     TEST_ASSERT( check_buf != NULL );
 
-    memset( check_buf, 0, olen );
-    ret = mbedtls_pem_write_buffer( start, end, buf, buf_len, check_buf, olen, &olen2 );
+    ret = mbedtls_pem_write_buffer( start, end, buf->x, buf->len, check_buf, olen, &olen2 );
 
     TEST_ASSERT( olen2 <= olen );
     TEST_ASSERT( olen > strlen( (char*) result_str ) );
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pk.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pk.data
index a066bd93e8..e41dfa7103 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pk.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pk.data
@@ -1,3 +1,13 @@
+PK invalid parameters
+invalid_parameters:
+
+PK valid parameters
+valid_parameters:
+
+PK write valid parameters
+depends_on:MBEDTLS_RSA_C
+valid_parameters_pkwrite:"308204a20201000282010100a9021f3d406ad555538bfd36ee82652e15615e89bfb8e84590dbee881652d3f143504796125964876bfd2be046f973beddcf92e1915bed66a06f8929794580d0836ad54143775f397c09044782b0573970eda3ec15191ea8330847c10542a9fd4cc3b4dfdd061f4d1051406773130f40f86d81255f0ab153c6307e1539acf95aee7f929ea6055be7139785b52392d9d42406d50925897507dda61a8f3f0919bead652c64eb959bdcfe415e17a6da6c5b69cc02ba142c16249c4adccdd0f7526773f12da023fd7ef431ca2d70ca890b04db2ea64f706e9ecebd5889e253599e6e5a9265e2883f0c9419a3dde5e89d9513ed29dbab7012dc5aca6b17ab528254b10203010001028201001689f5e89142ae18a6ffb0513715a4b0b4a13b9e5b3729a2bd62d738c6e15cea7bf3a4d85ab2193a0628c9452bb1f0c1af8b132789df1c95e72778bf5330f5b0d915d242d5e0818e85001ed5fa93d1ce13455deb0a15438562e8e3c8d60ec1e4c9ebff9f2b36b9cde9332cc79f0d17a7ae79cc1353cd75409ad9b4b6d7ee3d82af6f3207656cf2ac98947c15c398db0cebf8dc3eef5398269480cdd09411b960273ae3f364da09af849f24aa87346c58618ea91d9d6cd1d3932c80dbfc1f0a4166a9036911999ca27761079f0ce02db02c1c909ff9b4278578d7bb1b54b2b7082fc9e864b6b394e331c0d11a9a68255565b6dd477f4119c5809839520700711102818100d7db987ad86de6a9b0749fb5da80bacde3bebd72dcc83f60a27db74f927ac3661386577bfce5b4a00ad024682401d6aad29713c8e223b53415305ca07559821099b187fdd1bad3dc4dec9da96f5fa6128331e8f7d89f1e1a788698d1a27256dc7cd392f04e531a9e38e7265bf4fd7eec01e7835e9b1a0dd8923e440381be1c2702818100c87025fff7a493c623404966fbc8b32ed164ca620ad1a0ad11ef42fd12118456017856a8b42e5d4ad36104e9dc9f8a2f3003c3957ffddb20e2f4e3fc3cf2cdddae01f57a56de4fd24b91ab6d3e5cc0e8af0473659594a6bbfdaacf958f19c8d508eac12d8977616af6877106288093d37904a139220c1bc278ea56edc086976702818043e708685c7cf5fa9b4f948e1856366d5e1f3a694f9a8e954f884c89f3823ac5798ee12657bfcaba2dac9c47464c6dc2fecc17a531be19da706fee336bb6e47b645dbc71d3eff9856bddeb1ac9b644ffbdd58d7ba9e1240f1faaf797ba8a4d58becbaf85789e1bd979fcfccc209d3db7f0416bc9eef09b3a6d86b8ce8199d4310281804f4b86ccffe49d0d8ace98fb63ea9f708b284ba483d130b6a75cb76cb4e4372d6b41774f20912319420ca4cbfc1b25a8cb5f01d6381f6ebc50ed3ef08010327f5ba2acc1ac7220b3fa6f7399314db2879b0db0b5647abd87abb01295815a5b086491b2c0d81c616ed67ef8a8ce0727f446711d7323d4147b5828a52143c43b4b028180540756beba83c20a0bda11d6dec706a71744ff28090cec079dffb507d82828038fe657f61496a20317f779cb683ce8196c29a6fe28839a282eef4de57773be56808b0c3e2ac7747e2b200b2fbf20b55258cd24622a1ce0099de098ab0855106ae087f08b0c8c346d81619400c1b4838e33ed9ff90f05db8fccf8fb7ab881ca12"
+
 PK utils: RSA
 depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME
 pk_utils:MBEDTLS_PK_RSA:512:64:"RSA"
@@ -153,3 +163,35 @@ mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server1.key":MBEDT
 RSA hash_len overflow (size_t vs unsigned int)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_HAVE_INT64
 pk_rsa_overflow:
+
+ECDSA restartable sign/verify: ECDSA, max_ops=0 (disabled)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+pk_sign_verify_restart:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":"60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6":"7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299":MBEDTLS_MD_SHA256:"test":"3045022100f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d383670220019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083":0:0:0
+
+ECDSA restartable sign/verify: ECKEY, max_ops=0 (disabled)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+pk_sign_verify_restart:MBEDTLS_PK_ECKEY:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":"60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6":"7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299":MBEDTLS_MD_SHA256:"test":"3045022100f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d383670220019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083":0:0:0
+
+ECDSA restartable sign/verify: ECDSA, max_ops=1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+pk_sign_verify_restart:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":"60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6":"7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299":MBEDTLS_MD_SHA256:"test":"3045022100f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d383670220019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083":1:1:10000
+
+ECDSA restartable sign/verify: ECKEY, max_ops=1
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+pk_sign_verify_restart:MBEDTLS_PK_ECKEY:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":"60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6":"7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299":MBEDTLS_MD_SHA256:"test":"3045022100f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d383670220019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083":1:1:10000
+
+ECDSA restartable sign/verify: ECDSA, max_ops=10000
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+pk_sign_verify_restart:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":"60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6":"7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299":MBEDTLS_MD_SHA256:"test":"3045022100f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d383670220019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083":10000:0:0
+
+ECDSA restartable sign/verify: ECKEY, max_ops=10000
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+pk_sign_verify_restart:MBEDTLS_PK_ECKEY:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":"60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6":"7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299":MBEDTLS_MD_SHA256:"test":"3045022100f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d383670220019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083":10000:0:0
+
+ECDSA restartable sign/verify: ECDSA, max_ops=250
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+pk_sign_verify_restart:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":"60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6":"7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299":MBEDTLS_MD_SHA256:"test":"3045022100f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d383670220019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083":250:2:64
+
+ECDSA restartable sign/verify: ECKEY, max_ops=250
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
+pk_sign_verify_restart:MBEDTLS_PK_ECKEY:MBEDTLS_ECP_DP_SECP256R1:"C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721":"60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6":"7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299":MBEDTLS_MD_SHA256:"test":"3045022100f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d383670220019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083":250:2:64
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pk.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pk.function
index c0c987d5c3..4e6ab172c8 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pk.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pk.function
@@ -2,6 +2,8 @@
 #include "mbedtls/pk.h"
 
 /* For error codes */
+#include "mbedtls/asn1.h"
+#include "mbedtls/base64.h"
 #include "mbedtls/ecp.h"
 #include "mbedtls/rsa.h"
 
@@ -70,7 +72,427 @@ size_t mbedtls_rsa_key_len_func( void *ctx )
  */
 
 /* BEGIN_CASE */
-void pk_utils( int type, int size, int len, char *name )
+void valid_parameters( )
+{
+    mbedtls_pk_context pk;
+    unsigned char buf[1];
+    size_t len;
+    void *options = NULL;
+
+    mbedtls_pk_init( &pk );
+
+    TEST_VALID_PARAM( mbedtls_pk_free( NULL ) );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    TEST_VALID_PARAM( mbedtls_pk_restart_free( NULL ) );
+#endif
+
+    TEST_ASSERT( mbedtls_pk_setup( &pk, NULL ) ==
+                 MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    /* In informational functions, we accept NULL where a context pointer
+     * is expected because that's what the library has done forever.
+     * We do not document that NULL is accepted, so we may wish to change
+     * the behavior in a future version. */
+    TEST_ASSERT( mbedtls_pk_get_bitlen( NULL ) == 0 );
+    TEST_ASSERT( mbedtls_pk_get_len( NULL ) == 0 );
+    TEST_ASSERT( mbedtls_pk_can_do( NULL, MBEDTLS_PK_NONE ) == 0 );
+
+    TEST_ASSERT( mbedtls_pk_sign_restartable( &pk,
+                                              MBEDTLS_MD_NONE,
+                                              NULL, 0,
+                                              buf, &len,
+                                              rnd_std_rand, NULL,
+                                              NULL ) ==
+                 MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    TEST_ASSERT( mbedtls_pk_sign_restartable( &pk,
+                                              MBEDTLS_MD_NONE,
+                                              NULL, 0,
+                                              buf, &len,
+                                              rnd_std_rand, NULL,
+                                              NULL ) ==
+                 MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    TEST_ASSERT( mbedtls_pk_sign( &pk,
+                                  MBEDTLS_MD_NONE,
+                                  NULL, 0,
+                                  buf, &len,
+                                  rnd_std_rand, NULL ) ==
+                 MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    TEST_ASSERT( mbedtls_pk_verify_restartable( &pk,
+                                                MBEDTLS_MD_NONE,
+                                                NULL, 0,
+                                                buf, sizeof( buf ),
+                                                NULL ) ==
+                 MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    TEST_ASSERT( mbedtls_pk_verify( &pk,
+                                    MBEDTLS_MD_NONE,
+                                    NULL, 0,
+                                    buf, sizeof( buf ) ) ==
+                 MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    TEST_ASSERT( mbedtls_pk_verify_ext( MBEDTLS_PK_NONE, options,
+                                        &pk,
+                                        MBEDTLS_MD_NONE,
+                                        NULL, 0,
+                                        buf, sizeof( buf ) ) ==
+                 MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    TEST_ASSERT( mbedtls_pk_encrypt( &pk,
+                                     NULL, 0,
+                                     NULL, &len, 0,
+                                     rnd_std_rand, NULL ) ==
+                 MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    TEST_ASSERT( mbedtls_pk_decrypt( &pk,
+                                     NULL, 0,
+                                     NULL, &len, 0,
+                                     rnd_std_rand, NULL ) ==
+                 MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_PK_PARSE_C)
+    TEST_ASSERT( mbedtls_pk_parse_key( &pk, NULL, 0, NULL, 1 ) ==
+                 MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+
+    TEST_ASSERT( mbedtls_pk_parse_public_key( &pk, NULL, 0 ) ==
+                 MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+#endif /* MBEDTLS_PK_PARSE_C */
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PK_WRITE_C */
+void valid_parameters_pkwrite( data_t *key_data )
+{
+    mbedtls_pk_context pk;
+
+    /* For the write tests to be effective, we need a valid key pair. */
+    mbedtls_pk_init( &pk );
+    TEST_ASSERT( mbedtls_pk_parse_key( &pk,
+                                       key_data->x, key_data->len,
+                                       NULL, 0 ) == 0 );
+
+    TEST_ASSERT( mbedtls_pk_write_key_der( &pk, NULL, 0 ) ==
+                 MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    TEST_ASSERT( mbedtls_pk_write_pubkey_der( &pk, NULL, 0 ) ==
+                 MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+    TEST_ASSERT( mbedtls_pk_write_key_pem( &pk, NULL, 0 ) ==
+                 MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
+
+    TEST_ASSERT( mbedtls_pk_write_pubkey_pem( &pk, NULL, 0 ) ==
+                 MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+exit:
+    mbedtls_pk_free( &pk );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void invalid_parameters( )
+{
+    size_t len;
+    unsigned char *null_buf = NULL;
+    unsigned char buf[1];
+    unsigned char *p = buf;
+    char str[1] = {0};
+    mbedtls_pk_context pk;
+    mbedtls_md_type_t valid_md = MBEDTLS_MD_SHA256;
+    void *options = buf;
+
+    (void) null_buf;
+    (void) p;
+    (void) str;
+
+    mbedtls_pk_init( &pk );
+
+    TEST_INVALID_PARAM( mbedtls_pk_init( NULL ) );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    TEST_INVALID_PARAM( mbedtls_pk_restart_init( NULL ) );
+#endif
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_setup( NULL, NULL ) );
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_setup_rsa_alt( NULL, buf,
+                                                      NULL, NULL, NULL ) );
+#endif
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_verify_restartable( NULL,
+                                                           MBEDTLS_MD_NONE,
+                                                           buf, sizeof( buf ),
+                                                           buf, sizeof( buf ),
+                                                           NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_verify_restartable( &pk,
+                                                           MBEDTLS_MD_NONE,
+                                                           NULL, sizeof( buf ),
+                                                           buf, sizeof( buf ),
+                                                           NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_verify_restartable( &pk,
+                                                           valid_md,
+                                                           NULL, 0,
+                                                           buf, sizeof( buf ),
+                                                           NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_verify_restartable( &pk,
+                                                           MBEDTLS_MD_NONE,
+                                                           buf, sizeof( buf ),
+                                                           NULL, sizeof( buf ),
+                                                           NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_verify( NULL,
+                                               MBEDTLS_MD_NONE,
+                                               buf, sizeof( buf ),
+                                               buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_verify( &pk,
+                                               MBEDTLS_MD_NONE,
+                                               NULL, sizeof( buf ),
+                                               buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_verify( &pk,
+                                               valid_md,
+                                               NULL, 0,
+                                               buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_verify( &pk,
+                                               MBEDTLS_MD_NONE,
+                                               buf, sizeof( buf ),
+                                               NULL, sizeof( buf ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_verify_ext( MBEDTLS_PK_NONE, options,
+                                                   NULL,
+                                                   MBEDTLS_MD_NONE,
+                                                   buf, sizeof( buf ),
+                                                   buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_verify_ext( MBEDTLS_PK_NONE, options,
+                                                   &pk,
+                                                   MBEDTLS_MD_NONE,
+                                                   NULL, sizeof( buf ),
+                                                   buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_verify_ext( MBEDTLS_PK_NONE, options,
+                                                   &pk,
+                                                   valid_md,
+                                                   NULL, 0,
+                                                   buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_verify_ext( MBEDTLS_PK_NONE, options,
+                                                   &pk,
+                                                   MBEDTLS_MD_NONE,
+                                                   buf, sizeof( buf ),
+                                                   NULL, sizeof( buf ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_sign_restartable( NULL,
+                                                         MBEDTLS_MD_NONE,
+                                                         buf, sizeof( buf ),
+                                                         buf, &len,
+                                                         rnd_std_rand, NULL,
+                                                         NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_sign_restartable( &pk,
+                                                         MBEDTLS_MD_NONE,
+                                                         NULL, sizeof( buf ),
+                                                         buf, &len,
+                                                         rnd_std_rand, NULL,
+                                                         NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_sign_restartable( &pk,
+                                                         valid_md,
+                                                         NULL, 0,
+                                                         buf, &len,
+                                                         rnd_std_rand, NULL,
+                                                         NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_sign_restartable( &pk,
+                                                         MBEDTLS_MD_NONE,
+                                                         buf, sizeof( buf ),
+                                                         NULL, &len,
+                                                         rnd_std_rand, NULL,
+                                                         NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_sign( NULL,
+                                             MBEDTLS_MD_NONE,
+                                             buf, sizeof( buf ),
+                                             buf, &len,
+                                             rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_sign( &pk,
+                                             MBEDTLS_MD_NONE,
+                                             NULL, sizeof( buf ),
+                                             buf, &len,
+                                             rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_sign( &pk,
+                                             valid_md,
+                                             NULL, 0,
+                                             buf, &len,
+                                             rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_sign( &pk,
+                                             MBEDTLS_MD_NONE,
+                                             buf, sizeof( buf ),
+                                             NULL, &len,
+                                             rnd_std_rand, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_decrypt( NULL,
+                                                buf, sizeof( buf ),
+                                                buf, &len, sizeof( buf ),
+                                                rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_decrypt( &pk,
+                                                NULL, sizeof( buf ),
+                                                buf, &len, sizeof( buf ),
+                                                rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_decrypt( &pk,
+                                                buf, sizeof( buf ),
+                                                NULL, &len, sizeof( buf ),
+                                                rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_decrypt( &pk,
+                                                buf, sizeof( buf ),
+                                                buf, NULL, sizeof( buf ),
+                                                rnd_std_rand, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_encrypt( NULL,
+                                                buf, sizeof( buf ),
+                                                buf, &len, sizeof( buf ),
+                                                rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_encrypt( &pk,
+                                                NULL, sizeof( buf ),
+                                                buf, &len, sizeof( buf ),
+                                                rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_encrypt( &pk,
+                                                buf, sizeof( buf ),
+                                                NULL, &len, sizeof( buf ),
+                                                rnd_std_rand, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_encrypt( &pk,
+                                                buf, sizeof( buf ),
+                                                buf, NULL, sizeof( buf ),
+                                                rnd_std_rand, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_check_pair( NULL, &pk ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_check_pair( &pk, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_debug( NULL, NULL ) );
+
+#if defined(MBEDTLS_PK_PARSE_C)
+#if defined(MBEDTLS_FS_IO)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_load_file( NULL, &p, &len ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_load_file( str, NULL, &len ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_load_file( str, &p, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_parse_keyfile( NULL, str, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_parse_keyfile( &pk, NULL, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_parse_public_keyfile( NULL, str ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_parse_public_keyfile( &pk, NULL ) );
+#endif
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_parse_subpubkey( NULL, buf, &pk ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_parse_subpubkey( &null_buf, buf, &pk ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_parse_subpubkey( &p, NULL, &pk ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_parse_subpubkey( &p, buf, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_parse_key( NULL,
+                                                  buf, sizeof( buf ),
+                                                  buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_parse_key( &pk,
+                                                  NULL, sizeof( buf ),
+                                                  buf, sizeof( buf ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_parse_public_key( NULL,
+                                                         buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_parse_public_key( &pk,
+                                                         NULL, sizeof( buf ) ) );
+#endif /* MBEDTLS_PK_PARSE_C */
+
+#if defined(MBEDTLS_PK_WRITE_C)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_write_pubkey( NULL, p, &pk ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_write_pubkey( &null_buf, p, &pk ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_write_pubkey( &p, NULL, &pk ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_write_pubkey( &p, p, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_write_pubkey_der( NULL,
+                                                         buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_write_pubkey_der( &pk,
+                                                         NULL, sizeof( buf ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_write_key_der( NULL,
+                                                      buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_write_key_der( &pk,
+                                                      NULL, sizeof( buf ) ) );
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_write_pubkey_pem( NULL,
+                                                         buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_write_pubkey_pem( &pk,
+                                                         NULL, sizeof( buf ) ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_write_key_pem( NULL,
+                                                      buf, sizeof( buf ) ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_PK_BAD_INPUT_DATA,
+                            mbedtls_pk_write_key_pem( &pk,
+                                                      NULL, sizeof( buf ) ) );
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#endif /* MBEDTLS_PK_WRITE_C */
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void pk_utils( int type, int size, int len, char * name )
 {
     mbedtls_pk_context pk;
 
@@ -91,7 +513,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_FS_IO */
-void mbedtls_pk_check_pair( char *pub_file, char *prv_file, int ret )
+void mbedtls_pk_check_pair( char * pub_file, char * prv_file, int ret )
 {
     mbedtls_pk_context pub, prv, alt;
 
@@ -121,22 +543,27 @@ void mbedtls_pk_check_pair( char *pub_file, char *prv_file, int ret )
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_RSA_C */
-void pk_rsa_verify_test_vec( char *message_hex_string, int digest,
-                       int mod, int radix_N, char *input_N, int radix_E,
-                       char *input_E, char *result_hex_str, int result )
+void pk_rsa_verify_test_vec( data_t * message_str, int digest, int mod,
+                             int radix_N, char * input_N, int radix_E,
+                             char * input_E, data_t * result_str,
+                             int result )
 {
-    unsigned char message_str[1000];
     unsigned char hash_result[1000];
-    unsigned char result_str[1000];
     mbedtls_rsa_context *rsa;
     mbedtls_pk_context pk;
-    int msg_len;
+    mbedtls_pk_restart_ctx *rs_ctx = NULL;
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_pk_restart_ctx ctx;
+
+    rs_ctx = &ctx;
+    mbedtls_pk_restart_init( rs_ctx );
+    // this setting would ensure restart would happen if ECC was used
+    mbedtls_ecp_set_max_ops( 1 );
+#endif
 
     mbedtls_pk_init( &pk );
 
-    memset( message_str, 0x00, 1000 );
     memset( hash_result, 0x00, 1000 );
-    memset( result_str, 0x00, 1000 );
 
     TEST_ASSERT( mbedtls_pk_setup( &pk, mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == 0 );
     rsa = mbedtls_pk_rsa( pk );
@@ -145,42 +572,41 @@ void pk_rsa_verify_test_vec( char *message_hex_string, int digest,
     TEST_ASSERT( mbedtls_mpi_read_string( &rsa->N, radix_N, input_N ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &rsa->E, radix_E, input_E ) == 0 );
 
-    msg_len = unhexify( message_str, message_hex_string );
-    unhexify( result_str, result_hex_str );
 
     if( mbedtls_md_info_from_type( digest ) != NULL )
-        TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str, msg_len, hash_result ) == 0 );
+        TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 );
 
     TEST_ASSERT( mbedtls_pk_verify( &pk, digest, hash_result, 0,
-                            result_str, mbedtls_pk_get_len( &pk ) ) == result );
+                            result_str->x, mbedtls_pk_get_len( &pk ) ) == result );
+
+    TEST_ASSERT( mbedtls_pk_verify_restartable( &pk, digest, hash_result, 0,
+                    result_str->x, mbedtls_pk_get_len( &pk ), rs_ctx ) == result );
 
 exit:
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_pk_restart_free( rs_ctx );
+#endif
     mbedtls_pk_free( &pk );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_RSA_C */
-void pk_rsa_verify_ext_test_vec( char *message_hex_string, int digest,
-                       int mod, int radix_N, char *input_N, int radix_E,
-                       char *input_E, char *result_hex_str,
-                       int pk_type, int mgf1_hash_id, int salt_len,
-                       int result )
+void pk_rsa_verify_ext_test_vec( data_t * message_str, int digest,
+                                 int mod, int radix_N, char * input_N,
+                                 int radix_E, char * input_E,
+                                 data_t * result_str, int pk_type,
+                                 int mgf1_hash_id, int salt_len, int result )
 {
-    unsigned char message_str[1000];
     unsigned char hash_result[1000];
-    unsigned char result_str[1000];
     mbedtls_rsa_context *rsa;
     mbedtls_pk_context pk;
     mbedtls_pk_rsassa_pss_options pss_opts;
     void *options;
-    int msg_len;
     size_t hash_len;
 
     mbedtls_pk_init( &pk );
 
-    memset( message_str, 0x00, 1000 );
     memset( hash_result, 0x00, 1000 );
-    memset( result_str, 0x00, 1000 );
 
     TEST_ASSERT( mbedtls_pk_setup( &pk, mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == 0 );
     rsa = mbedtls_pk_rsa( pk );
@@ -189,19 +615,17 @@ void pk_rsa_verify_ext_test_vec( char *message_hex_string, int digest,
     TEST_ASSERT( mbedtls_mpi_read_string( &rsa->N, radix_N, input_N ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &rsa->E, radix_E, input_E ) == 0 );
 
-    msg_len = unhexify( message_str, message_hex_string );
-    unhexify( result_str, result_hex_str );
 
     if( digest != MBEDTLS_MD_NONE )
     {
         TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ),
-                     message_str, msg_len, hash_result ) == 0 );
+                     message_str->x, message_str->len, hash_result ) == 0 );
         hash_len = 0;
     }
     else
     {
-        memcpy( hash_result, message_str, msg_len );
-        hash_len = msg_len;
+        memcpy( hash_result, message_str->x, message_str->len );
+        hash_len = message_str->len;
     }
 
     if( mgf1_hash_id < 0 )
@@ -218,7 +642,7 @@ void pk_rsa_verify_ext_test_vec( char *message_hex_string, int digest,
 
     TEST_ASSERT( mbedtls_pk_verify_ext( pk_type, options, &pk,
                                 digest, hash_result, hash_len,
-                                result_str, mbedtls_pk_get_len( &pk ) ) == result );
+                                result_str->x, mbedtls_pk_get_len( &pk ) ) == result );
 
 exit:
     mbedtls_pk_free( &pk );
@@ -226,19 +650,14 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_ECDSA_C */
-void pk_ec_test_vec( int type, int id, char *key_str,
-                     char *hash_str, char * sig_str, int ret )
+void pk_ec_test_vec( int type, int id, data_t * key, data_t * hash,
+                     data_t * sig, int ret )
 {
     mbedtls_pk_context pk;
     mbedtls_ecp_keypair *eckey;
-    unsigned char hash[100], sig[500], key[500];
-    size_t hash_len, sig_len, key_len;
 
     mbedtls_pk_init( &pk );
 
-    memset( hash, 0, sizeof( hash ) );  hash_len = unhexify(hash, hash_str);
-    memset( sig, 0, sizeof( sig ) );    sig_len = unhexify(sig, sig_str);
-    memset( key, 0, sizeof( key ) );    key_len = unhexify(key, key_str);
 
     TEST_ASSERT( mbedtls_pk_setup( &pk, mbedtls_pk_info_from_type( type ) ) == 0 );
 
@@ -247,22 +666,135 @@ void pk_ec_test_vec( int type, int id, char *key_str,
 
     TEST_ASSERT( mbedtls_ecp_group_load( &eckey->grp, id ) == 0 );
     TEST_ASSERT( mbedtls_ecp_point_read_binary( &eckey->grp, &eckey->Q,
-                                        key, key_len ) == 0 );
+                                        key->x, key->len ) == 0 );
 
     TEST_ASSERT( mbedtls_pk_verify( &pk, MBEDTLS_MD_NONE,
-                            hash, hash_len, sig, sig_len ) == ret );
+                            hash->x, hash->len, sig->x, sig->len ) == ret );
 
 exit:
     mbedtls_pk_free( &pk );
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC */
+void pk_sign_verify_restart( int pk_type, int grp_id, char *d_str,
+                              char *QX_str, char *QY_str,
+                              int md_alg, char *msg, char *sig_str,
+                              int max_ops, int min_restart, int max_restart )
+{
+    int ret, cnt_restart;
+    mbedtls_pk_restart_ctx rs_ctx;
+    mbedtls_pk_context prv, pub;
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+    unsigned char sig[MBEDTLS_ECDSA_MAX_LEN];
+    unsigned char sig_check[MBEDTLS_ECDSA_MAX_LEN];
+    size_t hlen, slen, slen_check;
+    const mbedtls_md_info_t *md_info;
+
+    mbedtls_pk_restart_init( &rs_ctx );
+    mbedtls_pk_init( &prv );
+    mbedtls_pk_init( &pub );
+    memset( hash, 0, sizeof( hash ) );
+    memset( sig, 0, sizeof( sig ) );
+    memset( sig_check, 0, sizeof( sig_check ) );
+
+    TEST_ASSERT( mbedtls_pk_setup( &prv, mbedtls_pk_info_from_type( pk_type ) ) == 0 );
+    TEST_ASSERT( mbedtls_ecp_group_load( &mbedtls_pk_ec( prv )->grp, grp_id ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &mbedtls_pk_ec( prv )->d, 16, d_str ) == 0 );
+
+    TEST_ASSERT( mbedtls_pk_setup( &pub, mbedtls_pk_info_from_type( pk_type ) ) == 0 );
+    TEST_ASSERT( mbedtls_ecp_group_load( &mbedtls_pk_ec( pub )->grp, grp_id ) == 0 );
+    TEST_ASSERT( mbedtls_ecp_point_read_string( &mbedtls_pk_ec( pub )->Q, 16, QX_str, QY_str ) == 0 );
+
+    slen_check = unhexify( sig_check, sig_str );
+
+    md_info = mbedtls_md_info_from_type( md_alg );
+    TEST_ASSERT( md_info != NULL );
+
+    hlen = mbedtls_md_get_size( md_info );
+    mbedtls_md( md_info, (const unsigned char *) msg, strlen( msg ), hash );
+
+    mbedtls_ecp_set_max_ops( max_ops );
+
+    slen = sizeof( sig );
+    cnt_restart = 0;
+    do {
+        ret = mbedtls_pk_sign_restartable( &prv, md_alg, hash, hlen,
+                                            sig, &slen, NULL, NULL, &rs_ctx );
+    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
+
+    TEST_ASSERT( ret == 0 );
+    TEST_ASSERT( slen == slen_check );
+    TEST_ASSERT( memcmp( sig, sig_check, slen ) == 0 );
+
+    TEST_ASSERT( cnt_restart >= min_restart );
+    TEST_ASSERT( cnt_restart <= max_restart );
+
+    cnt_restart = 0;
+    do {
+        ret = mbedtls_pk_verify_restartable( &pub, md_alg,
+                                 hash, hlen, sig, slen, &rs_ctx );
+    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
+
+    TEST_ASSERT( ret == 0 );
+    TEST_ASSERT( cnt_restart >= min_restart );
+    TEST_ASSERT( cnt_restart <= max_restart );
+
+    hash[0]++;
+    do {
+        ret = mbedtls_pk_verify_restartable( &pub, md_alg,
+                                 hash, hlen, sig, slen, &rs_ctx );
+    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
+    TEST_ASSERT( ret != 0 );
+    hash[0]--;
+
+    sig[0]++;
+    do {
+        ret = mbedtls_pk_verify_restartable( &pub, md_alg,
+                                 hash, hlen, sig, slen, &rs_ctx );
+    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
+    TEST_ASSERT( ret != 0 );
+    sig[0]--;
+
+    /* Do we leak memory when aborting? try verify then sign
+     * This test only makes sense when we actually restart */
+    if( min_restart > 0 )
+    {
+        ret = mbedtls_pk_verify_restartable( &pub, md_alg,
+                                 hash, hlen, sig, slen, &rs_ctx );
+        TEST_ASSERT( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
+        mbedtls_pk_restart_free( &rs_ctx );
+
+        slen = sizeof( sig );
+        ret = mbedtls_pk_sign_restartable( &prv, md_alg, hash, hlen,
+                                            sig, &slen, NULL, NULL, &rs_ctx );
+        TEST_ASSERT( ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
+    }
+
+exit:
+    mbedtls_pk_restart_free( &rs_ctx );
+    mbedtls_pk_free( &prv );
+    mbedtls_pk_free( &pub );
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_SHA256_C */
 void pk_sign_verify( int type, int sign_ret, int verify_ret )
 {
     mbedtls_pk_context pk;
     unsigned char hash[50], sig[5000];
     size_t sig_len;
+    void *rs_ctx = NULL;
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_pk_restart_ctx ctx;
+
+    rs_ctx = &ctx;
+    mbedtls_pk_restart_init( rs_ctx );
+    /* This value is large enough that the operation will complete in one run.
+     * See comments at the top of ecp_test_vect_restart in
+     * test_suite_ecp.function for estimates of operation counts. */
+    mbedtls_ecp_set_max_ops( 42000 );
+#endif
 
     mbedtls_pk_init( &pk );
 
@@ -272,38 +804,67 @@ void pk_sign_verify( int type, int sign_ret, int verify_ret )
     TEST_ASSERT( mbedtls_pk_setup( &pk, mbedtls_pk_info_from_type( type ) ) == 0 );
     TEST_ASSERT( pk_genkey( &pk ) == 0 );
 
-    TEST_ASSERT( mbedtls_pk_sign( &pk, MBEDTLS_MD_SHA256, hash, sizeof hash,
-                          sig, &sig_len, rnd_std_rand, NULL ) == sign_ret );
+    TEST_ASSERT( mbedtls_pk_sign_restartable( &pk, MBEDTLS_MD_SHA256,
+                 hash, sizeof hash, sig, &sig_len,
+                 rnd_std_rand, NULL, rs_ctx ) == sign_ret );
 
     TEST_ASSERT( mbedtls_pk_verify( &pk, MBEDTLS_MD_SHA256,
                             hash, sizeof hash, sig, sig_len ) == verify_ret );
 
+    if( verify_ret == 0 )
+    {
+        hash[0]++;
+        TEST_ASSERT( mbedtls_pk_verify( &pk, MBEDTLS_MD_SHA256,
+                                hash, sizeof hash, sig, sig_len ) != 0 );
+        hash[0]--;
+
+        sig[0]++;
+        TEST_ASSERT( mbedtls_pk_verify( &pk, MBEDTLS_MD_SHA256,
+                                hash, sizeof hash, sig, sig_len ) != 0 );
+        sig[0]--;
+    }
+
+    TEST_ASSERT( mbedtls_pk_sign( &pk, MBEDTLS_MD_SHA256, hash, sizeof hash,
+                          sig, &sig_len, rnd_std_rand, NULL ) == sign_ret );
+
+    TEST_ASSERT( mbedtls_pk_verify_restartable( &pk, MBEDTLS_MD_SHA256,
+                 hash, sizeof hash, sig, sig_len, rs_ctx ) == verify_ret );
+
+    if( verify_ret == 0 )
+    {
+        hash[0]++;
+        TEST_ASSERT( mbedtls_pk_verify_restartable( &pk, MBEDTLS_MD_SHA256,
+                     hash, sizeof hash, sig, sig_len, rs_ctx ) != 0 );
+        hash[0]--;
+
+        sig[0]++;
+        TEST_ASSERT( mbedtls_pk_verify_restartable( &pk, MBEDTLS_MD_SHA256,
+                     hash, sizeof hash, sig, sig_len, rs_ctx ) != 0 );
+        sig[0]--;
+    }
+
 exit:
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_pk_restart_free( rs_ctx );
+#endif
     mbedtls_pk_free( &pk );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_RSA_C */
-void pk_rsa_encrypt_test_vec( char *message_hex, int mod,
-                            int radix_N, char *input_N,
-                            int radix_E, char *input_E,
-                            char *result_hex, int ret )
+void pk_rsa_encrypt_test_vec( data_t * message, int mod, int radix_N,
+                              char * input_N, int radix_E, char * input_E,
+                              data_t * result, int ret )
 {
-    unsigned char message[1000];
     unsigned char output[1000];
-    unsigned char result[1000];
-    size_t msg_len, olen, res_len;
     rnd_pseudo_info rnd_info;
     mbedtls_rsa_context *rsa;
     mbedtls_pk_context pk;
+    size_t olen;
 
     memset( &rnd_info,  0, sizeof( rnd_pseudo_info ) );
-    memset( message,    0, sizeof( message ) );
     memset( output,     0, sizeof( output ) );
-    memset( result,     0, sizeof( result ) );
 
-    msg_len = unhexify( message, message_hex );
-    res_len = unhexify( result, result_hex );
 
     mbedtls_pk_init( &pk );
     TEST_ASSERT( mbedtls_pk_setup( &pk, mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == 0 );
@@ -313,11 +874,11 @@ void pk_rsa_encrypt_test_vec( char *message_hex, int mod,
     TEST_ASSERT( mbedtls_mpi_read_string( &rsa->N, radix_N, input_N ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &rsa->E, radix_E, input_E ) == 0 );
 
-    TEST_ASSERT( mbedtls_pk_encrypt( &pk, message, msg_len,
+    TEST_ASSERT( mbedtls_pk_encrypt( &pk, message->x, message->len,
                              output, &olen, sizeof( output ),
                              rnd_pseudo_rand, &rnd_info ) == ret );
-    TEST_ASSERT( olen == res_len );
-    TEST_ASSERT( memcmp( output, result, olen ) == 0 );
+    TEST_ASSERT( olen == result->len );
+    TEST_ASSERT( memcmp( output, result->x, olen ) == 0 );
 
 exit:
     mbedtls_pk_free( &pk );
@@ -325,32 +886,24 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_RSA_C */
-void pk_rsa_decrypt_test_vec( char *cipher_hex, int mod,
-                            int radix_P, char *input_P,
-                            int radix_Q, char *input_Q,
-                            int radix_N, char *input_N,
-                            int radix_E, char *input_E,
-                            char *clear_hex, int ret )
+void pk_rsa_decrypt_test_vec( data_t * cipher, int mod, int radix_P,
+                              char * input_P, int radix_Q, char * input_Q,
+                              int radix_N, char * input_N, int radix_E,
+                              char * input_E, data_t * clear, int ret )
 {
-    unsigned char clear[1000];
     unsigned char output[1000];
-    unsigned char cipher[1000];
-    size_t clear_len, olen, cipher_len;
     rnd_pseudo_info rnd_info;
     mbedtls_mpi N, P, Q, E;
     mbedtls_rsa_context *rsa;
     mbedtls_pk_context pk;
+    size_t olen;
 
     mbedtls_pk_init( &pk );
     mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P );
     mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E );
 
     memset( &rnd_info,  0, sizeof( rnd_pseudo_info ) );
-    memset( clear,      0, sizeof( clear ) );
-    memset( cipher,     0, sizeof( cipher ) );
 
-    clear_len  = unhexify( clear,   clear_hex );
-    cipher_len = unhexify( cipher, cipher_hex );
 
     /* init pk-rsa context */
     TEST_ASSERT( mbedtls_pk_setup( &pk, mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == 0 );
@@ -370,13 +923,13 @@ void pk_rsa_decrypt_test_vec( char *cipher_hex, int mod,
     /* decryption test */
     memset( output, 0, sizeof( output ) );
     olen = 0;
-    TEST_ASSERT( mbedtls_pk_decrypt( &pk, cipher, cipher_len,
+    TEST_ASSERT( mbedtls_pk_decrypt( &pk, cipher->x, cipher->len,
                              output, &olen, sizeof( output ),
                              rnd_pseudo_rand, &rnd_info ) == ret );
     if( ret == 0 )
     {
-        TEST_ASSERT( olen == clear_len );
-        TEST_ASSERT( memcmp( output, clear, olen ) == 0 );
+        TEST_ASSERT( olen == clear->len );
+        TEST_ASSERT( memcmp( output, clear->x, olen ) == 0 );
     }
 
 exit:
@@ -453,7 +1006,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_PK_RSA_ALT_SUPPORT */
-void pk_rsa_alt( )
+void pk_rsa_alt(  )
 {
     /*
      * An rsa_alt context can only do private operations (decrypt, sign).
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkcs1_v15.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkcs1_v15.function
index 2b9cf297ae..0723623a5f 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkcs1_v15.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkcs1_v15.function
@@ -9,28 +9,22 @@
  */
 
 /* BEGIN_CASE */
-void pkcs1_rsaes_v15_encrypt( int mod, int radix_N, char *input_N, int radix_E,
-                               char *input_E, int hash,
-                               char *message_hex_string, char *seed,
-                               char *result_hex_str, int result )
+void pkcs1_rsaes_v15_encrypt( int mod, int radix_N, char * input_N,
+                              int radix_E, char * input_E, int hash,
+                              data_t * message_str, data_t * rnd_buf,
+                              data_t * result_hex_str, int result )
 {
-    unsigned char message_str[1000];
     unsigned char output[1000];
-    unsigned char output_str[1000];
-    unsigned char rnd_buf[1000];
     mbedtls_rsa_context ctx;
-    size_t msg_len;
     rnd_buf_info info;
     mbedtls_mpi N, E;
 
-    info.length = unhexify( rnd_buf, seed );
-    info.buf = rnd_buf;
+    info.buf = rnd_buf->x;
+    info.length = rnd_buf->len;
 
     mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E );
     mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash );
-    memset( message_str, 0x00, 1000 );
     memset( output, 0x00, 1000 );
-    memset( output_str, 0x00, 1000 );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &E, radix_E, input_E ) == 0 );
@@ -38,14 +32,12 @@ void pkcs1_rsaes_v15_encrypt( int mod, int radix_N, char *input_N, int radix_E,
     TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) );
     TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
 
-    msg_len = unhexify( message_str, message_hex_string );
 
-    TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_buffer_rand, &info, MBEDTLS_RSA_PUBLIC, msg_len, message_str, output ) == result );
+    TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_buffer_rand, &info, MBEDTLS_RSA_PUBLIC, message_str->len, message_str->x, output ) == result );
     if( result == 0 )
     {
-        hexify( output_str, output, ctx.len );
 
-        TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
+        TEST_ASSERT( hexcmp( output, result_hex_str->x, ctx.len, result_hex_str->len ) == 0 );
     }
 
 exit:
@@ -55,15 +47,14 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char *input_P,
-                               int radix_Q, char *input_Q, int radix_N,
-                               char *input_N, int radix_E, char *input_E,
-                               int hash, char *result_hex_str, char *seed,
-                               char *message_hex_string, int result )
+void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char * input_P,
+                              int radix_Q, char * input_Q, int radix_N,
+                              char * input_N, int radix_E, char * input_E,
+                              int hash, data_t * result_hex_str,
+                              char * seed, data_t * message_str,
+                              int result )
 {
-    unsigned char message_str[1000];
     unsigned char output[1000];
-    unsigned char output_str[1000];
     mbedtls_rsa_context ctx;
     size_t output_len;
     rnd_pseudo_info rnd_info;
@@ -74,9 +65,7 @@ void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char *input_P,
     mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E );
     mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash );
 
-    memset( message_str, 0x00, 1000 );
     memset( output, 0x00, 1000 );
-    memset( output_str, 0x00, 1000 );
     memset( &rnd_info, 0, sizeof( rnd_pseudo_info ) );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &P, radix_P, input_P ) == 0 );
@@ -89,14 +78,12 @@ void pkcs1_rsaes_v15_decrypt( int mod, int radix_P, char *input_P,
     TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
     TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 );
 
-    unhexify( message_str, message_hex_string );
 
-    TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str, output, 1000 ) == result );
+    TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str->x, output, 1000 ) == result );
     if( result == 0 )
     {
-        hexify( output_str, output, ctx.len );
 
-        TEST_ASSERT( strncasecmp( (char *) output_str, result_hex_str, strlen( result_hex_str ) ) == 0 );
+        TEST_ASSERT( hexcmp( output, result_hex_str->x, output_len, result_hex_str->len) == 0 );
     }
 
 exit:
@@ -108,12 +95,11 @@ exit:
 
 /* BEGIN_CASE */
 void pkcs1_v15_decode( int mode,
-                       char *input_hex,
+                       data_t *input,
                        int expected_plaintext_length_arg,
                        int output_size_arg,
                        int expected_result )
 {
-    size_t input_len;
     size_t expected_plaintext_length = expected_plaintext_length_arg;
     size_t output_size = output_size_arg;
     rnd_pseudo_info rnd_info;
@@ -196,8 +182,9 @@ void pkcs1_v15_decode( int mode,
                                      NULL, &Empi ) == 0 );
     TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
 
-    input_len = unhexify( original, input_hex );
-    memset( original + input_len, 'd', sizeof( original ) - input_len );
+    TEST_ASSERT( input->len <= sizeof( N ) );
+    memcpy( original, input->x, input->len );
+    memset( original + input->len, 'd', sizeof( original ) - input->len );
     if( mode == MBEDTLS_RSA_PRIVATE )
         TEST_ASSERT( mbedtls_rsa_public( &ctx, original, intermediate ) == 0 );
     else
@@ -255,33 +242,27 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void pkcs1_rsassa_v15_sign( int mod, int radix_P, char *input_P, int radix_Q,
-                            char *input_Q, int radix_N, char *input_N,
-                            int radix_E, char *input_E, int digest, int hash,
-                            char *message_hex_string, char *salt,
-                            char *result_hex_str, int result )
+void pkcs1_rsassa_v15_sign( int mod, int radix_P, char * input_P, int radix_Q,
+                            char * input_Q, int radix_N, char * input_N,
+                            int radix_E, char * input_E, int digest, int hash,
+                            data_t * message_str, data_t * rnd_buf,
+                            data_t * result_hex_str, int result )
 {
-    unsigned char message_str[1000];
     unsigned char hash_result[1000];
     unsigned char output[1000];
-    unsigned char output_str[1000];
-    unsigned char rnd_buf[1000];
     mbedtls_rsa_context ctx;
     mbedtls_mpi N, P, Q, E;
-    size_t msg_len;
     rnd_buf_info info;
 
-    info.length = unhexify( rnd_buf, salt );
-    info.buf = rnd_buf;
+    info.buf = rnd_buf->x;
+    info.length = rnd_buf->len;
 
     mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P );
     mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E );
     mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash );
 
-    memset( message_str, 0x00, 1000 );
     memset( hash_result, 0x00, 1000 );
     memset( output, 0x00, 1000 );
-    memset( output_str, 0x00, 1000 );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &P, radix_P, input_P ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &Q, radix_Q, input_Q ) == 0 );
@@ -293,17 +274,15 @@ void pkcs1_rsassa_v15_sign( int mod, int radix_P, char *input_P, int radix_Q,
     TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
     TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 );
 
-    msg_len = unhexify( message_str, message_hex_string );
 
     if( mbedtls_md_info_from_type( digest ) != NULL )
-        TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str, msg_len, hash_result ) == 0 );
+        TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 );
 
     TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_buffer_rand, &info, MBEDTLS_RSA_PRIVATE, digest, 0, hash_result, output ) == result );
     if( result == 0 )
     {
-        hexify( output_str, output, ctx.len);
 
-        TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
+        TEST_ASSERT( hexcmp( output, result_hex_str->x, ctx.len, result_hex_str->len ) == 0 );
     }
 
 exit:
@@ -314,24 +293,19 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void pkcs1_rsassa_v15_verify( int mod, int radix_N, char *input_N, int radix_E,
-                              char *input_E, int digest, int hash,
-                              char *message_hex_string, char *salt,
-                              char *result_hex_str, int result )
+void pkcs1_rsassa_v15_verify( int mod, int radix_N, char * input_N,
+                              int radix_E, char * input_E, int digest,
+                              int hash, data_t * message_str, char * salt,
+                              data_t * result_str, int result )
 {
-    unsigned char message_str[1000];
     unsigned char hash_result[1000];
-    unsigned char result_str[1000];
     mbedtls_rsa_context ctx;
-    size_t msg_len;
     mbedtls_mpi N, E;
     ((void) salt);
 
     mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E );
     mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, hash );
-    memset( message_str, 0x00, 1000 );
     memset( hash_result, 0x00, 1000 );
-    memset( result_str, 0x00, 1000 );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &E, radix_E, input_E ) == 0 );
@@ -339,16 +313,11 @@ void pkcs1_rsassa_v15_verify( int mod, int radix_N, char *input_N, int radix_E,
     TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) );
     TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
 
-    msg_len = unhexify( message_str, message_hex_string );
-    unhexify( result_str, result_hex_str );
 
     if( mbedtls_md_info_from_type( digest ) != NULL )
-        TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ),
-                                 message_str, msg_len, hash_result ) == 0 );
+        TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 );
 
-    TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC,
-                                           digest, 0, hash_result,
-                                           result_str ) == result );
+    TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result );
 
 exit:
     mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E );
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkcs1_v21.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkcs1_v21.data
index 6258c62624..291c305a95 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkcs1_v21.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkcs1_v21.data
@@ -376,8 +376,17 @@ pkcs1_rsassa_pss_sign:1024:16:"d17f655bf27c8b16d35462c905cc04a26f37e2a67fa9c0ce0
 RSASSA-PSS Verification Test Vector Int
 pkcs1_rsassa_pss_verify:1024:16:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":16:"010001":MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:"859eef2fd78aca00308bdc471193bf55bf9d78db8f8a672b484634f3c9c26e6478ae10260fe0dd8c082e53a5293af2173cd50c6d5d354febf78b26021c25c02712e78cd4694c9f469777e451e7f8e9e04cd3739c6bbfedae487fb55644e9ca74ff77a53cb729802f6ed4a5ffa8ba159890fc":"e3b5d5d002c1bce50c2b65ef88a188d83bce7e61":"8daa627d3de7595d63056c7ec659e54406f10610128baae821c8b2a0f3936d54dc3bdce46689f6b7951bb18e840542769718d5715d210d85efbb596192032c42be4c29972c856275eb6d5a45f05f51876fc6743deddd28caec9bb30ea99e02c3488269604fe497f74ccd7c7fca1671897123cbd30def5d54a2b5536ad90a747e":0
 
-RSASSA-PSS Signing Test Vector Hash too large
-pkcs1_rsassa_pss_sign:1024:16:"d17f655bf27c8b16d35462c905cc04a26f37e2a67fa9c0ce0dced472394a0df743fe7f929e378efdb368eddff453cf007af6d948e0ade757371f8a711e278f6b":16:"c6d92b6fee7414d1358ce1546fb62987530b90bd15e0f14963a5e2635adb69347ec0c01b2ab1763fd8ac1a592fb22757463a982425bb97a3a437c5bf86d03f2f":16:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":16:"010001":MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA512:"d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd00":"e3b5d5d002c1bce50c2b65ef88a188d83bce7e61":"":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+RSASSA-PSS Signature RSA-1016, SHA-512: minimum salt size not met
+depends_on:MBEDTLS_SHA512_C
+pkcs1_rsassa_pss_sign:1016:16:"0e3cb6845e528229e19cfb24611e6859ac1cea7d35992b6e2e796823c52affa03400e42830f90697f084499c3e3587defc19e749e72433dd7b70c28b0c8280b7":16:"0c48f9e45ae38fdb4a5143be37d79a10cd4f1f9782ef26a4848a4449c72cfd712c68350818736385cb4a9ab6db5aef8e96c551039cfcc8915821aee069ed660d":16:"00aee7874a4db2f1510044405db29f14df0f37bbcf61fcbcc994a3d31caaf858a74cc8f2a40ac9a9ce7aa9a0680f62cf9d8d4b827114533fdbf86f16fc9dfe5cbf857d86135519a4611ffc59cb7473861619a78e3ec314715e804cff82d6f32e9f57ddf390563629883bd34f40e8db413209b151cee97d817a5d65c7da54734b":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd00":"e3b5d5d002c1bce50c2b65ef88a188d83bce7e61":"":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+
+RSASSA-PSS Signature RSA-520, SHA-512: no possible salt size
+depends_on:MBEDTLS_SHA512_C
+pkcs1_rsassa_pss_sign:520:16:"0feea5f6220fac291b9508ec2ba8ed281eb39aee4d5dc693254106816ebc700ecf":16:"0d68918785c3aafe31eaaa2d8d8156dce645940ff7734a457337a51bd00bc88811":16:"00d5a06f86e5b9d87428540165ca966fa8893a62e2a59d0bfd7617780bb039f9165a373a8e119d0766f8de556710f33f67019153bad8223775e797d451d48206f3bf":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd00":"e3b5d5d002c1bce50c2b65ef88a188d83bce7e61":"":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+
+RSASSA-PSS Signature RSA-528, SHA-512: zero salt size
+depends_on:MBEDTLS_SHA512_C
+pkcs1_rsassa_pss_sign:528:16:"00d272aa28ed2085ac6df3c05c6719eed5deb618afa2e4ca4a6f7330b430ad48672d":16:"00c578836bab27145db9dd66f17470b62d4a6100f8ca0dedf457ee3639c3b9596325":16:"00a2554eba715bf66e5ecdf3d6d718e3e5d907e8666e7bf5a76b415106e04eb827ec4cb2199cff66491d45419082059aa5b54b0cf5eef4443402f3047c0b0e6f025081":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd00":"e3b5d5d002c1bce50c2b65ef88a188d83bce7e61":"":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
 
 RSASSA-PSS Signature Example 1_1
 pkcs1_rsassa_pss_sign:1024:16:"e7e8942720a877517273a356053ea2a1bc0c94aa72d55c6e86296b2dfc967948c0a72cbccca7eacb35706e09a1df55a1535bd9b3cc34160b3b6dcd3eda8e6443":16:"b69dca1cf7d4d7ec81e75b90fcca874abcde123fd2700180aa90479b6e48de8d67ed24f9f19d85ba275874f542cd20dc723e6963364a1f9425452b269a6799fd":16:"a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a2137":16:"010001":MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:"cdc87da223d786df3b45e0bbbc721326d1ee2af806cc315475cc6f0d9c66e1b62371d45ce2392e1ac92844c310102f156a0d8d52c1f4c40ba3aa65095786cb769757a6563ba958fed0bcc984e8b517a3d5f515b23b8a41e74aa867693f90dfb061a6e86dfaaee64472c00e5f20945729cbebe77f06ce78e08f4098fba41f9d6193c0317e8b60d4b6084acb42d29e3808a3bc372d85e331170fcbf7cc72d0b71c296648b3a4d10f416295d0807aa625cab2744fd9ea8fd223c42537029828bd16be02546f130fd2e33b936d2676e08aed1b73318b750a0167d0":"dee959c7e06411361420ff80185ed57f3e6776af":"9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c":0
@@ -831,3 +840,38 @@ RSASSA-PSS verify ext, all-zero padding, automatic salt length
 depends_on:MBEDTLS_SHA256_C
 pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":MBEDTLS_MD_NONE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:"":"63a35294577c7e593170378175b7df27c293dae583ec2a971426eb2d66f2af483e897bfae5dc20300a9d61a3644e08c3aee61a463690a3498901563c46041056":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING
 
+RSASSA-PSS Signature RSA-1024, SHA-512
+depends_on:MBEDTLS_SHA512_C
+pkcs1_rsassa_pss_sign:1024:16:"00e8f95a716c127d5147dcc241a7c1fe8d5487b3e8b6e95e48a83334d21d00c79ad0a90e29941c0c53065b20059de95e9e406061416f7ac12edca1983b9ee28cc3":16:"00d72348b297e7e5dc4329f6ab874b17982584e0ab43174070a9be983c0f040320d6f893c40d2717cb3044380cb3230b7133621eb1c55a3ea56d0e7cee694b5df3":16:"00c3c9873548543591c1f947e412c33da56b9d1b94a58c2f410a8a620e9b4f1d9197643ebf527f5f62b202b9d67a32654d05f326a9b61e0106efdf4829673c4f3d23655996e2424059916ab47aa67e406c129679e5979ca46708866608ffa21f619843b959b4442e422598a2faab54a8cef1f131992677d2cf5bcaf2b5564f7419":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"e35c6ed98f64a6d5a648fcab8adb16331db32e5d15c74a40edf94c3dc4a4de792d190889f20f1e24ed12054a6b28798fcb42d1c548769b734c96373142092aed277603f4738df4dc1446586d0ec64da4fb60536db2ae17fc7e3c04bbfbbbd907bf117c08636fa16f95f51a6216934d3e34f85030f17bbbc5ba69144058aff081e0b19cf03c17195c5e888ba58f6fe0a02e5c3bda9719a7":"653df9730e14e03f2ffb3374d6b75295aa4a52c38540b2d501adc1eb659a4d7a050769a3d11d0d5d6f3efb734200ade241fdc271c0f5eeed85b4bf00b2327bc8":"655d1cf86a7af5113d1791ab7b6627845ea2aa7efbae82705a3563e5ba0337a1d033cb9283b38c042056e0a1d0529891173e3df6621dd8b184930caec8b3cbe4d1068524dab0ec6854f6638d86b77434cd792ddec0d02327a9eebffcd6911ffd32ad9bcb569d3237398c8169d9c62e7eea81c1b456fd36019aad1e4b268c604d":0
+
+RSASSA-PSS Verification RSA-1024, SHA-512
+depends_on:MBEDTLS_SHA512_C
+pkcs1_rsassa_pss_verify:1022:16:"00c3c9873548543591c1f947e412c33da56b9d1b94a58c2f410a8a620e9b4f1d9197643ebf527f5f62b202b9d67a32654d05f326a9b61e0106efdf4829673c4f3d23655996e2424059916ab47aa67e406c129679e5979ca46708866608ffa21f619843b959b4442e422598a2faab54a8cef1f131992677d2cf5bcaf2b5564f7419":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"e35c6ed98f64a6d5a648fcab8adb16331db32e5d15c74a40edf94c3dc4a4de792d190889f20f1e24ed12054a6b28798fcb42d1c548769b734c96373142092aed277603f4738df4dc1446586d0ec64da4fb60536db2ae17fc7e3c04bbfbbbd907bf117c08636fa16f95f51a6216934d3e34f85030f17bbbc5ba69144058aff081e0b19cf03c17195c5e888ba58f6fe0a02e5c3bda9719a7":"653df9730e14e03f2ffb3374d6b75295aa4a52c38540b2d501adc1eb659a4d7a050769a3d11d0d5d6f3efb734200ade241fdc271c0f5eeed85b4bf00b2327bc8":"655d1cf86a7af5113d1791ab7b6627845ea2aa7efbae82705a3563e5ba0337a1d033cb9283b38c042056e0a1d0529891173e3df6621dd8b184930caec8b3cbe4d1068524dab0ec6854f6638d86b77434cd792ddec0d02327a9eebffcd6911ffd32ad9bcb569d3237398c8169d9c62e7eea81c1b456fd36019aad1e4b268c604d":0
+
+RSASSA-PSS Signature RSA-1032, SHA-512
+depends_on:MBEDTLS_SHA512_C
+pkcs1_rsassa_pss_sign:1032:16:"0dfaedb709ada2105223e5e7764a5f31d07ae7a37bdc7b4a56c2499e1173147bcdcb165b8fb01a2528190cb6874656a936491898fca330db8af5a9ed5417268ed7":16:"0c339c56797a90c641292560d0ef675f71ac2c99fcaba6260c38e4f167dfd179eb7a9e255f9bdbc549e4181f9a2a19b1f30a80b292d5ef1ad75b9e658eaa6fb0bb":16:"00aa94ab91b4c26be257e469528228c4b0b6b4c99e73a84a272b3101892c07406911372b83ec4a7b8191f0ba4b4cb4cb3b732074e96c668297e1323b8ad0822a7e151182def03871a66a47b704b92845c6194142d4eeda19903e04043581f7a835dc288117863d21944c3aeded518458f1a30a41c7638aa4e098a88fdf2c2097270d":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"e35c6ed98f64a6d5a648fcab8adb16331db32e5d15c74a40edf94c3dc4a4de792d190889f20f1e24ed12054a6b28798fcb42d1c548769b734c96373142092aed277603f4738df4dc1446586d0ec64da4fb60536db2ae17fc7e3c04bbfbbbd907bf117c08636fa16f95f51a6216934d3e34f85030f17bbbc5ba69144058aff081e0b19cf03c17195c5e888ba58f6fe0a02e5c3bda9719a7":"653df9730e14e03f2ffb3374d6b75295aa4a52c38540b2d501adc1eb659a4d7a050769a3d11d0d5d6f3efb734200ade241fdc271c0f5eeed85b4bf00b2327bc8":"13ad40169494129b907f061d885fbe50ab654fc7b4be657ff8629d7ca291838159e9a7b7adc93560dda2bb9127966eb8d57377fb19d5b043dca67a07ba3c23069b391ddd921b507a8cca2d5eb7ccc84b90089092ca88530e074e629c3cb6902b2d0475000269a28c4cd89cec0dca66571fa7fbe4976373abe905cbe4c66c8d5fbb":0
+
+RSASSA-PSS Verification RSA-1032, SHA-512
+depends_on:MBEDTLS_SHA512_C
+pkcs1_rsassa_pss_verify:1032:16:"00aa94ab91b4c26be257e469528228c4b0b6b4c99e73a84a272b3101892c07406911372b83ec4a7b8191f0ba4b4cb4cb3b732074e96c668297e1323b8ad0822a7e151182def03871a66a47b704b92845c6194142d4eeda19903e04043581f7a835dc288117863d21944c3aeded518458f1a30a41c7638aa4e098a88fdf2c2097270d":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"e35c6ed98f64a6d5a648fcab8adb16331db32e5d15c74a40edf94c3dc4a4de792d190889f20f1e24ed12054a6b28798fcb42d1c548769b734c96373142092aed277603f4738df4dc1446586d0ec64da4fb60536db2ae17fc7e3c04bbfbbbd907bf117c08636fa16f95f51a6216934d3e34f85030f17bbbc5ba69144058aff081e0b19cf03c17195c5e888ba58f6fe0a02e5c3bda9719a7":"653df9730e14e03f2ffb3374d6b75295aa4a52c38540b2d501adc1eb659a4d7a050769a3d11d0d5d6f3efb734200ade241fdc271c0f5eeed85b4bf00b2327bc8":"13ad40169494129b907f061d885fbe50ab654fc7b4be657ff8629d7ca291838159e9a7b7adc93560dda2bb9127966eb8d57377fb19d5b043dca67a07ba3c23069b391ddd921b507a8cca2d5eb7ccc84b90089092ca88530e074e629c3cb6902b2d0475000269a28c4cd89cec0dca66571fa7fbe4976373abe905cbe4c66c8d5fbb":0
+
+RSASSA-PSS Verification of OpenSSL-generated signature RSA-1032, SHA-512
+depends_on:MBEDTLS_SHA512_C
+pkcs1_rsassa_pss_verify:1032:16:"00aa94ab91b4c26be257e469528228c4b0b6b4c99e73a84a272b3101892c07406911372b83ec4a7b8191f0ba4b4cb4cb3b732074e96c668297e1323b8ad0822a7e151182def03871a66a47b704b92845c6194142d4eeda19903e04043581f7a835dc288117863d21944c3aeded518458f1a30a41c7638aa4e098a88fdf2c2097270d":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"e35c6ed98f64a6d5a648fcab8adb16331db32e5d15c74a40edf94c3dc4a4de792d190889f20f1e24ed12054a6b28798fcb42d1c548769b734c96373142092aed277603f4738df4dc1446586d0ec64da4fb60536db2ae17fc7e3c04bbfbbbd907bf117c08636fa16f95f51a6216934d3e34f85030f17bbbc5ba69144058aff081e0b19cf03c17195c5e888ba58f6fe0a02e5c3bda9719a7":"653df9730e14e03f2ffb3374d6b75295aa4a52c38540b2d501adc1eb659a4d7a050769a3d11d0d5d6f3efb734200ade241fdc271c0f5eeed85b4bf00b2327bc8":"1de40b1c452691dfd8ceb42ecf5f0cbda944d871141b4407c1e30a6657c58c2e496b2a3ad10e025d45ca9606d25602ac1de04af8e0d24aa06e57ec3fea5c961ecf1e0a4e442fda0cdaba42469288cde5d7d0c223facceaf4c7caabe93505acd5664c9b4fae64272af4d5b74326a01724a25fabdb10b177821d2273650a84426dbd":0
+
+RSASSA-PSS Signature RSA-1040, SHA-512
+depends_on:MBEDTLS_SHA512_C
+pkcs1_rsassa_pss_sign:1040:16:"00fc7f4b490b4d3ef729db23fb5afbb5f2fc620a472342d8b8ff310cfdc124be76dc22ab6f4be35a38ddd31f24d7f64d310f67ab3a375e83f4e0559e4cb5dc43e875":16:"00d51e8680ab71dc01e1a8a68a298636bb1658cfab8d73ce528a62697722d485ab90cdafc5e27768b761839ff93420458ae55f15a69465dbc0c7b524dc9a385ff925":16:"00d2340538231dcd5a61edf83ab94b2e4b3a784394c4ed35a424c050c294157b7625f9aca8258c21e2d0a7aa9b7c9db576404e63090dba50d998f9a3ec72b1a5cf28d83251ab93341c7d2c1a90403d70f67bc1a9e413bc62facccb52441e24c3f2bc9fdeca1a783012e70b9528176260580c4e1026c58209e8dcc4de3bf3f5be5565e9":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"e35c6ed98f64a6d5a648fcab8adb16331db32e5d15c74a40edf94c3dc4a4de792d190889f20f1e24ed12054a6b28798fcb42d1c548769b734c96373142092aed277603f4738df4dc1446586d0ec64da4fb60536db2ae17fc7e3c04bbfbbbd907bf117c08636fa16f95f51a6216934d3e34f85030f17bbbc5ba69144058aff081e0b19cf03c17195c5e888ba58f6fe0a02e5c3bda9719a7":"653df9730e14e03f2ffb3374d6b75295aa4a52c38540b2d501adc1eb659a4d7a050769a3d11d0d5d6f3efb734200ade241fdc271c0f5eeed85b4bf00b2327bc8":"13e695948d59ded5a975cd9fb14bffc48e4ff9725576a96a6693da1a3c4c90d17d6811a97a633180d76dba5b957d2244e3b97e7bf3463a77d0b6c39b28a88e0b6739113726cd74937ad5f693ae5a8fd77febc270a115df05c344ddffebc2438ae67a5eea6572f434881bdf350aed4ec8f3a530d279d3fff07bb78e510807114e6ee7":0
+
+RSASSA-PSS Verification RSA-1040, SHA-512
+depends_on:MBEDTLS_SHA512_C
+pkcs1_rsassa_pss_verify:1040:16:"00d2340538231dcd5a61edf83ab94b2e4b3a784394c4ed35a424c050c294157b7625f9aca8258c21e2d0a7aa9b7c9db576404e63090dba50d998f9a3ec72b1a5cf28d83251ab93341c7d2c1a90403d70f67bc1a9e413bc62facccb52441e24c3f2bc9fdeca1a783012e70b9528176260580c4e1026c58209e8dcc4de3bf3f5be5565e9":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"e35c6ed98f64a6d5a648fcab8adb16331db32e5d15c74a40edf94c3dc4a4de792d190889f20f1e24ed12054a6b28798fcb42d1c548769b734c96373142092aed277603f4738df4dc1446586d0ec64da4fb60536db2ae17fc7e3c04bbfbbbd907bf117c08636fa16f95f51a6216934d3e34f85030f17bbbc5ba69144058aff081e0b19cf03c17195c5e888ba58f6fe0a02e5c3bda9719a7":"653df9730e14e03f2ffb3374d6b75295aa4a52c38540b2d501adc1eb659a4d7a050769a3d11d0d5d6f3efb734200ade241fdc271c0f5eeed85b4bf00b2327bc8":"13e695948d59ded5a975cd9fb14bffc48e4ff9725576a96a6693da1a3c4c90d17d6811a97a633180d76dba5b957d2244e3b97e7bf3463a77d0b6c39b28a88e0b6739113726cd74937ad5f693ae5a8fd77febc270a115df05c344ddffebc2438ae67a5eea6572f434881bdf350aed4ec8f3a530d279d3fff07bb78e510807114e6ee7":0
+
+RSASSA-PSS Signature RSA-1048, SHA-512
+depends_on:MBEDTLS_SHA512_C
+pkcs1_rsassa_pss_sign:1048:16:"0f39b79809516becc2e3481b6b47584aa2299bd2027ab8a303b9de5b0adcb4a5d38e38edb8c1fac3ea1dbd7e1d50b84323e362cff4df3f5a5182dafa9bb9217a73d7":16:"0d18164f8bd0d58d019998c8cb17c4c0354e62b8a9462acca30816894f982c2ae114e73993e30698930437b4eec44adec24d32ccbcbae7cc4c9f8911b1eb2100685b":16:"00c75d0f9fa17d1d24b939537a434017f390c6604444c35a13360d6b1fc986baf40159b84275d37b883278df5064dd9eb0f29b0d325acc790c4b59672737dbbf3acb88f5e2f2d54c919cafd072272c494591d52e158993315e71e2ca60b1c74feff8f3d77842b415d4e71734a498206a5cd9315c87b23e583e25eb4ca97056b45c96856d":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"e35c6ed98f64a6d5a648fcab8adb16331db32e5d15c74a40edf94c3dc4a4de792d190889f20f1e24ed12054a6b28798fcb42d1c548769b734c96373142092aed277603f4738df4dc1446586d0ec64da4fb60536db2ae17fc7e3c04bbfbbbd907bf117c08636fa16f95f51a6216934d3e34f85030f17bbbc5ba69144058aff081e0b19cf03c17195c5e888ba58f6fe0a02e5c3bda9719a7":"653df9730e14e03f2ffb3374d6b75295aa4a52c38540b2d501adc1eb659a4d7a050769a3d11d0d5d6f3efb734200ade241fdc271c0f5eeed85b4bf00b2327bc8":"9442a8ec48f87ebc81cc1273b03e528e7643c9e2fcc60ed85827d9341c5a36e5c76059baa8e9891df437e44c4047a266b46bcaaad3de1f1d4d3576defff080b791b013491636187fc45a930b70a533ed92abfd168f050df91b4c35d68d160a243ce589807a7d32661fc18b9547cdc0fd86d33acd349c98b34fb016ddd1bff23c58170e":0
+
+RSASSA-PSS Verification RSA-1048, SHA-512
+depends_on:MBEDTLS_SHA512_C
+pkcs1_rsassa_pss_verify:1048:16:"00c75d0f9fa17d1d24b939537a434017f390c6604444c35a13360d6b1fc986baf40159b84275d37b883278df5064dd9eb0f29b0d325acc790c4b59672737dbbf3acb88f5e2f2d54c919cafd072272c494591d52e158993315e71e2ca60b1c74feff8f3d77842b415d4e71734a498206a5cd9315c87b23e583e25eb4ca97056b45c96856d":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:"e35c6ed98f64a6d5a648fcab8adb16331db32e5d15c74a40edf94c3dc4a4de792d190889f20f1e24ed12054a6b28798fcb42d1c548769b734c96373142092aed277603f4738df4dc1446586d0ec64da4fb60536db2ae17fc7e3c04bbfbbbd907bf117c08636fa16f95f51a6216934d3e34f85030f17bbbc5ba69144058aff081e0b19cf03c17195c5e888ba58f6fe0a02e5c3bda9719a7":"653df9730e14e03f2ffb3374d6b75295aa4a52c38540b2d501adc1eb659a4d7a050769a3d11d0d5d6f3efb734200ade241fdc271c0f5eeed85b4bf00b2327bc8":"9442a8ec48f87ebc81cc1273b03e528e7643c9e2fcc60ed85827d9341c5a36e5c76059baa8e9891df437e44c4047a266b46bcaaad3de1f1d4d3576defff080b791b013491636187fc45a930b70a533ed92abfd168f050df91b4c35d68d160a243ce589807a7d32661fc18b9547cdc0fd86d33acd349c98b34fb016ddd1bff23c58170e":0
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkcs1_v21.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkcs1_v21.function
index 50da2ff1bb..99be08ac0c 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkcs1_v21.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkcs1_v21.function
@@ -9,28 +9,22 @@
  */
 
 /* BEGIN_CASE */
-void pkcs1_rsaes_oaep_encrypt( int mod, int radix_N, char *input_N, int radix_E,
-                               char *input_E, int hash,
-                               char *message_hex_string, char *seed,
-                               char *result_hex_str, int result )
+void pkcs1_rsaes_oaep_encrypt( int mod, int radix_N, char * input_N,
+                               int radix_E, char * input_E, int hash,
+                               data_t * message_str, data_t * rnd_buf,
+                               data_t * result_hex_str, int result )
 {
-    unsigned char message_str[1000];
     unsigned char output[1000];
-    unsigned char output_str[1000];
-    unsigned char rnd_buf[1000];
     mbedtls_rsa_context ctx;
-    size_t msg_len;
     rnd_buf_info info;
     mbedtls_mpi N, E;
 
-    info.length = unhexify( rnd_buf, seed );
-    info.buf = rnd_buf;
+    info.buf = rnd_buf->x;
+    info.length = rnd_buf->len;
 
     mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E );
     mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V21, hash );
-    memset( message_str, 0x00, 1000 );
     memset( output, 0x00, 1000 );
-    memset( output_str, 0x00, 1000 );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &E, radix_E, input_E ) == 0 );
@@ -38,14 +32,12 @@ void pkcs1_rsaes_oaep_encrypt( int mod, int radix_N, char *input_N, int radix_E,
     TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) );
     TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
 
-    msg_len = unhexify( message_str, message_hex_string );
 
-    TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_buffer_rand, &info, MBEDTLS_RSA_PUBLIC, msg_len, message_str, output ) == result );
+    TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_buffer_rand, &info, MBEDTLS_RSA_PUBLIC, message_str->len, message_str->x, output ) == result );
     if( result == 0 )
     {
-        hexify( output_str, output, ctx.len );
 
-        TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
+        TEST_ASSERT( hexcmp( output, result_hex_str->x, ctx.len, result_hex_str->len ) == 0 );
     }
 
 exit:
@@ -55,15 +47,14 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void pkcs1_rsaes_oaep_decrypt( int mod, int radix_P, char *input_P,
-                               int radix_Q, char *input_Q, int radix_N,
-                               char *input_N, int radix_E, char *input_E,
-                               int hash, char *result_hex_str, char *seed,
-                               char *message_hex_string, int result )
+void pkcs1_rsaes_oaep_decrypt( int mod, int radix_P, char * input_P,
+                               int radix_Q, char * input_Q, int radix_N,
+                               char * input_N, int radix_E, char * input_E,
+                               int hash, data_t * result_hex_str,
+                               char * seed, data_t * message_str,
+                               int result )
 {
-    unsigned char message_str[1000];
     unsigned char output[1000];
-    unsigned char output_str[1000];
     mbedtls_rsa_context ctx;
     size_t output_len;
     rnd_pseudo_info rnd_info;
@@ -75,9 +66,7 @@ void pkcs1_rsaes_oaep_decrypt( int mod, int radix_P, char *input_P,
 
     mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V21, hash );
 
-    memset( message_str, 0x00, 1000 );
     memset( output, 0x00, 1000 );
-    memset( output_str, 0x00, 1000 );
     memset( &rnd_info, 0, sizeof( rnd_pseudo_info ) );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &P, radix_P, input_P ) == 0 );
@@ -90,14 +79,12 @@ void pkcs1_rsaes_oaep_decrypt( int mod, int radix_P, char *input_P,
     TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
     TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 );
 
-    unhexify( message_str, message_hex_string );
 
-    TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str, output, 1000 ) == result );
+    TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str->x, output, 1000 ) == result );
     if( result == 0 )
     {
-        hexify( output_str, output, ctx.len );
 
-        TEST_ASSERT( strncasecmp( (char *) output_str, result_hex_str, strlen( result_hex_str ) ) == 0 );
+        TEST_ASSERT( hexcmp( output, result_hex_str->x, output_len, result_hex_str->len ) == 0 );
     }
 
 exit:
@@ -108,33 +95,27 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void pkcs1_rsassa_pss_sign( int mod, int radix_P, char *input_P, int radix_Q,
-                            char *input_Q, int radix_N, char *input_N,
-                            int radix_E, char *input_E, int digest, int hash,
-                            char *message_hex_string, char *salt,
-                            char *result_hex_str, int result )
+void pkcs1_rsassa_pss_sign( int mod, int radix_P, char * input_P, int radix_Q,
+                            char * input_Q, int radix_N, char * input_N,
+                            int radix_E, char * input_E, int digest, int hash,
+                            data_t * message_str, data_t * rnd_buf,
+                            data_t * result_hex_str, int result )
 {
-    unsigned char message_str[1000];
     unsigned char hash_result[1000];
     unsigned char output[1000];
-    unsigned char output_str[1000];
-    unsigned char rnd_buf[1000];
     mbedtls_rsa_context ctx;
-    size_t msg_len;
     rnd_buf_info info;
     mbedtls_mpi N, P, Q, E;
 
-    info.length = unhexify( rnd_buf, salt );
-    info.buf = rnd_buf;
+    info.buf = rnd_buf->x;
+    info.length = rnd_buf->len;
 
     mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P );
     mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E );
     mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V21, hash );
 
-    memset( message_str, 0x00, 1000 );
     memset( hash_result, 0x00, 1000 );
     memset( output, 0x00, 1000 );
-    memset( output_str, 0x00, 1000 );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &P, radix_P, input_P ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &Q, radix_Q, input_Q ) == 0 );
@@ -146,19 +127,16 @@ void pkcs1_rsassa_pss_sign( int mod, int radix_P, char *input_P, int radix_Q,
     TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
     TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 );
 
-    msg_len = unhexify( message_str, message_hex_string );
 
     if( mbedtls_md_info_from_type( digest ) != NULL )
-        TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str,
-                                 msg_len, hash_result ) == 0 );
+        TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 );
 
     TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_buffer_rand, &info, MBEDTLS_RSA_PRIVATE,
                                          digest, 0, hash_result, output ) == result );
     if( result == 0 )
     {
-        hexify( output_str, output, ctx.len);
 
-        TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
+        TEST_ASSERT( hexcmp( output, result_hex_str->x, ctx.len, result_hex_str->len ) == 0 );
     }
 
 exit:
@@ -169,24 +147,19 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void pkcs1_rsassa_pss_verify( int mod, int radix_N, char *input_N, int radix_E,
-                              char *input_E, int digest, int hash,
-                              char *message_hex_string, char *salt,
-                              char *result_hex_str, int result )
+void pkcs1_rsassa_pss_verify( int mod, int radix_N, char * input_N,
+                              int radix_E, char * input_E, int digest,
+                              int hash, data_t * message_str, char * salt,
+                              data_t * result_str, int result )
 {
-    unsigned char message_str[1000];
     unsigned char hash_result[1000];
-    unsigned char result_str[1000];
     mbedtls_rsa_context ctx;
-    size_t msg_len;
     mbedtls_mpi N, E;
     ((void) salt);
 
     mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E );
     mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V21, hash );
-    memset( message_str, 0x00, 1000 );
     memset( hash_result, 0x00, 1000 );
-    memset( result_str, 0x00, 1000 );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &E, radix_E, input_E ) == 0 );
@@ -195,15 +168,11 @@ void pkcs1_rsassa_pss_verify( int mod, int radix_N, char *input_N, int radix_E,
     TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) );
     TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
 
-    msg_len = unhexify( message_str, message_hex_string );
-    unhexify( result_str, result_hex_str );
 
     if( mbedtls_md_info_from_type( digest ) != NULL )
-        TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str,
-                                 msg_len, hash_result ) == 0 );
+        TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 );
 
-    TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC,
-                                           digest, 0, hash_result, result_str ) == result );
+    TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result );
 
 exit:
     mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E );
@@ -212,28 +181,22 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void pkcs1_rsassa_pss_verify_ext( int mod,
-                                  int radix_N, char *input_N,
-                                  int radix_E, char *input_E,
+void pkcs1_rsassa_pss_verify_ext( int mod, int radix_N, char * input_N,
+                                  int radix_E, char * input_E,
                                   int msg_digest_id, int ctx_hash,
                                   int mgf_hash, int salt_len,
-                                  char *message_hex_string,
-                                  char *result_hex_str,
-                                  int result_simple,
+                                  data_t * message_str,
+                                  data_t * result_str, int result_simple,
                                   int result_full )
 {
-    unsigned char message_str[1000];
     unsigned char hash_result[1000];
-    unsigned char result_str[1000];
     mbedtls_rsa_context ctx;
-    size_t msg_len, hash_len;
+    size_t hash_len;
     mbedtls_mpi N, E;
 
     mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E );
     mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V21, ctx_hash );
-    memset( message_str, 0x00, 1000 );
     memset( hash_result, 0x00, 1000 );
-    memset( result_str, 0x00, 1000 );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &E, radix_E, input_E ) == 0 );
@@ -242,29 +205,27 @@ void pkcs1_rsassa_pss_verify_ext( int mod,
     TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( ( mod + 7 ) / 8 ) );
     TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
 
-    msg_len = unhexify( message_str, message_hex_string );
-    unhexify( result_str, result_hex_str );
 
     if( msg_digest_id != MBEDTLS_MD_NONE )
     {
         TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( msg_digest_id ),
-                     message_str, msg_len, hash_result ) == 0 );
+                     message_str->x, message_str->len, hash_result ) == 0 );
         hash_len = 0;
     }
     else
     {
-        memcpy( hash_result, message_str, msg_len );
-        hash_len = msg_len;
+        memcpy( hash_result, message_str->x, message_str->len );
+        hash_len = message_str->len;
     }
 
     TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC,
                                    msg_digest_id, hash_len, hash_result,
-                                   result_str ) == result_simple );
+                                   result_str->x ) == result_simple );
 
     TEST_ASSERT( mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC,
                                         msg_digest_id, hash_len, hash_result,
                                         mgf_hash, salt_len,
-                                        result_str ) == result_full );
+                                        result_str->x ) == result_full );
 
 exit:
     mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E );
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkcs5.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkcs5.function
index 98546cb731..26f1d33312 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkcs5.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkcs5.function
@@ -8,38 +8,23 @@
  */
 
 /* BEGIN_CASE */
-void pbkdf2_hmac( int hash, char *hex_password_string,
-                  char *hex_salt_string, int it_cnt, int key_len,
-                  char *result_key_string )
+void pbkdf2_hmac( int hash, data_t * pw_str, data_t * salt_str,
+                  int it_cnt, int key_len, data_t * result_key_string )
 {
-    unsigned char pw_str[100];
-    unsigned char salt_str[100];
-    unsigned char dst_str[200];
-
     mbedtls_md_context_t ctx;
     const mbedtls_md_info_t *info;
 
-    int pw_len, salt_len;
     unsigned char key[100];
 
     mbedtls_md_init( &ctx );
 
-    memset(pw_str, 0x00, sizeof(pw_str));
-    memset(salt_str, 0x00, sizeof(salt_str));
-    memset(dst_str, 0x00, sizeof(dst_str));
-
-    pw_len = unhexify( pw_str, hex_password_string );
-    salt_len = unhexify( salt_str, hex_salt_string );
-
-
     info = mbedtls_md_info_from_type( hash );
     TEST_ASSERT( info != NULL );
     TEST_ASSERT( mbedtls_md_setup( &ctx, info, 1 ) == 0 );
-    TEST_ASSERT( mbedtls_pkcs5_pbkdf2_hmac( &ctx, pw_str, pw_len, salt_str, salt_len,
+    TEST_ASSERT( mbedtls_pkcs5_pbkdf2_hmac( &ctx, pw_str->x, pw_str->len, salt_str->x, salt_str->len,
                                      it_cnt, key_len, key ) == 0 );
 
-    hexify( dst_str, key, key_len );
-    TEST_ASSERT( strcmp( (char *) dst_str, result_key_string ) == 0 );
+    TEST_ASSERT( hexcmp( key, result_key_string->x, key_len, result_key_string->len ) == 0 );
 
 exit:
     mbedtls_md_free( &ctx );
@@ -47,40 +32,33 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_ASN1_PARSE_C */
-void mbedtls_pkcs5_pbes2( int params_tag, char *params_hex, char *pw_hex,
-                  char *data_hex, int ref_ret, char *ref_out_hex )
+void mbedtls_pkcs5_pbes2( int params_tag, data_t *params_hex, data_t *pw,
+                  data_t *data, int ref_ret, data_t *ref_out )
 {
     int my_ret;
     mbedtls_asn1_buf params;
-    unsigned char *my_out = NULL, *ref_out = NULL, *data = NULL, *pw = NULL;
-    size_t ref_out_len, data_len, pw_len;
+    unsigned char *my_out = NULL;
 
     params.tag = params_tag;
-    params.p = unhexify_alloc( params_hex, &params.len );
+    params.p = params_hex->x;
+    params.len = params_hex->len;
 
-    data = unhexify_alloc( data_hex, &data_len );
-    pw = unhexify_alloc( pw_hex, &pw_len );
-    ref_out = unhexify_alloc( ref_out_hex, &ref_out_len );
-    my_out = zero_alloc( ref_out_len );
+    my_out = zero_alloc( ref_out->len );
 
     my_ret = mbedtls_pkcs5_pbes2( &params, MBEDTLS_PKCS5_DECRYPT,
-                          pw, pw_len, data, data_len, my_out );
+                          pw->x, pw->len, data->x, data->len, my_out );
     TEST_ASSERT( my_ret == ref_ret );
 
     if( ref_ret == 0 )
-        TEST_ASSERT( memcmp( my_out, ref_out, ref_out_len ) == 0 );
+        TEST_ASSERT( memcmp( my_out, ref_out->x, ref_out->len ) == 0 );
 
 exit:
-    mbedtls_free( params.p );
-    mbedtls_free( data );
-    mbedtls_free( pw );
-    mbedtls_free( ref_out );
     mbedtls_free( my_out );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void pkcs5_selftest( )
+void pkcs5_selftest(  )
 {
     TEST_ASSERT( mbedtls_pkcs5_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkparse.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkparse.data
index 5ffb580361..4add252df7 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkparse.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkparse.data
@@ -939,8 +939,18 @@ depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:MBEDTLS_PKCS5_C
 pk_parse_keyfile_rsa:"data_files/rsa_pkcs8_pbes2_pbkdf2_4096_des_sha512.der":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
 
 Parse Public RSA Key #1 (PKCS#8 wrapped)
-depends_on:MBEDTLS_MD5_C:MBEDTLS_PEM_PARSE_C
-pk_parse_public_keyfile_rsa:"data_files/format_gen.pub":0
+depends_on:MBEDTLS_PEM_PARSE_C
+pk_parse_public_keyfile_rsa:"data_files/rsa_pkcs8_2048_public.pem":0
+
+Parse Public RSA Key #1 (PKCS#8 wrapped, DER)
+pk_parse_public_keyfile_rsa:"data_files/rsa_pkcs8_2048_public.der":0
+
+Parse Public RSA Key #3 (PKCS#1 wrapped)
+depends_on:MBEDTLS_PEM_PARSE_C
+pk_parse_public_keyfile_rsa:"data_files/rsa_pkcs1_2048_public.pem":0
+
+Parse Public RSA Key #4 (PKCS#1 wrapped, DER)
+pk_parse_public_keyfile_rsa:"data_files/rsa_pkcs1_2048_public.der":0
 
 Parse Public EC Key #1 (RFC 5480, DER)
 depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkparse.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkparse.function
index 94d25e7eb0..3eb0397e6a 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkparse.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkparse.function
@@ -10,7 +10,7 @@
  */
 
 /* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_FS_IO */
-void pk_parse_keyfile_rsa( char *key_file, char *password, int result )
+void pk_parse_keyfile_rsa( char * key_file, char * password, int result )
 {
     mbedtls_pk_context ctx;
     int res;
@@ -39,7 +39,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_FS_IO */
-void pk_parse_public_keyfile_rsa( char *key_file, int result )
+void pk_parse_public_keyfile_rsa( char * key_file, int result )
 {
     mbedtls_pk_context ctx;
     int res;
@@ -64,7 +64,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_ECP_C */
-void pk_parse_public_keyfile_ec( char *key_file, int result )
+void pk_parse_public_keyfile_ec( char * key_file, int result )
 {
     mbedtls_pk_context ctx;
     int res;
@@ -89,7 +89,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_ECP_C */
-void pk_parse_keyfile_ec( char *key_file, char *password, int result )
+void pk_parse_keyfile_ec( char * key_file, char * password, int result )
 {
     mbedtls_pk_context ctx;
     int res;
@@ -113,23 +113,19 @@ exit:
 }
 /* END_CASE */
 
-/* BEGIN_CASE */
-void pk_parse_key( char *key_data, char *result_str, int result )
+/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */
+void pk_parse_key( data_t * buf, char * result_str, int result )
 {
     mbedtls_pk_context pk;
-    unsigned char buf[2000];
     unsigned char output[2000];
-    int data_len;
     ((void) result_str);
 
     mbedtls_pk_init( &pk );
 
-    memset( buf, 0, 2000 );
     memset( output, 0, 2000 );
 
-    data_len = unhexify( buf, key_data );
 
-    TEST_ASSERT( mbedtls_pk_parse_key( &pk, buf, data_len, NULL, 0 ) == ( result ) );
+    TEST_ASSERT( mbedtls_pk_parse_key( &pk, buf->x, buf->len, NULL, 0 ) == ( result ) );
     if( ( result ) == 0 )
     {
         TEST_ASSERT( 1 );
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkwrite.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkwrite.function
index 71aa595202..43c275ef25 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkwrite.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_pkwrite.function
@@ -10,7 +10,7 @@
  */
 
 /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C */
-void pk_write_pubkey_check( char *key_file )
+void pk_write_pubkey_check( char * key_file )
 {
     mbedtls_pk_context key;
     unsigned char buf[5000];
@@ -42,7 +42,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C */
-void pk_write_key_check( char *key_file )
+void pk_write_key_check( char * key_file )
 {
     mbedtls_pk_context key;
     unsigned char buf[5000];
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_poly1305.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_poly1305.data
new file mode 100644
index 0000000000..13912e997a
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_poly1305.data
@@ -0,0 +1,42 @@
+Poly1305 RFC 7539 Example And Test Vector
+mbedtls_poly1305:"85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b":"a8061dc1305136c6c22b8baf0c0127a9":"43727970746f6772617068696320466f72756d2052657365617263682047726f7570"
+
+Poly1305 RFC 7539 Test Vector #1
+mbedtls_poly1305:"0000000000000000000000000000000000000000000000000000000000000000":"00000000000000000000000000000000":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
+
+Poly1305 RFC 7539 Test Vector #2
+mbedtls_poly1305:"0000000000000000000000000000000036e5f6b5c5e06070f0efca96227a863e":"36e5f6b5c5e06070f0efca96227a863e":"416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f"
+
+Poly1305 RFC 7539 Test Vector #3
+mbedtls_poly1305:"36e5f6b5c5e06070f0efca96227a863e00000000000000000000000000000000":"f3477e7cd95417af89a6b8794c310cf0":"416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f"
+
+Poly1305 RFC 7539 Test Vector #4
+mbedtls_poly1305:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"4541669a7eaaee61e708dc7cbcc5eb62":"2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e"
+
+Poly1305 RFC 7539 Test Vector #5
+mbedtls_poly1305:"0200000000000000000000000000000000000000000000000000000000000000":"03000000000000000000000000000000":"ffffffffffffffffffffffffffffffff"
+
+Poly1305 RFC 7539 Test Vector #6
+mbedtls_poly1305:"02000000000000000000000000000000ffffffffffffffffffffffffffffffff":"03000000000000000000000000000000":"02000000000000000000000000000000"
+
+Poly1305 RFC 7539 Test Vector #7
+mbedtls_poly1305:"0100000000000000000000000000000000000000000000000000000000000000":"05000000000000000000000000000000":"fffffffffffffffffffffffffffffffff0ffffffffffffffffffffffffffffff11000000000000000000000000000000"
+
+Poly1305 RFC 7539 Test Vector #8
+mbedtls_poly1305:"0100000000000000000000000000000000000000000000000000000000000000":"00000000000000000000000000000000":"fffffffffffffffffffffffffffffffffbfefefefefefefefefefefefefefefe01010101010101010101010101010101"
+
+Poly1305 RFC 7539 Test Vector #9
+mbedtls_poly1305:"0200000000000000000000000000000000000000000000000000000000000000":"faffffffffffffffffffffffffffffff":"fdffffffffffffffffffffffffffffff"
+
+Poly1305 RFC 7539 Test Vector #10
+mbedtls_poly1305:"0100000000000000040000000000000000000000000000000000000000000000":"14000000000000005500000000000000":"e33594d7505e43b900000000000000003394d7505e4379cd01000000000000000000000000000000000000000000000001000000000000000000000000000000"
+
+Poly1305 RFC 7539 Test Vector #11
+mbedtls_poly1305:"0100000000000000040000000000000000000000000000000000000000000000":"13000000000000000000000000000000":"e33594d7505e43b900000000000000003394d7505e4379cd010000000000000000000000000000000000000000000000"
+
+Poly1305 Parameter validation
+poly1305_bad_params:
+
+Poly1305 Selftest
+depends_on:MBEDTLS_SELF_TEST
+poly1305_selftest:
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_poly1305.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_poly1305.function
new file mode 100644
index 0000000000..066bb39425
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_poly1305.function
@@ -0,0 +1,135 @@
+/* BEGIN_HEADER */
+#include "mbedtls/poly1305.h"
+#include <stddef.h>
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_POLY1305_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void mbedtls_poly1305( char *hex_key_string, char *hex_mac_string, char *hex_src_string  )
+{
+    unsigned char src_str[375]; /* max size of binary input */
+    unsigned char key[32]; /* size set by the standard */
+    unsigned char mac[16]; /* size set by the standard */
+    unsigned char mac_str[33]; /* hex expansion of the above */
+    size_t src_len;
+    mbedtls_poly1305_context ctx;
+
+    memset( src_str, 0x00, sizeof( src_str ) );
+    memset( mac_str, 0x00, sizeof( mac_str ) );
+    memset( key,     0x00, sizeof( key ) );
+    memset( mac,     0x00, sizeof( mac ) );
+
+    src_len = unhexify( src_str, hex_src_string );
+    unhexify( key, hex_key_string );
+
+    /*
+     * Test the integrated API
+     */
+    TEST_ASSERT( mbedtls_poly1305_mac( key, src_str, src_len, mac ) == 0 );
+
+    hexify( mac_str, mac, 16 );
+    TEST_ASSERT( strcmp( (char *) mac_str, hex_mac_string ) == 0 );
+
+    /*
+     * Test the streaming API
+     */
+    mbedtls_poly1305_init( &ctx );
+
+    TEST_ASSERT( mbedtls_poly1305_starts( &ctx, key ) == 0 );
+
+    TEST_ASSERT( mbedtls_poly1305_update( &ctx, src_str, src_len ) == 0 );
+
+    TEST_ASSERT( mbedtls_poly1305_finish( &ctx, mac ) == 0 );
+
+    hexify( mac_str, mac, 16 );
+    TEST_ASSERT( strcmp( (char *) mac_str, hex_mac_string ) == 0 );
+
+    /*
+     * Test the streaming API again, piecewise
+     */
+
+    /* Don't free/init the context, in order to test that starts() does the
+     * right thing. */
+    if( src_len >= 1 )
+    {
+        TEST_ASSERT( mbedtls_poly1305_starts( &ctx, key ) == 0 );
+
+        TEST_ASSERT( mbedtls_poly1305_update( &ctx, src_str, 1 ) == 0 );
+        TEST_ASSERT( mbedtls_poly1305_update( &ctx, src_str + 1, src_len - 1 ) == 0 );
+
+        TEST_ASSERT( mbedtls_poly1305_finish( &ctx, mac ) == 0 );
+
+        hexify( mac_str, mac, 16 );
+        TEST_ASSERT( strcmp( (char *) mac_str, hex_mac_string ) == 0 );
+    }
+
+    /*
+     * Again with more pieces
+     */
+    if( src_len >= 2 )
+    {
+        TEST_ASSERT( mbedtls_poly1305_starts( &ctx, key ) == 0 );
+
+        TEST_ASSERT( mbedtls_poly1305_update( &ctx, src_str, 1 ) == 0 );
+        TEST_ASSERT( mbedtls_poly1305_update( &ctx, src_str + 1, 1 ) == 0 );
+        TEST_ASSERT( mbedtls_poly1305_update( &ctx, src_str + 2, src_len - 2 ) == 0 );
+
+        TEST_ASSERT( mbedtls_poly1305_finish( &ctx, mac ) == 0 );
+
+        hexify( mac_str, mac, 16 );
+        TEST_ASSERT( strcmp( (char *) mac_str, hex_mac_string ) == 0 );
+    }
+
+    mbedtls_poly1305_free( &ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void poly1305_bad_params()
+{
+    unsigned char src[1];
+    unsigned char key[32];
+    unsigned char mac[16];
+    size_t src_len = sizeof( src );
+    mbedtls_poly1305_context ctx;
+
+    TEST_INVALID_PARAM( mbedtls_poly1305_init( NULL ) );
+    TEST_VALID_PARAM( mbedtls_poly1305_free( NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                 mbedtls_poly1305_starts( NULL, key ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                 mbedtls_poly1305_starts( &ctx, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                 mbedtls_poly1305_update( NULL, src, 0 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                 mbedtls_poly1305_update( &ctx, NULL, src_len ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                 mbedtls_poly1305_finish( NULL, mac ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                 mbedtls_poly1305_finish( &ctx, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                 mbedtls_poly1305_mac( NULL, src, 0, mac ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                 mbedtls_poly1305_mac( key, NULL, src_len, mac ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA,
+                 mbedtls_poly1305_mac( key, src, 0, NULL ) );
+
+exit:
+    return;
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
+void poly1305_selftest()
+{
+    TEST_ASSERT( mbedtls_poly1305_self_test( 1 ) == 0 );
+}
+/* END_CASE */
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_rsa.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_rsa.data
index 41149063ff..5f49ad671b 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_rsa.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_rsa.data
@@ -1,3 +1,6 @@
+RSA parameter validation
+rsa_invalid_param:
+
 RSA PKCS1 Verify v1.5 CAVS #1
 depends_on:MBEDTLS_SHA1_C:MBEDTLS_PKCS1_V15
 # Good padding but wrong hash
@@ -237,15 +240,15 @@ mbedtls_rsa_pkcs1_verify:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e9
 
 RSA PKCS1 Sign #8 (RAW, 2048 bits RSA)
 depends_on:MBEDTLS_PKCS1_V15
-rsa_pkcs1_sign_raw:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":"1234567890deadbeef":MBEDTLS_RSA_PKCS_V15:2048:16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"605baf947c0de49e4f6a0dfb94a43ae318d5df8ed20ba4ba5a37a73fb009c5c9e5cce8b70a25b1c7580f389f0d7092485cdfa02208b70d33482edf07a7eafebdc54862ca0e0396a5a7d09991b9753eb1ffb6091971bb5789c6b121abbcd0a3cbaa39969fa7c28146fce96c6d03272e3793e5be8f5abfa9afcbebb986d7b3050604a2af4d3a40fa6c003781a539a60259d1e84f13322da9e538a49c369b83e7286bf7d30b64bbb773506705da5d5d5483a563a1ffacc902fb75c9a751b1e83cdc7a6db0470056883f48b5a5446b43b1d180ea12ba11a6a8d93b3b32a30156b6084b7fb142998a2a0d28014b84098ece7d9d5e4d55cc342ca26f5a0167a679dec8"
+rsa_pkcs1_sign_raw:"1234567890deadbeef":MBEDTLS_RSA_PKCS_V15:2048:16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"605baf947c0de49e4f6a0dfb94a43ae318d5df8ed20ba4ba5a37a73fb009c5c9e5cce8b70a25b1c7580f389f0d7092485cdfa02208b70d33482edf07a7eafebdc54862ca0e0396a5a7d09991b9753eb1ffb6091971bb5789c6b121abbcd0a3cbaa39969fa7c28146fce96c6d03272e3793e5be8f5abfa9afcbebb986d7b3050604a2af4d3a40fa6c003781a539a60259d1e84f13322da9e538a49c369b83e7286bf7d30b64bbb773506705da5d5d5483a563a1ffacc902fb75c9a751b1e83cdc7a6db0470056883f48b5a5446b43b1d180ea12ba11a6a8d93b3b32a30156b6084b7fb142998a2a0d28014b84098ece7d9d5e4d55cc342ca26f5a0167a679dec8"
 
 RSA PKCS1 Sign #8 Verify
 depends_on:MBEDTLS_PKCS1_V15
-rsa_pkcs1_verify_raw:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":"1234567890deadbeef":MBEDTLS_RSA_PKCS_V15:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"605baf947c0de49e4f6a0dfb94a43ae318d5df8ed20ba4ba5a37a73fb009c5c9e5cce8b70a25b1c7580f389f0d7092485cdfa02208b70d33482edf07a7eafebdc54862ca0e0396a5a7d09991b9753eb1ffb6091971bb5789c6b121abbcd0a3cbaa39969fa7c28146fce96c6d03272e3793e5be8f5abfa9afcbebb986d7b3050604a2af4d3a40fa6c003781a539a60259d1e84f13322da9e538a49c369b83e7286bf7d30b64bbb773506705da5d5d5483a563a1ffacc902fb75c9a751b1e83cdc7a6db0470056883f48b5a5446b43b1d180ea12ba11a6a8d93b3b32a30156b6084b7fb142998a2a0d28014b84098ece7d9d5e4d55cc342ca26f5a0167a679dec8":0
+rsa_pkcs1_verify_raw:"1234567890deadbeef":MBEDTLS_RSA_PKCS_V15:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"605baf947c0de49e4f6a0dfb94a43ae318d5df8ed20ba4ba5a37a73fb009c5c9e5cce8b70a25b1c7580f389f0d7092485cdfa02208b70d33482edf07a7eafebdc54862ca0e0396a5a7d09991b9753eb1ffb6091971bb5789c6b121abbcd0a3cbaa39969fa7c28146fce96c6d03272e3793e5be8f5abfa9afcbebb986d7b3050604a2af4d3a40fa6c003781a539a60259d1e84f13322da9e538a49c369b83e7286bf7d30b64bbb773506705da5d5d5483a563a1ffacc902fb75c9a751b1e83cdc7a6db0470056883f48b5a5446b43b1d180ea12ba11a6a8d93b3b32a30156b6084b7fb142998a2a0d28014b84098ece7d9d5e4d55cc342ca26f5a0167a679dec8":0
 
 RSA PKCS1 Sign #8 Verify (Wrong raw hash)
 depends_on:MBEDTLS_PKCS1_V15
-rsa_pkcs1_verify_raw:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":"1234567890deadcafe":MBEDTLS_RSA_PKCS_V15:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"605baf947c0de49e4f6a0dfb94a43ae318d5df8ed20ba4ba5a37a73fb009c5c9e5cce8b70a25b1c7580f389f0d7092485cdfa02208b70d33482edf07a7eafebdc54862ca0e0396a5a7d09991b9753eb1ffb6091971bb5789c6b121abbcd0a3cbaa39969fa7c28146fce96c6d03272e3793e5be8f5abfa9afcbebb986d7b3050604a2af4d3a40fa6c003781a539a60259d1e84f13322da9e538a49c369b83e7286bf7d30b64bbb773506705da5d5d5483a563a1ffacc902fb75c9a751b1e83cdc7a6db0470056883f48b5a5446b43b1d180ea12ba11a6a8d93b3b32a30156b6084b7fb142998a2a0d28014b84098ece7d9d5e4d55cc342ca26f5a0167a679dec8":MBEDTLS_ERR_RSA_VERIFY_FAILED
+rsa_pkcs1_verify_raw:"1234567890deadcafe":MBEDTLS_RSA_PKCS_V15:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"605baf947c0de49e4f6a0dfb94a43ae318d5df8ed20ba4ba5a37a73fb009c5c9e5cce8b70a25b1c7580f389f0d7092485cdfa02208b70d33482edf07a7eafebdc54862ca0e0396a5a7d09991b9753eb1ffb6091971bb5789c6b121abbcd0a3cbaa39969fa7c28146fce96c6d03272e3793e5be8f5abfa9afcbebb986d7b3050604a2af4d3a40fa6c003781a539a60259d1e84f13322da9e538a49c369b83e7286bf7d30b64bbb773506705da5d5d5483a563a1ffacc902fb75c9a751b1e83cdc7a6db0470056883f48b5a5446b43b1d180ea12ba11a6a8d93b3b32a30156b6084b7fb142998a2a0d28014b84098ece7d9d5e4d55cc342ca26f5a0167a679dec8":MBEDTLS_ERR_RSA_VERIFY_FAILED
 
 RSA PKCS1 Sign #9 (Invalid Digest type)
 depends_on:MBEDTLS_PKCS1_V15
@@ -255,12 +258,6 @@ RSA PKCS1 Sign #9 Verify (Invalid Digest type)
 depends_on:MBEDTLS_PKCS1_V15
 mbedtls_rsa_pkcs1_verify:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":MBEDTLS_RSA_PKCS_V15:255:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"3bcf673c3b27f6e2ece4bb97c7a37161e6c6ee7419ef366efc3cfee0f15f415ff6d9d4390937386c6fec1771acba73f24ec6b0469ea8b88083f0b4e1b6069d7bf286e67cf94182a548663137e82a6e09c35de2c27779da0503f1f5bedfebadf2a875f17763a0564df4a6d945a5a3e46bc90fb692af3a55106aafc6b577587456ff8d49cfd5c299d7a2b776dbe4c1ae777b0f64aa3bab27689af32d6cc76157c7dc6900a3469e18a7d9b6bfe4951d1105a08864575e4f4ec05b3e053f9b7a2d5653ae085e50a63380d6bdd6f58ab378d7e0a2be708c559849891317089ab04c82d8bc589ea088b90b11dea5cf85856ff7e609cc1adb1d403beead4c126ff29021":MBEDTLS_ERR_RSA_BAD_INPUT_DATA
 
-RSA PKCS1 Sign #8 (Invalid padding type)
-mbedtls_rsa_pkcs1_sign:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":2:MBEDTLS_MD_MD5:2048:16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"3bcf673c3b27f6e2ece4bb97c7a37161e6c6ee7419ef366efc3cfee0f15f415ff6d9d4390937386c6fec1771acba73f24ec6b0469ea8b88083f0b4e1b6069d7bf286e67cf94182a548663137e82a6e09c35de2c27779da0503f1f5bedfebadf2a875f17763a0564df4a6d945a5a3e46bc90fb692af3a55106aafc6b577587456ff8d49cfd5c299d7a2b776dbe4c1ae777b0f64aa3bab27689af32d6cc76157c7dc6900a3469e18a7d9b6bfe4951d1105a08864575e4f4ec05b3e053f9b7a2d5653ae085e50a63380d6bdd6f58ab378d7e0a2be708c559849891317089ab04c82d8bc589ea088b90b11dea5cf85856ff7e609cc1adb1d403beead4c126ff29021":MBEDTLS_ERR_RSA_INVALID_PADDING
-
-RSA PKCS1 Sign #8 Verify (Invalid padding type)
-mbedtls_rsa_pkcs1_verify:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":1:MBEDTLS_MD_MD5:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"3bcf673c3b27f6e2ece4bb97c7a37161e6c6ee7419ef366efc3cfee0f15f415ff6d9d4390937386c6fec1771acba73f24ec6b0469ea8b88083f0b4e1b6069d7bf286e67cf94182a548663137e82a6e09c35de2c27779da0503f1f5bedfebadf2a875f17763a0564df4a6d945a5a3e46bc90fb692af3a55106aafc6b577587456ff8d49cfd5c299d7a2b776dbe4c1ae777b0f64aa3bab27689af32d6cc76157c7dc6900a3469e18a7d9b6bfe4951d1105a08864575e4f4ec05b3e053f9b7a2d5653ae085e50a63380d6bdd6f58ab378d7e0a2be708c559849891317089ab04c82d8bc589ea088b90b11dea5cf85856ff7e609cc1adb1d403beead4c126ff29021":MBEDTLS_ERR_RSA_INVALID_PADDING
-
 RSA PKCS1 Encrypt #1
 depends_on:MBEDTLS_PKCS1_V15
 mbedtls_rsa_pkcs1_encrypt:"4E636AF98E40F3ADCFCCB698F4E80B9F":MBEDTLS_RSA_PKCS_V15:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"b0c0b193ba4a5b4502bfacd1a9c2697da5510f3e3ab7274cf404418afd2c62c89b98d83bbc21c8c1bf1afe6d8bf40425e053e9c03e03a3be0edbe1eda073fade1cc286cc0305a493d98fe795634c3cad7feb513edb742d66d910c87d07f6b0055c3488bb262b5fd1ce8747af64801fb39d2d3a3e57086ffe55ab8d0a2ca86975629a0f85767a4990c532a7c2dab1647997ebb234d0b28a0008bfebfc905e7ba5b30b60566a5e0190417465efdbf549934b8f0c5c9f36b7c5b6373a47ae553ced0608a161b1b70dfa509375cf7a3598223a6d7b7a1d1a06ac74d345a9bb7c0e44c8388858a4f1d8115f2bd769ffa69020385fa286302c80e950f9e2751308666c":0
@@ -277,12 +274,6 @@ RSA PKCS1 Decrypt #2 (Data too small)
 depends_on:MBEDTLS_PKCS1_V15
 mbedtls_rsa_pkcs1_decrypt:"deadbeafcafedeadbeeffedcba9876":MBEDTLS_RSA_PKCS_V15:2048:16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":1000:"4E636AF98E40F3ADCFCCB698F4E80B9F":MBEDTLS_ERR_RSA_PRIVATE_FAILED + MBEDTLS_ERR_MPI_BAD_INPUT_DATA
 
-RSA PKCS1 Encrypt #3 (Invalid padding mode)
-mbedtls_rsa_pkcs1_encrypt:"4E636AF98E40F3ADCFCCB698F4E80B9F":2:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"a42eda41e56235e666e7faaa77100197f657288a1bf183e4820f0c37ce2c456b960278d6003e0bbcd4be4a969f8e8fd9231e1f492414f00ed09844994c86ec32db7cde3bec7f0c3dbf6ae55baeb2712fa609f5fc3207a824eb3dace31849cd6a6084318523912bccb84cf42e3c6d6d1685131d69bb545acec827d2b0dfdd5568b7dcc4f5a11d6916583fefa689d367f8c9e1d95dcd2240895a9470b0c1730f97cd6e8546860bd254801769f54be96e16362ddcbf34d56035028890199e0f48db38642cb66a4181e028a6443a404fea284ce02b4614b683367d40874e505611d23142d49f06feea831d52d347b13610b413c4efc43a6de9f0b08d2a951dc503b6":MBEDTLS_ERR_RSA_INVALID_PADDING
-
-RSA PKCS1 Decrypt #3 (Invalid padding mode)
-mbedtls_rsa_pkcs1_decrypt:"a42eda41e56235e666e7faaa77100197f657288a1bf183e4820f0c37ce2c456b960278d6003e0bbcd4be4a969f8e8fd9231e1f492414f00ed09844994c86ec32db7cde3bec7f0c3dbf6ae55baeb2712fa609f5fc3207a824eb3dace31849cd6a6084318523912bccb84cf42e3c6d6d1685131d69bb545acec827d2b0dfdd5568b7dcc4f5a11d6916583fefa689d367f8c9e1d95dcd2240895a9470b0c1730f97cd6e8546860bd254801769f54be96e16362ddcbf34d56035028890199e0f48db38642cb66a4181e028a6443a404fea284ce02b4614b683367d40874e505611d23142d49f06feea831d52d347b13610b413c4efc43a6de9f0b08d2a951dc503b6":2:2048:16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":1000:"4E636AF98E40F3ADCFCCB698F4E80B9F":MBEDTLS_ERR_RSA_INVALID_PADDING
-
 RSA PKCS1 Decrypt #4 (Output buffer too small)
 depends_on:MBEDTLS_PKCS1_V15
 mbedtls_rsa_pkcs1_decrypt:"a42eda41e56235e666e7faaa77100197f657288a1bf183e4820f0c37ce2c456b960278d6003e0bbcd4be4a969f8e8fd9231e1f492414f00ed09844994c86ec32db7cde3bec7f0c3dbf6ae55baeb2712fa609f5fc3207a824eb3dace31849cd6a6084318523912bccb84cf42e3c6d6d1685131d69bb545acec827d2b0dfdd5568b7dcc4f5a11d6916583fefa689d367f8c9e1d95dcd2240895a9470b0c1730f97cd6e8546860bd254801769f54be96e16362ddcbf34d56035028890199e0f48db38642cb66a4181e028a6443a404fea284ce02b4614b683367d40874e505611d23142d49f06feea831d52d347b13610b413c4efc43a6de9f0b08d2a951dc503b6":MBEDTLS_RSA_PKCS_V15:2048:16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":15:"4E636AF98E40F3ADCFCCB698F4E80B9F":MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
@@ -339,6 +330,7 @@ RSA Check Public key #5 (N smaller than 128 bits)
 mbedtls_rsa_check_pubkey:16:"7edcba9876543210deadbeefcafe4321":16:"3":MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
 
 RSA Check Public key #6 (N exactly 8192 bits)
+depends_on:MBEDTLS_MPI_MAX_SIZE>=1024
 mbedtls_rsa_check_pubkey:16:"88F48075BF29E95C1C6AE8716678B74E957B69CC2E49708C160C6343AAD2F076D25397ACE74220311ED18AEEB681F463611B3340C3945CAAEAD3ACC616E08A25A55683A32979BD55EA5DAB7630AF393886896F11DDC5F07E15EDF949324CF0F0B2A5C0E85DFA23167193182D1A43079DC8645F6C2C029629F475575802F7D326DE5BD891A9C5F84A433D45154181EC05685A4B368A5B6434775A00ABC6B0A04647D4598CEEE566B552230F691C98CA30B402A76C686A94B373CCD2F60EFA3878A867BB5F585D088E27C507937262D098A477B9218BE7C03B2E4C102D244CA701645F1827CD947E5E796446378B848862E689F0D1773F752056841A1F0EECE7CAB74921A42DBF2EF264ADCF4ABE05A1242E5F629A657A2D67958A2DAC9A2245074A37099B45064723ABE21241058252632C2BA6FE85AB1C75FF310891B84C9C40AB646FE1D90BC716FB3A4B56DA3EA25CA397C04B994F7C6AD1DD0CB9E994CA6B835F7830F4F4E0F976BBEA5AE8556BC7C90B3E50E21C19AD1F6BC4A8FF15F2909D9CC5F3DA533BADFF50F487869D631C3E34D69636B4C25A55127EF5B715F2FC0565734B38DF996D1970E56F7F64EBECB9D00A587AAEC608F2D3AAA51E66BF53E92C3096BF78D1DCBCE1A645FA4F0542E6F68E5A94AAA6E839F75620FABED5D2BCF40AB8EAF95F838BFA962429F281578882DF0F2721C27C8905C9E776B1D3251FC066A8BC64C0CE7FBA2B8E21F65EF6739AB6F19EC2AB07817DFF03DAB7C846AB5CC86C103642D7664A85DC2D846A8004CD6A144C72CCCAC86DB5901A047324927B80E281F5F7315FA2F9083BDE0DB7AA46DC055E36BB73FB6DBD3A14759D06CBBE8D57CBC213C4D55DE4478679E0A5902C8655BE1391C0E88D2B1FBD57E9232A2CEBC67569ECD94E4BF0FCC6C003F9AA51A2A5E6EE084A46DAE65E52400A727F9713D29E92CD6CA37FD599598B3F677624A2A484A8B36B98EFEAD662C0A23BC1D9280EF2A31F887065EB20A93B41F7A264ECFA65B3555F3E400927018186EAA2D4F00C6B7AB1BCED5F893D64478177592C7F2B945307AB474D7EC7FF2E7E55834CC763BEF81DA9BD70FB3D423AE5ADB86B336734C8A3BEC90CEB05438B5BA030D0D30DEC1442D2EB08450480FBAE090FFA1A5ADD748A415BDCDE45094E792420F0AF94BCA0A80A2096D1A478D3428A214A7E68C0F07F58C6FB232ECC3D8B821AE29AE76E13EB751193F6ECA670016D54F3D796937DDBB8900062EF116CCA3F5B3AECA618272875336C9C050FBC0FC7EDD5B88D85DA0061D21E176E1419CF573629BE7B0496E761EAD45FE32B59EB00D47CDD178AC8F8EC8D6F26DED34F7576CD938422E18E936F16A704B483A48EE3BEA59D95F688136119894930EC8E9282E5974740CF031DF8DBB07EB08F2DA0ACCADECE15A6A57502890F4A03740E60BD":16:"010001":0
 
 RSA Check Public key #7 (N larger than 8192 bits)
@@ -378,13 +370,13 @@ RSA Check Public-Private key #5 (E mismatch)
 rsa_check_pubpriv:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"17":16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":16:"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":16:"9A66CF76572A71A17475794FA1C8C70D987E581E990D772BB27C77C53FF1ECBB31260E9EDAFAEBC79991807E48918EAB8C3A5F03A600F30C69511546AE788EDF53168E2D035D300EDCD5E4BF3AA2A6D603EA0A7BD11E1C1089657306DF8A64E7F1BC6B266B825C1A6C5F0FC85775F4CF7ACD63367E42EAFE46511D58AD6DFE0F":16:"844DBDD20925D9164F9A1E2F707076C261CCA8337D0241392B38AE3C12342F3AC14F8FD6DF4A1C36839662BD0D227344CD55A32AE5DBD2309A9A2B8A2C82BE6DDDDCE81D1B694775D9047AA765CA0C6E1BB8E61C8B7BE27ED711E8EE2FEAD87F3491F76A6D2262C14189EACDFD4CEFE0BF9D0A5B49857E0ED22CBEB98DC8D45B":16:"4951A7B174DF972C37BADCC38457B5EDD1F078BC613E75CE25E08814E12461C7A1C189A70EB8138294298D141244C7A9DE31AB4F6D38B40B04D6353CD30F77ADBF66BBDE41C7BE463C5E30AAA3F7BAD6CEE99506DEAAFA2F335C1B1C5C88B8ABB0D0387EE0D1B4E7027F7F085A025CEDB5CCE18B88C0462F1C3C910D47C0D4AB":MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
 
 RSA Private (Correct)
-mbedtls_rsa_private:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":2048:16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"48ce62658d82be10737bd5d3579aed15bc82617e6758ba862eeb12d049d7bacaf2f62fce8bf6e980763d1951f7f0eae3a493df9890d249314b39d00d6ef791de0daebf2c50f46e54aeb63a89113defe85de6dbe77642aae9f2eceb420f3a47a56355396e728917f17876bb829fabcaeef8bf7ef6de2ff9e84e6108ea2e52bbb62b7b288efa0a3835175b8b08fac56f7396eceb1c692d419ecb79d80aef5bc08a75d89de9f2b2d411d881c0e3ffad24c311a19029d210d3d3534f1b626f982ea322b4d1cfba476860ef20d4f672f38c371084b5301b429b747ea051a619e4430e0dac33c12f9ee41ca4d81a4f6da3e495aa8524574bdc60d290dd1f7a62e90a67":0
+mbedtls_rsa_private:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f8700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":2048:16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"48ce62658d82be10737bd5d3579aed15bc82617e6758ba862eeb12d049d7bacaf2f62fce8bf6e980763d1951f7f0eae3a493df9890d249314b39d00d6ef791de0daebf2c50f46e54aeb63a89113defe85de6dbe77642aae9f2eceb420f3a47a56355396e728917f17876bb829fabcaeef8bf7ef6de2ff9e84e6108ea2e52bbb62b7b288efa0a3835175b8b08fac56f7396eceb1c692d419ecb79d80aef5bc08a75d89de9f2b2d411d881c0e3ffad24c311a19029d210d3d3534f1b626f982ea322b4d1cfba476860ef20d4f672f38c371084b5301b429b747ea051a619e4430e0dac33c12f9ee41ca4d81a4f6da3e495aa8524574bdc60d290dd1f7a62e90a67":0
 
 RSA Private (Data larger than N)
 mbedtls_rsa_private:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":2048:16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"605baf947c0de49e4f6a0dfb94a43ae318d5df8ed20ba4ba5a37a73fb009c5c9e5cce8b70a25b1c7580f389f0d7092485cdfa02208b70d33482edf07a7eafebdc54862ca0e0396a5a7d09991b9753eb1ffb6091971bb5789c6b121abbcd0a3cbaa39969fa7c28146fce96c6d03272e3793e5be8f5abfa9afcbebb986d7b3050604a2af4d3a40fa6c003781a539a60259d1e84f13322da9e538a49c369b83e7286bf7d30b64bbb773506705da5d5d5483a563a1ffacc902fb75c9a751b1e83cdc7a6db0470056883f48b5a5446b43b1d180ea12ba11a6a8d93b3b32a30156b6084b7fb142998a2a0d28014b84098ece7d9d5e4d55cc342ca26f5a0167a679dec8":MBEDTLS_ERR_RSA_PRIVATE_FAILED + MBEDTLS_ERR_MPI_BAD_INPUT_DATA
 
 RSA Public (Correct)
-mbedtls_rsa_public:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"1f5e927c13ff231090b0f18c8c3526428ed0f4a7561457ee5afe4d22d5d9220c34ef5b9a34d0c07f7248a1f3d57f95d10f7936b3063e40660b3a7ca3e73608b013f85a6e778ac7c60d576e9d9c0c5a79ad84ceea74e4722eb3553bdb0c2d7783dac050520cb27ca73478b509873cb0dcbd1d51dd8fccb96c29ad314f36d67cc57835d92d94defa0399feb095fd41b9f0b2be10f6041079ed4290040449f8a79aba50b0a1f8cf83c9fb8772b0686ec1b29cb1814bb06f9c024857db54d395a8da9a2c6f9f53b94bec612a0cb306a3eaa9fc80992e85d9d232e37a50cabe48c9343f039601ff7d95d60025e582aec475d031888310e8ec3833b394a5cf0599101e":0
+mbedtls_rsa_public:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f8700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"1f5e927c13ff231090b0f18c8c3526428ed0f4a7561457ee5afe4d22d5d9220c34ef5b9a34d0c07f7248a1f3d57f95d10f7936b3063e40660b3a7ca3e73608b013f85a6e778ac7c60d576e9d9c0c5a79ad84ceea74e4722eb3553bdb0c2d7783dac050520cb27ca73478b509873cb0dcbd1d51dd8fccb96c29ad314f36d67cc57835d92d94defa0399feb095fd41b9f0b2be10f6041079ed4290040449f8a79aba50b0a1f8cf83c9fb8772b0686ec1b29cb1814bb06f9c024857db54d395a8da9a2c6f9f53b94bec612a0cb306a3eaa9fc80992e85d9d232e37a50cabe48c9343f039601ff7d95d60025e582aec475d031888310e8ec3833b394a5cf0599101e":0
 
 RSA Public (Data larger than N)
 mbedtls_rsa_public:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"605baf947c0de49e4f6a0dfb94a43ae318d5df8ed20ba4ba5a37a73fb009c5c9e5cce8b70a25b1c7580f389f0d7092485cdfa02208b70d33482edf07a7eafebdc54862ca0e0396a5a7d09991b9753eb1ffb6091971bb5789c6b121abbcd0a3cbaa39969fa7c28146fce96c6d03272e3793e5be8f5abfa9afcbebb986d7b3050604a2af4d3a40fa6c003781a539a60259d1e84f13322da9e538a49c369b83e7286bf7d30b64bbb773506705da5d5d5483a563a1ffacc902fb75c9a751b1e83cdc7a6db0470056883f48b5a5446b43b1d180ea12ba11a6a8d93b3b32a30156b6084b7fb142998a2a0d28014b84098ece7d9d5e4d55cc342ca26f5a0167a679dec8":MBEDTLS_ERR_RSA_PUBLIC_FAILED + MBEDTLS_ERR_MPI_BAD_INPUT_DATA
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_rsa.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_rsa.function
index fd632dad6a..89c84e8ca3 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_rsa.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_rsa.function
@@ -17,29 +17,473 @@
  * END_DEPENDENCIES
  */
 
+/* BEGIN_CASE depends_on:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void rsa_invalid_param( )
+{
+    mbedtls_rsa_context ctx;
+    const int valid_padding = MBEDTLS_RSA_PKCS_V21;
+    const int invalid_padding = 42;
+    const int valid_mode = MBEDTLS_RSA_PRIVATE;
+    const int invalid_mode = 42;
+    unsigned char buf[42] = { 0 };
+    size_t olen;
+
+    TEST_INVALID_PARAM( mbedtls_rsa_init( NULL, valid_padding, 0 ) );
+    TEST_INVALID_PARAM( mbedtls_rsa_init( &ctx, invalid_padding, 0 ) );
+    TEST_VALID_PARAM( mbedtls_rsa_free( NULL ) );
+
+    /* No more variants because only the first argument must be non-NULL. */
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_import( NULL, NULL, NULL,
+                                                NULL, NULL, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_import_raw( NULL,
+                                                    NULL, 0,
+                                                    NULL, 0,
+                                                    NULL, 0,
+                                                    NULL, 0,
+                                                    NULL, 0 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_complete( NULL ) );
+
+    /* No more variants because only the first argument must be non-NULL. */
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_export( NULL, NULL, NULL,
+                                                NULL, NULL, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_export_raw( NULL,
+                                                    NULL, 0,
+                                                    NULL, 0,
+                                                    NULL, 0,
+                                                    NULL, 0,
+                                                    NULL, 0 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_export_crt( NULL, NULL, NULL, NULL ) );
+
+    TEST_INVALID_PARAM( mbedtls_rsa_set_padding( NULL,
+                                                 valid_padding, 0 ) );
+    TEST_INVALID_PARAM( mbedtls_rsa_set_padding( &ctx,
+                                                 invalid_padding, 0 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_gen_key( NULL, rnd_std_rand,
+                                                 NULL, 0, 0 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_gen_key( &ctx, NULL,
+                                                 NULL, 0, 0 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_check_pubkey( NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_check_privkey( NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_check_pub_priv( NULL, &ctx ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_check_pub_priv( &ctx, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_public( NULL, buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_public( &ctx, NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_public( &ctx, buf, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_private( NULL, NULL, NULL,
+                                                 buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_private( &ctx, NULL, NULL,
+                                                 NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_private( &ctx, NULL, NULL,
+                                                 buf, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_encrypt( NULL, NULL, NULL,
+                                                       valid_mode,
+                                                       sizeof( buf ), buf,
+                                                       buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_encrypt( &ctx, NULL, NULL,
+                                                       invalid_mode,
+                                                       sizeof( buf ), buf,
+                                                       buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_encrypt( &ctx, NULL, NULL,
+                                                       valid_mode,
+                                                       sizeof( buf ), NULL,
+                                                       buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_encrypt( &ctx, NULL, NULL,
+                                                       valid_mode,
+                                                       sizeof( buf ), buf,
+                                                       NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_pkcs1_v15_encrypt( NULL, NULL,
+                                                           NULL,
+                                                           valid_mode,
+                                                           sizeof( buf ), buf,
+                                                           buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx, NULL,
+                                                           NULL,
+                                                           invalid_mode,
+                                                           sizeof( buf ), buf,
+                                                           buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx, NULL,
+                                                           NULL,
+                                                           valid_mode,
+                                                           sizeof( buf ), NULL,
+                                                           buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx, NULL,
+                                                           NULL,
+                                                           valid_mode,
+                                                           sizeof( buf ), buf,
+                                                           NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_oaep_encrypt( NULL, NULL, NULL,
+                                                            valid_mode,
+                                                            buf, sizeof( buf ),
+                                                            sizeof( buf ), buf,
+                                                            buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_oaep_encrypt( &ctx, NULL, NULL,
+                                                            invalid_mode,
+                                                            buf, sizeof( buf ),
+                                                            sizeof( buf ), buf,
+                                                            buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_oaep_encrypt( &ctx, NULL, NULL,
+                                                            valid_mode,
+                                                            NULL, sizeof( buf ),
+                                                            sizeof( buf ), buf,
+                                                            buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_oaep_encrypt( &ctx, NULL, NULL,
+                                                            valid_mode,
+                                                            buf, sizeof( buf ),
+                                                            sizeof( buf ), NULL,
+                                                            buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_oaep_encrypt( &ctx, NULL, NULL,
+                                                            valid_mode,
+                                                            buf, sizeof( buf ),
+                                                            sizeof( buf ), buf,
+                                                            NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_decrypt( NULL, NULL, NULL,
+                                                       valid_mode, &olen,
+                                                       buf, buf, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_decrypt( &ctx, NULL, NULL,
+                                                       invalid_mode, &olen,
+                                                       buf, buf, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_decrypt( &ctx, NULL, NULL,
+                                                       valid_mode, NULL,
+                                                       buf, buf, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_decrypt( &ctx, NULL, NULL,
+                                                       valid_mode, &olen,
+                                                       NULL, buf, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_decrypt( &ctx, NULL, NULL,
+                                                       valid_mode, &olen,
+                                                       buf, NULL, 42 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_pkcs1_v15_decrypt( NULL, NULL,
+                                                           NULL,
+                                                           valid_mode, &olen,
+                                                           buf, buf, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_pkcs1_v15_decrypt( &ctx, NULL,
+                                                           NULL,
+                                                           invalid_mode, &olen,
+                                                           buf, buf, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_pkcs1_v15_decrypt( &ctx, NULL,
+                                                           NULL,
+                                                           valid_mode, NULL,
+                                                           buf, buf, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_pkcs1_v15_decrypt( &ctx, NULL,
+                                                           NULL,
+                                                           valid_mode, &olen,
+                                                           NULL, buf, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_pkcs1_v15_decrypt( &ctx, NULL,
+                                                           NULL,
+                                                           valid_mode, &olen,
+                                                           buf, NULL, 42 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_oaep_decrypt( NULL, NULL, NULL,
+                                                            valid_mode,
+                                                            buf, sizeof( buf ),
+                                                            &olen,
+                                                            buf, buf, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_oaep_decrypt( &ctx, NULL, NULL,
+                                                            invalid_mode,
+                                                            buf, sizeof( buf ),
+                                                            &olen,
+                                                            buf, buf, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_oaep_decrypt( &ctx, NULL, NULL,
+                                                            valid_mode,
+                                                            NULL, sizeof( buf ),
+                                                            NULL,
+                                                            buf, buf, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_oaep_decrypt( &ctx, NULL, NULL,
+                                                            valid_mode,
+                                                            buf, sizeof( buf ),
+                                                            &olen,
+                                                            NULL, buf, 42 ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsaes_oaep_decrypt( &ctx, NULL, NULL,
+                                                            valid_mode,
+                                                            buf, sizeof( buf ),
+                                                            &olen,
+                                                            buf, NULL, 42 ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_sign( NULL, NULL, NULL,
+                                                    valid_mode,
+                                                    0, sizeof( buf ), buf,
+                                                    buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_sign( &ctx, NULL, NULL,
+                                                    invalid_mode,
+                                                    0, sizeof( buf ), buf,
+                                                    buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_sign( &ctx, NULL, NULL,
+                                                    valid_mode,
+                                                    0, sizeof( buf ), NULL,
+                                                    buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_sign( &ctx, NULL, NULL,
+                                                    valid_mode,
+                                                    0, sizeof( buf ), buf,
+                                                    NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_sign( &ctx, NULL, NULL,
+                                                    valid_mode,
+                                                    MBEDTLS_MD_SHA1,
+                                                    0, NULL,
+                                                    buf ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pkcs1_v15_sign( NULL, NULL, NULL,
+                                                        valid_mode,
+                                                        0, sizeof( buf ), buf,
+                                                        buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pkcs1_v15_sign( &ctx, NULL, NULL,
+                                                        invalid_mode,
+                                                        0, sizeof( buf ), buf,
+                                                        buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pkcs1_v15_sign( &ctx, NULL, NULL,
+                                                        valid_mode,
+                                                        0, sizeof( buf ), NULL,
+                                                        buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pkcs1_v15_sign( &ctx, NULL, NULL,
+                                                        valid_mode,
+                                                        0, sizeof( buf ), buf,
+                                                        NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pkcs1_v15_sign( &ctx, NULL, NULL,
+                                                        valid_mode,
+                                                        MBEDTLS_MD_SHA1,
+                                                        0, NULL,
+                                                        buf ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pss_sign( NULL, NULL, NULL,
+                                                         valid_mode,
+                                                         0, sizeof( buf ), buf,
+                                                         buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pss_sign( &ctx, NULL, NULL,
+                                                         invalid_mode,
+                                                         0, sizeof( buf ), buf,
+                                                         buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pss_sign( &ctx, NULL, NULL,
+                                                         valid_mode,
+                                                         0, sizeof( buf ), NULL,
+                                                         buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pss_sign( &ctx, NULL, NULL,
+                                                         valid_mode,
+                                                         0, sizeof( buf ), buf,
+                                                         NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pss_sign( &ctx, NULL, NULL,
+                                                         valid_mode,
+                                                         MBEDTLS_MD_SHA1,
+                                                         0, NULL,
+                                                         buf ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_verify( NULL, NULL, NULL,
+                                                      valid_mode,
+                                                      0, sizeof( buf ), buf,
+                                                      buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL,
+                                                      invalid_mode,
+                                                      0, sizeof( buf ), buf,
+                                                      buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL,
+                                                      valid_mode,
+                                                      0, sizeof( buf ), NULL,
+                                                      buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL,
+                                                      valid_mode,
+                                                      0, sizeof( buf ), buf,
+                                                      NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL,
+                                                      valid_mode,
+                                                      MBEDTLS_MD_SHA1, 0, NULL,
+                                                      buf ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pkcs1_v15_verify( NULL, NULL,
+                                                          NULL,
+                                                          valid_mode,
+                                                          0, sizeof( buf ), buf,
+                                                          buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, NULL,
+                                                          NULL,
+                                                          invalid_mode,
+                                                          0, sizeof( buf ), buf,
+                                                          buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, NULL,
+                                                          NULL,
+                                                          valid_mode,
+                                                          0, sizeof( buf ),
+                                                          NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, NULL,
+                                                          NULL,
+                                                          valid_mode,
+                                                          0, sizeof( buf ), buf,
+                                                          NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, NULL,
+                                                          NULL,
+                                                          valid_mode,
+                                                          MBEDTLS_MD_SHA1,
+                                                          0, NULL,
+                                                          buf ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pss_verify( NULL, NULL, NULL,
+                                                           valid_mode,
+                                                           0, sizeof( buf ),
+                                                           buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, NULL,
+                                                           invalid_mode,
+                                                           0, sizeof( buf ),
+                                                           buf, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, NULL,
+                                                           valid_mode,
+                                                           0, sizeof( buf ),
+                                                           NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, NULL,
+                                                           valid_mode,
+                                                           0, sizeof( buf ),
+                                                           buf, NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, NULL,
+                                                           valid_mode,
+                                                           MBEDTLS_MD_SHA1,
+                                                           0, NULL,
+                                                           buf ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pss_verify_ext( NULL, NULL, NULL,
+                                                               valid_mode,
+                                                               0, sizeof( buf ),
+                                                               buf,
+                                                               0, 0,
+                                                               buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, NULL,
+                                                               invalid_mode,
+                                                               0, sizeof( buf ),
+                                                               buf,
+                                                               0, 0,
+                                                               buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, NULL,
+                                                               valid_mode,
+                                                               0, sizeof( buf ),
+                                                               NULL, 0, 0,
+                                                               buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, NULL,
+                                                               valid_mode,
+                                                               0, sizeof( buf ),
+                                                               buf, 0, 0,
+                                                               NULL ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, NULL,
+                                                               valid_mode,
+                                                               MBEDTLS_MD_SHA1,
+                                                               0, NULL,
+                                                               0, 0,
+                                                               buf ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_copy( NULL, &ctx ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
+                            mbedtls_rsa_copy( &ctx, NULL ) );
+
+exit:
+    return;
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
-void mbedtls_rsa_pkcs1_sign( char *message_hex_string, int padding_mode, int digest,
-                     int mod, int radix_P, char *input_P, int radix_Q,
-                     char *input_Q, int radix_N, char *input_N, int radix_E,
-                     char *input_E, char *result_hex_str, int result )
+void mbedtls_rsa_pkcs1_sign( data_t * message_str, int padding_mode,
+                             int digest, int mod, int radix_P, char * input_P,
+                             int radix_Q, char * input_Q, int radix_N,
+                             char * input_N, int radix_E, char * input_E,
+                             data_t * result_hex_str, int result )
 {
-    unsigned char message_str[1000];
     unsigned char hash_result[1000];
     unsigned char output[1000];
-    unsigned char output_str[1000];
     mbedtls_rsa_context ctx;
     mbedtls_mpi N, P, Q, E;
-    int msg_len;
     rnd_pseudo_info rnd_info;
 
     mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P );
     mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E );
     mbedtls_rsa_init( &ctx, padding_mode, 0 );
 
-    memset( message_str, 0x00, 1000 );
     memset( hash_result, 0x00, 1000 );
     memset( output, 0x00, 1000 );
-    memset( output_str, 0x00, 1000 );
     memset( &rnd_info, 0, sizeof( rnd_pseudo_info ) );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &P, radix_P, input_P ) == 0 );
@@ -52,20 +496,17 @@ void mbedtls_rsa_pkcs1_sign( char *message_hex_string, int padding_mode, int dig
     TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
     TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 );
 
-    msg_len = unhexify( message_str, message_hex_string );
 
     if( mbedtls_md_info_from_type( digest ) != NULL )
-        TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ),
-                                 message_str, msg_len, hash_result ) == 0 );
+        TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 );
 
     TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_pseudo_rand, &rnd_info,
                                          MBEDTLS_RSA_PRIVATE, digest, 0,
                                          hash_result, output ) == result );
     if( result == 0 )
     {
-        hexify( output_str, output, ctx.len );
 
-        TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
+        TEST_ASSERT( hexcmp( output, result_hex_str->x, ctx.len, result_hex_str->len ) == 0 );
     }
 
 exit:
@@ -76,23 +517,19 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_rsa_pkcs1_verify( char *message_hex_string, int padding_mode, int digest,
-                       int mod, int radix_N, char *input_N, int radix_E,
-                       char *input_E, char *result_hex_str, int result )
+void mbedtls_rsa_pkcs1_verify( data_t * message_str, int padding_mode,
+                               int digest, int mod, int radix_N,
+                               char * input_N, int radix_E, char * input_E,
+                               data_t * result_str, int result )
 {
-    unsigned char message_str[1000];
     unsigned char hash_result[1000];
-    unsigned char result_str[1000];
     mbedtls_rsa_context ctx;
-    int msg_len;
 
     mbedtls_mpi N, E;
 
     mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E );
     mbedtls_rsa_init( &ctx, padding_mode, 0 );
-    memset( message_str, 0x00, 1000 );
     memset( hash_result, 0x00, 1000 );
-    memset( result_str, 0x00, 1000 );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &E, radix_E, input_E ) == 0 );
@@ -100,13 +537,11 @@ void mbedtls_rsa_pkcs1_verify( char *message_hex_string, int padding_mode, int d
     TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( mod / 8 ) );
     TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
 
-    msg_len = unhexify( message_str, message_hex_string );
-    unhexify( result_str, result_hex_str );
 
     if( mbedtls_md_info_from_type( digest ) != NULL )
-        TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str, msg_len, hash_result ) == 0 );
+        TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 );
 
-    TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str ) == result );
+    TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result );
 
 exit:
     mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E );
@@ -116,29 +551,22 @@ exit:
 
 
 /* BEGIN_CASE */
-void rsa_pkcs1_sign_raw( char *message_hex_string, char *hash_result_string,
-                         int padding_mode, int mod, int radix_P, char *input_P,
-                         int radix_Q, char *input_Q, int radix_N,
-                         char *input_N, int radix_E, char *input_E,
-                         char *result_hex_str )
+void rsa_pkcs1_sign_raw( data_t * hash_result,
+                         int padding_mode, int mod, int radix_P,
+                         char * input_P, int radix_Q, char * input_Q,
+                         int radix_N, char * input_N, int radix_E,
+                         char * input_E, data_t * result_hex_str )
 {
-    unsigned char message_str[1000];
-    unsigned char hash_result[1000];
     unsigned char output[1000];
-    unsigned char output_str[1000];
     mbedtls_rsa_context ctx;
     mbedtls_mpi N, P, Q, E;
-    int hash_len;
     rnd_pseudo_info rnd_info;
 
     mbedtls_rsa_init( &ctx, padding_mode, 0 );
     mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P );
     mbedtls_mpi_init( &Q ); mbedtls_mpi_init( &E );
 
-    memset( message_str, 0x00, 1000 );
-    memset( hash_result, 0x00, 1000 );
     memset( output, 0x00, 1000 );
-    memset( output_str, 0x00, 1000 );
     memset( &rnd_info, 0, sizeof( rnd_pseudo_info ) );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &P, radix_P, input_P ) == 0 );
@@ -151,16 +579,14 @@ void rsa_pkcs1_sign_raw( char *message_hex_string, char *hash_result_string,
     TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
     TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 );
 
-    unhexify( message_str, message_hex_string );
-    hash_len = unhexify( hash_result, hash_result_string );
 
     TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_pseudo_rand, &rnd_info,
                                          MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_NONE,
-                                         hash_len, hash_result, output ) == 0 );
+                                         hash_result->len, hash_result->x,
+                                         output ) == 0 );
 
-    hexify( output_str, output, ctx.len );
 
-    TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
+    TEST_ASSERT( hexcmp( output, result_hex_str->x, ctx.len, result_hex_str->len ) == 0 );
 
 #if defined(MBEDTLS_PKCS1_V15)
     /* For PKCS#1 v1.5, there is an alternative way to generate signatures */
@@ -168,11 +594,10 @@ void rsa_pkcs1_sign_raw( char *message_hex_string, char *hash_result_string,
     {
         int res;
         memset( output, 0x00, 1000 );
-        memset( output_str, 0x00, 1000 );
 
         res = mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx,
                     &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE,
-                    hash_len, hash_result, output );
+                    hash_result->len, hash_result->x, output );
 
 #if !defined(MBEDTLS_RSA_ALT)
         TEST_ASSERT( res == 0 );
@@ -183,8 +608,7 @@ void rsa_pkcs1_sign_raw( char *message_hex_string, char *hash_result_string,
 
         if( res == 0 )
         {
-            hexify( output_str, output, ctx.len );
-            TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
+            TEST_ASSERT( hexcmp( output, result_hex_str->x, ctx.len, result_hex_str->len ) == 0 );
         }
     }
 #endif /* MBEDTLS_PKCS1_V15 */
@@ -198,25 +622,18 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void rsa_pkcs1_verify_raw( char *message_hex_string, char *hash_result_string,
+void rsa_pkcs1_verify_raw( data_t * hash_result,
                            int padding_mode, int mod, int radix_N,
-                           char *input_N, int radix_E, char *input_E,
-                           char *result_hex_str, int correct )
+                           char * input_N, int radix_E, char * input_E,
+                           data_t * result_str, int correct )
 {
-    unsigned char message_str[1000];
-    unsigned char hash_result[1000];
-    unsigned char result_str[1000];
     unsigned char output[1000];
     mbedtls_rsa_context ctx;
-    size_t hash_len;
 
     mbedtls_mpi N, E;
     mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E );
 
     mbedtls_rsa_init( &ctx, padding_mode, 0 );
-    memset( message_str, 0x00, 1000 );
-    memset( hash_result, 0x00, 1000 );
-    memset( result_str, 0x00, 1000 );
     memset( output, 0x00, sizeof( output ) );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 );
@@ -226,14 +643,8 @@ void rsa_pkcs1_verify_raw( char *message_hex_string, char *hash_result_string,
     TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( mod / 8 ) );
     TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
 
-    unhexify( message_str, message_hex_string );
-    hash_len = unhexify( hash_result, hash_result_string );
-    unhexify( result_str, result_hex_str );
 
-    TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL,
-                              MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_NONE,
-                              hash_len, hash_result,
-                              result_str ) == correct );
+    TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_NONE, hash_result->len, hash_result->x, result_str->x ) == correct );
 
 #if defined(MBEDTLS_PKCS1_V15)
     /* For PKCS#1 v1.5, there is an alternative way to verify signatures */
@@ -245,7 +656,7 @@ void rsa_pkcs1_verify_raw( char *message_hex_string, char *hash_result_string,
 
         res = mbedtls_rsa_rsaes_pkcs1_v15_decrypt( &ctx,
                     NULL, NULL, MBEDTLS_RSA_PUBLIC,
-                    &olen, result_str, output, sizeof( output ) );
+                    &olen, result_str->x, output, sizeof( output ) );
 
 #if !defined(MBEDTLS_RSA_ALT)
         TEST_ASSERT( res == 0 );
@@ -256,7 +667,7 @@ void rsa_pkcs1_verify_raw( char *message_hex_string, char *hash_result_string,
 
         if( res == 0 )
         {
-            ok = olen == hash_len && memcmp( output, hash_result, olen ) == 0;
+            ok = olen == hash_result->len && memcmp( output, hash_result->x, olen ) == 0;
             if( correct == 0 )
                 TEST_ASSERT( ok == 1 );
             else
@@ -272,15 +683,13 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_rsa_pkcs1_encrypt( char *message_hex_string, int padding_mode, int mod,
-                        int radix_N, char *input_N, int radix_E, char *input_E,
-                        char *result_hex_str, int result )
+void mbedtls_rsa_pkcs1_encrypt( data_t * message_str, int padding_mode,
+                                int mod, int radix_N, char * input_N,
+                                int radix_E, char * input_E,
+                                data_t * result_hex_str, int result )
 {
-    unsigned char message_str[1000];
     unsigned char output[1000];
-    unsigned char output_str[1000];
     mbedtls_rsa_context ctx;
-    size_t msg_len;
     rnd_pseudo_info rnd_info;
 
     mbedtls_mpi N, E;
@@ -289,9 +698,7 @@ void mbedtls_rsa_pkcs1_encrypt( char *message_hex_string, int padding_mode, int
     memset( &rnd_info, 0, sizeof( rnd_pseudo_info ) );
 
     mbedtls_rsa_init( &ctx, padding_mode, 0 );
-    memset( message_str, 0x00, 1000 );
     memset( output, 0x00, 1000 );
-    memset( output_str, 0x00, 1000 );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &E, radix_E, input_E ) == 0 );
@@ -300,16 +707,14 @@ void mbedtls_rsa_pkcs1_encrypt( char *message_hex_string, int padding_mode, int
     TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( mod / 8 ) );
     TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
 
-    msg_len = unhexify( message_str, message_hex_string );
 
     TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_pseudo_rand, &rnd_info,
-                                            MBEDTLS_RSA_PUBLIC, msg_len,
-                                            message_str, output ) == result );
+                                            MBEDTLS_RSA_PUBLIC, message_str->len,
+                                            message_str->x, output ) == result );
     if( result == 0 )
     {
-        hexify( output_str, output, ctx.len );
 
-        TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
+        TEST_ASSERT( hexcmp( output, result_hex_str->x, ctx.len, result_hex_str->len ) == 0 );
     }
 
 exit:
@@ -319,24 +724,19 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void rsa_pkcs1_encrypt_bad_rng( char *message_hex_string, int padding_mode,
-                                int mod, int radix_N, char *input_N,
-                                int radix_E, char *input_E,
-                                char *result_hex_str, int result )
+void rsa_pkcs1_encrypt_bad_rng( data_t * message_str, int padding_mode,
+                                int mod, int radix_N, char * input_N,
+                                int radix_E, char * input_E,
+                                data_t * result_hex_str, int result )
 {
-    unsigned char message_str[1000];
     unsigned char output[1000];
-    unsigned char output_str[1000];
     mbedtls_rsa_context ctx;
-    size_t msg_len;
 
     mbedtls_mpi N, E;
 
     mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E );
     mbedtls_rsa_init( &ctx, padding_mode, 0 );
-    memset( message_str, 0x00, 1000 );
     memset( output, 0x00, 1000 );
-    memset( output_str, 0x00, 1000 );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &E, radix_E, input_E ) == 0 );
@@ -345,16 +745,14 @@ void rsa_pkcs1_encrypt_bad_rng( char *message_hex_string, int padding_mode,
     TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( mod / 8 ) );
     TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
 
-    msg_len = unhexify( message_str, message_hex_string );
 
     TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_zero_rand, NULL,
-                                            MBEDTLS_RSA_PUBLIC, msg_len,
-                                            message_str, output ) == result );
+                                            MBEDTLS_RSA_PUBLIC, message_str->len,
+                                            message_str->x, output ) == result );
     if( result == 0 )
     {
-        hexify( output_str, output, ctx.len );
 
-        TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
+        TEST_ASSERT( hexcmp( output, result_hex_str->x, ctx.len, result_hex_str->len ) == 0 );
     }
 
 exit:
@@ -364,14 +762,14 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_rsa_pkcs1_decrypt( char *message_hex_string, int padding_mode, int mod,
-                        int radix_P, char *input_P, int radix_Q, char *input_Q,
-                        int radix_N, char *input_N, int radix_E, char *input_E,
-                        int max_output, char *result_hex_str, int result )
+void mbedtls_rsa_pkcs1_decrypt( data_t * message_str, int padding_mode,
+                                int mod, int radix_P, char * input_P,
+                                int radix_Q, char * input_Q, int radix_N,
+                                char * input_N, int radix_E, char * input_E,
+                                int max_output, data_t * result_hex_str,
+                                int result )
 {
-    unsigned char message_str[1000];
     unsigned char output[1000];
-    unsigned char output_str[1000];
     mbedtls_rsa_context ctx;
     size_t output_len;
     rnd_pseudo_info rnd_info;
@@ -382,9 +780,7 @@ void mbedtls_rsa_pkcs1_decrypt( char *message_hex_string, int padding_mode, int
 
     mbedtls_rsa_init( &ctx, padding_mode, 0 );
 
-    memset( message_str, 0x00, 1000 );
     memset( output, 0x00, 1000 );
-    memset( output_str, 0x00, 1000 );
     memset( &rnd_info, 0, sizeof( rnd_pseudo_info ) );
 
 
@@ -398,15 +794,13 @@ void mbedtls_rsa_pkcs1_decrypt( char *message_hex_string, int padding_mode, int
     TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
     TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 );
 
-    unhexify( message_str, message_hex_string );
     output_len = 0;
 
-    TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str, output, max_output ) == result );
+    TEST_ASSERT( mbedtls_rsa_pkcs1_decrypt( &ctx, rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, &output_len, message_str->x, output, max_output ) == result );
     if( result == 0 )
     {
-        hexify( output_str, output, ctx.len );
 
-        TEST_ASSERT( strncasecmp( (char *) output_str, result_hex_str, strlen( result_hex_str ) ) == 0 );
+        TEST_ASSERT( hexcmp( output, result_hex_str->x, output_len, result_hex_str->len ) == 0 );
     }
 
 exit:
@@ -417,12 +811,11 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_rsa_public( char *message_hex_string, int mod, int radix_N, char *input_N,
-                 int radix_E, char *input_E, char *result_hex_str, int result )
+void mbedtls_rsa_public( data_t * message_str, int mod, int radix_N,
+                         char * input_N, int radix_E, char * input_E,
+                         data_t * result_hex_str, int result )
 {
-    unsigned char message_str[1000];
     unsigned char output[1000];
-    unsigned char output_str[1000];
     mbedtls_rsa_context ctx, ctx2; /* Also test mbedtls_rsa_copy() while at it */
 
     mbedtls_mpi N, E;
@@ -430,9 +823,7 @@ void mbedtls_rsa_public( char *message_hex_string, int mod, int radix_N, char *i
     mbedtls_mpi_init( &N ); mbedtls_mpi_init( &E );
     mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, 0 );
     mbedtls_rsa_init( &ctx2, MBEDTLS_RSA_PKCS_V15, 0 );
-    memset( message_str, 0x00, 1000 );
     memset( output, 0x00, 1000 );
-    memset( output_str, 0x00, 1000 );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &N, radix_N, input_N ) == 0 );
     TEST_ASSERT( mbedtls_mpi_read_string( &E, radix_E, input_E ) == 0 );
@@ -441,14 +832,12 @@ void mbedtls_rsa_public( char *message_hex_string, int mod, int radix_N, char *i
     TEST_ASSERT( mbedtls_rsa_get_len( &ctx ) == (size_t) ( mod / 8 ) );
     TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 );
 
-    unhexify( message_str, message_hex_string );
 
-    TEST_ASSERT( mbedtls_rsa_public( &ctx, message_str, output ) == result );
+    TEST_ASSERT( mbedtls_rsa_public( &ctx, message_str->x, output ) == result );
     if( result == 0 )
     {
-        hexify( output_str, output, ctx.len );
 
-        TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
+        TEST_ASSERT( hexcmp( output, result_hex_str->x, ctx.len, result_hex_str->len ) == 0 );
     }
 
     /* And now with the copy */
@@ -459,13 +848,11 @@ void mbedtls_rsa_public( char *message_hex_string, int mod, int radix_N, char *i
     TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx2 ) == 0 );
 
     memset( output, 0x00, 1000 );
-    memset( output_str, 0x00, 1000 );
-    TEST_ASSERT( mbedtls_rsa_public( &ctx2, message_str, output ) == result );
+    TEST_ASSERT( mbedtls_rsa_public( &ctx2, message_str->x, output ) == result );
     if( result == 0 )
     {
-        hexify( output_str, output, ctx2.len );
 
-        TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 );
+        TEST_ASSERT( hexcmp( output, result_hex_str->x, ctx.len, result_hex_str->len ) == 0 );
     }
 
 exit:
@@ -476,13 +863,13 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_rsa_private( char *message_hex_string, int mod, int radix_P, char *input_P,
-                  int radix_Q, char *input_Q, int radix_N, char *input_N,
-                  int radix_E, char *input_E, char *result_hex_str, int result )
+void mbedtls_rsa_private( data_t * message_str, int mod, int radix_P,
+                          char * input_P, int radix_Q, char * input_Q,
+                          int radix_N, char * input_N, int radix_E,
+                          char * input_E, data_t * result_hex_str,
+                          int result )
 {
-    unsigned char message_str[1000];
     unsigned char output[1000];
-    unsigned char output_str[1000];
     mbedtls_rsa_context ctx, ctx2; /* Also test mbedtls_rsa_copy() while at it */
     mbedtls_mpi N, P, Q, E;
     rnd_pseudo_info rnd_info;
@@ -493,7 +880,6 @@ void mbedtls_rsa_private( char *message_hex_string, int mod, int radix_P, char *
     mbedtls_rsa_init( &ctx, MBEDTLS_RSA_PKCS_V15, 0 );
     mbedtls_rsa_init( &ctx2, MBEDTLS_RSA_PKCS_V15, 0 );
 
-    memset( message_str, 0x00, 1000 );
     memset( &rnd_info, 0, sizeof( rnd_pseudo_info ) );
 
     TEST_ASSERT( mbedtls_mpi_read_string( &P, radix_P, input_P ) == 0 );
@@ -506,21 +892,17 @@ void mbedtls_rsa_private( char *message_hex_string, int mod, int radix_P, char *
     TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
     TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx ) == 0 );
 
-    unhexify( message_str, message_hex_string );
 
     /* repeat three times to test updating of blinding values */
     for( i = 0; i < 3; i++ )
     {
         memset( output, 0x00, 1000 );
-        memset( output_str, 0x00, 1000 );
         TEST_ASSERT( mbedtls_rsa_private( &ctx, rnd_pseudo_rand, &rnd_info,
-                                  message_str, output ) == result );
+                                  message_str->x, output ) == result );
         if( result == 0 )
         {
-            hexify( output_str, output, ctx.len );
 
-            TEST_ASSERT( strcasecmp( (char *) output_str,
-                                              result_hex_str ) == 0 );
+            TEST_ASSERT( hexcmp( output, result_hex_str->x, ctx.len, result_hex_str->len ) == 0 );
         }
     }
 
@@ -532,15 +914,12 @@ void mbedtls_rsa_private( char *message_hex_string, int mod, int radix_P, char *
     TEST_ASSERT( mbedtls_rsa_check_privkey( &ctx2 ) == 0 );
 
     memset( output, 0x00, 1000 );
-    memset( output_str, 0x00, 1000 );
     TEST_ASSERT( mbedtls_rsa_private( &ctx2, rnd_pseudo_rand, &rnd_info,
-                              message_str, output ) == result );
+                              message_str->x, output ) == result );
     if( result == 0 )
     {
-        hexify( output_str, output, ctx2.len );
 
-        TEST_ASSERT( strcasecmp( (char *) output_str,
-                                          result_hex_str ) == 0 );
+        TEST_ASSERT( hexcmp( output, result_hex_str->x, ctx2.len, result_hex_str->len ) == 0 );
     }
 
 exit:
@@ -552,7 +931,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void rsa_check_privkey_null()
+void rsa_check_privkey_null(  )
 {
     mbedtls_rsa_context ctx;
     memset( &ctx, 0x00, sizeof( mbedtls_rsa_context ) );
@@ -562,8 +941,8 @@ void rsa_check_privkey_null()
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_rsa_check_pubkey( int radix_N, char *input_N, int radix_E, char *input_E,
-                       int result )
+void mbedtls_rsa_check_pubkey( int radix_N, char * input_N, int radix_E,
+                               char * input_E, int result )
 {
     mbedtls_rsa_context ctx;
     mbedtls_mpi N, E;
@@ -590,12 +969,13 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void mbedtls_rsa_check_privkey( int mod, int radix_P, char *input_P, int radix_Q,
-                        char *input_Q, int radix_N, char *input_N,
-                        int radix_E, char *input_E, int radix_D, char *input_D,
-                        int radix_DP, char *input_DP, int radix_DQ,
-                        char *input_DQ, int radix_QP, char *input_QP,
-                        int result )
+void mbedtls_rsa_check_privkey( int mod, int radix_P, char * input_P,
+                                int radix_Q, char * input_Q, int radix_N,
+                                char * input_N, int radix_E, char * input_E,
+                                int radix_D, char * input_D, int radix_DP,
+                                char * input_DP, int radix_DQ,
+                                char * input_DQ, int radix_QP,
+                                char * input_QP, int result )
 {
     mbedtls_rsa_context ctx;
 
@@ -649,13 +1029,13 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE */
-void rsa_check_pubpriv( int mod, int radix_Npub, char *input_Npub,
-                        int radix_Epub, char *input_Epub,
-                        int radix_P, char *input_P, int radix_Q,
-                        char *input_Q, int radix_N, char *input_N,
-                        int radix_E, char *input_E, int radix_D, char *input_D,
-                        int radix_DP, char *input_DP, int radix_DQ,
-                        char *input_DQ, int radix_QP, char *input_QP,
+void rsa_check_pubpriv( int mod, int radix_Npub, char * input_Npub,
+                        int radix_Epub, char * input_Epub, int radix_P,
+                        char * input_P, int radix_Q, char * input_Q,
+                        int radix_N, char * input_N, int radix_E,
+                        char * input_E, int radix_D, char * input_D,
+                        int radix_DP, char * input_DP, int radix_DQ,
+                        char * input_DQ, int radix_QP, char * input_QP,
                         int result )
 {
     mbedtls_rsa_context pub, prv;
@@ -1191,64 +1571,29 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CTR_DRBG_C:MBEDTLS_ENTROPY_C */
-void mbedtls_rsa_export_raw( char *input_N, char *input_P,
-                             char *input_Q, char *input_D,
-                             char *input_E, int is_priv,
+void mbedtls_rsa_export_raw( data_t *input_N, data_t *input_P,
+                             data_t *input_Q, data_t *input_D,
+                             data_t *input_E, int is_priv,
                              int successive )
 {
-    /* Original raw buffers with which we set up the RSA context */
-    unsigned char bufN[1000];
-    unsigned char bufP[1000];
-    unsigned char bufQ[1000];
-    unsigned char bufD[1000];
-    unsigned char bufE[1000];
-
-    size_t lenN = 0;
-    size_t lenP = 0;
-    size_t lenQ = 0;
-    size_t lenD = 0;
-    size_t lenE = 0;
-
     /* Exported buffers */
-    unsigned char bufNe[ sizeof( bufN ) ];
-    unsigned char bufPe[ sizeof( bufP ) ];
-    unsigned char bufQe[ sizeof( bufQ ) ];
-    unsigned char bufDe[ sizeof( bufD ) ];
-    unsigned char bufEe[ sizeof( bufE ) ];
-
-    const int have_N = ( strlen( input_N ) > 0 );
-    const int have_P = ( strlen( input_P ) > 0 );
-    const int have_Q = ( strlen( input_Q ) > 0 );
-    const int have_D = ( strlen( input_D ) > 0 );
-    const int have_E = ( strlen( input_E ) > 0 );
+    unsigned char bufNe[1000];
+    unsigned char bufPe[1000];
+    unsigned char bufQe[1000];
+    unsigned char bufDe[1000];
+    unsigned char bufEe[1000];
 
     mbedtls_rsa_context ctx;
 
     mbedtls_rsa_init( &ctx, 0, 0 );
 
     /* Setup RSA context */
-
-    if( have_N )
-        lenN = unhexify( bufN, input_N );
-
-    if( have_P )
-        lenP = unhexify( bufP, input_P );
-
-    if( have_Q )
-        lenQ = unhexify( bufQ, input_Q );
-
-    if( have_D )
-        lenD = unhexify( bufD, input_D );
-
-    if( have_E )
-        lenE = unhexify( bufE, input_E );
-
     TEST_ASSERT( mbedtls_rsa_import_raw( &ctx,
-                               have_N ? bufN : NULL, lenN,
-                               have_P ? bufP : NULL, lenP,
-                               have_Q ? bufQ : NULL, lenQ,
-                               have_D ? bufD : NULL, lenD,
-                               have_E ? bufE : NULL, lenE ) == 0 );
+                               input_N->len ? input_N->x : NULL, input_N->len,
+                               input_P->len ? input_P->x : NULL, input_P->len,
+                               input_Q->len ? input_Q->x : NULL, input_Q->len,
+                               input_D->len ? input_D->x : NULL, input_D->len,
+                               input_E->len ? input_E->x : NULL, input_E->len ) == 0 );
 
     TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == 0 );
 
@@ -1259,21 +1604,21 @@ void mbedtls_rsa_export_raw( char *input_N, char *input_P,
     /* N and E must always be present. */
     if( !successive )
     {
-        TEST_ASSERT( mbedtls_rsa_export_raw( &ctx, bufNe, lenN,
+        TEST_ASSERT( mbedtls_rsa_export_raw( &ctx, bufNe, input_N->len,
                                              NULL, 0, NULL, 0, NULL, 0,
-                                             bufEe, lenE ) == 0 );
+                                             bufEe, input_E->len ) == 0 );
     }
     else
     {
-        TEST_ASSERT( mbedtls_rsa_export_raw( &ctx, bufNe, lenN,
+        TEST_ASSERT( mbedtls_rsa_export_raw( &ctx, bufNe, input_N->len,
                                              NULL, 0, NULL, 0, NULL, 0,
                                              NULL, 0 ) == 0 );
         TEST_ASSERT( mbedtls_rsa_export_raw( &ctx, NULL, 0,
                                              NULL, 0, NULL, 0, NULL, 0,
-                                             bufEe, lenE ) == 0 );
+                                             bufEe, input_E->len ) == 0 );
     }
-    TEST_ASSERT( memcmp( bufN, bufNe, lenN ) == 0 );
-    TEST_ASSERT( memcmp( bufE, bufEe, lenE ) == 0 );
+    TEST_ASSERT( memcmp( input_N->x, bufNe, input_N->len ) == 0 );
+    TEST_ASSERT( memcmp( input_E->x, bufEe, input_E->len ) == 0 );
 
     /* If we were providing enough information to setup a complete private context,
      * we expect to be able to export all core parameters. */
@@ -1283,35 +1628,35 @@ void mbedtls_rsa_export_raw( char *input_N, char *input_P,
         if( !successive )
         {
             TEST_ASSERT( mbedtls_rsa_export_raw( &ctx, NULL, 0,
-                                         bufPe, lenP ? lenP : sizeof( bufPe ),
-                                         bufQe, lenQ ? lenQ : sizeof( bufQe ),
-                                         bufDe, lenD ? lenD : sizeof( bufDe ),
+                                         bufPe, input_P->len ? input_P->len : sizeof( bufPe ),
+                                         bufQe, input_Q->len ? input_Q->len : sizeof( bufQe ),
+                                         bufDe, input_D->len ? input_D->len : sizeof( bufDe ),
                                          NULL, 0 ) == 0 );
         }
         else
         {
             TEST_ASSERT( mbedtls_rsa_export_raw( &ctx, NULL, 0,
-                                         bufPe, lenP ? lenP : sizeof( bufPe ),
+                                         bufPe, input_P->len ? input_P->len : sizeof( bufPe ),
                                          NULL, 0, NULL, 0,
                                          NULL, 0 ) == 0 );
 
             TEST_ASSERT( mbedtls_rsa_export_raw( &ctx, NULL, 0, NULL, 0,
-                                         bufQe, lenQ ? lenQ : sizeof( bufQe ),
+                                         bufQe, input_Q->len ? input_Q->len : sizeof( bufQe ),
                                          NULL, 0, NULL, 0 ) == 0 );
 
-            TEST_ASSERT( mbedtls_rsa_export_raw( &ctx, NULL, 0, NULL, 0,
-                                         NULL, 0, bufDe, lenD ? lenD : sizeof( bufDe ),
+            TEST_ASSERT( mbedtls_rsa_export_raw( &ctx, NULL, 0, NULL, 0, NULL, 0,
+                                         bufDe, input_D->len ? input_D->len : sizeof( bufDe ),
                                          NULL, 0 ) == 0 );
         }
 
-        if( have_P )
-            TEST_ASSERT( memcmp( bufP, bufPe, lenP ) == 0 );
+        if( input_P->len )
+            TEST_ASSERT( memcmp( input_P->x, bufPe, input_P->len ) == 0 );
 
-        if( have_Q )
-            TEST_ASSERT( memcmp( bufQ, bufQe, lenQ ) == 0 );
+        if( input_Q->len )
+            TEST_ASSERT( memcmp( input_Q->x, bufQe, input_Q->len ) == 0 );
 
-        if( have_D )
-            TEST_ASSERT( memcmp( bufD, bufDe, lenD ) == 0 );
+        if( input_D->len )
+            TEST_ASSERT( memcmp( input_D->x, bufDe, input_D->len ) == 0 );
 
     }
 
@@ -1321,31 +1666,19 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CTR_DRBG_C:MBEDTLS_ENTROPY_C:ENTROPY_HAVE_STRONG */
-void mbedtls_rsa_import_raw( char *input_N,
-                             char *input_P, char *input_Q,
-                             char *input_D, char *input_E,
+void mbedtls_rsa_import_raw( data_t *input_N,
+                             data_t *input_P, data_t *input_Q,
+                             data_t *input_D, data_t *input_E,
                              int successive,
                              int is_priv,
                              int res_check,
                              int res_complete )
 {
-    unsigned char bufN[1000];
-    unsigned char bufP[1000];
-    unsigned char bufQ[1000];
-    unsigned char bufD[1000];
-    unsigned char bufE[1000];
-
     /* Buffers used for encryption-decryption test */
     unsigned char *buf_orig = NULL;
     unsigned char *buf_enc  = NULL;
     unsigned char *buf_dec  = NULL;
 
-    size_t lenN = 0;
-    size_t lenP = 0;
-    size_t lenQ = 0;
-    size_t lenD = 0;
-    size_t lenE = 0;
-
     mbedtls_rsa_context ctx;
     mbedtls_entropy_context entropy;
     mbedtls_ctr_drbg_context ctr_drbg;
@@ -1360,29 +1693,14 @@ void mbedtls_rsa_import_raw( char *input_N,
                                         &entropy, (const unsigned char *) pers,
                                         strlen( pers ) ) == 0 );
 
-    if( strlen( input_N ) )
-        lenN = unhexify( bufN, input_N );
-
-    if( strlen( input_P ) )
-        lenP = unhexify( bufP, input_P );
-
-    if( strlen( input_Q ) )
-        lenQ = unhexify( bufQ, input_Q );
-
-    if( strlen( input_D ) )
-        lenD = unhexify( bufD, input_D );
-
-    if( strlen( input_E ) )
-        lenE = unhexify( bufE, input_E );
-
     if( !successive )
     {
         TEST_ASSERT( mbedtls_rsa_import_raw( &ctx,
-                               ( lenN > 0 ) ? bufN : NULL, lenN,
-                               ( lenP > 0 ) ? bufP : NULL, lenP,
-                               ( lenQ > 0 ) ? bufQ : NULL, lenQ,
-                               ( lenD > 0 ) ? bufD : NULL, lenD,
-                               ( lenE > 0 ) ? bufE : NULL, lenE ) == 0 );
+                               ( input_N->len > 0 ) ? input_N->x : NULL, input_N->len,
+                               ( input_P->len > 0 ) ? input_P->x : NULL, input_P->len,
+                               ( input_Q->len > 0 ) ? input_Q->x : NULL, input_Q->len,
+                               ( input_D->len > 0 ) ? input_D->x : NULL, input_D->len,
+                               ( input_E->len > 0 ) ? input_E->x : NULL, input_E->len ) == 0 );
     }
     else
     {
@@ -1390,27 +1708,27 @@ void mbedtls_rsa_import_raw( char *input_N,
          * This should make no functional difference. */
 
         TEST_ASSERT( mbedtls_rsa_import_raw( &ctx,
-                               ( lenN > 0 ) ? bufN : NULL, lenN,
+                               ( input_N->len > 0 ) ? input_N->x : NULL, input_N->len,
                                NULL, 0, NULL, 0, NULL, 0, NULL, 0 ) == 0 );
 
         TEST_ASSERT( mbedtls_rsa_import_raw( &ctx,
                                NULL, 0,
-                               ( lenP > 0 ) ? bufP : NULL, lenP,
+                               ( input_P->len > 0 ) ? input_P->x : NULL, input_P->len,
                                NULL, 0, NULL, 0, NULL, 0 ) == 0 );
 
         TEST_ASSERT( mbedtls_rsa_import_raw( &ctx,
                                NULL, 0, NULL, 0,
-                               ( lenQ > 0 ) ? bufQ : NULL, lenQ,
+                               ( input_Q->len > 0 ) ? input_Q->x : NULL, input_Q->len,
                                NULL, 0, NULL, 0 ) == 0 );
 
         TEST_ASSERT( mbedtls_rsa_import_raw( &ctx,
                                NULL, 0, NULL, 0, NULL, 0,
-                               ( lenD > 0 ) ? bufD : NULL, lenD,
+                               ( input_D->len > 0 ) ? input_D->x : NULL, input_D->len,
                                NULL, 0 ) == 0 );
 
         TEST_ASSERT( mbedtls_rsa_import_raw( &ctx,
                                NULL, 0, NULL, 0, NULL, 0, NULL, 0,
-                               ( lenE > 0 ) ? bufE : NULL, lenE ) == 0 );
+                               ( input_E->len > 0 ) ? input_E->x : NULL, input_E->len ) == 0 );
     }
 
     TEST_ASSERT( mbedtls_rsa_complete( &ctx ) == res_complete );
@@ -1467,7 +1785,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void rsa_selftest()
+void rsa_selftest(  )
 {
     TEST_ASSERT( mbedtls_rsa_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_shax.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_shax.data
index ee8074dc08..2f65c230e4 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_shax.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_shax.data
@@ -1,3 +1,9 @@
+SHA-1 - Valid parameters
+sha1_valid_param:
+
+SHA-1 - Invalid parameters
+sha1_invalid_param:
+
 # Test the operation of SHA-1 and SHA-2
 SHA-1 Test Vector NIST CAVS #1
 depends_on:MBEDTLS_SHA1_C
@@ -39,6 +45,12 @@ SHA-1 Test Vector NIST CAVS #10
 depends_on:MBEDTLS_SHA1_C
 mbedtls_sha1:"8236153781bd2f1b81ffe0def1beb46f5a70191142926651503f1b3bb1016acdb9e7f7acced8dd168226f118ff664a01a8800116fd023587bfba52a2558393476f5fc69ce9c65001f23e70476d2cc81c97ea19caeb194e224339bcb23f77a83feac5096f9b3090c51a6ee6d204b735aa71d7e996d380b80822e4dfd43683af9c7442498cacbea64842dfda238cb099927c6efae07fdf7b23a4e4456e0152b24853fe0d5de4179974b2b9d4a1cdbefcbc01d8d311b5dda059136176ea698ab82acf20dd490be47130b1235cb48f8a6710473cfc923e222d94b582f9ae36d4ca2a32d141b8e8cc36638845fbc499bce17698c3fecae2572dbbd470552430d7ef30c238c2124478f1f780483839b4fb73d63a9460206824a5b6b65315b21e3c2f24c97ee7c0e78faad3df549c7ca8ef241876d9aafe9a309f6da352bec2caaa92ee8dca392899ba67dfed90aef33d41fc2494b765cb3e2422c8e595dabbfaca217757453fb322a13203f425f6073a9903e2dc5818ee1da737afc345f0057744e3a56e1681c949eb12273a3bfc20699e423b96e44bd1ff62e50a848a890809bfe1611c6787d3d741103308f849a790f9c015098286dbacfc34c1718b2c2b77e32194a75dda37954a320fa68764027852855a7e5b5274eb1e2cbcd27161d98b59ad245822015f48af82a45c0ed59be94f9af03d9736048570d6e3ef63b1770bc98dfb77de84b1bb1708d872b625d9ab9b06c18e5dbbf34399391f0f8aa26ec0dac7ff4cb8ec97b52bcb942fa6db2385dcd1b3b9d567aaeb425d567b0ebe267235651a1ed9bf78fd93d3c1dd077fe340bb04b00529c58f45124b717c168d07e9826e33376988bc5cf62845c2009980a4dfa69fbc7e5a0b1bb20a5958ca967aec68eb31dd8fccca9afcd30a26bab26279f1bf6724ff":"11863b483809ef88413ca9b0084ac4a5390640af"
 
+SHA-256 Valid parameters
+sha256_valid_param:
+
+SHA-256 Invalid parameters
+sha256_invalid_param:
+
 SHA-224 Test Vector NIST CAVS #1
 depends_on:MBEDTLS_SHA256_C
 sha224:"":"d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f"
@@ -95,6 +107,12 @@ SHA-256 Test Vector NIST CAVS #7
 depends_on:MBEDTLS_SHA256_C
 mbedtls_sha256:"8390cf0be07661cc7669aac54ce09a37733a629d45f5d983ef201f9b2d13800e555d9b1097fec3b783d7a50dcb5e2b644b96a1e9463f177cf34906bf388f366db5c2deee04a30e283f764a97c3b377a034fefc22c259214faa99babaff160ab0aaa7e2ccb0ce09c6b32fe08cbc474694375aba703fadbfa31cf685b30a11c57f3cf4edd321e57d3ae6ebb1133c8260e75b9224fa47a2bb205249add2e2e62f817491482ae152322be0900355cdcc8d42a98f82e961a0dc6f537b7b410eff105f59673bfb787bf042aa071f7af68d944d27371c64160fe9382772372516c230c1f45c0d6b6cca7f274b394da9402d3eafdf733994ec58ab22d71829a98399574d4b5908a447a5a681cb0dd50a31145311d92c22a16de1ead66a5499f2dceb4cae694772ce90762ef8336afec653aa9b1a1c4820b221136dfce80dce2ba920d88a530c9410d0a4e0358a3a11052e58dd73b0b179ef8f56fe3b5a2d117a73a0c38a1392b6938e9782e0d86456ee4884e3c39d4d75813f13633bc79baa07c0d2d555afbf207f52b7dca126d015aa2b9873b3eb065e90b9b065a5373fe1fb1b20d594327d19fba56cb81e7b6696605ffa56eba3c27a438697cc21b201fd7e09f18deea1b3ea2f0d1edc02df0e20396a145412cd6b13c32d2e605641c948b714aec30c0649dc44143511f35ab0fd5dd64c34d06fe86f3836dfe9edeb7f08cfc3bd40956826356242191f99f53473f32b0cc0cf9321d6c92a112e8db90b86ee9e87cc32d0343db01e32ce9eb782cb24efbbbeb440fe929e8f2bf8dfb1550a3a2e742e8b455a3e5730e9e6a7a9824d17acc0f72a7f67eae0f0970f8bde46dcdefaed3047cf807e7f00a42e5fd11d40f5e98533d7574425b7d2bc3b3845c443008b58980e768e464e17cc6f6b3939eee52f713963d07d8c4abf02448ef0b889c9671e2f8a436ddeeffcca7176e9bf9d1005ecd377f2fa67c23ed1f137e60bf46018a8bd613d038e883704fc26e798969df35ec7bbc6a4fe46d8910bd82fa3cded265d0a3b6d399e4251e4d8233daa21b5812fded6536198ff13aa5a1cd46a5b9a17a4ddc1d9f85544d1d1cc16f3df858038c8e071a11a7e157a85a6a8dc47e88d75e7009a8b26fdb73f33a2a70f1e0c259f8f9533b9b8f9af9288b7274f21baeec78d396f8bacdcc22471207d9b4efccd3fedc5c5a2214ff5e51c553f35e21ae696fe51e8df733a8e06f50f419e599e9f9e4b37ce643fc810faaa47989771509d69a110ac916261427026369a21263ac4460fb4f708f8ae28599856db7cb6a43ac8e03d64a9609807e76c5f312b9d1863bfa304e8953647648b4f4ab0ed995e":"4109cdbec3240ad74cc6c37f39300f70fede16e21efc77f7865998714aad0b5e"
 
+SHA-512 Invalid parameters
+sha512_invalid_param:
+
+SHA-512 Valid parameters
+sha512_valid_param:
+
 SHA-384 Test Vector NIST CAVS #1
 depends_on:MBEDTLS_SHA512_C
 sha384:"":"38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b"
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_shax.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_shax.function
index d704b388b8..e621f49cdb 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_shax.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_shax.function
@@ -5,126 +5,250 @@
 /* END_HEADER */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SHA1_C */
-void mbedtls_sha1( char *hex_src_string, char *hex_hash_string )
+void sha1_valid_param( )
+{
+    TEST_VALID_PARAM( mbedtls_sha1_free( NULL ) );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SHA1_C:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void sha1_invalid_param( )
+{
+    mbedtls_sha1_context ctx;
+    unsigned char buf[64] = { 0 };
+    size_t const buflen = sizeof( buf );
+
+    TEST_INVALID_PARAM( mbedtls_sha1_init( NULL ) );
+
+    TEST_INVALID_PARAM( mbedtls_sha1_clone( NULL, &ctx ) );
+    TEST_INVALID_PARAM( mbedtls_sha1_clone( &ctx, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA,
+                            mbedtls_sha1_starts_ret( NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA,
+                            mbedtls_sha1_update_ret( NULL, buf, buflen ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA,
+                            mbedtls_sha1_update_ret( &ctx, NULL, buflen ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA,
+                            mbedtls_sha1_finish_ret( NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA,
+                            mbedtls_sha1_finish_ret( &ctx, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA,
+                            mbedtls_internal_sha1_process( NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA,
+                            mbedtls_internal_sha1_process( &ctx, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA,
+                            mbedtls_sha1_ret( NULL, buflen, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA1_BAD_INPUT_DATA,
+                            mbedtls_sha1_ret( buf, buflen, NULL ) );
+
+exit:
+    return;
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SHA1_C */
+void mbedtls_sha1( data_t * src_str, data_t * hex_hash_string )
 {
-    unsigned char src_str[10000];
-    unsigned char hash_str[10000];
     unsigned char output[41];
-    int src_len;
 
-    memset(src_str, 0x00, 10000);
-    memset(hash_str, 0x00, 10000);
     memset(output, 0x00, 41);
 
-    src_len = unhexify( src_str, hex_src_string );
 
-    TEST_ASSERT( mbedtls_sha1_ret( src_str, src_len, output ) == 0 );
-    hexify( hash_str, output, 20 );
+    TEST_ASSERT( mbedtls_sha1_ret( src_str->x, src_str->len, output ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, 20, hex_hash_string->len ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SHA256_C */
-void sha224(char *hex_src_string, char *hex_hash_string )
+void sha256_valid_param( )
+{
+    TEST_VALID_PARAM( mbedtls_sha256_free( NULL ) );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void sha256_invalid_param( )
+{
+    mbedtls_sha256_context ctx;
+    unsigned char buf[64] = { 0 };
+    size_t const buflen = sizeof( buf );
+    int valid_type = 0;
+    int invalid_type = 42;
+
+    TEST_INVALID_PARAM( mbedtls_sha256_init( NULL ) );
+
+    TEST_INVALID_PARAM( mbedtls_sha256_clone( NULL, &ctx ) );
+    TEST_INVALID_PARAM( mbedtls_sha256_clone( &ctx, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA,
+                            mbedtls_sha256_starts_ret( NULL, valid_type ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA,
+                            mbedtls_sha256_starts_ret( &ctx, invalid_type ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA,
+                            mbedtls_sha256_update_ret( NULL, buf, buflen ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA,
+                            mbedtls_sha256_update_ret( &ctx, NULL, buflen ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA,
+                            mbedtls_sha256_finish_ret( NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA,
+                            mbedtls_sha256_finish_ret( &ctx, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA,
+                            mbedtls_internal_sha256_process( NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA,
+                            mbedtls_internal_sha256_process( &ctx, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA,
+                            mbedtls_sha256_ret( NULL, buflen,
+                                                buf, valid_type ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA,
+                            mbedtls_sha256_ret( buf, buflen,
+                                                NULL, valid_type ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA256_BAD_INPUT_DATA,
+                            mbedtls_sha256_ret( buf, buflen,
+                                                buf, invalid_type ) );
+
+exit:
+    return;
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C */
+void sha224( data_t * src_str, data_t * hex_hash_string )
 {
-    unsigned char src_str[10000];
-    unsigned char hash_str[10000];
     unsigned char output[57];
-    int src_len;
 
-    memset(src_str, 0x00, 10000);
-    memset(hash_str, 0x00, 10000);
     memset(output, 0x00, 57);
 
-    src_len = unhexify( src_str, hex_src_string );
 
-    TEST_ASSERT( mbedtls_sha256_ret( src_str, src_len, output, 1 ) == 0 );
-    hexify( hash_str, output, 28 );
+    TEST_ASSERT( mbedtls_sha256_ret( src_str->x, src_str->len, output, 1 ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, 28, hex_hash_string->len ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SHA256_C */
-void mbedtls_sha256(char *hex_src_string, char *hex_hash_string )
+void mbedtls_sha256( data_t * src_str, data_t * hex_hash_string )
 {
-    unsigned char src_str[10000];
-    unsigned char hash_str[10000];
     unsigned char output[65];
-    int src_len;
 
-    memset(src_str, 0x00, 10000);
-    memset(hash_str, 0x00, 10000);
     memset(output, 0x00, 65);
 
-    src_len = unhexify( src_str, hex_src_string );
 
-    TEST_ASSERT( mbedtls_sha256_ret( src_str, src_len, output, 0 ) == 0 );
-    hexify( hash_str, output, 32 );
+    TEST_ASSERT( mbedtls_sha256_ret( src_str->x, src_str->len, output, 0 ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, 32, hex_hash_string->len ) == 0 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SHA512_C */
+void sha512_valid_param( )
+{
+    TEST_VALID_PARAM( mbedtls_sha512_free( NULL ) );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SHA512_C:MBEDTLS_CHECK_PARAMS:!MBEDTLS_PARAM_FAILED_ALT */
+void sha512_invalid_param( )
+{
+    mbedtls_sha512_context ctx;
+    unsigned char buf[64] = { 0 };
+    size_t const buflen = sizeof( buf );
+    int valid_type = 0;
+    int invalid_type = 42;
+
+    TEST_INVALID_PARAM( mbedtls_sha512_init( NULL ) );
+
+    TEST_INVALID_PARAM( mbedtls_sha512_clone( NULL, &ctx ) );
+    TEST_INVALID_PARAM( mbedtls_sha512_clone( &ctx, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA,
+                            mbedtls_sha512_starts_ret( NULL, valid_type ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA,
+                            mbedtls_sha512_starts_ret( &ctx, invalid_type ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA,
+                            mbedtls_sha512_update_ret( NULL, buf, buflen ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA,
+                            mbedtls_sha512_update_ret( &ctx, NULL, buflen ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA,
+                            mbedtls_sha512_finish_ret( NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA,
+                            mbedtls_sha512_finish_ret( &ctx, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA,
+                            mbedtls_internal_sha512_process( NULL, buf ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA,
+                            mbedtls_internal_sha512_process( &ctx, NULL ) );
+
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA,
+                            mbedtls_sha512_ret( NULL, buflen,
+                                                buf, valid_type ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA,
+                            mbedtls_sha512_ret( buf, buflen,
+                                                NULL, valid_type ) );
+    TEST_INVALID_PARAM_RET( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA,
+                            mbedtls_sha512_ret( buf, buflen,
+                                                buf, invalid_type ) );
+
+exit:
+    return;
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SHA512_C */
-void sha384(char *hex_src_string, char *hex_hash_string )
+void sha384( data_t * src_str, data_t * hex_hash_string )
 {
-    unsigned char src_str[10000];
-    unsigned char hash_str[10000];
     unsigned char output[97];
-    int src_len;
 
-    memset(src_str, 0x00, 10000);
-    memset(hash_str, 0x00, 10000);
     memset(output, 0x00, 97);
 
-    src_len = unhexify( src_str, hex_src_string );
 
-    TEST_ASSERT( mbedtls_sha512_ret( src_str, src_len, output, 1 ) == 0 );
-    hexify( hash_str, output, 48 );
+    TEST_ASSERT( mbedtls_sha512_ret( src_str->x, src_str->len, output, 1 ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, 48, hex_hash_string->len ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SHA512_C */
-void mbedtls_sha512(char *hex_src_string, char *hex_hash_string )
+void mbedtls_sha512( data_t * src_str, data_t * hex_hash_string )
 {
-    unsigned char src_str[10000];
-    unsigned char hash_str[10000];
     unsigned char output[129];
-    int src_len;
 
-    memset(src_str, 0x00, 10000);
-    memset(hash_str, 0x00, 10000);
     memset(output, 0x00, 129);
 
-    src_len = unhexify( src_str, hex_src_string );
 
-    TEST_ASSERT( mbedtls_sha512_ret( src_str, src_len, output, 0 ) == 0 );
-    hexify( hash_str, output, 64 );
+    TEST_ASSERT( mbedtls_sha512_ret( src_str->x, src_str->len, output, 0 ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_hash_string->x, 64, hex_hash_string->len ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SHA1_C:MBEDTLS_SELF_TEST */
-void sha1_selftest()
+void sha1_selftest(  )
 {
     TEST_ASSERT( mbedtls_sha1_self_test( 1 ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SHA256_C:MBEDTLS_SELF_TEST */
-void sha256_selftest()
+void sha256_selftest(  )
 {
     TEST_ASSERT( mbedtls_sha256_self_test( 1 ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SHA512_C:MBEDTLS_SELF_TEST */
-void sha512_selftest()
+void sha512_selftest(  )
 {
     TEST_ASSERT( mbedtls_sha512_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ssl.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ssl.data
index b92c1fe8a2..147350744f 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ssl.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ssl.data
@@ -8,52 +8,52 @@ SSL DTLS replay: 0 seen, 0 replayed
 ssl_dtls_replay:"000000000000":"000000000000":-1
 
 SSL DTLS replay: 0-1 seen, 2 arriving
-ssl_dtls_replay:"000000000000,000000000001":"000000000002":0
+ssl_dtls_replay:"000000000000000000000001":"000000000002":0
 
 SSL DTLS replay: 0-1 seen, 1 replayed
-ssl_dtls_replay:"000000000000,000000000001":"000000000001":-1
+ssl_dtls_replay:"000000000000000000000001":"000000000001":-1
 
 SSL DTLS replay: 0-1 seen, 0 replayed
-ssl_dtls_replay:"000000000000,000000000001":"000000000000":-1
+ssl_dtls_replay:"000000000000000000000001":"000000000000":-1
 
 SSL DTLS replay: new
-ssl_dtls_replay:"abcd12340000,abcd12340001,abcd12340003":"abcd12340004":0
+ssl_dtls_replay:"abcd12340000abcd12340001abcd12340003":"abcd12340004":0
 
 SSL DTLS replay: way new
-ssl_dtls_replay:"abcd12340000,abcd12340001,abcd12340003":"abcd12350000":0
+ssl_dtls_replay:"abcd12340000abcd12340001abcd12340003":"abcd12350000":0
 
 SSL DTLS replay: delayed
-ssl_dtls_replay:"abcd12340000,abcd12340001,abcd12340003":"abcd12340002":0
+ssl_dtls_replay:"abcd12340000abcd12340001abcd12340003":"abcd12340002":0
 
 SSL DTLS replay: lastest replayed
-ssl_dtls_replay:"abcd12340000,abcd12340001,abcd12340003":"abcd12340003":-1
+ssl_dtls_replay:"abcd12340000abcd12340001abcd12340003":"abcd12340003":-1
 
 SSL DTLS replay: older replayed
-ssl_dtls_replay:"abcd12340000,abcd12340001,abcd12340003":"abcd12340001":-1
+ssl_dtls_replay:"abcd12340000abcd12340001abcd12340003":"abcd12340001":-1
 
 SSL DTLS replay: most recent in window, replayed
-ssl_dtls_replay:"abcd12340000,abcd12340002,abcd12340003":"abcd12340002":-1
+ssl_dtls_replay:"abcd12340000abcd12340002abcd12340003":"abcd12340002":-1
 
 SSL DTLS replay: oldest in window, replayed
-ssl_dtls_replay:"abcd12340000,abcd12340001,abcd1234003f":"abcd12340000":-1
+ssl_dtls_replay:"abcd12340000abcd12340001abcd1234003f":"abcd12340000":-1
 
 SSL DTLS replay: oldest in window, not replayed
-ssl_dtls_replay:"abcd12340001,abcd12340002,abcd1234003f":"abcd12340000":0
+ssl_dtls_replay:"abcd12340001abcd12340002abcd1234003f":"abcd12340000":0
 
 SSL DTLS replay: just out of the window
-ssl_dtls_replay:"abcd12340001,abcd12340002,abcd1234003f":"abcd1233ffff":-1
+ssl_dtls_replay:"abcd12340001abcd12340002abcd1234003f":"abcd1233ffff":-1
 
 SSL DTLS replay: way out of the window
-ssl_dtls_replay:"abcd12340001,abcd12340002,abcd1234003f":"abcd12330000":-1
+ssl_dtls_replay:"abcd12340001abcd12340002abcd1234003f":"abcd12330000":-1
 
 SSL DTLS replay: big jump then replay
-ssl_dtls_replay:"abcd12340000,abcd12340100":"abcd12340100":-1
+ssl_dtls_replay:"abcd12340000abcd12340100":"abcd12340100":-1
 
 SSL DTLS replay: big jump then new
-ssl_dtls_replay:"abcd12340000,abcd12340100":"abcd12340101":0
+ssl_dtls_replay:"abcd12340000abcd12340100":"abcd12340101":0
 
 SSL DTLS replay: big jump then just delayed
-ssl_dtls_replay:"abcd12340000,abcd12340100":"abcd123400ff":0
+ssl_dtls_replay:"abcd12340000abcd12340100":"abcd123400ff":0
 
 SSL SET_HOSTNAME memory leak: call ssl_set_hostname twice
 ssl_set_hostname_twice:"server0":"server1"
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ssl.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ssl.function
index 1cd2ed5bb3..326f22d3b2 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ssl.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_ssl.function
@@ -9,11 +9,11 @@
  */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SSL_DTLS_ANTI_REPLAY */
-void ssl_dtls_replay( char *prevs, char *new, int ret )
+void ssl_dtls_replay( data_t * prevs, data_t * new, int ret )
 {
+    uint32_t len = 0;
     mbedtls_ssl_context ssl;
     mbedtls_ssl_config conf;
-    char *end_prevs = prevs + strlen( prevs ) + 1;
 
     mbedtls_ssl_init( &ssl );
     mbedtls_ssl_config_init( &conf );
@@ -25,15 +25,14 @@ void ssl_dtls_replay( char *prevs, char *new, int ret )
     TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
 
     /* Read previous record numbers */
-    for( ; end_prevs - prevs >= 13; prevs += 13 )
+    for( len = 0; len < prevs->len; len += 6 )
     {
-        prevs[12] = '\0';
-        unhexify( ssl.in_ctr + 2, prevs );
+        memcpy( ssl.in_ctr + 2, prevs->x + len, 6 );
         mbedtls_ssl_dtls_replay_update( &ssl );
     }
 
     /* Check new number */
-    unhexify( ssl.in_ctr + 2, new );
+    memcpy( ssl.in_ctr + 2, new->x, 6 );
     TEST_ASSERT( mbedtls_ssl_dtls_replay_check( &ssl ) == ret );
 
     mbedtls_ssl_free( &ssl );
@@ -53,4 +52,3 @@ void ssl_set_hostname_twice( char *hostname0, char *hostname1 )
     mbedtls_ssl_free( &ssl );
 }
 /* END_CASE */
-
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_version.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_version.data
index 1aa9c5333a..cd1cee4616 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_version.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
 Check compiletime library version
-check_compiletime_version:"2.7.11"
+check_compiletime_version:"2.16.2"
 
 Check runtime library version
-check_runtime_version:"2.7.11"
+check_runtime_version:"2.16.2"
 
 Check for MBEDTLS_VERSION_C
 check_feature:"MBEDTLS_VERSION_C":0
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_version.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_version.function
index a4847f92c5..10f9e1154e 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_version.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_version.function
@@ -8,7 +8,7 @@
  */
 
 /* BEGIN_CASE */
-void check_compiletime_version( char *version_str )
+void check_compiletime_version( char * version_str )
 {
     char build_str[100];
     char build_str_full[100];
@@ -35,7 +35,7 @@ void check_compiletime_version( char *version_str )
 /* END_CASE */
 
 /* BEGIN_CASE */
-void check_runtime_version( char *version_str )
+void check_runtime_version( char * version_str )
 {
     char build_str[100];
     char get_str[100];
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509parse.data b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509parse.data
index 0fe68cb06f..b64414a67f 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509parse.data
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509parse.data
@@ -2,13 +2,25 @@ X509 Certificate information #1
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
 x509_cert_info:"data_files/server1.crt":"cert. version     \: 3\nserial number     \: 01\nissuer name       \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name      \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued  on        \: 2011-02-12 14\:44\:06\nexpires on        \: 2021-02-12 14\:44\:06\nsigned using      \: RSA with SHA1\nRSA key size      \: 2048 bits\nbasic constraints \: CA=false\n"
 
+X509 Certificate information #1 (DER)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+x509_cert_info:"data_files/server1.crt.der":"cert. version     \: 3\nserial number     \: 01\nissuer name       \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name      \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued  on        \: 2011-02-12 14\:44\:06\nexpires on        \: 2021-02-12 14\:44\:06\nsigned using      \: RSA with SHA1\nRSA key size      \: 2048 bits\nbasic constraints \: CA=false\n"
+
 X509 Certificate information #2
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
 x509_cert_info:"data_files/server2.crt":"cert. version     \: 3\nserial number     \: 02\nissuer name       \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name      \: C=NL, O=PolarSSL, CN=localhost\nissued  on        \: 2011-02-12 14\:44\:06\nexpires on        \: 2021-02-12 14\:44\:06\nsigned using      \: RSA with SHA1\nRSA key size      \: 2048 bits\nbasic constraints \: CA=false\n"
 
+X509 Certificate information #2 (DER)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+x509_cert_info:"data_files/server2.crt.der":"cert. version     \: 3\nserial number     \: 02\nissuer name       \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name      \: C=NL, O=PolarSSL, CN=localhost\nissued  on        \: 2011-02-12 14\:44\:06\nexpires on        \: 2021-02-12 14\:44\:06\nsigned using      \: RSA with SHA1\nRSA key size      \: 2048 bits\nbasic constraints \: CA=false\n"
+
 X509 Certificate information #3
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_cert_info:"data_files/test-ca.crt":"cert. version     \: 3\nserial number     \: 00\nissuer name       \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name      \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued  on        \: 2011-02-12 14\:44\:00\nexpires on        \: 2021-02-12 14\:44\:00\nsigned using      \: RSA with SHA1\nRSA key size      \: 2048 bits\nbasic constraints \: CA=true\n"
+x509_cert_info:"data_files/test-ca.crt":"cert. version     \: 3\nserial number     \: 03\nissuer name       \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name      \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued  on        \: 2011-02-12 14\:44\:00\nexpires on        \: 2021-02-12 14\:44\:00\nsigned using      \: RSA with SHA1\nRSA key size      \: 2048 bits\nbasic constraints \: CA=true\n"
+
+X509 Certificate information #3 (DER)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+x509_cert_info:"data_files/test-ca.crt.der":"cert. version     \: 3\nserial number     \: 03\nissuer name       \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name      \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued  on        \: 2011-02-12 14\:44\:00\nexpires on        \: 2021-02-12 14\:44\:00\nsigned using      \: RSA with SHA1\nRSA key size      \: 2048 bits\nbasic constraints \: CA=true\n"
 
 X509 Certificate information MD2 Digest
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD2_C
@@ -845,7 +857,7 @@ x509_verify_callback:"data_files/server5-ss-expired.crt":"data_files/server5-ss-
 
 X509 Certificate verification callback: simple
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify_callback:"data_files/server1.crt":"data_files/test-ca.crt":"NULL":0:"depth 1 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
+x509_verify_callback:"data_files/server1.crt":"data_files/test-ca.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
 
 X509 Certificate verification callback: simple, EE expired
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE
@@ -857,15 +869,15 @@ x509_verify_callback:"data_files/server5.crt":"data_files/test-ca2-expired.crt":
 
 X509 Certificate verification callback: two trusted roots
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
-x509_verify_callback:"data_files/server1.crt":"data_files/test-ca_cat12.crt":"NULL":0:"depth 1 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
+x509_verify_callback:"data_files/server1.crt":"data_files/test-ca_cat12.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
 
 X509 Certificate verification callback: two trusted roots, reversed order
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
-x509_verify_callback:"data_files/server1.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 1 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
+x509_verify_callback:"data_files/server1.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
 
 X509 Certificate verification callback: root included
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
-x509_verify_callback:"data_files/server1_ca.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 1 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
+x509_verify_callback:"data_files/server1_ca.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
 
 X509 Certificate verification callback: intermediate ca
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
@@ -893,11 +905,11 @@ x509_verify_callback:"data_files/server7_int-ca.crt":"data_files/test-ca2-expire
 
 X509 Certificate verification callback: two intermediates
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
-x509_verify_callback:"data_files/server10_int3_int-ca2.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 3 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n"
+x509_verify_callback:"data_files/server10_int3_int-ca2.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 3 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n"
 
 X509 Certificate verification callback: two intermediates, root included
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
-x509_verify_callback:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 3 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n"
+x509_verify_callback:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 3 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n"
 
 X509 Certificate verification callback: two intermediates, top int trusted
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C
@@ -1909,3 +1921,91 @@ x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"20000229000000Z":0:2000:2:29:0:0:0
 X509 Get time (Generalized Time invalid leap year not multiple of 4, 100 or 400)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"19910229000000Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
+
+X509 cert verify restart: trusted EE, max_ops=0 (disabled)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+x509_verify_restart:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:0:0:0:0
+
+X509 cert verify restart: trusted EE, max_ops=1
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+x509_verify_restart:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:0:1:0:0
+
+X509 cert verify restart: no intermediate, max_ops=0 (disabled)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:0:0:0
+
+X509 cert verify restart: no intermediate, max_ops=1
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:1:100:10000
+
+X509 cert verify restart: no intermediate, max_ops=40000
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:40000:0:0
+
+X509 cert verify restart: no intermediate, max_ops=500
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:500:20:80
+
+X509 cert verify restart: no intermediate, badsign, max_ops=0 (disabled)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
+
+X509 cert verify restart: no intermediate, badsign, max_ops=1
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
+
+X509 cert verify restart: no intermediate, badsign, max_ops=40000
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:40000:0:0
+
+X509 cert verify restart: no intermediate, badsign, max_ops=500
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:20:80
+
+X509 cert verify restart: one int, max_ops=0 (disabled)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
+x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:0:0:0
+
+X509 cert verify restart: one int, max_ops=1
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
+x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:1:100:10000
+
+X509 cert verify restart: one int, max_ops=30000
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
+x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:30000:0:0
+
+X509 cert verify restart: one int, max_ops=500
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
+x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:500:25:100
+
+X509 cert verify restart: one int, EE badsign, max_ops=0 (disabled)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
+x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
+
+X509 cert verify restart: one int, EE badsign, max_ops=1
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
+x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
+
+X509 cert verify restart: one int, EE badsign, max_ops=30000
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
+x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:30000:0:0
+
+X509 cert verify restart: one int, EE badsign, max_ops=500
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
+x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100
+
+X509 cert verify restart: one int, int badsign, max_ops=0 (disabled)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
+x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
+
+X509 cert verify restart: one int, int badsign, max_ops=1
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
+x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
+
+X509 cert verify restart: one int, int badsign, max_ops=30000
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
+x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:30000:0:0
+
+X509 cert verify restart: one int, int badsign, max_ops=500
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
+x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509parse.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509parse.function
index 584ee822b6..e6b1b4783c 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509parse.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509parse.function
@@ -1,4 +1,5 @@
 /* BEGIN_HEADER */
+#include "mbedtls/bignum.h"
 #include "mbedtls/x509.h"
 #include "mbedtls/x509_crt.h"
 #include "mbedtls/x509_crl.h"
@@ -6,6 +7,7 @@
 #include "mbedtls/pem.h"
 #include "mbedtls/oid.h"
 #include "mbedtls/base64.h"
+#include "string.h"
 
 #if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19
 #error "The value of MBEDTLS_X509_MAX_INTERMEDIATE_C is larger \
@@ -170,7 +172,7 @@ int verify_print( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint
  */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
-void x509_cert_info( char *crt_file, char *result_str )
+void x509_cert_info( char * crt_file, char * result_str )
 {
     mbedtls_x509_crt   crt;
     char buf[2000];
@@ -193,7 +195,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRL_PARSE_C */
-void mbedtls_x509_crl_info( char *crl_file, char *result_str )
+void mbedtls_x509_crl_info( char * crl_file, char * result_str )
 {
     mbedtls_x509_crl   crl;
     char buf[2000];
@@ -216,7 +218,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRL_PARSE_C */
-void mbedtls_x509_crl_parse( char *crl_file, int result )
+void mbedtls_x509_crl_parse( char * crl_file, int result )
 {
     mbedtls_x509_crl   crl;
     char buf[2000];
@@ -232,7 +234,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C */
-void mbedtls_x509_csr_info( char *csr_file, char *result_str )
+void mbedtls_x509_csr_info( char * csr_file, char * result_str )
 {
     mbedtls_x509_csr   csr;
     char buf[2000];
@@ -255,7 +257,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
-void x509_verify_info( int flags, char *prefix, char *result_str )
+void x509_verify_info( int flags, char * prefix, char * result_str )
 {
     char buf[2000];
     int res;
@@ -270,6 +272,62 @@ void x509_verify_info( int flags, char *prefix, char *result_str )
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_C */
+void x509_verify_restart( char *crt_file, char *ca_file,
+                          int result, int flags_result,
+                          int max_ops, int min_restart, int max_restart )
+{
+    int ret, cnt_restart;
+    mbedtls_x509_crt_restart_ctx rs_ctx;
+    mbedtls_x509_crt crt;
+    mbedtls_x509_crt ca;
+    uint32_t flags = 0;
+
+    /*
+     * See comments on ecp_test_vect_restart() for op count precision.
+     *
+     * For reference, with mbed TLS 2.6 and default settings:
+     * - ecdsa_verify() for P-256:  ~  6700
+     * - ecdsa_verify() for P-384:  ~ 18800
+     * - x509_verify() for server5 -> test-ca2:             ~ 18800
+     * - x509_verify() for server10 -> int-ca3 -> int-ca2:  ~ 25500
+     */
+
+    mbedtls_x509_crt_restart_init( &rs_ctx );
+    mbedtls_x509_crt_init( &crt );
+    mbedtls_x509_crt_init( &ca );
+
+    TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 );
+    TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 );
+
+    mbedtls_ecp_set_max_ops( max_ops );
+
+    cnt_restart = 0;
+    do {
+        ret = mbedtls_x509_crt_verify_restartable( &crt, &ca, NULL,
+                &mbedtls_x509_crt_profile_default, NULL, &flags,
+                NULL, NULL, &rs_ctx );
+    } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
+
+    TEST_ASSERT( ret == result );
+    TEST_ASSERT( flags == (uint32_t) flags_result );
+
+    TEST_ASSERT( cnt_restart >= min_restart );
+    TEST_ASSERT( cnt_restart <= max_restart );
+
+    /* Do we leak memory when aborting? */
+    ret = mbedtls_x509_crt_verify_restartable( &crt, &ca, NULL,
+            &mbedtls_x509_crt_profile_default, NULL, &flags,
+            NULL, NULL, &rs_ctx );
+    TEST_ASSERT( ret == result || ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
+
+exit:
+    mbedtls_x509_crt_restart_free( &rs_ctx );
+    mbedtls_x509_crt_free( &crt );
+    mbedtls_x509_crt_free( &ca );
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C */
 void x509_verify( char *crt_file, char *ca_file, char *crl_file,
                   char *cn_name_str, int result, int flags_result,
@@ -365,7 +423,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
-void mbedtls_x509_dn_gets( char *crt_file, char *entity, char *result_str )
+void mbedtls_x509_dn_gets( char * crt_file, char * entity, char * result_str )
 {
     mbedtls_x509_crt   crt;
     char buf[2000];
@@ -393,7 +451,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
-void mbedtls_x509_time_is_past( char *crt_file, char *entity, int result )
+void mbedtls_x509_time_is_past( char * crt_file, char * entity, int result )
 {
     mbedtls_x509_crt   crt;
 
@@ -414,7 +472,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
-void mbedtls_x509_time_is_future( char *crt_file, char *entity, int result )
+void mbedtls_x509_time_is_future( char * crt_file, char * entity, int result )
 {
     mbedtls_x509_crt   crt;
 
@@ -435,7 +493,7 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */
-void x509parse_crt_file( char *crt_file, int result )
+void x509parse_crt_file( char * crt_file, int result )
 {
     mbedtls_x509_crt crt;
 
@@ -449,20 +507,17 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
-void x509parse_crt( char *crt_data, char *result_str, int result )
+void x509parse_crt( data_t * buf, char * result_str, int result )
 {
     mbedtls_x509_crt   crt;
-    unsigned char buf[2000];
     unsigned char output[2000];
-    int data_len, res;
+    int res;
 
     mbedtls_x509_crt_init( &crt );
-    memset( buf, 0, 2000 );
     memset( output, 0, 2000 );
 
-    data_len = unhexify( buf, crt_data );
 
-    TEST_ASSERT( mbedtls_x509_crt_parse( &crt, buf, data_len ) == ( result ) );
+    TEST_ASSERT( mbedtls_x509_crt_parse( &crt, buf->x, buf->len ) == ( result ) );
     if( ( result ) == 0 )
     {
         res = mbedtls_x509_crt_info( (char *) output, 2000, "", &crt );
@@ -479,20 +534,17 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRL_PARSE_C */
-void x509parse_crl( char *crl_data, char *result_str, int result )
+void x509parse_crl( data_t * buf, char * result_str, int result )
 {
     mbedtls_x509_crl   crl;
-    unsigned char buf[2000];
     unsigned char output[2000];
-    int data_len, res;
+    int res;
 
     mbedtls_x509_crl_init( &crl );
-    memset( buf, 0, 2000 );
     memset( output, 0, 2000 );
 
-    data_len = unhexify( buf, crl_data );
 
-    TEST_ASSERT( mbedtls_x509_crl_parse( &crl, buf, data_len ) == ( result ) );
+    TEST_ASSERT( mbedtls_x509_crl_parse( &crl, buf->x, buf->len ) == ( result ) );
     if( ( result ) == 0 )
     {
         res = mbedtls_x509_crl_info( (char *) output, 2000, "", &crl );
@@ -509,19 +561,16 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_X509_CSR_PARSE_C */
-void mbedtls_x509_csr_parse( char *csr_der_hex, char *ref_out, int ref_ret )
+void mbedtls_x509_csr_parse( data_t * csr_der, char * ref_out, int ref_ret )
 {
     mbedtls_x509_csr csr;
-    unsigned char *csr_der = NULL;
     char my_out[1000];
-    size_t csr_der_len;
     int my_ret;
 
     mbedtls_x509_csr_init( &csr );
     memset( my_out, 0, sizeof( my_out ) );
-    csr_der = unhexify_alloc( csr_der_hex, &csr_der_len );
 
-    my_ret = mbedtls_x509_csr_parse_der( &csr, csr_der, csr_der_len );
+    my_ret = mbedtls_x509_csr_parse_der( &csr, csr_der->x, csr_der->len );
     TEST_ASSERT( my_ret == ref_ret );
 
     if( ref_ret == 0 )
@@ -533,12 +582,11 @@ void mbedtls_x509_csr_parse( char *csr_der_hex, char *ref_out, int ref_ret )
 
 exit:
     mbedtls_x509_csr_free( &csr );
-    mbedtls_free( csr_der );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
-void mbedtls_x509_crt_parse_path( char *crt_path, int ret, int nb_crt )
+void mbedtls_x509_crt_parse_path( char * crt_path, int ret, int nb_crt )
 {
     mbedtls_x509_crt chain, *cur;
     int i;
@@ -640,18 +688,16 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */
-void x509_oid_desc( char *oid_str, char *ref_desc )
+void x509_oid_desc( data_t * buf, char * ref_desc )
 {
     mbedtls_x509_buf oid;
     const char *desc = NULL;
-    unsigned char buf[20];
     int ret;
 
-    memset( buf, 0, sizeof buf );
 
     oid.tag = MBEDTLS_ASN1_OID;
-    oid.len = unhexify( buf, oid_str );
-    oid.p   = buf;
+    oid.p   = buf->x;
+    oid.len   = buf->len;
 
     ret = mbedtls_oid_get_extended_key_usage( &oid, &desc );
 
@@ -670,18 +716,16 @@ void x509_oid_desc( char *oid_str, char *ref_desc )
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */
-void x509_oid_numstr( char *oid_str, char *numstr, int blen, int ret )
+void x509_oid_numstr( data_t * oid_buf, char * numstr, int blen, int ret )
 {
     mbedtls_x509_buf oid;
-    unsigned char oid_buf[20];
     char num_buf[100];
 
-    memset( oid_buf, 0x00, sizeof oid_buf );
     memset( num_buf, 0x2a, sizeof num_buf );
 
     oid.tag = MBEDTLS_ASN1_OID;
-    oid.len = unhexify( oid_buf, oid_str );
-    oid.p   = oid_buf;
+    oid.p   = oid_buf->x;
+    oid.len   = oid_buf->len;
 
     TEST_ASSERT( (size_t) blen <= sizeof num_buf );
 
@@ -696,7 +740,7 @@ void x509_oid_numstr( char *oid_str, char *numstr, int blen, int ret )
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CHECK_KEY_USAGE */
-void x509_check_key_usage( char *crt_file, int usage, int ret )
+void x509_check_key_usage( char * crt_file, int usage, int ret )
 {
     mbedtls_x509_crt crt;
 
@@ -712,19 +756,17 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
-void x509_check_extended_key_usage( char *crt_file, char *usage_hex, int ret )
+void x509_check_extended_key_usage( char * crt_file, data_t * oid, int ret
+                                    )
 {
     mbedtls_x509_crt crt;
-    char oid[50];
-    size_t len;
 
     mbedtls_x509_crt_init( &crt );
 
-    len = unhexify( (unsigned char *) oid, usage_hex );
 
     TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 );
 
-    TEST_ASSERT( mbedtls_x509_crt_check_extended_key_usage( &crt, oid, len ) == ret );
+    TEST_ASSERT( mbedtls_x509_crt_check_extended_key_usage( &crt, (const char *)oid->x, oid->len ) == ret );
 
 exit:
     mbedtls_x509_crt_free( &crt );
@@ -732,9 +774,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */
-void x509_get_time( int tag,  char *time_str, int ret,
-                    int year, int mon, int day,
-                    int hour, int min, int sec )
+void x509_get_time( int tag, char * time_str, int ret, int year, int mon,
+                    int day, int hour, int min, int sec )
 {
     mbedtls_x509_time time;
     unsigned char buf[21];
@@ -763,7 +804,7 @@ void x509_get_time( int tag,  char *time_str, int ret,
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT */
-void x509_parse_rsassa_pss_params( char *hex_params, int params_tag,
+void x509_parse_rsassa_pss_params( data_t * hex_params, int params_tag,
                                    int ref_msg_md, int ref_mgf_md,
                                    int ref_salt_len, int ref_ret )
 {
@@ -772,7 +813,8 @@ void x509_parse_rsassa_pss_params( char *hex_params, int params_tag,
     mbedtls_md_type_t my_msg_md, my_mgf_md;
     int my_salt_len;
 
-    params.p = unhexify_alloc( hex_params, &params.len );
+    params.p = hex_params->x;
+    params.len = hex_params->len;
     params.tag = params_tag;
 
     my_ret = mbedtls_x509_get_rsassa_pss_params( &params, &my_msg_md, &my_mgf_md,
@@ -788,12 +830,12 @@ void x509_parse_rsassa_pss_params( char *hex_params, int params_tag,
     }
 
 exit:
-    mbedtls_free( params.p );
+    ;;
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_SELF_TEST */
-void x509_selftest()
+void x509_selftest(  )
 {
     TEST_ASSERT( mbedtls_x509_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509write.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509write.function
index aba23d4c91..535807e3a2 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509write.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_x509write.function
@@ -1,4 +1,5 @@
 /* BEGIN_HEADER */
+#include "mbedtls/bignum.h"
 #include "mbedtls/x509_crt.h"
 #include "mbedtls/x509_csr.h"
 #include "mbedtls/pem.h"
@@ -211,7 +212,8 @@ exit:
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C */
-void mbedtls_x509_string_to_names( char *name, char *parsed_name, int result )
+void mbedtls_x509_string_to_names( char * name, char * parsed_name, int result
+                                   )
 {
     int ret;
     size_t len = 0;
diff --git a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_xtea.function b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_xtea.function
index cbc714a12f..a24a420657 100644
--- a/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_xtea.function
+++ b/3rdparty/mbedtls/mbedtls/tests/suites/test_suite_xtea.function
@@ -8,121 +8,77 @@
  */
 
 /* BEGIN_CASE */
-void xtea_encrypt_ecb( char *hex_key_string, char *hex_src_string,
-                       char *hex_dst_string )
+void xtea_encrypt_ecb( data_t * key_str, data_t * src_str,
+                       data_t * hex_dst_string )
 {
-    unsigned char key_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_xtea_context ctx;
 
-    memset(key_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
 
-    unhexify( key_str, hex_key_string );
-    unhexify( src_str, hex_src_string );
 
-    mbedtls_xtea_setup( &ctx, key_str );
-    TEST_ASSERT( mbedtls_xtea_crypt_ecb( &ctx, MBEDTLS_XTEA_ENCRYPT, src_str, output ) == 0 );
-    hexify( dst_str, output, 8 );
+    mbedtls_xtea_setup( &ctx, key_str->x );
+    TEST_ASSERT( mbedtls_xtea_crypt_ecb( &ctx, MBEDTLS_XTEA_ENCRYPT, src_str->x, output ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, 8, hex_dst_string->len ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE */
-void xtea_decrypt_ecb( char *hex_key_string, char *hex_src_string,
-                       char *hex_dst_string )
+void xtea_decrypt_ecb( data_t * key_str, data_t * src_str,
+                       data_t * hex_dst_string )
 {
-    unsigned char key_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
     unsigned char output[100];
     mbedtls_xtea_context ctx;
 
-    memset(key_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
     memset(output, 0x00, 100);
 
-    unhexify( key_str, hex_key_string );
-    unhexify( src_str, hex_src_string );
 
-    mbedtls_xtea_setup( &ctx, key_str );
-    TEST_ASSERT( mbedtls_xtea_crypt_ecb( &ctx, MBEDTLS_XTEA_DECRYPT, src_str, output ) == 0 );
-    hexify( dst_str, output, 8 );
+    mbedtls_xtea_setup( &ctx, key_str->x );
+    TEST_ASSERT( mbedtls_xtea_crypt_ecb( &ctx, MBEDTLS_XTEA_DECRYPT, src_str->x, output ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, 8, hex_dst_string->len ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
-void xtea_encrypt_cbc( char *hex_key_string, char *hex_iv_string,
-                       char *hex_src_string, char *hex_dst_string )
+void xtea_encrypt_cbc( data_t * key_str, data_t * iv_str,
+                       data_t * src_str, data_t * hex_dst_string )
 {
-    unsigned char key_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
-    unsigned char iv_str[100];
     unsigned char output[100];
-    size_t len;
     mbedtls_xtea_context ctx;
 
-    memset(key_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
     memset(output, 0x00, 100);
 
-    unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    len = unhexify( src_str, hex_src_string );
 
-    mbedtls_xtea_setup( &ctx, key_str );
-    TEST_ASSERT( mbedtls_xtea_crypt_cbc( &ctx, MBEDTLS_XTEA_ENCRYPT, len, iv_str,
-                                 src_str, output ) == 0 );
-    hexify( dst_str, output, len );
+    mbedtls_xtea_setup( &ctx, key_str->x );
+    TEST_ASSERT( mbedtls_xtea_crypt_cbc( &ctx, MBEDTLS_XTEA_ENCRYPT, src_str->len, iv_str->x,
+                                 src_str->x, output ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC */
-void xtea_decrypt_cbc( char *hex_key_string, char *hex_iv_string,
-                       char *hex_src_string, char *hex_dst_string )
+void xtea_decrypt_cbc( data_t * key_str, data_t * iv_str,
+                       data_t * src_str, data_t * hex_dst_string )
 {
-    unsigned char key_str[100];
-    unsigned char src_str[100];
-    unsigned char dst_str[100];
-    unsigned char iv_str[100];
     unsigned char output[100];
-    size_t len;
     mbedtls_xtea_context ctx;
 
-    memset(key_str, 0x00, 100);
-    memset(src_str, 0x00, 100);
-    memset(dst_str, 0x00, 100);
-    memset(iv_str, 0x00, 100);
     memset(output, 0x00, 100);
 
-    unhexify( key_str, hex_key_string );
-    unhexify( iv_str, hex_iv_string );
-    len = unhexify( src_str, hex_src_string );
 
-    mbedtls_xtea_setup( &ctx, key_str );
-    TEST_ASSERT( mbedtls_xtea_crypt_cbc( &ctx, MBEDTLS_XTEA_DECRYPT, len, iv_str,
-                                 src_str, output ) == 0 );
-    hexify( dst_str, output, len );
+    mbedtls_xtea_setup( &ctx, key_str->x );
+    TEST_ASSERT( mbedtls_xtea_crypt_cbc( &ctx, MBEDTLS_XTEA_DECRYPT, src_str->len, iv_str->x,
+                                 src_str->x, output ) == 0 );
 
-    TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+    TEST_ASSERT( hexcmp( output, hex_dst_string->x, src_str->len, hex_dst_string->len ) == 0 );
 }
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
-void xtea_selftest()
+void xtea_selftest(  )
 {
     TEST_ASSERT( mbedtls_xtea_self_test( 1 ) == 0 );
 }
diff --git a/3rdparty/mbedtls/mbedtls/visualc/VS2010/mbedTLS.sln b/3rdparty/mbedtls/mbedtls/visualc/VS2010/mbedTLS.sln
index 89178cc2d5..5d2c99cd36 100644
--- a/3rdparty/mbedtls/mbedtls/visualc/VS2010/mbedTLS.sln
+++ b/3rdparty/mbedtls/mbedtls/visualc/VS2010/mbedTLS.sln
@@ -198,6 +198,16 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "udp_proxy", "udp_proxy.vcxp
 		{46CF2D25-6A36-4189-B59C-E4815388E554} = {46CF2D25-6A36-4189-B59C-E4815388E554}
 	EndProjectSection
 EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "zeroize", "zeroize.vcxproj", "{10C01E94-4926-063E-9F56-C84ED190D349}"
+	ProjectSection(ProjectDependencies) = postProject
+		{46CF2D25-6A36-4189-B59C-E4815388E554} = {46CF2D25-6A36-4189-B59C-E4815388E554}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "query_compile_time_config", "query_compile_time_config.vcxproj", "{D6F58AF2-9D80-562A-E2B0-F743281522B9}"
+	ProjectSection(ProjectDependencies) = postProject
+		{46CF2D25-6A36-4189-B59C-E4815388E554} = {46CF2D25-6A36-4189-B59C-E4815388E554}
+	EndProjectSection
+EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pem2der", "pem2der.vcxproj", "{D3C6FBD6-D78E-7180-8345-5E09B492DBEC}"
 	ProjectSection(ProjectDependencies) = postProject
 		{46CF2D25-6A36-4189-B59C-E4815388E554} = {46CF2D25-6A36-4189-B59C-E4815388E554}
@@ -561,6 +571,22 @@ Global
 		{7E2C80FE-3CC3-82B4-0CAD-65DC233DE13A}.Release|Win32.Build.0 = Release|Win32
 		{7E2C80FE-3CC3-82B4-0CAD-65DC233DE13A}.Release|x64.ActiveCfg = Release|x64
 		{7E2C80FE-3CC3-82B4-0CAD-65DC233DE13A}.Release|x64.Build.0 = Release|x64
+		{10C01E94-4926-063E-9F56-C84ED190D349}.Debug|Win32.ActiveCfg = Debug|Win32
+		{10C01E94-4926-063E-9F56-C84ED190D349}.Debug|Win32.Build.0 = Debug|Win32
+		{10C01E94-4926-063E-9F56-C84ED190D349}.Debug|x64.ActiveCfg = Debug|x64
+		{10C01E94-4926-063E-9F56-C84ED190D349}.Debug|x64.Build.0 = Debug|x64
+		{10C01E94-4926-063E-9F56-C84ED190D349}.Release|Win32.ActiveCfg = Release|Win32
+		{10C01E94-4926-063E-9F56-C84ED190D349}.Release|Win32.Build.0 = Release|Win32
+		{10C01E94-4926-063E-9F56-C84ED190D349}.Release|x64.ActiveCfg = Release|x64
+		{10C01E94-4926-063E-9F56-C84ED190D349}.Release|x64.Build.0 = Release|x64
+		{D6F58AF2-9D80-562A-E2B0-F743281522B9}.Debug|Win32.ActiveCfg = Debug|Win32
+		{D6F58AF2-9D80-562A-E2B0-F743281522B9}.Debug|Win32.Build.0 = Debug|Win32
+		{D6F58AF2-9D80-562A-E2B0-F743281522B9}.Debug|x64.ActiveCfg = Debug|x64
+		{D6F58AF2-9D80-562A-E2B0-F743281522B9}.Debug|x64.Build.0 = Debug|x64
+		{D6F58AF2-9D80-562A-E2B0-F743281522B9}.Release|Win32.ActiveCfg = Release|Win32
+		{D6F58AF2-9D80-562A-E2B0-F743281522B9}.Release|Win32.Build.0 = Release|Win32
+		{D6F58AF2-9D80-562A-E2B0-F743281522B9}.Release|x64.ActiveCfg = Release|x64
+		{D6F58AF2-9D80-562A-E2B0-F743281522B9}.Release|x64.Build.0 = Release|x64
 		{D3C6FBD6-D78E-7180-8345-5E09B492DBEC}.Debug|Win32.ActiveCfg = Debug|Win32
 		{D3C6FBD6-D78E-7180-8345-5E09B492DBEC}.Debug|Win32.Build.0 = Debug|Win32
 		{D3C6FBD6-D78E-7180-8345-5E09B492DBEC}.Debug|x64.ActiveCfg = Debug|x64
diff --git a/3rdparty/mbedtls/mbedtls/visualc/VS2010/mbedTLS.vcxproj b/3rdparty/mbedtls/mbedtls/visualc/VS2010/mbedTLS.vcxproj
index f13f83cc16..73c92bda55 100644
--- a/3rdparty/mbedtls/mbedtls/visualc/VS2010/mbedTLS.vcxproj
+++ b/3rdparty/mbedtls/mbedtls/visualc/VS2010/mbedTLS.vcxproj
@@ -149,6 +149,7 @@
     <ClInclude Include="..\..\include\mbedtls\aes.h" />
     <ClInclude Include="..\..\include\mbedtls\aesni.h" />
     <ClInclude Include="..\..\include\mbedtls\arc4.h" />
+    <ClInclude Include="..\..\include\mbedtls\aria.h" />
     <ClInclude Include="..\..\include\mbedtls\asn1.h" />
     <ClInclude Include="..\..\include\mbedtls\asn1write.h" />
     <ClInclude Include="..\..\include\mbedtls\base64.h" />
@@ -158,6 +159,8 @@
     <ClInclude Include="..\..\include\mbedtls\camellia.h" />
     <ClInclude Include="..\..\include\mbedtls\ccm.h" />
     <ClInclude Include="..\..\include\mbedtls\certs.h" />
+    <ClInclude Include="..\..\include\mbedtls\chacha20.h" />
+    <ClInclude Include="..\..\include\mbedtls\chachapoly.h" />
     <ClInclude Include="..\..\include\mbedtls\check_config.h" />
     <ClInclude Include="..\..\include\mbedtls\cipher.h" />
     <ClInclude Include="..\..\include\mbedtls\cipher_internal.h" />
@@ -178,6 +181,7 @@
     <ClInclude Include="..\..\include\mbedtls\error.h" />
     <ClInclude Include="..\..\include\mbedtls\gcm.h" />
     <ClInclude Include="..\..\include\mbedtls\havege.h" />
+    <ClInclude Include="..\..\include\mbedtls\hkdf.h" />
     <ClInclude Include="..\..\include\mbedtls\hmac_drbg.h" />
     <ClInclude Include="..\..\include\mbedtls\md.h" />
     <ClInclude Include="..\..\include\mbedtls\md2.h" />
@@ -187,6 +191,7 @@
     <ClInclude Include="..\..\include\mbedtls\memory_buffer_alloc.h" />
     <ClInclude Include="..\..\include\mbedtls\net.h" />
     <ClInclude Include="..\..\include\mbedtls\net_sockets.h" />
+    <ClInclude Include="..\..\include\mbedtls\nist_kw.h" />
     <ClInclude Include="..\..\include\mbedtls\oid.h" />
     <ClInclude Include="..\..\include\mbedtls\padlock.h" />
     <ClInclude Include="..\..\include\mbedtls\pem.h" />
@@ -197,6 +202,8 @@
     <ClInclude Include="..\..\include\mbedtls\pkcs5.h" />
     <ClInclude Include="..\..\include\mbedtls\platform.h" />
     <ClInclude Include="..\..\include\mbedtls\platform_time.h" />
+    <ClInclude Include="..\..\include\mbedtls\platform_util.h" />
+    <ClInclude Include="..\..\include\mbedtls\poly1305.h" />
     <ClInclude Include="..\..\include\mbedtls\ripemd160.h" />
     <ClInclude Include="..\..\include\mbedtls\rsa.h" />
     <ClInclude Include="..\..\include\mbedtls\rsa_internal.h" />
@@ -222,6 +229,7 @@
     <ClCompile Include="..\..\library\aes.c" />
     <ClCompile Include="..\..\library\aesni.c" />
     <ClCompile Include="..\..\library\arc4.c" />
+    <ClCompile Include="..\..\library\aria.c" />
     <ClCompile Include="..\..\library\asn1parse.c" />
     <ClCompile Include="..\..\library\asn1write.c" />
     <ClCompile Include="..\..\library\base64.c" />
@@ -230,6 +238,8 @@
     <ClCompile Include="..\..\library\camellia.c" />
     <ClCompile Include="..\..\library\ccm.c" />
     <ClCompile Include="..\..\library\certs.c" />
+    <ClCompile Include="..\..\library\chacha20.c" />
+    <ClCompile Include="..\..\library\chachapoly.c" />
     <ClCompile Include="..\..\library\cipher.c" />
     <ClCompile Include="..\..\library\cipher_wrap.c" />
     <ClCompile Include="..\..\library\cmac.c" />
@@ -247,6 +257,7 @@
     <ClCompile Include="..\..\library\error.c" />
     <ClCompile Include="..\..\library\gcm.c" />
     <ClCompile Include="..\..\library\havege.c" />
+    <ClCompile Include="..\..\library\hkdf.c" />
     <ClCompile Include="..\..\library\hmac_drbg.c" />
     <ClCompile Include="..\..\library\md.c" />
     <ClCompile Include="..\..\library\md2.c" />
@@ -255,6 +266,7 @@
     <ClCompile Include="..\..\library\md_wrap.c" />
     <ClCompile Include="..\..\library\memory_buffer_alloc.c" />
     <ClCompile Include="..\..\library\net_sockets.c" />
+    <ClCompile Include="..\..\library\nist_kw.c" />
     <ClCompile Include="..\..\library\oid.c" />
     <ClCompile Include="..\..\library\padlock.c" />
     <ClCompile Include="..\..\library\pem.c" />
@@ -266,6 +278,8 @@
     <ClCompile Include="..\..\library\pkparse.c" />
     <ClCompile Include="..\..\library\pkwrite.c" />
     <ClCompile Include="..\..\library\platform.c" />
+    <ClCompile Include="..\..\library\platform_util.c" />
+    <ClCompile Include="..\..\library\poly1305.c" />
     <ClCompile Include="..\..\library\ripemd160.c" />
     <ClCompile Include="..\..\library\rsa.c" />
     <ClCompile Include="..\..\library\rsa_internal.c" />
diff --git a/3rdparty/mbedtls/mbedtls/visualc/VS2010/query_compile_time_config.vcxproj b/3rdparty/mbedtls/mbedtls/visualc/VS2010/query_compile_time_config.vcxproj
new file mode 100644
index 0000000000..83a29f0679
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/visualc/VS2010/query_compile_time_config.vcxproj
@@ -0,0 +1,175 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\programs\test\query_compile_time_config.c" />
+    <ClCompile Include="..\..\programs\ssl\query_config.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="mbedTLS.vcxproj">
+      <Project>{46cf2d25-6a36-4189-b59c-e4815388e554}</Project>
+      <LinkLibraryDependencies>true</LinkLibraryDependencies>
+    </ProjectReference>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{D6F58AF2-9D80-562A-E2B0-F743281522B9}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>query_compile_time_config</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>Windows7.1SDK</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+    <IntDir>$(Configuration)\$(TargetName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+    <IntDir>$(Configuration)\$(TargetName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+    <IntDir>$(Configuration)\$(TargetName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <IntDir>$(Configuration)\$(TargetName)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ShowProgress>NotSet</ShowProgress>
+      <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>Debug</AdditionalLibraryDirectories>
+    </Link>
+    <ProjectReference>
+      <LinkLibraryDependencies>false</LinkLibraryDependencies>
+    </ProjectReference>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ShowProgress>NotSet</ShowProgress>
+      <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>Debug</AdditionalLibraryDirectories>
+    </Link>
+    <ProjectReference>
+      <LinkLibraryDependencies>false</LinkLibraryDependencies>
+    </ProjectReference>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>Release</AdditionalLibraryDirectories>
+      <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>Release</AdditionalLibraryDirectories>
+      <AdditionalDependencies>%(AdditionalDependencies);</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/3rdparty/mbedtls/mbedtls/visualc/VS2010/ssl_client2.vcxproj b/3rdparty/mbedtls/mbedtls/visualc/VS2010/ssl_client2.vcxproj
index 1d44fa783c..a960facf07 100644
--- a/3rdparty/mbedtls/mbedtls/visualc/VS2010/ssl_client2.vcxproj
+++ b/3rdparty/mbedtls/mbedtls/visualc/VS2010/ssl_client2.vcxproj
@@ -20,6 +20,7 @@
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="..\..\programs\ssl\ssl_client2.c" />
+    <ClCompile Include="..\..\programs\ssl\query_config.c" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="mbedTLS.vcxproj">
diff --git a/3rdparty/mbedtls/mbedtls/visualc/VS2010/ssl_server2.vcxproj b/3rdparty/mbedtls/mbedtls/visualc/VS2010/ssl_server2.vcxproj
index d06e0628ef..06a91cb495 100644
--- a/3rdparty/mbedtls/mbedtls/visualc/VS2010/ssl_server2.vcxproj
+++ b/3rdparty/mbedtls/mbedtls/visualc/VS2010/ssl_server2.vcxproj
@@ -20,6 +20,7 @@
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="..\..\programs\ssl\ssl_server2.c" />
+    <ClCompile Include="..\..\programs\ssl\query_config.c" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="mbedTLS.vcxproj">
diff --git a/3rdparty/mbedtls/mbedtls/visualc/VS2010/zeroize.vcxproj b/3rdparty/mbedtls/mbedtls/visualc/VS2010/zeroize.vcxproj
new file mode 100644
index 0000000000..9d311c7217
--- /dev/null
+++ b/3rdparty/mbedtls/mbedtls/visualc/VS2010/zeroize.vcxproj
@@ -0,0 +1,174 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\programs\test\zeroize.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="mbedTLS.vcxproj">
+      <Project>{46cf2d25-6a36-4189-b59c-e4815388e554}</Project>
+      <LinkLibraryDependencies>true</LinkLibraryDependencies>
+    </ProjectReference>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{10C01E94-4926-063E-9F56-C84ED190D349}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>zeroize</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>Windows7.1SDK</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+    <IntDir>$(Configuration)\$(TargetName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+    <IntDir>$(Configuration)\$(TargetName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+    <IntDir>$(Configuration)\$(TargetName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <IntDir>$(Configuration)\$(TargetName)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ShowProgress>NotSet</ShowProgress>
+      <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>Debug</AdditionalLibraryDirectories>
+    </Link>
+    <ProjectReference>
+      <LinkLibraryDependencies>false</LinkLibraryDependencies>
+    </ProjectReference>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ShowProgress>NotSet</ShowProgress>
+      <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>Debug</AdditionalLibraryDirectories>
+    </Link>
+    <ProjectReference>
+      <LinkLibraryDependencies>false</LinkLibraryDependencies>
+    </ProjectReference>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>Release</AdditionalLibraryDirectories>
+      <AdditionalDependencies>kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>Release</AdditionalLibraryDirectories>
+      <AdditionalDependencies>%(AdditionalDependencies);</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/3rdparty/mbedtls/mbedtls/yotta/create-module.sh b/3rdparty/mbedtls/mbedtls/yotta/create-module.sh
deleted file mode 100755
index 4c79ebe510..0000000000
--- a/3rdparty/mbedtls/mbedtls/yotta/create-module.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-# relative to the script's directory
-TREE=..
-DEST=module
-
-# make sure we're running in our own directory
-if [ -f create-module.sh ]; then :; else
-    cd $( dirname $0 )
-    if [ -f create-module.sh ]; then :; else
-        echo "Please run the script from is directory." >&2
-        exit 1
-    fi
-fi
-
-# use a temporary directory to build the module, then rsync to DEST
-# this allows touching only new files, for more efficient re-builds
-TMP=$DEST-tmp
-rm -rf $TMP
-
-mkdir -p $TMP/mbedtls $TMP/source
-cp $TREE/include/mbedtls/*.h $TMP/mbedtls
-cp $TREE/library/*.c $TMP/source
-
-# temporary, should depend on external module later
-cp data/entropy_hardware_poll.c $TMP/source
-cp data/target_config.h $TMP/mbedtls
-
-data/adjust-config.sh $TREE/scripts/config.pl $TMP/mbedtls/config.h
-
-mkdir -p $TMP/test
-cp -r data/example-* $TMP/test
-# later we should have the generated test suites here too
-
-cp data/module.json $TMP
-cp data/README.md $TMP
-
-cp ../LICENSE $TMP
-if [ -f ../apache-2.0.txt ]; then cp ../apache-2.0.txt $TMP; fi
-
-mkdir -p $DEST
-rsync -cr --delete --exclude build --exclude yotta_\* $TMP/ $DEST/
-rm -rf $TMP
-
-echo "mbed TLS yotta module created in '$PWD/$DEST'."
diff --git a/3rdparty/mbedtls/mbedtls/yotta/data/README.md b/3rdparty/mbedtls/mbedtls/yotta/data/README.md
deleted file mode 100644
index b748aac32b..0000000000
--- a/3rdparty/mbedtls/mbedtls/yotta/data/README.md
+++ /dev/null
@@ -1,103 +0,0 @@
-# mbed TLS
-
-mbed TLS makes it trivially easy for developers to include cryptographic and SSL/TLS capabilities in their embedded products, with a minimal code footprint. It offers an SSL library with an intuitive API and readable source code.
-
-**Note:** The current release is beta, and implements no secure source of random numbers, weakening its security.
-
-Currently the only supported yotta targets are:
-- `frdm-k64f-gcc`
-- `frdm-k64f-armcc`
-- `x86-linux-native`
-- `x86-osx-native`
-
-## Sample programs
-
-This release includes the following examples:
-
-1. [**Self test:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-selftest) Tests different basic functions in the mbed TLS library.
-
-2. [**Benchmark:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-benchmark) Measures the time taken to perform basic cryptographic functions used in the library.
-
-3. [**Hashing:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-hashing) Demonstrates the various APIs for computing hashes of data (also known as message digests) with SHA-256.
-
-4. [**Authenticated encryption:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-authcrypt) Demonstrates usage of the Cipher API for encrypting and authenticating data with AES-CCM.
-
-These examples are integrated as yotta tests, so that they are built automatically when you build mbed TLS. Each of them comes with complete usage instructions as a Readme file in the repository.
-
-## Performing TLS and DTLS connections
-
-A high-level API for performing TLS and DTLS connections with mbed TLS in mbed OS is provided in a separate yotta module: [mbed-tls-sockets](https://github.com/ARMmbed/mbed-tls-sockets). We recommend this API for TLS and DTLS connections. It is very similar to the API provided by the [sockets](https://github.com/ARMmbed/sockets) module for unencrypted TCP and UDP connections.
-
-The `mbed-tls-sockets` module includes a complete [example TLS client](https://github.com/ARMmbed/mbed-tls-sockets/blob/master/test/tls-client/main.cpp) with [usage instructions](https://github.com/ARMmbed/mbed-tls-sockets/blob/master/test/tls-client/README.md).
-
-## Configuring mbed TLS features
-
-mbed TLS makes it easy to disable any feature during compilation, if that feature isn't required for a particular project. The default configuration enables all modern and widely-used features, which should meet the needs of new projects, and disables all features that are older or less common, to minimize the code footprint.
-
-The list of available compilation flags is available in the fully documented [config.h file](https://github.com/ARMmbed/mbedtls/blob/development/include/mbedtls/config.h).
-
-If you need to adjust those flags, you can provide your own configuration-adjustment file with suitable `#define` and `#undef` statements. These will be included between the default definitions and the sanity checks. Your configuration file should be in your application's include directory, and can be named freely; you just need to let mbed TLS know the file's name. To do that, use yotta's [configuration system](http://docs.yottabuild.org/reference/config.html). The file's name should be in your `config.json` file, under mbedtls, as the key `user-config-file`.
-
-For example, in an application called `myapp`, if you want to enable the EC J-PAKE key exchange and disable the CBC cipher mode, you can create a file named  `mbedtls-config-changes.h` in the `myapp` directory containing the following lines:
-
-    #define MBEDTLS_ECJPAKE_C
-    #define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-
-    #undef MBEDTLS_CIPHER_MODE_CBC
-
-And then create a file named `config.json` at the root of your application with the following contents:
-
-    {
-       "mbedtls": {
-          "user-config-file": "\"myapp/mbedtls-config-changes.h\""
-       }
-    }
-
-Please note: you need to provide the exact name that will be used in the `#include` directive, including the `<>` or quotes around the name.
-
-## Getting mbed TLS from GitHub
-
-Like most components of mbed OS, mbed TLS is developed in the open and its source can be found on GitHub: [ARMmbed/mbedtls](https://github.com/ARMmbed/mbedtls). Unlike most other mbed OS components, however, you cannot just clone the repository and run `yotta build` from its root. This is because mbed TLS also exists as an independent component, so its repository includes things that are not relevant for mbed OS, as well as other build systems.
-
-The way to use mbed TLS from a clone of the GitHub repository is to run the following commands from the root of a checkout:
-
-    yotta/create-module.sh
-    cd yotta/module
-
-You can then run any yotta command you would normally run, such as `yotta build` or `yotta link`.
-
-## Differences between the standalone and mbed OS editions
-
-While the two editions share the same code base, there are still a number of differences, mainly in configuration and integration. You should keep in mind those differences when reading some articles in our [knowledge base](https://tls.mbed.org/kb), as currently all the articles are about the standalone edition.
-
-* The mbed OS edition has a smaller set of features enabled by default in `config.h`, in order to reduce footprint. While the default configuration of the standalone edition puts more emphasize on maintaining interoperability with old peers, the mbed OS edition only enables the most modern ciphers and the latest version of (D)TLS.
-
-* The following components of mbed TLS are disabled in the mbed OS edition: `net_sockets.c` and `timing.c`. This is because mbed OS include their equivalents.
-
-* The mbed OS edition comes with a fully integrated API for (D)TLS connections in a companion module: [mbed-tls-sockets](https://github.com/ARMmbed/mbed-tls-sockets). See "Performing TLS and DTLS connections" above.
-
-## Other resources
-
-The [mbed TLS website](https://tls.mbed.org) contains many other useful
-resources for the developer, such as [developer
-documentation](https://tls.mbed.org/dev-corner), [knowledgebase
-articles](https://tls.mbed.org/kb), and a [support forum](https://tls.mbed.org/discussions).
-
-## Contributing
-
-We gratefully accept bug reports and contributions from the community. There are some requirements we need to fulfill in order to be able to integrate contributions:
-
-* Simple bug fixes to existing code do not contain copyright themselves and we can integrate without issue. The same is true of trivial contributions.
-
-* For larger contributions, such as a new feature, the code can possibly fall under copyright law. We then need your consent to share in the ownership of the copyright. We have a form for this, which we will send to you in case you submit a contribution or pull request that we deem this necessary for.
-
-To contribute, please:
-
-* [Check for open issues](https://github.com/ARMmbed/mbedtls/issues) or [start a discussion](https://tls.mbed.org/discussions) around a feature idea or a bug.
-
-* Fork the [mbed TLS repository on GitHub](https://github.com/ARMmbed/mbedtls) to start making your changes. As a general rule, you should use the "development" branch as a basis.
-
-* Write a test that shows that the bug was fixed or that the feature works as expected.
-
-* Send a pull request and bug us until it gets merged and published. We will include your name in the ChangeLog.
-
diff --git a/3rdparty/mbedtls/mbedtls/yotta/data/adjust-config.sh b/3rdparty/mbedtls/mbedtls/yotta/data/adjust-config.sh
deleted file mode 100755
index 3fa84908f4..0000000000
--- a/3rdparty/mbedtls/mbedtls/yotta/data/adjust-config.sh
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-if [ $# -ne 2 ]; then
-    echo "Usage: $0 path/to/config.pl path/to/config.h" >&2
-    exit 1
-fi
-
-SCRIPT=$1
-FILE=$2
-
-conf() {
-    $SCRIPT -f $FILE $@
-}
-
-
-# Set the target specific header
-conf set YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE \"mbedtls/target_config.h\"
-
-# not supported on mbed OS, nor used by mbed Client
-conf unset MBEDTLS_NET_C
-conf unset MBEDTLS_TIMING_C
-
-# not supported on all targets with mbed OS, nor used by mbed Client
-conf unset MBEDTLS_FS_IO
-
-conf unset MBEDTLS_CIPHER_MODE_CFB
-conf unset MBEDTLS_CIPHER_MODE_CTR
-conf unset MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
-conf unset MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
-conf unset MBEDTLS_CIPHER_PADDING_ZEROS
-conf unset MBEDTLS_ECP_DP_SECP192R1_ENABLED
-conf unset MBEDTLS_ECP_DP_SECP224R1_ENABLED
-conf unset MBEDTLS_ECP_DP_SECP521R1_ENABLED
-conf unset MBEDTLS_ECP_DP_SECP192K1_ENABLED
-conf unset MBEDTLS_ECP_DP_SECP224K1_ENABLED
-conf unset MBEDTLS_ECP_DP_SECP256K1_ENABLED
-conf unset MBEDTLS_ECP_DP_BP256R1_ENABLED
-conf unset MBEDTLS_ECP_DP_BP384R1_ENABLED
-conf unset MBEDTLS_ECP_DP_BP512R1_ENABLED
-conf unset MBEDTLS_PK_PARSE_EC_EXTENDED
-
-conf unset MBEDTLS_AESNI_C
-conf unset MBEDTLS_ARC4_C
-conf unset MBEDTLS_BLOWFISH_C
-conf unset MBEDTLS_CAMELLIA_C
-conf unset MBEDTLS_DES_C
-conf unset MBEDTLS_DHM_C
-conf unset MBEDTLS_GENPRIME
-conf unset MBEDTLS_MD5_C
-conf unset MBEDTLS_PADLOCK_C
-conf unset MBEDTLS_PEM_WRITE_C
-conf unset MBEDTLS_PKCS5_C
-conf unset MBEDTLS_PKCS12_C
-conf unset MBEDTLS_RIPEMD160_C
-conf unset MBEDTLS_SHA1_C
-conf unset MBEDTLS_XTEA_C
-
-conf unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
-
-conf unset MBEDTLS_X509_CSR_PARSE_C
-conf unset MBEDTLS_X509_CREATE_C
-conf unset MBEDTLS_X509_CRT_WRITE_C
-conf unset MBEDTLS_X509_CSR_WRITE_C
-
-conf unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
-conf unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-conf unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-conf unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
-conf unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
-conf unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-conf unset MBEDTLS_SSL_FALLBACK_SCSV
-conf unset MBEDTLS_SSL_CBC_RECORD_SPLITTING
-conf unset MBEDTLS_SSL_PROTO_TLS1
-conf unset MBEDTLS_SSL_PROTO_TLS1_1
-conf unset MBEDTLS_SSL_TRUNCATED_HMAC
diff --git a/3rdparty/mbedtls/mbedtls/yotta/data/entropy_hardware_poll.c b/3rdparty/mbedtls/mbedtls/yotta/data/entropy_hardware_poll.c
deleted file mode 100644
index 3a61e22aef..0000000000
--- a/3rdparty/mbedtls/mbedtls/yotta/data/entropy_hardware_poll.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- *  Hardware entropy collector for the K64F, using Freescale's RNGA
- *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
- */
-
-/*
- * WARNING: this is temporary!
- * This should be in a separate yotta module which would be a target
- * dependency of mbedtls (see IOTSSL-313)
- */
-
-#if defined(TARGET_LIKE_K64F)
-
-/*
- * Reference: "K64 Sub-Family Reference Manual, Rev. 2", chapter 34
- */
-
-#include "fsl_clock_manager.h"
-
-/*
- * Get one byte of entropy from the RNG, assuming it is up and running.
- * As recommended (34.1.1), get only one bit of each output.
- */
-static void rng_get_byte( unsigned char *byte )
-{
-    size_t bit;
-
-    /* 34.5 Steps 3-4-5: poll SR and read from OR when ready */
-    for( bit = 0; bit < 8; bit++ )
-    {
-        while( ( RNG->SR & RNG_SR_OREG_LVL_MASK ) == 0 );
-        *byte |= ( RNG->OR & 1 ) << bit;
-    }
-}
-
-/*
- * Get len bytes of entropy from the hardware RNG.
- */
-int mbedtls_hardware_poll( void *data,
-                    unsigned char *output, size_t len, size_t *olen )
-{
-    size_t i;
-    int ret;
-    ((void) data);
-
-    CLOCK_SYS_EnableRngaClock( 0 );
-
-    /* Set "Interrupt Mask", "High Assurance" and "Go",
-     * unset "Clear interrupt" and "Sleep" */
-    RNG->CR = RNG_CR_INTM_MASK | RNG_CR_HA_MASK | RNG_CR_GO_MASK;
-
-    for( i = 0; i < len; i++ )
-        rng_get_byte( output + i );
-
-    /* Just be extra sure that we didn't do it wrong */
-    if( ( RNG->SR & RNG_SR_SECV_MASK ) != 0 )
-    {
-        ret = -1;
-        goto cleanup;
-    }
-
-    *olen = len;
-    ret = 0;
-
-cleanup:
-    /* Disable clock to save power - assume we're the only users of RNG */
-    CLOCK_SYS_DisableRngaClock( 0 );
-
-    return( ret );
-}
-
-#endif
diff --git a/3rdparty/mbedtls/mbedtls/yotta/data/example-authcrypt/README.md b/3rdparty/mbedtls/mbedtls/yotta/data/example-authcrypt/README.md
deleted file mode 100644
index 7ad685ff72..0000000000
--- a/3rdparty/mbedtls/mbedtls/yotta/data/example-authcrypt/README.md
+++ /dev/null
@@ -1,68 +0,0 @@
-# Authenticated Encryption Example
-
-This application performs authenticated encryption and authenticated decryption of a buffer. It serves as a tutorial for the basic authenticated encryption functions of mbed TLS.
-
-## Pre-requisites
-
-To build and run this example you must have:
-
-* A computer with the following software installed:
-  * [CMake](http://www.cmake.org/download/).
-  * [yotta](https://github.com/ARMmbed/yotta). Please note that **yotta has its own set of dependencies**, listed in the [installation instructions](http://armmbed.github.io/yotta/#installing-on-windows).
-  * [Python](https://www.python.org/downloads/).
-  * [The ARM GCC toolchain](https://launchpad.net/gcc-arm-embedded).
-  * A serial terminal emulator (Like screen, pySerial and cu).
-* An [FRDM-K64F](http://developer.mbed.org/platforms/FRDM-K64F/) development board, or another board supported by mbed OS (in which case you'll have to substitute frdm-k64f-gcc with the appropriate target in the instructions below).
-* A micro-USB cable.
-* If your OS is Windows, please follow the installation instructions [for the serial port driver](https://developer.mbed.org/handbook/Windows-serial-configuration).
-
-## Getting started
-
-1. Connect the FRDM-K64F to the computer with the micro-USB cable, being careful to use the "OpenSDA" connector on the target board.
-
-2. Navigate to the mbedtls directory supplied with your release and open a terminal.
-
-3. Set the yotta target:
-
-    ```
-    yotta target frdm-k64f-gcc
-    ```
-
-4. Build mbedtls and the examples. This may take a long time if this is your first compilation:
-
-    ```
-    $ yotta build
-    ```
-
-5. Copy `build/frdm-k64f-gcc/test/mbedtls-test-example-authcrypt.bin` to your mbed board and wait until the LED next to the USB port stops blinking.
-
-6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F.
-
-    Use the following settings:
-
-    * 115200 baud (not 9600).
-    * 8N1.
-    * No flow control.
-
-7. Press the Reset button on the board.
-
-8. The output in the terminal window should look like:
-
-    ```
-    {{timeout;10}}
-    {{host_test_name;default}}
-    {{description;mbed TLS example authcrypt}}
-    {{test_id;MBEDTLS_EX_AUTHCRYPT}}
-    {{start}}
-
-
-    plaintext message: 536f6d65207468696e67732061726520626574746572206c65667420756e7265616400
-    ciphertext: c57f7afb94f14c7977d785d08682a2596bd62ee9dcf216b8cccd997afee9b402f5de1739e8e6467aa363749ef39392e5c66622b01c7203ec0a3d14
-    decrypted: 536f6d65207468696e67732061726520626574746572206c65667420756e7265616400
-
-    DONE
-    {{success}}
-    {{end}}
-    ```
-
-The actual output for the ciphertext line will vary on each run because of the use of a random nonce in the encryption process.
diff --git a/3rdparty/mbedtls/mbedtls/yotta/data/example-authcrypt/main.cpp b/3rdparty/mbedtls/mbedtls/yotta/data/example-authcrypt/main.cpp
deleted file mode 100644
index 23fad27926..0000000000
--- a/3rdparty/mbedtls/mbedtls/yotta/data/example-authcrypt/main.cpp
+++ /dev/null
@@ -1,197 +0,0 @@
-/*
- *  Hello world example of using the authenticated encryption with mbed TLS
- *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
- */
-
-#include "mbedtls/cipher.h"
-#include "mbedtls/entropy.h"
-#include "mbedtls/ctr_drbg.h"
-
-#include <stdio.h>
-#include <string.h>
-
-static void print_hex(const char *title, const unsigned char buf[], size_t len)
-{
-    printf("%s: ", title);
-
-    for (size_t i = 0; i < len; i++)
-        printf("%02x", buf[i]);
-
-    printf("\r\n");
-}
-
-/*
- * The pre-shared key. Should be generated randomly and be unique to the
- * device/channel/etc. Just used a fixed on here for simplicity.
- */
-static const unsigned char secret_key[16] = {
-    0xf4, 0x82, 0xc6, 0x70, 0x3c, 0xc7, 0x61, 0x0a,
-    0xb9, 0xa0, 0xb8, 0xe9, 0x87, 0xb8, 0xc1, 0x72,
-};
-
-static int example(void)
-{
-    /* message that should be protected */
-    const char message[] = "Some things are better left unread";
-    /* metadata transmitted in the clear but authenticated */
-    const char metadata[] = "eg sequence number, routing info";
-    /* ciphertext buffer large enough to hold message + nonce + tag */
-    unsigned char ciphertext[128] = { 0 };
-    int ret;
-
-    printf("\r\n\r\n");
-    print_hex("plaintext message", (unsigned char *) message, sizeof message);
-
-    /*
-     * Setup random number generator
-     * (Note: later this might be done automatically.)
-     */
-    mbedtls_entropy_context entropy;    /* entropy pool for seeding PRNG */
-    mbedtls_ctr_drbg_context drbg;      /* pseudo-random generator */
-
-    mbedtls_entropy_init(&entropy);
-    mbedtls_ctr_drbg_init(&drbg);
-
-    /* Seed the PRNG using the entropy pool, and throw in our secret key as an
-     * additional source of randomness. */
-    ret = mbedtls_ctr_drbg_seed(&drbg, mbedtls_entropy_func, &entropy,
-                                       secret_key, sizeof (secret_key));
-    if (ret != 0) {
-        printf("mbedtls_ctr_drbg_init() returned -0x%04X\r\n", -ret);
-        return 1;
-    }
-
-    /*
-     * Setup AES-CCM contex
-     */
-    mbedtls_cipher_context_t ctx;
-
-    mbedtls_cipher_init(&ctx);
-
-    ret = mbedtls_cipher_setup(&ctx, mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_CCM));
-    if (ret != 0) {
-        printf("mbedtls_cipher_setup() returned -0x%04X\r\n", -ret);
-        return 1;
-    }
-
-    ret = mbedtls_cipher_setkey(&ctx, secret_key, 8 * sizeof secret_key, MBEDTLS_ENCRYPT);
-    if (ret != 0) {
-        printf("mbedtls_cipher_setkey() returned -0x%04X\r\n", -ret);
-        return 1;
-    }
-
-    /*
-     * Encrypt-authenticate the message and authenticate additional data
-     *
-     * First generate a random 8-byte nonce.
-     * Put it directly in the output buffer as the recipient will need it.
-     *
-     * Warning: you must never re-use the same (key, nonce) pair. One of the
-     * best ways to ensure this to use a counter for the nonce. However this
-     * means you should save the counter accross rebots, if the key is a
-     * long-term one. The alternative we choose here is to generate the nonce
-     * randomly. However it only works if you have a good source of
-     * randomness.
-     */
-    const size_t nonce_len = 8;
-    mbedtls_ctr_drbg_random(&drbg, ciphertext, nonce_len);
-
-    size_t ciphertext_len = 0;
-    /* Go for a conservative 16-byte (128-bit) tag
-     * and append it to the ciphertext */
-    const size_t tag_len = 16;
-    ret = mbedtls_cipher_auth_encrypt(&ctx, ciphertext, nonce_len,
-                              (const unsigned char *) metadata, sizeof metadata,
-                              (const unsigned char *) message, sizeof message,
-                              ciphertext + nonce_len, &ciphertext_len,
-                              ciphertext + nonce_len + sizeof message, tag_len );
-    if (ret != 0) {
-        printf("mbedtls_cipher_auth_encrypt() returned -0x%04X\r\n", -ret);
-        return 1;
-    }
-    ciphertext_len += nonce_len + tag_len;
-
-    /*
-     * The following information should now be transmitted:
-     * - first ciphertext_len bytes of ciphertext buffer
-     * - metadata if not already transmitted elsewhere
-     */
-    print_hex("ciphertext", ciphertext, ciphertext_len);
-
-    /*
-     * Decrypt-authenticate
-     */
-    unsigned char decrypted[128] = { 0 };
-    size_t decrypted_len = 0;
-
-    ret = mbedtls_cipher_setkey(&ctx, secret_key, 8 * sizeof secret_key, MBEDTLS_DECRYPT);
-    if (ret != 0) {
-        printf("mbedtls_cipher_setkey() returned -0x%04X\r\n", -ret);
-        return 1;
-    }
-
-    ret = mbedtls_cipher_auth_decrypt(&ctx,
-                              ciphertext, nonce_len,
-                              (const unsigned char *) metadata, sizeof metadata,
-                              ciphertext + nonce_len, ciphertext_len - nonce_len - tag_len,
-                              decrypted, &decrypted_len,
-                              ciphertext + ciphertext_len - tag_len, tag_len );
-    /* Checking the return code is CRITICAL for security here */
-    if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED) {
-        printf("Something bad is happening! Data is not authentic!\r\n");
-        return 1;
-    }
-    if (ret != 0) {
-        printf("mbedtls_cipher_authdecrypt() returned -0x%04X\r\n", -ret);
-        return 1;
-    }
-
-    print_hex("decrypted", decrypted, decrypted_len);
-
-    printf("\r\nDONE\r\n");
-
-    return 0;
-}
-
-#if defined(TARGET_LIKE_MBED)
-
-#include "mbed-drivers/test_env.h"
-#include "minar/minar.h"
-
-static void run() {
-    MBED_HOSTTEST_TIMEOUT(10);
-    MBED_HOSTTEST_SELECT(default);
-    MBED_HOSTTEST_DESCRIPTION(mbed TLS example authcrypt);
-    MBED_HOSTTEST_START("MBEDTLS_EX_AUTHCRYPT");
-    MBED_HOSTTEST_RESULT(example() == 0);
-}
-
-void app_start(int, char*[]) {
-    /* Use 115200 bps for consistency with other examples */
-    get_stdio_serial().baud(115200);
-    minar::Scheduler::postCallback(mbed::util::FunctionPointer0<void>(run).bind());
-}
-
-#else
-
-int main() {
-    return example();
-}
-
-#endif
diff --git a/3rdparty/mbedtls/mbedtls/yotta/data/example-benchmark/README.md b/3rdparty/mbedtls/mbedtls/yotta/data/example-benchmark/README.md
deleted file mode 100644
index 0b99d3d087..0000000000
--- a/3rdparty/mbedtls/mbedtls/yotta/data/example-benchmark/README.md
+++ /dev/null
@@ -1,100 +0,0 @@
-# mbed TLS Benchmark Example
-
-This application benchmarks the various cryptographic primitives offered by mbed TLS.
-
-## Pre-requisites
-
-To build and run this example you must have:
-
-* A computer with the following software installed:
-  * [CMake](http://www.cmake.org/download/).
-  * [yotta](https://github.com/ARMmbed/yotta). Please note that **yotta has its own set of dependencies**, listed in the [installation instructions](http://armmbed.github.io/yotta/#installing-on-windows).
-  * [Python](https://www.python.org/downloads/).
-  * [The ARM GCC toolchain](https://launchpad.net/gcc-arm-embedded).
-  * A serial terminal emulator (Like screen, pySerial and cu).
-* An [FRDM-K64F](http://developer.mbed.org/platforms/FRDM-K64F/) development board, or another board supported by mbed OS (in which case you'll have to substitute frdm-k64f-gcc with the appropriate target in the instructions below).
-* A micro-USB cable.
-* If your OS is Windows, please follow the installation instructions [for the serial port driver](https://developer.mbed.org/handbook/Windows-serial-configuration).
-
-## Getting started
-
-1. Connect the FRDM-K64F to the computer with the micro-USB cable, being careful to use the "OpenSDA" connector on the target board.
-
-2. Navigate to the mbedtls directory supplied with your release and open a terminal.
-
-3. Set the yotta target:
-
-    ```
-    yotta target frdm-k64f-gcc
-    ```
-
-4. Build mbedtls and the examples. This may take a long time if this is your first compilation:
-
-    ```
-    $ yotta build
-    ```
-
-5. Copy `build/frdm-k64f-gcc/test/mbedtls-test-example-benchmark.bin` to your mbed board and wait until the LED next to the USB port stops blinking.
-
-6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F.
-
-    Use the following settings:
-
-    * 115200 baud (not 9600).
-    * 8N1.
-    * No flow control.
-
-7. Press the Reset button on the board.
-
-8. The output in the terminal window should look like:
-
-    ```
-    {{timeout;150}}
-    {{host_test_name;default}}
-    {{description;mbed TLS benchmark program}}
-    {{test_id;MBEDTLS_BENCHMARK}}
-    {{start}}
-
-
-      SHA-1                    :       3644 KiB/s,         32 cycles/byte
-      SHA-256                  :       1957 KiB/s,         59 cycles/byte
-      SHA-512                  :        587 KiB/s,        200 cycles/byte
-      AES-CBC-128              :       1359 KiB/s,         86 cycles/byte
-      AES-CBC-192              :       1183 KiB/s,         99 cycles/byte
-      AES-CBC-256              :       1048 KiB/s,        111 cycles/byte
-      AES-GCM-128              :        421 KiB/s,        279 cycles/byte
-      AES-GCM-192              :        403 KiB/s,        292 cycles/byte
-      AES-GCM-256              :        385 KiB/s,        305 cycles/byte
-      AES-CCM-128              :        542 KiB/s,        216 cycles/byte
-      AES-CCM-192              :        484 KiB/s,        242 cycles/byte
-      AES-CCM-256              :        437 KiB/s,        268 cycles/byte
-      CTR_DRBG (NOPR)          :       1002 KiB/s,        117 cycles/byte
-      CTR_DRBG (PR)            :        705 KiB/s,        166 cycles/byte
-      HMAC_DRBG SHA-1 (NOPR)   :        228 KiB/s,        517 cycles/byte
-      HMAC_DRBG SHA-1 (PR)     :        210 KiB/s,        561 cycles/byte
-      HMAC_DRBG SHA-256 (NOPR) :        212 KiB/s,        557 cycles/byte
-      HMAC_DRBG SHA-256 (PR)   :        185 KiB/s,        637 cycles/byte
-      RSA-2048                 :      41 ms/ public
-      RSA-2048                 :    1349 ms/private
-      RSA-4096                 :     134 ms/ public
-      RSA-4096                 :    7149 ms/private
-      ECDSA-secp384r1          :     640 ms/sign
-      ECDSA-secp256r1          :     387 ms/sign
-      ECDSA-secp384r1          :    1233 ms/verify
-      ECDSA-secp256r1          :     751 ms/verify
-      ECDHE-secp384r1          :    1191 ms/handshake
-      ECDHE-secp256r1          :     730 ms/handshake
-      ECDHE-Curve25519         :     611 ms/handshake
-      ECDH-secp384r1           :     584 ms/handshake
-      ECDH-secp256r1           :     365 ms/handshake
-      ECDH-Curve25519          :     303 ms/handshake
-
-    {{success}}
-    {{end}}
-    ```
-
-Any performance data generated by this example application are indicative only of the performance of the mbed TLS module on the platform it's executed on.
-
-Differences in the integration of mbed TLS into the platform, such as whether all available hardware accelerators have been used or not, can lead to significant differences in performance, and so results from the program are not intended to be used to meaningfully compare platforms.
-
-The figures may also slightly change from execution to execution due to variations in the timing functions.
diff --git a/3rdparty/mbedtls/mbedtls/yotta/data/example-benchmark/main.cpp b/3rdparty/mbedtls/mbedtls/yotta/data/example-benchmark/main.cpp
deleted file mode 100644
index d13cde550a..0000000000
--- a/3rdparty/mbedtls/mbedtls/yotta/data/example-benchmark/main.cpp
+++ /dev/null
@@ -1,951 +0,0 @@
-/*
- *  Benchmark demonstration program
- *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
- */
-
-#if !defined(TARGET_LIKE_MBED)
-
-#include <stdio.h>
-
-int main() {
-    printf("this version of this program only works on mbed OS\n");
-    return 0;
-}
-
-#else
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_exit       exit
-#define mbedtls_printf     printf
-#define mbedtls_snprintf   snprintf
-#define mbedtls_free       free
-#endif
-
-#include <string.h>
-
-#include "mbedtls/md4.h"
-#include "mbedtls/md5.h"
-#include "mbedtls/ripemd160.h"
-#include "mbedtls/sha1.h"
-#include "mbedtls/sha256.h"
-#include "mbedtls/sha512.h"
-#include "mbedtls/arc4.h"
-#include "mbedtls/des.h"
-#include "mbedtls/aes.h"
-#include "mbedtls/blowfish.h"
-#include "mbedtls/camellia.h"
-#include "mbedtls/gcm.h"
-#include "mbedtls/ccm.h"
-#include "mbedtls/havege.h"
-#include "mbedtls/ctr_drbg.h"
-#include "mbedtls/hmac_drbg.h"
-#include "mbedtls/rsa.h"
-#include "mbedtls/pk.h"
-#include "mbedtls/dhm.h"
-#include "mbedtls/ecdsa.h"
-#include "mbedtls/ecdh.h"
-#include "mbedtls/error.h"
-
-#include "mbed-drivers/mbed.h"
-
-#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
-#include "mbedtls/memory_buffer_alloc.h"
-#endif
-
-#define RSA_PRIVATE_KEY_2048                                            \
-"-----BEGIN RSA PRIVATE KEY-----\r\n"                                   \
-"MIIEogIBAAKCAQEA2dwVr+IMGEtA2/MCP6fA5eb/6B18Bq6e7gw8brNPkm3E6LyR\r\n"  \
-"4DnMJVxZmw3bPDKBDoKzfntkMESi/Yw5UopLtVfjGfWeQWPClqffLZBsZ60BRAsg\r\n"  \
-"/g+ID5tgzxSuxzftypK59uexOVCAm7hCKZHGO3DbI7bLY27j7VAgEP7d/yuaz5Fx\r\n"  \
-"Kl/vu7shqrBoz6ABJVJD3KC8nUiMRUCXRINmxbyUUjA4DnicZv6+xrGKr36r6M8h\r\n"  \
-"VYLa5msKc8WzbnBWzpUsrpb4/r7ML+qp92gdSfVJ8/bLiU7h2C7faDA59uaqrFK9\r\n"  \
-"xmDdx7FaWhGQs3LWW6w1UNgkPS0FDYUslpsnsQIDAQABAoIBAC7IJNwM5V3+IuJY\r\n"  \
-"T35Nzo1PyloUosJokvY5KGz5Ejg2XBdCDu0gXCcVqqQyGIbXrYDpLhQV+RCoXHun\r\n"  \
-"tdN0oQdC5SB47s/J1Uo2qCUHo0+sBd6PqTkFKsl3KxWssk9TQjvCwC412IefMs69\r\n"  \
-"hW+ZvwCanmQP56LleApIr2oW4KLfW8Ry/QfZlua+dizctdN7+H1mWwgZQTY9T27J\r\n"  \
-"6RtGRA5NVkKVPzIHVJfdpKoO7xGg1g06aEbPB/VmGvZaaFWWnaf7uRvFjLZecBLu\r\n"  \
-"QSx2DA/GDjirlDYj99PJb7DtB4xRtKzsyw0o+xapC8w6OtIl/3xFt9moCu2jGrsx\r\n"  \
-"vpjHdfECgYEA7fSACRseIs9gAIVX8wq6gayTpA47DHYWAD6IQfIj35SJ+AgsvbFF\r\n"  \
-"4AmrwDhcJVPmDy1N4nLBfyGAMt/2CfiYkdkW6QFX/ULRMMBL/G7kWV8hYQDICB2g\r\n"  \
-"xaMRN1lPCmFq6BkSWjwIYTnYDFBDWVm1GVT8TMtJoM8Erej9qC0PeFUCgYEA6mF3\r\n"  \
-"bigO3t8f5sig+XepaftEUbkJMzo72TVRnIR2ycdR2ihelPQ+25g9dwV0ZA5XXhBS\r\n"  \
-"DKOABWjMM739Mwmy9v26Dlmu9R01zHQktMvtEAyfz7lk2NF0aMuj8285OJUBf9bz\r\n"  \
-"Cq3MjtMCD+4CZ6iaEqCdUKOuxfpx5cWVJV+qve0CgYBhD1YaYMFOGaBjFgDl1f51\r\n"  \
-"Xltqk5NqZdBbkSYrIAWZ8RDF5y+4wFJsLAWuhk6vuyUgE66tK3nZzWRpXAkT0B8L\r\n"  \
-"fq1lpXKqj1KcvBNCiEkEW1VWJ+dvyAYIF5eyJ++hoFLnETL3M32HivyhKSwPihPg\r\n"  \
-"nVW8TT9fJJIYDe1JZ/fjcQKBgHJfv7UsrR0LSvkG3K8AOtbx+8PZhOjPuRbk0v+L\r\n"  \
-"EKCkuIe5/XW4vtfQMeZb7hFJgk7vrepm+vkoy8VQKDf4urGW3W1VTHBmobM01hi4\r\n"  \
-"DuYvEul+Mf0wMRtWjJolo4m+BO5KiW2jpFfqFm6JmfjVqOIAKOSKC6am8V/MDF0h\r\n"  \
-"kyN9AoGAT9oOiEXMolbkDZw/QCaBiRoAGlGlNYUkJ+58U6OjIZLISw6aFv+Y2uE0\r\n"  \
-"mEImItjuYZtSYKblWikp6ldPoKlt9bwEFe3c6IZ8kJ3+xyEyAGrvjXjEY7PzP6dp\r\n"  \
-"Ajbjp9X9uocEBv9W/KsBLdQ7yizcL/toHwdBO4vQqmqTvAc5IIw=\r\n"              \
-"-----END RSA PRIVATE KEY-----\r\n"
-
-#define RSA_PRIVATE_KEY_4096                                            \
-"-----BEGIN RSA PRIVATE KEY-----\r\n"                                   \
-"MIIJKgIBAAKCAgEAmkdGjoIshJuOt2NO47qB3Z3yyvmLg2j351isItSNuFQU3qr+\r\n"  \
-"jXHIeANf03yw/K0Zvos8RPd+CqLjoxAQL3QDH4bZAl88bIo29i+SANbNSrKQmc0k\r\n"  \
-"pH+yzw3alDzO0GZaOPZjsbo6AwBrno5msi0vRuC2aY8vGLPsZWSyLai7tneS1j/o\r\n"  \
-"vYW6XIo8Cj61j2Ypy9HhVUW/4Wc+zAT25D/x7jTpkqJLWWT+YzibNbOY48M5eJcB\r\n"  \
-"6/sMyUIeI3/u/wXyMrooNyLiCpedkuHRA0m7u5cWPTUISTunSRlVFij/NHJjuU8e\r\n"  \
-"wA3B29yfZFsUqDEnyc+OxniIueAixTomVszxAaVn8zFEbYhFMPqziiFp99u3jfeG\r\n"  \
-"k1q9mmUi/uCfUC4e2IC5rqq1ZbKSduH7Ug/Vn2bGQahww0sZFRHDXFrnBcotcW+M\r\n"  \
-"bnC290VBDnYgzmdYrIOxuPb2aUwJo4ZlbKh5uBB1PigMuyhLKibQ1a+V5ZJGdpP6\r\n"  \
-"SE9PGIdgYWSmh2QEMuLE6v+wTO2LQ5JgqsvFfi3GIZvkn0s8jTS72Jq2uMkFkMer\r\n"  \
-"UBjPDYaSPy5kpo103KerWs+cMPOJ/3FtZzI++7MoSUTkWVr1ySQFt5i1EIZ/0Thi\r\n"  \
-"jut2jNe8a4AoA3TtC8Rkk/3AIIbg8MVNT4EnT+KHROTMu6gET1oJ3YfBRpUCAwEA\r\n"  \
-"AQKCAgEAhuNSmT7PVZH8kfLOAuYKrY1vvm+4v0iDl048Eqfs0QESziyLK3gUYnnw\r\n"  \
-"yqP2yrU+EQ8Dvvj0xq/sf6GHxTWVlXb9PcmutueRbmXhLcKg83J0Y0StiPXtjIL8\r\n"  \
-"XSddW3Bh6fPi7n14Qy+W6KZwu9AtybanRlvePabyRSRpdOpWVQ7u30w5XZsSed6S\r\n"  \
-"6BI0BBC68m2qqje1sInoqdCdXKtcB31TytUDNEHM+UuAyM8iGeGS2hCNqZlycHTS\r\n"  \
-"jQ9KEsdMH3YLu0lQgRpWtxmg+VL6ROWwmAtKF12EwbDYZ+uoVl69OkQnCpv8pxKa\r\n"  \
-"ec/4m6V+uEA1AOpaAMorHG3fH31IKWC/fTZstovgO/eG2XCtlbcCoWCQ7amFq16l\r\n"  \
-"Gh1UKeBHxMXpDj4oDmIUGUvgzSNnEeSN/v76losWvWYQDjXR/LMDa/CNYsD8BmJR\r\n"  \
-"PZidIjIXdVRlYOhA7ljtySQvp6RBujBfw3tsVMyZw2XzXFwM9O89b1xXC6+M5jf9\r\n"  \
-"DXs/U7Fw+J9qq/YpByABcPCwWdttwdQFRbOxwxaSOKarIqS87TW1JuFcNJ59Ut6G\r\n"  \
-"kMvAg6gC34U+0ktkG/AmI1hgjC+P7ErHCXBR2xARoGzcO/CMZF59S+Z2HFchpTSP\r\n"  \
-"5T2o4mGy3VfHSBidQQrcZRukg8ZP8M1NF3bXjpY6QZpeLHc4oHECggEBAMjdgzzk\r\n"  \
-"xp4mIYFxAEiXYt7tzuUXJk+0UpEJj5uboWLirUZqZmNUPyh6WDnzlREBH++Ms0LO\r\n"  \
-"+AWSfaGPDoMb0NE2j3c4FRWAhe7Vn6lj7nLVpF2RdwRo88yGerZ4uwGMY8NUQCtn\r\n"  \
-"zum3J7eCJ5DojiceRb6uMxTJ8xZmUC4W2f3J/lrR7wlYjyVnnHqH5HcemYUipWSw\r\n"  \
-"sM0/cHp3lrz2VWrbAEu8HVpklvDQpdAgl7cjXt/JHYawY+p426IF/PzQSRROnzgy\r\n"  \
-"4WI8FVYNV2tgu0TOFURbkkEvuj/duDKeooUIF0G0XHzha5oAX/j0iWiHbrOF6wHj\r\n"  \
-"0xeajL9msKBnmD8CggEBAMSgLWmv7G31x4tndJCcXnX4AyVL7KpygAx/ZwCcyTR8\r\n"  \
-"rY1rO07f/ta2noEra/xmEW/BW98qJFCHSU2nSLAQ5FpFSWyuQqrnffrMJnfWyvpr\r\n"  \
-"ceQ0yQ/MiA6/JIOvGAjabcspzZijxzGp+Qk3eTT0yOXLSVOCH9B9XVHLodcy4PQM\r\n"  \
-"KSCxy0vVHhVNl2SdPEwTXRmxk99Q/rw6IHVpQxBq1OhQt05nTKT+rZMD/grSK22e\r\n"  \
-"my2F0DodAJwLo063Zv3RXQZhDYodMmjcp9Hqrtvj9P3HD7J3z6ACiV3SCi8cZumL\r\n"  \
-"bSmnKCcd0bb45+aOWm31ieECJuIcJ9rOREEa/KDYTCsCggEBAMG5WkSVhLWsou37\r\n"  \
-"dUGNuA63nq42SH3gtS0q4nU6gUkkw+dA4ST1cMByVrr1oRQ4WHup4I4TnQOKyF3T\r\n"  \
-"4jQy1I+ipnVeAn+tZ/7zyzwMpEHeqNqRXA9FxbTBEoMAJ6QTqXgOvqDeSqIAQm7r\r\n"  \
-"OYu5rrgtqyh/S8bGCwvUe4ooAfCSKx2ekYMbBVwW9MT8YS09tuS/iHJ3Mt2RTMLg\r\n"  \
-"qeHvVmxrcXqZoFm44Ba7tN/pP0mi9HKyviZT4tmV3IYEbn3JyGGsfkUuVU9wEUfg\r\n"  \
-"MCrgrVxrwfketAzooiHMjkVL2ASjzAJTmEvdAPETYXxzJD9LN0ovY3t8JfAC37IN\r\n"  \
-"sVXS8/MCggEBALByOS59Y4Ktq1rLBQx8djwQyuneP0wZohUVAx7Gk7xZIfklQDyg\r\n"  \
-"v/R4PrcVezstcPpDnykdjScCsGJR+uWc0v667I/ttP/e6utz5hVmmBGu965dPAzE\r\n"  \
-"c1ggaSkOqFfRg/Nr2Qbf+fH0YPnHYSqHe/zSt0OMIvaaeXLcdKhEDSCUBRhE1HWB\r\n"  \
-"kxR046WzgBeYzNQwycz9xwqsctJKGpeR9ute+5ANHPd3X9XtID0fqz8ctI5eZaSw\r\n"  \
-"wApIW01ZQcAF8B+4WkkVuFXnpWW33yCOaRyPVOPHpnclr5WU1fS+3Q85QkW9rkej\r\n"  \
-"97zlkl0QY9AHJqrXnoML1ywAK7ns+MVyNK8CggEAf62xcKZhOb1djeF72Ms+i/i/\r\n"  \
-"WIAq4Q4YpsElgvJTHpNH2v9g4ngSTKe3ws3bGc502sWRlhcoTFMOW2rJNe/iqKkb\r\n"  \
-"3cdeTkseDbpqozmJWz9dJWSVtXas2bZjzBEa//gQ7nHGVeQdqZJQ9rxPsoOAkfpi\r\n"  \
-"qCFrmfUVUqC53e3XMt8+W+aSvKl+JZiB9ozkO9A6Q0vfQLKtjUMdQE3XaCFQT8DI\r\n"  \
-"smaLBlBmeRaBpc02ENeC4ADlWosm1SwgxqMhuh2Alba/GrHOoPlVl4hDs9Fb5a6R\r\n"  \
-"rmpXSt07GAxnG6j9jssA95E4rc1zO0CVKG5bvjVTxwi/sT0/VVX7VsJM4uTAQg==\r\n"  \
-"-----END RSA PRIVATE KEY-----\r\n"
-
-#if defined _MSC_VER && !defined snprintf
-#define snprintf _snprintf
-#endif
-
-/*
- * For heap usage estimates, we need an estimate of the overhead per allocated
- * block. ptmalloc2/3 (used in gnu libc for instance) uses 2 size_t per block,
- * so use that as our baseline.
- */
-#define MEM_BLOCK_OVERHEAD  ( 2 * sizeof( size_t ) )
-
-/*
- * Size to use for the malloc buffer if MEMORY_BUFFER_ALLOC_C is defined.
- */
-#define HEAP_SIZE       (1u << 16)  // 64k
-
-#define BUFSIZE         1024
-#define HEADER_FORMAT   "  %-24s :  "
-#define TITLE_LEN       25
-
-#define OPTIONS                                                         \
-    "md4, md5, ripemd160, sha1, sha256, sha512,\r\n"                      \
-    "arc4, des3, des, aes_cbc, aes_gcm, aes_ccm, camellia, blowfish,\r\n" \
-    "havege, ctr_drbg, hmac_drbg\r\n"                                     \
-    "rsa, dhm, ecdsa, ecdh.\r\n"
-
-#if defined(MBEDTLS_ERROR_C)
-#define PRINT_ERROR                                                     \
-        mbedtls_strerror( ret, ( char * )tmp, sizeof( tmp ) );         \
-        mbedtls_printf( "FAILED: %s\r\n", tmp );
-#else
-#define PRINT_ERROR                                                     \
-        mbedtls_printf( "FAILED: -0x%04x\r\n", -ret );
-#endif
-
-static unsigned long mbedtls_timing_hardclock( void )
-{
-    static int dwt_started = 0;
-
-    if( dwt_started == 0 )
-    {
-        CoreDebug->DEMCR |= CoreDebug_DEMCR_TRCENA_Msk;
-        DWT->CTRL |= DWT_CTRL_CYCCNTENA_Msk;
-    }
-
-    return( DWT->CYCCNT );
-}
-
-static volatile int alarmed;
-static void alarm() { alarmed = 1; }
-
-#define TIME_AND_TSC( TITLE, CODE )                                     \
-do {                                                                    \
-    unsigned long i, j, tsc;                                            \
-    Timeout t; \
-                                                                        \
-    mbedtls_printf( HEADER_FORMAT, TITLE );                            \
-    fflush( stdout );                                                   \
-                                                                        \
-    for( i = 1, alarmed = 0, t.attach( alarm, 1.0 ); !alarmed; i++ )                                        \
-    {                                                                   \
-        CODE;                                                           \
-    }                                                                   \
-                                                                        \
-    tsc = mbedtls_timing_hardclock();                                                  \
-    for( j = 0; j < 1024; j++ )                                         \
-    {                                                                   \
-        CODE;                                                           \
-    }                                                                   \
-                                                                        \
-    mbedtls_printf( "%9lu KiB/s,  %9lu cycles/byte\r\n",                  \
-                     i * BUFSIZE / 1024,                                \
-                     ( mbedtls_timing_hardclock() - tsc ) / ( j * BUFSIZE ) );         \
-} while( 0 )
-
-#if defined(MBEDTLS_ERROR_C)
-#define PRINT_ERROR                                                     \
-        mbedtls_strerror( ret, ( char * )tmp, sizeof( tmp ) );         \
-        mbedtls_printf( "FAILED: %s\r\n", tmp );
-#else
-#define PRINT_ERROR                                                     \
-        mbedtls_printf( "FAILED: -0x%04x\r\n", -ret );
-#endif
-
-#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && defined(MBEDTLS_MEMORY_DEBUG)
-
-#define MEMORY_MEASURE_INIT                                             \
-    size_t max_used, max_blocks, max_bytes;                             \
-    size_t prv_used, prv_blocks;                                        \
-    mbedtls_memory_buffer_alloc_cur_get( &prv_used, &prv_blocks );              \
-    mbedtls_memory_buffer_alloc_max_reset( );
-
-#define MEMORY_MEASURE_PRINT( title_len )                               \
-    mbedtls_memory_buffer_alloc_max_get( &max_used, &max_blocks );              \
-    for( i = 12 - title_len; i != 0; i-- ) mbedtls_printf( " " );      \
-    max_used -= prv_used;                                               \
-    max_blocks -= prv_blocks;                                           \
-    max_bytes = max_used + MEM_BLOCK_OVERHEAD * max_blocks;             \
-    mbedtls_printf( "%6u heap bytes", (unsigned) max_bytes );
-
-#else
-#define MEMORY_MEASURE_INIT
-#define MEMORY_MEASURE_PRINT( title_len )
-#endif
-
-#define TIME_PUBLIC( TITLE, TYPE, CODE )                                \
-do {                                                                    \
-    unsigned long ms;                                                    \
-    int ret = 0;                                                            \
-    Timer t; \
-    MEMORY_MEASURE_INIT;                                                \
-                                                                        \
-    mbedtls_printf( HEADER_FORMAT, TITLE );                            \
-    fflush( stdout );                                                   \
-    \
-    t.start(); \
-    CODE; \
-    t.stop(); \
-    ms = t.read_ms(); \
-                                                                        \
-    if( ret != 0 )                                                      \
-    {                                                                   \
-        PRINT_ERROR;                                                    \
-    }                                                                   \
-    else                                                                \
-    {                                                                   \
-        mbedtls_printf( "%6lu ms/" TYPE, ms );                    \
-        MEMORY_MEASURE_PRINT( sizeof( TYPE ) + 1 );                     \
-        mbedtls_printf( "\r\n" );                                        \
-    }                                                                   \
-} while( 0 )
-
-static int myrand( void *rng_state, unsigned char *output, size_t len )
-{
-    size_t use_len;
-    int rnd;
-
-    if( rng_state != NULL )
-        rng_state  = NULL;
-
-    while( len > 0 )
-    {
-        use_len = len;
-        if( use_len > sizeof(int) )
-            use_len = sizeof(int);
-
-        rnd = rand();
-        memcpy( output, &rnd, use_len );
-        output += use_len;
-        len -= use_len;
-    }
-
-    return( 0 );
-}
-
-/*
- * Clear some memory that was used to prepare the context
- */
-#if defined(MBEDTLS_ECP_C)
-void ecp_clear_precomputed( mbedtls_ecp_group *grp )
-{
-    if( grp->T != NULL )
-    {
-        size_t i;
-        for( i = 0; i < grp->T_size; i++ )
-            mbedtls_ecp_point_free( &grp->T[i] );
-        mbedtls_free( grp->T );
-    }
-    grp->T = NULL;
-    grp->T_size = 0;
-}
-#else
-#define ecp_clear_precomputed( g )
-#endif
-
-unsigned char buf[BUFSIZE];
-
-typedef struct {
-    char md4, md5, ripemd160, sha1, sha256, sha512,
-         arc4, des3, des, aes_cbc, aes_gcm, aes_ccm, camellia, blowfish,
-         havege, ctr_drbg, hmac_drbg,
-         rsa, dhm, ecdsa, ecdh;
-} todo_list;
-
-int benchmark( int argc, char *argv[] )
-{
-    int i;
-    unsigned char tmp[200];
-    char title[TITLE_LEN];
-    todo_list todo;
-#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
-    unsigned char malloc_buf[HEAP_SIZE] = { 0 };
-#endif
-
-    if( argc <= 1 )
-    {
-        memset( &todo, 1, sizeof( todo ) );
-    }
-    else
-    {
-        memset( &todo, 0, sizeof( todo ) );
-
-        for( i = 1; i < argc; i++ )
-        {
-            if( strcmp( argv[i], "md4" ) == 0 )
-                todo.md4 = 1;
-            else if( strcmp( argv[i], "md5" ) == 0 )
-                todo.md5 = 1;
-            else if( strcmp( argv[i], "ripemd160" ) == 0 )
-                todo.ripemd160 = 1;
-            else if( strcmp( argv[i], "sha1" ) == 0 )
-                todo.sha1 = 1;
-            else if( strcmp( argv[i], "sha256" ) == 0 )
-                todo.sha256 = 1;
-            else if( strcmp( argv[i], "sha512" ) == 0 )
-                todo.sha512 = 1;
-            else if( strcmp( argv[i], "arc4" ) == 0 )
-                todo.arc4 = 1;
-            else if( strcmp( argv[i], "des3" ) == 0 )
-                todo.des3 = 1;
-            else if( strcmp( argv[i], "des" ) == 0 )
-                todo.des = 1;
-            else if( strcmp( argv[i], "aes_cbc" ) == 0 )
-                todo.aes_cbc = 1;
-            else if( strcmp( argv[i], "aes_gcm" ) == 0 )
-                todo.aes_gcm = 1;
-            else if( strcmp( argv[i], "aes_ccm" ) == 0 )
-                todo.aes_ccm = 1;
-            else if( strcmp( argv[i], "camellia" ) == 0 )
-                todo.camellia = 1;
-            else if( strcmp( argv[i], "blowfish" ) == 0 )
-                todo.blowfish = 1;
-            else if( strcmp( argv[i], "havege" ) == 0 )
-                todo.havege = 1;
-            else if( strcmp( argv[i], "ctr_drbg" ) == 0 )
-                todo.ctr_drbg = 1;
-            else if( strcmp( argv[i], "hmac_drbg" ) == 0 )
-                todo.hmac_drbg = 1;
-            else if( strcmp( argv[i], "rsa" ) == 0 )
-                todo.rsa = 1;
-            else if( strcmp( argv[i], "dhm" ) == 0 )
-                todo.dhm = 1;
-            else if( strcmp( argv[i], "ecdsa" ) == 0 )
-                todo.ecdsa = 1;
-            else if( strcmp( argv[i], "ecdh" ) == 0 )
-                todo.ecdh = 1;
-            else
-            {
-                mbedtls_printf( "Unrecognized option: %s\r\n", argv[i] );
-                mbedtls_printf( "Available options: " OPTIONS );
-            }
-        }
-    }
-
-    mbedtls_printf( "\r\n\r\n" );
-
-#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
-    mbedtls_memory_buffer_alloc_init( malloc_buf, sizeof( malloc_buf ) );
-#endif
-    memset( buf, 0xAA, sizeof( buf ) );
-    memset( tmp, 0xBB, sizeof( tmp ) );
-
-#if defined(MBEDTLS_MD4_C)
-    if( todo.md4 )
-        TIME_AND_TSC( "MD4", mbedtls_md4( buf, BUFSIZE, tmp ) );
-#endif
-
-#if defined(MBEDTLS_MD5_C)
-    if( todo.md5 )
-        TIME_AND_TSC( "MD5", mbedtls_md5( buf, BUFSIZE, tmp ) );
-#endif
-
-#if defined(MBEDTLS_RIPEMD160_C)
-    if( todo.ripemd160 )
-        TIME_AND_TSC( "RIPEMD160", mbedtls_ripemd160( buf, BUFSIZE, tmp ) );
-#endif
-
-#if defined(MBEDTLS_SHA1_C)
-    if( todo.sha1 )
-        TIME_AND_TSC( "SHA-1", mbedtls_sha1( buf, BUFSIZE, tmp ) );
-#endif
-
-#if defined(MBEDTLS_SHA256_C)
-    if( todo.sha256 )
-        TIME_AND_TSC( "SHA-256", mbedtls_sha256( buf, BUFSIZE, tmp, 0 ) );
-#endif
-
-#if defined(MBEDTLS_SHA512_C)
-    if( todo.sha512 )
-        TIME_AND_TSC( "SHA-512", mbedtls_sha512( buf, BUFSIZE, tmp, 0 ) );
-#endif
-
-#if defined(MBEDTLS_ARC4_C)
-    if( todo.arc4 )
-    {
-        mbedtls_arc4_context arc4;
-        mbedtls_arc4_init( &arc4 );
-        mbedtls_arc4_setup( &arc4, tmp, 32 );
-        TIME_AND_TSC( "ARC4", mbedtls_arc4_crypt( &arc4, BUFSIZE, buf, buf ) );
-        mbedtls_arc4_free( &arc4 );
-    }
-#endif
-
-#if defined(MBEDTLS_DES_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
-    if( todo.des3 )
-    {
-        mbedtls_des3_context des3;
-        mbedtls_des3_init( &des3 );
-        mbedtls_des3_set3key_enc( &des3, tmp );
-        TIME_AND_TSC( "3DES",
-                mbedtls_des3_crypt_cbc( &des3, MBEDTLS_DES_ENCRYPT, BUFSIZE, tmp, buf, buf ) );
-        mbedtls_des3_free( &des3 );
-    }
-
-    if( todo.des )
-    {
-        mbedtls_des_context des;
-        mbedtls_des_init( &des );
-        mbedtls_des_setkey_enc( &des, tmp );
-        TIME_AND_TSC( "DES",
-                mbedtls_des_crypt_cbc( &des, MBEDTLS_DES_ENCRYPT, BUFSIZE, tmp, buf, buf ) );
-        mbedtls_des_free( &des );
-    }
-#endif
-
-#if defined(MBEDTLS_AES_C)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-    if( todo.aes_cbc )
-    {
-        int keysize;
-        mbedtls_aes_context aes;
-        mbedtls_aes_init( &aes );
-        for( keysize = 128; keysize <= 256; keysize += 64 )
-        {
-            mbedtls_snprintf( title, sizeof( title ), "AES-CBC-%d", keysize );
-
-            memset( buf, 0, sizeof( buf ) );
-            memset( tmp, 0, sizeof( tmp ) );
-            mbedtls_aes_setkey_enc( &aes, tmp, keysize );
-
-            TIME_AND_TSC( title,
-                mbedtls_aes_crypt_cbc( &aes, MBEDTLS_AES_ENCRYPT, BUFSIZE, tmp, buf, buf ) );
-        }
-        mbedtls_aes_free( &aes );
-    }
-#endif
-#if defined(MBEDTLS_GCM_C)
-    if( todo.aes_gcm )
-    {
-        int keysize;
-        mbedtls_gcm_context gcm;
-
-        mbedtls_gcm_init( &gcm );
-        for( keysize = 128; keysize <= 256; keysize += 64 )
-        {
-            mbedtls_snprintf( title, sizeof( title ), "AES-GCM-%d", keysize );
-
-            memset( buf, 0, sizeof( buf ) );
-            memset( tmp, 0, sizeof( tmp ) );
-            mbedtls_gcm_setkey( &gcm, MBEDTLS_CIPHER_ID_AES, tmp, keysize );
-
-            TIME_AND_TSC( title,
-                    mbedtls_gcm_crypt_and_tag( &gcm, MBEDTLS_GCM_ENCRYPT, BUFSIZE, tmp,
-                        12, NULL, 0, buf, buf, 16, tmp ) );
-
-            mbedtls_gcm_free( &gcm );
-        }
-    }
-#endif
-#if defined(MBEDTLS_CCM_C)
-    if( todo.aes_ccm )
-    {
-        int keysize;
-        mbedtls_ccm_context ccm;
-
-        mbedtls_ccm_init( &ccm );
-        for( keysize = 128; keysize <= 256; keysize += 64 )
-        {
-            mbedtls_snprintf( title, sizeof( title ), "AES-CCM-%d", keysize );
-
-            memset( buf, 0, sizeof( buf ) );
-            memset( tmp, 0, sizeof( tmp ) );
-            mbedtls_ccm_setkey( &ccm, MBEDTLS_CIPHER_ID_AES, tmp, keysize );
-
-            TIME_AND_TSC( title,
-                    mbedtls_ccm_encrypt_and_tag( &ccm, BUFSIZE, tmp,
-                        12, NULL, 0, buf, buf, tmp, 16 ) );
-
-            mbedtls_ccm_free( &ccm );
-        }
-    }
-#endif
-#endif
-
-#if defined(MBEDTLS_CAMELLIA_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
-    if( todo.camellia )
-    {
-        int keysize;
-        mbedtls_camellia_context camellia;
-        mbedtls_camellia_init( &camellia );
-        for( keysize = 128; keysize <= 256; keysize += 64 )
-        {
-            mbedtls_snprintf( title, sizeof( title ), "CAMELLIA-CBC-%d", keysize );
-
-            memset( buf, 0, sizeof( buf ) );
-            memset( tmp, 0, sizeof( tmp ) );
-            mbedtls_camellia_setkey_enc( &camellia, tmp, keysize );
-
-            TIME_AND_TSC( title,
-                    mbedtls_camellia_crypt_cbc( &camellia, MBEDTLS_CAMELLIA_ENCRYPT,
-                        BUFSIZE, tmp, buf, buf ) );
-        }
-        mbedtls_camellia_free( &camellia );
-    }
-#endif
-
-#if defined(MBEDTLS_BLOWFISH_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
-    if( todo.blowfish )
-    {
-        int keysize;
-        mbedtls_blowfish_context blowfish;
-        mbedtls_blowfish_init( &blowfish );
-
-        for( keysize = 128; keysize <= 256; keysize += 64 )
-        {
-            mbedtls_snprintf( title, sizeof( title ), "BLOWFISH-CBC-%d", keysize );
-
-            memset( buf, 0, sizeof( buf ) );
-            memset( tmp, 0, sizeof( tmp ) );
-            mbedtls_blowfish_setkey( &blowfish, tmp, keysize );
-
-            TIME_AND_TSC( title,
-                    mbedtls_blowfish_crypt_cbc( &blowfish, MBEDTLS_BLOWFISH_ENCRYPT, BUFSIZE,
-                        tmp, buf, buf ) );
-        }
-
-        mbedtls_blowfish_free( &blowfish );
-    }
-#endif
-
-#if defined(MBEDTLS_HAVEGE_C)
-    if( todo.havege )
-    {
-        mbedtls_havege_state hs;
-        mbedtls_havege_init( &hs );
-        TIME_AND_TSC( "HAVEGE", mbedtls_havege_random( &hs, buf, BUFSIZE ) );
-        mbedtls_havege_free( &hs );
-    }
-#endif
-
-#if defined(MBEDTLS_CTR_DRBG_C)
-    if( todo.ctr_drbg )
-    {
-        mbedtls_ctr_drbg_context ctr_drbg;
-
-        mbedtls_ctr_drbg_init( &ctr_drbg );
-
-        if( mbedtls_ctr_drbg_seed( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
-            mbedtls_exit(1);
-        TIME_AND_TSC( "CTR_DRBG (NOPR)",
-                if( mbedtls_ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
-                mbedtls_exit(1) );
-
-        if( mbedtls_ctr_drbg_seed( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
-            mbedtls_exit(1);
-        mbedtls_ctr_drbg_set_prediction_resistance( &ctr_drbg, MBEDTLS_CTR_DRBG_PR_ON );
-        TIME_AND_TSC( "CTR_DRBG (PR)",
-                if( mbedtls_ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
-                mbedtls_exit(1) );
-        mbedtls_ctr_drbg_free( &ctr_drbg );
-    }
-#endif
-
-#if defined(MBEDTLS_HMAC_DRBG_C)
-    if( todo.hmac_drbg )
-    {
-        mbedtls_hmac_drbg_context hmac_drbg;
-        const mbedtls_md_info_t *md_info;
-
-        mbedtls_hmac_drbg_init( &hmac_drbg );
-
-#if defined(MBEDTLS_SHA1_C)
-        if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
-            mbedtls_exit(1);
-
-        if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 )
-            mbedtls_exit(1);
-        TIME_AND_TSC( "HMAC_DRBG SHA-1 (NOPR)",
-                if( mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) != 0 )
-                mbedtls_exit(1) );
-        mbedtls_hmac_drbg_free( &hmac_drbg );
-
-        if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 )
-            mbedtls_exit(1);
-        mbedtls_hmac_drbg_set_prediction_resistance( &hmac_drbg,
-                                             MBEDTLS_HMAC_DRBG_PR_ON );
-        TIME_AND_TSC( "HMAC_DRBG SHA-1 (PR)",
-                if( mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) != 0 )
-                mbedtls_exit(1) );
-        mbedtls_hmac_drbg_free( &hmac_drbg );
-#endif
-
-#if defined(MBEDTLS_SHA256_C)
-        if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ) ) == NULL )
-            mbedtls_exit(1);
-
-        if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 )
-            mbedtls_exit(1);
-        TIME_AND_TSC( "HMAC_DRBG SHA-256 (NOPR)",
-                if( mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) != 0 )
-                mbedtls_exit(1) );
-        mbedtls_hmac_drbg_free( &hmac_drbg );
-
-        if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 )
-            mbedtls_exit(1);
-        mbedtls_hmac_drbg_set_prediction_resistance( &hmac_drbg,
-                                             MBEDTLS_HMAC_DRBG_PR_ON );
-        TIME_AND_TSC( "HMAC_DRBG SHA-256 (PR)",
-                if( mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) != 0 )
-                mbedtls_exit(1) );
-        mbedtls_hmac_drbg_free( &hmac_drbg );
-#endif
-    }
-#endif
-
-#if defined(MBEDTLS_RSA_C) && \
-    defined(MBEDTLS_PEM_PARSE_C) && defined(MBEDTLS_PK_PARSE_C)
-    if( todo.rsa )
-    {
-        mbedtls_pk_context pk;
-        mbedtls_rsa_context *rsa;
-        const char *rsa_keys[] = { RSA_PRIVATE_KEY_2048, RSA_PRIVATE_KEY_4096 };
-        size_t i;
-
-        for( i = 0; i < sizeof( rsa_keys ) / sizeof( rsa_keys[0] ); i++ )
-        {
-            mbedtls_pk_init( &pk );
-            mbedtls_pk_parse_key( &pk, (const unsigned char *) rsa_keys[i],
-                                                       strlen( rsa_keys[i] ) + 1, NULL, 0 );
-            rsa = mbedtls_pk_rsa( pk );
-
-            mbedtls_snprintf( title, sizeof( title ), "RSA-%d", mbedtls_pk_get_bitlen( &pk ) );
-
-            TIME_PUBLIC( title, " public",
-                    buf[0] = 0;
-                    ret = mbedtls_rsa_public( rsa, buf, buf ) );
-
-            TIME_PUBLIC( title, "private",
-                    buf[0] = 0;
-                    ret = mbedtls_rsa_private( rsa, myrand, NULL, buf, buf ) );
-
-            mbedtls_pk_free( &pk );
-        }
-    }
-#endif
-
-#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_BIGNUM_C)
-    if( todo.dhm )
-    {
-        int dhm_sizes[] = { 2048, 3072 };
-        const char *dhm_P[] = {
-            MBEDTLS_DHM_RFC3526_MODP_2048_P,
-            MBEDTLS_DHM_RFC3526_MODP_3072_P,
-        };
-        const char *dhm_G[] = {
-            MBEDTLS_DHM_RFC3526_MODP_2048_G,
-            MBEDTLS_DHM_RFC3526_MODP_3072_G,
-        };
-
-        mbedtls_dhm_context dhm;
-        size_t olen;
-        for( i = 0; (size_t) i < sizeof( dhm_sizes ) / sizeof( dhm_sizes[0] ); i++ )
-        {
-            mbedtls_dhm_init( &dhm );
-
-            if( mbedtls_mpi_read_string( &dhm.P, 16, dhm_P[i] ) != 0 ||
-                mbedtls_mpi_read_string( &dhm.G, 16, dhm_G[i] ) != 0 )
-            {
-                mbedtls_exit( 1 );
-            }
-
-            dhm.len = mbedtls_mpi_size( &dhm.P );
-            mbedtls_dhm_make_public( &dhm, (int) dhm.len, buf, dhm.len, myrand, NULL );
-            if( mbedtls_mpi_copy( &dhm.GY, &dhm.GX ) != 0 )
-                mbedtls_exit( 1 );
-
-            mbedtls_snprintf( title, sizeof( title ), "DHE-%d", dhm_sizes[i] );
-            TIME_PUBLIC( title, "handshake",
-                    ret |= mbedtls_dhm_make_public( &dhm, (int) dhm.len, buf, dhm.len,
-                                            myrand, NULL );
-                    ret |= mbedtls_dhm_calc_secret( &dhm, buf, sizeof( buf ), &olen, myrand, NULL ) );
-
-            mbedtls_snprintf( title, sizeof( title ), "DH-%d", dhm_sizes[i] );
-            TIME_PUBLIC( title, "handshake",
-                    ret |= mbedtls_dhm_calc_secret( &dhm, buf, sizeof( buf ), &olen, myrand, NULL ) );
-
-            mbedtls_dhm_free( &dhm );
-        }
-    }
-#endif
-
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_SHA256_C)
-    if( todo.ecdsa )
-    {
-        mbedtls_ecdsa_context ecdsa;
-        const mbedtls_ecp_curve_info *curve_info;
-        size_t sig_len;
-
-        memset( buf, 0x2A, sizeof( buf ) );
-
-        for( curve_info = mbedtls_ecp_curve_list();
-             curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
-             curve_info++ )
-        {
-            mbedtls_ecdsa_init( &ecdsa );
-
-            if( mbedtls_ecdsa_genkey( &ecdsa, curve_info->grp_id, myrand, NULL ) != 0 )
-                mbedtls_exit( 1 );
-            ecp_clear_precomputed( &ecdsa.grp );
-
-            mbedtls_snprintf( title, sizeof( title ), "ECDSA-%s",
-                                              curve_info->name );
-            TIME_PUBLIC( title, "sign",
-                    ret = mbedtls_ecdsa_write_signature( &ecdsa, MBEDTLS_MD_SHA256, buf, curve_info->bit_size,
-                                                tmp, &sig_len, myrand, NULL ) );
-
-            mbedtls_ecdsa_free( &ecdsa );
-        }
-
-        for( curve_info = mbedtls_ecp_curve_list();
-             curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
-             curve_info++ )
-        {
-            mbedtls_ecdsa_init( &ecdsa );
-
-            if( mbedtls_ecdsa_genkey( &ecdsa, curve_info->grp_id, myrand, NULL ) != 0 ||
-                mbedtls_ecdsa_write_signature( &ecdsa, MBEDTLS_MD_SHA256, buf, curve_info->bit_size,
-                                               tmp, &sig_len, myrand, NULL ) != 0 )
-            {
-                mbedtls_exit( 1 );
-            }
-            ecp_clear_precomputed( &ecdsa.grp );
-
-            mbedtls_snprintf( title, sizeof( title ), "ECDSA-%s",
-                                              curve_info->name );
-            TIME_PUBLIC( title, "verify",
-                    ret = mbedtls_ecdsa_read_signature( &ecdsa, buf, curve_info->bit_size,
-                                                tmp, sig_len ) );
-
-            mbedtls_ecdsa_free( &ecdsa );
-        }
-    }
-#endif
-
-#if defined(MBEDTLS_ECDH_C)
-    if( todo.ecdh )
-    {
-        mbedtls_ecdh_context ecdh;
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-        mbedtls_mpi z;
-#endif
-        const mbedtls_ecp_curve_info *curve_info;
-        size_t olen;
-
-        for( curve_info = mbedtls_ecp_curve_list();
-             curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
-             curve_info++ )
-        {
-            mbedtls_ecdh_init( &ecdh );
-
-            if( mbedtls_ecp_group_load( &ecdh.grp, curve_info->grp_id ) != 0 ||
-                mbedtls_ecdh_make_public( &ecdh, &olen, buf, sizeof( buf),
-                                  myrand, NULL ) != 0 ||
-                mbedtls_ecp_copy( &ecdh.Qp, &ecdh.Q ) != 0 )
-            {
-                mbedtls_exit( 1 );
-            }
-            ecp_clear_precomputed( &ecdh.grp );
-
-            mbedtls_snprintf( title, sizeof( title ), "ECDHE-%s",
-                                              curve_info->name );
-            TIME_PUBLIC( title, "handshake",
-                    ret |= mbedtls_ecdh_make_public( &ecdh, &olen, buf, sizeof( buf),
-                                             myrand, NULL );
-                    ret |= mbedtls_ecdh_calc_secret( &ecdh, &olen, buf, sizeof( buf ),
-                                             myrand, NULL ) );
-            mbedtls_ecdh_free( &ecdh );
-        }
-
-        /* Curve25519 needs to be handled separately */
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-        mbedtls_ecdh_init( &ecdh );
-        mbedtls_mpi_init( &z );
-
-        if( mbedtls_ecp_group_load( &ecdh.grp, MBEDTLS_ECP_DP_CURVE25519 ) != 0 ||
-            mbedtls_ecdh_gen_public( &ecdh.grp, &ecdh.d, &ecdh.Qp, myrand, NULL ) != 0 )
-        {
-            mbedtls_exit( 1 );
-        }
-
-        TIME_PUBLIC(  "ECDHE-Curve25519", "handshake",
-                ret |= mbedtls_ecdh_gen_public( &ecdh.grp, &ecdh.d, &ecdh.Q,
-                                        myrand, NULL );
-                ret |= mbedtls_ecdh_compute_shared( &ecdh.grp, &z, &ecdh.Qp, &ecdh.d,
-                                            myrand, NULL ) );
-
-        mbedtls_ecdh_free( &ecdh );
-        mbedtls_mpi_free( &z );
-#endif
-
-        for( curve_info = mbedtls_ecp_curve_list();
-             curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
-             curve_info++ )
-        {
-            mbedtls_ecdh_init( &ecdh );
-
-            if( mbedtls_ecp_group_load( &ecdh.grp, curve_info->grp_id ) != 0 ||
-                mbedtls_ecdh_make_public( &ecdh, &olen, buf, sizeof( buf),
-                                  myrand, NULL ) != 0 ||
-                mbedtls_ecp_copy( &ecdh.Qp, &ecdh.Q ) != 0 ||
-                mbedtls_ecdh_make_public( &ecdh, &olen, buf, sizeof( buf),
-                                  myrand, NULL ) != 0 )
-            {
-                mbedtls_exit( 1 );
-            }
-            ecp_clear_precomputed( &ecdh.grp );
-
-            mbedtls_snprintf( title, sizeof( title ), "ECDH-%s",
-                                              curve_info->name );
-            TIME_PUBLIC( title, "handshake",
-                    ret |= mbedtls_ecdh_calc_secret( &ecdh, &olen, buf, sizeof( buf ),
-                                             myrand, NULL ) );
-            mbedtls_ecdh_free( &ecdh );
-        }
-
-        /* Curve25519 needs to be handled separately */
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-        mbedtls_ecdh_init( &ecdh );
-        mbedtls_mpi_init( &z );
-
-        if( mbedtls_ecp_group_load( &ecdh.grp, MBEDTLS_ECP_DP_CURVE25519 ) != 0 ||
-            mbedtls_ecdh_gen_public( &ecdh.grp, &ecdh.d, &ecdh.Qp,
-                             myrand, NULL ) != 0 ||
-            mbedtls_ecdh_gen_public( &ecdh.grp, &ecdh.d, &ecdh.Q, myrand, NULL ) != 0 )
-        {
-            mbedtls_exit( 1 );
-        }
-
-        TIME_PUBLIC(  "ECDH-Curve25519", "handshake",
-                ret |= mbedtls_ecdh_compute_shared( &ecdh.grp, &z, &ecdh.Qp, &ecdh.d,
-                                            myrand, NULL ) );
-
-        mbedtls_ecdh_free( &ecdh );
-        mbedtls_mpi_free( &z );
-#endif
-    }
-#endif
-
-    mbedtls_printf( "\r\n" );
-
-#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
-    mbedtls_memory_buffer_alloc_free();
-#endif
-
-#if defined(_WIN32)
-    mbedtls_printf( "  Press Enter to exit this program.\r\n" );
-    fflush( stdout ); getchar();
-#endif
-
-    return( 0 );
-}
-
-#include "mbed-drivers/test_env.h"
-#include "minar/minar.h"
-
-static void run() {
-    MBED_HOSTTEST_TIMEOUT(150);
-    MBED_HOSTTEST_SELECT(default);
-    MBED_HOSTTEST_DESCRIPTION(mbed TLS benchmark program);
-    MBED_HOSTTEST_START("MBEDTLS_BENCHMARK");
-    MBED_HOSTTEST_RESULT(benchmark(0, NULL) == 0);
-}
-
-void app_start(int, char*[]) {
-    /* Use 115200 bps for consistency with other examples */
-    get_stdio_serial().baud(115200);
-    minar::Scheduler::postCallback(mbed::util::FunctionPointer0<void>(run).bind());
-}
-
-#endif /* TARGET_LIKE_MBED */
diff --git a/3rdparty/mbedtls/mbedtls/yotta/data/example-hashing/README.md b/3rdparty/mbedtls/mbedtls/yotta/data/example-hashing/README.md
deleted file mode 100644
index 1a5491cacc..0000000000
--- a/3rdparty/mbedtls/mbedtls/yotta/data/example-hashing/README.md
+++ /dev/null
@@ -1,67 +0,0 @@
-# SHA-256 Hash Example
-
-This application performs hashing of a buffer with SHA-256 using various APIs. It serves as a tutorial for the basic hashing APIs of mbed TLS.
-
-## Pre-requisites
-
-To build and run this example you must have:
-
-* A computer with the following software installed:
-  * [CMake](http://www.cmake.org/download/).
-  * [yotta](https://github.com/ARMmbed/yotta). Please note that **yotta has its own set of dependencies**, listed in the [installation instructions](http://armmbed.github.io/yotta/#installing-on-windows).
-  * [Python](https://www.python.org/downloads/).
-  * [The ARM GCC toolchain](https://launchpad.net/gcc-arm-embedded).
-  * A serial terminal emulator (Like screen, pySerial and cu).
-* An [FRDM-K64F](http://developer.mbed.org/platforms/FRDM-K64F/) development board, or another board supported by mbed OS (in which case you'll have to substitute frdm-k64f-gcc with the appropriate target in the instructions below).
-* A micro-USB cable.
-* If your OS is Windows, please follow the installation instructions [for the serial port driver](https://developer.mbed.org/handbook/Windows-serial-configuration).
-
-## Getting started
-
-1. Connect the FRDM-K64F to the computer with the micro-USB cable, being careful to use the "OpenSDA" connector on the target board.
-
-2. Navigate to the mbedtls directory supplied with your release and open a terminal.
-
-3. Set the yotta target:
-
-    ```
-    yotta target frdm-k64f-gcc
-    ```
-
-4. Build mbedtls and the examples. This may take a long time if this is your first compilation:
-
-    ```
-    $ yotta build
-    ```
-
-5. Copy `build/frdm-k64f-gcc/test/mbedtls-test-example-hashing.bin` to your mbed board and wait until the LED next to the USB port stops blinking.
-
-6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F.
-
-    Use the following settings:
-
-    * 115200 baud (not 9600).
-    * 8N1.
-    * No flow control.
-
-7. Press the Reset button on the board.
-
-8. The output in the terminal window should look like:
-
-    ```
-    {{timeout;10}}
-    {{host_test_name;default}}
-    {{description;mbed TLS example on hashing}}
-    {{test_id;MBEDTLS_EX_HASHING}}
-    {{start}}
-
-
-    Method 1: 315f5bdb76d078c43b8ac0064e4a0164612b1fce77c869345bfc94c75894edd3
-    Method 2: 315f5bdb76d078c43b8ac0064e4a0164612b1fce77c869345bfc94c75894edd3
-    Method 3: 315f5bdb76d078c43b8ac0064e4a0164612b1fce77c869345bfc94c75894edd3
-    Method 4: 315f5bdb76d078c43b8ac0064e4a0164612b1fce77c869345bfc94c75894edd3
-
-    DONE
-    {{success}}
-    {{end}}
-    ```
diff --git a/3rdparty/mbedtls/mbedtls/yotta/data/example-hashing/main.cpp b/3rdparty/mbedtls/mbedtls/yotta/data/example-hashing/main.cpp
deleted file mode 100644
index 574152ab83..0000000000
--- a/3rdparty/mbedtls/mbedtls/yotta/data/example-hashing/main.cpp
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
- *  Hello world example of using the hashing functions of mbed TLS
- *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
- */
-
-/*
- * This program illustrates various ways of hashing a buffer.
- * You normally need only one of these two includes.
- */
-#include "mbedtls/sha256.h" /* SHA-256 only */
-#include "mbedtls/md.h"     /* generic interface */
-
-#if defined(TARGET_LIKE_MBED)
-#include "mbed-drivers/mbed.h"
-#endif
-#include <cstdio>
-
-static void print_hex(const char *title, const unsigned char buf[], size_t len)
-{
-    printf("%s: ", title);
-
-    for (size_t i = 0; i < len; i++)
-        printf("%02x", buf[i]);
-
-    printf("\r\n");
-}
-
-static const char hello_str[] = "Hello, world!";
-static const unsigned char *hello_buffer = (const unsigned char *) hello_str;
-static const size_t hello_len = sizeof hello_str - 1;
-
-int example(void)
-{
-    printf( "\r\n\r\n" );
-
-    /*
-     * Method 1: use all-in-one function of a specific SHA-xxx module
-     */
-    unsigned char output1[32]; /* SHA-256 outputs 32 bytes */
-
-    /* 0 here means use the full SHA-256, not the SHA-224 variant */
-    mbedtls_sha256(hello_buffer, hello_len, output1, 0);
-
-    print_hex("Method 1", output1, sizeof output1);
-
-
-    /*
-     * Method 2: use the streaming interface of a specific SHA-xxx module
-     * This is useful if we get our input piecewise.
-     */
-    unsigned char output2[32];
-    mbedtls_sha256_context ctx2;
-
-    mbedtls_sha256_init(&ctx2);
-    mbedtls_sha256_starts(&ctx2, 0); /* SHA-256, not 224 */
-
-    /* Simulating multiple fragments */
-    mbedtls_sha256_update(&ctx2, hello_buffer, 1);
-    mbedtls_sha256_update(&ctx2, hello_buffer + 1, 1);
-    mbedtls_sha256_update(&ctx2, hello_buffer + 2, hello_len - 2);
-
-    mbedtls_sha256_finish(&ctx2, output2);
-    print_hex("Method 2", output2, sizeof output2);
-
-    /* Or you could re-use the context by doing mbedtls_sha256_starts() again */
-    mbedtls_sha256_free(&ctx2);
-
-    /*
-     * Method 3: use all-in-one function of the generice interface
-     */
-    unsigned char output3[MBEDTLS_MD_MAX_SIZE]; /* Enough for any hash */
-
-    /* Can easily pick any hash you want, by identifier */
-    const mbedtls_md_info_t *md_info3 = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
-
-    if (md_info3 == NULL)
-    {
-        printf("SHA256 not available\r\n");
-        return 1;
-    }
-
-    int ret3 = mbedtls_md(md_info3, hello_buffer, hello_len, output3);
-
-    if (ret3 != 0)
-    {
-        printf("md() returned -0x%04X\r\n", -ret3);
-        return 1;
-    }
-
-    print_hex("Method 3", output3, mbedtls_md_get_size(md_info3));
-
-
-    /*
-     * Method 4: streaming & generic interface
-     */
-    unsigned char output4[MBEDTLS_MD_MAX_SIZE]; /* Enough for any hash */
-
-    const mbedtls_md_info_t *md_info4 = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
-
-    if (md_info4 == NULL)
-    {
-        printf("SHA256 not available\r\n");
-        return 1;
-    }
-
-    mbedtls_md_context_t ctx4;
-
-    mbedtls_md_init(&ctx4);
-
-    int ret4 = mbedtls_md_init_ctx(&ctx4, md_info4);
-    if (ret4 != 0)
-    {
-        printf("md_init_ctx() returned -0x%04X\r\n", -ret4);
-        return 1;
-    }
-
-    mbedtls_md_starts(&ctx4);
-
-    /* Simulating multiple fragments */
-    mbedtls_md_update(&ctx4, hello_buffer, 1);
-    mbedtls_md_update(&ctx4, hello_buffer + 1, 1);
-    mbedtls_md_update(&ctx4, hello_buffer + 2, hello_len - 2);
-
-    mbedtls_md_finish(&ctx4, output4);
-    print_hex("Method 4", output4, mbedtls_md_get_size(md_info4));
-
-    /* Or you could re-use the context by doing mbedtls_md_starts() again */
-    mbedtls_md_free(&ctx4);
-
-
-    printf("\r\nDONE\r\n");
-
-    return 0;
-}
-
-#if defined(TARGET_LIKE_MBED)
-
-#include "mbed-drivers/test_env.h"
-#include "minar/minar.h"
-
-static void run() {
-    MBED_HOSTTEST_TIMEOUT(10);
-    MBED_HOSTTEST_SELECT(default);
-    MBED_HOSTTEST_DESCRIPTION(mbed TLS example on hashing);
-    MBED_HOSTTEST_START("MBEDTLS_EX_HASHING");
-    MBED_HOSTTEST_RESULT(example() == 0);
-}
-
-void app_start(int, char*[]) {
-    /* Use 115200 bps for consistency with other examples */
-    get_stdio_serial().baud(115200);
-    minar::Scheduler::postCallback(mbed::util::FunctionPointer0<void>(run).bind());
-}
-
-#else
-
-int main() {
-    return example();
-}
-
-#endif
diff --git a/3rdparty/mbedtls/mbedtls/yotta/data/example-selftest/README.md b/3rdparty/mbedtls/mbedtls/yotta/data/example-selftest/README.md
deleted file mode 100644
index 0daf8200af..0000000000
--- a/3rdparty/mbedtls/mbedtls/yotta/data/example-selftest/README.md
+++ /dev/null
@@ -1,82 +0,0 @@
-# mbed TLS Selftest Example
-
-This application runs the various selftest functions of individual mbed TLS components. It serves as a basic sanity check to verify operation of mbed TLS on your platform. In the future, a wider portion of the mbed TLS test suite will become part of this example application.
-
-## Pre-requisites
-
-To build and run this example you must have:
-
-* A computer with the following software installed:
-  * [CMake](http://www.cmake.org/download/).
-  * [yotta](https://github.com/ARMmbed/yotta). Please note that **yotta has its own set of dependencies**, listed in the [installation instructions](http://armmbed.github.io/yotta/#installing-on-windows).
-  * [Python](https://www.python.org/downloads/).
-  * [The ARM GCC toolchain](https://launchpad.net/gcc-arm-embedded).
-  * A serial terminal emulator (Like screen, pySerial and cu).
-* An [FRDM-K64F](http://developer.mbed.org/platforms/FRDM-K64F/) development board, or another board supported by mbed OS (in which case you'll have to substitute frdm-k64f-gcc with the appropriate target in the instructions below).
-* A micro-USB cable.
-* If your OS is Windows, please follow the installation instructions [for the serial port driver](https://developer.mbed.org/handbook/Windows-serial-configuration).
-
-## Getting started
-
-1. Connect the FRDM-K64F to the computer with the micro-USB cable, being careful to use the "OpenSDA" connector on the target board.
-
-2. Navigate to the mbedtls directory supplied with your release and open a terminal.
-
-3. Set the yotta target:
-
-    ```
-    yotta target frdm-k64f-gcc
-    ```
-
-4. Build mbedtls and the examples. This may take a long time if this is your first compilation:
-
-    ```
-    $ yotta build
-    ```
-
-5. Copy `build/frdm-k64f-gcc/test/mbedtls-test-example-selftest.bin` to your mbed board and wait until the LED next to the USB port stops blinking.
-
-6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F.
-
-    Use the following settings:
-
-    * 115200 baud (not 9600).
-    * 8N1.
-    * No flow control.
-
-7. Press the Reset button on the board.
-
-8. The output in the terminal window should look like:
-
-    ```
-    {{timeout;40}}
-    {{host_test_name;default}}
-    {{description;mbed TLS selftest program}}
-    {{test_id;MBEDTLS_SELFTEST}}
-    {{start}}
-
-      SHA-224 test #1: passed
-      SHA-224 test #2: passed
-      SHA-224 test #3: passed
-      SHA-256 test #1: passed
-      SHA-256 test #2: passed
-      SHA-256 test #3: passed
-
-        [ ... several lines omitted ... ]
-
-      CTR_DRBG (PR = TRUE) : passed
-      CTR_DRBG (PR = FALSE): passed
-
-      HMAC_DRBG (PR = True) : passed
-      HMAC_DRBG (PR = False) : passed
-
-      ECP test #1 (constant op_count, base point G): passed
-      ECP test #2 (constant op_count, other point): passed
-
-      ENTROPY test: passed
-
-      [ All tests passed ]
-
-    {{success}}
-    {{end}}
-    ```
diff --git a/3rdparty/mbedtls/mbedtls/yotta/data/example-selftest/main.cpp b/3rdparty/mbedtls/mbedtls/yotta/data/example-selftest/main.cpp
deleted file mode 100644
index 0ff5b048ec..0000000000
--- a/3rdparty/mbedtls/mbedtls/yotta/data/example-selftest/main.cpp
+++ /dev/null
@@ -1,268 +0,0 @@
-/*
- *  Self-test demonstration program
- *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
- */
-
-#if !defined(POLARSSL_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#include "mbedtls/entropy.h"
-#include "mbedtls/hmac_drbg.h"
-#include "mbedtls/ctr_drbg.h"
-#include "mbedtls/dhm.h"
-#include "mbedtls/gcm.h"
-#include "mbedtls/ccm.h"
-#include "mbedtls/md2.h"
-#include "mbedtls/md4.h"
-#include "mbedtls/md5.h"
-#include "mbedtls/ripemd160.h"
-#include "mbedtls/sha1.h"
-#include "mbedtls/sha256.h"
-#include "mbedtls/sha512.h"
-#include "mbedtls/arc4.h"
-#include "mbedtls/des.h"
-#include "mbedtls/aes.h"
-#include "mbedtls/camellia.h"
-#include "mbedtls/base64.h"
-#include "mbedtls/bignum.h"
-#include "mbedtls/rsa.h"
-#include "mbedtls/x509.h"
-#include "mbedtls/xtea.h"
-#include "mbedtls/pkcs5.h"
-#include "mbedtls/ecp.h"
-
-#include <stdio.h>
-#include <string.h>
-
-#if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
-#else
-#include <stdio.h>
-#define mbedtls_printf     printf
-#endif
-
-#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
-#include "mbedtls/memory_buffer_alloc.h"
-#endif
-
-int selftest( int argc, char *argv[] )
-{
-    int ret = 0, v;
-#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
-    unsigned char buf[1000000];
-#endif
-
-    if( argc == 2 && strcmp( argv[1], "-quiet" ) == 0 )
-        v = 0;
-    else
-    {
-        v = 1;
-        mbedtls_printf( "\n" );
-    }
-
-#if defined(MBEDTLS_SELF_TEST)
-
-#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
-    mbedtls_memory_buffer_alloc_init( buf, sizeof(buf) );
-#endif
-
-#if defined(MBEDTLS_MD2_C)
-    if( ( ret = mbedtls_md2_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_MD4_C)
-    if( ( ret = mbedtls_md4_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_MD5_C)
-    if( ( ret = mbedtls_md5_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_RIPEMD160_C)
-    if( ( ret = mbedtls_ripemd160_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_SHA1_C)
-    if( ( ret = mbedtls_sha1_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_SHA256_C)
-    if( ( ret = mbedtls_sha256_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_SHA512_C)
-    if( ( ret = mbedtls_sha512_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_ARC4_C)
-    if( ( ret = mbedtls_arc4_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_DES_C)
-    if( ( ret = mbedtls_des_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_AES_C)
-    if( ( ret = mbedtls_aes_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_AES_C)
-    if( ( ret = mbedtls_gcm_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_AES_C)
-    if( ( ret = mbedtls_ccm_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_BASE64_C)
-    if( ( ret = mbedtls_base64_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_BIGNUM_C)
-    if( ( ret = mbedtls_mpi_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_RSA_C)
-    if( ( ret = mbedtls_rsa_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_X509_USE_C)
-    if( ( ret = mbedtls_x509_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_XTEA_C)
-    if( ( ret = mbedtls_xtea_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_CAMELLIA_C)
-    if( ( ret = mbedtls_camellia_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_CTR_DRBG_C)
-    if( ( ret = mbedtls_ctr_drbg_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_HMAC_DRBG_C)
-    if( ( ret = mbedtls_hmac_drbg_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_ECP_C)
-    if( ( ret = mbedtls_ecp_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_DHM_C)
-    if( ( ret = mbedtls_dhm_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_ENTROPY_C)
-    if( ( ret = mbedtls_entropy_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_PKCS5_C)
-    if( ( ret = mbedtls_pkcs5_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#if defined(MBEDTLS_TIMING_C)
-    if( ( ret = mbedtls_timing_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-#else
-    mbedtls_printf( " POLARSSL_SELF_TEST not defined.\n" );
-#endif
-
-    if( v != 0 )
-    {
-#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && defined(MBEDTLS_MEMORY_DEBUG)
-        mbedtls_memory_buffer_alloc_status();
-#endif
-    }
-
-#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
-    mbedtls_memory_buffer_alloc_free();
-
-    if( ( ret = mbedtls_memory_buffer_alloc_self_test( v ) ) != 0 )
-        return( ret );
-#endif
-
-    if( v != 0 )
-    {
-        mbedtls_printf( "  [ All tests passed ]\n\n" );
-#if defined(_WIN32)
-        mbedtls_printf( "  Press Enter to exit this program.\n" );
-        fflush( stdout ); getchar();
-#endif
-    }
-
-    return( ret );
-}
-
-#if defined(TARGET_LIKE_MBED)
-
-#include "mbed-drivers/test_env.h"
-#include "minar/minar.h"
-
-static void run() {
-    MBED_HOSTTEST_TIMEOUT(40);
-    MBED_HOSTTEST_SELECT(default);
-    MBED_HOSTTEST_DESCRIPTION(mbed TLS selftest program);
-    MBED_HOSTTEST_START("MBEDTLS_SELFTEST");
-    MBED_HOSTTEST_RESULT(selftest(0, NULL) == 0);
-}
-
-void app_start(int, char*[]) {
-    /* Use 115200 bps for consistency with other examples */
-    get_stdio_serial().baud(115200);
-    minar::Scheduler::postCallback(mbed::util::FunctionPointer0<void>(run).bind());
-}
-
-#else
-
-int main() {
-    return selftest(0, NULL);
-}
-
-#endif
diff --git a/3rdparty/mbedtls/mbedtls/yotta/data/module.json b/3rdparty/mbedtls/mbedtls/yotta/data/module.json
deleted file mode 100644
index 0b8b822832..0000000000
--- a/3rdparty/mbedtls/mbedtls/yotta/data/module.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
-    "name": "mbedtls",
-    "version": "2.3.1",
-    "description": "The mbed TLS crypto/SSL/TLS library",
-    "licenses": [
-        {
-            "url": "https://spdx.org/licenses/Apache-2.0",
-            "type": "Apache-2.0"
-        }
-    ],
-    "dependencies": {},
-    "targetDependencies": {
-        "mbed": { "cmsis-core": "^1.0.0" }
-    },
-    "testTargetDependencies": {
-        "mbed": { "mbed-drivers": "^1.0.0" }
-    }
-}
diff --git a/3rdparty/mbedtls/mbedtls/yotta/data/target_config.h b/3rdparty/mbedtls/mbedtls/yotta/data/target_config.h
deleted file mode 100644
index f350ce3ecb..0000000000
--- a/3rdparty/mbedtls/mbedtls/yotta/data/target_config.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- *  Temporary target-specific config.h for entropy collection
- *
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- *
- *  This file is part of mbed TLS (https://tls.mbed.org)
- */
-
-#if defined(TARGET_LIKE_MBED)
-#define MBEDTLS_NO_PLATFORM_ENTROPY
-#undef MBEDTLS_HAVE_TIME_DATE
-#undef MBEDTLS_FS_IO
-#endif
-
-/*
- * WARNING: this is temporary!
- * This should be in a separate yotta module which would be a target
- * dependency of mbedtls (see IOTSSL-313)
- */
-#if defined(TARGET_LIKE_K64F)
-#define MBEDTLS_ENTROPY_HARDWARE_ALT
-#endif

From 90b578f11553419731904dc3b61d8db41b45492f Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Fri, 13 Sep 2019 17:23:41 +0000
Subject: [PATCH 031/420] Integrate mbedTLS v2.16.2 into OE SDK

- Update CHANGELOG.md to reflect new version of mbedTLS.
- Update 3rdparty/mbedtls/update.make to target v2.16.2.
    - This version no longer has a yotta/.gitignore that needs to be removed.
- Update mbed tests to use Python instead of Perl to build tests.
    - MbedTLS 2.16 no longer has the Perl script for building its tests.
    - Add Python dependency to install-windows-prereqs.ps1
- Update mbed tests to pass new .datax files from build folders to test.
    - MbedTLS 2.16 no longer parses .data files from the source folders
- Update add_enclave_test.cmake to copy /enc folder instead of just the
  enclave binary when under ADD_WINDOWS_ENCLAVE_TESTS.
    - Change the target dependency to the build folder instead of the test
      enclave binary to prevent file conflicts for tests like mbed that
      include multiple enclave test binaries under the same folder.
- Add LSEEK syscall test hook required by updated mbed test suite.
- Add platform_util.c to host and mbedtls build sources.
    - This provides symbols referenced by other mbedTLS source files.
- Apply patch to x509write_crt.c for attested TLS support.

Fixes #1457.

Co-authored-by: Marius Oprin <moprin@cloudbasesolutions.com>
Co-authored-by: John Kordich <johnkord@microsoft.com>
---
 3rdparty/mbedtls/CMakeLists.txt               |   1 +
 .../mbedtls/mbedtls/library/x509write_crt.c   | 143 +++++++++++-------
 3rdparty/mbedtls/update.make                  |   3 +-
 CHANGELOG.md                                  |   1 +
 cmake/add_enclave_test.cmake                  |  45 +++---
 host/CMakeLists.txt                           |   1 +
 scripts/install-windows-prereqs.ps1           |  19 +++
 tests/mbed/enc/CMakeLists.txt                 |  15 +-
 tests/mbed/enc/enc.c                          |   6 +
 tests/mbed/host/CMakeLists.txt                |   2 +-
 tests/mbed/host/host.c                        |  15 +-
 tests/mbed/host/ocalls.c                      |   5 +
 tests/mbed/mbed.edl                           |   5 +
 13 files changed, 178 insertions(+), 83 deletions(-)

diff --git a/3rdparty/mbedtls/CMakeLists.txt b/3rdparty/mbedtls/CMakeLists.txt
index a9a991e301..f0848162d5 100644
--- a/3rdparty/mbedtls/CMakeLists.txt
+++ b/3rdparty/mbedtls/CMakeLists.txt
@@ -103,6 +103,7 @@ add_library(mbedcrypto_static STATIC
   mbedtls/library/pkparse.c
   mbedtls/library/pkwrite.c
   mbedtls/library/platform.c
+  mbedtls/library/platform_util.c
   mbedtls/library/ripemd160.c
   mbedtls/library/rsa.c
   mbedtls/library/rsa_internal.c
diff --git a/3rdparty/mbedtls/mbedtls/library/x509write_crt.c b/3rdparty/mbedtls/mbedtls/library/x509write_crt.c
index 10497e752b..b42269f825 100644
--- a/3rdparty/mbedtls/mbedtls/library/x509write_crt.c
+++ b/3rdparty/mbedtls/mbedtls/library/x509write_crt.c
@@ -325,9 +325,10 @@ static int x509_write_time( unsigned char **p, unsigned char *start,
     return( (int) len );
 }
 
-int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
-                       int (*f_rng)(void *, unsigned char *, size_t),
-                       void *p_rng )
+int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
+                               unsigned char *buf, size_t size,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng )
 {
     int ret;
     const char *sig_oid;
@@ -335,15 +336,14 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
     unsigned char *c, *c2;
     unsigned char hash[64];
     unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
-    unsigned char tmp_buf[2048];
     size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
     size_t len = 0;
     mbedtls_pk_type_t pk_alg;
 
     /*
-     * Prepare data to be signed in tmp_buf
+     * Prepare data to be signed at the end of the target buffer
      */
-    c = tmp_buf + sizeof( tmp_buf );
+    c = buf + size;
 
     /* Signature algorithm needed in TBS, and later for actual signature */
 
@@ -369,27 +369,36 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
     /* Only for v3 */
     if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 )
     {
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
-                                                           MBEDTLS_ASN1_SEQUENCE ) );
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
-                                                           MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
+        MBEDTLS_ASN1_CHK_ADD( len,
+                              mbedtls_x509_write_extensions( &c,
+                                                      buf, ctx->extensions ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len,
+                              mbedtls_asn1_write_tag( &c, buf,
+                                                      MBEDTLS_ASN1_CONSTRUCTED |
+                                                      MBEDTLS_ASN1_SEQUENCE ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len,
+                              mbedtls_asn1_write_tag( &c, buf,
+                                               MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+                                               MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
     }
 
     /*
      *  SubjectPublicKeyInfo
      */
-    MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->subject_key,
-                                                tmp_buf, c - tmp_buf ) );
+    MBEDTLS_ASN1_CHK_ADD( pub_len,
+                          mbedtls_pk_write_pubkey_der( ctx->subject_key,
+                                                       buf, c - buf ) );
     c -= pub_len;
     len += pub_len;
 
     /*
      *  Subject  ::=  Name
      */
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
+    MBEDTLS_ASN1_CHK_ADD( len,
+                          mbedtls_x509_write_names( &c, buf,
+                                                    ctx->subject ) );
 
     /*
      *  Validity ::= SEQUENCE {
@@ -398,32 +407,39 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
      */
     sub_len = 0;
 
-    MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after,
-                                            MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
+    MBEDTLS_ASN1_CHK_ADD( sub_len,
+                          x509_write_time( &c, buf, ctx->not_after,
+                                        MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
 
-    MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before,
-                                            MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
+    MBEDTLS_ASN1_CHK_ADD( sub_len,
+                          x509_write_time( &c, buf, ctx->not_before,
+                                        MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
 
     len += sub_len;
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
-                                                    MBEDTLS_ASN1_SEQUENCE ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, sub_len ) );
+    MBEDTLS_ASN1_CHK_ADD( len,
+                          mbedtls_asn1_write_tag( &c, buf,
+                                                  MBEDTLS_ASN1_CONSTRUCTED |
+                                                  MBEDTLS_ASN1_SEQUENCE ) );
 
     /*
      *  Issuer  ::=  Name
      */
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->issuer ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, buf,
+                                                         ctx->issuer ) );
 
     /*
      *  Signature   ::=  AlgorithmIdentifier
      */
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, tmp_buf,
-                       sig_oid, strlen( sig_oid ), 0 ) );
+    MBEDTLS_ASN1_CHK_ADD( len,
+                          mbedtls_asn1_write_algorithm_identifier( &c, buf,
+                                              sig_oid, strlen( sig_oid ), 0 ) );
 
     /*
      *  Serial   ::=  INTEGER
      */
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, tmp_buf, &ctx->serial ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, buf,
+                                                       &ctx->serial ) );
 
     /*
      *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
@@ -433,48 +449,67 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
     if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 )
     {
         sub_len = 0;
-        MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
+        MBEDTLS_ASN1_CHK_ADD( sub_len,
+                              mbedtls_asn1_write_int( &c, buf, ctx->version ) );
         len += sub_len;
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
-        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
-                                                           MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
+        MBEDTLS_ASN1_CHK_ADD( len,
+                              mbedtls_asn1_write_len( &c, buf, sub_len ) );
+        MBEDTLS_ASN1_CHK_ADD( len,
+                              mbedtls_asn1_write_tag( &c, buf,
+                                               MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+                                               MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
     }
 
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
-                                                       MBEDTLS_ASN1_SEQUENCE ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len,
+                mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                     MBEDTLS_ASN1_SEQUENCE ) );
 
     /*
      * Make signature
      */
+
+    /* Compute hash of CRT. */
     if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c,
                             len, hash ) ) != 0 )
     {
         return( ret );
     }
 
-    if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len,
-                         f_rng, p_rng ) ) != 0 )
+    if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg,
+                                 hash, 0, sig, &sig_len,
+                                 f_rng, p_rng ) ) != 0 )
     {
         return( ret );
     }
 
-    /*
-     * Write data to output buffer
-     */
+    /* Move CRT to the front of the buffer to have space
+     * for the signature. */
+    memmove( buf, c, len );
+    c = buf + len;
+
+    /* Add signature at the end of the buffer,
+     * making sure that it doesn't underflow
+     * into the CRT buffer. */
     c2 = buf + size;
-    MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
+    MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, c,
                                         sig_oid, sig_oid_len, sig, sig_len ) );
 
-    if( len > (size_t)( c2 - buf ) )
-        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+    /*
+     * Memory layout after this step:
+     *
+     * buf       c=buf+len                c2            buf+size
+     * [CRT0,...,CRTn, UNUSED, ..., UNUSED, SIG0, ..., SIGm]
+     */
 
-    c2 -= len;
-    memcpy( c2, c, len );
+    /* Move raw CRT to just before the signature. */
+    c = c2 - len;
+    memmove( c, buf, len );
 
     len += sig_and_oid_len;
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
-    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf,
+                                                 MBEDTLS_ASN1_CONSTRUCTED |
                                                  MBEDTLS_ASN1_SEQUENCE ) );
 
     return( (int) len );
@@ -484,23 +519,23 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
 #define PEM_END_CRT             "-----END CERTIFICATE-----\n"
 
 #if defined(MBEDTLS_PEM_WRITE_C)
-int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt, unsigned char *buf, size_t size,
-                       int (*f_rng)(void *, unsigned char *, size_t),
-                       void *p_rng )
+int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt,
+                               unsigned char *buf, size_t size,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng )
 {
     int ret;
-    unsigned char output_buf[4096];
-    size_t olen = 0;
+    size_t olen;
 
-    if( ( ret = mbedtls_x509write_crt_der( crt, output_buf, sizeof(output_buf),
+    if( ( ret = mbedtls_x509write_crt_der( crt, buf, size,
                                    f_rng, p_rng ) ) < 0 )
     {
         return( ret );
     }
 
     if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CRT, PEM_END_CRT,
-                                  output_buf + sizeof(output_buf) - ret,
-                                  ret, buf, size, &olen ) ) != 0 )
+                                          buf + size - ret, ret,
+                                          buf, size, &olen ) ) != 0 )
     {
         return( ret );
     }
diff --git a/3rdparty/mbedtls/update.make b/3rdparty/mbedtls/update.make
index 4b5c353837..b58323c3b6 100755
--- a/3rdparty/mbedtls/update.make
+++ b/3rdparty/mbedtls/update.make
@@ -4,7 +4,7 @@
 # Licensed under the MIT License.
 
 # mbedTLS library definitions
-VERSION=2.7.11
+VERSION=2.16.2
 BASE=mbedtls-$(VERSION)
 PKG=$(BASE)-apache.tgz
 
@@ -18,7 +18,6 @@ update-mbedtls:
 	mv $(BASE) mbedtls
 	rm -rf $(PKG)
 	rm mbedtls/.gitignore
-	rm mbedtls/yotta/.gitignore
 	rm mbedtls/programs/.gitignore
 	rm mbedtls/include/.gitignore
 	rm mbedtls/library/.gitignore
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2e7adaa0ce..0df9803f56 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
          should enable it themselves after assessing its startup impact.
 - Removed support for the previously deprecated `OE_API_VERSION=1` APIs.
 - Update MUSL libc to version 1.1.21.
+- Update mbedTLS to version 2.16.2.
 
 [v0.5.0] - 2019-04-09
 ---------------------
diff --git a/cmake/add_enclave_test.cmake b/cmake/add_enclave_test.cmake
index b998659e45..d0a1dcb008 100644
--- a/cmake/add_enclave_test.cmake
+++ b/cmake/add_enclave_test.cmake
@@ -3,15 +3,15 @@
 
 
 ## This function is to add test for given host file and enclave file.
-## TEST_NAME	: test name for add test.
-## HOST_FILE	: Host application executable file name.
-## ENC_FILE 	: Signed/Unsigned enclave file name.
-## DESCRIPTION	: For ADD_WINDOWS_ENCLAVE_TESTS enabled function will copy signed
-##			enclave file from Linux build location to windows build location
-##			after checking if both host and enclave file exists at specified
-##			location.
-##			NOTE : Any additional arguments after ENC_FILE argument are passed
-##			directly to add_test.
+## TEST_NAME    : test name for add test.
+## HOST_FILE    : Host application executable file name.
+## ENC_FILE     : Signed/Unsigned enclave file name.
+## DESCRIPTION  : For ADD_WINDOWS_ENCLAVE_TESTS enabled function will copy signed
+##                      enclave file from Linux build location to windows build location
+##                      after checking if both host and enclave file exists at specified
+##                      location.
+##                      NOTE : Any additional arguments after ENC_FILE argument are passed
+##                      directly to add_test.
 
 function(add_enclave_test TEST_NAME HOST_FILE ENC_FILE)
 
@@ -39,7 +39,6 @@ function(add_enclave_test TEST_NAME HOST_FILE ENC_FILE)
         # enclave subpath and "host" as the default host subpath.
         # This hack can be removed when CMake on Windows produces ELF enclaves.
         set(TEST_ENCSUBPATH enc)
-        set(TEST_HOSTSUBPATH host)
 
         # (HACK2) This is a hack to figure out the target name for the linux enclave
         # Ideally, the name of the enclave is found by $<TARGET_FILE:${ENC_FILE}>
@@ -50,23 +49,27 @@ function(add_enclave_test TEST_NAME HOST_FILE ENC_FILE)
             string(REGEX REPLACE "_signed" ".signed" TEST_ENCFILE ${ENC_FILE})
         endif()
 
-        # custom rule to copy binary from linux
-        # take a dependency on host binary to make sure it exists in addition to
-        # enc binary in linux
-        add_custom_command(OUTPUT ${TEST_NAME}_windows_include
-            COMMAND ${CMAKE_COMMAND} -E copy ${LINUX_BIN_DIR}/${TEST_DIR}/${TEST_ENCSUBPATH}/${TEST_ENCFILE} ${CMAKE_CURRENT_BINARY_DIR}/${TEST_HOSTSUBPATH}/${TEST_ENCFILE}
-            DEPENDS $<TARGET_FILE:${HOST_FILE}> ${LINUX_BIN_DIR}/${TEST_DIR}/${TEST_ENCSUBPATH}/${TEST_ENCFILE}
-            WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
-            )
+        # Copy the enclave subfolder from Linux
+        # This takes a dependency on host binary to make sure it exists, in addition to
+        # enclave binary in linux. It should only be executed once for the target build
+        # directory so that multiple tests hosted in the same enclave folder are copied
+        # only once.
+        if (NOT TARGET ${CMAKE_CURRENT_BINARY_DIR}__windows_include)
+            add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}_windows_include
+                COMMAND ${CMAKE_COMMAND} -E copy_directory ${LINUX_BIN_DIR}/${TEST_DIR}/${TEST_ENCSUBPATH} ${CMAKE_CURRENT_BINARY_DIR}/${TEST_ENCSUBPATH}
+                DEPENDS $<TARGET_FILE:${HOST_FILE}> ${LINUX_BIN_DIR}/${TEST_DIR}/${TEST_ENCSUBPATH}/${TEST_ENCFILE}
+                WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+                )
+        endif()
 
-        # add a custom target to ALL so that this step always needs to be run if
+        # Add a custom target to ALL so that this step always needs to be run if
         # this function is invoked
         get_filename_component(TEST_NAME_WITHOUT_SLASH ${TEST_NAME} NAME)
         add_custom_target(${TEST_NAME_WITHOUT_SLASH}.windows ALL
-            DEPENDS ${TEST_NAME}_windows_include
+            DEPENDS ${CMAKE_CURRENT_BINARY_DIR}_windows_include
             )
 
-        add_test(NAME ${TEST_NAME} COMMAND $<TARGET_FILE:${HOST_FILE}> ${CMAKE_CURRENT_BINARY_DIR}/${TEST_HOSTSUBPATH}/${TEST_ENCFILE} ${ARGN})
+        add_test(NAME ${TEST_NAME} COMMAND $<TARGET_FILE:${HOST_FILE}> ${CMAKE_CURRENT_BINARY_DIR}/${TEST_ENCSUBPATH}/${TEST_ENCFILE} ${ARGN})
 
     elseif (UNIX OR USE_CLANGW)
         add_test(NAME ${TEST_NAME} COMMAND $<TARGET_FILE:${HOST_FILE}> $<TARGET_FILE:${ENC_FILE}> ${ARGN})
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index 4a75a4e2c2..69bc336507 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -97,6 +97,7 @@ elseif (WIN32)
 
   set(PLATFORM_SDK_ONLY_SRC
     ../3rdparty/mbedtls/mbedtls/library/bignum.c
+    ../3rdparty/mbedtls/mbedtls/library/platform_util.c #Used by bignum.c
     ../common/asn1.c
     ../common/cert.c
     crypto/bcrypt/cert.c
diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index a65318f790..e0c2d8b8bc 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -29,6 +29,8 @@ Param(
     [string]$VCRuntime2012Hash = '681BE3E5BA9FD3DA02C09D7E565ADFA078640ED66A0D58583EFAD2C1E3CC4064',
     [string]$AzureDCAPNupkgURL = 'https://www.nuget.org/api/v2/package/Azure.DCAP.Windows/0.0.2',
     [string]$AzureDCAPNupkgHash = 'E319A6C2D136FE5EDB8799305F6151B71F4CE4E67D96CA74538D0AD5D2D793F1',
+    [string]$Python3URL = 'https://www.python.org/ftp/python/3.7.4/python-3.7.4.exe',
+    [string]$Python3Hash = '9A30AB5568BA37BFBCAE5CDEE19E9DC30765C42CF066F605221563FF8B20EE34',
     [Parameter(mandatory=$true)][string]$InstallPath,
     [Parameter(mandatory=$true)][ValidateSet("SGX1FLC", "SGX1", "SGX1FLC-NoDriver")][string]$LaunchConfiguration,
     [Parameter(mandatory=$true)][ValidateSet("None", "Azure")][string]$DCAPClientType
@@ -114,8 +116,14 @@ $PACKAGES = @{
     }
     "openssl" = @{
         "url" = $OpenSSLURL
+        "hash" = $OpenSSLHash
         "local_file" = Join-Path $PACKAGES_DIRECTORY "Win64OpenSSL-1_1_1d.exe"
     }
+    "python3" = @{
+        "url" = $Python3URL
+        "hash" = $Python3Hash
+        "local_file" = Join-Path $PACKAGES_DIRECTORY "python-3.4.7.exe"
+    }
 }
 
 filter Timestamp { "[$(Get-Date -Format o)] $_" }
@@ -608,6 +616,16 @@ function Install-AzureDCAPWindows {
     popd
 }
 
+function Install-Python3 {
+    Write-Log "Installing Python3"
+    $tmpDir = Join-Path $PACKAGES_DIRECTORY "Python3"
+    $envPath = Join-Path "$PACKAGES_DIRECTORY\..\.." "Programs\Python\Python37-32"
+    Install-Tool -InstallerPath $PACKAGES["python3"]["local_file"] `
+                 -InstallDirectory $tmpDir `
+                 -ArgumentList @("/quiet", "/passive") `
+                 -EnvironmentPath @($envPath)
+}
+
 try {
     Start-LocalPackagesDownload
 
@@ -620,6 +638,7 @@ try {
     Install-OCaml
     Install-Shellcheck
     Install-PSW
+    Install-Python3
 
     if ($DCAPClientType -eq "Azure")
     {
diff --git a/tests/mbed/enc/CMakeLists.txt b/tests/mbed/enc/CMakeLists.txt
index dd17b9ed0d..b2ab5ec4b9 100644
--- a/tests/mbed/enc/CMakeLists.txt
+++ b/tests/mbed/enc/CMakeLists.txt
@@ -20,14 +20,23 @@ function(add_mbed_test_enclave NAME)
 
   set(MBEDTLS_TESTS_DIR "${PROJECT_SOURCE_DIR}/3rdparty/mbedtls/mbedtls/tests")
 
+ string(CONCAT GEN_TEST_CODE_SCRIPT "${MBEDTLS_TESTS_DIR}/scripts/generate_test_code.py"
+                                     " --suites-dir ${MBEDTLS_TESTS_DIR}/suites"
+                                     " --functions-file ${MBEDTLS_TESTS_DIR}/suites/test_suite_${suite_name}.function"
+                                     " --data-file ${MBEDTLS_TESTS_DIR}/suites/test_suite_${data_name}.data"
+                                     " --helpers-file ${MBEDTLS_TESTS_DIR}/suites/helpers.function"
+                                     " --template-file ${MBEDTLS_TESTS_DIR}/suites/main_test.function"
+                                     " --platform-file ${MBEDTLS_TESTS_DIR}/suites/host_test.function"
+                                     " --out-dir ${CMAKE_CURRENT_BINARY_DIR}")
   add_custom_command(
-    OUTPUT test_suite_${NAME}.c
-    COMMAND ${BASH} -c "perl ${MBEDTLS_TESTS_DIR}/scripts/generate_code.pl ${MBEDTLS_TESTS_DIR}/suites test_suite_${suite_name} test_suite_${data_name}"
+    OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/test_suite_${NAME}.c
+    COMMAND ${BASH} -c "python ${GEN_TEST_CODE_SCRIPT}"
     DEPENDS
     mbedcrypto
-    ${MBEDTLS_TESTS_DIR}/scripts/generate_code.pl
+    ${MBEDTLS_TESTS_DIR}/scripts/generate_test_code.py
     ${MBEDTLS_TESTS_DIR}/suites/helpers.function
     ${MBEDTLS_TESTS_DIR}/suites/main_test.function
+    ${MBEDTLS_TESTS_DIR}/suites/host_test.function
     ${MBEDTLS_TESTS_DIR}/suites/test_suite_${suite_name}.function
     ${MBEDTLS_TESTS_DIR}/suites/test_suite_${data_name}.data)
 
diff --git a/tests/mbed/enc/enc.c b/tests/mbed/enc/enc.c
index 2bdc686e79..f9faa87871 100644
--- a/tests/mbed/enc/enc.c
+++ b/tests/mbed/enc/enc.c
@@ -146,6 +146,12 @@ static oe_result_t _syscall_hook(
             result = mbed_test_close(&rval, (int)arg1);
             break;
         }
+        case SYS_lseek:
+        {
+            int rval = 0;
+            result = mbed_test_lseek(&rval, (int)arg1, (off_t)arg2, (int)arg3);
+            break;
+        }
         case SYS_readv:
         default:
         {
diff --git a/tests/mbed/host/CMakeLists.txt b/tests/mbed/host/CMakeLists.txt
index d076923ca2..20dea9a196 100644
--- a/tests/mbed/host/CMakeLists.txt
+++ b/tests/mbed/host/CMakeLists.txt
@@ -6,7 +6,7 @@ oeedl_file(../mbed.edl host gen)
 
 add_executable(libmbedtest_host host.c ocalls.c ${gen})
 
-target_compile_definitions(libmbedtest_host PRIVATE PROJECT_DIR="${CMAKE_SOURCE_DIR}/")
+target_compile_definitions(libmbedtest_host PRIVATE PROJECT_DIR="${CMAKE_CURRENT_BINARY_DIR}/")
 if (NOT WIN32)
   target_compile_options(libmbedtest_host PRIVATE -Wno-error)
 endif()
diff --git a/tests/mbed/host/host.c b/tests/mbed/host/host.c
index f5fbeffcac..4aa78b21ea 100644
--- a/tests/mbed/host/host.c
+++ b/tests/mbed/host/host.c
@@ -4,6 +4,7 @@
 #include <openenclave/host.h>
 #include <openenclave/internal/calls.h>
 #include <openenclave/internal/error.h>
+#include <openenclave/internal/str.h>
 #include <openenclave/internal/tests.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -14,7 +15,7 @@
 
 char* find_data_file(char* str, size_t size)
 {
-    char* tail = ".data";
+    char* tail = ".datax";
     char* checker = "test_suite_";
     char* token;
 
@@ -37,7 +38,7 @@ char* find_data_file(char* str, size_t size)
 
 void datafileloc(char* data_file_name, char* path)
 {
-    char* tail = "3rdparty/mbedtls/mbedtls/tests/suites/";
+    char* tail = "../enc/";
 #ifdef PROJECT_DIR
     strcpy(path, PROJECT_DIR);
 #else
@@ -59,6 +60,14 @@ void datafileloc(char* data_file_name, char* path)
     strcat(path, tail);
     strcat(path, data_file_name);
 
+#if defined(_WIN32)
+    /* On Windows, replace forward slashes with backslashes in the path */
+    for (char* next = strchr(path, '/'); next; next = strchr(path, '/'))
+    {
+        *next = '\\';
+    }
+#endif
+
     printf("######## data_fileloc: %s ###### \n", path);
     return;
 }
@@ -78,6 +87,7 @@ void Test(oe_enclave_t* enclave, int selftest, char* data_file_name)
 
     oe_result_t result =
         test(enclave, &return_value, in_testname, out_testname, &args);
+
     OE_TEST(result == OE_OK);
     if (!selftest)
     {
@@ -109,6 +119,7 @@ int main(int argc, const char* argv[])
     int selftest = 0;
     uint32_t flags = oe_get_create_flags();
     char* data_file_name = NULL;
+
     // Check argument count:
     if (argc != 2)
     {
diff --git a/tests/mbed/host/ocalls.c b/tests/mbed/host/ocalls.c
index f3ce724b26..1202945c20 100644
--- a/tests/mbed/host/ocalls.c
+++ b/tests/mbed/host/ocalls.c
@@ -25,3 +25,8 @@ int mbed_test_close(int fd)
 {
     return close(fd);
 }
+
+int mbed_test_lseek(int fd, int offset, int whence)
+{
+    return lseek(fd, offset, whence);
+}
diff --git a/tests/mbed/mbed.edl b/tests/mbed/mbed.edl
index 535d153037..9ae5a4c174 100644
--- a/tests/mbed/mbed.edl
+++ b/tests/mbed/mbed.edl
@@ -37,6 +37,11 @@ enclave {
         int mbed_test_close(
             int fd);
 
+        int mbed_test_lseek(
+            int fd,
+            int offset,
+            int whence);
+
         void ocall_exit(
             int arg);
     };

From 517e7e8fd25811a4d923a3c5fac7634efe58c194 Mon Sep 17 00:00:00 2001
From: Xuejun Yang <xuejya@microsoft.com>
Date: Wed, 25 Sep 2019 21:41:22 +0000
Subject: [PATCH 032/420] Address review comments

---
 samples/README.md                    |  9 +--
 samples/switchless/README.md         | 85 ++++++++++++++++++----------
 samples/switchless/enclave/enc.c     | 19 ++++++-
 samples/switchless/host/host.c       | 61 ++++++++++++++++++--
 samples/switchless/switchless.edl    |  6 +-
 tests/switchless_threads/host/host.c |  3 +
 6 files changed, 138 insertions(+), 45 deletions(-)

diff --git a/samples/README.md b/samples/README.md
index fdcdd1c772..0810043fd5 100644
--- a/samples/README.md
+++ b/samples/README.md
@@ -150,7 +150,8 @@ The following samples demonstrate how to develop enclave applications using OE A
 #### [Switchless Calls](switchless/README.md)
 
 - Explain the concept of switchless calls
-- Demonstrate how to enable switchless calls in an enclave application in steps:
-  - Mark a function as `transition_using_threads`
-  - Enable and configure switchless for an enclave
-  - Making a switchless call
+- Identify cases where switchless calls are appropriate
+- Demonstrate how to mark a function as `transition_using_threads` in EDL
+- Demonstrate how to configure an enclave to enable switchless calls originated within it
+- Recommend the number of host worker threads required for switchless calls in practice
+- Demonstrate how to enable switchless calls in an enclave application
diff --git a/samples/switchless/README.md b/samples/switchless/README.md
index e75900541b..e7fe10cad9 100644
--- a/samples/switchless/README.md
+++ b/samples/switchless/README.md
@@ -17,7 +17,8 @@ In an enclave application, the host makes **ECALL**s into functions exposed by t
 the enclaves may make **OCALL**s into functions exposed by the host that created them. In either case, the
 execution has to be transitioned from an untrusted environment to a trusted environment, or vice versa. Since the
 transition is costly due to heavy security checks, it might be more performance advantageous to make the calls
-**context-switchless**: the caller delegates the function call to a worker thread in the other environment, which does the real job of calling the function and post the result to the caller. Both the calling thread and the
+**context-switchless**: the caller delegates the function call to a worker thread in the other environment, which
+does the real job of calling the function and post the result to the caller. Both the calling thread and the
 worker thread never leave their respective execution contexts during the perceived function call.
 
 The calling thread and the worker thread need to exchange information twice during the call. When the switchless
@@ -32,32 +33,34 @@ good candidates for switchless calls are functions that are: 1) short, thus the
 percentage of the overall execution time of the call; and 2) called frequently, so the savings in transition time
 add up.
 
-## How does OpenEnclave support switchless OCALLs
+## How does Open Enclave support switchless OCALLs
 
-OpenEnclave only supports synchronous switchless OCALLs currently. When the caller within an enclave makes a
-switchless OCALL, the trusted OpenEnclave runtime creates a `job` out of the function call. The `job` object
+Open Enclave only supports synchronous switchless OCALLs currently. When the caller within an enclave makes a
+switchless OCALL, the trusted Open Enclave runtime creates a `job` out of the function call. The `job` object
 includes information such as the function ID, the parameters marshaled into a buffer, and a buffer for holding the
 return value(s). The job is posted to a shared memory region which both the enclave and the host can access.
 
-A host worker thread checks and retrieves `job` from the shared memory region. It uses the untrusted OpenEnclave
+A host worker thread checks and retrieves `job` from the shared memory region. It uses the untrusted Open Enclave
 runtime to process the `job` by unmarshaling the parameters, then dispatching to the callee function, and finally
-relaying the result back to the trusted OpenEnclave runtime, which is further forwarded back to the caller.
+relaying the result back to the trusted Open Enclave runtime, which is further forwarded back to the caller.
 
-To support simultaneous switchless OCALLs made from enclaves, the host workers are multi-threaded. OpenEnclave
+If an enclave supports multiple simultaneous ECALLs, multiple simultaneous switchless OCALLs could be made from the
+enclave. We use multi-threaded host workers in that scenario. Open Enclave
 allows users to configure how many host worker threads are to be created for servicing switchless OCALLs. The
 following example illustrates how to do that. A word of caution is that too many host worker threads might increase
 competition of cores between threads and degrade the performance. Therefore, if a enclave has switchless calls
-enabled, OpenEnclave caps the number of host worker threads for it to the number of enclave threads specified.
+enabled, Open Enclave caps the number of host worker threads for it to the number of enclave threads specified.
 
-With the current implementation, we recommend users to avoid using more host worker threads than the minimum of:
+With the current implementation, we recommend that users avoid using more host worker threads than the minimum of:
 
 1. the number of simultaneously active enclave threads, and
 2. the number of cores that are potentially available to host worker threads.
 
 For example, on a 4-core machine, if the number of the simultaneously active enclave threads is 2, and there is no
-host threads other than the two threads making ECALLs and the switchless worker threads, both 1) and 2) would be 2. So we recommend setting the number of host worker threads to 2.
+host threads other than the two threads making ECALLs and the switchless worker threads, both 1) and 2) would be 2.
+So we recommend setting the number of host worker threads to 2.
 
-The exception to the above rule happens when 1) or 2) is zero or negative. For example, if the host starts two more
+The exception to the above rule happens when 2) is zero or negative. For example, if the host starts two more
 additional threads that are expected to be active along with the two enclave threads, the number of cores available
 to the worker threads is actually 0, and the minimum of 1) and 2) would be 0. In this case, we recommend setting
 the number of host worker threads to 1 nevertheless, to ensure switchless calls are serviced by at least one thread.
@@ -66,27 +69,42 @@ The above recommendation may change when we modify the behavior of worker thread
 
 ## About the EDL
 
-In this sample, we pretend the enclave doesn't know addition. It relies on a host function `host_increment` to
-increment a number by 1, and repeat calling it `N` times to add `N` to a given number. Since `host_increment` is
+In this sample, we pretend the enclave doesn't know addition. It relies on a host function to
+increment a number by 1, and repeats  calling it `N` times to add `N` to a given number. Since the host function is
 short and called frequently, it is appropriate to make it a switchless function.
 
-First we need to define the functions we want to call between the host and the enclave. To do this we create a `switchless.edl` file:
+We want to compare the performance of switchless calls vs. regular calls. To that end, we define two variants of
+the host function: `host_increment_regular` which is a regular OCALL, and `host_increment_switchless`,
+which is called switchlessly.
+
+Additionally, We define two enclave functions `enclave_add_N_regular` and `enclave_add_N_switchless`, which call host function
+`host_increment_regular` and `host_increment_switchless` respectively. Both enclave functions call its host function
+in a loop repeatedly. The number of iterations is determined by parameter `n`.
+
+The host functions and enclave functions are defined in an EDL file `switchless.edl` as below:
 
 ```edl
 enclave {
     trusted {
-        public void enclave_add_N([in, out] int* m, int n);
+        public void enclave_add_N_switchless([in, out] int* m, int n);
+        public void enclave_add_N_regular([in, out] int* m, int n);
     };
 
     untrusted {
-        void host_increment([in, out] int* m) transition_using_threads;
+        void host_increment_switchless([in, out] int* m) transition_using_threads;
+        void host_increment_regular([in, out] int* m);
     };
 };
 ```
 
-Function `host_increment`'s declaration ends with keyword `transition_using_threads`, indicating it should be called switchlessly at run time. However, this a best-effort directive. OpenEnclave runtime may still choose to fall back to a tradition OCALL if switchless call resources are unavailable, e.g., the enclave is not configured as switchless-capable, or the host worker threads are busy servicing other switchless OCALLs.
+Function `host_increment_switchless`'s declaration ends with keyword `transition_using_threads`, indicating it should be
+called switchlessly at run time. However, this a best-effort directive. Open Enclave runtime may still choose
+to fall back to a tradition OCALL if switchless call resources are unavailable, e.g., the enclave is not configured
+as switchless-capable, or the host worker threads are busy servicing other switchless OCALLs. In this example,
+`host_increment_switchless` is always called switchlessly because there is no simultaneous switchless OCALLs.
 
-To generate the functions with the marshaling code, the `oeedger8r` tool is called in both the host and enclave directories from their Makefiles. For example:
+To generate the functions with the marshaling code, the `oeedger8r` tool is called in both the host and enclave
+directories from their Makefiles. For example:
 
 ```bash
 cd host
@@ -99,16 +117,17 @@ oeedger8r ../switchless.edl --untrusted --experimental
 
 The host first defines a structure specifically for configuring switchless calls. In this case, we specify the
 first field `1` as the number of host worker threads for switchless OCALLs. In this example, 1) There is at most
-1 enclave thread all the time, and 2) The number of cores available to the host worker threads is  1 (assuming a
-2-core machine) or 3 (assuming a 4-core machine). In any case, The minimum of 1) and 2) is 1, which we choose to
-be the number of host worker threads. The 2nd field specifies the number of enclave threads for switchless ECALLs.
+1 enclave thread all the time, and 2) The number of cores available to the host worker threads is unknown, and
+so we use 1 as explained above. The 2nd field specifies the number of enclave threads for switchless ECALLs.
 Since switchless ECALL is not yet implemented, we require the 2nd field to be `0`.
 
 ```c
 oe_enclave_config_context_switchless_t config = {1, 0};
 ```
 
-The host then puts the structure address and the configuration type in an array of configurations for the enclave to be created. Even though we only have one configuration (for switchless) for the enclave, we'd like the flexibility of adding more than one configuration (with different types) for an enclave in the future.
+The host then puts the structure address and the configuration type in an array of configurations for the enclave
+to be created. Even though we only have one configuration (for switchless) for the enclave, we'd like the
+flexibility of adding more than one configuration (with different types) for an enclave in the future.
 
 ```c
 oe_enclave_config_t configs[] = {{
@@ -130,28 +149,32 @@ oe_create_switchless_enclave(
              &enclave);
 ```
 
-The host then makes an ECALL of `enclave_add_N` to transition into the enclave. After the ECALL returns, the
-host prints the returned value and terminates the enclave.
-
-As shown in the EDL file, the host exposes a host function `host_increment` which takes an integer `n`, and returns the result of `n+1`.
+The host then makes an ECALL of `enclave_add_N_regular` to transition into the enclave to compute the sum of
+two integers `m` and `n`. After that, the host makes an ECALL of `enclave_add_N_switchless` to perform the same
+computation except for using switchless OCALLs instead of regular OCALLs. We print out the time spent on both
+ECALLs to highlight the performance advantage of switchless calls in this case.
 
 ## About the enclave
 
-The enclave exposes only one function `enclave_add_N`. The function takes two parameter `m` and `n`. It calls
-the host function `host_increment` switchlessly in a loop of `n` iterations.
+The enclave exposes two functions `enclave_add_N_switchless` and `enclave_add_N_regular`, both taking
+two parameters `m` and `n`. The formal calls host function `host_increment_switchless`, while the latter
+calls `host_increment_regular`. Both host functions are called in a loop of `n` iterations.
 
 ## Build and run
 
 Note that there are two different build systems supported, one using GNU Make and
 `pkg-config`, the other using CMake.
 
-If the build and run succeed, the following output is expected:
+If the build and run succeed, output like the following is expected (the exact time spent on the enclave functions could vary):
 
 ```bash
 host/switchlesshost ./enclave/switchlessenc.signed
-enclave_add_N(): 10000 + 10000 = 20000
+enclave_add_N_switchless(): 1000000 + 1000000 = 2000000. Time spent: 923 ms
+enclave_add_N_regular(): 1000000 + 1000000 = 2000000. Time spent: 19167 ms
 ```
 
+We expect to see a speed up of the first ECALL over the 2nd one due to switchless calls.
+
 ### CMake
 
 This uses the CMake package provided by the Open Enclave SDK.
@@ -172,7 +195,7 @@ make run
 ```
 #### Note
 
-switchless sample can run under OpenEnclave simulation mode.
+switchless sample can run under Open Enclave simulation mode.
 
 To run the switchless sample in simulation mode from the command like, use the following:
 
diff --git a/samples/switchless/enclave/enc.c b/samples/switchless/enclave/enc.c
index 4d3442ebd7..91a987d733 100644
--- a/samples/switchless/enclave/enc.c
+++ b/samples/switchless/enclave/enc.c
@@ -4,15 +4,28 @@
 #include <stdio.h>
 #include "switchless_t.h"
 
-void enclave_add_N(int* m, int n)
+void enclave_add_N_switchless(int* m, int n)
+{
+    // Call back into the host switchlessly
+    for (int i = 0; i < n; i++)
+    {
+        oe_result_t result = host_increment_switchless(m);
+        if (result != OE_OK)
+        {
+            fprintf(stderr, "host_increment_switchless(): result=%u", result);
+        }
+    }
+}
+
+void enclave_add_N_regular(int* m, int n)
 {
     // Call back into the host
     for (int i = 0; i < n; i++)
     {
-        oe_result_t result = host_increment(m);
+        oe_result_t result = host_increment_regular(m);
         if (result != OE_OK)
         {
-            fprintf(stderr, "host_increment(): result=%u", result);
+            fprintf(stderr, "host_increment_regular(): result=%u", result);
         }
     }
 }
diff --git a/samples/switchless/host/host.c b/samples/switchless/host/host.c
index fbaa070b47..5befac78d0 100644
--- a/samples/switchless/host/host.c
+++ b/samples/switchless/host/host.c
@@ -4,9 +4,15 @@
 #include <openenclave/host.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <time.h>
 #include "switchless_u.h"
 
-void host_increment(int* n)
+void host_increment_switchless(int* n)
+{
+    *n = *n + 1;
+}
+
+void host_increment_regular(int* n)
 {
     *n = *n + 1;
 }
@@ -30,7 +36,7 @@ int main(int argc, const char* argv[])
 {
     oe_enclave_t* enclave = NULL;
     oe_result_t result;
-    int ret = 1, m = 10000, n = 10000;
+    int ret = 1, m = 1000000, n = 1000000;
     int oldm = m;
 
     if (argc != 2 && argc != 3)
@@ -61,13 +67,58 @@ int main(int argc, const char* argv[])
              &enclave)) != OE_OK)
         fprintf(stderr, "oe_create_enclave(): result=%u", result);
 
+    double start, end;
+    struct timespec current_time;
+    clock_gettime(CLOCK_REALTIME, &current_time);
+    start = current_time.tv_sec * 1000000 + current_time.tv_nsec / 1000.0;
+
+    // Call into the enclave
+    result = enclave_add_N_switchless(enclave, &m, n);
+
+    clock_gettime(CLOCK_REALTIME, &current_time);
+    end = current_time.tv_sec * 1000000 + current_time.tv_nsec / 1000.0;
+
+    if (result != OE_OK)
+    {
+        fprintf(stderr, "enclave_add_N_switchless(): result=%u", result);
+        goto done;
+    }
+
+    fprintf(
+        stderr,
+        "enclave_add_N_switchless(): %d + %d = %d. Time spent: "
+        "%d ms\n",
+        oldm,
+        n,
+        m,
+        (int)(end - start) / 1000);
+
+    clock_gettime(CLOCK_REALTIME, &current_time);
+    start = current_time.tv_sec * 1000000 + current_time.tv_nsec / 1000.0;
+
     // Call into the enclave
-    result = enclave_add_N(enclave, &m, n);
+    m = oldm;
+    result = enclave_add_N_regular(enclave, &m, n);
+
+    clock_gettime(CLOCK_REALTIME, &current_time);
+    end = current_time.tv_sec * 1000000 + current_time.tv_nsec / 1000.0;
+
     if (result != OE_OK)
-        fprintf(stderr, "enclave_add_N(): result=%u", result);
+    {
+        fprintf(stderr, "enclave_add_N_regular(): result=%u", result);
+        goto done;
+    }
 
-    fprintf(stderr, "enclave_add_N(): %d + %d = %d\n", oldm, n, m);
+    fprintf(
+        stderr,
+        "enclave_add_N_regular(): %d + %d = %d. Time spent: "
+        "%d ms\n",
+        oldm,
+        n,
+        m,
+        (int)(end - start) / 1000);
 
+done:
     ret = result != OE_OK ? 1 : 0;
     oe_terminate_enclave(enclave);
 
diff --git a/samples/switchless/switchless.edl b/samples/switchless/switchless.edl
index c2753b0999..89ab289a39 100644
--- a/samples/switchless/switchless.edl
+++ b/samples/switchless/switchless.edl
@@ -3,10 +3,12 @@
 
 enclave {
     trusted {
-        public void enclave_add_N([in, out] int* m, int n);
+        public void enclave_add_N_switchless([in, out] int* m, int n);
+        public void enclave_add_N_regular([in, out] int* m, int n);
     };
 
     untrusted {
-        void host_increment([in, out] int* m) transition_using_threads;
+        void host_increment_switchless([in, out] int* m) transition_using_threads;
+        void host_increment_regular([in, out] int* m);
     };
 };
diff --git a/tests/switchless_threads/host/host.c b/tests/switchless_threads/host/host.c
index 0651601862..d057259487 100644
--- a/tests/switchless_threads/host/host.c
+++ b/tests/switchless_threads/host/host.c
@@ -16,6 +16,9 @@
 #endif
 #include "switchless_threads_u.h"
 
+// The enclave supports up to 8 concurrent threads in it. We have to reserve
+// one for the main host thread (calling into enc_echo_multiple). This leaves
+// us 7 host threads to call into enc_echo_single.
 #define NUM_HOST_THREADS 7
 #define STRING_LEN 100
 #define STRING_HELLO "Hello World"

From 1629a7311e176d23747fc3c7b7d1e2c960b01d26 Mon Sep 17 00:00:00 2001
From: Xuejun Yang <xuejya@microsoft.com>
Date: Wed, 25 Sep 2019 21:47:06 +0000
Subject: [PATCH 033/420] Fix build errors

---
 samples/switchless/host/host.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/samples/switchless/host/host.c b/samples/switchless/host/host.c
index 5befac78d0..f4c5edb052 100644
--- a/samples/switchless/host/host.c
+++ b/samples/switchless/host/host.c
@@ -70,13 +70,14 @@ int main(int argc, const char* argv[])
     double start, end;
     struct timespec current_time;
     clock_gettime(CLOCK_REALTIME, &current_time);
-    start = current_time.tv_sec * 1000000 + current_time.tv_nsec / 1000.0;
+    start =
+        current_time.tv_sec * 1000000 + (double)current_time.tv_nsec / 1000.0;
 
     // Call into the enclave
     result = enclave_add_N_switchless(enclave, &m, n);
 
     clock_gettime(CLOCK_REALTIME, &current_time);
-    end = current_time.tv_sec * 1000000 + current_time.tv_nsec / 1000.0;
+    end = current_time.tv_sec * 1000000 + (double)current_time.tv_nsec / 1000.0;
 
     if (result != OE_OK)
     {
@@ -94,14 +95,15 @@ int main(int argc, const char* argv[])
         (int)(end - start) / 1000);
 
     clock_gettime(CLOCK_REALTIME, &current_time);
-    start = current_time.tv_sec * 1000000 + current_time.tv_nsec / 1000.0;
+    start =
+        current_time.tv_sec * 1000000 + (double)current_time.tv_nsec / 1000.0;
 
     // Call into the enclave
     m = oldm;
     result = enclave_add_N_regular(enclave, &m, n);
 
     clock_gettime(CLOCK_REALTIME, &current_time);
-    end = current_time.tv_sec * 1000000 + current_time.tv_nsec / 1000.0;
+    end = current_time.tv_sec * 1000000 + (double)current_time.tv_nsec / 1000.0;
 
     if (result != OE_OK)
     {

From 87845cdab7a2852b21eff79741e45ad2e297c4f2 Mon Sep 17 00:00:00 2001
From: Xuejun Yang <xuejya@microsoft.com>
Date: Wed, 25 Sep 2019 23:18:28 +0000
Subject: [PATCH 034/420] Fix build errors and address review comments

---
 tests/switchless/host/host.c         | 5 +++--
 tests/switchless_threads/host/host.c | 6 +++---
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/tests/switchless/host/host.c b/tests/switchless/host/host.c
index d6ff0290f9..222e536ce5 100644
--- a/tests/switchless/host/host.c
+++ b/tests/switchless/host/host.c
@@ -26,7 +26,8 @@ double get_relative_time_in_microseconds()
 #if __GNUC__
     struct timespec current_time;
     clock_gettime(CLOCK_REALTIME, &current_time);
-    return current_time.tv_sec * 1000000 + current_time.tv_nsec / 1000.0;
+    return current_time.tv_sec * 1000000 +
+           (double)current_time.tv_nsec / 1000.0;
 #elif _MSC_VER
     double current_time;
     QueryPerformanceCounter(&current_time);
@@ -73,7 +74,7 @@ int main(int argc, const char* argv[])
     const uint32_t flags = oe_get_create_flags();
 
     // Enable switchless and configure host worker number
-    oe_enclave_config_context_switchless_t config = {2, 0};
+    oe_enclave_config_context_switchless_t config = {1, 0};
     oe_enclave_config_t configs[] = {{
         .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
         .u.context_switchless_config = &config,
diff --git a/tests/switchless_threads/host/host.c b/tests/switchless_threads/host/host.c
index d057259487..8800545910 100644
--- a/tests/switchless_threads/host/host.c
+++ b/tests/switchless_threads/host/host.c
@@ -16,9 +16,9 @@
 #endif
 #include "switchless_threads_u.h"
 
-// The enclave supports up to 8 concurrent threads in it. We have to reserve
-// one for the main host thread (calling into enc_echo_multiple). This leaves
-// us 7 host threads to call into enc_echo_single.
+// For SGX, the enclave supports up to 8 concurrent threads in it. We have
+// to reserve one for the main host thread (calling into enc_echo_multiple).
+// This leaves us 7 host threads to call into enc_echo_single.
 #define NUM_HOST_THREADS 7
 #define STRING_LEN 100
 #define STRING_HELLO "Hello World"

From ae51749b914fbf8fc45147e4e8bffe102b998daf Mon Sep 17 00:00:00 2001
From: Xuejun Yang <xuejya@microsoft.com>
Date: Wed, 25 Sep 2019 23:24:12 +0000
Subject: [PATCH 035/420] Fix build errors

---
 tests/switchless/host/host.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/switchless/host/host.c b/tests/switchless/host/host.c
index 222e536ce5..da8bb8c0d6 100644
--- a/tests/switchless/host/host.c
+++ b/tests/switchless/host/host.c
@@ -26,7 +26,7 @@ double get_relative_time_in_microseconds()
 #if __GNUC__
     struct timespec current_time;
     clock_gettime(CLOCK_REALTIME, &current_time);
-    return current_time.tv_sec * 1000000 +
+    return (double)current_time.tv_sec * 1000000 +
            (double)current_time.tv_nsec / 1000.0;
 #elif _MSC_VER
     double current_time;

From 8848d67afde76932ce391f598e20426f73923352 Mon Sep 17 00:00:00 2001
From: Jay Chetty <jay.chetty@intel.com>
Date: Thu, 26 Sep 2019 08:48:33 -0700
Subject: [PATCH 036/420] Fixed the coding style issue

style: { should be on new line, here and in 232, for consistency with rest of file
---
 samples/file-encryptor/enclave/keys.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/samples/file-encryptor/enclave/keys.cpp b/samples/file-encryptor/enclave/keys.cpp
index b930c8f877..c4d4d6c694 100644
--- a/samples/file-encryptor/enclave/keys.cpp
+++ b/samples/file-encryptor/enclave/keys.cpp
@@ -226,10 +226,12 @@ int ecall_dispatcher::cipher_encryption_key(
     mbedtls_aes_init(&aescontext);
 
     // set aes key
-    if (encrypt){
+    if (encrypt)
+    {
         ret = mbedtls_aes_setkey_enc(&aescontext, encrypt_key, ENCRYPTION_KEY_SIZE);
     }
-    else {
+    else
+    {
         ret = mbedtls_aes_setkey_dec(&aescontext, encrypt_key, ENCRYPTION_KEY_SIZE);
     }
     if (ret != 0)

From 4c1c9eacf038e224e1eaade0e0bff1268be94237 Mon Sep 17 00:00:00 2001
From: Dave Thaler <dthaler@microsoft.com>
Date: Fri, 27 Sep 2019 11:59:52 -0700
Subject: [PATCH 037/420] Rename CMC to CGC

Signed-off-by: Dave Thaler <dthaler@microsoft.com>
---
 docs/Committers.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/Committers.md b/docs/Committers.md
index 794ebd7017..e8ff31c008 100644
--- a/docs/Committers.md
+++ b/docs/Committers.md
@@ -13,13 +13,13 @@ but when that fails, the Committee calls for a vote where the super majority
 (two-thirds) wins. This is to prevent obstructionism by removing the possibility
 of a one person veto.
 
-Quorum for Community Maintenance Committee meetings requires at least two-thirds
-all members of the Community Maintenance Committee to be present. The
-Community Maintenance Committee may continue to meet if quorum is not met but will
+Quorum for Community Governance Committee meetings requires at least two-thirds
+all members of the Community Governance Committee to be present. The
+Community Governance Committee may continue to meet if quorum is not met but will
 be prevented from making any decisions at the meeting.
 
 All decisions by vote, whether during a meeting or otherwise, require a super majority
-vote of all members of the Community Maintenance Committee.
+vote of all members of the Community Governance Committee.
 
 
 Committee Members

From 8b2be5dad2edaad6641c811cfa90546a6b250033 Mon Sep 17 00:00:00 2001
From: Jay Chetty <jay.chetty@intel.com>
Date: Fri, 27 Sep 2019 13:58:11 -0700
Subject: [PATCH 038/420] Fixed code format issue

---
 samples/file-encryptor/enclave/keys.cpp | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/samples/file-encryptor/enclave/keys.cpp b/samples/file-encryptor/enclave/keys.cpp
index c4d4d6c694..dd3a02a2e6 100644
--- a/samples/file-encryptor/enclave/keys.cpp
+++ b/samples/file-encryptor/enclave/keys.cpp
@@ -228,15 +228,17 @@ int ecall_dispatcher::cipher_encryption_key(
     // set aes key
     if (encrypt)
     {
-        ret = mbedtls_aes_setkey_enc(&aescontext, encrypt_key, ENCRYPTION_KEY_SIZE);
+        ret = mbedtls_aes_setkey_enc(
+            &aescontext, encrypt_key, ENCRYPTION_KEY_SIZE);
     }
     else
     {
-        ret = mbedtls_aes_setkey_dec(&aescontext, encrypt_key, ENCRYPTION_KEY_SIZE);
+        ret = mbedtls_aes_setkey_dec(
+            &aescontext, encrypt_key, ENCRYPTION_KEY_SIZE);
     }
     if (ret != 0)
     {
-        TRACE_ENCLAVE("mbedtls_aes_setkey_enc failed with %d", ret);
+        TRACE_ENCLAVE("mbedtls_aes_setkey_enc/dec failed with %d", ret);
         goto exit;
     }
 

From d0b906cac297f93e0e5e39e29534718210e83980 Mon Sep 17 00:00:00 2001
From: Sergio Wong <sergio.wong@gmail.com>
Date: Thu, 26 Sep 2019 01:23:47 +0000
Subject: [PATCH 039/420] QE identity info is now required from the DCAP
 provider.

---
 common/sgx/collaterals.h                      | 10 +--
 common/sgx/qeidentity.c                       | 76 +------------------
 common/sgx/qeidentity.h                       | 22 +++---
 common/sgx/quote.c                            | 54 ++++---------
 common/sgx/quote.h                            | 32 ++++----
 common/sgx/revocation.c                       | 23 ------
 common/sgx/revocation.h                       | 40 ++++------
 .../GettingStarted.Windows.md                 |  2 +-
 scripts/install-windows-prereqs.ps1           |  4 +-
 tests/report/common/tests.cpp                 | 58 ++++++++++----
 10 files changed, 109 insertions(+), 212 deletions(-)

diff --git a/common/sgx/collaterals.h b/common/sgx/collaterals.h
index ba413efa7a..1e5743ce22 100644
--- a/common/sgx/collaterals.h
+++ b/common/sgx/collaterals.h
@@ -12,10 +12,10 @@ OE_EXTERNC_BEGIN
 /**
  * Get the collaterals for the respective remote report.
  *
- * @param remote_report[in] The remote report.
- * @param remote_report_size[in] The size of the remote report.
- * @param collaterals_buffer[out] The buffer where to store the collaterals.
- * @param collaterals_buffer_size[out] The size of the collaterals.
+ * @param[in] remote_report The remote report.
+ * @param[in] remote_report_size The size of the remote report.
+ * @param[out] collaterals_buffer The buffer where to store the collaterals.
+ * @param[out] collaterals_buffer_size The size of the collaterals.
  */
 oe_result_t oe_get_collaterals_internal(
     const uint8_t* remote_report,
@@ -26,7 +26,7 @@ oe_result_t oe_get_collaterals_internal(
 /**
  * Free up any resources allocated by oe_get_collateras()
  *
- * @param collaterals_buffer The buffer containing the collaterals.
+ * @param[in] collaterals_buffer The buffer containing the collaterals.
  */
 void oe_free_collaterals_internal(uint8_t* collaterals_buffer);
 
diff --git a/common/sgx/qeidentity.c b/common/sgx/qeidentity.c
index 99a9cbf28a..23cb42845e 100644
--- a/common/sgx/qeidentity.c
+++ b/common/sgx/qeidentity.c
@@ -7,23 +7,12 @@
 #include "../common.h"
 #include "tcbinfo.h"
 
-// hardcoded property values used for validating quoting enclave when qe
-// identity info is not available
-// The mrsigner value of Intel's Production quoting enclave.
-static const uint8_t g_qe_mrsigner[32] = {
-    0x8c, 0x4f, 0x57, 0x75, 0xd7, 0x96, 0x50, 0x3e, 0x96, 0x13, 0x7f,
-    0x77, 0xc6, 0x8a, 0x82, 0x9a, 0x00, 0x56, 0xac, 0x8d, 0xed, 0x70,
-    0x14, 0x0b, 0x08, 0x1b, 0x09, 0x44, 0x90, 0xc5, 0x7b, 0xff};
-
-// The isvprodid value of Intel's Production quoting enclave.
-static const uint16_t g_qe_isvprodid = 1;
-
-// The isvsvn value of Intel's Production quoting enclave.
-static const uint32_t g_qeisvsvn = 2;
-
 extern oe_datetime_t _sgx_minimim_crl_tcb_issue_date;
 
-void dump_info(const char* title, const uint8_t* data, const uint8_t count)
+static void dump_info(
+    const char* title,
+    const uint8_t* data,
+    const uint8_t count)
 {
     OE_TRACE_INFO("%s\n", title);
     for (uint8_t i = 0; i < count; i++)
@@ -32,63 +21,6 @@ void dump_info(const char* title, const uint8_t* data, const uint8_t count)
     }
 }
 
-oe_result_t oe_validate_qe_report_body(sgx_report_body_t* qe_report_body)
-{
-    oe_result_t result = OE_UNEXPECTED;
-
-    if (qe_report_body == NULL)
-        OE_RAISE(OE_INVALID_PARAMETER);
-
-    // No qe_identity info returned from the quote provider, this could be
-    // because either get_qe_identity_info API was not supported or
-    // unexpected error. In both cases, check against hardcoded quoting
-    // enclave properties instead Assert that the qe report's MRSIGNER
-    // matches Intel's quoting. We will remove these hardcoded values once
-    // the libdcap_quoteprov.so was updated to support qe identity feature.
-
-    // enclave's mrsigner.
-    if (!oe_constant_time_mem_equal(
-            qe_report_body->mrsigner, g_qe_mrsigner, sizeof(g_qe_mrsigner)))
-    {
-        dump_info("Expected mrsigner", g_qe_mrsigner, sizeof(g_qe_mrsigner));
-        dump_info(
-            "Actual mrsigner",
-            qe_report_body->mrsigner,
-            sizeof(qe_report_body->mrsigner));
-        OE_RAISE_MSG(
-            OE_QUOTE_ENCLAVE_IDENTITY_UNIQUEID_MISMATCH,
-            "mrsigner mismatch",
-            NULL);
-    }
-
-    if (qe_report_body->isvprodid != g_qe_isvprodid)
-        OE_RAISE_MSG(
-            QE_QUOTE_ENCLAVE_IDENTITY_PRODUCTID_MISMATCH,
-            "isvprodid mismatch. Expected 0x%04X, actual 0x%04X",
-            g_qe_isvprodid,
-            qe_report_body->isvprodid);
-
-    if (qe_report_body->isvsvn < g_qeisvsvn)
-        OE_RAISE_MSG(
-            OE_QUOTE_ENCLAVE_IDENTITY_VERIFICATION_FAILED,
-            "isvsvn is out-of-date. Required SVN 0x%08X, actual SVN 0x%08X",
-            g_qeisvsvn,
-            qe_report_body->isvsvn);
-
-    // Ensure that the QE is not a debug supporting enclave.
-    if (qe_report_body->attributes.flags & SGX_FLAGS_DEBUG)
-        OE_RAISE_MSG(
-            OE_QUOTE_ENCLAVE_IDENTITY_VERIFICATION_FAILED,
-            "QE has SGX_FLAGS_DEBUG set!!",
-            NULL);
-
-    result = OE_OK;
-
-done:
-
-    return result;
-}
-
 oe_result_t oe_validate_qe_identity(
     sgx_report_body_t* qe_report_body,
     oe_get_qe_identity_info_args_t* qe_id_args,
diff --git a/common/sgx/qeidentity.h b/common/sgx/qeidentity.h
index 96c62a8472..1ccd4a4fa1 100644
--- a/common/sgx/qeidentity.h
+++ b/common/sgx/qeidentity.h
@@ -12,14 +12,6 @@
 
 OE_EXTERNC_BEGIN
 
-/**
- * This is needed to be backwards compatible
- * with providers that do not support QE identity.
- *
- * @param[in] qe_report_body The QE report body from the quote.
- */
-oe_result_t oe_validate_qe_report_body(sgx_report_body_t* qe_report_body);
-
 /**
  * Validate the QE identity information.  Returns the validity time range
  * for the caller to validate.
@@ -35,14 +27,20 @@ oe_result_t oe_validate_qe_identity(
     oe_datetime_t* validity_from,
     oe_datetime_t* validity_until);
 
-// Fetch qe identity info using the specified args structure.
+/**
+ * Fetch qe identity info using the specified args structure.
+ *
+ * @param[out] args The QE identity info structure.
+ */
 oe_result_t oe_get_qe_identity_info(oe_get_qe_identity_info_args_t* args);
 
-// Cleanup the args structure.
+/**
+ *  Cleanup the args structure.
+ *
+ * @param[int] args The QE identity info structure.
+ */
 void oe_free_qe_identity_info_args(oe_get_qe_identity_info_args_t* args);
 
-void dump_info(const char* title, const uint8_t* data, const uint8_t count);
-
 OE_EXTERNC_END
 
 #endif // _OE_COMMON_QE_IDENTITY_H
diff --git a/common/sgx/quote.c b/common/sgx/quote.c
index 01b735f04d..1e61a57c05 100644
--- a/common/sgx/quote.c
+++ b/common/sgx/quote.c
@@ -206,8 +206,7 @@ static oe_result_t _ecdsa_verify(
 
 static oe_result_t oe_verify_quote_internal(
     const uint8_t* quote,
-    size_t quote_size,
-    bool no_collaterals)
+    size_t quote_size)
 {
     oe_result_t result = OE_UNEXPECTED;
     sgx_quote_t* sgx_quote = NULL;
@@ -294,12 +293,6 @@ static oe_result_t oe_verify_quote_internal(
                 OE_QUOTE_VERIFICATION_ERROR,
                 "Failed to verify root public key.",
                 NULL);
-
-        if (no_collaterals)
-            OE_CHECK_MSG(
-                oe_enforce_revocation(&leaf_cert, &intermediate_cert),
-                "Failed when enforcing CRL",
-                NULL);
     }
 
     // Quote validations.
@@ -357,12 +350,6 @@ static oe_result_t oe_verify_quote_internal(
             NULL);
     }
 
-    if (no_collaterals)
-        OE_CHECK_MSG(
-            oe_validate_qe_report_body(&quote_auth_data->qe_report_body),
-            "Quoting enclave identity checking",
-            NULL);
-
     result = OE_OK;
 
 done:
@@ -451,45 +438,30 @@ oe_result_t oe_verify_quote_internal_with_collaterals(
     oe_datetime_t validity_until = {0};
     oe_datetime_t creation_time = {0};
 
-    bool no_collaterals = false;
-
     if (quote == NULL)
         OE_RAISE(OE_INVALID_PARAMETER);
 
     if (collaterals == NULL)
     {
-        result = oe_get_collaterals_internal(
-            quote,
-            quote_size,
-            (uint8_t**)&local_collaterals,
-            &local_collaterals_size);
+        OE_CHECK_MSG(
+            oe_get_collaterals_internal(
+                quote,
+                quote_size,
+                (uint8_t**)&local_collaterals,
+                &local_collaterals_size),
+            "Failed to get collaterals. %s",
+            oe_result_str(result));
 
-        if (result == OE_QUOTE_PROVIDER_CALL_ERROR)
-        {
-            // No qe_identity info returned from the quote provider, this could
-            // be because either get_qe_identity_info API was not supported or
-            // unexpected error. In both cases, check against hardcoded quoting
-            // enclave properties instead Assert that the qe report's MRSIGNER
-            // matches Intel's quoting. We will remove these hardcoded values
-            // once the libdcap_quoteprov.so was updated to support qe identity
-            // feature.
-            no_collaterals = true;
-        }
-        else
-        {
-            OE_CHECK_MSG(
-                result, "Failed to get collaterals. %s", oe_result_str(result));
-            collaterals = local_collaterals;
-            collaterals_size = local_collaterals_size;
-        }
+        collaterals = local_collaterals;
+        collaterals_size = local_collaterals_size;
     }
 
     OE_CHECK_MSG(
-        oe_verify_quote_internal(quote, quote_size, no_collaterals),
+        oe_verify_quote_internal(quote, quote_size),
         "Failed to verify remote quote.",
         NULL);
 
-    if (!no_collaterals)
+    // Collateral verification
     {
         oe_collaterals_t* collaterals_body =
             (oe_collaterals_t*)(collaterals + OE_COLLATERALS_HEADER_SIZE);
diff --git a/common/sgx/quote.h b/common/sgx/quote.h
index a1aa93357b..3596bce097 100644
--- a/common/sgx/quote.h
+++ b/common/sgx/quote.h
@@ -14,11 +14,11 @@ OE_EXTERNC_BEGIN
 /*!
  * Verify quote with optional collaterals.
  *
- * @param quote[in] Input quote.
- * @param quote_size[in] The size of the quote.
- * @param collaterals[in] Optional collaterals related to the quote.
- * @param collatterals_size[in] The size of the collaterals.
- * @param input_validation_time[in] Optional time to use for validation,
+ * @param[in] quote Input quote.
+ * @param[in] quote_size The size of the quote.
+ * @param[in] collaterals Optional collaterals related to a remote quote.
+ * @param[in] collatterals_size The size of the collaterals.
+ * @param[in] input_validation_time Optional time to use for validation,
  * defaults to the time the collaterals were created.
  */
 oe_result_t oe_verify_quote_internal_with_collaterals(
@@ -33,12 +33,12 @@ oe_result_t oe_verify_quote_internal_with_collaterals(
  *
  * Caller is responsible for deallocating memory in pck_cert_chain.
  *
- * @param quote[in] Input quote.
- * @param quote_size[in] The size of the quote.
- * @param pem_pck_certifcate[out] Pointer to the quote where the certificate PCK
+ * @param[in] quote Input quote.
+ * @param[in] quote_size The size of the quote.
+ * @param[out] pem_pck_certifcate Pointer to the quote where the certificate PCK
  * starts.
- * @param pem_pck_certificate_size[out] Size of the PCK certificate.
- * @param pck_cert_chain[out] Reference to an instance of oe_cert_chain_t where
+ * @param[out] pem_pck_certificate_size Size of the PCK certificate.
+ * @param[out] pck_cert_chain Reference to an instance of oe_cert_chain_t where
  * to store the chain.  Caller needs to free resources by calling
  * oe_cert_chain_free()
  */
@@ -67,12 +67,12 @@ oe_result_t oe_get_quote_cert_chain_internal(
  *          a) QE identity cert.
  *          b) QE identity.
  *
- * @param quote[in] Input quote.
- * @param quote_size[in] The size of the quote.
- * @param collaterals[in] Optional collaterals related to the quote.
- * @param collatterals_size[in] The size of the collaterals.
- * @param valid_from[out] validity_from The date from which the quote is valid.
- * @param valid_until[out] validity_until The date which the quote expires.
+ * @param[in] quote Input quote.
+ * @param[in] quote_size The size of the quote.
+ * @param[in] collaterals Collaterals related to the quote.
+ * @param[in] collatterals_size The size of the collaterals.
+ * @param[out] valid_from validity_from The date from which the quote is valid.
+ * @param[out] valid_until validity_until The date which the quote expires.
  */
 oe_result_t oe_get_quote_validity_with_collaterals_internal(
     const uint8_t* quote,
diff --git a/common/sgx/revocation.c b/common/sgx/revocation.c
index 3bd08d9608..8127a95c70 100644
--- a/common/sgx/revocation.c
+++ b/common/sgx/revocation.c
@@ -283,29 +283,6 @@ oe_result_t oe_get_revocation_info_from_certs(
     return result;
 }
 
-oe_result_t oe_enforce_revocation(
-    oe_cert_t* leaf_cert,
-    oe_cert_t* intermediate_cert)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    oe_get_revocation_info_args_t revocation_args = {0};
-    oe_datetime_t validity_from = {0};
-    oe_datetime_t validity_until = {0};
-
-    OE_CHECK(oe_get_revocation_info_from_certs(
-        leaf_cert, intermediate_cert, &revocation_args));
-
-    OE_CHECK(oe_validate_revocation_list(
-        leaf_cert, &revocation_args, &validity_from, &validity_until));
-
-    result = OE_OK;
-
-done:
-    oe_free_get_revocation_info_args(&revocation_args);
-
-    return result;
-}
-
 oe_result_t oe_validate_revocation_list(
     oe_cert_t* pck_cert,
     oe_get_revocation_info_args_t* revocation_args,
diff --git a/common/sgx/revocation.h b/common/sgx/revocation.h
index fc2e2436fe..1393c947ca 100644
--- a/common/sgx/revocation.h
+++ b/common/sgx/revocation.h
@@ -13,28 +13,18 @@
 OE_EXTERNC_BEGIN
 
 /**
- * This function gets the revocation information from the given
- * PCK Cert and CA cert and does validation.
- *
- * @param[in] leaf_cert The PCK certificate.
- * @param[in] revocation_args The revocation information.
- */
-oe_result_t oe_enforce_revocation(
-    oe_cert_t* leaf_cert,
-    oe_cert_t* intermediate_cert);
-
-/** Validate revocation info.  Make sure the following:
+ * Validate the revocation info.  Make sure the following:
  *
  *  1. TCB info.
  *  2. CRL.
  *
- * Are valid and returns the validity dates for this
- * revocation information for the caller to validate.
+ * Are valid and returns the validity dates for the given
+ * revocation info.
  *
- * @param pck_cert[in] The PCK certificate.
- * @param revocation_args[in] The revocation information.
- * @param validity_from[out] The date from which the revocation info is valid.
- * @param validity_until[out] The date which the revocation info expires.
+ * @param[in] pck_cert The PCK certificate.
+ * @param[in] revocation_args The revocation information.
+ * @param[out] validity_from The date from which the revocation info is valid.
+ * @param[out] validity_until The date which the revocation info expires.
  */
 oe_result_t oe_validate_revocation_list(
     oe_cert_t* pck_cert,
@@ -43,15 +33,15 @@ oe_result_t oe_validate_revocation_list(
     oe_datetime_t* validity_until);
 
 /**
- * Fetch revocation info for the PCK certificate and CA
- * certificate.
+ * Fetch revocation info from the quote provider given the PCK certificate and
+ * CA certificate.
  *
  * Caller is responsbile for freeing the revocation info resources
  * by calling oe_free_get_revocation_info_args().
  *
- * @param leaf_cert[in] the PCK certificate.
- * @param intermediate_cert[in] the CA certificate.
- * @param args[out] the revocation info.
+ * @param[in] leaf_cert The PCK certificate.
+ * @param[in] intermediate_cert The CA certificate.
+ * @param[out] args The revocation info.
  */
 oe_result_t oe_get_revocation_info_from_certs(
     oe_cert_t* leaf_cert,
@@ -59,10 +49,10 @@ oe_result_t oe_get_revocation_info_from_certs(
     oe_get_revocation_info_args_t* args);
 
 /**
- * Get the revocation info.  Caller is responsible for
+ * Get the revocation info from the quote provider.  Caller is responsible for
  * configuring the revocation info input parameters.
  *
- * @param args[in/out] the revocation info.
+ * @param[in,out] args The revocation info.
  */
 oe_result_t oe_get_revocation_info(oe_get_revocation_info_args_t* args);
 
@@ -70,7 +60,7 @@ oe_result_t oe_get_revocation_info(oe_get_revocation_info_args_t* args);
  * Free resources allocated by oe_get_revocation_info() and
  * oe_get_revocation_info_from_certs().
  *
- * @param args[in] the revocation info.
+ * @param[in] args The revocation info.
  */
 void oe_free_get_revocation_info_args(oe_get_revocation_info_args_t* args);
 
diff --git a/docs/GettingStartedDocs/GettingStarted.Windows.md b/docs/GettingStartedDocs/GettingStarted.Windows.md
index a72198c90a..47e28dca92 100644
--- a/docs/GettingStartedDocs/GettingStarted.Windows.md
+++ b/docs/GettingStartedDocs/GettingStarted.Windows.md
@@ -212,7 +212,7 @@ The Azure DCAP client for Windows is necessary if you would like to perform encl
 It is available from [nuget.org](https://www.nuget.org/packages/Azure.DCAP.Windows/) and can be installed directly via:
 
 ```cmd
-nuget.exe install Azure.DCAP.Windows -ExcludeVersion -Version 0.0.2 -OutputDirectory C:\openenclave\prereqs\nuget
+nuget.exe install Azure.DCAP.Windows -ExcludeVersion -Version 0.0.3 -OutputDirectory C:\openenclave\prereqs\nuget
 ```
 
 ##### [Intel Data Center Attestation Primitives (DCAP) Libraries v1.2](http://registrationcenter-download.intel.com/akdlm/irc_nas/15650/Intel%20SGX%20DCAP%20for%20Windows%20v1.2.100.49925.exe)
diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index e0c2d8b8bc..26da9a4444 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -27,8 +27,8 @@ Param(
     [string]$IntelDCAPHash = 'F31E4451CA32E19CA3DCB0AFC49AFE9F4963C47BF62AAF24A8AE436BDA14FD8B',
     [string]$VCRuntime2012URL = 'https://download.microsoft.com/download/1/6/B/16B06F60-3B20-4FF2-B699-5E9B7962F9AE/VSU_4/vcredist_x64.exe',
     [string]$VCRuntime2012Hash = '681BE3E5BA9FD3DA02C09D7E565ADFA078640ED66A0D58583EFAD2C1E3CC4064',
-    [string]$AzureDCAPNupkgURL = 'https://www.nuget.org/api/v2/package/Azure.DCAP.Windows/0.0.2',
-    [string]$AzureDCAPNupkgHash = 'E319A6C2D136FE5EDB8799305F6151B71F4CE4E67D96CA74538D0AD5D2D793F1',
+    [string]$AzureDCAPNupkgURL = 'https://www.nuget.org/api/v2/package/Azure.DCAP.Windows/0.0.3',
+    [string]$AzureDCAPNupkgHash = '79C698B61CADA32F56F26647B96BBB1C00B7409A6646597C7CC2908A57677256',
     [string]$Python3URL = 'https://www.python.org/ftp/python/3.7.4/python-3.7.4.exe',
     [string]$Python3Hash = '9A30AB5568BA37BFBCAE5CDEE19E9DC30765C42CF066F605221563FF8B20EE34',
     [Parameter(mandatory=$true)][string]$InstallPath,
diff --git a/tests/report/common/tests.cpp b/tests/report/common/tests.cpp
index 13049adaa5..b1c0c13b72 100644
--- a/tests/report/common/tests.cpp
+++ b/tests/report/common/tests.cpp
@@ -22,8 +22,9 @@
  * Get collateral data which can be used with future function
  * oe_verify_report_with_collaterals().
  *
- * @param collaterals_buffer The buffer containing the collaterals to parse.
- * @param collaterals_buffer_size The size of the **collaterals_buffer**.
+ * @param[in] enclave The instance of the enclave that will be used.
+ * @param[in] collaterals_buffer The buffer containing the collaterals to parse.
+ * @param[in] collaterals_buffer_size The size of the **collaterals_buffer**.
  *
  * @retval OE_OK The collaterals were successfully retrieved.
  */
@@ -122,19 +123,21 @@ oe_result_t oe_get_collaterals(
  * Verify the integrity of the report and its signature,
  * with optional collateral data that is associated with the report.
  *
- * This function verifies that the report signature is valid. If the report is
- * local, it verifies that it is correctly signed by the enclave
- * platform. If the report is remote, it verifies that the signing authority is
- * rooted to a trusted authority such as the enclave platform manufacturer.
+ * This function verifies that the report signature is valid. This only applies
+ * to remote reports.  For remote reports it verifies that the signing authority
+ * is rooted to a trusted authority such as the enclave platform manufacturer.
  *
- * @param enclave The instance of the enclave that will be used to
- * verify a local report. For remote reports, this parameter can be NULL.
- * @param report The buffer containing the report to verify.
- * @param report_size The size of the **report** buffer.
- * @param collaterals The collateral data that is associated with the report.
- * @param collaterals_size The size of the **collaterals** buffer.
- * @param parsed_report Optional **oe_report_t** structure to populate with the
- * report properties in a standard format.
+ * @param[in] enclave The instance of the enclave that will be used.
+ * @param[in] report The buffer containing the report to verify.
+ * @param[in] report_size The size of the **report** buffer.
+ * @param[in] collaterals Optional The collateral data that is associated with
+ * the report.
+ * @param[in] collaterals_size The size of the **collaterals** buffer.
+ * @param[in] input_validation_time Optional datetime to use when validating
+ * collaterals. If not specified, it will used the creation_datetime of the
+ * collaterals (if any collaterals are provided).
+ * @param[out] parsed_report Optional **oe_report_t** structure to populate with
+ * the report properties in a standard format.
  *
  * @retval OE_OK The report was successfully created.
  * @retval OE_INVALID_PARAMETER At least one parameter is invalid.
@@ -218,13 +221,38 @@ static oe_result_t oe_verify_report_with_collaterals(
 /**
  * Free up any resources allocated by oe_get_collateras()
  *
- * @param collaterals_buffer The buffer containing the collaterals.
+ * @param[in] collaterals_buffer The buffer containing the collaterals.
  */
 static void oe_free_collaterals(uint8_t* collaterals_buffer)
 {
     oe_free_collaterals_internal(collaterals_buffer);
 }
 
+/*!
+ * Find the valid datetime range for the given **remote report** and
+ * collaterals. This function accounts for the following items:
+ *
+ * 1. From the quote:
+ *          a) Root CA.
+ *          b) Intermediate CA.
+ *          b) PCK CA.
+ * 2. From the revocation info:
+ *          a) Root CA CRL.
+ *          b) Intermediate CA CRL.
+ *          c) PCK CA CRL.
+ *          d) TCB info cert.
+ *          e) TCB info.
+ * 3. From QE identity info
+ *          a) QE identity cert.
+ *          b) QE identity.
+ *
+ * @param[in] report The buffer containing the report to verify.
+ * @param[in] report_size The size of the **report** buffer.
+ * @param[in] collaterals Collaterals related to the quote.
+ * @param[in] collatterals_size The size of the collaterals.
+ * @param[out] valid_from validity_from The date from which the quote is valid.
+ * @param[out] valid_until validity_until The date which the quote expires.
+ */
 static oe_result_t oe_get_quote_validity_with_collaterals(
     const uint8_t* report,
     const size_t report_size,

From a5b98874deba8bd8f10abb6b78ba536cec99a4dd Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Sat, 21 Sep 2019 04:11:33 +0000
Subject: [PATCH 040/420] Remove vsbuildtools.exe hash check from iwp.ps1

---
 scripts/install-windows-prereqs.ps1 | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index e0c2d8b8bc..a33aade983 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -10,7 +10,7 @@ Param(
     [string]$SevenZipURL = 'https://www.7-zip.org/a/7z1806-x64.msi',
     [string]$SevenZipHash = 'F00E1588ED54DDF633D8652EB89D0A8F95BD80CCCFC3EED362D81927BEC05AA5',
     [string]$VSBuildToolsURL = 'https://aka.ms/vs/15/release/vs_buildtools.exe',
-    [string]$VSBuildToolsHash = '7D5B0220670BA1C174F0AE1FF2CE87D65A508E66C321431FBD4751F478037E12',
+    [string]$VSBuildToolsHash = '',
     [string]$OCamlURL = 'https://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/20160113/ocpwin64-20160113-4.02.1+ocp1-mingw64.zip',
     [string]$OCamlHash = '369F900F7CDA543ABF674520ED6004CC75008E10BEED0D34845E8A42866D0F3A',
     [string]$Clang7URL = 'http://releases.llvm.org/7.0.1/LLVM-7.0.1-win64.exe',
@@ -163,13 +163,16 @@ function Start-LocalPackagesDownload {
                            -Destination $PACKAGES[$pkg]["local_file"]
         $downloaded_hash = Get-FileHash $PACKAGES[$pkg]["local_file"]
         $expected_hash = $PACKAGES[$pkg]["hash"]
-        if ($downloaded_hash.Hash -ne $expected_hash)
+        if ($expected_hash -ne "")
         {
-            Throw "Error: Computed hash ($downloaded_hash) does not match expected hash ($expected_hash)"
-        }
-        else
-        {
-            Write-Output "Computed hash ($downloaded_hash) matches expected hash ($expected_hash)"
+            if ($downloaded_hash.Hash -ne $expected_hash)
+            {
+                Throw "Error: Computed hash ($downloaded_hash) does not match expected hash ($expected_hash)"
+            }
+            else
+            {
+                Write-Output "Computed hash ($downloaded_hash) matches expected hash ($expected_hash)"
+            }
         }
     }
     Write-Output "Finished downloading all the packages"

From f332935fd55eac5fe985c9582888c328707fecb3 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Tue, 24 Sep 2019 19:12:17 +0000
Subject: [PATCH 041/420] Add Python 3 to the Windows dependencies.

---
 scripts/install-windows-prereqs.ps1 | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index a33aade983..924a98d10f 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -29,8 +29,8 @@ Param(
     [string]$VCRuntime2012Hash = '681BE3E5BA9FD3DA02C09D7E565ADFA078640ED66A0D58583EFAD2C1E3CC4064',
     [string]$AzureDCAPNupkgURL = 'https://www.nuget.org/api/v2/package/Azure.DCAP.Windows/0.0.2',
     [string]$AzureDCAPNupkgHash = 'E319A6C2D136FE5EDB8799305F6151B71F4CE4E67D96CA74538D0AD5D2D793F1',
-    [string]$Python3URL = 'https://www.python.org/ftp/python/3.7.4/python-3.7.4.exe',
-    [string]$Python3Hash = '9A30AB5568BA37BFBCAE5CDEE19E9DC30765C42CF066F605221563FF8B20EE34',
+    [string]$Python3ZipURL = 'https://www.python.org/ftp/python/3.7.4/python-3.7.4-embed-amd64.zip',
+    [string]$Python3ZipHash = 'FB65E5CD595AD01049F73B47BC0EE23FD03F0CBADC56CB318990CEE83B37761B',
     [Parameter(mandatory=$true)][string]$InstallPath,
     [Parameter(mandatory=$true)][ValidateSet("SGX1FLC", "SGX1", "SGX1FLC-NoDriver")][string]$LaunchConfiguration,
     [Parameter(mandatory=$true)][ValidateSet("None", "Azure")][string]$DCAPClientType
@@ -120,9 +120,9 @@ $PACKAGES = @{
         "local_file" = Join-Path $PACKAGES_DIRECTORY "Win64OpenSSL-1_1_1d.exe"
     }
     "python3" = @{
-        "url" = $Python3URL
-        "hash" = $Python3Hash
-        "local_file" = Join-Path $PACKAGES_DIRECTORY "python-3.4.7.exe"
+        "url" = $Python3ZipURL
+        "hash" = $Python3ZipHash
+        "local_file" = Join-Path $PACKAGES_DIRECTORY "Python3.zip"
     }
 }
 
@@ -327,6 +327,21 @@ function Install-Nuget {
     Copy-Item -Force "$tempInstallDir\build\native\Nuget.exe" $PACKAGES_DIRECTORY
 }
 
+function Install-Python3 {
+    $tempInstallDir = "$PACKAGES_DIRECTORY\python3"
+    if(Test-Path -Path $tempInstallDir) {
+        Remove-Item -Path $tempInstallDir -Force -Recurse
+    }
+    Install-ZipTool -ZipPath $PACKAGES["python3"]["local_file"] `
+                    -InstallDirectory $tempInstallDir `
+                    -EnvironmentPath @("$tempInstallDir")
+
+    $installDir = Join-Path $env:ProgramFiles "python-3.7.4"
+    New-Directory -Path $installDir -RemoveExisting
+    Move-Item -Path "$tempInstallDir\*" -Destination $installDir
+    Add-ToSystemPath -Path $installDir
+}
+
 function Install-Git {
     $installDir = Join-Path $env:ProgramFiles "Git"
     Install-Tool -InstallerPath $PACKAGES["git"]["local_file"] `
@@ -634,6 +649,7 @@ try {
 
     Install-7Zip
     Install-Nuget
+    Install-Python3
     Install-VisualStudio
     Install-OpenSSL
     Install-LLVM

From 420dfb1dbac899856078c9e32eee14dd462f0a0d Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Wed, 25 Sep 2019 05:14:43 +0000
Subject: [PATCH 042/420] Update GettingStarted.Windows.md for Python 3
 prereqs.

---
 docs/GettingStartedDocs/GettingStarted.Windows.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/docs/GettingStartedDocs/GettingStarted.Windows.md b/docs/GettingStartedDocs/GettingStarted.Windows.md
index a72198c90a..506ff4c169 100644
--- a/docs/GettingStartedDocs/GettingStarted.Windows.md
+++ b/docs/GettingStartedDocs/GettingStarted.Windows.md
@@ -28,6 +28,7 @@ Windows.
 - [Git for Windows 64-bit](https://git-scm.com/download/win)
 - [OCaml for Windows 64-bit](https://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/20160113/)
 - [Clang/LLVM for Windows 64-bit](http://releases.llvm.org/7.0.1/LLVM-7.0.1-win64.exe)
+- [Python 3](https://www.python.org/downloads/windows/)
 
 To deploy all the prerequisities for building Open Enclave, you can run the ```scripts/install-windows-prereqs.ps1```
 
@@ -116,6 +117,12 @@ C:\> where ocaml
 C:\Program Files\ocpwin64\4.02.1+ocp1-msvc64-20160113\bin\ocaml.exe
 ```
 
+Python 3
+---------------------------------
+Install [Python 3 for Windows](https://www.python.org/downloads/windows/) and ensure that python.exe is available in your PATH.
+
+Python 3 is used as part of the mbedtls tests.
+
 Obtaining the source distribution
 ---------------------------------
 

From 5bceb4f5afc32e1517deadf6607c606cc2cd1743 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Sat, 28 Sep 2019 01:34:31 +0000
Subject: [PATCH 043/420] Rework Python 3 install in i-w-p to zip from exe.

---
 scripts/install-windows-prereqs.ps1 | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index 924a98d10f..2b25e2e36d 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -634,16 +634,6 @@ function Install-AzureDCAPWindows {
     popd
 }
 
-function Install-Python3 {
-    Write-Log "Installing Python3"
-    $tmpDir = Join-Path $PACKAGES_DIRECTORY "Python3"
-    $envPath = Join-Path "$PACKAGES_DIRECTORY\..\.." "Programs\Python\Python37-32"
-    Install-Tool -InstallerPath $PACKAGES["python3"]["local_file"] `
-                 -InstallDirectory $tmpDir `
-                 -ArgumentList @("/quiet", "/passive") `
-                 -EnvironmentPath @($envPath)
-}
-
 try {
     Start-LocalPackagesDownload
 
@@ -657,7 +647,6 @@ try {
     Install-OCaml
     Install-Shellcheck
     Install-PSW
-    Install-Python3
 
     if ($DCAPClientType -eq "Azure")
     {

From 81dab05b7919530cb4e038b80e1873299ea403a5 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Sat, 28 Sep 2019 01:39:41 +0000
Subject: [PATCH 044/420] Add comment to i-w-p noting the removal of the hash
 for vs_buildtools.

---
 scripts/install-windows-prereqs.ps1 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index 2b25e2e36d..35eb111122 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -9,6 +9,7 @@ Param(
     [string]$OpenSSLHash = '6AFA17D0768CF91B6F69F31FBC67CAB1AC2E3F40CCAAADB7A9D6C7FC37B38492',
     [string]$SevenZipURL = 'https://www.7-zip.org/a/7z1806-x64.msi',
     [string]$SevenZipHash = 'F00E1588ED54DDF633D8652EB89D0A8F95BD80CCCFC3EED362D81927BEC05AA5',
+    # We skip the hash check for the vs_buildtools.exe file because it is regularly updated without a change to the URL, unfortunately.
     [string]$VSBuildToolsURL = 'https://aka.ms/vs/15/release/vs_buildtools.exe',
     [string]$VSBuildToolsHash = '',
     [string]$OCamlURL = 'https://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/20160113/ocpwin64-20160113-4.02.1+ocp1-mingw64.zip',

From 95a8479aee760fdcf85f69a9d2a935fcdb22c56a Mon Sep 17 00:00:00 2001
From: Vikas Tikoo <vitikoo@microsoft.com>
Date: Fri, 20 Sep 2019 20:34:04 +0000
Subject: [PATCH 045/420] add ansible runnable script for sgx1 installation and
 make sgx-driver and sgx-packages roles generic for both sgx1 and
 sgx1-with-flc

---
 .../ansible/oe-contributors-setup-sgx1.yml    | 21 +++++++++++++++++++
 .../roles/linux/intel/defaults/main.yml       |  5 +++++
 .../roles/linux/intel/tasks/sgx-driver.yml    |  2 +-
 .../roles/linux/intel/tasks/sgx-packages.yml  |  8 +++++++
 .../ansible/roles/linux/intel/vars/bionic.yml |  3 ++-
 .../ansible/roles/linux/intel/vars/ubuntu.yml |  2 ++
 .../ansible/roles/linux/intel/vars/xenial.yml |  3 ++-
 7 files changed, 41 insertions(+), 3 deletions(-)
 create mode 100644 scripts/ansible/oe-contributors-setup-sgx1.yml
 create mode 100644 scripts/ansible/roles/linux/intel/defaults/main.yml

diff --git a/scripts/ansible/oe-contributors-setup-sgx1.yml b/scripts/ansible/oe-contributors-setup-sgx1.yml
new file mode 100644
index 0000000000..515a91cae2
--- /dev/null
+++ b/scripts/ansible/oe-contributors-setup-sgx1.yml
@@ -0,0 +1,21 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+---
+- hosts: localhost
+  any_errors_fatal: true
+  become: yes
+  tasks:
+    - import_role:
+        name: linux/openenclave
+        tasks_from: environment-setup.yml
+
+    - import_role:
+        name: linux/intel
+        tasks_from: sgx-driver.yml
+
+    - import_role:
+        name: linux/intel
+        tasks_from: sgx-packages.yml
+  vars:
+    flc_enabled: false
\ No newline at end of file
diff --git a/scripts/ansible/roles/linux/intel/defaults/main.yml b/scripts/ansible/roles/linux/intel/defaults/main.yml
new file mode 100644
index 0000000000..37e1cdea86
--- /dev/null
+++ b/scripts/ansible/roles/linux/intel/defaults/main.yml
@@ -0,0 +1,5 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+---
+flc_enable: true
\ No newline at end of file
diff --git a/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml b/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml
index 0396b060d9..12c9b5343d 100644
--- a/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml
+++ b/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml
@@ -29,7 +29,7 @@
 
 - name: Download Intel SGX DCAP Driver
   get_url:
-    url: "{{ intel_sgx_driver_url }}"
+    url: "{{ {{intel_sgx_w_flc_driver_url}} when {{flc_enable}} else {{intel_sgx1_driver_url}} }}"
     dest: /tmp/sgx_linux_x64_driver_dcap.bin
     mode: 0755
     timeout: 120
diff --git a/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml b/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml
index c4968e4586..20fd03db79 100644
--- a/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml
+++ b/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml
@@ -33,3 +33,11 @@
     state: present
     update_cache: yes
     install_recommends: no
+
+- name: Install the Intel DCAP packages
+  apt:
+    name: "{{ intel_sgx_packages }}"
+    state: present
+    update_cache: yes
+    install_recommends: no
+  when: flc_enabled
diff --git a/scripts/ansible/roles/linux/intel/vars/bionic.yml b/scripts/ansible/roles/linux/intel/vars/bionic.yml
index f55469e7a2..6eef9fb8dc 100644
--- a/scripts/ansible/roles/linux/intel/vars/bionic.yml
+++ b/scripts/ansible/roles/linux/intel/vars/bionic.yml
@@ -2,6 +2,7 @@
 # Licensed under the MIT License.
 
 ---
-intel_sgx_driver_url: "https://download.01.org/intel-sgx/dcap-1.2/linux/dcap_installers/ubuntuServer18.04/sgx_linux_x64_driver_1.12_c110012.bin"
+intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/dcap-1.2/linux/dcap_installers/ubuntuServer18.04/sgx_linux_x64_driver_1.12_c110012.bin"
+intel_sgx1_driver_url: "https://download.01.org/intel-sgx/linux-2.6/ubuntu18.04-server/sgx_linux_x64_driver_2.5.0_2605efa.bin"
 intel_sgx_package_dependencies:
   - "libprotobuf10"
diff --git a/scripts/ansible/roles/linux/intel/vars/ubuntu.yml b/scripts/ansible/roles/linux/intel/vars/ubuntu.yml
index 69e86eccf2..4965cda3aa 100644
--- a/scripts/ansible/roles/linux/intel/vars/ubuntu.yml
+++ b/scripts/ansible/roles/linux/intel/vars/ubuntu.yml
@@ -5,6 +5,8 @@
 intel_sgx_packages:
   - "libsgx-enclave-common"
   - "libsgx-enclave-common-dev"
+
+intel_dcap_packages:
   - "libsgx-dcap-ql"
   - "libsgx-dcap-ql-dev"
 
diff --git a/scripts/ansible/roles/linux/intel/vars/xenial.yml b/scripts/ansible/roles/linux/intel/vars/xenial.yml
index 20f07207e2..8bce765113 100644
--- a/scripts/ansible/roles/linux/intel/vars/xenial.yml
+++ b/scripts/ansible/roles/linux/intel/vars/xenial.yml
@@ -2,6 +2,7 @@
 # Licensed under the MIT License.
 
 ---
-intel_sgx_driver_url: "https://download.01.org/intel-sgx/dcap-1.2/linux/dcap_installers/ubuntuServer16.04/sgx_linux_x64_driver_1.12_c110012.bin"
+intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/dcap-1.2/linux/dcap_installers/ubuntuServer16.04/sgx_linux_x64_driver_1.12_c110012.bin"
+intel_sgx1_driver_url: "https://download.01.org/intel-sgx/linux-2.6/ubuntu16.04-server/sgx_linux_x64_driver_2.5.0_2605efa.bin"
 intel_sgx_package_dependencies:
   - "libprotobuf9v5"

From b6788d26699aff4768c047da2707cce19f5202b7 Mon Sep 17 00:00:00 2001
From: Vikas Tikoo <vitikoo@microsoft.com>
Date: Fri, 20 Sep 2019 21:40:30 +0000
Subject: [PATCH 046/420] add type hint for flc_enabled boolean variable

---
 scripts/ansible/roles/linux/intel/defaults/main.yml  |  2 +-
 .../ansible/roles/linux/intel/tasks/sgx-driver.yml   | 12 +++++++++++-
 .../ansible/roles/linux/intel/tasks/sgx-packages.yml |  2 +-
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/scripts/ansible/roles/linux/intel/defaults/main.yml b/scripts/ansible/roles/linux/intel/defaults/main.yml
index 37e1cdea86..7ab721aa3b 100644
--- a/scripts/ansible/roles/linux/intel/defaults/main.yml
+++ b/scripts/ansible/roles/linux/intel/defaults/main.yml
@@ -2,4 +2,4 @@
 # Licensed under the MIT License.
 
 ---
-flc_enable: true
\ No newline at end of file
+flc_enabled: true
\ No newline at end of file
diff --git a/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml b/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml
index 12c9b5343d..5316774127 100644
--- a/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml
+++ b/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml
@@ -29,11 +29,21 @@
 
 - name: Download Intel SGX DCAP Driver
   get_url:
-    url: "{{ {{intel_sgx_w_flc_driver_url}} when {{flc_enable}} else {{intel_sgx1_driver_url}} }}"
+    url: "{{intel_sgx_w_flc_driver_url}}"
     dest: /tmp/sgx_linux_x64_driver_dcap.bin
     mode: 0755
     timeout: 120
   retries: 3
+  when: flc_enabled|bool
+
+- name: Download Intel SGX1 Driver
+  get_url:
+    url: "{{intel_sgx1_driver_url}}"
+    dest: /tmp/sgx_linux_x64_driver_dcap.bin
+    mode: 0755
+    timeout: 120
+  retries: 3
+  when: not flc_enabled|bool
 
 - name: Install the Intel SGX DCAP Driver
   command: /tmp/sgx_linux_x64_driver_dcap.bin
diff --git a/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml b/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml
index 20fd03db79..de7efb5ac0 100644
--- a/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml
+++ b/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml
@@ -40,4 +40,4 @@
     state: present
     update_cache: yes
     install_recommends: no
-  when: flc_enabled
+  when: flc_enabled|bool

From 0cea80738d7212a85cb5f00dd8b2e93ee98065fa Mon Sep 17 00:00:00 2001
From: Vikas Tikoo <vitikoo@microsoft.com>
Date: Fri, 20 Sep 2019 21:46:17 +0000
Subject: [PATCH 047/420] update getting started doc with the ansible script
 instead of prereqs make targets

---
 .../Contributors/SGX1GettingStarted.md        | 32 ++++---------------
 1 file changed, 7 insertions(+), 25 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
index f487189d9d..a3048a23db 100644
--- a/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
@@ -15,41 +15,23 @@ git clone https://github.com/openenclave/openenclave.git
 
 This creates a source tree under the directory called openenclave.
 
-## Install project prerequisites
-
-Ansible is required to install the project prerequisites. If not already installed, you can install it by running: `scripts/ansible/install-ansible.sh`. To install all the OpenEnclave prerequisites you can execute the `environment-setup.yml` tasks from `linux/openenclave` Ansible role:
-
+## Install project requirements
+First, change directory into the openenclave repository:
 ```bash
-cd openenclave/scripts/ansible
-ansible localhost -m import_role -a "name=linux/openenclave tasks_from=environment-setup.yml" --become --ask-become-pass
+cd openenclave
 ```
 
-## Install Intel SGX1 support software packages
-
-There are two Intel packages needed for SGX1:
-
-- Intel® SGX Driver (/dev/isgx)
-- Intel® SGX AESM Service (from the Intel® SGX SDK)
-
-Refer to the [Intel® SGX Driver](https://github.com/01org/linux-sgx-driver) and [Intel® SGX AESM Service](https://github.com/01org/linux-sgx) github repositories for detailed instructions on how to build and install these packages.
-
-As a convenience, Open Enclave provides a script for downloading, building and
-installing both the driver and the AESM service. To install these dependencies
-type the following commands from the root of the source distribution:
-
+Ansible is required to install the project requirements. If not already installed, you can install it by running:
 ```bash
-sudo make -C prereqs
-sudo make -C prereqs install
+sudo scripts/ansible/install-ansible.sh
 ```
 
-After this completes verify that the AESM service is running as follows:
+Run the following command from the root of the source tree:
 
 ```bash
-service aesmd status
+sudo ansible-playbook scripts/ansible/oe-contributors-setup-sgx1.yml
 ```
 
-Look for the string “active (running)”, usually highlighted in green.
-
 ## Build
 
 To build first create a build directory ("build/" in the example below) and change into it.

From 5f9102b6d463c827bf259bfa3e175d366f29d750 Mon Sep 17 00:00:00 2001
From: Vikas Tikoo <vitikoo@microsoft.com>
Date: Fri, 20 Sep 2019 21:48:17 +0000
Subject: [PATCH 048/420] remove unnecessary word from task name

---
 scripts/ansible/roles/linux/common/tasks/apt-repo.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/ansible/roles/linux/common/tasks/apt-repo.yml b/scripts/ansible/roles/linux/common/tasks/apt-repo.yml
index 21193b529f..62e1451c44 100644
--- a/scripts/ansible/roles/linux/common/tasks/apt-repo.yml
+++ b/scripts/ansible/roles/linux/common/tasks/apt-repo.yml
@@ -7,12 +7,12 @@
     name: apt-transport-https
     state: present
 
-- name: Add Microsoft APT repository key
+- name: Add APT repository key
   apt_key:
     url: "{{ apt_key_url }}"
     state: present
 
-- name: Add Microsoft APT repository
+- name: Add APT repository
   apt_repository:
     repo: "{{ apt_repository }}"
     state: present

From 3f9ed36b6b8fb9f72f7982310fd6dc2bb59d9d14 Mon Sep 17 00:00:00 2001
From: Vikas Tikoo <vitikoo@microsoft.com>
Date: Fri, 20 Sep 2019 21:54:19 +0000
Subject: [PATCH 049/420] delete contents of prereqs/ folder

---
 prereqs/Makefile          |  24 ------
 prereqs/README.md         |  11 ---
 prereqs/aesm/Makefile     | 171 --------------------------------------
 prereqs/isgx/Makefile     | 102 -----------------------
 prereqs/packages/Makefile |  45 ----------
 5 files changed, 353 deletions(-)
 delete mode 100644 prereqs/Makefile
 delete mode 100644 prereqs/README.md
 delete mode 100644 prereqs/aesm/Makefile
 delete mode 100644 prereqs/isgx/Makefile
 delete mode 100644 prereqs/packages/Makefile

diff --git a/prereqs/Makefile b/prereqs/Makefile
deleted file mode 100644
index 48b4343aa0..0000000000
--- a/prereqs/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License.
-
-DIRS = packages isgx aesm
-
-define NL
-
-
-endef
-
-all:
-	$(foreach i, $(DIRS), $(MAKE) -C $(i) $(NL) )
-
-install:
-	$(foreach i, $(DIRS), $(MAKE) -C $(i) install $(NL) )
-
-uninstall:
-	$(foreach i, $(DIRS), $(MAKE) -C $(i) uninstall $(NL) )
-
-clean:
-	$(foreach i, $(DIRS), $(MAKE) -C $(i) clean $(NL) )
-
-distclean:
-	$(foreach i, $(DIRS), $(MAKE) -C $(i) distclean $(NL) )
diff --git a/prereqs/README.md b/prereqs/README.md
deleted file mode 100644
index 6d189443b2..0000000000
--- a/prereqs/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-prereqs
-=======
-
-This directory contains a makefile to build and install Open Enclave
-prerequisites, including:
-
-- Package dependencies
-
-- Intel(R) SGX driver
-
-- Intel(R) SGX AESM service
diff --git a/prereqs/aesm/Makefile b/prereqs/aesm/Makefile
deleted file mode 100644
index 71c195f7ef..0000000000
--- a/prereqs/aesm/Makefile
+++ /dev/null
@@ -1,171 +0,0 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License.
-
-.PHONY: sgx1
-
-##==============================================================================
-##
-## SDK_VERSION - get the version from the se_version.h file:
-##
-##==============================================================================
-
-define SDK_VERSION_SCRIPT
-grep "^#define STRFILEVER[ \t]" ./linux-sgx/common/inc/internal/se_version.h 2> /dev/null | sed "s/^#define STRFILEVER[ \t][ \t]*\"\(.*\)\"/\1/g"
-endef
-
-##==============================================================================
-##
-## build:
-##
-##==============================================================================
-
-#INSTALL_SDK=1
-
-build: .build
-
-.build:
-	$(MAKE) linux-sgx
-	$(MAKE) dynamic-application-loader-host-interface
-	$(MAKE) .prebuilt
-	$(MAKE) .sdk
-	rm -f ./linux-sgx/linux/installer/bin/sgx_linux_x64_sdk_*.bin
-	$(MAKE) .sdk_installer
-	rm -f ./linux-sgx/linux/installer/bin/sgx_linux_x64_psw_*.bin
-	$(MAKE) .psw_installer
-	$(MAKE) build-dynamic-application-loader-host-interface
-	touch .build
-
-linux-sgx:
-	git clone https://github.com/01org/linux-sgx
-
-dynamic-application-loader-host-interface:
-	git clone https://github.com/01org/dynamic-application-loader-host-interface
-
-.prebuilt:
-	( cd linux-sgx; ./download_prebuilt.sh )
-	touch .prebuilt
-
-.sdk:
-	$(MAKE) -C linux-sgx
-	touch .sdk
-
-.sdk_installer:
-	$(MAKE) -C linux-sgx sdk_install_pkg
-	touch .sdk_installer
-
-.psw_installer:
-	$(MAKE) -C linux-sgx psw_install_pkg
-	touch .psw_installer
-
-build-dynamic-application-loader-host-interface:
-	( cd dynamic-application-loader-host-interface; cmake . )
-	$(MAKE) -C dynamic-application-loader-host-interface
-
-##==============================================================================
-##
-## clean:
-##
-##==============================================================================
-
-clean: clean-linux-sdk clean-dynamic-application-loader-host-interface
-
-clean-linux-sdk:
-	-@ $(MAKE) -C linux-sgx clean
-	rm -f .sdk .build .sdk_installer .psw_installer
-
-clean-dynamic-application-loader-host-interface:
-	-@ $(MAKE) -C dynamic-application-loader-host-interface clean
-
-##==============================================================================
-##
-## distclean:
-##
-##==============================================================================
-
-distclean: clean
-	rm -rf linux-sgx
-	rm -rf dynamic-application-loader-host-interface
-	rm -f .prebuilt
-
-##==============================================================================
-##
-## install:
-##
-##==============================================================================
-
-ICLS_CLIENT_DEB=$(wildcard ./packages/iclsclient_*_amd64.deb)
-SDK_VERSION=$(shell $(SDK_VERSION_SCRIPT) )
-SDK_INSTALLER=./linux-sgx/linux/installer/bin/sgx_linux_x64_sdk_$(SDK_VERSION).bin
-PSW_INSTALLER=./linux-sgx/linux/installer/bin/sgx_linux_x64_psw_$(SDK_VERSION).bin
-
-install:
-	$(MAKE) stop
-	$(MAKE) install-sdk
-	$(MAKE) install-build-dynamic-application-loader-host-interface
-	$(MAKE) install-psw
-	$(MAKE) start
-
-install-sdk:
-ifdef INSTALL_SDK
-	$(MAKE) /opt/intel/sgxsdk
-endif
-
-/opt/intel/sgxsdk:
-	echo "y" >> /tmp/answers
-	echo "/opt/intel" >> /tmp/answers
-	$(SDK_INSTALLER) < /tmp/answers
-
-install-psw: /opt/intel/sgxpsw
-
-/opt/intel/sgxpsw:
-	$(PSW_INSTALLER)
-
-install-build-dynamic-application-loader-host-interface:
-	$(MAKE) -C dynamic-application-loader-host-interface install
-	( cd dynamic-application-loader-host-interface; systemctl enable jhi )
-
-install-icls-client:
-	dpkg -i $(ICLS_CLIENT_DEB)
-
-##==============================================================================
-##
-## uninstall:
-##
-##==============================================================================
-
-uninstall:
-	$(MAKE) -s stop
-	$(MAKE) -s uninstall-sdk
-	$(MAKE) -s uninstall-psw
-
-uninstall-sdk:
-	- /opt/intel/sgxsdk/uninstall.sh 2> /dev/null > /dev/null
-
-uninstall-psw:
-	- /opt/intel/sgxpsw/uninstall.sh 2> /dev/null > /dev/null
-
-##==============================================================================
-##
-## start-aesmd:
-## stop-aesmd:
-##
-##==============================================================================
-
-start:
-	service aesmd start
-
-stop:
-	-@ service aesmd stop 2> /dev/null > /dev/null
-
-status:
-	service aesmd status
-
-##==============================================================================
-##
-## sdk-version: print the SDK version:
-##
-##==============================================================================
-
-sdk-version:
-	@ echo $(SDK_VERSION)
-
diff --git a/prereqs/isgx/Makefile b/prereqs/isgx/Makefile
deleted file mode 100644
index 0983cc1404..0000000000
--- a/prereqs/isgx/Makefile
+++ /dev/null
@@ -1,102 +0,0 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License.
-
-all: linux-sgx-driver build
-
-build:
-	$(MAKE) -C linux-sgx-driver
-
-linux-sgx-driver:
-	git clone https://github.com/01org/linux-sgx-driver
-
-clean:
-	$(MAKE) -C linux-sgx-driver clean
-
-distclean:
-	rm -rf linux-sgx-driver
-
-##==============================================================================
-##
-## install:
-##
-##==============================================================================
-
-MODULE=$(wildcard ./linux-sgx-driver/isgx.ko)
-
-UNAME_R=$(shell uname -r)
-
-DIR=/lib/modules/$(UNAME_R)/kernel/drivers/intel/sgx
-
-DEV=$(wildcard /dev/isgx)
-
-RUNNING=$(shell lsmod | grep isgx)
-
-install:
-	$(MAKE) -s stop-aesm
-	$(MAKE) -s run-rmmod
-	$(MAKE) mkdir
-	$(MAKE) check-module
-	$(MAKE) check-device
-	$(MAKE) copy-module
-	$(MAKE) update-modules
-	$(MAKE) run-depmod
-	$(MAKE) run-modprobe
-	$(MAKE) check-running
-	$(MAKE) -s start-aesm
-
-stop-aesm:
-	-@ service aesmd stop 2> /dev/null > /dev/null
-
-start-aesm:
-	-@ service aesmd start 2> /dev/null > /dev/null
-
-run-rmmod:
-	-@ /sbin/rmmod isgx 2> /dev/null > /dev/null
-
-mkdir:
-	mkdir -p $(DIR)
-
-check-module:
-ifeq ($(MODULE),)
-	@ echo "*** Module not found: $(MODULE)"
-	@ exit 1
-endif
-
-check-device:
-ifneq ($(DEV),)
-	@ echo "*** Device already exists: {$(DEV)}"
-	@ exit 1
-endif
-
-copy-module:
-	cp $(MODULE) $(DIR)
-
-update-modules:
-	( cat /etc/modules | grep -Fxq isgx || echo isgx >> /etc/modules )
-
-run-depmod:
-	/sbin/depmod
-
-run-modprobe:
-	/sbin/modprobe isgx
-
-check-running:
-ifeq ($(RUNNING),)
-	@ echo "*** Failed to start driver: isgx not found by lsmod"
-	@ exit 1
-endif
-ifeq ($(DEV),)
-	@ echo "*** Failed to start driver: /dev/isgx does not exist"
-	@ exit 1
-endif
-
-##==============================================================================
-##
-## uninstall:
-##
-##==============================================================================
-
-uninstall:
-	$(MAKE) -s stop-aesm
-	$(MAKE) -s run-rmmod
-
diff --git a/prereqs/packages/Makefile b/prereqs/packages/Makefile
deleted file mode 100644
index 5210dfcc79..0000000000
--- a/prereqs/packages/Makefile
+++ /dev/null
@@ -1,45 +0,0 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License.
-
-# Packages needed for building AESM and ISGX driver
-PACKAGES=build-essential \
-	ocaml \
-	automake \
-	autoconf \
-	libtool \
-	wget \
-	python \
-	libssl-dev \
-	libcurl4-openssl-dev \
-	protobuf-compiler \
-	libprotobuf-dev \
-	build-essential \
-	python \
-	libssl-dev \
-	libcurl4-openssl-dev \
-	libprotobuf-dev \
-	uuid-dev \
-	libxml2-dev \
-	cmake \
-	pkg-config \
-	subversion \
-	cloc \
-	libexpat1 \
-	libexpat1-dev \
-	ccache \
-	libsystemd-dev
-
-all: .packages
-
-.packages:
-	apt-get -y install $(PACKAGES)
-	touch .packages
-
-clean:
-
-distclean:
-	rm -f .packages
-
-install:
-
-uninstall:

From 87cb4927c27d04c65fe0161d5d5a1c6f46885795 Mon Sep 17 00:00:00 2001
From: Vikas Tikoo <vitikoo@microsoft.com>
Date: Fri, 20 Sep 2019 21:59:23 +0000
Subject: [PATCH 050/420] add newline

---
 scripts/ansible/oe-contributors-setup-sgx1.yml      | 2 +-
 scripts/ansible/roles/linux/intel/defaults/main.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/ansible/oe-contributors-setup-sgx1.yml b/scripts/ansible/oe-contributors-setup-sgx1.yml
index 515a91cae2..6ca7fc673e 100644
--- a/scripts/ansible/oe-contributors-setup-sgx1.yml
+++ b/scripts/ansible/oe-contributors-setup-sgx1.yml
@@ -18,4 +18,4 @@
         name: linux/intel
         tasks_from: sgx-packages.yml
   vars:
-    flc_enabled: false
\ No newline at end of file
+    flc_enabled: false
diff --git a/scripts/ansible/roles/linux/intel/defaults/main.yml b/scripts/ansible/roles/linux/intel/defaults/main.yml
index 7ab721aa3b..34570068dc 100644
--- a/scripts/ansible/roles/linux/intel/defaults/main.yml
+++ b/scripts/ansible/roles/linux/intel/defaults/main.yml
@@ -2,4 +2,4 @@
 # Licensed under the MIT License.
 
 ---
-flc_enabled: true
\ No newline at end of file
+flc_enabled: true

From 86090e0db78fc956d6d87f5f8f8d623c1239e1f7 Mon Sep 17 00:00:00 2001
From: Vikas Tikoo <vitikoo@microsoft.com>
Date: Fri, 20 Sep 2019 22:03:18 +0000
Subject: [PATCH 051/420] use correct packages variable for dcap packages
 installation

---
 scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml b/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml
index de7efb5ac0..0379955adb 100644
--- a/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml
+++ b/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml
@@ -36,7 +36,7 @@
 
 - name: Install the Intel DCAP packages
   apt:
-    name: "{{ intel_sgx_packages }}"
+    name: "{{ intel_dcap_packages }}"
     state: present
     update_cache: yes
     install_recommends: no

From 9f77b71c8d86d2a26ea4a569b54b7a3fc934033c Mon Sep 17 00:00:00 2001
From: Vikas Tikoo <vitikoo@microsoft.com>
Date: Wed, 25 Sep 2019 23:31:18 +0000
Subject: [PATCH 052/420] rename temporary driver file to version agnostic name

---
 scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml b/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml
index 5316774127..ed2dd755d2 100644
--- a/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml
+++ b/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml
@@ -30,7 +30,7 @@
 - name: Download Intel SGX DCAP Driver
   get_url:
     url: "{{intel_sgx_w_flc_driver_url}}"
-    dest: /tmp/sgx_linux_x64_driver_dcap.bin
+    dest: /tmp/sgx_linux_x64_driver.bin
     mode: 0755
     timeout: 120
   retries: 3
@@ -39,18 +39,18 @@
 - name: Download Intel SGX1 Driver
   get_url:
     url: "{{intel_sgx1_driver_url}}"
-    dest: /tmp/sgx_linux_x64_driver_dcap.bin
+    dest: /tmp/sgx_linux_x64_driver.bin
     mode: 0755
     timeout: 120
   retries: 3
   when: not flc_enabled|bool
 
 - name: Install the Intel SGX DCAP Driver
-  command: /tmp/sgx_linux_x64_driver_dcap.bin
+  command: /tmp/sgx_linux_x64_driver.bin
 
 - name: Remove the Intel SGX DCAP Driver installer
   file:
-    path: /tmp/sgx_linux_x64_driver_dcap.bin
+    path: /tmp/sgx_linux_x64_driver.bin
     state: absent
 
 - name: Ensure aesmd service running

From b5f77eb8a1c528d7260c30aaeca6b938aa0044dc Mon Sep 17 00:00:00 2001
From: Vikas Tikoo <vitikoo@microsoft.com>
Date: Mon, 30 Sep 2019 20:36:08 +0000
Subject: [PATCH 053/420] keep prereqs around as windows builds depend on its
 existence for copying packages

---
 prereqs/README.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 prereqs/README.md

diff --git a/prereqs/README.md b/prereqs/README.md
new file mode 100644
index 0000000000..f9c9643f42
--- /dev/null
+++ b/prereqs/README.md
@@ -0,0 +1 @@
+This is a placeholder file specifically to keep this directory's existence around until we no longer expect NuGet packages to be installed to this directory.
\ No newline at end of file

From 0772300f3cd285236acbe005e29ed6656b7f2fec Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Mon, 30 Sep 2019 22:32:23 +0000
Subject: [PATCH 054/420] Address PR feedback: Remove --experimental flag

- Switchless ocalls are supported by edger8r
- Switchless ecalls are unsupported and edger8r will error out.
---
 samples/switchless/README.md                      |  4 +---
 samples/switchless/enclave/CMakeLists.txt         |  2 +-
 samples/switchless/enclave/Makefile               |  2 +-
 samples/switchless/host/CMakeLists.txt            |  2 +-
 samples/switchless/host/Makefile                  |  2 +-
 tests/oeedger8r/behavior/CMakeLists.txt           |  2 +-
 tests/oeedger8r/behavior/switchless_untrusted.edl |  9 ---------
 tests/oeedger8r/edl/switchless.edl                |  3 +--
 tests/oeedger8r/enc/testswitchless.cpp            | 10 ----------
 tests/oeedger8r/host/main.cpp                     |  2 --
 tests/oeedger8r/host/testswitchless.cpp           | 11 -----------
 tests/switchless/CMakeLists.txt                   |  2 --
 tests/switchless/enc/CMakeLists.txt               | 12 ++----------
 tests/switchless/host/CMakeLists.txt              | 12 ++----------
 tests/switchless_threads/CMakeLists.txt           |  4 +---
 tests/switchless_threads/enc/CMakeLists.txt       | 12 ++----------
 tests/switchless_threads/host/CMakeLists.txt      | 12 ++----------
 tools/oeedger8r/Emitter.ml                        | 11 +++--------
 18 files changed, 19 insertions(+), 95 deletions(-)
 delete mode 100644 tests/oeedger8r/behavior/switchless_untrusted.edl

diff --git a/samples/switchless/README.md b/samples/switchless/README.md
index e7fe10cad9..6fdde7f207 100644
--- a/samples/switchless/README.md
+++ b/samples/switchless/README.md
@@ -108,11 +108,9 @@ directories from their Makefiles. For example:
 
 ```bash
 cd host
-oeedger8r ../switchless.edl --untrusted --experimental
+oeedger8r ../switchless.edl --untrusted
 ```
 
-`oeedger8r` needs the command line flag `--experimental` to be able to recognize the keyword `transition_using_threads`.
-
 ## About the host
 
 The host first defines a structure specifically for configuring switchless calls. In this case, we specify the
diff --git a/samples/switchless/enclave/CMakeLists.txt b/samples/switchless/enclave/CMakeLists.txt
index 51770083ef..2549868fef 100644
--- a/samples/switchless/enclave/CMakeLists.txt
+++ b/samples/switchless/enclave/CMakeLists.txt
@@ -4,7 +4,7 @@
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT switchless_t.h switchless_t.c switchless_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/switchless.edl
-  COMMAND openenclave::oeedger8r --experimental --trusted ${CMAKE_SOURCE_DIR}/switchless.edl)
+  COMMAND openenclave::oeedger8r --trusted ${CMAKE_SOURCE_DIR}/switchless.edl)
 
 add_executable(enclave enc.c ${CMAKE_CURRENT_BINARY_DIR}/switchless_t.c)
 
diff --git a/samples/switchless/enclave/Makefile b/samples/switchless/enclave/Makefile
index 2fb5e4121f..c943748e67 100644
--- a/samples/switchless/enclave/Makefile
+++ b/samples/switchless/enclave/Makefile
@@ -24,7 +24,7 @@ all:
 
 build:
 	@ echo "Compilers used: $(CC), $(CXX)"
-	oeedger8r ../switchless.edl --trusted --experimental
+	oeedger8r ../switchless.edl --trusted
 	$(CC) -g -c $(CFLAGS) -DOE_API_VERSION=2 enc.c -o enc.o
 	$(CC) -g -c $(CFLAGS) -DOE_API_VERSION=2 switchless_t.c -o switchless_t.o
 	$(CC) -o switchlessenc switchless_t.o enc.o $(LDFLAGS)
diff --git a/samples/switchless/host/CMakeLists.txt b/samples/switchless/host/CMakeLists.txt
index 79ba9764e2..407ad4c1e0 100644
--- a/samples/switchless/host/CMakeLists.txt
+++ b/samples/switchless/host/CMakeLists.txt
@@ -3,7 +3,7 @@
 
 add_custom_command(OUTPUT switchless_u.h switchless_u.c switchless_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/switchless.edl
-  COMMAND openenclave::oeedger8r --experimental --untrusted ${CMAKE_SOURCE_DIR}/switchless.edl)
+  COMMAND openenclave::oeedger8r --untrusted ${CMAKE_SOURCE_DIR}/switchless.edl)
 
 add_executable(switchless_host host.c ${CMAKE_CURRENT_BINARY_DIR}/switchless_u.c)
 
diff --git a/samples/switchless/host/Makefile b/samples/switchless/host/Makefile
index cceb1a40e5..b9780c6378 100644
--- a/samples/switchless/host/Makefile
+++ b/samples/switchless/host/Makefile
@@ -19,7 +19,7 @@ LDFLAGS=$(shell pkg-config oehost-$(COMPILER) --libs)
 
 build:
 	@ echo "Compilers used: $(CC), $(CXX)"
-	oeedger8r ../switchless.edl --untrusted --experimental
+	oeedger8r ../switchless.edl --untrusted
 	$(CC) -g -c $(CFLAGS) host.c
 	$(CC) -g -c $(CFLAGS) switchless_u.c
 	$(CC) -o switchlesshost switchless_u.o host.o $(LDFLAGS)
diff --git a/tests/oeedger8r/behavior/CMakeLists.txt b/tests/oeedger8r/behavior/CMakeLists.txt
index eb9221d265..6df0644a13 100644
--- a/tests/oeedger8r/behavior/CMakeLists.txt
+++ b/tests/oeedger8r/behavior/CMakeLists.txt
@@ -18,7 +18,7 @@ set_tests_properties(edger8r_allow_list_warning PROPERTIES
 # as the first instance is found.
 add_test(NAME edger8r_switchless_trusted_warning COMMAND edger8r ${EDGER8R_ARGS} switchless_trusted.edl)
 set_tests_properties(edger8r_switchless_trusted_warning PROPERTIES
-  PASS_REGULAR_EXPRESSION "error: Function 'foo': switchless ecalls are not yet supported by Open Enclave SDK.")
+  PASS_REGULAR_EXPRESSION "error: Function 'foo': trusted switchless ecalls are not yet supported by Open Enclave SDK.")
 
 # These need to be separate tests to ensure that each type, for both
 # trusted and untrusted functions, generate the appropriate warning,
diff --git a/tests/oeedger8r/behavior/switchless_untrusted.edl b/tests/oeedger8r/behavior/switchless_untrusted.edl
deleted file mode 100644
index 1226540a8f..0000000000
--- a/tests/oeedger8r/behavior/switchless_untrusted.edl
+++ /dev/null
@@ -1,9 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-enclave {
-    untrusted {
-        // Switchless functions not supported.
-        void switchless() transition_using_threads;
-    };
-};
diff --git a/tests/oeedger8r/edl/switchless.edl b/tests/oeedger8r/edl/switchless.edl
index afccbf8862..4c28af03ba 100644
--- a/tests/oeedger8r/edl/switchless.edl
+++ b/tests/oeedger8r/edl/switchless.edl
@@ -3,8 +3,7 @@
 
 enclave {
   trusted {
-    public int ecall_sum(int a, int b);
-    public int switchless_ecall_sum(int a, int b) transition_using_threads;
+    // OE SDK does not support trusted switchless ecalls.
 
     public void test_switchless_edl_ocalls();
   };
diff --git a/tests/oeedger8r/enc/testswitchless.cpp b/tests/oeedger8r/enc/testswitchless.cpp
index e4ce6b9408..32994bff68 100644
--- a/tests/oeedger8r/enc/testswitchless.cpp
+++ b/tests/oeedger8r/enc/testswitchless.cpp
@@ -16,13 +16,3 @@ void test_switchless_edl_ocalls()
 
     printf("=== test_switchless_edl_ocalls passed\n");
 }
-
-int ecall_sum(int a, int b)
-{
-    return a + b;
-}
-
-int switchless_ecall_sum(int a, int b)
-{
-    return a + b;
-}
diff --git a/tests/oeedger8r/host/main.cpp b/tests/oeedger8r/host/main.cpp
index 6013a66de9..c901edbee4 100644
--- a/tests/oeedger8r/host/main.cpp
+++ b/tests/oeedger8r/host/main.cpp
@@ -24,7 +24,6 @@ void test_enum_edl_ecalls(oe_enclave_t* enclave);
 void test_foreign_edl_ecalls(oe_enclave_t* enclave);
 void test_other_edl_ecalls(oe_enclave_t* enclave);
 void test_deepcopy_edl_ecalls(oe_enclave_t* enclave);
-void test_switchless_edl_ecalls(oe_enclave_t* enclave);
 
 int main(int argc, const char* argv[])
 {
@@ -98,7 +97,6 @@ int main(int argc, const char* argv[])
 
     test_deepcopy_edl_ecalls(enclave);
 
-    test_switchless_edl_ecalls(enclave);
     OE_TEST(test_switchless_edl_ocalls(enclave) == OE_OK);
 done:
     oe_terminate_enclave(enclave);
diff --git a/tests/oeedger8r/host/testswitchless.cpp b/tests/oeedger8r/host/testswitchless.cpp
index 55f33b8b26..e1414c54a9 100644
--- a/tests/oeedger8r/host/testswitchless.cpp
+++ b/tests/oeedger8r/host/testswitchless.cpp
@@ -6,17 +6,6 @@
 
 #include "all_u.h"
 
-void test_switchless_edl_ecalls(oe_enclave_t* enclave)
-{
-    int c = 0;
-    OE_TEST(ecall_sum(enclave, &c, 5, 6) == OE_OK);
-
-    // Switchless calls are not yet implemented
-    OE_TEST(switchless_ecall_sum(enclave, &c, 5, 6) == OE_UNSUPPORTED);
-
-    printf("=== test_switchless_edl_ecalls passed\n");
-}
-
 int ocall_sum(int a, int b)
 {
     return a + b;
diff --git a/tests/switchless/CMakeLists.txt b/tests/switchless/CMakeLists.txt
index b07a753795..95288c90cc 100644
--- a/tests/switchless/CMakeLists.txt
+++ b/tests/switchless/CMakeLists.txt
@@ -1,8 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-add_custom_target(switchless_gen DEPENDS switchless_enc_gen switchless_host_gen)
-
 add_subdirectory(host)
 
 if (BUILD_ENCLAVES)
diff --git a/tests/switchless/enc/CMakeLists.txt b/tests/switchless/enc/CMakeLists.txt
index d60a56b861..750896937d 100644
--- a/tests/switchless/enc/CMakeLists.txt
+++ b/tests/switchless/enc/CMakeLists.txt
@@ -1,17 +1,9 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-add_custom_command(
-  OUTPUT switchless_t.h switchless_t.c switchless_args.h
-  DEPENDS
-  edger8r
-  ../switchless.edl
-  COMMAND edger8r --experimental --trusted --search-path ${CMAKE_CURRENT_SOURCE_DIR}/.. switchless.edl)
+oeedl_file(../switchless.edl enclave gen)
 
-# Dummy target used for generating from EDL on demand.
-add_custom_target(switchless_enc_gen DEPENDS switchless_t.h switchless_t.c switchless_args.h)
-
-add_enclave(TARGET switchless_enc UUID d497e154-9e8e-4029-a53d-c0a36533fb95 SOURCES enc.c switchless_t.c)
+add_enclave(TARGET switchless_enc UUID d497e154-9e8e-4029-a53d-c0a36533fb95 SOURCES enc.c ${gen})
 
 target_include_directories(switchless_enc PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
 target_link_libraries(switchless_enc oelibc)
diff --git a/tests/switchless/host/CMakeLists.txt b/tests/switchless/host/CMakeLists.txt
index bd9dcd8019..e38d76b2ae 100644
--- a/tests/switchless/host/CMakeLists.txt
+++ b/tests/switchless/host/CMakeLists.txt
@@ -1,17 +1,9 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-add_custom_command(
-  OUTPUT switchless_u.h switchless_u.c switchless_args.h
-  DEPENDS
-  edger8r
-  ../switchless.edl
-  COMMAND edger8r --experimental --untrusted --search-path ${CMAKE_CURRENT_SOURCE_DIR}/.. switchless.edl)
+oeedl_file(../switchless.edl host gen)
 
-# Dummy target used for generating from EDL on demand.
-add_custom_target(switchless_host_gen DEPENDS switchless_u.h switchless_u.c switchless_args.h)
-
-add_executable(switchless_host host.c switchless_u.c)
+add_executable(switchless_host host.c ${gen})
 
 target_include_directories(switchless_host PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
 target_link_libraries(switchless_host oehostapp)
diff --git a/tests/switchless_threads/CMakeLists.txt b/tests/switchless_threads/CMakeLists.txt
index 3627f2c6ce..5036738e91 100644
--- a/tests/switchless_threads/CMakeLists.txt
+++ b/tests/switchless_threads/CMakeLists.txt
@@ -1,12 +1,10 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-add_custom_target(switchless_threads_gen DEPENDS switchless_threads_enc_gen switchless_threads_host_gen)
-
 add_subdirectory(host)
 
 if (BUILD_ENCLAVES)
 	add_subdirectory(enc)
 endif()
 
-add_enclave_test(tests/switchless_threads switchless_threads_host switchless_threads_enc)
\ No newline at end of file
+add_enclave_test(tests/switchless_threads switchless_threads_host switchless_threads_enc)
diff --git a/tests/switchless_threads/enc/CMakeLists.txt b/tests/switchless_threads/enc/CMakeLists.txt
index b6f6895238..2d5fd8f606 100644
--- a/tests/switchless_threads/enc/CMakeLists.txt
+++ b/tests/switchless_threads/enc/CMakeLists.txt
@@ -1,17 +1,9 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-add_custom_command(
-  OUTPUT switchless_threads_t.h switchless_threads_t.c switchless_threads_args.h
-  DEPENDS
-  edger8r
-  ../switchless_threads.edl
-  COMMAND edger8r --experimental --trusted --search-path ${CMAKE_CURRENT_SOURCE_DIR}/.. switchless_threads.edl)
+oeedl_file(../switchless_threads.edl enclave gen)
 
-# Dummy target used for generating from EDL on demand.
-add_custom_target(switchless_threads_enc_gen DEPENDS switchless_threads_t.h switchless_threads_t.c switchless_threads_args.h)
-
-add_enclave(TARGET switchless_threads_enc UUID 6e818629-0ce7-46cd-822a-6c7e081fc68b SOURCES enc.c switchless_threads_t.c)
+add_enclave(TARGET switchless_threads_enc UUID 6e818629-0ce7-46cd-822a-6c7e081fc68b SOURCES enc.c ${gen})
 
 target_include_directories(switchless_threads_enc PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
 target_link_libraries(switchless_threads_enc oelibc)
diff --git a/tests/switchless_threads/host/CMakeLists.txt b/tests/switchless_threads/host/CMakeLists.txt
index 99f3d8b81e..9ba1523c36 100644
--- a/tests/switchless_threads/host/CMakeLists.txt
+++ b/tests/switchless_threads/host/CMakeLists.txt
@@ -1,17 +1,9 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-add_custom_command(
-  OUTPUT switchless_threads_u.h switchless_threads_u.c switchless_threads_args.h
-  DEPENDS
-  edger8r
-  ../switchless_threads.edl
-  COMMAND edger8r --experimental --untrusted --search-path ${CMAKE_CURRENT_SOURCE_DIR}/.. switchless_threads.edl)
+oeedl_file(../switchless_threads.edl host gen)
 
-# Dummy target used for generating from EDL on demand.
-add_custom_target(switchless_threads_host_gen DEPENDS switchless_threads_u.h switchless_threads_u.c switchless_threads_args.h)
-
-add_executable(switchless_threads_host host.c switchless_threads_u.c)
+add_executable(switchless_threads_host host.c ${gen})
 
 target_include_directories(switchless_threads_host PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
 target_link_libraries(switchless_threads_host oehostapp)
diff --git a/tools/oeedger8r/Emitter.ml b/tools/oeedger8r/Emitter.ml
index 76e0d71e1c..e9c1fd3364 100644
--- a/tools/oeedger8r/Emitter.ml
+++ b/tools/oeedger8r/Emitter.ml
@@ -472,9 +472,9 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
         failwithf
           "Function '%s': 'private' specifier is not supported by oeedger8r"
           f.tf_fdecl.fname ;
-      if f.tf_is_switchless && not ep.experimental then
+      if f.tf_is_switchless then
         failwithf
-          "Function '%s': switchless ecalls are not yet supported \
+          "Function '%s': trusted switchless ecalls are not yet supported \
            by Open Enclave SDK."
           f.tf_fdecl.fname )
     tfs ;
@@ -493,12 +493,7 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
         printf
           "Warning: Function '%s': Reentrant ocalls are not supported by Open \
            Enclave. Allow list ignored.\n"
-          f.uf_fdecl.fname ;
-      if f.uf_is_switchless && not ep.experimental then
-        failwithf
-          "Function '%s': switchless ocalls are not yet supported \
-           by Open Enclave SDK."
-           f.uf_fdecl.fname )
+          f.uf_fdecl.fname)
     ufs ;
   (* Map warning functions over trusted and untrusted function
      declarations *)

From b9d8ff75429ddf48b55ad7c89d4fc1d7700aa116 Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Mon, 30 Sep 2019 22:59:41 +0000
Subject: [PATCH 055/420] Address PR feedback: Rename config type

---
 include/openenclave/host.h           | 7 ++++---
 samples/switchless/README.md         | 2 +-
 samples/switchless/host/host.c       | 2 +-
 tests/create-errors/host/host.c      | 2 +-
 tests/switchless/host/host.c         | 2 +-
 tests/switchless_threads/host/host.c | 2 +-
 6 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/include/openenclave/host.h b/include/openenclave/host.h
index c5bf4cc045..607b720083 100644
--- a/include/openenclave/host.h
+++ b/include/openenclave/host.h
@@ -76,7 +76,7 @@ typedef enum _oe_enclave_config_type
 /**
  * The configuration for context-switchless calls.
  */
-typedef struct _oe_enclave_config_context_switchless
+typedef struct _oe_enclave_setting_context_switchless
 {
     /**
      * The max number of worker threads for context-switchless ocalls.
@@ -89,7 +89,7 @@ typedef struct _oe_enclave_config_context_switchless
      * workers should be 0.
      */
     size_t max_enclave_workers;
-} oe_enclave_config_context_switchless_t;
+} oe_enclave_setting_context_switchless_t;
 
 /**
  * The uniform structure type containing a specific type of enclave
@@ -106,7 +106,8 @@ typedef struct _oe_enclave_config
      * context-switchless calls.
      */
     union {
-        const oe_enclave_config_context_switchless_t* context_switchless_config;
+        const oe_enclave_setting_context_switchless_t*
+            context_switchless_config;
         /* Add new configuration types here. */
     } u;
 } oe_enclave_config_t;
diff --git a/samples/switchless/README.md b/samples/switchless/README.md
index 6fdde7f207..deb1ab39fc 100644
--- a/samples/switchless/README.md
+++ b/samples/switchless/README.md
@@ -120,7 +120,7 @@ so we use 1 as explained above. The 2nd field specifies the number of enclave th
 Since switchless ECALL is not yet implemented, we require the 2nd field to be `0`.
 
 ```c
-oe_enclave_config_context_switchless_t config = {1, 0};
+oe_enclave_setting_context_switchless_t config = {1, 0};
 ```
 
 The host then puts the structure address and the configuration type in an array of configurations for the enclave
diff --git a/samples/switchless/host/host.c b/samples/switchless/host/host.c
index f4c5edb052..f0af503f7d 100644
--- a/samples/switchless/host/host.c
+++ b/samples/switchless/host/host.c
@@ -52,7 +52,7 @@ int main(int argc, const char* argv[])
     }
 
     // Enable switchless and configure host worker number
-    oe_enclave_config_context_switchless_t config = {1, 0};
+    oe_enclave_setting_context_switchless_t config = {1, 0};
     oe_enclave_config_t configs[] = {{
         .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
         .u.context_switchless_config = &config,
diff --git a/tests/create-errors/host/host.c b/tests/create-errors/host/host.c
index 7b0dc3af69..3e44afb6af 100644
--- a/tests/create-errors/host/host.c
+++ b/tests/create-errors/host/host.c
@@ -14,7 +14,7 @@ static void _test_invalid_param(const char* path, uint32_t flags)
     oe_enclave_t* enclave = NULL;
 
     oe_enclave_config_t invalid_config = {0, {NULL}};
-    oe_enclave_config_context_switchless_t config = {2, 0};
+    oe_enclave_setting_context_switchless_t config = {2, 0};
     oe_enclave_config_t configs[] = {{
         .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
         .u.context_switchless_config = &config,
diff --git a/tests/switchless/host/host.c b/tests/switchless/host/host.c
index da8bb8c0d6..a6389bbd7d 100644
--- a/tests/switchless/host/host.c
+++ b/tests/switchless/host/host.c
@@ -74,7 +74,7 @@ int main(int argc, const char* argv[])
     const uint32_t flags = oe_get_create_flags();
 
     // Enable switchless and configure host worker number
-    oe_enclave_config_context_switchless_t config = {1, 0};
+    oe_enclave_setting_context_switchless_t config = {1, 0};
     oe_enclave_config_t configs[] = {{
         .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
         .u.context_switchless_config = &config,
diff --git a/tests/switchless_threads/host/host.c b/tests/switchless_threads/host/host.c
index 8800545910..e81ea2f941 100644
--- a/tests/switchless_threads/host/host.c
+++ b/tests/switchless_threads/host/host.c
@@ -107,7 +107,7 @@ int main(int argc, const char* argv[])
     const uint32_t flags = oe_get_create_flags();
 
     // Enable switchless and configure host worker number
-    oe_enclave_config_context_switchless_t config = {2, 0};
+    oe_enclave_setting_context_switchless_t config = {2, 0};
     oe_enclave_config_t configs[] = {{
         .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
         .u.context_switchless_config = &config,

From c6774dfff791f56e21a3b96e4d2003768f16a77b Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Tue, 1 Oct 2019 00:08:02 +0000
Subject: [PATCH 056/420] Address PR feedback: Consistently rename config to
 setting

---
 host/sgx/create.c                    | 29 +++++++++++-----------
 include/openenclave/host.h           | 36 ++++++++++++++--------------
 samples/switchless/README.md         | 22 ++++++++---------
 samples/switchless/host/host.c       | 12 +++++-----
 tests/create-errors/host/host.c      | 16 ++++++-------
 tests/switchless/host/host.c         | 13 +++++-----
 tests/switchless_threads/host/host.c | 13 +++++-----
 tools/oeedger8r/Emitter.ml           | 12 +++++-----
 8 files changed, 76 insertions(+), 77 deletions(-)

diff --git a/host/sgx/create.c b/host/sgx/create.c
index 42c15f5d1a..acbdc215fb 100644
--- a/host/sgx/create.c
+++ b/host/sgx/create.c
@@ -405,27 +405,28 @@ static oe_result_t _initialize_enclave(oe_enclave_t* enclave)
 /*
 ** _config_enclave()
 **
-** Config the enclave with an array of configurations.
+** Config the enclave with an array of settings.
 */
 
 static oe_result_t _configure_enclave(
     oe_enclave_t* enclave,
-    const oe_enclave_config_t* configs,
-    uint32_t config_count)
+    const oe_enclave_setting_t* settings,
+    uint32_t setting_count)
 {
     oe_result_t result = OE_UNEXPECTED;
 
-    for (uint32_t i = 0; i < config_count; i++)
+    for (uint32_t i = 0; i < setting_count; i++)
     {
-        switch (configs[i].config_type)
+        switch (settings[i].setting_type)
         {
             // Configure the switchless ocalls, such as the number of workers.
-            case OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS:
+            case OE_ENCLAVE_SETTING_CONTEXT_SWITCHLESS:
             {
                 size_t max_host_workers =
-                    configs[i].u.context_switchless_config->max_host_workers;
+                    settings[i].u.context_switchless_setting->max_host_workers;
                 size_t max_enclave_workers =
-                    configs[i].u.context_switchless_config->max_enclave_workers;
+                    settings[i]
+                        .u.context_switchless_setting->max_enclave_workers;
 
                 // Switchless ecalls are not enabled yet. Make sure the max
                 // number of enclave workers is always 0.
@@ -689,8 +690,8 @@ oe_result_t oe_create_enclave(
     const char* enclave_path,
     oe_enclave_type_t enclave_type,
     uint32_t flags,
-    const oe_enclave_config_t* configs,
-    uint32_t config_count,
+    const oe_enclave_setting_t* settings,
+    uint32_t setting_count,
     const oe_ocall_func_t* ocall_table,
     uint32_t ocall_count,
     oe_enclave_t** enclave_out)
@@ -708,8 +709,8 @@ oe_result_t oe_create_enclave(
     if (!enclave_path || !enclave_out ||
         ((enclave_type != OE_ENCLAVE_TYPE_SGX) &&
          (enclave_type != OE_ENCLAVE_TYPE_AUTO)) ||
-        (config_count > 0 && configs == NULL) ||
-        (config_count == 0 && configs != NULL) ||
+        (setting_count > 0 && settings == NULL) ||
+        (setting_count == 0 && settings != NULL) ||
         (flags & OE_ENCLAVE_FLAG_RESERVED))
         OE_RAISE(OE_INVALID_PARAMETER);
 
@@ -799,8 +800,8 @@ oe_result_t oe_create_enclave(
     /* Invoke enclave initialization. */
     OE_CHECK(_initialize_enclave(enclave));
 
-    /* Apply the list of configurations to the enclave */
-    OE_CHECK(_configure_enclave(enclave, configs, config_count));
+    /* Apply the list of settings to the enclave */
+    OE_CHECK(_configure_enclave(enclave, settings, setting_count));
 
     /* Setup logging configuration */
     oe_log_enclave_init(enclave);
diff --git a/include/openenclave/host.h b/include/openenclave/host.h
index 607b720083..3a3e0eb165 100644
--- a/include/openenclave/host.h
+++ b/include/openenclave/host.h
@@ -66,15 +66,15 @@ typedef void (*oe_ocall_func_t)(
     size_t* output_bytes_written);
 
 /**
- * Types of configurations passed into **oe_create_enclave**
+ * Types of settings passed into **oe_create_enclave**
  */
-typedef enum _oe_enclave_config_type
+typedef enum _oe_enclave_setting_type
 {
-    OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS = 0xdc73a628,
-} oe_enclave_config_type_t;
+    OE_ENCLAVE_SETTING_CONTEXT_SWITCHLESS = 0xdc73a628,
+} oe_enclave_setting_type_t;
 
 /**
- * The configuration for context-switchless calls.
+ * The setting for context-switchless calls.
  */
 typedef struct _oe_enclave_setting_context_switchless
 {
@@ -93,24 +93,24 @@ typedef struct _oe_enclave_setting_context_switchless
 
 /**
  * The uniform structure type containing a specific type of enclave
- * configuration.
+ * setting.
  */
-typedef struct _oe_enclave_config
+typedef struct _oe_enclave_setting
 {
     /**
-     * The type of the configuration in **u**
+     * The type of the setting in **u**
      */
-    oe_enclave_config_type_t config_type;
+    oe_enclave_setting_type_t setting_type;
     /**
-     * The specific configuration for the enclave, such as configuring
+     * The specific setting for the enclave, such as for configuring
      * context-switchless calls.
      */
     union {
         const oe_enclave_setting_context_switchless_t*
-            context_switchless_config;
-        /* Add new configuration types here. */
+            context_switchless_setting;
+        /* Add new setting types here. */
     } u;
-} oe_enclave_config_t;
+} oe_enclave_setting_t;
 
 /**
  * Create an enclave from an enclave image file.
@@ -131,10 +131,10 @@ typedef struct _oe_enclave_config
  *     - OE_ENCLAVE_FLAG_DEBUG - runs the enclave in debug mode.
  *                               DO NOT SHIP CODE with this flag
  *
- * @param configs Array of additional enclave creation configurations for
- * the specific enclave type.
+ * @param settings Array of additional enclave creation settings for the
+ * specific enclave type.
  *
- * @param config_count The number of configurations in the **configs**.
+ * @param setting_count The number of settings in the **settings**.
  *
  * @param ocall_table Pointer to table of ocall functions generated by
  * oeedger8r.
@@ -150,8 +150,8 @@ oe_result_t oe_create_enclave(
     const char* path,
     oe_enclave_type_t type,
     uint32_t flags,
-    const oe_enclave_config_t* configs,
-    uint32_t config_count,
+    const oe_enclave_setting_t* settings,
+    uint32_t setting_count,
     const oe_ocall_func_t* ocall_table,
     uint32_t ocall_count,
     oe_enclave_t** enclave);
diff --git a/samples/switchless/README.md b/samples/switchless/README.md
index deb1ab39fc..9686285dd8 100644
--- a/samples/switchless/README.md
+++ b/samples/switchless/README.md
@@ -88,7 +88,7 @@ enclave {
     trusted {
         public void enclave_add_N_switchless([in, out] int* m, int n);
         public void enclave_add_N_regular([in, out] int* m, int n);
-    };
+    };t
 
     untrusted {
         void host_increment_switchless([in, out] int* m) transition_using_threads;
@@ -120,21 +120,21 @@ so we use 1 as explained above. The 2nd field specifies the number of enclave th
 Since switchless ECALL is not yet implemented, we require the 2nd field to be `0`.
 
 ```c
-oe_enclave_setting_context_switchless_t config = {1, 0};
+oe_enclave_setting_context_switchless_t switchless_setting = {1, 0};
 ```
 
-The host then puts the structure address and the configuration type in an array of configurations for the enclave
-to be created. Even though we only have one configuration (for switchless) for the enclave, we'd like the
-flexibility of adding more than one configuration (with different types) for an enclave in the future.
+The host then puts the structure address and the setting type in an array of settings for the enclave
+to be created. Even though we only have one setting (for switchless) for the enclave, we'd like the
+flexibility of adding more than one setting (with different types) for an enclave in the future.
 
 ```c
-oe_enclave_config_t configs[] = {{
-        .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
-        .u.context_switchless_config = &config,
+oe_enclave_setting_t settings[] = {{
+        .setting_type = OE_ENCLAVE_SETTING_CONTEXT_SWITCHLESS,
+        .u.context_switchless_setting = &setting,
     }};
 ```
 
-To make the configurations created above effective, we need to pass the array `configs` into `oe_create_enclave`
+To make the settings created above effective, we need to pass the array `settingss` into `oe_create_enclave`
 in the following way:
 
 ```c
@@ -142,8 +142,8 @@ oe_create_switchless_enclave(
              argv[1],
              OE_ENCLAVE_TYPE_SGX,
              flags,
-             configs,
-             OE_COUNTOF(configs),
+             settings,
+             OE_COUNTOF(settings),
              &enclave);
 ```
 
diff --git a/samples/switchless/host/host.c b/samples/switchless/host/host.c
index f0af503f7d..df8e657748 100644
--- a/samples/switchless/host/host.c
+++ b/samples/switchless/host/host.c
@@ -52,18 +52,18 @@ int main(int argc, const char* argv[])
     }
 
     // Enable switchless and configure host worker number
-    oe_enclave_setting_context_switchless_t config = {1, 0};
-    oe_enclave_config_t configs[] = {{
-        .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
-        .u.context_switchless_config = &config,
+    oe_enclave_setting_context_switchless_t switchless_setting = {1, 0};
+    oe_enclave_setting_t settings[] = {{
+        .setting_type = OE_ENCLAVE_SETTING_CONTEXT_SWITCHLESS,
+        .u.context_switchless_setting = &switchless_setting,
     }};
 
     if ((result = oe_create_switchless_enclave(
              argv[1],
              OE_ENCLAVE_TYPE_SGX,
              flags,
-             configs,
-             OE_COUNTOF(configs),
+             settings,
+             OE_COUNTOF(settings),
              &enclave)) != OE_OK)
         fprintf(stderr, "oe_create_enclave(): result=%u", result);
 
diff --git a/tests/create-errors/host/host.c b/tests/create-errors/host/host.c
index 3e44afb6af..d7ca89df0d 100644
--- a/tests/create-errors/host/host.c
+++ b/tests/create-errors/host/host.c
@@ -13,11 +13,11 @@ static void _test_invalid_param(const char* path, uint32_t flags)
 {
     oe_enclave_t* enclave = NULL;
 
-    oe_enclave_config_t invalid_config = {0, {NULL}};
-    oe_enclave_setting_context_switchless_t config = {2, 0};
-    oe_enclave_config_t configs[] = {{
-        .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
-        .u.context_switchless_config = &config,
+    oe_enclave_setting_t invalid_setting = {0, {NULL}};
+    oe_enclave_setting_context_switchless_t switchless_setting = {2, 0};
+    oe_enclave_setting_t settings[] = {{
+        .setting_type = OE_ENCLAVE_SETTING_CONTEXT_SWITCHLESS,
+        .u.context_switchless_setting = &switchless_setting,
     }};
 
     /* Null path. */
@@ -45,19 +45,19 @@ static void _test_invalid_param(const char* path, uint32_t flags)
 
     /* Invalid configuration with incorrect **config_count** */
     result = oe_create_create_errors_enclave(
-        path, OE_ENCLAVE_TYPE_SGX, flags, &invalid_config, 0, &enclave);
+        path, OE_ENCLAVE_TYPE_SGX, flags, &invalid_setting, 0, &enclave);
 
     OE_TEST(result == OE_INVALID_PARAMETER);
 
     /* Invalid configuration with correct **config_count** */
     result = oe_create_create_errors_enclave(
-        path, OE_ENCLAVE_TYPE_SGX, flags, &invalid_config, 1, &enclave);
+        path, OE_ENCLAVE_TYPE_SGX, flags, &invalid_setting, 1, &enclave);
 
     OE_TEST(result == OE_INVALID_PARAMETER);
 
     /* Valid configuration with incorrect **config_count** */
     result = oe_create_create_errors_enclave(
-        path, OE_ENCLAVE_TYPE_SGX, flags, configs, 0, &enclave);
+        path, OE_ENCLAVE_TYPE_SGX, flags, settings, 0, &enclave);
 
     OE_TEST(result == OE_INVALID_PARAMETER);
 
diff --git a/tests/switchless/host/host.c b/tests/switchless/host/host.c
index a6389bbd7d..f56198c40a 100644
--- a/tests/switchless/host/host.c
+++ b/tests/switchless/host/host.c
@@ -74,18 +74,17 @@ int main(int argc, const char* argv[])
     const uint32_t flags = oe_get_create_flags();
 
     // Enable switchless and configure host worker number
-    oe_enclave_setting_context_switchless_t config = {1, 0};
-    oe_enclave_config_t configs[] = {{
-        .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
-        .u.context_switchless_config = &config,
-    }};
+    oe_enclave_setting_context_switchless_t switchless_setting = {1, 0};
+    oe_enclave_setting_t settings[] = {
+        {.setting_type = OE_ENCLAVE_SETTING_CONTEXT_SWITCHLESS,
+         .u.context_switchless_setting = &switchless_setting}};
 
     if ((result = oe_create_switchless_enclave(
              argv[1],
              OE_ENCLAVE_TYPE_SGX,
              flags,
-             configs,
-             OE_COUNTOF(configs),
+             settings,
+             OE_COUNTOF(settings),
              &enclave)) != OE_OK)
         oe_put_err("oe_create_enclave(): result=%u", result);
 
diff --git a/tests/switchless_threads/host/host.c b/tests/switchless_threads/host/host.c
index e81ea2f941..c564917872 100644
--- a/tests/switchless_threads/host/host.c
+++ b/tests/switchless_threads/host/host.c
@@ -107,18 +107,17 @@ int main(int argc, const char* argv[])
     const uint32_t flags = oe_get_create_flags();
 
     // Enable switchless and configure host worker number
-    oe_enclave_setting_context_switchless_t config = {2, 0};
-    oe_enclave_config_t configs[] = {{
-        .config_type = OE_ENCLAVE_CONFIG_CONTEXT_SWITCHLESS,
-        .u.context_switchless_config = &config,
-    }};
+    oe_enclave_setting_context_switchless_t switchless_setting = {2, 0};
+    oe_enclave_setting_t settings[] = {
+        {.setting_type = OE_ENCLAVE_SETTING_CONTEXT_SWITCHLESS,
+         .u.context_switchless_setting = &switchless_setting}};
 
     if ((result = oe_create_switchless_threads_enclave(
              argv[1],
              OE_ENCLAVE_TYPE_SGX,
              flags,
-             configs,
-             OE_COUNTOF(configs),
+             settings,
+             OE_COUNTOF(settings),
              &enclave)) != OE_OK)
         oe_put_err("oe_create_enclave(): result=%u", result);
 
diff --git a/tools/oeedger8r/Emitter.ml b/tools/oeedger8r/Emitter.ml
index e9c1fd3364..dfdc46c9b3 100644
--- a/tools/oeedger8r/Emitter.ml
+++ b/tools/oeedger8r/Emitter.ml
@@ -1363,8 +1363,8 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
     ; "    const char* path,"
     ; "    oe_enclave_type_t type,"
     ; "    uint32_t flags,"
-    ; "    const oe_enclave_config_t* configs,"
-    ; "    uint32_t config_count,"
+    ; "    const oe_enclave_setting_t* settings,"
+    ; "    uint32_t setting_count,"
     ; "    oe_enclave_t** enclave);"
     ; ""
     ; "/**** ECALL prototypes. ****/"
@@ -1422,16 +1422,16 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
     ; "    const char* path,"
     ; "    oe_enclave_type_t type,"
     ; "    uint32_t flags,"
-    ; "    const oe_enclave_config_t* configs,"
-    ; "    uint32_t config_count,"
+    ; "    const oe_enclave_setting_t* settings,"
+    ; "    uint32_t setting_count,"
     ; "    oe_enclave_t** enclave)"
     ; "{"
     ; "    return oe_create_enclave("
     ; "               path,"
     ; "               type,"
     ; "               flags,"
-    ; "               configs,"
-    ; "               config_count,"
+    ; "               settings,"
+    ; "               setting_count,"
     ; sprintf "               __%s_ocall_function_table," ec.enclave_name
     ; sprintf "               %d," (List.length ufs)
     ; "               enclave);"

From a892d305650f3fe8d996a3f3a82ec232062dce94 Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Tue, 1 Oct 2019 00:12:54 +0000
Subject: [PATCH 057/420] Fix missed out optee file

---
 host/optee/linux/enclave.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/host/optee/linux/enclave.c b/host/optee/linux/enclave.c
index bba574714d..cf4ed61282 100644
--- a/host/optee/linux/enclave.c
+++ b/host/optee/linux/enclave.c
@@ -399,8 +399,8 @@ oe_result_t oe_create_enclave(
     const char* enclave_path,
     oe_enclave_type_t enclave_type,
     uint32_t flags,
-    const oe_enclave_config_t* configs,
-    uint32_t config_count,
+    const oe_enclave_settings_t* settings,
+    uint32_t setting_count,
     const oe_ocall_func_t* ocall_table,
     uint32_t ocall_count,
     oe_enclave_t** enclave_out)
@@ -425,8 +425,8 @@ oe_result_t oe_create_enclave(
     if (!enclave_path || !enclave_out ||
         ((enclave_type != OE_ENCLAVE_TYPE_OPTEE) &&
          (enclave_type != OE_ENCLAVE_TYPE_AUTO)) ||
-        (config_count > 0 && configs == NULL) ||
-        (config_count == 0 && configs != NULL) ||
+        (setting_count > 0 && configs == NULL) ||
+        (setting_count == 0 && settings != NULL) ||
         (flags & OE_ENCLAVE_FLAG_RESERVED) ||
         (!(flags & OE_ENCLAVE_FLAG_SIMULATE) &&
          (flags & OE_ENCLAVE_FLAG_DEBUG)))

From bc69d0df4966ecea1042f8fac3e8251cecfa40ba Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Tue, 1 Oct 2019 00:59:30 +0000
Subject: [PATCH 058/420] Fix typo

---
 host/optee/linux/enclave.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/host/optee/linux/enclave.c b/host/optee/linux/enclave.c
index cf4ed61282..767e3910cb 100644
--- a/host/optee/linux/enclave.c
+++ b/host/optee/linux/enclave.c
@@ -425,7 +425,7 @@ oe_result_t oe_create_enclave(
     if (!enclave_path || !enclave_out ||
         ((enclave_type != OE_ENCLAVE_TYPE_OPTEE) &&
          (enclave_type != OE_ENCLAVE_TYPE_AUTO)) ||
-        (setting_count > 0 && configs == NULL) ||
+        (setting_count > 0 && settings == NULL) ||
         (setting_count == 0 && settings != NULL) ||
         (flags & OE_ENCLAVE_FLAG_RESERVED) ||
         (!(flags & OE_ENCLAVE_FLAG_SIMULATE) &&

From f0d6749a245fe0656a2618aea04a7bb2c93fb1ac Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Tue, 1 Oct 2019 01:21:52 +0000
Subject: [PATCH 059/420] Address PR feedback: Documentation suggestions.

---
 samples/switchless/README.md | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/samples/switchless/README.md b/samples/switchless/README.md
index 9686285dd8..e3f11caae0 100644
--- a/samples/switchless/README.md
+++ b/samples/switchless/README.md
@@ -27,11 +27,12 @@ call is initiated, the caller needs to pass the `job` (encapsulating information
 thread needs to pass the result back to the caller. Both exchanges need to be synchronized.
 
 While switchless calls save transition time, they require at least one additional thread to service the calls.
-More threads typically means more competition of the CPU cores and more context switches, hurting the performance.
-Whether to make a particular function switchless has to weigh the associated costs and savings. In general, the
-good candidates for switchless calls are functions that are: 1) short, thus the transition takes relatively high
-percentage of the overall execution time of the call; and 2) called frequently, so the savings in transition time
-add up.
+Currently, the worker threads that service the calls busy-wait for messages and therefore consume a lot of CPU.
+Thus more worker threads typically means more competition for the CPU cores and more thread context switches,
+hurting the performance. In order to determine whether to make a particular function switchless, one has to weigh
+the associated costs and savings. In general, the good candidates for switchless calls are functions that are:
+1) short, thus the transition takes relatively high percentage of the overall execution time of the call; and
+2) called frequently, so the savings in transition time add up.
 
 ## How does Open Enclave support switchless OCALLs
 
@@ -56,7 +57,7 @@ With the current implementation, we recommend that users avoid using more host w
 1. the number of simultaneously active enclave threads, and
 2. the number of cores that are potentially available to host worker threads.
 
-For example, on a 4-core machine, if the number of the simultaneously active enclave threads is 2, and there is no
+For example, on a 4-core machine, if the number of the simultaneously active enclave threads is 2, and there are no
 host threads other than the two threads making ECALLs and the switchless worker threads, both 1) and 2) would be 2.
 So we recommend setting the number of host worker threads to 2.
 
@@ -101,7 +102,7 @@ Function `host_increment_switchless`'s declaration ends with keyword `transition
 called switchlessly at run time. However, this a best-effort directive. Open Enclave runtime may still choose
 to fall back to a tradition OCALL if switchless call resources are unavailable, e.g., the enclave is not configured
 as switchless-capable, or the host worker threads are busy servicing other switchless OCALLs. In this example,
-`host_increment_switchless` is always called switchlessly because there is no simultaneous switchless OCALLs.
+`host_increment_switchless` is always called switchlessly because there are no simultaneous switchless OCALLs.
 
 To generate the functions with the marshaling code, the `oeedger8r` tool is called in both the host and enclave
 directories from their Makefiles. For example:

From 61b0bf69c938d6cb50b9d69854ce90c000acc6ae Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Tue, 1 Oct 2019 03:13:49 +0000
Subject: [PATCH 060/420] Fix typo

---
 host/optee/linux/enclave.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/host/optee/linux/enclave.c b/host/optee/linux/enclave.c
index 767e3910cb..3d82efa3c3 100644
--- a/host/optee/linux/enclave.c
+++ b/host/optee/linux/enclave.c
@@ -399,7 +399,7 @@ oe_result_t oe_create_enclave(
     const char* enclave_path,
     oe_enclave_type_t enclave_type,
     uint32_t flags,
-    const oe_enclave_settings_t* settings,
+    const oe_enclave_setting_t* settings,
     uint32_t setting_count,
     const oe_ocall_func_t* ocall_table,
     uint32_t ocall_count,

From 193c685ec5c72112b7cf014450df4b769e46dc92 Mon Sep 17 00:00:00 2001
From: Marius Oprin <moprin@cloudbasesolutions.com>
Date: Tue, 6 Aug 2019 15:29:24 +0200
Subject: [PATCH 061/420] Add Windows support for building images with Packer

---
 .jenkins/build_vhd.Jenkinsfile                |  3 +-
 .jenkins/custom_label.Jenkinsfile             | 45 +++++++++-
 .../templates/oe-engine/win-2016.json         | 30 +++++++
 .../templates/packer/packer-win.json          | 87 +++++++++++++++++++
 .../templates/packer/win-2016-variables.json  | 13 +++
 .jenkins/test.Jenkinsfile                     | 19 +++-
 scripts/ansible/oe-windows-acc-setup.yml      |  1 +
 7 files changed, 193 insertions(+), 5 deletions(-)
 create mode 100644 .jenkins/provision/templates/oe-engine/win-2016.json
 create mode 100644 .jenkins/provision/templates/packer/packer-win.json
 create mode 100644 .jenkins/provision/templates/packer/win-2016-variables.json

diff --git a/.jenkins/build_vhd.Jenkinsfile b/.jenkins/build_vhd.Jenkinsfile
index 05d4e44c42..892726e24c 100644
--- a/.jenkins/build_vhd.Jenkinsfile
+++ b/.jenkins/build_vhd.Jenkinsfile
@@ -42,4 +42,5 @@ def buildVHD(String os_type, String version, String imageName) {
 }
 
 parallel "Build Ubuntu 16.04" : { buildVHD("ubuntu", "16.04", OE_DEPLOY_IMAGE) },
-         "Build Ubuntu 18.04" : { buildVHD("ubuntu", "18.04", OE_DEPLOY_IMAGE) }
+         "Build Ubuntu 18.04" : { buildVHD("ubuntu", "18.04", OE_DEPLOY_IMAGE) },
+         "Build Windows 2016" : { buildVHD("win", "2016", OE_DEPLOY_IMAGE) }
diff --git a/.jenkins/custom_label.Jenkinsfile b/.jenkins/custom_label.Jenkinsfile
index 3bac3ca3f4..83ce86537c 100644
--- a/.jenkins/custom_label.Jenkinsfile
+++ b/.jenkins/custom_label.Jenkinsfile
@@ -62,6 +62,45 @@ def win2016CrossCompile(String build_type, String use_libsgx = 'OFF') {
     }
 }
 
+def win2016LinuxElfBuild(String version, String compiler, String build_type) {
+    def ubuntu_label = UBUNTU_1604_CUSTOM_LABEL
+    if ( version == "18.04" ) {
+      ubuntu_label = UBUNTU_1804_CUSTOM_LABEL
+    }
+    stage("Ubuntu ${version} SGX1 ${compiler} ${build_type}}") {
+        node(ubuntu_label) {
+            timeout(GLOBAL_TIMEOUT_MINUTES) {
+                cleanWs()
+                checkout scm
+                def task = """
+                           cmake ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DUSE_LIBSGX=ON -Wdev
+                           ninja -v
+                           """
+                oe.ContainerRun("oetools-full-${version}", compiler, task, "--cap-add=SYS_PTRACE")
+                stash includes: 'build/tests/**', name: "linux-${compiler}-${build_type}-${version}-${BUILD_NUMBER}"
+            }
+        }
+    }
+    stage("Windows ${build_type}") {
+        node(WINDOWS_2016_CUSTOM_LABEL) {
+            timeout(GLOBAL_TIMEOUT_MINUTES) {
+                cleanWs()
+                checkout scm
+                unstash "linux-${compiler}-${build_type}-${version}-${BUILD_NUMBER}"
+                bat 'move build linuxbin'
+                powershell 'Copy-Item -Recurse C:\\openenclave\\prereqs\\nuget ${env:WORKSPACE}\\prereqs'
+                dir('build') {
+                  bat """
+                      vcvars64.bat x64 && \
+                      cmake.exe ${WORKSPACE} -G Ninja -DADD_WINDOWS_ENCLAVE_TESTS=ON -DBUILD_ENCLAVES=OFF -DUSE_LIBSGX=ON -DCMAKE_BUILD_TYPE=${build_type} -DLINUX_BIN_DIR=${WORKSPACE}\\linuxbin\\tests -Wdev && \
+                      ninja -v && \
+                      ctest.exe -V -C ${build_type} --timeout ${CTEST_TIMEOUT_SECONDS}
+                      """
+                }
+            }
+        }
+    }
+}
 
 properties([buildDiscarder(logRotator(artifactDaysToKeepStr: '90',
                                       artifactNumToKeepStr: '180',
@@ -74,4 +113,8 @@ parallel "ACC1604 clang-7 RelWithDebInfo" :                     { ACCTest(UBUNTU
          "ACC1604 Container RelWithDebInfo" :                   { ACCContainerTest(UBUNTU_1604_CUSTOM_LABEL, '16.04') },
          "ACC1804 clang-7 RelWithDebInfo" :                     { ACCTest(UBUNTU_1804_CUSTOM_LABEL, 'clang-7', 'RelWithDebInfo') },
          "ACC1804 gcc RelWithDebInfo" :                         { ACCTest(UBUNTU_1804_CUSTOM_LABEL, 'gcc', 'RelWithDebInfo') },
-         "ACC1804 Container RelWithDebInfo" :                   { ACCContainerTest(UBUNTU_1804_CUSTOM_LABEL, '18.04') }
+         "ACC1804 Container RelWithDebInfo" :                   { ACCContainerTest(UBUNTU_1804_CUSTOM_LABEL, '18.04') },
+         "Win2016 Ubuntu1604 clang-7 Debug Linux-Elf-build" :   { win2016LinuxElfBuild('16.04', 'clang-7', 'Debug') },
+         "Win2016 Ubuntu1804 clang-7 Release Linux-Elf-build" : { win2016LinuxElfBuild('18.04', 'clang-7', 'Release') },
+         "Win2016 Ubuntu1804 gcc Debug Linux-Elf-build" :       { win2016LinuxElfBuild('18.04', 'gcc', 'Debug') },
+         "Win2016 Debug Cross Compile" :                        { win2016CrossCompile('Debug') }
diff --git a/.jenkins/provision/templates/oe-engine/win-2016.json b/.jenkins/provision/templates/oe-engine/win-2016.json
new file mode 100644
index 0000000000..abfba0a4d4
--- /dev/null
+++ b/.jenkins/provision/templates/oe-engine/win-2016.json
@@ -0,0 +1,30 @@
+{
+  "properties": {
+    "vmProfiles": [
+      {
+        "name": "${AGENT_NAME}",
+        "osType": "Windows",
+        "vmSize": "Standard_DC2s",
+        "ports": [3389, 5986],
+        "isVanilla": true,
+        "enableWinRM": true,
+        "hasDNSName": true
+      }
+    ],
+    "vnetProfile": {
+      "vnetResourceGroup": "OE-Jenkins-CI-westeurope",
+      "vnetName": "OE-Jenkins-CI-VNET",
+      "subnetName": "default"
+    },
+    "windowsProfile": {
+      "adminUsername": "azureuser",
+      "adminPassword":  "${WINDOWS_ADMIN_PASSWORD}",
+      "osImage": {
+        "url": "${VHD_URL}"
+      }
+    },
+    "diagnosticsProfile": {
+      "enabled": false
+    }
+  }
+}
diff --git a/.jenkins/provision/templates/packer/packer-win.json b/.jenkins/provision/templates/packer/packer-win.json
new file mode 100644
index 0000000000..9f4f72c41a
--- /dev/null
+++ b/.jenkins/provision/templates/packer/packer-win.json
@@ -0,0 +1,87 @@
+{
+  "variables": {
+    "resource_group": "{{env `RESOURCE_GROUP`}}",
+    "subscription_id": "{{env `SUBSCRIPTION_ID`}}",
+    "client_id": "{{env `SERVICE_PRINCIPAL_ID`}}",
+    "client_secret": "{{env `SERVICE_PRINCIPAL_PASSWORD`}}",
+    "tenant_id": "{{env `TENANT_ID`}}",
+    "location": "{{env `REGION`}}",
+    "storage_account": "",
+    "capture_container_name": "",
+    "capture_name_prefix": "",
+    "os_type": "",
+    "image_publisher": "",
+    "image_offer": "",
+    "image_sku": "",
+    "vm_size": ""
+  },
+  "builders": [{
+    "name": "{{user `os_type`}}",
+    "type": "azure-arm",
+
+    "client_id": "{{user `client_id`}}",
+    "client_secret": "{{user `client_secret`}}",
+    "tenant_id": "{{user `tennant_id`}}",
+    "resource_group_name": "{{user `resource_group`}}",
+    "storage_account": "{{user `storage_account`}}",
+    "subscription_id": "{{user `subscription_id`}}",
+
+    "capture_container_name": "{{user `capture_container_name`}}",
+    "capture_name_prefix": "{{user `capture_name_prefix`}}",
+
+    "os_type": "{{user `os_type`}}",
+    "image_publisher": "{{user `image_publisher`}}",
+    "image_offer": "{{user `image_offer`}}",
+    "image_sku": "{{user `image_sku`}}",
+
+    "communicator": "{{ user `communicator` }}",
+    "winrm_use_ssl": true,
+    "winrm_insecure": true,
+    "winrm_timeout": "5m",
+    "winrm_username": "Administrator",
+
+    "location": "{{user `location`}}",
+    "vm_size": "{{user `vm_size`}}"
+  }],
+  "provisioners": [
+    {
+        "type": "powershell",
+        "inline": [
+          "(Invoke-WebRequest -Headers @{\"Metadata\"=\"true\"} -UseBasicParsing \"http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-08-01&format=text\").Content | Out-File -Append -Encoding utf8 C:/Windows/Temp/ip-address"
+        ]
+    },
+    {
+        "type": "file",
+        "direction": "download",
+        "source": "C:/Windows/Temp/ip-address",
+        "destination": "/ansible/inventory/hosts"
+    },
+    {
+        "type": "shell-local",
+        "inline": [
+            "IP=`cut -b 4- /ansible/inventory/hosts`",
+            "echo \"[{{ user `ansible_group` }}]\\n${IP}\" > /ansible/inventory/hosts"
+        ]
+    },
+    {
+      "type": "shell-local",
+      "environment_vars": [
+        "ANSIBLE_ROLES_PATH=/ansible/roles",
+        "ANSIBLE_CONFIG=/ansible/ansible.cfg",
+        "ANSIBLE_INVENTORY=/ansible/inventory/hosts",
+        "ANSIBLE_REMOTE_PORT=5986"
+      ],
+      "command": "ansible-playbook -e \"ansible_user=packer ansible_password={{.WinRMPassword}} ansible_become_pass={{.WinRMPassword}} ansible_connection=winrm ansible_winrm_server_cert_validation=ignore ansible_winrm_transport=ntlm\" {{ user `playbook_file` }}"
+    },
+    {
+      "type": "powershell",
+      "inline": [
+          "  while ((Get-Service RdAgent).Status -ne 'Running') { Start-Sleep -s 5 }",
+          "  while ((Get-Service WindowsAzureTelemetryService).Status -ne 'Running') { Start-Sleep -s 5 }",
+          "  while ((Get-Service WindowsAzureGuestAgent).Status -ne 'Running') { Start-Sleep -s 5 }",
+          "& $env:SystemRoot\\System32\\Sysprep\\Sysprep.exe /oobe /generalize /quiet /quit",
+          "while($true) { $imageState = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\State | Select ImageState; if($imageState.ImageState -ne 'IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE') { Write-Output $imageState.ImageState; Start-Sleep -s 10  } else { break } }"
+      ]
+    }
+  ]
+}
diff --git a/.jenkins/provision/templates/packer/win-2016-variables.json b/.jenkins/provision/templates/packer/win-2016-variables.json
new file mode 100644
index 0000000000..4690d7386a
--- /dev/null
+++ b/.jenkins/provision/templates/packer/win-2016-variables.json
@@ -0,0 +1,13 @@
+{
+    "storage_account": "oejenkins",
+    "capture_container_name": "disks",
+    "capture_name_prefix": "packer",
+    "os_type": "Windows",
+    "image_publisher": "MicrosoftWindowsServer",
+    "image_offer": "confidential-compute-preview",
+    "image_sku": "acc-windows-server-2016-datacenter",
+    "vm_size": "Standard_DC2s",
+    "communicator": "winrm",
+    "ansible_group": "windows-agents",
+    "playbook_file": "/ansible/oe-windows-acc-setup.yml"
+}
diff --git a/.jenkins/test.Jenkinsfile b/.jenkins/test.Jenkinsfile
index f4bc5e13bb..99eae732bb 100644
--- a/.jenkins/test.Jenkinsfile
+++ b/.jenkins/test.Jenkinsfile
@@ -26,6 +26,18 @@ try {
   */
   stage("Deploy and register Jenkins Agent") {
       parallel (
+          "Windows" : {
+              build job: 'OpenEnclave-deploy-jenkins-agent-test',
+                    parameters: [string(name: 'OE_DEPLOY_IMAGE', value: "oetools-deploy:${env.BUILD_TAG}"),
+                                 string(name: 'REPOSITORY_NAME', value: env.REPOSITORY),
+                                 string(name: 'BRANCH_SPECIFIER', value: env.BRANCH),
+                                 string(name: 'VHD_URL', value: "https://oejenkinswesteurope.blob.core.windows.net/disks/${env.BUILD_TAG}-win-2016.vhd"),
+                                 string(name: 'REGION', value: "westeurope"),
+                                 string(name: 'RESOURCE_GROUP', value: "windows-${env.BUILD_TAG}"),
+                                 string(name: 'AGENT_NAME', value: "win-2016-${env.BUILD_NUMBER}-1"),
+                                 string(name: 'AGENT_LABEL', value: "windows-${env.BUILD_TAG}"),
+                                 string(name: 'AGENT_TYPE', value: 'windows')]
+          },
           "Ubuntu 16.04" : {
               build job: 'OpenEnclave-deploy-jenkins-agent-test',
                     parameters: [string(name: 'OE_DEPLOY_IMAGE', value: "oetools-deploy:${env.BUILD_TAG}"),
@@ -57,7 +69,8 @@ try {
             parameters: [string(name: 'REPOSITORY_NAME', value: env.REPOSITORY),
                          string(name: 'BRANCH_SPECIFIER', value: env.BRANCH),
                          string(name: 'UBUNTU_1604_CUSTOM_LABEL', value: "xenial-${env.BUILD_TAG}"),
-                         string(name: 'UBUNTU_1804_CUSTOM_LABEL', value: "bionic-${env.BUILD_TAG}")]
+                         string(name: 'UBUNTU_1804_CUSTOM_LABEL', value: "bionic-${env.BUILD_TAG}"),
+                         string(name: 'WINDOWS_2016_CUSTOM_LABEL', value: "windows-${env.BUILD_TAG}")]
   }
 
 } finally {
@@ -69,7 +82,7 @@ try {
               parameters: [string(name: 'OE_DEPLOY_IMAGE', value: "oetools-deploy:${env.BUILD_TAG}"),
                            string(name: 'REPOSITORY_NAME', value: env.REPOSITORY),
                            string(name: 'BRANCH_SPECIFIER', value: env.BRANCH),
-                           string(name: "AGENT_LABELS", value: "xenial-${env.BUILD_TAG},bionic-${env.BUILD_TAG}"),
-                           string(name: "RESOURCE_GROUPS", value: "xenial-${env.BUILD_TAG},bionic-${env.BUILD_TAG}")]
+                           string(name: "AGENT_LABELS", value: "xenial-${env.BUILD_TAG},bionic-${env.BUILD_TAG},windows-${env.BUILD_TAG}"),
+                           string(name: "RESOURCE_GROUPS", value: "xenial-${env.BUILD_TAG},bionic-${env.BUILD_TAG},windows-${env.BUILD_TAG}")]
     }
 }
diff --git a/scripts/ansible/oe-windows-acc-setup.yml b/scripts/ansible/oe-windows-acc-setup.yml
index 9a7bcae44d..387ee9153f 100644
--- a/scripts/ansible/oe-windows-acc-setup.yml
+++ b/scripts/ansible/oe-windows-acc-setup.yml
@@ -63,6 +63,7 @@
 
     - name: OE setup | Reboot the node
       win_reboot:
+      when: ansible_user != "packer"
 
     - import_role:
         name: windows/openenclave

From 52f8fdc6273554bdfdc053622764a4acd4248eb6 Mon Sep 17 00:00:00 2001
From: Marius Oprin <moprin@cloudbasesolutions.com>
Date: Sun, 1 Sep 2019 09:58:41 +0300
Subject: [PATCH 062/420] Update oe-engine blob location

---
 .jenkins/Dockerfile.deploy | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.jenkins/Dockerfile.deploy b/.jenkins/Dockerfile.deploy
index a47074e55a..dcaea9d239 100644
--- a/.jenkins/Dockerfile.deploy
+++ b/.jenkins/Dockerfile.deploy
@@ -20,7 +20,7 @@ RUN apt-get update && \
     apt-key add microsoft.asc && \
     apt-get update && \
     apt-get -y install apt-transport-https azure-cli unzip && \
-    curl https://oejenkins.blob.core.windows.net/oejenkins/oe-engine -o /usr/bin/oe-engine  && \
+    curl https://oejenkinsciartifacts.blob.core.windows.net/oe-engine/latest/bin/oe-engine -o /usr/bin/oe-engine && \
     chmod +x /usr/bin/oe-engine && \
     wget https://releases.hashicorp.com/packer/1.4.2/packer_1.4.2_linux_amd64.zip && \
     unzip packer_1.4.2_linux_amd64.zip -d /usr/sbin && \

From 1b362ea72e762f87fac56586f73e6add99e35245 Mon Sep 17 00:00:00 2001
From: Marius Oprin <moprin@cloudbasesolutions.com>
Date: Tue, 3 Sep 2019 12:13:27 +0300
Subject: [PATCH 063/420] Fix shellcheck install

---
 scripts/install-windows-prereqs.ps1 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index c53f932cb1..763986d7fb 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -453,7 +453,9 @@ function Install-Shellcheck {
     Install-ZipTool -ZipPath $PACKAGES["shellcheck"]["local_file"] `
                     -InstallDirectory $installDir `
                     -EnvironmentPath @("$installDir")
-    Add-ToSystemPath -Path "${env:ProgramFiles}\shellcheck"
+    $filePath = Join-Path $installDir "shellcheck*.exe"
+    $scexe = Get-ChildItem $filePath
+    Rename-Item $scexe "shellcheck.exe"
 }
 
 function Get-DevconBinary {

From 13d8ec9a05c08432a630efc7b7435d6957190674 Mon Sep 17 00:00:00 2001
From: Marius Oprin <moprin@cloudbasesolutions.com>
Date: Tue, 3 Sep 2019 15:49:37 +0300
Subject: [PATCH 064/420] Update ansible windows validation for Azure DCAP
 0.0.2

---
 scripts/ansible/oe-windows-acc-setup.yml              |  4 ++--
 .../roles/windows/az-dcap-client/tasks/validation.yml |  2 ++
 .../roles/windows/az-dcap-client/vars/windows.yml     | 11 -----------
 3 files changed, 4 insertions(+), 13 deletions(-)

diff --git a/scripts/ansible/oe-windows-acc-setup.yml b/scripts/ansible/oe-windows-acc-setup.yml
index 387ee9153f..5c3643b31a 100644
--- a/scripts/ansible/oe-windows-acc-setup.yml
+++ b/scripts/ansible/oe-windows-acc-setup.yml
@@ -36,8 +36,8 @@
     - name: OE setup | Run the install-windows-prereqs.ps1 script (this may take a while)
       script: ../install-windows-prereqs.ps1
         -InstallPath         "C:\openenclave"
-        -LaunchConfiguration "{{ SGX1FLC if dcap_testing_node is defined and dcap_testing_node == true else SGX1 }}"
-        -DCAPClientType      "{{ Azure }}"
+        -LaunchConfiguration "{{ 'SGX1FLC' if dcap_testing_node is defined and dcap_testing_node == true else 'SGX1' }}"
+        -DCAPClientType      "{{ 'Azure' }}"
         -IntelPSWURL         "{{ intel_psw_2_4_url if dcap_testing_node is defined and dcap_testing_node == true else intel_psw_2_2_url }}"
         -IntelPSWHash        "{{ intel_psw_2_4_hash if dcap_testing_node is defined and dcap_testing_node == true else intel_psw_2_2_hash }}"
         -IntelDCAPURL        "{{ intel_dcap_url }}"
diff --git a/scripts/ansible/roles/windows/az-dcap-client/tasks/validation.yml b/scripts/ansible/roles/windows/az-dcap-client/tasks/validation.yml
index 008451c9bf..2a551915cb 100644
--- a/scripts/ansible/roles/windows/az-dcap-client/tasks/validation.yml
+++ b/scripts/ansible/roles/windows/az-dcap-client/tasks/validation.yml
@@ -25,6 +25,7 @@
     name: '{{ lc_driver.reg_key }}'
   register: reg_key
   failed_when: reg_key.value != 1
+  when: dcap_testing_node is defined and dcap_testing_node == True
 
 - name: Azure DCAP Client | Download devcon.exe
   win_get_url:
@@ -40,6 +41,7 @@
   with_items:
     - 'root\SgxLCDevice'
     - 'root\SgxLCDevice_DCAP'
+  when: dcap_testing_node is defined and dcap_testing_node == True
 
 - name: Azure DCAP Client | Remove temp devcon.exe
   win_file:
diff --git a/scripts/ansible/roles/windows/az-dcap-client/vars/windows.yml b/scripts/ansible/roles/windows/az-dcap-client/vars/windows.yml
index bd3dae7cd8..32275ff0b7 100644
--- a/scripts/ansible/roles/windows/az-dcap-client/vars/windows.yml
+++ b/scripts/ansible/roles/windows/az-dcap-client/vars/windows.yml
@@ -11,20 +11,9 @@ lc_driver:
   reg_value: 1
 
 validation_directories:
-  - "C:\\openenclave\\prereqs\\nuget\\curl"
   - "C:\\openenclave\\prereqs\\nuget\\DCAP_Components"
   - "C:\\openenclave\\prereqs\\nuget\\EnclaveCommonAPI"
-  - "C:\\openenclave\\prereqs\\nuget\\Microsoft.Azure.DCAP.Client"
-  - "C:\\openenclave\\prereqs\\nuget\\openssl"
-  - "C:\\openenclave\\prereqs\\nuget\\zlib"
 
 validation_binaries:
-  - "C:\\openenclave\\prereqs\\nuget\\curl\\build\\native\\lib\\v110\\x64\\Release\\static\\libcurl.lib"
   - "C:\\openenclave\\prereqs\\nuget\\DCAP_Components\\build\\lib\\native\\Libraries\\sgx_dcap_ql.lib"
   - "C:\\openenclave\\prereqs\\nuget\\EnclaveCommonAPI\\lib\\native\\x64-Release\\sgx_enclave_common.lib"
-  - "C:\\openenclave\\prereqs\\nuget\\libssh2\\build\\native\\lib\\v110\\x64\\Release\\static\\cdecl\\libssh2.lib"
-  - "C:\\openenclave\\prereqs\\nuget\\Microsoft.Azure.DCAP.Client\\lib\\release\\dcap_quoteprov.dll"
-  - "C:\\openenclave\\prereqs\\nuget\\openssl\\build\\native\\lib\\v110\\x64\\Release\\static\\cdecl\\libeay32.lib"
-  - "C:\\openenclave\\prereqs\\nuget\\openssl\\build\\native\\lib\\v110\\x64\\Release\\static\\cdecl\\ssleay32.lib"
-  - "C:\\openenclave\\prereqs\\nuget\\zlib\\build\\native\\lib\\v110\\x64\\Release\\static\\stdcall\\zlib.lib"
-  - "C:\\openenclave\\prereqs\\nuget\\curl\\build\\native\\lib\\v110\\x64\\Release\\static\\libcurl.lib"

From 3350739f5c89476e739294c50fbb24109104d28c Mon Sep 17 00:00:00 2001
From: Marius Oprin <moprin@cloudbasesolutions.com>
Date: Fri, 6 Sep 2019 09:45:57 +0300
Subject: [PATCH 065/420] Add stages to build_vhd.Jenkinsfile

---
 .jenkins/build_vhd.Jenkinsfile | 58 ++++++++++++++++++----------------
 1 file changed, 30 insertions(+), 28 deletions(-)

diff --git a/.jenkins/build_vhd.Jenkinsfile b/.jenkins/build_vhd.Jenkinsfile
index 892726e24c..52bdf149c1 100644
--- a/.jenkins/build_vhd.Jenkinsfile
+++ b/.jenkins/build_vhd.Jenkinsfile
@@ -5,35 +5,37 @@ GLOBAL_TIMEOUT_MINUTES = 240
 
 def buildVHD(String os_type, String version, String imageName) {
     node("nonSGX") {
-        timeout(GLOBAL_TIMEOUT_MINUTES) {
-            cleanWs()
-            checkout scm
+        stage("${os_type}-${version}") {
+            timeout(GLOBAL_TIMEOUT_MINUTES) {
+                cleanWs()
+                checkout scm
 
-            withCredentials([azureStorage(credentialsId: 'oe_jenkins_storage_account',
-                                          storageAccountKeyVariable: 'EASTUS_STORAGE_ACCOUNT_KEY',
-                                          storageAccountNameVariable: 'EASTUS_STORAGE_ACCOUNT_NAME'),
-                             azureStorage(credentialsId: 'oe_jenkins_storage_account_westeurope',
-                                          storageAccountKeyVariable: 'WESTEUROPE_STORAGE_ACCOUNT_KEY',
-                                          storageAccountNameVariable: 'WESTEUROPE_STORAGE_ACCOUNT_NAME')]) {
-                withEnv(["REGION=eastus", "DEST_VHD_NAME=${VHD_NAME_PREFIX}-${os_type}-${version}.vhd", "CONTAINER_NAME=disks"]) {
-                    dir("${WORKSPACE}/.jenkins/provision") {
-                        oe.azureEnvironment("""
-                                            packer build -var-file=templates/packer/${os_type}-${version}-variables.json templates/packer/packer-${os_type}.json 2>&1 | tee packer.log
-                                            export SOURCE_URI=\$(cat packer.log | grep OSDiskUri: | awk '{print \$2}')
-                                            az storage blob copy start --source-uri \$SOURCE_URI --destination-blob \$DEST_VHD_NAME --destination-container \$CONTAINER_NAME --account-key \$EASTUS_STORAGE_ACCOUNT_KEY --account-name \$EASTUS_STORAGE_ACCOUNT_NAME
-                                            az storage blob copy start --source-uri \$SOURCE_URI --destination-blob \$DEST_VHD_NAME --destination-container \$CONTAINER_NAME --account-key \$WESTEUROPE_STORAGE_ACCOUNT_KEY --account-name \$WESTEUROPE_STORAGE_ACCOUNT_NAME
-                                            blob_status=\$(az storage blob show --name \$DEST_VHD_NAME --container-name \$CONTAINER_NAME \
-                                              --account-key \$WESTEUROPE_STORAGE_ACCOUNT_KEY --account-name \$WESTEUROPE_STORAGE_ACCOUNT_NAME \
-                                              --output json | jq -r .properties.copy.status)
-                                            while [ "\${blob_status}" != "success" ]
-                                            do
-                                            echo Waiting for \$DEST_VHD_NAME to finish copying ...
-                                            sleep 10
-                                            blob_status=\$(az storage blob show --name \$DEST_VHD_NAME --container-name \$CONTAINER_NAME \
-                                              --account-key \$WESTEUROPE_STORAGE_ACCOUNT_KEY --account-name \$WESTEUROPE_STORAGE_ACCOUNT_NAME \
-                                              --output json | jq -r .properties.copy.status)
-                                            done
-                                            """, imageName)
+                withCredentials([azureStorage(credentialsId: 'oe_jenkins_storage_account',
+                                              storageAccountKeyVariable: 'EASTUS_STORAGE_ACCOUNT_KEY',
+                                              storageAccountNameVariable: 'EASTUS_STORAGE_ACCOUNT_NAME'),
+                                 azureStorage(credentialsId: 'oe_jenkins_storage_account_westeurope',
+                                              storageAccountKeyVariable: 'WESTEUROPE_STORAGE_ACCOUNT_KEY',
+                                              storageAccountNameVariable: 'WESTEUROPE_STORAGE_ACCOUNT_NAME')]) {
+                    withEnv(["REGION=eastus", "DEST_VHD_NAME=${VHD_NAME_PREFIX}-${os_type}-${version}.vhd", "CONTAINER_NAME=disks"]) {
+                        dir("${WORKSPACE}/.jenkins/provision") {
+                            oe.azureEnvironment("""
+                                                packer build -var-file=templates/packer/${os_type}-${version}-variables.json templates/packer/packer-${os_type}.json 2>&1 | tee packer.log
+                                                export SOURCE_URI=\$(cat packer.log | grep OSDiskUri: | awk '{print \$2}')
+                                                az storage blob copy start --source-uri \$SOURCE_URI --destination-blob \$DEST_VHD_NAME --destination-container \$CONTAINER_NAME --account-key \$EASTUS_STORAGE_ACCOUNT_KEY --account-name \$EASTUS_STORAGE_ACCOUNT_NAME
+                                                az storage blob copy start --source-uri \$SOURCE_URI --destination-blob \$DEST_VHD_NAME --destination-container \$CONTAINER_NAME --account-key \$WESTEUROPE_STORAGE_ACCOUNT_KEY --account-name \$WESTEUROPE_STORAGE_ACCOUNT_NAME
+                                                blob_status=\$(az storage blob show --name \$DEST_VHD_NAME --container-name \$CONTAINER_NAME \
+                                                  --account-key \$WESTEUROPE_STORAGE_ACCOUNT_KEY --account-name \$WESTEUROPE_STORAGE_ACCOUNT_NAME \
+                                                  --output json | jq -r .properties.copy.status)
+                                                while [ "\${blob_status}" != "success" ]
+                                                do
+                                                echo Waiting for \$DEST_VHD_NAME to finish copying ...
+                                                sleep 10
+                                                blob_status=\$(az storage blob show --name \$DEST_VHD_NAME --container-name \$CONTAINER_NAME \
+                                                  --account-key \$WESTEUROPE_STORAGE_ACCOUNT_KEY --account-name \$WESTEUROPE_STORAGE_ACCOUNT_NAME \
+                                                  --output json | jq -r .properties.copy.status)
+                                                done
+                                                """, imageName)
+                        }
                     }
                 }
             }

From 2348e43655e9adfc07d598586265a17dc3c5c548 Mon Sep 17 00:00:00 2001
From: Marius Oprin <moprin@cloudbasesolutions.com>
Date: Tue, 10 Sep 2019 12:46:26 +0300
Subject: [PATCH 066/420] Do not install Intel SGX PSW if NoDriver
 configuration on Windows.

---
 scripts/install-windows-prereqs.ps1 | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index 763986d7fb..d6d7bf469a 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -649,7 +649,11 @@ try {
     Install-Git
     Install-OCaml
     Install-Shellcheck
-    Install-PSW
+
+    if ($LaunchConfiguration -ne "SGX1FLC-NoDriver")
+    {
+        Install-PSW
+    }
 
     if ($DCAPClientType -eq "Azure")
     {

From 309b63450595ab14eed26ced746cbaf982a38efa Mon Sep 17 00:00:00 2001
From: Marius Oprin <moprin@cloudbasesolutions.com>
Date: Wed, 11 Sep 2019 18:23:36 +0300
Subject: [PATCH 067/420] Add DOCKER_TAG to custom_label tests

---
 .jenkins/custom_label.Jenkinsfile | 4 ++--
 .jenkins/test.Jenkinsfile         | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.jenkins/custom_label.Jenkinsfile b/.jenkins/custom_label.Jenkinsfile
index 83ce86537c..20401bb987 100644
--- a/.jenkins/custom_label.Jenkinsfile
+++ b/.jenkins/custom_label.Jenkinsfile
@@ -32,7 +32,7 @@ def ACCContainerTest(String label, String version) {
                            ninja -v
                            ctest --output-on-failure --timeout ${CTEST_TIMEOUT_SECONDS}
                            """
-                oe.ContainerRun("oetools-full-${version}", "clang-7", task, "--cap-add=SYS_PTRACE --device /dev/sgx:/dev/sgx")
+                oe.ContainerRun("oetools-full-${version}:${DOCKER_TAG}", "clang-7", task, "--cap-add=SYS_PTRACE --device /dev/sgx:/dev/sgx")
             }
         }
     }
@@ -76,7 +76,7 @@ def win2016LinuxElfBuild(String version, String compiler, String build_type) {
                            cmake ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DUSE_LIBSGX=ON -Wdev
                            ninja -v
                            """
-                oe.ContainerRun("oetools-full-${version}", compiler, task, "--cap-add=SYS_PTRACE")
+                oe.ContainerRun("oetools-full-${version}:${DOCKER_TAG}", compiler, task, "--cap-add=SYS_PTRACE")
                 stash includes: 'build/tests/**', name: "linux-${compiler}-${build_type}-${version}-${BUILD_NUMBER}"
             }
         }
diff --git a/.jenkins/test.Jenkinsfile b/.jenkins/test.Jenkinsfile
index 99eae732bb..66ee26204e 100644
--- a/.jenkins/test.Jenkinsfile
+++ b/.jenkins/test.Jenkinsfile
@@ -68,6 +68,7 @@ try {
       build job: 'OpenEnclave-custom_label-test',
             parameters: [string(name: 'REPOSITORY_NAME', value: env.REPOSITORY),
                          string(name: 'BRANCH_SPECIFIER', value: env.BRANCH),
+                         string(name: 'DOCKER_TAG', value: env.BUILD_TAG),
                          string(name: 'UBUNTU_1604_CUSTOM_LABEL', value: "xenial-${env.BUILD_TAG}"),
                          string(name: 'UBUNTU_1804_CUSTOM_LABEL', value: "bionic-${env.BUILD_TAG}"),
                          string(name: 'WINDOWS_2016_CUSTOM_LABEL', value: "windows-${env.BUILD_TAG}")]

From adca336b872186b6784fcb7fe09eae50c2471f2e Mon Sep 17 00:00:00 2001
From: Marius Oprin <moprin@cloudbasesolutions.com>
Date: Thu, 12 Sep 2019 12:40:58 +0300
Subject: [PATCH 068/420] Enable deployments of Windows nodes with DCAP
 Libraries

---
 .jenkins/deploy_agent.Jenkinsfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.jenkins/deploy_agent.Jenkinsfile b/.jenkins/deploy_agent.Jenkinsfile
index c9a9c8e91c..ecda5dc81f 100644
--- a/.jenkins/deploy_agent.Jenkinsfile
+++ b/.jenkins/deploy_agent.Jenkinsfile
@@ -55,6 +55,9 @@ def generateVariablesFile() {
          echo ansible_ssh_private_key_file: inventory/id-rsa-oe-test
          } > ${var_file} """
     }
+    if (DCAP_TESTING_NODE == "true") {
+      sh "echo dcap_testing_node: true >> ${var_file}"
+    }
 }
 
 def registerJenkinsSlave() {

From 3c788c3bf50c569c77b3db0cc353adb54e03ee81 Mon Sep 17 00:00:00 2001
From: Marius Oprin <moprin@cloudbasesolutions.com>
Date: Thu, 12 Sep 2019 17:33:34 +0300
Subject: [PATCH 069/420] Add Windows agents with DCAP libraries support

---
 .jenkins/build_vhd.Jenkinsfile                |  3 ++-
 .jenkins/custom_label.Jenkinsfile             | 21 ++++++++++++-------
 .../templates/packer/packer-win.json          |  2 +-
 .../templates/packer/win-2016-variables.json  |  3 ++-
 .../templates/packer/win-dcap-variables.json  | 14 +++++++++++++
 .jenkins/test.Jenkinsfile                     | 19 ++++++++++++++---
 .../az-dcap-client/tasks/validation.yml       |  4 ++--
 7 files changed, 50 insertions(+), 16 deletions(-)
 create mode 100644 .jenkins/provision/templates/packer/win-dcap-variables.json

diff --git a/.jenkins/build_vhd.Jenkinsfile b/.jenkins/build_vhd.Jenkinsfile
index 52bdf149c1..9ff6938b7a 100644
--- a/.jenkins/build_vhd.Jenkinsfile
+++ b/.jenkins/build_vhd.Jenkinsfile
@@ -45,4 +45,5 @@ def buildVHD(String os_type, String version, String imageName) {
 
 parallel "Build Ubuntu 16.04" : { buildVHD("ubuntu", "16.04", OE_DEPLOY_IMAGE) },
          "Build Ubuntu 18.04" : { buildVHD("ubuntu", "18.04", OE_DEPLOY_IMAGE) },
-         "Build Windows 2016" : { buildVHD("win", "2016", OE_DEPLOY_IMAGE) }
+         "Build Windows 2016" : { buildVHD("win", "2016", OE_DEPLOY_IMAGE) },
+         "Build Windows 2016 DCAP" : { buildVHD("win", "dcap", OE_DEPLOY_IMAGE) }
diff --git a/.jenkins/custom_label.Jenkinsfile b/.jenkins/custom_label.Jenkinsfile
index 20401bb987..a0b8dca2f4 100644
--- a/.jenkins/custom_label.Jenkinsfile
+++ b/.jenkins/custom_label.Jenkinsfile
@@ -39,8 +39,12 @@ def ACCContainerTest(String label, String version) {
 }
 
 def win2016CrossCompile(String build_type, String use_libsgx = 'OFF') {
+    def node_label = WINDOWS_2016_CUSTOM_LABEL
+    if (use_libsgx == "ON") {
+        node_label = WINDOWS_DCAP_CUSTOM_LABEL
+    }
     stage("Windows ${build_type} with SGX ${use_libsgx}") {
-        node(WINDOWS_2016_CUSTOM_LABEL) {
+        node(node_label) {
             timeout(GLOBAL_TIMEOUT_MINUTES) {
                 cleanWs()
                 checkout scm
@@ -82,7 +86,7 @@ def win2016LinuxElfBuild(String version, String compiler, String build_type) {
         }
     }
     stage("Windows ${build_type}") {
-        node(WINDOWS_2016_CUSTOM_LABEL) {
+        node(WINDOWS_DCAP_CUSTOM_LABEL) {
             timeout(GLOBAL_TIMEOUT_MINUTES) {
                 cleanWs()
                 checkout scm
@@ -108,13 +112,14 @@ properties([buildDiscarder(logRotator(artifactDaysToKeepStr: '90',
                                       numToKeepStr: '180')),
             [$class: 'JobRestrictionProperty']])
 
-parallel "ACC1604 clang-7 RelWithDebInfo" :                     { ACCTest(UBUNTU_1604_CUSTOM_LABEL, 'clang-7', 'RelWithDebInfo') },
+parallel "Win2016 Release Cross Compile with DCAP libs" :       { win2016CrossCompile('Release', 'ON') },
+         "Win2016 Debug Cross Compile" :                        { win2016CrossCompile('Debug') },
+         "Win2016 Ubuntu1604 clang-7 Debug Linux-Elf-build" :   { win2016LinuxElfBuild('16.04', 'clang-7', 'Debug') },
+         "Win2016 Ubuntu1804 clang-7 Release Linux-Elf-build" : { win2016LinuxElfBuild('18.04', 'clang-7', 'Release') },
+         "Win2016 Ubuntu1804 gcc Debug Linux-Elf-build" :       { win2016LinuxElfBuild('18.04', 'gcc', 'Debug') },
+         "ACC1604 clang-7 RelWithDebInfo" :                     { ACCTest(UBUNTU_1604_CUSTOM_LABEL, 'clang-7', 'RelWithDebInfo') },
          "ACC1604 gcc RelWithDebInfo" :                         { ACCTest(UBUNTU_1604_CUSTOM_LABEL, 'gcc', 'RelWithDebInfo') },
          "ACC1604 Container RelWithDebInfo" :                   { ACCContainerTest(UBUNTU_1604_CUSTOM_LABEL, '16.04') },
          "ACC1804 clang-7 RelWithDebInfo" :                     { ACCTest(UBUNTU_1804_CUSTOM_LABEL, 'clang-7', 'RelWithDebInfo') },
          "ACC1804 gcc RelWithDebInfo" :                         { ACCTest(UBUNTU_1804_CUSTOM_LABEL, 'gcc', 'RelWithDebInfo') },
-         "ACC1804 Container RelWithDebInfo" :                   { ACCContainerTest(UBUNTU_1804_CUSTOM_LABEL, '18.04') },
-         "Win2016 Ubuntu1604 clang-7 Debug Linux-Elf-build" :   { win2016LinuxElfBuild('16.04', 'clang-7', 'Debug') },
-         "Win2016 Ubuntu1804 clang-7 Release Linux-Elf-build" : { win2016LinuxElfBuild('18.04', 'clang-7', 'Release') },
-         "Win2016 Ubuntu1804 gcc Debug Linux-Elf-build" :       { win2016LinuxElfBuild('18.04', 'gcc', 'Debug') },
-         "Win2016 Debug Cross Compile" :                        { win2016CrossCompile('Debug') }
+         "ACC1804 Container RelWithDebInfo" :                   { ACCContainerTest(UBUNTU_1804_CUSTOM_LABEL, '18.04') }
diff --git a/.jenkins/provision/templates/packer/packer-win.json b/.jenkins/provision/templates/packer/packer-win.json
index 9f4f72c41a..79ffeabf18 100644
--- a/.jenkins/provision/templates/packer/packer-win.json
+++ b/.jenkins/provision/templates/packer/packer-win.json
@@ -71,7 +71,7 @@
         "ANSIBLE_INVENTORY=/ansible/inventory/hosts",
         "ANSIBLE_REMOTE_PORT=5986"
       ],
-      "command": "ansible-playbook -e \"ansible_user=packer ansible_password={{.WinRMPassword}} ansible_become_pass={{.WinRMPassword}} ansible_connection=winrm ansible_winrm_server_cert_validation=ignore ansible_winrm_transport=ntlm\" {{ user `playbook_file` }}"
+      "command": "ansible-playbook -e \"dcap_testing_node={{ user `dcap_testing_node` }} ansible_user=packer ansible_password={{.WinRMPassword}} ansible_become_pass={{.WinRMPassword}} ansible_connection=winrm ansible_winrm_server_cert_validation=ignore ansible_winrm_transport=ntlm\" {{ user `playbook_file` }}"
     },
     {
       "type": "powershell",
diff --git a/.jenkins/provision/templates/packer/win-2016-variables.json b/.jenkins/provision/templates/packer/win-2016-variables.json
index 4690d7386a..4405bbe597 100644
--- a/.jenkins/provision/templates/packer/win-2016-variables.json
+++ b/.jenkins/provision/templates/packer/win-2016-variables.json
@@ -9,5 +9,6 @@
     "vm_size": "Standard_DC2s",
     "communicator": "winrm",
     "ansible_group": "windows-agents",
-    "playbook_file": "/ansible/oe-windows-acc-setup.yml"
+    "playbook_file": "/ansible/oe-windows-acc-setup.yml",
+    "dcap_testing_node": "false"
 }
diff --git a/.jenkins/provision/templates/packer/win-dcap-variables.json b/.jenkins/provision/templates/packer/win-dcap-variables.json
new file mode 100644
index 0000000000..71e9ca45ba
--- /dev/null
+++ b/.jenkins/provision/templates/packer/win-dcap-variables.json
@@ -0,0 +1,14 @@
+{
+    "storage_account": "oejenkins",
+    "capture_container_name": "disks",
+    "capture_name_prefix": "packer",
+    "os_type": "Windows",
+    "image_publisher": "MicrosoftWindowsServer",
+    "image_offer": "confidential-compute-preview",
+    "image_sku": "acc-windows-server-2016-datacenter",
+    "vm_size": "Standard_DC2s",
+    "communicator": "winrm",
+    "ansible_group": "windows-agents",
+    "playbook_file": "/ansible/oe-windows-acc-setup.yml",
+    "dcap_testing_node": "true"
+}
diff --git a/.jenkins/test.Jenkinsfile b/.jenkins/test.Jenkinsfile
index 66ee26204e..baa92383c9 100644
--- a/.jenkins/test.Jenkinsfile
+++ b/.jenkins/test.Jenkinsfile
@@ -38,6 +38,18 @@ try {
                                  string(name: 'AGENT_LABEL', value: "windows-${env.BUILD_TAG}"),
                                  string(name: 'AGENT_TYPE', value: 'windows')]
           },
+          "Windows DCAP" : {
+              build job: 'OpenEnclave-deploy-jenkins-agent-test',
+                    parameters: [string(name: 'OE_DEPLOY_IMAGE', value: "oetools-deploy:${env.BUILD_TAG}"),
+                                 string(name: 'REPOSITORY_NAME', value: env.REPOSITORY),
+                                 string(name: 'BRANCH_SPECIFIER', value: env.BRANCH),
+                                 string(name: 'VHD_URL', value: "https://oejenkinswesteurope.blob.core.windows.net/disks/${env.BUILD_TAG}-win-dcap.vhd"),
+                                 string(name: 'REGION', value: "westeurope"),
+                                 string(name: 'RESOURCE_GROUP', value: "windows-dcap-${env.BUILD_TAG}"),
+                                 string(name: 'AGENT_NAME', value: "win-dcap-${env.BUILD_NUMBER}-1"),
+                                 string(name: 'AGENT_LABEL', value: "windows-dcap-${env.BUILD_TAG}"),
+                                 string(name: 'AGENT_TYPE', value: 'windows')]
+          },
           "Ubuntu 16.04" : {
               build job: 'OpenEnclave-deploy-jenkins-agent-test',
                     parameters: [string(name: 'OE_DEPLOY_IMAGE', value: "oetools-deploy:${env.BUILD_TAG}"),
@@ -71,7 +83,8 @@ try {
                          string(name: 'DOCKER_TAG', value: env.BUILD_TAG),
                          string(name: 'UBUNTU_1604_CUSTOM_LABEL', value: "xenial-${env.BUILD_TAG}"),
                          string(name: 'UBUNTU_1804_CUSTOM_LABEL', value: "bionic-${env.BUILD_TAG}"),
-                         string(name: 'WINDOWS_2016_CUSTOM_LABEL', value: "windows-${env.BUILD_TAG}")]
+                         string(name: 'WINDOWS_2016_CUSTOM_LABEL', value: "windows-${env.BUILD_TAG}"),
+                         string(name: 'WINDOWS_DCAP_CUSTOM_LABEL', value: "windows-dcap-${env.BUILD_TAG}")]
   }
 
 } finally {
@@ -83,7 +96,7 @@ try {
               parameters: [string(name: 'OE_DEPLOY_IMAGE', value: "oetools-deploy:${env.BUILD_TAG}"),
                            string(name: 'REPOSITORY_NAME', value: env.REPOSITORY),
                            string(name: 'BRANCH_SPECIFIER', value: env.BRANCH),
-                           string(name: "AGENT_LABELS", value: "xenial-${env.BUILD_TAG},bionic-${env.BUILD_TAG},windows-${env.BUILD_TAG}"),
-                           string(name: "RESOURCE_GROUPS", value: "xenial-${env.BUILD_TAG},bionic-${env.BUILD_TAG},windows-${env.BUILD_TAG}")]
+                           string(name: "AGENT_LABELS", value: "xenial-${env.BUILD_TAG},bionic-${env.BUILD_TAG},windows-${env.BUILD_TAG},windows-dcap-${env.BUILD_TAG}"),
+                           string(name: "RESOURCE_GROUPS", value: "xenial-${env.BUILD_TAG},bionic-${env.BUILD_TAG},windows-${env.BUILD_TAG},windows-dcap-${env.BUILD_TAG}")]
     }
 }
diff --git a/scripts/ansible/roles/windows/az-dcap-client/tasks/validation.yml b/scripts/ansible/roles/windows/az-dcap-client/tasks/validation.yml
index 2a551915cb..5277a1cfd6 100644
--- a/scripts/ansible/roles/windows/az-dcap-client/tasks/validation.yml
+++ b/scripts/ansible/roles/windows/az-dcap-client/tasks/validation.yml
@@ -25,7 +25,7 @@
     name: '{{ lc_driver.reg_key }}'
   register: reg_key
   failed_when: reg_key.value != 1
-  when: dcap_testing_node is defined and dcap_testing_node == True
+  when: dcap_testing_node is defined and dcap_testing_node == "true"
 
 - name: Azure DCAP Client | Download devcon.exe
   win_get_url:
@@ -41,7 +41,7 @@
   with_items:
     - 'root\SgxLCDevice'
     - 'root\SgxLCDevice_DCAP'
-  when: dcap_testing_node is defined and dcap_testing_node == True
+  when: dcap_testing_node is defined and dcap_testing_node == "true"
 
 - name: Azure DCAP Client | Remove temp devcon.exe
   win_file:

From 5e3af66aef0c05a3dec2915a5c11c1f6fb26a6d9 Mon Sep 17 00:00:00 2001
From: Marius Oprin <moprin@cloudbasesolutions.com>
Date: Wed, 18 Sep 2019 18:17:50 +0300
Subject: [PATCH 070/420] Update Windows ansible validation scripts

---
 scripts/ansible/oe-windows-acc-setup.yml                    | 6 +++---
 .../roles/windows/az-dcap-client/tasks/validation.yml       | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/scripts/ansible/oe-windows-acc-setup.yml b/scripts/ansible/oe-windows-acc-setup.yml
index 5c3643b31a..27f5b8675c 100644
--- a/scripts/ansible/oe-windows-acc-setup.yml
+++ b/scripts/ansible/oe-windows-acc-setup.yml
@@ -36,10 +36,10 @@
     - name: OE setup | Run the install-windows-prereqs.ps1 script (this may take a while)
       script: ../install-windows-prereqs.ps1
         -InstallPath         "C:\openenclave"
-        -LaunchConfiguration "{{ 'SGX1FLC' if dcap_testing_node is defined and dcap_testing_node == true else 'SGX1' }}"
+        -LaunchConfiguration "{{ 'SGX1FLC' if dcap_testing_node is defined and dcap_testing_node == 'true' else 'SGX1' }}"
         -DCAPClientType      "{{ 'Azure' }}"
-        -IntelPSWURL         "{{ intel_psw_2_4_url if dcap_testing_node is defined and dcap_testing_node == true else intel_psw_2_2_url }}"
-        -IntelPSWHash        "{{ intel_psw_2_4_hash if dcap_testing_node is defined and dcap_testing_node == true else intel_psw_2_2_hash }}"
+        -IntelPSWURL         "{{ intel_psw_2_4_url if dcap_testing_node is defined and dcap_testing_node == 'true' else intel_psw_2_2_url }}"
+        -IntelPSWHash        "{{ intel_psw_2_4_hash if dcap_testing_node is defined and dcap_testing_node == 'true' else intel_psw_2_2_hash }}"
         -IntelDCAPURL        "{{ intel_dcap_url }}"
         -IntelDCAPHash       "{{ intel_dcap_hash }}"
         -GitURL              "{{ git_url }}"
diff --git a/scripts/ansible/roles/windows/az-dcap-client/tasks/validation.yml b/scripts/ansible/roles/windows/az-dcap-client/tasks/validation.yml
index 5277a1cfd6..45cb388ad9 100644
--- a/scripts/ansible/roles/windows/az-dcap-client/tasks/validation.yml
+++ b/scripts/ansible/roles/windows/az-dcap-client/tasks/validation.yml
@@ -25,7 +25,7 @@
     name: '{{ lc_driver.reg_key }}'
   register: reg_key
   failed_when: reg_key.value != 1
-  when: dcap_testing_node is defined and dcap_testing_node == "true"
+  when: dcap_testing_node is defined and dcap_testing_node == 'true'
 
 - name: Azure DCAP Client | Download devcon.exe
   win_get_url:
@@ -41,7 +41,7 @@
   with_items:
     - 'root\SgxLCDevice'
     - 'root\SgxLCDevice_DCAP'
-  when: dcap_testing_node is defined and dcap_testing_node == "true"
+  when: dcap_testing_node is defined and dcap_testing_node == 'true'
 
 - name: Azure DCAP Client | Remove temp devcon.exe
   win_file:

From c581ca8a5a954e62b6d6548bed6804cc59dd71b7 Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Tue, 24 Sep 2019 00:25:36 +0000
Subject: [PATCH 071/420] Switchless Ocall Worker Waiting Strategy Improvement

Each host worker checks for a message in its call_arg slot.
If there is a message, the message is immediately removed from
the slot and processed.

If there is no message, then a spin counter is incremented.
If the spin counter reaches a particular threshold, then it means
that the thread has been spinning for sometime waiting for messages
and now can be put to sleep.

A simple strategy of putting the thread to sleep is to sleep for
a predetermined amount of time say 1 microsecond. This has the
benefit of letting other threads run; however it does not give
optimal performance since the worker threads keep waking up,
spinning and going back to sleep for ever, consuming enough CPU
to affect normal ocall performance.

A better strategy is to use a futex to wait.
Each thread has an int32_t event field, initially zero.

When a host thread has spun till the threshold,
    if atomically sets the value of event to 0 if it was 1

    if the previous value (returned from atomic operation) was 0,
    it means that there has been no wake notifications from the enclave,
    and therefore the host thread does a futex_wait while event's value
    is still zero.

    if the previous value (returned from atomic operation) was 1,
    if means that the enclave has just posted a message and therefore
    the worker thread continues to fetch the message instead of sleeping.

When an enclave thread wants to post a switchless ocall message,
   it first finds a host worker thread with a free slot
       The host worker thread could be active or doing a futex_wait

       The enclave thread atomically sets the value of the host thread's
       event to 1 if it was 0

       if the previous value(returned from atomic operation) was 0,
       it means that the host thread is doing a futex_wait and therefore
       an core ocall (OE_OCALL_WAKE_HOST_WORKER) is made to futex_wake the thread.
       The number of such ocalls will be less in an application that makes switchless
       calls with enough frequency. (If switchless calls are rare, the application may
       not benefit from switchless calls).

       If the previous value(returned from atomic operation) was 1,
       it means that we have already woken up the host and therefore don't need to
       wake up the host again.

   if no host worker thread with free slot is found, the post fails and
   subsquently a normal ocall is made

On the enclave side, an atomic compare and exchange operation suffices to determine
if the host must be woken up via a core ocall or not.

On the host side, in linux futex syscalls (__NR_futex FUTEX_WAIT_PRIVATE and FUTEX_WAKE_PRIVATE)
are used whereas on Windows WaitOnAddress and WakeByAddressSingle are used.
---
 enclave/core/switchlesscalls.c            |  13 +++
 host/CMakeLists.txt                       |   3 +-
 host/linux/hostthread.c                   |   4 +
 host/ocalls.h                             |   2 +
 host/optee/linux/enclave.c                |   3 +
 host/sgx/calls.c                          |   5 +
 host/sgx/switchless.c                     |  90 +++++++++++++++
 include/openenclave/internal/calls.h      |   1 +
 include/openenclave/internal/switchless.h |  13 ++-
 tests/switchless/enc/enc.c                |  10 +-
 tests/switchless/host/CMakeLists.txt      |   1 +
 tests/switchless/host/host.c              | 135 ++++++++++++++++++----
 tests/switchless/switchless.edl           |  12 +-
 13 files changed, 257 insertions(+), 35 deletions(-)

diff --git a/enclave/core/switchlesscalls.c b/enclave/core/switchlesscalls.c
index 40c5c38f0f..5d0624c481 100644
--- a/enclave/core/switchlesscalls.c
+++ b/enclave/core/switchlesscalls.c
@@ -71,6 +71,7 @@ oe_result_t oe_handle_init_switchless(uint64_t arg_in)
     // Copy the worker context array pointer and its size to avoid TOCTOU
     _host_worker_count = safe_manager.num_host_workers;
     _host_worker_contexts = safe_manager.host_worker_contexts;
+
     result = OE_OK;
 
 done:
@@ -105,6 +106,18 @@ oe_result_t oe_post_switchless_ocall(oe_call_host_function_args_t* args)
                     NULL,
                     args))
             {
+                // Set the worker's state to RUNNING.
+                if (__sync_val_compare_and_swap(
+                        &_host_worker_contexts[tries].event, 0, 1) == 0)
+                {
+                    // The worker was previously sleeping.
+                    // Wake it via an ocall.
+                    oe_ocall(
+                        OE_OCALL_WAKE_HOST_WORKER,
+                        (uint64_t)&_host_worker_contexts[tries],
+                        NULL);
+                }
+
                 return OE_OK;
             }
         }
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index b2c38e7101..f99fb14c1e 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -294,7 +294,7 @@ if (UNIX)
 elseif (WIN32)
   target_include_directories(oehost PRIVATE
     ${CMAKE_SOURCE_DIR}/3rdparty/mbedtls/mbedtls/include)
-  target_link_libraries(oehost PRIVATE bcrypt Crypt32)
+  target_link_libraries(oehost PRIVATE bcrypt Crypt32 Synchronization)
   target_include_directories(oehostverify PRIVATE
     ${CMAKE_SOURCE_DIR}/3rdparty/mbedtls/mbedtls/include)
   target_link_libraries(oehostverify PRIVATE bcrypt Crypt32)
@@ -351,6 +351,7 @@ target_compile_definitions(oehost
   # package.
   $<BUILD_INTERFACE:OE_API_VERSION=2>
   PRIVATE
+  OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
   OE_BUILD_UNTRUSTED
   OE_REPO_BRANCH_NAME="${GIT_BRANCH}"
   OE_REPO_LAST_COMMIT="${GIT_COMMIT}")
diff --git a/host/linux/hostthread.c b/host/linux/hostthread.c
index 65a87251fb..d7ec0e35ce 100644
--- a/host/linux/hostthread.c
+++ b/host/linux/hostthread.c
@@ -3,8 +3,12 @@
 
 #include "../hostthread.h"
 #include <assert.h>
+#include <linux/futex.h>
 #include <openenclave/host.h>
 #include <pthread.h>
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <unistd.h>
 
 /*
 **==============================================================================
diff --git a/host/ocalls.h b/host/ocalls.h
index c23873631f..6b9071b9bd 100644
--- a/host/ocalls.h
+++ b/host/ocalls.h
@@ -12,4 +12,6 @@ void HandleFree(uint64_t arg);
 void oe_handle_sleep(uint64_t arg_in);
 void oe_handle_get_time(uint64_t arg_in, uint64_t* arg_out);
 
+void oe_handle_wake_host_worker(uint64_t arg_in);
+
 #endif /* _OE_HOST_OCALLS_H */
diff --git a/host/optee/linux/enclave.c b/host/optee/linux/enclave.c
index 3d82efa3c3..e5f75f1792 100644
--- a/host/optee/linux/enclave.c
+++ b/host/optee/linux/enclave.c
@@ -220,6 +220,9 @@ static TEEC_Result _handle_generic_rpc(
                 *(uint64_t*)input_buffer, (uint64_t*)output_buffer);
             break;
 
+        case OE_OCALL_WAKE_HOST_WORKER:
+            return TEEC_ERROR_NOT_SUPPORTED;
+
         default:
         {
             /* No function found with the number */
diff --git a/host/sgx/calls.c b/host/sgx/calls.c
index a3fdb0f25f..984726139d 100644
--- a/host/sgx/calls.c
+++ b/host/sgx/calls.c
@@ -339,6 +339,7 @@ static const char* oe_ocall_str(oe_func_t ocall)
         "FREE",
         "SLEEP",
         "GET_TIME",
+        "WAKE_HOST_WORKER",
     };
     // clang-format on
 
@@ -436,6 +437,10 @@ static oe_result_t _handle_ocall(
             oe_handle_get_time(arg_in, arg_out);
             break;
 
+        case OE_OCALL_WAKE_HOST_WORKER:
+            oe_handle_wake_host_worker(arg_in);
+            break;
+
         default:
         {
             /* No function found with the number */
diff --git a/host/sgx/switchless.c b/host/sgx/switchless.c
index bd21754dd6..8ae6f702bb 100644
--- a/host/sgx/switchless.c
+++ b/host/sgx/switchless.c
@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
+#include <openenclave/internal/atomic.h>
 #include <openenclave/internal/calls.h>
 #include <openenclave/internal/raise.h>
 #include <openenclave/internal/switchless.h>
@@ -10,6 +11,68 @@
 #include "../ocalls.h"
 #include "enclave.h"
 
+#if __linux__
+#include <linux/futex.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+static void _worker_wait(oe_host_worker_context_t* context)
+{
+    if (__sync_val_compare_and_swap(&context->event, 1, 0) == 0)
+    {
+        do
+        {
+            syscall(
+                __NR_futex,
+                &context->event,
+                FUTEX_WAIT_PRIVATE,
+                0,
+                NULL,
+                NULL,
+                0);
+            // If context-> is still 0, then this is a spurious-wake.
+            // Spurious-wakes are ignored by going back to FUTEX_WAIT.
+            // Since FUTEX_WAIT uses atomic instructions to load event->value,
+            // it is safe to use a non-atomic operation here.
+        } while (context->event == 0);
+    }
+}
+
+static void _worker_wake(oe_host_worker_context_t* context)
+{
+    // context->event is expected to be set to 1 by the enclave.
+    // This function is called only when needed.
+    __sync_val_compare_and_swap(&context->event, 0, 1);
+    syscall(__NR_futex, &context->event, FUTEX_WAKE_PRIVATE, 1, NULL, NULL, 0);
+}
+
+#else
+
+static void _worker_wait(oe_host_worker_context_t* context)
+{
+    // If the event value is 1, then set it to zero.
+    if (_InterlockedCompareExchange(&context->event, 0, 1) == 0)
+    {
+        // If the previous value was zero, then wait while value is zero.
+        uint32_t zero = 0;
+        WaitOnAddress(&context->event, &zero, sizeof(context->event), INFINITE);
+    }
+}
+
+static void _worker_wake(oe_host_worker_context_t* context)
+{
+    // Enclave sets context->value to 1.
+    // Wake up the waiting worker.
+    WakeByAddressSingle(&context->event);
+}
+
+#endif
+
+/**
+ * Number of iterations an ocall worker thread would spin before going to sleep
+ */
+#define OE_HOST_WORKER_SPIN_COUNT_THRESHOLD (4096U)
+
 /*
 ** The thread function that handles switchless ocalls
 **
@@ -24,8 +87,22 @@ static void* _switchless_ocall_worker(void* arg)
         if ((local_call_arg = context->call_arg) != NULL)
         {
             context->call_arg = NULL;
+
             oe_handle_call_host_function(
                 (uint64_t)local_call_arg, context->enclave);
+
+            context->total_spin_count += context->spin_count;
+            context->spin_count = 0;
+        }
+        else
+        {
+            if (++context->spin_count >= OE_HOST_WORKER_SPIN_COUNT_THRESHOLD)
+            {
+                context->total_spin_count += context->spin_count;
+                context->spin_count = 0;
+
+                _worker_wait(context);
+            }
         }
     }
     return NULL;
@@ -37,6 +114,12 @@ static oe_result_t oe_stop_worker_threads(oe_switchless_call_manager_t* manager)
     for (size_t i = 0; i < manager->num_host_workers; i++)
     {
         manager->host_worker_contexts[i].is_stopping = true;
+        _worker_wake(&manager->host_worker_contexts[i]);
+
+        OE_TRACE_INFO(
+            "Switchless host worker thread %d spun for %lu times",
+            i,
+            manager->host_worker_contexts[i].total_spin_count);
     }
 
     for (size_t i = 0; i < manager->num_host_workers; i++)
@@ -94,6 +177,7 @@ oe_result_t oe_start_switchless_manager(
     // Start the worker threads, and assign each one a private context.
     for (size_t i = 0; i < num_host_workers; i++)
     {
+        OE_TRACE_INFO("Creating switchless host worker thread %d\n", (int)i);
         manager->host_worker_contexts[i].enclave = enclave;
         if (oe_thread_create(
                 &manager->host_worker_threads[i],
@@ -133,3 +217,9 @@ oe_result_t oe_stop_switchless_manager(oe_enclave_t* enclave)
 done:
     return result;
 }
+
+void oe_handle_wake_host_worker(uint64_t arg)
+{
+    oe_host_worker_context_t* context = (oe_host_worker_context_t*)arg;
+    _worker_wake(context);
+}
diff --git a/include/openenclave/internal/calls.h b/include/openenclave/internal/calls.h
index 7cf7d91fce..7025e44843 100644
--- a/include/openenclave/internal/calls.h
+++ b/include/openenclave/internal/calls.h
@@ -86,6 +86,7 @@ typedef enum _oe_func
     OE_OCALL_FREE,
     OE_OCALL_SLEEP,
     OE_OCALL_GET_TIME,
+    OE_OCALL_WAKE_HOST_WORKER,
     /* Caution: always add new OCALL function numbers here */
     OE_OCALL_MAX, /* This value is never used */
 
diff --git a/include/openenclave/internal/switchless.h b/include/openenclave/internal/switchless.h
index 7b8d214231..8c8e5aeb3c 100644
--- a/include/openenclave/internal/switchless.h
+++ b/include/openenclave/internal/switchless.h
@@ -12,10 +12,21 @@
 typedef struct _host_worker_thread_context
 {
     volatile oe_call_host_function_args_t* call_arg;
-    volatile bool is_stopping;
+    uint64_t is_stopping;
     oe_enclave_t* enclave;
+
+    // Used as futex or for WaitOnAddress
+    int32_t event;
+
+    // Number of times the worker spinned without seeing a message.
+    uint64_t spin_count;
+
+    // Statistics.
+    uint64_t total_spin_count;
 } oe_host_worker_context_t;
 
+OE_STATIC_ASSERT(sizeof(oe_host_worker_context_t) == 48);
+
 typedef struct _oe_switchless_call_manager
 {
     oe_host_worker_context_t* host_worker_contexts;
diff --git a/tests/switchless/enc/enc.c b/tests/switchless/enc/enc.c
index 3c7041075e..7c1601cf77 100644
--- a/tests/switchless/enc/enc.c
+++ b/tests/switchless/enc/enc.c
@@ -11,7 +11,7 @@
 #define HOST_PARAM_STRING "host string parameter"
 #define HOST_STACK_STRING "host string on stack"
 
-int enc_echo_switchless(char* in, char out[STRING_LEN], int repeats)
+int enc_echo_switchless(const char* in, char out[STRING_LEN], int repeats)
 {
     oe_result_t result;
 
@@ -43,7 +43,7 @@ int enc_echo_switchless(char* in, char out[STRING_LEN], int repeats)
     return 0;
 }
 
-int enc_echo_regular(char* in, char out[STRING_LEN], int repeats)
+int enc_echo_regular(const char* in, char out[STRING_LEN], int repeats)
 {
     oe_result_t result;
 
@@ -79,6 +79,6 @@ OE_SET_ENCLAVE_SGX(
     1,    /* ProductID */
     1,    /* SecurityVersion */
     true, /* AllowDebug */
-    1024, /* HeapPageCount */
-    1024, /* StackPageCount */
-    2);   /* TCSCount */
+    64,   /* HeapPageCount */
+    64,   /* StackPageCount */
+    16);  /* TCSCount */
diff --git a/tests/switchless/host/CMakeLists.txt b/tests/switchless/host/CMakeLists.txt
index e38d76b2ae..3d64e99517 100644
--- a/tests/switchless/host/CMakeLists.txt
+++ b/tests/switchless/host/CMakeLists.txt
@@ -3,6 +3,7 @@
 
 oeedl_file(../switchless.edl host gen)
 
+
 add_executable(switchless_host host.c ${gen})
 
 target_include_directories(switchless_host PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
diff --git a/tests/switchless/host/host.c b/tests/switchless/host/host.c
index f56198c40a..6b40a7fea7 100644
--- a/tests/switchless/host/host.c
+++ b/tests/switchless/host/host.c
@@ -12,15 +12,46 @@
 #if _MSC_VER
 #include <Windows.h>
 #endif
+#include "../../../host/hostthread.h"
 #include "../../../host/strings.h"
 #include "switchless_u.h"
 
+// Increase this number to have a meaningful performance measurement
+#define NUM_OCALLS (100000)
+
 #define STRING_LEN 100
 
 #if _MSC_VER
 static double frequency;
 #endif
 
+static int thread_create(oe_thread_t* thread, void* (*func)(void*), void* arg)
+{
+#if __GNUC__
+    return pthread_create(thread, NULL, func, arg);
+#elif _MSC_VER
+    typedef DWORD (*start_routine_t)(void*);
+    start_routine_t start_routine = (start_routine_t)func;
+    *thread = (oe_thread_t)CreateThread(NULL, 0, start_routine, arg, 0, NULL);
+    return *thread == (oe_thread_t)NULL ? 1 : 0;
+#endif
+}
+
+static int thread_join(oe_thread_t thread)
+{
+#if __GNUC__
+    return pthread_join(thread, NULL);
+#elif _MSC_VER
+    HANDLE handle = (HANDLE)thread;
+    if (WaitForSingleObject(handle, INFINITE) == WAIT_OBJECT_0)
+    {
+        CloseHandle(handle);
+        return 0;
+    }
+    return 1;
+#endif
+}
+
 double get_relative_time_in_microseconds()
 {
 #if __GNUC__
@@ -35,7 +66,11 @@ double get_relative_time_in_microseconds()
 #endif
 }
 
-int host_echo_switchless(char* in, char* out, char* str1, char str2[STRING_LEN])
+int host_echo_switchless(
+    const char* in,
+    char* out,
+    const char* str1,
+    char str2[STRING_LEN])
 {
     OE_TEST(strcmp(str1, "host string parameter") == 0);
     OE_TEST(strcmp(str2, "host string on stack") == 0);
@@ -45,7 +80,11 @@ int host_echo_switchless(char* in, char* out, char* str1, char str2[STRING_LEN])
     return 0;
 }
 
-int host_echo_regular(char* in, char* out, char* str1, char str2[STRING_LEN])
+int host_echo_regular(
+    const char* in,
+    char* out,
+    const char* str1,
+    char str2[STRING_LEN])
 {
     OE_TEST(strcmp(str1, "host string parameter") == 0);
     OE_TEST(strcmp(str2, "host string on stack") == 0);
@@ -55,17 +94,62 @@ int host_echo_regular(char* in, char* out, char* str1, char str2[STRING_LEN])
     return 0;
 }
 
+double make_repeated_switchless_ocalls(oe_enclave_t* enclave)
+{
+    char out[STRING_LEN];
+    int return_val;
+    double start, end;
+
+    double switchless_microseconds = 0.0;
+
+    start = get_relative_time_in_microseconds();
+    OE_TEST(
+        enc_echo_switchless(
+            enclave, &return_val, "Hello World", out, NUM_OCALLS) == OE_OK);
+    OE_TEST(return_val == 0);
+    end = get_relative_time_in_microseconds();
+    switchless_microseconds += end - start;
+
+    printf(
+        "%d switchless calls took %d msecs.\n",
+        NUM_OCALLS,
+        (int)(switchless_microseconds / 1000.0));
+    return switchless_microseconds;
+}
+
+void* launch_enclave_thread(void* e)
+{
+    make_repeated_switchless_ocalls((oe_enclave_t*)e);
+    return NULL;
+}
+
 int main(int argc, const char* argv[])
 {
     oe_enclave_t* enclave = NULL;
     oe_result_t result;
 
-    if (argc != 2)
+    if (argc < 2)
     {
-        fprintf(stderr, "Usage: %s ENCLAVE_PATH\n", argv[0]);
+        fprintf(
+            stderr,
+            "Usage: %s ENCLAVE_PATH [num-host-threads] [num-enclave-threads]\n",
+            argv[0]);
         return 1;
     }
 
+    uint64_t num_host_threads = 2;
+    uint64_t num_enclave_threads = 2;
+
+    if (argc >= 3)
+    {
+        sscanf(argv[2], "%lu", &num_host_threads);
+    }
+
+    if (argc == 4)
+    {
+        sscanf(argv[3], "%lu", &num_enclave_threads);
+    }
+
 #if _MSC_VER
     QueryPerformanceFrequency(&frequency);
     frequency /= 1000000; // convert to microseconds
@@ -74,7 +158,8 @@ int main(int argc, const char* argv[])
     const uint32_t flags = oe_get_create_flags();
 
     // Enable switchless and configure host worker number
-    oe_enclave_setting_context_switchless_t switchless_setting = {1, 0};
+    oe_enclave_setting_context_switchless_t switchless_setting = {
+        num_host_threads, 0};
     oe_enclave_setting_t settings[] = {
         {.setting_type = OE_ENCLAVE_SETTING_CONTEXT_SWITCHLESS,
          .u.context_switchless_setting = &switchless_setting}};
@@ -91,38 +176,44 @@ int main(int argc, const char* argv[])
     char out[STRING_LEN];
     int return_val;
 
-    double switchless_microseconds = 0;
-    double start, end;
-
-    // Increase this number to have a meaningful performance measurement
-    int repeats = 10;
-
-    start = get_relative_time_in_microseconds();
-
-    OE_TEST(
-        enc_echo_switchless(
-            enclave, &return_val, "Hello World", out, repeats) == OE_OK);
-
-    end = get_relative_time_in_microseconds();
-    switchless_microseconds = end - start;
+    uint64_t num_extra_enc_threads = num_enclave_threads - 1;
+    oe_thread_t tid[32] = {0};
+    for (uint64_t i = 0; i < num_extra_enc_threads; ++i)
+    {
+        thread_create(&tid[i], launch_enclave_thread, enclave);
+        if (tid[i])
+        {
+            printf("Launched enclave producer thread %ld\n", i);
+        }
+    }
+    printf("Using main enclave thread\n");
+    double switchless_microseconds = make_repeated_switchless_ocalls(enclave);
 
+    printf("Making regular ocalls\n");
     double regular_microseconds = 0;
+    double start, end;
     start = get_relative_time_in_microseconds();
 
     OE_TEST(
-        enc_echo_regular(enclave, &return_val, "Hello World", out, repeats) ==
-        OE_OK);
+        enc_echo_regular(
+            enclave, &return_val, "Hello World", out, NUM_OCALLS) == OE_OK);
 
     end = get_relative_time_in_microseconds();
     regular_microseconds = end - start;
 
+    for (uint64_t i = 0; i < num_extra_enc_threads; ++i)
+    {
+        if (tid[i])
+            thread_join(tid[i]);
+    }
+
     result = oe_terminate_enclave(enclave);
     OE_TEST(result == OE_OK);
 
     printf(
         "Time spent in repeating OCALL %d times: switchless %d vs "
         "regular %d ms, speed up: %.2f\n",
-        repeats,
+        NUM_OCALLS,
         (int)switchless_microseconds / 1000,
         (int)regular_microseconds / 1000,
         (double)regular_microseconds / switchless_microseconds);
diff --git a/tests/switchless/switchless.edl b/tests/switchless/switchless.edl
index eeb038ffbb..d4f2dc8bb6 100644
--- a/tests/switchless/switchless.edl
+++ b/tests/switchless/switchless.edl
@@ -4,27 +4,27 @@
 enclave {
     trusted {
         public int enc_echo_switchless(
-            [string, in] char* in,
+            [string, in] const char* in,
             [out] char out[100],
             int repeats);
         public int enc_echo_regular(
-            [string, in] char* in,
+            [string, in] const char* in,
             [out] char out[100],
             int repeats);
     };
 
     untrusted {
         int host_echo_switchless(
-            [string, in] char* in,
+            [string, in] const char* in,
             [out] char out[100],
-            [string, in] char* str1,
+            [string, in] const char* str1,
             [in] char str2[100])
             transition_using_threads;
 
         int host_echo_regular(
-            [string, in] char* in,
+            [string, in] const char* in,
             [out] char out[100],
-            [string, in] char* str1,
+            [string, in] const char* str1,
             [in] char str2[100]);
     };
 };

From 80497bfbf3da541073b3a6b27947cd27c1dc597e Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 1 Oct 2019 21:21:09 +0000
Subject: [PATCH 072/420] Add maintainers for website and doxygen

---
 docs/CODEOWNERS    | 1 +
 docs/Committers.md | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/docs/CODEOWNERS b/docs/CODEOWNERS
index a44e5aa0f8..f8220cbd1e 100644
--- a/docs/CODEOWNERS
+++ b/docs/CODEOWNERS
@@ -12,6 +12,7 @@
 /3rdparty/ @mikbras @CodeMonkeyLeet
 /cmake/ @andschwa @BRMcLaren
 /common/ @CodeMonkeyLeet @gupta-ak @mikbras
+/docs/refman @andschwa @radhikaj
 /debugger/ @anakrish @jxyang
 /enclave/ @CodeMonkeyLeet @gupta-ak @mikbras
 /host/ @CodeMonkeyLeet @gupta-ak @mikbras
diff --git a/docs/Committers.md b/docs/Committers.md
index e8ff31c008..6fe2acf193 100644
--- a/docs/Committers.md
+++ b/docs/Committers.md
@@ -83,7 +83,7 @@ instead, it should be brought up with the Community Governance Committee.
 |-----------------------|---------------------|--------------------------------|
 | Amaury Chamayou       | achamayou           | Build, CCF Integration         |
 | Anand Krishnamoorthi  | anakrish            | Debugging, SGX, EDL, Dev Tools |
-| Andrew Schwartzmeyer  | andschwa            | EDL, CMake, Git, Dev Tools     |
+| Andrew Schwartzmeyer  | andschwa            | EDL, CMake, Dev Tools, Website |
 | Brett McLaren         | BRMcLaren           | Build, CMake, CI               |
 | Brian Telfer          | Britel              | TrustZone, Attestation         |
 | Simon Leet            | CodeMonkeyLeet      | SGX, APIs                      |
@@ -98,7 +98,7 @@ instead, it should be brought up with the Community Governance Committee.
 | Mike Brasher          | mikbras             | SGX, APIs, EDL                 |
 | Marius Oprin          | oprinmarius         | Build, CMake, CI, Ansible      |
 | Paul Allen            | paulcallen          | TrustZone                      |
-| Radhika Jandhyala     | radhikaj            | SGX, APIs                      |
+| Radhika Jandhyala     | radhikaj            | SGX, APIs, Website             |
 | Shruti Ratnam         | shruti25ratnam      | Attestation                    |
 | Cheng-mean Liu        | soccerGB            | Attestation, SGX               |
 | Bruce Campbell        | yakman2020          | Windows, SGX                   |

From cb68ad35de7247efb8bc426a82a60afda8290a75 Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Wed, 28 Aug 2019 02:16:38 +0000
Subject: [PATCH 073/420] Add example oesdk.nuspec [DROP]

---
 windows/README.md    | 20 ++++++++++++++++++++
 windows/oesdk.nuspec | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 windows/README.md
 create mode 100644 windows/oesdk.nuspec

diff --git a/windows/README.md b/windows/README.md
new file mode 100644
index 0000000000..2fe161c10b
--- /dev/null
+++ b/windows/README.md
@@ -0,0 +1,20 @@
+Windows
+================
+
+This folder contains an example `oesdk.nuspec` to illustrate what a nuspec for OE SDK on Windows might look like.
+It can be built from this folder with the `nuget.exe` tool, which can be downloaded from:
+https://www.nuget.org/api/v2/package/NuGet.exe/3.4.3.
+
+You can rename the `nuget.exe.3.4.3.nupkg` file to the `.zip` extension and manually extract the `nuget.exe`
+into this folder. You can then run:
+
+```cmd
+nuget pack oesdk.nuspec
+```
+
+This should produce `OpenEnclave.SDK.0.7.0.nupkg` in your local path. You can then also rename that to `.zip`
+to explore its contents, or install it into the file system:
+
+```cmd
+nuget.exe install OpenEnclave.SDK -source <full path to folder containing .nupkg> -OutputDirectory .\nuget
+```
\ No newline at end of file
diff --git a/windows/oesdk.nuspec b/windows/oesdk.nuspec
new file mode 100644
index 0000000000..33e7c98fa2
--- /dev/null
+++ b/windows/oesdk.nuspec
@@ -0,0 +1,33 @@
+<?xml version="1.0"?>
+<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
+    <!-- Refer to https://docs.microsoft.com/en-us/nuget/reference/nuspec for details -->
+    <metadata>
+        <id>OpenEnclave.SDK</id>
+        <version>0.7.0</version>
+        <description>
+            Open Enclave (OE) is an SDK for building Trusted Applications (TA) in C and C++. An enclave application partitions itself into two components:
+             - An untrusted component (called the host)
+             - A trusted component (called the enclave)
+
+            The enclave executes in a protected memory region that provides confidentiality both data and code execution. These protections are provided by a Trusted Execution Environment (TEE), which is usually secured by hardware such as Intel Software Guard Extensions (SGX).
+
+            This SDK aims to generalize the development of enclave applications across TEEs from different hardware vendors. While the current implementation is focused on Intel SGX, support for ARM TrustZone is already under development.
+            As an open source project, this SDK also strives to provide a transparent solution that is agnostic to specific vendors, service providers and choice of operating systems.
+        </description>
+        <authors>Microsoft,Confidential Computing Consortium</authors>
+        <owners>Microsoft,Confidential Computing Consortium</owners>
+        <copyright>&#169; Microsoft Corporation. All rights reserved.</copyright>
+        <projectUrl>https://github.com/openenclave/openenclave</projectUrl>
+        <license type="expression">MIT</license>
+        <requireLicenseAcceptance>false</requireLicenseAcceptance>
+        <!-- TODO: <releaseNotes>Open Enclave SDK v0.7.0 release notes</releaseNotes> -->
+    </metadata>
+
+    <files>
+        <!-- This does not have parity with the .deb package, partial includes just to illustrate the file inclusion syntax -->
+        <file src="..\build\x64-debug\output\bin\*.exe" target="bin" />
+        <file src="..\build\x64-debug\output\include\**" target="include" />
+        <file src="..\include\**" exclude="..\include\CMakeLists.txt;..\include\openenclave\corelibc\**;..\include\openenclave\internal\**" target="include" />
+        <file src="..\build\x64-debug\output\lib\**" target="lib" />
+    </files>
+</package>

From 0cd6da0034f2d7649572f833a270ffffdd2ff0ce Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Wed, 28 Aug 2019 02:18:33 +0000
Subject: [PATCH 074/420] Add prototype for CPACK Nuget settings [AMEND]

---
 CMakeLists.txt             |  3 ++-
 cmake/cpack_settings.cmake | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 7413787987..062b980194 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -25,7 +25,8 @@ endif ()
 set(CMAKE_C_COMPILER_NAMES clang-7 cc)
 set(CMAKE_CXX_COMPILER_NAMES clang++-7 c++)
 
-project("Open Enclave SDK" LANGUAGES C CXX ${OE_ASM})
+project("Open Enclave SDK" LANGUAGES C CXX ${OE_ASM}
+  HOMEPAGE_URL "https://github.com/openenclave/openenclave")
 set(PROJECT_VERSION ${OE_VERSION})
 
 list(APPEND CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake")
diff --git a/cmake/cpack_settings.cmake b/cmake/cpack_settings.cmake
index 64edf7c667..f0f35dbe12 100644
--- a/cmake/cpack_settings.cmake
+++ b/cmake/cpack_settings.cmake
@@ -10,6 +10,8 @@ set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/README.md")
 set(CPACK_RESOURCE_FILE_LICENSE "${PROJECT_SOURCE_DIR}/LICENSE")
 set(CPACK_PACKAGE_VERSION ${OE_VERSION})
 set(CPACK_PACKAGING_INSTALL_PREFIX ${CMAKE_INSTALL_PREFIX})
+
+# CPack variables for Debian packages
 set(CPACK_DEBIAN_PACKAGE_DEPENDS "libsgx-enclave-common (>=2.3.100.46354-1), libsgx-enclave-common-dev (>=2.3.100.0-1), libsgx-dcap-ql (>=1.0.100.46460-1.0), libsgx-dcap-ql-dev (>=1.0.100.46460-1.0)")
 set(CPACK_DEBIAN_PACKAGE_RECOMMENDS "pkg-config")
 set(CPACK_DEBIAN_FILE_NAME DEB-DEFAULT)
@@ -22,4 +24,19 @@ set(CPACK_DEBIAN_OEHOSTVERIFY_PACKAGE_DEPENDS "")
 set(CPACK_DEBIAN_OEHOSTVERIFY_PACKAGE_RECOMMENDS "pkg-config")
 set(CPACK_DEBIAN_OEHOSTVERIFY_FILE_NAME DEB-DEFAULT)
 set(CPACK_COMPONENT_OEHOSTVERIFY_DESCRIPTION "Open Enclave Report Verification Host Library")
+
+# CPack variables for Nuget packages
+set(CPACK_NUGET_PACKAGE_NAME "OpenEnclave.SDK")
+set(CPACK_NUGET_PACKAGE_AUTHORS "Microsoft, Confidential Computing Consortium")
+set(CPACK_NUGET_PACKAGE_DESCRIPTION
+    "Open Enclave (OE) is an SDK for building Trusted Applications (TA) in C and C++. An enclave application partitions itself into two components:
+ - An untrusted component (called the host)
+ - A trusted component (called the enclave)
+
+The enclave executes in a protected memory region that provides confidentiality both data and code execution. These protections are provided by a Trusted Execution Environment (TEE), which is usually secured by hardware such as Intel Software Guard Extensions (SGX).
+
+This SDK aims to generalize the development of enclave applications across TEEs from different hardware vendors. While the current implementation is focused on Intel SGX, support for ARM TrustZone is already under development.
+As an open source project, this SDK also strives to provide a transparent solution that is agnostic to specific vendors, service providers and choice of operating systems.")
+set(CPACK_NUGET_PACKAGE_LICENSEURL "https://github.com/openenclave/openenclave/blob/master/LICENSE")
+
 include(CPack)

From c3c6dc17ba57e69aeb21a1aa116e77d996bbeedf Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Thu, 26 Sep 2019 04:59:45 +0000
Subject: [PATCH 075/420] Add support for NuGet packages for Windows.

---
 CMakeLists.txt                                | 17 +++++-
 VERSION                                       |  2 +-
 cmake/add_dcap_client_target.cmake            |  2 +-
 cmake/cpack_settings.cmake                    | 12 +---
 cmake/maybe_build_using_clangw.cmake          | 12 ++--
 cmake/openenclave-config.cmake.in             | 57 +++++++++++++++++++
 cmake/package_settings.cmake                  | 15 +++--
 debugger/debugrt/host/CMakeLists.txt          |  3 +-
 host/CMakeLists.txt                           | 11 ++--
 .../attested_tls/client/enc/CMakeLists.txt    |  4 ++
 .../attested_tls/server/enc/CMakeLists.txt    |  4 ++
 samples/helloworld/enclave/CMakeLists.txt     |  4 ++
 12 files changed, 112 insertions(+), 31 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 062b980194..c2210a70de 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -28,6 +28,7 @@ set(CMAKE_CXX_COMPILER_NAMES clang++-7 c++)
 project("Open Enclave SDK" LANGUAGES C CXX ${OE_ASM}
   HOMEPAGE_URL "https://github.com/openenclave/openenclave")
 set(PROJECT_VERSION ${OE_VERSION})
+set(OE_SCRIPTSDIR "${PROJECT_SOURCE_DIR}/scripts")
 
 list(APPEND CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake")
 
@@ -140,6 +141,9 @@ if (WIN32)
   if (NOT BASH)
     message(FATAL_ERROR "Git Bash not found!")
   endif ()
+  if (NOT NUGET_PACKAGE_PATH)
+    message(FATAL_ERROR "NUGET_PACKAGE_PATH not defined. Please define NUGET_PACKAGE_PATH as the path to the Intel and DCAP Client nuget packages.")
+  endif()
 else ()
   find_program(BASH bash)
   if (NOT BASH)
@@ -217,9 +221,20 @@ endif()
 if (UNIX)
   add_subdirectory(docs/refman)
   add_subdirectory(pkgconfig)
-  add_subdirectory(samples)
 endif()
 
+add_subdirectory(samples)
+
+if (WIN32)
+  install(FILES ./scripts/clangw ./scripts/llvm-arw
+    DESTINATION ${CMAKE_INSTALL_BINDIR}/scripts/)
+  install(FILES ./scripts/install-windows-prereqs.ps1
+    DESTINATION ${CMAKE_INSTALL_BINDIR}/scripts/)
+  install(FILES ./cmake/maybe_build_using_clangw.cmake
+    DESTINATION ${CMAKE_INSTALL_LIBDIR}/openenclave/cmake)
+endif ()
+
+
 install(FILES LICENSE THIRD_PARTY_NOTICES
   DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/licenses)
 
diff --git a/VERSION b/VERSION
index 4ad4b8602e..8b20e48523 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-v0.7.x
+v0.7.0
diff --git a/cmake/add_dcap_client_target.cmake b/cmake/add_dcap_client_target.cmake
index cccd1baf14..d1ac981588 100644
--- a/cmake/add_dcap_client_target.cmake
+++ b/cmake/add_dcap_client_target.cmake
@@ -19,7 +19,7 @@ function(add_dcap_client_target TARGET_NAME)
     set(DEPENDENCIES "")
 
     # Define the DCAP provider path
-    set(AZURE_DCAP_QUOTEPROV ${CMAKE_SOURCE_DIR}/prereqs/nuget/Azure.DCAP.Windows/dll/dcap_quoteprov.dll)
+    set(AZURE_DCAP_QUOTEPROV ${NUGET_PACKAGE_PATH}/Azure.DCAP.Windows/dll/dcap_quoteprov.dll)
 
     # No-op if the DCAP provider is not found
     if (NOT EXISTS ${AZURE_DCAP_QUOTEPROV})
diff --git a/cmake/cpack_settings.cmake b/cmake/cpack_settings.cmake
index f0f35dbe12..8cdd96664a 100644
--- a/cmake/cpack_settings.cmake
+++ b/cmake/cpack_settings.cmake
@@ -26,17 +26,9 @@ set(CPACK_DEBIAN_OEHOSTVERIFY_FILE_NAME DEB-DEFAULT)
 set(CPACK_COMPONENT_OEHOSTVERIFY_DESCRIPTION "Open Enclave Report Verification Host Library")
 
 # CPack variables for Nuget packages
-set(CPACK_NUGET_PACKAGE_NAME "OpenEnclave.SDK")
+set(CPACK_NUGET_PACKAGE_NAME "open-enclave")
 set(CPACK_NUGET_PACKAGE_AUTHORS "Microsoft, Confidential Computing Consortium")
-set(CPACK_NUGET_PACKAGE_DESCRIPTION
-    "Open Enclave (OE) is an SDK for building Trusted Applications (TA) in C and C++. An enclave application partitions itself into two components:
- - An untrusted component (called the host)
- - A trusted component (called the enclave)
-
-The enclave executes in a protected memory region that provides confidentiality both data and code execution. These protections are provided by a Trusted Execution Environment (TEE), which is usually secured by hardware such as Intel Software Guard Extensions (SGX).
-
-This SDK aims to generalize the development of enclave applications across TEEs from different hardware vendors. While the current implementation is focused on Intel SGX, support for ARM TrustZone is already under development.
-As an open source project, this SDK also strives to provide a transparent solution that is agnostic to specific vendors, service providers and choice of operating systems.")
+set(CPACK_NUGET_PACKAGE_VERSION ${OE_VERSION})
 set(CPACK_NUGET_PACKAGE_LICENSEURL "https://github.com/openenclave/openenclave/blob/master/LICENSE")
 
 include(CPack)
diff --git a/cmake/maybe_build_using_clangw.cmake b/cmake/maybe_build_using_clangw.cmake
index fab4d626fb..31ad69fdb9 100644
--- a/cmake/maybe_build_using_clangw.cmake
+++ b/cmake/maybe_build_using_clangw.cmake
@@ -45,30 +45,30 @@ function(maybe_build_using_clangw OE_TARGET)
 
     # Setup library tool variables
     set(CMAKE_C_CREATE_STATIC_LIBRARY 
-        "\"${BASH}\" \"${PROJECT_SOURCE_DIR}/scripts/llvm-arw\" \"qc <TARGET> <OBJECTS>\""
+        "\"${BASH}\" \"${OE_SCRIPTSDIR}/llvm-arw\" \"qc <TARGET> <OBJECTS>\""
         PARENT_SCOPE)
     set(CMAKE_CXX_CREATE_STATIC_LIBRARY 
-        "\"${BASH}\" \"${PROJECT_SOURCE_DIR}/scripts/llvm-arw\" \"qc <TARGET> <OBJECTS>\""
+        "\"${BASH}\" \"${OE_SCRIPTSDIR}/llvm-arw\" \"qc <TARGET> <OBJECTS>\""
         PARENT_SCOPE)
 
     # Setup linker variables.
     set(CMAKE_EXECUTABLE_SUFFIX "" PARENT_SCOPE)
     set(CMAKE_C_STANDARD_LIBRARIES "" PARENT_SCOPE)
     set(CMAKE_C_LINK_EXECUTABLE
-        "\"${BASH}\" \"${PROJECT_SOURCE_DIR}/scripts/clangw\" \"link <OBJECTS> -o <TARGET>  <LINK_LIBRARIES>\""
+        "\"${BASH}\" \"${OE_SCRIPTSDIR}/clangw\" \"link <OBJECTS> -o <TARGET>  <LINK_LIBRARIES>\""
         PARENT_SCOPE)
     set(CMAKE_CXX_STANDARD_LIBRARIES "" PARENT_SCOPE)
     set(CMAKE_CXX_LINK_EXECUTABLE
-        "\"${BASH}\" \"${PROJECT_SOURCE_DIR}/scripts/clangw\" \"link <OBJECTS> -o <TARGET>  <LINK_LIBRARIES>\""
+        "\"${BASH}\" \"${OE_SCRIPTSDIR}/clangw\" \"link <OBJECTS> -o <TARGET>  <LINK_LIBRARIES>\""
         PARENT_SCOPE)
 
     # Setup compiler variables.
     set(CMAKE_C_COMPILE_OBJECT
-        "\"${BASH}\" \"${PROJECT_SOURCE_DIR}/scripts/clangw\" \"<DEFINES> <INCLUDES> <FLAGS> -o <OBJECT> -c <SOURCE>\""
+        "\"${BASH}\" \"${OE_SCRIPTSDIR}/clangw\" \"<DEFINES> <INCLUDES> <FLAGS> -o <OBJECT> -c <SOURCE>\""
         PARENT_SCOPE)
 
     set(CMAKE_CXX_COMPILE_OBJECT
-        "\"${BASH}\" \"${PROJECT_SOURCE_DIR}/scripts/clangw\" \"<DEFINES> <INCLUDES> <FLAGS> -o <OBJECT> -c <SOURCE>\""
+        "\"${BASH}\" \"${OE_SCRIPTSDIR}/clangw\" \"<DEFINES> <INCLUDES> <FLAGS> -o <OBJECT> -c <SOURCE>\""
         PARENT_SCOPE)
 
     # Loop through assembly files in the list of sources in the
diff --git a/cmake/openenclave-config.cmake.in b/cmake/openenclave-config.cmake.in
index 9f43d138f2..c7fe740c0c 100644
--- a/cmake/openenclave-config.cmake.in
+++ b/cmake/openenclave-config.cmake.in
@@ -12,6 +12,15 @@ set_and_check(OE_LIBDIR "@PACKAGE_CMAKE_INSTALL_LIBDIR@")
 set_and_check(OE_BINDIR "@PACKAGE_CMAKE_INSTALL_BINDIR@")
 set_and_check(OE_DATADIR "@PACKAGE_CMAKE_INSTALL_DATADIR@")
 set_and_check(OE_INCLUDEDIR "@PACKAGE_CMAKE_INSTALL_INCLUDEDIR@")
+set(OE_SCRIPTSDIR "@PACKAGE_CMAKE_INSTALL_BINDIR@/scripts")
+
+if (WIN32)
+  set(OE_SGX ON)
+  set(USE_CLANGW ON)
+  if (NOT BASH)
+    set(BASH bash)
+  endif()
+endif()
 
 # Dependencies.
 include(CMakeFindDependencyMacro)
@@ -38,6 +47,50 @@ if (UNIX)
       set_target_properties(dl PROPERTIES IMPORTED_LOCATION ${DL_LIB})
     endif ()
   endif ()
+elseif (WIN32)
+  if (NOT NUGET_PACKAGE_PATH)
+    message(FATAL_ERROR "NUGET_PACKAGE_PATH not defined. Please define NUGET_PACKAGE_PATH as the path to the Intel and DCAP Client nuget packages.")
+  endif()
+endif ()
+
+if (NOT TARGET openenclave::sgx_enclave_common)
+  if (UNIX)
+    find_library(SGX_ENCLAVE_COMMON_LIB NAMES sgx_enclave_common)
+  elseif (WIN32)
+    find_library(SGX_ENCLAVE_COMMON_LIB NAMES sgx_enclave_common
+                 PATHS ${NUGET_PACKAGE_PATH}/EnclaveCommonAPI/lib/native/x64-Release)
+  endif ()
+  if (NOT SGX_ENCLAVE_COMMON_LIB)
+    message(FATAL_ERROR "-- Looking for sgx_enclave_common library - not found")
+  else ()
+    message("-- Looking for sgx_enclave_common library - found")
+    add_library(openenclave::sgx_enclave_common SHARED IMPORTED)
+    if (UNIX)
+      set_target_properties(openenclave::sgx_enclave_common PROPERTIES IMPORTED_LOCATION ${SGX_ENCLAVE_COMMON_LIB})
+    elseif (WIN32)
+      set_target_properties(openenclave::sgx_enclave_common PROPERTIES IMPORTED_LOCATION $ENV{WINDIR}/System32 IMPORTED_IMPLIB ${SGX_ENCLAVE_COMMON_LIB})
+    endif ()
+  endif ()
+endif ()
+
+if (NOT TARGET openenclave::sgx_dcap_ql)
+  if (UNIX)
+    find_library(SGX_DCAP_QL_LIB NAMES sgx_dcap_ql)
+  elseif (WIN32)
+    find_library(SGX_DCAP_QL_LIB NAMES sgx_dcap_ql
+	    PATHS ${NUGET_PACKAGE_PATH}/DCAP_Components/build/lib/native/Libraries)
+  endif ()
+  if (NOT SGX_DCAP_QL_LIB)
+    message(FATAL_ERROR "-- Looking for sgx_dcap_ql library - not found")
+  else ()
+    message("-- Looking for sgx_dcap_ql library - found")
+    add_library(openenclave::sgx_dcap_ql SHARED IMPORTED)
+    if (UNIX)
+      set_target_properties(openenclave::sgx_dcap_ql PROPERTIES IMPORTED_LOCATION ${SGX_DCAP_QL_LIB})
+    elseif (WIN32)
+      set_target_properties(openenclave::sgx_dcap_ql PROPERTIES IMPORTED_LOCATION $ENV{WINDIR}/System32 IMPORTED_IMPLIB ${SGX_DCAP_QL_LIB})
+    endif ()
+  endif ()
 endif ()
 
 # This target is an OCaml executable, not C++, so we have to manually
@@ -55,6 +108,10 @@ endif ()
 
 # Include the automatically exported targets.
 include("${CMAKE_CURRENT_LIST_DIR}/openenclave-targets.cmake")
+if (WIN32)
+  include("${CMAKE_CURRENT_LIST_DIR}/maybe_build_using_clangw.cmake")
+endif ()
+target_link_libraries(openenclave::oehost INTERFACE openenclave::sgx_enclave_common openenclave::sgx_dcap_ql)
 
 # Apply Spectre mitigations if available.
 set(OE_SPECTRE_MITIGATION_FLAGS "@SPECTRE_MITIGATION_FLAGS@")
diff --git a/cmake/package_settings.cmake b/cmake/package_settings.cmake
index 511a8a0853..3f4590110a 100644
--- a/cmake/package_settings.cmake
+++ b/cmake/package_settings.cmake
@@ -49,21 +49,28 @@ install(
   DESTINATION ${CMAKE_INSTALL_LIBDIR}/openenclave/cmake
   FILE openenclave-targets.cmake
   COMPONENT OEHOSTVERIFY)
+if (WIN32)
+  install(
+    FILES ${CMAKE_SOURCE_DIR}/cmake/maybe_build_using_clangw.cmake
+    DESTINATION ${CMAKE_INSTALL_LIBDIR}/openenclave/cmake)
+endif ()
 install(
   FILES ${PROJECT_SOURCE_DIR}/cmake/sdk_cmake_targets_readme.md
   DESTINATION ${CMAKE_INSTALL_LIBDIR}/openenclave/cmake
   RENAME README.md
   COMPONENT OEHOSTVERIFY)
 
-# Generate the openenclaverc script.
-configure_file(
+if (UNIX)
+  # Generate the openenclaverc script.
+  configure_file(
     ${PROJECT_SOURCE_DIR}/cmake/openenclaverc.in
     ${CMAKE_BINARY_DIR}/output/share/openenclave/openenclaverc
     @ONLY)
 
-# Install the openenclaverc script.
-install(FILES
+  # Install the openenclaverc script.
+  install(FILES
     ${CMAKE_BINARY_DIR}/output/share/openenclave/openenclaverc
     DESTINATION
     "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DATADIR}/openenclave"
     COMPONENT OEHOSTVERIFY)
+endif()
diff --git a/debugger/debugrt/host/CMakeLists.txt b/debugger/debugrt/host/CMakeLists.txt
index 2aa7c48fd2..9794626032 100644
--- a/debugger/debugrt/host/CMakeLists.txt
+++ b/debugger/debugrt/host/CMakeLists.txt
@@ -17,8 +17,7 @@ else()
     OE_BUILDING_DEBUGRT_SHARED_LIBRARY)
   
   install(TARGETS oedebugrt EXPORT openenclave-targets
-    # TODO:Determine DLL install location on Windows
-    ARCHIVE DESTINATION ${CMAKE_INSTALL_BINDIR})
+    RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR})
 endif()
 
 target_include_directories(oedebugrt PRIVATE
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index b2c38e7101..bf166ec45e 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -308,11 +308,11 @@ target_include_directories(oehost PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
 if (USE_LIBSGX)
   if (WIN32)
     set(LIBPATHS
-      ${CMAKE_SOURCE_DIR}/prereqs/nuget/EnclaveCommonAPI/lib/native/x64-Release
-      ${CMAKE_SOURCE_DIR}/prereqs/nuget/DCAP_Components/build/lib/native/Libraries)
+      ${NUGET_PACKAGE_PATH}/EnclaveCommonAPI/lib/native/x64-Release
+      ${NUGET_PACKAGE_PATH}/DCAP_Components/build/lib/native/Libraries)
     set(INCPATHS
-      "${CMAKE_SOURCE_DIR}/prereqs/nuget/EnclaveCommonAPI/Header Files"
-      "${CMAKE_SOURCE_DIR}/prereqs/nuget/DCAP_Components/build/Header Files")
+      "${NUGET_PACKAGE_PATH}/EnclaveCommonAPI/Header Files"
+      "${NUGET_PACKAGE_PATH}/DCAP_Components/build/Header Files")
     set(WINSYSLOCATION
        $ENV{WINDIR}/System32)
   endif ()
@@ -338,8 +338,7 @@ if (USE_LIBSGX)
       IMPORTED_LOCATION ${WINSYSLOCATION}
       IMPORTED_IMPLIB ${LIBSGX_QE})
   endif ()
-
-  target_link_libraries(oehost PUBLIC sgx_enclave_common sgx_dcap_ql)
+  target_link_libraries(oehost PUBLIC $<BUILD_INTERFACE:sgx_dcap_ql> $<BUILD_INTERFACE:sgx_enclave_common>)
   target_compile_definitions(oehost PUBLIC OE_USE_LIBSGX)
 endif ()
 
diff --git a/samples/attested_tls/client/enc/CMakeLists.txt b/samples/attested_tls/client/enc/CMakeLists.txt
index 28ea9aa1b3..d076debcbb 100644
--- a/samples/attested_tls/client/enc/CMakeLists.txt
+++ b/samples/attested_tls/client/enc/CMakeLists.txt
@@ -20,6 +20,10 @@ add_executable(tls_client_enc
 	       ../../common/utility.cpp
 	       ${CMAKE_CURRENT_BINARY_DIR}/tls_client_t.c)
 
+if (WIN32)
+  maybe_build_using_clangw(tls_client_enc)
+endif ()
+
 target_compile_definitions(tls_client_enc PUBLIC OE_API_VERSION=2)
 
 target_include_directories(tls_client_enc PRIVATE
diff --git a/samples/attested_tls/server/enc/CMakeLists.txt b/samples/attested_tls/server/enc/CMakeLists.txt
index a788a187c5..c714158303 100644
--- a/samples/attested_tls/server/enc/CMakeLists.txt
+++ b/samples/attested_tls/server/enc/CMakeLists.txt
@@ -24,6 +24,10 @@ add_executable(tls_server_enc
 	       ../../common/utility.cpp
 	       ${CMAKE_CURRENT_BINARY_DIR}/tls_server_t.c)
 
+if (WIN32)
+  maybe_build_using_clangw(tls_server_enc)
+endif ()
+
 target_compile_definitions(tls_server_enc PUBLIC OE_API_VERSION=2)
 
 target_include_directories(tls_server_enc PRIVATE
diff --git a/samples/helloworld/enclave/CMakeLists.txt b/samples/helloworld/enclave/CMakeLists.txt
index 4e7149465a..caa2b1a440 100644
--- a/samples/helloworld/enclave/CMakeLists.txt
+++ b/samples/helloworld/enclave/CMakeLists.txt
@@ -8,6 +8,10 @@ add_custom_command(OUTPUT helloworld_t.h helloworld_t.c helloworld_args.h
 
 add_executable(enclave enc.c ${CMAKE_CURRENT_BINARY_DIR}/helloworld_t.c)
 
+if (WIN32)
+  maybe_build_using_clangw(enclave)
+endif ()
+
 target_compile_definitions(enclave PUBLIC OE_API_VERSION=2)
 
 # Need for the generated file helloworld_t.h

From 3f2d0ae9eced9907eb04576416689b8bb5aeb363 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Wed, 25 Sep 2019 23:30:22 -0700
Subject: [PATCH 076/420] Fix samples on Windows (#3)

* Add samples

Co-authored-by: Radhika Jandhyala <radhikaj@microsoft.com>
---
 samples/CMakeLists.txt                        |  2 +-
 samples/data-sealing/common/CMakeLists.txt    | 38 +++++++++++++------
 samples/data-sealing/common/dispatcher.cpp    | 17 +++++----
 .../data-sealing/enclave_a_v1/CMakeLists.txt  |  9 +++++
 .../data-sealing/enclave_a_v2/CMakeLists.txt  |  9 +++++
 samples/data-sealing/enclave_b/CMakeLists.txt |  9 +++++
 samples/data-sealing/host/host.cpp            |  5 ++-
 samples/file-encryptor/enclave/CMakeLists.txt |  7 ++++
 samples/file-encryptor/enclave/keys.cpp       |  1 +
 samples/file-encryptor/host/host.cpp          |  7 +++-
 samples/helloworld/enclave/CMakeLists.txt     |  6 +++
 samples/helloworld/host/CMakeLists.txt        |  1 -
 .../local_attestation/common/CMakeLists.txt   | 37 ++++++++++++------
 .../enclave_a/CMakeLists.txt                  | 10 ++++-
 .../enclave_b/CMakeLists.txt                  | 14 ++++++-
 .../local_attestation/gen_pubkey_header.sh    |  1 +
 .../remote_attestation/common/CMakeLists.txt  | 18 +++++++++
 .../enclave_a/CMakeLists.txt                  |  8 ++++
 .../enclave_b/CMakeLists.txt                  |  8 ++++
 .../remote_attestation/gen_pubkey_header.sh   |  1 +
 .../remote_attestation/host/CMakeLists.txt    |  9 ++++-
 samples/test-samples.cmake                    |  2 +-
 22 files changed, 180 insertions(+), 39 deletions(-)

diff --git a/samples/CMakeLists.txt b/samples/CMakeLists.txt
index edb5621b1f..1c331efded 100644
--- a/samples/CMakeLists.txt
+++ b/samples/CMakeLists.txt
@@ -2,7 +2,7 @@
 # Licensed under the MIT License.
 
 if (USE_LIBSGX)
-  install(DIRECTORY remote_attestation local_attestation attested_tls
+   install(DIRECTORY remote_attestation local_attestation attested_tls
     DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples
     PATTERN "gen_pubkey_header.sh"
     PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ
diff --git a/samples/data-sealing/common/CMakeLists.txt b/samples/data-sealing/common/CMakeLists.txt
index 8af836fd0d..86cd1ff95f 100644
--- a/samples/data-sealing/common/CMakeLists.txt
+++ b/samples/data-sealing/common/CMakeLists.txt
@@ -1,6 +1,10 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT datasealing_t.h datasealing_t.c datasealing_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/datasealing.edl
@@ -9,15 +13,27 @@ add_custom_command(OUTPUT datasealing_t.h datasealing_t.c datasealing_args.h
 # Create a library common to each of our three enclaves.
 add_library(common STATIC dispatcher.cpp keys.cpp ${CMAKE_CURRENT_BINARY_DIR}/datasealing_t.c)
 target_compile_definitions(common PUBLIC OE_API_VERSION=2)
-target_link_libraries(common PUBLIC
-  # `liboecore`, a dependency of `liboeenclave`, requires the ecalls
-  # function table. Because the libraries linking `libcommon` do not
-  # directly require this symbol, the linker skips the object in
-  # `libcommon` which defines them. So we manually require it.
-  #
-  # Alternatively we could use a CMake OBJECT library, but that
-  # requires a newish version of CMake.
-  -Wl,--require-defined=__oe_ecalls_table
-  openenclave::oeenclave
-  openenclave::oelibcxx)
+
+if(NOT WIN32)
+  target_link_libraries(common PUBLIC
+    # `liboecore`, a dependency of `liboeenclave`, requires the ecalls
+    # function table. Because the libraries linking `libcommon` do not
+    # directly require this symbol, the linker skips the object in
+    # `libcommon` which defines them. So we manually require it.
+    #
+    # Alternatively we could use a CMake OBJECT library, but that
+    # requires a newish version of CMake.
+    -Wl,--require-defined=__oe_ecalls_table
+    openenclave::oeenclave
+    openenclave::oelibcxx)
+else()
+  target_link_libraries(common PUBLIC
+    openenclave::oeenclave
+    openenclave::oelibcxx)
+endif()
+
+if(WIN32)
+  maybe_build_using_clangw(common)
+endif()
+
 target_include_directories(common PUBLIC ${CMAKE_SOURCE_DIR} ${CMAKE_BINARY_DIR})
diff --git a/samples/data-sealing/common/dispatcher.cpp b/samples/data-sealing/common/dispatcher.cpp
index 676554f304..061e7edb95 100644
--- a/samples/data-sealing/common/dispatcher.cpp
+++ b/samples/data-sealing/common/dispatcher.cpp
@@ -90,9 +90,9 @@ int ecall_dispatcher::seal_data(
     ret = cipher_data(
         ENCRYPT_OPERATION,
         m_data,
-        m_data_size,
+        (unsigned int)m_data_size,
         seal_key,
-        seal_key_size,
+        (unsigned int)seal_key_size,
         iv,
         m_sealed_data->encrypted_data);
     if (ret != 0)
@@ -108,7 +108,7 @@ int ecall_dispatcher::seal_data(
     // generate signature by signing the hash of the sealed data with the seal
     // key
     ret = sign_sealed_data(
-        m_sealed_data, seal_key, seal_key_size, m_sealed_data->signature);
+        m_sealed_data, seal_key, (unsigned int)seal_key_size, m_sealed_data->signature);
     if (ret != 0)
     {
         TRACE_ENCLAVE("sign_sealed_data %d\n", ret);
@@ -145,7 +145,7 @@ int ecall_dispatcher::seal_data(
 
     if (ret)
         result = OE_FAILURE;
-    return result;
+    return (int)result;
 }
 
 int ecall_dispatcher::unseal_data(
@@ -161,6 +161,7 @@ int ecall_dispatcher::unseal_data(
     size_t seal_key_size = 0;
     uint8_t* key_info = NULL;
     size_t key_info_size = 0;
+    (void)sealed_data_size;
 
     unsigned char* data_buf = NULL;
     int ret = 0;
@@ -190,7 +191,7 @@ int ecall_dispatcher::unseal_data(
     // structure then comparing it with sealed_data.signature
 
     // regenerate signature
-    ret = sign_sealed_data(m_sealed_data, seal_key, seal_key_size, signature);
+    ret = sign_sealed_data(m_sealed_data, seal_key, (unsigned int)seal_key_size, signature);
     if (ret != 0)
     {
         ret = ERROR_SIGN_SEALED_DATA_FAIL;
@@ -222,9 +223,9 @@ int ecall_dispatcher::unseal_data(
     ret = cipher_data(
         DECRYPT_OPERATION,
         m_sealed_data->encrypted_data,
-        m_sealed_data->encrypted_data_len,
+        (unsigned int)m_sealed_data->encrypted_data_len,
         seal_key,
-        seal_key_size,
+        (unsigned int)seal_key_size,
         iv,
         data_buf);
     if (ret != 0)
@@ -303,7 +304,7 @@ oe_result_t ecall_dispatcher::get_seal_key_and_prep_sealed_data(
     // PKCS5 padding
     memset(
         (void*)(padded_data + m_data_size),
-        padded_byte_count,
+        (int)padded_byte_count,
         padded_byte_count);
     m_data_size += padded_byte_count;
 
diff --git a/samples/data-sealing/enclave_a_v1/CMakeLists.txt b/samples/data-sealing/enclave_a_v1/CMakeLists.txt
index 2da430f4ff..a6d0feb78d 100644
--- a/samples/data-sealing/enclave_a_v1/CMakeLists.txt
+++ b/samples/data-sealing/enclave_a_v1/CMakeLists.txt
@@ -1,5 +1,14 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 add_executable(enclave_a_v1 ecalls.cpp)
+
+if(WIN32)
+  maybe_build_using_clangw(enclave_a_v1)
+endif()
+
 target_link_libraries(enclave_a_v1 common)
diff --git a/samples/data-sealing/enclave_a_v2/CMakeLists.txt b/samples/data-sealing/enclave_a_v2/CMakeLists.txt
index 7545d3148d..019accbd41 100644
--- a/samples/data-sealing/enclave_a_v2/CMakeLists.txt
+++ b/samples/data-sealing/enclave_a_v2/CMakeLists.txt
@@ -1,5 +1,14 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 add_executable(enclave_a_v2 ecalls.cpp)
+
+if(WIN32)
+  maybe_build_using_clangw(enclave_a_v2)
+endif()
+
 target_link_libraries(enclave_a_v2 common)
diff --git a/samples/data-sealing/enclave_b/CMakeLists.txt b/samples/data-sealing/enclave_b/CMakeLists.txt
index ba547a20c6..7b22485945 100644
--- a/samples/data-sealing/enclave_b/CMakeLists.txt
+++ b/samples/data-sealing/enclave_b/CMakeLists.txt
@@ -1,5 +1,14 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 add_executable(enclave_b ecalls.cpp)
+
+if(WIN32)
+  maybe_build_using_clangw(enclave_b)
+endif()
+
 target_link_libraries(enclave_b common)
diff --git a/samples/data-sealing/host/host.cpp b/samples/data-sealing/host/host.cpp
index ab1d3719c3..dc05b40b32 100644
--- a/samples/data-sealing/host/host.cpp
+++ b/samples/data-sealing/host/host.cpp
@@ -8,7 +8,10 @@
 #include <stdio.h>
 #include <sys/stat.h>
 #include <sys/types.h>
-#include <unistd.h>
+#ifdef __linux__
+  #include <unistd.h>
+#endif
+
 #include <iostream>
 #include <vector>
 #include "datasealing_u.h"
diff --git a/samples/file-encryptor/enclave/CMakeLists.txt b/samples/file-encryptor/enclave/CMakeLists.txt
index 126bc7aab9..9e37949918 100644
--- a/samples/file-encryptor/enclave/CMakeLists.txt
+++ b/samples/file-encryptor/enclave/CMakeLists.txt
@@ -1,12 +1,19 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT fileencryptor_t.h fileencryptor_t.c fileencryptor_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/fileencryptor.edl
   COMMAND openenclave::oeedger8r --trusted ${CMAKE_SOURCE_DIR}/fileencryptor.edl)
 
 add_executable(enclave ecalls.cpp encryptor.cpp keys.cpp ${CMAKE_CURRENT_BINARY_DIR}/fileencryptor_t.c)
+if(WIN32)
+  maybe_build_using_clangw(enclave)
+endif()
 
 target_compile_definitions(enclave PUBLIC OE_API_VERSION=2)
 
diff --git a/samples/file-encryptor/enclave/keys.cpp b/samples/file-encryptor/enclave/keys.cpp
index 250e71b8fe..83fcbe00f2 100644
--- a/samples/file-encryptor/enclave/keys.cpp
+++ b/samples/file-encryptor/enclave/keys.cpp
@@ -201,6 +201,7 @@ int ecall_dispatcher::cipher_encryption_key(
     unsigned int output_data_size)
 {
     int ret = 0;
+    (void)output_data_size;
     mbedtls_aes_context aescontext;
     unsigned char iv[IV_SIZE] = {0xb2,
                                  0x4b,
diff --git a/samples/file-encryptor/host/host.cpp b/samples/file-encryptor/host/host.cpp
index 8e4ba1ea92..2875a4d9c9 100644
--- a/samples/file-encryptor/host/host.cpp
+++ b/samples/file-encryptor/host/host.cpp
@@ -7,7 +7,9 @@
 #include <stdio.h>
 #include <sys/stat.h>
 #include <sys/types.h>
+#if defined(__linux__)
 #include <unistd.h>
+#endif
 #include <fstream>
 #include <iostream>
 #include <iterator>
@@ -74,6 +76,7 @@ int get_file_size(FILE* file, size_t* _file_size)
 
     *_file_size = (size_t)ftell(file);
     fseek(file, oldpos, SEEK_SET);
+
 exit:
     return ret;
 }
@@ -144,7 +147,7 @@ int encrypt_file(
     }
 
     // open source and dest files
-    src_file = fopen(input_file, "r");
+    src_file = fopen(input_file, "rb");
     if (!src_file)
     {
         cout << "Host: fopen " << input_file << " failed." << endl;
@@ -159,7 +162,7 @@ int encrypt_file(
         goto exit;
     }
     src_data_size = src_file_size;
-    dest_file = fopen(output_file, "w");
+    dest_file = fopen(output_file, "wb");
     if (!dest_file)
     {
         cerr << "Host: fopen " << output_file << " failed." << endl;
diff --git a/samples/helloworld/enclave/CMakeLists.txt b/samples/helloworld/enclave/CMakeLists.txt
index caa2b1a440..da5789d7a1 100644
--- a/samples/helloworld/enclave/CMakeLists.txt
+++ b/samples/helloworld/enclave/CMakeLists.txt
@@ -1,6 +1,12 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+# TODO: Where is the best place to set this
+
+if(WIN32)
+   include(maybe_build_using_clangw)
+endif()
+
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT helloworld_t.h helloworld_t.c helloworld_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/helloworld.edl
diff --git a/samples/helloworld/host/CMakeLists.txt b/samples/helloworld/host/CMakeLists.txt
index ce67b3dc04..613c169fda 100644
--- a/samples/helloworld/host/CMakeLists.txt
+++ b/samples/helloworld/host/CMakeLists.txt
@@ -1,6 +1,5 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
-
 add_custom_command(OUTPUT helloworld_u.h helloworld_u.c helloworld_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/helloworld.edl
   COMMAND openenclave::oeedger8r --untrusted ${CMAKE_SOURCE_DIR}/helloworld.edl)
diff --git a/samples/local_attestation/common/CMakeLists.txt b/samples/local_attestation/common/CMakeLists.txt
index 3e47827a91..44f113f6f0 100644
--- a/samples/local_attestation/common/CMakeLists.txt
+++ b/samples/local_attestation/common/CMakeLists.txt
@@ -1,6 +1,10 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT localattestation_t.h localattestation_t.c localattestation_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/localattestation.edl
@@ -8,16 +12,27 @@ add_custom_command(OUTPUT localattestation_t.h localattestation_t.c localattesta
 
 # Create a library common to each of our two enclaves.
 add_library(common STATIC attestation.cpp crypto.cpp dispatcher.cpp ${CMAKE_CURRENT_BINARY_DIR}/localattestation_t.c)
+
+if(WIN32)
+  maybe_build_using_clangw(common)
+endif()
+
 target_compile_definitions(common PUBLIC OE_API_VERSION=2)
-target_link_libraries(common PUBLIC
-  # `liboecore`, a dependency of `liboeenclave`, requires the ecalls
-  # function table. Because the libraries linking `libcommon` do not
-  # directly require this symbol, the linker skips the object in
-  # `libcommon` which defines them. So we manually require it.
-  #
-  # Alternatively we could use a CMake OBJECT library, but that
-  # requires a newish version of CMake.
-  -Wl,--require-defined=__oe_ecalls_table
-  openenclave::oeenclave
-  openenclave::oelibcxx)
+if(NOT WIN32)
+  target_link_libraries(common PUBLIC
+    # `liboecore`, a dependency of `liboeenclave`, requires the ecalls
+    # function table. Because the libraries linking `libcommon` do not
+    # directly require this symbol, the linker skips the object in
+    # `libcommon` which defines them. So we manually require it.
+    #
+    # Alternatively we could use a CMake OBJECT library, but that
+    # requires a newish version of CMake.
+    -Wl,--require-defined=__oe_ecalls_table
+    openenclave::oeenclave
+    openenclave::oelibcxx)
+else()
+  target_link_libraries(common PUBLIC
+    openenclave::oeenclave
+    openenclave::oelibcxx)
+endif()
 target_include_directories(common PUBLIC ${CMAKE_SOURCE_DIR} ${CMAKE_BINARY_DIR})
diff --git a/samples/local_attestation/enclave_a/CMakeLists.txt b/samples/local_attestation/enclave_a/CMakeLists.txt
index 2cc9ceac3c..df53d3ba03 100644
--- a/samples/local_attestation/enclave_a/CMakeLists.txt
+++ b/samples/local_attestation/enclave_a/CMakeLists.txt
@@ -1,13 +1,21 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 # Generate header with public key of enclave B (2)
 add_custom_command(OUTPUT enclave_b_pubkey.h
   DEPENDS public_key_b ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
-  COMMAND ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh enclave_b_pubkey.h ${CMAKE_BINARY_DIR}/enclave_b/public_b.pem)
+  COMMAND ${BASH} ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh enclave_b_pubkey.h ${CMAKE_BINARY_DIR}/enclave_b/public_b.pem)
 
 add_executable(enclave_a ecalls.cpp ${CMAKE_CURRENT_BINARY_DIR}/enclave_b_pubkey.h)
 
+if(WIN32)
+  maybe_build_using_clangw(enclave_a)
+endif()
+
 target_include_directories(enclave_a PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
 
 target_link_libraries(enclave_a common)
diff --git a/samples/local_attestation/enclave_b/CMakeLists.txt b/samples/local_attestation/enclave_b/CMakeLists.txt
index 8cd30cc378..9f3cae2533 100644
--- a/samples/local_attestation/enclave_b/CMakeLists.txt
+++ b/samples/local_attestation/enclave_b/CMakeLists.txt
@@ -2,12 +2,24 @@
 # Licensed under the MIT License.
 
 # Generate header with public key of enclave A
+
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 add_custom_command(OUTPUT enclave_a_pubkey.h
   DEPENDS public_key_a ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
-  COMMAND ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh enclave_a_pubkey.h ${CMAKE_BINARY_DIR}/enclave_a/public_a.pem)
+  COMMAND ${BASH} ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh enclave_a_pubkey.h ${CMAKE_BINARY_DIR}/enclave_a/public_a.pem)
 
 add_executable(enclave_b ecalls.cpp ${CMAKE_CURRENT_BINARY_DIR}/enclave_a_pubkey.h)
 
+if(WIN32)
+  maybe_build_using_clangw(enclave_b)
+endif()
+
 target_include_directories(enclave_b PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
 
 target_link_libraries(enclave_b common)
diff --git a/samples/local_attestation/gen_pubkey_header.sh b/samples/local_attestation/gen_pubkey_header.sh
index d96b2de78f..163f6fb343 100755
--- a/samples/local_attestation/gen_pubkey_header.sh
+++ b/samples/local_attestation/gen_pubkey_header.sh
@@ -18,6 +18,7 @@ EOF
 printf 'static const char OTHER_ENCLAVE_PUBLIC_KEY[] =' >> "$destfile"
 while IFS="" read -r p || [ -n "$p" ]
 do
+	p="$(echo $p | tr -d \"\\\r\")"
     printf '\n    \"%s\\n\"' "$p" >> "$destfile"
 done < "$pubkey_file"
 printf ';\n' >> "$destfile"
diff --git a/samples/remote_attestation/common/CMakeLists.txt b/samples/remote_attestation/common/CMakeLists.txt
index db388e09a2..1220d81705 100644
--- a/samples/remote_attestation/common/CMakeLists.txt
+++ b/samples/remote_attestation/common/CMakeLists.txt
@@ -1,6 +1,13 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
+add_custom_command(OUTPUT enclave_a_pubkey.h
+  DEPENDS public_key_a ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
+  COMMAND ${BASH} ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh enclave_a_pubkey.h ${CMAKE_BINARY_DIR}/enclave_a/public_a.pem)
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT remoteattestation_t.h remoteattestation_t.c remoteattestation_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/remoteattestation.edl
@@ -8,7 +15,13 @@ add_custom_command(OUTPUT remoteattestation_t.h remoteattestation_t.c remoteatte
 
 # Create a library common to each of our two enclaves.
 add_library(common STATIC attestation.cpp crypto.cpp dispatcher.cpp ${CMAKE_CURRENT_BINARY_DIR}/remoteattestation_t.c)
+
+if(WIN32)
+  maybe_build_using_clangw(common)
+endif()
+
 target_compile_definitions(common PUBLIC OE_API_VERSION=2)
+if(NOT WIN32)
 target_link_libraries(common PUBLIC
   # `liboecore`, a dependency of `liboeenclave`, requires the ecalls
   # function table. Because the libraries linking `libcommon` do not
@@ -20,4 +33,9 @@ target_link_libraries(common PUBLIC
   -Wl,--require-defined=__oe_ecalls_table
   openenclave::oeenclave
   openenclave::oelibcxx)
+else()
+target_link_libraries(common PUBLIC
+  openenclave::oeenclave
+  openenclave::oelibcxx)
+endif()
 target_include_directories(common PUBLIC ${CMAKE_SOURCE_DIR} ${CMAKE_BINARY_DIR})
diff --git a/samples/remote_attestation/enclave_a/CMakeLists.txt b/samples/remote_attestation/enclave_a/CMakeLists.txt
index 2cc9ceac3c..b227020d00 100644
--- a/samples/remote_attestation/enclave_a/CMakeLists.txt
+++ b/samples/remote_attestation/enclave_a/CMakeLists.txt
@@ -1,6 +1,10 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 # Generate header with public key of enclave B (2)
 add_custom_command(OUTPUT enclave_b_pubkey.h
   DEPENDS public_key_b ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
@@ -8,6 +12,10 @@ add_custom_command(OUTPUT enclave_b_pubkey.h
 
 add_executable(enclave_a ecalls.cpp ${CMAKE_CURRENT_BINARY_DIR}/enclave_b_pubkey.h)
 
+if(WIN32)
+  maybe_build_using_clangw(enclave_a)
+endif()
+
 target_include_directories(enclave_a PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
 
 target_link_libraries(enclave_a common)
diff --git a/samples/remote_attestation/enclave_b/CMakeLists.txt b/samples/remote_attestation/enclave_b/CMakeLists.txt
index 8cd30cc378..b45cf5f867 100644
--- a/samples/remote_attestation/enclave_b/CMakeLists.txt
+++ b/samples/remote_attestation/enclave_b/CMakeLists.txt
@@ -1,6 +1,10 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 # Generate header with public key of enclave A
 add_custom_command(OUTPUT enclave_a_pubkey.h
   DEPENDS public_key_a ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
@@ -8,6 +12,10 @@ add_custom_command(OUTPUT enclave_a_pubkey.h
 
 add_executable(enclave_b ecalls.cpp ${CMAKE_CURRENT_BINARY_DIR}/enclave_a_pubkey.h)
 
+if(WIN32)
+  maybe_build_using_clangw(enclave_b)
+endif()
+
 target_include_directories(enclave_b PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
 
 target_link_libraries(enclave_b common)
diff --git a/samples/remote_attestation/gen_pubkey_header.sh b/samples/remote_attestation/gen_pubkey_header.sh
index e6f98353f9..15beea1787 100755
--- a/samples/remote_attestation/gen_pubkey_header.sh
+++ b/samples/remote_attestation/gen_pubkey_header.sh
@@ -18,6 +18,7 @@ EOF
 printf 'static const char OTHER_ENCLAVE_PUBLIC_KEY[] =' >> "$destfile"
 while IFS="" read -r p || [ -n "$p" ]
 do
+    p ="$(echo $p | tr -d \"\\\r\")"
     printf '\n    \"%s\\n\"' "$p" >> "$destfile"
 done < "$pubkey_file"
 printf ';\n' >> "$destfile"
diff --git a/samples/remote_attestation/host/CMakeLists.txt b/samples/remote_attestation/host/CMakeLists.txt
index 37208d891c..c0960029b6 100644
--- a/samples/remote_attestation/host/CMakeLists.txt
+++ b/samples/remote_attestation/host/CMakeLists.txt
@@ -1,14 +1,21 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(remote_attestation_dcap_target)
+endif()
+
 add_custom_command(OUTPUT remoteattestation_u.h remoteattestation_u.c remoteattestation_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/remoteattestation.edl
   COMMAND openenclave::oeedger8r --untrusted ${CMAKE_SOURCE_DIR}/remoteattestation.edl)
 
 add_executable(remote_attestation_host host.cpp ${CMAKE_CURRENT_BINARY_DIR}/remoteattestation_u.c)
-
 target_include_directories(remote_attestation_host PRIVATE
   ${CMAKE_CURRENT_SOURCE_DIR}/../ # For common/shared.h
   ${CMAKE_CURRENT_BINARY_DIR})
 
+if(WIN32)
+  add_dcap_client_target(remote_attestation_dcap_target)
+endif()
+
 target_link_libraries(remote_attestation_host openenclave::oehostapp)
diff --git a/samples/test-samples.cmake b/samples/test-samples.cmake
index d814ed795d..b88ce1811a 100644
--- a/samples/test-samples.cmake
+++ b/samples/test-samples.cmake
@@ -24,7 +24,7 @@ else ()
   # These tests can only run with SGX-FLC, meaning they were built
   # against SGX.
   if (USE_LIBSGX)
-    list(APPEND SAMPLES_LIST local_attestation remote_attestation attested_tls)
+     list(APPEND SAMPLES_LIST local_attestation remote_attestation attested_tls)
   endif ()
 endif ()
 

From 182e9c7914eaefb42e8a601b46454120df9c7114 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Thu, 26 Sep 2019 16:38:44 +0000
Subject: [PATCH 077/420] Rename BASH to OE_BASH.

---
 CMakeLists.txt                       |  4 ++++
 cmake/maybe_build_using_clangw.cmake | 12 ++++++------
 cmake/openenclave-config.cmake.in    | 11 +++++++----
 3 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index c2210a70de..67b070f15f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -29,6 +29,10 @@ project("Open Enclave SDK" LANGUAGES C CXX ${OE_ASM}
   HOMEPAGE_URL "https://github.com/openenclave/openenclave")
 set(PROJECT_VERSION ${OE_VERSION})
 set(OE_SCRIPTSDIR "${PROJECT_SOURCE_DIR}/scripts")
+find_program(OE_BASH bash)
+if (NOT OE_BASH)
+  message(FATAL_ERROR "-- Unable to find bash")
+endif ()
 
 list(APPEND CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake")
 
diff --git a/cmake/maybe_build_using_clangw.cmake b/cmake/maybe_build_using_clangw.cmake
index 31ad69fdb9..04b65aca14 100644
--- a/cmake/maybe_build_using_clangw.cmake
+++ b/cmake/maybe_build_using_clangw.cmake
@@ -45,30 +45,30 @@ function(maybe_build_using_clangw OE_TARGET)
 
     # Setup library tool variables
     set(CMAKE_C_CREATE_STATIC_LIBRARY 
-        "\"${BASH}\" \"${OE_SCRIPTSDIR}/llvm-arw\" \"qc <TARGET> <OBJECTS>\""
+        "\"${OE_BASH}\" \"${OE_SCRIPTSDIR}/llvm-arw\" \"qc <TARGET> <OBJECTS>\""
         PARENT_SCOPE)
     set(CMAKE_CXX_CREATE_STATIC_LIBRARY 
-        "\"${BASH}\" \"${OE_SCRIPTSDIR}/llvm-arw\" \"qc <TARGET> <OBJECTS>\""
+        "\"${OE_BASH}\" \"${OE_SCRIPTSDIR}/llvm-arw\" \"qc <TARGET> <OBJECTS>\""
         PARENT_SCOPE)
 
     # Setup linker variables.
     set(CMAKE_EXECUTABLE_SUFFIX "" PARENT_SCOPE)
     set(CMAKE_C_STANDARD_LIBRARIES "" PARENT_SCOPE)
     set(CMAKE_C_LINK_EXECUTABLE
-        "\"${BASH}\" \"${OE_SCRIPTSDIR}/clangw\" \"link <OBJECTS> -o <TARGET>  <LINK_LIBRARIES>\""
+        "\"${OE_BASH}\" \"${OE_SCRIPTSDIR}/clangw\" \"link <OBJECTS> -o <TARGET>  <LINK_LIBRARIES>\""
         PARENT_SCOPE)
     set(CMAKE_CXX_STANDARD_LIBRARIES "" PARENT_SCOPE)
     set(CMAKE_CXX_LINK_EXECUTABLE
-        "\"${BASH}\" \"${OE_SCRIPTSDIR}/clangw\" \"link <OBJECTS> -o <TARGET>  <LINK_LIBRARIES>\""
+        "\"${OE_BASH}\" \"${OE_SCRIPTSDIR}/clangw\" \"link <OBJECTS> -o <TARGET>  <LINK_LIBRARIES>\""
         PARENT_SCOPE)
 
     # Setup compiler variables.
     set(CMAKE_C_COMPILE_OBJECT
-        "\"${BASH}\" \"${OE_SCRIPTSDIR}/clangw\" \"<DEFINES> <INCLUDES> <FLAGS> -o <OBJECT> -c <SOURCE>\""
+        "\"${OE_BASH}\" \"${OE_SCRIPTSDIR}/clangw\" \"<DEFINES> <INCLUDES> <FLAGS> -o <OBJECT> -c <SOURCE>\""
         PARENT_SCOPE)
 
     set(CMAKE_CXX_COMPILE_OBJECT
-        "\"${BASH}\" \"${OE_SCRIPTSDIR}/clangw\" \"<DEFINES> <INCLUDES> <FLAGS> -o <OBJECT> -c <SOURCE>\""
+        "\"${OE_BASH}\" \"${OE_SCRIPTSDIR}/clangw\" \"<DEFINES> <INCLUDES> <FLAGS> -o <OBJECT> -c <SOURCE>\""
         PARENT_SCOPE)
 
     # Loop through assembly files in the list of sources in the
diff --git a/cmake/openenclave-config.cmake.in b/cmake/openenclave-config.cmake.in
index c7fe740c0c..b04b5b8d6a 100644
--- a/cmake/openenclave-config.cmake.in
+++ b/cmake/openenclave-config.cmake.in
@@ -17,10 +17,13 @@ set(OE_SCRIPTSDIR "@PACKAGE_CMAKE_INSTALL_BINDIR@/scripts")
 if (WIN32)
   set(OE_SGX ON)
   set(USE_CLANGW ON)
-  if (NOT BASH)
-    set(BASH bash)
-  endif()
-endif()
+  if (NOT OE_BASH)
+    find_program(OE_BASH bash.exe)
+    if (NOT OE_BASH)
+      message(FATAL_ERROR "-- Looking for bash.exe - not found")
+    endif ()
+  endif ()
+endif ()
 
 # Dependencies.
 include(CMakeFindDependencyMacro)

From 385f0fe4f5a924f3856f51f35d22a290feeabda0 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Thu, 26 Sep 2019 17:19:54 +0000
Subject: [PATCH 078/420] Remove include(maybe_build_using_clangw) from
 samples.

---
 samples/data-sealing/common/CMakeLists.txt          | 4 ----
 samples/data-sealing/enclave_a_v1/CMakeLists.txt    | 4 ----
 samples/data-sealing/enclave_a_v2/CMakeLists.txt    | 4 ----
 samples/data-sealing/enclave_b/CMakeLists.txt       | 4 ----
 samples/file-encryptor/enclave/CMakeLists.txt       | 4 ----
 samples/helloworld/enclave/CMakeLists.txt           | 4 ----
 samples/local_attestation/common/CMakeLists.txt     | 4 ----
 samples/local_attestation/enclave_a/CMakeLists.txt  | 4 ----
 samples/local_attestation/enclave_b/CMakeLists.txt  | 4 ----
 samples/remote_attestation/common/CMakeLists.txt    | 4 ----
 samples/remote_attestation/enclave_a/CMakeLists.txt | 4 ----
 samples/remote_attestation/enclave_b/CMakeLists.txt | 4 ----
 12 files changed, 48 deletions(-)

diff --git a/samples/data-sealing/common/CMakeLists.txt b/samples/data-sealing/common/CMakeLists.txt
index 86cd1ff95f..0d28bdfa84 100644
--- a/samples/data-sealing/common/CMakeLists.txt
+++ b/samples/data-sealing/common/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT datasealing_t.h datasealing_t.c datasealing_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/datasealing.edl
diff --git a/samples/data-sealing/enclave_a_v1/CMakeLists.txt b/samples/data-sealing/enclave_a_v1/CMakeLists.txt
index a6d0feb78d..c3eeea9a74 100644
--- a/samples/data-sealing/enclave_a_v1/CMakeLists.txt
+++ b/samples/data-sealing/enclave_a_v1/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 add_executable(enclave_a_v1 ecalls.cpp)
 
 if(WIN32)
diff --git a/samples/data-sealing/enclave_a_v2/CMakeLists.txt b/samples/data-sealing/enclave_a_v2/CMakeLists.txt
index 019accbd41..f9f93086e6 100644
--- a/samples/data-sealing/enclave_a_v2/CMakeLists.txt
+++ b/samples/data-sealing/enclave_a_v2/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 add_executable(enclave_a_v2 ecalls.cpp)
 
 if(WIN32)
diff --git a/samples/data-sealing/enclave_b/CMakeLists.txt b/samples/data-sealing/enclave_b/CMakeLists.txt
index 7b22485945..39c80dfffd 100644
--- a/samples/data-sealing/enclave_b/CMakeLists.txt
+++ b/samples/data-sealing/enclave_b/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 add_executable(enclave_b ecalls.cpp)
 
 if(WIN32)
diff --git a/samples/file-encryptor/enclave/CMakeLists.txt b/samples/file-encryptor/enclave/CMakeLists.txt
index 9e37949918..303e13790f 100644
--- a/samples/file-encryptor/enclave/CMakeLists.txt
+++ b/samples/file-encryptor/enclave/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT fileencryptor_t.h fileencryptor_t.c fileencryptor_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/fileencryptor.edl
diff --git a/samples/helloworld/enclave/CMakeLists.txt b/samples/helloworld/enclave/CMakeLists.txt
index da5789d7a1..049bc3d904 100644
--- a/samples/helloworld/enclave/CMakeLists.txt
+++ b/samples/helloworld/enclave/CMakeLists.txt
@@ -3,10 +3,6 @@
 
 # TODO: Where is the best place to set this
 
-if(WIN32)
-   include(maybe_build_using_clangw)
-endif()
-
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT helloworld_t.h helloworld_t.c helloworld_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/helloworld.edl
diff --git a/samples/local_attestation/common/CMakeLists.txt b/samples/local_attestation/common/CMakeLists.txt
index 44f113f6f0..e6cb1bf4cb 100644
--- a/samples/local_attestation/common/CMakeLists.txt
+++ b/samples/local_attestation/common/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT localattestation_t.h localattestation_t.c localattestation_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/localattestation.edl
diff --git a/samples/local_attestation/enclave_a/CMakeLists.txt b/samples/local_attestation/enclave_a/CMakeLists.txt
index df53d3ba03..0f36b215d6 100644
--- a/samples/local_attestation/enclave_a/CMakeLists.txt
+++ b/samples/local_attestation/enclave_a/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 # Generate header with public key of enclave B (2)
 add_custom_command(OUTPUT enclave_b_pubkey.h
   DEPENDS public_key_b ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
diff --git a/samples/local_attestation/enclave_b/CMakeLists.txt b/samples/local_attestation/enclave_b/CMakeLists.txt
index 9f3cae2533..1973fed919 100644
--- a/samples/local_attestation/enclave_b/CMakeLists.txt
+++ b/samples/local_attestation/enclave_b/CMakeLists.txt
@@ -6,10 +6,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 add_custom_command(OUTPUT enclave_a_pubkey.h
   DEPENDS public_key_a ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
   COMMAND ${BASH} ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh enclave_a_pubkey.h ${CMAKE_BINARY_DIR}/enclave_a/public_a.pem)
diff --git a/samples/remote_attestation/common/CMakeLists.txt b/samples/remote_attestation/common/CMakeLists.txt
index 1220d81705..24fc063508 100644
--- a/samples/remote_attestation/common/CMakeLists.txt
+++ b/samples/remote_attestation/common/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 add_custom_command(OUTPUT enclave_a_pubkey.h
   DEPENDS public_key_a ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
   COMMAND ${BASH} ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh enclave_a_pubkey.h ${CMAKE_BINARY_DIR}/enclave_a/public_a.pem)
diff --git a/samples/remote_attestation/enclave_a/CMakeLists.txt b/samples/remote_attestation/enclave_a/CMakeLists.txt
index b227020d00..341531342f 100644
--- a/samples/remote_attestation/enclave_a/CMakeLists.txt
+++ b/samples/remote_attestation/enclave_a/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 # Generate header with public key of enclave B (2)
 add_custom_command(OUTPUT enclave_b_pubkey.h
   DEPENDS public_key_b ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
diff --git a/samples/remote_attestation/enclave_b/CMakeLists.txt b/samples/remote_attestation/enclave_b/CMakeLists.txt
index b45cf5f867..6dbe6a940b 100644
--- a/samples/remote_attestation/enclave_b/CMakeLists.txt
+++ b/samples/remote_attestation/enclave_b/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 # Generate header with public key of enclave A
 add_custom_command(OUTPUT enclave_a_pubkey.h
   DEPENDS public_key_a ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh

From 6303b721be5fee14581c40a1a867ec1318bdf964 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Thu, 26 Sep 2019 15:27:38 -0700
Subject: [PATCH 079/420] Fix indentation and remove a comment.

Co-authored-by: Radhika Jandhyala <radhikaj@microsoft.com>
---
 CMakeLists.txt                                      | 1 +
 samples/data-sealing/common/CMakeLists.txt          | 4 ++++
 samples/data-sealing/enclave_a_v1/CMakeLists.txt    | 4 ++++
 samples/data-sealing/enclave_a_v2/CMakeLists.txt    | 4 ++++
 samples/data-sealing/enclave_b/CMakeLists.txt       | 4 ++++
 samples/file-encryptor/enclave/CMakeLists.txt       | 4 ++++
 samples/helloworld/enclave/CMakeLists.txt           | 2 --
 samples/local_attestation/common/CMakeLists.txt     | 4 ++++
 samples/local_attestation/enclave_a/CMakeLists.txt  | 4 ++++
 samples/local_attestation/gen_pubkey_header.sh      | 2 +-
 samples/remote_attestation/enclave_a/CMakeLists.txt | 4 ++++
 samples/remote_attestation/enclave_b/CMakeLists.txt | 4 ++++
 12 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 67b070f15f..66592e3c25 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -29,6 +29,7 @@ project("Open Enclave SDK" LANGUAGES C CXX ${OE_ASM}
   HOMEPAGE_URL "https://github.com/openenclave/openenclave")
 set(PROJECT_VERSION ${OE_VERSION})
 set(OE_SCRIPTSDIR "${PROJECT_SOURCE_DIR}/scripts")
+
 find_program(OE_BASH bash)
 if (NOT OE_BASH)
   message(FATAL_ERROR "-- Unable to find bash")
diff --git a/samples/data-sealing/common/CMakeLists.txt b/samples/data-sealing/common/CMakeLists.txt
index 0d28bdfa84..86cd1ff95f 100644
--- a/samples/data-sealing/common/CMakeLists.txt
+++ b/samples/data-sealing/common/CMakeLists.txt
@@ -1,6 +1,10 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT datasealing_t.h datasealing_t.c datasealing_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/datasealing.edl
diff --git a/samples/data-sealing/enclave_a_v1/CMakeLists.txt b/samples/data-sealing/enclave_a_v1/CMakeLists.txt
index c3eeea9a74..a6d0feb78d 100644
--- a/samples/data-sealing/enclave_a_v1/CMakeLists.txt
+++ b/samples/data-sealing/enclave_a_v1/CMakeLists.txt
@@ -1,6 +1,10 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 add_executable(enclave_a_v1 ecalls.cpp)
 
 if(WIN32)
diff --git a/samples/data-sealing/enclave_a_v2/CMakeLists.txt b/samples/data-sealing/enclave_a_v2/CMakeLists.txt
index f9f93086e6..019accbd41 100644
--- a/samples/data-sealing/enclave_a_v2/CMakeLists.txt
+++ b/samples/data-sealing/enclave_a_v2/CMakeLists.txt
@@ -1,6 +1,10 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 add_executable(enclave_a_v2 ecalls.cpp)
 
 if(WIN32)
diff --git a/samples/data-sealing/enclave_b/CMakeLists.txt b/samples/data-sealing/enclave_b/CMakeLists.txt
index 39c80dfffd..7b22485945 100644
--- a/samples/data-sealing/enclave_b/CMakeLists.txt
+++ b/samples/data-sealing/enclave_b/CMakeLists.txt
@@ -1,6 +1,10 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 add_executable(enclave_b ecalls.cpp)
 
 if(WIN32)
diff --git a/samples/file-encryptor/enclave/CMakeLists.txt b/samples/file-encryptor/enclave/CMakeLists.txt
index 303e13790f..9e37949918 100644
--- a/samples/file-encryptor/enclave/CMakeLists.txt
+++ b/samples/file-encryptor/enclave/CMakeLists.txt
@@ -1,6 +1,10 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT fileencryptor_t.h fileencryptor_t.c fileencryptor_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/fileencryptor.edl
diff --git a/samples/helloworld/enclave/CMakeLists.txt b/samples/helloworld/enclave/CMakeLists.txt
index 049bc3d904..caa2b1a440 100644
--- a/samples/helloworld/enclave/CMakeLists.txt
+++ b/samples/helloworld/enclave/CMakeLists.txt
@@ -1,8 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-# TODO: Where is the best place to set this
-
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT helloworld_t.h helloworld_t.c helloworld_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/helloworld.edl
diff --git a/samples/local_attestation/common/CMakeLists.txt b/samples/local_attestation/common/CMakeLists.txt
index e6cb1bf4cb..44f113f6f0 100644
--- a/samples/local_attestation/common/CMakeLists.txt
+++ b/samples/local_attestation/common/CMakeLists.txt
@@ -1,6 +1,10 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT localattestation_t.h localattestation_t.c localattestation_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/localattestation.edl
diff --git a/samples/local_attestation/enclave_a/CMakeLists.txt b/samples/local_attestation/enclave_a/CMakeLists.txt
index 0f36b215d6..df53d3ba03 100644
--- a/samples/local_attestation/enclave_a/CMakeLists.txt
+++ b/samples/local_attestation/enclave_a/CMakeLists.txt
@@ -1,6 +1,10 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 # Generate header with public key of enclave B (2)
 add_custom_command(OUTPUT enclave_b_pubkey.h
   DEPENDS public_key_b ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
diff --git a/samples/local_attestation/gen_pubkey_header.sh b/samples/local_attestation/gen_pubkey_header.sh
index 163f6fb343..f6d92d0d8b 100755
--- a/samples/local_attestation/gen_pubkey_header.sh
+++ b/samples/local_attestation/gen_pubkey_header.sh
@@ -18,7 +18,7 @@ EOF
 printf 'static const char OTHER_ENCLAVE_PUBLIC_KEY[] =' >> "$destfile"
 while IFS="" read -r p || [ -n "$p" ]
 do
-	p="$(echo $p | tr -d \"\\\r\")"
+    p="$(echo $p | tr -d \"\\\r\")"
     printf '\n    \"%s\\n\"' "$p" >> "$destfile"
 done < "$pubkey_file"
 printf ';\n' >> "$destfile"
diff --git a/samples/remote_attestation/enclave_a/CMakeLists.txt b/samples/remote_attestation/enclave_a/CMakeLists.txt
index 341531342f..b227020d00 100644
--- a/samples/remote_attestation/enclave_a/CMakeLists.txt
+++ b/samples/remote_attestation/enclave_a/CMakeLists.txt
@@ -1,6 +1,10 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 # Generate header with public key of enclave B (2)
 add_custom_command(OUTPUT enclave_b_pubkey.h
   DEPENDS public_key_b ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
diff --git a/samples/remote_attestation/enclave_b/CMakeLists.txt b/samples/remote_attestation/enclave_b/CMakeLists.txt
index 6dbe6a940b..b45cf5f867 100644
--- a/samples/remote_attestation/enclave_b/CMakeLists.txt
+++ b/samples/remote_attestation/enclave_b/CMakeLists.txt
@@ -1,6 +1,10 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+if(WIN32)
+  include(maybe_build_using_clangw)
+endif()
+
 # Generate header with public key of enclave A
 add_custom_command(OUTPUT enclave_a_pubkey.h
   DEPENDS public_key_a ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh

From d5da8c46c4a8af418ba005998f92703e3f1ed725 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Mon, 30 Sep 2019 17:10:39 +0000
Subject: [PATCH 080/420] Add support for samples test on Windows.

---
 CMakeLists.txt                                |   2 +
 cmake/openenclave-config.cmake.in             |   1 +
 samples/CMakeLists.txt                        |   2 +-
 samples/data-sealing/common/CMakeLists.txt    |   4 -
 .../data-sealing/enclave_a_v1/CMakeLists.txt  |   4 -
 .../data-sealing/enclave_a_v2/CMakeLists.txt  |   4 -
 samples/data-sealing/enclave_b/CMakeLists.txt |   4 -
 samples/file-encryptor/enclave/CMakeLists.txt |   4 -
 .../local_attestation/common/CMakeLists.txt   |   4 -
 .../enclave_a/CMakeLists.txt                  |   4 -
 .../enclave_a/CMakeLists.txt                  |   4 -
 .../enclave_b/CMakeLists.txt                  |   4 -
 .../remote_attestation/gen_pubkey_header.sh   |   2 +-
 .../remote_attestation/host/CMakeLists.txt    |   4 -
 samples/test-samples.cmake                    | 108 +++++++++++-------
 15 files changed, 71 insertions(+), 84 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 66592e3c25..adba6d6707 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -237,6 +237,8 @@ if (WIN32)
     DESTINATION ${CMAKE_INSTALL_BINDIR}/scripts/)
   install(FILES ./cmake/maybe_build_using_clangw.cmake
     DESTINATION ${CMAKE_INSTALL_LIBDIR}/openenclave/cmake)
+  install(FILES ./cmake/add_dcap_client_target.cmake
+    DESTINATION ${CMAKE_INSTALL_LIBDIR}/openenclave/cmake)
 endif ()
 
 
diff --git a/cmake/openenclave-config.cmake.in b/cmake/openenclave-config.cmake.in
index b04b5b8d6a..5282c1d687 100644
--- a/cmake/openenclave-config.cmake.in
+++ b/cmake/openenclave-config.cmake.in
@@ -112,6 +112,7 @@ endif ()
 # Include the automatically exported targets.
 include("${CMAKE_CURRENT_LIST_DIR}/openenclave-targets.cmake")
 if (WIN32)
+  include("${CMAKE_CURRENT_LIST_DIR}/add_dcap_client_target.cmake")
   include("${CMAKE_CURRENT_LIST_DIR}/maybe_build_using_clangw.cmake")
 endif ()
 target_link_libraries(openenclave::oehost INTERFACE openenclave::sgx_enclave_common openenclave::sgx_dcap_ql)
diff --git a/samples/CMakeLists.txt b/samples/CMakeLists.txt
index 1c331efded..6bc1fb6658 100644
--- a/samples/CMakeLists.txt
+++ b/samples/CMakeLists.txt
@@ -16,4 +16,4 @@ install(FILES README.md
   DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples)
 
 add_test(NAME samples
-  COMMAND ${CMAKE_COMMAND} -DUSE_LIBSGX=${USE_LIBSGX} -DSOURCE_DIR=${CMAKE_CURRENT_SOURCE_DIR} -DBUILD_DIR=${PROJECT_BINARY_DIR} -DPREFIX_DIR=${CMAKE_INSTALL_PREFIX} -P ${CMAKE_CURRENT_SOURCE_DIR}/test-samples.cmake)
+  COMMAND ${CMAKE_COMMAND} -DUSE_LIBSGX=${USE_LIBSGX} -DSOURCE_DIR=${CMAKE_CURRENT_SOURCE_DIR} -DBUILD_DIR=${PROJECT_BINARY_DIR} -DPREFIX_DIR=${CMAKE_INSTALL_PREFIX} -DNUGET_PACKAGE_PATH=${NUGET_PACKAGE_PATH} -P ${CMAKE_CURRENT_SOURCE_DIR}/test-samples.cmake)
diff --git a/samples/data-sealing/common/CMakeLists.txt b/samples/data-sealing/common/CMakeLists.txt
index 86cd1ff95f..0d28bdfa84 100644
--- a/samples/data-sealing/common/CMakeLists.txt
+++ b/samples/data-sealing/common/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT datasealing_t.h datasealing_t.c datasealing_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/datasealing.edl
diff --git a/samples/data-sealing/enclave_a_v1/CMakeLists.txt b/samples/data-sealing/enclave_a_v1/CMakeLists.txt
index a6d0feb78d..c3eeea9a74 100644
--- a/samples/data-sealing/enclave_a_v1/CMakeLists.txt
+++ b/samples/data-sealing/enclave_a_v1/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 add_executable(enclave_a_v1 ecalls.cpp)
 
 if(WIN32)
diff --git a/samples/data-sealing/enclave_a_v2/CMakeLists.txt b/samples/data-sealing/enclave_a_v2/CMakeLists.txt
index 019accbd41..f9f93086e6 100644
--- a/samples/data-sealing/enclave_a_v2/CMakeLists.txt
+++ b/samples/data-sealing/enclave_a_v2/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 add_executable(enclave_a_v2 ecalls.cpp)
 
 if(WIN32)
diff --git a/samples/data-sealing/enclave_b/CMakeLists.txt b/samples/data-sealing/enclave_b/CMakeLists.txt
index 7b22485945..39c80dfffd 100644
--- a/samples/data-sealing/enclave_b/CMakeLists.txt
+++ b/samples/data-sealing/enclave_b/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 add_executable(enclave_b ecalls.cpp)
 
 if(WIN32)
diff --git a/samples/file-encryptor/enclave/CMakeLists.txt b/samples/file-encryptor/enclave/CMakeLists.txt
index 9e37949918..303e13790f 100644
--- a/samples/file-encryptor/enclave/CMakeLists.txt
+++ b/samples/file-encryptor/enclave/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT fileencryptor_t.h fileencryptor_t.c fileencryptor_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/fileencryptor.edl
diff --git a/samples/local_attestation/common/CMakeLists.txt b/samples/local_attestation/common/CMakeLists.txt
index 44f113f6f0..e6cb1bf4cb 100644
--- a/samples/local_attestation/common/CMakeLists.txt
+++ b/samples/local_attestation/common/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT localattestation_t.h localattestation_t.c localattestation_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/localattestation.edl
diff --git a/samples/local_attestation/enclave_a/CMakeLists.txt b/samples/local_attestation/enclave_a/CMakeLists.txt
index df53d3ba03..0f36b215d6 100644
--- a/samples/local_attestation/enclave_a/CMakeLists.txt
+++ b/samples/local_attestation/enclave_a/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 # Generate header with public key of enclave B (2)
 add_custom_command(OUTPUT enclave_b_pubkey.h
   DEPENDS public_key_b ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
diff --git a/samples/remote_attestation/enclave_a/CMakeLists.txt b/samples/remote_attestation/enclave_a/CMakeLists.txt
index b227020d00..341531342f 100644
--- a/samples/remote_attestation/enclave_a/CMakeLists.txt
+++ b/samples/remote_attestation/enclave_a/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 # Generate header with public key of enclave B (2)
 add_custom_command(OUTPUT enclave_b_pubkey.h
   DEPENDS public_key_b ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
diff --git a/samples/remote_attestation/enclave_b/CMakeLists.txt b/samples/remote_attestation/enclave_b/CMakeLists.txt
index b45cf5f867..6dbe6a940b 100644
--- a/samples/remote_attestation/enclave_b/CMakeLists.txt
+++ b/samples/remote_attestation/enclave_b/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(maybe_build_using_clangw)
-endif()
-
 # Generate header with public key of enclave A
 add_custom_command(OUTPUT enclave_a_pubkey.h
   DEPENDS public_key_a ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
diff --git a/samples/remote_attestation/gen_pubkey_header.sh b/samples/remote_attestation/gen_pubkey_header.sh
index 15beea1787..594384da2e 100755
--- a/samples/remote_attestation/gen_pubkey_header.sh
+++ b/samples/remote_attestation/gen_pubkey_header.sh
@@ -18,7 +18,7 @@ EOF
 printf 'static const char OTHER_ENCLAVE_PUBLIC_KEY[] =' >> "$destfile"
 while IFS="" read -r p || [ -n "$p" ]
 do
-    p ="$(echo $p | tr -d \"\\\r\")"
+    p="$(echo $p | tr -d \"\\\r\")"
     printf '\n    \"%s\\n\"' "$p" >> "$destfile"
 done < "$pubkey_file"
 printf ';\n' >> "$destfile"
diff --git a/samples/remote_attestation/host/CMakeLists.txt b/samples/remote_attestation/host/CMakeLists.txt
index c0960029b6..af6b4018c7 100644
--- a/samples/remote_attestation/host/CMakeLists.txt
+++ b/samples/remote_attestation/host/CMakeLists.txt
@@ -1,10 +1,6 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if(WIN32)
-  include(remote_attestation_dcap_target)
-endif()
-
 add_custom_command(OUTPUT remoteattestation_u.h remoteattestation_u.c remoteattestation_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/remoteattestation.edl
   COMMAND openenclave::oeedger8r --untrusted ${CMAKE_SOURCE_DIR}/remoteattestation.edl)
diff --git a/samples/test-samples.cmake b/samples/test-samples.cmake
index b88ce1811a..d32126566a 100644
--- a/samples/test-samples.cmake
+++ b/samples/test-samples.cmake
@@ -24,14 +24,27 @@ else ()
   # These tests can only run with SGX-FLC, meaning they were built
   # against SGX.
   if (USE_LIBSGX)
-     list(APPEND SAMPLES_LIST local_attestation remote_attestation attested_tls)
+    list(APPEND SAMPLES_LIST local_attestation remote_attestation)
+	# The attested_tls test is not supported on Windows at this time.
+	if (NOT WIN32)
+	  list(APPEND SAMPLES_LIST attested_tls)
+	endif ()
   endif ()
 endif ()
 
-execute_process(COMMAND ${CMAKE_COMMAND} -E env DESTDIR=${BUILD_DIR}/install ${CMAKE_COMMAND} --build ${BUILD_DIR} --target install)
+if (WIN32)
+  # On Windows, DESTDIR is not supported by cmake for the install function. Must use a relative path for -DCMAKE_INSTALL_PREFIX:PATH
+  execute_process(COMMAND ${CMAKE_COMMAND} --build ${BUILD_DIR} --target install)
+else ()
+  execute_process(COMMAND ${CMAKE_COMMAND} -E env DESTDIR=${BUILD_DIR}/install ${CMAKE_COMMAND} --build ${BUILD_DIR} --target install)
+endif ()
 
-# The prefix is appended to the value given to DESTDIR, e.g. build/install/opt/openenclave/...
-set(INSTALL_DIR ${BUILD_DIR}/install${PREFIX_DIR})
+if (WIN32)
+  set(INSTALL_DIR ${BUILD_DIR}/${PREFIX_DIR})
+else ()
+  # The prefix is appended to the value given to DESTDIR, e.g. build/install/opt/openenclave/...
+  set(INSTALL_DIR ${BUILD_DIR}/install/${PREFIX_DIR})
+endif ()
 
 # A variable to know if all samples ran successfully
 set(ALL_TEST_RESULT 0)
@@ -43,9 +56,15 @@ foreach (SAMPLE ${SAMPLES_LIST})
   execute_process(COMMAND ${CMAKE_COMMAND} -E make_directory ${SAMPLE_BUILD_DIR})
 
   # Configure, build, and run the installed sample with CMake.
-  execute_process(
-    COMMAND ${CMAKE_COMMAND} -DCMAKE_PREFIX_PATH=${INSTALL_DIR} ${SAMPLE_SOURCE_DIR}
-    WORKING_DIRECTORY ${SAMPLE_BUILD_DIR})
+  if (WIN32)
+    execute_process(
+      COMMAND ${CMAKE_COMMAND} -DCMAKE_PREFIX_PATH=${INSTALL_DIR}/lib/openenclave/cmake -G Ninja -DNUGET_PACKAGE_PATH=${NUGET_PACKAGE_PATH} ${SAMPLE_SOURCE_DIR}
+      WORKING_DIRECTORY ${SAMPLE_BUILD_DIR})
+  else ()
+    execute_process(
+      COMMAND ${CMAKE_COMMAND} -DCMAKE_PREFIX_PATH=${INSTALL_DIR} ${SAMPLE_SOURCE_DIR}
+      WORKING_DIRECTORY ${SAMPLE_BUILD_DIR})
+  endif ()
 
   execute_process(
     COMMAND ${CMAKE_COMMAND} --build ${SOURCE_DIR}/${SAMPLE}
@@ -64,45 +83,50 @@ foreach (SAMPLE ${SAMPLES_LIST})
       message(STATUS "Samples test '${SAMPLE}' with CMake passed!")
     endif ()
 
-    # Build with pkg-config
-    message(STATUS "Samples test '${SAMPLE}' with pkg-config running...")
-    execute_process(
-      COMMAND ${CMAKE_COMMAND} -E env PATH=${INSTALL_DIR}/bin:$ENV{PATH} PKG_CONFIG_PATH=${INSTALL_DIR}/share/pkgconfig/ make -C ${SAMPLE_SOURCE_DIR} clean build run
-      RESULT_VARIABLE TEST_RESULT)
-      if (TEST_RESULT)
-        message(WARNING "Samples test '${SAMPLE}' with pkg-config failed!")
+    if (NOT WIN32)
+      # Build with pkg-config if not running on Windows.
+      message(STATUS "Samples test '${SAMPLE}' with pkg-config running...")
+      execute_process(
+        COMMAND ${CMAKE_COMMAND} -E env PATH=${INSTALL_DIR}/bin:$ENV{PATH} PKG_CONFIG_PATH=${INSTALL_DIR}/share/pkgconfig/ make -C ${SAMPLE_SOURCE_DIR} clean build run
+        RESULT_VARIABLE TEST_RESULT)
+        if (TEST_RESULT)
+          message(WARNING "Samples test '${SAMPLE}' with pkg-config failed!")
+          set(ALL_TEST_RESULT 1)
+        else ()
+	  message(STATUS "Samples test '${SAMPLE}' with pkg-config passed!")
+        endif ()
+	endif ()
+  endif ()
+
+  # Simulation mode is not supported on Windows currently.
+  if (NOT WIN32)
+    # The file-encryptor and helloworld are special cases which also
+    # work under simulation, so we test that additional scenario here.
+    if (${SAMPLE} MATCHES "(file-encryptor|helloworld)")
+      # Build with the CMake package
+      message(STATUS "Samples test '${SAMPLE}' in simulation with CMake running...")
+      execute_process(
+        COMMAND ${CMAKE_COMMAND} --build ${SAMPLE_BUILD_DIR} --target simulate
+        RESULT_VARIABLE TEST_SIMULATE_RESULT)
+      if (TEST_SIMULATE_RESULT)
+        message(WARNING "Samples test '${SAMPLE}' in simulation with CMake failed!")
         set(ALL_TEST_RESULT 1)
       else ()
-	message(STATUS "Samples test '${SAMPLE}' with pkg-config passed!")
+        message(STATUS "Samples test '${SAMPLE}' in simulation with CMake passed!")
       endif ()
-  endif ()
-
-  # The file-encryptor and helloworld are special cases which also
-  # work under simulation, so we test that additional scenario here.
-  if (${SAMPLE} MATCHES "(file-encryptor|helloworld)")
-    # Build with the CMake package
-    message(STATUS "Samples test '${SAMPLE}' in simulation with CMake running...")
-    execute_process(
-      COMMAND ${CMAKE_COMMAND} --build ${SAMPLE_BUILD_DIR} --target simulate
-      RESULT_VARIABLE TEST_SIMULATE_RESULT)
-    if (TEST_SIMULATE_RESULT)
-      message(WARNING "Samples test '${SAMPLE}' in simulation with CMake failed!")
-      set(ALL_TEST_RESULT 1)
-    else ()
-      message(STATUS "Samples test '${SAMPLE}' in simulation with CMake passed!")
-    endif ()
 
-    # Build with pkg-config
-    message(STATUS "Samples test '${SAMPLE}' in simulation with pkg-config running...")
-    message(WARNING "PKG_CONFIG_PATH=${INSTALL_DIR}")
-    execute_process(
-      COMMAND ${CMAKE_COMMAND} -E env PATH=${INSTALL_DIR}/bin:$ENV{PATH} PKG_CONFIG_PATH=${INSTALL_DIR}/share/pkgconfig make -C ${SAMPLE_SOURCE_DIR} clean build simulate
-      RESULT_VARIABLE TEST_SIMULATE_RESULT)
-    if (TEST_SIMULATE_RESULT)
-      message(WARNING "Samples test '${SAMPLE}' in simulation with pkg-config failed!")
-      set(TEST_SIMULATE_RESULT 1)
-    else ()
-      message(STATUS "Samples test '${SAMPLE}' in simulation with pkg-config passed!")
+      # Build with pkg-config
+      message(STATUS "Samples test '${SAMPLE}' in simulation with pkg-config running...")
+      message(WARNING "PKG_CONFIG_PATH=${INSTALL_DIR}")
+      execute_process(
+        COMMAND ${CMAKE_COMMAND} -E env PATH=${INSTALL_DIR}/bin:$ENV{PATH} PKG_CONFIG_PATH=${INSTALL_DIR}/share/pkgconfig make -C ${SAMPLE_SOURCE_DIR} clean build simulate
+        RESULT_VARIABLE TEST_SIMULATE_RESULT)
+      if (TEST_SIMULATE_RESULT)
+        message(WARNING "Samples test '${SAMPLE}' in simulation with pkg-config failed!")
+        set(TEST_SIMULATE_RESULT 1)
+      else ()
+        message(STATUS "Samples test '${SAMPLE}' in simulation with pkg-config passed!")
+      endif ()
     endif ()
   endif ()
 

From dc58695225234123dc35f3ee0ae4f1e767dfb972 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Mon, 30 Sep 2019 18:36:57 +0000
Subject: [PATCH 081/420] Simplify CR deletion in gen_pubkey_header.sh

---
 samples/local_attestation/gen_pubkey_header.sh  | 3 ++-
 samples/remote_attestation/gen_pubkey_header.sh | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/samples/local_attestation/gen_pubkey_header.sh b/samples/local_attestation/gen_pubkey_header.sh
index f6d92d0d8b..66e0de512c 100755
--- a/samples/local_attestation/gen_pubkey_header.sh
+++ b/samples/local_attestation/gen_pubkey_header.sh
@@ -18,7 +18,8 @@ EOF
 printf 'static const char OTHER_ENCLAVE_PUBLIC_KEY[] =' >> "$destfile"
 while IFS="" read -r p || [ -n "$p" ]
 do
-    p="$(echo $p | tr -d \"\\\r\")"
+    CR=$(printf "\r")
+    p=$(echo "$p" | tr -d "$CR")
     printf '\n    \"%s\\n\"' "$p" >> "$destfile"
 done < "$pubkey_file"
 printf ';\n' >> "$destfile"
diff --git a/samples/remote_attestation/gen_pubkey_header.sh b/samples/remote_attestation/gen_pubkey_header.sh
index 594384da2e..9ea156d3f2 100755
--- a/samples/remote_attestation/gen_pubkey_header.sh
+++ b/samples/remote_attestation/gen_pubkey_header.sh
@@ -18,7 +18,8 @@ EOF
 printf 'static const char OTHER_ENCLAVE_PUBLIC_KEY[] =' >> "$destfile"
 while IFS="" read -r p || [ -n "$p" ]
 do
-    p="$(echo $p | tr -d \"\\\r\")"
+    CR=$(printf "\r")
+    p=$(echo "$p" | tr -d "$CR")
     printf '\n    \"%s\\n\"' "$p" >> "$destfile"
 done < "$pubkey_file"
 printf ';\n' >> "$destfile"

From c084c9950041efb03dcb938267350a45eec89fbe Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Mon, 30 Sep 2019 18:39:28 +0000
Subject: [PATCH 082/420] Set default install prefix on Windows to be relative
 path.

---
 cmake/package_settings.cmake | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/cmake/package_settings.cmake b/cmake/package_settings.cmake
index 3f4590110a..0604514f44 100644
--- a/cmake/package_settings.cmake
+++ b/cmake/package_settings.cmake
@@ -11,8 +11,13 @@
 #     $ cmake -DCMAKE_INSTALL_PREFIX=/opt/myplace ..
 #
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
-  set(CMAKE_INSTALL_PREFIX
-    "/opt/openenclave" CACHE PATH "default install prefix" FORCE)
+  if (WIN32)
+    set(CMAKE_INSTALL_PREFIX
+      "./openenclave" CACHE PATH "default install prefix" FORCE)
+  else ()
+    set(CMAKE_INSTALL_PREFIX
+      "/opt/openenclave" CACHE PATH "default install prefix" FORCE)
+  endif ()
 endif()
 
 include(GNUInstallDirs)

From 21fa9d321394a023010d15f4ba5ec929e9070c99 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Mon, 30 Sep 2019 18:54:36 +0000
Subject: [PATCH 083/420] Add linker flag generator expression to simplify
 samples CMakeList.txt

---
 cmake/openenclave-config.cmake.in             | 16 +++-------
 samples/data-sealing/common/CMakeLists.txt    | 29 +++++++------------
 .../local_attestation/common/CMakeLists.txt   | 28 +++++++-----------
 .../remote_attestation/common/CMakeLists.txt  |  8 +----
 4 files changed, 27 insertions(+), 54 deletions(-)

diff --git a/cmake/openenclave-config.cmake.in b/cmake/openenclave-config.cmake.in
index 5282c1d687..01c7340812 100644
--- a/cmake/openenclave-config.cmake.in
+++ b/cmake/openenclave-config.cmake.in
@@ -57,12 +57,8 @@ elseif (WIN32)
 endif ()
 
 if (NOT TARGET openenclave::sgx_enclave_common)
-  if (UNIX)
-    find_library(SGX_ENCLAVE_COMMON_LIB NAMES sgx_enclave_common)
-  elseif (WIN32)
-    find_library(SGX_ENCLAVE_COMMON_LIB NAMES sgx_enclave_common
-                 PATHS ${NUGET_PACKAGE_PATH}/EnclaveCommonAPI/lib/native/x64-Release)
-  endif ()
+  find_library(SGX_ENCLAVE_COMMON_LIB NAMES sgx_enclave_common
+	       HINTS ${NUGET_PACKAGE_PATH}/EnclaveCommonAPI/lib/native/x64-Release)
   if (NOT SGX_ENCLAVE_COMMON_LIB)
     message(FATAL_ERROR "-- Looking for sgx_enclave_common library - not found")
   else ()
@@ -77,12 +73,8 @@ if (NOT TARGET openenclave::sgx_enclave_common)
 endif ()
 
 if (NOT TARGET openenclave::sgx_dcap_ql)
-  if (UNIX)
-    find_library(SGX_DCAP_QL_LIB NAMES sgx_dcap_ql)
-  elseif (WIN32)
-    find_library(SGX_DCAP_QL_LIB NAMES sgx_dcap_ql
-	    PATHS ${NUGET_PACKAGE_PATH}/DCAP_Components/build/lib/native/Libraries)
-  endif ()
+  find_library(SGX_DCAP_QL_LIB NAMES sgx_dcap_ql
+               HINTS ${NUGET_PACKAGE_PATH}/DCAP_Components/build/lib/native/Libraries)
   if (NOT SGX_DCAP_QL_LIB)
     message(FATAL_ERROR "-- Looking for sgx_dcap_ql library - not found")
   else ()
diff --git a/samples/data-sealing/common/CMakeLists.txt b/samples/data-sealing/common/CMakeLists.txt
index 0d28bdfa84..8adb484176 100644
--- a/samples/data-sealing/common/CMakeLists.txt
+++ b/samples/data-sealing/common/CMakeLists.txt
@@ -10,24 +10,17 @@ add_custom_command(OUTPUT datasealing_t.h datasealing_t.c datasealing_args.h
 add_library(common STATIC dispatcher.cpp keys.cpp ${CMAKE_CURRENT_BINARY_DIR}/datasealing_t.c)
 target_compile_definitions(common PUBLIC OE_API_VERSION=2)
 
-if(NOT WIN32)
-  target_link_libraries(common PUBLIC
-    # `liboecore`, a dependency of `liboeenclave`, requires the ecalls
-    # function table. Because the libraries linking `libcommon` do not
-    # directly require this symbol, the linker skips the object in
-    # `libcommon` which defines them. So we manually require it.
-    #
-    # Alternatively we could use a CMake OBJECT library, but that
-    # requires a newish version of CMake.
-    -Wl,--require-defined=__oe_ecalls_table
-    openenclave::oeenclave
-    openenclave::oelibcxx)
-else()
-  target_link_libraries(common PUBLIC
-    openenclave::oeenclave
-    openenclave::oelibcxx)
-endif()
-
+target_link_libraries(common PUBLIC
+  # `liboecore`, a dependency of `liboeenclave`, requires the ecalls
+  # function table. Because the libraries linking `libcommon` do not
+  # directly require this symbol, the linker skips the object in
+  # `libcommon` which defines them. So we manually require it.
+  #
+  # Alternatively we could use a CMake OBJECT library, but that
+  # requires a newish version of CMake.
+  $<$<PLATFORM_ID:Linux>:-Wl,--require-defined=__oe_ecalls_table>
+  openenclave::oeenclave
+  openenclave::oelibcxx)
 if(WIN32)
   maybe_build_using_clangw(common)
 endif()
diff --git a/samples/local_attestation/common/CMakeLists.txt b/samples/local_attestation/common/CMakeLists.txt
index e6cb1bf4cb..fbc2b3dcbd 100644
--- a/samples/local_attestation/common/CMakeLists.txt
+++ b/samples/local_attestation/common/CMakeLists.txt
@@ -14,21 +14,15 @@ if(WIN32)
 endif()
 
 target_compile_definitions(common PUBLIC OE_API_VERSION=2)
-if(NOT WIN32)
-  target_link_libraries(common PUBLIC
-    # `liboecore`, a dependency of `liboeenclave`, requires the ecalls
-    # function table. Because the libraries linking `libcommon` do not
-    # directly require this symbol, the linker skips the object in
-    # `libcommon` which defines them. So we manually require it.
-    #
-    # Alternatively we could use a CMake OBJECT library, but that
-    # requires a newish version of CMake.
-    -Wl,--require-defined=__oe_ecalls_table
-    openenclave::oeenclave
-    openenclave::oelibcxx)
-else()
-  target_link_libraries(common PUBLIC
-    openenclave::oeenclave
-    openenclave::oelibcxx)
-endif()
+target_link_libraries(common PUBLIC
+  # `liboecore`, a dependency of `liboeenclave`, requires the ecalls
+  # function table. Because the libraries linking `libcommon` do not
+  # directly require this symbol, the linker skips the object in
+  # `libcommon` which defines them. So we manually require it.
+  #
+  # Alternatively we could use a CMake OBJECT library, but that
+  # requires a newish version of CMake.
+  $<$<PLATFORM_ID:Linux>:-Wl,--require-defined=__oe_ecalls_table>
+  openenclave::oeenclave
+  openenclave::oelibcxx)
 target_include_directories(common PUBLIC ${CMAKE_SOURCE_DIR} ${CMAKE_BINARY_DIR})
diff --git a/samples/remote_attestation/common/CMakeLists.txt b/samples/remote_attestation/common/CMakeLists.txt
index 24fc063508..1093e936b3 100644
--- a/samples/remote_attestation/common/CMakeLists.txt
+++ b/samples/remote_attestation/common/CMakeLists.txt
@@ -17,7 +17,6 @@ if(WIN32)
 endif()
 
 target_compile_definitions(common PUBLIC OE_API_VERSION=2)
-if(NOT WIN32)
 target_link_libraries(common PUBLIC
   # `liboecore`, a dependency of `liboeenclave`, requires the ecalls
   # function table. Because the libraries linking `libcommon` do not
@@ -26,12 +25,7 @@ target_link_libraries(common PUBLIC
   #
   # Alternatively we could use a CMake OBJECT library, but that
   # requires a newish version of CMake.
-  -Wl,--require-defined=__oe_ecalls_table
+  $<$<PLATFORM_ID:Linux>:-Wl,--require-defined=__oe_ecalls_table>
   openenclave::oeenclave
   openenclave::oelibcxx)
-else()
-target_link_libraries(common PUBLIC
-  openenclave::oeenclave
-  openenclave::oelibcxx)
-endif()
 target_include_directories(common PUBLIC ${CMAKE_SOURCE_DIR} ${CMAKE_BINARY_DIR})

From ebab105e92347fb27e414a2cc8269a2e6714526f Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Mon, 30 Sep 2019 20:18:14 +0000
Subject: [PATCH 084/420] Update Windows documents to include new
 NUGET_PACKAGE_PATH parameter.

---
 .../Contributors/WindowsSGX1FLCGettingStarted.md            | 4 ++--
 .../Contributors/WindowsSGX1GettingStarted.md               | 4 ++--
 docs/GettingStartedDocs/GettingStarted.Windows.md           | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index 5bd69b082e..0144da4cf1 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -70,7 +70,7 @@ To build debug enclaves:
 cd C:\openenclave
 mkdir build\x64-Debug
 cd build\x64-Debug
-cmake -G Ninja -DBUILD_ENCLAVES=1 -DUSE_LIBSGX=1 ..\..
+cmake -G Ninja -DBUILD_ENCLAVES=1 -DUSE_LIBSGX=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages ..\..
 ninja
 ```
 
@@ -79,7 +79,7 @@ Similarly, to build release enclaves:
 cd C:\openenclave
 mkdir build\x64-Release
 cd build\x64-Release
-cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_ENCLAVES=1 ../..
+cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_ENCLAVES=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages ../..
 ninja
 ```
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
index 2faa4d784b..8540dd7d5b 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -59,7 +59,7 @@ Normally this is accessible under the `Visual Studio 2017` folder in the Start M
    cd C:\openenclave
    mkdir build\x64-Debug
    cd build\x64-Debug
-   cmake -G Ninja -DBUILD_ENCLAVES=1 ..\..
+   cmake -G Ninja -DBUILD_ENCLAVES=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages ..\..
    ninja
    ```
 
@@ -69,7 +69,7 @@ Normally this is accessible under the `Visual Studio 2017` folder in the Start M
    cd C:\openenclave
    mkdir build\x64-Release
    cd build\x64-Release
-   cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_ENCLAVES=1 ..\..
+   cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_ENCLAVES=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages ..\..
    ninja
    ```
 
diff --git a/docs/GettingStartedDocs/GettingStarted.Windows.md b/docs/GettingStartedDocs/GettingStarted.Windows.md
index ae6cbd3559..e1b5fe5dd5 100644
--- a/docs/GettingStartedDocs/GettingStarted.Windows.md
+++ b/docs/GettingStartedDocs/GettingStarted.Windows.md
@@ -187,7 +187,7 @@ Normally this is accessible under the `Visual Studio 2017` folder in the Start M
    cd C:\openenclave
    mkdir build\x64-Debug
    cd build\x64-Debug
-   cmake -G Ninja -DBUILD_ENCLAVES=1 ../..
+   cmake -G Ninja -DBUILD_ENCLAVES=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_and_dcap_nuget_packages ../..
    ninja
    ```
 
@@ -196,7 +196,7 @@ Normally this is accessible under the `Visual Studio 2017` folder in the Start M
    cd C:\openenclave
    mkdir build\x64-Release
    cd build\x64-Release
-   cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_ENCLAVES=1 ../..
+   cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_ENCLAVES=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_and_dcap_nuget_packages ../..
    ninja
    ```
 
@@ -293,7 +293,7 @@ build. For example, for the x64-Debug configuration:
 cd C:\openenclave
 mkdir build\x64-Debug
 cd build\x64-Debug
-cmake -G Ninja -DBUILD_ENCLAVES=1 -DUSE_LIBSGX=1 ../..
+cmake -G Ninja -DBUILD_ENCLAVES=1 -DUSE_LIBSGX=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_and_dcap_nuget_packages ../..
 ninja
 ```
 

From 7daf64a0fa7a821a971eb9b9a81dc3afd4a0c08b Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Mon, 30 Sep 2019 20:22:55 +0000
Subject: [PATCH 085/420] Add 'installed' to failure message for not finding
 NUGET_PACKAGE_PATH.

---
 CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index adba6d6707..da196f7a6c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -147,7 +147,7 @@ if (WIN32)
     message(FATAL_ERROR "Git Bash not found!")
   endif ()
   if (NOT NUGET_PACKAGE_PATH)
-    message(FATAL_ERROR "NUGET_PACKAGE_PATH not defined. Please define NUGET_PACKAGE_PATH as the path to the Intel and DCAP Client nuget packages.")
+    message(FATAL_ERROR "NUGET_PACKAGE_PATH not defined. Please define NUGET_PACKAGE_PATH as the path to the installed Intel and DCAP Client nuget packages.")
   endif()
 else ()
   find_program(BASH bash)

From 76ca929c59939b47131fcd94425d6f59cd08ff9b Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Mon, 30 Sep 2019 20:37:35 +0000
Subject: [PATCH 086/420] Update Jenkinsfiles to use NUGET_PACKAGE_PATH.

---
 .jenkins/Jenkinsfile              | 9 +++------
 .jenkins/custom_label.Jenkinsfile | 3 +--
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
index b2d3c88658..f63a28d279 100644
--- a/.jenkins/Jenkinsfile
+++ b/.jenkins/Jenkinsfile
@@ -184,11 +184,10 @@ def win2016LinuxElfBuild(String version, String compiler, String build_type) {
                 checkout scm
                 unstash "linux-${compiler}-${build_type}-${version}-${BUILD_NUMBER}"
                 bat 'move build linuxbin'
-                powershell 'Copy-Item -Recurse C:\\openenclave\\prereqs\\nuget ${env:WORKSPACE}\\prereqs'
                 dir('build') {
                   bat """
                       vcvars64.bat x64 && \
-                      cmake.exe ${WORKSPACE} -G Ninja -DADD_WINDOWS_ENCLAVE_TESTS=ON -DBUILD_ENCLAVES=OFF -DUSE_LIBSGX=ON -DCMAKE_BUILD_TYPE=${build_type} -DLINUX_BIN_DIR=${WORKSPACE}\\linuxbin\\tests -Wdev && \
+                      cmake.exe ${WORKSPACE} -G Ninja -DADD_WINDOWS_ENCLAVE_TESTS=ON -DBUILD_ENCLAVES=OFF -DUSE_LIBSGX=ON -DCMAKE_BUILD_TYPE=${build_type} -DLINUX_BIN_DIR=${WORKSPACE}\\linuxbin\\tests -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -Wdev && \
                       ninja -v && \
                       ctest.exe -V -C ${build_type} --timeout ${CTEST_TIMEOUT_SECONDS}
                       """
@@ -212,11 +211,10 @@ def win2016CrossCompile(String build_type, String use_libsgx = 'OFF') {
 
                   /* We need to copy nuget into the expected location
                   https://github.com/microsoft/openenclave/blob/a982b46cf440def8fb66e94f2622a4f81e2b350b/host/CMakeLists.txt#L188-L197 */
-                  powershell 'Copy-Item -Recurse C:\\openenclave\\prereqs\\nuget ${env:WORKSPACE}\\prereqs'
 
                   bat """
                       vcvars64.bat x64 && \
-                      cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DUSE_LIBSGX=${use_libsgx} -Wdev && \
+                      cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DUSE_LIBSGX=${use_libsgx} -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -Wdev && \
                       ninja.exe && \
                       ctest.exe -V -C ${build_type} --timeout ${CTEST_TIMEOUT_SECONDS}
                       """
@@ -302,11 +300,10 @@ def ACCHostVerificationTest(String version, String build_type) {
                     cleanWs()
                     checkout scm
                     unstash "linux_host_verify-${build_type}-${BUILD_NUMBER}"
-                    powershell 'Copy-Item -Recurse C:\\openenclave\\prereqs\\nuget ${env:WORKSPACE}\\prereqs'
                     dir('build') {
                         bat """
                             vcvars64.bat x64 && \
-                            cmake.exe ${WORKSPACE} -G Ninja -DBUILD_ENCLAVES=OFF -DUSE_LIBSGX=OFF -DCMAKE_BUILD_TYPE=${build_type} -Wdev && \
+                            cmake.exe ${WORKSPACE} -G Ninja -DBUILD_ENCLAVES=OFF -DUSE_LIBSGX=OFF -DCMAKE_BUILD_TYPE=${build_type} -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -Wdev && \
                             ninja -v && \
                             ctest.exe -V -C ${build_type} -R host_verify --output-on-failure --timeout ${CTEST_TIMEOUT_SECONDS}
                             """
diff --git a/.jenkins/custom_label.Jenkinsfile b/.jenkins/custom_label.Jenkinsfile
index a0b8dca2f4..cb24bdadb4 100644
--- a/.jenkins/custom_label.Jenkinsfile
+++ b/.jenkins/custom_label.Jenkinsfile
@@ -52,11 +52,10 @@ def win2016CrossCompile(String build_type, String use_libsgx = 'OFF') {
 
                   /* We need to copy nuget into the expected location
                   https://github.com/microsoft/openenclave/blob/a982b46cf440def8fb66e94f2622a4f81e2b350b/host/CMakeLists.txt#L188-L197 */
-                  powershell 'Copy-Item -Recurse C:\\openenclave\\prereqs\\nuget ${env:WORKSPACE}\\prereqs'
 
                   bat """
                       vcvars64.bat x64 && \
-                      cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DUSE_LIBSGX=${use_libsgx} -Wdev && \
+                      cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DUSE_LIBSGX=${use_libsgx} -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -Wdev && \
                       ninja.exe && \
                       ctest.exe -V -C ${build_type} --timeout ${CTEST_TIMEOUT_SECONDS}
                       """

From 0c094fd112a0f8aa937932a153869cf9e4492009 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Mon, 30 Sep 2019 20:49:52 +0000
Subject: [PATCH 087/420] Update samples with format-code.

---
 samples/data-sealing/common/dispatcher.cpp | 8 ++++++--
 samples/data-sealing/host/host.cpp         | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/samples/data-sealing/common/dispatcher.cpp b/samples/data-sealing/common/dispatcher.cpp
index 061e7edb95..a60501884c 100644
--- a/samples/data-sealing/common/dispatcher.cpp
+++ b/samples/data-sealing/common/dispatcher.cpp
@@ -108,7 +108,10 @@ int ecall_dispatcher::seal_data(
     // generate signature by signing the hash of the sealed data with the seal
     // key
     ret = sign_sealed_data(
-        m_sealed_data, seal_key, (unsigned int)seal_key_size, m_sealed_data->signature);
+        m_sealed_data,
+        seal_key,
+        (unsigned int)seal_key_size,
+        m_sealed_data->signature);
     if (ret != 0)
     {
         TRACE_ENCLAVE("sign_sealed_data %d\n", ret);
@@ -191,7 +194,8 @@ int ecall_dispatcher::unseal_data(
     // structure then comparing it with sealed_data.signature
 
     // regenerate signature
-    ret = sign_sealed_data(m_sealed_data, seal_key, (unsigned int)seal_key_size, signature);
+    ret = sign_sealed_data(
+        m_sealed_data, seal_key, (unsigned int)seal_key_size, signature);
     if (ret != 0)
     {
         ret = ERROR_SIGN_SEALED_DATA_FAIL;
diff --git a/samples/data-sealing/host/host.cpp b/samples/data-sealing/host/host.cpp
index dc05b40b32..5908780792 100644
--- a/samples/data-sealing/host/host.cpp
+++ b/samples/data-sealing/host/host.cpp
@@ -9,7 +9,7 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #ifdef __linux__
-  #include <unistd.h>
+#include <unistd.h>
 #endif
 
 #include <iostream>

From 8f43af5940bdba6a390d6e468de3022f46e14461 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Mon, 30 Sep 2019 21:02:02 +0000
Subject: [PATCH 088/420] Add oesdk.nuspec to .check-license.ignore.

---
 scripts/.check-license.ignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/.check-license.ignore b/scripts/.check-license.ignore
index b0667ad985..7ccd0bdd32 100644
--- a/scripts/.check-license.ignore
+++ b/scripts/.check-license.ignore
@@ -67,3 +67,4 @@ tools/oeedger8r/main\.ml
 tools/oesign/getopt\.h
 tools/oesign/getopt_long\.c
 tests/host_verify/data/.*
+windows/oesdk.nuspec

From 9a37f86e1fcb956c578d43041554dbabcaacf968 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Mon, 30 Sep 2019 21:50:50 +0000
Subject: [PATCH 089/420] Add generator expression for referencing
 NUGET_PACKAGE_PATH.

---
 samples/CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/samples/CMakeLists.txt b/samples/CMakeLists.txt
index 6bc1fb6658..4d873a220d 100644
--- a/samples/CMakeLists.txt
+++ b/samples/CMakeLists.txt
@@ -16,4 +16,4 @@ install(FILES README.md
   DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples)
 
 add_test(NAME samples
-  COMMAND ${CMAKE_COMMAND} -DUSE_LIBSGX=${USE_LIBSGX} -DSOURCE_DIR=${CMAKE_CURRENT_SOURCE_DIR} -DBUILD_DIR=${PROJECT_BINARY_DIR} -DPREFIX_DIR=${CMAKE_INSTALL_PREFIX} -DNUGET_PACKAGE_PATH=${NUGET_PACKAGE_PATH} -P ${CMAKE_CURRENT_SOURCE_DIR}/test-samples.cmake)
+	COMMAND ${CMAKE_COMMAND} -DUSE_LIBSGX=${USE_LIBSGX} -DSOURCE_DIR=${CMAKE_CURRENT_SOURCE_DIR} -DBUILD_DIR=${PROJECT_BINARY_DIR} -DPREFIX_DIR=${CMAKE_INSTALL_PREFIX} $<$<PLATFORM_ID:Windows>:-DNUGET_PACKAGE_PATH=${NUGET_PACKAGE_PATH}> -P ${CMAKE_CURRENT_SOURCE_DIR}/test-samples.cmake)

From fa689fca1228ec885bcefcf07e17f78dccfced2a Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Mon, 30 Sep 2019 21:54:54 +0000
Subject: [PATCH 090/420] Only include samples tests if BUILD_ENCLAVES is ON.

---
 CMakeLists.txt | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index da196f7a6c..fc29ac6b83 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -228,7 +228,9 @@ if (UNIX)
   add_subdirectory(pkgconfig)
 endif()
 
-add_subdirectory(samples)
+if (BUILD_ENCLAVES)
+  add_subdirectory(samples)
+endif ()
 
 if (WIN32)
   install(FILES ./scripts/clangw ./scripts/llvm-arw

From bb0fdeed1b9d69c8fe7b4e9e2a158b63d06ea908 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Tue, 1 Oct 2019 02:47:01 +0000
Subject: [PATCH 091/420] Remove NUGET_PACKAGE_PATH reference in
 samples/CMakeLists.txt on Linux.

---
 samples/CMakeLists.txt | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/samples/CMakeLists.txt b/samples/CMakeLists.txt
index 4d873a220d..110cf584ff 100644
--- a/samples/CMakeLists.txt
+++ b/samples/CMakeLists.txt
@@ -15,5 +15,10 @@ install(DIRECTORY helloworld file-encryptor data-sealing switchless
 install(FILES README.md
   DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples)
 
-add_test(NAME samples
-	COMMAND ${CMAKE_COMMAND} -DUSE_LIBSGX=${USE_LIBSGX} -DSOURCE_DIR=${CMAKE_CURRENT_SOURCE_DIR} -DBUILD_DIR=${PROJECT_BINARY_DIR} -DPREFIX_DIR=${CMAKE_INSTALL_PREFIX} $<$<PLATFORM_ID:Windows>:-DNUGET_PACKAGE_PATH=${NUGET_PACKAGE_PATH}> -P ${CMAKE_CURRENT_SOURCE_DIR}/test-samples.cmake)
+if (WIN32)
+  add_test(NAME samples
+           COMMAND ${CMAKE_COMMAND} -DUSE_LIBSGX=${USE_LIBSGX} -DSOURCE_DIR=${CMAKE_CURRENT_SOURCE_DIR} -DBUILD_DIR=${PROJECT_BINARY_DIR} -DPREFIX_DIR=${CMAKE_INSTALL_PREFIX} -DNUGET_PACKAGE_PATH=${NUGET_PACKAGE_PATH} -P ${CMAKE_CURRENT_SOURCE_DIR}/test-samples.cmake)
+else ()
+  add_test(NAME samples
+           COMMAND ${CMAKE_COMMAND} -DUSE_LIBSGX=${USE_LIBSGX} -DSOURCE_DIR=${CMAKE_CURRENT_SOURCE_DIR} -DBUILD_DIR=${PROJECT_BINARY_DIR} -DPREFIX_DIR=${CMAKE_INSTALL_PREFIX} -P ${CMAKE_CURRENT_SOURCE_DIR}/test-samples.cmake)
+endif ()

From 70c5e76ff1bbe0d2121da15d0e3e2ba4d663bb44 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Tue, 1 Oct 2019 02:54:14 +0000
Subject: [PATCH 092/420] Change NOT WIN32 to UNIX.

---
 cmake/add_dcap_client_target.cmake   | 2 +-
 cmake/maybe_build_using_clangw.cmake | 2 +-
 samples/test-samples.cmake           | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/cmake/add_dcap_client_target.cmake b/cmake/add_dcap_client_target.cmake
index d1ac981588..f995a1e72f 100644
--- a/cmake/add_dcap_client_target.cmake
+++ b/cmake/add_dcap_client_target.cmake
@@ -11,7 +11,7 @@
 
 function(add_dcap_client_target TARGET_NAME)
 
-    if (NOT WIN32)
+    if (UNIX)
         message(WARNING "import_dcap_client is only intended for WIN32 build environments. Check if this invocation is needed.")
     endif ()
 
diff --git a/cmake/maybe_build_using_clangw.cmake b/cmake/maybe_build_using_clangw.cmake
index 04b65aca14..333d822eeb 100644
--- a/cmake/maybe_build_using_clangw.cmake
+++ b/cmake/maybe_build_using_clangw.cmake
@@ -22,7 +22,7 @@
 # rewrite of the build system CMakeLists.)
 #
 function(maybe_build_using_clangw OE_TARGET)
-    if (NOT WIN32)
+    if (UNIX)
         # Noop on Linux.
         return()
     endif()
diff --git a/samples/test-samples.cmake b/samples/test-samples.cmake
index d32126566a..5be7e5ae04 100644
--- a/samples/test-samples.cmake
+++ b/samples/test-samples.cmake
@@ -26,7 +26,7 @@ else ()
   if (USE_LIBSGX)
     list(APPEND SAMPLES_LIST local_attestation remote_attestation)
 	# The attested_tls test is not supported on Windows at this time.
-	if (NOT WIN32)
+	if (UNIX)
 	  list(APPEND SAMPLES_LIST attested_tls)
 	endif ()
   endif ()
@@ -83,7 +83,7 @@ foreach (SAMPLE ${SAMPLES_LIST})
       message(STATUS "Samples test '${SAMPLE}' with CMake passed!")
     endif ()
 
-    if (NOT WIN32)
+    if (UNIX)
       # Build with pkg-config if not running on Windows.
       message(STATUS "Samples test '${SAMPLE}' with pkg-config running...")
       execute_process(
@@ -99,7 +99,7 @@ foreach (SAMPLE ${SAMPLES_LIST})
   endif ()
 
   # Simulation mode is not supported on Windows currently.
-  if (NOT WIN32)
+  if (UNIX)
     # The file-encryptor and helloworld are special cases which also
     # work under simulation, so we test that additional scenario here.
     if (${SAMPLE} MATCHES "(file-encryptor|helloworld)")

From 149fd2468a6728ca0de469f76eebc876e5559d1b Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Tue, 1 Oct 2019 03:17:06 +0000
Subject: [PATCH 093/420] Address Simon's comments.

---
 3rdparty/musl/CMakeLists.txt                  |  8 ++---
 .../enclave_a/CMakeLists.txt                  |  2 +-
 .../enclave_b/CMakeLists.txt                  |  2 +-
 .../local_attestation/gen_pubkey_header.sh    |  1 +
 .../remote_attestation/common/CMakeLists.txt  |  2 +-
 .../remote_attestation/gen_pubkey_header.sh   |  1 +
 samples/test-samples.cmake                    |  8 ++---
 scripts/.check-license.ignore                 |  1 -
 tests/crypto/data/CMakeLists.txt              |  2 +-
 .../data/CMakeLists.txt                       |  2 +-
 tests/mbed/enc/CMakeLists.txt                 |  2 +-
 windows/README.md                             | 20 -----------
 windows/oesdk.nuspec                          | 33 -------------------
 13 files changed, 14 insertions(+), 70 deletions(-)
 delete mode 100644 windows/README.md
 delete mode 100644 windows/oesdk.nuspec

diff --git a/3rdparty/musl/CMakeLists.txt b/3rdparty/musl/CMakeLists.txt
index 037f5e33c0..d7b124fe66 100644
--- a/3rdparty/musl/CMakeLists.txt
+++ b/3rdparty/musl/CMakeLists.txt
@@ -57,7 +57,7 @@ ExternalProject_Add(musl_includes
       ${MUSL_DIR}/arch/${ARCH}/pthread_arch.h
   CONFIGURE_COMMAND
     ${CMAKE_COMMAND} -E chdir ${MUSL_DIR}
-    ${BASH} -x ./configure
+    ${OE_BASH} -x ./configure
       --includedir=${MUSL_INCLUDES}
       CFLAGS=${MUSL_CFLAGS}
       CC=${MUSL_CC}
@@ -73,12 +73,12 @@ ExternalProject_Add(musl_includes
         ${MUSL_DIR}/arch/${ARCH}/bits
         ${MUSL_INCLUDES}/bits
     # bash -c requires the command string to be in a single line
-    COMMAND ${BASH} -c "sed -f ${MUSL_DIR}/tools/mkalltypes.sed ${MUSL_DIR}/arch/${ARCH}/bits/alltypes.h.in ${MUSL_DIR}/include/alltypes.h.in > ${MUSL_INCLUDES}/bits/alltypes.h"
+    COMMAND ${OE_BASH} -c "sed -f ${MUSL_DIR}/tools/mkalltypes.sed ${MUSL_DIR}/arch/${ARCH}/bits/alltypes.h.in ${MUSL_DIR}/include/alltypes.h.in > ${MUSL_INCLUDES}/bits/alltypes.h"
     COMMAND ${CMAKE_COMMAND} -E copy
         ${MUSL_DIR}/arch/${ARCH}/bits/syscall.h.in
         ${MUSL_INCLUDES}/bits/syscall.h
     # bash -c requires the command string to be in a single line
-    COMMAND ${BASH} -c "sed -n -e s/__NR_/SYS_/p < ${MUSL_DIR}/arch/${ARCH}/bits/syscall.h.in >> ${MUSL_INCLUDES}/bits/syscall.h"
+    COMMAND ${OE_BASH} -c "sed -n -e s/__NR_/SYS_/p < ${MUSL_DIR}/arch/${ARCH}/bits/syscall.h.in >> ${MUSL_INCLUDES}/bits/syscall.h"
     COMMAND ${CMAKE_COMMAND} -E copy
       ${MUSL_INCLUDES}/endian.h
       ${MUSL_INCLUDES}/__endian.h
@@ -86,7 +86,7 @@ ExternalProject_Add(musl_includes
       ${PATCHES_DIR}/endian.h
       ${MUSL_INCLUDES}/endian.h
     # Append deprecations.h to all C header files.
-    COMMAND ${BASH} -c "${MUSL_APPEND_DEPRECATIONS}"
+    COMMAND ${OE_BASH} -c "${MUSL_APPEND_DEPRECATIONS}"
     # Copy local deprecations.h to include/bits/deprecated.h.
     COMMAND ${CMAKE_COMMAND} -E copy
       ${CMAKE_CURRENT_LIST_DIR}/deprecations.h
diff --git a/samples/local_attestation/enclave_a/CMakeLists.txt b/samples/local_attestation/enclave_a/CMakeLists.txt
index 0f36b215d6..baa1dd952b 100644
--- a/samples/local_attestation/enclave_a/CMakeLists.txt
+++ b/samples/local_attestation/enclave_a/CMakeLists.txt
@@ -4,7 +4,7 @@
 # Generate header with public key of enclave B (2)
 add_custom_command(OUTPUT enclave_b_pubkey.h
   DEPENDS public_key_b ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
-  COMMAND ${BASH} ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh enclave_b_pubkey.h ${CMAKE_BINARY_DIR}/enclave_b/public_b.pem)
+  COMMAND ${OE_BASH} ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh enclave_b_pubkey.h ${CMAKE_BINARY_DIR}/enclave_b/public_b.pem)
 
 add_executable(enclave_a ecalls.cpp ${CMAKE_CURRENT_BINARY_DIR}/enclave_b_pubkey.h)
 
diff --git a/samples/local_attestation/enclave_b/CMakeLists.txt b/samples/local_attestation/enclave_b/CMakeLists.txt
index 1973fed919..9a65f583b6 100644
--- a/samples/local_attestation/enclave_b/CMakeLists.txt
+++ b/samples/local_attestation/enclave_b/CMakeLists.txt
@@ -8,7 +8,7 @@
 
 add_custom_command(OUTPUT enclave_a_pubkey.h
   DEPENDS public_key_a ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
-  COMMAND ${BASH} ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh enclave_a_pubkey.h ${CMAKE_BINARY_DIR}/enclave_a/public_a.pem)
+  COMMAND ${OE_BASH} ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh enclave_a_pubkey.h ${CMAKE_BINARY_DIR}/enclave_a/public_a.pem)
 
 add_executable(enclave_b ecalls.cpp ${CMAKE_CURRENT_BINARY_DIR}/enclave_a_pubkey.h)
 
diff --git a/samples/local_attestation/gen_pubkey_header.sh b/samples/local_attestation/gen_pubkey_header.sh
index 66e0de512c..4a51938fb4 100755
--- a/samples/local_attestation/gen_pubkey_header.sh
+++ b/samples/local_attestation/gen_pubkey_header.sh
@@ -18,6 +18,7 @@ EOF
 printf 'static const char OTHER_ENCLAVE_PUBLIC_KEY[] =' >> "$destfile"
 while IFS="" read -r p || [ -n "$p" ]
 do
+    # Sometimes openssl can insert carriage returns into the PEM files. Let's remove those!
     CR=$(printf "\r")
     p=$(echo "$p" | tr -d "$CR")
     printf '\n    \"%s\\n\"' "$p" >> "$destfile"
diff --git a/samples/remote_attestation/common/CMakeLists.txt b/samples/remote_attestation/common/CMakeLists.txt
index 1093e936b3..b3929ad559 100644
--- a/samples/remote_attestation/common/CMakeLists.txt
+++ b/samples/remote_attestation/common/CMakeLists.txt
@@ -3,7 +3,7 @@
 
 add_custom_command(OUTPUT enclave_a_pubkey.h
   DEPENDS public_key_a ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
-  COMMAND ${BASH} ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh enclave_a_pubkey.h ${CMAKE_BINARY_DIR}/enclave_a/public_a.pem)
+  COMMAND ${OE_BASH} ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh enclave_a_pubkey.h ${CMAKE_BINARY_DIR}/enclave_a/public_a.pem)
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT remoteattestation_t.h remoteattestation_t.c remoteattestation_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/remoteattestation.edl
diff --git a/samples/remote_attestation/gen_pubkey_header.sh b/samples/remote_attestation/gen_pubkey_header.sh
index 9ea156d3f2..95a4402781 100755
--- a/samples/remote_attestation/gen_pubkey_header.sh
+++ b/samples/remote_attestation/gen_pubkey_header.sh
@@ -18,6 +18,7 @@ EOF
 printf 'static const char OTHER_ENCLAVE_PUBLIC_KEY[] =' >> "$destfile"
 while IFS="" read -r p || [ -n "$p" ]
 do
+    # Sometimes openssl can insert carriage returns into the PEM files. Let's remove those!
     CR=$(printf "\r")
     p=$(echo "$p" | tr -d "$CR")
     printf '\n    \"%s\\n\"' "$p" >> "$destfile"
diff --git a/samples/test-samples.cmake b/samples/test-samples.cmake
index 5be7e5ae04..f71624ba25 100644
--- a/samples/test-samples.cmake
+++ b/samples/test-samples.cmake
@@ -34,16 +34,12 @@ endif ()
 
 if (WIN32)
   # On Windows, DESTDIR is not supported by cmake for the install function. Must use a relative path for -DCMAKE_INSTALL_PREFIX:PATH
-  execute_process(COMMAND ${CMAKE_COMMAND} --build ${BUILD_DIR} --target install)
-else ()
-  execute_process(COMMAND ${CMAKE_COMMAND} -E env DESTDIR=${BUILD_DIR}/install ${CMAKE_COMMAND} --build ${BUILD_DIR} --target install)
-endif ()
-
-if (WIN32)
   set(INSTALL_DIR ${BUILD_DIR}/${PREFIX_DIR})
+  execute_process(COMMAND ${CMAKE_COMMAND} --build ${BUILD_DIR} --target install)
 else ()
   # The prefix is appended to the value given to DESTDIR, e.g. build/install/opt/openenclave/...
   set(INSTALL_DIR ${BUILD_DIR}/install/${PREFIX_DIR})
+  execute_process(COMMAND ${CMAKE_COMMAND} -E env DESTDIR=${BUILD_DIR}/install ${CMAKE_COMMAND} --build ${BUILD_DIR} --target install)
 endif ()
 
 # A variable to know if all samples ran successfully
diff --git a/scripts/.check-license.ignore b/scripts/.check-license.ignore
index 7ccd0bdd32..b0667ad985 100644
--- a/scripts/.check-license.ignore
+++ b/scripts/.check-license.ignore
@@ -67,4 +67,3 @@ tools/oeedger8r/main\.ml
 tools/oesign/getopt\.h
 tools/oesign/getopt_long\.c
 tests/host_verify/data/.*
-windows/oesdk.nuspec
diff --git a/tests/crypto/data/CMakeLists.txt b/tests/crypto/data/CMakeLists.txt
index 46bec8e163..c6761e67a9 100644
--- a/tests/crypto/data/CMakeLists.txt
+++ b/tests/crypto/data/CMakeLists.txt
@@ -12,7 +12,7 @@ endif()
 
 add_custom_target(
     crypto_test_data ALL
-    COMMAND ${BASH} -c "${CMAKE_CURRENT_SOURCE_DIR}/make-test-certs ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR} ${BUILD_OPT}"
+    COMMAND ${OE_BASH} -c "${CMAKE_CURRENT_SOURCE_DIR}/make-test-certs ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR} ${BUILD_OPT}"
     # These are specifically the byproducts that will be directly consumed by crypto tests
     BYPRODUCTS
         asn1.cert.pem
diff --git a/tests/crypto_crls_cert_chains/data/CMakeLists.txt b/tests/crypto_crls_cert_chains/data/CMakeLists.txt
index a2ffdad46c..07d4c2c448 100644
--- a/tests/crypto_crls_cert_chains/data/CMakeLists.txt
+++ b/tests/crypto_crls_cert_chains/data/CMakeLists.txt
@@ -12,7 +12,7 @@ endif()
 
 add_custom_target(
     crypto_crls_cert_chains_test_data ALL
-    COMMAND ${BASH} -c "${CMAKE_CURRENT_SOURCE_DIR}/make-test-certs ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR} ${BUILD_OPT}"
+    COMMAND ${OE_BASH} -c "${CMAKE_CURRENT_SOURCE_DIR}/make-test-certs ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR} ${BUILD_OPT}"
     # These are specifically the byproducts that will be directly consumed by crypto_crls_cert_chains tests
     BYPRODUCTS
     root.cert.pem
diff --git a/tests/mbed/enc/CMakeLists.txt b/tests/mbed/enc/CMakeLists.txt
index b2ab5ec4b9..b934f3bbff 100644
--- a/tests/mbed/enc/CMakeLists.txt
+++ b/tests/mbed/enc/CMakeLists.txt
@@ -30,7 +30,7 @@ function(add_mbed_test_enclave NAME)
                                      " --out-dir ${CMAKE_CURRENT_BINARY_DIR}")
   add_custom_command(
     OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/test_suite_${NAME}.c
-    COMMAND ${BASH} -c "python ${GEN_TEST_CODE_SCRIPT}"
+    COMMAND ${OE_BASH} -c "python ${GEN_TEST_CODE_SCRIPT}"
     DEPENDS
     mbedcrypto
     ${MBEDTLS_TESTS_DIR}/scripts/generate_test_code.py
diff --git a/windows/README.md b/windows/README.md
deleted file mode 100644
index 2fe161c10b..0000000000
--- a/windows/README.md
+++ /dev/null
@@ -1,20 +0,0 @@
-Windows
-================
-
-This folder contains an example `oesdk.nuspec` to illustrate what a nuspec for OE SDK on Windows might look like.
-It can be built from this folder with the `nuget.exe` tool, which can be downloaded from:
-https://www.nuget.org/api/v2/package/NuGet.exe/3.4.3.
-
-You can rename the `nuget.exe.3.4.3.nupkg` file to the `.zip` extension and manually extract the `nuget.exe`
-into this folder. You can then run:
-
-```cmd
-nuget pack oesdk.nuspec
-```
-
-This should produce `OpenEnclave.SDK.0.7.0.nupkg` in your local path. You can then also rename that to `.zip`
-to explore its contents, or install it into the file system:
-
-```cmd
-nuget.exe install OpenEnclave.SDK -source <full path to folder containing .nupkg> -OutputDirectory .\nuget
-```
\ No newline at end of file
diff --git a/windows/oesdk.nuspec b/windows/oesdk.nuspec
deleted file mode 100644
index 33e7c98fa2..0000000000
--- a/windows/oesdk.nuspec
+++ /dev/null
@@ -1,33 +0,0 @@
-<?xml version="1.0"?>
-<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
-    <!-- Refer to https://docs.microsoft.com/en-us/nuget/reference/nuspec for details -->
-    <metadata>
-        <id>OpenEnclave.SDK</id>
-        <version>0.7.0</version>
-        <description>
-            Open Enclave (OE) is an SDK for building Trusted Applications (TA) in C and C++. An enclave application partitions itself into two components:
-             - An untrusted component (called the host)
-             - A trusted component (called the enclave)
-
-            The enclave executes in a protected memory region that provides confidentiality both data and code execution. These protections are provided by a Trusted Execution Environment (TEE), which is usually secured by hardware such as Intel Software Guard Extensions (SGX).
-
-            This SDK aims to generalize the development of enclave applications across TEEs from different hardware vendors. While the current implementation is focused on Intel SGX, support for ARM TrustZone is already under development.
-            As an open source project, this SDK also strives to provide a transparent solution that is agnostic to specific vendors, service providers and choice of operating systems.
-        </description>
-        <authors>Microsoft,Confidential Computing Consortium</authors>
-        <owners>Microsoft,Confidential Computing Consortium</owners>
-        <copyright>&#169; Microsoft Corporation. All rights reserved.</copyright>
-        <projectUrl>https://github.com/openenclave/openenclave</projectUrl>
-        <license type="expression">MIT</license>
-        <requireLicenseAcceptance>false</requireLicenseAcceptance>
-        <!-- TODO: <releaseNotes>Open Enclave SDK v0.7.0 release notes</releaseNotes> -->
-    </metadata>
-
-    <files>
-        <!-- This does not have parity with the .deb package, partial includes just to illustrate the file inclusion syntax -->
-        <file src="..\build\x64-debug\output\bin\*.exe" target="bin" />
-        <file src="..\build\x64-debug\output\include\**" target="include" />
-        <file src="..\include\**" exclude="..\include\CMakeLists.txt;..\include\openenclave\corelibc\**;..\include\openenclave\internal\**" target="include" />
-        <file src="..\build\x64-debug\output\lib\**" target="lib" />
-    </files>
-</package>

From e2790529c93d66c19fa02283c6eb64108742dbcf Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Tue, 1 Oct 2019 04:09:38 +0000
Subject: [PATCH 094/420] Disable switchless sample on Windows.

---
 samples/test-samples.cmake | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/samples/test-samples.cmake b/samples/test-samples.cmake
index f71624ba25..7d87e5ea02 100644
--- a/samples/test-samples.cmake
+++ b/samples/test-samples.cmake
@@ -7,7 +7,7 @@
 #     cmake -DUSE_LIBSGX=ON -DSOURCE_DIR=~/openenclave -DBUILD_DIR=~/openenclave/build -DPREFIX_DIR=/opt/openenclave -P ~/openenclave/samples/test-samples.cmake
 
 # These two samples can run in simulation, and therefore run in every configuration.
-set(SAMPLES_LIST helloworld file-encryptor switchless)
+set(SAMPLES_LIST helloworld file-encryptor)
 
 if ($ENV{OE_SIMULATION})
   message(WARNING "Running only sample simulation tests due to OE_SIMULATION=$ENV{OE_SIMULATION}!")
@@ -25,10 +25,13 @@ else ()
   # against SGX.
   if (USE_LIBSGX)
     list(APPEND SAMPLES_LIST local_attestation remote_attestation)
-	# The attested_tls test is not supported on Windows at this time.
-	if (UNIX)
-	  list(APPEND SAMPLES_LIST attested_tls)
-	endif ()
+    # The attested_tls test is not supported on Windows at this time.
+    if (UNIX)
+	    list(APPEND SAMPLES_LIST attested_tls)
+    endif ()
+  endif ()
+  if (UNIX)
+    list(APPEND SAMPLES_LIST switchless)
   endif ()
 endif ()
 

From d4d03fa83d68d8a0133665ec8ca4077110a4bbe4 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Tue, 1 Oct 2019 23:40:50 +0000
Subject: [PATCH 095/420] Address more comments.

---
 CMakeLists.txt                                | 13 +++----
 cmake/cpack_settings.cmake                    |  2 +-
 cmake/openenclave-config.cmake.in             | 36 ++++++++++++++-----
 cmake/package_settings.cmake                  |  5 ---
 .../WindowsManualInstallPrereqs.md            |  9 ++++-
 samples/CMakeLists.txt                        | 14 ++++----
 samples/data-sealing/common/dispatcher.cpp    | 36 +++++++++++++++++++
 7 files changed, 84 insertions(+), 31 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index fc29ac6b83..a91f8c808b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -30,11 +30,6 @@ project("Open Enclave SDK" LANGUAGES C CXX ${OE_ASM}
 set(PROJECT_VERSION ${OE_VERSION})
 set(OE_SCRIPTSDIR "${PROJECT_SOURCE_DIR}/scripts")
 
-find_program(OE_BASH bash)
-if (NOT OE_BASH)
-  message(FATAL_ERROR "-- Unable to find bash")
-endif ()
-
 list(APPEND CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake")
 
 # Collect Git info
@@ -139,19 +134,19 @@ if (WIN32)
   # explicitly searching only for Git Bash. See #1302 for more.
   find_program(GIT git)
   get_filename_component(GIT_DIR ${GIT} DIRECTORY)
-  find_program(BASH bash
+  find_program(OE_BASH bash
     PATHS "C:/Program Files/Git/bin" "${GIT_DIR}/../bin"
     NO_DEFAULT_PATH) # Do not find WSL bash.
 
-  if (NOT BASH)
+  if (NOT OE_BASH)
     message(FATAL_ERROR "Git Bash not found!")
   endif ()
   if (NOT NUGET_PACKAGE_PATH)
     message(FATAL_ERROR "NUGET_PACKAGE_PATH not defined. Please define NUGET_PACKAGE_PATH as the path to the installed Intel and DCAP Client nuget packages.")
   endif()
 else ()
-  find_program(BASH bash)
-  if (NOT BASH)
+  find_program(OE_BASH bash)
+  if (NOT OE_BASH)
     message(FATAL_ERROR "Bash not found!")
   endif ()
 endif ()
diff --git a/cmake/cpack_settings.cmake b/cmake/cpack_settings.cmake
index 8cdd96664a..930fcb8b38 100644
--- a/cmake/cpack_settings.cmake
+++ b/cmake/cpack_settings.cmake
@@ -27,7 +27,7 @@ set(CPACK_COMPONENT_OEHOSTVERIFY_DESCRIPTION "Open Enclave Report Verification H
 
 # CPack variables for Nuget packages
 set(CPACK_NUGET_PACKAGE_NAME "open-enclave")
-set(CPACK_NUGET_PACKAGE_AUTHORS "Microsoft, Confidential Computing Consortium")
+set(CPACK_NUGET_PACKAGE_AUTHORS "Open Enclave SDK Contributors")
 set(CPACK_NUGET_PACKAGE_VERSION ${OE_VERSION})
 set(CPACK_NUGET_PACKAGE_LICENSEURL "https://github.com/openenclave/openenclave/blob/master/LICENSE")
 
diff --git a/cmake/openenclave-config.cmake.in b/cmake/openenclave-config.cmake.in
index 01c7340812..02d3d84907 100644
--- a/cmake/openenclave-config.cmake.in
+++ b/cmake/openenclave-config.cmake.in
@@ -17,14 +17,30 @@ set(OE_SCRIPTSDIR "@PACKAGE_CMAKE_INSTALL_BINDIR@/scripts")
 if (WIN32)
   set(OE_SGX ON)
   set(USE_CLANGW ON)
+
+  # NOTE: On Windows we have found that we must use Git Bash, not the
+  # Bash from the Windows Subsystem for Linux. Hence this is
+  # explicitly searching only for Git Bash. See #1302 for more.
+  find_program(GIT git)
+  get_filename_component(GIT_DIR ${GIT} DIRECTORY)
+  find_program(OE_BASH bash
+    PATHS "C:/Program Files/Git/bin" "${GIT_DIR}/../bin"
+    NO_DEFAULT_PATH) # Do not find WSL bash.
+
   if (NOT OE_BASH)
-    find_program(OE_BASH bash.exe)
-    if (NOT OE_BASH)
-      message(FATAL_ERROR "-- Looking for bash.exe - not found")
-    endif ()
+    message(FATAL_ERROR "-- Git Bash not found!")
+  endif ()
+  if (NOT NUGET_PACKAGE_PATH)
+    message(FATAL_ERROR "NUGET_PACKAGE_PATH not defined. Please define NUGET_PACKAGE_PATH as the path to the installed Intel and DCAP Client nuget packages.")
+  endif()
+else ()
+  find_program(OE_BASH bash)
+  if (NOT OE_BASH)
+    message(FATAL_ERROR "-- Bash not found!")
   endif ()
 endif ()
 
+
 # Dependencies.
 include(CMakeFindDependencyMacro)
 find_dependency(Threads)
@@ -62,12 +78,14 @@ if (NOT TARGET openenclave::sgx_enclave_common)
   if (NOT SGX_ENCLAVE_COMMON_LIB)
     message(FATAL_ERROR "-- Looking for sgx_enclave_common library - not found")
   else ()
-    message("-- Looking for sgx_enclave_common library - found")
+    message(VERBOSE "-- Looking for sgx_enclave_common library - found")
     add_library(openenclave::sgx_enclave_common SHARED IMPORTED)
     if (UNIX)
       set_target_properties(openenclave::sgx_enclave_common PROPERTIES IMPORTED_LOCATION ${SGX_ENCLAVE_COMMON_LIB})
     elseif (WIN32)
-      set_target_properties(openenclave::sgx_enclave_common PROPERTIES IMPORTED_LOCATION $ENV{WINDIR}/System32 IMPORTED_IMPLIB ${SGX_ENCLAVE_COMMON_LIB})
+      set_target_properties(openenclave::sgx_enclave_common PROPERTIES
+                            IMPORTED_LOCATION $ENV{WINDIR}/System32
+                            IMPORTED_IMPLIB ${SGX_ENCLAVE_COMMON_LIB})
     endif ()
   endif ()
 endif ()
@@ -78,12 +96,14 @@ if (NOT TARGET openenclave::sgx_dcap_ql)
   if (NOT SGX_DCAP_QL_LIB)
     message(FATAL_ERROR "-- Looking for sgx_dcap_ql library - not found")
   else ()
-    message("-- Looking for sgx_dcap_ql library - found")
+    message(VERBOSE "-- Looking for sgx_dcap_ql library - found")
     add_library(openenclave::sgx_dcap_ql SHARED IMPORTED)
     if (UNIX)
       set_target_properties(openenclave::sgx_dcap_ql PROPERTIES IMPORTED_LOCATION ${SGX_DCAP_QL_LIB})
     elseif (WIN32)
-      set_target_properties(openenclave::sgx_dcap_ql PROPERTIES IMPORTED_LOCATION $ENV{WINDIR}/System32 IMPORTED_IMPLIB ${SGX_DCAP_QL_LIB})
+      set_target_properties(openenclave::sgx_dcap_ql PROPERTIES
+                            IMPORTED_LOCATION $ENV{WINDIR}/System32
+                            IMPORTED_IMPLIB ${SGX_DCAP_QL_LIB})
     endif ()
   endif ()
 endif ()
diff --git a/cmake/package_settings.cmake b/cmake/package_settings.cmake
index 0604514f44..918b70efd7 100644
--- a/cmake/package_settings.cmake
+++ b/cmake/package_settings.cmake
@@ -54,11 +54,6 @@ install(
   DESTINATION ${CMAKE_INSTALL_LIBDIR}/openenclave/cmake
   FILE openenclave-targets.cmake
   COMPONENT OEHOSTVERIFY)
-if (WIN32)
-  install(
-    FILES ${CMAKE_SOURCE_DIR}/cmake/maybe_build_using_clangw.cmake
-    DESTINATION ${CMAKE_INSTALL_LIBDIR}/openenclave/cmake)
-endif ()
 install(
   FILES ${PROJECT_SOURCE_DIR}/cmake/sdk_cmake_targets_readme.md
   DESTINATION ${CMAKE_INSTALL_LIBDIR}/openenclave/cmake
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
index 6937210d5e..5465a994e9 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
@@ -15,6 +15,7 @@
 - [Git for Windows 64-bit](https://git-scm.com/download/win)
 - [OCaml for Windows 64-bit](https://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/20160113/)
 - [Clang/LLVM for Windows 64-bit](http://releases.llvm.org/7.0.1/LLVM-7.0.1-win64.exe)
+- [Python 3](https://www.python.org/downloads/windows/)
 
 ## Prerequisites specific to SGX support on your system
 
@@ -78,4 +79,10 @@ Open up a command prompt and ensure that ocaml is added to PATH.
 ```cmd
 C:\> where ocaml
 C:\Program Files\ocpwin64\4.02.1+ocp1-msvc64-20160113\bin\ocaml.exe
-```
\ No newline at end of file
+```
+
+## Python 3
+
+Install [Python 3 for Windows](https://www.python.org/downloads/windows/) and ensure that python.exe is available in your PATH.
+
+Python 3 is used as part of the mbedtls tests.
diff --git a/samples/CMakeLists.txt b/samples/CMakeLists.txt
index 110cf584ff..08340e2edb 100644
--- a/samples/CMakeLists.txt
+++ b/samples/CMakeLists.txt
@@ -2,18 +2,18 @@
 # Licensed under the MIT License.
 
 if (USE_LIBSGX)
-   install(DIRECTORY remote_attestation local_attestation attested_tls
-    DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples
-    PATTERN "gen_pubkey_header.sh"
-    PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ
-        GROUP_EXECUTE GROUP_READ WORLD_EXECUTE WORLD_READ)
+  install(DIRECTORY remote_attestation local_attestation attested_tls
+          DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples
+          PATTERN "gen_pubkey_header.sh"
+          PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ
+          GROUP_EXECUTE GROUP_READ WORLD_EXECUTE WORLD_READ)
 endif ()
 
 install(DIRECTORY helloworld file-encryptor data-sealing switchless
-  DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples)
+        DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples)
 
 install(FILES README.md
-  DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples)
+        DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples)
 
 if (WIN32)
   add_test(NAME samples
diff --git a/samples/data-sealing/common/dispatcher.cpp b/samples/data-sealing/common/dispatcher.cpp
index a60501884c..6b4f5dbe2b 100644
--- a/samples/data-sealing/common/dispatcher.cpp
+++ b/samples/data-sealing/common/dispatcher.cpp
@@ -86,6 +86,21 @@ int ecall_dispatcher::seal_data(
     }
     memcpy(iv, m_sealed_data->iv, IV_SIZE);
 
+    // We need to cast these variables down to unsigned int.
+    // Check if that will cut off any significant bits.
+    if (m_data_size > UINT32_MAX)
+    {
+        TRACE_ENCLAVE(
+            "m_data_size is too large to fit into an unsigned int", 1);
+        goto exit;
+    }
+    if (seal_key_size > UINT32_MAX)
+    {
+        TRACE_ENCLAVE(
+            "seal_key_size is too large to fit into an unsigned int", 1);
+        goto exit;
+    }
+
     // seal data: encrypt data with the seal key
     ret = cipher_data(
         ENCRYPT_OPERATION,
@@ -189,6 +204,21 @@ int ecall_dispatcher::unseal_data(
     // read initialization vector values
     memcpy(iv, m_sealed_data->iv, IV_SIZE);
 
+    // We need to cast these variables down to unsigned int.
+    // Check if that will cut off any significant bits.
+    if (m_sealed_data->encrypted_data_len > UINT32_MAX)
+    {
+        TRACE_ENCLAVE(
+            "seal_key_size is too large to fit into an unsigned int", 1);
+        goto exit;
+    }
+    if (seal_key_size > UINT32_MAX)
+    {
+        TRACE_ENCLAVE(
+            "seal_key_size is too large to fit into an unsigned int", 1);
+        goto exit;
+    }
+
     // validate signature by re-generating a signature from the input
     // sealed_data
     // structure then comparing it with sealed_data.signature
@@ -296,6 +326,12 @@ oe_result_t ecall_dispatcher::get_seal_key_and_prep_sealed_data(
     else
         padded_byte_count = CIPHER_BLOCK_SIZE - bytes_left;
 
+    if (padded_byte_count > UINT32_MAX)
+    {
+        TRACE_ENCLAVE("padded_byte_count is too large to fit into an int", 1);
+        goto exit;
+    }
+
     padded_data = (unsigned char*)malloc(m_data_size + padded_byte_count);
     if (padded_data == NULL)
     {

From c0832e4989e83f42a63f7ffd19f2481cf5acaf12 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Wed, 2 Oct 2019 00:21:34 +0000
Subject: [PATCH 096/420] Change Windows docs to use forward slash path
 separators.

---
 .../Contributors/WindowsSGX1FLCGettingStarted.md              | 2 +-
 .../Contributors/WindowsSGX1GettingStarted.md                 | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index 0144da4cf1..1cce15df1d 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -70,7 +70,7 @@ To build debug enclaves:
 cd C:\openenclave
 mkdir build\x64-Debug
 cd build\x64-Debug
-cmake -G Ninja -DBUILD_ENCLAVES=1 -DUSE_LIBSGX=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages ..\..
+cmake -G Ninja -DBUILD_ENCLAVES=1 -DUSE_LIBSGX=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages ../..
 ninja
 ```
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
index 8540dd7d5b..5ec8fd0f31 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -59,7 +59,7 @@ Normally this is accessible under the `Visual Studio 2017` folder in the Start M
    cd C:\openenclave
    mkdir build\x64-Debug
    cd build\x64-Debug
-   cmake -G Ninja -DBUILD_ENCLAVES=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages ..\..
+   cmake -G Ninja -DBUILD_ENCLAVES=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages ../..
    ninja
    ```
 
@@ -69,7 +69,7 @@ Normally this is accessible under the `Visual Studio 2017` folder in the Start M
    cd C:\openenclave
    mkdir build\x64-Release
    cd build\x64-Release
-   cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_ENCLAVES=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages ..\..
+   cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_ENCLAVES=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages ../..
    ninja
    ```
 

From 8764c3c3cdcd0b4e5f16d0deb9c7f4fbabf7f736 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Wed, 2 Oct 2019 04:11:14 +0000
Subject: [PATCH 097/420] Remove unistd.h include in file-encryptor and
 data-sealing.

---
 samples/data-sealing/host/host.cpp   | 3 ---
 samples/file-encryptor/host/host.cpp | 3 ---
 2 files changed, 6 deletions(-)

diff --git a/samples/data-sealing/host/host.cpp b/samples/data-sealing/host/host.cpp
index 5908780792..905b610289 100644
--- a/samples/data-sealing/host/host.cpp
+++ b/samples/data-sealing/host/host.cpp
@@ -8,9 +8,6 @@
 #include <stdio.h>
 #include <sys/stat.h>
 #include <sys/types.h>
-#ifdef __linux__
-#include <unistd.h>
-#endif
 
 #include <iostream>
 #include <vector>
diff --git a/samples/file-encryptor/host/host.cpp b/samples/file-encryptor/host/host.cpp
index 2875a4d9c9..1b5344ce8b 100644
--- a/samples/file-encryptor/host/host.cpp
+++ b/samples/file-encryptor/host/host.cpp
@@ -7,9 +7,6 @@
 #include <stdio.h>
 #include <sys/stat.h>
 #include <sys/types.h>
-#if defined(__linux__)
-#include <unistd.h>
-#endif
 #include <fstream>
 #include <iostream>
 #include <iterator>

From 206204df4487b2b0520ca5a1199e3563c777a563 Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Wed, 2 Oct 2019 22:21:27 +0000
Subject: [PATCH 098/420] Address PR feedback and add detailed comments.

- Move event handling to platform specific files
- Switch to __atomic primitives since __sync primitives are deprecated
- Locked down oe_host_worker_context_t layout since it is used both
  by host (windows/linux) and enclave (always linux elf)
- Added comments around event handling
---
 enclave/core/switchlesscalls.c            | 40 +++++++++++--
 host/CMakeLists.txt                       |  5 +-
 host/linux/hostthread.c                   |  4 --
 host/sgx/linux/switchless.c               | 63 ++++++++++++++++++++
 host/sgx/switchless.c                     | 70 +++--------------------
 host/sgx/windows/switchless.c             | 29 ++++++++++
 include/openenclave/internal/switchless.h | 21 +++++--
 7 files changed, 156 insertions(+), 76 deletions(-)
 create mode 100644 host/sgx/linux/switchless.c
 create mode 100644 host/sgx/windows/switchless.c

diff --git a/enclave/core/switchlesscalls.c b/enclave/core/switchlesscalls.c
index 5d0624c481..3628be5be4 100644
--- a/enclave/core/switchlesscalls.c
+++ b/enclave/core/switchlesscalls.c
@@ -71,7 +71,6 @@ oe_result_t oe_handle_init_switchless(uint64_t arg_in)
     // Copy the worker context array pointer and its size to avoid TOCTOU
     _host_worker_count = safe_manager.num_host_workers;
     _host_worker_contexts = safe_manager.host_worker_contexts;
-
     result = OE_OK;
 
 done:
@@ -99,18 +98,49 @@ oe_result_t oe_post_switchless_ocall(oe_call_host_function_args_t* args)
     size_t tries = _host_worker_count;
     while (tries--)
     {
+        // Check if the worker's slot is free.
         if (_host_worker_contexts[tries].call_arg == NULL)
         {
+            // Try to atomically grab the slot by placing args in the slot.
+            // If the atomic operation was successful, then the worker thread
+            // will execute this switchless ocall. If the atomic operation
+            // failed, this means that the slot was grabbed by another
+            // switchless ocall and therefore, we must scan for another worker
+            // thread with a free slot.
             if (oe_atomic_compare_and_swap_ptr(
                     (void* volatile*)&_host_worker_contexts[tries].call_arg,
                     NULL,
                     args))
             {
-                // Set the worker's state to RUNNING.
-                if (__sync_val_compare_and_swap(
-                        &_host_worker_contexts[tries].event, 0, 1) == 0)
+                // The worker thread has been marked to execute this switchless
+                // call. Determine if it needs to be woken up or not.
+                //
+                // If event is 0, it means that it has gone to sleep. Wake it by
+                // making an ocall (OE_OCALL_WAKE_HOST_WORKER).
+                // Note: it is important to use an atomic cas operation to set
+                // the value to 1 before making the ocall. Setting the value to
+                // 1 prevents the host worker from simulataneously going to
+                // sleep. If instead, just a compare operation is used to
+                // determine if the host thread is sleeping or not, the host
+                // thread could go to sleep after the enclave has determined
+                // that the host is not sleeping, causing a deadlock.
+                //
+                // If event is 1, that indicates a pending wake notification.
+                int32_t oldval = 0;
+                int32_t newval = 1;
+                // Weak operation could sporadically fail.
+                // We need a strong operation.
+                bool weak = false;
+                if (__atomic_compare_exchange_n(
+                        &_host_worker_contexts[tries].event,
+                        &oldval,
+                        newval,
+                        weak,
+                        __ATOMIC_ACQ_REL,
+                        __ATOMIC_ACQUIRE))
                 {
-                    // The worker was previously sleeping.
+                    // The pevious value of the event was 0 which means that the
+                    // worker was previously sleeping.
                     // Wake it via an ocall.
                     oe_ocall(
                         OE_OCALL_WAKE_HOST_WORKER,
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index f99fb14c1e..003d5057ce 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -165,6 +165,7 @@ if (OE_SGX)
       sgx/linux/entersim.S
       sgx/linux/exception.c
       sgx/linux/sgxioctl.c
+      sgx/linux/switchless.c
       sgx/linux/xstate.c)
   else()
     list(APPEND PLATFORM_HOST_ONLY_SRC
@@ -176,6 +177,7 @@ if (OE_SGX)
       sgx/windows/enter.asm
       sgx/windows/entersim.asm
       sgx/windows/exception.c
+      sgx/windows/switchless.c
       sgx/windows/xstate.c)
   endif()
 
@@ -294,6 +296,8 @@ if (UNIX)
 elseif (WIN32)
   target_include_directories(oehost PRIVATE
     ${CMAKE_SOURCE_DIR}/3rdparty/mbedtls/mbedtls/include)
+  # Synchronization library is needed for WaitOnAddress/WakeByAddress functions
+  # used by switchless ocalls worker threads.
   target_link_libraries(oehost PRIVATE bcrypt Crypt32 Synchronization)
   target_include_directories(oehostverify PRIVATE
     ${CMAKE_SOURCE_DIR}/3rdparty/mbedtls/mbedtls/include)
@@ -351,7 +355,6 @@ target_compile_definitions(oehost
   # package.
   $<BUILD_INTERFACE:OE_API_VERSION=2>
   PRIVATE
-  OE_CONTEXT_SWITCHLESS_EXPERIMENTAL_FEATURE
   OE_BUILD_UNTRUSTED
   OE_REPO_BRANCH_NAME="${GIT_BRANCH}"
   OE_REPO_LAST_COMMIT="${GIT_COMMIT}")
diff --git a/host/linux/hostthread.c b/host/linux/hostthread.c
index d7ec0e35ce..65a87251fb 100644
--- a/host/linux/hostthread.c
+++ b/host/linux/hostthread.c
@@ -3,12 +3,8 @@
 
 #include "../hostthread.h"
 #include <assert.h>
-#include <linux/futex.h>
 #include <openenclave/host.h>
 #include <pthread.h>
-#include <sys/syscall.h>
-#include <sys/time.h>
-#include <unistd.h>
 
 /*
 **==============================================================================
diff --git a/host/sgx/linux/switchless.c b/host/sgx/linux/switchless.c
new file mode 100644
index 0000000000..567472ca52
--- /dev/null
+++ b/host/sgx/linux/switchless.c
@@ -0,0 +1,63 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <openenclave/internal/switchless.h>
+
+#include <linux/futex.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+void oe_host_worker_wait(oe_host_worker_context_t* context)
+{
+    // If event is 1, it means that there a pending wake notification from
+    // enclave. Consume it by setting event to 0. Don't wait.
+    //
+    // If event is 0, then wait until event is 1.
+    int32_t oldval = 1;
+    int32_t newval = 0;
+
+    // Weak operations can fail spuriously.
+    // We want a strong operation.
+    bool weak = false;
+    if (!__atomic_compare_exchange_n(
+            &context->event,
+            &oldval,
+            newval,
+            weak,
+            __ATOMIC_ACQ_REL,
+            __ATOMIC_ACQUIRE))
+    {
+        // The old value is 0. There is no pending wake notification from the
+        // enclave.
+        do
+        {
+            // Error codes from syscall are ignored since we wait until event
+            // is non-zero.
+            syscall(
+                __NR_futex,
+                &context->event,
+                FUTEX_WAIT_PRIVATE,
+                0,
+                NULL,
+                NULL,
+                0);
+            // If context->event is still 0, then this is a spurious-wake.
+            // Spurious-wakes are ignored by going back to FUTEX_WAIT.
+            // Since FUTEX_WAIT uses atomic instructions to load event->value,
+            // it is safe to use a non-atomic operation here.
+        } while (context->event == 0);
+    }
+}
+
+void oe_host_worker_wake(oe_host_worker_context_t* context)
+{
+    context->event = 1;
+    syscall(
+        __NR_futex,
+        &context->event,
+        FUTEX_WAKE_PRIVATE,
+        1 /* wake 1 thread */,
+        NULL,
+        NULL,
+        0);
+}
diff --git a/host/sgx/switchless.c b/host/sgx/switchless.c
index 8ae6f702bb..52261c91e9 100644
--- a/host/sgx/switchless.c
+++ b/host/sgx/switchless.c
@@ -11,63 +11,6 @@
 #include "../ocalls.h"
 #include "enclave.h"
 
-#if __linux__
-#include <linux/futex.h>
-#include <sys/syscall.h>
-#include <unistd.h>
-
-static void _worker_wait(oe_host_worker_context_t* context)
-{
-    if (__sync_val_compare_and_swap(&context->event, 1, 0) == 0)
-    {
-        do
-        {
-            syscall(
-                __NR_futex,
-                &context->event,
-                FUTEX_WAIT_PRIVATE,
-                0,
-                NULL,
-                NULL,
-                0);
-            // If context-> is still 0, then this is a spurious-wake.
-            // Spurious-wakes are ignored by going back to FUTEX_WAIT.
-            // Since FUTEX_WAIT uses atomic instructions to load event->value,
-            // it is safe to use a non-atomic operation here.
-        } while (context->event == 0);
-    }
-}
-
-static void _worker_wake(oe_host_worker_context_t* context)
-{
-    // context->event is expected to be set to 1 by the enclave.
-    // This function is called only when needed.
-    __sync_val_compare_and_swap(&context->event, 0, 1);
-    syscall(__NR_futex, &context->event, FUTEX_WAKE_PRIVATE, 1, NULL, NULL, 0);
-}
-
-#else
-
-static void _worker_wait(oe_host_worker_context_t* context)
-{
-    // If the event value is 1, then set it to zero.
-    if (_InterlockedCompareExchange(&context->event, 0, 1) == 0)
-    {
-        // If the previous value was zero, then wait while value is zero.
-        uint32_t zero = 0;
-        WaitOnAddress(&context->event, &zero, sizeof(context->event), INFINITE);
-    }
-}
-
-static void _worker_wake(oe_host_worker_context_t* context)
-{
-    // Enclave sets context->value to 1.
-    // Wake up the waiting worker.
-    WakeByAddressSingle(&context->event);
-}
-
-#endif
-
 /**
  * Number of iterations an ocall worker thread would spin before going to sleep
  */
@@ -91,17 +34,20 @@ static void* _switchless_ocall_worker(void* arg)
             oe_handle_call_host_function(
                 (uint64_t)local_call_arg, context->enclave);
 
+            // Reset spin count for next message.
             context->total_spin_count += context->spin_count;
             context->spin_count = 0;
         }
         else
         {
+            // If there is no message, increment spin count until threshold is
+            // reached.
             if (++context->spin_count >= OE_HOST_WORKER_SPIN_COUNT_THRESHOLD)
             {
+                // Reset spin count and go to sleep until event is fired.
                 context->total_spin_count += context->spin_count;
                 context->spin_count = 0;
-
-                _worker_wait(context);
+                oe_host_worker_wait(context);
             }
         }
     }
@@ -114,11 +60,11 @@ static oe_result_t oe_stop_worker_threads(oe_switchless_call_manager_t* manager)
     for (size_t i = 0; i < manager->num_host_workers; i++)
     {
         manager->host_worker_contexts[i].is_stopping = true;
-        _worker_wake(&manager->host_worker_contexts[i]);
+        oe_host_worker_wake(&manager->host_worker_contexts[i]);
 
         OE_TRACE_INFO(
             "Switchless host worker thread %d spun for %lu times",
-            i,
+            (int)i,
             manager->host_worker_contexts[i].total_spin_count);
     }
 
@@ -221,5 +167,5 @@ oe_result_t oe_stop_switchless_manager(oe_enclave_t* enclave)
 void oe_handle_wake_host_worker(uint64_t arg)
 {
     oe_host_worker_context_t* context = (oe_host_worker_context_t*)arg;
-    _worker_wake(context);
+    oe_host_worker_wake(context);
 }
diff --git a/host/sgx/windows/switchless.c b/host/sgx/windows/switchless.c
new file mode 100644
index 0000000000..e845249390
--- /dev/null
+++ b/host/sgx/windows/switchless.c
@@ -0,0 +1,29 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <Windows.h>
+#include <openenclave/internal/switchless.h>
+
+void oe_host_worker_wait(oe_host_worker_context_t* context)
+{
+    // If event is 1, it means that there a pending wake notification from
+    // enclave. Consume it by setting event to 0. Don't wait.
+    //
+    // If event is 0, then wait until event is 1.
+    int32_t oldval = 1;
+    int32_t newval = 0;
+
+    if (_InterlockedCompareExchange(&context->event, newval, oldval) == 0)
+    {
+        // If the previous value was zero, then wait while value is zero.
+        uint32_t zero = 0;
+        WaitOnAddress(&context->event, &zero, sizeof(context->event), INFINITE);
+    }
+}
+
+void oe_host_worker_wake(oe_host_worker_context_t* context)
+{
+    // Set the event and wake up the worker.
+    context->event = 1;
+    WakeByAddressSingle(&context->event);
+}
diff --git a/include/openenclave/internal/switchless.h b/include/openenclave/internal/switchless.h
index 8c8e5aeb3c..43a87ddace 100644
--- a/include/openenclave/internal/switchless.h
+++ b/include/openenclave/internal/switchless.h
@@ -12,11 +12,10 @@
 typedef struct _host_worker_thread_context
 {
     volatile oe_call_host_function_args_t* call_arg;
-    uint64_t is_stopping;
     oe_enclave_t* enclave;
+    bool is_stopping;
 
-    // Used as futex or for WaitOnAddress
-    int32_t event;
+    volatile int32_t event;
 
     // Number of times the worker spinned without seeing a message.
     uint64_t spin_count;
@@ -25,7 +24,17 @@ typedef struct _host_worker_thread_context
     uint64_t total_spin_count;
 } oe_host_worker_context_t;
 
-OE_STATIC_ASSERT(sizeof(oe_host_worker_context_t) == 48);
+/**
+ * oe_host_worker_context_t is used both by the host (windows/linux) and the
+ * enclave (ELF). Lockdown the layout.
+ */
+OE_STATIC_ASSERT(sizeof(oe_host_worker_context_t) == 40);
+OE_STATIC_ASSERT(OE_OFFSETOF(oe_host_worker_context_t, call_arg) == 0);
+OE_STATIC_ASSERT(OE_OFFSETOF(oe_host_worker_context_t, enclave) == 8);
+OE_STATIC_ASSERT(OE_OFFSETOF(oe_host_worker_context_t, is_stopping) == 16);
+OE_STATIC_ASSERT(OE_OFFSETOF(oe_host_worker_context_t, event) == 20);
+OE_STATIC_ASSERT(OE_OFFSETOF(oe_host_worker_context_t, spin_count) == 24);
+OE_STATIC_ASSERT(OE_OFFSETOF(oe_host_worker_context_t, total_spin_count) == 32);
 
 typedef struct _oe_switchless_call_manager
 {
@@ -40,4 +49,8 @@ oe_result_t oe_start_switchless_manager(
 
 oe_result_t oe_stop_switchless_manager(oe_enclave_t* enclave);
 
+void oe_host_worker_wait(oe_host_worker_context_t* context);
+
+void oe_host_worker_wake(oe_host_worker_context_t* context);
+
 #endif /* _OE_SWITCHLESS_H */

From a5189d5bfcdb160dcf698f06cd8090ffc2dbf7b7 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Wed, 2 Oct 2019 22:47:53 +0000
Subject: [PATCH 099/420] Fix incremental rebuild due to `add_custom_target`

No file dependencies were setup, so repeated invocations of the build
system would cause these keys to be regenerated each time.
---
 tests/crypto/data/CMakeLists.txt              | 60 ++++++++++---------
 .../data/CMakeLists.txt                       | 16 ++---
 2 files changed, 40 insertions(+), 36 deletions(-)

diff --git a/tests/crypto/data/CMakeLists.txt b/tests/crypto/data/CMakeLists.txt
index c6761e67a9..070632932f 100644
--- a/tests/crypto/data/CMakeLists.txt
+++ b/tests/crypto/data/CMakeLists.txt
@@ -10,33 +10,35 @@ else()
     message(FATAL_ERROR "Unknown OS. Only supported OSes are Linux and Windows")
 endif()
 
-add_custom_target(
-    crypto_test_data ALL
+# These are specifically the byproducts that will be directly consumed by crypto tests
+set(CRYPTO_TEST_DATA
+    asn1.cert.pem
+    coordinates.bin
+    ec_cert_with_ext.pem
+    ec_cert_crl_distribution.pem
+    intermediate.crl.der
+    intermediate.cert.pem
+    intermediate.ec.cert.pem
+    intermediate2.cert.pem
+    leaf.key.pem
+    leaf.cert.pem
+    leaf.ec.cert.pem
+    leaf.public.key.pem
+    leaf_modulus.hex
+    leaf2.cert.pem
+    root.crl.der
+    root.cert.pem
+    root.ec.cert.pem
+    root.ec.key.pem
+    root.ec.public.key.pem
+    root2.cert.pem
+    self_signed.cert.der
+    test_ec_signature
+    test_rsa_signature
+    time.txt)
+
+add_custom_command(
     COMMAND ${OE_BASH} -c "${CMAKE_CURRENT_SOURCE_DIR}/make-test-certs ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR} ${BUILD_OPT}"
-    # These are specifically the byproducts that will be directly consumed by crypto tests
-    BYPRODUCTS
-        asn1.cert.pem
-        coordinates.bin
-        ec_cert_with_ext.pem
-        ec_cert_crl_distribution.pem
-        intermediate.crl.der
-        intermediate.cert.pem
-        intermediate.ec.cert.pem
-        intermediate2.cert.pem
-        leaf.key.pem
-        leaf.cert.pem
-        leaf.ec.cert.pem
-        leaf.public.key.pem
-        leaf_modulus.hex
-        leaf2.cert.pem
-        root.crl.der
-        root.cert.pem
-        root.ec.cert.pem
-        root.ec.key.pem
-        root.ec.public.key.pem
-        root2.cert.pem
-        self_signed.cert.der
-        test_ec_signature
-        test_rsa_signature
-        time.txt
-    )
+    OUTPUT ${CRYPTO_TEST_DATA})
+
+add_custom_target(crypto_test_data DEPENDS ${CRYPTO_TEST_DATA})
diff --git a/tests/crypto_crls_cert_chains/data/CMakeLists.txt b/tests/crypto_crls_cert_chains/data/CMakeLists.txt
index 07d4c2c448..bb09bb231e 100644
--- a/tests/crypto_crls_cert_chains/data/CMakeLists.txt
+++ b/tests/crypto_crls_cert_chains/data/CMakeLists.txt
@@ -10,11 +10,8 @@ else()
     message(FATAL_ERROR "Unknown OS. Only supported OSes are Linux and Windows")
 endif()
 
-add_custom_target(
-    crypto_crls_cert_chains_test_data ALL
-    COMMAND ${OE_BASH} -c "${CMAKE_CURRENT_SOURCE_DIR}/make-test-certs ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR} ${BUILD_OPT}"
-    # These are specifically the byproducts that will be directly consumed by crypto_crls_cert_chains tests
-    BYPRODUCTS
+# These are specifically the byproducts that will be directly consumed by crypto_crls_cert_chains tests
+set(CRYPTO_CRLS_DATA
     root.cert.pem
     intermediate.cert.pem
     leaf1.cert.pem
@@ -22,5 +19,10 @@ add_custom_target(
     root_crl1.der
     root_crl2.der
     intermediate_crl1.der
-    intermediate_crl2.der
-    )
+    intermediate_crl2.der)
+
+add_custom_command(
+    COMMAND ${OE_BASH} -c "${CMAKE_CURRENT_SOURCE_DIR}/make-test-certs ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR} ${BUILD_OPT}"
+    OUTPUT ${CRYPTO_CRLS_DATA})
+
+add_custom_target(crypto_crls_cert_chains_test_data DEPENDS ${CRYPTO_CRLS_DATA})

From e7ed97fbb23b3a7dd5b644c8bbd2d6553d70c21e Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Thu, 12 Sep 2019 17:34:09 +0100
Subject: [PATCH 100/420] change log format and add support for user defined
 log format

---
 host/traceh.c                        | 151 ++++++++++++++-------------
 include/openenclave/internal/trace.h |  10 +-
 2 files changed, 85 insertions(+), 76 deletions(-)

diff --git a/host/traceh.c b/host/traceh.c
index 1d5bc2f9ff..3040e6c27a 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -14,11 +14,13 @@
 #include <time.h>
 #include "hostthread.h"
 
-#define LOGGING_FORMAT_STRING "%02d:%02d:%02d:%06ld tid(0x%lx) (%s)[%s]%s"
+#define LOGGING_FORMAT_STRING "%s.%06ldZ [(%s)%s] tid(0x%lx) | %s"
+
 static char* _log_level_strings[OE_LOG_LEVEL_MAX] =
     {"NONE", "FATAL", "ERROR", "WARN", "INFO", "VERBOSE"};
 static oe_mutex _log_lock = OE_H_MUTEX_INITIALIZER;
 static const char* _log_file_name = NULL;
+static const char* _custom_log_format = NULL;
 static bool _log_creation_failed_before = false;
 oe_log_level_t _log_level = OE_LOG_LEVEL_ERROR;
 static bool _initialized = false;
@@ -67,88 +69,55 @@ void initialize_log_config()
         // inititalize if not already
         _log_level = _env2log_level();
         _log_file_name = getenv("OE_LOG_DEVICE");
+        _custom_log_format = getenv("OE_LOG_FORMAT");
         _initialized = true;
     }
 }
 
-static void _write_header_info_to_stream(FILE* stream)
-{
-    time_t t = time(NULL);
-    struct tm* lt = localtime(&t);
-
-    fprintf(
-        stream, "================= New logging session =================\n");
-    fprintf(stream, "%s", asctime(lt));
-    fprintf(
-        stream,
-        "https://github.com/openenclave/openenclave branch:%s\n",
-        OE_REPO_BRANCH_NAME);
-    fprintf(stream, "Last commit:%s\n\n", OE_REPO_LAST_COMMIT);
-}
-
 static void _write_message_to_stream(
     FILE* stream,
     bool is_enclave,
+    const char* time,
+    long int usecs,
     oe_log_level_t level,
     const char* message)
 {
-#if defined(__linux__)
-    struct timeval time_now;
-    gettimeofday(&time_now, NULL);
-    struct tm* t = gmtime(&time_now.tv_sec);
-#else
-    time_t lt = time(NULL);
-    struct tm* t = localtime(&lt);
-#endif
-
-    oe_thread_t thread_id = oe_thread_self();
-
     fprintf(
         stream,
         LOGGING_FORMAT_STRING,
-        t->tm_hour,
-        t->tm_min,
-        t->tm_sec,
-#if defined(__linux__)
-        time_now.tv_usec,
-#else
-        0,
-#endif
-        thread_id,
+        time,
+        usecs,
         (is_enclave ? "E" : "H"),
         _log_level_strings[level],
+        oe_thread_self(),
         message);
 }
 
-static void _log_session_header()
+static void _write_custom_format_message_to_stream(
+    FILE* stream,
+    bool is_enclave,
+    const char* time,
+    long int usecs,
+    oe_log_level_t level,
+    const char* message,
+    const char* file,
+    const char* function,
+    const char* number,
+    const char* log_format)
 {
-    if (!_log_file_name)
-    {
-        return;
-    }
-
-    // Take the log file lock.
-    if (!_log_creation_failed_before)
-    {
-        if (oe_mutex_lock(&_log_lock) == OE_OK)
-        {
-            FILE* log_file = NULL;
-            log_file = fopen(_log_file_name, "a");
-            if (log_file == NULL)
-            {
-                fprintf(
-                    stderr, "Failed to create logfile %s\n", _log_file_name);
-                oe_mutex_unlock(&_log_lock);
-                _log_creation_failed_before = true;
-                return;
-            }
-
-            _write_header_info_to_stream(log_file);
-            fflush(log_file);
-            fclose(log_file);
-            oe_mutex_unlock(&_log_lock);
-        }
-    }
+    fprintf(
+        stream,
+        log_format,
+        time,
+        usecs,
+        (is_enclave ? "E" : "H"),
+        _log_level_strings[level],
+        oe_thread_self(),
+        message,
+        file,
+        function,
+        number);
+    fprintf(stream, "\n");
 }
 
 oe_result_t oe_log(oe_log_level_t level, const char* fmt, ...)
@@ -194,10 +163,27 @@ oe_result_t oe_log(oe_log_level_t level, const char* fmt, ...)
 // and file operation.
 void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
 {
+    // get timestamp for log
+#if defined(__linux__)
+    struct timeval time_now;
+    gettimeofday(&time_now, NULL);
+    struct tm* t = gmtime(&time_now.tv_sec);
+#else
+    time_t lt = time(NULL);
+    struct tm* t = localtime(&lt);
+#endif
+
+    char time[20];
+    strftime(time, sizeof(time), "%Y-%m-%dT%H:%M:%S", t);
+
+#if defined(__linux__)
+    long int usecs = time_now.tv_usec;
+#else
+    long int usecs = 0;
+#endif
     if (!_initialized)
     {
         initialize_log_config();
-        _log_session_header();
     }
     if (_initialized)
     {
@@ -208,11 +194,10 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
     // Take the log file lock.
     if (oe_mutex_lock(&_log_lock) == OE_OK)
     {
-        if (!_log_file_name)
-        {
-            _write_message_to_stream(stdout, is_enclave, level, message);
-        }
-        else if (!_log_creation_failed_before)
+        _write_message_to_stream(
+            stdout, is_enclave, time, usecs, level, message);
+
+        if (!_log_creation_failed_before)
         {
             FILE* log_file = NULL;
             log_file = fopen(_log_file_name, "a");
@@ -224,7 +209,31 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
                 _log_creation_failed_before = true;
                 return;
             }
-            _write_message_to_stream(log_file, is_enclave, level, message);
+
+            char* message_dup = strdup(message);
+            char* log_msg = strtok(message_dup, "[");
+            size_t len = strlen(log_msg);
+            if (log_msg[len - 1] == '\n')
+            {
+                log_msg[len - 1] = 0;
+            }
+            char* file_name = strtok(NULL, ":");
+            char* function = strtok(NULL, ":");
+            char* line_number = strtok(NULL, "]");
+
+            _write_custom_format_message_to_stream(
+                log_file,
+                is_enclave,
+                time,
+                usecs,
+                level,
+                log_msg,
+                file_name,
+                function,
+                line_number,
+                (_custom_log_format ? _custom_log_format
+                                    : LOGGING_FORMAT_STRING));
+
             fflush(log_file);
             fclose(log_file);
         }
diff --git a/include/openenclave/internal/trace.h b/include/openenclave/internal/trace.h
index ea85c6114e..5ea681209f 100644
--- a/include/openenclave/internal/trace.h
+++ b/include/openenclave/internal/trace.h
@@ -45,7 +45,7 @@ void initialize_log_config(void);
 #define OE_TRACE_FATAL(fmt, ...) \
     OE_TRACE(                    \
         OE_LOG_LEVEL_FATAL,      \
-        fmt "[%s %s:%d]\n",      \
+        fmt " [%s:%s:%d]\n",     \
         ##__VA_ARGS__,           \
         __FILE__,                \
         __FUNCTION__,            \
@@ -54,7 +54,7 @@ void initialize_log_config(void);
 #define OE_TRACE_ERROR(fmt, ...) \
     OE_TRACE(                    \
         OE_LOG_LEVEL_ERROR,      \
-        fmt "[%s %s:%d]\n",      \
+        fmt " [%s:%s:%d]\n",     \
         ##__VA_ARGS__,           \
         __FILE__,                \
         __FUNCTION__,            \
@@ -63,7 +63,7 @@ void initialize_log_config(void);
 #define OE_TRACE_WARNING(fmt, ...) \
     OE_TRACE(                      \
         OE_LOG_LEVEL_WARNING,      \
-        fmt "[%s %s:%d]\n",        \
+        fmt " [%s:%s:%d]\n",       \
         ##__VA_ARGS__,             \
         __FILE__,                  \
         __FUNCTION__,              \
@@ -72,7 +72,7 @@ void initialize_log_config(void);
 #define OE_TRACE_INFO(fmt, ...) \
     OE_TRACE(                   \
         OE_LOG_LEVEL_INFO,      \
-        fmt "[%s %s:%d]\n",     \
+        fmt " [%s:%s:%d]\n",    \
         ##__VA_ARGS__,          \
         __FILE__,               \
         __FUNCTION__,           \
@@ -81,7 +81,7 @@ void initialize_log_config(void);
 #define OE_TRACE_VERBOSE(fmt, ...) \
     OE_TRACE(                      \
         OE_LOG_LEVEL_VERBOSE,      \
-        fmt "[%s %s:%d]\n",        \
+        fmt " [%s:%s:%d]\n",       \
         ##__VA_ARGS__,             \
         __FILE__,                  \
         __FUNCTION__,              \

From c89780a9307cab8f95db32169e9efbc919a67014 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 17 Sep 2019 07:34:47 +0100
Subject: [PATCH 101/420] use strtok_r and free message_dup

---
 host/traceh.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/host/traceh.c b/host/traceh.c
index 3040e6c27a..7487b18d68 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -211,15 +211,20 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
             }
 
             char* message_dup = strdup(message);
-            char* log_msg = strtok(message_dup, "[");
-            size_t len = strlen(log_msg);
-            if (log_msg[len - 1] == '\n')
+            char* reentrant_ptr = NULL;
+            char* log_msg = strtok_r(message_dup, "[", &reentrant_ptr);
+
+            for (size_t i = 0; i < strlen(log_msg); i++)
             {
-                log_msg[len - 1] = 0;
+                if (log_msg[i] == '\n')
+                {
+                    log_msg[i] = '\0';
+                }
             }
-            char* file_name = strtok(NULL, ":");
-            char* function = strtok(NULL, ":");
-            char* line_number = strtok(NULL, "]");
+
+            char* file_name = strtok_r(NULL, ":", &reentrant_ptr);
+            char* function = strtok_r(NULL, ":", &reentrant_ptr);
+            char* line_number = strtok_r(NULL, "]", &reentrant_ptr);
 
             _write_custom_format_message_to_stream(
                 log_file,
@@ -236,6 +241,7 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
 
             fflush(log_file);
             fclose(log_file);
+            free(message_dup);
         }
         // Release the log file lock.
         oe_mutex_unlock(&_log_lock);

From 16ff5975e3ca8e7a68539c0ece8b4e0969f4dec9 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 17 Sep 2019 07:35:42 +0100
Subject: [PATCH 102/420] change localtime to gmtime for all platforms

---
 host/traceh.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/host/traceh.c b/host/traceh.c
index 7487b18d68..251a6560a3 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -170,7 +170,7 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
     struct tm* t = gmtime(&time_now.tv_sec);
 #else
     time_t lt = time(NULL);
-    struct tm* t = localtime(&lt);
+    struct tm* t = gmtime(&lt);
 #endif
 
     char time[20];

From b1bbfc3c83461f690963cae665716f58ab43ff5e Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 17 Sep 2019 07:39:30 +0100
Subject: [PATCH 103/420] append line return to the end of custom log format
 instead of printing one for every message

---
 host/traceh.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/host/traceh.c b/host/traceh.c
index 251a6560a3..0b3eb5fe8b 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -69,7 +69,17 @@ void initialize_log_config()
         // inititalize if not already
         _log_level = _env2log_level();
         _log_file_name = getenv("OE_LOG_DEVICE");
-        _custom_log_format = getenv("OE_LOG_FORMAT");
+        char* _oe_log_format = getenv("OE_LOG_FORMAT");
+        // check that custom log format string terminates with a line return
+        if (_oe_log_format)
+        {
+            size_t len = strlen(_oe_log_format);
+            if (_oe_log_format[len - 1] != '\n')
+            {
+                strcat(_oe_log_format, "\n");
+            }
+        }
+        _custom_log_format = _oe_log_format;
         _initialized = true;
     }
 }
@@ -117,7 +127,6 @@ static void _write_custom_format_message_to_stream(
         file,
         function,
         number);
-    fprintf(stream, "\n");
 }
 
 oe_result_t oe_log(oe_log_level_t level, const char* fmt, ...)

From dccab6a9dce31dfd3ffc1c13e4669b0c84433c42 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 17 Sep 2019 07:46:29 +0100
Subject: [PATCH 104/420] if custom log format not set don't parse log line
 before printing to file

---
 host/traceh.c | 56 +++++++++++++++++++++++++++++----------------------
 1 file changed, 32 insertions(+), 24 deletions(-)

diff --git a/host/traceh.c b/host/traceh.c
index 0b3eb5fe8b..f9e80fc389 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -219,38 +219,46 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
                 return;
             }
 
-            char* message_dup = strdup(message);
-            char* reentrant_ptr = NULL;
-            char* log_msg = strtok_r(message_dup, "[", &reentrant_ptr);
-
-            for (size_t i = 0; i < strlen(log_msg); i++)
+            if (!_custom_log_format)
+            {
+                _write_message_to_stream(
+                    log_file, is_enclave, time, usecs, level, message);
+            }
+            else
             {
-                if (log_msg[i] == '\n')
+                char* message_dup = strdup(message);
+                char* reentrant_ptr = NULL;
+                char* log_msg = strtok_r(message_dup, "[", &reentrant_ptr);
+
+                for (size_t i = 0; i < strlen(log_msg); i++)
                 {
-                    log_msg[i] = '\0';
+                    if (log_msg[i] == '\n')
+                    {
+                        log_msg[i] = '\0';
+                    }
                 }
-            }
 
-            char* file_name = strtok_r(NULL, ":", &reentrant_ptr);
-            char* function = strtok_r(NULL, ":", &reentrant_ptr);
-            char* line_number = strtok_r(NULL, "]", &reentrant_ptr);
+                char* file_name = strtok_r(NULL, ":", &reentrant_ptr);
+                char* function = strtok_r(NULL, ":", &reentrant_ptr);
+                char* line_number = strtok_r(NULL, "]", &reentrant_ptr);
+
+                _write_custom_format_message_to_stream(
+                    log_file,
+                    is_enclave,
+                    time,
+                    usecs,
+                    level,
+                    log_msg,
+                    file_name,
+                    function,
+                    line_number,
+                    _custom_log_format);
 
-            _write_custom_format_message_to_stream(
-                log_file,
-                is_enclave,
-                time,
-                usecs,
-                level,
-                log_msg,
-                file_name,
-                function,
-                line_number,
-                (_custom_log_format ? _custom_log_format
-                                    : LOGGING_FORMAT_STRING));
+                free(message_dup);
+            }
 
             fflush(log_file);
             fclose(log_file);
-            free(message_dup);
         }
         // Release the log file lock.
         oe_mutex_unlock(&_log_lock);

From bb69c03da1bb1d5029cc09c071a65fc8873dc465 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 17 Sep 2019 08:16:48 +0100
Subject: [PATCH 105/420] check for NULL after calling strtok_r and log fail
 message if so

---
 host/traceh.c | 56 +++++++++++++++++++++++++++++++++------------------
 1 file changed, 36 insertions(+), 20 deletions(-)

diff --git a/host/traceh.c b/host/traceh.c
index f9e80fc389..b6af470bf3 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -84,6 +84,17 @@ void initialize_log_config()
     }
 }
 
+static void _replace_newline(char* log_msg)
+{
+    for (size_t i = 0; i < strlen(log_msg); i++)
+    {
+        if (log_msg[i] == '\n')
+        {
+            log_msg[i] = '\0';
+        }
+    }
+}
+
 static void _write_message_to_stream(
     FILE* stream,
     bool is_enclave,
@@ -229,31 +240,36 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
                 char* message_dup = strdup(message);
                 char* reentrant_ptr = NULL;
                 char* log_msg = strtok_r(message_dup, "[", &reentrant_ptr);
-
-                for (size_t i = 0; i < strlen(log_msg); i++)
-                {
-                    if (log_msg[i] == '\n')
-                    {
-                        log_msg[i] = '\0';
-                    }
-                }
-
                 char* file_name = strtok_r(NULL, ":", &reentrant_ptr);
                 char* function = strtok_r(NULL, ":", &reentrant_ptr);
                 char* line_number = strtok_r(NULL, "]", &reentrant_ptr);
 
-                _write_custom_format_message_to_stream(
-                    log_file,
-                    is_enclave,
-                    time,
-                    usecs,
-                    level,
-                    log_msg,
-                    file_name,
-                    function,
-                    line_number,
-                    _custom_log_format);
+                if (!log_msg || !file_name || !function || !line_number)
+                {
+                    _write_message_to_stream(
+                        log_file,
+                        is_enclave,
+                        time,
+                        usecs,
+                        level,
+                        "Failed to apply custom formatter to message\n");
+                }
+                else
+                {
+                    _replace_newline(log_msg);
 
+                    _write_custom_format_message_to_stream(
+                        log_file,
+                        is_enclave,
+                        time,
+                        usecs,
+                        level,
+                        log_msg,
+                        file_name,
+                        function,
+                        line_number,
+                        _custom_log_format);
+                }
                 free(message_dup);
             }
 

From c3646215cf3e418ea13c464d23eec69091fc5a7d Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 17 Sep 2019 10:58:58 +0100
Subject: [PATCH 106/420] enforce custom log ends in new line

---
 host/traceh.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/host/traceh.c b/host/traceh.c
index b6af470bf3..b9e067d7f7 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -69,17 +69,17 @@ void initialize_log_config()
         // inititalize if not already
         _log_level = _env2log_level();
         _log_file_name = getenv("OE_LOG_DEVICE");
-        char* _oe_log_format = getenv("OE_LOG_FORMAT");
+        _custom_log_format = getenv("OE_LOG_FORMAT");
         // check that custom log format string terminates with a line return
-        if (_oe_log_format)
+        size_t len = strlen(_custom_log_format);
+        if (_custom_log_format[len - 1] != '\n')
         {
-            size_t len = strlen(_oe_log_format);
-            if (_oe_log_format[len - 1] != '\n')
-            {
-                strcat(_oe_log_format, "\n");
-            }
+            fprintf(
+                stderr,
+                "%s\n",
+                "Custom log format does not end with a newline");
+            exit(1);
         }
-        _custom_log_format = _oe_log_format;
         _initialized = true;
     }
 }
@@ -90,7 +90,7 @@ static void _replace_newline(char* log_msg)
     {
         if (log_msg[i] == '\n')
         {
-            log_msg[i] = '\0';
+            log_msg[i] = ' ';
         }
     }
 }

From 21481ee258cbd4b8f9d0daf900ea1f133c25df3f Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 17 Sep 2019 11:00:28 +0100
Subject: [PATCH 107/420] rename reentrant_ptr

---
 host/traceh.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/host/traceh.c b/host/traceh.c
index b9e067d7f7..c57f6b8df3 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -238,11 +238,11 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
             else
             {
                 char* message_dup = strdup(message);
-                char* reentrant_ptr = NULL;
-                char* log_msg = strtok_r(message_dup, "[", &reentrant_ptr);
-                char* file_name = strtok_r(NULL, ":", &reentrant_ptr);
-                char* function = strtok_r(NULL, ":", &reentrant_ptr);
-                char* line_number = strtok_r(NULL, "]", &reentrant_ptr);
+                char* message_cursor = NULL;
+                char* log_msg = strtok_r(message_dup, "[", &message_cursor);
+                char* file_name = strtok_r(NULL, ":", &message_cursor);
+                char* function = strtok_r(NULL, ":", &message_cursor);
+                char* line_number = strtok_r(NULL, "]", &message_cursor);
 
                 if (!log_msg || !file_name || !function || !line_number)
                 {

From 0beb4271dd85e64e8e50242560f696949f0c56b6 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 17 Sep 2019 13:27:46 +0100
Subject: [PATCH 108/420] add null checks

---
 host/traceh.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/host/traceh.c b/host/traceh.c
index c57f6b8df3..3d2a4bbd32 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -70,15 +70,18 @@ void initialize_log_config()
         _log_level = _env2log_level();
         _log_file_name = getenv("OE_LOG_DEVICE");
         _custom_log_format = getenv("OE_LOG_FORMAT");
-        // check that custom log format string terminates with a line return
-        size_t len = strlen(_custom_log_format);
-        if (_custom_log_format[len - 1] != '\n')
+        if (_custom_log_format)
         {
-            fprintf(
-                stderr,
-                "%s\n",
-                "Custom log format does not end with a newline");
-            exit(1);
+            // check that custom log format string terminates with a line return
+            size_t len = strlen(_custom_log_format);
+            if (_custom_log_format[len - 1] != '\n')
+            {
+                fprintf(
+                    stderr,
+                    "%s\n",
+                    "Custom log format does not end with a newline");
+                exit(1);
+            }
         }
         _initialized = true;
     }
@@ -217,6 +220,13 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
         _write_message_to_stream(
             stdout, is_enclave, time, usecs, level, message);
 
+        if (!_log_file_name)
+        {
+            // Release the log file lock.
+            oe_mutex_unlock(&_log_lock);
+            return;
+        }
+
         if (!_log_creation_failed_before)
         {
             FILE* log_file = NULL;

From 3771aa3a7a6631b3bd5887d1daa49785bc4423d7 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 24 Sep 2019 11:32:14 +0100
Subject: [PATCH 109/420] escape string for JSON format when env var is set

---
 host/traceh.c | 128 +++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 112 insertions(+), 16 deletions(-)

diff --git a/host/traceh.c b/host/traceh.c
index 3d2a4bbd32..8ef09ffdd3 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+#include <ctype.h>
 #include <openenclave/internal/calls.h>
 #include <openenclave/internal/raise.h>
 #include <openenclave/internal/trace.h>
@@ -21,6 +22,7 @@ static char* _log_level_strings[OE_LOG_LEVEL_MAX] =
 static oe_mutex _log_lock = OE_H_MUTEX_INITIALIZER;
 static const char* _log_file_name = NULL;
 static const char* _custom_log_format = NULL;
+static const char* _json_escape = NULL;
 static bool _log_creation_failed_before = false;
 oe_log_level_t _log_level = OE_LOG_LEVEL_ERROR;
 static bool _initialized = false;
@@ -70,6 +72,7 @@ void initialize_log_config()
         _log_level = _env2log_level();
         _log_file_name = getenv("OE_LOG_DEVICE");
         _custom_log_format = getenv("OE_LOG_FORMAT");
+        _json_escape = getenv("OE_JSON_ESCAPE");
         if (_custom_log_format)
         {
             // check that custom log format string terminates with a line return
@@ -87,14 +90,87 @@ void initialize_log_config()
     }
 }
 
-static void _replace_newline(char* log_msg)
+static void _escape_characters(
+    char* log_msg,
+    char* log_msg_escaped,
+    size_t msg_size)
 {
-    for (size_t i = 0; i < strlen(log_msg); i++)
+    size_t idx = 0;
+
+    for (size_t i = 0; i < msg_size; i++)
     {
-        if (log_msg[i] == '\n')
+        int c = log_msg[i];
+        if (log_msg[i] == '\"')
+        {
+            // single quotes are OK for JSON
+            log_msg_escaped[idx] = (char)putchar('\'');
+        }
+        else if (log_msg[i] == '\\')
+        {
+            log_msg_escaped[idx] = '\\';
+            idx++;
+            log_msg_escaped[idx] = '\\';
+        }
+        else if (!isprint(c))
+        {
+            log_msg_escaped[idx] = '\\';
+            idx++;
+            log_msg_escaped[idx] = '\\';
+            idx++;
+            switch (log_msg[i])
+            {
+                case '\a':
+                    log_msg_escaped[idx] = 'a';
+                    break;
+                case '\b':
+                    log_msg_escaped[idx] = 'b';
+                    break;
+                case '\e':
+                    log_msg_escaped[idx] = 'e';
+                    break;
+                case '\f':
+                    log_msg_escaped[idx] = 'f';
+                    break;
+                case '\n':
+                    log_msg_escaped[idx] = 'n';
+                    break;
+                case '\r':
+                    log_msg_escaped[idx] = 'r';
+                    break;
+                case '\t':
+                    log_msg_escaped[idx] = 't';
+                    break;
+                case '\v':
+                    log_msg_escaped[idx] = 'v';
+                    break;
+                case '\\':
+                    log_msg_escaped[idx] = '\\';
+                    break;
+                case '\'':
+                    log_msg_escaped[idx] = '\'';
+                    break;
+                case '\"':
+                    log_msg_escaped[idx] = '\"';
+                    break;
+                case '\?':
+                    log_msg_escaped[idx] = '?';
+                    break;
+                default:
+                    sprintf(&log_msg_escaped[idx], "u%04x", log_msg[i]);
+                    idx += 3;
+                    break;
+            }
+        }
+        else
         {
-            log_msg[i] = ' ';
+            log_msg_escaped[idx] = log_msg[i];
         }
+        idx++;
+    }
+    if (idx < 2 * msg_size)
+    {
+        log_msg_escaped[idx] = '\0';
+        idx++;
     }
 }
 
@@ -266,20 +342,40 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
                 }
                 else
                 {
-                    _replace_newline(log_msg);
+                    if (_json_escape)
+                    {
+                        size_t msg_size = strlen(log_msg);
+                        char log_msg_escaped[2 * msg_size];
+                        _escape_characters(log_msg, log_msg_escaped, msg_size);
 
-                    _write_custom_format_message_to_stream(
-                        log_file,
-                        is_enclave,
-                        time,
-                        usecs,
-                        level,
-                        log_msg,
-                        file_name,
-                        function,
-                        line_number,
-                        _custom_log_format);
+                        _write_custom_format_message_to_stream(
+                            log_file,
+                            is_enclave,
+                            time,
+                            usecs,
+                            level,
+                            log_msg_escaped,
+                            file_name,
+                            function,
+                            line_number,
+                            _custom_log_format);
+                    }
+                    else
+                    {
+                        _write_custom_format_message_to_stream(
+                            log_file,
+                            is_enclave,
+                            time,
+                            usecs,
+                            level,
+                            log_msg,
+                            file_name,
+                            function,
+                            line_number,
+                            _custom_log_format);
+                    }
                 }
+
                 free(message_dup);
             }
 

From 968031b7d03a6539edaecfeb877901c0bcb380c7 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 24 Sep 2019 11:34:22 +0100
Subject: [PATCH 110/420] Add design doc for PR

---
 docs/DesignDocs/LoggingFormat.md | 79 ++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 docs/DesignDocs/LoggingFormat.md

diff --git a/docs/DesignDocs/LoggingFormat.md b/docs/DesignDocs/LoggingFormat.md
new file mode 100644
index 0000000000..386187d474
--- /dev/null
+++ b/docs/DesignDocs/LoggingFormat.md
@@ -0,0 +1,79 @@
+Logging Format
+=====
+
+When using the OE SDK and in trying to make use of the logs (e.g. via uploading them to Azure Log Analytics) it is nice to be able to parse and display all of the available logs including the ones generated by OE.
+
+Motivation
+----------
+
+Users should be able to specify and control their own logging format so that they can further parse the log files as they see fit.
+
+User Experience
+---------------
+
+- The user can set the `OE_LOG_DEVICE` environmental variable to specify the log file location
+
+- The user can set the `OE_LOG_FORMAT` environmental variable to specify the log format. The user will be given the below information:
+
+        - time in string format
+        - microseconds
+        - is enclave (E|H)
+        - log level
+        - thread id
+        - log message
+        - file log initiated from
+        - function log initiated from
+        - file line number log initiated from
+
+        so for example a log foramt could be set like this:
+
+        `OE_LOG_FORMAT=$'{\"e_ts\":\"%s.%06ldZ\",\"level\":\"(%s)%s\",\"tid\":\"tid(0x%lx)\",\"msg\":\"%s\",\"file\":\"%s\",\"func\":\"%s\",\"number":\"%s\"}\n'`
+
+        and end up looking like this:
+
+        `
+        {
+                "e_ts": "2019-09-24T10:09:27.832475Z",
+                "file": "switchless/host/host.c",
+                "func": "main",
+                "level": "(H)ERROR",
+                "msg": "Hello 'world'!",
+                "number": "79",
+                "tid": "tid(0x7fc2698a6d40)"
+        }
+        `
+
+- The user can set the `OE_JSON_ESCAPE` environmental variable and if it is set then the log message will be escaped in order to be compatible with the JSON standard.
+
+Specification
+-------------
+
+Users can specify their own format when logging to a user specified file via the existing `OE_LOG_DEVICE` environmental variable.
+If the var is not specified then logging goes on as usual.
+
+If the var is specified then we look for an extra environmental variable `OE_LOG_FORMAT`.
+If `OE_LOG_FORMAT` is specified we call a method where we pass in the log line information and it is formatted by the `OE_LOG_FORMAT` string. If it is set it needs to end with a newlone.
+
+If it is not then we use the default format string to log in the file.
+
+In addition to the `OE_LOG_FORMAT` environmental variable, if the `OE_JSON_ESCAPE` environmental variable is set, then the log message will be processed accordingly in order to be compatible with the JSON standard.
+
+When logging to a separate file the normal logs are directed to stdout AND the log with the user specified format is directed to the file. This is useful if you want to keep the human readable logs, but also redirect a machine-readable format (e.g. JSON) to a file.
+
+OE logging format
+-----------------
+
+The OE logging format will be changed slightly to look like this:
+
+`2019-09-24T10:26:58.399458Z [(H)ERROR] tid(0x7fbddf4add40) | Hello 'world'! [switchless/host/host.c:main:78]`
+
+where timestamp is ISO 8601 UTC.
+
+Authors
+-------
+
+Name: Olga Vrousgou
+
+email: olga.vrousgou@microsoft.com
+
+github username: olgavrou
\ No newline at end of file

From 39f99e122107b71d9320683934a1ea22c20b1f3f Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Thu, 12 Sep 2019 17:34:09 +0100
Subject: [PATCH 111/420] change log format and add support for user defined
 log format

---
 host/traceh.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/host/traceh.c b/host/traceh.c
index 8ef09ffdd3..d66e5840b9 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -22,7 +22,10 @@ static char* _log_level_strings[OE_LOG_LEVEL_MAX] =
 static oe_mutex _log_lock = OE_H_MUTEX_INITIALIZER;
 static const char* _log_file_name = NULL;
 static const char* _custom_log_format = NULL;
+<<<<<<< HEAD
 static const char* _json_escape = NULL;
+=======
+>>>>>>> change log format and add support for user defined log format
 static bool _log_creation_failed_before = false;
 oe_log_level_t _log_level = OE_LOG_LEVEL_ERROR;
 static bool _initialized = false;

From 537953e638ab9ed6fc66e7274b439b3f083d4713 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 17 Sep 2019 07:34:47 +0100
Subject: [PATCH 112/420] use strtok_r and free message_dup

---
 host/traceh.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/host/traceh.c b/host/traceh.c
index d66e5840b9..9c4e20c478 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -22,10 +22,7 @@ static char* _log_level_strings[OE_LOG_LEVEL_MAX] =
 static oe_mutex _log_lock = OE_H_MUTEX_INITIALIZER;
 static const char* _log_file_name = NULL;
 static const char* _custom_log_format = NULL;
-<<<<<<< HEAD
 static const char* _json_escape = NULL;
-=======
->>>>>>> change log format and add support for user defined log format
 static bool _log_creation_failed_before = false;
 oe_log_level_t _log_level = OE_LOG_LEVEL_ERROR;
 static bool _initialized = false;
@@ -384,6 +381,7 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
 
             fflush(log_file);
             fclose(log_file);
+            free(message_dup);
         }
         // Release the log file lock.
         oe_mutex_unlock(&_log_lock);

From b175cedbef0af6fec8b4a22cb4521f34d1825863 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 17 Sep 2019 07:46:29 +0100
Subject: [PATCH 113/420] if custom log format not set don't parse log line
 before printing to file

---
 host/traceh.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/host/traceh.c b/host/traceh.c
index 9c4e20c478..8ef09ffdd3 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -381,7 +381,6 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
 
             fflush(log_file);
             fclose(log_file);
-            free(message_dup);
         }
         // Release the log file lock.
         oe_mutex_unlock(&_log_lock);

From 0ee805a285e2ad8d7bee3b3cfa0516135e2ed1be Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Sun, 29 Sep 2019 20:10:17 +0100
Subject: [PATCH 114/420] Add basic test for log file

---
 host/traceh.c                | 11 +++---
 tests/CMakeLists.txt         |  1 +
 tests/logging/CMakeLists.txt |  7 ++++
 tests/logging/main.c         | 65 ++++++++++++++++++++++++++++++++++++
 4 files changed, 79 insertions(+), 5 deletions(-)
 create mode 100644 tests/logging/CMakeLists.txt
 create mode 100644 tests/logging/main.c

diff --git a/host/traceh.c b/host/traceh.c
index 8ef09ffdd3..89f0396b08 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -93,7 +93,8 @@ void initialize_log_config()
 static void _escape_characters(
     char* log_msg,
     char* log_msg_escaped,
-    size_t msg_size)
+    size_t msg_size,
+    size_t max_msg_size)
 {
     size_t idx = 0;
 
@@ -156,8 +157,7 @@ static void _escape_characters(
                     log_msg_escaped[idx] = '?';
                     break;
                 default:
-                    sprintf(&log_msg_escaped[idx], "u%04x", log_msg[i]);
-                    idx += 3;
+                    log_msg_escaped[idx] = ' ';
                     break;
             }
         }
@@ -167,7 +167,7 @@ static void _escape_characters(
         }
         idx++;
     }
-    if (idx < 2 * msg_size)
+    if (idx < max_msg_size)
     {
         log_msg_escaped[idx] = '\0';
         idx++;
@@ -346,7 +346,8 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
                     {
                         size_t msg_size = strlen(log_msg);
                         char log_msg_escaped[2 * msg_size];
-                        _escape_characters(log_msg, log_msg_escaped, msg_size);
+                        _escape_characters(
+                            log_msg, log_msg_escaped, msg_size, (2 * msg_size));
 
                         _write_custom_format_message_to_stream(
                             log_file,
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index cb4d4af8aa..b8ee0091fb 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -21,6 +21,7 @@ add_subdirectory(mem)
 add_subdirectory(safecrt)
 add_subdirectory(safemath)
 add_subdirectory(str)
+add_subdirectory(logging)
 add_subdirectory(tools)
 
 if (OE_SGX)
diff --git a/tests/logging/CMakeLists.txt b/tests/logging/CMakeLists.txt
new file mode 100644
index 0000000000..13a73bc95e
--- /dev/null
+++ b/tests/logging/CMakeLists.txt
@@ -0,0 +1,7 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+add_executable(logging main.c)
+target_link_libraries(logging oehost)
+
+add_test(NAME tests/logging COMMAND logging ${CMAKE_CURRENT_BINARY_DIR}/out.log WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
diff --git a/tests/logging/main.c b/tests/logging/main.c
new file mode 100644
index 0000000000..993820f182
--- /dev/null
+++ b/tests/logging/main.c
@@ -0,0 +1,65 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <openenclave/internal/tests.h>
+#include <openenclave/internal/trace.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+void test_line_format(const char* line)
+{
+    OE_TEST(strstr(line, "e_ts") != NULL);
+    OE_TEST(strstr(line, "level") != NULL);
+    OE_TEST(strstr(line, "tid") != NULL);
+    OE_TEST(strstr(line, "msg") != NULL);
+    OE_TEST(strstr(line, "file") != NULL);
+    OE_TEST(strstr(line, "func") != NULL);
+    OE_TEST(strstr(line, "number") != NULL);
+}
+
+int TestLoggingFormat(const char* path)
+{
+    OE_TRACE_ERROR("Hey");
+    OE_TRACE_ERROR("Hello 'world'!");
+    OE_TRACE_ERROR("Hello \"world\"! \n \\n \r \\r \t \\t \f \\f \? \\?");
+    OE_TRACE_ERROR("\\u005C \u0024");
+    OE_TRACE_ERROR("\\\\\\\\");
+    FILE* log_file = fopen(path, "r");
+    char* line = NULL;
+    size_t len = 0;
+    if (log_file == NULL)
+    {
+        fprintf(stderr, "Failed to OPEN logfile %s\n", "out.log");
+        return 1;
+    }
+
+    while (getline(&line, &len, log_file) != -1)
+    {
+        test_line_format(line);
+    }
+    printf("=== passed TestLoggingFormat()\n");
+    return 0;
+}
+
+int main(int argc, const char* argv[])
+{
+    if (argc != 2)
+    {
+        fprintf(stderr, "Usage: %s LOG_FILE_PATH\n", argv[0]);
+        return 1;
+    }
+
+    const char* path = argv[1];
+    OE_TEST(setenv("OE_LOG_DEVICE", path, true) == 0);
+    OE_TEST(
+        setenv(
+            "OE_LOG_FORMAT",
+            "{\"e_ts\":\"%s.%06ldZ\",\"level\":\"(%s)%s\",\"tid\":\"tid(0x%lx)"
+            "\",\"msg\":\"%s\",\"file\":\"%s\",\"func\":\"%s\",\"number\":\"%"
+            "s\"}\n",
+            true) == 0);
+    OE_TEST(setenv("OE_JSON_ESCAPE", "true", true) == 0);
+    return TestLoggingFormat(path);
+}

From 726a6430df428ea0c4952e90f08fb48e3ac32dd3 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Sun, 29 Sep 2019 20:33:17 +0100
Subject: [PATCH 115/420] rename OE_JSON_ESCAPE to OE_LOG_ESCAPE

---
 docs/DesignDocs/LoggingFormat.md | 4 ++--
 host/traceh.c                    | 2 +-
 tests/logging/main.c             | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/DesignDocs/LoggingFormat.md b/docs/DesignDocs/LoggingFormat.md
index 386187d474..6547bfafea 100644
--- a/docs/DesignDocs/LoggingFormat.md
+++ b/docs/DesignDocs/LoggingFormat.md
@@ -43,7 +43,7 @@ User Experience
         }
         `
 
-- The user can set the `OE_JSON_ESCAPE` environmental variable and if it is set then the log message will be escaped in order to be compatible with the JSON standard.
+- The user can set the `OE_LOG_ESCAPE` environmental variable and if it is set then the log message will be escaped in order to be compatible with the JSON standard.
 
 Specification
 -------------
@@ -56,7 +56,7 @@ If `OE_LOG_FORMAT` is specified we call a method where we pass in the log line i
 
 If it is not then we use the default format string to log in the file.
 
-In addition to the `OE_LOG_FORMAT` environmental variable, if the `OE_JSON_ESCAPE` environmental variable is set, then the log message will be processed accordingly in order to be compatible with the JSON standard.
+In addition to the `OE_LOG_FORMAT` environmental variable, if the `OE_LOG_ESCAPE` environmental variable is set, then the log message will be processed accordingly in order to be compatible with the JSON standard.
 
 When logging to a separate file the normal logs are directed to stdout AND the log with the user specified format is directed to the file. This is useful if you want to keep the human readable logs, but also redirect a machine-readable format (e.g. JSON) to a file.
 
diff --git a/host/traceh.c b/host/traceh.c
index 89f0396b08..fe5e0023a0 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -72,7 +72,7 @@ void initialize_log_config()
         _log_level = _env2log_level();
         _log_file_name = getenv("OE_LOG_DEVICE");
         _custom_log_format = getenv("OE_LOG_FORMAT");
-        _json_escape = getenv("OE_JSON_ESCAPE");
+        _json_escape = getenv("OE_LOG_ESCAPE");
         if (_custom_log_format)
         {
             // check that custom log format string terminates with a line return
diff --git a/tests/logging/main.c b/tests/logging/main.c
index 993820f182..35a87a9c77 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -60,6 +60,6 @@ int main(int argc, const char* argv[])
             "\",\"msg\":\"%s\",\"file\":\"%s\",\"func\":\"%s\",\"number\":\"%"
             "s\"}\n",
             true) == 0);
-    OE_TEST(setenv("OE_JSON_ESCAPE", "true", true) == 0);
+    OE_TEST(setenv("OE_LOG_ESCAPE", "true", true) == 0);
     return TestLoggingFormat(path);
 }

From bb55c9423b57624887b00fa36f97b17f6b29d739 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Sun, 29 Sep 2019 20:50:18 +0100
Subject: [PATCH 116/420] make logging to stdout AND file optional, default log
 only to file when file specified

---
 docs/DesignDocs/LoggingFormat.md |  2 +-
 host/traceh.c                    | 15 ++++++++++-----
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/docs/DesignDocs/LoggingFormat.md b/docs/DesignDocs/LoggingFormat.md
index 6547bfafea..86bd813835 100644
--- a/docs/DesignDocs/LoggingFormat.md
+++ b/docs/DesignDocs/LoggingFormat.md
@@ -58,7 +58,7 @@ If it is not then we use the default format string to log in the file.
 
 In addition to the `OE_LOG_FORMAT` environmental variable, if the `OE_LOG_ESCAPE` environmental variable is set, then the log message will be processed accordingly in order to be compatible with the JSON standard.
 
-When logging to a separate file the normal logs are directed to stdout AND the log with the user specified format is directed to the file. This is useful if you want to keep the human readable logs, but also redirect a machine-readable format (e.g. JSON) to a file.
+When logging to a separate file the defaut logs are not sent to stdout and the custom logs are directed to the file. If the users wants to keep the default logs directed to stdout AND the custom logs sent to the file, they can set the `OE_LOG_ALL_STREAMS` environmental variable. This is useful if we want to keep the human readable logs, but also redirect a machine-readable format (e.g. JSON) to a file.
 
 OE logging format
 -----------------
diff --git a/host/traceh.c b/host/traceh.c
index fe5e0023a0..710123b185 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -22,7 +22,8 @@ static char* _log_level_strings[OE_LOG_LEVEL_MAX] =
 static oe_mutex _log_lock = OE_H_MUTEX_INITIALIZER;
 static const char* _log_file_name = NULL;
 static const char* _custom_log_format = NULL;
-static const char* _json_escape = NULL;
+static const char* _log_all_streams = NULL;
+static const char* _log_escape = NULL;
 static bool _log_creation_failed_before = false;
 oe_log_level_t _log_level = OE_LOG_LEVEL_ERROR;
 static bool _initialized = false;
@@ -72,7 +73,8 @@ void initialize_log_config()
         _log_level = _env2log_level();
         _log_file_name = getenv("OE_LOG_DEVICE");
         _custom_log_format = getenv("OE_LOG_FORMAT");
-        _json_escape = getenv("OE_LOG_ESCAPE");
+        _log_all_streams = getenv("OE_LOG_ALL_STREAMS");
+        _log_escape = getenv("OE_LOG_ESCAPE");
         if (_custom_log_format)
         {
             // check that custom log format string terminates with a line return
@@ -293,8 +295,11 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
     // Take the log file lock.
     if (oe_mutex_lock(&_log_lock) == OE_OK)
     {
-        _write_message_to_stream(
-            stdout, is_enclave, time, usecs, level, message);
+        if (_log_all_streams || !_log_file_name)
+        {
+            _write_message_to_stream(
+                stdout, is_enclave, time, usecs, level, message);
+        }
 
         if (!_log_file_name)
         {
@@ -342,7 +347,7 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
                 }
                 else
                 {
-                    if (_json_escape)
+                    if (_log_escape)
                     {
                         size_t msg_size = strlen(log_msg);
                         char log_msg_escaped[2 * msg_size];

From bc0db3d42cfd9bdd16a9d47e148834806c5240fa Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Mon, 30 Sep 2019 21:21:24 +0100
Subject: [PATCH 117/420] add another unicode char to test

---
 tests/logging/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/logging/main.c b/tests/logging/main.c
index 35a87a9c77..9a3af4c01c 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -24,7 +24,7 @@ int TestLoggingFormat(const char* path)
     OE_TRACE_ERROR("Hey");
     OE_TRACE_ERROR("Hello 'world'!");
     OE_TRACE_ERROR("Hello \"world\"! \n \\n \r \\r \t \\t \f \\f \? \\?");
-    OE_TRACE_ERROR("\\u005C \u0024");
+    OE_TRACE_ERROR("\\u005C \u0024 \u0040 @");
     OE_TRACE_ERROR("\\\\\\\\");
     FILE* log_file = fopen(path, "r");
     char* line = NULL;

From 8bd148aa1d84a3bd259b3965eab52d56d6cbe317 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Mon, 30 Sep 2019 21:31:32 +0100
Subject: [PATCH 118/420] close file in test and add more control characters to
 test

---
 tests/logging/main.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tests/logging/main.c b/tests/logging/main.c
index 9a3af4c01c..e369cd91d9 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -23,7 +23,9 @@ int TestLoggingFormat(const char* path)
 {
     OE_TRACE_ERROR("Hey");
     OE_TRACE_ERROR("Hello 'world'!");
-    OE_TRACE_ERROR("Hello \"world\"! \n \\n \r \\r \t \\t \f \\f \? \\?");
+    OE_TRACE_ERROR("Hello \"world\"!");
+    OE_TRACE_ERROR(
+        "\a \\a \b \\b \e \\e \f \\f \n \\n \r \\r \t \\t \v \\v \? \\?");
     OE_TRACE_ERROR("\\u005C \u0024 \u0040 @");
     OE_TRACE_ERROR("\\\\\\\\");
     FILE* log_file = fopen(path, "r");
@@ -39,6 +41,7 @@ int TestLoggingFormat(const char* path)
     {
         test_line_format(line);
     }
+    fclose(log_file);
     printf("=== passed TestLoggingFormat()\n");
     return 0;
 }

From f4d6e71cc7aca48150c82d8913dc66eba418a645 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Wed, 2 Oct 2019 17:52:26 +0100
Subject: [PATCH 119/420] escape properly and log specific message when
 extended ascii detected

---
 docs/DesignDocs/LoggingFormat.md |  8 ++--
 host/traceh.c                    | 66 ++++++++++++++++++++++----------
 tests/logging/main.c             | 61 ++++++++++++++++++++++++++++-
 3 files changed, 109 insertions(+), 26 deletions(-)

diff --git a/docs/DesignDocs/LoggingFormat.md b/docs/DesignDocs/LoggingFormat.md
index 86bd813835..0f35df027d 100644
--- a/docs/DesignDocs/LoggingFormat.md
+++ b/docs/DesignDocs/LoggingFormat.md
@@ -25,7 +25,7 @@ User Experience
         - function log initiated from
         - file line number log initiated from
 
-        so for example a log foramt could be set like this:
+        so for example a log format could be set like this:
 
         `OE_LOG_FORMAT=$'{\"e_ts\":\"%s.%06ldZ\",\"level\":\"(%s)%s\",\"tid\":\"tid(0x%lx)\",\"msg\":\"%s\",\"file\":\"%s\",\"func\":\"%s\",\"number":\"%s\"}\n'`
 
@@ -48,15 +48,15 @@ User Experience
 Specification
 -------------
 
-Users can specify their own format when logging to a user specified file via the existing `OE_LOG_DEVICE` environmental variable.
+Users can specify their own format when logging to a user specified file via the existing `OE_LOG_DEVICE` environment variable.
 If the var is not specified then logging goes on as usual.
 
-If the var is specified then we look for an extra environmental variable `OE_LOG_FORMAT`.
+If the var is specified then we look for an extra environment variable `OE_LOG_FORMAT`.
 If `OE_LOG_FORMAT` is specified we call a method where we pass in the log line information and it is formatted by the `OE_LOG_FORMAT` string. If it is set it needs to end with a newlone.
 
 If it is not then we use the default format string to log in the file.
 
-In addition to the `OE_LOG_FORMAT` environmental variable, if the `OE_LOG_ESCAPE` environmental variable is set, then the log message will be processed accordingly in order to be compatible with the JSON standard.
+In addition to the `OE_LOG_FORMAT` environment variable, if the `OE_LOG_ESCAPE` environment variable is set, then the log message will be processed accordingly in order to be compatible with the JSON standard.
 
 When logging to a separate file the defaut logs are not sent to stdout and the custom logs are directed to the file. If the users wants to keep the default logs directed to stdout AND the custom logs sent to the file, they can set the `OE_LOG_ALL_STREAMS` environmental variable. This is useful if we want to keep the human readable logs, but also redirect a machine-readable format (e.g. JSON) to a file.
 
diff --git a/host/traceh.c b/host/traceh.c
index 710123b185..87bbd15b1e 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -25,6 +25,7 @@ static const char* _custom_log_format = NULL;
 static const char* _log_all_streams = NULL;
 static const char* _log_escape = NULL;
 static bool _log_creation_failed_before = false;
+static const size_t MAX_ESCAPED_BYTE_LEN = 6;
 oe_log_level_t _log_level = OE_LOG_LEVEL_ERROR;
 static bool _initialized = false;
 
@@ -93,13 +94,12 @@ void initialize_log_config()
 }
 
 static void _escape_characters(
-    char* log_msg,
+    const char* log_msg,
     char* log_msg_escaped,
     size_t msg_size,
     size_t max_msg_size)
 {
     size_t idx = 0;
-
     for (size_t i = 0; i < msg_size; i++)
     {
         int c = log_msg[i];
@@ -159,7 +159,15 @@ static void _escape_characters(
                     log_msg_escaped[idx] = '?';
                     break;
                 default:
-                    log_msg_escaped[idx] = ' ';
+                    if ((unsigned int)log_msg[i] >= 128)
+                    {
+                        // extended ascii
+                        log_msg_escaped[0] = '\0';
+                        return;
+                    }
+                    sprintf(
+                        (char*)&log_msg_escaped[idx], "u%04hhx", log_msg[i]);
+                    idx += 5;
                     break;
             }
         }
@@ -328,9 +336,8 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
             }
             else
             {
-                char* message_dup = strdup(message);
                 char* message_cursor = NULL;
-                char* log_msg = strtok_r(message_dup, "[", &message_cursor);
+                char* log_msg = strtok_r((char*)message, "[", &message_cursor);
                 char* file_name = strtok_r(NULL, ":", &message_cursor);
                 char* function = strtok_r(NULL, ":", &message_cursor);
                 char* line_number = strtok_r(NULL, "]", &message_cursor);
@@ -350,21 +357,40 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
                     if (_log_escape)
                     {
                         size_t msg_size = strlen(log_msg);
-                        char log_msg_escaped[2 * msg_size];
+                        size_t max_msg_size =
+                            MAX_ESCAPED_BYTE_LEN * msg_size + 1;
+                        char* log_msg_escaped = malloc(max_msg_size);
                         _escape_characters(
-                            log_msg, log_msg_escaped, msg_size, (2 * msg_size));
-
-                        _write_custom_format_message_to_stream(
-                            log_file,
-                            is_enclave,
-                            time,
-                            usecs,
-                            level,
-                            log_msg_escaped,
-                            file_name,
-                            function,
-                            line_number,
-                            _custom_log_format);
+                            log_msg, log_msg_escaped, msg_size, max_msg_size);
+                        if (log_msg_escaped[0] == '\0')
+                        {
+                            _write_custom_format_message_to_stream(
+                                log_file,
+                                is_enclave,
+                                time,
+                                usecs,
+                                level,
+                                "failed to escape log message",
+                                file_name,
+                                function,
+                                line_number,
+                                _custom_log_format);
+                        }
+                        else
+                        {
+                            _write_custom_format_message_to_stream(
+                                log_file,
+                                is_enclave,
+                                time,
+                                usecs,
+                                level,
+                                log_msg_escaped,
+                                file_name,
+                                function,
+                                line_number,
+                                _custom_log_format);
+                        }
+                        free(log_msg_escaped);
                     }
                     else
                     {
@@ -381,8 +407,6 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
                             _custom_log_format);
                     }
                 }
-
-                free(message_dup);
             }
 
             fflush(log_file);
diff --git a/tests/logging/main.c b/tests/logging/main.c
index e369cd91d9..3648a273d5 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -1,12 +1,19 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+#define PTHREAD_RECURSIVE_MUTEX_INITIALIZER_NP \
+    {                                          \
+        {                                      \
+        }                                      \
+    }
+
 #include <openenclave/internal/tests.h>
 #include <openenclave/internal/trace.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include "../host/traceh.c"
 
 void test_line_format(const char* line)
 {
@@ -19,6 +26,14 @@ void test_line_format(const char* line)
     OE_TEST(strstr(line, "number") != NULL);
 }
 
+void test_escaped_msg(const char* msg, const char* expected)
+{
+    size_t msg_size = strlen(msg);
+    char msg_escaped[MAX_ESCAPED_BYTE_LEN * msg_size + 1];
+    _escape_characters(msg, msg_escaped, msg_size, (8 * msg_size + 1));
+    OE_TEST(strcmp(msg_escaped, expected) == 0);
+}
+
 int TestLoggingFormat(const char* path)
 {
     OE_TRACE_ERROR("Hey");
@@ -28,6 +43,12 @@ int TestLoggingFormat(const char* path)
         "\a \\a \b \\b \e \\e \f \\f \n \\n \r \\r \t \\t \v \\v \? \\?");
     OE_TRACE_ERROR("\\u005C \u0024 \u0040 @");
     OE_TRACE_ERROR("\\\\\\\\");
+    OE_TRACE_ERROR("\u2605");
+    OE_TRACE_ERROR("\01");
+    OE_TRACE_ERROR("\037");
+    OE_TRACE_ERROR("\024");
+    OE_TRACE_ERROR("\200");
+    OE_TRACE_ERROR("\u2605\u0024");
     FILE* log_file = fopen(path, "r");
     char* line = NULL;
     size_t len = 0;
@@ -46,6 +67,42 @@ int TestLoggingFormat(const char* path)
     return 0;
 }
 
+int TestEscapedCharachters()
+{
+    {
+        char msg[] = "Hey";
+        char expected[] = "Hey";
+        test_escaped_msg(msg, expected);
+    }
+    {
+        char msg[] = "\u2605";
+        char expected[] = "";
+        test_escaped_msg(msg, expected);
+    }
+    {
+        char msg[] = "\200";
+        char expected[] = "";
+        test_escaped_msg(msg, expected);
+    }
+    {
+        char msg[] = "\037";
+        char expected[] = "\\\\u001f";
+        test_escaped_msg(msg, expected);
+    }
+    {
+        char msg[] = "\u2605\u0024";
+        char expected[] = "";
+        test_escaped_msg(msg, expected);
+    }
+    {
+        char msg[] = "\\\\\\\\";
+        char expected[] = "\\\\\\\\\\\\\\\\";
+        test_escaped_msg(msg, expected);
+    }
+    printf("=== passed TestEscapedCharachters()\n");
+    return 0;
+}
+
 int main(int argc, const char* argv[])
 {
     if (argc != 2)
@@ -64,5 +121,7 @@ int main(int argc, const char* argv[])
             "s\"}\n",
             true) == 0);
     OE_TEST(setenv("OE_LOG_ESCAPE", "true", true) == 0);
-    return TestLoggingFormat(path);
+    TestEscapedCharachters();
+    TestLoggingFormat(path);
+    return 0;
 }

From 424a21c1826415b32fc1d3e78a8487c55e8b69db Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Wed, 2 Oct 2019 18:06:50 +0100
Subject: [PATCH 120/420] return and check boolean from escape characters
 method

---
 host/traceh.c        | 14 +++++++-------
 tests/logging/main.c | 25 ++++++++++++++-----------
 2 files changed, 21 insertions(+), 18 deletions(-)

diff --git a/host/traceh.c b/host/traceh.c
index 87bbd15b1e..1461b579af 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -93,7 +93,7 @@ void initialize_log_config()
     }
 }
 
-static void _escape_characters(
+static bool _escape_characters(
     const char* log_msg,
     char* log_msg_escaped,
     size_t msg_size,
@@ -162,8 +162,7 @@ static void _escape_characters(
                     if ((unsigned int)log_msg[i] >= 128)
                     {
                         // extended ascii
-                        log_msg_escaped[0] = '\0';
-                        return;
+                        return false;
                     }
                     sprintf(
                         (char*)&log_msg_escaped[idx], "u%04hhx", log_msg[i]);
@@ -182,6 +181,7 @@ static void _escape_characters(
         log_msg_escaped[idx] = '\0';
         idx++;
     }
+    return true;
 }
 
 static void _write_message_to_stream(
@@ -360,9 +360,9 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
                         size_t max_msg_size =
                             MAX_ESCAPED_BYTE_LEN * msg_size + 1;
                         char* log_msg_escaped = malloc(max_msg_size);
-                        _escape_characters(
+                        bool escaped_ok = _escape_characters(
                             log_msg, log_msg_escaped, msg_size, max_msg_size);
-                        if (log_msg_escaped[0] == '\0')
+                        if (escaped_ok)
                         {
                             _write_custom_format_message_to_stream(
                                 log_file,
@@ -370,7 +370,7 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
                                 time,
                                 usecs,
                                 level,
-                                "failed to escape log message",
+                                log_msg_escaped,
                                 file_name,
                                 function,
                                 line_number,
@@ -384,7 +384,7 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
                                 time,
                                 usecs,
                                 level,
-                                log_msg_escaped,
+                                "failed to escape log message",
                                 file_name,
                                 function,
                                 line_number,
diff --git a/tests/logging/main.c b/tests/logging/main.c
index 3648a273d5..fd7c72d7ad 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -26,11 +26,17 @@ void test_line_format(const char* line)
     OE_TEST(strstr(line, "number") != NULL);
 }
 
-void test_escaped_msg(const char* msg, const char* expected)
+void test_escaped_msg(const char* msg, const char* expected, bool expect_ok)
 {
     size_t msg_size = strlen(msg);
     char msg_escaped[MAX_ESCAPED_BYTE_LEN * msg_size + 1];
-    _escape_characters(msg, msg_escaped, msg_size, (8 * msg_size + 1));
+    bool ok =
+        _escape_characters(msg, msg_escaped, msg_size, (8 * msg_size + 1));
+    if (!expect_ok)
+    {
+        OE_TEST(!ok);
+        return;
+    }
     OE_TEST(strcmp(msg_escaped, expected) == 0);
 }
 
@@ -72,32 +78,29 @@ int TestEscapedCharachters()
     {
         char msg[] = "Hey";
         char expected[] = "Hey";
-        test_escaped_msg(msg, expected);
+        test_escaped_msg(msg, expected, true);
     }
     {
         char msg[] = "\u2605";
-        char expected[] = "";
-        test_escaped_msg(msg, expected);
+        test_escaped_msg(msg, "", false);
     }
     {
         char msg[] = "\200";
-        char expected[] = "";
-        test_escaped_msg(msg, expected);
+        test_escaped_msg(msg, "", false);
     }
     {
         char msg[] = "\037";
         char expected[] = "\\\\u001f";
-        test_escaped_msg(msg, expected);
+        test_escaped_msg(msg, expected, true);
     }
     {
         char msg[] = "\u2605\u0024";
-        char expected[] = "";
-        test_escaped_msg(msg, expected);
+        test_escaped_msg(msg, "", false);
     }
     {
         char msg[] = "\\\\\\\\";
         char expected[] = "\\\\\\\\\\\\\\\\";
-        test_escaped_msg(msg, expected);
+        test_escaped_msg(msg, expected, true);
     }
     printf("=== passed TestEscapedCharachters()\n");
     return 0;

From 24dcb5f3c9d2f8818448e4a4157668fdbc97d1d6 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Thu, 3 Oct 2019 15:16:26 +0100
Subject: [PATCH 121/420] tidy up

---
 host/traceh.c        | 57 +++++++++++++++++---------------------------
 tests/logging/main.c | 13 ++++++----
 2 files changed, 30 insertions(+), 40 deletions(-)

diff --git a/host/traceh.c b/host/traceh.c
index 1461b579af..7f67ee19b1 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -25,7 +25,9 @@ static const char* _custom_log_format = NULL;
 static const char* _log_all_streams = NULL;
 static const char* _log_escape = NULL;
 static bool _log_creation_failed_before = false;
-static const size_t MAX_ESCAPED_BYTE_LEN = 6;
+static const size_t MAX_ESCAPED_CHAR_LEN = 5; // e.g. u2605
+static const size_t MAX_ESCAPED_MSG_MULTIPLIER =
+    sizeof("\\\\") + MAX_ESCAPED_CHAR_LEN;
 oe_log_level_t _log_level = OE_LOG_LEVEL_ERROR;
 static bool _initialized = false;
 
@@ -85,7 +87,7 @@ void initialize_log_config()
                 fprintf(
                     stderr,
                     "%s\n",
-                    "Custom log format does not end with a newline");
+                    "[ERROR] Custom log format does not end with a newline");
                 exit(1);
             }
         }
@@ -159,14 +161,14 @@ static bool _escape_characters(
                     log_msg_escaped[idx] = '?';
                     break;
                 default:
-                    if ((unsigned int)log_msg[i] >= 128)
+                    if ((uint8_t)log_msg[i] > 127 /* max ASCII value */)
                     {
-                        // extended ascii
                         return false;
                     }
                     sprintf(
                         (char*)&log_msg_escaped[idx], "u%04hhx", log_msg[i]);
-                    idx += 5;
+                    // idx is also incremented after switch case
+                    idx += MAX_ESCAPED_CHAR_LEN - 1;
                     break;
             }
         }
@@ -179,7 +181,6 @@ static bool _escape_characters(
     if (idx < max_msg_size)
     {
         log_msg_escaped[idx] = '\0';
-        idx++;
     }
     return true;
 }
@@ -358,38 +359,24 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
                     {
                         size_t msg_size = strlen(log_msg);
                         size_t max_msg_size =
-                            MAX_ESCAPED_BYTE_LEN * msg_size + 1;
+                            MAX_ESCAPED_MSG_MULTIPLIER * msg_size + 1;
                         char* log_msg_escaped = malloc(max_msg_size);
                         bool escaped_ok = _escape_characters(
                             log_msg, log_msg_escaped, msg_size, max_msg_size);
-                        if (escaped_ok)
-                        {
-                            _write_custom_format_message_to_stream(
-                                log_file,
-                                is_enclave,
-                                time,
-                                usecs,
-                                level,
-                                log_msg_escaped,
-                                file_name,
-                                function,
-                                line_number,
-                                _custom_log_format);
-                        }
-                        else
-                        {
-                            _write_custom_format_message_to_stream(
-                                log_file,
-                                is_enclave,
-                                time,
-                                usecs,
-                                level,
-                                "failed to escape log message",
-                                file_name,
-                                function,
-                                line_number,
-                                _custom_log_format);
-                        }
+
+                        _write_custom_format_message_to_stream(
+                            log_file,
+                            is_enclave,
+                            time,
+                            usecs,
+                            level,
+                            (escaped_ok ? log_msg_escaped
+                                        : "failed to escape log message"),
+                            file_name,
+                            function,
+                            line_number,
+                            _custom_log_format);
+
                         free(log_msg_escaped);
                     }
                     else
diff --git a/tests/logging/main.c b/tests/logging/main.c
index fd7c72d7ad..4c92edb732 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -29,9 +29,12 @@ void test_line_format(const char* line)
 void test_escaped_msg(const char* msg, const char* expected, bool expect_ok)
 {
     size_t msg_size = strlen(msg);
-    char msg_escaped[MAX_ESCAPED_BYTE_LEN * msg_size + 1];
-    bool ok =
-        _escape_characters(msg, msg_escaped, msg_size, (8 * msg_size + 1));
+    char msg_escaped[MAX_ESCAPED_MSG_MULTIPLIER * msg_size + 1];
+    bool ok = _escape_characters(
+        msg,
+        msg_escaped,
+        msg_size,
+        (MAX_ESCAPED_MSG_MULTIPLIER * msg_size + 1));
     if (!expect_ok)
     {
         OE_TEST(!ok);
@@ -73,7 +76,7 @@ int TestLoggingFormat(const char* path)
     return 0;
 }
 
-int TestEscapedCharachters()
+int TestEscapedCharacters()
 {
     {
         char msg[] = "Hey";
@@ -124,7 +127,7 @@ int main(int argc, const char* argv[])
             "s\"}\n",
             true) == 0);
     OE_TEST(setenv("OE_LOG_ESCAPE", "true", true) == 0);
-    TestEscapedCharachters();
+    TestEscapedCharacters();
     TestLoggingFormat(path);
     return 0;
 }

From 8071852b0c608835b67a4d30c709fc9e401d7ccd Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Thu, 3 Oct 2019 15:24:11 +0100
Subject: [PATCH 122/420] fix typos

---
 docs/DesignDocs/LoggingFormat.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs/DesignDocs/LoggingFormat.md b/docs/DesignDocs/LoggingFormat.md
index 0f35df027d..15146244e2 100644
--- a/docs/DesignDocs/LoggingFormat.md
+++ b/docs/DesignDocs/LoggingFormat.md
@@ -11,9 +11,9 @@ Users should be able to specify and control their own logging format so that the
 User Experience
 ---------------
 
-- The user can set the `OE_LOG_DEVICE` environmental variable to specify the log file location
+- The user can set the `OE_LOG_DEVICE` environment variable to specify the log file location
 
-- The user can set the `OE_LOG_FORMAT` environmental variable to specify the log format. The user will be given the below information:
+- The user can set the `OE_LOG_FORMAT` environment variable to specify the log format. The user will be given the below information:
 
         - time in string format
         - microseconds
@@ -43,7 +43,7 @@ User Experience
         }
         `
 
-- The user can set the `OE_LOG_ESCAPE` environmental variable and if it is set then the log message will be escaped in order to be compatible with the JSON standard.
+- The user can set the `OE_LOG_ESCAPE` environment variable and if it is set then the log message will be escaped in order to be compatible with the JSON standard.
 
 Specification
 -------------
@@ -52,13 +52,13 @@ Users can specify their own format when logging to a user specified file via the
 If the var is not specified then logging goes on as usual.
 
 If the var is specified then we look for an extra environment variable `OE_LOG_FORMAT`.
-If `OE_LOG_FORMAT` is specified we call a method where we pass in the log line information and it is formatted by the `OE_LOG_FORMAT` string. If it is set it needs to end with a newlone.
+If `OE_LOG_FORMAT` is specified we call a method where we pass in the log line information and it is formatted by the `OE_LOG_FORMAT` string. If it is set it needs to end with a newline.
 
 If it is not then we use the default format string to log in the file.
 
 In addition to the `OE_LOG_FORMAT` environment variable, if the `OE_LOG_ESCAPE` environment variable is set, then the log message will be processed accordingly in order to be compatible with the JSON standard.
 
-When logging to a separate file the defaut logs are not sent to stdout and the custom logs are directed to the file. If the users wants to keep the default logs directed to stdout AND the custom logs sent to the file, they can set the `OE_LOG_ALL_STREAMS` environmental variable. This is useful if we want to keep the human readable logs, but also redirect a machine-readable format (e.g. JSON) to a file.
+When logging to a separate file the defaut logs are not sent to stdout and the custom logs are directed to the file. If the user wants to keep the default logs directed to stdout AND the custom logs sent to the file, they can set the `OE_LOG_ALL_STREAMS` environment variable. This is useful if we want to keep the human readable logs, but also redirect a machine-readable format (e.g. JSON) to a file.
 
 OE logging format
 -----------------

From ec41db4a8d26d2aef552061200b3136c84880da8 Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Thu, 3 Oct 2019 17:03:07 +0000
Subject: [PATCH 123/420] Fix typo in oe_get_qe_identity_info_ocall function
 name

Rename `oe_get_qe_identify_info_ocall` to `oe_qe_get_identity_info_ocall` for alignment with data structure name.
---
 common/sgx/sgx.edl     | 2 +-
 enclave/sgx/qeidinfo.c | 4 ++--
 host/sgx/ocalls.c      | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/common/sgx/sgx.edl b/common/sgx/sgx.edl
index 2b5b5199c4..c87ceaadd9 100644
--- a/common/sgx/sgx.edl
+++ b/common/sgx/sgx.edl
@@ -36,7 +36,7 @@ enclave
             size_t quote_size,
             [out] size_t* quote_size_out);
 
-        oe_result_t oe_get_qe_identify_info_ocall(
+        oe_result_t oe_get_qe_identity_info_ocall(
             [out, size=qe_id_info_size] void* qe_id_info,
             size_t qe_id_info_size,
             [out] size_t* qe_id_info_size_out,
diff --git a/enclave/sgx/qeidinfo.c b/enclave/sgx/qeidinfo.c
index 6f4bdd45a3..0017605926 100644
--- a/enclave/sgx/qeidinfo.c
+++ b/enclave/sgx/qeidinfo.c
@@ -40,7 +40,7 @@ oe_result_t oe_get_qe_identity_info(oe_get_qe_identity_info_args_t* args_out)
     args.issuer_chain_size = ISSUER_CHAIN_SIZE;
 
     /* First call (one or more buffers might be too small). */
-    if (oe_get_qe_identify_info_ocall(
+    if (oe_get_qe_identity_info_ocall(
             &retval,
             args.qe_id_info,
             args.qe_id_info_size,
@@ -76,7 +76,7 @@ oe_result_t oe_get_qe_identity_info(oe_get_qe_identity_info_args_t* args_out)
             OE_RAISE(OE_OUT_OF_MEMORY);
         }
 
-        if (oe_get_qe_identify_info_ocall(
+        if (oe_get_qe_identity_info_ocall(
                 &retval,
                 args.qe_id_info,
                 args.qe_id_info_size,
diff --git a/host/sgx/ocalls.c b/host/sgx/ocalls.c
index d11a3ae249..594a7efd59 100644
--- a/host/sgx/ocalls.c
+++ b/host/sgx/ocalls.c
@@ -271,7 +271,7 @@ oe_result_t oe_get_revocation_info_ocall(
     return result;
 }
 
-oe_result_t oe_get_qe_identify_info_ocall(
+oe_result_t oe_get_qe_identity_info_ocall(
     void* qe_id_info,
     size_t qe_id_info_size,
     size_t* qe_id_info_size_out,
@@ -384,7 +384,7 @@ oe_result_t oe_get_revocation_info_ocall(
     return OE_UNSUPPORTED;
 }
 
-oe_result_t oe_get_qe_identify_info_ocall(
+oe_result_t oe_get_qe_identity_info_ocall(
     void* qe_id_info,
     size_t qe_id_info_size,
     size_t* qe_id_info_size_out,

From ded1e304f3377eeace125c441a4022d1f6b690ab Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Thu, 3 Oct 2019 18:47:44 +0000
Subject: [PATCH 124/420] Set John Kordich as the Release Manager.

---
 docs/Committers.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/Committers.md b/docs/Committers.md
index e8ff31c008..8ad3e558d3 100644
--- a/docs/Committers.md
+++ b/docs/Committers.md
@@ -93,7 +93,7 @@ instead, it should be brought up with the Community Governance Committee.
 | Hernan Gatta          | HernanGatta         | TrustZone                      |
 | Sergio Wong           | jazzybluesea        | Attestation, SGX               |
 | Jiri Appl             | jiria               | Attestation, TrustZone         |
-| John Kordich          | johnkord            | Build, CI, Dev Tools           |
+| John Kordich          | johnkord            | Build, CI, Dev Tools, Release  |
 | Xuejun Yang           | jxyang              | SGX                            |
 | Mike Brasher          | mikbras             | SGX, APIs, EDL                 |
 | Marius Oprin          | oprinmarius         | Build, CMake, CI, Ansible      |

From 3b25709608d30d0826319e9b9367cb641ec12f4f Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Thu, 3 Oct 2019 21:45:33 +0000
Subject: [PATCH 125/420] Address PR feedback

- Use __linux__/_Win32 instead of compiler versions.
- Use oe_thread_create/oe_thread_join and remove custom thread-creation logic.
---
 include/openenclave/internal/switchless.h |  2 +-
 tests/switchless/host/CMakeLists.txt      |  1 -
 tests/switchless/host/host.c              | 62 ++++++++---------------
 tests/switchless_threads/host/host.c      | 36 ++-----------
 4 files changed, 25 insertions(+), 76 deletions(-)

diff --git a/include/openenclave/internal/switchless.h b/include/openenclave/internal/switchless.h
index 43a87ddace..24b9e09ecc 100644
--- a/include/openenclave/internal/switchless.h
+++ b/include/openenclave/internal/switchless.h
@@ -26,7 +26,7 @@ typedef struct _host_worker_thread_context
 
 /**
  * oe_host_worker_context_t is used both by the host (windows/linux) and the
- * enclave (ELF). Lockdown the layout.
+ * enclave (ELF). Lock down the layout.
  */
 OE_STATIC_ASSERT(sizeof(oe_host_worker_context_t) == 40);
 OE_STATIC_ASSERT(OE_OFFSETOF(oe_host_worker_context_t, call_arg) == 0);
diff --git a/tests/switchless/host/CMakeLists.txt b/tests/switchless/host/CMakeLists.txt
index 3d64e99517..e38d76b2ae 100644
--- a/tests/switchless/host/CMakeLists.txt
+++ b/tests/switchless/host/CMakeLists.txt
@@ -3,7 +3,6 @@
 
 oeedl_file(../switchless.edl host gen)
 
-
 add_executable(switchless_host host.c ${gen})
 
 target_include_directories(switchless_host PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
diff --git a/tests/switchless/host/host.c b/tests/switchless/host/host.c
index 6b40a7fea7..a354ecba0c 100644
--- a/tests/switchless/host/host.c
+++ b/tests/switchless/host/host.c
@@ -3,15 +3,13 @@
 
 #include <limits.h>
 #include <openenclave/host.h>
+#include <openenclave/internal/atomic.h>
 #include <openenclave/internal/error.h>
 #include <openenclave/internal/tests.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <time.h>
-#if _MSC_VER
-#include <Windows.h>
-#endif
 #include "../../../host/hostthread.h"
 #include "../../../host/strings.h"
 #include "switchless_u.h"
@@ -21,51 +19,30 @@
 
 #define STRING_LEN 100
 
-#if _MSC_VER
-static double frequency;
-#endif
-
-static int thread_create(oe_thread_t* thread, void* (*func)(void*), void* arg)
-{
-#if __GNUC__
-    return pthread_create(thread, NULL, func, arg);
-#elif _MSC_VER
-    typedef DWORD (*start_routine_t)(void*);
-    start_routine_t start_routine = (start_routine_t)func;
-    *thread = (oe_thread_t)CreateThread(NULL, 0, start_routine, arg, 0, NULL);
-    return *thread == (oe_thread_t)NULL ? 1 : 0;
-#endif
-}
-
-static int thread_join(oe_thread_t thread)
-{
-#if __GNUC__
-    return pthread_join(thread, NULL);
-#elif _MSC_VER
-    HANDLE handle = (HANDLE)thread;
-    if (WaitForSingleObject(handle, INFINITE) == WAIT_OBJECT_0)
-    {
-        CloseHandle(handle);
-        return 0;
-    }
-    return 1;
-#endif
-}
+#if defined(__linux__)
 
 double get_relative_time_in_microseconds()
 {
-#if __GNUC__
     struct timespec current_time;
     clock_gettime(CLOCK_REALTIME, &current_time);
     return (double)current_time.tv_sec * 1000000 +
            (double)current_time.tv_nsec / 1000.0;
-#elif _MSC_VER
+}
+
+#elif defined(_WIN32)
+
+#include <Windows.h>
+
+static double frequency;
+double get_relative_time_in_microseconds()
+{
     double current_time;
     QueryPerformanceCounter(&current_time);
     return current_time / frequency;
-#endif
 }
 
+#endif
+
 int host_echo_switchless(
     const char* in,
     char* out,
@@ -137,7 +114,7 @@ int main(int argc, const char* argv[])
         return 1;
     }
 
-    uint64_t num_host_threads = 2;
+    uint64_t num_host_threads = 1;
     uint64_t num_enclave_threads = 2;
 
     if (argc >= 3)
@@ -150,7 +127,7 @@ int main(int argc, const char* argv[])
         sscanf(argv[3], "%lu", &num_enclave_threads);
     }
 
-#if _MSC_VER
+#if defined(__WIN32)
     QueryPerformanceFrequency(&frequency);
     frequency /= 1000000; // convert to microseconds
 #endif
@@ -180,11 +157,12 @@ int main(int argc, const char* argv[])
     oe_thread_t tid[32] = {0};
     for (uint64_t i = 0; i < num_extra_enc_threads; ++i)
     {
-        thread_create(&tid[i], launch_enclave_thread, enclave);
-        if (tid[i])
+        int ret = 0;
+        if ((ret = oe_thread_create(&tid[i], launch_enclave_thread, enclave)))
         {
-            printf("Launched enclave producer thread %ld\n", i);
+            oe_put_err("thread_create(host): ret=%u", ret);
         }
+        printf("Launched enclave producer thread %ld\n", i);
     }
     printf("Using main enclave thread\n");
     double switchless_microseconds = make_repeated_switchless_ocalls(enclave);
@@ -204,7 +182,7 @@ int main(int argc, const char* argv[])
     for (uint64_t i = 0; i < num_extra_enc_threads; ++i)
     {
         if (tid[i])
-            thread_join(tid[i]);
+            oe_thread_join(tid[i]);
     }
 
     result = oe_terminate_enclave(enclave);
diff --git a/tests/switchless_threads/host/host.c b/tests/switchless_threads/host/host.c
index c564917872..fc4938714a 100644
--- a/tests/switchless_threads/host/host.c
+++ b/tests/switchless_threads/host/host.c
@@ -9,11 +9,10 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#if __GNUC__
-#include <pthread.h>
-#elif _MSC_VER
+#if _MSC_VER
 #include <windows.h>
 #endif
+#include "../../../host/hostthread.h"
 #include "switchless_threads_u.h"
 
 // For SGX, the enclave supports up to 8 concurrent threads in it. We have
@@ -25,33 +24,6 @@
 #define HOST_PARAM_STRING "host string parameter"
 #define HOST_STACK_STRING "host string on stack"
 
-static int thread_create(oe_thread_t* thread, void* (*func)(void*), void* arg)
-{
-#if __GNUC__
-    return pthread_create(thread, NULL, func, arg);
-#elif _MSC_VER
-    typedef DWORD (*start_routine_t)(void*);
-    start_routine_t start_routine = (start_routine_t)func;
-    *thread = (oe_thread_t)CreateThread(NULL, 0, start_routine, arg, 0, NULL);
-    return *thread == (oe_thread_t)NULL ? 1 : 0;
-#endif
-}
-
-static int thread_join(oe_thread_t thread)
-{
-#if __GNUC__
-    return pthread_join(thread, NULL);
-#elif _MSC_VER
-    HANDLE handle = (HANDLE)thread;
-    if (WaitForSingleObject(handle, INFINITE) == WAIT_OBJECT_0)
-    {
-        CloseHandle(handle);
-        return 0;
-    }
-    return 1;
-#endif
-}
-
 int host_echo_switchless(char* in, char* out, char* str1, char str2[STRING_LEN])
 {
     OE_TEST(strcmp(str1, HOST_PARAM_STRING) == 0);
@@ -128,7 +100,7 @@ int main(int argc, const char* argv[])
     for (int i = 0; i < NUM_HOST_THREADS; i++)
     {
         int ret = 0;
-        if ((ret = thread_create(&threads[i], thread_func, enclave)))
+        if ((ret = oe_thread_create(&threads[i], thread_func, enclave)))
         {
             oe_put_err("thread_create(host): ret=%u", ret);
         }
@@ -146,7 +118,7 @@ int main(int argc, const char* argv[])
     // Wait for the threads to complete.
     for (int i = 0; i < NUM_HOST_THREADS; i++)
     {
-        thread_join(threads[i]);
+        oe_thread_join(threads[i]);
     }
 
     result = oe_terminate_enclave(enclave);

From ea7f89e4fd77545f083877da46460bfa83bd6648 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Thu, 3 Oct 2019 16:18:22 -0700
Subject: [PATCH 126/420] Fixing sample docs

---
 .../Contributors/InstallInfo.md               |   4 +-
 .../Contributors/WindowsInstallInfo.md        |  30 ++++
 .../Contributors/WindowsSamples.md            |  11 ++
 .../Contributors/building_oe_sdk.md           |  12 ++
 docs/GettingStartedDocs/using_oe_sdk.md       |  14 +-
 samples/CMakeLists.txt                        |  11 +-
 samples/README.md                             |  25 ++-
 samples/README_Linux.md                       | 156 ++++++++++++++++++
 samples/README_Windows.md                     | 146 ++++++++++++++++
 9 files changed, 388 insertions(+), 21 deletions(-)
 create mode 100644 docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
 create mode 100644 docs/GettingStartedDocs/Contributors/WindowsSamples.md
 create mode 100644 samples/README_Linux.md
 create mode 100644 samples/README_Windows.md

diff --git a/docs/GettingStartedDocs/Contributors/InstallInfo.md b/docs/GettingStartedDocs/Contributors/InstallInfo.md
index 7680158bbc..e2910e77c5 100644
--- a/docs/GettingStartedDocs/Contributors/InstallInfo.md
+++ b/docs/GettingStartedDocs/Contributors/InstallInfo.md
@@ -1,5 +1,5 @@
-Basic Install
-=============
+Basic Install on Linux
+======================
 
 You can locally install the SDK from the compiled Open Enclave tree by specifying
 the install-prefix to the cmake call before calling "make install". The SDK does
diff --git a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
new file mode 100644
index 0000000000..3d7918f16f
--- /dev/null
+++ b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
@@ -0,0 +1,30 @@
+Basic Install on Windows
+========================
+
+You can locally install the SDK from the compiled Open Enclave tree by specifying
+the install-prefix to the cmake call before calling "ninja install".
+From the build subfolder in your source tree:
+
+```cmd
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH= [NuGet_package_Path]   -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclaveSDK" -DUSE_LIBSGX=ON
+ninja install
+```
+
+This will install the [resulting SDK layout](/docs/GettingStartedDocs/using_oe_sdk.md#open-enclave-sdk-layout) to C:\openenclaveSDK
+Please note that Nuget_package_Path over here points to the directory where NuGet packackages are installed on your system.
+This is the global-packages folder which usually is  %userprofile%\.nuget\packages. For more information, please look [here](https://docs.microsoft.com/en-us/nuget/consume-packages/managing-the-global-packages-and-cache-folders).
+
+## Create a redistributable SDK package
+
+To create a redistributable NuGet package use the following command from your build subfolder:
+
+```cmd
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=[Nuget_Package_Path]  -DCPACK_GENERATOR=NuGet  -DUSE_LIBSGX=ON
+ninja package
+```
+
+This will result in a NuGet package being created in the build folder.
+
+## Create the host-only report verification package
+
+This is work in progress and is coming soon.
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSamples.md b/docs/GettingStartedDocs/Contributors/WindowsSamples.md
new file mode 100644
index 0000000000..2a5f580d90
--- /dev/null
+++ b/docs/GettingStartedDocs/Contributors/WindowsSamples.md
@@ -0,0 +1,11 @@
+# Installing SDK and using samples
+Assuming you install the SDK as below (also described in the [basic install section](InstallInfo.md#basic-install))
+
+```bash
+cmake -DCMAKE_INSTALL_PREFIX=~/openenclave ..
+make install
+```
+
+Open Enclave samples can be found in ~/openenclave/share/openenclave/samples
+
+See [Open Enclave samples](/samples/README.md) for details.
\ No newline at end of file
diff --git a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
index 877627f1d0..74218f046a 100644
--- a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
+++ b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
@@ -54,6 +54,7 @@ On Windows:
 
 ## Samples
 
+### On Linux
 Assuming you install the SDK as below (also described in the [basic install section](InstallInfo.md#basic-install))
 
 ```bash
@@ -65,6 +66,17 @@ Open Enclave samples can be found in ~/openenclave/share/openenclave/samples
 
 See [Open Enclave samples](/samples/README.md) for details.
 
+### On Windows
+Assuming you install the SDK as below (also described in the [basic install section](WindowsInstallInfo.md#basic-install))
+
+```bash
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH= [NuGet_package_Path]   -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclaveSDK" -DUSE_LIBSGX=ON
+ninja install
+```
+Open Enclave samples can be found in c:\openenclaveSDK\share\openenclave\samples
+
+See [Open Enclave samples](/samples/README.md) for details.
+
 ## Using the Open Enclave SDK
 
 Additional information such as the [API References](/docs/GettingStartedDocs/using_oe_sdk.md#api-references)
diff --git a/docs/GettingStartedDocs/using_oe_sdk.md b/docs/GettingStartedDocs/using_oe_sdk.md
index bdff08ee7c..22503a0a9b 100644
--- a/docs/GettingStartedDocs/using_oe_sdk.md
+++ b/docs/GettingStartedDocs/using_oe_sdk.md
@@ -5,7 +5,9 @@ once you have it installed.
 
 ## Open Enclave SDK Layout
 
-By default, the Open Enclave SDK is installed to `/opt/openenclave`. It contains the following subfolders:
+On Linux, by default, the Open Enclave SDK is installed to `/opt/openenclave`.
+On Windows, by default, the Open Enclave SDK is installed to `%NUGET_PACKAGE_PATH%`.
+It contains the following subfolders:
 
 | Path                         | Description                     |
 |------------------------------|---------------------------------|
@@ -17,12 +19,13 @@ By default, the Open Enclave SDK is installed to `/opt/openenclave`. It contains
 | lib/openenclave/host         | Library for linking into the host process of the enclave. |
 | lib/openenclave/debugger     | Libraries used by the gdb plug-in for debugging enclaves. |
 | share/openenclave/samples    | Sample code showing how to use the Open Enclave SDK. |
-| share/pkgconfig              | Pkg-config files for header and library includes when building Open Enclave apps. |
 
-## Configure environment variables for Open Enclave SDK
+On Linux, the Open Enclave SDK installation also contains the following folder:
+| share/pkgconfig              | Pkg-config files for header and library includes when building Open Enclave apps. |
 
+## Configure environment variables for Open Enclave SDK for Linux
 For ease of development, we recommend adding:
-- Open Enclave SDK `bin` folder to `PATH`, for use of our tools (such as `oegdb` and `oeedger8r`).
+- Open Enclave SDK `bin` folder to `PATH`, for use of our tools (such as `oegdb`, and `oeedger8r`).
 - Open Enclave SDK `install` folder to `CMAKE_PREFIX_PATH`, for use of the [CMake package](/cmake/sdk_cmake_targets_readme.md).
 - Open Enclave SDK `pkgconfig` folder to `PKG_CONFIG_PATH`, for use of `pkg-config`.
 
@@ -32,6 +35,9 @@ You can do this by sourcing the `openenclaverc` file that is distributed with th
 source /opt/openenclave/share/openenclave/openenclaverc
 ```
 
+## Configure environment variables for Open Enclave SDK for Windows
+Radhikaj : TODO
+
 ## Samples
 
 One way to determine if your machine is correctly configured to build and run
diff --git a/samples/CMakeLists.txt b/samples/CMakeLists.txt
index 08340e2edb..c46b3fcb98 100644
--- a/samples/CMakeLists.txt
+++ b/samples/CMakeLists.txt
@@ -12,8 +12,15 @@ endif ()
 install(DIRECTORY helloworld file-encryptor data-sealing switchless
         DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples)
 
-install(FILES README.md
-        DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples)
+if (WIN32)
+install(FILES README_Windows.md
+        DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples
+        RENAME README.md)
+else ()
+install(FILES README_Linux.md
+        DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples
+        RENAME README.md)
+endif ()
 
 if (WIN32)
   add_test(NAME samples
diff --git a/samples/README.md b/samples/README.md
index 0810043fd5..d050ac4a4e 100644
--- a/samples/README.md
+++ b/samples/README.md
@@ -1,21 +1,9 @@
-# Open Enclave SDK Samples
+# Building Open Enclave SDK Samples on Linux
 
 All the samples that come with the Open Enclave SDK installation share similar directory structure and build instructions. The section contains general information on how to setup/build/sign/run all samples. It's important that you read information on this page before jumping into any individual sample.
 
 ## Common Sample information
 
-### Prepare samples
-
-Building samples involves writing files into the working directory, which is not allowed in `/opt` unless it's running in the context of superuser (`sudo`).
-
-To avoid this `sudo` requirement, you may want to first copy them to a user directory of your choice then build and run on those local copy.
-
-For example, assuming Open Enclave SDK is installed to the default location `/opt/openenclave`:
-
-```bash
-cp -r /opt/openenclave/share/openenclave/samples ~/mysamples
-```
-
 ### How Sample source code directories were structured
 
 Open Enclave SDK helps developers build enclave applications. An enclave application is partitioned into an untrusted component (called a host) and a trusted component (called an enclave). An enclave is a secure container whose memory (text and data) is protected from access by outside entities, including the host, privileged users, and even the hardware. All functionality that needs to be run in a Trusted Execution Environment (TEE) should be compiled into the enclave binary. The enclave may run in an untrusted environment with the expectation that secrets will not be compromised. A host is a normal user mode application that loads an enclave into its address space before starting interacting with an enclave. 
@@ -40,6 +28,17 @@ drwxr-xr-x 2 yourusername yourusername 4096 Aug 16 13:59 host
 -rw-r--r-- 1 yourusername yourusername  245 Aug 16 13:57 Makefile
 ```
 
+### Prepare samples
+
+Building samples involves writing files into the working directory, which is not allowed in `/opt` unless it's running in the context of superuser (`sudo`).
+
+To avoid this `sudo` requirement, you may want to first copy them to a user directory of your choice then build and run on those local copy.
+
+For example, assuming Open Enclave SDK is installed to the default location `/opt/openenclave`:
+
+```bash
+cp -r /opt/openenclave/share/openenclave/samples ~/mysamples
+```
 ### How to build and run samples
 
 Each sample comes with two different build systems: one using GNU Make and pkg-config, the other using CMake. They help simplify the sample building process, which involves building and signing
diff --git a/samples/README_Linux.md b/samples/README_Linux.md
new file mode 100644
index 0000000000..d050ac4a4e
--- /dev/null
+++ b/samples/README_Linux.md
@@ -0,0 +1,156 @@
+# Building Open Enclave SDK Samples on Linux
+
+All the samples that come with the Open Enclave SDK installation share similar directory structure and build instructions. The section contains general information on how to setup/build/sign/run all samples. It's important that you read information on this page before jumping into any individual sample.
+
+## Common Sample information
+
+### How Sample source code directories were structured
+
+Open Enclave SDK helps developers build enclave applications. An enclave application is partitioned into an untrusted component (called a host) and a trusted component (called an enclave). An enclave is a secure container whose memory (text and data) is protected from access by outside entities, including the host, privileged users, and even the hardware. All functionality that needs to be run in a Trusted Execution Environment (TEE) should be compiled into the enclave binary. The enclave may run in an untrusted environment with the expectation that secrets will not be compromised. A host is a normal user mode application that loads an enclave into its address space before starting interacting with an enclave. 
+
+![Sample components diagram](sampledirstructure.png)
+
+All the samples that come with the Open Enclave SDK installation are all structured into two subdirectories (one for enclave and one for host) accordingly.
+
+| Files/dir        |  contents                                   |
+|:-----------------|---------------------------------------------|
+| Makefile         | Makefile for the whole samples              |
+| ./enclave        | Files needed for building the sample enclave|
+| ./host           | Files needed for building the host          |
+
+For example:
+
+```bash
+/home/yourusername:~/openenclave/share/openenclave/samples/helloworld$ ls -l
+total 12
+drwxr-xr-x 2 yourusername yourusername 4096 Aug 16 13:59 enclave
+drwxr-xr-x 2 yourusername yourusername 4096 Aug 16 13:59 host
+-rw-r--r-- 1 yourusername yourusername  245 Aug 16 13:57 Makefile
+```
+
+### Prepare samples
+
+Building samples involves writing files into the working directory, which is not allowed in `/opt` unless it's running in the context of superuser (`sudo`).
+
+To avoid this `sudo` requirement, you may want to first copy them to a user directory of your choice then build and run on those local copy.
+
+For example, assuming Open Enclave SDK is installed to the default location `/opt/openenclave`:
+
+```bash
+cp -r /opt/openenclave/share/openenclave/samples ~/mysamples
+```
+### How to build and run samples
+
+Each sample comes with two different build systems: one using GNU Make and pkg-config, the other using CMake. They help simplify the sample building process, which involves building and signing
+binaries.
+
+#### Source the openenclaverc file (Required)
+
+Before building any samples, you need to source the `openenclaverc` file to setup environment variables for sample building. `openenclaverc` file can be found in  the `share/openenclave` subdirectory of the package installation destination.
+
+You can use `.` in Bash to `source`:
+
+```bash
+. <package_installation_destination>/share/openenclave/openenclaverc
+```
+
+For example, if your package_installation_destination is /opt/openenclave:
+
+```bash
+. /opt/openenclave/share/openenclave/openenclaverc
+```
+
+Note: You will get error messages like the following if this sourcing step was skipped.
+
+```sh
+make[2]: Entering directory '.../openenclave/samples/helloworld/enclave`
+Package oeenclave-clang was not found in the pkg-config search path.
+Perhaps you should add the directory containing `oeenclave-clang.pc`
+```
+
+#### Build and Run samples
+
+##### GNU Make
+
+To build a sample using GNU Make, change directory to your target sample directory and run `make build` to build the sample.
+Then execute "make run" to run the sample.
+
+For example:
+
+```bash
+~/openenclave/share/openenclave/samples$ cd helloworld/
+~/openenclave/share/openenclave/samples/helloworld$ make build
+~/openenclave/share/openenclave/samples/helloworld$ make run
+```
+
+##### CMake
+
+To build a sample using CMake, change directory to your target sample directory and execute the following commands:
+
+mkdir build && cd build
+cmake ..
+make
+
+Then execute "make run" to run the sample.
+
+For example:
+
+```bash
+~/openenclave/share/openenclave/samples$ cd helloworld/
+~/openenclave/share/openenclave/samples/helloworld$ mkdir build && cd build
+~/openenclave/share/openenclave/samples/helloworld/build$ cmake ..
+~/openenclave/share/openenclave/samples/helloworld/build$ make
+~/openenclave/share/openenclave/samples/helloworld/build$ make run
+```
+
+##### Note:
+For details on how to configure build and sign options, refer to [Enclave Building and Signing](https://github.com/openenclave/openenclave/blob/master/docs/GettingStartedDocs/buildandsign.md).
+
+## Samples
+
+The following samples demonstrate how to develop enclave applications using OE APIs. It's recommended to go through the following samples in the order listed.
+
+#### [HelloWorld](helloworld/README.md)
+
+- Minimum code needed for an OE app
+- Help understand the basic components an OE application
+- Demonstrate how to build, sign, and run an OE image
+
+#### [File-Encryptor](file-encryptor/README.md)
+
+- Shows how to encrypt and decrypt data inside an enclave
+- Uses AES mbedTLS API to perform encryption and decryption
+
+#### [Data-Sealing](data-sealing/README.md)
+
+- Introduce OE sealing and unsealing features 
+- Demonstrate how to use OE sealing APIs
+- Explore two supported seal polices
+  - OE_SEAL_POLICY_UNIQUE
+  - OE_SEAL_POLICY_PRODUCT
+
+#### [Remote Attestation](remote_attestation/README.md)
+
+- Explain how OE attestation works
+- Demonstrate an implementation of remote attestation between two enclaves running on different machines
+
+#### [Local Attestation](local_attestation/README.md)
+
+- Explain the concept of OE local attestation
+- Demonstrate an implementation of local attestation between two enclaves on the same VM
+
+#### [Attested TLS](attested_tls/README.md)
+
+- Explain what an Attested TLS channel is
+- Demonstrate an implementation for how to establish an Attested TLS channel
+  - between two enclaves
+  - between one non-enclave client and an enclave
+
+#### [Switchless Calls](switchless/README.md)
+
+- Explain the concept of switchless calls
+- Identify cases where switchless calls are appropriate
+- Demonstrate how to mark a function as `transition_using_threads` in EDL
+- Demonstrate how to configure an enclave to enable switchless calls originated within it
+- Recommend the number of host worker threads required for switchless calls in practice
+- Demonstrate how to enable switchless calls in an enclave application
diff --git a/samples/README_Windows.md b/samples/README_Windows.md
new file mode 100644
index 0000000000..70e15d2214
--- /dev/null
+++ b/samples/README_Windows.md
@@ -0,0 +1,146 @@
+# Building Open Enclave SDK Samples on Windows
+
+All the samples that come with the Open Enclave SDK installation share similar directory structure and build instructions. The section contains general information on how to setup/build/sign/run all samples. It's important that you read information on this page before jumping into any individual sample.
+
+## Common Sample information
+
+### How Sample source code directories were structured
+
+Open Enclave SDK helps developers build enclave applications. An enclave application is partitioned into an untrusted component (called a host) and a trusted component (called an enclave). An enclave is a secure container whose memory (text and data) is protected from access by outside entities, including the host, privileged users, and even the hardware. All functionality that needs to be run in a Trusted Execution Environment (TEE) should be compiled into the enclave binary. The enclave may run in an untrusted environment with the expectation that secrets will not be compromised. A host is a normal user mode application that loads an enclave into its address space before starting interacting with an enclave. 
+
+![Sample components diagram](sampledirstructure.png)
+
+All the samples that come with the Open Enclave SDK installation are all structured into two subdirectories (one for enclave and one for host) accordingly.
+
+| Files/dir        |  contents                                   |
+|:-----------------|---------------------------------------------|
+| enclave        | Files needed for building the sample enclave|
+| host           | Files needed for building the host          |
+
+### Prepare samples
+
+Building samples involves writing files into the working directory. You can do this in the directory in which you have installed your samples.
+You can also copy the samples from the location they were installed to another directory.
+
+```cmd
+xcopy  C:\openenclavesdk\share\openenclave\samples c:\mysample
+```
+
+## Install the prerequisites
+
+### Platform requirements
+
+- A system with support for SGX1 or SGX1 with Flexible Launch Control (FLC).
+
+ Note: To check if your system has support for SGX1 with or without FLC, please look [here](https://github.com/openenclave/openenclave/tree/master/docs/GettingStartedDocs/SGXSupportLevel.md).
+ 
+- A version of Windows OS with native support for SGX features:
+   - For server: Windows Server 2016
+   - For client: Windows 10 64-bit version 1709 or newer
+   - To check your Windows version, run `winver` on the command line.
+
+### Software prerequisites
+
+- [Microsoft Visual Studio Build Tools 2019](https://aka.ms/vs/15/release/vs_buildtools.exe)
+- [Clang/LLVM for Windows 64-bit](http://releases.llvm.org/7.0.1/LLVM-7.0.1-win64.exe)
+- [OpenSSL 1.1.1d](https://slproweb.com/download/Win64OpenSSL-1_1_1d.exe)
+
+### Prerequisites specific to SGX support on your system
+
+For systems with support for SGX1  - [Intel's PSW 2.2](https://github.com/openenclave/openenclave/blob/master/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md)
+
+For systems with support for SGX1 + FLC - [Intel's PSW 2.4, Intel's Data Center Attestation Primitives and related dependencies](https://github.com/openenclave/openenclave/blob/master/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md)
+
+## Microsoft Visual Studio Build Tools 2019
+Install [Visual Studio Build Tools 2019](https://aka.ms/vs/16/release/vs_buildtools.exe). Choose the " C++ build tools" workload. Visual Studio Build Tools 2019has support for CMake Version 3.15 (CMake ver 3.12 or above is required for building Open Enclave SDK). For more information about CMake support, look [here](https://blogs.msdn.microsoft.com/vcblog/2016/10/05/cmake-support-in-visual-studio/).
+
+### Clang
+
+Install Clang 7.0.1 and add the LLVM folder (typically C:\Program Files\LLVM\bin)
+to PATH. Open Enclave SDK uses clang to build the enclave binaries.
+
+Open up a command prompt and ensure that clang is added to PATH.
+
+```cmd
+C:\> where clang
+C:\Program Files\LLVM\bin\clang.exe
+C:\> where llvm-ar
+C:\Program Files\LLVM\bin\llvm-ar.exe
+C:\> where ld.lld
+C:\Program Files\LLVM\bin\ld.lld.exe
+```
+
+### OpenSSL
+
+Install OpenSSL and add the bin directory to PATH.
+
+### How to build and run samples
+
+1. Launch the [x64 Native Tools Command Prompt for VS 2017](
+https://docs.microsoft.com/en-us/dotnet/framework/tools/developer-command-prompt-for-vs)
+Normally this is accessible under the `Visual Studio 2017` folder in the Start Menu.
+
+2. Set OpenEnclave_DIR to the cmake directory in the Open Enclave SDK installation. 
+
+As an example, if the Open Enclave SDK is installed to `c:\openenclavesdk`, then you would set OpenEnclaveDIR as shown below
+
+```cmd
+set OpenEnclaveDIR=C:\openenclavesdk\lib\openenclave\cmake
+```
+
+3. To build a sample using CMake, change directory to your target sample directory and execute the following commands:
+
+```cmd
+mkdir build
+cd build
+cmake .. -G Ninja -DNUGET_PACKAGE_PATH=c:\users\radhikaj\openenclave\prereqs\nuget
+ninja
+```
+
+4. To run the sample, use below:
+
+```cmd
+ninja run
+```
+
+## Samples
+
+The following samples demonstrate how to develop enclave applications using OE APIs. It's recommended to go through the following samples in the order listed.
+
+#### [HelloWorld](helloworld/README.md)
+
+- Minimum code needed for an OE app
+- Help understand the basic components an OE application
+- Demonstrate how to build, sign, and run an OE image
+
+#### [File-Encryptor](file-encryptor/README.md)
+
+- Shows how to encrypt and decrypt data inside an enclave
+- Uses AES mbedTLS API to perform encryption and decryption
+
+#### [Data-Sealing](data-sealing/README.md)
+
+- Introduce OE sealing and unsealing features 
+- Demonstrate how to use OE sealing APIs
+- Explore two supported seal polices
+  - OE_SEAL_POLICY_UNIQUE
+  - OE_SEAL_POLICY_PRODUCT
+
+#### [Remote Attestation](remote_attestation/README.md)
+
+- Explain how OE attestation works
+- Demonstrate an implementation of remote attestation between two enclaves running on different machines
+
+#### [Local Attestation](local_attestation/README.md)
+
+- Explain the concept of OE local attestation
+- Demonstrate an implementation of local attestation between two enclaves on the same VM
+
+#### [Switchless Calls](switchless/README.md)
+
+- Explain the concept of switchless calls
+- Identify cases where switchless calls are appropriate
+- Demonstrate how to mark a function as `transition_using_threads` in EDL
+- Demonstrate how to configure an enclave to enable switchless calls originated within it
+- Recommend the number of host worker threads required for switchless calls in practice
+- Demonstrate how to enable switchless calls in an enclave application

From 763c15450ff5a0a837559a5a1da42aa0500b40f1 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Thu, 3 Oct 2019 16:29:05 -0700
Subject: [PATCH 127/420] Fix docs related to samples

---
 .../Contributors/WindowsSamples.md            |   2 +-
 docs/GettingStartedDocs/using_oe_sdk.md       |  10 +-
 samples/README.md                             | 157 +-----------------
 3 files changed, 13 insertions(+), 156 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsSamples.md b/docs/GettingStartedDocs/Contributors/WindowsSamples.md
index 2a5f580d90..a0b520f6cf 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSamples.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSamples.md
@@ -1,5 +1,5 @@
 # Installing SDK and using samples
-Assuming you install the SDK as below (also described in the [basic install section](InstallInfo.md#basic-install))
+Assuming you install the SDK as below (also described in the [basic install section](WindowsInstallInfo.md#basic-install-on-Windows))
 
 ```bash
 cmake -DCMAKE_INSTALL_PREFIX=~/openenclave ..
diff --git a/docs/GettingStartedDocs/using_oe_sdk.md b/docs/GettingStartedDocs/using_oe_sdk.md
index 22503a0a9b..1262d8eee0 100644
--- a/docs/GettingStartedDocs/using_oe_sdk.md
+++ b/docs/GettingStartedDocs/using_oe_sdk.md
@@ -6,7 +6,7 @@ once you have it installed.
 ## Open Enclave SDK Layout
 
 On Linux, by default, the Open Enclave SDK is installed to `/opt/openenclave`.
-On Windows, by default, the Open Enclave SDK is installed to `%NUGET_PACKAGE_PATH%`.
+On Windows, the Open Enclave SDK is installed to the location specified during installation.
 It contains the following subfolders:
 
 | Path                         | Description                     |
@@ -36,7 +36,13 @@ source /opt/openenclave/share/openenclave/openenclaverc
 ```
 
 ## Configure environment variables for Open Enclave SDK for Windows
-Radhikaj : TODO
+- Set `OpenEnclave_DIR` to the point to the cmake directory of the Open Enclave SDK installation
+
+As an example, if you installed the SDK to C:\openenclave, then you would set `OpenEnclave_DIR` as shown below.
+
+```cmd
+set OpenEnclave_DIR=C:\openenclave\lib\cmake
+```
 
 ## Samples
 
diff --git a/samples/README.md b/samples/README.md
index d050ac4a4e..24e010d1b8 100644
--- a/samples/README.md
+++ b/samples/README.md
@@ -1,156 +1,7 @@
-# Building Open Enclave SDK Samples on Linux
+# Building Open Enclave SDK Samples
 
-All the samples that come with the Open Enclave SDK installation share similar directory structure and build instructions. The section contains general information on how to setup/build/sign/run all samples. It's important that you read information on this page before jumping into any individual sample.
+The process to build the SDK samples is different on Windows and Linux.
 
-## Common Sample information
+To build on Linux, please look at the [Linux specific instructions](README_Linux.md).
 
-### How Sample source code directories were structured
-
-Open Enclave SDK helps developers build enclave applications. An enclave application is partitioned into an untrusted component (called a host) and a trusted component (called an enclave). An enclave is a secure container whose memory (text and data) is protected from access by outside entities, including the host, privileged users, and even the hardware. All functionality that needs to be run in a Trusted Execution Environment (TEE) should be compiled into the enclave binary. The enclave may run in an untrusted environment with the expectation that secrets will not be compromised. A host is a normal user mode application that loads an enclave into its address space before starting interacting with an enclave. 
-
-![Sample components diagram](sampledirstructure.png)
-
-All the samples that come with the Open Enclave SDK installation are all structured into two subdirectories (one for enclave and one for host) accordingly.
-
-| Files/dir        |  contents                                   |
-|:-----------------|---------------------------------------------|
-| Makefile         | Makefile for the whole samples              |
-| ./enclave        | Files needed for building the sample enclave|
-| ./host           | Files needed for building the host          |
-
-For example:
-
-```bash
-/home/yourusername:~/openenclave/share/openenclave/samples/helloworld$ ls -l
-total 12
-drwxr-xr-x 2 yourusername yourusername 4096 Aug 16 13:59 enclave
-drwxr-xr-x 2 yourusername yourusername 4096 Aug 16 13:59 host
--rw-r--r-- 1 yourusername yourusername  245 Aug 16 13:57 Makefile
-```
-
-### Prepare samples
-
-Building samples involves writing files into the working directory, which is not allowed in `/opt` unless it's running in the context of superuser (`sudo`).
-
-To avoid this `sudo` requirement, you may want to first copy them to a user directory of your choice then build and run on those local copy.
-
-For example, assuming Open Enclave SDK is installed to the default location `/opt/openenclave`:
-
-```bash
-cp -r /opt/openenclave/share/openenclave/samples ~/mysamples
-```
-### How to build and run samples
-
-Each sample comes with two different build systems: one using GNU Make and pkg-config, the other using CMake. They help simplify the sample building process, which involves building and signing
-binaries.
-
-#### Source the openenclaverc file (Required)
-
-Before building any samples, you need to source the `openenclaverc` file to setup environment variables for sample building. `openenclaverc` file can be found in  the `share/openenclave` subdirectory of the package installation destination.
-
-You can use `.` in Bash to `source`:
-
-```bash
-. <package_installation_destination>/share/openenclave/openenclaverc
-```
-
-For example, if your package_installation_destination is /opt/openenclave:
-
-```bash
-. /opt/openenclave/share/openenclave/openenclaverc
-```
-
-Note: You will get error messages like the following if this sourcing step was skipped.
-
-```sh
-make[2]: Entering directory '.../openenclave/samples/helloworld/enclave`
-Package oeenclave-clang was not found in the pkg-config search path.
-Perhaps you should add the directory containing `oeenclave-clang.pc`
-```
-
-#### Build and Run samples
-
-##### GNU Make
-
-To build a sample using GNU Make, change directory to your target sample directory and run `make build` to build the sample.
-Then execute "make run" to run the sample.
-
-For example:
-
-```bash
-~/openenclave/share/openenclave/samples$ cd helloworld/
-~/openenclave/share/openenclave/samples/helloworld$ make build
-~/openenclave/share/openenclave/samples/helloworld$ make run
-```
-
-##### CMake
-
-To build a sample using CMake, change directory to your target sample directory and execute the following commands:
-
-mkdir build && cd build
-cmake ..
-make
-
-Then execute "make run" to run the sample.
-
-For example:
-
-```bash
-~/openenclave/share/openenclave/samples$ cd helloworld/
-~/openenclave/share/openenclave/samples/helloworld$ mkdir build && cd build
-~/openenclave/share/openenclave/samples/helloworld/build$ cmake ..
-~/openenclave/share/openenclave/samples/helloworld/build$ make
-~/openenclave/share/openenclave/samples/helloworld/build$ make run
-```
-
-##### Note:
-For details on how to configure build and sign options, refer to [Enclave Building and Signing](https://github.com/openenclave/openenclave/blob/master/docs/GettingStartedDocs/buildandsign.md).
-
-## Samples
-
-The following samples demonstrate how to develop enclave applications using OE APIs. It's recommended to go through the following samples in the order listed.
-
-#### [HelloWorld](helloworld/README.md)
-
-- Minimum code needed for an OE app
-- Help understand the basic components an OE application
-- Demonstrate how to build, sign, and run an OE image
-
-#### [File-Encryptor](file-encryptor/README.md)
-
-- Shows how to encrypt and decrypt data inside an enclave
-- Uses AES mbedTLS API to perform encryption and decryption
-
-#### [Data-Sealing](data-sealing/README.md)
-
-- Introduce OE sealing and unsealing features 
-- Demonstrate how to use OE sealing APIs
-- Explore two supported seal polices
-  - OE_SEAL_POLICY_UNIQUE
-  - OE_SEAL_POLICY_PRODUCT
-
-#### [Remote Attestation](remote_attestation/README.md)
-
-- Explain how OE attestation works
-- Demonstrate an implementation of remote attestation between two enclaves running on different machines
-
-#### [Local Attestation](local_attestation/README.md)
-
-- Explain the concept of OE local attestation
-- Demonstrate an implementation of local attestation between two enclaves on the same VM
-
-#### [Attested TLS](attested_tls/README.md)
-
-- Explain what an Attested TLS channel is
-- Demonstrate an implementation for how to establish an Attested TLS channel
-  - between two enclaves
-  - between one non-enclave client and an enclave
-
-#### [Switchless Calls](switchless/README.md)
-
-- Explain the concept of switchless calls
-- Identify cases where switchless calls are appropriate
-- Demonstrate how to mark a function as `transition_using_threads` in EDL
-- Demonstrate how to configure an enclave to enable switchless calls originated within it
-- Recommend the number of host worker threads required for switchless calls in practice
-- Demonstrate how to enable switchless calls in an enclave application
+To build on Windows, please look at the ([Windows specific instructions](README_Windows.md).

From 53e3c131c8b2c9f5b3615b2b3ce97c0ad4004cc4 Mon Sep 17 00:00:00 2001
From: Andy Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Thu, 3 Oct 2019 16:47:48 -0700
Subject: [PATCH 128/420] Fix typo in log

s/llaunch/launch
---
 samples/attested_tls/client/host/host.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/samples/attested_tls/client/host/host.cpp b/samples/attested_tls/client/host/host.cpp
index df99b14882..ee1f07671b 100644
--- a/samples/attested_tls/client/host/host.cpp
+++ b/samples/attested_tls/client/host/host.cpp
@@ -104,7 +104,7 @@ int main(int argc, const char* argv[])
         goto exit;
     }
 
-    printf("Host: llaunch TLS client to initiate TLS connection\n");
+    printf("Host: launch TLS client to initiate TLS connection\n");
     ret = launch_tls_client(enclave, &ret, server_name, server_port);
     if (ret != 0)
     {

From 5a5c0cabf898b1e810bb814569925f0ff458c454 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Thu, 3 Oct 2019 16:48:40 -0700
Subject: [PATCH 129/420] Split using_oe_sdk to Windows and Linux

---
 .../Contributors/building_oe_sdk.md           |  8 +--
 .../GettingStartedDocs/Windowsusing_oe_sdk.md | 67 +++++++++++++++++++
 docs/GettingStartedDocs/using_oe_sdk.md       | 13 +---
 samples/README_Windows.md                     |  4 +-
 4 files changed, 75 insertions(+), 17 deletions(-)
 create mode 100644 docs/GettingStartedDocs/Windowsusing_oe_sdk.md

diff --git a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
index 74218f046a..ca786956e9 100644
--- a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
+++ b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
@@ -55,7 +55,7 @@ On Windows:
 ## Samples
 
 ### On Linux
-Assuming you install the SDK as below (also described in the [basic install section](InstallInfo.md#basic-install))
+Assuming you install the SDK as below (also described in the [basic install section](InstallInfo.md#basic-install-on-linux))
 
 ```bash
 cmake -DCMAKE_INSTALL_PREFIX=~/openenclave ..
@@ -67,13 +67,13 @@ Open Enclave samples can be found in ~/openenclave/share/openenclave/samples
 See [Open Enclave samples](/samples/README.md) for details.
 
 ### On Windows
-Assuming you install the SDK as below (also described in the [basic install section](WindowsInstallInfo.md#basic-install))
+Assuming you install the SDK as below (also described in the [basic install section](WindowsInstallInfo.md#basic-install-on-windows))
 
 ```bash
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH= [NuGet_package_Path]   -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclaveSDK" -DUSE_LIBSGX=ON
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH= [NuGet_package_Path]   -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave" -DUSE_LIBSGX=ON
 ninja install
 ```
-Open Enclave samples can be found in c:\openenclaveSDK\share\openenclave\samples
+Open Enclave samples can be found in c:\openenclave\share\openenclave\samples
 
 See [Open Enclave samples](/samples/README.md) for details.
 
diff --git a/docs/GettingStartedDocs/Windowsusing_oe_sdk.md b/docs/GettingStartedDocs/Windowsusing_oe_sdk.md
new file mode 100644
index 0000000000..a7ebc4ac35
--- /dev/null
+++ b/docs/GettingStartedDocs/Windowsusing_oe_sdk.md
@@ -0,0 +1,67 @@
+# Using the Open Enclave SDK on Windows
+
+This document provides a brief overview of how to start exploring the Open Enclave SDK
+once you have it installed.
+
+## Open Enclave SDK Layout
+
+On Windows, if you installed the SDK using the NuGet package, it is by default installed to `%userprofile%\.nuget\packages`.
+If you built the SDK from source and installed it, the SDK is installed to the location specified by CMAKE_INSTALL_PREFIX as described [here](Contributors/WindowsInstallInfo.md#basic-install-on-windows)
+
+It contains the following subfolders:
+
+| Path                         | Description                     |
+|------------------------------|---------------------------------|
+| bin                          | Developer tools such as oedebugrt.dll for debugging and oesign for signing your enclaves. |
+| include\openenclave          | Open Enclave runtime headers for use in your enclave (enclave.h) and its host (host.h). |
+| include\openenclave\3rdparty | Headers for libc, libcxx and mbedlts libraries for use inside the enclave.<br>See the API Reference section for supported functions. |
+| lib\openenclave/cmake        | Open Enclave SDK CMake Package for integration with your CMake projects. See [README.md](/cmake/sdk_cmake_targets_readme.md) for more details. |
+| lib\openenclave\enclave      | Libraries for linking into the enclave, including the libc, libcxx and mbedtls libraries for Open Enclave. |
+| lib\openenclave\host         | Library for linking into the host process of the enclave. |
+| lib\openenclave\debugger     | Libraries used by the gdb plug-in for debugging enclaves. |
+| share\openenclave\samples    | Sample code showing how to use the Open Enclave SDK. |
+
+## Configure environment variables for Open Enclave SDK for Windows
+
+- Set `OpenEnclave_DIR` to the point to the cmake directory of the Open Enclave SDK installation
+
+As an example, if you installed the SDK to C:\openenclave, then you would set `OpenEnclave_DIR` as shown below.
+
+```cmd
+set OpenEnclave_DIR=C:\openenclave\lib\cmake
+```
+
+## Samples
+
+One way to determine if your machine is correctly configured to build and run
+Open Enclave apps is to execute the samples. A description of all the included samples,
+what each one illustrates, and how to build and run them  can be found in
+[share/openenclave/samples/README.md](/samples/README_Windows.md).
+
+Additional documentation is also available for:
+- [Building and signing enclaves](/docs/GettingStartedDocs/buildandsign.md)
+- [Debugging enclave memory](/docs/GettingStartedDocs/Debugging.md)
+
+## API references
+
+One of the security principles of writing enclave applications is to minimize the
+Trusted Computing Base (TCB) of the enclave code. A consequence of this is that
+while the host application has full access to the range of libraries and API
+available to all normal mode applications, the enclave is restricted to a much
+more constrained set as described below:
+
+#### [Open Enclave API](https://openenclave.github.io/openenclave/api/index.html)
+
+The Doxygen documentation of the API exposed by Open Enclave SDK to both enclave and host.
+
+#### [Libc support](/docs/LibcSupport.md)
+
+The subset of libc functionality provided by oelibc for use inside an enclave.
+
+#### [Libcxx support](/docs/LibcxxSupport.md)
+
+The subset of libcxx functionality provided by oelibcxx for use inside an enclave.
+
+#### [mbedtls library](/docs/MbedtlsSupport.md)
+
+The subset of [mbedtls](https://tls.mbed.org/) functionality for use inside an enclave.
diff --git a/docs/GettingStartedDocs/using_oe_sdk.md b/docs/GettingStartedDocs/using_oe_sdk.md
index 1262d8eee0..a7f5519354 100644
--- a/docs/GettingStartedDocs/using_oe_sdk.md
+++ b/docs/GettingStartedDocs/using_oe_sdk.md
@@ -6,7 +6,7 @@ once you have it installed.
 ## Open Enclave SDK Layout
 
 On Linux, by default, the Open Enclave SDK is installed to `/opt/openenclave`.
-On Windows, the Open Enclave SDK is installed to the location specified during installation.
+
 It contains the following subfolders:
 
 | Path                         | Description                     |
@@ -35,21 +35,12 @@ You can do this by sourcing the `openenclaverc` file that is distributed with th
 source /opt/openenclave/share/openenclave/openenclaverc
 ```
 
-## Configure environment variables for Open Enclave SDK for Windows
-- Set `OpenEnclave_DIR` to the point to the cmake directory of the Open Enclave SDK installation
-
-As an example, if you installed the SDK to C:\openenclave, then you would set `OpenEnclave_DIR` as shown below.
-
-```cmd
-set OpenEnclave_DIR=C:\openenclave\lib\cmake
-```
-
 ## Samples
 
 One way to determine if your machine is correctly configured to build and run
 Open Enclave apps is to execute the samples. A description of all the included samples,
 what each one illustrates, and how to build and run them  can be found in
-[share/openenclave/samples/README.md](/samples/README.md).
+[share/openenclave/samples/README.md](/samples/README_Linux.md).
 
 Additional documentation is also available for:
 - [Building and signing enclaves](/docs/GettingStartedDocs/buildandsign.md)
diff --git a/samples/README_Windows.md b/samples/README_Windows.md
index 70e15d2214..c0c570e4ad 100644
--- a/samples/README_Windows.md
+++ b/samples/README_Windows.md
@@ -23,7 +23,7 @@ Building samples involves writing files into the working directory. You can do t
 You can also copy the samples from the location they were installed to another directory.
 
 ```cmd
-xcopy  C:\openenclavesdk\share\openenclave\samples c:\mysample
+xcopy  C:\openenclave\share\openenclave\samples C:\mysample
 ```
 
 ## Install the prerequisites
@@ -82,7 +82,7 @@ Normally this is accessible under the `Visual Studio 2017` folder in the Start M
 
 2. Set OpenEnclave_DIR to the cmake directory in the Open Enclave SDK installation. 
 
-As an example, if the Open Enclave SDK is installed to `c:\openenclavesdk`, then you would set OpenEnclaveDIR as shown below
+As an example, if the Open Enclave SDK is installed to `C:\openenclavesdk`, then you would set OpenEnclaveDIR as shown below
 
 ```cmd
 set OpenEnclaveDIR=C:\openenclavesdk\lib\openenclave\cmake

From 5ab048e234c6244997239ae25386be2d356ffee7 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Thu, 3 Oct 2019 20:26:27 -0700
Subject: [PATCH 130/420] Fix NUGET_PACKAGE_PATH

---
 samples/README_Windows.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/samples/README_Windows.md b/samples/README_Windows.md
index c0c570e4ad..58c83af15f 100644
--- a/samples/README_Windows.md
+++ b/samples/README_Windows.md
@@ -82,10 +82,10 @@ Normally this is accessible under the `Visual Studio 2017` folder in the Start M
 
 2. Set OpenEnclave_DIR to the cmake directory in the Open Enclave SDK installation. 
 
-As an example, if the Open Enclave SDK is installed to `C:\openenclavesdk`, then you would set OpenEnclaveDIR as shown below
+As an example, if the Open Enclave SDK is installed to `C:\openenclave`, then you would set OpenEnclaveDIR as shown below
 
 ```cmd
-set OpenEnclaveDIR=C:\openenclavesdk\lib\openenclave\cmake
+set OpenEnclaveDIR=C:\openenclave\lib\openenclave\cmake
 ```
 
 3. To build a sample using CMake, change directory to your target sample directory and execute the following commands:
@@ -93,7 +93,7 @@ set OpenEnclaveDIR=C:\openenclavesdk\lib\openenclave\cmake
 ```cmd
 mkdir build
 cd build
-cmake .. -G Ninja -DNUGET_PACKAGE_PATH=c:\users\radhikaj\openenclave\prereqs\nuget
+cmake .. -G Ninja -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages
 ninja
 ```
 

From 5fa58472eab506983deaf5cdd3a03fdd95ed22f8 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Thu, 3 Oct 2019 20:29:34 -0700
Subject: [PATCH 131/420] Clean up unnecessary files

---
 .../GettingStartedDocs/Contributors/WindowsSamples.md | 11 -----------
 samples/README.md                                     |  7 -------
 2 files changed, 18 deletions(-)
 delete mode 100644 docs/GettingStartedDocs/Contributors/WindowsSamples.md
 delete mode 100644 samples/README.md

diff --git a/docs/GettingStartedDocs/Contributors/WindowsSamples.md b/docs/GettingStartedDocs/Contributors/WindowsSamples.md
deleted file mode 100644
index a0b520f6cf..0000000000
--- a/docs/GettingStartedDocs/Contributors/WindowsSamples.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Installing SDK and using samples
-Assuming you install the SDK as below (also described in the [basic install section](WindowsInstallInfo.md#basic-install-on-Windows))
-
-```bash
-cmake -DCMAKE_INSTALL_PREFIX=~/openenclave ..
-make install
-```
-
-Open Enclave samples can be found in ~/openenclave/share/openenclave/samples
-
-See [Open Enclave samples](/samples/README.md) for details.
\ No newline at end of file
diff --git a/samples/README.md b/samples/README.md
deleted file mode 100644
index 24e010d1b8..0000000000
--- a/samples/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# Building Open Enclave SDK Samples
-
-The process to build the SDK samples is different on Windows and Linux.
-
-To build on Linux, please look at the [Linux specific instructions](README_Linux.md).
-
-To build on Windows, please look at the ([Windows specific instructions](README_Windows.md).

From cedf3893ef207c3dc45efff4e3e84f4f53498526 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Thu, 3 Oct 2019 20:31:42 -0700
Subject: [PATCH 132/420] Using the SDK fixes

---
 docs/GettingStartedDocs/using_oe_sdk.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/GettingStartedDocs/using_oe_sdk.md b/docs/GettingStartedDocs/using_oe_sdk.md
index a7f5519354..db305f1288 100644
--- a/docs/GettingStartedDocs/using_oe_sdk.md
+++ b/docs/GettingStartedDocs/using_oe_sdk.md
@@ -1,4 +1,4 @@
-# Using the Open Enclave SDK
+# Using the Open Enclave SDK on Linux
 
 This document provides a brief overview of how to start exploring the Open Enclave SDK
 once you have it installed.

From a0af94a44b0a8db1a0448f19c28e563a090202ef Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Thu, 3 Oct 2019 20:35:27 -0700
Subject: [PATCH 133/420] Fix docs

---
 docs/GettingStartedDocs/Contributors/InstallInfo.md        | 2 +-
 docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md | 4 ++--
 docs/GettingStartedDocs/Contributors/building_oe_sdk.md    | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/InstallInfo.md b/docs/GettingStartedDocs/Contributors/InstallInfo.md
index e2910e77c5..da075c2372 100644
--- a/docs/GettingStartedDocs/Contributors/InstallInfo.md
+++ b/docs/GettingStartedDocs/Contributors/InstallInfo.md
@@ -16,7 +16,7 @@ cmake -G Ninja  -DCMAKE_INSTALL_PREFIX=~/openenclave-install ..
 ninja
 ```
 
-This would install the [resulting SDK layout](/docs/GettingStartedDocs/using_oe_sdk.md#open-enclave-sdk-layout)
+This would install the [resulting SDK layout](/docs/GettingStartedDocs/Windowsusing_oe_sdk.md#open-enclave-sdk-layout)
 under `~/openenclave-install` instead of the default `/opt/openenclave`.
 
 Optional Advanced Install
diff --git a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
index 3d7918f16f..94169a734a 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
@@ -6,11 +6,11 @@ the install-prefix to the cmake call before calling "ninja install".
 From the build subfolder in your source tree:
 
 ```cmd
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH= [NuGet_package_Path]   -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclaveSDK" -DUSE_LIBSGX=ON
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH= [NuGet_package_Path]   -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave" -DUSE_LIBSGX=ON
 ninja install
 ```
 
-This will install the [resulting SDK layout](/docs/GettingStartedDocs/using_oe_sdk.md#open-enclave-sdk-layout) to C:\openenclaveSDK
+This will install the [resulting SDK layout](/docs/GettingStartedDocs/Windowsusing_oe_sdk.md#open-enclave-sdk-layout) to C:\openenclave
 Please note that Nuget_package_Path over here points to the directory where NuGet packackages are installed on your system.
 This is the global-packages folder which usually is  %userprofile%\.nuget\packages. For more information, please look [here](https://docs.microsoft.com/en-us/nuget/consume-packages/managing-the-global-packages-and-cache-folders).
 
diff --git a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
index ca786956e9..8714700b9c 100644
--- a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
+++ b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
@@ -64,7 +64,7 @@ make install
 
 Open Enclave samples can be found in ~/openenclave/share/openenclave/samples
 
-See [Open Enclave samples](/samples/README.md) for details.
+See [Open Enclave samples](/samples/README_Linux.md) for details.
 
 ### On Windows
 Assuming you install the SDK as below (also described in the [basic install section](WindowsInstallInfo.md#basic-install-on-windows))
@@ -75,7 +75,7 @@ ninja install
 ```
 Open Enclave samples can be found in c:\openenclave\share\openenclave\samples
 
-See [Open Enclave samples](/samples/README.md) for details.
+See [Open Enclave samples](/samples/README_Windows.md) for details.
 
 ## Using the Open Enclave SDK
 

From 9479dcccdcd5bb03ab6578b8ecb1d9cee41db724 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Thu, 3 Oct 2019 21:10:00 -0700
Subject: [PATCH 134/420] Get consistency across documents

---
 .../Contributors/InstallInfo.md               |  2 +-
 .../WindowsSGX1FLCGettingStarted.md           |  8 ++--
 .../Contributors/WindowsSGX1GettingStarted.md | 38 ++++++++-------
 samples/README_Windows.md                     | 48 -------------------
 4 files changed, 26 insertions(+), 70 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/InstallInfo.md b/docs/GettingStartedDocs/Contributors/InstallInfo.md
index da075c2372..e2910e77c5 100644
--- a/docs/GettingStartedDocs/Contributors/InstallInfo.md
+++ b/docs/GettingStartedDocs/Contributors/InstallInfo.md
@@ -16,7 +16,7 @@ cmake -G Ninja  -DCMAKE_INSTALL_PREFIX=~/openenclave-install ..
 ninja
 ```
 
-This would install the [resulting SDK layout](/docs/GettingStartedDocs/Windowsusing_oe_sdk.md#open-enclave-sdk-layout)
+This would install the [resulting SDK layout](/docs/GettingStartedDocs/using_oe_sdk.md#open-enclave-sdk-layout)
 under `~/openenclave-install` instead of the default `/opt/openenclave`.
 
 Optional Advanced Install
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index 1cce15df1d..9da98390ee 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -70,16 +70,18 @@ To build debug enclaves:
 cd C:\openenclave
 mkdir build\x64-Debug
 cd build\x64-Debug
-cmake -G Ninja -DBUILD_ENCLAVES=1 -DUSE_LIBSGX=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages ../..
+cmake -G  Ninja -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:/openenclave -DUSE_LIBSGX=ON ../..
 ninja
 ```
 
+Later, using the `ninja install` command will install the SDK in C:\openenclave. To choose a different location, change the value specified for CMAKE_INSTALL_PATH
+
 Similarly, to build release enclaves:
 ```cmd
 cd C:\openenclave
 mkdir build\x64-Release
 cd build\x64-Release
-cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_ENCLAVES=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages ../..
+cmake -G  Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:/openenclave -DUSE_LIBSGX=ON ../..
 ninja
 ```
 
@@ -121,7 +123,7 @@ cd build\x64-Debug
 ninja install
 ```
 
-This installs the SDK in c:\opt\openenclave.
+This installs the SDK in `C:\openenclave`.
 
 ## Known Issues
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
index 5ec8fd0f31..7bb3a3918f 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -55,23 +55,25 @@ Normally this is accessible under the `Visual Studio 2017` folder in the Start M
 
 2. At the x64 Native Tools command prompt, use CMake and ninja to build the debug version:
 
-   ```cmd
-   cd C:\openenclave
-   mkdir build\x64-Debug
-   cd build\x64-Debug
-   cmake -G Ninja -DBUILD_ENCLAVES=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages ../..
-   ninja
-   ```
-
-   Similarly, build the release version with:
-
-    ```cmd
-   cd C:\openenclave
-   mkdir build\x64-Release
-   cd build\x64-Release
-   cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_ENCLAVES=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages ../..
-   ninja
-   ```
+```
+cd C:\openenclave
+mkdir build\x64-Debug
+cd build\x64-Debug
+cmake -G  Ninja -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:/openenclave ../..
+ninja
+```
+
+Later, using the `ninja install` command will install the SDK in C:\openenclave. To choose a different location, change the value specified for CMAKE_INSTALL_PATH
+
+Similarly, to build release enclaves:
+
+```cmd
+cd C:\openenclave
+mkdir build\x64-Release
+cd build\x64-Release
+cmake -G  Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:/openenclave ../..
+ninja
+```
 
 ## Run unit tests
 
@@ -111,7 +113,7 @@ cd build\x64-Debug
 ninja install
 ```
 
-This installs the SDK in c:\opt\openenclave.
+This installs the SDK in `C:\openenclave`.
 
 ## Known Issues
 
diff --git a/samples/README_Windows.md b/samples/README_Windows.md
index 58c83af15f..8695eebb95 100644
--- a/samples/README_Windows.md
+++ b/samples/README_Windows.md
@@ -26,54 +26,6 @@ You can also copy the samples from the location they were installed to another d
 xcopy  C:\openenclave\share\openenclave\samples C:\mysample
 ```
 
-## Install the prerequisites
-
-### Platform requirements
-
-- A system with support for SGX1 or SGX1 with Flexible Launch Control (FLC).
-
- Note: To check if your system has support for SGX1 with or without FLC, please look [here](https://github.com/openenclave/openenclave/tree/master/docs/GettingStartedDocs/SGXSupportLevel.md).
- 
-- A version of Windows OS with native support for SGX features:
-   - For server: Windows Server 2016
-   - For client: Windows 10 64-bit version 1709 or newer
-   - To check your Windows version, run `winver` on the command line.
-
-### Software prerequisites
-
-- [Microsoft Visual Studio Build Tools 2019](https://aka.ms/vs/15/release/vs_buildtools.exe)
-- [Clang/LLVM for Windows 64-bit](http://releases.llvm.org/7.0.1/LLVM-7.0.1-win64.exe)
-- [OpenSSL 1.1.1d](https://slproweb.com/download/Win64OpenSSL-1_1_1d.exe)
-
-### Prerequisites specific to SGX support on your system
-
-For systems with support for SGX1  - [Intel's PSW 2.2](https://github.com/openenclave/openenclave/blob/master/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md)
-
-For systems with support for SGX1 + FLC - [Intel's PSW 2.4, Intel's Data Center Attestation Primitives and related dependencies](https://github.com/openenclave/openenclave/blob/master/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md)
-
-## Microsoft Visual Studio Build Tools 2019
-Install [Visual Studio Build Tools 2019](https://aka.ms/vs/16/release/vs_buildtools.exe). Choose the " C++ build tools" workload. Visual Studio Build Tools 2019has support for CMake Version 3.15 (CMake ver 3.12 or above is required for building Open Enclave SDK). For more information about CMake support, look [here](https://blogs.msdn.microsoft.com/vcblog/2016/10/05/cmake-support-in-visual-studio/).
-
-### Clang
-
-Install Clang 7.0.1 and add the LLVM folder (typically C:\Program Files\LLVM\bin)
-to PATH. Open Enclave SDK uses clang to build the enclave binaries.
-
-Open up a command prompt and ensure that clang is added to PATH.
-
-```cmd
-C:\> where clang
-C:\Program Files\LLVM\bin\clang.exe
-C:\> where llvm-ar
-C:\Program Files\LLVM\bin\llvm-ar.exe
-C:\> where ld.lld
-C:\Program Files\LLVM\bin\ld.lld.exe
-```
-
-### OpenSSL
-
-Install OpenSSL and add the bin directory to PATH.
-
 ### How to build and run samples
 
 1. Launch the [x64 Native Tools Command Prompt for VS 2017](

From a07f277527c773639da5037449edc2142e2f9552 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Thu, 3 Oct 2019 21:20:10 -0700
Subject: [PATCH 135/420] Fix NUGET_PACKAGE_PATH

---
 .../Contributors/WindowsInstallInfo.md        |   4 +-
 .../WindowsSGX1FLCGettingStarted.md           |   2 +-
 .../GettingStarted.Windows.md                 | 322 ------------------
 samples/README_Windows.md                     |   2 +-
 4 files changed, 4 insertions(+), 326 deletions(-)
 delete mode 100644 docs/GettingStartedDocs/GettingStarted.Windows.md

diff --git a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
index 94169a734a..da02a7d77d 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
@@ -6,7 +6,7 @@ the install-prefix to the cmake call before calling "ninja install".
 From the build subfolder in your source tree:
 
 ```cmd
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH= [NuGet_package_Path]   -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave" -DUSE_LIBSGX=ON
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave" -DUSE_LIBSGX=ON
 ninja install
 ```
 
@@ -19,7 +19,7 @@ This is the global-packages folder which usually is  %userprofile%\.nuget\packag
 To create a redistributable NuGet package use the following command from your build subfolder:
 
 ```cmd
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=[Nuget_Package_Path]  -DCPACK_GENERATOR=NuGet  -DUSE_LIBSGX=ON
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages-DCPACK_GENERATOR=NuGet -DUSE_LIBSGX=ON
 ninja package
 ```
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index 9da98390ee..77b0973d41 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -81,7 +81,7 @@ Similarly, to build release enclaves:
 cd C:\openenclave
 mkdir build\x64-Release
 cd build\x64-Release
-cmake -G  Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:/openenclave -DUSE_LIBSGX=ON ../..
+cmake -G  Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:/openenclave -DUSE_LIBSGX=ON ..\..
 ninja
 ```
 
diff --git a/docs/GettingStartedDocs/GettingStarted.Windows.md b/docs/GettingStartedDocs/GettingStarted.Windows.md
deleted file mode 100644
index e1b5fe5dd5..0000000000
--- a/docs/GettingStartedDocs/GettingStarted.Windows.md
+++ /dev/null
@@ -1,322 +0,0 @@
-Getting Started on Windows [Work in progress]
-=========================================
-
-Introduction
-------------
-
-This document is a work in progress. It describes how to use experimental
-support in the Open Enclave SDK to build Windows host applications that can
-load ELF enclaves built using clang.
-
-Please refer to the following [documentation](/docs/GettingStartedDocs/SGXSupportLevel.md) to determine the SGX support level for your target system. The instructions below work for systems with SGX1+FLC support. Instructions for systems with SGX1 but no FLC support are coming soon. 
-
-'Simulator' mode is not available in Windows.
-
-Prerequisites
--------------
-
-The following are prerequisites for building and running Open Enclave on
-Windows.
-
-- Intel® X86-64bit architecture with SGX1 or SGX2
-- A version of Windows OS with native support for SGX features:
-   - For server: Windows Server 2016 (or newer)
-   - For client: Windows 10 64-bit with Fall Creators Update (1709) or newer
-- [Intel® SGX Platform Software for Windows (PSW)](
-  https://software.intel.com/sites/default/files/managed/0f/c8/Intel-SGX-PSW-Release-Notes-for-Windows-OS.pdf)
-- [Microsoft Visual Studio 2017](https://visualstudio.microsoft.com/vs/older-downloads/)
-- [Git for Windows 64-bit](https://git-scm.com/download/win)
-- [OCaml for Windows 64-bit](https://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/20160113/)
-- [Clang/LLVM for Windows 64-bit](http://releases.llvm.org/7.0.1/LLVM-7.0.1-win64.exe)
-- [Python 3](https://www.python.org/downloads/windows/)
-
-To deploy all the prerequisities for building Open Enclave, you can run the ```scripts/install-windows-prereqs.ps1```
-
-```powershell
-cd scripts
-.\install-windows-prereqs.ps1 -InstallPath YOUR_WORKSPACE_PATH_HERE -LaunchConfiguration SGX1FLC -DCAPClientType Azure
-```
-
-To deploy each prerequisite individually, refer to the sections below.
-
-Intel® SGX Platform Software for Windows (PSW)
----------------------------------
-
-The PSW should be installed automatically on Windows 10 with the Fall Creators
-Update installed, or on a Windows Server 2016 image for an Azure Confidential
-Compute VM. You can verify that is the case on the command line as follows:
-
-```cmd
-sc query aesmservice
-```
-
-The state of the service should be "running" (4). Follow Intel's documentation for troubleshooting.
-
-Note that Open Enclave is only compatible with the Intel PSW 2.2.
-To use Intel PSW 2.3 and higher, please refer _Building with Intel Data Center Attestation
-Primitives (DCAP) libraries_ below.
-
-Microsoft Visual Studio 2017
----------------------------------
-Install [Microsoft Visual Studio 2017](https://visualstudio.microsoft.com/vs/older-downloads/).
-Visual Studio 2017's CMake support (ver 3.12 or above) is required for building the Open Enclave SDK.
-Note cmake in Visual Studio 2019 is not fully supported yet.
-For more information about cmake support, refer to
-https://blogs.msdn.microsoft.com/vcblog/2016/10/05/cmake-support-in-visual-studio/
-
-Git for Windows 64-bit
----------------------------------
-Install Git and add Git's bash to the path.
-Typically, Git's bash is located in C:\Program Files\Git\bin.
-Currently the Open Enclave SDK build system uses bash scripts to configure
-and build Linux-based 3rd-party libraries.
-
-Open a command prompt and ensure that bash is available in the path:
-```cmd
-C:\>where bash
-C:\Program Files\Git\bin\bash.exe
-```
-
-Tools available in the Git bash environment are also used for test and sample
-builds. For example, OpenSSL is used to generate test certificates, so it is
-also useful to have the `Git\mingw64\bin` folder pathed. This can be checked
-from the command prompt as well:
-
-```cmd
-C:\>where openssl
-C:\Program Files\Git\mingw64\bin\openssl.exe
-```
-
-Clang
----------------------------------
-Install Clang 7.0.1 and add the LLVM folder (typically C:\Program Files\LLVM\bin)
-to the path. Open Enclave SDK uses clang to build the enclave binaries.
-
-Open up a command prompt and ensure that clang is available in the path:
-```cmd
-C:\> where clang
-C:\Program Files\LLVM\bin\clang.exe
-C:\> where llvm-ar
-C:\Program Files\LLVM\bin\llvm-ar.exe
-C:\> where ld.lld
-C:\Program Files\LLVM\bin\ld.lld.exe
-```
-
-OCaml
----------------------------------
-Install [OCaml for Windows (64-bit)](https://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/20160113/).
-Please download and install the mingw64 exe for OCaml, for example, https://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/20160113/ocpwin64-20160113-4.02.1+ocp1-mingw64.exe.
-
-[Alternate OCaml Web-site](https://fdopen.github.io/opam-repository-mingw/installation/)
-
-OCaml is used to build the oeedger8r tool as part of the OE SDK.
-
-Open up a command prompt and ensure that ocaml is available in the path:
-```cmd
-C:\> where ocaml
-C:\Program Files\ocpwin64\4.02.1+ocp1-msvc64-20160113\bin\ocaml.exe
-```
-
-Python 3
----------------------------------
-Install [Python 3 for Windows](https://www.python.org/downloads/windows/) and ensure that python.exe is available in your PATH.
-
-Python 3 is used as part of the mbedtls tests.
-
-Obtaining the source distribution
----------------------------------
-
-Open Enclave is available from GitHub.
-
-### In Visual Studio 2017:
-1. Under Team > Manage Connections... > Local Git Repositories, select the Clone
-   dropdown
-2. Set the URL to clone as: https://github.com/openenclave/openenclave.
-3. Set the local path you want to clone the repo to (e.g. C:/openenclave).
-4. Click the Clone button.
-
-### In Git shell:
-```
-git clone https://github.com/openenclave/openenclave
-```
-
-This creates a source tree under the directory called openenclave.
-
-Building
---------
-
-### Building on Windows using Visual Studio 2017
-[Visual Studio 2017 has integrated support for loading CMake projects](
-https://blogs.msdn.microsoft.com/vcblog/2016/10/05/cmake-support-in-visual-studio/):
-
-1. Under the File menu, select Open > CMake...
-2. Open the CMakeLists.txt at the root of your Open Enclave repo
-   (e.g. C:\openenclave\CMakeLists.txt)
-3. The CMake menu option should appear when it detects that a valid CMake project
-   is loaded. VS2017 will then recursively walk the repo directory structure and
-   generate a cache for the project to display Intellisense. This may take several minutes the first time.
-4. Open Enclave is only supported for 64-bit. By default the `x64-Debug` configuration is 
-   selected.
-5. Once cache generation is complete, you can build the project via the CMake >
-   Build All menu option.
-
-The results of the build will be displayed in the Output window and any build
-errors or warnings collated in the Error List window.
-
-You can change the build settings with the CMake > Change CMake Settings menu
-option. This opens the [CMakeSettings.json](https://blogs.msdn.microsoft.com/vcblog/2017/08/14/cmake-support-in-visual-studio-customizing-your-environment/)
-file which you can edit and change settings such as the target build location.
-
-By default, Open Enclave SDK will be built in the following location:
-```
-${workspaceRoot}\build\<configuration-name>
-```
-For example:
-```
-C:\openenclave\build\x64-Debug
-```
-### Building on Windows using Developer Command Prompt
-
-1. Launch the [x64 Native Tools Command Prompt for VS 2017](
-https://docs.microsoft.com/en-us/dotnet/framework/tools/developer-command-prompt-for-vs)
-Normally this is accessible under the `Visual Studio 2017` folder in the Start Menu.
-
-2. At the x64 Native Tools command prompt, use cmake and ninja to build the debug version:
-
-   ```cmd
-   cd C:\openenclave
-   mkdir build\x64-Debug
-   cd build\x64-Debug
-   cmake -G Ninja -DBUILD_ENCLAVES=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_and_dcap_nuget_packages ../..
-   ninja
-   ```
-
-   Similarly, build the release version with:
-    ```cmd
-   cd C:\openenclave
-   mkdir build\x64-Release
-   cd build\x64-Release
-   cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_ENCLAVES=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_and_dcap_nuget_packages ../..
-   ninja
-   ```
-
-### Building with Intel Data Center Attestation Primitives (DCAP) [Experimental]
-
-#### Installing additional dependencies for DCAP
-To use the Intel DCAP libraries for upcoming support for SGX attestation on Windows Server 2016,
-you will need to install the following dependencies:
-
-##### [Intel Platform Software for Windows (PSW) v2.4](http://registrationcenter-download.intel.com/akdlm/irc_nas/15654/Intel%20SGX%20PSW%20for%20Windows%20v2.4.100.51291.exe)
-
-After unpacking the self-extracting ZIP executable, install the *PSW_EXE_RS2_and_before* version for Windows Server 2016:
-```cmd
-C:\Intel SGX PSW for Windows v2.3.100.49777\PSW_EXE_RS2_and_before\Intel(R)_SGX_Windows_x64_PSW_2.3.100.49777.exe
-```
-
-##### [Azure DCAP client for Windows](https://github.com/Microsoft/Azure-DCAP-Client/tree/master/src/Windows) [optional]
-
-The Azure DCAP client for Windows is necessary if you would like to perform enclave attestation on a Azure Confidential Computing VM.
-It is available from [nuget.org](https://www.nuget.org/packages/Azure.DCAP.Windows/) and can be installed directly via:
-
-```cmd
-nuget.exe install Azure.DCAP.Windows -ExcludeVersion -Version 0.0.3 -OutputDirectory C:\openenclave\prereqs\nuget
-```
-
-##### [Intel Data Center Attestation Primitives (DCAP) Libraries v1.2](http://registrationcenter-download.intel.com/akdlm/irc_nas/15650/Intel%20SGX%20DCAP%20for%20Windows%20v1.2.100.49925.exe)
-After unpacking the self-extracting ZIP executable, you can refer to the *Intel SGX DCAP Windows SW Installation Guide.pdf*
-for more details on how to install the contents of the package.
-
-The following summary will assume that the contents were extracted to `C:\Intel SGX DCAP for Windows v1.2.100.49925`:
-
-1. Unzip the required drivers from the extracted subfolders:
-    - `LC_driver_WinServer2016\Signed_1152921504628095185.zip`
-    - `DCAP_INF\WinServer2016\Signed_1152921504628099289.zip`
-
-   The following instructions will assume that these have been unzipped into the `LC_driver` and `DCAP_INF` folders respectively.
-
-2. Allow the SGX Launch Configuration driver (LC_driver) to run:
-    - From an elevated command prompt:
-      ```cmd
-      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sgx_lc_msr\Parameters /v "SGX_Launch_Config_Optin" /t REG_DWORD /d 1
-      reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sgx_lc_msr\Parameters /v "SGX_Launch_Config_Optin"
-      ```
-    - If the driver is already installed and running, the machine will need to be rebooted for the change to take effect.
-
-3. Install the drivers:
-    - `devcon.exe` from the [Windows Driver Kit for Windows 10](https://go.microsoft.com/fwlink/?linkid=2026156)
-      can be used to install the drivers from an elevated command prompt:
-      ```cmd
-      devcon.exe install LC_driver\drivers\b361e4d8-bc01-43fc-b8a6-8d101e659ed1\sgx_base_dev.inf root\SgxLCDevice
-      devcon.exe install DCAP_INF\drivers\226fdf07-49d3-46aa-a0ce-f21b6d4a05cf\sgx_dcap_dev.inf root\SgxLCDevice_DCAP
-      ```
-    - Note that `devcon.exe` is usually installed to `C:\Program Files (x86)\Windows Kits\10\tools\x64` and is *not* pathed by default.
-
-4. Install the DCAP nuget packages:
-    - The standalone `nuget.exe` [CLI tool](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) can be used to do this from the command prompt:
-      ```cmd
-      nuget.exe install DCAP_Components -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory C\openenclave\prereqs\nuget
-      nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory C:\openenclave\prereqs\nuget
-      ```
-    - *Note:* EnclaveCommonAPI should be installed as the *very last* nuget package as a temporary workaround for a dependency issue.
-
-#### Building with DCAP libraries using Visual Studio 2017
-To build with the DCAP libraries in Visual Studio, you will need to add the
-`-DUSE_LIBSGX=1` to `cmakeCommandArgs` in the CMakeSettings.json file for each of the
-configurations you want to build with it.
-
-For example, to enable it for x64-Debug, do this in your json file:
-
-```json
-  "configurations": [
-    {
-      "name": "x64-Debug",
-      "generator": "Ninja",
-      "configurationType": "Debug",
-      "inheritEnvironments": [ "msvc_x64_x64" ],
-      "buildRoot": "${workspaceRoot}\\build\\x64-Debug",
-      "installRoot": "${env.USERPROFILE}\\CMakeBuilds\\${workspaceHash}\\install\\${name}",
-      "cmakeCommandArgs": "-DBUILD_ENCLAVES=1 -DUSE_LIBSGX=1",
-      "buildCommandArgs": "-v",
-      "ctestCommandArgs": ""
-    },
-```
-
-The CMake > Build All menu option will work as usual once this is configured.
-
-#### Building with DCAP libraries using Developer Command Prompt
-
-To build with the DCAP libraries in the x64 Native Tools Command Prompt for VS 2017,
-just add the `-DUSE_LIBSGX=1` option to the `cmake` call before starting the `ninja`
-build. For example, for the x64-Debug configuration:
-
-```cmd
-cd C:\openenclave
-mkdir build\x64-Debug
-cd build\x64-Debug
-cmake -G Ninja -DBUILD_ENCLAVES=1 -DUSE_LIBSGX=1 -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_and_dcap_nuget_packages ../..
-ninja
-```
-
-Testing
--------
-
-Note that the use of Simulation Mode via the `OE_SIMULATION` flag is _not_ supported on Windows.
-See [#1753](https://github.com/openenclave/openenclave/issues/1753) for details.
-
-### Running tests in Visual Studio 2017
-
-1. Open the CMake project in Visual Studio from menu File > Open > CMake...
-   and select top level CMakeLists.txt file which is present in openenclave folder.
-2. Select menu CMake > Tests > Run Open Enclave SDK CTests.
-
-### Running tests on the Developer Command Prompt
-On the x64 Native Tools Command Prompt for VS 2017:
-
-```cmd
-ctest
-```
-
-Known Issues
-------------
-* Samples have not yet been ported to Windows
-* Not all tests currently run on Windows. See tests/CMakeLists.txt for a list of supported tests.
diff --git a/samples/README_Windows.md b/samples/README_Windows.md
index 8695eebb95..09bc41f2eb 100644
--- a/samples/README_Windows.md
+++ b/samples/README_Windows.md
@@ -45,7 +45,7 @@ set OpenEnclaveDIR=C:\openenclave\lib\openenclave\cmake
 ```cmd
 mkdir build
 cd build
-cmake .. -G Ninja -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages
+cmake .. -G Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages
 ninja
 ```
 

From cd83180b692365a97f91e37e22d2a18c0239f4f0 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Thu, 3 Oct 2019 21:23:29 -0700
Subject: [PATCH 136/420] Renamed

---
 .../{Windowsusing_oe_sdk.md => Windows_using_oe_sdk.md}           | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename docs/GettingStartedDocs/{Windowsusing_oe_sdk.md => Windows_using_oe_sdk.md} (100%)

diff --git a/docs/GettingStartedDocs/Windowsusing_oe_sdk.md b/docs/GettingStartedDocs/Windows_using_oe_sdk.md
similarity index 100%
rename from docs/GettingStartedDocs/Windowsusing_oe_sdk.md
rename to docs/GettingStartedDocs/Windows_using_oe_sdk.md

From 101982082b41fdb37b635ca9ef792b7544af047f Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Thu, 3 Oct 2019 21:23:35 -0700
Subject: [PATCH 137/420] Renaming

---
 docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
index da02a7d77d..9d5d892691 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
@@ -10,7 +10,7 @@ cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_pac
 ninja install
 ```
 
-This will install the [resulting SDK layout](/docs/GettingStartedDocs/Windowsusing_oe_sdk.md#open-enclave-sdk-layout) to C:\openenclave
+This will install the [resulting SDK layout](/docs/GettingStartedDocs/Windows_using_oe_sdk.md#open-enclave-sdk-layout) to C:\openenclave
 Please note that Nuget_package_Path over here points to the directory where NuGet packackages are installed on your system.
 This is the global-packages folder which usually is  %userprofile%\.nuget\packages. For more information, please look [here](https://docs.microsoft.com/en-us/nuget/consume-packages/managing-the-global-packages-and-cache-folders).
 

From a3e3200091b4c6dfc4987690ff37a4680c40fe11 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Thu, 3 Oct 2019 21:25:20 -0700
Subject: [PATCH 138/420] Fix path

---
 .../Contributors/WindowsSGX1FLCGettingStarted.md              | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index 77b0973d41..665d9a3fcf 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -70,7 +70,7 @@ To build debug enclaves:
 cd C:\openenclave
 mkdir build\x64-Debug
 cd build\x64-Debug
-cmake -G  Ninja -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:/openenclave -DUSE_LIBSGX=ON ../..
+cmake -G  Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DUSE_LIBSGX=ON ..\..
 ninja
 ```
 
@@ -81,7 +81,7 @@ Similarly, to build release enclaves:
 cd C:\openenclave
 mkdir build\x64-Release
 cd build\x64-Release
-cmake -G  Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:/openenclave -DUSE_LIBSGX=ON ..\..
+cmake -G  Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DUSE_LIBSGX=ON ..\..
 ninja
 ```
 

From eddd5244d3829097d126f6637a660140fcbe93c3 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Thu, 3 Oct 2019 21:27:24 -0700
Subject: [PATCH 139/420] Fix path

---
 .../Contributors/WindowsSGX1GettingStarted.md                 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
index 7bb3a3918f..5bbad12233 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -59,7 +59,7 @@ Normally this is accessible under the `Visual Studio 2017` folder in the Start M
 cd C:\openenclave
 mkdir build\x64-Debug
 cd build\x64-Debug
-cmake -G  Ninja -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:/openenclave ../..
+cmake -G  Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
 ninja
 ```
 
@@ -71,7 +71,7 @@ Similarly, to build release enclaves:
 cd C:\openenclave
 mkdir build\x64-Release
 cd build\x64-Release
-cmake -G  Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:/your/path/to/intel_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:/openenclave ../..
+cmake -G  Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
 ninja
 ```
 

From 8396fd30c0ad6156c7053e245f31ac3411bed3cf Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Thu, 3 Oct 2019 21:29:48 -0700
Subject: [PATCH 140/420] Add punctuation

---
 .../Contributors/WindowsSGX1FLCGettingStarted.md                | 2 +-
 .../Contributors/WindowsSGX1GettingStarted.md                   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index 665d9a3fcf..028606ca2e 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -74,7 +74,7 @@ cmake -G  Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packag
 ninja
 ```
 
-Later, using the `ninja install` command will install the SDK in C:\openenclave. To choose a different location, change the value specified for CMAKE_INSTALL_PATH
+Later, using the `ninja install` command will install the SDK in C:\openenclave. To choose a different location, change the value specified for CMAKE_INSTALL_PATH.
 
 Similarly, to build release enclaves:
 ```cmd
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
index 5bbad12233..efc7a39f05 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -63,7 +63,7 @@ cmake -G  Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages  -DCMA
 ninja
 ```
 
-Later, using the `ninja install` command will install the SDK in C:\openenclave. To choose a different location, change the value specified for CMAKE_INSTALL_PATH
+Later, using the `ninja install` command will install the SDK in C:\openenclave. To choose a different location, change the value specified for CMAKE_INSTALL_PATH.
 
 Similarly, to build release enclaves:
 

From 5e93a26951f56a7efca45bc34b2aa9dcc1a65d9e Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Thu, 3 Oct 2019 21:34:32 -0700
Subject: [PATCH 141/420] Make consistent

---
 .../Contributors/WindowsManualInstallPrereqs.md           | 2 +-
 .../Contributors/WindowsSGX1FLCGettingStarted.md          | 6 ++++--
 .../Contributors/WindowsSGX1GettingStarted.md             | 8 +++++---
 samples/README_Windows.md                                 | 6 +++---
 4 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
index 5465a994e9..88bdf02647 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
@@ -24,7 +24,7 @@ For systems with support for SGX1  - [Intel's PSW 2.2](WindowsManualSGX1Prereqs.
 For systems with support for SGX1 + FLC - [Intel's PSW 2.4, Intel's Data Center Attestation Primitives and related dependencies](WindowsManualSGX1FLCDCAPPrereqs.md)
 
 ## Microsoft Visual Studio Build Tools 2019
-Install [Visual Studio Build Tools 2019](https://aka.ms/vs/16/release/vs_buildtools.exe). Choose the " C++ build tools" workload. Visual Studio Build Tools 2019has support for CMake Version 3.15 (CMake ver 3.12 or above is required for building Open Enclave SDK). For more information about CMake support, look [here](https://blogs.msdn.microsoft.com/vcblog/2016/10/05/cmake-support-in-visual-studio/).
+Install [Visual Studio Build Tools 2019](https://aka.ms/vs/16/release/vs_buildtools.exe). Choose the " C++ build tools" workload. Visual Studio Build Tools 2019 has support for CMake Version 3.15 (CMake ver 3.12 or above is required for building Open Enclave SDK). For more information about CMake support, look [here](https://blogs.msdn.microsoft.com/vcblog/2016/10/05/cmake-support-in-visual-studio/).
 
 ## Git for Windows 64-bit
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index 028606ca2e..446af1185b 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -125,8 +125,10 @@ ninja install
 
 This installs the SDK in `C:\openenclave`.
 
-## Known Issues
+### Build and run samples
+
+To build and run samples, please look [here](/samples/README_Windows.md)
 
-Samples have not yet been ported to Windows.
+## Known Issues
 
 Not all tests currently run on Windows. See tests\MakeLists.txt for a list of supported tests.
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
index efc7a39f05..5be1fe56dd 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -113,10 +113,12 @@ cd build\x64-Debug
 ninja install
 ```
 
-This installs the SDK in `C:\openenclave`.
+This installs the SDK in `C:\openenclave`.'
 
-## Known Issues
+### Build and run samples
+
+To build and run samples, please look [here](/samples/README_Windows.md).
 
-Samples have not yet been ported to Windows.
+## Known Issues
 
 Not all tests currently run on Windows. See tests\MakeLists.txt for a list of supported tests.
diff --git a/samples/README_Windows.md b/samples/README_Windows.md
index 09bc41f2eb..0ec4fa7b62 100644
--- a/samples/README_Windows.md
+++ b/samples/README_Windows.md
@@ -28,11 +28,11 @@ xcopy  C:\openenclave\share\openenclave\samples C:\mysample
 
 ### How to build and run samples
 
-1. Launch the [x64 Native Tools Command Prompt for VS 2017](
+1. [x64 Native Tools Command Prompt for VS(2017 or 2019)](
 https://docs.microsoft.com/en-us/dotnet/framework/tools/developer-command-prompt-for-vs)
-Normally this is accessible under the `Visual Studio 2017` folder in the Start Menu.
+Normally this is accessible under the `Visual Studio 2019 or 2017` folder in the Start Menu.
 
-2. Set OpenEnclave_DIR to the cmake directory in the Open Enclave SDK installation. 
+2. Set OpenEnclave_DIR to the cmake directory in the Open Enclave SDK installation.
 
 As an example, if the Open Enclave SDK is installed to `C:\openenclave`, then you would set OpenEnclaveDIR as shown below
 

From 320f199edb227d4ea2b4fece31440144851c210f Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Fri, 4 Oct 2019 16:15:03 +0100
Subject: [PATCH 142/420] apply PR cleanup comments

---
 docs/DesignDocs/LoggingFormat.md | 49 ++++++++++++++++++--------------
 host/traceh.c                    | 25 ++--------------
 tests/logging/main.c             |  6 ++--
 3 files changed, 32 insertions(+), 48 deletions(-)

diff --git a/docs/DesignDocs/LoggingFormat.md b/docs/DesignDocs/LoggingFormat.md
index 15146244e2..1dc23caa85 100644
--- a/docs/DesignDocs/LoggingFormat.md
+++ b/docs/DesignDocs/LoggingFormat.md
@@ -1,7 +1,8 @@
 Logging Format
 =====
 
-When using the OE SDK and in trying to make use of the logs (e.g. via uploading them to Azure Log Analytics) it is nice to be able to parse and display all of the available logs including the ones generated by OE.
+When using the openenclave SDK and in trying to make use of the logs (e.g., via uploading them to Azure Log Analytics)
+it is nice to be able to parse and display all of the available logs including the ones generated by OE.
 
 Motivation
 ----------
@@ -13,17 +14,18 @@ User Experience
 
 - The user can set the `OE_LOG_DEVICE` environment variable to specify the log file location
 
-- The user can set the `OE_LOG_FORMAT` environment variable to specify the log format. The user will be given the below information:
+- The user can set the `OE_LOG_FORMAT` environment variable to specify the log format. Log formats should expect the below values
+to be passed in the order presented below:
 
-        - time in string format
-        - microseconds
-        - is enclave (E|H)
-        - log level
-        - thread id
-        - log message
-        - file log initiated from
-        - function log initiated from
-        - file line number log initiated from
+        - timestamp ISO 8601 UTC [string]
+        - microseconds of precision in the logging timestamp [long int]
+        - is enclave (E|H) [string]
+        - log level [string]
+        - thread id [uint64_t]
+        - log message [string]
+        - file log initiated from [string]
+        - function log initiated from [string]
+        - file line number log initiated from [string]
 
         so for example a log format could be set like this:
 
@@ -34,31 +36,34 @@ User Experience
         `
         {
                 "e_ts": "2019-09-24T10:09:27.832475Z",
-                "file": "switchless/host/host.c",
-                "func": "main",
                 "level": "(H)ERROR",
+                "tid": "tid(0x7fc2698a6d40)",
                 "msg": "Hello 'world'!",
-                "number": "79",
-                "tid": "tid(0x7fc2698a6d40)"
+                "file": "switchless/host/host.c",
+                "func": "main",
+                "number": "79"
         }
         `
 
-- The user can set the `OE_LOG_ESCAPE` environment variable and if it is set then the log message will be escaped in order to be compatible with the JSON standard.
+- The user can set the `OE_LOG_JSON_ESCAPE` environment variable and if it is set then the log message will be escaped in order to be compatible with the JSON standard.
 
 Specification
 -------------
 
 Users can specify their own format when logging to a user specified file via the existing `OE_LOG_DEVICE` environment variable.
-If the var is not specified then logging goes on as usual.
 
-If the var is specified then we look for an extra environment variable `OE_LOG_FORMAT`.
-If `OE_LOG_FORMAT` is specified we call a method where we pass in the log line information and it is formatted by the `OE_LOG_FORMAT` string. If it is set it needs to end with a newline.
+If the var is set then we look for an extra environment variable `OE_LOG_FORMAT`.
+If `OE_LOG_FORMAT` is set we call a method where we pass in the log line information to be formatted by the `OE_LOG_FORMAT` string.
+`OE_LOG_FORMAT` needs to end with a newline.
 
-If it is not then we use the default format string to log in the file.
+If `OE_LOG_FORMAT` is not set then we use the default format string to log in the file.
 
-In addition to the `OE_LOG_FORMAT` environment variable, if the `OE_LOG_ESCAPE` environment variable is set, then the log message will be processed accordingly in order to be compatible with the JSON standard.
+In addition to the `OE_LOG_FORMAT` environment variable, if the `OE_LOG_JSON_ESCAPE` environment variable is set, then the log message will be processed
+accordingly in order to be compatible with the JSON standard.
 
-When logging to a separate file the defaut logs are not sent to stdout and the custom logs are directed to the file. If the user wants to keep the default logs directed to stdout AND the custom logs sent to the file, they can set the `OE_LOG_ALL_STREAMS` environment variable. This is useful if we want to keep the human readable logs, but also redirect a machine-readable format (e.g. JSON) to a file.
+When logging to a separate file the defaut logs are not sent to stdout and the custom logs are directed to the file. If the user wants to keep the default logs
+directed to stdout AND the custom logs sent to the file, they can set the `OE_LOG_ALL_STREAMS` environment variable. This is useful if we want to keep the human
+readable logs, but also redirect a machine-readable format (e.g., JSON) to a file.
 
 OE logging format
 -----------------
diff --git a/host/traceh.c b/host/traceh.c
index 7f67ee19b1..e6fce5da50 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -77,7 +77,7 @@ void initialize_log_config()
         _log_file_name = getenv("OE_LOG_DEVICE");
         _custom_log_format = getenv("OE_LOG_FORMAT");
         _log_all_streams = getenv("OE_LOG_ALL_STREAMS");
-        _log_escape = getenv("OE_LOG_ESCAPE");
+        _log_escape = getenv("OE_LOG_JSON_ESCAPE");
         if (_custom_log_format)
         {
             // check that custom log format string terminates with a line return
@@ -108,7 +108,7 @@ static bool _escape_characters(
         if (log_msg[i] == '\"')
         {
             // single quotes are OK for JSON
-            log_msg_escaped[idx] = (char)putchar('\'');
+            log_msg_escaped[idx] = '\'';
         }
         else if (log_msg[i] == '\\')
         {
@@ -124,15 +124,9 @@ static bool _escape_characters(
             idx++;
             switch (log_msg[i])
             {
-                case '\a':
-                    log_msg_escaped[idx] = 'a';
-                    break;
                 case '\b':
                     log_msg_escaped[idx] = 'b';
                     break;
-                case '\e':
-                    log_msg_escaped[idx] = 'e';
-                    break;
                 case '\f':
                     log_msg_escaped[idx] = 'f';
                     break;
@@ -145,21 +139,6 @@ static bool _escape_characters(
                 case '\t':
                     log_msg_escaped[idx] = 't';
                     break;
-                case '\v':
-                    log_msg_escaped[idx] = 'v';
-                    break;
-                case '\\':
-                    log_msg_escaped[idx] = '\\';
-                    break;
-                case '\'':
-                    log_msg_escaped[idx] = '\'';
-                    break;
-                case '\"':
-                    log_msg_escaped[idx] = '\"';
-                    break;
-                case '\?':
-                    log_msg_escaped[idx] = '?';
-                    break;
                 default:
                     if ((uint8_t)log_msg[i] > 127 /* max ASCII value */)
                     {
diff --git a/tests/logging/main.c b/tests/logging/main.c
index 4c92edb732..30c13070ea 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -48,8 +48,8 @@ int TestLoggingFormat(const char* path)
     OE_TRACE_ERROR("Hey");
     OE_TRACE_ERROR("Hello 'world'!");
     OE_TRACE_ERROR("Hello \"world\"!");
-    OE_TRACE_ERROR(
-        "\a \\a \b \\b \e \\e \f \\f \n \\n \r \\r \t \\t \v \\v \? \\?");
+    OE_TRACE_ERROR("/ \\/ \' \a \\a \b \\b \e \\e \f \\f \n \\n \r \\r \t \\t "
+                   "\v \\v \? \\?");
     OE_TRACE_ERROR("\\u005C \u0024 \u0040 @");
     OE_TRACE_ERROR("\\\\\\\\");
     OE_TRACE_ERROR("\u2605");
@@ -126,7 +126,7 @@ int main(int argc, const char* argv[])
             "\",\"msg\":\"%s\",\"file\":\"%s\",\"func\":\"%s\",\"number\":\"%"
             "s\"}\n",
             true) == 0);
-    OE_TEST(setenv("OE_LOG_ESCAPE", "true", true) == 0);
+    OE_TEST(setenv("OE_LOG_JSON_ESCAPE", "true", true) == 0);
     TestEscapedCharacters();
     TestLoggingFormat(path);
     return 0;

From 577adc69a3a4489b3a1a83630d832c0c969b6507 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Fri, 4 Oct 2019 16:40:36 +0000
Subject: [PATCH 143/420] Install nuget.exe to Program Files for building NuGet
 packages.

---
 scripts/install-windows-prereqs.ps1 | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index d6d7bf469a..308d653e3a 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -325,7 +325,10 @@ function Install-Nuget {
     Install-ZipTool -ZipPath $PACKAGES["nuget"]["local_file"] `
                     -InstallDirectory $tempInstallDir `
                     -EnvironmentPath @("$tempInstallDir")
-    Copy-Item -Force "$tempInstallDir\build\native\Nuget.exe" $PACKAGES_DIRECTORY
+    $installDir = Join-Path $env:ProgramFiles "nuget-3.4.3"
+    New-Directory -Path $installDir -RemoveExisting
+    Move-Item -Path "$tempInstallDir\build\native\Nuget.exe" -Destination $installDir
+    Add-ToSystemPath -Path $installDir
 }
 
 function Install-Python3 {
@@ -590,16 +593,16 @@ function Install-DCAP-Dependencies {
     # Note: the ordering of nuget installs below is important to preserve here until the issue with the EnclaveCommonAPI nuget package gets fixed.
     if ($DCAPClientType -eq "Azure")
     {
-        & "$PACKAGES_DIRECTORY\nuget.exe" install 'Azure.DCAP.Windows' -Source "$TEMP_NUGET_DIR;nuget.org" -OutputDirectory "$OE_NUGET_DIR" -ExcludeVersion
+        & nuget.exe install 'Azure.DCAP.Windows' -Source "$TEMP_NUGET_DIR;nuget.org" -OutputDirectory "$OE_NUGET_DIR" -ExcludeVersion
         if($LASTEXITCODE -ne 0) {
             Throw "Failed to install nuget EnclaveCommonAPI"
         }
     }
-    & "$PACKAGES_DIRECTORY\nuget.exe" install 'DCAP_Components' -Source "$TEMP_NUGET_DIR;nuget.org" -OutputDirectory "$OE_NUGET_DIR" -ExcludeVersion
+    & nuget.exe install 'DCAP_Components' -Source "$TEMP_NUGET_DIR;nuget.org" -OutputDirectory "$OE_NUGET_DIR" -ExcludeVersion
     if($LASTEXITCODE -ne 0) {
         Throw "Failed to install nuget DCAP_Components"
     }
-    & "$PACKAGES_DIRECTORY\nuget.exe" install 'EnclaveCommonAPI' -Source "$TEMP_NUGET_DIR;nuget.org" -OutputDirectory "$OE_NUGET_DIR" -ExcludeVersion
+    & nuget.exe install 'EnclaveCommonAPI' -Source "$TEMP_NUGET_DIR;nuget.org" -OutputDirectory "$OE_NUGET_DIR" -ExcludeVersion
     if($LASTEXITCODE -ne 0) {
         Throw "Failed to install nuget EnclaveCommonAPI"
     }
@@ -625,7 +628,7 @@ function Install-AzureDCAPWindows {
 
     Copy-Item $PACKAGES['azure_dcap_client_nupkg']['local_file'] -Destination $TEMP_NUGET_DIR -Force
 
-    & "$PACKAGES_DIRECTORY\nuget.exe" install 'Azure.DCAP.Windows' -Source "$TEMP_NUGET_DIR;nuget.org" -OutputDirectory "$OE_NUGET_DIR" -ExcludeVersion
+    & nuget.exe install 'Azure.DCAP.Windows' -Source "$TEMP_NUGET_DIR;nuget.org" -OutputDirectory "$OE_NUGET_DIR" -ExcludeVersion
     if($LASTEXITCODE -ne 0) {
         Throw "Failed to install nuget Azure.DCAP.Windows"
     }

From 44709ba520e1740c5f52c06859f9a9e7060c8464 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Fri, 4 Oct 2019 10:27:24 -0700
Subject: [PATCH 144/420] Addressing comments

---
 .../Contributors/WindowsInstallInfo.md               |  5 ++---
 .../Contributors/WindowsManualInstallPrereqs.md      |  2 +-
 .../Contributors/WindowsManualSGX1FLCDCAPPrereqs.md  |  6 +++---
 .../Contributors/WindowsSGX1FLCGettingStarted.md     | 12 ++++++------
 .../Contributors/WindowsSGX1GettingStarted.md        | 12 ++++++------
 .../Contributors/building_oe_sdk.md                  |  2 +-
 docs/GettingStartedDocs/Windows_using_oe_sdk.md      |  2 +-
 samples/CMakeLists.txt                               |  4 ++--
 samples/README_Linux.md                              |  2 +-
 9 files changed, 23 insertions(+), 24 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
index 9d5d892691..33672181e0 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
@@ -11,15 +11,14 @@ ninja install
 ```
 
 This will install the [resulting SDK layout](/docs/GettingStartedDocs/Windows_using_oe_sdk.md#open-enclave-sdk-layout) to C:\openenclave
-Please note that Nuget_package_Path over here points to the directory where NuGet packackages are installed on your system.
-This is the global-packages folder which usually is  %userprofile%\.nuget\packages. For more information, please look [here](https://docs.microsoft.com/en-us/nuget/consume-packages/managing-the-global-packages-and-cache-folders).
+Please note that NUGET_PACKAGE_PATH in the above command points to the directory where where the Intel SGX & DCAP Client NuGet packages packackages are installed on your system.
 
 ## Create a redistributable SDK package
 
 To create a redistributable NuGet package use the following command from your build subfolder:
 
 ```cmd
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages-DCPACK_GENERATOR=NuGet -DUSE_LIBSGX=ON
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages -DCPACK_GENERATOR=NuGet -DUSE_LIBSGX=ON
 ninja package
 ```
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
index 88bdf02647..609b53a633 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
@@ -24,7 +24,7 @@ For systems with support for SGX1  - [Intel's PSW 2.2](WindowsManualSGX1Prereqs.
 For systems with support for SGX1 + FLC - [Intel's PSW 2.4, Intel's Data Center Attestation Primitives and related dependencies](WindowsManualSGX1FLCDCAPPrereqs.md)
 
 ## Microsoft Visual Studio Build Tools 2019
-Install [Visual Studio Build Tools 2019](https://aka.ms/vs/16/release/vs_buildtools.exe). Choose the " C++ build tools" workload. Visual Studio Build Tools 2019 has support for CMake Version 3.15 (CMake ver 3.12 or above is required for building Open Enclave SDK). For more information about CMake support, look [here](https://blogs.msdn.microsoft.com/vcblog/2016/10/05/cmake-support-in-visual-studio/).
+Install [Visual Studio Build Tools 2019](https://aka.ms/vs/16/release/vs_buildtools.exe). Choose the "C++ build tools" workload. Visual Studio Build Tools 2019 has support for CMake Version 3.15 (CMake ver 3.12 or above is required for building Open Enclave SDK). For more information about CMake support, look [here](https://blogs.msdn.microsoft.com/vcblog/2016/10/05/cmake-support-in-visual-studio/).
 
 ## Git for Windows 64-bit
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
index 5a00c6da70..2527582b34 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
@@ -13,7 +13,7 @@ Note that this is optional since you can choose an alternate implementation of t
 The Azure DCAP client for Windows is necessary if you would like to perform enclave attestation on a Azure Confidential Computing VM. It is available from [nuget.org](https://www.nuget.org/packages/Azure.DCAP.Windows/) and can be installed directly via:
 
 ```cmd
-nuget.exe install Azure.DCAP.Windows -ExcludeVersion -Version 0.0.2 -OutputDirectory C:\openenclave\prereqs\nuget
+nuget.exe install Azure.DCAP.Windows -ExcludeVersion -Version 0.0.2 -OutputDirectory C:\path\to\where\you\would\like\to\l\intel_and_dcap_nuget_packages
 ```
 
 ##### [Intel Data Center Attestation Primitives (DCAP) Libraries v1.2](http://registrationcenter-download.intel.com/akdlm/irc_nas/15650/Intel%20SGX%20DCAP%20for%20Windows%20v1.2.100.49925.exe)
@@ -47,7 +47,7 @@ The following summary will assume that the contents were extracted to `C:\Intel
 4. Install the DCAP nuget packages:
     - The standalone `nuget.exe` [CLI tool](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) can be used to do this from the command prompt:
       ```cmd
-      nuget.exe install DCAP_Components -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory C\openenclave\prereqs\nuget
-      nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory C:\openenclave\prereqs\nuget
+      nuget.exe install DCAP_Components -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages
+      nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages
       ```
     - *Note:* EnclaveCommonAPI should be installed as the *very last* nuget package as a temporary workaround for a dependency issue. Please see issue #2170, for more details.
\ No newline at end of file
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index 446af1185b..e9efb23bc3 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -39,21 +39,21 @@ To install the prerequisites along with the Azure DCAP Client, use the below com
 
 ```powershell
 cd scripts
-.\install-windows-prereqs.ps1 -InstallPath YOUR_WORKSPACE_PATH_HERE -LaunchConfiguration SGX1FLC -DCAPClientType Azure
+.\install-windows-prereqs.ps1 -InstallPath C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages -LaunchConfiguration SGX1FLC -DCAPClientType Azure
 ```
 
 If you would like to skip the installation of the Azure DCAP Client, use the command below.
 
 ```powershell
 cd scripts
-.\install-windows-prereqs.ps1 -InstallPath YOUR_WORKSPACE_PATH_HERE -LaunchConfiguration SGX1FLC -DCAPClientType None
+.\install-windows-prereqs.ps1 -InstallPath C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages -LaunchConfiguration SGX1FLC -DCAPClientType None
 ```
 
 As an example, if you cloned the Open Enclave SDK repo into C:\openenclave and want to install the Azure DCAP Client, you would run the following command.
 
 ```powershell
 cd scripts
-.\install-windows-prereqs.ps1 -InstallPath C:\openenclave -LaunchConfiguration SGX1FLC -DCAPClientType Azure
+.\install-windows-prereqs.ps1 -InstallPath C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages -LaunchConfiguration SGX1FLC -DCAPClientType Azure
 ```
 
 If you prefer to manually install prerequisites, please refer to this [document](WindowsManualInstallPrereqs.md).
@@ -70,7 +70,7 @@ To build debug enclaves:
 cd C:\openenclave
 mkdir build\x64-Debug
 cd build\x64-Debug
-cmake -G  Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DUSE_LIBSGX=ON ..\..
+cmake -G  Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DUSE_LIBSGX=ON ..\..
 ninja
 ```
 
@@ -81,7 +81,7 @@ Similarly, to build release enclaves:
 cd C:\openenclave
 mkdir build\x64-Release
 cd build\x64-Release
-cmake -G  Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DUSE_LIBSGX=ON ..\..
+cmake -G  Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DUSE_LIBSGX=ON ..\..
 ninja
 ```
 
@@ -127,7 +127,7 @@ This installs the SDK in `C:\openenclave`.
 
 ### Build and run samples
 
-To build and run samples, please look [here](/samples/README_Windows.md)
+To build and run the samples, please look [here](/samples/README_Windows.md).
 
 ## Known Issues
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
index 5be1fe56dd..95d3a21ed2 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -35,14 +35,14 @@ To deploy all the prerequisities for building Open Enclave, you can run the foll
 
 ```powershell
 cd scripts
-.\install-windows-prereqs.ps1 -InstallPath PATH_TO_OE_REPO -LaunchConfiguration SGX1 -DCAPClientType None
+.\install-windows-prereqs.ps1 -InstallPath C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages -LaunchConfiguration SGX1 -DCAPClientType None
 ```
 
 As an example, if you cloned Open Enclave SDK repo into `C:\openenclave`, you would run the following:
 
 ```powershell
 cd scripts
-.\install-windows-prereqs.ps1 -InstallPath C:\openenclave -LaunchConfiguration SGX1 -DCAPClientType None
+.\install-windows-prereqs.ps1 -InstallPath C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages -LaunchConfiguration SGX1 -DCAPClientType None
 ```
 
 If you prefer to manually install prerequisites, please refer to this [document](WindowsManualInstallPrereqs.md).
@@ -59,7 +59,7 @@ Normally this is accessible under the `Visual Studio 2017` folder in the Start M
 cd C:\openenclave
 mkdir build\x64-Debug
 cd build\x64-Debug
-cmake -G  Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
+cmake -G  Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
 ninja
 ```
 
@@ -71,7 +71,7 @@ Similarly, to build release enclaves:
 cd C:\openenclave
 mkdir build\x64-Release
 cd build\x64-Release
-cmake -G  Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages  -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
+cmake -G  Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
 ninja
 ```
 
@@ -113,11 +113,11 @@ cd build\x64-Debug
 ninja install
 ```
 
-This installs the SDK in `C:\openenclave`.'
+This installs the SDK in `C:\openenclave`.
 
 ### Build and run samples
 
-To build and run samples, please look [here](/samples/README_Windows.md).
+To build and run the samples, please look [here](/samples/README_Windows.md).
 
 ## Known Issues
 
diff --git a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
index 8714700b9c..dcc25b5b66 100644
--- a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
+++ b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
@@ -70,7 +70,7 @@ See [Open Enclave samples](/samples/README_Linux.md) for details.
 Assuming you install the SDK as below (also described in the [basic install section](WindowsInstallInfo.md#basic-install-on-windows))
 
 ```bash
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH= [NuGet_package_Path]   -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave" -DUSE_LIBSGX=ON
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\path\to\intel_and_dcap_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave" -DUSE_LIBSGX=ON
 ninja install
 ```
 Open Enclave samples can be found in c:\openenclave\share\openenclave\samples
diff --git a/docs/GettingStartedDocs/Windows_using_oe_sdk.md b/docs/GettingStartedDocs/Windows_using_oe_sdk.md
index a7ebc4ac35..951b20b8f6 100644
--- a/docs/GettingStartedDocs/Windows_using_oe_sdk.md
+++ b/docs/GettingStartedDocs/Windows_using_oe_sdk.md
@@ -15,7 +15,7 @@ It contains the following subfolders:
 | bin                          | Developer tools such as oedebugrt.dll for debugging and oesign for signing your enclaves. |
 | include\openenclave          | Open Enclave runtime headers for use in your enclave (enclave.h) and its host (host.h). |
 | include\openenclave\3rdparty | Headers for libc, libcxx and mbedlts libraries for use inside the enclave.<br>See the API Reference section for supported functions. |
-| lib\openenclave/cmake        | Open Enclave SDK CMake Package for integration with your CMake projects. See [README.md](/cmake/sdk_cmake_targets_readme.md) for more details. |
+| lib\openenclave\cmake        | Open Enclave SDK CMake Package for integration with your CMake projects. See [README.md](\cmake\sdk_cmake_targets_readme.md) for more details. |
 | lib\openenclave\enclave      | Libraries for linking into the enclave, including the libc, libcxx and mbedtls libraries for Open Enclave. |
 | lib\openenclave\host         | Library for linking into the host process of the enclave. |
 | lib\openenclave\debugger     | Libraries used by the gdb plug-in for debugging enclaves. |
diff --git a/samples/CMakeLists.txt b/samples/CMakeLists.txt
index c46b3fcb98..376d98845b 100644
--- a/samples/CMakeLists.txt
+++ b/samples/CMakeLists.txt
@@ -13,11 +13,11 @@ install(DIRECTORY helloworld file-encryptor data-sealing switchless
         DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples)
 
 if (WIN32)
-install(FILES README_Windows.md
+  install(FILES README_Windows.md
         DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples
         RENAME README.md)
 else ()
-install(FILES README_Linux.md
+  install(FILES README_Linux.md
         DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples
         RENAME README.md)
 endif ()
diff --git a/samples/README_Linux.md b/samples/README_Linux.md
index d050ac4a4e..3957739fd3 100644
--- a/samples/README_Linux.md
+++ b/samples/README_Linux.md
@@ -32,7 +32,7 @@ drwxr-xr-x 2 yourusername yourusername 4096 Aug 16 13:59 host
 
 Building samples involves writing files into the working directory, which is not allowed in `/opt` unless it's running in the context of superuser (`sudo`).
 
-To avoid this `sudo` requirement, you may want to first copy them to a user directory of your choice then build and run on those local copy.
+Before building any of the samples, please copy them out of the /opt/openenclave/share/openenclave/samples directory to a directory where your current user has write permissions. A normal user usually does not have permission to write files into a directory in /opt.
 
 For example, assuming Open Enclave SDK is installed to the default location `/opt/openenclave`:
 

From 90535ba529f34b9eeb373a3e6b15287836f50b30 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Fri, 4 Oct 2019 14:09:03 -0700
Subject: [PATCH 145/420] Address Simon's comments

---
 .../{InstallInfo.md => LinuxInstallInfo.md}            |  0
 .../Contributors/SGX1FLCGettingStarted.md              |  2 +-
 .../Contributors/SGX1GettingStarted.md                 |  2 +-
 .../Contributors/SimulatorGettingStarted.md            |  2 +-
 .../Contributors/WindowsInstallInfo.md                 |  4 ++--
 .../Contributors/WindowsManualSGX1FLCDCAPPrereqs.md    |  2 +-
 .../Contributors/WindowsSGX1FLCGettingStarted.md       |  4 ++--
 .../Contributors/WindowsSGX1GettingStarted.md          |  4 ++--
 .../GettingStartedDocs/Contributors/building_oe_sdk.md |  2 --
 docs/GettingStartedDocs/Windows_using_oe_sdk.md        |  2 +-
 docs/GettingStartedDocs/using_oe_sdk.md                |  2 +-
 samples/README_Windows.md                              | 10 +++++++---
 samples/switchless/host/host.c                         |  9 +++++++++
 tests/README.md                                        |  5 -----
 14 files changed, 28 insertions(+), 22 deletions(-)
 rename docs/GettingStartedDocs/Contributors/{InstallInfo.md => LinuxInstallInfo.md} (100%)

diff --git a/docs/GettingStartedDocs/Contributors/InstallInfo.md b/docs/GettingStartedDocs/Contributors/LinuxInstallInfo.md
similarity index 100%
rename from docs/GettingStartedDocs/Contributors/InstallInfo.md
rename to docs/GettingStartedDocs/Contributors/LinuxInstallInfo.md
diff --git a/docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md
index 8e5b1f21c4..e6d1cc7b66 100644
--- a/docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md
@@ -101,4 +101,4 @@ For more information refer to the [Advanced Test Info](AdvancedTestInfo.md) docu
 
 ## Install
 
-Follow the instructions in the [Install Info](InstallInfo.md) document to install the Open Enclave SDK built above.
+Follow the instructions in the [Install Info](LinuxInstallInfo.md) document to install the Open Enclave SDK built above.
diff --git a/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
index a3048a23db..64a35c4894 100644
--- a/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
@@ -92,4 +92,4 @@ For more information refer to the [Advanced Test Info](AdvancedTestInfo.md) docu
 
 ## Install
 
- Follow the instructions in the [Install Info](InstallInfo.md) document to install the Open Enclave SDK built above.
+ Follow the instructions in the [Install Info](LinuxInstallInfo.md) document to install the Open Enclave SDK built above.
diff --git a/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md b/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md
index 01dd367ee5..c084b9ac98 100644
--- a/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md
@@ -106,4 +106,4 @@ For more information refer to the [Advanced Test Info](AdvancedTestInfo.md) docu
 
 ## Install
 
- Follow the instructions in the [Install Info](InstallInfo.md) document to install the Open Enclave SDK built above.
+ Follow the instructions in the [Install Info](LinuxInstallInfo.md) document to install the Open Enclave SDK built above.
diff --git a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
index 33672181e0..9b0bf20966 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
@@ -2,11 +2,11 @@ Basic Install on Windows
 ========================
 
 You can locally install the SDK from the compiled Open Enclave tree by specifying
-the install-prefix to the cmake call before calling "ninja install".
+the install-prefix to the cmake call before calling `ninja install`.
 From the build subfolder in your source tree:
 
 ```cmd
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave" -DUSE_LIBSGX=ON
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DUSE_LIBSGX=ON
 ninja install
 ```
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
index 2527582b34..6034ae1234 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
@@ -13,7 +13,7 @@ Note that this is optional since you can choose an alternate implementation of t
 The Azure DCAP client for Windows is necessary if you would like to perform enclave attestation on a Azure Confidential Computing VM. It is available from [nuget.org](https://www.nuget.org/packages/Azure.DCAP.Windows/) and can be installed directly via:
 
 ```cmd
-nuget.exe install Azure.DCAP.Windows -ExcludeVersion -Version 0.0.2 -OutputDirectory C:\path\to\where\you\would\like\to\l\intel_and_dcap_nuget_packages
+nuget.exe install Azure.DCAP.Windows -ExcludeVersion -Version 0.0.2 -OutputDirectory C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages
 ```
 
 ##### [Intel Data Center Attestation Primitives (DCAP) Libraries v1.2](http://registrationcenter-download.intel.com/akdlm/irc_nas/15650/Intel%20SGX%20DCAP%20for%20Windows%20v1.2.100.49925.exe)
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index e9efb23bc3..73ed32bb7c 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -70,7 +70,7 @@ To build debug enclaves:
 cd C:\openenclave
 mkdir build\x64-Debug
 cd build\x64-Debug
-cmake -G  Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DUSE_LIBSGX=ON ..\..
+cmake -G Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DUSE_LIBSGX=ON ..\..
 ninja
 ```
 
@@ -81,7 +81,7 @@ Similarly, to build release enclaves:
 cd C:\openenclave
 mkdir build\x64-Release
 cd build\x64-Release
-cmake -G  Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DUSE_LIBSGX=ON ..\..
+cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DUSE_LIBSGX=ON ..\..
 ninja
 ```
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
index 95d3a21ed2..8cbbb65f41 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -59,7 +59,7 @@ Normally this is accessible under the `Visual Studio 2017` folder in the Start M
 cd C:\openenclave
 mkdir build\x64-Debug
 cd build\x64-Debug
-cmake -G  Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
+cmake -G Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
 ninja
 ```
 
@@ -71,7 +71,7 @@ Similarly, to build release enclaves:
 cd C:\openenclave
 mkdir build\x64-Release
 cd build\x64-Release
-cmake -G  Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
+cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
 ninja
 ```
 
diff --git a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
index dcc25b5b66..358570d9d0 100644
--- a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
+++ b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
@@ -1,7 +1,5 @@
 # Building the Open Enclave SDK
 
-This document contains the Linux build instructions. For the experimental Windows build instructions, see [here](/docs/GettingStartedDocs/GettingStarted.Windows.md).
-
 #### 1. Determine the SGX support level on your development/target system
 
 The Open Enclave SDK runs on Linux systems, whether those systems are inside virtual machines or directly on top of the bare metal machines.
diff --git a/docs/GettingStartedDocs/Windows_using_oe_sdk.md b/docs/GettingStartedDocs/Windows_using_oe_sdk.md
index 951b20b8f6..59de9698ba 100644
--- a/docs/GettingStartedDocs/Windows_using_oe_sdk.md
+++ b/docs/GettingStartedDocs/Windows_using_oe_sdk.md
@@ -28,7 +28,7 @@ It contains the following subfolders:
 As an example, if you installed the SDK to C:\openenclave, then you would set `OpenEnclave_DIR` as shown below.
 
 ```cmd
-set OpenEnclave_DIR=C:\openenclave\lib\cmake
+set OpenEnclave_DIR=C:\openenclave\lib\openenclave\cmake
 ```
 
 ## Samples
diff --git a/docs/GettingStartedDocs/using_oe_sdk.md b/docs/GettingStartedDocs/using_oe_sdk.md
index db305f1288..94e2567d43 100644
--- a/docs/GettingStartedDocs/using_oe_sdk.md
+++ b/docs/GettingStartedDocs/using_oe_sdk.md
@@ -25,7 +25,7 @@ On Linux, the Open Enclave SDK installation also contains the following folder:
 
 ## Configure environment variables for Open Enclave SDK for Linux
 For ease of development, we recommend adding:
-- Open Enclave SDK `bin` folder to `PATH`, for use of our tools (such as `oegdb`, and `oeedger8r`).
+- Open Enclave SDK `bin` folder to `PATH`, for use of our tools (such as `oegdb` and `oeedger8r`).
 - Open Enclave SDK `install` folder to `CMAKE_PREFIX_PATH`, for use of the [CMake package](/cmake/sdk_cmake_targets_readme.md).
 - Open Enclave SDK `pkgconfig` folder to `PKG_CONFIG_PATH`, for use of `pkg-config`.
 
diff --git a/samples/README_Windows.md b/samples/README_Windows.md
index 0ec4fa7b62..96058b31e6 100644
--- a/samples/README_Windows.md
+++ b/samples/README_Windows.md
@@ -6,7 +6,11 @@ All the samples that come with the Open Enclave SDK installation share similar d
 
 ### How Sample source code directories were structured
 
-Open Enclave SDK helps developers build enclave applications. An enclave application is partitioned into an untrusted component (called a host) and a trusted component (called an enclave). An enclave is a secure container whose memory (text and data) is protected from access by outside entities, including the host, privileged users, and even the hardware. All functionality that needs to be run in a Trusted Execution Environment (TEE) should be compiled into the enclave binary. The enclave may run in an untrusted environment with the expectation that secrets will not be compromised. A host is a normal user mode application that loads an enclave into its address space before starting interacting with an enclave. 
+Open Enclave SDK helps developers build enclave applications. An enclave application is partitioned into an untrusted component (called a host) and a trusted component (called an enclave).
+
+An enclave is a secure container whose memory (text and data) is protected from access by outside entities, including the host, privileged users, and even the hardware. All functionality that needs to be run in a Trusted Execution Environment (TEE) should be compiled into the enclave binary. The enclave may run in an untrusted environment with the expectation that secrets will not be compromised. On Windows and Linux, enclaves are ELF binaries.
+
+A host is a normal user mode application that loads an enclave into its address space before starting interacting with an enclave.
 
 ![Sample components diagram](sampledirstructure.png)
 
@@ -34,10 +38,10 @@ Normally this is accessible under the `Visual Studio 2019 or 2017` folder in the
 
 2. Set OpenEnclave_DIR to the cmake directory in the Open Enclave SDK installation.
 
-As an example, if the Open Enclave SDK is installed to `C:\openenclave`, then you would set OpenEnclaveDIR as shown below
+As an example, if the Open Enclave SDK is installed to `C:\openenclave`, then you would set OpenEnclave_DIR as shown below
 
 ```cmd
-set OpenEnclaveDIR=C:\openenclave\lib\openenclave\cmake
+set OpenEnclave_DIR=C:\openenclave\lib\openenclave\cmake
 ```
 
 3. To build a sample using CMake, change directory to your target sample directory and execute the following commands:
diff --git a/samples/switchless/host/host.c b/samples/switchless/host/host.c
index df8e657748..eb6bc491de 100644
--- a/samples/switchless/host/host.c
+++ b/samples/switchless/host/host.c
@@ -68,16 +68,21 @@ int main(int argc, const char* argv[])
         fprintf(stderr, "oe_create_enclave(): result=%u", result);
 
     double start, end;
+#ifdef (_linux_)
     struct timespec current_time;
     clock_gettime(CLOCK_REALTIME, &current_time);
     start =
         current_time.tv_sec * 1000000 + (double)current_time.tv_nsec / 1000.0;
+#else
+
 
     // Call into the enclave
     result = enclave_add_N_switchless(enclave, &m, n);
 
+#ifdef (_linux_)
     clock_gettime(CLOCK_REALTIME, &current_time);
     end = current_time.tv_sec * 1000000 + (double)current_time.tv_nsec / 1000.0;
+#endif
 
     if (result != OE_OK)
     {
@@ -94,16 +99,20 @@ int main(int argc, const char* argv[])
         m,
         (int)(end - start) / 1000);
 
+#ifdef (_linux_)
     clock_gettime(CLOCK_REALTIME, &current_time);
     start =
         current_time.tv_sec * 1000000 + (double)current_time.tv_nsec / 1000.0;
+#endif
 
     // Call into the enclave
     m = oldm;
     result = enclave_add_N_regular(enclave, &m, n);
 
+#ifdef (_linux_)
     clock_gettime(CLOCK_REALTIME, &current_time);
     end = current_time.tv_sec * 1000000 + (double)current_time.tv_nsec / 1000.0;
+#endif
 
     if (result != OE_OK)
     {
diff --git a/tests/README.md b/tests/README.md
index acdc8444ae..1615ae5afc 100644
--- a/tests/README.md
+++ b/tests/README.md
@@ -41,11 +41,6 @@ signalling a "did not run" state to ctest (rather than failing). To signal
 "did not run", such tests should return with an exit code of 2. ctest
 evaluates this specifically.
 
-# Testing on Windows [Work in progress]
-
-Refer to [Getting Started on Windows](/docs/GettingStartedDocs/GettingStarted.Windows.md) for
-instructions on testing Linux-built enclaves with Windows-built host apps.
-
 # On calls to add_enclave
 
 The test enclave targets are added by calling `add_enclave`, a CMake macro

From 469aca8d492b0e6eccd9dc1f752ebc54445bb1f3 Mon Sep 17 00:00:00 2001
From: Michael Huang <tehsiu.huang@gmail.com>
Date: Fri, 4 Oct 2019 21:33:46 +0000
Subject: [PATCH 146/420] [Problem] Error message is not clear when calling
 dlopen. Using "not found" as error message will mislead people because
 sometimes the issue is caused by missing dependency shared library.

[Solution]
Print out dlerror() string instead of using "not found"

[Test]
Tried to downgrade the openssl from 1.1.1 to 1.1.0. So
libdcap_quoteprov.so will not be able to link to openssl properly.
Instead of showing "libdcap_quoteprov.so not found", now it shows
"libdcap_quoteprov.so /usr/local/lib/libssl.so.1.1: version
`OPENSSL_1_1_1' not found (required by /usr/lib/x86_64-linux-gnu/libcurl.so.4)"
---
 host/sgx/linux/sgxquoteproviderloader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/host/sgx/linux/sgxquoteproviderloader.c b/host/sgx/linux/sgxquoteproviderloader.c
index 30610085f1..18e9029fa3 100644
--- a/host/sgx/linux/sgxquoteproviderloader.c
+++ b/host/sgx/linux/sgxquoteproviderloader.c
@@ -74,7 +74,7 @@ void oe_load_quote_provider()
         else
         {
             OE_TRACE_ERROR(
-                "sgxquoteprovider: libdcap_quoteprov.so not found \n");
+		"sgxquoteprovider: libdcap_quoteprov.so %s\n", dlerror());	    
         }
     }
 }

From b9d81d7078d71b89bf9f00f3b2297cad7a8ab3ab Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Fri, 4 Oct 2019 15:57:19 -0700
Subject: [PATCH 147/420] Address more comments

---
 samples/CMakeLists.txt    |  8 +++++++-
 samples/README_Linux.md   |  2 +-
 samples/README_Windows.md | 18 ++++++++----------
 3 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/samples/CMakeLists.txt b/samples/CMakeLists.txt
index 376d98845b..6101fd858e 100644
--- a/samples/CMakeLists.txt
+++ b/samples/CMakeLists.txt
@@ -2,7 +2,13 @@
 # Licensed under the MIT License.
 
 if (USE_LIBSGX)
-  install(DIRECTORY remote_attestation local_attestation attested_tls
+  install(DIRECTORY remote_attestation local_attestation
+          DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples
+          PATTERN "gen_pubkey_header.sh"
+          PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ
+          GROUP_EXECUTE GROUP_READ WORLD_EXECUTE WORLD_READ)
+  if(NOT WIN32)
+    install(DIRECTORY attested_tls
           DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples
           PATTERN "gen_pubkey_header.sh"
           PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ
diff --git a/samples/README_Linux.md b/samples/README_Linux.md
index 3957739fd3..8422bbc13c 100644
--- a/samples/README_Linux.md
+++ b/samples/README_Linux.md
@@ -14,7 +14,7 @@ All the samples that come with the Open Enclave SDK installation are all structu
 
 | Files/dir        |  contents                                   |
 |:-----------------|---------------------------------------------|
-| Makefile         | Makefile for the whole samples              |
+| Makefile         | Makefile for building all samples           |
 | ./enclave        | Files needed for building the sample enclave|
 | ./host           | Files needed for building the host          |
 
diff --git a/samples/README_Windows.md b/samples/README_Windows.md
index 96058b31e6..5beef12171 100644
--- a/samples/README_Windows.md
+++ b/samples/README_Windows.md
@@ -1,6 +1,6 @@
 # Building Open Enclave SDK Samples on Windows
 
-All the samples that come with the Open Enclave SDK installation share similar directory structure and build instructions. The section contains general information on how to setup/build/sign/run all samples. It's important that you read information on this page before jumping into any individual sample.
+All the samples that come with the Open Enclave SDK installation share a similar directory structure and build instructions. This document describes how to setup, build, sign and run these samples.
 
 ## Common Sample information
 
@@ -18,27 +18,25 @@ All the samples that come with the Open Enclave SDK installation are all structu
 
 | Files/dir        |  contents                                   |
 |:-----------------|---------------------------------------------|
-| enclave        | Files needed for building the sample enclave|
-| host           | Files needed for building the host          |
+| enclave        | Files needed for building the sample enclave  |
+| host           | Files needed for building the host            |
 
 ### Prepare samples
 
-Building samples involves writing files into the working directory. You can do this in the directory in which you have installed your samples.
-You can also copy the samples from the location they were installed to another directory.
+Building a sample will write intermediate and output files into the sample directory. If you would like to use a separate working directory for building samples, you can copy the samples to your working directory first. For example, if the SDK was installed to C:\openenclave:
 
 ```cmd
-xcopy  C:\openenclave\share\openenclave\samples C:\mysample
+xcopy C:\openenclave\share\openenclave\samples C:\mysample
 ```
 
 ### How to build and run samples
 
-1. [x64 Native Tools Command Prompt for VS(2017 or 2019)](
+1. [x64 Native Tools Command Prompt for VS2017 or 2019](
 https://docs.microsoft.com/en-us/dotnet/framework/tools/developer-command-prompt-for-vs)
-Normally this is accessible under the `Visual Studio 2019 or 2017` folder in the Start Menu.
 
-2. Set OpenEnclave_DIR to the cmake directory in the Open Enclave SDK installation.
+2. Set `OpenEnclave_DIR` to the cmake directory in the Open Enclave SDK installation.
 
-As an example, if the Open Enclave SDK is installed to `C:\openenclave`, then you would set OpenEnclave_DIR as shown below
+As an example, if the Open Enclave SDK is installed to `C:\openenclave`, then you would set `OpenEnclave_DIR` as shown below
 
 ```cmd
 set OpenEnclave_DIR=C:\openenclave\lib\openenclave\cmake

From c19831c1c01083fabebdaba9ea72766d4446a748 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Fri, 4 Oct 2019 16:17:00 -0700
Subject: [PATCH 148/420] Add copy_oedebugrt_target

---
 cmake/copy_oedebugrt_target.cmake             | 32 +++++++++++++++++++
 samples/data-sealing/host/CMakeLists.txt      |  5 +++
 samples/local_attestation/host/CMakeLists.txt |  5 +++
 .../remote_attestation/host/CMakeLists.txt    |  5 +++
 samples/switchless/host/CMakeLists.txt        |  5 +++
 5 files changed, 52 insertions(+)
 create mode 100644 cmake/copy_oedebugrt_target.cmake

diff --git a/cmake/copy_oedebugrt_target.cmake b/cmake/copy_oedebugrt_target.cmake
new file mode 100644
index 0000000000..c978054bc5
--- /dev/null
+++ b/cmake/copy_oedebugrt_target.cmake
@@ -0,0 +1,32 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+## This function adds a CMake target for oedebugrt.dll. This allows the caller to add a dependency on oedebugrt.dll so
+## that it will be copied to the output folder along with the target taking the dependency.
+##
+## TARGET_NAME: Name of the target to add for oe_debugrt. This should be unique for each caller.
+##
+
+function(copy_oedebugrt_target TARGET_NAME)
+
+    if (UNIX)
+        message(WARNING "copy_oedebugrt_target is only intended for WIN32 build environments. Check if this invocation is needed.")
+    endif ()
+
+    # Initialize the null list of dependencies for the target
+    set(DEPENDENCIES "")
+
+    # Add copy actions for the dependencies
+    add_custom_command(
+        OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/oedebugrt.dll
+        DEPENDS oe:oedebugrt
+        COMMAND ${CMAKE_COMMAND} -E copy oe:oedebugrt ${CMAKE_CURRENT_BINARY_DIR})
+
+    # Add the dependencies to the custom target list of dependencies
+    list(APPEND DEPENDENCIES
+        ${CMAKE_CURRENT_BINARY_DIR}/oedebugrt.dll)
+
+    # Always create the requested target, which may have an empty dependency list
+    add_custom_target(${TARGET_NAME} DEPENDS ${DEPENDENCIES})
+
+endfunction( copy_oedebugrt_target )
diff --git a/samples/data-sealing/host/CMakeLists.txt b/samples/data-sealing/host/CMakeLists.txt
index 9ddeb55004..7d52b90bc2 100644
--- a/samples/data-sealing/host/CMakeLists.txt
+++ b/samples/data-sealing/host/CMakeLists.txt
@@ -7,6 +7,11 @@ add_custom_command(OUTPUT datasealing_u.h datasealing_u.c datasealing_args.h
 
 add_executable(data-sealing_host host.cpp ${CMAKE_CURRENT_BINARY_DIR}/datasealing_u.c)
 
+if(WIN32)
+  copy_oedebugrt_target(data-sealing_host-oedebugrt)
+  add_dependencies(data-sealing_host data-sealing_host-oedebugrt)
+endif()
+
 target_include_directories(data-sealing_host PRIVATE
   ${CMAKE_CURRENT_SOURCE_DIR}/../ # For common/shared.h
   ${CMAKE_CURRENT_BINARY_DIR})
diff --git a/samples/local_attestation/host/CMakeLists.txt b/samples/local_attestation/host/CMakeLists.txt
index 1447a41467..4d39d473e6 100644
--- a/samples/local_attestation/host/CMakeLists.txt
+++ b/samples/local_attestation/host/CMakeLists.txt
@@ -7,6 +7,11 @@ add_custom_command(OUTPUT localattestation_u.h localattestation_u.c localattesta
 
 add_executable(local_attestation_host host.cpp ${CMAKE_CURRENT_BINARY_DIR}/localattestation_u.c)
 
+if(WIN32)
+  copy_oedebugrt_target(local_attestation_host_host_oedebugrt)
+  add_dependencies(local_attestation_host local_attestation_host_host_oedebugrt)
+endif()
+
 target_include_directories(local_attestation_host PRIVATE
   ${CMAKE_CURRENT_SOURCE_DIR}/../ # For common/shared.h
   ${CMAKE_CURRENT_BINARY_DIR})
diff --git a/samples/remote_attestation/host/CMakeLists.txt b/samples/remote_attestation/host/CMakeLists.txt
index af6b4018c7..a82c1a779f 100644
--- a/samples/remote_attestation/host/CMakeLists.txt
+++ b/samples/remote_attestation/host/CMakeLists.txt
@@ -12,6 +12,11 @@ target_include_directories(remote_attestation_host PRIVATE
 
 if(WIN32)
   add_dcap_client_target(remote_attestation_dcap_target)
+  add_dependencies(remote_attestation_host remote_attestation_dcap_target)
+  copy_oedebugrt_target(remote_attestation_oedebugrt_target)
+  add_dependencies(remote_attestation_host remote_attestation_oedebugrt_target)
+endif()
+
 endif()
 
 target_link_libraries(remote_attestation_host openenclave::oehostapp)
diff --git a/samples/switchless/host/CMakeLists.txt b/samples/switchless/host/CMakeLists.txt
index 407ad4c1e0..edc22432e8 100644
--- a/samples/switchless/host/CMakeLists.txt
+++ b/samples/switchless/host/CMakeLists.txt
@@ -7,6 +7,11 @@ add_custom_command(OUTPUT switchless_u.h switchless_u.c switchless_args.h
 
 add_executable(switchless_host host.c ${CMAKE_CURRENT_BINARY_DIR}/switchless_u.c)
 
+if(WIN32)
+  copy_oedebugrt_target(switchless_host_oedebugrt_target)
+  add_dependencies(switchless_host switchless_host_oedebugrt_target)
+endif()
+
 target_include_directories(switchless_host PRIVATE
   # Needed for the generated file switchless_u.h
   ${CMAKE_CURRENT_BINARY_DIR})

From 3976f9878a327c7c54236641c6b23c22b641d626 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Fri, 4 Oct 2019 16:20:28 -0700
Subject: [PATCH 149/420] Fix oedebugrt target names

---
 samples/data-sealing/host/CMakeLists.txt      | 4 ++--
 samples/file-encryptor/host/CMakeLists.txt    | 5 +++++
 samples/local_attestation/host/CMakeLists.txt | 4 ++--
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/samples/data-sealing/host/CMakeLists.txt b/samples/data-sealing/host/CMakeLists.txt
index 7d52b90bc2..e2518e35f9 100644
--- a/samples/data-sealing/host/CMakeLists.txt
+++ b/samples/data-sealing/host/CMakeLists.txt
@@ -8,8 +8,8 @@ add_custom_command(OUTPUT datasealing_u.h datasealing_u.c datasealing_args.h
 add_executable(data-sealing_host host.cpp ${CMAKE_CURRENT_BINARY_DIR}/datasealing_u.c)
 
 if(WIN32)
-  copy_oedebugrt_target(data-sealing_host-oedebugrt)
-  add_dependencies(data-sealing_host data-sealing_host-oedebugrt)
+  copy_oedebugrt_target(data-sealing_host_oedebugrt)
+  add_dependencies(data-sealing_host data-sealing_host_oedebugrt)
 endif()
 
 target_include_directories(data-sealing_host PRIVATE
diff --git a/samples/file-encryptor/host/CMakeLists.txt b/samples/file-encryptor/host/CMakeLists.txt
index 177ccd1921..d9e9c966fe 100644
--- a/samples/file-encryptor/host/CMakeLists.txt
+++ b/samples/file-encryptor/host/CMakeLists.txt
@@ -7,6 +7,11 @@ add_custom_command(OUTPUT fileencryptor_u.h fileencryptor_u.c fileencryptor_args
 
 add_executable(file-encryptor_host host.cpp ${CMAKE_CURRENT_BINARY_DIR}/fileencryptor_u.c)
 
+if(WIN32)
+  copy_oedebugrt_target(file-encryptor_host_oedebugrt)
+  add_dependencies(file-encryptor_host file-encryptor_host_oedebugrt)
+endif()
+
 target_include_directories(file-encryptor_host PRIVATE
   ${CMAKE_CURRENT_SOURCE_DIR} # Needed for #include "../shared.h"
   ${CMAKE_CURRENT_BINARY_DIR})
diff --git a/samples/local_attestation/host/CMakeLists.txt b/samples/local_attestation/host/CMakeLists.txt
index 4d39d473e6..7d665f640a 100644
--- a/samples/local_attestation/host/CMakeLists.txt
+++ b/samples/local_attestation/host/CMakeLists.txt
@@ -8,8 +8,8 @@ add_custom_command(OUTPUT localattestation_u.h localattestation_u.c localattesta
 add_executable(local_attestation_host host.cpp ${CMAKE_CURRENT_BINARY_DIR}/localattestation_u.c)
 
 if(WIN32)
-  copy_oedebugrt_target(local_attestation_host_host_oedebugrt)
-  add_dependencies(local_attestation_host local_attestation_host_host_oedebugrt)
+  copy_oedebugrt_target(local_attestation_host_oedebugrt)
+  add_dependencies(local_attestation_host local_attestation_host_oedebugrt)
 endif()
 
 target_include_directories(local_attestation_host PRIVATE

From 64282a95270c135e1f5254c50c4dc64b06302269 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Fri, 4 Oct 2019 16:23:14 -0700
Subject: [PATCH 150/420] Fix cmake module

---
 cmake/copy_oedebugrt_target.cmake | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/cmake/copy_oedebugrt_target.cmake b/cmake/copy_oedebugrt_target.cmake
index c978054bc5..ca9a6a6605 100644
--- a/cmake/copy_oedebugrt_target.cmake
+++ b/cmake/copy_oedebugrt_target.cmake
@@ -1,8 +1,10 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-## This function adds a CMake target for oedebugrt.dll. This allows the caller to add a dependency on oedebugrt.dll so
+## This function adds a CMake target for oedebugrt.dll. This allows the caller to :add a dependency on oedebugrt.dll so
 ## that it will be copied to the output folder along with the target taking the dependency.
+## When the host executable is launched under windbg, if edebugrt.dll is present in the same path as the host executable,
+## it gets automatically loaded into the debugger. This enables windbg to debug enclave applications.
 ##
 ## TARGET_NAME: Name of the target to add for oe_debugrt. This should be unique for each caller.
 ##
@@ -13,20 +15,16 @@ function(copy_oedebugrt_target TARGET_NAME)
         message(WARNING "copy_oedebugrt_target is only intended for WIN32 build environments. Check if this invocation is needed.")
     endif ()
 
-    # Initialize the null list of dependencies for the target
-    set(DEPENDENCIES "")
-
+    get_property(oedebugrtlocation TARGET openenclave::oedebugrt PROPERTY LOCATION)
     # Add copy actions for the dependencies
     add_custom_command(
         OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/oedebugrt.dll
-        DEPENDS oe:oedebugrt
-        COMMAND ${CMAKE_COMMAND} -E copy oe:oedebugrt ${CMAKE_CURRENT_BINARY_DIR})
+        DEPENDS ${oedebugrtlocation}
+        COMMENT FOOBARBAZ
+        COMMAND ${CMAKE_COMMAND} -E copy ${oedebugrtlocation} ${CMAKE_CURRENT_BINARY_DIR})
 
-    # Add the dependencies to the custom target list of dependencies
-    list(APPEND DEPENDENCIES
-        ${CMAKE_CURRENT_BINARY_DIR}/oedebugrt.dll)
 
     # Always create the requested target, which may have an empty dependency list
-    add_custom_target(${TARGET_NAME} DEPENDS ${DEPENDENCIES})
+    add_custom_target(${TARGET_NAME} DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/oedebugrt.dll)
 
-endfunction( copy_oedebugrt_target )
+endfunction( copy_oedebugrt_target )
\ No newline at end of file

From dd060d6316c8307e2b9fd3294dbbb931d094abd2 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Fri, 4 Oct 2019 16:24:05 -0700
Subject: [PATCH 151/420] Fix oe debugrt.dll location name

---
 cmake/copy_oedebugrt_target.cmake | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cmake/copy_oedebugrt_target.cmake b/cmake/copy_oedebugrt_target.cmake
index ca9a6a6605..29a3be367f 100644
--- a/cmake/copy_oedebugrt_target.cmake
+++ b/cmake/copy_oedebugrt_target.cmake
@@ -15,13 +15,13 @@ function(copy_oedebugrt_target TARGET_NAME)
         message(WARNING "copy_oedebugrt_target is only intended for WIN32 build environments. Check if this invocation is needed.")
     endif ()
 
-    get_property(oedebugrtlocation TARGET openenclave::oedebugrt PROPERTY LOCATION)
+    get_property(OEDEBUGRTLOCATION TARGET openenclave::oedebugrt PROPERTY LOCATION)
     # Add copy actions for the dependencies
     add_custom_command(
         OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/oedebugrt.dll
-        DEPENDS ${oedebugrtlocation}
+        DEPENDS ${OEDEBUGRTLOCATION}
         COMMENT FOOBARBAZ
-        COMMAND ${CMAKE_COMMAND} -E copy ${oedebugrtlocation} ${CMAKE_CURRENT_BINARY_DIR})
+        COMMAND ${CMAKE_COMMAND} -E copy ${OEDEBUGRTLOCATION} ${CMAKE_CURRENT_BINARY_DIR})
 
 
     # Always create the requested target, which may have an empty dependency list

From 46a166a52049c389a336edba9c14935ed4bf1934 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Fri, 4 Oct 2019 16:25:06 -0700
Subject: [PATCH 152/420] Fix oe debugrt.dll location name

---
 cmake/copy_oedebugrt_target.cmake | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmake/copy_oedebugrt_target.cmake b/cmake/copy_oedebugrt_target.cmake
index 29a3be367f..109f46b151 100644
--- a/cmake/copy_oedebugrt_target.cmake
+++ b/cmake/copy_oedebugrt_target.cmake
@@ -27,4 +27,4 @@ function(copy_oedebugrt_target TARGET_NAME)
     # Always create the requested target, which may have an empty dependency list
     add_custom_target(${TARGET_NAME} DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/oedebugrt.dll)
 
-endfunction( copy_oedebugrt_target )
\ No newline at end of file
+endfunction( copy_oedebugrt_target )

From d01a56ddbfe371c403491ed0dcba57ebe6d49695 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Fri, 4 Oct 2019 16:29:32 -0700
Subject: [PATCH 153/420] Revert host.c

---
 samples/switchless/host/host.c | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/samples/switchless/host/host.c b/samples/switchless/host/host.c
index eb6bc491de..df8e657748 100644
--- a/samples/switchless/host/host.c
+++ b/samples/switchless/host/host.c
@@ -68,21 +68,16 @@ int main(int argc, const char* argv[])
         fprintf(stderr, "oe_create_enclave(): result=%u", result);
 
     double start, end;
-#ifdef (_linux_)
     struct timespec current_time;
     clock_gettime(CLOCK_REALTIME, &current_time);
     start =
         current_time.tv_sec * 1000000 + (double)current_time.tv_nsec / 1000.0;
-#else
-
 
     // Call into the enclave
     result = enclave_add_N_switchless(enclave, &m, n);
 
-#ifdef (_linux_)
     clock_gettime(CLOCK_REALTIME, &current_time);
     end = current_time.tv_sec * 1000000 + (double)current_time.tv_nsec / 1000.0;
-#endif
 
     if (result != OE_OK)
     {
@@ -99,20 +94,16 @@ int main(int argc, const char* argv[])
         m,
         (int)(end - start) / 1000);
 
-#ifdef (_linux_)
     clock_gettime(CLOCK_REALTIME, &current_time);
     start =
         current_time.tv_sec * 1000000 + (double)current_time.tv_nsec / 1000.0;
-#endif
 
     // Call into the enclave
     m = oldm;
     result = enclave_add_N_regular(enclave, &m, n);
 
-#ifdef (_linux_)
     clock_gettime(CLOCK_REALTIME, &current_time);
     end = current_time.tv_sec * 1000000 + (double)current_time.tv_nsec / 1000.0;
-#endif
 
     if (result != OE_OK)
     {

From b03ab7da756607150af0f7e8f1aca65f7708244a Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Fri, 4 Oct 2019 16:44:28 -0700
Subject: [PATCH 154/420] Move using_oe_sdk to Linux_using_oe_sdk, split out
 APIs and lib docs from using_oe_sdk.md

---
 docs/GettingStartedDocs/APIs_and_Libs.md      | 23 ++++++++++++++++++
 .../Contributors/LinuxInstallInfo.md          |  2 +-
 .../Contributors/building_oe_sdk.md           |  6 ++---
 ...{using_oe_sdk.md => Linux_using_oe_sdk.md} | 24 ++-----------------
 .../Windows_using_oe_sdk.md                   | 24 ++-----------------
 .../install_oe_sdk-Ubuntu_16.04.md            |  2 +-
 .../install_oe_sdk-Ubuntu_18.04.md            |  2 +-
 samples/helloworld/README.md                  |  2 +-
 8 files changed, 34 insertions(+), 51 deletions(-)
 create mode 100644 docs/GettingStartedDocs/APIs_and_Libs.md
 rename docs/GettingStartedDocs/{using_oe_sdk.md => Linux_using_oe_sdk.md} (74%)

diff --git a/docs/GettingStartedDocs/APIs_and_Libs.md b/docs/GettingStartedDocs/APIs_and_Libs.md
new file mode 100644
index 0000000000..6d041fb218
--- /dev/null
+++ b/docs/GettingStartedDocs/APIs_and_Libs.md
@@ -0,0 +1,23 @@
+# API reference and supported libraries
+
+One of the security principles of writing enclave applications is to minimize the
+Trusted Computing Base (TCB) of the enclave code. A consequence of this is that
+while the host application has full access to the range of libraries and API
+available to all normal mode applications, the enclave is restricted to a much
+more constrained set as described below:
+
+## [Open Enclave API](https://openenclave.github.io/openenclave/api/index.html)
+
+The Doxygen documentation of the API exposed by Open Enclave SDK to both enclave and host.
+
+## [Libc support](/docs/LibcSupport.md)
+
+The subset of libc functionality provided by oelibc for use inside an enclave.
+
+## [Libcxx support](/docs/LibcxxSupport.md)
+
+The subset of libcxx functionality provided by oelibcxx for use inside an enclave.
+
+## [mbedtls library](/docs/MbedtlsSupport.md)
+
+The subset of [mbedtls](https://tls.mbed.org/) functionality for use inside an enclave.
\ No newline at end of file
diff --git a/docs/GettingStartedDocs/Contributors/LinuxInstallInfo.md b/docs/GettingStartedDocs/Contributors/LinuxInstallInfo.md
index e2910e77c5..35a1f0c2f6 100644
--- a/docs/GettingStartedDocs/Contributors/LinuxInstallInfo.md
+++ b/docs/GettingStartedDocs/Contributors/LinuxInstallInfo.md
@@ -16,7 +16,7 @@ cmake -G Ninja  -DCMAKE_INSTALL_PREFIX=~/openenclave-install ..
 ninja
 ```
 
-This would install the [resulting SDK layout](/docs/GettingStartedDocs/using_oe_sdk.md#open-enclave-sdk-layout)
+This would install the [resulting SDK layout](/docs/GettingStartedDocs/Linux_using_oe_sdk.md#open-enclave-sdk-layout)
 under `~/openenclave-install` instead of the default `/opt/openenclave`.
 
 Optional Advanced Install
diff --git a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
index 358570d9d0..1a73857618 100644
--- a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
+++ b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
@@ -53,7 +53,7 @@ On Windows:
 ## Samples
 
 ### On Linux
-Assuming you install the SDK as below (also described in the [basic install section](InstallInfo.md#basic-install-on-linux))
+Assuming you install the SDK as below (also described in the [basic install section](LinuxInstallInfo.md#basic-install-on-linux))
 
 ```bash
 cmake -DCMAKE_INSTALL_PREFIX=~/openenclave ..
@@ -65,6 +65,7 @@ Open Enclave samples can be found in ~/openenclave/share/openenclave/samples
 See [Open Enclave samples](/samples/README_Linux.md) for details.
 
 ### On Windows
+
 Assuming you install the SDK as below (also described in the [basic install section](WindowsInstallInfo.md#basic-install-on-windows))
 
 ```bash
@@ -77,5 +78,4 @@ See [Open Enclave samples](/samples/README_Windows.md) for details.
 
 ## Using the Open Enclave SDK
 
-Additional information such as the [API References](/docs/GettingStartedDocs/using_oe_sdk.md#api-references)
-can be found in the [documentation on using the Open Enclave SDK](/docs/GettingStartedDocs/using_oe_sdk.md).
+Additional information such as the API Reference and supported libs can be found [here](/docs/GettingStartedDocs/APIs_and_Libs.md).
diff --git a/docs/GettingStartedDocs/using_oe_sdk.md b/docs/GettingStartedDocs/Linux_using_oe_sdk.md
similarity index 74%
rename from docs/GettingStartedDocs/using_oe_sdk.md
rename to docs/GettingStartedDocs/Linux_using_oe_sdk.md
index 94e2567d43..e2db5c8c5b 100644
--- a/docs/GettingStartedDocs/using_oe_sdk.md
+++ b/docs/GettingStartedDocs/Linux_using_oe_sdk.md
@@ -46,26 +46,6 @@ Additional documentation is also available for:
 - [Building and signing enclaves](/docs/GettingStartedDocs/buildandsign.md)
 - [Debugging enclave memory](/docs/GettingStartedDocs/Debugging.md)
 
-## API references
+## APIs and supported libraries
 
-One of the security principles of writing enclave applications is to minimize the
-Trusted Computing Base (TCB) of the enclave code. A consequence of this is that
-while the host application has full access to the range of libraries and API
-available to all normal mode applications, the enclave is restricted to a much
-more constrained set as described below:
-
-#### [Open Enclave API](https://openenclave.github.io/openenclave/api/index.html)
-
-The Doxygen documentation of the API exposed by Open Enclave SDK to both enclave and host.
-
-#### [Libc support](/docs/LibcSupport.md)
-
-The subset of libc functionality provided by oelibc for use inside an enclave.
-
-#### [Libcxx support](/docs/LibcxxSupport.md)
-
-The subset of libcxx functionality provided by oelibcxx for use inside an enclave.
-
-#### [mbedtls library](/docs/MbedtlsSupport.md)
-
-The subset of [mbedtls](https://tls.mbed.org/) functionality for use inside an enclave.
+Please look [here](/docs/GettingStartedDocs/APIs_and_Libs.md).
diff --git a/docs/GettingStartedDocs/Windows_using_oe_sdk.md b/docs/GettingStartedDocs/Windows_using_oe_sdk.md
index 59de9698ba..5b250dcad0 100644
--- a/docs/GettingStartedDocs/Windows_using_oe_sdk.md
+++ b/docs/GettingStartedDocs/Windows_using_oe_sdk.md
@@ -42,26 +42,6 @@ Additional documentation is also available for:
 - [Building and signing enclaves](/docs/GettingStartedDocs/buildandsign.md)
 - [Debugging enclave memory](/docs/GettingStartedDocs/Debugging.md)
 
-## API references
+## APIs and supported libraries
 
-One of the security principles of writing enclave applications is to minimize the
-Trusted Computing Base (TCB) of the enclave code. A consequence of this is that
-while the host application has full access to the range of libraries and API
-available to all normal mode applications, the enclave is restricted to a much
-more constrained set as described below:
-
-#### [Open Enclave API](https://openenclave.github.io/openenclave/api/index.html)
-
-The Doxygen documentation of the API exposed by Open Enclave SDK to both enclave and host.
-
-#### [Libc support](/docs/LibcSupport.md)
-
-The subset of libc functionality provided by oelibc for use inside an enclave.
-
-#### [Libcxx support](/docs/LibcxxSupport.md)
-
-The subset of libcxx functionality provided by oelibcxx for use inside an enclave.
-
-#### [mbedtls library](/docs/MbedtlsSupport.md)
-
-The subset of [mbedtls](https://tls.mbed.org/) functionality for use inside an enclave.
+Please look [here](/docs/GettingStartedDocs/APIs_and_Libs.md).
diff --git a/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_16.04.md b/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_16.04.md
index 2c26397ac8..2c98286465 100644
--- a/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_16.04.md
+++ b/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_16.04.md
@@ -52,4 +52,4 @@ If you wish to make use of the Open Enclave CMake package, please install CMake
 
 ### 4. Verify the Open Enclave SDK install
 
-See [Using the Open Enclave SDK](using_oe_sdk.md) for verifying and using the installed SDK.
+See [Using the Open Enclave SDK](Linux_using_oe_sdk.md) for verifying and using the installed SDK.
diff --git a/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_18.04.md b/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_18.04.md
index a2a1771889..f0c9a373dc 100644
--- a/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_18.04.md
+++ b/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_18.04.md
@@ -53,4 +53,4 @@ If you wish to make use of the Open Enclave CMake package, please install CMake
 
 ### 4. Verify the Open Enclave SDK install
 
-See [Using the Open Enclave SDK](using_oe_sdk.md) for verifying and using the installed SDK.
+See [Using the Open Enclave SDK](Linux_using_oe_sdk.md) for verifying and using the installed SDK.
diff --git a/samples/helloworld/README.md b/samples/helloworld/README.md
index 259cac97da..61695ceeec 100644
--- a/samples/helloworld/README.md
+++ b/samples/helloworld/README.md
@@ -166,7 +166,7 @@ Each line will now be described in turn.
 #include <stdio.h>
 ```
 
-An enclave library will be loaded into and run inside a host application which is a user-mode process. To keep the [trusted computing base](https://en.wikipedia.org/wiki/Trusted_computing_base) small, the decision was made to make only a specific set of APIs available to an enclave library. A complete list of APIs available to an enclave library can be found [here](https://github.com/openenclave/openenclave/tree/master/docs/GettingStartedDocs/using_oe_sdk.md#api-references)
+An enclave library will be loaded into and run inside a host application which is a user-mode process. To keep the [trusted computing base](https://en.wikipedia.org/wiki/Trusted_computing_base) small, the decision was made to make only a specific set of APIs available to an enclave library. A complete list of APIs available to an enclave library can be found [here](https://github.com/openenclave/openenclave/tree/master/docs/GettingStartedDocs/APIs_and_Libs.md)
 
 The `stdio.h` header file is included in this sample because we are calling the CRT function `fprintf` to print a message on the screen. However this function has a dependency on the kernel to print a message on the screen so this code cannot execute within the enclave itself. Instead this function marshals the call through to the host to carry out the call on the enclaves behalf. Only a subset of the CRT is made available through this open enclave library.
 

From fa73850c5c210ae534b2d81951fd9dfb4186ef79 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Fri, 4 Oct 2019 16:54:10 -0700
Subject: [PATCH 155/420] Add samples information to the Linux side of things

---
 docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md | 4 ++++
 .../Contributors/WindowsSGX1GettingStarted.md                 | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md
index e6d1cc7b66..c2346abf79 100644
--- a/docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/SGX1FLCGettingStarted.md
@@ -102,3 +102,7 @@ For more information refer to the [Advanced Test Info](AdvancedTestInfo.md) docu
 ## Install
 
 Follow the instructions in the [Install Info](LinuxInstallInfo.md) document to install the Open Enclave SDK built above.
+
+## Build and run samples
+
+To build and run the samples, please look [here](/samples/README_Linux.md).
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
index 8cbbb65f41..fe50aa007a 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -115,7 +115,7 @@ ninja install
 
 This installs the SDK in `C:\openenclave`.
 
-### Build and run samples
+## Build and run samples
 
 To build and run the samples, please look [here](/samples/README_Windows.md).
 

From b9296efebbaa5b68d7b686df67f9b9563973095e Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Fri, 4 Oct 2019 16:54:35 -0700
Subject: [PATCH 156/420] Add samples information to the Linux side of things

---
 .../Contributors/SimulatorGettingStarted.md                   | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md b/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md
index c084b9ac98..4e1223ffbb 100644
--- a/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md
@@ -107,3 +107,7 @@ For more information refer to the [Advanced Test Info](AdvancedTestInfo.md) docu
 ## Install
 
  Follow the instructions in the [Install Info](LinuxInstallInfo.md) document to install the Open Enclave SDK built above.
+
+## Build and run samples
+
+To build and run the samples, please look [here](/samples/README_Linux.md).

From 9a6848414d5d3c497992e105ff9b574143c10d49 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Fri, 4 Oct 2019 17:54:02 -0700
Subject: [PATCH 157/420] Fix CMakeLists.txt

---
 samples/CMakeLists.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/samples/CMakeLists.txt b/samples/CMakeLists.txt
index 6101fd858e..ce3555197e 100644
--- a/samples/CMakeLists.txt
+++ b/samples/CMakeLists.txt
@@ -13,6 +13,7 @@ if (USE_LIBSGX)
           PATTERN "gen_pubkey_header.sh"
           PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ
           GROUP_EXECUTE GROUP_READ WORLD_EXECUTE WORLD_READ)
+  endif()
 endif ()
 
 install(DIRECTORY helloworld file-encryptor data-sealing switchless

From e1a047182357595d4a6de27ad778ff23626f27f1 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Fri, 4 Oct 2019 19:37:49 -0700
Subject: [PATCH 158/420] Remove endif

---
 samples/remote_attestation/host/CMakeLists.txt | 2 --
 1 file changed, 2 deletions(-)

diff --git a/samples/remote_attestation/host/CMakeLists.txt b/samples/remote_attestation/host/CMakeLists.txt
index a82c1a779f..8bcc5edcf5 100644
--- a/samples/remote_attestation/host/CMakeLists.txt
+++ b/samples/remote_attestation/host/CMakeLists.txt
@@ -17,6 +17,4 @@ if(WIN32)
   add_dependencies(remote_attestation_host remote_attestation_oedebugrt_target)
 endif()
 
-endif()
-
 target_link_libraries(remote_attestation_host openenclave::oehostapp)

From a688cc55655fe4426b2fb10fb9ca54851a988752 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Fri, 4 Oct 2019 19:52:45 -0700
Subject: [PATCH 159/420] Fix samples test

---
 cmake/openenclave-config.cmake.in      | 1 +
 samples/helloworld/host/CMakeLists.txt | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/cmake/openenclave-config.cmake.in b/cmake/openenclave-config.cmake.in
index 02d3d84907..44ef796003 100644
--- a/cmake/openenclave-config.cmake.in
+++ b/cmake/openenclave-config.cmake.in
@@ -125,6 +125,7 @@ endif ()
 include("${CMAKE_CURRENT_LIST_DIR}/openenclave-targets.cmake")
 if (WIN32)
   include("${CMAKE_CURRENT_LIST_DIR}/add_dcap_client_target.cmake")
+  include("${CMAKE_CURRENT_LIST_DIR}/copy_oedebugrt_target.cmake")
   include("${CMAKE_CURRENT_LIST_DIR}/maybe_build_using_clangw.cmake")
 endif ()
 target_link_libraries(openenclave::oehost INTERFACE openenclave::sgx_enclave_common openenclave::sgx_dcap_ql)
diff --git a/samples/helloworld/host/CMakeLists.txt b/samples/helloworld/host/CMakeLists.txt
index 613c169fda..af1065c22d 100644
--- a/samples/helloworld/host/CMakeLists.txt
+++ b/samples/helloworld/host/CMakeLists.txt
@@ -6,6 +6,11 @@ add_custom_command(OUTPUT helloworld_u.h helloworld_u.c helloworld_args.h
 
 add_executable(helloworld_host host.c ${CMAKE_CURRENT_BINARY_DIR}/helloworld_u.c)
 
+if(WIN32)
+  copy_oedebugrt_target(helloworld_host_oedebugrt)
+  add_dependencies(helloworld_host helloworld_host_oedebugrt)
+endif()
+
 target_include_directories(helloworld_host PRIVATE
   # Needed for the generated file helloworld_u.h
   ${CMAKE_CURRENT_BINARY_DIR})

From 75c41a66e7ec4bbfdd19cc0a3380c396d493d95d Mon Sep 17 00:00:00 2001
From: radhikaj <radhikaj@microsoft.com>
Date: Sat, 5 Oct 2019 03:11:14 +0000
Subject: [PATCH 160/420] Add copy_oedebugrt_target to install location

---
 CMakeLists.txt | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index a91f8c808b..28f232d7c0 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -236,6 +236,8 @@ if (WIN32)
     DESTINATION ${CMAKE_INSTALL_LIBDIR}/openenclave/cmake)
   install(FILES ./cmake/add_dcap_client_target.cmake
     DESTINATION ${CMAKE_INSTALL_LIBDIR}/openenclave/cmake)
+  install(FILES ./cmake/copy_oedebugrt_target.cmake
+    DESTINATION ${CMAKE_INSTALL_LIBDIR}/openenclave/cmake)
 endif ()
 
 

From 1e0d28f85e8e7af93f1ccd5b720ef5cc7f83e64e Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Mon, 7 Oct 2019 10:41:55 +0100
Subject: [PATCH 161/420] initialize const var with constant

---
 host/traceh.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/host/traceh.c b/host/traceh.c
index e6fce5da50..80dd11668b 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -27,7 +27,7 @@ static const char* _log_escape = NULL;
 static bool _log_creation_failed_before = false;
 static const size_t MAX_ESCAPED_CHAR_LEN = 5; // e.g. u2605
 static const size_t MAX_ESCAPED_MSG_MULTIPLIER =
-    sizeof("\\\\") + MAX_ESCAPED_CHAR_LEN;
+    7; // MAX_ESCAPED_CHAR_LEN + sizeof("\\\\")
 oe_log_level_t _log_level = OE_LOG_LEVEL_ERROR;
 static bool _initialized = false;
 

From 3e4d2d7dec618e3ffd71a5ff8be162b5ca85f551 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Mon, 7 Oct 2019 11:25:16 +0100
Subject: [PATCH 162/420] using strtok_s when not in linux

---
 host/traceh.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/host/traceh.c b/host/traceh.c
index 80dd11668b..20a8398b14 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -317,11 +317,17 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
             else
             {
                 char* message_cursor = NULL;
+#if defined(__linux__)
                 char* log_msg = strtok_r((char*)message, "[", &message_cursor);
                 char* file_name = strtok_r(NULL, ":", &message_cursor);
                 char* function = strtok_r(NULL, ":", &message_cursor);
                 char* line_number = strtok_r(NULL, "]", &message_cursor);
-
+#else
+                char* log_msg = strtok_s((char*)message, "[", &message_cursor);
+                char* file_name = strtok_s(NULL, ":", &message_cursor);
+                char* function = strtok_s(NULL, ":", &message_cursor);
+                char* line_number = strtok_s(NULL, "]", &message_cursor);
+#endif
                 if (!log_msg || !file_name || !function || !line_number)
                 {
                     _write_message_to_stream(

From 1be48722af55f430f8222741fac442d25deb7f5f Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Mon, 7 Oct 2019 11:35:03 +0100
Subject: [PATCH 163/420] remove unused include

---
 tests/logging/main.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tests/logging/main.c b/tests/logging/main.c
index 30c13070ea..34a101e0fe 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -12,7 +12,6 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <unistd.h>
 #include "../host/traceh.c"
 
 void test_line_format(const char* line)

From a834636d109bb8b992195ad3b1a97eb2e9ae1f97 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Mon, 7 Oct 2019 11:53:29 +0100
Subject: [PATCH 164/420] use define instead of static const for array size
 constants

---
 host/traceh.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/host/traceh.c b/host/traceh.c
index 20a8398b14..6d7e57b002 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -16,6 +16,8 @@
 #include "hostthread.h"
 
 #define LOGGING_FORMAT_STRING "%s.%06ldZ [(%s)%s] tid(0x%lx) | %s"
+#define MAX_ESCAPED_CHAR_LEN 5       // e.g. u2605
+#define MAX_ESCAPED_MSG_MULTIPLIER 7 // MAX_ESCAPED_CHAR_LEN + sizeof("\\\\")
 
 static char* _log_level_strings[OE_LOG_LEVEL_MAX] =
     {"NONE", "FATAL", "ERROR", "WARN", "INFO", "VERBOSE"};
@@ -25,9 +27,6 @@ static const char* _custom_log_format = NULL;
 static const char* _log_all_streams = NULL;
 static const char* _log_escape = NULL;
 static bool _log_creation_failed_before = false;
-static const size_t MAX_ESCAPED_CHAR_LEN = 5; // e.g. u2605
-static const size_t MAX_ESCAPED_MSG_MULTIPLIER =
-    7; // MAX_ESCAPED_CHAR_LEN + sizeof("\\\\")
 oe_log_level_t _log_level = OE_LOG_LEVEL_ERROR;
 static bool _initialized = false;
 

From 475bd20357bebf21f2b9e66dbd5f81c75d54b81f Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Mon, 7 Oct 2019 12:08:29 +0100
Subject: [PATCH 165/420] define size of array at compile time for logging test

---
 tests/logging/main.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/tests/logging/main.c b/tests/logging/main.c
index 34a101e0fe..2f407d7e38 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -25,9 +25,12 @@ void test_line_format(const char* line)
     OE_TEST(strstr(line, "number") != NULL);
 }
 
-void test_escaped_msg(const char* msg, const char* expected, bool expect_ok)
+void test_escaped_msg(
+    const char* msg,
+    size_t msg_size,
+    const char* expected,
+    bool expect_ok)
 {
-    size_t msg_size = strlen(msg);
     char msg_escaped[MAX_ESCAPED_MSG_MULTIPLIER * msg_size + 1];
     bool ok = _escape_characters(
         msg,
@@ -80,29 +83,29 @@ int TestEscapedCharacters()
     {
         char msg[] = "Hey";
         char expected[] = "Hey";
-        test_escaped_msg(msg, expected, true);
+        test_escaped_msg(msg, 3, expected, true);
     }
     {
         char msg[] = "\u2605";
-        test_escaped_msg(msg, "", false);
+        test_escaped_msg(msg, 3, "", false);
     }
     {
         char msg[] = "\200";
-        test_escaped_msg(msg, "", false);
+        test_escaped_msg(msg, 2, "", false);
     }
     {
         char msg[] = "\037";
         char expected[] = "\\\\u001f";
-        test_escaped_msg(msg, expected, true);
+        test_escaped_msg(msg, 1, expected, true);
     }
     {
         char msg[] = "\u2605\u0024";
-        test_escaped_msg(msg, "", false);
+        test_escaped_msg(msg, 4, "", false);
     }
     {
         char msg[] = "\\\\\\\\";
         char expected[] = "\\\\\\\\\\\\\\\\";
-        test_escaped_msg(msg, expected, true);
+        test_escaped_msg(msg, 4, expected, true);
     }
     printf("=== passed TestEscapedCharachters()\n");
     return 0;

From 3c97d48ef08a9868b6bee61ba42b3af52c7b8f98 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Mon, 7 Oct 2019 12:50:13 +0100
Subject: [PATCH 166/420] use malloc in test

---
 tests/logging/main.c | 30 +++++++++++++-----------------
 1 file changed, 13 insertions(+), 17 deletions(-)

diff --git a/tests/logging/main.c b/tests/logging/main.c
index 2f407d7e38..a7044a75a7 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -25,24 +25,20 @@ void test_line_format(const char* line)
     OE_TEST(strstr(line, "number") != NULL);
 }
 
-void test_escaped_msg(
-    const char* msg,
-    size_t msg_size,
-    const char* expected,
-    bool expect_ok)
+void test_escaped_msg(const char* msg, const char* expected, bool expect_ok)
 {
-    char msg_escaped[MAX_ESCAPED_MSG_MULTIPLIER * msg_size + 1];
-    bool ok = _escape_characters(
-        msg,
-        msg_escaped,
-        msg_size,
-        (MAX_ESCAPED_MSG_MULTIPLIER * msg_size + 1));
+    size_t msg_size = strlen(msg);
+    size_t max_msg_size = MAX_ESCAPED_MSG_MULTIPLIER * msg_size + 1;
+    char* msg_escaped = malloc(max_msg_size);
+    bool ok = _escape_characters(msg, msg_escaped, msg_size, max_msg_size);
     if (!expect_ok)
     {
+        free(msg_escaped);
         OE_TEST(!ok);
         return;
     }
     OE_TEST(strcmp(msg_escaped, expected) == 0);
+    free(msg_escaped);
 }
 
 int TestLoggingFormat(const char* path)
@@ -83,29 +79,29 @@ int TestEscapedCharacters()
     {
         char msg[] = "Hey";
         char expected[] = "Hey";
-        test_escaped_msg(msg, 3, expected, true);
+        test_escaped_msg(msg, expected, true);
     }
     {
         char msg[] = "\u2605";
-        test_escaped_msg(msg, 3, "", false);
+        test_escaped_msg(msg, "", false);
     }
     {
         char msg[] = "\200";
-        test_escaped_msg(msg, 2, "", false);
+        test_escaped_msg(msg, "", false);
     }
     {
         char msg[] = "\037";
         char expected[] = "\\\\u001f";
-        test_escaped_msg(msg, 1, expected, true);
+        test_escaped_msg(msg, expected, true);
     }
     {
         char msg[] = "\u2605\u0024";
-        test_escaped_msg(msg, 4, "", false);
+        test_escaped_msg(msg, "", false);
     }
     {
         char msg[] = "\\\\\\\\";
         char expected[] = "\\\\\\\\\\\\\\\\";
-        test_escaped_msg(msg, 4, expected, true);
+        test_escaped_msg(msg, expected, true);
     }
     printf("=== passed TestEscapedCharachters()\n");
     return 0;

From 11a74694a7d28ebf9435dcccdb224ff7681e7ea8 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Mon, 7 Oct 2019 13:00:22 +0100
Subject: [PATCH 167/420] only test character escaping in test

---
 tests/logging/CMakeLists.txt |  2 +-
 tests/logging/main.c         | 67 +-----------------------------------
 2 files changed, 2 insertions(+), 67 deletions(-)

diff --git a/tests/logging/CMakeLists.txt b/tests/logging/CMakeLists.txt
index 13a73bc95e..7a8ca897e0 100644
--- a/tests/logging/CMakeLists.txt
+++ b/tests/logging/CMakeLists.txt
@@ -4,4 +4,4 @@
 add_executable(logging main.c)
 target_link_libraries(logging oehost)
 
-add_test(NAME tests/logging COMMAND logging ${CMAKE_CURRENT_BINARY_DIR}/out.log WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
+add_test(NAME tests/logging COMMAND logging WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
diff --git a/tests/logging/main.c b/tests/logging/main.c
index a7044a75a7..ba82d4e983 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -8,23 +8,8 @@
     }
 
 #include <openenclave/internal/tests.h>
-#include <openenclave/internal/trace.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
 #include "../host/traceh.c"
 
-void test_line_format(const char* line)
-{
-    OE_TEST(strstr(line, "e_ts") != NULL);
-    OE_TEST(strstr(line, "level") != NULL);
-    OE_TEST(strstr(line, "tid") != NULL);
-    OE_TEST(strstr(line, "msg") != NULL);
-    OE_TEST(strstr(line, "file") != NULL);
-    OE_TEST(strstr(line, "func") != NULL);
-    OE_TEST(strstr(line, "number") != NULL);
-}
-
 void test_escaped_msg(const char* msg, const char* expected, bool expect_ok)
 {
     size_t msg_size = strlen(msg);
@@ -41,39 +26,6 @@ void test_escaped_msg(const char* msg, const char* expected, bool expect_ok)
     free(msg_escaped);
 }
 
-int TestLoggingFormat(const char* path)
-{
-    OE_TRACE_ERROR("Hey");
-    OE_TRACE_ERROR("Hello 'world'!");
-    OE_TRACE_ERROR("Hello \"world\"!");
-    OE_TRACE_ERROR("/ \\/ \' \a \\a \b \\b \e \\e \f \\f \n \\n \r \\r \t \\t "
-                   "\v \\v \? \\?");
-    OE_TRACE_ERROR("\\u005C \u0024 \u0040 @");
-    OE_TRACE_ERROR("\\\\\\\\");
-    OE_TRACE_ERROR("\u2605");
-    OE_TRACE_ERROR("\01");
-    OE_TRACE_ERROR("\037");
-    OE_TRACE_ERROR("\024");
-    OE_TRACE_ERROR("\200");
-    OE_TRACE_ERROR("\u2605\u0024");
-    FILE* log_file = fopen(path, "r");
-    char* line = NULL;
-    size_t len = 0;
-    if (log_file == NULL)
-    {
-        fprintf(stderr, "Failed to OPEN logfile %s\n", "out.log");
-        return 1;
-    }
-
-    while (getline(&line, &len, log_file) != -1)
-    {
-        test_line_format(line);
-    }
-    fclose(log_file);
-    printf("=== passed TestLoggingFormat()\n");
-    return 0;
-}
-
 int TestEscapedCharacters()
 {
     {
@@ -107,25 +59,8 @@ int TestEscapedCharacters()
     return 0;
 }
 
-int main(int argc, const char* argv[])
+int main()
 {
-    if (argc != 2)
-    {
-        fprintf(stderr, "Usage: %s LOG_FILE_PATH\n", argv[0]);
-        return 1;
-    }
-
-    const char* path = argv[1];
-    OE_TEST(setenv("OE_LOG_DEVICE", path, true) == 0);
-    OE_TEST(
-        setenv(
-            "OE_LOG_FORMAT",
-            "{\"e_ts\":\"%s.%06ldZ\",\"level\":\"(%s)%s\",\"tid\":\"tid(0x%lx)"
-            "\",\"msg\":\"%s\",\"file\":\"%s\",\"func\":\"%s\",\"number\":\"%"
-            "s\"}\n",
-            true) == 0);
-    OE_TEST(setenv("OE_LOG_JSON_ESCAPE", "true", true) == 0);
     TestEscapedCharacters();
-    TestLoggingFormat(path);
     return 0;
 }

From 2fcb2bfbc85c4be0d1e9ab85ff308b1bba40b42a Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Mon, 7 Oct 2019 13:09:20 +0100
Subject: [PATCH 168/420] revert defines into static consts again

---
 host/traceh.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/host/traceh.c b/host/traceh.c
index 6d7e57b002..d8288f8891 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -16,8 +16,6 @@
 #include "hostthread.h"
 
 #define LOGGING_FORMAT_STRING "%s.%06ldZ [(%s)%s] tid(0x%lx) | %s"
-#define MAX_ESCAPED_CHAR_LEN 5       // e.g. u2605
-#define MAX_ESCAPED_MSG_MULTIPLIER 7 // MAX_ESCAPED_CHAR_LEN + sizeof("\\\\")
 
 static char* _log_level_strings[OE_LOG_LEVEL_MAX] =
     {"NONE", "FATAL", "ERROR", "WARN", "INFO", "VERBOSE"};
@@ -26,6 +24,9 @@ static const char* _log_file_name = NULL;
 static const char* _custom_log_format = NULL;
 static const char* _log_all_streams = NULL;
 static const char* _log_escape = NULL;
+static const size_t MAX_ESCAPED_CHAR_LEN = 5; // e.g. u2605
+static const size_t MAX_ESCAPED_MSG_MULTIPLIER =
+    7; // MAX_ESCAPED_CHAR_LEN + sizeof("\\\\")
 static bool _log_creation_failed_before = false;
 oe_log_level_t _log_level = OE_LOG_LEVEL_ERROR;
 static bool _initialized = false;

From c5f7d32326bb29fe367a70511085f9553ebc9f6a Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Mon, 7 Oct 2019 15:32:42 +0100
Subject: [PATCH 169/420] remove isprint and replace with ascii range checking

---
 host/traceh.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/host/traceh.c b/host/traceh.c
index d8288f8891..66857ff59e 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -1,7 +1,6 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-#include <ctype.h>
 #include <openenclave/internal/calls.h>
 #include <openenclave/internal/raise.h>
 #include <openenclave/internal/trace.h>
@@ -104,7 +103,7 @@ static bool _escape_characters(
     size_t idx = 0;
     for (size_t i = 0; i < msg_size; i++)
     {
-        int c = log_msg[i];
+        uint8_t c = (uint8_t)log_msg[i];
         if (log_msg[i] == '\"')
         {
             // single quotes are OK for JSON
@@ -116,7 +115,7 @@ static bool _escape_characters(
             idx++;
             log_msg_escaped[idx] = '\\';
         }
-        else if (!isprint(c))
+        else if (c <= 31 || c > 126 /* non printable ASCII values */)
         {
             log_msg_escaped[idx] = '\\';
             idx++;
@@ -140,7 +139,7 @@ static bool _escape_characters(
                     log_msg_escaped[idx] = 't';
                     break;
                 default:
-                    if ((uint8_t)log_msg[i] > 127 /* max ASCII value */)
+                    if (c > 126 /* max ASCII value that we can escape*/)
                     {
                         return false;
                     }

From 0ddef5ee3fc08b564b9f3da54a311180b0486b25 Mon Sep 17 00:00:00 2001
From: Michael Huang <tehsiu.huang@gmail.com>
Date: Mon, 7 Oct 2019 17:12:43 +0000
Subject: [PATCH 170/420] reformat the code

---
 host/sgx/linux/sgxquoteproviderloader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/host/sgx/linux/sgxquoteproviderloader.c b/host/sgx/linux/sgxquoteproviderloader.c
index 18e9029fa3..a17074135e 100644
--- a/host/sgx/linux/sgxquoteproviderloader.c
+++ b/host/sgx/linux/sgxquoteproviderloader.c
@@ -74,7 +74,7 @@ void oe_load_quote_provider()
         else
         {
             OE_TRACE_ERROR(
-		"sgxquoteprovider: libdcap_quoteprov.so %s\n", dlerror());	    
+                "sgxquoteprovider: libdcap_quoteprov.so %s\n", dlerror());
         }
     }
 }

From f8729bc9959a30cd8b55896cf9ac0190cd4b4581 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 8 Oct 2019 10:28:59 +0100
Subject: [PATCH 171/420] print error information on logging test failure

---
 host/traceh.c        |  1 +
 tests/logging/main.c | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/host/traceh.c b/host/traceh.c
index 66857ff59e..da2aec2a32 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -141,6 +141,7 @@ static bool _escape_characters(
                 default:
                     if (c > 126 /* max ASCII value that we can escape*/)
                     {
+                        log_msg_escaped[idx] = '\0';
                         return false;
                     }
                     sprintf(
diff --git a/tests/logging/main.c b/tests/logging/main.c
index ba82d4e983..f66417823e 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -7,6 +7,7 @@
         }                                      \
     }
 
+#include <openenclave/internal/error.h>
 #include <openenclave/internal/tests.h>
 #include "../host/traceh.c"
 
@@ -16,10 +17,20 @@ void test_escaped_msg(const char* msg, const char* expected, bool expect_ok)
     size_t max_msg_size = MAX_ESCAPED_MSG_MULTIPLIER * msg_size + 1;
     char* msg_escaped = malloc(max_msg_size);
     bool ok = _escape_characters(msg, msg_escaped, msg_size, max_msg_size);
-    if (!expect_ok)
+    if (!ok || !expect_ok)
     {
+        if (ok != expect_ok)
+        {
+            oe_put_err(
+                "Expected escape result \"%s\" does not match actual escape "
+                "result \"%s\". Original log: %s | escaped log: %s",
+                expect_ok ? "true" : "false",
+                ok ? "true" : "false",
+                msg,
+                msg_escaped);
+        }
         free(msg_escaped);
-        OE_TEST(!ok);
+        OE_TEST(!ok && !expect_ok);
         return;
     }
     OE_TEST(strcmp(msg_escaped, expected) == 0);

From 80e105abf1215e405d5fcea3c91e52ba186d9c53 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 8 Oct 2019 15:06:05 +0100
Subject: [PATCH 172/420] test escaping depending on platform

---
 tests/logging/main.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/tests/logging/main.c b/tests/logging/main.c
index f66417823e..eacdc770ad 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -46,11 +46,21 @@ int TestEscapedCharacters()
     }
     {
         char msg[] = "\u2605";
+#if defined(__linux__)
         test_escaped_msg(msg, "", false);
+#else
+        char expected[] = "?";
+        test_escaped_msg(msg, expected, true);
+#endif
     }
     {
         char msg[] = "\200";
+#if defined(__linux__)
         test_escaped_msg(msg, "", false);
+#else
+        char expected[] = "?";
+        test_escaped_msg(msg, expected, true);
+#endif
     }
     {
         char msg[] = "\037";
@@ -59,7 +69,12 @@ int TestEscapedCharacters()
     }
     {
         char msg[] = "\u2605\u0024";
+#if defined(__linux__)
         test_escaped_msg(msg, "", false);
+#else
+        char expected = "?$";
+        test_escaped_msg(msg, escaped, true);
+#endif
     }
     {
         char msg[] = "\\\\\\\\";

From 9bc12b4e97f22fc44a897dbe6318bbad67d5c929 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 8 Oct 2019 15:12:45 +0100
Subject: [PATCH 173/420] fix typo

---
 tests/logging/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/logging/main.c b/tests/logging/main.c
index eacdc770ad..379b8b822e 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -72,7 +72,7 @@ int TestEscapedCharacters()
 #if defined(__linux__)
         test_escaped_msg(msg, "", false);
 #else
-        char expected = "?$";
+        char expected[] = "?$";
         test_escaped_msg(msg, escaped, true);
 #endif
     }

From 25dff534113a532d18f4a6dd6b31213f44134966 Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 8 Oct 2019 15:19:43 +0100
Subject: [PATCH 174/420] fix typo

---
 tests/logging/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/logging/main.c b/tests/logging/main.c
index 379b8b822e..f46bd7120b 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -73,7 +73,7 @@ int TestEscapedCharacters()
         test_escaped_msg(msg, "", false);
 #else
         char expected[] = "?$";
-        test_escaped_msg(msg, escaped, true);
+        test_escaped_msg(msg, expected, true);
 #endif
     }
     {

From e7e1f5c662b66f3b039014f483d42918ae34246b Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 8 Oct 2019 15:32:01 +0100
Subject: [PATCH 175/420] try to fix escaping on windows

---
 tests/logging/main.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/tests/logging/main.c b/tests/logging/main.c
index f46bd7120b..2013c05ed2 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -69,12 +69,7 @@ int TestEscapedCharacters()
     }
     {
         char msg[] = "\u2605\u0024";
-#if defined(__linux__)
         test_escaped_msg(msg, "", false);
-#else
-        char expected[] = "?$";
-        test_escaped_msg(msg, expected, true);
-#endif
     }
     {
         char msg[] = "\\\\\\\\";

From 2de3627a41fd16d9bb478bd2bad64d18d1772aae Mon Sep 17 00:00:00 2001
From: Olga Vrousgou <olgavrou@gmail.com>
Date: Tue, 8 Oct 2019 15:44:27 +0100
Subject: [PATCH 176/420] try to fix escaping on windows

---
 tests/logging/main.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/tests/logging/main.c b/tests/logging/main.c
index 2013c05ed2..63e01c3c62 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -53,14 +53,11 @@ int TestEscapedCharacters()
         test_escaped_msg(msg, expected, true);
 #endif
     }
+
+#if defined(__linux__)
     {
         char msg[] = "\200";
-#if defined(__linux__)
         test_escaped_msg(msg, "", false);
-#else
-        char expected[] = "?";
-        test_escaped_msg(msg, expected, true);
-#endif
     }
     {
         char msg[] = "\037";
@@ -71,6 +68,7 @@ int TestEscapedCharacters()
         char msg[] = "\u2605\u0024";
         test_escaped_msg(msg, "", false);
     }
+#endif
     {
         char msg[] = "\\\\\\\\";
         char expected[] = "\\\\\\\\\\\\\\\\";

From c705ef23aa6031ef642dab52e84aa4e3c3fb2f95 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Tue, 8 Oct 2019 15:38:53 +0000
Subject: [PATCH 177/420] Add nuget and hostverify packages to
 Packaging.Jenkinsfile.

---
 .jenkins/Packaging.Jenkinsfile | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/.jenkins/Packaging.Jenkinsfile b/.jenkins/Packaging.Jenkinsfile
index 0ab68f8e77..fec6b3e380 100644
--- a/.jenkins/Packaging.Jenkinsfile
+++ b/.jenkins/Packaging.Jenkinsfile
@@ -14,7 +14,8 @@ def packageUpload(String version, String build_type) {
                            cmake ${WORKSPACE} -DCMAKE_BUILD_TYPE=${build_type} -DCMAKE_INSTALL_PREFIX:PATH='/opt/openenclave' -DCPACK_GENERATOR=DEB
                            make
                            ctest --output-on-failure --timeout ${CTEST_TIMEOUT_SECONDS}
-                           make package
+                           cpack
+                           cpack -D CPACK_DEB_COMPONENT_INSTALL=ON -DCPACK_COMPONENTS_ALL=OEHOSTVERIFY
                            """
                 oe.Run("clang-7", task)
                 azureUpload(storageCredentialId: 'oe_jenkins_storage_account', filesPath: 'build/*.deb', storageType: 'blobstorage', virtualPath: "master/${BUILD_NUMBER}/ubuntu/${version}/${build_type}/SGX1FLC/", containerName: 'oejenkins')
@@ -26,17 +27,22 @@ def packageUpload(String version, String build_type) {
 
 def WindowsUpload() {
     stage('Windows Release') {
-        node('SGXFLC-Windows') {
+        node('SGXFLC-Windows-DCAP') {
             timeout(GLOBAL_TIMEOUT_MINUTES) {
                 cleanWs()
                 checkout scm
                 dir('build') {
-                    bat """vcvars64.bat x64 && \
-                           cmake.exe ${WORKSPACE} -G \"Visual Studio 15 2017 Win64\" && \
-                           msbuild tools\\oeedger8r\\oeedger8r_target.vcxproj -p:Configuration=Release"""
+                    bat """
+                        vcvars64.bat x64 && \
+                        cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=RELEASE -DBUILD_ENCLAVES=ON -DUSE_LIBSGX=ON -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -DCPACK_GENERATOR=NuGet -Wdev && \
+                        ninja.exe && \
+                        ctest.exe -V -C RELEASE --timeout ${CTEST_TIMEOUT_SECONDS} && \
+                        cpack && \
+                        cpack -D CPACK_NUGET_COMPONENT_INSTALL=ON -DCPACK_COMPONENTS_ALL=OEHOSTVERIFY
+                        """
                 }
-                azureUpload(storageCredentialId: 'oe_jenkins_storage_account', filesPath: 'build/tools/oeedger8r/oeedger8r.exe', storageType: 'blobstorage', virtualPath: "master/${BUILD_NUMBER}/windows/", containerName: 'oejenkins')
-                azureUpload(storageCredentialId: 'oe_jenkins_storage_account', filesPath: 'build/tools/oeedger8r/oeedger8r.exe', storageType: 'blobstorage', virtualPath: "master/latest/windows/", containerName: 'oejenkins')
+                azureUpload(storageCredentialId: 'oe_jenkins_storage_account', filesPath: 'build/*.nupkg', storageType: 'blobstorage', virtualPath: "master/${BUILD_NUMBER}/windows/", containerName: 'oejenkins')
+                azureUpload(storageCredentialId: 'oe_jenkins_storage_account', filesPath: 'build/*.nupkg', storageType: 'blobstorage', virtualPath: "master/latest/windows/", containerName: 'oejenkins')
             }
         }
     }

From a39476e5de854317a1a74ec3c08257a00c1625d5 Mon Sep 17 00:00:00 2001
From: Simon Leet <31784195+CodeMonkeyLeet@users.noreply.github.com>
Date: Tue, 8 Oct 2019 09:53:10 -0700
Subject: [PATCH 178/420] Merge pull request from GHSA-mg2p-657r-46cj

* Fix size-and-allocate OCALLs

- Enclave functions that make two OCALLs to size and allocate enclave buffers which are then returned to host can leak enclave heap information if the enclave is provided a larger size than necessary, then copies the larger size out to host.
- Functions that do this now require that the initial size matches the written data size before information based on that buffer size are copied back to host.

* Update SECURITY.md
---
 SECURITY.md                  |  6 +++---
 enclave/core/sgx/backtrace.c |  5 ++++-
 enclave/core/sgx/report.c    | 30 +++++++++++++++++++-----------
 3 files changed, 26 insertions(+), 15 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index 661046e76f..3fadf0d133 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -12,9 +12,9 @@ supported versions of Open Enclave:
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 0.6.x   | :white_check_mark: |
-| 0.6.0   | :white_check_mark: |
-| < 0.6   | :x:                |
+| 0.7.x   | :white_check_mark: |
+| 0.7.0   | :white_check_mark: |
+| < 0.7   | :x:                |
 
 ## Reporting a Vulnerability
 
diff --git a/enclave/core/sgx/backtrace.c b/enclave/core/sgx/backtrace.c
index 61aa9e3f4c..698f7b68bf 100644
--- a/enclave/core/sgx/backtrace.c
+++ b/enclave/core/sgx/backtrace.c
@@ -141,8 +141,11 @@ char** oe_backtrace_symbols(void* const* buffer, int size)
             goto done;
         }
 
-        if ((oe_result_t)retval != OE_OK)
+        if ((oe_result_t)retval != OE_OK ||
+            symbols_buffer_size_out != symbols_buffer_size)
+        {
             goto done;
+        }
     }
     else if ((oe_result_t)retval != OE_OK)
     {
diff --git a/enclave/core/sgx/report.c b/enclave/core/sgx/report.c
index b9c7c10467..2a2558f7aa 100644
--- a/enclave/core/sgx/report.c
+++ b/enclave/core/sgx/report.c
@@ -302,9 +302,10 @@ oe_result_t oe_get_report_v2(
     uint8_t** report_buffer,
     size_t* report_buffer_size)
 {
-    oe_result_t result;
+    oe_result_t result = OE_UNEXPECTED;
     uint8_t* tmp_buffer = NULL;
     size_t tmp_buffer_size = 0;
+    size_t out_buffer_size = 0;
 
     if ((report_buffer == NULL) || (report_buffer_size == NULL))
     {
@@ -324,7 +325,8 @@ oe_result_t oe_get_report_v2(
         &tmp_buffer_size);
     if (result != OE_BUFFER_TOO_SMALL)
     {
-        return result;
+        result = (result == OE_OK) ? OE_UNEXPECTED : result;
+        OE_RAISE(result);
     }
 
     tmp_buffer = oe_calloc(1, tmp_buffer_size);
@@ -333,24 +335,30 @@ oe_result_t oe_get_report_v2(
         return OE_OUT_OF_MEMORY;
     }
 
-    result = _oe_get_report_internal(
+    out_buffer_size = tmp_buffer_size;
+    OE_CHECK(_oe_get_report_internal(
         flags,
         report_data,
         report_data_size,
         opt_params,
         opt_params_size,
         tmp_buffer,
-        &tmp_buffer_size);
-    if (result != OE_OK)
-    {
-        oe_free(tmp_buffer);
-        return result;
-    }
+        &out_buffer_size));
+
+    if (out_buffer_size != tmp_buffer_size)
+        OE_RAISE(OE_UNEXPECTED);
 
-    *report_buffer = tmp_buffer;
     *report_buffer_size = tmp_buffer_size;
+    *report_buffer = tmp_buffer;
+    tmp_buffer = NULL;
+
+    result = OE_OK;
 
-    return OE_OK;
+done:
+    if (tmp_buffer)
+        oe_free(tmp_buffer);
+
+    return result;
 }
 
 void oe_free_report(uint8_t* report_buffer)

From 232f7f1db0f0191812a32ae1152aa61efb871472 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Tue, 8 Oct 2019 13:18:49 -0700
Subject: [PATCH 179/420] Remove Windows 10 as a supported OS

---
 docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md   | 4 ++++
 .../Contributors/WindowsManualInstallPrereqs.md              | 3 +--
 .../Contributors/WindowsManualSGX1Prereqs.md                 | 2 +-
 .../Contributors/WindowsSGX1FLCGettingStarted.md             | 5 ++---
 .../Contributors/WindowsSGX1GettingStarted.md                | 5 ++---
 samples/README_Linux.md                                      | 2 +-
 6 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
index 64a35c4894..9772683a6f 100644
--- a/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
@@ -93,3 +93,7 @@ For more information refer to the [Advanced Test Info](AdvancedTestInfo.md) docu
 ## Install
 
  Follow the instructions in the [Install Info](LinuxInstallInfo.md) document to install the Open Enclave SDK built above.
+
+## Build and run samples
+
+To build and run the samples, please look [here](/samples/README_Linux.md).
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
index 609b53a633..d67bc24a9c 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
@@ -6,8 +6,7 @@
  Note: To check if your system has support for SGX1 with or without FLC, please look [here](../SGXSupportLevel.md).
  
 - A version of Windows OS with native support for SGX features:
-   - For server: Windows Server 2016
-   - For client: Windows 10 64-bit version 1709 or newer
+   - Windows Server 2016
    - To check your Windows version, run `winver` on the command line.
 
 ## Software prerequisites
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
index e9fb083fef..4e8fe107ae 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
@@ -2,7 +2,7 @@
 
 ## Intel SGX Platform Software for Windows (PSW) v2.2
 
-The PSW should be installed automatically on Windows 10 version 1709 or newer, or on a Windows Server 2016 image for an Azure ConfidentialCompute VM. You can verify that is the case on the command line as follows:
+The PSW should be installed automatically on a Windows Server 2016 image for an Azure ConfidentialCompute VM. You can verify that is the case on the command line as follows:
 
 ```cmd
 sc query aesmservice
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index 73ed32bb7c..0e8e756167 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -7,8 +7,7 @@ Intel® X86-64bit architecture with SGX1 and Flexible Launch Control (FLC) suppo
 Note: To check if your system has support for SGX1 with FLC, please look [here](../SGXSupportLevel.md).
 
 A version of Windows OS with native support for SGX features:
-- For server: Windows Server 2016
-- For client: Windows 10 64-bit version 1709 or newer
+- Windows Server 2016
 - To check your Windows version, run `winver` on the command line.
 
 ## Install Git and Clone the Open Enclave SDK repo
@@ -125,7 +124,7 @@ ninja install
 
 This installs the SDK in `C:\openenclave`.
 
-### Build and run samples
+## Build and run samples
 
 To build and run the samples, please look [here](/samples/README_Windows.md).
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
index fe50aa007a..7afc0051f3 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -8,7 +8,6 @@ Note: To check if your system has support for SGX1, please look [here](../SGXSup
 
 A version of Windows OS with native support for SGX features:
 - For server: Windows Server 2016
-- For client: Windows 10 64-bit version 1709 or newer
 - To check your Windows version, run `winver` on the command line.
 
 ## Install Git and Clone the Open Enclave SDK repo
@@ -35,14 +34,14 @@ To deploy all the prerequisities for building Open Enclave, you can run the foll
 
 ```powershell
 cd scripts
-.\install-windows-prereqs.ps1 -InstallPath C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages -LaunchConfiguration SGX1 -DCAPClientType None
+.\install-windows-prereqs.ps1 -InstallPath C:\path\to\where\you\would\like\to\install\intel_nuget_packages -LaunchConfiguration SGX1 -DCAPClientType None
 ```
 
 As an example, if you cloned Open Enclave SDK repo into `C:\openenclave`, you would run the following:
 
 ```powershell
 cd scripts
-.\install-windows-prereqs.ps1 -InstallPath C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages -LaunchConfiguration SGX1 -DCAPClientType None
+.\install-windows-prereqs.ps1 -InstallPath C:\path\to\where\you\would\like\to\install\intel_nuget_packages -LaunchConfiguration SGX1 -DCAPClientType None
 ```
 
 If you prefer to manually install prerequisites, please refer to this [document](WindowsManualInstallPrereqs.md).
diff --git a/samples/README_Linux.md b/samples/README_Linux.md
index 8422bbc13c..0850852136 100644
--- a/samples/README_Linux.md
+++ b/samples/README_Linux.md
@@ -1,6 +1,6 @@
 # Building Open Enclave SDK Samples on Linux
 
-All the samples that come with the Open Enclave SDK installation share similar directory structure and build instructions. The section contains general information on how to setup/build/sign/run all samples. It's important that you read information on this page before jumping into any individual sample.
+All the samples that come with the Open Enclave SDK installation share a similar directory structure and build instructions. This document describes how to setup, build, sign and run these samples.
 
 ## Common Sample information
 

From a1d19cddba5eafb0ab13045f99ada1f61c3c119d Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Tue, 8 Oct 2019 15:08:49 -0700
Subject: [PATCH 180/420] Address comments

---
 .../GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md | 2 +-
 .../Contributors/WindowsSGX1GettingStarted.md                   | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
index 4e8fe107ae..e1ae13f007 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
@@ -2,7 +2,7 @@
 
 ## Intel SGX Platform Software for Windows (PSW) v2.2
 
-The PSW should be installed automatically on a Windows Server 2016 image for an Azure ConfidentialCompute VM. You can verify that is the case on the command line as follows:
+The PSW should be installed automatically on a Windows Server 2016 image for an Azure Confidential Compute VM. You can verify that is the case on the command line as follows:
 
 ```cmd
 sc query aesmservice
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
index 7afc0051f3..43aa9bc380 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -8,7 +8,6 @@ Note: To check if your system has support for SGX1, please look [here](../SGXSup
 
 A version of Windows OS with native support for SGX features:
 - For server: Windows Server 2016
-- To check your Windows version, run `winver` on the command line.
 
 ## Install Git and Clone the Open Enclave SDK repo
 

From 22a6e05c70244f270e48b2ce4f35ed1b43de65a3 Mon Sep 17 00:00:00 2001
From: Xuejun Yang <xuejya@microsoft.com>
Date: Tue, 8 Oct 2019 22:43:13 +0000
Subject: [PATCH 181/420] Enable the switchless sample on Windows

---
 samples/switchless/enclave/CMakeLists.txt |  4 ++
 samples/switchless/host/host.c            | 47 +++++++++++++++++------
 samples/test-samples.cmake                |  5 +--
 3 files changed, 40 insertions(+), 16 deletions(-)

diff --git a/samples/switchless/enclave/CMakeLists.txt b/samples/switchless/enclave/CMakeLists.txt
index 2549868fef..90c8ab5b0f 100644
--- a/samples/switchless/enclave/CMakeLists.txt
+++ b/samples/switchless/enclave/CMakeLists.txt
@@ -8,6 +8,10 @@ add_custom_command(OUTPUT switchless_t.h switchless_t.c switchless_args.h
 
 add_executable(enclave enc.c ${CMAKE_CURRENT_BINARY_DIR}/switchless_t.c)
 
+if (WIN32)
+  maybe_build_using_clangw(enclave)
+endif ()
+
 target_compile_definitions(enclave PUBLIC OE_API_VERSION=2)
 
 # Need for the generated file switchless_t.h
diff --git a/samples/switchless/host/host.c b/samples/switchless/host/host.c
index df8e657748..d1e10abedc 100644
--- a/samples/switchless/host/host.c
+++ b/samples/switchless/host/host.c
@@ -7,6 +7,30 @@
 #include <time.h>
 #include "switchless_u.h"
 
+#if defined(__linux__)
+
+double get_relative_time_in_microseconds()
+{
+    struct timespec current_time;
+    clock_gettime(CLOCK_REALTIME, &current_time);
+    return (double)current_time.tv_sec * 1000000 +
+           (double)current_time.tv_nsec / 1000.0;
+}
+
+#elif defined(_WIN32)
+
+#include <Windows.h>
+
+static double frequency;
+double get_relative_time_in_microseconds()
+{
+    double current_time;
+    QueryPerformanceCounter(&current_time);
+    return current_time / frequency;
+}
+
+#endif
+
 void host_increment_switchless(int* n)
 {
     *n = *n + 1;
@@ -38,6 +62,8 @@ int main(int argc, const char* argv[])
     oe_result_t result;
     int ret = 1, m = 1000000, n = 1000000;
     int oldm = m;
+    double switchless_microseconds = 0;
+    double start, end;
 
     if (argc != 2 && argc != 3)
     {
@@ -45,6 +71,11 @@ int main(int argc, const char* argv[])
         return 1;
     }
 
+#if defined(_WIN32)
+    QueryPerformanceFrequency(&frequency);
+    frequency /= 1000000; // convert to microseconds
+#endif
+
     uint32_t flags = OE_ENCLAVE_FLAG_DEBUG;
     if (check_simulate_opt(&argc, argv))
     {
@@ -67,17 +98,12 @@ int main(int argc, const char* argv[])
              &enclave)) != OE_OK)
         fprintf(stderr, "oe_create_enclave(): result=%u", result);
 
-    double start, end;
-    struct timespec current_time;
-    clock_gettime(CLOCK_REALTIME, &current_time);
-    start =
-        current_time.tv_sec * 1000000 + (double)current_time.tv_nsec / 1000.0;
+    start = get_relative_time_in_microseconds();
 
     // Call into the enclave
     result = enclave_add_N_switchless(enclave, &m, n);
 
-    clock_gettime(CLOCK_REALTIME, &current_time);
-    end = current_time.tv_sec * 1000000 + (double)current_time.tv_nsec / 1000.0;
+    end = get_relative_time_in_microseconds();
 
     if (result != OE_OK)
     {
@@ -94,16 +120,13 @@ int main(int argc, const char* argv[])
         m,
         (int)(end - start) / 1000);
 
-    clock_gettime(CLOCK_REALTIME, &current_time);
-    start =
-        current_time.tv_sec * 1000000 + (double)current_time.tv_nsec / 1000.0;
+    start = get_relative_time_in_microseconds();
 
     // Call into the enclave
     m = oldm;
     result = enclave_add_N_regular(enclave, &m, n);
 
-    clock_gettime(CLOCK_REALTIME, &current_time);
-    end = current_time.tv_sec * 1000000 + (double)current_time.tv_nsec / 1000.0;
+    end = get_relative_time_in_microseconds();
 
     if (result != OE_OK)
     {
diff --git a/samples/test-samples.cmake b/samples/test-samples.cmake
index 7d87e5ea02..9e090bc5f0 100644
--- a/samples/test-samples.cmake
+++ b/samples/test-samples.cmake
@@ -7,7 +7,7 @@
 #     cmake -DUSE_LIBSGX=ON -DSOURCE_DIR=~/openenclave -DBUILD_DIR=~/openenclave/build -DPREFIX_DIR=/opt/openenclave -P ~/openenclave/samples/test-samples.cmake
 
 # These two samples can run in simulation, and therefore run in every configuration.
-set(SAMPLES_LIST helloworld file-encryptor)
+set(SAMPLES_LIST helloworld file-encryptor switchless)
 
 if ($ENV{OE_SIMULATION})
   message(WARNING "Running only sample simulation tests due to OE_SIMULATION=$ENV{OE_SIMULATION}!")
@@ -30,9 +30,6 @@ else ()
 	    list(APPEND SAMPLES_LIST attested_tls)
     endif ()
   endif ()
-  if (UNIX)
-    list(APPEND SAMPLES_LIST switchless)
-  endif ()
 endif ()
 
 if (WIN32)

From 18b71d565c96fe16c49e054014029eb748039fc0 Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Tue, 8 Oct 2019 17:23:44 +0000
Subject: [PATCH 182/420] Update CHANGELOG.md for v0.7.0-rc1

- Update features added for v0.7
- Add deprecation notice for mbedTLS options per #2038
- Add security fix information
---
 CHANGELOG.md | 43 +++++++++++++++++++++++++++++++++++++++----
 1 file changed, 39 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0df9803f56..2c05280e4d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,12 +10,44 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [Unreleased]
 ------------
 
+[v0.7.0-rc1] - 2019-10-08
+-------------------------
+
+### Added
+
+- Support Intel DCAP attestation on Windows.
+- Support enclave debugging on Windows with WinDBG/CDB.
+    - The new oedebugrt.dll binary needs to be copied to the app folder to enable this.
+- Support `transition_using_threads` EDL attribute in oeedger8r.
+    - This only applies to untrusted functions (ocalls) in this release.
+    - Using this attribute allows the ocall to be invoked without incurring the
+      performance cost of an enclave context switch.
+
 ### Changed
 
-- Transferred repository from [microsoft/openenclave](https://github.com/microsoft/openenclave) to [openenclave/openenclave](https://github.com/openenclave/openenclave).
-- Change debugging contract for oegdb. Enclaves and hosts built prior to this release cannot be debugged with this version of oegdb and vice versa.
+- Transferred repository from [microsoft/openenclave](https://github.com/microsoft/openenclave)
+  to [openenclave/openenclave](https://github.com/openenclave/openenclave).
+- Change debugging contract for oegdb. Enclaves and hosts built prior to this
+  release cannot be debugged with this version of oegdb and vice versa.
+- Update Intel DCAP library dependencies to 1.2.
+- Update Intel PSW dependencies to 2.6 on Linux and 2.4 on Windows.
 - Update LLVM libcxx to version 8.0.0.
-- Update mbedTLS to version 2.7.11.
+- Update mbedTLS to version 2.16.2.
+
+### Deprecated
+
+- The mbedTLS libraries used in Open Enclave will no longer be compiled with the
+  following config.h options in the next (v0.8) release:
+    - `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE`: Considerable advances
+      have been made in breaking SHA1 since our original review and we would
+      like to be more prescriptive in recommending the use of SHA256.
+    - `MBEDTLS_KEY_EXCHANGE_RSA_ENABLED`: This option provides no perfect
+      forward secrecy and is generally becoming less popular as this is
+      recognized. The ECDHE variants are also more performant.
+
+### Security
+
+- Fix enclave heap memory disclosure (CVE-2019-1369).
 
 [v0.6.0] - 2019-06-29
 ---------------------
@@ -36,7 +68,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
          should enable it themselves after assessing its startup impact.
 - Removed support for the previously deprecated `OE_API_VERSION=1` APIs.
 - Update MUSL libc to version 1.1.21.
-- Update mbedTLS to version 2.16.2.
+- Update mbedTLS to version 2.7.11.
 
 [v0.5.0] - 2019-04-09
 ---------------------
@@ -109,6 +141,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 - Check support for AVX in platform/OS before setting SECS.ATTRIBUTES.XFRM in enclave.
+
+### Security
+
 - Fix CVE-2019-0876
    - `_handle_sgx_get_report` will now write to the supplied argument if it lies in host memory.
    - Added check for missing null terminator in oeedger8r generated code.

From efe75044d215d43c2587ffd79a52074bf838368b Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Wed, 2 Oct 2019 02:16:47 +0000
Subject: [PATCH 183/420] Preserve Windows & Linux ABI expectations on ECALL

This changeset reconciles some of the ABI inconsistencies when calling from a
Windows host process into an Linux-based enclave. This includes:

- Initialize the MXCSR, RFLAGS and x87 FPU control word on ECALL to ensure that
  the enclave can expect the Linux x86_64 ABI-specified initial process state.

- Preserve the Windows x64 ABI-specified callee-preserved registers, x87 FPU,
  MMX, XMM and MXCSR states before each ECALL and restore them on return or
  OCALL.

- Update return_from_ecall to use r10 instead of callee-preserved rbx register
  as a temporary register.
---
 enclave/core/sgx/enter.S                     |  17 +++
 host/CMakeLists.txt                          |   1 +
 host/sgx/windows/enter.asm                   | 104 ++++++++++---------
 host/sgx/windows/host_context.asm            |  78 ++++++++++++++
 include/openenclave/internal/constants_x64.h |   6 ++
 5 files changed, 155 insertions(+), 51 deletions(-)
 create mode 100644 host/sgx/windows/host_context.asm

diff --git a/enclave/core/sgx/enter.S b/enclave/core/sgx/enter.S
index e071227db7..b130c34da6 100644
--- a/enclave/core/sgx/enter.S
+++ b/enclave/core/sgx/enter.S
@@ -119,6 +119,23 @@ oe_enter:
     mov %rsp, %rbp
 
 .call_function:
+    // Set the MXCSR according to the Linux x86_64 ABI
+    mov $ABI_MXCSR_INIT, %r10
+    push %r10
+    ldmxcsr (%rsp)
+    pop %r10
+
+    // Set the FPU Control Word according to the Linux x86_64 ABI
+    mov $ABI_FPUCW_INIT, %r10
+    push %r10
+    fldcw (%rsp)
+    pop %r10
+
+    // Initialize the RFLAGS prior to calling enclave functions
+    // This only clears the DF and state flag bits since
+    // the system flags and reserved bits are not writable here
+    push $0
+    popfq
 
     // Get the host stack pointer.
     mov %gs:td_host_rsp, %r8
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index b2c38e7101..cddef4271d 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -175,6 +175,7 @@ if (OE_SGX)
       sgx/windows/aesm.c
       sgx/windows/enter.asm
       sgx/windows/entersim.asm
+      sgx/windows/host_context.asm
       sgx/windows/exception.c
       sgx/windows/xstate.c)
   endif()
diff --git a/host/sgx/windows/enter.asm b/host/sgx/windows/enter.asm
index dff0dc25e4..2cb7881a62 100644
--- a/host/sgx/windows/enter.asm
+++ b/host/sgx/windows/enter.asm
@@ -4,6 +4,8 @@
 include ksamd64.inc
 
 extern __oe_dispatch_ocall:proc
+extern oe_save_host_context:proc
+extern oe_restore_host_context:proc
 
 ;;==============================================================================
 ;;
@@ -16,13 +18,14 @@ extern __oe_dispatch_ocall:proc
 ;;     [OUT] uint64_t* arg4,
 ;;     [OUT] oe_enclave_t* enclave);
 ;;
-;; Registers:
+;; Parameters passed on register and stack:
 ;;     RCX      - tcs: thread control structure (extended)
 ;;     RDX      - aep: asynchronous execution procedure
 ;;     R8       - arg1
 ;;     R9       - arg2
 ;;     [RBP+48] - arg3
 ;;     [RBP+56] - arg4
+;;     [RBP+64] - enclave
 ;;
 ;; These registers may be destroyed across function calls:
 ;;     RAX, RCX, RDX, R8, R9, R10, R11
@@ -33,7 +36,11 @@ extern __oe_dispatch_ocall:proc
 ;;==============================================================================
 
 ENCLU_EENTER    EQU 2
-PARAMS_SPACE    EQU 128
+
+ARG3_PARAM      EQU [rbp+48]
+ARG4_PARAM      EQU [rbp+56]
+ENCLAVE_PARAM   EQU [rbp+64]
+
 TCS             EQU [rbp-8]
 AEP             EQU [rbp-16]
 ARG1            EQU [rbp-24]
@@ -44,13 +51,21 @@ ENCLAVE         EQU [rbp-56]
 ARG1OUT         EQU [rbp-64]
 ARG2OUT         EQU [rbp-72]
 STACKPTR        EQU [rbp-80]
-MXCSR           EQU [rbp-88]
+HOST_CONTEXT    EQU [rbp-88]
+
+;; Reserve parameter space based on:
+;; + 88 bytes for 11*8-byte parameters TCS to HOST_CONTEXT
+;; HOST_CONTEXT points to the start of the context data consisting of:
+;; + 64 bytes for 8*8-byte callee-preserved registers
+;; + 512-byte OE_CONTEXT_FLOAT memory image used in fxsave/fxrstor
+;; + 8 bytes so that the stack remains 16-byte aligned.
+PARAMS_SPACE    EQU 672
 
 NESTED_ENTRY oe_enter, _TEXT$00
     END_PROLOGUE
 
     ;; Setup stack frame:
-    push rbp
+    push rbp ;; Stack is 16-byte aligned at this point
     mov rbp, rsp
 
     ;; Save parameters on stack for later reference:
@@ -58,38 +73,31 @@ NESTED_ENTRY oe_enter, _TEXT$00
     ;;     AEP  := [RBP-16] <- RDX
     ;;     ARG1 := [RBP-24] <- R8
     ;;     ARG2 := [RBP-32] <- R9
-    ;;     ARG3 := [RBP-40] <- [RBP+48]
-    ;;     ARG4 := [RBP-48] <- [RBP+56]
-    ;;     ENCLAVE := [RBP-56] <- [RBP+64]
-    ;;     MXCSR := [RBP-88]
+    ;;     ARG3 := [RBP-40] <- ARG3_PARAM := [RBP+48]
+    ;;     ARG4 := [RBP-48] <- ARG4_PARAM := [RBP+56]
+    ;;     ENCLAVE := [RBP-56] <- ENCLAVE_PARAM := [RBP+64]
+    ;;     HOST_CONTEXT := [RBP-88]
     sub rsp, PARAMS_SPACE
     mov TCS, rcx
     mov AEP, rdx
     mov ARG1, r8
     mov ARG2, r9
-    mov rax, [rbp+48]
+    mov rax, ARG3_PARAM
     mov ARG3, rax
-    mov rax, [rbp+56]
+    mov rax, ARG4_PARAM
     mov ARG4, rax
-    mov rax, [rbp+64]
+    mov rax, ENCLAVE_PARAM
     mov ENCLAVE, rax
 
-    ;;Save the current context
-
-    ;;Save the SSE status and control flags
-    stmxcsr MXCSR
-	
-    ;; Save registers:
-    push rbx
-    push rdi
-    push rsi
-    push r12
-    push r13
-    push r14
-    push r15
+    ;; Set the save location for the host context on the host stack
+    mov HOST_CONTEXT, rsp
 
 execute_eenter:
-	
+
+    ;; Save the current host context
+    mov rcx, HOST_CONTEXT
+    call oe_save_host_context
+
     ;; Save the stack pointer so enclave can use the stack.
     mov STACKPTR, rsp
 
@@ -103,10 +111,11 @@ execute_eenter:
 
     mov ARG1OUT, rdi
     mov ARG2OUT, rsi
-	
-    ;; Restore the saved MXCSR
-    ldmxcsr MXCSR
-	
+
+    ;; Restore the saved host context
+    mov rcx, HOST_CONTEXT
+    call oe_restore_host_context
+
 dispatch_ocall:
     ;; RAX = __oe_dispatch_ocall(
     ;;     RCX=arg1
@@ -115,7 +124,10 @@ dispatch_ocall:
     ;;     R9=arg2_out
     ;;     [RSP+32]=TCS,
     ;;     [RSP+40]=ENCLAVE);
-    sub rsp, 56
+    ;;
+    ;; Stack should already be 16-byte aligned, so only need
+    ;; shadow space (32 bytes) plus stack params size (16 bytes)
+    sub rsp, 48
     mov rcx, ARG1OUT
     mov rdx, ARG2OUT
     lea r8, qword ptr ARG1OUT
@@ -125,9 +137,9 @@ dispatch_ocall:
     mov rax, qword ptr ENCLAVE
     mov qword ptr [rsp+40], rax
     call __oe_dispatch_ocall ;; RAX contains return value
-    add rsp, 56
+    add rsp, 48
 
-    ;; Restore the stack pointer:
+    ;; Restore the stack pointer
     mov rsp, STACKPTR
 
     ;; If this was not an OCALL, then return from ECALL.
@@ -149,29 +161,19 @@ return_from_ecall:
     lfence
 
     ;; Set ARG3 (out)
-    mov rbx, ARG1OUT
-    mov rax, qword ptr [rbp+48]
-    mov qword ptr [rax], rbx
+    mov r10, ARG1OUT
+    mov rax, qword ptr ARG3_PARAM
+    mov qword ptr [rax], r10
 
     ;; Set ARG4 (out)
-    mov rbx, ARG2OUT
-    mov rax, qword ptr [rbp+56]
-    mov qword ptr [rax], rbx
-
-    ;; Restore registers:
-    pop r15
-    pop r14
-    pop r13
-    pop r12
-    pop rsi
-    pop rdi
-    pop rbx
-
+    mov r10, ARG2OUT
+    mov rax, qword ptr ARG4_PARAM
+    mov qword ptr [rax], r10
 
-    ;; Return parameters space:
-    add rsp, PARAMS_SPACE
+    ;; Return parameters space and restore the stack pointer
+    mov rsp, rbp
 
-    ;; Restore stack frame:
+    ;; Restore stack frame
     pop rbp
 
     BEGIN_EPILOGUE
diff --git a/host/sgx/windows/host_context.asm b/host/sgx/windows/host_context.asm
new file mode 100644
index 0000000000..d0aff41691
--- /dev/null
+++ b/host/sgx/windows/host_context.asm
@@ -0,0 +1,78 @@
+;; Copyright (c) Microsoft Corporation. All rights reserved.
+;; Licensed under the MIT License.
+
+OE_CONTEXT_FLAGS    EQU 00
+OE_CONTEXT_RBX      EQU 08
+OE_CONTEXT_RDI      EQU 16
+OE_CONTEXT_RSI      EQU 24
+OE_CONTEXT_R12      EQU 32
+OE_CONTEXT_R13      EQU 40
+OE_CONTEXT_R14      EQU 48
+OE_CONTEXT_R15      EQU 56
+OE_CONTEXT_FLOAT    EQU 64
+
+.CODE
+
+PUBLIC oe_save_host_context
+oe_save_host_context PROC
+    ;; Subroutine prologue
+    push rbp
+    mov rbp, rsp
+
+    ;; Save the flags to stack.
+    pushf
+    mov rax, [rsp]
+    mov [rcx+OE_CONTEXT_FLAGS], rax
+    popf
+
+    ;; Save general registers.
+    mov [rcx+OE_CONTEXT_RBX], rbx
+    mov [rcx+OE_CONTEXT_RDI], rdi
+    mov [rcx+OE_CONTEXT_RSI], rsi
+    mov [rcx+OE_CONTEXT_R12], r12
+    mov [rcx+OE_CONTEXT_R13], r13
+    mov [rcx+OE_CONTEXT_R14], r14
+    mov [rcx+OE_CONTEXT_R15], r15
+
+    ;; Save x87 FPU, MMX and SSE state (includes MXCSR and XMM registers).
+    fxsave [rcx+OE_CONTEXT_FLOAT]
+
+    ;; Subroutine epilogue
+    mov rsp, rbp
+    pop rbp
+    ret
+
+oe_save_host_context ENDP
+
+PUBLIC oe_restore_host_context
+oe_restore_host_context PROC
+
+    ;; Subroutine prologue
+    push rbp
+    mov rbp, rsp
+
+    ;; Restore the flags to stack.
+    push [rcx+OE_CONTEXT_FLAGS]
+    popfq
+
+    ;; Restore general registers.
+    mov rbx, [rcx+OE_CONTEXT_RBX]
+    mov rdi, [rcx+OE_CONTEXT_RDI]
+    mov rsi, [rcx+OE_CONTEXT_RSI]
+    mov r12, [rcx+OE_CONTEXT_R12]
+    mov r13, [rcx+OE_CONTEXT_R13]
+    mov r14, [rcx+OE_CONTEXT_R14]
+    mov r15, [rcx+OE_CONTEXT_R15]
+
+    ;; Restore x87 FPU, MMX and SSE state (includes MXCSR and XMM registers).
+    fxrstor [rcx+OE_CONTEXT_FLOAT]
+
+    ;; Subroutine epilogue
+    mov rsp, rbp
+    pop rbp
+    ret
+
+oe_restore_host_context ENDP
+
+END
+
diff --git a/include/openenclave/internal/constants_x64.h b/include/openenclave/internal/constants_x64.h
index 1ed966a656..b74ec90c41 100644
--- a/include/openenclave/internal/constants_x64.h
+++ b/include/openenclave/internal/constants_x64.h
@@ -71,4 +71,10 @@
 //  AMD64 ABI needs a 128 bytes red zone.
 #define ABI_REDZONE_BYTE_SIZE 0x80
 
+// MXCSR initialization value for Linux x86_64 ABI in enclave
+#define ABI_MXCSR_INIT 0x1F80
+
+// x87 FPU control word initialization value for Linux x86_64 ABI in enclave
+#define ABI_FPUCW_INIT 0x037F
+
 #endif /* _OE_INTERNAL_CONSTANTS_X64_H */

From 3ab7fab395337fe6d61536072dd5ff17daff5fdc Mon Sep 17 00:00:00 2001
From: Xuejun Yang <xuejya@microsoft.com>
Date: Wed, 9 Oct 2019 17:31:52 +0000
Subject: [PATCH 184/420] Fix switchless_threads test for 2-core Windows
 machines

---
 samples/test-samples.cmake         | 2 +-
 tests/switchless_threads/enc/enc.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/samples/test-samples.cmake b/samples/test-samples.cmake
index 9e090bc5f0..7baf4becec 100644
--- a/samples/test-samples.cmake
+++ b/samples/test-samples.cmake
@@ -6,7 +6,7 @@
 #
 #     cmake -DUSE_LIBSGX=ON -DSOURCE_DIR=~/openenclave -DBUILD_DIR=~/openenclave/build -DPREFIX_DIR=/opt/openenclave -P ~/openenclave/samples/test-samples.cmake
 
-# These two samples can run in simulation, and therefore run in every configuration.
+# These three samples can run in simulation, and therefore run in every configuration.
 set(SAMPLES_LIST helloworld file-encryptor switchless)
 
 if ($ENV{OE_SIMULATION})
diff --git a/tests/switchless_threads/enc/enc.c b/tests/switchless_threads/enc/enc.c
index bd582a528e..ec07302ac1 100644
--- a/tests/switchless_threads/enc/enc.c
+++ b/tests/switchless_threads/enc/enc.c
@@ -70,6 +70,6 @@ OE_SET_ENCLAVE_SGX(
     1,    /* ProductID */
     1,    /* SecurityVersion */
     true, /* AllowDebug */
-    1024, /* HeapPageCount */
-    1024, /* StackPageCount */
+    128,  /* HeapPageCount */
+    128,  /* StackPageCount */
     8);   /* TCSCount */

From bd84ad93b75a9898b69683e06180705c31451d04 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Wed, 9 Oct 2019 22:39:53 +0000
Subject: [PATCH 185/420] Add a release manager selection process to
 Releasing.md

---
 docs/Releasing.md | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/docs/Releasing.md b/docs/Releasing.md
index 19fa1694ad..94c663649e 100644
--- a/docs/Releasing.md
+++ b/docs/Releasing.md
@@ -4,6 +4,13 @@ Open Enclave SDK Release Procedures
 This document covers how we handle creating a release. Let's look at it from an
 example:
 
+Selecting a Release Manager
+---------------------------
+
+The Community Governance Committee will select a release manager from one of the
+Committers by submitting a Pull Request that adds a "Release" tag to that
+Committer's "Area" in [Committers.md](Committers.md).
+
 Version Bump
 ------------
 
@@ -11,9 +18,6 @@ Version Bump
 > and branches are `v0.7.x`. We follow [Semantic
 > Versioning](https://semver.org/spec/v2.0.0.html).
 
-We want to release `v0.7.0` in about a week, so we choose a release manager from
-the committers.
-
 The initial announcement of the upcoming release will be a PR by the release
 manager to the `master` branch with the commit to bump the [VERSION
 file](../VERSION) to _next_ pre-release, e.g. `v0.7.x`, and the commit to update

From 3f170c78399d8833424f5113fe72940db94709b1 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Thu, 10 Oct 2019 16:57:13 +0000
Subject: [PATCH 186/420] Refactor function names, add Debug Windows package
 build in CD.

---
 .jenkins/Packaging.Jenkinsfile | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/.jenkins/Packaging.Jenkinsfile b/.jenkins/Packaging.Jenkinsfile
index fec6b3e380..3f900f080f 100644
--- a/.jenkins/Packaging.Jenkinsfile
+++ b/.jenkins/Packaging.Jenkinsfile
@@ -4,7 +4,7 @@ oe = new jenkins.common.Openenclave()
 GLOBAL_TIMEOUT_MINUTES = 240
 CTEST_TIMEOUT_SECONDS = 480
 
-def packageUpload(String version, String build_type) {
+def LinuxPackaging(String version, String build_type) {
     stage("Ubuntu${version} SGX1FLC Package ${build_type}") {
         node("ACC-${version}") {
             timeout(GLOBAL_TIMEOUT_MINUTES) {
@@ -25,8 +25,8 @@ def packageUpload(String version, String build_type) {
     }
 }
 
-def WindowsUpload() {
-    stage('Windows Release') {
+def WindowsPackaging(String build_type) {
+    stage('Windows SGX1FLC ${build_type}') {
         node('SGXFLC-Windows-DCAP') {
             timeout(GLOBAL_TIMEOUT_MINUTES) {
                 cleanWs()
@@ -34,24 +34,25 @@ def WindowsUpload() {
                 dir('build') {
                     bat """
                         vcvars64.bat x64 && \
-                        cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=RELEASE -DBUILD_ENCLAVES=ON -DUSE_LIBSGX=ON -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -DCPACK_GENERATOR=NuGet -Wdev && \
+                        cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DUSE_LIBSGX=ON -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -DCPACK_GENERATOR=NuGet -Wdev && \
                         ninja.exe && \
                         ctest.exe -V -C RELEASE --timeout ${CTEST_TIMEOUT_SECONDS} && \
                         cpack && \
                         cpack -D CPACK_NUGET_COMPONENT_INSTALL=ON -DCPACK_COMPONENTS_ALL=OEHOSTVERIFY
                         """
                 }
-                azureUpload(storageCredentialId: 'oe_jenkins_storage_account', filesPath: 'build/*.nupkg', storageType: 'blobstorage', virtualPath: "master/${BUILD_NUMBER}/windows/", containerName: 'oejenkins')
-                azureUpload(storageCredentialId: 'oe_jenkins_storage_account', filesPath: 'build/*.nupkg', storageType: 'blobstorage', virtualPath: "master/latest/windows/", containerName: 'oejenkins')
+                azureUpload(storageCredentialId: 'oe_jenkins_storage_account', filesPath: 'build/*.nupkg', storageType: 'blobstorage', virtualPath: "master/${BUILD_NUMBER}/windows/${build_type}/SGX1FLC/", containerName: 'oejenkins')
+                azureUpload(storageCredentialId: 'oe_jenkins_storage_account', filesPath: 'build/*.nupkg', storageType: 'blobstorage', virtualPath: "master/latest/windows/${build_type}/SGX1FLC/", containerName: 'oejenkins')
             }
         }
     }
 }
 
-parallel "1604 SGX1FLC Package Debug" :          { packageUpload('1604', 'Debug') },
-         "1604 SGX1FLC Package Release" :        { packageUpload('1604', 'Release') },
-         "1604 SGX1FLC Package RelWithDebInfo" : { packageUpload('1604', 'RelWithDebInfo') },
-         "1804 SGX1FLC Package Debug" :          { packageUpload('1804', 'Debug') },
-         "1804 SGX1FLC Package Release" :        { packageUpload('1804', 'Release') },
-         "1804 SGX1FLC Package RelWithDebInfo" : { packageUpload('1804', 'RelWithDebInfo') },
-         "Windows Release" :                     { WindowsUpload() }
+parallel "1604 SGX1FLC Package Debug" :          { LinuxPackaging('1604', 'Debug') },
+         "1604 SGX1FLC Package Release" :        { LinuxPackaging('1604', 'Release') },
+         "1604 SGX1FLC Package RelWithDebInfo" : { LinuxPackaging('1604', 'RelWithDebInfo') },
+         "1804 SGX1FLC Package Debug" :          { LinuxPackaging('1804', 'Debug') },
+         "1804 SGX1FLC Package Release" :        { LinuxPackaging('1804', 'Release') },
+         "1804 SGX1FLC Package RelWithDebInfo" : { LinuxPackaging('1804', 'RelWithDebInfo') },
+         "Windows Debug" :                       { WindowsPackaging('DEBUG') },
+         "Windows Release" :                     { WindowsPackaging('RELEASE') }

From 9233a958143de0a8734a0035245a1a6e4578a0dd Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Thu, 10 Oct 2019 17:28:29 +0000
Subject: [PATCH 187/420] Update CMakeSettings.json with NUGET_PACKAGE_PATH

Commit c3c6dc17 added a requirement to define the NUGET_PACKAGE_PATH variable
in CMake for WIN32 builds. This commit updates the CMakeSettings.json file for
Visual Studio users to provide the NUGET_PACKAGE_PATH parameter based on the
install path used when running install-windows-prereqs.ps1.
---
 CMakeSettings.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/CMakeSettings.json b/CMakeSettings.json
index 3d1dbb3a4b..537fee3d4f 100644
--- a/CMakeSettings.json
+++ b/CMakeSettings.json
@@ -31,7 +31,7 @@
       "inheritEnvironments": [ "msvc_x64_x64" ],
       "buildRoot": "${workspaceRoot}\\build\\x64-Debug",
       "installRoot": "${env.USERPROFILE}\\CMakeBuilds\\${workspaceHash}\\install\\${name}",
-      "cmakeCommandArgs": "-DBUILD_ENCLAVES=1 -DUSE_LIBSGX=1",
+      "cmakeCommandArgs": "-DBUILD_ENCLAVES=ON -DUSE_LIBSGX=ON -DNUGET_PACKAGE_PATH=${workspaceRoot}\\prereqs\\nuget",
       "buildCommandArgs": "-v",
       "ctestCommandArgs": ""
     },
@@ -42,7 +42,7 @@
       "inheritEnvironments": [ "msvc_x64_x64" ],
       "buildRoot": "${workspaceRoot}\\build\\x64-RelWithDebInfo",
       "installRoot": "${env.USERPROFILE}\\CMakeBuilds\\${workspaceHash}\\install\\${name}",
-      "cmakeCommandArgs": "-DBUILD_ENCLAVES=1 -DUSE_LIBSGX=1",
+      "cmakeCommandArgs": "-DBUILD_ENCLAVES=ON -DUSE_LIBSGX=ON -DNUGET_PACKAGE_PATH=${workspaceRoot}\\prereqs\\nuget",
       "buildCommandArgs": "-v",
       "ctestCommandArgs": ""
     },
@@ -53,7 +53,7 @@
       "inheritEnvironments": [ "msvc_x64_x64" ],
       "buildRoot": "${workspaceRoot}\\build\\x64-Release",
       "installRoot": "${env.USERPROFILE}\\CMakeBuilds\\${workspaceHash}\\install\\${name}",
-      "cmakeCommandArgs": "-DBUILD_ENCLAVES=1 -DUSE_LIBSGX=1",
+      "cmakeCommandArgs": "-DBUILD_ENCLAVES=ON -DUSE_LIBSGX=ON -DNUGET_PACKAGE_PATH=${workspaceRoot}\\prereqs\\nuget",
       "buildCommandArgs": "-v",
       "ctestCommandArgs": ""
     }

From 3ca1f4ca859dddddea85ef280af8af43e09fee4f Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <Radhikaj@microsoft.com>
Date: Mon, 14 Oct 2019 21:38:47 +0000
Subject: [PATCH 188/420] Revert "Lockless Queue Implementation"

This reverts commit 8a5690d27904045a932f6678d2024345aabfea06.

This reverts commit ec2f3c5004bef0cda4e04da82403468d6060873d.

This reverts commit 05ea7eae3289110ba2563571f1c98c9c2f509f48.
---
 common/lockless_queue.c                       | 122 -----
 enclave/CMakeLists.txt                        |   1 -
 host/CMakeLists.txt                           |   1 -
 include/openenclave/internal/lockless_queue.h | 149 -----
 tests/CMakeLists.txt                          |   1 -
 tests/lockless_queue/CMakeLists.txt           |  11 -
 tests/lockless_queue/enc/CMakeLists.txt       |   9 -
 tests/lockless_queue/enc/enc.c                | 116 ----
 tests/lockless_queue/host/CMakeLists.txt      |  10 -
 tests/lockless_queue/host/host.c              | 507 ------------------
 tests/lockless_queue/lockless_queue.edl       |  35 --
 11 files changed, 962 deletions(-)
 delete mode 100644 common/lockless_queue.c
 delete mode 100644 include/openenclave/internal/lockless_queue.h
 delete mode 100644 tests/lockless_queue/CMakeLists.txt
 delete mode 100644 tests/lockless_queue/enc/CMakeLists.txt
 delete mode 100644 tests/lockless_queue/enc/enc.c
 delete mode 100644 tests/lockless_queue/host/CMakeLists.txt
 delete mode 100644 tests/lockless_queue/host/host.c
 delete mode 100644 tests/lockless_queue/lockless_queue.edl

diff --git a/common/lockless_queue.c b/common/lockless_queue.c
deleted file mode 100644
index 330b906832..0000000000
--- a/common/lockless_queue.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/* Copyright (c) Microsoft Corporation. All rights reserved.
- * Licensed under the MIT License. */
-
-#include <openenclave/internal/lockless_queue.h>
-#include <stdlib.h>
-
-#if _MSC_VER
-#include <intrin.h>
-#endif /* _MSC_VER */
-
-/* functions for oe_lockless_queue_node */
-/*---------------------------------------------------------------------------*/
-void oe_lockless_queue_node_init(oe_lockless_queue_node* p_node)
-{
-    p_node->p_link = NULL;
-} /* init_oe_lockless_queue_node */
-
-/* functions for oe_lockless_queue */
-/*---------------------------------------------------------------------------*/
-void oe_lockless_queue_init(oe_lockless_queue* p_queue)
-{
-#ifdef _MSC_VER
-    _InterlockedExchangePointer(&(p_queue->p_tail), NULL);
-    _InterlockedExchangePointer(&(p_queue->p_head), NULL);
-#elif defined __GNUC__
-    __atomic_store_n(&(p_queue->p_tail), NULL, __ATOMIC_RELAXED);
-    __atomic_store_n(&(p_queue->p_head), NULL, __ATOMIC_RELAXED);
-#endif /* _MSC_VER or __GNUC__ */
-} /* init_oe_lockless_queue */
-
-void oe_lockless_queue_push_back(
-    oe_lockless_queue* p_queue,
-    oe_lockless_queue_node* p_node)
-{
-    oe_lockless_queue_node* p_expected = NULL;
-#ifdef _MSC_VER
-    oe_lockless_queue_node* p_actual = NULL;
-#endif /* _MSC_VER */
-    do
-    {
-#ifdef _MSC_VER
-        p_expected = p_actual;
-        p_node->p_link = p_expected;
-        p_actual = (oe_lockless_queue_node*)_InterlockedCompareExchangePointer(
-            &(p_queue->p_tail), p_node, p_expected);
-    } while (p_actual != p_expected);
-#elif defined __GNUC__
-        p_node->p_link = p_expected;
-    } while (!__atomic_compare_exchange_n(
-        &(p_queue->p_tail),
-        &p_expected,
-        p_node,
-        1,
-        __ATOMIC_ACQ_REL,
-        __ATOMIC_ACQUIRE));
-#endif /* _MSC_VER or __GNUC__ */
-} /* oe_lockless_queue_push */
-
-oe_lockless_queue_node* oe_lockless_queue_pop_front(oe_lockless_queue* p_queue)
-{
-    /* try to take a node from the head */
-    oe_lockless_queue_node* popped_node = NULL;
-#ifdef _MSC_VER
-    popped_node = (oe_lockless_queue_node*)_InterlockedCompareExchangePointer(
-        &(p_queue->p_head), NULL, NULL);
-#elif defined __GNUC__
-    popped_node = __atomic_load_n(&(p_queue->p_head), __ATOMIC_ACQUIRE);
-#endif /* _MSC_VER or __GNUC__ */
-
-    if (NULL != popped_node)
-    {
-        /* there was a node at the head
-         * pop the node from the head and replace it with the node that it
-         *     points to
-         * remove the reference from the popped node to the next node */
-        oe_lockless_queue_node* next_node = popped_node->p_link;
-        popped_node->p_link = NULL;
-#ifdef _MSC_VER
-        _InterlockedExchangePointer(&(p_queue->p_head), next_node);
-#elif defined __GNUC__
-        __atomic_store_n(&(p_queue->p_head), next_node, __ATOMIC_RELEASE);
-#endif /* _MSC_VER or __GNUC__ */
-    }
-    else
-    {
-        /* there wasn't a node at the head
-         * so refill the head with the nodes from the tail */
-
-        /* take all of the nodes off of the tail */
-#ifdef _MSC_VER
-        popped_node = (oe_lockless_queue_node*)_InterlockedExchangePointer(
-            &(p_queue->p_tail), NULL);
-#elif defined __GNUC__
-        popped_node =
-            __atomic_exchange_n(&(p_queue->p_tail), NULL, __ATOMIC_ACQ_REL);
-#endif /* _MSC_VER or __GNUC__ */
-
-        if (NULL != popped_node)
-        {
-            /* reverse the nodes from the tail */
-            oe_lockless_queue_node* prev_node = NULL;
-            oe_lockless_queue_node* next_node = NULL;
-            next_node = popped_node->p_link;
-            while (NULL != next_node)
-            {
-                popped_node->p_link = prev_node;
-                prev_node = popped_node;
-                popped_node = next_node;
-                next_node = popped_node->p_link;
-            }
-
-            /* move the nodes to the head */
-            popped_node->p_link = NULL;
-#if _MSC_VER
-            _InterlockedExchangePointer(&(p_queue->p_head), prev_node);
-#elif defined __GNUC__
-            __atomic_store_n(&(p_queue->p_head), prev_node, __ATOMIC_RELEASE);
-#endif /* _MSC_VER or __GNUC__ */
-        }
-    }
-    return popped_node;
-} /* oe_lockless_queue_pop */
diff --git a/enclave/CMakeLists.txt b/enclave/CMakeLists.txt
index 30ce23569f..2948d60aa0 100644
--- a/enclave/CMakeLists.txt
+++ b/enclave/CMakeLists.txt
@@ -27,7 +27,6 @@ endif()
 
 add_library(oeenclave STATIC
     ../common/datetime.c
-    ../common/lockless_queue.c
     asym_keys.c
     link.c
     random.c
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index b2c38e7101..464feab3f3 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -213,7 +213,6 @@ list(APPEND PLATFORM_HOST_ONLY_SRC
 # Common files that are used in the OE SDK only.
 list(APPEND PLATFORM_SDK_ONLY_SRC
   ../common/kdf.c
-  ../common/lockless_queue.c
   ../common/argv.c
   asym_keys.c
   calls.c
diff --git a/include/openenclave/internal/lockless_queue.h b/include/openenclave/internal/lockless_queue.h
deleted file mode 100644
index 30bad0ffeb..0000000000
--- a/include/openenclave/internal/lockless_queue.h
+++ /dev/null
@@ -1,149 +0,0 @@
-/* Copyright (c) Microsoft Corporation. All rights reserved.
- * Licensed under the MIT License. */
-
-#ifndef _LOCKLESS_QUEUE_H_
-#define _LOCKLESS_QUEUE_H_
-
-#include <openenclave/internal/defs.h>
-
-OE_EXTERNC_BEGIN
-
-/* forward declarations */
-struct _oe_lockless_queue_node;
-struct _oe_lockless_queue;
-
-/**
- * @typedef atomic_lockless_node_ptr
- *
- * @brief A platform abstract pointer to a lockless_queue_node.
- */
-#ifdef _MSC_VER
-typedef struct _oe_lockless_queue_node* volatile atomic_lockless_node_ptr;
-#elif defined __GNUC__
-typedef struct _oe_lockless_queue_node* atomic_lockless_node_ptr;
-#else
-#error "unsupported"
-#endif
-
-/**
- * @struct _oe_lockless_queue_node
- *
- * @brief The basic structure for a lockless queue node.
- *
- * This structure is the basic node used with struct _oe_lockless queue.
- *
- * @note This should be initialized with oe_lockless_queue_node_init() before
- *       use.
- *
- * @see _oe_lockless_queue
- * @see oe_lockless_queue_node_init()
- */
-typedef struct _oe_lockless_queue_node
-{
-    /**
-     * @internal
-     */
-    struct _oe_lockless_queue_node* p_link;
-} oe_lockless_queue_node;
-
-/**
- * @function oe_lockless_queue_node_init
- *
- * @brief Initializes an _oe_lockless_queue_node.
- *
- * Prepares a node for use with _oe_lockless_queue.
- *
- * @param p_node An uninitialized _oe_lockless_queue_node.
- *
- * @pre p_node is non-NULL and points to an unitialized node.
- * @post p_node is prepared to pass to oe_lockless_queue_push_back().
- */
-void oe_lockless_queue_node_init(oe_lockless_queue_node* p_node);
-
-/**
- * @struct _oe_lockless_queue
- *
- * @brief The structure for managing a multi-producer, single-consumer, FIFO
- *        queue data structure that is multithread stable.
- *
- * This structure is the basic control data type for a thread-safe lockless FIFO
- * queue.  This data structure allows any number of threads to call
- * oe_lockless_queue_push_back() and one thread to call
- * oe_lockless_queue_pop_front() concurrently without the use of any mutex while
- * maintaining a consistent and stable state.
- *
- * @note This should be initialized with oe_lockless_queue_init() before use.
- *
- * @see oe_lockless_queue_node_init()
- * @see oe_lockless_queue_push_front()
- * @see oe_lockless_queue_pop_back()
- */
-typedef struct _oe_lockless_queue
-{
-    /**
-     * @internal
-     */
-    atomic_lockless_node_ptr p_tail;
-    /**
-     * @internal
-     */
-    atomic_lockless_node_ptr p_head;
-} oe_lockless_queue;
-
-/**
- * @function oe_lockless_queue_init
- *
- * @brief Initializes an _oe_lockless_queue_node.
- *
- * Prepares an _oe_lockless_queue for use.
- *
- * @param p_queue An uninitialized _oe_lockless_queue.
- *
- * @pre p_queue is non-NULL and points to an unitialized queue.
- * @post p_queue is prepared to use with oe_lockless_queue_push_back() and
- * oe_lockless_queue_pop_front().
- */
-void oe_lockless_queue_init(oe_lockless_queue* p_queue);
-
-/**
- * @function oe_lockless_queue_push_back
- *
- * @brief Appends an _oe_lockless_queue node to the tail end of an
- *        _oe_lockless_queue.
- *
- * @param p_queue The _oe_lockless_queue to append the node.
- * @param p_node The _oe_lockless_queue_node to append to the queue.
- *
- * @pre p_queue is non-NULL and points to an initialized queue and p_node is
- *      non-NULL and points to an initialized node.
- * @post p_node has been appended to the end of p_queue.
- *
- * @note It is safe to call this method from any number of threads concurrently.
- *       It is also safe to call this method concurrently while also calling
- *       oe_lockless_queue_pop_front() from a single thread.
- */
-void oe_lockless_queue_push_back(
-    oe_lockless_queue* p_queue,
-    oe_lockless_queue_node* p_node);
-
-/**
- * @function oe_lockless_queue_pop_front
- *
- * @brief Attempts to remove and return an _oe_lockless_queue_node from the head
- *        of an _oe_lockless_queue.
- *
- * @param p_queue The _oe_lockless_queue to remove a node from.
- * @return A pointer to an _oe_lockless_queue_node if there was at least one in
- *         the queue or NULL if there was not a node in the queue.
- * @pre p_queue is non-NULL and points to an initialized queue and p_node is
- *      non-NULL and points to an initialized node.
- *
- * @note It is not safe to call this method concurrently from more than one
- *       thread.  However it is safe to call this method while concurrently
- *       calling oe_lockless_queue_push_back() from any number of threads.
- */
-oe_lockless_queue_node* oe_lockless_queue_pop_front(oe_lockless_queue* p_queue);
-
-OE_EXTERNC_END
-
-#endif /* _LOCKLESS_QUEUE_H_ */
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 04f5d7fbba..234be70b58 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -16,7 +16,6 @@ if (WIN32_SIMULATION)
     message("WIN32_SIMULATION set, failing tests are skipped")
 endif ()
 
-add_subdirectory(lockless_queue)
 add_subdirectory(mem)
 add_subdirectory(safecrt)
 add_subdirectory(safemath)
diff --git a/tests/lockless_queue/CMakeLists.txt b/tests/lockless_queue/CMakeLists.txt
deleted file mode 100644
index edb85a8bac..0000000000
--- a/tests/lockless_queue/CMakeLists.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License.
-
-
-add_subdirectory(host)
-
-if (BUILD_ENCLAVES)
-   add_subdirectory(enc)
-endif()
-
-add_enclave_test(tests/lockless_queue lockless_queue_host lockless_queue_enc)
diff --git a/tests/lockless_queue/enc/CMakeLists.txt b/tests/lockless_queue/enc/CMakeLists.txt
deleted file mode 100644
index 3454e6b178..0000000000
--- a/tests/lockless_queue/enc/CMakeLists.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License.
-
-oeedl_file(../lockless_queue.edl enclave gen)
-
-add_enclave(TARGET lockless_queue_enc UUID eb99d409-3d52-439c-b374-87f664136434 SOURCES enc.c ${gen})
-
-target_include_directories(lockless_queue_enc PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
-target_link_libraries(lockless_queue_enc oelibc)
diff --git a/tests/lockless_queue/enc/enc.c b/tests/lockless_queue/enc/enc.c
deleted file mode 100644
index 20fd79bea6..0000000000
--- a/tests/lockless_queue/enc/enc.c
+++ /dev/null
@@ -1,116 +0,0 @@
-/* Copyright (c) Microsoft Corporation. All rights reserved.
- * Licensed under the MIT License. */
-
-#include <lockless_queue_t.h>
-#include <openenclave/internal/tests.h>
-
-#ifdef _MSC_VER
-#include <intrin.h>
-#endif /* _MSC_VER */
-
-void enc_push_nodes(
-    oe_lockless_queue* p_queue,
-    test_node* p_nodes,
-    size_t count)
-{
-    /* push the nodes onto the queue */
-    for (size_t i = 0; i < count; ++i)
-    {
-        oe_lockless_queue_push_back(p_queue, &((p_nodes + i)->_node));
-    }
-} /* enc_push_nodes */
-
-void enc_writer_thread(
-    oe_lockless_queue* p_queue,
-    test_node* p_nodes,
-    size_t* p_barrier)
-{
-    size_t barrier_count;
-
-    /* wait for all of the threads to start */
-#ifdef _MSC_VER
-    barrier_count = _InterlockedIncrement64(data->p_barrier);
-    while (barrier_count < THREAD_COUNT)
-    {
-        barrier_count = _InterlockedCompareExchange64 (data->p_barrier, 0, 0));
-    }
-#elif defined __GNUC__
-    barrier_count = __atomic_add_fetch(p_barrier, 1, __ATOMIC_ACQ_REL);
-    while (THREAD_COUNT > barrier_count)
-    {
-        barrier_count = __atomic_load_n(p_barrier, __ATOMIC_ACQUIRE);
-    }
-#endif /* _MSC_VER or __GNUC__ */
-
-    /* push this thread's nodes onto the queue */
-    enc_push_nodes(p_queue, p_nodes, TEST_COUNT);
-} /* enc_writer_thread */
-
-void enc_pop_nodes(oe_lockless_queue* p_queue, size_t count)
-{
-    size_t node_count = 0;
-
-    /* pop the nodes off of the queue */
-    while (node_count < count)
-    {
-        oe_lockless_queue_node* p_node = oe_lockless_queue_pop_front(p_queue);
-        if (NULL != p_node)
-        {
-            test_node* p_test_node = (test_node*)p_node;
-            ++(p_test_node->count);
-            p_test_node->pop_order = node_count;
-            ++node_count;
-        }
-    }
-} /* enc_pop_nodes */
-
-void enc_test_queue_single_threaded()
-{
-    oe_lockless_queue queue;
-    oe_lockless_queue_node nodes[TEST_COUNT];
-    oe_lockless_queue_node* p_node = NULL;
-
-    oe_lockless_queue_init(&queue);
-
-    OE_TEST(NULL == oe_lockless_queue_pop_front(&queue));
-
-    for (size_t i = 0; i < (TEST_COUNT); ++i)
-    {
-        oe_lockless_queue_node_init(nodes + i);
-    }
-
-    for (size_t i = 0; i < (TEST_COUNT); ++i)
-    {
-        oe_lockless_queue_push_back(&queue, nodes + i);
-    }
-
-    for (size_t i = 0; i < (TEST_COUNT); ++i)
-    {
-        p_node = oe_lockless_queue_pop_front(&queue);
-        OE_TEST(p_node == nodes + i);
-    }
-} /* enc_test_queue_single_threaded */
-
-OE_SET_ENCLAVE_SGX(
-    1,    /* ProductID */
-    1,    /* SecurityVersion */
-    true, /* AllowDebug */
-    1024, /* HeapPageCount */
-    128,  /* StackPageCount */
-    16);  /* TCSCount */
-
-#define TA_UUID                                            \
-    { /* eb99d409-3d52-439c-b374-87f664136434 */           \
-        0xeb99d409, 0x3d52, 0x439c,                        \
-        {                                                  \
-            0xb3, 0x74, 0x87, 0xf6, 0x64, 0x13, 0x64, 0x34 \
-        }                                                  \
-    }
-
-OE_SET_ENCLAVE_OPTEE(
-    TA_UUID,
-    1 * 1024 * 1024,
-    12 * 1024,
-    TA_FLAG_EXEC_DDR,
-    "1.0.0",
-    "Lockless Queue test")
diff --git a/tests/lockless_queue/host/CMakeLists.txt b/tests/lockless_queue/host/CMakeLists.txt
deleted file mode 100644
index a873708e7f..0000000000
--- a/tests/lockless_queue/host/CMakeLists.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License.
-
-oeedl_file(../lockless_queue.edl host gen)
-
-add_executable(lockless_queue_host host.c ${gen})
-
-target_include_directories(lockless_queue_host PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
-
-target_link_libraries(lockless_queue_host oehostapp)
diff --git a/tests/lockless_queue/host/host.c b/tests/lockless_queue/host/host.c
deleted file mode 100644
index be20fdf342..0000000000
--- a/tests/lockless_queue/host/host.c
+++ /dev/null
@@ -1,507 +0,0 @@
-/* Copyright (c) Microsoft Corporation. All rights reserved.
- * Licensed under the MIT License. */
-
-#include <lockless_queue_u.h>
-#include <openenclave/internal/error.h>
-#include <openenclave/internal/tests.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-#ifdef _MSC_VER
-//#include <intrin.h>
-#include <Windows.h>
-#elif defined __GNUC__
-#include <pthread.h>
-#endif /* _MSC_VER or __GNUC__ */
-
-#ifdef _MSC_VER
-
-#define THREAD_RETURN_TYPE DWORD WINAPI
-#define THREAD_ARG_TYPE LPVOID
-#define THREAD_RETURN_VAL 0
-#define THREAD_TYPE HANDLE
-
-typedef DWORD (*thread_op_t)(THREAD_ARG_TYPE);
-
-int thread_create(THREAD_TYPE* thread, thread_op_t op, THREAD_ARG_TYPE arg)
-{
-    *thread = CreateThread(NULL, 0, op, arg, 0, NULL);
-    return NULL == *thread;
-} /* thread_create */
-
-void thread_join(THREAD_TYPE thread)
-{
-    WaitForSingleObject(thread, INFINITE);
-    CloseHandle(thread);
-} /* thread_join */
-
-#elif defined __GNUC__
-
-#define THREAD_RETURN_TYPE void*
-#define THREAD_ARG_TYPE void*
-#define THREAD_RETURN_VAL NULL
-#define THREAD_TYPE pthread_t
-
-typedef THREAD_RETURN_TYPE (*thread_op_t)(THREAD_ARG_TYPE);
-
-int thread_create(THREAD_TYPE* thread, thread_op_t op, THREAD_ARG_TYPE arg)
-{
-    return pthread_create(thread, NULL, op, arg);
-} /* thread_create */
-
-void thread_join(THREAD_TYPE thread)
-{
-    pthread_join(thread, NULL);
-} /* thread_join */
-
-#endif /* _MSC_VER or __GNUC__ */
-
-static void host_queue_single_thread_test()
-{
-    oe_lockless_queue queue;
-    oe_lockless_queue_node nodes[TEST_COUNT];
-    oe_lockless_queue_node* p_node = NULL;
-
-    printf("<host_queue_single_thread_test>\n");
-
-    oe_lockless_queue_init(&queue);
-
-    OE_TEST(NULL == oe_lockless_queue_pop_front(&queue));
-
-    for (size_t i = 0; i < TEST_COUNT; ++i)
-    {
-        oe_lockless_queue_node_init(nodes + i);
-    }
-
-    for (size_t i = 0; i < TEST_COUNT; ++i)
-    {
-        oe_lockless_queue_push_back(&queue, nodes + i);
-    }
-
-    for (size_t i = 0; i < TEST_COUNT; ++i)
-    {
-        p_node = oe_lockless_queue_pop_front(&queue);
-        OE_TEST(p_node == nodes + i);
-    }
-
-    OE_TEST(NULL == oe_lockless_queue_pop_front(&queue));
-
-    printf("</host_queue_single_thread_test>\n");
-} /* host_queue_single_thread_test */
-
-static void test_node_init(test_node* p_node)
-{
-    oe_lockless_queue_node_init(&(p_node->_node));
-    p_node->count = 0;
-    p_node->pop_order = 0;
-} /* test_node_init */
-
-typedef struct _thread_data
-{
-    oe_lockless_queue* p_queue;
-    test_node* p_nodes;
-    size_t* p_barrier;
-    THREAD_TYPE thread;
-    oe_enclave_t* enclave;
-} thread_data;
-
-THREAD_RETURN_TYPE host_writer_thread(THREAD_ARG_TYPE _data)
-{
-    size_t barrier_count;
-    thread_data* data = (thread_data*)_data;
-
-    printf("    host_writer_thread started\n");
-
-    /* wait for all threads to start */
-#ifdef _MSC_VER
-    barrier_count = _InterlockedIncrement64(data->p_barrier);
-    while (barrier_count < THREAD_COUNT)
-    {
-        barrier_count = _InterlockedCompareExchange64(data->p_barrier, 0, 0);
-    }
-#elif defined __GNUC__
-    barrier_count = __atomic_add_fetch(data->p_barrier, 1, __ATOMIC_ACQ_REL);
-    while (barrier_count < THREAD_COUNT)
-    {
-        barrier_count = __atomic_load_n(data->p_barrier, __ATOMIC_ACQUIRE);
-    }
-#endif /* _MSC_VER or __GNUC__ */
-
-    /* push this thread's nodes onto the queue */
-    for (size_t i = 0; i < TEST_COUNT; ++i)
-    {
-        oe_lockless_queue_push_back(
-            data->p_queue, (&(data->p_nodes + i)->_node));
-    }
-
-    printf("    host_writer_thread finished\n");
-
-    return THREAD_RETURN_VAL;
-} /* host_writer_thread */
-
-THREAD_RETURN_TYPE host_reader_thread(THREAD_ARG_TYPE _data)
-{
-    oe_lockless_queue* p_queue = (oe_lockless_queue*)_data;
-    size_t node_count = 0;
-
-    printf("    host_reader_thread - started\n");
-
-    /* pop the nodes off of the queue */
-    while (node_count < TEST_COUNT * THREAD_COUNT)
-    {
-        oe_lockless_queue_node* p_node = oe_lockless_queue_pop_front(p_queue);
-        if (NULL != p_node)
-        {
-            test_node* p_test_node = (test_node*)p_node;
-            ++(p_test_node->count);
-            p_test_node->pop_order = node_count;
-            ++node_count;
-        }
-    }
-    printf("    host_reader_thread - finished\n");
-    return THREAD_RETURN_VAL;
-} /* host_reader_thread */
-
-THREAD_RETURN_TYPE enc_writer_thread_wrapper(THREAD_ARG_TYPE _data)
-{
-    OE_UNUSED(_data);
-    thread_data* data = (thread_data*)_data;
-
-    printf("    enc_writer_thread - started\n");
-    OE_TEST(
-        OE_OK ==
-        enc_writer_thread(
-            data->enclave, data->p_queue, data->p_nodes, data->p_barrier));
-    printf("    enc_writer_thread - finished\n");
-    return THREAD_RETURN_VAL;
-} /* enc_writer_thread */
-
-THREAD_RETURN_TYPE enc_reader_thread_wrapper(THREAD_ARG_TYPE _data)
-{
-    thread_data* data = (thread_data*)_data;
-    printf("    enc_reader_thread started\n");
-    OE_TEST(
-        OE_OK ==
-        enc_pop_nodes(data->enclave, data->p_queue, TEST_COUNT * THREAD_COUNT));
-    printf("    enc_reader_thread finished\n");
-    return THREAD_RETURN_VAL;
-} /* host_reader_thread */
-
-static void host_queue_multi_thread_test()
-{
-    size_t barrier = 0;
-    thread_data threads[THREAD_COUNT];
-    test_node nodes[THREAD_COUNT * TEST_COUNT];
-    THREAD_TYPE reader;
-    oe_lockless_queue queue;
-
-    printf("<host_queue_multi_thread_test>\n");
-
-    oe_lockless_queue_init(&queue);
-    for (size_t i = 0; i < THREAD_COUNT * TEST_COUNT; ++i)
-    {
-        test_node_init(nodes + i);
-    }
-
-    OE_TEST(0 == thread_create(&reader, host_reader_thread, &queue));
-
-    for (size_t i = 0; i < THREAD_COUNT; ++i)
-    {
-        threads[i].p_barrier = &barrier;
-        threads[i].p_nodes = nodes + i * TEST_COUNT;
-        threads[i].p_queue = &queue;
-        threads[i].enclave = NULL;
-        OE_TEST(
-            0 == thread_create(
-                     &(threads[i].thread), host_writer_thread, threads + i));
-    }
-
-    thread_join(reader);
-    for (size_t i = 0; i < THREAD_COUNT; ++i)
-    {
-        size_t last_pop_order = 0;
-        thread_join(threads[i].thread);
-        OE_TEST(1 == nodes[TEST_COUNT * i].count);
-        last_pop_order = nodes[TEST_COUNT * i].pop_order;
-        for (size_t j = 1; j < TEST_COUNT; ++j)
-        {
-            OE_TEST(1 == nodes[TEST_COUNT * i + j].count);
-            OE_TEST(last_pop_order <= nodes[TEST_COUNT * i + j].pop_order);
-            last_pop_order = nodes[TEST_COUNT * i + j].pop_order;
-        }
-    }
-    OE_TEST(NULL == oe_lockless_queue_pop_front(&queue));
-
-    printf("</host_queue_multi_thread_test>\n");
-} /* host_queue_multi_thread_test */
-
-static void enc_queue_single_thread_test(oe_enclave_t* enclave)
-{
-    printf("<enc_queue_single_thread_test>\n");
-
-    OE_TEST(OE_OK == enc_test_queue_single_threaded(enclave));
-
-    printf("</enc_queue_single_thread_test>\n");
-} /* enc_queue_single_thread_test */
-
-static void enc_queue_multi_thread_test(oe_enclave_t* enclave)
-{
-    size_t barrier = 0;
-    thread_data threads[THREAD_COUNT];
-    test_node nodes[THREAD_COUNT * TEST_COUNT];
-    oe_lockless_queue queue;
-    thread_data reader_thread;
-
-    printf("<enc_queue_multi_thread_test>\n");
-
-    oe_lockless_queue_init(&queue);
-    for (size_t i = 0; i < THREAD_COUNT * TEST_COUNT; ++i)
-    {
-        test_node_init(nodes + i);
-    }
-
-    reader_thread.enclave = enclave;
-    reader_thread.p_queue = &queue;
-
-    OE_TEST(
-        0 == thread_create(
-                 &(reader_thread.thread),
-                 enc_reader_thread_wrapper,
-                 &reader_thread));
-
-    for (size_t i = 0; i < THREAD_COUNT; ++i)
-    {
-        threads[i].p_barrier = &barrier;
-        threads[i].p_nodes = nodes + i * TEST_COUNT;
-        threads[i].p_queue = &queue;
-        threads[i].enclave = enclave;
-        OE_TEST(
-            0 ==
-            thread_create(
-                &(threads[i].thread), enc_writer_thread_wrapper, threads + i));
-    }
-
-    thread_join(reader_thread.thread);
-    for (size_t i = 0; i < THREAD_COUNT; ++i)
-    {
-        size_t last_pop_order = 0;
-        thread_join(threads[i].thread);
-        OE_TEST(1 == nodes[TEST_COUNT * i].count);
-        last_pop_order = nodes[TEST_COUNT * i].pop_order;
-        for (size_t j = 1; j < TEST_COUNT; ++j)
-        {
-            OE_TEST(1 == nodes[TEST_COUNT * i + j].count);
-            OE_TEST(last_pop_order <= nodes[TEST_COUNT * i + j].pop_order);
-            last_pop_order = nodes[TEST_COUNT * i + j].pop_order;
-        }
-    }
-    OE_TEST(NULL == oe_lockless_queue_pop_front(&queue));
-
-    printf("</enc_queue_multi_thread_test>\n");
-} /*enc_queue_multi_thread_test */
-
-static void host_enq_enc_deq_single_thread_test(oe_enclave_t* enclave)
-{
-    oe_lockless_queue queue;
-    test_node nodes[TEST_COUNT];
-
-    printf("<host_enq_enc_deq_single_thread_test>\n");
-
-    oe_lockless_queue_init(&queue);
-
-    OE_TEST(NULL == oe_lockless_queue_pop_front(&queue));
-
-    for (size_t i = 0; i < TEST_COUNT; ++i)
-    {
-        test_node_init(nodes + i);
-    }
-
-    for (size_t i = 0; i < TEST_COUNT; ++i)
-    {
-        oe_lockless_queue_push_back(
-            &queue, (oe_lockless_queue_node*)&(nodes[i]._node));
-    }
-
-    OE_TEST(OE_OK == enc_pop_nodes(enclave, &queue, TEST_COUNT));
-
-    for (size_t i = 0; i < TEST_COUNT; ++i)
-    {
-        OE_TEST(1 == nodes[i].count);
-        OE_TEST(i == nodes[i].pop_order);
-    }
-
-    printf("<host_enq_enc_deq_single_thread_test>\n");
-} /* host_enq_enc_deq_single_thread_test */
-
-static void host_enq_enc_deq_multi_thread_test(oe_enclave_t* enclave)
-{
-    size_t barrier = 0;
-    thread_data threads[THREAD_COUNT];
-    test_node nodes[THREAD_COUNT * TEST_COUNT];
-    oe_lockless_queue queue;
-    thread_data reader_thread;
-
-    printf("<host_enq_enc_deq_multi_thread_test>\n");
-
-    oe_lockless_queue_init(&queue);
-    for (size_t i = 0; i < THREAD_COUNT * TEST_COUNT; ++i)
-    {
-        test_node_init(nodes + i);
-    }
-
-    reader_thread.enclave = enclave;
-    reader_thread.p_queue = &queue;
-
-    OE_TEST(
-        0 == thread_create(
-                 &(reader_thread.thread),
-                 enc_reader_thread_wrapper,
-                 &reader_thread));
-
-    for (size_t i = 0; i < THREAD_COUNT; ++i)
-    {
-        threads[i].p_barrier = &barrier;
-        threads[i].p_nodes = nodes + i * TEST_COUNT;
-        threads[i].p_queue = &queue;
-        threads[i].enclave = NULL;
-        OE_TEST(
-            0 == thread_create(
-                     &(threads[i].thread), host_writer_thread, threads + i));
-    }
-
-    thread_join(reader_thread.thread);
-    for (size_t i = 0; i < THREAD_COUNT; ++i)
-    {
-        size_t last_pop_order = 0;
-        thread_join(threads[i].thread);
-        OE_TEST(1 == nodes[TEST_COUNT * i].count);
-        last_pop_order = nodes[TEST_COUNT * i].pop_order;
-        for (size_t j = 1; j < TEST_COUNT; ++j)
-        {
-            OE_TEST(1 == nodes[TEST_COUNT * i + j].count);
-            OE_TEST(last_pop_order <= nodes[TEST_COUNT * i + j].pop_order);
-            last_pop_order = nodes[TEST_COUNT * i + j].pop_order;
-        }
-    }
-    OE_TEST(NULL == oe_lockless_queue_pop_front(&queue));
-
-    printf("</host_enq_enc_deq_multi_thread_test>\n");
-} /* host_enq_enc_deq_multi_thread_test */
-
-static void enc_enq_host_deq_single_thread_test(oe_enclave_t* enclave)
-{
-    test_node nodes[TEST_COUNT];
-    oe_lockless_queue queue;
-    test_node* p_node = NULL;
-
-    printf("<enc_enq_host_deq_single_thread_test>\n");
-
-    oe_lockless_queue_init(&queue);
-    for (size_t i = 0; i < TEST_COUNT; ++i)
-    {
-        test_node_init(nodes + i);
-    }
-
-    OE_TEST(OE_OK == enc_push_nodes(enclave, &queue, nodes, TEST_COUNT));
-
-    for (size_t i = 0; i < TEST_COUNT; ++i)
-    {
-        p_node = (test_node*)oe_lockless_queue_pop_front(&queue);
-        OE_TEST(p_node == nodes + i);
-    }
-
-    OE_TEST(NULL == oe_lockless_queue_pop_front(&queue));
-
-    printf("</enc_enq_host_deq_single_thread_test>\n");
-} /* enc_enq_host_deq_single_thread_test */
-
-static void enc_enq_host_deq_multi_thread_test(oe_enclave_t* enclave)
-{
-    size_t barrier = 0;
-    thread_data threads[THREAD_COUNT];
-    test_node nodes[THREAD_COUNT * TEST_COUNT];
-    THREAD_TYPE reader_thread;
-    oe_lockless_queue queue;
-
-    printf("<enc_enq_host_deq_multi_thread_test>\n");
-
-    oe_lockless_queue_init(&queue);
-    for (size_t i = 0; i < THREAD_COUNT * TEST_COUNT; ++i)
-    {
-        test_node_init(nodes + i);
-    }
-
-    OE_TEST(0 == thread_create(&reader_thread, host_reader_thread, &queue));
-
-    for (size_t i = 0; i < THREAD_COUNT; ++i)
-    {
-        threads[i].p_barrier = &barrier;
-        threads[i].p_nodes = nodes + i * TEST_COUNT;
-        threads[i].p_queue = &queue;
-        threads[i].enclave = enclave;
-        OE_TEST(
-            0 ==
-            thread_create(
-                &(threads[i].thread), enc_writer_thread_wrapper, threads + i));
-    }
-
-    thread_join(reader_thread);
-    for (size_t i = 0; i < THREAD_COUNT; ++i)
-    {
-        size_t last_pop_order = 0;
-        thread_join(threads[i].thread);
-        OE_TEST(1 == nodes[TEST_COUNT * i].count);
-        last_pop_order = nodes[TEST_COUNT * i].pop_order;
-        for (size_t j = 1; j < TEST_COUNT; ++j)
-        {
-            OE_TEST(1 == nodes[TEST_COUNT * i + j].count);
-            OE_TEST(last_pop_order <= nodes[TEST_COUNT * i + j].pop_order);
-            last_pop_order = nodes[TEST_COUNT * i + j].pop_order;
-        }
-    }
-    OE_TEST(NULL == oe_lockless_queue_pop_front(&queue));
-
-    printf("</enc_enq_host_deq_multi_thread_test>\n");
-} /* enc_enq_host_deq_multi_thread_test */
-
-int main(int argc, const char** argv)
-{
-    oe_result_t result = OE_OK;
-    const uint32_t flags = oe_get_create_flags();
-    oe_enclave_t* enclave;
-
-    if (argc != 2)
-    {
-        fprintf(stderr, "Usage: %s ENCLAVE\n", argv[0]);
-        exit(1);
-    }
-
-    /* these tests are executed within the host */
-    host_queue_single_thread_test();
-    host_queue_multi_thread_test();
-
-    result = oe_create_lockless_queue_enclave(
-        argv[1], OE_ENCLAVE_TYPE_SGX, flags, NULL, 0, &enclave);
-    if (OE_OK != result)
-    {
-        oe_put_err("oe_create_lockless_queue_enclave(): result=%u", result);
-    }
-
-    /* these tests are executed within the enclave */
-    enc_queue_single_thread_test(enclave);
-    enc_queue_multi_thread_test(enclave);
-
-    /* these tests enqueue nodes from the host and dequeue nodes from the
-     * enclave */
-    host_enq_enc_deq_single_thread_test(enclave);
-    host_enq_enc_deq_multi_thread_test(enclave);
-
-    /* these tests enqueue nodes from the enclave and dequeue nodes from the
-     * host */
-    enc_enq_host_deq_single_thread_test(enclave);
-    enc_enq_host_deq_multi_thread_test(enclave);
-
-    oe_terminate_enclave(enclave);
-
-    return 0;
-}
diff --git a/tests/lockless_queue/lockless_queue.edl b/tests/lockless_queue/lockless_queue.edl
deleted file mode 100644
index 63b29c8428..0000000000
--- a/tests/lockless_queue/lockless_queue.edl
+++ /dev/null
@@ -1,35 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-enclave {
-    include "openenclave/internal/lockless_queue.h"
-
-    enum constants {
-        TEST_COUNT = 1024,
-        THREAD_COUNT = 5
-    };
-
-    struct test_node{
-        oe_lockless_queue_node _node;
-        size_t count;
-        size_t pop_order;
-    };
-
-    trusted {
-        public void enc_push_nodes(
-            [user_check] oe_lockless_queue* p_queue,
-            [user_check] test_node* p_nodes,
-            size_t count);
-
-        public void enc_writer_thread(
-            [user_check] oe_lockless_queue* p_queue,
-            [user_check] test_node* p_nodes,
-            [user_check] size_t* p_barrier);
-
-        public void enc_pop_nodes(
-            [user_check] oe_lockless_queue* p_queue,
-            size_t count);
-
-        public void enc_test_queue_single_threaded();
-    };
-};

From a35e0b5bc2d431f8644a234dcbe70f5b57bb7417 Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Tue, 8 Oct 2019 22:42:30 +0000
Subject: [PATCH 189/420] Document build, run, debug workflow using Visual
 Studio Code.

---
 CHANGELOG.md                                  |   5 +
 docs/GettingStartedDocs/Debugging.md          |   2 +
 docs/GettingStartedDocs/Windows_vscode.md     | 118 ++++++++++++++++++
 .../GettingStartedDocs/images/VSCodeBuild.png | Bin 0 -> 97894 bytes
 .../images/VSCodeCDBExtension.png             | Bin 0 -> 23391 bytes
 .../images/VSCodeCMakeConfigure.png           | Bin 0 -> 6165 bytes
 .../images/VSCodeCMakeConfigureArgs.png       | Bin 0 -> 26887 bytes
 .../images/VSCodeCMakeConfigureOutput.png     | Bin 0 -> 30693 bytes
 .../images/VSCodeCMakeToolsExtension.png      | Bin 0 -> 19063 bytes
 .../images/VSCodeCppExtension.png             | Bin 0 -> 18001 bytes
 .../images/VSCodeDebugConfiguration.png       | Bin 0 -> 71673 bytes
 .../images/VSCodeDebugConsole.png             | Bin 0 -> 30473 bytes
 .../images/VSCodeEditDebugConfiguration.png   | Bin 0 -> 83626 bytes
 .../images/VSCodeEnclaveBreakpoint.png        | Bin 0 -> 119304 bytes
 .../images/VSCodeHostBreakpoint.png           | Bin 0 -> 88949 bytes
 .../images/VSCodeLaunch.png                   | Bin 0 -> 15468 bytes
 .../images/VSCodeNativeToolsPrompt.png        | Bin 0 -> 29158 bytes
 .../images/VSCodeOpenWorkspaceSettings.png    | Bin 0 -> 11873 bytes
 docs/GettingStartedDocs/images/VSCodeRun.png  | Bin 0 -> 90414 bytes
 .../images/VSCodeStopAfterEnclaveCreation.png | Bin 0 -> 149041 bytes
 20 files changed, 125 insertions(+)
 create mode 100644 docs/GettingStartedDocs/Windows_vscode.md
 create mode 100644 docs/GettingStartedDocs/images/VSCodeBuild.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeCDBExtension.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeCMakeConfigure.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeCMakeConfigureArgs.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeCMakeConfigureOutput.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeCMakeToolsExtension.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeCppExtension.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeDebugConfiguration.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeDebugConsole.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeEditDebugConfiguration.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeEnclaveBreakpoint.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeHostBreakpoint.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeLaunch.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeNativeToolsPrompt.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeOpenWorkspaceSettings.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeRun.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeStopAfterEnclaveCreation.png

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2c05280e4d..d767ac86e9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 [Unreleased]
 ------------
+### Added
+
+- Ability to debug ELF enclaves on Windows using
+    - [Visual Studio Code CDB Extension](https://aka.ms/CDBVSCode)
+    - [WinDbg Preview](https://aka.ms/WinDbgPreview)
 
 [v0.7.0-rc1] - 2019-10-08
 -------------------------
diff --git a/docs/GettingStartedDocs/Debugging.md b/docs/GettingStartedDocs/Debugging.md
index 237a1257d8..9cadf6b10e 100644
--- a/docs/GettingStartedDocs/Debugging.md
+++ b/docs/GettingStartedDocs/Debugging.md
@@ -1,5 +1,7 @@
 # Open Enclave Debugging
 
+For debugging enclaves on Windows see [Windows_vscode.md](./Windows_vscode.md)
+
 While you can use GDB to debug the host of the enclave app like any other normal process,
 you won’t be able to debug into the enclave’s execution state or memory. To enable that,
 you will need to launch the debugger with the **oegdb** plug-in.
diff --git a/docs/GettingStartedDocs/Windows_vscode.md b/docs/GettingStartedDocs/Windows_vscode.md
new file mode 100644
index 0000000000..9ade373e78
--- /dev/null
+++ b/docs/GettingStartedDocs/Windows_vscode.md
@@ -0,0 +1,118 @@
+# Building And Debugging Using Visual Studio Code
+
+This document provides a brief overview of how to build and debug Open Enclave applications using VS Code.
+
+## Install VS Code
+
+The latest version of Visual Studio Code can be installed from [https://code.visualstudio.com/](https://code.visualstudio.com/)
+
+
+## Install VS Code Extensions
+
+Install the following VS Code extensions. Click on an image to navigate to the Visual Studio Code Marketplace page for the extension.
+
+[![C/C++ Extension](images/VSCodeCppExtension.png)](https://marketplace.visualstudio.com/items?itemName=ms-vscode.cpptools)
+
+[![CMake Tools Extension](images/VSCodeCMakeToolsExtension.png)](https://marketplace.visualstudio.com/items?itemName=vector-of-bool.cmake-tools)
+
+[![CDB Extension](images/VSCodeCDBExtension.png)](https://marketplace.visualstudio.com/items?itemName=MicrosoftDebuggingPlatform.vscode-cdb)
+
+## Launch Visual Studio Code
+Open an instance of x64 Native Tools Command Prompt. This ensures that cmake is available in the path.
+
+![x64 Native Tools Command Prompt](images/VSCodeNativeToolsPrompt.png)
+
+Change to the directory containing your Open Enclave Application and launch VS Code in the current folder.
+
+```cmd
+cd YourApplicationFolder
+code .
+```
+
+![Launch VS Code](images/VSCodeLaunch.png)
+
+## Configure Your Workspace
+
+Open Workspace Settings by pressing Ctrl+Shift+P and typing "Open Workspace Settings" in the command palette.
+
+![Open Workspace Settings](images/VSCodeOpenWorkspaceSettings.png)
+
+Search for the setting "CMake Configure Args" and add an item `-DNUGET_PACKAGE_PATH=path-to-openenclave-nuget-packages\prereqs\nuget`.
+Add another item `-DOpenEnclave_DIR=YourOpenEnclaveInstallFolder\lib\openenclave\cmake`
+
+
+![CMake Configure Args](images/VSCodeCMakeConfigureArgs.png)
+
+Configure your workspace by typing "cmake configure" in the command palette
+
+![CMake Configure](images/VSCodeCMakeConfigure.png)
+
+Configuration should successfully complete.
+
+![CMake Configure Output](images/VSCodeCMakeConfigureOutput.png)
+
+## Build And Run Your Open Enclave Application
+
+Build the application by pressing Shift+F7 or typing "CMake Build a target" in the command palette, and selecting the "all META" target.
+
+![Build](images/VSCodeBuild.png)
+
+Run your application by pressing Shift+F7 or typing "CMake Build a target" in the command palette, and selecting the "run UTILITY" target.
+
+![Run](images/VSCodeRun.png)
+
+## Configuring Intellisense
+
+Intellisense should work out of the box for files within your workspace. However, Intellisense may not be aware of where to locate the Open Enclave SDK headers.
+Open settings.json (or create one) under the .vscode folder and add entries for "C_Cpp.default.includePath" and "C_Cpp.default.systemIncludePath".
+
+```json
+{
+    "cmake.configureArgs": [
+        "-DNUGET_PACKAGE_PATH=C:\\OpenEnclaveNugetPackages"
+    ],
+    "C_Cpp.default.includePath": ["your-openenclave-sdk-install-path\\include"],
+    "C_Cpp.default.systemIncludePath": [
+        "your-openenclave-sdk-install-path\\include\\openenclave\\3rdparty\\libc",
+        "your-openenclave-sdk-install-path\\include\\openenclave\\3rdparty\\libcxx"
+    ]
+}
+```
+
+## Debug Your Open Enclave Application
+
+Add a CDB Debug Configuration as shown below.
+
+![CDB Debug Configuration](images/VSCodeDebugConfiguration.png)
+
+Fill in program path, parameters and other values in the configuration.
+
+![Edit CDB Debug Configuration](images/VSCodeEditDebugConfiguration.png)
+
+Open host.c and add a breakpoint. Start debugging.
+
+![Host Breakpoint](images/VSCodeHostBreakpoint.png)
+
+Step over the line that creates the enclave. The Console pane should show that the enclave has been loaded.
+
+![Stop After Enclave Creation](images/VSCodeStopAfterEnclaveCreation.png)
+
+Note: CDB commands can be executed in the Console Prompt.
+
+![Debug Console](images/VSCodeDebugConsole.png)
+
+Open enc.c and put a breakpoint and continue execution.
+
+![Enclave Breakpoint](images/VSCodeEnclaveBreakpoint.png)
+
+
+## CDB Debugger Limitation
+
+The VS Code Debugger extension is currently released as an early preview.
+These issues are being worked on and will be fixed in an upcoming update.
+
+- It is recommended to clear all breakpoints and set them again every time the program is launched for debugging.
+- It is recommended to stop the debugging session by clicking on the stop button and starting a new debugging session each time.
+- The debug cursor often jumps to the start of the file when stepping and then jumps to the correct location on the next step. 
+This is due to the way ELF encodes lack of location information.
+
diff --git a/docs/GettingStartedDocs/images/VSCodeBuild.png b/docs/GettingStartedDocs/images/VSCodeBuild.png
new file mode 100644
index 0000000000000000000000000000000000000000..3b603b1584f11c7268f735338bf1bcb60023311d
GIT binary patch
literal 97894
zcmdqJcT`i|*Dh*DrP~k?qM(8xMN~ROiXcjtUIjsF0I5=vs5DUlktTv59i&PLO^AR<
z2~Cht0z{+}Lk}VS?BM%;-|yUe&l&fOasRq|3>7lmd(XAjTys9pGv`W-p}sczalYgG
z_U&WWxua>kZ{J~&eftiK96bVjB6H0|7x-ttpRu<3zViNa%fK&(T-5Z`_U-!|&q{ST
z4E%n~=Z>Y{zI`0+%s=}(y^Eao?PKKYXsVe!vHL>{^|3Y06bUgVR)mT;3N<eF<LiGI
z9X_@zVL6m=Y5c7-s>-=C7JGzWnDh)ZrUiSppA|FqR6<&6>+aXIv%+_z)8050Y&yTa
zSY6WH{VjQZHQjW!XmzQ-;rhsR+Yy10sl+J(qsK~$j<DP{MY2FybH8^M@t&f+km}<d
zI}dy<aoh#ujhFIR^GjR@(>ocvAjT}58qYYrZf|a$IvKXrr@40>ZYpkSvVQSjmssS?
zMectu)5GmLLjPW$jz=Z_y$AT)<TRT|%)d7kiJjFy@$WrGrqUS~|Gg*Ylc=@)_(<Jd
zx)f)a2A^P<TH_hQJIKE`z9@nvU&^rY>9it&^y#`@iiF7C-5GfDGL{kE8?yb@f9L9T
z%*p?HGVMyR{P^dP66%lHER>!IY_<0+t>Q|xHq2X6<G(B;6n^xn^2oN$9IG_<QkPy%
zqth5C93;%|Vi|OzfG(1<+El!3wb8~Zm4{gV7ISj5#GcmE9EJbnOkADXMA_4;@-TDo
z%e8EssKqR}WDpiwXK6rcb%}$zkBsCRhjF?uV{cITpTWh~y`xMG_TFo<R&I~XOjKH}
zZ?|c&nhstR7)L<TEm_3P%ahi^7L}@=Y&ce{+6PA`_64zb=}BSVSf+zsCJl^lzM1r=
zR===bRk}2cB-&pNvwH7yVuoA&A|t#;J^!w4m$1)v-C@Hsqv(mtP=m*)(?XL5N7btj
zAIm=~vO#y3NP5X?-18ZG?-=IQKpz+(c3R)EvzDOp>i(-vwcQWvdQs<VlNbdZH0y|f
zxhko%`uY+Lu+@>MS$6D9Sez0(O+7{GaF{)8GcoHO19qlSZ<ijmD7hU^cmU0(64g5d
zL}rj>`SK}Lc<#$!DSE@7l8P3wrM2{Wq5w<QrT(cIa-~EARU&1Le0~%fAxqk^^%}bz
zrWy(R4opie+hToYW-qdRbE6Y9Y9rqev}Q-zL`mf%k>E0~j+du>2`i?-8y!5uE60<A
z<Vl?R)LUMSKJ6r=YS?YXCLUA`J<)ggq4|CKQUd56>J!C=;)bP3aXY{x*BQHr71MHf
z(P{BjA?%4!Ge)I0)WZBIet>as`_Fi_C6Sl@AoJyn(<Hrv^1A6ksjMfzq$d^fJrK4#
z6McHz4rkG^_#W3`D<R0D`X##iOnLGqwx%Bbsxr<-wXVCKA!=8i6)O2VuFUxBMvC{F
zMXCE;oB3~+ZSF70T2d5-L+)N!l|RO4W_*`xnL%W~!(Zum95MgdJAn420}+X@>LyaS
ziD|#v4pM}z?MdYoNyn$w#_FDU@Aj6FJ$p!NN4U9-Zt9_ZPTctTg*Y90-+4?wW9uHT
zuKM(hlQ~g{#L@{rFW0;a527zo!KvwjyM|sNbA|nk<zLZ54Nk$IXf+0OR75-qq)&#Q
zpB-Unu;95%fBov3XV@%?4TDT9qT|Ba#p$AG#F(JXWR`;8<&h&)a2{(i3KTQOVOzL*
z-LnF?7XykiwqQY+Qg)Ye<At^w<7oqjq{|>w)qtrnZL&fKepEf8^WZM#4EkYH+w5WI
zu?jNjSM{jk2dNHOT+2GKt^=#JPW1cyd-`5|mUIP<h`JVg-ZVaDy_!R6a!?Sry;y61
z?xX|7(ZRaZrw?05cX>sO84$!g^9}R<tUR6TC4vA^gYi6T+F;OBG+B@a&4tu*mKwy@
z`Cxg3hZjpQ#~xGKv2exM0iC)g6O2wWH*B@zg%aZK{!Z%_#+hBzsj9Fmzm$GwDTPIP
zCDz(p0c*b+ffpd<WSZAJU#i5tv<wo((%hl4@4i!78KV6N+kX}#EiT+9X$#9PB$VUc
zR{O(=UBm&~0^KxVEQ15~UqWm|gQ?kHHhaV$VI1cK^xN95F}5_YDe0LE)UkM~34OFF
z?hY~Mb^@XfzKDE6_sc6cOr!5>1IdzE1ndZ$0#u`=Xq8>zqj33@-|^^raM7R~`dLWt
zLw=vf6_C#oA&)@_iNjyuVBMoQe<f-Fg>q%`vPWoueeR#yQ9Hk3x(io-ZbkjmgND(t
zAISbx_pDu9o3b6D*>M^x;vj(7kEw+-=v|+qrN4Ve&)@sp+^G78r9`leb`oaSp$={Y
zhtXkdb;FF(Yxrm{*ODxi2MS-@k@S`=Fl*UXe7f;EHaf*&f;_oFuhet+`VumP*R%!$
z(;>BBR8Bck;fh1r+j33_uWL5I3h2Ic*p(w_2q7|Hi7bQXgfkrYC|VTOx^#DtsyG9F
zd1>*rB2C$76*SwJVPB3tcvK^3@Zn)XWLV)3LCkNK8M4X&IE^gm&-;Zu><~I-cXgJb
zv<4!+>jcGHMHA1JbIy-RxfU|CJ~o5ykSOeUDx@cR)lWAX6C1Fvpp5ogihpO`JBy(}
zf|3o-z%s`;Xr=q12hq6@YOv=?1UuyOxj5}I*3nnK_)+XyOFhJtPX3CO{KEMKlr(!f
zD`Drf<l>qJJh*0q$TE@5c@;!wPj`ckNuFD?s-QiXV8mtXrnY)a5_xIMvL4`%^NJPF
z+*tTkYsl}N{E;*BPdZfhZNDPMBO1?fb0^#$xHA6Jsw*1uzIWy#8wW=tchb?zNIIb+
z9rDuDP(EhgCfqL6#w+Bvx$iIusY|lwv`LDbQj;hBfXA)lj-RG;A0o4`+tI-NHIrFK
zaGag$BzV{}Msx~;B^xn<{|a&md0eq}j4**X<&W`CH;gg|`|SGzTF15FJ4@(lWpE4f
znjR_Z85l$qG>Vt;XliSDnU8Dp-=$Xy{)`@e3em9svLfrCpo_a5(VrVDX)fw%T@P!P
z{xKjkspZk&_>GWH`Tav1q(@PvIj_Hj{8VIYjjB?ikvmpAf-Ghf$80!_?q*pqF!gDx
z?mFfR65Q5O3Ndo!ud}&USwVx>g+0c#?<~{T>&7Qw+wll8EoUNXK#`4aop+^1@Z`tN
zD!B44)Ik9!e_M&6WOQ`<8T=sNs`9|{Kmdo#(h6lvE`d6iSO}t>$c@G+`ljp2a)ZTd
z0y|}ky*|wjn6TZoaeI~p0_~yQz!bfT9$K@IymL}Ny7DTWHaKw5c}A9m;qRX{1$>LP
z^aW{${D3BH9d|}k_T#Z|Dc5*XB}W#kDyVFWcxh$($snwB(??-DpXOo(TKH@m680cC
z%%GN|f;@c<pK6VD!E+AJ$bMSCu5SOhvk)sA7GJcLs?h-N|GKj*8wmwqhh^aEWLlyz
z?bf~GUu(JDg8Gv7EjFr@KiB1+`=U}L9;G|ZgY+e>t}=WEtbK<QKs|ayn>S!ZdgSDG
zuYDdhUIZp7@QPxL_eO4J2@63_i&77EMT0%5;Qnn+0bL3Y_7}r`((xNj%{iIkOb5Bo
zfa3F`U<8^YbT|CkBxp?X=ko2dDaSDTdT2y$^#<4xdf4P*l;ZlR0Gfn<^$h<V_8sw{
zNxCAyBECgLH+s#QnAH-bI}74woL=LEdSpdz)(uN_st&z6=7CKL;rEB{`U{-B{StDF
zn23b8<A<TE$atHT(kjOp=n~NYB?Db8+9I-~Y{idyZqezL<V~!7y#RnZgjcsZ6sZIf
zW`8627BLH4M*CQ5(kYaj#b}^x?dm?x*v-m?A;{kQb_tI=&1@PtA=?(Ll*sj_-vid2
z;^@V?W0;3f7{fJQX3DIlU0f?Wn{7>iF^xk$E*f=iZ&AZh*EH(w;0hAM&g;;2$_v(L
znX=)mPDB)RDYSOsM?XVpe}E|GsDqjc;@H|vYS1lW31TGJ15SnnG>`8zrI1j&&c}hD
ztqL$N85?KNZuS<EREiEm?<a!G>wZ0uWIU{?5bY0)hFzK!MKptBu@+p)30-!{htO2p
zoz+r@i4~}W(}}CBS939C{!=sbr#{U9gt>pXKQ&Py<69tYNgMq3VP{-}brYPvm4!l=
zS@$72x|A}gEKSpI(m5DkN!m(wZx6FJ%^Mu)@6l^V-XrA}GSY5L*G|<U@!^bf+&ktk
z);Z6E=#@XfIqRR`OA&CJWaCMYi6|#yX$zR33Z8A(aKsGAH$RVZo;r(;mSH!Mp=G-^
z%gw`?>mI79(nAgK_~2EIZ8_V>F$IHz9;lFE*UNZN4=g7i<zvdW@+ZtZ>|GnY>X6OH
zF(*?_i<L_yIZUOsM8lLm5HXasc5hJ7xd(jCFp8rk)G>5cwcQ6EjY)${V?k#2kF&%V
zW>dtqCKvh34GJ~r^y(ewEAh9*kn7dx;IM+-b2K<^Bbd^9V1avZY4HQ<v#BVf=|q1g
zVU4-E)-=SJ7cJ;0UOE<z*$~{&&Xo)&#vxo?%0wp5z_XSWOXq8@f|fYrO^?-yOdk1p
z!J@sf6h9bTv&F!x^R7q>?6|36$==P37NbSt{D3v(tCcr`R_^?Cp3qF5e~MV@tQdx<
z!0BO5>1v~(x^lxY4wU=5LMr3O$vRcthe{iErLZ#SDgEdz82l;0g-j=-9Qi-PY^Sk-
zUvKpIE5KDg;t<n*^>#qUFLsoPPTVzJ&7yA?O1}Fkb0`V9+ac9!zagmw;4jpN^!b8t
zZ0fkjj#iI1a?z+^`48jFMkgjS8Ph_@5~ex>aeV(=JCN+PPcf5yO$TTmEz|Lm5`G-6
z?D&D)nbuFi<ne6JfWkV|v&fT*gY*FG1ODF#OR2kUcuq{VKBYZOav<ZIc#1}7FNLy?
z$|?j|Bbpu`6D$=8V_3weIPh0~pd&<8=u}7t`0@;bhZS=&uIsDn5bMdLTsv@<F-T)c
zWK#QGr(&ff04ivt$})x}1=0@b5U2k@2VcciDE%opRms>M+d}<T4Pxx>ySfNp7+?5&
zmHf44glC7vjuzOM^*cp8ia<Jm&c>l?z=j1B&SCj80SZYD3N+>79a2^k7$g|}3zXXf
zj%t6%IxLFvSDx>&H;|7Huwdx#LS$-*@ov4d*Z@zZp3k85wHBn;Ptw{+isoVf!%cuZ
zD18KX8~hH9KnE_~#j+qqr8w*MZ$lr18Wv(+1>|zlGN`m)$bov*4PsOa=xQNjhqT5Y
zkVgJqvJ<;Ari~7vIoI@OnLB`<5>^m7{XlGw4lZkN8Fa4nrYgb}SX0!LzBuwuEyDPx
zR&{ah$`iW*6HNHB#)%K$g)3$dDfeMWSk^D8S0OadS`O5VO2pbp+HPkpWBlO+ShA)W
z`PUPwq7qBY%6#j5L13728At0}7JWIZX9wS{7L)%bNd6dW6Fzj;rEFYWPK7Wa>;+xp
z<VO3FUQ#qT*P~<U+>z!C0PW4>GCKM060{A+q?TkK@IU?$Cqqq$;y&AG$Kbq)1kp4M
zC{m{otrM4T0jrC4J9>sbv+NDt#Y7>V7+6K)iK#!pcLC^4#cwiv*hkACH0OJ2#A>gK
zwh&(xyFoOT2S8-0#>a@jEduE1wc@ig6c$|dSJ(z-N%rG8M%T)<6RRL3yymd2tg`Ax
zb8FZYqSVd@2JQX~1wEjmtlBnv6Qi6mLUSSHuW|Zk%~W?F1AwT0aBX;n6*ovwo20K3
zv-D@T(19?J38igdDvKDe!#H~sMWB?-%flXfer!gQI`8j#t4j_}GwRM~bjo@#8uei5
zy7++509%VQ5CS&1hJd_2gS_uxJq3RXqe&m3E&1+F?_!dqu0}(PDHhAJ5tw33J}R57
z!ZjDVi-~rFVrMAE^u^;7@yJzAC<PNfaNt5t?X)gs>UYHec!5fIR?fN}yxedavd(Ks
zVJ{`*viEH8!FG<%(~;Q#4hdXt*`jnP_mn~B45GItKx6>cA~}+9#MYI2sjZYvY&x2R
z$%D|=QfmzWGOMY1Bl(x|F5VliB%BfIA(27t4{8w>G041udw@YeR=v}VRc5O{`p6_U
zpyW`X4|Esb;WYT_q~d0D62^Yl&yQCqN4J!f_mjYG*tQVnlZenK5r-Fd#;*ZtM^5o^
z@a05Sk8$^&Oa52q<2jR+Ga@wCY&XFf<g&@_Z{WlVTYC7U?=rZ%rq#QLx_aqRs8Ejl
z(Tk507UL&BPPF;Fec`GuPabsFILURFEG!8~D@F9AOBoTtDnVV0;Pr=T!Hi%_E<b*G
z0E9}JoRYF|=l@rl5i=QY`)`#dNB4iN#XOML`7fEov=w;gzt^Yd|4Y&5rHQ<P_q1|a
zZ-GIUnx>}dji6N<A(qZ?`ZKlr2D?)tOr=LGivFRS`M8&kktQZtKFYfeXY?dyg0h&;
zFFH#Oy3Djy?B!`=BWT;kuV~8~wGmh-^UfT{C2Sf~Nh%UGyK|dxtTP<+=*Q0!FyfxJ
z^fDXnBEy{C9E%I5M?}tX!rtA!fA9Z?FJ0+g=u4j`jM}H7Ql(I&t;P8k3b`*Ze;eTC
z-4$>eE+e~n#Gq^ld7T#!+Kh}!--v-icX|`e?Us|mSuppVm4f;cQ|(v%17OylAo7A#
z>5{YdP0+^PKNc6+RmA7eyw$z3CYFC!q$u;ojT=4XwoP;CSZV>QC>BP6C<Oj_H;ypj
zl26I`Vz!J;yTmSHUTSdxPN{>7kJB~yYih||se}b!HGP41o5!o5FW5tCHR;{p<%DR#
z_eVv7@b5*C)OknqXj!^UvW&9wAB%u||KHz^1=C53Q^7wzW$7~A!t8=q13qwhg7%^`
zbW5aaCOu0DCk4Cwic{s1eR@hL0|ebppq9W16}^oiKL-aNq_k%!`1NiY{$2A=+8;jH
zZW1csQ-_m$wwH{mZLdgYT>Xlq)iKNf0ZtOT`(4g)8J>S!v`o(Y_4IW9CT$IF4+8+3
z(z_PobQx2KVnVn3`2G({BHqmeGb;+G>h7(Hi3!_ub9?B`Dz=XtkQ$l+Ac)=J-*y|Z
z#6-$?MyIs?`qgS;uc?{*Akw5kF*LA+x*&INZtQc+1LJJA0N0b~)40KGjf7iV74Niz
z$5MQwXInX|HwhvS8w0^BZFeHx;-;y^r8IK<r2m@mK+~@wtN!N?HqDXbWXsfwZb5%p
zIXM(3Z2jQ!>Z*Q;b(K?0*jgyo57O57@3_r(n~sz88V=r#N<91(e)N2qVk85$oeS#5
z(x$M<7eCfa+g#(?o!K}1)ab(Y@GtIX7dTXPqwzOuzWJZkcbATlwTcQk6g$yx|J~kY
zGB8_;{o?0y>LxV=3>SBD;%Vdg<E^va@Fva75HXdf=lE9Mc#Hy4;bo>DiQ8YFXmlc=
zumKKp0tWVPF$=u`&*n33qvjEo-3jozKCj-8bYe4cS{zOrg-cX?*?ei4B^8m8e_XL7
zzp${AMyvH-9x~xAFhcmuwB5nT|Ko#pZt}s)L-}`ZH9Vfxs)lBt)jzY3F@Hior;kj)
z&2z$cHGb^RCoH_=<~eYnhx^b<$%x?o3kS4xqi6C!vhHaqxtzKb)JN}{PLIhz(#*w`
z^~m*69ZeH2vpdP+&1IP5=Z$to%vF4UYwlngAA4-4d$%m_);U_w!+4b`f2t+F4F$7H
z{1AkEW&^^SDt=|~2wn~{kz~c0sS<9j<R4r!;!JDwQMjc9Prp`%$$>`9!@y6Pff0<g
zgk7x_L?Z9*#W9lmRHcf7<7QdOkniXj^C%bnopS>EwU!~&=l=NMt2ez{K~cMu1Hys~
z44mS<>dgtZ`9>f1{o*J%fAr?(3_9_ZJyl4CVb8$91E3yYw2Vcez5P8dEdZE;ljl*X
zs86OPlQ-1wm6Tngt}=D-5#d9LyXpKS6yU)3hu8a+*1FJT#5C0D=QB?G*X<=|@}|i&
zK*JvDWAtIEvE#Bl=ydTT>R;<IHQeMGGY|F?wap+tM=NcusF{mBG^51h5Ff7Gc%Qkv
za&fPwwuHoq_#M5!)A&kQdt#mkx%7A-<<FY8UWqm@FiVj3kkfI`UyEx$D0Hy5h&J!d
zwMivn9`dz<o@;#=-DlXYRyHhs0u>c-2Ar{7*e*-oA!FhL&fBmq(ul@a{yNlA0dD=@
zW?m6*t9c|7o9w8F($Lw?A<7b~@8WQ(jmr7F8uGp`490dAJ&|7}W}WNVg#((pxf~aA
zkGwr9QOhwrgU5)*^G6o9<{im$4fpdOD^EH9kvcvAyPO4AMQ}D7B{dvHQkaR3koWnq
z*Tr`~joym3$IpKJljf2cfNyhVHO2d!a1cLboWe>|sur8cBV>*2O_bK;(c3RrMQDSA
z72+2&zHI`e2op)KX}&3z_@ZbM2z)#g;s8IT&f_!nkISq1>CoYJouq6InaISWbgq3u
zNy9SYp5JPYz+v?~qk<5ck8xqE{q*ruMn}w$7vLnHrmx54jo@@@u=%5rXpHqg)3L?E
zq1C37wA`gLISmcfsNVh%X4?n~Ynz%DkgVW3L(V<N&F5~&tNQ9h0AmA8*B(V57omk9
z&rt`jmzJ3F=^xm`0XdVdq9ih|Li@Q+WTP=l;#VJ;gEpr~b<!k;GpmS(YdoX0(Z<5N
z{Osck=NGu?%dT1iW$&)^)_CD|4r-U!q^cq5@#{{<MLvH)LSZW0Mh%u1Ov`0xOYA*#
z>OiPp$ihW+6{_0P^T!-ML_HVXa$Dz#dO9)9$xVAI#YW*eBy{eZuPA5uEu^ltj3dqL
zPD~)5{>m3*nT6o+6GCdc%+dg0G{O8t91FO&XLQoJWJ*-$P}14kF}F^DpXUx_YNmhB
z59<EYKV9Ptb=X%7b`5{ZttPC>S=L^2BvtXm5T|T_C1j0t^gfP?X?#`}z}ySYi}5KD
zoglb!8M{mxFl0l#Pu1l1TJQ6=?t1(A@9-zJDKWVy%YcSTAUgh5zXiUf`Jf1_oM<3l
zygvsVa)R&}{36_3z$i^3<J*mikMJ*Kpf1(ZeZ1H=64Xp0RD{m`EZ$zcduB6So=<Ug
z?6dIAD(U-8#*vAzde>SOam_;>!N^G~4qV?2U%=yW6^EGkB)OtOFZ}}4;LCEG4%Lyk
zIqa>oCM?xuD+T=n>##o9qst{7Rp;RG;>B0)nOyMkAwG%aR0l=Lr<&<ju<v>C;1|q7
zRuWSBU4$`XN$)b7$n~#qv!lG`nK}|tiFC+BeJo|JJJAjKJl2rQ!NJD$sOTu{D`=+3
z*&-EN5g=Y)E;1=uv(>Ki^#*w~SSZK0TK$vFg(u&-bY6dC!^y;cdL90hLrvg-QiLCD
z-?F%~e2m*62R@G9rdbNb_*VO9B&?>oO$W)oLc<eq1;+Bn*k7%^8R2P34?*NL;@U)H
zn#8wW=o~$GM}R$s%c$_C=eNZLFx;4wdx^I11T?3)KNqwOXx1$K0~6X3Ztm`HLDXL?
ztMRx>ukN>(Hk;R=27LUp-ihXavw*8uNuczxy)oXu$;5e73&86HLqvIRMS(-A{T7vp
zr8+;eW0AT?)dc9S`xx3D`?539`zLa2!qt(wl#PRG?7LLAuZlM^wo^v{{M5*OPN-%`
z5q}ULpdzZl5bdl%bog4>jV>d3Y|qT!m&k~)cIiuqqi}R>icBXZFM{8!LPc!SMr0#?
z86MQ=jdr-SQ$n~mWued5^2TZHi(w3Q@_T>bJ|=SW&o?;CzP2bkyY*_cf}by@?%xr#
zW2Z*gE<c-bI<gzj1kulcbo!}5K|y`9CwcXbd;<)s9u>{gm8r5Ngco5w6vG$t=ziJx
z&*%OpknAd^6tbQD=}6)_0QefdUNd*~CfqOCUeje(Tun}i=Y4WHda2zg{;~fdmvXg7
zW$ph7qH~H@zdk!?%6b|1>_1>QK{M-Gah*+cU5fRMB+by*RW%d3TFe0asvu>(X|HT)
z!bVd{WZHbX<9KnA>dce%_N(u$+SXK=1y`eM|MB`9as(67xVj(v8(1|v2LBt1zFaxU
z+}1h8|Kup{(;AHat8VfnIrx^GFO3{vo+@6$ATsFKLPD}Qt`B(j{Qm;aTMqebmN%{X
zsy$R?&}djjv*&o#rLqbeOYgWBFT^_kpRMeD8<m*$QH5T;^3tJMK}hJ+Iq|&zbAz3j
z-01dab+Jzd|A({03^?lWWQsRq$GeaI^7Dh%1Aq}i;4kNy3`a<)M_X;i=>oEc76c~-
zRXytCt42Cn@bmx+tAOr~{7b<^c@9S=)_!X=yeyQ{^I2c=ADY&%$JlQFzxsf%fEbS*
z8mv}-)MtOOZZfcGJnHYWhxQn1j)h2S*fxRCoqsQNu7$FC9fxv8ms)PFw{xN(byJVf
zi;f{%%9gMdc1!ri_3`z-fe$w;;_o`*p_?LF6vNu-P|3TW;eVf4<sk1iR_PEP24H*U
z0xtq(;kVh@7pgg=<9%z?tdXk?i<$S5t!YbDbn@rd*l0;2u=S;kIb8WAqelUXQ&@X=
z`x(MPWuZ39M};03O>hw49s%Lz-p2bL@?T<w=6ILbK`;nC!O%aSpC72lJi6H>V9@;G
z_@z-8O}lEfFH3Pt_K$SxG1IN)#hiDvzs3KgS66uTC2bpjUL_KCcHYmMxxSFr*Ql=)
zbS~1UUo@aV-4)uD*;&d6qF|?O)aO4HFoO7agI{6#=u@Ln7YUc->}HUdJ3qeD-k|=&
zOqGEO!NmRji<QIx-)`;NgN+i_i28l2Xlw7AxY?SiW>oCEh;o(q?mm0U`!L7^o7*4T
z<a0L_WZ|I?{k~(qc&KDVs1rGvJBiy!vcO561l-x(8qU(EC=YP0z1rf3(+d~!G%TVA
zCE0M)M$ef!DL4sbf^`7HLOuA;vx&5;md>}yz(Z@<ccIa^V>l{6vAYx-<}?mA&UVJ5
zSU_Rtv84W>x!)bHhNh=8-M5DBNj3PM<>iez<Xvcxr9YBA_3R*v@z&E22*1m4f!=19
zaQxi4uNT5>WVfsMuQjZY;+?GSmxycMNwdJL6%^j=O9Voq&p^(0D#3KNnF48}|DJ35
zXU%<YUTW`NUG*ZN>sl^p$DPwD(I|>yZ7nY^uTiXQlLH?L`}K@P=-Efmos}DHw+3NU
zS-x!nMSszucqBWY=%@NYE^3uco6ZN$gC=mzJgf*HL(?}OK$QNjJ7>hhqun=>hJzzq
zi?qKkump;Z2E!-Ts^9zw$Dzv-qXk2{N?E5AAEr!_wlDGM|31A1z^0ywQMjmw9qrlG
zNu@cjEwpvZ%}O>?a`Qu8@SAUxz5vjC^?w=foTbp<`a_7v&@m}5<%43tU1pPpWxbC>
zUfIC$ePuqz2Nef@^>bbb7_YP`gi~ihh2+<)A~y|9&<K(<+Seg%<Vc&(35dy<*};21
zmt_EmG{OV;E7R^_s&)Fc<6Ny7rqR-?%=)eKV>O$Cr;;3Pa@2jVO?k)@_+e+#@~Z@&
z6Z49`C+d6$ENg7cRN%L*RwsT>L_=@oW1Hg2*-(B71M~}jBgRM)UG3bVB=d5c$NT3S
z{1zu&6LecIp3h@FsK7pJxX6<1Q1tGed`z${%c+z4Q5Z)Fo|I*T>&H*h6|`O4kB>5w
zX9io^iT5-K9e}&EAD`jsce@q+<C(+YLbT@-c5kEpQ-hYr8z2p#3>_YQ#|Wp{p(Yz%
z^}Fn18`SO;Q(_myZ$T?%%XG7u(pq4j$vTbJ+Y3nZGWqQ~OUuhTw)HcC-X*aH;dj6{
zw%Z$}xwcdLZf5*c<@#eui+Gl^S*Ni`3q<>x@usxzJZLJFrHA;#my|PO3UGDg%Q@tS
zA8a-gBtEj@eyhtK3J6K}v$^Fm{w3H?4ZJH8I%90PwL-ML)v!P?ViGAP9yUW#ZHc+^
zXqoK0EkOVvIFjBV=Fi~T+g<aHJ<*Ag>+Krr2U`ILv*qBrW0jqs;(S~LDmpA}OxmA|
z%mAISa()WgplssWxlAxQ%9BTWalV=+S*3~hRAmnPzx#eijeS~rjpgx#Ak|P(@*^t{
zeEJT1*G&bcTV@@DopNd25oU&+f=r3x6pm)0I{hp+$;Fayp+o>Ula&2rMrpGZC%07`
zK3D{`JQLlsYlQP}@@9GoxOYef{PAFfKbdvd!J=^f>^Pp7joPK{KI(fvpP6lOM|wGZ
z<nx_IV%FQ!?ZUpD_q|bH*p=oMDxiIy{GYysavs!6vZO_Bj)N`a{*nE}4*k{C0(}4a
zj8M;Bua?-$|8GC&$m0|NVhL0Ei%9GSQ==JgzUyVFPF<~ta4%11rh}sQ1$|%oS_$1>
zF8Mi|ZLy^#zPnPrpr4u+JM6SG7N&u@>Sm9=TK0<HwrSbVD>dyQ;YkM->SERyC<^d`
zhvYw)DUZb-O?L%62r{Yoz0l=`t{-HOrRP!I#fsFA%@vk>3w{35-jI{%{D3j9y44NH
zk1A3SB9B~p8Ysag0=r{DFV$r)dy}*oOQ3|p{QQppG>?nzK$~PlG^#G38!cki)uZyt
zhD24eaw6Wt<%il@i=EF<f+JWDF9!AoZZ)SbHvP5h2U(W*a^L;bVfv3FxWVOEPGW=X
z(m`j7(Xu*dpG39eXwDsZw>_hRR4T{%W=Cq9t2^{6CYt0&T*^du;uQB*KZ)6LcP-e*
z5z!-_{T_FjxxGJKhR@BF7AzNYzc~we!TnnCxRJJ?kf)}?LV&+e54W!4Md2Rl_#a7U
z31hX5H$AXL720efv8>L(of%;IEcmiPP*9zv-LVlHB8ahZauW}xTqjju!@}ACO&Ykw
zK(8eaMcA^MT{IRxe{F(G_+-E-AuYiiJ?t%CC*i%9Tzk$vFWRoGbzdmsr#13A!PY~V
zPdsua?{T&+pmJ@Az&Axs*Z%oxsSp}C`OrH5k}+1u8nm^-d39?=EEiC9_NG^9z6G_3
zL+)lOLq_&IJ~`%eh>^2&#tq3NkM1}Dz0IL}Th7>)6cbB0Jn_q}V|2+D<^;E%7P>p%
zlYGSaNu_s~>IIrc`!u!h?Gos1HvQXfSQZ-xXXsY)XQ%EH)n870YFIsXP{tSk{xzFL
zz+MQtG4j)2KE@uW0HfB2ZU4~TTrSK~OqH~KyR|rg0z}k4=S^o@(b1RDg6_!`EmlHI
zO;X{Bbb=TbQ8u2O%>ki0i_Iq*s6H-jG;Vydkz>;wVj2>f`ktV9gJda^dROhNg7QzP
zW4RpUBe^rqm!vcHa3L@$L7u}JL)YqT7Y6We&{1ZVV?&qps^2^Ltxd^zdkRAMT=Y}p
z3KWJ$hD0H;)y`^u8Y=<QV;(^si5C}o`K)0n;@)RHki~Vw62mt<qDog+eP|!qw&-M>
zWnWZcJeXb|Mr^_c>>rbB*<cSQFBjSxl7MX9oh)u{W4H$$8Ut{>^L~3{yY4bECx^5Y
zism#plz1FKH|dq-76z&$lZ#y6#21VN5&1*oO+jm8k74Li;rBg2kjt0Oc<uOC{3onr
z$7;{5UP^ab{D5(GUOdjDuli-VD5GU9PkEdX;Za>Gd_lw79F;s9I+tdf?liEHUpzW8
zg_q0-!wo+5#Nz_zkBS*ZJMY9b=fEZ)b&XZ|_-+t7n~z<DTURKIN*+Z@LZQ${>8-75
zq}|zg+b0b!1A^6hlBKNkR?mKI)FEw!3JnTb-oz_EH%eAv6Dj11N;IhejJ$o3?Cko)
z;t1un;#Y}Z?HWT_(kneLX6E{Qy|$xl_<5yqd+4+0!e~OG;(-(U=colo<it({oMX4F
zf6pqyDWEv_yqk$ar-K$h1oecjH7`zhk5#sMCdLM2+lX%?yu_bs^0swrgZg0Ba$d15
zFk0g*_9X;py;%Rw@7<MZ4@-MLI(P#A;|%Hnd2>F<R$$^I?R#vxF;2mMX?+X<OSTe(
z1Xv;^Z8!$|v5$0d2v?9p1D4Ycx%-<nm@r~~AGbj%xx^+?YzMf~CTdf;+q2b~_gaRo
z`mNyEBie?{9$6#jIYnP%?OT~s4MvEo)=OHqeQ!8Db{EU|RuLg2-}XYMWcs;_flx-+
zOe9Y)*^@bI>%YQ}k$%7GSRH?xE;sOhQQ|sbqm@#r35l>!UEy7g!J@6FZtN_z`t5hF
z@}n)OK0{d?m|YCc8;pKdDU(6O-pgRhijk~RC_uAK7t?t1f@=e42uk!0n@x{9@)FS3
zSLJ{D)(kt>un}B&5b&)&xp|;T){-Lh{w1(R!I#3j$1t^>;oWx`Tyc)_F_=d0t|f&M
zfSv(Y!Ta~eMY#KchF9!kaKyurP6fY(*Q}ySii*8tpma8GRT&yo4Uh&Q(x2+vRgWKr
z$j8Y1R4ec~(F!_nE5g_6QDp2p^sfO<;_r#vGLZhtja`)WGohZZD{^yEATJ(^{UR&c
z+VG{GQnF9zb+x0%-f3CHe62*nzXFYM-me}QVaU#W@&|y8R{@BSTkl{y<6FgsCZi=#
zF1?#T&<S%_dUq%)F>GP4!P!WqxY%cNDhQhlwE0e#qMYy(wUQZMaOF+^7@M%H?QOWT
z2%q*qM{=!@>XbZ0i|W+G+39Uuh8W5PN5F2i^KEKZqc^3GZlnA!3ZuOvlUx_0)87&6
zPNN?3RnUDcj?gS;@{n{-E-oQaKz$OveDlsB-P{jHUces2C`QD>(h!)M<<%O+<}!Zg
zisqdV_n#LZIOQXR-@5~o-B1tuswU4nh^d?6{FOIizSEG%Cc-QLF&VU8dT@I9@=nX6
zv?&>lNBtip*|#3`Y%A2Es7lsO=rQFLYaY3~l&XcF$}2wv=dbe@HjtL9y@R$~!<}uB
zv#5^-??#k09s#+w!h*xu!TKkz@yB<2@QQS7)%Zi`gAeb#T+`<#9;W*%KwbsgYL^wI
z`JCW?{&WKnpB_Okzv7V!L;;dmd+7kcS<6rF{z$iHG-^jh4b@e@0e$;1_!vO##R-vV
z6Uky3+wHeYR4gtCS)eHMXkQEOf`mj1SsVB{fsT48C9ca=>+215jYBVCFP5eFdGxJv
zrD#4f|HLhohw^)MMS%Qs&Iml<n{gsG%JM8+kp9EJ^wu<#2W887HIN{x0q9PGTcX;a
zclI@^3h}ZQXYl^KN$r~u+p1-Ytk4c$QC5ssSiMxO*OY3Fh6;0#q@bGm0LKsj1K5V*
z52D<xdvS{HxBDUzgC-wGv!0CyfxXZ!L*wJiDIHQztO;oVVXr;VDy*gNcnFZ%+)SL$
z9r8cA!ZmgwW9#4@`z!4_x(}W5qQakyxahlwu8+=CfbgY0L*C&b@K9Q#dRw=&tETG<
z(s1EGUhT+vZs7|X@7Ewx6N0$5P0``yN~xUU9>s>A)s37YELw9Du|^6m|E5&1?+Ibn
zYh-R=j%z~P!d%z*xC0d3nLl7Ze^F5I^(_@>1H(-mM_0^7(V&sB2AKr+66h(J6>i+f
z{I$0G?Rs5^zS@FEZQVONfjlzJyT4xn>xUby2%4EgKrsKf`s4KnGEdpy+XYCZ4s55o
zqnw#1)sL=hBOpx8jbe@42QeyF%eF6|?LPZ>B#eIJfdHRA8MU%W_Lw@#K}hi$R2{S%
z4VT%D_to{VZoX~%kK_ilsdL}@E$cxu;`=aaU4A{;W3b5i9S7xh@NT#~P(k3B*Swz)
z;9KlM;MdPg{K3B)xytVgar#>H50Z%pRg~f08~@hXgcsZ|&c?n_jDRZ&ac>2A+AmGy
z2&`28VFI#|3pJY7a1-I4nz9|Et|INyp!v+(UVJmTh-aP{8xQxDw8RP|y)g{v{(fY8
znX-fTo4J^&;x^*q$OH>%*Il|2gpZMag_i@0ov(AaGQlMM&)APsZeYvvcYY3DPxn+4
z;?{!!F(h+@*0on`&k<YK)^|K5tR>oSEi>BJWb~@<`nf|;QNJy}!a}X<D=)NP`~R6z
z1{1>W$mKjP<)~21G0M^|hEj6*0<6Nn>kj1WmW76;ml~xds_8{0K6!Le{kv^bU>YF>
zDF31`-bjfxAVMdRYgdbpXFJKST#JkQ)qAt+VorBA;3?PtIf{`Sy^l*e*68)w?6D^2
zmUQj0=tcGCN1g$MMpK}#NLcWPwmsbClhkWhO#!<A&0N)ZW6F;9&6OKH0nKQ?E7uh7
zkCs6rb7cY!xs;U@`<#%psXvdU@6<VuS2;g|F7>8emmK`Iq*J2Gk5f;(tNlMIip}}y
zFA5}abH)Q_x%Li!m`;Dz<J9S#3`_&pX;|@FIXm1-z0v3Xwy!w|_2qMLjU_tajb8JI
zA+)@8qjh=)fR^6AyN+r`$oBd=TT>csDGTG>gIqu}n=Q}n5gYj!!xIj(bu9!5KuZek
zm96xdQ4d}zF0{e;E%v8Dd>w2>Pcnr>k<^gye>)k9HU%f1Xs+5-=>$$U*qQ~F`^?O>
zr^odyQ}lZhX$E-{c*|y!%<<YQr}a4?wh}y?ob{tA3fFDN$3O5-;Wk3eQ8gH^0Msrn
zrwD)(1|JlYkBe-)Oh};7XhWl;BD<zu)ZIQnP?@6<u|b5+IDzYw?&N?y#0(JH72bb{
z*(Z^Ps6>0J6ysh*O6rY_bLY<aKbuVu*0$kd!XZ=;l45IqCWJT@G{4%kCQIp#{`-j8
zEYBDJG+~USzCR|i*0iR|qp7;_?PS8H(%P5d*o;Xe9LXx-u(i;aAlvZ{3<uJHX#%_|
zdnGz?QOmn4mj9vFKpJ5WCEqtf2@rc;FOd365p(gwHFa_TRT9t3&F#?ho~W5jmXnja
z<Kj|s)xO2>M2yz*^70!rx}ge2lNmh&Idk>SouHs}aSu1Q1YQYNC#{_O3p=IBlr<!_
z*3A|F<~xEkgqY(<!%Q#tJRnaZ<`A!Ik<h?uYb{hdMHW>P6`|{q;j$BMPJM9WLGy%*
zL`jT~FOXaJitk$kU~hD4;(rZUEZf`1A}YF*op7(MVvRqeD7>|$t18)$Us#02X>Nj@
zSLL5TsHegjl$jEVF;L*sFSo8U;W$^XEomdaQUD6|jAj*LVX5o-`qjN5jFgn2+B}*Z
z`#K}A!u8eYb(fu<rKK&e5TMpP<huwRLcp?cloV^P$273aX4;L56Z6SnO3+aCs-2sc
zSKxfCipNyoM<^wVR*Y9u=phR>%pJH}l64xx@fw0tEUc>=9T{!>6rK1aWsWJo0WpO<
zc6%kPT2I09ucAxuF8ITxT5zB<Vw=<X`1wSF1}&Lp+HBQO7W!cB{ePp_0zPHCL9xQk
z5_kFWsVRw6Df^Ursge!$Sj0q9`hQQ4#1C+iYRFKyQ3{&~K7`5ca*CaRb4rgClI=&@
zbY8y=n~jy5tnhmHu6U&2MCl$$JjZal@0Qlyt;%~&@GU*U)LiwSqgtQ5aa9sS(_@!o
z6uK8>qXuF%)1uq~UC^(BMQ|$lJ-QL#(v9ZIAen?a^;g|Des>I^(P!LVxxKqO5OX!(
zroCJKaCG8;3NeF8yjEGfOUZXX160pw@$Km<S7tjFPB0BS;(@pz^#1jK;`y9;$;wiS
zi+-GfoS0mBY}Zp$ZKjvr=(q_)hllBcZ-I@!c#CPzIMAFig<}@I#oM~kX!IQcL6;YR
zMVt6KY~cQR0HI&;K$phU*fxjMUboCVX?fT57;~py$_m?z36(E2wbwyM`d+ze+t_wB
zdU{%^&-b1=mahS~e6NcB+vRV&$@Ff*)$zbPim!Jbx19T8pE+IAS}F{Xav+ky&Yn)A
zrQkj5ps5-F6nOe{^E-RoN9JL+oW^z+Lo<ETwr)Bd#(VaxG)}Cq(NHoHXd(UNIaaAq
zMg=x=a*26GL9(@C=xS0^X7B*(CHPewwsGa^6zNUFYiEr$84_H%(f)|}lrwq}7yiLo
zphOZ>5}MKz4;ovwD+>|&1PL!O>mDGky{X{9r`VqxyAr)B_6K_wu*|OeflQ%Mf|vjN
z$8F01XXATy0ob!DF6ceptrrk>#ChHXk65(=qGGB#oWTJA?5u7T;$*5=`!)b?S68Tr
z$0@5J-vH5iUc0}W+AnB1*sOcTdm@dgSz{Zv%S-Emg_EfG8I`Ipp)r<O6~?h`Ul?(x
zH<wrUTQ*kK;~RY$P+w1=coFxaXR&LgDG#~ELG(r`VOEo~lq+q`uJ$lKpJamU&7+q)
zf3Z9kgL=qiDeU!|nS?4XAet5p9r*?#J-xi%5OAqF*4By4sI)oHn%~saH*&Kk@XkX_
zn47h4bSQpl$!GsLyIQ2Pz{#M;H~ZdS*h=Sfa-&!vt6lE?CDd<6rUZaIf~g&GF<Pm<
zaxE6qRoHf2j8~tJrzih8*XGs$T#`85q<7@V>VWt=&E5KyUTd#!bMI4C6Z)OI*CC{Y
z>MAFUgWS|eotYVO9b#E?!7uCR32srxnpwuioDqqUsd$R_c1%c8J64(gk>4!_=-IGK
zRcLmwbr<wfrrxspwM=v#p>T-`S=6lfMm{*XU*x%dN#+Z&*{+q5O%h$8%Kb52IJ*o0
z@tT<;%Rd(N3r0pauK$DHx%KKpyDt;Z-PN5XC5DGv=M@%e0CCu|&a2p_CG4)2c2-b8
z{OhpG>@k7C^8@q`rDK6#RnS}m$=^Ku{5E-02Ic)4tAhx}<5iy7UmjQ5$6=c$A``s@
z_<Sk`{!GkGtW=9`gxzECrrw|7O=fCG^Tz6DNn2U)3-)0fk)Go+4-lXICG8|jvY=Q1
zdUS+gpWUxo#eq`-Dj0^V@```{5z}kVCsDB=r8kYIt;6r?3hQnk)cL74rk^dKt_>99
zDdg$Q{nZ~DE9bpf_RrfZ*Njg6F3S})ij!GCs0*QB+MDK=-Z#yeKg1N_YuLF>&DPok
z<$O1r1+1NC4m9aqW}+!(X$rVLsQ?~K+Eb410Yx18WVc9$O{GuTWWegw9r>8epIzPM
zc9u1;Tj(#_pRX>%2WvSgKKQ28dTFDB+P8ikwTd=0!bz723zqo|RS;2SEi!6HW28@H
z3uzgW2eLG!i`DWG8vGu4m$Y>4reWTBuV0Ae)|F_tG=+Xu@!Jf2Siv7c=?xrbf(bMJ
znYpL0ZJI9RE|w}XZOb78TR(-fU1wIk!35|&xR8ZuoQaDbX!1EBe31wHfsKdT*xfK@
z(Ll0c?WzAx`Rl8T?Oh$~ojzQOLYkVqE7TvcqNC?e&YwND9G$@D=^pA#NIs_CCB^aQ
z&Qx64%$&+S%8=JEnma|b{e=#L^wz3yOVh;i!$Ti&qBwC{A}bzRD0j6RkKLEW#K|KZ
zA_KA0KFC4n?8FPUvwzdQfAu7sp-6nKqwH5zU2WRfxX|EYm~(F6nI}+zuk{!`4m%Y>
zr;^Iqwi=Z)g%!dWmx-^t5BITiWGcms-Y)CLbOs0xr)A!Y*#tmYF~T*RR0f?|O-uG$
z)J-kl`Tnz7oRF4W`<$r{+8oCqrtG&lfBRQViFw%b3vi0UFNzx=FO_75Sfg9W(7!T0
zFnnsIOzA<7nmqdgpoYL{W}kN6bsNs6t$m9uELtm}b<h2LvGA3fZ?<tSibBv5mJ6^3
z{(;PzmFqyUlTd2r^;av+dGZ8(G4oo?=(A@dzQ4Yz6uTJyZb+mM*HUl4I@4V}pehbD
z@FtxU(XS6?q$S2f8c-?^eF4d8Z)En$e&0rL$_3X|QcuilSSQjxN=!VU|LKnfh89y`
zS>=76qzqNgt*WgZ(HjL0H-86G$N6`Yl@5MZBtRDsH?OeM6R-QF{g^DMECEFF_dpYb
zRqz6T)kh_YL=yeZopo*bm99JN{2MFa>&DBjI)~zqp8ugerus)5vvs-Mx+dU|lYGtz
z{Pr1dNJ;C$O2<9YLwQZpq2UqXPIP%f@~hB%??057ghXbjPfxw19k|&3AK1Q@6WKrY
z<Hv71ht}s2{I_FdUh4z4Y3L&-J`@YA1SCBS@-}x;D4nHK)>1WvW;V+@Uh%}2Atg*X
zmkt8QFc43g0aVuOYI%M*UGaMj3P6KHjqcGNa!{}I8$?Ko8~d>|wETcXxUcA<>%G6D
z-`<&aOVKD$yhr@h=iAvn(EWa~qRV#Ri^#no)r(t7p}mM~pNmds%^dCEwiwRKpI;M7
zFcxQ=6`v2;e_un{M_)R(u{1Di3ZFXyeiHum#CE5*kB8g=9f8}$17$y3UKCN!1WBfN
zb9g2&Fs+n%x#+-dgB?gJi`h4@qtMAcD)ILm`G_i2kr>IUJtdx@P;HKYSkLxI`)&fV
zZTGTy)Ad>n+R8}D6z+YfnN~`>qF2NGnP3XO&h{1wKnOkWZ+h5FO*Z&ViIWHIx3sLk
zAiT$<B!Z?F)w?oj1E@B9;oOdbL^<+%W-Sv9ZmalqA5OA3f=Ugoxy0P$Y0OT8|6B$s
zueqE!lL)I&#KSU2c{iK?8}HcZh_(49s`1+9fA@bbE!1><0d(V$2IKdSW>TxIo#>Nu
z*DoyYlm-lVe!~wvDHql@eDvLCsQ%v`0K)4Tr(iuS!+Jbyx#BzR4qvQnc9%?HRG%yp
zJ(<|QcacK@yr!!yMKbuwu#p^cs~=zPWrlGi_I@wNi%j_mC_I+|h~oE18GtFo1^8Ym
zY-x4i6%>?X3fz5taw2)~qmZaPu)|2|08r*hMT#I{)SKguBc|3AO4a6&cYfJa5$YK$
z5RsV#ZzSLG;Ek7^|6!r?u$*XnICOSvcE6K5Og#tgS{i0}gjau|BBj0iCirciREyMb
zS>w6CUkLEYz9|qdgDQRk@S{<1;}vz32vj~s;FhN52ta<s`Xb-VEOl!l*%}P1DmdD^
zL+AQB878VWu<8uu-NH?r%P*150wgDwYUAcd$&L46nPS9d5s|5?cvQ5Sy+tR`VE6=;
zD=`r(g^SFvCc}SE=zE&`D%Dol)cah!obh^k6%t?mno}e?U!?ZWJ0F3gx2w0IfUrDS
ze@$%hx$j;UigULw`I%@#yt!9eV`bv#<ryd68}o*6N6$uByUrmvA77*N`mfpU5T5fP
z`*T^vZia35^d=-WL?l|&A#|dW_-+YhY}cXs7Uk8eH<EbHg_x~kQ#^<1E!#`m@9Md(
zOJ-;?id)oY%H|}Cbm3^g<CrOCqAlTVaw0C^!hgNk$SY#5l5Hp0xgM`{+6?_zzS!a7
z6NlV5J2s5Amh>53eKM3pkbJ#eCw_CtHwP-4rlqe{f9smct=?1mkN6UJ*(K|AFt6a3
zR6KI<Olh_V;Y7Z<iZ)f6<edH$?d_E{)oVW|X<R-Uxz~Mvm71tGfBwl&?zgZskQSN<
znKEmJ->a?gpK%HsvzYdg;XSLRZMGn&ABCc{KAbGl`>Q|HmMOGXJjSXP-exi-Kx1O3
zkX}vR?jbY|a$Z(L{cTnU9_@TFyt@X})>@=PJH7U1BUfSG7&qhOKbPllA}Y~M7_@ax
zfp;e5!%@)n>CL@T^UYkv(aVP#RzvryXlDRcMRk0xb5dKsKyCf(q1SFUuCBG+RJLw_
ziWLtUX{((%s~^XZ*LQcy3;mu)6P9n8yDn1E-SyOVuhD6~!$sH3;PXFY6$OBY%_Qfq
zh+Lsg%}k}VHlHDY<S`Jd+fNO{J8MGV<Kgk6{gA2IT!H&_Hfuy}eXF{#c%8_kR;hq^
z9sVo4q*|{#oT@BZ<=wITa&r@1xAHQWQ|$Ule5divjMD>G*E=ob6>)%!`g)ENTZk$R
zFj`0t^UEYSmDit!MzZtEI{h)o?p@QyEXi1KF8lzIZ>IwyM}P9nNER08NTIHnBkvL-
z-I7Q&H-QLfG^UJZjpE`a0i;T$#7kbs)XytPc<<{siX=~m+R6i+89-Oh`}vmXX}fCW
zQJ*1B#(BxPSF9q};(dQUv}?bW1jues(oD|ItW*WQ{i{*kwaFvkvDX+cB>O^be5C;Q
zo(9Jzg6mV@ZEm%0WS+kG1exf?oYM^|^Ge=v?vrT>j?&G70_}f=fUw+1w)87(BK0R9
zOH*A8+*6?AlCuTzF0pE9$lljcZe9~BEEN;l?O)Q$@x9;OibHyH?SJm?89Xx&v+UfQ
z3o(@Q?zS<Hng`Cs$Kch|z_xlFc0BssKAUBA({ICBINt~O{299zJfCdd+bG>t-Sd)N
zq+QyGL?aI$J^CXW$z~T|3o|T+l5p&Gty%GyRq2dF9x9re{|PCTBZ8m09g3a8O*qj7
zB&uAY>45Fr2Xg4;EN2QQi0u9iGKXMA+LU?BTW7iqKWOz{<O>Jz69VNHhFM--krUug
z2jO@ECRiriv#bI;cOuK#0-CKCnq;m<xBNH)oD6_BzJJ*)neleU2`I>h;jFQ5g|*}I
zMlM)1`7giq4+zK~aZ@=Uf5`6wJCTcxJpXP$B;)6=0jYyv>Q>>+7u1b-_@4tkKqpV(
z^SibcN75!zK~JMFzla|U<lT~iv&a9bY*7;u{Z3q;dT|?GbD`(v7iPtpzwbpt(l0GZ
zMBm+5pFHX*zz_bnO)e+ff$=(=wYVeC8x;m~EkZ%pTUp8terBumNXwk6co%P7aa!N;
z!>_tn>*)!tlGn^uqyN?!7vnP~$={C4;p1gB6|{tZ2efOTCSA2&=N(E~gSj<}HxUpO
z`Q*Gwzzhq2`37&SYA}s3I<JH!#eD(3am9D%kELZxSi?BtT-z%r(19M{n^EeYZUSjq
zMn>lCwReZab=gqBBG<CfTzMbZrH=Y=51x7UQIg2)Wp4(k*VdvMhKzFH_qQ57SvO_I
z6*J#X-~#4|hZ(qqa_+uI%NsnpF^~!<Ru@0#V3Q%^RgQn&U%JrO#}4RPRVJ3&+OM{^
z{pE|iAs=vdn2Gl`z&Esb<N>V$8>4Cn#|qY0$3^NOn9Er(axrU}ex~vjsW0o#!>Ajb
zUQSsfEr8W?h6V=ltoq!#znQHs1Du<`nO=E;?NpgG7sRjtHx%%(*FL`dApRQ2>s~$k
zliQ#t?3k6tcKi>ZO@}+7>fffm<cM3oGduU0YE;z|Y_NGC0Be00{s&+09Y|&W{{c6p
z+luazofRP>dzLLL5!qyKj+JpJTlOZaY_iv}&mFRkksSvoS#j*mF`mz%?r*>6`+c7N
zt<Jg5bzPs&=ly=IcefrH<wW#f^eQgX&HaG0L3y8sdMGlG>yCwRP&<fKhtjALj!G<o
z_l=Du#S?Iia{wI<iCvj$L|%<g=Cyejn;`!>N{0=5AGx{JaEWNV_6<qb59SiR=abAP
z%Dvp~kg$j)ZljOCKO3bA@Dm((j@eAO4%0_w;3Lg!_C`U9fh^h2O-V^n^ephoVJi%|
z)YMcg&;&M4DgT%=h$TEzKOpKIE)x-rDCK>QgmpS>wS*9?J(uFVAi+Us&Z&8UwS4=Q
z(hs+Aj>hfhS=PsgJM1Z~70kzwm(|uuLN9OV{D`*~KIOEIDf#yUhU(u&SwUvn2x=W{
zBymE|pe{O=63m)D)8wShsz7vVYSF;3f45~4YkLJl^85E#x^4i4;sCtAt4ZSMT!J&h
z>^Bisz`Xl*TctdhEK&sMvb+|BsT}f~@c0Kxlf28Zc7VNh24KQO`KNlJtW1k=R^$+J
zF(=uy$9|4^3tg{8u6ue?4)a>Mt+CfJ5AtPn6WASH7Nq&Y=AMP`WS-VK=E!S!WO~rN
zwj0a==uRHx`SWOv=r-79u)Wz9(f3^fD~g<}M;#YWxGkhcRpYYu-~OE4{9qc8;!!RK
ze{n<uvs*dX$pv-@2odY+H6Oj?_IHB4$OZ&?5|5;sEcyA|C5prF6VLSyYND^bW&wh^
z>TF<8<pFvjreHT=WytBtF+0M2cg$>ZEiZ-Np}7Yjy19q1?T;a274G?ktG2G6QQCnx
zI{SOw#frt$bIgPP+?d0~Qvt}nIE<|;u)5gAB(Z&aY6B8`u%i*a76pKCdPHwp8vd<_
zsmA7=2rh53LYhIq&%8VhMcTzk4zi8$MK;`Su6U%atv%@^fL-Tm{K48a9C{6Ru2T{}
zUY)Gx8z7`%@7nk@h5LZh`}BCPzC1VGOK^Z!e_9G#fyRRhG`Z;shqZ$2>9ZT6bSe0k
z5tf1g5|r*6`}JeFZozp!#=hEvs!TIfR#kOE_a+y7<c>bz4J?!rG(Q~zU&jADT)P<s
z{z6u>=?KplU<bmWakw9R^6}?SxnHb^v&Cq!?(a7@Fy^o6nf^?fo;t8Q*Jw8aHkxj3
zpEET=^pN>^{D0m+wZDD=_!&zqyLF{>)3cz-&=v8*Z|7)##Dsc169&E!Y+m3S*}yjv
z&-5iwF3WQyzn-7{unlyZ<NpNd)Pq{`95tZJxc}iBy7?VI5s|QsP`RTZLTWDegH01Y
zZ@}xkUvcDt9^!+Kq5~i01?A!wW|KI+o@whtp{aTE;@mIPk&Y$vUj&}P+ri^t(|=%G
zkPj%-_rENaDoR)da#!~xR5QAEOzifm=?^YccY-djcx9y`S#?EaY67O2!^2>#H6y&|
z!2*u9FR3kWoGsH;$Fi<7ZOjM+64AK4WoQ75V7XxnPKAx=FZdW-(HY#RKkY()|I;0%
zAJwZ?^jrq#grrJm<%C;$Wf6+0V*Gaf0U|-Uv!i2ih{Jh??|C!tpP<!tVLkRr0itdK
zw!2~*ET+E8ETf5{PtbYnhIjzW+NpSjya+(ARA2p0>0>oMi)OjU{J}2Qh^V>Ic>m#d
zHaqDP8^-o|)}GEhI?o(q$*6FAHB0|Oy~jTWkCZ(YsP$^^l5Anc^Ice{*Z6m50C$+u
z_?NQBg4G5AtF4y7Zg6BlPU-7{QozobErwm_*Sm7-ElQxQEB^>6Ft96kGGfADJP=uf
zaz{VFnj-NyistZu>gJqlA|-GC#Wk_yz+hdKZk=YLQ)%WdgRmZ(NMtgFiS(YQMGdQ4
zU|bWOk)@qoLQc-Ty}}MGRxw^>WinoAkuTb*t~$-&xs{A^5`(CA^+#c;<zHIx=-#lY
zNGtlwrc`IRZk%#^CMFxbOwS(F(CAj2th79})TJ^nfsv%6#lrB*C^+gk@=>##xs8n?
zIys|&T8Zw(>e`y?=UHHjS*CtyS;b0<7O&N_nW&K~)@xkCg3K9^QUI{n0y1La9}Xwf
zoj6Bnk@IiU*hfrsL`E7Kax=_3OB%b{k;=&2&M%mrEjK~T0svkq?7bf#{=2}k=-Hh!
z0K_RPxQA*4zeVhM@0<1KN1~$c5Ck8*_@rJt%ClEE`?G`Y1y4$Y{j`rq8kRUquOp@D
zOKrt{dh|59N+BPxCjRCYa*1<I^YgbW8q`6jm|+Pn@azDR9G(?(Bq<qOfYoZaCc7dg
zh8&qyA{LbBkj>oE8gzq}R#uLhq~eOR%FM3Nu!wRU_kCwg`!&v_siEnit)GYj|Cs&A
z8wyR^1M*RuJLu7R;#efiE+RG|1n7Z+fZtQmWwilScv;x-JKz}k(4LKr^16@rXJeGJ
zy9lWS*)lW5oSg4yx&wv#HH<RyLu0%*Kp67h^xK^dYv|WDIgvf4(K=oFR08~4m0!3F
z(<LRdjZ<~7y#OemJH6+#Jf>!gJxqEFMEOu#hl2x^Cb|XGShxa4DXk&8{?BEs8vv-8
z!wrRdZ_MS55+{gY(i2uOeX_6ScyrTa^wohi=^b$>&?~b%pBfyTY3>Ajm}D2?3*a7F
zm&Y7uflA4wFRjtS8M~O_yrPctg_VMMm!!mAw+i2VBl$Wga=<PEA|@>CeImd|6;E${
z^dp4h`PQ`i!=jaoHay*-+I+++WrZ<#XRiS9aA3jI$T5h<>j3I0()-9p4;UVkLkLV?
zj~(zTAIZtdbsq<-L~FT#;+*snUBfog^hZQ2P_(e&lim`S@(c7Li^r2O@Tn$fk$IdH
zo`UZy4_8721wH-zyF^fd=2`LwV>XB-^_o02L7lbO{8ZR(vxg7GjZE+b&jlY8l<?Cg
zJZ9xI;kkgd`I`zpG_rKE+Y;j47#Ik-m^oZWIRBk<ix-H+GGQL9=xTf5BLBA#w5)?F
z$<LD3JD{Bh2f~V#ygyS!Fbpj`W!GzX`TqTTomx>b63tPg2$A`mjl*%PlG=7M7bm9<
zto<5Tc=Hdj<#-n$*w9_n-bW4^5h=^lfiy02svBdmF9?_}(#(QJOGh^N#%eHAnmtY7
za5W{+HNEOdMKS=f_I>6=HF7$wOuCCExFj&!$tArOUjNXP*2?hip&bl@ggDOkw>q~V
z2S7CR@NbjVE+v(Ao?jKw9Is)Om04-5!B33u<OM*W#SG1IS0c@QM?r;CZx1mrc-)&N
zf=-jl-}x{Hya}<%GW@~r+un!U78;_r(iJs#?90c&wOFqEK1r3S3F?o~x;;uwo3Yc~
zSt_h^&F87N+P$1Ak?~jLC0fdoYJ{LwN;$*{G<p4c;u)NwyozjD{?nQ0A|t=Z$hO{E
zxB81By`Qz6UHk)Wby*o1i2Gp9Tyb%2?Gr&EZ4+=3MayzORaOqHtnQ5igidX>d4<6f
z@w$4X4%y*2fGL+W8aRKDh>;hecMu!zc0cT>5}!fn<jvoo$%r0K(@G1sO}+}d`y5?L
z8Bc^b{y^eHrA2e11%r#O!~BEt)WD`awoTw}Xe53Z*u37)LVs51yF2bhD-Lk8x+U)p
zWXqdO)@5U1VaRl|3g7WJBO#p|0{k^nI5_HvIYjR4_F`kPwef7Fhm>|h8UPZp#LD1L
zyo0}_CFp`A)qVAMZ2{?v-b8Sgmjh~d17=eIoGt$Xd{5=JiKJwdrJLo?nv4RC^Lm*2
z50p^tDL5ZpRzCt#a7eqZ9e+2Q<BZ#sR7HY<s0YF#@(2Ew9|X`Xspj?#?Yh8g*~&-*
zhPm~~Z6?5tVE+tf*67dMT3fS?l{l`AS0Q?4WHL9<6Iu}vHojZl`4o4s<ktB?k$rSH
z@w4OOiJu0bg)`|Hi@44&kk0|$-ROC+8GS6cmnPz&b0^q<1m0V;^O7$<`5k<S;J1vJ
z^8AP&aIZGrtX{Q#%XoGHiq2nfOk=^h_#eP9ecxcf0p<`0bN1Le?+HllS*u<sW&eo+
z&i(MZaBbT79~v?;n-+ufP>H;hKQ8x|$7$*EA2;q-!=MV}B4c&dA<1n-1K&03qUfg+
z>X75(Is#s0+TKq*<__nIQ`wbkjsEjgel>iSb$~&$ct1Rw1H`{eUfC2E8NKp7dfxLC
zd(L+!<?Am|zcvWj-rdcK&z<1JDw5CZfb)G$g~!>&<^7zR`x!R|`Bs)Gr{`|bw2T~$
zW<jsnMU(0;+k+$px(xSM|8D0N=dAnL!>=8pcF%j!bZ8lTw3!ex_x-bEfhV%sR3kvJ
zaw8!>7D#bh%a)!l0$&a`;&O3C*K*{h%JIJ)VAbpiW>gMnEGnyb<bVvr$+;&6yM!R3
zR^|NXbe)i6j-uCAG9zSv9k5r=zz1JPzuN&PlhmarSogRgxH!vyZDCamQRcDz{R@+5
zpn(vu|4t1Q9rjzV?`2ov&jp;ZHkP>5-WVh!<j~3e!a)c9ofl&*ppaPtCHc8~pul85
zdlfK6Prbe2l`vQ?<X(|Jkn7MVtIG}+l3_ck+f}@B+B4R*J65ooLqNY46Am)#f1S9y
z)uvb9KK>DE)xxF`et4irP+r-{I6%~eZKl9ZFqG^mZHk!?SbbqgRp+_2oRoi37P^~>
z=t+H~TQ^QIS#9O^pE9;)G(4P8VErfi-aF#VL#w$j2H5AG@P2B<=4vFf1pmR$%rQH3
zTT%aLiN5QRc3BYwjz9H!hF~w`xnRjh#_`Mt@t?Qn5NmaUl}|7Lo68<?{P}gd%;uP-
zN_c#!+)KBH@<S@TCvn84U$hwlr)ls4>7$$A0M8kj*^`lsN%+t0_>*G7)>;@wJ9ArG
zr7D3jxcY9f9t$8_BLTl83G_sArpn3zZn!s90xe?K$ddIYCs&&#DpBL3D_xv$&~LfT
z7<gyV#Oez)wZ|EfBQi^PLIfwQX1W&%M?NBG;I7UE-VGTvmBVu+iWSDF$LYzVdm9}c
zW&@Gt2^uHMsLppb*Ni9YoIwlC>Xq71RmC$b1L6{}O!xNxpD_5$qR&pxbiA7=y&m{M
zWr63yko_|>cW7(5Vd@tmrsKuZFnHt1t`QY3Ym3`y<Bk4VP`oe~9Jh*;L-i+4qf+iQ
z_D#}LXlOehSVo4SUeY$Ms89NhVbnW(QOv`FnO$S9l(62L1g5%+3}Q?Te7VbL#4XXS
zvK6;tMbqS+7p3mYb{SgZX|d0}Mp@+H8dc8AbA+cjqUJ})*cB*ag8aKvzDmkAxJLMf
zoux;zwem1WybGK?x!g-E8mT+Mspor|1M(>Vzu}J+t$Y&HsMClwY-NzXL8sHg-1R(^
zuJFtlG537Dv0hX3)HBL+cZ_bVhEpU3(5`n?`Gda`UA!wU@SvhuTES|4A<)BNrGJEo
z$(j6UuIMqbiNOxVW&#lmukg*y9c-y*q7JQTl;jowz#C+Vf--)3+CkztT6UN*%e&)~
zJX!RKWM#xV2x%D^yWUpqGb!ZI)iPyFdKW;*OVxty2Z}PuNzs}S5tdi4lle4dv?S0;
zw0_%Bp0a=b;>Sylz#9AKCLa1pr`MDPOb+;Xknpwm3^+}anm`JhvG;623iPJR<bG#9
zO$QLsbplFf?;TfYVrz-J-DKTxSO(h{=4SU+EcL=(r6A_+TP}9GHI<Sk5d5qUKB+13
zq>(`DUrYWY5Jzx{nDCWAY~Yg*`Z@GuWnQdVl0sq=t^Z}nzu7-)lB&~{WA`lJS`6%d
zR&&Qt!^IVFIQ12Lx}oD_R+rZ%<$6LI-5JT)h?;2b?98v5HXd${D#sxMYg3aTh9{*v
zVA?o8mM(=2n?q2*`R@?|$)A?7^EyUTlaW8w*QXT=%KS(l?M9`Un6I1PEGMQ@IqrLl
z&ZnwD-}XV^jw!i7uu01fxE!FQV`1zU`#Ur(w3!+4@gz9#iH05-yLBqt^sME!kZ1uH
zgc!6Fis99jFoge=eBJ|{+4z#R*}P9qhbKJW){#;erPY$5a<@Ps2MiMT1zr06-Og{7
ztQ7jLTFk`O$?Ry3o16{}lDoM(Y0aVyKq|b(<dyyfvFm2OKd@?}U$d6c-rTwoUA3lA
zzWRuO>Db8mmABxxT{Yc+wc`7O4(hFC-{pj+o*(UT-y3cdbQwfsq{|$-E3P))u{mCU
zu$k1lM{(K|ZLc%ygzra}ZuU)PLUik+V!+H@TN>l%t$Xy0yHG}y>Qa3nMr`F}h15uL
zwHOyw%jYJAU|WxEOe%Ws6L=N+)nHbm>=h|bBYyARoInQ5+)}5I$ue{IgT%AIe+Z{j
zXdWLvB~yAuPEXH6+4@P;@j22LPUwAXZU!O>D26ad^eB*5ysra=RJJib)6HWpwac0J
z5RlI{ID{Wa9o)+(b@HUg$w=+|b<A_`YoI#!tgo88KPker^mvfYtY+{Sy}ZeUk#ZO}
zqjXCj6OEXyHWrkod!mew0ePNrDG|$=_M+_<=<lCw$zEluQ?#AJEVu9WOWU31mIz6p
zYJ(=tW-vlK2UpvDFv|@_d=sl|Tr_5k{I}b_rSpue*qK$XZ6Ajm?(ZdG%5H3D79OY1
zVQBW6)SjHG*X@~DqiPf|*5chBYW_#{^VJAUVap6Va*uunvpE%rhLx^G9lJ4L!o>pG
zjla=MW9+vMmI25NxFe~vS|MTlvv21GuA~0slaqS~V|};lu}AZD+Ppzz^)XG+ML&0~
zYvv&kg1?TrR@#ZK@O(%7{lDbQ1WcSoHaoYSb#qVkoHSz}{kok}HR}#opGqC)Fbz-A
z1A|UTf3nIQ&%ABXm5{?kXHo}Fp^rMy_O-rByu}VFwrZvt*{bH4&>y?5?C9Qgx0*;=
z#8oFk<ojv@t=sGiJ8^FHj#1P5O33*{Bk}AaA*3r)$Tw*GR0*8sA=Po{)>yc8yXN(9
zf6fszn_#asUuPp-JsNWgXoRL{$=}QA8!l63=C(%hGptBV`6(5G;b3g8BD68wGh&i5
ziz;2Snx{P6dJPXLwClFo!sYKBxZFpN;KVP(7<tyyA!GXXtP}(=z;~W;Rwv2Z%y*MP
zW@W`i_dl?bC>86B-BlJDz9;0uEj6xu8<&J<yE_1gp}&CQV{Vkmw}q@(hEzxWAkhBR
z<>)LO2^{T-tCobM5u7W}b!2_|IgPliy&E7qRNiGt)f~qmFZo28l=St`5kyzGiiHph
z)A2pkRGQ)RrQwWQ`<sVd4U@GU_8aNdJ=0#Y>=efeN6uzHg-FXVY>oQfV&5x*ZB?Hu
zA)|KqSwELOY&+8Vd}<rE6`|p+o0#@mdBp4@Cu;i5E{_N5)!6G-W!gB%#9iG^i07B4
z5{HxB1sseJ!YsigozY}}4}bGyDwH$4?<WSaecZ9z6ur}LvT5c`ofKin<l_Aj!`Zjy
z25w5meXBDPtWTRu!<1Jk2C!ZTz-|rH)$}W75)Q5)-m7lCPQ@B9!W((JlNZO)<>P!(
zXZP{GkYDt4UOT^_&!f@1F+ocq0R1d6ewefvXg|T>Zg%)F<*yD;PTggHRmg!3d)CTI
zDf|3@;h4^)m^^U1;C%z^S;ryY#G8G&9l&+hRY0lBXx}ph@~TIE@A8>DD(^<7hTyl`
zkMqjxNsODNSFh5+X@1?OZ>Ts*lSyyvQhNzRLzDe`al3lYkBx+$!b-|Skb69#JDej6
z-(0@C7#9i^!PzkFp89D=V##c4tO?M0<AXgm^n$G{rZ5xvZYAi{%NWy8+Sqwm>9uL#
zO|2Pj7&J+96B$>_=8Ii#s<*|Z{^4$xQ$X$f^J;A0J{^yWGfYsywZuxkXXe%x?gN#;
z-K{lixnb41_xMa03}z0r`mq3em2KK7vg<^bz}YEytsf$9BkG>zI30${HO>h(R83@j
zWEe+3n3R;H1+9wcm~ZF%J3L7%K0NJr>GU=)@g(3a`moou*WwK|z$!eU^&vL&|H#%y
z^0LoAx=J(lWo2z0%D@qnnVG@`rS9BShu>dqG@eQ~jr<<J#nBss9ysX6u<<#7jeCP?
zlBj>KO)TADvJARF=aQa%O(^R4%}Vd|w<;5%-lz6#p~0txjZKpnT#Wds5$1IvyG|hb
zQD2{);n)gh+&B}NQ|2tp=khrh=8mzcpwyqoY)bCEu;pqhN!caK^0p<u>S;I7L}NR7
z6Kag{GCpaDZdcj7)90elRv{L#4UIaf-A6}2)({>jTPnBI%Uxr9#ELIELdTKF?EHK=
zEiEnM{tT&dmlZ7yJ{zq~RLNC5k^!Iz%0VKNvx|y4dtm47clJ`XwdQn=hr1vpTOjZ2
zFI>zZ(lE>_#6?&4rE3MNjL-@x@-45bA^=Q*a6Lv@>{w0D>%au-qD&EX8@L*W3v*eU
zvSC-n2SWdI0ZeQN<|3tE%-i4vrF&UG*-_Y)d2a=;{yI1<WEeRF9cv@Q3$2bW30r1B
zH#0^{5HlI|DbQR74y7t0sJ;b8=)uFUct_hNjyGX&rlsiP@J9VT`Ng``366QD>IYD`
z<X-AXE}V(UMoeMo0NvBn2Ql=fwwRW$q48OHDoVql<EnrX=&I~{)gmV=6uvdaloVd^
zD%^iLy$a8)($gBXM}FGIuqWq4k>T7g3i->WZ7*SUaMnd(xuVi5RR^U}BNn|WaJw16
zE~XP^Zl@kN0@SQy;boLfG#hKIwSD)(9VP>7t+m<HWvY!{E6g5e!_xB*4&Dc6Pe3kM
zQasIL6%_m4a4fyzAM>W}4AR8v$$>6OH>k#Ta-htFeDbKH!$Kp+`5NIw%zGTRy%UVt
z1Z(^gENLhAz<2j2(biAA&x~E5M<pL?%g@LGlI=vvhqX}5Zsi#r@rLBu<Chx$x#>f&
zZM>QwAMx|(5EkkGS8ueqx&kQ~$GN-=f-yMx!bV5+JQPPt^w-9%ry4W?WEoq4s<KKD
z20;&-pjXW4`Z|wAubh9%W2BS<4E}zLZAmB1m5Q|gKuXOI-paUU=Q!|jNxyY*ad`^(
zodS;8SIq4}3RDDI1TXNIBB(`J0L&g5+qlt2vAI2{EYsy#(})3c7NW}QSL@^f8c2K}
z@yo{m3b=Cs)UuPFK3z^CLs##h!kdY;nkv#6J<<s@TXm!J^QNOXZ|N?{`gy+wnZ6Bp
zOxJL5bkh8vxM@W^zEL~W700S-V(y5AwgQ_f^&5+hu=;QK>D&Gkt<j28x5cK@PzH5d
z$4biSEG45-8tJ#cz|{9@`roKy_jY%mT3LOv(k1}v@Qoa?{qL7y^raG&ltNahCTLW3
z6F|o&j(=42&ggjyCv2jDbxq#uxVpCdzfgj1n}i}nb&Ul9$xPalU@j`RpAl)T+p5YU
zz#5lk{enUOP<*a+Z#Gk1r=rr*sQKQJz?{s;uLk$Wzr-1oO@kk=*a5F4=|nOva=xqX
zx3KFMxb5@{$-;1_?IbRe#Xd6YRS*drpb^QRX24mrfX5aW^rZ~FA^B)btM_{PYJ!$F
zbm6}~#Bbq|763A^*d)=lFC`8}YQ~~d&^=wZAHhuBqFev6D8FHoaRBLRDrIX7+n0a(
zB;SOYTr>6THKv?^N4yy*_#e;kc&{X8b(Pn`$|}0ISAB7*nf@9Us8B8E2Vc2ybFoGQ
zuu^mRTt{6|J2SjB8Z@xC=mz!>2wb=6Upna*oh%O|&SX^3sYXKl!uZSAR>2)3<clzS
zu7!AJTR^U~3NWv*lp(h(VP~NxV`k}LS7P_eQtSW@vKeOQN&g}sT}y_))_rG5O_LUj
zx&r9Y5jpnttNBR#SdBxBCurs&KffAQh~8uiNssp4?981I_S&I@TT)kFu55JQDe$OT
z3JzlF`He*na~+BEc@@=zc_f=2%<9@*g@Eh;5iN7z{fjEc=Dpaj0EGhkht?t#2#buz
zN<7|$mbP+u(x<dO`OcBf0mzk?K!6&JNI><leqg(of)6V0jLufU+GlE*U=L$VlZEMI
z51(?()WT|1*r%ep&BR7Kf8qVGuHqQ%D#?rgu2Ij~L3nw2opoxT2MaOqB2^m-0%G<p
zoV{nW2HtFfRkjJ-$yrxp-q2Q5kt;Qq8Aa5*0eT7nQz+IjG|UQ4NF}Im3&`BG&C@4I
zS^_Af6q>cTQL)<FsH{@kxzxQ(cwZ;EyLzcBE76|I@#|CU3&<_NhL)9;8KktZN?Dm-
z2s`s(Z3PQd7(2Vl6xgcT<tDG%+CWMv$G_h~e6Y6Chk?@s?>&W%H#0a*U~an#3nL|y
zKgKQH06<hsxl%S|0Rw=yN`TAjFAdenLS}VNReW`OZw@U#z2*;o%;|@$ZgBx;kNhxw
zAwGJo4qYruV-H+8l|Xh4pbP+X8Dd48j(;)poa-B~nL@y)Sbw7o=9>RW##}(~uw_VC
zk27NP;Wzvix$aD{$EQHMmKP6H+vSTCvD2TMHV%O6hQMQsPd>w&nQLvFi0Em0uf|26
ze-sR<o0~eheWK1CR*JW<4);g(ykUVpD+63+ImzC@+s-;zC-Mm}b{7%4!ouJ6%J92-
zS0@s+a8~+h=KD!~<YV`$VI9%crb!|q2YZ#pc55#&Gke8KJMi*PJy$cBC4|@l-6~r)
z&y~e)ld5?1BCOO(w%<x==iXkUw*UAeM=_bs#%XpIOHtZl+DafZyg-2EH9&=!0(49M
z35a95X%T}5UaHuK-K4N=ZD&zG|JSxzG_tQ~F67{W^;Q5iry9W`cb5J@4E{H%w0kBK
zrzIp0g@FeG2|)oc6WyhNm%Un!xc<pjp;{%*!XA(RPy)VJ(;q=39iLt!MM?Xrd`ce<
z*Ew{th!iYamb5R(d@z_|9<&`LR~dniVT_z8uHLYr@qpj4Aukjfcdb#5!7w&Wp*W11
zqYCSq91Ihe*Eo2Hze{6GOXb0Pq(%{We_Au<^)7=~5e4k^3|Z{iLV`KFIynLVvKz1p
zshW^0H0_RC+0Hx^C%MQdefN-_tuIAj#)mJJBNk9TPr)ps%L3}D9Qb!G4l+yV(oSa$
zGj;Jpz|RZ@KQs1Wib8lSB{e)w2x@GSUHcE4#Os7pW=Vpvdp;thq1hvx#LX7)es`0=
z9P;(Wa$8Z{rA^el!-`FLzjp7EkP@W6v~gyQ2yyVa7>|hQQhTW#pZ@y7!|IYF6JKYk
zg?1RnzVN+6C7iezi!3&Pg!ilYFUbGUjOl<XrSMNT%YA>uv<3D{lJ)P;gjGoff#a2<
zX+NVoT}*5k=i;0U4Rkh5Ecl?eSLt9E24Ar~9^v%|Cy9J^B(iSCr&YYA^I=eB7nTqd
ztX1=)xFujMtXi&&)1J;pMkb}{&}qOT8dQF{xjR&pI6T{@<{>2>`bB{Kfd0sxF-?1Z
zvM!^cpRF!#Ybb4M<lmEh{d)=cd^4kSmnJBE2TJW=g|I%l&&<`FKl!wuovrJ*GC;!!
z3TjO_0gFvC;5Q;AGgRE&1&xmnO^OLk5~V3ZOC@icgw?ciD<rG?z~h*bfQYgtn*wIG
zHc>m+Q=$(S-MqQ{7tERnAHQZ1o4j<@9?-r@Rtebc?r&<Z{g?e>K{MB){R3ju)0vGx
ztVC6_U~Q~E*Bb>qn#qn%+C^oB$}%tRT)OUO_Tq-LFBJI6LMK9qBwz3}cW!)lI@+Dj
zdhQpa4!;5QW|yQakw=}F(@dXiB`Chb6OB2}I&@7}tXaNu&d<Ma1=6Tm`{_J9I%3&Z
z?)LT}Xa2tXu@)3ZHI5TO2q1aP1p<B@l$!dEJ;^p{ZGBx`x4XW+emaG&05`Ys$O7mr
z*he~Ja&;b_ofX<QZvW7X#J$ZKu}(}+Nz7&0NW+~$DV7p*KV`^bMRnnz8{k-sfF5gT
zlW4C*R>i;^WG*9&k(NiVT<34};f-}4^0z_SIy$xRnRNeI2&|GuIY6#6IieC?uaQmp
zqFpoK=KHvxoA55no{E@W&%<gd^B}jY*<yFwc!B(TpfLmA7rovg?q_x9_+>;Uwfx7W
z=~-ZW(=`a_k0E8(iL9>Xt)Mb6+BlM~{1VYUOJZtjq{~d2S>>FDZ1ePy`}&6XW6nu=
zH4V$9OEN_g_15$NrJ&7aZ`ViP%g_S#R~Hj|;*}Y)n5d}OTd@ybv+`H|<y-U6oYk9u
zas2O6kmRATlRD8m5SmhXsZ}8w+Ip?96H0!asc|ovQYs(Ajy&ll@e7yVO+qY4V^0eI
z!~Yj7`KFbKmmb;tv)!F?=jC6Z4sej?^QqL(bCasJL$T9%AC)zLV3Sp{7<DA@G<E{#
z=$aR|nXz#zc<CrWCDih7CG?9rGI(V?`}%d#bAJPff>sA9v(xspWF8;wxN>}HcS8>#
z^aSMjld1{Grp#LRgCuorXPVe97Bgw{Ct1$yh!HdAtX2HvWx6a07p+sy-09RO=z9nu
zp_{gGKb>B{ZkFKwZ@(kxW_AU&?1r`6L|T}^bMGTlaLfZty+ig&1U7#~7&vWLWlWw0
z)G^A(*HnX$I#-xaX7}kvisvtDCwL{AXhWaU#3jDM@v7}25q<8jnJ!aaSh@~6Cctr<
zoQsb1hMPM<DJSV8M<cC7E#j`0<~C2}28081M+aN0*BqO*n}|(+Xw=hyY&%)E|A=nH
z=bG)ys~KdZq(vh(h%=5tu^*bJr}iL4^6Sgx2V<q~JC@<VF7>_@(DiY6EuHU;CPsSt
z0<r&WNe+A|*8KNNrgBCHW>~)G-QvAAxE0?WM@BH1WjLj9&7>mPtYbNz3?LXPreTVi
z_*e|XWMpE|mb%3Jk>m0$#K#B_-1K}W_6%(PKWT)+es_r<hS@`ATA)$(5TL0YXe{pO
z;XsYdb%8*Idg_<U^BeEn{NnQ@XwEx+lK<xWZgORU90F`GXng!_%}VpALf!h2Va4Ql
z{0BmUT3Mg)R^EfuXbCOt1<;4Yu*w_*+wuhWk^ykQSovyHN?=8sI;Sr+%*=8<@aab4
zWEq|#-?-~8sQs_YwO<Faj+kT29wPWAla2vyo_3XGoCip8&ZFeFk0{iJ4P6bRr_a^>
z76j?eRLY(1PHNo5HgHyS{Xe_(JU4=Xk94RA4G!-}9;=a>ordFGB#<1gb$NJrWCI?i
z9IAT#zklL?D9sKjV_66K`zkr~6hO>yKSE^prR8CMZW?5TQ<?V<n)Me2ms6i$9i5}8
zXiH8{@hB_{1fQE)ax-4)ln5lO6$D7+rV1w8=?@B5{7Z7vDXjcpKwqwpyk3td?T}To
z);n1<Vg3kj6N3_A7b>hPSc+qXV_u31*$vMbw9jnTqrBPRu6mJMPmaS`6WY*ip4Ifv
zHFSk$D~4S3qgjOtdD9et1YPA!h1pP!)nwWj-yO%syW}Z-KZsBli2IZNj#Wi{FU2Q{
zpjb+fOxub1k_EOz*+gnWQw?MO{PIGSe=N@}B^JL}DZiM@^pKS{9x^iAE;~`COg`I=
zpS7h}*}VA@R%HTOk~2y<jYafe_GT>zX3~_ARAW8Y0CcSzp!Pk13?QKKAQ?*zTxZaI
zwm7UTh0i47Or}KG(NRUQLC>ITFYrr!mmvr_Jw|5%W9f013m{lAajWP2Drj5I_|<&u
zyaPoXu%e%57#d?Urw|6|qxbqbBwBn2a<}42=VicsjmY9u)jV^;=+{O?_2y3pSMw3c
zD;KQ721bhKER!o6e?AbphqB*na82G?E0#=8cRYF2*z>J!_#2$SO@W0OuS*qzJ3$Fp
z1h3{u&bn~>`c&~2IoO0GDxcTk_$sa8k!UimF4Oo+41;J&=tMLjP#;Y6QVH_Cr)|Lc
zA`5QrJFooab@${a_N#2VXOdz^xMC@=uMdP)ON+#`wxqW93mXS1I4`-$KrQ@K4wziB
z#HL|oU0n~z*biYw_1cxH7mZ)0rzjKMQAwj#dX<$$V>&MaA-R|kU}x(^=jr$)k<^RP
zw=CHGinS?o-aASG0pbb91*VZ(y-dDcl~M5^oYYXi^I*2_mAC{)N_RuwHdN8N9`AmS
zO^{~9sh7{Qzaf87JK{dXo^?wEULPsoBa>jEfW%|Rd!HVdoVl9VTR}yCPsnx3Zsej@
z&*GWlY6zq&%_2D9v7pdL06`XGAR(2@-0Nc?QfeF7DEQ?2(5bay1h~Di8C^hSwf$DK
zst4G>=DJ!g+(f>a+bGzn!}nF9W4Q*JAYxm!S$pFw<JT0fn+Gv*gupRCLQlmcF0HZm
z1H(0GwI;0|V4}{yD6JzcV{+S78%FcapO#7?^r)o)Z^Xx*Eu#ZeU9JqWlJL*&Js-;6
z*mL2NrVe>EyM(RLl&l4Nm9JE6fPaxo{BV5Q_)t_%pVv*^b;RuH=7=qLRvFwKZtEcv
zeWI8`%q_d4_k7%Ze90^K&-DT~D$M$#K$93J;<1}EOeO01ati1RlLQ>qwNk|sgPuK;
zkRV_nCb29H`tS^W;}wXv#3kT~Y!w#oewZSeR1N0*2p_gp!rA7XMP91swye<8vD^Z`
z*sD{!Ch+j4Y3<3~UIUtWR!?odeOkJl#_ycuI^my^?76fb^HNtIi{2;i3cIhtAG|`X
zZzh@F+*wLvCq^6j#bu>t(+6;-c($hoN&8W8Cmx)aq*Xso8y5rjp34Z)JXWMJTw+3X
zJ!zC*o5ayn4!Ex$!SkQo=H~0jD6^>SKfwC1`?=fWs=^-la<PS&lzN`)06@-%trn&g
zVt%%1k2Kkix_s{iu`=i<0`U@)Mf&w$hOOX=6{fO45l~D}ZGsIF(}?{@rN>#aGT)oT
zuDcSpDw5GOamI7|Tbi3YU1S_^d?18XWFFkmJG7B7lnol~@29DIOw64(BnXHc7ccMc
zfia@qPFZ3_h!6VRMyX!#pNORhFo5K&n7iDe<Mk6Kll9YP$Yke&_>U1AzbLQQ=3yz^
zGO8mWAp4Vb3f?8(I!HiF)JnLDIX~I<N&=&A2bB?$Z)EM|X}a#B;??-EJ<Zw{IqWeE
za`xJmR$biCUmvr`P5>kJGDsKk+UO?MDA~%R7_S?T6REI@VQndAZr{ZHTP56WXt9#r
zbp!Z+Y?5N|@AR!s{5%wo44NyWjx`b(>PZvr8O{{x+6~`vJDM8K7u9g7s=e{IiTNmU
z>c@P)t(<lR!+X=trnj>@&l#nC=u(6|Ru>x<H}RP+<1z!U0F?Auny}l`DKE@QAqWb+
zF@(&8G6T=@x`d>d&Ng;H!cM%yR}k;7H0t}|=3BFGdLN76gg`iVz?8j-c$8S!{9uxW
z>?xr<GNk_@C)vXsF~<RK={ZTa{q9b4ZBonkeV;<3K#&>S2Km?OJ!8E2%_znc$~D&?
zNim#%;W7<MjQsSF1wnQQGuzs-I#lDsd!tZwQ1=U`Lp+6A`h5G&?-)K8qp%f8Us`L4
z^UQ5KVc!8u`J^+pB!tJ+Hb$ow!nj~Sa)Yq#s`prPr@db$3TN8*8_t&3hkW!d7+HYL
zXa6F0KQ0*{(`(f$!AMxqAq&_rqwq-vZKne^-V7X7+3X>vZaT~9$u5pY>`;YwcQecL
zUuVA|fjhtdM4zj2%kC3zi+CaZ@I4Xx3XqIX3qAIF^D}{Iv6=~^^l1+>^4(5n78(Yp
z(ba&QN?!iD4~=I`30-ELTYGdW60sAqg5UD$N`$7g)aK}!OKM>HAR1VdadK17VB&ww
zl;$H~&J?6w!*6cfpua`@cYt#eNWGPg%!By__NCw_v_noh<QiTbtnb>h5ec3v@%)2W
z7~QN~t@k_5tyc<ow;9gDT3}T?wTtufIC2c+*s=&fz4J@Y0xT*&<H{SWj0DLmv{YJj
zYL}zW%8*(u;4*^e6}>g8wtv3RqFu640CJ|5_9(*Nf$^T-fl5;$VaxkT%9*wfkN8C-
z-rXXahR&U9j$qdgTIx%B<T2OmpUEC1c{h0R^XCVU!)-l{oM$;U@c_LR`hiu*S=iX{
zjPk{uJ+fbdswfV3q$9I?2=}dy*Tu8{bnr~|VjX<kwuT6C3p?wW7pbh1tX&T;m1kzQ
z`2X&B-u{l7`~xjkRyuwhZsRU{yV|K1=sd2>0s)-~h!L~hHWCSUXS@183Z_?=A9Ydv
zcLg>GX4`cCU+LX>iIs8q&mZnpY;Obb3!48@s^z_pB%2<s*<hVW9M%6J3iL=PEUv+S
z{^&4@J5g4kh6$q>HU1q|l~FFsK(c!N-}JGCrWAjt{v3Oe+)X8F0f?mN@%G@$wI)pQ
z_V#un!W86A{faLtm)k~sT`$G|1dJe8Y)FnJZtj30gmg%w_bi5BR2nDrEQbIjzZinH
z87P=tFU|r#gHhwrCISK+1&#+GTMwHKik0=<KSKh)@u`gP-2r7%Be8*cn*iBd(D{I<
z_do7Q@dvLHPiMWzg;*GY^p;=p`0N^$=zM!FY#JxmP<o>IjI<V^ocF6&NnM8Lv5{)`
zUpE=c$OPhbt*3Nq+cgeb%bZti?AZb~sRM4Pi%D>kbcIJtDnP6D1X-E}?2r{o>~T@}
z^w%&>P0Bd*PZ;K7V6MuQ`3%35_i;W8@~cyg+SNcPoAyY+W7oQZDozhXtfUIL);;9x
z1^Q0<6%}61md>Vj{U`#|k<Litf$Ab9|DEg1oMBu;9|^_}5$Xu0bWb``4n1!4rZWJ4
zu>+<jKY_8_K+DwCHCZQeqR`p#07<TNPePu6(ZR~qnA;?~hNguq&QblB%6_;q2_}%3
z1~V?^?oK|7t_9tav5Wkspy^=>(nRT1PO`1;1T$!qbSb)LZmj^W_mw6aUxkBKftSk`
z{-RD&L+|6%_{_#?34y~e+aP}ruw4%Vy{eAYo^9B3A&HQW_h)!jX#tiGIT7)A?wmMc
zz%>f`s5V9R<$4f8>1z?Yv&)W6j}c4^*Je-nS{7-)*~yd+0mCcC?$%%>+Y`K6JMlWO
zvdE_3GxN|F$uv%juvmN<4RtUSXDX6nRNDBT!gKvDMB*WC;s^-RzjhnZ7Kq96&`oAt
z19^Ex%7ylWc`^dy2Gn3qQB9B_Ti_cN^a85?N3)`Wo#03Ui;PF1#%MNLw~9{_?y0R|
zETa143otzg;gS>y-l|SwnP$KaG0K9rxLh0b(yg{9xp?=IT!ST9GYr&j!&jrRDyoZF
z`Xx7J4K=aW04q?x&+Wq?6n!ZQ^~3c(SV#~2$+HA`Fo+Qo?FlD&`4EqLCZL-GZl79Y
z)6HN%MBKCRLwmRLbzK|FoucEtQNgJ(xm^b<7VO;oRLri;A8b!ROVP~xNw1|76jh3N
z*UQ+X)v%MjqaG8jI9<sR`!PUt(){>uG*+CilN3Ha<f0B-kG>~@WrQmzj*4*$Z$WW2
zbSXi5xCqI0lQN}lIGDnn?_ww>sV0P#%hb@cZrHB4Z0X%08_~G^JI3aLE5{fE2z{O4
zrWOk_d;T8*f72h0;oxt<sk~fE=P-x2Mx6^~SZI7Jch|E7(8{mhc17@-^Sd4GM|$i?
zDEL9h`7Iv@mfnE%q04`2qbrL7JjXTeL>?kz<@xiGQTYV(GvfzN6wXtq+i>>f<RHrk
zpd+9-b&D~$64CjFtEma{YuwxLyEAGyijo$%jk)+HM@AR`h7o&4+Pr5fDsohHHV@Q@
zg~9mbfol6xI~Q}G3HLlWK9F6xb#lZ?bRVT712z@PcdWp!Am2&Ev{31so%Sdn#HVN$
zPaEg_qtqhj=ipUC8jpFK)>qO}e#c}nLVAezg!k^c#ND7#5WOw-IMmAbpvFbCkkyle
zxurv;L0>n1nn7g+Yy?++Wl&ju`F+e7Ur}Hp2?HD0eX=_*9{>WC9`xd>&WG<dozd}i
zZbNp+>bAHAF7gV1?oGt!n}WUX4H1Ef!@A>|7e)tQGTDCvn#6x~EST`x;DKLE(j_4=
zzfe4a;|tFhijZmj)LVw%?o?l!_z~tjPXg@n`)gnRx={o!P9CQ5k;XeKHy&^`1vbFF
zV(?hHcrvp8_lD3v^w6TY6N0@B_dy8%p$_=rR=8tF-+LAUV-jWTb2D*|xd^t`mjL8W
z)m6sk^W*^@(howwbnCExH|dfjJe9~~y7~it`PFnuHEjUaggJ`6bCj^Pzw%3Gt#YpM
zWqHAW9e2hlD+A2pKCQAXYGEBed_omJ`WOVDK3lsMr4{&?h@QBL5*k2%^F`BimKX_l
zaTv-L9Eq#9wwU)|D7!$>BbTJZdl};fze(4E`<%H_^E{PZ1-)^rfesJFyln$NNu>EL
zh=Vh++BOYOQweaQ`hfZ;6>aOxCa~SAKI}`tV(^VbBJ@^zCu-`15gjRRcmuyTa#6pp
zJ@6u}%T2&yedRUzz(p`aVVnE4Bn>WSS>edRXPQHaMx2Q0!<nv&(EaJV^HqdkqL9RP
zCgSA^_v0N28Eev|bm*=p1NWCtVrzRvX!?wC!+)<f-_4~0n>x&9y%-(HN9DXFv^KH2
zwBEw=nw=r-rY1+9KU;2rUrhEJnhqdo<{XV8`d6MXQ~_|h#JTe`T=WZ$v09Cshqf#G
z|4s&USs6EpS3UUS43`JlqG#z;k~@BXR3m@H`27L3Jnyq)Oqp<)i#|Hpqlxf%(o13U
zSNV*?0oCD=b)c?(;TFehBvh_=S=R2+Lx`enXqr4LN0?siW_`q5#g@8mnC2MA>Cy0I
zh{aS71XX<5Xz+M5cDNWn&E44C8Y%}LA2zQ}@~oR3+}O*)@H`i@^FLyFp}*W@8!N9&
z)S1g#RL4Jq+}r-Ewy&_{5~XidrAUnIrcm-4=Q9MCxA*q3V1$#@lBHG}%Hs%`cw+Yo
zg35x9AT&DDy_+P`HV~WNPwUrC6bYL`_%-w>$b#4;B-Pme{B^v5J0ho!H{`(vgXp5}
zE&==?N>9U<hghlZLO<c|J5b68f8TJ8KoEZF9ivST+eziTBMh9IwxL}DpV)o3(xGhd
z`T?sEsW`zDHluGz_ftZ3o-KG8rgC7!J<BB`4g6xdR*-VHmEw()2~3EX@WzyHS|02J
z!juhxft;pYX%Bi4|6+bE!UL6!&omSMBsKveBH$Ic`4>~W@Ycx9%^B$8Ty4i~r76!X
zkWk<tA>DUiA}Kld`Hylg?uU5CXVH>EWt_l3lTsR5Q>wriO^JV4I;(Zr_q(~fD%SCe
zK$6KJDPsDndu?;xg_ch7TcmY!MLO*gIuF&jRQXcaa9ZS)CwMbFN&I5?){wNPKVn{#
zKVa+g-#ZSOECC2s(VNqcGLo?zf7GJ+v683H7*dugD2W&*aS?|EOp^~L)p3LD*DI)^
zw43PPrUnEG3Ub|{4Sv(7qm&SaMy_$t;nMZX1lV&8u1xeJzcDrcQ!32JwfRWk)nLh9
zOKVM&s<W5A-akug9QwAj7E$FovNPhhNx#}whEcq*(BZESISF=W#SbQs^D$9{YCjRz
z(%cjm9dv&b!cIfb7j2lJoBJ05lW)_YkB>op+bnq<ql~P{lB>1Hgi9DquCZj>`JNOi
z-J3EIR@qKQB$KvT&2iMgwMVu5$PO-@kQ|BFxG|<L>Ww<Uuofcdw)V{Eo~7pPp<t&;
zS!-wo=)!i>^Oeng%8$k<#mZoP7?RgYpY+hJ)srR@eZA@0$)0Fc!)V)~E3K)>VtZ+o
zKG#Z&wA<-Tt8IoZA_N9O+7%(@Eq>y!`t8AY5L?+gH5FDTzAAl}?yncZDGi<n<qe>$
zWq%p!`<*j^SIBjh`_DzMCXGb_O-lRnJ`LJ)S>2g$hL>>>4C+MAPo5O*klzT{ndw#u
zGDN9=4dSBb?s@Q-GBV1FGxJ{K<A+7II!7IyvmI^0bp}~R`=S#^t)iWOE8Rl?qLC}+
z8{Q%VfxtH1cn^kjmOZwE+V<{aPL9@N16mS$hRYYkVnYIOJMoT#MF){)@z!>M_g-qi
z_tKi3^A(;nCniGC%~{{}4Eq*NnxdBtm=4k&t;{I2OYDy^MTG4eF*QT0r!a)gh1O8y
zTD!(KujjiP*QZ6hJSY63*IKM-+)$l1yXegJfbxin(lvV;@gvOBr@K+d7z$!fmqn9l
zPHRfD{LOu5WV#!1dZ4$pkw-hG%{>}{L^Tfa*350VE%LTEl%zE6IiwSekinI!Q-#=0
ze-r^V4Oit6X*&Ifl*H35M}g&-8`OaithpXLnm~=^7D)VI*JZ)BBzUADZ{G|oiRq90
z8x{1a>2qOU%4|oc{02P}{ha!Zg}^A6(%TeD(uZy4t#`jESlzToN8ph;$nODA_u-Px
z-9&*4p#)5iR%2$JYEn=dHi0pnZx|TygOA?ag-lcFb+;pKM>9yZy!%<_8{%RubEEZ}
zVL(q6L4059s*q#NtH8fs-eZ<{mVx}CEYt~2vHKa1-pzrs&-41;YMm{!u~<W(;+LWI
zdq%biEY@QAH8X?4N&{2!4cmR6y}=C(A4-PidfP^hz&6I_b{i2ltNTy)=uA8(1-$uI
z_Oc62-eH9AjRYQNAVWkaMImdf{B1|jrJT(6#9Hs7wP(HQ1mVH^P{>x#9jbiVtfw?8
z7J-QZ--{+C)h>b?Wd#!Cv6B%%yUNmbH4e0A@sCovSyL4J?Z%p09Kew}`32CN*KNl(
zh!ffb-(6>V<X;ivK5J}!;g$c>>Y7LfGLroUJVzi@-Mt)C^M>KUg|gZmQ%m$nYSCKv
z^t)QSBCjVXZLP1*U;d1@x)Zxw`x3eQa*Zd#M&3i;%e!`Gg@)B7FXq(ixkGzyEsY~#
zOX1vxp0kkSq^Z@ZF~;`Zm&Ot>BR5TdKBv)0d+y-4Y!~W~9$0K=4Ht{{Y`w56vKxiL
zFZ4Qsl4B-uU#>t-tnC$A*KYnpG$Sb^75^}$ds}P|P*`Utp^j3;`vp096nPS|Q6Z=A
zy%7lXEMNi{8f5)4zcg;A{Q%*`M>r1ZjYTZe#?+)5-<s@2zWBxT&t;gXg1aJeqny1}
z7Zv3kX!u3))SN<7bm4KcX#nN@&I_IT>64<4HPKeG#8JCV5LA1U4vcTbF?h0RRy5c)
z@WpNV73cvn+78uO_j5xHEEEUYG-SkQ2h+GOa;KC>d#Pw%3_?K`joe@UF{Poht{KoC
zq#wWKI_Ra}B^VHb5iW(dkH8@Qp6{SO$2=oq*dJZqSYnORHK}5qGpq27J93*%ilzjy
zlreZ%+@O|{d|YTQoM|e0hg2*Ew3ri`m>rs@m^Lb|9&>=raQtcp%4}Cm`7Hw9Jh`zj
ze(*%Adfi^<^K=&8st=cbn>|;{Bc{tEn21TH&%Ct;gY{Aq6EahtmHNkqsXsmJq0(vT
zWO1JJ8isIjYF5Nm*Xj$c!wdGGZFPeJKVBO5>w`-q>#r<D%PR+>OD`1&*X%_J96cQl
zgY_^jhdkV~;fj2^W|g9Cn$b5a+9~EFkC{l>UQs;N@!4B-K>mR0O)n&<Xc^p^j6XV5
zT5VacaD}$6jIzBNO>jwRU89lT7m!4m9kg^>r$>G2bHdjy_kTTuVa8x@8OzG?6P5J#
zeTOY4NUJeq%<I5u`B4%GuNUI)?Ov<+Y)v}ZJL|=_+rN)NG^{m0Eccr>9x+pbs4)`X
z`sGWgc&}yhWz4nV+2*gQTx(-S?4Y{9-nX&+zGUt+0pRb2Pvu+7YHnd?lUn<kC$-2C
zOl3T$HDRBgO*H<Ni=aRgA%s^)>%#B~&C{jfN{}l?1!1JO4-qrRcNMl}1f?-Vs2J4R
z%gF=#Sq8~HU9Hj(ympEWc#c-&M#yx>O2U-CbMM6<*ioy$^QO;42}14klP+u9d`s!8
zhA=Y0?7ehtSx$D(HADXR0(64>iI@G8P*}>NvdQTa+0DJN*N+#6F@}C{;VxqHxtmS<
z$AbCLz~ft!@Sj2taDyA*+q*ZN1+MV002pxtO0mWoI77PvHTk=cekGBk5LIbJTTT>>
z4n4MZ6zCnOesrY3)lkCOxf0?<s43;sQB#hO>Iq$AMRE$~eD9OMq<!n1<y?TD8q`;;
zqONPgfnbyxO}a8z4Lxc!fhuEMI^g@pan_Do*?3Hkj<sMyCGm$x5|Ylr=ROd;)yV~E
zh2{(>lks7<CRfErITF`G<?#2E$?22hpOFp0dF<HOAa%TH<HFGC8RIwF_42~arMGLe
zS989D5e^vxmn1WyWr-L<;#cBr_r%(<9r<~r8#|+41VXuC37`o(%`g)s?Oay<$~6ZI
zRL!7bp9MPlMIV&;0n~~f5x{FZ!2mjlY#q3lE;i>1496&CZAX*pd(xIP9Rkt@s70jX
zzx;={Spu4^nz>+r-JT~3nas0i<#bh4M8gUaj^b_USU`>dw}9~>jeDmc4)$m|?~mT|
zz@*eu8kd^^T<SI5n_0fQLjy*BNt<k(sIKzbHO^^YMnnb#0=H#s^5|odw~RT&>Rtdh
z$rtoXB-f)e2Wh2#iC+BqP^-JaqJ1EJ3!p-3N?;!YsiSOSt`y@x1wfc>9^e=TjNdpi
z+Kt}JczS04O&I7FaGdL9f|FfmQb{8h5U>j8=4g~(b)TlU(B}INMs{5gmlHE+MgROs
zq<dlUTAWtylN?m<T3?`GWq%V;7-AFJE8Y{HhgAeU4LyH&BEDuI)topwSctEN%P*E(
z?Z-ikjn!JrSnzHKMD$9SJEDqc&XE5)n2IVGOPjZi7B|n$1e4&gg2jJ>nADWdt$!nx
z#{PwFJD8b^b41x|8yd4<6N}_2@m%uyyIt#E?ES~xx0N#32Rq~{w`5F6h+jniwl@C4
zK-qbYn0uQs5uJ5>-q>8rC83Qv3IU4;3lbec3&3v=hK2ga2(AQ1fOr$2O;Lq;S)s6l
zGhY1bVE_F=3AK0$wb~6DBABK^eoS~b+$=&NT>xQi1tM5!n)<ctc<jNoEH$tPTCn8;
zB7*0`5U)D!(=!YD|F<((1$yTF{2lSmhi$7SYG}{mqgBpA-6XkRoCU`ILNLe9r^f^g
z12;RJ4atDm>@d-;n{%A&{}~<=lym9-)b356%`YVV-`PVi>}}OR2Ul@EZ6+w^!k_=)
zZ@;J{X_<g&lP>@~z^W`V?uY-;J+jcd;q4iuzes33lbryltKkoHIlJ%>=aI1Ez|1&-
zoOg5Hr`Wf|wJt_#y_)CgH<GFs{=l-;Lh<fi%jRICIh{@ct}oWMtFe6iK4<t@P!51l
z|21jnQy%?Pd?*MJPAps^nr5CDfr1+E-w>KNe_q{}<GbPBR;~}O#sHq;EVIA=??0W~
zCNpAoBtB+Jbu|BMpi@~yU8B$SlEjJ*XG;>2$eU9IZQ3r@dGN@zH@a=!RI}D1q|((H
zu}$`<#{`fFZ=E3@!N0}wz(MBk&aGH2K3_z*_FFa05NXE{)LRM2&rUPr1&MYOC8L<y
zP&)vFZhj%v@AxPY*mJ1xi~fH#?!;p-`3>h2;WPctm6mF-*Gv}DXLNyRkXWbx^+X{8
z-N~r?MEI#LZ?o)1%i6Q6jGDNsDorV$blR71mvWRTm)T(>w($W*zJ>#$`v{K2_poy|
zhOncAiHQ|&@lYsXlOXa{bB$X92uz{*SXt^&S*i9eL2CSEpxQ8;{l4f}KC{kwZIJvq
zHUB}ZmDSEgd?tA!48&<WZ~$39RLFF8g=d%qAQminQ-mS2L7rfo69i1FA8UfvkLCOg
zl*`YxM&a}%kJ)wV*j@nBu*Gpf{aP3sdeD9o<cff?Rfk=Z?>u*whGk0wz7oxSzvc-j
zBn33rPmLDkN)N28nS11|^CBcsCNCG{VSKe|@;sOv;(be_lu>l*^;LcJ=H}=O-1QWC
z7FQA#`BQr@X~YWk+D;3nj_@om>0FU5x%2T}OD9m9VP`tdHFtvCy)F=M(e08A!d(&u
zQrc?s&xDZsoRmc^0KbH}Z>jHP3Y?USUa`fU!cJ=>xN-bdxka*Q>$03T`Hp&Gpxcmz
zccP3pHhiogHJrbD=-LM*%tdb@m5Az>(g{+}@{tP?Ng&U|zSZevI7miYQ63F+vyOm^
z0!p>u-{i6L3!AKWtv4XSxpr+59Zn_GUHt{Cs=WS|-lyGqn&Fbdm86sMriUGu3CN2C
zW34)JSB@;MK)l}MKa1enp1T%@d#_(_!Euq^w*DE75@zRnf}zNXtfI-z8f*vUJ92;w
zaR*({u-R`YDo=C>Y|bh%pdGRWNkAYPZ<1A7IipuA=MFYeep=neFCucK+IHg7DhE0Q
z@9={29pay;9DMSl=@*y9Qp53%DwW~XpR-QiiQZT@LDMJLlT@-7gEYH`{||3(8CKQW
zc7fW0h=7Qo#FCJZM(J46f=C)5ol1AJK$MV<MM@*3(%mTCARrym-MRWa;NJV)-}{|&
zu5+&IT!$b25Z0P=KJ$tD9{0G%`1G{O3NpOz5BH?bQt7ja%t8K3ZUq=k02B69dM5ql
z-lQd-79d#k6d!6ge>HrVXins$dC<@@IqGtdd$-uR^O{*U1J_ogu0&!VU8qv{Ov4@G
z<Z^`}6?oqe4oByORa(lx1oD6ZYeV-MQ~o58g7;t0>p#=+LE?4UXN_Q;sSf6_9<Iop
z5{+%voeb52N}al6wcBWve51^80Zf^7tk_r8FSPoz#c3oexK`9We=jS|^KQ9D#L0g2
zcf)DGb4Cyrux85=E2hq-H;<8^u314To^vGt3B*RICUW<&<>0l0%F!A8dA7cQv<&cu
zYEpr}(_KGWb_Q@9hbA+)0ji}(d>y_1p*4@~CVu!EcTHbi{K3@Q`8!U5p7Hb!W~ndm
z`PjKVt-yU7({Iln9QWs#_YZyt7EN6C`cABWrPy5gor%=_70p=b8Ek>0|3sjx<@)h#
zEJ_?`tEP7V;hCss>AHS?{>JM6Hkmk8x;y=OuF6XaJck%(fyvb#Fv7}QdMfHR02re|
zcOGUM&eBz(uyv7dQ#c>K>4^~@wsiQ+_z)w{4>-bL<~+!>=2ANsAC67azq6)9@z*Z?
z{MujNc*@-G72cNW>>pnHO#Dx3eFhk{{*1um{3EMNLK3a?%m;1@?xE3_VDHq!y|cd@
zR7*El|C5h@30`Oi=+?IzNFy7UCrHx2YF8xD65ylmM;ie?VfDZlrNh2YH1=h^^R`Y&
z!M|vWx#(qizrIAOc^S36c;F~~`a`C22mq)YIW3Cvii$44sfm9HY9QOuMh6-HmFvFw
z6=Ex%NuqalV34SoJ{L_4rsQ?q7%h690OWEKERVKlAgka0^@NFR6;?I6$Du@=X9vN@
zoYQ6z?mZIvdzkOL;8GFP!cJ1-fCeKlAOkzq%><S=vg1pDsQVY;FgnuG$Y@D-|I9BD
zuoQrV)S11k{yd;tGf?tdDVWEu#z%el@WFKRKRqt7#k(o|_~Kl5T&Eeh;?9m|x(DBY
z3e;>)$MKAp?#p~F)AG&j?XXLcV!_GH3579TzW+Sy>4^o-YcasLY~H8i)vE;@G%67n
z<$6Sqb>{~nG3L__sM0B*Y{L+KeYV`X0roHI=AR)wOam3NWYPeVFudEGz)1&mIlg7E
zKm*s8MKBk>fEX!Po#YFVHlR7M_jmutI_95C-%o5_dEyg@cMqsgu0H9fa6@fYOyzXS
z(zrHHAuY?iKg))FTJLNHvoo`W{o&$}HX%=Gv3QnJLh`gp?sdnvAIeP+rKHpn{}bzh
z0;H<!Ga6wh1;A&Ne)zU@<!vXRbU)Dn(yFCMBC(Ulx7lAC<v%1n-3#iSz2N8uND31U
zWteAY;%N9Nl`28z&RYK!ON?>X<%W-;nyY!$3WeQ3OKTCRfNi;^xomD~KLDhy7(j`a
z0EvMS2Y^QbY5(tfJGj2x_H>=q0)vc{-+9CQ!VMt3#0Xku6sBly02g8Ik@$eq>cd?{
zv&V?`K)>hIS-f!|T%@}sMUmsJryi!a1L$GhEDmf8KsXui9*LBn<7v|ep!ED5J4&_y
zt!Y5dd?SU_H%xPQbRV=<uqJDp=KXmnw9QTIFM52zA^x@>rMjR5M@5ZEBe)0DEWebx
zQU6l!1@3b>WRH13-;RO$Uvi>!Ux@(dGchq?3`AePOjLtxXE9gDZS}tEskS5NOmd_J
z?R8=-N+P>Hpgm9`6aw8s0)e;Ks`^vIK2_jiUf}<F5$7l(D8GjjJh~PKMiCT<ICVWo
ze1klbuK1rGkPHq|!k1#)Sj$5z4?vYQDQDz6srWpoq%L+6`=nbpTrXr>aq^jE&?#aY
zHxL~9ocOW*A2}K@PZzJ+g7%2BvBS1V;tST4bMw5udD=gbKfACyFS+%L2>pn8sGryv
z5ARejai|!NsZ4Pqoyh0oIC;#j^^}a>mo&yTpe$RhsPMVY4_?gy-B`$xr|SgmOMm2f
z{tCilBO!`&BbA4Oa3oqTYLQftZe#z$k3y}B?cuuq#@wAewbGN@<mktzUW3T<8IZT>
zy)$B)u^-#P9*O6dxjdlTu|z%-yJ`a46vB<Q0dDFk)pP^7apjN2Ppr;}i<w1=7Ba82
zEPF&nbd=GO6B~Vy3p8|ACUbyiPT{)QuTj34N?XH805<Nd_jSDe+IwO}7~Eb4lnH;w
zo}Mr-@Xi38DB#lE&_5;U?Dt_+0+b|~!91c(gFIfVoes>aF#Jrl$qh<tFWvhmiudt>
z!}fO~@qmvWAStxCiQ#!9!q#L4dZ=F3B#;h3efWR{W#JlY+DDsW3{1myRd(R*uNRMt
zW*4e{Qra0FBx<~J5zt6e4pQCG$eV2F$z|1whss{^5IDLbV{~gaqgT_?oUokN{5u5%
z{RTOGdXv$le{OQ1u_LuU+~(#!-c{hZT&QsI2~_0zx^k#737?t9C}Wfos8%OSNyVSi
zIag1mNPg6p?n&YL)e))JU-BlhNklhwq*wmb{cP9!mGxRvhkQcREW-&sG1K7NM!Kes
z?z5w4vFS`NB-8HH;v+`}ciRlACG|LGFz5KglRU||kD4{0wutOYJy-;*FNKOlPO1t>
z6h%i~r~P09q|>CB$6l4$*dehqohHGbeAJr6MP;62pWM|xCpgW>TW#l2YW!(Z=I&Od
zot&rhqAg<Mm;!O~J`sv*99<thcq7a>ZaP-k*Xs`3aMALN{Yt5+)0ISRhzX5GSb82;
zZhS25APzm*=4W@2*7H4HX}|^Wb^MH3wIk|Hj>0sca2=U5VW=tV4AC56-g3yWN0ue_
z9;!~|^X4loS5Yo<WBxg&XBp?1vDLz=q&P&zF2IP6sEmLKwL*u7(d|8`HiOCry0%pc
z!s|_YQKg20@XF0$n*nTYk1^&j>%DuyGXbG7BBp(6ISP*$0S-Dx0VgN4j1H)0+uH26
z*>!62;kT*oQ3TPD%V_)rKvg30v?cce`)T53$5J;k!{CKbmcXulU@y)QJQJJ&yJV9a
znIHU}O+V3j5(=~a99mkdFESqkjLUk7ICvL^Qn_o{HM{Hq8(6H22>SRw-8F#KbUvA`
z79EY%;TuY!NXXX__@dQr=m*Dp@hDubS5_vHOu+8utkIs+#%VEecc<Ss;O?WX@V<ff
zom@Utq#81`i3gHh3my!U&Gy^HA)g-2Xz~<(!qbQE|K!TsA#nzSRYuO|m)0+3^Tn7W
zW2nF5vI?nw=C}Q(XXGZ*P2B@>G?Y$wlr;R}nm%xW-h&hS{b|p>SqfH<1*5FZUaSUx
z@?Hh2OUjqWFJp<;NP5XUG>_Zt9<V!LM~WGF!VHaTyM_4Z+IplaS1)WmVGh0bP{2wa
z6b;{~`SpD}<4FFyRK@~|3MX#>Eb-!H7f^o(%A|PD6$Dlr+l&NO-%CDx`y7uV<jvDo
zKlsmb7rw>q`~$_(j{902#EQrthRAwWk;Lm&smx>&A^vcEW?mYGOkeqk@11u^UI|%2
znng;6awX4wF~*jXQaR7l0;58Ww*v8|HTFQpfNnzHqM|Cvu+3l>`jPa~M^kZ!y?v!C
z;T<Y)QhN3#!={xk=u#@fEQ9qX2sqL^|D`q-8)z#IESIVfT){>HroQkFNX;(j8lj@7
zdYLer;YFE$t+Athv!?!DcwlhoQ-Tb6f;MTbw{K`P0U=?$HAI5S&?f-&NyV27XZMZI
z<lFwV;lXXo<TF}rz7kKRxPw_Ckl50Dem~XP%fV{gRxQ$o2hk(|--_)7fzw;nf8R*w
z?u92_QpW8kKNID1%4~RCCn_L9!%giSM(<X_tV(4RTdxG0{>XApur4<S3foW}ZDMAb
zPSBVn%AtH6$@(a<yL3teYVPbIwN5{w0#Iv&g$iz;S4J3&_v#Om@sHy}dn+TleFA6X
z)^xeR{{jvaUCf<38E6Do#}^>Yi?<ZrpayU%X${b`(*8!#<OWmQ#nRD!Rz<FAm8Mpz
zCONOtg!`iXJog-`RlbLnP>5@LXxnrz+)<Qy-*eqqu%mQJ&=)@K6dIPEt1htW8`e?C
z4S)#hR~n%g3GcTdxx>Ch`ut_o`r>~y9DrrZ!x!gc242O^{aSWMy60Vhh)P;j#w+%G
z&$uCv^89==`&5VSQ8FGCoSv0w4URT0@qy3(2ylG*g&-A;nSI+Hr77^`d?H86dQQF3
zyBzv)Y}p2<*@96q5!5H}$l5m^FW72<SmaLYhx#G0{ieoLj$&xB4}3MnpX}svo1NGX
zn+>NoxLj?#P4<zOX%X<dMoJ!`4J@bM5VlejF7h(H!aW-(B6WWuIt7RZ{^c1${?*Vb
zN-yRo9R88lZopUhi_Jswj>jz95%5Q@>hw(78VbawEJBIhd|%JHmPGyq9{H|OdWIXC
zU9#;^i3YPsu)4RFedM<%Lr%D6wW-~Y9C>>w%W};+QE5N8+Oqqp2qB#CUvQFgU4jIC
zW$;9`Jt5<l`iz<3Bv~$etD)Tx+gW@1HV7dX$7YT1a^0TODVO~#aAo)hU-~<g`+r28
z{P=$&^7mI1@k-J<T?2bqR96gBiPZp5?9<oF-4QK4&$fPj?eqUn$ar?0d_OxM_zD3m
z-5Qu`G3$num{fUb(&$#PUEXJ|7+(hchW{f%Ay3b|uOEZ@l%Uydrw3>q@E^(dry}%J
zH`TRH8ni*I*m@c(0JDbH5OW?Ly}vOZyE9Zvq87PkUTnXNF`)*Ey1GF3!L{VZqeKta
z!3PK>CZf(WL$Ik??SbL`aI^iOt6TPqJ2=65=uIJ=YG>`QH#S2H)MGwf9Wn=+d=kHJ
zTd~GH_nn@z1pLFZhLR?pTtDRfh%Yo(Q0cJe-T#Z!dB%m+`Z!jy+zzDcI)QHE;Mxs{
z7~5&bd3WL+uL=71GM7T{K3NlykQt)aI%txQTCas}9(P0ls9Zis^HYzqYTEQ`4$435
zPw|tFpmBli+frh%UGtgI@!#m31n;9q)$eY8W+(%xo1xwAoHY3<kzUAd04y8&dnEF&
z9r5VA_J2FQx=k)|8V{>}x=GJ;F#t;okdm{X7k?DUu3YE@>D0{SsMFT>iWyH~b1wXs
z=K}Opo8*FnuS?3*!6*maDEVbH%}zy@pPSkCB}!HO5+esu77qYsAF+La>HO`MnI3qy
zJjl(rCK;>j7Ug??Fc=XqH3@;{_ZV-lAbub!_J9}tz?nkXz*80T+IdEg1|+gkVh#0?
zlVP)`^pii<({BUM@ZwjJz?FHB;{KiEZaGUL&wHot!JU^YY(O`p?{w!W5shsAedo!!
zfvF?y-FG+X8G&!+skrs<Unn5;*^Dp)Op^;2<S~bvTscE_=z)qEfI1w5y4F)SclSRj
z?Z>^wQ;1i-5eL=zGdNO+)0rnF{f{c6RMr1C|8Zv?<mJ3w0Uw!xNARC%PqO%a*68}_
zYpMF{a)<dfH3>OpxrUKBFS!$ge}J1~=Kqr<<xFdMlc;2>w=t*y|Drn|0H&*Ab=pJN
z3bNA7x;pI`HVr!9$Kb#PNVOWkXM{w>vhV_Zx_nWnT>9%48y>)lp-Z0x$<c#eV9)U&
z=r(&KNVtrA_}-cyii3y$WqesiD%yY=E>#u?Zj11gIw-#kyK01uf$^}vy~r#HjMOdF
zm82g10y@19CWG%hTnH83;%a(AFm7<?8|UecL&M5N_x09#T;hhCo7=)E5Tb<bfJU6A
zl|Z_81$(=EJm%u?%+H_t!z#8Eimm-N#h~h8)Wi>sb+pDl7rJ^w=7PM!=d&dE^{Z#6
zW(BCo*NzAwP@M7r&6i-4VWI=!?Q@FY_uWi!&(;0tnZcVh3nHT+c@gNSplEX9e!L9D
zRf!yp8uHjLDV+8wf^MC5PA|mM)wMOASQg&vc%#L}L4c_$XK46&W3ozZs{!X33wf5n
z*Q4cU*JQ&ZLjlrQL0q!v7ry_O9N%VK+4uiR@g*QL0S=rdCvibQK;#n)fG;YJ>fS2%
zlf+=JvB(14>(dURl6uubYOj5MFZ$E2+XP%!1Ntdq5Q-TrbpodGM4b)jSX}Yigb0~>
zn-Q?PU)LpXUi+rrPIQAtB<>})oj$BRh_gQKrOveylb*;^c@_Y)YT<q1!j%=kddhx?
zB;$wm?;TB8E3JPxeLg=j#m4ah+>>#B3ums)5zszCa*i&%`CAOFhdZ#O(7p#W8YIad
zBM-0XO0ji;DQFe~*s86-&vPOAm5!}fR3q?z-A>N?SPlB2vO0CWFpjGLj?o5EqFuvG
zSiK|Ec{D`Bk|1tG>=aWn{kAz@KFHa332I~L8w!CPM4*px*qO_?S+f0?!ptLK3mX#^
zN}f2>OxFx{b4DmmCVm*R#NTiS<?LqoRTK-8y`$q8Z=*3}eupEmH%WLohMJn%vCC9<
zg?zcedD>MLJI9Ho8z4`uD`zL8A`+-a8-B-4KBR`cUh>+?IgXV@JnR!872IkRv%PMb
z#Azk^&Xk>~0kXomK|0}cXdtxls;ew1=EDrpu=jR&ujD9s76z$`S0Oj@!4WkBeLS)A
z5J1gk*5`oP`cxRUfozxu3;2~aJ1+OqzjR#-j=JLHb<zZ(I-Rw6TiC5_Y%j*0jN>Za
zv5lB?_?us>2d^vy0xZ34+{K$(J-8FQX9_$IzqQw2jnc4;KAo}cm&4C%I4-_#kc?&5
zjH#Byr)P>F(_hFa7Z(T^sjn9st931zbegdIQvHQNZAB~a@uyj%V6OiQLbWcVkL62%
z0>pAQB;3Afpb?yd-f1GD_of+N#Z&NV&V-<Sy_tv4gwJ`X%f0}2bDry0F^&e*;|;nd
zWrJ7;pPXTR%1~-|hMS!RNpYtx2dbNmo*#3ZKoV>4w(|E?VK>`t|BIECBYHAT#JKm6
z!MiVgU<R)zkgx}=B99^Jka5)F-D|7mdR1J(?Uy~hC$3S!QoOKLXn))eWZ~3!UKCk~
z<nX%!KjByJ;>x2n%mRHbd3=?ZWiQIrVt?skqRq+470op9CZg_!Ud7oD&p-W;T{%y`
zML{s}IRsQkEIHb)kE8VC2Mm=f`pn$tn(;?kXKsMX3ib%8oHawwzF$F(@t+B>(T#$a
zajXk(T4!%@!Wx*{YH>8@QLRL-7|)VTrN>^JbqA62)=DlS#6O3?-uF(K^ZGGyD`w*j
z)P4}W$({xTKS%SRTLbm`E_olgr}D@8LdDwj8^$Y|%lkiUc)YIOpn5{Uq+(L`VwhVn
zKH6N$gz;3EKG?4`SrCZ-{2ty1dy4ehQ^JZ;dP*c%$PciSuImq(e=RqjZ8G_uh?;@2
z`L{-;3|T6E)u0^mzM@jIT)e4czRiE~8^mDlf&%cxywlj|JOkq|V?z!LS$?BUIU>7~
zf#qAgskr83WOhc>o{~vAu4pMB07`e`fZG&E;z#J2^X^q$yR0zbEt{eO{QyvYI>z_p
zS~y+>9i~@TE_zFi(rhYcVcIO8^3~PVnfzV>vb@0Uq&N5Cf&QWP^-JEK{VTDOERAwe
zpX*;X$+1heXS5|adNflT>bp14fFmX^>;pDWnZWpj!v~hC6((Jq0?;slLz+^W3BSe0
zR6?F;)C6RU)l2teaZxXi6&)&3ndCC_&eWrz$l8IXRJXq#?fGz1X;X3;<9I%+2_`S4
z1}CGKoe8t>rhPA*h(dEI(~dR?lAcfY0}-Tmrr*oEZhq^H#aO&&UV;r;X%NCED$CYN
zqx|J#L{uvI6BIzK9#q%L*WCxpAN_!c##;_CoNkxIB4mwVvs_%`hu3V^YYGVqt5w)2
zrHF~<g-ow)5==y0+lrLn3TP15GcwAU>#IJ1`m1^}US~2?pIt~S&mXd9JVd~myMRLK
ztx;2f0InP4TH}0d{x%vr>xFDL)V&_1m+w}b_l5vL=Tm<Ac>^uV?zS?3X3x5d-;oKO
z!>knpq|*!t__4@P@aetg+}Lf)^8@QgHmSUb<EV@f*}TGuP9yMC{(byKxxn%~X2pqG
z$bq>`$AUiV)IIz-(DiXDX((UUsnUVTZ@iNaG`QJcUtg^>t<_LeKKb4-qA%F_NV(aZ
zdzN8*KE`rr#7y8z3a{AU*^+50_3}vPBs^ALt_b;n<qalUpF=*z-St?r4Rvxu8zeXg
z4(Ugw4vS|wrc=jM9KERI?DyBzl~<4TJT3)3qgK?273=H<9B?43CCAknG^8pVCzKOp
z&mU#aTtT0EjT&~6dgKTKlM4+NpJ{kk)Lw^rjqFsML+*eevQi3^%Cg1j-!gynL?0p@
ztF<b%@kmtiH!(Ih7w>AlFUtddd$VpT$*VC(ZcAaw-F#*@a}DiyB=EA+-ke4yDmg%2
zV60I8gL^B((ymrV;j<jAStCiw4<4wAnNW0|x2Xs+=kEFY>W;o3BBBQ}5S$KuiVgyC
zy-cUC3qfn7_4XqHcfT=L2mxQF<J&L<m&Nsoi&nd>LiYFozd;`xT>kh{7&4qW@vT1$
zI-u4Cx-fq6fe1X9YjmgSCe#71D=!EZmBw+M%Z6@*R2Zu_{9RmQ*86C-!9b7=azvCP
z$u);NA0Y>}Fyop$cR;p?8(Ef_OTT2PET+-eQ90iv)Y^FT*3cKuEc@7Rp0WVD>w}$t
zFVR2*L4v+cuc^^28^Lb#)L7FbmjZQ~%|;m6R*+rsurVx~JM7pO_HCQfBJ4Qy*r)!W
z<Oo%q1;)KW8>qsrx^V%~#so47-?U`u4`S#9Uu7cPlFy>2z^bGsA<6l!`9#XlU@0ip
z>7+|vOzUbV=8dA?`E;v<UR2k*(_42!CKZ22vvb#&o9sMi9-XIWw7<iPKg_Lh<3zko
z)2gcF8K-(->O#fcWzzT2LR<ukH$`IT6Q#HUw&hNoDO0bX&*c4Dq6O00Q<(fC2=twR
z86@5aaWUdYLLU(mcUTYywe(7?H>e(_>-yWV1?eewHS(o_77Sm{QdrixpVrHg8kOwK
zA1r<_k^H)SI^YUFu3#%$E{lzy^w~Da32qq?>Zho4T(@joY~1<2Er~j;Xd5@_Mx{wH
zRsn9rY~y8Mxbf>N=ZNJL@vBf}5-|C+E}>D$?1=}mipa*pU-AO0kcVTTMBhZ;YT_y%
zL)8`68;$df(dBxFBr&MAs-rNK?^q|6ytb8d=1JJ{$CU+h^+aH&>Ov}_CIXIuI+7*P
ztmiH&FrhrAiIpQ4=Be$11_y=FWtrJ0;z5uD+V&=%6KB~bNpwOaivYN)Srz2mnow!o
z-bGn2%I~_+r6xUYi*0NAm;f+9_XZw(#;4$p@5+%Y4DIkR#Us0FX=Bda`wd7GdLDd+
zRP}LfWK&cpYb^|x6aT_v0(E3cN`(hQvv;Bvk+upc4Pj5K8ty2zGCK<3SB4Kn1itn&
z#f?;#-6(jwe$`Q3=b|WdQnC&rWk!8LG+1iL?%+<S!gGWl9Q&ldlFzdyPZKm|cYmIo
z@ob<*?o1f3ffgh{0b-HK(!1z2>F0fJT>nmR`2pt%cV5Lyf7slmd?uF$C1c;Ko{+fK
zk33#L4arbPlB!{nN5hNw>MU)e9N{g;Y3mdvfz{)@eYdWP@-Geo0j|O2gNAeyyJ?mO
z6#HS)Nh1*v?@TQTutj;s)rm7iYqo6nq)L&GHARma=cz17c2Hf+UYJ>-^V_7Qc?|{k
zwouA9hO2Y89V(O5WuTG`qFET+F3GUQ;O}iEi>D`bZBA><&r5$glKvbrxh!*X+(fj-
z=GmW33+er=A5VtX*O8RUYqFfdW5GBg*YPyYr_B_^AYeWi<MCDndZwoG=K||-Z2rK@
z2eIYczzW47`le>?zf3R~at97rop}u-5^q0DwtQtJGsnf4r94aw20irKl6~!;VxiH|
zP4ql(rr(!3{gnklBv$-L?#chBpN6CP+~8diP?m{Pf4PqSO@v9)`Os#Av0Z#8hPENz
zf9>yx@}@=pG|qLpn~F@MFDE$c6LS~4`DyM~3TRh8BvIJ}q?nfWTNb~GhPjCQ!!LEw
zO8tP8q|Pdp3$Ya}zUw~+l%L*`TE#-RP8?^8<75*ocD#i0zLP-Tea2xhGdS2rjvVs{
zj{Vm=RqLi3O^t=q5Jb))SeNe>%Qz3diD&AD*}vC)DKF4^a9a=0`eLZC*j#9lO+43z
zq;Tm7(gr3*W&g6KFwBN})>(GKu%<X~MwjWN?a?>_bq%vIUdCF?sa&x6lpU>eVaajo
z-DZoE0pz616mNAqp)g68oSzVjm8v4+Fs#Y-(nVwBq|`u8cK&_UPWf8}RKswdc*+$Q
zPxo509e-0F*Ar)aM?55`S=~KI6WO4@&PFzltnj#qY;;<2Yt$nFeT`MatF;Z(Z@<kl
zWbJ<4bP${5e@=1w_JHQ(F=GBi)Nw6pEQ{ihMsYY$0abnrm2{S|g5>()`htY-kB9EL
z{oLfB*82zr@ayz7kO=#7wKZf4U0-=rJ6P_i{_!_xgtOc}zNjy-TCsmoTKk3rwaYKQ
zYp_-Jxy~6GLI#yk8xrvs<)Ey_wp6Bs?(4Q0VkB!7V%+!bXCW;Grl7@CKosaMCFPkp
zB1plR@=^>|-0UKhCM1UJ1vIQc2ytqd+X-@~w8lxd^*p;aYUj9FLq=dy{Q93nFpuDa
z(x=*7!(uA5u(L^TVm#6|QB_|+1GF=@p5hKs01uMzZQ`U_B2`Ye{NhCx0m{sQZ!XJ}
z-JrjVQ3-kEs?oM!bO2)f8t}lUXXXQ!Ec(Vag-*<5+n3Wk{%?5UITc8m7jIincJ`2*
z0zqXR*MNU|ix6Xg8Cg>Y#VOm%4g`-mk8BdIdwSPYRJ;O(_Eo*R#*4^Z%G06=;a|Bu
z!`B!8dbU$s@vHMoJ*np`!`yPuzcIoD5YQ=vvc|o{QUHJd-+>)cQaIcZR&+dh>+8A?
zs;^?^C&p>QYqX%e)=QvS@B5QVJnu_#K9BRm?}hkXeCtmCgo5E7J|3etA#KKLIAgdh
zU5Db6dpis(GTrnPD(|QIR6c7VUCu{+yI`lX<(yYhZ~iOylX-sC@YnGgrzCq%R88AS
zaEWtX+0rNT-m0%=y=o{biKXvzM(1xc;nNz?Ot<(FOW@J^fPdmI2Ei|@Co=eiySk8*
z@BMz~_1%7C_ki*AceFl}MCyrb-{%-;eY%@!D*yfrt-YRY@#8Px=|xa2Q@A~rnk_GE
zMywNVI~x`{;ZH2VfxkWX*Y|@@dbf03C<lKmdQ4Cq2Cykd2(I7Rp$}2LeO+YVe0mI%
z)_{(l!aY4?-EDxiXjZ47T68z-H`r%p%Sk2LVT;G;<Qd67cT2k<;o5CTGl;35IY!-X
znlrknors1cAI@#D6nLQ2qdbO3>Pt|SBbd7HhRL`!Bdq}YTTHYBJhT($Og`avQ&80n
zzc6)P$b#x^EEcj=zn_9x-)ixix30mwMo-V6-0{x_h1N%lISjU8I5p3%o@kL81ov7f
zsAUx4#;3u#>W*M4AgJ`M2KQFo&FOWuhDTz&V_sMY6ubXTci+S|lGtwK1U=%VDd6R?
z@TMWleb5;V-<p8bttKO10V+}6F3JnH&Gct{iS5!vu)AT-VHIFRy>Bt8cz6uN*7AyQ
zBZ>;d92%Adb%{e8aLX|56M6n=oKhdgd`hih&)U)Jw_3dem371%LnLknxjD1BgFJ>F
z2TiqkPLBk`u)o4E4g#SgoVamoM(MU~Bsug^sYBWfC8UZ*tc83$v*6usI6Y@@5e$#^
zQmS%5HggIBQD8q|j`oJ`T>WdL!4N>uKOh@4)<3{7vnXP{k`G;{QqX}X(N^f@Whk<-
zU^DrUcY7llG4AXH*>Nq{PChIP3)V%%yw8-r=BpYW)u+lOWvfEYYO5u-e*D^GvqO#*
z0&758!<>i1h$X}p5Czwi6zdnaaV1;aDSIteDR;LIb+)DddDVz;A_VcV3&CwB$|tsa
z4erQgCkP_YS}qVSz@el#_ieHPxAwGAE!t~`v;M)sh~1@I1e+t(yO$UOBXuaRML_q|
zppek$!0^oZbJB9{6>a#mQYZa=Co?t9wJ22MOd@)C8&SUn*TG(?&?Tr!{d;;>iHIFY
zLWe}f$Zs<dtTYHB#8YsGX#xRE3^VJ4^=wp<5vtdsPf&1hSr6%BsORL<R_@yc=K>lt
zZZYi|Ww7&fj#TW@Kz9dpkMqfxq{~GW@n}CCBXt|NJfczNL^GuI!<Yb0lv{-^;r3kd
zm71n!&h`&&>bCP+%e9>=tG13_nc|Ee`$bd!+}GJIh%68O26KkluQ;u#ryuLb9$Awt
zJewy1<vE2^Sv6cu@7C{814111H-l|yU0(jth$ouSEfdw+6rvwd<X}DZf_T2ywVi(a
zkjKF5r>o10{A$dh>GJev{N<XXdI8_Eqb0iA%_rmSZWo;qi6k2-6QWxmGTpJa4Nq?4
z*C#K|zfGA4l#`$_QcrZaxyak!(t+FF*O?Zb|JERS3(T9-32@S4y@_p(t<Q5uzQQH#
zDA^uV-prfJupCrU?Bq^un45Z_xYr>k(XN$@8qtLW!cQjPI__uBzBo7T8U%05oztOB
zJGXBgMJDaq)N>Fga_zEk)WVYsulv_4rE<KxS#DY62a%{iqxHTlIK}Al(a8aO>lIe)
z+m2-Z<Gs4ble7ml!7DEnLW69R=aAJTP0LLiKgyOGHs=-;bSH0D6wl1Uzk2zvw|&o<
zAx?NbQ<-8ie%w4~RPVemS~)zeb>*nH)3zqOaI2^94gvG1DDnVrg4gimhhcq~Mk2$4
zR-wQuL#H{|2TrmD!rXtZSBJSz%~0aXGj=jK5m{ReUah*%THS^M;Vxkk2CLSJ@?NO~
zk>vuW6FXtf3ms2AmS(^Piw8lk>i&fNq^z%VM+P;NyAQmn6A}?bP~$dqonPr987sX0
zj7f$=0@Jd|{g!B{tsJAbat7*hM%)#@L{|o9g0~|!jNDp`P=#&i<uc1B<&g+~DcV7~
z`=zSiBU0oVG#f{ux#r$hFT5zm2Arcr-M8q2;PNSxx~yCed%2zMiL4rxg9n^eV1=D<
zxeDsRH!L!FZJW)Hjb|>oX9{U=60M2+N^x%!SY7<RuZ8*qtBZPJ;h5zju;x}tS0U;J
z|Fv0<p7ffj+81M7xS(e{AQv_An4HNMhk)zct)IjE#Gxvjlw21lYT86_zoxuUMVy^T
z*U~`vxy$mdV-lIQ$~HqhM%Nd9SF*qC^tw_pk4GEZ13~Q<;4Q~^ozy{xFrT+kvuAsy
z7^-aB235Yp!C|hfSn8LsrLAzYiIlF~2F`$5edbo_9c>#;IW~u;^`>gQiuReyp<KL-
zFFz<I#Ns_EP99w1ws}Jm$Axnx{nX7-_@+a#bJ%}sx8tR{{m=aHgozAAwj9PIU4xph
zP^z&2rP%JeNt1Z74$naQ^>nSZz8^8(owee+eGnCFX~lq}40NgOq9oNSCTYUvE+qa<
z!oB^B3+eF_g1Vd6+}01Ja(i1%<k+NhgIAz^G<tHi89X=L`7se;#}?O9mgn7us?IBL
z-!abeHFUSg>PehOc)sxA-F6?7v^Y-L-;dEKi6I+)v`J8;El4vU`n>eT<Gz~4=~6x}
z><&!(Qw1aCyc_Jjj->l-rlZ=3b=|!;V-OXS>QJ<L59C>JPvov!U8vS>Su!*PG5*Ot
zvZ_qCP{w1}iDlH@qHj6h(4zkL<m-f2!`})>TSSR&cR$68zZwKrOs~D715PT5C!x-^
z8XxS^@AH@2HCf!eGU>p?pR|&~B>ju>n8w*t^U?!GJ4*xynJYe1H>K6&(@iJXH&R$8
zY2e#sSY)nCz>VR>Hpzsz+^7wq=0Q5$vA9o>dB$>|mcu4xR*UZ2Pt;rHiv5Hd9Bc7I
zr|<6Ho~saZ9_JM1=qL{+O34<yIi`=Ts^?jbZ5iF&wf~y^D^E{2o4rgU-+V`DGf{O%
zno{^xaMRB$La!&d7;Oy2N?WM;))&OxINoxLrI3I)-q)$JoaB76DO2a?2kVH#Iw<-~
zilz<|G~TRy&UdWOWBVd@$JZriBA3=aHA7d^X+~_#$b#=c3BCC{C3_89c+@jIwj)bc
z6Z;fZxI{E+tPU4;eqmxt{Xw+t$ivI0N~EgfBcD~<mk&kGXpubnwM?T4Y@l>Kolm!4
ziyV`R&c(l@DPzLUfEYPqw@Auoli|ZR1HHMjBKuwT-?Yi|<3!m{$L~|Ir2(CaLbAJr
zs@gyoBfB|Cqz`Spya#=NvfwOUcWIZ?6NLcm&n4rAs9m%^Y4(n5oZ;A{=f(&g@?*if
zc}{9w&qV&EL-Z;Y>)4>E&eX9>!C~ln-14{kFzVV%8U?(AH9WfI&>{|c;fOaQn>HKM
zjg?Z?qy#U#7PxiNZ(U^hVo}4`&D-&I%z`eZ#;VU26Nj^*xRxWsFUiwJ%<A55>+!yR
zb@GcvDU<t1Qbm3kgor&sy5<qap>*T9ZlB5U%iB1SXgG4RJESTqI0kB#v42om&H^E-
zALiCveS?YIx|-Uzo@eiI;Al!zidSs1fuh3I=8VLmDs$I&-H0X3{_LUu#FDw*&T7=Q
zH_s(?GXxOskouuz_*xR6!Y}2S-Cpl$KiHFzNRhY@l_z@DoO$g9yzaIfPdt+Zf*V2Q
z)tXVG|G9(|PO}oZ{smRGi%A;^jGH)2Y2kdjbY$4z_lv37w&l-o%}oj}ZT^_sU8{#|
zu()vq?h6b<$$P#}z}@l`-A$+Br)T$XG11dm_X?G9JjFwe#%o$=9m=w7*_&~P_vVd!
znZLD7KB_REpH|zJU8fvBQ#4U2HWf3**f}&$_vP7yt=q=5!_siM95QN7Zo)W~MR?>@
z!NbwX{iHM((R{>bS<r_M-?H=?YWG+itF!Y+E^sfV2sN~?bF9r0leZv0h_8?d<2nw8
zrOY=ghLuZh8G2ohqvZDqH~#Oz5=SfvE4_?NP~}hSw$2Lb=zPcT<&+zxd{DYj^Lzon
zECE&A!)P|I^h{(a0!cq2_>5Ub_(6j~aIB4m>=5^_nur7P9Hil;;`<yi-E~^oS`c=6
zr6aU}b@zHpl|5TnNat>AJ<+;qKqXU!6otD59c3WIBoC>c<t&)id-P`CgS!d$?9OGL
zIzmFPZc(UP{S8CXq<zQGy&|!^w)Df-y3Kv}>$u<0yporR6F#&ouIJ_`q^a4G*ScPb
zqWerjnhd+$`eX~@8xoYYp*7QOQYJuUGoQCe#099mulvfOW=8u_8_EJ=eIxfqO2qiK
zQ^xa2poCh`Zo0MTwIrG@<5)*R*qdfTTBAE`ib4T<cMApN@M!nXPKSE$a{k1VT&t|M
zOGGL2J>QNWNv<=FB|z)aLiS@K3qM;mY6iT1%gJyhujr!sE0uyz=;-#y_szOXB|3v~
z3`-qqL4`}{mRF!02QSq9i(iy;5FczCzlu!#3cbKs?{3mVUFe<}@{1|j@@DgIRwZ0(
ztyON;da(IH-}&k3#5u`O7HX5N5V{W#xF8C#)S{;~@@TjyZCH4;G}XLca>7xd;l&)&
zNy$yG;jR6mb)F%#ci)F+n)`0`<-0V)Z|4d3P+}*tlB-mf38sx&)z&*<Q(?Oej-Rcq
zh#c#Sv6M#li|*AsZ;&2K35HI=BJ|OE`1|96F=M%Ro5s-WV^#I5LX@@w;RupaG|4-(
zCp#=5>GNXP_usNLSDQw6)wMpbb{)29>B<(D`8&oKJZ@RH=?*1A_2jnQJkBU-NUH3m
zK<i<m$0nNNe?2U-mCp+ywiEf^LyU-_MBuxBX60`!dd9>rNte-jrIm7Ai!bh=f1cL<
ziPq5M`#P0mX<CwiA$TRy16!TpMUhYz8yV~SB%M|OUtFjmcZN}}^N0W*NI`VJ=0>^3
z+P7pWYo%-ngYi9CvxhT8JyjRu-o!%=rvoTzIzIWiHhIN69p27DU<B0m4o`F#kxK4;
z6=S2JMFG?UWy|ZIQYNn+RR2hK;jUgUitmxP9Vc}t#CG?YI%zv?YUu09)FKwd?ill<
zNecO>QT!g3<MYs=&O?rERCy00Rb5D*5!+JNV#ab&GdafX*i9jPed8(_=NOGD-_bIJ
zOGq}$k@wi7$0UBk?YeJOBt~st)(Yp5#HS;*t!4GNNBgktacM|H)+gwN7V~$*gvCXE
z9n<Vy&tXYFL-oxc!b00I#v8+ieJlgXN#>7jXNUxBIWwH(MurZ2=??NrNhLz(=Yrtd
zm}##Qwp4*tYLE;@&S`56>y7msPc_w~S>Lo8ca#tyXF}Zbu_f6(dLiJ{XJLPU@J?)0
zS+-O4Ue3(Zzn<Ms<CA#xHdB(6E8*Yydn~V>ZDhEbKFK}e<Yu|!7o#c176rc95htZY
zv_6UF@`H|1*vRmjYkwjDHpQC~?IN{7U3VFDDXV4iUDJ<MS~^T?QPIp2uNiEc=NO(G
z8UGf$#ke`5iU=Z*z|#n>s+d!Q|F6rE|DEf{p8ucUOz>AW9p3fs&w<IJ=-G^dW}zD2
z)LI`$X4hFCPkXJ@m3RvH@g0cI<R%eI(Ad-l{hxhoJ;hz?7@mUjo(l7rzUsgUTS8@C
z?!=0QrV+yWoh^jviJ)kk<9<n^Dob9jCDCnHrDMPraIkh8Ola(5f+AR^2y}KdrfQ}S
z^S7${FqfREXnlsj2J%-PF2Ml~^V6ZUuvNVlm4YhT7C!pn&Z1Br2xq>KPQiRxd?K{*
zHz*r!X-Kyj2ExO`E-+k+C=Y1?X$=biPX2oYbZl>;`<KP)-G9i6^1VB*&U=w4LRHUx
z>z?jWaqOGTz320SL2%|^x64mXV~FhE+FJjl-B<psztOpcu!e<;)ev`E5BWV=RLZ$+
z+v}G0L2zrACQ3<Ll?u7pojhxpxvGN{^cLIVx6!@kOb*5L{s1Qym-PM<;4JTF$m}Cg
zE_Q|M_D7m>fq)c>pn3{_Cn_-8i2nb~JM){d>|2t{wKZfvu0F&#vYBtDNI#$7`8uJS
zVk2s{!oE&8`2{9A$#lu28Tr1hHfNi?WX-j*dW)d0d}hM@9IfC#<8j=uvpW?lg2F^*
z-`}Na>*uQwK+KUhFrbGnLs@Rg|0HfxzUMJdIU^7%ZL2z-!D*EGk-3;l#><iN@>3SG
z^k+~(7W+9-<WpPKrGXYju@`c9UuMCwOV!fSoWJ7qMCbv(Pf4JAG=t!z6wQmogN2p_
z8-?F8*PNI;Oc`#e?+aRceD;7Z1S)<?O_Bfjs|Ur_U?COx9HPdSbMl$ZU5<@yhIQ_9
zz~cJNsi2l%gT(C0daLFg1ecSpId(!(;SG{*dD7R%P5gS13TF)A@`*QhsNcy?TQWn>
zWWx7ECde-O8C`_X@Hn*VUENb`F3Nz9u&$|^e`dr!?#}wtYoSk(G%fOC>l()*T0tfD
zDQefut1Q9FCnEkcKrStEXnre%FnsTr$<{*7_GXKiHbrS$<~h@!mJ~tRY@4r|%d|jV
zimcoGMi5?|8o-yA(th8EIOH@1*n75su-5yLn=mS0?D#yrjA6Bz(9+oIn|ptD!})1?
z!QO+w0JMG>qR(i;=A!4y4L<$GPg9ik(anIkK1N!7nF8gX-gIH=E0(J`(^{o`6<Xv`
z;N!>)+gN@PcW1fe=r?0CCSo+L0&zD0M=_x@ahpwWnIRD+GRd4jv~hbls<rnQHnsOY
z24Q<(+;GDq+4RGbjzyuo0%Ws9NZ)cx=Z$S-OUGevlQA>}m1q~6&k{IMe}%Z1?$4t~
z0Zf5tO6laYm%zK@wp&b&X~Zp$S#GXf$nc0MFz6a7vZcc8YLL^_VISAW)MW^m8lTg?
z^sh&^xmXi~|JDU5H8X0=@3u;4UCA9|8!eS10A1)hd6!~A9sQR5iBQ7PPyUl|;g$Ec
zFAJvhS0GDJS-W#d;mm^gq)Tj5ajcpUr#2=I{T}HWnW-4WgM9iT+|7v>nA!FtkFV;t
z2ncy#k(ekHXUP6pe);2NGBh1+YMr?r=-C~1HT6w_|MW~1VfJo>YdJoTk~~e%WG}+(
zRll&H?&bfPVOrH*FM1(FbbPX3K2es!`vtnMerr!O6VJAIyY0sAh*xhPdn=!OOvvS*
zjsu^!hz|M;oTd6ScO`9c8E!T18N(c6JxgSo<_Ht4l#}>z`gDYzW}mfwV*6Hv*nQWg
z<Ulc=dIbZAz%-U6k*TLn9fqS@-gF;AGhsvnFui4d+pLZ7&;;hTq?S&_HZw$g_fMwI
zt@vm1M^vFHvx$)iIp!oLEwiGb)LTudBm`Ako@_Vm$p2sksp^T3Frh4pa}NVQ0Q~GI
z?$$lW-Tv}ff!6d<<~9pRSL9p<yW35PCx37d21P64MH7+fCt)ynvlMcf-+tDwz|L^3
z7h=T~ovUg$G#I(98WC&LSW8>PTsCo-*ZgQX>U!vAoPFyvu|J8aLiB$U)7uGbW$l>R
z(RNWj<&ZnjBXf1wj%%@dzCXk|#Fap3WLXhq+?FXoH{Y~u8Y<-!=apa3jWFhR@<1o9
znL4tL_L@Gmj9I^nRtpYGHbW1E$Hf-y?!Q$t#GPoYPABq*@jewidN7|V3%z3a^NsVn
z8>Y3bhCGbX<V#e&uYMdYP5#>Rr>waHQqug*4XxoDgz*>aJtezC=X<pHIP$iA{rZ*>
z4?RQe$%lOqA9Qn{`8iVH^l)-1LtYZbG?eoX^Nqc^UiKIptqM>=Cyo@9o@r^?LY^1$
zF}LKpi=0sKk-2N&q&?z`wo4Ts4wqCMJ>5@K)p?qb)5T(lq1b{>s28H-)XeD@ZhW81
zfHN2Tr~+tKK=$3kS2>QhB$p*z!<@7~M)BPu-Th@Hcq1NZt!%b*n@O56C5pkPyQQWw
zR~*53liz8zN5hUjjIxeFyd4#0_<;X-8a-Cj*<&N@Y7=K`PuN**%EUmSIkZm2U*GYG
z3L_zW^X3l?oI;I-fAdh(q`|YZ{5GPw#Diw3AM+Td2wuY_SSd8JE(+Bbw%=Nt3{5i3
zEURk!hN9Uno3^Fi_bAIK`0y;pTgN=h*|?rdae{1}r<l~$Y3hdTcHU$gTo=vD;7PDQ
z?9gS%&NPx%w#2Q&jhpSCNuYNU6(oIaJ(e)r$Iak*F&xBjQPCTm&ePRm`F%FsEAXwJ
zx8(f!kE}!%>idg##iBKLl33m8e!ZeDaiXydbiE?XGWI!fc$)G+VX6Cweg{39`;%Jp
z-uk!YkM;7KvAyKO>P5ysud-7?s+K1PcDcloDkl5ZQYKvQQjQodG889Ov1gW*+RWQ9
z9#ZgaU&Ow?s2>t-f04H0`kxp{HPK^`37U`cCKszmZS}d}w&c9nI2Gq8#`~|rENk?F
z;OAPzwJ%BiP`(zT%Fz7kt4edTy6K?rQx-e<w4a{rnxTE{ie~Y2lH|(xw9TjCW2y(~
zD#Nv3l%kwP%J{)TS-VSpp;i2&5iuUIfwd9iJ*MSHRJmz6BWwKieBx$I3a$h94d?pe
z`uQy!oDBBxv}1C6nvVT-SPiU3yqwSj2eA+oZ?4!E=pHZ9b~<h($bLDl;%X3hHJ*jp
zD^<+B^XfRQM;EP?*2;u7GacW!`S+<M27jy-Tpy}tqdVTssAwQBcGTZ|xlE$#cfaDr
zWJ0E`TCEwvrC>Py@NT%^oad9UkW%zdwFApW5>(qy!PH}ublr~S<f(l_w;97{W3{63
zM0bmplAccP2aP|Bqul>(9Y}LycRSEPp|Gf=LX~={C2pJOO)kG~KyE>@;k3v2ma9UK
zcEXQc6&91Jc|wSi3vzKid1+?^zM6XMJs&ji`n8_cZU2X+ErsO#(xM+=tjkv<tnT~?
z{4!2c%8WBSZ10(o=f#9c^b2bw(<G&g?`f`WM?W38%`@Lx?*!K>ACs~~gHaTp4rf+R
zY}UW~a7?fC^B(IkNZVgW$1!J?AI;}V|ANqmC$&ktZ`dW-#lMzGzW4ViQaJ3+jfqYJ
z{Wa|e*w-j2($<){vdag>=D*r_>R6>O*FZ&u8M}A9)MNs*juyzRy<FND?I>Suq;?#H
z&C8=M?0#BLUAne6;ObcG>*AlR*dSOwRNP5b<W(&2m2_AI0G0}CFsSu2Q9_i<a^%lx
zUqcs&m+N5H<|4#RG*zj;tn7HHHEx~g&BjfL5$ur4#rkkBG}H16(NccT?~|Mb-Q$yB
zQ7+XoaidT4`E8n?vnju;uZMxbb14#xeR+M^Dd&V^w8GBn-a?H283qi3dr(O9{}V@K
z)OqvrZz}H1!W{D*OICYQrj1%%pW;ue@R#IKqQ*m3yEE=h7RDY3p+c-#_3xtZBUgDt
z_;=Xv2!fMy;<~5S%D3OT#@`<CU3rhKvvAi^Ih6h0T*1}#%Bi5V2$``SSPnUs9yL$K
zhPY0tKO4ETxt?;dwoc=j!xZ8+*9mugNs6`3^;XAchSZd1bswG)RGWzLqgrVHO2Io|
zxtN=n>|qtnS78-i<L(y)mOpU4a#O%+@-KB5$aWR-(HPxdzbPs?Vdu55uW2{I`20vo
z^XTy}h!b|Q^~a6k-tHTh@1nROSgyNUe-aKES?R+Z9HQ4fbwibYyiRC#9PM+{78|CC
zU=X`1y6*n$e8PR$px{RRvpJ5YeAa<+XqspdJLtb!5t-bv4J<RadLt@3B;AqUT4-HT
zP3`_(q0LHzN+`-8m8407ZD^RxXtC%?ySDd#!;O=aGmmSF2>8P<9{H(QRU0PM&r(Oq
z^73&_e_Sg5k>O866u+`PBjuOyTi)QeYF!aziK9KYZ@J(pvMs@L!ZVcex5%ARdreIx
zSoEfOhp%L?f28)+3AV!*O6fJ(YAhP2Cx!~)7m^`sMO@ylF$k6Iq>n`jx%da`*Kqnn
zzck~Pj^`CRM&{k)SD-B)tV@cf7+p*@5!Ld`u@~H?^i*morVdBDO)>>GZAsP2IInC}
zZ;Wpuim9z>TrKozM4i{RORZ@LrmNLz$S~0ePl2W2G9j4(`)39PIvm*gj9`4XZ&gOr
z@a}3T8gaE){TzJCF5$dog-2L$eXr37hHB~V{G&3Z>1lXJ%E8z5qzTqk<Al1{QR_JV
zL+uvEj{2UF=>8qq2Q?|AZsP)M=f|S=$)3z{X}}FjjI<?SxQ}QHjN4S5)`|7qgf<F_
zi4O&(`HlkudzPt(iiRwk32pJ&{zXY;3As}x*>zXcb)VLdUwmlbl5Ws&FT36uzv|ha
zS{TT+i6xfKGKf#jQx^vkw&K}pi&EOH*YNeVuDhVt#28&=Qy?@BccmHaE{QmYv+E_Y
zzaKeg*Y@Ab<`hU4BxCgS-Z7G|E|^o}J2o%yWlCBSiwDKf1@F_(jQsa!KG={l>e^Sy
z@*4(B%aSo=?|R()NF{w!mQC@!k?xf(N&Nv&7`&nK-on-g-D|5bb9Fb}#~c(o7uzxK
zPiGS-@E246hX>GZd=?gvO5ly%_)qPAf#)o614VHQu)6<B=85g@oWYYIb1wfEDWK~5
z>8KckM0f%W$$w?DH)&AfN-N1bwad<sJvpx`l%%5YS>`@+TH?=~|KA@FTib8=>fSp7
zdvk27i|XCNf0Yt{i}^I`^AlV7);4|nKl%Ps*B=C8-`tODW~e>gHhqW(8bP@7W6Nf6
zYVx|)cFngU%Mog;{2I)Qaj!e!`in9LwIir+8SL|BGuks$)k#7zE3nZ_OdsA7`+ALE
zPiS*d#FCj;-It`^CghQ?_NQHEr2zMZn7Li=1(36j^zrMbbhv&ghEyyi77>qlER}8D
z=ylBSfRU_WDbOsN$5=GQSTkh#oLIf#@;3%g`CXFyy0VimEgHgp;Gk|ijlMX=1L3Nv
z=x`-8fg$DeQ++!t+dTkE_$Y6<_qk7#es`yG--D+Nhyq*O^R=8I32F`^SptaS*gBEm
z{qfhSHi&%ZI@XnyGWYIZyA)$S;WfTzWt<|*5D8^eYmLqZWzMZ>iM>K&RebHhb&Up>
zn49p#re5=)a<;OhDMhPYy=QadT}7`yK9r-nYKLkrx?eN(#wt(XPT+Ne{YLaaTdR?w
zh1THXrEPoige!>qRkXuaKc=JiKil-Gk7iITCF|ZDiS>iNpME3yhPo}++`#u4x+o4=
z#!7sIW#34-^SmI%E`+6YWIh)bCWS|P`|O0puNJ^h#*8-%!glP%c>iD`Qs;>;%b}wT
znd|G8cnk0^cQnmTNSs%#AYfk5XA6S+groe<o{Y|6OG4A=CEZK8`fqYg8aekhmdiEh
zf7p|rw2y5*k9Q{w#MgQ9mS}3)lHa#Ywa7rm*1wzngr&$9QgXGAa|DC=6d*UB!fd`5
z6ymLHqc%SXYzeb(x!TQPSvy7cX_)Q0b~Psx%<Y0LDGe3bFC+)49ga6cg5ot3YZI1d
z^#<t+Qk;2v@o0|$B><pA_^OHM6Mw8uAN?$*t!^vgu?Y6bTXQld6)njK!WO;)?Z7jX
zri6~RbuOT@0vLzOi4$QK@D(rsqd||oXI}CGE|X2%u4ZaT*A_WVsv&!W8xaLzt{ACg
z5!wfq{j>IB%l7bewx#A}{<_s?hEP_2Vmq%tc(*OhHA`WJdf0%qS53-&Pg8x4+qeB}
zqZ5#z8me-q_3D<qZE<$o0iVV2heJj40ck2?QUU9p)yjY&r^QRk8ySlX7zuC5j&eR;
zEX8u!yiCmfc)8kx4D%<3tb$^r{K5R?N1@Skc@+MV6X}Ohfzpgt1H9Smq%en+pN!#y
zDA|hp)l6bVZuexk$Sq#4%p)Cok)ONG&ZjetsvW$tWo*l?f1OOPIU!i9WVwQXj&}!T
z4(=`y7%dazN;|~OhS6-Ar&^|m$qpgE7U@m6mtr(+`GUmTnhW*|%{jJ`-fyHsFYIb*
zyjBvbD4%c$4OzadH^(CQD$6oFNHDudP2tTtS!khlgjB`2Yg6|`u<zSg+uY)Koo^<t
zY|(}GtYg3G$mKSzJied=Jp0Y}N7O<~jC4lYR<Vjk!OLR5+M26FvKJ=h@Tx}6HnFGS
za|;i3F-KcXVw)xKKd{p91I6^6m&i^&@Vg*gbmWd2Ik!p_{Qc)!E6Qwt@FiahQ+U1V
z0;xv%<FAgN)Dmxrn!$FehLq@qI^X04S(Oyy(;lCJY?W0<)?XL1UPWHFhl|c<L87eI
zE`z%2TMFyu7b)H`=>6XXycHVgM1~ZN_o8{<>S9>9k0!c!=Ct5>YTBxzi~9?)18!s*
zBHeA{w1$2g4x(#uMZV5#%JKA!sbm<QYexh22i!1aTkAszd|G@YgWB%7CVFFKd5cnR
zK^mGMB8;kCbWh9hmpPP!=^JVu+|m|F_-Yvb4MV>4<K%e?*Yf0Hw-h<^qX0tq=zzH?
zLee3Bw9L+v$`<uFth1h+vV1Q0|Df$n+@XH|c>hY2Bo&FQ*+qmH>qwLkDrH|{EXgv)
z*cnqOS;xL)4@tJ{J6XrR8#`GC!^k$njO7e{zTflte81=XuIrrNb^ZX?W$yd^zVFxT
z^?W>^Z`G(3Y~?MN{H~AT_djwt!!Hxezs22y@_Gsfk$~&|+oP4Y)k4%Ql-V_jaB&}@
z%u)Hf^s@39qldMu0f+v*0n;tDBZHDOyhs5|CrpB~hr(+NC;R$<cJ68C_INDz6$$bB
zQ{VUqX#jD)K-+`AMp*WcBJCfMb6kOtstPLv#wYo4xv5}s5owiG+49IPdGlSILnqE<
z2(iZyenGQSD4=7dzZjC4TRbdIj*dzA$z(f<_BNDuCUUZ(+@5eDW@bnRc?U3lcOTuD
z0w`}Np^ub3Kj3$_EtiK5dc7vz`<Vo_oy2Xm114wuyg7T2f2Es?O8h*?mD)6<gFd3q
zy+~Vq=~tGiu?>1ay6fOmg1KB3Y-xIXBntWLiw;A&Md_i~x!Ug%PIIsl<Pbdy*qnf+
z4HY1^c>Cs?MW)J!Dk6N0di<DtQ&$T<$}f%1>=rky%&+D+Cox&&L{4yxa7T=HSVLQt
z=9s6Ys3FngGI$-)tO081SJA;zbAq&Y!@)3g{dv>~l}5;id)^JxCLuA0F|7`!!WQ0Q
zQ84Xt83zkRnt4QqNuOA$)feAEjf?IMr#E;kshuQE$lwc`aM^cwwZO<ypCqA&F@Ybe
z&hV$y7RaT`11HSV*J*y=0C!1cNoHFtm%5QF6_D06pzhqlGOyes!^x6@PnQ(@Jt<+2
zygksNOC9Et8+Pwq%t7(&YShGQ{UECpSyM&0dj|);v*vtnv9%>{X1$FfX6E)-K$TQo
z+ngznf<3q18l{Bwo@8!Aygc*GS|ZNqSgKs$4Obr3`<~x}!$*BHvCKY(%c9*ZFsW6`
zwbgwGbNj~i);Fw**~holx<e{u;hy&i<C1Ffnz%lU#`;xfT2B_2J=w0COB!~|1;<`~
zyKbJRD{Q%j(8D+pbm8Yq@?X{V20)WLodPOs`s|YB&p|@H5bBV)7r0oS#GIl+t>dRA
zNa5jH_<hJm)Q&MH{m!_W%iV7H{kuf*UED#^My7t^`=VY|h{W>}*q6a~I|;?;(%?BD
zyWgbpX*I|_N&=oz3=)+f)Q=>L+y<BDxPa*nyqecmK`;86G>x7P*-3^L@?Gu_nLvt`
zOY%Pm-6^<n)mff8RL{uaa>=C>(p`6Yi*KnrCwp-L`o$umZG(OP)q27;9H$Qb?&1^@
z)O%_`)&_UrmOg;2t7!y3iO3o^WP}6;A;`KkhYYa{Mc5GD{-PQ2hDOwqKS;qG=HqpQ
zi(^9yuB=vW0{ch0Qjjrbe?7EsXJqxjtqE6`1a|R(XC4m8jdE>5Ij2QZMsIi7**Z8q
zWmOiT$T@nupI$5PCC`)yOs;D$tb~+Fht5#dJ+)gbkpgj?ETp(ue!uZlxm<i*sENL4
zXnH=rs_<PIXMvHL^;kigt0a0E*J%8`g^`b#OJ_x!zxJ>O(KWUmXq)60=1F}z4)H4`
zQ9><}?k}E)&ek4*rv^TzEay-;GYFH*8BHoy3n{5GUGi|d{ybFiD@^pcu72W>rcVrE
z*&Dvpdl3JdHU(mcDIh9*#Og$<U#w(vyBRCaH}i60fs=<B<oG@Ty}2Yg{jT@eQ<Zl5
z!1@av`mS8~aD)lRWG-fxD{3V29;fLbrkL_!l}1p?(0Ru0-KBunmb^)me)y{T%~I~o
z!v|r{3rFtxmmAx}25WyoX_Z@KyshqFHl6fQx_Yw4b@jXrUbS)sG;)!!7e-vuU#0qt
zpT4nbHu|alnyFBv2_^1mu)A$>oF@~}V*W`W(_qi=hbKMQms)vh-U>fCFg~LEBDlev
zWzMEQZ5EOIdhomEE#eKg!h37&)`{U_fS&J4@hvbN_A$0-s4~4`S>79fJn%tq_`^x5
zBh`y_LKA$0Bb#bQ8}r%uHp9BV?Glo=Q5?f!`OmwJraZNIt$XdF_PftW9qm^!Tlomf
z<mX8CO!VI9xuNA3Hu2~1ZHzS8vzRJ2J`BZLn^bME65q3ZE}j2t7)AaFa9H}5|M%D&
z*MqZ~flg;yWcim>X0M4p`!kc0Z&R$MV_iQWftI39kgF+~)KHAi?S(dmf)u)E&i&Us
z(hhGF>}_Sd2}~gr$K2h%_7F=m-9n;f0K<wevVTzORTQ#KI2CaK_CIb?$i`Ch$nChb
zDZ!5)*F@isx;k~pC8lZSWmbPbO%16_e4CJ|5(W};HOgKOY!6c55tA8Pczo$h@?_XA
zbvy2AKdDw=s|iPa7<;Bmp?82y5A4;aVn}Fw*=nJ8kzGqhUGr<PeyK>)HP~p@(YKYs
zJ9HV|SCz^_^q83H)S(lxDloliMeMY?+1*li@w#)_*yO`6!KgZ5D7)ulFHdwwk^I)?
z^VT8yCu<S_dJlbK-F2&N23)GAP)-`&zCd_~*_nUMQ%t#=jU&ATDOw$0nM1t2NglVB
zv@bC_(^{lAV>S_8h*3qsodhM19Gp?WyA$3b<I{&VxJkWfPr2c32Z5e}-HR(#st{BJ
zwc|c$vJxT|zCm;}dDwR7`?uE3f_g3F0LH0?E8|fc$6gZI*L(4@s`I>jN@q`q(#DtH
zb5dN#B;9ub3!T}pCXKepPhPaA7jK)(oSfn$f&zOXllPehH!x`{l@6lWB5=;17lAcD
zn|$@*ixWXvcKPpZUakV4Y?}@o`}{0Ne?m(;Rf88dnEY8Vh$9D5XW!Pyb$cQCgzZ^S
z@c-Mt_%F)*|7~|EdfP8-{lBE#_^S`wTuu&xQ5O5EgoO7Pn5%f%dR0@mb9ucgQJ73L
zck)v*-UA+8Vqv&mjY&`}*Fs*erKv7~2eE^1!AGTFmgnR?6K0%UE+FY`_Kwf;2Bfds
zIhWSs<^lZzQvg=`%R#}Jo|t?e2G<@%*8cq1Ys8?QrX0uN^#V;9Jgd6oOewyFKerTc
zvyi=Y<S~k=q7xnb`gjrxVH2F%4q*WHv+dSOO&XA6QI&7?1SjX*U#q*pZZkEVbcla7
z;zbmH2-%13-j7Ix?Cj%>Z*v*E!qa>R0E+YPjO+&uZ3@Hc&RZ7V(ahhN*7Ur`K5>od
zeeUyr=ojp4JN;&a(o8Beb|YHJ{`G8?N3&2%bAA!{etrRyh!?Pn)$l~1WVIs9l~qI^
zUP*a*n2<d9`0(TC5TW(({$QPHFWW|t*T#~kLtbs=<+Y^fd6(PDMu_r^*ZAc@PFtOz
zS#osZt=-znR@k_E+)b+0qb9rF%4q1TpozM=u%LfFv>gDCiOHRws{ULqM`dnBwd+l)
z96^<NScQ}$9%qC(@1OwBgumR9$wXP$l(AOHh{C=$cZs8K?TZ(sms*c*2PEbhyp4>b
z<74_D8F%n{q9s;TCvGC7bkVb=<4z~=eLMtcLu3DNk}ZJ6<5*b5Flf@{sjw7!@?1GB
zSu~7xEqc|dRQ}ucOE{KgJ|ot*7rJiK!>^{-qHPuE@8)f?FI)6(BDubO)uo{Mw<<c(
zqvmcs&bFmSx1xshblaQ`N!U8Yk~h1soplE{rUXoO@7yd&LjZ6m{X5oZ!$Sw}bJHtk
z!gzkxpAF0Ev7EMcX!ou%&3A;N&-=T#u;*AOQtGwvC^fG5kkn6-ohb2(OtrILU2jG<
z|MvS-x8GskI*_oSyUf`7%Kll<w*PrY2Daa{f$0%xe-W<l{!X}#Q<Cpk=UOL@Ea%(8
zMx`*HRdk`xFSK>rz2M~$3OLj(OkzwR@~tw^avyrL2jfxYla^zX?cN=<W%qk77*O2V
zrr!<O%BqbXmn4YDv%X8NW%Yn(!Ak5KWhc(Z^K!dc+M~Tn1(uT%3(jd<fy8)2^DeU}
z6Wq-IcbF>=kyA!u(6VRK3w)>XGro51b{VmE-@P+euk(`4XWWO;d}f*z);r^OQqe}H
zV0|VA_+Fh*w?SkGq!y@9kR}&I>p9)FE4*L4hTs!3QufYWLh!U&w!76DE9dX&_olRZ
zS#-yhJN8%;JW^S}b@ffG*T+C9l37N+(UId5J8UTDOgr>4P=?;a5$2ey!AV}dUjnLl
za$P{qWBOwObn0Z}Z~50YW_gciIn&h7uTRZLGaHfyOVhgayyzy<M$^#$xt{7A$@l?a
z9@8+Up$xcp)2lj#kcw^pga_OLUN|s^!3n5%T_X;_MUm-JUH9tUp^eSJ(Kd|yhmbt$
zc(eJpjHauaL0%TS%;q~?Dwd+xt0%bZRP{R~?u_L*)dYtioY-`yR5wv^<yY%>D+j&D
zASyc+UVF0L;cZv8dv~Ly>IGXv*$(2D{~<q4z{yQY3ZX4>_r^<RX;x;6a@fcYM<LyE
z;wEIptufs-BG-x^Q|&A-HZCm}W1#*?V^o`Q!JD@96Grv%&L4rR`sj&{h}FpFpZu%3
zZ;4(|C6rp=*V8pxEftTOXRaK%f5+0;%-AMT!(SG9R+iA%9KAF8C|(JTHK(YJ?(ULa
zJ&NPo7n?)+4U3UfJlrC`)Z^a0F#?$jBSDvm#!sqP_Xj38CCGCs%^q=U+iVnx_1|+J
zY9ds<j<jUDEp|G`1d}G7|5#{`eRZ&7Q&2*o{zH*pGpQQ?3D1rLhE8NfK|t1~r4$eK
z&o<42MdI6hqcX)E=7>OVqaW^L!s51OqWkyuzQ<C>ODE^jfaH6@<eu7LQpzNC5gE&d
z4sn-*OCwcrP6!>m+_X*Yy!6ukTNM-kFlKGk=M|%P;fWO8*zlzFEW-Y;<=PLBfN36j
z63~ENyOhcBM8#r4+%#Y1ai=Bi{-m>KC<b}p-}LN(cok!W)JNSh#n5@$9d)#ZMY`Nr
zHMYhXcHs7AOmIANB`e(`i{K$qTvoJ)&Q2UcTiSPJnwK0r=S<2%ma6Z&{Vok1Q?2h3
z4uHK!RWBkab#R}osF;f-67u;6fv-m5Ax1~;BK^0UeUi1>pMxfK+fd7hyyxZ0A5zQb
ziHv@wx--kAbg0EuMq4>yZ%Y1#lgopx(`3J^ckO61{n!<+IlbNcxDJ;#QVF|D(j2>O
zj0fci%jr{|)7#0|aAnq&<b#E*VA!*;CP*rkSLqzrbSFbw^c*iCt<4`FM+R+|^a3*1
z*{vBw+?KANr3N!QpL-#BemQ5vw@wt1Spw|ZCRt2nn30;JPnJ&TGa}+t2MS4s4jR-l
zZrevpv<LnLt9Ge>yiOu}-vYwM#-Tqxela$fOniuhT){B)>O^ogr--Zov5&pw%p%B*
zzAjj}i<0@sCoY^Va?Z^x1az}G|Fr7mNtVNm?p=h)cJz!aBi%v9!aYf#G4C9f0xYrN
z>lgGFNd!nv&T@8LrB*wuwgmfh<F|XD@3nA%Rg!)zw;yb+>#jsTffG@Dy_Dez8ig5x
z1mdY|zd}ZyP0tS+f9u*9wKGhy@3f`0ScQZSeO;H7a{)_3Z6>&2s+$?>qJ2?Gn4A$t
zTkL+%vl`ZsgZ^}MBT)r^0<hL?tr<&^09HA@%bv)n5cHl$YQFDHt7(xNw0%^-RcFc6
z3YxJ#-mdj#4b3mU<=Phj^hJe7UgDO-=6isTa-VG=wl9Xn_PmV`uD>`P&;w&=2&pt!
z;H>6hHdYfhcPzaXm35#}UhwFW!>PCG!O$alejZh(P&E<FdSw~&C$kziw{`~o_b$7G
zNg2gRZ$1sP<j<GiNraP?B)?HM2@Wshd%4<}{!Bl`C?`n^!&yYSf2jVte-0=Bl?t8q
ztu;(@szsu|x>HyLxUQsf&t!6FzPrL*X_25l)Cz_|zaN}6aSyo4;KaQC?I2KGP~{ei
zbj@Vv9ZKe0^LqY7R*OyidZx(xVmsy4sIEMV1&_VIl;eMEp8Y7=JlGdXkP)$my}3d!
z2N<(rv{^cplFUMDxmVAh{@`mlsROD+EBB6=+J1r7^*jfnvUYV#j4?rbl^KAgu6fn=
zi_ok(brhhL90eLN3J5yuYGQuhtg*Pak)i!C{RgC<v`YzNx%B>I_BEvkXCLqPDPqQO
z$|1JN5iFOG=>1!g9w^+>Ig=6R-*cCdx!pq|T~nA3^#}%UM)zfBzx)O;gk{BRX_UV(
zEW`*qvkw&M8k*qDZ3$Kny{o758@4$4pzT!bSOjebM&3HP{ZaH=XD&JLjl0`P3Oxd@
zWX()`Nq*<TJore?>#^ze!^Lf8M()}^`x%T&Dq<Mr@19EL6fQvu0rX%Q(70G>@~2;2
z9!oHWo}7W3OVZPy+%?520N*Zwk9Hp4>oHJmBvJAD0SfC&5X%?uop0=p|601=Wm0nu
zP&aII3tWUyyA{}8v<FEm@PS9?Tiaefe|Wg7?R-hZFwk0Y*y=<(-3-s~RG~1M5MOcz
zi4zo1%qPleD#*nvm`3WWlLOk|=P#srk9VEB2*ZeYh_mgtUE>AJ?16T`6v3M;dkPI2
zvG}%6mU1DXY-!ia4zE9{#xu=czd=jIvbuNqFM3(?d-*}R{Z99KT8|D2?wiX+-;581
z%_Z|83#)}igV_X4jb)Ic39mqs3H97EBLE{S&MOy0<$Yr0&xOqtWP*#KB#xQk;0^vY
zgA8ksje|wyQ5**Iq|7C^xB`GCR^=;V0atO~Kg$%7p~mZHXy6y<j=yd6aYD^;WssP>
zPTt}R_X@A>+$R=1TGjHuUFSH_6ENE#jQXnRrS9=qZ{Es=)<!I(@a%2mpAsMlUusW1
z-iKr|5a>&z)}-ptNhas-o6Vv-Sda^JC*+K2f3;UOeR1q}neL2%=n@_8`;zF;VN@1X
z_&L%%Ojh^L#_e^49Qf6~k7DW^U7B>uDSW?aDe|`_wzu}I{qrYE9J?85z?6ES6*e%z
zj;IRAc2pF4X%|6!yOmdT7<^udc0SE~q(MRrHXJ$HJ!t)exky6FzF(TlMa^0B@Rk0}
zK3t;zv`oHNo@agjZ<7a)z!=QW`}J&As&%Y0ol3{n8~Y-%WguHKv=d2*)o)L2AlRM=
zu|eJxH{cX3x$@i4&qlFEo-q!*(t-i8le{e%qd|{s1`FX$BVP|a>U%BlQFz#dC2i<*
ztCcAI_M+p!w(eYzcde%!Pn$E&H!#+ghM$SJO~a7HIau}Cv)Housf*mlM#J`_?0wF1
zc%255@E2DhK<ZLH0mMGuYNFN6b~XUwDck=yKHAjwBAlC4CX^q9mvOI$NRkC~M=~&(
z2f-=y2wu_SEqh!Bv0quJ^d(Saa>Y=K8)C}W=jF_pJY`?6e_ubRRHi3(58cltBnsE9
zyo4t_Y!f}5y-lRPN{k|*Obll~Nb~Qt6H!_SH-z^dQ`niqMKQwb{FvZ~o;T$i<X){1
zSZ*1x3zU*L<alE2J0b~>f2eED$>l0Q+Kt9;)5WF2PwGM!&jts*D=)x;I9&dNyN=|k
zsSCStI#oq1YRRt;R{76t;;>+rE0i;PW#CmH&RWwIc`@^03f<PT;NlNJg_{REo(F=5
zwNJbr&(f?D!0KO&faT^<PAHP@9_?~41cwf+-krZ6M<$x_;7-aevxhoq7I;Ea{E>y}
z&z_rI33oDS$uh@|7*lC7-$=R4K@wj>eMfE<{eguGW#<`t*Xq_fP5NuMUKObBMNH*;
z&e5hUgkDqq0OX%;*9zW>wj!pK*ZQQig^5(PU9_FmT<V)wP<gCkWn}JW%SbgwsCTw8
zvcWWI?jvU6QjYTy!Y-U%4zrI{>H-}R_Hoy15qC5+=3`-*pTgdAh3Y1rZ?C&N>ED=f
zc!vWHQMh>9Ai_lEK7K#33qz&HcA}I0)q?*A9R1e_;y)no|HpbX>a}adioHEWK7ML=
zv<!0vFfw&?XTAP%+Yd)hk7>-|tAQ9u=|(>I%9I9++757S;OMSTjrD;kdMBQ8=glg7
zWQ>K`Ab0loLLygaS^4nr(Kup8slaK*twKalGzObjeaUQ6ipE{3dOCWvz6G|N=vvOP
z_xfvns72mk@u#=U#?C|xZN4&ftwrs7nbHD(qTkP8U6UWNH+O3-wB=}YMqqPNA0RFW
zT}KVZwe3{HZ8nF$%ju_#GABQ)y~`bd+h2_GMd8}`?`>p#)-{z_{^`-^h5Oe7`Hp4D
z{kcT?T#zAU%$iPGfPz&^uM@+po>mK3sJ$wrJCZAhH(>Bhtaa|MeY<_*LJ^mz*Ob<Z
zB!Sd_h5^A-BcI_4Ul`Y`wvG~4f)d4hn#5Pz1<cZuN3Z;!BFlk~|A8z=_wWZ7d;W~r
zWA0gW9kBW%h5vidfu)AL&SV;;Slqu6o$xE&{#|SvRZE_uNscGO%uF9PoY~5wC4toL
zZ5Mzi!oqs1;zI$s&s|Rd<UOM*egH0|{_z=4O^`46Qr&q4m%A~6g+IIsMk_x<*%Ue5
z>F%AFUwtB(cO^_XH`zcFHWNPab!}33_locu)c+DdCX+(2VhUcF5#FQ>x95v+s$HVI
zamynXU2kXEN{FcS!olhzdOc7;n%Kjdfs?(X(G>=^PyHRPI2mv@H&IUt@ubeK(8AJV
zrYbT4UbC$)|8(|>b-^@yfClBMGdlL)#bAN3BqqZh7N_^jIV0G6J2awJlgz?rMQ=_%
z;l;cx1FnT?8a93oYQMCwB#})E&V|C6t*cu{wFPg0ob8L!+vYgOG~FMDuS$%HK8pwB
zj*xIi`Sm;}qkhEx=9!(f-9Dnsdb%_1(il&hEI;FYs0=#CNC8}%{AqY>v@3vCfRoT$
zd?AiWSkX4Rr%CRpX5D4oN`1B0(J`Ur2TyZ*9h*$E$+47tIl}~>o&>$phzg=gzE3`A
z>Y5z5g{I{&a&;XWu3x=(KS9SfZ!uw?c8q)~$V1u3POkm~gri!S5Vb(<d56%pCmPVt
z|M6?wwv+G}H^Q{~Lf~cT7@XV_{QIPt=J+B-Y5OnCuJi&jEIEr-qRJ_J)m9SxV^B$B
zsjNxWMDES|;T@F|5Q*Kpz0bJ{_ah{~w>V%D&DJPoQ^I9VjjjJ4aQ^z*T2C2~KwlXi
z0FVOB!~;MrOhac~j~uqYo4>O6A@%NW0mDtyW>0<m7aGFlt&CboE&Pp7gj9xmldo}6
zVEax$PgwE7S6y0gm|A<spGH0^j_z16<1L=QuzkYgt%z2k6(tkf3b4(2b3RW5tbis=
zTGy{ta6J<RdL=JCG56m`6FL%2=t0PYTASVc7N5bGalsMsy(|Vcx#7L++akiCd368R
z)}zhhfm$grt4)mK+N)Ltg!kpvFTL0^ECX&KNb{$6guA2+O?=kX!&4V&04`!LV4{W-
zW0koqq~_i0@M9bcGNIDeP=AJsI;D5p>VO$7luNmNp<XxPGUnb<|47DP1Thb5pkLuz
zAx<^q*xp!~mB-t;@jzm#PpQHQEZKnkkv-Z;5T5G{hGjW_E-b%cMeZJ%D8p){GSkS+
z-8e}_5Lguvl!!McN?4bNSDy}(Yy1#y$4DoWy<q&h@m2|beVRy9>pGn!|8F;s5c5fY
zanvo)2F{O2NF{B;5%sFysi;Le8L=@?ksZTi35!e^(0KA4;Er2@lQ(+lTgGt?i%gfa
zI#*VSuNR45*U}nzzZ(TA`>1YC@$kjH(Ts>sLukXePdiF*{)o!$y{-8gkpi?PTG!eR
zOR{<*h?WB~`Jm*2m>uVf-nqG_)>wwD^+0FFu>jd>d;fI2Hg>*U_~_R4`Va0lRf~l&
zk(fUHZH5ApC3gAB?Ne@e<6d1kcyF5_VCKxi(7`neZer(&D;6WhEJn!i6dP{|5eQ+T
zsT3};t<hYh_d<6hKiPeS%uP~GFiURGP{r|OmEtMnBBe+}K3TY=jT4f-jj$^9rQiiI
zbNhq1wyoZd0u@pjyI<xc8?1@Gi!UZ+Ta<ZjxXfMlpx%m_c|7IN)#EBWm-{GDW_wCd
zU&K&XrvYrIJ@xd=8E;h;C54wiN_QD66aFv^dnkE)1(sL-n5>#@zlLVnn9zk+ql!B8
zWL9J%q!zGx3bA_c&0^F1Ssf?dzV7;W=Rdvk74RWN(|b#+>SoQa;wsl#jL{S{g-D5&
ze0Wic{ABB})OJ5BD+d6t#lWQA@MXxqx9&xC_7#AAQK;K|>{P0yO>g$}!iRnIbVUy+
zhUJEP1UsN`)9UFmmBe^(!%=&8IkZ^L_ZQ-0Zy;b@9ll>^($uQ_8!72p_gKD%Y1;#W
zWfo`&@T{rY@E^S<ceBNv*&uL)XF7Sv#(6x5*tE(5L`pur>JCL^JL@T7=T*RPVROtS
zh@BH_e0hqaK})UPEkH|73<Cf5u71JUcuuVU&ghd)Hn~SLJR~fZIf={z%tMIw!j8$w
zf5pq8qPiy{_fxOgOjkC`)qj)otrVd-`no)O^*Eoe^*ob|r@*kOaq#|;L#xMj^vSj@
zb!V+7BZnqS8JXFl%}{dFzc>A|OzQ0A{EZ8E4CYrM6h`UBZr^V~C{8+j7<fLHoY2!h
zkzPt~WptySe8%87OosAQ<~+}@q56IcDvyI9C2C?D&2uCJIM@T<zqnem&Ud+vIJJ@d
z>IC(o+~<4n<*N0>i42oSd%6!HVD|bI6?;Le>EKF0I;kyO(_OUuPHNEkgs0mw2@8Nw
zQjh);yw!LB1skGg$I`xM6*fp3@86h5RGS(HMaajD3GIEkD$ifH_Fb5a)SkBuiEjBd
zo-p^ui84r4$Q&zpjrax=fCBdW6+$BwsQv<ylQPtQ5C@AvjhBxB7Ex^$n%<i@e^*<M
za!AXS&rgpf^Gk%U7F1q&o6jzsq=Pj0<hs1FlK@h?o6~iT$QzU{ZOX!JWYwH8jo(HM
z4gNs53Nfx5Nq)qS5RD2<gv(>$%e(J@3L~iL1SU|vd}5)RSJ>__^jGb0r%X&)CNQpA
z!goGB0zNe_hWq(snBtlo(ymo6INMm>3%eUyFUaDgZuXX4%0*{Bw<TPJ?vqG-=rA%S
zj|wN8H2BwLY)s-xeAoz+NLS&#Z%B&Y#^off*}tj$!?}e{W87A*QSw_^E6DW^&kN49
zpD0*~f10{a;|T&#+J#9v50j*A`)A_Q2P@RJiGXT;mN)IL{L?RKFnwE%(!*7jJmkX(
zHS8d42<B;SS1WUXw}<+C2xg0EiM{wuLIZ*dcH<xi72ewVpszl5ebQmXS(U%je!l}7
zEg=CMs7zl+!mgS16&rz!*GIyg*p!I`^qJ*2mfq`3nZ7bJ=P2ZPpt$YspoWTk>s*jx
zp6d^5g^@0Fk9)(_gO%nPrMGyJ(-q|%aHNI#mY0JJf-nUEd-mD8qFE!4Q6cU{qy3_}
zAs6)8tCV{C$|l+N4`L?ED5DPtW8|Lg`X|YkLw@+?iWMuqZv{Rzztl9Hu%t0BPJqh8
z<c_OmV&}Dfpm-oGxMJg2M5!`YK(9hC!C333rOJ%cm1=NgMduGpU<pq1jixP?BT-12
z2H=%ww*GlSDt?}R{;~)2RjWR7*yi~~N#!-0`3~>8Qc0%WV2=d}L6)1xfCI**XVO>B
z*9M8$+L_tKM2x<hwEja<kg|S|CR=Bx5Vev(?)~&b&3Aaok7boD?SPuukhF?#6B!PB
zr0@TU^GknWyA-qa%GQ1E#ZBJl%SzRBvd`amosxBQ4{sZ=kugvy(HJB)YX(0u309N|
zC84GwC!71kUX^w(<aGt(tsel`>|;yYL4cPdttA84!*T2<30I#F3phFoN$@0_{NkZy
z=d1?i!ffwjB91mGhRV=@@5-Ejg3w7@EQI=~+h$n|-|EHQs@Rl&(zq{US6-@eEmS;m
zda^bg+0JU)Kg4Kbu%uk;%F$}Ck2fy(J!7fnap9l7X2fhE3y4-G)24Uim4=^TZZCaH
zP`?qP+g3YpFgewC*UDR?7*k}^8?m6|U%459q+jZXW*un|mkNL7$&?!Oo5XMUgL-sx
zKwNSoT)5T6xec|BxYY8`YABKRTw+rSoIQyA-q_u8#y*!$eA_bSsmoNaX}*Yt7I9%+
zF8)BJplZ6Z_MCp%m}kJ@M|Z86SGEyr6JAD?)bNZVqEuQ|NYnK&BPo;jTvsB+r6kl)
z+(URoTQ90$WUBMS@z+B4;P-`cd#V_H-Vn|iisX9Uua!NFR?o|pCE7X;03o$v5LEg+
zUo9Jbvjonqd3?CF|64t+ubP=;WX?rL=KTfi>CE~BiJduaM7o-6t>M*@W12~q*Tm$%
z0lb5ZXMB$onHAsv4gq`3OVYQfkN~`}_Z(l^8W|3U?dSwEzXeDfE@X5C;FpD4RN~cc
z%Iv@7zP&(qqIH`CGV#GXUp;xKz-zoUOd1avZk`33d;sCQNZBDLe0ICM)VXAtHu`%#
zPZEg9G=|qtZH3pJAlHvW432s-NFjgB1}_qo3N>$1tV8%8=sPjB&he`eZ$R$eT=vQE
z1`|nEL!mcc)G@q{q<l5X6Y+?2b}zh)+aqs`WLc>T)byP!sHIP4)%)FinZ!{$7Et0_
z4i*RhMZVqDn3H#spG6$ao|$ITN*wy|kd7?#$v3L7Exo$HyC%q1$PUuV=+h2?Y+oNo
za>+%Xb-EUH^<fOjH;iKEn%jy-ct(Zsda%7pOl;k@4E_%ed^hB89Qdyht@c}S#7CXA
z-UEGJ!%3Rz(`<j<JM$KmLGP!K>nYEfn`cr=kQryPgZ#^=ks|ahkEJY$x-oRTcKwl8
zA8IuG&nUP*)b}EHBIzbear^!p{z3od&FAb<_%|aTo>(i2Tr*jZnGef8rpUCkhrBS~
zQX%=J_5a&1?FWEu%~!Fx&CXYE90lVyl6R0>b6kHB;#6gll+T!l9zCGDoY}|s=%H8U
ztw&FTqa}<gqByeXZmo|LE$&UuWyJ7{I-QLsEegpC^-ui#{}T}SKbcNgP`mgiV3#a^
zdCVAv*i~a4pi}Dw14o_jE(-v@plhd1xa}Bqh*-i>-}+FY(ngce`V2=~LMxk#MoRnx
z#MdL&q^X9&mRm>gpDJ_9%w=~rQf}!GF^r(lNOjcGDO|1))D!Lc>8ii)bWm?UZ-3d!
zJ_GL6JG3SVtH=Bo7;vj4+vTjeHl&wd<I?T3!0(bPon$Jr#o9Ie?crZuDHQO*r<%q4
z^+dRrMNHWy9#6gGKyWPnm_C66GTNSR8r<Oj`8I{CrG*t^GjYW*g|%2`DcE|04N+~J
zXxNhC8VaH^+eS`h%2oQM_w;A^9M<h7QX&&+NsAjMaq@=zYh6hZO>X5X`Ig+1(Pnew
zB%XPc@=?8y*G_3w=U%Oh5WU|O&n~#-#7A)rXhzjzxj8F3<&WMk5??;*P+GFP8W<Q^
z;3H3up$F|dd_$@(*^D}%43TTm+v~ziO|Aj2=gl{EU39D98(e}KF&8&0DiOWq^-GY6
zZPMt#{n@FU_?JO}lw{N>!=)obSNZJOy+>)e@1l7?w{J&7LVUtx;C!mo^JE5eyoD56
zeBW^5?Yx95RpuY^9c-7um;BMG7O_h57MLdNUWRm=;GT+Yb(c<|Lu51ZT3KXinQcTV
zDBs|YhBlt&fE&X|c*FEzUUg$RmOnqI$k(`*#y80y*h<mvmS#2*eq#=pWY996T2Q7)
zk7$=_83cWLZffXi{NS?3WgB{;enf>hx>zNq4Fx57UfeF}jYc-71v@+CH^&2}TQBvM
zsfvJ*z)d&(AEn4IQ(J|!i|(FxB$_01wTR-wEv=^0th>9g@X%K<AB|Q#Zd9d?G&tL0
z|GRmkh@!>M^(iyAi0B6nE)^AyRbJ5W`9fsU482IBmAomKRK0X;qZ|&Z0@nrTtXHFG
zL1`Imf9$edMDJVk*5L(f(iDtx?jou0RIwOfC)KkCO^rhCEW3?FcaULH=7ZZv^|PG8
zj5}9={J9O~{-e4JExqYRPuEZj1|`PEo{=5WSvUp2AYcMo2Gh-ABks<bXZI=z8{pNK
zVmJ~Ct(RimYTWa?P_LR22lEPi1v5K264dt~A9oju%&}b*rb$}IB~$rLY>}+O6N1Y*
zD2sW)G8sqOAFSg3eZ8<}9$$+>4l|8V?hyr~jhE&72d4Bs;Wx$B!X1^2Fb3`q6!MH}
z5ds%Zie>)xHS2cQ?6zVR$X;Szj`pWdx>A%9?S}DR)gQjVbeR-(uCt49lPA7`3R`-;
zkgs&1Ec;Y6=!T`lF^r$%o}jyQ?bT8U|El4br|Huf)}xYlMv;w(NJC*eaJXED;WPI3
zR-yAA8J<ET;`!Mo)nh4=$*sY(Opm6v4q4ItWi~0aJSEdT6+Y^<72v#_OLG&sQhFm@
zk~aHd<<Xi&K&X)F2&G&wOw@=IIVv~^=qHEv7J^w5gnFd2D${h{ZluH1Pn<xftlnRv
zQVZ&ug}ZZHI?`utx$+;zEHl>Z7lU}-51vK>sci9+XYV<8x(EEAASEc>SV{@6V0|=H
zANS*9Wvz>f(|oUoh`j)h$x}j)W}BVueGs{KUanNI>%`$`ffzVA2MXGFB$qyQP@6}v
zz_snF;y^$8hm1p@igBb+`;O&`Azh{`hrt>Oy|!y~%Dc`BBC!+stg-tCU&_Vu9lTW!
zQbRKxIiWb^olG%f)bOX`s&1YGNepBu1(mh#gYW2VlIjX|1_>A_PFTj*jk6W^PGugl
zj70b3dD)>~RHZD~kPbYW%cs|{N=+}Q8tL6fd(LeGN4h&jPrR-_)!aDU9izGILYjwJ
z=1=s>LCS=*6TMQniR)9UZE--@lbD@L+r26dv9xQm+$-!|7z}Xy`Th-?im7G*&sKI_
zX2#6ijkA6Odmq=#CcB1JNI#otCZrb7`t#RD1kGV>Bqq9<$PO)9?1G(tDDpNt>AX?y
z9a`rp3&`Mjaot@%FKi85uf7jZ7+F>**2DkpESNga`4xYcmc8p-?wexD@)X(xm%H<l
zJHsAy_%vnvnU=z^E&zBYhG2?q{yL`5155KqZF8BN9AmHl=n1nB_#CJT;l7WlwyMW%
zIBCLL63BXwRuxJ4C}2|E5LW#xvDqqm;lo2;u2&*yTbF3^&Z83KgBfWnB*EDi2S^T8
zKqd8I*JsO6YLz!C!kXAS3~bhoiR302@euL=$HGh{QUacYFWXJRojskgJ0T(OP3^`Y
ziUQh(W1Nb?)${Ad@l7=%`909U#{;amY<UD2VJKXy+=&j7x-3yr)f*g;3bxx=fksS$
zZpfVf$gnjpw<?z})7Ak>D?!^Cw!k>5Mq!pqFDlATo^mgvO<r@Ixm^2VN<fd{F@sTG
zRtkIsp^5&s-jZm0^s&3>NMVE@>vMd)+HHY&F+)T&x2gI55`x@?7Q?&$nFR3pl4Leg
zSY4F-Q2@No6Qxs|PVAH4UYYWgUxKyH!@r@)Quec|v+B3<ru@AIOfIJEO1?l_2z$EY
zPhx`Y{K76=IO(448<{=@V0QdoCi}H=8H_uL@~Fg`KJ9QEdp)3t@PE3454vtYH_^zI
z@R=Pv#J{1H(rXgCqiI2f;Z7*c&?DYSk{KVTSAOUzc2+Y0y63`TS3IO67ceE8^pQhF
zZKlgrQ6YnCf{>%z%umO$>Q*QUJ-#3KSOGjNg!x419ZOizkAV7(N~bMAX=IKg3M(~R
zov+jlp}#R8-rhycxY$=q*ny@{Y|0ISh{d5St(wt!PmB3UHtR%ph#8>-^@=-Ie*DKZ
ztM^~J^&yr$Du<E>Awy2<rBKyQ`&-Hzf!#&hO1hx$ieEf6&BUB#zbr}Mq<0F#OoAv<
z%r}Rje@@AZe?~=a2U_xVo`l%?OwUPWZ`-{CAcFV~n_j<cQ!T$4FN~Qciom&;J?nW7
z0!SP%ZV9`|ww-96yVS1ft$G@$v*F(B`S>>@vj1oj?fnpc!hTqnf2cm4ACW$Fe4lQ2
z2Lcu(q}8u$-J#GQ+sj@&E3=VJqD|W@PK#B3*-6DBCC4ioMN%}p?c57KbB!`4eh<3`
z<es#BWOhzsCn;N4_R|;NkafEbfk`F|j5uq$O>ZMX@HPJ4Ws-#qOl5+3oc1CV-dCJ5
zBDWh<#}gb5x<z-J#viP9=_6m4+)kh3tX!Z!pY~i<i9w%9AF{Uah3(MR%x=CbdC8S?
z=Bwux=szfuOqZ3H|6*a=vJF)sqQJbEWZ^k2WBfkzX`qjz$?1EE-l{<C#Xa-$nvp+h
z-ejn&I`r1uYr`UBk9;HRHnx>#<mq@t9<$x7A(>HnNW+DJBcGc!>=>O}L6y&fn;|RP
zq;Az&P<Pe4k6Msl;~~$&2}koZIsg3hV9c_xrrR9a#(4YI$-i^v<lo^k(NwEzbS+oe
zA(eDeA>}4Iyyo;O%tmdrrIs6K=y^^vipx%~g5*vje5klO>u7i6Ln9}!zIUE=2G(qK
zu#1g1*}p3{Gbu+h)CjH|^U7}sG|i+AA<r8mMiscLZE6Ji?`0z?t8_o5RQ=Swm4glg
z8bh=eX0w*l(E?`~2|05NzK!We!7e-7C<EeWsoM(;|6TQ0j*@tAg{}AkZ%=jsjk<;7
zW#FDvN(3`)h9s{hUCa?rMhO}J!dN4#_ncU0r>=nmUB<6(#9wiEXUCPG`MqrCaE|nt
zkY0k#TxqYi)jJR=kZSAKe|td<YYLoW10y%KkJyG_T{r822kNR)UlpEf$V&x$Nfhcz
z3)8uC&n(zWjwvNCcR+Va6W?IPtSl24_2OGeOS|^$)gn^ok|+DucK?U&n5?$vFDXo{
zT40+arO3b!Xpg<{L$Sd7M7BA%4>d1HDLRUWbm{CLY6o=bjvbhx6F`Qb`u#VEq+&__
zsy4U%JC$BMezI}@i<XAQi@@umdAwEb1m9^oHplxPw-H^~j;u^Z<>p__&>bx;&>lCM
zP$Q=|DB)i`TXnoZdx)vz%Os~xs<tehZG+}d(yyo{VM4n)NISL?%sJjTt;CY;n80wH
z*z|nPEQblOnDkotl6b5CaOSH0grkps%j2ce7#IT)2=|oiS~vpqMv-l27$i<grb0fu
zr}SPU(3#Nwqy)C8<885*ogz5|+T1a<&SmulN`6ccon8e6Me4KuG+c(CbcCC<<XUY$
zbqC-nKSPTDat*UJU65VZbk_82NjSN;CK_kb&XaB}FeZ8Pd-;dsJ|lsrq@*$KQ?dR3
zR)*F4kYf*rY3xtj8`Ix^?dou-%0tRJ1_dWIX>-8!yjtQC%h4XSvDmvsqIuiD9YU!S
zJ?bPTmsksWV5{z>ro{_{Fk@Hy*bjBa3-#KG*B)N16gWK*v)&y~9`0p%d*Ky&j~1|n
zY<p>fs-y^-Q!tlLcK<`5ctrH=`0rd#NW!EB<i$nu&*_1YyBT8i3pKmQW=Wn;a;242
z?WTGXZzk4szjA=M)UdTaQANWGIn_~ZLcf*Yn_Uy(e{nf@tGh<rlUZvaUSz33P$L=J
zE7Kkf4egz*b@?dg{&Z4^gD{RTDTzjDF_rs~T*$bw%J>zG%&SDhPAk%p_#a|0v#e{;
zb^hLhZ(ISGo4kcsV8D2~X5G=VUrgvAm>MA+{5g2o!r#1T#0DXrXGqt!cE5{T;^O*Y
zBGDWs_hUFUXzy)IuY_5EylmrMMBeatu|!az6{>6~1sNRwNbvgPjpIzE<1tAX`=wjT
zH%Z{86neJuklvw;fo_#NXR9))rCsl2A;p?CPdJ#XMfCq{2Zioaw|88j99Q=WRN<A@
zn~UTDY`xUMtYpm{gbB}+c}G;ZKpb5eP*(|Y=G{^}k7@<aIxT(c_;^Sm^(dY<Y)lX1
zkN2e>G@H5aveVE{PSva|<jJ*M{Nv5iC?tISULC4@IG?g=PsI6Uc$T!~4~w6z&r8m(
zN$#uPBq!y!nX6Y}Ao234IvY)|t;!K7^)}}nNjdENc&q!X+!k^EW6900BMZqSryGB%
zY1QMdn-g-LXQpPBlSW^M8A;QS;t`S(Fn2_nf8{S@?rS^BCph0Qdm4$1DCgmKvYr@s
z&U7jF(1dv<kgIxnd}0ZgYt_rHAL|rPP?>y_vPfQAS%;0UO`(X7mMkvPs@2$aPBObJ
zLzL{vB5)DQ=D?&UkN2M)3zwpM0+*{}BwHk+ut23kl~U`;9aZvdR@b922R^;bjDoC_
zx)$8LdS>l2GJ`kvRhbQf*WeoJzD#yvd#cS-K7XZwLW3u3fw<-hP-OM(WYr>H^*a*V
zy1!@;3^GKnY>g#<4Y9*#A&NO@X3LQ5HL22=`^h`NP$2)<WQb{DVXnAW@>)`J@2^33
zO||&#&TAQkHj689u1lhrHr(qs!Y$rd|1OsXdT&GHb(*)i!*-*9`O%1^1Kl_IIggu0
zw6%j}27!bo&iqVzHv7wg!pL3yggptv7YkGsz~Z7gw4_eU1>Yon2`Z6XTYIANo$WWU
z;TjeB*osi=8oexDgOwj23xeV*#S-2a<t8`ycW9T9f&j6%|M5)y;)SzozKh5>1K3xY
zo9BI+m(h{{*E5?@4P+)ErM54~%)8UnuS<ca>h3<49SaoP*AIzvuzV!>=t(FQPPPMu
zHZPO+GQ0g?mt`TCa)(dnhlto%v0=q(JFerhWyt2p=Y9TMMW@)tZs4+UAla{Ertd`H
zIOxuUQI6*!+%UO&<(rx+BQSe|T=Bb!%g&`vgCyrok7>*hywdjgAPi5o>nyIjU=v24
z>XSSyo^@zsSiLxZJ;5}%P_vBp9JPTYw7QIK{d_Hj``fkqt`nBCi5ZL482pZltrUit
zV?i{FA+*Tu0K;I?GD5!8>`($Zcoc~Zn$Mm_Vn}3-EBW7Wnpp8Z%Eu(P+=_YD=L(Id
z0eT*WzfY2WDD^W=pA)Vf2#W2}^S8O2IoXk<=cKh)<BrvJr&y_3fynbTKXLikqMqNh
z5_~%o5%EWSA_6$N2H{6z{a@_|64s*`yKad=d$}b7+TDv&$LGg62Gub4+F~l1NWtni
zA6TZ(zW~|At&u5AC~+R%siR)-)^)rBb!Iz6?~R5~3)Aak-agxPb_d#JIRF`#x?u_U
z-c7;+G9r!!h{CY6_2^9Bq9dJo(CQ*u6jkl-`)jjTQ$DrCRp83H-=b3j+{^Iu8A?LX
zffjt^@UD}IXEP*#jqHe!2QJb0yhutBZkzgN2i(#AEIHSl^0f#g$stneG^i(Hw0xm@
z=o0zEWe{qfrE~2bC*}46U*l&>-e~A2=}ec8^#^`p<>->H?Er?EAG4M5iwIHUwJ5xz
zCZ~NM=;jSd3d@lAO7!*GEZvKTG5J}A8;S?tI3D!JTrpiMgv|U_e?WLmtulj3wkt(@
zx7q3p31bzf0J|na6F~;@^!grvZv^Spqz)V@QO8=gYe;yIlPz}C95sD5xtsLU8)YAt
z0sm6J<n!6!%OgR$pQ_62mavtVHNnW3;`K9*@sUE$%g{0=BNboMy^=)0hC?@8G|@>`
zq#<CX$v=(`QY`QkkAU^{8`o1rAVHLVc%{&kCz@{CS(L96%U>#y1|IQ7ZNF)MssMNu
z5+biw74Z)27Br-mmudYr$tOE7UC*|YCD?>g(^AOCc->gItIlP$N9I>54K<K|c{n%v
zOpB@d+mn0uY=WoK!)-OW>QwFM4vgZEasYD=ewGOLQ1)QJi8v+j=KjHap204)M9#7?
zShF{zu%OgvJj>1NM?*%!E<|19Hht)>O83a26_bo<zF8N+bCA%0%)i?)AaN1OD*-hF
zG?kBiy4mXs|5`b3xW(w<Cm(;+X=Ngxxc3U4Rc;~X+H0}r!CMw3d56#x(K%FQ4)Gi1
zYaNEvU0K(#wSpRy2$@d3Wl77M1Cf@<|DQ`F#Tcj(D|>d4n>ylYvqaM5<qzk?C0<7;
zPXJfakcvD6V!O)csGepu=?i8YQLE8BfR*u@^IhduYAy|y#gU!#s3i~eI(Z+XygaUz
zb^g3TtGM)q90jasd@2_4;K?&8sG7lp2`;?OooY)>vL)SBq*B4z@Y&Mr{bITBy?f&}
z`az?bt;E86xL%ac(cmN@F)Sp>H?ZL6m)fL_G)cUJA?EHj-~QOqePB+jFHS{xP>zPn
zTkPl-f~^WRS3k+t?p{HP(K|@4EFAqU{^T&PH@i~U%j7FYphfl8;PbLF#qle5Tx>=K
zi*<g=UpOax#XSE_%8tHPncg9xA6IG&6~5`wv+LYYt{*!jRJ9>pM_)Zky!<TK6a>Dy
z$ag4Oohd>3G76F6ALhW9k!hX}lB0Uq`BAxTl?xF>>WKNVM?RjxH;-p^^>^6KrQA1z
zNuSH8RQg9<a*_kp)0Iib+eE8+qIt+d3P^?4ZNJ>pSlEA)Ic+-G=kVX&MJ&T!LL6^x
zz(Rt<v{dQ>-6&hylS$Dvx^Y|!F75Sm$v<`oq)4s>?Z1zB|D)3VKggi@*RY!OC#UMb
zpTO7u3q<k%hY0YhVih-nj;g1Q%!{URxiC^-KKB+b*UDg*8FpCiG&3!|xXm~gfpd56
z*?ojV!{p^jv!P1Cf2{EtmBf^qB$9zV3aumAqH>!njuid_bAR~MzLr#ux(P}TFA358
z?kH;5zr-$W+Pg@zeI*$9yzH}A>0{g6mUD1AKKg6w*CskN*BJRm7up`$e;G+CbWPyb
zIB=oog?^Uc4BW5Z$sUV7iS)XSzxI!NhmRLLL6>UDy_i7H3pzXZLpjCku+R0gFz)UO
zqRx8GAeJRix7OG**Lv~XlOK^0@%fxQ#ChqDbI<!&HvA!TIeNf}PuxepFV3r#Y1{OU
zd)#x;Hl6=8XWl0e&_Av0Zy{<QR87Z*Cm*+^#L$sqaY@hR#eY1PQIX|ol9fRpzW?5d
z5&B_H9-DUj%t0-g@STo^WR!b2br1MM{a=OUxi8Qz`on>`73NoCKW5mo__p7C{PIm>
zsnlEX`Tb$%Edw`UpyZc6`T%J<*o_@M-6y(pG&I2lyLKf_LRS15(wL4XIAwdXQOH)p
za51iA<>g*{E0a;zG~HMOZguZdM1gaM7j-4f<Sr7|Kd%Ne)GumLR%HGNRNXMQ3#dJa
z>kLhLT@2Z{+@-&9W+5FeMXy?P?LzGg-gmkd$ic}17mO>HPkG}h;7MNnhRM&{F*Jf<
zxGD=Rd{!Eb8z9BJ36^%Q9m;Ti)JhSkZ5loN0r0F{7?*LiCvD5kf4)z9?Mz_{g6bEM
zbrD^>huccRYNFKGgEGlTuCM&3A0Ob<zVLcPmY&&B&!QUVR&>KuJ%=YF8T=K5`Uu)e
zT)9Ulc*$dgaV~oy=XGRYw=Df0sgyGaJR5HAz5H^M%u6=sS>$@OwEFSH9wjCjC3qBB
zs_Wk8x#c@H(qttET%RF6C-!ySJv8ukB7Qnns*6tYV%-sJiEQa`vHRpqvqj~3zco01
za3vvsgDyeuxEXf8{J|SgLvfn0=MUjIo?KxZbOcV<w4a))CZXBauxC6b8`2-(A^6aL
z68Xiz-SC4RL}DK}me8b2`nn14j=;(j(y8#`@23Ju_}Pl#eWb?`P5118>w9#U2kF}j
z5zY4(znNE(3TK|^2Po$8x9uR#v>kJS>oNsOPh6st%(j@E8SMB1b}L$k9xIO#61#Bz
z2-25`CE6IN<kJmrmnt*MKNqw#_srCogXc9lTwY%>EY#)nu<};*q9kTup6oJRlK1d>
zbv!vecI50pG~doB@~w?F4oK2BFVaf*fHP<L3QH}yFt95rp`rU)Y_BJ`FvC}QTBqA6
zIuBJaXVpIG?8x+HY)n?=vP>Q2QKy|TqQ&sS)um)6otVdo3Mu!$MqPQkmQh~7NqQ4H
zKm5&CO#(~X6C&wWng!Gv?*tfg$M2E~K<)tRj_2);kEWk2&*#e11rF&dYisdpmd#}>
zR9rj|qpS3o)8R;;HU+*qxOA8Yw@8{rvs-0PjaYt_SM3UvdsL#O;!;u|BQYW1Y<Mid
z*!TS4Tlg1cdiXfcIQ%mNSkIT$j@ATKS}HcIM~?B!Wo6(H9%W06?dA!aVz8(&?Y{ZV
z=^d$Y%dqHRrnpMHBMg*Cajb2TBl&Do%kbFj#f%TT=MPf}&7y)NhP!J-55XnrcfWE#
zBXKR^p~ZW^^8HlbTQV!_n3LUg{LkIhe!|La-5GIDKHx2P@k!?B!#T=O)ffTNcOuw|
zSvPcVGv?iJHI%xPl;OFabB4t{^jXG}_3&|LeXY;;0k&@Tmiy_!H)R$N`)HR03MwUC
z-fO)7h1jb4E{!wC40r%geStIVGK?u3#2D|Nq@UN`cE#oSqohm;bwYx(<vP%~ONqy*
zP{OW0(pEyN;Cf}<TkLmR3$`0#i@U<y<?myXx+9zOXwyHG4uM2Q&L)<$zD*p)$FTly
ze~x7&hnIH1jqCi8f|lgb$=YAg-E6JFl*Wl8^t};vYP9W^@4xcy6k-@rQmgdxyaXNE
zqq90VrK%&bux|NLw-V5*joo~|3Dh?3HTvFp_e@<uktR0w=I>(VrHaGCO@`cuP0Sw(
zp=KNn`8mp+-@1n**8`e$LYyzJXPyfTQE&Dgw$M1JLML@;d}0hY8p#O=XK@<Zlo?cx
zx4WUM<;F4ACe>{TnJK|Nii)2=t}+oqwuj6GJahKiN93EexLIK(V9$?-DT&bFWSoas
zp13y-HQPG&sbAq<RfV72D8?L=cFhV0^&xGjQC~QzZf`lwJ^MH8y||!$y^%5@SLGq|
zgwu6y${f?D3;%N(Pg^Ccm#pw2S0$hw^j+t(Tb506Sq^uT^B8$TC3(<d2Gr9=6DCR+
zAAkE~vOlXtBSpcxUB`FQLR4Xj?fr|}3gzSj9Pf5@?o6~gr2RVcw82cs15RENtOUN-
zow6PvIK8c#fTEx1_z>?jH9~|POO+b%z_E3`Yko(nE@ex}l`eUsHnzeYch=OIG+P*e
zEtdOk&!lfo%#TU&8h}*F0?BU3>)Ey!LM9FMZ3b}5b~lcorF(*SWf=G~(3n{d{%zav
z=eWB0D8ri;J<WdJI}}-%izqV?DGi~G`=26yso6N}r&>&cdCTW$$yh_j`u{=Qn}<W)
zzkTDSv>+-%*;)wM8nQ1#kz|>o>`Pe_Ly~=&N)ob!NS2W-m1T^5mt~B7Nf~2jFc`Zr
z7-l>ly1v&p*L^?t@!Y@r_d9;a^Urm39X>Pjd2i==zR&Y@zFuEhtD6+=A=@|;+^FSu
zcsSksO>YY{iHM{qrl?6TxB<rBZclsW?;7AP%%m;v0g`6fzBElnR$)kr5Uj|`-}zkO
zlc(0ZcYAJpf_+~Iaei}lTJiR`zxz43-bH%xT8voNjz6no_U@^sEm#)~jrL#w5~hIR
zvD!<41ONJ;Q2_q`7=FQOP3Hj)VMh6yq=`ZKgn7oQ>KXs@Cmu-P6|95t@AW!;V#gHN
z4NXW~mKkAzYMAE*E&zwaV*jw1g>)xfZh=WB5QbWV_N619AMS=Qbebfxw5$pN98@Ri
zG($t9%MH6+okJ4lRmoCxP;vaLwf9I5NQQ+#=^C_TG_(MleY%9-B`7qyS?q*qLIyHr
zy_!o%OWblh0;*|g6F5GR?Rx*cWXD&J4}h&7dse{>S@K|2=WoDXDMTdT>q?I9761?L
z4~UrSp{Hkzf@eOWn$NekVflZVu&##VMU^I_x6bpHT3K?rIc>6AG0Ha#4hffYp@2LB
za~*k2wxOXek1cfBvGGzzhD-=;;#AoUnfxai@ou@_fP;#jaaWA01GKa{78E^J&jH$t
z*8ga02p)^PwP<<pf`UpabEohrZDwb$b2)1h8ZOjG8AjY8AbJB?WC2-iak10V*`UkW
z)#l~x+1id$EH>BSs&OCKTMVHiDJ7f+eY|qqo%H9Uo;b*A(0p?{7jJN&K<OA<Z9Q9g
z5`<zTCcxQCwn2RTJ>^BBk_o8ddu%>h5sPP`55gnTTw`$AF9g56;pB2q!<wr!$`{k+
z1sE4dK%n6M()^!|wg5wG=3LZVJ1<p_OV8xWREMJF+&fN#rv<Bz5fQy&_F~i0H>BTI
z3@-+iZOOib{Xps$4<%p+KRbE76C%11U-B?p5Uu^{$wd}zWj{8uwR0_kQ7*mfzuYx?
zr5Ya2oQv#}h<BC2%=7a!%Zd~r-*!5R_t>U>#@qxPSnoauc1R5L_Ew$naV;&!#%d!P
z9RG0ot9wuICA2xhprl95kYI;zm(wn&zyVfY?K;IX@o%;BJ8i4an_z!tuYQ9l@NXFz
z^&q{kn=Rh}mo%;RN_Lzfw%Nqo@;hl`19w=tCoHmRCn_((duyvus-|mnK$ze#{=}mT
zG}EBZ=R|PnRSpaDmvp^ngZCy&86BK7@GY(mD_?i5Advi0jnX{wf@hsOLDx}sAH;?t
zG?#m=N#@0{)SAn%b35^FhZEY~etrad%Qe*?Q{~UB4s<GvIPl=Z#oZE(cIcDM3aT5$
z_>2m^Zea5tCu&r*K?jbmtQqmBCGb(+g0Clp1a3+>EGhza3!skvlYb_Lc|k!%BPxma
z)Y>kQ`0;nU$nvOL9gtGxk9|RD61*WZprkvQgvY#tT@uJ(d#2{k#dk#^(TJR3uy_ws
ze}>V^#Qv{pk&1n%JeSk9?orH^-NLORctwL=nIq&wO-2XWW?xErIxxpJKovXAF{r)q
z%d-~+noh$4X;(We^EO8va?mo)T{X@@JakgG-JUg(bOYKJ?{>DqPr!d|k2E6JMq90`
zRfBxr_Fn4KK(t01Jjh4(tK$Z%{W8javD-r&6HDTJXR(q5hwan-cDX%#p+PjY$(d;E
zqadwhD|GUp{x^7j;DWTnNN0XLf_eAw?vLAnDY$-7B-kMK)uvjwLi6oizV7>UM?^LS
zySgu%$(;&aOwSX)Kxm0Bwx&jU%HiC6L@qEAgx{WM(>P~GzJRnZY<;wv7rq%>6U#N+
zX@vU{`pZMZa*n9|3@+4KVkF1CsLg{OSsj;ZDYCL-Qz2Gr_&z_IUt}KnzS%JJOK2Z&
z!;xp*%P%$yJeNsdE#G|d0*Q~d;gYvPl(Le9@Z$~fB~)PeTB+)90>5%WT`98jCTH-t
z!PyVzB--Z-`5l@E3S7IM+hMX1xVXID3)OMtbgyKZtOld<qoy$ViQ*OCn5`%Mi`Tj3
zf9My);{oS?!2@V%{JSp@;OOGN;H8_$t7Q~5$>zDjE3~TsHpQE9UDLlM^85R!>WM1#
zVe^vUPyO8V;@(4>{l?@M@&30Q<@#*29+|kNrRC$~9^-DnkcS*or?@nF&FYZqmN;1w
zO?CVCQmH=8tqwucwupf;?=#1w0tOXqr<#+=%J|P~A5>0rd>#&T_scGX9H|&^y&3Je
zcxLV%(P-XOmW{uIGa(JV0t)61P|T>p5f(sLbF8H)OkoP8uQ1gohIAQT*gWUy-cHuv
zzKBm$t8N~zeUdBV&@LZ2aJ%_#@e@Cp@UM3Zu)0RO$%$9{qxRz^+96ir(Y!`h`RvhW
z7n>2f*RQZJ_kdo60$NoIvD<G`N^~lJs0ud;U9R=|5!*3xD=I7aD-yxN)z<$2LH5oW
zxfq}HEFUcKQ1qcqP^X&Ljcf*rM3wSs6Ul6FHpLaTxgkaWU58@46mjpgY_0#}wvz^5
z7sDWD9u5`sPN&REGz2GG#m<ec66QKj^3LmQi`3_W{gbV|NrD4fy~cwUl6Bs{jEhc4
zdRws1x+osaZf`U)MTB8zT$OIZC0g-|Qa!_ZTdFzW&`VYY6Q<WTZ1W?G)cKNis*X%Z
zC8(e}9U9{u>d%6%ZQcyO?|Y5dI`vJrAf7D~n2H6ueGc@FjuYR7#5~%7$i#4{+^68+
z2yPDc=$yYarI;y{G$F{i?fKxs>j;s{Uf+gz2aQIosUbt>g6-uNm!xS6iqcoq6Es%f
zSNT4~Cu=-i*lHzLs5T!_k%j;WB`1htwIVFn<6JA>=Ajb_$3Y#d8$HWRH49Z$F>UW!
zMA1e8=k;bTxeD+U+6eLRp?gSJIohYN7+;geOj06k@qIqL>v5V>grD&EszfC$Ilsy%
z<*eOT?UkyS+*9uCl&QqlO2f4eq?~^KX0O_QRKGD{D5BPIUOvYJrm&q!bb;EoAJS8J
zY_h((a1NhUR?QwPUbz9bOAI89CqM0_y`uEdm)$02okEjv-;Ec*0}t#^T1HI|-*9|-
zGyJ>e%^OkB(**gT+kHdsx|hYg(-}|<3pw&(9#lq@Bsr&Dw!>w;IuGr71rTd?+ZW~m
z*|^h=k513t87*DakYb*(`g$g>F%waWSdalxdsaPsFD@&=drGX=t}iHx>E!1D05gw2
z+jiq5k2SyXZ6|Q^-47nt%Fwa)ysb0m<!lMaIj6tfn&M`=^QLaoSeias({PjXDLgcq
z<gmHB&HzmF-_X$iaklM$P9gT+r-I%CSO8A^;C|++I}@v+0eBG|y5E)H(tZn|{{9<j
z>@~X2-v_L+@&haS*B>uH_pM8cQR3jIt1`ZR#^8fx^7m?vaEH8>sCG9?<XN%t1r|+r
zd>08EGPrzv7@%w>97j%}*^Ytqy~uHUnM;60e3x|puYlYrz}rQajaK{Mm%E89#;6+}
z)TOkvC=@@x#+kkFeHTN;w9oNggD2iYHKyHiZ5+3De+&E^5NraL89<Sa?!TJ=ETI}I
zQ7Db4t%pZ~GJQlqjHlH7<t+tSg@@c5^xnv3=46`gis%3zp77nbeQTq}t#yxCyF?A1
z-IxHh!+}S<miAB3CQ3tZRD(_qDZ>lNwwDDodwMMI05uB*IY6n(Yndg{BJT=<|2*W^
zdpiAEDZh#=jI0g3G}pC7DYN}Gkg42TqNad7Esehu%RfV-k?a5wXE;liWrC>fZBX-7
z*5tphm3A)TfC4%)>0iS=zkj%s;}euo0MPPRhIx>G-=ghF9PIt6Y-`_GU-;gaeiBh#
z{&BkfU!R>g_<ubI9{8_WP<XI!um?kY{auzSQ5v5VYU%*cxxtphUrPa?HTQG_|8>oC
zcrrY0&GGji)Am?C|6ZtTq0#azM}iO#0{?lBpjpiK8{JPDF}b0uyDibb&rPJ;@%2+E
zXHQe0alT*dE>2pNQ67=QKiImlE(X}kJ!t6PKXyk<XErsZOvRanKTv<UD+#P1_|<wD
zkemkgb>g1p{rd5JfyW~y*{>mC%_p|chDKvSzhCp|k==H?f2{ih4Ht32TlsrOIdbb(
zDWVG|XG^orGd5gjUvYN9^$C2u1ZU2-dnSevKx@Q)e-Ge}qOYIdMMwa7eEh4eV@k3B
z^Ys4mf9>{oTG>H}Qz@>!Lg8-8B&S}Y7IUDC^UM?#*o{*tJqG{lcg-Qn$)y5(68nw<
zASO)e>2>p=K5Fwzpr!!-SHV%gR_5Hz<I!hZf{$n%ESZUjc5DRp<%IuUlg;1xmr{E%
zHh$cRst3;1ldr+WGnN^=r(c5vn{5I#m=w9iyWyzj@3PF5CR*I~5}A~=S6i%5_y7J+
zj656h3l{-Y2KS6)li&VJ<nC<$wrCamEmRXGi3Wv`98x@81(0<7enw&R&yBeEvE4cS
zFEj`KwK;x&{^VZ*fBz5aJ^#4}`tR$ugXJgPhED9tuWNhsc|l7K&b=o`{2oa@kZbuP
zELMKkDaM%mca3N4F^uvZ*hw!PI*};Uc{EZZ@0S4VA@YgG9V=~9UZ`Sv*`g!pFYoY=
zxlAmP!A|+J@=Kr3-aNJybp4Z+kgEdARXi(wm?*Nz=!#Qgrj#PQV@2}!fp6HKWd^be
zTy%Q%%r5000xb=62XBYQH|u%7AAjiLzjbXG_^T=@pXPy&S-sx-x^4(Pw;rdcU($de
z`|L~Hg9v-mIkEDf>$ds5rHwzLlhok)A#HyxxZIy1f&*}RQ@>wE@#>8}{_FgXC`lR$
zJ{A$xF~)wnT2lEy|6_?`XP`AHNu^t-S9*Nl>v#6hTo*@Aa0iq=`Nmj2k4bof0^>z}
z*59MB7X9b<XQ*YQJ#yRic#f!XUUKFtm%&w`cKRVUwlnG(brxh^oK^^}_HsKfPkv4k
z4qvs5vxeste-g0A@F+2Pi>*oj{^Ea_v6xUb9pqiMngx46G}18^Kz{PGv8$&h@&#6=
z=pkk7*WyFMi!J2vh1`CX`qsh(<e<f06R^Lm1%N^?2d4X&CJLYV6?@fTIAwjAwgnYf
zIUXHt{;7wo8S);f{MGGsyRKqoT}J9SqG%5C`$VPhKh=|#??lYwQ_s*nv^sb@IoBjp
z=4|6zwPKmY$2%war;`X}F<z@vfz_LwpyK-t_X#>sM<xF1_nmwr_z9HOr@KG@I%_QZ
zUA4E1xPOvCo?7~ySLX)0EJ7@Fv#-6S&H6i1H@Kqn@>8GGUD3jHVGGQ5=3!TCYpCbl
zoAw=sDV!4nb=JChXUtY;Y<P<dF0#dJ-xW;$%OK4Dd8D&d%4EF2GT&r2&-ZwKTb3$Y
zL;`sfV7i*1`%}llI!d0e_>C7oXupIH)&%_(W5plZ7vxMMY)3N3@1{zJM!()DnyXkX
z;cB&L1(Yv$O;OvQVcmazx_?_NAh7v=NdV=)G)Dh@irO8lAi{z1?z$e-$6~jnEa3~d
z*4@E<-9J|XF`I#(fmk$fWt%QjMi5AYE*iRsv*H-#eSF8ILZWMRblXm_`yAmQkW9gX
z$1uIIyX2R9v-F$l^lyg&guTUOfLAy-KRy9{Fwa64X5}KuYC@3v3|R~qdid#YOKlA_
zKK@$<rgt~k{mMT}jD9Jg%Lif1K($S1RNV$;?I|mMr$aUCzSBdf4HNi}zu)dJzg`RJ
zXTg!9GMRI@1;%Urk$0v^&B;#B$Sis8bnvy0CQom2oKU-shzJ$YX(1OfR83Vn8(&)s
z-$NPvhX8gBfMZ{bzZfk#9Y$H@7ctq5j_<tE%fGFLN>)QPzYI5W(M1f*ir-20XpD|t
z@E$LnA^a@<g6|tK(R^`l<YDe|!J1pgL?$4<+2xJ)(uEDUH7Z>Mv-lPz)t9#dI)%G)
zzLK(k%7I=d<L#E@VtG9mart6npszenMV(LL-McfCZA(+H;j^fU+b+5hno~_7Y4)cO
zYLRE?B2RVVKb@2*%zUahB3dFlHE`6gzzdnn8(!%KDZYXh`n@1b`&;hv(q!UUco%J4
z#9MBT%|C`sGX~x0ViRxN%y-+2!7J*yJQcWk*_+jI{F6=KdXeN2tgYx!&3Hs&X|5r$
z4R>Rzg&mVKPs7n>A@SGO@AbU?Yo9voeSK^G#bJtoPU_B@KV}}`<5e|y102C3d;{)i
zrZnl*c|Y-|TJ<eA#v50JSmhjW51D6phO@ll+IiMqg98}dha~0{XTz&=+kaoD{&531
zgpgrJqHgMS(LpLTK55X|0XgIP56A~+0B&}^z9?svouxCls~K^Ae$#io;iidN^gg1%
zEx~T~e%&mG65FI&f_lw__lv1>>KOpjevnIZrMIY}PJmL?NFn_9Stz@@e<zwJs@{E4
zCvqnYihRxzs=jN*P}zT5F^r&2W9n>SZ0Qlc3gg3$IhwaH`~<r4Z@71b-%W&dSf`4W
z1m6t^&K?_5sJdwplWeRV(j%EVT;}Zd2^4Wux>rY_<M)PmI<nt<K6P2~&nuPjvRDqu
zD4>6}4&UP5O@{#Qn7F6I{C7~C2iU)3glnkgP_K_mFGKQvKNPe7ws&VV3ehwC`MN>s
zI-i2<j9<={ikQ~xRNmf}8p*#*;U9+ZA6WPQk2$t}Px}P`A->Q3=E)B}la@Y&*;;t)
zIN%nPKyZS+Cs`b^HY_`(xVT2WV&7WY?}3pHa>@+n^X754-(gi5zDCV+C1=;&FR4+=
z+=hN|%<;{WFZJhR2D)WIjgN!^=W5coNQ?#3zV14Su9MhX9iKVc%P!`Fo!7S8Rt11m
zYv4ZLaxm&KI9|!wMOR=KGCg>qR^gkB5hTM3`KgdfDyIo-a6N;ieSF+QSGcto+$MjO
ztcrcS^6MND$%;Inkn8YJ_$TzVAX!MT<6a1-I_r7ep@opDfoto9ee(ye=+Lzn!Q)Nh
zVU3$aQC)chCjd$XEFJ59voLAxo<Q?6+qyhz`}JYhU*p!oKe$Lhot~%J8tfk7#i7C1
z8+*B$(A*KMR!%T?|4@H<Fu>7B;#tB}Br<>pfY3y~Sib>Y{v`~Dsv4rFcOH#k%g-jf
zGQ2%!zKZF(?9M19G#7V??&L!=jkhEvIpMJ2fiY1Ox_5A)|5SAPYX8}<$q<eAmpV=W
zuO<rI%l?Qq1^9bzJwsGbL|MPp^_a*7w?usdU^R&v|AN)jbzfB)<*#vI<M#-9c)|(!
z)dH6{RT*jXWXe#x_)ufR^|RYR&qBt=u|md-TSu?EIOaL*LTlvW!@bY!A#3_v=43|P
z!?m>-Fx!*udSR1%Qm(lA$hinp>1ohrdqj|n?|5|IYif_@=TL0IMfpBeE}pw9MLO|0
z=Svo|Ci|4UeZNB9MLYId_0G44F6S!ICZKRrrZHR`qz+~Ks#>QG>TQbUBnci=#nxXS
zBZ;(hqkUNEIv9RGKS0M;)F(T8ol`d<-E~F^27ixpeBFM<<;V{=SsY-OBL9(;)XG2~
z)`_~V*QP=f%jX-Yntd;F)&*aJinm-Dhy}!Er7hjA_Nn&k7CUqX=Mz+G(gV*BIF_Mv
zc2IVu3JnR%lx&ZrhaFLfm%I4uJdg}4?G%f6#zj+#VFXT0Y@yQXg(KppJ$Yo7xmPjA
zXq&&daOL`#&Ci}W!dL+}oU};!f_XF*OBDf^`!&EWj<o0i(Wf_wB-3q+gvpaAMHolc
z^}z75tLuFuWd21kmj}?EBbzJKa)lt?(^y;F!&wK&C=)@1C!~9p72k%TQw^gE2}T^(
z9DCnLtgpUw+jW%t4(A=6@s$P<jgtjwEfC@lRe3a!f!Dv~ucBG4sW$v3TEStq`RRq3
zGdfX2b-b-OP@6Pw|BZ@1ufm7761Uvj=KH1vOyJDHwJBLF4Cjgs4CRA5<LA8<U|6fv
z06Taf?Hg5u3pBvuHR)NWYE8&+Jp3iYGT)q)CAhm&@Yemc&UwYms}rQ=DGeK|x4o@o
zM5Db_sGo@gjcczH&<q+@rezv0X<PpCWkgB@Of+xtQZO~r-U@XIdH-yd$77*s@#Zgt
zp(D5f<X9_%Rj7-8$yss+72^`yXqr-90+^#n&V4)m7PD$tbm@%hx4XAa4yqcD0bQe6
zyfpws$~9`HD>IQH^LSQ|e$UKdEOhj!7;=$$VPYdjAZYX6vQVMPPDp!Qr+@=;2y>YQ
zk`lTy$vG0P%AtDpO_`Z7`)NArx%ngBCiCRZ1#@G==T9gI>sRB!ZCNKrY?m{ksg%sK
zcvm`s*S^%BQj@MNuLd$*bb?8&BR3UIR*&&x+lKU%(u)kBwv^A%tBs`>us(e7^ku~h
zu6Vp-P7Oy8cW};}i$n>~h{dspE{+{`y=Aje-HKtF1x9S7*ue?50qtH0e(rZXy5jSE
z4>f2;1b{j)=WcIs`b5d^P6A${Ab<U2!;pruh<a=Cq3s9wlH<ihj%UYcBY$##HOrLL
zuCCp9eWEkW4jmmusrz`2dinteW>M3Pjw*o2s<gX=P3~IG9jW+<lWx*!#BWun^8oNC
zck%oHvwPikFSH@~*hEFe(e|EVEH95=^s=jE=5$Z&@QIQ3c#hK58}5%o+ZrGHx5>}Q
zjtmzZBYUl^tR4OKdn}1=?L{CUA^}o$`&1CDTP{BYVL6$zBEP3MSFBrWCP!v?t_Fdu
z>R9nbsDd<SwQ9`*<sN3TOfW(D+h<F6(AY6-!Bzir$Hadn=7y=uXNVVusl(cl4__wL
zUu8Mj5?qBo>4B3Q$7{W2;rQk<J|NPy#P-}QWQC3G{9L(r;oH3Ao7<1fPFtMF4=sK(
zpUdU#==j==!_1L~X}vNUdtB)h)~)JeqIJP1znhgMopv?}D1MK5PLQa>R$bAgvY9h<
z<kpoeMUU@_Y#%7s=A1b^J}l-Dwmy2s+c>|&zA4g*n<xzn)=!+YI-MXnF1%sxc+~_3
zoX-DHX@_b}6PbCX9?}Q*_GLsDe>#xbc%-r6+TZ-L;JYU@9FbkR-?cL?fdqBdK1Q|I
zm1~WCifMyisknVBWOcdUu6a9t@F&0hT@~!@)3eF8-4`E5TCDs!?-8#R+2773R*VEt
z*sb(*Zm@LHx7jeSZ~^6M%9$>4aTr9Yg`~>5=#{NaMi+a#+>97lhv&?{-7ecwDqtoH
zVX+^5V*A#36DF6hVzZICMp7K)(ydEz;7xR2(}hr6x9w)%_O=aPN=mc;@qCbzGnC=V
zR(1CJ^Tg16_NMvwP3z;2+!NdLjQBcqhsZd?`Y3iFMtQot&v~old~oMEc04<w%iswe
zQ`QsFvI+kHOIrGq{Nrb|amX!Ss@(g}9k4VS8~{mf8v4)RF*0Q|%fSU{kFF`m8u+(F
zN2Xr|wESKT?$68b!D6nY@cw2|k(lAdpWigT5*nR}^Bs!yiOXi(`+lxJzyJTv%cI&8
z0N&zU4ip#UCBnhnx9a5hIz%5-9SS8)X?$QG<{ETGnF76apNBVPAIh-N>L?;|G|ikf
ztws{6&RWAg{aGmavTO@X4fkb}ixuEQpA2O{Q*n919ShvcmCq`u-_Tb9u+aYdc#L!L
zE?CBPXwD$yA)0RlbgKHjDzwO&_`%woe-h1al-wEB;8A~A{BpKn7Jo#E?ptj?+G4>$
ztwhCBB|Z<+tL}pNvt7*PnN~Y&*8H6P+y^&7Y9x0M)pjA`u>#aEEunPYurL3-Jo2X2
z;E`q1&fRP5{#~?b>yyv`?QN%iLp6Vz{){FDFWVj;ho0dN%1r!GhZ;M!Q|JFx>?PCB
zkCq^-1k2&e&Er$3=IMa}otK?ZlP1V`9IE*&KEJ<OY_8pvEmdDY#}=7)yo8fJZ(xcR
z8)i9v&?cI2;=-$I`vdlsc2Z>NyyaaXg{pMsui252m%Wk7l5ewkucJ0ESTr8pp75|w
zJwwKvzHWrM)7H8cfqHQl;po&?YmZquO)O_^S%^>Qs_)R2KOxr}g%}(*e~F+M@QiTJ
zsaUfq7gYpL)#Fokx^gk55Y`JNaLoaw)hc8eo87}oHdrIiXS39{dx&kreD%WZs}`Rh
zS(4D!(WO(A^IP6E9KHN2QyZ7Wot??m@P0pRu69sWiJm)hl?`gU#bU)pAVIUNv=FT&
zH%#%5Jh-fsJHfg4v4gTl->*rz^y21yoGUq3*C9@!&vLxYM{Hk=Q}d8_-elHo<RkE?
zCvw9DM%Dfoxa8N4qr(>St$tBJcSEy)Ko2rKfY3u5v#R%BHs4BFOqAi+Qccn|n@4^e
z2DqIItaGiMy<BXGj12BUgXV1W5Qo*D82xIaI0-<OsQAybXLDlv@bRV-HG|m+*46^N
zTER?Ye6XSHsgTmuAZyj;E0=4an}X(1Htf-950yS^-dYjT7+6SIdn=_CHQwgL?1rV<
zA#T0HO^<<iU)XHPD2Z;^8f*USVfAStXt}*_xZ7WEX9Je@znPjX_&SH{$dECBVzt6z
z^gG+!FLY!q+wTn83RVf{xL$NHl;{sKe616mWK8|=1nNKvs0fc$^fAQ-RO37^4J5T<
zHQl)0@*K&|Uh?|T8pk%zPDvu0D@71ENWZLI2f(@scKPp<4fKrSdijtKl^RDN)pPHr
zWFL?dTXRv@n=w+abHa3Y!o(%$2(uX1ynJgXjvd8dY8VA1-fHV^26EEfxj&x!oX75i
z2_d>gXI^Z+M~>iKa?9pSyj4M$I+nN3qR0ex57(9}<eyw43NSk|?GFK~u^r5>CmOk=
z*WO$6oyGB9f4PgriHres{bJ5)=-tvM%8h^cF!vzrW<(pKAl5j9!jWI#VvJyoR4j3(
zg{;?kU#^kyo&_!CoJIJ3+{84{%yC3PP}dB&ql3XI>KAfPUs=x7@Pke@nm*>5P9R^x
zNM`#P>Pgy0BWJ7fSJO=Dc|x8ko|=x~)|^yJGAVAsoNFT9+G<ChZL+*v%MoCuUu+z=
zGGraCq4S}$AA&%!YI)x-ZYOp)>h`VE@=S@Z8M~TzdT&bUd2ZFq7OT1sVaiVYaGRCv
zeUz>Fq(inx?!49G0PdM{ez3A?seGDX3s=7)QI!nlL#(icMBk*xPDT9v-X-5X#iSS(
zykx?Y<~ZgRTUv;>Fn7ZWupr=qKJbsrT*5r@vQmmOkwcntUFg)xZugyrhP6}b8BlPj
zy2w{L?+H|18n`imWL+J#9Xsb}`svn~C3C5jK%2o*`@{`9)4cAhjYxwBOZHP15*CU^
zZC1ML@Psxt9AeBtk!=_v^+pP56$-h1+fhJXIT@^<V}xo;)2!#A%c)U{?cnHMdB!8p
z&9a{TLz=sXn&4bOmaUbCc%fsG9_*wTj4VE3Pc}w<cqHMWR28ec&HnKzP592B)jQLS
zg#^UFYMC=nV2Kj`1OLGK{Z`DTH?!=+g^=n?>26-DSw)ZFqg6j(9aMo14x)Qw1QoF*
z)Ru%5N0)dp^;%B#QuAHI93Iaq2B_YAh>!tElD|!CIqp2-kQ#4`hYUPFdEJSAU&Jji
z;)oBv6ZP|+Gnqdmxa&EvvD&n6UliG7ZOXl@jV)(6qnJUucB;KsH)<p*DXf*5D1P~c
z{OeTz<dGt$@MLchNuPCVs-$-ej_qgkX7Avo;eNKwbKcX-n!aqu-Pxa=SY-C{PMWPU
z9@*VRbe+X+J|-!l^A<)v8A0Y4--KVC$Bi?TY;6cuo+ASl7$%3~7O=pbBJf*ElohHf
zdVDqs+km{G<}a#;0G9+Vj#OG)cY&p$pJMso#lA@;nFPma`SJCD<ly##A}w5(0RiLy
zV<DNy>&#N0;?TA8Y*S9zHa|JM1r!s!#V$?bn}yn#w|@~tH{>*7(E6K+va9VYVnC+n
z>_2B^K=l~>SD1nm8O^co8C|n2co{~$YO5tMUYVXLICa_j(v8!$%pa`H%*WZ;dyPJd
zHR($olM;8uDqU)|*1WE-l`R|~S`H(Plq(J}{EW&^3C%Z}1t%Q13De1+!^gDMsGtQ|
zAA3)N9JerdZjh@E`dl^R%9e{?Leiz|tdl*m_Ks<!_l76Uetx_!3?VpeTGbUn4ecKH
zh`Z#fzWyONPbf;KCO8xb+n&~qzn=H$qkNGI5$E40_NbmY2FF=njg;a7`z+%|XQAW5
zWVs=9F8oM#o3B}PcGpznOXq@99)1$m29_5{V%WCEC)GLx2oKEc;hca&pU+J;qU;=b
z**$!U+T>OOHDY)>LB3qwIo^ftzw%&QIJdr$W@>T1t0Wz5;?2Y$j$d>2T|~um_|P@o
z_KoS!<F=a~c=He_{n75v?j`m$a;!#bG4!SJ^SW3iRL{h{>bQEDugvl4Uu}NJUnM*$
zVvj0yaZ*&$v=!d$FQgP|pSN4=Gl)ujV{Twp%pHUSsU%NGy_@KI$HhJu#U*__DadTy
zx`zDm;-q2gwnJ36_3#S~|6FOHel$?VkNpZ?A#GNZpmEJ?6=%V;QS1=6>fyy-a=-qX
z(@X1Wz5G28$Eem~ABmEhivvDoJ0Vi5Q%A&W?DY7hGNkM*T1<zPK=_zS?be=a#D#8$
z*QV35^IL;AKjv2*DKsO?GVfe-jBRH8;&u)@jhNRB3rvnhtd)ro-7K{uc(zI`Yd2Q9
z7R71=^t-^(h(>*@gA>bF+uv=;6@2RUBT?C{!_ZqUtsQofRYw~{8zE&?x|=yN1^!2H
zgON!M+flB!BYN9|cPH~7N&ENbhutdEVzOK9r8?-3Pe_%i!LHFuSPQO`wmm)}pNt?%
zJQ&5o>p+O-w}Ha{{&XLp0w^mctTQY!&2+u#&~?vzkciG}9~$auAXk21KjeaxW!h{&
zUAP)N3_SnPkfFk)iwB_W37RlJ|Gf?<TG#&R@BcTkb`$6DW{1Z|eoY{tH>Dd{_Zz`;
z^P`u`F;yK^y#VV3>z`5J?`rFA-FU&;WkpTQ`|f(UN9ColKr!D>1MBxH|D$3-ZIXbF
z|3(nZb7fPgdR(Zyq=qs-lx0DgJuqCe@*bf@?gOF6`C5RiT5<iKtcXrkGQs>8YnC}`
zkh^rt(%e3)2_u7kLm0oIjkAj`T1ubA8huH2Fp}q-;eYnCIjsEPRSB@f<}69mg8XCQ
zGno9jek-nKd(x^#j5;pHh)yQ|%zTaWX0Uz~uep5M2Dmy7jP0sfc-(<aQ~r<n31RN~
z#+ZfCmPal{HOakBa~GjOW^%TywH;M$fg}dk+^K+F+Kn_S-$Fxq_$N*~k0W-@dwK52
z)h7<9X2=c^!h}L0cF2guWGXQ;2=NrRD(%+;&`QHL#dao<i>vUR?X(jX%l`d6$*hgz
z64v%u&82_8?g7-bnm6vl<7s!2E$#|F7Zy369;o=F?VN!z283#U5Srfs#40~~i!2>;
zAbcHHyq#P6y&pgxw7<~n1n(utnOIA76C2VtjHT#8JN-!oXdImU72aPpDdIdcOe!vM
z>-21tXvB5;PD#`woi|=PPb*F8DcLB5BO?zQMGB(hM*m*D>{_qTXsA=V%-0Y_(yDP{
zj*QntPb_|-gN@%|aAw>(@F-H|thF{i@xe|--p$<%ex!U|j-u?QJ)C6!DX(;3J_-l%
z9cLc8j$=+<dNl_h9X)=#N%^iGkHyQle=9n+k54et28?N3He+cGv9<?E?8&#&KwPL3
z$FDp|9#0d=wO*+tG55ZIdz79&ES`F)UeEnS<(IcET}Qo}2g?t9iRfGoTDT-7)ExT~
zC!<u5(5on(DKj%5BjOZ`dEa>!1Tr-<2xzeF=MPYv^VeO8meH8|)$7B02G;n&AU~((
zn@_<cLA<u3!<Y@5xO*ff4o>xkL@QUfP&D8~4JV&42z3I&Xa!U(3`*x+|JYpL#g+~T
zzPvSdft9PVTHwyTkm#2zo<vZXe2v%37S>~uBAc;Y7Bf(^-3py6Pf_ljpLg@cIbyqM
z#kChILU``M9FEpT9JR>kisE|41GO3dvgD<s(z5;nJZxbA5h}LrYeO~Wtx@u7Qs*{?
zO$urnlS78JUyAa<jLiy@DRvd2pVfze*l}ds4&1m`R1%Fg5z$d17<JC>5}Yr=OTlyX
zO2YQ_2F1%B{0FOha|V_U^Ho#BkYvIL`j3THK|aE<qyhJUUHA`D|KQh)Bd5tDS}4UW
zRolymtLrOnvT6miKzD7M3713<Q=r@C@&meiuge|ZO0G`3*-0&hhKjPw0|~5o#E6AK
zXH?%eV$lP~o}GZoswDMyGv|f7`1oe;uBC^GO@1a1J8qP>So5@9P-`A1|9<Vr_Rwh9
zJc3fRAc^p5-{^!M2zkr1e2ND|dbiV&Qwy@+RqK*!df66NIl*TIFZ29^YE!u1Q!V-N
z-DWYmq7eGw?KPTPEkDN9^nGjPVus@@>jqmfZU7cj@zc&J+9B)2RCaaxkmyLRMv{XP
zr*}$#-g&}TgwP_>RDau{RU3x|B!SNLp0%yqG5Tj3FZ^0aZg@SVZwu{9!$uyG=7G~5
zM9fO4|E1lNR;DZk;50sLkV<N*d?*A99_sLfonNn=Tc=ltYa=OQ^FzdOzdc6zow^fC
z+<W#ZoT4<wtaRaRAVbqjE#f=UzJcgaS1%gqmU`X^iOyh;1tO;^U$gZ}nXkw4fA)Qw
z3t6PeWZ_RgiEVw}QE_93dsUVMux+M}m?n6&AwOsP87$jp1mr2l#gzNi``%>p%PyCW
z=oO^F&KSov(Cn5pn*us>Sokg0z8RE3m8o|-b`8;TpT(vSjE}Qt=j#AXJU}-ENa_M+
z8^9jCu?#ic$flze$bK96#!z*M8g7Ox-PJ*3y|o*XwHmL87%lS|p|{H-j0|*rj|V1F
z3j_}rH4!`W{6nqDtaKWao_9Q@gj%>QKU-&YdHj&>yM;D7lYPb_bYTX4gGoVUrv1Ko
zT(ASmG@<M;$E5#<uGO0yUSu1&w=ru@r>tXpK@F3<(n<VpMHV7nBTNn_d@a-7r6~fu
znw&?j%x2~e5zgqRgp*LRQn-w2?gw`~bcq7cw*0$X!^Ua}%USW|kFK5%Oalrjx^LfE
zrau%mp2)9F3*u&qpI&4WY(a6r4L@|R_R~bg%Ws!F)$`S8TyHavb6T`XJz1y^l#A!m
zv>aOJVp#gmdD{W~tG{dl2A$-l3L#H8T_h0zne!PRhCs=YVP@|I<^1Y00PSrnZRITD
zGtJ@VfHIQ1Y>6ukFP6RKDBjl%E!es=kl<z^t<hWfy?4({vwct6GM1)d+ofTv(z{*)
zJ_Z=aN;F77h?2ZDh+lCS+Kmr(DdJL06DxVFX?b_Y4(vOx1K3I#Sv=2piea#2T4BvR
z)R~|}#ew}D)erV;1<6<}(OO(3#fSc3VRsjH@54<)cB|uQQ`k;_cLDM0&35Mnr9A_2
z<KT)OculW<B)-9Ch!m5lkiHe`ycv6yWYp=c|D%|N9k|If&F{KXWtgPT%m}zrdmk1p
z@grOEy~OPh#74-{gw?#WM(lTkY7nb<C8?~BcNbz-{3jn+?N_g{Zj{C*VsInj9a$zh
z>Xj~;-LsB4IZ{z&bJn0nuIUSfZIM+@Ww$=7_$Ry8lgH+s_gqd#`{ShjtptQ;5jLNj
zHeyRE`L@HF?EuXuoJ%Eo&#B#_d&jfx!oz0$pe@L^Dd;UaE``||n1g|RY-*WPf$Ct{
z%^5g#=2PCrn#IoAr;Uwo231#lV_`7?2&ksTHri>36k<@B>O<~<4_7URIWxd7XttWa
z)Q$oymt*LkRAal7K$QL+rm(OD##PPP45`D2>Ot#belwbAe~WFD1!uV8+E>WDIdvs2
zf^u*-R6%O&Vho_mqN02I0{D+;fZl3dbV&3l5QRP52w7iEUawqcr~0hlU{bv1@4stm
z!kg`gs1KdgxlZl~u2AhLNuIU4Jin>{7QN|YVj6$hJn%I-=s)8xopySNs1D6mgwqmF
zDbKERU~>LGFhV6Qyhr%j{J;l8d@WZt4IQH#Yr%81Bju*LDZU-9$vu8}4}ZIL;0^ef
zrawoxi+MF`MoI1R&r1<iF0eGow3ql3N{(=hD*E@AsU{OQlNUDuDlaM)%t0RISGsXT
z36~ighP(*i`idL>@jeEEI>zS2R5m_~p(73od@~QDts}(9sbX}rw^>xH+`|lfRY7;?
zV$3T<bwW51C(F`gj;kgcB>qHc0>)RnGW6fY`~zNNadXw4AaSZNs#yf7@$@*$$@MM2
z0_B-AC*540WQ|XF_+dQ4Xz%U<TRqPD-QAT7+dU9Zjn0b^Ln1`1w^1zowRqnS{4?09
zGgZ4pTX_r;^75$`+sU0D7GzBg(5ZPm5cvKw@cZStO)KW9qMxYBqq0k&4^0uf{rAd+
z0xK6Pq%%vC8nk|I9LmDKtTzmtZ<qvp7fEaM=R1%7tc<iENTqy#ME_=`=y4&|@?yW6
z%H75`MSUTiR5LK&p7w(1KJIQ{zp~v;+^!SbuEXw}RHu7azVRsZg@EoXKsboHjyO5P
z<#2{y4d___MtNp&{4aw6fVN~L#e7FYqbr6)SuVr(HVC)wRaKRfo`K3N$I^$WVYf%m
zT%7zcRfO<^7Rh`?&j9S<2PtX5P2Dl<A6s0h3)LJ!{t`h4krfpLXzY#|z5d4&=0Cv=
zz})65{o~{|?dG5(qyH2p2X^}PJ+N`&tABjS9>REn_n$MihgIhX4AE~}xQnd-CS}jQ
z$sYg5h_{`o31XfQ^?yCOyW}Rd|H5<at=WV=pwRkzEBxLM00-W`niO^)C_D2vD0lCv
zK{|j5LkTakQ@l0BvjG`er~X771$=vDwZl?S&C1Tq@Mb^_`*$A%6EM=&30fGQzZ^#8
z@y{8c)We?+G?Nu@+TcM&GILEor3b!Uv;gx#M}(s-NKF1$2HCbLJk<1sfSM@_KC8c8
z8cH26p&EK@80?g7QQ_3JNc?s?jO03`UQInZRPC@*NMQ=x^7Mn%ux7FH^K8u~q)abv
z$L;iE*><_&E0LK?sF5|jA!o`0?8ImlCI~RalS`#Ls}|vy1m_*;8ur{9J5zZ7OWQOA
zCg06<k4|7*&5e<3&%<_z15~qhGWF(6rvGM11!QLcJY2O>0h6oTA;5OP&)`eFumQ@t
z*cRJ@;qQ%hi;*r;;3gGQInhgLT-?Sih>UE}+f|^ctBV`Rg%L`f^XoGI6*gFfPxlB#
zqhth`4IHA=8-Cz5LhUUbsQ9ipPYhkm7g7r$4z^nJ489^VKXEE}ifNmOVESCX<lo#A
zy|V(Q-u&($Pg})mcFhk{LjmOAuVxfE6;ie=$n!?U_6N;~4o)r}+FZsD82ePs9avM~
zE7Gv5j=8R93N=@XC?|cE0-V5SnpB0cxZYTEc)GGj_s)l+X}_14!DaEd;`DjFd~l-|
zBE6iRUD`wV*~{vcAGl`;Z1@d^oo1J9Rq&Q^JtC8ai|BP9o$L{Q0|tz3RN8B21_LYE
zDjK1RT{zO9Q+ni+3@Nl`xnituXA`!AcFbPuHmw?sfCEn)_j3R}gch)VU_yL!oW8t8
zORkeD{TjK}5r*SarixLf7GGQ3p*r!<fR{sS&N$Ak@x98fA0&V}Xl0zoe4kVCGSX%j
zpZc4vnjSUU!9?uL<|KkA%}-!Lc(yug&J17DpYSf5@;f@d6ytEJaW<~^gj}mbZb!a*
z<<!*q51E&F<m#NpHIbhyb&P5z6Z1O*i#or0QonO5ZyD5FJ%U#+^FU=y?pTdGh<-2_
zSq=5gR;ft|c&oxgG5QiF`#vhU<V5cmx8)AAE-p-c5Vg589HVBxnz#JPW~{2Rx6S!L
zvT@Ank~6gfrcD=9ia8=f;sO&jv)BYI$hkX_*=NNzIG8SaQX(D}jZaYFJH7(S)S%&R
z*xEZdXV`1DVH|sZ*HJ&kvm+z~%thf;?N?VFEqCTZ9nP1BPrP(%*FJt8LI{T&atz~M
zEv@=}Cme`XDt%X5YJA{x&M!OBr<SpumYP`!Ho)rll}$CGI2)#1$0rT5!w&Z5xwqNR
z9cO=#lb67W0eOWe4U=P2@UJ8ArVQ7L3>`O1q}-2dIvy~qp4|zd1reD0R3=70G?Wno
zpi2dX+?*EjXXRq~{NJzTcrCNWlLK87s-N$)I8)*lBpAU9;lErC!G(u-iayBL)cpF=
zE;#+6WLey98#L;@69Jnus7r*edHAPpeS+__7x)5@qx?iG5~Zx;p~o2??GN?+7^{tA
zD*%&qr)y%CgCU&Ii8mw&5(3P-I=Rsx)14IlXN`Uugyci{)(n6@9hAoi%slsU5u@?3
zPf&@7+X-N|@T?)4mjd0Zq@QIZv%>^5C8c-^Sl2w4*JY#3P><=0>sn8<8$ipFY}59O
z?@$rmTpJ8r);Sx&MXl_$xqc##y=VPPUK9n+sX>FHs%}><EmBnvEar5smAg4M_31tD
z@TANks5%?0KPq5EgF5`k0%rC7$g0GU16hHYwxvuGSvCr}Mnzj}CS8s5qdbP|jd71~
zl*HT*iQcHV3ns%YL8pU{UMbi8MZ0nq>iNl;;H+KyAtyA+|MBVYqn;vO-cRk%7eAT_
zd!En6_uQrH&`%xPM+rWuj=*`&IP5xCoxvzFXX?-qCTW@D;A9$V2iahE$=u2b=C83W
z(IY))yP=uqDpsToH51wCZ4@12;b`*C5lvpmSraZAlI`|~VvqVQ|9VwKDtgY#C}w&K
zyfuKMU9}qCxG_{i#cm|b!v+R^_=Jq~V+ZO*9y|0F8%4(^y$F}6$d$$6FJjg^z3`CN
znFh;s&K@oWuh{%mf)Y5lZ?aj`lmMtH{81ksd}=y=$Tg{c;YyAJ0u921vF6E}Z_E_I
znF+3xP4=yyGHb@KwvI#CL_ESfGB-{Zf8G4bS0U*Sz$0wwM=uH1@mTpVbtX%7D45Ln
zT$a_hwD)aKPY*B)qB^eUVC+O<`(~x`d>9F6JHNRYKZDh>q%9VuWsV)Qb^01=#hCGP
z=a+s&4*y5nJ@+@{*6}cO4HL|QCs3pEi4t*wvtHVNM2wfotB)-tZMZZ&8^{ppo%Ezr
zGuKVo4nUA!JQvj(53J7N=fBNy`;cAeayQRtQJSuTT{2&xltTYRT9(@@#xMD;jW-YA
zsw!30t2Ph%-?#wn=Uzz&?YCWiRzyK%cs?{Q3}x&xFu!;dM?6vp?}nI{pTD~j&=v^a
zaNGi{gX&QtiaeQ)`GPrA^*y0x9beD+DB7PLH&ejk0IA?^yRiCrV6>Dg3yf2oXlm_O
zMX2$h*_Ua%NRfV4XhLUy@y2nU5I?t?kN)R~aZ(&Yl8O^mMf~B-^!bGpVRzx@rd~!S
z@B8!okuQ=*!b?)Li3JWv-6`cYoXmMgh=_Ir8mpA7%Jb^|OWa$gzKnjnI%{6~t>0Y|
zajJ}#s&s*#_M78}6hP16{cLEOvm<MZ{<6~-YSeztZ<s`Hv`CBQ?abQ2F8Qjdl$glh
zuviXQi>79e5I%gt-fUGmqsZ?#nsf*?ykU<?MZ@c&sf{%={!4g&i9v;-?KbDPv>Hu~
z-ph3-Sp0*Jabe2iFHESYkTMdbk#@_^UeDRf!lqs6&7X2Mm8p>`t1X0*I*GCez@VBY
zG=x}h=r!Z;{LbUJvID&btF8uB5-BM}v}a{nO|rVx{CR@VjBdg4{)P_rOY1=^KcrYI
zH*KoMZz#ev#QF}of8TcJo({AkXF472PwuzX&+TPfZIwJunP>KqVe~sV-0HG**7d-q
zFI}?mwEjwbBe`z&trYRp&S(`k!anD#R9v6-I_Bq8T#>hu(vj@ifg7m-4Fcw=666-8
z@0tS#aVMoc?aK@cfR~BAgfus)C>-OsDY7G6yBf46HdU9{r4p{PQ&w$w&cgMDDVGUr
z6=TKgABGhq$wxDS%Id@{EK9i&EGeYuL`U#xJDH4uqLE2I!l2&jrs+VN3LE!3^fuXf
zCvJ&9dLr=X!RM7}&u5yAL#PrV!}KuNY1!w}?#HuO_{UCyVk&cC;|A#QGzF(CVzMe;
z`3Gn|t=+1im_$EOh{OzL@?#j-4;Yzu(LKH1wQ5=A8Ib^4<ei4H&j`6<wJ)s9+y3<A
z=N}sBze&Dvw5++-WnL^Rh|1tazJA1L1>3>bWV-UhZ^^vZ!kE7?RJ;3#(T}56e5`BR
zk_lV^#RX=W*(wA<sD4D0IjOWbl-Ao&KK5BY9K`f2rs$3HgzHy$;Y=qDnGh$9ST`E(
zTthT<87ADg9O*tS1b2XXGTo*MezJMM(0KiI;b(0`&1H*cdFVJx{By>9br%Lwj8`Fb
zLvRtbvmv|)tQY<xkIOboN?fI?$B?L8lO|ELD0Jabf&UNqn$LVh6f{kHYlDTDcn)ep
z8O}|=Mm1d0)EI1g9}?}njR$w`^lHBeP{de{G?g)UuA}?Vq(Kq9{@eGijN#3)Cl)7V
zy6^|KV+fgvB@?DL==WU|Yi;A#N?@z%-gBA{7`sjKRxZ$stNAxy?mzOfC<m2b(JO>r
z?kR{bK1F_%1UZ;b95fc4ik3x{7#}?wM15M-<^8f3uh%7aOcFlhf6gc&HgMgu9VszY
zr(mAI&q0}Vg$gVCP7}nGcgo5|)T|v6u<XBlR3lJ!!G}iYwX4jV;wUuO{+r)T<hyXU
z{lZbJLBF&+#n5@?8#l~FMwEvW{WX^yzr2%Oj&dz7eAsSSvA{%RuYA0M|M5fbdD17n
z*6>~nhv!}wI9xTgG##fu^voZivdE_*hSej3;*>IKH~26>AO>r8$T3vyK7~T})5AJp
zVK6Cgd~)KeZan*GoyN;CY>oCo*b~MyR+V8s!a41N^M>%l)gBCf&;#QV{U;~#PAP?&
z4zMA9+&pD%?xzL6)@5t)BV+AnK5?qig@WzCHzTK&BKg>Kn(AG)PA5DX;$!W~zy~pu
zoy2+(&*`YOMn|U<Hrp97MS2za58Dx3-#OrylzE=7PYW%kYe&R&=A9T0^;h01>_u4X
zIXekKN}BDw5R})Qd^;_mFz(Rm$l&#2%9$MjCGFXwvCJYB!ggTURei!NRvp0>(~FzQ
zRe{MG#6GK6AluBpUH5JmKQceOU4Ft!^~gyd`wAm0K=@4;Hu5G_;59#g%{CC=+m}Fe
z{Kq_~K}+!T^r8N<;K@oWN*b83o-b7?hP|nT2rSO@jg3n@RFpJtJhx$`QoFpkvn1v=
zveQ$;T`dRxc{#u_n?r1a)&ijpuUUp<_MLw<0T_L07Y68bK&K3RIxf)xiCHpV^y0+8
z=gV$&ejXX<EOKQh2Kai7DTWtyNJ~~do^~P2Sci(dDwC?!j3|=A7#h7aLr@v6-Zb}&
zu<E_6`GT>uu~pOY%cQqMH>nrsRe9UvH|48D+sWA5!B+w3?raD?1?Aqqx<ovAm3!p@
zzib9HNUALd{pgv+z!9tz+Jrt^eZ0L#g%Acr_+Bx6dfz>{I#;e+oL^jHXHxWNS3-|&
z)|1&>AL_J;0BVqz33Zxt!Lq8ui5nm3r}CvR({7KrlmUA90#*^lhxE;AM9pp8kk236
z(%*!4(R#g9%2>nrmw+CC=_7;vviun1a}u8ju1xSgw%<uvzp#)wPmf$z1e1ius6K$(
zeJB5E!_a3exV?tD-sAk4tNseAnaOXchI{8=IE5ox_sdV(+r(OSA@!p-Pi+0<HD{+M
zI&}0zyW$h+Cz^v>95DQcw|`n>b{%w{Y-&{Dc*$6s3lT<V-ymF^_NsDE0mNc|uqEhP
z+#%W--Ovt4k=}Wo?=)9ETo@|y4189IlFd-40^Ss)=%`Jd;u$L_G)horOMI3F?}fk`
z*~OF;;<@{CQ{xJ;%PVJBE&X$9ioX&Av??)_O62zrfciqgz6U;8WggT^`^cyH?>*_K
z;iB802kv&lnEcRa6<QMtL)n!zaUYud;<h&Tc3oecldWPJSKi)oAn%tpj6o`2tn6TH
zb>?}C`*mQ;t=&80letS4I{`yGs}jrocgq=#<O!Vz7E$`-0)H`3cYgcFX_*E{{0#zP
z4e8L0gB*mZpN6Gyxcbhob%slSPGvSP{aSZ|f!wtHD)JW8d6x3lRf8~?v#t<M=p>n@
z;ky^-@jql4yp@ZmQ!o!PX>PQ}V)7m*gbcoWitw}{gBOG_mzr1;G%N0W9N~`Z6eCxF
zjS9P?+)Pp`L|-dcZ`^8K>;1OXV!Vdog2H9tklKQPUjrsVLDQ3K>r>qigc}V<XqsM_
z4rTZSOTEQdT`NamsxuTN$1U0xXU==qi;CB9<FHyK1l+l%Z$l$vrGrA#7~?=Lh_g?d
zNf4Vfw>j9k!|J(G-vA#MQ9(aKmoq0lAtOEWfc%Y2WAL>802qCdq|(7l2pV3JkCZLq
zTJssW{FD}oah-qY^_@no8KXol7>nB`2O>OS_3PB@8|pEhlu-X1hi&u%h7t|u;*t7N
zwX`l)wXA8FE^~aM#trulvVHU(C5?CQ9){j>9&&woUm&SrF3bHQOD`jL_92xl8%ynD
zrz<fpgb0z<a--eqJm}-+%5U>*8kfWdD!Eq`g}&~kRjw{RtK`FWBqzc*HsK<L8yd-^
z_~|IQ)yJNB^U><|b17u7FYD&?VpuJxQ&br)Gw)rbHB-Rab#&+O^#P6tqR7uF7*k{V
z@K4%g2Uv{tZ3Y@By~9?NV=(lc2s9PmCPX0`cV~d<-JOOIX+gw#A5J!t8Ocvf{SNp8
zimdPpdW2LwqG+sYS~!Np^(^0ywkcYQ7~qs|psbN0y>t4ielLwljAe5_J=!L**KAu1
z>Mg>a)yeeoz26l9Icn1qq<?9JDylgHZZ(p}Wj4J3#p4iLG{)XIRz=cim)Z~{DZc-a
z*hQ~|f<WzZ5L~b;8#WWtJKte+#Zlno6WA_#G0qz<?9%evkEJgN7F7jXJ@t=L48-;I
z<T#`e6I>a)7U%8!7BI?FiL00TiEb+7>#%Ok4x@_|hZ}E%_nuL%ZmPFy`hj1L(k^5$
zl9)P~KyU~4V6K5u%{UL`S@%tGc&r3lm6GpkScAI0Xn3n#x5XB7aX>CPF1Z&^S`{oe
zQ804#%Xn9$VnE;@vPB<HhF;}aNY7D7nGac)#7ZeGd6d|QxIRmuw;p3F5@(u<+&JV7
zpJD&u&`p_RKS(J`QaI1_AltkGov5VwTx5Rpd+s5?4*D@r#^}!iakQI46JFBy*aMR$
zW}nf_jr(&~{FcpqUu-JY^no1i_UMsE70JIG>4tjqla9F7qnpsE&SB8J2gf0@gn#fQ
zhk84#iEFPXT^^J9&Ze|~$=3f0p9En0yhnbr`=;;zh3;p5<#)P&^K-w^ed#~^>FzDx
z`wJo8nNtUwgZ}51trzBnT|7B+S*<vU|9UFbTd%Sz$I!?752<h<P89m(8P$7g60dLR
z6Cq$<t*0kT8~0QoQ(pRnXio^Z_?I?=*aJUt9J=a02!6Z=c#n4d!aTC+yx^4JmY3GE
z)JN+8<fTs{dJN_UvU#;#uy$EX$q#zHat!iuOnw6`FVP=sMeN{(69xLn`aRvGP3(z2
zGS^yQ4(Mn7fHjLv#ou^|JxgoR{qYmWWsJzw^8meey|+Y`9IMIJ`k+n!_DRoc*W>vX
zpuc|Uesk7{J~)n_I9~Iw#f}yK%M0%%Zfk9r6WBgt7me0WUb1GpUeQZ{d~ZG4?#E!~
z#Tu-gr61ZvFC6!DM|{W=;b;ST-JY&i_Njc@!#^5+vj|;K1e2IWQ4C*kz*iISwQuh$
z#nz9qFQi?sMPdwN&_~{*kNCf4n^S$K(R1p3YR?;DXRWUte+noJ<2SY6@k77VeO+%~
z(F3xvUcB(+<SW1Xr-LmX`N3au<q&eI)b=Khp-uL4>)fsPJdW$nwoT8Y-`mgVkNNDm
zQToXXddfQNnt+@S@Y45#XoK$Z!dy76@0T^AkG#YNS{JP=`j>2?$KaUu0bX+M)_C*V
z_3F<h8{s&x^5>%MiT9$bm8<o&*CgF8b_95@`{>Wm9c%D>a}3%(c)<@S>Xv+_$Lh7=
zRa!S*(gwW|Thh;hb;=9lwGLXIwh!KG`&qpBkZUDgTJKYV9{MGEVNTc(_Xv3DJ)-ro
zd6bqX_P{#OM_zJV`x5Qw2RVA}9&`FE#m1HO59YFQj5T<1=3(PuO&<cSzxEZ5>$yY^
ztk3#h`(<tYgp!_j1?VTSD95m0^)c;t{ob}&`$|lqO~(RWYuW-20Lb5eL@tB#*PH*v
z&v$S8{{Phd#4r9<$aMhz#L^m1O`>jxCpNLJIh^{?!D_`x0OkMDkNnE`q=bIq7}~tT
z<Ps$5v@bXV*cbX@j3<lSF6X%ToPu{@B81#ep7WM}8@|Sk_xPFtUihsdep!XTF}cPc
zZN5vKdb4@zcn{n_{qWEKW&rQ;8{VJ(<=^h!^Y4G{<a+@^$myJ8-ycKkeh|m)6F6iY
z=EMM!Ze4uSpYPhe{8F$MDJonN_uX%VTr$XSZhq!B+?pE-mUv)qjl!gd{`-^oRvPZ@
zy?)2CYH?CPQuwX^@;`^CBmv&znAi6hp8vOhy!)p=`D>&666k}zo(yvP;Kt@I+!PDA
zIkCS@A%xt2a2-HF?Em=3KjXGP2;f|bmrfw(fb$*BdwAWY^D!ah{NO1EJQ;P{zm#p=
z4?@4%({1E9=K3G^$9Umdfo~(=1)s_F<31PnN>AiI=&(3R$o=Ope(R5gZz`eg^}Rp!
z>*4QB%7Yo_<W=wfnQ-nzUbS`+^en|mLOgIGl&=ZkwKR!77jknYkGp$)2qA<JLdfad
z)%(FqKz@-WuS<MtkgzyO2)UcEI7tX0gb+dqA%qY@2)Pwvaq|Dy{r>@p*0OcH*JYCc
O0000<MNUMnLSTXyvlO=g

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeCDBExtension.png b/docs/GettingStartedDocs/images/VSCodeCDBExtension.png
new file mode 100644
index 0000000000000000000000000000000000000000..613bc69b86840af8ce30bd726e43f12ad6672d4f
GIT binary patch
literal 23391
zcmc$`hg%b0)GaJcM4Co=Cj{xB0qI2`KxiUG5eOg(0@6E3mu9G$(7RGZQ4j$sN|7Ew
zK#J0PkPZ@h{|0~W``!B=+~)}-nLIO@v(G+zueJ6*LEpcpL4B3w>ZMDUs5OxYgG-l)
zvEb{BE0@9lEQohd@QKL7KtttHX)oI{_=eP0Sy%berOyeJCst(OdkR;iiN~c&G%Xi@
zL>(^gtS?<M-O)rS8~IwS*ZZK1Oft^Tj~zUE{hs;o?R)NfmVI$DTbH!ee<}0iA*o02
z%d7lXUqbm`5m69BUq9(B@$R*H_LXlj{d8mFNAJd(V&kz)o1vnY^aG>oP5}Y+Q)0y%
zor@1AkN2|t@0|vp@93Q)qVxDK9uNUR?0+w{D((YDbZYwGBO@ZZ;J=RtgpFYI|BfX+
zdjoy{@02_VN_x$I$LI=8-XR75JH1Cm&EVo(IyHNS|0kC$OoTg*-1_RiaCP#VPr`Et
zhvnME9FKOxu}HCiS;`%JqTYabpS<eiS1&`l1#aSL|A2Ehc2{#w*&Bjbt*GtMzMzzw
z_p*>tH0*iWsiOVaaz3#qA*@o)_r1LCI8D?59DzIf!5M37j=^l1<JB&#p~dgsz1Gc?
z)ZgEjB<V^-j=H<8kKK`V$6twK7H>~iq|;r9tNJxOY#0>OV6Sx4l&t5W53EVMZo5vR
z=+yiUme%0!q3=EURikL`H2Z)TQP1NIy`~&1ZO#u=*7|MVw6U=vd&NJPw00X~h_r{5
zGdfRQT37P;6MJ3D*rG>St$f~h<$Y0>6lin~MOOt^b3R$hi=o_h`2A5mkIbs&9Ugsy
z?_GKMK<pKjauqa8eK(#{X``sFZlbk%VF%xtIP}eDGej0S+I+>z)HH+nl$43P?e@Lk
z(<848Nhj00NB41cE|Xu?3JVK~cIEx|KH7^d(sI>*F#hEIhY|D}_NaTdLeb4LFJ`{p
z^JFlBCDU+AN~VZf)G=}0$4C!LNW4vsiH`oU#LJloMGwOj!#wxw_y|CLv_aKh<1WFw
z3SyQGYkIlq>CD$SqTdoOGx6%)yXOp)T~-Ch<~peZwVJ4Ldq&C@Y(C4b));hZ*OPJQ
zk9Z~qGZXt%JmA39v@s~~kyE;2;MY#hg_`E^u!ZhaR+Lo<^*-O&`c+!;g0{o&i)4Z8
z(Ss&ve8n%8*KA2q?mP-UrK<>AWi<nPp9Vtmr~7VhpDnYvo*TZ^aciemmxfaOb?iDj
zJwA2gc08E#@Rcr)>hE{$DyQIcd3JKJMbsR<2sb<WQ4nq2G5Zzpyv&tgP>zp#(4H7D
zhA3A+Bh*o+BU8}b*ZouLskuJ%oyXt`S*LMUPg{wYdHkGF>ZWns{cs`d>)`V<&y5Kg
z+Y_W3TtT5;-}e^ux+VsTo#Rx9Fp6iBDc5I{S4AH^CS}|zyS03BxLxVD{YRbF^BV%v
z9JDedaGoUF%3^q+;J-(Oq|8`(ijNAo9)I*BUA#!24WF5sy7-BFCB|0y#*G`g0nSm{
zp4<a53?g}hMSA2z`!h{p&+w)>sb3t1FBjOD4p_dEbEZ4-ZOc*cC!ULH_TpKln)xQE
z0bRHl7s9>57@&&(z}d2V-m3%4E%|+SuR0nZ2+p^+#?`A2t$mgU+L*=YbT#998Ul|`
zwzv&W{(2aeM=g8iymaXl$ClPP<>lp_Y+1foF1*wfX=Gz<E%D;5!4oBt=P~`iOUzDH
zY)ERGB@~OuMCdiaVaU)@jOpLMf6WNiZy}7q3LWrbx{Hei&;89{X8DbOvp(u@_AbVL
zc7X=8WJ<YkIE|LKDcy;kPs3Ig-87d%PLy3sX!4IwO-izk-?DqdZX6FKu3Nk%;9Ra4
zvf3)8s~9hNmvE>s17EArP7$^rVyMh+vH7O&QqZ<N$R@hF2;uWjGO8llMdWr%c%MpV
zt@3TpAGw|re-pE@^gzXj!2zi`oUEG(iZR?HVDx;#yLGXTnzLg+ZkoizcG%5?^U!bh
z>1>cB^S6z?+uuZRiSwiDv$u{Xa1HJe8idiS5tFt}z2ryK3$xP0WVsJa_(nM)!(Mq6
zuc7ZNh0=bvd&C5I#N*RdH4C5={WAwl*#TQ^j6GYAK|d5karwe-sE~X{TYr^#G}VN8
za@kdX?v}uvN3r4iI9kRkS9P=7#gYB;tqWvoBi_hp2#3`7!`U6(T{nIJ!DO8<nC~e6
zB*gu8dB^S(M*vmroZaZmM2)amqQ$vtYHIQ{RjQR2o<@+N9#OSzt<~sSO(PB>!&zyZ
z?*{NJu(D4l9YjVyC0s^lCe{he9e@$!^ia#>F3OLjYFk};m}C>6weYYYL?#TwMZ17m
z{xFx1zAmY4_SS)G@>@Bp314UByZ2`9G*)+$z!j=PUH+hQAD>cTewT7CcI?g`yb7zy
zQaT%3B%AdPv}Q|>T;<uGAI^H%P+i!$LEB30wIQQdnk(PF7(V`ZSbvY1=lJUDfL`(r
z8S1HdkH}#hr=JJA{^imysQ7HlcQ3d~12<{{g2c8xxVyjm<9Qp+CeBd}=A0%ClalCF
z*?to++l|qirM%SDlvFdsJ{9-bK%Fn8CdmrWHhq7EA1Ku3!6Lb~Q*17i96q&?O6^|9
z=I0$aB(ROm*70{bv%d9R@1H*0UOYY~E9c97;8dKTiiU+J6fK*3wIg5C=?Y-4JVmQ=
z@Q-i!3q;=yiZ{(~<SNE-4y=z!77MIpUU8N;AVx{4`3)v+$%sz>gn2jIo%+t~7gp_(
zRVp3uqj$QOwWAO>vKjiL<rhQvJk#0N6|Qa11+n82ndPmF)u?^l1-|3&zlP!U*;1Im
znH5^}kLl#pNe<&cYgUxsNJq^*IOph1&3A;YvE=p#8jlyrtj}wjZ6?hF(XMQX_OLfc
zmV2z6iC$MyBp)54hS9w$F>3CJACC$nsBH5(m?CfI&r_+U>wk{q)-j5;x+M-DyY-6s
z_Sh{9vtrk+5M~COr9LXB6CDeOL47D1;Afzf4`$M-dKs!OGVI~?=9LjFEbjLc&-g;B
z!7tvj-}@+4mbiMPZ+1t)=3d$sg}v^yrRKI{`;7vU{PLzST5=+fzC2G(Z`P0(z~Z77
z7*y<CMoGC^eT9kLLQdGes0W9-DjGMHxj+e#9UZPMfE2f1Maq`BJ+qwfNRRH+r7ezG
zCi@Bvk2TiD?A*Xa&jp9+fc2`oPxPz8SFZ~z#Ls>*=fLcGe^GvGUmWBsw(Z)ss91I!
z2`sPIF^BVHXOlOk28NxyT;LsN_^1ev7or`$UCP<$vn$l%2GDkOSTaXS&PcB?evH4=
zA)O;1FMq#52=$x&lWJhqC5vr0{OWVL`RC$uZkCrFC<nG=5^G9tWRuZ%()>}z;^MDq
z2D~xf%77XG;aqM30wPt8oq;ewY>puDysZE8V}u}9;l<ADuU}<@6-?r-&00bSI|&P(
z4Z39wRNh$>H?f2og)RZ0nZJ)>rElTMx0`b8JY<ietsQoTe|<2{+;vco4ZPttS$1&w
z$L2zub~~-tHg(FUKps`;*2xCVd1<}2TIV6(IM1xcY^nI|xL><D32w~ZL6W7iIC=BK
z?w}S2IRyg#`lG{)7MoLP+TOkgoEs!;s%dMqG>bd@9g0d>G=Aj%BHME(=6<86-1FVi
z0UPFiHSye>CbXk`lCL_p!rGKyY-kv>hfXp?ZhJ?}KdQ+UVJua&b&XvWPS{%Hdo=cV
z-Qz!W!j22O37n28!$K#H$l=#Y(=;=%Y!rkJZ&^0WE=}ojz9Rj?TX)o?{j^<`U;1)4
z(A^TynVo^~2t1c;Ix2s!NOKd*w7yUhtMWxI4fzBnX;iCo3vi4(yUIH?`*<1wtv4Cp
zx_*=FO2?s$sGKEUK!fElvO`KrxOnDPI>#sd$U2I-FLmi-Qkn&cQa;8U$fpSbV^VgP
zy*h$LYc1EldYrMv%L7vTtc}%!9@7zKO1-p)BVNgYA&ps5Q{%g{gad`5S^3%^esZ^k
z+RD}EQ6zOKrwIYpW~fu!#aY?NBX>^Xg496hcx)qo*m&que#VNs6E4!dPF1U~c4p;y
zD6E4owSMViPi=9_Ahx&m$1paS9mLexWMZT`7WT{KO)PtJ-Tuc?tzrDYIxn_H|F3Rc
zZKjJ9uM7lr?N)PmO`2BQxv7jW+h~Qx)s{(O{;WD?oG3%1E3^BZZzwm>qMS^X6izLe
zO>MbT4}B*Q$>pCBl#D;zk`jI`d7EC-f$5WrGCEZc-flvammCYRUBn_`VB(|s*7e>&
z_keBBHWFOwJh9*QmlkVw45xEA+q3B;eWi3pPF0kNPkL0npy^vHX_1we@GbT)EleiC
ztr2B7X*k=d^`|j)1=p<k@QUYhMw~MWi#EeieYEjzYyvF8JOMO#8Fl&a&T=rJhRb$W
z5se0M4SEFPYhBq@Piya8^1~^9wxO^p4Vsf3*;<!%H<{pU8koHk@8%04j{CTv)F;u6
zCnlejv{A-cX3QGD)#ffRr>QxN(|_&ui#aqOm7e0Ebxf0_2=I4jP_LS4;yVwKQt%KP
z%8$r6`}=%?k~7DNZNt&8PnZAVcoIlMY&T$*XM|Le?{NlN){WdeS&KDanD0DK^815v
z*?Z*KU+rRPJMkDqYI}J!Cu`87w3Ze?!3@@7ZqIRVDwb`x)e?0gO~uGBDu<2hvN>#e
z`@Em=<Rf=in;Ou9$8lL3z9qpWkeNrrL^CE9t7^2XT&6erETdWHw#DO{s-nvGFDFAs
zSx$c$0ImDu4FEqo39K!Jjl%h)D)tL$fRD)(rbtA#tA)Ij`~t4N`K1OS?#$j_tLT#?
zW~I;|7X2ex^ZA?a+2JA&F)PitB`_55aKS_^d}kw`H7&2Z*U)&IZz-RQ4L3ZqhTI(q
z6-ll_luHCHYg@ttwqh(L9`|2a;pQ!`M?i2r)kLlEk*=jbCkQA3osd9_p&q_E<!Y^`
z#UW|Xq1zlk56!CEV(#ng+*;gxL36`!!oACXwmE{xk5n~<whX9735UbWu0=A|jZm5u
z{IpWSHHDFr7pT?CxCmfpzK4>W-9i@rV4RWv+hxzyM!lH18W;3ggI-_q2pJSqfUHsv
z{$d2%$~E=l(U-l<(S*%+hj2W&YC9yz##Q2Oq@`v+RKsx*P$ML7bXH-JKc^rRk4|7!
zY>|{j)!j3)BVJCFXwr9KNw|h}e(XCb$$}L4B`(;tg!zty%zjk{Vzbr)<dZ(7R@<)b
z?w$rTTkrA~Tl_~73?ZZ(|Ae(p-5j42fn)Wm-ge{OjtqI?z-glQij@*}*YdUA+6nhP
zwH%~}d_j}HV|xtz)?~And98b4ML;DH7mfPb+9{L1B;Fz=#_~6yG=4=uLk4N~@ZqzS
zrrl~ah}1of64H0%dkKifCrX+-cLr)6I_1~9e`WVVnCpwK#7n+L6)Z{{T!30rLF_@$
zsML+Zbt|{l#c%*(ub2HY1zDh==Ah?Pj1;_kM&2MkumVLdFYTouA9ow`7f5S4et!Ds
z#1VxZq09O$8n*g)_)7_lu$_Be_dY5Kw@0TL^5U-OBXyNfR(a>0tcTIo{9N3as>g<l
z1{^9x{Vx%DeW=5lD^e~YzDz{nq_qT<+5=t&V^cJppo!w!KQZ#@<!$VwHy(xPj)WD4
zu5BeXieT@?<HsILKxT!*FtR9D8Idue>V4p~V^%PZx3RjY&uq*RMDQVfQl(L{Jth3K
zoCj0$$J3*{5P1yLzME$ra&hN|NIz@v&RtdAXR)nsXDYp!QRJnZ)$c`kA+H?;fIxCu
zpPc!s%T7`E$9Oz_<NDQ+VM)kqS}<-t9Hrl!iEMiBTY=FQ95X3|)rUN>?s0e*>&uv1
z!c0v=4$_RQttRy^z5r6Adhd7&D4#H_9qPThuISJ7YyK&Y#Ba7}<K-9X4nXW}mA);K
zRhz4qm7r!J3XrBfquCpudesL-2bB%xiGZwlZ<ujm-sfv=L*2;DN24O^Vki&mAW-Pg
zdOD^CGcRYlYQ_~Rl0emMTvJx5`M(pvL>1p>zYedVK`A*KnrY(~758Nf8<KGG5Y2^I
zQfP;Jl*k*D+sn{RG#hocjK^E?98hE#sH&_*ens?O9uJ#26xK<u9jS84G+7oR!$vqX
zy(D{fo#?v*16)0F-h^2Ia|up=<A$o7_u4HUUaGf8X+uLs71CU3i1xO&bZK~8_@K5Q
zzVTh6d9VQBdzn0j<@?ZkLsm_gdcfYsq(hp7y}<~C;y!psil9y)7ka*fJ4Lii8lZvv
z^pWRR%xG%o1i&#mX=g?kXtOwR0gq;vA;|C8<kVC~u0&CNDqbu`H5I7>)xUQOZH*xh
z@8<=scoYI$G+ip`!oYV1O@A1~UswftJDC!w)PR0=6NEwf%9UX)$++Ot;ov(9+Gr!d
z$dvL2bVfX8^CNqty}hs&W^nR=HZe9V;`XDukiJrRn!j~IIq$70;;dshK{=_=%U&Gt
z)Xa~$&jW<;Qa-je&?=x)W4O)SJ}dmH3aPTR1|Vl3${~Q78B8?}0nZZK>q&&z4+rn9
zjmEvL;KtT)YXeDxqt`T%1$3RRFv#lw(9160naWYu&mciS`j}N1wuE_ddRmPnA8HQ|
z4Ur1ZGzBL)UT=jmg<F~NTdY(6Re0&^Zu(KMy4uqK6kEm;Xc#pG;;wNY*CN@T_7elq
zFg&1kFB%q3WB7~hGMCedFi+T1gR6yzIldulCiMrXWgBJ#DA6!ye)-nc77>I3)C^#S
z2;!Xt@P>E^mS+o=I)?_(2e9PdFV(OSePq^<X;%4Ct0G%~ij1MXrs{vbR`R-L>aEMF
z(FG!aaGY>-2wALsJUAQXP<w5zGMn2;$T53!8zdTWeBTxc3;InB7376TJrcnBau{gA
za-x!;GH!FNWxVjaFjg2rjb5`b`TG?f#ZMja?BdN)^urh>9M9CebaR-l=KNU5=+%!6
zi?-ZE>e6mhR<Gu@K7iU^B`0kGvK#^Lq1QxaieQBSs;FATwYyA(!dgIOi?wVor`HVp
z(s0~(q#6kZsk5mJj#3L~^}y6@X`z##=-i4hWTX&qe$sdD2xcFH{}jU{<kEd0Tw)9=
zK!&{-(2OI{8Wac`EdCqfT8*{7Rsnnavb0MnNowEjqPLY5_1g-+2a<1_K>PY3U%@_g
zwQpk#pj+}V1O!5HQzz|O6@qw3SqmRSvUyJW=AVwKW$2lPBrH8Odj+FJX(Qli!d>&;
zY1&XCZP<+D){0|oJuL#X5oY}O?#0B!s%QaJ#?ae^uU;T8JoZA?<b}v0U?xx}z`C>C
zih@KJT|g)O6Er!L35|s2P|eG)%i@mm6-sLLKsVc(?}!osE}e?;63G5XD}}zERJ(9p
z%@ko)Tpr!$`%nt|N?y^6D=dLTbN=t``0fs%Q5(8`RK2GNFhztTp2X0-vaW#~ruPN3
z^I=s$2l*$(qQl8mU?$}#h<ywb=hF;`CN5ta=5(D@6io`Jnes5jhds?|G?yF(R-=B6
zmelKA*hN4M&W0wH<}`p>GTmzRi~mp4MOA)4j)B><JVYB>_=?DntqiGxcLc(hY7tnq
zYa`etm39Dv2C?sBza$8{>UB_ETS5}@l3x;3fEV(&*pWd~0JucpSA(O_t+g#O00a~?
z`LBj`IHNkiFMzGz#EPP=JD+fA89=$MnSew$=~%#Uc=i=6hKq;yI^#V7%m^Q(!<wzY
z3f*ei%R1wy4qngc3A&Z8DhVl1E1(8h{x``2*wR2~Au^s-O4JceIwEbMW$i+*xxjsw
zOhA6DIQL-e&(#>Zo)0!lKFapg7XcbvVsQtfsshn(?xF<jxzdm-gy!p=u0eAcWmIo!
zQy&M^WhmiXs{r9VQpSB3y!4z5?$6qdPH3(FzB3PYRtv9mHm`JqFhGJj-*IT4(m8?h
zY_49&!j?=a^9st!DQ-%>CBNi|qA_`@NRQL@QGuO>h-xFHmc!3KP=PjmVl-*KdR$&z
zU7b4dvoPs=jRYDD@(MUjg-e=%j*gBa4D06Rb~89tTI(9$&6_v5T$1S7+1V@4Ktn~J
z9`Dm)z~NH>_y?msqkIr31)B6}M?AF|RJq!Dk{DL*bKXR>SXDBU+eoSLnrrk`Ok)65
zX3hNYJxoIEu|1KK`go?0K~_%iy4t{R16fcN-|m(m1V}{n-ozeQ&@kQl9`MP0HdlR2
z3;vh$391`q1?2gCp#lTK9XmsymAZ#ayCA9aK2PG63SM{`Qmdat7>iL(MLxO83TJ+9
z4Y2|}?H#!_geS4QcMn;h4OQ0ON4N4{gjZey=h-Z0EK&>Y=mL<wvBngVZOJAgFMm)P
zV~W25l}~#$mo{lxf{wQ4s__Q%3i$~s9u!gRmj?>}94~5Z+rJTkkt9sb$Wr~ywJ^?d
z?XNS9k1iNssr&{yYUc=ub%fm^0xuwD9L$IE1(fl&iyaH2UUO9=W+x+qqr$*mGm9B?
zJ>pIkVh&2;8cGBpVM}9Q96}I#&ozK>q%u;aGdy<q;gg~3m4!%R{CHA<6eFn7wzjtq
zw8b#SNtc>c_wG;=6oXD`4t4*=u}aAf2AbMYc7FGQ<Ocs7TC5Y0_>__lDs`8gKwJJC
zN4h1=bVDc%IGD}$m;~Y>;Dk!&WOJt44x`5j_5iN&{J3!+U4X&uF=#rThBwwA$K3w<
zg$mQt)4xZWx=xec`24on>}7NTZGdfeSJ%?c^57p??v}r&Ejq0itnF1H6(!jb-8s?Y
zm!}%v&rW7O>2%D<&jySxw-gqhhOhE+)B`^<?!>6aGFg3hkYlr#_;f5G^~u$~Q|8ZV
z?5f8YFzr%!YVQREfTe;T<UiD-^II9p-(m>-O^jWUHb2{W;~^JDw7D>1Kn9o{8w{ZS
zyR3As&f`~6z6a_|I$A1i6gQvvin$cLYQc6fO2+fJlph4lz2qPKD*94bAD&}QZgzPs
zQ-+W{dnv)<btxh3<2UMIsi6p#-LmegRk4<^U4gqY{Im=19Hk!ZBa1{Mhfuxm3-0ow
z8tq?>hv@krrmC=xSmvik+#~Pu*TTS(OB$I+&E=Xo;!5)K&vV|~^?_$hXH>Pl^kLF(
zdiA9%)s?J(D{pNQu~<7i4)`Nu&_FYHhm^v~m-PL6GTsbhYrhCpGjsvLb?ZGu6Py&Y
z115olSZy|5w!Yq&?()^v^@B=H{PgMMbh@neg`<WeYQo9O>}p!ucol?M2_wDPa;Naf
zIt;D4v<#c8#g)aUsJC<s#tQctQlordxm1%Kx|<!QeK@=17saEAO8HnpO-NaAPcJ{4
z;Cts%Ccp0e?MV4$048dUr1i^jNO$SSk2}?=+bMw|l_-t64mSZ*&l_H;zBj5-8Tv?h
zN@lG;uIz~H+o#!?ncCn2hr^enSBdRcS64}nsAd$7$gP^X)Y-zjJ$|x*mLfWOGF9g%
z0jiZ3toNkjwtvL@B{%Dg$95LL!Y?`y*g5<Z{TG9-R|E@<Gu#P@kgV&8k71YdmN2Cv
zVO|?<RBG$XQ0;zLQg}*EYpB*EQ!MMzKTrJN<=1T^3v-QQ0;S!1Msl~~-BnHu?HRbh
zMs`(MU1J%4&uA}WaY3g?>9+5D^{HEqRZC4O+L4a8&<GPD<I)|mVk<ZtPSu?%CY5jl
z0R@Plqg;T3++COnM?u<*bj(A;+0uQ{0*TQMCqLp+IEEv5z2?#u>TtX5VaoN74R-lS
z?;h6>DwU`B!&YNzyr;aU#|AF1d5_vRhYsTQ@)W&IzHhL$QvT}w^K&ATPtP`2&Zl?i
zhSwsiY{RE8a$3omFWC&!h6OECmELKTJD(<<6*oIOJO6w-J+#7zVz+O^{)T9VoWuIE
zWCl@1hfFZmj%zpPB_saOn^?TD69Oug8c*u~=)X7%aOVg>y;W|w(h|&OKI@%R&VkEK
z_*N>ewL0+Ug2%MLe<y*kYfBkBw?yprw~&>cUG>ATOI{vUtGL!TyBAeE`CX*=TR_Zn
zvB{m9*@(&4gN&vAsQi`f;U%Nf2MIz(`aYqAgp{ArcUbwKdsYTNs4-V^CRhAXC(CN7
zm5NYd2-Ad-+zvna3WG?!c?{_+C@RVf<UXvE;01z@tAkf>XmSJW+*sd)7!pyYgSr_7
zQR0&+UeN%eSxWNejIWPIY%cYVdvPP=TNf!AJE$Mh%yq_OwU*|Z2Q&AT=2L!i7PaOi
zcd#v!>}seQUx=Q6IgVrWxF%@X-pd)hUMW&oE2S5!ZqX1hDwEx_d)e11Dt{A1=jDB<
z^|sqP%(+s-iwu61?RGFbU4T^l*^gW2G6~Vq@WCqIxTmExx^Mix(5!P~4|L`#5*mFI
z`fi?yw=N%6I4?#u625((re&+1hwAlmZe5R*KAG|=(Kk(yq`z3DDYrp570H55ViOa{
zj~;u$6SG)4c{{8A2=c(s-S^!Z-MWCh`uHAaL61o-^;(f``mq2nU#>U1yb5`A_xsAX
zIf8u_do>7pThW2eF-p%9>pSc+LD1Jh6Ev?L1q9Rq$dKuts-lVuj!;+MxAN-)2@GO5
z`bHg^ZvM@iIYq?mS+AxvgyO5`G6ZznV;V=#pmE}WLlgJE78YEt%HP#AEV%yWh~4xK
zsOwNuv5-b_#RuO0ybb(~(0V)jR9HQ$m)`j0S8eo_hoyl;RO*HcMCpvF9lKS)A?TR*
zeh+#n!r0<Hkzxs*68s$xf{js0eO}Z>!5Mj=x#jaC$s}qh#;i~-A;WO0X?uBt>zb4O
zLFtS~STdlman&Qnv#D3Npz<wp&W%HUJnH%#lm?N-JX15u{^c7#wG?CiF;&>s@NRli
zuDxPpoiw|}_%t&Z?5eiCeo-9Gr=8Xtfp)&}FB;Nqk%6l60cTp0+8Koko2{gi?wgEl
z<2dQxmW>W)9PdAF7i?V<(b6pP6G*R=sCZSyQTo>F@ImF#UHXy<OXcqU<U#Bj+%(5f
zYjykHK%RM&T@b-pYb-;{Z10bO#g?Y5iBD*kL!Y5ZkDp+PqPD}Z3!yqJ7v0LJA6<}y
zJV_=-pFbGuL(p(4PKaUeYQfI5LfItj?&sS=-8`NGq#*d3KIxfe0+Jx3`p{0xpavw4
zmH%w)i4`SH^BQG5HQ^5>U5j6L3=Pk!brew&#pl@<wFKKW$<f`^t&Hd7cE!$Yy<U{R
z?y>qgqjuf0X(?9d?qxhar7tdJyZm>IhBo!jl>Am;%MWsfzL{^)fM(hAUxMdztRchF
zk!6*Y62<S|-|j<34xU4HXpequ+)!-v4w8<yy?5yU%fQqSc3Yf;qB*#ZTjkOxH>$>o
zIjtL1JwoMmD*eBq%z`xWTfx_O15WSO1d7aVl3I97AzOwaXQd;4UB__)M<CqR(zFKa
zytOsY@bCJQ%zS^`=tx~UiSsw|SiWgPpZ&T3FOl)ZhSo{`kuvkb@H;}UhUdzHi@~pM
zPQ$ZWV}bo2LP>`H3Gfe=dFIL0{9jIF=~02X1kncFQCo|AGG;!zy($t3r*#_B8XNLL
zcK+A%54?<C9I+)E<>pTw6YOVRH=RY?F@S9e-4O<2=`@F%Sx#)wt$OU`h_8r&FJ+g5
zO`xA^U??=Hp3<pj2tsjM87h!43+0Lk6Qd%ei99Jiaddq%8$;c~2tAfA>vrYdMx5T)
zGjm1Rkan~BjWFJ0e6vFBiuzsn{s0nBY1M2wy7?V+eEt?^k}-5lt<KY7{dQ_EQ8%__
zmF(5GcAY&p&JUY?m<=c1k-z)!K|EjWgyWN2?DW$X_Y=O6WJ~^^8cX6EN{oc8JU#qe
zVah-T6wPV&Jzt|HXzO-e`|a?~i+J<T{Y_z88A=`AS#K3T;f5PhNV_RJh~}#P1iwxC
zYj*<_5MUTAj`W6Rin<w$8$fHPWG=FCW0*q2?~0CqDbqvSPOt5bVB;A>@^nC|R%xTQ
z?bI3fulik{;w|Z=&bhNAsn}Z^GN<r$S+7(BA!oz>b(j8GGtR*`tJAOVknL8U+@<Dy
zmTY)ZMVyg|Ro#|y${#w7dRMbTl`ZWR87;JGHx@gp4!eDo0^J(L3hgBBJdd#kd5(A4
zFA%kc@M4W^D-a;QW`qa;b!CyfkZ>X3LNZzZ7wZME0s7?$Q9Rg7jMwE#>YuZ^GPU@1
z-V!zBP?g8qcFewTJ9X3Px=tuds9m8&ozA`NE+234D(@!2vCdgphI7Yyqgs_w#)_!O
zY}&B-a%#3|QC2S>G$v4V?TDM!xE}iE4jIL?rEuA2HTXzg=HrpvPxo`l6wmh-$pfDT
z-!xTm*u7Eu^pVceRT5uGHaC=&<ORsOqvrpr;MAnuXLvWZfO>$NZR>!EfC#{cI*@Rt
zF3f^K&)#fI7gi{*g@Sg1WYyYbv-^vKOKC7&`GKc`$Y@pK!v(gYeB-G+N|(UQd-Xd+
z59)TVCpYeR$-1qo%5L}S$)ithXTR9is63xwt*qX7zyrwXO}-gQtmd!Xk)@wHNxSMC
zkVs>3EL$S$8K1J4`-ZnRN9URGz}J>Vfy34ZreBXS>3dVbl}YjbP`|qJ6iFvNsX^+4
z8Da*_6y!&OHTr@x3j@N~8ssI%%@zm+3M9i&<r)ZuYiR-K{I++$*E$KkoP;g3g;-rz
z2HEzk>m-t!FSag?%TmrIvKwP>;}_CRMNj^kin+r}net(9Lm4#tLojN~aZR3gwkmYK
z_Ne=pF;z!uU`P$FPciBh$(qNrVU0gz7}^!Cd4!fjG^`=Ptjh6rqjif{tAqS_+%01k
zM(@T*kF#};xQ44<XFP>>jy3&m*;51fKH;!Fu7-{Sd3O|B#r#ao>WgNp0|!f`!wjp`
z^=Q8BBrko_T<`0eW*oe;(bme!-0ac;6X$H!>P`9?wYQV2IF&SZKLx9#PM<28pZ?`D
z^4iQ)MAsd1v)Au6=s~9sxF6J=k?27!-%J*5_V*UcRpw75;;^fghX)TD5r51NU!^Sk
z@`LzgKs@g0t32d&lJ<^(_cdtRTV%AxK9z9VeWo?#9}=G<uiGK`{N1~Pm+tO+>9kT8
z!pdW`HBiY5865tnd!-;5G|fPfP~<{5IQh_cB;)~_yDAkasHHJ5_7Y|Tnel=_4qxX%
zM-TfwK7w3J6k8=dh6Gw4${9dS!1Y_yYaszamjwK_u^wz5LdkmWiDrL2<uE^;>F`|7
z&mFW$fa^hHTmq09rS%$QsZ(2;c!%kta^psgZyz@GUo2=>)}K5JLs-1o)et@6h3^xh
zDt&{!!VnLC)=k<}Zs2&w%=a&^7yBirym-l6;Vz|Xk**`;y_VNf_`tKEE+anW0dsn*
z$9;o;gBaii3}Cm9_<2D%VE}3mplo4wDMARi#5$pcUIV-4<Vh>rdTz|s1f9N6wZ$M`
zWBdPSSb|tlw@L~P*ym7bZG3U1LZ!s^mF$`m*$2~yA<r#O(@FzR89kR<at9ChgI6^1
z<VK#m3bLNdPO`3N)VYWTf`Xvm;kO*b)E<m*nK!paJu}{15>os2Z$KC#=<cy-gC2VH
zK@K8E0wQB;Oi{Ae?2{do?41)7k>ZP$@iwPX6YG2Jrd>UNO_C54elG#{E2tcJ1*T|F
zF{A+pmDcqPO=|E@96_cco(N|C7nKfEgO@L&k|4ILB?Oc~RFB_p=Py12g%=%|`M}ak
zHAwRkq%-l3EeXthD<}Wi?VjatoCcF0a(^xxD{g7yM}30l5^*t#=pQoM#d^@qz|`o?
zfT*hE$=4-02<IJ`yLmsEsrh|9A)1^w6WSQuKL28~e<jyoA}$u5QNK;v=Axw1y}e>*
zyW5=<w8A0M^**oWm%qTX1&(Nos>Hbz(k@s|Iw)7YcT7RfV3FS;onZ7q1Jo(V?}4Jc
zkTOI$GLi?lq}0gETiy|KO43`B=c&H)hnZtcFPl@LL(Ads-B&Ora{CzAL)&>jWXQ5(
zEaC`8;3*DVzfrsgE1&C?I)RuR?<FkHv{mz0b3hJRY<}12@X4d)gBHg<clP)y3lEAh
zIFCwbV|>b=-v=<l$+sl)bDEwW{#{u4NFolJQMbS)B6t5O3|_J#%DZ0jdWrs<0^F{W
z58JOjXupzSWZDqONS~Yyhs#)Xc{U=5|Ido~Ka1(Y*+5~v@gS!07O2Pl6I0cBRrQlx
z?Yw~26u77r)n$A?FLs0vTYb>foI!7*W)w8<Bo5wtF&`intV8e9sQlnlK(`q1%jN8q
zdtbfssMjZhKg<4=t3&LK2!_d{5#clw{{!L@0?gen3{kq@isgl`PK-;))u+AnhsfA#
zE9#E;hNP^?*}w*bt2zb62gmYLHwxah+0%Woi!uqRkO)+A>Kt=HKvWJ<35%zc4h6_L
zzTX9ixjR)9pys!fpM=!0(FR&?egOqsmdwF&#FOoLS6;|tF&zP*@BM$hr4S-eb$;>*
z=_uK2cJf27_cg(6b8x|@L1S3yh}rybY0+~lELZ>3U#U=h^JHZ0y2)uf?fadnY6Wya
z#9mtRs95@XAdSW8ckmO}$!fUV`HF_;47lRY2goZMtzhmhr{g(@2DNd$2E<_XWGc>W
zb-zC^OH1p+4xzY4mvTR8;9cReI#lBYL<a80%DX17V$Yju*OVgBrHFF0c0Vqy2Qd|>
zHX>nS?*K{%7zPLSA(A6u-}^XJpnl46s7E}Z2vO5Yen<4lw$iyrF7oRCB`O=ixZ}Vw
z2Gq7E+hs4hHA!+0{o{SDF5~nO4H%@0RG`5i9ZCKanCsrxsODe1IdD(!#2Xyduw6$d
zc;7*)NIZFx|8n4%4-w=r-V(Z><rl`VCXkQLR6tK)wC8`X=iheNGZ>gkREKgGQhd|%
zg`{ioBvuW+YNccOd@G%yfL{N_D7}`bye`_z`=F>sqb>Hf;iw%g?6UwmoXvZ4O5rZF
zzY%Pk6~~SwAvQ)nx5z)dR*E2Yd?(6FsAW95Bis022XNEUEdVdzD1fD86qU$~&wW=c
zo(~+fWwh=D6n{MxHTOL}_B;fG8JRZpbG=^Yq>H}uX=dekBJ$%8NyxHgdSGak@2CA2
z<-V5C=|V>&UPcevccc!DLpXOiU~p{bc^MJuHej@qfLYV|Luz}F_`l&L5{^yJGEz;E
z@4+eYIixqmR^=L$(=q`+WITs-T%I1WtfOk(ZEye>!H9J%eb&d4Q-n<*?l8Ck`lLeX
zSeyrYQF!?uU7hAShznR_r+RWyAFD&R#z(g$or>0qS&jTw6^iSQy#&9VUZ<b-&5bT?
zaH!hvlsmt?E_cjg^Q&%66VI;osYZ9a+c^zD@&Ia#cDhyyCGx)Q!WkxYn@NXXSf;xi
zr}HvQ>^tnns#JJ@`Qc5e@#EH#E<(u<uzu0)J@AgVVUaryA*!>djsNM#YLA=PmGIp&
zWs$WNiOZ^vfA(oohm21!Rwq85eca9}u3oR;R0pgC?KNj0_s~?l|H&<r|2vitZ${13
zyTnMCv~Ojr<9=8_uE0DhpfNLWl|*nCMv#UPqWJ*E={%BWHhUk`q2l)@-&97MsY9z7
zEWwW<B|@^B<5PT%y+}M1iMP;$?k5dS#6mK%gR-8zeE~_I)5N!vD56oB>lf2!(Ga69
zrYi-p&xzX6#xt-;1}E|XtSm5hYU+$H8JBw>Y3gqe8#*>W*XryQho*y_>Y>RvrPD#B
zT~HcD{%?U~HuRci3a-EZwvo?a3NxUibuT}=F!eot%*<#Gjo(_`9GvamOas^QP~$zB
zI{3G)L|kIEo!PS2m_a~<BuBkn5a;pPo?=nYSpsE+;0Z*g8;RG?$Uxn_A^9gm?G6Sv
z@*uroJ&*-9AWvJnbheEl0`p?F9@MrpFLX=D?)#37gm3#*7D*2ok&!e<1jIAAw1Y$d
znEBknL5aa_)E{5YGW*x|o^&51a*<eM+4IwzJb;Gas@<PIlb-lyA)|nGc3JNdWvE!4
zX6>Sdlu$(=WZ5iTgx7t2_Jyg}lCVhM2WkxN(7(%Wqx8lzL4WlX;1aqukA(;57XP6>
z|4dNsv3}1(mWIa_deFtveNFtwUqq16;1$S<l+E?Hta@y_FiO*etRoiLo0a+Zt`<J`
zq%-$|DPI&`F3Que%1q?tM5J)pY@6h-MNw8@qU!uw$&{s*8ly#Fv_Gfe`nXcwpvxI1
ze(K<zm4EIxMYM3E=BVxT>%7d7sYTYxilZD$=$1#M=4f&f#^hc%&5(iVf_azh_RaP8
z{@L*77KP>(6WK)@FFH1VM)EM)t)v7*A#M)70#~BduCr;XrBl_Rrkoq7Cl=D@7FEvg
zaxB{E-lJ%PIp;NiW!aHf8@fCG0wsMT4hX_u^wsm`jN4D!C9t@f8tHRI;P&m?_t0wt
zg_I%|btA$bfr7VhS+H2_k3Vyukng+GuR#JMnEbE5yf#OGDCO=2(k1$3-k@pwsR0pV
zI3Td_NP&K+QN7ToVR?LNaTj!(51UesoAYMr*#_=$a0g3qh~LuKu)vo&UOlLTFj`*M
z#CE#ihqwz9dcu7BD#-9Gp`W{0`;0gE8<i8KHX0k>wSy)t4n@4p3Ay`~7rs7Xk|16=
zj}%c8d!%>DCsLqn2obO{jK1EP&+(`v?iW~V_J_eGC4V=9wKwn<F>RoT=Qv)~vqs5W
zia6WiJpZf*i$H*V9T$NULIJ{C(NI$P>>jA!$C}oYoW1wk!~8*kf(u5IuTPGQ-yiHr
z{onu=J_RJuSiDH}Rypc&z8^h0wFt4v3Q7m*&nv>G0OWX=OS)yA=7gCtg@2d*)CNRr
z*ZMjn-5!kkK+da&%3PKN(g8kTWQ?!pM&~Y>*Rw>oLwWqyIzwt=W)yTV{<nSxANGTI
z!T{yd#euSAO$n=hLD`|Q7jm}279q&4Wye>rP1=7@>irs6il^GckfPCOD{a`pig6<g
z7tpu2GPrc|-)0cfd|kBxUQ7tDK{Oss(Bi>Hb=~X#SYlGSIi%aAaD0`$_UsKGFkLv{
zKmCS;@dCce^5*_6`C(z{nKSTVg9R<`dKjoBT5kom6R7ld^S_Z<?l|QEn2RjmkmWqe
zNFMzVC{&>#Hm+7t#mIuz5o)|=Z!;VKsr}9ewES_Z6T@&A{<i)ZvfTate5i29rR&Lx
zoB;Z!==3ufd>u($NT2=I;&X-F$Pj|%j{o&_#Yff%`2OQJmKUX8Ts|FG)I1O(BSbJ-
z*zM@RjxcKf$oP&%ur)|!3jSwj4DfT~0(3=N+b`Jb!Cd-tnx9s}@-gMbrH1#`yN!Go
z6nKC(pGMu|-ul@@Ts~tQqEuAc0qjQrY8j{VMcRx5A+@WdJ@=H<D-04|Kn^pQzqBG@
z48OpP;E2IxQ;#1PfW)L^r`Sb5jt}$5NZhmc>v2A&ZCB#4X-i&4XG|<&FCFvvF<M6f
zrK^xXZ;!*1MrQy^(^>ML{=U1e306;eA$_V^Kx};co_2vY%$(BUZz`|*@!mQ(XTEqq
z1FR#O$)PW{h%8Oj`x6cQ{ypH)r?42i36+x@$Io9qmbe904vRm1Dw6T|Bi%9{6ThTU
zdHAO%^UNb*c!JhpxRm+;H8LA}$_(zgiC#8j)@X0LbJ=Yz;AhZr1z%sBkUSIE&|Plv
zePfz@VL}M(9=NEP%_3nju$%;W6OZ4Hrxi};%BJOu{OhGP>gh$B24{snaR?6o<r`gu
zf}hp(dI}|qo{<mnzXqxZnSZ1z_OpYdBsspVS*9y^bX<?t6975jBKM%sCJ2XayC-h7
zfeF+EI;d5jsUL=*Nw5F?@y9cCtC9El`xsUjy#ES5X8unmNDFY4Ef021mh2^5n^7#X
zHi}L-oFvq5$qwyD1A%s)wtuKFxlqW!Y=pGP?t!2M)*ge0E_8vzsNjPrMSu=6ngd0%
zRtEmyrE0nlII@p@<J8Xy%-Ld@CaQ}>j?J~Z3n+>2*<RT+U%xxGw75K2lo<dpMtwf0
zT?vzDYL#Hh%Kbnk@bzM!l;_Pc#6`gx1w}6&abX|WiW;mJW>(4wr83wu7`_;NF!sPN
z^Y8H}2FFvaC`oBkfDoOu)a~RQjzc^fZnO!a>37_$sDJejj}H=!nJip{s;yIlIG4n&
zcWUFOnX#%|gIZ#SrkyqwUud=QubG8TFU)qVdyk-rKOhT2udz#w-@qBFLkF)4z1J9`
zTakKpbC>;wp2L869Fl<{l@(~+#w>}a{8y6Bm19$Q0ZM~U{5k)Be#IP*c=;({K?uxM
zC5tg}y)I^twJ+U34<R7?%6Ka}%_|Sz0je_)&Bxu@r_5JVXxyYZ25?nSy&-bsp@Va7
z4FU`7J^<S+3dQ@Kq03mLt0hd#7wXsY%6eeqX=O{|*C7IH(qLJ=-fWyp8qk(ZzG`<E
z3MNg>QToc-13{Zy|CqfT|HR)Mikq5vD?KP>EF#`4b3GNb1PEng3<DvZnXzIc6I?(l
z)rfU~Ys(piq)3eNk<p;fT=QjgmWEht`qP}KHG1(DF~B~8ekiaNv2sIh@@a<Q|F(l9
zT_{5)FelKTs{YlvY0qY8FY4TDc0i>KQLtO$qJT<zq|4sHYKBT>x9eoxdZjnZ6{0BB
zYlQ7>lCCQcl^CwJcG#tAyVfZ3hi#W>v|As-gF}2@^;rpvp(Hs|cgf&-NoGbyL;Ufr
zrD2mnl|=by6eAuz52tP4uw>-#`(;^G&{?;3EB!6FrE9v#d&;-((DmC|oiz)Ms=xW-
zk9$JEVYtV}f-R*LzhTh7ZDDj5%@D*CFZMUq89TM~U=E@xu>Ha2Y_+6-HR8e~RN=?5
z;aCL6*FC_G12TR%BUO?3qiYR5=DPz~S2(_DlkL|cFD?TDn!uRn@IZ(kA*DlC59)IT
z?Koo1M)@2h#t)y3XU1ke7^N1fuw+wGx(oFOgW1W_au67pJh3_Kk~v4MI{A$GMG_Fr
zSVb*#t2o90rV+<N&jsoWDHoG1fE^*`2Nmak-MFxF2l5!$^kX;G1y+ISBpaqF9tG#}
zDxJUn->8gVG<=>{=mHM6baPxLkWs9%lp61j+{~@dB(p41tWqhidqudNl{=c0PV#}3
z-f8DV>bY+S^tOf~E@8ZLw)AA}D=EorRxbO^J^_pQfZL_;^}73(hs<|bTATc@@Xd|7
zS#wNW9*x4a(D;10e#mWEFdvk7$VJ__=-S)ypfr!aD@-Lbra+sE2nM!Lt@aKsQx4l3
z{s}V0c&ACSD{5yZnCDFvSxQ3EgBM7~EP@gl7L5*h-7VTF#Iv)#{&;nL^pAVU{xM&Z
zRRK*G^PCG~&lmWiJn&dm5{W-Kj(HvcVnrkITR|Yz7L{x?O7#9%3L-R?b0hChBk9x-
znI0XRBKiX`h23ZNVuiQg=zPD^ywn*42uoWytJ86TM21M6n;S@Ljs)Ej?6z9uGXGBn
z0omHw+2(n}1?W&jLIqrA*y1I!Xo8*mF!pP3>!~K^19;qr`0^k3cPUdE5x=7nBD5BZ
z8_ksjgaWAi+_E#DC&mdiI97k4E)61@-J!UW!ht&)@d7svu+NPwxPkSa!!c3I2A?m=
zd$mFn^nJfv;3ekdatfS=;6BG|U`vT71*iZfLH!6j%zCg-`darCd&a#(esg@Z2Qg<n
zfUE%NpqJK!KZs92KN@EE&5E8dJQft`F4@z>cPY?SKwETdDi9eZfj`84Ic~uqX2*`V
zK9q0CThDZ@6;j7M$G+QaMSxn8%ldpOZppV1p(y2!<pUPLm`0OgFs%G}NX%Q1nn`Z5
zapY#>J87^a{jXmP%Q#d9_OtzywrXJiD-F$PTOJvNAiM+5$QEUsolq}{@jZ}P_ts7h
zKNac5lx08bPEpmVI&&%a@AfY#LWRYRPE{z#ZWPmG(O5BE$Jd$XhoNr9bF+6Ob8)CQ
zfX0J8V!f}J%VW%XjdK}e@s@;NBj*NV)4=%d=WUgmtakOuYn;I{G&6fpj^Kx`S=&#g
z8$KqOlXD%n(D&j3P^Xvglef;xcHJ_GmoEkTMf)q$kzYw6NYJ1r2Ku_c7C-fuhH2Q{
zbC)a`v9xFSRq$|vW@5_L=RF_LCNci;hbY{w><VB05r;@`>0eDe!5ow_x=RAPN;7oZ
zxdGLPi!Qp_PTzBZ7?7}W@1~c12V<bxuRngcoc_V(Lw(Tmo<O`fC8xl{<l0N=MEw$6
z&MegF(uq|IcxFJ}^&L*^!uRn1%6k`bo4q#dZF%8Er(ff~f1@pknyfWq3gqKiivz`z
zYn-bH&zw@ZU8a0RifD+mFAd;^*=R6)sm#SeZ^B=?b%yKM#)Jtew(P2;CGmipC7sIM
z+EQ(5R$zUhI>SaxH-zH@CrUHT8N+MGB3xTrD&D{qEb`4K&I3>>lxwcNv<u&wLjxy3
zAEa4nwsDt^UmdE-<EMqL3u3FlW<+7p53db(jhFAb$>^G7YQ<D&*|&wVj6L)oMB>jV
zH`8=+iyPqxj>7b3Hr_-fKR(@o)K;wUYIO+~+3^4%n9lcg;M9YDhRX#R(okoAYpRC(
z|7J<}CE?{1X$kG=TGOP4jQ*8}X~P~qOE9aMO2oY%dWyH!gYpe{wD8?un^*t?V~^4-
z8gIA4sE{71o4!7c39z&Xy{_q>`>*8<E+{B?_n)o|85h(<w>nHXK7tw=7&NEgE&(7k
zw3S7|4sQy&<kVP=mGddTkWsPisCH@RH*D|lXO8z|s-J%``>D>2hkc+TE4-Mqn(xsh
zQBi6+&uVO?_i4=;GG>v_Mi$?);Lhrp0j_J|8=LDVfF2CmxopFJX<+_1bhvbfU+*``
z>)!Hg-=5_Vw(KNVcGpsU22KrBWkew+q5H_y)L6E_En>bVFvq;Z`V`<B>ppaC@NNW~
zhvlzSenrkzzX1V_3L4)(2Ladn{mx|%2`62+$cSG!7!nQKJMZuSGP^GQ7yQwCMgP2O
z?Y$Yn{_xB&X+sl)z_4d2ENF?C=kg#k&hR342pB(3`rGBWWf=9$findsUU~ByD58?)
zBI2_h7=C@6@))VEPcXSZuYZ3wbdkH8m6XtcC>=>rn<VeJzj^(s{o2d6vs~mvW}-t*
znCCj!<cAh;ypXv=&O#A{mn^kq>cr?QrQo0u$l<rf<8K%6?ocOTs@G#;Z053Hk;QtZ
zY>SjpJdX{rlm&<KoT~ss!1lteSJ6ova%^7Z3y9x0+}0nAH?1r}uCiVsS_zYvsi!0R
z7UbKr>k~1{v=|d0O@({$IuM>cd6Tsu*{}0#R?;=sJ-~#Mv7F{^)wn2a%?e*1HOB9?
zqHf%eF@yHN=c&BoEpFDqdBSEen|i!$%4`s&_eSU%Ild{^l37EaZbA9=<OQ(|Q7eC4
zh5`E?2sJurGoPQ8J++mtdIC-Y4NqVLj+=&$^u((`L6hP_(5&YZU~fzhB-|94Fn5GO
zVxEJE9whB<yUtn)v*TlYGyCPNdr>+{8{q5Rf7I5;63Utr6`N5T>wTAlk{ffWPxUJL
z$36`HDXnUeBcI4^@cnSv?V-RKeyx$TC$RE&Ye_ygMi!>0G%mW0!;yrS832#QWh593
zID=2zc+k3<cyPOKkGJBi7VKb-v5|@EVuKScR8+Gp)EWsGaOlX+`(ag9uNu>-E%W~e
zUH*>u3u6x`DhL@K>Nl&`dJ64VeFi5gdH$q2f__nV?*nD;&q}<igqH`0?xWPF51;Yb
zBr{()PI&D6nQr?+UdEQtfc<*tRV`bzBU6Mm8kHD0fh+*Qu}p*79WcoGiYF^TgRYm1
zr4Mrf`?*nIRTc@$i3uP?yczNt@?Bw70Djx9-GQR%$Ls179CDEt&A~~K&OU_V-pJD=
z4CdN@Vq*66A^U}x$oUKi_Z`VsflT1c^R>Ie$a*=$KZwUoyb(EYTnT=1krC}ZE;3>W
zg5VJU?McszVrdV65Un?ml-x<zxNxbbX&WOK%^zgOtvmh#^R^5Tojm%-4|xt|zFo26
ztxrF47RIduFr(H1GSq2b!;kc4lSe}{W2Z0BZtb}|xPav4JlVWh*)+__+tO^gb2k{(
z^mf^m^%|sObCwjszwUBs)<?D(4DI+OJ#hW;3ZHav(I{_n(KacHu4Md;DA%**2l3cJ
zGb6|myH#P>H*bwYvrI_^0WJTgIew*JK>%Fo?<(ITwcL`xyh-Vqryln<@eAXU^(2{T
zjh|ecWqszHA&nm$s5OI#oQS1SbUYC^`NXDb#9F?oy7S=gVZ$jmt2Vy;G8&&e3ihWX
z3l0l2e5(;O%nmR@dT9Sp8xoJZgg!Ct3mpPaEj^9wKcO}Q$)Tu%nx6dO5U9&Fo{l%_
z=ANG{f|`&O<i8)JFunIJ#v0t4;7-G!@3-!!C3pXB;zQVA0ksThL68(k@c`72T9~VT
zTzZ%DK_LsW;C#Q_wsgk@zLAR4MDH{HirrSAT~5XI=OEN|w_xsI;!|u&#JS}l;%^_T
zvY^+dxq!gP%=c@2FQ_FUqlJC<^<Yo!e%8EC!mf|+@$o8bgUaUgQOPtR2BvMDy7)q-
z@AH4Zq!Dw`eUl&xR+yjt$kDL5v$*X0fW610F?lYf&<|eQ7mH{w#l2p#k?S$4vV<P`
z;mFdu_F&lksBlED9R?Sv+kUKf4=luR?`D_1?$2YHvSx#zFEaQuurTL-3Fc0xFzFKx
z;P_Zz1UEe>=VpKI3u<Ov^JA(v=^rHT6FqeJ|9Uy|e<<6xkEfK#Iz;v{Gj>@glL@1Y
zG4{|xDP)}%JJ}^WV;PcVEMZI}M3yN@B3pJUON%Tq;+A3T%yV(y_xE|e|G@Lh{4%fW
zd>z-!xg6(ld_M1t%R>|PP;o1u7yAgbS@TaJgQs5#LIvp?D95#G$7wZASv|1;1S7?N
zq0nhp?-q|ZQGqINwrLTVkWd$NQ1`uJ20<XOFn87O%IR7TdJoWDCT&2>)|b@E&O@Fe
zb}Tr^)geSY>fA6QeKD<LU|llxX>|}sVSB!~PBMK?|JxR4ab85B>qsm0QEJFLJjVGK
zzji-}ReSwa-%&ts{Wp1p&_54hl@L*LHoiDHImupCRmC)M)i%>f{)(jmT|=${sT+5_
zZiq5-&b6y81nxT&y5!Djax>o~?X%MWsWuDl+2fW?K}JYD|7tLGl{7$cDuugI{e&7|
zQEdvQWD4mtUj`-amVn!nkw`k9R@iC1zUwAMvlWHr-d8RTKL?7G-m-}~Rhbx5v%;T4
z{DXgFS>bnS!9qx!B1e`o@mO-cUPN2(lk*Pbp?8#0IM`X0o}7o?#h5(_AK;bsn->uh
zLBxU7i!&EP-;qj}SG(2vPE{QnDG}AA4_ih{=LZk|Y2`IL^>(ecQt-vMWM=ug=AvZn
z+xxY&+xx{CcB^uZKMkXYf^-dEs0!QJb6~)NSlB%De?1dGlg~#bCr-@aR2x1?jok_J
zK`7dPp+~8Z_i1ncUQsbTgw8KiFO^1~u<kq^01sGU%6=o8Ar;`IfeYa@v8m6Hs^}?X
zy|dOI`KbZ7^Nd|+DQ<>xlA0Gu9vpEx=ZcrkaL{~(zh0AmOW<C?2&sqfr3dr_?5^^4
z27Zm%yGA;*NV6HAy~z4&VFo^U{1@ouZl4GC*KicPJFU9_qdGgFob0*scyMkb3hql4
z+HaL%pq6UhrB@lv!(~6fx@P1hot72je5Poz?u1>AJ{6@^H6NG2^)s3uSLYq(+E#<B
z2Hai7x6y!9%rGwab&%Pt#+7{|hMwoZFUTn1W^j1gYU$}DD!PsZWC!H(@0ckq>zp^8
zX&s5%J>F?)pIwCGa=5{S2G<-y2VCg40f`6uV88(D2wV)}h(N9z@&w&$O-<{t<^Tyc
zjih!Q#Xw^G4{P{LiU_F%seI@)EM$%Qh%@>e3ME8I%b5hB68}$`y%ei{6%vE~aEia&
z#vM(Y>l~`N)vlObb6eQtPpisBh#F9Ff?kAVoWV|~-s6*osYXkBF_B+s#pTqK?X$<F
z2~Y`w+T#tF*K29Q5KtE%2J)G}!vVGs0l~>%isYH``<qW|TqG4XhYhDK|KaJNb%=3}
zMv`70N2o#GR4Y9WQN{8?Nm(4+^MiW!8%6nx5MUij0~>-cs1xW8LlE1rL1U*%_ft_e
z4#1iOQCX*-JMEP&9E!V}*(IjxS+V{Fczf+Qd|tZi{3R<3+!dVrSk<=WX@Z&7_L~(E
zpk@a&6)3J%*g8ow)KEGtDd)-5$=bI#2eT2doB7L(Y+G`G=Pd|bEMKRwt@ml3!>oCq
ziuc^+$mlTCSxO6m%zK@jjrmqYwpb^mQAdCBmX5z*9lkerb{^@dprt00^qL)C@U%+F
zkzxMG+K;f7_XZvGv9T%ogxD<L{}1R=EJG};d>2RhW^rD*K{~z72^?~jZrA-B`(3nG
z1YOP@Ob2r$l<PUrKs{l0DKp==8+C1doLF^UN+n&S-cEx~%(SaprD`}U((w`K-a@ef
zHO;sjV6%78HzvE~q5VXW-?7tb5$(V~p;KcE$)7(rh@F1>tgNPz#<qyCSu^*H^U~tH
zY+C^J{W3REYE+}B);An3S^a_(ug!>3Iy+vl-*<^0v<?94rAk)Q79{1$N}t|qsP1;Z
z;vy;opNw|lsiHVdPF{xF4IZ9fVs%<l@eT%Q0KgzMHjNKy9R|*P)$$k#Vc?{FX9Xpg
z(S@Bt<+nSvH?mrOI`i${h!0x_bYdMtKb=I{1SN8Qu_<bltgVr8%8(WIednVddTjY!
zmDhiM3pK7Bz$uaS%U~S;iWM&B%+4WxQulZLU&^YiFTR<+C*Okyu0iI{xpC5kQ5k`4
ztt^JqDQ%WOb@3^1Zp1}%w5g<r*g}*n_hik$cPcE+7k#_R-e84ao{;I3C)RJs(qPs7
zX&t(f|4d2E9L<XmL1TzRy9p_?ig&K6GNh+9fqv6rnIqYB@{6N$IiP@?;+^|2;y;h_
z<EO_F?L(Csh=8ub*a;Pvud&K7?6G_Hc18PB)0)ZajWz_8M$GpQPMf#gOsO`#WI6fy
zl4Z1D)ZLVk*Yfq$Uw4*-6dPBs71bU5=!HIhVy6gq4I$!;F<z$S{NQ<<p=sZ0f@ofW
zac6JQrf{9bY7R_D(^H)upN$T=MYga_)*i4dS?^#S_TI3XSAi!53f(GQe{ptR%}XIS
zXj9h=f+DX}hUO;aHJZu>=*x5-cg$mK8ea^2ou~LC;F}U4dO27Vn$LYou$aVLY>{-^
z(329Yu5;Hw!0j?RDOR=VVM`%PHCxia7QV5@&OtTt#*4^klUyTRsa{fOmE~N3naKI%
z0+nG04>(=$Oy04?+zYs<;u=3Q#nS+V0Y`{I^;O?~-*+ajArzqlz6^uTCX;8i_$XtF
zp2bvS%Gh(@)qS*)#()aSK-dx&;B_o9OFf1Rh=ZrnYk3S{D}Y<<akRePke}J1<%PmW
zUAoe8uItT^vBzop!m8CclR)P~XQOd<06}0Dza2B}YwbDHaK}rqmUc<eT%N1rk`?e=
z)~iIIBmSsYKPDCi2$L3rWHjXSE!KWnc0aO)`;95Y=f4C);%cZg<Ez=~cN7<Ct%Um7
zIQ)>$<goR#R~`|HO?+pgMA=Vv{_!->cWM3P7bkDx^8S<azMXSr;4h#+Fr5?<RU_rA
z)N`XY3WFyaw%lqnU(H<ZNyQSwcE8TLPE6RtJ#TCF7}*%#Q7^tYpBKXPd^Gcdw}2uU
zkkOaywQ0TH>l!z;W{-+@+@O$()Fy8?w5F5Qe%^k$zZy4P0c4RBVdV>{{}Jg7T-IKa
zW8Kl~Psv%AtvY7axztvViv)J@44+8dj5AI(+ug!&fBi(Yo%1aRp&E@^g=T=bZ0|?c
zA}ZAPcfs6bKi*C<%*$)?_K}Yy`Q$pZUUi6v0ZS&~e%9WP%01!+@Ue~Xnf;9-mE`(L
z1%HYgUv+QVaqp@KD>EOnV>c-;SlU}amHwFzN_=0J8yFQzTWV6B8M7}BFIxm%6?*6U
zcD48ZZac-@X3;Lty@FK9`151#J0f(NolEap&z;quT%q<|eo;q8ZGW!jmi45X7h%jV
zUp@&?$`l`b{c4k~9fHi&3>a)B;G#K%os--FU)zMgQ2?z|8pqh%t?`;Mbnz!?u7CCR
zSr}32>hAW5*1vGQR)cSj5g*Scbk6VYyJeUBkjL=}3AiD$2~&H-K>2k9GIYm(WEr(R
z+Gi0Os=fHF;fr9e!u2{lV5BcK%h&Gp5Vl_O_;`^|G8nk5wWMQ@^%=dU;fyZ9##u6a
z4q;iD*}^3BxZCn~+rtLx!?wgFj!N@!rD5xsrxR4iEn(sT(>y}Tc87WZN5=7)_>=Ok
z04)Hc?a>nR0FcZ(12z}?6KIN#mBbzIU)`S3`fQFz7lkyuNNSp(v1dI6$3HW;jdIF7
zwq*x5T%pXK03EE?;~2<);vLgaUj-0b@;|ZJz@X_J1P3XN72KWw#FhXPAGh8{?tWqH
zM6cQUpVPVd`SEv^O2!f+_U+0`#uKLTXVlj6<Zc<MBu{MxCj@GPX?HTCN!|X`Oe_3V
zH`kKw)?Cagk+F-~qBC}sKD}LI-Tn6Uf+b6D3w<fkefLqG)#b^`%7e+z;c5socR#+i
z{bTzTj_alak~k#6*%Z2c4y6`CLp5!pkbzT2(lWl?_pJ;Y>=#nKr@xocSWP(Q`F*A9
zd}wvk^qq>L#Ihbm5D3(5ax+Q$)+JC8hJ{Ov1VCd9&CC#khnkx^K$uLjan`MAuA<DS
zsHjx{g26JKU|w5Yt%?NDZ3GBb&ggdyZU{du5pwgUSgv-+7z)DH>`|<z#Ul=lcxsxf
zx~X#!90-`-)#=P9_!X2rRSFS4a~Cb$@jeg^nl3SLb?&D?b`KFjRF_z6OB6mbcF2(k
zn6P#>9i5!c#0wiVE^f$(@9xbNC1*G3Cy5lKrh>dhpbuh`X#*7!y3v{DHluFCyq^7)
zrxLXQj2+eNQB3Fr@^BWvXFubmb5CJsnzW^pQ?UlBd8-^i@cFFHnL|@M8eYF1t7%ab
ze!|fhw9Z*luK+!Lx<{#dzg=L`Kv3!}eO_58Q-HH1?9^akKr>F<W{?RinIbMLt#I*7
zWhe-&<Q}r^;<MPewC%)Y-1W*XlG`p`0B2S5efO_E>WA{nzXU(p0{ZSp_o=xLb`0IZ
z&`ZJVE>flz0~}k;N};&Ogq2>+ZK>UL_r3b_^}&q2siwV{$6^iCWQVE!P3Kr7G}ZM;
z>nmHsTAcjkYcyy#@@)G0Tio|4O4-r^Pbc+N#+;E+(m-V6EH#F)_7Ma5kqyZLKyLz)
zZ)S1W<4n^aP$wb?k3O#~AxQbTH2N||o3Yu45GqedN>Z=hcPGq$sm$jo1PqG8;o&x5
zGh?SC*a(sE6OZ{HvTBT0ImCor6Kj`%ao1*Mo`Svv+$<a^s8|t47S#wJZlOqTu@bI%
zF7pdS$8(430e|aX<fPx9%hm3M0$8yllX};d0JAdjODtn!D%lcHQUG+ejcxJj=s^2G
zu}TRK?#jYK$WU@@f<O0}VOHOWCyyUL&i0?X+WND`#_aew0DSBABz=&P*y8d{v;5q=
z#bFU2sJj(NpLg2h4gcc$@`n0YB#rXjOmi8nBiJGA<lrbm*Abi(7_E#igqslKrk@%>
z!U2!%L@MVY+3;?xhJCnP!wUUSKy$1FW=!$z?hS_8BiYN9{nDt-`&)gsjATLUni)3F
z4XyW%q1+}Nf?c=3W;R@S<b`(|;+Xl~Cc0=C<;1};rt_JQ?1_2-G(&VXhi&UVx!t!6
zk=6q}%nDi-g{I7<G3Y{fGVXk7jw<U>=e~eV<&(i4ar<j!whysneH_e@!WAo>r0W6Z
zi;W3BtM$M`hXfW#k!o#mg}n!x*4EZyCY0YtIdJoE%bkwo#DUEf98+=u70U`zTDo0R
z7zfy$Qqadam{}%|l<Ho?*O_E0H%AsEu6YM(Zbhr>K1|{Fo#N3mAko`A`A=g{nyq^=
zR(#;|YzC2(>bqSVDatimFllKba>AzIZ3?2n#49`NcMnKuM#-wlU>O}4?02Z%_Hp74
z#eG?5*-5bE#8^0k-DA(jOwauNQxkMG6z0`dcsc*J&AoX%g>*#65Ugfls_b<<E1ZH2
z2w$)ZKc1JrLv3ORENZQj!=~Box#cskN!ZHbCB`Hwk-2M!yGd51bq<P=SYFa+tjP;y
zTwcPrA7mj+{@SZk;*4{RTgzrU?R8h)-bH)q)5{WJiWY>LZMXTi2}}SHY($*VWIGT|
zYhc>!&|E-LJZeXy^_#3XnP4o1ht3l&JiuMUQ|$Rzm%$jyGJsvkgy)FqC@9}!vkym~
z*9H^0LHG+0_Q@Cr?o+YsUz*eTi}2h?eva$TU|7njj*chiBX%}DzvpnKM);?QMZVNo
z_KX#rRPiH9JS#yk4~uCekiK(E2jo26QPES-r}|F|Jh^f9tz#!BO>AhOge7TltoGwD
z2Q7xukyiZ4jhCiR>{ss)apbA)9K<8fd~%PC*-*_ZyNlN@6t!`;J~nwimY}3<yCE`G
z^d`PAQok(0Q9lv=dU|0fvdkox=isy>9SxIEPQgAOY?E{BNH)3&VyhGsd=|J##Du15
z{d~Xj5XI=TWr>AhcvbG*m|*3>C@e1&cQ1AS{-Fv%F7<zUfE?9PUtV}3QqCTIkQ5xF
zH<w7vC#+2b04`Bh>dS2j3&ON2WeHpw8?)DPNqw?V$$7@MV0fr9JFq4lOXIMO2fNWU
zIXa=X+=n|(Ot!VR3$r$xh(BavdSKTPOkhcJXyu{BruU^lMA}zp0SjCYT&hd|X2<<a
z+RU#_ovYXKOq~jJ0~Eyk6}c>X{PVbcqwt=gwmXvoiC^uQ*)3w;NSuLU@XF9C&D*Rz
zdLbLuC`_G(oLtv*cn!D8^*m@fVm?yVc~zyAce!66^H^IDR$$Px(ecK{rp3(}PV0!_
z^BpPt0TA~N@;9jt1!g{4{Lw2ZwjE?mE)%-2qfkhai{Ua}dVWey*!MAAOgos;#7>$W
zFdPow<_-9%adoxed3~WwGww2Bp@VuiBPS%=qqbCSa)0Y+E)m{ahNMms#j{=L+=??t
z6Kwu)S=^ubwlpwz!)0zQ2Bl2>6AZ<O7Gp28zDPkUk_emj?uH#wgGV&)#~#)66IEdg
z_$$$!IIFy<EPSwku+Oj15Mg)8bFY-Zoq!eoV0v@j%lgd<CxK27lWZ6dv^VyYx*w^F
zozxk<2cWtFrrLU;L2GarKSsy#kAMX;Yvgl#wv&i3&25&d3EA7nEDo2xgK!)_8p%Qf
z090T;g_3>m2b3to8z7M<e|nmQJ}v8X9GsCru~I&)@zDQ#3HUuWVdH^7&4f~`VbTi;
z6iIh)t&nfj89!E#<ci>bHd4rI&?xZ<V0)?-y(-~tWq%mQa|<gxSY(n?|H^w-{n-g}
z-<OITcLs}0W$In}@_uO+Xs)WE0`2NqcOwYbYmOAP$Q-E_Fm3vY5-5=$oIE=(A}oA|
zmhLpQ(&F?na7u;Q`q&oJAS-TWZ<-n)ntSQdAKV$j!ki1_hSwVI{U>s7tPv6kt*A4y
z!6A8pY?%#%l<+u(iyXNiC$UmNxp%ayJ?t8Id?T5SUv8f-0}?BTq~_N}oiS|xnVQra
zyFb&jdn3zwx>`7{)QTg0I`C4rF7fo~--3NQS%3N`4^Ct9nG8S%sKP!&%Mm92>lq+5
zH=HffgOq|w(eeKs$3fQaoIo=CyPnw9V)7DgA^8uYIL-=o8FC={HRt0d><@f!t&=ex
z*&pif%O&<bs1ryUOaA?i2`-!ZEpN#L+HOjgBwGCEd6Y@~^dE`=+-*!DoA4r2eQE6J
zzeAkL=Ib2bB@Yg3oRAF-P2D^fw24W_9%xAUigAP-xcAKnv{ZkltXdCzeIvl=-!a9!
zfCuB$ehsb$#K9#(IrS2W7b5hNiwjhEcU1okkmfN+!fMlv5!sqSOdpJMOmz#}1qqH>
zB4UW<EX?01X6g<Q^hBrP4csN*+&ZP=r>ga(Az2O3GVH%E&4c^#zxd|(#D5B}@&9kg
e=ZLUEhPaV)9ZW@KnhZd(4;kp0qAM=gJ^UZ3eYP6_

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeCMakeConfigure.png b/docs/GettingStartedDocs/images/VSCodeCMakeConfigure.png
new file mode 100644
index 0000000000000000000000000000000000000000..3ac3a2d7e006ec2d1dccc0acae2e390621734897
GIT binary patch
literal 6165
zcmai2XIN9swnn8$2P3_U5~La-^xhGOASE<GdT-K;BArl0q=X_}LJ2J(MT$b`2-1rP
z5<rB2NUy@#obS2k$9>Ly?vK4^&+M7CXVyFG-R~@fE=--0jG2spfPhj{L*)qp!Sx8>
z+41Ie;7&y2Rtpr@yq~Bm5mXJct^*Z92Spu40)pCP@^dR9pib(kVd70dK-G11UF-Eg
z*%A;ilxwOe8U$Eu<>(}s8wN#R%a+gPxFPo8<M-e4{wyCM7aqx!nqsz!YL8wM*OHpp
zRyrEry+x*^GOUq=<>ad5#m2FkDAv{ei5AFFoe5Y<WUyT_ES}X#N7{7?#S8T5A1s_6
zpU#&*H}wDL?mK<<%W(bUTF9F8+I(=uLd#@y@4~|#MjLJK8AKwaCzGcZ#A1^G(Xj@L
z0j*hBm}>&0M--7e!)TM>bW6Gx(!)4@*UuX0@?LWjdo?gs#uVJ{y*7+CYb=itqzVq(
zc=llCtVVgNH;o_u`};@#lik$~VEE9Kl?1rmZ)+|B3p6eUZ?~0KvmAfr&CTqtDR%Z^
zV?O7raR>jDVYqRB(t+C#2LUf4UsTx$tNoF4UbLjnyEArY#%D(0DAf0>)u;6U?vS&s
z#uH^tk9!Nut%|?UrZJIA=Iyw@bR5w~+lw5B=w31tFrLZT>O_e7PeciR0PpGUt)nx6
zkEAxnTuwQ1tg6$GznHfFq%Rv3?S~5?@hm&tPFzu3kk1~D74{aMIeX=id0l!(jJt!@
zeW4YJzN2iKsr#2bpm@LIbGSzQv+;f~7o%s3XVXTLdV|$cu3^CAm%X&1hqDfZ5hI3{
zYsy?m>Tjr#gb0f2>Q?^l^^%8!c&O*6EW8a$L}Vh^mTfKMt!p1549_5l?LLBre{1yc
zo^_-c5fZv9=@m>{aXrt7rFll%KmsHv@M>U(D1CCny=Zk~vSI~e@MSoN)7tQvTZ>79
zogg%nR*zg)pQGVqg@P!R{>FWxID9bTFW-+%r+fJ9@2)}-p@g1oxR(`+H<I6mL>zEk
zIdWI?CUKsS!*0?{U$2I4_4vVt&(lEo)Dl?)!w5wH@vi0#YquJF!i_0&4nJHNYTKOS
zuQ^>yXIS5;@4cJVcNB-OohbDj*lXMd8~1w1DONs;A!O}&SPy$YXi1d`!=%!%)4TAz
zSIx$yMH*wuQzBBvm9({Ndy=BVaoq}!%Iv4xurEnx-uC=V%d}tOo7i^v?vx+jXBgkb
zBJR#RCHRP;pQ4n%-F}^F$oDvZ)FDx*jhP!QU-_V2)J0Zw3Sa-bbGQx7x%R7vTVyee
zxv#wa<R=T!DLd)LSo^Op*@n{KL{W?NNgwJcvK&IRyiwu(071XEsoY6{im5%G)&)7O
zcX`HW9?GBpQGR-J?mi<#gfE63`g4Gl-hl@t%o&>{73^$l<-F3`{i&~5)r_hyx$SGW
z1*1~?@H^DBt(0E@38Sgp=`ZfwMqCa*?{BljFAmuUp*!6SwtR_q2Cm(bJ6TDcSB<h>
ze#>|3)vMK%Pq@7(MrE-Ltkj^Cj#M{|Q|nLiN><7x!>tt*gn~FO$EpD4XFWwTm^7ej
zGqk{;)V31Vtr8v?^i$VU$w$j>1B!$PBkXSD3#dqQ0@<>NN1=&>pRLS$r?$r0o9e$-
z_2lIH3Gs7iI<M%KG~q-y=u7nS9tCc`s(E#eP$LRIUWt<yOfOgHcfQ7R&;I6(2C?62
zOrFwhlXMj&SqtWK3~gJ?llI=LcM9YKXZciV@WR6sPNvSZ@r-nelcQ?<D_PEDvFp3c
zccM?z;s%;ClyjM^70oMkbYt{P86|_Z*VJHH*334`qV!;qMirhS>*=R14~w*u)S^+e
zxVoO%A}wf{GB*o?t-;~K3vx11CZ{}c@41pdn%aOG8#5iqQ3@yHNiiGgVEv)jUqNjC
zFrI8nemM5WYcj8>Q&IYuuFi5F{f*a9gF)w_BZ9<QhKI{j+jPAaabdN?GFr0Uyc=uC
zCwiEyqQt}Na~_1u-39LcY*{@^yX$B@bM>e07R~zuLr1UX_P)@2!Qw}lW0U(RNE5~q
zASs-ZyL9?F)VlYSTU|KU9t6)nyZdWgVURNn%ysWaZ~cS&iI1ZF5{*)37_j!<c6NO9
z`_5LX(!7!xiA@qBrZx8c5K_LXr)y7$M4zYoJZyM=J?<C9io~`obJ6o@5q-AGzd8M{
zi<qM5U$fY7CeEdB>XQ~iO&nTgRFl@x(*nbpd=riIiqo}k?PT?2qCsn?`Pu~`77esy
zw^ZyYhJyRkdS53>L1N5bS!5ej<NEp;h<)lLC`N9CZ}N6Mq3~F|E59%mo<5`Xt_{u_
ze4p4^xH*OKw#u^Z#E5rQ87JsWP|Tv*ChOh;(bH;f27Wn--3I;OdDnWC9Q<t$<+)`M
ze8GxT+@4QZ%bom;21s=fGK<I)wE%EY>MIf#;d;>5DqCGsNQxLs$plKfn_AVT+OmUP
zIqtsWG_oJF(v2SijVlF1S`|KWe;pvTewJj$@~g7cq8X1YqnbM@E(?gxnMV;}A98Lm
z5Rn&V44og4$D!}5Lzfdq8R<66;`67C^V{3^v7XG{R2UImF9Eged-<G-2JvBmv(3AV
zbzEScButlGtOTc`ya|o^bsB8hiZwqElWEr!l{rbyZ&wZ0C+H^PO7MGbOvTyHOxy3y
z-3o`DF8j{@2SWwC!y>wmpdWunDQ{(Pw(ojtydOq8(YTY!AmF&Bq9&mO>701>Y5v6<
z&R`R97D3wHlF}5`7dZ_i4SlMoAaP^t35;rjPBEp+JkI1sUeIP%CbXv0G5KQ#6mNjF
za3pjyN+W&SkIGyvc#uA8XfD`&J6}Xut5`3Owddzk$A+gdE^Z2SusWlvo*-J3Wf@A_
zTwVmN#AY2!<+0GJsm)zvkg7acs>f200_Ej$nBvl@xTh0LTl=O8>O@_dKqhtKlah~C
z%@40#WaKyCiXMM5G2O{HxLFw^VWdT6*UuF#aY8r{X&y+yG>14))x-`HeXEjs)4ZFQ
z2~yW;r!J%-&9}|fY4FbL?luFQ)wHf^At^F;D}%l-!K?$WU3X|kF(IY+ZRLCCL6rj)
zQH3D!lSj~k_Kcb8>%+}KHnC3WA^kp$H{hkt8=`!P(s4)Ozj<FAKTlgPyti;$GD&Ja
z;ItC4zMEYokN#HS-Ka8T{CzUtP!&!n33fMa%V@ZN3#UU^D;66$L+*$nq_8>zTw`WB
zPI<H6w1&zi?i9(TFDMmEfe17aE0Pc}x;d9m+@r!*)fGg0E3P?i;6Oy52Ff+8HZg%N
zR2wc}mh{k*e^`Ke%s_+fr*=dLB_?KRmx`!)82qT2F(uqrW3^!_sjFANPlXhkc8GNs
zvFM+;Gl@!65APWx50tKbz?Q_)CArhrH~oo%YE38IoGn{39M8@X*h2yPrWSKth@q<m
zQB#&CP``Bxb&w(3#HLbsAOn~m*n2j4?-s2bMo_D<=kARVFZVD?LXN^-nh}KNS5iyw
z6n}0=;#kEU$pRY3T01oNN;&Zm{#UK!+79Y)0u+_@gETg(A$uvW20}ne+2hJ8y$Hm5
z5fx6-=2vQr=gq)PX#=s@jNbJ0ba527db(14yn39)V4c8V7Oz#*EK~eK3-C7yeE9PN
z$SmE?1SHgKb=Z5S;Ol!y2u4UiV0c9MHYw1a4%O=<gJ4~IRFw)SCB24d#bm_A;VZ_#
zt0@&ye%65m@y`e(X@4{|hn)F;n%^=Fa&Q!YD(Z6>*Br*WVjN0Ksp*{lV@}1@>r*dI
z#~U|0+l)jaBS=c)MC&h;J8A?5>nh#KI(KP|V!5p2xqYqQeMY|VxOR5L!8=Anj=spg
zf3;Ya(Md$D5(TZ<1oebfhN`LKcuppGr>txpZu#A^nCr@KnQoeJa1R*-_>u~2h*jpr
z$VlUbh71(i;IUYt%3OD)QD@VAe61^KlwGBFvgGL)oC>~p;hLLIkjO3)Y8>_~PSo~F
z!eRv1m#}AZp?q@Y=SAo{g7y8dR{!cNIXhJR^=cmfhDihf``=o21`+&xZ8+Dg(cO@Q
zduexd5YUpLe|~(PwhYzr+?s1B?*axMcEjdVN2MX-5GUVfz=9sufR2i3!R$K;fDLAc
z3aK4H+#YQ;E?P7{FOjksY;c)ouWt^$yjUH~s1<*+z0jsbUR|%E&9=MjV0BZN0&E2R
zYc!Ow_~M8yrhFcDPFr5~(9yMub>!piX8-MlFWKUgRoX$m8W)olaLw57stn5YFLh~1
zP1!$-FNP=+xuGwe0qLG_!|WJo`~iN%D080~U}@N^Nh^(+H_<B+twu04X&bw+Cg!&0
zs3%shR|dCYRfRNo^w;Qh6|eKv5L3~qzX(cu4K7qgD&(WDr3EJXq2+JI25w<Y0l;iJ
z>HVz37Jtaj+IOahyV|!|E2acYyw@7Z&=Xu^u(+9E?dtcj^YTs@LGpw#RsZPi36k&!
zqc=^L$BSuExrSxe!}tgk^Cp>X5|}_AT0u8>_Vf2xJU)zZ20xiL_M5r5b{zID)2TSV
zOM`efjr)#%O+pTZs@4owQ70lSM-G<5CQ8Mv8*IR-OT>wypL=hN2KEQU%0;?%i09+e
zmskpo_?)1e7+daA{NdI&pOh(>$Evz{4B1`%0x9-QBx9xqM*T%giyWv|A^%~ub21rW
zZ70eefGuaX942tKxgjdrv-oIv8*6N^PY)qo@@su)RBN7SVR|!eK}s^!SYMqyQs;@4
z0@z5nes>N+v_5$Vjf1x*P2@KH<9AZCGh`D(linG_?1rVfH>3R&G#z>EqW5);LNjyB
z4t3=nP$7&HZ&+OkX+$yWdU}G>*UOd8zd6m>+@k=d10mnHyjqjjvtX$mKOzsI3%yLB
zicZQ682q|M5(q$G#vr}Z<XyVgaX@g{37p8jQU7;#xd;C6KQZ`KLaG*se><I|P3%?V
zP8R>~5;*nbRc4U88NuNrxzhfp`|BVuOh8z8WO$e!^bbQgjl7c$KKd=|`Qy{X#6*E|
zjJ*`=@37n%fQIVC^uI{&=z}jmT~&CD{H(9Y$@$6uSDN)8{Lk0r<qwlD;p>B!LAzsl
zDuW=7#rXQ%j>}OS%NLKAm*JPo{oeBNhXSknnvA+bX6VvwpT7-z-!02Jlk#3@(q1=>
zV+FqE!rOMZ9&uuM?lOA(3v14Tba#>PI&4j!lB%UjV@gb(Krr!6Q=qF&Lp&6&rd8>S
zpWWNeJI=n8`E#*|{|cMW^_BLLfkvxt1zdV`AviA2#YfX9>yn}F^9cTq%Z=bihJqaP
z#>t?@#`L^(!7B@WFc})WpEZ*IC%hgGJBME;aSsgf#k)23Iby`Qnf&~41NzdBC*|cr
z8qH`F{mc!ZhXDa!lDA#jIdlmZ-KZ;#zMVvmj=>kV1J=g*(6aD-xgCZ}dKX=r2B=_B
z8>~V91N5Wm?zrF91OQ&5Mbq+_<%0a)YN!p8agAU8FWx)!sDt5RiNy3>Fn(>|^CPGJ
zM2Q?z#wu3RSlUE`d@AG$zfSim)?mDVxLnVxJ~9yGsX;So(CR`ScOcT8BH!`xORhu+
z$}s~Wx3knyPf_V6kER#ciePE2s;#gM5R}JD><s5waOrXrVGxBzo!b{CFZ?K{6GnOI
z=xErPVCOR#9bdMV8U)e4IOn)uZs7X4Gbyi%m%&!j7k``~Ig!?7z;@%Nmt(jX!1s@Y
z^25nH?#4#0Q(quB&76*TtB><o-x`y~DkP@lIB@YOb}RdWg*Ni%mF|;0xeHIf_qZOk
z$9LJ~db88g4lXG_w&I-}dcpFy4z1oZa6Z>VzhIJgdv!=|Ymy-<dE0PO3gpBzS)A)&
zf|FU#VohV~LsXOn>sSH%J-_o2?X{S=E^dr)Vdw4Dw}gSN#x`)UQGO5OJGwUBTh^}i
z`p8pkYt{Mgw073?D~TcH=*jd;->m5Y*SQXywPc;ptf8HaOCHs<sNa0WyZd{CB9GFD
zrr1UIT2DOJx~Wagei_8uH9kL;s@+)gTXl(R0mXcG4lwcofP<E7dJ@V^M+dy0KT_{_
z)34e-1TF2S#gIqGA3euyR*$j_B&IO!sYSICtB^n4NQ>*Tg38N>ZqC%|m%?)8L)kyJ
z`mB#-yDe-e-hc_<$-piR#i6y`F2>xQsh!trD{AToMy7b`FAC?q?n9#?M{qme`+>bA
z;(o1rPF4A<DM+;FT;RQ7s;qH?j)Bq66|7T=3(g%@xddQiQ|PH~&{);^X!1z_2CHDg
z6NCbd!_If5;cwqB&^(1iat;*o8rN$DQpPsT4C~Hahb4^v5H}u7cK-JGgJ|I654@7K
z&+Dd)54Qg*rC|(XP$oLL?SvX><nL{D;DX!}>`hc)qci3*gJgX@2`|ak4=;hh8Rh>*
zcM<e+?((*fmdB32wP}sAcC7|ELkJ4Qz1nMK^tSN2zPgEK(F9#uN$X1s@ne6S;14XS
zMswCeSgXtT5BqAQ@94ekyCPtN_i2I{5%QC^97ekLsIqB;UkT;R(lHSdUd0U$<(o#c
zP+LuHbKY!abJKHa0F6OWom4v?j@!fqUK2J%UK^)#s_UwGd>f`+8P1%!wy|;g#ynlG
zb@=>TtZ3y|mXLkQbUB2c9$#t~ap@Q2BC&H<YpP<KQZ)nM&;#A2BL0r^hD~o7J21QY
z&dtGy&1C9^E%lQ-y#V<!tH{jJcL*kDZ(^5God~xsz}fiMFBOtFkiGxmM`h`qDDn=B
z9J;DKYB(=+Z*w-j6oziUI9*>|UB+O@yTbuG6>urE{fEkVCR;(mf`V5XZwfmAa|QO6
ziO&C3mV1FM1n6zA`hZHJqN0d%j`y7;cLwI?ai1e%ECTHo_eMJY42g`$9Zcv;`^z<V
zC8YO?Bg)NV9Nq=mPggya_Wxa(<i8oP+YbhW$KU<&$47DTYSDWGT!{wDX<hTG^K_I5
zLUiOSIIa-#hMU*uViPmMC&C#sRE59GdyCT_VNGT;wDO6C1G5~l8pU8S^U;5Me}5l`
z!|g2hs&8P|h8uE@u?P|M<aRmv4pG?`0gLT_h1-wEet#da>Uk{xcS!%S>=(W-eW>3_
zl=^A-S4XX<8x_JG=XE&Q;KM&H9vq7;@8DXp#Mh~uLV$D&6O1+S?Gy60>UyqUWXih}
zSOf0&sznnhi4FC93raonp~=wP0Vi~|NSuPCROFpmMiH(*ZLBp*Ywv=8mt<JrQmyRm
zfA*zt^YinUKF(t=0a;3U|LkP($dUEi#Nu$HNaV>4lJ@}uJqdu+zTq}qwFV?G-4eBB
zD%{A9A6=uWZ*2{!r(8UfFgG=w>j>>=Y3adWFav8-ge{Jx8Lt+iqKL@G!mGzCv>U#%
zIQE^Nx86dP`NcWPwmv`77km?sh{Yq37x>6lrMB^3xVxy5c6*zl$X6tLq6w6Hz9G)e
z&hG9>)R7>Wckd)IEiFMixb76moyV|uGL3c5p9h{CpP#1ye`ScxyM&$P42vM5t=YXg
z=);{YSN$J|aUY_XcF(2G&k-aQHa0_qT^YM=!AHASrgPs_ulFXgNeAw(%wil)@)@H*
zjbD!6T#V8$5(EfXm`X)6?b*u6zBvBzS($`NdwJmO$gF65FPqRmt*q<Y=6C<a7eM;;
z$|_bwR#sL-q-*>^9(8rwAu~00XIvB}z!E(W;8MAW&<hf15BNDm#2#-M`d8F`D0K($
z>d8q-b948sN&U0LC&6Nfz|^LYligmn*a{=S9;T+Irl~2GL|9n($_sf?z8mw+-W3%U
z5$7q4z!~YlIONo45WvI2M6%yHiT%Zkz(6AS2erz!Y{JI3fN+X=etx`@mPRLYywaa4
zLm5L!y*n-nWLkl#xFaEtdw_7m^?I~=(QEyron>yLa=jIT7U^LWxykqkDdI2;D4vV+
tlLA*p_Os7G(i`%{>Yr5jaty}>2NO>!<s$R2E0D@3&{Tz~R4F|R{}(3R5TO77

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeCMakeConfigureArgs.png b/docs/GettingStartedDocs/images/VSCodeCMakeConfigureArgs.png
new file mode 100644
index 0000000000000000000000000000000000000000..fc1a7918f36d94196bee2a8f42d1fcdec8d4bad2
GIT binary patch
literal 26887
zcmd43byU<}+b>KE14;`D3@r#K9ZHuVAuUppN-N!+3Q9_Yv~-u$&>|tAbSMnn-7w_Y
z!|%TDXRY(cS?_z!`<(TzrHg@?`Nsb4eO=cluKh_>Sr-2`>^2%28os=o^b0gJh&UP=
z`WqZ5_{-j$V=MT9?)XCXDO%}osx|Nn#9UHI5)G{)68GXY7Wn;^ot%y%8rmHv)PMA8
zGg>z^G>a5@X~~yv23rW+Mr-4y-Mxw>4lCjD2}*j#1iL8$0!nv{7gW?@(XK7J)U_X3
z*1NZ2JwA2k;L1j?3hWhTJFt#-Uq<UbU9@SKiL0Hd>hg6Tn=qapGk8~4-FfCMo{mg%
zj1c7Lck4`i_iIJ`s-L%0=?mXl$y1oL<FCiA$mh|F^3mCI{JKasdDP1hIjA`J!6^SC
zi{j$*&8u*;T`AOCjE}#x5&rWbi~oiXg(ve_4(Tp!NLF=V*RsUx`XKl9-|=6}oy`;a
zo=PE=tA?Jlmb{#D9@k%L@YwO*@eK9cuFvxtZ>nGZ(%|&~bzwuho?QXB9Bvj!j{z@-
zmDJE*Pi7jm_h|7qT_P=qbMNva+>Gl-y6u*e%<suk*-P(D7)Rc9opv`Dtk#Lwclq-z
zlCyF5sr`)iNu2um`7E}$_GZIQ^Fx87DaZae^#<Pa&8md5n=yg;NJS&LNslLOTi%=?
zTsfCh9Dh4JS4;6e{?kF$a@w(vm_6;}Z&veKWT1UWAa*)C4-Ube_k^%5{Goa-X<n+!
ztG(ozi`*0;>hqRiW#PLs*H<T@3Y<;fQvQna{__MFetw3CUse2`*T?15Yfj#_^*z_M
z??<?jl{KHe70mI3FuF{<4)$py$jwZi?SfKTsZx1vR&=Ca9p;VX6PmcQwOs5!Y@b^%
zD&xqDppIcy;SjrAQ_1r<?cnr@%Kc?Ei}|mocypp=hgJFxkBu@zaHbA2L$-*E^>OIP
zuci4=PUZe&+h%u<?a`V^n`9or-vSF^^NGe05A&1_cNQYWr#b0(#um|uD&Jlm8D3Wl
zEXArrsZRa=nJYtbJdfZ_MA?bHSI9{-ivhP8yLSBHjd4TYCIRGPjCw|(sh0NZ4}8>+
z*ETJe$8VaB##r+dWi@|Rj~gU+ey78|&-48L?tZV~Rb|;E{zkq_=%>xtsW>fzKV;fJ
zdxJAqD|uBR5-tem@xw134f7$aLmU1)r}U`V0F#&LD6z4vn+tlg*Fna444#0)b6*I{
zn6_~^DV2`LT2AOjX+!C0t?zm52;zekaR3pX5qu#+_+C+Q<@2-6x`hY@NxU?jAc-G5
zy=*ZU%n-@eeTe?@mv^P}3$)j66}=n{+15r4TQv&(M(0jspSBMA;IuxcbBBWdQH@@G
zDxE*&_BttTWB-{lZ`0^+`3!6=CA3^=bajoWsPsQsecuX6x?`d|W#2_zK&e1iE+H{D
zqOP*l`-5(E_qS^^FP38Y#GBBZJ+b{_;#}g4)5{%SL*<7d)nl(%vBYs={g!kH|Iozx
zFCoL0FeVM(e0p$Z8t^iZMS;Eg<twH!VdwP`AB1fXi4LvFH!wj3*V;D1pZv|gc!^rh
z*@L!n0kq<$Wy2wyw1+tnk?HBzRSuti<A_O*Vd<;iM|;{j--b=QiOVE?5(6fHAQnSn
z<gB#GYe@WpX4$BpoLD#=)Mq~?{ZJ{?4`+jc*Ca;i$=al5K2)t+FNy2*Q<zhnsZ0p@
z&O(>?mA(D6`$`UW*)6}_q?-k##KqVa*>bVOX=ya99Lb#K_EqnzFoe8&myX03Jj|_)
z`0t4{5D7P;%?wtBuxeuTu*PJ0wsA|CWY}95xwO$J?57wTa|Ar@L?2r5^v&$f*7EWu
zj|uo~oOPRqaov>A-uL7A$)WD^i&4C*r{ETCxUbCzVO2trU5VRbi{!(BrJN!-?-%u-
zcQ2#$et>6SVP^1zvxTevf=E6t%6gk@T_e9y7O~bQgfl^ufgA`Hd#OxK1D?1Qw`ou8
z{I_A{4YE@lMFy6qXeMS6aX0tG&;}N4DN<JI+I%J5@Vsu7zvW??`*M=Q@8j-yBfEjd
zA~`(1=gU~=Se^SuT!X7nb^TnSY3O>TWZ``hM#3OE!jC^rX(7@QGF|byHc7c14o>ZJ
z{_xG{IlJr2le|)?7Gzh2#Rs(R%wU=?m2NlZg#D5^EU~$Dk4qVvMC#xA^yo<yM0nn%
z#>Di8wT-02eH%5(+O%Ke3TS~9(r!u;ew&0)tp^fqt=UdhpPV}!AbMYQm70CVI#SJ6
zIqsMiPtPAud+sQ?W?1srI<x+36*=u1^WC3lOQeOo+~4Lg{`8-f&4@7Qd<35wz{>N`
z)xXIMd|r4yctrX}rFHWm&BC?2X_I?H>?=P=R1}AAE_Z0RYO+_6Jaoa`sojS2W*SEQ
zm<@)e{`;73YRPU6H1gk=V&2`HA-j|N;QvNm``=8Xf9vF9n3^=2$5>7xjdhw)L&YfH
z*7x6-fd6x$Pi%&=<!$529`{@>Xvdey1cmcY*G;@FDha{mY%H(4*zfHv$m*39KO20r
zzxcC*(za3UV%xQabxhCk*L+Tb!J}s6FWY#>o7E>H#4DbC4`;f#<?5`XekDzp%B~f?
z<7nK_(C0qtj$lf7K630~wBll-;#a2&YsiW&8dd`F3%e>Y)E!&Ka{m*|qhY_e#bMdQ
ziL~l@%Iuo@&ZGPKY9faNQV&D@?b%nSK?HRreOK1xa%T1Sn`OsI^GVZuJMER-3=elW
z-p5^Jzi)G*fc+a}DGNu_;n2Lf__>aUKJ|fd$6YP9tCQ=inYAj~i&^XrgzF4~-x{o1
z`QeQkwd&LPP_lGnpLxhF5~f)7Gh6=7HJnjrnfg*tbbOns*qXFyC=oasQ6Jt|_o*O&
zw^)H}&|!FeHr|Z<+<)G~T9)mhXBww*b{yrw9Lm^FUNENAX#QtZ%dpAq;1~aS{7O|x
z?KB)DQ^BE1`>DTc%XK5xtm3ldD~lik$e%|?PQECavFTwz4OROZH7-ZpZ06FtaEEJw
z_@yF>L2`q)1vw$=%7Qrp2YtMu=Q}OpP3Ba%7(_SqQOo6)Z3lfYRkYZ7p6^-Sn_(q>
zb_3tbBcI`W25xinxyd%qH?oOEK~+O`jT(Y^t(G$l?v)hBdz9AS)b{?qE4xc5c4|~{
zIHW+vT3r5gFHijPq0*#jf_}(KnrErN{6~h6ymTKp=dL8tJStmm(49V&2nae2<!nx@
zi7`$>xJ<H_1Uq!N5Qm?DoK+-neQ^-F<8#vBy^&pUwcAdZxAmeF<nnrLho2ABv(nFu
zsM*L&^Ar^s2A-x8pC($@{23BKm1Kt0s%2oj3?E%zU-VyR`=KB0pR`;z)ghOYhmXk_
zoww^(lsE9)5z_i<Ok>X9Z!u@@S6M+Gfzb;1CSDwK_Bwt4XbCRJ;XL_uJKoR-+3dK;
z>5Ej@Ya{gGD%nW$+?MaHwD}#Hetof0AcAziS!)b&AiAN!iXrTE9x8rlBI#cHKi3|2
zYu}Vl1_u=3`*2GL9uAJ5q95($s_fe1#9+1na#n`VI+D3ii<iOp{8Qy_>jimdJa=}3
z#V_c8sc_{I^s1J6iL&(vw&H}Ju$I<+ok5tsp*<Cm-KAS!fNzv4NaADML4<gK2j@GP
zpz+=1&y@u6RCkpDj)2-ug}7Izh*d3IJacj(+Lm>lql_d?&|Le;%Pz^+X%`}>2$3Dt
zJ=;Yt5g6x(uC?RY#$%%WO$u!`KP%!<^HGWIT~N$=8j?j%F(q3?rxhV|SjhBwwV%*9
zvC<D`+>Otily6SEsW<vUEgG?>NlbK1qMr3UeD-!g9L$lW27d~RrkWS*B$7;(ysJUc
z<7(4O*>TEUIq(uqXRT+SKYE*`nuMTM{g8#xt`w$B0%7OZ4BQ_pVkh;n=o0M$vUGtm
zkHdH1HiBVQZI#Ht$)4pTN@MB;=a(C+8G!_EDe_mB>+nb=nYZ2Ag?^IK*S#T<MjcJg
zeAgIn_O@?BDI=yN|1G$|%Z9|4QLpVlRhQR?+j-L6@K&|7ky45OFT0c$9u%v@1^ZK_
z7^p6nV%vDZl<QY5a}ScI3uNHr)nVA;(UZuS15s+dfK|D+D~Di3u6p}bTudu2I(dLr
z6O9yVseKv6^9e)e3%Di5WoO1`<DR?mU1E?r$SR;Q^ExWhE4yYAw~kWoF`C0p(@E|u
zx@+vM)E?)hIIUdkO;8yu#jd&1&PfKQ>~WJ%#n{mLJE&>Gt?+Wmncv%p4xXAfu$Fv#
z;X(aId|byo^)SubWMIgqoJ~J)qNVkT81kn|{Lb0NQ61zraR7TP2nK~qVeoj=!yWtq
z9xibkHU=&?0mRrGj}+e&dX}9@YpnL!eX!IMD=>Cna55KNDKNQ|0x5*5iJfrAG;!?g
zg6~yQzDcSR#;e2H(sxC~brO8)m(&V}+dnmfZWvRMP`S<eTk1ld7E0bbj^W|f#6I{z
zZL{w$t^1lz3*PjjQUvD>H<wkaKUIRNsO+maUQS#c+Eg2*8^qXdJ(VpVGyTZ$UF>;R
z1)HIz0PzGpoz&;t(K@OuEFC6@Zrz4L8N%WwnrCwzNWo0P1|^{#7KC1Y-t_NG%C{~4
ziEeGP!F&>72W_buZ^H2GR!DMd*W-Djx0+6-FFT*p2Y#5`oc22S<?=2H9Eq>+&sL7)
z<}uF(@r9AZP^+~!MVASm3o*T&R5?SJ8$+1zO>)UfYKw&aD}fA!Z64qJ5oD6tVAR#f
zzvT<01wW!03kE?FLcPkC;r&m#`Coj9lHYPDyS8Wi=F9To#>@YQ$NPVD(*K`+2!Fs_
z>>z1=NP$zS|7HlIdciFH1|l=r%++!2u%kvpzsy&F<{C~x5;i~~<fYhJ?==O(N2nr^
zB7j8Kx?1D*tMc@lZ!hznW~yzSZIp4+fJynL8M&<B|9J}39-4iED=8g?MWwHllWgXH
zd|E>SG^+5=Da}w{ill?KMLr(at4iS!Z7?2uM#i27&h;kAG=7bYoSu9iT;W~*X*XlR
zXQ&g6m_Wrx1_6FIOmXOW=p7kIC{}lo%`y!Nhn#JOy+8cTd*Snl9UoVuWz=#wcKQyu
zgC*v`6;OIV?{^Qv{zF~Xa^+!Y1R~@;`QcjtI@0UDFD91ePXtBC6VXC_)35J-p{kI>
zJ`tyaf{>%#*~hC9BpbgHLie5?gDRuhc|YG}rXZf(&~^3YRU@7=!tZ7(uHpIQvv*!i
zxGjXMV|tA1yRt_JE+@u5M#rE<g>QT0QbJz8TO%k;I>gR5hdI$IQR&$g;jDFb@t#DP
zC66EtRi(Mje_}qvprRvsI@a|dK`(mRcNUXYuD?%;YjIGPR%z!Jgy=I!*}@@!PvIBU
zo*5}nH^;FnZrtyAsM;oCc>Z_1r(l?v?vHV#=nFw6m9&&GN!5?mTcCooOgiWnZ%Ofl
zgUiaAaGA6|A9G*L49>NR6G5x|W0stAqV{C0-{pQxPU!_i@M$rtSeBmfPGc215o*mD
zhqMt^R}VbJ%~_G9ac300-i!2AL?;^P&g1s^Ex3|>QU~yLi2F(^KbFk*VHI(GJ?Bx4
zrG`xVjgs2jR&*VrD8$}kjLI>V4EZ%CF{FMiH+hKne0RL%s`_-(Ts(O?u(k8@WM-yT
z(MYUPyb#BZ%AuQn?Fig+YMNxm2MINk#PaF41Ml}cgxtMB0y){jKA!Qt_L(#hKTwQ^
z?|1P)1Ue&W4O4v1)|Qx`p-37gtPh0?8L0U1B8K8ZRTsi;;DcOx1K5h>%--An#Fau{
zdvPPFT_!RU!G!A-%w?ct3}BXe5I_OpCqEBFlf<)tp<@Qzhw$M95n0TN4kH^M88Q(m
z7E~RL>E^Ap69^Y`4xq!ovehp}vp0Nc1e`&Kx{9bqb27(tS4J^iAS1lQs_NI1rIEEi
zOeH;$AIJ;@s2O;kzd@3yh;U<Rp{9)`8~15u4bCgCy--8NKQy4Un8#ainF0aRTi;+_
zQj462+$=|=Jy6D1EaM?MRsaN5;d$8H{XvccFD3e6)Z|`E`PsYe$wNwng$K1QL+3tS
zXpY8sl5&2G_7mU5r298(#tACknbG}S+cGC^$T7mw#ABf8L6;}24<g+C+(<FfJk33K
z=SWUMm7((SKDrWWQGA+}HF>`)I9!C#ZT;5R`<xXb=5scjo=ew`j!nhYZj_x-gp2;s
z2A;g=`t=is5Ob>23v0o@akRvTKX(Fd@`7<xTO{{KiB7O&^ouKd9$88Zx4z3A%#T33
z<?1n~7A&bqrfuZUXJKwsObGAB3$CleUC{gCmuuvU6EuMJ00WmEo;y&@$mPc}d|IsQ
zbW#A7=)TCu4T4n4Xmc#nvzmlI9$UqodfCv*W$4qWs^!y3{aT;+FjH4~+B;9Z{$@>D
zf@(l*%K1YOZ}<**nK6p-(ZNHa<xV*CvY#(!()$1cCubH%UpFz`Pu@$}MXrdOCFm93
zF|o1Vdz_#}3VJ#syG{!8><p=}P)R?3D}1pHEJ^H|esW5PDh^(U8)aB^Tg|~XlS#O$
z*|I4Oyz{dT$w9gI_WXAzG3N4UY#VS{aAt1W^Pd8YM(2A-5Mtut^EZ{2Hut~4+Jj&B
zP0Wbg<~6@HL3L19E#LIN!ncC|$yxtm8~;Dxdl#6Lz8q>IUu8{+N0=fDDZqM8*^dhv
zMn%~h0GmDd^FLX&q3Qok#{IvX{E`c1yL4><`u5O8eA8<%g?f6|Xa4Q9E3wtIV&I?H
z*cer{$wI&z5H@+0c%4risvQ3He%bJozZ9ECzus0=iop?@d0T}4)4TA;6B{<Q%{H~8
zmgj*L;ZsJ%H-}^$Pe{HyxoW~vOFazrq-?Kl*7^6FS-OEu&B}kRZRt#t;x>BmN1p_}
z^R9YBiCA~>=B*0P<U&mVh9Xp@4E_aL)I{A2N7YCGTPs$DQ}UO3Jw*KyJtAWEpCac!
z#78asAL=UH>_5DVi|0Sz4u675v$hmyYGtUbco)oiUGAO6gLw5^&)qicP=*MBuU_L`
zlh(ERHwbYh)zx6{J1!?_`sokm5G*pi@{4aQrA^0wZ)$@wW|cI(VgLd=0DRQc11Qw;
z3+f^*SDTD4PWOW2%W_KDE4%M^0MwZZJ4Qk1(Dchq^EFh$OK|LK+^U@s!_vmd7eUqa
zBT<2uhTcb`!(yoX!FEsAs$!mc$4z!GkoF>@Zoh{$6imG;ZIBg*4?s3Zr%_<5kgfpi
zaPBx~%Y{Qd6KX_;R2^D}xs8thm~)Dq4MyH`?BkXd%&7**zG%W@qomjMZE)C4Oydj<
z^y@71IVw7Y)lPf7+XF=MU0n8Ws)9KzHXvHR0qB!M6I3w{AvbrF|7Xh-kM2|wiWR;M
z=<#N^%cJpLm9u0J9z(oO5Vdtn@wy=Z$!Daz;)FNp*>~LS09UK7yk!f5yaM8Bx0gh<
zg5uFZUYf_FxSc3jni~OuR1e2Q-fKm8=AovJY21i2<FZsW8wyK@f(p68?P9M>{YfVn
ze!Yvc@fPKDjfRcIN$CcjC2eMXy=?$3n{C)NxCxg|*HnC8DYJ(F6(V~D2oLO{3aH5u
z6pxt}fo|K3G_xO)XTFP47;f8qMyMSD7P{*6Vny6=3S2rhCM|;QWBIQqli4!Yr48G!
zyp~uEA1(uOm~;fkL_Edr`z`Nu<Mok(wIsS*=(qtiT~v;Wx6KBsvv2qVdr*|+9If~h
z1~4iv?16eL$C-p{&atO2kxGpTgUmTz$1I8T<^9R5IA3IfuRJ<)rKm%{__fz<K4Pky
zIf*Z7>ntpD0a$PqbRyU^L=Z>%J=Q(#41rlc%n($KVHot3zh=szcRp5KdCikc8T-kE
zQ6Q-tNURD&o;=JpKnvj0#F2!egc5Ibd@)~8xV)&xk;V&>rS<-1dp_YbtTa49@1ENO
zD4Ntt2~7j{B|aMLT&3jrw1*_7#b(}qLJavo=<)=ik3|7y9SU^EnR<!I=oClK!UK?I
zf;wsj$V>g~i{yTfhNCZQ;kDCpef4k>HOD*1ns+~-V~I()$e5_@ezakRaEtBw6CUD*
z5wR2i0$9xas*O}KjO+FH_akvkoWl{q+lf2^5*hDjafbKt;tU3`mb)1u6$#-;B1k5s
zQUn^QKgrEJE}rwtGsa62gGh9n(P6$1iv+4vlK_D1y@F7c$6VhT;AI2sL5ie5%=r;c
z>K@{;6EX%gG++p14TEqH)?Y&j+M@iSk`i=_fC*WnbiD~Bd?El|LGAl2Cx*GqMMByL
zyoj`4vxUcLzA8xJVGv`$oCit;d!AFI%_Eay2)s!8SVq_+Kruz2!nhXJ<2&n*oja>E
ztz=$4K%JYse<L$Og8`$$f<b4V>OAHLhdTu}WDImLcA}yGp)q+i`-wSimF&kX@AhJJ
zs0}OkJ?w2zpC0y|Qqz5|=(wkQh)B($?vb9ILrE`!re~>d$RYRKkwO6Sp)t_b22S28
z1F>eQ;eL}(zvpxeRB5S{+h2Ev=hVu%k?8U8H+_ONPgKT%(d?Yc8t<xN(yia6Am-b?
z-cM*5nf~y>a!Mn}UJU2<uC`76Qpmw?Vb1WPwiULPQBB>PejK}Uj!yde<G=6Jjr{zd
zCYiV6^Rqpf@jBoOg7$I~4r_0xUnA3pGjbr3U)dmxV*q56W}E{4Q8hkaZi8X9RbLy&
zuUw?|7mC<P7GqGAL}L^)PIV$KoD@F}H~Iw<`WS!4TC@U(junU~9Ws>Gu{4{Ulh;d}
zzDZ()p!PL@9RxZQAq{klWA-)F`W$<AdbCgr*DS|AhDoV%CX^3NJy%h_AEhjMY<E`n
zawG?^^3QlV!bqflC763D3S5@&qhfuw&VOh`dC`nXT;l{(!C76~ULs|7tG52Z?%sYc
zXM*~uNf!G-V5t$_S;J4J<m}?ST<8A#!W)z`r!o~YKIb{Y!ci5@-Sokv*T=Tk@s)Kn
zK=*P`#?M1Ro;7Xzgh~`Km?9*^z53Yqe9fk(x!l$Xkpg(m7qxO13$@zo-+$`&<3u0$
z2H<`7N;A-?)$Le85wOF4QzpvKqeq+w+#cZ%0G>D<KEI2ZN?Vkwm?k3VTv88W*;zRH
zeT~7Ab;Ii;Lv@DBhM7wnSVrOsDnfSvrB40#<1_B<{_TbxgA^bUcW7wo$H5yfuTEN2
z^gG1%KB>ey;->*}{qFVE&UM=Q=bdf#+NtP(1io_jW$sr44<gUtt6xLk+A@em4=6>2
z@xvwsVdp6;5X?fL8>cymK>zO2%Hvqg0xY!Qc{Mq66>kviJf_1edcCgI^2i5N;Mtd@
zzlV#~U5ZwrLZmAqUFQt6NV%C~$D*=kkF9zxauAa>H-0nAN6-4@4JjJ6PJnUAwVjG|
z={^=%&(C@>ApQ0O^emzIFlXNPvg|qz3Nf2C{LKly#l-ToHRBczc^Zhc9UKjt(VgS3
z!_qu=n)vnonTiTa=lH7b8G7x#%<C69P_zdSFn7|M*86bqp_@dY)i*DGAiG{Vr4fC5
zjmOw21}m`Ge6ezI*^5cRrz+UF<JKkoA|vZ92+~T%kE-9+MKW#Dc7+&W=3{rZ+&_iF
zwy3&-X*}|6eTxq8q@5cytU@Jv0eP#VOhIK;J6f?&*9<_Z)SZzxsTWNq<<9ca>xoEu
zd4?YVyNr$B4GbFay;||ThfVFI+H)#!IvW@YGINUy+Vr4BzvzjgzEyX?+28Tzc&PZ*
zBC~iBkC<Es(8OB|e+#-zAC<c11W{lT)V?K(fSM%RkLQEx?D1nBEs#A)@hB{D>^^UG
zT8|zCaY+)28N<RyFG_W09WlJi8uy<InmTQec7KwXG1}R&gM9u=-JoNyck9jpHEl@W
z9r>Zv6~DY_zV{v!yRodN!du_e;XKbZrHgz{A^58t-|M*f{C+|*)Y?*GeJ&Pg^NO~(
z!`XsSe6OY006D^@Ve7>*R_#Zo>Z|7SZPpuQ96-&j+HC->OWigrx<W*cC$hAyt4Cj$
zK@m6XyA$QR?Luj(z?0e;AJ13V#_!87VDF06^Z*6k;d_1Jo42)09y}Xrc=6`;af;KB
ze8HpwE8na(ZNcH7oY@5i9NX)Baz=UQR?3Z%0xScu+h3*0cx~P(J^85u^w<&Wk5*p*
zbI$aOwmV<&@^JV(UUaj({l#(DIWQT#N%uaMca}86INC?C`B>DeHOGJYeQIW&7z?7f
znTKxA^u2aGXB14c6)*#-)K9{eh|;~+)zhE1(RAv~-WFX5zZmzu)cRYi*?l1hln?cq
zK0=?}z#FlpkRi8%Gjr6XAYJ(!n)Xxdz7ga%CeQe4+6X(mdSIZ$?4BK4y)n7zTq6d;
z6$5`9|H(wg=|TE+3J<LXAMaHMfU5~&D_+Kbx@nBON8D#?mbZAAa2mM`NDhkO>xGt0
zUWBI+<-aF16&c(}wBvcyUFqCn5~xS_={QM_FxG`<IPJvrK|SS-Fxq#nntFeWWN70p
zb;htuQDS;ARgJ9Qd+!Afv#A$po1Z4eZd4lMMA`=UX1Eu%d(&&Ph<8WYyA-~j0xgNm
z5tx&+J9p0Y5zUP9RdM~%*{`42&;KC(JS*$Tk4ZG-MmJ!;5YC_5i5or(f_=3%Fw>|n
z1QccP8Px#QqZtate+}bArCazf-Xt<UZSvhJf?-QK9vP@VA<P`*(NNF&0Odv}fL=V9
zr~v6EK|!gjc|_;+hr2J@KXm#uv|{6X^BCap4V-2+#wOF@v?YM!mZUfeRnn8^$H@#~
z5{i6YHlDc!QKMz+kFyK7PiE+4zt=GHO8||1lCeDq%HdB13u2SXvNl7pIvv;NzSo?i
zl>UT0zbn2HE9um+KdHT78fa&4*3INtZI&{Q+*7kyBwh@md#cf_A7F&oq?DxSoHr_0
zS`Wi+qriBMm`|A}C*kTH6j-`oP?cp!=ww}5(IaSFc60Rcmq1%${QS)5qjzK<H3mj;
zB+tI!Q5&-3ST|E|wsE<k(_!#*MROJTtq~V%<}sAfH2pNiy0c_ls#-*(Dl%%TwYj3j
zi(f|^p*%rL)7S6$L&S)pbHE68-tPsGJ20NMY;evGHc$6{62~wd=wUQj9Ndb%vGpY8
z{uuE_pZ)Y3x~@1=7OfO!E9RPx6=KFW?!QM*6{E9LfT|3m??#i*Z_gw^@RPd+S)ua~
zSghK8NDo3o$Rx@@vGJiiSQ3FJt(b(0>BHn^dg$?4nZ#PicJa$$@f;c6@MzwiVgd|S
zrz*NSyTvHkd!TmFv<G=0*AK)0F3)piAT#ilvuu<}Nd&dZ<q7{B7+}T?+`L=!to{~(
zo?RPO!E0ry$F!Iq&N4X2djr|9U=t8;lmhh)55Hh_|GSU+??*fj$%*1jf3DIsEL>lt
zU&oZ1^y9&n!gw*@`F6F0FrS&TvD%R9)5vSNKjbL0k`VS^tXHRD-b}iI$Q=-NzKMfE
zc>m?n<d(~ffR=>?Ny-~VhV@h<CH?aJy8+M?{?Sb|*d|`3JAi6ACn=az3cn{Mh&Ve7
zKN?B$%_D783DR!K5P5Z1VF_^RL^yx@Zcc2{SB1$URTPE}yH1($qDdmPih(nF1~`nx
zF~c_YQq4p+Z8ue%uT@in>F{@MeeUo$4O@aEZ0=4PC0z*1m4Eig?A6~iJ`#Qo#hFQ6
zx5qCIT<GP_?-4KBc0H=w7hEy5Vis5Vy2&Oyu@EO0{RKtHhZ7ANtsWOX&>`o0NmQ%6
z9KwbFW<c~k6a(|)kR2L65qylw{s(cvJBSXIRiwK`7z8$<=l$UBCGfSZ^-5=|DPWq^
zFU2cR;5j`+f|4!;=EpXp^hbv|eA3I)`M%V9K4jyZk{R~-Gt7_Ml>X2=`fd{Zr0c<@
zkDK(c%&u9;k~qfo9F@MvAcpeOD3JS*M>u>@^7f~5!FdfeyBULB_C_u1L^xlkZ+#i~
zg|o>l35A71iVF9)TpDb>I_srQuu2OZ(}+ew9E)QtCNwF3+b@aHPVmB76bY#~kE7h(
zKBr2I2Z^*}K)5}qMR<E;m?R;Bf0aV_HLC6v3YeMLJd;uA#uWVM$bFo?b7#fE#GNiZ
z*kKpZGfs(+oCnL=rRZz3@pY?<V8Z=ff0wqfLY8+_4TS~~tm$19v!0UtITKwh!YlR~
zBj(M9(TrHwB5~Qo0efU}CwYUkI&@8M++pO--2tb4=3+50N(ht#n8W5#3HdGMZ9X?`
zLal&<Fe2E!sRv>HT0d`h(}t<vX$y9-_*QOHNrY1##<<COF4xX2tNNzA+=s?V@ar^z
z=;445VQKL={qTo_02#rBaw4wRQ-nN^S!Q0nD;eb^$t|4pW*GQ3Zs2)$CEeHO?ctr5
zuXpvgKMse(p)B~C0klpBne+;-k7%42GW7;$&6`D5(Mq?65uebcr=C{Zh?QGoc#pO!
z<exVtTb2Z%4Q4QB<--YjwDF-Y$J<4^1F?`IY6JlgHS<C0_jJ$n|7_Ig#$js{{ULQH
zg7zi2hOfyWW@6w+wZf$)!5vroC!dk`d$V30>*;$xk0xy#Edeu*&&-l)fZXUJ%pWT8
zYOY6o;rT!!a*oh9kw*x}Z~XD5rPtu;1BE~tTgXH5nLx|fsG@C%<h*3(E&NjD)qtlp
z==gC3>Up{7w>P+^(KfQC+!F|Rm@Vk+<2=fDe551-E*IVkCEcUj@V8#RUlbJdC_S)3
zXupkB_w|frN)%F(VF%##&65ma1?p12;enj6FkxassLhfad-ceR0%0Xq#5UzHPJ}%f
z4Ycb4$@|Khjfj|{cYZSC;pFY~G+{@rHTkmA36XCZQrOVoR(lkZRhkwoSsFo5)7~x;
z$s)`Aciq9=CI#`2Rh54SpQgCqdcN59{%w#9LL{R>X+)>NhB@D+R{8O}TpQmFc;`1M
zcVx4S-Tm=Lj=7`uOAWN=3Vu&2C0gr;9xVi4zM=g)8p&w6SveVs8aQRki2?HLUi8|!
z9M9W`=i~?Tt67oT<G-@B_&(P^Rayv<VfV-G9G!jSP2Cwsr;6SgYSc)$P4iuwi0|(S
za2WBKK`>3CD_Up28tFx#Sd2AgCg)YLwiP~A3kzD5jj`Y7xQb5(2e`7#ZXxW+``>eL
zLi`B?7eCK$7+!n8@)nF~&$a)OL2qx>u*%eu^ZOrq1W5B;{b5>gc!{azBs}LfIKZIV
z;f446uTpEsEEJ*99WXoAxk+*)OLl+z?+f!@_F6^fXA9B7t9H7xZeDY^hH~N0V2vdh
z@~bX0C}$-f6W$-1sRzNcIBn<{hM1BJU#vd79mkUnOmgIb%?eiPYty)6rY_+SEe6`(
zp}H>>;FzniP+KZ2hv17~UC}NMmcY=tHz;AA>?QjUn}VFJ_o5gVB7^gn*y=5r#B1SA
zUz*kK3UAmMr1;IX4!^77cZphE4TRz1(XV%vyh5gL)l@F5XSLt2)<n}LfOXz)m4I}!
zD;?R=^%~<?WsrwWq6AF_99J9UGJi`_>ERH0X6Ey(1lnU0$^kBNmP!Z!2$drfUnRef
zx|OaEtG@lvQ2$w9vi*y2@c>p(g_y;~a7Ta@n$4iXLc!nJY+)%@tAwD(waPj4QVZ<x
zb1t_>==U%v!#=f%n0S01m8dVk4q!G<v6rc@X>0eX@C~znnpB6yhFR)h9!F(rTt1!{
zDMXi*mE3ShhapCV3-__p)roMdCcxZS3E|hz5(pBk`RU$%?Fc0eFODd*ISD^ony>--
z-kRj+Wgy=;7arIQ_=T4~PN{WDp3{qvR4x*@(nB)W5lN!0zi;p_@1JU8hIbG6MS#gJ
zNksm!Kg&~E%<P$letD)1>?lUXIN8hhYcIhhV<L$w#cQ$U*S^RUI_YX$@`G|^48Fm{
zG8aU_Z%ms{xW9?Vlm;Gjdaao?I8QK1hOFAWKp3iWcIP=iMI6+!?)-fz%3)QOu+Wpy
z>lBwo<&5xp3dt=ro{)<sMR})xt_CyWM_D#dy=Z<Eax0Hkvw6tE5eNWxQ7C==w)B{E
z4Bm0`U|mkzmzl@Xy!W&G6;m}`6V*<N735#=cPga_?6G%Ue$LK(y=#2P@GO0@Df;qh
zZ7k5bnl4NZDGR+rh24J8#eE^xQJfOvZ+W(5(J?{i6i&%u@+PWd5y>R~wyTdYoZ>Lb
zECusLC&j8gmt6u@r|9hM6~LfqE5}Wnf#c2*Jjx#DUH<tLmp!(#kxroXu4$*?TFtv&
zIliLf@NF_DZzH0a!Rd0^N05)?Spn$co@=kZ)<*3~jtj$oN|OPe;1v**=t<gwG%v5#
z+Ix*6s(S38;u9Q!1Kf!ZyyGZvqDOWmFy~ORFN)etvC)wiq##wxN^XlB43?A_2Oe9#
zW%LCLE;M!o|J6pzRgrD+hrz<1=YV=0i9i_eDcA*vp!`AlbFkvpcDVti-M~php7PnH
z1jDod3cR;K8)nVb6$voH_KrJ1!)d!yYGJR1z0Hz2*n6WP@Libk?$YD4^N6j6Qt42g
z%=r2m&SIkY+2`&|SfX|-&=<q?j)CA#7%i6*k(oMQHI`+o-ziStWvYC%%Bg%0Qro)d
z5;~l##99MXOHw{m2|rwk=W?97<Hd}?utUX%-Y!0y;afEw4pW1EldhefJwH-!)m1ap
zJupn`r~n?QT;0777YE8ow6RGX9AOf)I@Ew;Jx30wUwun?MfzWa%-E{Qjo!j{(RVRW
z{%IBy{|bc~PJ6VPqoLEn01N}!P#4txLlS0vB>pjf%+s5+fyfw&vO6jE60c6!wp<Qr
zQ#3|eLNx!r7KMo6M3?&nutHQ>C~^K0>CN%dpbFD7uk)>1m2}t2KAzre>(5(*w_SDV
zdIPN@r+{ReezrvNFB)~qYN?8^m;32C5Y<vExpo1qNXkEDCsomXKNN^mZij=i=gYTH
zZ1C-m<%(=4K#uR{DuI^@nfOS%bffr`0D`F;G)3{_3FF~+Q$Vd<J9tK>|1D)`8UvT@
zb59Q-NIQ`N{}7}o`I-Xbf2K$=xhb=n6sll|XWjc5!apD8r3{^X<X{zq*E<E$VfsfK
zlq=>Pk%$NaPoO#y_yKn%fBwk8?E`Fh5{=UlJ<f|?FX+3UB2kZ5p0~?}6Q=3J`-$Vh
zo)KPn_YZQLuoFpFSfvyTCBhO4fH~wT;ONtu?UimmAK2SRh>r`;X#~o-H$p+?ex*8-
za!MjpfI4FGV2C<s@9Dn|3qD4<?f2c<=%7uC!Xg$gG>Q&`kAz8)C6BZNn40&}fDa1(
z6h%KSWYJz)Q~-W3VJGD9OmxRx1wN^ert!VR79~?qbmB(6qBlATxAn@J09;?s!=t)}
zfm-0t<8!lZ6bFh%=r8^mk)|?|4W@HT%?+29?27C&Q5pj7)>G|PpEQs4f;HPgz!Grx
zUei>v*ZiE3k{@anm@Npx|3m8J`8p+%{2;KQMGu^6iK;zPc#zBDZEU1)%i+-0(pp}+
za$6)2U20NZka9MkzPTY&@!fjfLCt^JI^yz(1CBdRa>p!dkREn%H4!IMV?nw?h(SWf
zCF%E7{c}L8L34`Cy$F@5@NE<+u?Nh&vFUQrGBNff%*tN9n}n9Dib*^VMAKdVTCUYo
zLKM1r>QTPDL^@bg?v{fbvXF%-#YY=i$P1I43Zg*Og7zrq*7z0?BbevjAt+KwVD3Fh
zPXTX;vt#Ir@OE8R%Gnc`B}#FEZ7jE3pSScDwC7D;!g`@u5i)=6X{}O!pBqFy?2s5O
zW-W89X{T;Wlu1=i6{<!#DPN7fqY|#XT~9Y)jUYU}!jm=;<05y936Hys&Cacw4CVU)
zXq%dm4-a<MhkgPxe-gZL3g|scq~VXlg4;_nP)0u|T?=^zY)O2cyPP12QUoYLIQK0f
zV$;Bt@usADtnk<TUsNB12w<-CP=*qGEMRlh@hb`pvvmMY_q(WYBv?JY_%miW(!}Q_
zpxus^UWRL8{=E2D)Pb_S51$iyuSz|9(Cp#NUn(+8jXU+=6YKBMqHDeC#f$b{&X$w_
zV0x)}HFJ02;x^A@>9oU_qCqVKcT;OK^tIWkN+G+A<%@NT;^d;~WE;4pp-z!jUD3wt
zjJXMAejWU%YA&GE<(_Ps`#ej5f34_gCed4bGPLL3yoKt#r~{0z`lWOy{&}nGKFYXh
zj80!erge}Nmfh}%_r{9uIL3O>w5S1|PRr0E!C%*Xy!JA9^Z-rGceH<1CSga`h|;-B
zwCB&7fYwqMUWL_BT?V2;w%Q6=bKoJRkN7HNXb>TCaR1vYm5e^TkNR2(^#UpaJ18;b
zFtyaoUhPR|!hB;Uu8CFcupsryGsRHjU)t(wrR#gPu2Y2@nCJB%_8%w9xYs`u>H0W6
z>)l{HRZ4}d|4y!JpYkfTs9w3N)MNYQxP1L-L#u13cO*Q*vD^c%)f_}*8^fdn$H(IR
z`N8WmuhwI{`ywS{>93}LoUhM3S|>!-M;dH2k6z!BhvD{Jd^SUe@t`ECu2$^TWrq<p
zS&CEgc8ghuoJ86J5w~C8^e!?U$jM~9$Mzm7!rb4-6g(^BB@{15N+NEDLw{@dNDqHB
zO41CM7*lHhh)jyKE-zUZc)&-6LxX~<mSQkMK0XU=KXaeN1B%G1-$JZPS#v||mBtgb
z+SnAl>1QK(XK{ght|&U-Wdy3;^$w5nqP4&q(56^Tjn}>gAvJca!)Ivs4W(MmdNTuz
zTg@fnVOP8{)!$Kie5Tyta$})%*>?6ylEltE%g36M4GYs-_N64@Jn;){_L<xi=lzZi
z#wyh1>540kJ*{=}83qTA$quzo1Ec!?h>sC>rCW0!1DMx{=QX44OMRTwiXGnNf`34z
zL+yKYkZ#^R|K=Lyg}Jfd#MU}HDhCUUZIT$jke&^+ytsai6tJ;x)_4{u7@@SuykelZ
zkYr!Jf4~AeufSgyfUU3AP^GZqz5gvj#ZUtl++=+E@BHnFr4_WU$OZBh0>Wj}qzT$x
z{S_((3!;r##~!6ryHcX!xwe%O4CtnckC@Au?xZqercekm;>~}}%xGC`*QzcLlPtt%
zrD-&KHNBeo`VgRwV_Zcp7F#h14skEb`~mVv85q8)4^DrvHoy4pLa^YZkuKk>8(Wtp
zT?{>^l$AJ)j!ngwnP_)z{jnBv!x2yuTW0P$!_;B}Im`u1i)95T#KJvF&pO3+`^4<4
zo$0j2dfI%3$P1LEHieJm7Wip*6WJ(_#ar&W<p~v6{kWr$ZC;8OXxaiy@5d!slucAC
zLVV;0oo_bHYrDj@YdY#9ynMv6xGB%uT{AT@O7FtDs2G}s{f#?Z3TNsI4X~RQQx>&X
zy26YVRc~C$f=kwjv|-?(cDv0&O!af)OAE16YN)fSO3F1=Kl~ub+l*T6gi05_u*?4-
z*It=8EZh;@OPL9>UNdMdD4;ceTHzCK>58`=p`U_ToUrp`CZ>^~XvMJm8am>AEkqI0
zQjMG`)PxtDE29P#7>58!FUKdaPy1_d^-~a2IC|+ccM~-%n2*3hm7qp*V_9@KYw$M4
ztwA^I540Oo#DUwQdRtW8aq^{yoroue`T`Py_lf-AK~t(0<8rxa_W<pMGDmH&dLph|
z)q^$onl1WJS{{4ZvFlK;eQC@%KdLL{n;y-?Th~p?k38Z>>c4)>{x+g&SFW|R3Em$!
zwcAC^durqJEqdJg?Z2?MS=E1RYF{xkwcLm}sT&ql3To{VJFaj_IVdIF;}5V3(QY0U
za-b^15m4oiO@KNpGSIbtyAY1S&M5SFD0`&0mOWY_RkZVD=Kzhc(3cGQb@ap}1J16_
z?>w`1{hl%W0ceD?gv>qHujW=<h?~Vue@u)oa-2|97S)XCjr(aKGAt1qd*Gr^Cj&cv
z+><K)Drfv80Ls0QOZ=mrZ-A~_b<Jtha$+z%(2B5hv5JrwLZ4WEzTJ=~K|d3fbSvO6
zfM;-Zlk~Jesx?RvAC{X^3%Rr3_kLhQ@YkMcss>w3y1K|;=d5nb5{Qsne<LJd)#aHx
zbSQDVnhIo=4}YdXcG}Njv=kVer8liF&1}^s80Fi0`|62Sfo0v|Jz#&LfHNI>bifI;
z9voQ3wtD8edOnDQQsO^4E*s~-rC(nJ{`1$pMHwZ1y!|4V>!f^di;R8BRow5PX~km;
zambZwh!W)D(AgPi^k*tVHw1#UBcM*4U1>5r;ih1fHfHu$LU25`3ekED^=Y*UlQ2yR
zM=~!`Fq@#dI8Fl}EK$A%<6a`Xg5fRHvjHkuk^wK8`KBzy!lNXzdv(rb1M)K8l?Gyo
z^EV^GuS24DFkG{Xz(k(7ydZ6(aYcCGT|$nH(|K(TEWhyFlQ$8L6sMOr{(zbGd<chF
zd}ISgh9oECW08AiUf$rPstT>?^&OF!IbyGw_`1{eB)s}<U`Ao-yQdmX1x9r3+O%NJ
zE0#5U(PxIqA~l?#f}1&$3Vf}WVFCMGey^Ehqhwx)p;;m-?M1#eJl!;(5`AqZZOkh!
zLr3{_*uH0Ul%We))UKS6rB(0+v8t}5Z36oUz+j7JBpdfvmOz`gsv`<lZk-zJrTzi#
z$=-*yzOsMA>m^zN4;B{l7U^cV^)-gUuJX6gMz*)DhHq2KFsg?E9(ZdX4QI08Dty&R
zxxB^cfsSp{(F^4KRGx^URFR)5E9OI4{`Cmz$yv#I3f}iSY?HSy!WS<VY!{5yk8RnV
zB|pEPq|8Ftr|MAk+FYr~4QZo#rC{i%ZHli1@q6GvJ3S3^PfX|})7oDXrbQUnC978V
zO7Mk{EBL#g+E1^)b^HjHxQh7oTuPP#mT3rwkX2xiy4bM<Kl%I5MHLma003#JAPg)d
zh6Xa}d-m<$4cfds@i$!yXuEqPf#79d4`jn!50)9}D-@Oy=_be*Cj9$}n@d{^HZx^?
ze++n#JShA0iWbCpyOQXzSFG5AFEq0dROc5|E6;t|u7Q)pF^H#n;}NMp)o&7b?7(g|
zM}ABr9v{I&tvoBzn!Bz+pG@6V`;m#F8r%^-f!#z)IZ3T-h3`l*9w+?OZxz_Ivo8bA
z8|SmDVTqNC1;HQRG>xsk@eVjRy>Q*kKNn~b6l;tSTJ*1@{B88c8*x#xRQDn`KNQ}=
zA6SrlO%lx)A9mhF_^Gz<3V?5J>jbGDt!LbGhwVLDu%8wJLjnr~%q69LMWPr^CiG6X
z<>ZuP&??ji>@^P>9$K=2x{*<y;;dVC98Vs`auxsCn(qY$ZFd(UD!ZZ+UFCti@t7nw
z^@yz^TItBpRu;mIFglhYIY9W~lCjsoQJ9Sd?_`s?+3pD&t#8nN)ToR^XYmtx<3UuD
z7X=^#=-<>PM1=>Tw?$BSFA9gBWE?A&jB88n2DUxJG|uL7>9d1U;B4{)DTxUj0ITxE
zL7igs2q`LT;r!FK6_k!JxIry1vIJ)fI%9!ds##zyJ0=8}b&6ANjPGwjD;6JJ*gYTM
z6(Y+^ad_U+1^PSnerGDL1~&jr|1PS#QP32Q@@h{2P5E3YoyYV!=*RLT1&(67fBB}_
zyDkR&h%P3qYY`!+4i*8>FVs_jV8CS9_7=Zq%Pj9_41_U`8-5w!MwMY;9@Z;v*oLni
z0pz2Z0u+o6lqGAL<j`p3xQo_T1V1Bpu$>##^L*2XUJOkJI%H_1&tX;vm1CcpvZXcX
zwt7?pqTqgN&~1kA;-J;Z+n=yf1l7np5By?Ek%cI)6e1>lsqi1CYWDHJc@~Q&0kkHT
zeWE8*1x2@O4U0ekJRk+J+14K5dr~qzJ4wN6gNDAy)3EbyT2QrJ<|4q%>j2W>8G>LN
zkP+LxXrGYFsjkz96yZKS7XT_}pA43mfhIHW+PuC5>{{*YNjWFtPm{m&fr492!K^q5
zT%p77Ue^9RrJEv4_cr~*GO5Imc$oq$*=vsrH|AU%Dz59h=jjsd*K!i#)n{a&IR2kS
z4lp62Vpn^SWGK_dmIEva)Tdxbg3|wO%z`Z*08^4u8-As5;WYBM>pfJrlDgej_1P?v
zfZHfog@W&g_-s9=_aIU@_lSs2kIH;g1Mc0JuwE_#+Z7&o4DUQpuy@T714fU*?DgCG
zNQZEP5cJe3^>zrM+-&<X6eyQ>2j~ual>%%Hmo@GvFV8*%Lynm5HBC=T&!eKlE!uuB
znvK^j23~s|hdQIE_UN$$>?d%P|1aCP4%oZn{&7Mf?105?e#iIP^R}M|Fi1V@<_4~r
zxOCDEKoqFnDA-_V{~Wm8F%eqCOpCrmt7OA*u_|waTEhH4D{nC2wDGtz{Y1I3c-T<@
z!lCD|53lmRgi9yrulhWuQXW8e>s-c6E<-OiF9eD51Iz>O%f^X&Y|N}oM24bCD5`ob
z;Lv(ynRA$Cbx-7MHES&i83APZLwLv;6WueeEV9iL*0RRv_yp7fa_;}fyOo3+_PFBu
z>O9XXa&MuF%<%L(8I<%Cje;nOyN!WRuUstP4n%IhRg!g(nu#zM)hzx{;l8YyjFWsp
zh!Kwdn^kzUx$R5#iXV4w8YEFI-k>jtg;_H3hAH6@^<*N<e@To-kNKgY_OlYtOPsnJ
zL#)Tbzs+1YcRr&(?d$?8`Jb){s=yV1mzB`{4Y(p?XcXt#*bO##_+QbZwL3V?(UT88
z#Ni>&SAq8ofL``H82nNckQ>vSbH5FzF;Q1aClV}zn9g?ckXCH+lo&SrN-1)}EOoSi
zzK~BO%*T{7#%5g2IBhsD8_NAS9!;U=olz_?8ZQA-kp;NCiitZ}=s)r%p5NKrzlkPI
zpplpS8QS|cLF}Q?9Llf*NmYMt;japEVl0+U^qCv-v)jyk+qb?zFo^Mn{;~()_su8`
z_)B2@p$~g}2QwkS;e|mDg8i7kQ+VxtDXY^`64)T1_aS1AgL^8ftMsNdc!UxJEcHUn
zw4n|Y;A?sg`lg368gA=9<p2g9($$Zpblh~0j6I}lNpp$A=q>JSOo9j#f^vqi50?PT
zSh2vxZu{`QlV?E#wJn|SdxsYh6HKe$hu-Q%Y3{@6HW*s;ZMJXt5kedNN!)-3Q>BUA
zx;If2fokz#%%UA)dji_M554|c=H;x|01Hw*h&hjkQf)k%luCp8fvfDH;oXk+!-TAc
zC?@Jl9M$ei7_=7QqFVtL!Ci1YE`m9t@J2gb1U9YLK<iDT&`~#Nb;2tJ9kHa{s6LN|
z^{dL8R)CqyZPzs&l&xz-6!@cuh)`+^=ytjQM@9V=?7;CK!|rn8zk8SdtFP&wj%v`(
zbQ3#Z?GZxj`G*6$NYH<%mtx;Z0glbbhmyYVGc)0%TmINI+Qk5uE;ZBwBG9`7Sn^ey
zlWmShwK!2d5r<%@L~;N(T>PQXCRkJ*!00)BLLuJl3dE6lP?K|@`YRnu*Mz)lfPsMw
zY%pLB(g&(LL;%=MhTp-oL5$V&pf&(oEqvQTc~f}3?x7k`N4WBBc(rOTHG3=iC#|ZK
zS}I2iidJqmV*uvWX{|Dpm!ZY^huBz2azDz@^mpNNQBfXhmw;2?v3iB-`(@t{>KXgp
zH>O@>9V~!d&|n&`lUvp&IM#4=wlVHA77DLiJR;5SN7>M<5hz>YDNu#=*ucyI?MMB;
zT)N)okERA9yl6cnFEh?+jq?xB_$?V%mppliid#l!H06h8Z{TK*#o|^~zgP!q?+cp7
zG%!ntBh7u}v;bk}^{|zT)IwyCD}$bBX-+cB{nLYZmX$9No%Ujcy@Rcpb9aX=eyp6!
zW@RKp+fZH7DS*iH-ne1M&JNBpq7>TCL9P678u*+N)X%f*JDVFf^mo>E$q2`ksB51}
z#U1e)KHin2!0|EyT?%sj8h!11QqB77bD#x;g-J2-vzU~#p}W&<ulGp>z_HR5xI`el
zSx!nfE6@cu)4=@V7~w$Wz8K{_Sz5$=aa`NNt_il<aMIftm=FViECidzEyGq{1clA!
zKT8qFrxWI_yEaYkw9E0w`o@?+XBKvV;do8>^Tx6#(3|Q}6AiyDZW~40i-O{HjQ7Hh
zxwZ9Mn@#tiDjl6fR_$Lp2DAa|KrfaQ0Ps4%u<4?FJ4>-&Q4XjORKpOedt9CC>tDOf
z2p6!=%E)fXlf^&cm6+?QWst|O^l#<jMT#D4zv7hqu)df1S~=?&WR#TG4OHs6_@f%T
z{v*S7A&%P$hG#EYge)~wP;~#>x-qQOeAi06^-4206{FyOT`XljJE<dnOU;7wX+TtR
zptSIyxkvn3FD)CF>k5Cx^|V=aSEOlZ>g1rhjn15T$se+iB%ztuL12%7AfVt+5kNc|
z)C<@<^-JRStM~l<OKSc;Vpk_S&G45c`wZ;0qQ9h6Gd;Yt)7V08Hf`bAz{^exQm9>_
z>Uz%xgN^ldAq~l#LOk;5b%Ph$R{F5xnOXhN@FE@iMfpW>JTzLg)PfS3;R$qxgu}*Z
z@UTFa3Gtd=j?E=+B>)qbKK_fOaOroiw9dh$L^CISS+eFNzyNo8H8(yWjawYu_4kpe
zu3Cx+rJ{v9=aT#kaPcVomk68EvnER|TmSvem6B!2O+$lYo3Zq9;e*brDyxsqwXan8
zC!?|lyTK*`Zxe%QeFQ`SF8RJDD2o{xG-Z_Yr7O+}#>GG^KJk;ts1bWND?Nx;5@)yX
zyz#X(86oT(VWvYgLU)v!AyZwX@X_z~(GQPXkE|+xGA-o|_x|*-z^i#TKo|!ekx?&Y
z$*An~1kI}8_@h<n_Bg0jkw@7RJE^dCVtqORbMmhH>mQ+vNg{kaND+9B1}1iK@EK@(
zA+}GuX`jtQyr#eqHfbuSsnp*0!{|qKqYe2;yZ^MXG~KEm-`-G`uCD+pa-Mn5b0$?E
zj+dB0e651%Sw#f;&v0l)u_T}ews)KrsJmP&Tg$){0oPY8%t7_8a%JDfHA+b<?`D)T
z4Dy3lh1x|T#m+2{Ym?fXf6P<V2ib`b#pyc_SBMX|c7Tr|?)Q1CeP~5UVleg!7KOD{
zLO%m$i9W>xOFo_hsqos%<4H15!g}oi*K1h{k4M;Y<-5~?@?37UVA?(LYh?d$<P<!p
zTcVu3hN4glzbIT3x^FdFPHn}9w=bhpJxA3)x=l2gxCRZ!dNDI;YV{KHku$#BOG=6n
zr4bV6FNRGylDuFOm-zIPHyKAG@_M3?Je`4(FN?m;8Jy(1U>2r1I(N5b5|g19;0TSH
zmOBYeJE!xy0NeF4*quSmBSPqY-7~VhZpeItY|Zndx~jCsFgB@Kza5MGG2^4>BAB-O
zO%XC4M*=b~xYsHelU8?&v-YS~9&IqP$TFl`kEP-wk-wU`o1Yudtow~S8*g%Xb6qjn
zZ>!giZprAsw~18XFPuqsIqHPpQslC2wvPX_A8_<+9Dd=JnS4Yt^3mOGc?Uzk8Dj;b
z>yh}ed(G?%1@^dHQQ#U}t1k_U=6eO8idhmUOR7+t2Azo}LSZKtF*_pzk<LV<<Q!HF
za9Sk8|7h&I<Ej21J)Q`a)udxa8dl+uy(5wp9SPYhk#WppmqZ*Pdv=tvSIV&y$3BS@
zk==1Pwqs^=-yh%K?Ry`Od;hrq^f(U>o%8WNpYtBC@jM%v8Mjl!-T+jSyj`2#IQgui
zKoVdzxoge&rWFpa%?Qx?|9a*uxV!w8O5Awl!Qfqm#tU<Ky_%R;;bun2#y+QJFFQl(
z!(hbS&O4xbm)qIt;57Ns<z%CMFSb)*GHoS|)9<Xw&uG;h&S<{_z%44O;?pEXHbc4x
zxjh(tLc0aw&Lu*K%v7()TsAwwqxgOit-^w5?VLghts3u4o9Hipt&BLr31k;WWTx+S
zc9991;7rr=v~4S2b=$vNpo7|Vd&EwPRqFbr>ATD^c&4<%_I3+~kdc0kEhv6#OleQN
z{+3`JN0LlN{dET;*Z$+m`CE%0Kl|KvKwipCF;gU|NF3@`xZy>Q3tf`w3m3a4tl8WI
z95441gX6efP{SD7l$tB7_{RK<MRC5`U7rNiRuPO1IbNWEwKn`L=|P~hJgyRy1<TU!
zEW}={gW8t`7H&_UJ3?Vx$PYRVrfUDxv!7C*9W*cS)>Me;Ra)zswK>!4ilKCZ1i2V9
zQ(+DlLa>s#z3I7W*P9<ER8@m#UrH!jCp6q1*{_>$x%@LOUJ!?jK2luiUQCL<xX7bI
zE!vu${Q_ww7~WxVFfAYn8s;V99z6s`)X=Ptcm}@asDUBTyXm>cXtd>p$*nly;LGA8
zO774G>UWk-b|^MihmuVlbieIv+h&?ZjS|ViyZxbkHttQ|=G!}UNR>mO4I{{=x+dcw
zi)v#Hxz+J2xaSt^q=5CEOPZJzU^C~^8>2vaRbUYW<p8fD=5n5ncRPR5+O2cbSqh3m
zGg%$(Mv%#xKJ5!E!j3Dj?nJO%fxt&Xi=er&mMO#>sP@2r;lr%{jW7}zY^_e>x$|Un
zI1IrA%KxKPiodp-xZY3a4pPEoznuAnU8K_PEGcd^`i$C*d>L8ZC;uk(xe{M=gM3*7
zd>*LjS)pztuZta%^|ID#nDrZw(Tp$)=S!{G;~mme2|33^JPU^XV9qaz2Agf{-Rb`6
zVbszjsioP;SZ0*gp~P0Zf~js#g%Yo<cau_L+$3F^3cv1za{@Fj`DTtL&!-+NxWDWS
zyE$(SyvH##s1<pH7rxaQ+PkeH!K1V+Sbj!jKj4_JBtefWNoW20?K-_Y8uqQUR5W*(
zOU!Ykp_$@2QD1qazla`!#(PUvB348>4u0~-!VT5P;FelS&wW#`AGXAVjYaTyP1g?)
z4@B~6AH8{XS4)v=%PlslD{jW?^PHENy(HMyP3FeyXoV!vmw%}=hLnc%x6Fngv<uT7
z85-3bMh=M(-~7z@&Yn-9wAC;e)hz!)iY3sSKfVDfqdfHPU81;3&g<uy6CBjxsnset
z^p0HVpjK`w1(V243<;NWT-c51VV?v(z`6+g3uGgD>Lp4e*g=o*W*@h&9v1AElXFV|
z#npBQsU+i<VI1?~xv_{V3&O3qFZsE};m$iuVrsMx<r2-;4Ro8Ix@Q2(?*oaWWSi-+
zjz=N=O{2LukIX;fAaLElb}47khmtwFEp;qpiet{MhK7^U$TNkF6^?h!5_8*(z9)QG
z&UZkl!^k^RbWxkjAz~>Y#+pU>!hRwt<UIL#tN(}N$9KB1Lyqg$uapnAy;kY>R?tOd
ztq!9GUe%>d85D)Nc;<iH+An3+XHJM0D!uH=Gl*ae_B2sM;@sXdd3NrY(s)ypktt~R
zY!lYF{tL8<&|MAn;99u<Y~kFs{B4lCpj$5jm7Ux>JmJgR_TA_rfoWogny0L#zfD@d
z#N<(}Wz|G(p51o=AjSF(o3a5EPPp)&S0yO^y+$^NLr>Ph%4&XPn7>19*&eWT=2?9#
z_JF=)<+My1e#9D_t^Wl*XS@VRK*oV$d>gL<x=4S3ykHh6Bfne@O4u87<;}H1eIh<^
zHhS|~;Qzi4AsmOTLq#&OO7=NA<qMC}WZ5cj377B^(pPBmrI;PR{xXxW+9N2R+}6k2
zbKuG2iEuq@Af_+4_F#%nNG5;s!;i&cd1&%~aLx0jFnKn2cD4ta1CQG=Q$|Q5k&e+C
zHeqw=7vm%c;~DacM{3qj{p@St#;XhN99uOvs4smD#-o|hDU3?%Cc4f1J<|IZe}T8S
zy4;M>@YhzM%(7#_)a~qN49R3^=I^Rgid9jlblSv;pi_SySOs_r&umyJ6}yZNI%U7*
z?0}h7fJ|{2w%9EpE&O`4<uqS%<J0E?iNv6@xNMWLULQ1a*%-(_I~ff{{d>2q_Gq$S
z3!WVl4rE>)Io9t_a}iT~*<ay16F|_o`CE64EqLdr`AzNIu4~y$bgu`ofdG<r%<;?m
zwEGHP75h$gI5V@=D0L3%{g_iymRww(*XzKkrc*l7^I7`V3(6CZJiixU3j%}AsC0W@
zV{=0A=q{Zpi?4$h>sEm(cast{qslEXgJ4&VXH#1PAJ$ul;)C+rhC1hA2B`b}yXo`l
zibCK#3rBm+c>k+1Y|LHW$DgsYtzq=3hBe#2`sNZ<k$&b(#SUdlyEn;prYFcRxSe-{
zdE4SU=VVK8cl+puLH8daRN8pB#W64AuFfnv{ET9k)ac8F6K}Os;xg|G%YM@yw*5_j
z|I<Cno%lj{gza12EE`bg3_?`1(}fhch!w(X={a5yY2`>VO`PS~*rN)dWuLO0bAI5~
z&}E0UzOR=Aso-s6l+4ZC6)uzZ8niPwj}rSoiu%}@jfXKDFE$MTV1t=~J&X(INW?nf
z)hkCp$>~2z{pN1T&~oN15~+SDESuSOq5lJ2VVIJp#4^=yB@g}x!FK7x^8F_e=QQ$x
zbXJdgQx+~b;wB*$w2V>s)@Cb@<ZCUAa5?QH(z?mRZdGU}5<Af^u%jK<3R~KEeg1~}
z4fvM7vWfI;wU7o(tSMGbm6zoZ4@=`KDQvW1jhEpEf#aQO18ARE+ulds8Ta@X;i^fg
zV7FLOz!TAb+SIm$=}9{#>3(g@k?(ixX~Nsx#XT_6TbwLYbu@=Vv`f4K90jm@zo>M|
z&1VD*IrB8*S_KYXw~Bg%oo%a<l}3hbHe->QL2Do%9q{w)CS>qD3Rks2J%^@*SqbH6
z&^Kd1sIjHlT&uj#4LJk!$3$72krs$iu<Q=!fa2Fv9&&ahav4)1GT02v5mr63M5PYi
zC?Nw`+AlYoK(xj{1hy$UdW0FPD^}lPeDt^IzLo-$o+rk(7N8u!+WLjw>RJTb$W5!C
zF^yYi7igXN9)CV_{4g!@9(M$f^3RT#R#|JC{+t@XIBcWlaeg+OHy!rUKvGPIHdKj`
z*uI&B6c-Manr9xlwPkrSg+0MOO1SD~-`qwL9w0TxhAh-M$r(z=6rUU>jw`Dl|H0=e
zZ1sTJ+U@JYG{AspEu~y<z-X__??}bY$3y6WWbn^7;Vr+WT_O7cR?X&?!j~_js1$MT
zRd>w3CxtL;`lW%3{xy@YoOsw<vK>dr&e;RwmXrQa9hgHAV?Y8SCY(EQA^QYA!_fGW
z;?3dphx~J)LMK8G|5@Sw^Afg_fOfe`<M7&<hJR?JH-{6X!K~ZzBi2vEN`v^y?;{dy
z{!f(XMi9v)fVR?A%rBsRGYwUf;oOu8)0z;?qmQrY38ZlNN?WBfmuvWNB5~9-xkI+S
z478!F;9%&DjaRw)=?!n^2{}l(%XRSu{!RtQIgW!uHKdduiNq2XMXvF^@;>Njhi9d5
z$Jtc_?K{7urWYtQ_jMkjgO5(Vl>>n?%*ADhg6U`jsTj=%9qbXrCxXp&>mX-vbf4Y!
zZrCyNJKzerfCWA-Jodmq$epnN-%W74{|yW1zN>Ih9KIj{?gU7h0>D`4Y5q~Ez;!_n
z{t==ihQ2&M6$MENEs)}*^D?~0SYb?IcY>J}ij(@aLPfSwuu_m`0|W^~AAmKf=v$rf
zk|!?#a+MakEZ@&uGY;|sFRL|^LHRmkqIdC`3%p}>TSF!6waWvCE%-X!!>hO$>t@kN
zb)MuBtPt+ilxzjL<L*F29s{z^Lw^Hh7G~6wqK^o|)LF{IV7?>i;?yl=vfwE4=ob@T
z%%hR9YXBGuDIA!7uv69t^49;<d>&HM!86eynKTLhgqgG~utNUShtMK>uz}_r>{TGU
zsJb;BVNJ-A)V+!;?g1Xcfa^WfcIN}G#}?-gpIP!7sQLZ9GmMs>nExAeK<^ipem*8l
zO$&b_RU!g<bAfaIK-4jycKpQt-gj?h5Jc*t?z>dK*)<$zW3nsF?~{(7s=<#1Ln+bp
zZ(O)Vkf9cq{9zOC9%=Uh;=LqavkaxWtjU)O-i`O?x%_5wtiUGv79Oaf$Oo9Gt*t=3
zGdBf=_!f}0U55)V?*lFthzj;y?)~b3oX0kaLC4i7AkpwiDEPHhLE_A5dRb7c1{|1P
zdj59?NRV$m>sq^_Ue*eGm~dxQed^h4I)czDIM)D{d;d|5=)i@Zl%~f}%Y-u4VBH*c
zsK3&&FA~HBKL7)Y4-IaL{%fX|86Z~}30k$nbz=}xFv;BSJp`}o+sOw?3Ot|(m8}o6
zKD+ENAQ2oc^5dAOZstaM$)zQyuX6;OL}KrIp;~*tu0D~d*Cva#+GTa7Kpz>)a}k%6
zdCyhjA`AqL7ElSfS3lPcg|8&5-G_Dh&)rj@F>T{D0n($rRHA7BiE<aQ@PldCy2hf8
z<D)KW^3?knj7|aW5Me42KefG4^{x+q+!8wn=oHX+pVH{T4Vk&ZJCJsG#k$aB6qVvq
z(K?hNZlu3YRuBPMec{bZp@J*kh56VL0)@BgN4IZs7Q5W4%uLl{?_zT6svL==Q!o5w
zB@#b3eU#vlIN)ZE+sG$L6MN?JN9uv~w$LI_P$<?cqk{bLZg_A5(st_cR%zQ}1nY3~
z9^Bv`l%lms&7+%6On}z$-V!R?u4#v{dD>>zP(`C<K)h$Vvv*6`lkuQ(2=ywLH24(z
zHE)xi@nvZYL_1lBtS@7deIa?Ue|ZF~*B!bw6`&~phBV03lnP0+j<Cy}z`;x?XMJ7U
z@MmwSQ`f!{Y)n`IrN?IMcj-TJ3l=myH+QHWFtU76Xst@t8F*g1BE~|n9$@UyoMzg|
z^d5O9d2Cf9@C77k=2;Iv{K&kK;v6rhr-}*j7za|jNM2V&K{H1Kf1>g0bc5V=J+w{f
za+mLC(YDUn?eD|e>KX3l9H6l3cuvf%4I5$WGwp$uT#-hu0}S!o20EMbFRz>(so)iS
zZo3bZ;*D2f$dk?vh#1om={{gjPjT<4R{zMN7tpJJSX}+q*e=D^&Y@O}nfM}r*fdsK
z60q=ak6f2ViA92h5`RY%mZI*Rht;@_O9;4Vtk!y(@>qLSNIvri-3I^n<|>mPfCg}f
zhku&rult>K{f7G4)h>?jy4S+|-UP}n_|trwEB7CK@cl+cxpTT}NC0I2?I=vihkTrg
zWbIpBa=%LA+i9yW$M<$e?@a}njLM_2=_w*l;?yM%1j*;Ew#8=Fr-5K2qViX;;jS{B
z$Xj8x_E4L`48>Z@zdX{&tdsa&Qg8B@2fU{MG3M~(#<bRm7w<67)uoRB>X$ebzN{((
z+Y!Q@afE#<f>HSf2XlYV9nc5>R6;zMO0@wZo3lm+4))YrD>{4yLvOCYw2^41%|sm%
zUH;THJ=UUcKcSBBD&fUDR~VZSe1FoX%msFVU@d1%x^EsNmrs@OHr=(~5}*gQX$E=6
zTTuxWoEzvphJ*~~D3>s#Gln4D*FIO$kO^BXQ%rceK*A+%62_0=UZ{Hq2Il<U6snYE
z_PyqEwCO|)Uvkm_2UrZTOB>1M`0c98?614vYuo;Az?06~9RKP13TY&-akTb?Ubaxe
zD-V$|^dQsvP<K5g)uYCQb^a<cnOiZFLW$ms_&qLO{}I`@I@P^VBhCE-H&dT9aAqB+
zKw6jhIxnk<34^+SIiFG!uYbkf#u1+hDUP}mK=A;JFJPS9jg%*5ue2I%)V_fH2kFgW
ztfMi4?ohN~cSx)Iz5=W5#52@Yhh_C@zRn{ne6oR!6ik*3QA2dg@<2VIlDGCfe4Xa8
z-QAJ0f>YF9>Qm?OT5J(IBn`nL+On<+nfyr~qC=@1SYC)Vvy<{>oU}Wr0wy05Mp}sp
zR6#)>NA#n5eBt%-OIT%9Nvvh5^L5h0Vla$HcTR<*D#b=G+<A~KQb3*MzR#kTZJBOu
z4y)g;9-5W=)wJ<eCu7K4$Vct1-i+bq2v;9Apl79yfAA~Ww5Yi(=F!~-MGkhdSPUcS
z0_h@>uuy+0+mbW=Qpg_B6!XyFs&V)q*#%Dz1+i9^`rm|-jRHY(35?$M4}G?#(?x*8
zgR8hn2)Je&Q6DZc44Us_%PmvK6zRaHv5xS&pmC7&5_hw~Lw(m+Jt4(&)l|WU7oq6*
z<d@>lf~Hg-!-}hZg#4WE$JV>*9~()yI`g<XBe;Fvs^(EJ8DyTs^eh^tp(A(RAz+sm
z%2iEPP;(7S;vV&Gg<EMVhoZaad!lrdS$f#XvRJM%A;x}lLwrh;WIuIQdBeQ-y0Ia(
zLk0t3EcWg@=9v4VkKPR3xTq-Er7Lfcm6H}gs*(CSpJ|TtP&nB(?&`#Kp>xHoaFO|(
zi*NXg+-YbF<ir9iH6>1x?cwy*CvnUT?ZiXzM%pCG&G#-(;TF?VxW{n!g4yoooPqLX
zO#0fY++MYSD^2O>E?EHK`TkjxPE@h1*T}er45GBaTW=N+AaNc5>LH9rd%Zh_eex^J
z*nRzz2-_)MqpYqlFDacaT-h>;9ScYGNWfy@hYLo++~MKU#l9b7L*B{S(?((=7nMWG
zd$*?Ls8dcc(3&z<ecAUs_L)esEI_V1mBw5N>GZ+@8Y;xG-03M2c&qX8%rrjiaoxPX
zM2-FBo(UJc#zsgZ7fDmW?u_4iMa^yi6Nu|)flF4ORBsk)@VnU@yidxNLX^y}X3qNl
zSyOTfWU#@ZRbd0Y^oJb(<T8+`_w;Gi=d%b~Ww*~!_CV8xaoH(fj$#<}mBa`y=Ur`N
z+0m6Z3}ehSB`FsA_mT&ZQGqM-cS@-JL&K?e5Z-}$A_gr}66YAUS7`4EY)c(4L>u~k
z!xd1<(fvpTmqW&x1x5NnZrZCn!KC5w4A*R~0^B8pu=nVK@Yj(@Uq2&xdu)@J)ngq!
zubyYvMGfsJb>W}^DeeMlO9QWsOU$2<GR*f_qi0ZG^($pIiWt6&66JEtt(HwIWr}+l
zpUsPva&BNEk?u_HBJMh^n<YsB_J4Sj>Gm&{I-7r#t7xDm%x&Ln{0KYrywP>v+rzGt
z-_Zuj@kARClvVilK8oz6iokvS{N;F$U|oXc0_Rt$leY(%Ru%e$REOZv)5hG2E>Qe?
z&G%~l&S%UJi|aG)fq7ZQD(h_sgK||b9`kdTewt2%(tD^HIG~-nW9rn=+}~&}Ktsn(
z6;j&;m?S0*+e5R&L1fs%w?^wf{*F(c-X+lyvA@X$oz>*B1*cS5s`O8%)an)b-z4<u
zVJE`bzi}ESqZ^N|XVHbyQcwjO6jHAUi=M<#&qrWe|8iB{-|NBASk|6rsqENHk$rSc
zw}jl2qBGb7DkTI2T|x#W<abd%EkX*NoQOt*I3Yf}^fWuD;Z}Y%nQ7&dJY~a>+9^p*
zG3~(-NS5^ME~A92p>bUrEWrUqRvGDG=~0Ar&zhzA2R5-!$mMe4c%`yvbG$}*$z=NU
zj`^ni^x#37{bXFK-A}Nw9~0YAjSFwBG#jlCg-@()cpI=?`E;_qZEN=$=gqUBtz3si
zJo9qgdLM?R+a9%wHTrgo+5j`$l`cNQ<I^!HK0<q1o|%sI+-aL!7QIph{^-*Xf69@i
z_XA%s?=*AqHFYeqPc7B|MFkI1te?bS1{;c&$K>2liki>d?U9Xx{{&ul?s-tJ>CZ&`
zlsM_brDZ@#0o)1b00KK;lhzIZ!~10~1fu{BdbhJ{o$dU8z~4!K&n|!eOZQ*IHdOmR
zIN3zo{J)Mwz|1)Kb*IYzZboRrV0~WFxhSL4r*sqxQASHYgzF9Jzugqwf8E>(;agzc
z|C;wuhz$J50Q2vq{Qc2iH21$>#R1Mk(ADLtdw|IederX#jodnA!Aw$!OJU+pOG8lu
zO4?SPy`)mjjifJomJ}3NaDb?SyF({6*bAjrk38+$_==&Vs(a!`^nIYiV0b)qfXHd<
z8Qk4F73Fxf{%&E#Pb*^o#ErM~=lBwCgI7v5f`&YN=y3~wWc74%(N@cC=F_)ylJN`-
z;6kGB0nC_zYEjLuRZBd+!34FjCK%PA<A0^D#A9J%_)W2>+|1kZw!@T!tlH?t_V}@s
zZ`a3yP|iiG@rz&B&ZiabE>4ad@4ml_`op~5dFXv{me^C{jq7xQ7vynro<vL2lO5^0
z@!(4Hp-==YBD>L~Q^dg3du(b}9$#C+WTh2r8R9!FRHg7csU@@~(<I%qccI0uK*%Ui
zhBM@Oz(*5+MoRVXlbaP?GQASfThzJaS82Q*ToE}ox_xt{P5f%!!b;|BVGvq)^Z|$e
zgs|fXN<9T6Hx){|cw5dPMl+@@<+FwyS|*>ENov`~ICB5V+pOe#X9PyZ`e5)vBvDI~
zv)dj1TyvWoeac@$7O&BqrdJt%NE%BH<*0u2-K1)Zatfcv5cjwdU81A>qN(w>>!&~M
zm5=liqg;b7zY=D)F%4L<4xsFAk^Q4s%>%5%9oshb!3%^!Z%zo?ctY@J-Qw*#et2=S
z2dg2vNo<O)E1v~jPa{U<<(KuJiCnU=RHJRTh+6OCyofDc<|)9i2l<kp9sq#)Qx6Ve
zHlDTiy+`cmFBh&Yt~knMq2Y?PR({@zyJh|6iu1>TaSn=A&5%{hMk^UWeu~&>U5UWi
z>+G4W45bClU0<I4Ou=U?9*a+_T;3%Xd^B=>Rr5uKa)yEz*VuL$pP5|U6)Zs~-(LZ@
z>HCy}_v(qug(Wi-$_;Og--w<%(e^r9kReNaOnP86DfEJ@>nAHe=5iHD<B0`PajRX%
za`jc&_wyeK<d$8JO|ISSv}4MrLNA4gND$WV#8fEO+}PHEZboTv*XPpy2pl0ANa8*O
z<#S`gW>GyT8p-{={;{{SKm8JmMQKz5y{4!gO)RqSVBcJ0((ufw-kWfwhAk%qAD?=G
zawRvcjgYHc_I~aWYv-1(CV}UTv+Mbr%@q5eS<&^(kx4<KVD#y!t1`9F*UsejcKw|)
z0JP}fvk2?{`_cVZ6!|;XM5jr)P2Q(fy5Q)r=Kjyrq6&>P^s@a9f1l%E^5R(ePx2@6
zuciV8c%a{Pf`fC!!K43+-uExi@BhI5{hd4xVyy?y^)HX{zu|z!`ny4Iu}3!29{%J4
RUtV-b^M;OEv5H0Le*vJTdK3Tv

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeCMakeConfigureOutput.png b/docs/GettingStartedDocs/images/VSCodeCMakeConfigureOutput.png
new file mode 100644
index 0000000000000000000000000000000000000000..5cab7e7f73bb1994d6e61d01adaef6f595d41cf4
GIT binary patch
literal 30693
zcmcG$2UJsE_brMF3Zf#QM5zh_DosRsi6}*-iKuiUpacm4G$J*LB8q^3h)O4lN-t6p
zdLmMl5|I)hp-77mdLR(eUeMq7FYkW$y?4jEH)AkNPImTLyR5nAnrj`SuUeb$-z&bC
zhlgkX<x3{lczAY_czAZ)<loJ`;^cGX3iqEKuxsWQcuKk@XSpAE!Nyj`JUnFyf=qWl
z?q`93OO7xeo&!zWe>>Xz^KSF-1chEUF}@z`wvdS{Z0NYbp{fl!Jm2lRlf5ISr!+-2
z;=-{(-ifF~Im@R9kH{L=h^=@Zx8*%<zf+-3!{J26*$XBwl@xFNdUH%n%gOuw(>HM~
zY$Hfl5qQ9<Vy3NP1CdpM*IoJ&8%ER6fD9C&y=LGv^6jMr_?#U|Zx`1j?u+)zQ--tI
zhX4EN5&Y5k_IP-BZkZpe-tp(%pfJDRpEo=Yc_SqLyn7_|_<!1rqyl7A00qBP2=`CP
zpAXo+&A4B*$w40TzZb?{qPFr;dYm;I&KjMJWRvl@%~)Lf5B%DT;cWHo?!85$kMYFI
z7JRdKG>+W?q$dGG*htP2Clg3b#Xop&)Tdp(ZP}x=OT0S*4%u3{?d08f6Fwn|(&2nn
zV_rD<SuRg4F4}jy%@>jX($&t;s?gX$G4Fk&v)f~AHIe0i^x?VBs>reG(s43kk$l0}
zunEuX#7Amv|Mu#0lOKu9(IwU>eT=;@)-4mhY&?iKG}VS=wjnb(bEWJU5T_T&>ZSX0
zX#RzWW`Aa@e+Fk7#GW34BleqU*1Qn{GM7UeSr)i83o^GMaQdSNa?Kpsj4ZT-;y4T(
z&WKaNoh@o9^Ly#JwjTVN@9m_$*2LooMinw_!Quy`Y-KcTDHZz@H=T<ZeZsbRnfQ|3
zfn#=1Ijk{G<}7jz6e_hYN818kV-J_IhUp;AItb69qd4EV^JzKEW-oEr%<UgQI6w{+
zNCvNgj!w2+t26lUg#7E*<2EBBqg9<U(}$d2GVEVW0CELDPB7YPAC%3*tu-9JE_5AK
zyZgat*!pq&gVB7~gj_OmGYaWF*G>E={z}UVA{~KvOGY4H8u}-NXNSy!{q3_XfFai2
z`sem691pPyc3!LS!|{zOrbf*SFcRKjjdDZx+xqg0U(}M1-zs|E`a5{9Ef6Hc^T;#W
z<mEBhHSTUe9@$FGvXzML;cS(1CN!E8<Su>wDP=x!&IiywijGJRKVFZE<o{iKKER*6
z#9myooEHccTR)tgRv($p?^pY-(jigM0u=nfJ$mq^pc}|zt-|HYr~*qFj<z~pd+^)t
zE_2p8OjvJ1FpdhC-?#QnF7f#QbDcYH^z8+~;}~@~2~1L4J5BTX;DBrjLhKhwl(ech
zN7Y7BwF}#GIBY7Aqp<-I@SC;RG^%<wXH0gSvuM6vXyl|h!?2T4sm@=r?7E6n;o-|S
zUQwH4=;NsRBy)x_u;a)=>9eeFMz6rbpz@`S$b^<G6PRh36XVp%tM#9-&|<=+tG;V$
zs>6#Xvv`LXlR&no8Do;NgC{^akze*wUTEW$oz$=~hBU|0V{MGP0UT4V)GeBOF!>vc
zThxZKb!TyXX83kY{V3NT9wJx-WP=E4O?ghqL^DJ{8$jC1{>b^>V#=C&^-<80_tCQ~
z(P4%6E%BKAHo9P<?+<wj!wwj#Ky${v*zC(SIvnG@Utn>2tM4Q7mkSSJcZ*ax8Boa0
zD!kf;xwNpuq}3OZNqx@OWs1eAtU!HZV6Vnqe`A{5do#SZTCl{Li%;SJ)fu<$OcDQ>
z8UEp(n}J9Jc^E09BqhiS7s{?-O3T-yD*Yl5IdH48L_*}CeDhljF*bMbB_UKb0zp&f
z<B>E!5#eo<U~(qfwl<;i%i&8!KMl>Yuk&gT$qK7pu#Bun#kS4`{an{!xg67%-O9IO
zOhS|JPA0vum7b0Dh;)S5*d6Fkz@fD|(ubg`=sbn0`xU@bJ%E!e<>bSMqg=SV#5R2`
zTJ_BAMXgy^z0-#-fDpqu=NEn^AJd;8__JsHOQ^3B)~IA4Cxormpm6EqW)PqG53sMf
zY}&j1#+(lvvxS{Q&wW9=pyiiHF?rah<2md#vTPrsG{X75l`gd3ys-5**cEl#f>#MW
zi&bgIG9zY*PFn5Q=OOv9ImLAgqi;GsAA(??;(m8sW_gDnQj!rYe^2xm=#me!$?Acm
zI*+~|K+J9SLPD(}J&;e;KQyA#*Qmg%iG0Svt>n{XDl8tJHZI7Clzj-wHLc&fn$ay@
zi~9CVjI`FRgYLoiDNLjud~fk^t-jW(H3WC*NH1)*luz3bpl)q~?dJCbsu?b^bi16*
za2<xBLFwCQ=*QM3Ir03C?E@yLo(VOBvajU`+NheH)~PXh`uoBmi7ni@_|`B6FS_SW
zsoJ=-VWY|m_QxrC0l!ccWRz8U+SU(hvTU{Ux^REWk_}w8(F%Wg%@*E^3^Yt+z1{5B
zI(K_a(9cktKGoI(5zcSWy<2=PYm4qccbLC?&b~5tR<k(PLy1CV-Cd|uD3`Apz+|JG
zSNagMMtus@A9$WelU%F-6bQ?@%}O4Be}()AS;ANKY%AuBg15oQ6SkCZ`3KgI$=_(y
zlPn7E7cJW%Jc$rmzj>Tx8ek{Ubt*gS9r&CzaW`KmIBaGFx_!!2)AdQ>rw`Ot<|VM}
zF4caS%I<B4`6so89G~F2hAr`6-7u;h99pb4EUkgOwyKC+RaCB?#o034kk>9$W+h$C
z;ZFS-QH=;^TvPE1btHCtKvSb2ArE*Q9_ac~N?Z|&@I7a?AulVzt|@_)*>IdbutYwx
zU?_%*PA=`~a+%LUl;QK47+NJQX`pCQo+TgyfEKR9&c(AW07+(5^sOC#T!E=yE9_MN
zO6QaM1F`4Fa^Rz)O<PiaAtk28oyS>xD%ohE$SjmwSlK)SB6HW$A|ULZl;N)b9B1+T
zs-ir1oXBssK=F%9F%*jzh_^t>vexX^qz)V6p=|C@-=StRfriK_jRrCIY?OI@AE)<(
zfQJZ4_SH0c5oa0zA+9>HNhVv8D%G=^4N9jq)eD4X<ur33wr(BzgS=dr6>uf4TDIQR
z@3Tgq|Eg1N4F5z6&$I(=eY%k#yv9UWM+{uP1d>w9M$6ESr6~>fj@pRJ>GrW^!K{vY
z|5${=1A}h>+|oB2I$`IW9Bda)yrPJ4WiER2#gB;_kxC;_w&Mw}Sv0@r-48(B<G+f@
zeXwBJp2CIi8qg*pg+3S-Mcm*^7Ufb8Nrh^G+Ulu^+<PbX<sIP{KKDUOTn#T!%m1we
zVFs@UZT;+nB9t3)jO3hT1TS$EFVn|3+~ZPfY(yb`%i+A*BX}Jm%4rzPr)@mhA~tk*
zrI@%OMp`BBiR6ez-h@~BbSA9qe7j|fyt_fYn>Uk<7=4CnT9TTzLB!1vU?R0S`Kb8A
zL-c+S>xQVHPcplzb;%;at%Jl%w?JImx27XJpr?gJ`9WBgzk`2Le*+X&mGnRl40iA^
zxb!EYIfs+9Z_5#RCHlF&@TXcJ%f4BeWx4ZB_g){lm4dNfVk=kh4g1x;^34@;NRh{!
zr=mJ1Th6kQ-FjhnlL*5?b4pzJ%i&xBhAepQQkC1@<xT;(JIgKF+pGv{B75oB;{r}b
zQ>?Y{$Dj6sw?sb3R)4}_E(SLiGwvoTPx7ZeVJpFT%jJ<-vfeVLw|ikCoogLUzoq<+
zT9mdZG~AsTbKR57Wpp?FxVy^#XgFG*+wo_$ME=^K`jkCt$$1KDJ0ciYj8>v;d__k3
zl3PtM+y*?iqD_7@TwF4s1fd!`<o}^~YkupUsN^50#PLk%cAKpKLhSax=ZKzwukyo5
zGVoR{?kQ8zz!rMNZS@7BAY#lTX?i^=nWu3-_rjw(`Tu@_+a~@m0p(gIcaY20w_o%8
zyc<efDwVcjJ+(a<+>ZGE4Xrhz$pKg8$j-~D8>2uZT@ba8XheUih8jb18mQm`j7=79
zd3poC#QlnFgIE<LtKm?-0h|q^q&932`>P_9a~2QoUQ+QKWpu8>r18L5ID$5PmaVa*
z$!s^8(QOL``ut3@kU>~cIu{O=o&`Zmr8FS13n%O3syP$M;7nrMa}eXm&lFNyTeZOS
z>EGtGa*mOi(eA<}2=q7miPORAt~O1=uQ?PxDr~{?rz!m~M)8VUc7~!v=tA#W_%!Bb
z2{q%K4A2I03}`1A-nlBilk@!u!$6qu6n&WdB>WY)hm?=-qP|{Hzk8-qYQXWTpcl5W
zww8V$UTAnGW@sWk9+e8YE*N5&q|<iTy>qW5Y(Z`k($o@s3uamFe}889mCa}Z-(e+U
zP)H_gYbU|>y9HHJQNI}D4evvyMoqj~HCeDd;1qIM-FNye<r%XJayP4K4&7x_C>FjC
z+Bpy+)rya$x{}pOmY#7&LXx1a7qM^c;y;eGT?L{B&7a*a49f`&FQsM7N{}G~{?6L;
zz;W~Gi@XeZ*e3nNZnXbs)N`6Hpfr}!H-&k@8BAdRPRR0a1jt|m*<1ETQkC!(=5n!r
zrVREsN)%;;oTk()^n!GeEN3CInkpX1dQ*zRtuME{!})h$a2Gr&x_PDRm%DPegd21r
zuQG!hqQ7T3fmWRn-Qg?0n8l^YY33}t;c$g-*ev6X{LGzBt>$M^5~UqeZ<)*i0v<%K
zl<HkYpJ%OBpCR<56+>5>HeFgC%o6jS9@a3+BiveT^IS_~(90}o)4Ic&E$kyQUeBpR
z5TzOg95uW^%OXrl!@21xZRmVnNN2?;`w}dj)t?fk;WCCb!g$VsTL>3IT|Ii836|JO
z=ok{x`M|9Y?_&upO`9TCo$IOpHL4t`{z<+2W<wBo!zVKSqKO~piqhLV3ko+~z)zU`
znbjuhj;NmMs3_{LDs#$nLhEFDVB)IZ@EhbW2Rra7Y4?!;OOoCbbP$Wu>=TKWXv?8z
zkfHsK-;4d6VYjyqPc-ze-rYx5Cb&;~Dtf&^)%ph_`Y4trh+MtT@DD30>EgJc+gPRn
zUbLms*}|kWt6*L6LDA8EvL}${34Dm<18uc#bdRxy!4wQ0vA`Tzf^RU<_*!x&7!P7B
za=+UAxvH_jXr)_pP`M52$V>1^i+mv<XOtc$ewR_EmWeAfvhhU2SHHdJSPm~KO@&=r
z)pzmFDbF1MltgbX61q{YL}&F53^gT7$Z+skXI1v<`>b>lVpgKDTDSec5PP10y~l3V
z#x_#qfUlt6KY=RNa~(Y`abh<gNZ*_bBr@fR3cDM0_uciq4tshIxoX&6SCVX1w$x?#
z9sND(d&pg(R_%$i-RaI$Z{)dfoIv`0qO3#j7OCW0>!+#`TkN$uLv6IsWJ;pSf^&Y0
zt%`%bW^u62*9OPD?&}fMX_ng$)&o>A*#2-E4@PE99S>W)gE(y73tTI;w^^r(C}zU8
zhBo5bU{aepN}(bCGnYy`=KbF+d9#eImL=UY#CB`;nUX_cs$$-j4&e3C!ikS<UUNr+
zX0qh*p1wgIH|hC|o9aH9>WO1L6}Q4Qg!oGAd!u}FkBB*!`Hwg`c`rR3aH6Oin8y#b
zA-L3@87?@=p$T=5amHcBL<ZTPGtM9j8IigEqK{l=$z<SI>{Tk+NC(N;GiHRt8E{B@
z#(<o0;*#3Jxq)F7=$an7H#m*^C1;#jLrU;wT=!gvkDlqhPV3w1#2;@+xkEgsP5ibZ
zxV7#8O(CC>(ehdxVvH@8)a~h_vxG)L^C}QfIEUtuG?Btot5NoxuRs_v(4R$G-TK|R
z;FLU!{5%LKLK&_OT0>V{=Is_C;r5d-EEuBal<W^7JN3W&9`eojR-LWHWPOd3%woc5
zZOK%OA^Imt&NdEG^3A@4;es;htI`b0Hx9|6o-N=z+AG_Buld;0LmMxxEc20y<G07_
zHZ2iH#y*7SGtD8;;!lT@%{ULbx9Uyk2?ViL$DR)Tgg_%xyk&Y(af~~&2<(6TBK%7C
zFeIb!jx#uL-s;5=n8*eAnuOh-{q=B}DMx_<BUJ^sfuo}IV%i0=W9b0Do5ge(WJ%Mf
z!Pz1%n7d9b_Fb$p)MhkFXDp%=LH<CE8e@i6EPN2cg|Nf>X>_VKkolXLS*i*|veU^z
zz^!h2A=fF8)F!I=7=7+1yPq0l^nIZZ#Zbmn$7RjZZWmUngs<ywNAJtbE<Bka^*!TW
zm?^ELC?wS;ym&r;{V7&&nClv!piSbMt<R9yt(q^i5y~@=Tsw_>^BKB+{i1x3jOxnP
zXRag7!{_@4Ka24u?J?%ALo2LfQ)!?xU|$1kX(~_=M+ls*bz;;qZ_<zcpn%Y+E=iye
zH#GazE*Xug11&oKScEy_L$|$&(-^IxG0@us)43s)&cQ5X`PZ7sZBgcCl!_o-k<co_
z_boH@)%j)<-2+F89>a@#vR#9O5t*K$_bi}iwcC8x)zC+gU2Ygp3SsYI>T3N0ptuYp
zy6!*Kf-;Wx8!aq*l19*UnLZnT85s41zWW5xf|<5H{5-X3>-Rt-<R-dN-A)S@CN)`8
z!`M8M47Tl@*SiJ`n>mF1nJPRK&6;7KPPpN=hisgt<_C86>Hdyc1Q;mJBT9&K%-33m
z*7$oBHm5>@nZM|>YpT9-d8{a)vVqYLY7n{Cj!hq#Wv(@~QJa2ljLgn5o7(nBw*gBh
zrSXdWw3P&4hK#-QwC1{;K6Cz;ZCns^uOa!|d_{S2t3B5<epXaITu4s<NmlqWW*;Du
z8JAy#u51KL+#u>L_0rd@(RKzBlh3AH+Vy^J`5MiqQ7|-d2Kp9ZYN1fClUB`1!|B;a
zE&`kT-JQ%al!?@E*9rEXeC&MMq`Dz<7~Sx&<P?IA<~l}W9zvcSXVi~9vBorH<U<c}
zG~;U#ie-TgMDO7eT1_h<4_sgJ5L=Irrl$;r8)jO|bDErfJe2L*d^bV>e_iY<7|G}l
zEdHhkAr_M=-6i@F9f(=-eVHO`2rhhIc;}?UvwMqujv0VAoL{5P%R%W*<TFctMYGOb
zBMH%6Fxl>?ubn+5bq7~Qh%(K-4q!cn*o8fFr2}5H#h-|u>RI3HpLqK}t%0;!F5#x>
zPm1-SsQI6I0~%gm{VV(c8W^c5)XMs)Jhs<@0xC|!bi;kjS$z=&erRRlNN|r}jLs?m
z>Y?7$r+Wgze>Lpy<CDhVtg;p)rvy*dP7wjSQskq*fb-W+mI|t|uzc@qKz&Av1aDLR
z#eKZm-i_#AyxJTwis@$h&Im>cKVpaF(sKPYXs>^J1v7&6;(`oM0L<@nbyL;MlH{Z|
zuQtB`TVT#A7RqfsdIo%SR~g(Q9%1)vrm1d_r(Sy5DruWd{vnuucqI>y{?0$d^nc1j
z|JCfiMkC8WMlhH~evKVU;Ct=w^VR&gv{?aqtBD!7AB#@dVSzdfr%S(G5eVNW&1Jfb
zshkK#a9Kc|+U`Nx(ZU}4Cw{p3jTb{dXcYo}0R2=T!xL^z{{+75pj$S~+UjR~kgpD8
ztb|=+7HlLMsQngCpnZABDHS1YDwuLDR^#Pg?39miF4c}sf@X)|Qw(j4%sz&v>ZoOh
zbfH9lNZR!$gGxD}_v=Vwg7_qjn8|BZhr;YR?#x2NYfDd?j-kewfP-AkG+2Nebu9o{
zF;}xYLWLa^MVw~Ok}XE~Pi<JI)!fSb{VE6=C?j_7ESBXrh>p+?^&+@5S0}W@qyl4m
zEv1}^s*tQQ6?KKvb&kPz^|1-kV{@X7T6=chJsg;!%@MTxwlR#aOnC08<s*kfS?7|n
zT28T)sR<qmfu|;?Yn}`oYAv&G>NCU6>0+8qTd7;c{x@C_u%GbL5zcMIrH*jb`d;{4
z_4?dpazwBdE@j)`5J}nU-f4h9oN~^aTgN0wK+xKfn7W&)C$c72FjcMBVAQ3EY3Vwn
z?Bdb*fh;K+yHD;a$t6+8yRE3gdR<RC{rB`me#Ymqg}_0AF4FE^tmn=5k)C~3{P{FB
z8}){ikg@sNpBd*s2<!kP{z*b=slIW706$f|z&+JD3q9j^b;c6X%ZM6&;5V6;)(H{)
z9=oC476SJp-@*lVz3q=WV@6fq7Nh;Tc0>?kP2*~(-W-{Y1`*#vQQp3Wd)CoL{n;0O
zcR6wmgFcyXC+9yk)$lqbsMw8$vTIhlvwn1&AD_QC(L9Jj^d6DQJqi-J*C`tupL51a
z7lpr(P00m#n>ZxgYZy?6^rcFR9-MwMgTZGkT(Q)eIZ#%kLa{8hlRo6moS}-_Eya58
zAFWz<oVJ^{aiDN*`eHn<R_%CuQ}D)B0OVxAR88F`Ayzw9El2F^n_KNB9w%yl5G&Qz
zZ_A+xFrv;m&sN#fM^G#!YW2OC9H{9a_*k{BHKb@#r`eL$4-pz@hu{}r*=Kv=9MLmR
zKTA)B7Pn~+6twZ0(0@?+iy#T%sFs94HW#Nzg3dn2JY*UdAaXG(Tsr~|?P+L&=Z{-Q
zI1$kRf1lhH<pZSYy6IPOs%u(_?LV-s$=KZ4vGXQfn|c+r&o-J>9WrQePum0Lnu%_C
z-jSIQ%YAgm)u+(F=E7VF4GhIMAAHBxrIbV{Doo@E@&#!p^pmI`j|@B?Bl&sE_&koL
zeH9zl3S?$8S1NoK5`ly*ey$lVZO4&KU4WpId;403g-Mi_4tOR1kA-h<YhJ%O?~Ky?
zy|;WX@-exlUwp{T+(o$T*0I;iMZ;qEB`c4uR6+q?Gj8m(7L<LXX6W^HzA6=#YBSFr
zYwZeMs=2*4F16|o)!FA_F{r;V!BJx))bhNBOoMpIs-{JTMSMtn89Vhk<a?`+el0d~
zxa!re4P}S0!^n7d{l)Ed8s%<s0c<_M)^p4>mhT1DrFZ(&_DKa>QFwn{b!M#=>)TOZ
z9IMS;uM@bqky}OU@b|}WdPtPNjSx0>JYTZVi-FWNr`28gqHBD;1$O+Pp;i6Zggpi_
za1yHuzs9O2J@wRk;5jpqec#qcu7qG4cO&rD*1lEawRt<@+fBh?<bM2{EQTS3aCrXl
z)4RW1i=(|c9)JZK#DGIxTnHH;#<g;s=YS|_!}`JdT{bF_Q$rTrtbUi%q1$_ZS>e%m
z_xS+)%h5Q^2z?yHfTc=>{F923;sP`Q`4w(F(X_e0(NJO2?vb_%M&NJ8>Opnt_}^?6
zPv5^40{#WS{|=|MMM-#S*`r4C1^=logz~#^imcJzl{43h`^Q4_Aj`$@$1lU>rapxY
zB0k(+?n=e)H##fAo$Iewd>bnszd{>Td>Iqzzahm{AX-?fuQy|ew<<QX6U8bs%4Pnn
zI8l`0FpcL$>Vk+PBBWZ@rr`-hKjTssz;CmEF}09ao6wm_mf6-NzU<@;nh|L%CZsoi
z)9PsecV;Qd$X&x)W&n)KXYc~v@%eKdrS>cT4x3kBfEG9+&C0yoaXxz5#9PJ61qoky
z;Hb8fVsb&rbtXJt;`sFFWsT%yQP<Uy;>9Le>(;8V{dG43%<=PSu}3z_9Mq}cdujQe
z5aOLK4UBxN$sKJ$HE7#L&!jV4c5vo=cu{sdbq4wP6y1%HN)x`<X$GCz=$(B{tkC&{
zy2G~Z{HS`T-XQ2l+E*Q#Ps(t+y<ywi>h@qa+<I}$%5c?MjY|L}m;q14KMkt2k*abt
zoOL;9&i0rgV~pZ`0vvO@KY>7{+q;9L62-sxV29}ix!Ak4*H`5)YE>h#zsFQO>RnE=
z@7p8;Ksh1xH4gOD+Si-qF?<PGFiYjLFV5eCmBE8TFrEXBxuH@CR%@%rBjHmQ{EM2f
z-SqSrXUU4a@><zg(@x*R690R!x+cbZF>s9GFdbN;ZmsFmS_cOfY$tz%I=J}lD*o)j
zuYhzBIl~nQv3x-^u9*A|JD{kEnloRUDOv%5FA(1a4~F=-_q;gT@--R;O-DXl$a-kB
z*Ih>LAU{PruIFCbio9@}as=6XZ}e*_-9^3@VfIzNsIA(KlA<|hnIQ0d)fh$ucWW_9
zC<W?4&%2<G;Lyy~cl?vuC_+jo$ON*CEykZlc_6<!;dG7X1EKrod>@$YgK+)q%SbtH
zd`7SZlowHZ=E7q+{74JVt==(Q9sM$&_o71WyKKP*E5<b&t!rV1L5#DS%Po>G@a#7s
zBpuUUjO@H!bldsY#bxo62Q`N5OAQ_5N)4<0g~dlwZb01lDe5JJ&~VRUE^fURYH;hS
zrL}K3G9AdMgw(Ev&!2Y7(u7G^t?WUq{O*j0-O7z5z1Ams5(10v+xTAXd>}N6ajh|v
z7mb0ajrLhj($C&c9(rq`#RV)A*^3Nu&{kFsa+k2?B&Bn>$*7;CitNi$3(c9#Rs5c4
z+HwYO7o9vWNK6yE@Fb<o6>MRs<T)8SjrDSkW9l1IqF2>BJvBEBPCe6{(5^~Psd2iM
z-SGJ-#!3oz63Hxb3Y)^Cjk-mqT*=_8U|Zz}>?kzXsBu5tDgSEv!~xUCweR#I!WzC*
zCy4E+H5@vdd=})zKASN6KfwLZ+O%XY38)#Af)bye0l#_FD|_tVA?J2Px^6PPIV&Nx
zSOPU>{K8-)CB#_^_era7>qf&?iYBbIjrSb2r|{QlP(^diR0{bB1r=SL<6DIJK(WY!
zE9nN{BhdCM<Rh3#goS12{jS3@j6kuLuYJvV|MDEa2sPQ-@UydL<Nh1^=Li<Lbj}9C
zhu(%b1N<MnueywosB3hfFfLpyYSy}~!Y3C$brz5VB|H>><x4nQ^Il(Z;Wx1nU8>rA
zvyi44Q)+>_4pa^Lm2zMtrKUR1<@NA$O5k<R8&WAoPr?rxGWsy`><AjD3HFJMzz+xV
zh244|wEIYbrtmfJ>Fye2C6Mmuxu7*;9&<etFYk7U{7ugSD%EJU&xb4Leu3Xl8OH`?
z3rYq196y0~yT4dEbFD{^JM)jUckl-7jtG0UwwNJIqPtGc2Bm`jk#~Ow*fln=HOPV@
zGOhmni|UQ2o%MIitp0-kyQZ#fB;0<z+x>4O-~Y#ghnm!JL{<XdJ|jS=oIlNT$FwtG
z#rAnrqE9h<;G*l3I{4cLx=x!ME<|{{f9=DhHsngzdW7>Jtwp<s;N;JVnKty)s$}^_
z5L>Kg@N5T^9b(pTtH4k3kfRA!a%GTv3cyjJ)gwkL26*fqZXa%92T7?Gyj5=gB6dWR
zjV$##o8zxn?@ZJ`pV35GpNCoA03jOKly3;x)tW&SFtekR2I2=-<Ns84EXFqR28Bkw
zGPx@&ATLr9`$caWx#-q>IQF#MN0NT_4E{#OA2yEqhP;CN2k*yM{tezIPoUTOABM{q
zV*3>%pa<Bb=g_3m3~e<L3oL<~x;2rku$7>*9_UTeS`_n7r6Lb$<Xaq7!%J1>oQY4;
zB%OHi$qz!rtY05qfVHHF#^j>G166F1cN2cAzi99`6gO2a@;qWp9Bj-~CI9}4Pd@GX
zcFtxm7u;|C0rz3Iz8s5Wz94B(WUYZ+GQvFgw{DwB1Tp%&Hh>tE{Z6W)Td$uI?3<k|
zbbMZJXHnS!h924fwBNnX)30^nw#437-3X?6%)l!sS71NG>2#-3-2+Bm*hOALg=3v<
z&%|l39dw-#p+pPDhgGoie!F_;K1)zmIy2D-)0*#}Us(Han7Wg@7#nSW__tN<rPy26
z$%df${lZ`_gxl5Dvn2ZnTOViaSkFf@G|@cAD)+}kWrB~LKgVU^zLik+5IW3@_wrzr
zNpcyKm7}g_t${r;kz%?mX=R&w-w0J`Lcm{Yeztyu0FkON%bZo;VQb{=$0%}bvJ#ht
zS1f$tJj~obmkAxJxuPEz$gVvCi?i&P;##!K<g#zN2bb_37dvA*-VPJF6?4P)&Pq#P
zM1<NMLse0My&B|~Q&k`}d~T$p;l{^tug8b}J7AkDW$66h8Mw0vSlg>V4e&Me1qCfV
z=1{mD6kIH|ueh^tDkph9Auql-vz^@hV%)D;c9?2%(DN?wkPz3L@mv1|q@Ui~CgIW<
z-ad@$u!ivgY(Ze^y|+2YM4s!N|H;8)t7IR9B0{qz9k1`B8YnztD$~DW^d|ay<Bk#o
zF?|(hwMy(4Ap`yGoTm|CuiK9IY>Am+3d8x>RnY2M$20J-vLns;5sZY5?V_Y*7s*v^
zQh!UsS;cBX>^V@8sSZ~a>v(=z{>K1#e~Bn5#1CzT(LT7Jr1&CMB<lw8YvdPiqH3gW
zVe<zu>;1=dEoj8fnodPpc&G2kCi8&D)NE@fv7D}gem_t;*WXr@8fK{QE;ZqsxZhW;
zh>$%PT{fg1#>~vL-A^PHtOt7jf*F48-ahI{5>fnIz+IZYcIfBy5y2GMfbXW6!3L=7
z&hVZbg4v<Zc_*pQzIqztb<LWiWRF1LpuEWF3Qym5r@dxZZ||tV*bqw=L?DY9!IrEy
zCkrQP4(=`4J?g)rL_}wwV$`l(UZ1=Vh@brtml_-U-84V0+Ra?^X8+?^jrKk2pMjBW
z+O2E8b-|xFrIA&=`R-7Ca)5P!=(@C$dcNm?ei+xlN936^jqoL3QIh{*d7Y68ZI$3l
z4u14ce=5TK_in2r8~bK6TYhKK{s(9kUHTWa_M?u~-}^rVt-Sw&*3*Ii0j)~7)6$2Y
zjim@|Pq9OQ45vk#An4~#1dR28^c(0D41o4m09kCce+)(z;ZNb#l;MW8qA|*{p!i^4
z0lyKfjUmYo6`Tbg8x#JM4%`kbTx6@)Lz7a5AFeDOtzaCwa0;Z*9qa8zCG(zZyS_e6
zpy0CR6=hMeBlj^MPS)e~^bh_CE=0LXN3Z_t6IVnppG*vJ<sCT1fo;f^I9xx<rPRWj
z$dU<@<a$UU!;)>c^^eq{dPgSqum(~rH&qXVaUC%5boQ{k{_vEW1?WE+^*BCmP>cRO
zgnA)oDr^BfY~HLcfleH=$+hzXg}+LBMK@PZs(rn(N-~D*oz!t`vij;UhrvLdZ9a_{
z*%#@)4|WRkf)`%BaZj5bz`%YFR7=+P^e`J79A>@ue2K3M8V*7M>Pk}K+>JWU)-?&p
z?a-}VrhdATd`C?F_7etKkTxRQy72T9`Es(T;GzMRKQJUmwLX6N2P{6nMbq8nU3%<-
zzU_~AM{wp`pn+CTN7O-@uzHU}6g-oveYi@;>+qEfGkENe3J*U^HLp?ax{`B>UCF4@
z^|Z-x&l!sK56_)n!+rDIZKB_Nn9i+gs05xyV*1at5L>^jP1k&rne~KZY`v{5faDr3
zb#JDuP((CjKD^#_7r$N+pFk<8r!lzt*B6Uvp2m^7b3gf-pmP%w76r#Ae4R1yE6G);
zCtFUazVHH>p7e@V&<lY-n#fW9gZo>)3P}8=(?^X(Xvcf*_&Ve6zKHLAp%$&<C2U}B
zcReQqPd?qVt|3z9ZrHl+)K+8*w$2F24*x--Io3T(KWDP#MSRRz(39xXCziwBJQSxe
z1J!55Qw!>d*NO?vC;D^ZQ1N%A#;!ScK+2~FZVz)0wt5E|fE0dwD7NaI>aoCkH<Awu
zD0hYK_)n1bRBLX=#H!F22p!b2xIQ<$;i+oJV|<ep$UD;7);*QQ{EX`pJ$n`7d&Ma_
z2h@|`>%&hpSBGI-I28N$%=#@lH^r?Sn5~C-D2w9Oq|^z=dgDcnUwnev8AJqj#g`61
z25d`*`d-j=-Mgh+8EK7fT(S|skz6~l@hL)Izz0g$JISTkjs`kCeYE`6VW~tW27@kL
zZxQcVQxka<a})#~kf!C&Jfu^z-~9)}_Vj4Szf$uplpow#tL|CX{WkPwYwP-Vcvr1B
zeJQ&0=}8%l5J{0@fA`yU-|fed#Ak)+e7#kGSmTV-)tq45NQ6&AE8)KM8}%(mS3r(x
zp&s|pU3SvpQtZOmFnO^v(<1i)4p@iSfC4oQxdI38%4X~xvu3fME_WLK3$R-_*(+sf
z?EC<&J2+ERyY>wb?XGe}E0LuIQ>8{5%4j%i8{wWD38_`5Vtf%6(7g4+&~<glj9Y?$
z_l#%xv-Hn#w?-dB<2m9>l1MQ4dXrX_4}8R7(<R|EY$4j!Kds8O0*fn<8A05&;(}$c
z`X628`R4sAA1xHc&TNUiiq%^QHsS+ZulX`3cqTgLtp7;^vH2G53;*AM{%Y4qBSQso
zr_L*Gg7Q<bKcT}_C+DKJm#XS%z$dMVP^o^08+&r_$7Gtnun$U)9qFxDn0Uj+iHut3
zK0_~LH0d^4^@SBRe~forny*nARvQLP#kxirQXZripqNEQL33y;!nPDpH~laCf8%tf
zy&^e-QFz?FW;*!*7g~AhPaUh)I7rg?7&P``yn87EI~(-tFEjq}D<>k11^xjzVf13`
zAjz`;X#52ja`8`z@4L4DP275eUiJt^xq=1J(PIElobb{p@CmEL2n_FN<DZb*v&|L(
z_-&0Po3gF30B-kGsgA}l03?Hr5x8H7zT)3Hk6=~qDAa5NfHGkvEb+hg2Ozna?YOKg
zd+k#8bKal5^aoBRe1;%i+fc&I*qjsD17&96I__yWFVfoaMp;k&rQJ)%tM90+kiKo8
z;T^S8n$%!~Lz}Q}&Qc|u(DuTAZT2Vq=@;UF`m|P>IbBOdfk7!RQ@vz$1rZ2b!1a}u
z*wq;s`d_8wbk7ZLZlT<Q#7IIu%oW_=HlZ9BKOjuH>}wLC8hckn#xburTTu`l6njMN
zg66s!_2jSQHi`F5_}4$~*d7wJFeFRD8@p()^UBqiDed<h$TCG14tzz3ENC$$p6mpI
zSu)jj?Jrj|(>XiwWYxLBjqKFc5spO);YyUtt-7zF+TCK1D=lR3;R(pd>_eHRTbaW`
zAaD;vGYBAEI4}$4PAkv&qVD;C4U;z_m#!F;52{}%xV24im9ONNuHQY@E)Hw0gtkC#
zvgCShH^Y#wD@WebI*Q`jydRHr*u)0!!%sf_D3<IPK)Kfd>QgqZSNc_Z9H;tFxf-o9
zVhyYdT&Fyp@I?NaWsJO^D}?^33YY(k8!zF_GK&_L5Ab=MG6p|%^L<hzD0J~@ZYbfW
zx_tYy$`)7UnCqNN0e2s3JJ=hT<*~{k78rs{qFRIQg;)D=v@_2_i{Ila&P5iM5xOr=
zr&B*EF+-%CFTN<ZCy4(I_C)@Q!w)BZRQ6D0nGVZ3!o7!W<F6_|yc=8R@Uj5>=IR=L
zi{eysDIoWu%7IDEwdVuL<a^jOa2UUz21sA=2BK>3;>`nMgBV9Z%bve+WAsJ#vpN-V
zt`^U~c%vu))pGM#wf*sY)5EcYy7#ULlplxQGvCyd_?601UAcn!PHC)-wBX$kD<d>d
zo3_(W;Xg1(t^_cSDCjI27Zot|K(!Hd>dCiY>F}$8;P6-CG~IEh{ozsL+v2600hdn7
zM!&ouVtvKr)Q*oW!kqf}Fay+!fYq;R4O&ZDF)wYkWE<_dH+AHfAPxg?Ucl1LG<Dbp
z;f|;5bJpYWtmUv58#c!y&U*Sx?2d3|ND|WH3fJ;i>n;a~s)7Uq5x2X0SDj)#MzEci
zVSnA(|5+37Mni>b0PgDP9myzH<;a9=w(0i1<r$afY0M1amX{G`d9`t(OQxG6JO0*R
zC4aNxt70Z?v0|$tRv0SvO;W7O-(uSVf7iiHfvc!)cfj>v@&BbK3V3)PPI*NzLX5=D
zz@Ln1${Y?t$q4FHl}s^UaLPN*!xjd6AFXaHWBqqWl#}l)L;RQ8omYBcSx&id+AEwV
z_l94nFuO)L^V5TdaWRZwxgij+#pct-!-G)Hqum0$8?b-{>6#HXcK08<2s^n0jE-Q?
zs|jlFACF_zN{W(#a;d#SGI$|d;^RMJLiO7wUTwiFQ<J^3A~}Ne*>G-rt>wlmjDz_!
zd(~DF{y@ohKqW<kZu677ksK`yf>z<sv2xXru3+O=o?F($Ab97d8A>%1#9t4Uvh({8
z^4h=Gqa3FyL5b-5IAy=l%eG+6>7gmT)ZJ*mxuW>EQqF83xRLd)RYsoO4o)jPT;aAq
zVO5>4t<pBRL9Y;T`8cqH%`HgE)D<*uk>rk=GQ|z6o6R2Fn~9B6Z3}<=YX2fi?Z<zB
z%tt|#S_e15mBF+W80qFKA!o?ZC!W6fLhJkF?>SCLoc!DkbV&XJMHmhZ)Gh{>tZTNJ
zwB(u7Oa&7oH{UUDmJ(_PR?ec9#+pi%V)c?L`V`BPCqUsVbjKEgQ&8<l+Zl&kS`)!>
zZJ7V-0fU>xy~N=}MCU|pT9>&{YLy4tFt6e?w$E)Y2Uk*C5(?gq;?6X2!)#Ezc;IoR
zm3F|pnrcCe3el(~`!$!=4exxX4YstgH2Hr4A>cL$Q9Tr%2gw&{O%Yn+P2XZZ5of_w
zC5VQr;U`)(5J5+tw;9g1`Z_e3=*!rdz?An<d=FME))r{~UE3@cpEl^0%Hwycw*z}p
z1rt$)K{e0U%PqgE8J4PfiP?s_cwKq9e>OV$(xH6zn_~`V0PueRu|#Fa4c3296aHVo
ziFc(W+@JhWsa&i!JBD1Q*?clAuy`bTyo81iXV$654qTnC%1k&_z*Kk^sP)`2$hH6P
zdF6sPUJ3x6uFljs2VJY>2Z|Y3^Z3@BY_h1gu(3RZ`wC8cd1f291e%Sfl3ksB2oq=A
zE+%-xL!`-tA!1wl76+HEIG|zIrU~?)#czD11&Lae>`hYiI5xts)3U*<0K5=xDcn_d
zrl`WWvzD^g=Rt?=wuhT+2hz}<yzRli5$qArU#u8(QnMJz@=c9>tv1iaH`lKhw>-X<
z4#h-H1x4GJ-*6KekmsE^w%SotEFzaYzA8J#d`-4x`|Qw+0wpK7M@&jL7jTEam3=zP
z;&V-xQC_Wv(dGRN$$;YBSfS?0tToRW&k2Z5&-b=Nl1cB}%mTeyr&$_G)tM^X@P9kr
z^Ccf_v^pVt?GhkO#CGmyFCg0`IJ%Ac&E@T4c2{YayvhZ$p*+>)r*k6GvVfXTn-he2
z@?nsM*CM;t*OIqv>1jTQIJl%f3Vh1{{YAcjoG<1YL+T$Cq=X;s_kUCRR1bKTd^e=n
zw9F4Q^RWh0Kd#_nS-)hALcEYtX|!6K^EF;-Xxk%E@vC+%wQTJJJDs_W&XQ3Ai($F7
zkszfvk2>&9UuXRCxGKl?D_G!s0C+TJd?rw@v1@5}s4ybvuM9bU=l&m&a(?9hAWp`P
zaB*_uG#4_r&Zb+`d@6?2D1!djrMg`^u&IWvaSIS6;x=31#hO&hv4LvilvO<?9N;$7
z`4H)x&7mYsRA7lkaV~yO6?!Sll(rJf%l-MX*LK9LP>t%&4YDORx}30-C<}{?2$L7V
zM|P~&_0sRgjeHz`_GNo&MwO!k{5ah{!b-6(b*F=P0F6q>3ERk9B5D)|IhPFY&I|2p
z>PxB^zE$Z6BC{rDHhth@OGzfm7nmh;+b~kpw_m?MozE2%06fW1D3z5)`z!c;^V7N6
zTKEu%M7oxUWg~6d5$ir>aiZUqj0k!UdyZ`E`*S=8_i~AO((@QLNmlTr{CN8_F%&nc
zzxdQA)m#8&Fv_ok$cYq*ZP>&c6^&;$#-0%*+R1jb9xJ}c@F4?wPP5QooR=xpmwxD`
zNAP>B$fsE_ygW$X66y!k4{(c?G~axX<JD#iIl-1Yi~njSvAcMKE)J?+2`;~S#iLNM
zNY;HTcyIH=MG1lT?a8Oq!IxmkLC%1iwug%y@vaQp(vBFq$k?s@0D)RFx6{tu068sz
z<cnl;V978o*wxoUa5X(CJddK&QZVJjI2d;iuj3WU{F>vmeX}nXUdYCUu{&BiWnu!0
z%=kOXH!BYoJWXLG#b1y=3s4m$6$hF^ovzNIMAfbYRL#Uh%D<m*BAfW)i!Bm_C<~`w
z387u3cF9zEzX*G1i`d>0+&GI{*R5v6CtrSndtSt0oCSN&Wj%E`*6o4v@l&gANa@G>
z+@t&O2DJ&feW15oB5oJiaeNWvfD0ilt&a%rnFW;2;^}PWc5mb8fcCKfa}S;Ok(bQ_
zO23+pE*#*k8a$hw8fk5J$k|V+nxg5PI1?$wm?hkSQZ~z>vr6hi%D-KFpI(vF1C<<X
zOuX7pAHtM8)9IdcGFrPkShVWyNhZ8m%}12|Zr!(ikJ8MGyxNJ)H;iL%vvm)V=;T1s
zB>m&CPfv=Qy$4uoY4}iRw{AUuVHxBhHRjz3G4)o|UXOu(G18sPA=RN_<=^4+XYB?2
zE->EaQImr8GK&@#Ygg5-`-G>IUgWLnyYnr-3tbpnup6L7-p)AisJ;1z4*gkfo-?~6
z^mqMJ+Cv-Xx|2K`R<k1UPfCH5k}mMi1C!_X|106}zgP;Cf=&Irg=yYD?zsab2t&VI
zUBC*go?&W3u_Syk(r*oGDk*dxso^(C3?&$`C8ZGh3lK7W!*BsGFUpgZoW6H)QhRMX
z`>@uc&Ac(v_^AnCjTmL=Ej1Eer+29Q@=V7%xePZvs@!8>>v5<PI=o>5e}f!E?B7tU
z4)J4N3$i<Q;(!_Ip1bqaNq?7su_kPr(T;KY<MD1^M$WfjH_s1Y--3Uo&KIvt##%&Q
z*hnMWVv;uBTAUg3BYW8N=ugo3HmEBZ_mB<eFG*V31XKn0Mlg(MhBN^lJl;Kmh?P^?
zb5P1G_NBpe&=Ww}m51~CC9_|g+R~m7qm@IVOgGe*&Q*;Kk+>RLC=?m=*-wNt8)z4h
z&aU*r9q4z9Ti>inxNT511?;x}zA=pbBsQfv$+wGc3cJfFNjN(8ySIg&yMhUHy(iK2
zAsjMr!z3o81B_EUngvV{r2PzE7z|IPKK50i{-zgFo90J0!|!J4`}wZuet&|T@xc6Y
zxilDP9w?5sRnFp;8DXa`4}6~S%<oxr)J+R2%ZEVir0xuaR^r#O`>EBP>p#8+`XO`S
z8tOsxGl*QR7~>V=?)@mjK!xFKCxN&jl7t2hog%vzya`fRe0Ts*@iYL%eFS)NJLS>8
z_0mm<FK}?1nF*nSI{55N?B_r;wo#7K{s*KGIVKXITZuA5=CF35WlXT@dad3W&FNR;
zgwdd-D$D};+j3(EyTiD!Rf0r{`iV-1z4P#*w33ZVVO>M-#3IiijJ#G{D3ETr5;lH5
z7P~1j@dWp>ml9YKSl>xzY|IX55>+YV;svT9D|d+Xf%`^+<A0q+ZO&};-hMF&1E*S)
z4h^Y>$ye2-eO^FF$vx-{cXqKqYhMuL1Vdo6VyDuPZ|7e#Y0y~ELT!3;%XiV4Ch~Cq
z$gt`|*D%h3c1q{UJFp(|MhQG~!L-}fDLLmb(q4NCj0OZ+=H0x4L=<l^0;58>Pd9zv
z5m6WPIk)K*vCnu^RA8I*eQN5$8^eoje2n@Nes>-9B;1GtsR_3XyQxM;ii$P5H*C2`
zH46ZNxNgr6N4$x>6DvN$D+v^n^#s)`H#9ytJ#XVjgA}q1%-ZtodsQaX4HEFV-S<lP
z4E;K$Q|G>v+M{P{^wo`KgFDYpl4>n23-xj~FTJoc@*2<q2tvae`+4X$e6NB4Pg=8L
z`KhP&`BXQX_fHN>8`^p9#uOe=b~*9YW!~U@*J*?*ZoZCIJenYGXI@j9Z)J$0Ze(kM
zTAnhnF{xdsxW))K@XHUAg#A3r+>A{KmG}gErrIP=2pF{Uo}u?o_qSPuWFGqM);rlx
z>h-=T++r9gR39tYW%q%Ri?W(8Ncj|aA2ohPerp8)oOK*8Y-;NowweqK!@vEc9i+l<
z$vK&&AjbMTT#WQ}=By_DXS&>pp=F2=#kv%oxTNwsJk4cQ?@FhIVR9KSqq=_&#&yP3
zm~q1>kUi;OS~)jL2yp(<gD<e6#pc!|s}vtO%gz5>M_8zw<P6Y$r;2NQhEAq?x0J+|
zIf@SN3)f)Dj%ga?cC?94hAufh&~JIS5XMi>A!imn`MN#k=q`|^8(F@+$FycQ59#%j
z(O;N7aQA@dsirGL^d2kSPH*<&d!u6pJm$;p^_!Be7e*|aT}3?1hljG_Qsbf%z?`4I
z$_mv!2>RHB!jfH{;lp3>Q;R@?O133CalVEhAHr8!A-{!-@nnTyv8}LE-=YF-K0_Ny
zZe_W&F*mA;Q_LPvknepI$3B*jA?JoCC4m)UQ0Mjc%xn89W$ast196^Lo9+}japr8+
zEaQ$2#(R984tF`)tXSzdJv?3IL#R%3{j4rch>5mU(ymKnZm`R2{JLfw4~wP)C7$qQ
zCLc2gOpEgb*d3rt`1!;N^)<>*2q|roWFhfwl6>*GnxvYwXTdJtnDC<pe4cg5&v7Sy
zQZy0u)(cf}PZGcnf&t+!Op^IeR2{BFl7en^=`=$h<4v}mO3sh+Qw5jlx_r}g&8kDZ
z$0d7sYGETODKrKo94o02;o&jTBhEyO*RGOzS^{S;;w}wlJn#WOJB<>T5tZn@1}l&z
zFwOC6DOjis$RmUE$k_0i7QBS+a#O38p;Qcs1IPP+ONfa*ntK_N3k#i5tybwqzAq3Z
z;G0ht+Y&zOqWF^l5T%7rg7^3HRG->b9$Z78J~;A1HSxZ~3Fg?VttRD$k^|JhdWhZi
zJ%cC8OC~Pnqy@P*T#vAbV32p+P(A!Kp*R{Gn3}KkwaDUtzr{31^#vIdI02KVcclcb
zLmCGXkI^XMgQ3-?o%P7Q$^J<YSfZc&vU8hqUWG`KBya>s7+|(6tfD`cpnQ)en!<~Z
zt?DXK2Ofqk%q9VS%HH^>#6YF0=$dMq)i){Ep{KE*X098S&=a!gdQf8ggarlVYLDdX
zTeZ!+tU7Z;#bKVrK5+Hky~%SKlx|5zqDMu@nA-1(<(0-6{EVw_e)U|68Y_>JBhKBd
z8QaIaozyKJ{={SBf?Wbp0JBOk{Z*S0Pw9(f1aJqBo6$kiQGUN45s)SUKd~JAYWz^~
zrKNqthUuemPtNQpjj><uQ0Ez+=E@BXY|#Nh5m{~-g5SYwoan|5G2&59u8<(iL!T`g
z@y5P3VG~g5-C)U5R2olp<P`0!*}-D~{Qs|!e5R_nCH)6)V7bVMdI7DMpzzUklJ?Hg
zT{Dv$OqRgR2Qg<9D}(Y*PjQy+%;v8nkI6hR8i)Pf!4t+Up@1`uH5JRfw%J3m+O;2`
z(mKTMB9De!Pw;^QFq?3ra+c*S<Yi)P>`C>#Gg=E_<+;Dp3ZIe>aYfj4)~Cg3en0o#
z)bSM%8rsefjUWaHF?Mmu(Psd+paGf;F(@rFj;Nzs;{Y<>M#X{HqW%_&8`a?ZLy@uj
zHHyRq7lYj85JV#@yxyQO#My0hYeSTzGFm>4P1xH0-znx>+#~d(zpnZDgqXiMFf<*(
z4KAJ}cf^fNpZR)9s+k*Hcx1M}3VIeOL$!u6&Jsgw%27GEx-(h=i)*!~s;xM`uiaee
zcSt}nF15le*puO(!b=yNeT>~S-1rkg=aMl?TPZ7XMy?r1aersR;i?{k?^Rx|rXN$P
z!fA|Gzv$HJTWVc|_zrtb3^^TAc)ww-{~qyB(yfukO+((Q)T(kTiqqWk`?3;ul{JsI
z!zbBy627soKxxeQtcA-?b}r5(@tw8zJNtCsFUiJevx@L<5c{QTym-Di|EYpV-CA`N
z($_mroxZHKX1d`gJUM-4J^7K|M`|!EWmO~aNX4z^%<A#`>lh|qooPVWSi{&b2Bp{p
zh!MN8C~~^GM(7hzn|!{db07{6cO$1&7_0ERGs8P4Y6b`yjGN(7Ljd@D#pXR~=YIZ=
zM4<TvmyeI$+}E)wNqy$8!N9so>|%~W=li?B5eh{W7ktA$ml&(8dA^-&SW5;^ceb;C
zAE_Q5j0?2Ny6H#N8yK|RSA^P9y#jt7Ry>gJIo`ID=Zng=tgJfsAozZI?YmGwCbR=%
zGy8)Ey9%NtrP-{@g~D1lJG$e@7OtRUTesAbL0?^c8|5pv3{D-`43w5=IZw<IOR(>a
zN4h8$-~g8+3sP-Wnmr?j)kJNiKX~>P&Wf!Z$!a6pk#z_W(p9F1KI$z~Za_m9tzX#a
zNo!mWob!<E>TjHS;&~S`fZ5>p`Mj#B?yqrddo*=rC4!K~?!*D;%sC1M213(fz320-
zt#ZJDoewMv0)Lko$8YBj!pgXnaTmL!pYsLM^PBLJub3o(=5-#cs0X2o2d4S9pGUhM
zwe?jVu#ZSqrzQtq*suYn58hC>piCJx${Vjusv&+>e6f#8NJpo)QfOH!7XFJ{6X#eT
zg3}z<AjhTU`Vd2*S66ZgiTp=i`EH`40&@w&?HghbjI2~cq~vElWpy}2z)5o#->6A=
zVunaEg4e3VlZ2d=E`})??>9rE56*bKH6HaKHcAg(6C6odr*R(yJ>ExHYT4mp;WL`=
z;yu9<o@s4<AD?O@Sg1oOGd5Uv;1<@&bG7jiz50IncL#9yFXdcx;2zN4x*r{ttDl5)
z{0ixr{+`@90SgGIQeBCxV>ZWERy3TyTBN?RG7rizc({Hid}YzxfALkva%zIGd)7L{
zUH<!x@#NyDz7jsu`e)KTTj72YVD2gQD%@d%mpJf$HTT_7O|5;pSV2J$Q9xQ01S=pS
zy@@mx5D}$A1f+&)3_YMA(u)VBcLWrrlR&5<B_cv7k_1AN79<1+J%qsQaL$?Un>#aW
z&Al^s-TNPlm9^J?_s-7m*-v{($7efXJ14h>3W|eyri!hmb}Y-OIUCsBOBmY_KG&@q
z9@0+|YVaFRtgO=W8H>=KytV4uxvqa_*JSsNK@c#61*PGOCSF)6wn@}X55Odg?~_#r
z-b);SZN1az7yLTnSb-4AsZ)s-hS#pNEVMi81s;g|mONr~9qAQ$ac3skx{NXfb7^)H
z2vi>0Y_V)tQ`>yAMqDhriuNy&;;AweXK4}Tr`pfwrgxdSvYR~9PbQXv=avfaDY5NZ
zf&)RpVV`Vz+{%0K)~63;8n~Fy@}q1(8(OZB<a5o*na5HYx53@YM!;NFN9q%#L5%3D
zfN`+%Q_9#|^!vyK4)+#7KVC1JbhX8UfOpFpfTGp^7IyW$#(k@U^XGnszZVEOwpa6h
zH{pI+x03L+x~_&_^}eiwEy{PrFWeYxU?mj@Sq5z<A3|L_qly&EGQXy|ng%OC!Lz^b
zS@B}rNNvP>E9p|Cd0a?|i24GKTE6ZXo#MB5T4G!br+v=#e;Kr&&-F<aNxikG4@x#b
z^rXVU!;)QL_@EpZs_~<nbRl;5$4|3C)%yKs-WcbrS=pCmr`A7gw`XY?D6y7WQw<E+
z*cJch!5|H}q-_iqP#0Z)F~r43%+gFDoKNS6s#p>UoMf}zFyi9ofn(R{_m|&kQsMa%
z0*9FxWkWp^c?ZO6Wi!s%*=*-&nfs#$7KhgEPtup{SQf1&e1biAO@R0BtAL-5q}JV-
z)71sIyieQ?Q9I&$;-L6e;vWhX<lV^eDw?VbtNZTErIkqMh|U^`+Q)*fv;lwuXQ~>}
z+t(+7KVAM*0hyTotA$2y(vK|?sit4nC{J;LZwDKLujSBFs-~Kpv}W7UuNaaU;Q41r
zk>C_BhOiJs(Wm=0D+SuLNe6MZQ$p(LLp^e<zlt#y-n+lekEvq(2PAa{xBghQ$)w0x
z&u<)Q)*jFS!l({`>Kk4vHCBmKdl~6~qwg!eTgR#MfoRx`t0JU0+sV~mw$@Z}vRG1b
zn`^G4MvZ+lLekZvi~oR4sbj=OcHCJ6$3o{wZgVER>cL=tl8oG@LE1nTXxprOwxy|b
zzHKlq>r+keYZ-wbRvpYi>3oNnMgY5HY6%bjW|>5nIM2x8r>iG~-amHrXm6*i!IG@Y
z)_aokxt<TKL3~XeLuCr0t#C8KTS8XBNHf~f=HX~z8Qe@jmL?IP`_y;xP;&@Ga+`BN
zT+6P<=c_84lXHCwRvW~%FF~&Z>g<(_W@0I%&PfZ~AE@{8Z@pBRRce<m;q)&h#Ukz_
ziu`>8bAlu!%#_oVB_Qv%&=qL~CWj2ugJua<s(6pa*`L8y;bjMcthQ+*RC=P**0_oh
zUl3S8gXs$=Am$F(mkS(EeQw&TULo+H%N~tMZjIz9n7jU_V)lU-b9}?q9NO~vOH%}%
zj-=?=50a77MR6~!s#KIkt?S~|o|6=gpDKD~WrC4a2~f<GcV9?sbF>PGa(-G96YMxE
z7o^M1RuU~z*ywJ;`naijiPctQEiz>_nofZlj>OR2AeNM5WPV)OCuy>d*3^y7n}N%u
zjix)9cWKJ@<3*G%k`}M(Bd^lUxAx^to>n61n)4do&fPZS-F_Ak&k7(HYqFDS=jrA+
zzqY5P>AhPU)Y^i~`P;M>M=j_HY3f{Wx5jBM`ZXuqhP<42w`f^`HnxJ*-(YJbOons2
zwpYbSn{*JkkpM(jb^6*WB4{4SVsEG^yQXeG?za+NrTBEk7do+Zs0u1iYxUBE`znr)
zST?DFZ$~%VXBNQSpedo2Lz6g{(k$}NWZOx*rK#H$C6f4?O*6WuLx($9AXQ&T=Fn+K
zE;y8p%7qu?93DiR>F`K;)H+&sQ<YiDz2u|O(razCEJC}*(i@wG^aSy!(Ms<Xc;xt$
zExP9--5<)Psa-7*ET%aZh@4c4aC_9czRiL-ni@Tep-)O3I27E`MuXQ`wRdhSf9pHA
zY2x@@_7A!*xo>3KthaQE_vgLNtFa|hhQn}yd3s_*pk=R&DQE0i@)@QtQ0R*ZcY#ZK
ziWh421+Q=9RN|4YG|hh#;1{WFu6sa5D4x44<Si6%%cx!mBv>94r%5Y+=cq!k&-7Y|
z)+d!cXulgjlf9l|y-29WkpmwkD>s&6$zF7#(_l;#M_IZAyuHH@zo~4DnXzjrg9(_P
z``~x1GoG76g^%8E*<Lz6KI~{CffM!Sh&Ldj(QCS}#}*13Zk$pd%ABkUwG-*n0Us?$
z;oqx}(h(&XesxMQE^j{Cb%obIY4)>S{}Wl9{=;kfs<C^q@=t#Z|M0Vg{w#)8h087q
z3M2Uk!-1z@08-D6m|YOrl!H9_tRS$ItvNjv5*J?HAu7a$<6)Yx#)Ca+8eKUO{ID0P
zx?+mHKkP4INUa8-uW9q17AZ~m8@tyLtE6a4qsi+~`4xe|84bt=<&l@A^`>hwtfN8_
zp6?eTpIUJlL>l3Vdf_>0D0s3kJ2v2*BkXJ%@z7V_d0055{$!k4Y8luO6%5g@qIj$g
zpyHn0Flv=5Mpo~wRSkt+&L%57Y}BHqMq=AhE3gvC=%T2wCGi~6u;IBfE7`O+gOc*%
zrJCJyHer8qlRi3OI52LWmxheSef3HR)Pj;6e>*ld>t%&X7vWbR_a6lmRt2AW6VEy-
zEy^c7e3fBX%<-wUU`8nV4jwRKFMeL`RKIcX3NuG{aO}BqZ*(=sgFK(y3l4$N#0Yi^
z+Gof5&(d*lpf;i;D)H>qWc%mp-CU*h0SAtF2Fo>b-{k**)pN42fb)MrWDuhvxB4uM
zPKQRkHmxF+lH9v?D-%l2Sr3|P3kwgkMtNE}#~?nssG#+5*Qe}8B2rJzihqAsDmaj3
z`#j1;(iXUbkJyk%=(UiPigBvmbqH@pd_z)}B>eks<ZK@)CtGq|#5#10E1y09FD2y(
z^Fm>}0G@;b6#43bIY~ZkLG$?+mzm!wnXcrX0@=2-^zgKdw77AgrGAAKPi*vrDT^4J
zL$`dlgZ}*1>Vkon-})P>Y6Es6>RtyZb)h@n&Q|w$ET>V6Q6(QF2&ggbN;e6zwH~t+
z(OjxY+^b>P=w5@Qw2XiTgl+P1iRes&icW%^zK2yI`?vc+g6-19>95_+_oR2bAynn$
zhH?ztQ%k5HE#(ZQ@c2d2t3JxFY*<!*orRw+)ftV9kCj5dH*5XqQ5AHQs5Mjc3Fs<P
zs_9+M4Jh1_`n~R&$;6Zu&LHO{LT@Wx``Pk|ofrO~KtsQS>J!MvYye{cq6W+;H36Nr
z@S^tZrkrg|#Je#8*(`7UKi5a{<(%pNIQdlK_0xfPNos0-<Kl3TS<$qr%T;_v8{*_w
z(lumvnk9jofX#ljQ7;&+_f`@&j=gv8T*iZw#g;_g=-?m&u97<Glr+Nx&_aNv4gzS}
zleRfgPc2rxEI}E&yPHC6OgUT6Dh5K{znWfG_H*zx)H#JDHf>TC+}QjF92R$&jw7}R
z-F162ifYt|*)V`RI1zeuIA|mBxtZhJD#L2qW-}U_dLQkKao3n8#^m)p$CcK9vB*vx
z2~{R|zT9_7G|29|sBo=PF=JNi!VD<FG;zXfpBBKeo-$>m6RsZHJv|W{?Pdf%Q?{15
zx18O|x<y<f<JGK|*>;~#x6g`fL%ELhK$yO;PCEQ0E-*d#TX^_Sx^4anIQ)~|03aYW
z4Ei8@(`DC?fIZV&G_NOUcudBR0R8=nL<3Tg)aEE+QwnfLH9bEu!m*!S$RYvi!9;A6
zO{m3rJy$B<%w4f2b6?3go)I!;q%oDFPtNB4)Xo5+pUyXXte7H7Y*n1{Souk24T>#{
zkBM(q%}jt>V%%`2;T>BGXA?TE1SlMJ4qUJxl*N2jii*U9NBhmxRHvI-pQ;MWIx(6=
z$2OHWihmXPvCh`FJ0O+6@lqvKX|1Lzn7i0~xN>%O_bzmJRYQ#xtBl7z&a5>bfUa*~
z%3p_~y0*S}7}?QIQLWqUU*MfG$>}835WBez6($VJVIK$5QR42PJ!&Q-{e`QLZ^9Vs
zKck$W!IrVIUpAR1ux(TNRuUmged~_th`k_#@=Fh)R!zja&s8(Cx!WYuqOC0g?q(o~
zybF6Bb^TDK#nIpY_c2bZo9o9;T~w#Q$&ra3;7eB2^+e(Hjo;-tp|%P+NnLT-lKe6M
z06PY%czuxSVf#SZSA1Oys+l56{b=_D=PK9Krn^ZAcURF-pL|<Rnjb23G$`Ui$HM>E
z`V29Uid{&eEd2nAD?4A>5OQ(WHJ`$+fQL7aRB&!<{-Cz+ZlNx@ckG5S*Ed%S!me3n
zI;&mbOGXv_3I*3}YR&5n6ED+LW5L#vUzc;Epp8Y>Lf6Acd_xx=f+}?(>@@ct!tJ+L
zt&~vo>bA#AxVjz@G3e;4jv5SFocxGqm_zky8YHDtC)`~qFJ;bAy&j21RX`;C#APbu
zta<~!5+y!I_M*cUQ*W5#nqnX~sFhh&g=Ov#oKXNfq`sKH2kg8=He`yMJ=xNoe(~DQ
zb0^CAw_2P-z3JUetJ55guy50p*)J4k2coACNSJ%kgWZ6bp5C=d)Qw<&1=~kK5pEvQ
z;7=%jq!BnOGQKgMwH>K?a$qY-(vWR9+=cZ&K|$Q8TZ%B}Kz7>^bEBfM6R|<cHPJO=
zBCWo1=Pgdx+mokhr<&32ahV3&>$4ANYA*5E8O$q|OpI|Lb49F6tu-hYdk)&Sg90my
zJ(<9y_%<8Ve3CcIW>zqt*qzrK(yj!Rsiaw`u@1uoLd`Gx6;!~K@72d^H11Eux}#U~
zr1Be|DJ|5w2niv^W7lOSFSbFqWE2Ui;8EU#p32NDi`ds9{YNKd5eokN!$^C=MLvsv
z6;pTxg@qQ&BpwBo$jY_1_SkXoy5OerTU#)1A|{=2gH=}8v*;##_3rV<8EdAyX7Rsg
zn)Cxkdvsu(10<JGAzW~rarcL<<+|VfCaxLbaE#r$r7HK1Ir`<1khJ849Vbd}exGFb
z<ArT{37mWOnU(G4^49YpO9`iKRB?#_4H?1v)1+F$D8DmkrSWIUy2gwd;cOe07@Ole
z2r*pOlJ#R#(S>4xQmS;4*ySX#?2bKcfg28Pv&t0;E`z8c4gO7bPD1RwhT1CmH^M61
z9J=v_mM(JzD-gG7AiUzGj@B@pIu##DB5iEJIN$9>;U&#A>a)Jq6{XY;_tJ~~%oPq!
zqyn%B+E*i+ROkA0_IkSbU$`l@fWt=rx%?~s1`YV!9Ccl*^s-lqf`DJ#{7NMIl{4rW
z7{=SoQGnJjr+V_!|L3TQyV$w0bjYi%Tnx&-y)m_Q?3chxE3wT_8^6Ud_Dt?y0CN$r
zegIL;UP>1iyf$1q8Zk5R>(KOZ_3O%-0wZe5w<5>F{z##SXNf4flB=@Fl|Aws1s)kS
zSMED}woD4MW;1_98uRyk7A&VGi0{roeEbhk6-(1MmpyVFsg6+DeC_Gg2opron}~>w
z5MfIbK0CK!bBxr0%#STzIa{$;e$l{75xTmFH#2WII;9)NbtbfgED(LpVZle0>j&Ra
zqDWZ*Q8&9XIL~iQagL}<kHF<@wmI!R&nDG<VCk^T-1Gao`haC80&^@gJk2xCY41`o
z;PgH`;mgozRGC_1^Vr1^3f~=|%(`PgDCfBa76Lhc2#$<uTzEnAkyWelkqwZvz71gq
z8H|_xjUYi0_JKi#Xm<8Cvq=~;mE2$Vc6PocfmDi*nqM(y4yY8TLI%HlZxek=@{F7c
z%YHZsPyP6d*WB)8nTz;kB3U6s0OC)&0lVeBLb{Y?IC|5S)oaYv{nI)M)p->Dtjo3A
zV5TlIs-?pld@&}DWAF3oTkPm}i|+<XNVsc^f><}-eR%r1w7ldMH7otCT0AQ3HOHuQ
zd;HxpN7A(UP92-7gTm&zkXSZzMak?Pl4~ZjY?Fc*4~~<mhGCg{-<6ZV&I(&DKBVm-
zyXz-N9H%%7DElYQoG5eC<S!41IE?QWw1a~m&>h?Ed9d>v)EEAFpJ5FV&#oJL-Qdxv
z{EbfD`O#<X<JSDy=otuc#`XTBIm<5?H^D)_)GgYLWN@1{8mA@pJ(=VI5v`rxhhg=s
zm?h`D$391mq>rzJ!sAIFkmSu^vClSg;K7USqGL*(pw$K*X*-{m=~k?>z0u~ox?xX=
z6TocPnO`s4G^s4>d6ToZt&A7>C|;>l;}g-h`w_$DMxf5wWYeUofm&G|nvUA1z`3l;
zupjejqw)S$+(x0gDg#A}pLfFojBEv#XqR5sHMZT4znK2hrzwdEpU#kWq!l&49Japx
zO<KU80myt?0gDz;{v2*M2UuANzqI5T|NX*0x$kq&;<-@H@VT3u+DV+?=OGj}U9tYH
zwD(IboX2`aau#!B?*@O{jlR9A@Z|LPZ45J;eAxje$%y~H`2)X|RC;2BhCVnPe@JQ3
zZu;pM#CG3?!sLFfHhxbTM><kdz8>u{k7*YS<X#lj3q&ki3rN-yvQYujpgfPS86DIj
zNC8de2iK!1-JWn5H~euWIRCfE6hAn>;T)|ti%@!bJBBhOeJ=L##xu75Eqo0UeAdk8
zG*>nU&+2y%XSs@o3l6L*{B`2A61Yu(#TW|<RIn}JJoO&tnOnMFWp*M|2k~ITt#WW2
zeJXjYp~?#eSEM=W!51U4m5T_v+o|i3<*QgJFB!a&Q86DDiFULP@X(f7pdVyf0Mfg!
zIWQ-9EMUB=2T(IP*)Lq{4(*Abw0bW0YtnaHQMU}|Ph{Qe*Zl-;ZB^v|d^z%<RdQDt
zZEm}&dpNlH;?^k>1~~iOAFQY*9s$0|(}>*oL*5A^h2M*X6%f5g>Id?N>K8D-U((q&
zpLcl|e&?UUCAP=6r9kg`U78AH_xBukC>^!5tSa{4E;*Hm-;<@A-+{`lYWD7Q1#$@Z
zKrTk=2tpc5A&W1jO}dsY9o;q??2$3F{T}pbq+sWp;!(%rxZ4$OXl`Lpq_^t4432Vy
zX`uxWr387aE4Y5=<aRgz%|=~z3xc04IAkjbVdwF2>QoXO1n4OKWa2@ZoL>d!y1EJI
zsdx9rtwi77s=NIkh?nkUobt9(A*?O@em+@SVQ?xN2Ba?EjNaJIOda16SGew~^n*b1
zMm(6&r8S+Cy`3GQ(2NJEB{!WM+7093MmMV<8GMwFl*LZLSkAu#X$Pa)l4Ac$DD7D{
zv@a{pu6(;;!^n<#4U*d??QTMPkAlT$H?ghs+CNeHo*QIbL#SOj>-@~*S#_z8n?>*X
zFGxW}&o`aC%=k;2UMfIoP1pI5bdIp)2YURO9BisPf1H5x4*6v5wB$&nDvt@w@7^K{
z^!z%2&sCkv@NkzH&*qqFAFu4`Z$c`xA#2*p1}#+xA3addsS4;$beOFLSlc<UEBVsV
z%&y9p2(t-TiNXq^w@keQY@7JX8|D^9Nf#Xiw2D}adW;2R{%3t|Up&#9f(>}eyCn8B
z+P3C%W*~TSvld^mdbfE@z-3Q|+*h{))FZDBMJ)kj#R(iq<R{-#i8Qs%X!K#W9Zqc3
z`Gu<pr&VQ*X6}bV>3%oJ(;A%yr*)#Yl&u5wOMh#t+=QlN50a7A3Rtl?QCzEZ`=B7<
z_+)RCff9(4RScx;M$!%)uBm%aEDP%`){WzM(=l7)Hnb7hf!&wCRPo}C3L-n|=(53F
z14{WSKKi}lt##3C3iLvr?=WorPl`sir1|!liz-RMSUZ1|$AERss@KXx^M7Tj0#Yri
zyo5GX;s>Er(`AStGq<^m_3ahu%U{hIB$d1G-A~@O|Bj@hpl-9xUo}tu*!NV8YCVtL
z&RzLTX0s)&YCmY0M|{{8PFH@NRiHphxe3hT(m`WAqn^-p_74zsf)hD6Mpc9Rd4`_A
zx+<&fRVZfg$@vn6*g>zzXCJbu8&A=t8pJp-bkA7%QHhsoSDLxZN$Q=S)C6k(i0YoJ
zV<Dj1@KiNV$ns?92rAF_%A|uqm0$g@zh{*L?A7UWz31}|`H@~GvYWV>V6w6Hgve9j
z4h^R%HhjmJ0$%)0TiN9rws*$pQ%#9kXAZ>ugSR3+?ydb--YOxm?|UF!v5Rg2NsA56
z&+dV}O-$vB^ZI&wp&#SGQ5c9M-dX1+JBpd}5WnLPr7*y&;h7nV*QWGSu2tKqLp$sa
z9^JjLw)<fdIb>Io=F$uJgbUMLVz00p3g~Aj3xu<h9%9Eo`q5*8lYFIQcTaN-l)9e4
zoNny6@7}s~t$LMn>GB3_f5p&VrID6jJs(0%1!V&xmS+ukijfw>b1;-A^@}I70ilQw
z;-g2((Or||we6_!jjNo+{#(%HTKQ2jbsu%H!xz5LM|T>d>ogD!w+X}Z1g6p%Ww7O;
zsIjy>Ud@{l&+8ZK7Lf~*tV72cln*y^n3LqCudo6sY+>=bfV5R>OuUzf!|jxsOD1*R
zdI3>=mx~)CA}y;7lugEp)Ia-`x<Yi_X^5PjG;NDB9(3IZweURoD{H$$QJogo<Hxvc
z;?Ah3RcD@2$xf|r<S<tS);SclahPcW%aG#&mtQd_Dn<;p8?lS{<bJoW6?#;s0vg#q
z8O=^Q3Ow#M&+*R!h_@Hpb>{>Nw^2*DKVLc49t&%#NKUOvt9W~I_M9qH`sTr7qI8(1
zXu|Q@(x=_{Q8L-mLu4pv2jTL>{v@>Y%oO1inpLf!jmF?2t2-E^-NPON^soYU4QoID
zVqqF*sGMKtjOU(g7#cAqL7|B!wx^SZ(w2zB-DF4_&Ip@g`_nqR2+Zo7>6P_p0q3YF
z@!OHB>ypk@)eehq(7O$v8ZHtl<K)ptdUUS(<V&}gRTz4RgNCWS72;(9Bp`?U`fsYs
zwBLc4{m$u^#s$!$-xJARyMiE}J2SZ1CzGMYKL~Z2YZ=lp>=s`cj92`m*4k`2r5Z9n
zBteR?1EZroc`D)(g|3Fz@Pk*Rbpl2a^ve64@Sn!z3XzcW7r+TOu%9~-Za{s&U8iP3
z#WzjrGrC)euUA!X{g3XfJ5t<xJ6U4pFvsgM`RCN|o3(K+grGgguYBICkKqq3CmR!Y
zq%Z+e(%w9Js;-&FvM}(+PbY{EGe`mkCOn<E0u1QA-$LD#l(@g+{Y}edNY7Rs0A6df
zDDJdh5%X>6;q^XbW4zD?D!G0v^<ldxx_1adeb5d$PZgTB)qo#hk{~h^zvY&&P@-a9
zSEA%+1q#Eo&$P@3_(gAdf(_Q(S(^v?{dgEHS%5$IPjk%RKUgr-%0IDS2Cl~?sXVL1
zkl@r4wy7+;dULNEe)0t+25>NW*8C5sc^z`yZWCi_+`T~pcrTE>=&CiB1>>{|Z#KVt
z92`wr2fe#H%mlJI?heG6HYx3Xe@lC)TBSg43D7lKP=|Z;)R7wccSv`4U_{d~C?7Gq
z^xZPFNN(rZqgY7=5H^)I@7z(=xAulY!MSl&#skg6X?YlhER{q3ruLHPbFuMo2<_b)
zn2r>M>M2#WljP0SrE81qt;!`-jt}!7Yi43!T*s+5@cdD>b`6J2y+~6~@Oi{)KQ3lL
zhhOuG#3=Eb;EJk(JAM-5wmPA8jqkI~vRRZo1i4H?8>I`1ZQKF^jggxUk6OpdR3Zb%
z<(sGL&C+k8llUTXd5wt&nM{BT*RNJ+YrC;vN8l~%=FSsO2L!h~Ue4v!ALBs};LQ9R
zu}Wa3WNULepAdHFiT>Twb9I&yBRaTjH|#D=r6svGjkKa-ki7fP8ld{$8eq-TSf)_-
zn0@eljs?fsA`7JS<1yamtZP9RIx=*lG|m#Cy`eN&D0y}=?J>M6;!R51Zq0Ap?X>#T
ziy^b%*?@^!3nfb*F|5B8Zsb5`S<<*6+gep|CM2)zE!`NUOML@l>p5K-W=n_@*Hk@4
z4*UrzovOcB-P4g(ceW-qA3OjgMy|JHva=22BcJ#7&Vpq-o()k}XFTr#vqtmx3sZDj
zYrCNNO1cM(<@?r#*wZ~RN!dKrx%to^r9(narzA(wV7_&MBaud5OFucLX92~S0&*L7
zC#y<T+HY1`bTmt^@;8ezzjh1v3m7fsE)H}a=V{ZP<B}rs(58s}Ji>(L<*$=lHE3*w
zCu~;2A({XZ=TqH+1%Ti8yoYC1E)8tWtPAJdaUGJ!1$@6@3a%}Eqc6OEzP@_4d}+2p
zTocugNF*5OTCN9`kd$qOamqa8-||O4VIXQU-nW{$?<r4tBkreJpq-|>&T&{BMdl04
zJHqN?uV%jy^AXh{`QwmBtUyi1e59Db3&YfiXCPdw>H{`^#JfN<j8ly)e5so5hH0Uk
zBE(kZR)fxPEgQ=NT>!%I?Cq8l)gQN(b!FFVo&q`|b7&nyNBlrLgn-J2Gd~I6&Ve?e
zP=R~v6Q($`;q}}+PQn;>voUntwW#Sd7bpOfyw!Ve%A!eAYEH0J3hVF^hnW3_yWM>B
zY;dIhssDWq@dF)%&>^ij-hS2Nc(n<b%rcf`@ed#gD5u>KNg=N5%Q~i**X3nD^SW2r
z02J@%I@?*D$RVm`C?Gz$>PwbE74on5{;*+SRsR{&bonGp4$Ns2AJ?l98dp`xfo%cB
z8!$=NAQd{Tsn;6Rm(oh+1Sx?+cLjiN5L1g4dupA&VD<bTQ?b4H9fm8p5AV-D4}m{i
z{TQU_(ZkYgMnw$&IL)CHuX5NIN(y}lUOB6#BOFx(sLK0Hk*&09b+P>Kik&K<fi8IZ
zMqOrnVsd{JNloXI!=pgo(XNrS*wykSzt34+=nybTepxhcR`i0}Vu*A9T=MJ{Z~87)
zl@*GTs0i>4R8&(f)I~BlwB7dMRO$aW*sWBIY&K;v(cHVDi@T%W;OHC^i<&38JlL)w
zGCfhEvARQB{C>9NA0KnQ0snTKbo6I>O_OV$MtB7KbO|&2rkwZsj<Xdq^O9G}&<|xD
z7_U}%q{^27WS8O;KDmjK`}qGD)EOcQ=tbGxLV8qJ%$s@fVT@k2M9;f2h!x3OlJl1$
zK)g;COqn^MLuO+b;QsC$-EhgR3T-Ykm;+>B^<)P59t-5jr^)-tv-4mJJ~tb!ZlB$|
zMzM9>xhz&_HN=;7**`XO<Tb_2i6}B=v_R6!<gB}&VmRu&X3hG+Rq}AqI!QcD1J@+B
zIZ%OFV_Xb|xoY^y{5j(zm~a-48+;IQlB|E`u(L9VcX48<(&qE1R7t2rU-OfQv*VKr
z-_tBG{(oHuud!l)U0lz_Myp4Aj^@S-);6a%`xyHChr(q?m^;o22S_OP=PlG5iV^Sq
zT`-*FBU-hkH#>$OA+qcWAt@9o_clG2RqmO4xHxA6DMc*=kJKB;MkMh&?Pi1w=AD~c
zr&}}kPqP81Pm|)*3Hf^HrKtSdOW7qU4M$ezR5)i%`&KmwW__!vC;}~KMnehoro_o$
zA#508lfEtzGjO|kEKk8-rZ#8OrcjNUiLl>|HgSwY3~}sHOR|2F>_pw&6|D!dIqpE7
zY%HVCW;6#;VNuPlIIt*N?%*I@GrLS#qyN2pN{eX+(b0clLO4Uz+9zRLqSTvZ16C@;
z_D>q;pTyg_S<9;(HKK7mLH8mz?F(PqImPZ@f{Yp>%d^kFOS*m@80sv`_tl0Cl#93d
zRiR3-#91-^wNCLWnQ;svoq)SpR`gk_{X?UwK{I#1;*|17d>Q7sWj{tN$uQ11Fs3Gf
z_=m5Fp8?Wd&?}BLBi?vX+c64kmp{e;y}5Q4)|*%_i@ZRR?3qx3{7bLt{?Wua-17v&
z%(^}7@U0)f`|m_+xU7NL8SmkR9cho!>a(@@Rk6gc23tOXBS(SkV&OhO9QO3@Ia|9o
zkx<zr`C&KT7ubTpRhgXj=LNx0gh#YKPrXNf|3&Wj56HMTt!j4I>0u-uxqG2{oNW3u
zFA%khG!E%1^+`=vd1HHRm#U&)J>T=hMO!_ne92325J}&~ypma%{j~kQwk_Zy)h=t(
z)?q;+B@nMz;yT~-(1gFIKpv-%RVwiZ(D9~rXB7`a+nKNRWGtd4a2XUBc+lKEdUAB5
zm2)sM9zn`?3jnDsKqY+u>=C6Kms^Ef$&JF@2HNx6UvJk574J>3ea8oOY&KHhHr;pM
z8pxSEmQ?ii-??#dJ+oAlNo-$1ZQ$fk@wGlbDEcN_Ym%|c9@9iDfKq_`wNP9x*T~L&
z-DURu@Yfd$poc<f$1zO_4Vb~;qAhABO<oml^PeW)HLZenBlQpL>D6b>XMa6G4$f;n
zB8hlCK0O9_p2YtLywwzaD1Yr{{E=!9vxD0AE7YbXoe+d?59-Lu0gx1<wCzOzkx|V|
z0a~xPC1{iUo2Y>r?u8w{4mU&A7Qnj3_y~<TL<xx27ooaS!qMqlm8am36;1!#Q16TG
z#Pt?(^JVd4M*iVjK&o8)>y2pKTF*!BzD292BDXRpl00e$;CHIO<9n1UEsn@-f+B3p
zbX9z;H|wtrr*5ZX(x53GE746-`h+u2gIub-uA}S-PmP9pRi6_JrMjd?(bOf<i`2LP
zx_(mOY>Wr%cZqIYIPCs{q>j=agi&9`$ZfJLUZ@ndNzr1Dth|==?dT>Zgb36El{^?+
zy<qt5>*aVk;i&A(UY(OlD<ZU7!z~0>w_HV3){RYbB+>($b!I-yMb#SIC?q5a`8at)
zq}Ewgyth&QT~Lra=kJw~SQzz*T0Zy^UkYpnXCwXr*Pk`HWc>+MLiP&UH`O@+hGDtG
z{E4ql)LcG*<7#HiT|Yy!e>D3zT=<qJLqb8+@~BiZg9L9)j|wud&rk(WG!}+(>lsB_
zl@zVAKG3=j#>wXHUMPwxtI!EjQd=e}GuBtj2}~(&S>sn{-Y!2n_$@*t=>AgLm5hn|
z7|1Ve)l{#u;$mU<5@4yEBSGCd#}=OwIt*yQB1opjujogSW>1p6doZp)LaEi{>%mna
z>A^^uuYU!5j{+q+H9Xm0?|5ERFCm-%dJFv4N6TGI7*-v86;h&c6P&wsMvY+P={SDp
zx`Qj*d|-;aj4N<d2Up0r*equVaL7x>+h%9LZXVv<j8kReVPq+*nApOmGA69UKC&Qh
zd73OOoLUqd6nb}#{|#IUVm-?Rrl*yh8!`0cXwQ$mjLF4G31lCmtsn6z)9(1ORbt1t
zhNH;rG9&i0i=HAt?Z{!)UM;3$cUfW&`*0dFa?~sruNF@u{D^P0d{S%HOI<|2IeZiL
zK#)5KG9<q;t`S)=1RMnUI<1X<nmRBoak@WjcLd&I)!r48`Gu<Almb(r)s;kfAbPIV
z@lWmFLy7&0nMWZD1*eWV1j%mR-^<dJ`PwYd@Va*YJZ=Kk&jvmq7=6&9C3EcE*z)}q
ziT6GUZn5u!-+WQ(WUSq{d*qR4*`B~St$s?Wb&Gy)%vlCvn`PnZ7@~IhC7uy6{sJNX
z_l*(T9%&;zkR8)67742Lv^u=?33%Za>vqIl#!0-0U}P!PjHp1_j3rRzxbk>KQokGr
z7GL^n2h7?NfR(a4L@78j+H6($WcK5n`_kMaJ_r6Py*L15p#9K~?%2k^8V3qz^2$UE
zmQHqM`<|9cY5S#!Wx0N_b|#$-2HGu#o^AfIE}`b*dS+ySnA2=kwTnbIEc$E<KHGCk
z*cgRMF8IZ6r}M{3l2h&ms<by{)x`0XL~gq%Y1cB3i=k!!vs$Jm)xCxhYSa&q1ToH@
ziRKkCasT$kQ}SlKS15OY&Rp&UM!mTvcz&t<JZqD36L;{vo0VH}VM$rgm^3+8KozZ^
zKW2(L$34DNr$~B_BS`{V|5-SyIn0>hg0p~?-K@b!V-Y>=L0H+et({&{5_zX?`da&k
zn0Q<4cg8Ou)0ZHDbF~4JkB+Hv$KE};-d4si{J+Haz#YRJJbL)*3+G0y{T+z8QpQh6
z-qLD7(XIM`^|7Iix(I(a`tC8ZM{Z@oiZMN8pu6$n@?BPU$&O<xJ`-i7ok6OM!!vEz
z1-Dp5UXMLxc2D{7q;&MqyT{9->d9G3QplXJa<Nk{5SPfD$L@;r4q(<tPKBFWVnY;p
z%LoBWJ>GWOhbNK3-0!VgGN&rB>KFb<KdkE4LdIEk10~G)f%}JFK>t;{@Iv~}?M=9G
z_Y)BC;vuoxsuz$b{4Hg^`Hg#?n}=aF@YB+^(;!Y_Nu|A}M_ktxCmpEM!R&^Kjmc5v
zPxSSWfH5A%Azu)@{!T<c020x+BWX^#p9od>0o#NlLnHMmgu|N$30UEtC`Bak$mBh7
zCh`u#N!IDSxm1){2(;hIL;Oi(>BQo;Ovl!Rpt6lXy@zaFq+zgCBK_|(24Kb$DXoK7
z^0jX42^@Flymw=f5_tTTGiT{<1gEhXFNFWiT=A=EHsRxE-bG-^pL_*?@H6(IDUIWm
zo0>xiqItG7ipTJk>r4^%h@VwZgS8`wJYbvXnhvW=c|-xM)p?nWjz^{!^!-tdm^hLi
z8N~VI0BG-z{ik`E8+e=nriTOFd(3?|`9wn^V^Y76`vEX0x;sVw!0ri~?+yn)JXo<m
w0OflA8)Z@d`OdRIPt1R1gIeHYQ&Yq}4upviLHab=kFl`3TK6?eZ$An77vP_Ui~s-t

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeCMakeToolsExtension.png b/docs/GettingStartedDocs/images/VSCodeCMakeToolsExtension.png
new file mode 100644
index 0000000000000000000000000000000000000000..9d51f271ebf0a82cd342026c42d7e71c5418f1f2
GIT binary patch
literal 19063
zcmbrlbyS<n8#P+IxR<s_iWA(OAjO(u0a~EAYYN4k;_gtOxYI)M;;sdPw?%?Gh2S3K
zOV2sK@2+*%{qL?7ByW;8GtcaK=GlApL~5uh5#l|^d-UiL;VWf%%}0;WQ&ImXJ;p};
zrWoN9M*Tr^(NvOqR5?boi+X}-EvqW~=uu5P{;eq%>N&2HvYyMMM?}4Uf6xXU%Pbx}
z0u#KFm(}((LS*BlzwJLC5K{EkZ=f=v(w(33(VL$tqLNjRg~UX$;ROlGYGBICn9Igu
z;nK=_*O|pi)yUsb%M0@H@iojAp4=b$h*)RSZrLND+g+zV9fwO9VlGziGd#w#o0ng?
z?fnidV2k?ukPnUmD?lhv4`w@UZT5ezu|Wz8H2=A#5c!-k_1|mYpJip*f8VD7DNs}>
z{`cc#LhS66|6EHcgFwFgcgxuS-?!{HpDKFgdC<IlbTYzYe!4X}CJFYBY8`(rWEau^
zg%_9)#_cRL*A=ALdFGt>ZhGyB=Ta6+78GbkMxC9x#sH-0%5|y+$kinSsf>Lmsh(}j
zS?Bg2EVkA-t;*HgOfpo#zP>3xIZ0s6^(C{;c6$qI4NMpPP~fODtoc)8q3J|X&Xy$A
zy)&e@!w)&}O<$z6y`V%C8G})0zw$Pv_9NcwO?g>`Voj4Uf@eVpc;k9;nvuBLe!7Mr
z5v{mjRn}|CMduN&YX_XQ9G`<B9W{l`NP2eocl&Lc3d&;6uG1MeBMz|FOVk}+aCcmp
z8FPL{-@e|?y(~<ncq-w(-!-i+jldsslHcqO#+gL*#Mf<BqYrd{wSGOE$_f#)9;0zs
zXyOC-T<j0o@8!P?k9*y@9wz~I=wcrOO)D*d^}@ER_S)X2oP<Szna##T*JFIw;(E-k
zPd0bvzwdqUy4LkU%zy8Ak>XcUMj=5_q*bams`Gm*jQahN0y`k!b@K@myCE!7gr}+s
zoNQbqii8Piq$ydAWkvQ!Qz3IJ&rEy6R_E=j`cYv;sPGVo_HTT)uaxcdzsuTHP<=H6
zAi_GH{9hl*NJl>l^_Hk+o`et;T9dP=IBgMz0NDYaD`>Z?!~sX0Rr-x%xrMvz)A=uP
z0{mG{`MzHNV2r<7exv<~W>ZyLvkX!VX=<K|{_GSI6*c?=7zNToLG3*Xt)zUG!zq%a
zKXw=x*(-g!c@>xo`Ln2g9Ckn1S8k8d=4WTOG$=^wNkIxb%&x#w#B$F(w#TxY&Zb_U
zZnAb`k^x3C<MXd)=L|giUR}9tkM-Z*A@9UtEew<k!mCl>G-Cd96IA1`O8`wK;-_<W
z3O@CF?`%lG+RkWHmzntGSAHX(xajX{J`hfYs=kT_=d1@Zqy(Yb_;)V!hogeepd$O@
z2R&oN-_}7j1V1FkIkZ06*I?q08gd0)Y^{)}XfL_Lp<WjT8k`>#TJ%^FWC}csB2sE8
z(zX`V{R4LL!%wE5x>RrqHgxJJ6e4~kGJaU;3iLgnuZB{DyX)P!osNoZ<4(#{$6jR3
z$oMH{I=H;ZtTcau=i;;_GlrIp;gjcgy8+;|m@H7Z#thv^b@eZmu2q#^nDc__Qv_w<
zk4U<IChQ+|n=wqYj$T&i8a8+AcF2r;%v2KnO#|U_t<cGw?W8|tleuX-$jO-A0j4e@
zD6Mwt{Ao*vqs0pcefBe*8FzMXNx}cMtzu3$<Ty|G8>g=#JpCT^T7!zQs=@a6f)o+d
zaGCZhEgK-X);_L{rt(lUlv%hYk@CMs#Up*!;BNHSShqYgLTf@}$LWQM_I^P$cTc5Z
z>&c&DQK4<G7EH2!Qs}FVI7`u7?cwyGWUnUC$a9SizR&EWEkO}%^eJWag=PDt`i||t
zs7B9LSHl5guM4FOOe{ZHgGd8>X(<XLvRa4lvheNkUMl)~5h?5G<dPCKS;2w4bB_B|
zL``QRQ}@+4HbiTI*k1m`Oq!27GttdXHiqu~@kj(TfnEr26?i>4c$Q?#TCC2<zcDmY
zFAcxOyivWO_k3>QNhXZ-TD4QfW~P4hG;&ifEC@V5sIC=J6QCP@MlL;fc*_lXtyky&
zNyM)PP6pEn^g<|Giu#$*&6t4r<Gq%g^gA+}#_Sb<j;Ji#GeF@I5;XWvj071IefvhK
z8#4m>qbRSZ<RXWk30Rr@EQ4HMB%;u|9myHR>|&bm`b9?2h>%AL=~pTv&u;ZbKqP#(
zdn+27F{Mnfu+5z!bvE($H~q#f+?OswQgB-(M_e3#(uj*1TqbtaTrumn7x??(%FA$T
z;)x3xwPSjWj_YivmF*gn3=@VvW+E7rVNI?NXOB<e?F)nRsY;-GPmN_7eTjO$Z^IoG
zti`Z{EDhSt-P=|YL7-i=@-=s+6rogY&Vh8;2jOo-?*<zZ^TBQW8{y9%&v<=f+a#n+
z1<z8XmTiERx-2V8fL$;w@slR0lrjSB{&+)?8Z0tKdy1rmlCpv(e#C@yO}{G<zm>RY
zh&Dq-R%Uv3wx2<c1}1r`m2^{IQ<w6gmb%pDws|I#oJ7F=Z5vw!P#Aj9de|WefbF=x
zfDEDO_0_BBB-973JulKDMrIcTVn|9W@ct-NCf^bY4JN!3R7eKWz<f(qsu4AuSYbbb
zn}+96RTbfIcRGJ62{NHNtfY)Ice!htvNk>LgjgA*p)KmgskDW0=vFen6*8he+p7tx
zNTy0{^(@eGmgN-EI9ms&`AV!9^YlYjRmk<`Z9?0WQQiC2tQGMp%Hp>C0!>_MeeDzM
zKf_dbX=Q@_jG^hAv#T=7-SWr1gS87(ab*@Earn-<R9M9QvGNQ1Es?;4rY=P~AWqcE
zoF6G(18}Mz$dq0tsIX@qFBOJ{fxYpX3jI9Ii{>d|!w7Dm?_(x*gwly`#h6%by}6Q0
zZ@-YT%h3})X7r#RAb~2AXf$#y!KMbR>5kW&El$5i4y{tSX!N;dnarZyLQdvj_9ZU*
zf84LZ=yNRY&$d<@Hoos!8ah;^h`_lUo_?thEv|pr&>Ofp3c@cXc6fL^a_U*rc4c!(
zx>qpH4KV!Qd?z*SP>YZ&coFYvSdjF?hppN8Nn<*`D^t%C742FA$BTxKuB6J^nwXIQ
zUjvZu)lr*o5OAj_pH04aR{$A&XI7F~&3T$}$Bc}aqY@76Gtav#a$N54KbyXtQ|npp
ziBK!rj+K%jC*^LCS@F=1dCb3)8ALxXmTKjVLg`5>P^G7a*&Q{m*-n1Kjr}EO^wRxw
z$Pn9G*E!*B?a$Cv(EHc4nxC#=hgP3wg`jgC{G$s*I9uOCJw^RU4zj@hY0mC&mH(T)
zNV|869*0=xcwti+I0XtA^P)$BUE%-=Q=wEw>8uM)GD;^{<f$?5f0(=CrK8{nry>l-
zCOp|b#v;=!k(qCR>Q7KEhs4)jD`)PWB}Qw&&UzTq%Pg{|q$xVZ#Kf+rLS^nyN!Vj^
zj_8RS(Z)+&2+)a+Bfb&Xg`p4-Y)U+V9vVS#u;ov5?~rV=MT$mmTcW(?;gTDHIb@Ij
z{I~fh;xNN1gokK@O)&baw|cF<c$)$>$UzF(5)*y}=4l6b(l}?YZ$&&@vnnOo`wA$`
zw)7M&r2*csk*+*vGAK-<IRK-sAdc8&H1!uyb*OQK4IWs5$p7zzm3KlT2#A7UqGM4N
zYF4%dq97J|+aMB}|5(Cj%#0T@L^-lBF6Kv5W+83ry5EfhIGcX;0`e-*Lb~TW)ml2o
zs-YX@6I6;<DB_gF6Drk|&%RF2!pNH?5-y#(ZFf86^Aau4%**RM9g{d^=-P)XW52u0
zP%P#wl%6ijVoQ;L=#{F`GBGpL)6=8Xe78p~Pftx{d8G!`SPUgeevo0~Z(f@}S56LM
znH?9LN3HtG46#9XAec!((pnf2@oO=J6icsKE+`UwAP^9jgeYFNqPBb^4vc6b3P-&s
zJ!qT~@?9t3R9Bf=rRLe#A4ds(S`;{CTE;?M#>566q&&B_kMS>>mclw651#+6<1{oo
z$E(=-RhvmuDUyd??b_&CzX-c92pzJPj<q_!F_A5Q`!pvp&{f@lKfb(z>=^~S@0%DP
zCoUFtD4_zu@*JC4NKb#3`coC{&-m_-_Y$zg<wO&~a<V_D{IzIKu$IpTv(~A=+GJYV
z5YLQLv}@(NNhQE&-JtskZDP#VlgYCRy}DZ^m_t19D<f+Cvyfu&RRyq-ATG7}bFXt$
zoso#fZQ4PT!!NFpe`NdyK-TTI>%r&8v&J9#DX*8vpYL*fV$(JZMlH@*41S@X3R2z-
zhn5xTs;JrpCi)!=ew*=+&fG@#;KXcc5ToKTazg7cZYGl$jD5NHQ=9TrD5hf)1rLLG
z5NTu?(^e2I9=(173jYS8FBm4mT$q9GmJ&3OS8UZq+3xc3=dbE{NZgTso5|!GPy*yM
z<Xt>ZPQ1kkJXJ$r39+E+2A@s$Jdl8&yKJ{!f>@d4Hfq9@$M>Z2qm66jRI#(Al1K9M
zu-`qlG-HgRZou#`z%h`bYjPEJT6fKJO#9+#cVe*;#o^>IM7B>W@q{orDa$=2XtGd=
z*x2AC%}FJ2=rCULB!cG!RF)F_H{PffM~)Zr>MC<OCMr_ecf)&-*5eAI5e3j$L}8TC
z?o2O)TcP}V34DPzEk-EQ_e>hda?K%FPy0%Hj0x4T*@oiRX*Y>lT8~^Zk)yj9+~{{|
zBA0xlZ&);Pk88xS+H9jcj%ZdT$22<rvLef5RO^$IlM|<H16kSPP5)#x2PG{yVez&-
zknOjgX*z}vI{F9ae&QKSdBSze&#nI->FQ>iE|>~P$(|y8ZFNuR!hNNnkrbL7=n}RZ
z?zTRFHeG^tn<WhhmkOK{W>x?MbNur$3I@w}+Rm1j30cKWUSl=BK}oRA$5*4XP+gD%
z1+V?v%Cam`(!sYCT`|H?!FT_%HqD3>J;;!<dG<z}uJgH4x|fl^?5n5EZELrKyj<3g
zokoS43zA^j(U;t<1PIs3xPSN`I3Hq#s<~52-HgNZtE7xH$hc=S1g@E5_I?uUR<BS&
zyzZ~NhEvm*YYG)P{^f~yk^De*mu*e=o`Nrc)zA2g1<v!jCX;6#d}Wrzha&~X^2`}h
z)Q83&LdU-SOE-Z`!$oBlDYcHJ%=a82Eb&g!!@$Bo%2SYH8a8bpwIhs&omJ(iFm=ZL
zPtoMRTsB264;BfQu1#Nf7F}{jd&=XE50<NGwmWXL`7|}GmBw)r4d!=Y0k!>Mub;8`
zm&<~Griei@Qc_~NrF7OB>@k#pp{?&9@h9seJIh?M$|MgZjUBkh#uRHiNDTkw%k0A`
zWw2OH_wK3khrqe**3hCM1b*PwGpVD);@2(!FL;mh0Kx6A!r)3woqvdPWE4L$`?F%2
zd8F`y_%as*^nEk7&9cSQIM^kgf#>RR!O4P4;O58&^LV=F|8+hxh@X+&r7*>?#&v5j
zU8)=Pp-<!JwQ#jAK&d(ocgtf@<o<ewI3-{-D>6>J@n6<n+?DbSGQ_rd1ZrGwJY7Ja
z>YpnAh&CtSWHZI|F^1MhlH!xdQp9Gvw{5*9B!$1fFOobPi5ebo5I;TpGg%e&p@CYx
zhn@=F!W4^13KNS5%h{pplr&?aEVob8JcxBMmkGV?x9nhL?H?(0QGayL>{4TLxbU~#
z?Cm(j&%8Or>JJ%9RU*KOK&6XjjsiAjJx?I7f1h2&GXd<T6YvU5U{OPt+bBlg#W|ti
z@S8S+1&ZN&UT>xyZzQXm?M&p4Nur;U>AZuyT;5qn5%sLy)dG?Esh1GiXlljZJq4uS
zvuqO!8VX)kH7318f}FwaWoLycU!<xXezT4(Ul9$oMSpxfwiH(!+!kv){U~Zg#=sf(
zUd%_hWoH4*jLt@KiGYW{Uu+SZhH7iK*iIH;VG}(4s2KZPY?@L;L1?F4u${rE>1%-i
zm*&s6u4UE0e>(It`frEMTL+DY5M*)PEB4_fYQ8jDwK$IqDg?Y;ohsX(G;VI}EDUSP
zy~3+@VvA7Lf@I|4lCz-b8iwa?aoVlTVKh%i#2xYyi8Q=Uy`|{So2iAc$9)qWD%I;1
zw9avY=uZ~*lx$3N#Aj)8{T+6x57Sxdyr%|@P6PunAG#JsjJoxp-e@|;gjxRHPHp5n
z$r%EP-&{CeW3jX2r%kc2v#RIBSm*jZK}iGMKfh@CJybTW;qA}X^e&IP>WFPpMVU>s
z{;8ku8cz1Dq#@aZk#n;qeG4#rC@+IHYnW;|+bk=oeR+}^qZvo%<QQ0xV)48bJSG}*
zuiAoMXNAV76lQhdurOB|ugLKl?Vqn?V)r@!6B>*|Y_>iSdtc}%5DVWgG;DRxSBj^*
zo(kf#onn%_TyXL4Oa7}T@Wf7&i>k^_!GQQMR;22z&b~m6Y!NZDx-4QsCu-ZNR27q9
z-ki_g33_Y#uHW}|y+!K;b7q+;$Js!9r0kn9iT>Vr)sw_;PLUT+TgOIh4$&riPIG6l
zqz!kALv3!14#c+nluaI#_@Q4pA$AJPjG@oIv^$|<_~G2M(T1QuWxCzoZ;5qBqcN7}
z37?s~%|QGhtBzr)L$<yb4b6@rRS?0}R)23a%THAmZgBy?p3@>GB5-c3_Xa_oV$d{Q
zs(v|b=!H%?+_4B+vnz~^0PhL_sduo+)g)f!bqJoOut2;vQ*~}S47_)X$6V_IG8|E~
zTUlM*V~cr8SPW-QY2j1Hn*S?CXBrE5m~Ev$KSDVdXHPwi_Q1Rqo%U3jEyn!AUBtU9
zFR#ijya9Ei9F1s*nuY!yoMm-Oz|O4q`b}>GB~d6n`>2cRfz;Ny#?(Zq5}nsZlXM68
za{*cEW`-sQdvcN{uT>X@?yjwDnh62Uz3>$Rzf-BOkJDs~#-yoHfTl#XchLa1a&p-B
zXw50|InigDuFbG6+3AH(ndxFpQIB~Y-4{HT{Vq2*^Jy92TmEq3`7If!QP-MI5ox{?
z;x#qQJyh;y;B4p@RgwsebWy-)2j0)l#G5^a&(vJoV9?D@p+EJ0L&k*ljl>d?(Xls-
z(DVL!n=jzr*V;%<Vk@ujr2GAj`@Pe&!)%&WXJ*qrFHgSl#WD9|RL_R=7RiqK*OKGO
z!RXWJgKvIs$$#&^GjCy9IqmO^`tg<xPhXoXCwOuR2QOK<vUyEj!Ez%73;{xhi**9F
z#-m+v2b`J_?_LOe5$f1ncf=bo?Ui%6n7i7D;+S~3{dOyus*MZ0(Ua)cCZ@qTOGP%V
z_xAnswlAU2wJjeBUrvG$N7D=H4w)4K=}sR=BmHy&LV|>0{v^7&bB>8u-B7dbI_Q%=
zV=Aon$zeuEJiDk7`j=rFQa4+yjmXQx00a3X_}=ety%z}hB&t61wGG;nBoJ0^#(o#*
z_e>2iDZJ-I%SZ-OtG;2(ua;-tO-c<S-g-FE)m;IVG!J90$=CP$`S5%(c%k3TMg$o;
zynPv;e#r`K^*ml{bA^9e&@tG=m=ms|{Y}3se_-jXI^vHsQfqBX<0YPMS{d(HvU$Bv
z8G-`B1z!!^t|U}kn4nL&W$rDqDc#Tf!mG&Kf(=}ZT1`*R{E1fv%0Ir!8Hf&}tP9*a
z_g({Nm7oau1$Je1)2;JDukqX~71tZjf*$f|$r>+yXMHtrNhVcDSF)~}k=Pu9`eW=~
z7|9P1-(EsnNfr9#2o`g7MNz2z@-HH!97~CmPA1IRjKe^>DC^3xr?#H{y!n>vF)C<A
zu9FJ>ca=&@4)}12veE9FmkAfO<9ft!YR=qpz>ZQ`1TIoQn>K&{$TQSVU6i7vj0s@m
z)3&k((pl2TvS|=D(x9xv8Kjtf`vL_7XSk#X!af@AJZ@r?v$rJ`y&Sx#rQ&np_TrM$
z>|WMtJK6qc#mr`-mvjT%b_PNc^->!Qsw38^G}t{9K_(%ap#W;&pnI)!5ojw}@YA*+
zFVOm;a2LO^u=r=>@B*79(fjn9FP#%xWa`Tby;HU_@PXdrI1lG5{14c~MDcv)N4pzC
zJ6}*UsY%V?G-N|q-IdB2qZ*1C)Ubihe~H!d$Y#84XqL)CRNgF?s@U%(VQ9H(Ujt<&
zp!+7t()Q&aj)+cfJnuqF*Q9fo;>K(igwyv7xIuldJLYE{TjCc}Z(EJ`K{ck!A#myL
z8-Wzs8_Jz4MLE-`VbHha6U?bbk(_--xZgXai$W6CuirYkeo$s4&f_VXMu1O24mn6?
zsq`7#ar=Yy(mlydAr|zB)Ui8fE;1uVXTz2gCwTqtJWE4WTSw6M{!RTNitsXmjnZ;S
zWH9n-mwoU)0ZG)^df;M3*K-ncH9uIEmm>bRLW+X;&8*)5yA*O7qCf4iU}WoOg>PR|
zFZ)6#@?=+ChM1c=t<{VEEDTF-$Ztmuk;CblylPvxNyv4?s4Alw(*5S6-)bwG8PA&<
z<>fnlkDT=*`+tXHlkorwZ&;0F&FMPX9Qmu-1Mab;{))X2G4C^*fP1Ft_Z`<(0YqB@
z<B}MP;)d?HaEnV0WZ%Nzy%}v~2g81qvSTG|@A<9VTt0DPP9`^=miCgTx2iD-ZN{bj
zhG#*<k;Ekz?VD*m77{xSe$-?mfB?5Y`*kKjwOq-XJDbL|KCOcMTPh{CEL(ok&(I=1
zpJS7!R(j*^B_Y$w-@5>$i#vieX$q!(5osovn_t8`)WvL&=Q?CE&3BN2Q~wquK)>ph
z+HpQh!K2K;Nr6KVnJS`br;qU+*CS#W?b)mRb`+p<>{_E1GD(2swP&q>{J45Esq*Kn
zGplFhVl{?TNx0Jp$?koDDzC)jwOXDQ4S6$TZtqhDA}r{vpW?oE?>VEcaV;lw;z=X^
zT2-{o`+8r6iTUsLe$tqDqqfr}*B!N7zB<gIOw*`ciH-46noYxKZl9pN0hs#;=pvNs
z-XT5Qj5q1D-%^A|;*4v`Wm*A+D``VRG#~CSF$3oTUV$Q=F3W&+K><g$pKmQ1f*|Py
znhjpi<E+gNlYmFfV_K(K9>qAdz)QfV)k~9tsih~LQgxD@t(9KDLG>HUwD^=YlGI8N
zQ{WB6Db+ln>ELjI)oT>QiH8c1MT)ch;d#>q*-Fne9?pIJde=Vl>}+R1Wf=|c3x4jV
zN5q~O`HCC?vhRs*_Xa?LUQ;I<shOYlw?kz~?cQt2r;A{1iRc7OH$cOyW4M~qXTFcS
z)r2t^Ag74k0hqxJbB<Q6hJN&3y~n+8jC@@X(Wsmq3be2Y9NV9(yAyV*z5Ba)VNgv@
zaDfJAxnqE)X0jsbwOcdZ12D`!ZC(Sn3$ymzGi2OV&<U9mHFXDrI`ISobYlc!Vbsrq
zD|iFA6rl=M92B8k?6~9VVoF{e*y2=rzhlgX#CT?c_j1hU&Ba<d8}+!;%Tn65-1?j=
zUY}sLj5WnKsN~{-KSY3a0N9_kY|Z8q{2U}koB)S!lB~AABWtRGLIwOH;5jN6o*SC9
zSWFgg?@HdLKMp4HV^U3wtrAXK8ApocKaRxj>u|{@B*gRzQ?VtzpdZXjU+ZQ!shKsW
z!+f`}Y)aspUaRSw1{cAG3Hgr)JFW)Xw(d=;jW>Ek5ID7@aR7N=zSDW(zrg9CNWJ}b
zC~?>(aA^G;H$c^T3zji<+r85K!)5B1Khl>1b{gvigZ8)##ypuF47P;b_E`>w?P5uZ
zsN$XKvK1#6kfdI;cXfa^+CJ5`VWVfCUbGKZa7+jd@uQOWTJUTs;e1l<MSFaMgYjcO
zB4J?#IaGQ&HqHw`EmFt{hqSZk>@D$16&G49o#hN+sKlg(oji(F_O?{@W}OD&-%!%&
z#9Y*GeB?@pcj#A^?QbJuQjXV;k^2s@Z`q@iO!1#->1t}695-?pzv>E%jNdb~Ek>hE
z-ONpr9N=EnoCm7pp5H`eF_5NyaQl<5SopT=^RLOmWa38i=_#q>^pN`c+jy*}Xe#Ol
z(dFY03&u5m{>weVhhJ%=H%POV>&;PLInC;fP1v)&K9FC9;-x7J&6AqCCyB&V`%P1n
zBH}x#0ovMO@$$DjjT};%Xa9Z|-)@FY-4R`ksMFJ4$uJ*+rDN=tDzE2U+l!%n_ttq<
zy<5un%Z!_SA=(6EMu(j{zCop{c*)T?801PFA5978x1)x$vVvAq4QGn+r_S0_hjHUj
zt2?nb=dd(8d+$rS%i;Cq9+|4DA3!q5t9;!$J)g71EA**`_W0!A_gJNs(lPUy@h@Bk
zAsdpnB3TWal!9%ZAUi?3NO4>#UPRXTU8vCZ1-HS~W8bNCj|r~tZ&2MtAUGf2A=gg@
z#$=?`AHx&hDu^XcP(ycR;}x!z;y(=K`vJrhgiHB_geYs~f_ZJmCCX}crHpkyYhPZt
zEj{R*E#H#;$pzssB0+)2?Qvdt8e%*+>CV3gZE_M)IoN%?B=CpJAiDqQ0YJ)~yizu>
zZGke?A0`)~we(j{osP-?D1DhZa?u$R0|1KpB=EM-yj4}SbWr{240-7An{D6tn0K+q
z0>;3fg-YE+L)~eNN@gGbr!Jg8iVBkYN`K4#j!E5Vd3ae`#zZMXqc|Q6C|E4`wlndY
z{L^B*SKdUrH%kKDG`jII)(%DZVtY20<qr}EyJb2zq5tHNB&Eb?@K{wvYEEQjBSL=K
z5Fo0+EM~cAJh8W8Jn20qZqYawUsngQIciTMBx_m2xCav{ST;1)<(=(E@<^G^E!RZ-
zD-&$W7ynRTJ`S~fi$gGb!k^SY_aO@0qqK1cxF^ZjUI@yE#+x|kP~iEhLe@8AJ%5ph
z_}ABzHwrwzxg6a3{S6{Q-#usa?-o0GtQl!)2)@UfH&Jh%)I+!(b-ZyC<Ink9I_!g6
zf#>e+xYn-sq}J}TKb_uqP1o0Wwz+H@K<4`4&j=S=R$r^@5~-;C{7>$PQqnD`tqvil
zI`}DVjdw#Q`A7P|JrX=+c8O!-vl#rt_PmXilT?WO2Ayk~r}y{oZ!QYV{g(A-2eCN%
z4gb$glp#Y(GjFJcmCV3j1*A0BH1`V5_a!Dj7_Wp%Q2quCtoR)=6z;`7T|Bmq*^MY$
z!8>Xoq*_@jQFYl?aQ{OgW!SR9foj+9|A{a*kfGc+u&i3l<I-3KFgQv;or#J0r))5b
zR-((LxlQ$YnU;3aZy%8S9<ZFRdK39{5e>rEKt0hs#LoFGcUQVa5y#QmbOrZkcx`P$
zB}ex^qLWxRE|A^+mt$0xD$i;?!ZGhHoDQO}soS8|^C;%vhFI{RmJ9>n`zt`bn2YTd
zZ0j=Nv`cGe)>lN$F}`et@o2wf&&g|1vDt+I?jwPZp|0!y>pKTFE0YaMK0ygPDde9M
z3iwO>)CnYyK+h49QFND5VV?<6+U#0oTfRw3t$iV(=rp-ku>L)HMzCYwO8D|%6*{bn
zruNcMaNm<!@w<X{%*B~;RmI}d?43yPSh&MX<<ZVhTsXCeV#|Lr*d``RS=kw5bnn>9
zG>m|A1*1W~0EP0<OZtZQVFCfXHXK~<A1S(B^-y`g)b|TjeCa567#z6$)?NCD{&{W#
z1tXm1R3>n>ZJ18=B2V2Rc;T@*H7Zb(4O|_^4n&dB)Bg<sE2pdivoXfcouKl&U$Ycm
z1~rQ_<blt&$K}kNElxSe*QO`(yS-!Va0na;UF~lvS}GQzy@}fcveGH$5AH}t$2$mv
z_5C-~fR8J9N_RPaREUs}CnfulKCVRPQIX7SeJ(8T_cv*y<U{8mGHq>VQ?=<4s!b$w
z7CSYu`NVy%@=k!&EWU>`N>ns;iXP{yV3v%__ur;`+IG2^Q1!%4YL%M+mgJl$3z_@Y
z&A790;kplRBwm+FjCuPlD#Y<!eOER4i+9alr&evZCnMMCB91u%jvs36ez7l$=)7YK
zBchE$@ny_p7FFjGe23Dx1C#}1iU*GJcs$%P+#ayMen43^niJeeev`v~N8%x?U)(Va
z4!Y%h9_+}w=w<%t#o|AFO?hxl#$Dfkvx~EOO^x_Yz4O^=lMu(KSCXhw5GA8Y(<@je
zzrs&A?^G@(c~~LMYPfUjtKX&j6akK@3U+s!F}K0LI<xh~{KnG>_;!Kmf2Nwg)I*+H
zDum>$a%dv3Jr<b%Z5WN_H{Q)r)fObO<cYy33Gu2ZE)|ZBkb3rP6ZB3mA=AICyPh{s
zT>;2$3#a21%Oi^lq?K^Tq$#p|qyu@DWfN!0hK@V1w!dexosq@3b=~XxSH9?^Qe2+M
zK~*2#MVPHDFyBO(%)}*Q3I(84i0`doz^!2YoKM@;`rb$H+XK@+3t{3Gr|<#+A@@91
zg3i8#t(@7@A9f9-7{Z|VKbhzcwM4tshc5+bYiNS&?lX0SX|OHtK5l*C;CsJs(RML!
z@A>CT>Cw$zmAUra%~gY*Kwfj&m&aEFby5XcN*wsk)5OB*Po7K?wB+C7Gbv*pSc^lO
zd=pMqF9M^$9^Qi0%fOHO_dIH(<olBApb{)H-_S{s{67&P8Z+{;z_ImwHt;IBwzeiG
z%SMdc%-ul*!!q-n^U@(n=G$?-9A5BT!x%QfMLmt!w;>T5L7QhS2P1$x*GcmSoF6;Q
zqE!x}1U4rCLA9*d@{+M*tWA`W=4hudeoZ~#hJ2vGHaI}UcJ0f21%tU`yLTA?aJV0R
zB9oWdA@xJ!DIdQFYIg;hd*TU$_3~E^S}}b6yW`yE>LX)GSGSKU!cRBzxen4KOU4<{
znPV+62rrUEbk7t{Dh!%WL?u+rDUvrw1>rb4$c%8fLs~ZXW{`q3#yOhwXh$ua?VQJ`
zO|+_Fml#pY1!KK{O7CCH?VbhR^+>8nIIYMS88LLEM;O<0UCeC<`tl~;Zh5^xB%l(|
z`?~l(z}$EnC*xqy?A;I)s8qz|?#JR>VSo_6Bk@_iq8BcvsbU2(-kJWkMnW%ABg-rB
zhgdHR1_vvWy}Z=Y&uimMHYpW=hM1J8Mc(C=JMBorZTo<xs?(*yGLHjSCb2D@Ekz(s
ze!w~pUm4I>d?w%tH0?lU>g^>Gh&A>dHh05n(a<DP<-m4hg-Uiq$xf%ka9`5vtMzzf
zP*U5?pYrsHI#v)2hWYdxCqsw*JVl|I`3SUrif%>JW~ggGkm&J6UazYUuO(>9)M)M#
z8U&l{nSpK`M%3(jsa{plYp-W2hUd|aTV4Imf!LgBhr(7qqwXXJ=JQv_>!)+8tXPS9
zM!re>3+nnOhEuSHOs{5WPpw(<ZXjJT_^!Sm>R<aXDtXHdpXzJ?)N)<GP8ycax({67
zJk)jHG{bF^Eiulq^8ExBmxK|S%NYY5>mD~8J+OKXe*xnD%oKq=lp$i9?6OWBCXDO8
z9C8wjv<*kB2=A2wF8GpMKMC!9AIaq9TCndq%V>a!!#WaOPg@#KUEr`PHt;TEQCZA4
zeZaQ^->2V2S`|$C3BxDd1|=d6U0NQR7C1AX8dE_vMGB3#(stfFJZ|~zLwY{H9P*y{
zPHd$W7}|#upVuEHwUd6&ge|P7?EO1{ICg5lbYzR`o@RKE&WBT7gKVjS`xzhlp`gv9
zqwVL>2^dCj>QB=)%s9BsyYL?}+fmOy2Pa77y`n?O0rp3{dv4cV&@a<(a(4TKp2F`l
zFkh3yF48YX@ACJXZc9aRe-nq;#vC;5^H<FZ^6fE{<Sw|M=gx8K=&Mj$8R>{OLILOq
z0lvFh1gTCti%O~TYH4|!ZSJzFtoeNP-s7#tjNI9~tspme!BQn-3cyO=z!G-RdJ}|c
zrz47Rx~5Xgu82o<5O)Mqd<KO%+7OCVgNkHH(<h(z32vKO21+g`{1>CkewDO7)WsdY
z8Y+8Jg=Qy6_pxOTf5K^F)JEKvu=WX5sTC(j;pU=CdYr9(_8jd`jBel(A*lPK;$v`{
zch!sXRT~;fPZFNCqo4qRy4Cw#a@Mt9XRdiQrE<{;htGw2c4lYS<=wryIws+~qjWI{
z*$6nSH*i{>L8lT8@`up+(S`?H*tBKDy;_!E!;i(C?)VptuAv)mE&^~lP1K0+Pw|HF
z%e{CgBB~p;GA4xw_<z2}y<6#!fzsCx)mEM)jkR1aUeHf~$fqk&(L%yGtr<W~C-eR;
znSR!a+J>7BoyA!%2Kh8Pn-eau{#0rB&t6CB4eWQy_|M(ZH{C3;Xz1-e$hd)9ewv~*
zo(fbc2>z5%kaWskE_4|4JJaa0Fo_#YnT$>{r~*!$*S*j>dDd`eQ@7<+?|;Ol9@7y|
zpf1ni=(qf^+Yio(O{U#cO)oufNlRREpuDkWV56NP$~TPW^IVH$y~Prv_{5##ccBN%
z6~Z6)L<F+lM12mnwf(^vJ_&B#ZJiR;aC-5=iq7ZJ>PJ$}wUy@yFmFSU6JXWj6KW=I
zb=e)PcL9C?epCLStHIHmH$}p(P2B;rP~N?S3js}A{MTE+A9-NpRH?g<!$Yxu-NUGV
z9o!7gdkPlk^K0~bTtD7-Hgb`H`E^F#q1qAAqJrG=pHDsQeG|Sn8%Ze8S-u=(I{zKX
zqA6{Wo272`(0rqL0{3GI5r4~#@}OXT)w-B$$k3TWf$0tfCMKX5R%9AC?laR3MrS;w
zjuHN!>j;yqmV4e>I$vs_A621Jd;CNdT3n%HaPB0(Erz$7#7HOP<ijP(SB23diL&<f
z=A=-3JY|ng2Rs+<OHWUCruw!KYxMqxW$T40aZY7-ig0@FrbVs{wfkp19%<DYh1M9B
zp%;U9DjtN&NmdPkoBP*(ESduskr$D3?gwemX(fL!0CSk<-lg-WWn-%Cmir6c-&t_$
z`FdzIkpOz1x{Lm8GRR!)6IDQe*lgOZRZF>=fD{Tls0l>^z(xLMwovKw(CHhgAHS}2
z235z<NC0^(o5v+D_l2GG=b`h7u7OC4IIhHt8p%dzYyNEl^c9uQTJ&N-NiH{1IEfqO
zrOC*R@SC<i5ZN>Nte3MZ$vtHy(OJM&oQo2p3sZklH!9vOOChBHxZ`&Bg!R-<V(`59
zcFun`cJ<tE&qwYgV8i0}W65!&N#6wS{h#-hG>fesjvAs>Nh0OHA|oGdzj=ZY?~UF7
zG03V@A7Q6??71$Ih&E35LM4Ad5@x?u108zQS9@X7FZj$MVwOD9ed87On<4WX28@ED
z=C{z+>N`pRZs)Y)(8ytlbj5T<@UB^S2jACcWp|oYvm$V{{SGpf07UnkN^*0inem@e
z^`yaHPd+8P!aL4h<++MkTV(PY#zkM5nO&fm{9NPNNW~!5-uFBD5<h>cWoQ6Qa7$!d
zs*W(kj}4S4vz=iWm%iPa!QFv*8eC1+jC}>%7K1k5jDxCR^)l6<x|lP-bP>@jm-A-5
zoaM;51E+B})a=7CjRf~Z=zlk2Osu)4)z$@E@p+nR+MoKAH9GM85osADPm(TF$DSx(
z3Yg%1&pjq_NoLG;Fjt4u>TyVfTbN2LdGzR$miF(<6kEQdmx|b9e`i;*?@K;Xha)1E
zxPJ&mTD1c6E0tFYv59Ff+)f`>XZBEhZ2&43)W>n~@>JYsQVL=GBcdHszzTLzm`oAf
z>W;v}j~b7q7BN$kLtlw(Ut5bTViM%G{(I+t&D_Apq>*5<+_zM}#y*Gj5jtMG01V}-
zc~=W^u2c^h+<%f4^$`su^}qJx1LD*7SfYHgvkg#c?#OtYCiJ%St9&D=m~U@h7p8(U
zP|jym`L0RA@FbOqo|*CuGADBWvSVl5&o#2UCnVb6Y^E)2z?`T1?s7RkoX)#UhSy9?
zn49P*BxfdJt-E|r!>r&xz7CwBP}WY`NTJY%{vv!+@=fmiyW{mK=gW3>w&zz(?KjZy
z37;NI-A;e0hWCrl`C{G@MaK4z=RB;GhekyL+HVH_Zeafnn6pZt0`uzEqbBiljppe`
z+D*5OWv<(&Wlf;VRGHfhg}_9`D7k}pt3+a`wtf??wW0VgW9BBykxvnM)ig<2F^*GH
zAI-Kh`s4-AF~5}q{<SI$i$fy8fuv38f20x?EST-w^**w1SM+?*npsH+g*y$O!#@lM
zafzNs36(hyAVl598p@VTy@uyKNChmJOGdN9RWpSZU?$_s>XN3o9aXhYuP65kUF?6K
zb<jOf@BVA>u*{YtO~w7N`{Qdn#@s8Jw2;FI?gJj1H%Ml|=l}{;GU5Wgee-+w)~3sZ
zpEg)(Eyt#%CIp$k9O>P9R5%UY$x+5;64IBMg58jgw-G(H>0aERr9J%r7?$RJ#5?Vh
z;$r%m8(vqntLKK~BuPXca`WD{?m10;rCJE$GdS?a(%V+KFpg_Q?T1%CTdJg8+QK_x
zQb(f_koM|vmOKCRpA(^Yf%N-d7l!RO!=1I=`mqnIlV2|+%BHMI)mk1@8%+q3lXWD+
z_FcGp+Ao))mmlsgO+R=aE_pHwKQXDV#q?Y%Z}mdVk9GX#=_r@~>x57#6DFWF?^I+}
zFIA9RpH+gaX6b*JI$U<c8*uu<>%pb=Fltd@)IR^vpQVu{W=D||6^Vu_9MSy2%3bpR
z>*QDjSeqX_*EGOw%;a7{3mnuCu@v$bGXJK<85YY5wpZ)G)v|(}ESo-y!slrtX|?+e
zqxAB%w!}RuV72>C?*V%ibp2Ib#b^-rez8Q~NyPXb6wEe(5km)Y$?v25SJj4_1*(s3
z6q*h@kU{)zf3z3$3l%H7*3FN|R#>YJ@XO!)k3nySp+^sgG!Y1XZGclnAnX+t;qQ#;
zD^EmSvlggz?h)WV73#p`L*F^Br@b2+62@|M0z3o5sT?21r7kfo4i=hq!6?(5POE$5
zvGeF>8&dN1ef@vspIXI0`C>qEg*ZCY-Z$1g2NWIh_LsEcH+GE4yPJ;mlW7Xqi+k()
zW<GW`F#v1TeVrC>*htkUshIcXJbj49<v0{WL5eozZU5GH?Em$v93x9dZ$zt)xo_O)
zF8S-*U;jw}n?WdJqaskCd|y^VJ@fmwCm_8y%d)X{i<5^rvguc+^7Yrvgth)-CtvDH
zan-Ur9<eIbIE71->wOq|9<WMeEabYK?XeZygKE9d6(M6Pg-4dYUQpYgNcg85Kqcrc
zYQCcA=4*M*zXpfWLj7S6n?2jQ-)~+{i!C8lJc;;@X?Z=DHDa!92|ho}(x?VF+~7Yz
zqe9+%a~cj>mcTM^(n$IJxt>C2+<1itRujq`@MfDJ3XCV=|LKLa56Ix_e<q+|G}7qd
zt6A6jSN>1i|Db>SiWweMi^|J2OLTp|p|RaO1Or_UMDodi&w0nhvGIkIRIwT^{;XMT
zx1^{!Mg>x=;$K5o$rc`c7(M)MKeOi1iOl9<zeX+xUteVu)V}+kRP626w&m9_^<UsD
zvm)e+<$+3WS4+lu)3ur=^PZn=bzkRc^$JBe=7h>R63bm4wlbc!!t#DT<bl}LpT#5}
zMmevJeWil9X-og4)u1Bh&ROX!bVgYzI?8B1XT?-$X*!1*zEQva^kPs_y0QX-F_fcT
z3F1-xneKUr8(5BDspQ|p)ye#uu$U=GBT@am*~#&GTsYqxS~NkAE!sFUzLU^Q5V@FH
zaERkKxdj)tIZ_R-E<2Tz(r)r)Q1f4bqB@(FoQ6=E&swr+{?4p9SjvDrb1?8&bo=XG
z3=pwPX(ej~rzSD;kvh(lhYROayPkX5_Atu~GgdZaHVvn+8bJRJYKle(*WWq)RTz8w
z{BG&ti$YpDlOeg3?A*45pn50XtC!S_$aM$7yRSh0j^T)i5F7yw=op#yoaZd?X>a~o
zSZ`Uwic!(xujf*o`;qPecH!PLGcWCezcz6TVJX2Iu-?@_divdBquP0MZIJvEDjrsz
z=#BMC9ERvcl52LYk>x60J-@8}q6=4Hwjc>IydM_s<n7a#&eZ<LGpP2^`iHU@HL!C?
zK73p}Z#9iD@!ryV!#5``J+p4&=r?Unm*g5n>}taC1XB5P<KtI80uvh}EH<aP!ZxSd
z!Zy5}M9+QJPAYyf(HzMyUW$pyoNhHAR#j{Wm56>Z286@Ezl1**(m;7stsl~`4gNpc
zq+9S;H;??KxV``iEKI@R4|H(`$!o4XDl$lps~E5IHPyXz8COL6a(XFV=B6s*x_HKJ
z)<~hEn}e!ZTMqn*hXlCghDW}1EXIrrOk70|*xXlbm30<__^}7`pkPAIQCJ_6B5kn+
z?b);D$=7L*IUSyU+n>g%TVH?eRzJlo)05vTq<;*@s4}0ZZ67<E3i}5?leJFp*G(sv
z<D%11)c=E$>0c;e@BCgNQS=ZsQfc^_)%wEP^-_c+a{~93M=`_tG(nNy=eKN3o!K!>
z<%)&KF%J!|m)&%sI`AvH7U?q<vyw}t;nfu1i#@-0<Cl#~d*=zRP)`0oIz2l-<@ce}
z*vsd8IQ8!dnV6dTO-!fq(BfQogWQWn-|dpU*bup->j~&U@@y=7Jlx^(bX=;(7&I@d
z=hj_&`CcOeYW^gO#B)$b(2F4Ym2&-ph1A<!4Cbc{tJao{{kCW9ODVDcK_<!Zbz~!G
z7|!aqZWlhWcSGxWm}|VY$@t)0f@6NYB)!T52w0s#fLW~qLZ>|{g)?KG3*kw49Q5@P
zOJ@;xn3}HjMS7x6;M_`DWuU~N8zdE{Zh~V#eLWQZJK$j-wU3y+n>aO!40c8tT$&IK
z@T}cL4Q(h9HZlNtfk2()a_G1-Z1cf4E*%it+`5->Jy@7Co_+fM9(6|T!P@DtX`RTr
z#p(Q)jyb#my0d;qiU2qA-4Qhsp{mR{6vu-MhkPykV3Z4(=%0RDlILKEb-#W@pG}l+
z<?PZYMG>B&u8Eg@#hR2LjAVD6ccCb)aKRtcV1h~osoCc!#$rJeZy~jHbh+_bB&||U
zz65{GbJG+uSgxkOpDL$H$VNz)T<FBK%A3|}SH_r2`K+~UY-mz{bHyc*3zXyQSI1+D
z8XWJqrwh0{+siX!eaf0t7K1%+ncWX$udA))HR*a}fbw#5G-V0dKT(rF2pUH?9hE*^
z^=O4{3?=tIAzzg{2CoXE3}DvYMH)@jhK!0aP9;imkndto18;H}k_Xur{G$Y=;mS3h
zqe3&H(^z<N_Xga^xzzXOH>B@rqY6@J=>NJ)4fmuY`Djn^hZ}wc)))pZeG@LUQ}pYT
zdJ<j~pBxqQj`*j-bg>7c{Uwgt<Wr(pcRGb=ec^(EuQy}j4rE5JWnkZbB`#GnD3-98
z>0}CDl>`LjwU-u2t!`6<Pp+I_Le$$Dz8SS^E20ufh(=ySS&ARWWqa6Rz%8za^u@NX
zoYhh=&&_f?Eyn%D+|1KzR}tZd)oQ@v2B?M+9ntI|JwUa5zf#I~Go-XzBK5x0=_>bX
zcia4GbuhQ)P#y4Mb4sX#*sS;b@SIp$AyZ8M<W}gz_r<<9VIgFxXPIWmhx_~HWjg<D
zMn~YF<jLK501|eX3<wYpJ0I`ZgV!S8KiC6qtAvi=YRK@m7QHa9rQ<*OQgxlM!?nWL
z@=@**m5epwD=Y1!Nw8w_RWAn0g)|sN$>ED8Thkjs&Zv$$ad#B@qA>F|wESY}++yCc
zKDO#!-18`pCxJ~@q07jr8>?f*-0Ob-PmYw&2}3ajb!F|D7DE_{Q=A|)Dm2dSE*d+}
z@0ikz{hM>s5<5_Krz?K}^kM$`L19aunbL^Ny{gV7NAeMFgC<^M>WI0mFIuHrbF1S&
z=Diq?;bY@BbBA2->W`#nzUgmw=B6Q^J+tutJ?>6OCpjB`@EK8(3+wf_Ou0b0B>e+w
zK^MVS%CK5k?|tXhTJ(n{uWi%8INJMT+@FrL;;vmc=X-vTS8x=Sx`3O`sLqBNEdfqT
zmaS+<(s;(n$59pcIb5|>vZSOls(^wAwU<$ta{OjsWnt;MFy&-8uX6PL%hU?-2p>Ko
z+yHg9clVz^+C@|6-$~&>tl>x$eDLmL%rm8w5^GFI?GVbYGwW-PxMk-iTuj7YL!RKi
z;pJ(kTiTh#*qI}@S(puoY}R6Wf_b>*6U@r?+Wc>deT;<{ngG<6S3%sZ<6MWpG6U`i
z)H_e(C0CWk+E4k6X~;m>R?kRv90Sh8oZrvxjt|{lgy%XPk~?nJHEv$_dhQjD-%4uD
zfTH6&uYOY*n;{#59alP~?{1}cQ;~;zhXH*tgyWl=HUB|~k$nz3YRCVzI}&PXl!iKb
z!8ab4wtU&xy!^|<y~ug(Fh?eNmzwt=PU(1@r&CJpCsj$AL9NBB9GkTU$*)DCc@sr>
zDS^49>`|(CL`3(ug!eEQY`ws<P$~W*v^NXo^sO?MHl{Ij`}L+HJ%1uk^_nXH@38<s
zRT*bLOXzT|<;V%$qKkAtt^z!r&)nA(jv9MkxrBnap75TqO}6*x+`>D=ccnIFnJ{+}
zTbG$iLqEXwc<y1N7%MBQafk99Xgka0_7JxG^$o`ZZCm4l^J}9At)@vHP|vnUlvot+
z{bNjIqE|+IK`dxeB<dFqz;|MN(BF~{$l<Tqwum|}bMODj@+{#_X&E*+A9xdsp6ajl
z=;G`k`!+aedCsc!eM97V<TA8PdS_JJCeuy8OifxB2id=`qX3D@&HI~Uxp&pqV$?bx
z4=?Co`^8tB?UqeRJ^Q{~5!=++Pl;diKo$K*pd}B!CCy-U>Z7*$6i=^-TpA(SCrQ0t
z!TR+3gD$mD)wd|`j8ZcjJ9J@Bkyf5(?Pu?Q`)(I$u_?-d@jyqI_TieMjsKw|_Aff1
ze#h;;a$$+`iYs&vr%GNf+-dv1lz>|#hwo``yno;1lXoyixQYM*;;LCz!yPCGzBLg{
zGE=$d3%cCN3>bOsvHG{*A>i{%@tY!MU{{qL^gUa4C|^9#@UxBrM~yB^-GAa?nPZjq
ziT%F!-Op*&u8y#u9xEAG!uCRR!q|Pz^1dMg1Me{&X_Ur6>1=+J31~j?BxEhPAWAM6
zJ?i>tvBh(RpQzK%zI=l}s4gKX2_}}n16|ay#=d8v;~CaDy8+ug&=1_j(D+=67zz>8
zDPma)PtFmxg{BYdw}K6mIoqg%$_*Jo5th4|^3PQn&NGn;t`L(UM$_E@FAG&;;8UQP
zg6HRJ;E!2Qt>>}XG7cTb&1-t=#vxw{F8}B}kx-L7e*p!yk<$hGDgV0n^T{2X9$O-N
zc{~m{54<GEwNjL?TuBC!L0v3~v3+sR)8h3mGN{)2x$(0ztmj2>N~wIu5mGeKv&7M9
z=~QMU0&WB?2;Z3i;^Nn$VFfoO3!xH1rRRzW5j%-J+##HrvTF@hrr3&*t;kfqMp?hx
zA@bls(T60Sx0mwyT7qFOFAthJD8~L<98JyfC>1Gy4s2#B^e<O?`<b&GuXlBp*W<#M
ze?*t@#WIXAvxisBh6nf_$MQT@^??DvO#JLaJ4_FEdn1QV7l?S#Q`~<`lrdJRn<1U6
z^~r#3M62l_M@N}K12TRPw?$c@c+q2f`P>r(8G4LheYhsVZ)i^$kF)K)=ngF(6(*x3
z&sS#iWb(F%!T=3hGQ~|YZxt#RJf3a!s4`X@CXXTjy({+2&nqCwKPnP6bxpFR2wYI&
zdkJ9#H4XFMD1Trr=zStg!Ac=W!GeK91gm3hD5k+8K7~BuGwe&*FI6@Nb-x!-;J7P!
z`km1(@k*7{@*vF?%{RtD@sNo@WtRIO7v$GsoD*NMi*vc?dpg?TND%~koylN=5S|3V
z`x+p#5K&FfsE?>qqBpVE>C3R~ubGfn4KHtn_e?-h=JT7^{ihRg_v}%c{FoFd4a9Bo
z%aXZhol9jN%+GQ{NjVDeaX8tYVJm|5Anp@^kozyi`31e5>Pt5NH(j9;K>cN<!C&DT
zmZs!=ZHJYt26i29$$vS1jjFHEnv`aKVz1xOw|#fh-AcaIp_|Pk<`Fq4V_~(XI<B}r
z|2=!Kq{!)?G6$_!J?a@AxbkAl&I*q{Eg_?J%hvcQ!gtfp_%YW-AJsOM|NSWOHA)+e
z@vXo6$Qt)_Xv08tdMR)Qbf&Po@k@R4bSSJR*@bYF&FX~#ROCY{=?-yW<XIYG_4d_R
zcG07HB)ujC=%&03spbbD<KtU1()>Og`>C&$NClkTv9Uvd!JR-nv6YcRaAX98M&k$X
zA?iHg4n7&)qbR~Cv?#)9Zm5$qV<JV8fvjp^-<_|#xW|FP1B7+2lxsd)%%wy+cjC=k
zy5^`Rb3X<-(fIiILa~SV4$bt)_JLSxq+EC+AD-lVN!K%wZxbLt)rJKnjwdz;2F-0H
zGAi8&>wYSLJ()_pQO&)2`q@u~bl7(vAH=>TjP-OR(zt|&AMobwh*lG11(H?637rxS
zEnQ^6(~pAS>2Z%0kdzz=#=k7{FRZr8bs=Kk4w*t7o;sU5^O>zS^>V9jljqwFK4XP`
zFycf`oasYS))@23V#;%3>wJ8}_L)p<@K<8!91GnIShWo`F}}zBlpAFfdYv*{o;2Zb
zeP`2BzJl-3v{QP}^M8st_kT95K8~;2%;?lo33X}WRw5=Tji|OHqM@QLA!LM7$|Q9Q
zwza6JzN!d<>a$fdaZ5#%l%kA8-Bmj@m3E<|721c*v~ET8v9w;>^LqY*=hySYd7bb1
zp6~1XI`8v2p9o${Pq1s%Sh7HyA5)vz`qZ+FnhJQ#BdZE7*!hdDh})m;vbK%|QnjEg
zLGlWAgzxuHg1e&(wjZh#dyIVO<4g=B`3}Zk{&Ji6(qUswM&JBZ_3c)O<Ju#-qiJQ~
zZC({jZVXBU=2KaVqN=y&E_Pqc3EB!*4E}qjN3bp7+^1GcTgPLk;U=RT^3--OBNute
zsp~O{GKz=87ewI{#A+`JV5WnwOL-mKp<p4m2Bz4a4}M`P?E(zn7$Sif1@VxMpZD0?
z>nhn91>Je90E<0G$pyyFknp`A80bLIODDS1J7=RV`(%)gvA>R0;Ed~u0P`4YPVLuM
zzxq%-FbullgIrE%P`kPxf1nSHw|-=UDeODERW)d164x}4&@_TBSvWlLI0|y<TzlJK
zpSFXtY%e>+jH56^?i`pHhSs&eogRL%B^&pr*d6IGtm7EQQ3@nNN*$F@WJ;JhkiFW#
ziAc_vG+Wa&`6XJlvj5JNZX`QR4%J(^5z)qR<k0(dMZx!COEEt8=j^KCKYe!>3d352
zaxt?&k&6|WI}@Kn7@l>nx8I|sYS1&-^58DQt1>z42&t`8on}yfdH!1Mk0-Xt2XDN#
z!(CHA@w8n!e<~$Z(ut{)S8FM4zrzgwsMHfY!%Flm6;B?qdjr>nKgboiPu#uEB_Cuf
z+GPkQw{@GOxH4VuwuG7zvhub#3nWi?1Vs#K)uS!dP0B!txmceWpHQFQ+LyG!cQ}j(
z-WQfx+K7aNSzi$M+!rvo7Jpw)n=qa2uUSs``Ey>QP@ONNX!yzM0%^P@8klr*TtliU
z$}G91-V$FuIi(3qoW050ENRb=I?M5s`U9F>$=J$u_0|qgc<FNN5XLujsc)W6A7Bpg
z{pisTKKs&#7-0PAr1+M`HwV}^yqaH^)RGlM7Z-hdP7%<bJXLYhSQ2UKPb?NYV~M&H
zE^@zDaC(l1kM~>yfw$#3>*K~Xhi_CIPI>=I#p=bw7jzJH`P*{wb^Js>eDQ+HIv37M
zat2hj90N$-N#eb(o2`>Q_l-7Nc3`>~8v%pk&F?s8groNYo8|c)Zqxs}M@sNafT`pR
z>DkVg<EoF6Hk}WVQftF%Zg=<dc}IRgj4#^HcQVC?AiIeS1#wLHy&2qq|FS6<L`tsR
z509=(r-d`}R(gG{Eo^leQ8GunWGVl~2-AvEaoHSU>l3i`-_Sp@d0e46+~SN_EZ!ok
zajUAzzK@P!A6p=iQhT&w;z+Pnc4Gy)(f>qx|8Wya>(hi0)l;nrD0s(o3#IsOoTcO9
z>SB>^p?DsYlwFr0vyIN`eE&x_^MupQf`XUOy$~(PEwSn09bSJrm1q%Gw1_`VAmGBn
zjHl&tBG(N}nhXL<WW0RekmKOaw1wx~AIT1p5@ql3S{Lk1P&=j1C?9@}nSP#lWD?EX
zwRWES+;ZbmP<V<43G;?DR(naksMdcKe~1NOsj>31+!cm99y!G*b7@8qE;GXhjn;0a
zNpOAs;KD{TfR&7vos0R_a4yeuEKRsZ@9hMJO!s~;+Gkt6;<EP44u^R0Nk({fQI&V(
zciPxg@X`O6i(aW=1q_wK%}5${UKpTh6%v;{Z|CRQ_c<7-r6q^%hA1Ni|LfC}L2)Fz
z!UlmD)<J>Lw&$On<Q}`>J=a7yCA0wNq0u;IjMdVUR7xUha=eK&8t><9dIq&mIw5nJ
zzT(QxXcTAml$LFM<)JORRy7ykc^qJr=x(MLOFdAq;xQNdjB64@)Z@P<;b&Wi(l|`s
zOoR81s}F(t#`LE9!?qNVRq6|xi{<&}^$R_`h&(0ns*AKG<p~1$HTx+Vl6Fm;B87uh
z2%&~C6N)UQiqnn4DwEc0j!tT^YjluUfMBwIsn27zMDjrt0d;5GA`+BI)Q6ZrEPtka
z`ie@R_HcZuNby-x?oTTB?sR<-A~~i3lx?3zi8k*?iIPl85FJpe{B}8EIX`QI6J?o~
zRZuK1V}7>-mKO}(6O1UKggy7};D|2eE`@HU^W>7kG_ujo>;YXHr3C#PJ??t^!QCHW
zp|S{1fAhEB5ivvQ&G2y$^#8Ix+F25;hPkZ@xogqiO(@V;nniu)hW9*Kj|<KC3zJE@
AYXATM

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeCppExtension.png b/docs/GettingStartedDocs/images/VSCodeCppExtension.png
new file mode 100644
index 0000000000000000000000000000000000000000..99f8f3e6965ccde3ff87afe444bc9416ea4557f0
GIT binary patch
literal 18001
zcmc$Fdpy(sqkpBMB&3YQTngou)Z{iFcPgZdTtX(dY?j>Frb5VNNp1;+P?7tT%S2;x
z%_YXL+^=&RX14Kr^ZB0hIOq5H{r~&Jb??jT{(9bCQ8&$uc#fVvx^Le;9us5zTl@AM
zAOpWwavcV~{~UPz9{91}`<9XJzONl;W`REry6Twf?Aup@<z_h^0{%Yo*x1^8-@fBN
zcfa-%k@*kz?K7A%(bu^XU{6iwEI-qjy5vv6(>4|c{2{g88w-oUqz8`s5A&bp(-Hs0
zwI5Rd^jH1E@~8Y=P0fO81Nxz+7j+(nnMfW9gI^NjX!`rKN4=QaWBh4}@&lL_hRU=H
zsa)(=(eln)N>61jd1G9wzTmg!zI@JD+$pr}VS|<eJA+^I>2gVg@nzAB;oQJaT`miO
z6Xd;r>Gp;ZaQ}XKMWRGu_cIB7)Bi7*#n_hAE|j+B(rcH{?u^M~^QDj-W)C4spy#FB
z*Az<|_m6AOcv0^kOeWqFd;ZZWRKZy`nin;y^7;C1-E?Ejo5D$k2hCG1I^Mi#q+50S
zFFEY0@3p6U6^?P(vV<#D4n1isP$~NzFDqsm`OGTv{L8z0x30;c&*7|F>SLaytMp5S
zlOp4-vLSn)L~ehWZiKX6PPww^^33kAvOsmx+yC66bsm>&?UD*JIqZ=w#ZQj@EjXx8
z&VuZ{E^;J0j{wnqGYJ|lK3=WpCW3e~BPbO<c`ZT4-0XIqndy8%S)7o}#gQ0|ad0{)
zmgLnq+1*f)Y>q`NZ?Cn*MA>mDBa|(6_Mg;Ulh%^LF%i<$!sWi2h4U`w+dZqPNrLiL
zuNG_RBWoll>_?f5fULix5n!{*VLw~-#c$)?IVK4WtA{aPtL8q}KM7u{^>^!us;UwW
zvph>6Y-XLRkNq7N=BX-CuMjq4P-PFV1Df1auAo>~*4U`wf?Uz-J_ldJL6?@}?sXN@
zx!Jktugr%27Wj0u9h&XtK^iBwSE<=mcD>dS^z^wG@AvCPKL|p)^`dn12MC&7Wq1IQ
z$D4(p1wkk%nh&jAHIE1mLET(4917WCyGJYFxX?lxi{G3aBiKBuLpKYe>5TM(FKMZl
zoUh5^37gMp;_BLxf@bM_M~6J03uTkS`LfbxAC(OM0z<!+v`nmZo!9uN*Pou;@z%?$
z3bWDe)7r%Aa}qU{rk)?Io^55*h%pvkw<uC^?Rcl-1=rk~$!?6H`S#l-3o6*W5koE4
z>z=vC|HCyC?Ke6;@30f}Ruwt&s>ZDUPrKV}<i3v38CGN@0a01Mnk4Hd5jNvebqikh
zFh^j%G!>CiwoxCx5AVKF`{AFj0&|+)O$G+X2qzjzN7qcWwY~&1sg>sRA@9!j%jk)C
zqwd+f%#1!;WUV8v&B`HgGO@AEC&RVvotlb*b!pCWqYN>rf3~VB-8f)f#n$t?v-(tu
zQ+J2P(wQkbH?>>^Xaz|xa;$y{w}ifGk1s4uc*xkz(z)H_b`SJ6?+u5Pz(Coj#1k+{
z2rLFxbWOYMiHdFA<Ix74m0${*{!wd#BvoE`RAr#eZ5%7?dA%rG@xfG@@Z&J%HggF)
zc;~}yjAs1IoNJW@yq`aTfCE;6Ec(ppl6GvL;VMV-z?TqN(XwsVp4hUw(?^Gao`_0J
z$;RDzhM$|9_U=sAP(@Qc9OMW}*VW=QSDSx-y}<RT&uyG{v}K`u(zi-c4^|!gilivB
zTMI{K?<|pLJAR8$P5FRCyLh_Y3rE`f>1;J+&Ht>ijD&%7BRzBF2peHX1P1NXY8exS
zFP$ah^Qng-(;@l@kHhG`FXr-UOEt8^$T3Z}Q(;BlQR?T0+eQJexwZpNNA2k4^!N(b
zO5+&Wq1u=KP9&I{?G8DK5#wngl4|h5;V7Amt0_j{;E<+;fwCS~C@ocj0gYA9|8h+<
zDLJ{s%6lg%gurifOyC3FE-=u1F&f=1Ywi%Jea7~?AtSK5EibXm=PwC$06j%Rr<d1P
zmbC~OOdIK+h4VN6fHqVMzyfpr?Ix8eSoN^86jyJV>-`f)N%jxVW>xnmB`zBsFh8ig
zAGP>>`h{QN<1PcxDSS%3VU1OgC{S)$T&=hs!3z$<`UrfqmrpQy3o2FHT+Vv+MEauX
ztJfVXi`7f^3**?WHYML>DNCqH<)t5ZMi~hO^%YldPp+(V0%!6w)R%v7MEi83b|!G`
ztKN=q=bGh8oQ*bZmfY2xH+e-Qdv{!iQ4{(dw63PL%Md9e^z85%%#)SE#%X_l(na+6
zqDJ%*D3hZ8q~n45Bq?N$r4nu4GPOZbdz`m6@rV26S_8e>9c806Mf|tNTy8Y_X<*mV
zaC3)e2|OLg4|!<+Lw0lO-7x%}YytL{>d7^|9t~0wJNbh)-N_4d7_Tsuh-I|-=FP9J
z&9&h~rMjPtCUdI^1h&6F=G>kPA}tu{_LBo@ZdP6f+uGmD$c(<(D$}0)EMHM-Nojeb
zeHDFU!ocepU0~fL)tm-e|FAo{YTk$Ip5*0v7&qXWB+}LX`h-hWiH=X2xKWHY`+GKL
z>j3=Qk!f8k)zY2r>1g!or|4BdEPtb77~gPPN+cpfWO#0C!9>pdns-0rp?SeCvGe8e
zxbCTZrIz>R!K0}|>4HCG(tU2Ne1krqO#6OT6d+9H2|G7@zm0jzANBSA8A;Nn#rdq*
z@k?IK3x!HVsQX`6M-w9<!-l?=6t~Ni@5^DvgrHz0r~-x90S(c&im@m#ymK#Glj7RG
zO51M3@_2Mw+9FPE9NBo2javM<6~2*JAq7<HiG@ejV26SJ#aXTgwl=pSXE?z^<t1yn
z`k9-bbogVH!hBNMszuhX@awaoFU=Qj<V=?h^8H(_{AdK>!58d0IbfalBR4d_RQ3i_
zc<=@}8+twzPxY%$=Y9~T`|#c&my*=>Cf+hKV|+{fZhyc@vRF%Elp05TWGvbcLU^Dn
zEE4CPW_+W}ynry(m^Yd5;>T1E*#;wQVP|+Yw-#N-y5tyRYTv}tN9!^!?O*x;7vt3j
zW`*J-)8(mIjC)kO)pV8+ziCzb4YIs%sut9Qs3e&_fRsxU_)j@sQZ2(F$cLH_(tmch
zi%>u>yH@rAdxuS+hO-iv=Z-AYUbbg3;Vz%_Mh<@;!U&T7SuXE(tG4<iF@amLx$y(Y
z>rAi&ar;Arn2inO`K3q`CE1l&@Ry&_78`81%H)@Vfw<ME!mhUn-u1!N)aGP|vUFlZ
zVMU=el=%H(Zp<Ii#9z#?t8NjE)96wM=a?*-lq9G^`W4y+Urtz9U^;K0N;d}eeI@W<
z)O%Ub0En@)727iPpPBv$R(<z_mT&jq?3ys>#Q`5pU5DQ?77hkJ)qh=H40wLy)mpnb
z=uuRwTWu)*HgJ^-8gSx>?zz%=eLH@(JkE5Y%m1eIeedN=@@p4N&F_OvZL2@H@4^+d
z=&93Eue=@S=MQ;k`077bt<0{Q0aJLTgT73p@ytRo*HsGI4M$`~WJ+-AhFuJP{v%}1
zvoGzqB&t#^_{oJwsRLh-Z@;GaUYAuTs;nJB3#?n~t8y<Qa09skrd3gY$;dh_M0uCt
z2ZXTZb#l_f<rqYU=7|B{tgn%tg5)4OX0y)3+vPa7Bnr<Od43SwKR+1Gr`4PvNwvfr
z`_6t_og?BBa_(f>*t0Ao&cVCCcu8`G>2{;)*=;kmkDC_RQ4bET$Us-39;X_u9rYbK
zVe*~j6~Zr7D3_Jixbf!vZQYe~pL=*=Y5%Wn{*xWNay6h1-M<}RQ@+Cf(0nrF1vIND
z3mP-iM?7Hm_VRf<zX4}G{fpx2sc8Jhphr)ZLG)n<%TRHHlv{pNZK>|RUY|1vN(B9h
z$@zMz${KF|?yB-hhb(orI8Kch=wBG|R5JG=Pt}q}LI-OEfVzeWHjRFAN(E|e>E>Y#
zx8CSw8lZ){3YG9W$KH8&s5N@@)^f!yA4sVvb=cYJ|4C#gc6r*>9;K#h29_qhiBS<k
zHr1Z`fDr$ds^#+C@T?#4DD3rbLEW_r6;TNLda)>c<j+2~kF2zT_e^!Zxl|S7&tgxW
zxl-80vOo66%IbV(yT=mer7_lN?WYl|*+ll0?8K@)3~s2a088^N=E^c&o<yP2rF8kv
zf7SyVqSJn+_{^2~I~_6iD4rB^#xezVVf@VDNBrcwA$-58#*H;!_I;{)QJofY(fZUu
zh;DV)`1alttDeP0Q$Np_SEiMgVU7*x%v|5PJU9Q&)2`0$P*O~>&%u)68LyB%QZW3F
zQRBvwRt3<@>UXi0l(Tl)!S1rB4Vb_4))2kZYB6^&zu3Dj%iHG;{9d3}``d)v+*VhG
zqm5ZYYHJGUGwZbxB`=$9?jdELxVR|l=T;-LGz>=egu(QCY&O1gc5?FU-Xm)NF(N>U
z4i>Gh#dGwjT|OC+MPo4sBf^~iI<{4<`!4QX#0D<%lS4+G95$%L+uhoIY!+Ckg!FYQ
z+qkRNht}%3SHqxG{wS(*l6CH?N`(QvLFiIam(ag(d_y>%<YIXF1Tu^Mdts06=uf-b
z!c_!pCM`m;RR8DyJPQ4GK7fX~x`r13eC=4pryIHW5m8cDG05h0IvravV|uo23tQFX
zGxccatxLgHk)!>W7)}RGNX1uB=xnftU;dJTUHLg&GB8wc7DSCil*BgO_sMYY$^F<E
z4a(ca>YEc+OFcltS9c$?mQ%PRk^b$Ec35EHB{9_Q%yjQ7uy!0V?xOoG+@wTTxm^dE
z*mmOex$CcSi-U_*^IsnqXlAcl{$kLk?+K<(r~BJGw&s1L*6nQ1#v6&9X9bY$>%%qx
z#0#48f3EI%hQO}p#awI?SihYt6u^qCGjq^p6#=+Qm>2IyMpTy1f31EIC}r>*`CqS7
z4Yr+dNkb%!V3^eXQF(>7kfw>B;O)m(T@E{m#0KUmm+-_MqzT%>;}?OK;swagD?LqS
z?N9vYnv}i92tM5=G9Nj?sK<}n#L#P9J^)|Ko$bksaMsuAl{jpfz8TV^;mR_o=S<oO
z`CxjtDYWQ_fOL-DakZTHad}rwmSaWdf-OJ_(bNlArtP=Kqfcvk`Vi!betVI)RM*R5
z9FfiXaLF8z_QfC#C0ua2JwI7qPEuN+zikFlyWSVRiKmYQ_fRV-87>{~gp*FC=N(sm
zyqUZ6raLvn;&HR|j!gNdYn9Bc$s;>X1U!WFAasn$oxYhdW&Gc7M!0;JeCBc^LsPAm
zwc5(jZDw1Eh~aTM8Jk`&WaLCKxuNgy<kz`I8P%^tO-VN5t7mbxc>=0&-@T`EBfyxe
zqW(i(KUZ-S3{&@UCa{Vmb_$E!PLrS`J}Su%|0L1C$Cn~7FX1%&IImhOEu@#R>O2i5
zT{VD;Bh4{!TS4l|U!_EQ%n=*rvmO!bbv_J+<-qfDa0j|r^kVXMt^>-hc6!J2SAUGK
zO1EP5!lf`Z@2MOtYC`JJ!ZhPe6zZ;Xj?+SCpqmc{E7;pf4=5OSYck%-z$w^O`H(7(
z3MH@xC7N~{*yXx$ocdh;eruqQRhwi_YdBp_dYwX=D!XB<TB^*iZ*QNwVCV$WEL)LO
z1ex;Lone;>N@44{<(Jp@VbD-{tK#>OfASb4vSW@a;^101$UbGUhSpKOy*1C<N=I)1
z<n)wZ8*185Y^#Ny92-@+@(PqLq9z#4z>SwGPhd4Qa&JHln^Ijf)UF<eY&fq>GYHf}
z5Mu10O}H6rzi)%(&Z`k9+guXIkF53RS>Oz>o$?s}wez}TaC@oeO7J$q*@4CP`kYjR
zSdiP`qc4Ts(rNJ5me$UR2R8VJCqx0VC(7u0C_}*QbQC-IVX&vtHx+wz>|nN$Nd&({
zR}by&&2f&`K=*paSX}nYsLK2vE3T|;?Wb~4!b!4;@{eqCG-8z>18t8!hZ>DYebUNF
zn^fAi%mZDwIMeIAp8BJe{G4+Cs?iDu9-S`rVOWIox{;aIdaopOt4v;O0WuOWo>dqb
zTfKzW820YeYP^&%ggdtNVd3x}S)~Zfn%5LDw%DtcDEYjkd__iaj5dBv3=-ejjK8Zc
zfpa9f@4T~DXDCHPS%hlBvr5%!C!*J=eeCHqa>9<$b$srP)Yr!~mw)*D*w2}BrO(Rg
zV*1XB*T+elm#E$DCBsp)uRSFC*%p!OXK}!abQYJU6&?n@J{u7~T&HZfyM`MMo1fDO
zOW8L$)@yu2wG|sD_3hiVE~z`4JLC@MB%=+nzq+~Zh?0YmbxnE6XJfcwwd!$O^(Whm
zX;6c(4gwo?R&fy2Sjm`51HqU8>k>=4cbKZ=p~Rjf)*PF6pd`O(XX1_x-ZqGNwS>&I
zSa8v!Oe-6B;jRJNNI~^#-A7mKHtiNq=;hU{OU`RAmAV%<>2>a{pd|?svX0#iEKaH^
zO}8#|t25%BS2g0&BR0U7L+rBNC1O{f(fU`jP;m;Kcrf&EChrFN$BX&Ak4%qGjqujv
zjGtmzOZO5z426B85cBsmnv(piY!#*qo%C!Ad9zqUc}pVN8C_b}dd;uHst4u=touI|
zszRDBoYu?!3W5mT=lXV$#Pc-zg<Xo;)Yt=}AO8l(qPm!LD7?l66kl`vB4xYbAt}65
z(apuylGks0Z2H%D>p0ynFoxQ_7&{K|e+4^rUDW+zwv|wygN41mRPa{bLQ|q1cndo2
z-IZm~7;<G{YP_@Jogvy&c}%ME*Zd){{~{=ur9W+RSN%M0R2wU-_{bz0p4P>U|2jO6
z?6F8=JCX4l!~PVQDI_GUG$#z*ElKv9EhlaCpVP=xpu|z%ogEIT^A28M`JZp0PqX-q
z&R8ta(96#O)?0Wsb3U7)EJAZ$51@R<T7DIFj(I_9io@ABJm@?aUeUGnBMt%ITyxS3
ztd5w#ZC>8NgQ+BXnvm#)XoL$+(qhUHa>Eu0-yJhzY3&6ZibuDzs7h!2M%O`cEZqev
z&`hIBvizh8Q0fqtsQ3UM^U<q|)^NUboiDg3lB&{iH9O_X;Nzb>5tICxb$^3XM#op4
z8iCPk#Wn9PuuuKrf5uC}PLb(S4EzqyTx7S@s`9uBSPstONhU4aALZS*KvPDBo4ur3
zf7xk$&xKwu3$cDcEVD#XO`~fk=D$1boW<L&H(rUKy!CFHQ`G0?er8TQDA7H_EE1tH
z{UZ~}U>uns(_by=ZKtnIs|7OX-P2`Ybmmphv$$Gp{;^qxe_m>*pAb)p=(@yZk+ghl
zTk^X3Vr2ovIC|{lx`j2I2DeZmJh5~@udflcx4r&pai8CaErGRVm0X@f9Ta!KghkuQ
zQnMa_cth%^5}ZOLKD+}#CniBzXHewuR$#=y9&V<rYQ8t~bP>EaL1`wxAudthR%BnG
zj$HK{37nR+BuHR4$Lqw4iDJRW+*OE4L|#n>$08sfAx;NdlX+ThSEh@^zSpLSM8u}i
zGxG+#1_Baw0!6@eNCx4?0<>M+Q0e&KhXfe249sTg`fNYk-nk)ym(zTP?lv2qTKaj(
z89*szuAPcu>rm!`N<i$x%*!LP!v8i>wX|2<*8FjzeWZw=*loofGm=^@6-PeKIL<&R
zohUpWg6`~O*JR||GvmfOmx4t+<QR90gk$q<;mH*o1(YXncylFM&WY+uLEUcJdTk}N
zGn5AwQC7brNNyKnR8D6EA8)>js4Z1?>9RWQ`;|P^5FawC5E~t8_s<VSA!zIq`(lIb
zC*SrB7&I4i-^n;0D9S$~v%(Nb<NsqZB?4v~s<1PBGX9S-#fvCv5PU4jnGX!|fU4m%
zJukVY`&!y~6jtbl9HuH(O9+$R9O*l=rF2@O8$}rudNoByr(U?()FktWn|-2@0}p@W
zuse|Qpp3e1>dv;RdpMoVIH$Cbu+i>Mt3jv$XatyLwN^#c5X}y#`$Ql){<ld9g6L-k
zVR{-&7ilBCDL1DQe7^FaRz=;<;<A?xGo{}TVDV*^ag!JR(<o)&b%~pJ3z0171)72S
zCbSJfn7IWEB92$auY^JOAJ;z(>*<pd(S91;)IBqS#XR};cw&sCm>;MPQc@h;&eFvw
zT7LgF;Y`bme>y2V)jDmR4&~8cO+o~d8_nO={T-7sj~<K2cNqMb&=7;;uVY`0Fpp!0
z*BxCm@bO-L1&+Nfrz!$RXEMi|v5roWJk0W*1=)F`NInHtfoieAcgYr=QooX0W3e)$
zu%p}-%CKcQ*?b>M6C{QzZI?0k;39|pLYV2B{tM}X<n5s{TJ?g4aaG;+#I!;tRGU6s
zRQcx0Gb;Vp&yf&fp%@s%+|a5BT3zCujr?VXs(f&n;5QOMGV;KA%et~1-64IOe{Gy+
z@lXmjNy#v?1z2@y6>5Ry>wQfr22Sq1j2bHIxzlEJ7{6WQc_RkvKy>Vme`;OxUsXE7
zN)%sE#9Po|2>C~JM7rvCVj~iCzr}#vb2R-VnU(gg(qPMPMe16{KPLu~<LR-Z%>8LK
z4o~qLY*U9TZ!78}7_M-t^h}RdZ!`}Zi3_Y@1Ta?)fc@>wdvh&kCsJN6=JdcsuF@BR
zPT0*a4CS1moDVTG!lSG+9sD|O=Yh!3!^rXR)qYcEMrvWi7MmV?Hs%g|n$8&=EhG#o
zL-d+EJN?XC5-2X|DAJ2hr_Va^XX~9Sv702uE7h)bKMfOMY&38yoy7801Ex&RseAV=
z9=9q~<{(kyBD1@gw)itnYllUf{XU%`5;kr~RtjOXjui&<-}i2RFsw>Jd9T3d?%4-A
z|M;v8X_7yE-8^0U^~v>acgLwis+sBc^9GN3o*5EX_tHZgR4u=M-v=;u*qv5!UW!M9
zpP4lkEG6ehUxTHATMTsD{;JhT4R6+qjlCtFH}Dnu^0n&G3ioneCMM|pL&ghJ`;3Zw
zhT$+bNKw9TWO5_JBtiO=c4Xk(r@X`0Hny8c28b(jtoWS#WPnp}EkrBf1MY<5HdRh=
zu(1R`-xO09>2C{lwuM>$zA_kaaCpO0lmQuj|7_n#Q=R?hNB@cH7$wX~G{?u*%0Su_
zkDPzMoj=dSw!2f)+k1;sezEzt{EOhM(GwM24;He$b$zs}yw<>{d$x^W)oPf5Fom+2
zgIk!Ws(b*<)T+I1WK%tB)Poc6S{`9TvQqy#M;$Esv+lgf-<pQRt38PCUhj8sXtNAX
zyReo(a#_fNoc66Vxz!utd4?U)RKC+CgxzBri3Gng;<ladpSv90g%#8nBA#6AyB|{j
zPJXY8Z5aYk$j{X;-R7{glITIVg5rjwqiPaiLg=%H0TN2zEs55KlEYgI=iO;@bL&>(
zA4}W90E>O|`AY!ogPHaLot$=Do3(t|x#dkmZv0;~;1cxYrg^FpWK>A3<=0dhZHCEP
z&A`=HD5R?Y;?Nl9YfIG~OO4fLsh+nUU#&@dg<pj(_cAuMca5${Ox|mfz5B;RT?v=v
zH?J&J?GNxV2Ho@0yURME8V|0Zf>#<rJu5`8gQip!Jb30q#0!Sj#4EkSPi~hqX?Ajs
zyjt(c-1hnLXwz^wFC*yDN7t89zbgk^(sUGo5&P`jhU(k~G!WKmtlC#&fOfpN(FIg^
z*B5+y+XSu}+~g<q>@=e5w(bL>sDA;gg|0dh;Pe2w>GxZQlZVEh$;Ju>c52eviZw}&
z5u)8+itsk1%Vbv7Qfce}a%tzyZ8PC!_mEa{qtp?jD&^KC^i(gS0P&xSNx_)Y+B=M=
zK3{MK+AZVp7){RL9FdX<?VyQ95x@X2iw^;6%JYi@^PVvd-uc$N)Y~TqOPh`h&gB1}
z#WXt5Mq^TTF#lBDB?l-QEQYR=(n-)AMkg<g8uCL}>$(U(dA9H#0pc``Hq@Wqt6rE}
z2Oym$J<!LJ=ffU9bpN$B+Y_-l$(g8B$9fXqx!|{!eWUN5e^3HRa8H%UR>WCP@iS%!
zw!%QkIvg=rz;k&vq|N@J+{tPGxo6fCX1k|=#8i={Or+v@#SUHVRtReNMaR=?pAFq9
zIMPWQB~!LHo*K-P@8MSyf4kn5%|w2`i9AJ_a!LEwmeohcZ1J9LJ-C!$4pn>5HL{Tn
zX1k?y?&@ITbaQeMX8nsJ<l^g8sy&Fj^(<%4zD4`!13KD_wip$}5Sp!;6)@NIN--Zf
zF<V(V5+rwD2{YiF%wtuKU#}wdW$*0OeJ=YoX>sj3!lg4qtBtq|5MGhDHd^G0az5S8
zJHAp0FuJ^chY<9Su}%@}{x!el5-b`nUb$Y_--xq+B(?ht3otN|@*Mi1$dQ`go#R+-
z=!34orh<S)!0YTd-7H$QM~mU3^_<`{#cqi4*$V~19cr{Tm59x}k!Hmpo#SOY@l?Q^
z(k93h6=N3y?9hKqi#$NPZJm$31`8e|M19~>VR;vPfp^XKIyS`!HxACbklA!frf1b`
z?z8MSxRIcF2~2<qk4JnqkIoVzcD>KGD4_abS?v1o-HZd>a^_Nw3pJhZPFY$>Xv(M`
z3XxT=_I&(~d?O8_pkPy;zv=X|`}3Rm%Y>4Em9fhq+pLQrIe$Sry$SsWOq58Vr51(5
zLz|gnjZyUmFx%bJMODn|qwl=e3bpA$hqhAiajWV_riZ&fUMJ6Gf1Yk|>uz;Y44W~#
z5Jjce?XZEu2S`1X6X~puvsdH*Ad6+yaszh{w^Gf;2kgAqd!HzPQ|sRGPAyy%mJ|!N
zoPzGMJINyWctk>=@ZZ#-&GwMxUpHtRyqd3$U;X>Ep<~XoeElUUZe(iK5m+u^IVo0c
z$nxa-PkvqOnlW&bn^ZUbGFEh#zuOodEUEk$aJbfDuFjk*8E)P6_x1g6n!tgfy$Y0z
z??<7hxi;Hp)5)N-Emfrlup|;)+TUJj>pQpvXi92lMc*nMaWtg?6dO|TjyN~smK}R-
ze(&ug09AXj*|t}Jvni3EFC6?PEcMMsAp#AR5_`6!PH?b;k;#*RwND8fGvd1mgJGR>
zC2U{{D4m2gHHjcK#fNRkf{OQrw!R#IZK&2U+KW|nJxhN{C-%vg9cxVX2*;ct$E4F!
zf0B%*3C4eO+uFak+_((kQiR%`=ZvgSZ^T8}yZoU|%J=?yEp?qfCiKj4w(X{Ea7|>#
z{A$)gO6+z!!nyD`1!t(NCsz4~*V#*z1B@R^yl1bLW5#;r36bV26lKvHD~ZG~aG9#Z
z_hp)wQ)cqYiZ#UwHImu*b4gj=eygQFk*<Zi8=jBlK*cQBE?D3Pti+TbFHS=;YM}G|
zD9zQ94svq<WR6x-LmZr>7A`$YDNvZOjtN|_d?CcT(l7{{l=suvV4J8j-Ut^egLGqf
zfq~(iYzH|B%Sg5la{mWkfg27Ok2Q5omEtP{+4*!8uN~qRJQm=Im$2-&a*B0?zO^ub
zJ9ssoYP@~#n5VSVaGcsyiUc%S-ulw3o)G{`QE9uYwepFD!!4#4TIi(q6t-o{em~!6
zgy&a6v-0|5DI6-K2LdK-LEcm-6}6I63qf2-o|E#qL)gS<SO+4C0z;nkms*}|O#0*M
z?5%wAh^Uh1CSfFQ#R>7N)%zVWy|V5aDo}GoOoN7GK*d(ktk~u2A6CCDn+)}tqk`(%
z2U7(q(mooWNmy(Rq}&}$AvTn(yB-gOb_~^3{2WBM<Dm{s8|@=4%$2j5=Buc8<(cSJ
zLyxv_zVXm&Fp;-f9%<3nt3{AlfJSTS)$y~$UxU@B%1XJWEe*7_n<q*_N6e*gLr+?F
zlMg&^7OAnyz_#4G9z$hG-#g5(m%pdrs=9o}p-<o7p{wfLnd%Z7%t>BVo9dOVG`~9|
zaO3eFW-DSv_=up#mp>+Uz3vVBmK~i%8sWZgm9njeMj%9bM7>vbKr?-1GpL@~#uhMF
zd}DK-_lzy7oyFLW+Zsu(EWa=@iMsLE=~K6vd8*bcLorCwl#_d3Q?n`~hjGbpL~&VJ
ze?_0V>NjBx&1CWa^d+#Y(F?)+h|3<>rBD|D5bH*+m^zmXFRX<8%LY6`n4`QQR`<_*
zHwKIvmr#{&td!Nip}c0(nIYSMzx?@bJf*yBT<@o<ue#0Pe`rr1`tBY5EhA{|(-<+G
zUD`EL!>i>B;E*aEg9omvCK_LFb-centU`_r`v=oAdG*95gnNoT={s5`Z%B()nAomo
zL81rdKF0j%m-nP4BvjTfBOJBq+!Lx7kSklHdV1i<&WprPCo<{$0|}nf4|^+}mGvL!
zW!iu@x7U@QVLw`Hpif_ZdA^7fW!FB~jFFqZb_eWde}=h*k`GKpogoqFKu84=Ao`b-
z?5vILtd#kz^!ZDHw!A5qGX9f10GYP2sk2=}-(F2Br||V#B0M%IVO1IWxBPy#{c6<x
z^W^ZxFaWF?$AK~%WD%U!$H-yV9`?(-@Xr30Uo_Omw<|FTPE55xu+WI>B89HT+%Srq
zOfzrUM7MH+GwGm4y(*A>FA?7<Q)o>Ae0*k*nzSLs9GWEiwG_wDL?ZV(tqC6+A|~_7
z1+j)pqD0o%{dI~Q`$asH-`Np7uhC~#mhld?fOw(tvc0mNuC=|2mmJ=Dy5>i`&!vpX
zm&eK6NZ~trDHMERHL|9Qlo7o6eaw0gk8yclahD?Wg+=_R=F7U;{a3m%<`$->-1o~5
z(+&#Zy|r4V<$4pgll1}|PYGba&mN2<a!ZRVDLDm%1lqkR6EZ3Dc`xR<m}C9DCghky
z#7FD4%@1IO;r;<xPs-Gp?pmP_N+|}H>!5xP#|sqj_6s$2nu@F~>uYhe)os?N6ApJr
zoe?YO(ebDjk(^1dEx*4#u;)Yf%KWDEsb5Q7s;x!5gUily*gEvFY^zr>C6^tVwj{Ap
zUdq~}C-CR*E)%{L^*0SHr6FnKXvh8n?JQCl-#8XvY%SQcV9e&|{`2>inhY)#k?ST5
zZE3M3EzFB~abTmM1;cRJiwn7g_V#FQ^Xw<SuYt<7h3`{lT9IU+$cR|%@Zjw32qZ3i
zi}F^XL)(sLZGSpZ_Q%~>Qe!E>X*G?l<Ai<y<zMR)Y$hjgpIT6$tQNq<ytmIrYGwu%
z)=vGbl*3~21s7@-NR^GmP@c*5z69bgJTd|tf?RT1p*{ekG`v~gHZkp;;JFV_x#a0-
z^l_-*a!GLHGa9jSn0O|=C~1*BO+A|_R9K`iHB?D=L`Na=nuc1YSB?OBcw!@@puGFq
z2U(SXa|}0lQO#;gq`k%0LRQ84VJFdaj%*#DP=Vni&l|SyQn>G^RlbetwOnq9Q9oC;
zm3cn~*iU!G#I&<{=9!9JWDXH0f|Y@jTW^JZ_0gdMR$XxT%*jYQ?eWx5@ebEca$^{J
zpy2C__T?$vNI;9;Guw`;@M0%=`i4bzjfRMlxQ_i2K}QG`4i{c=BM23p;Hck_50h*Y
zpLNyK-V*w!Y)+7WF9ec}M16ao=JfOx?%ih5Ppb&u1%XW>yZSzM-#g8~CqV!e<9wKo
z^CSz2?5g~s%5hEhd&sohuoad@tT#B&UIrwG_Pgg5l5v1%4LPG?o{nYhS&KsE<?^@>
z1Gi3${KyAi^P@DSpf-Pkj}zN|pE$7x+B>?ENS+&aPJCO!GY_B5z<CY;F_#R$qjF-L
z{Pzk>wgNzi52<FUeqtIx_OSDK6b{gUzm2{8U?ot?z3Z#(7COugi)#dQdC%w(-Oj!}
zlszMlh~D$`X6MNUOFs%A|La=Foxo%7XL#1W{Y#8GR3uB<Z{+uR(xGqv?A@Lp!5@YA
zJxCofDjVE;@%lwr3C~{CZA_p3lVsp@VGsWrni&x`f+@_ATx4QcZJyXG&w<VT%10Nj
z`0hMDrWqsb1d9E%S3)5*QGW8x$->u<2iItNUb5<(fZK_V8xcIehk=zu1%OX2o_d(Q
zeXE#RA$u|kHu1Z1&8wF#2I$K_yZ$b1-~;aSRSXLx&dU57795X_drAGQoiyaOZrZ(G
zmiz){QO=9LMlnQZs3a*BM}=8ypZLG8N90$%dsuy5BhNsD0)A=OrM`9!eR|!u!%7MK
z|GGXJk-xP--L=(a&lt?_rgNq*Lb_67rQ<Ko8)e~wvo5jqdtHFugw<F?lk5R*A*Ypo
z5Q^{M{}6EU&j;RYe7oZfp)|KP!vy1$yN-pOL$9DA{gvGj+Wtl<6ofv4uJ3Hv;-w1B
zIR1U?!$o9y)Sx`j95JeZD}B+iA?)U|!5Q3Qo*w`Cw|W!<^yw}IrJ|@X;f3H8^enxo
zHXa^Kjjil<(#A+2&{OFK+cooIrgg#Vu|6Z+OULAFo2K%H<1<255`7pP6mXLNT%mcc
zLmkV;0-4c&WUu%Slqt+MTBv)Us)a^Os*L<KZOo|uY*Z%eQX7&m>#v!JS&L47S(S}i
zX5am|lm!U}HrX_vT^$DC=)qhLTiwasBf(4QyF8+yDR}@Et?+Wq39IF2yk(pU%%DA>
zZeb*PYO1oO+`Xs!O8@<Y4lVl7#kx~-kG!R3c6J2^YI%>DUN@j<43`6w$%nN<<TX)p
zO84zE>9-F?I0s8}D1M)Kz1FCNQEpR(GJcuoiXdy00hBG**16(!uTYOmLfrrX6Z!m=
z@*=d4p%0`6)Yhzfllh0&QtFIT_BZgv|B`9ow_uNfw^O#~RYTll4~Qsd5H^f|DEY?a
zlBQ~g9wwM}1E%f0$VGGX+->(BQ&ok7r?a@?n=tlMKR9>`<V!z4&o}zLYuh?vzKGAb
z_3ws{rYd#q5T5$hJ5qSzFQ3`HpS2MB`XN&)nMY_mVXFopyE_bRUufKCUmzNsmwy+o
zCx=XaI9!6cJaA?!f9^D523M(X*l>)`QyQm0ZEG~o)5bFZZu5mAD!Dx6uwzxS)1h%*
zi#`VKmd+bV`pO&(IaxNElL{92ie)W>W<TC@P+Cn<a5Z^JC$9AGjEArFk(YA%DJTsE
z%-p~llJmYj;Q=&@YP-WoD{rb%;%%Cb8eEKO`A4P1bcn^j8oINM=n~toR)<X%m#~+h
zbXb=R62ER%wKWPB#ING3X|t}JHVH3r<2!i&`P^d=N=T&`faO-1f=*_=Q;~peE2!Jt
z2~(+VUl{+GZ2xxG!}Mtqc0Ji}l)w4dIhDlVg%Tr)SE)PzS!&(YWYh>sWo4>EkM(Ry
zADT#<;a`<rpaWSSU9Q{PW6?@xm4Ng6w@qDA{=)Tlke{ge!b(95pBIX_t3QCe8gw{C
z?~pF3)a?3ZUMfyz!mO@bK&cA3xt9L8;fO(+Z19j5k;k2569NvJ`4Ec1FNZ4~D?^-H
z9Lm_5rSGb8nfL5`?{2Lo*WJ%iNr=%}@A=veAs1{SpCVPgV0v|zzJvgy@D$qwy%yTY
zg_nn{?YvX-?gnCn89)a1PK>#A9T1_knVtJmq)33^k=0aOmT2JcKO%r(u6EYbfd~Xw
zp_@jBuzDYdH=S>wYjnAkPdoyVZ?1DD6#sVuDD{6NfT~70<JICXa)gN-=;FRAkm`@3
z4M-eV(%4yt1uZkR!6ymJCA2!5NS6m{hn#QtV3rt^TpshPk5)AH+&uDQ^b*=7vQ9~R
z3p|@T?H~_7Ub{L9Ojvsb{Z9<2|F6m(5oE2FxXDgAdlZYzHNQ`5es5~l>t}xF@aIUx
z;14jU%=~+yn;b5ll$%*>y+$yPcIwW?x4Po!+ugP9jZ$Atsxd2av*DCl^#yD?ApZkd
zCFh$rp1^ljjV??4;2)HZOzF}OlOpgLOuzFsTX9H3_4xzQ2!(@xY65B9KxmY^D`0ap
z0wl@1|Al!{>^_Qsc7m;?Ab;Fb=Fl`$_1nQ0KKddsKcFGy4(<RWK}%m;%8x&c3)&*F
z)vO98=&>SA1}Dh-`=)jkiO3Z|BvTx$8GRvgyu{<mA|U2`BoQ$ce=M&9sS#^+=0X`K
z6RdOnzI?bNI6nGn?P`l$G=?CkL6BGG7m)<Cm?EWxnS1bpg2t%)+P}}aU;4CMBH!5I
zPje8v)raKrA2Sr{Oi|9>)Qd(BzUwzl%kLbscZ$98qW2kcZc1C8pd-2#y>t&yG0$g9
z;sVbFB!WhS%I;Av+bPc{-Gs-v&IoKt&y{g))rdF{#g3@_^G#y2=BY}2;7=!QG0EkW
zK$oVCj3ub{w_N5M+l(8X+gp=sE%Qi0mEQ0B8k^#N(YE=<xvb_c@udiImi0&8A*Zac
zTl_Ob+OUzk^Y$sWtGfVv10MV#T6Bepo1%L5`P;*#8tQyHRl=Kd%||emC4sep$M`MM
zy!qO>Oq4G1TXMa}hOovPOQNL1P95O!GE<l2>k1de6ljXK@TGBG3_Iu7_9!9Z+x?mV
zFNr6q=g;w!9FA>~3_2hB`*PPy@gYEne95MDYS&qPNoS4=NFe(EAxJbNm$vQYX$-^=
zZT&!sL=j;qdn<_qcNy$?G?bGjWDqdeeRMv=c1x##%bier<Ovdc^CSB4>Mt3P@<mHR
z^pAG(M6!?7&_+ZYsM(o4)u=Y9=Ko`GX}&3QU4cnrsz-+VEpsL?Dz5?=_S-QpNiQr9
z(R)oi@_JnF3%%@E;X><V>Z4ETIQVD(ezCW}*H0fhqw<>zN=OF<aOq-ti9w5$8WwS_
zvARy{D#vxPF_jZ!u$q(C7UO!+N!<bFPkd^Ci(uLS9OtmTSW!*`CB5)7+?yCyMcZW#
zweNtOumf*ydijh<IB9zbK{+GsV|$7mNTCMSYv~anDqD41Y>!!z2pBv@WHviRMh?Dn
zD$AFCzhA<wEY|*V$=T<rwk}d7dYY1Pz`26Bte8Yj0_gflK3^`=gQuUrTRL1eFd-3V
zqBkM2A^##@zU)t=y@1pAzk1~oYkY9<*6)bJ>{O&&1RvqJqcJ|}#&x3_nCk?>uuVW!
zQY-Tr;+!Ypqj}}z6?x)vS?vb+;Cs6quor>fATSBT$LYRn?eU8o5Vl3VE$$?Tg#hO(
zzL`nn^G|F<98$hAuewl7_p=yogY_JbCig!R4Y~X`nHEjExPyGgr|a|FLV*1H^Iv=C
z$-CYA=g%a0j%?x`$GmI)A<uGbNzP>hX~#jny|KNpsXrl69=OG2-v5ud;Q{30B(LD}
zl_VsqoG((QPVSm@9gBR=9xRDVO>~KBc3ygE=z_QAUStoiuZ0N0*gp>O9*a89sncQO
zqCIc7*ZNK3VlJ6c$s5Jcw2FaXyj%<o<8~KrE86GJ6}T{?ofP}vx<lLdiEW=jDn))Q
z|2jNPb`>Tp@o;CgQuvO(zyV$|dSf7u?-7@jzL4Y*{welYsE^B6hS{<{Z<y4q{FTkM
zJZ(F9;rAHSD7{$<E8iz)<cyeo9%VnL;?<<?nB-fGPqE@Jn8H%7i|<P{G1wdv8KuW#
zQ8_7Hl><nE`U+{#>1SmiurVp3ZVHyX-FepaXox^~a(qk3D^3($|C&3FKle@9H<UbX
zWH@8w`Fn#+Nt^T0<|wIV8bo4~f0he{IoS&4;(DTeynQQH`|6B$-?y@<cL7;dQ3J%<
z$t2t3eL8_(6MJ=z^<{3thPBW$<AS=8e!_Q4cnXhtlKvA+Zoeooxb)j)P;A{qcv!Jq
z;)Ki7$4(nb?U>EV<#_NZkBDFN16Z(hsRU|iXCx#Ko8fyeXw9fjwxwj`?SO|8j{gg5
zvvX&&i#a|p%=M&&WBxs(%UMjSY`{NczV4;(XrTSxCeb9Gfn=@SYkVR!&%OOhTnSWF
z_>x+)<kq@>X*>Se@)R-up4QsWwV#=FcjUp2*2jJO&*Av5MuO8MAS<Dd$5Oy$5*wTP
zS0&%@m&@P#N4!K(c*VI@=UA9XLo~QgqKYq^OTKTPRMibaX24if<1sbgG4ASo`2+D+
z5sbr<19Oc@V1|S^e_o{7w$*$2jR)Gg69Ox<u8&rX)L7HnXV(xe8_7cMs@jSZ%teH4
zRGPNtagBxIvAP3<umFQFTIS&}g-LgT1N5gH$AtvBuiu^O%yf7oBR!W6MF%OH^%`lD
zFJ;!4uJP{de=o{Pex}YxxC?a2kI2N*90A$}8R@XO?(4m6H4ODkVr{C=aE7ThjBNEJ
zHMk|&a&?_Iw1acNiW9-64LON2AHUC|E)8F0e)({bD&r=F_}FgY@J1)ouX=ZRT9>jQ
zYgwdXBp;RWwWUZsNi8vCN!2hyWl9UV=caizw#7%WYMA?{2aZVS%LoaSAj(&*{&5=o
zERrLjdR61(C-y!>cB}<iqzi$id*}lpO5lJ;M*a<L{tD|DWPnZU^F!P(t=(Pntc%)X
zP!DZoHZpm%y_LfFe3f%yB37!PD547-8u-PhFD6>AesK4=)yawq;WfwJ%HeDO>uCUw
z6hg*)Cmpt@ZUYC##819%pYiR|IuUQ0>DwwtvIWK&+jw`8%*~Aa4^OGmg>!h!*w_)N
zskK`X-OBSJIGH{l0jZJ`-n~f|e&5@L;d}HkO9MC}gD9^qAXs^K_m+3|a`b>)?8S}_
zmxQH6#sa66zI1!E8tzfbCOJD9oa6V&BoD^QQ~voPb*Xl1=3m&SCeyMdo<on*Z%(JG
zC|-bxC&@NhzBiu%HtD_F^yyuRF!F=LmBST7Y90lb)X+XHX0yM2r%#PBw+623J<~j~
z9EF^FuQ(S2b3e89Puaj;!D@}}MI-)x@1kl-77N$J#}7;)au;50*amy5KN>u;dp_gZ
zbld$`io?q<d<F{AdVEC`gddI?`k!)7h6kV>|8tnGVl|2Q`S*r>fZxAo0)@=_qY<H#
z0#c0q&P6)5!7C<Gdv6=-T#F&S*p1rqy-&C594`C~88o)dhVD^hzFIx=C<KSZAW~(x
zJRD;3a4&<q#tR&n)6(>)O3=<ZW4aK54YL0?h#S&PgOPu(Mn?(A_*E=RLtwo@@I7H+
zJFkd<i#R9TcG~~vmM2VHP)lmhPlKVlDuFvL#R9R>lPWC*v0uHXL?}S4ulLhA$-Ux@
zCwocYr1<LPC#^7y$!Kd=fw4ASsT3(4&skE+`&@bG@;S$Uk2-3OTmILHNY#H&M9!#f
zdoD$Xb9Kgg>iz5AX&IfZA#6&it5)$u?fH~zXX2MnjALhpW*|Vcu3s53SYGbdl~um8
z&E#z*1KhED*OLO~skVF(=o^sOJ(^YHw|ji4d#o`!8WX+RcymT6a<%0zN=~HGFwnQ2
z{#1EdrKKp;tRev)G8QHCaubPXOzC9C;^~sPnOg<v-s&gpVJ!Z1k>M8voRGk``X@iz
zCDKKRfYoGl*Epa_S2L<Bv;?t^tuQ<w8dCU@9^c@9F#hf|*eWnhqpQP^LM_=Ip&wvW
zeEP4a<&A7T+?wjdh)%^q=ujGJl|0Fd(k`F(b#u+eAuxlYv%#G^5GugX8<laLb(`1X
zGsrkSA5R~V6J*$pD8*tY1wZe2iLD4f*8{Bwx2)Rb<C^>lmEUhuCxY(^(yc<4f}gPl
zd(F{(X10=}e-JRTzN{B}YqJ0FAy@6L&!ol6UEjM9#_(w6b5)E%o^T&PnuNeqRJWhU
z?E6cJgUER{h)4L8l}rjU!qeFRORxR`FSI|{B!$(ybhe#!tApj_1Um?XT-4pSDLH|x
zZRtnoeSx(Z_YWE%+FSW(K&I4sbB)cP=+Wy}MxQ0A^cdn3ohZx_KOBrKo8*F?Y@KA_
zMe)NEPOgD(fMZFQi?h$L-Eo`ctkSC5kfmyQu?Iu)yeLXQ4KKwqI<cx?u{i?EBU=V=
z`BRyjxQ)$Hd^+AN)bHj93g*3B&k1sO@o;i;Mg;>$IL4W$Bc(EDKgv7H&X2FLJMwn2
zGdoMQ727smUsn{4`CxG$qbVPEDHxjVam^EnhNEAYX8YNmo&d<I7GolTlZIy0ylcFX
zo+F^=V;^tt=XpmfuQf94o+6Gv5METr@Z0*O6ygx6D-c4m7Mm<K;@jS?P<`nG5r{{@
z%*C8dXe#~jq&3Mm>YpfcQ7y2aF-mET6Fnr^2!%j`W8mh+OiW)&3Ygucbht;mV!5k+
zgOM^&**+)UKG^0$eUa~gRu{pnZk9-GG@5JKlJ3nSArAg#|JC=Sur!AUCMx_cpn&S)
z;9#iQhO@Wqw9+yup-I{IvD9A@>t<%%uR$I{+^3#?EU(=B_-N0<vAL48<ce1KYLF}z
z*@|WD-|$OVN3>9ned(v0Sc4~(C1eM%3-!!Pqq=RqMo=Q2*QTW1slJbHYV9yNxtvOT
zTbbt6J)jB}lp>13`HqaZTDMK4renLrwO<l93gz)^wYeyimD<9rjE2Jk39gmXb-Y!@
zc0R(8y5=<gYkUKGRnemed#El+ES}gd<8|BhWZob1+7Ts)Gdi>o^a2<GqPP3#31HrX
zTYwN`_sIP8x{dr9GL*simS7|rJBYyXH9kVawhP}4jA>tRRW36Zo>$Vqu}i%}Ng@@6
zN8^`un<ctQM#ZVim%EJKQiCm`QfQE=R+nrOz0H9Id7@>;lQ*5No`Ct!_mPy8IN8(9
zllg*Y<u7++ggH<#jTWog1rFwftq4kU!8Q{JFft%ct|9WT#MZwga#9rQ%*CL5<Us50
z?CqwGoe!@C{<9XSWO2)b+!Q<fbPiX4nAjkZ8r3B$JCXmqk)e1V%ZZ=H7JAZLRl%*a
z^=Z`;loy&{@MePyaio&UT!kLzbr;kd!E?<!(Ej9Ovmg`beG9g>#q_b~HLP!<wiFCF
zlxl>Yq{{PZh!;JoK95Ad3r%lqR-Rk|h%Py)uN`A=lpU}<IxmiOnwMFUD(XpgrqGKT
zA7Qit(+M_~I5@m5Ii5&mhF<nSiX~$YF-uGK!BN^<>Z?%V3-wQA@_t`SQQA-vDz0@a
zt1SZ!rD;aD5?f1_$_%L+oA?P5F;csUM7%D4M)hTCjb$g#ve(TdCz?f~aezegjjKUj
zM<Pw*yjO_R{eZrgRdD2{+<15%sNoGgEmKsrxU!w#ZaqNGU|BmlDeq?n0%@>H6(ldC
z&oi3RUC8ssu_?_QoQD9M1>t8gMWq<$Ow{1dDc5N<Dkrt*GaIqtw-D8_w+qAwGuoxD
zjl<xo@vP@?5HjQg{btiP`p7n=DaqVAa|(H3^DLz$bogp>nMiu#x~ibuJW>{#i4IX&
zqlT42F9u81eHzQWnk}L*fme&$l6~ZGM+}uYNo^UY5$_@jl@tt%F>T}SKKQ4x`xzG1
z+4zp})f8<FmrQlUfWaMAW}mc%cFR~jq$tw|mh<kTb&#CXIPJ-*dTWb~hP-DnWa^du
z26`EhCAQR=JeuG%w?<t{aacth6W7ix>~IMYnw&t_mtd0tQDnvKA-K^vqp>k>;Q5jY
za-NL99fm;tS_T;z%rZPKC_6<e)5V<aJZ(5q7dU)3Dh%`-UQWQ#MMvjpD&H)uVM5nS
zsAQLbU^i(TEue5w6WV<i7cO+}+wv1-I>@T}CRrKeSnZf-_v*VF^O9jU_qSnEGaZBu
z5peVAS@rU|A-X9!Odg1p?UWhz)cnhyWOvKP4e>rmrj*C#hh#%9d{HS?@{l5KF0WYE
z6p|p1v>6lDnj;WwqLb$~YAVps9+dfJ#Y;F)<i}Q)#jp#x8Cv;^d8md*AKIqv9=P-R
zxZlExFXWNyh(ql1`XuyI>tL^}Vkj%0SH80tqVM$<tBLKjBx;r_i1Zk4#C|>BCtXGd
zj`d2c@&*p$%~}FOphfa7FnNt4*?WGT6WdoeeD9q*Vb66*;6vmUeK97Nx<JkM&2fPe
zDxxjfq3>@am`Muykm4ly28~MLQ;@rU10SauTZ$1j0W$8hxQC&dKgpp-?7Oot=Q;^x
z*eh7<WfY?{$-a*QppEh<yEh^qy>zCYw;QChXP)0r>M(#-xo?T+WAxTk_m{Ogh1GPh
z4Bf4QS4DW;`@YtQ$vHvuTj2^kS38ib*lr2>Z~?Zhug_z81NG!a(1;<lc82a%0XRBi
zzsTdv7UpFzw9jSwFfpbi(|P076!G2FnjK(w<BhJ97b`3Ajzzg}q0?fAI5VMQu;MM6
zUr;k`+B~}y2X0Ilue1GbKF_&<9<qdRitMmkX|m=bk=Sxgv%wcUnZ4u0mru6uuT6My
zKuyZ3Y6`);eI5yxE}4~4TWrQ8lNXh#)4O=aL3I;aUq`iF@LOn2RVtGjhF#7iyk^n?
z%eAqu!~IKtWf?!PaJ~xUf0<Htj)zM}|Gwh(ras)3ff7DA`+buGMG}m1T`)C1z;pp6
zo;$9ul=g?(LuzvvF{6mV+rGXeO{MsdZv+GfU#!2Ln(t6j;x`)V^M%ZEGCGYncCEV>
zavjdyCCzC6>5#7w%Ux_&@SP!!DtO2CcpY74x8PkP`p$3AUC(o0V0sR4OQ2<5V&xO4
z;um5|3hxqeuEdIZmCoH|`p5HzT8;n(kOHr<CpSh^C(sWWcxqqV&<I^?b|h|fyJ@LW
zPY&mICRVQuKPD91vdS4+^s|zq4Qrlv%*${Z<X%pJql4cUcwX;pebYET{{hh@bb2HL
zoK_QJq9pL<A5lv%6#eeaI{Fp_BGz)N?hjEJDsLD~Zn0s%B5z)Hh|m$8m`2dNR%dC2
z(C)(8_>h)O%t4Rn#wlhC@rG#Zf_wE+bq$4DQ&L{j*)mA|HIFL|RR3F7@b3TY=!Ea=
zwa?CL+bu3;woX#*t=std%%$49y}-tVB!`RsKbQXkkctGjtT4*4<fr|-S1b$D4wcy$
zPAW6j<9KmVV!odcr#}DY#dVu+hF^?#dG59yd`!rqFgI_8{$(rPtGV6EJN4Z7+g=CM
zR<bRx(&VS?KR->VTORy2t<qippSc23BNo(CsOs~m==|soX;^?8?t|zw5>k&q;ePM=
bU!IXOb@|r+XRLw8z%Y2a`njxgN@xNA072g5

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeDebugConfiguration.png b/docs/GettingStartedDocs/images/VSCodeDebugConfiguration.png
new file mode 100644
index 0000000000000000000000000000000000000000..13f551b3cb20c1820845ea262d589e4ec6d99843
GIT binary patch
literal 71673
zcma&O2UJt-wl&QADvBU>Kq;aiigc;cUqC=Q2%$qj=`9kZH>Iiws6c1}0@6b7gpvpd
z2$9~ql+Xz^gwFRwJ?EbLfA@al&lnD2yR)CN*0a`}bFJ+gO?5?TN_t8%GBRqV$B&+n
zk&)jeBm29b;%{)}$%kw<@Yi21PZVXz3OX1U!7rz+Wz=NI$ciJW4$aBI@8_OBHgF*$
zyU<Ab^H&Qj+k%YjBtz+ujE;xt%F($`CjFjsRN}-5yt@0Ghual}cDWp7Bu8pI#~T^_
zD}Ud(qjlx)H!`>GvYz?tDgWPhzFub-HDkT=K>sCQv1N;+r-LG%Ox>n(`u#)OUb$*<
zk)v@mF{~F=8HGj<P7+s+3Q9Xh?AKhDboxahu5L#sn0fcIftm@S72k-RVU2tj<OJb_
zfyMtY>!dlRS#oO$zK4s&AU2nB3zPki_ue`T71gs$qvn&B7Z;0v$Xc~0NP2Ew3mQ?s
z7ydGylNaN*<(Y*VQ4;7_z!3K#Syl98WM4hZ=YGT&=$vvdeTcVBXMmAq2bYe8{ROrH
zd_H@cq5k}6_&0*#&qcQX{}%;Y;Jn7p6EIT(Dt=I^`gtoq9mx{l6E`GS4^MI4NjO<7
zfYsU)E3<rXYj^z@vwEGzF=oT?!85<_<I}p4gTtGYZ_wd)=W6hW2tnM!WPB#GSBuc8
z-*>3$gqWe|c;Mt3gXDT>6~CIaR_H#=l;_zupZoH`foCron!oVa?pAcH7GJB~I+#2`
z-{hXKt8g6M8DH~rAL`Apw%_h}5|o?{^V>>f-utd-?8}ncThQnpBW!)WFiq=VE$4)O
z|6<z7-GU3G5iO_kt3Ubf4D%EcBo0<e6GdQdF)w2{_0XGboGP(Au7qZrK6vNedZxSY
z^r|hLe_uZxZ*uW*`dal-++b_$O7daNN&8~?l)jUJ&<$aCg-I_?epq{5R&2Uk@0aW)
zdJYflYB3Hcz;H)G%yZW;+59@fXqi#1G?pmADk0FQVBZyArp=LHzn7->c-!uWKwGEm
zE`0M{>OAv~f9IjUAT?zEpQ5q+^y7G#ke52)<IU}Of-U+deL|?|Gw8v{VA{!AxJK5X
zi^qe$hxBUCmc}Ax>0|ue8p8hR>!UcvB<~BO`TWg&X2M12eNvR^q`q&yc<TD#VoTp6
z*9mrp8`|ty9jQ4vA7m1OGkZPl4|PtFsj9xnF|Nql)eB@2g<A-66JzvDJr8#`UcLHD
zPeYVA=7KpU6iV+5Ju8^t3pd0=F<aO*uS3U0NfBn#B9Fx{uWBY-M+em~&#`N+$?k99
zcYQZ7o(6@tr(kNvk}5~Uj?|Bs?#S==hK|Cg3#6{)75cmT|9o}Ujwut**Nnn-q@2wc
z_75Gg6U@PP9`Xww(4p6Z?-tzl`fK6*Af|~CXI-Dp7JimWY~>_*@5F{4*%8lpuf<4t
zDP>P=Hszc7=lQbB8q2*t^+JM?4OE6Rz4F%S&&$l;gFUhDn3p1osy+CE3faiJ54~64
zJeYpB+{1U1volJ%uDY<NxNm9bdt77YhCq7MXZfYFntd}toIfSmKd2kh2&1^=i6Zkr
zh)@mBLF4*pnijV1`Nl^m<_Ii*MdJ%}=%CTvgb?gLzS)`K?>0_H`^gi5Q}rTXM44<8
za69faUfXMswht%W+E3=QeiH8c%=c<m*drCkRrLerdbp44h!gf|4U;Z{>PaG2?N1v=
z%<ZTr;0J^tD-Ai@zXos_v8J1r;xxxE&e7zxx>we_+PLj(T7Q;ln3vsEYOJz4pTY`p
zJ+o4~IBV3^)~FxC^jiAfWk0*A&SuS4UM>l-7)KvwEt%xW<cRg4P~wNS?jp1U>%t<1
zOUT>1Z@IFief&R`8z%X*r@c09Z5w>z=$5azTN3`ceAu&8t|DVUu;lb|+JjY5YK@Nf
zU0<{msoC;ANz?k*>UIs6#+-+_QJm{MeE(hgP2)eEwyY<YeG+)9LgrFq5g2_>`V^iv
z#vOz3*Uk5RH0~RFa)<2aQQNM+x4{KJx~E2-zxwLz&1|7(tj{haHg~E{m1>4&9%}qW
z#x7Ew!vOZ(*q6|cIXS@a4(8`zHe(7UHojdgFn=v*hiXb|3Y$FYj-4cYkNo7cH_yDg
z9v&9U<=h@dmvY?ZpSu7vv0=Z4_Fg<{oiHHStU<g4cHC58W?m^bo7Mg~PSOapVQ+#A
zT&r%XJgsI?xoh6Q*R@~gxV{^>8F-LRl@&H%cJEQYhVPO#$FBA@ME`@eCqV)9GBf&~
z9-%X5bqpda%wmqFf@IWEZ&bo2@hQf`cP5dC=6UtaeOgss|9BWri8695S+-1XC^B{6
zHL55lqB-i-(VCezqmJwA_pe&YoTyTt!f@mwFC}^AYxf3AlXtxkuDMccK(N;}xGc^t
z$x&Z8te_piSi|Dx<(ny;c008`J%YZinM(p}J;%c5JXqD0>%wBMj$0JmDrm}Fa$m1^
zM)UiAGnHpKOnp~$@A1YN=tNuhqho9K9pqI%AES>Mi`{e$j7EVyhyBeMxXyr4IeEDQ
zmZ&DiQa<8Ojq}KwkJQQctClJ5O_Qy<Ld~Z0I^z31D(KGEe(8LTw+?k@zE$y69>LdL
zHUqQR1obEmnRu@P?&}eGufu<KzPqPNwegHnI$bxT{C=8ZlGyTfD?25GEjv{0SicX+
z({>Sdj<Tiiomad5m{-nE=v$;=!p*HhM?$$}HpJQdGUw<myG`DA+4uc_Y6Y-(_1&fj
z|4iVl=l_eWnZa!j*<?d+q9#(nRXJ4rtYu@S1y?D3w5U<j)pa8Php6!*CX7zH5{Z-L
zM8(XD##`HIO|Ni%i?BLl8}=ZWS;Iv9_QE7T_cRrYSBewk$pHJIcdGxriqnbmuz0sH
z7*>1iO2{iUyWSk6;u?EUgvzd2)lJEfq)^Rz-k$ZW@3C7d5aWKE=As$R;=dpigE`&T
zE>g*Y^+yUP@k5Fj?sDd~@-rw#h0Kf|A(Dok+g-N0@Ww|`{JjyZPDr9sN-Z*BB;fea
zh|d3ITd~<L*CSCm`I({RUSzPf6y^S~eaumD5L5b_^K7#Mp+V}8_c45OeyZ*EEz_}=
z^A%^<>rF%XBwjSg@uq6qk$Z~;)$tv=n9HR8SQysJ^%oU-UA=%Q3ZF@7e{P`$e2uDY
zgAQ_n)Z}fV>CR}@o!;ud7GY~i(;&0L&k(_Q_xxLE1+y~Ff*{IpKiXC$ye))4Np)L!
z;Dk<G4;j+CClq8UX(%JQWN9f~0xSQ_%Yam{zbYKzO4p_(dVcBMVy!_Jb5+2O@t344
z4Ugk;B81ha;yCOTyiKDE^$N)eHeq`8ifMxt1jy}ABNQ4*Vsk0(DVKO4GATK)F{-wv
zi5>96?_^{%Z?Q}KeNY<VE8A${2`-|6b&~7KQ1Rr+(Igb(S4Tyi6v9pXn1OL_(q60H
z;9RR-*nn0YjjnkuM5<vt<}1Bo3yPw9FP`Mb%7;AK#pAjUqWrOCL=KvsQF!Qy^XB{S
zm@WCsP{LZ$lo8=^7e$3tc#gY``}O+?S~4{<ItgLAnvWh~Y2Oar-^3lp>uB!QH-3%@
zeXE;Rn)*gCy^Xfdrb2>dEKPgG!*PRSLHeD4pP0~VR~VyoP3~EDhs6hwi*|Rkhl)KM
zvR6kd?OEK-?jK78ZH?G&<RY)WL(0kLmJDV=%Fk5hT@&A;+<&H(=}+Cqaq#So*uHB>
zDX{XRV+nh9>C8mdrU?0=jr{<^6ITxnL65_DqGgh)r1){(h*HJL-wiEW8c(IBwW1_b
zrzlu_UhS0(n6-v9Z>ym{Glts+QsA;VxC|npyA5<Y{nM`P#V5$OM(~HPi$42v2eTfi
z=2B)X3gtj>+y+xc=sfZu6Nh>&gZ$%h85wyWqQqN!G46+lP&4bVSMnH{YBY*I*eBh{
zrBrc=p;RvVkZ(s-MHnz@{Oqb@wd-enlEf_&)Elfgh3$SMoJmQ!FEFS0`T{pskmYjj
zgMO{udSCacs9?*HeQv0Yr`s*%(wOVQ9v)mQj5o;0D7%H+j18RHcl!(dT<1HI7=#^m
z2P)C!&NB*we2?hM$1rGuz*_Ybw&$S2=kT3;n7?)JsWq?lphY^VokA<$-6yzDJJXY1
z07zU$dwXslTfjWL%81BW>Y`2BhYp)-K5v6y)qZ06E%=rGFG1^)u0un&gDNR*LfZGP
zp+ywK1P@78enO+yf6=M_1x=$wlyG!@3v+-%sSsU6o*<h)-X*0pMqe~#fTH^q1%qZJ
zJ)Z<Dfiq879i5J(uU&_5<n^~nwG_5Zx3x-Babz#Kgedo!*so*P*{37fKGo?CGpqDH
z@DG8|>aN${{vh2s6{kzF(ZayATa;q69&~T4O{`8V_c$Qk1%DLS23K?ISeAGbJ_9u~
z7nP2HZIZLu{8b>j3(eG}dGVq93E{4ztzqqzKD*YbTMYrne2(l?`>MGY-tPM?X{S)m
zQ)X#u9&4XcDAfn1luk!dA}_f`cHMHT-{92ia^J=+TuS?GNZe?EiKP6wC0t;|%Q|o3
zz9j{Nw6xjdA*4lVdB}-@k)JA!U=3}i>_gcXHs-gv4$!hQbm(N?lFWf!#2Ou|j%Gjq
zkxj#yNCZ>Fc`~x#g*ItFE+XJ02c0K-(y@~jNMoWqdMjzcJx=6tI-+LlQ`n^Icx+}N
zx(DE7siQQbNy1mm&i-oq#gv_fNiWow)Jy+iJr1@7D>h{Yjy-p&I*7f#H@2)Kr31fG
zE^!heuG2S;KIU*>6lYia01X*;2wvXM@7hNi&)1B3>14unc0z9*CVj%`Z?1P4({meR
z6iShqT`PVpjmc09*-_;=IsqL)y(*0~xzYn}`D>M1!XL9#>l);=4diV9i4iL2^^X3j
zQKfOo?=P=D`EPB?v`Uo@E#{wR%I^*8ZCOu9^UB5_mkn}o8kp$37F*KaUNBl+*o>EB
z5$lwd8;%QZNkcLfQhKFvYeOtYP{HOiowdB78pZ1xbyLtQQ&HIg$ly*B-$NU713CE<
zai1vOAkkx7YDoc~;X4*FN)yk+pOkMc@_xD|GCJbA`kEX*D(LdkaNRak@^ye12Ig94
zU8>+{&-k1#6PO#8B<X)`@#zc=rR$*g+kCb7ofN&HHX1I*N0Gv>;V*1xw^_3cl)eR^
z9fC}P6e`HsZN`HQAr+r5eCv6kDYYQL8l9;t$<eMJW}lt+<+*B1|7@UeK-=3Pv6yGJ
z=t~G+Xk+Bh8mg4Msw4|44s8`my<F2{nrRI*<?)STMrnRBvTOXn=AQFO?jSag!Z73g
z+Ow4yV%?gFmu<<g#2s*UpLS30x*YcELiY*|{1;r8T%-x`8*;aOh?@%ld98!Ao4bvU
zIouYv^njU7Q8Z+B^;N&ogTOweV2_*O-pu8uJEn>6_^%1di$Ma^?g>UHlzzVPecgAw
zP;pl&<}=Pfb9uvd$7)R@c3oiq;N|n@D(kI{Upqqb>$_|SDXeU}r?di~L+ccsk?Wl2
zW~Men9##2WPGV>JU{7IO#&de7FQ^6Aq7_gyyY4y2sfII8Im?vi?@K?`CX~)HwRHu3
z#x5qtp@qS<%#~7HHOb;AwB7o`xqRWJ>{JKU55GaKXr=BXd5D_FobRyoctdgk-_t_t
zum!^Bd-9^R+npx6lc^WlHcl=#lpxG!D8d&LeQy6K7P`}zL8TdB;u!rCYBhC&=9AG6
zP*@jMs^iiw6qGh$W!FCIl+{plzhT%>0jmRvv@7B9Go=YyOFpktpJHxaclfjX%!bS2
zqgFnnu1I4KE0(^dD~G*HE!TuUcZrsT6(zh_ayaA@poglxU3eg|7s7Ik@d1#*=IpYf
zroo4WE}z?6Mo`y{+)cUrPYc;nxO9pH^SgL^0{p~O)(aaKo*y;<QGmAkE!y~$$tT5L
zI0kTD_i@+Q+|v#dwFWR%xg)=WOI+@^OFOG~>F|4cYt_Wio}5rWJF%l~X?Q!CX6!=p
zdHP55?M~lJn8-#DU3{_ExkSjme*OfZixuSPd(hvw>kDTsA4|(!Ydq=2OZyCtpDab6
zl9u#5IdSia=<J00WZIv4Ir80hS)q3=?VlN-MJUTv6|cx<$XOla{|p2KoiEiU07tup
zNIK#ak5H}iS-XL{m~!f$pmFaTW3Q+$g7LtojJ&;gjPwKeTzZB3qc+%_(|7uP?Iq&n
zf4g}7ZW#E7yL|Z7OJtvUz+Kn*@uon5Fl(5Zp#O`^4&43n_D?)72iIvJZoID&X`sYA
zULm`s*bnbyuvSf$Ag4CUVloNVWRmBNJ0oP<V^P?vk#en^CFqjuRb?;E^OHByb%QSP
zo1?Hf-=Vj!-S?^&Oj|FI6}h4BM7qUz$LTs+THzeU?K}T@3yZ&W>S$Q6y7*C_wno^M
zOR^NH=h*6KmZ%@R7}xq+mO@D%59ip_qmX}V$`{x+sp^68ZM&cKNR;AsP*>2$2}<X2
zid30k98VUDf3W741#*Gx+DXI@SjvkYC9Mmx6t@Lazf{V)jPD%3#wk$HP-0Eg!@HoV
zo3?j&&((zTVSPtzvzGDGU!v5H^C$OL*{N>_T}sgGF-o1dM5y?#AR?O`Q8b3@dwfX4
zk)g2pah-U{3Z)^n7d^R`G`aWltn{@Er8VZEFfi?yC*4NLV63{^OOBVZ;g^uCT<)Tf
zNhk_)>8#~FpPpsRoh9s~+=AaUSZHru6YOXJhB-N6e%*6t{6iH<rBZ&BiW~SnvP}v%
z5f-aOFKZJ(1*Y6j)bpBu%_7%BQIp=SwJq51uhbWdAx*zW>7M_B9EN}<)=4Wz6#<9P
zRHo#voS-CxWLL^_{h7axuYZPn1Uvto@FH<~CV36*qu58jo)}-l&6>6-UO0FHv)7vU
zBwdCQ$$Qw@f)PfrU@tjUZuhz6vH#~R^lVTXqPRY=9Z^!dG6r~}g6$QO&ZewHjXj#!
zULLzAkCEY4mZMO6PO|#`vGN+Dmc?Uwb9X_px5=6Nyyq5oMqwv`(W6c^-0ye|%XYi0
zrT6qsb|w#T(8ERT$hBoW{sHzVnRwm_HR-j?tq0^c8|z<7EFPl}DhT66@3!7ck$C>|
z>qMP5FUsPU9aDu<9YMI}O@1Ie%{2Y~Z!;_=vA%t54-=Dq+xG+vK5<P_t=#mAxSKIC
zM?-SB`@y_G%HE1R-J){UG5F~nfEP-B2ZjEJg(q8j$;aK2%YGh%<kEh7Z=?@9q*Da4
zu41Xl$gWa?9cCT;5no#2G`_#r>2F$a5O1A4jB>G#=96gEy2#3(U>ATht#BBw4?GLa
zeU%XX^GT>|nWo^K{!P8RbuN!C+fFh|dtmKF2-~iT8?}@*7m*CG+QrGkME~@bGc)Zy
z7yWk|Q;xT@ybk9?Fd1)zooeqW+Z4RG<xkM_Cycpt%5QY*Z41(%?^qx)`~8Izeg~_H
zkvApXR))q<TVG&4GYm+M-IzijoRK1CR}XqL#%v-=yjb|@V85bZ&17It@ql@MD5=sM
zIG~yAE1W{Mfnkx^RF?FSEy~HcS52*m>}msC8pwnxyWj4;KySYL=Bh}=^l^WGAG4jo
z>zmt<Ea}aKcAjZ2^j)>5_1S2mtEur$_FB51%Tb_<V>gicwi)v|HlQgTPY*5C_hCeK
zK|O!jqGYT`4(997IKG^vo<dt5!m+~BIxw(N)>t$aDY-M`e^ht^2{Aa|$!#BWvd(-g
zH}zAkZ{f$4CGp9<h$LFMes&q)KMk?p8ZS!wbV?Gli|qRCPCPe9VUrn1O5%j~n#Kv%
z-|t`|G6->CB$7l7FTB|VKSlO6=x=Pe=GBZ7ZMb<md>kwetFx?%Ql=GJEI0xvk0E3^
zf>!KK>-lAaXmeeINcbQU$<=w-s^QlIS4AeIBibuI86u48ot;YMX!bdI>)O&^-@*7U
zHYQd`I-@Av{f;Vv=egfq0j9*dwb4+~q}|o#wm0ECZio4)_>D$p>UHx~MD!nNoNQ|t
z)s;%_BfO9HsXH9Avgz3#clYY-evA{cuQ2V$#_|$vO|h|syFIb!!;?L%yFv@x|8RzR
zu)G1%Opz~B1!@HUkRcdS?<${U&DQR$O|F>`gXv7K;{<uQ+<VHNHc`e;q*mi?Qsti5
zpz^(Dzh4%$*22QEwp5(6-0ll?qq4!rZ7PME>@2Oeg_z~1G_?7KF9t=NCcU3_T1Gm>
zcRvvL@qorHR&IxKW(Vc80i1}fY@mEPQ|zv8J!U@_Q-Y@d7Jw*B<#MurFJFn&G^ppB
z-02h|teqUM8TnOttn~{eDd<Lg%<nHW_KmsJk#-uZ=g!b_&%WL5A>wn!$lr$_LpU(q
zCRI(`AS4~LZTt+p$Ry>nySp*tKH-^#q%(Q3k$ayb+iTFIrhnTSR`;OcA_Du(j&|d4
zs}t(Chby=p+7n`dD#RS`clzy=TBrC{<Yr|fKdar_Jhv)8_26%^uW>I)F5TnLK0fu`
z$i!{fQuk7))WJ%TNNdqp;jncFv)97y7*}Bvxl@mTSF>Qb<I8D}qoyjd@)dJO=6}%K
zFB_8$e*V?DpcX@!LFaYtLoE)Gsh;B2T@Wd;T`1+&iK)u<mrLn<fU8;de|;Y5lSz?Z
z!j)Ya&EYX>z=@~18`SfNzuL-|4X1Cg)mCpv7bEofX8wvh>L||2%Qrx5<d)Yq>p_I_
zfQ{b+q#uaE+P970d_2+$4b1I#K()c=bSwU9+~jjxWBZSdN>%Bk(K8;N#Q3yD=OF!X
zoKOR_PcV`rTg-JyFa}n$x^uF_eA4cJys3>J%wjtJ#_Tu0EVoav^_$f9I{?L&3V5=W
zfzy#j;j@)dDiVCz{R<o3^<Bt*z~KnSpXfL`f|T0&A%K+H?rOB7j$+Wu<tCQir`DzF
zhhv$h=;?16F1*)ife()02GZk~WVkD@Sact`V_LE{k2#`E$Fv?%aua9oYxC54t_J$Q
zI5|4m#Fq-E;9OMq@DmydmxV6gNYKbdDn*u0>k0+qMWR!_BPXthW{MaGYG@jqN^sdB
zk4nMP-I;t~=*XVJ+=1T$0-*A#xf#PZDKE13)s?SpgR_6AA{(2`S(s;tPgjg=gR5|4
z+abW>Do>`EkEdKTeA|v65A~*aJUXFz0qd^9Az&|J$WZp9uXjQu%Ema1>}?u+=}a=E
zcZwqo41#9p44oj-L{#Uva|;s!_AI0~-=s$O*;4meLbmg@K5`xB)Bsl^m2O0vtPJK=
zp=x`EN)Vg9V?%6yIy3iD1`S7Am0IdXuirT|FB#c88UT3|*pH-p+GCDB6s<p-rHuFn
zQ(-F`3&y0>B5)V9BKS=*{z?nJptN@pf!Uo7^NLm~ute3>46K$E=`wG#K61{Dki#88
z*z2a#UxU*+*nkqpctjxw@ffdxu>d`PwD$r7&b7U(%_zilM9;n{->%0dm2+n^FwtkS
zYg@T32ZoZ1UCuQhbMK2wm8%dOHKj$6HWKnW0;@|yeO+BlCm)JQ9iXiQiEuAA=)`Q#
z#C<$tsfn&o`eRxEa;F~7wtxv7|7Ss6mUy)~_xeX%hkvs1nJ0s~qqQ-0g0ag~R+bRW
zfSw<Y91Aty6OflKOly^Q!R@JqGu!r4a$AaO+6L$g>UoVs+sdjaTxxIV4l4+VJErF-
zokQnU89E9sXKdigXv$2dC=j0&F^|c}t{WANQG`F**Z5LHKOS;!92>00ugkhI`UE)N
zcOeUG{%HLIF)Gppo4*;0-ez;@cIB$PNubn>T_60C!|3;OES8Wxd&LkxPM73=v~>1l
z{rCXmPaHPth`3UlhTnYe57~p4n`3skHW3rC18<GW)ipm_#zYEHao=x$=Nv7ajjISy
zvJ|LGJs>cp_lNlU`aP`aj1;qDr;dvZjS|-T6`Z@s@mT2b<|dBQCt+|ChwZn}`}#rO
z$))x~ppeRa9g5Y0^I68(mXz{A)wAI*Qklx@EniR*AYI}{DWB0uq?wGG<8rZ3_Gd+-
znAdlEYz*Ha%_CA|cL{We#_nyK78)x`%)5qXr^#MEAf3pfj1!sa45d}KhR1%|hN;Rn
zsI4>JK88-iRtFy|)|s!xDn%T(#h&oE@5(r%?5Vugn3{q;cb#)({c#zCzSlljpooV*
z(PD|Crdq_V;Dp*Ykb04vTh>nKGF=IsYq7z!NR9<bBs`BX!8B~Jc#P8Sl0co;_9RZ1
zZfol!rS1T5ogD!~b-x`xXsht+HotY7f5OcIcR%Et&5UZD*Z8#~9=lVaYiRKk#Rey$
z|D7ME^Q^^Vy6;n>ml2`Sulj@rJ*Tg^#LNj;N~Prc1dVDM%itEeL-;9Ivqg#vlGBiT
z=DBwN5D4Vu3BeVwJ;%G$Ia^|bp{j8+floEDs~7SDSj;oKzRQve;UX`Sku{$NfU7a;
z_+Y`W8MR8g>v#@pVkyWi!m+Jq>b0nNS;?yAc&<XPPjc-%M5xjM-CcohoK!XCys6aD
z3lBnBD#g=}1<Yw>fFq(@!FE5na_pm_<7u^3|7R#@jB1rGqzb!gtrv0S@NdDA0Hnem
zEgk(Z;xb!y7<Jl@BC{~ta@<7mj2Kgn#7=j*B4#5T_9IDL<B3c^Kph02^7Z=}3&FA6
zKWb>JpPIYr&GpvihGjmA=wmNSmn#{oxVZ+)Z*B9^84l=vMBmQk6*m*hy(uitHTuOi
zi^DwgF>MfFY}c*LP?zbGUkJ>Mx!E691mOw-a5vR{K@AdI>}q!`Y{0K_8jO8-IO?3c
zV2dPte4lgNmzBJ-5VsZI>9dm-#si9Wjn-0IHy||I%olGY;}Ck$xSa?s-QKaxLyHL|
zWUEi629?$~_Z!XbC@Sts7W&&i^rG@*BK@e9y?2JKxq0kxHtdpb_Yp?qClE)Cxch=7
zY9xwzUHaGDoT?Yoxe22^`IQrQ6-}6NkLnb(0Zl_9F#IHFcV3BgMXF#{WH#O79EdIi
z=#`$;%1Ni#J16H{3a1R5Zev%aq?ry2V5ucxx_+nPD@)*UoACp)n7^FP(Uv*;7}`J^
z(Xw;8PP(ku44pVblLrbx!6D3CYPh-V^yN8rnVAKxzREF<Wvv#=^x+lr+^+A!D*w**
zHbd2O3HFBbm7}txIiWE<;)>U9d{h|n{Xx**KXN>%tvt%CWKU)MML*u`)4##Ffv$>|
zZf5{#qptvL?|)=VzW{PTARv*{M*sb}OyLn}SvkilX=oDt;;XNRvj&B5{~>?w7um(9
zqD)WNw4jX@B)X0x`!!608R{bA!}T{BKC<=u?DIeC0}C_&1d*5P`4`pvN&>5=&;IM~
zgM$NH22Ek73U6H*9H%^(1=2^_ZQDD?lrc|OJ(Wlu4Q79)r&cr;%&r(;z|Zx+-U3!&
z_ph&>Zv_*+B%7hLjksryx-1(`K_bcDps7#n?(n{8<`yBbXy+iXav>J5DxoX>!OA%w
zYVUw(eLG0g6r?&$R{9d0Q}^1vPM0(9UVew7*j3E{S&mET866!RA0O}U7xLa&xv!o1
z$!D{*yZ`hrj=fKSo)Cz&^ODTFU(ZTyr(QhTft~EE={!6~cFXKLqNaXQ;~4N8ZYX+;
zaDx_a#T?QEwkG=He~wIM6Li}Muhlrd(pYr;4JP0T|Hs(V2nO){HY&i+!e8Qe?tQ?>
zvVZhW6+H95Tvy=69!1W73I!BiO&?hK^JU-ycSwo@oHx4p>#x1>{C{3=vqfR{0K7jr
zn8d7<VDt8CFb6fT+KuJ{lNuc<Kuke3jHaC9>28_t!49ajVYN!C+0*c}S_vO})z8s?
zJL?-kadr^NQ}y$2>FCI+zRW9ooIxxoI^}2Jv;jS&7Wh>ch2t|6@Bx$iicn|@Cxj2`
z7&6RN5O0(kFl++L!o6*OWt3~FfEYzK7}A^@FTdHIOJ|7hnh4d--UoVv!Cz()B;UOq
zwAlbZ^$%-VI1V9Rhp%2XW-|ko2@Q#jpj;ik<-|$PicQYKS{4R}e3lnYXhs94u-tS5
zd-(=)-$Fi{pg<}b9Rh;kGxvXP%Sbbv*R*yQP>-sOW(FX=)4HD=A5qcqydY3k#5<S{
z!elt{*kEC!?9a%6RNT%+mzI&}_?~*v559U$-dL@@byQ@KE!oTs5ZWnjN7DiMfIiic
zt5Uzj;*Bw}BS}2J+M9?6;NGn}O<p&g&)xUrh?tc!Q{aajYqN`46iQ*Neu~LwGIW9p
zuQ{>?;YaR)u(7r(iQsi$rz5{!_^t~sef)!JCxDJaF~4zu&h+4|1x`&|dS{;jRxQd=
z%7vcYUt>Cn<=GxEQr1ksDXNJ`?<$3P+ggwdsh63NAAOOUR#4hoDu!uDuJPM*e3Fl(
zM7F|#!;}~PGR>+5D%hAf)fkGaCaw&-EOezB`WeL?9Mw%8NUps~_qCm>Olqe|BqEq~
zyJ~Dy9``cQKav}^nflHVDwEy?XRs?tHD)ra<#)hxZ{4S&ukPxUA}TKkTiUe0o`Ym5
zee^t@*26e8a&VXQCNxndjA&R_jMX?#e%Td4Z}IvV4vl=qU0`h^hUEyU`00bAyvhzR
zy`XHOfm5-=a0zH-k@xf7m~P_H30k%F4$XW0sfgDo*L_6y5{Le<krNfiJ*IwxjqfH0
zvjE9c0zD-yX1U7wrE^mecjY@v3r*Jh<{k*6#svFz2CKrZjRYU~&=*DW_B)A!CDeE-
z(?CNfB@?bE_6RY1;9z|Uza1<E=fr3L6*WItuMnN@nl{Y!f!p|UXTNsurrqEfY3`1@
zD7pQ9tUTeo3Lkb=)>cyvrMw^8ibo$fNmhGV(lMER5&+xLXwV|80?z`PK&mg{SeP`r
z!=OoHh}s8h-3~g;zN>WAY~mMo6yG$HYra9l{r|FwC5X0N*Fqdo_BT{eUF#|x4gPf~
zb?u>Xqv0+Zd!7S@N<&NgMnT>^)6y|N#Jb$#lZEh5Yt&J#t5vb(E(bVvZr4bj_!o#H
zfqY;p^9GapZCwM(*}ZqxmZanI%f4?Q`_Xf&`Gv5}QLK4Xz?7JrfP@6rr0S(u>8+qk
zcG`b}1{og(2>qVYj5!g71-;h{hr9d|m-L;evmc{djg}3adBgd#ak{Qu-K2o3^Y?%I
z7CdoM{FqlxaU^<Dzu@wrJBlrw*>4w6hyj~mjEcmV{{<6gG{=2z{voYLmf@KXAO%8U
zZ56{#CZvtX`Q@A>r8mgj$f-3i(>KK+Zk`b}>(H30<97A*WCCK40L`GCI5(g8LvKE*
zXqtyrzBK6SIks6=wD%O($IRDmb07efr~lW3KIr3Vl?wVRO44^9-`QeZHLHBQIgu)$
z2n?V3%kUr(nO$m5#UU&r6PMqoCvDLxX$LU}l5Rl%y5SuZ`>Uz1%cJXyQd9=ekY4}|
zHU-|6Qyset6xHoyVy#H^);}Ot-Hkq8ls?MBY^z|lIWe1@m>qk}-GkLV>X+~bwoA4j
z^JZ!VtThq^EENX(Y)kKHBnjE>f4VPFlSSZ45pZARDpyZ--tQZZB4lr}5esy3k;>Y!
zt-Tt9GXXIs2-}(L`!_haRpUjK)Rxkgwma^(U6$mW`|(Kx@<cR2{gk05r_vdXdnHSU
zE@HhC>E8g@x4uY9B7(2~WIoIx7Q<D_Ew_nx#~es{LG#w7UczrnbG4ebaio-cPBqtb
zns_!{k)KN$N3G7-)1^#07I^F&F7h{)dS~U1xo`NCBawox1|=0nk?<MPgp}kArWz9U
zvXxA9`d?-xyS?q{7_a_jgtrl+wyD1eE!VM>ynAl`1@iesj7t8&!t>@E)>Tg&!E{n(
zNckB=_x*n85oFIXew9elmPwgae@c!F*RTfHSdMe>9_+Q!NS=tto9Ma4SZ2{^4GVvw
z`7nt$kWz%i@S@x;JKu^@>9ywzy`FZY1WWBZO#%cU1Np5E`mKU)L*l^%QR+a92!rf8
z0wZLUV11iWCKc{SQ@IEpDa>d^Y-bHTCqdUi*)0oFL2WH>)scvNjpQJjNI(&zQZA+s
zzuVwdMCeGu^f{y@DqRqSD;wFx!Cq*}&M}yCAoHQwLfJS>>l8ax$3xl6By@50&)WF0
z?J%yhao^v)!kN~25kT|U!6ud$gDCMoIR=^4#A`95uC9(J-8?M}2<Lf!zSRJ4JZ(N-
z9l6tikC(1-$NxZuiP5>KE>~5pv2I!2h5kqua)rZM-UTO>R$Hq{KkHES{v=|*KaFBC
z5y)&$5>@*UuYIp@+30gwgsrwNHy*+ZfvC4Qc`E=dL<cC+`Ow2@Iw<JZ$^xqA@xdBq
zwPN(9_ewDx)JJRL0028W<L9qb9N#UZg<PWN{Ij1$V|+5Z3&A3Ovp-y8lUx?t$miSO
zlePFvZywY#`c+MTS#72LU^65XhM7*yUoOz^hehVn62HTxU5_%uIcYgr*78616d3mx
z?tbZ2hm>Qibxxx7majvwzAa4d-wpluds9q{p9WJwNNqzOSQRar3ah3m>Fi$qU(?9O
zU>&^&;e%V^Ry%G#G>cRdhXVP%5C{9qg|U+p<@T|;^AG1gxg>kzMR9`YK_-*FOR~?{
z{++AuQV`rxj%)j`usp^XpYDS2T;+;4lI-ags90{J9iTP&fvLC==#7CiTrw6ZwV$1P
zQQ?J_97TA{$T%G8F;zX&5;^HUd8AdV>Fax>80m-GUxvM&CSl7vAdS8Ih(m96h(kSb
zF*s~&jh7?7j%bR)pYe||{QVRK8&rzl{$eFZHe>k(qeArl5{a6De$7x*Lz$`E1fD$M
zw7Z5*)EPLTjrYKr!+{O{GK=OS0!5zLbM~@c4mLr^-U20kICZhc%jCE32s&ULleM$W
zE}QW1)ILwrc+ZqyzGn<lF&pB+Kv8N=#bN}rG(JmHI}mVd`Y&&4#th#euHEDZXQhV%
zOMNv+Nn0aIXTjiswby)fPU*eQPa>|H?|SD`dPN;~ESlzdlKM-1B4TLtB3QJo)t-26
zZudfTqdrDm?h$m2&1{e7x175p$)VlPC*#autmfxK4$*W4p^aWQIDWi0I(?C=_lizM
zszNBp83}Sc`vo<4IH8)$q*|xdsKUXSQ2mHbD5y){b_n6!r8WnGKXvYDnp$E7+-@D?
z6k?!29GyI_Xw#aCN;#Yb<%W#`Q0}qswW+x1|MRO13>CwB3g)bGff`jl!U7St&%ets
zChm{X0Y{bXDuUrIMM=p=%963L&NW1SjGSq)?Ubh;&(S(Wg+>qJ%*k0$!m^aM`LSHd
zKuuXUH{(7_5{QM>Nu1l+s*uJYDwwHx;ApKK#8`$#C&}L}D+FRb+A_$|QqBHfYa%JR
z#@m22;+I?vip*Yp1a<hSCD%7Rb`+__Jph&%+Z?IQ0V-)=P}-$sU?PD;*3jOHT5-{N
ze|1L&7U!Eu&C;1?0ih{Ny|eZys+-ek@}A9UwxF<$l1#pUOS0LFq^MB82Je*4ashV9
z>PQgu?TB7X(zbHb(C(`EoRwiTR%hL=<c6A8{XifXwS%Y#37AYUEh@oY$x{h58lWHE
z%*yosxx~|N*lfd3kEqGYQgn|3m5aFCLCe*V@{%!9U-f@jqGsS;Sv!6NUpz$&S{4i*
z$GQ4;{V1CB-#Hd7Z+^q9n^`%Q%C^H41Dh~vi+tuRe@#z_akAoDeqI&jl%`e--)k`K
z)1+z3&<?sKf-t-IR;@L2`><3TB$hgmUudEU<-S%io#+=IuJj>4f7Fm%y+&@?5c9J#
z6H<P9x#uUMT)`CNBN~hRd?jT0yKakUH1=pVO2co83i>>zn$&YzGG;%J_h0@~y9&pC
zYZLXx<_nIR54`XyYrw_A2q1f{QVnQnQ^cEZ4bg5x7zP5K`1zFYD@q3#t}34K+j#p7
zWR2|TKYOf^ob2Q8JrQ3DQLp$6wsY1MqSjV=Z#1)PRS%@>oVDq_9m^F9Xtj63O-JYm
z`ln;yZoVyNTrAIFLM4Ml63+++vz$UJ95!4cui&*jkY8XLxVJSg4FqaX_hG~oGp6p4
zeB!+0g5lN^S#GFFR%^{<(LSkU)0q)~lv0c&a98pl8A~Z%ZmNS^NGc8YU;ils9e8Gg
zY<$xY0U}Ksh%~B~X8qV`5P7RoYi$|6%k#NhHQobr!5=-%Xrz1~o2&M0Lw@DedDr#L
zn0RYFg9E(Ed~FW`DygR{GxI;c4rlajKj`aKFRssjRt0hLUVPTXZs4@BI}?dH+{6-2
z)Z>nVi*gImBmHMttFvzhH7f&52v2T_WG1TX+qJ>CB0rUS&OLu-Kn^*om6BeH6LTUG
z9M%dT6>IR(X>OSw8+2Ykb1`ym(~{TdW4>bK)D3`;bm+}d<^e@6<BHza#2+c+;_h=}
z@<~+UnXblT#1EbV^GI7y*kCo9e7rQ1H+l3n!R^OF!UMHP7i)EG*O|9XZSew<4_cMA
z;rzy^>ylXRQf~311}a|T7v1ta*NSYq(?B|do&((7IrYrze;>ZtqoOI34GOla3>Vm1
z82oTXAqEx0_s-j)*r;td^9T%B-^?$%O^u9+xqQ;wOaI<pDX*z;W>J@M%X#B!cs;6Q
zOr)@8F<Av)4g2Y2U-uMpB4;!hkDDlW?(Y?G=y^8(E(a;~d^p&v*0&L<l$C@O#PZ%q
zw??_IO*kTqB1sj#uV25urQxLI(l2sb9kDM!&F#&n==lIX%Tx2<PaMC39cO99S2Sgn
zTQ*>B`kc85(n>s#*<NaujETFgyiZ31&WbButD1@6_1g$ThA>Katg|xjy~aAl{Z5tr
zm1Cr~2L%@YWD*vR1z4Dm9&zwdh37*H`T$>J;yY36(jjVXW@dJ<v&ug;JsrmDMlE;e
zx0Utrh_)1K5+?&GQ}vQq=LDZ+hmWnH`=)n?m)Be#)ZYmP%c5K!NXq#BNmPK2E6#hs
zAgsFDirZ*F+#U3V*~fCqs9AsNF86S*L?$IAX^VBn^^}|KlnBK_{ZI*39ji(Gl9+=Z
zrPf3)O^9mpc#>*g`Oob|muRaGqMSU*f~EF7d7fIlk~^6;vt`7gE;zOhyjR1j7$LFw
zowZ;>=U-sSDd*6W#NSMR0j6$CB3Jc`N(;on;nqPRYA&sX8KV?D>NLs{S@*1EUoBCW
z>0!}9vUh<Fp)1vUJNvXGut$tyq*R)$zrX*yXzYu^I>SJc-a|i+kZZAWBS>rno|LQ{
zQoGFk(6SgP5lWC3m85g1L|xNzZQ?$_Ri~TIJE7+eqtR%ork1w@hIkrI-C9r@0o@j}
zhkIKl**U+H+Bxj_lfA8XAR5;7y~icH<B8I!<<K{0@b0N`2e4tnQGV+rdqL59xdz_L
zF(dcRC)WvPUl*)g0sq5Thq~s>-tW?fL#WuQb*01$b$fHEY6X9H@lnxMnb>^qmBrS1
zY)qdzdtqe~;}6sZo<4{FYkTM$c-)`XDw?4*#1>Pt@W*wzCZ3vh2KXrT5f_lMBJs{N
zFV75DI3{w+MCcmeL8S7Z6G-tq-kU$z-#5-C|GkPF1TOhOjojPwU&ytXoSR80iCzt~
zbMzbe9WHq$nppDbUWn^euO)I*nRE@kSWr_HdG|6LJ4pPogirY3<12RPRe`jUx~G=#
zrN!Q9+>V^8BU#cY68MCto?h&`iJlCVnwlEl0LrHhn2(YUhL$Me>L{^Cg*OTKYQY43
zTB08S2w*Rbe-B=bYrsXqR>TIm+~+}KsZV1aru1i+##pk?JBd<|Zc)~&Cvm<%CA2!=
z&{F^8T%9<=VQ#lVC5woJ|3KR0!Q8mCdf&pmP9meP_{qkm#Q_871?sK``Og6I?ubwJ
zA^e&!gNRe#3}~y%QZ&G$T;}(Gg5$gGvDtc$6wKk{AR0pJyvjB7WB4netv7|ai^po*
z*Zc_mdY#fIK6<bl-D=XmfW1?}!)GA+T{zk=^fzm1rot4V(x0MWp37H9Q{oTA$w&J{
zu}MC&H6<sXMsWy+P9uDj@EU5WMS~k26Z9?UWH%8$UT~=B-5_J9J&P(H>$>GrD4xcK
z@CJvtH&d;kNBRG|Kgv@2eqMveM!FNm#bbrZ%ToF`YZku4t#hdjf#nUiy*tbp;(gaX
z-7cg~;SRn0l~~QXWQ2!-p242?+{En5<J+tt=Ii6<-U@_VlErCuz+qLD0DxTVh2O(G
z;vQ<dS%Bj?wh{gMelcmh)OpW~Moe6M{zp8@ZFLimk4R1ywN5Ix*_d`BPsgNkyCW5s
zYicX8luW&uKi1-gCwoP$_xqY$#H+1TjmoPky$4>f4OP~xCQfh|yDSel@A|@iF|G!<
zh~B3ML6<l}uV5wJ7wHmUDEp{Ad-D}|<Mpi%0)wuq%bKYejDJf60gE8Gxwea)93G!K
z>&7g(|2m+1vTLHsIsN9U#`7=(?RzSE1xrwX_^k^Vs(c$c4DeY6lV4gwD+;s&d}|JB
zuhCebTBe9~ph+k7ZgxI5abD`=2OVa&iTz;({k-*g5QhUx*5GSU7q9i@Ui#9p`q;W&
z>4lh+YhK(}Z;q@?8R8QraaPL=A!jC+X@Ai`L0K$!?}09P42`E*=S}cp7HD!Ym@g=s
z4HI#Y@H?!s_gLn(G#ukp_5iPbIaPaFM_;7`^0{obyt3c3y%Ae{WKe(6*j)B0$U9=&
zUvwzTR5*Rb*c6nCArr@QsP9>_6+RzwyMb6u{)_rjkHWE!vFf1_`&}-btpeD`p~CtF
zL*mxu9MDJ(&dt>|pO!XL^MEgm1fhFSptu3-PisrzA6pY|@oDFM4k2gLB9Wnmx^aFJ
z+X=0$0>|-LeE^DzuEVIt4aEXNITI5TKwCGiUyqaaM<Y3mjyER?&hkP<fGGv$enii?
z--%S2yUVOySwa~M-O~M1`7DGjTL}l~pL=J5ly~!Nuw>~9!%y%QU^gfhUa|`ysa?b4
z-{C4!0x$Z!qHz(z#jIHF;EplIT_8cb9_~7a4SjELYdWexv7i|X6!#FG3#fVYW`E)S
z@DW9d*Jke&r6YFy<oj1zm)(rmYuhu5NEZ;BD9S%He}_i~ebb*m@4lZ3KNNoVuAsnx
z6zy9;CNObnm*1(wA0HoscLI0~N@k}*nbFIDlhkgh#~it%U`8iXqau0LPa&8xzdaU7
zzxh-Knm>!O7;OF$d!_Ho=BZed-L3&w6Q<sRiReSZ8b|{NVUy`{zF0?+3La=PgfJQ?
z>v9XB9h`M6ouzh^Qlq@8S`k}dL0%`X2ayqq53aDxR=O~J1@wlkWt50{v99{F+{!WY
zo9N8_48>3qKzUp2m)|kuta1@E<zP?qQsqCn4x~*?s7oq?6x%;Oo{Fsc89=pkII-EF
z+vJ$&<vb~yl9S2<FkC?a&)&BTl~^}-cO&EMFhfxLzNwKSWvx7aBTC%sp8K|HynsL6
z)2L6((~bCvhE5}4SjcujB7=?7zQ^j}zZ@#G=38oQ6Jb-qa1+|U6H&=0a6ZBRLU^$T
zRUpFFZ>U<oYv8J(jS|ENb7n)`bd!}+n|y0t%7A~(u{HQ#rWko1%kUY(2-5FH3#=#o
z#af-7(?qRdKiGdgsBd}48aJ;4#HSw#@iO-9RtD2o2N~2l*;Apwi1;>FuTb~-&dRWt
z4&8y;oO0K*PV!OlPSm3_-orbJv?kRD+c%Py#O;R@@a1}iRhAgz%AV-Sy!Pk6!Uuhl
ziIaiu4Lz6*%{z&r`>K4NHJrSTrsI4qHw~O1%li0r>(glZ_J!OfoE7r(>rHU>Zwmrt
z>dg9!Ik!}r;>_+tE5ZV)4k081;O~cV0)H5Tf{xHV#yz98_jPHfmD2CCgnrUMTst@a
z#9+@{riAe50#tiwu7X#8EYWV+Qihjw%+weGgO}JdSwN%F!}rto+Ci7bzx*F3;o43O
z1a}yh-mpYzn;juSZ1Za-pUe~c-CV3-60!NNfm6z73pRZytO-I0)9EU_vy!c=QdC0y
zlqnr|pP3Xdu08^qsm9>D4gjE&E6prh$}YsrcdDZUCB26eluGB4q|#mBiW&yQ>R-W)
z<eB`VD^eaNdqP%TF9_G-jZ$Dz140&wlviuzgo9ZVl?EuFdrNwb)KjsIM-ROY`=U}V
zFu9J1Z!usS(<wmh*-$96$&n2Nxl0KTfk^5xr<&q2`E?u!RTH)NyD_}t^H0dLTzQiK
zn48LQ=N>(N{O`f<AZmQsMpyD(+2idDHoE37LM$agZWQbe!iAhuXLTywCLJHOu5V>y
zP}Mg972`>h-pn7{yuh)xNjnFmick4QmDN3`N!3rgfV&YmL~Mn|8>)lPRZT}(?eY_$
z;DKVK2Yv_!52O$u{VmA}K5$1F-Rrmx`d;Pqo#I{=l`?_mL15Q^r?^W%DYzAkiT44A
z;%@s&!a&_NK&8ru*j6f1g*4$7m%B^T4LOQbI7u*h-!Q4_xBsq#rg9|~hew%tzwsCK
zy!|We>tNwV_7=B%d398N=Pr_X_VZxWl~jaE_<Y;INl@nxASA8%@5#x6Q-8EeBaZ(9
z?Vu6t*Yy4akCXk{noEe9jLrEQAR&2^_T#s7qhDp`)VV3zJFglqar6S>YmV<Rc&m{p
zX@Dc=thw9y(D%2l!&&gj)+IB038djqUu64KA_pwzYIBt1#OyzUmn<nL!K?K$m!YeY
zoHx|!J*_)*A@TH&8toJyzNs1i)7Ynn4VB0}7n|nYJEdz}T1T89zA|U@H-Pfn2iJ8l
z%tkU6PPd8LyF4M-0?%kT?=qwki4MCmm(pvy;VQ0YbDBIq>`Gn@gror=DR=Ty3X%Lm
zuM-5*k?5``B$@bbHX7%YldS$G-~-UL#=-l9Yc*@f>=C3GuLJCOYu5yS!$do)L%AZ!
zQNZAG>2&G5MvAca=ImmYN-NI`qTpzHGR1F?0+icfomARPFdv>N^gmkm+WxR__YD{Y
z2!t#owsXis1R6M`9(I=#KGhD8UcF+h|1L5^Wx!44t;4~tAp~d?(O+DKZS!$Jx64fd
zbOBVWa6mM@D6#$(yc>t3Pk8i4=6i~YWR^Z&h53(qJN!zve}uNuIW-V@K^QifzmQ$+
zcZ33wT*$iP2VhP{<&~8#!zHFl8=xU~xwxiAuD?A|&pq=?V{{a)A-+9P1hX?@fA#`n
z706aMeYd+wtccL3U68NzM?kxSIOx}d##j%e%d=qfca84D=cGK22qK`k%RtGo_4QTY
z1U%QQ)lV==tgSycwhaw?cncIU`zT4g{8m=oLeF^8ym86)QXSG1WJy3;aS=?*?N+(_
zyE7sN1{?D!7`;dnlTsbum0|`^-USrF;nR~IS?m!|FE&9ts!NRL7I@SD?pd_cxR@U7
zOt(DsZ9!f7R2+VJIo7ixGBy-pL~CeSZkQRfbv(>fsi8USP)m7tl5K_5lU{B}vMJ!l
zUt?}5f<_M~Pr#m6Ikx7wjVe?T2O$hj&k0tSekr;cmkph0ECN?&a32lu-)~}70Oq5C
z;4&K393b*GBW%)ntruxBKxJK)n}(zTj#fCjuzlB>gkuOjHDAmP@r|JuN$sibV8R0h
zCY)HHCh669wSlq;Vf%Y1Y@*haM5spi{;U9nL;O$)MT}BP8RWN#M6L$v3h_FoaER!X
zGr?MooH&`K{fy6Dhk^0(X-Sa;Fq`A)CeTd4L`D0<q)Jox`TvTclIZd!o^|~2{H1wx
z3q2bdi|+-}zFrgyl7szziF4Ca@_F|kI-AI*x;iES9h1Sze}aLwe@&~uh0d*`=b_YI
zpSHU0IwGvI_o49T3`rnDaIkA%4li`J>Wr%`vPS4;$g3wrAF5Yf29~O`?z}n93<a&F
zDhRIbbH1}56w$j)yvZb<C3=LjQ+|I@1c>J-KxeBent!V(Pqeuzhv$HWqbA@YCD{BD
z11EdJhGw^B@MW;z>_rj<|B`Dz(48K+;M|)D88mk3F0riRAQFkNNwi7x`hOxUz!ILB
z6qtAq(B$sxapOO%`7Z6Nm7p&=nq*b6AQR+tAMNPZ6R>pm4L+DK=;a_wDD^TgLwpa{
zSM^?W#4SZ-X{i6$Qezg?n*ni55KY;p^Jqpx^r);L!d4Ha?1%M&LMO*iE|BZDxy#0|
z2<~3rqOIP-y3EmO&?(SU-kzAHo%cOTL+bw3f=yg3v|y=4YUjb=*!ACrwtI_1%)XlR
zn4vxiYww#C$&InK#Ie_pmEe}2q?g=mOmbARl<#{0EAows1XWX6HBkS*OA+p4;@JQ;
zm%F;Ah8Hz^Wp5P}cnCydjm_JY%IRPKNrmT@)bU0nvxG+%g#M4D)?PC9@srDL&A0x9
zlh0LNduF>piz?AnC!Nt04mva)>1eY2lFVF}b@c)m^UKFV@(5}o<FgzzPT)+FBp^^i
zDv*Lr;KysAUW;scwtosYfDJ@O%$DKm>cT-SGe|*^R96+i*4g!QG*vo|&Mj@tNrL|<
zB4zJ~wQ<J3)Ta(^qHq1=MLE(J)W8>PX0?fc)J}r{M=Df+)_H)DJAmGhU2EQWW^mxo
zp3zr=T3NtxGXpFLI!h|+kw%NVrMf8bOnES182b?_>jzY#xsD`9OhIjFsenU*Xr;R@
z@enW2nLIvo96_8N9@n1xq1Uk3JFg$X;-YITVQV$`#b65{S-8B<FEMDS%-x$0f$$zK
zu@o759{8!kW2Lx-)PpkE^{+Du-a7<?cg6jxXmq&nESh=~%J3N+%m8}=)n{ce1~_D>
zS|y{HaB1%R8|K4U%XwH4R8I=vNBLO1t}FnT+=`bWdSfNff`i$pUd#$)(G@>u-=VR%
zysTYoa$N<>ZGr0d8h0H;?O*yW?}OJz{`Bu$4I-x+D-fE!A&IR6S|kY9*k`$1;N6Y^
zQn$BV&kRWxTKXTp<~Uk`x-xs64SV#RHBtgtg~P-2cY)3hh=V25Jg|j-t1zY&D-OWz
zY#Jy@D5O==<zBlA+TPb|kda0`QF3crv^0||S$eCH^IDmr0V+8;IU*vWqoadO1(9b^
zYSr^aNok&+Um0QKbG(%@3EJ+8M9Qe%IPG5sH8M8<ync1>@cp$|=X%g^*6Blwly8Rv
z&Hv%;&BLMI-~aJCElw#aAquUOtwl%^+C`zwzNG9sW0~xwBH2PHOA;b$)-lGCWF2dE
z23f{##u8(n-~HlHpY#6wuJ3YPpYOTOKgXGQ&GYqK?)z~+?#F#UbFxhDUsX6svbM2-
zh{+siLqzY+k9~{6B-@<if?X*tF1~5grpb0Gp94b_3Z|}q_rKF_2fI^_2kQnLQ%~nU
z(JnF5lmFsaXRToLiy()&Nm9*)DKAq?&)5iOdx!(p-Ptw--TqBNfZUB)z6w)OhjRa8
zyb<u@NT^V;$J~GwaXkoW4c-{x7v&}(H^yn#2N^^k#El4xKKpk9apOc6sj0VbuEYM8
zgifbedwyHeY$apL7s>37`uZadEgc;KMaQiKU1D$iINh<8QqWy4Br+OCtmDg^E_s~5
zkCh8soGF!Dwp5A`HHW-OO5RKxwEY+!t~&S+gNjs-9S7il>mukMpjyei<5X`hGw(@<
zNo|gi8f><Xi-kj1zLS!MP2+H5f-Ww?uKyi0Zh->WrE%SME)~bQJPkh4o2GfEJ9!C7
zmbwUoJO;;g)d#{MvtILozq6VfRA&n(rMR4a{o#TU-jsda1%F$?IV-}j7ePoKI=B>(
zdVz@g*n(4EnIE!6*C!qlaSOl|yNo1Zf9)$q(v^_(L~@_2$jc89?M5-D>#?*L5)2jd
z>p|RyrN5>?>erB;m1jNl!^el=+UU);GhWyZ+tBS0K*UO90_EM=*@=`tL8cZvizqDp
zz#!jkM3J+vSmFqw=J_gqmdmmf7FDxIs~i`aGaCis!)Y>}(llqYQ}*!c^nzM9tqHQO
zF)1lsbRfuH!EZ(wFp__zjsL(eo)n;HTItrjXpYw^_zJeBK0hm|Jr}ku-=hcZLC}Ii
zF@Tdw?%*Tj8P<QI<9rMZ+Si_MhpAmI1r=$;SH@xB`lMFI0hF#H(<;^g#q^x%5afBs
z3t^AW(?cbHbHTEWIS$FAWAElNDlKCRmP}*jWYG~(<R*GB2<&Rekba=>`n{9Wyk%O{
zUzI8a%f!yk=r3j+D%-2y30VQV0wh@+_)YMYRs+?Vz_aXWur6WK@MOg##QPwL_$7v^
z)gYdy_mc~{^057VpD(lLR>Q~Zk8rwyV|9no4U<1!JthdyC#9J_Q&ZPfA&YiCF2Wl#
zn`{<7QF!Ydc#*SNh>Pw!qMtnSHptN+x1fObf69})o*&L9L$Mgx1n0$B*ty`xqc%F}
zXlZ>oc`V!_cQs5tl0no<H;rnSszkfX`X9(N^=KEw+D#spnrT<FMC{fM<TRJLZlPD-
zwu<l#o`Y(4s=V_K0<Q8sCmZ?Fh(N4j<pcMNaIX(t2k=|+<`b*D8k%6*G!MC89p%QT
zhB85n4goP-69?hUSxgpubZkmgDOwO9sbS3&<}#Z#@pJv50?9AWl+LB_v93Kq;Pbd5
z2^0B3P}MR}H%p+aB9fGK;Gu4S{P>nG(OZZIROLaQciyVt<6>fZHG8M|iGrS2d^+hQ
zECn~f>1k}C>ofI0NpLkxIT57RIcq>lc>$$}cYT~55gq!=(0p;+1UumN8eSn{m$UsV
zFlo2DSmbIX2zhRpk+|>3pLLKt;pP)*M8?rMWhX>+@$Bz4>$i2o3Y+o!1V3R6S_w$k
z^oQIB^U@te1Rtba*4NhuI$gbel}=|K8XWxc;8Z?(OvOkxjc3EkyZ<3G`DZ^Yihltv
zW`%KCfLbPma?u%X_&hUGA*zv?pOSL2{QX+wx$f#-Z-ErVp6Gvq!ry;hab?k7@g#|{
z!FW}uFkj0nty@J4@ac=io<J|6Soq)KExL1&oY5J}{9;otH<Az0#tA3k{U7e*90VOc
zoK9DLLq(E6FYOs5Frt7fDCiQF-=S)ZJA&%SR;LxNg4N#+`6s-;a=KpC*RL1l<$ZBt
zo+l||IhGwbV4<z6-e&2TNl_DrV&9|FdO)kf8|Qjhzw(`!dDAZ-rr!u*`p;h58_{(-
zy&$%pdROP+0KY<`rN)Cvr^)xNLca_QjuRq;oZ`Ks&W;>=BeqIzX6*B<3~NUvI5<<^
zLHvfrQbW|R!>M3|oO|bA8$^<P)PLP3UH^P@HAIA>BZn@}m8}suy}w{$KOin`aIS#M
z?Vv~j5+KciXY{KN80Q#kRRt!@N8~uyV>ojrKw$GpUd|-RB;A$wIJ!7~S;5mmConJ_
z0)=b$HCHL_@w~lajtk83@gE#*)bpa1eA7S41)Y6E>dJo@=p7|Beb-gj*5(%8zJ7b4
zslp$C$V&8q6{LO$=#kWv6mv2WXXtyVb`OE$-GE=2xAH&E6dVX>bj63F18mGEI;r{c
zSaw8PHtAU~D^IJFoG+yjXp;qtHMA+(qNKNA0m#TtsSY|xQLOC?7I<iV5sT?AGd0d6
zCFg6DXA~!jLn`sqLzM<xoW3H}j$U#2P9xx!&Q490TBz{ap^eX$HOwdZT(CMC{N`AN
zN1y+zm#cs!o!FlvFFu{ofTlHp&}+GCv8rnk5tMb<E(W+vdVU^Rmde@9CTl$cb>pXu
z29pN3XuU3rFicNGqZf_2n8)}C_wevkX2*k0961X3EBI|d?y!qZdrQ1wA=pZ6Ekl3k
z5IAtUCz~(qyL0knbJ&rbAt{gp9VR$Umd7qOnJ>*ikGrRcG`wJWq+l6Q{-HbIH)!`u
z79zX^X>o5BOUm!XdVc1ixzQsX059sPnTt=hXB8)5zJe651Ip+YBxVa4mxDT4VJc1=
ze19l+Jj4)pBw~~lvj52N2q`4}s^}7ENuV-P9yMmIV%8z=IR1>wzH6Z~1;4YyYH>Ja
zdH5u4GG+0{$)(AY-h#A@p~W_HdAU)uioUL8Vb-dW;?ESziT<f}jhpj9)=OCl8(|=q
z_0%X5lkJF3aVE52E|g+d<IqW4rfTCJUQS&JIo^DN==xBodV8%$$!T2Hlfh415YNBj
zr=EyC`e2}`<AvFoz8ssP$abHuS?{jbR8C#%`ug+Ev5-3O>9P!@%8ilV&uc0fo}gFU
zsqWZxUuolpCle(w*p%U&Ws5V2JdgGn%`f`(J3zs9;T^#SXUl~*ue|K(H(26K>*PH-
zv1`G;4K^-=OBC7@FE}y_`BW$$hq1<0cwszelk5nRx##9Kok~t~>@>&8+!Uj{(%{OA
zZdZV20gL1NPn>B7At3%rK^2SW*Q=kzf>4ts{>J;*>fZVr$L;EvfJE2ry6c!?n}|dQ
z`VPZE=PT3$X<bqL9TOQ|_kuOgeL?#q9L=N;em~4Bp!>60UL0L?26+w3VuyP=SzRz)
z?#}xGjJvOBsNQ1wM?a@?%Z7^ERa8n_1y|p_bcxwMs3tXyGZrKF?!3cfrQN+i?eg+n
zq>tNzQ0QWRV}q@AW&XxDJjk<v!V?ZRI}JmD_~CMg*qMdsJ3(fc5P3>5%8Q^VXA{Zj
zs5M+cP`|HE9Qi2lGk1Z3!){S^WlqcJ?v1yfI_+l{bpJI;vAak~AaA^%`Aj44@wjh2
zQ~0DrsX*Ot%=fE79V(!C2E>3}w(X`a%L6XUF3S<Lft90E9<f*sodk#2jhMXoac*x0
zZDFyqCWG45v25m3ouB0bH*x6>*~Y%$&j;!GNsUon1-<0FtWy$?%sOaE=1wDnr6(<5
z*7wDh89Jm3gtg0AQkyrBu8AbY#>PfPMWv@(0f2`b(w*An?Nl~>>**QW_}Y4*SYWzH
zKzXHT;EApy%@GOT01)|~X^fVN`J7`nWppggru*_vki%rQ{e4-s_nn_Axs35<@}W|Y
z#0h^xD$aq-K|%nR309X0+HwJnvWfA+&k$oK?~}N#;5>Wf?V87QXB^&;%xqPQ-zgED
z>aTGm-;L@07)s9Xxus+%!s-HL{Re<+0z;8(DS>yz<F+0b*3i%Zd)%Jyv=ENzJV6lH
zdjT3+{(1}<42k7g*)x>`5nWx4!Z%4*+{t$uU4ixRV?L@YL0inTzaJ9sD{dPVb3)2V
zK~ZYX;@bSeLcL+>N!cu-U`Q|gmJ$_D&LK43dk^3`Vrf)ASRL(=(EO>1zb;SWvcZMp
z)*X?D=_Jmhsppa&R=cT@3v`PPC`}#hUcgfEs#7?Mr{sm@%InC|+ZJ}HY`S&yx3Xfo
zrM(@WZ63*)B;7fl)oyn0l5fO(LoBdd37^*ScT<v@IdEDa2&suT$^nGLe7`iBCe4GW
zQYWX-v%p!50eaA)?Ua9?`f#AnN3;BJGjVv?pmhtYdTo7ux>lhpnQS(4T<Y@;ef?O|
zZ`hZh9;k6yo?2R3N<L%W=?m-{!m=js8IN_Dk1h4#K)AuJTep${Jt=LA6TWF3<-3br
z^3~#ua(PGpSwB*<#82FkzZ~mQc=b&)OyR9;X2;Q+lJ-kqpCo|QoGtCRx9QdeGcjuu
zJ*65Z$=Q=D`U|M6hOCh|;AtsYbTzs;E#DrJ@F|cmlMS`zI(E~*QtY8vK6DFJRgg`4
zwLLz{`$Jj}#G94CB|}3%v%)_@E*3vh);AD6<p61wkep*QJ>1xI$Lhq7=4Me0S^ZeX
z%iUlMx7}o+jk`-OVqF%nE_1;yI4E3K05sz=lO7=s5|t+QNr<j!?Jf)ENx8a&Alh;l
zZ6RW*HDdbLFXf}r79R&$;8b<)W&2qdjBh=`%;-2L-+AsORI3@#5j)O)z4{SjTT?<B
zQ8-l-M$^Q`XC;h^<|t&-mKOq}&~pZ#NVauvJOy)ZBrizP2564eVgtXZ)C3CfKN@OZ
zk>;5(pTB_rDu8Z`v?$5>sB4}qD)+8-tJhVDUxpf?;MBXRL$#siTphiz*O3NqzG1jz
zZPm%s=B;19QEZ?STw{LQm}pKFnmRpwZ0V*H#Js1PO*!^=Pd7h^fXwemSd>NbU?=+_
zsQDo%m*2RBeLPjm&5As1AI~axt2+xu_N%|~-?MeT&cEPHvPKv`S#gfg9H1|Ud3V*Z
z6Z<;Uj(}tq!-jN~eRAjFD!`XbCknEEfhv#)+TsA5J*(-Q-0^SpAb+^~Y|*POPk7}W
zPOto!&3}s|?>13Pnm+<W0k-&dFuh>**LZmJ$k<qBTB_sRq|Hc^N~`}^b5i4BNo{L$
zAQ=3Jx`}(kAP7%}Mlu^}8LUA@VE=2kxLI4qaEP&>YF45WX@VA<5qgtefC^k;Dl#<1
zApEks%d9(sUY4<bFjY$nE;I_QqhJA}*a1CAOS*FH(iP~-Yu4YBZwuf%Xa@4&{Q2_`
zp$MHi^;00y_&5q!N<=f%wbapttH`y3*sT`{#=)Gboi7Idasi>%MO~&uSv4O=W+FT-
zI}HS|nMQ}^*rFVapYM9rC#W5>0qO6tVT=IgDwtnoa=eI<(vD5xD_&N&9Wsn0K}QbB
zF$`{}RY%usiKsIW-|o(8iK>}0y<O0OBU$sRbIJOWo<K_ZHe6gt%f%*OwXXw4=B)`8
zb|P0A@?ros8(F4oX`U9i{cwWFApOqhN7Rq|9odgk_cYj-guNS1c&TdoT&zA;2Eo;P
z_<x)>eRa5^t}H+frQjPMui(q8HZsZ<z&ca;!+)>2a21vqG^CPc^3M2%*yHgJ#pXFf
z+^jOK8HNGH-n3s4%K^rJm;IL+B(t4#v8!U-BjA#=qif@c*kb(>W${8?>JdR$yxT^$
zrs~s>mH*5}9tu0HKtd!Q@mo?rjlM<toqX39X<wOp)1ds$I7^C4sTe-am3-rY{J^^o
zt55RpqbE!&`IM$t0CGC|AvP>G-bmq7g^_}@QfWqlXwq$qy|!(k=D3vjFBpoZ4GuCf
z8dr3Kq01ToT{2~voI;yVsSz7E(0t0g6Wq^-KG^zEO&D0g<U<Gl*lQlvJ4fxmd`o^h
zC>6zLn;k@lIm$ZG?@AKU$<-z})i4?7J76Z|+IKB!bS+JOb5Pf<l=i~t;IO&NEhtG9
z#6xX3c4_9{F4c0UZtM##{^nW);rb3lxOB$%V_kkhwZCeHftJ=qFc*vNwA!vNa}Z;4
zIzg+jM0L;KCn~k+^}f;gOu4+r^kG?ah=u_g{IvNcCnqCtxGR6D8bx_SVsQ*^7rI3d
zaHdgRXy(iP=0JBVB|^fFHqIys0G35i-9Q%IL2IT>yDZI?N-C<vE+E}C7&$K($Y%br
zlEynd%4ay$mhpkkY8gb(7CG3>r;c4cX>N1r(3O#%8jPt$D*HK6wYklYUq8@(EiEtk
zz{6pGSn7A_%h_+s(C)^z_K)0*`M$cG?J#~_6GvGpUuH_79_2hYzj@ZLgT-!Oz?UPx
zrug}!)r8mQ>eit|QZj>Dojlgu()3YH9TxWdAg2;+as!^~b5RLc(K$~dWNLUT-wCC!
z(lN%(f=ag)m>U{eA!E-v=ALknTh?fnZnW3qlZqK2R789{Y(vST#yb`>D^*5FcJ-75
z38(?d74uC9+)Fz6bYKnA9v`Yx_jg^hTd6_2P-Klwo01mQ?Vw9Q(+h?A&^O_%vKLH?
zkMd;U-bV^!N1aT1%&P>N*^hb*&>eV15>dqx#`vv`{F$&OTW9mfcygoUZcUQ&3{RiX
zKah5MFCqM{LomQk<m^MG!5rl2S|j=uAA%$bh~$`fZUyMbTOe7$)fs#SoS3Mh+G$6E
zz$E86-zD_qU~t@vFlc1HvS)%d?aLdDZ=X|Iw~Dw~a}y;fx9A#A-Zysi5LKMAyZ$aA
z{9Jo&rsA!{o~H#I4T+zE+EIO%=%lG}R-1f831b@8JsC_Gft!v!)102V7pxu?2!(c@
zkj+49iN}gRR$miO&#6)Sa@RM0=GU)ZGcy&g$tvleWU-0vmy89F>PZ@)QQDnS@LZCU
zE)y4YAPYw$cP*igE%xz9e%2;j16THs8%SljvvdZdSBg?HWe@;4dV12^mPMXax=iBS
zbNgoohv^l?r_QAlpW<ydM{r^)&KbcUgph7e-24yPmq_6w5;<{Jk(>%000bauDPl&<
z)+zTF=}6<;T9rWrNRETbY%s+UOCv5zDU_U%WZD9PE`Q0>tbsPnj8S(O%cLPCU$kD@
ztR#|=p^dpLbRp&yN=#caNyo#E=U}h@9eIO%riu55Z$K=*wejv{2UYUd%z2}y1xZq}
z1o6Rx9s(G813E%Dqn@;vb+L%{N^hgOmqlT>y~@y@mwEV;vwL2FvvGOdrI}&i7mqaN
z43L~-@;>-r39yFC(9H+)go4GJ3WzNSsKeXsN-sDI0o{I*vh&rmo;nljw%z!KS0=T!
zk%MA_v&)#l6W`T5rt2D!vyG%%N-})UZkF}*(qA<ZJ9=(qjy+{G!WB_oiC%m}N!M<Q
zZqb0QxEHRZF>xxJiN0L2%_!u@^e=R?{h*)=><j`DpwE@pl`J#UQCZt>wY-ESq`km`
zX$@$e2PA28NCajMnGhs{4~0+=+&2fcO(G!0rTYb|y7&hK_^vwlRBr#4q3x{{<8~_U
zUI+yXeMX%^pd;F8idU>~*T~t~6nVbRi-PP&Q(JLbt`EvFl=pW!NOI1*cJ=AAu<cNA
zd2!t)t|d>ZfmkatHQG07`6%7#)S|didGJ>ai<GXynZj3>do?(Crxsd7IP95f;ONw9
zo^3_nWT6ZVogk(p*YsC~E<M;ib+z|qG9pxCzePTyxLwr@_i!=5#Hu$Nv5X#ms%E?A
z9+nHAeP*CjE*yQ8+VuCKz2zDuG8=;&9tAkZ9Vme3_P$?_2~P;|R3W8$NLfrhDz;MN
zym4DtAA{_R_av)NRqqqiI2+H}%;@OG6B<+k_%#_2TJa14o>w@VN-W1j@^Mu%G?ek=
zNV(4*8I;@U?1EelaQ(@J^k`Rp>I>17@gRrg)^MnCQJhPxqE}G3)VNxI7tha>{2`}O
zGPb^l^kG|&+SO!b^v)wk*zcitGJjl04^K1@XtIx1_6bm`HT+|1E2xsDQxzh-z3o9a
zd2CEQ`*xBQkZ$293@FOn55G!z;F7$3J0e4i;TDfqK!gg$2X<z!Mg==t8XI-*9q(ju
zA>zg0H#^}si;l6&qIYgwU*)?i?f#xj`0`Ice3fP1<qSTl;t>6o8WiP%I1*nWS>(9^
zDx~($Tl<b?9OmUS*fP}Vkm9&J=P=y@aaUt0CqA{H;K3$Mn??noEt?DwVE^^&lfzC<
zPNoy3d1?l@W6dJgA1!Ys3mjZKh>F`m5)WbC@*m1o-PTD|XM7v^7vw{1+D)-4-B1~)
z<WoV4GKAqXv=W3xuQxOkg!MhhNxPvwAMX|T*GgMMFBb`Pe~ynK2QQ#-R`O#6K8xg$
zGN8wk{g!nIEhK<_>6jL5%;^;u9Bf>@dky;j0}1!hR$+5YIsBNJnE%a+J*2B>>1%&(
zDrC7!Bmv1<9lHT+7>l1irw8$+@XPh_xI%4}cufkCrq4=ou2n#8k+}Yq6dY0T*b;-m
zl)7%QVigR-+K!>GRm_Kvsb+jf@AtFgbR%BOTz@BFzvQPHjEXJ7wF<k0<4vm`5mm^I
z5AtSH2YB!@0V+<TD_&J0r1}`1fi_M`$+P{89Q%vLgTo;<zXp%k6Eh4Og`3qgOjJ@T
zkTB5hQ7z=e57V!*vui`mbYn(wI$D%&SK9Wu_0-{#4mv`6J^Ex9t+F}4U}U*@WqG1x
zq@+qAnFj%*y}f;970xZKUX@^a)ix(zJ)&g&wKLsxjPYeE1WQpDU;K2CLlapN|JdbY
zV7n;(_3M<*rJsFcE^iIfs>Z$Y&-2Ni)FX`e=1m1O@^G{+Ro75&@@P^lck)ahST@`v
z9sT_HT>z4XH-)lwn!6heAKcNwiE`LaL8j_LMmaK}A3RJTaR(FzqvYZ^Y}%Z=aFs`I
zn@p8~vYC8e@)exdp*?F$YrIYP07l@5#G~u_!D=NaD4uDUxib}gKzRgum@q-%{9^r>
z+I?v+D!6h-iu@Tl)R&&5B`q<;J!v(lbhZlv5uMCd&r&n?x*t=C2t<xq1xWJfk$~-W
zK<UM`i5us{%P59S4pfJIdf78F&l0EA5%_uKFd`L~59`HlGB+5!I)1P4p1hcf<^D+R
zwl@IG<E5Eo&yU>~kB?Urk2gt5*T1FNB6RbnLaqw1_GahT&u72Cqgif0HB&94SfHd5
zt>iTQj4(rch-qYDtU{wgIa&;v9ZzNU^p`WSV~Gwv`Qb5#YCw07OjAsvDsie|I<!(K
z<w5@7D}|*lyTR+lNr^w9+VZ}W!N_@qz{Ho6q%h_?Dwp__`~NAQ`F>3jlq<u>YZ4v3
zKfOG|942As-&1jCx<X+IYp$%@p(HpO^i)Y9$w@q%H(|PxEVin>H3>g!NyiChnl~K+
zxodp|>ER}p*fL8jo@9$}-AFZ+^jq36_l2K2z7p1Wok=r?Y&B?^LD38ZFC@jiAqYcK
zBkxFp+DV5ye^fh+bKjLAaEzk$wSr+eKIr^A@%<A|<V12Z8pt;eb^b6Tv0(RMf>3kE
zj4ov|6bH3K_oGYdS09X-ozE;FEX~x3CqwtU4YGY+LOJ#h0R?5C3yS;(^)vXD!WlfA
z$}M2BWnoBX?CYGfw?Fz3-FL6Yln%57_w^vkW}0}=$HL|kzK`4ld2$vtv(}-?lZP-R
zcps9)&{0}w<^Bb4(iR<ONxKqlIxduXk2$~O&<`G$*~#Y1FG|{ND<=?>C-4)oo{JNq
zqw-b>U!W`oa-DY-0^*w*y1F8|7%4a3K|+6jLK2dms^G`4@okApCx}N%V{w+q*Q*}g
z8Tj~KrDH%q`LmRQ0~|{S2i;4}i7NG<)S8NrJ~1mxuvZJG=HayJ0BdjMXDtv=%}&;L
z1}=-oBg6{AtrN2?;S`zX=!)-H_j4POoew6?`&{KVM9{wS-m9VL*IE75^w`=e{S)oh
z+9LTU-Jo@Ae6bx7bq1;+{`wyy?<Wg)^B{{{F=Jewg0mU<KDX3o_aDDHqm&6@^T)}5
ziak807Rsl*Vn|4})dN06{{ms0m9)*esr<+MUu-|E7qkFnDuMX?&oAX2dze6-XJPlp
z=UhFsaXjKniy>T&Vs(VxUZwYBv3aD5hlutWbsiX4U|O<XU_mbFc`~D0$&XFU<i{rH
ze6HWS?j(#4Yiz=ECVnygK)A-FIBM}QRr>|Kh@VFmA$%XDE`zwAthxM*M=x9Eg}79g
zM9x68th-MITFvgw>j}=-AO}k75lU`4?TeaPS2vTC&zQnPLMkRv>wbb71I1-PdHIH;
z6tqy?1ZM)2M3X_l&WeGgP-E{(b{0V(s#kha`8v;A_H^pI@2uKH=uid4`s;d;>z1(&
zVQOS1o|%Yq#NZ}mzF&X&FAH2BE04Kz!_b424{c_2LZ`q*;&;HgF}M$mMbe>+R&;Bl
zIK_)*#t!J+W8ju#HHXv3h4(z_<8&(#V4I1CGMmm^{gU9P-I|@ll7gDvJol%X9jWB;
z;CC!4<b$ok$NXMUql=$^Y3rKqIF4f}{32KAXHV!TW1)6NL`Q6^apcb(7?<ZlId%<e
zv(V<qwfc%vF3AU2Zyo<aWRLY%H<Zbt>DZ{=D!ac#*AV3=CG!Z!*kw5yE>+)a;6aj;
zpBr@g2-`A*5dAq;nzs^VH3Rg0Y}NY<y8Y2Z;pG~weQdEcgCX(Xh%xEF^4|%7c3C6P
z!XYrR60!g)j)3;)6}d%~wyRzhYl?q){r1CUvGDT0tv(rSCa}4m?Ls%t#~2)5%mWYd
zy!Ln*%=YCb<ybC0`Gg^<novr%nknu|ddQpb({hfFi(R-o@djMkGCgQMpY!`_Z{g=U
zD-RZ46`KrlC?UM_5t;Q0-Xz5_dY^8>LLrlFj*bAFfwCW)NP<be=!uBOc|6{+VwqWK
zRzVJg5j<bD*uJ9^jh#h26WUTgdYszjAIFB5vx&jwPXT^%J6GbQM}6+cm@CnU1{U<Y
zk0$0iUM03<SoC%b#DB;>Y;;$}mzQvvFYXr3z!L<(_gFMufT~ydsu+9g)(pQI{232u
zD-p?Mdf*3yoLK&vQC^jA+{pUxh4rs0b}>XPXqa{Fau2<FQvlOrUL>o>)|(OkSWA(K
z!ftY6;I;A2t)K1tD-2Gc3DrfV0ea<X<XvLJKi&VT=A}z$<bUc?&HrI5q>T(ln`6r-
zwl0)=3<*c=Kld=5q*r`JDJ)hi7%yY<x=c?g=Xl}%1%r)SW}Ozd+xRx|Q>E3&=PY}C
z1d@=J)U{2&s>!X{j(OX`{=zw+XW<_tlQq+Hq#>7nAnfofwf@aW9I)zOo_Dp%RrF`x
z>+Sffy#v}y&bPmklAU=a6p@{5j0@lxHF4G;gtvaEzN3Xp?^PmZ(k?yO9=LPvyQGp3
zllOPDs2goCTS<eU;W8y=j$`uV+@U$Q0mpSJqqT6LF??8s9NEo}x!dCMm>#i*kN!ZH
zz~@oo6OvV-;*6gP90L%DA8tH|Si1b$1Fi~NwU-I6@gnBoj&Cnmv_`U;vq#|wV+oB_
zeb?hM->Da&S>Fyn$riS$>l}Bdw|XZtp1z|<QWXA7R&8!2nGw-E&Yh^?;e+42qg3M4
z31~Vz@!9D_4RZ9aK~yO@?%Y7xWda)CW#j`~_1m&A%j-(!=4r8c;Jlb~@TltZ#&xS8
z6UcHCdZ7AV{Q}Jku&0(WC+_M8IR1!sZTGe$yj4LeZ{U_N-n%!Fb{}4kL6Q!Qx3*Hu
zl`y%X(#8dZ@Y5NM<}$JS34uwyh0^C)lz*{9wybXVwIDp`vdGDD(Vr-t;=Mxy&m#Sk
zDCeE?U;d19m-43Q0em#f9S%G4iXXfGdlo){<6gRx&Vq+UoDO~7Ol*_X)kZW=mL1LG
zm6ak<ZREQi4;L!sjr)`a`Oeao3D^vWp<zP>QayTI^=>4PK~Fc~MNL(0s)SiNAPm_u
zcE@k3hN7f00Raym@>-B1H*>Ys0@Gb9eP6f+cm(wlt##xca$`Q#QmRC;*~EYabaID<
zzs{T<^)i)PGQIYUyoslzaX`t*A(F&W7#$eaAh7V^zGZczJkEtmP9B|cXxp14AS74F
z_}Aop-;9ZfGdkstA5mYLt_7(@C%2PO?gw1BFU;E89?M>^(Ay={g7fu>z0?(Bw^06+
zBsXR~J=N#osVE${Br&y_@VTOua!TxuK>;Azm5?{)AwRUK{O!+NgVfBPSYA%6^6uTb
z;fX&|eX!<7Pi_2iGN>23aYNhNWVY}ry=rmu!U`nhsfp-F_>ik6FJA*dy=}y}MK<zS
z&;nD$?DIsM_vdAi2!M8b9jXVqPH5v2xW=mut`<0$oc&w!J7-*EO&CHoYgfLL7=Sh+
ztTxbswL_Nofo*lncH338ApnK3Y2ndNph6Je!N7ST+obi3=+&b28J5|IN5IJ`3B&IS
za>^wHI>N}=#zX%O_9R+!Y;L$5(|PnSfUw~=##+T18!|Zlk5R@S4`CW&Z<*G5p|MFr
zFyzZ4cY3J_z13d#1}G?ATx+4XEavNI6aI-Hh_BpPcWNDSH@$v5%E6Zyc5dQTJwvbT
z<`qi6))u@3=vF~Fe4EAoMwtzM`O5n1HL>pr9ZR%n(xuz^=f{1y*Pj`*i``g-JYL^-
zCsS;N)ZNg=fI!zu$OQHKn;4dMwK8CF^|mX~?261M2Jlqo%UXRU@9fLGQ-x@l+zkjK
zlo7zN88fFfUBkBmAPFfb_Xaxv6sqJJm{Pqmt5%V)S1J^`Jj4I^Ft&yxjSn~0`0D4U
zgzqzznv%S0_V015QUMzbP-{;D66L=>;h#YHN!F${I}9ij32}eF%>U3s3iqj!fqpLN
zr+c9J*f$}I$-yO!79J5hKQtpCtu=i*VR<pNh#CXe=K#Lmyf(Tmi7gW!T2j9$Tx<TC
zeDuvOx6tdM%H-u_O8*&AV%{R%gQmYd@*Sv0S(&BNJPUFgi-+%=eJs8L2=UY$nU`MF
z*-WAX7tr)aK508oTsl?ff%?I9u;C+R+~XkbOm(L=FGX_Ho?Gl%@51wdtOK32>eL>)
zACd7L0hI>Q?58~TrbKgtkK27zsnj}(`5~Wg6PuS+k3|GMi(g`{{|SX))}+30sib0t
z3)`=|M<khv^-mdx-2xyey0-gerQ95veK_!cnTIP|DBXO8-<tCS&14wB7{u7~N<UZK
zrWrj+h#<>*s<AHrBm|;4+zfu_DA-C;NOC)(h0un$M^8o`SO1k}o8vm#<H5AR$C42e
z&{qBR6_*v$v57~)$M??-Y6_HNxwmExH(ooVbmq>4jFG?BJ+Z~tZSE-^K4Y@Yy?+^^
z`%5?ay3u=<we)_`_6~$1GIT?}dObQeKW})BDsle#J=hGo>rT4-ZJwNMCSMThgp!7B
zRujLf2~O8Og3|Vr_e@D7o1Ey!grsjobWcRRVtQfza3H3x+|91e&DNlp-cV=!ZQni8
zPBrqdRISkd-sNY5pJY;WXv8h@xt#%SA(u>U^OXo&8ds$f-6?U|_aXvJida+&LxS1`
zxX<R48x%UHg;YMpwxRJJcY96!430g!-7EkiqosJGo&M6*sRM&>J&TjIFUW5$8X|RN
zNStNN8@M!Di{`<1GW&*SV0(&4+B!JzTM1u$L)7H%COfO=E?>8<YPuwVk%__+#ob+o
zWz*_Yk0c8m)5rOa&TNaklM+N}cm8<(20^4e@1D*5JoS2hOhn18P+l>1TrH_>^qNmy
ziHBZ!OZBjknhEYoz41-i>t$g@^EyESi>(G<(Mr`<F5HMwoziE6j$zQ4bItrWU5&qv
zGRFnHd^c9>D(Y#ekITCvmmk0MeTUNL?pGAMZ)0-$`2>wahE-k<o*i=j;&=m3RPY&P
zaA{U8*5eV$Pm2uyzQ2<w7p_ni>Mnx&^ftF@N>M1)b(!z`^o-oSJyHAnQ1rw6AN8b5
z4rGy%m(>pj?0T$0xn`Uc&0T)*Qa%?k!kxd-WASr>V3E9r`HvQ~e#th)yXDgS7{POK
zq?tUo@p?Mgwe;(|_DDvnABh2zRrKjoU1v~xK(=v2nEx_5v&74q9zf>D1bk05Iu=iA
z)F6MjnKKm5&AM!#)qOXEV49WgHjsE}qBBi2&cW9(2nxC_j&*+EKDy~sue;QpT>lWA
ztvilOEPnKe4{CoYZ+O)Nx6~S!>i_+MQnmCC(JGIvpYJCGp>$uyLM&IYj>yt2+FMlo
z$3~+MwKSO(b7NHaF=y`&W7Dk~BNc+cnSab7g!|l{=zh`OR&H*v|GN$2!(h}vMLdY!
zGKu8|rR2Xa7^O1vXAqr>ng~=IMWOTtMOE^5PJPyZM3K`u<Wo#;dboh7bfZl{`16l#
z?E<HQ4miB_LLl0QwdgqWd8MMQQAv1}&mtz>Adh5gCbIb6_C<*R^<Y<p-1+&MAjT?l
zo(8T9dN+bli?!M5#B#+Mt<V->8bj;&4Ppq!-Xms5g<XwG0C4{PUuaj4@c@X_Y@&IS
zCd%08L&&F$TfR;()af%6qe}@1VadM^*oTU5CWH^QJRv2|$TD7dn~E+g_h0NTjXk`i
zaw|LnB!L&D*WJT5HiE$2<}qqssJy2DX53~Z7^{fEIn|c4QO*ao6Y(V09eW&uQ4=*1
z?~nHm8^7M4%djN~H7ncunYRSb?lL+)Qj911r<2}Y`p6jP8`dxj?JTtB?oKH-9-Kj0
zVjkv;<$XotRdP4o(!hQ;y8SFL+P|@Kf8DD(*;KnLo@%hP4XMP!gG1c|RgR-JeC)t>
z2|fE95IFld^TfG3jarvaX^%6xKMu1fgcckg12DBKC50=*1A?1gdf4KkQmi(4d975?
zZ@BGzy&X-RnIU)PEkGv5V%l##m<LBjzQeN+Ik7cAYiI4gnJq4hB5=opR)zr8TeNew
z%{ZmQx?UDiai8hEpR8wXPQ2Y0grCPvc(K!#ZLP}ToQ2Je^;tD6GZ7SuyYe|P-y@VT
z@ze>(&m|84(<JjXPL&M*fMVcM&;sPG+6!C?JbnIn;0mz?E*d(p<w53a&J^0NF^HSB
zrWJz*@AvPnP-Xy$ppOkmT#z(w&;pFHv3GfCf!VsM=<vUA)&|qkK^3!tVgZw2HFYR4
zOSV(~1E~Gu)S=LY!_3liB&DEp`*t6lDAa#G<hTmi!c&b1Q<40u%@~B-Hquvk{_|r7
z%47rh7?3t6^M3gUN~P6ttnshFT|LC%C8n#~^Qm;r9o_K?g7c#sT??CpnXxQi))X+p
zH{j08mo%AsXUaTKA(PnmqrOTU`<Ea5HRa+FALBxa4;&Q>nNzDPPdC^xqaL)I!>OCA
zx=A|ZWh}r}H^S=gL+R%xxTGO5A$KNZk2)0itP|Z&fau<fQp}F`+ltv~jWe=hyF$ow
z{%P!DQ5xHXSKU<h=Il=y8GYPNHp+DYYNxi8+ySyxVBJFk2T!M6#_TSpXB_*@99WL<
zNIZ<2IPW9B7mkfMB%-F&h&>afTrSXwMB`Y;AmnFkINUC;=WU0|)F^GK+Hltm6FyH{
zOG`;jjm%E8>7eF|S@<RFkkfW^SX3c%*L?~?QH~^B$Jgm+INo;|eXaX(c^4Qjw@U;8
zDqPsm?Pc>7O1?l*GQfKR>Re++PVHR}*JQbEn)z~cQu0WesYh(uq!Tp+u#TBd))xkn
z1LOlm&2YwV-{cqZj9zK>Pj}SA>7oQUO-|C4tH_(}uY2fhfHRFN%=)}kTHw1`GjCj|
zd%J}Fx$uea-2y}YiNf0PR#~{OXgY$eZ1>Z13ceXR-?r|s6Bctg=S!9)+U#RI6Ygrm
zVt2!;4an!rF-ZPnoXy(CYO-8`&u^Wa*KV>Ned!rtt%Erx)+mp~OM`R#M(2{&_UH=t
zK4Q(eH-W!^@%JCy(-R-}FxlA763Dl=Q10<ffK12b_$4-WAb){uHT`Dby@T1l{T=IA
z`qLw~_EDQ(g_BuX#Ot<K7JN>&P_YT~ZTfU#IhXnTRR@V~S*>zbfvHxu<<e5-sQSgn
z?oF6m_6p+qvS<deqiDissYaO@iFliea;15_A6v0Rz-TO-m%o&KEPn1D#{YpVzw2Ay
z_|aHC%mA+ygYg)ebw8oObbuXPYE=@3Q0*Su_?>*-IB#CL_}3@S>_>I?3N(a^igcz=
zQyQ62V_Ug?$hdBf3@c^m8sOdf9x(Lv>&5~YXHN&HBWto=7{lUkzkpg8wR^qm$1>zb
zqk;Tpg6R&!V0_t!qd}Qp`;RTxFO0`CztPy?-zeG=U9})Dl<K~Js{LcKkS`G(qpDJL
zN&s`CX#(1u9NSDFgnhhF=TQ|_G|X-kHt_l|?d|+nloVgYiIcYP&*U%{gzVFxXfR2I
z+qZq)7JEtG;7Us8(Reev8+_$0CZs+^1%g`hmmWaRyFmyA6eRRW3q$HPkzS05J%WNw
zOwmr!Y`5(vK?#PG&{=8!9{hEK^i<-tqsvD{4%am$$F^+eelcED!|WdRoj%dz%#9Eh
zhvtxIe4$}**i&;qQgZd%_+*lty7gQ2@u4TYjS*7OVEHAITF?ZElB^#n8Dn~H{WOiR
zrN_3eUS=~#T2B<3*?x%#qb<&yvfSS$r$Fc!m)YZ(zkSPoig2!t03QQzo-v>`16~HL
zHxIQYpq`{ZnOiFyz1O+a0W^=vxYO%Lrs}X|gV<$HZ<63I9zUVP+wJH9@yIf@*3APv
z0h-U8JyAC=1slAQvC#=q+m?C2Je4GPUa9!#@`ZCsjYfJqiwDH6bV|7SMUT>MEB6E?
zs1>$qkPowR%v%+ts`J?yJda@XwZ-j!Anl6Uer&cbz9FqiIP4r4jH?O!7-)_FchID$
z<9-O=-?wkym!{W<YoJH7?cB9yFpam3qFL`6-0s_8)tUB*c}GD&*r8qxzWZ1UrlNNf
zInVqOjk1H<ZEorLG77LC)yP5}XeTG1?;P$)IQnd$MqwxHTU2`?dk@@U$I9hT^)2tW
zJ*M*>Z-nD>6A@0e0qpgPUh?95$4b<QgSd#=CR-6=V$&!z<1|h_dPulk%9eF`?-N-_
zL+@itN+Uv<p(yLpuX_0hkdQ?LcSxNbNEvbcc2h{v=gpVd-ERBUuWwr43aXb&&;v6C
zq2{@OaC^Jnusj}(q?Jtm<>`Meufjbhd>}DzA!P2T?Vu#nf~tp-ta))J3)|0^7HpUF
z9yKRS%!&q-2BFI2U3%>gSXaE&q~}B(Fg-&jrMh(Dik_dHL)ft!W){zf&p+eZd6WT#
zey!(puk%7i>~IbfR=t(a*$IHJA**?MLhseC5e5!tr}$?PkDV57+u~xpy5&VH>0LHI
zL5P*zKY+$?Szbh@e|ZjUcmZ7AT6NPCspJPYGP7;Usz$u|TKWMA$8*;G)9bDz(6tUI
zx~*HtJFf><Fw(nS^yUimdTn4XMhs5Al3mov?}qhPt<G`V4QRNmeh<NEEVH=+nmfCU
zYI6x4;h2ElgX%DoSR$G*RU=8cyiv5nI$*!SsrAhn^TCN<^pis+n;Xf@dq_@#q9L5q
zN_ooapKA>ojN;cyhmCT5)TZjU0ovvR*<MyLQnFUc=}>7m$lmgaDkV8z$MgR2w-<Lc
zp>ryfn`U<puO~zKwm{4A(pf9)J6{DQg<nhKSqB%-Iei%4G`zbgjreg(D7Mwtig6gN
zR(4zIW3xqfd98HMfHaVC=irx+4hwLy7T^`mZR*${lMfARp%c8|!nquzfqRF=pV^j~
zG=vP=a1h8Ar4&u4+3|-~)mOfW<fY)r=fyjr`>k1a&ia;Frx^_LN#vm+qzRhSmqn(`
zIgqX`Bc-^D<3(p$s2!Lt_!p7PA-9zcXG39xXwz?s@Ap&6Q{?vx|DMrRN#_4LN%aSP
zbONxEsSE470@oES>W;Q{wDI(Y4K^0RsVrX}l|Fj}Npq;Xfi%7J(L*mq{O+U@J-SOw
z0gP-o>v^4g1L*A9<ZOa+y<c}{rgmv^JT9oaQ@A#eg-J;BglGUr1P}xZ8xeRLPH&>$
zBe*|6!!kIPJK*gw2cN&`*taDUW81*~HO`71cLXjWyNK@*)Rv9ui9^_OpxXZa^P6{t
z+l2Ws2@*;Yyg?3#whl>_BOlX>K8u!m1+5Ehi#19@z)*YgWA+#qGhi-*OG+!KGM7V!
zZE)s~hw1s9AKq6G6P}f&^9=Q3MU(O*E6NY`1FZ@Yu#PS#D5gUsc9W2NM;6oEc`B4O
zI!;ShnB$zqMOma4<K)ddmlS-xwKUWRldxw)wqgZ`?w6}SWZrOnCj{Etz-F>6m=<DI
z$s-?_vi1^$UBln?feube@miXyGs?Ouj{>heNP5{58Ju;CYj1zKK$jBfE2V(u423G^
z3XvpD37V(tXLYS3^&b)p1v6#3pMYEniAYG2_k4lVft&{g-ZCidD%pRgQ!f%J^=S*r
zEUwa0n}a%w32ybPL25^orHq9kdDgobNw}^^gje4=E0yTUdeRx>Q6Mb4t|afr)>+^}
z`}TrfBhPhAj<6#%#Tjm|n?6oE02h!jh+Dy>X<^v<3T&PwW6*xBTd-yBLgUBKlU6Ic
zBXIRqJ>g`Q*-(hM`go*O9bBHmDxj*<__xpxD5QGBiO5#o>0i5Q5SzqL5okA2>w0*B
zzx}P7_o%q-{Vh-K6d{77IAwB!HP4r3L~vZY8F_IYf<RvmBbNk!Gjx}Df5n}lakBlJ
zNUE+|l@MW{n!=XMHZpeX&VCkOldS194NLjH)F|E!UhGJk78<1@<GVOz(C3p;1-B@`
z-Gj)D4h7KJ@DVHTw@@QHa|LQl0am@m%yxF0ReGyl=n(?6T#cWH%M4dm<M#oCM=bGU
zo|SDPY;*86?Qb>75`H1k>XLOKjrh$MZl~B-!nh*kGQv$v!H;f8`T%?DhpO3z<KpWn
z;|-=#M=;Sy^8+PB82%5<i0qWL!v#dKsIRPhXP<c_uufkMYRfoIKxos(j4a@oIS$Zf
z&%i>Lw9V*^JuQGn6`cln66(F`{#xO4qptq(_;sF8qa*Hms5D-U{Ju!C!v(aHO7u6p
zFzqU2fznQ~NuQyXAem7gCW*I$b$Q8=Z}UpO^&R11pend7Fyap_Fhra~C!UwFxqDNt
zWnmD-Lyk*4=o#{6G&uNv`b`;@u&djZ?uPzsVVXP5Oy#S2q|dFXUniC*t@oos%tNuK
zXQ=zWVxV03fjic-muv{#OPMTM`k%&6jLWD6=<~9IA-Vx;vlj+G_6qMM%)vIQ0i8&B
z&o(1zX`*l~$*3x-Lx4K0EeVmhQ}Ui4&OxXNjmQxz&deUI{a0-T&CLRSdMpJ#*23l4
zWVCflh2xS;al#F$d8(QQ9zu$>YE|C?8?N{6RUJ{C(D}&Zjy)i;J426AO6pE?6!$>n
z%=W0>yOYl0S3>#TwN(#T@MG*}-n=uG&C!u__*Dd#EIr}<!-Q}Lj2cjs{gg+(EscKn
z)y8T2Lo{N7d*=JWeSdEw<Ht~SVDobK5IbIvvH3xBn-I}FXu|<q-fUmI-@V)xmZl71
z^@iAz_7`c-bhetukZhS^O4_ULPFZZ1mNV%tyZ)2}SN_#mC+8QHl3R>xnosd#QP|HD
zwueez^J6tl%?qknfehvrgfaR2b9DgRt%{I*dfBF;_%bx2O-Uh1q~VSHWhFZ}*~7v}
zWU<8nnac(Z&n7z~?$fbVbI-lx$C%vCJ7f|9+1RL?OQE7@2;AayaeNbA5j#xvzqB=}
znn~WV`JBlZ`?l}G<_N6s%j-7<s6hgyXPbjiJ~2F2kAWjq-9CC23A)*lg7KB~rN@15
zTN7Ns`7Tm&`D<HT!ckO9V^?N>p8ccV4maDJ=?-XK#*;<-e4@g_+Sj<kPgIFH;oW1x
zPx`zUa_27kB!{S<_O9+XjElxcBxFe?&A04OU=5$UbkQcPR-Yv~TBQ77<KpmW;MD75
zZ_9Y@2Y1JEn*6X1J1a!3e>!Y%!YnASbcPER<ha-=fZUm5e{SyiQU7#eR_^^R18|nO
z`TykcGHr47ZY-l#@&^gwIfKK=*(&4)JxEGk3XTrZV*%RkuaJB~cnH=D#}W28Y%kXv
z?F+fOEkSrA)~JZxM_EKIeJxKF__sZO=DxRtp63+<Pk_+hGgjVS8-1=P@E1j}F}pp)
z6)}Z6=m9Yp<qqb62@xl(WJdJvbd)ia;YULB9IxKmN8nH%u?R+S6fTT^GaYLzWw-7)
z(n_ipJ4>kwF~Z%8dMs63cFZUFE6b}|Hv2u2Y-TxIodP~dQT2k`E)z@{#O|lH4O+PM
zD_Pl!n&Z-IT*E&Owr;CdgWGe(%K1?XM^<h~KFhF{#Jw43n8^2F#_SAJ1=^j99RnH;
z`K_7tz{aUmzO=<vT~}OG_(=^h#xb#CY0pK`pFL+jB`=%vpPY@nX!Ee#RX(ijXhtns
zif~izjxK$U{kbcX34R)^h4)^6F!Cc+M<07OdqpsfIN`sCj<XMLQ)*|l9$wr9z_DWI
z`Vh*L$(73(`o*l{5hMne`p3NbxzA?hvzl9=4N{OkUAgncJnkdu#KSGQN$g1n-x}>&
z;24Vv*|ej>yl3Rw#Jx~<ZmGhn9*mXk1zsmI?TVhm3I9~4%5yY*bMH~H?(XQ#nxYOl
zY4p{5IJ6t*uM2&8*5@(~iErDIGRcK(VP=Lsa3v$=+>L&VnFAbs&zO+fj`ifwrBF5U
zZl*D`)Pn&|_9Jj_ig$q7iY)i{_KDGQRU;2x>D}pKir>XA>cudFbb$n-4QU&<s#3c3
zOM?u({femVkACrEe!UxewRNs?u7%0vMyKJInlRs&w&F^#Cv4V8dcG}8ohz;?gKKS*
z{x>otb)+=uKV(RMBD^(9?f?HFu8L}8aj5{wgOv|<tsu3-Yo8U+D)yl(_F+y|jWpH@
z{st)-^*j%+3c;1`kU2;`ECjjnV?{c(1_4{pJZ=u944IipB)JPzgoQ_>XdArN_c~Zi
z3$U2;BangE_-^dG528PZmsn$ug_(tjW;Y>_3-8Y2fX0f*xBp%{DBJ-5R0tZvZDXdm
zfUb{jK#l^Y+p{)cS)k(|ie<E#n&Ga^;|UWT$d`|-TO*aDf++XJOm*A$Kd%hPK5URs
zu1?{Hjkv*JrGqLW$P+lUP&mmumPe>s#cUyeuf5>S)tUTyaBZOLnylYB-s{EaDFsB@
z{6x=nJ)^B^imUIsS8dL_@=M%nV~x?WmQaR(9&~!^dAv3Ezn(JvpUE<+etpHk_=<y1
zeR>7jf4H0(Y54E_=BFb?dB&wa8Y+Z5P=YC_LWTi``bU!WOgRJ9hq*joWaWQs7+%le
z+^@7~mnvVy?zidwTsbkqSbm8>d^fl2YASa<0gJ%(^dQtho31KM$3K{KJ@u-hla<ET
zCn>L4@8t^{0Y>qA!#C|QVjE#GMX&CmHn41~1~uq)DzSSR<LT_p{;zSbW8U@W|38}a
zb=bI;hxl(s0v##H^9`b0^PODk821E4++aG!k;2$;pQ!p3I<n>?nLIDHa$cYU${Ryo
zZZ#{<hUvI1vSzE+7q;<>*5!uU9VNBs6t3AeF5<-J>ExyjAe$9u*nwf<r~ad;j<KI~
zW)&(S90D5l>+HI*S|fA^6Y*PZGrt=;l#D+kVKk_D<_zk6yw8N3iGzO&P~SmO*1Lt1
z(w<bxLK`EWZs}}G8Eo+<6YFL@Kw2anlX&BTZQ~=pCYb^OI0>YLv8Y}#Ot@owt|dWZ
z^eS~(hlY|A9qSx<Bt8CpL|jeNr82~a!*U|PXEgcfO4>U)5+rp_x##6%Lk3@+bUK5r
z3tu#O>KhC={-Va(n}@t&Giz^}5k$4laPBi84OB=O2BYwiPNl4)3+)O{W9b^nNn2kC
zQp?QDW0@#R0ga7ml~$^<UfA@e1Yd<w%y3CwrreTkjJbB%UTiJ87qLlNr`Deiq@{Zh
zYUw^M<=7|3=C22vtjoM!kVM=v2;y<{;%V&^Ri2=BidGkP={ash#}of3J>aLdJLM+f
zVeXwrgz&|S2XAWoEWT>iTyCRc1Teyk5dz3mU0T}<#_Xw8g1nw_Z3o(l&^+83U(r1K
zn*$l2E170FeYqg8^{5D{g_L~Mo#bW+=67<b#&OJjA=x5xhY1pHU36L>=nGRlspy5)
zAv(fR{><hq;x+EG3s1*K1u;)a)w5F-EZD!#GlWJ`(6P>_`C>y(+m-j+wf1#T11c%y
zcXI@XN`ZdhFV+xc@~ceH_JG7}RFBo=A!<lXr_T5YP4eS|_nOV-^dkTMdTt<x$y3oT
zbI=TvXGLSSa5@YYq+XbbEN}k8hi^(@ghd(a5zP^j-RYR(@EjD(frc|uxbTlDt935F
zXI!Rma1<^2?E4^4%h&P5qWSIAxUaDl$f{VZjaKH;f->3f9l5Xht&#xs)bgp8!Bc4w
zd~hPZUR}@4@68AxakjEp%seCY)|vCTmr5ZI`LOZ#LmX5Pi@jmjx?%pmAyWP~+$>zF
zP~H{FvRG~izxITC-Cq8sIQsbZsPe;1gk}-eYQ7jOEbRR!(*jpeuUfS=o7{=kmmYm=
zNw~3ZCm|1VOXpTx4zMVzBB~~x%DX(M_7^4RCwgVOdP`Pe#7ehV#Kp<Rq`7Mpp_{FH
zj%@iy^0VgBg#F^91ZSEA+Im<ZodwP67pks=s&7H2=Q?uX)vBle+tk*NB=<-FO%%u?
zmM@DGh#{f*hw}BOcz(Y#@HfA$v9o!|vwv8Xb!&U9&labKD;Ag){I?}POb91G!J2rg
z{o57&rxPp${c3*Y3L$WReIfrv6#V`>+%$r`fdN#Kt*Y+-6G*uRshTZbfDc{dTRW2f
zjd}iG5A4!{8X3}1KG51bURzDwBo4UY?>BOkTF{RR)XGu5WSi64^^u};^vE8lJ-ar>
zb-S&g{Qd9Vs*fE&U!&!Tryr$U*bHTsEq+Yy3+l&?vgy#eKc4n4kn!mT-1Fr3f?MmP
zV8&Wf6O5AZTU})y<%gQ*fLOHo>{o%PelG_u0TJ3hWC{#K)@DGqgx_W~4M`Hpe2Ov5
zz>(x66gb&_3b<4G4r`l4Oh_osJ;$o((m=&$=4TQ1?UHMax6)n{ujUr>fg>bj?2c<=
z50TMjL>VUr#3=+kraypLPz4U*FjZ~tHkM6$Ac86}T%b6%Xl3L-HPf;Km!L!E;U9IY
zI~=DZys;EnK!J53KN2fCpG0MLFm7${kd1kRCl>anhvCwDJWkJ4i_LY~^oxeU&Eb+a
zL_o>vo$D>%0vAe%GMb{9;W1D8*UuB&>=@of5=jYXr?9k;w`t)zO1~Ma=tf-&Lbdj-
z9EOYOYbe{8Wk|n7dk-f3>}EmyWb4$YGm*A9sV;Q-%E3rlAKS6-s7{3djgAR3Zc-L8
zt+aEiC;`oiTu+$4^2y(CaZE>2S#$0%MuuKOQB#pH<`SUt^Qo~idA9kBiW~>QG$3bj
z*w$WvuUd+L*rB<#LlfvKf+cRzAx=JiQn2#Ks&#h^07Yu!E#$bIUAY+!(bB=0;AEba
zS@|Q=ntix?TVmy_x9!&!=f43RW5%m&)TxJSlkk7F(>Dg;TYqs#SoXDODzR-+WLO*z
zXdaEg{5YnTGS|&RN5<4mR4-vi=ev1gDqL;$a-pbu_<YX?7LU#^H>n7o<&B==uF+^0
z>WejRTK2_REf=Y=<S37@O>BEG8<J#q;DYfGjcR?m`(1%O!S{hUWIA^E6c`-U*Bf2l
z)O2Ld!P95!@@UWdC_&MH#M1~IQrOUj+>jbqIgIdo8}@Y}6FbIB4Y-2*=aY$*`}&g6
z!AQXLKlYzb(!T7I@pcG#=!)3l%mkwD4p?LUbNXA46^mD$Dnx8cn*#ZaNa{NYCwmaG
zLW4WpnQL1VK->UlO7TBGcn7JDfKrjPoUKN8U2ksL@I<6gOz8LtvZ32HB=%~6S4!Ph
z{^rEJYKa9C{S@O5n`3Yc@GORZp4A%&O+mz$XM1Tq4;DSmT^8EqC6_YHj;db?sGUWc
zxt{S`AJxP;_%XWacDElbBhVk@NSM$w|DN~#mL6ob{OKg~4rt+XFIEovv_O3@Up}zQ
zg6i3|(DM?mE>3(<kdKEOp%PVsHEdg<&u#w0A~)#(Ze0H)5(yzwVbYUoJ#<(9^L{O;
zu}+3)!pk8{$e0bv#%mrdlO9OGZ^O+iX9=|Vg5?zG?0IJnN%BDNC2>!OWJt$J(xxQM
zr_YoeA{%mUcd0#<Tx4N4KNO3kT9l-rw~QKGD|lLoO%QG<K|#AgtV!$PXQpwE6(?fh
zRtONV-{W3{1Ru69ZGAw>VbI$Xx!kvNv>4JaX*%V5ws1ZExzY2&Twee*7@fPteBawO
zA5T8zc+wIn({#Pvngca?9m284-$!&vZHHCN5vpfK(y&NVogA-`JG!hp_syB#!$W(Z
zE)a?o$U%O9K7V<B1Zk&18cb4E5LXR(SpG^)focagN8Oo(>-Yi<IfTDKtMKX3^qS=f
zE?Q~~TSe;g?#O}5HBsSryK5Y~ryeP|^fOcEUS0TAdu93EPW;G;^bb6eA-4+;caO+8
z6_G>ajwI~z(b{dC`Eoq(>>EwABFjT5W_4@j=k?pXKNSk6B*gLvUC48mE<dDO<ME@R
z!>5f#=ka4Pb^jgXS@jLKHiroj9x=?sp5Tpx9&V#he@;`N(Fv3u@k}sIxsa5gf2S)_
z)lBy2H{rk2>%C81;-|uGluj6<yZ3E&su1fh2+qx53k2x<d8@8aCJDhOu{A_lxTdej
zZ70;8H60}+l|qAO<dVbKaNCeAr2;P`8w|#IIC7+mkRx#yjs$<@<uZoPi4OMoVrtMu
z>}-E<WyvhcnYq&Wd56N6&0QTY6J2u*ZjrL>he>-=J>Iajd7X!n{&PIxy`f!;{VQ#l
zAQcjvpmdwH*-rUw*9?Qo7NH;gF+ksw;)d{DOUYuU;>)cOOYc;tg4*|7Z8^K=m-=ja
zQa}n%wWG$eUAbi7L!XdblA`OE|Bth`4vVwdz6FyIAZT!R_uy{9rEzz+MuP`Sf&~vW
z?(Q_+I3&2cySoJq8g7$wzH>73o9E8V{S%(IyWiTit7`AHSFP<yvhC?@GpA;E5yrX>
zm7-9O&6I?dzp(vT1gzjMz2mY@`?-xpBBK@p7h$;K=Pn?nS3|*YpN~i!_w+u1G<&8B
z>FUulER)fP<ps^Fk!0AurGbu*;f$$wk&Zs%u(xwhH>6Lw$lz`i$iP>gac6JGvM2&g
zXxHSD_ho`~m|f0BF2h`wbtoDJ;yAxJzsXCrDH--XtG@D7<(@jHZsR~30A4q_9hM1-
z6)2|P1-<iG@5VK<>#nE?RaDuuLWY7)K&{5Xxym=kfjn=$Y6*QIDK2BjZS#cRC^|fF
zSH9hz1W$;SX0bREm_+GnKt99~DX51-3sSpzE`83KydOF=UQKnok>H&FSdk|T3o+4l
zki;VO9b{IIkEz+^^fEkGvPjz86ob`Z&XC@e*iqJKjqYFxo5KV{mVGXU>!`wQRV{)I
z)v=@=ygFbm;WrK_X$V+-_QRaq!TLp6S`DZJ107OmGvnWsJ&$C+%FS1XAg-^&#F6X{
zG3-6bGk;|wEe$WMZx4O|v(z}(ST;_ppe_NjlCPaasqckcGWRKiy^>3{#zwJGb1Xci
z!66F7G=WfAPrV4{2@JV_)xB~^H#5{Jv9=Bgy4>(sC`q%UzxixYLT}nsDuI+T1n2#w
z&gm~+;1a)t-Wf|=ozaWnb=^~DY@<FIorqS1N^JjYUo}BrK)^owZCL-t62UdRB8yA1
z{(dI!L}^R-@vxaNOwV8WUFzAhyle~?1o2r>i$nv*S##ael3BA{e?QIj^NF1+{%kIE
z@jQFvUJu>*kDc<bCXMkIy`LU>!@jj`*I|}VrhbCjGavEyM=j}^2E@BSL4saCz~%w{
zEek=fPjjp86tDtb!73RMD%ul^gB8?SqH#O^G8jIGg@ykWXI3jOxTG4zp?Sv7{ga=%
zrUcRj(hPbrP#Op}A^&vLCVP|VFh@3n$cpYXQsz(O2xdN<I^bu@dCK;pRK|5|{C*bc
zNLS?Vzmp%7Y;tu@d7otw%rU^qnB(sZT?t)24Iwznz0O}L8C7qJZ|Zs+U1y=W0dxbl
z>dT@@Xyul3Di$xSskwmC4(F;Z!Uqm#E9#9iV)RauIjq{Co&A2JNCrK3tCTF)YmhVB
zqd|FgP5D2r`50Qyv!Wgtv*&K40V~dvW7}k~>h_hqG}@Ay4(}Sm@>?Z&;B7BD;=t&f
zHH5BqNecWn;alUj=6qWQIF*@;p1m$X;HgCd>WR4pQ0-F+t>W2Gl1G=q59cd$9%t5R
zW6t;OTn0(S)qIN`CJ^K8QZB(CKSfi-IE^pQHFX%LWGmft$DC_DnU#o-1Mj0$pw{w}
zTFuLfEO_<fbvs`TVs>Ms4EW^N<*M?I<`cLhq<)EnI>`iQVAg_fX;|}}NVxxs?pJa8
zjqiiRO%|zB1H!A8RYWyQh(K+ZQ!x#TyZ3UPztr^e-~8g_35AO4W<a|)Fr<Cx!Kb_>
zy2^rcE<&xrar3!)!(9JRXK1i4P^_#`F0i0W%2y1{*eC;Of}tm-Hr5^HGQ}Q?k;3oN
zye944cdHaf<wIi<Iw{J!*4RF{gzcl)%;FY~+=#^&?dMR2o<6koU%8>l7AX^MImi?}
zc~|83rU*9@Gqj=h_rc>T^fEyx!&O89l7SoFNo0cX8(-y}g|70AdFdTzDS-;^I_2+a
z(@p(Pk5_(Dog2`}{1$wL8T#|ZMMXY31`1wl%j1!5oru&R`a1e;)U8-tvGnpMZy#2l
zwij~WTr9CW(%0Xdx^3IU7d+`$#$T-#j?qGI+=YAoV&sh4##>Rjrw`=!VkEiSW$jf0
z*S2h<LaV&YD6@GDa_G-zy5-OFqW!UK@upWEZf?F;rAE{AkOvdv+-Z}sKscM2Z74a=
zeZ`Rwu?^bxj`B&Un&cBhu&d&8sOuiz9Dx!p_9;g%a15bH!$t}D`f$>ftG=}5)PW99
z7j{)LNSfqh*EdqAu{hMrGt3?y?l^TUbR1kpG_U!f9oj`g;*TeHW~LAa!RJt|ej6oe
z@UG<cRwy7-?ny##-n}LWF@fwMysL!bD8C`&4gOA1IL1*wiV?Hi4V1ibGKnnW$6GcA
z45Ge)!MdHDcoX`3FsvWR)u<h~sQ(nHM+{JTe`7W)vCe2zvv}Q>V(0W3!5?a|%cpMd
zS*Xp1_YO)3H7Qq1tMM(7{5A<!qtC88@3O@xw2q`JOHMbCa-0r23{F^0#MU!*XvW9K
z&$^*v{CcZ*2`eA;t+i{Lw^yny<S$7Gata~|d71|LLPo?l3t|6r5YS!HHo?3}|BO#)
zG4OM*PBiJN1Y5mLG7#V|<rIGzd$1m{B6(w+R92k=jCrCop;b()9K8ATbowL&CD*3h
zOLvHQ6ZJfnL-3}Yk+$`uBaK%Ut#h{Pl!U{f^tanx>L>MJo9tzcQfDTTsQvLt0!Xky
zM|KBp>b7-{?&iHo(5H_@)1+Bm_RCGvq#+v#92gy1Wy<q#xVizBv*g;b?8C<Q0f>6O
ztVU?R=deTl0<-aRpQL}!y_Ab^v3z-6x(?r{@e|5BD>8PN+1(rWsX(lT+>sV$wUj?6
zdZjXR)UIp67!QTRLHs}*p%S7yE1{CI5Lob$m5RTP1NNmgSQGUvaAOT>J2t4oZThEH
z5_hP|xmYJO)Bd%m?1@1j$njSwa;DwnTFfzt0&Ve0@k~4Df$IHP#DJYMZ-4JAiO(|l
z_}BNIS6Mb{X!@U0V{{THnb=;9%(Dlf<V)MKPmK%5INTHu+b~ifF`sJLCN6?B>P{*W
z&v+7e{Jm4Y`U4Eef&5S{bZB1%PU!XLXTDJwV|nF&J>7Ot2;(2GRuEJax|*sP6<*Xi
zXrfc-|0ixHv=v)LRp=5LR_OQ?X8$ao>^&6>pU^!0ue8SlKQ$TvjlYy<!GSRkzg3|L
zk#8CYp>12@2E&*j^k^Kh-X}#snuj*5D{~_szH7R=c`icyi5eufp{x?{1;PcC|5gQ+
zl^JvYpJ~az^A{y(?~4H}Y<2q$(oSerHQx1qPfeiN*5~TAH2gTMU!0w<pFyDKpTK+0
z!G3uD<DUO7f7T|oRds@&KayqtoU%SAP|szb7p#W=+dpxbjM{u=j3bN&ec_-;@lrlC
zErP;_On<Qppcyzc4T1e{J^x?XVHK38p$e@u)G|Wj(pT3+zKdtjEA-RakO{nf)_Fz0
ztrRnR{>z<3>0b?Ul^~#9i;7dyurVHOi!puwJ|{5a#}WQ>tp|_ozh7L1uDo>}y#B)0
zYuw8W8~+EKg2}XDn3KOrnUK=(dmzb9AKplgEpz?}Lf0QPyjYw6av&l<Q`GYi!E1+m
znL*oZ(7M-1sjAJa3}KGF8BTlqC*jYP{V&PG?lo3pD`%bb2~#(Zm1=2xR}a3VWx26W
zP)V0B0b5Z2i`%pVenDY+>(cTb1q~g=1!eDOpu8pUO1P=F9`-B2w>W6G<4Y<opAK8*
zZW)42r)@N~1LkLbm~jY{VWn$1_}KjYzS&WO*J<rDwDI;8RE_wzMWTTvdVbI}RR3@-
zm7YPHs;h}G6Dk52zr%q2Oz58MFbPUwk}lfR&@zZ0i3Q|wQa`hlSg>CZ{4nT|678Ac
z8_G`Rk|#=&FWP>g7M5lxrea8~3{?^3#qWTX>bjt|<9Dsa2rI<ZR0zI=!9g+IO2B2I
z#-mK44V}RQi}A|TSwYMSK+$?(F-Y(*Gk-t;R{ejmq?T7#Pv!XT?(X!9{pT%DJ+E%M
zFqLi^k_|6<ay~#Cna}f|EI<yS3Ox0m>u<)HEIWL!iVHKKssoR%Kk8qJQZ@|Ez3JoQ
ziwV^r)-!<D9vqVV*qFU3jFKuAX>MM#>DK*vleQapT4{Ft-g$5^?@kVc6UE&}ZUI+(
z%}mlP=0Gn+G!kj>iT>Hy#B-n&ASl)9ylB?IBfa$X5tJHr<SMflDZUj8?E(`C-3=sB
zby#NoBlS-DxV>}G&ufb4)5d>d+B_0y1~fyna%2yD!k2uswAE}zgMpiVkRkoJ#A2K)
z{1W=9&&di~o(A;&SuY(P7Sym&L7>A}S+FL^0=D~o6rDh3g+<3ak&4;v2j0nwYw~BD
z1o@f82c@Jz<-=}*a1Eacjs`-KJMK@vACYibT(1z>>)Bg@ZdcI#7U!*kvw6~?w!_6l
zb+1WVh*aOGsmQAk07N10H8rjx{EI6nu@61k#W^QfzVz^gZE_=BMbDT<umd8O`52{P
zq6~%)6W;f0b=Ux2XJ7W>X*tj?{-q~-fO=sOTU~C?`KD83)$@8x5rg`&y;);7h+2ND
z$>U_nW_r2VL*)LbCLD*k8Yr{%C2~yu>-}`3o`VVa;IKK|DX>FFBFRy^;GwSZ<l*g`
z7g@s3%hp*@F_0~ukp`^GDW1Hq1)a4`TAT6=<iz@1XxF)Z)^_Cf*Vz8zl|k_F8^wrl
zAGYqyqeivZ$J-Gm1Ew{@>rRfMxe`df2AIkA3}$|SzSw7UDD%ojK*xc6_L=C}cmlnv
zK*aA_H0BsSrsDlT0+H6#IfJ%a>kO_wp&-h3N}yZ)iMjmg=@AGPp?tCRY#n8D)Zr99
zv9CLXQ731QLnv?!sLAgoEO0U_K0BMjXm`p4OF*k}Z&Q{<O}3QX9=z1H;X-Lp-qtjI
z22v|laD9v6(=sV>e52?I&Y#jXfn?uAJWpc8=jTZrat?<gJ+0>hjOU9`BA<IUk@NTS
zAK55=2gQXCyRF!4&9(?oo1vI44~yNu4f{$tl`MI^=!ckf0~P5_db+al6MbO~B?S_`
z)S%@NmU%F_Pwm(%qZz?3go=p2u*ie@?RCu(im5x#vZW%g^HxY%1y4`MX<+IySDe$u
zFwa-wVT`W^5v(W7^)j^dN!^JkZlg~ztlePT7o7gh5s@#LJdk8iDR@gmH%YW;pD(ax
z={)Zzy3idgzxR0)Foln-;traQk24nMy{C7C5-480h<hdy{+kK+uX95CFaF!}=wIL=
z{Y4vn{>KZm_y64vp#a?f_f3D|%(jtMDZ?L4%nd3TL1}#XB%^(GY6V$c9g!QI3A~Lp
z;$K)Nv31S?we80W4T;=w`|mGCJs_3dt>(pl;&_*wKfh@^<iBgbH(HSX<-<8HOsSG|
zjn-62XIZ%?K+%NVm-oZwS3bC>)6H(wO#e=zhfwR4OYDh5SuskhYWsJ!!y=9vx_s{R
z;|TX79&H?Z^nc)yXT<PT&(U#RRp=u)fK5&w+*s$zcl^<t9a-w<f{dd21W)TS@@nwp
zXSTiO8t01(D<kw{SG72UkM8>rLv3*DnY^XF`K8nL{KLT{K1-X^QjQe|aRVqh3OjFZ
z4lHm-9?e8ue?v95H$RxkMQU?w!rjz2z)v(j$r>@;y&UY6BsZLHr{arksTU9=-B~Eq
zv2}ok%^)-d($nK^&d#3|9=h=fys2ALX241hl^TD^Ib|?8(}#pJHFs9;|DbbL%IvkU
z;VM5OoZP<Nv+viEQ>9iS&gJT^CwU!0pe^s52lmF{;{SJnY3|LKo44Hx4?(J@T>_6K
zt%VPp|K!^0GKX0as4*Y^=&^B+gd9H?L;f@Yj?jFGHEnW!pgHd+V1~RV5RjRtx)~BS
zlm3k!WGrsZuo=-&SiXmc6sqLfNt`O0>oV=fhU@~N<m=06)6GJn22bx8ugi{$DA+ti
ztJ=2ZfIgH&4t(PX$mZBKQ91S5T96V<RdE7zW4&Y1k>nD*+4gen%ScW6n&j(Vvkc;1
z)xHm<ClHv_faC_nenaGX+lmAERxA6n-T7aICd#b6Ch*+2(7w04*w5b}!>ZU{<$xt=
z33n!u;E;-|$W{|9%lr%MHs4?lOQ@EynWdc;g4U7Krn(+GOsUa$;{b`bn9l>7N!uth
zA`J&kJ*eN#d+B=$M5<vTU(5n4vdn!It&FAS=h|m|c^Y;q&<U6KES?@xgnvJ%wDby+
z_Z=}F29f{PY$%E}5VNc}TV?4eY)WuFs7PEz%4>^$y7RmNHb`9ygb(Hitc&uUQx?K#
ziS0Y>zfQJ*Z&fez_#r7x*gHXvN~~bkzijJFVDI`V`j*~D4Km)NkeH?{#6*hG-ahjN
zH^PqUHd!WmzpsLWOm>uIVETdg!>=4{xW^p1%CrMcDVhrId2G!hw<L%b=vWnDR&a<+
zU@<Rv!HP3^90J!3uvgla)VK%58hErhlwQObOD1<)Y)bY*^<XM?Xw4Tu33PlzsJ#{F
ziYj_o@|r5-8C7JEJ<%|Dl_&qwZ1&ivwFGNMuq&OuY>LrM`Bo@yN`zWmVpnIE`50M+
zE|}|cACF}2YpO<U{a~>m=?YV@2kM|4f>}^KUYOO0gj`A@F-tNB-fRqh@4DIkKzQa?
z<Gdxb)!UI%Nu&WQv*$WO$z?S+g{wlDAs?}OdhMZ|GlB=gNr@wbigx%722-xH?}++2
zmO@&gR063$nvk~oRCL!xr+H7gL4P!IDqn&5-awu#pNKC8m@TE3R4LfF#W>DYDk$Jn
zY%sxkt++*W?Ks1J1Pi60)^tRzK0;xhFMCWj+6bs{X6}rD9SIreF33`!f~lBN&`>^)
zEMgp~qF!dMo-0dE5Br2uCX(eK#$J<|D@UYw5dZ!`P9pLILVpzfdeWLVQshV0a{O|n
znb_~XFjSr}8)OYN@3<4(d^5Q4fwwVb)I23%R_)wDnU45%|EM!2sj+v=dSQfoS^VB-
zyg`AC{T^zz*Ga&NG3fxg^`}$BNR|oITDltJKwU=Juywv6_wctIBO`gcBeJ4nY=9c^
zz6cCO^q5St`VI3Ra%3q*3tT*kers`_mrgcrR*IoD2DXt-L7w!DA76zzb9_NuUjS88
zQ|D6=J(LE!DvW=(S>1Slgr}eH^wRG$18jC+gEwz(5%=s~CPuwvfI7WkMxKW%;*$ah
z6qtwhaCl*_P+k$4Q~+zin7=LO9!y1R|0Wib;o@tci{{1Tyn*0Q5uepS25xnNz)^Bk
z5^~g^Lc~Prd<b1ru%&4~guMavUcOGg#IQiEWL`x)Dkt=UD);qkn1aW*7H}$biZTlw
zjGtsIVIhq8CB3_JCyB|b<4smMQc^8P18ZEr!P9Bo(j4#`jPsq0B&H2ry_00~)cN7(
zS9wRlfQgci@$p~#JHBD}bh=@G15x8O|6EO>BPSb(d^?FAq=9k=8#y1uBMP1_I6L}O
z`nvv_EJcdpDrY}8pKv})FHrE;cy2!}=O)V;MeMb;34On=PYb(D+7Y}wfit6g@Eg<l
zc&yRX;bJAX8-K$y6Pyax#TsbKYjNx?Y!DMW^<=hjAOT}PAmbDV%$&?D6LNu6zy*R^
zH8m^9=ENJ0;WQupn(KM#kL~3j4A7k_Br}%au&j12m9<2LQE3GkQ67aRf~d?nUgfOF
zLe_XUoGijNJ~5g}J<Skw?dF>^1S<_G<1r^ua_Cx)e74RznmZ$lBIs4)`+T!HkTm{%
zd@bHCGXX;#^zgaC_Iz`UjOHOk1FIy;K%vh(INp3DOFW^^8J84#bKn_i)v7^{Zp;v1
zuiBEcfeg7dh)u2Tsy9z(S#JnlRZk_P3WP&wJ~q0A56wYm!g)7KN+iC+bo^2yY*a%~
z!{R4YpBz}1@e*e^;)HRYFMvEn^h^a+(UpW9UXA$OfU|^jG@oK(hK}YLUCtVoW>3@;
zSavy(fJ1uyh#jLOvJL#3A!10yO17t;Qv+rnt6X85m9c~dD=-J9#QX+;-4ToSEz4_M
zc3?Zd%Zd{q2PcO>xsEnJ(rv|<k;M|9kL$*u>*p6VUvAR9TVVc`V1gpjwSi!gfJ+m^
z7v)pG$C?Xd`EG0&!^E<eP!74v3Av}basnaB)<4XhrF4{;=gCpW#vfBSzogXFrD60a
zS|36fPl|saFi~n(1;wbH+YY%a0dLcmh~nwPp1|hP&>5gwM6=3&IT-%)5oW`DJ1|!x
z)n(GWKY|!Vm7JvGsyJ}-6Qj7)lV%C3h&2s~dd>r~?CuZ<13CkoQW7cA{X_2Z(&d)H
zTg)EqXa9x^xCmcL&K?8GyxNBiy@>m{1m0+tO2T|ao^hBOs_r(oe5apTggqKz&<rBy
z(Twzy%_y`!M-IB67Jsc`1g3(%)0;)P2SkSPqc1mdG`b27s00q4n-()M5vopNHH;N#
z)LNyo#bT8O8!8}cE`1#Z@F!bUo@~z@Uco&gF}?uWX@dS8`QW0V6bXO8D(Bt+kVqw|
z*p!=+fSRQC3wfyo(zlXe{w8D90TM-J<|929uI{;zAYa79)1q=#XkJ4V1mxwJ8pGM|
zBl2y3)6Lkg_{Z-#WXn^~+$z)TRN3XDF@J@m5O<Hq4VBc$mqeu}Q)jS~vgTaG^oK1>
z%mBzrv`V--NMOSfK+#(}3+%T+_-Bn5({i&%-{WDze}lO~M&<j}C91P3Nze+ztfPuN
zCJstqeK`V;-`7W5m&-vWIDXgP=y&(-md4k{Wr0GiWb{Cep;n8G7w}Vfl(9Nv3RL5C
z`kxXPHJ-a-LjlW_$j>>p4roa4%DNL*w&Vyb@5eiWUxm?(s8N>ktFX&ksKB1SqUYL}
zF1Hb5RoUTXr(#ZyVMn@*Cm1Z3t&Y?GI#gX64vrvx)T2z}!|7(YFh|YPm1QrB8#(bV
z$jb(pTT480e1BDcG8b?5Vf&z?RQ)ZvILKf>B~QCi${8FClqMWwh?nesn#pqzi=^&e
zH@~~9G1t^f?YJ#5i2Yc`7plP#aNGGYY^UsF!!%rcwQb1VR&XCnkD8zcjSf95aex~w
zLj3!UPI`Vp6+uhp34|3UuY~YK$Jc7o;chNpZRI=Xvq3vOv(|Zx;3$xKjW|>!Mzg`+
zG#L^!87QqnJxNK-?m;KpE2rug-C+{@1(*SXc3@!xAWN6@OwQ-xvxk>spfdTNO~4G6
z)75uTDdTe;=%SS?o6#e{&Qna1%OaGVIHyZ7+Lo5rOmN&gg3@YnAN5#697nY#bluq4
z=9dC_MUtqQ@8#NTC1}VeH59H12V>)g_G}s_*nVpv!0rz4YbK;^H96<=Q5TtSyzFQ7
z`wa+oECvOh=c;R_RH*mA#rc#7y?9#jFQh6Tx=&>fnx2HE>N5yUmjWZ@9ce_G;NW4p
zg~Dk@Vs*lrKhqu-T`So7xt8+zpLKe29Z4(kTz720zU6kcTzk!9R$v6dDD0Kaq!m=n
zBu3t}Dh6Ocr_YX<sJ-4bHilzTok3V&8RR04w-02GA;%<AzD}DW70@=WZUZP$_JtIY
z_(h|=#$>>pCCJ~yV$i&CR0zZD-~gFk%)SXf&<zZ?tO<`Ilb)ciNpnRetwOiYbLs&k
z0>yv-I7o{!KQiAM_^!c_&fZJsA7f`CMXm2rPBu>)2xC5~!D{QSBb(TPP$CqzJ8Im|
zMFaQ{Fr}aESSiFbi@}m}$NX?aM&T`^le2YWeEwCZ1;m>6(6+hsD)Qjxd-?Tq&{-L|
z2k$iMbiu)oM%UFifX*<ZC_=eV^NG`!Hfo>EzJhxlXZa5>w+-i0TrLm&%E_PK1i#al
z!(%a&bEiJLp_i2#L%S{t4k!}naqX#1d#q>If2g1%pt2j)oUmI}m9W?t>Z8XQNdp~3
z++O<Yl$g=Jri2|gPLiv2esT6aetqMUBx{|K^q4*)PkV<A>rsl(958bzTBFR?BA@;}
zb!-ahy1?qK;+^CAoWmb7xk0>PmsDVR=sGoDKHZF~lm)1Yg1=!aviEyHyOZ_7AhnCM
z$@F;}j_t&NmW6AuncQP0X-Xeniz?j5<Ak)j$BOxZLVMHiR0P4_p`hk7#UF~hwRT1g
zG&>}pHc`GU6lXrIs-x`3RBa8A%K(Rd6pt5rJDjVr`3g$3{fF;u_nOM1S85uIVMgq0
z5`UU?&xDFl-|L5K&)mCerKE=IO6)}*f>>NZ=tY88|NfPKr?dZ%)c&0S|3mkA&UIh(
zK&7Jp@CE-3X8uEB`rm(4N;LMjj5a@@E|#=$M|=LevbupR<tGT;4WqvJ9i?<9Z{3cH
zj;jSM_y$v9Gca2yRh;I@i|}DP!TaPQAc7Rm+a}MJG=5f5-YAcmSddS87=P*arezOs
z?TVX@E6Oi~Hor&CZWw`Cpq&p+gg$_D5$#*se%D1|?^Iu`zS+8&uVAMXyy36PNzBOv
zX*e*Hzxn&=xOKnAPgY~s`|0HqjL|Y~+aB&?@LuH?XNp(IQj#0NaIXm5U9p0Su)2=d
zO2(0Y=~oW?^zS(ixBv1`#4x~6@YB_n5H*Y2xmfcHoJy92MI~K9hiTE5l!n!zc<*gp
zMvh-AqfR3(BNz96rrjUewaV#TPH8jKzq|PDD%15cSr9IMS=l|9u(JQU?$WPcw$j<R
z03TPiT#2>TqH1M2dCL$$X5gk1Ui?ODC>fMURU@dR*2w69W+r@@Lcfr&t7dHJ8Z(IT
zD>NXN%-gs&tW-z0QU4y*V>E@4vaDV|$NNLpk+fqXt1V~8IU-f~ReY)sf>v>ao2gr2
z?aSqPN61EiTwNH1(j~lFe{_Xm<$R&*;Z2Qu;@s-=QPs9joh7}IVN&Z*1QEQTvl?BT
zSweN>vFNFbTW035OO@AKN?TIpJNJG1wM)d{JHGWP(muatVL@bnbuQgv^8AYQy^%Z#
zi<x4+%&9Wv5<RWbI8^<JFS@b|^FCzrfRA?GjLKtkpWL0k<;9my3iBE0ej%~dbikeI
zT{WV9ygCIo%O^2Gm0qot6vs2(F~RB>-D+MODcQhyy}Z`x*IAVo+QG4C%xKkU*@nzh
zKdqEoeq-LP;o43Artj{#Rq$W?0%y|KWXW?oM{3<CD1*klEBCs-mSFhK2xna${lv;p
z&CgEam@Lk(Ozh2hkCv-A99VYJ6gXd~=5E-HO%5{Px@i3fS67^+C}aRhzDL`&CQ5T0
zLrU*Um)AdT=j46!%Hy^-IwEw-|FhyjsQCg@7n4mkk_ox1`G6JR3%EmlFWffg9xrs>
z89x3+Gaa{8?6?k2NdOgHI$**TD7JKYYBSHB-Z7q82Jk;fI-vVv(PAc~6`WPGuO0`N
z+eEk&i13BqMlv7O(iKf$yqIbnVO4X2VA`6-0up0F48-hG1&q|We#6Q|oo>)Wu)fk%
zOBzM+!k*zBF<?-CD=^D$jy?@{!4~gY{+^s_pA~U6SAl+@-R!eTBdYWC4@#aOF+NNB
z#W~ciQH>{0bz$}GPEKDZTo@~Y$F24pS7f1P+3^ef?$DvRd8}aAZ(Oog_^<a%su*l9
zpeA=cm()cyo!nJkHa1WVZiik*S}d}^MxPm95Ll%dBXe$9UZP5Ar;#z7%3;swFZZOe
z=THc*G6;ew9fLS{>{YdBe>VA5act9+;#GeGclFf4&T(3Ma70O)GCRP*-Ryos`(ppQ
zt-i;*J$|ykMayI&`E@LT_Tf~yRLuM1NG~*>wG8Wv9j|cTHxuE^$n0HvGi<y40j)OX
zL9)q<-3(msNpx7KcWSR{w@SiV&xq97F<BGXI_-iCf)cC`U)l4SGWQf4oJZ_%lzRo-
z%BULkqN&AQ$ZIGN+vd*Eqjmf-4)EDHm%_d2<$iPgZkO_wt>0FSX9J^zb9rO%n{})5
z4?jBx&iDxhkZsPHD2&9h+tb78%$7S|@2Mw02)wkMlAo_GRRyOzVp^l|F@fuWGpz_4
zOtrB?>ghB2vDzPc1_PaRRn$HL4%GLOOfLC@ynP<{((+43gJ;qjEBz*bm}is$)$$H4
zX|J%xBMY(RsBga~HzbSMHgQQgb86#`4NsRyw~rs(S(&17z%Jr<<CuP5GnFMS5QyC1
z5=iy)Qh3K*v?F8UYV52kMqj>&$HN<5%uz=5?UFK>-7=}7va~2AiRL=}eoD4tri4Fx
z`!OERGZ?EYUQoOeyxrtewbn(W)2H#`+Y%Pyc2d5bnZVdR(J%gEKDSGkw>ZJZyG=rw
zDrtQY2B-U3#XO(amorJ=-uvq^$PRSrtK5?@2P;s{=L^wzqZCYhAcfW>6g(OMRJ)6>
z2_#S_FEodjQprYg+yNTJ^Zk0VY`zIPVhXx3@4)m^xS(Jm43~mA#jcklssiJyBe@Bi
z9D$9xOUmb`c#8D)DBWe2Lvgh>cXgQv1wXoeUg^R?;ICL4h=H-LIYlw<mZr3Duua;V
zfU(UhSgi>WOJkxtbDXr&Ut~Ju5ls%r^BYVBBbA_ueWpIKn1oxzMC^>{SskTxypFp(
zwsu+_kxVR;{Cz;9Usfz}i84iF$$CtxST<2joV^{qSLUW7&&``CzcYMOia8W9EvXL_
z9PT!K({QGZDB*Cnc(1E~HcHc*ZokSd$g*{cxCT@0ye?#7_(x#eEbW_8z+Sx1>!aEL
zxCZVprVXhnN;fZbt>&Nby5V%8vc*(sMvC|DZ8t@}GPa~!V}isI6y%LzgC=P9hr~YU
zOf2cjCwXpfZ4N19RZ9q`$eZJ%nm-TTCj!83W7m>-Xk$fwo%Lf)Bf(s(nRW2Vk>_zu
zcw}je*3Fswy{$)d8Jd)VhY8LPsBoDHbpj`0Zu+|kcBA!binU$?$Ai4t{9CI0;Tk{T
z)TAAa3mrKRKMm2JR9XUmp8=io2SdF;`<<^ZPiOCC6a#N|<|%?~MXIHr4M8Jq!e)I~
z4I4nFDFp6OSJqA^>94hlOLQET)9IYz7Urva+h)=f#8B{YB*u<2n|^H11&7oc4L_m$
zhTxqN(@+`0#u5ZGfF+t^o;97HvACmu4lti!ITg>(5v}Gv5pntBcGQHCjTqMpjj1Sh
z(1|>ia~MNxzm*m@mPSC4c-qQd<u1x3YzDr{D_{DGu7R8>Yz_35|Dp;W>JVfWnMV`a
zHn|^n;~BSmub{0tm>G{%Q##=L5lyD@WXTg|dNs<@Rj6@d>Cl_v3lPobi<NDYtg+Co
z#!mBsOW-dM4z?yzl~A#zK(-zy#J0A!E}|8d%ZSZ#&R751G5&0)bEDItmntQ5qw2)0
z-<h?AJ5ajYVP9U0`>Ot+@iQ-6=OWz{YA%Qaxu8vI&Xu+6!o6<-(%B2t@XiVrD}Lnr
zkrMw3LU2lkWErs7#KAsSR`!~ph%q4E<A$sbkGSgldTT%ZfwpJOSY?2%%3FV`O<mDr
ziHm%CzORyIdd&pQaqcQKpjZ?k=SnZq!h+*&E!7uVniV|+?SKLlJHZ8u;=}Yxw{S2i
zylw<a>hDwcQ2Rug0R|yLJu@KZx74?EJ1|^(upTph7?`a4niH;Zw{mGVVgYzx`B%&0
z%57d@7UDRBL6GH&*|I(>3@_v+|D4*_G>s#Z;0|z?7;vov+Av;Lz5gJ47fo-9)2Fi-
zg<!P1nNV2*yJ>PB&b`niBR|tqm(rvPcukFedAY?9B<+A0<UFKWS4I4z*Yd)|SLTSL
zpUC$3hh*x8Mi-pc{wqv}tnjnEkAWUnAC{OGo!v%%&ovN~(}-w?2K@K44c4Towxk+2
zpS|#T!%E|5OjaoOyL^Av14=@FiI8uJIw4WKBx$6_8eo&3?{Oz1CJPiNr36yjep`a|
zJ2DdGZcf1^a;f<O)24DzVp#Txj?$cCDBW(|&~JPlM?&gnpF*~Bl+FM*wD&c%&vhU9
z+CMu&1RAujcVM*me~weU=Lg=9fBpQ=yRkh#fF_3e@;}??p9cboUj65N{ygx8@AY5H
z>@k(}O36>Oet-3;&!i<*ilj&GlXvlNjU?UvwkOpgV_`jj3zr{oK-5>;T^D|6ZwTju
z<CfmxM&d`QEs+m1&4=foofLVt4OzOJg!Rx)A5FdlK=_}imm+-2r=#-ng}(nXZe=|_
zvM8%zST6nO=13A)7W~f}R}qJdriErWeEAcZUIt>4`gk>^zaLXX*8|kZe>azKjQ37m
zZUc^DbH#XRap2=TAcM|UD(3w5hpm*h#*%+CH09&ty`AdBUX3Oyj2vq{_a>J-(P~LV
zVoMs;%*wh}t%XIMIXFsik|^^Cg}xBOPQ~Lb%S=&93mw?ciR+j1D2DUHe{5a{(`wbA
zka@V16h7@uMj%psEXH%tR=`Ksi0kKAv#54loPh=(BjV>peNdx`=;(XRT`Dh?;$aYm
ztIvnR=)SvOtb<qMFke-ZW*KiU!1WmB7&vS!1M5KQ8Wr~w`SfeMPo3#D1@h2{1A??&
z%7;u_NZ1)fdf)1!mh1eUqTo}hY#&?uf1{<#436rP*Gi1|#O?)<SQ6X7l}-g(VfFaE
znsM<7xXZ&mg-L8{-vfzdlRh&del_%Xujz5cBY<8Qgo&wQmdwZSWj!5jp-#+ECjd~t
zi^D}W+orCEcx(?~QgcUnx5=-bmMtWtVgV^9x5KeE0U;ra(^yy*{N55KNT|ZHtNuB&
zZ~=6aK@kaEh$T??#3(lO8dywl`~xjg-Kv?a5#+Df%OP1-z#>LS@r8A{luugm*z8*+
zA1=~sn<6y{BYS__tUPfmUE)o3+%g7}$fzh8EKGOPWpjb4JYn1M<i5%yqmU>_s4nX@
z;rfoQKbaTGE`JX{4M5y4zP7KR&YUog%US<`U&{#osDK=EP<>8<VoUo!%fSwQsZ;(v
z3BlI<55W-L$vv$M9s)1-*qmLCuo{kIiDOQ+=42-arRfMH!l+spK4XN;1!|RHmSg%)
zdKX=udDOJW*u1EwK>5JXK!+S$hT*)_*>TU34xh!jnb^*R9~$p;`x6#~9m{yH1ZLao
z)S_jV^M`W);xu5eXtlg+(gKs(Y>67DvJ3Qf(SjxY88UT3sic6ay?v=H$sSmgU~m6D
zksJi@I8`410>6^R#XJ)dOk<VqOo2rgq+NY0YCshBU8k%?JywN_4QITnd1HRyvW|ip
zXqI$2L%~(}(hO9RQYN$+GaaZ3q=o<|@sBV%iU@F-XfGS+6wp#>Zxh<{G*`1uvETQ7
z_{(K(zP@eWKez}|lm0&LB3WrGCY@R1Eo?*Ku^XUetC6l+YBUe%H@RMMg`U8_3Gz+T
zzGJ|QqFJgZ7Yihq-xn`Sq=iCW2)b<1i-~~7n<Q0Q^`b4^OqFLV(x+5=*PF04%SvU{
zQu^r=E5x}0B*U;-8WHB;{CAr7<lU&`1{lXlvJHw1npdd1>u2IsaKrNz=I?G0Q|6Wz
z%+iCR2+ktvrIZrfj8(;Lmuz<y!qS&#p$9sp1i0YCEs%D8F;vs1QI9p{Gz&vI)<<1o
zRAm0zpZon7kGmTuq+~s%n_?^Jule_SOKMmsR0s`_8qF!@8XZQhu&my8jV(jl*rmVi
zd2P#Pbgth}%%P=4faw#A<`ImQ?U+))QPk{K60}9y<495dj_#F``k6mt;S2O=YeaPy
zOF8f(KyfiCPsY8Z+>zfYO;ByJi4z&w&U#W&A<H5eLye65DKp?m*)?7Co+9Wn+}xI(
zII-EC|2HPb^j)@f5#N3M5o~5n=rUM{UVysxAn&ZtlLshAf<|a{Y~W!S9#;dVnklr=
zZ<|B+5qeB^_+j1FDF+H@rzX|d^v4F-=K{LO_+2EWr29WNxniO@WBt7|eSKS4`W8cx
z_)$}M30X|bGDFY37k4uKt)czz=di6SnR)(g(+V`eCQsW(l(mU%SlGo+X)+aDCcu)2
z@Z+dT_-rfOUHHTi#!(OFQEIpGYj?9YQkH4-N`aOO`*4hWk(-;PLxO=up-{K^6@#+;
zy3G<GTVyx=4L-&rmur5?NCVCDtY!x<9BWnM`oJn2IUHw?glaBd!TCN~n~p3rpS0jS
z%7JFOz{}f6FD+b;!9Rdf7sTot6FmLW(+$Q!{QIKF6E2DoAbfpDAQA3gXVB?w`@w{`
z*vF`%;Y%m<3}WaIlXg?E%7tpmJRRsSAH5+O`dp8Shyuk5kc1*dmd=#rz`OJ*<ts96
z<z5UL=OR{9tF0fRS|X@#@2;-Is0UZnU-h{`gRjE=pIe-dpi_)KDv(aR;&))7JwWw^
zUg+VhqR3^mdN#_YpV`Nb{HmE^FbrnD?quP}lncy{D0>BDM4$$rIKHAiNB@HC&Lcz9
z<Y0p_^|wf^1?!o<at@ltx7GYW0)fF$<*ewqbPRqVPqrLSNgR7f>C6fw)>-@xo8R7m
z{QGq|2RbAB$f63&R!+fM_(6_GV{C~Qz>($yg&Zc;_K|iJ2tSzbP2>ON4Ep-*QYL%u
z>l@-ek(Z2q`}7?uMEYo~7AoF!#+aEZnu7IMRPW6g&!k7WxLXv--2wXqD@q)eV3PDM
zn%dO#<D{SE1#-xCf&i`@`>@KG2shRH;-n%m1TKO1Jl%5FXY0*)0=uSGNxy+Q;~p*_
z?T<MxV#s8{@yUvuTB+!b#@T9d@-QWC(<yP}dc+9X7oxPwQh8(w$jq!Q?GX0a50k&9
zXTN}Q6$@CCQ@`j&(Kzy(IS*6@`qnl)3^pVpzP2e-6Eiw~mAv*iaUk}^bfYY{6k+vS
zLj<^T#<5mo{yQ4CsGd~1s@w7#7hk*IZ42en%hWzWSy(!@n1G=EZd^gcSNdr=iaQ^e
zKYyEGBirKrYt0{V3`-jST&fm9WnJgUoSexUa5st!7x<2X@Jq_8e20>q9DXy$R}fw7
zzkyU8jMj2YDzCeUE9q!EXPIOQUgj?ZJ|aP9OlO_HzImcijQ28E0URiO;$l(Qt4pNz
zZ7-RZxQWqcj&>^xx)A#;zWfum{GS9`=zoGU=QsaBjVS*FXIp6hS>yjB;)CXZpQ!A@
zzYl>rJ!vBaBetL5Jiz9|qzD|JMr?Aw)7Nz`UH7VAs(&&1oNHQB%2(iG<|gaj39t>&
z-$q^`yaLyC<_k{h`6}Ot3K??_`&>|soWki=ZG^iBY_tZUIlufn+x+H`DpX>5?qV})
z!=iaw>~tJ!x>_z=dL6*~&aCCkM~Dj)jyY|?TtK1EW+m6gpA5N(n*h6|N6e1)81i)U
zm99r(%l!FmyY?M<?~$w@koe)06VLjSJ;QyR(7p5lo}?!B5|>nM0rqC|@T(*H_Fp(5
zXwF0b89p@llCJj^HXP|b5E=se{vf<jY>cjpoyGG6-PV1Je^eLZQl}4%Yje*Lh{cE(
zQ*}|8&|fTWb*3{AAYaozBC=*%<uCo{-srywDzr=3R!=;9Wm2*9s-{4|Fwa+i6Y#yy
z;RdCkJmO%9W+rNgW!_ZCTkmHpEJYv@$KN~AIP;<6&%EvL-n#%>S|JbuBdJDqi9{yk
zt*5*@y)4n`l<M5?DvXTQBwshV*yw44MAmy((`^lX^p1BDjye?dlo$)satyc<QaEPb
z-_c=81ur6q12w}g#AzCD;um-jUzM~Px4ufhWywN#9GEfWPBKkV)hEz1#g}1#B=gUd
zD{oGzmS8lk+#5R4Bc|U*pn13z#n{Djx6xO=&P@M?bsCO0(kl_BcA&s99(;<mf;VkV
zY)hO`upo;jSEZ8kQM9FSj63>3EJV|hGw3!gtEtFFQ{nak*|l$ob|?<bx&JSp|0y^n
zDAjKkD+rVSHRtYyrb2F};Cg&iwiOS(*E94)-OLFuBD`6}Z6kl(;{VP+Ri{)_d3nKy
zUY$^srhy_PT^Ds4#ZpFUzQce|O;U~tygfH#I#i}X6ej`s4EoTt^05J-j$H<sx40RA
zKWloyYcxD%El;aCSD>J)(WDqQskpgSn@G!57&V-Hrt$^i6z?HB!;xqYO#RH_ZNWQ%
zn)g}lW{M>gP?KySFf10~;J@WgVwXlMIjbA&rctI)5Q>v?(?N-$XQ#TDmqt|6Z~CJk
zf{nX@SrbzS#%crp4SC|*|D-<dS-<kOU9U{~igS(F4~3Fon`vAxpFzh(^2m3NYtcvS
z?VenGKep0TWum?`t>LUk&`&0WQXD=s%`c=dTnK({de>_>Kr^J<{T><)sRuq#O23;J
zAS=#y89^7QqDkn139(O@#EtVVz9|uN#Uv8?KtkoV?qlahtb&qe6J|>6JGI2q`JuKQ
zACP_tbZJmslCcoXEP%5rA?A$GK;}sasVBr1?&kJwK`l&%19EHNiqW?bMiQnqy03AE
zBuh1+i{o?rn2`AC*SNx1Ze0Xe>PA2pW8wVUd1ZSKYj>x{9WRY>j`ZtyYp!29_OPIE
znN_X42-eDvL@wY_PDO3AESuMf#_h~Qh=)BYswuN&c&XsR;$E$7IHOa_yLSiS09%QS
z4UqB4C5r*w%@mjjJZnX%am=wBPx~yW-LyA`tc72E6d-9!;kPg&Ao88czvXmgJnEW?
zvnj*niL*#XDoiKv=m-jDqw!f#q1l@}?6-NfIkst`JxiC2CgnRjJK3IWOWVLD<=;<m
zG4f^Y<zb?fnZxKq;2UyWg1_f$Z^!j2bg(#gb+4W283CISUW+^et!O2LZgVpcTq0Ni
zRN#R2ikqIxG>0@~+4R&{I5Kr8{Vgb<LBj~4Ob62$2Gl0M<2cm`c`HdRxPFChe%HP_
zByKo$?v|;KOpk?TkPuiU<eZ2d7=DtrbKn}l47N(7$Xuen;}Yl}SRNh6eP(AUvgf7N
zi#@?ka2@kCsFUdt9_TtTdLo`VC4M+XFpKfefZ!dtE%y-n=d7XAG&Du^Ucc$;0|I&C
zi@yhyWbU>@U(9_Wp8ShYNHplCzwA=2;rff?ae($L%j`73N>W*ECRkf(lBB3`TBhXx
z0oA%LdZnj#KB;&OqT{IIm=xSihJ*!_8wsQc6{lDq1~3_*hNt@?ay&t6#BMxIjK0--
ziZGYCc%%ApXSMH<G~<U$OLc)NnEn0qckvNUCkwJD8a(ttS#{m@bM(mkELH)flWV4t
zNYWRVa&73wF@F1>X1<k4_XqOo61%h{Ysm1PF37&8>CHQaWy7Ws^T<&PL~$q%wJRga
z!c0PQ#{cU?`H4IwNR_`!(JhR*FZw$eI@s96Y~BVk<AI!O<sUS{&iU(H-%Ny>lbi?m
zLTrXpx#m6-^h(-Hj}>)uHu2837^a^)f97I@1=6p)FYh)!saxo;HO`GNwSr?Lb*lQ}
zDFIfo?OTww008Ofe{myCB$W<_@ZXQK>qcB*36ydwoG5(JXQOF~+@OiE`9#<j%290l
z=AP6}VEao04UPM1wtU!zm?AM|+sHU<6w+d{Qg^Tv7OtuQjeoF5lSJr-+{;!nE_qG4
zS<b?YHSi+6wq85HTJ=Xk&;Gh;b5yd5!bt%><?MS73XLd*_o$i2Q-GF&mI=n8(XVLE
zRezfy#5J45ZK-n|`7fl20_`Nu)u%yXIu?2LBoNK{<gZgut34)_C}PkpUKO%49Idz{
z*zz1Y$p7`kzCJn8ovR9?j`tSJ&n@4V^G85KtRVwf&lMV6!cX5BTA+Tni}L>i1o}US
zP5uWO1+8EFmcesP{hgdl)FWWCWy18NmCAEpqq_JzrjmK5PNX2G5b@y^5q7G<usz@2
zwCj<wtZvCx>S+{;rfp~QZraSj#LDDk>V@;8jzE?p#DL{=t=ism5?O9uJ}9+n1DHbp
z%SuE$R)?zMLYKutBge&P(Z1jlxwhd?qya-j(iRK&gO|B-JEz=#Ex3A2$2tM4bIq20
z#npR&(LLWPWb*CnF_ev#gWiFI-S`tuTTPycl0jX7WLf&b2{MCSl{|$uJifggNfD-%
zP<M3>d|`5-PG9$JVJXKlZfe<#RJd(~f_<n4x#sHo7j?@?G^ZKwbfNcq<u4;~++db+
zGP{MEFZ8m#=j+1wofaB9hLc-U94dM4?N4AEM~EvLjTtfaH$E<Y@q+WjN_Z#bsDi=O
z)0B3|7K7Qm^sZFPTwFiYD#m!WV|`VJC$9Aj7{!3!z3~qO2n`6Ece$G{LK?MOiG7cE
zhy4u*94^Eb-@$3HSPpY*nd-;VK`-?ia8cyV=J5)}RP?V!>?c$sHZx#s%jp+>@!BY(
z<@4}Jr%WnfrUdJyU-$2KAnsAv^QJ1`%xWe*)Na}ygN{l&k;>Cprsq<>Dx|=agMCoE
zTToQ(@0k>2N?V?aqLyc~a7{{!U<#KRmy+g7_u&PmkFN}qkm}Nkbn_B$_?5rONX>jK
z^<a0^wFADhTn-dkp>(sq?kllaiAhH~g`2aqkdBWqJ^KgfgvNc#9EXaP%a*Ql$uo)z
zi9zwr9M2%v^@U}Bd2D?tW<pIyn&qsywOL-Hy7V#1)TC<v!3b?ypKyA$+87r(Tz=V$
zIyFPAm{$LLQ3KiT3OODyK#T~D;|Zp>R@V}}?1Q6?V2>9Ab?FqFhEeHI>yYUdLId6+
zmJj4m5Q2j_P6uDQvcZ51%QBsMjxu=@pC+Swx{+8!Ao}j<F0P8kEky%K+|{+qu%-Zx
z71bdJezeZjN<SDBf97JKpp680X*woGD3G|^e1VRK;`Zic_AicoO%N-PlnUiCr;Zf1
zb1qqtJ~T>~Hn)l}S6BVJ!-p|8BY>3@cOi$Py=3k+{~nN&7;?#h#-AU-uphI8&fOfC
zBXA(x544_oJFZTQ?KD^u<X1w84nTA>$U1D}Ds;+7UL%0HIWWurfv2Pc8ZdWVuKQ_x
zTr{Jmt34<pO&f_kC_{qR7OMuz0y6ef4I=Emyw|qWw7*e2Q3u&{%11-xC|bGX%&5ly
zWFv_h1D16#>BD^cuDgJHb2g`famV8myA3yAXvqo5J>6#5vrK^@fu_<8U>_|7e}Fik
zmsoMr+xQ~TT7*&$M;_mVI6kg6)+LMNwN0O!WQ~pAjs{|VzdB!+b|EJ){j$-llMj=J
zRXizouo_7>yIbmQXfKmGugLiAI2LqSY3r&TU~#o7o+%jANvMgAXu|o+>IJ-Y$k}oq
z6&_bdv^}0B<My6ORkedirq^<P$|n>c%(XFe!4vQ{GfXPOGBYW)r`5LUbw-i2dWC9=
zo1z+66s55pqJR+FkvDYQ&jBgKNY!l`w^J0D<2qq(NDVopA_y8A<Sxkz2h_3=770)d
zRvAQ1qV`T~92MB)&93Oq+Yq>oX!1)f2jbc}5wafIyCrb$^$dAjDWDOK?$qDunv7T<
z#jgnP5q8eB&3vH`OZSr+Ml6OF%@=eI1ZhCKTedk#1;dmP&~mX_G*mNlY9t`ChVCzG
zfA|I9HCPTw=f49lrKgUKTVc_%SIPrTG>qdY8ybhAbMO{1)H_6t?qIGYv|~9evg61f
z3DlCJeu)ZcU&^d{Gmy31g-ouY;U$fY2ujPXDwM$~Cp#S`FzDw0_E9L^`)Wg5slDnP
zbnzkDStH@|clI{;g0x43Y?C2d-*VMSSuO$^Ok90|{!v`B5A*~8iB(Se$oi^&Vk1M*
z$U-TftNh}R*^{T5pqvOf?U0gml_RlSG=BmELW`7TEbr=sS<i7`8J3jv#&r1O0o;Z$
zUKAXC%w?L+&waYU=wTg5yoBnxfRfT6MbV?^GA;h7)qb_I4gNLE0gRg)w-ig!ewGbA
zx`7jJ*H*+$*emz3!gsoOu1N3FBiNh(FKH`o4m#%_@I_LZ9_3Ug3HZgLqa_90Izofw
zupAT1@)$+5g(DTK6i6%n#J+<JHoc1|-@Ot4g$5qFTdf}7Mr=qV93AX_Mmt0?_H@(5
zq;)&Ca_nbUUR0FZvl|JSR}Jo(PL<K{NU+ID;FTZb@8iNIF!b%Rags=GZBN-%(KAf>
zY6aB_@NakJrjDPW@tA*5Mb;^+%mkYHxeoahPg<LC*}!ZZbtFZFt9}3;=dEobaK-lk
zIdf2WKT<g=scA)72H<fTI&^6n>7LgHDQX5a%7JW^>B%Dw71Q%|g7Gk2vJa1brcBWm
zB3zmT<BE733d+z#EQ=Do7Ea<R60(}!BE`b0X4cpkJDd8f_kpBH+SrqO@C`2aP7-iT
zmpz4nOVE@v48IeJ#WM|Jt>+^dn#Z=6MI&jZnuGtds=%5%guFMEA*2ElBbx!im9}CW
zuW~0Ai!;}aEKp=WZxChc2@JO=dx#;tyChiY|HqP<e=Mn}#iI@dRuA2GRrUtx6wSv+
z2)mpKaZm!WxQ2So$J1cAq6K5&Dr~DyIvV2GR(e_S@D?iMXysM;2l7xVgiTi=?1>`x
z1y4(wluSXk`<|i@n>f_R0fVOLS$6f<hX`Qyig_!ALOA0)^=z|81PB)rOWr>6QM#@G
zi;Ost!ehyvWS4wJ0h<$A?)#%+bR%CUu6KdIQ{>h*%&07@FOh6Q^RfN;EqGLF!=>&r
zD_9jo%EI;g>GL^93It?my5!P7I1(uCqLfsGPyEY@nx<7f)=IRwU%Vs+*i$V7ncpSw
zPp@6+CNqz3Toz2$d$ikHVd?Lw>kc<>Z%DdbR0TmnQ`OR|bWqpqLSL7<pQ{FSrA=f@
z?x8|@G{bW$5F77$5!38$GSe3O@tFvesBxZ9kLmXds|@wnW)?hLTN*6nw|ruEy-8H=
z`x>u1lxaS>N$WM2#qcEFj!xVh&8~KOYoUL^Z)9lM8d?Hmr=yNB<7v0Tp}bK-o^s2$
zp!!8a9;Y+=k(qq)U^1zKYVnd`jMbq|))t0kEYomACpYP7yB=YAK%web-}{n*^Svq9
zz?lYR<J0I_+V??wtr@Hr5XStux8(uh*8DVK-Nm-OG(abM(F3LTsv6wrciS=5bU3C+
z^kEIirb_WWT6(%D>})y;Wkp>(6?2@zCGI$;y{d>Rk!=hBdgV;Rejfa|!ovU6+E+(a
zwRQ1|bP3WaC5@D{DBaT1-5nyK)KR)S1nHD+kUWHhAPomNba!{2xAA`WUhli#dvClq
z-d~R4Veh@xTr+=jt~pnUR#fN|NB3xPXLLU*j(Wf}BPY|2#!h4!ovF}xh}aL2;)$G+
ze^7q0nE2%Wx^`InE_J6{u=b3upt?k6L?M2%7H+GMn>=5`)^VB`fiMMEx+^z*-4L0B
zVE#u{#dH1;1R43~{!9F7*akM)pRWa7xhiyJT&?66G~;g-oSc7<Rm7kY_8}zQvAG?J
zRC&=K-+K|PMJuUx^zC~|GL3o0b-Ls|;E$uW(1eD0fjky#EJRz|i|>|+ktaL4jOLEN
zGT|cMI~CqUl62GFM;jAd(1N~LT({mnID%$>5q~q4SMMRfutGl{O^mT#!&MzyO3YOB
z(6TOd*s7<fqyRUAaq8|E%Q;t=q~gzsS80IVq%e6zYF4P|qLeY_zc7ntHyOX0BvG-g
zXZ#@^&fdHjsi61J`do6x`E~ac<bbt#dy<wx8_Z-V`^I<OKuFgY!+ihYY8y6`&)Ebx
zhzTCYye{l5>A|*%C3W2-oU6Qj=TPD}&eEZ<Z`<0hU%%Tz<@PC4Ivhn%eNX-oSN8?F
z5_|(CYcRy_6^hg-S$w5#a3{hbzud(q_prAI2_FnK5hRQ1lcEK}CVKPUAQKKcr<5Sc
zw&~?*=esayYshAe2hJ}lcX>`Vw~KwC6D2R$Unv;5ux75%N)^aFoR-b1N!I3~5)MlK
z;p*NQ#)NttDRSh%f^{5iZ+G+u^?M+-==St24|1C8uMZz<+90z+@ye)qzR4y=hJp;p
zo7y|K2hZ2s2lo4&#~h|5O82I)G_~<qp-3t7#;N;vOt3_cC%>F_v-rwzARX_qrgv@i
zJ@TUOK^abxztrC8LBBXFOA|luf+k_;pBOBV#DDIvI274Z6T_V@xv5&zs(6JCOs$U9
z%{}O8ev)S0<L}SAj&#t|f1gmT_f)C<Z>X&klIMXh1&dILFbcn%{_U1VqT4L-K^|{&
zK~B9kBf7`{#$VCIzf$M_4^h*fi0(}6pNOuyWQplKNGSVGgoENkefzQTXiai<>2h11
z%cnb(-VG=&5c`=b{ucc4WpLA10U2}8fo=Z&&aKp+>M4+z;9%kgG0Et<&%4AGo7$(+
zgiE?uiOua00uOuLZ$9^B1IvGb*A?U&<i}?pP-ahv>X#hjUcdf1M9vw~G&r@_m1i?<
zlsolg(@YS?MDWcK@qUNh@P7r8FW3d0(ih@lhK($=Uu^QxoIK)Ay--rC<tw4Z#T|9A
z;V7c1!%u!_vYW<Z>Y!!I$XRMaW6>EmVlXdUiDjPK!>H14XsjsvRiSKUDUXzr!1QgW
zSx8OJn31ZIOA@-E5k$#E7<oc}r!9uQmqat{@QtiWQl+k2RXZxMfg+T@PQvwpRPY)G
zRW~|+*5`MD&%=Q!2l9FU!7PzTAAYuHYT`qtVGki=s*WglsUx3~%JiDH{-sv#S#_;^
zFo!maS!s-JVgBdD$EZ0jos(JptC?o{dJ^RB{xY(MT*0;q&rHKOP(=hPB!ogfBh5|%
z;Shlk>G!Ux#EvZuJOzN9x@y0jNV8b{==gE~kaAs9Qblo<-`IE_Vj@ik_iX5!y#|##
z#5$7<!(#qNaZ?`Qm&QElMVF^YSon?h)#TW{icbd%nMHhO@w{Y-4J<bB*PNju9SGZ(
z{87_kHng{sR-SY-wwy04>2!}f3}gSG1Nz@|Xiee3D;rI_PxgvD{gnaj{6v@Z`7=}=
zbC3W(z&)||6Muk#<0@V&=Gu=J?&BF$P4pNIdn#0j7vfc=7Sh~PueUA)#Mqift?0+s
zta>@0@<zTHiA*JV9xssp8l}uvz=Vr#)!hG{2{nj+2O5<CB(-{JY`E;@7)qNxb_3`A
zj_LAT33a79T0~EZ)i!u2E$<8l^XV_8;*HXZrSN(B7Eygm8`<lF6`J)14S8Mi;|^T{
z^xx-?4ulv64EtSI5c+f*mY1%1mm{=?Zt*au0L3l!y}zN=?%k+GVjcn>W99-mwx=&w
zY}KzAb>F=r>*DxK6bzLwsW@f;5`ppDr($`J%D)}=#*gBiubd2wjvnFml*TmJ%X2Cc
zaZRZPB^9XImWqPremKgi<I3ZIpWshWfkgDzzdqW=dlmGOVul}1^__wVGDm{<>6h>t
ztwkVF(=(3vw-|gJ6@T|xnjV8T?M;Zv?Mja^yA)+#oWySC$8gN_pup@$KfaIcG?XT1
zxiowi^>;PQj5B6d&qIB!uF7Kj+QIluaM#C&JfWS^Ife;7&M)O5R-R03Ed#3X_$G-X
zF0TjhLv0|A61Id*mU@2TMT6k1*@T$xrE1<kC=&7;MIhvb16ZIS>R*|p-=R~WBnUV%
zKkQ2G-wy5e)09|xlMOA9`MUp67w7*X74<K;=l`Yn2teSa+G{U#X8FV1MtV9l?;IS{
zVHBu3r3bATXs@^FY#UUVVOt;8t<$J_T$R~c=c47@lwoN4Fz@L**Xb9`vQ~R}Tm_*G
z3jkvF^mhR~9w4yDxGA4|mmE6&;z6kZ9)#Y(D4%}onYl*`2AXb-%BT2O9Ys?{UpNJ?
z8y=9VJ4J1?y6yEcxs|Z%Nyaic2cC@XIj2rX4cU_0)yC0{L#+S`P5lFk_M9EH>jR4C
zvyThuuT!7EXs%Oslh_#?zer4Ox1%-&&P*UqmdBujX5C7$?_5Ph-K2$f6(;KCG5aCI
z=5khr1~2RYqU&`0UfokxwTCcR^PlRTkN$JMc7Ig&Z2j;yMBsL^dT(JA6W|U-+YWPn
zTL0yJsg788(%EK$aok&TqAkQd79U1Wu1lV#{D7dx3X0Cfam(%I4aZvA@q*wpS9o7a
z^W@y#dRgsakO=*B*OP~;ro&^b2m+%Y)w2>xYwhFe(fT%K5YQRFz6D^6Nu+iq`u9ok
zo$AB^55wQ7Is3*f7W617;Py+QuH9||qBuqK8!PR9dXwh7jr;Z<DkwW9O4*!}4@nzj
zh%hmX8ykhM>yM>hDJ-wXPgBsted<3HM+fd-wnaLT<L6fc^GLIl8-`$q<(DwkCNjMS
zT%KVs|K=!;RnGyD9pxzf_MeU!SSs9o*7*t0@K3aa+(~}zF0GP3zgP3fT7PM?6o}Sq
zph=5rbhS&%YZZa6;L>M>jHNM4ry6}W$m}`urTh@kL95Huslk~G$c2;nZ+y~^%jDQ_
z;#m~gqDFq3+`S<Bt3F1VOp259_2X2B-JFD?aa;>yj>lf3Ia~u>d5WB$8EHqyo-?r1
z`6g`^#vbdlln+hTGssbK*sICOTvr5&s1%VpFe<j@_UAlMAJ^vdY_Z-!4-+w-mmv0^
zd2}J=<Y>zA)=ObXk@Tm^g!Z#B?SOX@j3IIC7%@oJwM31ovb#L~(uE^{q&gA&bD;;n
zil5OV+hoh%&Hh2!m9ZM%ly_9iuPgJ7oW?&|eiaMZP5Qy58WOp@ZH0z6WBaA>6CeNn
z!t<PpcghK(0X~T_XC{M)ZJ$$(jdoYisNjO&w9x~36}e>`S|W(Xw0No3kJwb?dM$am
z1xshVq3lI`Km4`L_--Hk_!0kNG4NH(Bj4|EgSL$FR77b-fClLK9j0!UG6U*Ss)2eG
zNvt1#n1E#>B7T=$7C&3&;#+<3rZ?B$FwjrrWT1uiqK};XG;fF6JWTPdc68%%qloGX
zhwL`G^>Lpv@}}#y-P2DJzX9`=0Vc13)a&hHDXKb}XOWEJjp%Q$JB-u|Y>Gwe;FdRG
z+xf7{Pivc~PLz}E($-0)pV+q=(PM#Bx)b2({ikvg02Jxp0G7f%t)%}Xs_{rCjLMsn
z`4*@qkqlqrLy}am6DZ(+M8d>{JK){*`1Z!5#rCV|9)WS1J);bNXHU@*e85Bcn8ffg
z%w3=LN%GhPqUnhRbXjGwpE=1aJ1bWh#$_ltW2v&{8{c0ug_jdO)6y}~*_o_RP;!LK
zai0oQ4P5OBQ~u0wwX1nnAxbsCM99G?nwKCL|6(;2etA^&(f~V~k|T*eLcN=;OmCh$
zR044EJpNL~z-^sl7k59kr7An+!gRq^k`Q0?hkpbzOTI3iDSJ5Y2$0ve;k6<QVnqDA
zPEJD5RdkI%uqu$*Cb6v!Fl)?Yj*bv8eB)<U-6`}(qOxEn>kLTmIwm(P;^o1WljDq-
zMPFjZsPKpn<H&ShOcebl8}@d@ZOxW0mhs7eKtnQ~WNHmF-Dge`-U*j+JUg(cs&59z
z&z^>w$`5pr_E9-p@roF7!@b94<8Ga%>A6RME!jc%%{m5-qn`>2yq~07$!gPy2ULg5
zZ$|?dpGy2DwR?~5w`Y_<pHGJ9_q9<6IaY9h0#`sFV*avo|6gp+y)_j5z3}y4-a9~d
z3e@Q(2bXpBIT;!(lS^==a~Dv5QG{kxVNW~q2Cc?jxiq!kdYk+XxFcA)AjqUE1DGmY
z3n5-Wv#&V)R)u%+D82|QIezi6B~VInQn@BhBLxnQ&$U-u?2VU3blJ%ns9CQXhu9=o
zwmvG&&@p0LvA2Q@H6~l6b63bE=(?Eq>j6CBr~Bx4rpR<!6?upMuA=s33GElguXYaI
zy8g@>#_8y_KOY6Qkn2jFh^C1o<EJP>N~)fAJ0<3<!2typz@Bk`e~T5zw!%n7tC!dS
zfVIC8GIb9OQt<rBG;Gly+(o9J;(LsF<y|YTV^o7&arNkjH=hje1Gy8I*L|Bh@Kx#p
zPoLZPerun7EgyGBf@ipn9`&YRylBY3Kd$YqKfLu*-acp_5>CECWf!?RXW-jHh&ig>
zEUWJ$qU~Inyaz1{v{=6=^;ZS+<fDZtFn?;#p{N4Frjjy7iq(mnYx8sQL3@=GPsz6|
z*+c_%s9Ygr%&)7`ca}7tPPsRIa5#&Vw;t5N8j1ADF_v9aC!cQSX5i{j9%lSX$hp}y
z8m5W<9C>pEE+1dO$|D|Qc=FMg9?eNKc>)u=XAP4}DvkAO0BNK8(0=1s6S3osedkm5
z#j)YRCyXp@rKscp^v$x`qw*E<YXv*ZC+cq#ykZpRZC&G&eUfdJoF8KOv`&hTYO-3!
za<X@RPDyzl<TZrO|Fs;eOa8S(s)vR<oPcs74sncCigeL#sc8Sh8kq?#61lg&_#YRM
zI&lC>5R(4w%4fK#{Gswm$*Fu&x6eEwWD+sqk|N&=mOX)vFFh@y4)_*R-Q&wacgOgy
zm9(Up+GoCR`cQ*ceRvq*i4?m47;&;~DhZ1zj4IWhk=_`o*yU)i-YtujmNO@%#0rDG
zAJVTK?qnA6jVr;pgf2DyDIgH6^uHVRVKC_X!PW+0Bs1=Re0mw4W`_Sp0P{-P=^x)H
za)Q-0b>AWvkAm6*kRxX4+0PMOn0EY~8*)>gS0z-O=pd4WDvafd2eep?B#T3L*%pyD
zaZrqZ@;cMqe;f!W|Gx0oYT~k%qx5C76}zQ?S3u0~Ke=&_aGL>Yx*%r9R~Nl#Hccz+
zu#!HXqVC7W*Cfe4Sv9!{+-Nb{uk`5(<i_x_EsQ_@*aV9H$^+*&tuE-?>O@tizGt+<
zF$%lQkxczG$|9^${SmY>2NkdjHy@$TRV(X9uC(Ep&rrGN%dFp=vxP;lN07?S4`Jk^
zvTOpd=Rx^rRe!TTGS^Q8M-E1ezUNo3ep%S`$i}f8MeAo-wC=!?M)jGZbgdkl8Xstd
z7TEZRM2#qqiPQ{H=4hYy)Gk>iFW2;rwPo3dB=@80zULTVI_+yF)3bPPWWpQ&(-2<G
zCYzh;4LZ5gw|d4tMw<_E=)kJ{bf5e!zHliI6C%;pr3Jnp2;TpO?IiP;mb68Fzj9C2
ze>$1AN7>&j&_P=X_dl$R{H3G**Y1173~c>}&H5jgCA4yFU4Fguw>tz|_aDAjr8jL(
zf83||Z@|j^^8R=C4*sQn|15_~*^a(mWdmI{Von%<yoe_g4r~Ft&LHyljR?MDn)BH7
zo0Spwc3fb{XO~;^ww^;z##><CbsU^SZQ8#dn5H>D1>OeqK7R?j98BEn=bgXN0iWuO
zNW$w`bv!U<^O)+(Y5Xq_cF>&58C;DV;jZj^pBL$$7UsV?EwF4_<1ULHo@hC%*?6^U
zrRYod<>>--HZ$rV1P{$0C&$+0KP2<15^w@vbh33lzIx{Hq3?OxVHl}H)8pOw%hdU{
z37fKJb&OJ=?Yr8XV+W=p=xWp`jEAh#5OZ-VSu|70C(iCq!{<mRWslGd4DfaI_8xeb
zMw3j~ydhBsjB?$ro4@;M@k*6z&>d1W)C@F_*S}~d3_<F0{6sS&Q6>Gp767K>D9uR!
zBJQ|bJ!mW68*P0(Ha2zy)Q($Pzn1Kn;Jt*KZV9r1V)D*BAS4@*10nu<5$aO*ltPL?
zBi_5^T%kV2yA{Rui_<cY*Jc@wppGg7o@`WQ_@AdbaL@xZk{7y8-S=F-Cw30~%Yv^*
zijf9iK0vC{)ZSdO`ON~8XxSkYFAQY<waOh>&#fHzL=Jqn4Q2%sVlGhL-p<2rIiG@a
zbwxBz*gqyQETWuiv>e5Aaw-0|r^8K-8|O|-zt}fyuB@!AgYMSTuV>an?gBv<fgC5b
zb<Mk-#9TvO(9txy>_LyYV?zu=zIJl4ETE&ozjm_Hb6W(yD#|s9GWhB`>oOs8ZUH*8
z7#=s!u>bVp-iDa5{S7U)U6R*>mgv17im`q8A(z7}wYSHnv3#Gt-;w)`fx#3kprhDy
z&u((Jrd>OS#xtnRegA*1AqjWl+X{+njypqsf6=MNzgeIhMsxnNOtIsTwA*%g9vG-B
zbd@c{<et*iQKop^X>cP!oc!;#pMh4?(~eWt7bwYr(hP+OHuvGsdj`o;exvxlT{Z0}
z&aG*goZb7ZDqZi*w(zMRHmBHB*Pr5TlO|m!=yc!BasSDU!)^k=uLNC=jJGa5G~85v
zVGPrM>JY<z+)W-S`^(!EdV2cYbTByFG&lCcJx75jZUcCm;8<tpjb2d;DdURv{Kg{?
z!DxHW70ID#`$o)li(8SmWI4d>0LZih_%><KGtY8J_&h<!e)#!W<V{axE28=Qb@M!P
zvcwTC@O2Eve|)`5%Kl)95KOebUe~nxj8D6d;x-02Enu2=NSn)qUViTc`0jM@eb@83
zD@a`yrWA*!ub>LBnxMZq_I@?*R*=}dHs#*>5!@reLZ=0a63c33?(t!Oq?bvYTPb=#
zZS;?mZDT%$hLwsxDL|z%75|^<<+}|`1FoI6_qaPwXPf=v&~nKOI_Ayw8kOhGWVRz}
z-7#bHNOGQ_i5vr{o%Oe>;8x6;rl|jPi)h6=_kJ1Z@-V<_3b3%-ET9|A7El$xttH#Y
z+TgB4yT8!C?A7oFQ0trR;Pa;Smo%&I0Pg<94}~(Q-dFjctJ{5$5EuA%8vKmpZ6d3A
zAQfNBo=aI3$GGM!9La_#WBmgX9Ff59Po^Xs9(!QO5N;~TC;$+b!ap|SCg7x_e|MCa
zm`*upduX@&QBZ|h@k6hwY|&z%_eP+sP5YC`L$!zkbw+v}&zkOq9qpm)vPT7tWRa`Y
zwkFopFNMSy4?8E<MlP0Y^gd#ub8$k;KJ?q<h@kxQ@a7_BJfxl!#Pc?9%HNY;uKOTF
zqiG44F<`R!dXk2Dpknt>bNY-ZMGt++1(28xEe$>PF{WXNiC}}Zp&gXw{Ce*ERYi)B
z({z|0HgI?NPwfkkG;yuRtDk!UnBV>ke1HyCx*|>y1*R<U3T?_LGTox`SFY_-(>u1P
z<))aNzG3NJFrM%noNACJ4K(Fe%?-b7m}q_kw;IL9LsIh6>AuH2UjN|j%wRuReJ4>+
z83QWS-<q}f19dYOz=mG)=U#j+;3fRBs695=5gT|FQ2l_cv*?AstnB@OZy-TDP|Be_
zzWv|<;jE0f$ea6(;cijqn-Sx?IUlM4x3eB3@+|y}CN;=?3+(nMS^X!3PqZgQ&$LBL
z?f=#xn#bbqNf9#-^7roLCw~u6=gb<V&V$pfPqb>tNt{k<x(yEz`L6QdPyAAx#>s_)
z%gW#6@}W5r5^jcIMnHHHQ>qWucHX63^-VVzeR^NxE?TPa&)5Hmm{~yfUO?Xaw)`li
zt_&~~S=QxJ>Mv)sX<K@yYF;{R^XBFj<?Ff-!dGWjaNsM;B9PA4)-X+OxRpyu?E#ZO
z@OdmX*+ixP!B%YZ(H@virk$H_qN<8sc5hW^-EF&6^a(lM0i!p_F<<V5(4HKfw~Dh#
z893h`RnbURz9prFErS$be`be)bTt`cCXe4g70HwJ=r7n#+)97tc-oTbRi4xX<(EK4
z=})5sh&Yh2La8tQO|7m4#{p1jkJ&%j<{lwsW&X$EuHJt@>mQuU7&!yP5wic-9pJox
zE<3@1*#%qyz>44hQ_1$L9PqFIihKU}-tYhGcTs-a|KlG_bwpp+*Lhz>M0)Mg7`%Vr
zgVfMwh<=%7aQy{#R&Y&e=|=^;k3a5a26Q_UxYq((Q3PY3Xw(ZH+ks$hgI?QgLLk^+
z({;M|@z%LFTsjKq=G*|r3)|cu3;Sc4t2-<6;PvPEpmR2g=5;v1lIF{@mLp$YFD4?}
zXNq7a!Zhm>ehby9&7Rw`xr4VW-YXT|v_2nM<A~6@NPpPOpZhxqUGX7=vx@_}UT1+_
z@!qMQRnK3qculUpx{OB#uTR{qHG)>N2f@n}B~xn5njz`mZYk`qipo3}NwL5eZbBX%
z>GQr_pqu5!^z$=C&_t0CS=fK*bjHl5xBU6`+lzSb^){&|;8U9Oy*q}Z{khvD(6@6c
zgqs^LEbz^_5QXFfiYH*Umf=o7-ivUrf2My^C6vXe$=~CJjca^gBgJ}o*6xNup?1h}
zUE%QrTaJqWJbYVc;Es(GM;c6!7kDFddBO{&HsUEH>jm9ibv%zHLB)}=W``+a=;RZj
ziW&*ns0{X~&fPH1_%y=$q)DaLLqkK=RBrPgy6N&2Rp4TY*&uXEzhp)qZAAY$Ehn4`
zGz*wOPN3cRo@^{`$nOy5{FTa2&Fq`bP?viMk^u)(L^}a<Qvs#_-UIiy9Xj|tB31g{
zYqPME8ssO<u*GgiR8!Z<CC8km{WhuL+i=*v9AuJp)>E>0Tw@P}fHd1@L|>CiNoT!*
zB%)H^tprc!kA+q6;jUB@@B8JISmdjt$>qpbXQ_j;=XNX->>0q>Fus@Ceq<;VY-%&&
zCA?emGg4b5q<qj#NaTzbN6=K4?W;w04Eu|upyH<l;;)S3k}Mn6jw3a9ABu7*UyyxT
zy`k?5OWAbMVv`Q%tiAq-VneH;I-&I`saYlabRu-R6y{zL`4R`2R)(<04!$j_R-(cD
zi|m)%V#HkQtOIj#j`xL^{jftbPx9G=vxcuUBw15ea{+=taY*`Qq61BjSfpTSzP(_S
z@X&2XV@pe4!L=I5sV)Jte2v$x1?o6+)Z?`(X3)8LwO1x|1BSJ&o5ei9bk6*ajp5S=
zy8P~S^rT~HplN;wlgm9ls7IoGb^glSzf~i&O#?3&X%5w(8TPoD)D&efuY6|?Qz;@~
zP2vpQs_(m<3NvuN!I*p?33KrTvo(?u!bUvoxavMLwTeb~1Vod(tl_?9<x-{fEK5h0
z)1N#!Bh5qEE_)<wy-Rpe8{rhv^fHaQpZ(uwGP{L_8LM1CAxN0k0rErpdITDpTQhwo
zXsut~xE(uqUsoiic=Hf#$G1C`)R#3Rnq+%aGS8M%yH8KraG8Kr%GY6?7A?W$LNEg%
zw+Rgj=v81D177c5mczU1Lx`k~n~CSaVzUFLb`nL6Ppa%Inqo;_T(5)a?46^<%3;aC
zP1u0cetd0eT+a<ooBjlu!KzU<^X^0HH7(DC)KeENny+N1+r73-MkPDr;=<RTxj-(I
zK{RHqh(*n_G1QICWR->5_)uvo#AW6X!sm~5Zd^zDOS3JWx>9Qj2tM9qf%4Zn0S?9^
zp8!2z4h~xgk;794cttaVI|$97$8|pJTF47`H;}^XW?~N3X#i_Yblgf4QW)ra=Wu(H
z*m5cDy;0=3Jsr8IOs_eB-c-x)1p5LzaRd0>`DfR=@zJswT3GdiXr4GCpSBIqp%FBD
zR|VV|?h=?$aS^`9J@Ni&wyfi7Mx9u>IDz!J9qQ_hhsRUt9A0KqbF*3n4jfX)?F9yW
zL<cVl9n^Q-D$BiF8xWi&XN!j6XLzhrS(6JkbmJwC)dPCV5>u9FDpm4$A;jag=9M0g
z^%jSl3=c9J_viN>5ni@hfc=|MJofs$*>=l?ZXk`X4p&dgmeX6#GY^&pUAfzzy^OJ+
z5-2D!t0uv2POfbyzWxyHb%zhzJw6voxx>83lo}CY%03*wrf5SRcWb`txL1h~D1dmp
z!``7fig;ot?yBKn<~=4mxh0j3;t{8(V%t1i6Y)G#-Tsbx*J737h&A18-BAyMvgSWH
zdK!xRv^ZYxD|=ffsis$*ev&epPJFGh>&5FjbDf?gghA<@=J2awh`k5>ptReR-9h*Y
zsBxEK&uc+h@cq4p6*{fkkAcBoEYL*4C_op3^dRk)$k20z18v5-+d+?0(q{x@JHD$;
zt!7_n&hJe{%jND7xhua5tPFg`5tLR3haow?YPm0n&r-*NX-jFza@Y6$b+rWX?4eR`
zUPeLm64-O;RXzAEZ$`9*76>98Kso<@gF|^scf}yHp-zLL720zGM=i$2sN~DgiJsu@
z2IZ0LeC@XG8vm5CCCg4~7~4Pw4t~sm+n9~S)Nke{x{MkxjuWja$|iiWej17`OTC?w
zQPBmJgx9zBrP?lii22hrlTv`Nezdr`*5&a5z8uqbM)qtIQ~BfEX5m?uk@9y^8tv`M
z>o%PvV%Q=(y9he8TZxR8o;D7MvOjD>11GP>B^#(2P<duQm$YIaO4A<T(2{(cHk*o;
zD{a|B+IomNSGeRaM`K}<@zyk0|9FmVp@?<N{Zrrd-6ClZHB7hgYJL7N(!gUud8Zw8
zzKU#cO7B)QSBhjErB+##Z)dl$x}hNJYs*AJpo-#Pq=oBQ<6m$qdE^DVj7`7l6}$L)
zeL+YO7t7<5Va|16bq*LL;VpTggkRFG)4fqra{T~0iB`V5BA<0rogWq;^=LNxqpebu
zYorgy+y#ynBF|C~O3-t(-07Cj1^O&5)Y&r6WF0X^Q>JV?xRgn`j3St_kJMQg0Ld3o
zQu)Su^f;qF2ZP8j5~CvSg*Z(HyG^z}yKlv<qw?cbQlW!fSIb<#n#%34k0_ydBN8u<
z(f#?@KWfyCar>aSyA)fh)#gAZ3Bdkgm7$c}l8vKMDvbeOLQ?VU-_$2>6zXf}lVtO1
zxJ|9obJMt&cBxLmV+oyE)`LdRA5e}YjJ|i&rMXH^g--|X8wox{Tqge12Skm<aeD&`
z1A|_25i>_6o+5KDZI69yhHgI*2i+RXXu1VeuY-r1Pw{<PIc5;3j}(S_z7mITgJAC#
zG0FDWIifzEnaA**@u;CX@Yhtt;*jRFy5^nskU&|W0cCr^j&Ze^4AgLD{w^q(1>h2b
zGfpptMFuhU1oV=_#!+3y29jEBMwzP65p%2O+TjB|XqA&%b(^-N!%^C3u@bSaFPLQQ
zLR%#Xi2ZsppM_t#5D?-wvN#3?J>iyaEE0zwDb-=#dib2EL*hiq`gWEtrrjD6gz1mx
zw4D`NFUM7aY>-Q}9a+moX(`><SU6<+w1;6rAw;=3CyJ^dXIzd$2|7Mn%i~-El?hf!
zbf+0EXKFx!miyP7ZLe->?6r4Wd#reG2e$OiYbs=>fEVQL&Q)f`R+<^p>0Bv>21%S(
zHy>g$m=UVvB76#4DiX#$6TYQV39^0Lut@1sJv@{OVWMr3N5ed^v}Fn^_(0{F98`da
zY!$eMK9pSY^Cy%fG$|*xHY|h~EkIJkNmazpQSW4#TbCwi&Bu>a*hZ49p25f{a~O;8
zagA*tL{5|W%bR66Lhj{W<4R$NLdt_wV!b$aGkjF^9TU=C$wO;+<>y1;&)Kqfs5LQj
zNc*9siv&JBC_W2L9z7DneTDAQ=lzHVueBPP%CYLE+(kUKeh}9-4)MKNw$u}Szvpo<
z9PS;+sylGnIHMVt#BY-M);Ht@iwoke-Za|JcCRLV$-3eV<@_1mOmuh;m*D^$UbMV`
zTJdtEjOIG=r<Ja!@(;}pe+H>k6=lyY4OvciVd$$nqeN5=wi71DaMFwp8?T587aT59
zd!&Tt(b_R>F*_J4%j#JBN}KkRLS3h5eK7G6#IU&xDKV7`o2xk(xt_9#C)T}yDhMIe
zwG_tHayiou+fQgUFj-^3f6F#HErV5^$X{oC*LdMSeEk^Cs2I`jgH?Z2ZLLxmn(Yea
z9GwJLy>)9T5{Y*0XAz2}A{_Ijhtd37Kn;EPN+<Yw3TxI&=us?|(A7oR&E?C&y7|?+
zRiTFKdmlNguIN+Q(ZDYyA{}j69UF7zn)NQRwz#Cp--X-O2;$wmAb#5of}KXr9k=H1
zdoiSc+m0q>J_}|O3d)4tB(7!wz~AxXrUDll>v`zp=+3K;vt1-X%@NwPB<u?N$6-5l
z@4?$$qzJ4iS&b=MkJWkXHn${A#e!8p_1V-&7Y(zIrqr`WF;vw>vUn1Ujg$)gSg38x
zF+U-heU%ioYE_OVMHQt&!Lh>3nvgZ5EGkj-az)G$<-j(45FL<=IJ`i$DTxD-O+@th
zh*CtDtH)4)-81u8Hqp5;_Q^x2neuQU7h(>#deyFJ964?@@-qqb;$~~Tb8hN_Xq5ej
zyVfroj?Qo<Yf)wn8NT*CI!{_&%<6Hge|zA$pAY_I5y{zs!Mb-XbSy8JZhNk0FSxU4
z2^3pCabG!vU38xYk`W@ZPLtKccE7x$0(17?!R+`wwhKtb*sJv2Up5$nJ24G07*nSl
zoCgC_2`_p**fvg6Kb9TgrhUUYiKx(bN*7_2viE`&7t7)XTdrgTTDoqAz}c(M)>l8H
zb!jf1qzXndXfz5IX2Ts;=15T9en@-Nt3f>b=4mnuIW((!RD`;z!1T?rHL3Yx1Hw6F
z!^0TmIEX$pDC|NzQo%rSF(M!W$s`D~)b0>Jw>CFZ&5Al`K>07e0!kc}ms<SiATxQY
z^RCt0k~%y~@jhBMa7Nri<pr71#08S^5JVqTZ$X%^=#&WO(Fr9IY4FX=?5qLkV!rwM
z`NrLXeEQWFw!Hqr+0`9uOH!aYw$d~-s*fXi43ecmY(N_a$*#9GvIa+c0zuYIQyqvT
z^KSkHn1$jv<`Jgn#o{Q67*4uqX3Ce1FXVQ%bPa7Gwq7f>na<!EQU~m3G?SDpT-q`A
z;*i&Id`{cq#jO}!BK4A{)X*A$V+b|}SjXnkbe%Kb_-MF6sMUR~&o8v-d~yK4(szTF
zjWf%rzdfr!pPR{X2Z9vtDa<gPS|&<cOIo<4FCWiN(q4+U5(84hat}AJGBh$%Qv+I?
zbM~_Oj0-pHF~kI1+o?u>Fd~h<QbtvOLT%&%ftJe#Q)V#_u@2->&m*=OUBfOH5{0Y>
zV(!BpomWo#2A*`cC})BDEuc^X?Ylf6_PBHvO#~v-g9+-|hu3xyGuW5mtAJTr1RQg9
za8)=`gOV}BP1jLUAKOR^)wAc<eXNOSYKwGAZgGL=z5#Q{D)B@c<i1qnz?5@1&Zk0}
zr4dAx+-|&#@(3bisdP{yp%LAY1W@cKQe2SlPR~P9t00vnVPbVu*`$bS+DEoN#0^H0
z*k0+=$>VwfwYV!+Tep!L$->x5=FhUs>ijd&b0;^nYxbOisRSN3^4Ve6%RCKYpe++m
zP<}=P7^KMs0jPPjGFL`4s`UpVpO$L^C6nsK(qJxcjo^Sds*$-QX$ws81!mbW>Vg@=
zD9Fq226#krMxUiU7I(-pAIm+Hgc!tW6NR06Q5gfy3Evx-$(>y^<qdD<nT9%ayj7##
zr}jzQGl?v8IWFh=hS+uutw8x)%+N4Reb4dnA(G<TyrUClx7ovrG9#a(YYA)w;$h+Q
z=ddF?Pu)X{KE}9X!bX=2%;8MO6-X+aSc6t(W@81@>g=;**D``O@1swH-g2(^E`D%3
z!)l~C5KQF9Id<DSOls^od!#as;xd&ena_NB8)2Sdo7J>h6&`#D9ES@W&utn%Vmlk5
zdhl&o1WN0y$cj{-H3*-KEHlRujkG(DB?q@kS`dn>6LnoJ;+UFSD({5j6^aVq9{B%c
z!wWmrmVTk@6YnDt#q7`1(u>xI76eC9skHmjq`x-S-j!GsK6`ePX45rRO~jFfJ8j&o
zModFvPXD1D_z>P8hI%;Ri(}qcIKpweZ#P)*Vgq#HJ9r;v-7fJ`T&`$5xdGpur0EDb
zv87F!D?~rf0u#C-Q1{KBYtfX?AN>KCTn73%UL~>yw6h&`S}!$6%i|awE$YlHkW*Zf
z<T!I?J2=;!9|9nPOy<7nwL%mYJr{dUUGz^xgG>=P0Y4pNOcatKIn9rjPO1TNtaU*d
zQ`1!PaLV%RVva#Gy#h3NZ2mPxIoxuDZ-;7xzSEv&80xY(AI`N#jZwsesH{a$p?*uH
z#5;njiB55PX}zO-=YXzC>gf;ERq17mRKIUV?Nn}<rA$Vby$yUBZfk=cit#BN1CBhE
z5npU*fthR8rPesy?6&g>W<73$te^iRRZ?`w8h(zgPL(O1NQ%;z(x0*w(aJG;n8f}n
zoT9h@?%viN#z3Y0fuR*?>W%kS>gK)^&ErQ=PNWO$jG)Bp=<X+2Lfm#5YI_XBHbzd2
zMgde-hSCr)(BXwpRia~S)@Giul0@6LW?uRZP~$+;l6@F}2i)m^lJ3+{w6GDlvk&_n
zgk0|-qu`si{FWz8fZMDk_g<>6Q6;Lmb1!7lw0E-lL+{r;^TL#=A~mQbHXaQLpYh<Z
zlJM52j7*op5&J?QPsX(<X3=a({J_WnW^uky#NzW>3rg)uEzFci>1wAeb8cGtF1j+a
zZDOyu<DqEv0Q(q0y*_l?r}r@?1?JEOGC@l~B*u18;sY^t+)}otlMdRRpF<=S8bhp)
z9zq+9-)6GsOtkCw%S&tzBl=0g%My%P5gKUNCN@#qogF`3iAR5?H`4(fkDmxogStfZ
zA?NC&l%I;Hd9SiwDo(s-@3=l(!vdY2MSAbPJNF{RvW*hDySBSy<yEL01k=cyN<u)Y
za5Z)xRsu5Ogs!_Cdfj;NoHH@jcO{|&p*YmOW<GHWNJ#AH5pf@;-r7t{w|h%vl7$PN
zLlj{P@|*HcK_8Z44L%%rc<(y2Tx+~)7<L%ovzR(r_Ef#5yr{muE_;O_vMhAdw!VMa
z)d9L4Ja@Pf5zbUPqkT^>wm#cOJ=<Zyynbm|CAlJuAD1Y~3YAr1XhcaHeRbD~+);r?
zf8gf1W22K&=eq&g@?Kc%K8V8oh0qB(g)SJKyaZkU0vl0CHjsSdoo4sF&j6ef{M`ys
zj2(qFPNEHYk~MOe6!n$Ui9tO>TsGd0D4)#TJV+U)J?W3%bXZZb&8uRLu&>qh&dAf=
z0}((#k=tIl_djxcYuX>Jb5?}z@_jtrzsVWsnYeoK3*Q92*SIPvrMPT|uk&2dzx4j0
zzoG%VCOkCn#$9klzHo*pAn%b!%*2J#O^U4s`m|np&h$!U+<bja1b9^Un5|YEx0HSF
xll%Pm>de#BnpIl@q~E|^Ak#+;ByZgAKp(*V<!bar;`hz0Wh4~DOGOQR{s&XHH){X@

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeDebugConsole.png b/docs/GettingStartedDocs/images/VSCodeDebugConsole.png
new file mode 100644
index 0000000000000000000000000000000000000000..17c24b3358d15c925e242459471c20c8060f5a65
GIT binary patch
literal 30473
zcmb@ud0f(I-!@#+%y@atq?0w3=F;NUWLX)RC^BstnYlHY8<v(EE~()H0n^wuWSNv}
zYDf;6nhN2*fzzdF;zBBd;#L|iAdm~7Ao~1huKRiK`+1+w{oK#}zJK@;6!@LL^ZcIQ
z@9{m3<0RSjvg6jj>-~MxrcGO67tXnF+O(x$)27XhfBP2r%j)3IKESWdvF?s%Hc@)@
z=YS_)2cLF6y=fDT@ZH*tZ-D2Tw=a0bZrY^Ps{YyB5mj<?)26t5*tyeJ65ygS)+0Z^
zJT7iSN0eXvpmzWMznz}Tw|jBNR7c-j`-~$)@B9wU{dEpM@K1mJ-RTFH_g{Q+a&qq<
zU)Q`imZY^`clMmwWqq6I`L@#-N&Fi#ctd`TY<%Vl(XUw09F^b}EUDqtVCRuP37Ms%
z(h;mOYC~k5W(-R+7QHdPqJB`lC*2iz3hR%&bjC#epy`-q=9d?=|DRv5d=AT%DEzE(
zpS9QD<oT~=`ZuhSam$49Ns!!pPt8-{a|(-ljhFLPla}j~Jx1%TxRvSErI|-1XUE*W
zS6>bF>e3lWpQWnba%}CB8C2Jlcz|8hW1giR0pz@Cf&9J;NE`NZ(n;+8pMXEjxj(x<
zo(^4fTz_}8b98dJD!BET`YvQrpBAZ)qwd@OA-ZV+Zl0i`<$W1c4^-i}G0T}yqHz-0
zguT10ZbLS)9=D+$O2Sg{I-8VRI|Y(+0@iz4R;^neCABC#Hw1N!AHc`fM@h=qi9u)8
z@F}6nWR38<Lnl9KtvzaVZDK=-i&`O2eF=h(S2n8tsHwTdK&F;&ldt5Sq>JXgDzlJ}
zla*B@)%>*O2EXNQQx<4v38_)em#h(6Vwa#BGaJpT{u@FZW{I$|0A0VjPTi2UtW#2i
zP-XDOe9y*;(Z<vWeM14frU!V4Tk}!z@|FHASh^^9=TcX;<plGU7xV*CY_+aON`ROK
z{^1Xo*Ef(*4Fo;BJ$A_&w=@DmS-`oA%Gb!KdyVs!GB2^487;w&nsl<Qd%S$&kVC|5
zv82O|&gcMEJ-@Q(lj2CSoNiX2&r4(9zTUNuV)&I!o5>sUR{UGk>nWsG5yX`05ubHm
zc6R@<S%N}pf2@H-drvU}*L~PXu)Szew(%L5)1HlWU~;C_w_|T%)^0BI({HRjNJSid
z<-sLVaT}5i)d&hB3O%diP3kMvUVzXpx@WePn`M@sjmc_D=avo#<;Hh1_NKa$qS>Ex
zU_T=!hlJ}*IJqQJ$d3LDju0dq5^uw=^5F)S3yv^zzSkoU?-8Fj$nhpNUzH1K!%&ic
z8F|eT_&;ISL)SjH#vl6=!TXe(FprpTzyWvafSmyr!Fpqjw6WyVY&d9>=~kJ@b-}vi
z-siLiLcVsl)Ns^7g61^E<o0=(^JA|ODR9H55@ZVY6nv7^UODZFlX~KlZ=Kgs_^)^2
zbhGa5CJ)6&zvI130hLBLAO+wU(xP2gqfC`pz-@>kw>?B}h+0&2BVQv9Yl>jg?mB;m
zN5O`&blxgD5p>ecr>kpSxK+!Ro_+k3$8nI;Z~Il?^^UCj`<2<;X6gphfA!D=<!Swe
za=mPBb*F#+Z34tA@KdAg8#pOu<6>GN-tjkNid(tzPnSz+cVn=dsq*zq0un1f#!WXZ
zXztzoWgXqJz~r-jf*;ad#Eawv>CdOYuif(-_g-$7?%J62U*klj6+>6eHa>|wDW_we
zyZjw7YO<#F-Yq~ATb;JC0{%%mASGbpn<a0bk#2f6A9bY|>cmM|#Qr=pZev_ve8u=G
z?2M35oK_f3a``^il5{lSpk`4yhq%vP^M=m5u$^Sn`ff9o$uVc0+{Sro#*I=JK_9mI
zD(3J5w=T&*NK`aY9%<kCH9B>XQCv@gJd=mZu8kFwx$G`@u|2n$g8Uh$J5?&D8pGVB
z>R4c`s)v0y{_;nV+;IOkI`yWqaKp6P)Jl4LSVGW3j*`obu6Qlm-ABDn>Dzbgn81_Q
z$LP?wrT?q26<(Qfznw>zvVUouA++nteJ!sk?y)f~Pz{_Gd*r)pgar%<S!u4~^w%cQ
zP8Jp>_dyQl*YfXk7ziCb-<gT@BhrSf`<$9nMSbIX^x`G#&6YtUT7|TV`r!Pf0PZz1
z7m4dXDUpLI47>{+h`9c#KQ}U#<JVFrqLm75RRQ!)nt#)Uub3{a{1o?S!nq7Eef~->
zSW|>&zI#IeODDW&zgGR@JOS2p_qdyOR*fIjn6o?Cr^8CmiVL}yJG?km@9F7T2Q&9~
z<QFTVeY?e0a)qYOHCxUBE?KHuVT;0%L4|7>_!YN+w{+t>#$gCp2-QEGp8vQ0Be&?H
z66cCXZYfwO%$&M?gQTj$$zow4hc^&75p}DwJn&5*>`Vg-A#)icm1@iMprR*`Yk@s*
z0&f9?>(r^~25LfK@!?L+_sI1*sH(UwI8B`lH`K{<V|tpku?pRYjTTR4<5shaHA7q-
zh!CB=?xq%dju^OL>}RrJ#L9^Z!}$cF%Mj|)PFrnqJFr5u_79+BPZ91!5C#1eXzAKU
z$GPsOHSbW<jU1y2R>+uJ;7o2pjc9gtv^f7-bWd>-%&yM30JKmTsUj(F6J5Y>gt_1M
z8^Pc%lPG=Ws*%=Hi_`$uY^pEUcn4br<eU~9*EDQ{?sAl6T*t<Q!^}g{Ay<S;jqBfd
zTJE8Li%yHXd&@$FVVzpa1{IID0CgsMh2A2UkFS;Cq|`_Xl^Vs8lfm%|#T(0{^*9Ir
zGZSk||8yJ1=$a7YozEE=Yku?Sq91%9^^*w+%x=3?nj&k^*21?{$V&z~e$h^=DX$w_
z{BTV9<KZ>JgT)E;ECnkLn#&YF9)=v8=VN*?qW7d*zi?lh7S^n>Vdk*lb>~2=9f)rn
zd2oy7u4K=R_$MIEvIvyBBScW#Ecbl6BUK>XO(*2ve`!DEEo_k`=hnMZDL+Q9izie~
z6BXa^OK}qp=tshN(!8Tg4^63cs`QcvP(8bXsHZoYE&Dy!fBT7l-Ipw}^yQ*}`#rwK
zn2;+Yq5oKuZ>&#DtUYd7u>KvH|69?`r6b9+Kuyg~A$@0LlI>%MmWA*3Py+_W1xl9d
z3~4PL7o%+YjAKbwA=XCrck5TJaMP?cU;UmOpj7*>z4dQi?R3E&zjQqN{qMEpFXg(|
zMRm{t8x_26cAnR6yll9DdkZ$+RwO>S?&7U3=XWRoD$pf`MXvVwV!!6P{H#VMetPNe
zw|_i<S|`-434X+Cm?!km={Q=s8Y&RK`!Apv$iX!h=}wD-&;odeLD&Bo-uy2B$<RU*
zv%a?4Gs7Z9F|aDsl1wy0I)sx7279tC{Uf_3niH2|`PxOPj~1*5ZV=!iuznW$v&)(E
z6zt098`ts+qcTeDjoXnJOoWaa&A>EHJu>PrDLAl=FD!ZPa)u@HaQy2&z@uKq1*<3S
z$O7vSurT@ja8;fQ$$o78orR#deEGaChTjp^@Uo{|WxhGzq<|g~FoRW{i@!tQI;k$I
zFB>Q`hH9G3U78%;4hi_-&_WFH>r>KTsG)w9@v=Z57_mc5+~wygeFw63mrl$K3!T2a
zN&W(6-sx%o_|hL&pJwnq-WVq%E_}E!8WwY5#5fkRuthUiAxZwwZJ{Z8kaxdU?(7d5
z<|BzSA?3ik)0Uq>5_A*`Qyp_=7zk|Sw`Z{MvI^KN$HgcVdhv{-N`B4?Ggz3uK3iA2
zg(kSBUeUQ@w!r<<U8+7E<)pc${WCD#6~1&ZEZ`m&r0KjyT3;@%^B=H>g{b~os{C9H
z=QFVPS@v@W5=R!vv|rL1a#wyqz-G;#>U&*0lYYS+zdA^B#V;&GIiihxjllluIYwQ|
z_tkmWN2ui(#~##lHc&W^fWH+C);sY>aU1I@mPwn_l6WDfgI8Sn<u<O_H5he#LBK@I
z|3XlGS>^u(JHJQE)>fDDSS0AgU6n#QEgGqVdiFw?00M@uyB<GsR~;FS>MM%{Z_?fe
zv+~F8DwgMF+h%(5tS5Nb)kXgFV43FxlM}!_w~c&rfzsa*4qqPbz-aBxhLr&CEA&Ww
zZJcq=tn;!?ZAIta<UP{#Kl>=y%K9C)nqidW)5kBk=PeS9pyN(4Lmk6|(fR+{E5*xu
zfvK}Ou)5F2ShHMu;fM624ld(qA!!#VZ(nNhVb}Vm_#PbNmmROB^fC$4&BmI`v)kc{
zKT;UiteEKe6f=<{hL!ey{3P=DOGS!<Jb_q?QGMB{sT!~|u#B*;G770?W@O_NnwNE&
zd<XJT2wJH}dbzP<&DJ2z&-)xSqu-u#(44qbK}rn13)8V;`34hX=qE`G`vvh>)5z{-
zF)h@COIQ>Ng;7f{;q9PTmg=C1u?x{rD5S!XbA+$|algp)h!u?S;B;liC#%i@?|E;_
zPBY{|m$V(QS_jy$j-s>p=`y#=N}T(wqQEe)LTcs7xv#{iX3bPfAf$(Vnp8LQ7f_tU
zmi3auhf^E_)hmBT7uf0|*lx{E^KJ8K_hnyO!uq_!1+MVzmATy}h9xfgI?S^=rh-Mu
z#b8Z;7iR6=Af1sggbou?82-D0jPl}!Rj(%!R|jW)F=%|LUfcZNt5&TGs?OamG`j-3
z^MJN9j|)2e)_ma)NV2<gwV}?G*TsHr+WS6z$1KkNWRtM)n~!md0n#|O=ajGt=BEy_
zY~ks&_r|8M?_<ZdGraa+IMZ4j3JYJ!ZHqa45?PXW?hqFQ(=+kIzn~7AVdxtb#|d7x
zlSfPnd}hw6#x){zV*|D)NvW)Vtm{q;4i3i4-yri{=wBvu(e8rIL*rjo7rOK7_a+aN
zSS0^|`mJiGZSr*{BEVs!Y5n0&MU%vM2L_IeZ1cN#=Bf0OPr$a=9lMYz&Ak{wr31z<
zd)nFSF_D4(lJs0gl1vKJcU{;O_*b6eJ^m7@#-Y}xfBj?Z*?o1MN{jn1yx^6y{oR$@
zOHv`%Cu)LWz)8FiHQsE~6%F~ee5}}o6qye}pR}OD=_uq9zbm^(%6(0hB}4)nuBCy&
zU>Iza_ySi_+Kd=yY&oLgr}d7!=rQ?%c`q|bShAKT$~+PNcK!M#yQ;FXvM4UO@qpbF
z@K&SD>%oMV5t8`BCj*^zll@$tl#pU3*{b?mqoFM_!#|o$GZ9N)$;Ah@nOrtNr;RSt
zPs(OR`vY&%#ku#7K(v7ciwM>M|9N`Q_)fXm)|nTkv3O&L;lLahotz4EYR!e;vI>vV
zI03QFD&zC)vgEB&0n%B)2`FAuDdly?IMZhn17hhXs7eQDGLaF4xKm<JXfiHvVv)H(
zfc95vIGu@gHN;f@x!F=)hMMiYmll`7|M^+H^n-JgzJrjim#47#nydWqD{lT{%^s=k
zAu6Ksyb+G`U9*GV$hbB4piq<~BP)Tz5qznJij4{#^<guVvG6lZjP`0rnVa*8er^9M
zxqxwfw6tYMQ;UON`m!IlKvuUiFOFS$%)_!I9dx#xev+yeXsVJ8W!#Fak#xthwPP>Z
zJadY$&E2#6tTQ;ar<lLmRxKaw$O84Mz^Q#;U|K@+fU(=WA3U3oois7~r1K3S>1J9h
zYRIrgh>0d{2@?O(X7|>tAf;5+g>=4+wwapO;OAgnDTsf9<Tlren>)mTIdibhv%;~a
z_z8;AF2sY|LXq(5xvqqvHoN7H=(#EmztPl8_dB_=euc-SnjUeY`8Ov-D?zl%ZxijS
zC7L^;4;J^h&!-gEIzitc+jE4~6;zL_Grvrw6uPvZ_$hc4Ip2JF%$|xR3^^&w1+?Q7
zHY>MS;wxVth?`4XRsiATEqei*o!^wK|93~comP_Zr5X$Tuv-)MNzp`6YoK$Q1HWSy
zKmM+MsWG+82%GIXGu1(;Q+<LH<1s`9kOp7|l1oPM{w_STc3yp5z*ucc%SC9lvyL3d
zYm)X{+7h_}d8rzPk?lwSgj{Xhp#&nkj+^0zj}a6*a|jByQ{`E&in<e#pBp98K4lVj
zlx#r_Ub>j4+n#leZV@fmZB?96+~RBXt)LK_i4;ufjTw!V1>PE8_UqUgYKu0cGl1Qf
z1(|Kp<p0od?+E_0_erpYhDIm$*<&}`fSJ8cBdGTVUJr5Q!*^qzI45!r)ZPVaPReTE
zH4F7#^lpQA<#Z-E$`LKdQKY!pbnenHuihm&@%^sAK;O|oJ1JO-`YkP*t3*0y2h60q
zGKJnj5leRF#anM7x7MYimwge>N6R7-fe5e8xuI1RZ2d6ZW(FMFwYKu9it5HZhQhhx
zs&_8?2|0-b-Z{?G^~y*xG6RVGlfes6Q|3OZ;mK^RL?`^Do9*QEbvtlMoYMj!Gy3uL
zJ9?90Sg0d<GKHxg=)w~Qx_=V|(SO`~YMDh>bk3;9$q?4}aSu)%(0w&^)3CZCwmjDB
zQ4g2rg84SlkJ~_*%Ze`EDlH+QYe=J0NOhEt=IK5@@L+htlU=biZ_c__>N(@bHI_QY
z<_}f``sGgXmP(L7<*OE306Bc0w*C)}8oa(6Cs7t!*>`_)oBE8JbA{Nx8~+7*ZhH${
zzIgU#H)d;+61i2O7b(iyP1mLfQSQaKGj9=TE@=&o6vUK$(J~R)iEQ_zDj7`V^jH@+
zV5tUM+3v|K?Epm!^f(~+BZDeswUf`}fC~u#1PC3fJlWnbpz_<QA>{KC#FIq^3q^b(
z$vq*XeL|hwDQ4w6QV#(s`IdIt{pssnn@<RCSj8N@MAZMm=5M`e?=xbr7j9KOSy^83
zH9Mjx$Ps2plf-^U@kRAD`gr|2N>qX2icl|w^IA@n8ou@WX=cKOvjz7aDpkb#=*df^
z479sD*8;tNNvu3258P?1qfJJZvdEI8q9IUZCb;IXe}g}i2+!l@D%Q^$pbhpQoaWmk
zvEDu`2CF~H?~#|!GK#K6ZOC3Mn%M^oQ`9^8FYtBi=>Oy+m-ADwqtsVWPGX5iyP6^_
zgyj6!>&O?xt*%6jPU>%~%X0%gRl%&^k%h`O>MoR0CVD;p902gsZfjuU@w#T5uB4<H
zTu1?84%7I~xO!u}=dAV{wu{f?50<xVhKibvyknoeRpWl3@<{zw&mPyL>pP(nwxYoi
zj%faqA-rjU6RirzRlqNrBi8Ken(G`zg4_>J+EOK(?^>1s;3@p+G0wX1`4g$(phz*~
z!14jWjq9%L`_msXldfrb`Dj08m*IW19!amaBekB`?BFu$FHd%=hEIEeGixBt_iKkI
z5-s^)KECaxorC~_oD}KU1{PcvY;Q{4T1^LP-|EW36f3jhF|usk-v2D5J(i2@<KCkp
zFC)Xrpt8!VIgWxT3>-*jRxT$si3ZOUr*}$UGr8Wqn^TN4Pm!NVT|NDan+-D%&==YQ
zme#!=k*7*@9xeF#`Hf+n!v)50`<fEWJz>WA>3?!Zg`z(=Z?d9=cLd}5nS}7+R*0$c
z-l8I3Q*cY0@^%`G6xa)<W*W1qSPnE@m$X7fW4kV0<9%01ynphC5R2{t*1=l{j2zU3
zDsFC(05iq{*S7J|Fdld2l7V1a&#TE7=u!-(Cez+y&8Hd-=lfH^5C^C)r_~5=Z>+_)
zNpPQ0XUSVO`lcuOK3d4+x1Q||-TFFK`SFr*jP22&@Hqn2<~qm56uT@fl@Bno=Wcu+
z)pkCUh;>3gL*F$yf)p@Hqkm&m&D6C8MGdOn3c>5c_FehT&-)+&MG>5r9BOO<39Lm~
z%C<|17b;`!V=GO42aF^=-td`s*Rp{YrmZ}5`Z=wKVkId*%gl*w&uUEM9Aq^X+DVhW
zgaG0(5C){XYF*JkQM#ng^y}>;s&DM=?#<=n#rE>pdQ-#bL}G$I=Tu0{b#jk3bnUiJ
zmcr&!kR3ARKyuHue*bnW+Z`|Aa4xpqf99%0zVKc<_Qv;8h9Rj2@*LHC+5IG147=^l
z*l8>IMquI~ijN?<QN>=A0Y|~-Tr|XsDNkY-MU2ffQz8_j9AkTo{20=!c-)i6`5IZ6
zO2i6smlHYYHcG7FARj4#3Y$+J0XA6$&_LyG@yOm1#1y`%F!~fjHM$vl;Uz{ZQo2`z
zDY)@irhjS);9^tu9TV=m3o{7hy?2CkzufqVwwfD#tDB5%@YH^_*FHk%Jsa&k(ps90
z##o-4WJ9XI47132Yy+XRpjFnbI_=ltv(0w$*<I*;G$ljKMd~}rYu}wh_ypV<ot^Oc
ziAU4&G7}6M|EO!b)cw4HBJ>-HAy&4DkseT%Ie+d^bYFZ00BP@hzu`PfC`nJ+8S_I|
zOXkHfw@b{lzx`qK#~k5gbrFHbn*HI_z|_&-$K$o~Leo*9{@S$U%*H<MS2ZM*KY_(F
z?1jjF#_GJ_IAdgq6J`k78-%#1S=@J4t}6v%s9KjUulL;es>JE|DV`h|j(@d~;MYPZ
z?@3pBnZ2(~CAU*1cGdS<y_0Vi3?>c+vxR@OcPVa-zVH*d09$;wdW*YeCwWm~e-Mfk
z`%;xsj}(--(+HM$ZTZa`Ys_P<L@TzlZ~NIxyumH@0Q^`!Pft0ZI#PfoM%}hl$&W+6
z&j+E8DG`SREZI>m(qD!doPdtG&#%MD7U&bAI&qcZA%vTJ#oa<t9y_}<&&BWVsY*@4
z3iW<r7euz7%nN2JPc`_rblmn+UPdzqJO$HW7Eq6#W5R)C(9u|Lyu)TF`dXPrZS`hq
z16LcfH;Bh+1UWF#8_Su;+yA^4w)(xOe^=nXBN0NgpKN~pt#Pd+0OI<xoU;#Z6uaCS
z^q5edXXqfC4k1u;L?7qV72%0um_u08D-P+c!x$cDUe~HHS4TLX%)@L@6F*{PD*8@b
z(DHicv%Z#zW}q!^l1KOtFbr#+pQ@$?Qu#Ta3V*$klJL@~Wl*{?4BVdXd`7zQ>9v=3
zJ1{&VFzB>97flOxz1X;5w0O{)Zl-RSii31e`!1Xm5(eLVt!8ri$Nw7&*A;74KBNh#
z7U?aO=XXuLhmicEmp``RZ>;WHF`#p~+`5*Q_$%-+F4`)3QJ5nRG>n%5w9v?ee>eE3
zVSC3ZN2K<7yGa5w|J9m(NWNvumR!uqS912}=PotW#EBjm-)|ys)o(1tR+8k6WhRcj
zEl`$IKJs!8SIDpGPMB*6pMm_8>+d@jpG<gY>B=$QXn67RPz#B#QvQJ0r7C}OtuiYm
zY8ew8wJYa7rw7xW2hRIWwQt%vZ*d*(81d+=lJRKRdIi7cK*rOm@!Z!g{c+3qR=;s0
zgruj2F@UXRmG$NOKO&yQbmIlMqc04P3x*u0<~f}2NAoH=`*S0bF%|*a^6a1CB+yuw
z34FONVhvz<KHlw{L2`o|f1C=4D)PU%)j>))Z6WiVXequbKPvMcxDFkQC(Rql`a%v@
zL9@s6d{P)jSBjr;F++{4Yb3?^H0mS?F5jIPW%;&XqegNIW6>Quhh`eqrYISQAykMR
zTVB;PX|sTNBHfcIDZoYDurMvqPKnxkH?VV04*t#A;YPO-Pb2-PUd7{w!sZ)GJx4Kp
zwKxy*U8=RG1X^k8!~K~s!ZU>T%fmMu;<DwAvXArhh8l@nGC}PvmaNtc0f0$h^!+l(
zhiu;)8PW4wLaE2$ieb)B$NtNTLPEFh@E)n5v`$8^j!Y(2`Vu%Z3~4a#?``AC_w78X
zs;Z8G7k62R`weZ|c=@LWo5f*5`#_9f{8|`SnE!WSgA6MPY@p6ycKNhpCJZN)FzI_0
zG)RSZqK^ydwbPxZ1*^aJO}w_a3-w)W@3l^3aAFMgG%P1m0^BcS7#!}w;z+|2)B$a+
z#Mr+4mVb1uIO39eg&Bh_$)@(P?^G9*-9mvNOwVV=j8!99F!7PyCU{M3Zx*AU9al${
zk<WNu6~pS}B>P#ZkB}?h6mih!ArXxz@d@N2XK&@qlo)Z$aIQC<gC)+qLBw)HO8$2t
zRn<X00VL+UZd^(c;n?mC^KWTN{V+eKhZ(EP-bmnTeG9a6>P3oTHQ%Shl@!6dg1{7C
zW;*cO@>LD)BgYx+eGdK|SU?#qhS2Is(s$Ae{#A{p)l-(IA8eI@k(HE`BrbBE%&7My
zo$qcpXmc4Zxm%l`Gtf`U1I77C!n*Qz_dJRl4!l70vTIL6N)YZO$LUNY=`p7E$o1~z
zv8m#_CyG-R)V&{%Gt)OBZQx)X7m_OVti#aD(Ogiu=smZ(o#oA0p>Grg>r_Q=hl>6L
z$+uf^$>_xKP+M<n#q)|_;`Znziw8|{K_Zb`$KM5(^o@QBW!EvKLW*8audR|#Uy?NS
z9uhX~$ga6Ga{X=_Wcj&ElU`FVg1tWK>#M^=VyvQjl9<z%Yz51^?cOPZO7iY$5ZVgt
z^7iHZ8W+xNBNM!Fuy%KAkVxpe(oXEjq8<A^L%wjHKom0Kz?K+j1g#d|(7~Pm1|GZ-
z<X;G<gm&%b1dzp0icp!f8yLZ(U6wnQm-DL2RBT0Q9%6EkTNAzm{d=vH?iEe2d6`1B
zIVA<1rDxN+$K@$ewLvZG!j|<2RaxIDM?~$8CQegSj+N>$^H6)XYM{#j@f~k@h}~($
zwDZ6R`zT*vI7Ng^Fxy$>8yvL_%E}i~<UQQRabGSi#r0&aHP`r31BIqM<-s_~V$Wa=
z;vHLbT?lVIWuJsxYLq02>t&|c8`pkDUm;#Pa9PmCs}DvDZmVM*rY&Iw7-@9B8F$%h
z%9T-Trf7Cp`jFdLW#g8;z(<F+=S0hc{YYlF$j7=BrAwDu+MJ2Q&r6$@%az{UlPR3?
zKP+M&9iGbXX@H^ygEIp&gUX94`<Ia?B6%?YA3$)<Yut(H2}>k(lshjoLb5?l<-^JY
zQiO6F(*eO)hWta>RuLiKNf+%2pte#3`1qc9(V;1^5b9Hfb^bnJTe{HRl98G}V$(2W
zoPlq*{zkxtelAJxY2A|-6ELV;ZB3K4bxuzsCuzx*x&nvpdVzJ};r=6eTjwmNgvTkq
zECC@Pm>33uU=iq3(uAIgcY_!=xu!JKi9Vm%#DMDHQPs|VOn=7RhN1X&BF&>tytGV2
zBaa}KE~eyE7q6E*-(6F_@#g155uU5k-q)TL1E0~Rr94GrdUS9RcVDD{*%g2pf%MO;
zg~&{sPpInrcjFbx+gI8VJnriDLkLgd%jef}zLO``mIoIe=F_7D!E`rmeJk>@6!wrW
zm!YdI*=YN4h^re+C4qB%hyxcQ^0;hPRcT<E&`ISTwbP2zP6YAcOh-XNOw@@~d#Yai
zNwM4ftM+oaAa}3uTv|@BXP}vubWwF60zprylI0B5Kn4B3*EU$^PL&*f;Lp{dM@|;O
z{T~hUq$od$@<}uyz$&!}!wHnuki{ib3ISc%Ax4~2wtX;Eaiq4N5~HaUFHxSXt(0HQ
z%5|07w~z*hN~T0hpRmNPkaDMxk%_Zo;iD;Ksp;3eBsHJ|oPPVV*vl%#JgYC==}h7#
zsrJgdf+PII+3Jt?xWZAVywR!Cl?x#xXLswZ=4E+Rkzc{L10b%h_9<DGj&7!i25`Sv
z8}l*wyWdjw__%cN3@_71%g}q}3I@}fQ8V-+T(*7<6*V0t3C7Im`Eqw(0Jw-LrtmP$
z@px3gV<!4JIG7@Ayw~#amfa|IO25WT9Nwew&7MBv6_Jic&|GeGCDaKJkNaXph>OGw
z{_4?qfz-H?vJIJhmR?O&J#P1qG7uQJRjMBP=811_`U&fUCFkMXR;^g7=#NxTzYAfE
zdpN>srn(CpY~dr1^|uYzjW_Tyi2bFb_6{}m9+mFTR+Pk6$OBJMhkdIqXGHhNb>IUU
z5w60b2!qxT_yM*^8P1MlPt32+8cqd|Hj9_?E5<@Fuk^O#Q_yTPq$3L)I7?IT+@eC8
z`#St2T&!@oruQ*-^}D|_R~na9<+8q+C-w9Q1x01*fH}f$=#p3U4GHx)3yY0eQt3l5
z2Lx)L&FOA;9=l8G)GJc)a-&;Pt=)UM;GGIXI<z-=!*tnEy6=E?YSf1sv3bx~$ZXV4
zimpBP?8Bf{$5K;H20wNtHSa?tPCTi>if`;_q9*76-j`p7J|$0(t-^lwj<3ZJ+ahS(
zaieB9D(Z-oh<@Q5Fbx;sh2wFE`KL9FZ54=ru4S)Ze_^Njr+FOlJ1Un!GI20CYwc52
zGgN%W2xHeF5JGd$`VGLx<)8bj%8;>CSqq0D_Y)EV2;G8hb(ByeCz&SV&8g!-Y-uOm
zq^%cCTxq5(2<(;`W&Rx;B}J-3?MOM>;he&l3G6y0*uBC;GJ_Pcvkps>aFQpz1Hr%z
zq%N4~@<9rHA-%8Jp=3lpTymJIyjI5%Ar;=;oXF~+A8)ZcrTeBFqFS!RUm52{Ml|;+
zzu`&~Q}dlBW2x)>{&1CpLQg7;yaJ!G(VKZ!VkpmI6c=9R0W%s{o!X)I*hKEQ6sQln
zSFQ|*=&AP?#$(`ky9s<uG%V!gCBrbv(tEV6py)`w|3+4_F#KV)hzq*PtT%OV(GS)+
zgjBYh?d0n2k`8@1Xf&8?xTm^oiL=_dUdl@N?n`?xzeT2rE|=uYm(6E-#~+T9dA0Pe
zaL4ly7)O$}!fuw_!P7ziZXYZaCLAyJ8nf>$cWXz^=04`7q;SHW<~?q#W1<G4Bzd%B
zFZ;Z|jS!6L*wPfuvsSU+QU~l2UR{R*q)8e`D{Zl*!QW96bgY4s;12oNueHg<#N`_D
zhOwp8o?7Zd>d+CG#PNbKRqMJ=)6b8&QG1)9Eqb=9!Bf)lf~l8OxA5Ck3c?^tz&>`n
z1#9`dG}ZtRoiag}CUSx)p{*P9$-yw)WR1WgKS7Z5aRSzF2Gq|zup7~y7tNXRls5DQ
zS9BpUhHRI_>0>B3B+}7q+D8&$5N{OhKM;APh2p31@mcDt7v>gTo``P_(td3eW>j4e
zF-?C-Jp>ph90R!PC^Vc)BP`c2AqwaDa(|KruwS0>G(-wLr0xa>rD{lNhj^!lU4e5g
zmc*EE<W>2lwrKmA$;mX=Pakj3mTR!8JI{U^4~gAw6@eJjJHW5mfd4)mH180h9Nitr
zEa|c)!i!TOc~-RGJ^nKX(N)l?!vgyc!@=5B8ugy?uaqya2QCvE@$S2-hGv!Z1dMDv
z#cP5r*9hA{`Zfo_LF>F`4tr$|=+wf?52$VvS8Dtu@h7Nlk840qDdUk{xfO5ii{>TE
z5Cyi4UK5;|$f3!HYRaJ<jfT4`d^lOr%Sjr6ml7qrkZbI+r9%4!!J0W$WEIEYC`%-O
zETGYEn8!^CuI3ypTbPTz(*jLze3|idZxNxp!M+$Q0g45B*}}C0y2tt!B+ifeRB_iq
z`3l-nMB{?y_&(EvB(nuni|!s#*aXHoY_zZWmAx4oSw>sEs8Y=NoF7wQ=V-!bZrp#^
z!;V(Ea5&{Go61NaVO2YjR}Rh`l5T(0h#a3~SxL2ZtrMc8L$m0;4#KN)caUEEM2D_C
z<Z+3QT(6!Y66OvnOO)lZu4aKe<6Um*^uUz7rgH^Bl42u#lzw~UC2LPWdqj9PHIVEg
zjvXVd+9X!OW<9KU&(jK#tF6x@Wb$Iz9oPO=n@__;-s}&Qro?hdT`Vsfy{Md8aF|&c
z-DASc{?mB*>Fx+PtY5YG1PMPPeQh}x+FATes!wu3SW3gAbQBi=6{~+P=YIY!fU9)*
zW&(f*{T!oW`nmsx%B470p}M$hqfXv<6Ti+RuL1nipaIae#>YQ}g<x-lV;!|yc12!^
z`dty~q(3>h*k)vsXw&_hziXG}s|vpSt??Bnj_h+9zzgoMRUYR<N`25#6e)dqyv#vD
zs2K{4eRyuUfHO~_0X%hTG>}@f{A?~o@144SRh#To;;Egi&wJoF>b<_MQcA>04D+si
zPmZy#$qz0)?|G!e+->|GfllZI+Nno9NF4*95s<u{A09@>B7pdWXESQs?ThffRZVRG
zD+}fT-MMn}Pl|im(!K3m@BE})(GCDJ1aL3KhDgEb<Fo<onAs6jiPOgFl|MRMnls4l
zL6>UEYlD3=xM0JRET6GF^5WC^0^UpUN4IW8{xx2!PrwY4S(=Bb=hJP3wt)vOKh9~a
z!D6&;5-i{L(n0JBnh?xB&ap;(eu9YO4gvF~W-&5^s0Wj|NjJ3Mp^ikuq}Cy+R9bh|
zN9#`Y%%54$lJlPVnq3v}8;!1J1C%C4*hGkkBd#m%r6JTT`_e57uRMD!(Ma~s0@!R8
zq?>De5jn98$rJ*T+E5AlA%dwx`p=*`sG+>RL*K(;tb27Icm4=%z~Kw|lXrjm&+|ks
z)qle9Ynuc&GmTa?JsJOji4nw-WNrJ#OGvzvQ!thO*H-zwxH4X?kvRe<Me<~dwo<PC
zLt*Z0=ujg*Q3dqi5}EUuBN@`X(-xf?qf=`fRQ(Y#=}M?Aby@{HqPvv6^;U6$Aj<=o
z891?v*Q^t0Dk_Ek<Wla-T{n#B5$lXdz5|AI1fchrZ;}Cm&*h+d@4cTi`t{pmh-g*%
zRxP+bJH*9CF1UAG`ZE+1B<RbkWOv=L;yUgAE|B^BXEalxFQ|72oCkI+-jG@WRQJjj
z0eu*VlC8{=bU>`u=C-|P7CZ3(la@5-e~Y$~&(5bRv>SrrlZgm`YYbe8I)giBpcT~6
zdpgAkSAldqc947|B1W4%hX*N2RK|vZOuDY(hDD78EXJNHr#Y&Y6*kXa`nq_?{>d{8
zf_^gF95z-2%*melk35$#{C|KK6B4?JGjsrfO!naxUL3(+t7=l~2w=`zlLGycQ`h)=
zGZ9+8<T%w29V&(9L9R`8QSZDx=5yy6g`UA;kmA%FDf(u(>gP@s&y(oL<1DywxEE&*
zvliaZ)YjsKjCtk5O5oZ%_B4yRx;R;aEOcV&Uv*ZY3`ET9DxMFTUG+;B|IeL>jE0%V
zJe$0IRXarG+78kBUH^yJAGRDDsO2~-Gad^*xjxYUc6+?DD7$v;r-#G!3C>>AS7)9l
z8E;HmPW>Scskp<av?e4*BB?2|VA<B8Js=psuma^n^3+~7jJ68G$m`vd)Tv1%250eh
z{8hV)(ZMoW-xRkNU7;)1Q!5U;0q*}VyNl8P4|W$<*sdACm2FM3$20<BO3&+N@;DId
zQGkSh)B>sj2>5h^1NOM}yGwv8<_2IFD8$D-g_+~6v_frOM<?tV%=5CHH?hb2YBd2F
z0rE0R>kYnkSdc+O!qw@`_~yzYzpJOrlgc>c|B(2}@;@Xx*sS+_waxkcjnzRZNehL|
zsSTV0KO?KGX(U%ID&0wW1jy#I%o{&xH21xUypNJTc~?+jnBehO(km_>_W_^keSX}{
z?p8RF0A$iaiI>djam~&=#AmSPWtl#*#1<VDDMBxg3;Vg8q2lW5pcO!3sf%`t&)6G_
zJ26v}IL1%Bpr-i&c1N}8N7bKr)DKgL!>l)t)N;xb$2~j`0$Anxj=sD_;P3B`v)y~7
zAj1A}2?}64DpRbcC{s5KN?N&xX-MoB8KqqGB?EqthOlUa+BSgx@vv6LbfIH8@$C-J
z^{kKxRbxk})3E#esL$Cky(Y@p!)35fyj(uKyB(Cb)ZZ*t*a75dsyfWL(jVS}G+OnW
z)xycQcv|j>>7N~yhw*3BEHh>qj0j1W4Th9UU*{s2Xs_-7p`BD!{r0cK*ZlH1YB;bo
z8^H_mKMYW~5?_z3m9}SeYd~424aM^c{Y1qamoeY%R0ic1dC01|qVv{U$n>-0f}mam
z;_4K8F@pwYi+0O-&Gjsh{NPM(<zd!=2=&mSX+SOVWhVmWDADOBNxP6SNAJqTWAPf4
zQ9u(3b$RZ#*e;!YofX|zYxucVPx_4(ZEXlHvW%@j?uJ4srv&JoK$FLTbR%Tjk>)dS
zS)^bf3pE^!pe6QTn6RO=XMMj@lg~nUFOTpo{TaUVwo|=Br9Kni&DqKYzMSdI-BzJ4
zD!0S{exoe@oqWe_5-P{hwQj;cZ<qWabUN{<nAZZ3$NT<$mV|4E+oTL`(U&XC_UJb&
zig!p~WTRe?4AZZ*6-M&-9(Z0{=lt!9-QbBA*b2uHFH+SI3S2AxI9jGOlZW`oVX_|Y
z`T4%ajkM+4&fhajU2K`5tw?)KqLhfZ?H9N=I)<8hh+5ZX*x8&6`pHa-W(x>)hSx2S
zB9s?tiP!wVW%wA2EIR<iwD}jQqxFpi*XDsAP{lmsccfPWnmzi(WoUVyqbT@fyNS)u
zGNq3ezH|Wk@v&Dp#K1>>6unPb$RUbu$T;5NpRuo0Y)q4E+*e>L|2eO%o6ghb{)a?4
zoXa=lt1REX>U&N*L2a@J{4Irnen8o{_b}-fE%%1r&6RaRd_8vebAxpUd9sIO+W}I_
z%idfsT#jS=*kGc}rrn~p*F(md&tbXZLbbV{lEBTE{g{H{xEe7q6HQp+LNKBCf76sC
z|H3Ww@vd@PeHYSuE!UF+6~#DP2!d3>tg}Gwx&}xo`|$_0f~CK5v~P`0edyTy+U$=|
zAK^<36Ge1eEzoE*B&U|K4lO8e=!_OOQ&{fdMACdupP|3iNbB$}q<^J$m`(=xx<9Su
z3+hIf{|j|PBH8Q0`h=e5u(g`RiqeGvM`l>~@=8sFL99Q)jaV&_2ZX{gV}fUWN~#cm
zRDjDT?=LC3m+=3=>-29L_3ZW~!C+Y)5U-<O41$0RXAIMx+n@d(FrQA`1zf1p02Nm^
z&cN7~Tc1@`n`kY#XBi*m1J0;b%3<z7vY`~Q>X&mr>=96o&hz9dzb*$F34)GWnj0vN
z;$uh@x^?zAH2(2nU?njCr<t1+ru72GbHLAS6AUJSH2fyF?J|O5*W!-8jD(mkW!5$X
zeXn|QgvjeR6eF9OapNsG+#YgE6kuT@emV-fG5#nS0su}rPOJkI6_^qL+#%3A4p3vV
zA$--lEB2a6uXzx3x2MhDW?uLxbu+23jaB2|6NKSnJKtgp!8O#p_sgX#^68ShHzTwO
z0hPNdx%DipfoKfi6v2FU(bkB%W@{m%Jg^=S4$OsU257n{!Z+!NG>ZP!0d+#t7*hKL
zHOBOR1N6KpH|@^kOjN_m2&1V>M#}GzSpmn7DDn;7DVve`LwG=&_mLg-Pj)hZ%Rg1r
z0+f=^!>zI(m5*X52c6a!Ee$W9pR|NG*Q;{Z70Q{vpc_nCKV*CYe?`!YRViejyKiKI
zZ7#K-<>IEZVPX%Gvf4~*0R{bl<ptZ7l3HWi2S!p|<1>D^Q?>9lKji?oEifE(gpU-X
z^lHU7;7erwa24p=2UbpJf@xL7=4PEm5Y0moD;J6LJ?rCl0n=w4&9%4%n9U|J8n|EL
zI6#HjgvY#_U+lchw7GBkhPk=c)K^W0b-l@xWyDfVvr9D;rJ8|%VYJN<E+S@=BpOBZ
z(w!=79uG|I21S#p$%ZXzkfwkqx0Ob40+K2fj0=Cf1EFgrwrYrW=Ae;!0d2X!3i9x3
ziicf_7wN;P6bhrv_94v6KB5!CM1S?&UqI}YwDyI6J7)&3->t;(-un}61vlv9+<_{j
zb`^dxeNz>^ZM_T)Sm;7Ll%>fZc<9(URqPjV&SL?9%f@cz^RV^+-4D7F(_;F}cjkrd
zPt@5Ym%x7R?DgisaP0MF6;@Czam&$I?Dz+y9ll3&&jdq=@sr;k%VvK>POwy%?SRFC
zr9if~$i_bj=l}huzuTO#B?7{hC0WR0-b<20009#sF1f7L|86rlI{RigDAHh{T+-c=
zY7@3WULn^EtiBt!o3`nZ-IfJA_YMWaEQIS7VJffiWelgo9v$T%Y5|r*jhJA{gv!6R
z_}tq6g^lswwzk@``yY&u_B#KP7zY5yZ`AMnh5xYg89$097#QUkUHPyA-(jydz8=m$
z$cnon**#Ba8%I#XF}V3#%j-D><2*0~x4t&LG{dTky-6X1eLg>@0w))y_~V$j0LtYF
zfb^l?7~?vQy7s-G_;9q~-jQT)rm~>E_AQ6ud<IDxa;z#$n(>i`OvKjQJs5psV^j{;
zHE|nKtPgd~s;sJR5ygkxPN>o1%m=`Rp?@{@=Su-K($5#^xd|}|-5<9C8KW8K%%mQs
z6ya%tvhCt(S_+zaR<;ix0<p(f_AWy%HW^<UPOti!X}r9i_Fj412MQ!02xJ)8S^d}_
zK0WbHzi@j~_r538n&)TtBpU;bqjDd8|F^encFS8$`TBozjA&ZMAd$#D=`IBhOYh9C
zV8(rmH`t{bvNjhl0&RzFvZg#38K#7r2{V)c2xQ9?iO8r_X7=aq+VUlyVUfg3pP3+5
ztsheuCa;;Wc*+C(;j)?t#f$O|XWeJ4a=QhO)C!h~@XEviKx<Kogq>^0E!)o#*X;z&
zu3SEahERIx17jAeCtyW@g!mR2AW`3I-ID&?i_~hCzTbV&MOSnRunA+9&yHPcch_#I
zHZoYLx6ZYm>IP&z2D;oWWmu&jGmtMty|3URF#}jmc9v9i=WqF)S@gQAR0$b=m9&Jp
z-s?oVKdpKyEO({|(ZAAe-L1Ysn5GZPkIG@U6Cc}4^bT?7f&t@bJ!+x`F4_Vp`+}L=
z-5K)41!Of=zAaByMc)fcyW$tF!#w>k$p{H=!K%jIq)>hTN?O1Cm9%>2|Fi*T-0}s5
zj_eo3Z2FoS`*S(cacU0VjoNKsa4CD5EwKWen}e;P0Eb^=e+xsr<E_g1Wf(EvH@^Va
zu=7u2cqLB6%5PMAK0U^zvDZD|9Uk0Y8<GBm$zM7cI0prITd^s+3N<SM0T$C!LBjY;
z;fx?veNZ!5qV~OysWaPd{%2qQ_OuLns|UT8t|&babE*)d^`NTtC)M&6U0O_tOH&2D
z)(u*<<rXyIHzDd>d4wYn8$ohi4?pN6yA|R0sGHpWj&4`R$ZEu?a(YtocO_)m4fGjm
zG6nff+EoxzG>7h?G|Kd3cdeJXw@BP>x)?34>&^*J>=A}Q=BgN6SEYFBS;fRLny$af
z5avYyI))RIEt)Df=&$@2Svdc!M)EUqk{%y&?>w}yr~TA%@Uz8SbjD!ga$jKY^t%<I
zFoO`#EtW?wg9@4r#~lN;c*br<nL=#0toOo%t)2h)F6sD%sCXj>^p9k@qX>5e{#b@Q
zpXf&ooPZu6ODiNKFGz}j^KX+RUV@8Yi2}ei)T0(1_mvvHh$Xg$Mmf?^r>3yZM;j>k
z0XTeHvC+*sQ(s+f`14;N=HGIWhRej(5dSTLn37Swyf`Ght?OeA0qtz`Xu1;TzzTK7
z1zD*QKQ)Srau_q>)^J>k%u9reFp9y+7~e#rEZW~BD4xy6%hXfTCY>E#M!k>}oujog
zPg#lCF7&g3Ty=H8*Q-4uDg3C<u?d&*P@B3>w-~;EkW*U|Nf;3tV-M#UJZy3s0oQp=
zl(urg8q=A^8Ho0$CvALRioC;lGGqy!t7q$u+hH4BV}V|JCKa$OI5Kn0V5J+;yH4Do
zbeDVRbfh#9Kq>;WNpIJDS2MJdb8u?nQ50sQd=BAF>Y7d5yCjf+3OB~{7pyK*LgTqZ
z7-v`RB_Ow|rFF12xfLglfD{VXO>{qcr7$I1Sk{`4^Ye3`aM1R#fL9YZ-fZ@^c>i6n
zd;0skzqw07{Y?uRANBbg^XX!Lwe1N6e2R@uzTyD-=w{3{Y0f7{Z%1kB>B*cSpY->A
zgt)5&5bee&dG!N>i-{r!2Ym%(_}c%+toXki9{NwbCl!<O4L^T>>N+@i4g9caO_8~_
z{>E_1K0tjc2bBQ$I;OK<87Z1XX?u(O*b{OtE`Ho1=V8ZZwDi&$k|`EH6S(1*sebL<
zBS$oy)6zd#!lr1QTSXT_VC)BKq9_WFVhZ+=5Q>+E+|goDgV|=_7L-Sw&LDA%*+(Vg
zbo34-U`>L#bOF>Ix>6Su+6}Sab_ULk(V8_*t8%d@g&yj<0oD9b+V8@wGmVGcw!+%~
zSU#oymN{e|cvuYvM^Zl}2`fmynaF_C1rd7!*f(<*Q$ly7AG;}LpLRZuP{Oefhd`Gt
zsY~Ga?t2YKH{4dgSN>XiU5s%C;B%n|K-ZnnbfQx_9eHlSI}e;{PJjONT?#Y(gYiKD
zYzrpb8Ff6%*cB7LT$6GCxE4kCyCpt?>47s9y%7#KrnGMo^aTr+Kucm;jNf*c{`Ne?
z^xxpYD#UyR;&$qBQecM*`U|@u5(T8cHxB&LZpL@s)XBda@a+CeAE)c)5|Pyr#pRgl
z^Sr^Ye~SGmHHUSrgz1W`Ue+vhn4c6WMjfQ?b-kG}0=Je_d}W_q^rdii%hwm?!NELP
zqVL~1%rA$O(C8SLx#qW;@NAbKJmA|2`G4cXd7t1lalaOm?#4VrvwO^<VGmHm95%Jn
z%lS_Sn0H#Y_tlx)MK($ItzpG*iJ{=s=|r8khQTLX^tap6+%J3Kf=bgd{YnheK?tNI
zV`8ovm{pzo9k<2CNvG6*<VxEflh^c~@RS4OPvxoTj6ydDqW9HwMn>^^w|SfhU22H(
zW0pFqz=lkRrM6?VhL;wardiWYBWosaO4dqmFut(Wyb%DB8Jp=hr`LZ1Cp!XJCim0z
zxzCrIhRsUaN;P*OYfT}*=bK)~7-pEvz0%a@>u!m#Vwu!nC<y;5lv{@;Gu?c#kzyis
zAYCxrV@pNk=?WfCBPq{}l)+tA`UR?RBXv9%1G1KRTKJ~{nz2Es)x{m@vxS$P@BY#8
zxXo$AyB72jHsal4c0I%7i2Srcd*;`vU|kpH05<3Z6`ab8VxMa!q$@!-g?1u$>jjBk
zUgfxbtYOcgTZGNA5L3+}EYV7kt3Fs#ynHj=wbZPzVWt=dJne5ira74Ywz$OjIY^W5
z@h4Ut?ETnFXDml&9o@?mWD3D;BieVn`kN5uZu~bq#j^+gDXF)6OTC;Zn;-5`pGuh`
zFpHczB+uy*Ig!Ih8w#O6X){+1+vSyR4FKb43G8aw#N!6g>cz^exCOwtn&(M{k8$Q&
zvMY`9W1fjbT5l2nOt#Brbn5*Cv9T7P9UzyxPILgSts;ht?w({QN>U*OCcl<*QYY|)
zeB0#Fpmw-qd+;5csqjpbTcW<6C-4;t<!Z|7Mc0i-TXZ$5YR>k4FH#g7d*JM)g;C`m
z>*gIP7~`~l*okpou9iZ&;5^i?{v)jjT0`%6kruK_!clkRq~o&OA_g}A%FdMns$T6I
z70_tq0SC&kdpdH*qu$%A#?0D%)tQ%A2Q<O5EmxPf7zy?fs5N%@#^E=ibFP`KK3V}a
zqzr-<1~E%*Pfh`m!j{2vmVBG)9xXC}C;)D6`rRz%w0=Iw-|^V6<M4NYliCS5g<*rN
z(gqs8U|<k&;+}FTeTQ-%H=La{RAa9bc;%#3?k*Kug1<||v@lOKxDde`d*gWf5&c3S
zqb$V&A_w#We{cGhOMj)5-O(kl@bwSR!U<gvW{mSh)ru8Hs|4SLA`Yn<UoH8*Dqc!E
zyS9(@aK>l*J-aB`4VjjI?B^K}pY5Zbl+zeqk<q{B{OxbeSLb*M)Mqmu(O989IxTW*
zA!4f(UG5v4uj@kz^$5J(LUCb7^BY;`f!U!xaz0~I{pqz#ZT(H_)V~Yl-MWO=`z{km
z*yP9hl`$j)kH7cX0(&>YA)=n!;jJA+UVJwMWLK!&-vo2-#)DW(-BpfC_%sNLg%K;z
z34oe=fN$I|4@!GvtotvH3zV}*ieV0UrRNkea4R42Z-)SOec9QLnd1oPs8tkJ-ePrG
ztp7h(j>9QdX7DADst`Nv4H)orwqSgB*Qmk0uoIxeBTt1RS8tl}rGFj=|9RUoB8Do^
zD1WM-HETtkv(-4pP8z-nO#PcaI@pqlN@UXx_jnQfb++aswH6ZB8z^!?zSoyo(?ymz
z*`OaACm{k{FJpLam-kSXO2^A39__u-Zube;*TJ;X4Oc`~V@5FnID<7311JYvvJjM`
zA=-^_Hg%*O7k6)=8weDi#!D)Io#Vfr_ufdl#Z4<w{~c=V#d_8jug7B}DOw&rDO$Hj
zh4|N~D7LA<`^L#&2$n2=JNtqK?{xW!-3Ua~;gdr?HKbg-a)A6$0IN5e=OsiRjDthl
z0K)XVPa#}~EqKyWvVUhZR#rvA?1`n5gv0d4oq+e{tY7*l;5?lX0=$D3NS_yTv<s<q
z0_a`aZrnMlKSx_-?xVovTR!bfi8x`Zg-;$+iur>fy@s>B{`sL3Q-~7(?V1$f5=EH?
zMp8X$tAXttOp*#ypy)U?@21S4HNY!5a_@P(w-u#~7iH;`xWTA0Rch$Qin$U;%;+0c
z{{7#gZ(1bRoQMPHCOA;(&uiJ~_X;*2ju6~1)p)L-;2wNux0BZ-XXp)JW5B<8>K4w9
zzFB@y7%SoD1P2sjDWxOYIIvM-J{iLJ{UpZdHdI+9_5r?X;X6Rv+qq}h=b$8zM7Its
z1=a>$#gW@kya=|6{HuKuZ{iV53L|@2;)sMJyWIlWHcOd`wLQ~~kwCt@3v_Q^z|I{Y
zp#ru1|L!Yf{$DW3DEZ&cz)l1GaO+~zsatBs2lnd7@&9=IS_mAaZAJN|)l@%H^JL8^
zsi3wO|36wg^SGqbe(%qjnrXVH(aD<9GM$PvD>XCM1S?A;GBexUpfbfoGjnhO(Wact
zLMhkOl#JXLGQ}O3W=zyn(i9X^N)r`Casd(qpNqQBeO}LbJ?D@6yq-UOslWZYuJ7{x
zd@gN6#%@vK7DE4=lhS&1e~FaPjhS(8g`t^TXeT~VeuiY(%g47d#^|S%*~6~^8Nr3s
zB1iZ+Qo?4bYETKj|6Ub{ZuhU6hQ!&`8|2*Vxfbz*v9-V5<mo!YNeswnl>=dBcK*Ro
zGnMKgM#r{tuncg(IjP;HtQqIkXr>F(2L%eTo7e4J2F-y;2`%r+>A0&Tj}c|2=Gb`9
zik|-S_0}5WBz;);lW~mc#LurUMMPXLRF@NV^#{U#E<`Hy(#_jrY-228u#&0y_t=h8
z%5POgYwR9`CRWT>*V>R?=1nH*svxuFR7{g;;A=*<I8xA~oRRNid{s@O$J+4uM!C&~
zLhP$Y$1Y>|-~rkvfwiEavR#i0@wJ;Q+=30TxGX+6qP@^Z1p!vy+zveiY*;Tztbr?A
zd$m6x{DyVBCyFFR%7f+V%#B!cQ!&MgK$hN6fM!57o|uGBv_kAss#k@erHOEz<DE-8
zev&(DbWp$9Y|M$jq3b%gsF~@sI6!LttkU3Slm1;1eIe&|u;T(}E_ML5&;B>G84Y=s
zl^O5<+YgRLwRwdF&@OcwtV8|1e_u&R#?Ou+7?d<N{c|+R=yzWp<(*_~6q)3$EG#!-
zAtW2YS25fLvPbl)LH)fRNbO?%{mS3d@zPVgu(&Cg9}hW<3Z8pw*P3i^&2URU%`~{D
z-1_(hOoDq;IgVv`Ul#2n=HXq{*Qbs1eMhvXNDR=wlMj$-G1eP+<#g&!iWU|WJ)^f!
z@ZjM!9{5sc_s|}(dne!@OV+CHqlN?oO^*avw?6F4-Eq(E4fjSzK$Xes-(yW{&0O3T
zPNmX4M<e&hJQZbBm+@(qV&k43xwsc)a8{~%$z|{{APh*E(G<cKS3*{G`%L^gG~`Y-
zJZbm7H$ePk$ZuVd!HcW>b*wC6nPI(UEzC$5c96W~DRA8>f5nOJP-j8M{I0N#0^%Is
zOb~YDC*~5)$*%}MjsS8r_8RF{EltH)nPy8fLy43{C=hu~sX-QbPrpWKY;x5@`!D^&
zcIAR6L)zVEJ9O$=M@};!AsB+-9P6d1rNC^NlHN(C(oh2Ok;{mGR?M0A)#~Eew-dqU
zrkCRSBZ~3F*nxy;R;(n!Fjm)y+45|exsa*ujr2=y5ruC`YDf;n?9&L&{{DYX4`#<y
z55?C2n-BVJwctVIY5gynkNp*Oq5N1ScGFU65)v7w`W}mK_|0qtsJKF?{}RrpbLkA}
zc@{)4Nw4Y$imz)hf?}aUVsJlfZ(f=b_O`Rv06B!VTr^-K4bwvbmkZb^o?G58_&=bQ
zrMIVxnx^kRVS|W=LOviKu$d<J$Y&Ic`qy%y@*IDow+xD*%X~&3G#35U=(wP3&@mz+
zOWscMQQE`ket`C~G}<v(anJ3??KWdI_Z81YHZP0$&G<z?s{Iv}!HD*VxaP<CAcX0w
zE-~U&k83HRzagrW_+kmIKpvnHc=yZC^SJn5{0f>$(THgxVL?4PHZ%WyxToUpd-YK3
zvCjOm(lAcms<{)2#)WA4+{kk8XLdUe<{e%NB@WID!(6a`ih2x^dte73)^Y``*#GK~
z^3OnRR)*YY7A;2ObrYeR)@5AgqLb9kd8IU~`_s9D;RjX{Mp%b3zu*Xu(Y8Y_+E+zO
zo+8?WPC_5FHDe;KP5xM+&W09w4voaF9&^o66Ov(=&Nlsd)zgfmRye&t@~WsMDgYDK
zshnnv<Roa)yPN~s<~bo#Kh?%Z1pgId37HA@J5|SUH@vZey;oKcI)d1YB02G^9p0)}
zwVmKsPyewAV`|MEM1jhd>}|fJt4Eo@MI@xE4Ib;g%4@F|*@_%Q^g%p&y<Z`9t9Tz@
z?Vuyq$fxC*qjI}-6m@<dnQhX;WswYRDwdC-whL(3cjfNBPNRE6Thm0I(+p=KbLIo1
zRTYgT>}fd9dTUW@8ouRKUVb+Z*+%cAQN+`9xIS;Lv%2<SeKquP^eLEEX2Af#R5{<H
z2!|fwyRf`?i1%4?G(oGjn<;s{<LkpA%LfA2TtzX@w`5ElVR|#&zQayghD@SOoa6ZO
z>5`2IOyhnkbPs{dZ)BJH@!lnXsJYv^EzoIx@4WMSupaz={q7^^G-GWPwCuHN;kJ{Z
zy;RRz9T2ckSVU6P*+@6LnEIWh#42^0VEiX!o}@T=hRYk#*Q1-?O%44MG@79=MT`WK
zvBl8DT#bxCHp|0TQ$ox)zbX!jqs-}oTcoOCGh!EvM?Y3SomEUNrCO-gh9i~?a)2Jq
z5&P(Eu$DZjYL0#-#I=#}{l!i!xxYTzI%;<G6&qT#DHIXhq0II-@8e#;n^B~ds($5#
zA$0#v*_wIZp&v2fdKEw2b^W$o#DG1~<|U7YlN6o!8Z+<9Tzrc+E-v?ekB<^sDI&LH
zhl4y(>#kIw#iVp8y|J-T6@I6lV6c!1Lr<jj#Fi_<f8rIOo@o(eVNY78FsDWH>40yE
zvz8U8`pMithwXaGrbr2cw&Pqyszp9&x1U=yfy9Y8OLFuMg~W#5E{J%!<jl8uzP{-)
zqeZvkfWo%8E+f8Mw&w16?)^qu%xmPP^s~fBYe@mYI@KBh^f1w1^o5MU7sZ~_HI(i>
z&Yx~7Z4L{~`X@dVK87ir@}~Ss#!hVM2nao=2nZj~Zlo|8P<|0<{%gWI?{J4f!~AI6
zIiHD~ON{(aR&l3h?eV+tX3`t3-mT9!Y{s&~Ts=qSbQYEnDuCfoB||$5fQu7_CaS9Y
zHCAxw0Ee{LZ&mz)Q8M&;U77qXw|Kijh;qO(*`ev7I%X~=oHR#ls)MGNvnTDk7NV~Y
zbJL<41Xy7>p%nUfWu|qSKf%PXi)67kgBT5ZtYPP>C;I)U?H4Q~1<$eC=${&UV1kk0
zICQcnGdXr2!+mjQL~EY3D8{6<;o`gU?@-~SDzrhlJI9erp&wK+jG{S->7ck`xQ)Hn
zPs9c~A@=s2C?1m%EoIzr9rkQ)$*O=W+N_lJ*qxh`@?+x?VQ!U)fFTQwZ<MO~{4DY|
z-4`K8Sf2jZJnPnW1X%RKM5imHNicGdNkqT=tQF3v8HqToCoks1kf6j(Ql_z6JMEy@
zOo5HakYZQSUcXP~Gtofp5?uiC#EYBFVP92~jQ^NT$EX7m=LVhiL%yw?PY71E{;bC>
z4u<o;dH(_Zu6T2RYlt_XyM^?i{Synr64BD9@~D~V#c3zmiMYyULC#+6i=r2i9^~4-
z72L0!z@h+5DX@=U@hN;8tRN(ge5Pjm%rrE~bJ|KzKDl{*TIv1~dW7h1_ksb9ct+|O
zK+lTg6bGu8R_lqu-p0Jstqf__-h}Dg9vA{TI&0!dCtJZ@8E6(FF?Q7bq^hR9Uif*Z
zNZ#P`xJR?*Slp-Iv96}?9rAmra&Nj9mc;oMGn>izu6jTU-78Y+TW}nlICtzmVQW_f
zsopoTv!oTGM^V*S$CYE7>DrcN430&&q8op$Hd6yE=Wg7`MJ-EFOx5vb`(+TF5hNUo
zE01aHO~!KPdBd)-zKB9@1>sX86OD`O44op_Z9=(tq9n(Z3Ln3P$M%=mt##`UoJMol
zfosaQ@cD~*dlj)Z-l>C8cggq|P!7Q4X7zkN<rjg~CU&?uhxD>Cq5<c!BY)2^>yzoX
zFLj8FE^e2)zNGhD+E>qR^})48UmrZ!x5KE)qjo_+b@qcG8LKOkj8*+sdeSZh(K@En
z+E-wGzij@`@DGch9?$)>AHSU|MGpUn)$WHrfL3kTOo;1)HcRPQvBId^c!ZJ!!!-w)
z$aFZrhFP*3ojnt9R9>%yHz3l*4Q6~M5F5G;-p3MZBh#_>XjMRDQ>jxobGwm!+B{5T
z*-p1-mup^jwKLYN=7T*s{xnkAsWj&PYD6Fk5W|CB{^d|4Z9U#7EK_!vQ#n#rkK%^J
zf1aXv-)GjC>Anj1DOqK?m~SEI%;aWy3wpSTa}4wP8O-Ui8_@faYdF}5H(eOnS+25>
z5a)QF5^dU*E;ovsI_?9Dd13$%*j$EDvEM+WGi8y)OIGAeVKIi@$}-W2ye*>vP-ND<
z4A!g3tlwH@Bye88YAwZa`&~zG#AP#r+iFFb-y>R1#V>wsOTaM!-Ab<hjVR<k8lG&R
z>e1ka-U95NufeI|KJDKVUb05%*G@5Ovr4M)IR!Ron@y2)8{WZRR2-Yjf`JJR_bDYf
zq&bbvan;7uOgQ5cCLWVl7GoPwau=1L24HjddD`L^=Ah~lZXO~e5HFuWgw&;xIt6E0
z7G62`aD7F?7UShTz0F*ni?5`|%b*$-`7(QM)m-qfGe@S!jW$>`AY=8Q#)3E${t*@H
zSj1c~q$6nyYn;a<8JF3b169?soGls)sw!TgyfzXq%kkbEiO+L`!OYIBqJ7za2P1vt
zR$EW{vTAZGlv{<5!bxh&N(FAUIMH$lK>>o2?lL|F#@GI=(0FW~(|Ox7QX#Lc><Ls;
zYMW>Lay1XPc}9}eLkFF-mz;*KXR67D<U9`-CPD0HVtp5ixvyAq8Sjw~1-m+rP02F^
z4qnTigqeQaFJTIpw`EW&thN(OIzXqpbs}G2pHostLGr(Gfbhzp7dz(b%6--)3@lje
zLiO5A1ja&R&rUq7ZP|XU!lfC;zxRSsINWRV(=d6OOq=L&Cr1o2eYgY<vLRN8EFv<q
zUgwF~IFksOFTn7tS=GxofWM2p6qZ-Xrg`0mrcRt1vPj^$kuh}~d2js`=4$uAzB*(A
zRq7d_h2R^`ybbiNYqPCJQfO2We5o-uEjLJe9y_I4p%_OhB*G}1r=eTj2K=3{O7R~s
z?zR2g<fv*DZA08u-@W&`upxghB@c#c|1oPERyrSGD)eG=@^A!Kg+YGv%wW@#<-tRl
z+y!^};F@tOlgWVjQg*GxSUA6tx@Z%<II*)2F-)vxvTx99!DoD%VL3t!ziNJd!BZrI
z-SvL0H@_!B@G$!57XA<Z6xAP|C$5K@m^}jhw9M9(Gu#QsRG7lHA+M`MHpJq~FZHw1
z8Yx!UQteTqY%s+=hsWYIf5Ft|p3J*P8btAK0!x9Mi?v%Zo};~$us2Aga^xuqUu)q4
z%+=ma<b*I1Nv(ghNL0?8446;_3(a-To0{I-qr>|c-LJ|+d&+kxpTOQKnqBzu0aZP6
zFGJ-tU5{A6Dlc~2<ne}IuJW4Rfpy)RBcJy4A0aT>!jZem2-_vYu*&zbt$h;iXQ}75
zFt?<tagV$1i`lTc#+l|yr5#qpD4EZLzIG1=XrAJP0_i$kfGuRg3Xdsag<cWUmgSgR
z2I#BWx0M9Oq^N(4D=n?(laF2@a4rMgd23wqoZ1j70kSwHy<1Nj&8clJoQ84!n5g>g
z&C$3KEW0mEI%hiHfhz!byQtjbvcIAGi2QU?j-uL17=D;wWMz#iVau5d^!P@?V~W*D
zCKhTrla}ATTk#G^maMJJoU8CdJ@eBlOQykrUKc~RxNgcobEW8<G)(&W!lv^fD02A1
zY=2l^ZOg>6_k%F`#Ls$skS!dZrpX214a|bNxu)9E=vKY*Lc&)o;AcsnArIV)BxCDd
zBK*G?I_0iS$>|}b-y#16ZB~!HnFy5mHTT4=#JT<3;QRc?ls8M?daCQ%DRWlRIRDP&
zO-;*cvVz%Js6m*VM&qg<FOSdhmK&RvLkqH2aVPd0YOc?XJ!q8AGD?kfJ$(Dhv_gSX
zAOaiQ7VV5eAQV9NJaJ{#{W6>K4Jjp3^VhfFlPx=p@&|fr{Y*cfvBex!hAY!9fM4`R
zM?Ht^Z@&zKmcbFKs@@>PjWmtFCO@{k*7!*C$-zBl*kt%&{4@ktt$^y4hfByijSd|V
z5>v#U+dPLZrNwu*CU#cH;c*wrzKG7XGvZTz?r$kT?28WEmKp(ne<Sx<If|`gG-H?@
z->tZuR~@y0*dpvTqneCmR~2ZFK5z&a#;Kk-`2C<LsS0A!kgX10kvthqC=KtjRqASB
zk*PzeZ?e~85$$hM+z%*@k2>psx)N&$N11!HBgx|U;i+o2i4@6*i5@cN0+K->^}6K(
zt+bT&=$@t;-K1E3z$TrQ%BrlLc{>*MD@rtn)ENJ`_U=>k1*h4DSOlG4w{50~U21#+
z;=_XEL#xW9leg`ciuY1Y5Pw+<foYgEA=ep4@5v^%Zo<+*KAHXSK?;}zMZ5`4m8Rd)
zxaW&6k8v<2@$CjmgjI>xaYm_M>KipYkj}CNb?(Rm8)l64#<856+^a*95Z7rO-6{2r
zrz6GUmZD8s#XhNd8E+#uzynh<@;)zo47l(9?U8pa@NKk=PIt*0NDXUdepIBCOG4MV
z3+Kif(u%ZO+ps!LLN2C*+nVGKo$>!^k`!m@?Z*mKZJQVQ`^>`wXXev!SPf(fSq)ro
zjCx8Od08t<j`yb8d+R)R*E!m>iOD+Z`b0?RTSk~x;i6sZanroe%SE7|{i2ob{w}SH
zb8)}%vslxK-F}nH)*C1v?RB<~QH71tFik7#^kZODWp9W`1ST<{6qOE~WwtKrtL}dN
zG1Db8J~>w3T1e^=?p^x4XLYfoGpL6^rqY(amP`LF=WXeGKu~`YbEiM;jtbIa?$b~{
z>VFt$j+a;uN(@HUloqrAkk@rggr)eYu?tiUU?N8PERHkN`;ge3_Z<dDAc%3p+c`tf
zouDj32l!_8k$vr2tFCK}TDd!{6d$vNr_>|wx#(fTC(&zY;sVRn!!GKSkD7X**ae*F
zsy0By#q9wL&(=a5+eBV@&u(PsOIs2}o`=1ahf;nwUA=c+V>wedI}Z=qVvNG4WK_Ag
zdTIO|YPYnn;wHrWBLmx3RF5^7B<skn0`yICq&c%PrEZsbP;js(yXaT;mD&Ky=@q<N
z6Z^e9H1~D}l(~VM*D3hLVnoiDgzS2hv4t@4S2$AVDa0=^eWeMvZ!qP^vsj&aSgm`?
zxztmwFRfI@?%u~0r8Vq<@Z4HGgfI7=g$9jnD%>KydR}Cjgx>GCfW8iYq_ltsz8U%2
zw`~G&U%Rdbl7WJzL;LB4XD0ANuB}n7#Es_2cd@Q>nIA2IDkH1YIPuq@A@>w#J*=iX
z3|zL<Yp@FYKHKJ#FMNl(_9nZJ*6+{j0SY9l=xNA>1OMzggE$#t0g3X39Xb*1S{igX
z-B!cyl{v490tDhN`IphVioiXB!E9?A2t=it^2F)!h2-L}of6S`|7mG7F@;kw+nI7|
zZ$^vnrUVAdD_et`UJd=y4T0QuvRkd~c-a1U#z9ryqa>YzmZ#-)?YfxDc9x~yET}MN
zpRn&mwnL$V6kYr_wFyUUEf?R44T|<nMTS~~t98bqvi(e5HRb!7I#4Et2iQiXmiLJu
zk@PLn(>57e5_&AXP#ac(K*i+lXz*=Kuf0f29G*C&N0_A<T~9NHQ^3lyme+3>EhdcP
zHk4H!5?Ex*d!vN<&f|xaouOycX&)Pcqwj35nXoJWG6(%e*0eBE3YUIBr<Bx`z)xr?
zpotyW%(<2s>Ev#I%8_8BFw1j$>ozf41+Zd|b+*DQu_kWH9i9m-60sti(;%%~@*axO
z;SC)f<=TB$m165o&DipykmSq3iY$qYfMSdWxy$VZNW+(|#02YK<L=FmHp;MpNyn2K
zCs=sorT>LXAxW1B8`pFoUL@nxjlXD)qb&x2ow~`Q&gjN}5`B?OmvtI7cr-AHt;79u
zO!k})X`)Hirk)!9PMI&!m^)7OfoI{mE$d^_3fon)**gtxML-@y@_fu+jTsOu@AMUj
ztKc``#mNtukZ8ch=gP=n#`%q?>9$_6#P$A=QVj`=*|H<O`U=(fmJeHp2h5&XK<p%d
zTwH($ix0HFD&9lbKCXuz<%G$r0=D#SAZ(#gX>_}JAom*j3a#{xfNK!9|H6fwS&ZK&
zF1EbCR(}M(E%ok>l8@^O-Jfz&zgHY%CN{(?H1>GqFb?Dye2*nNjeEr*1Pu=)xk3e(
z=H{L&V(r(9|MNovcCF7+Vl-a4*(XlJ5IPv0yO8go?&TH$#;ufcer`%$ON;9OnDOV~
z3zl5<CM$T?qX2lI+qs~jKJM6Cav8YIngrv__!Nh6kG5UpcLmKxcOV|n!H*-oMFh$U
z2P*#Q1<7poBdgi%&J~W9_k2@NU6$GT0f+9Ea8t0tc`AAK*K*BeX<vX%nLvYcxxGpG
z1f~PmR8t|>`iX&9n9ndGec>mpPR^_?GrH5VEuf<e#<J(oAp6Iy8Y-|-+u7;=yd^L;
z7`9QyFFUX)r6b8WtLVRbKhU{UZcIhuHt~FWppd-~whxx_l4v<jV7ye>n^jt7z|e|f
z^3xl>tcv*uDoeZolOe0pyue)`!`Qakd-;rcNYG#Dw_|l)^p&jkO`mJ2l;S+a`1_EA
z#MkeHON!>87-7E>o80E$(aKB^hgXWj+6J)8$v|d@{3h&#vu4z4iikq>gJ9XSbUdUP
z!k~Rwg-ikWunT4<g6|}!$TWS7FWgg^vtu$wgDU~`&%Yh9`ROQHG`%(fkeJmmS>b15
z_l%Bnt3TnLT(IEykgHu_+XjvM<|0t|yoC2p%KdLWBYiZN;+AYeM`CtUsPBrjupSYH
zC)4A<4<o@3d#;G9n_RS&!hpYDO2F5FaAX(U+jYJ6p(fm2)IF|f-yK%QqpWyXEWvQ@
z1i>2I2k)PxlIj~Rtq+SIA5bY^F^ZBtBZ}O=wcn&o@B!i)xrs2P<q_f5QND>t^=3v>
z8ukaQQxm=0xE?sFyDH1!{S%vOT=~b!%TcCITMnQaP7dy5#ExicsbZ(m=W1_xzUDn`
z1n=pFZ|d$!c+9_+p+Mur^7i#yNHlctczO0@(v0bpA9*VAa*D%@vFAsOFsao-RL1&#
zHY>a`(Id6<9YtHw0bQ`_z971=KjMT=hl0cW+=fHDeX*15C4l88ZAD}X8)&86Qrq1}
z*F(1=PM=D(K^lLL#W+-I+bwx8jU%@ce5_`R+b;_JD}=Vd0&Fc*c1&z82VtWb7N!|R
zDo=i6lf!121Dmq^M@w;%=IY5B<;tP#+t^G)sB5(AUFX$0@?InPu9?)IIX95pE46&Y
zi%g4$A5(62DRj4b9#eYuzFBt<n)1fpY=O49B5Z~mVIlO6WFaTXG0AyA3j;pfFRM=c
z?!++wdo8582<1mgjPMPa7bv>#{D_nnRyCJ`tK*-KP{&Ha#SR1Jrm@mPY>o|LHq`xw
zDzd<#h<TtH`gH^tMI&ydiy#-lN`u?idMVeM;)JI<29ZW2`2q7QR9z{=?1cg(>1gg?
z(L<<p{mIV0DRO)_XOHNOU(gmzyS-s!L?4x1<OoP&5L|)p=co>OX%g*rQ1rXQDi!2P
ziRJM(LD84FIQYz))EX=3HPZ0J`p!7h)dd6rd~?U5`-c|PJ?O59<-ZOnt|Tc+oCv(G
z(TS`;Gj?zdi`$2OsM=eqiS36qbc-g~P5J*L@z^c{K2kZLgQfM_Ug#coM)n9834R$?
zHYl*uhi3S6fhaFQ`b_xW6m<spY1oL<^q@$Dkq3oM&VN#7LExkzFz%LKb{l?LIz*~S
z^wBzgb))_!TZg_CM~-gh>1<E%eC8`b?@oQQ%(|_*G@w10kYEtOm3;!XVFp6{4Kcle
z6UpPs-?i<W@&s;Bkp#me*)EH>k%o9wDx<Kaj30?p4$e=CpVmqU@`*5%Guv<V*eB&6
zLyG`}t)>m2!4vmDus8koKvmrH-b%xN?AAJNx2I<#cCo|C??O=1oqBKWKMZ*53G5f<
zxY2#ppwR}jBZOmHgaO)Ax=o!-1=gbe#b?xtD#<!RAN@EAq`YI(<1N3QYaQl3cO;FR
zw-FwwnjACZ@6IF&8saVdAG^8pw@<u(g9f=nie@ofac03uPx$gaK#x{Y4UCH&cZ*iF
z@Z374Fd{=?mWQhEsVp~&vJY9boL0o|`LInIo{K%^y@2&O-0XgUQ7CDd$hIg5A%lwa
zV17kiMU|e1q>P`Fq|`4LcReh3331XFv~t}~$PNkeplSO6Rxm%LbAak`a=6^a0+5lI
zI0OM5+yeY@>p1NBBeJFclI5Adc5qQWhYh|i<~tpHN2GCF?fm=npd|NZPd&d5TaO~@
zTi>4}We%sfM5vwDiiO&&$fUE}H7)isrRQjoZxTYeK)44=+FiZ!Nl((uEUtu~)!2O&
z=y!Uzf=_<D(O}bD!VRr|0HL!d@zIv`Pi5&BR8M|uGyK?6>Nf$@!&QRkDe8KZax_+J
zD<Qaq&q5B#oIa%RHga3G8iZMPr^&;LB=(YrgVptojSA~-nD)$DpmFtmTM$;HcDnoy
zddcT+pP;7?r2(N=x<vC8m<Li3+ejH?YAsY~+8XO9FmxsG)%~B0i>l=-<&XS2K4;T;
z+%+l#Op4X0foh@Z7V!8ZAZfAmjh!^=@^tji#&XibFk;>+E|FQOC$IkA2fgPi>a`2-
zXq_T>gvzF!?^@nJx=h^e2i#Fp6j)yuU4-lyeHj>rhstrmtp|e@$D)T_uu0BR?v-h*
z?+%T)7mSNT*(>^iVv4C;;RyEqS*7kZ>}{Evr5JuAG<;w4`agD!O^KU&@}J4v7D2m^
zxfzo*tlWB1YcJ*RqZMw!!T>W`h|qlN$qH|7A=N{OM%I+AD$?W0r2vvXrF?2CdZ3FK
z>!!1e!Y{Hd&&#%kmy5nZR+EK{3mODUqeHY?K)d<7u1mnF=%63)`W3@+hM3zZr9WVV
zQ@i~`kck$lvOdG~b(9P#{kX;*2x`)i-I=mu)MJFd`yF-uBy_Yu%Nd{3NZdhKR}@Ee
z*kB>57h1m0W;|3-<{ATt#{5*=Fp_K+Ad%LVI6C=W<}SW93;z&{a#3{o6c3Smeh}A{
zhlATHq&7M?SBC2+VcP@0JRU$$EUw4`^6$UBJHi8>xI&LWwB#A;h{sCluWx(YlCm8C
zoH~&3eV<c{j$$eyCAPj~K1u&Dund4m54r<?P)?DXz)Q)y@!)W7WIAojmUv<FXD@D8
zKn<+H4MmeQYIW|Ijm~{R3oBCjrJ~z?=9*pDj&f&UW)%%<oA&}zap6b_J4rXqgB+3e
z_Kqk<$6j=R`@XUD;OIx>mh;HaL}*I%I?S1ou?4yp_oo;fJL>dFB@v2w6s30nTQ7i(
z>mhPCf4*;}zL77v#48}-NY>I=6w6O)tA}pwirFXFHBK}QpAqBBk&dD+Xl2QH`NxzV
z`MN7+Ew<xw%T}K9WN;rND%Ywld!aTV#&L56h&x$x{CM?Ud+EW{72hPh9Q+Wkpt&9;
z@T89A_#7woDZ?$t@1`%V^_#l>cH-D${S4=^VktmS%)MKQG&@e%$C0h`_j(i`?I0U6
zIKM0PfbFnhS!Y>g`?Q`$pzb@vm6nM>vE6|LT!$I|mqz`+S>Py<6+78(R-ItIJA(r5
zXUk6v{An<1Vh_vlzAty`LQAFJG-iNXE*iT?97Izl+(ku8k0fXeyE1t@(6=g@(ax&t
zq-RyhG^)qw@<Nd#U6n1PSlRUvS{^`5G*gGRzt%as2OsU@p35RYh4=m5gE_c2#eoQ7
z?3*Vf-1`q0$B$hLVZE!W_JK)a@q4+*L8z;IY}ws6f!j~6xO*VSSe~I3f&urNZyHh^
zVAmp@Xt#>{@F&-vRS-tL-H8qfu@{0pJnAdibu$RzCwpwQ&5Ob>y3cB$`<#d#UtE}|
z<3uhjK4IU6;mS>`(39ckn90WB+5O_NkD{Hk#~i@(>dp@Mscga5?@|r&m}+po{yvP|
zGhaL})D6$|%XQ-1#HX#jKTyJ!1~R<&RG43&cn};#n2hND3w`LA7)KG|x~p>2{HacV
zYfur?0tOg6Z~XjT`xEXHJO_91gLaIT)8g$&@y{uW#KH0RH=VRs(n7SXRo|SR_=9*G
zCymYBzHcUN*5m>?JcKl;?-HQ06cjjZRy2cJkY*=|32x*9I<tWb^Ru2oO1ADv!n@|4
z&-IX9Ak>y`RDIOzCtTp#Ys%244e@at0;x+e6Gj0hM6WP{vt!gQjB64ZR*zz3NPhBR
z%K{~J$v<LG(xF0iWe7-Rr}G=N`g!1v?XMxtq1t`4sqh(0N_4?Au+mE6SsHZc@=ciJ
zwY%kdE69(y1Bn(mVBk`vY^<2_lMoOoHT@t1#>Uw`mj3+@x$wiW6oVB^GT5)<(}}~h
zdra|6g0<RN{f2oo^I3vGZV68@$b%Q33)?$((^_FssUGv~pLY2R0u7O}oSPEVEn!p2
zK|7N2jDj=}QQlsh`@c+|H{MwuRuh(mX+7p~)XDp>MZQY;;|Fr`Qt6L*%f(B&((_k7
ziQ<AhRcCc5&=YoJVR0Y=%dNYA;;>S3RFp8B)g#Gt(rU39EDgHFiK7ZQ49V-$I>!es
z#yk;+Z^MA@%~dDw2icF#{*knrjf0NUlpce^t_-@S^p&6?gLT^Vucz7?D6eXXGhoAI
ztE745JvJdO2~!ErfBS^Gtb>c@$W*>ta^gn^2%t*vjNmW`sWHy6uy^1dc?jYQxN!Ou
zzU@*LZVG*dVHDm`RIG=dv8?lAwz3_9n)>{F5<UB?l7$6KNIu9pl;^Cy*0t_Eez+mv
zM0M>K+e7P0s~SAmfFy(u7Tm@V)P%1e*X@Dlyk@5kS$dTmD+c>*v5`d?+yQB{2YGI=
zXb5<vv6^26Gk>?(K6Y4`#4ET~c^jW5RbFgHNOA^YfKTm>2IyjqA+AC2<b*Hp*;mHz
z`H=EytZSeNf>~1ij8#_8XW7}8n<quD-(K&CxNvOOg};eOBKKi;J|W435~A}<rBc7N
zV6i;kEsv$~`(u5BG&ZP$pTMXbsKf*9{6Ol1G_(%^3A(8BLVP~;Lvbj_LDd5jF@KS|
z01Ub}+cM9-vZucKdlSQ?9DHI=kEAzGR|>@H&*p*Hf9I+`2-#}($w{pS$XdIDT-~tF
zLv~}O@S$@HR)|eIouD^KDSs5KylibK<g6?mi}fuUe1{(Uu<li3D{(6(mEkh>tr)(N
z1h?&F^RkbcmW7-~vY@BAnN)1oT@SJ;785*!c6}QuzTapyVqz-o=e{4XD#P^m({$7Q
zO6VYZH{fU#XHhBdv5PIc#-aZ)nGiHn;5u{mo$=L2>2KXg@L|Xay9ex)4m~YymIw68
zy3~D&_q)mOXB&;9-sSA@tiF99BtyXChGsyBioy_qheZZ289Sy9qz4fh0>q=;s*j#O
z7bRQB*EPvdLkm$223@8igy%4-1~KH$Jf?Ez<1cG1ux*|FRfAHgk5~13B&T#cCot}8
zbv?)~a8a7%s!OXIa-$mZP*Lq<CcVl{jn{yNroAq_eE~WrVRY3XJ60yf82Y*XLr6Fk
zxqpMuY>Ofb?Rq>w>Ozp$Vs!b_SvT#1lQJjrCjPu2)Ww&3odcIrlEb`yEZUc!X8f`|
zeABB+PKR4ktf=t}_NVJ@*=Mm8_Lq}n=V^T!OK|Nkr1NwA&*7iCuv)DkIa6%S`rAAt
zAmJh}S!=4LM4ozAKlQ{yn9hAj+H#Lp_~>pfLER@xyx7^A1e28-@2G}c>WkzsN#S=G
zL4R>fyYeY!^BrC~P03X-WgnbRb0x7bzy<m+G^MLE6^95f47O&w^H~?yATV~8xMX+k
zH?(W5xzT9XAk_sgL(P@F<0^o;#?*eWYJHb*L5sh*epf=j#-bRYYDX+qjrZwoc?`m#
z71w!%e4acT2+;0yn#gbb=@!GuuRZE^5NAk8_TkDBf!AdK6n;U}<fz>@AcbMPQ%MF*
z?5nFovOEN?sFstxY3Qthn8tVON{Q92ud%-7LJo8NWK|DqWFo`LKuTEC8rg<Bs$lz+
zGQP(`!*iq8-L`Ti2p0%97v9RhRm2`Mq`7IPt4vM8I6-VFGY)%Kw)&mj_N@*^zYqT%
z7@}chVJ8k3<R-!3okcfECeik+XIawM#;uea;2)t5si&auYC|zG;bb1D)hGvG^d_p|
zj|_8%@YXTX2ats3+WaqgNx(J(={yj=X_DA~tNrk$fco$34Eq256tP28wU9aj-aokX
zRgVAK6X1V1k>`oSU<<mqMFBTf%)J&nmr8!O^q2Y4U(b^@&j9XSVU*9D-OLP|C#&Da
zH7<I`i9&x8eLZ-;kTj<5pe}WEF;!r<P(fX+sP3BjFVyEB|F+kh9THMC1!BWQ$64cR
zU$)xZK>b?zf_qgj#+_&(jm`NrXf{GqSq!^x(VQ(MBlzUuxT(z8DH%UOJ+Zt*4vhuM
zj7$IgrT!9pXJRq=Yi%L9%4GF;+_9GBM|YPGtzD)({pTS#<-jkPtfOKre>PN+b-o;S
z=8DDYan`j(!?la}uQhJ@C9Bmc8cIpaA%pEyZJ3{aWbQ2oGcQ;f&gFn@^}bxcrc<T4
xkN?_@XQ`ID%r~sp?AHpJT2TMlwX7}u+ubZa?AcndeeE~!qbHA49=>?%{{XhjBdq`c

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeEditDebugConfiguration.png b/docs/GettingStartedDocs/images/VSCodeEditDebugConfiguration.png
new file mode 100644
index 0000000000000000000000000000000000000000..2acab8f181d01cf144160b36d54a41f6a4c2aeba
GIT binary patch
literal 83626
zcma&O2T+q;_wKC-A_^i!5$V!FK!bpkfJhI$cTfo+y$Kk)pcLt$_ui}Yj);^HdW&@F
zB@_t+4E4M5d7t-u|Cw{noO>o3jLGcWd+)W^^;_2>L`_AG<o2W6*REY7QIMC`xOR<z
z_1ZPO$y+ypf2mYES^)mK?xG?0>RS0A?I!R8zNMtH<h5&GBk!EOApm|Ra+KG1xpwXD
zkE_S^IPSYN*REaWDM(9deK6UcBYLeh(JJxVK@SfagpWr=_Wgmv)0ek`pQt-ZJ#UE3
z_SZHni?uGZ+bO9y8o7YkW$aWBp$Z;+wI9+c5wq5&OfXPW<0g;p!VlPH`gn~=H0tFq
zUti0?v_}3Ua14S4=kva|ztw%$c^Bm3dmy?lJ&^cpnN~y(0{P-IxgS9%nx8@T@1@Q`
z_rmez`A*ga>*If~+Y~ohLxTTvag;ucW%>7&?8>)l@PA(k{{BT$;onyt-!6$FU>!PA
zeyMOIq?YE%GboE4m-_Fg1gCyx;efGOToZ5nefmQD9gE5k?ry}zZvooo4Y!)Z?VJL}
z|9(=Hm5W-HFy{>#_PK!S^)UT3FyX^XIqXJAHNU;|fROG+(SJt}Y@2P-pXj6_aV-Bf
z9Grc4C$#&c***?uimI@cRZS|+n99AdFZWr~zxwJA8bo&+q|UuhHVgK#6~1&tL_}M#
z%D=bcb9XJuBvd^|cG124l<xNJ+l~|3x{GD?^WRUfXe=ciH#hg4&<8x<J@;Cvs$5S-
zB7Jf%`UK@b!fvBuWBV&Hs!P8YJ3TlE6puWWm6cNl+sj!f*FVzcC@3h9Iq@Q}=qe;{
z=N-NlztK?*aO^+BSGqi3xGc+n9gk&PP_nC}4p)fG3$^2vTP`n7e>S^U&@Vj^7pJdZ
z@DZi=J#$J0d+Lyq%zwN=IBuFDi8%SO_|s$R#*51gRpz|6G4!`-RWriii@IC7f}MTh
z(uZfhBNfEmshSK{o@&m&zI|-i%uk6*Oe_q#R$E*9VKXnm@o+;OjQ{2i1d{1AS*m{$
zH_+sY{yl9|v8j7^GBbDLS4V&o%Gmu4da}%Zfr{8A{l-mVwF=dAv5@t2&q14OOq7xc
zd16`E?aUgv#vu4Msqn}t7F`f@&D`Al4H2YKv^<hQV%L3GkUa7R%H_ND>Cp}u!%Gr#
zwb8NK-jmJ<A!3LuoA937&h-5{bdp4mA`30IGf(S&H_bi<$wydo*8=8)TTPH`Z7<8+
z&R5Ndu*~qTn{XBSX@_y$^~Fx;GA)?SM^I3^cMwn&u7C9E{_u9Lt&Y}na_HMwfvOpH
zYvQ^uALiJ@y2?jZzg@1cNhwWaV%@#rWdi#d4|9@x?iq&#{D7aCnb~$B6qpcyCP@Wc
zzqOUsh?GI|@x15$xTdO%mYVbS&#!;Fh1x#e=hk_Bd2#MhsBC0J+je=rm($Sju%hjx
zn0{K&LT%I%yK}z0Uh-=xL38h0f@WLjgJqteAmcFj8{LPU;bh&+#jC_@w!ZY#g!4U(
z)!mE-ivqLM4{`o~cANK>657x5Jj6~ma#XG(9Ao&TkLTPo&PPVB^B#oS!C;NvX)Jwd
z$;rh98zyeMvmyMJgTKxWhEP(r-C@)@5qaS>LR(DHQudU)Ee9%I7zF!~_n%=Y(xN+Y
z+Y644;PTZE@H@q&hL$WsO~`m2%^6G|cSUA-`CViJpKisC#t`PmmkNxQo1=M5cO2Dc
z<oyH$1$77nlrc%5cf*YLqlnip;IC80)uM(38}A}5zk2Z^PtMTo7d9ypHvV%DaH%vB
zJ}us@EWZS7e?A4*c_ZA(ab8tEk+J5;^@%WQ{==x@{ra#K{!znUsz-6#)i2vKYRpZM
zC-T4Jf!qGdp(ldw53mD1b%j!yZ4765aNMJy2-x%9^JF5CH^31?EGjPP;9TxSBC|cC
zyx-VSXF_gW7BgG#X(AITdY;v890!+F%LudjS^3t0bH><lthykUxg?PJZTb(tuAgmN
zN_0m0o|%O`eD*5RN&=I2DRHqZq4nPA0<xB`(B`M$w=$~8r>$;*GdJ>yOW+I2x+Q|3
zGHmR4+Ilc3s?v@@CfMuq!4lico2$w%eJ|F1MZB$IU1MDZ)}4T9DnVgNYN6oX)0Oio
zTJ+g!BaR*|W^TYq8q$q)q~_ZrAs~`fc&S{)UdpDL9>y#eQMg}aGP#QINJ77{4<)Yl
z*^H;*a!JLBP@<n4#Pky&`YY!Xdp#ic2Kpa=Ezc1X+v!n@P9bm1igV`IKQ2Jm$;rvh
zM3SMrc{&H2DKI9S5-}};>)bt`(1$x+b3Rm6X;pjXU}!^Xy>kn%e$|h*^r{O?Wt$-4
zDDkvMY_i|3CO*8<zWE6sB`V-GjEj^zsawo_02^<|nBB|VQPABjTfnf%a*tz$u*DIc
z{0uW?>yzK;qq=#^85}djYtx;77RR?rCt2Ru>UrF~HjtwItASa96qv_C&**Qt<M~mZ
zCPYe*mzZ?VU3I7Yqg(P{($~}6=lKp@>T@{}AI%w-rM=ixx=CV9Z2hhmy)>h{x%Yuk
zm{2FDXKJi2gaoVkK-eGNEwP``#-Z8*C&9}4EDjA0c4tWijVI`rw6usl7ZAwG&BYfM
z7Ty>uAQitnbGh#q%NXf3b&fQ>$c}$zH~m~&V&3pesl;YArppBH%jMa+1oj>cZt25}
zUHxM9ka*{w@1-ZL*oS)wraq0y1xnoQUPuq`!x6bZzXC|d1r>Bsy~ym}y&HBRifA!y
z>oxhX_}RKqTU*;BEF53v<Y*@}1Ng|FRpz0$10l7vMdj%!DWPD`qeADJ^7fW^P-$VI
znrYO4k`j@Yyf7pM&-YI!gI1&BRvA7B+Nd#DppvF>D(U|m<g1_@A21`L`pjySCGPgw
zPqWCPts0C8jP6SqiM|A<nSOj}LTn^H>dTieS|U}nq8e;f4$xUwlyMMnA{gdzBSqxz
zLF{isQ@5pHk@!t{vn-XI6%~zZkF+N$%Fx_X_nZ%yroN>|5a^Q<ee*rr@3FqrJ2vC!
zLykGw@yO{9jpWFctX3G*LU#D5*-s7975xnAB>U6`h4m$b>AM=7md7i&*S>O&DNca(
z-O>A;r!NO-tjZ<pMzDH!<6##FCyT+cF`ooic#4~gXF6<++I5Vprv(4f9K344JcBCH
z<vX=0vbRk4ojiCMA;2jloSwTKhAtQ3g9^h1Sg5=Z*AjN(%zJBpcxAxC>f#E{xsms(
z#2i+mQ&VmEB&d1U&l_FVw^6a7yiM}ww-^tyemj99S00I54$>NV?RRbI#oE-LRZZo{
zk-84R&5$Ps{)nmt`!<{f<%0*s=hpPh<fYMkOuDAtwcb9?+kK5s-FJ<Qe9y64$sEW!
zllm3!J5;<{C|TjQz4l8V0SDpu75<m;+!-VobGgY05u*r6T!&)(L79WMVt9g!Vm#R`
zA|Hf+T$@BgN~9}p((WlzQ=Fy@^~6SBZ=H3O9c2&W9qSc;D&exyXd4uEP}6FmKaeV{
zIndnJW|CImtb#bvJ1$BMa0XYJ$epvIIZmf$>oLMlKK7B&2)@|i(-%THN58@7Tej)e
zb$RVrHJ769bK}IKw>B|2#)AjWN`1$7tcvA|Nf6IC&}ge9&^f8^A1T)}1Sn7E6YV-^
zu!%>*r^+|Cui4epNW!eld@;fm24X-9Kkg}kc_D=#&+uiCt+^Q{@U8pXz<O)nFZ~E9
zj`xpEi5k)umN55*rsB?}J{YFca$~5W=_yrW!WaGLX7tsQAow}U&}z`Cp?zbQ6+_<{
zv_;tA;6?0C0w&%yiecW|+k76Q8)1ecPI~&rUnH{MRiNIqt*3d{#-S$~jblPF3fIqh
z$CHt%qnJZTF;l<LOwSl_Vquh3D$b;w$B=aSS=n6@W~)|Z4QBl|8wgE|^AOk9^f+$a
zt*=?k%Anir9t#m)zTmmhnC5PU3n?7sh-n1kt%utg%NSa!P1Aem-Rh;v<SuV`We)C>
zYGZ^k3msurFUC|Qv@2LQ*jDa1amZJG@4pAC4q5p|ZZYv1hhdlOaf~h%)KB;NT5a(H
zVM^3%I}Np=&;ng!Y1o*KFF>Ct-uzsn$f^Bpz<S7`4VV9jeP#{)EtU_XK?j*cwBVxd
z1k!q0bO-ip7AGM^5YL^NH%h|QeH(cdFZu>ToBQwKKs;l~)HHB94(NGuN{aSNg*rL=
zSSZ~9>U(Nk*-CzI|7esq+v%`}7eb`3YCs8+q%+<9e&8laZC@Wm+uoUi@l-S3s=Q!!
zTwZOQ#r#ct7OkA~S>ozm2(S<5KP;1A=a1H`+EaE=eQwFipJ++fJo;)hS_e-Ix;?Ey
zlJ+74-t6tq6`pFwGxxMYJ8$c!qe=O)psn^vq}6spizQ;E(92#Q^0luVLTPI-$wl^z
z>l#=sdT0B-i^HI^N=7>r!inS50Pni938YfCs@~iOE?{fY!}@{;WmmMt)jxFC9ZCl^
zhSF=8Nk;Gxy_Em`!xkbL&xC}V-?q}!Ew2Ts6kGSXvL`P0jd?+F&U3Mgm?#$&Jo<Eb
zm^{0yg?_IG(w&%^cV{CxLm$(~xRPw?W1^+2dpc{<Sl35dqS5W#Dv*S>YEu<wF5Mv^
zd^KoZeY?KVelq#~t2(I&f+ENhWQ^^*1B1N~qcNxf%<Io$kcvKbxA!7}fiq96Kg>x#
z@azTm3@`F%LMO8(fXAE(8EeJ*Z8ajP)vi2a+Y(m6eL!g7o?B{^(oKe;)9P0EHX_!x
zO8W=|4SvK2#jU*%*3IoV_iT-Z^@&G$Gp|0D@JsHAt5_vEn2j})ji5VtaqLEq*k@mG
zfr<#L7#(NP@;loJMM`nHOhr1=BE@6u_$6kb-q2R)qehe7XFPk+$9-ZeCreEgH-shn
zZSIkgxst*gR)(a=B{^zXEFMdQ^;y;zFxX3VxvPPS3BOc7$mVis+AnjX$S#ij84wY~
z&->kyKyhR?ry~6)qa*~)EWKi3nmu5V0>7vsWH*iIXUsnv<udJ+y8pYXuGR898%pxT
z760I-B;LnS@hlvHo_~|jtYd&C<M&5OAVh*h5e5iXrbLy8dkd!E6-ArO8Maep`@Ygr
zA*XVv5eFi{{UEf#OSt~#xRL%1LGqt**XnHB`=$E&i2EToLunN;2B1KeV2axy)q}u}
zGZ3HYXjz9a3KLxw=j!O5L&l|Xvucifg$hphE<Q%AzPvszwmOycA}X^0Yax~@wsU;M
zGQ%}v3#T!1p(~aAu2yYQ-yZ}OHy|*icYf06^omZ-erbS#U(9%U?wRikc#zT1iU;3E
z0UN(*2p$#4Xwb=B!ckwLQf^WPkCZKGekM|T(yzYYTZ2~}&f4PJ)uNkRp4HV?fc38X
z=|8BNhj+1dJSL)7s8opOJBUJoeDx!|Ec&QKOlP>M&3C7T-MlmK&u7o|mR0q8#a29?
zAP==%4UghVtMOmY4Rq2q9;GO|eK-}Xgu6x$2@#1Ss=NrcO8a5W7mQ1gK9$5VB2Ec?
z36$NzQJVBoPHYM;pfrjh8=7HhVIdM8vjbn2?)B)a>K{@>A9Few9f!lb5NAfHt|qY<
zn0?>A`T0oy3|2ov!X>>*47EoI;$yn5ZhERS*&}B188@}IQ_b@8ARsunNgQXizfSfg
zJrf~mT_Z0i=6iX%pe^=l34)nxZ2dzF@p*P4tJOpN@z98$V~v*g>^D^}2W;+xw+dLL
z>+X+yq)$Myw4rCX3f<iM-(Q(b9f3t7wt_O^cd2S^@L@VWl&No3aMWl^O>VD5hKJ#}
zYjBPU;lFs_y}7{K9U2JaCJJowAxfYTQq?EQVl!u?wt^#=(GK&8P0StCXtxx7Foqsh
z0X;y37vjf4X;x~d#LW$XZ9E_KVaa2e*0%D+Jqyv)s-czq?*8m&4Cz%?D|*o>G^orP
z(W;%vl>0E=&hH&#KBQEQRx#(+ybA*I5A8eR<z7U{V3hE9-~>mLh7LvNlaqstE7jbT
z668q|v53f578XVvz0Wv%^7};-iMdeAvvccN68*oT@zqvPP+SDldiB{uwpCR8K?l}j
zFQna^$#mLWqW2gNA?8wVuW=W?>2|tPe`>p+)2;9z3!lJz3Nv-Dmz1JvzDi~7n9^7N
zwTgJ8l!Ew-KLQiKb%>!}4{07!JUESI*LZ-zSzf$&BEg1??83~w4D>WK@r+)U7GGz*
zp;;v{K&)k2nqh}IH}nscmX@ZR%C(}#ZO0FJ<J8rXRiZz=1oGsw9566#clj<~n#)AY
zow9XrU(k5ST<<(;4Tv^0skBr|58e96mw$2X6jUMWX%4vw@t5liBGt9K^*IzjKG!-<
zKTg@6eDx+HEmR+)SfkKpgiNqy65_z1n`(Mi!b{s{gAMo%l-BB!v}d8PI}e_y4S}Qi
zs^Bur6VCnp_>D|)DYuhMU-Z@?`F1rXRQkS+4J1Ped)u7dJD=<&q}*xLkGhu9FJ&*d
zTHC@$2~BtIhs-FZ+fSS8SD6l+GY_qH>)LNkht7KSl4L^FdoN;tt*|B-E$y!<_YKdY
zoJ-}^4D6=|l<x2!NY-_n)ppIwO>&uGjOJ(NTXv2eqf-R=|CoUtL|-wkGNEo%dsJ?_
z2oKF1=&|heXSO9d+4>yy!nix$^8aS;Ah98|O~?1J@BPYs{h8{RVx?mFX%#&={#Nf0
zfqom-U^Ud}xXhesFNV)tLw3zoy<5=`ekED%SVd}dhrX`Y9b~tOGZbF%FKgq0!m5lK
zyFVD#*#^{jbI&mKgxa>Z3>o<z{Di;3EJx!yW3~-VQFfcONRO}&w_7|6@=H^^;!{xc
z2QI^Lv5l2JKs0YSrGIU)s9)lSbY2yW^Abc@X4ZPN<D}ARRC#95yP_Ge`9_`3N3wM?
zRgaBtBvn;F#WDI@R<K1zNobJ=-|CxPDhFV7%$JMOd4sRW7Y(j7evf|iGNd-%AD=BR
z^0R~Q=}d7^qS^s<Y?w{yw?m#t#zv1I`nUWm!xByx1-_MpY^zR=<8d$8B_YV19Qiu`
z=Yw?eqOl(<b<W{I{f2EDkoYfN`*CmJR*X}(c6+IG5WG>v;H(Wh-FO~TzX5Et=@cvD
zI~|t<6^oV7T;X}+?l0&QWT%l3HTx6=hCnY6nc!*_Y$T6mBob^a5oALq&~PW2%(H9P
zLXC|aZcoQNF;#i$aGe5I#WN99sy#bkd+i{9Y??j~|K92vW2|;WUTLmK3O?I_Ym{@$
zvUH!~q<VMCsoc@mu!A@l*)7zvfjviQQdCuhv!<nmQ*Y;^AMvu=s|^W@&ZRA9801##
z<nkOXyM7}ZYFV>y##o?B?VxU<Q>K_Ic|GolXp~Zp+MQf6=w;%mQiP^(`zzQJjn~ix
zg=<|clLkqschtOgwKy01M*2JH#RR8sbrxcS@H<xs?+UAwX54We065<9_oK#NO<u5u
z(`SP#1`jaeoA*=#?+}R_1aM$*ug_a<xp}U7Pom3G9qbx;`!FjH_YZHRopD&{bj6$Z
zx$4!8jD2N2h_Vwv%HUbIm78Mbl-dY;57$~&T)NIu<6sDZo-xp8w1DO#Gxr{>i%f(B
z^%^9eC&T4?s*ZTiWVvxkH)1`pQ4Ds=C5<)o+ew<L_zmT9<gx4BBmvg`<!&gwDdu-w
z%h6->6ErU}_WX?x`?G*t=h6mIUom5MqhnV&(<|LQ9pF{2z#fuLU%vB74sUZ@WjZo8
zBFPxxE{?lkUXaL@YE%0HYMZU$bk>{UBQZ5Pq)3e!bR<qnis-e9%rSk_Ya=mSA%-sG
z8r%gK2Zef1v|r=l@X2=dP%+KJFHfp`SJ?PxC7!CSe>+I%mB8dw9NKc4UJNh_!Pu{>
z5s?$ltl$C3z2`x_h2jgiBOX(Stm%%+34eHduCBw#+C9r9#BHUYm6TwE!Joy>G-&su
ze*MGQ8gkBxb3IiV=@o`Xg&3|SxI%~DP4#u=i4U*~a-3Wh39HSpVIA+3yhYx41F$>3
zK*?<n*U7BThy?583SQX_#y(HmrVdD3-j$vX0dHJRJUaBh<VGqfWbZ25KQ9G)C`{N}
zNJ{fsK;WX}TG4(Vy%6v<@ej5@-bF?hEozYu?e&M-b!4*q7lNaxs<vi;F#VtF<Lmz;
z<>vl>MB`l6qqz#}hX*Qo<>e+4%#X7phU*;|&cm9LH4Bo5$KONRvv)I9Gulq5uLhxh
z3fdD$<W%@~0Mc)|{@3WpKHm?3|MwM29byRie+RDjjN||GChhTDg_yz3^)!gFajTE4
zv844D<9S%2nYIr7$WU)WoA>F4<@iLZ$i%1oe9e>lu7utvhZ94<ngUi;0;~eKJu>)2
zkU)`#<Mao)<>5U_uOG&4Hvtcye+mNGj?eZ4^t@C4zT@hT|5*;;)>+68{<bwkNi^-z
zKkL|uO%!rS_qYHE^P+>Vr#9GubO?N0>hmCR#^EyGXVR^-ZO--UiQ94KKNAtX+=MRY
zr$=q+wzZyY*>vZe?@CC8+d(v>_a6}VHF`YxvM`%vii?y~xUKcHr~kgL(Z|x#Ct}!f
zO}&;6&*ptEy`^Pj7MDWrRKD$sX#iNBx`DwL_XTg=cIM|S9Mtdpo+TcCpeW9SM*28y
z#J~fqmDz{2Tpzv@&goH;Ba%^b?heyaN_`m0*Dm(C{jybsBt=BvK@3~hYxE?=pWmIb
z0%4DD{4*=jonx(rnVrnq@-wkvp`o4N<Jo|Wi^BpF22i+?B4u!Bn=k=N{5h3^6vbiG
zpu_HLW4H22vtG*|UhpRoW+M5)Bp22`B<a$^r8l)~1ntMUW_L4Gx$#2*>)1zZ%jGSY
z+x^J`itV9FtrRiQKAm&DXOlzGK67uOvwv<t=W&<!GQb2EX9j{6{SUnkQWk!!AY!oh
zzEGl!6QEveq#D<I=UcHarAU_z<$Qd?9<h&oaOorw`gJfQ(R0NRz${(>;v#4PkoQTP
zWtDwbR~KDXgwFo{{)xWL*}Tlvx{Kywkwh3ewB8pG5cpa7CZH!sUS9s&PW=LXv}sh(
zUAiv|7e_(>=c2Eduy5Yc0qfXjvn{q?o|2t5WL$c2l2cHG(?m1;3_^TJQt9<%eGQyR
zmsnGV%1Em6gV<H1hnmd|Ig%gPOJUL&`{ZEyR(}aw)`x%AQXC4~$Fbo3AI`SZhecyj
zfuH+^vo^cMgcjp;F9Ibl_Bl(9n;&4Y*sZT_J0b!~-QGu2mJbDO6Md*c($ANoMAmf<
z6&XGj(u0RbXFs{{@NA4!*Lz5BZhlwBOC{fk^<yXCW6B~NOuL~|CK4fFW2+BeT8^aI
zN44veIDwQck4=G5_977KzM>ES{qL8Up5F#&W;*@S)3-lvonaE%wZ{I26q)3xSuz$@
z);GZavJZ$}ld_$uBLRn{49Sxy(TjUMygaFp=yGrOtUnR;`r~;2{d0w*n6Q|h%Tr&Z
znxSFn+M0#fK|jCs&tw6Itjx@psyk`;PpF>g`2{gtq<N=bV)!IFIsyo>lu+#!3qm*F
z1}cj6^(C820n!_C1sl(#)4{kE1}s0Jd#6A4`yIZw0NZ)7*Fvl<Gcz5y!d=ml9jK7`
z`unGlKUavf=hM7<d$Y8;g&W(xKCHO!sIl5oz1sE0(Z#;y&x0P{&Mct}$$_ItEr{_@
zgLI}P-}&7wTaV)iP#Z(dyzj^eSgV`mv#hJD06lDl>}-Wy!l~(Q?*YU4hTNaIJ)eSn
zrmHgEm*;O<d7>ESfo;IPESu;4<0hMORk^CfIWasYCasF5l^O(nT3lRw$UVej<2;%x
zR%+A;mz0+f5O{8OzRa+QB}6e6%TcbKd+_EjxRQAsSC8MZ&FNwAolRFhzBom1PsM6<
zolNLnTF?^WwrbDfP!<ztfaemag0XUOA2&}-n1;*~h4(Vfw<W>dI_HPWkrEo6tLJMV
zj^~07^QBdk${3@-&;CZ8J||<o+NfZlG^a+A^7IX!&pFz(C`gP-vp_{4pW2U*;f&M1
z6-#5SSE!(~=6&qVu%6-DMo&JKYwgxwd7vG*k`!n#ZmUn43J$%lxt?iho81TBzK>$q
zMEO#kkIEJve~5v@v!@S?s-Q$|`{53ZV6buIb^E4GHUT4g_gSYP&706SZ?e2omD~}m
z3570|4hwA!hog!UA9OK3Ns%~l7-_AJuKNSa!BiI-udvW+5;3Qx(i1da(c|+8UDF~4
z$<_Uog|lvPBcHQWLAzuR9^chkVxba0iSxs;qvIwWWIQhMAh!4?hCW6K-6Y1XAK1U(
z73u0xglAuMx1P5%1AEXj-|DIT8gp^Fr)xJGK_jFB_63NFx{gkM!QYzfmnUyXAP}q!
zF5BzZx9i$*r*$*-V`h(I@QF$3L~>21s_ym|Pg>kGfB*h@8@9}$=nY(-6HJc-dDQU4
zES6Nb6}7LlGv~>D-D*Sqo>DY?YH=jre|hfOo49i8CB7manfHmb83Mld7PG=xSX%nN
zxNT3-%}vk*fVDb%aegc9XUND2<@~UiK{b`s7g^m3jwb%{$MdJ&XJ_l}FKum0tuvxt
zA(N@8`<@^ac^mZzZustpUIuBGToea-FVocj3Srl|;(p^UU#%y&1O`s`eEp`XElb{H
z9jzvqE`9Bx?*T&g94B53`1DY7qW<%HdzZRRmYYT&SjnsTr27tE<x(0&9z2+j+{mSz
zn1r@Go25XsC1kG9IJA89JzHkjN*41td?%pd|HU~S(b(vPbDo$lz>i{m$Jrr`zzFrU
z0`plMlbxOYI90?IGGGJLCauNUfWUtRh~?&)$I`{U4I){`QiX|Rr`VTP5Y-&K_H+6X
z#4&y=+PbX8R_Ck}xp}jz&7Za_Y|0zEIsG<5XelsrQf)40zX&D1MKMWjUzf#kA4D&L
zOs)JoSbCzT4!;L6_!LG^^Z(wAp#BuQx%&0p$YZQQpkhj-(1KU>Bi^23s6g@orq1VM
z)HE&mr`Xpk-p6wV>57$q%ljN^q+-7*u$35hJpdWS##)CtOR={v-9bFuRw|vSzeKmw
zt9JrV7Q7CWwZlQfJMe4q_yT2i8gNTX!@=x49PwZpI4Hf<^I>G2?q2M#?`iHnhUfQZ
z>K$}}X~nG@YN;Y$&2#I2Bj4yprWE?ewx6w5jK2V?QEn`WOxMZu*OCQn#@|Z?<`y|o
zidfV^IjUKd)p<!6(qjTK#G|KmI58uZr#K*)SUz27*EK(p0a=M+wyD?Y>mnVz2y0ns
zoVIf&w$#6#aHf`vMs)7A1qY^Opo<JdJ&#JKk1!bL?b$|(@bGZ1Yb@8LiF5#r3e83w
zT3K0HH<`406fxX5GjCJ%Pk1#=alVlgIqu^8&RWDK_CR>~U_Z4l{yl4_Sonb~NNb>u
zM#z3PI56-gc9sg4dR4LB-|t~4vADm|BU^pGrVztc#F#})wQxFrygjt~A^KNV6gmi>
zl#rCZ)TEhN0^0Z0lEerytmRV!O5ii`+!3f%fy?l;l$ln3_dfp{OK;1*lvE(9X+WFL
zFtlG_E7IsKL}Q|r>~H5<uPt`Qc?7##tmPyTaZWVOMdJ_y;Zufdmlt~n#UzSEkZ5<O
z8_QY~J9ivX!Z2m`|FnCWcD1P<p}*QOPZSSuO`=RZ%jh39<j6%%R~NAKe%Maj<2wJo
zu*u;FX9Bj90#j1tXwDIz&%TS-Ir?DYsg;>VF%~J69*R3yFR|inYq$p312j9Q1E9{P
zzUQtVmO|LI@=aMp-SepjwC``h_HsXN@c*17Qo|PPWjh@UX08$^N6`M*SDpWk2rw<$
zJZF`Z8cX80)Y7D7BT}iWsVRJ!i%-cKs#I*%tb;z1E}xpj#dxA81%B0{tfQiaDVBSV
z$E4_>fRn|+>rnm1ywA)CQ3N0PubAQ?jV}FSF2Wi7Fq}SjN2j>=$sg=gv%`Y;eX&DX
zyhO}$UJV1cq$d9h&b^r96qY|f$Hza7k86Q{=vOWftUP+HGbPB+#?Q}>)%zRsF2RSx
z4&$AD3vWK&;^5dUO4uov$Abe=2kgqc=+GQFX*~rbK04Y1{kDWfAdZjn)a(Z_xOu0Z
zdJ*HgcR?W{LEFOmiI)qg$4mnBmwzfqe;+TDN@;q>q-WZ(Fv3P;sHRFB6xkFDb8}hH
zmgDLyQlN2tIFJ$30w>VrxBcaweFQrVaK~wOI|zOA=`lt?WnW_AIjHRH+6aAaUtJ9+
zr*=cV{ak*KY+Vyy=&<t^zQ<ui_b=gvZ&9#??x>RXkOO;Mh_wS|c9U&9!CqD|=Teee
z7fxi=+6}4QNe6pQ-w1{8Zy1!#B)kN1H}h}y%RU#V9sFtYF6xNwhK;HQ9{lnMNX@5B
zV!4Jj2BsF26dYDurZgR&KGZNboK*FXxpEV9La9evLOG*e7q+wf;V^&PA;0-rk>27p
zh?!Xm5O}~vsgHLX;<07kToPrif4R@luA^O)cOw+Il|h>KI;Qhi0MbEo-!V3Yq*@sP
zl$i+rVoi&|=DoHOkO)*9v<rA=wCUCp^+iFZL`uoXnD+bk?{jcDzweX0OGUZ%dOA&0
zy{!!I^7vf$>#>>KqymS$Y|iYj<cWH|hF^GC-Pkxft&g`hQ|13=$C;7=<1VIkb~DBH
zw+067SONy8b3|S30dvm}%M3f6ofSwmCA{ce(_$ccqVfh|pOzmcKgE9B?A6|=qUG|H
z0YFVdBRfdCO*7~y%k8wMn9F@=qb-=uP5dM;Qo17X1B*(-LvYv|J0|T$z%5gRS7%YF
zK7A`zkYm-rX0?p#7)Z}2g!z(UgGd>4Bvq<iXsCs}Pu^owQ<KuBo(t9$w(ATGXtWx(
z|Bj&^=jXr68f<F;>3a&Z*9mGn-ED5wsTNe|&c-J#v(pp@93w~T>GGbDlS=aL{l&A+
z{qlq#gyuiwczYmzB<$VI@WO<6%;^AV0uNqgQUzv%@q!%`NoPkRg#L=oTp|vRsW=45
z58#MZ-L{kMlfnySBYH6JzCgOY3=~!(Ye?VSjoF{f%*LlTE~u}HNRab1S9c}g8Q@_;
zM#O&W1Txt6O5KTglZre-+r}b+AbkbTNKtp6&!T%Rn&B~bog!$3vwJ+)?c^`^E-xy!
ze#_2t(@|HRSfZSMzZPaw9n`(v3rxR?_I*7(GE9_;9W)XDMXt9xBHf-ZQsRQpHO!4|
zl(s-?Nc@lQWxzC_xa7e;Bvr)up4@^jL6FWRnPtk134yVQRCGQi;6^C$=!<8#mCH;~
z)XnozrkZdEFbn{-Vk)jE&WR@0#Le<!J8E|7dU9LAh4m7MgS+c?V%fkjx?*o{JZWIO
z=xg`IMn!tc*dM8Bcx+~~)=WHuocU!^5`6S-PT1+iaeGC#LP{|?@nH~D(0;0_OMHP-
zGyl)IiSB4tc)t`qpePu#@WuI>w?X45REhQ6T9e|v5nHpWvfP`<08;TnA6lnc%OUzJ
zPl}YW@o(y$tL-7Z!+J#ueCh*vcjTIo5r@xbX*Pe$(vP-5pKfh!VfnXiYiJT?RgHRQ
z?qM?ezn@5W(K<dIoe>L}C0a{tT>8ST6$SCoF>U$qwU~Ui+LF}OJ0`ORzdDaA4=Wd;
z_F=ct(&=<(VZ7puqTjP+bEZBLKmh|qn#%92Z;L;j%^`HePJ|?i2n_zQS95R>b?#3T
zPZZ?2+w7JGWDsr_4DWmZVYhUGuF&042;}PhseW=8vVFJeO7Aztpv#*FKm1uhb(K`K
zS%{fTR6Nf32ONAly2S|MQ21z#e#T541CL|RH6Cq0FFO~fWcl`x_$DiY!Hxvt2GoZ*
z?KB{QP|KcwXvgO}0dPw7hq1Zx-^|#a5<}dKi6I{B9lg~27KL0Zqt_#~nD(~+fAryJ
z{uRPezt(S3=i=<#B>nPl@>0nB^nXARfI*PuPCrp+d5yKZ1P}wNYinkXw8Vkp>b(u0
zYLpQ`tf2vXaX;IA+v%55v^*gY$ak|yaDEVeAmDJ!j_AsSqJYP7=YNK&C?5b12?_aY
z4Eyv6AN-^KO2b{A9lUU6X((m6LPR1D0^r6}0q{A}e<%SZFB1vGV{FoTI{j*N<6r+b
zFy-e6$-iLd|H^y_#`B?ahgCZYdw{g(fBbms77!8t0ZG6&dJV+en`1~fDX9P;>gMOm
zk`j^pJEFfUPMWgR&mSKB=|5lXKNO50)b9VzmDCA0-gx1e!p!k@+dLWbRl+BvJ|g+*
zNoXY6GU#7P1L-^B1K=}>j*iX>`U&Lb5<TBP-x;a4R0V&!S}h_st_D#!^N8Pq7*Jgq
z#qA%zgoJdQ;SNRsvj~{wsr!6VHhp8`U`J1zcg|C94_cqY94)1kwOcw({AS(6PmG(M
z7h)am=%+u?jo(8aw_kc=Zza_2CPX*_6`Y{ju<tySr_v&ZE!auJ37i3-UV^5tG`h5f
z1)IfCdRdTkd3jsKl_3>xgrA3Jhw21YK)z+#nZRQh2v|*u`I-PHnr7$4s_BJ{cZj{U
z^>=`fIRX~QML=J%SqvmkSU06OwCT5+(qB1;&cP^CU+`|@I{o417@?^TE-(24aOL%=
z`d}!GJa=jzioE9#Ki%dRID;$ls+(%vxpQad;E|9$EfBStPaEEJ22K@Fl_S$dT#F4N
z`cX!Kt__EQD$<m<0iJQ9zaE#G8n(S{8yg#&SzHVu#SU$b6+CnN_0kBiBW;~{9Bu1^
zyCvXcQ|-R0XN#nAU#-T7z?455tBFEFTAzBnXIRE@dSSI==*OmE>uCl4&rH4cWxk;o
z9%$HOa5e6GCbWR*m(<l^xjTG|jQ8Vq0+0$l(XYY>dmR35q}#Fj{)uQ~roLjx8SXck
zEfeb4bzk=dm?gk*eK75vt?jsGT_mvMADLdBpl+Dx7!KWM>M?xv3h#=#fqyK{Ho9zi
zq6nyrUZ*Oi91c(Bp5>O-+fHQ%eadJ*O$H{QP;^5h364>0;X6NRthnp``<JAEJz%ul
zs>Q#%dZ%XgeL{Tv+ukT9u3`4lu_P71bJ|1iN!)%iQ8Dhhg7SbxiegM$z|i#aF}s;M
zWdhJ@MOchquFzW5Dj44QIQLNuaRN4avDtl3r!yp&<GuKwUpKZF+D*^>?)OKUw|dGk
zvF5oR>Fv#*5E0~+ow8~G^3UbZexz?0pqU;{OiXaSWUufAKtN7am4@p5r0FKr6)+&c
zM=A_rzCm@TQCGWYPBNh{Huj~F!?H?wcJ?b$Cqdv8S4slOn8!AJiHz*o7|9`{qbmbZ
ztWv=c>44shJb9d!kr6pNYZQ0Raa{%%XP8d`TKM@>&+7uWZruWXA}_#<Xo>!|7EH#h
zB^UxF42B)76|KtabOR}iR(D>D!=K-aTo1V_SZOe$fMpRmUHRt5($Z3DcTy=*kY9*(
zm~)2HbUqaDi@B{#mKi3oDo8WkFIG}O=)@>FBK%LbN-D;m7CmTr-GPS<_yV;^ntJ1G
zEXW_mVxtK9Y5u1_iC^8sq`ZotYzhjW;-%J_eDXp+9$yyfrKLrAa=hm-6dSwhvo5;O
zkt*zxy0#gP%bBdP8XI>t@n^nxae3C(y)MOIyWmr$Etm^czf1e`4uEUkm3mgwPbb^t
z=eo|6PPvp*zn#RSy>QBY<lx2d&8~hfe?BEW-9BS-Rsu6+9uYH*hY{w?;KxjHudZ?$
zs?KvubR*7kr|VndiG9#*U+*TE>m65@&U8_kmVz$KXJ&Ua-Or}@FjFEvXCDO0&}XGR
z(OA98_%z!Rff<c9npr^77C#wq{%RlU=spXf2?3T3jd`k<>eC@Y-Ku#Q490cON@dw<
z0qKal%Ut`Ew`t?CfYDJSEEQRUIe*o*oOn9hw6k`Ce2TMw6JONmGr4LIN#pJh*8Nmk
z?bUPe+!sgBJ_97-BH&yBVZu*nvC{R{TA+w!1f0fPmIoq?GbwQR+XXjHAy`H#Lpdr;
zZQBNr7un^disq2E-{0>PTSti*Db!`nQkEGtYLGgyO+`5e@JLGIobBs|SWV|Y;|%<L
z<s#{8Ro5Yb2tXebzcSG8LAHDnc8Kxni0hYYoI3ln962}G18MuED45$KSL}j31YKUg
zar0LPA%m7_a7gguxY^&xNQE5P@KLGEbR;Pcxl;7CNNAvf?9VGJq=1S2(W=2^kHm#K
zNdkjO{~|^zO4w^4S%AxBu4NGNTBi2}td~@Zobeujv$^-8oydcuGe6>|c|~*OkZU#U
zHlYvi?b)}wUb}sJNzHi9-)=@_E9<UdefrBtdUe2de!bGoe>uGLGK7MCyh#xjQc~Uo
zImgQMz3h86e+mfrB2ethaNAQl_t~tY$gmh^fq;=w@l1Sa^Ne1{q@Zm+Rj7$Zx<)yO
z&x+=EC#ggYX#&G_^9Hd`jTN8He%9Hbcm-6%6Yku;J#F5e2%RUt#vdt41i~4{m#;q7
zo?C68Oph>pGuOSe^!EM}tR>Co3U9sx+(E`=DTr%TP803a=5y{*+s39ZhZbgsn##xL
zLoFbI`C*<1144#rs-SSbj%^D5jpL&k2Q*U|;`jv-Tv1KW=hv-I__qfzQFgK3D<^aP
z6r7@*Qm_i_3#$rmWgs|=$GtDg%=M!72He;a%F)n!$-F>T7)O8u>S`XgJ%G(wYKzM2
zz~WWg(<YrcK~vQDc;U;;+S~Qi4}m%*IZ*mt*m^eDUp#~Pd<HZYSf`oKPjby#V0W%?
z6PKaJblzdNf%lA2`B~iY9U^B)N>X}p3<a6%^G3-8#;Dmuq!cI`s%K|c*2JsG*ah*A
zC!YoRzBoafUKZ!arFfzpi98UFIN~VA0Kj-UAn1!Ot9RTQ=foOS)nBFkPx%v!5_ZC&
zCMP*Xo2h-|qOj3(OZfhX-`bkX3-9SmCD4=wk>4%;VKg7-4bD4EGdvaM&3Utc*KKDR
zO06;ZO1z!rAu|%bNFEi<Feeth$>K8P`iMWuidU*v9B%fFc)WML8o%QcE!A!Wk;B;>
zADg}|ry`CUnskBD;oXfeJb)S2sjn^CEhv6N8AYI-czp+)H0GV}DqI_A+DV_3^0^i_
z{ip+f9B+!<xjd0n73u?;7tlm8_~MYJse_&e$-hWBMGsmvbSz*ss5UlW%WXlLjP_<m
z6Pxha*p-uW@nTR$F5xF{|Mc?@W#;9{sII2t%+=?)C;V0vbMU#VtE$Fr_z%?ly<XW*
zDp|Z%EB1xmVM*SLwqgn9xDH9Gf6^HTWljw5BwPmMONv2YX-t9nJu(?Q{%ag4c_Ix&
zt*ZUuD%17it1A9h&wZjNeI)JpPgyIMAb9V}J6CIAba8$o(adt=F77LG*_UTSms+Iy
z`C2h?#IH<qZ<m%f8@ZnYeGn6XCs{T(4=X6HX;AMfW~D(4WZ&PL_a>KORL@AO<kylL
zF90jF$Gg`o56y47v8X*h{Z6a~TekOY@Bn%|v>v3FW(ZJd#9JB%ZZj8+Zt<!yFGD3x
zn1|2bvL@ME=$}~6Owm*uwb0d<<4wtGGM>((M0$@5>gP0nspHv@Uuy+gQMA`eBsvhU
zj}U;S3z#U;EeTUlT@j7IKV~tkE-zOh#YP(GuADrc;a+b|0@HDD>Neg~c-aa*7P!i;
zbw^hH;jip7bxQTJrp4hj{RQbBeU>jZ615xtBCr%mNcHWZV(k*GC{>Y2VV|>xCWLF*
z_j5pRlw8Y$K5mHMFR@pQQd?stMOei0mG2f4DTrEvR6t~SOvq@MA%e;T(a-Yui!^x@
zd}|uR3>Pa+vLgQzWgP)`Wts3=4P4Ot);H$}von!nefNe0)aOEN0WXfNdUEha=h>0$
zbRdneb8g=!%zAY<)M%b5#FSm7W-z|A{H~ZhlO*Sqj?0|6;VY(}N-x}@5{mcV7F}?6
zC{!C%qe0O2hC5FQAOAdm3~gmG8!r96UEZ_)`h$r54A-#t-Y)Gkg+|5uJ}xGh-;>c1
zQ@99xb_am@gU4Izwkh=6&c1Dhgz?Wz-u>it3CH>XjRX^J^4(U9N$~XlwO*lW8uHA4
zBE>Mb(myN_wflY)EOES3U0jF%XNAh!Mr|l{5C|AiN3^WVa@`82ayp|o<B1ct7V_yt
z-3l4=@l^)|qxuC|SyMEMoeisr`kgROXTHS3Aonx^5fx{nf}@phI=9DgGlHyS>Ms;h
zJ}V~h)?RWjf0QTELPS2ZSj&yWFJ$rKkPuV2_G5Z?2Gw>XaQ~Vk9WOF!5hQ`jQdnb}
z`ppKjzsYKjvoQQ}0l%x48w0|Pa1ApmUS70@4aK{3uPdW7bH9dMkJ))1@Bx5yRnHaF
zbWD(rfGsZ?U)d|#Ii~bkb($EbE~kxY?u~mkY`NS-Pm{D8jT4xl?ecyIO~(F&x@{^Z
zwE4h%?8`<4(9GMnZ^zwlFrj$_IK84_jiUAg>vlkxXofEvO*cM|bgAA^V?uMR?mDET
z=~!sns{*N8u614gd~IG1ldAIJ2eS)#rc>=+9|3;W0g%9PEq=-BX)>Qi;7;vdWzYoY
zSPpH!B+-$%*J#BG2tQ__IXk9~dz+3@#fOk@YW|F)MPKj(O6jH(wJlj6a;B*#CWVq8
zf=Y@YE>u8ytLApGUJx=;e6%Ad31`nM1sdtPYLXEBPR<c+Rf?p*+=y-DEoXVk+A7ly
z<YSWB?JYZXP$L)R#{eh^kT@^uGg0>3oyDK%2>+o=@40>J%NLcx#a%t5+N?8@XDf({
zlN+&-@GBTvrC)E@ZMV>7jEy}jkT_Q$Fe*Kjlvh*t*M;YCeWY}0dsTIlHHu@(+y+(d
zI?eDZo_#ODF9O?GLv6+5X*1OX4DEcS^?N^FjS4q)^_sZL{azm@F#RW5ehWf{N!R;p
zB6^X}^a=IbRmE}A1a&QOp_OeYF?-fZ>R!QQG>@G`(=Id0+hLB14G7L?#_KY$4B_yW
zo=09W-n_`K@d?B+zsd?+28zqpzeEvRS@E4-l~N4}N?7$cJM$>$inew_YPXfkXP8!*
zW{oNOm%oV#86kBB<q$XH4*IYLl-vIV?Y=9mpPgAFz%ez4-2o17-&P6P$lXu@8(KTL
zwbicIXMcQtw&3vV?Cs|G-7T3v((ngMMHf|XGg~<vUCB0jj}4~SxVX(MwF=f@-jCSV
zRZp)JV4>MxLLm7@4ek~F<SD9O^2-xA5ywOr*j)Ipx1yHnO005l5JTYXlUqL~i+_&q
z=YILBl_%IP*C-hJ@=5_v@?IG+)Ybms5kOY=+I4Ea{=XfM9H9SU&6uz%aX?K>pe=#y
zfGjy#WfOREb<r_{!E~#ut0(tAj{%y&X{DF!yw4Ya5nFuxz!3hq3N`x%2PcO(W*^be
zX!|`I4l1%VFqr1Ma+eep>Hp&{8FiKgo?Km94?T~zM}};(PqD9t=E1|xYfofNp5wC@
zrwp^_3#kazGP)}H{-TXae3Wx>q#P`p@pFD-t{~wVFOj86E#vfuxg5FJb1-Kog<l~@
zs<`XT{TruQx_jvx)N>TAr$<_QU~dfZNw*v`EB|%NAv~~$OqQ<!t;+awCf=#UHV3}L
z4eHM(-JU1iGR!bNvFtD$(hGWlna{1!`@w?kXslizcQ$_n;PPnf_6YK4`dD{AvyzvW
z*cLjV0@1JZ--gmHauz>!(vfBdKH|Zx3jdh=l{ZB1ti^VoKVcHMsjjYWofuZ%CYL|Z
ztE@isnV7+S)iG7nG9@7jr69F5{=O5VG2!{+j}2(zX;Ow5R2Y=@be(T6ZgZ9C;CaEb
zb>=aIr{|X47UVBMBKT|v@ldZM=4R-XqkW`yIE?qixFYBZ50R-i!<7_9yfDPFL-KMk
zr~8AosoIh~F6)DfP~+-8A2IcrFp7zSVLqluV2>j;{V$f`Jw+!L#MGkKYVU`0&1ew3
z2tP(VhcEsVY7<g<v={d}`I%y>m9=_DXX1tThy;%g4<Fmt$Y&bea*IkXp?#IH$GuOJ
zOwXe!xTHY5jTHu{?&X5<vt>f8lq>AUlIBSfv8sL>^{+5#pj1^@SU6mP*K>8twm{vK
zyxmJ(cb@U<lWyE2&~sB2S3A77Hfa7265~iMO@afJxgw>m+`|`fP8><WukgGrj&j0c
zwxy|kJ5m>|^)N7^BjT=~7v9^{VQ?JBUfepyhrdLl7j1Tm9(REO8haDkf}^Jv#I7Ao
zJf9Pm8Xf0Nf&(3{y+cDipNJ^#0dhA`TUU4a=U20zEiit!z4@}hT7s)pETRK7heSv&
zF6qBiAX=*CSF78Su`L|U`M%35*0cuF;+OiT>bNat4uJ$hm!kAi#V6hlr2@D26EGm{
zn`ZE5<xSb@;W2KkDUVc2lw@sma-q*}^EYc$G3J%^`h<)Wil|jo@o35&%ON)(2+S3o
zj1}`h^b_X2J&NCWFXd>TM#1wq(abw~Kz1+9mJ<f6dw38l$jyq@@Q>*^nxH<|%c**v
zM~93NP=5I0u{w{cNe0-g1*Ios6;pMj#ta`_3bV6we#EPvKonr6hSMei9cXIn_tpt$
zO@U-qU1b!038|4KaKZpm@)`kW<>JuS)eQnvhZoRoT<o3(7?4N-GS7U~qe)CBqSX!<
zx(n^PDc5o=CT^GVj@<aW(F+Z$EFko};BwHz0b+#u*ywfzD}{O@FdwV$B4RfCuf8`l
zqhWpvY~hv%1@)OGmFw2nC4s_Q;)9?%ea}IIMtq3aSe(Mm+$VDL4i;v8j!7mLeJ8zQ
zP!VdrPN+vxP#Ax;$N)B>9aO%iW>&Jeg@X|lOVMrO%hP}NGV!i7Bfor=%*lCOfk>8K
z<o&Iy2G_ob_X4h4T320HT#wHOMfa|}Lnt%6PGI3>N8FFLgRl+#_>SxUr%QaRe6*@N
zC+p;v$05+LZD}~{eDeI{#}CQrnC+1q!jm6tna(JxcUD#%8y$#VB&~nKC5`|SNZPUH
z9ptzyvs?+=WAbus=(Oh$2@giZURfG$%iB-a5Dkf+md^O){sDTee;<yiF8>IjXxJ()
z(K-U~rFw$;Q_7;kACfm&{zlC2<=OAK10x1HYf{>Bir;2PEZ@$Jpbg#E^&#o(R@GiU
zJ*stmYIc)8#}oS_^T!LUZtw4lb2~d3jZ-28H4rcFT>=6EE-4J4j+^PXl4^KxfEB5D
zog7FsA8(zpNI8>C&fX9cJofycLHf68KKpmH5(2|l|0{$0GI+!1**lSu;J!IgHB85&
z?XwjI`G?Q(!6#kJ{0<^Fb4h!ePtjx&f5dEGsD;NyFIR4j(OCo4%0qSEqVrEI9Krxb
z0(!k4Txr0=dkeYMDFEYo^COsSV`}U{2q0y)TGD?UuMKw1_V{^DihXH5RQntBZ!;i1
z(MAdOr&BjNASJZ(S9scC^tjKVT1P9|$GlQz*k=XA5JX{(h5B9Uw>B>DX;t~@*cPCd
z`>GNA%5duu><jd=J6&~2CRwI;EOrKA)h;WQ|Ke{!R`8pYe=La6uimQub6jZz)pJfY
zyF0M3uoTYM-q6<6%(=+V%`I#PPPGpC^u~LkRD9h_xT#>F3uL;3m}$#B{unI&)tM(f
z&SP$AiMFJ)nx>77^~-(XvKDqi6Abiim$Z+vu>uoXSuEHR476M~h>3s<|Hg*k#~*DL
z*hkl(m|>+K1;m2s>yNE|s|obm8mM`!s3?a?IU5n5^c+bUTz(){3hr8o-n6FutdbG{
zA4S&HunPm|6#T=tsHkYm!Pq$ML=hMR&O2l)@Wr8oY5U(_Z;&0#v?B|lfsdB29Ht}`
znlu@EuEhUZHcnVG8~ii!Fd_O2lS23L=}({SIME;fjJt-ATIoing&HWacmeoU(N^Gi
zah*@&=*iau$#Hr*nS}owAwe;vy<1X*zjqnp-^}roE-xpft97cRRn;c(T}O;c^;G)w
zh;Iu!(|Sf~nazBJv^3i#JmN#ZC?7FxdN&sq%FD#|L^4za{h0(f`O5lwPF5DvFBN+r
zU_72a$<t#5I}Mpz3jMvW(b83q^VWBY4)$IyM*5-!H8nuY)j@YPu0t&3>N3)SGoyWY
zD8LQKF;d;<VTpj>38-{zkC;2GJrc43ItzME_u3h>_~ez92d>HquAk!Lzs-<e>1SZw
z$;0o%vUgwfx!ZQ^Dx<@D2!j>2BddeI4{wJAD?IdTJw48Prz)%>m?3GjApT-(Hmt4H
z^UX^miNo;S@YJk;do%2hdT3O(8r@U@b75gc1*!s%3Z9wE!Oh({UZfcv6O-c~n?9<~
zig|J!afi3znyB0Mx9M6NY~r_n3nuRc0pFd@>fhfK@x>9V9T&Vy6G|PrD?2|S#Ka~}
z#EiK!%qM=m=k9j*qH$MnNQinGzvA$-XZd_>uzl&=A3cxTOc|u9527L*1b29Ksbeo#
z)?BrLN|dZ}^7GA9pLsT2W7qp^DyhK~>?(z6^>#CY+tamo;^N`}=&iLQ2WgI>GJa3?
z*39g$$>Ry)^~3~0`v|a>+?18)jyq9wM3CL7YPt5mH!NG8B?&&jPBZKUl;)4V$nLeB
zI~Hd>SRYK6^1?8hec{mBJ;CGQ;VC|G8=_Y)6rK8%KgP2$S3)>glPV+YoNa9bDtD;q
z%in&Z#N5$`X183f9davNC58ldjx@<We=fi*>dojzU#u||-|C5#?)JmC<u3Vwv*P3^
zDemGlqhHTsd9ycSEns^&@+dBvGkGYrW0T)<2N|(RQ8s@$GI*o-|KsbeqoR7-H(mo!
zS`m;&=}zeu>F&-UB!=!(6i}qQJBO~JK}2Sxk%l2unjxfP0M8!3-}gQ5`mJ@&{)5GW
zwP*J1*?T|FbKTeVxfR@ys1|BrXAU7!U_vGAyPu6yu6%lYmYA9v5fz1V!{+uJ7)|g7
z941SxZmv%K0O|r-(}sB1+uMVHa*tznlMt(rGm%WldWu1v?GWkB{tq6VL|}T&t22>t
ztvvY8Y_9MdQ%0iD?GbBoRp9+6wcU>mLe5uy&+j~SpFaOXO}@%xwQ7;)Gnjn6kW6**
zA?k~F(pby+X9=shN5xFAU$9SHpIf74gmrb|*gX^q&c3onD^kB1mbs~)Oy_b^#EG5G
z`5aypVO`8?%K1l^pNk@=AS{`$S{F0T@#llM*`K@fo{n=(yqn}hA~mHwe!Fg_KD`f7
z4ZyQs`#?%R^d+W3^?}rU5Cv}8W}(3tO?rZWs`uz*?tC_NE^9_gN;suU>s^x;mwv#I
zbfWo;kx@><1`~C%T@*nLjF0FV!x$ne19&!4f67Q4{nx@xe955GaHc3yi0c34HK}y6
zHUC6QOG4Mjs&-2fJvbyE%NP3Qg}fFHc~NYX#HSW$#}#1`X{TITRtD+~!$i|R2IHF&
z9T(9hDRy7Lb$9yE77P3DREm_JF-K0n)aHf!a!y==+Io5U)VnI}2R{>0SijaHC|>Ny
ztg+Et5~{y4@70WEReUuxT2u}tO=atICo6-U%U5?ayeK2rkIX?_boHlAnQ(orddWIg
zp!i8FD!9Y=Bz;shwn%GhGvGR2CJ)qBrqx~Xxa?Fj&vs+1ZT92*=>1uz*f=NA$B!{z
z@iBUG_YiEZtII5;<7ytR3o;Onyjm6zqKpeC6AWSNzS@+E_gH4xz1|FbK9YIu>?)V$
z7}?M#+Me*zwCQyMj(9gP>IegVESe`Y=#`Xr)i)evCeX$g6Zh$+ptViPxTb(0D1T><
zw7jk+pV0luNb3Glp(>#(f{NL=zRwaC1#@xv8oPS)tw)0_W%+MAtoHgS$h^df9B+Df
z(<rY8wtF#JGqvgqsKkV(o)<iOTqf9op-4eluK_y{k7?>$7T)0EA$t1hr~l1kv%n@j
zP3@GQG4xc3X*QlG6${+L6Rm249aPPI5!OEj`pg(u<{voh$L7Uv5BIXMX1)C&ruQyb
z9o`+scf7giq|w&rK63q<aMKBKu3);aS<Ec3nhy9czrJCW9Y2t!JZqdiWun_LXV5ts
zALVxQT2a?ccInR_<}DWqdbBPk39nJ3%`ez_xD!kBrM_Wl>uKJ5n(x6e=W7t>L2zWH
z`^A(9@$C6$7`R{f`&4vlqrKkQ+7<Wt&q=d&Vec!vZWghyNltq`dtstt@$X&~3P{Sw
zv&<C7$BmliW@Qab3V0OxVcCf#BJLND1adIM9(?V$TpX8y;14S9|Lmxi8KAjxl?F&R
zk>R*cA>Z~@xVzr-+oyBN0#`M&|3=C;7L#ybFeZ!hE?3M74+n<vxqW5<A(BWTszbLT
znz(4Il(|EF`wRD48o8c@4?-b&VSTX5zRLAWd17#5OpITO!td^?KY3=|<?96Ss?H~K
z#ZWaVn)9Zf5AAHhA;)vR+L!iiOv#qMWw?BRj7>xIAv<uT2Xvic(btyRs7Rdw7KcIb
z224VZI}d%M0ytMomrkhh6e%NMJD{`eve6#dks`o2>ll*A>3=w<nw=;3=o9x4d^h{C
zaNs^w1mSM&LSpCUU_~o(A_z|@st;eMK@Y1$l|GJQ^>Xgy?T7t&9X-N4{*b1_ZU%vs
z-GX;hos5?Sl{l?x1ArUwClEZ;`#uf;Xh^-iy#rMJ>i^D)NCv>lv8<-iMuw3jmA*UA
z_qeSWl9M4ZzA#I8?OE@VM77P<h%%QGHOsNIn$$0{8KZj-sw0%J)U6;C%oKv5vFDsJ
z8Un%QogsQ3)o5l$_y^L5vGm0rFxYk{)#HjKGFt<R9S^qY;EU0rra24ic^^d31EfI>
z5==j7lYhlZD07c+y_)aEsc74%LCiaE3FBi^yTp$IIEH!=x4xOkedE$mM0jRb^|{3(
zRA0NA{>+{yr>|!y#>-TG=-^1Vo9O6HeV=WfFgL=#Q)Eny%r+0!?ZUUR$W~Q3SQqCR
z%Hc<cvY~@5?9-YKn$SvB#yv0MdE#CT3uNa<1fg8rk_$5R^LlP~30-Z>b4O_@58zss
zn_b79IWUo&q%Xc1tTeUWT&SYy>tMHeE>u9}`u3^2wOHg2r_j0C794WBHsh8dhufOX
z5`T{5JK_7IsF_(-lz)@R05Sl<bgpM78H-6*s4maPn1n^B_qM;csKMP0PWqLBK-yWm
z!BOGp+cNj`i<(ur<BwR`5{R(Y+jqNQz$cs)-hP7^ue1<X7n&(lIC%YHS~yhHThGc>
z$K&?;l1$u>2MA|KdA}AA&|d-WNyCK2QX3C_NxpjSD!o?vk}K#rWd4vW6ht?upMo+=
zc@c0TZF45|Q@3lvKi$1Cz#eBXcOfjsbsn-Js@Eal^1HTkt;zk^Bzi2yecjz5oyKk2
z)kHvJ*Q=(T1(}c{g!eH}65cUJ#j}y~0heiRW2qHc-o;iYVs0)5(Hc_o<HAZ!U)_oK
z0C7zi>*1ekrReH?cQFf}GSOR;KY^vQW{|B`R4dimGEECdTJ1J<w-3h^GWrtBmkLA5
z%a-{bZ_j|Csos=lk>D&Ff7$V)^BBJs;n?i6mZ47HnKOBFD`VuDaB%!iWi`ZA<@3hI
zt6jmk#sx#w9+83Xx%s>y*YP-=wJmMpF3*@We4W#V`8{_Z*$5uMDB}*?MfKIom@00p
zVv|m3e3d#^z$7s9l((&+#K_eZmONGv?@YJU+68ZF&UAD&#MBfP$k{lf=QG{*6eQ*n
zv`<KDI!23V7~%7lka9*!hzyC_1!tebZqq{qP6QD!ld;OltLx+&OP9EJaeVy#!sptq
z1MrJdB1Cuc`RH)J-|TsSjq~g}^I>;DZJU%=M*1`?#tNhzXT5abQ)mdz0$)m=M;cpz
zI&g+PTL`cXqI;!}Ggq69+xHB=QMq;-)NmT5XFH{uA(6>9;tSfF-d*9fe8&N5&*^sF
z7po0iJGu7yKULM5Zj6kkiDd8TAkM1}k!hwEIs4V7sH)~9AbEa-{LWo3b>=$%0n)H^
z24&L7E0^6^4Ag9KWlxmfu=+el{z3FiFU>({BCAe+r5n8-W%{5yp9)2<L+M7-Uk)o*
zDh$AX4kboYX$y4F*k&zZw7+uU!<wb)vntCsVIdnD`7|?@Qvq44q$Zb&aZUN@rj3Io
zMwGB%7y3~`tkV6M_XR_L>%c<~dI4<mxld|m!!-fBbEa{<ZLz~OK8@hKYUQgsXVc>!
z;V_VJRsT<o3~F<*-7A6B-?;%_8PB!))ZFP4A64d=G_Tx#fPKrTcs*xomDl3DS$dNj
z7bE?3qvTGOuLvJ~i=L%|8XKR-DRPjWrNL&qO@fr6L&ZL{nZlJk609eT2g=T~ow%5h
zRDqRt+&nkRvdcgoI{s;L&A9CMxD^Kbx=_HFjI#V+!}j$8zw>a+dsJN+YYg3Dr<d^^
z%hkM1nX?%?;-3kWEy+6|Ib~_Edx+)7ana|#Pcgf518d9N|I_W$IV-%@Lavd0rcigy
z&i`j9{sYUA66qSONAgolWiBkW<qsjMB{*tx-{eiwX|u3l19@Q7%xY0u?q@g*H0c!j
z(&*6MZ`*zacHr9n(CHRszs1i$`TcM}_^H^VE)c3np>}z$&4XN>idV8j(&Sy26V0c5
z0v>u3z+b&>ivj>}edv_UBS6W0m?-`P*S@5{dg;^Lqva46x-c7O{ACL}?0CcZd(Uza
znRu!0PyS4qKXWb2x?}R<7t!0^aK6PLL&zPU;wiGPjJDRP!ChQl5XXhv;WIuV>&aVP
zRlz~qVzyRjn$dcm6r4a9%DF;A=J@C4yXO8wya;Vm5Ak2S@N{twJvEYn-A3oMtQ`n`
zAV-Ehq)S7=4XVcQX|mhAJFW<J^yDf-EilE%?br7e@wZOu`7%=A5rn^M{E?a2w(!h8
z%~a`|RHqF8<b|=h0}n}&v&d#Ps8sPn<4xD|9&^3IVRH%d(dn2Fy=LFa3B)b-8(Q0q
z%gmRrrbLvQog49$F4_0w23IQg%}QY^;}gyr+7U`wNi%{BPUqnM-<A9NV-K=JA5WA9
zcd4|X=5hh68QSv>D1MP4fZLZ?hT)lr6eWvMIFBGBxlAFi-z#wf*G8L5LnS-Q#AEz=
zDRHd(jvDP4e$IEH-dUjNER)SU;Y|Z}2jg-QRP&P5$_=a8Gedrcjm2MzkH#hv;uy(n
zUYleHfX-L1f;IN!Oba|86-b;%dd{SAKBQoq5X?Ic5L;kL-YEfD&F8^<A{i`KlXO9&
z7#v8bOC!KL5|n^#UptKP;hIW7MnJs+le+gVuPT16cDC4JAYiVLk*`&P7))kE!(tBX
zTC@)~`o_)(^~ACg1zv~NRwq?|U_kXb{SbcCJvfXK2>(#tn2--z->07IIel^}1PzV4
zLe2c)&|8%XT$MZ7nS5%pZ2XbX!VeFz5=b&2%g@X4he%-W^9kPWEwWbE&gSK%{K>-g
zQ#*Mq*7CoV0=g*1XP4H#stLr}OGJV7eX`@crykhZhLDd}Dh=-0kaHNwId}6%ndhTP
z{XGx20+l+tXbOn9E-KkELn$LYNG}~S5I{e@v)7yd2)MA6RL1Fuk6q+tITv+3XZ4(q
zC#a5H^e~0}wDknIT$4wcPCwH$MZvyZ?u(wimO68WPsyb33g}D(++G;io#orsoGdK2
zFD@O#eJ)u}+<Uz&qi3StZ-~15Sqf<juT_;7A$+%alet>lfMqLCkshQ%IoL<ErDI!|
zhiGnRG7fhM^(#A%6hO@$^+j;DItIFII&|IV<S%oIdY54}Xvz548>^d-v7`mO?GSi1
zqB12LG1N4{etyYc<2IO?yj<TAKsdk0`eV6;9y9Qtk$DOQ-2scK_0$1RQOIw-)%~sI
zmOY8;cKka^V-@BB@n?*)D%>4htHq05=TXkTJ2v%=4rXNTHVT;vSU73?(vE@Zxprz-
z&+61RRByT-IJ8XrV8fx!3runiF*fu2vj}|`H*;FXc)mt(Tp3Nq5;&>WJmF@AmTA-0
zaPvU?U<R?C(ZYA^Rh6+0)<i8o{vh7z&;9F&3LZ9lEW06g{JsRw#_U?kBD<xHNK6oJ
zS(SEUB?Ws?YiqZ}1(E_UB!vxB2aKI}N_8FvQ?*ugoGu=^FSlg2cw4mPCNZI|yV8u1
z{<sIn=PjznY3t@M)=HX0Nlnk&K=WVvZruWdJ$`qag*Yd9=aJdAVb52``i~*^z_-=s
zksU|Lo~ri>YT!bTwHSa3#r7@}ke9oHF#>_sU-@2vt_wvEn2Uh5^2yHp{W2htW8vlc
zBG*w~mw3GIVsmYqe`~fQ4SuMwLy<r{X@DQMKRuaVifJFcZPU%C9+nQ!l>%4n&>843
zA|-(HI9?#56zbw*g2@MX_g1~%0^Z+7%%R+`COv<If>0j;o5JNEn0=+iD`#g83QDll
zSny`Uz?^3>MWoY?mS-XMr_xR9o7mviADz0_E6n{DS5s7Rt9kyR{C2kXh5I&7_S;_o
z-VHx7dAyyt)W*%<@Mby3TQf|wb9U-ES+dv6ck~MTpHz1HCn(nFw?=3xC*r?c(n2m)
zF|jPLq&y3{YzJ)Z8L*bBy-J{#=WPb)NR|h4kN<~Nx|7JDlSrpC*3{Hwu?6I#b&@>e
zT!E*TIVY$62|tlG<NKb^f6IV!q_aLNCFgs9rn^P5^pusHe!S7w6;E;O>&HwGS})mQ
z4AgbxOI!uTXOfi#jK(4<|5xe~(fYTp<=^{1buCgh<reF?i;C8rW!v<SV<Od#Z81l~
zmG0o_i&_E$D^u9BschjAnu&L3@x{U?aeHO3`ryHFs{<gPPE35(y%*i}*SY*yPI4f5
z_X%a>PSg!>a1ZP=vmPa-M-Q4=pbafR9fiju`tW>szLAYzJ1k*}0)0#UyB)o=krULX
z?VGyv&HoMW@y=pp%}AJ+eNb_Sv5_7@h(51{`GE9mpD_LZr!!0u=!(SkwOV=4wN)2&
zw_FI5e&PB@dDwSIc6I#fAn`(1+qLacBhHiW4aY1HvFTngLSwR)EQ%KsMjs7V4NNuK
zT%ra4*zO#oj&<5lXc=<X0KR5GOn>4H*Xjo0`nVdqic3nXT8C!K5l7f*yi)ygXLqTG
zP%d!Lz2P#NcZw{Rc<79A$?~r_4Z^ASJG6!uxkb}_S6eT&;yAO03*Icq?W|{f-oUwd
zQWVw2Mmf6(4%(im4ezi@P!6L@GbO3E&?;l<&3zC_uh+AyY+XxHGCJ>#Ud65*ZmN%~
zYLzX~65Z*3blG-QQu%P1%N$6^zm#pD8v_b~<cYJ_TT<~Bt%?#-p)eA*cM}3m+6&1x
zsKmW@=nIxO`NLpx)xt-hcA+YD_MGXD<FMjF<lciX=R>v(w#udEx#784KGr>ma*#NT
zG`D}>9&$aH7)>MbDC0)MGLNwXzEr13k|sucUxNnLZN?d(NG2d?y%KRmFq}v%!D~7A
z=tS%hD<CqK$Ma!t%zgaS{~N7pF!r^$XYn53=Ww&Tex7=)STz?}EBZqizkOJA@AkL5
z`bE8&xxeUvP7;sZ+_s>Zkl0Cp{Hv*O#nQEk2xF>+HfqG5LpFi~E}8kKc?Ipi?i2zm
zpt0p(9yc37Ec~&Td2@c9r~&(O2l0<G*!3(DUc(orV&M%CQ3luvuS?YEGj>kQvdpn(
zjFMPgfoHlI$?n00?nBYoEVVT{wSW@whDJ+^ERlGnq=6lg$vO}VDA_D535(xH(!cb7
zt2GLLD)hcqX6M89mV86despgv0F=nWW;Kd!OdPr%{i;0~Cmi7&M_a#=-$9^Ld;AMb
zj~{8^`YK^?A{o*?|K_IIjhe|w<q5B#QVhmfn&HfdV9lS17?z=~M@f+bbpgA65R8ss
zj5*WUfl<*=J^hRija?o_P@(P?6~0VoB<>66TdISeb)x)uNOrg#SE_B6&BgE&^>xmB
z2v?{#d6fk=T+*F0OWD~&RNwSWq4LoDtmS5|@?}KZb!OLoT#~*mCo(&_p-kPfs!e0}
z0Nf=ZnCjuVkXAk0rk7zjqmtt9LNcRgJ2yM#o#(%37kVK+>TH`^4<B*=m2~W5G>h=T
zGah_d`(W51C^e%DR8Wlq2AY4D^vCWQu;yW6U*uNoP=Lu<^J!;OLy8IQ3c@xwuky{n
z#+A`o+3c}-kMCqIv8s<}cC#p4k9@9X9iI!Hmor(vc4_zsEE@6gLwmkbIPT*-Yg2)-
zoIdnpd(fYr7rpAC79ow9*7N%_zhd>;heojH^66I?tg!z3*@*LDNfMBDp876ZfAAWA
zdHITjize&i6Sa}_6#je7%<4Z!##DI0!~Vck5l$mfIE9krka(k2ala1gr}16@H6;k%
z+lu(-p7;jV@xUt`QSMD3l$0ZT!bra{B)4<A%HuX>z~Ymo^d#<3h^f$7uWcnmMUtN}
zhH{UcTO>xUhYhxwNUe*Y^bdDv$8WQ1!lR6;(p5n?CUPdvMlV%58!1+_tbu}(+(9=N
zG$~rseEd&Wbz*l^pP9((Y+Mv5E*^_42XEYQjEwnwk<g7mh;<>$d3!uS0r0@}=G9;r
z{&g^D+<7s*$2A!~itnw+G7L)>_MBh7SmrW`NC#h5^JOv2xp~t0NHt?pt|an(>OaX!
z(yZibEKCsO#Pa4cGKLI;t{v<(@A0*f8CttEYL&L7R`I0W=+UG_Y#YeWBicT7vEe2K
z?#`fOp}qbR&TnI$#NL3#cjxWc`kYz#aIXqg!C6|Rz&iG`G2+FBBx{_CS0iU|yng&g
zjv~Akh(9G#!j=OD0sSoI?C{uhD4vH8HE@#q+4*E<!UTp!)H2A9bF)ikWzLq8Rc!>3
zdxEh)-P67zZ>)IEW=|@uj9i`>l`Y3Ml9itc;6_+lT7Wns@#>qIjefXNM%N(pB9kdS
z6H13V+_QF3T4c4*CuII8Lk5b;h5LHuL&J#r{6@2P%d{Tmgne@k8}8O7V+m)+%X3^^
zHI5z8H@r+pDj)GvlEI+Vk5#@{zizdh#agmsi%0`EO0%DEh6<f4wVBt@A{gOO?h=D9
z;6qJ~k@;oI7RzISh``B_)nUJb-<6RID~KJc78_@MRA;Wg6zPHw9v}xwB(ly|`qBoS
z4j7-d@6TDCwm>H?avMOn(3_iDKpc#@kC5vBjjf|);Yp<=%l8N&g^6H`En2*YHJKR4
zrEDRov|OvdyQ<mlDkYdKQ2t}}kYA#{-iEnb*bf6S#5OG(mJ%4Zuur0%6ScS&D~(q7
z=;&mRhQr&{28<LdSzeMQG0-cD^F>S-IX4Q-ffBN!dj;Tb!sA)ri&cjMe!ny=qK$Q?
zT$T5;W230r({VvWs-a>|zcn@o>R+CBy(UX_cFp4y<nEuyEva&46rAS|&a4lVW&9=2
zAkt#c*7KD{v0~A#lfT{~3(=VTx&H@+Q%BY*i}9Y_JdNK9*MalozK2bqOXcU-OkEpA
zO5YUb@0OH~Lsb)CUl=32r~on`xJbE_yT#-bkt*lt!bVW*W0NJ&tryX!#7gE2mL6*`
z8~w#QGj~37-r?!joH5`?^$8W@t#RIhFFv5izqu6M7q}C%w_jx5{4rTco6%=(=v5ee
z6s2K1nF0R^WuubE`<0C&bC7q(UuraZ6M&G8#oV|KIqU2x-41d{(P}5f|7@y_IYOXi
ziH%DK=gn0{VR4T8^tDGJrhaROhOfoo?!OuUk8mQ#EN`<EuyP$EaR_qCE4hB@M>TI0
zJ2^;^JblsQq7Kgpsr9dRev$_dd$>;qh;vcJBj2o6%gTKi7^PXk%F9Ptn|gtX?)R}E
zKlfonvJpyw$umC8|95Sg16I5Gh(^=z5dB+6E{8)hgE-8Ep9}<;`WD=Kh8hybc;S5a
zYaeBHB_>MFrFeuuI2taxYBvihSX9ZEUGmEk>ibS6elONi)=}y!xzJz|=Uokj6uZbi
z1ji5pO6c0E3nnn$8~Cxg3hoGszXLK|egzkldR<M2c)vqoBF!<Ke*V*VwT))AIs1kv
zruCJjTR};u8KhFMTQ5uvMUDDep@ZMtv!k^qV5$F+PbFo1P|DS-<_ksnBaHl%%qOvy
zuK8?nKW?T|Vm)x1lFFb|_RGZ-@CZ09o+=TB#M^p*-nn|Vx?>o!emqy#a+#<qiB`un
zmc5qY$-GlWQ^F*n7|{hjl){Uj!trzxdgRT~bc#Nq)(qpVhqYtYtB|t#^}RoRx8S^A
zZ79+oHo=?(sm`$6!qbbb66W9ahjS+jd7Apy<mOlNEr+Nqt}mH?Zpi}}@MOHcNWV}x
zmB}mC&2|xv&0$ab`86T9{Ms4+tj51;NO#P|^{*{1O-D~V;_9N<g)}+&vtg&_oiSxw
zT1+<(?VU|kVUr(2y{Q$&d_KB@aZaVBO;0u-`au-R!(zKzF*>a$K_~p77YkemR7UQx
zk(_nU-{K5(Mk&bu!cMVDOJKL%VJF*?a!?udpC8TeCsKS7DYT~Mg;7*xl>L(k^2R)o
zzO_>Ek%H9eCyYLCe=vH9FC8Wd799<8yX=*g*v)`rVULsC%VOa1xBnrb94Jn@kb<!h
zgN!0?<@OrgKLzHn?MteS;-;amK2kxQY!RW(<3ZH8U=j4lNjBh-45g2Z$%7!`#Y=C^
zy$|>V%)?Uc4i@=T0iP{Dy@n74t?uS1oxmSQJ2~j%ze||)=#12uizw~gsoD-qGw`gI
z+LY1Gx<}Ez#i{k5ZAgN@L#(AjC8R-mbp!NTaW`_RllX-pzkoON=bFjO>;aqanzmJW
zS#0x;If;C{Gv+y325JP)lBQODE}!X*uO7);6}LRp3XrnYz^7o>cs9y1d8@=c{$p&E
zztpu(7p~sbpBY|pzasn=tIWCg`GbmBaPs6e4+g*XgNjk<?66%n7K&FSx_UQ4B%r;!
z0zxAM7}Bw<q2a%Tj}@Uq>E||aZ(oAMHj&5X0+r*bo+GD*JQy8PLEmTjoZfJbtG)`%
z*PvAxbtaD*)yv{saOyDKb}E@9lsmfv<!s%d5I*;kI1c6z_6)?!A}__$C(;snCIbiD
zF?FFx=AGIm64ua_tGp7&YkSwu59YyF)<Y)jhd*)StWbfqbpEfIBGxSmOVxJrKBPVo
z5Wcw08+SUkh@XfoXtu0B2h-8vC^MXPbM7gPjzJeK^{e`#rhnoq`FH_Ve<X5_Ep6F+
zuh?J)PZ#ywshNGc9x$f6ngl?aUr#@&%kdhw#Lp%d8a^`zfme&q_kKVWaMCVK0xMIp
z+=gO$oLrl4-FnQlm#YI0y)%27o^I>vE%6eX_`ggmG7rU`xX6%kT%v6lrXF~bP(Pv-
zF^U>`My~I;TzxKw%q<)N&v4^a2d?;}O>fvOf06t%W4i(MwJh`Sq;jf;D%I~l1>UMf
zWn+74we9$FB4Bwx7Q`JyV-Ib>mODUv(RXo)rSz0Ifd+E(|A`I%0jT@SGsnhit_S`L
zH}$_<UB8bG)qIT|;Uz;rHUl<2oSHSnoehwne#mL}qceZ85uH{Vg_%9U)V3=!J{+?#
z=ClU)1!jN-E){2Wd{Ku+$F)Q2F%1eVf{4^-X7eG=go*s}Kf;D;47yz4OpKtp_Z4Kq
z&P|zu5Cx6hg;s(J`Z0JyR|%xW#VKyFko~lr`UCW=djy?_#bitb(xmya?-I@5$<zp4
zze@Nf@<?$hz2kEp&erofOCEr^_5c{dgBtGIn;7%>=@K{+(7sx);U2f{?7o5x{oWWl
z*k&C_gJLmefRuq1|GW}2mbuGJNgod2=PKuSo87Q;ba6z8vIE0%L;Tru+|X;2rJ6P3
zvNJl?&c79R8LQIb#@L!}wW&5<okUd^h-;%V@8ieKGA50e-}upGo<f4&{9^up)d9LO
z+cdL?^JP%V?%BAN%)s?^P&B0w!8<JcFF;Dk4TvLFS@h5Vrkh!vCT{dT=rHf-zdqj`
zzjqG^VQ704yQ2p6M5ztHs;O!Hg)@y92dDyWyK}rYwzfYbC|$;N{=%WqF4FK>fYEZo
zALS*3$;hbEP*89eNVf|whoHcn02{^+fJ*7ktN}rvQ{BHd9`uhrg@)5AG~fOvn$Ap9
zMrr=1Meu1#h;1W~csdmVC_*>??bqU{p`Dc`T9zM{Sf-ID4=|`s*(r~`b##)hoKljL
z0cR$Y<<-gdj-{0W@;@&>rN8^N^mr#DHT4YlX3=%x_13opdMy)^N{G8kGZ<S~+0tWg
zp&7DDnWTGaUT1k1-Dv{ilNWk>+4>_4x6X4@JzJC{h#C8Tj6(cZ<k**ZRW&s;wW7xV
z-{u73?7yCaFRz+*#iMrK;7&sGN-cPaK{(OyI?>(58SL(r@>P2(n0M-F^CyMdcTW=1
z0x8zBDBO(+PYn=f-aJ9s@EoOmH&cG81yGyHyt=y7U*kf2EJ>iAU`?kx29cwf#e5dB
zriK->OAAp^bDSG{`J*O9-S+2CiQYXY#8tG$;dwf^%PiL0sVnZ<=)khJ&vDs6{<0P8
z%D;Ne7n_dnD;!?bEqM`J{tic3Spz|ooGt85SE`-^X?O;tFPD5*`uCSQPIaYKRq@cs
z`Dx^Li`%28&U1A#-cj`Pi4#id4h|K$d~W~R8u0#WYvB00i-^6?eENguLwUZ93sxzi
zSd^Np-@`kmQUv$UgTk$)?%#o0Mt74>#f|zkF4O$-h@_LKAcqS+peYB`3*01>fhD^7
z<tOX^72_fZ>%%W=Uh!I~LZ>+SVNp~W;RFsA-M%jV8Rp~U6KE}hxqRly{Zc%cp8LzA
z0<>?3K0Kr#Lkfoy8w>7!4IxAd`}^?wi0hE>zKz-Xem_B^n2^H9rvaI*l{#4)+q+)|
zwOloU3G}zG1Y<<dheeLnSk|VL`I67FfUb^OU)jJ~370WjYQdX!)~8l~M*W2l>xL~a
zRD0a>C*!DZt9<Kbt(v=TG%o(0S6$>dCH%U(d&{!yrsKW9GbE88m)r6Ec&a{MyEf{B
zD~Xb6Ut<0bmGHQF4AZ4xxVso3okyi?SmMaY2;}EDx^>2#q9$h6oTXhvi-v|3J$V9v
zt%326i5E4nl`Qz$+A;#xRPhw><#t)#4(ok1Q9uhG^)=t-Xc+149>=Ep^}M$tai20-
zwM!gVLdgH&9Wo(I5bl_@@147Muwe}QmsAImp3+M!0GVbAOwpp`k3kbpe7`hS+PYsd
zh-5-qA2D!C<2Nxh;sc^T8*m@5xR+Q+PSUU}gJs*f=agqlN*o%NC|Qav{Cb=~I|-;U
zVVOu=D-xOT;B7~qp>F7vgwtgT)O~X(MINncJ013m3fbmlzUS>ze?SsX_*5g$4BVv;
zk<O0%VeW<!t;;WN8M848*{gd@Ce?6y<!^$%Om8t6Z#wm{yn=x;1lQF~F#WOx<Lrb7
zsH2fbWOlKeRM)iu-yrUv;_l<7<osVFAJ5(d`Y%eWc8ktPF8c(}#O0LnZfsa>IS?Ad
z=>K#-FK>E)j4QMqG>o3ks8K(dKF}CKh7UfILVRq`BEVM81R!lZo*SyfPoGxq%+)Yt
zY2S;d4f=g|G)Jr~@}6uYfnLsf5D@wgQ2c>@Jnk4iewwVB`w_`4*j?A%NFCfb+3u>T
zZBM;tzJAN}{0ySint#b7N%%t^X7IVc0+Qk6^EM;L^K)x2Pb2ZY@&KV=FJf&Msz~vH
z@^ZB=90Q4Uohu@J1>PI)ZEC5hb8Ic7%Dg=X78F0>KARk2MSf|%${7|KF-&`{Dp=;A
zhtEav&OV^K0^g_Onw5X^W<9+{L|kIPumgDZ`mO#f=v+!k+XTtDC^qu^_{<vJImU53
zGfnyqgotx+Ija^KcIaB94pk=?=0a@PTA+07qH^KCrDJ&mKi3mD_(Hk(5#3~AZ-Zkz
zU#M`;`pwNqz<iulm`HxbyVRr&-R4TRlQNfWAkHg5q1dy-B{QfY=*_5+d5x|e6#hnA
z9JZ4FVNi%rtY@WS*o1oparrX_oYj>>JL42qb}4EhM70U6?qqOkUia|4$=>|wMMXil
zd2}YQJn2DgeLP|OAbYrBIO_h@nL_Dhh!AR$(iOSkpIzliaaG~``7x~CC^FYT{Y5OR
zkgZcy8ETA+a8{WxBhS&SG}lA)&*Fpg&I6~6xXt4}0TzeRA+?NvMXpaLuWSe$x}+p9
z8N19QOH8?3W&E#LP?GiPs}#vEHf>$9Cc96(t9577<aIB+sroI~NP@M%_$LECfjI3H
zp6ZPl;_IS`Mje!te;l&TPHJ=%S-!n0oD?Y(IFpX5*U-o?+9Qe|yU(`FH`|E$9VRe2
zc}{Uzz);yX+|5CER0B*GUWO$;AfVDDG)N?8)$2s=?C6rXOakx#y$u_ac0fo$8wus~
zHTlT-YkSB(b{MRVaD(DgR)XIpE?3$i?%lDi9L#aW3jPfou8U?(=h_Rw8wgpRN`ws9
zb&W(>denoTCxnIXII~`_Gy(7ZyzGx}mcLb9avP4UHP3XhV`Ip|5Bp-Rm-3u=+<Xcl
zu{doGRKLn6HZw(@BXdN29`a@RuExO6%OP%0Re2B-4YpuB4qkp~Bw*F3QL!At<yVoj
z)orzlQk-s41udNlQXZ?fTH|3s{Ii5=p_YmC@$0Ru`a*p&E>DA!jf&jgi7%(0qePK<
zBZ2LET`{7da-Vb+yQ=kw@54Yi%$WL#c^qcjN7{(`$twyZ(>$BP_e3!q`Wu&|ku19=
zGGtPUV_Tb^P(iHpoAaG`m}DEjTx}W{l|3^s)GfG)tR5ydn<k1B&sK1mzek&~x|EiY
z(KeqbhQXP-OOLqrE=@AFKNfCMbItXI9y_Ijx~6YEY?vz88YP_J=?hF{phbC1;fT+k
z$C#qeRx2E#dkRFeS)r?ooxvPLBc79nwY)}~b*mM%ns&oqXMt<C)=9a@$i-vS_#K6h
z$E_W`OQWp?;=a<xtp^pZI=P!<ZHo3OMQX5Z7ipV$t#gKXQls;+;C&Ts{CNsL-QIFe
zZ|JJQAn){?c_U5}?YeCuUtWsum-_t~@8fnes8d0^K3MpZdzuXd<gKvsm@H#0Xusul
z_sF|CT7IF4YzpYHBFbb2v;pYb-TV+4ycZB692#QyF7fF88-LX%$<Z4JE;&A#$t;3`
zx%Kv+Azi_yk?RXWa%pYZ9k5$6z{zrRt$92pGjJE?&M)F#E6Oy?p<X+yyh_$=$KDQL
zTwc{o!Y+AC9=J>&=0>ejp0(Z#H)CRr&}xF;Zl|hkG(nG_>s*b3y^hHfvm(TuU~WbA
z@Mx#a3s%wJPE?JJrP+Nhv$V3wKf0M8d)ov4VytNtw1)tICEiQ)+!*dXowbMqxST`)
zj<&@Ss2HRH26UW{yp!=UM4gQV%7j}rzY=(>0JlhvtL3go5^w7U89_(e-QSE{u5>m2
zzhB;bgMHH_cU&YJR+a19z?rje1Jerb3C+-R8xuY{ojaV8M7&55V5$755PBLSwaeY-
zB5~YD8Efbg^ov)Jd)dKo)uf}Yh>3)}E#OT#uS@H#GpcZ^^^%Mt(fScHcQj=S-fn+s
z%WwnVjJu}<)+P)&3$~rNTlJq0DZ-m9QQgrxsf_VkHOQkx;uP&l3gr$ViMn#Yi(EhJ
zhw)MrG;LPwgbwgCL*ZY3PH*@K{@03vfE*p5y&>cqRwP+z_Y7zInP)+QU!y%jSLVhJ
zOa_-N_VnxqZ;9Zd;L0ynWbm-l#iry6F~AjL7`rrMBlUH!_Na~)FcrLauX6QlOGxnK
zAMl{oLE4)0UyB1JR-cfIM}c|~?)c5-LW_0D4(oy-nU6P*kmt=4eLicYR?cW?D~<iG
zFPzr`@Eb-re-&M&D6PTY$s}4loXO-mp58be9?aY0s|gRCMa>zuP$Qf*a>yrJu6B>y
ztE<F6Vj<qM@dS)4y^Hn`tZ5uLd|mF?fbYsa)a?~ot=jN_VJWS-W6vYrvLUEcoksto
z+EoAzQR>)(md$3XI`a6S#Xp|UPLEVq+uMg$FI`;Xj{B~=^W!F`KiiOplwCh+dMu|7
ze}_>BKFCUW0CxvjnZRDz>|UBuAH*UHFxXD{aCOW^!K*?3i^5W8#g?fQgw989OWK>Q
z>l8At_G-=ECH`vL%+<O34d5WB2>4%LxOZOs`g8$cKTe2&c|VvJE4=ZS*3l@I*Li&L
zIrk(q3oh;YMJ<-{<&avzjOP9-Y?k$rV~2=a_hW2*2}tmw@QdAg8@KY$@!j?60xlDY
zd|)A#v#fkgOa=r5AF-aa4pXD?wTpQ6Z2QNt;cITTIWU$N!yM*V@1;I)iA<S)rtzcQ
z7kD(=EE2*K|7NxHrUH5=?67qWBK;0ZH0(iZsL3#nB_zW};@p7Iyap#;-QsH0*hF2w
z<|g|6a!;vtR<rCG5*qB+M|5%+5c18xvz_Q2?rB@aJ7*sOW-6IhH|0HhQ~J&{f0HrP
zk9#s|<u&z~2<@2TTeoU@OR^fIrm1<UyK?}6=vAXxq`{Cqq-XZv5w9c)M&Nl#g?*P_
zc>mfh$U^gOe+IL&%<(ic&zbrxpaOkJRUp5jTs`KL2@ny2>Cbn6QhYQgatDlZu?jrc
zEYEewY1#91)%VDt=yCCkZm%)g1Q*@^T_ctJNUOu~Jl{t4-QH>=!0dp4mA1nXW_qrG
zp(sCk;AQ5a9ADtAHHSGzoKfs-IOycn(%Z-?`lLb0hUK})SkC+7#DGqC)3nrPXL=^{
zhv8<5HZ__KMV~y+CgZf~<DU>P^orzRgX_6Ype)7KRx7ACRj!=ROpnz04SBC<(s%d1
z1+)7}qrJ=u@dX(8{!i}Xs$P8?Rv%G2eMFpKnS>GK6>r#(o854-aB%&*qyPe*eUP^q
ziNSm7-dZ8}q_OI)(kzF>rInl%*kC6572$%<GU{UYsGJ<X*@NRNJ^kT(92fhw!G^x4
zO{uiV888-Xd3!(LXJE(LHO>g3*WJW1$s1W!<Y&|0oq&;@;0vJB&($kG*j_iZFmuS>
zbfBqeo}s{MsEv`D8FmTIZX=ZLut`Cxg7_)*LfjHKhI;vP?*Fl4YC<`i(>ZcK$5lSt
zLl~TXl>qWk)1$@W0KzE-Xy1ANsYOuzj(6Z>sak*|aAF_Lw^6X`SJjEn6nwehGiey~
z>u&dEb~Z~btD+y#-(!p4sk$AvxULo=sfLh4pCa%-otDz&Q{q%iq$YnHxC<EES_ECv
zq;@mRzmtjdc$XGqn4@KRdxuNnLXZr^YA|M(^R0a~WGCh0O?+lrSj02_FgegA_RVmp
z<dEuuH9wU7x3jE;vk;Odi(2z8;~$7%8Q`5^{O}r=xIGbyRXxp59b{uyc_%y)Bx^BL
zB}FEDPbegpw!PEDmJ*sE3X8CP@c0|{^|c$$8wgu#1)0;xwMVt!p2|A*3x*QQI@H7X
zG`=LhIQZP<{vaR5X4mqHjK#_X>MqfuAe4JF-QW)cNUV=InfNT)de-B(&8!{b@o2U^
zzRrH5T`Y9TvwKv@q;oWn7BJqJg=#8}2$=f~-kFh6<;T?%2)C3tKXKo<jnwxgkAqej
zQ<{996G0mFl;P)5zaq|#_woV;D{>OQ;gOMkK%C$O`a7P+(?HQZK&wq!egWN4UwV4p
zu}}`SQ~=^f)a<_kR-h{TsnkowKw<k8x5Q#B=Psf>(nQK1xg}50&pj(q2~mH@L9NX)
zv2|NFIoj2GHSqmg=%*ds{FS#Jx-XO?pF<-~*;`VI1f8f#k>-m0kyDnF2ZL7om<L@E
zD$Ea{qu|}Hd5Sm;DY5qYbIqNpj{5myh}Zs)MfaCTZ}+{fX&F)8hdv!asYWGUFJ8!>
zJBnj)G6ueVUX#-@wIKSPC(z7ilE1#W#i7yO-~b*54xGN)I`T$*l(oer!oi|oT*wzo
zekcv1SEpDP^moSh5kB=|*E@IaQml-XPQ(&*O~ZJ}DdE~d)3<!y9J9$cxiJ1crk2lX
zQ9tti7iX0F?jmKadv;~4!tkD_S9$S<fPQW5p<<eJeix*^XxMo*($dlvdpWrOvJkTI
zv!*C($|gE*W9#*|6i;SSE;bF}w33kY&C=Rq+3)Mr!4TN?!YcCmbrUVF2i{rlXK|y5
z5_`Mtlh>OL(QWe+{H<M2flA`g;B50mNcQ$6aB#@e!J%8Xy<mh*6-sNGHNFimEw@l2
zIm3<9(?1>6hw?G133rbj3wu2zFpRQK`yEuByqv`yANy&oaikS`nk|BpQ5L&18hI^o
zuylab-^^sAJvQF%RF6S;!DUm;`-5H6l4I(3jX}XVqxWf%d#j?0SNyY=$KSTeDyn$T
za`w{ex_ZiHZN)4$i|^Mgz2+TUX>NSpvbN~n4$J~QsSqWw&C@UYWgK_aKxW_^mhE$U
z0qdl$g%0GY<1-3<laS#$=Q42T-gW&<bi6T!5$wu2pl_s2_LX^ab5T|~z|zf`9D8>J
zGz-<esfIwl0O7ED0A)r}?Ck38-Rt@S5d6$^CRuNyfwUxj9Y9*VVH;-XTOTFc{XNc=
zvLm9mpdIxAGVp5o+sOK>=xXn7tKxB|F=UwTYBF?1-1|1+k0lnQ`tAdEY*M8T&lv(?
zoAjM*x?%8v7V7A5e%ir%dXJ9ILpJd-I~&_c<!4N@V3UOpXzJheacU|lTFHwab^7u+
z9vvsdrKQd(r|}^FQSgvihHqOh<?g_!2E@IcP!VT)_=~Lc#G@>lqC645>J6nF1L+(u
zZ#pyY4xsUZjOO1+HM(6dkLBk(5*We(CoJfmZ&adQii8dp=#=e_;V@u{DnM7$??x@+
zIp%OW?RCnFZq(VS1Fj{lSFfE)Z8T*D<UWx;r>DQ~G*i`EW7eT7X3TFlthuKodGw9`
zIaqAs$^R8L3-=jzWq^e@3!3WQ3p5)3{p%C=PJyP(pli@7rQcrjtfr}HRV0-5e|Id@
zY~Nk}xJ60p(A5W&YH5+Fu5zpHAuEhWOu&l)VDVK2sjGx81+Wg#Hg~`4+#Ic}(uQ0V
z&@B9IBe7$Mrz{Hkx7$X0Qk}1t=hcY=An_0a>duU;vwRFi$*nTl`}ChJ_e51i1r;8$
zFSP9+xY+9cZDd5w!-MbW_!!+vb9#Q{0c}uznWKf8+TMx_kR|n>`AbH4zQ=B0V1P9E
z=Vi=H{zDv~aw{#KgMzah0etj)<F}z99qL8rm2PS@O6c#r>EHL=$4p^mWngb8FMmiW
z=&T7=3<1(`5J%tE{|4TS6zr9mo^pKI^W+D3e*kJlrS6#&R$$8kTuGw4$aX+<Wc20m
z^4=V6L(1TnPDb2#+Qz2{N+!_vJ<kLqi}w?3676b<T6J4K!y{D+S`JYlkph!Tp9!Pc
zza2J2vj_&zezz!=0seZoLu(GGBo2Hl;nkk(J)lt~$M-n@Zxekt&t;5Jflo=E84;ex
zVbE|M<UReC_}38kPqT_CfvGgh=_nFID@px>Df;$E$Y4Nz4Hi6l6YjVZeN_HRkqAq+
z_~dlmu=^Ubif~(*`W;v&CPQDZkjA?_;oifKY;#e%DdixM(kg$$c%8WBA={2r5ZGVT
z4n=ADVp)vRX&RNvZSm21%~Iyh+x{wl+;|<=?oiIbNqdmi+cq0oB$|%(iuidUlUk;i
zy3~R0&Q6#H5TY)GIys7#<jLI`NbV%^+w8}uCjCIkYmITXJ6~iWM>GI2c@y1`;@3;_
z*jYlg;g)obp?p(XWQHr0x@4yfyii=Y&N5;gHowhRMbOXAc^3v8o;78`6p2Y{is>6U
zTo22vM(=K>iZBVvGv8Sf&^j*iG$h&Gh{eq4U63b@`s$7QQyMc*YWe*T63?FVVwxF!
zmqA^yJ=S2=`Y&d^GjiKoa9Y+n#z_d;L09-lNkv6gPA)uzMA#0^%=C89W8tcleJLNy
z_=y`+3EP{6edakwT2)U<|6z5*?SwtIOvs3`KnU3Xo=0g`MzB%3kQhxrJNO_alK#S>
z+&J#3&BdVg)V2%((PCE2g*75*$sWHHbQZ=yTyf~6l^cH_RVWs%a;ZdKp6_rkQTrtS
zEHUx@`*uEIQce`tT}4H{nJBdDvHbXN-<tM_3+LgM7FMH&P?l}Y=I)2<*yP`Mi=vH;
z6uG$@>=$fpONxT3>EG2)pA-gFOUxM>8@nX?LKt6XyumB`c#|wZErPwy((r({vhH@z
zdaA_UXu&?YO4V~o*~-N0*-!w{N|u<=d!s~sBHa`pYWw?6jE0n3?c|BLJj~2@*X8co
zi73O0o0uy|yGYkRDCB?o>pR?0{96{@G-$rdZM=|Vsz(%Ogr{n($TRj>SXbtoHa|v2
z^pu|oQ*qZSv6Hvs2ya)xi8n`!0SQ+>lKs=$Y|N{!x84`l(0B8f3}ji(l`~vMxwUBv
zgS>TTlwk5y7ITMA3&JCXmjtA9jS3bD4jyd3v<L;M|2D_T!TzTVtDBPimXlB{X;<Ea
zWS_&PB#pB6^kH>SHD~LFAI7*~p^+TIuN<=S7BGZYQmdTW+`RCZ7mZJV@>BP|GD&gy
zBew7z>|o5NdE-%q<*hzngr!%~(TL@XzQM{ntkDm#_H>)!PCm**l9Da+8&{O3ag+!4
z9Xs3S-52x<(kd+?8Ioe3@e~MkxqsXydcPDs+LKUVE_x<K?X8ZS)t~r2LQ&;^!gV7`
z>?M{X;%QkE;2|S9Q4N;B*}kLLpkQ)Zwf9hw>pY##K_B13#v(#nFS?-}V{MohaXn?L
zuTLd?dT@`!#36a$pY%Dp^7J^I9Buq8%zveQfEeI^Y8~R!8G<>LR`ul*<rkAQ0S}-=
zS$A5;*&J?SFC%*14X!));Oyl!5wLAJ<WI|O0fVL6Pw>Dwwc0M*;U*8Zraa&2<g3Hh
zi(q^`RsK){-|I0h=eXq-a5i+rtoDc9d@Ba+QrbsOlWE?J>P1f?(*RL}VRxv3dRGpr
z!g5|&Jf1dksdiMZ<3-Egug1*$|2U1w!xCTl_)0_x%$5{x6<`{+n-l(}+Tci=yi2U=
z{!7;bZ|&^jDFQd%W32}uGy)hi{Qu3~zFPX5lSSVTz*epUFn<2|75MpoIu!j|4n+T(
zrRqNzAM_1g_xH>Ecej6bD&%_BX8AakBO{Vy)qkdw(XgTX&Hz-)Dls}t4(5@z1s6AZ
z@}OB=g|y&VC;PM=)Whsv+K7X_QMx^cX9BUl$6eC!fJ^k}a+=wKD|4`q187oU`|{zh
zPvu{H%axX}JYk8OB3Jr5Dq_(3(Yhg5+^ouJx}qI!afHwhvgZ_0zsDEb(#3r5rq;~%
z{XM{cU*TRNujfze;V+_9hV@_047+sVkTeiB<lA-%D*jyB%8L6t>{_;zB&4iL*yZf(
zXRX5%vy6t9_huqJOJ3$X-r%x*qgW<G^3M4bXc_9Ilq*m>+Q89g__6nMtt2Kj(Xu>W
zHg9j($W!1i>F9=0Mi^u|ANq|-s3|^B{r5>tH-KaMCL801Xx*^m+B>~ou)<tI%&bS6
zI?5pP?yCyr?C^;cfo~S^_fOB-t*e5px)|>`WckX^D|h~&@J`-=Z=g(59q5nq@KJ>%
zo|k-Fv;t?|_0{$vG3M$s;v56Dy@M@pMK<^bXN?<Pm_g?omPZjtO#^3_civr9>p#a!
z`I5X_s@{OwZrgF=YT5|seS4zXRsyvNkCSv)x~nJ%ISp}`l>S~gbrTa4np#=~7ML|<
zyzl<8f$KDe$O8+Rf|B*<keNf6YF2o1W)fM*v|f5jUR=;>g8m<JA1tC(hoajXR8f1o
zaZl6>QDK7~(jf~!N;x?>SkV;Cvm~D<wdAe1?0J{$GnA`mur=$MD%Gh<2km$Pe{tAm
zHcVm2;xj_-R58o_`Di8g%L*I{uFtyzB4kq!w)j~dBr$6U(inZ1@1RC$Q1DB&(IRa9
z0|C{0@+nE`dK56A@+_Nj3yeIYGC|=jb0*a{?7qlmn>kK=Zj_YZ10h4$N-L8x<w+5V
zY_t!cxG6r}2Fwp&rh&$#EIwPz4xR1GsqS;A?(`URwLo+UhX#AM<5E|{Th_f3z}?Cu
z%6cN?2xJ2R-34EgFXcM)*%Mp#yzfXmvzi_ztNp@b-ux?-&fhck0qJ>6BmISs%YOg-
zQ{5LL@%K7p(fo^bAe3~7p9Uyc<w+{?j-7{Z({tWyH}0IZ;}nk=f5^zG(n;}2`a8fF
zBB2Bxq@|k-`JLYq`VE?I!NjvA^h3)tg*JCH$zw}cIE4nq^l(~;YbymA3@9cM4L7=h
zi6I7)qc8PEHO(Qjl@KypSdjDaS(@$A6zWNQa-lpK;;`LT0;1_WEZ$2s&je=W*SW{%
zvEcDW^5cP0R{UGLzu*01xrgXGzg(r<u!Z7m5FsWduM{kvNS3Ud$mm#!$nvT!THt7E
z&PjKXKT7nBPtc5Pu<oJD6!f-rQ#B7i<u+Uhosuxfk_h8=n=&JO3r#j+HMcOrTjLl<
z+93sU&}XAu4BJ5yjp^+NIt#ral)ShDG#sSK4cr%5TVLO<2j)O~1vnFM70Y?=rB6E;
zaCQZs0yUh(m*hRi-=GKak_gglllc3@J$v@4CEVI_#vAr_u3T_srA@pH!BnH^fKE$`
zTEAf+Q-yxB_KbK;#sh#veZ3*n(+fBlexvb;`8Gg59yB@7)OX1{fDL%6jU$YV-(KuG
zkQG^ghF{pg4f2};y+7|6Ij{~s@!%=@Z1!VDzgbwK=g!95T3Ar=EXgW8|7u+q!_#L{
zT~toqZt67EVu9`$e~PIUd~+uKiUR6LVGSEigUL;pa(fw>A-Ld-O9F}xdg`UB-b{sq
ziN8p_529)DC*8sGwrM{LB5A&ig`Dws-kc!<%12syZorG~aO&1QC?YzraC~X04si4U
zL?Nv%SIR_tuCLd-em9VNNPR<yXQa#;FgER}0rQ1%odd*-`;jEKge7}!;7Y2rHPUf1
z_Ob(siKt+9bmE>~cd93CG&%3yn|jjv?zmw{%akfEyO>TmV3Txo-P!`Gaxf=2+U54Z
z%&vN4Pu$`U`dxu-#}K?1EcPRR?N|S&L*Sb$fI{^N@7@9&a}bctU}M=H1+YhP4Gnza
z0F*P}p&LML2CaQd@B=`xr}6(HO6WLQ=D*WPv5>zl9)V*ju{2;Pfcy9~N!{XOuVMeP
z<I&^TUA+|=AcySIc_=TA+HKrg>FJ>$B_RpdDw4NCo$c*3i}AUfY<<5X;c;0Mz6QwD
zU)6+`-qT3T%@P1(UQ2Q!#w^v~S~ecYP-574_U{U1N&u7iv3Sr051KFq^dhTJch=U{
zj*pLj10>iBYDPU*4-@rRC!+v2NVyNwr%#{sruQ4|#~?p}y{AT!yJMTzx6}8gWPQ4H
znmrtu-7o#57m7_AiH2}ac+jV(kOv2%rc_aQHl?Fc@y3Sd_Hr!r*8{1GyFeGCqDYKb
z^gS<1TInhVI{kY(>2}n=ESDB5LEO#(KKen=pKh98c>vM+XOf0wFL&sriUfo3UwZ@x
z7GutTNO?<2kr<4tzkbyLNagFz&|7Bx8q<o%t4*Nug-(~Zh3AMsfTG(!g=S#ci2Rn%
zaKG^Hrzdu?+S`J?05H%1I?+Zvv$*;j(BWjqfMDYGudjyP5)cd_eN>G_ROk=$ciS-!
z1Kb^D0szyz4_NI^Ibn-S-d?O;?74;_r?Q|;BCKEyW%-hAz!|f10Qh&NEdH}60CGU@
znhFAeih#+~)YK1VsY~oqjlBPdviA;$EBv~K36c;Zksyc?(V|8VqNVBG=rw9EYK&eY
zL4@eNixOsxHq7WH5~35`XhHNL+9;!ZXXN)h-}8R&d%f57P5u$Xaps)+?0c`Z_g*U+
zuZYh57^r3f)*DLH6^(#?>OrEMr)SLx&m;iX|MMC-Bc=wF0??I}l_yDkc%!C}m=qKD
zi1qKw5uDkYbV-0Q*fs3-T=~~4zK2`zb0cAHAXzBhYuFePH9&NDKlM!k1o!c;rR+Jz
znY+}~Yj!uOf}QN`2g{xClJwJoIL!JnW#C^Td{2tB_-95bnjk=Pf1f7<XkJ<XoE3-5
zPuua67m|8QZ{H?FrQKM0C}q}Cji0llt;|zyak86f&d+FI`a!>#e>z$>*Ph_}ubau!
z)N&&LovJR2m^oGS#NeG101Kp%=kEZIhWX#&%pE{yOk8$$*_C9f+^3Mu)a)zVM@NX9
zGjdr#ryc`p%}7uG3+Q(jubks^ETF&(^y=XUcW5e{e>iN8yq_}mqEx2gHIBG;(h^=b
zXQg-<;)<nWbC*WPdq>Mp4?8(?w1dvdo}W$H<xDaI3T51Y@US4DP$oTgJ9ZkFM1@wJ
zWo`Q_)bP~3{z1mZ!LeQv45+SCSDUl|mB7Gvmm*<}bO}jeC-E`uG?#P@u)bT5vL3Ci
zx14XZ=mrDQy8`-IlZ`ta3={R9KxZajTFe5V?ysLUqbM+gns&bd2$BBXYS>;VOfkE3
ziYOulbXo91ci(OQ$)PE6ky#}dSQN4SN5!!|0jW24vmTWO5ZGEI4}sHm7|lmkv-<!W
z!xT~cLXSYpcdr(l=_%eQ#Ww&@Wd5RGZnoY8++>VpZ?#jfVZ5bR;KdUW-JlY4d|n1H
z8?<jVwI!S5au@N|UC=i`ch(ACN{eZO1%$W&{7S3<p=oZeI>7bpzHFdL4A3w}mbaAl
zQv;@8sFdo9dXV(sk+idUMF2kyUhnWS+xvG=-&rPU-|Ft<L?oNv{@<rCzzJa?PJu}t
z*iitU1#~L`NSH_1RD_zpa5+gk->C>(yV9E_MT-_Nc%K9WjDLz`tlPjtqMjy1LMgp}
z3+Xaf=KG6DHt;Ea6C4dIfZ;9oY90XnJc@dSrvZR-)L^+e(2M}Yx9h7w=SPg8Tf;+t
z!<pdPb9l?Oe`~Mqj;p3S;BLshp#`;3k&1U|IYUB|0{}CGQy?1Y#V}tSb#faVck`6b
z114Mwfd2LR>N21i{v8PEg5G~Ec+HzlY&3z-Sz{_>Yu3g4Piyi^KPwRRf${H1ymD^v
zQi%>STOW{T<-tEi+<yV9hO6ZCBG>8Y=m38Z*}$Dh^LgXB6B@j=O;J*IZ3?ep2oSe_
zOU)fe(*x<_h!|+%?*dt=LEnELpXHwytVfF?I_{TP0bMM)9?&!h=p$lAjJ;ScU0#6w
z=en927<Yfw;Z@YVchY{?RsG+iaXrX}4Xx6;f0--93lL-h{=h+DVPPKNInY98(wY{p
zt=0f1RMOJcrh0p+^~l<rFxL)CI`+2shbE<C@j1fBpH0ES><|B`G2$hJJaPXSNnF?a
zmi<4BXGdu8QTevkpmXi-t7lRFemCgyd;eCQ*8jzF_McDfh>~=a@%UDI6J@}S)B~z5
z(d@YsQ)%e?LYZm`mGN_;#m_5?In&{V<t-m{(Z$G~v<Us6x1z~6iET|FH9P(sTZ8$m
z`d5-?>u$v?t)@5|p#DUY+}K&qnoPB1xU`fqy>*G_*`omUl^>CeG2aAziM3D*Qb!8-
z>vNYBze9Xc7w}nr_TP9&|6R3VsD()tjHj*gYVLBYaBKbhVtK}B%wWEx!Jl{ea_w68
z#j=@Y%<N7*ZY3eLz+MGppF5Dr43S5FV+FUTxD(g4veG<_m1D-QczPZUid_;e^|}9H
zrKOVU>wWQ8OY#|>fi7KCO12K{<8G|Y>lS12;h^c)csBHDbm9%eudV;(_BI2JqJM$)
zx~d<yWSojS321$|&H86<*{YTv$xz<ceAjr?<H2Z4pIewItYWha_nGsgiCrO1)~0~|
zoPK$6N~^UQ)V_1d?3AEFjrpNN<s@L#hen0i@a)I|`k$9Nrq_^Z*2-q@&oBIM%W{pq
zH&GN_!*z15>(>AtEg1$7-E34~c{-$3&jhubyW_ycbgaeE?A=U;aLEcbNXv!XU<!nO
zr+Ql5_i!Lny1U}Ui{Wo|z-&iY|0B7g;V1YVaXsq4p;R=UlO9>a@WSQ%vHqquQb6lY
z?<@b8Zzit9-z}kvy>QW=pJ<`%teWi6909bKRB#DXN1U9mH=O7=V?Yz)4$XyX%8N~t
z3Y80Uvhtq=PZt(@Di($%$#eczfcL#F-u=*tUJyMyr_Q<gy(Z5|ysC-3w`075aQtlR
z<$<?1PplW11uSlx`*+N`6try~(-d*%uc#l$jWM>=*d^z}lV85GS7K4?tdTs3D8o_s
zF-}Oh7?1)4+&m~QSJW}a<TEwT7$KrSy6gB-^$126&(`JC3v7df1letN?4FABvGA}+
zxR;?Ypm#H7D)-ALI`>aA%H<cR%xm%ewQQ{c)kV%Ik!6f`&>y1h*XAZ-9DTotPXC2S
z2EbEK_C8-5<t%JiAea)h_0sCKP}RQU92?>nxd_vDTAS9~2a*-3!c0C9HU{u2?in-=
znU-W2UW0SEEftKX3Ru5vT~0EupLX1Ry|dsyQW`JDKAtDzCqpBU8DTA*{u91^PNXuv
zg^(@qMFus8?zgr6J&r!)uhAolv5)Voy;Xj$DBJ5W@!;|EkOb3$02TZ_bhv!NwK!9v
z(vII03;0|^a<F^7KKSHW{BfW|1pD@RcCRn#VSkE~0^$Vg+K5z%*-JQRLWZX$(ba7k
zxKiv^kWglf!gA(9UP+h1brnSM7xhKpKThn!5u1wHQYvpj9+PPO90ThiZ<A-xAv2-1
z@)R_LGUtLaYW#V~0{}G`UZ$JDu9b%lS;2+l$o|B)x}Di?)^2rD{_q1aB&bYPX8mkn
zGPO#aq{rt#mom&*KyNm%=(<3b?U5Urabh<jX;m`fJFN7cD(f{B3v)(H8+hH3nP6x9
zy}CZ`5&eZLShcJBnmafPJpprJh`GML%Ha`R_zAh={le?j-hMrweJ|Hwd%65Yz?f>6
zB(ER%#^ZB(^id?V!q*Ybv=a0FsBL>}@#AseL2885{)DEtJI?t)+|$1HVIBT6-*xyO
zbjiU#6-7K<LKkuS;VX-QZ0Qq_x93uo3lLo!ce{B`sI{bc48oEqm-2T<>yBm<eDC4I
ztmnt-Y7t#s-BtZ}mju`C+b?SYYOn69<Gss#WnJhWUG?QUib;jG_s4YIKR(Qp`u|s?
z#-A{7%KsNf@zMWSB{if9T3vOn`$N;4DKU((Iz8Iqdh|%%!vhf*9+aMbB_kV{iiY8N
zlUHAYF3yYbUEtqf4^yNen+AZf&+`^C6mPF_6~VEfUuBb}5Y3DXZQ8+0F8Hr}DNXk_
z)@d2>I|nZd71L0}H+HQmyl{b;Ba3J@N2X-np9(<D#6ES?KwUF~Z!bLoI?hK&66xG|
zWIJFpQHH+U53-amt2rA7u+|!&_NA_VlZ=cEkhi}Y6O*1!KMg^HPZ)vE*+!>RdoPl9
zqw`yu;#hl$Ur#!UIFig;<TAN<nGT^)zIpGl+?gkBln68Ka9iQ^>o4iiK&EpK&ztJ`
zlj^|@-cfg0nFfe0(?$<jm260crAy{ESCJJ%Ur4WOdZ@;%TY!=d<V-(ThIJTC=?T@U
zzVeD5y=QDhiMEwWzH<{(Z;HR(Bk&jh^d_0yZK*MM$l$B!c&@sr4w%BN<pJ*lYLZ{~
z5z%5-LnG}7H}otH)TO!pdlPwltp@dfUP_>)Sci@q?o|6ck-Iep=e{Li|5tQ+%@wmu
zx*qf#qv;6c$|{aInVkBCByY>6hr}z5QSPOt=aR|?JVAHy8TanHFX1#6YrfKt*$U{f
zSDuK?`OFw4shL*tUqj>KKaE{M*gZ7;Ozsa9Dgij+r}$r0klJ7&cD&c3->spU_jED9
zClFlMvQit@HuTt0w1Lk!!vKQOpxIwyEEydVv1=l2h6){re(KRoiG6n;Cm0`<8AUvj
zL@gzB@ypIiUONsGfM@(AD#nQi(!)t44h&!`4OLH=5VX`U<Pe0CEQT#(m3@FKVUMps
z$`$uG87XE_9`NFL@>eTtBd>HA{_MEkp59be4i^m#4aGZhFEY#>T?NdN_N9RLzFBfA
z^DM+k_i35>ss83ISX+7F41z0Y`CJj|Ew*;QDMZz+W!?2bm+ph)#|Y@_#8GyZM?bJa
zJUonl92wi1p}@lRB6B}MUS_=v3%p&WYd-~%R`9x6^?0q=?Z(-y#PR?_TfxNSWTG`g
z3xi7p^Q><>w_wupvn~R=k9SW8^otKJPsVCx9WSeAv%Sgz8}WvtryuUVxZ+GoC&Aqy
zD8Wg@b^g;%^pAH^U<Obg>Ebd8VOQx5H=L=nV(<ABTJ>3JG!Uq90{Pl%jU&Db<HhgF
zJ1|d9@m&Mcq)$gD^pIBh*`(z4%~vJ$6p7S0nb*2sC5?`a5WdyNuGaS;cSmolaTT&X
zco4<7hJOsS4%_fFg(n|0A%i@z3Gq%|Nn83w#$+r!Y2o3h?$Ukh5n3M#E)LpWt<f(k
zAZ{D#Pd)3gGJa+mP*D{HaiG@xz3PfI%U#`E(Q6)?pUsUx@~@NE41M7VH!AFrs8e-g
zPnWL{u`}24e8(t^(R+X;BEsLUkJEn}4l#gT_*du&^668ztXBZ8fp8QWp~Rb)H*Wq%
z4rUmK{Qlry2?O-b({j@j{T&dCNm9`msXqiuk@oWals}vL<LVHm<vRx<n@B>fhfaA2
zjGez}nMENU50psOdCtHWqki)^#>!svM*qSg_c$aDpKPT7I5&Oc)t9{02fWuYVVBpF
z_>JQ>8bhCWmns$Le;F+|f|ZwdCi5BZ^IYKBijhjzM_hD3rny-Fh*Ofj<R?_1PV6lw
z<@%{;)FxEw&%&Hk-v8q;d*qU&FYbBcs97}wH~@@|O%Ww+F|`q2DpgPM(~)?%pRUh`
zooWT!@Qhnf5M8naOV^N>Dfvv4u1+$r?peMDg6BsQy51ic)LZcXx2n7Ujp7q5KwVS>
zT?9%O)Br}hCz-ZrB$(T;3T_aP0if&36XfOi(`DYkRti=QduD3Nh=*VzA|k5~+VI5@
zK&_Q)E$TA20FpU%*5-T$eIOc9{?9T$K1Trh0~Vy}FFlFz|7ETE--{%d-v>}8&t+w$
zI00YhR;egvp;P2<WnDZ59!@AvPkK1J3QZewGBRpqFDm}}ZRWlHbkz5IwtmI#F}EB{
zn=q$XUcl54I1Jh4&i;mNz~tkPNLswEhlOP{LYnNiE!CI)=OOlyWVa+NWix(_r&t{W
zwG!j9e>jok-|R2(Wktj!LZ}vl2CF_;wi~ya!I!?Dj)4j+$G)ZArX9@Fl=|O7c=vxr
z>~SJb(N{_z6#e=e9$vP709WVxe+t)!>j3zF1qSosS(@-_F<?XjaMWvE5rOHKcL0rR
z2eI=bqjct60L$DiBAWGUU@FI2ULEFt8|HN>gWp<D-QgjvO~SkKFyD#VY+AGMS|6aH
zPRC_@z}hR10RtT@6M$u0Ahj7|-6mdvw!CroQy{fr0n`nsBsYGRFo;da4NEFFjUHDS
z)p@Ubk^TAY8MMrs-ORv6!h+4%4Jo0QXocAwf8dhB-FhSbQ^j;<nl7_>><3n9nL!_P
zC+v8s6(BgHZE%Gabb2zely{{+kf@Aryvwsnh7XI8reNF?y@beU_~f+X@=vpRG`o3j
z6avqUi*t~vAh4$}MYB&V=Xn+89h@6PPClmHZoFiBxkfIrz;7||cY#1VWjsmvN?SXg
zjN8}uBOrl4fO)c430NPBT?3YXv0up)3!&24mn3VpALIF@-^op*<bR(!eP_5}7X($I
zRel;;-0<f!k52mGsW>1Gd!Z8SD7Fx(4|VHFDSz1{2yZfcMtZY9T46`o*z?aHo=B~)
z3dhS<vsA%|ezf<*dq2>|P6&Cz$q-fI@M6j}s@ToP9T1zODU=fOK>!562}M>&vdwPX
z_?M>-t_@>c#t6GkY5*cRS?R=ynk&hz|I(}QBWv88yi!-Z|7K<9U%)`CUX79z50FE%
z;hzp)XDQW{UHPbCqxc1#(3-8D0^{a?Zu*Q$d+8;xjc7)pFlm8>M~YVr4Ut?1WBd1W
zkHEDYS5AI(Hi7|btl{X+6+poIv6pj$wUV#ir*U{mL}4M9!qZb(iVe+101+gAsh)Pf
zX{V;3{!C)bS0#Yg+>vri5`*`UWBsJ)1V}A^tPl3K9>|F)U^UK&hk0>46g5MMD$W?0
z8dm0?ly^THkuOgK1lpG@-fbxvG1*dYi|t8lYd1Dm-TP^n+v$~+oeOXB5UA8OcY#?;
z<W1fLf<GXq|Lt-Ua0eBaTw7Pslc*7X1gdugR1jP;p$Z!c#q<yMMO_f-$Q=X2`!SQI
zERP>yB>U9`I*o8*<u8jR*YvW6FE^9_J`UF-n1VkxDYeAWmt&w;!6<-kvrm<(E*|=W
zR3cSpzS()FGF_6*dTCXR6o}KNE5bV^Tb;O66c36}e2q`?0g?Rp-{fd#pp&WFhQwDc
z6_EZzEZ6*l2ebyZ4#76`Q2;J@FZwD?`oC}i2Ks;YNV)M|Fx22_5Y6tM@NJjIsDWPb
zY?b*P;my)3>P!>S0fMyi3z1(-eoqE?S&c?A@HSzQE&o;SBP)+K!2()$l~$cM&$z1!
ztkqskmArPE3(}^ngg$$tB`vgK_I@&f)2b@4V3ambH@f7E`eRpCsG+d6w@~-k*0Z_Z
z=3*{xP-oKN&g=@@x7h44TE^d<L$lGHTFh8~Zz)jsJHB2>=UXo_vSEX>nc(#gctx+d
z^WfZNCQ!NpUJ$-X;*cS9Cs^ja`$)abk4=z`zk87IFI$t3k^2z#6zau^+!vYLv(aaq
z8n1(1lDpgWeIuvKF$t?_IAKM&kbKh3D`4rFc!jP;7D{Z(dfBXVC8S!`{j3~Np^$Tq
zwhB64L`0Psyges)A)Xjo(Tm@i>&uRgyhp~bnde^`6|dk;XUd{Sy#cO6`~TBz*C^>e
zDL(B=WajgS`V4v_VYU`DFqoA`>qPd+Iz=Wnrdxky!B1n|5}yPwX&D*Ob6+;nRi239
zw_Hyv5(6aQt?-xy-x=^<phQa?`M)5X&^vhJUM)?705l!UMaOPrW5@(gy!>nuo<kSq
z+`cXGUj+#KL$a>>4=3Tj#+UW+wFxq^e^rY0sM1lCp>)j0kE*BsEUZBl|4svcDz`nk
z{|`7SYoxu_6C*Q?8$<;g3j8)(JciGW=GRwU;%(>lX+yd7=jf=Fi&k$yYtY?xVU*eQ
zb0N_?x)f9J(;NURa&ZzNcD?~LR-So%y;a+@#ikCcHcjb*fD+GxDw(CQ&F7N}zCnH|
z!G&J@-ycex6yE0q^Ka*QzewJ;mBB7{dN;ZnhA^$ai}8%}kyw7vvv23uE|=7@c&gp$
z%Fs^>sLsue@BVdF_lgb1)~KZUtho0=7?2nwqYBca*RBpw*k-w`dk+7{oZ;2)d(y2x
z0M(_AqtMi}(rdT0?9<vl8*{RVxn0@vqMh$bi})5LRC+!WS?l~qUOIMKTi!xJv!jK;
zlAw{qEjrmEZZjXX5$gqyA+YNAUb4J#Zd7WHLVVSy->@k~uM0`D7<6C<#G-%HY>%!H
zV)`!RCKwSM1VHQXo3na&V{%$u`6Xe%rTxLl+>2l(7;q&gd4Jgt@&E4KF0XvZ$!G;$
z>8X)UP#Ae>hgea_^}VwT_PnO`Uh+OVPr=hhDw-bcd-u;qa5s^{yRiHxr3y8Zaoi&G
ze+-;^vF*=2<-pX+2VB(i^`2Lv8_!soW{n~{;4bs^b4?L89o2fmVfVz>Z2X?nIIZnE
zpyn+}@6pACqptX%!Xy&l-U3(-j)y8OZ&#u-$v4mJNM%OKpD(fmvY^j&i&r)tTlw26
z5(VW6-(CDh&s(_FUK_{|4q9}RK(1?=I+_4}p@5}t-UJR<;3VvsO)e^7OV!=9mA+qz
zneoW(-oSxkd+N7P#j~TAPOYlEnK|#OKplJB(n6{eI7q=U&2n=f^WUEhipQwqdu3sm
z4o8H*54{7E4uO~5==Ms_Z!#uQ%3-5<t8*Tewpr<NpwDJcf5ed>Tt;1=UR*o-_V`?B
zFW{zV4uAW_Q-Yj5Jy69;%!okgUNZOE9k<QlcR$6GP50KgH@mZAPM@S4;<PV4kgk1V
z`W8~SanL$;W!)51b+SwV3qlbVrkH*%XY{=z>zW|JIjXtMTrv7cMO)~TEprf2WM;_Y
zco2l*<YMn7+W+mK@R%4Cm+^LLIDJY~O$$2GO_p1(h&;g}`=)(~&CNN-Aif@+UIJ`0
zd<CA8l)^O-YVGb^K?1XGaF04<VvfOeqB&xNVV<U=rw320+9pmLRUYdleXf-2J3iA6
z)h<W0y~%9c{=$v(HSU?9QS=Bb_spP<v02`gkrLl1E9(1Bi?yk*NNKWZG}|7<32Chs
z^%^k}@$b2EYitBUexKL6%`jgbch|CR=*XXX<9ASjI%IW><`+*ntnWv=kxzQlyD)i_
z0R@vGs6Y8~#VA+BK&Q_ne`iIw`<|}tr-pzMZ^?d>el4k$sslaS<r7|UnVh~iCOx{|
zCN3!+J!{hk-6md(C*qycVk?JN8_G??(LNH%#%@#mJw7D^Zw#Ut(3Li(UciLv*1a1f
zSfHut+ydX?I`Rhujtwpd{N2$%`kV5Zwq0!SX;8zJ&hvmL$$d=G<B-qaYcym^J15C=
zS}19m&5Jr2hUZE<0WQtp=^rjL;jo@s8yJLPcxuW`q|;nVIV4jkknR(Glx2h7?;s}c
z4zbyJw^=Ih%)fQuW~`4fI`n?TDd9Hsx022>Y`&;5Xe4Rw*P_%%>yZaUp|a@_<rJ<S
z&$nK#?HGN(`B$%RsJ3g&Fg0G#duDsg%H`ENl~F}QB=NKTqwl0g=@|}H>sMtgBfDip
zh{%QcGa?%64}52LT}d78^=Qkp(jA`CSe&XVh_1hzJfatyn1fZ(!AG+|t`7(^Mtvul
zq6yv+zao2V53^3{u041nbWR^L>c{?YC@yRLWLCU_?v86q(~P`}O%dW2$kUY6Hg&l6
zDqFywLEi+|#WM|?<@WIHrjl7sIuxOBH|~7LGaBrR4rrRAOZlu|JE<p*&iL3UL6w?t
z*l=ILc{xj>Q@e2X2~Dy=Cj;f)Jp|~v7&fj_iK<bk6Lph@;>UPYLcpG+cpHz^g_4E(
zET>I^Pu${@20%SF*=oW-J!IqfHm^%(8sCO<thKD)0<4$3vO~}%+q?|@Cy98qbVcvh
z=z#D_>NxqNI9)0@*^mKS<8!K<<Ux8peevw3V!d;UNS=kQq6)~*%Jg;LUYCK!O0c!X
z_+8d7iukE@VD~Y^=}A=GKsirRkTZSKMXNBVunY;F8>dRyu>oE|@^&ElbJr3b3)j;R
zaUFiL<BK@}Gu@HZV7^ClxOm*Kr9Y4;>mMC(@8etH`A3FHK|_lSGHp`Ho2o5v^G_rm
zE53d4<e7YfHTAqiX>{(0?Pg44DPctYdhUBDS((z{AdRY$+{JezUFIRe0wc$a(2lC5
z4*w&~uk$}<QGK~n^8Q+5k_JL(az$i!y0EpiZy61k7iTG)>$=aP?09D=C>B#lOd4oG
z${SGYDL{`I&AL;u|Akz{d1hW_Lfo}jaE68#)pEgd&MlvIUnQIa3RVY_*HDA);(lJt
z6AmNT(U|3=qw!!ds(nsqPYvpAYmtf04bv4ad%32!a#m9N2vNF|cRk+6if6mY1=pRZ
z(z^LOV#0WnUy;r5%`y(&8CNI3M>w%S(Xq2tZ<^iRts#-t5r~eg*@{l7I>53N?YY^)
zwwk7x_JyKDgRUaVXa2fnc2SavQIQX?oVF5^3l;ImuG^&<MpLg~cKc~=9lAOnce(Wy
zw@(Eu$2_#08fThFr>=0)-_fIfTqDq9Kzp#*S-Lsa*&vI*i|QXP!SuS!!qwLmf!tVd
z<<)BfKdOAh^R!!Z!608(gAnI@j`htB7fWr(6$j<nnihTU43zGfS^b!Q>S&Kt_*eb1
zPP49NowS$H(M$!(`NU%#)D2xX6Oi0@r~ulYr^7F10>J^s=uc&j)!by0eAG^hCCKCx
z?t3E<aVIu~P-IJL!a*i}lC5pz8RO|5XM6AMzttpGn^{8!FcpTy6HebZ2(V_=)~%mA
z=X#?u>=yY|h22Ki)Zt*?`b9+VsaCj+M$^0XNb9pqG-5v!yxN_tMJqTpC>S%2J$y@(
zasSXE=;}049p60~S6n9d_0=bVqwRnPCWDVe|I#%Q>Yofx?w)N#S&cju;N9LCwapur
zD3P4mq1L?_gPj@A?xGZrmv)#-k*yNrv)udb$50{BR$DX*N7>nPpPT3andR+&1Oo1Q
zu1;#fUg>CIOXyn_5gpIR@8fFqNT^d-nRDiCR7Sxr1#o4BQ5T=mZ!*$lI<W*1#B92@
zw>L+t`nW%vFV&KsFv8n!cSU!1ea~Gq-XRfk3zuM)Ce<DMCGVMf=Q`<DiNp6Tm{5At
zY5FK*00~E5a41yl2IG^&a2;xGV+AU+G<k)Mc2iM}EIylZGj0>%ZZ?*@9Bwe5@XM*M
z8KjLI8@3cQK0RV@lY-w`4K;`8{AL}UpCS2r_B%7c5zWup;pVc{IqG@GHHf8+yUShW
z?aeaWfDwhc?6eK>wRW^yQIKZs^D11FRkd%cW^e3Ha&YZ{P^2cNzC6GciiI<e&F7nV
zRbk;?=4x|uj%2sBI9vY(2qMbGvEzrvHp2CGu;?rio4EX}&Tal@fz!_ZxmRM4>odP3
zJ~x>vs?Zde^R^A`Xds^#6})|mu%*!B=NTk=_LC_#mb<W{uSNv~F4<ZuIs3W)pyLSc
z*&#xDPrT>$L<MNA8hQH>W{dr5wwCRHv%B+ff7+qk7l)u<qOR7It!x%+HDjtu#z}*{
z5=_3mdeX)ktyHo?!Zv15<*lO~q|chzQ$~5^74ENrNomCI&!8a=T?V2g@!(<@fmBkO
zw1tBs?$@JKdJ*GSMNLqsL&gBR)!;obsp4$7=YbjG^d$`1*MA?Bp~k<l^34jD*<8H7
zL&sH(;-r5j6D_QB5-e$TL5~hsT})M}INZ8#pGNY`RAm!1^4#x!O@MhrSq_7QFnBVG
zABS0ct&$P9wF+SyZ}!pz6?!?8i{?6h;{1m+N)02hM;}>O$%y~;NPj>af}<XNUod=g
z68b!JE7aI`B|C?)JUo3}i>kw{b`nU*Di6xCn7^9SJ4st*Oh!e|qTtdF#u7lYS<|6Y
z;qN=8nr%wvd&x{l#&<u{HDu-c5}oer?4`K<l8D*yFRhG{P#ArBP4>-(Nas{swEjg)
zli#}pXydl*xz3B17MAk-tgvZflJ+mRUOc=v$n}7g<3YN`b0f9fbbALY<6+(O*TWNu
zr)pMIL>Kn-+Mj=GP{k?!y-N0qRGuWC>!%uRTx4q%FE{sz?3`V;u;21#FYs?`6SEiC
zbhZC%HxnUj7r5t_{q?r*ocj2pQ<?OQ2DxzGn|d92RSkDl)3c}AOK&`W8FKRx8nXB6
zfIf2`OScvv^>pmJ7;okFYMz2$7igZvc)PiBajM=Ke!#0Co$NhXkQ^y=TgUI4I(8Qp
zpx`%mvqy<By>>AY&agcrZk!gX-7j!BixS3$@p>j1dNY+Nh6L2lmbD8-_D3pa8)J6k
z(>)^lDX~&P<!Y&~A$I#y<MkKMjKpgcwvK#?%z8$4Kbfygt?-p}=J-yR;G&_P(=}Vi
zQ-6}1RUJO;IWnVO#7H9py91V2LWfUlVz9bd@ZPFf1<(6laGd?QBu`d$;n$<P5uW+d
z;hjBC&~D@Wh_~aC5VeJ%oZoXw{`J-;49YsqWqV~+t2?9osMX!Nd*XiYX72mTIX4Hz
zo5~JoMCBcV3F?Ynw$a4wgajmy95ky)ShyyqM;PDon$&|iiztk86y_`FxRzADHkX<^
z@(2^tIRx#vVDAzul9D4u$y~o*k@h5hmm!d)vfOH}<KPxVYd>Q<ZK=Y)ZR6<N@J;B<
z`K2b69RE5)V!??R0fC%Z*i=LuxvJgi4>7LPWVlD>*t0AVYe%WUgK9>{jaz-G8x)db
zLrTKyQEam751Nlj*nZU1Da%o*Ifu<uS}SD{DiLrcUmZwv8ZXN-1za1kz#P|<V|ml^
zSFxu;?1Z^*;vS`aQtetU5)@`9dINQVeeQZSssGTSR5kU5XS)T9Y0Z!2BDk&cD`?<~
z@xdK?hpxla>R+ImSIs{YiDM&e^#gD~FBHmcv1773i3e~Y4&Z+>dGEUN6}e$nuC!0N
zY(`&JQ`89vem&qKWl69F1>lPFqpN@(nY!PHb3t<?oP-3IFBYi$`*^@h5b}+bv-UTo
z?CGGgiV6mBWPiK(?*|B2DD(o14dczv*7e~91>Zl*VkfL1ze8!K07eD__#T(s&=zBZ
zx)8|?e>s701785YXRng3b^x|f3Im#AVzqxJ6aPEbtx*<vB@&j=Hnou<g>k2okQ@Ap
zS0DZ7Osc^YREbe`O3Doo%xP?$PkZ=q!$aUuiXKiURbWUvSU=-)%YgIsu&?GTb`RiY
zC}|hOa^H^C8<WG-J|k?S8vS;PDK<3;XLumyR629<S!1%4$#%tjzr@13)O69Va8+<*
z>v&gF<*cruLsVb&#u$Z}{{DdueTvi=Z|8fFw-lbAPY=r2$Nhj4s&+WIsa(_(f7jD{
z4`7*31Q7t=6wgOWP@J-5^>wm0O&GjuA^V`D;d7SQaGyu{)C~gg&rz|pcQp5MDToY*
z6%0E0A8r=CC4^gAf!z&5`OeRqAjct?K-ORG?_`-<`)F8r6C2FvLL&Ue(4hKPDzMGX
zN5pRl3FLhL{ozDFsba#|rRh&6)nvR84MFfJdq{MOL1>}lt2*3-N@?lqyuK_cac@2p
zV?YPGx^m{sq}pr))8~Nb9^Vo(Zl2+WchCBF4Lq|no4S*@$mADLH(550O$BXNW(Dds
zVP+k}Lmc;gD<(PTiiM;q#>I{d`CCN;K48pz%lizyT5rN}O{V8(*T9epr;%e$l7UQW
zV+_A+wB&sQM~}Pr$;~{*(z2wRe$qt<IM={U>(RGl(-Sdfz<mb4YVw`aTehn1#1!kB
z2aHakT(*4|NI@XbWR}<L8-?imJ33?v+h~Hp>Q9q6q!8Nx+OwQ*_Q?dtz<n2_zw_fw
zyCOmFT~!8`9<Vbql>T0mi?~Afy-b^Y$zv_FQzVCp{l;l3Y&W3i-p0BDc=%a{^kUKX
z3aFsQw3UYdt`XyYM;CPZ+HY^{H`3b2`W$1cABO%|#;kd;l9un79f#!GwA%|>P^dm1
zc^6pFJ@x@jVc*1qxrTj#G8D7Xd~MWSzq1E5OM2SB>w}KpcmXQQ2Fo@cZ+#c^^qZiW
z93e;dx7AJ}=a;o?9i0(8w(!4qHk1ql?)1?F1r>s8S9P$H;!M>H=KFiBx}%3h&KueY
zwwkRvKXCuR7&;*^zJMP+?tIblWFsdv>H1h`PeZW1mofGX4zaCOwQfeMx4^sHK+HKN
zwn)#lrt^C$PGczoHHZd#gT$`7U)R(D4;k#Y(<U)_y4>`;GpJe*O0m^Zr}4->{Z=eg
z0d{Jz?o-$snW9n<)t>9@%};u5bMiP&u7dJzgH`e;>a`xBN66;I0of`I0)jzbkvH4u
zhp(a(8Dj6+D7_M94|P%^kb8hF)0O)bLm;v4iJqG*&bk4{eh56LCRODA>D_Y=W^%9J
z*dBdVO|4oZ4W@48w9F^HNeU0z;D+6QTj?07MMc;pjpVA^R-D&p8!VA_>VpT)ev=kk
zPaZ)sG(>0H&~9d6R$P#QI*!YS^%!mhx*gMx6cy_z+wW|04$INYx-J%m(~}c=^kl#l
z?V+!4*b;GQC?E^#;>z#ucG?y1n6hhN&-bg-8Z)hTYGfm!=rq(w2`DLTn?obSzBwzu
zNzlgeqt5n3gF?X=p>Hx$y#t?I<s0K)U@h-Gd3y1s5&{_|YXLVc5Y}3t`Bx1Q+l~Tc
zIXSo~OgnO{w4wUjiAI#QaJ}5?2<eSzo*gKuV#k1ED2Bg9WCBP;Jo+kxB5m2YC+M>y
z$29s1$fJAg%EHjIMq>S2Zk<gt&Lh>wj+odRtzkVQ{Z1qV1V4-Ba|^22WU-Yo$CbJQ
zEvHp{M%6#@vV*dPVN*F#kPspQx%c!>Cp!)$>^E{)KSi|WB7Q+eer+Hl;pPY2eq3n}
zyc7D&YbWb(Ha&?U$P&6Akn3^Wjx4GFuKx7-Lyyh)A$BC#QslZ({y6*dKD`T;G`csk
zb)93nl-0ZT46zwBW5iTJyP04F6QqjLd#nEVTe>I4+0Qm0$rD54B&;6?-uAU`0zuX-
zn`R86^?Iv#IMf_!d6hVCuNs+X*`D?Eo@ityi`9x17}H8s3y^pF_(7de%x~qN&OK6d
zpS1h~fuxWbCzCIOCO2O?Vl)je5~01uDPi(880@o9Lk$phOzN$xZ25-Kc@s$ONADk#
z>*`Hbfv=TXp<K~zJ_-mKQ&;47bqH8Cd7{*#XLGPVY3+T0^vTpMV@EHJ0mp_j+Zn<Q
zSzan9Pp}8aRAQzR&*tt@<zdZ0vR5TsV?47bA*QU_jxupFO};KCNUQEZwqh(Wp?88j
z+T%^A=jOQh0QLdQsb!7>*w;<k<hxW2<29rY5@8(&ZP%C!D3l@VBVGM6I49Yw1ad^{
zGGj%bx2>d-=Nx$sPu|!gATv*=X~6XMI>}&!p{2l#mJ|vHog{&pxeUArd9T91HyOK#
zGt%#wZnoKWX6L`7-I?h95|(O5b@eGx^Vc2MGkfZt<gGFi9w%7Uwn@jlNKRVH&vhLO
zOfPMITF3*EW~z6Mj$vtFIJ7H$8jd9^>=(Pivl*(GwAMiL9Xo9EA<NVjVvoie5q5Dh
z2Mm(vaN_38y?YHw1_mu%1tv3U{a(UerWm|Q`6==JU~@}~7;1P?v}=%D0{z4jDabW2
z^=_C5DNEO<mJfwO{))PQ#Bg>ksI!&zqg6`=0)hf=F0K+)g@Yo-LY5^W%BL29DrRlY
z>o@P?zmWG>MN4$V5E2X$+>OnY9C12(2K9aTNGr>*JXBA@SI@zs%4;sM^rzWZ5zX=M
zWy4vUBOO)-HIn`|F5`ma?i|o8W9tA=o3p5IqJaj<EpwAMkvzO<TE(q7(CaOac})k)
zyUohiUl&T_rqb8}S%|r`cIC~bc*Q|JvnFFgY1z~}B!|o8qCJ|@M)JM()a#N&2{Q95
zP|fhB2;2dRBl$Yl#QHU1()ZCr`t@dA<|ZpuESv@RQ@VR8B_mkuwb@*`%M$V$OVqmN
zrP^5;88FIM2!eG<NZ6CuOQJdlfv$PSmXp!)%}`pizdBS4KwVz_$!}r?QHMlkB7)p(
zR>CenrMMSH5!v<6BOH3HHsh_6-kAUKeKS$1#$pIJWb9F`33Pr!D?VAT#xAzru@4q4
zGj5oyk3Mg(#wB<@%AwtqV&@q?e8RuDjo@*#QJw{tZ;Nb*zm8^hu~=WV?E+K@{W5a~
zgYWXbC2VMh6baq20@a9bM(PDbYYnQVMKv564Osrsn_?eo@R%^OQIq2@rD@`CVVTT6
zfF$+IpC<No-)kv*7&~EAYzlK27I<|fJdU^DvFszz{SNj0S}jQT#}^rm)JRiH>I<y@
zCYhXq1G7Vm4`s!*MoqtfkU1u((VK<UFvEs=uP;;n{2;`c=g;vdDJLb@9KJfMupD4B
zH_B-Ao6}1!@SVQ-K0f>=qdQ^OOoQY2#gnuBVbk)=H7<+eMdpi%S-)**S$5g|W(oo|
zSZb3CEbC|5BJL=TUdmr!x(tOeLQqbfg#LhasBNSB)EZYXa;09I-rHzP%2B|tcnnR$
zFOrd7bcnIup04@f_pN^#haA}_XWFijnrc86^v^jt>K#^S%`mA;i;o+7tFegA;vnvZ
z`d8OWIRkJhZ$zJMqsziK3`Q46%!=+zyYI}Rh$0U94$n9J+L89Sm`bMn0F7Ur(}L3)
z1ezZY%Y$Yq2??gYoM4-?yfk<7na_#?7VhM@w)<f>-6rDz4`x)2<M>p)=f-B1mqT+w
zwtM#@tbWjeeqbq*Gu!*y`BA6rN#*ISMB?Bg&`7TJ4LMCJibB2l3JNXP9V6qkqM4r`
zROP##-A*K456@*Is0JTUC@+Hoj4^Uy(#}9vI}GWwXUiZP*yy=EJHy}j_ZjYFyu~@i
zJg_dycfG_pO%+&+fZD57Cv#9EuoemAjEk5M!jMfWZ|%L;V8$y11i3cdJUY9X9{p}@
zod+A^XkdQDzCFyw`GqYW33zDBE7)iQgCETjJ4rnH_4;_w5M1=K$eLS-eMoc4y~vt>
z#Q0#T%A!@jtt`gA$a>M*zhuh04&yc2eO7?X?bK|rJGnldHaJ#zIQ2O$yKiV$^n8wj
zAh(dq2%pynVjRsqMyoX>*Vs1ZT8ikloPbXJ*MKI2tGu#}W^&TnqpGl~N5D`|Mx{=s
z>i<9`gS)p(2zNVyL$T;qucNym{wHf+O;<$guCl#kTqI|d9O;+6@K51827pCZb^vzL
z`c@U7a0$Uq+BI1I0}%vp^M3iREGe)0*4HTKnbXA6H>My$0RaKPDjGSt`=`eg^w%mz
zdQ9LyxFQ$0mw+a(3+{I*kW(*JF^n!^0gG*yYm`jYMAvRw2Vmw}=CE5cjxNo|MS$RL
z4~f_up!IPm>3>wg7_dL&>^%wv1q#$j`5&3e5);^yDMUAJhqD0v|63mAk3{}74?I~U
z_ggDWIlVVnbziz9g;@wUPuXyKE7<9%fso*Xq}SHw!u!x}SboOx2QfVK8v^dbR3fnv
z(^Lo1e_adUjej36_W`i32nhH_?q@VRWz4vuM{R-l!4UF$ZT#5qbLlvE09|@*3z4oI
z_2$SbUDPEyXYfh)%CXQ#?qAIrF&&MxCsUZYRNF%n-PdDQ#WQ!v=VW>Zl=J>{Oo;}T
zCR<uz&Mjte2)^Oi>GMz3<$4d@;GS8(%opz^?WBZH9Xr3+2<)~!aD7P9uuO(&!9x05
zR&~zLNiUI-@S{pY^XTm7WrvRm2z~%~nPBksTV|;~+y2Zq3D<C>d2I<Z`%AE~D+Hgu
zkq|Q@+-0Z4KD;Y+8=LEPa-Ry;sObGJgs$H=YdFR609b;0ZG`x0d&-R>(NynNeusvc
zqqBMXK66KD&N1pi3Z#d#t6Gkki^j>L&ud)@%;Z~HKnh(?6i5bK9P>!9PE`O78+e^y
z@b3CBMDe^HJ@G~dUi!L;@jkFo9h(?84h=xrO(1zQ4esSRV@LKnRgX--2~4RroctId
z|No*|7m4XJ4oAoT34}b<E?Vl%+W>Fb<e-YSmgUppfg}~5^gGKIl0M?{QK9sE{Vf#P
zufZMtZ7Xzoszc}2hBi;YiCM$WOOoDh@WtshFqWxr_~^+--PR#wl;IELq5_V`d(QB?
z-Rc>$Gs)D#EG4|n5w?-WCbvZNI?6U*O>7l%Uwo%JxYLv!sLf|&TRQpWujJRf#q`&Z
zm4R=$)~B=f_q$UYOMokOXsCU9A2HK@oUaDt=f%xnWh!8e+$~6zSF%yeMs1iGH@a1*
zWlJ<i=N3?L+D#QJhs6IFG?A)TVlIxnS{9;3E5~4EdPlfVjIVl9*jbsJ^S$GM;c->T
zn8q+vpZ$I8PHq8K+$MGs85#i&U(~LXgxnvOwne;pYUgoi>LjedDb%{q^J1KGlsDl?
zj8+!aFnfJq7B0KCb9vSoV&lCvv={9nWn&g1<rOp?|HO{uN`ORRag}J-yoFPmqR*@H
zzWUq0cfvO~mMM&wrBmJxuM4$r8MxO`O#8Q})dyy0Xm8Jd0>)HO6l8z*?>io5R`-_y
zqfY}-inNKncZ+o&?@Tv|b&@nt$q$?dCNmmrd{t4)T?@4wc5+WMZq256uU45`aKkpq
ztMWNn?uixo*U-c+!#m%#HJ!7P)F}_m<LKw#qP?U%9mXg|12*l#8_EoBlUDtBZySLz
zu*N|bGM|`7WFiuLT1qxXKPD?Z^FB`_@|qg^5HNIb>LxJb@SG#MB0Bx9^h)9ecjexG
zn?A~{vGk$PHFm2N#^L}q`m6H5ZTT4OOh5piolPQBJc*N}0Q#G58vQs~AYmIi-JI69
zF>RnYuv+V_Tth`wc88uhVTqe)rjYVFR$$?q)sOfW`v<l~I{1}_)$?v#!J654yvNj9
z*jda(eTUG3m7~U~HXUtI;dgKV16m*53@z&3^Ng8Hl+OUiNtI0^izHK#Z!FnXpY*)K
zn4}tr_sOhJd$}?Ro3@G?Y>k2RBvxN%h{y=?c%s{y{k|qEv9i>4G8-=>Jz2?c3apjB
z5o22Zn5BeeL3g9x7n#H4gbrE!SmQJ4;=r0(YC{9&uGBIgJZ-?F9kd<X_jOZa$X*mc
z%4b2HhMz|Wy%F+5qQi(xH#gUEs?gzo41aiQBw>(LQW91SAIPHEs~&^Ehr8Psv)MJb
zAv&efZRdCHv<dPdYFVEo@6@0fREe2kPHq*dLLY&6WxDZ|9mz~-u?Dy=sPq~G@FO7s
zx5bdTJ+|bVA^^W0{m^Je;x-FR0z02X-tj2ct0c>`=G(xHewek%GWS&biE)sW1<s4}
zl_!6K%GlKXmKli+-Y5O8bCW%rWh8-9?_RX>KSfr*TXG7i%Fxua>~Vn8CQiN}Nq58s
zfXhGwhovZ3_3UX4<flfrY5HDKvN%C5z%-H)*i(PQa@h6XcL{)$R<d#^eW9B=FjDhP
z2nma5ozj%5)JbYOjt_C9HEvl4VPh#->vPjX-Ve3vTcE!^E`}t)(bi)Ji6b{{UWE~M
z`NQ0JR37)ropyO3`+O(5EG=BW%OTVTj@Jhwf-?`cGM<#}98Qvu8FW<9?&XueFmLkx
zA9%0ysSVl-9bY&klxCF@#ZTH@5Dc9hHwEYsFp@Lg@N*l|MPF{ebOg)!ux;GaQJizY
zZ@iBZjZ}XQE)d8!OChf*%U~))_(GsQkh21%F5a#%EgM8o^7W_#fsNOUJpyXXCL5D8
zl1vkh45#+bk}#A+3f=L0S-&!av?~HZNzxLf)BRgi6#gVQqw2AnNe3F>jf&SVg^D5L
zk<_;A?9Gcw9}*G>yWXaG*+6WQZ)za<;azuCXRwe4!Ss^D1wAx9X+`#bVA_@{!{&yg
zT{385Vd(_$V=}d5#2tLTkGk@uSxqSgW0)X%Jh{vN2=hedcvaaC8!Q`R(o?Dq!uo<}
z8ML!ya=in6f;J2)Mb&(`9ff&UxQ&q*xy?rUh<>zCk~jfDA1(gLgylMQ*LkeekALgd
z67!fc*w|Xhqwswb1F8=myU&B_(@X13pSCIwe^;7?-nh=@jP&fvwP7U^EQGp#6%=!b
zHT-iDzIQ`$Ox`d%nS9I?{4hLOWK#w@ju!5+n4Li`RaHp(nQyFDJx5KJ{uTAKcrEC*
zcSn9EL>JGsJx%~SK5QGyF|kJ^w3(5FsyGd@1Km%my<?|PnRk<6N!OzoE9_FrM0r}O
zi@dC9oidZ{9fjf_rN&<OPr~ZP!WuAT71o;Dv0H>C)IUqX8<9iv^W77H-J4FJ0d-nA
z9oy_4*ZsB@Yk^;eZ`YikpIUrLS^b-21ol=$S>%wFp6uL}RxbUzeT%Cuuz=n>B*d@#
z$k@`@kwo3GietDtuh%`VwA*GT#L*DO=|u9XFWZ!<T*efg;Bt$Nn1F>LB%UBx&u;sK
zOlqQzN4^W`bPR!Qj<oxldnJ3$c*VdGh*A^z8hZ=gUYUL0toTYMux~e{(KBgs)lf`Y
zt!C>Pd)3qS`FUOj8`$Q!1S-S8d<Z&zPJQ(%sK`0(%9`(y{7Mv)D8^@5E-iuIQ3r(L
zqc;HGR4%PnNoqP@@NLj(dKgX@YMC@mi~CA(0-o?{_01j`4|$EGP2R5gwM#`ih-SQs
zV3n6spi2pSEbfru8VcsSM2xEXGlyozCZgY*p*)Y*hyu&VYN{B|>LcbYDYEn-L!M_a
zy+J)B+9hOnGst<rmg?O!J-44M*8#t<mgnjl$a174(x4$8svc+o<BL@9VM#k!?*#Z+
z?tfS0ug`P%UNl9rhj5~Ojk?SalZN+FhX)nA0{azZGE(m2&o|&gg`XA8MSb36k5;4v
z%?8%GA`UW6{HshmPU@yO)b6iJ#*|Rsy-R!VzWtx`+R+ZH#^;$Kb<k-duyScuCw+v|
z4=wT86slge+fvPJ`Y!`=O=F#Mgxs=|VAPNMhcvd_Fq&pQi<+?BLrDn$PDbD%8?%dC
z_qhjQ169VLfLikWRuhDaiC2ZY@)r~i8PDcM1pa~8Mhp<Y1%2spdM1==@EXz2hj_j*
zR)_&yCoz!4(-&7)FosYEJ4!Ze4Vv>RZWh_J+{j87F>Vr<{^)qA9u6sXGC4V`gFMN{
z=-3`E<!?ASrrgFFqTqP0r;zwjJ9ME%%P&<TDNRWCJ(wKkc(EoVbO#-&$2`!hFB)T8
z#j*YF1w-tR5RBF<=m14}?nOOrYbT<a5$T2izdM(q=|#E)QV|e*{yd9n3Oel!s!mXs
z?4sc_vc~fg0l@q`5*S(@1lqgpyk>pA8ZQGy70(OD)6e3w6~OfS1fY?L!Jy`l4O_}j
z*G&Mig0Z~k*TnDp0u$cT5OJr8dE^k>SX{Of=p<%B4694^`R=d&M&f798`dPVk3<OU
z)$yz}MYfZ0=i$ynQOJ>5?P&JWNM6?2NNe;TG4aD}H+o`#k`|AcO-r&_o$}k41{+t4
zuN!QmA4!8a{pQr?0$(>CVk#8Yzl((xVIm~!&MK~LT32W_X~Ui~&IJ}OE5OuLs=uzU
zo~qq26`0kZqCBnqx=kXr*SzRoXR|tKydeEPTsoSw@P1J8ENXcFBx{pS`h9vdgv@@t
zO3-&M`alj-u+N66%T5yBuVyS|#>Qu^GD=SExtA*ZNd)s$B&`NWfhl_`XHf~A>!{n?
zK2mW__qN0<G4>WbHR0<ci;~sOa18%8^O~U4e80q|nxrd>$~O94I$+E(G>f{EmNo<t
z)bSgNW<pu>AT&>pJT?QQhCScD#!-CtYl&t$94qAM<rvGf!)!eGT{p@v!0GNhbl@oi
z^(|8!nD(1vvO~~LZ%zd^1^qfmhW`Qi&Rr$=u#Uz-U}VbKuHQ(pW5zDWmHT%e>)sON
zCx6VXc+@a=)=xsBA@L{Ch_DlwyPh~~K9r_yjk<cT{eUf#(~@9se^|q7!_n_|bxhFd
z;+D6}Zd?q2lLi;=igHa}xs~{$U6D3ZMU|miM)b)9O<it*FJHO7f~+V#Z|#@hoT<;H
z)Tg^uR}ty?l2@|fW+%A?A)nUQo^H?98-Jwp;;roQgIA)<Qf+untKR}>mEaiw*pbk6
zbPjHM#c8Bi3jqEx0h?B0Hr;n+lN}a2KJ({my^|xMmhxP;1_~RHUcpX-?b)Uom3I7$
zfN|i@*au^E9(L$PAH)q2ZnR(qP^YUqNZ~VH2K*|bdhs$0&i4oiScab0GLx53{ID?k
z;|P{wDcKz5Q4lY`>HN$=>hYw6nk1fR9o<*|Y+I&a&hSO-S-xRBp=aPQH&MLsRt39?
z`whh_1cR|gAkAH1oTSpDU!t>VAu-9jgU)UugyhC)qOO$JRyDrfR}aCYlRpU?ng!g|
z8&Wm_#CygZEqgfa!SAQtrfT!ND4)d+U=C)mH92n+1&?dW1Ns8@^O@^XsziX8XY7&C
z=LOb%<=fh969wvkDWce+$~nB@72Mu?yG!|$W4BAEoW=R!Rfw-J)LJFvbIzybSD=db
zjv@gc3}?Y!NQ=EP6d)Zs$#w<UPFNj5Ko#(8xi4d-iam*%u734PqzT93K+w4dZvH*x
z>4+|rmGLSqK+)==;Ie0H8W6w?h_-k{rQLy6h+HUaF)1mDzqmNpPOQ85sVhss!-e#(
z76n%le4DUSj)6CUlA%tZyQRbScpIz_pcS%6Yr@<Wv2SOnpsxCpn>jT<plCGa)f|Jj
zBm4^mft<&$b)a5F?L@)>l&03MB&3-6mQc`({M>5BIZL@OeKhBmCZPrWIKkIM<-cLj
zC}TiM<i;~@gAz+n(@o(=Ky*MgAMlOS6k0>S!9A<X#)j(uL3ugjvGtJnFRe>}p8^<=
zlHt$av6ICa0<~eShWIa~3M6dQs=5sE>$(cV->_`$Q1lI2{<nso=Z^cmOax{op|0g-
zO;cyGmfwhJm+l_?h132!>|k;=bQZP2v-!Z7@MncMxaK7tBpP8q#5&GVkQ`?}FflaS
zpbs|!!4AO@&awr6k}OMtIhtIE?3IAHKn;Asr%_F7NpPGG)YR?Kz;h{vPm<)XD;KeH
zkybw?W`B1A6pabM#(>EKyb50p$G?J?BUSM~_A^lx;E{Avt%g(7YRX`CXiDb#3Flg1
zUGVo#KleCp1Vh@IEhaOzu{u??TY?#)ZZUmLn|sI}4en%o%~rTU+6iGdz4UdY6JIYi
zge?3r@h$7On_T8-@ymNG48JJVFcy%7xb}Hrez0pCRrV?u3Do4BQMK2V0aVx^RqP`m
z8yBvR$+8u;>#y#LIPdti>TLD3k32ce)~W%gB<CS=F4JH+X{EQNFm#%vdQp8ag_SZE
z_50%Yhu)+#J;xyMOiUKfw%o*j?i;b!#mrt)Cu6*7x2yyz^R9VWn_h)?`T8NIN_T4-
z`jTBx%CIVN^IgOsFofOY`i^l9D7V$u1>OgaaPaZ~3|x~>h5^QO@hh16aT=HVP6>9=
z;>I%K_prjxXF8{<OKkKiT|awfNp^G7&f;qdJ}>1CFw0z8j6S-Yvh>Be2eZ}(m={Ur
z<_Iy*?DFO&`!mf9q5AJ?pZd!|KaA31Q2P~}_@XD^a9s+^pqm0ppik}o#08822pe@1
z#optHZ2DO=l_(!kht`I&cJ@0Ce=`7WkL<;-o;c&qGpRb4Vk8U${PHG8T+deh!H2K?
zhMB*9hkgI*j8<VX$1Hxz_8QxW<DFAH29<Xse9y=mth)Y)x$d2b{XguzXIPWl);5Z|
zuuxS*L<DSzbU^{7yHHVz)KCRfdI_D-1Huv(B1JkxiXgocNPtj8RHTE{5UNNGp%Y37
zocZ9|`+d**edm1Fb<W>C|A>(Cl=;j##<<Iv-}OQo7N3P-;XMxs$v5BrO<y?6I9_pN
z@@w%kvo7k2>0&82W8Os%JPJ@45)OvGsj|;0{e;z;5p=U>e2->=LZw$am_h0N1f159
zC-Tv{9vnU`8t6@CR`JuJGey2*f*h5uA39RIyXwxv*KS{;oj40WePc$XqO}KYzw3^~
zxLq{UKIhrDXQY=DzAufsGuG9{KST~UYyS)v8M&mYy`t7whqA99H_4*k=7|7EWwJur
zZR>n`vd!2?KWxD9r(X+(LA%QiQ#3Ez?@&dum6t@CH165Ts}%dRTSkn<j4Y4z%i6ad
z6DPzYwOKt?+f6HM($$hAo4fLwwkeCPJ?GzBRXN;Jd!@*IODIjUf0s`o&kwh*S9(Wg
z`BHHRZS&8-jL;oIAkp<n>)xYo;y8S$FiYYamIrV5CU|qV?DdDisT;;G$ixS%BpABE
z&d5HNG1=`^no&a1fWNW`K}_<Qe5Ijh%ZB4{Kx=8MXDO*T4fEojBY<Yoz3j@8qG7NT
z)YCNSe3#_*BDndp8Iq!dcnR&AahR2{ILx4sVzznN9fE3$=giB?JO%3Oj&~^T*L#I|
zC}p}zlA(g1?-N;wRvoc!O^R@B!DHPS_z0T_kyv+vgOL@!X3o3Etix&K#jH4g&{}0r
zVVgDCY@s{?!*<F0s*zZY{YylJ>Zmibu_=1lkoc(Wa-|HhmaCXSOS+_`U@F7AEuJrF
zq3Q`esgQ*`FRmw1PFt*Ol;sB^Ak(V}zPwms7?<|5oL^)pO@f65oX!xaLeo?@2f^32
zJ2CrLXs^Gzl+x2wgScpRI{{#8`>=vx=QlXgW(u-YxLB>}EQecYmr3oCAkhj1Hx@gs
z&kW&g38MP0Bk1e_9csstt#mb3?8-IbK>kzC^&eabJ&9q)B_vVeoxVrA_CMCnG&;k*
zJ5Q*yz~#sslW5^)Q~Mw(7(P41S3xv~_|7nxXt^PvrBKe)V&D3OSZM8Y#68*0Xtr3C
zW3$7MJ#nC*{prc#&F=4*%>G)iUKmP2p?^Gl<uuVO1wN;<SyME)oxIvU>UJzN|7&r+
z(=S#_-ht?obJY<#3$Z6ZxpT@2oOzCt>c$8arkpXTvaWPIcw>HH;2}vRyO5(qiYx2+
zi%qUJJ}%<XL;xVgKhSV)O`o_MGd&+v6O?_U_1Afr<H7v}<a!NP$5&ONylX5zdHF_x
zseFQ#soV+N{#O&#VnSQ+qhm3Rl_txxJf`MP0Klai2oQ&K3qsY<OlJy*7vP5=x<MPn
zV6^0e(1CUf0j3I<@tO4eqai8Z?#g?0RzC5xC>Q!B^~@tKeBoRhVsUg3`}J;fwvu#Z
zPkH>s=LLDfq^}VoR&CrEwSI$PFP-PNl8bW5yfL9Z9)#P(g2M5>=E4#6mL*%%9p`jd
zvH#t(D}rS#U5^>QwpHxWzeC&^6*&7hr+=Dp`elocs#@ij*6X-vHI*b)>{~c*?|C+P
z5#3EUYX%z#>9t}!+MGz)vxZ}vf0ObqSu5srZLo+XI)@0^d|U^ZhqY=2So&{1)+EI0
zpx*t4mws%1RzpQU>@Nfss_=`u3&p7O!y|rdggA20<6D9~oi8eOUCI*{=4zf+u-QJT
z2u=K39)?eTO@w#%m5w&g)n3e#wLYOm)&#=m4Y;y0i8Q#tF7v}|n`P88tKu4a%JOxe
zvd(&AUft}4D>7LrofRN1k1&EOWd9L-ERWFTB5NCW|H{RjE%;!td3m=4Azr-BUZGsA
z<%@Su#9!C(O^Cu-(!|T5_-bvqhnNIA(N8*RSQ@(x_$6joW6?I<?L4rHgctq0qH7~n
zV^e=p`RbEbxY$n1qr!=7h}|DjSwzoov{&IDI`(1X!}lMuS-(Y`{Oj{uG@jl8qlu$C
zg#lORTm)2qq)C2flC!a*DE=%*q#DyPbd_g#L{+@G^+XbE$tcYl^+TO;v&P)|7Cf@<
zsY3blDN7L$MxF#wWI%lAe{JvAZ9nGKrxacteUp_}&smgejN3)jD$9V6H#`dwypsR8
z-=YIC@c>bZ2l`hnFx?y^#tKb$XCfw%xg^hn-C3|`(I~XtM@55ILBsGIczk}3H*XdQ
zGy#DcAROt(z6w55R6m+rAdZb&2f#-WTR-+6D5T;h^w|pZ;?3D21WU;gL?s@q$idG&
z!N#Dg^)ktTdBm!2FV=UXhUA5cL*VYMG~clsyCi=_Y0`UX6EMMAPU#Uoo}iOS^;U_s
znDOI{5OS`6XV;r9T$(B=SSgC$v)fgbm&Hxp5Nh|~1c!D<7<$6bXHtf2AT=>cW=Q>{
zJGWhL;Cym|Z@=M5>*s^Ax=y9H3#QYs+)wAM(2m9yamcf0BT#O2jHTk_k;PDqa>)*8
z9=6CNlC%)-@1Rzh2JTHj_9F-^IqHTj>$M!_(S5;gBzUiC?0jd6oomzJ&v4{%!;($1
zWu?Kiod-&2+#yca!m<9B70;;oI_m`PFnDTdE=GkA7N1jh<X2hN&Kze0Arx-~!h=AR
z4kDI0`rW!zEx|Zf#UhPwREr#XArHdffcP+IDZmru$Y+T)mc^sE@~G0Yh9x+7i^Ypi
z8jYZ>w0SjZ@-JA)Xn`)PEldR2-kJ%^(k|!nt90D*9=j2~6~pt)YC!=FSU#36)yeq-
z)9asY*z<1*w24)lT<I^%Y-TI^X{=p`o4KGBDWCOBOov&$vn&48#dt;YB=_69cxFf4
z%VOT}49g)-mH44(Y0K?Z-)GO8JvM`EKI-(OR(5;O#C$f~pZZ>-0w4NFzxVd9KKQ|q
z@}3*G8RsGnkDh>AGr6{UW`_=aX|}j{P5bBZ;aDT@A(mFl_odw!_lsr;*MoxOnzVYU
zu^(?8bD6Y6FTf-Qg>nV~UL%q*@jhE<_!sX-5Uwi8%nm-W&l&IYbh?E@YKveb9T~UI
zyjK#O8+Kffz&#(gmv8v;$gi=h0Yt6$yd#CyD5<!b5Vg=hSbatjad^^x)s6N;qLM0`
z4oqP!UR1aGmVWUk!M>4>ihbb=+iD!${e|nfj=K}judfUd$BQCI-{t-w<=dbbtJcOz
zcjcvV&nep8`1tC2WzQ9F=N1;EN%~$hVj$NTBUeo_k=O`+hGhiz4FXJQ3`05<;kIBY
zX?YYDoof_VR4vYMeaxIFk>oC$^+DS5$?OdjchL`O%&a|Xvot0XpXfe>DZL@!Hags4
z8PuuFXzO4&cl$hbZ_LklqRjWpr{|-|6Z6F=ZVWsnc=&O{vazJ;g%*iALaKr3AviHL
z#wUKHWv`&J3r*xzD}OTBwLVpyXlG=su!6&6{aBnxUf!LU)FE&_QuLsP!NdPJ%PhZM
z&berq44Ahun-`LjIobL7xUF&L{lu$`&N7L3eL=X(j@JB&2|Wc)%JA@{>H*Vk?6FTY
z{h$YC^^Y4pZyy$TbQwzY@9xagdfBKKF*#$3!jH>}Y~bJO5nAe43}V^0Qhuy&Nuci4
zARbO5Gn@7G2=+ue8!L3r7w_rRd#zHGd+w;iU0cQS`J)0W-u$;)$!GE8LUpU+AJ9|q
z9>DN46;eKfdPDc+8SY5h_JVD;qlLfErr__{skdAMmEMu0jZAlZHveFYACcA4xDx_t
zM2%8%$whiK`OAjmFm}hcsm=5{VpLRKolBQ-%(%~|V*fHWYE7{>qHy%Pao8RrrsQ!v
zAQ;im{Rutlt>94ymG(|)i3=SX8Jc{GqFS5xMBZI~xl_9foWS5QH<&6~H<@R<i_J2m
z5XL0E8$Rt^V3SO`p{+I0@wh_r9$NRrpYD0;N|Nrmg)4O~rq5+d+Ih9b`X>i7d3OHd
z9MXZ;W%u<|cK|A)!ffSpO!#^X`1Yt#P0*!tubUZr69)VBiAF&iz}TGfI)6Yh<Er1@
z<8aQl*%~G%D1Fin8TjimQ?aS_R`Ce2`Hk79fFl@-w)673&(x}yyL@MElL_Pd1Cipq
z3lF{H!xw%jDT2+_elRuDyF}MYR2+UgU%65$#2GG{?_m!Z`G3MS29_pq*>BM0-2En*
z7-Q*f{pw*yX^94xO~4J5z2haAM__nODE2cEC&Yc(V@a@dSS}kN_Zvhm7v4b1{X_AH
zh{fxm&5fcbz5Z&Br>Er+!M;K*cMTQ)67^u%QnXw)J*eeA3+vg>-W=K(?TfJf2ttR_
z$8jWMyMduonaV{kF~fnXg*i`MwCpJ<MalAm?&h~Gl{XCa2=Uc<Nl^=al)~6QO%Ib7
z-_ttZ@QbvPCk8Fhqw@3KZCPL2+h@UK?H1dZ?`=jb4ox<%DS_Lm5tVVA$A|{n;H>i+
zYyL;Y$R3*60rAE4_n-V`Kfg`}F$-W!D}XvC&EYl~@VNsw2HGu{$3S~6&9B#BX*(PN
z85t0yd*51Hj1{hYl=0f|z)PdUJu{sL`pfSjL<cg}-{ax$j5D`B1=>Tw7(U#Q5C3Sb
zd3Yq}Z6nl7F&$8{g9bPfW8=yOaj)>>7cn$fRhRb;-_D#nVO>Iigm9gRv>B+qhx{|*
z^X3RqRA4K{2({+5KRo@*7PX<EAODUxc3BzFPjm28y$!}-z>xe+EQn5=evrL+!FKD9
zCM@$h8hp3Lt^Z}?{F`0ID;u?Jl63y)#a8!7)=P`+wmY+=5SCs1qLH3KRvN?!uaJN)
zkC1`~hcrCf7-Zq~U!%Y5tzt$%?27Uf8k?K_uxaS%sEdNtBe3{2lCBMmJfnit{h=md
zdZfNh&JhQ;|HT@wst%@sv;!9TE8H)foWH3dkJ5Qy>*{Y;4NwM7G(o44zqrYdR-^>_
z2ToE?v?CfmOlp`9r}7ivC+rU#<mtho&}L?GK&d>wC;Wd$Np78Jk#PMUe1q}9j~=!4
z%>2RIN)+2F)cJ3LLHS30<BM?ak;YDdk(~dezrfx>%rkFCyC{vL_@4}Y^l^r_d)3o7
z9T;oCBM`oz)&Gkx=&ZJYUKfUY>=J!CUz^K<g8WNB<4pdPLr`b-`RsW6p*=O$?@OeJ
z*HWk}($$@rgEdxVdf_$3W=@Brza?#)y-`AGu}r+K`Fgg{GsmFp<AfG{;aAqx3yHsB
z`}cxdeXe?}iw2Dts`X`eq&<O;($Vo&I(}&Sm?VK3Q;hXOUIZt8@dW26h|cQj1X!as
zuGuhf{b**=C6~9n=qCxnYI_iW8AQ11DWS(Qjt`$>+aR(DV*lB82@xCY@ySa$*I%<o
z(M$3kwQ{&uXB!wov;+tAKlfaj;Rv@QEnJwH0jCD4)-j($5PY(BV*7+zctykA?ni)I
zO+pjr@(@3@IL$&CYrb@G-??!Qu2UMx`>dLw^4$~*x@|Vag7|rgOn7SJc>6+H9?7nr
z&<tx?=TDP_VDGuXB4df^^=!kzess(_eTM@e-zu~LY8FlRXLqbgN{19P$(G}DKB3J+
zKW(+w-rl3(WK_J^A598B)i4e*27}rc^VehT9m;ol3OmwdtO$i6DT~Ma@y5Rw>wfv%
zmXWvM(fK-1;vFX&+g`&!&YGC$4)Y@<G~PRCU6!`ECn8qlvMF0Bc4x5TZ%cSK-)&l(
zCfBgkK@hbD0;pb78Dk3<Z#GEu8dNWT0%dD76(^wwpy+eNbeK?*YV|6gk$)-Lo#$q#
zrE))xrOuAXnpgfT=L6y;Z`)Yv&rVW!!i!wNj$h7$I+~6riI#`)h~+Mvt#9fcxRr(s
zhmWB{2}#O&pqlN>;|c~_qRX4|<4v}$^Z9>U#m@cWDH!w9E@$*f`O(DOA2Xc)UaGs&
zKPit6K^=huE-RtlJ<dHv`8im*(#5Yqxc91r!_bSAkW{M{%j+l7tQ4h}OBvlhg@4=l
z!Bz0K0-KnyAdBf`&KLSRa+_xvV>O^>VIKs+UqNPXFyZ%_h1rc?65=IvC~x0!b(Z)D
zZmB*Ql-^Yk*lLbD*?uFq*QIS%opV&sz$K((W$NK=2aJ&Z*+rj5dyZL1p>kOoI-wc$
zIy)Sb{Wqhu=M`Ps`c@JgY=qC7DRAGRo^WEiv{niSJj&bqsm?Kk?0x3s<XjgSz=|>r
zF&DR>Wl*v26S{~TyYcW?RGYkGg9#j&YVsmoqwX<pHs8vC`-Y(8C4>Z;I1^%=BlSXj
znx0&w+!CwvsT1C{nJ(L%T{UeR7`5=pYH5KB>HRZq@%y8cm2JVMFSQS5MJv6@!VgMG
zynRQWde*aS4JE(7&BFpWBCj`RbvkKDU(V-4AD3TxslS?ASI98%Gz;PV5^$Gj7M%Kk
zo3;E#laMm3|NbGPEQGmXD&+F9;|!%jMwsogpSG=j{xi4J$^g|Li)66I#b$YVm53t<
ztZ4h!X~)6-l)U+0`%^Zwm1yL$dkjVM{Ba#zw6%xeSLv6{K|NRdZ1{AdbTH)#jl0)B
zDVepsIoPfa$M5~(@W-2n!X3IlH%U7Af7XH4@*oPR^VxDJ_fvm=w<liMc%ixb!Wgyd
zKJxqGkbi46&Mv)U!toE9VGMT6yN&t7P%fZ;9**>fSG2*7c^V}1pdpCbs)`WjXoW*h
zgu~pIW4YlCXF!U2Jn3JF;P0F;{dF>^Cd1Jj4!B|aJwJrvEg7nmd_m|Yl-E@*iV83X
zx6OhA5tQzoMK3rG>EjMK(#j2F+aY#Z<BC4+TbHf<;4@L7A=97kT@QJXwk(j?hi||O
z=l6QnxVGHkW~h&O@~B+9x;0&mRf9}l=T@eg7xOVNw}K8+(K`<}K|jg*wtBgYOt{gS
z7tX6b&3bmY!^3YhuthY)p5$+8hLt5Laj^GeQGtQc+C{_#Jh>@E7{lSfZWc#R!SAJQ
z<JBJDZ%NAB8p=4umfS(G)b=hZuTJnAL+tGA<if;ZM^Zw0$cun0X0Vg9n7zhtv`39Y
zB$#GjIQRa2=`!GrWx|lk&f+cmtnc4Ll(FhUqRRaSR4Z=ikcKI;8~QcdhYYAtvsOe>
zi&O29<rg5}5bE_AJ%J}2lXu{DyD2V>2}*k-F*S-M&0)8ULOLRiD0OaH16rDX95mg>
zZ?1Tz`Qc5<;7H~091_M(4j8if{;GVSLMr2YNcT7+uMjI)(7|ttBS1KR1;5Wa54aB`
zZ+N7^CYN^Fob(oq_P}1`=H;XT2wT28I2dFsv-7Bwbj$}Hl-4h?QF*(K-`;?Q_JL6{
zL{=9*K(ZXa-fOeIb*mfWXRU-M1l`czG%zh?uGzS98Lvw_Xgp}T^(wHpMx>hz74~mF
z270)-EB7p##S!a!^9X`pOuLpCj~xn0@I&06_9uvcRgPhZ;=^A8%Q7JI0ZmZPf;Hyl
z%dt=u3cltH!M^pfTEV||-J@~@QQe1LhZ3P1k{8k%gt`PfoY8DU9hvO|BZ$`>hLgP6
z?>x>Yw*4uve(l6FiQz@rP*IBxV><!30agWGZu(L8xN+;QWynB(=i~OoybDH>)o{sC
zE%c<V8qp5xZ}xuEqiKFiKzO}`Acga7M9A}8X+No&`?o#zi>03zp!B)xO398O-RiBA
zR7i_Xn}+Mh*l+Wg5xMkH?I+!u`yB1mf}hve7!>P`YPAX0EcbcMV+)8E#!h^AP@V7x
zk&I=VS*|?QtCXnnKpl@rkC=K|$MtG^m+^1aC+QYmB^x@@cNSET47VsNP0WS8=q-JU
zpAq$3#X0C1H>}HX)CNMHzUdJZDG*6m483~%dXEfvs(|Q*f?qu4-Eo-C>QG|NP_rG-
z^yCgio8Yj{%gp*)yrO2{L7cWmi(_vLn0_>TNN2knVE(c`-ztRQ$kqSNc%mH^RySzT
zY+PT_+L@X<Y+~BHredt1xjtJc{hZnrUb)F;EblpO^0204RL<VcrLHYOSN|XsIS$Fi
zbS<qO4U5Yhd_0SOQ}piBB%n<SJ3mYC_kT@dia;Zz|MnxHr!BjL)fpczRI$JUSSYFJ
z;x9Lp2)8PP@863hAU#YPu#n*6FLP9)T&{lQ=VhZ3&k0fVx(FSUwPuw`DV*cQ;4WOg
z+M$4R;m7!m4X4b`C<o)kZVV}O;u+JR01D9L;|*4nPwm379HSeo_whMrV)4JkXiY2M
zwq8%vExQVi*uI?p^Df+t{Y4sMiIQ<MCyuLzjpnjj)p+yX=_sc@O(nvlcGsqvwaQ^?
z8#k~0D6z=cy!zX%9&Zv**_aPx;z!BtyZppqcrN!A;9hc%`C>VqVG(G9<@#d9<U=l2
zKas@VP>&kS3)y`7*85mdEf*)TFwy<BT5_zcikRta!WJ_V!b0uaa2W9!jqpW=x5rb@
z-bXJ<d<l;`RLf|%QETn79GUnq;nM~$d2s<F2uk?T^rqb!gW<uyknbj5M%Fiq7FJ5f
z94Xsg8!O!(IQXP%biQkwL)X$M0Z4<=eBDyu;k3uF!i=|f^6l}MV*_O<W@RP;EE=aX
z^izMvqBzy}jv-hymJJ-+_-lru)^5=x8*a+v5Mdz^)ZIscCDqzV{eQe>X@>Lgyo2*m
zL<M_)D}QLCkKrSwow*;DoS=D7H(uRXgH#mw?AIf4n38h|tE@%Ut^HvTeR7+t+G<Cy
zD1Yb`+|F+%bMM!mC{lq3PU4C*<6-F6s>E=Iu<^b~<!!RiK`qs3(lWtj9y1<QXEzvB
zz7l(iogC$NAejM+CThLRYAna~e=~iRQRh0&U8H--=}33^eyF_^+h1@0VDmv>Ba9yn
zskON0Wa(1feM^b+o~#pqt5{V*<+U91kPtRQ%fT=5+udq&9^ZWVP;Elve!uzU()vMx
zA#&gYOG|x+osH7E7vo3JE8bO?ov#O>nKoq|Xh0K{6e`W>M!%jLhv#;&HF~j%6q>PF
z6+UAhq1IsW7QgVI-@b09xbxZ&8H7$1XF1$euFl=H=(aREr#s5T_xC)u&U*F&3a@%J
z#+K!lLCRo*3-Q;-R&oKI<Ey^l=W6cH>t6N;Z`orR<xrg#!(Wd*w{^Yc(!RvnVWM*x
zt@64qYVuhh(xSCyysHTQXs}1Q5ir5Q%JH!E8SJO_O|w2Lc+J~RHtpMD^bICjfblmo
zh-w({e%da3E9vgC80yk-R&6mDQMX|VL>PyZM<L(%U&9Y|MjkN^-o{o*T(+}Pw$$2x
z-4`&kc#3Vn{7Lqt_fThyRE<Ho`Ku1DS>8J|32}OI1C|f-g=U2{UrXYd%&%N!53yao
zC2k~IMos12tUN^xoV2ECr(LogeyKW}yh^uUq@vAJmD-%rR8Nd<7bc1J6&J-#=H+)8
z7gkuAN~6t-s5j15wat6KPD<p1n`f8hv?3^tHLqcX*Y1Cnk^0br906=VjY}>0TgB8C
zeMcz}gdBkgCx9JY=SbKfEY?4vg0cs^#iXjM61BWr6F!9gBA4bGd6zM442w$Z8!M9}
zBm)Rg2OHwIj2EwS%ps*ef;Bj@n;BEBKU*683W}-pnJG?6DEPTiFC;Ge1jqF*Q&vyl
z`8lGd)R>)%n#fRDYHFS8I&+bc9j=W+*pD?yqKdH!*lwn#I8el8gX~hJ@>||h6RWYa
z50oUb)CbMi`uRf)DG_l7MG9uwJFMiznzPc<W71Uuvkx9w6h#D;KND##A&7d(eHfmG
zxe6Vv#0b1IDevu2U&=&y4K6s#5}lPIg%XQRYI71tlawZIa|7v3g<xD-;&e!Wjxl!<
zDWqGg54#12!soz$I5PIet+PDd(@fHhXVg$H>HRd&o+qn5(qGL$+Mcj&vQfljoq8|f
zx))9(M1TK@`JWo)(|L{>(T7zAzG6&_HV)6!Ubc3>kuA@UNWJ?8BIRGdj88wCaxu#Z
zju<G(1ZwR7-$V7nV`r>TwI4(RY)Qpg388F_^>Qqq9u*oy;GAt9+D1<IDh(}}yL*8*
zd{a7v&_O|izp#Gv9O$(&YEDVL>zpBET+<i%L9~{V7PJ?IFFUAcVLozlRq|+sptPLs
zh^0oi%f`;sCHdI2Y-_nwr*yzAKOEf|hjGNor0Bfla&%Jmh~!1?6i*ub;XA`edpa^4
zeSc8prz!qU2TI}6)a#VVgm1%vFw~;_d0Ar4`DS_bdjy9)^J<R$_4rYVz1SskjFQRC
zUFQdRg~zv+Y;P}nkLcF!1*Z+W&CO*`L%}XIDh%o7NIUc6L!72k<LWjtbbXxLc<~m!
z3%?3W_^we1+9it>T>cbS)JENjqUFIEHrdNNIrucSd)%}RUE3k1;$Z>Thi`z}1&wsP
zmV#s35<iD*X+qkMmDq<nKm7d~EtsCBqQBJm?g(#5)%!`~)<%*scEqVl$-LE551{x?
z<8;1bPR6dpMS7U_tHo`OBZl$51&#ujw@F>TeKYdajoE4PU+Sp@c|u8A@q8bD;d#GB
zQ6)kI)zRSVSP+@)qZHkbjbq<ly}esCDGwjEkj1@^!t7$=iJa}yRs)WEvBMdZ=w{R5
zcO#MIr<rTrhgxeqFmhSELyaC|XvdND*t)WVsE)dsDTm~_3wpJ+O>(R6>d76Z2Q4YU
z{_f;$jwY%#Uf>%;IR~=rM<=&Sw4c`=d*fP&{g=E^_<k!R`Pa7;GPR%+-Pw%wXd_-|
zIG7lYH9HvzANI=0dhc3MIOcb73`b=qMo-7i?_~^T)aTZZu4#Z%r@8Zi9nl=kgSqZG
zD%zwD5*+Kxv&>6ym}7(8xba3I#q?E0)X{jlRzA<{!f&Q>)s3ACgH2uHdZW_GJGlzu
zEm@q@5wK|YxfDn)uW8%%))!O0Bq7FoORC^DC_`SutY?$~QR{sog$Y0IUp@j0*JYhg
z@X)DA{}5~%Zmv4u&g4GtyH}>WGw=etwAtYKBW`eczxHeR!R*gjd-DS>VNZ6hpupIC
zDK6$43o;dpZ*i$k#05{cXFY;FZnG!)PJo;!An*>L)@+sa+Anl>V$2RjEb1G_)l+Sz
zSmYO_=HqQt;d0t8Blbp4u6eRj^WLag-VZMxpg+-=D`j8r-kXl$%X|JoY>&(D!)Mx&
zb9Zrb?d9gpg7f7ZP3@m=N#A;=C+6-JqjKWzJUMGhGtNa#`^IGFF-M-;7pI!@cj&wq
z^kYf60cm19Q}{P$J0jjPsnn>p+?o;-Mw+aeF?7vyFZt!`8a&xZBuX^|D`cCu^@c#0
zA#rf@+f$ScWKKZ&u3hR<D})7X>l-GAb(R=-X<Fn}C<lHv+O`|9J_V-t=Ern`Gbs`Q
zi=IB9+Mqd+2Y;iuw9*AxgeZ?JW_C22IeR;wE+prUy?^3sI!tyZ5vnIl-_O__RDVY>
z?ffXqg{!*%KyPP1vAM0-`$SJys#yE!;$pMbv@25K22@Y!Fxe_g&>s|cC5^?+7xcL;
z59671mp08_)x|xMlZDDch|YAAfx6yRiREPa==+#`St(qE<Dab?VQ(UukA?HbAu6Jo
zLNVtvW9PBXRu(Co^Ix{I;M~aN$91=9(J6{@=b{*Ha{+b^tlf0n|9e-5u(5`2^Zi*F
zYgK3=I`<Laxa@~SpfJ4-E*ZRK#PU>uy+DCWKBH{a$jte&eF@G{2*0hjBxefP575bj
zs`KR=g9`-PwiTRSs+qjezLs*_f_4AwD_NCi(vk9Bzi6?lLoeFFI-;uUr;Cg1Ss0s5
z8IaC8mJmhGVS3r8`?7+6Q&G~?)<b@^oREMilHh@*+`CAls#kZ<utUmdlT_1r#Zb+#
zLcPbc7Qngf6-9HH+pzJ09b0`MH%u9P5UDwZ?_6%kPMMu~SkNv|AZ{GDV*jrPEFe4#
zzBDpzIb}86o&*W4UT7YRj$+05>G4WauPy*kIAB*hL?~pO@+oyBD*1J;vzngKTe^xo
z?F9d1-}ttVdp~y+7pvhud(okY3;p*Z#013~6e$Sy+b38(QRGae!jDa54)~SI)o^7=
zb&A%l_4V1*nQS}M&L1OUdBjWSMp#J8lKzrC19fD}Z??TsohQ<K#H)p9S()ppscCkY
zxuhcDn>eacueMa_nYjMjMqAg>TCDBueY!l|8W8d1+{YaYWdvrEez`Kvhox-;0$|5*
zKd#2raIhvtpSr!I|1yEO5F?I#Ckk$cZCg$z3d5fa!^eYcbM26HHU&gxntqEDyCL>j
zVG0fvUtJRj5uJ)88SfgttFUpCm)tvT*HL#u13*Pa;fjti<(C6zObUgjh#exD6?9kI
zdB~r;AoFE+=zbX4FX&}1hAKj7JQo@;9nC{;FHs59f;7>65>u&Z`{4y*MG5&K1&ojL
z)iQ++DO8sq7S)ra%R^P%>@%;JS`gIYg6jFP+(Jk59j%t<EJqe;5$m~6F+2ND5L6j?
zP-m&Qr!)TOhR(Qy*MgBB3IbCvtMz7^uRqi%2cAh*hvqjAjR0y?;rs{ByHodD;zJ-6
zqCzi+$Gem<n*?|XtJC`z9)bpc9s(H(bkOdU&gI*^3Rz$5r}Y;n$#xZ|J(vYT3mO_N
zDDI`%Jbj##7ti{D6N2!6{rz7s2cQ;0ucCP~bt`4yD&ta^MCd<%y!pnAX=zPS0sId0
zU%#6&@f()gTRA3wJQ2qoK_Dy12V?&F_dCcG%<w89m24JZ5F#W{MBUe8xn`|>h<+Rw
zor>VWm_J#m0SacY4`>*Ls6`sg<}6i^32Bv?W5pZVJ@Ioj#9gA?U1S>zl7Bck^HId5
zoe$g&n)&(Gf3VUd|CnrA-v01&UJjA0#yN~f2&UPEN$!S@O|;yG`*O>>IMoT&dSsC{
zGrvOZ;R)pyVcY`6*&`l5fOfiN+Hy<1W^88X5U?>Uk@MRfir|#q)89WNKhccB7b}tw
zp)mcLNEupzW)Blb`q|FP>PEYr#t#ziz*C0p>#br(5p;+DmCMi-yUhE)ENI@-9QLz(
zJ}zo%mcPE`3=kUS6a%5^FDPa~7d#ygAoDT9{z`4midJi5QXMXkFQrJ&1EK_gZBh3y
zS*;4kyil^@@HSC1`8ClpC1h`M_N%kE4R68NK{=#2rU_U)d|hpL7?|U7Q}CJgq$P24
z#aj+1;CiAyH8z>wI!q?KNA|y)-oUe>fAd&qqBx<6E>PNYp7PXT!>|^c;4Y_c&^Lx9
z<g=oSOCbiZsa*M&^X*)-IZzE!0dZLUR@o|(fZHa)WORC08842vQ3{H*=jV|O(D9ZZ
z7NPf#tCL}97WhLlds=R`EMD>&-fywOyq}b$jT=s`-WpcEdKfu%+jEM${QAyJbqdph
zxpxDVck*ZGW?uOoaO9YMTf7jmuqxSQ{7R*em+O4yA-xeQ$p#D*s;9|efTOg0ygYDc
zqEV<T8mezA)HBV59p1-kC?BF(a2(r2929FJ)<K~0D}o()6*|I?{|;dDi}Vho&~D6O
zNCN#)Aq;|pY0jw{Bt!p=68R^>0}lf5Xo7wPzCGh#4+l+p?%^E%-y?W828fth_&|Ac
zq09y0G;D{ZtW(;ia(jLQB<gka1+v{+(gzvpv`uEDi}D3K{6MUmY6$?kOq&N?)5!wa
zc&aIv?JTb)cr?>lp|7+)1H~4gVZmTU*}$kevpctRk>!4Si^P!niQ%hkeUwMRm(v52
z4UQrWw^GBD_W)y^ru%Nh#d|KlLXcGt^YW$ULTG5zJ~)oYKx7{<s_}sFPDz7i;pM}k
z_Tg{8Gyj{?bB^`DA(_yXfrf(S;o1THsPPZ22>keeeyLLUrF(0N@*^2KFwPA{z_M}L
zUXezgWGpgkju^<(=H2oKjs+tX*l{EQD8J47`}>#tp)av+fvz$D>dPmAHoS9}OtLe^
zAvU#t6ciR#0D?E+-8H4XbBC`qfa=-`x1IJ@n+Y~KDY{k)S`}~O`=KloP?4d-P7mc%
zEH`aHB0w9}9X|KoaziEJ;oMeH{3o#)bvpNK@kdq|cUu?e;a8ZE@flcZ(9q;YLY7*{
zoARdHpV{_KyFhwsji_KI<y5bkB*f}hHeNI>Gnb5Y7@G(N@=>Z^iz^udttscS8$d@(
zjBP)^QMF4JM`Ve|_R0&N?a2@lFtYew(*bo)#B`t}d9l~h4)$h?Kr0|*yFGEB$U%De
z8|ZLouM#h~>Uy@KHbP+3`O#KfxD=ZGj&&4wfhc_V4ob>BpVPHnbm={t@H6YJF`tq&
zlr3o68UABO&Dg>R^tG&6UAe>ykZj&G-}1WsU81gu$x`;~&+e5^YwYsM3-j}p<5%-?
zQf<@re(}OVGB=Q;&P^PtMx(fXR8}w7Q}*<mKpUfAKhVOj0+Q*giyBo}zoRz$?}c#G
zPen-E1ERcxzHW&LDPoIzf0BE|{T%0V1C`K#PZqZuS#t#KT3x8X#|$rjur5#dk);A3
ztMzg)^hHUD#65i9dUX`}%k*H=w8*L})nR+oW4zLIe=VVf6k>61G&^GQW6aZXVo5{&
z0K)xgvaq2;Yb>9GenxY4xzuv)`pCHE&3d8H7?vBVPECvtxAcX#;tP$iom9>U_S@g6
zoGmEFdYgl-gMCxU!Unxl&5B^2RYn4x1bJ5e06&WA*?QwfoJ&+zR@Pc-c5C~(><q2R
zPmc_%HV)XYyBs3-=npi3M;*thOCH863P(ht&XbERylHN|roO8W*<v-i`5BV=p67ab
z+vxY+QO_Xgth^j5ec|AJgU<Xf0$mUT-Ns+{)1t`Si~%=qU74(r-|dN9V0iq-8~;?P
zc`vEU_nR<oQOu~`w;FP^D4lEyp;YII!87Gt_z0@!+<MmNS{I}ip6z!X?8plzve(7a
zJ%(Hs46s<ME-t-zLzDYuE4z2x6vRGG^xm6&KV<?zP^647VV74;QGv0Od$&AuXeL2t
zMwq19tE!dyqOi^nN|9VGr1?1E%Xu{EfqsT^&m7i%wK$|6jRsv%RG#W7Xc4-lGA<_u
z{zZ2ydp%3UuZ0V^D*W2*3HaD)Y;n3XrlwWa@H``DRP3{5p}Nl#X-ika?F?v#ni@hG
zk}GLw9z{HPa9;-|RI<8F&H3b=ZF#1T9_hw0Z|%eT-YL+B?-N*=HB33B+?={@@0Q^b
zNv#5NiNdZGSB^#>QgH<N2v6?^RSlZ>bWls$@A>WMb&Do@eVhc1Cj02_-26LNAt=5p
z!5bHE9dN&~V`0ITZSI_fGV9gBfDCT}614NA>gRu>Q=T!zy#7(?3wna?>94Pc$nQ1M
zPWI(RmD3P2R3BRy@ayZc(K1#pzQ5<X2Q=#=+7q|hkqoaJyG-|fvMu@dh#5*SoV4Wz
z78#{L3)C-lg3~dv|3cP$t5hFC=lB)Q0u0-68KaBT$LV$~`$hcP9>6?<Zwno~Id*ox
zqnU3?i#V71eZ#}4l`m(g*cdmWa^xvkfy!@A=zcFKoAZJX6dI6$LS+cuB}YWcL<}t2
z*sp&27|e0?GT&hU@nb$G&0)D#8~3KFensGPZu?DI=5w`gwGsOIqk0Dg{1qm2cODej
z<zx!BJ0jOnORScP^9e0f$`;P-EbU!ZdyUHZ?p}3yl34Ek{_=rbNxCt{R4VSu_NQaa
zL!dA3V!V;Vs<xfoTT>NRKEkfnb3F^)$LUr28xw4d8hKLdpsNt?79E;7?jZ&8i>cGG
zT%C9!#l7=gX{0=VCMEo6sP}0<u)6HUUd#_H5^UL)IOo|Llph#Y?mYF#XF5*rnXY;4
zfcCc!<TD)sI^^sxTY1xQ;+Hy3N6@$ZIh_e-(*`Y@Nx%`&!ynfw7;eS4u&gUP7_wD)
z^ex>RqVMMh18T|6Jo5CZ*GH6S9eOp{tvS4H{D(!rW^nJElfbY33mYRv$)fo}A7|cg
z7=j+PK4Ug-KA9^XzYbA#((xyc{k<C%cMJHuNZh<|!SR?d%6b$2L{C<N-_TDwnJ3q_
zE+hT*(M&qS2SKpb&swK7N!@(kwFi+dtB{lmHm;jZ0Q#o&xBXb7=($Rrs4dVNwJR^#
z#}#m2IWes4MdgAZp{v$d(Ku3jD~jzn3rBQ0U$4bI{($_6l>EB_&rQb#zgrvp1#1uE
zG4!KAYkai4!p-mb6w(`kVy6!I2mXoOl%T+>U6k&M#`66a5(tUiGk+!xu71iH<93U*
z<CsKLz`=~E$<1udjF4(&ETFD`Q$DMqpd}xz<gYMLTF*VV^GJRLYkoLg9^DDJz$g>k
zc%0TggH&O&<JO-oE@VtL_7h8}kgYrCcHyqmbFs(lIRVW;XEuWTc_hs3hegmgJ^`H?
zkL9KP$Tka(oz^V-&C{`t1Lk*}&S7XTC}SJ4vn51W+qJue+5C6fOrK52FbMLaL^<69
zSb(G2G0h{jxTTr`-QZMmfsKWQ1;8lhBr;-ma^8NkKAsia-`ENIbs5h%z8{X(@rg|~
zH8e~{q)G9{JrwTmMa7h=J=xUawv<+y_q+e92{dP`@{#sdx6DweIr_ep3_C6MaqC2!
ze_~2e`A0gCun4Ino=KeN0UK+jA2=37*X;Q20QQ;D2xFc~f-qRitg5UP#LgYRQK?!p
z<9RW;Q@Z^mW7}_YmWm5>=jRgsq&<30zpo0J^cErY;f0zCo4$sV0zUk;<%|uA?(SSd
z_p|ammk$U&VunJ<;wWyA%AL?Au?Ew_2fu1r8FG_7&TwJksLX4PN+-DVNNRCe{-A`;
zJ+?m$f)>J!n1gy~OeK13@pKm#WIkgq^&kIuRKF&q->8D?GO;zEVXLT};3Q4Q#NVU|
z!%h*pMTs9g@#Wx(F&1T-g^|fA5&1sNTYQqEZZY(T87<kmdvx4$nOhZeA%D=4<5r`(
zs0EuF$c)Vg{>OGjuMXoQkdH%knNI-0yy*qswvDsYDkP*KgjAS=UQ^5d2R@Q@ALc@w
zWh1lb9|zx2hj$V~`oEn!eqHgRL++<v|BZ9lfu-`%Skp6cI}9z#_}S=j!086Q1O@w3
z2mMK6EKRlvbn!P8)$y^0>W!(T3xR<abbnZL;Ai}%1x%eA1Eccc0@@`|#G;%5mxJ}b
z<w_tI(In?1lp+ldlm=nyJ$SCGf70<o`n<^gs?7l-V@iAmmp{~3yT+udSCbIGuvz`V
zLO?#WD>BWs!uPZL&p|O|3y$~?!;JmjJrgb!iyVp<{$e1^YSKK#2faA`w6VcjL4CHs
zw#T;N*4}Hw{)7Y4_<o1%17$Z(<7+ShCh15`C(Q<j5LsOF7F!lspg%S1K|+}0wfe||
zowS3poK$cA>JBF_+B@!xcry2BPN7Mi6kgh+w$N>Cc(yN3JI3MzX*ycy+23wkx_gd>
zgG%=wSx6LIdO$SxoO~^O>yo7m(WKA$Q9{^QPEzp0SC1{K7wZ0`Xq`5kKFt*~S9M2Z
ze?OY&15#^iqz=cQ?9r{(eXfmrJL}Z<13X+&Z(Aiq^q?n})@Cl<+$dXBK(_nbOQ7T|
zHsl8}X25QN0KLYmDo1|`L0DzAM~T~=Q%i2``?aNJtzVEeRr=*WcsL@Y+V7GodZXDx
zs<k9Oc*Ep?>JdtvY0}H`EFbG@KOwmn@Fg<K+rOKvyzvks^xqMsWrd~a-v9Q@#-K>?
zusm?H*t++Lt!-$4`3oqz?q--9gjvXPfreb_Evhg~rM=lk%^^kPtHQtHVox2;kJ>p;
zm$FjpA0BzUSze@P=4J~epEO?|K*8|o-^o(IpHOl8aQr`I3V=EZ;(1iGHT*c!rMZx9
z4GG7wMUa~SzqiAS1L+yTxOwh>n~3zkEO5j+jzgwk$)BNQ{dY36^RL?e|NjJ~0{V3E
z!b3f~_S1V`Ba>tg_SV5c%1FwXePiH|^R23*k_m`GV-GwC(HFDrQb6<XkE+u1A7d6F
zg?keucCQ1i&>ijyk62m*M=A->OB)3Bs5Gr9NXiaHl<bj;azHLi0C~V%b2}uF2ZB;i
zfy=3J<^+qH@nW)FaT#Rk=Kz9eNlu!zN+{z6QwyYENJCimuT#A5Cql%C-5-Lum9sAY
zT*RY|omQ3Pci;IzeqRTAFc{D57Kt#(Xvbmo-Z_|~n3?u8>oc8FO^Wu46VN|P*bN9u
z?t|m4{$%DUL-*KHnu!*$3K_6DgFx*I3hW8Sh$JJAuWwi(7bj?F$Q1G4+^O#J>wFY`
zak|--GSn<*shzF5YL*8K(5A{+(tshF`OJs?29P?8tbj<P&~>&`_<N4RBuK|*vIj$s
zrfWjZ0Mtol{}r=&3#kYYrHnEPMCDCb%&|3Wzb4_)&5=pQPK~s}EIRDzJ=4FxIN+rX
z?0ySKXqr3k&0gAiLjj&{OXYNIg8CCVAGH)fSU!dZ(GP_$PbbR|h^z0h{nA#@eD!H}
zsLDB$kW<caKy26-$RSxsF{Pl&xdj9SM)%zAm|A4=kAj4atPN#&VEX;E1>XV*uqzL8
z?VngY3>L1LyUOMUwMuv3_FZ|EW{4UXuXfGhE;yr`B<H!34j(FQq}{)mL5CH)*05E#
zTz&ZiCTC$F|3}Ib;pQ_PZ{BKiL`x}I81hg3lRR6~6%}v6Ex7n^fwcTFTVn0T4;6TK
z`hCRKsK;R<t5s=1e<v804XdMomg&0XX34?1pNp8B`hq_W$Mlt15iBuN8o^e^M1jO=
zd%T#W%%R@+a8`gSMNvO3&%?%QP|zQq>&Y~>oa{o9(S<<4oFihJxmvs4siK>y8@DXt
zH?Pvd-%EFiAGHcKVQ+INbYyja8&Upl)ul=ioNqR1A9-5I#%^iEKbJe50oMaD?0`_t
zr<q?ZF;t!3w<O(j7|_~g381uK16;GYmDTTmhZX2Td0)9Mo~dqU21Wi%FEaG^nQPCi
zZpGYCEB~MvG7M52QlGZEJ3$|0!$!q5HNzIygJF3%k7Wno)t5mZXj`{B)r`CRLF^9e
z9*3mEdsK0!Tc20N09)m9u0@j{Cs?5>!`M6ZvaOmUIE^XqhU@b`SV>2KP^6794NMRR
z)bKJ`IN`*>5)T4fTysH5z3uP76(rKmy+<yadXFF8?ex?CE=U|c@Bd>pv5EWl;&aCo
zT9ppR|GCQXUoY+dZ~N?j(}Y4RHO*!Df7AMILKY>z$Nx)_>F@>rdFg+yz<;j5f3CoP
zuE2k;!2ic9u#gL?<;b}ZA_;VJD1}^dkb;w-qFKQzpu1fbto?t3VGcK)HSH4BmZ?bj
zF=n2PrBMPv`4oLfm4hQHP08n3O+gY04F!UhlZMMkl{2}&1lb?V!2UDmdSEmt@}Li>
z;|J~{jA?E^o*;{>Eh;-fGf?VbwH~|;u6F-^i))wcAY>yey;L=|h)$yx8hg)Y4FKCG
z;!s&86htHW(2#$u%_z<T+a`=_7b<W+7u)xb(Fsk3ENORRejP6VJ_ai8LcJ~wEiAG|
z!N(3{sjx{;y}fO}y)rpaY%FbrLllvQ%9?}<ya0ROX+2i7+NSpgh2-c@%(emD4!n4)
z?dzGik%Nb+#k*_EfQb){wHUo@b8s@om2d-4{f1m;kyN57ZW4(1hJ2RmtO!^~kM%47
z6{z_fP`60?lw~X}{rRD#QQYWS24JKdehLtOMF4wdx%Kwj#;`@;ThoHv!j13bSwh9o
zMkU%SnGv#Ned*n~Ok-X1IZ!7my&rVEdg51@Nc~*SOvo4(@}i|2o_4y17nW}aimpJQ
zZoFwndtTA8fr=;!_*hF>!totxfuiansNG25v3~^@hQ)z^`v;;fzm>)l<UDo1R`+Kt
z?rSZ)gj~(c5rN@#%q9Q5RdS0u@<$QnSB&~@-oK7I`h9^Tq$}_yFV36fM+?yjk2yDU
zBIdfUNXh|=B~T<y<Y40C5VKd*l65xqr*0NYVQ+?M!Bz8{mz21?zNodaf><iu=AXP!
zBlkTpsg{lc_Y{+#&kxGZs3OybG03KQ7?kYiXVN@>h6>Y{gV-?D^XDlDu-#nfZv(gw
zF`lu&qu|<mU?p4aOe@LyO9zovF0y|Ausg-v@2pcJw>IC=akQo%2^ATb9L`1gg4qiE
zSjXyoa0kF>#{v}g(njsTM>-@2#$2JjQ(27p@ZaxI;Bc(!EHEZpI)Ex~RPMOqV~}|a
zG~n8u{a6rpLI70d?Jk+#*4EZSpRFZf8n1~@M<fr5uw&)WBosDV1EP`QVKP*d59an+
z6b19*fp~+qx@<pOk#o{_Z;IO^Wzt$2&`$#5U;mZ{2K+gFDOQJ9d|@cNqN0zMi?T_a
z4Gim&-Fn~lmri#Xm|c(FUU-p{f=Fh(aO)E-$1-kNj?m!WKnV68-*45ce+d#GEXYIk
zK}QyQP>&|J3Y0+eV^pjff)CXoc{v#A8ld+QXI6ww{q|Rpnoiq3VRL<VqjR318F#uL
zz@>`OD37tc`IJhKgOaiS6s)lRJ^y`QLYY}eT1*2-Q^7-_pq<<0bNBGm-~zd7E$dzK
z;}LSZ);?frX#>x!%ZHQJdn5uFI>G8-aYn>^sl%6p91Fv{oc=N2UVvpSE5W2(4JEOY
z7s}A$h7W7L<oXuHW{9>7CsrB}E=alMru~z4rWbuL*u?}!fJV7NoE{_2WC%=Z$@ifX
zHgRd;5vBnZ!TleVEPS>;YxxDmE-9ljdn--ADy#2QCs2kOZ!UwS<r@CfQ#lA8R4V`u
z)xe1ujDV59sI9+7vp;$d?SJ8wdjXuP4n?$^=|xZBV}4u4(x7>c@rousO3Zu18V8K8
zqSqxHM&`Wn`y;b*Ry;gB<nPxahX8J8g|!Dh5TKin?VJRU|H?QPcW|&ol&m>8%o~dI
z#`>|W51s*>$DK6XUtGUy%NDf<4*I3XxE~f(viQCG32(};{R1e^6scVaWaN?=Dz2Wn
z$QIQnLB|MbP@!R6O}8*N1CRj>K=XdMyR4(e_r9GMF|mi%S#VN3$KGYUP$S?xN@Q0)
z9dj@!%Cvt1KP=Ed3v`UfCh4a8a~9GI3YZubpdAna+{{r=1B0Xj-umZ_M<s=AgH+*9
z2J{s5#&yLv__VV>+Us$y`7Zm6w@InL8U*c-27t->%xqtK479#jge=si`R{w7Bpp*x
zTn^ft$8Cmz54a6(<ukpplV1OLb0l|KdBa>y5ByE*dNFRP99X8`^OA9yP4O58pyCK3
zv+Xb9GD!HL=EsuqPn$n%Hh?)f%$M{2XEw;_eK5c!%Lib&qjv)^;s1I_SY!Fv-$4H3
zBbNX$CH!~Rpr#V11ppd@(@@=~kF=;lZ2{zC4U9Q&-`w7U>iN_XnzX=>4^CqMz?|t+
zfAu9Q&=Yd)8ri#bnGaM(9=W6~Oz<W@xu_Mj0#amG3s+E2FoeP4P+YR-;Y!VC8E@LA
zlJhq2sI80jh`!~J?2PQ+9$iMxV$e>Lf3mqTY~2Hu6qJltxwJ_~@106EI-2SQfFLt+
z%Z=1Y&Z9qEVPJQCXIC&(_lOMWELS%!u|LC#N_>g5l>GATkHM-Ulb@;AShltkN9YQ|
zRYn9RDMuaYJB~rN-QOQJ`KoL{%OEB4U^_B4A>WoQOsbn5>UvN>GUKKswmofsJ>0HS
zGVwzFrzT}<+2cqpSOd2Cl2Q=EHp14qZ+kjZqzO@1D$_b4tZ~qFCx}^YPK<r(T!7Ai
zxs6R8y`U|=zd#S?MYk(#glPwraW@9OZua96u32J#?>2GoE5u(9sD0+%50mgA+fz^t
zI~?*^4lkS<>t2pqOBQ<f0en!iAeYQy7*=}}v9n-v?G)2xHpOp$Y)yWjh_HDgF_b?c
zJK3WoP^dX}{^F)13s{2ScHQab+PK+NpGC+NzvM3M)VbI&T^@BM16c?oeRks)SSsTr
z9_KRoJg5r|(eZ<dA@N2YpvvTsTpo0;N=IY0dN$Ry_p`eqb$8R1q9wkhdPE+sc)uI$
z$yN4ko~1e<K4HH4i0|0iL}QQyR3*98@j4$Na6!s_L5EG}al-T|nk2C3eFEa;Lo<2$
zTl^F$wtm*oPg9wZa*h<~xPCg-qeY`jR%iW>6-aEKQlM{=1uPdA%@PS7lvYLE*PCj3
z8crY@AUDhJ_o($Iyr^`~<NC}xq{6Gs5t*M~)c)NX75%~|tX1nRcJe||G1q7?rhtE-
zHM!5FHL*_u*vZ9b9u1z{oh*CMrAg4Qw1o}(JuGlLSW9S7C1igbU}F@pLj$Ud!%k_w
z*WRAuBnC!B0n*ol>EY~;V<G!w$AbaJgN+<{_hpOuzu?MaTQMAV_22nj3)%~R_Q1|l
z9SUqmES6;*BjwNp_0^HJl)b<4`?K7Y$q!>i?~W)_^=}QP`fsoo-~;nt#T%HD`gRPk
z#tGZ?1=M?Aw+yb;_`zOZGC{kv)|LvUVkcWH&JDrXYrN(qO>m1p@(bD*P79!u*PlL?
zEt#u*P+hB6Hm=<Enf59L=)go=1d%(Q)nB?~XV*KCBIa@qEpA1Mcub0v$f)dj`I2Od
z3J058`>Am}%)-sYEc;J$jPW{@WOM$Q8goIkoBvd0_E)m8@r%fTHwd2i(6M8amDbA#
zTqEZ=l_+z&Nf=J~@ry|Z5>taUOzh*@pM7p3yFAwX386b=-`ADgTwG>u<KnY*4HYxU
zC)H_UOGe47vX`Wno=;vn$Oe2N*S=zKS;xsh)CsjO)5vF*+x|p*y@|gE^i~t*&`hZ{
zr+fS+9)J$)vRyLkZ#O~U3#&r{H2K-`Wbzhh4p*}<*P7iY(4Mh3rzF3yuXjSczh68q
z#ErpL8xEWqB*1>bX5J@i!<_+l05!sJyMtD@zWOG!o_&Y9O<kjM^H7NN=?8U`C_=*t
z64(?doCs#(TqqaqZ_(KBj5WxkLSalLcb)}ndVkr?Fg}KnZ(Z^qSD}z9LVD>g2cUt_
zXFQrcW{ul0Qx@K+|F|V&Q9wL#MqJ(*a7^T}-@d3nbvtNSnGLb0m`GY9UaoKrd@ZzX
zL(ucKg!-M(Phdvi<0YAP_>R!(9`|rIbvoEi5W-~nsdGqFl~isK$(MG{5Z7AYe5n=c
z*Of|7+Y~5z>R|Rg5nb5)VS;{%``~Q*pqQh+3(?&kCoHR!YDbOG8OjvcU&L}2V+S#I
zwKaXmH>A$`uA08^N33J@*ZKne{6Dq{U_Nu}xz7ho$m06)sjJoHb3fX=cSv?fgOV?M
z;B7`ygC>ZNKQ)b3XTM;yTZO`ES_KO{ld4_q^<0HQ-j=!g)S+Z%7k>1@S4vlEpH|d2
zzFz*pBN#JOKkB#oill6k`DKlJac%m%J*ALq62me(e!nqWzF{W5SY^QH3enjLH*m@T
z%Q?nuG;Gv0x8q3{z_^rgxr3V|;xJyr=DkbNu;^~`zP@}7o|zDb8P{6hif#EIdA9lN
z$l$S>OUe!nGefK&FWMWQqj6~_l_+(QF<G7AC(7gSV-bzc<Wi=0Q;YcJjS1wKg+G}k
z`0c%pF@tydgK-`676aG;udho-axynhwWb@xI?6dI45cQd{OINsFT%Y&_<*yBdEBP#
zbX47BiD?pUmNJ}(_8!8uOxXUcRrYZ&Q$$k9vg+9K`pM15?ckg}9apvtDXEQK3A;P)
z^?DM6KAwLIgsi+Dt<U5DiJ8#Tg8X_;tw(A34E(2a(?@>Sf?M4BkeNq4T5r77icc>;
z1p{dj>;dhz4#`l~xgh33U2IV<{9A!j$w{u@xcf;esK^&a(NdC{+1dH#0(YbMC^r{g
zo#1k!w7!lom_5TP!c6o1b@E_$<h5PR>w~r<OZ2&7FUgKAeCxS6Vhdz>)0jB)i!c)Q
zsqTWE|1#1NcHPVh3tME~w=?~}3Oo03rvLx{r{2;>v<^ygSc)79MJS94$@xr<%Ug3k
zRL*1DyA+`)IlRgFY#2F}u`P!vV$REkk(ilnWDGO=t<U#&eSd%c_U~TT>$;xT_1yEh
z`{Qwc-0ts={>sR5L2t2Eh>=!0nTLHH{+Yr5K;FAF%;<S)()h33b~;l7H;PxYu!3ZD
zz7hDKo+4p~tgX*ot(n1BS$?*=oZ|iu7oWJn#cH@0-Uuck*_9|#wY?SX66A-oYM%$C
zWoTW`PW0Mo{|IBt$sY{gg8B&HWX9BC61Z+`2w~kKB5^#=tHn`HZ7C#nX{X30tfR6i
zoB#Dst<xdZm2CzeRpv)KPj+rtKCGP|x@=PzObJ(eXv2=}KkQbnt}6ZDqDhuZ<w|m{
z$P;Uqck{cFCxr^2V5Q?s@s~q*Dz{dG++E%##=ph=PPjsB>@r@2ap)i0k<a=W1CBo`
z%8)l}r0+t+dyV5?dhzYxmZmMZ?Ii2CF2@*DZEg65ai>LH<t=|x)1<-x)uVQFXXOXg
z%H#d_z8l@P6?8wnHjZt!PI8vU%S}70j=yg^_|7Xv@pCRp??932%GzB4Q%&H9==Hx1
zG%;2XFB9!f@%6csFqGql*~Cv{>LVP=b7Un^03sw$F|KjH6m-8_t*=~b8lR>GaiO%*
zinb<{k-9D}pZ34TVI3};t4xQknK=(eB8-2V!y7bWuNNwpO^w_7yr5NY-}~iCJ6(6o
zmBhGb`5e89P}^3Ja4`L=&91-dSPt_AI;|ZQm`~Rq_!2AJpq0dawxDWs3{p|`I2r@Z
z5-e{bE0>4|e*O0=S|V3Y(V>$x#FI(wr-J0S-QaM9!ey1Z*5qg-^}2E3MI_r~a*EHe
z1>gJY5RDkMfl2JX6&$@9e(SFTx6BDE{D_tVVkW3yGi8k@#AbgKZ1!f@(kJC8YFV(o
zdVGWQ7r)QyGtK9)`AzrUG)0o0oDl96Rg1{EmzxhG?I2-SlDI7&!|5aPL~u%T%^9~=
zhIfrWShe!gUAqFv8GG6%yVQ1+x7n&LQU5_d_Vm5}$%?Y~KvBRKV)=kcKjuxSOGVqH
z?FUZnUHS%~Qc&=$i<VB^mQD=$V@v-;*cdH<eeIolf2~iBO8zri&^qT*%d62sXS8|^
zhMB=p%nq)c{%E^1d$jrqT5BKbu&UP5IJykV^C2q{R5>3Oqrh_gEjMSo8Lr9?+$bQv
zddaPEdjAKl3SIfN^rvVN=;Xb>w<B>VU9{8D`igYO#U?pfCufdYYo|DME;ih!y+$QB
zJA0rt>?1kjYjzi1%?YNCM58aAeY^R2Y^rYJ;)M6cyRe)upMt(TJdKytx&&D?%3QI6
zwE5`l1Qd>ZuYc(D@4>5(w<0YMI<Ab!-YXH0!U&7pGvhCv`MC1GOTVHE&TI)PQ?vIt
zna_r&jEAENdyH#5xY6D4C`8t43&vFD;}FZszwCVAIaY@5lF6DAJ%Msfw1ijRbnVq$
zxZ3x%XFz!oBnh6@21eX&f?IHMZ}1amTY@x)ypc^@dv#PHYfw}229Djd6bqod1MwTw
zxe9*_z=GA6?d_yt+yUHP%AZW8tzknz+p)gJYW{oQ8rxr%IWai*c<RoGd_be$Nf*te
z>Rc>%;=(%@gnz3vUZlT~zIxKdT<OD`aEwr2YrU1?Gy`_Yt_sS7(;RZGE6RF?)a)ni
zEw<Ea%vWNVQ6Rx=;{Lsy@(^%WPy>;0u^?%2h@@uYVe92|=34_YqE3zw^bO5?@x9N3
z(1P+N`KP(1^r-ixrx-Cids=CkN)j)@8{1ofk@+;(n>TIW@4z|!t?!{joM1#mb!Gy^
z(K)AlkGra!9dWiTu_;71gBq$~!;XR2(tdRRwz5An-^hS}AhKQhLAjp*O+Jr(rlT~l
ziDN;!Xb-++==YzIJ~6rMqOybO{4Ojic>2?b{`TA<0|m@g#hoZHZiEXEyX0}JSIG76
zPGf#DmFzNqI}IQFV}c%5JSKHxPDjLE$Ss1;`%JJ8XyG$m^DFOLI{sn29kBcZc{|`|
z%>PfH9AHj89TSaC{jaXSF8_z6B%B_|B(?EJ+WtJ-ENwDnQ1Acte;vds14=xO1l!<$
z`)dFHW}4{e$Y5n+WD6d^^oh6Dn|&P`w;|om+<|SiZ)S#c6pJ$8dEB{Cb?v<<Tz$jq
zSU~%H#Tk`Efd1Za0ckyp%Ot|KwkPA^d^^FggAOpZnfp6=zmrE_bxZ3AsZl<*bJNcv
zOwC}THzT4sI}+y&-kH(T-DU`d?2%Phy)n8UKa#PZ$os)ll5l_il8j)G@uWy9)uR?n
zeY~|V^d&_T_T*6#m)i%OsxKh>Mj12_tb@<;k6U`s>Z{Q9;)5de#~m}V5CkXjF@}B-
zqx(t79FwrQ@}LmZG~T;Odx-DY&!WfBV7R;8+fW-tuwG5O=yGIUY=Z~3+&>;p?Vm53
zi-;^dwOW5SyeZ6@>Sz6zw)w<7V2_UiDmp9nQm-=9B$ocUT}v}st8FW<Akvk+5X93p
zSsfV^3htNisB1RVC3$WZfDeh%>*id7Y5P(1#$u1)(K*#t2-%B6U92Rwo9H(K>xseE
zxX7=OQe}Jml0}LBEUt;WgnYV{nYPt17AqBs(V6JU%{U%)_bUCZr6VH;S?r<l+la%E
zS0H_Tr%U{*FHNs{KpYd@j)!Mc5cGYu8}{laUP?abj*Yq+Jm)9v)g#ntWC?{+NLqA)
zTM)M(>ZHa6_!iZko@=Xso{vv7XsFj;Lvo+c^|cF<8s)^TB$uBderNL$e9W1=u-0EG
zVBpd|aEq*l=F!X-*J|(z{j%=>@r}_zVVSU{f<e`n=Qfuo;%9i`Gnf%B*g`p_5?s@&
z#$z}d$ZJSfhU}9HqAz~B#vy70iJp`eVc27%kH2)%nY*H1TgI?e<nNHJ%sKb$FVB9U
z0eDdPI}hBp=6hb-erx!`)4YB;=TnEnBT1mPGK?e`$B~ZWRlCFErm9<^oMKmkfjeb!
zj(LfM8L?qoM_<WLtMMO^)f+;KZOBYwRi%DRr7gl=wH;x`ClEc|E9i-fY=^av(e#_3
zRVJ|3uL1Wuhz)DL0<MSRD|ooNmaK0kEaqPGsWd#t{U<`94Ss1^sv8EQuJ%w&(XrP&
zb}HMM@&s6)@xb})h$h(KyOi>F{6Zn*9FVAC>n1yXoX~;|_uz#-Qf1eYe4Auu<|~Yu
zm_99_MVn_Emc6)8jME=fJ?HRus8k$2Rd-2|HamY-S2_At3=IQV9W-PLv8O+@`jd6H
zGRfG0%iy}LKzXD3_?|TFQyu_1Qyh=YSueQftR*VjQ6GWgwf*he8*D;u@1_Wh?3~%v
ze)IZSxB0Wc$DV6ZRp4!sp!mEv9^+5=Yw=i-m*zMpMc<pp=<wW%uZ(P?_Y`)^5!flq
z6bIEp>$bRx1ZLFH{YJILDa<u}^G2ADwuz|6VJgamr9T!MyEl6r77{{2+*oY7PTC}Z
z*wzbB(g%8KKnCUCaCWg#;q66~X6Pkm^)dyb*un1dy(jp*5w^5+ai9I3KAV!2-7{c8
zQ_i^z57JTa$i9Q!NWkBqGHTXhE)eKT9PIF<qWSueQYEq4Bdw*IiC9K86?hrr?Mf(0
zg7T+NrS#>lEPxgA9+Ge1qWal#Gn9=&5)JF7_57-R<D8Z}Z^Tz{C86VHbQrYdw}(OB
zbVG%ILDonkm9;uPtJ)D*D!p0fJDr#`yUa5AcMvRya4>|9$E}YxR7@Bn-T>jgWx&82
zIv+J+<qxK#)%G18f8D~tdR`}nFT4WU{2Z#6AAOH1`7L~})dza0gOj5jA2`uA#JTFc
zTeNMsCU5c7YK8)(S{ja(udJP*fuTWlT+7Q$pFSb5Vv1>B3E<h<4G70TG_;}7PZ9cQ
zWSxpB9ayJNlOxTGg8ZfH_Y3YQyLs>`p8-NaimdG+bcx;^@;ggg8p~6S^TNTV$?W&I
z$3DOJuQ(J_o@{dgtCNeNpS<lF_Lq)Y{SH&Fv2OFvPoKiKaj95gri$g|-iWU(iK^d)
z>diHr*jHpqj{bmH-gsnJ_Q4z|**^pj2|Y3iaG!tN3-sHZ73bOwA7@>;Kx8B-NG<5s
zY@Uz0!zra_%*ob!tjRUE?{fKZs&D%3`j9kRxLso2zJ569+)BzLSr&YMksM;ab1?lV
zENM6<fSaIoX}gP9x^QhPG>!hKuR@u`HBZ|J6S%Ihdu3Fk2+m63J7-}kalA?M!uPu!
zLt8o3lmeuSZyWpPBM>MQ9C_CnXEe|9ez=!t?7xgpU#2vsf^WM*j%oV7UXRJOj1H}O
z)isyi+l}v9YjUW^@^<2glv6WN&S`oh@SSPTkJC@1QhyjAIvBp4?&A@_yM?zmai}O(
z4k&*)s&c^x^q%b-qS`nUn_CGK6?-ItH^sx*yosU=Z-cW^mHm#3q~j&{8&Flp2iL%_
zcd#}h%CRutfGYJtquaLy<=9eCGRn2#O92ayWJ>Q0!?(vnINy+<$Y0%n8TO3{Vz6RB
z)*3ntItfKM+OUpxw@-;u_%+9Kclmv`w1T*29>ch%fmA)#tk6~$Kj@QaT#tTG=6P=N
z`rw$ls}rrqV{5?jo3@-IY2^KFt^V{5y-&7|XLmR6sEG#VE<s9#f@fB}F5NO5wyauB
zxoYkJej+pL0C@*rPp<pnL|2zH+#L=3<}V*1;~Q2+s{~IaughbqK@6q|*Gv03{@CRR
zVC@JvWuMWRoB^m?NWDn}-7w0Zp!`Kz^BHT+L;|EhB0Xt!ZNssN4D*(nk(0|zlf`OW
zrA>6<3%19Hs_zbw^PJGVf}mq!RgMp^9}HIC+g0FiK_qKq7lNbkeps2SnTtwoaamM;
z(q0r3y|h_SCo~*n@QCV4(<_`=&ng_fI@tmLI(w|ZB=xT^oZ-ukT6>9Vt{>e9#C!zN
zo7uthYV;`JbJi83rz*qNvA<fv51FM!sO=0XShdP3$b^!y4QYYiPgZiuQD&o|_2-tC
zYL-mN7vN71zsb>$6}y4{?d+xwH#kZj%REu=`e5R^>uu=LaFYqlkGK2QeDJoBX0LD3
zEPHbw2p11{xe#jcdNYRjqw72p{#6`ATRx}#JdR-q%61mSuOfHG#?@zH(Y?agS4`;3
z8XX0vA_~0dvQwvP$<x>|%}LIkz~60iH%+ezj5Hy04~ih<>@4ZpWGML<HnxZR1NHBZ
z%7pO88|R*F)dADTsL`t<3<;F%X|W84t%aoh^AoCL2rx8RvS6)Alp&v65mN%`UYX2U
z23UcQb*cGLdz$17+kDKmnr#&dAI#`9Z+L5tKiU`MMa6TvlYK0a`@EZw2p+ORTY{@o
z9ds7c1qS{+v9tV1|KFCOLtv>4ceUKxXM70Drw8Ho6{+y@mkb3fV1OAjb$8kXz1UJ{
zQ8EB5fVJu>)SVif9916)25n4eq;G_Or*2gSNvTwZr4(lKkI#91{IW|}=*qr*yR)$H
zcs43YJ+BKeX~Ft@{IHY}Wm5CLnzF~uFVwu!jS|QyC*9#lbq`87>*{eCx8`ZqXzLwm
zA}~L%Qk~G2vUS=+RR;y>inZp^pwt@+1cOs5;yx0|S%jUwwA&<+w3|AhF<8+;%B;C7
z9RIPOrdQx@G+-ZINQIBVD(NP?g6_uu)cfxdjr%mE3cM>g7tJ7At>DUEEywB3j?Uvw
zOqB)eC!|!FcRhWj5Ka`3wpd{r*A|y%EjH{N+qvHOb~!rE^WH+v{!mykJpi-zsT7hK
z?5T+6SqvB%8ywm^AOpiYepW9$P{*igSpA(zb$zk8*Oyb-9;5S7(qK{}rm&Ye_(&27
z7aQ%y$RuZ;I7h}RO5VZ!+ZQM)W+s3FTIzq<_n$Up2n3khR3Mk?mmWG`7STeU8k%)a
zzK@tpk^cg0;o1X=j;2FOyk8%VEoJ(ilupARg($yohzrB??tEp*+!xuMfYUd-R~ID{
z+rYc!I*PHG^Rb=w%>n6o5u^XvA{xMZoDQ=meV^fC54<*E3PFJYgTfNL?oPkF|84&C
zX-#=48;91nAF~Y>202rkG?2vx=0^D65RcS|MR9Spv1LvW3uLgLQ;AP{<oRjF0)K3T
z{+w`SjPmOGT?w&x^(*pw0$}|2Dfsh2M^(0$gT1_H**ofNiqNA{mWTvkX@BVpH^K*j
z%wt_SIa`Uwl`v1tN3E^Rj+syNJ92fP2*PRb*F~ribLUQ>iDvDOdpE2}4mW#0D!Dq1
zZ3++QVCx@AV;mr!<Q$oHp9WG0ni;ZLPQ01_jN(j{&Y+gy&iS3PHvdazQ*XEa)b0;U
z3c+E9pvmhgI;rgrM*c_2>6EpJrblmqD=*r#s)!#KAJp|uToCA}SR8s7c+!hMa~RYb
zbjibr`*t}^{+(ae!@LT<rF?2wN18B1{31E_YMb3hZoq-<=CRL{&d{TS=;wX%u=iF7
zrjYKcm4Xnod&p|~T=e0?2q{-<m$FkrQI8QUSMA&_Y0Dgf_|+Ek;uw&ww0)p~E0~j}
zb*s?dU^jj|F|mSHE|eLh#CF|JP761e$+p8gS{j8mLO&mAvSl58ntB^}9PKPN4O<+H
zN)Oc;;m(|h6A;ax<VHt@c)bslRVfWDiO}CMsF%Yjz8J;46~6=iyh(eqE%5%^Zxu%+
z!VM8c#U=$Y9}{Z%cXR%ni9^<Iiz}t{!KePaz@M(3>^HO9w2h@IT8-MUSq(ueVlaHB
z8=xh)+#Rz!QG*KjNGv#bihso{^FbJkcjyz#qTq?2-K|dHApyF!lzKYVxqIy_>u6rZ
zi@r1aPyVIq4`)L>KCV4A0^Hqwp}u?hVKHm&xYN9o#KYZN#}J_L4~urvWhl-?E0X=D
zDVO^Km<P2Uj&SUKimdD5h5QW1zh;oG?XYWvz!>cw$gVDcnXd>Dy?h=?<6|AHE5IHI
z%2btJ$%I$<Dikom3fd@P1%`h@U`nP&AGgIFUNR$%#@_ZYNO+h|_gs<G6QjXQH^M`B
zk@MeL^bJ^}o5yNyQ85;@q}j2}xpP{+#q`99q~?Nsnf;5~(?N;>$=<szGx1!7Sv<HV
z?xPcDQkU!d9$9H|?qpn6xj(?XuQt|>?Ni+8`OQh|wbEGZgKO^X%bJqA@#3qDITzU=
zj-pj?ES$ZbKgo>6lK_RY^vZ*NSLQX|7XZrNtSVtbX`oir`LqJ+<`jyu70$x`JK!6T
zSD+%dKSexSC|~lKw#aM$2E(pwoS#N0j)gs{z>i;DJ~1@L39s;_Gd-vKG9$L9-d3-K
zRek6$!gk^9FeOh*74x%+wd20!S@sV!NgMX46*NG8R|M(%E}Z_MkJ{#JupF50cNHxQ
zL9-iScnh|7YXR5sr~)bKdVZ)XxziA>l`L2l0B3Q`Jl0>JQ6?T_=_fHVqA&VNaKM&2
zCD+i!)|Fpm?^fpE2<!!ISuet3cc^U9@z@SLYT(7ew_dB}0(ayEs<(pg1t-!@uY?D+
zKgefIz232D_|R;)MPF`fyOPFqicnHitS+)_jw*ECl4(V_IoYp~VLwH+Rmva>Igzq6
z;Q?|^Q%9#%Ju9w!v$20@?gZ5T+eBUOVakPNUW_T2z3AG!TpSg~`C_(MqAg=gKK%kf
zmTI)s3B9kPx_1X@u<Pge`G#QVb&q=YnsNv+?I3;xASIaAD9CP(`-B+TBwSNGBIc7p
z9i(i}S(-cML<B((%{p>De~aF56}6c#>G~&a`L!&3=%STb*{wtxb<i37MlycZZ!@8$
z@!MT#mFH7AI$Plag0QORxV#l{rF`G*+ZsR1jxmajLwj_9mV`JJaa<y+!o|5k$qMk7
zPNIx7Nx`6YQ=m43(cl_CTh@&uZ%5oyxbm){KMnN`mAx!=7|wg~iYesPj(Go!eKs>^
zdAbW+^Al3Ga0JmN%>34{IyxhCF4bp1YrMX>WMe$BlCd6y>ssO3^_@d356Y3aZ<A7u
zgB4Z`9l=L_0z@K`c-$4&yQF+!2uC+<tlM#WxGwQG7~yqmlB4)8h@dTwE(|wFU>Bu&
zFpJR&je{wphvthIeG|J7T~z}9vwO9B69iSpk-wo#!ZdR~w|`T+2?ZY^dvC&P1FTM}
z0R^*KJns!8bS|yI7|CfFXte`mcu-=yljvd&f&7Gi1_@13ydl9`Z;X1>QIfEL;Qbch
zc;`mSm(m|lxkaeJT+`OZk?R<y=C7T^QH;=;lyjztHS@|T$BSsU%IkD&lD_%A)^_9i
zBO8>c%jS_=Q2sAxHk1|fR^_qWDNwh=VJ0U67D5Gq3+eM4f4id!t8Jm4wr{MY9qv*w
zD8BZ*L##OX3_9!dS#I}L7WL+h8Q&E$qBi>|v<LC>JFB)%N>DJF#V0ad8r_J~dqDUB
zu>p?Y?WALygIIPkE5!Xm>&&+E=~?eA1ir`dWq{eX2>;-@WxbtOVA*W>tv4u5ZwBK`
zU|Vouy-Wd6xA7^j(Q2A*v?}Gkb6hcsW=n`lbT2S5oR4(y49LE=$B^i)2nVh()o0i~
zNepv?uAX>IaU8CF@o!(7+2qpdgl~;=oO<HhS7RC|Vva*z_3q5YPMsv**<G84YaVVG
zTeS9J!NqYKVPUfsOGrK9tFvS}m<Ri5=tU)qM5>K6U%grlX|c*v%?;T_@4sw<m?q?2
zaC>68_QDsO+q``ZB29mbyE(YeJq2@b)-QW9oQUvnP!(2J`i;_V3x{L_U;^L7#6tYM
zJ}bs8N**{$9YD^WXDv0wkiDG0Sm7p@W#zM5aq1(9?X7MiQ16WJ&g>hQ+sbFF1J>97
zc{aPvdT`Q5oO;MU^jEPrNt&*&R|+(n7Yby#{^FRIZq;zEc0`o`JD?L3=ku^5)U(~{
z%Fhp4DL1VNsO&bBX6tu2UV?tIEgjCS0B;zLHO&a2Wp>+bBMwws_j<Z-d)3F@w4cmG
zWu`h0OgIV_p*W?g=!D&?_$|Tn`Mt-2#w$UEXjJI6D)&w83-jHP?tD!FdSHx`Tj^A+
zC3=WstXGPaPGJ-h5f?`y<I1q?^oN`$lEK;<D|_(#Y0WXLqZ71htOg4<$~e74z)dab
zINcP}8x~!O?3mH|P+v1yS5QQWYYc5DJjp&Eg-2tyred|*wG^60$f3n-xGZ>&X3k8b
z&K^pEd`mc_<-2IbwtMeH4HCgB`t2ix`aUsUXHD!&3_C6E>Y?x|F!&-L&-_|Fv&6vY
zvg{p!7eIHYS!rBW4|T)!=`k4Gw{*dbor7dv$Z70R2L;la+@9)iUsm7pL>IkObgTK$
ze?I%Or+(Khw`de}YXWxCvMlLvH0@#`$A;tCj8!kMxMx4S-phQujLD|QRt#x)Ou+c;
znpnk0b+zr`=lGk{!Mj6kJdr`$g@+DN+TBpB87F*wUyE+Pr*MJ)X0n|d)m+;t=fXqe
z+Zv)lO=FzU*Ua4QmAr~Aw~W65rD1+qSDgg~<tKbfuvb@ZdwRU7v5NVT@bE`(Sw+N=
z*+(sZfDN`#jS1rvA2cLg)!YuK4>dlm>t=_r=|>*XZMJQ95EleLI>VhfPY_7$HAMT%
zh{z1__MkI}@4G)sf|P^7p<MwccUZj+Cp%1^<EEDZF2I0@k!(dS((bDybi3jN@5M!F
z!Fq>$4FcD1XZbNT&H1)FMq<U%8P~fk<02VnIsz(-Jkx#Uj&!z>{qW}P+9yX1zK+`B
z39grFv1bm?mN@MH(ITm~fD2}))3Dd7gHyI8GgDpoDCsvp1q4Cv%K(GgJ3t&mSdrRo
z4^UPfSj#QvTy;Dymo4<}>WyOW(f2{yo!QmILX`RTKVq0;%6)6aDo`~VbVaI5*)X><
z)}%S#FZNQ7A4hm@MaE{zkF*}qB~-a)2-3@H=+KxE%H>(D321J94`E1kaq483_a|Tl
zsu#7a0L8nT9t3wv)n*qid(C|XZ7`Zdj?Z~^WokBzg)LD}@nnZjd~D+8`<B82$T|se
zWX=j28)56R0v8#$*N2MqV13L9_S6yHQ#vl@S^p;0bZiuMIKYiq(JC#|-ruh3s_)ry
z3HV~#{PBplIQMm;W5xo4Js<lehlkN$ynS``KbT=)%TFujNGG?XMp<pe@)6A-t|yWk
z)&^VH^JIvJ!W<A~&O+i<wJ9i<?VUGNuFAV0NGYfK8ZqNLUwvFrzL;tLBle-rZeyty
z$UM!UcLs1ER~uukG^Vy!Ta}`IaDje5@P2)qfxZ0hLayiTPZWNN!NY1npoZ|Q=Y5jN
zyssIIoA>)N85){<sweC3x)GXM3xXY9I}3<`0Mr<LsKv=(RB7?R`5E?6&9U;ZQA(`g
zOGLKFp^#0}zmGuL0Sg(giaxueW4;v8YAC1jqxQ~r$EuC7Ehd(1BoZW^KHl}L<b-}r
zq9PP0U|DqCXv1%jAYm@U=4BB1{m~O#h7%YKm|z=mB2A_oZ@Wx4Mb^)-J5YE|t86qX
zY|!(sf!9j3U+T&T-26X*8W??6P;Eup1+Usy<Jd)jzT;BgiUKZF@&x&)@NG~~jZOxU
zk=!a<?PWQpr&0=8U@e*ekn{ZOv^+)Gw?BOkftX@?+FHI<sTO&K`-`H8j;0ihj&Mhe
zl>DlnY=1+tg5{~=wGARH8iAjJ^aN7+STMIs`7QL_aJ`9_D^BLfC?vm!I%x8=rlGcp
z+m)4yb@-J&e}bImIij8WY5O;lftt06C@2AYvz``d8)Cew%<5*1x_6MR#XIv@mXAbz
z|J&4O2cS)pIsw@>Q`q9Q+m}h*Hu~YI(C*>37kx4OLf)9q*_A;TwrQNFD#3#@qUNh?
zo*B~-^u(VcM^sIQ!<;^=#l5uMsd=5<FwIJyHPMmDEUz%BkJmpwHZwphKvGuXujjG*
zXZH>%&2OE)PS{C=lx6E@IA)o#0r<<xB-nX0Pps-ItJqV~!&=&&<(WG6A(2x2+o9#D
z1tooedxFh-)@Y|$^axlYG_}UGAdPm1v<A}(#%?~(5iXY|%GZZF@b!Q#v_X`8+5`0_
ztd_RxQ_9C~S?fd!?rVZb9g1A(0IVmpAz28>FSrM|>3|21^3FJ>MpTC$ej>XlB@T)V
zHgsI=QtqGU&(IleJb~d+^#U`g5y9(K$tj+@*Bm7d1`OEHEmlkn1(&*)KtD?c)9?N3
zmHR*2f9!rU-h%n`%UW6|`2+mQWcFHJXZEXbhe5d88a9l}4_em@Js^5<HwWolY-!yi
z5C4qJr;5{Gs+%zly>ut%KPb)><245d7ByO`m2MOPk904jA>h;|^?j*4x`yU{9xCu1
z)x~WBvx)27v?!u9S11>5Kc?M}_^z{+a2(+?4jQu|;Uj^){s`f1|EV>O{T^p`SWnmH
z`-`n|W)SqSQ~QoiY7o016|@hs-#Fc2#m<u+jT#Edc@zN?O0z4n!Qa{O5%Ou5S?8Q5
zMI|O2$JK}J%u4MKqj096jY<w<@;H|FYiQ189VC8sf9Q(>X>QJiH}8Dx2T?jyh+Nv<
z2K;n7-t~lgBG2qp*Z={jCH072t?b>7B9QldYK~@TJuh7?By8*9_C!U6_Y~}{S{`$C
zCRXxIo_;z_LekO3^^*bj^?_hv8J|#|Lk_1)(s3U6Yt!U-xx=C)u(koLN4P4OanzCE
zlyN`w`}z}`ZU)*Px6d(3D^z*AuQ;KUq%U@kHdxd){JvVp;#>J+@9S3tJ2OPH81qF+
z%ZKg)Q$^Ql>i<-f`evShSv7o7b0q%KK%-^aCf?8Ub{16IcZvzYW>+m;1lG?<t2n|8
znj~o&JW3&*(hs$LB+Z)JD;==<@cW(BBZD8aqu&o6Kk&O0SRKmk`4%~FvHoKlg>v<W
zWavr31LvOU&_<eS;BwaDfx9y)nURB`A18Fp)ujbNh?9EtN`5uR5aXV7wiDxb7>$|1
z<G$kHJa2z{gEUlHFa@cn5P>!TZ=4&L+DoGmM?mfqGUcCr!}tYzItAb1ABCD-s1$Sd
z&Nj3k6+)?-x`zF87vQjKd>8jhGyC&>x8es4P)B=T;Gpc<Am%``Ck_)(lpo!7ZLsm;
zKM6%eCF<In-^)aj<J1FK-mh|dZTk!YaJ4PG<Nqo0TE1x|?f80c-5hR4x@~jv*0nhK
zX#Mw4pK4l}t)(0?p*$BA-EjihV!|c#V70s+_-3Ex)OTt?3=bPfUg!JMckF!1;Oi$^
z;@>i}DZMA*O3spcdJp*4=kurd1Clmp|KF6PvWVH4>5=~%U~oX}PlDoqKmU~ItYp|*
j75`8FnQ!mDaE-(3?8CdCiS)Pr^Mt9fl@aRBgJ=H-Q^t1#

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeEnclaveBreakpoint.png b/docs/GettingStartedDocs/images/VSCodeEnclaveBreakpoint.png
new file mode 100644
index 0000000000000000000000000000000000000000..44ca0b6776015cfd359ec4e94d78c801039433bb
GIT binary patch
literal 119304
zcmbUJcUV)|_cn~ju_7X)j3QDZq9Q|6P%yM8sHh+)jC9B#gdUItg49?LMv<b_5Q+*I
zl_o6^S`?H32?6O4AR;9~2t5Qydk@a{^Zh)(=lA~g=DH&1z~1Mqz4qQ~-RoX!`}CHD
zsl?u+dqE(O#Pw^Jtw5li5D;j)*PdO#Z^VP=_W(b(p{z`eK_xV~8Q^Az=cSvMK%lZj
zalY$L;9l(BHG32Yw7+@lyNw+1&K(326<oi3>96}PbE9H4a($7^$Sm_yZB%{jAwOl8
zGjSlXhxw{OCo53};@6JpJhTgX^2O(&#<7b>oKKXo9(_qDvw!|P`g7ABH^);1u?q^C
zQYI~50_9H9PMDvfP;uN2gOyVj9xtixr<iQfd!tdjg}`^F*q_TT&1Fu|oteGwt??i3
zI72N$!07eySlpGk!`lEkfzL(DB=a8AR<VEYUg3X7{`T+XPw(igf3HAcM-`R-y?l^!
z^}kJ14<a>=7&Y^oOmoln=o)$*R&)8#|38m?;1OgnX|PdQ(P8N)I*%GmD8;#v_|?-H
zn!+mVW|^UfuzSiU@_(N1b=lN}Ml94gyFg@1pau!L#cq;9L`P-h!Uxv>G`Xncupc6=
z)|)Pw6;cH;|IMQFER2skf@nZ*{*WelwM{gHbNdxS;&y{0KKA1gbOLrEf~mh2U>ESl
zDRe4zT9&bX)sZ&|PWC^=q{s%;yK2;Y|E)?c{)L-{+lN$69=d*i?F{4GhOV)&I0>U&
ziQIbc#g(y8X11|~KKop-;OX*=C1%(uY^J~mYez&Dgl<fwcf34l*1LT5q%lpL%WrhJ
zt-V4Gp8jYmiG43U_J?B>|B5cQnb4@P@}f$gdKR{htF@&|A#dzC>6(JMRdw$}(Z!38
z%t)HXX$5_Ko0DrQhz5`7i4zZfT#kK9NU~llr8gB<UVJMxF=o*XgZK-HcWhb<vImA)
zYBzOrc8~iu4TwMV(-++|<5gcH+;&&n1NnAy(#e075s1n5=nqJ(M^7@8*ym4(Y$B&r
zVczQwY8-gOBEy>-w(y0egTNURSi*SqWrY)oP><rdxFTM^V?f_#Kea3bP)WfHj3Yc;
z7}kxE!POg`t1$GgYYnfp$dWEbGA;CJvLH}cs*`xSMu#vSw|)2iAm`RlPM<9<0K=nu
zxVxXYO}P7Y?@Co^WQW0Om&wy|kCVn08_?o6(@a8So7`HfA}ig0EMQvG;qKe#e!8)v
zn^l?Ik>x^<ei>hcKqXg%%lO#f@kitegLd(lnNom3&us1D$%UK#w@VD6MK#>9a1^=d
zr|b{4a?BOums$n!rE{Lc9YdFs8{2MXFg$0No>1P9)n;LKA=0V9@(L}{-#{{=Tyhj`
zosQ2Iy)6(po}iybj)VpB&xE!SM}Bg8V0bLY@nmT>IyTFj6^s<QI}Qh*<LesdP<X$G
zj`(59TZ&F^aMkzGazdxEF{Opwm?6nxwfMD#!b+uybgoN2mR)65!OZiT8u2AB?E<|@
z=lHa$ICX_CeU%<ayAGW)yrRF|;+s_~@$YYUS5S^5_x<5NLyEa`n~jjUyxjA#qsw<#
zFek3PwkXBgmxHfg)(zgR2S&EzRJgmWgqs0-3L1HuTsB{`**?GkE?cf%eKS;vJzFdL
zK!2gW!p5{!w)QH+FZNlzVro<kqV{aEa8nV_5S<x$iMR%Hmep)nwVET!x`{IOgwD;b
zBWe+pBgBamosy0{ox8`m>T2mxPndCPD*=}$2kW%B_41KuxADa4mW8}UGVzW#?_ff*
zK?t3jPH_`+AB7xHU@f*>ndRvkFOO8IGB4Ya?sQ9wc8$Ok6hiDZcq(L<O-0I7uqumU
zR2y|e^h5--;!PwZ%9>Os3I}UyOC*MJ^chWM0ayB$f(3tgPmCw#hO3d=ICai~9nX?h
zIxr1~#!Gvso5e2&EQU$GS4zgcn+ERnqlYhT{)9<qS7O{QS4@n~Hddn4%GWe+-uH_h
z$+)(T3#rEqxztr6jR?!bKFp=xK(D0RBJY&OWZj);iJx|4Y^F)*6(quh%jq3%iH2|c
z5m(F<@pg7gak`N-xwTJ{EdPxU8&lf4fPs`I&ngI(8TX^)RDEswaq6MkQ)3s~VceKo
zW5+gLzo;L7scSKgTlUCrSV|$lW#>DxS1%d=W^23o!}!rhfBjY=@AYN7>CN!~IvD@a
z(g8DSM=4Ll@F&*FF#DRA-8K%lj^~>Xr>>2zpyQvC)I&8eqmAt-jCqsR%;Qy7rf<p9
z?C^uL>l}9hdUXI{*>Xu$dVD>aTzIEDK~^#sn&1i*xTz-!7A<CL-89_|H(0|QG7WmT
zgbEE9{>+f9HdpW^JFi)8{;{j7TY13pJu5a`C~QaB&$nC^-f+fXM$!3=JMiTr^41tb
zjFW>Ry?^*6qJ|BRkA+4p+qJY*Nw3K!$LbR_sB4|BBB)Qz$_d}>dL3CsW)44GtrX(j
z46PpBP@yyr<kQnc7v>Uu&DuxZY{|t+^d#Mkk{m}}zOG6Ci?DL1vF~lD0WijpNINI{
zXPaJmi7bZ1h{E~}#HX|HFkPpCQq2*T{z%TmY^-SiwQyi<h@9)tU;8EL$sFfM8GT)k
z;i%d$VGXZI&=V~{u_>_7`Qh}H(Etielg%))pHFX#Y7Of~+oe?*zGsrgCW$1`@?aG>
zA-#w>9OO2cSindqQe6liK}WBC?vqA7Zx-1ttTltByiJDFgW+`l&_P@7W>Q#`s9-+`
z)PWqxHW)p8_(pCRWb%)^ygc+({En>L^)Jf3dc{7F$&_O&(w$>I`|AYy(;uCoMH^GT
zxjN#~I~AE`(1ayQ<`iiOH6jb$V2wGo!9)_T!_|g2TG}usrzhicDpe_?I6YDcE4Kb2
zO7S6Gnd?#N?8I=&b;t5KkHr-yl=$TzMa#BhT{p1z0{(H9O~CBqGrf7Ir^?M)wu3f>
zBZSGo8ceyoiX>Qk2G^TPDzPljF-XJw#b;WPiwD$Z9BU#&wvQ*k2Tc(THu+UkEkE4A
zJi8zFH(9N)nLO2%M3QeaSoQrvd(+CrLdKuoj0WLIdC^2k>V|+CKA&hhnAR_CI{UVG
zV6Tj?h@lP}UdzY$8}N;M1?g)ACE<~;xou@Z1EA3PTuEd}&EHL!VlzY0$iQT(v?8Jg
zBl{$rEhcg}8Hr?8@;SWIiOvjxutvCnXmcBi;qx?u^PR5A3OW6KD8Wmu0fGS+W@&W_
zQ(!*4Wb*E6G`WpoX+OR8nKJ~loh2@P%h7jb2+pn%mr^jcPT<Q9xlO<z!Im?n;W>9K
z+nX@SBb(z!ynL7tSkK%MO%!h`ohW#rHIu%2DTmj@=5;m)whreMP3(SHzEEPmsTd5G
zS6N9+E}9@HV@CD->EoEz;HF3<f*85BK~G_pOW0cWuXLi`Pq-8=+qFB1DhVKvS3f-6
z+2&eZ)E>O^q~Twsv03<>un(aE&H(#4El#8MT5->Zeq-8KGioP{lLGNuN$+s=RXDpa
zv>A*Vj3imFXw%2eq0;va%z_(4<g;aj%oNTpt1)x$fbWxK7%9!nhKGCFaJtpm^;1Hv
zAwsy+{MaX-fFtxv!xD_&V<!{=J#k~K`^8v$?B^Fuuch$<tVUNVCr-he7-+lcfq*Bg
z^oEV}s5X@CDS9C9L}If5J;7XaR-iyn3t>Z0Z+g{`8Yx$Zlu_cwz+`b~?&tW}PJ~j{
z==l1C>{@3$kp#ZdUI{OLDcBS6s3M^*Wn)5-wZZfqLtzXm34DP#?*+j{wL78IubGj<
zkQ{F@saaY9*P-3*>u6Vkc0(G+tC}&9H7i$ZnBzqGc2#NQ{_FD9Hz6U-dPof(WfV2e
zwY}yz&p2J35UwUjA`3%VG&mIWGBO#PS5i{9s})HCyV8Y?o1FzCV5oNwf})P1th5;C
z$CK#N-lqK$^dxdOqmtSEmQD}_TpIIrCTKDf=xMT2p>ib)P)TwRBey85i4mjJDG)4O
z*SDH(xlzMz!}N+%oE*z@Fy>kJ=uPs{p=zw_A~>{(=>X$5dR9#&#<56zPI@edPcD~$
z*a!&~gz?#Hn32Xhlu4RdxWC$DDXW^4v&fqTlmh~-N)b!ekgY0$Fm}}dHBH@d&a|Hq
zv2qjDb~624up{8rH&C__-E!#W^dc_e{$N)9y%!scwc#DE6VP{|orWa1#RXJDF{U>T
znjl8^y}Ir}Q4V-JB71tHutCvJR}}AA<207_B;Yq^=NXdtuKa}F;D8<apW`p}<F49I
zKf+cD4h}a$gl89X@$9@5iWY`mLgfsVGWJ$W3}7((-1Yr26$DjQYc29IYm=Q*U06D7
zS2I<@h{DLvSk@HTdn4MkhS2@2u2N<Wk0TH)vhdlvm+jIvIF1EXDuSE(G2{1Re;I(-
zew*RIRHiqp>NtBnhK@=!5w3f?4be~sMn6L>o68rS0z0Qh_B8(va|ykTENO#C8+GbQ
z3W7)6hIB*cxa5UAy5>e}X>Y1-s=sW>NY%_bf;Yj0hOldc^NWixu$3Ak%0TNn+h;;u
zfO?%mm$sdTrlUvPNEip)QIh%wt3}0$fteqW5@u|0%3DTZr&!S<8;E~+6qcS7A*XM^
z9Tm2Q`KvkE9~E6Ni<AkG-lu0ZPbfra`YDezLN%iFh07mZ>`rk`{!9smW3SO;4AL8G
z8lMCUCXQj8N%Ga2!$!Uo5a_3JgB-HG^c{v%2&>wLcRY28St{BrEhN>BJxepD+2dhe
z`|IZ8JcjLU$!Xw*X}9T*;TZjClk~BGgs^e)S)pFXUdF|Z$&Qrp?Ng+gm$l0=Hy!bJ
zgtC^o;mJS8Mu^O)+z}jNNI6uAIZL=PoPs;U9jRJqxw@Iu?<q}<7D%$LV|^`iq&F-q
zHdI;HBSYsCAKs&*SvMj{#ponqE4oRL&aQ!X@1DUkq{-QsDA*J@?c+l6OW}HjV)XMD
z;mw+qf)V*#bgoIa#f7WOP6S2zOJ=vJDAaBM+8;Igv2@v1xGkg;?u?<kI<k*VFlmMu
z`{6)trzEh!$p#C=B2`4ITd}%~<OXX1HIV{r^U4WTcUk{%`w2zL$a<R_M0zx=+`Jz}
zmP$6cZ?wr@X~E<W67)so!+z0~Q@H{2q5Y7#(g_7$!02+FhF@SrqntbaF9sf}rZa`4
zJ3`jwYrr}MCKJVu772BY*Ocll#0D@bT$Y*W%An*>$hZP;;(N>a;+sRe$8#vPQH~|%
zgek7|Y+KE>a4WJQ8txw<VBct{3`}Pl4G|b``Kc2sm;x&2c61~fa3%#3Bq~fZzGz{1
z5v(6Ysvs~+RpDCu{rUXB7ijl}d-Y9WuJ(f^q6<#8IlRbJEzx;p_`F>#yjwG5PSAJ*
zt16kk4b){Bc7D=e;<@&mX>YavXy)nU2P-%R|E)dADD%kBe)T6=cgK$l!uP(-39f?7
z%`cGUHux~I7wi0=5fxJ_46n8=MA(W`<HFjX!1|wkbRH)Sp+p5PV}r!RYND3tW{t1u
zSl33tIo!#}uFVtqkwXcpC|zp+EqgRCkQRBTg5kMNSkWn){y<$h;n@RGBq#ZS91_BI
z09GwOa-mMBSDyWb8Q04p8_#a?x;4hv#Yqg;&>G9)JzSU<*|_Cv>BQzS$`sfsBq4fY
zqFOWfiKDIobShY>lMZRrLJL`)VqCgBcaguRbD*9HfG=pVdNrmg9xLa#QLO=>gw`k@
zM4QgY+U4Q<>k~``$`YEx*Etiq&cxpn?T=x`iwvAhX(}RqPrI}JmFteeFd+&6n}<ta
zQSzd|LGXa(xDc_-+AKvWvg?AU&d-T(-$nX|jkp8J1ChhLtT*|FArT{5-kndZg=_q<
za*{vM0GK^iEh~PmqDYCt*BM1e%c>$|=QC>H!;QdV!nnE1%T(N}^PVWVUWn`S9C|AX
zsMwL`@7Ki1&(SY28Y)TJ?B;$<ERmPVEn*YVBYIJe!kTNc-V;;Mki_QF*ManV^b}z0
z6sxmGlFAqD>X->42V`V0y*F)Z!Y3Uzh@Fud$@Q?Ggrt?JbeImkI>46lr6AqKhoN1`
z(!b@nA5xKZfA-0=VF*7BGDll*G@a+MGV{RvoZ9^$cd>wXUCxv1tyiAO-UeM`#wNFJ
z5hy=Hmh%j+c(E+<kB`IkF_Z7}6!Axn==JcwBwzvnxL8d+&?%_eXw4CIn#%}Mu+=~R
zs4@cOzxdnQA6avD&IO=bk~(uG-lyi#I@Zl`hr~gk?*NJNhqAh12fy&!_URf*2sYW;
zXly^|sA%Hp$nR*VvBefm@#*sElao8Pu0Ws%7K;D5?CRMA`5!iB_1wQLfd+>0Nm77A
ztA8Rc{o79vn*&f<UGZBDFLrht%YfMU1|iU@R&0y$`3Z5@Q}Orb-$01`23qBS62OS)
z-ZG&jTj;&V%cH1epa)_>Kb|Vzefe@iwlVZHJr>Fz-@z7u9`wscuKuA7Z$Eo>oU{Qv
zZuD4vz%f9sN^^1Y8A$7r1j8UjWuGo|^|hq^FmD^EI5{c#)s|R~7RMd}@^xvc%Qa6P
zBkM-2+&ZQHo&S9|^j#wu)K#mLXwWVf-23h6D{X!V7zFzJ%@gi^KyeS!yvL86+JYmv
z*z)|HS>W|gyL-9YK@K5b4w(KP^c(0w&hKN;EpE%<?Gv{QxykjI0EPC0F<Bbl`BN|<
zoU<i#n{VgN>~Yh9W(*(_=#<rc(M4cdy|9N9T#-q?Mrd;6-d^c@jSG<r)(lCI*XVBO
z`s;SzMWyL~loH%^wlwB5Zny(b-7C1mg_yQW2?6WVulKpOs#ILSOxZ?#trrOvbV;jb
zr2Jo_fo-Hp4i1c(8X>p({HJp*?ah_A2PLnvbG!aKD6RY_Sz2)`(wHUbzO8X_g<Mg2
zc87{0p4Y1PtMk=gZ>~*<HY42|rxA{SG|s!=c{K08qy0T5Yd&ulkUhLZli#HIZecg5
zavr$DOmWsex3d<Nw)nnRg-^J@M`!)i)0pgS&%D(7)Z-rQ+|~cinxg6?e<N2E3MecH
zC9QFuqRD?JC`_&HxzpL`R>JS)_Lf^XUZ`&$Su7Cww7C`UUvA(wEL4<MpPn?2()3(k
zfNrf<u?0ndtO^Fc692z4CLKn$a|6+4t)ap}?P)j0nJOmJFRGQg)=ts75D*2YOJ=f2
zi=si{$l_PhIavi!FlxBAg8)5vuN}EjSj@1HI)v1)Ba{<F#tIazV*k1#l4rL4S!8Ww
z#PAb*rms<8)zH#3!h^f;92d^0r8uEQVcM7({+BTJGGl@CUeQ7J=!T@&H!gq;ill($
z@?ieZn91+RH!R>QTNy_48?Ei*w*>HGf?37YAA*O!BJj5z96P$3&YJH>Ml|b6!dv%3
zF!RhPi%4h^oJq^J8D8;-R>T{Ot@9VKUsXF3`&jwoW>*pKLMa2HMB<M&#u@3cjYl#=
zkzGzJKfsxeQG#6R+fKn#$Vy&_#cYyw6P0Bo!r)jgg1B~}P}$4_)n0C~EBl~_3z`vz
zS~0`1C-kEtaYX;ls_A8CSt=)77rTVPR1>+y`W-XUxo=Ate~M`=kbbJ6rk=sE^M$?M
zCnos?u;ajfd?lq(zi7PjManXRnG;T%8?K@hIqSda_r)hh&e?EW&cyc)4A0p7yRs~7
zT0`gKneQkSfG%V@vb6K^2Cx95A*SutV!qO5Y2@8sMEr<Utb4b-o{Yw(T$e|T+O&SX
z=9p7}4KDW@x6}5ZWd}^>1U6zTA_^dZ{SO>=PyMnSUj4UwEY9?#mz=R?s_TFuvtCsR
zJ%x(+!R2XarZ|Cp7Bx+a>kFv1rYV%sYlY&XQW=NH&^HlnAL0;$)l>1JzHdn=FAltl
z90hE(Yl3o%3{1PX4t0b-CF)c&;1mt7NoPluIO~Lc@ATV}>iWk}hCVmL89L~#Q4<&p
zJn7j<kGZNuY&a<#Z(kGP`lkNQL8lx4yieUIF^H7e+F#CpZ>~yF57|1o8gbrR4!v3#
z^2|N&NbtMOBA5+F!ty9}ckW9D4!$-CC=9rlSrs&6RS~k_vNBs(>hV&~%GNjU_He?R
z5crcUq)8y9P&f1QYlsi=E!~9HfeSc?Sysl}RS5g3SS2Tw_YHNmi8A04-a-3raDVaD
zR;<}EH<XIwKZEhAU=@`7ISNczzVXvk_XFabuU2$cg>?2^n~{x52zO?nBQ!UxS&t_L
z(-GIG?aq4DE18WEZcM*0RVWKMT8TVo`O75TCQ}XCvT7%i%O=A6rFM6G8uIOkP2GGm
zs_3cgrO5osji43L1#sT|)hXzC6DH!H;vNfI0|9|J!y)OK(dy6KK1ENxwZbp99BK^u
zbJ8iS|D=vrsvwOS)k<6wY7T0>pD69IP}Y>!vBhjw`&M`g*p%|ZT%Nom8MYNiKdqUm
z&>c)H&aFQ!<D&_QEX)2D%C?r3f*1c<mAW0dq)!n)q;fxA!q+Ud$o7S?yFwK4{M@x&
zc>7%8D!wBx(a1;ADiggsdpLn`*UJmLv6TfFi&*J6ie-<tYZ509uB4Vm6xgi&h||o3
zpmudwTN>VRJT+xyIZLS(&Z)mwRW4T@7*1iEL7hUOZQ_to>eILYQmdRU;)6qH`eEda
zn)O)BdMuDZusLN+L-IFEMYS6&l8|-8{%zl(_?Rp%14ANCB<Rmg+$p3zi@Y4k>OWg&
zuD}2?1|AVWGQeJcHLMllJ0DSjWTISZHZmdH_oeo6{VsVWQnQy^RS?&4-2|I4&0ntQ
zXkc&e%yea4ZoE7LmBarK+#M?08+;icF3ZgoDAabA%La<~VyTMT;4`gZ=TtbbUs==M
zzdB^eQ1kuNK%|h=+jLVAJT?F2c?;w*sw2jfQAxL}5cE_fEj8&Ixustpx{jKD$3i~>
zBhi@=2BQs{2j+PY6I;UwB2iR5f5)WDX3IHt)lEiOYvo()&W_Gff4OM2Kfz}Dnmq9v
zu!NZOgF!y}!+XV~r`(gzSmjV)Vp?#lLHfnzB{Dd%SjinLu5q$Ah_hmBp~7O`(oT^^
zmXI*n#N{#ydjbKg>r=bn_RwKKaWcB*=bJbwMZ8+i?6a#TG%1S<-x?FrHDM)baZ{97
z)!;^Vmd{kjvgYMwFxIBTK*^?L=4}#csUQy>lY8W7!)Vq8)LZP?@C0nN&&_jj70VI*
z{3}>6OnGun?w9+&N+o`OHoW9~udjG|Q7Pe!srmbQj~LoN9)UJF;K(NG7xDmI9vK6+
zl+4vtQl0!`IWQP|T?H(io)}M&+(s<7QHQw2ORQEVz8BX`?!iLyci&?l1DlanUzZLG
z(y;})qG3^GBHVrm`sFW=R^q*(-(>ytycMTI^O%ENHHxjKEd_T4zzr7{kN{O`7=HH>
zbGEOrZ?oh0q~GmtN!GLbBqiyKANyWe)4$mOp1~3Q{nIvC^TT40(T?Qsti#Bdhsw()
zv^WCH3#{o>)#WFuDqgGms1bheF(j&G^>XAl^VW?P*?|5>08<DPniVJPctPTZlWZX_
zzHHQnYNzwX4Z#A25y5g~l(S=4dqdSIPV|GT6fH5xlp9sVAqj2koccrP7kTRykP45$
zXIG6auvj8S6t%(*z|j5Zgbt15g^7r%R9iKmFCl>8%Bo-OHk%#`Ux=^zwpU~v)Nk)e
zPb5=dB#U>B#uj2{Eg4JE+2hr-uhTm|H5H&YRB-5wozl*5u%w#7*Q||CQ9S2tVXcug
zvVEV!#!qrG;42jFf8SPd_v<r<?4_l^Iwym*LASC+s|1{Ca@YV26UinfA#Dd<a0=vY
zO#$}HeAh4Mdgb~*#E7}u;Srtpzn|2GxA@gLHPIecn9fb8Xj^EhhBSDQ3bhF(2a)ZV
zYwO+VjqYUUaA?xWedn8*9j)RJ_^ydiU8s-0unKbq2jlrx{8)Bm!IPgyW0mTFwik=!
zF$Jp+tW#u=hl9s{64wNj#f>dcbgXtDg}1xykw)EI`LLT}Zi2t(;ft+9Z{7gt>l!bT
zJL;KB`P@5u_%+*0wKB=N=6CCLuzHBL&Qz)6v{91=rNY=kF|irJsQ@}8B^H*-)O{M^
zI&w4gg=}=i+>h6Gk>9*pRYb3@-I@`)zW8p{I&oYPzav$MsxA?~aB?sR(FU1FtNUBK
zD0Xeh6XntI<B$00ETm%1?1#dRayX@<jI7|9e%(u5TNl`oX>hW<Zl4jOW+{{4V$ei*
zwj-O}c;9>6?tnIvdfxN-LcH<Ec35cR>IX+EB=>$tmSE|zhu7+U6ipdZwRYQ6IwHpD
z`_D%=xg$Fh4_a-$#;b*N3dm77du>SbTEYDJfj@X&k)<zw;o;d<H+*K#!jM~HHb0fQ
z((mj^i~2#CE+UiM54#w8KpW>1O2v(?96`2|D8Qtc)6kLlkiv3f+LPu&swr1c;*1`W
zVpM`PLpY}@DoX1Z-R<qiNGCAUE&6?c6W0z&z}Ed;;xOH7RMNQaUR7_uH5;pkH!kOb
z@73Dl%FUyquceKKFa!v}B<z<L#+`g!?B!v9K-dtQ@iECduTR|=*k*r-K~_AFo8xdL
zMSO2+Qm@FOGpgrWYbdphoY|+F>)S#KsV4Fmqy82RtG&Q%P|YoJqvHW3Yl-*52A-rx
z=^G72tp{>G%2y^*zf*BvRgOwPN*nbQknNHZ*IQL4%hXf>Q-afp&n(3VSkqsmJWsS=
zuG4gJxM1_;`NL%Dvsv!>+9d0=0S_eY=$Xf=wDW}un^{=QXE-5hFea(%EWf6f+M06D
zS~dA1Y5-7+y+a0;;B>7<g&j*#R{CYw-XvVuJc62)w<H@|*w1?)+f92DVG$o76AuL*
z{aERtO@C+TWXeK)B!En*-uP?}6B>s#P`I$W{q2)1>5(-R)EcLbO(y7))@(h#PC2@<
zg1To|0XjIBO*b<I-{3BzgAQX$@rdbXySp)$qL#el*2fh=pj+a)x%YoOwfi)4&Ax8C
z#S1iJ;ODZ(A&GNU@GCXpyYVwH+jRRsyh(3zq>(ZCjYas>LtFcx+o(jNLVKz-Ix$oc
z4|cCj{6Y+i!ZJ#1=F>RIZxorI9u0X=m;sd(9rloyMMkm6t;@Vs<zYT<NjXyjBG@c<
z64$6o(k|9;P}aV%@~@Q=P0Rw3dNl<At;czXq_-eGH!%1;ON8tCuxNaO(WW9Qn|vg$
z@sBz;*sN70ZS-EX#Ao-G>5)6Wb6R5h&firSoy6~tBs}`t#NAjMmB*}qvjA+8dB>Te
zAh20F8A!a?wa%H_YN}2KA^unISJi4g>I@sT+*YFDp2P5i=-N-#jkzcwQ%${1&OPGT
zDG4F1Rh43)yb7o`iQ`CuLrbDM4Y@#oRbJy82;hGJQr(2{>cnsjp#o_ktPT+f`~X*3
zC|`f2N;-|{h{JfrXv*9H=Hs#-W);9<0#anDeVyR0eqoQMWBJ{uGU05u>70cz@536f
zBdWf;x1#y5$AE2M9;hBgJHAPnyvW{v;p^qttn6t9^q;q$$Qw-`1kX0z_d%wJ5tnIC
z4qgG$@2bkBl?Q|$lME!Gw0UScDLP9=k(qFQI*Zj=uB|jLq_L+fCGhWqv#*+1VAcx4
z$4ZiVswR{s=PZDoV61WNU}G!wX0cOi;=$|L7Qz7t_cjMbgXr2Q_uf=wX7$jtJTZK;
zzGHKg=}I<OS9Lz3J&Q9~xJHhx3^oo`^t7AqoD8Bwi@tH{lajGnU(FqBs9BtKY4(yK
z>*-^Up?*{9;+it`gDErs6LHPaG+L3#go-wD*2iC$dj@PyO7}Xqsw7tFWd}`^3Tp_F
z*qa~vX7Zl`vET-(gVTv9U$C4sY<r8>&7_1N&I~M!x-;-2yng5D)i}DSaLxD;g{PrM
ziOI0f-@gUurIhwvxKf94IxVi~dCA*#+FcBCG9`#ns=`minXUiCDC5P?oIDatX-dRV
z;{UQ^q&}H4&f!f7PH0Y!Y~VtsXk)AAk0N7S^9|6Q%@?g^V;G-jVv~UYB(b0*`fZ6h
zO~#lu-wW7vFup;s_Ag8<hd!8SC-{&0q_<6MW$oFe0V3lQ+6OufR;YHww>V&umR=Xw
zGJI%}v%WfeR<a2bQXbRSAJ2w07A09Lm>t8eWoMN%E<Wx!Gr5m4xjSLR{8lI}1UWlN
zj<s+h4P~uN+Def_h6dfHTip_R1^_U&Az29B{FX=^uJXn0hv+NrgD7v->9WavP;PF~
z)AgFoc-RKcq4hpnD0<fqsB=Up!?Mkkh1HLZYy?!(xu*~MyZjp@M^r`WU%NN7r&vN_
zOMmRM-?rh8O{#fm#b#yL0rUG}2nR^nBPu{CzGgayjKW2m;5%FsOEIuBmjC<JZ`iDP
zB5!A~bizR-8V@Y74N1l2?Is7k+C%QO`?U{MSe653lwKQ5tzR4VEfaZl@9%K>r&eV$
zXj;wD8`#T<5Y&LU#}ti8eN#1%A>~Q?ixsmBc-Bk!`nKO)zt5zZ-J7W%?|*^jCt0^U
zb-gdv#r|TN&biHweD(NtUZ47GDRK*ApI6SV{wx>u<$#a#cx={uZ0rcRFJxh?xDov6
zi^EK$6Teps(97ijO!*dP^~!M4$o2Ski%YHczbh*1om8Dv(+lqbB81=UGa;TQ>iO&B
z+%wu9)N{G~$z+d?O!1Dd(lDn`{`ETZ_F?&Z&)N<m-{`mfqPzg*Ll+-PR;~sHgTDU4
z+X}j4_j{suWdT{*y1p^qp_7~{bS)4_0>n#6@*$+o<0PpLFHY7Ane2JvaZFHy6hF>N
zsgjUc@LyU7;Hb>^Z5f1N=CE&R_QwYm;OKuT9Dv5zm8Bj3?Z4avFrHJpez8S|{*CE@
zolv`tY3^2eZ(s6bImTj#iOe3z!>5<FioC+E{42+VF%A9y&nErvYr9mN!uJ?k1j&n~
zKk)y*NGo8BQos-ZpZ#o6;SC!I;e2|xLO05@mz&|-`J0t@QV4mV2g_dnOWtYy-(8ph
z!14QAW$H=;06{&b+Ebqro^_-D0NqmfFGaY^*y8WITl#$9a$wA)(r}V`oC7y3E;=-v
z@EfT8|DeE<4k3m7PEq}46zC#rjOVhYwl3LU@`El?{tqQ|1E}_IfF`jO&BCylB~9Uz
zjhS4b_e!U52&xU;NQQbx{ZNi-s%IK5T-xqV?aG}zuT+|yyZIjDA2sb6)z62C21w<l
z#oR`2<QfMkxdWdyRk*&T)mqyvt^QxMqD||DIB8LQ8YW_45W*=EKOK0;v?moRVv6by
z2faCayOm@8Qwd2`TIT2Ca)mRwWung)U96Xf!x+3VSZG7!$7Q{gq?LDepZ<Nx_5YWb
z96?4cJ_es7Evu65jsb#UVf?SKN(N=d19hWIMO*LWT(7ZwesW;)l8GqEP2mL->I*Yj
zc6d3E5+VPE#}H9c2k5cX|C6k|+@r|6%zqY^2>^N-(3yu#apGMcDw9@#@Pj0A*S%$k
zw4p0%iP6@|vwoDBD;Ub%*#!z6ZDpCdm@bFC9JupGP$Q#pY%*B66e{ApYj6Qr*V;=x
zik{k}H$whOCvJ+8UdXO8t{dM4N>Q$_0TnNs91^qVCl*osETn_l=d?F6ilfhgjw+Xe
zL*<DNtX*KsddUO0aP~&2DVqb7Z+1y!?uXPpMK?=;PFvm&+&27K(&mKM3wyY0mkQW9
z{od86Ggq$JZ9kS9-tkK+*H3L~TT8-six5{A*VMSEzdrs9cYAtw_VNn{G593;pJ?EP
z&rqfEq4I4km3<e)wwQCxEzZ4C4UmxiW49XcY=+F~6B*mO47d)*zXQa4!}BdpyL|D-
zqiOl`>>b*XGkdjz$L_AY$V;$ctx7@N4`@ULy5hwRww>#2NaGLKt`GOP<Zkii(f`x2
zTS6gf-4#Wa4|xY?>jcmKg<9#*#pNaF-B8#3k%3jlT8Bh*XYp29)Ag1OuGyR~m$dJ#
zIjp!AL{<Bc?V_7LURihD_h9XtOTaMeAi(m{e@Ff~c7H-*C3_))?1UbISHWTHP101y
zfChL=OUvBK79Ci>Leuv#w4YyR&5bqCHIhjsjaxZGq<4>cda%1QN!^>Sxx$LOM=u96
zvqN0`WQ9nKGsx@8{lJ-B@R+P0-DaBStH;88t;ff1TjOy(^HGGu{yBoD15}7*RG;2V
zy~M2EXi;j}wY;60AU(@)L!k0BDDS!~Qp1s8?mRDh^r%&O9jNEY3yl*&<FAs)8s}C`
z%*2j5FV4&oIh9F0>QYhbM|NSC2X?--SM)qm8xxrXw>0GZ#XbwFH2Eb&Y}SuAaT?|0
zV*vm4J`ImWeLjTVg}3`JH2~?)Iumqti$>u8l=4{XB@f`_;|v`3Y=0%F902kQ7j<!!
zKqwYE;2e_eaEjnJbXOsK?ratH$v@uO%A+gku&AM!XC*m%9$ys^4<l=l-jpX9<pv{f
z85VYj2~)9ITRC>X-c~x^5A<$XT>Lmx9gr*FE&?9nobNzM6=iAxU<j!F#f}K<o@TSq
z`SzTsO>gZB7mkQS3M9OH`iOulWG|oDlWNquxjc|s7yNA3TV^h%kvNs+xHmTZ;9U)H
zcrU;cPCQJfrpQ#Vkz)G00g^NkPrcAqG{Si!D6znd-l}jrJ#mtkT~&HzHu|W1+*PmF
z`yTXrm+AuPB9}AXCN!WL7%S~^|Fhp%J>>Q&#n&Tq>UJNG-99xkXDWSUv*L8Y2qx!{
zPwj)-Y1i$KAUCI6@6F`Y+2;tuT%ApamsoY|O-gex=#_j^oLQdJgXtzy>Gtbh%-?Q^
z$vI<pglc?B{@Ae-x9s$&{>)?wyrj|3q(7Z7RYocS3JPBYk4}8Vgwh~PIaJS0-S_a<
zN{QJ%79`I^3CL8bL2mWD9%>C>Gd&H3Co2|b&+?Xnxwp|kjG8HLQk^5K`X0R2a4q{>
z{PV4{YtT7gD~vMp$JaPSmr8}sXt}&TI>QpP+2b+Z^rWm-QQCbB2-eFI!|Oo3hUsAk
z6>33R`;H3iajva1(2$3CU)_CLf?9hZUa8p}*=#~66>SG~?A6qW-`jk3gSV838Hu?U
zWyfrH%3uzx(50eUXOhwGksB;1nsu!X$iUB3t0KJF-X{i=!HjS1#-?(S&mo)yyc<Av
zg=j;jlxE4AMtxaJpQ5x`)HpxEM~QE9M{ZzyQ7rFgz1MqM?Y4$+vEr0KQu2D&79S%U
zG(SS@p*gjQUw9&Z5W}&>oIiZpM_cU))VF(QyvAb6gWK)=SKWOa`tRKYKP5nTrYjbJ
z4SH5&go*0z2OiPV=~u50P8;oFqZG5iU1HGZt0p&c!N?m#-jV8i+7Rc4GjrlBeX9XR
z%v)@tmnIPCNI>8%(_$1_CFR6i&_jF#lv$+RpOKdUJxj<b9Xk6*DDO^w!rNr9?d~mU
z8TpcsuiXV^?D(9KkL~2aDm_JAw;o9aIB`du5M|pbsWa-Pm^g}pP6olP7>J%!-%D>v
z{y-FNkd}Dbqi@>-n<s#X@F!jXe!MWzU8)3x38p!`&+q62sI_*Hb?*~tm%-jd_J3jp
zL|5n*UtM0Dm@&?_%(#;nH6~n7B3QfwBopqtb@PSZYY+0T0`|;r(u$rHCoZS_{VlSd
zzBAeN+RxeRAeoqdO3c%EmkJ!`cc+#_4sERm&&THPCu(Xn07UIBE7bC4t<eLjF@mY`
z$m*LQuh_*O-KWJElhDi8GY+T0cLvRufj>QAw8@lcvNnK8EiD2^%{li=&xhuiX*Tr6
zgqg|*r#R$XiHi6+$-#91mab}T6h|vBBU4|H<?tm;U-Z7wu&7U}jMp=z$u{JwLx1WW
z?oRMCA)F+eCp^YDjjnAe_LwAKHeSKUzZS?G4B8+)n14hmdO*X>_oF`NgI~76NX`cc
zOae2F*ws<Y6gh-?&Gx=u3s=U8U5K=1YUsq347u7oU(m*n3W^|rq1|FaZ?SxUO=GX2
z_}0-fEtcgK?Bv*ZwZ(Y&1mL^?pZ9MX^@+6f*6Ts-m$xvAJ>WC9?p~Sy%CY```eX9(
zNrUMOw{0M)pG=I9sr>1$iq*M_j_&sk_FrRnb$EN`dhCMcr=(6rt9Y~#V{x$l_CKRS
zzb$#R&5+)tO@)_2)<%Xr#@=vuQ7~Vr4&n8XH6;!l3~8`yI6A`}9(wUyh-dvp{|3|{
zDcYwUp(M)rPZww3HL?nK8hu;(nvIVSp%G9CvCg`sU<mU?7wsg6zdYPNA97%ZtTe>D
zC-)|Jg8YSnzDmE6pI~3^jFFoh{KES~r9W|wu#ylPsi1G0Og6@-Gb`vcgV^N+)61i=
znHECa%Vt7pZe2%${j%J%mUsO&vyj7he`r~W78=6lF@3CgyFu@;$dTJ=9b^m0H}mY!
zB1qKt3)-A7Zq&e3Od|eHj%BWP-#(38Zx2n#=YIX^^}LS2R3t#)4vZ1I`;+1236+7=
z$~-n>Lv^<gi?~*hFnX1<RMvwZ)a#B>!|AZ>9AW$Rcb@C9)T6y*I^?<o<ujXzYG-zw
zqt3#reU(mK$MO`V<Ee7a;Kz^h0Mxxm*@AsHA0$(Wwl3Z@!|SSr8Crh*F2w$Qmbcq)
zAV*rQP{a1%zqXo5X4-?DeGYdHv_Jc&-;#idwvSkG(q`3cYBhk{!j9T=vl4B_ZmGa$
z^!m`78S+v6PAFRI0S>@DdRo+l#y~V8Mk*_pXhZ0+r3|PNX5Zf4>#LvD#rs#%;oQ1^
zo}(^&W3FE~kq~*8uHI;5MOGUsf$rb*EqM1!=Z=R}#S=_>1QbZ@a-!)MMsEI=zD?FN
zr$!KrjGbg%PjmTT-qYaJGS$JTN`F<RI_TnWS6x@itS!#rU1~o$A$fZ%mOp$&Z`AjA
zU{%3J18RDn7V2IGfn(=nHF7S5WJVeVjT->lpiQs4<p+v6NIDo@%W>janG(hoN*hB5
z`(Nm|WBpjIc?lm`MKyN=)h2s4PtcKY&#0iMks27pXpiR*+0&^Zzu%+UdjP+E3kIt5
zKJ7L-v+Z!ESpe~?Q|&F)!V5w<6kB~D6O~}w-hO7{az$7~3HEjBQ#h)lwpckcud3YG
z=&r?BSd4wcn$qWGH|orUSx1}pEXBj`Pa8|r>Tto$)e01X(pW?fGQUeiP+$tOBCn!K
z&NDOFg?mtUhARC7LVw}@Wgu$woojSY^t>y2;=HgAwW(FDHk=loW9acUUp{eiLmnKv
z9@aM@<)>f8J`QMm*e25aQD9P(^o5XM2!bh>xPzX)p7Eu#>Z*IL=aq!mTb&h|>t`+U
z=1qeAGU?TO;YC?*$!Zs35&A-%gUlKYVOZ&nqQd9Svk<u(qG~bFt>@5W)a-LNA8jr8
zS|0UXP{r|4^J`-2aH2s-#Yw;!WNB4crM023qbe0=q>D1M>4X%nwy{OxFJ#^sYqa`$
zISW~}l}<ZYVs!G)+`#dhH#TlgH_2Smmq*V{HBWy~x9-zA8%`lkzoaBuQJz8C)f!EG
z-9A8AORg37(UJCkj;e<<3KgKbw@L$e@~V!1d)U(3`q~J-?xI;ljo`*}?%X!i^&){+
zJ)f<sBlMnd){Gl2o?F<9p+m@dHsl3Iq|*;KW_vQv{bb8)m+1gq4E0%8VyvO`yv!ML
z%WUYx@2jjLN)-ZM>3pj{BfIMOJ7%KE4+9OoQ#*%g7ZlpqEuFY)_oxB_3ZCVOB`Yxv
ze95da1QbpC<CVX@AF1suMPD-Cpo%nZXS$bU^r4*QN*ZmUZ3kVv=Apm0jcid;pNRTb
ze<^_e;HUC?Wn82?DpQ#LgnYGhnbdNpe>J$3bO^VhkLop-t3_uiuw!IFw{j#g>&^c_
z#<I9T8ZiX|nAWUhYAyaS4&opK`uj&VanK1Ry6*A8W)~>quclY~rj#aEy>v%_&^vm|
z;D-%=IO)+d5AnzZ8i0mBcmll9ll)@G>dbVPu(tZm*~0!UoLb^sM+F@6yON&M|Gstc
z$8W#^GNs8K4;ss+_&Dka;G65En3+R8p13C!hcjfXJu}2(HO?sC$uY~8O3;5>K4(|q
z^UVp>ws>4Spe0B<q-BXP$A7&+paw|A&pb_9A<+G`b47e+hiYm4UErvV3<_XU2S2Th
z$AWcu+=c3gOdyd9--3(5f;W}2^IA?Afy8ui^_Z3=R8Z+K_U!d*__QyKm$|W4O+wg|
z8o`RUgGP@7p&9VGs9EF9@j!i6Vd5wjumBqx%+-X3>m+>}DMQy0eJ9b5o*N_EP@E5N
zk8g7_(_<7HTwI#wIk)s8E$almZl^o;jech~Zy!I0XPH=tT{!uL|3%rzH6}K;PY*aJ
zF#YM_cAXs!KvJex?+T#YE7Z*MuQa$FSr9X44IrRAcF@IXOA65GH-#oNRw-$0SC*Tb
zn-6hewZ~Go6Dq1N#sKHd-Ulylbv6*LlRJRg^OCfuz9qz#xiP^5hf`a$#L1Ic5kR=5
zCKlM!K3~i7rx;3iyBtB*BCZpG9E?zB+uz6k<ENkf98N;bbQkFKCd*_w5U)1ktc_{F
z3AtP9oq418q|YLTm!^r#wamhjTD{xARs>S=-QbXs-pkm$Ct2R(`MrVL@F`}7Bz4mk
zi&;h#PreGR<6j?RpAD*Y_!k)f@xxS2o?58E1%n=QTyPO&9&m4~$qCwIIZP!sWK&JM
zYT2pX6L4^Vqmv1b8WFShYjArjkH|H{7P-+2`%?*Dda>k8H@syT25xA7xIYzHee?Z9
zfNeWK2I6eIO$aK9_)e@3%ZxD^R<ac_{IqeFMfw9t%6k4XWo>tC<?^|Zu~58(9#Cvk
znCAJ-za}ozNU%dTsJ-ZBwI3x-T_+{w_uf)jKzG&Dj<KNE_@wVzMc@*qhYxT-Y6q@c
zq2j`}pu(-C415|cHeFOqJUQtUM3a-<e**-m_kRePm_0d7P1Gm@PGPhQfD+1H$B213
zo>RNKyh=zgoOprLy>ptc-n>>?q)ch5Eeud7LG*CUX0H=d+T84Q7Ao!0xaIZs*v=}B
zvut@zp=#%-PVJq6m@I$-J1=Rl_`o4;YObP_pvc5}=Dhzk1X;yPOi!Z~8QCCzMq{%9
zZ?1y44exbsG6n2}1e=C%p5Pi(SU0dhnS!B8GN(!h^uLq-bEnYU0=sm&LJP1U)RYwL
z3oSFN_7T4uSQ(X0W{zG@e`?slQ=1hh0W*wXZC0o=OXc461tZRB%UTmy{pm7z4Yfm|
zk@GgrGRPbF6YoYEBkLS;;B7BYqDLiUb>2<c1H0~O_Wd9GcyS9?wp+Y@k`?t%B~hR^
zOzvym1pW~uzVoH;c<}VFi&N6M8brK3>FlOv*>!7b*Zg@8&Y#8m*xI8-Q6BL_l|T;v
zZCc19KhzVMqrL65^vZZu>M0q`GDNL|r*V-(caGa>c8!4b&22In<2E8ZAu4{K!-MdS
zR^6Vq3tDD0zGJUqLbieaxpwWRhk5&RQ*5eAC;V+b^?8c@ORH0gZ*VFqotBQIE?~q~
zr&tQ1y$1;9O~65@PC_L(vb6ty##{#gg|)KijFN;_7OHx-J!z$~$D-oW6cCj6Evv0C
zJF8jknkBx!#;sNJ>03uhkhYq0#!MQ~K6_YiInSg#Aza8Q#TXty)-Fs21v?#^<?h_7
z9t>1z{?wWw0|x8nHM<TykdcwChWG!xcgtwoE@lR&Q|;_y2dtN^*JC;PeGuzJ*M*p@
z1POg*=T@0)@#H0_n!9Ls>fFkUq>5~Z5#17T(5<7GQ+Vo!6q#h@Y~-6rf6v=AgZ`JF
zZlw(|l@+XU&NCi=w^J#v#hHDLraiQeMJa7C-RADd0K6|f7e1p<_eqPz)Ayy9tX;>Q
z95$=fnv|21t9&?SB59bP<_Y1Bpb)L0GX?1%wg&1Cx)=%s^PX1}rw3dAk+}ny9Vq$g
zt`D8Di0sXkr;3WV`{M~a#Hl~#0;990yiM1WxnPAbJ5@!`jXe<S1IXVldY`!V$FiNr
zo%ZK#uj8hNm<Nxxb3OM;pKf=<%FKA!*2-jbw=A~u9UQfqt=cC`ajr9s)jd`0&hnr{
zI1vz1kges|i=bB>q8$v@z7c+9AWE4jWoh7Q#2f1T0JqoiAMpY*2>uqu266vk_hwFr
zoz44Od+(WKZOBB7sdAW(r^UOjzXlJE8VnfuIIdr{>n~h|yG>2o_tSM6^iZl%N(#IT
z<ePxcgk~i1Y-#Gr?J@W1<29EnSbWYz@Q<nZXz4Qcso(UytINS_c7L({0FKIKAJNt5
zn;`v}#~#dpXQ_Vpe*eo_ack60x01P#uvVEO$3iKNN>s#4N_l6+zP?4zE=MTOz<QYA
zRuZ7y=>NMF@p~J%XK>J6KJj?D3+xgWS#;T2(R0pVKluu9fMcDk@1iWHUD(xV%Bu{!
z6Goq5Vv}_|zAbOs)u5Z!df?gO1nNSZeDga5cfsehpyobObo0RHjQlKd(1W{#EKD*s
z{KqS7$PXv&@J+vpd;Py@yUp%Hjd$&w&TmJ(uZWm`0Ks@QVo^=!D!kVA`OZI|==ii`
z&1MYs;D_Pq`!vfrw(6O_qITer9{q3-U})Pzd~Vo<em!LSZYnc$WqN3#DFUbkG7|*{
z0}MK_L?B^Gljb9Pc9(A#8?B5tt4}&!|Dw}MVtakk)&4ln**zFPY{>TP1}JhO`#|>{
z0&$q-IY^M$<wWlj_L=N7{OA>wmNF(f!}ofFkd8XpjvOZNX5#IyuD^X6Z}0z3YTkC$
zU}5CC{`6xyKdObkKN0a)PGfG{rp#RJIMJ#I!5d7t{;BFv0x42~pw9Y>wS!JGQV9J}
zY6&m8@@*h;jimB9aL<rnDY5X~S|P#ZBLcDSnF8f9ef)?=uIG^3G`C`qsE~}(IN>7w
zv@DLm=prc@4dv)1d|vlV*amv_56&h)M>-4HNSs^ccuesR=}gvd@MSyXeXDVGSN%)-
z>U{dNP>e&&0b^R3nGF^nVCN~K=?O2?%>m$HpdBw4obOC#{L<tzQ-#nk5%Z{AZAv;&
zBV_W+X<dcu;B9hD|HE*n<Xvoq82Gf1$<)>dRyNP-aU)ruUcdU%f&Q};IwnCRHSXBA
zBy8awd2-ox&yRCQPJA)mW?28vPL<CRm?c3;&%kws*tu8NUL3vVUac;88lb$8wRD~S
zx$GZ~5{7=I>D`+NIdH|_^lr`4`1%z!>$^o0%p0!>1@T`(<+4zB$^_-C4a5dnb>aTx
zEnbQSyXH%x$!X6lsY}_{a*~AvDduex-s`Ld2unH9)WJE#fce)N#Mk`X2GjU1pRyNH
z6={<QoC|NrD+JJy?#arC@h8#%2J-FIy9@Ad)AMx;gy4|*k@x*7|4ZqoC@D|M9Xac^
z(<2Q1*YHiBJKq*he;(^<pHsGcjjqS}FTAZ8OMGY0UvfzD%H&l>>d8ls?HEls|Kdnn
zyu<WbGhqTTFg6&=3gd`(lMQ6}?z^u%>vhW>B|y^}jX(c`R`|yOy4SDn(|SP;zWwYH
zS#887GWS`w=lhhhl7Pa$>4b&N4Vi=n5_pD8JkGuEUNMn%$JQ4H(I^w1s)SBHZz&&p
z>qlx0J#@RpV9ul^G!6KV3y8NCM?SPcr4N?IeHolV{E>z(@uu`m>;fvje$FPL$O-aQ
zN!CK3s^G<o1KI`#ewZuHQSLv1+}!!x4XUT#25@|=7yYc;zh)a~N=#E@s&x;fa2xZo
z==&}7VAq_)$LK$n(AFmJb_C$YZU#mQuJTgm;yMYe(fjnpW)eiwpNa@Q|7G#<K2=pG
zp9e-ZL#}@-z86p=kID`wXzC8Oj-kJ;TrKvjmWSFN<XOo|&BQV~(ZHGB@SXHDor7-D
z#j;R^&*eocKn0pgA!4d34b3m_d_M^}07QF8b2oZPjyPw)U&-y2oF+zYnN~qPTL{*t
zGfr(D0+ZLvzpN{_SPWHP&1d7(B)L}{cY#h*MZuh%g&uSmBpvo=I?Om7E}U4D{x)UX
zF=dLGOz%l7R7*y_*ChR;LE#5ak{@ef>>Fx<vaVqi^uh@zu%BQYTNOr@l=H+yjtU;t
zsc~6rk4hvUrlzKdd&JNc4_U7<G#xR$k}IlrK0I6(QVNuCi1(t8z8<}|9n>!6;?({E
z$S7a`gq6MTK9=SAv?*aYzC!%S-sn4JIR8?Nup`XP^}*pC_aDgyh$+tsp7$50GUL+^
zE}v66U~bp;U0MIM)u7OK{I&%h{ani!Z{By-+;9y7=s`bJ@wuMIxNumohip!OLEfg8
z-&2#-@BD4tSNTHc-YWT`i4*-2tS9t@HhqQAa@x|nqE?m>Z{%i<)Y(~97cV5QmI_rq
z8ddxy8e!V$%bv>dw0AokV758bN+O0bAE}pCNpqA8@N+siLvT}MsTdb>L>qLm`NXv#
zKv@q9`0Yf#6_J0iR&51rHuzI?ytWtYQvFFI`QGjJf=2#v;P(SBVD{-`2mNKc{v}ML
z^Dv6FM+HU7)KJ71hP1I&{Y0ahHFdRC{i=Y!cdA1dOPmWJ3DyRedn}=&w8{GEOkcls
z6`-7^$u8UGKk;CCLOG)XlJmXEf@fm#ba|PS-Xpo~T=9<W-#V&CZkg)#nLy|tR({*5
zN!`Oc8bEr3Rst7;RadJ2AIjc3uIcZO9>*3b1r=!!1(6a^Iuuk;N<q5RNwa};xS=Ru
zkdl+`W>TY>iZY}|*GP#`1L+up-<`ho<M;P{{Qmg)C&G5`EABnd^E~HV6FTlWKQ>q9
zmInnR=NKM1aF0d3+d5atogyNd{O%I@Y*`)u%OtB1ZBNrw^5u5-$3s7E+(A#)_25N5
z631enaN3V^EcGwv=1Zjq8C~Twz8B$^ICbfYc_sANizv}LSi6UjXi1V0HtqFKcGRYr
zJmv?AG-<EWjZQcxaeuV@tEUkRkboKf@o!u%p<#);%S}qS&ITd7YV$s*x)RqlBtbcU
zDXLg+*%x<yx$c^~$c0d^TH?bbvTxu4D!Nr`=c<pZU%k2(gw&Cz1QvptWOVH%M2GY5
zcnLj9R}$3St3oC)N;g%BcXdYL6t3k8mRz^o$h0`yHsXp8hgQ2meWJVpFne68fIQ&+
z41P3wH_CFQ!hn*Cu`ysxiO7gO#_4%oc<BNtoePkXE`=<H?u9Jp>OLv<&QU!Fk1@AY
zGK*BF`KRpYO<t(RLh+9mho7(5?%()yG~%!$)pJgsl$0>6xQotSqDPmrT(geV%@an5
zsd_@Mm3fs>#ERh;HD7&Tkt4vYvhw991mH?nuV`uL#n{M!xMHZm-;rjR&e54&#fd~n
zK9S7njv=fVM1P+!@6hAPde%4nPPEP@(enqjgyV=j5GdJ74cWAQ`pN3j`Sz6h7p($%
zD(UfWM{HunOGG|=yLpb*73G9Ze{IDgDQka<>iL@=xXH+$SC*>9r%-VMIdHB_A&(T>
zk)V4>K=V55_r_Ee!uyW-MrYw+sMb!QRD0!Lt*2ksgMkw4o^h3aRu@2@r42{oL-dbP
z#e<^kD(^<ogLluFX1trQJ=D?%sA|6^eHSR<CL1AFq<0H7d^6KG;IYLuGn8);m{<4F
z=_^~>;kGO+#1}e^w#pc}-U6NgNu}-Y+JhE%xIj;FKJrHO_-#sy_v&9>AlCWIo#}q$
zYD-axmgFJ9+Y7~&F4o8+G+N>>UrMxgX1D+aK0nZrTlG)rAUbXdE<gmB_><%x0#|(w
zf3ryKnvjHjuTb+S=liPjlS8#W<rFBrz(8X=WeEz>4pzXv1|Js{p;VadG#C0!D-eN5
zw;kh>Clf$Z8m<bv+Gk$f5bx3^&StoX_Xwn;FlRC1n}$PPgq~@Mq{^;6j&stVMSNyb
zTCE0(E!}k<R%m|J^lYqzVCh$z1W^y@w`A<Rkf1a}xGi?Nw4z4IRolU&I@=9Lug@(X
z6q9?KRT`<2Pl2098H4xd-R;$$sY|$5f$_Y&yjH_iZgxfkl)v_vVll|(A^5%UpMD29
z=5TIKlmWnbo11^ieJ7v_&TYP*Shzi&0!tot+LQxRvjjb|UsHRxYhj{9Ub)3VUUvn7
z78%5e%f3@s|8%;2gPv~#eRKno3!?c3G1VY?Vm`)%j~umEv0lx=lLY|K;#qCSomZ9X
zUxcUg<md-O!+^k?mF#T9iKsCJu@wf>C=Ws-eRZNe?=un5`yGw$Ees7~y3PwU2b8Z~
zJ5Nn#_FBe%+?7<Ji%As0f#zY%bDgI2V6QA(aq}=LJL$fc5LB(w1XsqpZiX2WpGB>y
zMz0_IMM4e>Uoc#IdDBZIC0#xmv-ot&RJrL&g=>0<#aTt>mdV5SGC}V?{WH|QWhb~J
zE+bvQ%4U<b#5+pAH+$A<T|%&>Jz2ju*L|Y|N82VgpJW69={kimY0WnYJA5)$3Qvb*
zx2uj(C1bWEWG*^HvP6pebhd&jH3p`ik;e-f$qVYp@Y#dvQu8{|clrgIO}Pb1<U_fn
zMZ|O;M5|ZE`pjvtMOH!miQPMs1)}f>%a#5lvBB2kG75uq9_2q(G%cicyPiJEARXX=
zW?tmse-5MUidU|PTLC253QA5%dApdtpxgUVZps7C?ccC;H+}s}_(h*rxJo33NyyQ*
zb$peM&Ws8xiQBY){{j8<mO;q&*P2EAbC+{e?J5^;o?h7s%1iq*dgS~6MsLZHLpZ2a
z1j=Z1h>(kf$gnq~xjA6qs}q&L@M&^f26z0eJk8)HkK_uq_jWp^jQBz=k#XAte<lDN
zQ=2e^q?AMCJsm$SYI!p=@JtQ!)l|6lQmSSt2zWvt(8xechj)DG5{@&*J~`sSXnK{E
zozeL+pM99}^#@haZT0lOtRt(t$ar_Y$(AMsT<MO(UFwULz3DAukp$Zk!Bs1}X}E>;
zR&6|ueyi5A(ae2AD|i($y_1VATEA(>j*pO{64*WVF$Qde!{>!T$I|#@PIwigX%oa2
zS3t0Ob{4dxD}_9u89?sQew=u)OF;ak#0kkjnpg3GapN6t=w)2K1lAZO9+0bVfxqfC
zh~qIF9?6|+xp69hhEck^7kc5`Q=Tk``U0*cpMK1hlbV9KQ4}pK`ibAD6b5%D_^^n$
zc@$y`9&|)g<kK=~eBH!Pz)hhXW{mgW5Y+xSdaFUVAJLkFc!HNpdOUH~(PX$hXl23W
zV)f|U_K%)7F;e2@=VftBBwptbw_YzkxH0CbR#{Cazm(#UkT+GBA~(xw;hII4&AjiS
zOXU+~Ea>~Lc+fMyb5I$yX!A9ZVgd&;g(8rV#imwHO{=8?QAQHi%qk=AkOnv1?jm>H
zMw<oJGg|iRH1~^Ic3dUyWGIOrde9X6eE<Sh4p{gZ=c-Q~`xRAOPj;HgC%ak~Bd1mj
z5dDo&%{zPE=V|3A6w&w*@O0h=ZE0s9$<AntWnpP=YI;=vCI|%SSO;0+X5L@<<bS+l
z)%f|7Lx)7iK7Lm1IN5lF14ibiJ%KOA)j|iL){c1@EUqHicOv~$^xTx*23&Mk0u1#z
zZwP0!K@RCG8k%$r5?N)jeYAWVdW4`HZHGyRo$kCV*TbzTxA6u|u6i5q!c#K(d24WQ
zdx9w_1x|OC6=NgUQM7hOp?82_bo#;F;W_77-8Si0vKv*nA=KQtK6BA=#93~l)cPRp
zM%qqI3iJ?FJ2&8CluC3GnUM(skJ5!aMq35epP<1Nlr2KWMp^D{`rO4c!tRn_$jIuA
z`n^Vra$#z<;i}pzJ|J&x_TOz`N{vBgc+*X5*Tea?)WSO3TG-G>pU*0Xit9r>;}F9(
zl1PlXIT!qU)%r;(TEX*0h{3T7J|?pyz3awdj7Mct!<_^=U{~nTaNm}7F}+RU4z#mY
zI?;gXL@27fbw}2G^vSND;<rQO_$#@eD#uny3CD$rTYaG!-NEJfnRyMRn1Xx=$67rA
z`#;Mb_t{R$=c_3pgzFYdHk#2KYaMb*cFo1<J)+`P<KDqAHmc`G@7%jIS@dV_5|==O
z2M})mO@41d-DuhulT|8QawP*^uF+&hdgMEa!U!Ank;SVcH&6Upaf5q-UXQY^2&fi?
z=HWlNIDDnOWXTcZBEiYv&)VhC&l5UP(tUpU-X+bGK@YM&2bXK5CP{W@!wgvB*2tH+
z1=Xlyq!>jm_J(eh_2S|u7P3jvh6dD=C(x+(ZnYCaCxXG$y)m_Q0z~7zZBsh&G;zy(
zvg8+X^IW-bUTC-ipv8hiG%H~8pPHH2Es~@}{F|ySOqN0-&oM2ne<-sknwYthhq_~r
z`5EgqWduJ$l}rbg7DmaPQC|vwHSnHMXb>3}C0^dr6NAy=E0OSTX<W0mnTGRc$t%r9
zG7%v;*4A+SaskT->R%h&U&IlaX4vSp_31SW8`rgZW23-~V~olSN8Z_8Tu@umO?;A6
zKgKuWe%tWDqn9z<`8GMeMmO%ByI|Ygd0~*QA?4vr>Y~ZxVab5_9;YTHbAMoFvVtdY
zPdX%PZ^(Z?x71%5*0*$XX1W|dIDh&5(-A9Tc_ipZF>yH0&Ffhb4PL?@WRzJvY4Ka9
z<eHR5C`IU6-KNax;BA4Jf%oF8I##f|NR#QgW($D`S!JsycRBh34kxe36Xj&4w%c#5
zE<kb!(drzV3JDQM{+rj)fWGd7Z7(cA>w@YNrJ}tAT)YennvJTxt9~!?@1;CnV<Rto
z<UMiH?_|NpC(j=+z;Z*$@ZN*8+W14Xa?^u#-($CUv~R!8pbm+uN;<NWe^e7Rcf%yy
zFwU>$2PW=2VQLXQB;uwpdl$Pq{s<0G&V(cGZzj4v@~O1NueNODeG8KyuZPP!vU(3&
zFB)`@ehq56eU&s=I={U?eRIA3q{)U}TeuSlacr&FU2$niz2(vpFC)>iyIs=icZ475
zf-{4~;67YyZiyAEkB4szfC#&<Epbu+BokodDVJj{!pw<}rsJ=)3Vl$h{~$NvX(H*g
z`+(%Rv6kb$eX;)C!irm#Xi;;z!@$F}JYwG2)@uZY)^cK_%eK!-%j|TzU3F(P$U4xL
z-#b_G@aN%b=qxT$U~zDe?bjYIWh?=mHf4j|?WgG5sm8$i7{ba~;5(X$^-m~TnmEn0
zmJq*wT}2c}W4EIBGO#JQRu8YQ)z6cga^I{Y>>G`BZu1v%&_TXFSPj>5aVasAXdt!>
z-6E=vtLYM_gAHDc3DzM_Dt_zL<Wvf;vluYlg6N?o9<0@@?&vA`eyO{-S>O)4(2!q5
zSr~i91ntQ;NjX?mro+&>7Km^sP6E$Q8uH<|cFx&-!7ZuU;<LNpi3HWeOpCbB%f0CN
zHfD;tK#rC+{vkc*vrl_w<*+EAT)Sp9+gZ7>4FtR`*ZNE$XGP5&7BTyX5;)1d1d5j=
zJ)3SpmVt)SL;uR9x2yI%g#L?p3o8^3jSENN&~^cbhM$ti;sEBR0e%!4xW2o&dd&`U
zD*zF$>b*M(9nkGVmGI;Uam9-DIG8dIZ_?7yAqPsV@z`3wurAQ!`b`jo(Xu~grI);t
z;(UlZQsC5xUd*-AriXy6#r~wT_aC;K=1R^<XZKUkXv?ciA3Ko#094KZP0WA&RZxj&
zTz(Zld~3Tx_5e`7+c59<^-T4(4u>A8<f8om5L)#@1yd-cMT9UjLy%1o9A*e%vuJ-z
zB#a9*vkdx%Me});f35q!d7s~a`NAhalPha%`@1Pk%0tP@)f#?xx7S^a_%MYc7=(!1
zWM3!nbZz(wm~pBjcjv0?X-@rVn^Od>;6t99yS9uuNKB>AFt>$r#@cdmx&3f;S!-cx
zDS9`JoVC8K^mAhGuE;fMX&YZRGsJ)?;#DJgu!<D5`cB07k(Q#@C-5o^@99*VNO~*^
zk<xA}H(BEpJNBY1++!?3`!^a|!t5(nd+OgyK^c3k%_6o?jApU++tClIIQb4m&WaVr
zYSZZL^u14?o)3T;h}`40sXnjV)FwSaOEN&DklW-?l4)toJ<6I!8;!hDy@~4E)`~7!
zWI@cNNHeFmO$qtdrupu-wcG#R7Rq<6rB?FOe^8IMc*508d-r=nr<GlkxKzC}X@fWo
zLMsat>PU;#P`Fo!!~ZqP89&`NDT&OskD-=lEqgUufyAIt(nQy<mC}HXt_;()dRXNi
zUTD*}y}nr|#V5o+nIEe_y0F?Jfs38((!SSxfNJ1Rjgh*&O2}*Okool`)%Wq`OIL6T
z<>e{Kt2^_KR~&2Cqk;L?!;YfiEQ1XM1VkfIaH9Qml!5vE<^#zI;9~|SV(s^8E1hsl
zaT(ULQ*G38h|&C-X`QlsQ?{1*CC)2L#y%~3bjAs9t~}Y;AA9ZvkI~n^*@l2twC*PB
z?<EgR#b|ysLscU<t|;{<NklyCdpSMKHDo1eV=2e*LB(-NVt&_hegj!v4_0?7g+)qf
z7?bAmyHb!qJ5+u<n$VTWfr<_^ZJhPf1Y#pgFT-+&JcA_1Ix^7_BpzG>^4)(LSKiy>
zfef+XMay>+#3aO%qdYJpG%_62NBDIcXD1h8=;W$_SL(uogY0DFmDP5<)o9g2uWxNH
z16xvF$}xd!N5%K9SyTxtWPBC7_hb9N^>)BQEoSN&!OG{?eO|O0cB-eF27Y?s)2;zL
z6zd4o+NH^Ynt6CZi}_jAKom%fL4ed+dz?R4Y||>mVOLiC@)*W6PG&AJW)Gd-8q6j&
z_`J)45AO~=ArQmey*@xq(o#E-{2GY&jP85NNQytc4df<lejy?Hb8E0hqtiUroXTy}
zDs667qd?S-C-r(Yzn?nhVMn=awc3c;-LcQd7DnCX^#?3&#aJi;mLvgm`)p``ZFw;N
zXUGMhL&%8Ue%mtXDslOuP0i$c^@Y)oA-peA1zldG@4DeZJ=X2QlMz{sMfiRJ$ich{
zO%`W%-dP`VC)XXg9u0<ehtd4@=V>Qk6TkAf!J$IHjgNa$e*T)vcw%1*wNdj?C5Zmw
zHe61(Yf#J_<+D{`WGqP9v}#K>Sv0kqmY*yz>A2S@@JOFH(X-qRtKU<Qq+L~-W)FC&
zlT}xDmNPT(#j;ziEL!`<^;knbVsCjI+h9*cSeJzoE$_S1;U|qOBx#>-^K8ZQ#~!8m
z3VoTF`l9Y@T6RTBc#<~M^894CVkYNh9U$|3_&&_yL5zg~7Yj=frfRWRpg`m;&oBK*
zL0FhB;<cLKYURC-R`1h{j8)Fe4^9BFXG(f+2+jH7Dxgd-1Pa$`V1RP)fw6^j)AWU7
z9w`|0wO(*b$sA=a7onP@AO<yHz}LXNuuFIo`<=x<au3@Q8XlV1=hyO4-aC=@vZa^!
zWF#^UacQt!LyIjxBk-Nbn)8cT_~H?Z`<09>-_l>bh=O7kk3g5vX<;1<GY*wBhx2Y&
zDrBqoYBLv@FdVN(zeNvgG_s)2D1@S;I)PPjI@nj3svtzyaP+=P+m)O2U-WpmRJD`7
z%`RL$rmNUSPepZQK+Wm`CK<6$-o#s&#aLJ{OHe#VycQi{657D_yzRM0=}4L*wk;`9
z4=zi!n;$4C0|j_$P?nb%Z&y@J9K20^YN}}WjB%sDjZ`iNNhaqVqCfnnidG-mLOZT<
zwl`|Z7*BN)@F!Dh)G~ppty}%CS+aYOv7vcb6-}g<5rZIfKqW~G>$y(Uz&U}2{~$~9
zvQa89<T3hvs~3@KE;2V~I4k)0vzhT0a})KU1n$#8jwU-(Wjt;#sYE*Z9xTI87rD`t
zCzM#+ZM4Nxt6+^|XNYO#FgSkD6TA5>ARa-w%Vk=dKLG<N#;IJl2)rP2IoVezN$z2r
zxj2rNU8#qHdEQS^K#hwvyCYYU($!JLM6q?l>LKAcmoKG*vN|HrM$ke`LyNGOKbbF-
zgTE1ulY&&4iOk;_2v>dfHCi2R#7D%%yT^lYP^5Er_y$TS!h6LavD%xT(>KWIil^W3
zF@dGCW=ziJAYXa9$H3wmkp09D0PTU-&(FtNUmQBNfUPatNdSzK)WmdLdFfic%Ahmz
zIXfVR3eg%@3>Z;sWa*74E-=9^tT-iHX^8}x8(^U_iUAxEV7)TfjT>14J}@ymH+)g^
zS~wEBOjVkj9#$f`DmwP1@MZ-e&}!r9i=X1xXoLL9w$QcLMTVleDh7-K$E(f|kIT@M
zQ(hPJg#R07`E(1m4J8|MU-At+IzK|OOM=Cj&&uZV2VgG`uqygl+#jS3Hs$X(l-sfj
zEevRcERnk$)lZ_}&w6q#H<o)qWM_y_H3jeBGInR#dIvBiA)$UvKB6YjzL@JegBY7_
zWnj;bD7M9F6iw+^MBgEqh??u!yG;4XNNPk`>NwgsMZ-nbwU82Bv@NlAl7(y`=#E<w
z+SPoM&vuuwt*baCE)zbba?#I(Z9)>4$%p`W8q+8){zGlQHneMq*jdp{--l{VUCLTH
z^U8O5l*B1MMVw`&eZ9rvpc79nMwka0$dl!>*cU!U6?U<vB2tA~#`3JSCDQI{Rcs9Z
z&WOggTGgu$h~qh}lMk#t+%HYGocJcL(pD3Ox{b0v)Z1bdxIR|Exu)05c)*nR#H)D!
zL74a??chetEmCDlC#K0eYJF;AS7a*)&3rigb8%ZhJfPXAsE*&Ezc~6$0F=@I{{V;1
z(oFYUYHT5}W<JChK~x<EfYuxeES2Pq7>~E^^~0|zw!zWQ18SeBsj`7zXR6)GIe^cJ
z&-&JBSV)`<!#9=hm$Eew{8{@PiR)A29?lK(gH8{~in!B^Pb?3+75&sc{Mqb$_5;gT
z@nvA?5Z*=L3}*<!9^>ZW*F^>RCxwR4br#p|HnIq>mUA!&q>*b|YhWZDfxLyy`4Q||
z{W6-oktoIGd=#5Di2K>Uk^ubaR8LpPaVuu=E5q@4G_-^#YfMfiuJ0NTVUJ8AhW2eW
zw<&CzQabByJI&vKLYJtaO?`bTZIOmqM5Eg_@~@mBJ96NIcfU*#PZrGuCN528kQhOB
zb0w)StQWs#cHfzbLf0cxD;?Se4y5TaOs^<wJ*pRTBpW}Eu`%#WNv7${H6KO2^6NQy
zr8n?ni(`G#o7l^ulc!mrgoPNW;Qd9S!N<{}k41xMy#7_R(L{ofI)h9E>B8JPdF5_(
zC+^CpXbUYR*Y<_A82>HM?Wby2{e=}1<eC)|C9DJB@-EY^5?7r3jH+A<fqY~Ntr7hl
zlEW*ZcoEZS^}GopW_fq*{u-hiOuQ{Yj_A<VEK;5C{+yEgu)2-&9f?Qm%obHKdfzpp
zzRt0oP5SxMDc?NpFB*UT{rt`)?;Qs%#ayr!?=%C05tP$w@-~~z-H!sHs;Z*m9z##d
z%%&T~4Xgnpo+EKRFd!fwVE;V){4ubQG^ut?k=V&&I({vAz^SjVO&>25WAP~Fr*5JJ
zVtdMcKw)!;DG&cYA>%_vqjFqL!pc+EZE4aU^x~~oeNgH&xOrKz64oI`ln$Eo#i;04
zviZCzS&^bf#TU?~igR_qJ=$M<8#GIP3o4T}#<7HnFQN5m0)wiZ7k4KibCg}Q^2b}j
z?x~sh!V>^Ni8<CR-!5}loo?OWU2q|^1q;V;34_Hi=5aG?#-G9kJWLe1AVIlJFHe8K
zdAozhxAGZ3fgf};{{6mRzxH+pfZ0ZD=aiiE6!z_;x_*++q6}#l<lpGeGyfl-n9OX3
z*p{*CNR`<z=pf*dpl5}ozwh0x0@vq8jD>0p*Dxmwix?PLN%Lf-i7${ut}biF#LDn%
zlsp;uU`b<#%cvRk)l}$?0ESMr4mzo!hc7jk+f^8lz%Zs=fIt2}aVQvBtr~)k{0B`T
z?NMe-q$t;IH`i@3B54UT>M&YYyP-Y{w$}Wz<?i+Q76rC8iA}Sob?`bU(Wr<(-m{-e
zNu-tWe-*E@R5f3y+Z^||@k^O^GIOcmLzUGk*-6t1r<6)y5``uU;J#rMH^f#aBea1+
z%OG>j4tiDPkH&)XN7qHi`nvhefdr2tzaxwBcr8SPW+|<A>snC+gNJ*19i#uehcB#$
z6<0S>RHoZg%3JH)?gA146eLBUL;WpFab17}Q6|P0AaDKo_{c{OpR@#phQ@V_Cp$d+
z8l)GkZUiX!8ZFyiB;1ip+;PbyEAp4AqU!Q52^Qw^#RCM&2FF}vw=VnlbN+DOQS)s!
z#*H$PkB{zJGFfHGG}3BO2B6jh-Ybf{zXYdf0`e#*HAjhE&*d@%|KC2Y)_a!t`yXXA
zD7I5j3>1QP8%2YH7@Y>0hcI99eTwK1kh&7G;2}U2cEJYeq^OeRDZ3>lX9K+Q^Prm*
z4<39vX)XZ3`&WP%x36u+6oY^}cxC<l9_J^o;#U;nuccY_i;6~&J5pX+Wl?m*pnwL)
z7|8N~kO2<4$IUS!W_FagD=BO=W$pfL$rMlpi|cDda`r;9u9Xv~c;Lv0b#KlT<&UX4
zu5lUoQnvqJTbeuQJPn5FDpoCuE}j1Kgz1Dl=CQt7;^JrJA|3&J##B_|Zkmk(U<-LM
z4F+oswmq1N_O@ahf6_CZf>8j>{><=}a@$NyKUOs`s#yHzuVtGmEW;ky$wzA|t#O=e
z?oHS}&?|Q*@!m8Z)@uKw*5J4%KL;PRN}!QT3(e{SnL)JRAc0?gcq*zVv$<g|see}i
z>E9PI%>N%IVk}>RG@|%~ezCiWGFYmA%hgcwGI+{PO2|^44(=EK{MD~tz4R}m@qhnh
zXE<1DBwOT{E9>j2|Ir%i7$DCEzyAF3Z>s6{4ITweJ@CWpV*d=FbBW@51#i^3e;9^Y
zkKr@UT4E~IeX%`xrNwVQ%UF>m)LTHii{~Z2H&zpue?{e`w@g(_?!~Byi`aarkY6&+
zOlVh6@uK8#{$k40MY#CLuuR*xw(+^`;$NCiK%UF}I~v+Uyb!Br&xV5N=cnq^CeTBy
z9QyOFcMbgG8ShyR9abN!Kunx26Z(8KRpiy1)8>6$&l-_T{i%mixijV)<ay(lhQqpM
zM}BHXJX4U`lZDQVrX0;E9}alhw!L{xx0!GSSg9VaaQ{#79s@F1cp(#34o|)Y<?>iR
zFn9krJD(Y*3;Wqsf3)%r?BUt0T7gZK7c+d-y5lz)d8}vo9%ef7yoxug4|rW|;JHtK
z()p}-4(<^Z6|2fWlup703F)+lE`|&M$@5<wI}Ns>>BA4`M%DP0+w9mD`7r3(IodR*
z=x||_i1wPg-zi(XNnalC4gWZWIYG{#o1fL8!(Tq%EVE$C;~FRoikW}M^`rl(6O@0W
zbu{a(6TT?)CI6<ti2J#w!%+UYugz@q?;S=<U9vf!^n?aG!#weY!7-(kP_1>(2fapm
z3Zf@Cn4rG5;P}Ow4II*Q>})&@UBI1LtSpJWx3BNZbt5Ik=<qdg-U>^Q#bcud`L01n
zt<&e*a@Gcj_T-_T^EP;TY$~6-#s|5;ReWJciQN9pHv1AZP--_n8??XJy(7bpms;PY
zL*Jh%J3{s8>+hQI*A^J#JOkte8pEwCu3QG%z^{<ys@}-r&tUrkv@G7IfU;Gpr%=l^
zE#df6yGPlWp(E0;;Tf-*{qH~1vu)X8JjuO-TDruT1&G`J69s1Fe%Tu*&#^_kjSf+<
zjLWNaD?{6pvo}zRisOh(c7|I*H<x=3M$J_`h_2j#z^Uu+lWMAxddAdtPWemgpgynO
zR|q^`xKwC?g!Hyo-V682AC65=s=q(FhUlAxgnQBBmtUip<d(jy{M;)21XbM-mMu@M
zt6UXg_l43vh6ht)KW@n^q?dD)=`E@EyH9x$<#XB_G@`voy<unD#tjuPp?b3<TB_?F
z=l^-eoNail*VE=Ez^W)5flQcySUvfK>N6TX<ve%ej;4eZ;nBUvNj@ppw`!DY2lO2m
zCqBPc8~MaPe^pSJU2O$DyN<W8*bp1Z+Ui&L+A&o9e0Ti%c}e$2mzWMK>qzy(fZXpc
zU41I_+hA^j?hU0}JA$9bVh=7fe)U><qDuHzMZN|hL)42t<&7e(#H8iAS6D&KqN3xQ
zC5q82@^wi%QV99?aHu}Cx@@)8(F9MJL{GpsOUK!@pe8JYwJK#9k=9+gxvOw`>+Zbw
zWSc4rDk=@Ce-;J-RqsY5CcmVLXR?L<;0Idig<y2cv)p%O;ZM6b(|Vg}Ua!ge3&2Is
zMtb7ccFdMc9&p<Ct<;BkCfwYIz`L*+BZU@!C45IC$E(cA=N;Gv#nu}#9vTT>|IipF
zA=#U#{36U<=+(T3GX~t(Q0?5vqV}D|CE(Bf4neg9n1kwUXW2f8i<TZ1fgnvJ6V;vL
zcO@SWI?-pL&A2BuLQFo2?!`*w4!HD3>`HaMNy;Niw*iwm<1ZTLcd9@n@BGBvp^;()
ztxN=uvPMIzTV_pIrcJe7ZT#~~8CqhDR$uGitvPW|Lc8WY;N+vECwMiKBYwT1AwUT6
znlZ@i+?TIk;`I-n!v<&!inR_dWeaf%c{SG{dQ>vRRkYx>&%Cg*Mx0CP9q{hCGctkm
z^WQ6W$l0MTaHHz4gV7KZa$S!N={{xx5^Wkih>?u1pCu)-TVr5b#@%z}-54v}BkdLT
zd;M<p5U^l-{2wpblii>9eoV}btTJkNHX>anhF!-VIYvt;e@H#>-dI$W`>ooji{l)V
z-@Od)E{l8)l!ZBlTz9cPOvrd<A{;^}J2N_(En2oRv>bx&=`M2j+v~PGhIk{kj9+fU
z?NnwTRzr4T#h#9QZOD-gpi5E-Uw|a|(&HzPY;SELrxqNWWQ2$)bG;lkSbd1^$X3;A
zUiicqmx`ANH2=zc?bG9%10i?Xm7qo!2AA~P#uv~Nq`4*aip1eiCx?ZnHV!p&evmn8
zTwH0NcWUBgxE#1KH2*wdvzOS6L-@BIW$hmHsm&jHuB+kN$il#({GE;TWd$~)3;W99
zqayNILqq;q(}~yTJLsxSFg9DKMmHEG9$aESX^yD@rx!%`mm5nnE}>qp4+Ll<D$k~N
zHybzxg+4u9^Yt6{LM1uiO9-Ee)+sI~N6a9jv;NnH!aCTGnmh3^A}x7>-kfjNAZ82f
z^r1!th##gWKO=ggv*PP}R&Na_-6V}ab(`qye|mhs_9=M{%TtG&CFmAtIbe+C19kCQ
zi7w0VH;z&}N46*XUtup+I<kC_4U8b5&frm=M!W>zy=VG&i{BZ36%haCI=>c;S$kS3
z1R8VgtPW)}W_t4v4%iv~>dVi+<Ck#cEQ3s%ktJOlALwFG@tyqVab5$0oXCs2GZK_8
z1(i45|LecN&!{d1{QH?4V0Q%nPXD`+kwYk<EmTzh(R{y`bi{wBgne^`H+q4Lu@6dH
zFO{zBlQH`qs|LWFKJDSV>Cp<fn}S|w)E|5|>+u@}-P14#{N;C9!7TaildSgl$P`{&
zY=2y7_t>iM9&TR@9O{Is(h~er0sarTR7p+_Rk`KSNtZj0CSLN{nayfd+M7`NP-fr9
z*JS*+8rU)O@Q?p%Gs%DK6k@dB!YGj)HPvKWZBbzSSdy3s$=q&UkVc8cp*2JM64VN{
z^-BoXt!ZH{WMfFLV?1M|wp5-y+5Az!QF8Io#;10wa@0M0{)Fq*uF0cal7%ycE+yIV
zF8zx!f=lgtw+MD}xTLnZ0SFycY&U?)yWLremO$Qn)?_1%i`@8(Xm9aOc$GY|L{6ln
zxI&t5-@e_#;W2c|r1x))q!aKWTueey5q3L}Jax$GiNlacD4PWDAw+H4TyB^y&5*qF
z%S77nw;wcktl2g*@|4>Sl6rL7hm8gZS+Cx-2B_aZIe>I2_YafUG<3}z6+ULc1gD>J
zz(jmD2T3ZbSRt~THYfmQZZmN@13w*d8mqKdwB4md)}?5ZV_K0C*tYIxV=s;|t|#E&
zi!Rejd)R$LpSnl&M^`B~bb8Zwf3tOL>|s9a{$KQ5lFIEu0Z)9&THk(V1B=VAMz*Ui
z*w)8pU%WodS1|O1$vM~AZ_4?Ub8eMe(&|o63WCX5>v>2BB~3TE-1VDA+co>%{^V6k
z#*KrP64_NQPj{~z=-JBZJg1S?3$nm6C5XBTzTMZc4rE9pL1H=I+}XdCtn3{tCklI>
z66WIh;9$prvV7etzR88gU|+ZB4_Hh%8k!k-vAMqPmelm@)NHyLb$zOlUicRJCBla%
z9TS2IXDJ*<WR)e^l(+}g>>W8^yAiARRk6-=^!7NpvyBOF^}-Ta9AbShn(>5((4+>Q
z*~r{Wa|^<WuZvW-AjayE7Hb0@V=pfczTeYF&!SB5OOx}L85b<-vB~G~OLu+O`?STc
zxUAD`%7qT2c6OE_oDRHVg=aMPO_)m)oH=uMCt~~E=drSTJHm>IUMSK6MA)w{Qx*og
z@&<j+K>C<$9C_3OLo)j%#Uui=<A1Ik89=8U;<d`3G>T6(QEuBfcC(|^v9^_a_xPc6
zq#^w6doV|I?L8ia*NxVFbdHnu(0Ou*qhNo`Z5vX-tBZ5X+5X(H_*AM3P>p&q^`NK9
zFUUHFQj@vPNS+pW_N-K_Fb@6nO&{UsR(BbR-JNj9Z$67dd#REm?k9V+Tkgb}XoFco
zF-`f9AwSko>Fkl6;q!e6Xg-8sw!(gQ!Qw84=DSSbvGQ%=WeA@$8pRb_vzo{4hHvGv
ze?(&2!}qsuWnvcVAsjHlJy~sED9D`EGFz`#0m<<UL{wI@Q0r}wO0?@w$@9%d5B%>n
z3E2&EIS*n07mv$KWy<nWy?=Ov`iJ<%-et%1^|(h$H^Z>Yaf_Z@Y?yFV$$X~2NYSU;
z0_B}5FC3b@1t57xFQd7Z*WZO2g;S+|LS(!WUKVSWNm3q+wN_)tTy|@*V_k?4E$~GW
zJj>+Kn($}q<U1QuMZPSbV|vCa&PFYu)_RBr&Rh}}j&uUf^w<ncNN0JH8{*pT(nGaj
zcR}nRmrvHGd1<~{#70pB^cehZ4Ik(cV*qhUsd_<P)82QGp<^P9TlqpG+Mlc|X#eWZ
z3Mrtf)o5$|G@A5MMN8^cysgxF_-)77Jn=)^wXHkB@CTf6{#F-XQW^BB{S5b-C>&1b
zKN!G=y=fwP@wAP6{C749VOr`l{issKSCCk5#ft+I;b(&S(J#q&sZ%;}FQ0@xh+POp
z;{*tv1q=dM$#l$~F?C&T=gx5I6JPQwpBKGl-3Y7B7(1H8u4KUK!;!(kaLPB>5)-YH
zjfYJc+7sMf^gY$^CbvMWxv<#5%TB<t-2N6!%&}tpD5+=_P(CQMMxDJ2h$<=ae!RUh
zH4UPhPzoONRa_!=e_0d(Rd*o6l?L@T2=<KI3X>oNNb{dmi(;g@g@40|tv}{#q?N>&
z`jhvRReEF1(>}kHuf?}XgiG@m8w5HX8j&Me=iwsv_{$j9-7=O2@YLx+H!gTNbSY=U
zsAcR)iIo;^JA0*!&-60Zt8abZ+ktB)svuG20h94b=wVN<2~^tJs^IMbeV#eAiA-<D
zJnskt)F^uGX{)@u%*1i3>shXvjo_S~&3;Nq-C^YZPlo-6b=$3u4G3YljZNcj*8W;j
z3)lWKS6{T*v*mBV1_X#E`{oaSH=m~PQ_fmrLRw<uJl0w#BRJSCKT3UCXY;VdCXt^w
zCX(4Exx?;6TEB&LzT1$HbA5Br&)dWs@9w+eck-5lLbVxuIzo0)CPjH9_6$qc5V>jY
zr9zB;?D`SE+6t$Z2+K06hG1l;DtJ)S6988}Co}v#OoBb`o-u~QWMs>WeWOniMYR6u
zeZM@sYl#*~_^2RNBbEoN&gr|q7<;vn0Zd!2cjFpcVjx}J(Ju4NH^364B-^_UIYM>a
z2QVhvln8hX8IK7T#@Be2Y-4?QRad9u90!wi6+8D-eb-c{QG0W!7La6Yzdp%4Fy+fd
z>c>8wm%96h_j2w2wGn7%2PS}BEWg;n54@~E5-E3<R`2GEn^SxhtXCV+yK$}<Q<7M?
zr`N5M>0g^zD>~Zho-*H04jXo_(b_o|u)BU49|`T-5bTHP6%gZ{Zl{ML%@Y^O>nz^5
z3k&DlJ`s90Ue|{YarAk^@|FV=FXqByqVba8YHS#5BbUuPmGdaVnf_frV(N&+nIgr*
zq^RDd4|Dz3&b^*WfOL2ni?RiApmOsOghtswC<yYojOScw5F)XQILrUA42~xZ;9+D#
z?1tQGY}T743x}3nNX(YhB^g+75D*!+&U^@4WlGw*>A;sY;nzk9W0#;rD>5F)GAy%;
zqLTr~$FQ1=T>8UJbuRH;oou0QWt6J8p83R3BF8cyw)Q#F6EG~B8a9nNWNj<^fc1^V
zVH4qN8v&w17UeLrveG?_(*CNFc6ak%^$LK7zNQ>DOmcDgNe4?f>1FICXedJX>!HZ@
zuvGvwY+8Xa-$A<4wky++Ln>mGVQ-9K0Xr~d&^<LVi%9TUs_iTE0pUtLgZPh+RPwb>
z{oTg_4V2o~qj(wLRl*wAzA8cCf4sH(o|&4-u2A;ns}#qQU9;(@?Ru`gb|KS>_Mo63
zuxD%UO=`CQU60*5J*T`4B}50Loc<xcV*Upd0ToxbUf?*eG(=$$SvWb-n8Lj{%yyjB
zXTKw5vW%{Kq5I293!5%YtKZ%+$6@wKm~t*#54R70cln(^@U%;hhtLqrM#Q!))vRif
zc60Lz#Q{aF-W?H|8X6otfW;}2@)L+&b2(XjbJzYpmJ~QlL9&-J^OUv55jV_82U6Q*
z2=Nf5AA2C5EN3eCuMz7n=%vtjfCirS-Cx=VN(97`&#1)9moM!Uct$%YZw3~<$VKkp
zI&<RI>R%4@-#L4ML&63_6ZSV8_tBIV<~AkP4>?Mz9R;dWmfk3fhu{wHyR44x;eAV#
zwANyLw`1Io&VW-t7~R<Zt|<ST`58c^Y-a8@hJhFj72RJ8&@Ze_)X=29qO@6wLy97n
z-%V@puW1vDRRZaeQGy18RX~Z7NPb=2?J+O)m-}9;UOXX_6`L|_-!i8MLL$c4OZJc#
zt?mh`$HMfLO1{w2*;z*1X^Sn33Yujt`L5H@%gJS6z9xOGX{nyI1dwnUS}vJT(?|G)
z7Q@@%v`(Kc^z7XP+PvuQKH|=5Rf|ip#*xkDT6$K6hFh-bM8tMEBh~Yb8E~LyS)cj4
zBk_vJ@7p=r@TO-IY@=7eeGK`P(%>6w^K0{9d<zcU!2J9|Q#2L)mvFT_caBA3Vq(I|
zRoX~WUKZBOUZBPArU&}zZNKs=^u;O)!tdp+N-YMjXX)~tzt_Zq5BM_E&=~7+K|a?;
zak53}D4H1LB4=`X!QIRz);r$k+GNnNnK~N_3f*}<25{HIaRn`(T!D*2hjQ9YS^i(t
z(P{Jxkp~3_#ooX8sdSt$;{+f05Ad2NXi+%BgZXPzH(+1csM}<HC$t)KqV!yaCKq~t
z3SlgS69hSEgH6O|mD^+$A{WWzP73SV{<?5yJmpR1pB|6w9p#ow{p|WGTF7resB+Ij
z5{N-|u7Q=q*<q%=eIa8mm;^-R{HI=>g-x43L+c~FDrz!c?0v)kJam*=XR>l_G%9f7
zN6al&8gsvO$OL0#4(S00K0u}I(uLfzVJ9c%b>T{s7et>SYeD0l$>Qdyh3F7!0X<Lr
z_U%xs4M{UFej{zJ$*`wkVBW+j1WO_i<NhNNqpSPwqzq*48E%=9U^QJKs>Q+m{ipj;
zTl1<cac2iMm>}U8i#<<!tQ>JP^8CtRh;POXUP9bLs0aOPr%@M-2oFMjVqSG3Ge)nR
zSjJD9-2@>berP!{pR-iYss5=<BUL~>i;RPLU7eSZEGaoW%;+2-g?{>-ZT#6{Cf@&K
z$Lb)R^Evhb!ic1^vO)MTfi?<l5Gb`=#^&qMwYbBmfO1szHJ2B9)4)?O3ar9#`UWAi
z{DfzEP{J_IO8GcGk@-n?1@sj}pYD|%-g#=B91<fpi13F7PFPrEhU%6MR|FNUz8cpG
zp7(&7n))nHoKZrV`t*q91?cPah4`B#x|piupu%g!Xp*p`gmQ~<d#NFudpo`bkCI&<
z4d`CB3))-KdWjX`V;%ju{s139EbnvQa<q1XL)pJle9;J7tm4R0|K3!P(XLxOLLQ()
z{(ra*N*iQ0>P|mPT#wOv0C8Pl?Ngam<0pCNr;RWyS|g_RpY;+rC9m=Tv)y{@Xd#{H
zQ1G+ILhsj0uCgAVCB?eb==i-cZ0wD^q;Y34PyA@n)3;5KluU0eTT+yZyw2R$TT_}z
zf^Y8S+?7$C$EvdlqLN1Tuzla93sbtOE?c)eseQP>G?ha-qY$!W@RBTY-8bR14D<Q9
z`P&01t8A!2sE4!Hsqf3Hn--i{d~oPXMg7?ykmw<IhkbFZMlW5P(z+WRKobA<9b}5F
zoI{Y|FT4|$i%v<5_04{S9hd3y^HUQyyu=5l<tTBAv)}2Cm9*X^sW$KadpAqT#`x%J
zBOJ93qttS6aOj#0JYR4ZUU+vA;_Lv?sYlIi=;B*>@jV-QEQhMOW+Ay<8-fJS^zJwB
zn&RXPE<Yyy_<oKs1Yd4T+wqF0+%P<jMPiD*#MEmVaSO`d=a@Wtq<@dkd{u@tb%$L3
zd32MnzM>nQ_u^qUVsOhga)L9SYyD}V%f!Rxl0D5g>v_5QN|nT~dl|vVUYOxAs^|3o
z_7DKSn?<^R-gm>QHwf1j3m`2E``0H&IgN^8iD}S=mj|In3AN!2utX-Qi6a*W-x48O
zVL$vC?t8Uu9RVk8<*~AELBXA43OFNc)p<K@g1I1K$iR~J@x%kypi**^45xtGkJJ^b
zwlmEE@=cyrAtjRfBgNcb-|l1*eFM6Qgdn3I?DS6-4LTqLtoYHJT<_v(!q4wZUfAQf
zl&ywGTU4TM@OurB$xV3k!E-lLUD_;^%)xZ>iQgLX+c6TL%;fs_4dhjr)Yz-4iW@Kr
zp=OYAIT(6gYOQJ^j&SpM*x3tu13NdAK;C;l+xnm;;&gm>c>+^<KO1QWF@WwK6ZJP!
z%0RTcU*#LzBD{L!|0U2yiA@fD|Ka-uA8D&cAK$a<CII^^HtjM(L#1^gkDoZy!eWi*
zU)l{yK#j~7?o~C)6jI*`Rh70HU#14CLa5-<Zf+u>wMOxlL%!YH1e#RE%;hOXINSEy
z(uB<=BU8_zmlJmQCZAe+!i(dB&e)66%%)zh4qcm~idG%VYQDqZm^YSxTU+;gxXzyF
zsc)N8?Y3{C`<0YFAhj^w>cRVdJ^=45)gA6R?1^kY_;OAYou|8Ig&&?VC>WUul-<7Z
zc2sJBYd}=tq1q{jQ3m65Vc+dAC99rxi9$u#cQK}A^4q9u>{^Fk+|ev1ZplQkcg41l
zo0K@ivmIe@C~4V}PK_pi;b{wf@ndWkN)W0a>O*$x_&P5v=^h+p^sMG)0pbPuZoK^?
z!<n{aC$Af5^4BUaQq&Otc!*CbPKI<YX4rj&9X2U##ZJTDfoR_h^40x8s{Kj}ZsQln
z>f)h&4_V)qRLGA$+Z{LHLBH|uw0|Q|i5~|JhVii|QuxG#>;Lqt$gm%n2qv2|zZk%#
z8~^?fAOLHDzYhGx)V~k?Uzh_9PgrX6VLgimw!&XIfq#j<-xA5+-1=Yi6%d-|^OwN*
z|KE{}Mf=A)a>=G24XnNStKd+r{<K!||AA%fyZ?IIdT#^L?n+#uk#0|B9gW=CD9Lio
zzGjndV@y_DPnla^>^fW4B{#n7fmoq;Y`AV0wu|rf3UU%ApfdcEH5PycECWr<iUP&6
zW~<)70is?8vfs<K=;(cZM+%3!znCrkOW#FUQhJvytZZV3Zg^z@h=OF2ZwmH=NR6?i
z*s}0s(e=ol_AX`YpCbCaBcoq@KYaL2CE*y4wekci=Y2n<r(yrn$&c8y?|r^IvFotL
zSyv)BI`2BOtx02L;fn7gn|}M>SFn^ugFp);xlbi1veu}uu7D)-kG6+!9pi?-Aqnhb
zmkKxaNme=qKIuszTeMC6%1)0C#>HyF{p11734kpeEHPbulrsa9xj^sxuf!b)QXd0K
z?IZBjH6Oj*(!Z6>QrI(F1B!hYWjeXl+!rjK&L!rgOSxI@hb-t;j@E`+21;!fz@Ny$
z(Xm1?&~5md$_?hLTX=@%;gy@*JS069aMH3ds7b_l>Ktv!B78g9-r|!Q0ZHz1We{V!
zBC;ai&dD;fd5^N8(Y|v_&%U#ly!{yLt&}m!Xu6GuO`87f>pJvt4GQYDUcKeM8*tLC
z1|i)=blQZOy_CDqJVCkEx6tvkSfT9&`EFc<w^u2gDBt*A$*Oqxu987UQvI?dD_QDd
zokh_evo!MxHe=5*6w~s4qt<PnVAE~28&4Ml9AX_Vv{cVUdeC7m)>HetpFT4Gu4HVO
zW82heWIz<h^^xMXx#%#7_36RffMayHu-rg_H{t+!z$%C?qOQji@jtIqAGx~xFsF@}
zM04Jb#O9EPMwB_);`OmYj+mk1$PH5q_$>BY1Y0s+sQ)m^cx?ROIRhoyyQu^t_;<y?
z^RtlY;Bfe2n-p{V*Cb}vh}cM%iYS(MGFVx8$JAAkx`OkN%oF9%&9pk-E=iH)jce=@
zQkm<P8$)>sG-otJ)tk@`_(gV_Ya1Y4Aa*LgUIxo=Qek0?kAh~!(-hW?EXl%0FVF8_
z`E2Bt`oA^TlPN`Lsqmz{t5X&$`v&8$nw1k+8oi7gk-MJWYvgz`IJJe&^L9J8RF8i>
zm4&NH0;_YwV9@3bSj)ux)Y|><vyZ>lD})0KP#gJ4mF|M`hB}I=&v1+JJ<%4DD1UbO
zsoF-@DCRs|2g@6lpB5;x?(IbuxjeO7gq56PZ;kNEFPjJ(iUAY5>mWB#rhkg7Bpc>H
zTfYI0|Hw#is=aBlBPMzo-cpQv<i*aF6zQVOOF9|9UnJHl&-}I)akFTZXU5}7U2%ao
zn~sz;=bJhJtxX0u>s5BEWT}#G4Iar{T?^|H_E3_)Dl3E|Eltb~q}+G+d@l?cZn>At
z`lYcYJJ#>TO+Dj}VM7)J?zKs`Uh<cjYxSq}y%A)6J@bR46Z3l#611;7ap7v=Pt|)n
zaN*vyH3;Sm_G79cfpS<@mdzGO0aUb7^j3pLRKI(-dqIJnCz}tsyFr6%HCA7_&55@9
z{A3WCg^fXQD*pI3;WaMUcDnN9dRn7Q9NN*H+>a(BNLXD?AIm{6ZdMuG0je2sK>q$O
z5r!A2u^T;{qjzcMnYe(QfU`A#L;p4&nQ~n#>4cpSC}kLL9X$8nz~>vnO4L3YJ{fxN
zmWs#_ZJzhI-}LmJ+Wv`9_;gWkh>EjOxR~xmG!Y<P4$SaY>_zO=l&CP>IGO&7Jl4~S
z*5AEat&(WI;f$c83sptS>WkI|a2Xgv$#`cI*!~u8{<A|&T{`JJ$i;DaGi~ni7vRE*
z+sssny=-JrTPezTqSVs`hQGHVOv~=TRqK6g)2JY(#3GuG)6X)o6v51k@A?wYZTKFc
zKi7lh8Nl`L4JcX%-n_L_5N!0r5MNhG`0jLB9`WrG_C`m0KY@MzXHDlI%*LngA%0nm
zw(Z4SQ63<2KZz3Mo0tj=lp2habA$y&;4Sa5{Ys-hAl=zcn1g^&KZxQA-`V*&h$iTH
zil~#KWLH#R%g~#U;jQ^2U^2J<nG8_%7?Unl;rtU;=I7U^rVtv#$eA$R>YPILfTO|h
zz8u&T`#y+XQGW6EQe-wN?-<)`=a;Y=_f_mylk(hfGUKx1*OxJ1W=!kabh@Vf7cUd>
z7HCm$I>@{M{`F=NYj(woA%0}#GKRS2xkXkx>WqeUwBHU1EN}ft{#x0tc3gkVQ1!(F
zeY`CsnzzWJNoF#N?puS9OlEGs<a>fs)tD#$hQJ_V$6iRg*DD%M&mZEUf-0HxGG(hj
zk0N#VX&0N_U-GDVMsAS#juuRHDflE~g|~5EI6xKasleh48>tzfggE8^vdKPL#4NWk
z?yt^lt(uxnhN$V`o!xaWwp)d79+47yLHQaG4DGeM@DO&^=b>Q&QV3g4_}cx|As1ZE
zJSAf9w}pwURcJft><SK%@aCjoh#6f4aGVZZ(yMr5q;7i1?LXWgfB|hQfNCO8>fh&z
z|6cjOqzm$A*lKaJNQu-_TS^BlPqZ17=MSBMG9G-3^`J9_#JN5MnxtMz+!wxZodRy}
z=idcuD*i$YD`k*6bbjinmY~ZQS<rO6;sv6m|KgQ@97X?YEdHxO`m2b7(#UKU2=ard
zz4PyvW+SJJRt9^1(>!29K=hjN5Kc>!`UD%*-WAL{7Z2%GD)~xlXUX)q%81;;T4KA&
zE}<#Bbl*K*kW>b(G7njyG#<Z;73s&O+{n=CYxLqMw;60WV@CSGHZ&d5@rzX{qX*Xx
z3ci?uLpJ+ppwZh`;l>=)vX(|4KnkX~KIS*2NLilm0El7rti}$wWe-mQ)ztdR@_h;R
zNRJPuU8Pe@%6{=dKa~%@T0B7y&e&=@s=#rpall+SaJ9p$*Nvbvhgf$6uwoRW2UdTx
zLBJFeRqUK%GX}y+bpJvNEN$qA<&N>W)dLdZl8XwcXrIrSbT^~8OC!KhERhen70!hx
zXT@1Pot_;JV<Pt0H4Zqd4FYLY4uwsLtr?V#h@hNVz)C!*dsfcA<m}_yDTMyU>$Ppa
z46mTEx$Y)g0F;RF+}NXRbU2~>wo=zG>kzI3Frmng<U6)~`;ECM8<Gh3a``ESpdX|t
z8>xPj=12u!gV;F_%+ecod$(HRu}8WNri@sL6PV8Cl5hA8>;;zGZ<{5oVfa0RzD<(w
zgkH{kIoIgsnEYF!3mm^*<if?z(3@xbb7FeK^D;yaq_*L1Iaa$T5gvr9T5jjg^`Ab$
zu)5J4{Ki6b!M7$j6-D<bG@?(tJal|}Y_J#S0dGl%&c0KEE%%w<#&a5B!r?$ZR}1;#
z>p9b*%2fs)+PB@|p(uOe{|NC&0ZwQ7xDG?0M#U1by{bU?;rhXJqIAl#nf}OyFq<pq
za?cG-9}~QveV;+-gT2IQhOTGd#|pBIKj}cFIOlE>d$E`MMcICMlJscYQVDPNj!uPm
z%R89O#@Q?NyPs_EfAnC-@Jv`IPR%)g0{?c$XvySCfXHe0bqM5Kh{syZi2J&iCENhZ
zi8%;~$1c7kdT{q@8)b4axb2!L<&uQl(pEL2rM5n(4U0<g4L}TiIpbAjcFD!?&5iqC
zu}b~=;bM969_#gDEe?3z^->_oOx^^EBLnm+DmT?*MD)r#{?cSRta9ouLo`>+8jZ;3
ze9ANwi#g+l2Oa^b)ATDr#>T@pZcF_5ta2Jw%6hZ^<X47LyHu)l8>b2N!%~RY3!yKI
zev-nD8~AZw?ih_szDsADdmtR6jZpAnA06F#8hr4A@M*#81MX&Enk1w==JC{<)n<Fq
z<FJDM*jsK82rD{9yusfVeiCHva*o{cBj;|2)oC@%UjZ2aGFX+~X6eAy{;H_;z{}(i
zE-4<;$+hoFoJdIK8ZSCj2I{jbd4THEWM_nu{OQX&S-+?B3kY=xwR(Eyv<?Lw#3ACo
zBRQNd9E$kjAbp_(J@@#t%C(=bn@T_OS$L1eEqPd7PhE)6BdR<e=6>Bo|8%ZfF}*wZ
zL4DoL(H|+u()lJ<`WL(K&?D+HDaOW)vx91f_3rzieT`qAVGBHnm2nw5@sU)JpEOW-
z*3cWizLAH>S3e;`o|w_KP`!gLn3LU+VJ#IL5^Iq;i$sOipcRlPAUtgE;(NwtEd@@6
zJ_mw#K;DNeiq&dIN&1Pv=y#*I;n}|V{5PPES5A$;cV6#W*iU@x3C`59^kw1&<?s&&
z#|_@LJikdZEdR#s<#IFaQ+Ycs@z7goB*7QPt2e^dP>S@w$J)dMnJddW5>#Y)WTP6W
zs5*AI#qq%nQX`^{$a35|#O!e+@+m!`2>N};o%C68I@nFiYkHm+1=XImKL=#erS8MJ
zj9}3>25F$Og2H1#{Yx`z%B@=-?$HnmYWS2k`|;CJM)QY|m#IPMPQP^aH}}3mURFdF
z3k{IsIp}*2a+Bn9=a&r3E7LYo)UH49q)p?_&w-en8VyY@m@6s_g`XT5ApiVQG{zpZ
zq$)k~2m{hMdL)bIpQy=6fz)?}{V!x^TrIqiYyM%pa|Y2ss}XswtKq^1Z!f_HpM$DC
zPxy#|<s-E4iEDjMWx)XrEI@`7@$aw&PKaTdc0<#!bCK*$l$O@&q1x$sDz+7Q-7>iy
zddwi&^rU`Qqr2(7Q);ic?#E6vy$g^XfSmt9eCwS&`TubC<?&Fi|KCcXRJKa845?H?
z5*llVN@a~Ad&rV8_Q6<&ifFM#*#?!0tXYQa6&dRw%P@mU_I(*+8)Kep>YR>qzTe;T
z{9ezWy)tv(bKTedxjxH#S;;BTT{bGD>4{}2_2y<!j)@6#U%xP(W69ndD=p4>5DH33
z)Qtz4riQ(vFS#?<rm*)*YfCw2Z9br~N$sc+miT=5IUgM&;<=lYtCDrzw(8uXUiW(A
zSF=X$THJ$H1JVtgfILTTT&Li*7R|(c_ld11WTdux4NQp@qaF<H0iHUS%V$siR44}w
z8Je@2I_@$v>$%(uoN{X;!QK|%(_b)9L^o&3(iv6&3?G}HNkKa@7=7R;ddDGh%X)yh
z#Mn`ddgGrSQ9;WNcx77ykue6?nvo*-@x)!;-h2cBWR1=u_`}&;ib1OI>kxPQ^AI-!
zcayXm8Yf|D$H+(28x8BVUv{I?z9h{U1`M)W{v^`!@$(n90$K$eC?X4zf!%357&Ny&
z!_Jm=Mt?V&^dD0s<$unJ!WJ}-5fJcI+XBJfVpz?b?#De$Wmkds%Wv4xuZxvy`xHtX
z4eNSAefaQU=ZNHo*tY8_n)N4IYnTjPXd(~YDx++iRpmrXQJapgRsb?FSgxfvfTH;q
zCORIhfDR#w{60P9?7z%lw6<#`xSa&{JtwOd!d*J;tN;npu53)Idc*zn#(u#3n<*<c
zQw{}0G%3bH`~|JLi&q|bvlq%MVRFa9XK-gBP}jVe5d6e%d0LwN;OQ%|yW~6czg*(I
zUA6k-$#UL~SgR`&svOJ>XNEmnJJd9dNiA#?kWP);0l5C}+yy*BH1MmrRpFDrSHZUX
zooO*cA8JB3kN{?PXAI?szg$b;Iu)2#z3I!Z)9B9i@CBH5r*K~@GfuHWt}4OHQ6QCO
z4sr%c)qjtla{U^w3cBy!rLZzba(Mu_JU~95x;(;y{?dYrb#34Ij9aeEcJbC^X+p|i
zv!+pQNMf#_JWpr(&P2jlrt#y9`vY!_rB-wy@@zS4rqH?aSOx7~*QB+3MQiIUl@&M3
zg_hPUvD2ie>_TS}akTAo@}rR%>EHb4Zd=2M_&HTnPOrzeLA#j)ctfGc_;QS|b{K*G
zNne5Rb<~PPSHa^sGdH!@6{aIIM$K2no4phH4E)UcRxe^Ta`4Bd<A=j9$roU;;T}{R
zO-;`EjH>U*9*_5iFQ#@BjtO~hN}S0vT!&OW^b%46;QS^0HUJoRWIUih?M+r}uYEcR
zvB6IUZ_Mj&*EI%uALd~bc8(7r=H9Q~u^+<#r^FelnB^TJVnG)BL9B!Oc=kPwGzt%o
zzt^c?V|Pc`xcja-mpegNpM%Y``&#|UZKE8{GW<nnVGod%-@NQTeI&nxdXB&BegE9H
zhqAtn{D7wJXlz!lj@$R}-Fp%H{jX~u@W73$Dwwps;4F4Slhr<30O8pECY5FS;z<|y
zsNVq5ti$P0|1+LudyCS~{-ZZ?PV1t8&`4Rp=#08cQovLN;5KXNgDo=sB&v{)`^2>m
z<E)92XwO&gvUpgcHZ{6|-6rU8>M*wcYq0gN*QD9`dwyK^|Mc`}xL@nn4}5|^${1)d
zWv8m+`p&rBAEq?1WEdCfcqcvxO-vd*cT!zPwJ-V;Ipu&|j)drNb4PxZhuZd%?Pu3P
z8j9BR9=MHK>Quv=)}<kMDkZ!0%r+n3h}7mXhAu~p)|MD$d-xFFla^5dp&XVZW}2Wo
zAu<zY^*Z=zo=aFjtn$H)QqFHJ-FxhuuIXjuj&*Cph%Qpc+0MNUe;Oq-Wiz=DIfhsN
z>Wb8MI_`MxL8sJ;dP7k$%ob&8p*Iy7mv^g&@You3<4W9BW{FPqd@kkV&2>eeH0;W|
zRF{)`i`o6)^EY$SmQ)ed)(~0Vy$|iZ0)XmqRhQ}{gnq&=0I7EzK2Y!_*Cj45d)8E<
z6UW`MKf7dV$B;1}dmweehSMdjT~85Jv5_Aw9gSL@5yMKZm|fcoO_R>cnF^1C%N(k%
zE$AubR5gqa88src*?BZB?j5Z%Xgx#n8}cHHws&d}@qj9nPSZ#pS6%g-g#lpf3Ei#B
zvs)dPsInL8p)SjR#PCI_9*)I*08210Wj|cAcnV>7r>FSft;Vy*{3Q-vwCkJq`)vI>
z`&7Vj`*R%y76+Rv_N>&X<V9XJ1f<5P?^?JU4HsncPqPgbwWSwV0BZA|^=S`@qu0Kv
z8%PZ|!-y(zdYL9zmfH>REb4)7?Y*tfocu5snhl7Tm0dlk_Ud09k>@wB`*p#MR^AIm
zH7@$hCyCownvu+_e+2AmeS0EGYe)Fq`$KOr=BlU$vYgz$yZX!UnFFE&t2^N0W0$7;
z*qds|xsz4t&hjLp@tn&=pfxQoA5X0qt1fHLGtgQO>|wa8X$fsPo?`1*5*P#FoTmxs
zNiAHDyF?pVU0eC3=3b}`ylJ{#SXjGrSI<m($a8mt)I~vr+^yz)+y?5nX6Z*lp+Mpm
z;ZbkQPEeApjlLiTHI?E^?2UT=3e0bAOi(-vDl;rPBW7$QYJo=OA>Z{GpD73G^KqMN
zJ}*ul+mj{86PTorXF-{`j#J7FTjy+&)OD&YQRc|$kUU4)o^PZj@@b^g4><3h8|*^q
zA4m&B62#0B5ya3~0!m2G*&bGQrsFDZzO$xn`)WPtQ*jhcr95L4Ou!vZKVrOG9>{FR
z7VK8TJygS)gvIfy8ERjtPgqeG@amu3qi4&X6O1+%adE*7KNS*FZ(9yQTOEqcj#JyN
z+&ciGURKG|cq7|nlQzSba4Fzd5nM#Owv>O{=U@zv`{cc3kY7^7&JGt*)6n94V;9W_
zkS_#cZdp31?w+<GRP~O0W;CP59xE+3-a*?;-8>eVy1{h)yk=pzNIK0sZvkS$%=9vD
z%ME`+UjM{L|NIJ!a)plDvG|&lI;*MSvJ=qTCM-WDgYMU=?}BZm0JyZNS)qviX2E`L
zt^UF<edfKhS>obT{RLmLb9U<OBrHG3+S3o*gKY=Sx}+XII(+&}N?CTm!G=X2%iXhS
zWiIWjYgid%^VCceK+a!D!Sl&EvsHNj4_TmI_S$?U79=S_FF>`AJH_b=<fW9g_H0)M
zw!FiOYW11#)OGloSepD3MC`jGU2E@BQx%T?k?M3|GGNJEP;?GiVZOqAc_H8fyspaf
zob%Xc2G4I4C2J7}VIh1<zYvrja!*BK&$XiD!y6|vfuXzU>veCEdkzwF1VgeS?o@}u
ztAQza+4U=iA4xisRd%eXvk@r3R#;emKM_?}rb+-)axV70F;-Th+*tABQh=23<do=e
zHU>U*gRncIw1__0c&*=+fBF1DLDHE{C(HT-YBGAqOQxW!FSq<OodVT!M@8&E1xTe^
zSUC6eQW!2ECERtkp=ilZPqIRi0iW&hiF2M);zW)(<n-QZcLRuv!Cm}gyBpn;KCjZM
ztEMA^pKUfb`A`Q{)@BSFy+UN5m;9%>x8*l?D|psdRJxe^BRduW7JjE*JJvPFq>ZO5
z{P`o33;TCou|oP1!$aLL@ZJwscYXOr!0my8Vp%HA>#fvCF!~FNF9wB#7abeU&WNxL
zpuZlm`VhZoZwyuurmBV<Gd8S0`C~{wFVz8`xuR&HV!eC<UOsQI*Ue_=fQzE%1dhKs
zGR5Rp0B{?YnNpp;XdAj4=M2OWlQ2^$?)t%KtboU9rrX;Y%^dt*5&O($&O+Xcg>eM=
zp?uArx&EYJ>dvL`J0E%r(2<!$zV8egxz_f748ho-ip@A*^l8=FK|32R*X{FnXl*8l
zQTc6v76vR{e;c7Nx<$Rn36cRTkN~l}y9iNXVxnzj-L0Dg5Idt0)pqH>wvPUFRmQyS
zUu3$U=`@qxf1i>4f1&bq_=N=JhlXz2h}sDos@%R@SFzY`m6!b|gYzF(VnFnG%?z2f
zrRoI$sK!Q=xofP(&eOlo&tl(SC@H{HEA<#lWEkgxgj-j_h4(KwoBr`#vN46wsp;(2
zXZ9Y9qK?5IROb5KU0k+vp{-LKlfC}N?l2@7K__vbivkRyp&rfbQWdv>^+|3yZo0P+
zBxd`5Bhk(=i`qFc7=YroYAOU36+1>4{3+?kpe~lF3|A~Rio-vhysV)yLt^+)AWVN_
z#2TZ?0ZGVh4y=s!BIBma1>GA@<0}1Dy47&nNpii_XOj#Xix7WP1r(%qpEpo_XtDQv
z)8=OpkeY*!F+HA`jOs}Jda_ST$F0{k?)_BJZ<%sWLvL2}{lET<5G8~DdNQ|qbDdyw
z61L)`^Vbr6ySg0u@aXWKkCAVQki*wv<EWMBKcBc3;2IB}))A5S+a!zUepE9rG5-DA
zf2Z%ja>KFk{MTYQu^D*D-S8Wj?M45Oe^t3M08^n&=we@7HO~pR`!7f|^ZEq2Ck9H3
z^`fJ|1T0J<rVQ}RZxS8<mKgY5CE-KRM&^i{r)!sHfa4&5Dl6u1OlIX7{?|V?3PBqe
zo*yxSv$C?b0JWayC;WgX01+(mmWJ<d)E%zK7;ReY^uDVXa5zlH5@ETIFkO3oFWK(`
z3rrbpkG}&VdJme6ERbKFdOnC4&OPLJ4(oDb)JFgXUvaDdH^=_(&MrXiuC+&^&K)$V
zVmJg-Cc7T_8k2gV3JQrCq~9&7zYDosHfW78ngMKVZhS7@RR;8L^KW;E6+&%8fw9)_
zy-Uk2SHu0*c{P+ikIfFWV<@K*TAX3wy?2h4K;c7=9gV*hPvjRUdG)j4PdasRW2*PM
zQ3u|u6r1Ca9nW-%_k!JP(ZK-lrM_c7l?q7O9{mV>f^NX1fnCQt?O(o>4D-~}J$o9k
zy|neefp5tSv|C^gjxkS0t<5`BYCYYD?UqmntIyrWV6xn`J;0#gf)RFx?OkiDJ2Hco
zIv)sHx1sMrW5uTDS!c1I((v?fJP1QCbB-$w$Ii9K^2KxOsW3K#4TO5@bdi$l_n=b1
zyMaN>E%U7}Wh)g0(l;-jG5LFkoY*A|`#b_<SetgAO<T;5-u5=zgV6})lu_17bT*Vf
zG;q~#;Zq&}uzWUGeTdEhN`wN8QNV@P_<5kM1-o|s<R7C9sRj1a>OT>hBgiI+lAg#S
z7$UfDKfrMOhPgJLJ9G90x@98TI5mLZy;xDJXeI}6i?1cvF#jRnBy+5O@-|?QejpU5
z-OlNjKgLuD|L7h_6CU=YJjMl4sIj*+2)Ro{l2=Yd5-s6-Wb%$K3*+|NQYCQSi|aFB
zz+W}<L*_nvk>IkF668KPJ6{?!Jub)t2yI8pkG=xiC&=+vp`D-fhwQuuJUg^U^RYsj
zvDKjVwp;k|byBYI_xp7g9J!3B+5B{mgKct$goypJM*Febjk``W%Y`-VX+H&Dx4OZ(
zuiNv~uzwu@=A0?5CE`!qA!Co5sJ_*;FioJiXJBhW5YB-Z=@?tSLWwE3;e)=*b&}~b
z+8B?EBtsf<|E+^b$q9I`9>XOi3kzW<sl%%vu-#VEcBn^Ex{Qbk00%0w=hTyD2%tG;
z2=w%p3D|+Jqb*5YaJ%2bnYVnvSK%javZ{|IHGrOshW??)Bcg|@=estcp00-LQLxfG
z$eWjHj^7!nF0liB1mGgW-=DR+i_IkD-3oNClM|sRh27T()UviYPTbWkj_NBQ7Dv{o
zd|l@g%&Wb%uD`;NUhW5j7hEAup$QfG4q_tL1aw~`3!5z0oOR(ze_P2w@4T?v)MzKG
z;0AW}bGqBH>NG^XXOs2cy$WfG(7I92H=WjR*Cua7dNH!&%b<ex_?3D-Nh$H+C2Xyc
zgFj%rSSebm+F%WONu4yX78gpugY$58Z8JlTJjX-=i~I4kQieq``4cloJVRIFVS;x*
zBCeFSOl)DqQ-;N^sgapmNLi)Q?~qD<9aPwMT3eCm(YXg^D|mJRVE4m%9XLmOZi_4L
zDH^<yZGP+n50q%6o-5FR*no@KZ+@LhU+T!GO3<{6JHqts+!@NK81tjUP6`)KbGoy@
zVNKSyg!AY6Rl&-{-Uai4jHKT?2j?jKJv#~_bc!lE1=v`lJCq!I46p3h`AST&pbFv6
zggv%H=m3$bInDh#-D<M(>}^>t)I>Qul<O^XdD#oNHqZLICGSH%SdAYROnn#ucO*hZ
z?5&C6^>-De>pm~AuVJxQ`=!8zJ^8ml3n$+6tiXNyR@{#_Qs)(+h3Z<zF2b(Jj{Daw
z)Vw|M)ZKPU9`^{|!~*C|wK<St)0=0ewTc9HyjWPAT!FE`HC{QHOWa^rKS!<5PuBzE
z)gPS^y1<p_$aEkfo>x#Rb->G_{^T?2i^CV|_B)gx_AK+V87t(cAEx>1Kmf{&$&+X6
z&3N-1b|<)=P;R@*0;W(vWXtUznG~XigM*PaU6A@$UiMSM;_Lr@iuaFHObF$Z1Ep_>
zGA`%|ouMf;{+AKt_+A1P8T({w5|+#kZB-)2F>c6H`hWeg+7NM){pMhKC?8p;FEwC9
ztYxS8Kzgo>F_4$6|16bI7%1c3Z67y|SZ^laHyfvsE2&3F{#SEkxV$Qgu@%%7gkx{5
ziG9`DtPq*7FDE-l(6ohvq<nh-BXq{^zI!<-w<2rVa+yd`1l%}(a?si!>`7+<Jg*AA
zuhPxix_8B*@_aEsv{<~VOw}mevb>izYP?A{vxFrNx#=Zk>E*l@;OVAp=VL{7IpH-;
z&t04K&KmIlX7;8Nx-tKxImYE$vV2Pn@7<AP_4-~bR^T0ng-F{6!u;HkBAU&aE&&bM
zzGmW6C^=vpj}xThls0D}iLjax!R`eBN(yg?lD2#zk{(k?v*192>N~yq&OX8QXGjGz
z)M)=`xO!+aziudy2pmWKd*Oqd39)(x;(mAW)#n1&Ms?$3>;o@Iv=-S^ugz`>c8zrj
z7cN)Kz7`{8pC-9116rX<FnU)o`VyDB90MYeKwM6od%x`jh)vpls*!+#_*>-j3D6o>
zU5w^Pl26$%CZ|`gw>Cc=QqAZ-+4wMF&<Xb><(vz_)k7ojA-cp_-u|X)H(aofQ!4Jv
z2gA(@V?-8kN?_j(g9vhTx5B7}t$rh@jEvx?`tsA|Z0b1IK$y^@yg1;_Q;|2X@ndD<
zRWG?F(7u~+;W~AERdW<oQt@K}@8x6LMKNgP8MM9Tkgx|jM9ij&7glx!<uUOtUcEJ{
zQblV~MhVh~Iu5AzIePg_rN^;0!5*{3bw#;EuH=(liGD)$E+xHD9l2wKTvx=Mq({<h
z#D>F#mqsy=%Qj{ZkDR$Kn(pby?mUb+*F!V`+o`Tw?RJ7<Go}Bob^A`H+tzpI#;!|l
zc_+D0^`*1S)ps^$`~n;O=i*S`R9@I>Kqyw^Im^|%<Z>x`EYz+s)MiTV2%r1qLPe7Q
z;_JpCK$n+~zgayI8Uob1Z`(8fA?086>dxmgA3z+~eqk4zIcEaCSVEU*$S#sDb6o}s
z6S0-`FZ$yRJCAq#j4DX-PWV?;A6#u9FMZEniz;+HV(;$zM?!!F`^f7HIYO^*GRsNr
zZ(i5AlJyp7C;li!q>W*ifYfYAklg%@;tp_NIAyK(&Dvk{qj)XWWee$-DacLVphoS1
z)|53YRQFV@S8j)B#6=bcy5#k~i)B;>WzUyULL*xw8h8go(Q_N$bQ9@|nxV$rUS$d$
z5!5K;iYC2zx@>{e`9ii9*Rzq^TU}#%9Acjrk`i#p{o0vBECHxhqmz-W!QsJvT~Wa7
zn*VOO!jL}6FfSC1(&O8iBv&6Bb=?l>OBuR%XTR@pJ8wg6vwFUOb8C7hj(ysFOie|#
zw&Q+{@NnU)q_c(j$Hnew#qC+!xS+c($g%Qz{)`Gc<~3k_OLo|W6Kuapx%g*N90QsJ
z3-9Pnml&A73qdzl9aYzXLI&jWoU`!P7ovd`7st1O)-<y%LGQ@phv>lhNnKgs;ukbw
z=d|9mp;xF2lnxIq)l|nu+R1afzw4IxR=o7}`Pc0YLLATs!ZL=2)Qpc}TxMkjKEk~n
zGSEUb+!=q(9dJs*qu1?G(&k?EcWb&P<pKau;ejnBKZ+K<ju}hhh<7o(Li`3PpXrm<
z+-1X)xCaXNF%}*^efS|jWL+v+A)nyg0yJiu8JgtwDjpk}y#6U+^|MIA*9jCt`OU`p
z>*=2TS~`KoCKqm9LDl!_5xF0CuPZ!K#}%Co*(+YDSKz`pZ3W7mIlqqtKb=@q$F1(E
z+Ycq`?u9;h`OWg+&cx@N4dg~2e-B;d)n-WHzR;hNa$45^jxHC+P(CM)eZN5&)WX$j
ze0eZ8UL<ppe=T3cQirq0ftY_m&awQUMHycz5Lq1bzAtx8%?R#?Jo}(|Ix<bHCn5EZ
zdSe)o7O%%FV*f+&LQ^!KJK<#uNBip_NoBLAlUQaYxG`5ll+?lT-tTAFw#jM-quUiw
zsY6sy`QnQWZ>%3d*j~0Dl!l26?^(B^3K3s8;Jw|?Hh~^sz`qwOEIW$))|~!rV<bt{
zN+*T34Wsmg_Ue`E3%g6xeo)x@nc@9iFFOKGD{--vG3CF@hX^&IXX3kxgA?!Cewix?
zPR&n1U%$m~Y1v!SBlmbVj)(N{@Eb>W(1mm@$UUe)(Cd(54-7uBj%qdO6$-R_XF0m7
z2G=9^EpRv^xq#6Mf?*<qvD-ht%vRfb0WLf-xu5NL&Yk+Wc+4S~Q73g~`-MuS-G_Nb
z9=T=2tr5csUIAIf2a?tjWbGK4NouhCJ{0n;`Gn^A(Pey>huxwbt*p$PuICFH{ydld
z9hz4|=Y;Hjo=)RiPp84*0Cm8s6k{qfUpm0@z7R@Q$&@TqN@xJ2cC~*$+gifSIa&JD
zOwIID9nzm??-E}MkSZ4oy4t|<+$1XDKv3D7_p$Fgm^{V)<4Di72d08L*XD)@ZsDk<
za?^2$N8a60#q;f$;k2=Z$UD?;)#^N7dn1#p!9mLhQD<dZI`to4f(!ZCBPvV!SGf7B
zWL;wUkB`iP0q2c4#uS$6$Cd;8@4+5;<*MncVgG<?w*Dp8WcT;^_CH{o5SQwq^KRt2
z0MfZ?w|+Pf^@TOZl-z85t7BK`Ikj8~-zV7j{>5|W8t)eMxy_hf8(K6}Gpi#rnYHDW
zI%|tgj*~v&?!M)&O-31VWNQ|dzBe)=X<;FgLGg&=cp5KlG|DJb=ZY-Ypi+m|9<PNH
zRh%XD8+T81e`<Z0>|2lQo}%9oA_N*)BdwAN_Qcs&i4PPznzBn)5)hl~#%Bow$PWe0
z?C;?Y0psvO7xT&p^X~d(urNU^m^nr0objuzAaKuS(9$y52hh;MwXtA!p`zK%4lyF3
z`sG{rMPZ!<{%32X*oMk3<$*?d(sC*9xkj>`dL6phMr4dJ7Zd*O`DOr!{~r4}0iXG#
z^`|2>kk&rg@u~inznmDD6rJhEwo!y-0CpKPu_v*eux&%z3Tpy9H&{us4=j>D(*n(D
zS4x-j7t5PvRb6eZN{iO;qltSd>y8fZgV76cUkg=EOL<-Kdufizy(?a4Pe+72)^?Gp
zp7E`JkI%{9=D>?1>||p4^kyqI9|-Vj#i4VMNo(2EeYp6%crn%=Q}3GCY8^>WCcf04
znC{EZGO3!1JY`E^`t~r=g3U2Coh7m*6s^+)OlGEGu=<lS)-i=*HV`fsh2drwVhFn6
zwBI{B9k$(IF^ht><hj=jXqzqVgTn>u-tG~JR)NXfo&YCSbT-C-qcz(Rj7nt1H*Q}S
zqS{)y^0j>IWNw@V)2zr@D#`EefnCQt?5?bTen$&KwiU}gk-PB{&hLJ38s_A65?rS3
z@(fi6ht>GgRR!pXFhJG(a%rG0b-HumWLBY!vgSSoF$6eS3bUhRB;M>%eLQ>gfu_+x
zj-yn-vt>W4C>>KsC{AiHKKkh?g;51Kh;H5QW0$tszp~UWkx|?Q9a4bC$S4j!Z5?jr
z4(O~Dy5{vq{d-5N<Mu#K!M=#Y7@{G?9n9zuwrnjf7*&~)*&2nytu-4Z1GZR)8m=NT
zE%deCIU)CMb^R3^wVww;kX$3qPK(_qX+MT<bGz?+MMG~I5{_5LHIlRW%KXI`Dk=(L
zTb5Pf<oaqUwW>v7r4nt09KiM}T3M^>(6Avt?%DAJk$Cn2cR)$~(vWB}p5c#H-rzby
zt+_-w8)#?u+FX2E^FugGpm`;aNO~9nQF!6OTzk>yH{w~2!b{DLiU-|&5j<9QgcU!=
z&w+2<H?&++J9jUgO>B}ha{f93{P#c9j+V+BAnu02kgU2lu?jF?{mta?&-yHY%iXYt
z>8WL3ittHQpW&jBkM(kF1)v0KGv1P3e4ATm&<DU<X}Bf3{vV>xUv1fceEzTCwIvb#
z4chpBx5v%#!DxoydFZ~I0_PMlKhdG_x3^y4?%zns;VwQwomg*u(Ct)g`3&lg&&j|Q
zov|{kTd$rmcwMSU00_fbg#kRVkx?+3A*7!0nX&0!Hf{Zx2`rcEeiTA&M8<1{f31S`
z)~Kyz1r%xxApCsNX|rjQ2hwU9C<>4MY#wiwZ~C_9X?*^zFk@QAI$&COA@10XtpZ0J
zSA;^IIFOfaf5nK2f8Ob?Eq8hn`yn|8P({B>JOLxNW^K5!J?ISGwP(mD0%bvl>N?ZQ
zCtIU5cuUfk`;*$SUF7?%IP2s8srZxpT*%dAd1zt~+f_Ms3@~<M=6?RNHs-CrEM}Tx
z@6~#~d3(pYsaSr-tc|gZ{|h~#TyZsA4Fe}IAV=-K3xEh<KM8LAW)cEGibPaZj#d}p
zp8ot+^T%7>rFF&w|M{tre|+k{Zmr{Ihm}TR4LSj25nLwx|NVjg+g{Wns^R8Hg=+sG
z{n!Vi)$QmU`{KPxIlcivZ~ZF2vy7^PcT&n;>Pjb-Hv7QN=rvBEaBfC@^gE7$Z(s_t
z19S_2%7V1)`RQZ7I#7V35c5z2+p_A@#ZdizzBfKvIxpJ}G!|=#<8M$LP`KXe17b7F
z+iY8jV05{K>TT4Az$+4kPDF-Bz%}EpKXvxI&N6;zILx#jxdQ%>DX1GnS-`fJ9ZIVK
z#j;-EvY7}4tI_fSh&Iwd-|68ao}(p}<wDK-?7fA~h3*psZ_v-L&>mD|Sc?5Ak*Njn
z#h;yU=MyMkuf2SMxE2_SZrA9-oVjl2)9Aj7zhC2vCF!P=x5yiM^umWe2@Ybbqv9r)
zr|ud4bABwRAYhCJBH~t&tHxM9_kCc`KeKmxyve8^@fhKD>S_r)KWy9EX7p0kO2I)r
z!y0T+TYJc>%>v-oYYtZ~sTd%Y-RehBn~BXo7$Jucv1Maivr%t$lTpZyy{T1uTIaJC
z82%Q0wsBg1vm=ed+4(RWb>?ohsLa}s>U)uNQgMN^N&Uo|kjxkUH)t~fcF8|gN?+dH
z5;ycCtYj2YxU30GMSTzfcQz>hF6b0Qyp>%f`4JlwKjWA5^F<!tDup*uapHUP`ezX;
z`?Rs@l}^CG0|&-J0=oaO`!7+_@jYAK-ihpuAde&VZeYd_U?{;6sEnS8C>fdB?E2GV
ziVOjUpop!<)1QOimz$Mnz(qeTwqxdu8t!RS2i+}ISg&~>lmd}+r#uNp=el4hHig&7
zYHj2AF491W&Phf(*>-yCmAwI$=AGt_=*r6~1vn?hTlO;NUvI~xugY+C4{|;V3YbAA
z3=!9tz~cLFh8P&vAYw#@Jt3y59}UERUgE?*F7dyfaGF;?MDNH37hpOJx^dB;0XPZx
zJ^nqX`6uM?SH$Yb^}EKfnrQ;g)4y4S1cdI@EhNNB=lW^-=WXP5$sB-v1hzC_j{FzG
z;@g%};m&g-kf}B)hDQ}D&iK-T);@2FU{3!+=bg~p0=EI=5XU-=(5zP0=K7wGD;usd
zXU-n<bDoNfOtf05*a1voeg*e&mA@b=P7V%ij2{;CjniH3JG<rT{a?NyezT<}2}&<)
zNozRoX4^RPgQj9;UI5^jAV1(!^9<{ZtjA3F|KLgeFtyr*?l1SocJC@V`6i+|qKLwn
zaCP$<Yjg(y<u&W6?Z1r=nQRk_M8<#?N9Tyj)d0+hWbD!d^)+gbP2|@`bD#0;8tqQ?
z6Wg!iyL)=#O98ME7}?J_(p(4AtET~$@merivYs-v?Lyk09w$G)E`5jZZ;YcpyM(&c
z_e0N^^zBrtHWr)Yd}3d=J(uNocYO6m7bc$r(HEPJ8(O)vY*~DgxDR~OUyh8wZVZT8
z{G9sAxeTCB#JIY)rYJMCKOUVG8GIQWs;?^^r`Ps8bTIAU<%7GR=C@D2viVrmM$n!L
zWxtD=|3<kq*;r;Aus!JY-?!IEYAE$tu;%w{%+@Y(0&dHr9jTi|#vfg+vU7FW_a~qE
zu*d$k9KZW+BV7WSxZkSWnC2>yUR^cR9TU{CGx@HSB-8!_7G{j+!*rtK4Si7LU&uyV
z7W9!lk^!4fHB*D5^alVj|0DdP+@&6%kWoYttd?3#PSwwIsAdw@{$;?!^inHEWq3cp
z#A8UNC%2{hKQ+%9iV?oP{p*<<v2$xnsz)T7%pJxj!986g=4$imuS4WHh!Wp8b}5_d
ziH}HCty)iVaI6ux2VD-~Wn^SbOpTqqBK9(74&$xQ7$ds9Ts52>scREz>Kc;+{^XWN
z#b)(~ilYr@L(xa_Aa~&pMbcrKjpm9>Z5hC)i17s%5*TNi1i<?;{>2o_*r5!F(f#EF
zId~$UfWWzQwEJV@QunvVfEQ!zUEuiuK2*&>S~2jyFA+c}`VDQN0?c*9V>+YDOn|R9
zh$d2heXBzYn2*796lc!Kc6MGdH`ahLMnO#L+d!TE(iXUkw!|1GgzrE{WY_#U&1sMS
zx`R;(<ARHOrJvjaa@_==lEoC{POEd-xNJ~V4A2U{KK}NmJ=*OdaylQ|3>-CVmFGV(
zFPDqGogVO;%aI8D@kp$>zW&Oj@8Yc&BN!xB(7TqvRWjfU%gK!z%MFL+mL506cj->0
zS1Uc)h>ALB@pIxiw>dlaluAkkVqBS&i|MGRCtRFt18D)V($8!c@i{!XNnWRIPt&Ad
zc+Hj1sdx;9%M<dKh}`<5E_fWkyb|0tpH#0tNlZ^gl^LSuzkj}!phWuUmWEvE_l7m0
z#=KG3Y>Ub=Lz1QCi)sL!@KU@BN3E2Ta-Oe!D;6EjH<bi7B5})K<lX|Z7E+*i>P5M)
zbLl+r4rYj<WGM4mnJ)H7xrDwRdl6OUj%q-TzPKugf1$LTs#p+FG=bBmlXk-edv$zN
z94TKs1V9~rwrRHuk#AaPIayps??H`)d$TllJCni%mF?!iUia=^I+S=-_`BM6)jLs9
zpLT{7L<Do8T!kae$GM76Mw<5*fofUg&EDRW&XqXLq=G)mrEYfh@FT;#9hmR>YB&;|
zMlxzr`}VNgOZ>2)snKlYJwq(SdyP6@!$I^N>}gWqc3;P4bckF()K}Vu+X?u|6O&g~
z$L?z*rze9cH9)ygSXSS1eK0ic%T6@v3}1HuP(XwWRzntha)ws$Voh%ZdsR!C=kkg`
zZLU9C_c~?~C!vv2j?e9Uj?YpIy;G_bR}B2ZmB`FK)%|c{@mB&TaJhDCeX9)3yOb~n
z=3GIeABQ4jQfbrn63FbXiTx7IPAkn_HC5zQjH7FhW)Z&!(}k&`3kGTCw@tVn9z>lV
z4BeyOx|4_d@an5X(WVfR-J!%a`1(|cNN|zJ=gYS&CmYV<Q6`p)z(wr+XIoK`^rBao
z{>PW=x}O7sx+w?5hFk22{%pis)#bqjZmVRkj{Azn$FYBGuc!cvDP0J}!y}*UxNrQ&
z8&!`^%h@kidQ*YzbLaBs=bEHDm1md^7&p;2R{$WqZ%sUM1Q9@Pk;kX7<8xi%Ycq{D
z#@G;Yffnv+_1={}(u*i;vQi*mrqsqT<?)%A&IqTjK65n~sAfa<z1O|>c3~xthw9st
z;#c>pv>pXX-`#ufE|-5QI<iM%IG>$uBkB*e?I%4DMQxwDqUCHyUr{qMA?F?Lg~gVa
zsS(_0Wt;0$Fd|~GkAQ*ASRy5l`XginX<midW~KUjB`tj?j*%njtC2t&2KcnVD8Y=S
z*xj2~k&mDXy(k?sNuIye7=IOch^e6f=z1Lc5c3`My*9BW$9BYyoE>VH@Q^ur2_V00
zQT^w>Rqcq7e7W=%Gsv1zpz7==x#|i0$;BaV-nK_zN&33o__|X9?00LVT!1pfv$0vs
zl%4f%=-3-2rSv<cimd&x?qr)yWTx^9-&wP`^+huwDk9jam6G4_a}&6%FHMYkq*BeM
z10I93m50mI>r^wNIDPYNyLLEu5ki9ZpoAwvZBag4l6W;{<KwngoJV*O-q9-$*frQi
z%=kAgjdi;@h`jp8w>_cT9nl0iVoVU3p_7^1|Ni-kKCnjV&tGC5be*<Mb_N56-tYpm
z#{TI`sy=(B(m`9rZ2KR)d&-J08h#%y8H`!30q(@b5O;;ezJSy*dg}m5+4M!SeR9So
zi}T0t_l3hAcF1KGDBk!ImHRAn>E4Am#~Kk!#;2}IHXYyltY1&9tGG~t-?ToyULERR
zaH-?{7r<(ic&*zw8?*b$&WpS27caFNJr+*n`TUmpkZsn#JOb5(Do&-0DvqLIGnnqp
zdJQhs9B3U?dO&(K-fwoT(@ZhF4$T7%kl1&%q@)aHf)}N>RNtT7Bp3}J5i3<T@}8!~
z+%liDFzT-f9jF!w=2ZK5Xg)Gxb3&Dtj>m48vIfq!(n>Y_b=bFykw)9+PV5U{OJ2P}
zd=*v?RbRO+q{cS5<ayst!}|erZ?c2P(bM0D0>>iwm&WV%%8I%97B+^kM`j%f9@DeP
zOV3L1Ixv3uX;tp*Mqewf&m`#ZBXsC`nZnccg!1Zbtl5H7ue?fB`peV>^GwyJL-#*Y
z7>rQa^^olz$e1bK()qi?Ya0x0$`7rCNNUW))i>lX(nno3M@5gM6D<QMU0zywJ0&02
zUsc6ULrAHMtjmX8U@#8f+;%r!Z2Cq2!QwD9_<dhSE?W<<`ET~BQthWmS5fn<fv%MD
zYHE2_>iYXs-=nQ}eWpxF3j5FRl=F`e@pK%Z_*hnq(EVqIa$J3)$Ay~J+2WpvrTDnh
zEK3I{x!$3opG*ozlVA3>_utm3xpF30=hmmlLjx?HgF!ZxBDXx;W$-Nn9*=c`=LG~r
zr`J}^TZ*zS$XhRQa6swnKpU(pkd{YBNO%GN=+)5Bcv09Zpddsmr%ZGUDwPn1$vv|h
z(=n&|+Ao{E_)vOr*wc!~l8*Irn9|n%-t+Zxo%+S>BUUXBk^}YFqzjtvNu?H<5AX1&
zcLc8M@=Jfg=Gkl~$ND^;yTk*%cW6drWvqwJd<}!Zeo8qSq3ie_uZ);fWfAbDKjZ`t
z(s~{U0cLNGRByy(QCH^j0;}izb!r%XBQd1*^xICG8;15o-sFr@msezo>eWj6RB+9c
zi(+8{55`jI?Oi3+w3#k@RcdLs%2)ZSg>Z_xy0QxUp`^nK{I^pxBi9P|Woy`Tgob#K
zb6f&o6yQIBS#J8$p{wy-NiG{H=HTTiAK%gT=-_LfgYzTt=WC@aWk<gB#D@D&n13)M
zD>+h4;@A&3XXR_6@|iY;bi~Y#I86oyg6DU}{|V1Niag?7cU~bLipM<gl@zp8=T+)Q
zIYjeZHwZM)w<Ns~w9=Ei(5Bv#6&U*Ml1k+J*CMFZCJU^`YAI>0O91iolzU@p*=XI0
z^yiT48~!=<<PoVrq>aRfra+RX-;?6y$YoK#aOE*KZkYfnL)DV-h<gjAlILD*GKWoH
zFz;{WCCu`wv55p@9{{rnciO>`>UAT!BLzskk#kyYZ(nQfOK)2{xS7YZPl`KP*nQ6t
z_f3&dPH6S&SIa)m+0~6v`M|L|Ir&+3bzhB!hBTAp^-d9UWrivj>i8pTrHkDS@3q6f
z!?Fm)IX0;ubQm>+&g4*hm2>|&`AN#A<6K>@d@>vFK3%Ykok^NKf&;H-YMYLkfgG=e
zk8xj|YUd@xybZpSyYf&7ii|2*CaZd$ck|06p!8%hv@HXV>fXZHNVso);@G%NoKspG
z<|v{Co!K8v-gtz@nZcK0(s?Gw#iWMTHyYLmusrzc+Pa%ofTN<tit(q_uo#QfQ3L#;
zjIOZ=4%pd5lE}o4kFGune-x$-n0=YuNKhr)cf$ye;te>}o#JG`?SOl7-JEx^qOAd~
zLETNR*B|&JG4<e^tE<+5l5#&GD36CWnYUTf&BAtv&4KM=#SFf(_u-W{B?D%s-4`-;
zUlkC4Sizk<AM^2O{#Cb|FAtCCwOG<7r^IBpmF6>7sX+W?byzn|Si>jQf{LAdJw6n^
z7sA|w;@8^KrRy&xrx;`u<5-qru&u^Bshu0|FO5}pPu#B29n-@E(55UcTMfppl2^zq
zRgzT?mtYdH9jzgbScs_+zbA&O(1aax)iU!Lf;6^mY|^UfE2MJ6Jb2IQ;kN{aG$wv#
zvIZXj9W^LjRXnjeq-jAJij+cjj?n~Xr({o+)UigCo6*Vi4fZS&&;?X%ctE=0pF_mX
zPKx00nZ=(&nomx)97FHhym_e`!y}_OuUuPQd+66wWaACNnhbBu(W!H$>^?vVI~7^G
zT-qAoOp|}Mxsgf_RI=s?yBwy?{ju`})9??21EFT;$u`rHx33nxp1IEhUlfUI;JEkL
z?VUT59B*!g&a`Ck!lRyd>k7kZ0!4i4(6Fw<?eA1D0Z!Ne2lAuT(axL@r+u;xvt3}R
zG=@BHrzWb(^){$WaL4%X!yL>>vR*q{M|{k>oauf&W;8N2;&}&Affu1IzEoa+l|S%D
zU;45jJMRGFI3WQ#CzgBl{N<13fZBIBVj_tfdTeu0l)sHGwfVKWXPkLmN$T|pWF`b^
zUi8M$@yKNx?kqDE*3k2#lL4APMuy0XgoWp-s9Nu-9g=r+uDeJMF3lT`KFiA`AD~ox
z{&Sc6^dYC|$H#zfwdJiR8WouLRn=5)`mD)$wH*l3ZtLgl_l5t+E^OzR9m9%l+oc#V
z{OrnQ{(C%un7H9XT_Kf1<$@Kh3uO*|d;5KQj=dXvAQe!cJ~I|mc8<lX>uPHE9}BO$
zkH<#_UrA3A8+tmbD=2xwDC}l(=MfPTcpf}=W_9Cz3wHic-M7;D_<d`R5|c@9X4NI<
zR9Pe|O6wcM=!XTd+*GsLsai!R?qyEMbItFHV(#}NmAhCE8<axdNjhbg*F|OVK*xS8
ze6HK*G`gf?ectYAAk~FFQ#P9WP^WD=Lq6_<>gsNGy7fA6|0!S33Z&%a4#roh(?r!7
zuQ}trYOhyST2kgz2%IWG!9v>BJXBZ6S>QyVPh@}E#dekLn&b|V^V{TVrFh#e9N|gj
z#(6#sx=}4T4egKkG?6-d!6&gvI@1`@pj&)BRXz7q-Fu;Rg>Cv?5e+Sb?;5lvE3#Z_
z?FkOAE~UfFWdwoshBP;Y58mW-OWCLMgh{j`+ynljyz(MkAq8xOjoq{=@3OT)^?mM0
zy0q(H%O#y)=pzp{#L|NSbZ~TigS6Mc<4&WG6GI)<%Mzqh?(Sw^YjxsxgkRl*95<-E
z`DTC55(1%eSL)H+<m;TZ&U}Zdtn~p7aNvR+@aGTa{389Reodo-k^_z}Mm%}4Q|H1J
zHN9sic5v^=4-b~Vp!Cf3-B5JU(dfrE8$RS4mga{1kUGY%<nvQLSTwPsVt?({R9%*J
z;(Y$2WbWY)O>xqfVf|gBZMrG#=i6E=$>geikW`z|oP0;P!AzNuN}y#)BJ&OLfS&p2
zmiJ?C$yktsU_XV(Uxe=R3iDnn6=vh!$u;}#qRu^Y%Wd8w?eC9>txcIGnL`}3T3e(s
zjH0(1!X<RiEKMGY==++LTAHPci80vz!KwfJYo2q8AOQS&m>_T;=Ys0~A+}xQ{8dhM
zvuCR}UXf^?&FO)((#M8jnmsfZH)|t5No<B)*HzX00&?lFi@R_51(jV^0!H_8dCpW;
zuSX@7#m4A%J>6>wvGl}1K`8J3aeD>yi4N59)0(C*FW>}J#3yn$*=X#E_S8cc+F=E3
z8kj$&u&Ue@hnzWR!)-M4R2kz9LX&)8jKPh;ZzSi7^D%qf@~Dp$##^rNatrc8*M?yO
z=0bHI?a}#^cXwLC!+jN^^LZd~wL>!8Q0Oux$XTF$SE3+gl>5&}CL$0MhED(VRgfYw
zegzPF)8w1X%-k2!cmE+EUibAHNN-fa2N%vXf~|OjFUmB3cvQO`94z?Q5ATY{Vjbi%
zJMa-ohynjhyWUvVbC->X#ahXbS03yFStR^(U$cwZ7;Q{|a;#A)ZKF#dsHJr$wvpK+
z%LL+JHey61OaJ^;wc0buaM!_{$LKI5n>Y7DkWHXW2e4k==6+YT6j(Y0_!`_8f_B#Q
zEK>6B#}F@FTPr(ps(#KT{YT+Zq12PnF}l1CqVA0BiLn(wj$a(!GZ^;qJb!T-&-X8b
z6FXWWd_8szzOGT7-M_3^g8Q{!r=NtOt)%<;pZc<YAag{%mKR*1cnuBJcIc{hJa!#)
z{lG{k|FygM)IM@5E!4(j*{3{eL!Q0`>#q3sE^%4&R$b;b8Js`TzUv6Mk`5yo*m$J6
zASNjhxZJwg+eKP84TMpmBmM8B(E%yo7A?7&>}|-fQ>bd+gayvzVcb?5c*p4*W2)5$
zW4r27&wuSM9(xup2d#gbpROmlmgziloEP2|LISROzSeX87hCq$u2s~msZ+773*7UN
z87smx^YSjg>{-4U@tFfF$xS%{hQ!RkSpu5hv~%r3GOJCenWlT>?dIred>S;|AC_z)
z+J%`(L`VzvCrUH~oQMzXCq6aBzLRsD?AGTT@-T27$s}8AweX!ctmytWv#(SINZux+
zRX-V#UqYxE0}5W06_a6u2}dUD=ceQg7<Lu3)P4|Jsn9xnD|Y|t$r5W!l}TXNYiQQ-
z4gUek2GTiv3|ZkqEaS^++Pkz?=3BYAaCm$rHAK`uH@Pw?u3OIrmg2}m21>P#0h0N&
zmg+TmJce7$GUw6gb)rgMM48Zilbd;yOXRW6Qt5ZpZ_DI+)zgU@-c^nRyX9K&)EC|6
zQ`s<+iH(4na|3;e-Uw=9efq3oL@)C+E9Ai;YuP#IWZAdbZb&Q<o3$X|HzSD1>BN3)
z%%NnFU($d=e70)9o*$EkZ{DEmSNmF&m6gl7DU|0WjGAM)mte{xiVCV@AsUx(_*~4F
z!Ar0G&TxQ;?+Y@mA>GXeRpebHC|}Cf7vric))P|K5;U9w*QDqpU8<W{x(|i%C&px;
zeGIQ<!Y&1TXNKHjgrd4hUeqA3&X0!ow^k?u1=Q6pmcxD#lEt|2!?ram42fdM!UDmV
zxm&HY^5BL)ZgAsOr7?Ko{t(w$OlU9j(wfC>$eDdZrIB+YYhO;tcLtaNRzZ^WIWO;k
zpvXCdTXTgHy{}?)e&g^1R9-mZjsT%?&JEG$Y|$t_+N}k3?0Y7g)D&=~s9M%*g&bB@
z>hTuoJ0n{{oJ1~xz|mh++_@0B*{-TkY8Z6bHgD)YJ~FkHCvb6X<AYy?<5&mva~@G)
znMCyqoQv)gFwiaOE<mE{rq`#S3$kCA3stEA3gLi5rT7mZEK<r9dB0O4C+iG7sJ@8R
zwTb1M%7F$LYT^y*Gh`R}YL!B+qbLrW3;TgAM?w)g-={`P*J@Kqm+DPD2B+|vEi<wY
z^4M)QJ9TND4Jrwyg$nks5X5)0&f#Sn1>{H7?t@e0hrTK!)!O}^FgHEa`<Y*x%9Av8
zjJ*4?ndPRU{sDR0;E^k`WYm1X=+Idydcu*Scm4j3n`LsDB<vC@lHxWtIXg|vHZFk-
z&tasG(~72`s=7*`VsNQmaugS^I9kR^1`#Jc9Ylc5&eU~-!Ta;YC6#c>`cz(?3bnVj
zcp3b+@<!h<FpJbsEGMtfH%XSN!d}I${>4!5(9!-m)XL=Y3~@^Shk{>E$`jwp<n#cf
z)*{)>yNoo{g)J+a8~XBgKa~E%(%)BV-q9HkQDch~4;*r-_z(sH+E|>pQEv8Ze|bq6
zislRZxdDO9R4Jes>A={rp?*RuDzo>Jm4i7Yw;SbIm@E6t-yT|7h2e8^gjD?FNi+1Y
zF!be%I8L>mH{dsv@oSw=1(8!ExP~X1?9UY~6YOgIeXKXhrK<D~R36=CU@@?2dBN~}
z#T8GE(Q;1k|D1A+*gDI?^ZP7$QnK-5<yU>x|6om$@pWb_D)cq_T}mL$l8!_q(rKG>
zbl^MjtJ3^4WU~$4stEa2$gV_HvvWZ~d4CV|Kk3xSH;o-Mj#owh4zpa)a7H7c>5~c_
z|DWes-6bw4Xhw_~0*BAKb&lpuMt)`l+4xQ`q!8s(H-;ngHW?vhYC(~z0?mR(tdi&}
z^w!Dl9K0!Uf2TIB`N7&MLAw`sAKoosxxC%)bzx|sZ7O~0*HQ9U!V_`zqR!Ck%7(QO
zDLUcp0qEEKvGdkO(FR&M{l?i-`!%~aZXFSuiWuK5;H@H>F+-x22d>ncosVpML~HXn
z&pt`t#M3DNxm2sWQF}OIioQt%IVMRlJui22C~zY(u#=4aZ<iE3GIq{hr0&wNk_sqZ
zy%R*IX1<KdjRg@Bn59*CM@PSmB6}^Vb@b4nHOOX7;A&boWOoYatyEJra#S}U@EvVo
z=vPC4d6nh2GMkfYSv^3Qz(!cwa}1u9@ea5#KcrgFU+R&L3H|wW`XANb6;K<#sP)H<
z_9Pq0Z^EDYs%Vr!qhPMv`&o-@V=C)97tGqMlz79B?l?JjBc~uT_|)Pl94s+OwDitY
z9Z-`|5pvj9YZU1J+}k-qwBBtDC$D2Yb!hmyj-`h*#!Hmw0MB?kyVIW@Ngtw@=kChT
zb+gFYI4>rfcPIy$lb$pd_I}O#Mj+v-hB=^&VJPYNdVvZdf=T-182Kxt{D;?P{M)Q;
z9|niWcyv(;1-(6>z@>1&fUe%=8O_7BfAFX9d3`DKpYOo;VWocHuR!6yS8d&(u2Lc%
zD0bx9>3g9ZkX)eQUu;F<<$~7i_we(1T&k?}+?1-neCjaHJjugG*W6DBs8Ed<Hj4z~
z3QY<-M)xr`LJuq0ivds2Y~pO!xaA!A7u3J7%GDm+CFpN>{f+)k^gdoheTeJPSG7bB
z%yv|=-pvqE7u}X<6(>jU(+Q%;j034AX(e&ZZnb@-UnEI{hwX%LCjn8%_Z$$yaQFH*
z4MBfLt*+6r2f)lsWmH5FUUxinqv0mLqPyd(_C1orreKPt4PA=fqzauNBfCv1%*XVJ
zwXNp%2AxPG%AG8%0g)pVaHW$Ug|7mQ`nlBMo09(L@)+BTHtZAeo-X207XRLB22cOh
zCJ<s>(#s1)2(2RLz4L8$Z<qyN*e?u0_M@oFGvTP)r=7U@GCq6E@U(cGlUj!b3@+Su
z=FpWc2_19qcoFrGqpIv6#$E$I`Ypd4miIdU#i+_r`%=5~20=!M_#kz}{V??)luMFR
zZ^<$zBzSMI*duL>Ib2XOBO}sg-Ct>!*{A#`l80?_4Ta?wB#S(U?$u?J=jBot`P*B#
z!YB)7d%nDr4#OYP96fLCC?tSKW9%F~q?;$4EK1tq3kF+>Z;NE@-KC3DMW-`E5Ap6$
z?6V9QUiN)4yzR#%;X<<Mr8O=&g!5FqzqLp7vqbZcv!h>nG9OT~rZ9UE=Jjd*2C#P?
zCrnwrHWY{gX><{5V7Re4ImvKy&>@5+ZAcv%i(e0t%zVkT`LZ>gNV%<>BANb#t(G$q
zq9S?YL`mJYN4qsIF^A{DUX2>5^nUg*h#@Malzk}It$j)kpKHMlyiy*Pt_m$jqqMbV
z29K2@PAgUsLN#+++Iup?l~N3<X6Nuh%d0n>DJ}Q%#+DJT{8L%7=bK~|;j=$q#sIG9
zj`P9w@8$O>Djs1`yMoUxj)*=q5^&QY`lJ5Wm!&2eol4K&L%RtIWze$+f4soY{)lT0
z+2DR$VOjd(tSkq_W(Veanqx}ggi>j0T`h;(zHOY<c>yz^UlWz}*lP*4_Ynm%=^9As
z^1vL8>}YY@y#d8qXyj-@7ix|}0?&9359zh$`fa}zrx0-wUuM^t<?&#zQk=T70lrJ1
zpUx?L%we&bzG%7Gv@Sl$tt9FmF;UC>a)x7~sF&IIgOPxWEGq|SYLZmBb{;*%87ce{
z-I#?gdaj9b<S~T_xDC~X$K=D{X~lI}_jkglSKIBXI$vYnQ$oqCepaT@9t}dH25RWJ
zq_XtRZlRQ>y;bQBHU=p7r@1Y>7Cu()PG3*pux^2Cnc6C<UZ!z=JMtwh6qckldgr^)
zt?n&4F{aW#LpN3UNP50Yw1Ha7mF6giE)3V5uw$Xq&rhv0L62rT`16{~ztujimasnN
zxN`^Z4)m#m(Rtm2#q9zO*mwgq9eFHpL(7J}l^4iA>D3^hq1E!BRROh=cx8CX2?4JN
zSKWTdV>sUAXqdE7w<e}bPQ~NLa9<)b*2BYVo_Kk9hviUvMFz}Kr{64i^qww8BE<KG
zfxXQ>M;Rf^yfOShs-=Bu8aP7FOmtL#ob3#Z&G>otjhubO>MPV-X~{9``w}|_jN6Ra
z_bT-ai4G0|VjVxn(j+z&^`k+(%2^=trt)H3+e=?1uaiQiJJ}(vkq1m^4MXsYyp}Pp
z&|77p&?*r4>#7z4I%ft;`v@LATsw|!aMh$Qe%HwM&#wj$gBY7E=dOsn<+Bb>lr^)_
z(YFGk`y&JGjU+Jv6@_Mn9mBZR5XOd_2E}8Y$mXEPjzjdvMeOR5KRn?P2Uxk4R+msw
zQA0xu4XS4hzV2U~gv-pOW_Hco^obTuJ0I2BCopApCn?cJFpt`p{{xoe;UOR`&p~M1
zRS=yd-S-ZYTEJzBzu<9Qz~-CX=~RstaaG}!SmE)Zd))%%qZ!J2c>moS#Rs5M$nL~U
z(pX3fUMEAR<um>rnRM_+1AgSy@x17KjNK|sFu#2i6ylYXirIB}DAI;pf|@GX%#hu*
z92oZBFVu{o3sl-3Q{<TDR$BUySG+!%WUSO9x`Q(^S%vrXFzeGH=!nK?xwWg!dVaed
zUmb7R6^1n&`;I`!8q(pDY`k%A{cZ&iEC=KXH6Eqg_*J+Yj%KzWXZ0e*)wXq;K1$2)
zVj-k3$7%#v#6`pn&$d-Gbb+?r?C#B<F)_!BQLlbc3Hy1#f=tOd^ZfJ=@|EE?60c$o
z?aI9wdn|O(moBiW8r-yA{Elv}LjwWm(5{^~-+UM8hfHpR2yJwAKTxsc@Fq!$$@xFJ
z4*72Im8ovtEjBW-Q~thN##iieS=Q?J(sH-V>R^uEnvsisR?ZxSkfq~=R2{~%|0J~R
z<_~dKLcn#xb5w*cL%WPt{KCx>%WZIR6;;P0tXr*HbdnSqO%N-~i^J!RfGS&(nYv;5
zv%}qF`<jO%h}BD|kMc5Cj$_H(?7*(^6?vt*n){<#Gg75Ft7Q$vjy%mkoK-<&6rZ})
zHfOV@w10|Xl?6M1lUIl&rj(Q_Pg4tK#hncNd``)`nh`TC{miIEvumaKmy$U;k)2aE
zcW1etLKns2@~)0#cTX3UsxuaC`O-xlkOmDsse0W1ndoV*#Wwc*SH5@@<co8l`9!xA
zXEfo#EvkG_^u2{|Wmhi3hoaUwg*b(mUUCfI$flmMD8^~LX1?O2HvsiFvvwg>DQ7>i
zaY{^THCEdh=y4q}NX)r;zS_ZM)_uS~&y#9EW$EFU{L(Trc-=Vze<dft6aKipM>cPM
zp;9t}wjSSDxxe-Q(Dvr>Q0{LSaA}b?ONp{fNYX-1$1;|gEKv!`Rv1FXnaMf^V`fNn
z?4*qtCMm``iLo2|QbKCR$iB{$u}>KL`;0p4dw%cd{k+RR^XELz^WE<2zV7R~za*tw
z?B1(v%tU_Y-aiHo^yk14HdZ$Z51lY!Lqo33aSL{prGM~CyPA$kXK+FH4^R!@`^}>Y
z_~D{V8ENNTQg=W7pONlg`28PTRlE+sPOq0ki$w&$<?8}Eezs`f3Y~Ip+VKD8Z-1ih
zH<x}CI5z1P;K$<%5ZAe&-Qn>MZgewN0Y5_tKR><p_#b4-jGD*T`=>OZGlV6bWbZyH
zyvmi+&;WUd^$L0rFi^9O4AlhlW@lTGiUKy@l?fnyE}$o%84}s?cK*N3zcUFK$0!GS
z&yPNaeq5eR%1H5F83*k29RJleib*=7SqWeS!TMTec-oTaERf7&r-Mcfta}c|qgrq5
z>3mi20R0o}i1={~wm&?2PwnGUbi#oHPe6h@lp0(m%Uim_PWLpP9(!0?x8w)_9H|<9
zAZIEm^O@}a9e1+0{=%1R7d2nkwrDNXBsjSl9B-o(DxjXx8Kq7%@F9J{g=H((Q7eow
zkj>0!LHlQ(kg`~@NPO9?bir6jxv7BY9N|QW6)cay55LV_%GWb)Jn#L$wJ|Be$?k)R
z4}-Pvc@8Mg<pTH0KaZwNuTZA#0T+L{r8}m_jOFuV1CHF29G`!qur>9-e)SooAdhMF
z4&g7rLayvkOj<PJJ0P=PUQhBDUp455$szgil-pH)d8NIDK~8)w-AK-$Mwv={Odkv*
z98LapQR=z%xe_2QT!L|YcuueN;h79nB3tlJ+$IRl2yX_r=C?QP3V9ob5ByLhEr)c9
z`9Lo4r7As3**0z^K2pgUmg~gzLt0Dm!0!BId|MguJ`X1tLU5x8YoW{V3ep0)ngJa1
zjvz?%HqJm*;D+A4g!|VkjmD^0s&vx0d7m9W>mEPB&?}T3%7se+u;gMTkKRe}LdT<C
z^=A_HlP$7zhRa==zGS<+{o<mQ@#&(>-tnYu_U)6bK@|~sX6F^0qdDEB&5W%+xwN@N
zy8uWZts90HI{E$hvpt8x#6X;C-cbAU3lmqxFRprEqBBQ4Pv`$WYa1pN!#SCCqA222
zmjRCmTDaI-(v0jsaj`xz%ekH^&hH7SrZ<iN)2jcFy~HFy!*iA648V(IM*RsnjyURc
z*xJWXNJSe7e5$QU))-;V-rWt$g&54BQk-n!3i86+#87K9{Lo6s!Yo)aS5YO|xwUFJ
zER$?=S+DK3_wd$_3!&cKyZHY^N(z@RpFJ87{`EY5&&4QH9OJ0|tg%&gq!iqVq@wg*
zqD>A3J>#$mio~0`W<N_lCUn=s?TyBE4ony3%R|BX^y5&gj7H0-VXXLKJP9adI~Ai!
z4Fp)juXRDlC;RMM(Qd7pu|2n)Dra)9F7{S@%`k%cbay?&^EYfBOcTMt-lJSF-p*Su
z9u6Y6Dt0fg{4R9**zgQ^v6$b0CpP$|bVrD-Lcbp-&ywgEGou8@ywlWc-DZXqr=4?j
zi)m5=)t@^K5hpOPQ3*+*dz{I+6d<P#6fp!Mvl;WC7<h@Akk#4_Ud!Tz)@wj$c_<Wa
zlnv=d#h6_!Cd7k#?U8{SD+7U_c)yz>tVq@E^k<2%oQ1Uva?c$*2|;jtD(~{iYhP<%
z{NFj;1~rJ(AYKgim?m&tEn+0dZjJNVL=&y<`OrshCsDx>cK-Th)k8-g&5$iYCP)-$
zoXM)_>q_e#ntS8TkNgl&%d3IwE}xS-1f47>?G^tVE1`Y07Nmqd$sbVvUSy?3u}TwM
zG;TS`Sth^8r!kSwlj6Oiu4=9)!%C?OvqekKdA^Tipm$*r0MGWdiPEz4!VLuFj^xm<
zz)84p#!LF*(JNn#PDyp_40^d+6K-W=AeV4)b!OHUpg=|*+dF-r?H)be-#~EF{Fq?I
zPRJH65`4f=i)3%DU-DDf^~jgbR&sQcRCdlq_b4xxX)~W{Rwr;|x;magOJ~??qfRC?
zsjS%8GoZ$oJIMy#h;5MK{fx%Mqj$%9vrLemm%byXiEf}s|K0(nHG3LZb-($YWd>Ee
zEY7**t9_n-MM2=B)xd}08Vcq1n9lvxd!BG(uebyD4c~I*W0M_^1w8!BJT>DBbu@5_
z@d|CJ`=pfv8Gw$<bS{Q3wA#8&nhpdC(Oe#H(^#)}ko#Q)Y6Gl2F&E7KtCI6*n7ZAg
za$WXuD`z?W(o-BoEztQh6d#%;Q&UxO&Z%b%%Te1r?lWYiGdy?2nYmA*d;&W1UjE)q
z>+A?WU+)KU^+NA;omjs!XqzhoPkB$(WWXP|#qb0<+r+WEn88YdS>`eX1>?yTY;~`u
zs98~rD;?hpk@T#83@k09?dQ8!!CPqO6;^GD?EH*z0a{bjGk&sCdN-1a{FOHV??g)L
ze2u4wguoY+L;NKx^IQ?)f^o>h{?&`2m_ez^-8(olgQOzK@9w=N`9nQp_35evDlf-e
z>7Ei6ZyIfO@da_su%35`s%qYF!nZ{8bYI=Xj>!Xy5|a)Kowja+{&Sw#0f0#`bIRrq
zGc}%HQY%DEeCm}zQby;MJr8PFpPP3eZFDqzW9<Fc(FL#zLeMNfsjRReS3RM?$n3NO
zLCsRy1|!+~IG>Imn!U6JPz$xY-P20%Z6D1>g=M0FWz;9WL&?G;3D|>CmD6m~k>+oc
zpYgGRX6!*^JbKsgcp@F_FD8I^F4jbqR*GMZO6!JWvi5f@o!!~o){_8NbP(CvK`&_w
z*0e6LRxIj3=TSH=lBg({_MqO^?-Z`~2GHG9V%9E||IAN1!g;H=X#nZTRVy2w3(?uq
z+QMS`!#Z>m$!VF;{)s2;;%T$L^3!0m=uU8i>68bgWBqV4TaaTi=^#=(GjyHOwVJED
zS*)<)!a#3tAiSO#$G&I_R)XirmKvO8G!two$Dd{@vnC|^@D6Z0>%fLgBLysZJ?(FC
zDijd#2&k+gniO`Hp8Z4yTZ$j`|EM_B7$-VBGMlN&d}4;qA7ZVUk;`DHU3>}=+ZGSE
zI%Rccf-j4D*{Bj?GQpC=SSne2B5jgY##$2nnU^HrX~nr#*n39FLpSr07n0E=NU^-W
zH~G^da5u8M%(OU_lG}Wvy`a;aOr576;gs>&gP>NZGuV`59A8E5JL~aWqx0XrhYEg<
zmno=ALJMFwrg_fezGm<{Yz<1?og9I(Z)mZ^sjn2>*KQp`(a`dN!l&*9Oi&<Z02I;1
z6!eTBqZZyQJeW3I2#UNrw{<~y#gKCL{XSGIt=oW}E*cGE?*<L9h7-`}^-^@}(30}+
zcT>dR0HK}8^7n>BkZ_K0J5*oA9pcD}|BoCFD1<diad}|1_SKL4Yp=-yr~M)ylX6=6
z|8L{XO<*XJv^)>XSW)L(81+nWQnUa66X5=TfJA?QRBqAww@upH=%-GmfeGj_v$=dA
za3$jB?#+AyIKVXl>Lsih5I7|L_%2Na+e&}b{9sKmjZ2X;0O*=KuxnM=P;&0w@i@~3
z7M<i?|LNI2=xSepHIO&SatWUklqq*00+Vb@-<ARTi}1>+&!q_D_%iq>zvH3uFTfnT
zO-SdM$Hjva^@;meZA-K-N`cTr0Ov1PyN9AsKXWOkn|k%a3xWNuRLMMwFboRZ&u+&g
z(t*RcTL>hpK5lJ3)j<aPuHldSZbBh7jekM)7Cm8QJz<CH20=)lf>MYktnFllnvnIe
zR~)ru-2P~iYDXD5s{dNrnWPzOxLff9cKDyT3^?7Cm%otu`eBc3n%<5W?#(yMGa87u
ztNRW4gE}q%M1h{BdTq`r=%(@4@pjg@xyOWMyH*fPiz{pjSYc#l^i!6*njjR(ssi5%
z;NHmri~uLDvq+H`T1JdjaeAvV!^O;k8&0*QL*k};m>=kF?|ly8X_UlZB$2%|97#|E
zw>t-Qe*K79*8EY~_ImzxyU2^l+MTX?TH#U=bs3EFM@xaGTHz0+;~w~lU_v6#zL$lP
z0qhn-B*#`epOix>EnJ+*WbbDlSQsjjW<JvTAcvkEDv1b|%n+Ri&=j!8_Gq}?eQ&?0
z>N-(BqrpQsLb8Kqyvt44Ttl0arqG>)4}%JVLBe2dp5Ysjct`l8&kee+*91<vA)kK7
zO><fCe)Bs`fe_jK?nsHVsv>2u=37%?`?>0&8*B4b>vYw-^9--&qI@VJjbrx**}&E7
zISq&F1+d3DxnM?jyD4=2`vDWlIhyCafQD?zB}2TamU7Xy0b`G>sByurOkLMG(<ElY
z6p}wa_%$ZMY5n{Cg&gLVxhTChQ@2U^i7;Y4yC7T?GTYIgLuUY3277G}WPTZJ<TkLl
z8G45}o2$>bAaW2;obf-mE{Ao_Kg7$$6=)QPj#eb^8C)JxAHOSsnsz@Y*Vv(KbD<5i
zk`J;8{&?d;TWr90r^$Vcm%#}^VWu5PzrB_5x>)`A{P2BAT!bkhL}C~a3lF~rAcgJ2
zC!qYUQMs)bC&9;NsG2nATWQ7<{Y~P}v*#kpjt>nNc=KnIri4>9CC|l+y;(v@Nj*}*
z6isP3y0Fj1m`wD|BNKb!KUbL4CRjKSR5L*Is)@BPgw6!<@2`@Mx|pg)ybqJpr_HXi
zDuvFD_Jm8NS>GP8+~QclBm}M>BhfW1PB~%lJ@<|jx+Pb(8Bvv3;u)gJv6<*y-D%{c
zx6uiSO}&&XgcbcokJWj*hI@>_ZXC@Nk&};IPUvU&!KaCkF{&+Vwc4pKue5c{yqCI^
zkk*EZ@n3g2r-1ghZQrNTu5AN8c562yP8GZ%5VB81XA4LKc`T;4#M7y+xFy`kJu;IY
zBYZJP2`fI9c6`x>XXKhqGUy^FbFKbtO1p&Z-nn&;C4jH{qU-+{T^QdLNbzNQ0X3eO
zJ<&)ygF27w?)@=u699!YVKb_Clmp}+SZO<&O6`vOTV3yl?G^%Yo)|5i<b2>e9wsbw
zw)sKA@s7sLN<?`WJ`HSHVF`gnNyWBrbI?c4d}H5t%aKKj=Z|7{5keEJ%U$UxH%T*u
zF{r2myyY%(B|<YQoWF^(-k*|<ib=G2Ls3{oCyjLUcli6|oby#UIL*p{K$)X-QLIAc
zPW5qHCJ|BN7nU>bbT_>CJGxKDlgiRLel{M+9>eMnhl^R{WO`a$PaW8CrCaEldU>5_
zg;9FG`p|9pw56@{odHXTiMB&EOvf5YClU&CGosAkw-w0+9PkDxD4nH$WvmmD?Mj3C
zy3T>i0)CP$Qg|RI;Fe>;j_l&urC=;ap)Op+dNj*O>EMJ+v6|sx)%lHbRgD0$ZZ^US
z<I{=knFaG)&exKn?A!yjPkLDPzcdNj`QCPGb-1jVbfEJjl1(K0m*>HF(c=^zM_k47
zv$V!0lMw(91aV+`ZE>zoOg<z>y4efr5}4nWZ{5x1rTXxeULPoP%NZl8q%Q5AMuO(h
zgkacw`9nUcKpZ<Zt~%)E@XJfWm%l!KX#T*sq0GItXXzqwE8nm0H6Fm(6?UIp?zRpf
z4nYFqt8B_W0zUTlj%h{%K|dohaN-<aJS9+K5j6IDSv!0(4PnON09*L);bXs)*SKqO
zTTJz!V`y=9ZrXt~Tm03Y2YVe|oEBBb8Sp-!KwwO>W~IC}#R%s$Uvd*kGd^cPD%aVd
zCe}UiQ@PDbNHWN!^}t-8y4fo+s67Rt-Bu`ZQ|8d5e9s9&f`-V4w5d~$U)gxd?@>nk
z-qIGtQ4r)=6&?mPLHu01e@dT1(w^rtY7tza_a^_*2AqqVb0WD*S3yC|Y?xQ)L6tmx
zNGD<$fU$Z2j1_`~jZGiQ3e2-S&(R({T2$c6!NZfBXqJcugC_DMB2A4v)~<O&jD!LR
zcTNILMVViF<DzELThxcv;QT&@YvWNL_-TgqqD3+kT!~A>Depk}ygasKE(4h`1dQ4e
z^rD3ZVv5_qhcAe>?mKruq#|ZDoq3KIF}9MKf`nG3S$};TyXX1Ga6DFm(r>%@+T0%}
zA)w$=57j)jRo`AUSEu6%rzU^+eC=*RKflm1tR`g5eHLwZS4gYgJl74xcV5B_iO&)S
zk;;p}mUule_|xiF;9WFL)h2nOgMxE1Z|UK>kr}Bw?-?ULK-nPQ0I?sn(QLV*y^;mk
zv(r0m(eFOfpcX9gdLQWwk_2HINPSH@@#@~aWUWKL8hpV?n6rRG35=^KTPJH7<OcFl
z7y-sadQX<k(qTiSz-r{Ukm^!I=19@Mh`td4E`ex!>w6JH{9oFy|G^+`0<4}ox-E-t
z)1YGiP7BfYS##WqAhD4(dx80OBDux*|2YZxKcLq?M*Z(tD}>zwT&Qii2wc<-s|u(j
zNB$Hslx%7p?03(qy7%{f?XjBjSa=i5<r9_hW^Jy_;yn}mV~|d}8~!-)$f@PSK?A+&
zu%Do9Ui>+NS+Kp0y|%JQU!oS1ejKIcz<mGx$(jmZQ|)v<TvO5+Bwe2?xp`FT>cYt~
zztg8BG^Cxo<R;SMhz(2gTGosBo{SKsg?7r~Ww}o^pI9T;z3J^?vaCWysb9E5A0p5u
z^H0p$GIFn8fKNbZ>RE&gr}Ry@nw003ss76HHhKF%!<eEyeBU1%F36iN=Ih~I^%6a1
zi5O44zO?#F4?m}f^LYz`7v;RBB0H8hAv|98U;lku=cR%05dm%6SKGJm4Bv|_lQ7+q
z`iKkec)+98$A?}=9PSbnFYAhEqyR-XbvgGA6#Ju?530XVnS!+yxEAmQ9+TNCMEMF@
z^25$|sAm$?iA^JQX`KFv2{VtjXF2R%$=egAl6Uco-Bo)~vAfm`LP}Y>K9d%)G|?`&
z-IseyQ4{YKHBM_OTFX`GuXca;WcmLBZH-Kv$z;|scTf~ES|?}IG&fHO<i9X)JYV>J
z3zvs423-UFev}N?6gVHBy%>HO@(`vnEU@QEtWuWCSsijoi4Ioo#7BB-k~*zDBNm24
zf%VsfOb?p$JUHmSvV1b&SIdO-sSMXa{OK<kWB>|ekwjqPs__~9qtyA-qE3C+s+~lm
zdBHkK8rfp;?Ak7(xNdSW^P0`bhadvoqR9se+BQ>TwGMy04U;TF=v$tYQJqbz++4j)
z!ORqlo1n77KUw?IE9P;!Uma3-Q6W39c0gy$Xx>1`Zv$L1Di!vFjMBfazxa_<W_!@~
z{_wH0TbhK9_7-PnM2IT*c-J;j@o*^0n>9Kd8f#Rs;*`xgxZhCAIcDJq#vD_zyoD)Z
z>UoQVaRYf{gv|@+!y_$I^PD4ttd+7B=7j&6Hx(rv8yPMGB?9?p7dfV5dGb+`NiN8B
zd@?|iyHbW`Q-SOgZu`%Qg4f}}8k^y$G}Ve*Bz|VUC80{0PY4tizePz%S2P1M^Vsm^
z!{KKUJbh|1H7|FIo$tA@H+FK)8yIZrD9b=n!~lEdSN`@?NOE@BGlvZ-Qst$FeRb(5
z-Up+1ldV<EuaB`qE%(pPYLo{P76>vMWd_<9|0GsMTHa@3r<>N{&m`rUe1t^We2=W^
z{8IbHyUGUK9V4m8&By?q%ddc;Xz9bb>Fbq1d*N)8fH|{)?4`79Il^jCr~82BJhjJa
zQ}93HyAT5uf`>3wz3UedJt9<H7}X$2>4unJJEngnYy%y{Zd^(;ZgYmwBY%mFY&&40
zS?UiML<{_TdQ#w%u^K;$6!GD4YIVVA;X|x#l#nfJIOviOSVL+HfYeeWwxk`=P#+3*
zT7FZi=tKn&)U_&5OaGYYJY9V}@usgQG5dyqj8sWM=-SzC4FD*61e7XNkkT3_gWX6v
zzBmpix$oNoIk=CGpab7;V_y}ZAMkN$`H#5@$fKQHey_@no3SA7+l&C|n#iP)aR@04
z9~*%`x^-4MEZB_YKY{khJC>u+XQR-0e@_uj<$Wa7b3$a=o@e-&w5;Rn#SLyEPXn~+
z#T|6dI6Y$q(AlAKIs~xJrqB1t{rpb8@FVN@_%%by&!-jD#~ukKKvzFc^Bi{-foAnd
znFwEgw%b1oVV*If6Y^q`ee-U(1Zv;Rg~IEJNooX<rDHMFGA5B6qSOuTLno%C6bQ~^
ziIbS$^!ku1Hw&RaZ>N#=N!?`w`k99rjF<bzGnJL5zAk?wvh>O|RB8O8n9E_`ZL`c!
zE%pIDjD->IrrQ1$&{rK1;hw-?BfYjdj}vjo9x`bqybGph5NmU-im{Q(k5iLoZvPO9
zqH0zFHIWSre-d;xY=H7Z<y(5?V%S&7+W9vm)rZH7Pc-h>$#+R%%R{sLDI2yWXw0|g
zqIafuJ}@X<b3>n*)fLCQKBez(xL9#@!q&}^rCy>oT>4<Oy!X9WdPjfn?aFcR0VL*0
zesAYe32C|%H?(r8_SJYE8NS+PH(OCn0S*!Jv*;>%`S<1LX?dB1_$ll?h6PFaBS$%9
zIrFiKXGSZGz8%}jjcYR;Zg$E&E&y`#z*c612-I`#P*SAvF7+SP2rYw;SH;a!i4oVX
zHjP{#291=4neQNG0!hn-Q7q8h+hoqa(v18|QB&!@?+km9Ju;rTF*lfMJCLTfutjSV
zt@iQIy!3)YV3ryj0ed&%?gFR4V34Ut%VYe2{LJjMAQ(Lo=QOyl8KA33_^?Ea(fUyT
zZ-j_#G2gP?EkAAaBB!nQ!~wRr%<dVdyY=rA(|(cb7RnGOw|)Njg9oame5;q8KO-De
zyB^ooQ2KRZ<sSP~&1qYR?aX%yo-2kNntlEAcySt#mgC`f&$uL-<+@#h&%k2u@aGG!
z_hZAPiVA}3Wn$iqxoi3ZHG>495&bKz`NQP7Z}(s9aURvdnn_@nD_)2p0HEjRN;X=(
zIFmitk`R?k$wVdF6v$&+88b)J?%)PC))(EW7Zl(%c8E_$Jlfv;7LXNqY|iU+;2h}M
zsNQOt$)s;3s}CXg>4NdJy^z7$+m6s^l_sDFbVN`o`(XqigS$k#l!Tu{{wk?#E>`;H
zw|!yLowr1OkU%<Jsui?`9+-mH_`b8#dzxgWoz?dB1rk4!Q#Sm#H8D*Jmj#NB+|0YY
zhcXVJvv!S5%JK-KZLi)pHuo9|bBZ<zh*q*X^)Sg#<N)(;X-0H6kN_Dnx;kilY5pg>
zwDKsZ_p=newhnPtf-vpg8~LrJ*^%f+v0!vXaCBm3Wp@JaygW1@3*jbV5Vc(^1S$ev
zJ99C1YfNVNvSz!vEjcLmog8FWig*<}dAir-aa!k;P9{_M?TQ#7O|(&T?8{HXiopJ@
z_Y(tO3rl;XoCz@g{&c#{T|_|TDJHY|3vT{PDY5o2%9kC4Bdz3rYrC->paX&FO#eBZ
zT>OYbv}=F#%x~_Ybp{<ZYj}0?ti@26Xm{7znZ{CU-`nsQGjeBH#$77Ke6;s=3@Y~|
zSu!-CwAfff$<&*DeYdiyjdQk(xQK4K^}9<0E|h!FQq4Bk#8YGor9%SRh~9%hLduce
zJI9wps>+v7AAWPm<skJXDHDNR7EoI=gTN*Y>o4&oal9tnqa*StFz#9LH<au1M_}Ww
zy!-oKc3gDHl73Pw2xIh9>Y6U-91Y!mB6|A%K}uoxn7iF(rjej?uUp@P4W_9yW#x88
z#Ks_c==z@UmZ}51fF5tV6P<i0XAfE<?i1p*QHu4cCg(F=Ixu8R<(U;*BTjTDyp1t(
zW=D`fs>kKg5#;63V=1I3=j7VY30t`i)@EVf8CDfr(DS6_PJp1>mU5H~*&qJpyqM78
zBIuHz3L3s(f5Y6}cDpp@a$RHA_Nj(n#`;4qs?E)EMnNiBwSwq;3scuD%VKw#5~Ehn
zEK6*~R5#<gC$(-h(}D-jIBL%B6*urk<0Qtx9pVV_+PCl>jf-mVw8m2O=^DDfytNgP
zHH~<UdR3K|*+fHoTp>&tYc=)Ud%?UfGc1LWt?>$P4p)5nVk1q<%#$;CN-96V)z<xb
z*_M_hd_M!3*&MExrB)pZ7BWm$Z?t4TGONvM4;QCi$t~3Qxo5aBn|su4P7U`M2b5}u
zb<{M4M3>%|dZc<}Hp|;Lm^5@8Z`?r5pEMSlmVUYCafJOzuVLMs#yQOwWg0eI7JBn<
zKFm0$Y}wK=aY;|x9B|ulWd)x9#JGlkJnqe&KLVv7xVWjR-}cKw_9y3ex1SsATH&tW
zzX>C{{`-$4xYE$Rs=z?hWH-4}fh(f+2RZ{-Z3+|&OT5P3kM~z%Vn@3SeyH#SYKQ)c
zRDWlLk9KoK)@Ks8@>nyi;<jX{&CU$f9oYKNr2B1jy?Va)M8Pp>=GZ9U_7uZx26?HF
z&BOKIC=xCHFzmRe>C4f);lrN0(su=oaur+QE+MTKj&(;xgIt%xwWg&%UyDP60CMjQ
z^w=DLFj+biRhy&dq4ZyGXL~#=LEiR>Imo>*D5fuFOUPBQ|A^2=oRQ<B?Ha4U#!MJC
z=<*S>2*pP#+Z5vAb&b}&6dXn(wB!Qjn+^6o4$$VI_JVD58uAj$@YENjBij@l{jp?_
zbTKp2hd@V%g3pRD2EG`);Sbxvu%rL_ueI>^q{{ZVzI4WRCHL}@*J@aO@b+PWVUW%Z
z=lFZaJ8~ngMdh2Do1GE*3U`fCmi4;E>k4<EVBafj2uAS67_dIkws4fvSC^<22n8~X
z7y|S9d?%(lzjFYo2n%M1F$xfC^#)uOJ1`V0To2d(3G4z4t7jo>qK>Pf`yy~kmiR5&
zfbY&zaL`^%v=uDs%&aS41Tx4NIaG3Bs|BGa%*qHkAE}_~iE>LOU~zd}vvmWkn$Fe(
zKJWG^{Bo+e{dt#qY}1a;lRwftoi35Tmg8TFn3gR(hj<(>xSxMNRck5SO$CT$Fp@`b
z<ZG+J{7|+kpKOT*L2%A@wtWZ1c>9yEZz_cBi8)Zm*i>f@dmHJ%8^f?1bQ!u<q4cSt
z&)s?aJA;*1F_`DyI%R$iGZ+5+Ku&+HN897a>?{QN1+#ZY%A`hBX@iBNW*0?6vB~GH
zo%EG`yoU+&zVLfpGoDG25pP=p_2PS)Qs#okBPF1#m6CV+G#%o53-d2khh#1Zof0f7
zuvbZN|G7Wk{E5uDg0MftJpgXL7sh$;M#kZaE1!+>eyB*t&CBA_Zr^vFK-+$-bIv4o
zh6gIl(9ky@6PY|xKD6^W4Df@d>`ABS)et&gm#m)G1R~siQGYD26g8nFGs9w_>>L6n
z2(rvK!JH1rrrdg$gUugV!M~o}%qLXv-G`ueromh1RmiVPC2x+y?NYH3sGe)uM)_0r
zJ0N%88$t(lVM4oRO|{;h3eZzkB-J$uD}3)%|K>X@SUx<Oy_(S)o!f|L>#Mj`zUwR<
zrf0m0Ya2uy**uhL75<3%wg5f;+_^vB|J&<$OTbQ$L9t>RSeZbUw&e~`(BqlKB*;R3
zEU9UFf*IsQ<7_IBQWp$5o19UQ^cOqfV8wayBW*jFuL_cdO`vNZ#=kfd5UwKOKh;wT
z2P|gH?fdP1tYU|aKObAD3LapmEb5P*#y@D5kHJCG)l8)2n4<ug%s&(qgc@Hx$&ufg
zu6IQQth^}eDU;$i{Ek*Wu$DsW>0hAgLnncpl|BwAiB?pXfkM#l9_Ya{SGOC9fYFip
z3!6;BPs18FDgngMZ-CuJi3uCkJeYHe)uQgZ5V75WFR46*P^t!44ZR%-G^~K+ebwnl
z0H_@?SbXZ*RJA)mFw@>Dwi;N8z&5OP_~SGJ!a=y&h<ko%*L}`h5I@#~W5HZLo)jWo
zOixgkY!Z5v#re#4l}pnX-@B*<%dO_f^z5QFm!0fn4uP{>r?7sx%7@C>TXW*QbhKh6
zMgss;OlKd@V5BK!Fth{aSC%aCbB^|9d5)W68+h7&ud@_-^Q_B0RtaifnCz4;XnCel
z^7e<a{YU@~k0Hn2^OO2l`m5gh53KYTOTo*UFNs6Gd*-M)0tJ?>o^MT|PD;m}vX3vn
zS>vWtj~B}O=cnf7W^=Z>whuX-=3?Fd3@!luY~hjV8X{7!*xe=ID<Jb`Rz7LYV&>a+
zDPF0IJffwxC*~GxbMJxH&6HiYv3+O5)s;aEMp3t<)X)|5I6hl3;H^<|EC4yItvZrp
z)%9ItkE)U%n&}+H*#(P^O{{*?75I*(p|2>BQzY!RHBrNFW<%!ALdU;#@<YQDvc4eS
z(VJ$$-!wZbkVkhZ2!b>Dq&j+pBxJoh1Nc%D?m5!0*UQVf4pSSCYaa|;rZt*?mu~GH
zdv&I#=tphy$Dsn8pygcX&y7xiT>5}^^T1%XV|1hvSFt~uIUKDg0Wulp_sE%jM^a+I
zcX%DBG9OI5Z)>54+8XT%KVukj(h(Mx>&h4b!!G6_@_br5mUMg}<9?_Qf}@?*h`aL+
zghYc@B^rIndvIigZ&)KRb+vY7RJV@`owt-<6VfF&fuHpu-^VXEvtEv0dlrGG@k*J#
zlp%1+1Tw|z1x=D{IY+Pgfb&`V+D`ht^~nk?3Na^b(=^5z{xp65L?i-#qC)`4%IWl9
zOwjf7jN>BNj&OLrA0ZMNks9510l=|~MiL-3pSaH#a$c95xZb1i1Vur$(((e56}_3d
ztjPewk7#y&r8`_wxyjs~d2WXj;LG({*sW}-^klXo7ylu%tww6+^#S>~f|n(2Du5a2
zfP?9<Gy!W-5fRBLZ{`boBm|!IwQ=640j+{MaqIF@=IaVx{(a*%m;Xtp{)K7)!-TAU
z^!8^b7yQJwhIYv-@exjD#pyc6Hu}!;+IQE_6(6QStxg?1KYIrsX_!%i$aNi0NDAa#
zSKy$<n&riuIARZ@`jYv>;csWZR5o-a^LtIdy)$|TOR~oS#SJjfc7Px+>LeCdkP>TM
z-cvq*fFqcJdUc0p1Y)Ko@fN`r1Rak$zU+@WSSTm}wv+Z6J~ety&Z`qoy|&}ZdP+v;
zRac0tqn9{WyZU3tU*P)5xN&zxU}Hu=XFJb9>AgVTofE;$#|F5V^=Od6%NQBY=BAN?
zl`I9chUr}Z*Jj6jmY#jnrtLHSY#-KDzr>}JtR?6EXu0Q=8MBVAzsB7WZ4jY3aj$bR
zbP{9&d(u9cHvl4eq7CUi2^J0Z$J&1wLNHfi#3z*C4;9HS154ssZBF_5DHTeYXpX<)
z4VGY7$oiq<JjY69u?oUq*#xgE8&8@uoj~yc?vLaBqJ#T--VeEofGy%3pO$Cu`M*T9
zB_&69j@yHIMfS%>;O8zJy>Ru(39t~D)|sH-!7~zPIC9cAdeIs%CBJV?QnhlYEHM%_
ze5VQ_<$tJOJC`&tyJ9r}h&ix=5@B?-Yj#!@?3q~IJK}u98SwH6)O!ALZvGuQ{iQlM
zP~(wVBBylKb9ksOG@DC^;{>#OEkSLv&!{D?FZ#pqL%&|s<jLCs$PP(PfQEG}kAAhU
ziCZ}A3jMI}{QwMubRy7|lOl!RceGXpYf`UF_M4>S1%`A!C}~qDY8B&7X5AkL0HB1z
zte$FkDq@e#pXA+$m{Z|c5l+ps=9$l1eu?#1`mx~v;Ck~#D4OdYB4ENKwQYrEx0mK$
zGAFviMH`H@d#~j?@S%)q$I_>6EPT2a<l@HPK9-(a8OcxS_66Ro7kD$RCTbV5v>o0G
z&+$5C`4K4GuhII-eNDy_(qc}9(fw9J5^<Z1iigS{aq;i+4TS^qTkXuXx7z9rex4NC
zr_awY<DV4b{r+Nlq`5zQH}Y%>Q!vZI{k8=tTCQ9#D6Y$tE{|7aEC9`uU=Kr)t<Ld}
zajz=Rl0)N1JM$+vaF9Z&ih&d8m*Qpp57AmrS5DJ&B4vwLg1x+p1p6vPn*t^0z{}{@
z>ff50n2OE0*FPqjZ=!JV*#F2`05v+M`S;})dAzr^j-J|2Fx_7htja&BAfy(yOIZ=u
zMZGg&x-N*?KREoL_-T2O1cCX)Ud{gEv2KQ~X8_FQ)6yLfe0oOSA>3(#1IW-zd+$L#
zkMJhVJ$CYTo!j>$GoSytjgm}yW5Ci_yd08{p=`FU-tUqFo*|V|J2fqmy6gS+FXM0_
z^w&PgoB31BW~-VX!TzTYbi8%!mzp{S{>u5(8~o#%2Mzc7jXkweslTiR)HG3uxtiyi
z%2kcBs$Zq-)(XQPbA2XF;;_9qvSr}R^n?z%kAf=~K2kfTjY-mK2h$~UG0&YSDN*g8
zv^3*wRs=PqPh$4XUY36L!)#K1y(=2m+-v<<(9CILqJ4eh)>MJ*xyIulA4aN*5*`5^
z=n`fk3HO)H6<u4yogm6FtIAf>pO;VYQp;XM?&I#0+5g18JN^6^4wRRwpKmSl4o_`;
z4rw5^XY$WT_=`GUkvIpa_<#dA{(hjaSQ&&MQUn*V>!IT78Vqy}F|DQJ+N!$ynV37=
z)w%O7XD~9k^7pU{N#b3za{D!u3g<0{T_$uHmY8~Km(US|(phM>@?%AxXs&&UEFlI_
zpXx@sNY<NXM?Qrq&~nk|qqo_E=27|FV5A25&+H%sdJ_ZXuTu~`j~jdzR=q87UYMhZ
z9$f5IPRCrg*O3EcnV`8!Qluco@@yiqgyT)WAa^X^>MtKh|D2~SKCxUSqY-k;Z9Y0d
z40EzL1~6|>nF4#}9&Z`H%LeH*Ur15JeKV9(##D8uLG1U;qmVPoruJNr_CMA^DzAei
zzLF4nM{lbZCp(vyam4BZ&)1O9n8YL#Jsx+fAV)rGCoP2Yq8Bv*_bme(oK@TSitp5d
z0Kvz+V}U)nA_QpBy3!YB%-tpnx-Hkb3(^osI52qWS`EEFwz-Q2#EtyUE^z8Y>e{xf
z8*A%qV&|E!Bx$*;p>Wf@%uW53hxmVE{*yb^{9iDJ26k*|;MBd9d@+Ci3}MQ_US({)
z_kPh`nf%nWmVI`i@Ta+LmEFoFW6!F(IhLMMc#t=w9C$}16zC&q?c2&TEe6*X6YCYc
z@N9y-&_R|@2S#xU%xHwfA}rZH(9hzH$?Qy*s43@5Yv@t-T;c=f4454b4b<(VpWz0*
zCawwm--+g*9X9^tdH%E1`ad`c?qUIE<{vPC;6FZ@9gCY70s2p%4G@H3t!ec1_+!E<
zHIeIotJ9}&?Gdgk%?6M%|G9Udt~a2hOzTr!B)he^PR8K5c-Ga^xk@3<1f1La_s{Kx
zMJ<~QRMLM?Da=cw2hAKo!^3C+aD$M;T+RjK&Io0vNp%g|?SKzYvu%$pFVN#5{D2fT
zDN*Z?!vIOPEzWDoOJcJ<hHur1R(5gaWM*_gce~bN9&Hgfu;~8Xmzyj6Ct?O#kT`{(
zJsgLG;-5CZv%6zbP^^J@-C5eI9K>IH2XNdi`hHOa#NPjtK}*$Z<HrsL%emt%X7@VW
z8Fwv|pH1JbRg0WEB#s(n17!n_pl7)FdqvYr`F5uun}zlMEHk?=4(8c(Gj>dMsQ+_&
zRY?@aSfqAb)BFHfYv*`R(7nK1Q^(}t@iNSmo2x$6TA6?N@CaA<pP!j7%brnQw4QZ<
zWh{&ytaq33>eR|&HzthU%*D2QoDRg6b$crmTEg86rrzj{K52h?3R>YmjoElVjsu)H
z)?H6Xk$C8L-N4^mnUBRI()exn$|}ycq~oLBb!A-&7&TvkP5Up7Pr7eJK1NOc%U0vC
z$x?F*V}RB}y5eGCCXcDGr@CoqQRI1J;fGu77v=0A-w(*7Mna-5fyi^0@bLJDdO497
z3*)JmdsfOy_G1O=u-JwUCYjnjYhiogepmB;vVMaf2vV(73WyC1u0qku{O;S3pGuwF
zD8A_o?PR;`;&;JE$0uF&T3pu-8z5?wlx5yznXqq3zF2|>a4v7}1oOgQ9BPoM&Tela
zIA%6qg6)dzfA;l6++)$@r;#T027Iw@a{NoS-@Wsnm`IFFQ=%fLZDA{1sQ8~tLN^fB
z*CXWlT_u?~oDiuethX;*r*J999pQD_G{Ux8|EQb_<lQ!ucsGYWB1rC354`?}7p~xr
zoB$U-`=Gtxc1B}h|8QTMX4sG!u8X`7W!9cXh!-3sdiu*0<iT8H8L8`uRtW8ih2W-E
zz+Akl>3vhq(vN^8hNBJZUzxCHQ0Dkf9rr`NEON+ep!K1r_M;JB3Okv_9^{c(2a*q)
z+T)O;o}bo~(|Znwg5T+jt^C*LoV*jW$y_=`;```Lrz`}#Y+cg&#zwEdJhVPKGN~rf
zLhz9YRe{X=>E)6Sq&yo9N^I#7$L!~G{Gg3HFD8|jXUf#r!9M!C$-E$`f=V`mXh*eo
zWFoA3($F8FWYSl9z}E@nT`?1!#ok=Zd9dvDPxMy6OT9j9znVIq5&5$G0|LlGq&hCN
zO=S-QDTus%IGzTW5{w|I)nF(GnzOe0xU5;riVpdiGySWt1ax2MhfVi3;3Cuf1Cpwx
z1C7P<4RoG2ffc4KjxGCX0?uXE#tU0?M_(O^339rt@C!`^Y@0AnBwr?86DJt<uLlF)
z^`U1+UboNJw4KF9trwI{TGNu~F01m_ZTfF|OPM@Gz^AKSB)^*xruS&C7CF8saK+{(
znG9IDkyf6UE}>_Zd{o>Ow+foMTlrT-K14c72T+YAMMRl;#+8}h)`cv`S_XQk>Y1%f
zp;;8+M<V+dT>eX>Yk$G<#c+LHD8Cgw4`#E{TZ(k9vwWc2=(SSh1Tcr8=~Kv<Z*`3j
z=c*M+hV^h_7FvCr%-ij2y9d%qG@)PbBaw^XBzn4iaV@D`-HjVQbrSw8lypgF)c=B;
z7dhr9HS7nySYMOTeQZAsuW&>uZ$nFeuC$VYn%!sLV37`|C5+ekK542k0PDL(zb5&8
zhLY235p&mpJLc{oL)9|yG-Df;>%SNf5qWH-V&9v;#%3y4hiZ<RrMPy<2AF4bQt1(>
zCpT@GN@NDD=%Ajqh`1pCjZ=ICLp|dd;f!@42VM4;B!iFJ;p)+tJcTA)_8Xg~N$wQ-
zBLSd(PsY=<wmFXn<S7#u+S_&P)u7D|nPQXFGT&Tegf3&hNTffG7=8X?Ql&qD!F{UQ
zO_5eW7+z3Pm=sfW!&A3+O#^Zj&s+<^0~?uIF_keudlFzQo_+p{G5}hLtZRS$T;;W2
zVYxLtTtR3!E%2_(<<ZgWI?k%c1!7?%?*lVA<0SyE*eA+&GECg!iC*u+o3$A|f|mpg
z^=tR8%ZPymLXH&<W_YTv98BaN-akK^ej}N;>1|N#jwnU3i!(PKY2cxZ1%|>KxvY;(
zYC<Y&T_exVpI(6%4m>xIC|}5=m;n9US?#70Wru93qy95Rx<+BIAe+`(ovxVw1nD}p
zFyVVH<s1VsQxlzt;hDo@0?7L&!cjB6rV&cLkO%ONp5I`u#cqA-nXe->&BzMxB-%hI
z=;Ssp3(wxgPgF=^+EfAD`R)WKdYKpv89NgG47IT>UnbB?+Ut?ohTuI)+Yk1CvuP{0
zh^RNJDY=efzt6MRg1B?&g{R6__q7YO-Ty%dw$xuFrk%;x9cG*&RlJqzow+2|@o~qq
zi0vZNpG$-;XAy@NP98Vv2v<*xTmjn=w&xp<ev$Pp!C#sDZ6S0aZb9{CU6WJ#(JDvW
z>1p35_Vm}=KV@oN4$O^&w6mO?kh7?9{~xwct^Wk4)fZ31-IFTcb9C2X3xU-33$eS`
z%<L<7%*9zbM(mM$8|U=S#&gcM0~m^~@d{Y8XL-BtrKuUekIB9wA`Wy_@ToG%UnQMZ
zC^@(Zlj2yo)SaoaTA))zVWxJ|OV*xEptH#!as%2wI9)zIUyE1gPh|4!f+$Q})a)1_
zPSgvnYTXH8<|zR>j8P3CX<5-yiJlXxDt!9L(z+2{VWFCa`nWeGrzXxtGn<l=*S_*l
zh$}whP-C?K+{}%|@}5mOf34<!erQNYIbbE*r@(gvZg?WolVdTvZR>*su+(eD@z_YU
zdMgL7knybhG4O2Vq0lYA3jOxg>J0GICA}4A?-*Zgj3t;gU!AZb1O~c>d{}&ir8W`j
zGcgCl<~gr<<j}qGCRG9OO)It3hd=hn-wnTjbjY(Y?xEShcC)BGXTrq8q=c?zogHaT
zuSmg!<90WcL6K~AHA_3}QmFZ_fe@T6LopS8Y06{$WB<eg=Qkoflu1uWtNeAxO3O&~
zqUgvQ{x7lQY3INNXB*F__^6G~(6!HE%6rDLk>l`%<!2GEH%ERb_P^4nAK>%v1mNG_
z^iL1*pS0RP{mCW09Kx@}(`(&JVZb@E`4}eQKX%%G;LiVY5&s2u{=Pak{}%Z9i<Jiy
z(11_^1jDWL4A|io3J8cvGwf_+mEYWA2G9xD{cczDB5=!Fj_bg3XR#%46?X6MYh71p
z)-~%-N!Zt9Fz3UV`awgW4aGBZXj77J#Yl3tJ?DX99)wd<mG9ZRr0_opU-mJt2>F`5
zp0k=^c*pRPV)OHwPp&pw=ikYJIfuShj!`q8Tp6yIOp?Fe^qQxvz)+md;zEhXC9X}H
z{G05>CfN7r_-iiE>d(S3UGclZLWOqAc%`&bzKmHDStZ{q&O#e5mEhF}96@x}jRSup
z-TufyMy^UTt*Vxn-z7O%ywZ+}%RP{izP%vs`WRTykGPHC9>DgM6!fqas7)u;1k)qh
z5u{3=x%8yD_xsbVD^n7Ew?n8ct7Wsq9%NaV1v53V`J2)`d)R^1c<NVbFJ-?O*|-Kv
z?jKY(`XZX7Wwr52J6g~#yB$!9u7qm6X(3!b+OERmI1ltH<lYJIz4mRyteDQCvTrPg
zwlx(gO9I->0Qfx6F=;%Ju(8C-=9;&yOIDxSFMYbS0d)Kx?)JSr`aQvZ`L(@u4^I4O
ztk-+)mjM`2lhRv(W{)ldqR%!NpXFOk#ofAUindh&Yqv-cEN2F|%@An+iX%aR8Y~L9
zgnl0;)XRt7crEXz+vZ)DvIy#G>_ll>ZCIw3W^udzS7%L3Wq~4){I$c9hWx(T=38~0
zOXhchCf~8&)mQ;=Pi@R(wS|2v87p5V=?%XHSWb&oDLk9Nbox(Kgt=n*cd!CFmGQz&
zc7bd7-<R2_9vlO|(4F%KF$MHZdU7^cG}!Ncn6%W+p@xR|Zc9Ss)&0X)gcE0SUp~ct
zmHS;?Am{7ngzu)=+a+lVTf?r4#JMPDJ}p{Ac}j3R9F{l{Y3+zi@<?{cZsZ*;eV^;r
zY1PHM-4fY=39@<YWnpo~-NM5*!)J=r?PFLJ)2i`2*D+Juc;DTOs_1)RggoJx8|SuL
z&i{t(?8YHd)D>KZM_H~n#n-B*x6e2QSIav*UT}u653rmdvUbu}E<Y3x#|KO-Nwn*(
zm=Tu0FPCf%{g`J>py0jb$l6_NZ%JxHRaZEQUur@7vvA+Kn(q6jOYVP@T%1_9z=2Fi
z9?G~0Jyo=F!T+Rh<?rKmNo6W)@t7u(VgrVto7;tGHT23}m|7;H=;&?8=l-J7?yW}2
z{zPBR_THr}$&bqvQ2jK!CPLPRrc!Y`Lyao=d&g21S_3p#(o^@c$GK-Toiw$rSiUG`
zYoFvHz-}}bJ8XaveNvvym+rMv`nx|x;S>^aywF#l=_)3Q1nKOa9hI_oW{SrwbliCB
zy`D4Qix%wROw~SOSGBf_S5fqtza6w0$#`McKqVlfzJVVwhy)Qg)_A@9xbv)3YD$Oo
zgjez;tNY*|0V8z1tgKk}6DOTl<azaug3H3$9Pj)+YR|UlDR62<>|o6LMmcm=^^U?>
zQj-ik7q$N87(dmvpV5Uhui0l){4Cj>ch<}&qovp=SLXV;z@DoDs<&l|@;qHfm@AEI
zaO0&jx#hJb%5vV!#tsUtr*1-a-ZP4y(53JA3Z91~k)wvgKX=i5_6nTic3Z#XAS56y
zsI%m)^f~t3gV=t~1P5pvInb@K+433a<<#;x0Q^z$oLN=1k+yi%=+}7HxtM_2YI>lc
zW{dqp{i`d~x*DpY<&fjm#na3}$crc<=2_)nDZ}e?=Xx!#{bYtKsdZ|3$Zve8*e+P6
ztXIaonEs9Zozg-6JSJ*Nf2h`4oWeg=iCbAH3p^Q^d=9*tnvp`#t-TJo+hB$35~%0|
z`lqrRGWNQ2XWik~Fi*<!1m{;I^ANV}R<Ao>LP!}pu7-^6G0C9zUc0LVhP9NBx9g+O
z>usf-mM5lN_z{v_<*4WHVf42tgtLKm#i>(iu;<-|)nF2HS@VteI?CQSKYCi>G<c(|
zvFymfY3Ql?N9_6%!$4y`>|rydsB=%#>=v<eY)80J1_QM>J)ljo&$&%O$?VT9YBQR1
z{}!)K%SC}KM~nE!PJFtY$J6t4dnouBbW%Mg(kVdmWv4Zh-*E1H>zHedR@23MY0+U8
zbQh6)H@$fGc<WO+hne~)MY1+*1aKDEA6OKlkqf5;`|J{U0=Mgv3OaM~99o$<sa<U5
zbLsP7Yt*Fog6_!hZRe5PmSvikh{{??qq!3D^3};rWL|nDDq!ok0EglD9cwQeGI~mf
z*bmj0Z@*lBSu@)l9}vB*XZ>0blzeGoIw14b-Y+$QN+>bpcw?@z<v4c72&W|3q)QQr
zDM%|<Xil@A+3cQRyLeWmZR2PAgppE2fzDkr3M>vH6+|j5?rO}Udqz)pHqN3ZCSHoQ
zWFkKJjoLn{VlW=7tj#$Xr-3KL;A773dK1mZk8Dw1fv_voRRO1-qNZ1h=D?%gE>_}i
ziX5d6$?<NLIL+zMQXIn@FzXJKR-RRjcXPehyX%QKeST}>(V`X;(E5jRn|RsM%2=!!
zosLdTLQJMjF5a?NEv6}N&7D6HU{y#_b?d!8;M{D(tWi6H{EoR?3`+L5+u?acWV9}U
zynjX$Wz<VB=^m{KG+&{vXEC$0Gjz#Z^~<qmwo_?|FFId$-(EyeNAQV(h5av9m3O8O
zZ)dXt+^WspLYE$;+4vGsgQ{{~F$;Siw$u067b|`-Om0o>@2JRF__C|v3ef0{?ez!Q
z7$fiXN&oJ*`s2KDcaFU`@8F$51-cuG|B>T{UC7EUdS|*L?Q$-8w-NSj9CLGtFecr*
zXhpgp<q}u8Le`h2lx_B;Xz<jv>|lwiyf%3;>Jm+bS$JT2<}fWCmAVeM;Q`~O6>C^|
zn0Ks9_H%0x7L5cLHc@-#>}jI(7?H5hn}j!;Jv*Q7{G;i|ZJnwURC}Ir#dBr9vF_w;
zN@%LiQ|$|9ljoT6yk8EdtqUo=>>NhD=k56#uieOq7a`A1Hl`0CE#GAB%x_UNANo#R
zD-7|^b7951uGPNJkPK1lO!<_;Z69&1&em;4%Rnq?j$UcdLo%Azl`y0TkBt-*_#&*3
zib1Q1yq-BAHe1=FkTRF+GnO?%RnB@C+htuo{;`xrWEwE7a9tL@(OL(s2~(QUMD`09
z{RtM1JRR5_+Fd7fHM}N$zM;Q0_6QLm045zspARRK5;6N}S*7Pffo@8OtKSxsaA|9~
zVEEd}sI+BuOuP*lv6gQ#rlxpR6;YG1OoXv-Mi;KbeKA`%%8skk-@jgP=_}R-I>ytG
z)=Ueg)Ekq@0XI9;Y4WVZm|03kqRU?L7y4XHCv6aFua_+6Iu}P@Q=ge<Winn$wqGdk
zMkL2D(ow8xmG`NBxsm5oRj5m9W~IqxB>WWKLsQP{ny;!`ZhVnF=DQP!_F?+lTyo-o
z3-&AH*U<56lW<l=duukgG0&#7_b$*>EP8+_OF8-xNd7&5<iA;$l4!P8e`zp|12h|?
zS14>R9W;NQW#N>?KVT}!3mOw8D?bbD^Me~bppWKDPCK<qnMPyl=hAy0Su<zUYj!lt
zCw1OH!)<U8^VXH1gBhqyMCp^V#rUi3w{sg<jp^jEF6I^r1Vwlpi4TyhVH1S055#8$
z1s|ydMzS}BA@YK!zOk!bbMLLtKJbK4weh^_-IsIAWA{|5#65!Vv~OBX@2=i&k#k*d
zQCsLxRPR$fTu26`uJdG+srMY57uh=)zlXMOea|~_N!FS*Xc}1tMoe^r+CcbIZ5kN6
zm4{kp?WdYnAH~KlJXy$F4R7FgX&+-G1Wc@YeMsqmjGCcmWGpE?6K0Mq)Ubd-e~0qE
zv|c1}YD#3Iqg^Hy5hk82QAklP{wNBYOj})NUu3pSo^S0+2i&K`h1bjwu*<af%9Vi8
zku%U~`Vo*LKetC2t7y)l$zCa|g;i&{@=eAB=s~#fTy!iYIHAK%bW%w>P=tBas`${^
z_&_-9=93;$P)8S25KaT%a!uGqNYffzzweWLj>TdTv1zD*o#U)LU0Op1UG0bsz1Kw%
z#eUh&+>ywNUF(X?g}!65tz5s;Dp|@zW6)<dk(3mu+N9v4H$ShWmPfxL5xZmri-+Na
z@1iOn46jv0Olev)Yh}5gEPmMTg3sI88AF&}z4A4nKf3dlIsX!^Ne;p(YY)qV%;1Fw
zwk21lMRouk4K4lv|6Rpgn|a2LR5N=+W&&kdF|Y0kaL-C$WwPH~N%NPn*Hu42*)P@m
ztf~^!gd}e*+W*42@Ou4|w!NI?uH~f$=kfSmYmP7Mug=KImEKNT9{cnSevA<CE+yMw
zWGT_xsQ}WaXzuvkFq)zAUaXB5FVe=(yj1l9;ZB^yQADu(OOhW`5?c150y&a){;qIw
zlGR65@`h*{1DWn+Qgh@4iSZ5b3N-_9epiAdWA@RCjsZlu>*UtuwceCNxsMaFapTPV
zv<eD8mhjF5y@n^YGc!>ywBl_Lqe!XWi~2|Fr<}%@O~snuiS}V<C32s_bC>X$y)sXH
z;fgMk744}5^xWXpBWb^I=k7&I>yZh669|HMgFSW~3AoVI9Y`zpeP9RL4KYvLMXuB1
z9=>#1uy`F~gsn_TcC#}>j&+Yh$K&ERN}@qP*WipiKEHj2bYfDVNKdrt%jIQJ!zMP0
zgt_&u_YI9K96>^-YRCzD(Gic-20$;%4ITy-J{!d^KbID5M~F5=cSaofH83WFab;~8
zX6?P6Qt&Bx5nLu3oqx;j>3<}(Ew>%NN7BBE9N&<=pQNdZp{QKL?O2yQSBs=4WZJKv
zg!T2)*X|FW&D(gH0q!iNk%>2xvPD*0`f9&?nk;pj_DGory0d+nUa1RQN^aRVu?G~Y
z#_f5OzI<?G?c<n7x?_BohCX{vy^QQRQ%5L)P2_Y?E11I%NWR6-%5&O(yJ>_T6w9?~
z>V>4`vQr7O*6~xCN*lOI2M7*|(2Q2hBAi3*FIzrkR%#H%7(;!S%vUhDomEu2YR2M$
zO?4OFT5H>r6S^Ra{8;9V6m5+J26~R8e$uCKs%KC+J9gG09%Q1eiPpztCW+u6r0!5C
zl%KQuDV|cOU+Y}#Tj~Do2#P)J2+kwN5GjzIP4kK0mVpjGHJ?iV57y2+5X!ax|EDOe
zh#azpB&m^8gRzW?Qppw~+Z2^DA;!ouC~<}gNsDX~PFcsK8v9cA5<|^mmu*HfwlT&s
z#`L>~bUM$|^ZdTQ<&XM{nQ_l`-`D&4eBPheJH`@q!=;>MbD^hf)^)G;{ow7JLwS1T
z*^8cUb~_v3y**lcIdR;t2t%|!64TONf90MED|c0>@k?aAc6aIn=aXJqSJ#Y>suR1<
zRC`U#+vOSQz*o!~An{C@m!Z*Z8e2UWPaa95VN2_7!`4PUU0k=eyiY9MOy2k4ad%7x
zZ~Ai!j(P(ne@6u%o5rD#Rl-GOFCOK<PSx_-cu(~dB)HL^dC$ie8wd)}DoUXb;d2_6
z7PPl`*4Z;Jblhj$5Dz8;?PRtM-6^%SN7+waKNd2tgDiMd3V>xU=jT9bAC%fEK$o06
zgslw~W=|Fum|CVf;Jn5|4Bk&N(BqcDiG&=6kkk`s42&5Bn9r@BHXDTN(q@mQ!k;I@
zBT<=4;FYCs*6o(q4+@^he-^qC0re)=P=emf&Xd47!Gh(Jou2`VoMNO~!&HdY+VZ>R
zkJ>A^J>;bb!*3TX!o;n@3f37e<hBN-<`@(o@8#Yq1c2!&UCqL7W!`ePE4;F(R$eVe
zEHM|DP?1;IyFIFH+K(iGH!IEZSj$=B#<fY|&AT!o3nh47nMkTb0;(J=9V0UQb+&W6
z^SwAtZQQbB>EFBqn(XGd(D=5nzuGjm-&q3;msDT87dqgRJS|46K44QGR~g|jH!6t%
zRa4VLL!VNNj@n7?36rzC;<=-Ckx@~5p$#Ipl%cmyQx{g%j|7FlUWss1I13Y@@8y7z
zXUg)(v!!Xv*Dw8~T~glL4W9&Wf{9DD1p5^nn$(501*W}P=y(P%Caa9vnc@3ci=~1i
z28W0*inDbWWszQ06S9k;k8zVSn7L6W|5D)KzX-_*wk^#fKV^ED9cAKo7mo)ChnPL1
zKJBVK9G0p<Waln~RLXJ~rJ@d)(jI4SHjfom@NELMxImvRC+y&&g7!6b%oc)D;?xw^
z(HCY7hLE-Z!u)FGMV1eQtgH59cH3;(6MY=l1a3nU3^mu+#>}%=7H$@|ys@tx-C`Jw
zoU%&-m?znYIi!HAzJ^~Z{MrpDWBwzK`nz-{*_wcOlI#Z4&LZ2gYHgh5Cu!%1oC@JM
z6~i!X2PB2H)26=%njGH4H_ue0{Ni!+qsEpN|5loJ|G)i&X2tua<VU7`4^cg<eV(7K
zN8f9Lt-sg3o`6%7ytkzpunFr@Ope14l57jXvD^Rcwg2v8|G!lDem43nHyil>{TMg+
z#fSaL!T8?`n84HsjYar2O7HIH&C*|EmYjh0`dt{eJ|Qgjn@s<F!=EuIK1{r8b~QH3
zvm>s>1}iZJTliq-kbIlqRA5y2rh)b0SeM>~>WU$`NvEY64U`Z2od_=`W~lXs8oz?z
z4SI6xAJlft5S^5lCnO@Dk1PIxpyor^xKlS4&-v0?Qxh=Cz;yGq5J5(*ZlTMYr$Xbb
zLzv}qp=eG0>d?!OesqfKsWGFEx)w)CVi$aKZUz92SG;SBeR->}DO`Ut<w<2Naw>Ha
zMKeC|)FIe}cFKpHazMKil?I*=T^y|ti+}BIS2+DfDeLf9IZ*ck$Spv!L*Vvx+w_Vh
zAh!~`inmXH<&4)2e1GSW)rJ?q`TJ_GblMfBv=j6m51`w>-FKc74t{FT(l;^osI0Hs
zNt}pd-84L!GuV_>deWFAHM3Zu(Y)Yv)VMV*Dy95&UeiWXSM~gL-gpmel%cnG>GvED
zVbj&=7@)V03uUttiqGVBg#V`OsH!`zWD{s!r$B#8OYY~Un$)RC-hKHs@8cKzAPWe^
zO09^`s(4kKeHNERmAfUv{-fGUpFW!+R`RUX2ps>}?YHW(-SZS_6|!1EK{;)LeAyUF
zqOGa&Pb+SHPFBZEpx$1Y{CK3YJ1PY!o2u=hEQFYrhD^{uaVYF<y6*F&5c7{$<UngF
z1xrMFGmJ+91My-MI|~E$EdKg}diC`41YTSiw;n(F5Gb8i&zM%fDO%JyEI;ya*=&{E
ztQjwr!+3X0^II4GwK2-NkKav0jaO{)l5Ga&I0+yn_m=&NKEts3<Cx$O<uhw{HD!q-
zOpZQpJOZ3s>4GiT*!KXnZ8_)+NIR)m-5~jp_PY2h*6WmvcSvRd2Zrtqw)16%%;|KD
z6#ejq3=6kUCRj1FO}Vj(tMkRo%D>Kb^-=1PUuti^j>GA2DjqxNRo%%uKvOH+;t_L)
z2}Rv>^Zi-^k9!t6?IDjh6He8O%OmO>sm#>P_BlDR30@J?^c8&lV`3DKt{gYpX=7$R
z^a<TUsBV4K+6zJ$i0r(6s^hPvrvz>tC($DM$%X{6T_#Fd3c;a`tTrAHE>;PhST1-#
zc5m<k-Lu_w)=T}Nn)%xFF0mz#;9X7a)z~J8^xeSNX-yDxUM$P)+M66RxBF;Jp+hlU
z<7M9ZcRFd!011TDgVifUVsopzi09zT%~$|*;Ie##uN;}HT5RDb77)>FXUGhNRJosd
z%==x`-cz2+Hq3MVt_Ytfr>RJdin7+|7>kXk0XKozT`s>9->UGV6OUCv+^=+OZY{nY
zP<&9tb>2q7A8Rl~WR21;2|_$l`u2^Jz4jIbE0ZYsgX|l#r?gF`SZ(Rj5p(a+WjXzk
za5QvdI_U-LE3yf*>|;K*R+B}tgQafYy+%<?@u7v}!KFl}`Oz3cEFp}?!d9+``$U^H
zxIa{i%-ZWUA4eQ9ZYaMoS+JyAE*1SCLmaZ>b?eDc4d4(I<kTgfR|rWH7iDH*yUL}9
zX=~kzcgqHYvKsD|N=FY#?=Euuyn4&7&SnmED7nwEnIE){^6OpEDL>b{ggv88{-xlB
zjwsk0-cD64{iPG(E4kGZ#EC&Mq;*}w+!Y2Eb6(p?W!*_94ttJVG)D>}3u0TJ)97!Z
zG=#hl^VMr6`O=a{>E`56C%4>0h)TBqG6h#wCfZf3p@+N?VLCeKbUhR1rfYlOsIB|h
zaDGktqUL%i>QS28H8H_*CfzA2he5PjDg%G@kf?Hb>r;GrLt0evaQe6#2n$}>qpm|%
z_pcS7g1h;ZqbZ%ovuh|zl`SPvNl_`p8qMqXT8_Qw+TAFo`M$A0X*)*0qIHDtz4(~i
zm0b?ko3Xmx{eqg2ltpcCfgj>+&)@GY?Y~yu@-{`0UV4FRRQ-P0Gc9h|&%*l`Q<6qy
zup&Og?GPzVymqUe?O(F&&uPI4h`sVJ`ew#f*17u3pI=fA6i0wskCm(W5ISv#^8q%s
z0+LU6a^AcorUxNQU(fI8Dz?$d5AD8_lIc?>y(Y{un1Wcn*Grb~_2A|kKu730P-}2~
zTHT^_M2Ok2cqCi`O4{v{O&v2<-e@$82yS5vid88exte=6CI^Z#36w=WbR&}OK~rYf
zoT(&z@=(aW``Iu4_83giGF$8GbrmdJ@zephvdtv1?;TXg?V7T0&6P_0i>kB4oIo;|
z?NAQc+e#~G>1kE|-<BByt-kHfQnt$91h>_9JgWLK-Y#$#u_Zck-c#L|+=FyM^#KEB
z`~3!+DU?F^7LUL74{QtbcEjY!=o)g~tiRXTzmMIM;b@q?U@PNU;LHYs@Ni};H~4_>
zN(0q<IZnW6!@!%JesuU(+0S<0>XC{3petN4K+2MYlvm8$SXp43H(nJhI<huJ*~$!R
zDp+OymvSqMQt@SN>fG&b>a^ipf5{mSF9o|&@b5)?*MFjnJo0?AzBlDC&x@8IP4C|w
zX<i}mA)O-!D|T1`scjgT{#6rq<AqZv_^wpGFxj@+GuQ@+GnqrWrQ^=R{J8KgiEs44
z4Ya3xxupGMD&TfWXGkQF(y}aQsH-dYXEEa>Scbd1`I|#vhj5ik?Axcfrz`ZU)v*SE
zzy8k#?DxmucjI9(>Yx&B<A2dzm8;n+=c|^pSN;{_{6B5L{$I<piT(Xc6E__Bp;-or
zlYlb#;YC)7c>RSRj;Y;`LbL!@dhKhgQ8u2z^HT$K0M#eM&)MNOf)}0vk4_J#zJIz1
z;x>a)kTqRV-(}YgG1c7pvn&9-uvFK;+%w@LREY2c*?$I73EV4ZH!xBSRx%!EkA0UP
zKbtm3d=4LdUUx`PK0;nnsrZ(Tpqa5wm-WKS0d=crY5iFrRVA9w{S9FZGB##u<z;HF
zu706FRcC?AGA!fF7FSnt#@r1lU0L&kl3~o@t*PEX0J)6TG(Tq)-d$Y9#x9c^E*NTA
z<Ilbf8&QW{^%RC8N`>n`NfX38h)J(`Ufoob?Cl%}!lr^91#%=LnU)OZwBD$C&3oG3
zIad!dOjtb;+kV_``%thB+*a7F;t*R`y!T_f{Kgkh;S<*!lwSUU0rr(NA_4pbIeqTf
zVbY&5_!6L(qbuxlcUH@rc~#DDX+i&4)rbQyp><IvCNBtX=*JRIlX;v^yL6a#@y%uB
z4xzfWw4BvVrs&5W^Iec0&=pb2TG5Al_5=D*toTJ;(Q|Mb7=eHgrGY*i(r|a9OL8gm
zB@ky*eb3mu3)FUUXYCWI`hkNV6h+aZeYtH>QG4E*xng`z-n5p%s3<++s)zys7u(v7
znbV)O%!{qfGCpR)%yssx&;1={hfeYW_-dba3j?v2-nnUBp_YVqLxKnZqOko}bD@0k
zDtn<3_Zos0OIPwu+e$MV)}MtyHE2poG%uTNmTmrpA{aZDz)O41`n#rNXQUXbN-pZ`
zZrrR<@sjtjWRH(EyD2P!s+_(}zes#d;lPmAAXv3?#BeR9OgIhg7F{Z@9j>c;!I%G0
zo`L6(8=KFM^KA_LB^&Ys39%=hl?Mw6SrXl3Yky?^K305RR$Y92(^m-FUkcjKrB3QA
zdEGZ!DEtba`Yv*@tiWHHR|((Et5bRKaG)lqv|?WM>}yK?;K-089TF2}PPR5~&kTHd
zJVoSwZ)2(>#tO@JQi~03m_r!l(|RwpFkEKr8wP{eki4z;me{zkrCkMSB6L>88wNMR
zwbzBRrJ~QXwQ)nsZTLB#E@dDI!#ov8e6_Pv;7y?&FNi~zzFOd_X7M-!UqtDaoe!?2
z%2uvXE5GXx>QEEmqX0i|G?ukvnujdwmn{wcirzVGCp_!Q6HR&m26~LLzQ}A@XspK^
zt35iynhh+8XTOi6<|<#SaX9|3bG`g&u8doowLuv>ca~V5>88tUw6&dCgX+ZuEC9^c
zbv_Z$m~-odNuYrUd&zTu_tmHFe;rbfh2ox*V{wCfKR#tkb*7WEr6y~Ibap?9EuY;m
z;yl>w#3ZF$@B$IbcNHfl3Bm75Woc<Oy!cZEpfUs61S(4b&l!9f0_bO8?E{TK2%*6X
zh#jn9QV^ke0~BTF#U7Z{9G+sD(2RgCsQjC!X!<PjU93Weg{s$C{)~m<1?-*6`DPLw
zxl!oR+s_*8^7S-@r*Jhe)jBoFBI!)&oRcBSx-eY1jEoG_OWEb<GhiV2mW6~!B>@qX
za$dF=$V#iWGU(;%((Ny7f$#Y41R1-#dJJDN(2CA9L}edsdZ=?Iaw~M3hVzvHd)F<c
zUpB)6kg4J_nBiNx!k!!D|5fslA3&P=u$O4vM=H9X3TdKpMas!(K0po}>yH|OnY;TI
z!ntE_N=xUH_Fn+b24}qqEds~!Vz)=BZuFi9cCPxNb?|%66erQi;0-UR8)QGDu|?&m
z)}GR-CF5j54!koi&x|LB_j(3OmE_>5x@kdoKj&yaX%<wHbhVRc5p5Rr7p<+>&wSZ1
zpbFDe5w;EUKDd6-#f=FOvr^ABEj%3a!I^d|rf}ZxmT0;0VOIvnPm~7Rh;z#^_%H&0
z7U;)H%Wb5!b*^J3!Q87)k5=r1pylci@>KHov2>LmhbEx?t8~2aq0TGpfpEhGz{kN(
za9j9XFjR7Vh~K|gK5_~4y?=jT()@6yb3HD8a{I^IQc#jf#q=49)<Og(*&|bgX%SeC
zPf0d)u7$jyTEW?~ME$z#vkf!SK#5o7@*Be}59jbW<$qj@^Pnz^Hz5<#%ph(_*KofT
zV?E5&(1N(-dz~P9?^#{3kzGZm`PTRDUKD$fdm_vKnEyyY=sguj)tMMe7t*GWEv#TK
z&Kd>D4a|1#MLX_x2cZ$157I2e3;ehmnX3(fr&xw!5_Ud`fN*<?T9RD+-V~S;(zD^~
zt6r>VlpmuB4L~MASJY<EHNVr*%C=I#E!5wA@9y>Rrjz?+1sXfJ>iu}LSha0J9$2x{
z+Z$Cy4kH4eQKz+7FSO_rUBV&6FGV?}+0-21%1g%>9%~sQvVrUG?Q7n0+s7oMi>PmG
z2ai!!Ma<~Wf2Mk0;Pe33<7lx^6Ao<WDJ}4#U?j(2kKRI4Ing{OlvmMGlF3s17VB_B
zGRxs6Z$&4q?D0Sh$q(;)?0(-<Cz#qhMWtRUz6H8%U)};%+xx^6x@xSCv#}DU8}33<
z>fgI5I>!P0f-@yI;xlCxYvt%xI<Nh+(KhP&4-p)=gbFa<_=(unvhDF$D&#opypv?D
zNARJzQil-2wz$Nv@T>~wrSbxZX!k;}InPJlBWrzP+2izr^2zctVd-v~#&LL7=pYq%
zI*x^=(Rnu%u>3@IAPW4uAp7Sy2cTOs6yvRxJXd}ufGZW^>_o(Me;0R0O@2}!HABMQ
zPdSd6D~sd1!2HSk#;=aE^D52fNW*tGzy!#YLG=nX?K#q52umk_VF-9Y(JAez6M0`_
zt8`&=yVvgiR?_7CZPvS(+l5<l_<`Nn5S+QJp;q}|gWhm{#`CY<4;W7WPE1}_U;O|6
zzf|J>p=3e7-<aq*_f5b$6&tR=OI;qe0X~fRYHjGB;%wl1EiHwsK5H6T^S9z#&F+YX
zwS+Bk*y1v7fn%Qv`4jM;--c$dqBxva8*o2sZ++nt*$;K1-rjB-Iy$T+ihdUT@?`K{
zg%E&zIj!Pv7q13j0M|uN@y);_-in#^-LGC}8NZRcXJb^D*l!DC#?A4G_L0ZCl;6GC
z6m!o9@K@I>S<mgxiQCW2eSP)XeP`re9K{(<(%thrUH8wSKZ><YmT4Tz@*KDTHC3y!
z^5@UW=W4i1OkPp$_`20}RY0k!%$$5PytUMPLw?3~Hz0O5Wo;NP)ommfe`@OC^_;*D
z6RtQ{6QJf4qri&N@h<|L0sDWYlmLj~_W&9`qxhlNq$qutR~3-BU{ol!cp}0te%mfx
zTg6X^Y*2%LHKb`A93B_91dys_@E!$hDJMZ&Gv)Z#cP_}Qe*;*CwC^YNAM_Joz8px@
z03uz+y~BdporKT=yalsfgE#oTTMwwdYHM8^4jzipCKq{!FdXyv6HK+C*IsyF&wu-1
zSM{k&7De@yy94M-6=F8neW|yoWkF}XH9k$k>7bKdE+e0y4W9vupYBTsGhbs=zCU5t
z)Ir9#nRv?sNDgIJXNiMflY<-!#iMizj{Y_0bJ|?;_xA%l!14t0eek+<2S6;@oQzP)
zGB#6yU+o>>)}-CxcWHs|;>Ss$Ay5ob|F8pn-cR1xywEtYuFBZb;Q?H7mzP<zCs2fi
zQ>nh$;GReoM(F9-N-f0Dh4Kwbsx?IZeTW<A@Z{5<?_XEFVD7gzb#u_pBg}>v86!=R
zu(&ncC`5Zx{d?(yxrMc?>^P@8mt2OGvc}9)Gby^Nz8@wAa~A)+yO9R{CxWDJx_6T2
z@;$25IjRY;lx{HTU^1??rW<ERrMTAyibLW;VhNv1Z+eDmovh>HVT*XY{d29xnH*=J
zQq9MCl%QWKud(oq_UGd~gf5(t&E@q`KS!PzWM9tWngG)lB867S4=yzI(YdlKd5?A7
z8>Wg6Uk&aZKs{SJs7phf9$zNAMTmYs832bfVHMv{b{-B>QFta&0!XFOedl{hc1Ltd
znzc82fYsv7YgNuz4|&*My<P;E)WTKHcIjehkK~TygABlv8&KI#7LY?$#WX)={y)pP
zpO(wHebktWoC<uOm6`H@DA1=ltqEwix`p35LwZWtJ4g<MM}wp8C`0YKpgw1E#l*3=
zOZy7!Ft5AbcEG-IC>DeCg=bKLX?d%~9`ZP{<t?L^iu!mY&C|HmB8>Anub<n}@3aI2
zRrW)!hK<8vi+zM5Tmh8zl#p-807RWtq@GDQP-d3Uac)bvzw4a^6eOklO1*f|HaV_R
zFgor-a}O#MNWWDuoScJ%Q`Ka`;@-4&4qZs@s^#(PLBVU9#0yvE=u?)lU3};fkX*At
z9Mn@172Y;*^rUB=_bwaTWiQg;h*32Fnb^iTv^xZ}H^+aYYF$~=(cqKVH^8VU<1HGk
zq5$)mv3=JFZ?yA~pneRxH)aX9xi>c;Ae&&?=o}m|4Pss@nD=M}XykMN;tn8b@yG62
z%gDG{*FFF;B=$BbD#S997Uidy9>K9mGKoWg4?+Gjz^53x5nc*_fa}zYIa6~|zVq|^
z4O=ZcSSDWFM;!Q<;3n7_HYLJ)cd{RC$Q>~80xA0KynNQ`Aym*d!glU^g+xE?hYaH|
z=)ka;b^pzuwQ9+if7hy91~bY5uKL%$_X6N2#gJK92UF_K;1yq`m%Du3R1S2^A-Exj
z)=p^NV5ps%s;TcT(N3if!iyqu0*MZl2HGN0q*Gf4)8ldwrY_OU`E58&e`myzib=)9
zB<1U;6^gnhrXdJg&78O=G^^l}VS(1d4NDVeZ6K!Rn0bVmpgE9D57AhpkZO5fTB`T@
zPCs@ZUwQEVM1_<6-{{Jpe4)#_GUlc=C7YER9w=Iy#fh?Wp?B@ZOd+g2XB2sA-o=j*
zh#a_1BT?T2+n1JvmLh#fbWv{9Ev~yaOS8e6PWb@gM7IDYCCUE@;VHmpKDHQLL~w?>
z#3|S%bF;G97FN}1t&Yhv%-Pgp29RkVJHeoD)A^oku*~rV+PEtcQ2u`)0g1;#?hGXe
zb(QK{A_9{Gt!0omJkd~(>)k{r8x~Q&EHI`4lR@>NbA}M3+K?>jyAow9PY?NwJbXiZ
z0whSDdzDpuAY=j<oJsE%7^WoUX~nFurc4v%AEu&)ojtOS8;12=?rC4R|7|;-rzU#f
zmiE+)$X3N`O4ozRe_}JQ$c-n!oS;rolbT|E|CRU+5x)&B?Yt#`@kls)22pmsrUaxE
zPZ$T|JmS42A^}LVv~|dQ?6l7Op2lo!p%XXR!Fm83nBTZ)|F+bq?o6vk)_xfvm6cc#
z3f0dNyy`Jd-C#P~Dw`R2VB%r6R#KxAwu%;I@^J=l-B-YKrpQK(a}89#wf&B_7C7zP
zY)R>zb9NSr8D~jm;;jvR5Hz>g0^T+;h{`qIEbx?1+8aRrH!V25n-5n3?s<@|7=#8?
z1pi&>{`awme@ee~eCdZ;7yQ-k?p*!QOKM!LY@FGD5~2U4CipM2I0J(SfQ?4tPt5^}
z?CN;=QE26bmg=tlh3|z+dDwEx<zId+Zu4rn4&FZTJ#jd-Zlm$Bx?>9@E&#tUEYy6=
zVZO5~3ISlB*7t8n#wUQ!kK5O_%EvaR&s|v7%>mqBiJfI(W~pk`7TM&vv-Ma;4vO?d
z8k9688P6KDo>Qb9qU~P(Xep0Z55)Yy=<m^W0EpqvQy_rpW>coN!m=EDX?M)9EA?$B
zsa6WeC+!c|?6+w|s`6H2$19RgR5?%+>+%Q6dPqm_XMi#@t033quq5g{u33VxnC`c5
zT0+q^XWrBvzVWsjJ$zy5$wckS_o(};%K~hzO((nS^}05|=fyIY4V)RGO3&{i-)!5K
zmzd=Q+T|Z&P3$tUQ9Prhv?Qjy@DOI#cqKncriqY30%nmC>26yZ&L|MUXR$7(qn*cw
zFNQeVQ-a_YHs4m>_3^4B@#n5LFkr+yeWJpsExu#{2$$GW|G_*FAWbEV4iD~Z`~c+5
zW>&_OM1)C*=y^DUu9bG|F~mNi9H}N45qspIX&jW(Ts@61=$0}IYrnRaULYW#xnFu$
zg2EzRM*Q+J|CYXf;6(=Ra`QyEqw3psKK5)zS*I-3P0|#OsWT=;MBRC-EuAT#d5WoQ
zmAmO|qbQ^jlntj~3pobnes1W`wJzD-UjDS@5G}<B&tFUHT|G8OgcY-@ww_yOurUE}
z5KC1-qQfKxole_ee36jR%!XDiAx)x|m~3S~!?(~XG)n?<by0UAV4CSe(k3Yg8{KgB
zqp7bf<^S*=x|%|}gipP-c3caKsm0w1i8@l}mto1C988Zb-wy;948<7llav^-Lkt`Y
zN`6IM-}ONa!`V%{((*<a?4F3mUra4_*5fX5iL8}w&i`a?$+rCepfYT+nHIxpEc1ch
z=u}<2NC9J#g&=st4s|a*t?qn?RspPFsFhc;!gBR}nkcqLCI4!i-L22-6gHj|;|_n`
zc+<<yYc3&RgRNjnCKX%CND*XV#39iX{pfeCc3&Tb?Y-engZWJMZK;Dn=f$-@;1FUB
zqbbN>6d(<|L{gVQ5=S>IqnDQHj}}T<iDGG@_gZf^sXdOmXu7V>d0jDNm+!I~?vY&V
zP+k1;1`Y+s@dfeYe0~BV*?H|dEz0X}jgf#;K~DzhD}PA<Ti)n5yF94*>t|zHtcp_S
znKjHe;oU%>y_<PC)tVLHWZddGXI}Z|lQaPjC3F0?gLjfSkiv^{D^>A-Ke6gOY+4}U
zszRq5Y$Ohg?!L%~h*E2J+vO5qUO5m+(5_z4i;LPZY#DluBds5Rov)bff-_KQcK%W%
zI-6LbJeBT3rNo%@rUB0Zq<n64io8H3&h7@7qmSxkE^#Q;P$wDgp*ZQyU8?w42b{;?
zYic$)&LcH^J_n3r(BZ<Ffj7y|8t#!B=AJKd<Yys4*bZiL*~D=?8A1jpW~QOl=t<cv
ziG~XaVTh1?_FMBlD}&+dFmy@TW7BJV%;B$R=%Z4i#KaUtEk)1nI<xaY$xeQWG+H$E
z<t^NzxP}5JI(~yOrs1zR2Nh1X|HcD#WpDphk3#Y98|`F6TuiZYz_@baL5AilBRgf!
zNtPBS(*X>Gx?m5)#p~>uQWU|Es*5U%3Jlg_+VxS~0&G>gei_mZLup7nEIe-2Rkx5h
zZ7mCVIbgBx==14Mvkc)f2gqy)vA*Sq85E;du|9T3^0)iXpfF6S1HI&fwhECmPonab
z;ZNzPKR{$Yqqw|a$F=K~B8F<V?sOtTZ%rv*Kx<)mFJww|j{Y=*^DNfLu_js}E*tN!
z^x?s>QgI`s;~(Dq6Z^fHPe@hAVT(eRF5&zbg2XRF3yxX$)=Ym6K;VIR&Nzq7#NzWN
ztealF%q#+By&ix8PcSUyac8o^t}Pv>GH}&Zt<5~%sEMI&DPhTe_LLnw_1gpeo0#e)
zwc~>smRp02lJxPQt`53`9<jxtupu=SJnoUhlKYPgi^5~Adx?IhH*OP)*yZI1fjqXn
zZMYzM&kwN9^Dzg+f59B+uGxA;S&Iawqq0WHq^G$g3T*aNvH6VR>6})2tt!|`#_hd#
z0a*>8H-r`={aB*CWkVJU7<#R_!qFGh$PG<tBMDVrv9j>gzdyai;QP;=dmY3jcQO)l
zKhK5N+7Iuv!$-FV#eZHr{vW@R)A0#f;Y}%rts*5&!tXZ@F?fBKo$7=Il|2TebP6&|
zJQLi^D{}Cs>a1ijQL*1EhyE9`i{v=j?>wy$RxMDiHu==N90!K9pJnpo=4^%qDkM3s
zTHr&^j=YImR#<D`XyUV@TD;3xTO=JhHD9KMZ{bQ|P`SsnVk^&j4_V0dhKf34tKx1B
zwO2_GfI&xCXS!(vaB|DWY86^1?KxDz{XafJ_=Uu}DO|}Z!K2)%(EEFUQ0|js*$`*J
z3r-PxCGYgOuyTK2h^+%qD*v&LSW(@qXQxh+i$Ce(!0Hll5rGgjj&#9E3%M-ESL@{v
zthNBx_xfcHhuK7Xg*dlpgs%IYyg=K{S|}4G+9xo@et3NP-p({6<C^lJ-B)-?n6ASv
zq+GUT$}_622~1|^@8wke<#OP^$wz<>4*=r$r9^%^`loD<AEn)&Yh)@;`+!ih*JXjM
z%kaD}=rH&4CZ}?LPd0$5Wy`dQ$m`n!`51Wi=69vvp|^QJj9KyQrqHp%5GSLtPJWjZ
zC*7SE$JOT_d0LlA@_a@;(Bc+?Rgx%I)p-)VFAZN&SL(EVPV$lg*N4}fp?o@%ZYeSt
zDz{eTxqb>qAlGP1;qZO?wRiG{_Nge*6vPLv=yiy6p}X&>A%G}o{_J2{O1T!T;cNvA
zA(xu11tjcdRmPT8o-&VdhU4I8fT0o|BC8>;)g(q-9@bbubA$QO+&0mh2(O1;jYBp8
z#Pxt*iJ(B)w%bYaWcIUa#%&oNTfgf8qLf-4w*g@I!6Wfb>g@{CW9X>0M~DW^RoOKi
zQKbO2D!FJ@5jyX|pAj`}tOBIq80rxDQ_o_ACJOfl`AUpOD#={fH)o>kPd18JxVN|C
zL%mei!a2w>ZGu|%Nu<khx;#YWT5v3|>->G<{kd1pXO=k=(V<g9!O-3Up~WPVFNUvd
z*VHt|rxrej9`Z2fksrljQK>O*F&gC!<MJ*exFYhALQ9IzrfH-P%H!HdmYLZdENh}c
zE_yAPjIg$r%bSg%Lq$H0w+Lg=jrY-|%+8UE3Rfn&jQALIR`IUl*h`Ie3^U;v<?=Xf
zaFK^{9PJ@)k%0=I<=S|$TL3XQi_F$)c`buxx4W$WwqxzEEp|d(PYYGXY9Ep51pcfK
zSp}c3?wlM&-Nfw(e&r~TU6@o%n+6N`j&oS27bIwb(UcDKeBfEiX}24+GR9DVN6)sZ
z)>s;U9(<)yzglGGe@*<_*Qor|%_75x^mGf6j61dN4~_208%M@HcVZtwB?}$%4IGzM
zFCyonFT|Ks#~rJd_l0{-<M6@PB;;O96<$d|qlRr$Us1}yMTBxUKM=nQd<IC|S-Lj@
zfO=AM9eM5>k#<LXg{gx_ACr?S)4_8r2K*U2k9K^~1Ef9AX>WMJ9iC#HmeJGH0Fvm2
zJMLJe#0~MLZIe-<V@1H6oT~{%Fyy0^78GyCNIEj^X7=XzjHWqOLT6T&UeVLPD2Tu^
z40RQTt-gV>V<%8;FG67lIr#N&Z0`>C_O-Or&NMc7`%UOJ9sE!~PfT|pp4~q^ha7+Q
z`}nrWY9xbv64qk2b@=j@&JcwKX(SJk?GK{>Vm|#>i@5YO5p8iKS?IJpapo-#(DK*x
zE$IXIg+An<4^I=h8PM|_0VSWH!*&MXs!s+pocU!`hgBY}VCcSyNK<cZ-eQ6btfk&<
z#Bg0;4~6ogAb|_k805Y~2{Mr(x^&%n`?^=cA2e-?IUwmIf#9^#S0Ya{aRS#rhE9h7
znang_#A!o+W0i3=Y|iu-J6y{XSZJW{H4?Uq$%Y?s%OlYK(AF4{N)O=b=|OtV&h7PA
zKo9LLyJ~jaRd%6}0*?&E6my$Y6-H;Zs)!kd@2$hmPHX~%zoF2Z9WulHogppRCWZ;Q
z-fZ{Su3+$4p7NARF#)5~63Huzy_Z+|#gSko#55&$A}EDBnki9k7&kk{_TDmnSN+!`
z88?NX@=fYuLKi7UYMQ+Jx%x9^mAyvQhI{O!8WHq0@r7*5O}zWM>xPKvKF-t_OCqSL
zo}du0bc+;s=|)(?#R4e#fe>;kP|u-z;z&2GJ_|P#<rP9C*h7nO0tl<n*h|TIj!em|
zsixEnR&Qz;8yWnkeX2s+LQ?bA4%Fm)pt6uZH@en*i)ZC~h_s{UvvJ7bKq3wKHQ?lg
za7(gNY9%!%m_*qcu$UNhQPl+x-}=Y`KV*~~I+j~cThB$y)G^A?(VwOIOzzE5kUfu*
zOpv)=)XXHg&KxsD0TXP;rUZR9kumH~u=X>wIE+wiR18bAg3CFUzH1z`hd%@76n1m<
z8DxIhJ$tq2_RmL9&`y@n;ZgZ3Os3FfgY!yS_vAwXTC`BuAief{OeZzHFnCnu3DqPv
z2Tjv8nI64RkypEPX%0Q40<P_mtrTW^9@J>Z#<kw|eMi)7!|BrKRoPcus&;20o@qbr
zeG&>Ygk_cXyj_^`;c|WTk)Gx;Sm@5<5E5;ut)S2papU8{0}3T#fl^67PjT$b1b^0D
zC>-nMt_$tx!MOPnIVPncss52YE^f}XWtSg02!TB?NE+}7`bTJ;J*6yNA`Owll5dYO
zQpos=;y^jMV91QN$TyVe$G$HbQ|9N%H2<1)m@f2+^X#LM0uWsL#nw^83n+9iY?9ZC
zW(u7{+xrrQ&NWO4c|h}`4rGwuOAVg^9x)4>I3e;bZmF;74-Ln?pr(qGSJGz8qSqo=
zVySzc*<+s?hX+BgDqmrJ1;W4<^`9+##G0)O3%h-{2m|YXGJky^Y<w#=XR&o9zYfQG
z&ax)-_jF{m3eoj}87qee!GdnF0D`;a>aZhY__cV^!?;kGH#Udd*4~k}xs1JbA+ELY
zYBp=E6-~%H+5$Df+$P_IUK>^_=3c$Qa;_nA*24X=G49BgLmGrgLpGC@AA2M@fKa;s
z<E2A$z&*0&=b8ja0BEU*=K;wuoM6M5e*8g#J}VZP1_}e@x6^L=?Sf1pGkMXacMh7o
z-#!Ych;#?NOb%{(RPB3q=KQ8^==Gp{`4omg0b#R^P-x#ILXfmy#+ylk1nb|Uc4$gt
zlCq4~WV5D`d4XADGyTBs8IQ;+T}*Vfxxv=k{DPiVOB+Fal4l{BgEV7X<0p+^a7`f0
zR)f^VC@l!ScF4a)9fiW(b)$|f(5PU5a3VDm?8)go9Q?+FQQ{&Aq{QjZ^JeW0(MN-u
zDDQyLove2ZY5*PBl+02Q&f+bmMIk(W#$b++3|nrRwxg72v9*H9D1DTvM|l-EQRamp
zb}>4D9ceX+fiIS7E`5=k44}=0ewiB_(c1aYe_{D_B`nWl)E)@oO#w74$y+M|NcbN;
z+Dp&G_uY8j+|Tcr`b`y?ORNjXywY8K6G+m?e@}P~T={|P%Qs(evqsqDH{E5w+x5ws
zs$;D*%(r$@arM$T$=z_Vlnkwxte(HC3L5}gUsZ({l>248D+-H%)>prS!QvP~X4dVX
zEqvXgUDfoXA7DQpnK#E#{<GJ41LI9UxFzjf1o2e+Qgvq@KP)5twosVhZ@mW(haX<z
zWFF*vxVT}!cL<hOkiwQpur?&LB6`soq3bGZlKg!57iHzID@L)NDEr=7hMW|Nyc=7F
zoE!)wE2+Zklgy%Ho;VL*^x{M!l9y^jd4LCv)ujLC#fRwMCWHIN7hNcBz8m5boQ8MZ
zaPNO)p3m*XER~YHxeea=1M>$l3(+JvZi#aeGyfICdm2-+yzEx$Fu>(nIrZ_~ft6w8
zO=!vJiCe*vfJ-Y@rDk|&udjT#^Q>L(K~u_8O;Md_iaSjx&AMjvNi{c*;iFMg7F*H;
z*n_AV-=;MTKTYlo3jJ#O?L3<g9?z^^`I5fB(f3kJaI@iJ<z!LKz_E<rFMW|l(J6qh
ziJ|IUY8x-4d7{YtWr|oj&<3O#pU)6RRV}pi2O5hiqo>_IQ@*@|*VFJ67rnp)i@-~0
zE3At}i{4rV`lZm`0OB~r*)NY}X*N6~mF+FJmgl1E@3Dq^P6&#h6`Owe8D3uiAr|W6
zT(jzGH}U<pxxdGxYq5F57Q7aAAvGcuoXsdGH7A{;h#WdQUVY-ku<@2<T8cx-(gLQs
zDhR;MW9Csj76vv~tFiP+!!zm$e>5R_Yc+ogAwlc>6Wn!7lJ_P_HN)xnxB}jQAs5ZC
zn8fW2Cl~9a|LQ_C8|q)=PZNkfxE>)Dxksga!@I^~n69%hRoS&i6Yie5xmrCaIlfXo
zNVL_wYcE;xx527pl;$%NxF7G2lCX>K(0XNrjj!17FbPAhCp^E6X%q;xy>H{<`)Rkk
z0mj-7l65^S_Nh=fmh(o7XkMO-8KiTrf>K_438!^0YKU#Pw;@JMi*!7yF80LN4Amu%
z#X?$2P(p%~q?RE&$6|7quhIvl^GbfxNWZEKbIjt-n}gQ<gAu=4N&NJs<@!NJT;CUQ
zv5JTY@T9oy_91cRnW0;EZN>VlrXuYqkV583`Rt*#$9qQp1>tdJze>dg2Kg0hd}rTy
z)t|Zji)Dy&jT7V=071Pi3HCf0mnl7S95h5KyW*DTof;HtKJ1rGm{YkD^RjgE*xFl#
zq0Xt=e{9p%lL@Eh;i}3eWTKy1D`oY~<}aCEkAF~naLL<qI{M4k@ZB(XA$;n8`V+3j
zzuxpfF6yW<b5r{J`oBP`jbg1+s{KGoA{59!0*VD2gO+iEKMgT#ykZ-W88dIkZ!*<T
zEZM;do(i>aiC%|**a8ESCx}fga`C>0UiijFoE}3csY35%raUWLs&GD}t0;cUT1nO0
z<80xl$Wu@Tr4<<B*!)*t^>#_MyzFz;Rpy4?KCxA;eIt|q-n*zADerITAKu=$9dcDU
zqEv_6zVY(f^qhv33W2eiu{pm&(C}x#^Dd8MS;Sgf0HolEQqukI#P5zQ189MH;rzbR
z>$n!_6B}%<jVBm-dN2dni={$@c06s=x7CV5f>V0V5v=yVdD;&&D5a1va^>}HPsM@E
zfL%5mJ4%+ZIck=<+kHtWGPfyu39#Hg(Q-{$xwy@QRJ|K#MHHaiKJaxcezJzmpx7<v
zOqTjS#~=LN%~vCE>dQMi;4HzyO6;#!K_*kawN`B&vk3V-07QPvXaRH}A;)5Lp|!=V
z9lu>s)477o2E6Hw0J)tz`sDikfC#DKrJb6afVNb&4Wg{0u7uP5;LUs5Y!W4MAIfAc
z>0cUC+&q#sd~d}I4*pvGqJ4+T{8iyTI~G&KOwA?Z86{KGz(mdjm>|SVW<9q|_OMFr
zt$3Q{k(!LAPC^WDjYkYrC2s+SM7O@Knd<Vdt}nRnB3t(Q25kwPV`@XTX>S9wk!+3z
z)*{4Ku8a#Dy{1dPxNfx3ycA(9R}DHGeis<J*?jZfNYQh*$-8Rt;@u$j$LN%B&B^|1
zg>Cc)Z$odj`a8UsRa!)c5XUdLJ|3$F9@Ri=C2Unz%<cyat{@R$9Rap{m=P{Ki?i^g
z(*W(-WF2Y6DMKM_(jOFSdH2kRVZUj)F9oM$hS@s%@psu}gSFuHjS1ydF~@s|-O(UH
zTh050(c^VVug{;dPXbK2LqIIE;r{YFDK8n{6G5_m_ACwj(H8xv{L}Jk1hUN!9#d^C
z5q+Q4tr8w<oZwj}#XV&1jxj=fa(tF+z4WnV$)K7#;4_^G8u6<jw^|IH9IgP)V$oPf
zagR~Jj7&UqN2U5&YKRR*whjPW2ODVd!<*$MS+hO7_50wVz)E4;=T;WLQz<<`XBCQr
zy$t*3-4rTQ_0|>QsVetoWh@V7gYLs5RblvbAsrrumXk!}!7g|H=DK0v<=;wt8UJ@D
ztQQjT(x3v_wefNH^vq|A;^k}dhvJdvn^bIV(pv}zP|;Sh&`eoZ^V2zQ1C!xuS~2Pv
zH4iA7=isio-i*{UB03W%sA;TDw#2tjpvnsw(r(IUk4lZ}3b}g#A-%h4LqO`yIm&Oc
z>I$Vm;ya9HiZpc^o86Rwqvx`e{w$)}&K-5G^}0rO8rp_q!#44NY(F=TmYhZgolcf+
z>LZz9d~Kv|cv$!it!$pPKTkni-x0uY#Mp0sn0mc*d&HUPmGATq#q`WgDq^;xhj)3E
zy^M@A-fp~i<DoR8F{Qd}kmR~2HTKF@n`BDfevY=XUQ4<Hun`X10R(`nhvuvdDz<%v
zpWf;q6VpptSEqbvLg~uYlv1#`7fY(MazYpegNC#;4bgsw5zMN|Hg1dd^FdWce}K<A
z-*%>aq~s35+dD7pg)V<m*&lw2<vyScP;uCCxa08Q{LvV_&b+ra$7DF$Gok2E<DB?Z
z9}jbsO4G@y9np`KMZFKHO8PWK$7s$EZ#9n1yLqDjM4ik=qq@^A_=5fu5%h-LXIVbk
z^+WdBoO1TGEV3o*e8Ig;#1VO%)zXLYq2SXkS^nDESPiXySe;stjO1{COvvd(fgx)X
zci=!?KqDq?<h(g6;fq{s-Z8S`j6naqq7}!E^Og9nY@2k!ThBLLQogW0{raw>gN9;O
zQ>q1bEWwv;hQtp2>6)|SNJ6ni^~`gPR1{g-*>5`ZZE@bZel@G;z_L;B^khRpA;PkM
zH03vheUb$Y@XtC_G$b{9%3HJE+l3d6RaLz*eLDj|mZm}$(=Rx|BpWHe6`ecSNXb1~
z;1ve3X0EK+1Anhszya6`JoB3)1Rw47+j)QIo|E=gjy0zI?%07S^}2h;zq{&fi_-7Y
zNQX-n=8{i>jLmt9a@0E2aosR(Zrh&YNF!`-P6ma44appeuE~MNo5O){YMZG`E)J%?
z!7-r|BbkK;FQ`L_`c)=VMjwg#%;cnlMeX|Kg*R?VzaaY>-;j^Qttr9L$rbqB6B;kb
zXs2GD*rLPAeC$g(zR_!?Ite5(Y4cszR_i2$;st$7yxUK1vDyN-J&tYy!h)n0{A#u|
zRg2qi&+`cxgOu6hjv&rp1b2<N%jy4~`_{HG8}ZjT^FvD(?wmwAwV{9}pkF-qx(MV&
z>Oq=Yi#Dem@@`NnHio2{j!?%t_IBi$6S9hMl2ssGN{=NRhxjag!)<ac+w--{(IGg<
z+*tr-fd_m0zI-v=m^C5Lri0Wt+$$no+qe?=)3`d-yKIHzfBOKSU7*HAV&hlDtttK6
zUrO#C4%$+N|GrjMxqm<Xw6Mk8?!Wq6D^3jd1a7}{&ajf%)wu$`{AX}kIsc^M^!ssG
z$nWm^Tahrk>MPy~6AU<OF&trTu#gn=^M>|4=+-~;-z*r*iJgEMZu#Z@si{{25>Y=Q
zk<tRGa@deNa}~78<ser$5Z4;HRc65jh*H9jD=RFF(%-9wo&Rp`s}5qDe4nk>%#BB0
zu8b?BO5eqgkGV&-vIFxNe=v)R4e%=wu7lC4j*EfMfA!&jkR+fJxhR^n+=<+f00jAg
zwuvbF#zHKB^rRDmoKJ`hq^<0?!e`~sP66d^+0{&@;J+|c3Y_%nnG<0^0wn)p@He`~
z<<YH`I66MI93m#FZt6Q;BgVXbH3mIgaVG`s+6~49hf$V3)wi2WIOBTxkDTS-6|I?A
zy@6y;4RhZLK?A0#_7c9L_7@p~&1%fcyL^LMC1KpUGGP>SCSAl(sq3e?58hmLSSo?_
z3sR$${R*kEtrCk4!?ri(A?oG;P`Ni{J!}p)IC4dvWP#5EO#_qQm~biIGwPbUnA~FO
zOklP=hmqv-v2<;H?!<FHI5eXmri-{(Ysj79NR2j{yI}5GH(mmXX^W`&`ktQPCu-&a
zIkF*)(i23#cosiNiUNJhw2?iawKUZ?$9seXbqbsPvTp~Zp86aMzZ)SQy+2AF^paS_
z$<5v^s^j$W*52H0{9a_bu%H^>$wvI3>XYkyRICuRz1`)Ey5}TgP<P6w@Z-=Z%fVxO
zes4id%DK3BxfdQ|R2^G&@B(BGFxyv{`z{1hKd)nS$-mPXwhM`RG^`LEIDbVxT$TjX
zkFGj5otqnxwT8Per4OkJI<l{hH<>sxumPlINFE~>JV`Bm_*^OL?)^6sLrPh5g!=g8
zF1<n<Ci<^Fr<$*;34kljkdW)EP8fcy3;o?~q5ksA1zsIHWMnKigG-n4)BAun366He
z5#EqOEVlU3a4FA!*)X<s_H8<utzQ#J?xR)QfR@)F!DVUY!Mz0M&*&7&)ee8mf^?dH
zi}_|oHrRkl5F$rm!q~EC%`)h5iUK@(KR=6%_5-!BGUH)0LroqPeAA_xn^@;AQLgj2
zNxA(_%wh9us0TuHoi{4_3(KCl?fX|fb0G8gE7Kj^rU~Rdjz_W^ZYy0gz*BdE`Y!0y
zUx*h}!BD8pP)}MuP`iKVHeLuccdNbRL0tdr^_9`5(i|i`uMOM5gcxsAo|a?clDuVr
zY^M45$E*9u4|Nv!C4j#O2tOYpA#1ukY+P?Uu-BfRxnItxEx#McUK0!|HcY9llJ^x^
z`eN=PdBo|^vle}iMg3?c2aH$c(`H3M$aHUI@Z3eSy+{pNc;(EO0-tp85_5r4Crjw>
zpq=ju=e{V;8t~;O_W3OPDlXX9V&i$*c+l^rbLW-<k1giYYUg_inMO5<S-tACt<C}n
zN=4|z0@QvJ#Kb41)|o$k)nRD+QFeKA095*uiV#)J+}Da8C!eJQZ1zOW9Wr6lOm^T3
zoW00c!BE}`J|2;wvOM(An07nRRMtkJ?f9WQI1#|Yl1Xe*5xFQ0lM^_ah?8S|4XsNs
zK{(vOh>+|TQP|;wAJU<*_{OqXF{wtHP9(XZzD@T9z0RHPG-Of$T&zyKw}exA!8=(X
z0(C<&KQKW&KA{*~j!TXkv=@iw8CFe%od9;P#HqI#LW&#BOck^OEo)#Rq`K0>haNeK
zxOp(rO+`{WOk5jeKZHaHbrgUm-O}!1!8Z#g_d)IowdWu*DixEvOy>r!eo2wz#DIJi
z9EbJqBAn9KJAYfe2w<1uJZpQ>bchw^&7VRVIP-lvcbCpxFo^T1)I-XF1oG3#@vN>T
zSrW1)Nx_xp?gIjL6a7{G%ZhPO6|@)WcQoN}MGkYmth#uIq|cW41P7h<v4vl;ItxL-
z@lMGGYwP-OaNhV(QZwJY`LuYm6MnqSWUE(l(p`_)!c+%4ie2~cUuLOXgVSt_79(Vv
zNpff`(>nMNdRyJqZ#l;&GqGjhKM9#sONGXn3ydz)^C_NGYf1-v4xgMCsXs3^wA8Er
zWYGIkZk(H>A^?W(8?NvjK~oS@xMYjylsHCmiav2#bXcTVKZPiyFt*`7`&}e@M_32N
zNJ1nIQObNbar9^lTEshZDyK?iRB-}uU^6tE2HZ&KZcq8?Xtwk^1R^&z5%!G@gT)0e
z&W<C^0O!9$@lwl4Qh~Nlg?XE_o!-tj4-!JLDved4-5>F1;CVC=sn-m2*+e)y7f!Eo
zux`m}%^{DJW(&yhg4{mC&&yE-u{nh!%8u?B2Sgk@<Zx_REI!U(GLOBp*i{|bf-;M8
zi~HmE>v98`$V*PKm9t*^I9#U<bk)f{WE!c{gpmV@DF~LrJ~is^NgJgeOPQ6L4_e@C
zB3M)EmcSa=#q8Pkvftd)ZnS6wYpW(Y930%PuD~^6-mLDvHD7>%)-QAnkF{dwNMP(j
zh;t=uz5|RK^s8b32v^DKh*EH7@A$1v3<rXGA#wIOkRTIZc7&nj@C1^5mCgZB(0_-s
z@Ehs(n8gjdE-F^7vhRt+6wsFgAXxvSL}NbxF85fK@-~lunM&t98qNVrxL7agz8(zO
zH^q!VQ9W#7a;8fkC@n_#yvrkO$j!UYl~Md9z)C?W{R!9SN*N8kH}M&6o5xoQHl)93
z)e4s)W$2c(Xz)qIOvxRbsXJz^)dLoFP^spx&3q>Q^cN%0##Cz`5`{&yhh9bWM87Jx
z^aeGCqou-{+Hc#2>>Nsu6xtismMap)vqbkhd7-!iceQ3YZKN0jv<DM?IIJTNZ$&sE
zn|=RwfWd~`%kok%{=AsBuC2DeYqkQAbTRU_A!}^d<e8OR5}ME(BDYWj5ZirUT|Rt|
zOYeD-!A;8(2<|m>ebd^T!Z*%z*sCub5K_1uK(eKrrk&(@Bp3~S+~@$+!c>L6seCMa
zt+(PTqKY)zgE#L4Tfh{$kY-ctGIi_4dls`Ii&3Fp>=||TU6gr>Lj*<rIL(A5i?xlc
zKze<^GOA*28Ts(tFA3w(x;QWSH_I?YhpaAXBTqw2N11dPK9BX68Fc!CyN&XaHT<}N
zHARTWLj(vStb~tzETEvtry+XZq=)=i`EJcF2>2LiQtWa54)#80JDfn6$4G(?*D1Q)
zVgE5!KNvV*)r78kG?(dh0s2SI4>PEoC#}vXAUz`s#U`<Hbh<ho-wWJv%skpPX#Ski
zAM>}jh*$-+k&K3%yygHtVDIfB`7-VW&pQ)}cinvNo8rF?#8y2=JdQfK|KlyEq(%xb
zRf_E6<NQ^J;AX$YTMq?n{XmL2Sxo@;FX#CbeCx-&2FmQ2raU%d%rs{xxOaj^`>UZO
z#%-_?1aq8wl<G7*oESQ*8f-bwAs2>t-U8>~?aHKe^|d_}l7qN}UFSc`Uc@m*5iAID
z-d=Y$#U&Z1!Rze+XYCYWO*!;f!08A^Hhi749AM$UVRPe2H#4P=24CxtrLb72;21{6
zD+~F|kl@X5%T(wKnw3ITooF6lv2os)EkBt#9s*X-!sX?aQ^!Ud3W%&hw}X#i3MljO
zgYDQIUubY@sPjFFMNfgDdhxl}knGG&>G)PJ1<Sby7`XMk4xk@f|NR8JFCgm3Z%m;-
z<fFJpd?Vx=qUO*$40=9}G-Tb;K!`ZAZ+S*|u+WDT%43aSAy>xVVipEWDyZoTO1`cp
z`6K}?&ujBQ5@w-o`_^*G;goAhnVhSOPVX5^+2CNcVJ5g+0%sNi{nm<Wy#+OhxWQPL
zE72e16;e?kpA|dKleI?ECPqDO27xa4RbC&<*a{9zX$!r6$h^g%%RTA!AU!Q(JQ&F3
zlqKT@TthzUY6W<@ydJ`vu>-fF$Ug6u-qGkw89)L^0kO7Ne%D(jZP%1CK*wsbU~F_T
z(#8p+7*K|5IrI1u0)Cb@j=Wu9-Dz_Fwo_kLS4huuijZ4S%9O(~xpEmvzi(fGUhq^W
zc2cb9+-tS$m>>g@Mi)EJgJ@lMDd*eP#1J5|ePDi7crS-7fX6?Ks@GkRCl@$ccg!-r
zC|)zFES23X9}#eqiN<rj99$=&$=jKUHuC*ALM?&nBSnq}*|X4XkP2ZosW2qA*9a~Y
z`XLVur$09f;gpr}$UFR_Ww<f5Fy06Zx}y=kQ;0eLdN-8fWfnpH(+TR%v4zE8K4?c$
zx;u-Hux!io-Z$p?Q=cPeN`p|eJg7n#s0z5I&J(fm3V|VJa3G>R#|W%W?nc~qq$n?B
z%|4Aa3C^8ZH)jp-M2Q`cCaW;>C>10hY?z;hKBcX}p;uIhgjEH#s2VC9Hk8ROZf##I
z3q*c#oI5Ak?1M!P>lI%{?njM3CU5Q4nF&l~R|JH*8iXEdjLoSaNtPjJImJ85|InTl
z%g!rzKjWtA8Xnik?Fi1wN!P;wi!XL%<gOSsS6)r|yA=bZ|9TOVn+w|n9?3Tm3q({i
z(Yxitxoe^cob%8RSRpm}KP$#X&Pw0tM(>Y#UZU%7r#dtbT)HZvX@$J+d*yd)w~3bn
z`}8O=<;u4ii*GY0Q#cP3y6DnZcn+C&78g^ZKO5-<8uT@?oe)>@%Y^pciv;EX<vg|m
zU>0Xedh0E>dU&5T{E*6td58BC#KOF4iW26Ooq%XwPm+nVUc+4RHzJ{HU+3#^{SRBK
zs)naRUO@78b5VV7LR!-thXUm%KX-IggbBJKOK(A8b~rnzi@=g8`6I2Xvpn$XR&WtD
zM~jzYvb5hO)WuRgbefcOMIJxSqGvM{r5xG0=7wSBsogzEwqab<_{+FfjFE5)W$~dS
z+!C?vv$KNiVv@OLmv&~^*F44;TVsc#n?GC+T=X{U?sKzm#E$R<|HZ>>!g%qv-XK7d
z>a1kL0RsWcu5JE7J2qPW#LRJ%x$B46U+Qk(b7kD_bn-Gd{eD8^SRLI=HSXL|xnh}Q
z^qEdkd0n4p8A+lV?+Hos)t6fVvb+du?UE_|9uTrJFYv-}Co89Hdz_r3v&M+6=diNI
zg36)ub``Xaku`5(37R1jwf4@{L-^ddq;nP{{>iwFS9<>!Yu_2wRN93*V`Cf(ild+)
z5e!5{VE`#XAR^6xf=HJVB@_h$(rdsr(g`GV0ufN@L|W)!RH~GKlu$(>5IRB#kc4s%
zsNZ}u^WC-XkNYQUS<X3c-TQf;XTN(}8!NANR^DoiIiuIOmsndsAm+2*_*L7}yEu;v
z4YW@u*BH3D-B7Z8n#D3Kvr<U5Lf<T8DR<#D{p>G`7Y<kaM6AtqF0mzBo(>48L>p2@
z4Cct9J!ET3rax9!Hd2Ond{<;4Rc5hzxEikj`Rc(K@*ky8BqQcNn-SwHWO5yDtv<9c
z&eu+HE2T1rR@jqEy7_4Y?ktZMollh-;l#?c$T^373Yi%jN_V8oyb8O&xcq)9BUu_i
zJ9paNnlKfCg2vy6bSFUV8wDhSM@+xZ%iy9~fDU8!GQGIV8m*Tf4Xf0o1RrgGj%puH
zo7$845GY4HGnc+TOaA4?@L2%s{-c^BKpyh6O9Y><9v9Zz8~uk|xHVm<e`Me-Mo!%Z
z#y$BsVCw1Q$mU=mC%Wuu<leEW$&ajOV{f4kql+2)h0HGksx1+}UJX06o~JCa^)vX{
z5kapX-1*L34`54a%a5E{S_AARCx}a_UjuPm(Lwwp|3h)t=f#cc?d^isyw^XczN75j
z;35OWg5BRQ#6|#G?+?P^dyS4w50C#Mh_-1A;IZ#fwSZKya}xw$$V9%=6xaSymTtSp
z-yahCM`Ypu_?Vi`c0N6Q-5NBr5QFw-wn{JDpVP0VD=k={mvDqT3?O~@b~TQV+7kIF
z5Uc51?d%__c26$suN$4u!@^cB5`Yj@{J8Rn-2ZCDw`-TbJh|$&bM5kt>4h_bTI=`n
zO^VOEI6R23YsUIKlf)D^HB(+~6D!Su34OMQvf>lw={o<5s5lzUaKCueG45BO@<t#q
z8;rUKt5BHP+R68nq;|_}j%_kQuRGfzV{=Fd0eB4Dk92;%j5awcP)sV5$?pQ(F~;?M
zPv_@pmE3{`s!{Yj<>J<v1ycD9z4>v$`>*mtfYuCJ`;$xeQ&P_8$@IsLDR-eFPk_`H
zlxBXj?#GlM<>fD$bq8I~!DP{g1gnkwKW%NU5~_cG{lC)Oq5eC~okX_F`BEdwrB1jk
zjF2INP{15@qnmD!CzgvbA!8;11F*A$*u~$%@&_r$?cXf`lo6uweuRO<{kA{pUuN18
z$hHE-^s9wr;_EDWXXBpy{c8fIVcBS9E*YTWofHU!@WUyTICWnLj2s4i%|~zJ={;Zc
zMl;kJUs;`fBD%>V8<KHTa6rF8<WbJe!)mwH^!vA~MhPW-%YgFVm9utodF*+7;rf{q
z<)8Hjr`<Z=W<S~cd1kY&B`ClOJkgOUIhA3g9HKwR;}h)h^Yaz#od<phUg~4+(Xjtc
zU}x8hv<8Z<h(BI5ap*BZb&t-Bb-?a0L>QAV4%gL)N3L5QK(an{2AmO0o=z<4aqF5B
z3yILCzZ5v7$~ajQ9n9?wg66;)X~GgHSNqMSlaGNEAs+tD4Cnw|`^5xGO~*A?Co&Nv
zT+Ciy51$~G4<LX}r-#NonhahGZki1ECCYH!{pc~UwXi|^cthh}y)4#pT-GxR>eeM+
z?cb)8zo%Y!_OSm4WR~B_OsB&2_<i=ZkT9Ou3)jAy?v>$HY1-?!$JJ^~|A_`rA#U@Z
zlI~x5>DJD3NVm9{-ff@h4V?P!JC_nQxmX%AQl(x7+Eh84K~F@FXV8L}f5@V8ep|Q4
z_~tZ&UA6MtnsAixk;*{hFlq*S95HzIYc}+r(_9P!D1xWqc63b|GBL3MFgF*Ea9ec5
zWSP`A>d?BA6L`+_hzizL46T*Ffb&;1{(1dw%KN?g<G1p^8=Qxx*;W(5I~PDmO;F$W
zltdn-BT?p#ldi58)Aj+h%0yh`cx^skkDfz5Bj^XCqI!+T?H0hOtYrg?ir{Yh*Me>D
zDL0vaWS0(j2$Cb)hd$|DvKWa$4WbPPPm_sXMP9G4pz)M*LG0?yf|@=4N4YlUy0d4h
zdwY8n>Pa%wNp}U9Ju=2R6P-N~L?RK8DUd=!OWWF4*dt%Y(&h%I*jcf%DI@_%;4?Z7
zoIh~oArhXvCMwQ0S|xbZO&%G;8Pc@}-zi`7%RkKXPDuds$+}&3TFY18WPPVP-tPTQ
zbyQ^O4bmP8z0By<vgpo~SB|en?b~5GYHf@Lf27H<1^E#s1%B7DAbc=L`Q2_Ii{2wd
zpbQS43X>19pH437S+q9`P<~x@rHMFmeGE|Qqa?<%hsOcVBd6BEdG}bMgoim%KaH(9
z2PNefwkPYtKu!w*<ey}E14aRs$mIIn?!nk)cyQh|<STMTcEGdi0|2!VT|VXP=WBMo
zMD1eAF@#Df{5O&3Ya%;EX@OoojQ(-6YWpr_^nowB*ZEYg1JUqn+tKjuKs0>#UGq=B
zpOu@tK<?f?#E0hI=*f}n30gRZd5UojA2_A$+}8P51v{PHbb+Jr((c8aVM<W1HaRxi
z=Y}4oxB<A@)$@*zr>9%aW~L!|z_@hy3pKi7Rr#yO)aJxXYDOu8y_i3DKI^@ky<)-u
zE@y<{?H7r%|IGt^zl&J9$jm$e+;W9Jv9CAU-gL*dG_E1Jgwty+&bvelxK%(sfBtRR
zGjrhTdI7>%Q|<U*!*^5r?ms2T0mlRo`HJG(pf&2;`7e5N7k-I+rtwT`kD78%+(T%*
znX{c%w}Dy3)iK`@o?x>jS^FQ0K=#KX_~E00OrC4<%!aY<!5AKeG;$*F@VnQu;<h|~
z+q!U{U~vpv6ynbO(FU9Cdph5$#L^ch$?OXxR^`0pi_`+0HQ*LW@5+1AR%DLR)~O{Q
zx?-CuVr<@ik?04T-^K!`hm-NkLRs?{e%Q@->VJ!&-Vuqqz95o~LC!9{+lXL$H<mm8
zb>#Uj);;u{ruLkD_}%&na{aSQ|07e$|8HpUe}y6cZvqo$_m3;39)O$eC39bH0Jvf!
z;{x*s==NjX*Yn*RTz?SsJ6Bb|+oi_%zg<w=)_*U8cL5B3GDJXI{>p+d#3MyRU|2nP
zD5xo94loci6~<=Yrv9%~f7@v)vNJ!C*?o=5WZ#KIuacGXpBSmD1<I^u-F%-ffADT6
zs+f8e-%G;y(=u`)g!RXVIE9HhrB61ddq97saeH5{?iWXC7bIl@AYc9XDU6U}C^EA2
zK;}`X^QY>HNT5seDr)WLx0l-XWPbJjp|iWBs_96ItO#}BxuW$i9u=kBp;_->of+X^
zy!OP=20SDhSMz%7`oq~7R=*v=Y-4NCZ}skA&U8DdO222zJ*Tqrx<_Kc^sYe~X8u}L
z4i52Cg`#kjS~*{*)V1=2YY{wG4PyGh%4bUC?jNwf@9%O}f|#B#k$!DA=~C!5{s12z
zR8+j)V#rzm%ml4`fD9Q6m+l49?$%JqbUeqxkWfX%yM;?O3b++Cp7hGEDRYFns}BdR
zac{XySuN5gr~z|S<8EDHg!u{e*!$q~n%KyV1ow<oh?38fD77TogD(9S6*t-T82J04
zvQ(XzaCRN<REvZV;mqo3rfYg3g|vRF=1;0ni0U%2dg+5FLD_W#ea>>b0`efD$63HF
zJZLmqHhRn|T(W@=8Qwo+u)i%dj}Er`6W-p>hfQ$Dx+%*yS12cX&e4$G`Mqe~WXWcD
zV&+e=zlFiIM7pg;4?~wlFewQ!XHDZ#%{sIEC$TO|s-(%XT#4Dbm*>a(%3df#P8HA1
zmQAN`NY<GgQjxrECDnNG$#9OK60G^b&UafsX~%ZtHTmke?(4nK%<9hEoL|D-f&P5$
zTE@cp0`f~uW32Rm;?zr2KB!5Nkyu-H;Y;YDehl%g>hkeKWF+);Deqj)=}P~IP3tO)
zGf!*7iPPM*8Epx(En`u-ec=j^%p><Nsrn0Ot;h@*72QU;C|6l2y9-#{NV4l`Owgw&
zXkgII4>sIO4^8P-mKe@JpXxT94qRW%kF){@sz^SSkK}V^hf5*}GF%@cX6%0nx0@V@
zmY7zxSy!S(U7AxqC)gK(Y<5ZMHSW6s*HL2f;u2qg&2Dtp(?CVBic&dYXT;2={Td@r
z=knmAaN(UK_Y585kwV>Q6jDOeODs{c!+E|6V}CGq>#9X~%|mP#Fcp#w2{p+V(oCb7
zc-p}{bu8}XGoIsMk?Xz};3^-5Mb%tQJ-|9vDQB{e;?BGP<33DkKlgQyX-(5X-wq=B
zr$a_!<yGWFP0n#I#=7R^E?<ZW2}#b<w9r{m8;Op!d@gwmQ{c%rJ$7W0s3o3z2w~+f
z-0fBG-z0zG>(e@uS3w(-2hjDU8O%q@sHIHeCCbgxf*3~u1=0Rnpi{b3{jR2~dG9si
z>_BFHuflIeAf#|nx`t+=>=%;JZwymL)8rf6xCkX4u|Y*A2{Z%jO?YWRUD{P~(d&QE
z;N|1SwKisG{YE>T598nrf1yHS5s@l?kMG^)E0)s}xhz(cio-uH4X{v(i~X}h-{ji<
z6Dm*6QbX|1zDPs5tz6Zb1yAgfeK2<HN)#t8@7c|v1z}E7Be&}8Rnqa6Sxx>>5#%ku
z<1JdGT^r<;2XDF8LzGqV$tDtPD;aBn<9#!s+9SXe8d@L*OJ**_i;Y%ZJCS0N*|&V!
zSkKa<b1P?PuPay+8F=+$k*=}wB-~)uy7pYxYqdA-ArA8rEeG!v2SDs@%zKC&RyR&R
zWPOFy_{?H9xe|XXJm6L&*&x8!<Ce(&Vw8Id?eg}%l5B9?=PFekmRClxfk2zjpGcw2
z`o5D$2kZ1`q$88Skfpvc=G{5%fB|a*^%WTm=y~5`N3pnmjBHG|)xn(IAHadG;SFFe
z`p?Q^n1-Wt(Uxn7yoSiL4U$rTI2)f+Ktv6A#I_uFu@DN=DF|~DPZa0R3EMOt7dp6z
zxPKTab$RtXEIP!^qTb_RG7GLFLdkh)_KaNsA~lnuRgCsm^%VqINnzLt)^!kCY_+Ov
zSz}Qa_F2EItQ!`GX6H7@{>E-YucpbLv%SUQ?tYLe44wbhuY{VgokhCRU*l(-C_i-F
zAn+mPUNl_i1Ngj^)a!Juj$e3An}Yh!fm)Weg~PxQ@*D2iuGg8(VE&fAgqZ4P@`aGI
zO3Lu1n?<|(jV?;hC-8k3|HWhN$RN8xn1CE%sJUH*L6sAgVfSwPsi#tZSs5)ynxfM(
z!T4$RfNNmI#fm<=i^g{mjnQn3M~q6*a;B?|s>f{0R*vE`p-oL%?T1dUeC}Sa@np-c
z_<6qT53!Ts9=hJ|jwM52tfm#|-W}um2ai?H4DFW4uvCfqMnW)nKkp2y$EBarEFb%7
z#LoC`u6_K79;jQ61QCG>aR?mZ)qVYa5_RRClINTIZLUDBAZIJF9p8tf4ZdT|IOd+5
zc`29j=&a4pg74FDcrB|*5B*yopU^b(xI|!4&8WVRkYaO8D$iN1cXuU7c2$y(pEw#X
zy`~s5vlXnXX4RsiBMOSxp~R_`dIL2=x>Gj>-L}h32YZuD+jRBAbJuGZC6Zm1qv@t-
zTAv}gBM6JinQ_Qv&zKokm><QQWrAkTH2m>WS?XiNVqEw#4OUdKJt%e^(Gp9=cY^vN
z82GVMbcb__`5`H5-J);`eof#SxjdmK<ofoS-Cnr3Y@Vd!rp|=nsubF93?0`~$W~wa
zpS!v312|=YekW5$X|YT#z<;|)ZvWdiYtEPR%vQaZ!OguF4=n!#7g|`D%a6^CY`FD(
zbN>v1@^TSBH5jALE*>9dUiD9rcYC)V632W4Y3QWSlo0h6;Icr8CDEn&`kgHV{G3$X
z8QIM*X^(LD20rOX;Je=jo$tqs3ABUq+iqp7iI?|BCu|QIUMm)!fi|Dqv8@f!65>Ce
zYW>z&H>~t$aHeEK_*sPc_ntQ-NdDyvb%1YclFNUzLlT+wV_3Z6L*7TIF}YUxess3Q
z_6t^9{K0(rSY+IG;Bt(qcIxs=hzu1Gh@R2xAshW}6yev2UVSWqqyquc`E8fVhCW74
z9V4u%xlLzh7TnLgp)?0%6B=9vceQejl>?}Y8oTwa!8g7QK)`=BSC+pROtrnID+1k%
z{B#knqq2kn-_>yqW#YjCQlKt229K>(#bzD9lL_@v<R094kL^N+)_o&uB?xr)&Xme8
z)!P(HVrT<EC(N4_C*H!_1BHna?r;P0=y9Tn$RHQHFT|yd6#Et5OZtWsI6EUifw%u>
zCQQLvuO}ZAChR#|c#S{gcunYylPTgG(}v>(v?Lz6iUs`VsT^c25iw;DA~gLnnegI$
zfq&c$(ov=mTci?e-?`8yC(Dp`wTLvesXY*p?O?9zcvf1pIT7V>+M`Wx9>T`cwOt}z
z+E&ud3p9;<qv$_%;3#?$Ef>fGn7Os^g-)*NsJBJ}&Nlo?{gEC}!S6kN{jZ)z*S)-<
z1IFGJ>P)u|`=E6Ot_-o1GIZVNIonr=uWKfChQLJzIM}PEmK{XLUq#~Bj?uHX1&UC#
zAaLBInd}|~06u+jg$}e!-r~GuHIL2gswr?eRC;rx1m5mwW)qPcsy_>1!}-VM5tGv5
z{VhxB(_EaskKPxy(u&|IY=e_9FmGe_MqglFi;Kv7MQzSu3kWn~dsuJ0{Lxrot8KE0
zTY+sMkj((M$+V!@IkbRBcV`<=ZiDL*#k)b;sN~)P4X5ign99sMmIP5=gyr8yTt<^^
z?~hb6%Zn~OX$6}()ZYSSsz{C&+soM+rG9+|k<}FRF<>~<uFTkQ?%*WE!=BXr3dbdM
zgoMQ4y&or>yCy4|TzOSl^l4=<Dfgvr$y;TQ3&vz4*Q=mut{6wG`3i5cmVbR+%s^G}
z*p%?VYXQz{;&x43pBw(S+u;S14j}Z{Df=q1cHsd7i&C9*fsLzpu2O=}L}D&BUoTQh
z*}lzo@ME;V#&VCxl<+amt<&taG}?qVg8lJ0+yAy`8iCoVpF*2N___>Tu;c%>=&g6`
z39v=qq+;>u68)O*9F@S(`lvcus*Wp<m{o7Qqq#0z$6s%kDLXG0r!zpx5o9I&gsJnm
z-ER;$OYysTD1_xJ)PSL+H9Do@BxizXV7L}Gws3RXkVVRm${BYX&gR2)crGaJ)p#QM
zF%}q#-*R|h$F=s2`-%h!7ab~;5W)3j!q{z<J;zXb61_GSQRXXhqGZ>lY|LbBmOp0y
zpMAU>$wia;1L;Kca)d(`%9@cBtd^Yf-qR9N;ml5p)J=7_Arul^Kb+5H>mQWinxx4a
z8@N`8v+Dyq{C`sTGeE!$C`-9C(CU&m8k)*RMjYW?H>~<*-j46sFH|U){+LVfez>G9
zHx`&XVNv&-l?#hJxNC;jGIz1?__v}VAd#Fi5WIEZAPF^>x!wvdc+k9IT~sTn)3t2D
zRJ8~<O?`SFG<-o2H#)37QvQ6PpjQoy;d*oWSVhI*(>zIvb8AV|YFpMZ!~+U^+}yan
zBHcmR%3>UL1~;Z3kt@~!K9_N^QtPg5dcdB+{=jbrR_eQT1+1>EEnrFX&ZYIn8VCvD
zj@^+w|I)haWu3Op`cJZ*u_zIA`lZ=1(Ejuxu5tX`4^6d0a%e+cbm%OR$8g%=`p6OF
z@fmBgMGC1ys58hskLq32mbNpPw56nAnu!W2-z7KvFuWZI6ex-v#}y4MLPhzqF*XAb
z)}dJQ5)l}~-x}Hjx0EzAZKf*f(7?$mWfBF3TR976E&nilz<z7JK`y_@BVsj*v)1}x
z5E73+ciT#{QtODJr;w;mpRrPrWT6NfD_^2M2;C1J$*H>?fYk};dOn<`Is$cx=fsUb
z1uIUQg=;dw(pA_eu_Li)kseXW2j*y!TlJZC?MSY=1lz$*?$T@>biGTbQNLmGXmWPL
z9xP@iX0Zb@ejgM?nK@8|W?ih(({uwhioZFADV^jsPyi}OHwJyPvR8K8F9i<xA4zFo
zzkb^ge8~T}E#Roo+6p+>Z|ekbiO;{E835cVEzKIWYArDU^5NIEJAU)cpT0Se9cP`G
z_;2@#!|#;{WVIv@I#r?S^}&Hm<3O3hxd*y_cig&e%Eh9-as__nYHL(pDI{%fUlxm>
zvC;S7HGilg_B5YbJt33J4y)`GeWQCCwZzpIKYZ>idfmWJgWZ&MnDEssfDgIi^lx{b
zEZf|CH<#UXR8v5&m;UlBL2KGW1k7rM*WZ`^&`>AD?0k)l)KXhv@f?dO$qt;d4Yb-S
zibq)o8t`&n`OjC-#TWRIz+C?2otv6l#fv_@zUd0wJacx^fo&`o9covY$(uOj?5)}#
zhw}&jRE3Q!#N$FcZA;vkJ;ucAd>Z^s?xlK>aKq_z$G8P8*MPP6Aj@9<BwB00N#qUi
zzi>g>0~|g`!1cP@c&xFk9T2OVBg^9vZ|VEM?dw}EqP_l={YpyAtd~}f`n!G?Jr!#Z
z?u!j;u5(ni!D93>i7-oKri2JW1jL!ra>WiAZk)8kOP*^!ZxN+b3ViOrJM#@{=m$dR
zahJ>n)F8U3oOwX})lEKq#q+YR??;?blZGo+cfYc7kCDi_>ut$_aM_sP7`)@{M!Rmx
zMze-7LKTbmw<lz31%aU%sO9^b;v|0Lisk>9iOry(>+ah@m^a;112<W1Ht`m{$)BI$
zX<_5`2zXsV-PtHL1MKZ{dVHu|D8rG?RL2j`r@;u3Ye=j<d&%ZHR=-KdxJuG?0l-nM
z%hdpQxL;7a$zC~SSgHvejJqcQlv8(?rS$Vyr_4UYVg**ZA@5KZUVq}yR!BgzNPG-x
zCZdp@lW$fg3sf;+R4SGo^_zHMzuQ99Kj4%94Y#4QPiIq2cKa=@TZi}a?clSrDIES`
z-@TwxUSA%3b%SNInk!a9l*^5uP_oz`OAFUE&Jh>=HRERU?bl?9FIlqvZ5wn~0j{OR
z=2keoJ-47TC)N%&2pqTlT};81aC-F~7Wb9SBQ@i3W^scI&?j`@=XQJktc-{NS2OU)
zSKVp;EVD2e54%C8PGZU!Daa%Jr}$j|^XYp7g%09s^M1i75iVE1?!A!1t*N2}{S*5e
zRjGwa&r1bbOa}2Sy$a3Qj6;ig11j`X?*i}&TEXflvhUpQTY0-v-n*@fT2uws4&*Qb
zt2gg*`PnCT%Uy@HyQy1JR2?&lPf#!BBbcYrlmH!V(y&dgg0ij6$2$o&1yt9RHv7Q@
zb^UE<{mC+#hCd;~a*uk-69E004~J!^wq|Lvw(D8_%CCp<Tu#3!ax{CaN)>4)Dte)Z
zz>|l=;$Kw4;W`67nsIX924d*Uw5Xok!%CN~wwE6&&-b>8+t57D2ANl%$JdhvSOdQ;
ziw@uI5_JB^VOwg8Muhp6da(XD94IdqX@y0poJ0qsCOzu!^FYbV5expe1+C0B^+7fw
zgvNWVsbC^Y{oP^|<v{V9IOIu(WX9kf(O*1tDuFan#wlTY$X+R8RqnzLO3x$qEZ%Ni
zD!oY$h-H-KR;J$Sl{r#j@|sXS@qD?ab6%v|*f_k1(Di7p+=;RN3p*<kW7>rNqH2D?
zU#i`7qO!#^QpmNCNG98rqFPg5d`DJ4?0%@f{=T7vsn_BoUsbB#hI3x<>nz)rMqHHY
zd`;UUwFrx{_PagOslhufH~2b2_k(?yWWwcw8$Cw-lQ|UjQu5YMb(-}znUaxpK`={K
z*zr1v)eIQ+`9QBgQ<*$(UnDzGo@!C3cjXLdu<c=R3eT>G0N+WHj9`H1yDxkBPq4D5
zd&PXr?_`E65znV^UH0r%3|!WdYtU}oO{fzdh$Ou{pi2FHqop=48O@V~k>BUo@m$fj
zf*{@zfedLPP9~44Z`D0xihwdsPc;*>uIyj8J5-EOwm!**9A=sCpZ2;va_ar%#V33i
ze@9yB5#$r@PTppXMCGEnp)#x6%u8RDh(}jC!#tYcpg=c-i{+?t6ZbMrdZk;C11vgD
zUx=&-@3_o_{5+hL5g|^ibwujAG@&H-8Ny2RDavCnQbs;Rkq6YM{!*#_=txqAlZSuZ
zisO|J26rJ1KV9Am)m%Q?{`MtnvN&Z`1$ou^_DFG`QHo^P4>0~?7JhXik4BugaWe8a
z+t_AV{U9SRx!+E4?Brag(`Wam*RQx1_r)D{A3k?GQVw5O3rA~SIX-=ikh9_~o$I3Q
zIa#h&BGP}ukzj4MLW>`5NLT`m8Cvi*eGR&VzWth;d8JO4P!~f{gcU&$(%p>}?}M^*
zIVB+{yACaiqyoX2+Jo}DIqVF1ie@;>qolr~b;h&ic7*m!-YHeZhNW`D-o<N<!FtB{
zH>c-{C5GX5&!$4&VCK9P>k6|DU*5OegIKZQu^|0?g(V<rTK`jDyu{K|$|Uc`b)%J_
z4jI9oTtwSm8kv>X5G<ieNfXAL9Tc4s^Mi_F;{)Om7H1Ik*E&vca$YDAoEfKH+*nU1
z6e2#9WJph03O6Q5c|OpzyFD_k?>nt|E3&Bb)2%^^`xh-FGc8eA!*#b-*A#!f#I?`H
zk+@m)ZeszvRDG7Hsdaa+oga^ndCW;JG#&t&(rq4uIa6x?Mc{T~Yx+N+MA$XCaPaTt
zZ^xfU@+%HcPQBKV!(v};Kq)@$OE*tTRVIchAW?2^=RqDBA^7Q>WGANP;7jtWuD#@D
zBd7PEfpkpaLfRPCa`XK)<{Ew+(%;M1Pqca_Ugz2q$Xf&-={$U+=;q0-{zgc>*axKX
zbt9CEK)9~kc|v-1;-UQF^5-Qa_aVA>BP&*!)A!lqOPYhD?$O4a%5t54YQp8-^26t~
zNgp+zj|mOLpRSh`T#!t~1#jF+y?mla-83R!mlUS#GuuFt@8yFvH_8`*Hgae|k0S1K
zrGr9M!j0#vlFsst9rHvYaE{i9M^d^uI)ieg9EY$!=P$cSl<aFTUw{m2pHpr+t660o
zo!DLGUw0VQlv|MG*PnsPniKC>2$l2bi$oPV&*s7g*6O$#Qf$sUT&#O0MJTM<b#gQj
z-OZPcvtWn$T97*53VNQ!YL+=%!UN}=zsB4xJlyoRe?sF)+e@E5Hzb=mb+}7sCY!pS
zn+YuNkcK2z3gPQLt6els@RwvqdeW>cx>LH#+$--Mw2*t<_hsS~=O|Oj-Mr{n<C&~5
za+nZ9$giYP>RjAXBIJ40NgmuJ(NPn`acpTMd#hQ8E#^q{A76W-i;Wn&T&x1*gm*bK
zwH6ZCs($+P>a2EL#XSPpj%rTi9W^oJrDiu2q6SHxdDX%n*6!2wCBtNk1E{P_`>;j4
z+H6o!0}rz}JjzjEwZy&uIoaiR%Z9c!LtfN)f-nf<u{>HKpNbLg3-(+}$mOGvt0su2
zR6)~XsV!IO($-7mXV|+!>pNt4-p0+^Zp<RW;UIw5pr2_754cYq(h6F7>9;>ZhJB3g
zczdJ>a-}GGE-Mnvf_8iIu1T0x<R{q$FNG#gLl@3zbn5mSw3ZO45gp|{1p#leW$VH5
zX_OUkxAC$C@(X<1+*4NaW*kopUf?gj|NXr99UHf#f1Zd+R!}y~OqO*T?Ze37{ydcI
z<iv<@susfckUAnDOF3a1S>gk!-DT62S?fpoW;wg<n#$k21<6^+)y75?`1Z%$bSjdz
z7}K!3zbjOEl<zW^1u~e_nY+HL!C)%mDT>)8B9}dU1Ji2|4rnAyu$|=rJxt}fD$DHN
zqnz%}2FXU{X1@m2qQ{>3F4JJK4U^0@LwZEc%^BDSkE0teTOs2Gg;@pKo_8u8RY&Cc
zB*tvlb5u{HRF8<j_Bg6tnbcJ<o&W~d`3^y}p5G5YhHNd8D0+KG&2x6h5Uu`OrqD`s
zy-~QTIq$5OMO7cg?YFU)8<Te7oR{Pbok-(ZO%FXUU{SNJ3r+L0m4l=G+ei$PrOJ>q
z`fXfnI^M0lyHQikW&Y#bG{4`e_k9)f#cj%j&IP_=IGSQ*=FxC5>0cZ#KQi1@fHhil
z&i&YH{yKkLW1E1SN2QCtsT|7Rm2s-2az8M%lQ|f<n4w3m`l+1hX+NH#c+Q^wP`To0
z_!xFh8DS-W+yD<AWto=#9PpyWt|v83w;tz;2p8?wfDGge6kbAG8P==bu$SvnQA}JY
zf1Yq)LnU?Wre7pX3cRbZSZ`u4!o%?a+95@1-^$5js8GE)>f$3sNj+!-#ueORmCU$6
zFeUA(@m3sX{mjmc)a_BhkD0&@Rc!sTICY9^^Zer%u8~hi56pToyEO5cp%?a5EEKR>
zkijoNL`-@TC>r_5qStVFFS`Ec3UM=BM>%H#!WNFg(Cwlwv0_mzaShQZM!$!I3Uu`(
z^7m}#P8mUeEFyHZgj98l5L@k7Uom%<y+2$vAX@<Wx{$W0CEHL;;Vo6af+j)I60(Sj
z62+}d@SuOBg<bK0tgY@hUX-vc7;GQhimtokn%YiI+UiYe=*(3<K2}-y)L&IDZ0^3C
zaAH;qgt?eq2S@8(lUw{qjSxrmdy+=v#GRrt1nZLRuPQg*Uha=<YV3=|e4Hs7QJ0x0
zBz1-@0+RW120EB+2yn;Jr|Tj;PEn7{NQ?SdRWsOo+p;&$4E<8)(F7Umg{l{JRCck1
z3X1*Pn@|>Tofi^QN2T2}0zi7aIb&R-c(`c0OC0FeN|yI;r?d-#_?(Y!1aDq51|5$@
zW%VMD?`B69Suiv!#G12xvKvO^NPP`_Yx6f**US_@(fp`*O)x(v0-0ykJMQPvYR55^
z8>BesEIzSUloXe=?4Wv;@at`LN+@R&=rwABUIJ#M({pw;L(YQ6C1ME~-a4T!VT;eE
z`+j0&d50(u;+l{xqzvbNr%2Pt7Vw~?lVK~Ho!UeCjy7s;M$@))fEWTtXuqg$C*J3O
zf_l5ad=qVVn7T!2Vv9wVXF@t-X$Cy!AlHC%a)SB~k{UQ~+luZS{St%#9h9Dh#n(Od
zHqiAw3A`;V{qLA^`~0bD!VTA{NjI%&P>chVJ3xtScWVXS(pvqUF9lBW{ni2x|2&p-
z$&7R{WtpIuq{^+7SE}Dn{5NBb3I)P!H$Te)T43z^!&m&Lo*^I-nUB>T*wg}&@IQ%a
z2$XASh^}1LU%{|w<ASZdov55C5KBW*3oP;-ZQk=CPpHJc5zzjh&w}Y!uUmZz;LNoF
zt?51>b;WD`A_{1>a27TenLTU#Z;GM!VlxXHU;WZ&g!8HF36O%P{?%+Ap#D&jS8KO6
z+MaSNn-l@U{6tBYj>C4Ht1=sFG5+L~_?p?-xSTe=VtLo}r2z-8OIumHI29W#N}!6{
zOn#XxP($mF+<^<6;{bQ@ql4jT+XG!wAp&Ko*O>$WwFCyu-P&Z@)Ojts-)-*YHGgwW
zbSC^2`{@<8wM~u;@77YS{if3h;{N>bs$|<rAcvR?QQlm9<yh|rG<E{u&`j!;R)@Oq
z?jPZ8(VBw&j>DCu6*C1@cltjx*fs)eOD~rs9KMS&8YW>Wj-yqtFSQsq-4gwIdRrsd
zp&1gCZth4CZgAJ7XQIUW1n<$177t@{7j*`ytOixl3J|Af!`j0vm(#~93xQ$LJnTEP
z**1@0)7yAghwb(Ta<pqZ1gg7@rmVj*H#rN4x9HVj>NbLCc`Fiq6-}L)ZUk*DPh@~L
z?kC?UpCb(>Nw<67Go#Rf0LQe62q4+<QkRjlPm7t+<ZYwDLvlkM0xosV+v)*2ep46_
zIue*FItCio?>B%U@LN0tKz^v%7EORf3jD0dOGfu=_9jD{eb`f(L~oG|L!z&tTeqHO
zDTkiwH(xa5Lr<aho<=WsqR`!MHA<kDdO$<bDVU9TK*SymZQQiV#sOD`+OI4)w#$!&
zPmF=Kypv-L?ot4nWt?WWy_uGJh{|P`#0ue~I5alZcUO#5^DPk-xJg5u=tcuL(^0H2
zqzxzsd?0QR;?kkQB}eodo=E~K`k^jS{5~-Te0k!weUmFcq3PpFo}E%|1r4h`z?Q3-
zk{Ezu;5y1S5+s7xC&H!Gu!y<At?E+KejHxXR>3u0>e@AFQE9_=W_l6gZ(5I)a4{xN
zP9MwIE8(q@{Bo!esmX}RRD6Y2Pg$z^#4K200PAqGXf``DwK6@zm>Nj;3drnv6`p_J
z?^F(~{Osy1hw@<$WT<9)+OC@~*(;3HBtESK@Y9M6lMIG5w<ToJ+^7XJ18TN6ymM~u
z?>xslr+!~mgOvGr&)E<SY<LV@9NTJe8(Vi4rS%N^)2lfky7x}+QORc09?ii*Wzj3y
znV5uwG7UF0bqs#RCTy2-+*ZZJ<Ka$43xBOX=GFEpk7%X_1j?=W^-tME%_mEM++<b&
zW6^NQ+nk2aYSqZFfLp6%3$szs&(X{aV5vxOm7a{SLyq_KnO(Ow-kz?o8)=N$ud~(~
z18*;;DEp~jT_jN7$9|sGcAYj{`h^K?-mlmL=l1|BBF*+y6prlHdKV3WFuO(06=s89
zS{u%5UDIFzf~9}D?ll~mcCK+#NLj`{JTVfVwFjG^b^o0hQ15%?xQB@1e`IjJV!>da
zGUcLAH*{T<IsFu;V=;6>;ASXW^)U414HH544wc*h$6$y;p^EF}UR_ltmlrJsP0Za|
zawq08l<;7#UqoTD?m%^$g6j`gM4(kX(Exc-!c=MwG56PUKef~q8=X)RK5kAJEIdwF
z4u|W_8G95V!xJO$S$RAO-G*C>*ua>qe=Lg~X<m-u<vM+wIl`$K5gX*JZH#Pf7<mD=
z7Hv4Uwx@o*ydyIdB$yrvFzoJ93qBM-Be2wBqVXIurJOyTYdnR^qxs3guTPN3;LH^y
z4{m{`_~qHLIK+eaImwacY-$Gw8&`2-37dJj%F;M96`aYF3I08{uKO5%@i<G|570^L
zz#?1c0lP-c%gX)w*H-P_y>p0Y!_$U<;<w4q#^SrUmDfHWM^%4lTXo$<%x#oSourj|
zx{o=`ApxzqU4Xn5&^C_QsGs<R26YWBId7^nB42H&?h}=NoGI;GIrUl!$bT^b1e9Mw
zMYYnno-fzM@Wcb-ctIP3UXG!?v<T5@HfZh^zpl|>+``N$$Hrm9#@9ljm3_f;V5uHK
z9KHyL(8R1<^$eHnI);k@i+fleS@eVc@vlZlXt{1S6V~CJ%V_~>zg(|A?K_#)BE^<r
z{^DV;dE#{Gy#vYHbaTAT^V=J5m7GbaD-|~_mtsW8Mqf)H&9?xL(ZE;yi)*^;iT~*l
z^x!&JZ1v{acA3x(<#t{mB~@Ej>PpG@$_P7u#NKAjNiIO<bYJHDWCq4E&X3(i_%v;`
z+pJGbV@@@D^K+^kkoAjr8RIup>%20u<x+Fz={G<5_Fm9wvimzCF0Sj1O-tOz0QG+p
zvhG+MH6mBGgPSJ>NGsOjk(uIo$BZ}7ROx9OGih7*j(GPomtxw@TSg%*X;J6ub^e#%
zEfa<71YF&h2xDi!?iA=_ix;>;cXZ?k_`kn+)6$r(`N!J4mZctDGsrs~hn_wR?0%by
zF$^r=eRY9Txa8~Pe^L6Mk~Y2`f$L(E>;t!L!utHe=Dh2bkdEn~pmr!7Z<Ck?c&G1h
z{+}LK58mG7(s-IGDn=|H4W0P>l-sgXLzuBGJJtr_Hu|1Rub+Zenw2?Objoh~2f(qM
z_?t}rjfiiBw{PD^oWmucM@swm5{ojzB685@{?`NF$nMwR%mDS2h3;^sV(H0RKYf91
zyO26rJ((VMhaX*AsT?xR?X-=+{w>$bDKx`*-01Bos3%fnC!M0DoZJHY+NX>JWTa_<
z9iejjj;Z=JMz${6-eGsj$XdjRNde*c&g=Tkpr0Q>E}M}YO%<kKK9_?8eN7xPix4h#
zM>YSWEgV2P!F9af9<b~XJ?Ays*C{HASgoX%+H9OTO3cuXLzrMtgJsUnsY@}LmlwPn
zuM9|$(&ruk+wup9tG;2bb0Fm7hrg|<FzX4xUTiFP4T4{JGjkEcfYz%wx0!3n%(1Be
zoGdZ_3VSjm*^Q#)Wh(gQC`v~gh&ZVBnRg=$&JM8(CZ2-U@45|pP-8nt4%7l8QqetN
za9(JcM85jFsS{2FjJia?V%VTDRabGbZd@S%wQ&hR5w5K5Vq#{QQboWht4rJ|;NSUz
zP>2s_u1t<wY5A5!)9(d&Kv0~n^LDNc89V&qJ3|z3R?*F|9yj^>?!1Vt07HegUL2`S
z*!;9gF59>#R6dd9kaR%2{O%vELO}vW>56gF-19yRAW28951^N5doFw$#(NGtXv>6c
zOp(GJdl5ja5a~_GTn_r8Vn~ZI_gB+Weq^s4RL_Ss9xvxL<kBd$4Hd-(2wUsCm&-o+
z&gA%J{SBuUU!RDhwN}$aBup2z6k5l!+d_eFwtnF(P|eqY_#jplIxwxmYozh=;MQEN
zQ|j7UV|>wZup`L(^JBvyV5r;Rkd$r#A6oPr_wT^i0wB6~#0-b0`1TejZ37PI<cp^*
zp2*hq=8z8##9>3x-~YhAa7d&netxt&35ii6ZG6CPtPB!keu#6(h9X;dyE<U%PD3YM
zIC52iQv^B0kQd?j`kchZHMg&~&0gWY9AD-v)CTTd9ri-FO(fdMvZvT#66Esy1wV@o
z0QMo>22o|D`~To~Do=xs29KD>2|;rp`O550Ou==_rRmy%C_iQ{#X@}d9QODmQd4Tu
zI`LN^zM#L4rY55Mu@<;bWp2o=SP$n}X3r223@`+y*l6tgwWc-p2j1qBj;j%Fu3!{y
zxf(vvH(%^ST=bCAa{UBA!Ztvs>hxb9134dy(|VZd(QDe$Oep|E_G^mB8XAp8gKcj3
z-X^*ZVPrX}wAPjAjWJjN>q5n^B2dI~I<Fj%K6UU;>S{IpQdu#Ptu0>h@}~8K@3Jm*
z9Ez%%PCtZf9XN`Mf#4rnxdB&%B)06h_P6yFWGYsruH<b`E>Nj22=vMS^KQ_63c<f#
zQ{)?(1sWcHk9ghnQ}F^!>=^#x>h?eixisfat=}uCd)-GunQ@ZXFTr*|PC<wi+{p+9
zzU(zuS&%=YW$W3qySZ(;lqD2J^Y2RDOouL1!yH-w%zS6*vM8ry>bx!w9til*V=QOF
zGSF7~`*ptnqiL!L)jJ>amBw`cpygCl8w`d3fvFTn<@GPzWp5D8|1lR`MU>hrQ$^py
zz#@l=7mxse^tb&0rUUWDHOoO;FcEpomHG0OsdFOonQ&L^X9Fw_BI8zcoA|1j0@<je
z_HnTIqLi7SD1<R)eEaxhsB4Wq_$rc;@YCM!Ejg)Yg`-k^)Klsp%rLEOOu!gm_ZTCF
z$$%dAS6kjt;PJzjqKD;pwz0g|N=?CLOIJ-n`|3mGrD4z7{>{FQ2)R$?!f&Cn&547f
zIDF32wP|43=ofWeBjK)EacY^V>+ZnGq8@iF_NWL{h4@BuIVKa>b_To&;sJnGT)Gj^
zt{bp~YXdxs{)hkmvQ627_^}{<z;Mt10ux`(9t{f08q*B9kkSfZ{nX<jt#gBAa#uWO
zP4pn%3g>55MWFo<p?+ox9vhU<2RM+S25x~V_^l6JK;UI85It#OVRI%e+n5SKOWVad
zu#Flq*I3taJ_G`VyR&!n@|~j&<1S&)YvIE8FMr$on|%n!os;3EtqH{C1(N}o_1!1O
zycHO)lbtT$l8#!7*DQZDWCMWcYP!Cz{`j-ZX}Gxt|HrpFH(WoyR<nCW)x2SEWRp74
zjoCj12&PuT8NSw05lq(pTfq7~f{R)AW#^ZDs`NkHtZN^t4xCyokpbSppfjUE!56lP
zgPoSy-T`7JXV$;3j8wTnQp%91gpU?36LZ0P0B3!!DE1IQvh9KDK@Y@kgii0mbz%;q
zX=g!;n8QC_k|@TRRS0BkRk9Vm*T({1`3#M1qKmgSF*AEle#cISugrdxx(5Zw2FLSr
z+w=4b@fCxhR{gqtX8ON3Jh~mh&eRfc0s~+-LekcG{L$`Iz{Ta(jo-Q+V+D9YJ&U`-
zU?@gurEda2Q%);`&b7C9I<oz9vPF4aU*y}u0{;9r5D-@P@9+iToq)i<MJ^Oy9{|%&
z2d)uzBB6c^lIl)a-hUR7t?Jl+4nf<0X{%a%p}7K}8E$v{=l=lT?>(D~#joq{{~nRJ
z^RiZ7>oy#I)za075m8IdX1%2^*xw^mYIzF!PwNtT{b%&cNWjjW-ERfp=ZY)IT(A{b
z5@o#%cF|_LMa3qY6XBQI<hE7<<whzPxVDr*g2jgf7UQ$#2zCAQ0WXQ+v%`JuKYP?|
z4HC%t`CFqN&Ze)vO|~r^L|iMLNDf?$UP*O`_Q|Ol@z!9>ZTa~z`divB4cgsn!{VzD
z%<$f+pum+bQRnW?=QmzmIe=jQIhY(2$i|&m5ld8;I)509+}fNSIq$L4AkQd+s+m&C
zgVlxFW!)qKdTVg5l+_|vosnM!c-6Z76qyNWVqgHHBG<BO{j2tB*{Zge<wGsMjE$74
z&B}_vMzN$V4x%j9cV`xD1;A2pds%MS`hCx70x2kPDPtmSkcil%(0v$~cmj2O(gAUw
z!)}%%fAs&N#2e>|G{u1-AvGZXFVdJjvtI~h?Zmz;GkaCr+vzy|A;Q*IKa@s=J?1NI
zf?Keh-l>!18JLs_4P1N0xsyYZROAV&0x@4B%|ds}F?)8g+f%kOMW_<HMt=uSJi;_d
z8^c%=#)A~C0^#ZKP68MBJ+x^}Rjlmj?gkBh@}UUeY+#(+3zED$Y|M~Ifjb~AXEe!m
zs7V(o3DEPaFc*Fxw7ukT4#}s(2C;~Y*j%m}!Os+SmdztCnmWX`Uamv>wVEusyz>=E
z2XSs+6sx$fIZ5-N$d)V|R0vh+Nqq}JRZ#kj^7*H&lsG=gjn(bHZWQlJg!I&x#?!TD
zUN{Ig{@L|p2zNKWG@ZYOu(cM{h5@mcKDJYmKmn}cmXMC?crH>}fF!7CB|qeXEaMT`
zL>IStmT&8_;JQuTsf9k|3-0;HWIxIX$?dUo-Nsup;w761Q{uxL9u~&*=7fOs_Vo4E
zI)>JBhIX}+-o$#-`!kGcOJ<5!(AC)ix9*R<9)k6&X>@qQAFu(dgOv%F0~IJ^nmx+T
zXYHtp1(2^UsScXdcP5!KH_@eO8LSRj07gWTeA<QTm@T55a3Lp_NnWoFp*_!?Rgrlw
zyp#7dZ{gvQ3c~t;X2Am(XX4ZnJDAi*m0j?YNKIc~q}Fy11gvGkEXi9oV=&Gj*K(8o
zrC|u=N@p{_f=jDo>#8E%=Oz}9*s9~iD~@BH6J-$P6Ng%Uwnh>Z2BK6*MMCaB9Xjc*
zd`2`y?b(SV2fR|bvPL_cv<V|sTl#bQ!nveZ$t>c=0&tX`sY{&URZ$ME`h2&m?b;C0
zTFkbGz?BzWki6IGg-j<zZeKo?k4_A@Z)Zj{G1w5Iz}-F$Bv9Ge6MrP!k~@DQ%=~>J
zaXMZ4fXnH;y@uf@cQar#0omsT%vO`JA^V%{qq;KW2Tf>cN>{t)$Q}IUT6CpqqU^pA
zHpeWEex`lD<gL*-Ddruzf01Myd9gz@MX9-jk+ayQz#Dy>`hfIm#wCC;TIIEMGdm2n
z6wl&wmFAx^I|h|yq!TIE%^5B=2YU!{RTAtB*~ImF3uh-(;8<kxAOtFAitH5=Aoh58
zd<vg}Okey!xuHn39%Wr7Y)$yIB{2n7Iv`v0BJs^B-#kzM#?7c_d)O9%Txu0JM%Ist
zu^WPX>JPr*r;C5e$kPn28U0-Xmg|u~b+@c~B%w+bSQ&RKCENZCV^nr4Hn`l1oC(rB
zogA&W;?qgDiy1sdGnwRzbeRk_<|Wj!nU`ki&;_>H)ym>W6i3)byIhjr$a>L=WqgF+
zXX22%4Wnm^S)hqc+0A&M`bA72kew1VKwes5fHq#R)~gW4(>Gg&aQJGY<uPJlp~tc&
zV#7RH#OO7j!Rv@a{RPI+33pHIha5P4-=Z#4K6)?dLFxqFQ*R~h*fZHnM=bp~^TS(P
zx9dMNJ_%gzp%9nc@^u7N&m6{C9d2sUoN$<go2#WrvKfzjrYcQ?9iFWCe@Xg-%qMmt
z%Emiy-EVbsxUN)^$n27lQ0;B1_UF4c?~saa^mt=L^Ipks0k(Xtm{W1ymMLa#Xf>g4
zIX?)_7|gs9V`_DzF&UlhzrasP=*vIuVhO1SDi+kSoO>&R{hjE0=WZTvZgXDPRO9U1
zw}sp&#Z;G}4TJa<ot7^Q3)roUNh*erB^&!_B-4c7?2b}R1*o?+gx23f8%y78ZBXU|
zXtwvKJ_TpqAM|@ELT1T<oCXtl14}Wc3m2!?6<!mviqFBMS?uE>bp7=)b3|#|2Sv)g
z*h~KPt3v1-er-ooC!F)<er2b@*!ct0vw6~+MoDx9qE!;r{dn$!Uh@(;O1bWm5aw)L
zRb*|RH23R}p42lSzi@(UUh;U~Ofq9=_2STKFU%=mrN+6m%mT*heL5F-IdBG~+#6T1
zivCR8OlN)Ml0Y$x9T)u-#ke;J{6^z%M|+uf-<Gs0H8=AHZLVvM1a`LtYPnC_%8JVO
zN6oQ|^e$nA!u|-Ms+~FD*kw)VG47GQ1Z?aG%up7r(gsHMo)ZyEozB~ABr5p4c>`T5
zZ62xqiZq2B+?2a&7M^KU|6D+!PhGIKuX2=!ZhHf^XnkU}xOy~5M{zAW`qBr1XZG*q
zP<qc3gd6*!LJD_T_fO&uSPS^cK#)zyIeSQ4VIb=i4sVFh!jP9v4q7>;r}V{7F3Ego
zEHCWTP$DfFqFhok#45}+G#oIx69>$ekI`Y*sv5B4Yu4*U5Kt8L#7tH1&zpL>S6rKP
zIm<@8lBq`;pQ7_S`S{x&^hVgMl-A1}L22nSo6<5X`M6~r?KaFK3nS##O$%CTe<_;G
zy6N^dfB<rVHQ-!jYD)~&EdCVt9k9x)9N??6I>NCFV;?VRsg?I^8lx<oY>>>Z74PUe
zLDy0~qAA<Zu%+dYqJc<1<o*--s(5?Y?9+)elzNlv35)yoj_j^$K*KlL0>fV=4+Dj?
z0{8oc7hApXX=41=GJtV-!Y22r4Hidnz;Odh6?#C{aJvoDGtoB)if^;GdNOYy6rQhP
z9+G7rB`^AHERZD=3*4j{uT}?r(Qmx>>KMi_@@UHL{x|9tWV<H%K9s`dg>FoH1<T*G
zKZIP59+*TVJ9a(~pA|mVNaUbCNFH9kdF2fT(^to>V%D9ZWEqqp(8{RpvI*O)oTv;F
z(Cpv*$QhCC91({J_f+2^aPrT@-7#i7TB~z-7A0{f%yF8x-~XVRQbXN|IU@(T0X+e>
z)eG6w(3IaYA7ojDVqDCZ)d_1a6xIossltMGXe9o`?DSer@K_Ua@?#s4z=d1?Z7tXw
zabxikg_=j}dnnkgkReWL^q~eAN2)Eiu{!z=3W@$6zvafF!~9-Wmn^b<Ilpo;l6lf%
z^B;sDE}5c+;*AkUWiGktx=KM?RQ%k>WKbed=D9qQ_s7V(5L&Tw^u)rb+KG}w=p?s-
zFi3scDZ1UrV$OseY|Uw~9S8Pb3~(g4F9mb))IAlBgT5)3zwa0>oq9D_^GkG(I#-UG
z&Md(d0fUlG@hh<Q{0UiFOy}LGJ3QCz<{Is+2TB|we3-Qx3^nY|2(P&h!5}XdQgSSi
zLV8D#;R|ao)@*7f3D#Nf<JjpIiy1mARShS`PR)pbP}V+dj02&F9UM?sG+MBDFNl?n
z=Y)0?Tv}<i3-_SPcN!B)v^6$wwQqR!pHdAsn}<XSvCkKQECTA;0`b9Cf@6Jjeeo_`
z#fGoO<H}GVa`0$Tod!S0u(m>AHK<i$JTxoprvC&^iaagQO>H1glsN=kNI&#pGL7gt
zJ+_wC60j^(c2j$HH^@XxlAJ`Hgw?IxRdonQ%SJ@#wn@+RD7Nnk_!36?@Y>%htnpe;
zyXc4zMgO7$tX&h~IJ#!z4D@s81d@L>V*$-Zp6PE5{Iv{mucYMY?ue8KGHkVd&S9l~
zwc(+;i~m$#m;)YpwNc2myK&5<F?dqJsQBhoJ=+^^Ly+noi=X`(qRg@IOm}txnWhkJ
z%&1@P=T?qveq;vr2Q<jnmA}!g8dX6%?p}GIsbizuLmc3YN*<D&C={#()@V95dc*>)
zHY#8+*Ef|E53h_u%5%SIZ0PHjBiEJkZG=}!ioPiQ%_g1FN5waKoUODv!mPAzxLtpl
zbAn@hdMsj<-^Ehwjhvd(sT@9yZb)+E?ovtH2ElQm={L-N&<8MVuS-KF+y%cX`O|V3
zirt&kI}q$3PTI}LmKWy7oSiMKul$AGBPo4?O|VU--U0h$2OX%Cbw#cpx&I1w2w0Zw
zWAJwW+aKSBNFAj?&y))BLnJ_X7B4dD<-~BQH2=?N=R1q&Jw2mS3LT7hFY(9|Eqy&I
z8fF*0n9)efwx3C3A^x{vKJRT~nwKhIte-xP<F=Gu9)^|ge=kw0EjJj6G|F2uB<5w3
zD?cDZHgDL+*BYKK3Xk_i&FX7jfvClbnWDnQRzM*e4ZiL)-WfTkI}4o@$1wSZ0K)=y
zi|2*(gQOBnTlIO-ey`;$y7UU>&~#3~D4(tR%IKmt`l5qk;m9OHoDQY-xq*&19RVpv
zhc){3Vr)i_ZG^cEK)4KV<dUnLR*=xuy|Z1K)ODll@o4K(!XRhB^`N{)k>fr;)<D!4
zu94efEPFldMMge010&=BN5%nhSF}yH<k`;G-i!5fp=Knd1B#{1t1d;6ecnmGZ`n<T
zLZDj{fihmTUrLV8LEC3r$`o}A^ES!>{<U7igK=gh+f|wCHfT%$O<@=R$xC63g}+$`
zk+sPk@$*w_1?L88y+&Y{SJ&$kU!6wU3W0VzTCDzl!Rs_vPsOcdM~#y}OcYYWSz%tP
z0u)<;nJYTxF{->l4{&eY%?Za*{A=@lSx3=n;;C1zF6x_w6WCU;86nI~$6Tk27H*J{
z$`41^@3yH0ru!R%qTy0~p^`t<i!{iSG+htU_mjU|*)S&8k)wNFBOl4Om0qoNn0vC4
zp`$+QcOCyaE%X82>jkmesA}TQn3cZbl<G<p!PqK{?Am(PMWB;w@?(So!wO5NySB>Z
z(pBxApP`)GB@9~pgK;-6Y_rja;&3K@uPmctZ*sRyziG$+>Do-=*+922-dlIZRVAHK
zTSe)Z(pGI%A&St==pt1NYDp_fXJTnAtsqIOcj!nfQz=0#oupHHh$YrW7a_E$+G42;
zAxMNKL?mHyxpVKAzTeK5_tW$Ho##CNa|i{q(~P)zGe5MhvjGAM`4_l)I}8coW2zBc
zwX2NcmmiDMn$5tnK98*rSN_uUJnRG~Yw5?6HFVq?d{wVvG6;{EyO0LrlMz9=by<KD
zg=~HE_7_FE-jYwxhr3mbXcby?%_EUrTBzevL;sIN^b>(Oc&CIxg3aC>A<V^L#cr`n
zt8DwNxU46dm_xXrVd(lfnp{j#nixuI(yORq|Ic3V(s4@rctoW*5YD<Y(>B=W;ni(C
zzFMGhNKS5H#|&G}mh^ams*h%K^@ehUK4<gT08j;(Vln0PgC+k0X#80bx~O)}Rt`4j
zrz2~s<;P4}37@RXf%8Wv$|8R}LS-=<2oiW6gQB!~;bn=}s<oVDz?=K=le(AkIeQjs
z@s;aw$*{m-D@i1(?ZX^lsVt~FVKKJIXK%?bdYZu(2i*C$&X_6=PSk2J1*)*h6;(M8
zabV_dtauCW6u|O+kh18=x!BQbSnccA0`8-|FA2@w>DXi|P&rAJ1}*KozvPZ3uXq)U
zkKgV$fy6^ub~whG`(Ar?Jx5Ac&aBLyM4aa2_jUczBTG3P>KyA>G$X3qqWS?TFD+x0
z#|X1a|J5Ldzo8=oZeItrUp`eUHj!%e8$R3cwQ=_p^(3+R2S)3C&<|1s$8ZiV!#8ko
zepB&y9m!YnjHqExPV;4CSqf`buaDqhlx@W)+1&D^cxq3u4+>1!eB4n<%bkv>5H)ho
zN|4`U3ZnPsvF7rAn?IqO$<|tmZj3cCziZo8<1UH4_eG@e32z%49KPOfRH$C|Hil<7
z6!8c?*&kJF9vajd3NeqW6)8B;t6nJyTFSh((7+Zm%)&arC2KZlTu<OMRXUAHV&c(v
zBAvpnEJELI&kQx20zPNsf+F85C3c%&jl262!%VkY9Icy!arJ_K=QJ`1<Xq`#c_)lh
zKO~~SDqBvDtbCG6CDk4l7SDfgr+Nms#9m(j>|W;@nX{0eZ-2{Dy?UGySh&3v+sZQ@
z!7rNitaZ;54yqcUy{pwPERjH0AU4rpD%%xicB#RuGn}rK5OLpzmrzDx>8bNYhkAMd
z<E^~l6W|<n2K-x=uVjn})XiQr=ew=B-&|y(BM}zw4k~CGsBv-cgJ*`J`U)1gIN?Z_
z-7l4!)82G(;(bY%mIkdIb<b+!ELN=k*%xuL2k|}_{>1sQVL-1t@p6@0wl)r^aG7{t
zxIX;CPEXN`AkZB&pC~e8(U=ZKscM*MZ;UBF)RtPp#=;B~Yi~=IPA5!G6L?l5D)f_g
zWK{S$A5g2@Xiw6anM%4ItT%YA5VSdjvcP|}^|L2gh<ep<mnq$6@#!<O(VE@VT@k$;
zTQEk98NhbFYx%$~jezudz#@%1@9N0q9ab_R_c*rBWiG(@C)q1yQ{o~|ZY%U3+g~y#
z{uuPxT!6XxsZ!ff>NB662<(U@dOH0Gjvn$vw}EOppKwD?w}>`KXI;!@G3KYdOqaRp
zjK$m+7Dc-9<;J7)4#pKH6pnXyNobc9wI=QV^O5G#ymzUI`*1-<`uys?gn^>v*K*!3
zTMkNX@OqsqWOB6}lJZJ-^Ij93QjE-`1dV*dLTJSQj&i$ub#EH$(iuB56mZ)@(llj<
z1pf%0-EW&cZ-?*DNzPC$&i7;b)-E9|7uxfQm9|#$&8K@6ED3Wzho{~8FSKo!<JT?x
znYMYmeeX8YiJj*IKxvPVIu8L8{S0N{y2fm}iwr_4#wY|r(q$L}<G%VqINB)fk^${<
ztlFexU+HM!#MSnWKWc5C+HJ4;9AL+uZ|WIwxt4zEFS2rvY16gm!`=mvoF*<Wr|oi5
zex1Ph;JXZm_$UBma_Ub%<cFET&eyL7(+aMPZ9Mm+{VE3Da-?;ss5J*=CJhOmW!S9b
ztHj^m`bmD{ZOGF_LcgkBi`cgoxm;Qj9GH{cfA5o?Ig{uDF6*%rvU<6$y6lfeagk#4
zuHDUvw!p4eC3J@sue3y(C=X6i2Sp9b@iqgdt-&WU>|-}5Hl3)4jwv700QJnK51nk<
zu)Qj>%~-)6+Gy~|6#Wc`aq*0~gk5ZkA$YhKw~&6l4H?qFOe9k*#vh82=(8kRwG(kb
zcPu}QL|*``rdPB3w$2-LwB!ed4UFc@r9Jva-xc$5Gn{NWD|wzUF?zl@!|iF=h}Rl4
z5EuuHS-W^0f;a0z@1=354i`N!UhaW&t&yb`nWw12AL^X}3`toaF;%g;{^Hv;Bf{iE
z(F6O*ThnmK;RO^G{+{c<5$1GFokhbx8u_Orn3mTy`Rina)Anw-UTDEw%pVZ-&7Zdb
z?eW;vY=i1sG38?qwb8Vxv5kY$YHW(1IkCNQG8gqaDRVxk5G$6M=G18lKnE+95QcHl
zufttN7n^p+|2A+wc@&w`uST1^X{OMT=o9EEXr?>!Osyl-HS<g)ZeDXC1IEy#XbES<
z$HTB=HAd(ML21CiDC8qoBbLac*~;d^%MrD}b+^C*q7!yU%c)gO-5`eb$hy3_{wBnZ
zzC9HsU!#B-<#^;X!{$Radf(Yv4CvB<a5)+JSWBF=ppw_*vU;E(n`(Csy>t;{&2W+;
zLwLgC1##TVd)RBZa&9gz0XfCRM86Xa=aVg{U(r#WsrD6;t=vsj$b4BfXZ=3U0E_0D
zNZTg?R<8|Ms~gbp*kC8Oo~E?lIJb*(wq?6pMYbHVocO&fDzKaq^+ReMemy<;jnz{G
zJaoL<!=QG-hd#0=1UjEiEO)4R=I>C~c?0_9yGN?R@Nf&uoN&EWMgU1WC2v%t(I&kA
zcamlFpEH6}FvhfDl;Wjw>u?3*YJ`ccz%IFpDuXFE5~7x5VV;Re1egyj2Fu<~<BJN8
zT#J$38+_$2_P#|@Q$~fo@0_z$3IQY|jA*LQNgJR+9S%GxQh-r4_ewm>n`xB+S>BV$
z-2p;rkm#&Q4K(=hsjowB$p4DCYc;X5dxve{u2*qu%%-unpyW5{ID0HRYKT<%c(47H
zO~B_QkLSr2dUdGj@%MudND=_3kK&|n&HHIrA4=G}K!GBCPITtVUfYzLP1hrpH2d$L
zI&iFiETVH*@Ni8o$)BXL!%H_dx!Tx~6vbepb5@CbGgv4^X6>p9n^%hw-^OhA^!oKW
z=e6*5*hZdC7H@oH5V1#Yf~^YaxBfd&H`zfK;m$K(0E;gH#+S9X>EE~D|0f`nFFsIN
cUCCFf?kSv8OWh~Fxoi7*obx<OJ$*g(KPnnhcmMzZ

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeHostBreakpoint.png b/docs/GettingStartedDocs/images/VSCodeHostBreakpoint.png
new file mode 100644
index 0000000000000000000000000000000000000000..b395e3de34fb3379237daeb5e3ef4c7db260294a
GIT binary patch
literal 88949
zcmbTedpwi>|M;(0y(&pw9lc6YiR4&_99L9wUMM+EMTk*j<S?rwose^4mYfMSOmo;?
zIyp>E!(wKN8D?{sZEUuEFTLKM&*%I3-hO}mcDr3%v+H_ZkLz(gACKqbaeqAKDcHeE
zcH4n%Qc_Z~)|bvZNlE>wA|>_5;MUE+UktuHx(oc;5awiMAywUda0Ym@$^V@FIVq_R
zDKcx<{{-Gk-?`)#CMC7w^ZK@-Ews#6N=i~}eg2%wJ?}Y@bgbu<IEE<QcggOS<E?&F
zk^I&9=S68MQ8d4QzG-Y$@W99#Y*yH?dHXeNLejZEYDs4|CduxT)e0c>R;h+J&8TeJ
zJYq&YlAo;W_PXO(dJb}_t9j|sF}-wOT@nE)au_^;ikTh2yK{eXqn+VBM*PvLqDp~a
zG^XdN<ha!RZ*L`twZ%4-9J3f~UJM%t$SWnaM^j8)KA2+|dg%9CDJhpf3y%G}d%xmn
z#-@LF!B-xo{pa(FXW(7`?w-A})8>zVcgxf*tpD@*l`E-Wm;+<mDw&KpS2DKnvMYyh
z^2fRYf!Eoa>M?3Y%wK~`wOa@(jAewCYOE;Kcg+=)WgU4idsrrWGiBqyhX!c+$*P!K
z4M{@}OR#xi<CJfYeiE#6Ojj=7`7cqEipRmQ?$J9@!Bht$tBuxeD>Y*H`2ajjFzZUV
zJuTdQ+@WZU{5<hcv|7ExmK_IQ^2cI&ngy)eer?H$OD*$=ns>~}L+Q~a=<EhsoJaM?
zU(bBZwiUK{@&n7NcV<p7-sH!X&dhHWc@+@!EV%1(^-jkv7b?-|zn<&t=!R(YfF#Yq
z!x)uorCB-<ZHRa&+pqQEpREFmJ$q~nAVXRVQ-h=F2BQZ~pfQVAjr?ilPdEnrjuk_3
z^Z=7Ct#Vqwf1%y%e!<CdcgXnZfN=7KK(`WX0USfg2*lr55n6BT_1s`#WMNIkN6QrI
z{;8JvW1e2btZe%(3cjL|u?<me3G&Ywm|*-P$+?4)-Ei9oS?VY7Dk8S~L;kW!)>=Kp
zcPI7ainq%z;ldavZi!*Nz^#r&Ype)sf57|E5Xoq<hzSdiqOT#Y`w8+^2p+^mHyF|?
z6Qjk(%?W9exXVbI?+Dv&`PwXw0?DtoHAg<*+i03OZ{BZ^!1D@hbcl|9X7)`=YCzAd
zP0RC@$VlV3WB$7)FpSZST4FcN+qk;Ax>Jj@z13-JQ-<`PiAoNY8W+zMOzIq3d7a0Z
zezHhxknNa@lJWH<pEF`~hnB2$u?X5)8V0$%3H%ayXB_hD9m({LL624OgR2#G5Voam
zeLb=_s0HG>oq`r7GFtd!xnbxTrOunDGP>%Ja1%Ym<#(sO3`G_b)wR`(Z2WR@#k<hy
z+KRT*G#xm1#puqAK_0Zg{l9g^_=rjp%H_~wMmec7wO4isqBQjX`Bz=-5!ELmP!>WX
z3as-8iSb2(kR<5Dw!X7G!E{dUN$su?4rxOmaOzqFZjS&s`_-)c4yqDPpbn_iWiF14
zsHBv%nYy5DRgj@lQea#EAhq(~lTm|LT#Gxy&A54x>a$LJ_t<pj7((Li(#Vr}iO9B<
zoI<5eBQnCe8z)lu25MQf)s5-HxCrmoh`43xnQ|&r&<pOMXrmP+=*?TDXR+d9W5}@h
zWxwB#)DS@haytdvXf7xgFZ}#mZqO;(*m!Mq?QR+KdUhZ`r@BVLrja?Hc)4-Amn)@B
zqo#RR4p#WXOx1=)F$h6N3^%6C-R-P{JpYM2l+hFt*HWD=iR#m(*6>!QKQzE28V@pq
z`3X$~%Tc%sJ5Kvb33QR4?m(e8(FNWcU4%IcDfN;BdkRyR8c3;$Q(fZ~_rs+VZnMqd
zDODk*hhn_sw8&@=6r`cAy0n@AD}@po&3G$65CIK+R6}eP%QD*^6e`B+T)<8Qk)8cU
zl-T0hdG48Et~NRPt?}A~_cJ?m6|A?%qkteY8ucuPaB$iGi&^ByXI`bfv2@eqBL(7G
zQA;YcDeMF{%%u~9NMMtDKlJe%%>;5^a6^^7^i1auLNf~Euu|q)%Lb{lS~HP_wWl*&
z$Pi@9+El2xL|PTDNDy;th!ZKGL%|;J9$HwRHe}OA1r>Rm@f0hnSax-g$ZKz2<tRgS
z1WOPTvAUD%yI|zXw30qg&InPD9G_N-4{0w%u1zbwps(CKO;U0iY0$Q0!rjT|2m`>w
z(dOB<(69%?h19=VYigN4wJB6bv2nr>nH{7R^XuvHt{DE`E2I(E5+BPz6t7Z5nSrr(
zN4gnT)kJu}N2tf+P}T9(<Z7>`qi8eP>!T6INTVULwj<xN%zIVX2J$ZMkDC+U!3p~y
zj{IxP7{g!^miI#g<p_Zi*!ZxNgsL!*A$>d~QH#Vcn5d?dGAFlGHabL@)mJHe!%-?p
z?jign{B4iO7#6IqWi!e>B&FO0-2|~IAnxE66W<ewSkS1bbRJIoAztHN6p?Py#mW!O
zy50R#O0$~KcTLb9A;=vWN>~k{Tc6-YTuFUP^>c;$6tps3n-&s}vVu_gaWPGJ;}l`c
zm}rz)C+-VihUbdtfjG82)E{XT5M%fR#?Qruk<0&zKr>^IE%5y|v_#%>lNwrfQylv)
zOc)-RgEWPk&3(8!($G);VZg4dPOr|z4z4b90+?&`+c*}PI$v$ayp1C|v!iDsrg;H4
z{Ol<VVwHmv_M#w^k3vgIppr2`Vi=62&qU8Ks6&*v<rbk{iC@Ga#P?;+JJB#4D^l|a
zDTUHTzKJvwM|?-J3$X6hHH~r^yh=(9locx__2@^KjW%~5d&U^`y`X4zX6BT#>gkuU
zv*o1^p*ENAsFk-)5ZqcEyKzi2BgS-!a~zyss~edwZ-ZZQ-5KKbVGR_QA+o#(p@KSt
zaYF9|v5#h!&?*}y`3ENXs}9PFo>uY$W(!rdssT!Dt<Lp2u0?V+3;;JGGdvhI1pEl7
zh^3Ul#=5aj-6_?B77hiu1+=W;ZTzx}=S3_MJ)lM6J<}NIfv9H|ab{wK^j3!;1rx}J
zaOxVJqH~OQO~Cy7b<Lg}0Y>;M*@S(`B%f_6s9**#M<+ssclepu2Dq4UcmVG*LJ+Oi
z`VA+?ly!Ucc#_!S1>v@;=fzOH@2=aZWcIw4YYBZuFf9669Tp&}M?!;;crb1Gns7t>
zAxq&{oN9(hvkASWK?kL?Y&00b?m2&|PEMp4AdCe0i(zm@5jUI`6vH2#j!Ujrsv^Tg
zilJl*@R(MJwIspVJSAUGL>EA1eumUGZAW1#H6-3BtD6~eGhhTGTA4=}*NDaM+boG|
za2T149&#0WQ-VMdBVN^%?jam0D=PtOH7uq=`*_AI^32`7iJQz(L^+(t@exXA3ORug
ztR$F73iQ$uuJ*2S83RKzmDC8td{$yyJ`^b!gIEzk7XfqZDWwe2E>?vxNHBh00n?w{
zF)t%^|7B$j-dKlzZ^6cBhGyj-qlOC})-{69X6!$OyF2mCC)a7uKAUdHVL~`d57wPu
zLo{+VR|nP3o4~pe5_7uzj#v-lec>e|5dCG>ovHX|laikk{h)wRQ0JV|8NrySziJd&
zuXUjWRAfO9$q{aOEwQ?Z3nWCuz@r3-Zwa9Amb&h^)&8h80~;chwGfCi+sqCxnJ9sG
zdSM|9tWH981KZzA-b)9Cg*P5-vKNfeLYgFVSZ0if{u4jT3#4ItZs3?RSxj>b<fw(P
zWR&T{Pb6wvS|!akt_VA*1hHTk!49!9hZkU+W+Hx|K^|GGk3py=P`Ejt^EzmRs#Jg<
zWpT*Lq}by2@L2eM_R=U99D!78l8o}PN?ICZ|DBnPLy?j0DdlkvqZ0usRU*YVqXNK{
z+tIb5H$g#hgieXu-BL@mt5-hdTWAe2Oi1Rr-y&b3%v2^DlXR&OB19;%EwBYep7$6w
z<}+F$)h1}ITF!J&ZirP0Sd9WKI9{#<xu&XuKqy0udINW7>nNXR!cpNKBHG3X!U#6P
zxDG_cM&NL~Cao~WU7{v5C_9Ka*EkFMxC+PWpn4?24zWWWG?U;Uj=NK8$^2E_G=yvW
z$}+4=S>ucASdQ7Hh~b-lltzSrqi%wx#+eZMp%|eB;{y{q>?agjt`h&0@_E<Gp${Ll
znT>8)oyx^T&U=SR^BV{v=x|-2^LyxrZQE3kcZCdkUM}HQER3S88^ktU4d%DNy8p?^
zK;sw<z9W7f_CgtmxN<9jaAO6z@^M-2fUqqcF!eiYpo-2Dz;fcwmV96U4v!!@S_7@C
zl5Fub8b*vuE;IXe6^eX?8&B0ivtqW7&e&1Pxb9Qhl%ZjG1SR{E_UCFslU%q_L`<!g
zE2A%p3sY|zi)i#@9vG3wj#f7`;j^k!AXnenAp&!>O(;DDlx~M67L|2};x9Nj9itUS
z$yOgItqv`@IXxeWGz+tD5-Jb4mP}NTa;7vcluR&ndhmRlP^V6ZxaxMEzS=h8z&tfL
zF)gkpPp~#`Gp=fVVK%lJi+x5Hzgr>Y2qGyfEVvgH+c?JKzr>RGf+nwq%aUt#oM~*3
z2UOlYnV`)!uO)8%?oZrSAev!0uW=X2=a~9nl3&8mXNMpYeq?r5APUbHZtugh=A$E<
z>bqG))DBjBFD#4|=}{6M*HjgP>&K3yc=(gK(|v`h@T(E4IazcLWv1ESOYJCfyra$(
zQNt{!?3(@0W2T_{>Hfl1IAah#K&Pxy;jRL2;#@2nmf;l<04!2}NS(Zz2l#q(KcNC`
z<+1cJXwK$znur}4??~6adal5isG=~Lr$A6ocV)fEfP~W(VcjhR#l;*gJ~2T@bmftW
zBjEL8Jq25mL=)B!meQG#tCGLvzB^agAur7+B{kX!t#VKi<c_#hzNA+plNUH|TN*5h
zpiLY5y88?LzCe%!)X=av+!!5WGh5kR$^t@yEuEsHzLX|JW_)#ub{j3uD_M&K@8yP*
zzhcm!NH1>o69T)qpSx(~GYuH|r8-Y0Yw-l%|B`T#pX$KW4F_Ti=Cp$lO1;U#a>-X9
z-0XVPP!!cq2#m-E35Uaox{8r}P61%>uNbd~qUz-kO0%~7M0_J_F0NA_a>Am`bw+n?
z3B!`psueoYnErj;rGCa}v-~n7`)*{ZsOJp~RG1~)&jWb?>ck-Om+0DU=pnyHagHCM
znEFT%$+(I@hEwZ3`SIeh$m}XOJ7U)S11Ul>Y|Q%n_++Ce%Zf(97I3?>sXM$N4Wp1P
zehrpnE9RVF7E>=5lQ$|F5AiQC=g!MEnHi%+R7Oa{kRQ_n0xaI%{L2A2wkft7g<Uhx
z&?Z+`4&f+oS>Yo?Gx+zMY5ZO0=&D8dA!uohaSCvrLetoARw-%ZTUD)Swl0gpBJm;)
z@moMFo<C01h)|F8u4-r-8k&i1lodzZ2C*3<W<0=6d;Z|DVH>3W*61Dr!@fS-JC(*l
z2zkYWfrnSSP3GH&s-Ct!DOOj@a0z21)bye2ZkOhTO@4kN<Gps~s6M1XSM;FtKZf48
z9zmM&AZ1r@;*~|=l?cUfMJ};1Yevc6_}3?GvS{OXR-5>NzfdQu+A;u@!K)#DfE%nW
zNyfv;5FE1v3eOEjRTE57L^lV_R6D(N_;Oc~!`Ld5P@^BBU^2O%J}Hdq!?N+cST;7}
zIYE-yG#1xFurFR{fFvX*u;m+)ytZhOA=Ny+U-L>0NND9;vzXzG3<+<{6T0$ILXQ6`
z1)9<%SzQ3t;7Z`$O%e;lFv~dtJ@a9Z1_yjWLWqBvj@M(a{LVTcQuL=W7qP5SbFgG>
zg6+_Rw&v@NXH(D+k7_hT6dVxa!HCOWqe-v!^4Rl#Al=EsyijrnG`*_D3(};Ca;1#W
zI3q)%oJFMLDwHL59;s3I6ab1a7vb)b%fZHIwrx|2R?`k~^avNj3CzLYR-hy{#R<kj
z8VFulF`k*MHm`_kJeAvbv*73T0NgMy=1G$&Uyq^fIP7=A%$qk_0bTw(ftR~Y3qk>c
zL_ynFKa3w40E9Eq!w3cs2!{`iSg~V}BfL_?N6JraOCqbsvP{P$B_z8EitY9~P8kxd
zZUX{z4=Jg?ZI?|~W-DuM6*I=7WmE`jbRA-A{FZq5ZDN+zRA>%t^mFYvST}cuXwcqs
zP@rYRSV;W#XS`CW=W?%HJV)xRL4nT6GNtI)xojrbOiF(j$n<;&0AB8Yuu<BTp3>V~
zpW*o9T6N;KOdw_X@HM-mhbJ;IVpP-8IFOZV-6mp5$H#nz?^N@JR-V+$r<+p+^lruS
z2LcN<X{o}szQ+Xye-~dbGWi7X8~rRyV%qI*pPthp%Xt}3$p<st_G|Mu-~UVa=ht7)
zZ4k=;lAk?=NB@fkN%^i1^ZWItVynuAe|KH>{@3UKp+#_i_9#wD{qQmeKt5oZb!_w|
z<dMZ5DZ0F16+k;>s_Uc(99Gcl+nr}5)v2}|woecRV5YLoyKTB(otk)O5Vy8T>Z~jZ
zAXI-BF0VMC&0F4<*yrv$1)m)lUp;hoM!PW}?}dV)`6mf#2QZZEx`xscK54#?jgGZE
zcLTR_z38>BpUpz7+?((NHoNTpkh&jz7LZ-dO|9$Gk2h_GdsMS*)n4YAM!|j`Bky^q
z!1LbE3xTagk{Crm-v0I5Q;|t<`&(go<?*L4umvmY+lP$;`;X<ExqIXHISe$?ycOVN
zW$SnNKUaTn!)WC}QS!@yv#`;RcUw7T_xoph>Sa|$wm1=u1*k0Z{JJ1HO1{_UdM6aN
z?Xk@a%$QtRoS;9H(cYRrzafK7LW}Lz{Dr1Qk~NvXwE&IZUI%Vq4ER;ThjS^RYA%|Y
zN;b1<9n!m1+b_s_9b=#(y?={D;02-6dg6Gsi|AU8G;jxJ?RVO|Wq0Ko%9Y6!^c??W
zaed#n&1U!l@CTRSi`KV&b{W$)s!?m!I%{6{r5&&tvHke_EUmwQvs{jDKk8#qu+p_h
zb<eHq!RxZ_waq+{F%UyV2uSE1zeP<)ukBqOC^c7<teU5+Q^A2f1;=K00NVz1&ZkHJ
zc_IZj$}NBebNr$XRSX=w*OaFG?k3y9t?{QZ=Rk!{X;6yjQiLi0vyWHtcb4Y~LnMo!
zATS@;j6?j|jn)U<d<xbT;nT$Pky29kZH{D|rvjVVxSsQ?|Ix_c@Lx97^P-2Ni)PmL
zHN%|ub;jJme)F)1*kQR2`_MI<8#<RDp!rf5cn$f;`BTio2Sr)Tpa3zf;)<G)f5*}Q
zPXkfoSAeBsxcMQtI_55p_?Ilvm+Wj(JWmnQA0R=8`EimEoIqTq8}oCnZncw+97P75
zvp_tG1*E(*=IVt0WWR17w-dp;;K0UxGtkq8M+hfHe3~J<nbYl)3;RGk;Zjy}<G-dV
zpqMo<?AMp4<=`c99E<#rAq*A>g-Ld#uM3ve2&CvaL4%WBlTue%)NOC3`lwlCB5}on
zMEKw{YiZ$TCpDYA#g;fx6DU)`TXYjQ*ZBFSamK*H;<uVL$>cY(L=)d4>FDiCbHCc*
z<Mg?$a-O2z(1K}e1}#%J!X_4}u<w0P80o2k?>J2{HHLt^rj48ZHNIBd|7KB~RO#DR
zY>R2s87p}SUdl%10FU?n4d{>e=kjBhtfPJ=$WH<R6(%ao^}Ux7^==!gbv`U7KnMnL
zp8)rN+~e;$Ue@W>CC{xYm&<OL>zSDucJ6jGJz;PEeQC7^q~+?3I}+DF@;6cv<y-<E
zQPmGUvHWGXdQZu#D2#N1+t-hGmh^KP7o2kR!|-|XlD7wM$Ite!&q0~Hta`o4#WsIp
zk|DOV6AKN>v^tcdLiXHkQfXmb&!<QZyB<8F4OP@rW)Y!%v)Z-qa>rJXev5Q+(V)(?
zs7z@F4=*BU9I(;Gugwm`7-kGyejVba(&ZigL0X9)E0Uz+h*yiVK=Wz!CGQxMNCT(^
zC(9<jT^JXha?p&V<2nk9au+?cmA^Ef8`<8XbTA8N%P1Mlwu!$et7r+YR?OBs0{G51
zHYE-yRZ2r>HX}c#ds8|9oYPxk_?szNwk7i+30dSq!2im~Yi9tAx}8}=$j`*~VGGQ+
z?HxIp*MdnnC;0Oxj~trH`wDFp*v%ScjMg&ttxkZ%H=|a5CdPBik}N=a2Mq8)l5y+N
z<if)HJY%?xyT=4%WCG8v3eC~25(>x!ZL(J+;(f}Eqy#W5mb2Y$h#%!9oIByhAEkV&
zIG(72jjoL~=pBnBYBjV&*1kg8*P++DP#5EEr(CM_w{FiAF0V9hxLLq%uC>HVL>HD6
z2p_;9EpYve=Bd|LSGyyph@s-Chb!}~Lur;BHd_<YT&bLjaL@vrgJ%$tN1v0S&%2x*
zC}=aShJ1mC+nwRZb;e%Rk6$wRW;ch5oeCyDUCFgOSwX2Hg{a|H#fEk$>|Mr*Qa2eB
zKL&?@I)Iwhh7cq03-k60k@>Jbg3&+~q;c5un^}-|^wyT~wAEW*CfWYgj+Gj}mmzKt
zZ_a3Gz}Yd!$7zP23T}cO&d~ga(*x2;G2^{5I-HYX@@hNu+KGKS-bW##SywuRCXRTP
zjD63|HGrnAbMY(uC8Cb4hewksr%SI~w~8Dw;?00tSp|BCdPf9cbYrZSoCoa^EFmod
zkUbKb@id(qSoITI4Mrc>EdHq^E{NhXE1rTe#&{uhzOzjUd9VO*D;2%qC9!Zm+cI%S
z4qwBy`k5!DB@|L~g2YdhQ_6bqK<EUg-@zuP$veDOmsc{%+NSIZ;+DLN5-5Co0jE6V
ztSpZ@vB6Hle)IZyFrp<WBqXZ_!3vtHog-_x*IgRBHz7;<R>PTDgj;^IpvKJGt&YcE
z0J6`3!{y8UEJ{dFdgPef;Vp9AXM!xO0q$oETl_{A4|rO%tm4VVH@nwdnqaT$eahX&
zuJD_8y(27YNKWs)sNPbC+oimjGGgLOxk)o1eq0*ol!NblF3@?cTb0{4v@fq=*C-g%
zzYK#4BNH+F>}4-u`)QaYl&Y{@%k~`L4bLJ-gxb?vD#A}%tGP+ZDsay}n$?6BLb@Qa
zi(fID(hFoY5*|MgwDvE6OSxC#t+YsivVVd2xSk7Bm)&mx7Ig$F^eiYEIt|-8L)>c<
z(n9cvFpW!!LXPJ~cINF3dkFP<l=kD}VnrR;iD&`6Qcy5i7fAZvv)Es38_&Hx)8BnB
zw<ZT$Ah>}$t|+o9pc7rs&sxr&$Ovw_(X{_a`IKi&X<m$Y6(;_;V(!&^^puURIijy_
z>Roo&Zkxw5t5>WRwB0bru9VEz2LoYEDmG_&5&rp$MWEX1yqJ2_2<CgM$kVa|AsnGo
zBZ<3h1ld7C(%1HVHtH?09#-nJbW-&Gdh>hVhB9xrKGU$5l5Y(57*0(an)~|mpLYkB
zby-?+$j`xq<k4o92QqXl$gN&!&G|bR#!fR*eNv~Jkj#u8dPT6#^2Y05gJ`Y?PP4hP
zDk(~!L(-}`gta9f;f<X(`wr8<PL%M7h}Z9H27Gkut``HVheyQHr1kD&Q@d?ObS!y@
z5^%qqTB=FL=)F7fQJ_e=r_o9kV#?dm6;x+mqHk{>6uS3-4PL}+aBdw$ifSaM2QS8d
zrirMuB&C|~x7;D{k<HJP;#LZNGx8ZS+I1#Is}>P-vc~U#&8%OGL`0B8I#+Wjes5w&
z`_h2uqQb($T5<J^zW%X!ys-M<nLGbv%!rObVpyjwX+guS@raV|K=t7$P>>5PN^$yl
z9CfAgYA*3BcMv*JnGJTbY%6X_$=R8vaVYk}x6}2nVY0_>RyK7B@7nA6uJ&brZ&9U2
zc^PC3q)s6ve58(mh87K@JFd8TW!^3Xx$+2v)m*~UM@jQ7d~eJ}I}@{uY@~ZA#od^|
zyD1?7tc-isvOP3*LIDF5?^YN$GNWo3qhQKkX84d-*VJNGv5(V3aF5fhlEc3s{kyX%
zAsV73DCp60>GM>LjDejGnISQDA;KYAN4_B_%eDp=Ru}T3Z{Y)Tn%rd$&fVf&8GX3C
zV!zE)kXMg8hi}b@UVn5465=4Sf|*kL{4nmIYw4Iq%fpX(G={W_%*#-<K%GTApsB99
zLm$DE*hdEM_7s4fhI=pLvfU{=Qw6t)b1GE#e60)@fJa_cCK_hAM6dEPTU^@_1bE6p
zK~g+svf^th@9L3)BJonMPoH>K-<!)b!dMGy*?rVNlN#A$r=QdzX8gZpQ4aTqCNABz
zvc09CQoc=Eg_|v|C$lqDY_mEaN$<ALdE8~J>qJ~`$+FKo(_sfeimEaBYHRo<X;mWP
z?Y0EB)sH@(j^QTrCsZ>ATv7SMh{AVqOH9mc7$hBM67!ut%IgnNa1jKb4T!&F0*$wj
z-AjGxL}b+o$5?ulOV$J+p+v^6ux1lBrwekx?6Qv7e{E`Rn4}GW6pPg{{=Q4Du0cf(
zmL1=7Z^C8=O!ptk*Pt{QX6~`MYJmmALKrr<kcCLQ;Xz0IP3;CO>l<d!a4huEY{faW
ze%vrOF&>`TJJhGD7-swsesy+<wOad-`*ppR{YE@}B{bx4pw)%jIp)h3i9mf)jPX{?
zo@w$ZpnvV3H>!Ar@w~my=JBJEDP_Qr+K*>+op$P%RgjTZsjqtcnr(JM!Tw0W<cjp}
z$tB8A=Ra~O?WxF^Y)uMAvwuweSjKYTnQNES$_q8AQP3aLyor9gFgsKzdJ`M|$hZ1(
z8n6xkb<qH|aye`t*a@(q%ByPSAs-8@@Ep{9`|^x^AiQGqcm?=XW(r5=fDUnonF4U(
z(d3K)TWo0;L{;O^!L%%*!E0Wel1-0^m`)MYmR|QQbJ*ApT1^L?^2_<uW=FUAe2GQV
zsd25}rV`0|y%SWb^+YG~Tr9dYF-^hn+vImcMu$RZmr;;KhXxOHyfQTUAJ1>ijPHaD
z+nQndoYFMy;pp7ag-)gY>p?iZ@W@2Lyy8oi+^x7zD{Idgi*FQwsr*P*86CUSap`bi
zpcihVb>_bc>@>W;J(KPfu2!BM=NH`>Q4Q_~_!J)OWp1Hx^_g9ED0A8hG5G$ZtJ=)w
z6y7dfN_SP5P<D`lxtJEJwm+Ao9z%dVKhgAag{xb2nj;riP*Ak_NyK@Sx<N)bB`8WQ
zV0%JZ&dA$vV+&ofn)Q`SYBSz=#KQPFXYBRQ7sH5Kis$RQyzx~~Dowh0$<a94(OT4&
zq*49xs1v&aa4O#^@ZLvh#z$czX+*o6$LR)d286cQcORX!^K{L0(HeV9Zyye{v{sa!
zNqjEggjyNTR*D(kLny6`I)sqUEgJ%EU}MPgIl~-nTAW0b;6G@l5-OUKR18nIuLqgm
zF@r#^5%u0)B~Yr;@gR-6q-4V=$@j^%srb4Slg!EzB8A?=u?y;YxBII+?#%o#gW&AI
zG2%b#M$U|0@-q4h=%xUJf)AIwC5;e}NOy(ruujEG74C^?nJ$1%XZ)v6P=FfuKp^6N
zg6z&Ez;v&G%0?0;hZRsfo%x7TZYEgQ)8C>4ui^LIzOt+Rk@7rMMLx9Y%#WdUT_uOq
zk?7l0pdf9F4uK0WOP41L9gT-lQwySt<y!j;GS{;8VrF=+PX{SOW4U{59P*paUq!Gh
zRbP2>C*Nxh^UJ~y#X4Oz=k4XZ&+RoeH%sxAQ4twO78PkZvx`S@79F+Mi+s&Yr%M_P
zcbf9J@bjHLLtCgWG2unF==V?{qfxr;Y~8RXfD~ud6rQ$(s+aF0&cC7_F>JXLzbdqp
zOnv-0%%s0Aq)e9VHhe{}WQ)X9SjQDQaux@qB>1FCyXjX+*x%7LZ0)R5rtrD}koRr&
z-KNxLqgH<8Z40Ofrb8Hd-`i4JBzy35d!3({P8NJ^4-I9mMHiDo5Xv2UZFrJ#cJoE6
zM!@rl7Qi%0An5D>R%~{Rda_Seh1-H1d`TLb@qY})m;)=~7*ZmFk-ZYTgqa$y9jM5$
zoC+YMNB<kQX$yNAV*2|IvoJ*M=L3lY&VX4r<<!Gd*5kJF7%O+%Xr*kKZ;so$8QcC$
zVFz3kx%GrQT2s7n=ZchU1aQGwMU#G~Qmztn6o0#_yu9PlxWJ9a+^6M!EVOy?vGit<
zG5Qe1&`vW0;0dW|#y9%4$bPg4kKAUCLzG2_&4OizJI$ou6EB)Y>fXM)%F_xJ!PWPS
znk_5E1G>#3LO#H8qf1Nnuoc4{uL<Y$Uo`(Gef1H-df$BbtH9i19dxuqsy13*P}_ep
z%hGz_YBgAw)|XmsS5PE87F^u=l^RKddQ)v104M(0!lP8~O9$}4QCP<x*z2kVz6f>w
zi~;1w-Yp{mQsw-Y1AWh`s`R!4skD&CeZBKG8wAU+Jarruy-lUcT9M;7R&9<8_W^60
z!|ZOoqo^|Sk#X;<9D9_9Ev$<{WF83grcM&rJI%Y!=!+W#J28V#mP=MSgU`#IOE(h-
zGfp@^q?`X<qsu%(?LF~Ta?O2PXg`*q6nA<qEicrfLm}kJpr6{)GI}?iM7(`xHKHmT
zbamaXUJ~55q&)-c-Usi>Ow-z~?i*fI*?V7FZA!23`o#Z}nYM0%pe1Vz`<$Unlb0?x
zRWi;a`X`u=UnJZPaTs-l1q65>%kZo%`TF85kOsYyz9g;kVD>Pux*SF}jKYHKH(JBn
z6eC~HhpzVX3gTvW0yxA$<&X0g)_W=jdR`>IsyqHC--&H=$MI~!R_>K||5A(^1>LOY
zfbR;|KVEPQY_^Wg_T1vLsi$R*wHaGj4=4iLMsvLcAUXaGr7XTW0nJzS>p`~EEYPv_
z|3zK4syrB3mrIKK@IOrAevjSt|BC`WN;?Z(SI+(Db81f;3$OnLma{-RKKj4-#QzNO
zb`D@TsnZ|Y4(Y*x8$0fhcZsP1DUjVL<>L5XSWP_(KviY3zX6|4=OG&)cK)*Ig*&>&
z)jR3}&>)pR<chaY*eq3+|3BykNZh~*zbT=2hFM0}MG7;vpwa1(!FDOIS;0w}oAHNe
z;IeD#po~2IKqvK#wSNf`z^#s(|9kTr0RZ{N_kRwp@C15`BuhF(g1}W`Bc1_?N|#b3
zi=Zsza*8;0ZL~*}w>H-!*1T^z-Sb>Ly0+FM0WHZ8791zh5)SeRVcC{&488K@`1hV4
zI7a?)dCzrp_#5l|F9>%<E#n|4t~n1WUR|1TM7o==b~wJ4qOXskEty2G?cQxC28K4R
zI2*6|;?HPP33{ccTj$js2}Ddpo{$J266Q+JP)&QOId^8Ir{Qs${KY@4e{0VEe-T9h
z66q$S8N-;hXwkd1*&1=hS}u|k+7)0et9sg{@6M8Z+)sJ%^#f8jHG3yk9lLtE2`lmv
zi?~I3WZ#Rk;!McumDS}^kTQS?&DT+FS@~PQZ<zX-q`TGL+8}jXZO^R@!vPBch$%hv
zsX}G$21CM<2I0oT-HLt14~ib2kj$Y)wJvJXhmnG?LJ&w0Rs?bsgk^43MSfjtp6Nk}
z*KnYe0<`NooKrK-(40C!(ZR30)%0rA{{a++ATKva4emB>l^Xtd<jLcsHuGVn%E!3<
zPzAf$Y3-Id7t6g;2_&?V$O!YGNE|!UlOt{(Mw{^&r<OTD7baNxLSh>C*z%wI*Js1-
z?Ju7zJPJ7Zwh+7K<D~O*=;VcYopOE84KH&=IeqJcEN!&DXbsF~_jP=op&9;g1MKeS
zzf5irWmUPmoMkVYFFtkr`#^<MJCH8)p_N5ZzzM%~Zu_s!9ZsG#A3gg;PL-P<X%oLk
z>T4~?cGEh+&R;hZn|;Qu`mbe<JEoV*=ww>!F^Ey}-g|=M!$Z{G24B1J*;)bohg!Y}
z=%2%{p<8-;jsyLUD(fwh>nHAcTU+a#tOU}|H4NP`<l0$eoj!@Bgrv*pG@rbNPFeh}
z=j%pe__1nBeW_ug3YGZ>vwqBeUm89e1F6EADbas`Ru?|+q(43`)p>lGvrm9qN9Ot#
z9rxEe7sq1e&2WO*N@u_Il_ORnq-BqddFzQj$>_AF01b;iCRz=nQHSo0Z*VTD!M1c)
zA_8!{KqCAQip;VVMleTtoe*qDTO*u#lz4|ojoR>LPr+`xBkDW50wE)%JjIFzZ1C{W
z$gwE@%dM1z^pei6R>{Sm+6Nt5P6XwPAD_BO#g3ce-9uu`ZH7S!TY;uob)99-)^#|4
z(;&kW<7@qXwEo`WFCU!jLFl~zOEZP36Npetb3@+&pWe-xSQJWUkIjfK{c%FvLRpQ$
zc-KA~!I5&p4tHLcUQf~3#<NC`98M;b!A~~aow&HW+3QX#&|_&gQvD<3;-v~B^4JMr
zCBf%`LLS<A{I4XQ9HUnLj0*a?H9=LX6Od>NAdx*F(ZD$Cn?mUJp>hDpb^eB4wFQup
z)Ta>wB1DXl-T*bBZ;5Azt7X)2N3vxV>qj9aloSYqPk)>S)GtQ?7TT#5{_w;j*(n~2
zavaFSF{`MRx!N9^n3$M~@5(8rH#!H$$9<07F$tdrS2$2uV=X49tLnzE-+e^_E=<U3
zU??^RPJgW9pVG5{eT}ba|5$R>x%#JXFg!a7R2}$O6C}Xk$VDbKmHQ}c?4poZ)GKnX
z06+QTO?Uy?5U@4(ziSI7o1-|BKxbu|Sq!geFtDr?BE{&+Nxxb;H*KM?fGgZnKZfew
zXEAaXOswk$+6JRR0d=H^J;f$y+E9PoC@%sRf&<A(Wmryca^5QYRsUe^^*q$jf*tep
zwXk?&tp*Z1rlIG?MVV^1+KVAA+#w&-{6p#V$+Vc{T(A=a9({|Sgb{Sq5G#5R_EYS+
z)7fDZ+a@S@rjmzcnuh#UPRX4&SND~y7mCgr09tq9FnSDIi;|z!`5_R9r8Q0uaTFJ(
z3`H2+GlflFnq2Z%xHb|9ExnGG-7fO!Ropw1n8vP?Rf7`Z7N)V^_t`XVC?|H;%;~Nf
zNP*w=N|*d~;9204Deq733dQ;_Wd;Mc^1tkMe1);w;EDCo-YrXAZq+U@rme~+W&0)O
zCp}7Y53#bDRiQXf>7?(K+hI-gQ?QRA$X#JU8wyW|mSXo{kn6G@&ON1Qqb{qO`1rBi
z$zd8T^kU-Vwqu#H;y4i*X|_x1@x_zskuGm#H$%^sKX@~QYkdo4@(Sugy&fx>Hj?5{
znLxf!m*jP^?2y#6oq*vV-GdKQ^N%-Dl%3uZ9P+WGMqJ!J{1Er@hPGpV1M`iv3jF+J
zol16&uIzDOM1FR#+udT%Gk(#&=B}q3sIvOhrC1l?5_Da(o0L~_DubUAWSk*CmN9Iw
z0$OqB%;p65>T_>QpcEjkMAR&|pdtYLQ_5oLLJ?~B!Wmk}G6wk3DVSiW)Ek#|tA_m<
z7UxxR$9|)6j8RyLkGAjU$Fdj9+WnSBRo1ik)2)*L8}{qKTNQK0(=kgQYF;H$A5AS@
z38U0IP=1`%gM4Kxtqap$bi|_LM&NYmxi>AN!<(PRmHATweWnxRunt73PhVD3>suBi
zJCcUr=Zs&bT*Fq$0@;GsV~-L96;Ae=8q^}wDSm(aYufGmx@KY&_Xlh=L`7^o1BA%e
zJxhGL8~lj-c7OD`_cNhY5WIZduolZsJ?)58hR<ILvYwxSwXQsEUG*IN5fOQa)$lUL
zW~vD}>Zjgh-)QF*QE*NTkn#S9q~FD}^~n<Q#E&@Y;}CepAN@BgF&yh@^|%S~BWg6x
zGhNkQmw!o9^<}vI>?<8k1h=DjV?1mz^``Dks(}%IjS~+=09OIE4`9GZyag{sJ9oX>
zC3P16Z=n$71H1tg^5{R;`rYh)-|qkahu_Yt8U0%Y74_?goVc+iUfSL*VAY(No=d{7
zm3}{ud4R0<RpYOXfYQ|<EykA(1ApGeeH7^xB3yo?sn|ZG51#VSZVt<hz4a|%xQ6}F
zTQy`U#W~u9`_!IN6xcS`huKf``-O6CuPGU^d)YGzYw`T}$sy*d=MnozZ}c4^Z1sFu
zk}j)18|{_s$H4HOgew^xC0W9)Nug`ao^jv(S{pBuJC~GG+SlBk2BJ!Z--4XE3@;9F
z+()l&TZi0e|Hi*6Bd98oRC<#oHsTSbw5##_j)QK;gG5X9%*pl#w!T>i<m5=1g8v1I
zzy7&uqw()CMIP1G?DYCY(cSUaEB+4T&zd@Y;&1hf(Y2%hG#cIVBBA`eZgnJeWBNy4
zL*?E*FYm#R8Rg(xR;hkXLc_xtZT6{W?`oTpSF3V|w}@dRLFAB|5ewd;JD4Ciq(!=!
zYFfPrYf$poEOqvDQtrKif(PUm7f60ioJ~2qa@EpHQnH_tzI9BlEDvC<`|)*d?(%ke
ztZ$CEORC?P+$*JqO5PzOfjQlUh!^PC)F@PoY1Zo=UJbNMH*Nm7oudCpfReib&hKGh
z&4@{^-|UO0j~x<+th4=?;Vs`W>C79%Ti*R?v$ftpY~)hni1z*q2tCertOt%)JI>6E
zHd_vLx9gi(4zYh6G5Mw2P~N<bF0Oei68&aLLch_pJ`86E*Om!ARcikcC0K?E{kjY2
zg?_f!OH7hsXH>btsr~!_f*tjCY3+~b!mg)XxxRv~+LR}MWGTX^L|9w4ch+!0W6`i&
zoMQyvOHq?BVOtH!9?U*AtI88KlI907f{!$-w_V*$bYl;1>+JS;NTa17jTzw8ADI|C
z(`vhmL}sPwDAF{u&u~|RQt=as^w#YZ7&ShTeh*^1)KZ;D^3E0(d%;kKDH@o3b7YIo
zux6XGNF^)t8lIqpsflz5Brf?<OWlUPE;E&C7EWzHB_u+so6uqJ8V>11B6G!QEK5X6
z){L=0So;OBUFxi~{$DN!(gFiM1``hshm(sjYa^>Au~T2QFcYcux}o+S>VM~%hhd~Q
zmPXncke(ZM>9gwW7=7kbHBh~p1D+$R!IF`S+1F{1IFHi6LPS80HuIrOk0Hmi5fOJR
zV|!J)HgU)+g8GMERZR(WEmR#rxWRbng66(`r7`{6euY57aYfO2sGUs-&8ApJ)TEw3
zzdjliLDOy`+ufbY)$j<RX$6&>5xM*TVu5)2;N9Z7IPT6I%<a11(e$2<ya&S$xpz$9
zWB(}kuTEwb`c;Oc89~gBO*lbs5i<%HMci8^D0`p%C4^qVWZ_G{EptLyBSCj)dq3E#
zzh7Q*X-6zO>yjIZ5jXdppE0`9ol+cxfQ>8*tqSprjrzqS(L)67Ex({4qw-}kKZK(V
zlOD7s#Fazd3L&7|S+Q&d$ByS?FkZ__M(jjb?Jkm#M>L`R&|;zlYYD=J{w&Tfb{~%!
zNi-bmFs*Ty;0hO`hPE*4<|BV`grnlFwMJ+l<rShOOqYp=@DgTSu!suy1Fl0bBRcAo
z*u1`HyOxPMx)xol=|o{><cNHUuy+lC3d6K+%tnfSbnGsno^j|?;onmCcYRb=Iet3H
zG3nkwUxM+CzGUM%W!cld127b}aA&>eMr%b}nV)f0;c<AzL|$f<k#I<GalKih>}gNz
zl-}w7V+tW=$4umtvQ9%kUfH48c*Q{9h}01BvSh$CGxD>n;U;3`&F5WfV;Z_)kQ;(e
zZG^)bzeqAlkiP=>e+IhGXQ@!oKXl!(Vh6XCmO|aWK)uB;8hr-)U*Y3K4!GW|9J~cH
zjS!oy7(UrRFV`bz5dm*Uq^)SoAmfll@3^a=%+fIlw$2!uZ_FvhAZi`vvsv?!%+b5P
zb%+R^PDTH1fsp3!Js=hT?okb^;NjF5QYnpKZ$O!O*p<zoAuo@$zgM&xyLWjE85ak0
zr<kkEo3QH5G1?<jNqz8BO!2oVUzA3(Ckai7<3N|hIbU?G$d-PP`8+!UJ30n4M;bRU
zYCCqfIX{i@onZsbGCWGk$%#VIOSqXgTSOxH86BKXA(K95Su4vnmz|$z@)kW<8{b09
z^f$Oj+#scPT+zNvf8jMeQ1kS!%U1HUm(H8af~^kR&h2J@xpeX0r(mUd8<#axmz+NU
z?)UzMs+x~hXuYPjo*cbinezvEC~IM6x?}wK{Q*(L5)(R*ci4XnORqZvAH2i)Zn%Y5
zSu%gwjoZqUwsa*<7LffqNY6=3r_IHFmN&+p=O5DN6bVM|fU{y3%IvVDZ-cs&9MDY~
z&0J01h%*y?em1Gkk8%7nhI5xTPYgpY2r;@<>?=kKTO@zgJda+WTeb?eK;m@FMe;Ce
z*5q0VZMwNfG!)aHRWRQdrx8jd_H-z%wN_fowIf1A2)Q$GYeKyv_9Il+{g{p<%P@4*
zgRe3>AH%$|T9qwdJVN2V=VHGDV{{NBkj5<Kv5})_D#kI6NZa9u{i@Z#lxG=|qZt{2
zt5?4vUSA6lz_9He>?P6^pA6DOAfuQ8LzJo%?9)Tf15iJ!vSWgi&Pv4Ckhq_SRlY<_
zBMNnblQT9-fgK9QWd_$_McGpz4oRiLh+3_%7Z)Ol)q0>zeBq3roE(*vu|c*PdF|pw
z2cl2p8=$Qzk2|ZIF;F@`M`>{Mj-v045^>2%6KyHPzCtTMAYyBc+O}8la67<K*2mmw
zW002K&rg-N2@#$>#3SB+JgD<oSsBP(?^pb25?`HpHKwgs8hMF1a5aabYxP?7bjRbb
zuI(>Y>aaNmcbmiY?Ng1kNJY>Q-<(0y(_CX^v2jhk^$lm$uMD(rXX!Ue4aAhvMbZy^
z_%4rpUC^hCipZw5&uV9k5|D&gx&|bb>>Xo|Ur5ktH{*}q{G-$AP}KRyKmdJq70BS)
z0jB(r!_Zj%6L%n_apu;lm`~8@F&75E$M1PAuag=Y$H`s)u2?5MyG9PX;eIp_HtXwJ
zbXY*MjX*1}-*rz8vK~auw)dgi7gOR6+>O|hMwuM2I!-UNbAZZph4Cl`;ik<k-|p@o
z*_U6lbbxaY$n#!!=+Km1HQjYwA($&!J@|n~X$@6`3p=3ZYLSstzY$H=6YKesOx?P9
zcU-728W%xN8(?-uu~ai+r%FPG2aI|$g3gx1jeELRDu+^<7XEO?7MU&nb8x^-tsDR&
z$&O~+44~+`nX<gR+}@FX+&&<RRZrebnN(i>(@056>w^!j5{FZ{Rt+p8hmV9m4D<!e
z2#6WEbQ7ok<a-0-cW;qg^tL%M{}x?qZj@FDZJbfveTm28ZDx99d%~VJul#ymA_7wK
zhftU_;#_wd!<_%f6Tv;*YFr;g){Yu~05le=1JL=%+s98qg1(gPvR-<FR0MzLX9o>d
zkDLk%Q|Ap7ZoO2c2Arlhk=oanGpYNtM1bEaF5a6T%qD&-4*RZl=^`kr1Skn4$jHC`
z%faf><5|n)F`ymHe7P5}H&1}za85-n?EzYTcEecpCZyTrj`HZh)h|!e`)A*Q)pAbQ
z4Hy`_9EgT8cz!c@5-*YpR~zi%lIL#>9J}ARj!bmd5sQ>mQW0>KjazoKXA{=^IQMhG
z2vwl_!JyUG%F61!d2X-#WUM{P`1_`GWA*+l7PX1|=*a>1Mkt~H+@CevmugVtazJ0e
z60Oc%x&(CX9Ci}k%s6&Gdhh>pf%SfxcscXG-w|(dX9ra?n&&XYhuq;u_`~uR@f|vG
zi_cYGncjQvn5<}$rT5Y$0m$g@E5$@%p*3^Umr$-upj8b^GDd+0w)}6kDHtwVSkf9I
z4TzIj(z<sA_i~JHzI}m)rFJzJT~Pg6T91df>I1YS@AXhLw1&RBG)a#%aU9}XQlHcv
zB(Mj9#tQ52yL~?m+?~3@An6jShA4hP3X!Ysr9f{1tXa;h1dkpu=%^#ZF`QwnF*N(K
z&h0}sv)cmR-&+`O^+6cO?9)8S387%MuA%LxWncv*j-k4an|cgix&R82J;H6FsD`g%
zY39I>n2v~m94T-RknJh|+sIkrXbE((ozBQ>DEa>A-hn+45k0AUP2}7C$XX}4?j_s^
zci{VJ#CkbYKEdEr6*Sx%>d)wd)dNA78=-;JJR9pi)zGqr?H<6e1c4@1WMcsF>*<7?
zA`b9P4!H%5P|U;4DOXEby0aI)TXsCx!T;FwT*za|4EgKD@PhSf%u`KVev5tj$Nk=9
z?>gnbp(_Ezxw4L4Q^89GRGR~mVM4Q(QDK>>Kot~x8kv7c)$akGET(a*%1y_13cp2p
zp7s&siDYLkEsO89U^_;%YuT+NUENWocQV5U;hyHk^;*|l)k*vu5k?E_s(ov}5-P*l
z>NEH2uxjZq#BG8SBHZ&aHeuw&UD0P<STwkiieaBKGSfY({O$d66I|_?xH<pO+>W7g
z@z0(6*>dC!Qg^U-0A6s(LXlObydA#jZSt9czC?F_s}r+NEK%%hLwSFn*dJP2fHv87
zx4ZKyX-M(wnV2Ze!6Dw|E;TE!Y81pOd<5)FcV|R9bHJFE7V4%ua-g+4z+49m_%#>?
zGz9~B?SCUu7fb)1``fo~zvSp&(&#<&teAXd1gLL?%thOd(Ik(8w-3-S#25YX`KU!l
zuzsGVc7|#6Y*F5R_k-^$%b`Mgmz7*c9~kBLsg0!jgOwFY9G~gCZ}%A!eEq=E`eNYr
zux<Q<l+^g#+k$+>r)A30@VY_==GOCycgqUp>K!aWCVyNm)fqD;*9}IvmvX%C{9G+@
z_-q4ZCf^v)rTpin*h@i-T>b&$5d(FyF*&#KW9ekNqxlJlpg;Q|eAp8y;sRX(F}9Cq
zYXO(F87K_^Xz4D>Ot+V!Y}T^TTW$D+*#VabxOJ#<Vw%yx=0(M*CT6FPSBTN4r0v~2
zFa~qrREFK7l$i&Garld$Psyst>`#5JX}9o-uC&{t@ahJsGtYrA5<c)Y`BL78fW{ny
z!acdi|30t~n3I!lZhkttFZs?uY7&qJ*ij{YFMM8*XDSt21Lh3_g%MV#M)(FkT@kd7
z0U#OMb08tgpzJx=X<oYg=dbn1oqI&jzgwRV13HuBE5*xDsk1W{$6s~YY)(O)npv{w
z=+5{3Ykv?>mD*?(;}&t|o}Fi-SFjo|+gM+9!@qeazq@F8Lc!+tlUvNf!W}J98#k0F
zR!#TJC#FU0Uro6ku2Y!&d{f@A_J^UyL|-+WxBp|TN<%BwR!-sbksDKB-Nx^Q&^1Kr
zuHn!=mbzy1i|$;!<FB@%O(}6LhLC3s2)92@Dx81a;~ua)_U|(Ix}R~#zsiL3pe__x
z^0Clg!q{+edOxEpcj3dFO%;WTVZQL-?{>?4-QY5Yp>ox)w@?zz9lCOFD`-0pTjgK0
zD*pqR;(g<e0C}k|Q{E*Xnip7ddXgkGS67gljZusWu+kaXnLJ|UPo8su7(cwsTpmpJ
zspIF?A({&RX2obV5M`;6PF6QZ{3!Uf%daB7+-j)=G-@W8E?fe-;5&aeVc|a~%H<w*
zwgTov*#FE4>#6>^{O%RuGFZ3xfu*$uLVq%DHLWGl_lw6;_?Ym7M?mWKy?QSm*ByB+
z`|aVm8@I>KLqeWpy#kpo0pIai-Ywk=li8Ah2j6+MeLTD+#oQO`7~k6`?q{4(%NWH%
z99D(@P_SK0_Wb8BjZ^Xi0*;`~07osKNR4ZTC1rFSNFI){*=$Kn@0X`d4b(}ip~g?{
zy{1aEYd1V#Ty4C!rj~Pj<3D|1z5SOOMcI87&LRKgY~Aln)b?v>!D2<9Eh9@yoMA5>
zYc6{OCN+@W!VJw!o?+>RMJLudKr?Y#VMT#X>A}}x6S|%_2IUqjo^m7H!`9j7YI59j
zUnG~D*p;i>(TsIK`F0w>yY*PP$ARu_log|%XyHPAly>0a?e>*^Tb+(fSMUA7g;U)q
z4XfmXr=UWiFdn+J^S{Hs8+Jc_D5Gw@2EJ0zl^u|+>!ceU2z?|?*G&Ygg2OfvF9j4I
z$u_LvF_Q4aJ!Ql1L#ADRJ}BzcY2W^5qC-wC-cLpa@!*ZlO|^1p3)IGBbIzk=zmdgf
z)uFrzCUIBD@r@lnuQTw)Zt?oE{JgW>k77d3W^X;PdqckbCRL`>Pn6P~tJjX5(e!H(
z;q8RmDXl7_Quj~I4H5b6d!G*x2eX4S>9sni3nrn=&{WG@xlXEAWbues6YS||0|KF*
zF-NU)%5T9@nz42{0iEm?0gTf)Uy-TH{v^|7%EtV4#jwB^0)eOleMXAX!-In=C=?1P
zFA2c8)TT(HJYnU6Ga+(*%m=i(?Z2JP{<y8yYB}~7EIKshK5tF>Wn0;^$32H{ywrVD
zsK?E*G$BR8@_o)`JHw9oU{da^xIG6<&s#d`ahmG2WkwRvShbwuXI@Zb;y47><shu7
zJ2O&=A5ncVw+7zqzY-8t;5&|?ZwftDWccYMNu|dx{eY~I`YxM&xUt731bhRO<hz>q
zXQoCSP@UNdxED-mY1^ix7~b5e4U=M#5D1i4pPk^K&fK;5{m&+VTFHM)zEd^8&h)N{
zeQ5TV{*hfaR}n?N)&;&LQnr5ESi77ayqY=AdD7YJJEvT?!@=!O3u|bu#x(JO%`Kxt
zZaHU3CWlfn%iQnLu_WIECuXvbmssUVkv1i!UcUbzHO=ke1yFCemBQ5PhGSwC^4&mX
zmFHfe|A(=+4rsD%|A)D6y=_Fr0t8eTC7}a`w1N^NC8WU^%|MZm7+8QPIR=v!iAgJr
zAu&)<iO~ZF8zD-Mfs!)ncMjuzp6~Pi@&3(NoY!@o=W%@Mxap<pWaTS=FoH!9A2FOa
z^qe1S5xQ4RFRD5{%Bn!QL@Pj{$$2%8od<S_iaGt8hST*vYXnVhdW7zq5zW158hTG$
zGQeqcsPwFj<%RLb5uMV*7XELswI6&iQkWAAQi0<w{t%|V`yH3`-Yan(&!tKj2gB_h
z75MsA=9$Y83q5kjM>NU@u#;(M2d^y7ClEfLuOVptyVzayxqT45v(FfF(;w_RC-0||
zc4S*<@Pz)z<ndM>u#d+N?hZc-tzqwbU^*kZo9%d=rDP3UNTy9js0_lVKpq?v=aI7&
z<K>kY1EdQ{*YD1}NuqL<X@W%Znb*BC7H?juTUy~r)G{4CE2OmRRo$@`S800*2?=P1
zeS+@emW0W@W+YjP^-ZcSk`d#Kl+H$We1sBF1X1I!xN=AjWN_m}V~Ycy)nI?c#ZP*X
zjc=T#AFNO0tL(Cz^hBmF7UX1%Om*jvjx@&2eSXNXgMLQz-xbUXL%%K>e5=(o6&hE@
z4yofP4c`%Cf0ya=$xz_nrAS*zCGO{=eA?Kc+!Fqmi7~CY(T`C2XR-2Yd%siqlG`4o
zbTB`Y%N}NA$pr_lO7~=Eg`o&DU4~8z8RbK#-?=jh_Iq}d{pOF7JrJwa?WT3FKR+gR
zbi`_`mG<!O7UFz2Jn{G)2b^0paiWg>ROWiv%(=;(*(*=P6>FlZzK}mgVN9Hdojqk7
z2!^usZJ{L_nZUZU=rPkBhM4J5sS8EB_K3$0R25@1`H3H^Yv)^$LieU8`$Pr?&Wwf}
zV~(_Eq~^HY`WEBYO<?-}_@>Xr7t~&DSAqz~TbEc+du%<JDznw|x|`)3Y3SV7K7MOE
zgC+M;tRXEeEjfYI_uUT4Kyp=Sle^gADM7DZf3sUiecig!-Z#*Oa{TGB@%d#pMz=Vq
zG%nYy&5`Cn4bs${C=FCE|E{n=J~kE|AGZ>8&*`xKah`%U&C_h86EUV2oIYfzJ~+oO
zWGHbf3nAK6HfUYR&UXCk0_;JCr-`keTBG0mSR-I%Pu55C%NdaOm*wKyk0C(c1}Ml#
zx9KqSZ7$7<jB^+POay7}bJmlySY6FJ;zEFlL)@;Bd~U5gG{tK4NBtug{=IB$V%LE1
z{~dVWZlEhWva-?^Jg9WpDl9IPYN9@|7s~eBAJiBcJqI!n{e8D*D;7u*0;jQpa{D)-
zKSVa?zQq9QKd&iszEkR<q+oA;su9I1*tRqh-c73HTHnWZ+!ZD<Ai^M11!0ieb{d;C
zF_sQ>c;Gruqzw4F84%08$v6YKV*ky0b8&}~m;dZNs%2$ml~q_{=14-FB;`(JjBMjj
zI$2yj_rxzo?`4hUpITI=M1$o80?LpcnOyCqqFU1=Vd0tiiJ@agBp5&mY|RSHuiMIE
z+>pq~u1VzHMbp{MyVJerICX1QXR1nEy7RPXKr+Ss^K<f8`*?cw64iAqCpm-Z0=8>D
zQjetdnIUD*CZ#vmoMv@8p|VHacCvLJ`qR!mUwTuISTvEvOixXrXJ%%u*_4IUoRoXO
zdxk(kiL8WB_~Xk}0=wInGhnAQ(-l*aX0tt%1?G>nu@kl#^0SszgC*Qx>*8B}R*)8`
z-Z%@KI-<Yy1QiFn05$yX1<$1^ma+NKw6dqM;NykWzYK%bgp+^&XF533$5i5&wzI3f
z{Ys`iMK)qcq+Tc3SV##i@qY7E-GQ#2{fRv=W9m^GH(Nyo1>J9eU$4#PeciR1qs@r`
z9lk{;->mQ4r9=u<@U>_hVzhd{b26+CU$&ftUrqzWT*VLbH#;F22;L;l<TFDPJTR<f
zew_^}x6;w$E<DOsI_A5P8#^x}5ROBp7A}u}$AW%Qm+s})1kx_Nf@mHDZ&M%C+Tt#Y
zilB<>IpWQduVaO|lf~6?PVYYzRuw^K*WVh^dytm)wzAK<JlTc3EorX&1m%0oLkfMr
zI`iin)~}t26>V8HlvSOj1vgB{UPZy9$wI7W{Fv=T-0<*Dy#dBU9Kxl*hHvv-Iw{-A
zCz*C^3MH^uRv~{o8ZL|ca`)zV6Qtz!r1i>Lq)iDp#ec#m^Zr9ii#dfvO4eX)CoydF
z=Wk8zXrKL%c5{p`Cc~M1muyUzv+Bt%Gb=}s#gJ?*0FgDv55HJi>>iBEjp<BnEi1~4
zF*K^vVu#3TbuDv?4bFeqFiB(=l@0XL)NrX_mqzj^rn8^_t1G>|k%fe@BB>U`0(7tL
z&p@PhTxg4W;MHenpspP}l9jqdR|5?`yWGHN1<<+>ZEE<<9jqv7eW0qptk~4SE{04V
z=C3}%^$*a2f;SZg(k|vvuuvrcpji#GM<4{<&6(<~B&ZA9hWX;+)kQ2EWhTfSp@|yM
ztEVwte*FL$Q`b(_#FY*5?oM>I*_(awMd%Zs?O6#c%TMs9vf25|#JwsANJrey@5`+a
zumf@J+68}wfw^a1i$YD2Y5KS#g((5dG<G<a)rfYpoR)9Kl4QsD(EbLEeWh0Rttnh%
zd~udV%YJSyF6i!jv*a-4wiJ0XW)h!jH_Iu1tHu8gN25iHF*~t1tELr5<%HaEizvdX
zzKfqG8DnCF%p@l(j3)*d>8C?&$M6O^1Ie9(aV53~;5}Rc(VujOZxFzWt1kz|oB}fR
z)mNvoY-&=kQm^8?2kVOi1WnUiZQ@&v8z!`u-@#yRc=F6dy)}?DFVD!_V{$6=nOHkU
z?^{^XGMK#}h>7rCgnM9#!(O<Bef!RnyRRI}KrBB`ad;#MepgKFppMb(soY|4aM&-;
zoH1U0*0l<s0cY}9Te{TpP;l)DrMrgvPn^G&GY|kDtoRNEKg`uk^4vlVn#mkkU3%uP
zSU6h>+7MEJ9E90HplaY|K_Pj^pvjypSW%;R?z7tL#Xc(41>}GQs%wMK4q3rouDY1X
zqZXR8NK9>G--bLtQ8JuWrG)C<Ir%0di(y8e7STRKtIShV*XFrYvpAd|%A+-<rKMOX
z<K?BPIfYM+zHsPeFaTHVA@4t>wSIWnFrn2bBAryylnME{Yck8-`m84>oX!=y^b|bf
zlFhYO;J!Uj>FuW+qG+X9Sf0r}E|JEWXn?)lB1_Q{KPtV_^WdMoUq~K0-Deo;w8;Qu
ze(^Cq_k`UNrHDXdP3tOMr!>*RGlWDRP<d$I8Q;MrCoA+dr{(OtQ$^m$1e`@A>Vfkq
zUWQxd5Zr-9o3ODVvJF6{O@~!;zCz$#956aGVJ5X20ZuDXjJxINidzImB$?v;B5OX@
z7a8;$Z+v~TUia(@3y94#&DR}Rm?XF4FI`V>EkrJsp#~(KD-fl-`H#)`8;-d%;-2Q<
zpKatwSW6&Xi?OY==;Uig;~gt!lq=CJ7Mv3-&&LmyS-#IT6<WNa42`6|^G(DTnLjUj
zFa@5Iu>KT2%#0y0+p^t@5IDkUxMb?F>|S8D#Wd_ny(U)2ajNtYTBy3&(CoS_JEUb-
z<3TPKD#HqgI}438>ADi4V05LMM&zNhtY6QCz=r=sYe!_RuxpinmEc%e{?aygagCpw
zffOwJvV$%%{zxfShb)LX<ny#SCGE}l*M*S$7G<u*5+|aEfPhdb3o7fn1P}{eP&3Q!
z7c>RtqJCo*(ch5g=ULi6;EioYCJF!)`J=8Ks`09^TrTo{h49yu!ksNB9<FnVyuZK6
zloki1<sq{FAV$M`_Kfz=b141B1L+aq4E?z{zks=^wk_6B<j=oqTs@XCQn3zI^0eGh
zrS1(r{B3W2L&FqH_RRWn<OZ-eM3BP<CgR?3odehT-i{Cd{bwOoJ<rB%PQbaA7xg;u
zAu>7e6;7Vg2ECF%i~4h^exGo*;6-*a*_RbORNd7Ym%OX)zV``d0mZT`2)@KJ6#ew5
z#GVA!s^8>Yjwt{#)Sq`+WW<&N;-$*WDGS9%Xz%Gho;39GY(RbcvL)f>$0a<J?L1Ei
zsF;4f?t;K6Oo1`C%6<k)+cM|VgT=5a=9B^^rS@)7^+KWJNFj$^d}bT(e!^evy+4m`
zKf+YPJ2KAxm7)nyZLyu?RBKd-KjT#}Zs<A69G#0_-ZA=iTY2&|aJOC1`U!8(CfGOz
ziPfvZ6}+KWY8c!6dJ|9!004p66>gmhDJ`G$s@vO_?_4FoS34aN`%i4PLRU^3kJWhC
zoNehcNKzTpZL{Tz`)(|WZj|6e+^E*2m#t@=2YE4xXT4MW_@^}Oko?Aux-v*%eI9Hc
z#To1sm;`4l315;z0wf{RTl%P;9LT*`DkOC+c0!j?5(mMC%Fe?W?d$Q4PC=LLrR0>&
zt7{`OL3-4NmJTvK*REWWJf}9=*V};x_r4nV?Jg73Trv0W|1~-3)ub4pYXLWKM5MVm
zEf|)dCT_|Hjcs%0=;9JeamzCFOip1=WCbEpsW8iOWNpfAdPLZW6Jnz|Ds66DS=2G~
zsG@hhy;Cx>);zQ|1%ROgDlg~`<FZjIg8Zp{QZysvHhd(AQHm4Y>-Mm(=aL^`v9*Pk
z9$KYT=v%J%c4qnWlD)jGe0DKyVq<^dvJ>h?`gvNcwPvZE+G^Js7UwcvNnKB4NPmXo
zbpqYrgPXPM82fij4dveL!6aCs-|eT(b~J~k{$=hB=XC%zYn9DTr`>D<2c|!=)=lR{
zbL#jUO~H6LV<@_&66Hio#NxB2D6^3U^{d?qv@k*$idyotyj9lTvi$B>UE`d2=OL;F
zMTgYCTy{ys0@rlT$cVlOy@e`fAhmKAh=t_m-$7ZyC3S?gkFXSax#!vW0|K&ez9+fi
z8XvOG*bdQ-?Cmnu&kRH7>#v*e@l`6CJIa`dB<>1ayC!zzt^7qBubMTd28?L4w6|lF
z;-am{WT<VUAAwz2hI?%EAbbj{&)bchQ-8P6-o)NgQt0bW4JNdoGeh05Y2Al>I?GXP
zb1i)$s6pzU&h$_}?Fdy>!6Ps=W$_%{Dca6Lt#Rab=L!@rjmqMkH+;qp{E?oTaQ$#S
z8G*wC9U+$P>ZD0&;pC2|3Z6!Zu}_e3MgrVdj)NQDR98e^7-m+}A$Nj{J(uAYpo+nJ
z`_!nZ*8_v~UkISDHMxpgcy<sS-hS?mNaArlV7Jr@*C~Ix7eXY}tal{Dl4=V(f|_^f
z;fjhsAIM(IK%5ovtgC^Cq19J8FJeTWhU!?R%YN{rNIS`_={$<d^qxfFq^f)}MkXo+
z-#2zFHdGjtoU4b@JPVsMM%vre8yCY3(y3CKjB(tF48+u3p}NKk$wq38TbTTN1_v8k
z*=Q7|A1F4)h>DelB=3ccnxZQ2TrT2E0pa+B*}I5B(W=ky=Z#UPRb}@=ifcFg{pK2l
zM_KyI6abIR0Oy_s!Oh|o5(20jO56=K?NlG&N@M4fb?a*H2#wFEL7L|-`W&_w{k;O{
z3OAZ{LMkxmeJe4mypd7a<lJmHm$e{&|MSaedn|t^Vi$xK7W4(bSf}T~oG^HS!rCv`
zuc$X(`!N=3c7y|REcv<UL6M4KBa!3tBYPmJO#Fprj*e<ZfwRbDkq&}qzE{`+vgEOV
zUWsY<L}!c;?xq$Q1o9d{qHQYF8aq&F@(4k&_ogsD=_Q}yOmb{`lwfhF3Qxiy`|sv9
zCmo3!8_O;6VRV{UXlgzcx9+{}gmR^Ofpn7|L=*U_5CA=dR_%M#Er{tav42{<!KBZz
z1iT<YWHcj;4;?3L&?Mca#OY?YJ432rF{|CMlYiYw9n>Yrd3J7ZJ`lY3X_Us+Bns~P
zXXe<2{R>*S#QiLs!FEQ}LOMGF69E<AH>lufyuGdU(yk<K_QVsHEq+XBnVkoiyM%yq
z=xQdT(|*sLl=kNBi12`gY{cHbmAPduk42V}bV3X(_mOc`Dt_B<#lDra5j0;=)2t0v
zJxd}CRzR3h&HNSyj++`|I**H<(qNUXGYVt1?u{F9^C1r@6P_BRL-gAVUAN`E#cp$<
zTx@jqLo!zdjjfE+PGRsgOpM<qa6aj9Uuqqo3QJ(!68@p^%i34@+KGm7%wp2gB6ANI
zk@!#x30?S};O|evT3p3pEg0psZ+sR2QV_Sbo>t9*B_usUr?2*pk9<647lC2)zOLII
zPp1?|W6a=yE>rF}aP~0VrGl3+5$z9dpoGcM-e|jJEivl_O}ImnK_97_0W}5gNp^uD
z=C|(0L{0ZSgq`irz=quPO}(KX>ydn~q+I95{Ynr)Ar8gp?sys-n}9=SAfS&TqA&~0
zv-XWECCX01nJ!Tn-B4}k>$cY)tnZwXnc${gZ8d~)dxrdN&N-F%`HVHznRsU&%OG7%
zN7|^Z3KCI+Zl6<*ZiFO!1=_WtMHGm8-86Uj(GSqsr&MtEne<Kfl|CGOSq*+*F>xtr
zVR7+t(@{xlC$+|8j~aO+TTyU3+)UgN1AA`5Eg3XlRD4Wk?%>b+V3#x;D*tyUR`hN}
zL_xuRpx0E>mhy^t8iCPWqVGuP)3`iU=d*`Hh@@-;RW}^jamjQKgmbtjNZ1;_U5`s$
zd~~NpP%78C@!PA?$S<^`y`Pdo&@hpOM8-ZwT<6~vw;Hgbn0<l!r_b#|=~sV^lfZPX
zrxIG6=`7F0`PIpj6^8O+QbUGwn#Cz`MxG+_zz-a)G^ds2#-Nt5m?FK(QQ*?f9#emD
zKiih6>^swshlQ}<f&4X{s`#j=t_}>~2g@bcOmrp?#=I-a6FF4uEl&7RV4%X@!~u`-
zKNc4noc?YBKnX-U^jhZqsAF0n8CT{VTBW7W!Ut;ZRhJW(UXyyxEz(WrhSlQk&LA52
z4H-yi{adc=<9))}+dVU4jQ!H@n^+_mLXl~ghGtZnPryUV-))b#T{TkE<{2F4>;Wnc
z35s>81`8rw4o?9n;#hM>vrDchCEzklR<;q~eA)T=Iu5NV&P`s_)>^!PP(ZP@WN8wv
zDZ)9<-qtnlLyj)GCpRujLZuLiw<h8BomX;N{c_w{B7oT@Ki<v`nU9!4pt7j;NRoMn
zaZR*R#n~rK4y7(Xm~WHzF846M&MYUD%=ZT@j*byqaif)ij9@0_I~0dX>f1j+xc&7I
z$6tAmz&*0QzV3h@={B>IVCk)Q&c55pk0}Nk4bMgh_7c@aD;FvI3ct`f+uGWyRiy?n
zm1y9TqlFCeZ>ic#a-#q#<Eg6sQ5ljien(_dl~?h)OiD!0<|Uue<D$84j}r%dKhJ$j
z5jy}E^YF42?EgM>XpTcvUEs5u;pom_p<7QVnhELqhS&Vmy+d~wKtoI>uP586)*?Z5
zA)zzzEN^+$0KdGf{ovTQf1<RRgdLBT%mf$q7MhjJ>JEE}VerTlKlS@BtUPE4I_*pw
zZ~~xkjJS>A4<cWNH=N|z*krSo!%nd9L?7Q`nPqg>>g6f?pp+*_L=_@cZf>l$+%ei}
z7?YEejZyutd=jkz;{aqU?tj-hx=+C}hEOz0vcCic%5&JIBJ`1EIY2F>ixZaJEy1<3
z9GcZlU@bn7g*Ycd&p~HLzK5Uvo^VD|cHK2mF<R1Yh#qKJL`uKa5pu{iNs!_zT*EO*
zJO^;KmR0ymZD4(MQC*!bjeUOQVSTEiuLgDUVz(y>ULG2+fCA0lvl0+%B-}|b1kWrG
zW9&|K<F>dNhCXtLTa>G^7@;k882)$U^8iEr=(9$kQ?UBjPdPApCC<>OtgNhYtR-3R
z<jUJ^9MAB59+{`Id!)=?oir-K2Bn|BecI^i%ilO93{>4EYiih=$9#tx+<=Gc{bZZo
z#<ImfY|qgIk0CyB%~61!;$^(Lq`)x=+yl>aDgk(PdXyQH0<2n)|NB;l{>FM>Wn)Yh
zkHAAEZ}Y`(LIxe<KaWml&eeXXTH~GravQdh+#>Zx0Qn{PqZ%Tuik2~JYvZc?qGwEg
z!<@fSwdb*i?@R`E1IHiMnXW9jIDFoJzWtc(-FLcn-rc6}mi{Gk{zz7m+o3u_9~?*v
zA>qPKQdTfCfZOBJstXOCFVX%RoA=2p{!XSL)aG@`O8}hDU9$WSaK3roXf0^LwD|DV
zN?qEx`PF6MXgfSUmh1t$nB@;*RqR2B{*Lf3B|~m-;o52-BlAYlEuDlV|HLlBTix1k
zYU%s-^TCz<tkUm)DX&0%!{|nqk-n<_xMT5VEUzoB90$7MJLOA>1P0wFo9bGT;5``B
zzdeqX)MTlOb?=jK?I}37kV~;t?de8|<N^z&kKEwho3Cn)|Gq1(adUxI4XBt<rH;{2
zUYESP^+e=-XRP}`VX*t8w<Sp2;hkF`8zjS+3U|huuknBULnQrKHS+kgM@?7!ybr=v
zetdp7HZ02=%*MK^f?yL?E+waB=$O>i-xuc(SUUJ)=_;3;z-@#2r#D*0)<ej+rpqm4
z#QW+*=wgY!v7?>rO&1RjY)+2Q9jS(u`Ee51`RqZ|Rj$fG(70y#&s2;z*SR*yb3=ik
z=QnCz(364K{Ps8^;sg8gPC5%#)@Z+7FPV5}mI3&tmwuIg{Iu7NV9(Q`)!#VBQZ^yL
z(>(T93pYHkr>6&BbI`QZ(8zeCs7R7iD^1C-v;VwISCJ7wt9iPqA+DoUn);2aKq8_Z
zV24h~eSJ-lO#}y2asOg#>Wk+lr@EOyR1q?D2B)F{_W|mNKj7NU^vx_}ON>liXGgRG
zQu9Kql~Pzo3?xrmq{3^`NZx1K+y#^6ztrbwKiU-kZYll%^FjZFPeCu=KFIiou_m(s
zgQRbr62*_==~$B4AP?pzENz+N&4Q)H%<5F{TKM!=cXzeeDVf<ad!+rkQNxRx#-#aG
zZ!8X9SZEv&-G4aItZxOFsjd1KuegKARkp~}pp1Ld%EvXqh)o;3e@%poJ{5mI?Jf$C
zFXQm#&(8A7y}Sji#{84QrZ&w-Fe@skYx2mMtIsH=W|EFFh;Wxfa1}tsj|Ih2tncVe
zSq1<wFzQ(sjxS_Pv>d3dG|V`FzuwFJ4eow=$*lB0cik1UQN0A_R4Z;4X@wl$5vx%6
zSI&+^0`W*5xx}o-x4C_pV7*O?{qz77NF;qx_cQ=n|GV+%h;hz96zKTt9nWR#g8T$7
z%*O|fjqK{%fB<OBb0%RjcU9Mg2%@q|B~ZngqOxQcS668ZY-nPVs&mEU8TmZV#ukI7
zg8ZeXA36IoV>PX=Dr34HX5JqGhN?rNc2z!wAXC?y-lOH0&FTrBvJmo_{#UHF$W1c0
z$Bcc)fWO4DRC$jX$hw^g1Q0`WAb}&;GDJ<=*CHc`0ru@;LV-DVYhO%zlnnk|8vj@Y
zK9V=m3Bbq!sLeG>dPIa#7lFW!{JP^orEV%E6eAhDLe;2iNE@U#E4i~xF1z;mO*4Cu
z&4(ZTebWLUMcQK}3_c>4w+KcTv*`2j%k1u-2w?lm{s4H=s<wMAJf~nnhP*euS~Ce&
zq}`oA->TTwjLQ@)u9{J>D07JiF8)2&iO7ruS0eBAid&S2(AlKALsm5(okltmOgSLl
z_qpLqtcvg0R>cQ4>q|{%AV5iJ>vUjZN3cTSsTVaAv(>@$9>aDHZVBYqo)vOlZ!CIr
zA0$3BAVVijcBB-m6ebx!$mA?*W#2Ur`xy2Lf9g5m&bEulaY;&OC>5vpqLV>ca>hF2
z__<DK6-K9;t#%uB)==gG(t6XyN>SS)PlB8Axb&V97MOPuBZKw!)o#|6^AYiL-+UGE
z2g+l^XzPJ!go%u>e~a)(Xn)aitF0P!@jd$~n++{3Qs~pA`?4Ea8m5gP)(+-{?>`vA
z9Ncl2kjit`(z2K_T}}NI8V*ardlL$mvPZd(R^HF4DW}hkoZ)zO;oRW^Q_z0zQWRnj
zB%a5|B>-q{4mhuRK7?0^KR?LAK!?L(Ht_svu)APqeRhKD`UloVdhbatIGZUnSGJX3
zJ(ZqT?s6O}kL4lb%qiA-f;0nzY54@{6I}<cJk$oZGa9h1OMkCZwy#qvPt6{M-Srwe
z!>D8b$A;R9q<7vklv>{3g0r{urDyQy4#66{oL4IK@;eE2MQuGcW{GDzZOYx~dm`)s
z5_<XB6?C|;I}R|g3UH_iu6cCuzRH>BwrbkMzyQP>RdW`^72$nM&pBM_zLnH#cT3NT
z+){&)9xD#&s)nTbs|!g<NxBsv;K0EKxG-^k#l;3n-yc;VuWM?Cxq(nNpsLL=SqE`*
zMx%<pGcxw8%d>KeNpS-{G-OVo_+UVZP)1hgw!3RTZgc8SjrIeLCRYA=27$GeSxbT1
znIL)iM5vQhfOgrE<9Mln*gQJ~=mDi|(h5gM-vnBz%d?O7zcsA;WGIq5oDmwp<aWWK
z9z9TDXJhQTTyE{0*i&)+#Tjz74{>0{Yh{Kx5m03_v)T^ZwzZ2zwJSqx`i;>CS^8He
zlRE^y2&MZ~$VGkU+O-|?gDSCA+1U{9p$1?TGxK3k?VA`V0a@VDyh59x1GTfBNZ-JK
z1V{=h29C%=Gs0R!tbl{1x^^LDgM(KA(NzD1DC~L^-eU>cJR-<mqTXvK2GZF120Z1w
z@R`D8)^>{*6$pc&Pb5`Syl6kLVc0Vm6WDPtO+M<iD-RW|W(Jq9^xbOfsRF+&gwW3+
zHZZz^a<DpvwIT4pne?waFhRWc1-VUGz%bA}u$;hb&ttuHJ+OK@a!JeFDui-5(x*r)
zTvPMQme9cF|Ci8!N&(tlBZJYNg9*&DPF2?B)^=sYlEs_<gV7EGF^vv6>%(ZTPJ(!>
ztZPEU%z#-_X7u2V!6CnK80Q5RWj6zak?;4SJSW=qjbZ2SHdMP<p_BpazmG%JY0%Zq
zKl>Fp9@vaD&8OljL1Eld((lQuU2*sOjXIn1*P(wv>HKKJ6002s(G9nPUjh+2+woP0
zwlrRG%@r1a>H>}=XGGb4z=UZwbCzrBbHII{vu3e4ZCCV}-j$HK_AhemUl9m$V%Xlk
z)HR@{!H|}HX#^r_)knIJ<6#dDJXsQyl}}&d%Ku>ZzX9oV@OoPShJe?jfSfw%fYCN>
z6qQg&v8M;#{N700%EDxk3%~Glm*Qv7_kH{q9A|w4wtG~vPLBGhi0c1At63=YZxns&
zg&<<}|GeZS5pcdG&XXGRw)`@g1_M1Ow9~5xdU_n17I*hAh4+#ulG2RnwFZ7ro^6p1
z{|VRLwCUuLBF|ycS{nl6f3eTMuAb0*P$L>LmP_N-or)_rE3~w40uc(&{O5d@y?N}v
zfBBfZ68q=t9-;IJY$Gank`-h4;7dN*%}6WzpW<;wOPaExdDPq=s=^|*Q~K;lWgt=f
zIjiTutDE&v*W{a6ahzKu3?z|6Xo2)?{X5&-ofcVF#9%ed+0_;Oi%A5Cl#y{OQBX%+
zME=u>nW;E%tcsbNMF0c@4JsManz_N}1=h7nV1y6L&T0}-;fRR#N}Al4krklYXhPd!
zCO`;<fjCSrG>l*7H<f2U{C>Z5;d08pmWOL#7R@<uAVsVAnzITZ&(HU1fGES*fJX`l
zwzzgdlz|u~Z)e=kAGuBz_9(U`T2@w8W)X?X@zQ-vprGq3-7s=alDP;>35{z#LV!iL
zkUYPsWL)cM8<tC6wp7XY%WHmI+xoPeyi{l`oakAY-X~+4fG@wq?3e@Q2HnJ^vY^{v
z_?|JyxMyZM*z4mSX-en1Yk@HA^}OCs9#op{PQnp<8h|UJlQ3~(p4!oIs%o~^-PZfj
zOBC}ifEwvBp-+6>ds$3<0*mgbZVhjV>~gK(rmmv#x{-~)%F*m533gFNAXT46^K<i)
zRIp^x6cvCEIT8!o(-}L7W;8T3ZH0z_l^X)HJP;deE1sL{%OoJkxR%yjm;{<v<bIz*
zfM;SGq~*LxzOyueWu%={T)nWG68ph2{UO(tvhT}h#><l14QU=zDUMCv{$D#Q=2m#B
zPOm$ywAZ-mCDu?@%8E_r6`Se!@UQGPp{c<`re}=T>G?}62I6&&wkN85aB8Z*%co!E
zE<EQGb@V&`S_Kf=lowc(etLvv<{9vK0LjDR6>)$<XJuppy#${9*kU(3w>mjd1AYkp
z_e){$FnW&wCDBWR{$Qwy9oMgm2z(}HR9so(lRi>Qe!}D~ZQgS)Gm@f`#Oq(a1I8|k
zu>J#`_Ue~|WwLnG901gHS!DO~LjZ1Lac7)Z*XXF{(+qB+TZZM&N18c*b%=tPWm?(0
zlTOU%*(<0SrFRmY$wJaDB_}d>@EimZil(FRwB9?-)_Dwy1^5=NNB?)9C{RyS)3(Ag
z=IB62;#g2FAOSY23(A0U{M~T{fP^28t-XwHNHFZ&@pNXC#(l{l&v#W6G-_w(096&)
zj=SAvr^IaMWfQsj$6E2fo5}y|H}|MNZ3J!RGB!f`Ji;u?>2BkCZTbV}F=Edo2n=t@
zbw;K3LoW(_vct7LbE4AxkVB7IkM>XQ@Avk0_R3@ch$~`|DlsGvy3F;=8lcHn1%5~u
z5Y}f|2QMTqNlQ6vcMI6qgrHd^!`jB|X3ZKa2xTiBWz;ul+!q06G`%Ba|4~o=ZXK!Q
z=9fgG4X8P?va>I<nD~6NVwm^WPmuRb7Ns{jJ34L*mY2(coXogHcVwz0PzmaFvp{aY
z+FRGdGUlCmP~CobH&TLWP9Y&#S`$0q)>M|tFr%o`B4oWe;b{QiU#JCIctc<j8Y!dL
z#;N{zs2a1m8oXKDA23UN=Li2+<oZj|QFiR<$C3Lx`C@FUd>Zd>+o>y(i+5)QtuKBX
zPMw>`EPwXxR!b7(yI)S?<hyt3In6zcL6rRzv2&&7$HzM0x#%bf;~$Jm0#lPf(TsAw
zmOBcL)9`|?=0K1z0xBonlYYQxfv<E-M_pwld0vEh45nN)d-87^`-}2aHMUYjSkiQz
zt-N0QF(xKr{GN_KGoxwDixZh<Lv%Vw6FTKeDUwCP+<H&S4R{&n1pzArEA)W`!jw|Q
z$guJOpX6L}ja#i%xx4KBmpigq-i}N;<N!K39b;j}i2ts~8!9n`s$c3_1^rIqmGn}_
zwgdu!U}Bf_)VU(+Ek0A#H3O)(?zAa89<nW;UJjaF9!VZrbI595tg2nD0-<@iS{7zz
z*b@p~B1Tsq|N9#XfCs0Sb8ZPW+psDJ`1JIEY$c+qZ85ThKq?6MhL6|>I`k>y@_lK1
zvE+vX_bc~I@nOigo!MJ7?7h7IL^~?HNbVp+CbFQ?v%(MQ?hZrBXo0FtT@|J5zwmN5
zq^hc_rMouidY?c0-?CWCnn1riU7FLUY;P)-L9tZ{0(vpO<pJN82|cUw|7d((je;!d
zW&a~3QOxR@N;;xD&osBj3xy8^r(`Eka!`BJOw}7nl2y7JAPxt<F=DWBNkLIjFHxvW
z;m{mFJ9S+>h#(AQj(_uOu&$m5ji9$d*<{+y@o&@xpKUCn!R-FPEO{BFju&?9*pY>k
zzLVNPPP}TT?WitN@tQ8-7re<?a?TKo-MG%h#g(vOXfu#!C{j^j77EV9LAd{%mVffb
zaBQjgTQK+U{OX@_5O$&2D_UEkRDgY;1I^q3wQ3GgU!Y)000Lxoa1aWF-JG)<LF-7K
z%M@Cyt*NQG7O=<~Db}1h>pR_hDtNU#_>Ah>Fo!+J8+As`|LgJlq7Z<1Uaslyzq8s9
zDrED$#ARn}QR(m;<Dp!QfQPRQR{^QeE>u$kv=b&~ZDI%El4yZh-Z+8eII<>ROu33z
zj`1Oq%IXpqsLJ~2PcGB5osGUgom&b@25xSJP_OD%W<ro6xdI1~wOVFz0dVTIlHN^#
z9c@dLzvJ*~HV{C?+t~7iK`U6G4<;Q6a{dMQuC7-lq4%@$yn!h$lPIouLP<z+KoW*&
z_U~Kz?NjjW%Kz7<pr7hBrYeeRt=`Q~Dne$W@EoWUxzP*h#<CCI70w|-JAepS6nh&0
z8zzy1!RJh(=JNX<x(BU&<xj@B(nT87*80-d69X6X?bw$r{=Ko|5t1#icQ^e-a=nQ*
zHbQtj)+0=EwkXS=OEgi1+p{*XaZnxlMZ!<vXsTSP+q*&S$vf&AoQ4~hu3pZO)zwW%
zyyYq5W$i6y>o{((1M5EVY?ol_#*^pRD->~zjDW5IaAj^4#G^T86QNC4f@F6?KtnE~
zx;|;p@{MAMf=Lk<&_Jc?{V#lIeD1a6B=1D5zBD5Y-KbM;ym(u|)APAm<=p-OxLIvR
zmT8k#quK*m-j#_6FBu>?pZo6K=ly9%bodo?<|)LBnc<A8IC2o`_5*-ZK6XG{(g?iV
zzip06v5PMsq{nC9SCAYANfR#%U5hLP=Eusk!FJr7HXsJ@z?d>uY?9{;mqilb1LTGR
zODpzS@$0#hWWswiv#S_gz?oqWT9sT742m+;fBi@HX`*rdQL|ENZb8W>FA?XztD7^j
zxEM|v>Xx<u*Y*gQ7Zg+jS|@Es+u%yA_!FWP3qQ{J(d%}OP%orrlZu(-T2Opn`*4Gd
zxclScJavF*<TG1ibX0QsEZM&eSiKqyfV>vq-}Mm~JegZ*V_;}K6(pl8#^Rjm>=!r5
z!AyfW&EN&i+>-pFN}w;dBDiVC9|3;KiUWm(;XA+SrYcC7bFei?f?E(UTb>Ig(~k!w
z!#~mlC5NKq=MTbjD5efs2<B)v5b$uRH!fVb<AuqZV~XLRfbiOm&e+-i<~UG_vl$vJ
zgwvP{jH03<t<WPbPp4T}*~&=VoLum{Tx<ydSsGN=>Qoz8lY8zME*_dqUmFnyDd;O$
z&y`UujylO%wOFe-^F{y~oB<YZulKiW>DAxfhd+4GnCxC@0kX1ZNvzx@3^+_+y#y*N
zaC&R}Avo*y_JBAePziP)+;yU5lnSVqR<9!w3`6LhR}O00!d|+MB7hsgK@hRDdO2yM
z<WW)uB#qm)*}kuD<d~KiOX$w}`l9{JM~v0k+M)ggLm<!s<>Es|tOZzJT$;Za)Tp!M
z-AH-OqQnYuXqAY+U{q*b(fJ4sj-jWRV`5-Ej|VIdx<6=ajKgiGqhJ{P#jF}I>|_<0
z&zK`oNL8~nI-nX8V^w3jq8|VSpF*ZcK95!&H55G@)^}-J15^p6_~Y>82Nb`irb3Wm
zr&i-7{u!sn1z5<y&5}bIh%fJ89xH0g@gtKo&;@$iJ8SAHB;{z)@Qn`s8f#_VQ-adG
z$x!X9t#qyKEz&EULPbmjQZ?+n`6Ot-dkaixfILguz+2P$f|7*|WLUL6xhFwRFX>uS
z8Bx-=KjhdmGYPT}GmlIdSP=bcufHl&%5G`rYPuJqzB%cnRXY&QDU2?=QS*FdabRGe
zk=n7jv0$(%Q)nXzw*QZvtJZvqKH|mKIyoR9c=s`vL~b$n4r)gn>?J<)7_y=!cqCTS
zh}^_}-kYg7w4$Hqe)k7GH#X6|cS2HUl||0$ot#XVEJ3Ej>9TL|bhj0{{>$Ab`B^3B
zPwDxt<tBeFPp2$I;*5X={~IsR4?pKybhi`*WqkU+ZM1Crrc2W6&3Xf%Rsp6MZC0(a
zWrvwkvh)G=T-;d45;a}l)sEZTW#!A#QH!n~@wobEX;L|f#^q59G`6`L*fwYBi!T$L
z6;lmxWvQ+FTa1)%Ql<a#K8rHLxk`GGjy&ru=Ja?o9IC~mXf(GB0+U-t2bdTn(VB+5
z0}_&x{5(LolSwd*fP9K?)C4GssMn7fmeQc$&Zso-Dw}s*yG72?8|(JC>CEOtcf0qp
z*hd~_-Q@!_>GEG4wBZlV$_kAnc$Bw>qTLm%tbGSSh7!w_9=UD^)z@5)+@}-#vgr6&
zV}A!2<-iy3D1~~fS0Tj%K(7nVGRB>>{ZmB9;v@|Kg@ZStT}S)6N9K?=6GNNpLoAoi
zM<DhU3<d`PD=n&pU0wFs8Y>8YUPgfCe)q093*+wcV(no%ATL(shmgs5$*JeOrY~i>
zN*7_~Chj86>K_bMVdwGlF2O->UwTt#imLV}ZcIbPk>hQd#X*Xxl&CKJsjMnVA6vEt
z2n*w2KM4PnNP0s$j?cEMQHK4kJ%5r{lE&I>75z80h}f*L3t*h=*^I0&Y3PuA04xU0
z%LSABrArD6^*|}oLM{*f_K?3JMgEQvQs&tjD-<wkRc8v%H&VM!tChvxrNKUes$24^
zDAvOYcA%>r%uLGP6N2VmtGI|bmytzFuiX#6_o@#qL_>q>SEke@$Myp}jT${70C!+x
zy9G;@JtM?&wxGbK?>7X*={H_Gmw@8Cz^1CJ3yi^`z!Y8>mA-7>rGqN|6scpKG@u1?
zji;3NE!MIOd6TZi#H)a<PVCW_YMEg$WM^f6kUKEIk*ecr26)7g8~r}CK{THir&#%4
zb|43B`I*U5$utP{2Gge)G>U7}y5HKjD>NsXp@{QjHE6cxetPz`!MA(9!K+ej4D=dD
zIWM>z$ej)Fhc#uWg90tvo)BsKSBmqa(JvpLMgnH%^W3Krz{WSJTvuFp%QFOG0-7O1
ztUBpc4T~TRQMmi6Z9Cc+r@yx+?9Fhd)r?BJ23<M?P3;MN0tacbAW0dFt6aTBLh{2F
zys+7L4<L*pyYoowyywPRu3s2TIxysAqb!pPo)P=2T@s`2PESmn1-+<`+lMPrqlTr1
zp0k6*x!{eq&2yQM;2(ATN!tLxxxg0(&Z1xhbz?+Wweie{W)|uW4kGDhWx>6>1^;5p
z{LhalXVwS>P=>_rSdFpvrGwD`5<9!C(F=c5Aj(rb44lJNzOyjw_01)ZO#(~Qyur$d
zm}6DzK-e8*g;HBi-<V8qV$ETA7B;+AzPU8iyo&_PDA{Eam;Q&Rvpsi_>xuEAq0uaF
zE=O6%1tZN1E`1>X98x>4SbI}L&E+#|5K)s^Ez=YvL$7ce!=TX9B&?Jil2T~pD7n(J
z<g;-DuqZzZy5HFZ4CGLaGJu!z{YAiJ2@jA+iH*Vp0#0uvU}!b1LM~&F^9ui?Ov+>x
zL*_#l?pEzWr%vpg+JC$c=<b#{l7si1*s7V8!QH@yxd_ZJL|=rcz==W$D+24Oc;LPA
zhp#kdPgULqJ<9^I2;xFE#PE`rfTz1WUYNz)1zEMfi?|fJx<x0k8LG%u;1J6H{^!5W
zVto;==ZqcxS<)tErvTyU!_nldp~b>!?{DQi%{q!FNpj{y#pOy1af6H|zX!VRi6;y9
z<}_yg2mtdC7&^)JoeSSV(0y6UhaX_78cH_>CTSYI{Wm%o-z}=_@Cb1OfdImIP2(k>
zj}N@#f6hbdO55=mKIAImw}MQKHS`40L?D(ZInkD2A0-N4DW5*?z0G)Vx`xJE;!q$g
z0P>%2i;$$vOh(kUf&Hd3tGp>waBGeQn_)l_*JR<&<o~Y*JSysFqO>MWmh?V^x09-1
zL!|;{pvQyNeHVMP<mS$q#Z-L~z)<a(6nhq4XglbTaOCMnBl`12pTvLh<tO3WBl|!W
zXaw2>EZLO0I}6X<Dsr9Jxc8`hd%LX!H1_hhKHuBDC%&i9{Pp{4u-8hI1T4pwIJ6w%
zJiC8CAM{ja0v+Gew>-t_!aqv!!HR*k&UootT>t{$oemaY0!eCtWm%K>c<<|*V;9>k
zYXIi#3|vD6L*}gY+loYit{s5th&aC|O{skTl;<o0u3c0EfS})Ofy)PY$uxU%XXF?$
z%A{+bD7k^vU2$>nDT%NGDW}$B1vGU7QZ<hMMr5Cyy_mU)U}S;HP#&o%_1$Nz_|Q)w
zc$x3V7mJ-TxsBD7*oZz2ef^a4=Vbkj9yWlYt+5N3Kr|JoL9y;Y2H?Pd3}ohlz}I%|
zTm?`(77T;D@nac+%K(XCyYP^_s>o^rz_xcUX;&&HPv9_IsL4eZ&dTHkcYIm-e}S+-
z#`!aaVX94*QV<J#L(RsZp?8-x7_hDK$pzt+vDv?X>8!2>Adgon2aOyn2<GS2P-5bz
zfd{9>)pr>_k3gdQ3Hq*DN0WB0{Kr52w<eq|t3%kGPA;#itZX)}K(-zRB`ym(0;+CN
zS(cZD<tagA84ULbyA6Si>#^K^rk8tnfBy-$=;l8!{F&SFd_#iqxDlwBATWD$vnvwn
z0Mm;H-V*zuH6r0P`OLVtmL~bIanI3oO_G-_Ffn_iDgZ8jo%yk}C4h!&#UU3=Y0iBt
zu@iC`vR5}%Qj_GZQdsqQZC;niD0lAM?wqF7f$#9<@*VzX%#?&r1rG~S4%Kuwk*w0<
zmf2&*{p-qRYg{E6dUm|H{LYiLuS{NTb;SZjkN!W8d9bbVz!efZJ6K-dMRP8s58yj7
z1LY{9DA}*fdYp3d3d!4&J{_PqR4V72Oi2(8zxI7FUrG+;eDCEv-4ky;POfbHTAv7#
zJM0y|qGqaG?DN`2?@)Dr<l0l+ZwEY0?D2U@O@j2uXcx`S=!$3V5m03<;?{cpUMA<9
zETBdT(3v8aFB-WM>k%&{N`B$=;IjTgF>%Y$T>+rfgKz*(iyBL0wO8}!W1yY;+q>ie
z9%3&q{Ig|%ypEv&nH2sprx85uTSz^a?`}(*cnoiOp(Y@{NaU82ygljto7dR-oMWW+
z#JIT*O>G?EAL?OeT9CZ)j0!I;G%C7inUxWNhYdjQ`h#6{owbZ9$o>3-qR}e;KvyFB
zxNBKinP-&c-fZrK(lqMux&q?Iq-@>r1i}uiT*5CF$S5zgHSI61<HuvtT5na1Qp_xY
zpjxO`vDA+6&lH%^AmX>sr7bUwKX2~%tR|Y&PPkxW#L|DTuqE)3hC^e7W-!?jS#o2^
zlLh5|d7YW5?$DBCub~M0B2o{g_H5yuStkE(@UiXZdb-bSQx3;9XH(gMvNg5nfd&WU
zPH3<!`VKKl1*5FX;7^E+y*{~Rn0h`#>|U1b1Ib4KhOXZ_^ZQ@l40EI68zX+6`YeSa
z*nG5eOBAx}Bko0LV~??>stp$PI?;f578tOveCcEu{=f-{lv&qZ3<zJy&CFbc$#_X+
zEYXn_L&1caOe{jNx+9@a^R8zfjD@ObXsZ6_wjkDMorcs<&j~|^$Ho%GukdrpTl^Er
z1$U1#&iLF`ae^B9F!#b0O(BJ4r0zdY8eg3?)^e)TDQ})tl<{y<u~Mn5$vlm$+Bqtd
z35pH2R<S?8^v@g5R2MOF6Oi$T1Vm+1A|jFsz%CbBr^<O)LqpglMxNU;=~g@Yp%!I6
zGCwTt9L8&Pe{-@Z227QC9%@^O0s$ynr|N}=zwc2KK*c0FXCaEcK6)u|=>y(Lyjv4!
z-j5yvK17GqGctG=*2$Xo(_aGpbCC`@U=TO9Be*%0gw&cQCbR-JwQ=ct1Tf;j`xS*L
zpctZKS;Vg+e@n!|B$a7`1nKcTgQ$9+v=SSKf45L2Pw4t2&1VGReE>do4DO;e5qd9v
zKcqA?>b3>F0td?8w-&-jpC$qn$hgegp9TGzs%wMyu=VDL&-9gQ+Jf|v2(YD}0%NuI
zwI+j*oS**M?5SPWHH>}(Xh!Aztkan0L-0zDxbJ_zoz6h~0K_l~xczO)yVhc_Bv+`B
zK9I`|IDB?afiHaT(^X2wNKc`a-nW-_T~NR2*YzVI$82}CvVv@Wy|qTpINs1two3)m
zEG}_gi8cZ0k4OMV1Y2hpK*a3YWib1?EmrWme<xpTJ)m{1Ohaf<@ZC!qp{oyB4xg72
z#9)wu6xN(1OX}C0V~qkNsQ;#1ja)!*)b*P{D2=_%u^h(wW`;Wcn+?2*J`G?jVlzrm
z*dXnMTi9H_i-;c>ER!r{ljt<=9v}g(>%G^aUf}=zRrbc4sVj%EF2k?n%dLtCSXnUI
z<a*Mh+^+~voi72+KSYl;VtOyl|H?9QqfX#!T&lvqo28nKC!a@J=LLC!tW2Vk!=P)b
z1Z9bkn&4W?3>t$-ga>_{cdjL@n;VuHLMhu^F`Mn&pmsW5r6!#Hy9!U+@c=$VGn^}-
zA8i;d_in0|MdnnO21L14(v9YA>1Eb5@M)k<dIHjCoL@Q79c}w>sOh0<gFGDbtZ8&l
zM#;3N*|ct#6b&j|lJfew3s5hGF+<LnIIbYU?s{!{Pb!AnA~O`d{RL}Hg@2a~C>@=r
zpn?S=>g>Y87VAOYryq5TvPLau+oIQgZ)mJFW-SiG1~_45^jx5`vfIf4`nEtQ0nE%|
zoN#~@=mI`ccLj7V<T1^S|2ZUC`u?b>504vI&>L&#2BU?nS#bkn&55T93(3abRDHX$
zY9i5sg@-LFL??_(Gr^F^52Igi+Sr7lE6)<!vJxEQ@`qx6qxJCLCM#8z44&n*fAkbS
zRDXjEZbN2PRY3OiAS#=sMC|S}ldvmw2v6)`N?2V@^lYj0jI06HZ1y6OxiJMOKmKvC
z5MuWFl%r~XLw%yMP-R?5Q~rI!k`qT+2ZraA)61e(@mVy7YPnTZ+j%pX#}IGu5JXdr
z@hL{2eECzku{<qrbvRAOzLZ?V7g-cgTwRW`e5EG=>5=;Gx2IbUgH|;rkNi;1tY598
zjc=!R>Dxywp70xRpS4($hp%nu7J+!);vu2hW$K>3F9}E9t`E2^ty+Am5|bKu=;;se
zO?2q$HY9WkJ1jmA_L&60Kg2@W7K>-VY`H%VkjcO8!mwv1P~_{|$O79cE)%EUl$a4X
zb42E-TH~dYhuCY>>>U%iuuTE2*wqgNrvsio|D4RE^A#1xf7%P-ROKv|;^+bcE%z<i
z>=X+qc)Ffg@DO!WX@)%Vw0J<=&U!3i)Wa<dUDwH<_teUN?O8SOfr4Pcviq>{G@8Ui
zoceu-(|B?5iS352zxOb)qEgKr{#$mVL!h4b7r2<UTO>e1b3FfVFmXjjNL^bv>uFFT
zUtI>mlLz_AtoScGnB!N4XuU`t_|+csy^yweiFG;Btg^J6QGy)KfYY$2?`7W$-~)(O
zI<Wh6F>2k^k506;m?E45lAYV~Y6d6mUW-aVZ@T2OI$Nc08aPM&*|XkB!jmX|vtrwU
zv&*Q0th`V(Yx><vXS}uw((50!brt})m8TzPWbX}+<~qd{SEME4OiCsE#H(Aos^f9v
zZ@{)D<0(>soOlzs(9w99M~pctiX+I+d&C*rq69G@x69ZU1Zw$tJ1&t3Ab%<X88;Om
z^SR4V=6vwwkz;TTNsEZ5p?`%haY;GL+<$58(Hom|n|WEuly8p+8tZ@b$3M#F-k+%`
z*!P#(5~Jx9$=|gWwyUMr7qM~c$Fp;og)zNFWK$}NNBoXds>Ioah!dm<&qK68=aShG
z70U9=Z4!P^duF3VgVMH|a^#y|14;=R9I8&wGNNbG4toTDSP?&hH;5xiPL!I#I@;7m
z90f_QVYI;2>_*hl&1oqEf?i8HA1qXrl&IEtC@SnpV5{0X_Tt=|)mr0LW#6JTCM}}_
z4bswkh9I?$ZgH!pkz$is3#bKSdH0WP(z%sL{)RgK^-EVlc^!C?(YlteFF!A&tmIV=
z7>$%3SfTh$r#D(r)ysMNczrj7di&3)^YZ~VX23^GM}&)_s)YUybuZ*Og}=m?BrHb)
z(KwC$3G$vard9I-NY0T3<6*dovzdcCORmhUnroY~Lr53-150lWzyA!~^P3&j&PB6o
z4z)(mF;_6u?c*<tSZotI5U3RuI)#Qt1I#-t(|b@$n_SK*m~^kx;;Psy-Gs|jVP>a4
zt#-Gtz<no(V9lCl-QUH{k2q~bhI^}tq?OLu<#D~_S8sRk)*Wia=PqMStwrSFlv4+E
zM|z72K)frvBEu)yS?=w(W%V6g4^!~Z+awiV7x&*Ii7R#ws;W#f<`4Dyh9i5BaPc}f
zk1QL);u0<nb)KPjJpQ&~$$YdX^Lx`07oWu58DTQE)P2Ke6q7x>XK!$gQbu~*2#l^E
ztfp2-X+y8;R?TukgA%r>?u770pHNM<&s^W3-gsxU#&HJCzqCrr11CT%?3J!At~@`&
z6er__Cx?G~E#*DaX=wED6YzY=^ZPAo1|I@(PD2t^tsiJqLvpk0xK2Bp@iraBR4`Rj
z%s}IBtyF#MPwOKG%TvL~k~EsCxB!dpG}IIc*9A4{5g?XN^~QRPlZE(y(}ox^A?REO
z2ZSs|(eJlI8<udp@WUNyM-*;~IBP28G`+~kio!><j)x=&VZ1a|D;FDC34P=Qv)zfc
z-*8RM*tIqFIIUe{JGa~J%0bTW=Xr9Nee}dX?$|RFf1HH$q3K6Ue&)6rvB#z_VGBu~
zOSMH|$FdOps(qIT!q@Tqj&|Frkxz<zWxRBku$E>>`eGd9@LaaX&GY+8J86z9);Wcm
zOEqNs$*T9wDs5#P>h<k?V;yZTs|F@lpT`(>nl*fHC-eouNJ6x6kG?%C*Qp{6mv*ht
zDbWe>Ub(*Er{7%%2B(l1TOt=^GNNEXQ%yr%3*^wV$w)c^bKyDXIxXTOMW}yg!$G*`
zZn-C~z@+nQ@?yUvM_^a^aSGuNCfW@XI4UP6yPPG5ib9h@(PFYU&Pg6%9^nDyqz~_r
z-4N-}2-|xWvf)zG8B*V4q3eGaWxm5~UhaQ%v{B*Ak&{jnpBL<zT<qs{MZUE0m=W0C
z?GT$$s2tWHFq%$-g$fagy(awHV6N}etr$+r8qVoAq|W6Tp9&iN$#xaL$8HAiCt!-F
zVknX{|Kt^8B(d%JWPQ4vWZTUIJ{Q0GlU>1CsDx{0BvP8BoOt51XHyQ%SJHVWg^^V+
z>YLM5-|WACli@x;;n+1Wvw%9VA@0~~200PE&}Oc7dsXf!{_6~!<D|MhcrII<>N|9b
z8KaaON$(YcoB?|GDPk--Ha3P@&Mvx0<h;gh0m3H`h||x-?`CEBeQt5)n%>|2*GsuS
z=f?X8^a=J80#IdptMS}9PB4bqwQYO2t)V$wge#>jk7Nivd=$Z<-HhGn!hXN>=4&fI
z`@NDdq2cE*tToDSddXMT1f7jLFi<q@S?IfD2wmOq4oTo-pT+P`M}T;8fq6%Eqdf<9
z<!O}n^{L=&S{IkL8T%@$zcc@<GfETDSD{iTMmm@8EMlS2c=9Y#S#7oEMFzsTUVzf(
z&^N-gs0>P88+1K`(8((Z%|JxO#sIS;{sOrw3~|E?@#T;^gJKhPr9l}&mYgI2b}a((
z`*-CD$QX5AS8JZKtt{LHev(rEr@edB?L&Rrv=pIGD473N=iGDvE;JJvkHl*YHy;aH
zCY9|DgYLZ0u@ugB>d1b<hmj`tV(3q+EUp%@3BQhT5{XUbL1aC6B0hYT8q^?E&$<Z)
zJ@rt0r>s61c3K!9zZO3w_<5|JkPnKkjaYb#6S=>BzOn@vZzJfbXP)VF9b<C6(x6D3
zLnfroI`*at<Ja(QZ<erhX+~b0VdoIX)d|N>zn+zjn&u6Tpc%E*CadThQJNQ5Yqgx~
z2gX&u<tSw!u8gy7)<iePoU1hi9wDfN(}LjphPY1bQS(psyZ2%FRE0d`Ph}-aE=<zI
z#+4ylmv?t@{=yRB-LZVE>LB$Xrkm(SJB=x*SrB#$<MWT(waXZpvZ_=$Pk*V!E+laA
z#crWgzxAC17zHDv+PfcXV;uaOoL(RLEB45`n#Z<~EBDVf<tp;+zK6bUgb0%QarV>$
zEB^hR5B|C&6clsgVdQz9h!JX0N=ZRE|AUYRyumA(_w_sjloO{o4XXF=R2)Vn3<lTS
zH)pCChcmbb#%_ru-XW5g9IXWxv^T}G!>q46(-|S!9sZlrfZIy9_OU#l&DgX1qstL^
zPVoNz^+bkw745`+NE~uH@H<ML+M2J!m0F(lHKUUmy)hksnR?sc7&|XX#;By>&b<n$
zEa}eMW}*U+IMk*0^&?Kr4fX?9qpn1RUxVJ}@;x78(x<M?&L_=?0|w$F@*aPS@cjXO
zG(^H5Bue>?@`_qq$&i{6I{Wg1*1b}5k!L!X%kOheNAAcOW>Uc%?{M@8V1T0&#2@CR
zZ&MS1Y+H_R&Jo96b=(cPv*_`_8eo8nTN4^MGqw=9OB;vm8k$g(KG}(98&<!#YuJyi
zL8CvRk1rnGJ%-M-A|31j^V6s2_CQFvSI60ic3H>ZLYkMyDzg;-A8l_Q4(0pz54S08
zmLyrHFcBdt8iOf2*;UAv5GvVsLyMhe!eq&oCHtPnJ|g=ryTO!wmz}Xa=a4?1?|t9D
z=eVEa_&wKO9hvLA&gH$G@8$LW3?#hR&nxX>avjvNM^=)a#g32=qyE@gzQ<7;d8Bqc
zZyPxOdhS1it0Kv!0?pNh&%M4kq9%W&uIM~Yr<-fUdW1EcI<IYXjJ5+7I_5ng+wkQw
zMj^vyAd}<%$asRPTPPVXp&7Iyt80s5NWQ?5+V_}WBunpOlX362UhwUNX2+q*lQdi*
z;$?ZBM83ZjR|hw*Pl5M&FzG^nwb!3aw^!0}u_LkHy-$(+u$)>G;BLxri{#%t)Ef3*
zt~ZC?c{Jqzhr0{>&whsKU*~44?7v>B%Sj<669okP_2S+?kP2K$>dwcH8-44<LqQ{h
z^tA4j`9J`9!$1!8clcfHFfyCT{nqYl2*7;;{+#x=KW0NoMJ{JS<2F)4Yp~j=DQ7s;
zbY{l)SYVXsWUTRL;GxKhmZ(c7eg07Ew}V+cP{NY(WJ-_zz|%7F_}j_N-vOSDe)|ud
zwXq}BnfW8zn}fbZR_>{K5;bi_`6H7fRwtX2BAr^^iCzXb&W03H9&}hBs@ihbH0rot
zAocq?Y|8r_eXm(pHULY3$NEo$%%~LM?(Ai}pi(ioti&6GiGI8I2kBcb#X8qB=+XG`
z_wk|5YqmwRTxkXpax@I6<L|D#>IZnP3SALD+hTC@Qn0W{?2?C!{9GvCz#7WcOv_f7
zp!#9^JDU<!I63pctLs)~_N=lu=ikP&+=^Tlm*ei1-RoL)D8S(FrkdO|RroCdOqqbN
zJc9(i3TApyErWLq^2FHT!UjECaT&z@`x^D_oAJiL+|9#%Se*|gGYgw|r*j6NEbBzG
zFf}rXgn)ETumZyaPx|Ln{<Zgc<wm9?-DQ+uL>or+gYjy3QRO3vy0#*ZBNB4E*0TUu
zOCeM<$<xQTA@2tIDX9Sd(4oD)f+XkY12n)Q{uvz<NSrdAX~>Uq5tHU^qIic<;Nu1Z
zS}q&;oP+{pX?8BumU4~bP2Eo#>^_3drN7d02%!t_>SQcTz$+{*&!*P8B5K>5g(R<W
znkpQRjz9dAbEJ`d<0r$~FTv<qB>Sz$XS~9+#N}vQpBBx)n^9ejxuiVyZ@qsK$Ai_X
z!WzELZnF<N3j^G=H+4qH4@c#yWa|{-p~2-wUPT_2(18>|t!P}-yu{0MB}o?WP%{n|
z>*3>mSaX4}o0pAk2lJ9FlZZJhZpq;nU(-{-0oA?w!uVHQRm;|yYW0;~VpN-J`}m)q
zW_#WU)I|k9gZvfV9Nrg_!#%+acjYdTKwS9$&W~+)arOyc4ylKXrQn~;PZDbi?z86m
z1Ny$T?|1$;Bc>SxP6kgWDek%F-2CHGHf8_vwCPj`NNwBW^aC*P|M!g5XUrg!hpw%a
z?YDH#CPiWn)%)%<A&tVQt$fS3S7!?LpmwHb+KNaayN0yb|5{piXQM-xvlnDhgN9FI
zCq-h3Bq;MgxWF(_*d%L`tppWsh|c7lG@npe)R|-v;Ym7Cyyq1=q{3@Qci`ExTN-^a
z-IY-;I0{Nu{-EAl=XwW4iPl{bkmlTn*!jdT#f5qC{CRMwo^u^Yd>V9&XF|A%^kgy}
zxIN16D`f@-$$5~#R=|@QmnmKc9BE;9)K-?4!@AA!STcOb!TlI4bA1idNF{PkzP|7e
zX!M^*<P|B;AdqKu@;LHyt7;Ib8KP&9P`~9{r_Q#ZM|2;P&L0Td$Ek^5IG7a9$zL(O
z4il*GA;rfJ(W>9)OxZn6hWu<PBgX|-Q`1GRbpB0xW!W83(-pQ3QW22kBd`F_qb^dk
z=1yUU6z3#5=sqc<bgH!LgG-*#z8i8Y_}(qM)ibqs0CMOS=oPt_B6R2z7YHORgW<QW
z$CNBUSogNYpFFSO7#*&9oy^&O_1vTzYLMxvcU_E~B&ajeXKn_4^bU$u4VwD)`siXk
zcUD4TgXklHeTTtL-RHLb0GBEIElQ|FJbP#9+8}oeV%If60q;fRl>R%R`2Si+a;QEj
z5ullZf!kytA2?!M1=JGFLCx_SB<-K=CXL=H45U5_zj8kdOq6rrwKHk6IFrEL0iafy
zv)kIPtnDSpzki6c8E<~9PeKX+#DsRYHnUx^-T*#$kTodL1n{xr*;fu9ot>Sv2Kl8)
zouvRu-<Y0<evfj%_Wsyw?XtI6&`?-fZf>AhsPicShb$K?wx9J|eh{$lf?MYZl_o`J
zKpZ)+1Ee|zqJ)Rq&N7g?nD=7MwG#%Kga}M#hNU11E&!-O7Eh|C2NCreMBz<v5Txn6
zOSlp{0@_{Cout<XT^tGlTxENoaq+m3va<4{%|DUz|M-2fidsxF{VC$&FLcn>5M3E3
zh}u(PXQ!t8js@~E^Q3S?KJxv&i5_IFzmis42@G;Z$TD6N1J&o&!|#OZL2@t$i6$GP
z;6gv_K~OXB(vPH2hvM1O`|gAP*a+Yya)!t<|4M#66pt3;a_F~`VK)+ST1+72W2f9J
z1nG@GWJ@hfO*wgL8#Vr(GjJds$bpblw46qkdUyL|qc*6MA}yXl4tVI9&!!l}9Y?SA
z+bFX?UIxt82>PaOui~4agRz40WtE;GAMX7#o*8E^TU2?G4HQIsN_BHaY+1iCMP*VP
zY$h;vn4yKBeAx-qYrj2g=))}PG@X%8>fsmtaCfnRuVHIr>1{*fmA@353xou&IeH2m
zvagz2Wm7MJs?oys0MN+&y<2t|U({MNd>-@m1Z5)cQ4Ijqdy@CYpW0<`{`LE1HLsl2
zzN%P*Ok{vr__9{>8r)fpZ@x>TRLIygoYY%j|IqJ;xGR%fF`j)@cB@8NS)>L}do=JY
z*2u-Bc%~<Z&2D4W5G@+g4oX^CDaF=5^@Hf^71t5~nmL+TJQqZ2k3h;r*C)k#c=<yA
z(qU@-c@dBz;6OqOEM4Rx1z&)%Bb!S66ybdCfUZem<Hu=e@N1*55KF@YR^77^ek=2K
z8qLx70;5a&;qaY5fofCsgFn(5^LE?MU7ZxItoFdXEL9!YBo%jnZ~XI<cPJqJfgoZt
z>rqh?VmhP(|F=M>a^)j!FsAX}v>!I_N%}z0#=jWp{8H(Ak{S{CHy=L1(UCqUKNh3I
zK!QR88c|xUaSh}ffeu+fz{Qh-RHOy_ZRp98lvp^4=MSiip8)!^A02cYKD*ahq_nj3
zDUnnv0NI|9SzN_iG=NIGGf0c1uT8*8f819BY6-1Dq=XUla@4`<<Gle2aGNn+tbb*p
z0kr!3H`jy7S~hwGfl7gsA;lnzlj&Oi;dn0(;f&Z%N}I3aLD4Scdf!IBu+X=>rD9`-
z`z$bPU>ASWssp=FL_7tpsT(?xiD}UAni}c@couXQWL=UePIA-Lo~6vI8&T1XdXBLC
z-2dCtBcmIA8cPzu@(&u<D)<@Y#Xy}tiH(m>cMO)gj4sqbD7(z=B(pKxip+~0TEnfC
zc5upQTYQ&+Z;$f1!_GYf+36|UeYh8Je=vdGT0|kKGW*P#+E;17Nsh&R;dlgCvq|5{
zj#hq*yyIpb*Uj{guG^neK23Y29{&hC(iLPhxp|EOn(+j61I*)n7B~}BuZs0xiPItp
zi#%G?<;T>`Ga_zV1psT8BSWb-FaRV>ep?s~)fdcS;3USz!DmnSxN({#-S7+$E@QSL
zm87Y(fYUSH=W1bng(Bw@3HjU?lG7qVZSAdqdZr=84-Kc!(9*EY_d5+CnZg*%)L|Y$
zReM}_2TBXJUxA=*4T__#gmtI}V$(t4Yqa~0Q#jn=WkN=am%s3kn*Ltrlq=5)7bT?O
z8HYc6`2er2{=BluqfEv-UiJGYTF(Vs)*8Yt47V|jR%TfG1x?vcro`g=7xGU`sjU==
zoP`IoT`j%Nx5?Qcc|9!EVNB5@cC!CdMh|r)Y*WcAXjW<0?VHAr3DsG|EeqS-XJtj#
z9GKhRwAXI^`pvJ-Nv~^R(hE9rz<<<74o4akf(<l116YD-iL$8eF=!cGdn_2>vIyM1
z9R`|?*e}O>y%xOFVc8l2pdL+R)QD`1pjo3w-gZx5NT$jmdak3doQHs#P6NQF_*Hq0
zYxgx^D*)IL!kqM4E#wvdw_}>U(q}#buVVhW*auvaOX56bWp&+rmR%gwD$?DE8q?})
z$nlW0`E~o=L*10)@>*EPvKP_%NLe0EakIaMe_hLmZ__&IT3^1y%nKw}<tkd)*#%7c
zCW>_G8!Bo%It8u$^QuSXO4H#T)#G087*s&woLgROJoCv({d#i=Sw>bbaXEaxcH;I`
zz@;W^z-rOj0bU@98chv8U^dYTKMQ-HVj3#b6LJPR@VNf$_hsbGym}m}jY`3og5vZn
zTo<JxkUP+ZyQhVHX^8!K%N&v*9go5)o@P7>Qr`J~IB<H{V&(A8F`moApvdBtv?^c?
zFK|zcJ^bnT>z9YjzDqKS_X)Z^o&fiqQ&7+?{!{P)?SF8}Rvc@4f8~=c#6z8Ig-ZS@
zrBCiLORX?58?T^d@(Q0yf!WWv_>xZzSuNZcP<#=YI}@A^++Gb`+1HVS04h`$y@fKo
z4O+w%+idk4Z(L5GkDY8`+%pGS-~UStrDQUNn%02qtyeB8Ari9^b=M9@)HAR=4Fm}J
z>DyzPNk-qsj+;!DKT8y|UWr0qLjo_wh2j|<wu@i9gEsi!c}z4uMfeZ)Thg1|D?W`e
zSY>byt+oID!WHCuMQq^vL|lESWw!{Xk^183sS1I69{0@-N1bi5_K3RjxIuIN9q|V8
zGrHu)-A9ja>aF6If>Y)}h}*ZJnR@vtC3Hz2K#L1>IxO}$Bh7ZTvtk&smO=wrSi$A`
zlNI2z1DUL*I%YllI$$jz07T4H^v{BF-!I;%wmTV?f+e|;*<3Q5Dd#SKyirE8Dh1-W
zPY~~KoHGbBAAf0r1z(JvXNpbWGV8q(W;<rL8apX;k2Cz)a3i8fISwEE(Bds2p&^Ts
zxy%R>n=RPtp2H>$B%Y-`_n6CNAoD*N?U{f#!TQc5dg_2(IHVHyZ^fW1Dl)OxS~K<Y
z{};uA@>Q|kT0eQ{6~m%3?_VXhmpkP_(jsV)T&=Dw1gWR#9a_&FK^c&M0E(R}{wlIh
zL~-|sc;UT^*Ds);qRvA3if1%P()zyKgoVxh6QtQ+`A1Eq@-64XQs3@fmUil-%r$r9
zHi{{msW((R+})<fNBr&~=p#+iP5V_AX$yDbW9qGj`9>e>C!cMmSQ=@9#9$my-cyTh
zJoB!$YGMMYhKNCv*!ia6x}pMyA~w6PACRT(OztXT#09a*)141`7aV4sV=$017++7~
zVrEdc`)yVW1Y_#aL!TD^W8xhI<nJ5SYiG+$E9AO^OLx_F#s*>nn+vOU+FCgzAg-4n
z1-R|J7YfhwRik&XUGCb^gA?5kF0eswMK)5&v+PR1c81-#Bet#2D}GO2^j7)o6%^v-
z8vb3BMycxorx|EfhY>yn&8T-}SzMaIvk5G&20jJ|ubosxJkx&vvy;0caklppyxzwa
zX`ps)Y*-L>w8A@yDUXr%4Du9m`q?i#s*}oiAZN~2;XwutB-ZE_wfw^)u}0<5+aCi0
zTot3w0ytz9Xlz-ND#^xt^%2-LT-uyYgHACY@?&;57CFjx&<SSsNpH;s8rVR)#5`BL
zM_?beO}tJFwmuwFzg^@0z`iW_m)f(l$G_-2E!}7;vz?+rLZ^Owm)5NwADp?TX!6WK
zi%|BV1%^ZsC3=~|^VRwrtcQQRNiap0$D+K{%Qpbtdt1Zv(rj)43umeeg&n;q=n#1S
zdp;RLc<+k+TEkmwksnuLkRhV|4HxBCXM-VdWKv(4wY%t0iKV5jKDWb$6B8xdl5^7R
z+8gn@#!ZFIPBVvrcJW^UF<(^aCFCpy+i*0~=XFE$L!3%!3SKZC0)XcKCP56NyuJHW
z=%|p`!qVb*{T<knUITB@?=Oq<dc>MVxc-h4J!0-lpwpKITHtEH@2s{n4$m`!u36t&
zygaW&x{iO4EIoN5>RanEjM8<}sT*XTz-j+bQCj}Wo8-1jP<~McuZ@-1_g7BStQwsf
z3~I1`!$c!2B`#>9*B(k!R5eYoI&z7|$LX?WH5HczL92HKyX3uQFo#SW4PRAER1skE
z0WCjc5d+u}w}mxTR>?ek)UacMkrt|$GHO)1kIa~0;=96>p$zYO+8e(1nRZ8{GIaE1
zd_J?;=B0BxV^-;uk?$b_^1w<w@n6@yGZE^pv@^{YV`zHY46hKqPQNknd{-7VxR|A8
zTxiz1{yJb#{l{tMO|M871wl)Y{4YCt?6vSI0R~nSD*a}A9re5TcsAWzptHmTKPwx~
zbxwc$gk1eu-Q`lcYo6b8sSw#GyJd*hZ?5So*$zr>2D~<9zb0RMUj9PAgQPRQR;<n?
z#+ZC9NPH<w05NfI_J(ejk$W@l;w%SMm=qSeAlANc5yTY+UvJYz3cY38yk@R1iL!gr
z8;&rE7x3z!9$a;b;noek57}UPUTVAP%`x(-{W$37O}=f8+A9d}076N1!z-w4m)Jsg
zQQrBchXNVejl8!Y*68+qTfRxqKHGtB9(Bye1fV&qSdMsIf3&OmWLd|9vB>EBsdAmy
zml_PDlQ$aPEr*_IV_n(s3@Y4gzJe@eyL*3dGrd;j$9xUUt4Oy<4{0IB37Rl`nsm7-
z*+6^cDS{;)V7iU<n3&<2PoA<tHcOB0I$7qo5M-2eS!#&irjtl60=vuqA=^B830;;y
z%3L>VoHtgbVtgC5FLF5EJUn{BKmz&Ni93D}RAEu^-=KMtC|=1A!a+RT?3(hy+#~gR
zF<0;8D!d=bj1Y=z!q%M^H=c$UFRv(_hA#D)NO=Y65nhJlb{8TB7FPV{z1MeI8}N48
zG}8>H=KFJXY8rsG8~)k659h-)?b;1@?N=lOwkQ%;KZj&B*md8CF*iy8B3a4f-_ktU
zmBn@`iLeeci+(im_GKK=OU#nDdzD{J;2k|#_~q+ou2Yu!dIZHI@h67PpO+`D<)!;c
za^7O-U_TPwW>$u~KKUBWEfbdTS~;Y(*&`_B6IWYk*|jfQDyEqD`I#TxaE6bg#Vz8$
z29r%=<gNtRghpwGM0Gj2ZH?hZM9&S|A>6LNw55L<1KVUPa$h{VRx!;CW2swdr0@A`
zL@+ViWCc#5=^Jj%(#B_?Q7bp`zby0x0z_CW7zYr&-FV<cJ@iVL`aeV|@GoaEZJR98
z5jM5L2@B85iRoKy@3my^oRdFZ7;3^8Pl;WKDT!LOec>?ZpyvyKDW^3)pLpM9+%YkU
zccU8Xt{J7sl!hLOZ*!748Yv=vora~T!Tt>gqbsy@>FLd6`D_E@pkni0Vl$TpXG-qO
zm%LFf#y3vW&p(q{$J+(oxz?Mn`;hgq|4WUyM(b&7CUp9AM!z{~E#l1L;%VrEF=Plg
zM&YZ~81n$%<o44vq1cy+t+&?c>#Wn?fjm3+b>aghP>tG2_aBSenR{z9GRNrFb}TqE
zX?6GBhW`9+fKKk?nVmKjJW#36?(qG3ng>p|`aeWN$JmFM_q#|U(~T!TR$>T5SmDr*
z-{kc<AdUMDoAc_d$o$f&Lw7v?gCc;FrY`4unT{aW_G0%JspZ9|`V)(~Mszq=Vd$*=
zVZ#SQ0(1E>dn(82KUB^;Q0WA;KPZO%H!~b~$NqCcKPFxlj)pvTx^?YQ9;YVB8GUH4
zav&Kf!@rKGeHfB|-#q_|4RYY--M?~o$pYA=fB^QWkn*`Z5eh{oMs0JJju=+UO>Ryk
zS&K}9%2CCQRP{;Y+b%1Vc!C|9wR1MSC-Gb#XaI&pp<;yTU#RmF;XBKpY)J`)#(N<P
zFdwyjIFX~7Aa}l(2-0AQE22?)5K>wR8)!AO{iE<f^w#hFEF^|>jcoxP5N>8zmc#{+
zdXU*q2gKB-)^3Ft8U)gw4H65{#lP4rHtr6Okte9;qb<penYMkI5TIjOQr~e?#;ERr
zE9w_|j(^GUU3@VerTc_&%V~DYx0Maq`_$>Fc8OtZy`#t(ym$V5W0CQ-)9K*$wXld4
z?asOSrdL_3f;9v2T)b|t@f~Ocs*aa#IKZ_Yn$JJW47#7JwB>@<Y-0(Lep@BCBXMt5
zppQt2T%XIb0!SsR5pe}&98HMoGxy2}i4~3GxV~7U$diWNq@2uGKlU;Mfem;+#4AYj
z2YtGKJGgCKef~-%R~oRL49j)>8T16*Ht?JIW}DsAlvhZ4!_1NF-y9nA;&NaLd?`nL
z-ZQA~cVko;a)KlN@>7=B1m5`h<d?z4XLkfS3hqj3Rb)I~5AUg#B|L?j-=5CW7MS>Q
zSkAXbV$xnr#8zN1i;=weu+cB$N&IMrgO+0q`qdXcj0mquvk1G4d2cTe7Vi4Jmq0nN
z&9<TZPSFWv^l_UjnDm`m%Qc6)c6R>&+{puEjYA}AQv;wFy&WQ$Jht&5*2CUs3uj~n
zXg8jGBoFA{n3XLnsfY-O9eL;^u;DovAeQ=slYVP))(Z)8aJ|JWk9;?sNLbN&`#Lf<
zfhDVQp$*q>7&YiX%;lz$PYjjmhEjzU%>r0onS6D0Y4JNJq}L4$8Cr_|NJp||*i5}+
zf1_9);>#p5%<yMNTAN$Y;peHD3IM3F&fCazq5yO;jO2uKi`Pk6kCbW{PZTT_yV_)(
zK{_g+UfAPluhL3R%@?)S-ko<$*hZlskTnO#zIpQbHOEItFM_|9kVUHElc>0u(q(~m
zi)TA$V&bpuIvO9rGkD}3y8iHhlkQ)LH4+59mWK5?2lzg^nPN`y1{sg}&rX=;$~t1U
zengxSD#2orBln&)H{_>5Kz}$U2kpkqA&Ibn%Yo`i`W-ZzRyVIVaJ)Ko+<-SpjK}CV
zx->tkw+n8uBcK+U%{psC)AKSv<{Vna$jxHcv!eP<{SWa-5tM;gqcHwb%?BK$qJ}3X
z#swaArX+IpmpS)aBakTHZ*E=h<!vIxnUWuFd9-%KoMR|jWC+V0U7BQMTKS1(xNZ2?
z33uO?{)vTU#9QA<9Rxlc1$cYTgtyOu*y7m*N8ks?d6#W4?>8Joz(oYJkLCmfMedf1
zJa8T~rYILD8HF7BB3|H%KZP{2JsS7oa`>)s52a*Y=_Z+A<{ZGs+tg`xJ4q&9&iBLM
z%AMb1`3?7G`E<P|Z{T+*ev9AIA8}0ZbZXn#reeiAk2g`4>C~-EwvS3yP`Ve>w71Rv
z?#g&IOg*49ej6{GmF3zH7lY((A5YUPM9}<N`7M=?XL>$<aUE}xc!Rk{EkPWlaGAPp
zT+tCp6R)fEkz<seg7yct1xpFM9+@<t7c+-g59|F%uW5!~2qYYBGfeAmk(~I#_@qzD
zjrV(8jF3fdk)9HyPmtKFsNa1I6v4j&n9QJJ02odwsm;;LkAF~4Ph~h?@2!nZIC+UR
z7PSTy7^drz{1!wEGOM^efBG}LY|XRdb{epE%hr=TojgyjLXx%Z<kyU0Af|cR-TBT_
zvD0H0J*NdS90qN-b7$aRw(^LT_Qf%6wayq@kz5NC&g`qn*LW)H&KI5MUNd2Bx4Jj;
zynDhq+)jD6y;5v(({h||!^Qv>o8Xj1Sps`5{wD#*DIsC=aYU_ge;vUoRz>f#7<w`W
zwsyk+W!N`<Q+Iud$;2%&zQG<r2@)F-X}&EV5Ejdja%r>c+D%EQqj%!>lI}_C<Yk71
z!!QZ~k?fdsFVpo;C4AXh5}BsgV}E@2ZQF^{mkpk}jydDDVZSEvL0s-jqdMevtk&W^
zSL~t7_=Qs*C%o`6W;6usH^Hac^Ci7I5_VQk2}v35sGk{_;Xv-zlQS)?<7@?kv4*Nc
zCLFp}u||4`wb*THjHY)Gg0cQARPmdmj+a;DC4MR{(0*_w4<u$K8TCO2q!!&}rj~tB
zkqRNBTMAA!g3a3s$J_~I$M8^hxBeFWzHy!vn@`ifGEImGa-(WlxkJh4Nlsoxp!=Rp
zkvbm)ti2DA)37MPCEZZbfSqNQ7k>TLEw<4m!6^E$|EgK^D$`U_MXV8aGus%mDg~!5
zN=UqSCPe(QYJpN&p8GY*V*UPLgTPHGF+!5X2??_H7>H6;_hp>U9ssd+-(uWWi{YF6
zUF2sbbnA}5Hq`xi|5~D02`^w|XOW|utzHUdlzeqEC?pM?@XKEJxzi{8@6+dVgN$Bg
zq-=Afm9+Rr;;;Zln1$4W`X#xRmr8E!uz{O0?6T4CwGjHriDP~nvduS$a0PclA(DO7
zeeAI+f-M}_!2}0`asp(hMP_kLefi6$2K26L_4J#V?<H>bH+E6V03q+&xkG+`r8RKG
zn1j+Vy`NzPIxcxQ;5JRk@~SR%g;PK4p;q<fK)C1&-0;xhqJAp**^{P@uheXm%a9Z1
zY=QN8d^_AY!ARgS=Xx&4O2nJ{xf-mIP@1c9XKx_x$h(@Yg~V(P&9^Y7-e_ECIDhlA
z_apo5Evyssv`!=O0f-xR^OOz$nx8+$XVic#3$B>X*ow(&-C2}K6gTP<Y8y@DBj{&+
zYbjN?NWk*ZzbUjUzmx7WyC_j-G;#6dxm%hYxd|QWMeigzC%e+_%T6{uPw>Q4LC})d
z!)F~HJgFr3lrq8f1vwQN=GMCTx5FgSb|ETi8wiPB)K_bi!^oPrD^B-yOiJZ^&V;b!
zbR05ao5@&2nSI(;|2*x~(L;YdF}iF7^<2|2|8%;Yu-xCFEuUWK3oeB~F$#>v$2ua6
zR6qwwdCqUEZ~96)@b;r=xzkaOriv+LOAK<Td-)s8l!u@Pf`b%HkRlIoz8BzJ=ic#n
zR9p_u>dTjwtiSrBop@^QNIYLK+oS;M;Y!E2{piEC6)YQ(oc;6@@&2C+KOIC4VUGUG
z1$0e`2rVT$7F6%1DkKnK-&i>qlM&{`&2H<vlze2Zsh8DpV>!7(x*ODFu%N9$aY~fM
zrIVO<J1CAyvR8h4A^$zc)SvLi$$t&K9|ZYl{X7zT5vF9p10MPtuRPFte*=;G`8xj&
z*&H}f-evx8K!H+U;!iC8mO*?Nu2wdBkgS+OB=y4r-LUKo)ymEYb*zGD(I?G=F-Zlp
zM~@2poSF>^>(2aAlQKUU(DC2;8GqJ0Domr~B~kYv$&HJWav<tqbiTa#Qd<oB_YMzS
zeE4+04Tx+p++9$M*tKo7)lt`ByV+W^Ah-t|W3KSq6;v?=w*!m%4*9_*9mE=FgEI%G
z{u@G$qD<>Mkdl;~S=|h<y*#{{i66~4E_O_ci_2=DaBQ&&p#AQhA5)M$@FTNPF!HOv
z{HO&ZH39y3JSepb<Q=0xIlSfXumaoS9u<LMV|>b;-wDgc7dt~Qz6(vicbbyajOIm@
zeil+%;>+XOi{#Mw2HV^5$Cf~9rIyUuD_9|r0m+-I3;NL&ZnA&|kml;ZiodxBd~@ma
z!D-fmjN~a}e5tN(;Jp$T;qT_$pY^0cj+<9MpMEZolaBYIQBvbg=^$0f<RaAU$lbGB
zFC4?jIn)h8g{)gVJe7VvO}ug3v&uW@VK(ye%}DO&oZ&b{u3UXT3aHJRxr7`~15Q7e
z$>z}R?&^+M-(Xt$y!0fj<>GkEQh-%oTN1N*jcMm_Lki#HYBt(4C)qvDSH6;_IC9d%
zFykEC8!B^G-&4mABLhAOYC=oM;_l}8_9a((3&y=pQsgmjCwgHYR$*}uv~x1}rnkhn
zH|BIUiA|e&&$GU+^||b>n!H=s$Z%<PYI?4>^wB26g+L&bcAcZ94z%Hv_w%XEX;tQx
zxworS7jdC`=HxT9t8KAgNI$HwWo!ag7-!TorX(j;v|V0>&t%RMWtCr@=Sg=Mn=NCs
zD6_<#Z@hA>DwtbdY)f_3TX@<hR6Xb6W$UXWV%8=mn&T8Lw_N$8<hC*{I}@p2QiCU4
zLRC#t66NV;-FtOYvc_AgZrec`HH8W}{RpGuhH+5BM4qGFl=<>~L)@@$^|X)4j8Yvr
zTE;4Agbf#3DCSV2q^H!um*MZ@<5TPV&saSDu#JhR_mrSTXWWlWPA50K>fluvpS+Tr
z#V@BzsSk2yj`;*hU<=e2D_xUDz86MoGtOhqgZTu)&O@anM>HomLUrGeZ+wi%)Y8Ee
zjYb7;594jhx{&KSJ#izc^I%p`4Wvl%Qg$*{ALDxewo6ZUxn!Mj%)4VaZ>>R|+tAvV
zwN5ZCH=W`SLIF-6=4GUS>190FT=r$rU`t7EZ|O1zONXh2uo`YC)s^#^>)SRdRz1ys
z!_Jh&3ESb1*gi6Hd5gF@q4bS5j$Klr-%#0-(X|BrMoZK085-MJywki?oKW+ldSXYz
z@_Zco47#*RXPk-Rl3Me|Acy<~{L)<5a(BLzq@<(~nO_hqtM#?z;0CSng#N2ewjx`B
z#`BSI#`QLH(tNZ$;}U#)m`-nxSa%iv2J`K=ZW+2fA6@)2yoCE97(p`O6X#V{)*5j{
zVWeHN2d5K-d*H@xr**g>=!RlH{0gE7`Ochks)ZFixeQWZk+2KIy3ur-hmv~>rlwW_
zdmLyO8>7=KOqvXMtV8~P{67w9Ovz|;l?0`zEz0FWen1~-A0#Cy4*#8-Y2g#A@6YwV
zI4X`NKEFW6gXevuW263D+q!+|qkmCM{IHQvQ2w<!r-|4qQSkoW>yi|d|Ga+}Q(|CM
zm2LiwR_L0Z4b`T^Pf4GkZk+kT-TC(<dZG?w{<~>RJSS+NSp~mt`A1|Hn)cY=Cvh8z
zaJ9t$Qo<vOOY(ZQO+$&y1n9~CzDKB#ov5I80-Y0+gIt9#6?7vof)ZzLHJhxsH?<Ke
z)q@?juU~|-ov0XD<gFXn`KEaLp{li$_lShQ_gtZIKkxqD*ZyVqVox|n3mv5J-r_AG
zot&(f8jeYT7Qhn;{f8fN&qFMVo?5A9AgYVm%lG+(I`E6fU$RNKhRD>#sV|lkU*-e*
z*uF6EKds?^K6?&v%+~bYR=@Sn*M&c$A#ENtOyuw9zcklTL0ihv1HbR}5Ap*#1doi*
z-*0!p_(}f;Pc6m&L{dGnn5~}@lxID0?UfTpv?L|%YbK7_gus+k7q2Qi)o1JNZ(wqd
z0>%~pRU&r&CV$bL3)F!F{KDmt#-v$*XXIK=Ag9x8p}Vv=!R(3c>uap6#fG+TU=4py
zvVycN|CPkSw@XI*5p4f$P(JPcjaUahv8`V+>kHGz1sSaeH2B19d&Ew64{VId4DbBT
z=hbtFZu;t<kNiy{!DVOCt^|H*kd7OXSnC%!PgJ6bKW#)!-OC(L)7WNJHRRP@@^s;2
zy<+z@UM@k6{_L`CFYaf%@#E?KLH7*iCG<-RUbbRyY5N3aZ7zT>+m0K5$3pKBEcE)F
z20qPFzbqV&C3A<r+b8vAu88f{cV##pR#t5R;c_NspCF-YnHRC!D^*h6{dtZ}XEj6~
zIaHnX?{4gYkeTRWbgu3&({K+v59Bxdr{wp4ah!;Cx!_uF)U!u%*3t{`1L+!XtcMxl
ztpl7e(N^T2snwsrSt!A>GqEbWHB2EtMSWt4dJ^J35I;+Oc3LLc#bv5^7e?4b1nHVO
zXg3pnP1a!dP9*W~S))RnR2P52+4PrcWw3kX_k5KAD?Hkq$mujNR3lTNzj52PvRw3T
zAe^RQO>pj{AKJ%Loz<YS;ZZjdO+*nt@3c8WjALfMT4=kr7PIdS@Aa2M4iuu!P4h4F
znRU#+qJj(;EUuoPD~3~FUQ%tdzDn`%vegDNdVII1F@aMHNl8@l4Kk2FrduJCk66c6
zeT^5~JG&dG1DefM4{?ybU|_AkL2Z@0P1UR#&*?;^y4Z%+$~t%UyA?@}%)b3218DwE
zq?qg%KkLYMNcW(-!^roF5nlJ#+Nz6};zoAhP~}w4$*6t7+WyZA9uTb4vQlligX}8&
zs>7?e5$8B|Rs-6@=tr1HTILph{G7wSAX11sknc=a(Od7ESjM+~nuG~3r#w#iW}l#y
z8l#VgZu7~b++{gdr+tEa&9ioK#ey2XA(Xqs)e{8!*-v|7Xyirw!8kxqU^!t;P8Gk*
z-l8pC^7lBj*6HuuOqiwW_>=T7A~if~B6*Gz(b`_-dz@`T`&Y)M$8*BQ#HpZ5{BtfZ
z>A(7tcsx?^AGxr%pQQi$M^t_J=l=xHK?(L5q%D83&+ut+32%}~W7PH<v8e{>2Qr;R
zCi%9J<@)%{pxRE3UE7;Hn1qRM(;P`={GVk3paIhH<dS$#OPVCZ!P9(hr}f=|9#zGN
z%<5nZmL%r&w$`Vm_t*C0uaHKCa9<EA8N21*eg7p%vgQ;Hc}-$<KXEz<I1Ql7Toz*C
ze2m!HJwpLVpG)f!LL?O)pmbg4MBK<(e{L^xccfL@EumQ&*3cuPXEh>C959^n(F%X$
z73%n3afAwi0rn{7v?z${&?PAtdg>)k6^sZ=X7N&!Kc)NnfQ#h)nH86<b-T~IcK#5H
z*-gp1Zsc<_m!+ZR=|^~PoU_${oqp-M%8ON31eYbNAH^og>hg)S{(BVh#veGHNSgCu
zCo_*<P|Y_rs;#anux#{oB(Sn7egW)brMl1atn9pG^#Wbdk2hoo#5TQ=Z7jR@tgK@$
zagmPRy69iq<2~=?x(tV|okndB_ffi+CB%*J-gZ;9-eKzwjx(CG?N7t=$y+Cl?zk!D
z>G%b$%+>Vm_;6}T)h<=<DG=DeUs8jQ`Z0c-DA3O<`Q=v#=SClwsxy2tkE*gcBUz>>
zRVRb6FO5OQjU?3e98=h1)YDW4BnUv6*Bu23R||*re?G*BxP^#6p*fXL4fWoBv#)a^
zt^V$TZtj-jDrTZ!D==cf&6e>z6df~)#@~#!yq}+dG%=bB=y%{4=|{ISz2S6f5T)c{
zao)Er@O$z`Nq|I9dq!Gd?pDESJftO)069sgYol&Pn61ISjT@PR?b2ao5Y9{4cM43@
zapO6w<C(G^bx83cwXkc*P0E26E=eOiYuBXeC~>oWR>gayesYgGNoF=|np3|1b>XVH
zKc(}&j*nE^pM1egZo?i0OG<X_{T!RPV-ZSv9q<Yl={H8tiFJF^1lA-4X>)o%x>=L<
z3OxIUJT@^#=g$~pdy+Y0l7nvl2m6-w|E(b?&}AD!yJJHOX!orlk^&#1Z*i<Xhf0Yz
z?~vJ>!AQa$BWt%S^X7^|Hgh1w1pxf@f`+bL=e3^4@Wsn}a>iP1kJ?Dn>_sVWRVwS~
zIE{Xgpte4SU8dgvcOvk>eD{c`YdP5e1%-nsi{$$=%L}M|lNQGF&)=Fqhw2HRXYT$r
z<j==K+_(PTF5N&Z-C*QjgpU864t@~;srLE{mHayEFH}0Icn>$KjWgaD@XbTE3nAO}
zwn+%lyqSe#AM4zh)bs1dyWO|D=a-J^uRPHIYH}JgJPhS?suRQaC|7AskN@<3F8yS9
z4M|wz*;z;LI+njRsb_=VPKA_deb64$9+yQW55thogp{xBp|@(*x5q4Y#;QQG$3<h_
zG`??QSnn#H{QlhaPW|o9D)1+Zxdi|YI^Z%3(uP}bg7x}~Q2pHX-`<E4jWxdA(J~z!
zkTLJF`W3MPl4yTgM_!Gg6#4y4Puutz)6d&0mHOMmS)1%vsz(bp6_GP)l%14@CG*I6
zJh#MJm6bW-OxJ++E1pe%WQg#KA^+h=6wBo%t51<x7gr1-aS$1MB$^~sB5lViyA(Y&
z4@j&xgxA{YaEw2Z>y)J`q#P~gb7Dn2X4vQa07p$u)H!Ie=_|_W@3^kvU}B|s8LxQy
z(XwRGa}3<z!!C3r+`rQGzO3y&1GtzpF8|l3LPeLR^4i3)sBw!;tc7;pN`Lza)!fWB
zRexb!Q~%lvv6=n>Id{|jsp_m=6d~!LGH-s7&-ljsy`#FDd&+lUwZ?s`CRFei1*$!%
zT052k(a2|aOK%G;Dc2Y5A8*t-cnY)BR~6Fze3fbiv+!UuyCwCp-nLs)w`-Fa<QqRy
zts1h)U|;ACIBBF}G+1mh_`<w%ckzXJ*KxSRPU#}sf>i`ug7y!;8EY5Ss#JM!oq9}n
z`L+KR*Bi2_SmF$;#){UaUE3iDIrRVwd}_#@E98NWeXp@ZY|b0bjaW*gY0vTXiyMPp
zZ$|{pM-o=)LG(#Y*`+IY43|Y`8}a=qd!Fi=#qMmG?x~k)l6Abo&Avh37KD!sMp|ml
zH>R&pQ--$`6Sn6{VF^(^6WwI@!qT!9Vgyys<+{Vh?6&<hN}gn$SvbA$VB1<D#%Ho4
zha(M*nb!QapgN~d;ut2XenEqg>FYn$Rmp?4&K|LF!Q(GLb{8OsJW;NxEo>Cf!ayS{
zA_`yJqocpwOopT-D@ab_5sdfW>iHQA-&|~K;-U&TcBaqp^tzl5A9C{ETJ^iI)i-n{
zk2e(PsqWcu7_7i+ZbUBx#I};Vo)10I62JNi9XN0PSTD^wqHqn1kr71l)X~rCX2;I4
z`vj4{AUCImPS=D}&nAzfDmq3fB*SQ+W@%XUpODwr-#js{m!TC2SFZL~p;r~a&Sd44
z_lNbgxnt6zPrG)kemBa?=LC5FaOT&dGA;!54in0;TM?oU*Cr<}7SGttT(!|Lf3<LK
zSaqJX`oiDq808I26$$WjepCDHFy5kUThpWNJC*)Fr%FYZ`bx7ZgG+Fk*d`@rmuL6u
z4UMDH!~;`uwzf-RQ#ZCJ2-`=^$yrw@y<uaLb=gzH_#`<@Lgd%<BQIM-kxFr#z4I&y
z(X0K;nw}Le5m0$G^eei{e7MI-m(s<!*5~7ln2Y^_UR&eP)-M|$#2GbJsS5OI$9LQ6
zp=a`mfiurykO2I8sF=vW+`TPFC>eaNgQSG4?9hVi#XvdbgPnI}3qm0^%8nH@s1deK
z@*vkCsJqGiWQnjX59M`_r9RXtsk(~&o0JSV#s*m<a_S@5DTMawI>#yYvjZI4*5hil
z4A07V8SX<Cw1?@d6bes2Q%_%7nANr@wYw_6DDn)EinjQEU(_bcA?$D=8{{f_@kTv-
zc|jVMu+1qI71%1RdrZuu7|cFDYe=8&_+%({(4ix#ucB5a3(Z+)wN<t~Yk^S4q|buV
zoOa7bhSQN3RD+yRy$Cz^YL=eo{Q$8<6RF6ICN40wiFOE*<Vj$#a%KM2>|bmhTe?<l
zQgl3SBQkDA3!n9gpT{?Py_7felq1fwA2oNa8ByJyForJ8)kN&w;7N)EF97{rE=&Fm
zCDw1Q!M6-+W_BFl;Fyc-No%=&?rbV0ih5{jJwEKJ!(DT~cA|t(W1tRu%vFs|RX1rT
z?<u(PRwpig1*TBcDji;Yf=x1$P5$BKb9ka5KgNcG-BPFOZnebnbe!Ir1RU}Bt>f**
z*E}tlG|rPfJN+%&{W!5$6rtwW7<~>6zWs{)5oE4+s%Xs$Lc|$Aaj_?Oc{p5?I30bP
zZSdd}7kX;M>=&ZfN=&Q>$Tgl_X-Myj@1P<kf6ZZ)sYhgYqXmLxzQ9Ip&1j%TGG0l_
z8*9ui;1Njmil=5-qOo3A?m_Lx=ke}ShjR{<eWi$C(V)HXOnd$weZ+&`hzPdWKnS*O
zI36VXkLU(j-rt1_hnA_j#MrbjFMmz%V0!pE7Yq5y=}R6yFWFcV-i~@7DtPCWgwHe~
zUQ?>DFUjAv#~@}^Oph$k(x@A`%wNPw?=tl0mK!ro>U&?^CR#VWwW99X2C~^4#0zN`
zf9qA{RW_G*q8gi0uIVm0_)ct!;bT`lI(qJ1gFyRBnQfb=N1t&3t)ApvBMMMT;Pmc8
z9Bxk*?DW^{BqC0~hAmjB|Fcjdn{}m+fjtEjbo#Cftx0=U4ii%)7MAVQpgoxDxY3}G
zTklZb?x@mr82Gv#$487?+N!;HpppWcHhR$8Jyjnx^kC<i$3IabWyJPOqY=~OnES*8
zWnw}pq%^SeAM4;mS&svi!8v^V`UeEbs-O;x-*fwrcHPLOVA?7QZM_s|e&9B0_d1Y}
zwZF=1?ygJC0^I!<3jrn~h9_$}m^;yZdsFsdy0v!&xwSpAXV0**3V0v9xc>v6##qvA
zj6}YFezEW6C7Cn(zo=#UJA`%LuNsdLOZrjZAOTky-oJm?fA#+~_7dGrg?`U)%kBn(
zPo|M1m8;GQ^=Gdapf?K)_AF4JTDkEzRM42;9vr}$<X<FV@edC3ZGSFfmuWn$zg|%_
z4Nki%$!#i$V&4>&RNC_q=H7Cj&D#Ddx-+G}on~EGvizA(w`3*5LO1%T%q&OX^UT7h
z3vWRa3x5b`9l^4wNLW_<?zT5uYlFS(toHZ9KNhKx?*A1d)?_^vLX53?ODR@RqdmA7
zQYwf_aoOD@lsPW=>z8CHXKj|WY?f33+}1%TQxc9Q=2tOpx;O+hUv}J{)-TIahR|fE
zAb+n^0l?YKCqP#te!r%indWA-ruxUcMxB0$DFG#G-YXwS=dKB%&N+n?Df@NSqNkfB
zhwsSc7hLkvcLK5iex}(%sz&LvEM)UMC(7r;*EvNC=XR$!Bad#t4Av@ONc->R`2$#2
z$})f~>pja6UP-YApeKh?(=r+QbbYe*KvB;85Xol6LdZr!ML5Ps%CHu>EX#${nZ;h_
z-c5-xxF51Qa`?-*DrqOX#^2CFsej^T8gMUqj+6S^u1Qua(UHT+z52CkA)m=T$z9Cw
z_c2VqJ|6-JDYvsHtvne{FPSJ*&)KuGo&erodoppU%GWAVZ}MdFBwFwE_!I<M_bD?{
z>nLe&b?dutt6ds$>Trww?mYVlGh*R+^{`d@%I(Rx5!Lw{V`Ar^^Z+${4z4avBCOgg
zI@xg}!O_bJRm=|kIgY&zdiHvZPX<9tj<G5eWS2=)_i-O5A7szFKI(-ZgH;uQjs+-A
z`qzQ}4TBJAx1=GTWZ`p+G^er4QT}q0M!Lj0V~tDqJBnkdj<PuZd@UOL%B1o&hV4Q>
za&3SPxV#_1C{*XzbEY@4`o<%wZGK4A#W#Q1y9CzS>$DQCI)PTd*F5Fs{1gVdkpta4
zFUz)9M<L0bSb=kgB<L<~GNU5=f~eqI4`N!ko2#f*b5|)Ry)V%lSj)T8Qfq~RFbJ&=
z#Wq{`SBmmiONWLI&u``rI!_0YAMa@Ly=C*W_%ur?MVXVb%(V=M7gE;?7pfUU&3o>@
z=E(W%9>vjuk#ReU`;p)GlTKC8X$luh^cHJ@bxp$S2Z|auOi*=D_L%S+<GURkh>^oF
z>jqgW-pr%XLQ_M<sED2Q`t`5OVK&6o)w$xV8m=OXq2$>*tt`rj%oE$sc&B?r)|>*S
z#%{|t=XRCuc9i&hCMxwWL<kr~Up+BpdJpE5>1Hr>i*$nr(Sx7v6UPk}L2;kXso?y6
z>xLn7U;r*sHV2wdh#P($Y}34ZGXcq{Dqs|_?lI@Ui&EWHG5iJR&e0a)r4GDGI)ea7
z3f`TRVfykzR1s9WR1uD1XH;`h!9`qZ%d0Hh#)J9l-Lpv^?@w)q-FtU<Lc8i>Jw1mF
zN+rm8$cq=7esArA^;o$L!lJy$kQ%Xcu{Vk5xt2N23CUxLEIwDUOeVUHnND{am7+IA
z+99{+a(+i*F_UOWz3<!Mw*re%Up;*iKJ-`=v-CXJWVqLI`1)Yc5>r#!SUPcPI_H_*
z`bg<3!(_uMjdu}l@dYXVEvKB;_Ch*=ojSkc*hMz#l=XIg`CO{2DUuPS^*|i^#(QK@
z^ur2Udxy-3|7>C$J8t+!+>`BfyR~8^rme#)1|L=(a7$6a2wU}<bJQ@-?U7vWBFn=}
zGRgj?ub3U`r8I@lsGdvZe2s90UYJUI+*UJGIC!@cKZzgjO0mhX(>;@l>!#MdU40zi
zk#SVarIGEm*Mi^zqT8ZFTBJjC9M+;Grk=TAG<XX=`8K8q7qvWEu&V4r9O5uc%0S(v
zFMjY`lojU^Ao_A^RaCVcTm6N1`5wh5v^rh}_VLMs=HFFTO&Tp%)8SbRc+(lNmewVv
zDVFIyXVxO8i8!X;!^d^Sy$9SE9QdTlc!j&*+-!?vFZ37uG$O~j;~uZ^cj`&WY0}nU
zT6pEF>1G$$_5>5)G^PN_>r;*>Qx&NbC^pl8V?J+HJgHD=mgQDRN(%b4RmB*k75;OG
zsgkj&DG{*5C+&uMRi;XnZDb79+PBuID>aAHmtl8?U}sc=ux{N3)r_MeNSO_m(UY6&
zO<`#lH@p~xs0h50bu7wFx9mFYQ4e5@8Dz__MsS*pi;!dSIh!I9EjGzZbAMKIpzw0J
zsVIs#eP!PZOTOjeJ+wmoUiwJo-DDh5Q~iz9H+%W(lh-M1rgo;*2e8#@(-f>lhj7#{
zQn%0dEU#Sb<R2`u$!e^EEru7FOVy2_ho|5<9Xn>q1XbMh#gx<WIf*{=&)}*4EesN5
z_!P&nPx`v(Xm4SMnZ)Y(4!4vvSlV;VO}oS~Dda%#t+}=yWc20d{nOp=l!5de0q)R0
z>b&^KuTOrbF@@7t-&DwwYeDZYov;3B_)A1%;b_dta4&P8%$qu&%3iYf!l93puXQ@m
znhd2iJIUJ~t`4Kg<H}KtRJZDOe74OMHjcT|hkw>@*W4p@y}sl*OOD)&JcD+d_c=jd
z`Vb2V7AV6AocdBseee06mF_z{66mtGXvMC#Zs8jB1Ij~ne1l1Dv^KDNsHq;d#Ierl
zg}3h2z7{V`+1v)zr43c-itAHd_X4!v53HevOrOWCh&OWDm7ct3?jOD?*m;6UQo-l3
zz&Q?QS6vZ?lUJ_$rTMWA@O2a(T{TM^MlFiZEI{slCbBe{`whCYkNvcGHkT%g8!jVG
zn)?<v(?<Y5`T9?oTe!YkXB4(CMxX<Ci$mmwv}94`1;X|EUZz`E9Ob3q?ps-{?!ha`
z!{7!{t;E}9%xjW|UhJv~`>3&UHr-ek5&Z={(Sjc8_?n57fJ8X93qIO&BkuW#BtDUR
zTZgE#PGk4%i@&!5R@QIKUMEVI)JfX0`S<||0S_{xhpbppNnK3^$ut~!@vk@bMzGPL
ziW}i@t>6Gbcm5y$8~beUwg07wSDW%P2aW6>0wtunA}c8xwG@}SM_ltRu>E6YP)ODB
z6cDFc^tV7Or;(x0eA|l#n@ot`M-kcUbMrfMODOcw>MLHVjICmHkR=Yv5yK8%nbXgg
z3=yk_{=hDA?Qx5>tb?8kD)x#*cRi6r6wU<s^Whw=KywRT7T4e9PyplE-TKlm!UE@%
zH4i%MWfy?{9cz6LH*iy_X%|R#h~6g2I?2){ZJwlLHK+W`*Ks4?nLIf+-VxSQk>ZRk
zYyC^#T?!LL`ET%I=^@(n)F-)4G~F0R{yYk~odq$hF`+y5oUx<-3ifTaRoMHa7-C9H
zpFi4gO4_NR-zUFoZME&Tca!YR;CPe0#T$oSIxl@KK(-+Bw$CA7q=zg~wVHAiMxef?
zUVS3&3ad#U$-Y3c?%xS~L>j{{KoQ&Rd<<P0ENcbIkglWRsJM|j8Yp+#lXw;co54Hh
zErFL&2r<HXwb0y`w2k4gb+ycn0<d*53h4{RVxl#7((UGY-Up{_FhkkO6;RP_j{-;u
z25nMOci1JbNuE!)C->4#Pmg1hbd=Q88D)&%dMv&cT6~@D{$7CCr}lfKnd;&@i!D@@
zzy8)PBewjW-eOSIwEiy7cfmWY;=jdPf4wYfi!$^PE=)`JgFl#=te~u!d`s|=?2$U-
zcN^oTtMYL%FpRJml0R2<Y(0@VJ7cL_a5&(bm{V<7CqzX_d#;i3D>NGO8n(8f8p{7$
zDzei=_C>tlCl-WVlW<;3Q;cTroM`hY^B&`~H2C7dmCR9*FG}I=x<biLDX;{wLZ6nR
z3%<-QebPDQoU0$ldpck<L0p(pa6u<T5R`Y9m1A5o^vbekqh02Dxyyc%bzf^380*ru
z&}CU-(g#=(gdZ&0TZt?#FBXD}9wFlTx-JgGhmY2<>Fe*V5VF^Qo<J0gpC~Te5uFoW
z<zyjt>Z}L^>{HySN*vc6>0>ibe#v4Qqfpdm)Dsc*X|9IqWU}>n-D20FKKq*(Y22L0
zNpc!<@R8+%>s*<O9-h=#h;MK?QHTe);dT(?U&$m{Dr3pjuF7PmJW-{yNo{?AHp_aW
zE_tQ?!KJtW#IcN?%bfhpk(8e@PAT3}>Pxe%x-q0V#7G^n{;Bce!d=3MkHErbotn)1
zjP)Xhp|E$>f!I_0MsuZSlWUZ#>F;j#Z<*bLyZMkA9GPNrzE-DATvUj8q~!iMtD27A
zc&BIdw%Bvn^ER8lSe#!FCMQY%>!e+A+$m$wOUOd+ls%Ko`{9eRXYZ2VPJF3^3DERb
z?0ZF=-^9)1HBNLqDDw$hpR`|3XJyMdM}ri&f*ek3jul6YJ(}*CghU8uF~G4oHK?6<
zk#bWWX^;kz>0{{#>fCuf%ldm|-KLmPY^j{S1+~+Zzpg(S<|1_RK4Hh^Y1}<;ec~xC
z|GwY9S-=E@84;uEVs=+oEj5g$^fu}>cs*Gp8=m3s>ZBfFk^IK+Rh6<clSTQYSf09f
zmd_&$HG7V-6Ej5Js%;Sc9NtkR|IXj~oxx3(S?aRv@{poDiLCMP0)gYRzQIK!m$xO*
zJlA8$y+5>x(3?ElsZ=HVNr9x{$dSCQR9KBo)k#_6zzR#xe%I9U?=z8n5$x}l^z>`F
zMh1cG0cTnqd&|62i%Uoi^?2%p;5odhKb80U^ZJMJ58~K6a>l1F8CDC`R7z<N%^`o^
z0tq}THC}>ap+&s%KfDdA*K2myA$*1`Ro5T+Q<E$(;(&jL)a{vy$4LbGaAyyRdO%YW
zaIvWY%vUB>dDfSi=kER4lp{N>O)#n}gawpCWbtG7x}oP~tJ4?2nGuTB-XHUT9Q(x8
ze~Id_xz7Wg?1!wU7MNnWYskg6hre{1n9ICRZ&|;?`DoOTYpjyCI8U+j!SBwhFO?Dl
zvey;hHS1S|dZ-b0d7T0+%f664nx&45*ZnfYMco9N$@^rMlEnBGR1K$XrgAd4+THU)
zeRyhYp10M^tLU#ao4WP<JgWcIjqZMIx?d2v8Ff2VSMmvu%aX9Lb5K|!bKq5oSt4qj
z$Uo6zuNpMWyYtRNvNmkFoYKxW-{0>w*3~t_q<(rCQY8gjnlx0sa-vi0fa8wg`pd(L
zt{PY#J7QGok~1h;ST9ubAlsu~G+dySfVS9oEX>HLE>erlwzCu$fL3GO7uXN~I&qkj
zl|u4cytzE*(aLCYU0C!vS5_{o0A>gKvG|g!hTk>QTotMmTo4qPlq|asu*)xQ>d}>n
zGe_WTjxfyT7zd>2pr53vpkq?39^c$;%<6iVJZ#fga^oS|JhOjEbzFa`3wh_sXO!TJ
z9}g#|1#)Yi=9SssrLCuGW6i#dRn;I9@$vC)737dV-bX#=m|3C!**|D~-a!f!02)3d
zFwx*0klh4?GUqW@#eu8g!>YR-H`Y3!_O8;|ig?q=1Il1!mF5J_%vb6amnv8{J;yO@
zH!~NbiXm*`iA?(Mt)55i`&ED{tCG#Td&%#W=f(3m$r8w~4g4)D!{2m`#LvW)x`ndO
zUd>wMr?nYMh{l<XJ4MZ7()o|<u<BU#lYI^RsX1MI7U#<?=A_h^XP{j}8Q;UzF`QJR
z7F*g}h8i#^Nzosh%VA2;=_XGl;M|b7Jg7y_D%#jaWMvwUWOhtsa{s0oAXhfn++*W1
zehJXP;8psfR?T@9$xrtfpD<OZ%~KXGWuJ2Yz$L%fSQ9Pdb}`G(BOnS+U2M_kW5Rw4
zRas$2G`s<ox7JxY9B);zFEe<3H80+Ewv`#`AMm5T5=+=9sCV$F&C^&2#DON_YdAR1
zK2MAooQLLr^5ajD_<u<I?x-fS_S>-yC=L)11JV>wib|28gc1e>qKF_OMQK7%lp;b5
zJus*!H4#CIbWnPWN(&HF0s*9mlps|J5J+gD1V||N4bIHx-0!Y?e{0?R<60QrkT)mK
z+0TCV-sjH<PX5qS;3A8|g-(~j_tZ@?<mC4fEmA)TR_GXSBt=59kABlc(L2(TMnVoa
zAoQ%;`dsu&3)J1_7kelj2q%CO_@h~{$>+*czqGSQD7lwZ$7d?A72uATe2H0)S-=I4
zaD28TJtVJ(P81S3gw(dpOSc81lx9dnGip`7+<F3S0FYmQ^7&}@Z|bGK(0&XYrf6Fw
zHrBhGiW`ndrppl;2e2jLG0naL0&p9H_CI$5)}&QwE5zF-@e?(N3iIrCm4N_Z*8@;%
zE!+i8g(A_hH&4O3c5lf~B-$I*9L@cR#E};JPHA60vHp=qE)kdHYaYnFZ0*+Vgt;kY
z|7$uLYyJT)&Z=&DohWBKf5`jte?J2h`}6!%Z27Hc-EEnbv{Q!Q7C?5OX(%nY%OnCl
zbDjBL1nv(Qr9V}DT)(wzv;7ix7)5)*zY)+4CFlM8>Sx$k+}%*8=5Lmeo|J)F?Rok`
z*i^TxJxc+!Pc7YuA&;uFY%tdZgf3~h>$FPwRPSuF!0but=Xt%yt2lr_0<&q<@-3O;
z4HFQE^iBmTZZ)$DU`|!sHQiM^zM9P{Pl;q`W7zoh4RloYIxrlL<q9p^Y%8<h{HU-w
z?vz4=L6>4*XT<L87GGXD3GQh9{|P~)e<6jBSIrI+CvPOS3Wd)DnhyFraE_kx$#?9J
z#{FTovo64H%kKv+KNh5aV|YHa9I~VXd=zXNs-AUF=^Kz(Gr)hy&rsw7#OVV7MNqoo
z&+}f8c_&TyYSVWLQTV%B(suD$RISsyIvMw;e_xV&S?RAUWuM=<aJ%HZVl^49nJ~WR
zBcY^f6esoYgB<oYcaZOg9MX3+-}@2?{hE~$NyEUd`$^Tk@O|9Cmxj(bU|id<$6?0C
zV=+o5MGHB0W$SzfMTE8@I(g4-YEzjw!S}qYeFF&787ndkZrKN=H`-@$Yqn{7_BQ#7
zs%_C<(A_i@DJyexBfbt8iw9!_v!S@R_Ts8`JOE1S$NJAN3-)z*Jxje+61Y>~54yCP
zR!vsB)uLt2-P@huy=1%fvDfVyuxuuZmw_cfR{2ZsGWxjj=*hC$`KY4{0F`-EZDggQ
zkpTfnTF(&{obfbxT72HEaf}1H7<y|67@P-!Ggvh{W2m{>+w%R~b5&#8{f;&VQY`T3
zNF-c~vlY~p;{(}nUk(^mdAcFEAr369*@v+$ADVQKT9SglIPs5*JMnitJz>=Eb=Ars
za&#2_x}Bv*#cjp&Ud<9m6e#_IDiS;oAv<@1jINpte{M=Z&fu?hYWa0;WWSlWCUj{T
zGVXr5VL3$D0}3tRaEd%jybexx6XSgwM}c;&aG(RvXyu)~#UwxV9{;wU86D)}aYEwm
zNybnqhfg2A`3vHg=&E@w*m5DH2+s^CehG&9D|{2ATGK7axnnZ-sN-+-M(f#MGJR(i
zVEw9J%yv%Vr|?#rJd_dY2k~KS;-#!6+)YI4J{w$|O5l1I_b$Xl19rk_oGW8ptisbM
zWU~dc*)ks0upYIxPTASa(D|~oNM;`&+}Y&a<G-q9xD8`tvgwZp?u%r}XYcVDmIXV`
zDC%F#&)&bi_`*8B?4f~p6eWPe!ZXh^!zQn@q93W0&$Nd<_%0~yZeGQ`KC6V;f2?_k
zuw&a`CQQGwmP*lb*)XnYj`JsJ<?;kmnLb|<$%8s`Gf^4QX_Xqk-kP;6Sq)#GS7KDt
zht~8D3?1vjeO7?{2{rK$pS%-k0civiRUEYQ%IE7`-T!7v0*kBI3apkK8Ka{>iHD1x
zpabXv_Tdz(XdyYLZ8@yv?$MJClt8?TjQSL)dr1#;60{#sAY|(bh^nJAmH3VW6<JTc
z^y2~I2G5^H&4s9*Jabeu0i#h?gVX3j>L(7YBv~oF<o9|2kXV)-sQpU)>ZeiM&-}R0
z$G<8WLnZ;^K{k^D^Zy79R-TeG#Ah}CMyTR4dqXrwT(+x7gIjbOy6r)6BbEy{o@{b_
z_?xk+3ru0xI<3fT=kNLYt(x<Gq*3vDyIDP6qoE5oQ~6_Z^;@aSTMHpO=eXU2S71Bc
z{tpj9$1^H}&WN}c57f<E-nltb#=NX)+;oFH6P)+{iC^;A9j)<FXi>`mB{pgCI_no7
zZRr7$;9cpX@6)vwQ-}GjmiDSx4k|x|TCS$xkzz$RqaTGkN1TMeGOjE0YqC0vQI;NT
z)lIwPKs@G_CVfo@e5lp8KjinWmpOPB+IC~<!gm}+uVQ9<Y8vBPM;488*m&XK|LWb&
z2fOFt37$b@VFf`mzS!f)@Lw%#f1yeqk6|-ts8ww4{-{6a;%|O&6q)MX>Z8|s#Juho
z)qk)jNOIsBOSXK5rc?;8LsIOMqYx9y$f3yRt>VN!U#Ehto^*Up5J~AO*bsghG}h;H
z4V<C!<WQwKy<N8fC#KB<^s$#?#tOEsS|Kb+<qVo}M-&q$?KZr-Jo>9iWx^Tk)o~qW
z_J*xT*VB8<MaT)TIwGMjAQ1pTg8DQ#k4l=o8tl<g1?fpV0b0!h$$n1T2<?yjs3I9X
z|1@h^63(mvG;o~IOYgzpj$Oit4z17>U6z#kxU~&8CG>6uw|?psy*JRe{ihw6mkiE`
zr++0O(6L<*U>e%KFZ3+3^*5|}`b+W8>DuwZ$;2=t?*tViNMJ-=-)a#JQc;QU&*j<f
zVLVX-M!W$JsJrva@zt`Btx;GN=r~Q%*UV((^4~keM_mE1%<?Em*HP+mF|c+I!56Xj
z(~H(ayO{J@?m5X1&idoCK#={V66pkLZKN{Yf}(X2_Y1uJ;Efjpr#cI&-Lxu#1=<lt
z$LBm$<~3YqB?NB)H0*$s>R|Z{q{X`R`do(J7d0aG@>s!!>7@IiS*BZNLKboC1Mw71
zx1s&?<h(R}0=!_}5LuIY5{8@wnJ-gU*FWfx32LhEKspPuIoSLtyIU6cU5W`nU0kp&
z`rHllv$)z!J+P0&<38NyFz$3v<T<fx-I7jU)q=@tXHj38m4h=e=Y?3oS_YVkF7bZ)
zz7eal2wRj?V*81?99y(I>~ljUN#xY_4YeDepbQysA2DCcV2UKvQT1HVn|PYMS}oJl
zzd(Hqy|@1@k_??&vDIZX=9l2b^1Odf)C}sH>w)Bofn+wSRWaeQS|)F0uCLvCd|*&Q
z{()oWp$pgo=(poedi&#I)w{{G@$L(Xp=P!gM`nVvIz`J(ZA5+J!A_VRPPx9dJNL|2
zwk4G~Ld+2k21}wleWsq5*i5C!wRi$Y7yZ-bQqlaozU}xdMhWD5vXaD?la=dF%sQv?
zv8$+Ggc?fy!?sh3VWMC|=s6#6tULmegNm<$Huu&Qdfq%sW71Pm`XRwb@=B3&!ps3e
zN@e#;c996ro`CwCHS*cxwf`Y8e&F#<FJ3dgz|H#Qw1pdD4U=a*hu-E56C=KT!Q@S2
z85@ln!I`YWTj(N8_(Qw*S?x`Kbal&_y)j25t-Fa%Y8b|-M0=Z|qT2vMI#m)-JB+O=
zk@-_zO3q3+GlEChOEga84~B%tL?z`<)HAKyI-Qd`<(9NM9b=`naNbs8%|?r=-bqZ4
zoKa*;>#sjCkk<!Z%Ul%tkR5ql(r~ZU9~0AC*b+uXdo?GZ)FymXx^HX)PIDC!C-5~$
z1{8xne8ITrCtK|Pty6YkY4)X8NKM%_HBwU=s*v#e@%VaqMtsC;hAGM}Fdu3-X%QV%
znoX%_POpjU61&s|NSEemL0RY8)DQqA=r43IY85#Ii~?@-GLgxF`tgs0Ue!LYm01RM
z_ii?s`M<HEVRli^L1IgEv2f1N&t|j};~>@gvl6hi<N&79J-l%2xoy|LHJbw<_dNZ)
z8f)d-)bg|?^AD$>xotv4!M%R+d0EZ9I=QLa$TNeIBDc6JN?GKmF<&x#2(`ydn~R}L
zb)i7+S!(bNu+yb85s2SCr;@D$?H6z~j)Y0VAmySBqc7~E%-95{`YB)J=xnW-7*%6U
zr3|%b6ZY+LgZUfi5`C^)G<H;0R^sVFJt@kg%h02{6LXh+fY8M;>bZpX_j057$8zgF
zq32fZI8DVjADoE8#Wq;<ax|2pdM>M79zB@6JA7v^pjkeHR<=6SmQ!R3J`n;?qwJpo
z4`3V*px<H9Rqk?=ElzB>NGc|1LQOpONLAqGxWe|A&pY8iiz?r+Nn`L{cHyr-a-_=t
zxcj)ve_!qh=xg+U{ni_ypG5(?DA-vUAb%^#z_8bz9WNTi=4A(h1#N)?yrMY7{BCa8
z;s2fu50W|uHcB0wPUH>-5A!Yn^UtbOj>(B=$m@AU_GI{I)rikf`J7&u$Xm66eXtj#
zI8It>eHRYnt{O(_>!sZtB5f6tR?Irxgt>8DuH06W?($=>4ztqL>tU!*(BwAZKnj4<
zp$V&i%c6tbt^l$kQ>`PsCt<6Aioul4CEE^r1YkRwfOr|MaSJ@H>35NYJIG#e@p?)2
zfyn@RyH>!4RD@t_m&{oEq|E+z7T{Wx!mOMFLEwa3^!@^m_f`Ub`WoyHFQ;ky9bu(!
zHA0U~o?`_Jk+kvG%L=sbf3fd!96|MumC2ZP<PC|bBHSvYD$>dM6zBm~5&oXz?_G6x
zo|pTUS_4O~>1?JGw$4gOz<~<OX82QpC0_f={!e|uV-XgT)zu%M;Fy)7hn=Ylw%2lp
z72>DlFIaiSgNt*jT}79jXD5C!L=q1|##Wmc!!MmZU!9#q0=e1cw-I}L9sgVaz8OSp
zv#68$Auo8_!myYoXAy&7*5PK;KjJcxHy=|IJi;iyUU3^%-;WSk9nQPisp!f@Xny&@
zk#ZAUBLIqRJa4wUP}m>&o72^tCD{`9m3kEjcVLRMU?bZz{al9f_ax;@mSTRJTm9I;
zYP=n%sq1Zq1QJ~3iSJ>eTp>s_&Axpf3I=Yid3Lxy4LU{_9m9&Op*82Nn;)>|suVu0
zb`l6Cn!V~LAoFv7Dn^=8<1V4ywz<!dOfV&7;)+xGVgaN3HmH!2%GSG6J(ON@AwK+(
z>MR20922Vb3}aST?m9d0%A*&WxI9=jzb|M-i=ok$gKy=)_f+*DED?G-3>o;IGD-L6
zR)Bo88G0-VhdUa&PS@<K>U8UczUXSdOGWaSLyE3cxtc~#88pl)<!=;j{MKjMb+MwW
z?)h55K;F{cXo0bjkU<#2Xx85$6fYKWFaQ7-b4YF12BTFSmAv&d8(P6Cr#Y*5jca5_
z1hLFbP%e~4r;`scR#<Fl?4)3O&d}$KN?bFCqiYv1m}&jjt!0M6<iF&~&r`#$%HzCs
zuPJ;iw*mP2fY=MkjNlW$9}5(Scx``N*|M321$Ff{1#yV4bcH!OP3@(Zc%o>dqHz%^
zK1^PnY$??EBh~aCbcp;Le%O>5#opsIHcZ&F&P&1NkBouUnzBoqRt}PP7Fg28lm5R;
zyDv5>drZiwwr8PrcL;rm1Y{(tZM{XkXn($jYL`k#yxSScJHj0)=V)o(t0QFNz^UuY
z=W8hYhmQHW+{>W1Z##;c@rX#9M!!JCpfD$U{Th3j&gteg)NfT?XYtFp1^B9ZVCUYs
zB8Gkj>5f=DHf;&4qum*=Y}kg>zAN0M*k+d@eQWc(nyR^ylMM;Sl1QgUd3!E+S)Qw!
z@Yuhlyzng8+^u8XoEE!Oh*E9q(U3~0@!vP6VihXL3Oc>=sAjl3ByONlV}q^03;oeQ
zvy0I!tBLH>5=X%oYSitJN>>%atN&;_pnS!CvUadrtulv;Y<tDYftDv|SL~I_^`4Nx
zRf$x1Uyhl+aHf5aLoyLKAHMVT7#P187D$$s{!=E|%k?l_<yah3!xQZ`o7D;NzinS1
zqEN;a3<H1Wc#Ux&m--+t2V@L3D{Z;is#Nu<&aHoxCicG7`T8hpstRL=;F@?v92II(
z%x31=5>KTwEB3s*#eH|dzZg-3IA%s{^IE+QFWP7d{@rIyXt7bt^-P~Uqy!<{jX02_
z&a5jOE2xIyPxrZ$6hVMU4X%bouEZ{F-}Ov!<W_|R{6Z?SohpqS`0^BAAl%{A3+6K|
zp;aOeqgmSv<nNyIDEJWvm!67wL^0yxEDHa^RmU~sVK4$=e?X~kEeAKBgHmc6xwFmT
z*jWXrq|f|ZiXL)t%Lh;o^iJ=+uP=XN+CgEK8pZ&MkzXH|G&5TMRXNdgKC-|=(hz(N
zISb`Rz5{B3_HrY7I~g_=C38`8-1RZI?VaOWw9G{taO<5irOyf;$#AMHsb;*2L8(q4
z9nev6Nx2HYWS6$nQrZ=&!8kuPxO^Z&U<hA{tTWSk0rjb%B&ioJfN}&g%T5~C+pCv4
zi7E93pI~J@_rfg{pb{W?4rAu=H2ZKnhsJcxOi$6bnBP<?k0D++t6EvXztv#4`oyTV
zZYaSHH`h|aGP`{>y)p&=Jn%im#oZ|}NDr7Alz|2qC{?QFF;779(5KWdS~gX`5E~0P
zE0hb1+!U+ClDWLP=HA|GkdLmv*Z@kFM$91QCp9umx>y>DQ>V6o_Pq+|T)A!HgEq-K
z{o@A|s&9MEyfzi9?4rNRv#Y6|$AJ~TV?GQ%X#m$x8+@t+*t3l&Ku_4SR<ZE1##-~8
z1G4Y!6AuA*%MA^=Tqmini9j%<%X-46H`vy>#Po(Om@k7agmJL-YU(+PLCun%%t^ms
z%X(}H56mWygPm;O^>Q@?#J&R<^DVvm4^AX=l{~T)S&dSehLa#@`BK<Ta0BRYc;Y$w
zBzb6~RAErka8VS+R?&>At30vYbTl=g+QJ|QTYtk-QwvOk>UUBbAg*;ej7QHla<w80
z(4?Vct0im74Hm}T+=}SX*MPB`gW+MuU%yvPy(3;F#jEonnEgv~i)kduZ3^Q$I*)N}
zjH^$68`t%jRk~Mv3nfv^4~uaeNnJ%w19jFe!>Xh)9n-$t&e}IoAL_>vaT~c~FIhgv
za_>zfi_viG1ss7L#83ll>>eR0{bWI)(R$;mebs8n&`t4{4l#Etx23LSBYxWNSxxD_
zt?33=VA?yeZWezgRm$vKdjx{>ytHooVH#%y@vKp)BtzE71o2$|V!w>jI?nBRU9R}}
z_VjA2Sdyzv)5%0z9NVbURg^b>(A00-e-&_$J&NVR*w(#jKXAF?Q`40)%EK_OY}@L^
zVTD(DL6p5J;Mkm~uhD^@xpJak1fyonQlrfkreHTO)d8g$5-g#3T*L6edud-|fbVr+
zyh)r}y<``}XVaxSl_7#GM5QTjNfdsoVw90B9g144Q9KU>xin{CbD!ZYTFMLQPoW&>
z9-Za%PiA1(@(wN6(l7Qia9=<+<gSq;_$Qv81_TW$1=rWguTI=f(-vOjAG@*~g~4^5
zqYxh3rKwG7P^g+@3!Msic#kD5?`CnVXJ+YCMYC|qv3;wwiQ-OVFZ89AcM?{)D<112
zx@?zT=fHc~2YcD%9LBzM`B?WdNKli0suLId0;<+rT!}jD?xwkw7vv(AY?V*H+)a!r
zdl`2ua0*f(CQ4;N8#$0dZ_kT&hG;XQ`zT+t9K_%DP|SoTkGGdJYODY%jh0peHj=0j
z1wIV(hYl{H4k_j6fvS7au-1zLCoz$ars@{9F0Xyc7e}s-u2dAs)C77v#%anMg0I#n
z9;=xAc$j&hUv8|%?^0lWb++fcR3WNA3!`}~h3n(H6Gw^>dlHg(h3UW&F0)e>r_vki
zjyJsPSYOq{)Hp?%GEYI%`K_3g>?+FXV1D84#i)?x59y4RGN>W=P0=(NVQg37SZs!R
z-TYF+=~M>YZphW-xc{ZVO^cL?Fm>i&f6$s&R`b}h6(U7r&~1m%i74S{HadfHXIx$D
zP@?w=>aAr|_qg;X;8pV8^#KLRbgrPlYew@1S3Vsxp3-)`gA|T~=AimWp7M;BaijRo
zI%dGQf`^EUJpF)3&nV*R7JABJ2J!G^6*a|W)?fV7fPg!Vc3?=1GQAq_<p$;V9n9=J
zy;4J}v!LEUdtV)Lyr&(|nadDDIhj*_rDHo&0~|6P$`&9gkwt_3BKyZnX+Bq&xW8`u
z{cG71Z!@-P0)1~IzaP+*@{kPmGI3AlJ6Y7_R)+cxuu|!)VFh(l=MS*Wo&-$T`51u|
z7wB^GrI0?)K}Wg%W2S4G2UH24HVw%j-_`3)wNMP<an~S+p>Lz(7`&Lg3ULYq!q<5a
zk31?CoXEXeI6Eg(+x0HLiePT$w>ayWxK-o25tlUBcov=#4evknMa`@1lMKatWf<VA
zOas20`~=TT_u1^PxyGz+Kj}1K7WrI+%qlRgccQQ4>7XEq;m<7M*;11D*T3D@BJl{O
z1XM4zHPo-XsLTOW&Jz<K!<_4@OWN(E(xocvZ)zXr_U^t^m%|kT5i@yyGc>cu;M`Yq
z95Vn>;@fx^f{6fh4?wL(>&5FIj`)KwOLCmk>4JbhKqJ}h=i=nE2nv;d*sY`5+w)YN
z_gVg@q+ZbJu9Zu(px|knFwr&|!KkJ`h8godH`1m;9I28Zrdc^da_pRd7m7|fiFA0$
zTRIiG*?&ST=X;G8l`3~x+?=1373A27;PC?On2!sqCd1ytswjdEtz1wR-nPlMQ&Z(h
z`@v8ZWUJ`5jP%${hTrwK>42o>_b%jhtN7yV6O$_i+0G>neLQ0XD4$x-jtt-`gVfyD
zZ67&Xqd29PtU3IpGt3r9{?eQ$7_%-O2d9~jyHY*@N?OMJ@K=>+2ZQIaF|*wLnUT*W
zg+X7nGj=vI8rIV5f2$)gGyVXC?HoWSY8Dbyn;`k;MCThtzPbRr>2aPeyVP;@Y-9c0
zPYMk|GjXcv^nECiHc%v$enh)Jw)`zxd>ZeXOs3{UUc4(l>FuofaNB%N1zmu%pQ>*D
zbxY9I9U|88D9G?yQG3ThYJgO;Mc^BZ_6>9NTcY8lY`Jhp&Y=oPzVq`d1XE1ZIgfSI
z5zeLesmXzMnE8d{#ixy&5>=@PHD>}LPis;(5D73v;`C*aojyECQ~>BerG@pA1C$09
zWOVf}4Gj|)&~ZHvNU^>~>1PUMAg<upo`aM}1sDeVOQ3J|rrgcUJFRv|LM&#GH%lV_
zirB_Pl9G^c;3nN`Nrag0E&kM7|78HcS|O!oi^&|gvKv#?%$uX2<*OX=pqc=*VI}Pg
z`B>koxAzdq<(?R13SO;crO6~qBW@((#3HbyKHH|-Z7`~Or<m{yQm7YIgmU3tq2E`c
zaq2*OiHgs9K%2R|&7e={kpON>Y=le%um8rR=?MSH8e#7hI;|jh;xXkO#-l>V=wC9b
zkMaf=+rmXH_8(K?d$QN*(gN_5vRlmt?RxQ2N7141L2uG^cQ+yNBK;gOH$u(|St!=!
z#qQ_gZ>3w9c)AyK-XkUDl2a+%D!?`eXWuM+YkYzwVy>fxA?S+UqC%SGCkr6Px(%}p
z1Z$d%^nA1#r5p7M4W|M}C<1ST`&>pk`B-4bNTK!Oqq8X2tvl(os|x|fqC|_|ZGjnX
z-b52v=Pu+alTL$}ePO%s*^i0e0WxBsLPm)GYV?J`_k-A1{pa<;?g2KBU(CNfBp>~W
zcwKV)TUn)VL&V8S^XzWhVj*SZfXPO|O@49n$!H6mY|X@;D{!j#!sQ)}qrG%Jcgv=i
zIH)C+?D;!}ke)=Y>fBRU4KWxAiNN+-WN1m+yJ*b{N|KvSZ7s&q1N}t>pC%c4n17bW
zvVx;5e)+}b`bB-+Yf_!v%)Vg~q(3<AWuh5NBs{#>MqnR^ujon*S|&o=eNn*CyVRko
zBsjn!T^6CmXQl>d%6H$7zCPeOJtI;HP$n+?`*oqgX$~JtolXF2v{_YrGMxrXu0%Fp
z`+J;Ao>J0bQS*3yL_+xUv)uuzK%B#mnJOrGTuEoWIpxWJCZe@D!R|H6tFbq(U*5Wa
zpk#_;jzTzd_@jRiJ1s{r{(Ui#&)L&PXJtd_Bs&CA)b~tj!#2}#s0r*)SIuTk*i+N;
zwBQx-iq_Wel|%PzO3C@Z-3eU$z>#=U^9`ivSqhtnSyIu%Kd)siG=wZwcv}w#0Tyk5
zuJPR%6shpshgIfi7OcqF&qpq0oc2F8mNNCKS#uDE+-a{j^zA6D*5vq_xQ+)zY?f>j
zYV6%jlU*jN<u)*1lK;LpiK~@u!1DJ>I_F_)Jqi#zpO}C{4MqP5#@{b9*6fNe$kU#*
z0KYN^uOsV#vyW(%s}f>`y!s*XnY1QUz4cTzqhyQUW>pR6S4u8JVDa1p3u0Q~&=Dtl
z*y8&s8U6H}rCP3Vlxtc6Jcb+2Q+#OzaOZj4EK?HS{kyF(NXC+*(rP;Lis8b^7f6Sk
z+S?Yx-;cAr?J`olt=&!m8uI4=IQ)A;J$p?4p=3F-TL$cNcLD5YdqtxEb7iUD(Tp4{
zAXrkE<uzu71vL0k)WMA_(ns4OTpnPJ?Jy9m7dEwq5#`ccxHbJq#s=m2Q6}ANB)9mq
z-_0J<l%l#^1F_?dr>F`Hatd%2C2oa$X>ogyNEhu-+Nyu`cHZp)2~g6BI6IWm5awt&
zd#o{g><6c}dnZf3OZXW*Xb%(h$kA+)fyLXdIUO<FYte9_<AA)c(~@zZJF7`^GTJm`
zb1`-)S_x;Jd(S9d-?`l`Lq$H*)G76$&(ar)I#DM51_!}#<XR^%yxcqa?xYKX_FGOx
zC^hgMIQP93(}K!8>5x+i3BN1v67QcYGKRbtol+5Vx#Mn35r%(}L^{FBN2?Ut7<Bl@
zqy+?FO#^K*Q!CA8&GB&xgR;^bNVGXhnYeOb@J+hNGLE3LD9*j&;9H+XRCB##t1<-$
zzhP4bbu*t39e2ewAq6+h$H*EgRxfZoCsdQoWA?RNP7`L#*f`W8>z&Mp8f}LOB4g$E
zOvrJmx9`<2TpNBi&|^=^VH8F8J4b4iQ8fc~SPEXf1Mq!0L4fE^<Y?sc1At>Hwu7y9
z{MaN6zEZonuByllMj;Q&GpoyszzNtasMns=cZgI*JpBdN9qOGt&-y$2skrhh#I`l}
zFJd9lLtD}B6Qaxj$Sr9|@74HLorwLAaE_)piLtJ}U}Bs@Kki?KZ0E2^mo;5YgHM1B
zmow{3=Gj1NOqkv`_tpf&ZMf}3Y7%b_U%b+4twpN;f~Y>^l*IS@9e8nj+&MhIgTk8i
zR1itzGg_2bfilW0EX(NaTm2>&0-R$;{=%(3Un3f89e`Kv!uQL%%&v6R(X?pllH;dQ
zdCf-tZELpknNxBP9Ax2|lRP%#C*)_njfE%Em6wtRghGxq_Nvogc#FEB+a<TmJGCg|
zCN;$Ct;6FB$5;G2n!XIRfIM0))=mOTK52KN3Y4In3|sUgyPeOM<z;3*g+Xs^BD{#o
zy;0u=NZS@knW?Hw{fSH-aM%?E5yuBuYX#>M%O+={`E?@F=(P)%1)I!it|E7(@fvGJ
zRSS?;qGQpq8iE_IY-z6Pg(D*7*sE$cQjiFvopvr(?0x&KYpi0&G@^{j?3+AS?db8R
z78@D+9M)&O9;atOkCJ;KeGCiyTLs?gz<aK&{E#3L6gdhh^+5o4gdS)czkK7O-D(G2
z!%f?%uWnJhs%x)TFOnL~ykbQ<7XAoF(V{>CS@oSN!G<-3h*mFAWjxI<r@APkH->4V
zv~*DfkZ#^<8(3W}jUKlFkLPdYI!)G*Xc1gjM^AABrOV={Thh6==FXJf*)gG3QS+Me
zJiPsIKiB-A4$-_)1o3@fYY%cOyVCv-Z$O1fM2Mdb4j4HVJzjuR#3`17-^UkOM{)AA
zUMlA!E{i_MC@2a(zo1EMQCO+|b{x{dbgnN_f1F`9EL6rQfodXr2s#38Q^q!goO{X-
zy>K$-GaChgk2D6Esc*rS8z!14X7J(l4-QqW1AV@BV<J|yHN)tn$Og*(!i7g@^Xn=K
zRJYRegZtnvX|AYzD1}P3y_=J|W){@LVMy+)iJnq%dI7Aj>Z@u^Ez<Nde%}hy(wRi2
zEDL#|0f)Xab}3Zw>r>S5G4shxFQDiYKl%?_HhJd#fn#9L;h3f-(T^v<eV}+ty8*8g
z;lB}U)QyF~Xxq<MF$zKFOd714@lo<ydI?_C5yjrMD03=q;c~uLUMVv-m@1JDPp1Xp
zP#s_MwXbC$kQ}$#IFQ;QIXGGB%kDBX*44uhBCh1326k&Mdl*<HWJdYjbz!;Ct)_6H
z&?jhemGH99%TRG=wl>yt@a=-P?Oeazqbua1)p!=IreE|yYFnYdS%aME`+@6uW`V2M
zX}E<OM5P7K6-jh>oCwC-f@ZjUOer!D;0};Wzer{fI)W^l(r}}OW4$GsRh=4JPUlMl
zjg!w;0J#wmAa>#(w%uiq{CIUz)Rjg95rDGhgMq_rXZH{XDC(28hkfaLbmDu`p%Ev1
zJ}X?fn-eV>++&Y&974gP{QRFq^#pgPVaFda3ZnebZrooi4_q6}^G?vnhwf8CDlsyR
zV-juqQrEb)EWT-eG`8znr!F6iwp(jEg77h4epq}0#dA*lz2{iQ9tWhcJ9RXPR$G{c
zo6w<?P(2^y@lF{*J<TDfUg@lg5YY@I>3HwD;i^zA(fhNPoXTkLEqReOY~K6QQu93K
z;epP2=yYR9>V%G;AJ57D=un-u_7e<Q46r8T?gdGY60Q?p!YBA0TEE*4V|kKc%qPdj
zI0vaAJ_k0PO-anbbn9sw4_Qx^JzxQO1GqE)sjhE-0pGJdJSA}s{LWU&TZ@l}+9bY3
zZ90Vn9SGQY*B8|?>@PH~2Cf<)sF7Eq+HKpP1Y=V-oP%l4gXu#Qbze}1f3D{aUU~M*
zuPRfcYQ5`$qtD;IE0d@JfL#@I;nCDtx>ZK~S^Npwr|O*gqXC_nUBW5&ZGl0amqnk6
zruN|tWk9*D_r!R$`7XT>d7TPbL49@*MxGT?cJgYTP!HVWP}HB<Lk2|Vm3SieIg{7T
zDY*8NlTcLxo^tqk)%yILHlu(93vxNbyj9|K-j3N{*<B}x@anOrv@0`cqafokyi3H}
zP7jOWyN_O$T_HcB3Xg~U9^&4^BZ%=TD1%%$qk>Pb8f1e9b|w9PFns8g{~5#AA7f^s
z@b#@0X3)3EYks+roo_PnaSsSCm9&fc+<|ZBcPSv~$>iN1S0D$oovmRvuUjo@%3+__
z#=eCpxsC{8;*e7(dQxwhJzsmx?&C*8q(r1R2$wRtSth_#uqAAduen#^wR&OWT}ZA7
zAXq>-O4Qi<3HNZ!ECTTNdOsiV$ygr!7<hO=C5K@$rpDoqk?5>bWwN-p*<FZ<TKKb#
z>bYJR+(7;slbEYH3IUSIyw%ywvr&8y<E@VGLg_1cAFtSq%Gmen(l?AFp7%-n>Vr5`
zyHNAsRB7lp$?dzJh##|>BRiBcHrneoi^tXG6b0O3@>pqmg~x9N=g`Aznb9qKQNTnc
zqk`uq3Gr}CL#gx<rh<vS5MPN)H-|X*ikTPRp!AYb&AXtv;zaDH?POOQ7r?RW@h(G?
z@OY%p%AtNXPUNKhh0e^*oT(Hgw@&rjUAoMElnTs&sBub4`U>TO{1jtDE_~y7w$yR~
z*~OC&wq#h0rBn~@tE}h#cgJNG{@iwgvKP<AX*+Bcnww~DW$@4lEcnZitLe_b71NAx
zh2C4n)bJNB%#)1pb1Nke4^ASTUfa?Pw+wGSvc5_*)uFnc(e`ogDQiq^C0^4k7A9*b
ziq)97*T-192FvxDP6nm<M<3@VRGaB+lB@-b=F?_5m^}%8Q-jRGXodyh1Cnw?Tu5>`
z8As+3&PT3KGepQ-4e|8k4dU%Xz-4=gWw+Av7#kYA%ewj(gQQK+$>Q1fsZ^$Mht5_2
z>R%IKbt=Y_<h@^Te}oZOwJ`kiO!l5GyI+d358%H6XDd1|U&T;3d4aBeV2vyrP>k9x
z|GTM|ta0Z4yQ@dcafGRd=QSTjdbpyJKJ{rV3x+ln)V0s05zZB+xM@z~sgoe2gX5))
z8;Qg1^`(U<s_SOXlE{F>9f@fRmf0DVbb>g`K7DV>Jiq0n{Py{hsE%ISy^QvVnm*>g
z#>?z3oyv`COT7^K&Acfz))XySd=sNHAKm6P%OfWi^KVfEr%w9`<R3y=xs*H3Kx2^X
zcMgM79XUGXT`{BODt5YvVd5mz*HIz*z+rVM99LHU+O(|5O)N!Lyr77VX`}sl*2%t}
zg_uW<!iAeOh`R80w})O=NeHowcK8vsN|lCxw|}!&<6lJ!D&nfk+9Qr|9<JA^?87Gr
zfkXG3J-1f>6@9lzLSKQLa|jG5A_xXSGsI;LUxe<O#i#b#(Wbsn0@U!V%8rhcN+c{#
zT=5?A%I1Tq@y8Z(l1!ZCq7}vNlTcJJ=)+YtQa_P4Inbx%=D&Y?Sp)FSqR$Z$=vT!y
zE{GB%LasqMqlx%-uaLAS1RV?eCSCaK@>ESJ%tO4s;TI)F0CV+c^Zl+e;x#W-@9|;z
zO*d`*;`g~#22#_|BER?5!ym#t+w9KF1oK}4mXtEEDI1Gcng`1b5Qx_x@X6BOsTA*H
zuErIfa}LD8U;9P6rLimY0DzmBI9-`m<KNy*g1}dXW1JkL!*3R(xCzIoRh0$!>!U<(
zZQkHeQOH>UEJ{+oD#7l7{@mmFP-U_9xmF;>r*}z?n-4y{k!6hXHeWV9)7#xo;f#1u
z`L9)Qe*h3Tv|Ru9?f<81`~P=>0Rlr`;&e{t_v7LYBL@h|k^Jd9o8ZH=@9I-ZV7D#n
z`HK{(4oPu0v8Jm!+d=&^?9A3Hf>=d~@3`^fd!-m4i5ZxXPCO+DR&FdL9{w^s^=<=j
z-sf6G>JJ~?lHyN0=>NoxCH9!`yjC%5tQFXPfrs~vpS#rmw-2c_`%o%9*7^tcVxsx;
zi-W!|HVb>&M*7ser33CW8-JK1V6xwlFf??x1!kcJ(S!tsT)5tRKy*uW<N)lkaWRL0
z>R%U<``3kZ6@3-1g1?t@JxU99ai)T}0h2+@WkO4U+O4xs!=uAfiU?OPxPz2t&hH?Z
ze>tOm{Rw8(I!X0kKKMwIcZ)g_1=>f){$%Y4>A`qP20VGh_>t)aY5fVG`xxjGIKyOp
z_jno!>RanCk|C3vF-1X?d1Cl8St8hZ_(m1?iVfwS=`Otz+XKije=sG$5I9l)Olob;
z{rP)MoN=EQf@~)>fwc3Y^$TNwjyn+IGxt`0%jBY9lfsX?e(a~a-r^HIAODJb&ja(=
zUHhf}gw(FS=7%6Ab}nCB(p1#<B17Z9U)7*8FC@rD_eW}<ycBQ?o}M*=Zqq~D=nuiR
zZ>v|nNb?L){04hUZEbx=q7s2#rt2%|e>4~T4{DhF_OF<YusA8BClD`g-AN#m$Pv)a
zRvTROHt3up<o6smDplr5o&vDMY(+S;Hdx!i=j&t?+dkkhA|0}ncSgQp6Y!d^M-vx{
z91Q-oc>r=EH1e^&L2IL~*^;yO=lULpMp(r{9y@`J{fH&&0dmZLrVDz=4}14G&C3@+
zVx5fQi=k!pjIdAY<^J=ChHqM-N5tt4I!C!xEZx&L+Fj(gEE?`UEwFae8d*3pz^kw<
z90MEfa}l60wfOj<ZsPAtDf?MSC)-3Zw^dOuB@d)_o;QA8E7!WB6ToD7=_q3zG(2%j
zxv#R*Z|2g_9Ub5BgSACv_<*m{5Tm+hsk&*f4mEgxs#kmZqm>ett7uXeE>Ifl933CA
zcF`2)?0>kGBba6zV9#^xG`q5}A1z+=q_vRmdE9>!ckBs)et7wx;eTEbGTRfIbx5#2
zRpT-G2AKCm;hjC8u&cQt?)iD91Tgj7DI}pyd5bUbF*nmv_wkYj_G&3ICs?w)K=0BV
z%ns}VNK|qio<ia<1wPhl&B&W|v4W|pP6ZnUS9D%1Bd3%es`I`v+*)*iI~L=7--u6}
z+KeZ=(cF{=tw0>4H1i<m=yn%ssk3`#|M#3BM6|-@)n=C|@e~WGTr-=z=4X%-<+<`3
z7sP0R99{1&zaSa>6&k6Jjw06W#E|~sBGF9pP=&~c6TXlzPKiCb*`zS}my5#(%H?kB
zr?QW-PK4ei3+a3&W{HHp7BlUJ&n-ViZvFx6Vj@=JttSx|STc!{L!gxmHys&*u9nK}
zd^dAiqitz_GLduh^5m_13sMPYBep}pzNdi6XC1O(_TnaP&m%47%&o}cFY?}VE4@W?
zghwM#{QvO&pnE-ubqqSLL*wTULal+BoAufErJ&t$&yS@Btp%FXav(cH4^Dm#&`B&&
zTs*Pk{{#ubuk1nsEC31kl@=6_-yUz(q7FW=0Z>csa=w3Y@t|hJt!ru|pU<eiPm)yp
z#{_77X{o<^ZqTdJW*xb*Mh*JYVn+c5R#F6i3a&q=?%u=f2_IWzpG6d#HT7EVP~#cm
zc@(|tM3%>|k7spUd?*-!v@l`wu}!;9WPpx+GWVmTe9r-RaJH1vEGtr4((s|tA4&g6
zDNX;DQqK2BdYmQ0UkrSK$4oyD){<;1Sz^m(l^5hDR=mSBobo*oh>PvW*+wb1_v+d@
zX*KGO7OZf5slaBRKgqi}+d=<rZ%4%{Jpkf^Y`-BEx>JWf7hIBa7<;QO9tOQi^coj`
zL2^u6KOLbnc`T5@!3sQL1FcNQr~G+5Lh(9Hj5R<!o6hV#ozMknih;~g`S3ey-yZSI
zV^3$%UPV18R1_qAT@C>3I={_n08WZ8K7b?ZEPQ%5+5k{5X8z#%yHAKWJPtn`E>IyR
zVR^G>Xwf{Z)ZVm#QwVf<(Q2r6OwRA7=E=(Trk6_QPv_z@4yn?WEIO@M;YA3@Zz{Qi
zz$6^*vCj=HlVHvCtFJGGEeQ;D4r@(K(^8cJ<_)omh6F6|E@PTghOFwfvhnP<_~<2A
z-_QL^)s&{{OyW9rZW3uNz0Hl{yEHB`cYd=UIqzRWtB@c5Eg~bpN=o7uSdQfQ;NjN;
zc7nrUR|I_^{ioPzH`dX-LVLW@{7X+8b?!zQ0UNNYUwapx{_>v%$d+kJNT*3_eUFIB
z)7hE{yq_o~{$1>A=MTGyV#|mxsJHNfp|<bViSiRcP3e`xpn;(;I&&5iG&rm->T<JG
z!pefL$f;9+8Y6fM{Sh)2A-NiAO#(3&M?8dzh>8*$xYd4}M5rOTA3_R}%DBs={nxhS
zxR_*>#&VJR;m_I)4SOTR{*<Oa9=|pJCMw**po#OQ#Z5qSgI#ziGJa!CKnLmW&fCQY
z3sRczwO%ifke<}=$;5L#9P!0yBKvl5D|8v<ehvKd9L@-B7lCHMzMihXMmO?7VvT<X
zN{{Y0XdU?gGo!&wPp?WANry7&gPqG6I}aVTMTlBcPTJGNNK72pEisn}wh#sME2u+H
z04EV?5nB?896--vFWMa#T5lVu8VhFmKa_f4R?ajT8w5(B#_ef5-KuFIwgcy^#e_xI
z0dX@VzC$pCU=vSo-!KO|3=7y@-u_F^^}tIZ+giU|HcR2A)qxJ)!2NHw&8F8o2YTtl
z2EPYgGgHJKCpZon5DKg@=i{ACDi&~fL&RS@RV?UVP{y%5@}|Wf!V%6dWE~HW*H&7E
zmY^@&f#+OB0KHpIH4Lf9w~F&*iY3Tg)ER&8LN!#1&PN!JTyvnh-g~qg$^(S_{_(Ri
z688*jcE*WxL8|DA&gyx&5jE8T!<$8OLV1y%y;f$=k_rc&dU%#i?p`+taK*x#g*!aZ
z?QXw!-5a_nRyZdUoGDMc25Is8Q8og8LL#$~oYpxQtHujbw9l3-GEc+16EFLin)B80
ztHqZfTa?XTgJK5xedl<DgvW~XFHY0f=s=let)zW&0Ah2$ZatAV=^wrv(fs4exSy`v
zvhgu%cjMdjuKW#}4A|o;_Jck0`Wtlb=ApB<NFdVdZ*J(P{MCQBwA~kxkN}dv0F3>E
za^AhxKLfN4zz$u~#AScK1IUla&~ncp-!-lE1`>c3?3dWWEC=Cj`;}}UFdvAQqbRU*
z5ynV(w<)K&&%u2bUB@ad%CAq-@_{Y%(K8XcmMi#c0ujpaiaK5DH#n{gCDR)jY(>D|
zuj$v$YFIS?$9pJ!G5#=OTx2ilBJasY4ZU%%sOJ-rsT~oIfd7z6;Ka{#;c<*XaJm%+
zB~W}CnGqdyTMNw-Xj&4t9H-YI-bKUvuwJ^q3E|}j34nk`fj@nb&~z)&4qtX}H>{q0
zGgD8AEpMyY>-<PipSb)3LlKY%8jwLAAH5=;bDZ=-_g5{Po_cuP5LF@E0k^PMkTP4!
z49uszaB0&nOKVrC8GQiQ^nct-?*za06bDq#m1)h((elsK*cKxf9Tq}*Aye=7i$fO<
zzvQ>f-T#WJ>?H6P>GEtGAYF=lzxG*U{il>OYJAlOF6>W<tZ44pG70^Sey*Y0k6?$g
z+>_rWsr3CVBeZ+u{(pIk`Z=!wL$I-x4y`*We1v@3xDa4t{!EF*P2_x`@D`pWR-DD&
z_B^TZ?xb3g_b9yh7TRjA2C`^Qb}*<ioo!cUokf`7%fBaW^bh1ejVC#Znw?VxJ8Zsc
z>dDw%0kl@$GjB?wp0Au3onOcoOuOmxVRw$n_Is+01ud7O1lZ%u@om<EgVy@DN4pYo
zudP+mf?LB}<xqmheUhE;oSUYJWz)zBorwtG3vl|c!K9W^c;W`=Q$9-gO>WA(5W9{5
zsi6P{2P|_Ew)&YfdgfqxL%m-oWgQQEIDt2R>H)TNI<Jii-v^S-20d^*jfFkV@)QV@
zDdRsqc|(n=wl_s?Z(ne4pLM{05ZtuVIQYcb<xBRt`sZg|L*ADjir{Tne-+(TY@v-t
zP2&aKoQEiTR!#<c4-MVCH+%^0!m|hUMPYKHI`Oo2^NlG#llQg<fE?h8m}&UaUQh_b
zu4G~P5*nLTCr^ufZe_nwwe~_Nks@a#aSaLttek;v#Od71D9dqXZ(e|@%JBt|KY)A=
zq<5D7=?DCS?4SKT@;TvHmY|@EGdrnJLV^bX9zVFB$A<}7M&NT(j|B+foVxM;hB9q_
z@4X1hK_4a)9q=m`g}c^6q1=<43afsRVs05a|A-%^vw1!KkB%Lfg0i9A(4jfdQO7oU
zEF&OaiB#jQHL2kL8)$mmO)d{H2fWF7kCg@gxs~C^a`#L^J?C9d^%n@LH#=bVjYaDU
zlO2GtUly~Z5tr>;q5D8Th;S-f3j3^Ro{}#FtcK8RAdmavaYQ8V#rf(-tL0(4y<IF<
z1aWg#xJ>BKZm#;$so5LxvwO!mAIHd^$mO~qnIQt3{wNm0sQ^K5U05u5Xbg5ST(M?t
zI*RH5VDB8Uj~G8~AQYQVxnp!ZC3{MdPSR*YMjvw%oXloU-x`ma2D7f9yrS*IdHCGQ
z$`nmv>J#_Dl}yIVu%&G?wt*OILZI*#Y&q5G9XH};SMbHuoNBD&XpV@5ps$>`xx0kX
zULXlpC=T<$+=NxiUevmTO!h#0LB2x%wpSgMyV62$I3CbM$l~GWwYPEk{Y|>Fz@e#!
zQ&gM71|Gz^$<Gh+aLXAz?`bbtON-KUd(Oa#RXDsZyV%A5?GcV$@xM|4yRJh5ZGE7(
zqBCHnQcPKjq|%(e(C%@>bIf-=bfsYV1D?46DXPpWbHT(gy6bi;p@|&Ezwe*JCF%~=
z9yuv1X<N*v1}uvG;iKY1t`47~qc|gEE}jwDM|_9uE=Zu89moc0_lIlD5S6pL<aY1i
za_K`m1*?3?CxfbLi3C8!%mMoLrHa&)ehx^XDkyW~>4Pa?#yLm8^ysM!Yd5>64BXQI
z<1C8cn5?v=yK6?<wKKgg=#?^74&%B@G&hPID9RjWrOHZMnJ@35x|xtp`f5mM^#?#B
z(-vX?amknFwaa{NYlvPTm%jG6lL;XyUh>$g_u~Tj=_?^u%-*n!gob281`O|iER8gc
zFDe)CIz#peOcKsx7LqM%LBNzFFV(*^GR3>gA}n|X(*SDUHHLVWMnCdo8YbnmCk-6G
zb_y-#yQ<tK1YHzz&{|79$r#w*hU}!j*p3Ken%Q!`k8t_@SE340vYegO1b~tr0(|`+
zEC$e(=k&PrjKilNmYdPCqSRi5A0KfMfC;LN#as{ysi<dNK7&o;cXZXc@V_fuUhXPf
z3Q=x=z-10pbnfX5($)!PuFf2%jY@j-b<~QN>zN7#L>B5DCcvKGtxYl{zF=YNOS=CG
zK1eJ19QIWSrREDFe!xu|+G6Ka>h(v)m|VH(Che-jKD%edUgoBOo643<(Fg5^_QK~Q
z_dhmhM!yFV3L}2Ig%3Qp#j8S2tPC2PXc^1h4Q%<-{D2rCnNwfVtElp+Y?d4_X(bt)
z9?wLh-dC^h3sN@RjDB1I1<w}lP^D3ZUKsD^)vm?n(LsD%*fM@KAH?2489X-}qu)xf
zpu`Qh?kKtncksMXmF*c_P8+E0S~*!79?Kqj<G1O=v~*-DNaZMVEp<2Iz?KsL3&2$6
zNNk60FC?GWf3Ve8e=4zp1;dgAP8Ptzjd$LjF*1~*J}|pulz+&s{AD4{N$A%6L$cu5
zN@%wqN`B>o>YOCtG*l_=y{xp9Y~3%)!<xW#IXaJh*a7OwDl!d5#!US(@cs0yL2P4s
z<viHi#c9wD4TBKxNeztea{wHwSus#;d-i4#+k@UEkR~SXA2n$0F$U~Hk+JVBnqJ2$
z{_eE<`bHxc9vF!dgHn@%2_P>3%F%oqRyEw|u?!G^9U<TS(zM>UxHw&xo;Mn#Y8lc?
z&c_sWN@LA1<yKp0Z}perH=m-~-oc-usC<EItx4@~2Yo^!AY)<46@rubjI>BA_IGyT
z9Z<k`?Of#2G!N*u9GE-ud0rG7XG?|_acS5s3So`bXZG?x0G)xqHWr5#rYt}vI(3{n
z1lNnkk1#5XS-D<4YJh^58VGn;k9{hvKF#J@&B(%`sChkOyO`5^#kcu|S0{8(<=@eb
zP{y^+@*<^fv?!w><t2}5blSEohGDqY?IDy{L$X#+Z}WQZ(3Q+aI4u_qe}=vii~65K
z<>d`l3dCb#w7Y=jZ<gTex$sc{2v~EnV9(t^9CX4H+=^%gl770q>2hEiVt?7T*R<@k
zrnFIRsuy7LO?6BO&T8gBrN`I4w<J43K{KxID)NKLh(XKA!?njwuL9fRXG%QM6t$XW
zJ^qxk(&)2NABVihyR%1J+hupdlNS1qhUTZ}jQ<;0^*%Qvt~9@bIsD`KA_D(E*!CZ!
z%)Ui`yYc>K_Bn6ObikBwrW8lL-dGv;o-DpobyUIcgG$sT1=LbG3aqHA#QQ0K>-aaC
zfkHrc)})9|@%MZWb2d2ES;GZvkFz24fIJ784S;_@VRk@U`Ib7M6ZMb(@8C2%qo@?;
z>b0}AwoozVGvvV<g#F{xn*r}grXZ_<NY}OICh=f5P3)^Q!H9~=j8jRp${z<8?7G4L
zj@}vkK|;bH^ZN#lW?zSScY?c*8EydbF9m47z>k&!xO0YcHU>qI@8y{5VXvr(l=gyi
zOCu;gO+>!x(}QFZeebID<#>^jKHa6b?VQzD@`0xmPqA{*9A7WxK!?0-vz<pcI9l&^
zbYE+y*SDt1*Gzn2gY95@Z6rHAysKzI#t8k@awUa-3J}=<I&~<yBf@cD4GI#iU6_9w
zY>vNMgo>!Dlvb#R^6s0n%Rjs>elS^^G2cM6K&@0N3XpZ*6Nfe4+jdSd_OAG^VW;+w
zTHvd`HY%zy<i;dupV!RBcGs398$QY!p$S6hy!~-<iv}_upuvkN4EYC>)l4qQ@Avg%
zeq$@Bt(mzo+dv7xyV*I7>9<2<RMrs4+S~7-Mg8vlEgPxt)m<I>T===+9Wa(FdK-7c
z*S`3?y^H_6YA@EZyfqa#)8p6usp0B1is*7atn?%&43r`R7YA|F1}JG$YI}%>R)F6Z
z?JjA4bEvtfa(zK!4}vYnWAs@}_k^ij5MzhJqH6ZJ13#Ou*9dwL8(rO>tnj%EgOxR3
zK3L>!xjeSE_m+3EI?G;gqY&G^F^?A{9}o1qHw)Oj`vJw*d<rg)-TVQkADt0-Ed$}R
z#Q9w<V1RsNDC@~xK~rCzcnefm9<-$$(n9EU_6kalp~NhPUxmyY?L!xtGILAD(ptUh
zKb3RouV0)G9N86}Z@Jd3-)z^ow`xP9;Ywb@Fv#A~<yIy5?s*Sez%HW1!0I`G+t#O%
z#XRIMdCgzh?Zga+kb=^!hTL|+9KWgKoya+spR9}gdO@J<Mj?d2&AO2oFcq{hnYbWK
zK3*(o)ckAu_DY^YY2A{iLequ8LYa-$j7{07Jm_lVNfCHgkW3F|-AC4*!4ATBc=&j^
z{)3r^hkK(YgTIUDh6fh~<;mY98Q|ra52$`X-oKqdz2%2gYEsUCVNHQ?$12;b$b6KZ
z0YqOBDqZoRf>h=oK~w1Bg4JooQ<dQbGd76d6W?~*x&;?{43a(HaTGRK;9<1K3lp!!
z&UXNJ+G+z@qUgYoMLc2y!kST}{eZLhAB+hZ=^R{~QJNJ7!a6bc75+|%`10w1Ws0m|
zPJ<4Jcy|m2ls4}bV1ES0?fUy^dwGu^(<jV0nFu)X9^<{}SDMYGs%7qQAY0zZLf6IQ
zTZG{G47m%)X`Po{Eow+}?1MX(G?)LFh+MQfA@BWc9T2!r?ANJ4`#VOBy;K`~D|UTf
zI@|{S$iB2!wYg;wh?h$(v=KPnTmKCAemzI!P>v6kx=9OQ(A|>Z4BO4Vx;{bri-6hw
z*Ui{NfE>-qh#Len*O$jLQSl8cwABc>{6dknRlNSS;z>@7MSS%A>!@pc-d2eN8RCF<
z^iMH6Yl>5ygCON$8njrpYfB>4XV!89-Su95g`DIwTV6I%s{5_F%5(!deIVFr60&Tx
zGm#nRlMb6pw#gs2EGd)XX;u2xkdT+@3Dy`dBfjBoy*TxiobgEri3mKwz-DQ?jZk7C
z&czmZ)}YJQ^jlY+vSWdrzT=P>MV_S)b|M{RuLw;2_I#@XBc2w}osin>(9v`8byrk1
z?S@3>Z3XADn{nGBB$V$n)E~iL5|vt9I@knB3nyD1AO1XCm{S|%E@x3U<1qkhDf0EP
z(0#1&SaW{3aIcvFMgwGN=pnGlAGoG$!LvT6cUe>cyXFn}CF6(tYB-wnQJF*C4gagP
z^NMRS>%#pgI_NNh=qNgrD2RXv2n-z(3&L0s5fPLUDT<1SkU_wZL`4LK5-AD_5|xo6
zB?3}HNmNScQRy{8fM5cNNl0(!jWgf(&BeJm7bmy;Lf*3WT6?ek?C1ZJheCtRyyD~%
zc{u1<zA~)e{J=RV#siR7@22nyj({30uQ8+Rrh+RLaP?2~ak2J-r8)bPE3F4LgY}$)
zQZYl3S`I<)L9hzx8n|erC8|I`W#j)$m@;}&zt4G5pdi*1o<5KGXmd#tonQ2q!i-3x
zRb8ub!{W<4mAMV(>RaEWj%|sYV@jS8YWEL5aJyeH5jqf)uE$kZ`mpqYV6o+({a9M3
z-_iKcfYxW`db+FD&(*5kQ?|5c7o<(xb-V@Yj?U|G8+kF>-|?I4h$X@`%<@rfG=D8(
z$(Qq#TVw{lLIlCukdGp+*MPoi`c8PS%z6crgoP6tC3pLb!}=sygY!S<PZ-#hN$oma
zrN{4OpB%ARsF0ssjxM}w5%Xk#o3ATQM#TTh2DFR1M6|+Gg^|-obZY*=LjT^HwZAXh
zW$YMSuMVEccX)q=xz?jZ^eiEAvt#+gw!CuZ7pFjIO0t92sBpCYp-^|%r2)s7=2KBn
z3NyOZu}-JR@9g5@C+dAP9$eJqRed-ryXCA4t|Dy$?r*~15f)cvVje{W0efNc=-m&Z
z#g|%|+~M(e+-bK}e`wx!yc3w&D{))pTKPaMWG1Jo1KRzX8TFk_hR4JUxe)G2Ksd6_
zTitL@>5^%aUcGbLOSMZQn9zyxgX)n%kC<a6?u5pq%x_-r)nw%lKfZ`aM`?f42;3F?
z2WV^v7kw^0HA3W`qPB|RsHId=L-(0^#sw(HbA=(5gWyM&6F`x&9@}djALLFD9Dl+a
z^9)#Uz+YQlebMqyocENdFCJB;`DG98n;!v3n+-`|X@+s1IhnYc!bkfyvrppcLrD*o
zpEO}c)<DK>=C_lTxe8cOsG1_YktHD-_7{(@OW4=`5!2lHhI#lGk|2G_V#~#S!%Quf
zCS<j2;nW;W*InBTnAUF>&zJDkR*w;$qHkz?%bju`=32-WM}n)uujyE!uhQeRDt8iL
z)rZL{k8rpjaLYJGG~gc5-Vf{Scf2jB^8<`(Fdi+i%|}L%+9F3=o&K<WsPegjUhzJc
z7_+Ff*d3XXj|{t?Whr__3xc5z2H*wc7Xn-JEcHg|%b$o|%Xc?y*W&n@^)x4&Qyrr9
znm407HK^)8d}}@?PX3gq2hsBMhIzg~VZtumm|6Ab-!Nj6IhIz|+~`)-!_emW6cJ$9
z++QcsT(E$BkzStH{G@`)7X^f>x%V3fW7&uc-CEa7^CGtChn>1zcnv~(y>jeTr{lHI
z^z(FkjSN?K5;_i0<(6C4C5dMgFsHAI91ZA0`YeMktlRFKh@^VmS2YcKy}8Z&a91dD
zaVu}5uHM~J)N-BZeMETMW3YPA8MJ%+U`azF%_j0JOIZ|K=brwEDw@uBvau?Ro`5r4
zqg&HR41*A4bYI2$DaT!Q&rO04+*;AFkoi><`RrmHY$%IU?m<-E_BRXFc{h!V)@koF
zzg1UYd%H?B2D>;3wBpk1G7>Q@=L`*WXk~P90bpJT5*4Vf)zy_odGFb^=iG}ZZJ-ss
ztT^{@DyKqv2RQW67Ly+8`Th8`?yt6|>@;R@n@Nc=J-D&OCl0r-*=c+(k5`U&PqFnx
z97dNMA*4aBfilg*P6Bh0z-M8!edV1x8`TdIqStqO_`&SntBT9w`wwC4G4^sVyAyC=
zJsw?IpVLez%zirQh0jI{Xu{dJYigktWq+4Q*Toz^3(z8_8FUqEN3%;+L;kW6QYYIp
zNcDPARb?W)2n|_z!2qOlKZu*iyYSbvZ?PUJcHlFCHQVePg(6%vXcvgEsJBuC?GEtH
z`D;^ie2y51oz1g%RTe(E{s=QK<lUbAIcIRh?1Q(kIAUA8{a3O$(e#(IE*c{GXR70$
z>IA({yU*TzIZBM+lZl&HgOjcl>=w(cTn0SEw~X%iYcp{K_PFjO96DH-yN?IB#&h<O
zo$B!hv?&+6XPWRw%)t#DeR;PrEXV|ym+Xb<w1Ts8@fils?9EE){*!r{WbG%yPv<xf
zr?}Fb)(3!83b7<sNc2M5*Y7?Kp55ra8326(nHyLHe$bN}-Q1l#s+a~y6f2Cbzv&u&
zw(|qW828R9P_UV8|HXYM7LLH@{|6z>*206m4X~1$Q$~GL=CigzS=)|GhVKM6W82(p
zrr!$QDTCig65oG20$Dv`JPBrUz!9t&K0apbM>8ZVRRb`)66bOw0OSdeMzM?rOpxfg
z)&h~j2!YdCjwpBkl4n1$MeU{*VR)}J#d77@DiPR0cb-Z);yhseKX(!0ixeOQ#Ix}1
zhWOrw{WF|G{(d~b-9l_6CI<``^T%^Ot!D#mOmGEOL8)pJnQmcgsoyw$a2}U>XE?O3
z@-T=CxITW^kOZqfdnmI$4TE<ov`0#!K~9B3!;wY=niqD$VY~XjU~;NQbLLgM9GERI
zK&{bo5zEkK#uDe?cq*LNqve@vQNJ3eK)84}7!|3^D=2HJX5tzErug0%D(vadocZ=3
z&{tz&^K!BChYJkdi`?_lDFBTlUWcbC<(FCac&&R?HE~O9<iQ3QV&niq^wDme+~nV1
z{cq1=>_U#Spd9o`_8>y=pkuI*_jbWNX0U@Xj74&57(K>VzmZX}pcJguv$R%t3^+YG
zr<k6$EMGEnz-|g$>5o8i=4!$8+JUeW4r~1w`_eY}OzMt#1s>47xT4X#PZkX_(%U`)
zhEZ76H#-0H`BiK`kYkv#BVUw@UwsvplJ!-Em20h@`9DEcu(1bQ0fswswnfUD)Bq53
zm{v)b^@745*cXiI&W-ObT;Yxa1d>gebOkN1#_UqO7g;&*kGnquo&N4KdGl3WLjbe_
zF&%XhY!5h6_~)eVBElwI*7|F#DJRkNJ_Ih$W!o2q$-x2fCxN78*bU3Tg~7BvYDC4L
zm9gPl>UPcllDlZ8X8GM`v%=POggVjB!@0ns7%&qAC}$dExfH;qC^kL3<#rg3U9Y_}
zaQFx?ap10YDC5695ha{9OLN$eEpW+eS$OQbU4aj~y#CnIOFt8IhMvf6W8$494G(kY
zv2yU;`cGrS(D+VQS`cK5X}RGOS;{3~7o(kYwmG@L>3@pRj7mmM3!{nt_?~VMw31ph
z==ax%eeB#;OzaGLa@WmSCG*-5(0yd&R2(}S)6$~1`H)3*|EHt4eT!V{LcNb}DF9ru
zW5_EID@rrDM5C_z@U|lYM98H(zQM+TtG4K?KLu2(VxYqOk9SxvJJlT@B38kFQF*We
z^MmzU_2RLJm9V50x<%8$nFq;H8zOcC&vyBBavoqXAvGk>{h1TgB3{umBrqBvGy$V`
zVx;UtP-p6{Cct@UsB(+`Rnm^>0O#*n=kFW>gkg)qO8vWOyW~<h(zdvs_31j^dy7DD
zE1Z&XjDatTkmm9C0-I7tokL>&{eDuipyE1cb1X%Z+{iDoy3-i@^;Iroe15dvc<7b3
zujsE$P{F)u>sUqae>q>@n<hZp1mGa2BnuR5DOM|Bbll6#maxs_>;+=NpsYd8BL_^h
z0M_47*=y^YC#L~O5-yZ41dg-z;sx(Cz}3gZP5+n6NzEdQD#`ZO6C^(jDB{#RrfrkW
zemc!8BIa8eaHKCvwDiA+o8g=j59FDKx5Ce6($B3;$yqQ+vI30|W&f{NkTFl0lqB~n
z5Kh2QfJC)vXKQ&9JHnQ$@S<xFfNLDJ=Hvf-_qE2=rgxpuJzOjm6Xarrp(UnyG~=e7
z=tVwO_!K){dp`FcPVB!%ot{SxyCT#n%*Yf^(PsL@j{wvey!CzJcl!ut=6qwlKT^1m
z8bc6I_u>`XW%&98_D0ON6rfh5{p)S`0=LgLA=k7FMlzapOTH9MuXYei5&r*pz5Y9r
zox3GH*5r-n={VyoG-vpqFxJi{%T~zvRdas%R5>8W0S?qM{`J7Dx9h8GGg~+Vub%rr
zkm-$rffzhYsGSA03oQ9GyJ7~Ap2iFgg2m&c0MT<2Fc}JE41?|~Zn*3G!XS91S|LUY
ziBz11%~N!|K9joS$p8f4yKEgOi{bT6o_{Bx(~1O?`;yXtq&JxM3fE|X3$=Zbcbn^5
zd39L-cwQ)qH>a?}sY%1q#Jj#n!oWUvB-``BValOHV_HIxhrHp$_xN@W+2)HXna@Rx
z=b9Yt_y!;W(o;*ER<8C^fUFxaRtx8rLt87F**(S@*xSS9yyZ2ZVd^2E{(-Eat4E=4
z0q1F^ucQdIirx;9v_Ty2*TWgO(5njkXN`)>T1s)61pTjvRKHz+))+r${1~)=e6JGl
z#+!(ZMDb%#`~V@Gz=!8X8wH=h<Pszc@aTMC41=$4)`ke)tC<48PGsoz>v`Tx6n7Xy
z5CC0`?v4{s(E=6V6>II)i;VRA?(g~Ej%SkY@x$^pnn(|^GV+V^V@QaS!nu6Aq5$*9
z9lsuPpYWbh6wN@69)zuzsu&o*vOgYCGr7??`=CR?KD~Utvz`z6$zuyt(9SPKcs33`
zLeFu4t@g}pH;wIN8Lz=iVcP42UzxlyJu1_O0>FUpKK$Nldh&lUATo|@)pr195XL-&
zv!*Jgs!JUxm;;_*UhsA@*IN!vRg-qeFR^9`0_t|GGz=BUYDCKgFIG0J8v(5Op%64c
z&Vyd?gRj&9EzQOtVFCmq=RgQ=SEMAMz0*Q<ieOEQ;%~6p4Ui*m{GC-Xru%_2r%p%S
zn>)XCJnq2;B5QCvPy;ZvlAq9MVIF$tKV-A6@!2ltZhzo0S2?mM0Lkv7oQHx+I-&7>
zU|ENpN7xUh`%RX*C!s^+J%E!i7%9v}#j$E~TbHL2#S13@=oUWgJcQ3$vB9&_Q`O?X
zD4kgIg@{}xZqN0<B`n+&beRzXup&fdh#);sqPylTAh@s-#!4&In^uYL*OvyvU4Xe<
z!HuRjUC(HWdqo8}0eYgB3$4Hg`25Q~kUu)T{l2w+0M6=v|JXScZ1i9c5ZH1@_lG|-
z1;%pv8+U`3^8mY#WD+3yoNEe<Ddc6N11=8%XciP_a1J1ZZ@90n>zQ#nxzy+Aahhip
zahN*wENdE4k76>X|0tYJPR=qz3BC8r-a`b1`Y1kAHr;wF!xN?OWKJXoxXaBX9|*PA
z-Ti?jqO0q+Z5Tixy<cH}4A{aPyi>7)OO2x4==pA{Z1FcI*A=zun#;t*FLZRd{5`}5
zegqgkl2-%)O7o|zZ>iJ?7li$W^!T&+DqlBb&H|LkS$6OwKnazx!Wps7X<Bu=56-|y
zYG(A}c4FD>gK1ibw0P~!`UHvt9>$`1qXuiz@{+r{rZcn#A2%DS?}=#T0@D!yH+UXc
zgx|G@E%~d9@%2Mc^1*ImosnzWe5?ilP2%H7{t8m8?+4a@uFEujAlXnzeQ<A&<inby
z-B{6UtbNQ2S?MmJBHzaGJ=S$60A$ZBV12)}CN))<XH9gpJSFwv7Z~m&w*m`RVndkF
zn7}R{Xr`#Mvg`}XFDh)Un@dzuA8p8tFUUt<*E@TLVC(^uN^1}W59k3OgXlWrf7iIK
z#QrCn^~qL1{19%xK}T?$veZyElMB6|24M<Dkb<~3U;Hv8qCDn!u`10K=be%@Ic0=P
zG2H2UzkBLDP_Js>O>cZs3^xjYkI|3uc<}c-AQ~X&3`_}7HbypxY7#sJ>dFg%7OwdC
zjRE141*#Q}CV-k=WPsl9<bG`tPcvr>9Px_0IfWFjh-qtM<f}5+%RR&m$)04Ro$%7b
zAsYH{O-O0BgNYFcU}d|$oF5`Kc>cJqD?Z29<4g$utVeYgIs(l|cFb_lSKs@$i7~Kf
zxgNFG`B-cZ5!pAlf?7cN#|zA4xDF{wD6fvC<0uA|M!&C(f#CVAOzl4(Zo57sS+v27
zq8=G;+>nj)EmO%UbG=dl{;Uk~%K6LW!+a@O%j>?@Bb=`VBp@5qbm))vz1*>jzI3tn
zW8J9V&U$1*M`d3zvahZDhe(5vF`#R}XS0vkNWN@>#9P+<J%BP*FqV49Z}b8@z?ZMa
zy8ItbO<Ue;Hc~gM))sD72lRkGQ~x|hT}TwiUDgd@x!(9EhHd}M3S+ZC@{Oqgb5PEo
z0}wTo%kO`j%v4j)^#3+*0J&s%Kqp60!Il(ejDHC7tmS2G#CoBC_n&wh0JiRQbv1Ti
zcvsQ>KmDoqBGP}eHOun5!?%5M*7qC*_?Z|3C>(Q;<=cO*x%Ru#Oo6if`!)W*@D@*a
zu-}`>$baj%6gP0|-rsVy@Bd=?m%oK|-+y4-=syZ0U~yUF`5)02@STtnttLa^>|_8=
zFpc8PbhygfNM^HnO_?i!->?J*XS;j>Dqr1_;c87h)ZYe@(MTppx>SCXr6MP4sD%SR
z9?~FLK4ErVGD8p$Qy~Hz5Rkah0Gqd&ZPW%NO<4mZtpoPjZ9cp2AH8GGmW$<!O1&bo
zV3rBSq7_%_*hfGSZA_5NBk~Yo%%EvqF*KfXLW3ZWfHVqXBH+Vs5T2@TIq^%Hg|$C_
zBgy8`8q!1B;bUo{8*Q%0Rk#L<N0h@h67}-^Yxb!nm&n=Wh33n~z>T^p>yD97z2x&c
z@}7LcEtUaFAO@UTB4lH}xzQk*7<>A;V-Rw75+A}UX9A=@5Mti@G0IFjMJL=8x^h7h
z3B*^@vtnZ=TL}xWT~=sqq8=ZLb-wQ>8OJ!iJm4e})XIfq4FcyqoG)wRzY+2yP~16!
zoC@{L;6hM*h$(Vqx<PftdiJ#QvHOi^*@T&6K><WOc<H%VXXsg2+vVeV&eQ!Acli>*
zM1DYf+^f-&T||(bK(Aidk5-Fnm<KK?H#cp<dUn=PGN<?Hq~pNCUC0O5`~@{6Lw?~i
zJ!VbZ#Z4~Z+ClAwRwBUW1v7G?{IvM`XZeAHEsN_r5<MdHl>5@HgM4ia=vxSJA@WQm
zp7e@zFm!mvwnCciLkpfB?GEgCqnhRkqIWi`jw=_{w_WT(v57iTid+Ow5>4by@~v{0
z>wpdWQtXP`;%BG<y>Khdr+cC6Mh;4}iXa6~S39g8Q*~L<4(cgFpPzIQKWMr@ibQF3
zHr-I6)GD7Z85(XK9W@qTyryk)x0xl#Uq@JeB=O*v$SLUUa!L%6GxZ*`U$$f;pDw(4
zzKs4Zc)HO??K+j$ZfKLVCb$}NPD(TZ5J>I4ewJi6s1od(%}12<6{^}#B}k7+;10&9
zg)iK+?Sh-b?;`G)AXMSdLNE5juXW+a1Iml)i~cGsk$>|>A<3I`<4Bs^$#uNhAvo3k
zBesyt8YU&p-<;+**~jSg#e{h8HuFR!913#mt6PrLS$wLst=;wl#%*Wo;tr)!kP~~x
zo8R{uW{6<hE|2O_Oi9^j$2pAMkn42PSQ>A^4-@|6PflZChSlR1(`(w*uqrW0KJOIv
zj3bhj;%x_lr};V2v!)$#)+Fe>NLCAxf#9e%_7})lu1&`at7l?g{+q;O;EprYz636~
zA{zXQ2fG0z$b@;YTxF;L$pn1nP40djEl*cX>#>Y@2{2KS&uDJW_N8tri;#Im?AV>3
z=yp5LtaCn4Xv>$7kqb~W<_BA5Bm>QqOVCVvENW&CTxz;xHf9tXSZ(b%O37SF4i|%d
zT+Z}*Ilr&jtqWNhCv%6yQER}s9qCC<5f96Goq;QuPfZWE(#|ae<-!{?j{3DX4Cn+T
zHK}FX^T>G8=8?Pwki1xqHr0=3Pqte=B_CP}t{qVJN8?%>uOX<Ss@_Ae1JSB`l-0Kw
zdSVa*mTHR@HlPW>w!&_y=`wP%>gXkM+*2Zs6DbdALrFU@+C2Tj_TJlCXDgmeZgsLr
z>X^!V)I_Bt&o{^q2|FU>pI-^Yn*5flU&S$?mWa5L`L1)fdiRDQ&x-kbJjrS!3kS%l
z=Rq?GvdJXK+db5j%oUH1qb-kZ#*e_R)6sd!={sCkhA1fQHEW=rs9x{p0l%M@RRBO)
z+XUzi`L?VA6<Xljg<#+GiOdLqapRTKhRFog8tOMp9xE~rdvtDDY(e*-9>Os|g|19@
z1S6@#uV9#AyM*fsYg`Q62lbRBHRHoK5)u72pWcon=EX@^APHlxEke|@KrVL_IPida
zn9+d}K?uyi$S60r>;8fZA0V;>^7)Km5K2UbGzrwm^2#=(a$uN87J6KQCd<+<ot8@>
zQremK>3^yi4R$I`dV%_Pr@#!<N@I@Ie0fLN6>~!852b-jn*_(2oq`=>z>`EFtAgYv
z^@{H$apoLf+x!{5qxCBK-ClF{oG*Wq!w@)s74q{U&wG07TYmPCb>D(5?#_)ilL^Ut
z+_ea;5!sUqxzW5XMS4I~v}rXn5{h0@VbA!j;dyMxqlR#vydJv(=IzBjnN%wuiK${X
zUC&OiC+qYY@^HfIS<OW+tLU#K7kdk0<&(Ee_7QGV>A9$byIo|mBWn90v+v}4<x~_~
zsTbY)ji`kJ+#Gn0Fh6Kpd0sxO-z{SDfmfVrG-f!iauTI28y<BG+ekzSm^!xw=oc`Q
zW@Ijn9q|`TGDE^gj1M#kyljX{VW^LzQywei?7k^6;}>NF$!C2WmAg?3eLdq({9<c-
z9&DP2NY1kbGU^@MtI*IiH|o)!=R<EiQ?(35IGs{zVcu-5-RG_xm@{}ApWsmiy!F?F
zwm$Le9U{kTPwXuDZ_}@<rY6kOY?rW3i|)9QaLz=&F9*!CmariLcq&8~A-^On8I()R
z2z3(Dw49BdA?)Yy=~(&47*jACJ<~GuJhrcus+~g?5|GP|CgtE_nWcQ!b(7<4{aoPH
z%fDql)Y-O|Lk!)vC+=c1E!Dgv;P-9Y?T!(3Vzr!i280$w3+wnTtXW6}C~nmjNnuR#
zrmgHm<i<~$>+|z8ZtJ8pM6fRm<SQLV=x`Gs`>_DbxS*r3G4|v_qDU|iQXuN|LN_DW
zt{Bl_;$FNV=iUj;>IIMRE~8t0oARF;zk9449A!}f166kKUB#WM%kH&D235YCH*_Bw
z^@*zrx3U>_*ER;=1uJ1Qu^(NW@F`Z|(U?J-TdiqsJRMSn27X6L6)KU}_iB>WC!v^`
zU&OdpVkVT^U7c3O0#P5Ei;7Ey_w7NFQ1r-Dh#Q=IVbK=dr2HE2Tywg$dcwb7SuLI~
zYxRTq${U%tJXv1AIo^qy?OLP`4|EvV2tATpuU=>NB^Mbt<mXmr&Yypt0oVe84#DTj
zVM$>54RWAPd1wAT;Lml(f1b}&hEY&yweDg2hm{d`0Iz@lTtQOBA!w@Gp)Ye=e~MRD
zRg;;1g&Jf-7<tN&JA;G+EsJ(`UG}TduNSmNoeoL;ZoFoOF9m1yI*Q=IY`<Wpv|-I`
zt~u_Ag`9HgNj3Y|IY^aohZ8Cm)G2R){{F_4%lwV~m|KCxG+|w^zPxQx8ty6eQ$Q6R
zBa53R+DPY;l%-!aizg`goTKp`xk6R}VZ94-3*{FpwbdfIUxgE)&LnQ}ko0VZ@z{a~
z)VIi7HLFOVEZL$Gl6Jh`06mr_8L=DY>xuU0JkPMkpV)6bWSMlK6S~r{DJ7SB!Tq|Y
zxY42^fF;cY2@7X;JSwx@=NYUYQ6yL^d?_yt-`b@{CsW+^$C+@t8pkqtCq?E4I>Tm>
zR1dz7WRDum?sv_YXH`9ehjuLF?4Y-ZX4cO^>qged$Kf!TqoLp#eA95;s@+NM3Jmh|
zxsIL5>dm-<Exu4}_*dL4!c3gjG!ZcBMD(<G&GY3%!)jH%Zcd5SrXkYoq+Y5{d;wgT
z$#B(CH+99U9+x(?e@Y-!x<cW9Yz8_e=aXC4IkCS4_p0l|e6Q+oH{D*Rd2#qCN^W{=
zyB6Drf1~@zw4sSwQJk!~0ogX^4i-UkSEkC|YqXB?ydr+#9#!J5Kixb3aO<JPPDgtF
z!cu+Ib=bWp7ZU8j3%JPJH!N*Ls~QfZvC*x5>02RhJxQ9!g36`UUn#HpBKgn!hLJfe
zZ|Q2>_2b&Gp+elvKq&0wa{EIG7ionbJDr40I|^sJ`b*sVD;MiVh<MQwFAd5EFQj=;
zN*Cq<3tTn&Q5@Rqg%jF-FUe}ulk*p<^Digsl%yySs%LcXPzx9Eh`Uzsf@r?YyOJ4K
zwufqkhM99M01(v<R<UEK>*SJjgKt!}GO;KUj?=-`;&WVw@Pa*;3yrph%_J;N*bazJ
zRg#iv2^P{N%q<#S64--Ef6<_wWB;T18}Dn#+A1q#sqnokZwJxQ!ltlx;4OM2QZqT#
zhrL61@}wgzEO2N*ulfkI<ibECP@1QPghX=jkU8A9KisLRn#3iqYY&udjS)TqQ+4Kd
z!Km-Y2%@S{o$=han9E&m0iny8qF?8q@Me;xit!BN<yx{~ZRc22+9vL5869GCnQ3#h
zuFZgxLTJy7iU_UH!mgD|r#?%MaJwVfDn)$uYQob=Rj_NgXYkp4oL2aeXRiESpPa2H
z0<w#QgUX_(d<%tPSj#4-2M4u^5PsqIZ$md3*6tm0OZPZ$Rl?8|FSkXrGksjb^Y1})
z`b>hio<Nw4+J=#zZr!mm`m3d^R=LLg^~zb*YXqZwx19@biRXy!+MG)!oKm{|S`>Xu
z`@V;&@y=}50OhN}1AVO%M^@T`2joo^e_B2a4Z84%*oNHn17$A1y0)a&hE`a<^6vIt
z^w`L#x-536=_jcx_K91dB*9TN%uLsM5wcpMv*as@oiCL)6_h&Y1LuM_hD64(767=(
zX=$R}dW4JFn43>@$vjs6C1zQ?Uv{O?(~O4SXf&#^*}5)`-17WN`9hgF`$NG#B|JT!
z_c~Ifgc&ZL<g>OY{bfdykaVKk@BV(w4`BT=ng{G~bEr5tA<fEbCg)euYhJs<>$b<j
zGZ<y!(5HcXXpi2cW1hD*;S8~oyL!xTnJnr;Vk2)s=c_aF*;iT^q0Ru=FoQJ?>OO{k
zh8*Jf5sAvtML;yx>&s~LT+xMrcv_<sK7bKch~t~PTs(q|?X1Gjz~vYALagvj#jslk
zdcIy+E`uzG;n3@~EIWq)uMTKNb$?_8CX8<P#p-jogMdzb060CN@}80m@joHhJI2jB
z?cqkSQy_p(LgCj7icExaCpxnm7;w!-<1A)&2#EFNMym{yD`w<K#^o?pYD8lo6i%`v
zrc`1*O{k5GjXj>YW7C1Bi6?Oc<ug#u_tbmW>=>2!Lm(4!h1BuEN0^_%JoZvbkg^FE
zB%fpO*O#aj77eCDp(f)e-Y&d1kLE`Ej%uD^h~H#*iU-g2wnCExw1g<k5wjz6zt;6<
zBI`2n^M<S=&yMt){dH0^_{fScEZ|9R$IuQyYyiqpvuCQ$??y{1N2EO5s@;&^&69*1
zgT0Oh4XkD(&$uPJ;|2by^x6q`AVe=EU@Jm@XN+{aPOBwts#bTPpo7YSgY#W^KZlRC
z>nx#3vUl5~{KRRc!JtL_U5``rCZ*s@?tk65R%vOb(`^vk4&o*0JDZ;)#l0FR>ioeI
z5r%0C@+z3ur3yq{O($21>@dpu=37)I4po-3Mx&YV=ebH?*h-FlJdZ$a(2qI(@|E;G
zNjk{Et36YOn?ZDAePWISu^LfdrW|vHtvy>Lqu10KcE{{pObQpp{O<C+;=>;6)vrj}
zgS;ZLes==?G>ATBf@9>-KSEE(Z4IrGOxz;d7BNS(T0J)FAvuc$8frkS-ZCMzCVz&=
zj$lFKv(5Ocq;yMev3GbA0%T_1o)LWG#pU>!)1Q+X-*nvg?G#!cC+dfjYeKWFC9`3#
zTa4QC?9wK}TI?=Yr8vNrkhG@30nLl;niJxufNWYnI(o_j{(FIu_awgLOcm^RU%utb
ziJ{1Eb{8xsXrP~}%Mro8h|?tVm}<5kW$JNSo1^V1siDD`n=~>n%D;pWIuCPZ|LH&N
z(26p#yp>K^d^^F7JIqu;EMF*0Ekdscrl`)MsI>45xY%#<iXSa*RrulTNmeeq>&9y{
zW_I`Nq1{Pz#;afTq5*DoFgASJmCgM`jy-EwiN<m5H*g*Fg|fqpDN2<iepdl=epby6
zeA$sU$?*eX!n?JA(qyn0mEF|#JY!=K|6oR#qZMxg!?ylr<386#zVDwikG?vA62kEl
z%$)0el_y5B5YC8Y8ofe?FU^f2Cq)-b0Jaj+eeL(qtD3DkrA*oG$n=TDQru5z*;=ov
zL@S8fJAHXZ+?=buk*`SQ7FIu2WEUkIW^B>J*SbtcunUmGkE0f!QZwDmI0aK@W*(F|
zt~SEsoag3^?PKL%(UNCY!@0IyZKcnu;lAwpQ{W(nYm<)wqhcQmYuJuTmSIC(>xlO^
zt6WbSM+OBY=`W?tF`|p&POjhvx^DcoxOcOAYcYK&^0rpRrIG3=pK33l{&!iL_m8Vj
zdbIqQg;`P_Qn#V2?yOy`)&Yk6CM&Ebj{NwQtssd&7|IdY>&ld3$doB^9nda8t-djg
zW4!lMqj(xf+*+8*x&}HDq6|o=z)bkV3^qc}K=~n;i)VIrn@9Iff=K|F1Ob2M_G|G>
zizt|}>3|lmSg7b%!IU6u{pZw05g93jW}wQJri#z=M;nX`T-e!=FLqTL8e^=(yK|*S
zJ$qNRTR&O41UxKamm;$xU-uUvPzjX8j<F%?ya%y(lf|iiUy?C+34_SB?hz~_uaUzq
zW+0$0A(go2g*#q{1H#8^)4_wV6s&#8o#|3M@iQmOB6t{insUreN;AjT=2Fm<i3d*M
zQnkc`4nr2Q>Q^Y{5gfzl`c^d(YnZCC3}Jk%q-g)xe)wcsZsQ%FTGw*KqN7!=pm(ae
z|Mp2?pUz1;+!7AM>7Q7z4IfX4p2FK)E$3`NEMK$HaMez|{qFLx=+-r8{D|}{5fetq
zi;T^H?r3Es8_~V#0LB0wL<-YSi$9f4FkSUEAYCmN_D>9tUDX?C!E$jQQE&GS^8?@E
zV#qPy3dEEuWY1k?)W>w$LwekzZS}C=iJ4dzR#Zr7+6%+oeM%0`)68z%0_%s(tw@a`
zlyoUrc^lK7pR{VWpW34rH(`wNRY4|BqHkhIQ%$Gc9TuVk8lqc+8?H&k_=-zibTC*6
zSxfqsZH2{OZBt&bx2|7x_f3yejsIwa51dbEbm8bcdeM2(cX9Xya>&}Mv&qihP|zpw
z(Uh>Kq-SinNarV0v*lHhP)<N$FX_;e9wk^geY{sMSq0keOE2kMTAey5%XnGIaG+&*
zXK-#GBb)-jQ7g|6sG=G!I|g;Zl|sxuo}&~@Shl*qLk`=A`Y$!_Q>Kq;-T(A-HSWN<
z>E=69d+}ZTn0}}cXv98ivI!bD(6kp@y<i*mUQiVM6``7nvkh)DzXh|?uW#$|Ppm#q
zxsB8s9#-Vu$HG%Red$s06_&*CT@Xjvyqf%?&}f=0EP>z!6ta9}p#+8G%uIgo4CbOJ
zJbtO0unr{Pabzxq@dcW>EoqX9win4+@%yj2S85xTp@#wo2|hYLwllkE!8v`O{IeX9
z{P*I=tHjsM`XvEx@@vf0Jkbzw?E+}N$T6g7;e99d27dlQD2*Ld$!jTP?+t+dHpY!w
zaYY0i<hlXH0dbd-kk+Pz8ooS$$3hTW!>-dOJlx?r)7Iun$grv`Xy^Q<-;h^{i~|8f
zYoKY_u5&cpJJsF$r8KSBfubsS-EOF3ECUyaPdhSsMLt?EuTJo^?zXwro^3Z0U5bb;
zPTz5*Jnn^wJlm?_$7uX!Iq>#4$=aO$1WF&FbA-R<3;NdbnHZlT+qIlZ`cv0_0|dJi
z{2DP00z~cQ*h}g9_;bSI%FZ^Cx-nkdIIN7*sWhoyB^6CpTDo5ULF`4JEJM6tmMl-=
ztUFJtzV5#Q8WyliVO5;U$n_GwaJ41kuy)KoQuPVHp-<L-I)Oi*qx$o2y%K?cmh}>3
zUt!(S!3EI6hw|U&(Wc0YiICUHk*kT*h{~`5x?k*N@VLrYB(P##$MwY7rPZk*`b72%
zwy@H;Q!PcZ$#>YN@=vbFODqs-PP-TKJno@!XApt&1>S`chceDjaGBF!dS9gqHyT(*
z;c3{(rkStVQBGBqRm6Dj>TIU%T7)Y$9jyE=l()8C==)qedsl6lPCovqy)7X!xmH|S
zJt7%lU-6spB$M0$z%D?~cr&oWk+iV1Ybc(LOfsXnAj9xA5ww;oCGI2n)N6yih^ooc
zoNQ%$iV-d`po$y!B{YXrxRvMi43#LFf8>hZjc&4ut-|K2Cq1!z=Z$E$sXj2eVE1jR
zh-f!qISplx@o&?@bZR0-y5HMdE5GXeP(;nErp+YcL5uH-8KfqVYC@UQQG~W}<N*Sn
z7wxa=fIqN}dhD*CM#GaBRy8sljU~2LQf=UW);DRyYF#!JtVZI=neww#1g!z`ttgc&
z4TZ42k>5z%;HuzP@E!8%)PN4{r+s1CqLMpmz}fSxgCFHw4V`$~ozlpvjQY&YF`FMl
ze(^-Uw^!R9h}*n!*975$&-e*k)vqQ^W4~Jr%)XwVM7h7o8~R+s!Zk7|hikhG>8nrl
zNxnL?SGOcda<>B%#w|KP5C%v1*8`m)LXcpaWyzy((zt8%fP4iboV~<|yX@BJkOiFr
zU)3-V%`CdWar5Ce{19&NH6l?ZF`9Q!BkG!P&&mt8i>6Xjtjb1gg!3sg!Z%brYYvU1
zv}Iq|YD3c=HgKcyPp~n<sY<(=$@{=gcUw{fe1Q#r+8DeUV5o;QZ;bzoswSU40+*G%
z12&7${x^r>Y)=U=4^;f0&pP*m&dREr;ey~4`7<XYR9};Zv#Fo04J>9R@pfdV*iaru
z=#~!wDilc@C(~iSi*;0B)E3!*FE!#Wu6aBJHgaAr32&#Up}5psrg<FZg&EjIdP=D;
zkfu7NvSzWw&?u@&$Y%<QJDBo(HOC4oX%YsC#O%4Z(8W72J80ShkrBl+aiw$A7Ybtw
z<wVFuj_t7q3H7DqH+dvLql)^~whX1>w=@qiV;{VJ_D$1G;P_)^_Je=#COwoRSaRjx
Ypw|sbLQMmI06xc#o^q}_eDU7@0le^w{r~^~

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeLaunch.png b/docs/GettingStartedDocs/images/VSCodeLaunch.png
new file mode 100644
index 0000000000000000000000000000000000000000..792a1fccdb8bf6694c8a523e3219bfedc240b6ac
GIT binary patch
literal 15468
zcmb`uc~sKf`z~yw&r_+DnW?Fjl{uHD=7405IgvS!G&rRx&JzliPg#~(&O?f6&I9E<
zqiLC<l5>iJrihA)f{K8^i#^}pIqx}Zo%NpITJImg-fZ^p*~7iB`?_vk-LWv@J0g07
zhlhvnwz2+Q9-ae(+;sI{hq>=>=MgCG$G)JuMz?q>2hJ{WGY36&&2@Qrz9byoy?=<C
z|J&c#A&7_PWboc=AI?KEoQFqy-)((e>u}fA>1iKl&zzYJ1fZV9yLo5mp33dvPf_Fj
zr%ep+b$(6!q`2Sd;6Lpd6R+J)k3Me6y?4CvuVBM-j-LnWx-0^PV~)GUeN-yNrk(bB
zXr(e7L@>dGD*u|1WjwI=|Mj$hR=6FZg$!}cu?jJf?ZJb>AJ_mwa5>ZuRv5B2Mk9m(
zV$Xvv@8^z@hsVT)K8t~w9_QQ3Jc*SP{Koo|<O$r}DB{T5P2=|pcybTwUjLKG`73YV
zUSeJUKUJikdHpHSKB0eLFER7#oamn~K+jQv(PUxx96Pf=8^tiC3IF+8IBT4&&tY=b
zJsvT@C=T3;^JgH6FXZeh!wcN=$CuPm^mwSMIdQZVSD?GeVF5YK*I7lJ9ZxF`BYgeo
z<OxY_e<Vfwoj_&Fc|<hPmBCn3iRkpy#A6gRtWpaffFS5FMC*Aw+>TkHx@DU0m`?h~
zJ|Ed`FRjF-_zX{NQx@Gq2P##!+gH_WOzCZ3<y`GYaZWFH@CK0uTu_C}i8&DeV+YY!
zmk!w68vY$}{TlLDO$Pd9Kjv)GTD2vkoxmOO2LXU_;}wN`_-;2mxmKMmukvn;yrj*_
z&`dcz$XP1_X2_)6)g3Pa;nHY`sHXH6OgYKk@gyXn({75SU4Y2C^w+RQcBSTYF=w+D
z;zF>1pbyaL*+y$*c_f+y!X*y*h*;gl5}k0DaJ$+!jNuC8vXEw4MKo)xMP=Jv@o<YQ
zKI&|FtO+=7w=|IMe9BS;4h78*K#36@xr^zR5s>KfWR7D6X<V|mymq!f43}nvk0QA`
z2*64fm;+g%c+@2d=^hHs%-mIM#gBTzXm8PWA)DW`X;X~lt)qqUD6-;@-MiM&Z(As{
z<9-rq(NK_hEKMh{k-LoRTS<sreF-=VShRoX+>@~ghDwNLJ@4yiS{YIw$1>K5w3{yj
zXM?L*zoF+)QGuYgzQ2`G%oVHmP?~jdGI=_I+>-=SiiG%xTenkj;*B5o*J5nUgdz!g
z^s8(}VkDt6fxt2X_fRC>BGEp`CZOlmvJZtJjIuT|zbOs`w<u}8NQI!@8zE7bXD?K3
zLw~p05o%}JBiBvozgb~j9<4Hx(?<t<kUwI<WjE>6Ff$9a=#QiqQBk(Saoh(`%m_Z$
z`h&-j%AXe_kyKMo>y4Ja`~t=liXiw38b}|wF)Zd4d!ub*f;^R#Nh*mvP9RB)?EL)U
zb;iBL4$WdYjQOK?h>4xy!0=ouE>UUz{Zxcat7ntXDiOGIQ)!qVV|GlJADEP5@ya(X
z8x;-p&WT(kj=ZyJ_M465MGVH%#PB~bG4$_6R%j?WD}g|*pC)M|VOJ#a4N~Oi?uqmD
z(V=2G%z;YJ8efwr=t=i?0B1EjKe~)T#K%o`2!ywdnG&`2<B)ZP$@cw%rll<hm#A$(
z($_;x5pH9TF4g7qJp7TC4R6U&^2Yk+z<_h<*AgRUTTI5JzpOpA!=;9SIk#XUEg}Li
ze3TImo(w;0#<XpV2-bsrdVnXxX!@=R20O^z#qZV$VT!f<ptb1v{r=pE>$@Oftfc&8
ztmT=P_!VBh(Q{ro3gMx_pD&Q(;y(K3+qT9<qO1?>*kHwq(>4lvnO_O^rRP~CKhk6&
z6cUZ_y1w!UblHkg&DhG<0)o^s^}L%PI2ra-3<8}khN?qYE>YF-$(Xs$xX!g6Bg(vL
zYahnEQ~laO`cZ&3z^7?G)V!@#8ic#sq2Dmw6Jaq7aEweZc7>=a0fMie8Do4CjOgd<
zVTGJIMsl^W>6N6b_TzW8bq=cbK$!cz0YF>kr8jqj->g4x;e2tmb2;ptJ=Ij|@S_N~
z&(xBhl2V~k3!i2NY~=iqAuxZU{21`ird=09zif+2;^wtv^90A8-yvbnq8plxxxRMP
z6ISH7Wou;&|Edxgu`;(L6v3PxC-jh4csoB%y>K0<r>xl_3!hOQ3ykRAfUlRm9R?xN
zk8(HQ4CSu}MOFX2E}{6Z-Sg}YYx3)|y&oHh@;z{KxY%ZO5z%~_6oyKYM&gssZL8>+
zts>rf8^f2L8BGU$a*gG?LuI^b*ba!xR7`(_Blg|F)F%QWGajHvzVaSf!d0D(Y#zDW
zxy|63oNh8OvA9~cO&md-qLql!W!Ixj6^vlwNBMD_8!f^b4Mb`)2A71yv8uiTdLwb_
zd935a>ga%`sLu1%p$&~PkyeLgp9}%wBVmx}S-g{-HLSp$w6lUY!W*xNMy%*@njB`U
z8wm)jqOHi&5_$oH?C`CD_{FbpPB;}A_(E}QvU6W_W+_&AgG%@wa?YpNm(8=|m#<)s
zep-Ebn05A9BYAXO_!LCHTZxCK;cTA)Ea4wUSFC?`Y^c&L!a2=f6CJ3g4VU=npQHI&
zb@kn9ILTKR*Q~UqOV6`wCo7c*fNEEFfaME`yP`UG7M&XHf~gxBboZ(^;8v*wiRt%t
z=p66e1*1SE*1Inmbs)STqia){gzJ}{JtVlwTI?{_bPwfKGM-?Y3v9U@K8gg(=JFXH
zHrtxaIVAq035YSd${^@I);G&6l>?W4eVb7HIhco)vt|f7_;YC%yEHo;v3cm5*lfz)
z-PU&@S|FGqvD6fCXi#(JuV)ghuyt3*^^98#iLP;SPyJf8+R{w>AtmIlv0w2MrIqxt
zy@mBO1Zvm;71YmA9ImjhUI+qJM1*DH6l*Wt&vHIwgg7j4-Q+c1@56dKV4r=MQ8N?}
zq6EItWhcNl+Gzz$!^{zwtAGfXw1_3Ec<_4x)Cj=;iv$S2YWk%$8kmNF3qkKC${paG
zpSos1uq$|+vdbd9$SZ=L8{O3zM#?D`ovuzsxni0UK04O3EH|&}R-3Ezc~))(<b!cd
zf?_A~weK)B%1<&H`4S2b+z&FnX^08<{nVXt>tpnS-ZkdqmyMFCTtu{f5)FO%>%xIY
z<Q%Wz{EQPfd^XxO$twGz1%8uW<=pPa6?s9UH$OiR`>`0&Dor+F-x<k#-s!RW(^hP^
zRfgO`e$nC)Vot(2HA*3umvBr&zkdMFmzG9C8_(x?h%De{WC8FdUik*z;qA>f_x-*A
zd>BDa<s!`{2t#(xZm#52oNtYmDXb?SrT;cu?|RUm`ZV*3JhAVQicku|bHZZ{e+rPS
zqob6K6O6$2J;p`fh?$}&<&9NuKP(>bg}eAgJv2J7Xn9iotCOI~vh~*}Qoa(UB}an7
zT1c1|3p%^xmQb+i?>pUDeq=2A`{f|$6A8jSzuKSVB{>%zAni0D{TL6=J&`W#4Tnb}
ztj!`|_L1BJy5}l@Rz-4x(>57%I3>0rn*^t0)@)Qct0;~@Bh?PR<ht+4_D!7zN=eK1
z>Mlx#pSy`Z)B@R?2z1P1#Bu!t#ur|4C%65Zji~;Co2`GKmw&*20j=A-gDLRedjOT^
zNt)1qAD`J-{|@^X%%x4bDZeM9IJnl#{sj02vsk*RHSB`XbRkqVK8n&K4HTfyCxKu&
z2E+qA{$pnb{soIgWz+eB8X6k!<B3jH^p!d~bAH}<#Q<OU4y3d9d+wW(oemEV(I>C1
z{BnOGqrQY)OEWGyNuMu+_edl5T85WUZeKk4N}mFnd@ZcBU;^BofJnnXd2HW?k|6{n
zp8a%phG9e*1n=Ht&yv}$Y#aB3KmM)Ct)HeK$@4^(+m9f<Q<6R7+P^SE=9sfk6WM38
z&zd(eOprCwP-*F;)=>Ee|D#e5xGsv@<AwLKg;hC=Kn@j%i2~*XgRTPu_Fy|t!>0AI
zY^I=H*xFP8{MA%*7>1>)upwx-SH{!w`1ih=R9Lp*zvwqyhOl*0_|VY7J=cJ{3XaEb
z3iA>8xhuDqcXeE9Z<K$x(DC3;sVQ=?<3U^a=QDdb9wB-2<I^h=Jv}||gR|D+RR&XA
zlLTw0&Sh^=Jb&V>NR35f+DlQrWcRRrB#e7nP}E+fkiTOVw{fq|3hDE>(}k_TYq%B}
z^^nQso?or6U-At+eEJ&~9G*uqv}_w(=^eCwm%)E4CfM?s<+6a{tG+p_Yh>vJOey|=
zE0LEw+M{ky0fXjC5`^oS!4S)3)@(=N5kob?y+vHZ)vEm+_7ATk101WLr{Jp}PQ>xX
zRjleuIr2_m<p8t{g{6v%)Xu}3_l-o?T8-uZ3VBpkbZfBV3qI8C`a0-sQ|ZFTIQ@4I
zhfIf(vTWd~tNRC@VI;qG7pd^Sg=DG8eQ@g?5a2$J@Su(0VyWTCcdEifRH)YIyWpq(
zez5l+&z=>~cNDWi_#*4w{3pYZipnlJ*s3Ay5wUc&)m}Z?tJi+N$Yp?~W0JiOh33?3
zk<IFpfz88ru92TI-%JzZ2YiM9Q6(%z+g)asDkcw6#d_G&-XRY^OC~pae=;@V|N9eQ
z;^<AwcY-TrR%x6-;}JxFo~D+PDXSzh%GM?n#vR%XD2JlNQ4Tud4ER+O-#r~$nnB%c
z^D*NEWR?zErGxX}vZXy2ed>Rk57m{|AAay~F<8mZP$0dr`x-mLo`)Qn_&a;D(DTyv
z_YwbjN9aT)+FQ?UQ{Lr_o(TVRU513j=vCmGvGXghHtgZkKlv2h(tS}2I5q8FrEAeR
z&r%T}+?(U&nj|D*x;_-naBi)>Fy420Iq)hu@=>U|zQIprCPBys90pbP3!V>sER_^;
zZW2aiTeth7<)*PZP`Xeuyn$oIywP}zj!qawghK-J7^l3*zNV%$WxvC^Z->d<+q!H9
zFJW92Jw_6b8uQb0fZa&&$7!adfFhZ9-P3O9lm-g3Ma!0d*tYbBZBu%1ZMl!N2P7{&
zBS-^%)7*)ct2^c8o4ee}^1qfbJGI)Xr!i$2--=zvml)bbz}nhAEUPU|R``pGU#UG@
zRQX;)Y#?hwFi$iQTVW5fe9ohDT=H#H5ctrR!o>RHe^Q~cnC=S|tK}~$uxdfb75hl1
z4ozz@{t|SXlrCtt@`odu;N?yz66@Pog7mU;FJV)*@0&5}f<+H#@Q-mArQSHtN5;P#
zR!t9`((*|luvbph5F*ib&T=liCu5t!v>q~JdApUp%5VP`1yNJWztw&5Vg$kn_(|M}
z2|h{^;G+(Dd<(+5{v!;MIwV}J|2;wS@`1&J30sh0HyZ^fByDoQw^qDPUA@KMHkBL@
zRaYnAzV!=cC_sbw8a?&i*sye=PR23i62Wb%$q9+A93l|DGXhca7ULJ(*H)y7+1v4^
z^QHW*YL2Dv>!9a&!)&C~Mqk@yg7YBxUgPh4dMj!TpMRWEG@dp-%x81)g;X=$pz}S^
z9l9LS**2(A12AZte&YH#H%WqjssDQVYTMD?TsXX`XzcZxD%RC9o*oeyN3Df~xt;PO
z?yl(6b>8l7WzK418H<skqs^r^J_*XbS*TEbzfN@@PFt7fbijh|Ux{ehQGicj6Ym|2
z;;i+rLnMduuRMqvgHIh*in?xCG%Va;LWzEh+1chp#IHzx|Ilre+4e3;7NSreMY<w+
z3C_WkmBXNCBz_bg#o1^>BD;J5-?$8c^G!QnDH*S>30#7{REs>yEXugvFW6+HSl%<n
zdb*=#?uD|gz}-2$907yc_dcGI%LQVYOl2?MGD6pjPXkguH{66A0J@!?Ck6Cc7I_%{
z<`R$s!+q%=GaO_qtK05W-z{)WR?!<Ur<bH(Y-s;DT(?&8=0y^}q)uvp&-AL2cuk!4
zSiPc`#ISH?{VpI4eCDsTzam#uMs46nQX~<LSatHo>|%~b^{!qm)u#Q!+ETv@J0lqr
zb%YdV&>7=0h++9uKy#*-HG$k!lh07u$zJp_4jZqVc>n<AJj1<vQ=})YdPzgnO8w`Y
z0DDMJ#%1i*CZSRUra=P0m$t?i&M?wPUxqx*KotguX)4EUr9L-nf9D7kw14x-#M#bA
zsb)z$_-VpXuVB!FtEa{af7KN?g=qWhy~L7+;(#Jko{S4B$tZD)m0k#rARO53KB$-D
zT>>;%zM(^u6g`V_`P5r+`t=n=7aOT($#Sj9{9{nj3&);$jXH<voz<!csC9i8svaSb
zb5!<g&Uu>VqPYsq==8SR1n<*PqeJ^jasmL(%7eyz-o}S}$MDm5vF+XT^P^4DLrEDr
z5eXIi_F`Yo7rJLoiw9vmw~1T+g8`2lT8}iSJIXGWU3Ipm-HH{+%u1V-WaygBZbux9
zi<7wJqew9WsNx_D=Ny9M*2)A{e8i-Ik`+Y1#9(Y6d(;z(`|(P2IUyk<0TYps5HV`4
zLuZ0zG~waBNW4&n=Y_>l(|*0Q=CvL~r0q?<KbO>{;LEzfKYyicJS<U5^jF=mo)jGS
z5#p1skFUAcPzKupQ96K?CxnlUYdfS_vGxJxBTGBfrBtG{9F3UAi+7?smqPBy9BV<3
z!MzY_;_`Yx_zzBxWt;>*s^HelOvg>>s*3$%tj*!{phm-JsZ5<lw)fw>SyjLz6oCSj
z$%L(iZ!eZJXABRW?O-441=GyF#k>&FcW+jx=xCdI<BMpE4JoV7+y8AwMYBNS-3SWO
zTby+5)07Xx8AbrU3sDE#z?O%dzA!H>IKf1q&=(PBY!`Nk6+rg|fDRF$vtR?FpIYTC
zDc>zwR#0f%!p`ly;b=Z%yjiP725Nye=-iVu^PnkjsEhsgjM<Vziypwb?RU^&e~r%^
zZqdL97q`I~MesmmDRUUevZ8M&!Qh5~KWK!<dH=t#geUyM%h1eesgfvU2{hM&0G`f_
zaRFi6o0uY0ga@0F{)nTP30-a(zk{2ZHNRiF<T-NhgDI=HYOjmW*T0@?YPCE2IEC<V
zFmniSM8bJtVtoy-3KZK6U-e($EjgqMO;^qfb5W0@@ChC)j7k0#6Myni&$H<uPlRSA
zyz>Slqim;>#63nlA5v77URfM;xU2wH%7n!|2B1(`i6Yvzo-novu(3XH{S@@sy1dH*
z=IyAm%S`Hq*0kmioa-Q|0GOXzo!BQpYh^FV&|JH8#5Io`+e#|#zTk>-C+%PF`nHee
z`aM+fF(>B`72Bx+6tL4{HT~61?9)aQZ;kI6-VY^ZO<`8*AJlUoJqy*?$`j((HGRpR
zFqnwgh`w&BDYHmX($)Ih=Rr|ZNZ1(S^byz*ul&Hzsw=d7_a=m_&p$v%Y$`VUMO;M8
z)?KuQL>FwlK?X$TWlj-`VmEgUtHAD2J`ZiaB7XWJ(IRY<^-Jv=e{=h_Ccu7|%JeVX
zd46*l|B<a;ArH)2n^or9{E9apeaiS)Y~LrMkE$+*zV8FIKklK%&#1_zPYnSK{h9{b
zrpykxG=**YuYP&F8n@Dbc&Fhqj+*tR=HoR-b-P04*W(nllATeyNNKrj)rj(O-KsIA
zba*80eE_6v2vYC@n`HI&GEnyBr7Kdjq0iVa+YOUdNq4DNncXP{SJCCP>(TJ-ZIkbj
z2AiQ%u)3v)gknW}h|RCke?Y73>%+*m))|N<&Dm=BYH$WYcn#me$QK#`_dgD6IsJ)d
z-mzK9?jD!Fex}$Q(r<%W*3t>;En43hh5H2cfirMn9h*Ac;H^0zlvVW>&Q#~lMXHet
zFrdKP`e9^X;7E4xG|HTb9lS4###pTO;Cg!Ii?Mw_j@}I#0+<Y_*r!HJuUNbt(YCO7
zdwJT!5C#PiR?R2<9J5veX_L!j|47=Tx#VuPaR${yLCGF}FIss4DZ14|Psiw!fTqf%
z&*KAq)o5xKd@!ozZqu7S(nys{hFMC$nCIMW5YeSRc!=px@j3@Nak&-p8)=0AA)8H~
z6YLz}Cd-f(#im_1*(_W^p62x+Rw;F-PX=)n=!lx%?$>~)WUhwZ@Lf=&r-D3K#ceRF
zZs49bVSMrAqeqF`S@>O#h0WjJUiS#Vx3N7oqsNcM9+8}yPSeeos<%0M)jAdYV6!~e
zs64`SOf(eNQN*A@l`Ryw*mTQz3&eXNUbV5n@yl}OkXXH&UhTUB{cA63z5^O1Nq-Lk
zK)RSa9KRITJTBrKp;&dM4F9G|>WEDMy@!*1<km1Up*OY~>a(!TTJD6*%(-L1$gHK?
z7POJk{OD$>{Ldfc77@L<wTiwjX@*5Y<Ne6pKoaN?EBX)aivJMX6fwpzD4pAp*J=w)
zz>6**8m8M*!h)MSK6u!p7zuFh3Xa^SUB+bYw_C-OAB=Zq<`(HoHOQm7dTXD(TV*V7
z-Wi=$*?_#Tz{fy+6krLJHfOG!3J?g6WRJ8CT%+!`9=lZU;x~r;O)<ipbf5cn%&GrO
z9&58vHd~(Ho|>yPQhre>YKMeg%Dp6}<)f@wapM4ng6>zUKruf0sS^s@D%!P8Zx*!L
zZ>ol|5MXic`QAdM(n;qhDj$P>cUJm*UR>omHto-A+KYlnGlmcL`MoGV*LO%QBD2sb
z^y2+yRh-y#n{UoNfYa5~qVpjkkNcNP)?Crcx}kiGuQ#u_L2J5G@|-GUrp2T2p0ZEI
z`Y2X}hx-$Lu{W*;Db?gd)y3l9TgQJaO93CoGe|Ij@a3fil@Sg@eql#G=?09LgK8~`
zC=lM=98c90ZYbCMKw@)EXnU38BFK4bYaOz81A-RPiva4Mss;JNM)%oBsh(}Fl`!*#
zX1X7jtP|TbB>xyR^eGjNR9t&BGDxw>2W-5%BH-}U!=N)Z!Ts#9r{;_3Xd%_>nz1Lz
zGkx<f3O(3ncb|HM70rD8#|3uX+2PQXx8xfr?IE-1pGKE^cK|$ZRZy`2^i}E+LRvvN
zyRNyX=wov(V5M=hob!C47#t#waObXe=7QwbL2%k=@c4#yH`tuC=O3coJ5YkYv2e0L
zupZz{V2RbbphILs8I$i}T7AX-Qr5`uGv2DTLaiE9$_EKhCHb`tAHi_7^`|$h52WYY
zOhBSb=p}`+fC|N*Q~Y%<1*Ipj>o?!>_I!`J$!V)#`x3f#ZA=uuZeLb!fx$Hf4guo5
zIG@JBN^tn8`7##w@&$-!s*Q{}N8Q2tFS_!g$mP&VL1BY|R4|<&Q-&%V+|G1^n&&T*
z>^QIctx(GvI_P;x6m<aDy1KSA((SXuoTVm%09da1e}ewT>KaW{rv08oG|03GVEIYO
z)jN+ws7VHqmaik)ZQEvwLan9RhN^rg7Go=fILRmOsF3IO6f1jemY^LT&S{0Jig8m%
z*Iwy}Ie_LXO{+!7%-YVBq|P2p+?r6cj8m)7u+QRXM&SYWOpfLLKdM+d_BnqZ78?4J
zaNo10;e2X+Xx{zY2yTsc60mZ~y!qNA3$C+SUuH+S9q~Mgkf-_k?WK6U?=b!Srpv_G
zn-+(;ED2&)`wyQIaXMRor`@6X6zyMv!T)q+Xu=AsO$<}-MxF2tBSY2&)fumT{!6~>
zF)-+4ZUuT~u~OOX>JqkZDSQ<$RHCm#Uk2|r%Vl7|rT>y4yGh$zqt!U{$7)HIWJC|)
zm`-$3J^UQ7f&D&eQyBOTzSE3KgWHJg`%hKwu-wtSJh^e)e)QSvvA_nqYK<KxSJ8un
zN*hTVB~`W!$^EhHZb<Rhzy8Dc{Gn|Sdj|7UTuEh)7wlgK%YUilOcM^#@UJTQ?f+h7
zRD0<cN?4rNxA+=-ak{XlaelJOu3_4pe#yCUt#+C;SuhTHkIn>DL#<nPT`y2mF?2IB
zJnF*)8$vE2tdyvhc`cv4(W!m<@)aW0v54x*C9K*5Uv23NxN#QD8y^i7o;@~=O>+dV
z9mckdCVhdb-%W+%9+1L<z^l45@(Rq2S<^$WV#VL%QngZpo673^9JEu2P5#}OQLu_J
z_}q`ip)nl#Xfn}xui;Cb{%h`@qU}eQJF=FegO-ZrLX`Z%KbP!JG7S$XEM%!b=<^oj
zM%Zf{(6p74HST8cow74qWjpXuTdV|bh#3J3EwK=7H~rP;C^w;?I;S<VOpv@J7bKp%
z@bbm6?HHVTnwo%@`~lPXCF++q2s<*bAAZgF;Z)LeUYW4wPu%GVJVp|&Ormh@l4AbX
zbCXluH%8?qlGg@bo&DBSx59e6fiuHW2`a43nlH2eR2Eq$=+x-(`I@{jyiU9My$H13
zBs9S3`{i3%2V2wW(i{EDmJ`CCkLg0gK7OSnAmP?*0#iL2^SE>+dK;3ra+kX9jH=A2
zSES7Z88F+!*dZ&D_&qA&_fqs2(v995)eV~19j5D2rhtYmk4J*Xr?5KCbdMCv>+>28
z+ph@FQSc@EfwNND!63GW=5hXk=#4{{*Zzi}BTe0QckXu>T&s=N5*Jw&764=ZOtI<X
zJkf}x{G`@b-r?qbq^q@D2GB@wG&de+8f~lUFI~EkxoeiLT?na{F1;_p-0jg<r94Cc
zEUCbZ;?TSZkg9DbDh6YOEV7#2o$Ha8gJ@ZE5sJwy!)SPE%PxM&Kigy+18pR@UrU){
z5G({M;hQ4Os2EmJnnMe`a|HL=oOt*9ZW6Oz!*ZWlUdu^>T@`E_l2ufsr8#Lu@+OKT
z2LwV(`@vkTtHfTZD$$c}rT{c{7$(g(!!(A+LwDyZz!xUyWw}?Qkp3LA*3hkjV2zUG
z=Cx50VnBe+Z?)d|E6Urn&^gAvFrj<q!%Xk!r}@xK3STeQM{*B^aKVVn)Th?)jR%#R
zod{OwUF8qWN;K$&Y;36m;X0(^)#h5W>+8Cywd-zE*#5@xFOMVN-$zN3E`1UB{HWYD
z3|SEXF@1*JVT3_mz<Ci6-+9{lP9J>mFmtdqmo@y<@u_Mf!8TlE3|T9_l~(}WR~t?j
z=<k33l)@rOg>lp%J&q6MTc^FkBftv&Q;Wur-yb3sy@3Ye395!gC6S^dc(3SHwnNH}
z#FY;mksBBS!i6;gXu}TOW%|gK^SCp+w`=&{#xSlW$IOXJBGvU+ra6cYvriu@E~~v_
zyG$&{k6w$qXjHmu`<wV62wAVwHcl9sF8xxFFs?UlHNDbn;dzm1CCBCCpIj)Q=?nZz
z38*!h<=f`*t~VG?E;_)5Kl?{Y>3pKzvCfJxVei`HM_8%yhZ%%Ei&**QSZ_$*#f;OD
zU`o#7QY^5)9*!mqa0w<eq3-pJPn|#Vw&doQA^Aazz2HmK-~yq>)6MU$Qg?j<+t9$*
zjFJOh0P@q7?gRZ*tT~Cl>OMP#2)l5+m9>AR;OqsALDS5YF;&=!uV;~!yPJoQFKXPh
zEbF$nMjoBw+Wn6d-q(Br^Wi@e`KAFAu4!X4H;z;}OZi@s2>2vq4iQ~!qFoFRTuJpl
z)>JP0EJuQ+qE)dv0zjztp$z+d7OG-?h0-V$VE5<DFbfa@#Ce=}wA}l|VUZ1l+R&rh
zhzrpR1BI|US}+eF6=%EL=8R+wzkAL%WgpDq-Ve=E*@HI^$G<&$IS;HAc<y}YiFTc9
z0NY9~f4yDAzx08tMEoFb1^WU1srnLX+C)+i`S9JzF7gKX*XAjqE$4X<!~mc%?p|vG
zvTM#d8@VF-aw+Fy29aDg-=SNvmFu4w=wn{dK6Cwq{HaRBMB$;sM^vw1Q7U3O$=!1=
zf<yBH`Eu0G9vjR7f%_I`27HAS2fQX|AU;z4kGZ1Oum><l85mmclN%?UaYCzYGa#L#
zWj;D;!|@LPY+t#Zb2jt*L>Qrx|Ctl^OVAf_9By&tA7YP3n4aTYcU28)fy?dt?+ZUP
zID}FHEE#*cH*FL{RaO8Ie#W_`uW~iRBE|kO8m>f_`259Cy<wLG8VPCjuvF@8p&~o&
zBQfLC6agEVE;4=70k!FAT^dpD9*K9K7IrDlh4mQ;jN_H5I>Ds6X%jwrcG4eG;3VIp
ziWb&uJdm2<$vPdiTRaok`K@J1^URyeGB{u<Y-Ms#dVwYW-lY{*>k!4tdfn`G^{<?A
zah#;M7AKRo8T~VqW!~No`o*=>eS|m@#?qI-;0D=l_1Ex)gXli~)|BWM5B6@$oBx}5
z6AlVq*{5Oyy%1m#JacxX+P9XM+XN5KYd7e>YEMJg>7RoC2KmJON2&OqK|BAGGT4iA
z;%OKB@9Rqc$0inza<Ncg)p)4V)dUZkG1s&EgbjwA@tx4puq5-!WW%>tB6EIZtc1Ft
zMylRY)SA9C(p=cW#?^90ubQfgyfG6R2#QnNTz+!N@G#S(km9sWC5u#oeTkS4tm-qS
z_HaxfGp&`aICV%HKI+|p1>2&g!WLF+K0juqMRNu|!#pEl2UGD;y1|^bO<OhBDnX9J
zGI~0T>swej0Ytb`kC9cAk#yiMk)Ae3L~}GPR7T4sIB(#_zM=!|Gfow7J6~q1wyRch
zQhsHo)sZcXCHTdktG`0-^0ZAYvC64%ZtiUO2xlg5eB_JJFivhjz3-ainDMbh=2W93
z0__ScMk&$g%u9IAYaILeII?PsxO>1k^zuuK>v?9B)}iZMqxU}8Pgu2Oi0WEb7H~AV
zku~9dRr{B<bhWw0nI`pAGbs6v=1@{aT!+J-6Wa!`EUN)}^@O&3tVCZC=ec|#*rr>p
zek4&V@WyDnQYpOhDdMlTX{gB4uT^RAj|-{}mf)uek{;zz9_w?RF1tUDlqy%QgQqCy
zBL^Q6RD<X?Do*s25Aa&g?&b7&)nrHPtM}r6XqfI=_8ZLs+eG?oSd6Bj7+3fyKd~@m
z3sU`dxZ6+5V+Z!5$$sG@n~~PGlV+k)Np!FIyd9HTD%F^uc=~)9Y&p1OJGzHXzC|qt
z^IVNBV;mG!&2ydvhD=CkS8nrd$3&DFPBxs+&Q2@achVRBPSO7JM^QnsiZ7d?0wd#h
zRmbhblwn*?@?-=<JEFBZ+DUbw8!(|De|*cmq3pnuH<7ls9MQ7CX_m}t$fHJ}rJ?%G
z!xu!{ajuY_nN8)*Akxi8PPQijJDPtKqyoFUoLCktxR0N!A%*Oy+QvxbDb#E62~iJs
z*ZwOZ9sFM<B-ri+`vP)ow8(YMDyz*|mHgfZD)vgz8=zLzmx_mRQ{^zlmZ--(b=-&M
ze;}Zx95<R^NnC$?;F0?>lR31)H1%i8%>}UcJ#ldHE#dKyV-@6zy1u#`=x?A#J+g8~
zLg%zYGa)E7kdJ!qa{zTT+i|08qQ|1LYPP*+x3w~-s5x=@8mDCT?H78Mc5T0lN=1(6
z=klh?kwWBtrfUbt#81y#VnHHxN4XRUrH*AD36?}#8+l$Ohd(V`%NW!R(o>CEF$$J)
z`V<B%cJZ~`NPi;<l!qjz^W?s_#KbM*Zyt_GEpJYF<mzOJoa=Z3rh~>$a2N$T*3NKK
z8mMElBj8cw-(o`=Z=(Gm7(XY&oG_^xc&W)%mxV|KU)T4a5(K-N=r5F`>49%rErX*5
z$W7&H`i7XHTF8~okJ!3A3e}!7&$hzC`dfW>Mo@_itEF9^=fbs9f4%snsu<l~8fH76
znUSr?ORY@fnr-WY*`g(P-B~$tZQoBHrWX*Ly6M$koSiFJAQ#-ny_L*PEB2WP#DKrA
zVDUI?szIG(-=VP%*vi<)wkh%wSupIqbh%`SuW`RDjd?AI;TA17uMr(U7nalHWVDnh
z*OE>GyNQ1ASvrPIsNS90eoth}B%#<QOSB>ky{MOMssQ)vaW|sYlRd`_Tq<W_m@L=7
z(O_Y#O%XD~_tUlufhy(S=(2U>p2;zRx9+F5T~7@^HFNY~>W_g|ZGO7N#_BwYx!<J=
zGp&0FK0A2zVK(X#W;{4wT?WoJiE7AS`}=+B<1WnC__yVyk7&HI>AxBks(hfsW!D|4
z-(KiNZf%+kOYh9+5SA#G@qMed%O;UquKv?m<!z6ONUz#F9gtx@*zEKzitVR*A=OV?
zS4{z3R^*tZq!5jMd-meQmi@yUWYf?q7{d+M8e>bA7QhBNqCaTfSgUpyxyrPSpkpbc
z`TbP1|2D&^4sKE?$<=UR_$kbFi^{p_=1{CMMXgotCfIu8_QTawC$Niz*pTRlCYF;e
zOmzfRH5a6)<~7WOFup#+);0DjMZ+d-DjIj}Ush4%fE;dA5`Nov>H6Wov*nzv(UPEo
z(RXh;%hSC-ua*N+*BSO^wOdy1*{VrqR0Qxf4V1wJOZ6N|%30v@Zu3@D=LdDF;+vFg
zln0)DMEItu+qi%_r%Om;%R%UbfpA3m*!Ek7YaO-_RWv6x9fy*v7~B3>E`g0=y4Wb(
zk<G*rnfZ4*=%6%g?w8B23XS*VzPB5{SCuq58mcu3aoeDb-&-^$Oh${7Oh)}?s5IwM
zV|>Zw4RL<YX6`jEw<s($P_<B}>fok*VX%XWsIp<Z^C}19x2Eo!F^+7QM9kT$*J$#I
z(ALUiF3jO<!)qJi>f1kMsn6e?HJm~rMQfM4d?7(!z%@&=FCTFuJx+Ft4+G9mHVCU7
z6U!g=-uL9;fge|Fnorty@pr#T^Tg`|I*xnLE;U}m+(yZWi~}w-o%d`De>?x<7$4R=
z+48rk7uZd!ja4XZmX^R@xq936oBWW5yjNGbGx}HRGe!~A%84{I7IJ$P^{bM0JQ)(0
zHRORrU1AmmGrm=C$#@kn9X%0$M6Z#Egco!ZombwuxWKo({tk*73-gzS5sRF0O#Iw#
z8T8U!;fCc;P(GvC&_W?3I2`5-v>`r;6LwgrnqjHXHk@F)zn~qE-i^`<RL{NQm0eZh
zw%lt!pc@7l@!s>Z<Y>k`y>x{+7>7W`Y6jlE4TFQg^Zf`MnVE0A!Cj9mM%x>k%K&e)
zud51JHiZfnU(MfTSrtBJMWeuR7$AX(Y+(15&+pzd+{mc1?Oy7=dH6wEnO0t3z-$Ce
z#+!3Gi?hq)9BLOM=R%cjniPipJz-j91<+^&cR2tqapl6Cg{l`)9#`0TknTub0fTH6
zpR|^{j)aT0Uk`np70$K5E|&|7y?wMs!U|3NO_AgMdppkS{cJ~NBV+2_W^4bpsn_vi
z8^;d#314iE7U3lJE<ZB<v3$agLPD&W`}TYv$b3_Z>n8Qqmw&tw#8SWl3x*L-ci#E2
z3M#h0gc;pe*n(_ydmew8o|8IO=V(!zQ|z3>onE1B_<hK0{#=3a`3+myo2q*C)z;3Q
zs+{<g-;tIzuvz*>aP)Ug<$MD&qA>x?nKM#<8zOSJqlRujLHEI}+MS+;{m4NPHJev4
z99T{70NEXo{f*$H!+G$H2&6`rD4oo*V=!&Q?luu3{NNjO$OaMbTtMOy9jCJ4z1v_1
zdjH;}?vI>)lso<~Shh$C>XVt-HwMR0(S2K($DAl4?@U#*C_vxCm2SuU4Zdab;+BUR
zW$KlJa_7&^ckE{`f%bX=27wO3PqpqZ%f;)`CzBa@2?9)WK=ycS#2I@JfzR%UcEDAE
zLz%E=T%Xgp&Mr|fP%NX)NE^_ilnCZ*j?NiAoL`%(Xs<x`@fjc)W%H|&_$6Uk(V^*D
zg_^$CXP&o^z>y=J4w8uIMxPfD%%pLzXzjIbddUzQQ^ql0T3d`&F;{2%vMeePkJ95m
znKYL*2y5P%5_4;K{rKeJLys=yKk%q(XIYJJkOFoO(zN}w>$~F`?~p>+nIX*Si2L_f
zdDS^1y&1%yQzIZ~b2^&Ff;lHgpny>W@KV3Cq}N?dQ=2g=oziopmQpN2hcgOio39|0
z+eqXs*6#rJZKq(?h6en)Eg`j(+H~M%{X^Tz+EI<4DPR|3+AV4g@+q2J+ScvfTuwBg
zxh<CYU!px*<hlKT1{&xGn90Hf%-64b4wGhc)O^Shqa(NR&NAhfo9=o_)&vA3Uw50F
zp8u&rE4Z`O`|0l}>Wh1|v=x8fXo1SMS;Od81_7I!{&LNnXR*nA{p-1gp3=^sAdK&r
zUf<Nuf<8n*U?2(676vWEn~#B8HhA-GtZm`wZP3J~PM<cBdEwZLmm!Yd2*841<_anI
z{i8Kh?+y0pu&7e1fp@os>d@<6<YU$_QCj6w(^q=QZ#Jfsv#{T8ZE>FyDu2%E(3F_M
zsMj0A7s*4dKWAeW;^<MpbfVHhZBlpN=~nmx00tPqGeR@M*FUrvy9BZ`gP6>)RY28i
zZ(usrVwb7kFHH*lyvW4k{4RX)R2vanv{NP0Vy!~iD#EX98bijNN}POq>$oPUs1M5S
z#{=D$eepXV;EAW5;U*Z#NT}nG<*Hn@lg&?gAF-;-7#p++5yQ0yDn$Cea1rNG0gr0}
zQa{0g_e<Fa4fMc5;&dFDpeHasao4>4?b)UftSw(1YaJ(>0)a7%1$2k#q(JYS4>J)3
z!_hqkH0{Qvt=$n}wm}0=QS65AmTllR-kb8Of2}l-Fgw5C9Y%5UZAe<?%5XDno~;~f
zJyY79=8&tv*pn#r0keE^Odb95IYd*~z;>bPZ@Y==5m(Np{G5Q{>qKyVaXCA66;ZVm
z{fX3IV&fFNhPJL!^gAVsZ7Y6XLfz^FB?{=s=;(NA7?}T!5m%dF(&mJn<MtNAiYU#B
z%AV&nv7X{sZQ)fNA9jNSSz8ygs*r_W=(5J*tKIvrO$!nVuf<D;@c*^#d57IZoUFI}
z5ES(t9qPnMb`8geI?xAv2AQ6?x%&B?LE)=*2`bNsTtmz?DfI%OPWDXQR-84MU#_Ex
zIK{7aJWT9KC91Th{sGwk8$JOx<ZkEAptk|FF>r?Ghmq7UWxtXu)9kNQ@CGFsYh=JI
zGOJk45}D);89_w36M4nD&^JzBFAMUQYANu=QB5-<Faqu9`*(f3xpc76^efG7H=>ee
zE$y<jG*mDor*A;IKRq*PZLmip*%z88N)g;DShXt}XlB1RCT66zvV)=$<L;&~J_5_y
z#H?>-W`i{GHE)=)RDoCecW*;Cet&c3vNO!p`O-{>R*!~B^#l*AY<|7a8+jc6^E<<K
zfc&y5nB5T34R&D2)nx!)<<l!N4!l<)4`mT|^iM4Fo_@tRlxt{bJ!DCL?hd~t6PiD8
zL)DoZo#(8`2+h-D{cI71Z|vW?&*8DZo7AJ<#$iKg-fBShH?k7!-|)Yi8BNa?8L>fs
zqW%1D|5sq<|M&;Y|Irivzo)nVtBFjdmwx1)9#?E@xJa!#`M>yXbfk=YI1{~W$MuoD
z8>{U)s<yz}EUiw)k}_bz$|@)6524L-wTS*~ksZBM@wmn9=|kuLcibS8V!ytv)B;PX
z;8c<ET<>|0Ebzn}99(S;hooAx0SxpsZb;lFhDJc{UnS>PziF^S^AB6vDT1aDYw;sX
zRhuuNBT9Q*!3{mT5T3eLu5X%aWLm_sN?ZL{Tz`l6ODvb3<)z}%{^JcDSHu_e9}voM
zIn0ec^hKLM<Qk*Z!w4UlUC(Jl388x}eKxDC`!4&$f;WZLwmFS3{F$FM5u=qHn_w{J
zXHKkvgnhd9E3J99j}eGcPc<agtuFDCAB}e0gDH7eLr;<1<F^t$Ex@x94w$7R^mq@d
zC@gZ)i)D_p&X^2&1@`(e4Qo^^<9k0?y?N>B$79n@I%sm{`@bTyo(1}2iH-2yc_iw=
z+Iv1q)dB*Hx?r;n_NE7!Dr#k-qJh<l%Yl3}C~nilp4~He0k?%UUTyYS^X;c*93Bq2
z(w1;!41dMGt@;;hZ&QqrmUlKf8=>xdp=U?-&)snvbGk4`1Wo(+6ko{uQvRdX-fUzq
z0IjyQm>IK2g0<gO|16*-H4)ZY&WuTYT(lqaFSOlN5c*VKSEkzay09KCyyQC(m8C{#
zum71N-W^G&xt~**@IUcVv0nF~`N@s@T)eA#IB@0kofZ~|K(|N2JFe275yZHjM$Tj)
z7~5E}-I==ieVP2rL}(SE{EdW9ZC$nX{?r~k;W3UhrnBWLfz`wNet!(UDB5$PAI^0l
zF345pWu3cWzqVy_B4|p;Tyl^Z=CUf4MaFG%DQ^ti&dppr`6-v3jcmLBY`leG<;+2k
zqx|W;4`_SQ7k9V_x;0(o1#eY}SYu;nZioQYMEOQg6%qe#l(YtN|15dPf@LLi>7S?W
zPJUsc%4^dC(C@zN(yq&Pbf^0e+8rZB8O^_5MK%>e?^25dQc)zy>qW<yEc=X!-1-xK
zEsE;5r>NML+QJK|_n_!H_!ZtPHUG!K{Hxmqk*8m$A@}I#{+4T+{Zj+~!p&)eC-GIe
zGAP)ie<5d|^ZFT6h`OdC!#nn^nD}7xX369Yr!ij#u*i>_D}h<#wkrXa%F*ZAqFK%A
z52dtve;sv*nY+hkNCefgu64$k3${ogCmBh{3Qd>cON=xHcn6cKq4L;2Dboc_v``|C
zRuh4#*1REgdjt&UpM7~2*d}SYi6ocM^SR|kDq)fJQOKiwjlTuhnx}+RE~e+u$C~8S
z#jO`DOzO2Us{;Ga4-ZdG+9F=lx`dVBA5F&bt_OdLCu`}#2G)P);TEe{cD68;<~CWY
zZyHgTb<aTdGg5qpMo8B*Q-&=~$3_n?zV))=m=+53Idl59nc_a0HxhV<J=7a0XcyST
z-hc=HYrwOto*+}&>FsZ!vX_|2!5|+!)oSXT#PH*KdZlh9^mpDl`=X_r;pe9)o~WO>
z2Y&6upf>M3N)zJ70B*GNeepw@`uLyqbt0^i(JoXgBi-Y_zwE}HWEQ<4GkB%MH=F9~
zf?k{!rWtxV2D2g<&M6^rN00Gk<Ly(NN(T}wn1yK}1V^XJiUx{YR@><wOUa05&`R|j
zY?X5BwEGs`hjla+wfN_B$+z1?C#-}{bVf}bc-spTHKCREPFAd|cz6{ZiTgTWpo+*I
zSvRjJXePcXoO1MedCbD4?P!<J(ao}<r&;2%s~fuo&X%B@=;QX8{FS1mQ(Q{Bc4;F~
z1`89qSY#_tx?nItLC=#B%9lv^wac+%&AGBjqKXTuSD}H;4LzO<phyHzueRQM*)oxn
z8muXGt=Z;Kc2(VZABwXX@$tkaRhgQw3XDFRm4kcPCaoc%4Y`~*p2z?<vE0$fN1X5+
z1b2r#(R6Mt6CGH%uhVowv~Y>}qIJ=A)N%!8G2PiPnv^n=<Hr0a&sxvrn_JadDoNtj
zspcgs0hQ_HioRM{4>YgL92skZjkUQ%oE5glp1YVC>SD2#^l|eYDLe+ud6P6r8R!jO
zw{Bv2?1UzJN)83vDLBZvwvnTY_U`Wu2GWFhmEE?giph>{f<+YPv*(992kZOVw1TNP
zKR!2LROl1FlkR7aW)_@}AFN)KnEkp$ELcGKD7j^<j$vY712f87rDMywMLL2$HL%kv
z;60R-Z);pdk|!5tXPx;A=#vM19{g}Z`uI;o2ujN3yke(=!*`Zd0c`J{d7_eGHqRuZ
z!jK-+Iq<G)WfO{|q6axY6VKR-#h*DlDyc6Q`SLOVZGUQcPmO;<z03KJMxNS7;V1qf
vsb>=Z{7vHjXSVvke@Fj+jzai7M*ypsTE=Hy(8qlkp4$c%`jxltJ^OzElyk#;

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeNativeToolsPrompt.png b/docs/GettingStartedDocs/images/VSCodeNativeToolsPrompt.png
new file mode 100644
index 0000000000000000000000000000000000000000..ca7f4447622b5ffa029ba936937ea19c24b2ce6d
GIT binary patch
literal 29158
zcmb4r1yqz>*ES&1B3;rsL#LE<4>?1lq||_dlp@^>T?0tNz)*@vNeCj12qHs@AkvIU
zD<JUSI6lw&{cC;SAFjn>amTq&?6dc^uWKI@OpJ7{kg<^A;o)7;)76CG;o-{yKX*t7
zfGhl@a47H#-w&pvj`#E}D;D^J&`r%y4G*s&jr_OcW#Dhpd%D(sczBe37eDwz-qp@{
zcs{{;nrdc&cHfGKADK^2p9$>fPl-+RBXr&3QZ><nAP`JgmzwIDU?NBtk8OlP<JzmZ
zMFf5{+1!hXYQ1Lzh{|dZs<h#n=cvH3F~#%#qi(nQmRZ{eC4Pq@evx^Ko1q^!l~2BQ
z-B&t!@Uy*-qP5~7e+wwRtvyi2lZX+b<_TTt0ky=mfa1yP+U|FdDSXnrqBZ2kMcLxv
zjvO=;h%yj)S}6KCR?z?nQj|d0`Ba-nmrHk(mNCpyf*oa`Mov^+D<+TE5^|Bt!m&3>
z)kz;GG}1+H(Z}1+bD-4}B~~&jgg%)jHI=Us(?hHbkx&YhC9B7DIym5n&gH?=!M7lM
znGBsj7tNiKzNXL>M=ObRAMQB$>)PxVv?jCz32OU^8g(or=o>`TO^@{6KZB61=11g%
zV7QkIkVGPyi8|>t8tzjg)V|5(>&rQcrVv#_I)*>pkRgOT#N(|TL$oJn#GAvIEH^a`
zLI2#G_J-)Yc6XYOb+QZ;HBdgj!TgwTN;8#7vtDjWux!eWNSc?}@`{IVA^&dDpKj1V
zLR~@SbObVd#c5D=I5)26*(RT*XqkD4rVs+~{yhl@$Z!qu@8hf*L3?Aemi2aZX_I3G
zvSL=x92PqQKx9h$u0m$^?Y?~WR%Jab<uaZ#_bg`A>1(wvl^b+di|MAtG<kUZnkT`}
z)PUDz@aVvxeG_5YA=F|-6GD_Nf<_P_uNUEmDUaQj0z;<_Wk=hO2HRT~Zv1$Db7L{=
z!*4||`+J*3<lj499Dff!?Eal*RQHT|Bs~Ijy~~75+2{2hg{zG?B!F_~didFI;fK*N
z7~$BL2+__c=@HEb(nQj+J0|>)3^55ClALF8JlhG@8q8`ge-?YCV&9%)p=JF*Upe@@
z+xab(Z}wt^r$2ICLw0tbh@C5(e3{({+jBh#U$XiAO>xtF=~Sr7VvfQE`Am%zO7e4~
zES`PkVVvv8?J;%tp)xvNxp<5P+Kk+oc#B0n$~S$+N+FlKc9`*sMvVKt%y~jaO`HWJ
zW@8jR&U{X0f7tDfGme}e^frfgTfKBy9Tl^$`F%VsztkyluHr57`>@E*Qv*CqDEQc-
zjvLY-rjx=FD<5S};)j1{u7`>my^|$PLw8ADi(8x@O+|$cB*|b=FB%L4X-o2z>7O?9
z;MH$kE=RHI(lY6RwX0XJMX^dsMU8L<4U}07=wpXkr$RzLgrA2EZHkSZ{T^s)?UX)E
zGNiZfvN;(0vUe7}y8q2@``wo*vJaAaMzmA|W2)*Z-w7sUJP9BTp$8RI%#~)mB(X`H
z+@=VOTaDQi90}nUgw4}+ptmSd%{(y^y1r;SdI|NH?o2i>?$`D4ie|iK<ihQ}4A}A6
zw>Zoz`|jXx-F9+cmc+8d8{iw3fm@-W-@`vzZ7;PlS}ujQnhM<^kTjYr7qMw3%;U`2
za0l5&w>vaBX}qa;HqnQ~hzd~4D~wVTyyK){25WgDFX>hC`h$s7?<%M#r{~b3eXj6h
za68+nYX669*lDZ%ncwMDcz56-<2ARCBgnvP{n*j?wY~F`ncmMYJoLfO#VBE4^@A2-
zV_+nCbNzAE8;+0z2F92hNOgY$mkKjK?!3%<pzKOr$L)7T(p#!bl!KpYay8j;<7$8f
z6{zi3=6BnlPb<DTKl+Uvmo02@S=|@2FFufA4_bQU2I_iKLw|kM-8rlW^leGYC&p>k
zseCUWi6L-d;QIOzlOx9}eV#8jS3D@2EsgN*cX2d~TwQAlLr*RINRLNXm#11iFAz<*
z0>&@%(aTD|Bz)9Mb_G@m=b=x_kVB$&?j8Ky_q7OcSNp~f*{P7`<HxPxJLkpc*4t7Q
zxg*^n@_}2Y8wc&@p-l?cAR>99CERyRA6^W3EenrgEVbU#gHY=${B_x)m=^af7zHmL
z-nCmWUNjdx<`dUtvpfSm)ef?CgtIPhE%%iXMFOw^*hZV*o;Q&i=P<?4a=I!uwtLF~
z_FXOeO`H7ZN$f$gW4}JvXD@v!`#E-b`oSW0imV{MIQE&*;L)(bjm>s}+N!?`h2Ed}
z#CdwpWsG<>>|lewL^*gvWtRAA*Dv>Ddgc6=HnC}y(+?PuVM*@A$V3{8Yf*o^T&)$j
zE0z+If7K%7XwaoZS&{T=S4p?H2=EqUdtzV3d-SINEF0iE9&TAb=6s_58f(*!`ye-Z
zzw6qVT9Dz`iDmfFF<(JR-mmjwa^-w42@b>VvoCi{j(7KRkwrhBm`+GsRnoDxupN3$
z)CRE<f&6RC-w$Ls>~8M$h<SdrKV0`@yc-s@;`W9A{7Y=jO*>wQ(D~l+!ud<{&~N$I
z3KLVM&i1RHCA!H#cW~Yn@CfD`oVIp*AI<GMpRZ+g7w)|8kUD2J3Azqt`Tgi;-REr2
zrw;@bHo{{h1X&+r%=|qafsm4<hl?B)$d}Q^6+LP;d*3l)c1k5+Tb1=Cb*!hnDP&~W
zN>|NUJND+P7U0cA`2X$jVT*tIOlR<V)wrQ?m495B|69PzrC&x<clYS$2b~BB*aoTC
zH{W?5`if+2TkEB-)p~#gL{)_4A2aVjZFJe=P2@kQ|FxC}h9kXT$TP11y>;!Xr`J!P
zE4}7oFtB)Xw3bf$1}jO6R$G*l_a^ML)9#ekCaoUe`p5ID1byqs|CvKDk>725IIOX`
z@bl9Oaai!j=&QEdFXF|5wi=Q+&iY)go-c2vDL<UHmi=fh=^1TmSs;-}^N7_VEP+ev
zm2eS^Ba7YV+rCD&<q!zJg`^+n;q<U}jLIjoS7w1;cH3gsQEr8puZy+jo~tC0uh}o9
z^=kZ(Nb-8chZ!zI;R_fJN$3yq5rBx)DIgiIzF=o>Xyw`XJ|(MeyVR*liq`tK%geTm
zoq^}`*E~M9x4nrC2j_LY29IItQn;=8AQ^axx+G}Ir>~gg33)}KgiaIuc0P1E&kd03
zo%cMjG>{}!+=?|LdzT8Dd|r1wXuY|wsW*^h1kK@xv^?U~0y|uaArKH<=ZpnsMXB*e
zCf?u5UW*t>=0`Hr;OzVnIJR3Vc=AE*?hReXL69vWeWcE<NLcSxxJlw()~=SnZ+^rK
zU9zQ@XcX+>mdg$S^Uf&k^v%C3Z)&42rHv&sg&=6q!xe50g51<Onqoy=`wRLI&|MSU
zj);MkF!S*7gNtA!gf!^%u&v7}$OP%#jAu+~()T(L>M@{x@>~;}TmO05kjK?sNa(ke
z9fENf;Z|JzG4Ws6;NK~E3r+co>9Pbf`opq0`HV=5|3hIYs)PTJ6+l1-dDsLPgY&VL
zh<jDPzAMti#u?Y}u^}88bsyE=_sog?34u{#?j>`_flJa5DiLMeXm+4vKGCUxtY8Ux
z35btA{B3H+5mO$K6*B6PT<pzv2z65QUt5EeH*-T#n$`&HYyCe<unwE&11{L{A^9O@
zv)Ly3AgHaSIvk}LU`vWlpqUQ%A8$~j_wQz;hxG7<$_o1y*0=iO?5zcjBqG~snK;@k
z`LU)dP!b|3>HYG^_2qZWW$eM1**&e!Y8kW5FJEJFq8-6yY@%-}T9?8U3mjsgZ%V?B
z!EV#|j%!Rz_EwHD(q^EO08lA=@K*`{qOorbj-zi)CJ63cl1fuuZXXVvP2$W8I+=*8
zU;x#jdD!r?#y&qTBsGGlBC$C4JDmtK;NQ)eJX|LivL<=?Ruk+6d+Hn)yBynkN4pHN
z*4Zq6<LeCw&zzrWYXf(ca8d$hyAE9XjK5LX=AnP${r$uAMU<>|o7n3f?stYgLLwyJ
zR85(XC^k??IdxpfO9Tyc1W(2jfLkF^wDs>p=oS8W{dHq7KgUBAkV=T9`)&}{WsxV=
zp`H1mknbB;y4o1;Vg^_I9WA!35*TRpt4H~8_UpDEJnK`v&k{O>3o<jdjvzd|()4y@
zU-j5%Egr#wwieHjPFw19Bo%cL=Bg~2+z1BhJb!SeRxX+v0@eJc+T4gJ)8AL82NP-W
zT6^(=G6fY-KD)6&FwCV5;p_xKY4tUej7hnacrm0&(h67mB(l=r7G}!XY)c)Ik<N!c
z>=V+E%8Yz1zHf4X)C+nA(qaiMBijXA4dP8KP)Ea9uF?#b!KTP;8d@VH!Ky@8^&aTn
z%dw>;oJ1$n-i6ubmy={jGm)T?sv<R8)bkbJE4X700~k9(smBI*P-ZGSFdI`cFRX+W
z4b32D5WRF6vd=mZ-Gg-A4QddVcwGVig65jA)giz~s?xWwbJrl4IwoPz4$4i{t^Adi
zcb0+aRFYUPEmw@Nzpc*H3!eSdo;OVC+T_Sm_=-8fJA!N&KTVrv6j6j_EehS|K1vf8
zLqVUg{cM8mASqEgkk?s!%9X0hRgKh|iZtD37#W~yqisYg(jU*mMNvGMW=Z-kb4J`I
zk(bMKkOAEPhI@FJYtpWkK>_`O)0cqzvVkgPJ|A_ANl_`%t3a5+Ld{jzj|WQ04d%kM
zlBICM#FS`UM<PMQJ<ZoDxI4<xxvA;n0m<(;C0i;Izq6r!4;%10d$^l=Q)VO^3Uy|=
zr@P1a79L^T`SA5Bk_pvS#btS_KsOwUYS4^{zWWZ&)x0d3cC2iip<4HAd9*sf%y_&<
zLDbFu5&L}VX_A*koIi&wmP_4`{w|$VxLp*WiQEwR<3C19V7$&Q@ZBB;-Q415Pvl6^
zR-7JJ>KpG5SH(QZeX5)HmJiLt_hJZJ)R8)>ss2M{lv*QmIb%OUD`-iBr1T(z8H>kT
zZAO!>Ir1z($4pR5A;r>~n2nQ649QN>k#5JiR!-d|r+}AIZYIFVTP?!|#u&b4<yxCG
zIpCH<)nILGmP7g#4a+>4tJtL~k~o>u>;v*)`DLTDo?QArMj6P&N?w{%ediO!&WsrL
zJ~l(9`fE+8D^EwIr~6m9zd~yB_@1ZhVTTQ{`4!i=CSGPFlBniO?m+S~bC|ib(+X?#
z2{LuDP{<Ah9VD(mfihUrjUbssMrQ0gyi4^rY$}bhyN|%Qv+f|%8Jw8|nz$F~JoHQv
z71A_jO2UMtPn#1eD-`0m#xm1szq9QiYvR><`Nm>nbm0r-9r`s3G#yFOvTK}IVsn}D
z3L6t|@p#bIK^3Psvz@xqwYxh|--}{UrIplfU@jVw?O0}dy(Nmbu)ON1L@LG#6*@$l
z!6}`lrCPpZMrF*$9^H2+J)pN!=<8@TYi6)7rjhbdtaGBtX9KmXM7@0G@gSI(;=DgY
zJdL!VZa(T7A@;k!X*z|u2Nze;Cj?6cyB-GIZ*398knW#Y21{k9kHM>2Z*z2?#x_Yq
zxkY+f%D`pP&@Lcf4f`8<Fq#hq%cNCs;o!o3w_iMg>UbK1(M<T<K?9-XtNj9`vB>JD
zLjU!~a}~hJ^NoNi1;lXgvY<0o>amYo077B<xZpgBLHBL$WyXc$U|KfAuG4G)FQBBI
zj5_wi*4{C4P%53QB+8Ve4+(b`$0bVdO6)#8jps_SEH*@O)BkaXe8`R4QR4a&vssye
zBFX!+Su;W36F#TlBDgzfU0avZ?6T}$ZspA2M5Y*+GBoWTgtYpK=AYOEM5D9>y>3?b
zgVuz-L|)`|U0ff1OjxE45{EdQZY4978#w*)g_4-%6js01@V<m&D)^9+>JlR%u0eDU
z3i*-OopG-%qMAL=KIiBywgiC=_G=gmTMZ77ZQbljfmDkxZkyfc@LCkVTns^>E_jAX
zIPi6oeD{Kj0FG@IWPy}9lxG!k9MUZqIPyyrX$Q(aLjY~N18qwbS&*WS9)XiH{9@Fj
zK>ZOcJNHs(AlDGUFdrE`c0wWP?mQr_jVf4vV`NZ8Jqbs$R$MU!hG<Y_t`1jrJ(C2V
zlB8(S0l-5JSWhQ~y2Lb$>czyEGG+Eie%t0fqK*w*NMMP;H5h{l8Qpftyd(f7n~1>>
z@dEq5a<cXpn5|>0*g8pU{6iLlh_~6nX68srhhe3-T}FudC>j>!u0i`}VCKJ(c1^p3
zSH!v-!d5*c!lo6n{d&x0RetwNUA?h8w3qvFe|yz9An&2^>(R}Cf>9@3qPKF&w3@V+
z|8}kflO+10*5hqqZLNHho8?$-b)mf9%s#W!TT!u+>))P$O)HD#AMW-iWErWPCQlj_
z-241%XLYbh^01$Fh}Ca&o0^B{in9N!S8C<jX;|OGI==Pst?SGXbmuPvs=J7PzoNBi
zEA7;eSni9zdhPn1;dHKew)=CRdZLLbnC`t(BR=@{q4mL!k4nLZgx62LHW}xN+A0Km
zo_c=wCWUM3;{6Yf@oW&_-<x?RNXg7y$$V{g<+3#r9FqgAXc&aCIG76>wBR#jZehXx
za4ka}yR3aP4MRAg>4;m^0b}^V3ONEp%n`Evdv82^e?mtM+vxHpRc-}QV_Nk#PpT>h
znF%0X;T9TA+Q0AUz*VF8J(lG+snI~MU(x<}Byn36`>ssm<mZp85S8=aduq`{ktL~Y
zic#Yj42It@A8*3;{`>V8OQ&9k$V^s~1Ovp&8?-ADEVhBmu||~AVZQ^NKL&lN3t4Ot
z!Z69(_b1tC1iXA}<Sx&YLo>hJXb`kn^q`Sco2ljZd$$rF3pOh4)X1G!dTm{e*hc&K
zTLVBI;BP~(f=<GKMa0C2OI8O{F5PhOeVxf?AATx>&s<Xoie)n4QQJo)iK3*_CJ@iX
z?5(KL3QNY|>lOfFqHlMR61)bH=p5n*FT{|{{80X2>4U^Lp`=4R$@p;A_Xu?57cU&e
zAnFRq6|;YN|J!^5t-wn4*AJ~fQWd}JvWETM84A4I^`PRhaf$M9T7~p4rSeBh(wHHz
za_-0bAMVaoN()M<GaL%-_T9vP5p(}}x^*~sK$!Do_3d3#GM7DeWC_mrSE`zWCfYT@
zyF1eQCD&W-FNHqn{NC~9X>di7_@POy7J@(kp?Wz|PTi-e!8E$Bp;Egq?n<PkGX{+S
zX%W;n>&L+8po&!A!usFw1(hYzMRU{aVt=Veaq~3zJQvnd4|-LImW0M?BUlA}S*mun
zV`)5~H+ZXr&|unJX&Gkvj&vZ->eZZXkGxBEc95h{GE;KNWEY2IXxmpug^=Y)s7n95
zaRG(@OgVWi<IgX%_0V!{qSuAld}yl3#19X51{haoR_HE2Zi{g@YkS`|#su=+VqbMF
z$f$}biWKLiQYD=SRf_Y~fUfBaaz6?p#X%u=V^bD$fAPD=!v^`WPro379>jc<2xN}F
z^MKbqKQJ4wSrv^;AQa6g#s8FD>y8y?X^P?E($M0*amQch6vcgoos^lPg}Fc0H6!bv
zsr3Kcyj%3(V_x1H+xMnq%lLu4F{Ewba||1KvZZFqNT*zcd%y3jR@+Wv`veJh1JqfJ
zJ5rE$BqN27z9G;3Tu*0sQ$f48K(}`5BiBgUs3t+ZE>Gljmlzw#>mo{Qx<m=uprJgm
z6pIT~q031~=qKfy*n4Rv&nBo0q;pj}4ua7bxk%mtN9bdczmipvpm5ME#njeGr&n|A
z>HYKSOEw@2ErXP!J{T0J>U+BolOml|CbWAVf2CP7Ro8t-51wqV@UL)wqtInKn~|rx
zWteuF$n|<#H|Q02*AFhjcXqk|S6uUE-;d@WkFUlK(KD!`|E^RVxRc03ha`Y51hdf7
zybaC1BH)|;>iH|ayL9hs0<#mh5c5;?Q1YY3t_%FKpQFXodr1<^mIt=Y^5@~DAYDcN
z!7rDI^xh;>mFpNyU*Nrc5IPVIQ(|Hxg7W+Fs>Z-aUg-vjyX$mRTAT2Tyx=wATWG`u
zA9FL~PHw{~3-pw{{`p~R_j2XRB)F)WP|!C$PE|N<iVOfLz2B+|M0$Y^&GS*o=%Vpx
z;CIMvGY+X%ur%sWlSxDqlB!0QVF+E4a$(Vz>A6G^M}>nfpLNta$S^=2%O}mGOBI$G
z!AlcRV+c2~&`vCDesZZR16oOfeoMFSz<CQ6fZ(2x13E@U>t%hxmt&hDps`ZGU2M7O
zra%02rT@0%N(R5jtG_P$yh`V0G-lYiBK`Ls{J1;6vY*FrDgx(!_>it96liKp_i{Rr
zWE$ZXT>=UrvzpdS$?p!*Uhhn-Jz}>Udt7Ya6=-)LZ|?V4Xfla^T)F-=GFZP-<?#n+
z(aC`b7Kzf0*)*ni`%6lYDTjZ38=ur{uE9gp+NjR%K{?-Kv2b3CTI=guEb`p~OvkY&
z01SfvC$#2QXTC3h2-*wQRL4TuQmU`#4TFG?PKrwC#XZDAfR2@=Wrl5W8Ui?q`hu_i
zGxQ+}bmp?uA!jTAs51T&jNMsck9dJZ8So~5kwcnD-b6?yE2IoiAE^Gl$lMR~qa8Pq
z0N-CnlKg6i?A|<Nh5ZT8pc-yYc1%ChuOeSWnNFRz)A^=O0<Yj&FmDB|t4%|uj6NBx
zM6Oro+$%JI=f5NW>DqtW05{8J7FV)h>@bF12`u&O^%domz~ls$XFxyYrfMI7T;v=#
z<CQMUHf_-xE1t^L9k9|)2jid-fI__9H`24_yf#j7d%9uwMV`O*ComO&6692lTvIi_
zCxw)7(x!#bYT>wh8pxi+Die=9bUj}0#uK26R~}*LN_a0oj!!Zplx$+*sC%TQrf1GM
ze{XYKhY~I2u|ASL)!Py9Meeb6(}nu6u`yO4udfFwyAVpexMF77Y=tP&-bj)LG%+WC
zC!k$k_$HFf+c^cW2mDv1Uj#V(>COfA5gtrpmO-v;jFogp=u}qfJ;=o{$Lh{Mnd57w
zC+TftGw{ZT)xH-+aszq3iw0ObX<#|2PU_chI(Zig`o}3T=cyOS444!5;=p$5On#3o
zRIsba%NyRtHqD*T=@NZG+0WPW1_G@$Z$7nY`FtU7I5JP%Q)6Lc^vC9YWNm!2^ZDVX
zcF5p2n7)?R`{c}>AyP#<9-AuQ17&o**C2zd$Un4CVhP66;$z$Ly6lX1h{#~QO_i@`
z+vkn=lE95fowL9*OaXh??;265AK<*BPOmI$3amWO@hvg}Mq#Unn<S8oxO?Oh*I7gt
z?*P#&CyYj$o`kfFl60O{*WpD$+#>OOTT1Gcm>H7{2wH(xcdtdE0}H#38h+nMQ}cq-
zjVL*P!b#kSnv^GbVQVXOh06n9{RBfv@Q#i~Qt)%qU_^}O$gM3JlvX7xX_jND=(>p~
z60BZ@;hZNGL-PE|DFx3;*lqpao16P>n3<2|DZTKp&{`kOYpNW7<a7VwQ8V1lFi-Me
z^mUeiQKA1a)~)dVe2nQ(8i(w6WP?Dl+{UBZacN8v?%QRTh$vZPf|8GxUKdZ?l|({&
zl`a*w-IUXk@VuoiEjSOm2!M7gg9RBc)R`8&HDRe=p?By;)I5W{v15_VbnuBYp5N&?
zSK<TLcp_~YWw`eF7Gu%i0XaUJ6q6qrd6lm@vw|qd9fL%<0a{v**FE7~B_U@#1Wdac
zlU|Bns%v2$bDt_YCZ-IWUt|ZO)3b@0skZM#DYyjvB}t93s6A2Ck6Qp@n@i`?pj7-S
zel&RYGW6u|`{E0??@O28YR1Kw`tNT|_*cPaHW+r}VNEL5(oW-sT3X<2wo7^e@2#jh
zCjGgTJE^()-!a4#3N}xtM;pP%)tbNgKVk^Vg<=zQ!<;LVIg}s)B5n@6ZrYO6)`V=F
zwz@#3sB{PEl+G)t6_v;d`LeUs!M*RvLZX@S>%zSOB9$f>?5;!Gvb{i_fLTpdeA?K!
zJIs?t2e~R+%ZJ`L%27e6Q=<LT;8D%+t@|EYA8k5*A}bS-IVn+iJ>bqJo`USLEAr;=
z^7~C^eG_zVLF~DiNqIG5)6*Ez5u^SaQA{I@j%G%bbd^XJ>cibqI;}<)SnZGjynlEB
z{gmPOidgDjLH9S(LhNM(D0I7rcpN~oIvk;NNYR_mzan^29|71KNCS3DkqOB(-<d;M
z2ZUTxPGe3Ww3@x`MM1{y)JFS|+(!9lt?r5t0(Hga*P5W|6n(`;v48@m?53mY2QPJ(
zzH@iENYId~+Cp?(SIi~#mbFxyB#jUllB{VBJak5B!Ya%{qa&S=H$(CcSj*O0Rf!40
zqir*&Tm6&);^M%23-*Zj*&_@I;BmDQFOsPI>R9a3oQmrxlZk@=*1NOQlV}Xk^N@F?
zYNgG$hf+T^H8(fwW$~-}=i1&ctKS*VgdKN<ERZhf8r+|%hBiMI7XwHEY^bq1e-)C7
z|7ePn27~y>2SOXT<)&A&(FCMedZfgh4h=k4#Kt~H62`RhSAb*FD;*ZK<fJ(Jo~a#~
z1X^?Ev1rO~rPiC%HyisqUUnZ%_va$j<#w6Fa0)`eqS5X=dT$)wu}n{^*EF3GRPl;C
zFtg)EP=e9IB6D(cqsM(#2O|x{+nrx$)_0%fM<ko^qWdcXVxHZ(A@rEwtthnXuQ(pj
z<S${`5puNK;yG(nC`Ya1vh*?(OMX<ArgFwqU-~oE{{TBld?bN9?%#v%8ejSGZr{Q%
zv-Mn43yj<HVUWj+Mf%8<?fyyO(D|wP(4UJt0K9(jJwvotE*R3cDFBw&qJ`t)#*S%6
zX^>BM*eQ#QhjaR<wKXiCGasb?&rO8@o1?diKSoE_pC%*uL-_w-Jys7O0rg7p)^3)9
zP#Ged{<va*yoi>BvT(6$qBNnnz_U^=ePQ$mpxD4Ih^cq@dcS_y*lqaC6VG$U;pHUF
z1R6*RKwr>%D$D<hX>yka=xSEnhb5pa&8is9yDpH)jadAM*F57Ly2A$lMZ=dGHU{_G
zvQVQrX|HzaSk@0dl19rp_>5-yB;X}RQfUl{*$F%e%#@_1N8<v89LR7-5A*+uQ>MC^
zs?$u%=x!7IZ!(Bx{|dcMLjuIC@b3Vtnw>X}Gr`8l!Xw?6Va?9-S$s{`x2})X&o-@q
zF5ihT`P7eQtq^yCi4XIdfQjo960HD;02Eu`fr`3nDt6JCi8f5r69|vVGir*YU>WXh
zcdJsf?Mvumw{Bhqd2mEj*3cq~5iq5A8=z`}{D&}@Pm@&L86zc5pFyIJ%6)5hRFPk8
zh4V51g(0U8;iA$-svnnGx@)o=>1sL^R{z3zNZ{_A23*87qgw5+Ru>I}C7J^P|HIxS
z54%1}Qvx?CAV7aT%4Pa5R{;J4=`>B9#=}>L$bg)v;P+t=>I)qJdxc8Iy+fo4pE6_W
z{7SDb4Ukh_|ExcfZb<MdzpX*3ecZUTCYRSVNKG1g9d|cQ8{EH|kc)?v#De5?Y1jYN
zrHU>n8dn7X%kAQ1fC~zW7zzR!&iS{8tnx(wFnj+`O~;<knm+)*TyRkjfVe}h3g44g
z2E~>nQQd}`XDY#);f+;dViWd7D<SRrh4179F}X#~Vn<F)8GG3R?6KV(d@#w=ZP_Px
zbR5@q2Sm7&)8oiox+&ZLk$?6YilFlq+(Tmas~U7r{$UDl>dcS<Dtk8+-8CUg$-cye
zM&?*S=2po#0dEalhMi%WGcYCl_|reLaj_d@{3n!}80?E%1w?E<R(~Gn%f1#+a04x@
zI>4TNSFiw&bcB=~zqu)P^jN>9IN0_=WGMJq`upD?CnMy&u)TZji|k8=Rm(b4dB$4-
zdws??_FnOX-w4MVUR60W%gy_V91XE+eQhd<DJ2l#BJ&<>8*99l&M5~bmei>{NroV~
zBP}(#xsWJCt!ncLwMMRciXe<4QFpj%Rlg&tUz<n|rK`I^;FB|=NzcONTRjXf9PDF+
zRBP>|7e4*3;)ALVvhx3^KI~lpU!d>^5KhT?4X3nnZOvuejLfGC-#0yWH8*=(DDQck
z%<Pt%Yg}-D1_?GDFTC+^rC+bABy12~WhfW$`<KtE5p(cL!tGRf*Ix+gXd(^;hfk%@
z@}WoPMPHd0EBDB+E<C3868O&XO^_w03GJSSQPQTkACch173cd;8s4l*`rZnsNHiaT
zMAYpYU7%XTla*<s6?vaKQmY^6Y}w`zWTI80DibV8RmsgDdAgryNLldgY7%oO%O&)g
zXe7;ed;7E>Oo<6%K4ql$m=vhpa%YhLTLuF-`Au8RrFH;%Jmb=cW4%A;xSMhcK#y;W
zFCK&~U4E)IJ%k<3==n+h=DS+db2`leJlUH+uD0*+5)N-vcFch~Wcsr}I@fc|kcZIR
z4sGRG37U_ZFs+}I&@g9ynm{cU(q=HvRAvJli&d4>l~$L38v<_z@;;b00T<_^f(%nS
z_GfRWFyvbDLE@5Tne4E?MPMtX(gOl||1ItqIk|Q+spc}#8u6xXS~1(JsR`?%k=~1*
zGoE6xbIH{ef!kYF7;I)@GBQQJ>>JtYxN?`tDjf>N@%Hgx@ssvn##5;V+qza<N-u@!
zsnUS^X4s%LbXaLS7dHP0P^U?d_?CK5WV+bo_+M@R{{eYa(yg@DykGt}Nm+Um5wl=(
zhhW|#^VQ=fOIBVJ#@uG8bJdFZ{aXJDAr!-|OE4D~Ru?NGbUXS#qJyI@Q<a$}9tH^(
z*R^qtVN&v~6$RonS_eEJl>ND9OB^AY!Gq6jU`nKoiB?m@$c#lv!r${n3NGig;Nk>+
zA^QIhZfJs|Ay>QFlr}0?+GX34+WeSUX?T0GAzU5xHXvU~AH8d__eo>)J7M5?O_tNo
zi5(AU5~K393(+yUT@7-gr+3yaB))1AAGOg<X;D)ZGK_h8r9lO_tVcC!I}5-`)%tfK
z(T$R@wF(!ut(0U*El@yZDe<M{%vue)gu#p6Kf3qE=1*7w!m=o&s=2e1H6-<#ETwbQ
zYd-y)kkf-%Lgxx!6w)jyfmbjL7hx~S=`%{9-vCVCi~HaD6KH+R4!?cKeVNX2{A)FB
zhb-uau4RdGXnF}ic>OFg$sZQ_gDpJpO7#C{YymiE$G>>j7#sC@;Pm*wbE-N+P14Qf
zbg~>sF|GgIFEx`R4?aG0a}|96B;A5faC83)yvVYYyv0f8Go%e*fgArgdy2#gvvAhf
zeKj)R;oW~+z7!}9BkfbKeE}>g^nc{G`y0L_zX9#|7me(eHam?85SQG$o+4Z(o$)sz
zB7n4a<nVjk47;sD$RA%E+Q23C=s#tH=1bu9j#O#r&1~2vEtru11)C)6)vntNc4=<_
zVT8Ov&H?L5?RbmbHdM(#3vmHk#7owa;*#ue^Is2MPjrN%w8!j~%6;v$rbE&mZ<vqQ
z+uf)?F05^z&c<qGxs}X1k96@(mQ3H>MJBiD3!&&pOA&<0thXQppH&X;I3%;;>E(jB
zYj+aM=QP(j)r&0opo=(cIBgGUx2TYY{`XXgX(L9U)`V;huk2NVzPzsENQFbXUMY;y
z&a*sbPC@j~0@hX`eX~KAN8M2nS8u_ZkeUh<gLZ&4YJLq2hIVfizbY?_fc0EOuKbpM
z&q_M+S`VMjpvv=G_A?u|e>0f}gmBdJxb^}NH5#eB*6(|(SC=QNII;#2gXcgRlu_Bl
zxB!FZU`BNW9b2B_R{S#$nzf$ptC`3Jz3?I-vyzS=QWIRk5frOkk&&j!JJ>FmIY&69
za6v@_g_OV=g<d@R;Vh0*-coPCM!}*}98hQiAh>D%0a|yUZY>tQXbn_nx{`Nu=d%@G
z=?ojrwnM9s*NjO|T3qyj2NYLZkG&b?iG}Oafn{F&TUg)?X@^_95=gLGzf&UjvD*AD
z@=7zSjXU<KOtlre9Y2p<x8{eNxR0436@1_3_@mRWudvyN5A5AjGfbEjn>fTR3H=px
zr%ubL4-2Wsb;NVZb|axvO_v=>W|!8^gy%S0tYre<wS{=$w?^HJXQk7#dNbov2kG-#
z^;<Mmhll<xG~+^#Dctu9n=`cve{eh*u$N44vQA1M)Gw56V&nEV`fI?qLp%@NFI6Ie
zi@CV<I4HpEPvkAWZ*-Zws|GL1I!};QYySQh;3dFdZz|b76QYR<=;R@4VUB!kufb$|
z#PCI&$~LVC;Yt<o`2sOi^bcqgd?E#_J^H%PzW2eq`?Tcz_hypV%SVb2L|yKGo!gnv
z;n3Q!v=0qf3jGPKtfT)1_=^iEq<Z&Y*1q1VK|Kim;rX}o)1`CU2a5qygkow*3?vr>
z!r95vIch|9DP-@%(pe5;Jyp=BNaA<=EcG=tYA5eTvV|rT8G~axJZGN37dvF^bx2pw
z59-5H@?fh#b~o0zQ&-26c4N1$_2c}5rO>1KEwS(;a*Io={ZWAI!`8NXiwd`~Ykwl+
zh^xVij)#LkMnCQseUkC6Ivr#AS~jIVKwu;LF>qC1tZS;$uwW0!XY9|98J*HeHSI%o
zv?xc^t6zF8cBq`~q=noyx3Nh)Y*10HQP!GxgVIWR7Lcm&86-@_4NQm1-U_{u`)`i(
zU&O~NU%nzUU=+V<s)~cYwaji4Y04Yl*omoVtzQ9keTpK#cQc-XIqI_f>HegTeVZ`E
zwuvg<X5AP*UaTasMQbFtOu^HM|EW<Yjr|rYjVxn*2spNlJhO72*zbDstq`37dCRpm
zKnawsw;a6{a`Y>9_N(1NE+7YD_(3hw9fKQEPl(i6+%`0>D#hH!&kamE{S<xmSyM*f
zkFK945R`*RGv^WA<Wt)hS5<zeW2orW{L_J&^QKula)_zNVh7y^m$l)HW`)LQLFnFG
z-j~niLma(0))A}_`L_sP&X?CwtYy-T52|ZxKWAIoCG=;OPdk7_@{keLbn+c$Rp1Cw
zy-Zrltim#l_#mL##I*0kwaTcd`fmYv_Ej_!VR0qN+h^Ko>?zcK)xZG7-W%lg??6QM
zK{9BS{FC0#1zzEflV8TW_dSx&J;vn2ABL?Cyzvg*x@x?1@<Kq==Kh;{_8`>c=t<Q1
zHdhM99sd!K4?C^i$6_w0wUILj%WW3=-OG7?_rv$jy|>{%7azPC8DS8!`@K=%z2drx
z4}X&*;*c<OH|*HlCNaYA?DR+YCG)9X>f`;%@mt}i2Z0NxYgxu7>u<!mHL1BjG{a9u
zrN%8REw4f9*RPwrYowR74?QrqVX-!+TW;TP-z>f~Cs%VX;Q^I2N$AP9);3Q%4SA|7
z6g~b4?T=<)7$o=ZkMMIvEhi8EN1S`*Y04-aHD{;q!*r0Hg;X~iI!Br9XH?DZG12}9
zpQo2s-TM*LCE;i7*yZj(rXEE`$)$&zY$lQDK{_J^EU&OkF{kqBzG=|c&duUraUBYZ
z+ksyjhMpx`-P07cZj1@~4aDf09!9%B$NH{AbxK$NFLkX>r_^zp@sw=hUlf0I(%N!<
z-5KK0@$^A*(=0BRB_L8Rlw-gG4X{1L95)<$3Hc?pSBKJ6wqIRpkD><*@Cjgmi7+xV
zL#(Kuot5v-_~VVyn%aC*Yx&@rCyC5bZaKy!VKeXDjEfY$xv3OLVuAURyS)-aT9w8T
zJ`V=A!S3r-BPPYeEs5K4S2&dKy>kfcf7DPk^5fn4kBoTOozz_Wu%iXP@z9Mtw;Yk1
zafOs@QE8=ZJ#&t8Kj&&dm*H{}&!Apy%S45bZ+HpyI}`v@F!|}>WToL;JxQN{Rc&hM
z_H6eVecqg3V5*k7X<~qC6(`wr11Lxj+Tk%Rm>k0%ok0|7Chh(4Mo6zF|3|uXZ$YBo
zDr^6EA}l7OlFpl~`(*J4=(I}Zl=K^C3J<j^jGuirBVmFJjmPgR8;yx2XM~AR$L)`Y
zpV4|htVZZZ(UKzwIftakBM3`432mR)ceA7AQZf=`qiBt9Q0vEk4y@8x!=UvWB4Q-+
z(E-7$DY8b&N6!9<%v==xZy!lqYIOzn<ICL<p&hE`ape=vv*maWqB%!Mq>@dsyx)df
zNod@Vo+yyk{8<}qIKaa&^$YvI!Y95b!{a4t*HTVLb_hZmVUHh9|1R<bbkIJ5_&!QS
zgO?56-b*jLf`8tBNnZHTCH(g)$B$=yluL__@r|h}S3n}++VlG+WQq5hcHXAY(pT9G
zr4~iJ>-zaI30mf|@KxgWV1!cVI`O5u69lac`!E}F;>(mAo#8wwcZuEcc`<X^L+ruA
z*GB*k8!sDh%c(gBlhaJbL<AauCp2q--@-aWO;|=hO$yVi&3*YJ4~T0A5OVr`Uub_s
z-lkPh*&+>xs3Gpfh9pzTEf-ymt}<94pkVsKgY;TxqxPnK1U}#c>_uRQh?ib3J3HIK
zu6j_B^JCmSQpiv$Thdb@LBZ`a#DOOGlO`i5n^00h?Ng%ejTRJxTz@hk6^nM>b{YxH
zQdmctnj|t)r&Hk{0c>i-Lyz|WlOav8jOVA#jtkH0s^CNGK~pnw0l~#f7k;)*6T5JE
z(;-Q<ttc?MU!4{m2$K7~-FH=K|6MOk!D~ToK?>Cj6bAh0K3Bdkq8-~6<wqJ!SF*OV
zmE_>;T0!U7_9clyq?cVw`8hRcpj?do){d@rFJ<4^uQBhizBlhW<(cqod2~`y15xP-
zpDEF86)=(lCSpo7Ak+sm%X`pS>d@~;Rk;H>9B({KVI9PwBLq#noMBMtkPmZSsiXA^
z0o)6GOb-aPG9R6`B6DKG*e(S5R6q7Am%E_Ls7EZ{<sb*vER}RR(xFCgf3=(OdeR$-
zBkZ6Rpqr2eTW*ykqkL)7A*C2XH}JBNX#k=iiIKlIdPMjss=rG$AH!jxq~dnQ&6(Io
z>^48ZXdePZ^ktK--@9)bR)F2sX9~dw5BSktr!9u>B)Zw$dU-hiWq*>VIr&AZ2%;#4
zP&s>fa20Ct)|~peBqePjy`1{aKB5CbNF?{(gm4Obi?79N%(%0YLVNBmi3WX#Cb|2S
z9(Ax}2GKXVh(20)*AsVI{A%^w!2H;I%ul+qE9nSPIu+E(%aK<qBCkl|^GZrkN11|T
zt`PT@*Spg6zF=Zkl<*{bb(0+v=seK7qC_tLD!Dk!Qx6P*y39PW4y;dB)c?`8O4*71
zG{JZpWi?WP2YZCUPF9sC0o1=f!O4}rau@(C6X{%lLlKf$RsJ*9Zp%k&x!Ss)GRcwe
z_*!0#4G4Kc<n0oI9MDB*^YL-pXX%u%kWW2oK|sOC>TgXafNjPjEm0z(WJRdm-+G6C
z6JIuLT<Pb+-PXmhUws^5j3XJaLUjNE5Lzi<E3)oEMvIlMm0}WzUAKuMm&?d0h~(w)
z8ra~Y+*6l3&d+{!XAB0u<5Zp~BTF@{RgbSFK@xO&K5dV)>?P5U;l5FmUmR_--(wC!
zYxT3E@eq>u0=6r6)bQR4O%3od4Soe_6G9qX8k(>)SDVckH#?offPPL9NJ@~eErg$+
z;<3YzNw35l!7>;=c5ch5;<w2R_XG=Bp;(Vi5)BIbGLR^82R|TYniAyY!=?z(x}R?I
z+Vt@icVUGGl4D>;YSau@TCZkwpP&Aa;E9KI3dMr83L=_1I}2$5mi;||qN=AH9;wlR
zM{;0KsBc%r+>M_ulcs5_Xr7_gVO0~k=eIKtLB2Ibu26f9Ai=L_a;-c${nxWC3Cy;w
zV6fdHe=Y$=$brghO>$%2kyz>tufobFmXZ^I#B<>Zfpz)_XHw+rWcC{wZs%nS|GhIs
z@CPKJH%xuUF-Q35+k?qHk<rBBAzll&)07UE!q0*Dd-912n{rL|?8o_;*hiP`J3PHo
zZuNFujpfpuQcu1ju234>&{_85Bqb&>x|Xk-lZcXrF5;@(T=d~<<0)S4>kJ{!D*p_G
zf&FLAWxxd=K_Mxg?Irq~=FzYlD=XV~7TP3~?-JRcJH?vPjkn6lhwqnjL|Os$At@0J
zC9pvW@`v{VDkyLIxXPFAD)7~2;j&m8r~(|r8{$8Re_08LYZ)r4g3@T#J6d-=(WlQ(
zuezz&%LjV_8F$!jR*86SJ17+vCnk0@K9`)hnlsx6`ttLI=7$S;8Q|U@3)qDybOSK<
zak5wU>7o7UXUkiqW?KSwl>E>)7Ouoq=j-!V1!s${FDDn>pHFCb1APyiy~u`JA;-Dw
z)`#k%A1fQtLcTQO66Kqaop-}?)*`kY{sW2hA&&kB)0XxD)8-+Lu{wqxkp)SX7Qsok
zt*08Pf7t4t)BifRxDotyM?liAU8or2E_pgaW22L^Op>WlT8WJKCrf+}n}2L6Hu#pz
zxV;cY=63(b$0D0g8!P5%AeXNmT-xFf;1)m+%Kzy>gFvd%p%wqQ``PcKLYS{4fQk*L
zxq!(ZP{Sf`$`;@2VMB^~PP(4+q$=(m2lz8HWaXBxsIFg}1gUGnP4FFX?C!5CJ%^vu
zZUdE%^u*}N@4vq6pDg_d|7}*0hq)FN{_ZE}#Q0f73?}Gry=^3H3qZ}TgiYytZW0T(
zIvYP&u^OyYUeY@M;ryW(Q?j_b0&U7M>NtBpQ>Wilfke_ic0~!>ML5KoCKUo{87>2B
zhmzg>(S2*xfkt+$mKIt3aCPs5!{_Vk+(nh3?_`E>>w@ReLzZL5iz=UXgO|XbAHqg^
zrx9w<4~J~w_xIwW(@HFCX6}D#vtA9~VQOL$lY%mgE0;AF<8nCPO1j?iABQJG_b8vQ
z4Aw1#C%lIr9!u;!EwGb#F!S{x`*`sShmTQOevHD!N^WYgBPH^|XK;Fb7UTAM=VJx9
z6c1X7h{AK}sA~OZ*9X6MP))eCb-`(>90P}mzW$q6o290LLw13(4(#ViIzFE$SuG{j
zXAE`5Up#L%{2(#?INs<*x^*)2nARK8$qTSD0TzFZ5P<j<-}Y5%?>(cJeTokM3HlYD
z=Bj*N1P=f8Ht*^t_H|m0L2#|}3=y0biJ62~sKS40#I?X@!}>={((DhJOy{4ULYtmG
zvDzaoLN|q-q)B-PzPuZ6l;s^%w)tt|Hp3Hw*6O)R+xXYAPj&i|Z|lBQ8QhLZ`9lHC
zSmV<CGvtOKU?bMv!l`aPdtf*uMK;^)r5OxLUfyx6GD3m&ae_p8exNK8xOE!ev+72R
z?sL1PeAxTqUQTATaoybyY)#w8)KX7Xvm5WT8NE2ZddaBx;r#BBpZ;jYT=rQzb^l{W
zB<H`0b_wPa1*tF@)W#tgeE0HN#{owoA*i2t0^Hg~0nyk0@HKpGXEOZMt5qY4n?|{o
z@&?+eH&I|`KWWqMlfrVYCorcu;C;aucXfEzUlu|K!u8Z?pcLcqg#=Ai3?H)Hxn`0m
zojOU~l(S;}V8&aec;{7o`6khMl~=)Gk?Yw;IhSc}vxn{cm+jlGH@4M)Ih8`}NWRI-
z%nQs9%%GXp`%8eJr`Dy>42JXG0TAX~X>_qsljU0Zor=+A?5-ZLW$bZVCI|wiBlpNU
zJW;qsKO=#RqaUjq+kY*|tX~PbC`(nqZIjw=q&j}Jqs12r^bvwlNRbaQql5cQS0$a3
z$)wfY_kx~^OUh5!LNpqV`B(hCFYidY)QO|0>LDlvVI1vrjubReN@cuitj8{sS5jA(
zoYs;7bmZ?rIaDPQl5)HMwyBfv^RBNqH7LoVJ@^Z%jc^BiS)|c78j(zozJcD<J~yVU
zc5O`f+>B!k!%RQ_zE$<f)qfZHTW;3JYh+kZti+tagAFH{@ga{#OP$j%aVZ*I=ahYD
zWtcj7jH8$?&g%5ck2p~^Suo8KP6b_5;8M0+T$PyL$h`F4@3X=a50ihrWbGM@rC-s6
zeu2VJ7pP|0_&ojisMmdOV{Cewyd?O$Jl(`n%YdRq^>=CVGPPsx9~@*aA<|cD?5u_C
zba-q=Wwdpl+-#-%_9)<uFrjH0m75C<ONmOjvc0tUH{k3{AuMr}7dNFoFoiE0^nPAl
zgG>p)FTI~*LbU|vG*3IR`Hg-h{<TS1W9>cy{khzbiH?KbSn>mx>xsPA4Qk%vqXX-n
zKGn8Qh94)4d~shh$?tk62SV=;XYe#V`Irv21!&$1y{uooB)P+DN$I%hlLMcwWxto<
z5UoGj_Sj=ty&6XStK3t_>(+)DqZAC<E8kZ$Q`bX7wUTtJf^sfmP8>aV3RDb8+cU`n
z=fGa}ko7(J4YF<bMRVq7u}GrRiKf#)IIc=dAKS_ye16zx-{G7{I&t+W0Xkdu);iFv
z0kroeArv{d`W>jMO~-p2Bb2z6K<(JZ`#Z`cTRY0BR1Pwc4|c(aCdOOT*=Q|J>~c4_
zj%hS!GF=@YL1#u((A_R)g|gm}Gpixv{ie(BflWk`%7DB`r;-usxB&SCY4Hn0ueoGz
zv$rgB1SKoPqo+Cc$$h3q5RCNI%>a(SCc;E`dy(pz{2l4~71&FH<`wH&Q6Q}ve6W>)
z8E-X#wqb7$QEvmbun?5(O*o4g#`k4ySD>xW)UIickmh4SymHgl{3}?(Aoi(MW<1Ad
z*)kkYhtpsrH)-o%X;e#15h9&l+)jh>)9Haz?VDBAMW}$&%cS`3R0+vQl#I1Oq$v&P
z3d1;woIGdQ`Zhj-b!{&;RPerJ4NBQpFJn~p9?m2#l~1YdpO(yqq^qDKYCD3st{+e6
zr1=<WG3Cuw&b|DcPO%F%M5~w9te4ZNo2pL1SP+7kU2c5JhGeER;mTKFQhyfVVrnW(
zg&M-g$P#1#?oF=&l3%34oB-M19Y%w8)LeRj+K7HE^fV2PJVH<-dMo>h);$Lb5GI=Z
zBuG{b>_jy{Dx1{(J;ckRq)@GkTqy?!Rjq6Bf9jFsb}ZJ79?+x*4pJdiZ}4$C@WV6A
zB30SY8Kfj&+HY?f^mO<{`Cc6sgK!bVJRE#wO_eXTRGMbur)d2ZG}Zm8jS*Fr?YNLk
z<ZggrN-2p0uMWtz#iQlaCGJ&Q1(SPE)MY{e-B)~61GO*~?zLyh0OmrmlE}y8@p9V6
z`m*Zb(I7PpG6~grLBzC?2pC&}L83v$U*1{|dwv&EB~1x@?D3Jq!;eUhLXXYD0Z)(E
z7yU`@$RP;-yerNv5~<b@PdpH-J94ldIM6TpykgU6c2Dc9H#Exq^rFlZkTVt0VVX-_
zglIcRYY|0cMrwAS0Jy9<6*rrS1(?TDoX6h>0$1v6LeZwSqj(SLqXY#uc`mu_2k|3j
zLU9Y*0POV-S99>EC=h4gQ0FgOzkWXvy8ozY0v<Wa8D|!Z@y(7mfc3ilLlJ|~*WAKR
zdc+7IU5J^^@Ppj?(c{nAiM3zK(@f(q?l&{@GW0U6n`6e0ao!B5PdukK38GIm<v@kM
z*e-Y=dVYBDUdDU$WXLb8kYSjj8rtiIio)TH-70^eTE=ts>0&dS)|NX`-x=d#1z;jF
z1MG=q=*gMb4aCgvyRR+13s1g%F$WrXzq`V0MD9#vrk6Td)7tHeLI2!auxZ}9KYR~3
zW-Efcf+8(Bz{yhC0%(A`{RvbHTGrWImfH~|bw(kgF#}@*kJFJarB^@v%q2n&^4RRX
z&8)X0MmKrdm2|oEVS(1Qr63NCfQS=cXl3-y>k@=kGD!o6KLpSK2WZvm#YO{=ARnD#
zfU4;PZrYVZ0I#Zni_X5CSgy#W=<E~xdOSORbl8%ZKP%LF=h3HTRafqEK=;YEkFxCe
zs_YO`CLJ)REe}*{7*hRnB={|I<rQJP1I-XWa8`&`i-e@48aENarT*|6sLj4OOrA{r
z*!*rU9O&Y>w@idydP4li+YE~l`Y2@Ly;m!b_*QA~=`L{*0f|*WZ(>y-95e8y48Rfw
zI15_<4GbCGLtM&Ye;{v}z#asCb(B1Un+>b8Z^0@<J}hZl4`sZgF<MJ670NfJ^KRP7
zO#^1pO~%BhfrXYbf(W2xQ$6%dJe&KT#VCC`>W07pDC@()xHO>J)Cp&$>)P1)7Ed-g
z4$1JJBwRh#+9Vp{_Dnv0JA%UK4eOt~fturW4^KKHFx@$`oeHN*UyOZhIHfY61l~$S
z?6HKv@m<|(a?uw`5;sG=1HCg%H8R>Vqp$XohdNvWr|bBZ`)5&y62_|Xry3q<3YM<W
zp>;cWflrM1h!O2jnyu`bTbkbrclk8ERx%!C39hHO;kQmNRUa)@(#U<x_#G>zUN=cN
zihz+IDdpe_zUf40ITf(Irhvd@&R^-YRg>6SdIA~re}?qCeLqp?>0F}=Ioc<Ntbs}t
z92v2_Cl2I>1TY)WUP-VH>F@!oG!1El4uU2|l~Jb}&p;jT8E+8w>*ZEmMUDp#(aC|(
zWZ?WVPL<9cH%{XQYoQ!r5CtrT7y(-`DGp4~CV{W<EIT{_Wc!-1EyI6Ln>!W<a-H@k
z=_gj`UvNpsTJQ?)l9W^6)Q|h0g%#pJciJOAV~o=hi!sRmeB>HB0Bi3A)Td1UEvyno
zcUr3x#2=knTuQi^2KyeIQEOEmo1Sg61(sk?)l7iC(SNv23fJUfFQiVJA2tw&X8e;5
zAPFgb9JulMTbU+aCm7J>rMvrlfsTZV!RS3NS6P9j(7c19p3_mr#1{vPa3LzO68Qj<
z{0zPInxVd6RP4RI&j3BL)F3s9@j=$p&O`2LGI^=$7;VlCS5LvwigGFxa7rAf_X6qt
zM?*-tPFfg1)&U&EAHTrYFH_#XSRqv3rQ7246-Ks$mmF9~)n~@(;*80N2K7g`NKWdR
z@#0LK1oE&7wBt2mdrO7)JJ|N&*MY8|-#g65=3L4;hm-9%HZLl%|5=PY*hdTON*6O<
zs>w<mvaQO0S`8u+9Ja}SwS?D>@;_$Kj@&hBSSfND;B@7B>M$?{_6f(XsJZ-67j;T<
zg;VCO!67;7q}5tDZD<!d@?i|I{04gKJ>pu+${A)Ldc@}9bQbV`AguR0TLF;Z-?RLX
za%5`)^$$57*SCoCQ!YDJw*f;YpGj>A0c|he(vfMMtA)xxf7x?Lxm%2T5i9(!w$3}6
z?fC8ctrk@+wW&?bioHYa(I7T8Yt#s06rr?cTdHQo78H@%dvCR>MJ4vC+ACD4J)UoW
zz3=Bd&wcKk{FU=PpY{EW>-t>R`xUikEPnqn35$%2kN;y59+VsME;6hN8ey{I_n*@P
z_TV(lzM4>DCI3@$6#yg?w~7gFHHV91gRasaQ2xz92f#LBXzdJ&@YKgl@SeM4B9J&{
zORviYO#fQuK?I40^~>*<8nPmCJMkTq2r+b}(L%MPXVhzh$Z=wsho)uuJ=Z<_2T2}$
z6xUjT@XdpzX$+KMng7a7H<%87pbmQN4AZo<=^2Y|0MQwlHa;4a(R1*K`Ghzbky;mK
z@c}R}e4%3mTB{SOILDL-ar6UWF_%$ZYi3ST0~1mp*hu{E5M|(X=*LoUaW8c%sRKiK
zf0-=0!4wTwfidMiV}5KOOO2?OJFug}Do}?TchRVIsuZ0d6uTxD`ZNvilSG9&D|G>e
z4|2epm^at|mQ%@FJ&XuTRD$;7b*yl_GT+BH{M7GW4&-ayO3AGHQPEF#DEh$wrq`sN
zE=r*;qxKK71JNHiBbe!n+8ZF$r;NDoMJ2<8nJRAN=GQu-c;hP^Ck^Q!nV}#Fm_=&?
zfps^q-3Qg<H@F9dTxu<{>dx795|t3P5p%+2!fnF$jyTv4PVGBvwzuaDe2Dea^ZAmR
z{J}ZeEtF*(-GGWwJ6CpDFA9+lu8G!qke~AQ-((ul=EFI5Q{PW|(@m&u*%>(<`pImk
zH}cG6(aXWa^Os95*|zWGUWADb)8+m}6Kno{tr*AcEq|7Jig6%hgrK*+o~p;wVyj~B
zYQX(^j-i0MPsp52AH=M_=uj2R9@%|<(wRX}N^>anj8-R7hg0J(0_P2Df_Jh(LH-Cq
z(b9+C>=+@-5BE50AB0YMRZ>vASJi7||F<98@vXEL@;Y2br+$rZn2aob5ofpqwvwxP
zLYVO(=uDT2D-|UDvp$?m+Jr7aSK24G+rOmvSA%_x`<yo^t&u(Hz^>YT%^UM<VfQjv
zHiXf68mut}cJt%6@B8p_jhKJr%PjWs!6`Ew5J0$M#weQDz93&05S-sj<WN9A$VXE=
z&hg46Q@&QD33|*HGNcQV&m!XZk7G5U$md;f&w;6R@%z0`qoUpND=M(tBhrwc`%vq^
z^N-#~Q<!FCmcM^3*)6-?QhCSk+87Q2W1IVkOp|i!n2QMb;KU*0**kgBkCESikXWo;
ze0bDfM`Y80jPjPEa@)5bCgkx2G~s$)NQ%Xcjg%}k*hu_iCJuJtoZAjS8vTDWW~x3?
zE8men<zPi?rmlt;#K%Ds_<&*5m%%IES~Uv)=ax4jv2TSlc<!l~utC^evQIg@jy7(y
zMeE(qO+XGQ{8ai0pYGoZ@ZE~Y70%s{4PJ<!=k!$*arjVqjUDqYeu-3zkFuZVG2hdP
z(OXfITOXG6_`A4z6s6T*JrxsP?+ock)nNS`6HG>WWDkC65@3yaHI^|(L;^GkIa(Xk
zBDZ?cqaR*(Cq{Zd`1I-Lzg>Tm6wUXjR$RYpvQR~kdU-Yb*9<PgiaTYQPvb(=QorQA
z{{j1phPnH>YMgsTW_!xKX|)g|zkh31oA1ZIvfR#x24!0E)_XCX6e0}VhFVl;23(Fy
zw$#oSdty^fnkuTi_x|fL{HUMKe}OQI#$v!XR|5#ffATf^=T!Oe4d&Z~yW}$ULK&X7
zg=qAC{uMHx$ECRadV@pT>ctG-2V-k#PHX8re?2Obt=#`?KLZ+ksu^!XiwV)QmYuv3
z7S(U!u!f{ce8cSd@XsKjG|F<T(@mv>9NDT_?)jme=~@eQu<<4{`WufK(7=bIR6@g@
z#ibDs|MO%;z)48@C&5n^w1B3i1js4YqFu*m+&gko``n)oC|7il!X_QrEPLWr-^Xo|
zQncSq03fs4tbh5Nn<VHcZIBMNh{<H|yG|c_CQuf<^o=h$6J<FHNDGnwcMB|nzBdP(
zC#XHXPT9xcwIaaFwWo({U^4(&xa5k%&Moc+`Xyq|gNj2j)RZQ+oA~m~ms2<701aqX
zxH<<hNtS0@*9S(8NV*|@ZN7JOg8Ekfifu$H*O2(Ts)pX)bHDrUeN2Nnb?!aC<ZQh;
z@!WTm-xh;Z?#)7?`<iYK^Zzq<!+Qtw^CURYEjMf9)4U*F$PdQ_+(m)^PSht5_GzY;
zuhDm23Cx#5ENx!vl_maBN=K#Y0y-Gi^E!E50f^1>;{&a|DDl-T407!$=}*UBnWg^n
zlw(r9!^%u9G)jD`XCYFWa-X~w^*G%*US)ep$-FCesl}=~Y-C<Oj|qvUPTiL9r)CL=
zvwF!nUnP#d0ZoTKeSd4|cdD9H{}Cq#VA+0`N;h!K45Oin=>GcQQ`^4{$N=dAeZl$5
zo#a_0C&jxFtOjp)QcQ!6Te%#9-gNBtVHr1n;F;1`f`bFx24qPn=&FJwFwKcn9ahSV
zH0VkyAg9)CI=BQh>Ktrd?>GRv^T4+t0n%AGuJbTkLfc5{-|fN(vf$GKoGKDw4SD;R
z5-sy1s+fUL&updYGd9bkG^|w%tGco*t%thOe=`zopt$idPl+!p@cKtR*^+Yuz@B|(
zm+4Pf%$BIwa~y7Z`I#;*k4C@-xR(3(x_b1AgpG5EuH@ol?$O?~*tpT@R=$l$B_Vqp
z#}f>(z3Vc21?^Q;CrM?1c$FoGVndf4Ie2n>PSO5%>fU$cCMF)M{$l4zUP|IYzIWD{
z>=flL8ULs2Ptu#_5Oz|Ix)+{iOr#fH$`HzHSX7syA^Gje7xAP=^u$G$@&SsCSHY*x
zILzQlAoS{nU%V2Mw}(n7R<FecLN1aG#M<7QT{F$^1nEAc+eoTJy6_Yc|1&;wkrX<4
z)T^yOt2%krWfv0tcvNWE?(5yJZLM)Dh^i3<O%j!c#WH=mz2hT_E8*+$irS}=Ian@d
z4Y+ZCup)sdJ5}@OI%j<EL+%0|i-%t~xytr;=36y@C8=1bG-}|YSliP{=1fS+Ua|7s
zi8=1o<Ctf)=m*>tT$c3(#NPt~4a|GVctLk9P0Y>5WrZJQrwjy|XtmyVltoBXRaUc2
zO_^ai>csXm!NyGB&KHv~VN$T7`gEZIR)AUG-mrIRfjM#7B^0**;#-2joNN%lVX{_B
z7hOFh8G$SEeO&)VVxfxTh2Ld_SP&wKavaTL<VxuHy;^;aSmZ^g3+;GoJqxC$SSO!F
zQMFs#lr+v%H?LE!PC#@K7?OVMwXi!9BSHf<Uwy8~IMIk?=?yBhgSg}!gWhek`0l%d
zbAbonoH3Bc)wG~5w?}yW{fpI7FRNL365*Q=R|a^q_e=tw#qE{r4HdJ8dbUjWx@vBc
zEx=UVGa{I&IR`r(;AlgZJL+6Z+S!@|srGfr4v#H?Ead1KLp5Hwnn`4xWBu)IchMDT
zNTFR3%5D45xCr#J&drLu4jC3NS!#d`%d9J%X`sDTjR2R2)9;W*5&?azd;P*c;5@(@
z;pO7tbe$22LPypZ_Ebjsxa%d4gPv`;%Ln!}5zjF2@H#xosC{jb*qAy4iaGd{*H`lD
z_v7vM2$lePb%K<BpDrZ2Qxn{Y@U9np@6(|OV-#VZE-ERNR)sZ}t{P$JiO9b&cse8A
zF_tv{nH9=I@pI`|2&WC82h9ng<RF}N<LN2Lq7Epu@Pd538Ndbpyf{1PSphtH{pFj6
zu3oXu?X|AWb2AlMhLT1#aI@aJjvCTgZdMG{<h-lJ!}X!qk2RpU!B|PSU_ko2E#x2g
zKri%9$z18$B?I1w4>n!pi%UjVbW8~>KpK5*z|z}|lCRg(6fz(ws(fg`v%jeasxQ<u
zd~if5PPv8c01@0lew_q;oklm_omrd+df3S228LfRt|YvHD2SI%%;=dUDQ@2xFZTO8
zdtqic6PWvWk<P+*QHFYEnN?{|=?y1bJa_qvb&4l~JQr@8fD$p5$=mIdduC%U!drTB
zCBdDpLBLZ{Z2;eMU8dGILf~5`Xu)XL(M`PnAOY;HZF!H_f@=Vp+Goji;ke=mdw|{O
zoIBh~T(#!&t3{|k!R8w?Ht;n{%$hK%+IS?@;d<>sCEnw5=eJ6{yF_Yz_NxvVm~yZm
z7wW_jMr6-3g}wGgrQtS%5L-XlcU$TBX8!gwR~*B_Gota@Xq2QaPsp}`%dEs46wIY#
zUT^F^K`qEt9}%wewzS~9GlCVG9*{g_3o#}mxTg+Mo!*`^dfCq`C;7m~nd|{}R%8fN
z<u@bkXMl*B-Eo#1O2y%|CB4!!KKyx`@J-M2`rsJ^FL(r^9~T*)2Qw~%_vQ{2;%Ady
zDNaJcIW;J+vkvq!na)>i=6#Kf*iO2@nvM0Q=s9suJwjW9Igi4ODqO=bYGHM`Zf3?&
zcpSFm23h^{Smx-2Kcfj6E?jR$3cd?0^u<XM!G=aoCnXN%qGJ5bEkBDRtC{8XYgM?g
zJ_EGHZkv@D!(PBJa@%Y=Xc$YzmS{!f_dp7cdsia)lt%?-9{XhRX9)IysU1~dS&z?*
z$nc;7qpD_n5ZvpP;3;iH5gj_?_4dsU*jKFNv&3B^5(`tQ-MW_+79DsbpT?Zu^CIw!
zeY)Xb!EC9n!gEvnJPbiZ0s#{Va{9Rt>^IqD`?^mjgU)ut$raMY;Z2rNT$EYTaM>;&
zsQL`za9|LBdrL4j;~`kB7wXGmjAKHjLlHowZ^Grjzn<mpmF&3bt>)ywq(xsVWYv$x
zY3?JoX*~lGTJ~+?YLx29XDl15MP|?I9}&Cy#Z-y?ri@Q}o-tHmme6X$IDsylPIt{d
zr4mS)zQt*%tta9}vuZT_17925R5};?EqsLP8`eNd3p^%|;Fm>&)z^-dIe*AQQ#h%|
zatTzC@}U<NS{q(1(1r$2SE;-Pdi;~^ZP*uVo;}R4dFJ{BvmbuRyjNWiW;xzi8R|VO
z8A#|(ngIjWXw96iZ7ZJ!OYrYx&{J($*McExDfkucozvj#`36RV*-v!L7jBnnE)%dT
z>zZ!$8l@Hj*LOxtnVWlVzg~HUDeM@k=z%^_2alCzbo&qcfYC};GgV@Ql{ftZMnK{o
z?SA`Yf%U@fBz|{h2hs&^%+S;Ch3Y3rDHi$R*y;;o%;(6Nz7OtQztP0v8CfTG{Gk_q
zD7u4ffYbeAcv3*&*4)uT3a&7n_t(0%IaU22VlHU+vD2V31;Hn~NvPq#8Fl!~E>7IR
zZ^yQItiE{$M?LG+o3>j}s0QO<%d6~T+MN>Y-LS=mfeBqnzSlBs(WZZ9K7x&SWheKR
z%Bp2RDAdVZ__TIq4a2_7osr%13kMZjB{}>O?j?aV)2jwUlGQ|T!p%BIb6!t>4`jH{
z{qCW2y*gfd>|`pwRUs604J1gSZ<(8H59_8k{_WcbcS<Xl26Zr``r-t(jY!<4eVW1z
z=Q^QDr7)+CSd<NL?bqMJmEM8JwO}R+HQm{r2RF<GUcCvVFyvHfG25i|#JsXVOxM%Q
z%6M*dSjFhX@+n`7*6iK_(`@AE%!oDywukZ^F;5OQJv`~?K>Ru*3g4~J{lWqdzRjq5
z<o?aW9HHjM3#Y)jn(lq7T$;Gt6JmXNtRF)`nd7rOY4}3H!LtYj+-)>ZGN|XH_!Hcx
zy?%5c?i$uTT$tSGvd7r{{Si^r{lq=Zp68nvzbJw^43xSmKjTz&yMWeC-R|t}pD^_U
zG`w3t6H^9~^@UFrx)u+GG7PmYxc6qNpl^j!kmuRi)K-k%m(VOY?m#skN;~Vt1%)<0
z^b0>D+jNOxA326)s&32+--FLW=j)%{FZ{Ca%mG*DP8dNHjavDA?SdxRAVN`m#IAT*
z5Zfr!%5(Y_sf!ce0yne4ykYaJiQZn#^_L_Cn}xkAw1B7G{7XE{tbTp8RBg>21om?s
zORKnJdD~B<PDYr(Mzu?+v;#)!+%JA28J*5`B<CzV`?(1`OD>sn$T&*l2r*nDMqkej
zq*uLxnXmD`??{3@<c(2WbLO0^q*_Q_TY^`!Or-@@$Fdh2VB9NiHS8q}1-#<@fEVYG
zL_^j30y4c2Me!*5I#du2IY|2eV|Y`_Wc)<wncf>luR#4|>-_gM>e^uJt+z1_A_Bf1
zwWdeoo+&%%UWZ<!x}#o=>Amp&<WO8P5-tYH=ALg_>x_sBWV*?ycei*hy7`ciNn0uA
zhu*Y1tLVL2WI=(FcXFUj)2?9hx!asf1xmdLRgvNPcVB1P>X!x^WAS%5u}s_IjH#H%
z?^o+@I{nx+@pV>rd0mMp>L@gDYO}Kozcb$-h|p~GvbpP0^ohi6F&tIMd)IGz6w!^x
z__4>ZeKR6Axi%Wg@y0n$^cd4?6|i8S$Tfcl4RigZgQos6n4TQ?N1<k-GnB#Tvy0!7
zyJx#fnt{ZnCS*nD;jP@;jwG{Q9eZaI&!{$xhMnCNdNUL*+%8|xec^h<@|BB{H!0U`
z+XsbiY!aJ-&Sg}-xUM2;Te~HzbtYvv89-a>vwZvJc|PY&*Qh(_G6}1SZEf>4&p51B
z(W?z*2|L~u3q?JKWCCu(NPa#2o7h_|$wWr2KGU65uBz{T3CaijQ4qK`R>7a+0<leh
z6P=yqU#*}u_i=J8A;ceJ`t3_qMi27pyM5ee<P8C(jdTrG3_E-0hF&Q_hN)r(Mq7){
ziOTRelp-+*Y}`erp7baso{J4zsOdEB*`Y3*E4-iBWsr>y<qBCWBm|Q2Vw}IXZE{o$
zN+F4Goh6l`%19ZR&rYxqUV>EYaZi5kz1&WUR#x_OC?7K>8QWhy8aCa4Lf6PEG-r^L
z%fZe3E^Y~?O+8Vla@tC@<_+$ALDzb62u9xEo+$mnmZEuct*D5=5LEx(T(*@IZeA~q
z;lSPZ*{!dQ9f9_IAL^g4%f+#QC0eGZ(j>Gq;troKTw}cKPVK^89`IHS=F<nPqiHjf
zYjMpBP19JiFcGNO)&kD4gGONw8)2Y~^d?y5;MFN*Op7u=7D+1ch4UkcvY~g;hj}nz
zLa@f2s{8~150ohxb8_7v$Wc@Dc`j!R3Q^+~WI!-npVu3kqV@RMZVeR0E(0Y;OasKd
zy(h%PcxkI;yHh^3AVm7@ZIo#lG(%!nF5rlqWqe)u-gC=GwT3=vDA-V3NTsF;Txj%7
zO*wOoN`#&U3;!zA`FfFoG$B6*M{&2*`cy|1w&|olT2NpVEMBXi!l4>IjBe3W6sO1N
zxiB$du1OrH&`+M*YhQCwEUY|NiFf6{JwsA`^%5C_it>_lT79!1c1-OeWb6H@sdH+Q
z;cXwZ2Z?{~P-Cbsk)_;Yp5o%Is5KduGQ~arqe`r9)=erz>}l#kXTfbY5l1%y>ToLM
zmWaxskDtS@<1{q;qd(!^Y^Yt~$Rw1Fg|}@O1{IQP>aOUi&b97PY@IpL-^)sGwo;7!
z=wGCDcgOG7g7x_Ca?w>*`w-r%Vm{r@*!Fz=jO?z$V2PC<@P%M$xZRVxmn%|uKSqNB
z?Yi4IL{X$+dol(8z`QHVg?!8J0*i^#U?ssXvThkN5?<za?N2AXMV+RFF|v(neP!$z
zkg3h373~!5_NYRR#uSO9BtBIVW$XMk#2Ycn@x8s*-f!f^HAb>Qc3W*-#Q95}<bBRR
zyC>Tv%@s9_TX=W@gTO5lK0F;GGW`4?sb*KB@J-lCn_fQ7ygZyJq1^11z3v}IvWF&f
z{q3R8f{!!{u0fhR0<Rf4CIyp!xy;HrQ7ighetQ*uaTXH<rdg8v{n}76_;jOb?P+T8
z4yENH4aV6sH~p*J_MOl6m|Xk)87IUBQw9eQ3u1bBA@*4{=y%neaRD>N%hl=iiCOs#
zJnwT)$_2SwxALDBkz@u`Q573hgEr1>w7yOoKq6u`I0i?BYN?DwmfYq;P2UC)#|N?M
zWduv<39<bmW7E}<d?MxjbTNH%%7d-3=#(jBI?v-*V3=af^G=z~BY#|h9`=(!&S=QM
z>eF?u8%C}dj2%-mm&%7G;=FHGD6=)$8)uUdt65ck*HP-C>6f=YpV*UDp7*F{qWtT`
z88-!az=m38@CTyIHv;SO3`2F+RP(ud&y%$EOw*N@5?Ut(@BBQ-{3HM<ToLC_qG*{9
zN!)_**5G5`lN=-+==dRp#1RsHO@eF8g5hWzd~L^8t~p>&qS*aO<>uP~!uQQY!3>|t
zg5F!}Tt_0@jq2!Hh|?4$RuvL{w)dUEY|e-^VoyArk*I5x7p~gbD1L^E?R}w^lku77
z?`qmgVo;&)P!$!1T1s2Ah;RHd%npdnxcujJ=P|}M7&BKV{}<A)7SHQZRkimM2ZIv5
zIfkf{PnSw-lC7GpCav=+a8OTb!ac`Nok;xR&0vk9`RTBB0sOsMpN+&M^?c^k&D?|q
z@<rM0xuuTlo<|)KJ_-x*11Il)E|8C(Rvh8IBT)pyx%v9AwGIc=ksjIQdX2#Gd&$c@
z!zFH+sdMH=`#*H+Y537OA_P%98l`T4pzW@tVseor^@FWWo}4ZDY#G$&o`!G78_LVx
z7#epO4*+)_mUAC<IWDPiB*H9C{R#vjzSkq}hw^>9lLTzh%OxykLOJFfL0bv53pU0m
z#PROeW*>zd1*Y>0zwC~oAHln>B~GDAVOZ$0Ja#UX>711ewU3~JpOlOIuD}_A@Z#3a
z;P(rD^GmS%D~@T~-5S#yydGe&G08r~ie?+9C5M_qnwo_g2FW)GN4#&0!9|f_ux~X4
zzprk-VLqqhF)N|$VSB<q5S%nxI;^x@wm2VpR6CD3QW`qex?j7)JD=xE?3#Z=>aEs|
z{optwJt=)e)cvNxU=^+_9n0k8tNVa|9mRkr6MBlXw#%5~0uMf^dm5oW9v~Iv3x?7y
z8!4&^4M;{mBubRH`eSN_DX=>g>e@!%j1LEMjo~ap(1aIHlhGF%&(4VFCjwag6&i%n
zAvzyx>>uYP!((PT18X?yo$B3xH24zZ<?S<d?lg;&f{p9aP`1mqW9in3(%uy~&2i|(
zaGZ#{%l0!z7^d9$EA=8?+swkAp}}}To!zjFYFm7z5@3W!pt&7l@BSf6I&7m2{G|CO
zhcK1Xm~^r1>}YJBZeB=uq2`eu5xIRlmwW&|duM)TgbVyK`(iH4JiT-mv6?gj{bTnl
zwijBE3VA<7g8uVuX!IPhNgEDZl1;O#t$zQ79r8s`VWzim1%a>tfd*+~P$U6>*^Jpr
z`}@eEC*R7bcf|37=5sej3~frCzLEeuAbm{aPydhr2Qyi64fPlguGd$z=cmCy;TqZA
zW5mgnBotKUR%mX1|3GT%^%xk88zJk{G>_U${9j5mtuq3F?w-z!+Wr|C@~J_kdNyUH
zNtPw@k);?w<^3Xc;VHSL_|ZkIWKk<xDL6y6<k56m>?8@*nbua#|5IN7D1vW#8mM@?
z`ftVcg`YR`P#clHFzF}H|G$d+|8+%D@1u78Kw}9|XeCue4E~OK$@{L(51eVT7)e1l
zSH7>kzQ4uH`NwtttMB`BpqveEnUvakab5&LT_vhB(pMiS`+?!wXm5fQbw`yK>O49*
z>JN_n(Z2z0w&2C-JQw{rdhzuu)V1P&Rua3Ndo4L;YuTyB$VcAic-^d;ZW;eL5hF2O
z-H3Cvy<l#6`(LBJvm;p%$mv~)qu#!`4A*tVnodIV|Lmz`1RtgZ4a>=&TuJJj4Kq3=
zwoeJKU&+7vPPl^i`++BBN-IRo3Y4nVPHlw*sl1KT-jCG(m9Utno*0pCO3f_k)1AZl
zmQ2pApFNzMRqomGk>7j|OpLVI;%Up`v@xS~ko`sPgxz_OFaKItv3t<*J0}+Z<+wGW
z){UQi*_&0mQkX$yhL?3$d+x>Lo5u8zh`X#Wdb_`n(xLXh(oCFR?kUKfZOfjLQ)N~}
zBRo8<ccxn>ipC~@Qwl?W%{oCnmg+NN*I^tn9f}H(+lJ}TsZGDDZ~OD1wf)7%tIWQj
z+MlHnZ5P{Kzomqj-+dF3WI8!(9%@)hC-G`q%oGU}zkG+YA==v0OcyLw+6X0PnZ)R3
z--wRinW^_s$O|Wv{hL|5<KYuYL3wL^zV&QAaCZ)^l>$Y{GW-7u=`slTsg`0gm}Usj
z5DvGC%xIFtoQBdL+4oMZtl$bz5)K2SVm!K8(q7mNOt#lFj0(!E5H#Ch*qi0Qm}(!(
z@W`$^r!#_#UfOwdT?7DLA{6G~gSHpejK2OuNS5F(AQMXb^7N8ek@NYje$9=jDQW!p
z>WU#06%w=;q(5CCF9-w&p2wGewrrM?NJMQ`@JkpDvoR0H!ayK}AzAA*-iwLT&uz1w
z$5KM(?VkO?k};=;bKWkGEI0Rp=UeTT6XsAvuMoXUmgbC*v#?=+24)Q;6#z;3X#mVK
zM=6|E&@%D>kPf~8ppmSB+m)tPzBH7)1j95mG=>G*8{?%GfK=`DVC(4<2%Vs;A0USV
z5TUI97u{3=AVSIMg|B%q_@Au<3<W?nIr0Y(FsgV^!Ds5=^DQUt&G<S%2!#Yb$+c4u
z<RY8ZIA*Jt;>J@3-zV<K-?WBN->5g5{?l>y%(Qj!m(P1w=&&xjIYO@(>V()v&5KCm
zd|O0gRU=w6<s4OoFrCwk$i?lOXdLh+<zD;-NJv0}(KTVghJ`S*YDXQEtS^wA-a+}U
zsHkXQVBq3##sg400Sd0ewzC~l<$xpk^)v9*_rG)aPGm7%mI{)^Z`Nyl=f5yd(~pps
z!_dGx(`R){#PU+h3+=H?mPW|MpR_!f#K-E7ASYRGAg&%+6`gU`^2x#<1fMf+@&a25
z;2H5{*?R>6Fa8~Hox8q1lDFsiexFJ+no%m2tOih$UKhDW<bQ`r`rfw%HV_Cjw;R&-
zV@4MF=y)M~4bT_@TEr-53djP{O`)-XBJkjtd4t`RavlBMl&B#{f6^ZxBt!;&pk1gH
zE9vnN-LIWcmJu^In3A{0hh*{j3^WY&?Hj_Qu9nJ?_bz3DxaQVEysx5<XTVY#-l)C|
zg#L`jX?$8~0U@zY`nPUoN!X98r3khD!aj5|8S2q6M7juf@JwFIEd?-aQ)eA5yfOQ+
zq{A|CymJ+{K%n{8=v@df6Qbg}a}M^075bV<h;Wtm8uwKaxphL;1)H~j&+P{JZRt17
zM6#eC_W8A~E*HnjEN`%1L`4}KtS>vCY31SPja+$3p771dI`MUMYdn&h3XAAjv+|tq
zU~S&$?DKfJK0NX0csZ$FzTvzeu<Xg{`-`I=S5E4IfNmF9UO~MKPT$$bU$sAagZ9yv
zMX#)^EKq64_TNm@N)|Xd-6|*P*M#4Nv{x?;#bC(YTU}mmjbUP}g-<&>TNA5CU5^UP
z!M1l}3@}F(D9uK3fV*_F@K{>*#Xt=>_~@9EasGwPMe|YHuMwT#ptZ%bEVIMrweqHo
ztjZ-Q7sM->KtBYs_GBXKj4skZ-R`GdfzQeB6(A1}CGEu#3u$?`-LMqf{S)A}Mw@;Q
z)Mz?A*a&~ARfubl?y)|++!0i8lM8-QoU~+KE?evNr_h*+GpKj#Lp2E1H26Yhe+{b_
zMAZD=9se55Ix0H|EzjZ*Yo~hT>OlihX;qyp%w^IG_|=(1oh@13x>EM^3Wf`3eAKX^
z>md;Azod5bsCA*Buc+*7FpTC%!0Lq<RG-b<#6&$VT_-~lKHIR@CLcf(hNY$)J9KK1
zmfI6l{GT}2`TNM7Ux};|W}-z?15_4evb8-iOGj<1$Xr>i`lVt2k)UVksG$9@YY-0=
zNV`AqpCuFSuXbu@<br<ITC~3mPBVI!BR;BDgEAig8Y!o=F<R|({`>IhRlpp${(PhK
z>ACx7^pSk?adO{7)7huBi)}>?e%8ldxB5_sfH)TU4jxZDpl8nt+##_!+!@~w1k?N$
zu+nR#4~P8&Q^2_(M{*v|s<)snjlYp56WQ41RWV>{o%R{r;^C1$U8I361BVmVoY6|P
zfD>it2`}N3UmFhIIm$R9_y2Vxj{I~mu-)<~)#!1a_-Mnh!NX^{)a0#nPlHyB>#tU`
z))ZQP>Usz@p2c1JGeDeGc-({13a&+LSjB<No1X8T&}F??O~X&ue)bk(QQiA^(5G<e
zmGY_?m<zvS4KYc(fVTOY<<9hdWYAiKg0qoC{>eaMM!9U`$sf#uDu@L_qTjOkt@|_R
z(VIoea!rphLu7Ot2QFcVuR(Gg$<nwAiuj_b`(lx>@I$Wn=yM`WUEx*;_VVKTrdrCy
z`9Man?^5=>_1>8&t!4Y_hvw|2gEED04cl+udt45prOr=h(Gvo)M+6;z6<>d4R)Frf
zPlcNW4Bnlqtw3f4Of%fEv>pJ&ff#TlRr1a*{yedo42GC%aGZ#Bt#h&5-|D3yL5F=x
zY#)rC=lt(>k$s89X2T#WPwk%9HuD)0p)bf~ZX&Zh7ayCJw4BUZux13#h0}c9$=chu
z7!We^9Vax^H9Oz0rnP#$_d6-#4t+Fv)UiMmu~lZS;sLS3u@WYGXTKG-UCv6^;rjv0
zjF^3)ms0Rh*QM#XTlLsddKolt)PdX0jZY&Xjl)Wcu~`ZXUJLou{A3*ZWT)Un89A<I
zt405qZUyEfJMM*i)U;t5i{_0n7&g0~qFaFF4ac&7)?g9Y{`5J5?5WRB2fDJRz|H~U
zwXz1kp(=1uSqtoN<zcbl$qJ#Vm1*lTcIWKR#<cg<tH6UUCw;kffD@c+b+omwK$s`K
zVEfSUHW<|fReasvyd@YT#4`76Ws-XWHM=~WxFwHnMCI-Tn1O9;#d?>PrRN9%m$2(M
zFp%I_gD=!tBjW|s(fH%`=8hj%Kdgq1rw)oe+Pu5Axz3m+Y<D~Rpsfp=4|iYspWu(4
zdVigZ$*4V_A5wU>``}WE{hrR!M|XqUyQ6tEUvx0rFYuG{rYPhLm5?PSXyy^EzMqxo
zRG~E(H+#YF*)E#k<3SAJQ%KCH;bjawMXnUP%lj|b+UsVB!w<ViaK(a8+D;43g8Ys=
zSS_j#H(2p)7(*a~`*BG9BedsR5!JI`#PmvZTTD5)ZBL?aO&gY9Kk>Be<NI|(akv!{
zRRMQ&qPOEI`Thv*)(-NpQtw}ZY@7{e&%F8}*%)KEy5jpDdq_2u{^~G{E8;Grj!aBO
zz1z&kuZ<~|C&xIUbFYi9ahDs7FZu4`eGzVob7<<})@FQ@)=7uFNet)?`b|~fgqSS+
z(rmKOdi!!d7A)m*kO)lQFDx;^RabB!lBfnB0kt{7R;kDzOFRlEU*i0Zvr(BuVv}Zg
z-Wwy2#a4&Sp0E7mjGK9p!pgap^Z6~xXLafqgV-t*RZX8|P`jT0Wd+%YBM;6mcB*O~
zDYds(kCAa#@5%gM3Anm^9@vs3oFkI6X{h(d)Sn1&_Po@`n$AhHC?FaRc%?Q?dpYk7
zsUyi0E=R2puFFVw6|k^0`freYTi|o<xdO#iUX<2QT}|LuG1*$}4MZ2^=OIcpAb9Q^
zC+l_oO)X`CdM+qZ_KvEf`;E0p4`tYms%nTWc<;?22}XxS+Glx4;SP&WeW}V>7D~kC
zp-dliOA74;Ee&cyRS>y4nRNppoW8NK6W^`?Twv5@5fy~74AleJ#?i6G#rySzDrexX
z#@>nR6AF;Z1}JnA=BGSGqE&+GJM9LQEPJ>{9Qu_kEqcS9GNeC>dtJs_7@Pfq<G)|V
z`j+j@jQxo=Xk>*3Ey^zTH*@;Io2RCZyiR<_0LBmLYP6pQ!Dh0G(J0?;#nKh=_GN>u
V4Wfe&_;1E*kJX^6Wy&^T{|ELTs1X1F

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeOpenWorkspaceSettings.png b/docs/GettingStartedDocs/images/VSCodeOpenWorkspaceSettings.png
new file mode 100644
index 0000000000000000000000000000000000000000..8b72ca420e7bf9b9470bbfe438f474bb3bff2a70
GIT binary patch
literal 11873
zcmb7qbzD^6+OG;o$pA{j(9+#72+|-e-Q6iMfD*#c-6cpU-AJc&cc(}T4Bh!|Jm<XU
zcR%<3bN`r`y=Skr_OqUTzRwC#Qjo$xBSL%f<Ozn1wD|icPY|?$>tK{;!1sq`3`gMS
zsq=d&(I=(DB!7S#L<<plkta_oqR?-RkbrwsM`<nRCr>~fkDsSK4*8}}o-m)wh>NJY
z>%-G+%G1?SwlML#@DN2;)^oAQb^SLPf+>*4pW^69vMdqk{CtW_p%9!OgX+&0EdC{I
z^s{AV2x=0wwBHI+RRr{7sGMtqc{b<Tspsw$U7}e+05svmNa*x-_`dAUH2rM9`NxIO
z7WK{X!&K|C_O3_9S@D_vdE<k{fpcsOyGb~EHvwnoEQsjw>IHWVteXJ15{rOm0uM|E
zl}sR(e}_!ESRu1E?TJY(9Z&vw_??B$s+}hKcWf@^pKegg0fGjp`-P(9^zGg{+3l`O
zS(C>Oco(0gg$vI4cbJz%5A?A4Vc!IKvD(Y@OmVF5*Mr8NrIB0NdAr9qm|TadLl4^}
z3b50hhw`Kj{an*e`^iM<O~#wv!@9d8h^J<G1y4uCQti)nrXX(nrbU-7Ck2XL);*D6
zJw*+O&doj(u46=v!!K`m^-S(PTbtF^p-SG!pH-H53syyaqNca*Dc@VzyOXUl3&4WA
zp~RB+n;D9F*H@Ed#1Qzm3^J`Vx2&~N9p~`@AL(m*UMLo^Z_2D*9vhy@jW=vTc49K~
z3v?0{LSX4JHOSK!1@f8OyDLVA^a@<$U>CHIDIO2HVA!n4?ZmfF&d02R==ZxBZY~+t
zYgNk0?ks0mM|RL7-ZO(bp^n!p#ZD^K&i3`Dx^?F#kQ}3p^E?}<iv01Wa?E6bn0T4c
z^z=2h^6Tljv3BX@YMUgQ9MRC4@4x%eS7TmsTUEIiS?AGI32`yFTr6&bHdmiqY=nEs
zt3ce>cMc*1k4Lt*S#7oWphteY2c%a~!ik{E)glX@Z2>2|rqiHkNms<$HJh^L?xncv
zS1I#1xz|l}`83;8<C_CzZ%x*^oPT*;a6{zud79i);dUsywp(WWYN{g$MH}tdig#Ym
z;*RCQ&Dd@>hrZ-FVsv5rBs6cpn=vCZ2>AT^%<s+4^@f&LmU3ZN%3jPGSemb>scM10
zR+ocC_vR{nyxi$#0yjkvPrK<ymEzg(IyGAiDdc0J8<)n}<}XGj@>)y9H)pC4%;uf`
zB2|qR*IjkWq31O!KWsE5zZ}qm(;c^0(=eIk;VS_q_~81TPgDjE2HT%+eAt}^He*=t
zQJU{+hR`4O?)tUL;g~Wyd4nLQ4VRIMh$87oZ$ay$AF?(?%dg_c^W<$kQs{l_-EZo*
zzJ97gUp@OJ#B8r+uB-*7u|a_l?Dj>V<Y;~lY&vX5ADb=+o<QQNVhk+e3(EbW@dm*z
z)&M<N=7f)Pb0*lnsfqszt#GM}!-f2V0-CXP@Q*S2selbBDV;MaQ3T<_ftU<ON`dzq
zN<8z0KR0@v1p-3QKH&tB(WXo}9j64KxN%%Dsr~pt8eGFr&Xdjyu1q9C&OyY;$}P3>
zb`tQD3G<DAR$bKdvZv^|g(Bl0duUvTmfeZ^x~=o?`H_S8zywID0;B2|o!6v7aTKkb
z65Qjf$_6<fPik|&aYn1?StJ;547Sf7)(t7>LAV=p?_{UPP=gdkuGl7a+>r4jB8F~n
z-6TnG&BpP4xNbrhdRQ9h;H1Qmqb}jevm2Zp|G=39#=K9FC8d<LR+>*)m|3Hs_Njh5
zZ$z-)Vdo9uG~LnphMb<q(Yid{jjF982Qh^9jBQNd+Ki%R-CV9kO$4jN*Ai-aAtU*z
zW=760ffaDR52>T)f`j6aQ~U^%n04^*lWGrVWxerjl;k5R&p40Q`bUiN*xvQL>{Q<R
z(Sw?Y9T<X`?nxd8zr5TtTob1!&?rPVR@)h;8y4I(ZCK3WNH?dY2v;pm;lT#u=)5!@
zDwG7-#|A4nn08~kB6a}`d_NQjFi;i-8=v)joomBal-BJy+pwRhB2V2aHe2K=K}q|Z
zL8@^TZ-a=wSH16pMdb$e)4_I3X5|!${>27Y8^jB=v$YnY)(q>5z}yx4kU9E%dupl1
zhW7kdSQe})J3B&?bYSml+jX|+nHawcws~<?5gTGMU0T*;mBAu%+E7jzf95<Eb<(pi
zlPnaQ(U@n>F-nNU)2772s1xRfC7ul!tD}>nnAuY*{p#N|NgJh=GzJV=%uO|zo&;-P
z3YtgJ6NrLvaVRJhVyxsDA;BkKJT?krSm7k~4@u*DBZBpoOg~_(w?grv>Cpz-queIM
zwPBQFPxP#6c4`zCxqiYWkSODgF=8^c>U>X`CXRy{v(UK;a=#7mEW<yq`Jrs?8Wqh@
zZ|CGtP%0=_70JF<s7+=ko26%vrZS+N3f{sneE)LRT7bi9TREGjF@8=+E_G%GL6nv!
zgXnlLG9NVQyZE68d{rO8RU=nonC62Kf<P_RcFTanpDqes%Glu%Jdt2CcbJYe=|jeQ
zh5E8E1>A;O(2Pc_RMOWZkf<qHLAn#2c{A#QOdE$EGwhM3IP5IwjAG5Iv()!NnV?r)
z!i6g07vb5iw7+NQHoqi<6y~z#cN{pxf~&kC7$-2c%&1I3^SU<?djGA!FtKjpxF%Q{
z{(0O+&=5@>catik)JUtwI=T;SYPvnRQ{S-EGAs~XDLt6eA4)ojHf7Grm=#l|vL4ek
z^ftmyJ+1^~AX1W|C2cNELWD7H96WCM1VP4JR=ksLo?5l+(~G{O{_im|;upA`?-Nwg
z)F#3=p@-RF7K=^x>*r+Qp6f9P>UXy5HV-Nv7j`mQE>;KPomLZn1>yV&zHNBkP;XTp
zK}^?dH5oi(B&B)~Liuv3u1J&gg6zX<7Yy8Ed_{q9qCsgTOqKEXRUmA-L=5p&eT~MC
zG^nCDBQR?>G{&)_bV4geX>R5yNo^Mla2cK=0xQ9S`;eRX;MeQ9i7cqxCy+IV%C_dS
zgw<yMka6Fs;FIW)qKTJ9*4Ru9>FtFsK7|8B<CWIigRjC(C^+|h&Eb5B#)ie589AwQ
z*i$ER1^FqP`B^4U!46zpq4sY0^N3fkBYE)Y^ga_Iy4G&FaoFi`C^vpy^QmpaHDc`p
zoHh=2HKD>63i`(ThTbwm)nQJme3ocAar6Q7Q0qC%AB=7U-?8cEJw6b*^h7a021yuH
zqM5DaL|}&1#kr-!MFB^)eHZFcysQM#nf*J3IKtJNA|+||Br%zpFUbw+LoMB_!a`Iz
z9k_~>?AAYVCq73<fDgU0WR&`lS<<!Z`xcY}cxYitb=g|J2#k>|E9n#A*H`PjQbIRx
zxIV6R9O!VJmlE$2U+p|ZgD(3=9!^7j6o*m2c$1CiNA{N4{7jfA`KhiE6G$1C^-&S4
z&!Hzd@@!i#NRN8mO=o5sD|A71bgI#*qp?Qwd$0-)eCK`0M8qoEwEEaaiYk2xEy&ke
z+qnZ!ia}zSdN!211RRR+6xUR??Y4<sW7#fa=WPRygL{(Sc_Em;f}yLgKp%<7g(^=a
z^mj2uA~sftNuR}|anL_kA7QgoqVfYPzZvn6=XP3k4?{S(7X3ob@?qKD-8f`hAu{du
z-JkY9YClVdzVOC%ME8*S=vvu^FcPXppucM&wO7_^jK>pky+A`C{5qm0=j;28T+fU_
z%Fb_Z{3ijow`u}0$Eg1J={)UwW*rhyYRk~(d6DtsPx_-%ep6}%HwUf4kvN4mMX?93
zwGw4J6^*A-J*djC`lcjXc)J;T#jjA6oxX~Rq3%)oR#{q>v80g4*?%B92{YE7m;`<G
zx*CsJ(D%3q5>CH1F`@NdkBqsw|FoS>_OScv>w_2FYgbWkJ%rLU`+z!3>Cq9R>N~yn
z&9rrTbVXle;K>SQZxit`gB6VGyqC~arI5RDrp&hW_ze^@GrPy_j~ZdNebhlvl4tqu
z%x>)i#pual)>qdBxhyJdpX8`ryiA_z)Y=c>PtXtM1jRRyr0SoD2k$n?Z^p7S2y@NH
zXOr9IMnd0;rX5Ou)_kHvT5KKnVy%M)wD&Ah1E05Hij!;xsW*ILxmcb<%n}EIAFrlD
zLrP<4FL+fDAxHJc?~2i>qwy6{#yFM~f!bV~)t6iFKn-8n?m7EpF<yJ>(nt=gtui;t
z^*EU?(z>ILPn1*Sh|u0MOI9PKs76xxd7@=zxsi+#p;Q`<YOabWYuIEyt<FOA&Qt@j
zg*Ge4Nmtu`A0v;eM2js5n5rBf0N9HxzUp7TVJGoRqqALllmlgF@W+$kFE6``G_27A
zEjPxbAv=s#fU_dH`pK7VP4$b|1j#JL&+cp5R{4u+nNembz$j37n#$gC_w?|7TuC;s
zx>tz}Qz;rQAiF>9ZEi&YKkR+UiXTJ0a>ZCZ{t;2si#w&rJi3%K#Q1j6sHtsqBXQNW
zwEu%f7u`PdQZBd+r@Ekf%;hb(ke<%DL;Q#!^z5zNyJrI`(P!eR`p-W!kei2VNbBpO
z#w;QU5NpFSwRdgAMM+RlE6VqKM=(3z9lN(QMfT2Mc7?14k4FyvJ_^i}jU&^Tq<9*i
zX5hBZHLsU}4C2{Wj44Ya3|XIf-HM!AEi-+Dhfu9BYUC8_(WcG`@teX!pwCHFdXvbf
z&&{_rPb?-k<EXx-KDcnDHtMmdjb)oC_64Q0>;1F7qxJ8RvGrjtGZh%f(HiC~W=<tk
zvozrWlLd+~4=qxQJnXVBLU1|6(Wzcu`E_kqKOsUQ%4b=aEs}om`zO0IT6cw5F|)89
ze<9|F9U>N(-p3b}VJdkETW29#v~haHzRH<h-@$XP-<3=HctVT(0`sM-V-BWfJ?|Pk
zW^-J})j%Q`lg~6UQC(0glY&9IcD;(Aln>u=!c|PQCyo_mh(2`RB#|Cwcndj=u#O&$
zG|{JDj{3+pMzAyYWyI!s@i`cAhqK4|OJQMBYUMxehL(E?)W95vV;MoZCk9e2rzcm$
z%YycI2Y5^m3+UbVOhBQ<B_)j5Gt!dlWs4k<B6^Iu{@!xsCyLYO8kpU91la$A>Ha4q
z(c#U;tBcmM<A6%`+_#Fae_N=yJ=TANr(-!_uD`V!%=iB)|Nc=SnhTfr0!1RB@%Vz#
zh#|!Coc@oi;bZmq=1)llaygjmCfMa*rhfEs%)4=7qx4grdILfa#SzDG8Co4!AriU*
zTDtqHpK+O)R-ze3!ZLS^$pvo>Y`UuG(60uTXr?tCy_?P*OIRG^Ip^ID9ZiL9=pXvO
zQV_hqd=-i~P{}kv!~l4|GDrWuBsi@ta>*aHDfHnC;nv;?rh&@htntNq=TH6E^C0aB
zU`1*D=!Me%JlUK3(Sc3FX$heV<ut?i92)g}Yee{d)+B0elXV=J%w&_#B_O~cHA_W?
z^*BGj9YpH3=(&H!@4Sg;WjTFzq4P-J+d}sNF)1>y(_*b3n}aD6{~5gqBK5gNofWaa
z(fVPIZxyT|dtDm^uqOFwb{04dSYvxTA8v^7_uXg^_q~dqp>&9Yi;H?pARsY-h13}E
z6=f-~>mYki=S5fFi+Pafhuq?)O73m*zi^@+R>?2!*n7h9ta_mUdk5c+kAjAi**l=+
z>|H69&)?RA(}W+~_fPnp%V9k@|2t?9MCx@qRs+MJ8;<9GVr_{WB{ctce);Gqh}2^}
zrUn*4|M;l#QU09kFN(ppE6Bo^y9N)}zfym)ynJs>i(}DG^knW4CLnZrJ`K9x(P*7-
z{&b-dksMCNG^{G6UAZ2sq3^Mg$8C8#W#DDIJ6%F{Guu<;2A{76t_PfX?B-pTJ+^-A
zR`igDafwIk^?Lwyx-ou7m?1lrp1Cr9B5SKWLXfVQ4KlC&Vy|9|z+HEq&{;t`#7zh&
z`wJYx+09=9lyx5dzI|^&xp(~=)8}&G*L@ATlxA8%q(5;-Mc;230uB$M#f3l&V#{@Y
zj$ke)2pwxLi)+Y9WNC8@o>>tmhZ2yL4AP-i*jSoDW(N!}|BV-no69cX0W8f;qo{`M
zHC*o${qj5+QUDu$$Q5`$l}15%$!QlxLP89RlC($e*eNJN5wjF0lIS(kNoU_97kObB
z4>q3zopU_mCqFO=-b3;aV%+v-MQ$Q^m!%=|nS3f>ROjx-vX*=d*&vEfz|PmV;$J<F
z3=~2dgp*?<iS3QkhF#^s7&OykDk@>@q36*y98fHq@j>N33v&Bh!6f`_N`h`Y*wjHR
z9reQXvH)KtqMP5nBA~MWGF7B8G2F_N6Jca53qh;Yz@A!c^57IPA2SYC3DV+nsCcm<
z&W0za8$$=;T8&O9=$FvOlF0wX_EJx?)!Peai{PMc4HPM1@!1p<O5S)JVhn}Gyyfl!
z^bzMp0hsCE^cP%ffeYtFmKRJ{C}(rQ)U5=MwD!{r8IzdHA5VyQVg`OIC%PtK^wU+T
z-f(DV_^oGZ89eZ$3)!$zy(%OhtS-lfXsJZ8Nl6<X-_4LbqwMEoxz&X`rZ4in!SLPh
zQq?q1jK1CINBjXBwFl28lUZ9TpHK=%q^62nLO;#a)}Sg&+K||LhQLHF;b{d7;~}yx
z1w2R*G&pGmTa|PDUdaC~f_Wmy<9f6-%Z#ao2~?{g9xoYiiJlM$jlNChUF|5AnHPy!
zprLC5K@leuYY%m*Le{&Hf>mMtsydxGo$MCM8Sd<fbwclo6~xmhmFqQm%8MFSCJWlI
zUW-%p_Hb|~%oU<D!Meo#Wn?mg8$9MT-+zrGlWi&NWmQ+;bpk9M=S48M_#XVhV7ATC
zsgC!~s7D{3nWpRcRyyrM5DwHwQ^ImFrpQ+1VFI=$Go#k;_A=A@hp%}Pew&LYX9bc5
z@FCRuA~-oUzDlu1pSoS#5|VPV?Krn;h}Y(nV=B;&t2h0M<4Y-B+h9nfT2$gf^18G1
zvweR)HrWaiLv~#5t9-dEZvSQ~1AcMKt)BL0#@3X-!>Ldt9+@`$dA6<aYF8f8dz08w
zv;p4TZ#)=&sKNgh=vqX?CocYtTxdZh$xk`!QbB9#m~f65iZuol?SHxEi5i%DC{Q2b
zyZEhF5Ov=4y{~Bvy*5=XWOQ_hEsfayWOHcDe1NG-lhWu_Sn4{u#4~t5u^$ima8x9;
zLyr7e!32q#PK|8}UP`v>asBK#jVMGIZ!;n!m<uumX9A*5;H!l;FAL<7<w?^$@@Z-z
z>_G}q!CNVJ>>4AIlM3pe?$+srt||c}l<RZ~)s_fTPCdEMY8tC!&8|Im|Fj)HZlx5i
zNtz%zr^%LsmYdmFvI%Y&qIync#U{DBsE+Iu&Q(SEXFf;DO4!w&t(ML@5S{4D!Bt=q
zD4@J;<|`WIRM*R#;V2k`XkP;j?|rkwBV%#Pv}@^Jmh+NC<;JPKOs2+t0Z}WVr_HPQ
zZZ}scA-4TeRl&9G%DQLBaEYigDNQi$j1GfRzO(dJF!~$$wx%(QD|e{$QBv0jr{G@D
zcqD!Ag#jM1i5$8uvK?}e-h?SK@k>y#!FD4OFYH@%7T|kTx}c*_$63HN`L&h92-+^2
zCIGqNE{H6&8709D(XVGf-Mll=K4bu7ni~qwgs+s_7|e?Rh;1%%#ox{R*G0D+brUzz
z-giu5P;BwGUda<pJpUUc{zANgX};Ak4c!k&LQ(EE_m@4w-lyNl<V_wO)%25mDu^Wz
znY9oKR+%v|{J^#-{HD1I8h=ATwF5HqW0-U|h0MmU%4s2xFNi!w<idVvIsL!a2c{;f
zCBO|;{>C}mzY~fI?|;DH58$IRpSxYIT*hUK=aJ~vO&84vZw{JHhWWSBIEVSx*5ed~
z_UqO{H3I&X8eETnYOdTmTkqfw!neOM^Vs!bNc;)O|FPsv_&WLEld(Zi%ULnzBhk~N
zkCgO@BtHc*2Y|53!b-61J0~pj&w#Wa(}O}=<S()RScPGsEteYE=sC(iHqs~JGQd5f
z`@`$ze2E(hpLg9#cf%9Ol=s)8{yw_DgeiFVnX-%S^^A3tm^P78*~9SwYo0g8%VW73
zVjkPk($5ss>mTNc5;VdR){g{dS!Y4o0A=cGH86P@Q1<ZaB;8nT+(ag=SZ!A{grI;}
zkN!0mRO8m{tcpyOL|JG_K27_2j<;PR5c`&0CgiI&4po2jGBvFGS4^-(gj!$ic^o%i
zEEh?VRT%88P$>$JXx;t(b+;Ffxum+c0|tAZ&BwStu>NT?Xx?a#!berfh6x=ponh8(
zB{}dPu>K*vy&s7Xyr#i6&y$VT6A$i*#v4D(uOY)lru^e5peAr@AEc8wWs~aBwPfLS
z7SYiyq}7=xBj?hc^q@F1F$dy#%^xfP1ocLE&BA+Hla2m_D4}c1ok@Bo{9H7ffVTb;
zHN-D-ZD0sAUs{O4Y;Op(DHb}|L~Jw45=`k)El2<@C;KxGT3tVMPUEe(Y80k>nQFDy
zfGd1;<5Op}p%Ln?D8pjsH-Bylrk~4gSbBlk|7`oEsm9HDsnp&IBCVbZx^NyhS)G$q
zwGE)D2$^%TWF2vLeOIzp3m}ES<!YFTiOGoY!!5k_*Vk)qHp$(YvQ_}fRcTc)`qG}Z
z<TSu+jfIMzALtn<*~M~Ij?1XtNr#JAFQClrh_!?VRe~>ubZ_~vlUR<Ll^thk%C)i)
zLN3QKeV8<8Z7zE!Mz&Cg{K3>IcGw5t*I{^Hi|ya#c9{1avV-HsyPo$6_hI&F1gOmy
zee4A7&>7E>NH9Y9jtC%cOb04I>ej$iBorU^S0wQD{Hb*7opKs%ri-u6Yg?Nw$0%K$
z(Ja(wMfe$_d(ckuOoM}o%37`q12y28y6JQ@5%w`DZee=S3nI`EL6QCFOaLHKOnwOo
zZaJLlIekj8fWg{yn_=+4dd-sT@3VNOm_|aW`E%QE&m`upKVJf2DN44;Gpp1{xZ?di
zS<AWj_1*Ad;Es*u=$^P{6lDw^f5l4EGlrI*5`E;;aypj@mx%053YXH<j9N6j*TFH(
z46&YDFo$sb0x$i1Wrl=slakA?im!I>4}O|0SdyHM1x@9srdA{tm`Qh<Op3^oMXp@p
zxUMmFeb`Vb;uB&1q?_O{eo}D4#~_&__h*b3Q}@Vv`OWr-MnsuZUUTK<o4jUkm$eQ~
z2R&WOfl8uxc<}G6drd1LJ{=9%{H{~>^V^p?t$8GaBrOb>s};juhi)z-H(wrPktFg@
zN)_#CMAIk{Wv1!GKMc8c#^S0@=;rTWhorS^`V5Fv=9JK9r-t%|XKD(ERe;m*VqwWB
zk&Xk2%zW+DHZwvegPa)6<c5XrEJ0zh0h9zSY`jqBJ#xDQzsNm9A!UH=+%dWZnI+1~
z@-1u`D5}&3&IW8?C|fvq;Zi>tQH#s(=#OCs;&NBV)!6G^mU$=N7g-{Hx!;Cd-kBTL
zy&cScN6);|$%Od&B^rcofHH_WfUMnv`h;SFW{q+n!9%3L$Z579nh9G+Et9?Fb823Q
zB$Hv(v5cDV4;ZpRg*Nuf_X=Kya$LW$h=#}M^3M)FxN5OQTDFI$&=*Gv9BwjyqO_ZB
zgDNy07vaxW76-Ol8LhNmjYU_-B6U_3WFZz$H4%S})FWcy3}OrJoGYq%Im?ht+rtzL
z9c1CIf_Z@Hqm<+&j{CVZpHCDl6#R9N;sIS@_^p?#VeV}e6%{yz<PWq461>G~`{VJb
zCGgC^mF7_8`l46tVe=KWfNwJ8z~{tk%qALD`ZSR%ZyPo!Wc+TA91la0W+Jh%$kC+#
zH$26TEA{ny+pYW?bMfN<wAi=WEu<m-hpEApbYu&1^6*Sg87KEOeQF^Es^qBmpcuh=
zd&~1#Dwz*E+s>?kN~TSd<3T-PGsn1D<X2bU3(W0|KE3lgGZ=M8Vm3Ec;C}yR8Kv7e
znf-+U(bo*$;yRo#lB8jsIOPweTx<sl(gV|SNIUuItU@DJTcSFN0qxmi=CWUcp?&!q
zn{xeLnzPl$wwFHwp={ROjuElOtZ?bzihc?Ot<WM_7-1Oq=xf?Qmw$zdF=nH+xB3iz
z0TppqDl{w4&|&%Z?C%1ZG8xh7+J8%!Yu09?%c&A`DReqJ7a&qz;Z!BeNy&ACRy)RH
z4wji&gV7+#(3w#S?<TP=C>y*e3(>D0EO)bmMZf$<h9)^F!E#q;^R1a0r%-!wVZl>t
zQ-gM%f|#&gL}#j3DittnvRa|)=2Qi}h^g523JG40>d7hvX7Vp|2E?)qlDJcpDt#3i
zIZE6SEN#*#uZ8ne#!OW|2+^ihgn}niPwGGs$`V3L&H8|eDcS#+-C<n8B9&EOBon0`
z5fMjYq+u*rF9Z+D>+`iLk%r67r)rR0V&~bmJZ}h^X$hRJASbGUO^7~*)8ue4lTbt)
z8iW9@w7)<^gVhH&tP&gAGrZR#@24#crP$k`3+0PF`DxmVu<_O0(_yGg?(j8`u-mCn
z(>hOdg0hb)1}|5L3yL{xzRDnN^u15F9bcrbU~E8Myi$xIdyjoidb(9)J&}{p**}$O
zD<ly<jzgE8A&E>0cIl`!?d@JTOW-9=$jHwAk~kI!HcdRLNX@oK&cOq0fC&dL0xI?p
ze^Vcf^BkMK&<m1Z=M<k<lmd=dJuH{Vpj*w?6cf_J|4(j^tPbg2zU*pI+8-yPS%*e*
zy>yp~Y7V|F1glalU!FC>#Isei=tM=QV*5Mgl$K0;%jA@XR^vaUB%kjY%F*h)vS*@^
zH~Hqil+pL3Kz{z~{;E#G$TOU9-%n{;>hiDDqEdf%P2vc<|HiQLa1BU_Bbo_;70P})
zPpjPvFIYHKl*x~KhkKQEEfW{o*i~698eq}Bg{vN=w<UB5N#U74v3J+Tw$+N6jscs7
zWr*!;_RA_$-)l>RQtmN$GW5?VcC<qHm>;v4V5@2v$~X0!uTT<x&gJA2On4z`Jy=}s
zDC$gDGI7Di9C=DTmmzu(OX5`CMJ}&2P!&$z?-i&kP1@6++3qP<PLrY)b6{nJY(kD9
z5&Nw_b|WYrZ&$h8h<B>^!AnMnZM^$|l>ZBFngNL(wp8I~OFBQ7&slsV^q|7u`ET0h
z2?rYCvmy+8>=V46jKhv+fT>L>)k}!gF$yNOcn>{T^R<X4qEnZ)l1m<&)(43hA%7!B
z2&*rg=IqqOHE>*jdZG0?N;tXoIwHm3C6@j2(Gt}AyRTCC%IG`&Jhr!YIg8r3jn~@8
z0Wde+MDG0d!M={O-2WzZ5FqnZl<CP<M9#Tn8?P+ZpB|L-5g%9ikEqMRd#W|CH#zN~
zd30^{1KD3&c&*s8u>U^(|Hu*nTqgxA_~(1v-<<dnQiy*{M~(iKKdb#sl~6d}{vY{Y
z`wOhUAXlQ=ROVcpENipNRG}Ix&}w$GDK==mzrQ&!XmGKbUqbz74ogG_ai7t1Yd#&9
zU8u49v{R7Ra-2}Mf==dr`I}j%W(9qwM8|DPO(Uo2TpE<kxDTY%dW}%K+48J;ud9uu
zv(~WobNGTo{RUo*;}G|ZY8*m?)!_cpd=6LPm^l;f?AcEQ%uzF9_!s*ItF7Vm>JN=p
zqY)KoqWaVZAv=igc5Mowhw&;3DZ)P9M}_78LfOIzIiGieR*@>a6a|ku&64yIMO_nF
z4IaDpwyQ(DztTkQqDjQlWm)Q}s~MQIDyge?s%l_H1DV$Ch0tgo?A0o>vEbe<E5lhx
zM5yP+y1k;xmWsbyaVa%)Y&zQ0K{$4y&3WXF2J{eUBya6!0Pq=P`6#ls8E)s`wX1_E
zbh!cxw}K%6#SbR`;ZFn)zaw+EUW%Y5pjz01V?x{k5bd-XtXpA>q>nWadyUJ|dV6e<
z;gv|TD2E1*SSQ~p)~VgES+JK)4^Lp!5W3#}R-i(Ap(9bN0!h{pz{bt?H8GL?UZK`@
z7(hgja6+H0rzc~NoRvQv<qsBoxIL+WS$y@_EXe!%u^p9m@C$ELQX94u$%pN%pj8wP
z4@0zwIYy3vZh}`URUd<@awS)gJc5rBdx(Gi4kGiORF*meXlrsms<B)6>b@E>>Cir&
zBU=H(d~>P<9OD3}3y+9+1H7g7m-nZgnV-ZZfO52>v&!8G9BaB4kj$|*Y46OmcrO)!
z<7vZK{F%c7Z+{h)wS-dXR$C`{W-$z~S{w2Wc!ttdYCtqyZerR&UtOoQ^3tL6en{wb
zC+--7Y5cFGdNE~!z)%8KOm9PuTy6&ds(c}+jv0%W<clr19xZn0C)ndY13B)c@<1j5
zgVQ-JhMPQ2uBSky`pwr}_y$dYLaMa#Uo1LfMq=?sUo*>qDA%&XSlY2mb?e_RaobFL
z-Yopmud<A3;19?dXsoMP%&xXVc7BETTp{HPkDW1}h|_kdPHiMJ+<K!O^d65gE7d?w
z4<L6D<P<U@bh9_1D6IDj-+5vU<!UZC2~n7Oh%Fc6zLUUY=k%CYmcz#?i<`|ai1Z_!
z{$Vgx<ci+G_P407+&1by3vCg^ypK9kFcHgG*7OqM-i532-COqmnfmoQ$cKPclazO!
z*=-CgKSizMGTWc6fHB*dNfO6nrO0Ik7K+$W$ivC6JgU9Lp;)K8u&p%b;S@jt=B@J5
zJ&*hNME8aDpF3|2ci|IFfCObC*f+~NK(aJNwQbKTC#$yIn$`|GFogk5ZXiiXNqOY{
z`Lfzl1#9YAJKS%%*`IXi1K25d4B&;y*UT}#`IYWRtM~?<*sOd!Jc**X?G9><>GLAJ
zdU{4<vl1FeYN7V3D)az=_G&|=+ze$w(5UIOvwl*&poM17(DSW(H=)G}iX#6;JQ6xy
znqxcaW&7317MX<{@gX&LH$m}K)*V8T*$}7s;7^p{G=9ztzc<HY<Sw?z!iT<?D~IYO
z+6mXpT6K;TeFI6Xig$_BH>0?Z^5bxPMtl*#>iHBo@tT|VqPom0VtsPtUX$;P)?2U0
z-JK72ME;AANO1(CT{Z)wFUtuYqsM9p?fbmI<D2wy*!AbbMdy(&Y`|<%@-n;yat|j}
z6ua=-`?{;1Mk$*NMmu)`7PK6+f}$lT={Q}iRgb@?0dc>-+HzQ^fdhE-$DP{souaaC
zkoWBx*<ZR0pGP|SFADOBmYxA10*qd8xA@0lfCa$>&zb=Nu}L6q(<I=itTQmr$*O<(
zd}Vjul-n~b^AOqIbVF`Eig2)9ZsK><cG@keHAXILI_{rzkU0jKuSA0py(9^84;KaM
z#7yRWE%MpT`Px7`ikLS<pr?`io5_GTTGz*lWnEBoF+p}{I+B!IrWL;Gn{;^Q@SrGs
zclu*QC=5Y5E0OxZ@HzIJNHi6qT-Hw_q6wO7qj>^OTf?uW-><=5znD$YKDD8X0;kO$
zf%pT@El9~j3E>?hXYKMw8^8~kk_>*1y){f<M~nD__=Y!vT@2|fJz>5Gq6(ke{-SCB
zIho$PNI1Fr!PQpAL$8!jtSDg^9&^LR@+TQhAON6Mi#TDJXUdq5CYMS(fVz{jj8>X6
z3Bcf`*4%PgNS*l*(VR#PV7?<~GX_3$W=YJtb%y|h?*}b}PJn;04eFiD`t76E@dvS@
zmlq=bM4#Rph7*F!N4}<ePW+6qT@hysxW4A|sPdBLg*sjxZ`3s}IJANv-2NS{T%39A
z7u_FE<n7hSD6|onq(*<$=}xA2!kVl*9$jG|X9OGzY}hUBc<}loYw+&wqG<~NQ(Et@
zcY(7(fg=7nvPrpMu+wAbDABB1>7zZN$@6rex$@eXt8-6QWi|y2$c(YperbO5L1~5_
zIK5WMRP?W5_%EWH4Tph_&xJ4j-cOJ|bj}R$IM?00Eg#yD@V}47zZbj!;x<~&RwBFk
z+qR4F$VeJ8Q;ysPoEjVCp6+fQ+u3sOyK9Lsyqr;0m4A%Is=!}ld=%A0U#j(dB@AEJ
zu?;}jhJdqV_I<Ih>A5g)M!W!|N%T*>SvVmdo4~mroXugm$)!IxzGiO)0f3JHN3QFA
zwNW7a=AT2E4*mM}l6jIrQgv>RvPrdDsL^u;`trhdI3st<IC-mmv>8l(iDq!(zeIoj
zxk&xRWZt~Lm3z4n+ypSqq3(C!WQs!QmbXJc0Dql-8+RTc;G`Q&hwu`TOrU=I_D$s`
z={5YGzE3FAeZRH<(9*nM|6zgMJxUIbIgs|Wx9VRO`vK}r?PelialSYAM^FLD%K@3}
z)85e+`)hG*aiDDewBm~#mU)WrbCgsD2y1_-@v+fk++`6`em6JbeGYWgu>BVg$J7sd
zgzt}HUnlv4O;I|kcLxkwlBD->Qv5t?LK%mI#w%$GP8T`4Pld&9G9u+DR4$(y{aR>q
zYrUz$Am&;2Jjpv*u@JtQbKRXzcj_<jP--7HnlxQmf5vWi487z*Vh^*mG68O_Oz@l`
z(i;5nlo^y<lqofZF~yQXKznhC{!MK-yH{lMN<5pzaGHxKt^BVA5tr*fK0ufR(C7w6
zjnYnkqgPZE8us(E-VZmzKc^_JM3FWYj2*%yjF82SL=3s&C6VUiBhX$jb!#V1#XK@}
zqPA(^;ZN@*yMREd!tQrML`bls|HzvQlE}mT#u>r8(}|%b^7foRMGK#$?U9v}>&xA;
z%3+;n5uDo-B5*ZsPilLP5o~I4`hiLTwMTwmzxvchZ&BF7N{R&u25`_pAg8N3_d{t^
zKQn!-sOI$d+CiI*mO(bENAp3S`#97wa?G^!82|1LrMv54^faCm@CPp5v^^`cZ9D<|
zpYG0Pj_f?jv%snd!g&sfC%?dhCw<|H$aAq7K3#G``F2{<)CrHK=-mNqg^OLSRfx|8
ziuHSHHOg<}JatZ_I)PrJM?K@VLM;s~I!aC6)oN7D{FdU!|8g~;dF7N{?O}0{Z61Jt
zuT>wl{SVnKAV<b~mr<Y(tMYeih!1&G6A{7y_-eBq|M!JI^&QE8zA*sR{uR%gs0V}w
zFBm-2OiL{9uQu@9D@vUcK4!@n>3{j%aY>fCob;GRbGy77VK$LdTzzmc{RJFO{?8)K
zK@Sr#cYgm^gy23X_X7VPi^$HR?@K*G$3y~;){|>-=p#_+QvtRuoEX-rJ8T%yJsi`)
zmkXZ&5S*9Cb!J+3*?*~de(rYz20-G5y;7;Ns|C1**RB-0Lme{-1x5qnoP;Q~Vg``I
zodei4UK_LuumJ;~JJ%YC#meHp)1LsF`RH3v0qY^Xd3cKd0$C23@lqZ*7XCy=LP5M#
I)X?vL0Ju$9D*ylh

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeRun.png b/docs/GettingStartedDocs/images/VSCodeRun.png
new file mode 100644
index 0000000000000000000000000000000000000000..36f58f39c6a79c0bd00723c1e12c319d7b9a4918
GIT binary patch
literal 90414
zcmcG#cT`hb_b!Zj5Cs(*a*%dBD5!K4P+F`Y(v%i@kSZmhR4GYpfQ6zWU5rZa(h>rM
zNE7K&0|^ij2to(}LI_Dn@@@2e@9&TAj&Z*~zPra@knFv(_nK?X^2}$>{rr}>(SG6M
z!U6&U`;Bj0vlI{zlot@#IksmvaOMtFsTBCPBiPdDia>dv)B^D3FYn7{mjwhWlSH=e
z2m;^t-n(HREFf^8b^C8eM_{3cfB-+w_}XRb2QEw8sC&*fpXMVhx%jqgrq}T6A=izJ
z#4`56K_{i{->ed=JimOk*!Q=bgoNai?3TaPTqPv^zwD%cHQw3R=JS{F@xhZ3R;()3
z&b*RunCF4=*)!$0t*=`Tp0iT7LKo+JYN#&$_iR0{Q<Ghm6I!#OL(vPF8f5AGY#om(
ztHs0L$w9Ma{b;b>TD*%NFxBnjL+T#+9e+L!OEsVT^XXw`b@S}nT=#!2eDM0;j*(0M
z>(B68!T7D!o=11L#os=xMdbc>_bj=ohN<y>!op24_0RE%su_8Tw%3V&ej;$!MNCva
zu<m{}t0IwGiy?1%dyV$<lQURggjTSOu6JswgCtb+&)^R%>+|VLgu0=vCppMWzxSI7
zntrn&&mL)>PW`?=LmraPEffT)Iv-QDfD*mSZ=YTO?!;F=fpR*<9f5FD@)p8LFzs`b
zr(Gf!@_MxNSKE$|(Kv1yY(H_NdkP!XJC8)T3_#aN$%gs;-33UvZ$JYTbyr{Bh=xh@
zDJ_?<`8ogLHN0RU{3#s#E8MVDX8XCBlVAwU=B;F4qk4TbcI$@_NUb4^`eL+`&7kxq
zA-3GBgXX&Kay`s^+dL@BFmfi|u=ky=jQQJs;_7D%`P<ynz=_a_o~;GMyA@;4$Hsz2
z!mqZp)sLMXSu|;EF+@0C^TZIoqB^No<#RU=$tc8ph`I9g=3mJKoS{f=P|WF(3(G0F
z)DaFDf$|kIZ8yMIBCDN_uLd9FnQrD^dFIeb^1;BxeWcr^L>_l8<c%@0Q|l2!{VN^@
z;XI8zCCFZO1Z$)MF2?2BFKR8!YwLv<A<B#>C9^aU1^oQUtx1RH{crfX#qVIN{hkmw
z%hMP^nkCSj)?F4Sq{}UcmOUi5WM|~jsQ6*8Di}BmWlXauqNxiAB$&?E*_5n-!smXr
zzuYfwx=cj(N3XVv=cCcuCClWjK&><tXAM={R*<c8k-V5G4{x#6<3wL9WFVquAKO<&
z=Vc5;0Vg)|;t?yqRLzL74gMSn5G!f#9Yo#=e<g85x1IOew%iG_;vQ5RiWn|2C{>K1
z^z&!v<K9T+2R-W@Ya#pOgQX!<?{d|bjC|-&+HpiyZ8nHKkmOs1t?VzJ!n@(dG=I*2
zDS)N>Hana`6wI-mb3>2Po6Op0;wE0eNH1Sgs%`eN8_l%Z=xJv>SvS9hm!ApEa_hKA
ziadK_dwpPhEDhElaP=b5>Usa`RD5M91z&<v_6L9SKo|sJ3)q7nXKoi(be31Vxv9Ub
zgCb~S=PTJ)idj*+1Rh3a7B}bC-COI^rS-h^(GBgZ@Hl-YSy(<z1#*W+kprE>H*WE3
zc+Cr-OuuE$YYce+;>e#Df_tQvx}^DlW@h*orrj7%jQL6KST<s|5PL-oruKpb8g1`l
zcDx;(Hf&t5K^$yA5oBPMp!+|s<tJ<+uB8>HgAUe82V^g&`$TbF2T44&SA#k=W#vht
zpe;3ZT4E*t{j+>$Nt^{bKw6GzFsD<Vw+AHpGtkklf+`GBJv($il$JCV1)e7>R`xF2
zZFcB>B^j<J1!ID!CJ)}7r;XCm{2Wdcb4;JoLO1iwsI}&ZDMm^EwXr5ALaN<ovaA&!
zI|5(C;=>A^KxhXS&M%Y|QI*$70dr=iWW)DO8n8RQ)`r6F!j|dBWH>>yQHaT~o8>dp
zvLNj;W+yZ}4|SyWP!nzL8)LlqFW8hkr{N1E|LvUOWsn>X(+XbHYELbh<@|kw0wR$l
zSsM+nf<Q)drMl<GXO2e&o-gAL@K37LI43(pPNhUn&|wE&-0mew3J44*H%Xd}xLPjb
z_;7kZZyZ!Tor_wX2k|ixTn0V|+O572M^ciclk~QLt!PIWOb<Y^_{*tRy;v{Ao}=*m
zO;9B7>ZfvR7H@MvR&zP&BDNkBv@Y~fcKw&=KimPk=ODXau6kZm?ST<L7vcxijq);7
zJFHTaX#04BBzm|-2QAI3=gu4ru=0<Zth5~uZ=y@<QgK4ljqEP5fM<)t73^?&ijF+5
z{(J=(U6IL5GPWy#eh;IPaG=$3tAjJ>p|zAT7qo$NoE`RQhe9;2D-S-gy29#EpD^cR
zM{8v3iprvB*Si-+7!+AuKK5QHZ$AI<7WbZKW+IkG070$(F89rv2rDj={l?;yM5Hvh
z=YVS&OnjLURV=J{0$acf;@v+JH!4jrq1>Z%hwE+46!=I>;vsdDccUXKw)n4qOnHxB
zm{xN<?+NAkv<Bp^y}QEiBgID2*3Ok}5RQTV3I`eetRPXJI2u;)LdK?`6{)L;ehxCK
zmm+EeE`S}t7X(R**9PO{hNnbxwr29fcv@z$y5!6QXh+IHvyQ}<IRCLU9E``AWiD9R
zZ^C_bC!&-W9cyIpUy*n%AL6iW_X7RbVhf{q0uVABQVtE>Vm!w=6GW*=U5sMpH-?zX
zyzEs(MD1!)9HB^5S(djyD-cFdflWDMDMmxQ{`9U1jmTaGy_7eh)c|ixX^6n137g0{
zyDX;;jZxdV$Px8}j1n%`5iKPkpuYUh@<xteG$Fr8%Czgtmxt09i*BtokhlRgW|(r;
zOh)tF>*k8K>3lExq2S(RoF@JqZ(f2w`Ka1!eC?m~trgJ8&ConyzQAE-N4yIc)Z>H!
zDOZAyo6Pa2Pw`~!d9qK+%ZLZKcgRg+4KPcrpX1&D;)GU_X$5@jA030A_!wdZnAuUo
z$r&VRcOXQ!SWcY6$dq=J;!=rIfOF;nrUm6T?1C~ut9GP>D6d@L!xU`kElF@Jw<e(O
zahFY=N2#_#<CVdQPB4u7>X>_yCl<-mh#b+X*Wq)+VVfN{sm{)u7oXLtrm@38h;k(o
zN2Y|1uKwPL&}(UOBmOLemd|y4bf@yC*5(|LsD5ctM3y_Tf;TeCjs94<fIV<^H#RPS
z0F!TnrE>e9kkV3L!pukd_!*~T*xzZF@HqZO5qt@BA9@IB8^xdag-9GpTC^!Atp+r3
z=SJk6kXiVUF|@9CEM-5@JQml_(>YJufY6sGsHzm2yZ_XE?$e<Y$|WS(W$rEeIy2rz
zEIl%G$hQJM(TH=wWtY(BrBm8BjGXwqra~;aRR^mYiEzqBDA~*#h?XPmBI@3;gShjK
zNOG<7GX3KmBY1IfeR0Ei2p+LCKh7vvxF?ytqHhVo7$D)qd$Kn3ss%y(cOR+2#G@O6
z0+)K0CmUW`7R6Oszu*~UE;i5Bhf;dxy3?rNI;C~Pt`Xn*1<A>SOV9IHrqI2baqxh0
z4A+J(ni%a>9<hw*+63vZN)FXlDGc%0BK#942Efl-K=5dG&R2eG5BGJB5C0{4lg~s+
zVR-2;QaGMGS)Xay#FTvaB+nPdc30PvA*hUCR9zk9{pHRwnR2;7OqoqOW=ebHId1uL
zUm)ZF6rEU&x=zfC02eUoV1prbq~%Qv3||9(v{^v_F{o^%6kIkOllYqR?;%~Sl&Rg}
zdeH&W$MuV$dy|q8(XG_rjtNqd+oGH2+#tLT2?D3mVBl<oUd=mxgz|ZsY?2*>$BQAp
z_QM3tMj~ntAYi<(XSy;!6OkY)`?h_a!OKDeK8!ifc)u9@6PL7%4aMzhtLSHpciAjk
zNiyw4I4LXM?Z_mUORWLUY|Mp1=YXS9Fi;y^tnYe8R}GB~qrp3hrj#W&l*{}05qt0y
z)p@`|*%3qVS>f2VvLPfM6$`6_CG?hL^TQu6TFaEn88Qg+RKLxrFVbNAXm3Yi0co@h
z{r!HpCr<;Ok%J1rmiItQcm<Aj^X$Q(X_Ccq_$NQbX|0%!W@HldC5~E5CyC=oW9q^M
ztr2+SXhG9N)Et2gi|u~l*hj@Vy3|-K+ufBwPbNBsKhQhrq$(gV6w{YxbuoQ7jQdj@
zrxqtFi%JXTleKZ`y5Y<5DCLe>8F=-)S#a+YP&My1Uy&T^+1(3Th#GY|7os^Mt49ZA
z3Zf^VL<qAPabpih@%m;*k_BS84)kGtk@syc|8sG!6T-AeZ|g}vNgj&hXjEwVO7aeY
zjhFv^iWp;ClUv?KBTjzZ=v^i4LKxr;id{T;_0HKuFC6URgwDhUr{fakJ|`;>>tNWu
zICvI48PH@&Jg$4Jd;*HbVG~gbN{Tk+P1gCL^PG$8L`(z@i<5<OoRGWBN_qkz<#tHI
zloRdFgT_{>(w{xYOo4mn9m=IJQ>1&a0G(M`+*oDltoNZ2@g{tL3$19%h#!uf3Ithy
zZ)}lZ!o}(1XH)pqhx_IiNr6XDcoZ92JGsn!MeuRJ5o?p!PX?58U|`4Emt_hQ$N1@(
z(6-cI&*YE15XF>xQ7zD0*;h2n6j9OvF4QfO^I5Cx{8j_^VKm2?Mnf-dHEprR)Svy?
z;7@atP3*Z(sKt(oU}7YDeW6Y3r6Zy|G^QoYVN@_8kq?RpDzg|Om{Uzk|Fgk3&;Xmx
z-C}q9O4h>BjX3HjpA^j87UP*?xIeO$u~R_J*>uj;(t^ZeR3M;Njluc%)&hCtz)uzw
zm5$uUov5s3HN4&m*lRf-_I!;JhyYOQ5?^jwmKHhX#BAli`k`u7ypkk~<Q3jWTv`|b
z%o@dhqK7iY1OaFOBvot9jLXPkqB~(3qWm$%G<FEH=m;LCt3`-)A}%$(dP<Z<S!Gi!
z=<O5kmK6@>R85-fu2tMV%my5i@_{-K*}}y~I%S|P6Bhzs&KMwgs6}z(I_liu##1@<
zkobwT!zm?GSWpUYUlDTUZyy)RcK|;?*XLVNyeKMqKiZ~(9YZD8mI4l=;^z0&V5B}y
z3C~$Z7+mXS(IP%ZD3=(V2LgV_)e5+7_`4t=RE%*H9pW4zO*0=g!ne+s^?!0S_jKsP
zBJW1?ILrNU$jhssoJ79F0gz*+t$kC!Rpl1rDc!+niTRWy4~gQRD~sT|;87(`9hY%T
zZfHp#$wK;wHZ2iZVkN8cY#?$ZDc_km7AD?JjYHv8MbVch;CG{}=TTsat?V*vE$Imk
ziD3_uBm)pN?>Lk5fC{WJ%D_O7ru^MLN>QCz+=@_Gx?1CcE-R)puT#&{7DJRKG<3A!
z**K^8)Z2h#kqGbMY6UdV%Pi==Gk6SKvmywM@TH}$0``srb<prMt1V9(+LR->V6H}V
z8eS~R52oUnnHwPSaxBh8Kp_8R(Q(s&vCqveO|aQ-uS<1e-tgCvJgZ>l<id{UDYsf$
z1ApR|`p0Yfo#^YbN17N@$RlpuX13*^wQK(|YyRsTP~-%^DD@_H$I%VN0LhvJc1yVi
z_fh_9@c=B~=;5H{Bt1N$sAhj9^f04>QKuvRFa{CA2Cy=!sBEKi#D~N6oRH1sMg7YQ
zV<Bo{DPd5qr((0THyWEbYPB?f9m;k8h~hO_-+ZvuPFntKFi{Znl%rb7ywcGgID@)8
z#}=d*$W5=Va=?!FyJL|S+=;tQZ#uvoeSB7M3pb1wwaMB8s)zw}Ll<7zG{JkW>lGQu
zXi&ii&3%V|We@61uutMwSCWufqZ}%M1^ciXLu&xh5c1sqOLog}xHHB8$M!G8me4^K
z)3m2<g;;*WKkx8b4ZKM$7IdvPoJbkX^8|pxd$1$lTYgJl3>Dg8F<c?rRw#>p2M^eS
zW-2KcxGyAD&Y(_An4_HoE~YHlK%HcH8$JYTcpW5>-}Hjg0SW)u#H9{IeH2hfO+|O;
ze}y3V8Faitfb%D2cedk*A?@~3ov}aHHzx=iOT*>_@x$+yGkh8*D(Re&#xD1cZ^#4l
z&WOcUk|;v@Y&b|1kX3`AiXb^<<IKv-_;fK{d0vx%fLiu1z0Cn5*}1&nz#PG35N|c9
zx6-}iQ)rbRUWJ1;&0Ai$xZtXRjG-*6@qZNY2b_X`CXJ$F`S0#?O%Tsib_uZBn%X|x
z|HZuz`RvXR_-@)Fa46=G=}v)sMg0r;e^+`^iqgMSz7aiMd{^yE(XwL?B6N#M&Q#zV
z(R=9#Ez$)hE<<7$N&975MIuV*q0>>rMUnR)w_OP_u7?HWpXMBJhpJtElnWX>EFf?m
z`9dhU>h4GanXhqgpr>iR26Lh#k0fw#rYZMAw7rl2U&-72#Y0P*Q~xD(9!CG4NS{By
z0e<G22t4ukajAD(fZs>qMM+Z?hnl-Lvn~c76ZnvLOvP!B9b4~Lpopo(biV;G=GKA7
z#sZhd-FAp&CL4&}Nsn2O+Zq=FE_7X1+beL|QR%~#;KBJ5`>NGoPeB~u{H2TAQ}TQ%
zXnoh5t@rfKvHYYJZ&~2NX(52Q`ru#rP`K9^8K>6MvVMrSv<tW}_YWY>TjgW7K3-g)
zAB?q6H)uh^fb$=ufXP3sYTtSGyaG(7MNMSLXtR2oU3&Wj5akxi?otdnxBu$jUU%4g
z5E}pu_AuxmAXwKik;3oq)+6?`Dw)du|189ZjEVal(&Pl~DYf~2q;`P?QY(CNL=p-%
zPSW3~V-ay&;-?~5Dbg^s7ju1k_G@iBi#zL>Q`gB1d|JAY%&(re)G6$@#tp(@$9eR1
z_o4X{$L^;5%)<AduWqnSXO#qKkuo(E2)k>=elO1XWENdKT|a6gord6ZwBAL}XNUJp
zx5ni_6|diMKh-5UqKVKOlHAX^8A|Wf&O&ek`DJI;Euh0%qa7aYVfzGb=~g~0wo3v{
zc{XhY)v{!HaW>@XIEBZZ`ccO+`auvM%J5f6zHMx5Y^j~|soxY^yEvp~zTJ*%{i*+|
z()Y~xK&No5eLeGb^;{Vw14`l#6CyXN>?2lu=)Dr{3_g%I;52YtYG6)iuP<+lH4v1c
z9q3Y{cl3_{Ij2lgGih*UgVwvZaWavo3FU|LVQLY}K$<lME=JG;c?qn=l8PQ?6BGMx
z0(Ubexl&ruD4cnm4n{D*03Kr{<SppZCVW&}8t;ZJPh|LnFAkrfZx92$YxzH(h?*K1
z6+nZ@JsE8ppLA;PQxS|3$SFc$zn!yxgLOXjo~MS|%B6f&fx;NOOE#t6NN0awE+gcX
z>F2iwZ)YqH%a<zRo1X|Bx%0tAvtsSD@{59Psn3prB&tJb?pn{R|G@xqXZ4b}G1<%T
z_3M%jUsFYFbkZB?eY#YVvMhY_PEFH5Eee&1<Su!8vDW77LrcIFS|IL%1vKlk%72zY
zk?Wkdl~0(Str3;yKgh3Y&gGqnjvu+mX1;`MwQO+^e4656^RHp0Qo@||>7eOPIbZr?
z5`{$=%|k%WEtr~l;EA#L&Ef<_E9@0Rd>`a1#Jiko2~mk34idgKG8(u`VC1Ms;fuWQ
zt4tgO`W~*M8!aWZqya8JXlj0nt=G1*%&m9P&R45x<A~(7sm-2?!IO<KTBYyMZrPXs
z^T;+*Xt4Ov#+ocw4PvoP$r1_TH(J{H*2lrKJ5|}FruWouqrYpblCBrN?DX%uM#iXP
z4%I}H`ox&~T0(?#GY`@JSF&$)D8-h(&A%+&(?Ge;eG?OS(IvLC9&Z;F^F&x&Q+jtY
z{QIviCk*?04KAK-8-*nkR6yz0+3>%&LU&%OZQoh!hB3joPv>+2+L{va^La~J5GCjr
zdMdJeO%<02q*H5K^!_Y71fhS9w$r2*?5LcxQ1CvoYqThV5J+m$ua=qgGfWGvn;RKb
zrr=|`pA%TbQXjN(dD7<zno&hX6MJ#2GFq=%28VO_?Y87|V8qFV*KYzL8c_7oXV3bM
z+2XiZ4d|#;#E24>x!MyQ|F{#hH7&XkxR1+G<<H^9+{ue#4)usT+4(m42>t?ys}LnK
zTEZzX5VNk|`1#m`S#euc4t$VBf$#~Xj_5vr0CbouevYqA*!$Z}Wxl>*%<V1P@?<Vg
zX85q0Md7Yt%Z-ZlPG|PWD;V=%?3JIKn?fRZm~1`=$LHK7y0vYqg+Q=#X4w~uG;qVg
zfm-ISt7Z*{Uf)qG3PRN6=4i16N|Nri<vN1PslrC4^>8PWz%3|X`G3b92+hQ?vTQb7
z-e9p*dj^2S358HQ+S44_;1tEu;L8xZ0&s81gfb0{uekz>i4T~HL8$y45~}iSxay8`
zysRmE=#C^Jic7`o9L<lR^O}ZVY{vmj31KNQ)5SHY;G5vIGEH>j*6Z;#vZ@)=T{R=?
z{Y7ue^&Ot2qPNu+gc38w&HRRQ9vgCHp}i%&d^V0(5$1B9ni{;8kPbX2-da{pPR^cs
zJf@`+$D`o1kZ_%_eb|BI_CH=dv-7c_$dQk^lF~&Q`g@E#`}LWPP;nK<;z*%nVTZi8
zRc_W>)7osXshR{w+|Mz7EHOn6|Lt0*m?`_wM+o?)TG5<4Y>uG9m?v}?y8lPZmPoj}
zOX2vNbUXq(I1%9;rdFgeV%+3v`4QOy5)3L=I(FWd5CeyQPAkC@*v+|F#}F*L^g@m2
z49T@LQM8HMbpE0R(g51+#+cq11y-c;Qi<J5j?9g}lFtUq$%h&<8FWXp{z~nhwLp-M
z>cWAv@D>w{*y*!+(HrC5IXiL)B}!m{4Ape&XRHc71BZgP)Emw|Ha@W(*-s~moFqM%
zNw{`;p|E`LW3DO3)e_<HwWaCGddv;PhYp^Yu>4iu3Pff7Z_U8$ywt0>8JzR?<mvY4
z%U(;C0U-bQlm^e?3jUYu=;qv1Cc3{u=%FtVk^z?ap=1hoT6A)t{?$%>uKI^pH!f$3
z{AEK9{s{S7pne1X@K;>ao$mz)Z#92NwTk$AC)+dNubfd?k<%l6g2@3>BwOVQA1u4u
zM}i?PA`g(PZ~iEQ2tJ@DM^4P#cRjb|hW^UeNk2>Iu~JNXkMm%5ZK>)$dFKa(u9g+k
z&u-K*jP&YF(9Q?9h0l;o82`0pf{8J~0P$OxZe-jwkYiL$IGtP+a{3J8fP6{Wtg8lo
z2+gplsPqiF-`&3W;t;ViXjWK&yK?K!$Ea^T9*>R1W!O3LHb}~}c4VmB84<zcOj}7t
z1sJzqz}iab!`W1sdvr9Sp-T$%9wysqDFdI`*}>!SdY-jJQ_lig((G1>ZQFV6xiT%S
zBXuZ}o{&CVHO=<BybV%-=+~F-8TmfCdv|iA2D83kN^3Hy$s-_Q?i0)bEutXODQ-%Z
zR9{GArG<(M%iG|8$;n4-?iUdFG8^+T*P6XUn|08X`~guZpaG6BNch{7o#sUuq`G$`
zdg@ah9({P+;`Hca;RHjD_stNTAIjo>RpEzG_M%OwTdtPp%XpJ|0@eV=I-7dM2$<Hl
z&d(~OyIoF4`_ANA*%i3<iORxK_Q`9Ot#k=Ki40|?hfv!gaX5JGOTlEg<OqjI!J8Gh
zT9PXo2mGTM3K>zxI_O4rWk$n!{taUVuv*c|tvSrH`U2sltYK_(E{JAm$Cgu(q{<{K
zD=U+|L7WV3t4^sSHnNtrV1e*Grt}Tw(|F`}TsQS*95@x@sv*S9DhF_#YmnOxn@Sn@
z1!;p=(YkSL)N3p{cM*UV^0}|f5o*u)50BseFu!;WYO{Rh3a*DS6Zc4Ef?jZ)a<4fT
zSL!&WpW^uO<6~9uJo{D@S|+6kk>W?F9SL%nDjOn+qf5IA9M#T{GSBsgOoo0bjapN#
z=B*2PvA7mvRd&R5K*z~8^E}pxJQ0aW5Kc7a6}#Y)hE#-v%6yk(=N5~eGp7;ga=%0C
zcMwbOTMrM{ziOPZ(L5{Lzt6B0Fsmd0Q2w(Gl*-B$UcVMsQL^|e*%6)J^ZomN@>G=g
zDT0NV@FC|P_BXIs+I+unW41eyf4ozEH2`Yr%0K4nZH&!m`75OoI@mte@&7@zn&$-H
zOyBKrn)uf1cD2V4fENFQR`VNn2^|<#e(S&cKQOo0>*w;B1(oUpstQT>ALSDKLOe@*
zt^cnf+_N&KJT8fk-9}&j&XvPF1Pj7TD{XoqMpPHLL~Z+j!|t4)&9lnr3Ad|XJGVIf
zd=@ARAWS_NHl<^UI|O_c{x<*~C>PUjM{!?{q{yM%1s)Qf|KH3Ca%Nqth6@7uL;wZn
za8qVtB?EvG(e1y1<R3V0-RNxgI0H~ZOg@j4WtOFNoug>9WTGMPA*>}?<oA%6w^F8B
zZ^qI*0P&wHi2pt(yzP<SD(hi>f4jBkcMdb%`MZk#@XGI0N5n#<_g6heq-V=UJL}?0
za5?~(VKsmc5D;+P`JeHgRgsaAJ(%G69_R2$v9gNPi^1e{BbkUcr|`+p0k&I@zq7}v
zG-AkKKWf~c!z&og*ETfur8|?6*9dWowY2uaw$<%I|3jxe^1)*$XclXI$f6f0WP8F`
zb7@}p?x{H_WP&k-!ZHZ6MMTx3%bi>2$z}LS;6%|A76|sxHB2G2?ww0N5`-MF9gZW!
zGBU%tPbsTt-BM8skb17nYS@qLnIBGLTazjyz47JF<kb#Y)icoz0e#WIGeb0wot@hl
zczkWNqU<`6ozwkv5kqS~J-@jv=Ou$7t#qeqFSD8n{N$vxa*|-I@J}ZJ@zD~~P~nX&
zADjia{GWcoCzXr~@Grm8{KiSV4YU`4f5N6>UIxG_=iEGfX+kf`698(!qAq*7$^yg<
z@j8AfSlB`(*@kv6pd(RQE1ENkZW1f&&znK%hvnu1=<I$lRU7BibkRN4{yX-BzC(~d
zk1bdhp-K%{ceT8!zn#Adyy~ynFHeGVp!6@hM6Xe1SEgHmTnv&l+WuHiFhqFq=vd6<
zYzX*t`WApJ&%xrjn^bq=KX=q5HV!$eDACdQ+Cw<nJ^ee`vZgyPJqXHB67Q3~7}OTM
z(kw*o0P!j>Ms1WXEG_laM9igt{W1GQMHQ}~0Z4k*svu10fYi61my6CsCsZIQKnAux
z@TpZ>Fv(8{QZ08%yK(bl#=u}ex7e+GEhb?>LiuG6dq{RH%7Wd^UaX|Svp(aT<fEdu
zh4}Ew2T0T*O%q!yaiH^Y2c)}-tv=+dJ~ByD=`BvSTOkWQWKM=d{@u6UdPBSHpIc5K
zxTN@+wB7@?fh63171NL)!PuW^Vn<BtS!#L=qbqFKi+mfhs%j-v=zDZaa<|8szpXBj
zcV5)45HMp1<F`JW&jm~&H#kb3!#`4$9eY|uK~iNRFuzf$;GuK#{%S?wUe)EOFaGeE
zd9R@iWQHeaH#Ki^StC%~Hr5wQbNDJMSBq<x$?25Z&in;VdpMBXgW6w+X}uf%bpsr>
zwRxZZM0V?ok|RoKU{qX$@7A0vGT#;x1{YXJ-QPXAu8LrFn<6nlXqVTigwng+x??;m
zwGQu2_MLeOb+#+gLB~TxKVY6Jq;*=V<^R)*duN}+Kibv4c(e^RuS=@*#9XP1o_10Z
zo?8E$X6O8CJHMv9*U8!=Z?kL&pjK*x;%LTxRTs5w%uj7K$Q|V@8`{LqwWs&|F|#ZA
z+}6OO<}P*jnq!j-%(JU<uC2wq`Seg_-;C420v%B9zFqBZkBxg9LT_Ab_NY^?oNLiQ
zE324>o~N-_@iSMt?m4zGq?c76k`KRkl2<(T<xG0;^gBbr*b`Z@pBFS6l`cXqh+B2#
zb#*gktDAET4OQ%dUn*N&TDWp^GO!BTN+s7vh#cu=`C@4B!i6;PC%*xbfHeU~A3aBk
zZ8B7$^=-PNU+1sf0I97%saM;#o~Epo9s)Z({E~4b_IV;sI$$bL+)>3gf38NKP;MuQ
z&|iK~7csf3w+u9@{g8YFm{!TH3*w`5!ed7VF(z5TF~REL6ZegbMZ+^1{1e7Q$QAw<
zFbfHXs>$C<^5@4Sy=MGCm7-ssD<3JIYbr5^Iu+WNS|<JO_L&_z3i#HoAGfyDKBv15
zDk})fxj)KN>=ri#>Ku=6bcl*`=e9nm*~$}+;Z$)3`z|><ro<6HM4+V}l8<h$59C6D
zPr|{Fk6C2y!M<8?(5r5-zL+p7!SgDbQr@8AfJ~Bk7~DD;*OQ8dXJgWGtG!l2>17$!
zIlu~4(s&w+;Tp_zrH#!^%2Bk1L&2#2xY|)b@4l>u_XaYRp2fnfjQ_ZLH-+@hl_yGI
za$NAIhkg3SI{Ox#Foq!<Se@q<JQ|=8Dw(EAr{1pjE;!strGWwhWR7cT8*mftYsyGY
zoZdh~Vl42$JLyGLc8HIFc9&)SX4SrUIMF-KVFx}3o_!88-Yqa}zVz2NwFNjvd~^``
z()p#Vn{JRdI|OQv=r(Vk7kDN5J2F%r`O^yppu}zF>i^TleoeN85^zJWzITEGg>u;@
zylK!@-1bdxX`l0gc#oI*F|M2|2u;mM%Y>4Z-uZZ`rr#ka_V&}#-F5J&%#9Qg|Aq{D
zxpsBOBBPkqU|x!*TIYKXcl2QJMEog=RmPkX-`5?lZlLeS+eb8n75WD_vN>-;Hfl0i
zFTETylc33?bBi^TVUsh&pIygD!>J3^w@aNHMwOiE?hXEqi5w&TFWK#Yb;<e6(W6<R
zWiEF|sSdtj1`*Zv2%4~C)8<#LYGz8A7b`W<^g`XeRVT?kDodGu^9?jRe`1kocVUv4
zqwZ2kiwXK21p=)(pbewQ>7x?Zw=zZ<Wt1kLG)zSQi)(5UMESDrk;x#^P2CDGaU)+#
z7kh`)Wr|GrG_1JrXC^d0hcC0eI*VPh>K6+<y}V{~3?+PLKS{!V8A_eKYmFgK7G6tH
zd^^0yFvZ6u=d>o_{=(Od$FPzniEW~Eku1xfLHypP(7f9*pGqmQSymaZla6~99(o?I
z{?SmX*vtYFc`fJnZTx0Gb=l-cBz&?~TTo&4;lpzhJW5mEJn00zmx%u#J>+$QSPI*d
zx&^NMAyV7?taJA$iR9)I;aQ2{^H8Stfq^e0SaT`>NhtWR=(HZ@%aFEzd3<8#z<{Dx
zovP(;v$Jw)1+tQ}{jcSWdg5f^cMVvxM<^4RVDkFH5IIqI`I*W&`%2Z$grC!K#NISW
zxfT-9G^n?7>8w?gAGkyrU;;L~hr2pt5&rFqXBU>ntI30TCix9fW;HTjhQ;4I6`vjP
z+Z`9%^XlA~pXKE&Yub-%-0u$;_AdGr^zVa6Xo6!o|AuZ0adu&4BhC!pVqX2=PMQyr
z6p&i0tf?IA&?7yG&baPQ_pNr_FdZ7v=vRU|y6PP3(bTT#>u*#!9_2hW<z`7I$18(6
zQu}57aM-Bl&iS5wO4aux(x^tBnM^#X=eS0?UgUZqtJ4DR)>=V>(W1y1-tQ|<%qdnh
zx~VwTxnAu;li)=E@v2kx(UpLeNwz;fB25m*IYMQk@BRBW#5!N6b}ywXbZvI%x!SFY
zOmM{5v6O0nEvoEiRS)R6>Hq+)cKDo{N9^uM`L4*_hwtQ;B|S~6z26nDX1UFo7e0>*
z)b|K*#7-_XEd*4<JA1X#qdhoR$wdu`8Oc}+f|g%{rPsZA!{F&}STaVR*o&3Kd$?$;
z&}y1zi9(#7zV~w|rxSULH9bw0;F12iWk;01nK%1{&fPBn<B<EfW1An%FDOtTc)7ZM
zacX=puse-86%|-xroJst%#{ujA6^@=ShTdVI$)%k86?&`d;W^rb1$*?PQIOqi9LTM
zpBd7<;ITW(>IigcPxs}atW3N7ux<Spc<68@tSwiPRk(8hes{F)am&#7$4bsu1(StD
zWokao{&1ZZqD+JgnUS%~scI@3N<0R&y0K&ulyfgFsH4Rw<xG0?Qso~S4q(r^{!7CF
z?SPr8O`HGz4-H43C)I}f=4_y+>h-JNKM|6ZB95w_>n<sC9IX&ZJ5ozW+YbdeI?3L_
zkdj<LoTYQyq-{^+7Vr4p=98H=4}yxaLk?d2K0}V`x%BVT;b``o<>y+p*MKSmfZ}gf
z%E?cD>+lXI`G%D`dl_BT5U$eOf5f!hp|&g5@c0>tlB5AF(39A-K4>z)zOub)&1hV<
z1`>uEoHAKU)IH`k0$@?!9Mm1`kwkcpP5I37<0dylQ#Mtz?7PK@oGfv(2G{Q+n13w0
zV?)*9Y6})|&@Czh4WZn+CDF&>yy@O<6Dg@^@>&L%U(<}oR|TK_=KQCaO@SD-`<-v{
zHiCb3jr1wcbXiw~-QjF=mU=+Psvu`)e$L9QW#~o_bv5dSyvk5mvxm;-kVm;H^XBoN
zO2s%ovJM5GwcW0%2n=0o{VQ463%)fYON^UpTMWK<|L4>F3Jvx3pBO+T>ZJB#Y?Nbf
z0kT{zO|?P|J(VeKT5KBn24GTt6|7i1dZ+kOFd;MSBT{y0&bI;uNRi(TF*qh)Z0g31
z-I{BqzOkz-V!wWkBv#qM>aeWS509ED7Fyel5sBUqO&Z#!@E3vYsp5Zhq#**=C-^!O
zzfSK*_Wkt<XulA3t>0^*qM1@x;Nkz&<3e%OvGbNe!|^T>TCjo0?YXBL9G6dz24HCK
zOVy^o%euYkWWY`u=TaU2GxrzKqII{&WqIGF%S6t6r>ou%d-S1Uef<7^nWuC>j6H>}
zx4Mh;_U+(mXg|J9NfLbPJ1>-#$wb?9`#Dtbf*cIF?T?KS+?dl+);9`2e@}QDa^lln
z2ddM9UvVkLR^NZ6VZw-LQmW0o%G~dEJVURV+`HHE{De%kr#tgdTis|mW_nM3V?*rU
z>c2IsCw?4npSir`qZv%}$`}{%-i~ou+u`wLpzpchuVfoiQ_!OYCt_v>7)vOL-gqn#
z1}9HYsEvfX_C(sI#-bIurca}q-2WM<^n2cM9BBwGNx;EJ0PZ}vgZ*7cQy=G^2(5qy
zbz@MO;gq{a_a8F#l{=~;qZ_8=fb8!|QKVLJx!eJE^lw}L4_USEfLEaR8ByH*M>Bod
zy65DC>9r+5ND+Ejxp7$J;3-riM8?sa(yQ$T=qshaJ;9}sv&?HdZ8%V~^J>g<_`?O&
zEXDNrg!=U-ou3b+_q8OOD38aH9;5{mBUGR5qxijy`dtI8{q)29e3@$yEA@cn>=~t{
z1xH`4B}bnCOkiFaIAd|LaS<rAGd{A!9Ea$>Ii7%e=LFfK{ffrnbsbH<7gJ)Ofv{YK
z>Hsv%w;*y`<d=c|)s*4&DKLt#Q7)=HPw<^8%ej62np(t6f;Qpa>bKW&fTXEP_HJn-
z$@T7kv|2bO@wj@?>*PDmO#^Q+r{7uKDEMsN{7%+@eOAKM*Fo-IXSG6bc#<*RWh-=(
z0&cKVTR`8&;;?Y%GtC}<Yn)XZ-m<dD{^m=$axLNEFvUZ4E{s~MqFkY&ExjRV3I;a5
zc#C6l^JIu=Tr!5@7xx>p6^bF+at)9A4(Avi_dWT^P{#M@r^Si8*Aw)Hqw)2l>(4qX
z!-RQT1J6vfQA8B)?$>Q(gep(6G}QIQ21Fz*g*4|MC6En=4mNvudl&3acY(9!?!pWl
z(E+v1v*peW|5bY-nHzCQ)4Kv9qa1r6e8x@30xh1#iI|XOODKPb=BF9z|A7{3hzGo;
zFKskOgHaJ=)__{B3PGDAAQM$*E3N?)-t9Eo2BGhD5#br3O+n%s^%`bz++w}xO|!AI
zRI7_>(lH9+7k*cPFO{7h3zj>q`RP`UjAq5_XU8K7Z$B%xTA4Te*O&LTA#EJxTcD%N
z*+y5Cqjtq*pv>Ez<z<wdw*!d|G<Fnt%ttV(JmI&<YRvR#U_X13;OjYeoeh{I1a7~4
zXho+T%wQXExNR)ilfQp_%lh#o@40Ibm(3zC6zG~F5GJ3v)*lZJ2)>UwDtu^%DGVS|
z%#jjJ8oq|+?Tgz^#QF`$%`!(^Q{(=?VocanqOE_n=b2fnjBLn-bLU<RB!mp_=~&i1
z=DjTBW2BKdvM`e15yC`<z&JS)lQkj|^vO7l>g84Fi-fQ5gaLOntpBf=+VXg{f`e@J
zgH<=6WJgQi4y+FPDN*&7|41Z;^|U8UC~39*rKSn2(}Sg5_Y8Ya%PDNf&0@<<h0M`k
z*Aq;arYgt!6n_oD{%MbSm^r%Vn)dcgtY!7FCK@oGlQ}^5p`k`S$D+Q8I}jh>Fc*NW
z<lOSL&UZvp6r~at3<I?4WB1C>jesGVvat2n_6=ds8iSCZZF?oXe1|<sn_dBwlXYT4
zL2g5jPUAbhuYzxUX(}_j)nLGswil(awv{NW<t(Dx`!mKl9|mu*A4Lt<^!TWUhmgFE
z0bO*xgz~rJQ`oi;rF6ekG}_KtnQrPkCB-2aAQF{{<JA+W!0fC8`)cD;Ln&7*f!Hs6
zQtUi$n@RwXQ&dd?kcao^ao2}X)FP{bPtX^KIB)g|6lSl?{%#Yf-B>A$1G?|fS(Dn6
z&{0*)`0nH+f5bPvP`r9@6|>W{AxgVky`MV%ey_Yxc))pY*`?|VDBX)#wH>Y@NfVfX
z9su%$Ng$kW_!hdZZLZE_0JVVQhsKFSKY$jCf8SIlG%0oA-j_x`kAva?49x)ih1h@R
zFt}t};UcZP9UmVq6yAB<`RLIONi7+jkZ-ZCjFMzDK>#xJxBoR6PSQkAhB?+CJD>eY
z!5#$pg#A{0flTA8e<cG%TiX5;$mq4sYb-PENe?5_WfG3GJ2j|7I{YNzt^4XvF@c9V
z0O8d8r&FR3i;|?BuXYf34AvPG{j{*;uc;e0;a^`*SX$qpQv4(QDACm(#tru9fDGfj
zW9c>}^`=prD?ka<foKa2s5{}As!IFp357zvY>E55Y<-{G*ZEds=HEy8XR)ZxUY9%E
zhAP>H)t`f(D<@}&=nfJ!MtN*ZS(pTPiVz%^p$_u&QnEWrHL8fbP;(bs-fw8jbPWQ6
zDj9e^gA5eu<43_(|0OU@s{g#`;~O}>T+mb1kmRV6K2hbFaPi)cF#2MN==eg1EDe2P
z_RE(8LwNMSI}l<*k1=fEsHL~{7G~p!eSe{{KR&+kZUMg3-klIo-yPzQC2epM0;5|u
z_`g;>&w)mKT=)$LZ(As4s0M{1tO=HA5vjL0eNfIhVop#BLoc!~Hn|cWFcs?R?})aW
zoSZ~84UA}}4`by(n?H8Zze)zi!!A2ZL9NUH7Xfg=0GjA6zx}wACo<oIhd`v5Z!Svv
zSiRxpkc-)k6S5Vm_=U7as)4u4x;J`362NLk=AJ2FLp0_d;}a%Y#}@B8%FG14zv$Yh
zTt7NdJO5=Yq#{CRv|RW-Jmj7~%m+7F{SU!w(cafUf}{}cbcFFTKnvG9oEB9oo*vx4
zFVkYQV=+jA)Z`tY6@HyUxrA&sB)mU!l6y{fy#JD1H=jPUfsYLF`BeVVY;E2JCs~b9
z$WJmGjlu>zVYL=;$ro|{hqp+ajqsqA>cZf;l<B56jV~buj>2ENZo@)F<kM6k0ewhN
zAP~O2kyX-uR?z<?w@u2T=98;ey}n5-X%^jRc)w#rG;_*2%(+(cnwn2*>w`itD(JCs
zOd>cblV_Jb5~z~I$kslprwOcqQBRSbvrK_1<UCmQC>`-mQQFj2{a25;seF^EI6p74
z>L;Y7KqqF;YuCZbj<6Sk$ztQ=XT?Ivc~S*?6Si1N3hAX?@Ntqtv-e3`+gm)OYy%0X
zAO*vA+qiTxj<U|3FLDj)2?lDG@CZa$gu1X`GTtSsD;~%^Ut7T?)Ueda25pDL#S#;>
zqJh_eO{{!aJt{W!D`EJ`|58Qeae<%@9f}n7U4V!mz&pH-2qg>d`l55D##w8<N4vgy
zUDbX_BYhorIu6oTB6dx1kGzSE%MUG|5w_l}aLidR_U>e$Cun_^V3=a@$aRgt;q>CR
z9y}QrOBHYBu(~6hII+Dchk4#IYR*ee4Xq(6ztoB%7C7f)na`~=M25Y3((gb-^-v1u
zsEa^D(_Kg?=$rLf&+5VyMQ~<fV&XMNvu<mQs>i93Q|ZyuG2*{-XW4)wB^4=SX|skk
z9*kbEc2q;}nqvUaw-shY6!>BduvEThMs(Bn$Vct|+ImB`sw(1%ag;>3l7O|^0}SYX
zM)<#_!Ob5f#U$e6t?R^{`;@av0&%#f|2(ypjd<J{opw(_)fu^GXX{#g+q3@l8)mpE
z(Zj)v>>@g6t;L4_fb~M;Mz{43lbWWs#qMfpPj@3L!>02@)vY6p%70FJUplOmwV-?K
zUyqbLT-&^3AiQ%fx!GRl*9-i`yxqx{N%ki$e|C0%v43JvE@zFQ3-IF&Ux^+Yic#4<
zom@IdXrOy6SVGkB{RT=k8n?!jmO4kPlTXXK)iZzMeq%JRlAZ*%17G4Hk<ZmaKTVMW
z`TCs(qb#<HFHVChziM!^9j-MZ&#b4S+7m;IXhw<1j@ih^$X)z-gX%`S{6^G?j>sxd
zYvs%vTDp=N4Iw3|S+pk9%b}!ZK;Z0LR+_C(8Vq?{qBp`Ay?7HNyd(Xr1Gy%BJF1lh
z4>4i;Xh({wvUS4=`2CVvV_?B#DwX<NXR_s1MZN5-F0IkMwG+rSTl@(%X9mJ%z9x+R
z**?8=J@{4~YjY-vnsC9LQG1m0#%ZtL=!BGV+VXPNr#W?#D6I@fpcw)69_x>S@vZ#2
zvv6u9;nL@wUvGSbPWtuox5nV-K2N9K)fX6c+|EGXE=Wsh?9zW-FTY=2WcMAdO-aSz
z%bEKJ8cmv<u_8jP?E3=)ad$|SuWoz3{!&x7@);mPI@KKpMRrv$ew~w1&yX3oa9ce7
z-ack)pM_L%bhAf&=?gh|dME3YPOqTUvPexf6Bkds^y%K`k1HqHrzS+j4o@4hyK%DL
zPVIWSp0@Sepqe<J79cBXT2t;4h-?YH$hz`W{bFL-{x?C(M$t{1+?y}sbQWNJ;qi2!
zDUNBt9skB1H~vg3Lz6DQvMHo(@-}bknwxLY&rGX#@iBYzn5}-uG1|Hohtb&|dxZZk
z1{T+GD~JYms84DE;r2F1r8ysi$I2nAO(T{=J4kemDN%lP8C9C*NHJEG<&Ss!KXG=U
zr4h+e9Gl^OSUJ;>(gQOM%Z~gGBvWaEa|>VAAn@XQL2f+Jf)^L$PfYHd>-xO#a`=#`
zTm8)Y<XS7bYZV%eUuQ6`Q+$;-PGJtixfByGB1*TaE3koT9=tG^SGtydsw6-It;c*X
zeuFpY597S4^<uUTcwQOVBR}%HCdKZ25ZVE?Ej@6_T@q-h+44f*SZhCA=-NVISx?Y!
zH=^YAFxJlfmztwYHQd&mmJcOAU$fgYFZ6o#ma?~6#xKX5gHLXqD>3_04g!BE?5?Xw
zpKiL5y?+-y4sr2GXJf}neQA|>=ExY3oJ)1?+4V0->PGa!0o=EF+tdFTo9q_r3>AWm
z)k<I9b3|0*r$5n^75x)7FKYX9M@;J8uA^`2psNLC>+0|Qf7mW<cwtosps99y&OL{A
z16`?(!b~Vrq2Aftr=zoz!HS2QS8bd^FEN`*z_utX=D@shfp12_XR(UQ^8s&a5_q(i
z@vEWY+-eDusshS1g4WT-4sn{;D7J`-UxEuF)%od!g;{T<$Y^)a)$2HIw&|>aJl>_`
z_G^`gAyr0}Uw8HVd+(xl=HJYBrP*#zI{SG<zShU3IMVsYfP=gFiz>~z63VLRrJ_kG
zXNK0dU!0|Ep)jT6^g`(~XDA1<HD0EbYG^A#{A>eA*)qx(wQwH2%G+hNeAl%W{qT%d
zpn6IXu%7yufKH!!FWFl^SJEpQHt7QoB~6maV#&CXYY(c5&PZAwNPqwNookR~vxocx
z#iLS*K-loX+0E^dZ&%SZ7}Tgr3<7*(^U_<uaL#Q#6TEpJv-3^Jr62UBw;ak~jjX|}
zuu)Y@(uIbpXehN_gpm!hdoDw?!~NV)R`fWdd{0qpPgf+wjp*OL5qg-IS_^?A+8I=Y
z?axPjvq{Ox6uN|d;&q`rm2<Tf0lF_I$z!W$)~hp8{cv4}MOL;nbg3{@wlQz3EfE$$
zi*qE6-A9~<Iqr~-l9uDhw6Rx{eEN_Hmr9)nXbA>KFiFpUow(3B@Jei-Je`}Q|DiKP
zd8vk(JzTTAYn-4%@}I094GF19@9VRz4w%%aj*f^c%OXvA9t%;@k}e6Xsc?37)`}h~
zp#(y~XU|P)c&FM=Xpl-5q$uIb{?(1x_FQtWx@1~-MxtOa)G?f99IkrPj54^oaL?lA
z<Ic0U1y~COIQ8%;O!qot@?6m^%jTKbBZ0)%Z?ariV@mc}2PQ_PBS%Z87$34-2-V~M
z(F=0bZjQ?a&T0`T+5tLF7Ic@Flq{MtV6<F)`LQ3p{fj=ziO2heKJsWrs3F{Iad<g{
zO4Oi#io}l&tSxrb4rttw1Ty7xnFG*?y9Se_K&?`zBW3*xdgH^XGGRyd{<BwpW{2z4
zK^0qBaGGn-VMu8WY&x=QuY7X%sqTDlHT&qlk8%zNaLh|}_nnnzgNbcx*W(V|A9yGy
zCoRLGyhQiQmL8S7b<%?hUhNnI|F)WoXjPc$8{#3w?h}5vEog>6X`z00zNltqc2;<0
z>Ha<g@5(BtDv}Ta_j1w;k+IhvW;E5{#IZSsO`G;^Q&nVppKF4cFP(Fm;(VOZM>R3D
zvn)bPLmI!b@#<By%OAOC*Q+UQ1e-OiJ-T`8#C=g?L(`oj_lS$sji%(xQLenu?y%oL
z{%q|RfKdLrjgz-wF-1nY$)8-H(@Q}xX+6CS2gV#F77gA+LZN1)YRh9i?|rDmy01%i
z4LyylOBEM`<_#rHn_!>&n+(w24N%Imei6r>&8&HMfSG$Tz4Twf*Em+MH@Ujs;GAyQ
z`gLNPl0Bx+Kbi-VG+nfz>kB1jDU-N)<7;30dlN+WkDD}1dQPd7?!&zL9`hRL&x;X0
z#{FRVr$XDK?WVB=fhPHPN*_D>HkwmT>{X>T5VtHuY1I{esd@MUFjz%c#(hp$&SoCy
zlBw8rDKu2o(bLGZ36C36YB(_^k6iJvGTE5cuI$GA-qM3D<6-b;wx=&hfrHe1t~Pw=
zNz+d62~O&~<j)V5Np{WhFI;dwCZlgS6<r0PR;OAlKcSwxkL$@@*KfKRMR;H?*yJxR
z4DyE^f{eODT3Rn%hPH4fi?%Cqn)C1X;tz=w$Tu$=@qQ>;X-}cjKd7FF^dGuo9R`_M
z(l`RkPwJfAg)U|Gc1=w!F;9(!CruusafL~^#;TU$S(IrxZC!mIDT-)RKI3qykKqY3
z50XWuufT3Bdo!MNUZK4%>t{+No;ms>K{lral(otYs@kyViUfTHY4_(E-ONv;Y9iyY
z3P<R?Fd=01um0d`HO@i0Lmm1-@n4y${7R80--LH33)0j(@7_Ewx_r@I|F2}5w+G}A
z?q>4ojd#W!g1d{tk2L3Yos*MK3(FF7<n-i&RWe7gBot6czIOS}gEMGDgR`&VN6tLm
z;yz&#s+@Lsln34Zr-;|O=5*AQ$7{xt-%AGe{go(ue6j|VX*r!kc0RbkoLQ7m-#cv1
z9JC=TL~)k%<q<j?^<@nTgz{Iw2HEhqrvT=%=5ih+a762a|EBAp^Rm?5?`uNIDj_Ca
zf4v3TZ`}tkBOMK@c%OURkzLZPpp>O^gB2+<m~@{R!5H2eL00fNZ%>B@f7*b>O&rNS
zU}So8ZOk*Ko;`RWlT%c5N`n9IySmvyj-_+R=Cm?sHBSe4Tcx5K%qQw=C-uf%Zhw$<
z_s82w#Qh!Zb@xcEu1Z#Tzdlw+bFA7_&}ds&T!&mQ$ZKXg7fcg6#9KQHPS?!%(N4p6
zN$E;g%&yu1DD{RLzlvxvEOuz{g5YE0&dG2O+>1>;zyr86>r@%g^B7qS`x{bE)^&oL
z(CyKERj6~(7HdoR^!1HXq`1e2Pk5A9>4CB$m?hu6ADDL1;wVvWx<kl|2>uhQ%7bWy
zqgxmzGpZC)+fUe7g(=oqFqv5h*6Qx+?mn<edJoe&Aj+j|oh5YFbt1Sba*upT8}6;6
zeDE3c#O61k!NS*Lwu?A;2f6d6xaA@|xrC<Uni^7Jp)~(8CQ0~|vsw|*aQo$#%J^uF
zOXx)u;(2(J>mWlqb^g<b0a4k>t*<tI{@;HYTD)lKw%FLn*hSGEQyYSq?~#8*aMUnN
z3&g?aq2!@mTrc9{5=kWHsX~?)eowQ9dBl^BqDyJP;0GRe<UXg3o3(Ox<`<Q&94vgc
zq*mo0qcVfyyT>0&zU#uAsBWLKvSg+^Rpm}9IoE%i3bvf9r@5P$yc}<gs2<q$L0r|v
zzxzBb6%Uh(TOJRfor$<gi8f(o3{zfgte=_*a2aAPUoBcIPmRbx`R1^)^}DJ1XT|%n
zd{V<yzD<-2PUckIK4@y&T<*+#%U#Ku%L>ozB}qt#Dj@ERf*7drm33V&dIqlQcN@Uj
zqo%Q;yl2K>d7kHF%;V0^#PoOmY71S%ea>BF5s!^Oz)__xe#q}-QD$Ek>3c1-{vXQT
zI<Cp}{{zNE1;s{0;3zVXW|TB4g2)I7k<K9vk`e<20fSI-BUQSkh71NGDltMBxe+3g
zqXagjpX)}?Ip1GAzvuP*>+!fduKT(^pLcx#uu|GGn~*c@R$Q<$K7FPxoK;Z|l!^9D
zs|w3qo=>7}y>OKo^H*~FYHK4VK0GFit|oV*V5<uwE_Vy=S)>MT`?$~ci!6USrP=SZ
z!yXg0@E$ymrQrw%{-OKY#evI%7mXGs#8VdJV|h6SG4m=;J<7`+^R+$0>F^#nFva#+
zQ9LwTXf!XGA)e<)VE`2J;fWo@&P5h1k)5lF#yF2F`LfDPAEwu6IyMw?0(>>vqc`nW
zYL$i0C;_$%2}_@%DeN&t_+J**=fK_jHbt^N$X&a>iVi;zvnDw1wfx<zS6%pUcY9uD
ze(PvkQtNu$P}cp~Nj*-Og3LSeV2Om>TR%8J;{je%An!Ll(3ES-MyJbKe>rP!3SX5H
zYm=tt==_X*S+QHg(JL~(+Q{>9@14llx2f$Z#VIpGQ(wl1)J_rX*j5MKqf|4sB}NRZ
z+{XLYW#H7e^4%Il`}{u2BsS5&NfM0_FtL(uE9m{4g}PDaB<XGuW;a*W(27oji=O2#
zCFB_ANwq|qmma}YyF8CqtHq(mS?7f%<(Gm6R=yu_C%7+Q#H%?ZKqdGbdlU$cZ;od8
z1$mv*#<_(=1aLUBP{-(F^4v$Q9jjh4T(Vj|FTO@Dp}r3zy{7{k8gMC)*2ZNw59ZXy
zsohOnSe+BzS*4#Bsgrr%xH+?3-G-8!tSwZM2gv+@xW_KV_n}MYy%~ynaf6o|9N+*V
zEk&LeSpyn0W~#@$|D0~!gE8d|+%%2)Y`i?u#ea--BE@^SWb_BKnZJdE6Umyg+v@j(
z`Po;JW-8pt0YopNiNqu0ik+Kfv-4vU>po7{IsjTFMHa3mrK)rcxM~w@*X*N8F9U&J
zxB5R|q2d@p+_E!5D^|HW!7BaIpZ^F+86GJoIDC4m%xwSZtr!V^f%Qy1@H0985f6&t
zx@#oLYy+wX-dW@AFzMXZm6*>A#MMW}0QAGFqzk_4MO|Q#!f^c8|EagCaKd^a#>RlG
zz1&0#o86pGn#X#&OW!5=i3#F2(D*1$PVQw0+k-Cg_f_cFKMef{al4*C#N%4{8yiz;
zn~Jj_GUq}tsg{u+ZT4Awy1zOb!hUiO9Toh&|H9=zlK^z_R1ee2L(d9td+TmvmiZUG
z&_AA&ni!~WXPL?Fu<QDQSR*Rq<%UMxh1V>z>Jc5Q=*Mp^y3`)ih(LF~()lS3{uesE
zhC|JyD^$OW(49GgHyVFhX#xNt2NT3qev`L1YqOmzU8X9TDm!mD7p0L~Vk!x`GppDC
z{*Ac|Au{{av!2Y~zO=S0BRZAEX?-@n>~i;mn*qY;v*d-jy=8i9*Kr2gbX@9V*;VvP
zzgKXU<eA+3xLON$q{pY^=RLdkfX4YtKGvHl;r^rC?2bLkL66Y9C%^qN*+2b?!<W#Q
z^zdXT7Afzk-|b$_+!2Oi7O9)iKdw2uUq{CGgSs%Un`~?W<%Y`zlNJ=Rf8{qhVSb*6
z>NhH$p05AaVnp|3z%{|XZ{J?8EfIv;)|MyT<F{6_6~w_B*82jrRP)sf@*BKltP_Ep
zmJYAu==&m&PPH}N$~CL-0jQHB#&m0KsM<RTl0sr?#R}nd3i{j@Bcoo`+g1d+M?zjf
zxo0*OS$Ev#m5*?R{HE*B6W}pCY|DMsY1=Ou_r&ZavMo`()6LA=+q=A`-@J=y`?CIr
z1U__kO^aT!5A*)K!I1DGA%%M$TfYd^G>iTztjOR&h3?jhp#avlYWa^|bjM}tbt3`;
zRS(aL*l~D`^%;5AbX*2+60D+AkeJBMclwJLu?pMM>Xd@CX~z%8uMy|?nEThI819qS
z03~KKQA24P#2VPp?qOzn0@}~Ttr1!i6&f@e*E{nmR@-j}uyeBqMB&s#{kptUak+&p
zTct&w)6^Vi!0=!Zgj|<G9daf-5SI#W?W$97GbHAaUHq`GQ(DUZ*Sp;y7f*|)%zS*3
zXvSbA;Pg$qdo@RX6S*?eJ02EWBov4rl>h+>SQ$nb7nYswX^Oe<9{~UG0iU;aA>o8d
z5A<hAECvXQ95D)obXwHP!Adx>HrpjvK&L<3x5BKF&tyW#9SDptbRx4V#Q_}l)xWZ^
zh%H)!)w0!AUOV*-wn$UoYix+%h?&88^J9^Q8mRmTtQvCLLoRL|znD16M-)XH*ZNnj
zjWPw=9%GY^)yvkJ16mv#fNmIg7MYGFT?ZQ_?evlL@x(NQ@bq<sI>hF;jx?`}KY-X#
zja7qP%I)$gZ5$PMoJbuHO9S_W(uASI<Mt@d?hh8*V*0?>fa=`+;Nr%j(8)mBrNX<O
z&ZsvZL<o5?NxBn${u&T^ST-iNHYp=CcGol;+cQXU^y|QYL5XF^QEqYRt~fS@fWh6&
zt6g6g^>fgtcL)o!bNk~@B0~41ah$`A%LBBYoITTRiadWJ4~h(M;YW8%e|AZ7SnHSg
z(n9x_SCE|-szJXsC-sw@SE}5Z-+PY1_S5DR&0)vvtvjK-eLPBdXTOJqY@c&Z#J*j^
z7duuUM{x5=82LNN+I7sPqJ#R|I#ml$Y!BcC&>TCz8YdtEr$c_D0Pra$<xb*YaiflK
z3juvkL$gk{24-}0wB}95Cvd$5gXUdvxg7eiL~la1`JL{&7O#!wmpc?dzK%CxZTUM1
z*i%>s%Z)UP<|0F08p<0p(S6bohPEm#HE{I70i}}!9gy8^c&uY%WKv^oSq1_kb37>|
zgn_<(l0iitK^q0QoDEWErzHXC5Uoih5`Q4uQ$FbXhtzj`y@23t<xcar+?Nl`9GC=C
z-)2a+6FK#wqBwMs!Oa$kG$q9JcyiThtepG<o+jjj%hvuVEOK^#UPQ|vZctixqPVf}
z#+*2Zv)cQkzIq(KN69$PF!I>MkTl%~K#uHQu)`6~gdx;m`H)9~fzOVek=M5ma}%GQ
zp@2?E1@=^TAir2X7Nftlv5@wzIJbMR5p9VOHX9sA{r1CEuIcW~>c`UHX3_iY5a}s&
z2kX6H$_gNzTDd!>0;9}7+@QDLdLT41r~#6qhx!FnO{DqFOH~(`u^)UA$#Hv~8elus
z%XaXI^OH;p!3;JS(03O}s_pj*T&*5ak9}suPUrte3vch#9L?3~rfUXP9^n{FVf&Yr
z--vP@g7fql1XxkQ&z9^D*ZsAR&YthLlwPsW?zM5jg&zIc)sMyUHLy3c=Gv<+{y;;0
z61mHuXUxk@ClE*#4s-N3-((8z>)T>)kcc@Ga1E#{?>;QuJqmrRCsPH0<?@){NE4SD
zsjVxsrJ$GOHY8J;nfcjqxMpC5Moawsf|(3&s~+$3%4{7a_a(6!PA1)Cm`EI-6M%`k
zMB1e(G<t-Cd>tU$lfJVCNwu7TP^x<N%eYBaJ~CB+42V^Y%2o`Lpf}Mc1O#jws|j1Z
zl64jocDz;a+(;ooV0m`lXs$e7r>eJj`%g9fZsQFqNrZFD{Ixv~&ClX<u&SJvayrb@
z?j5^Wy5u6D@5CVDvK26qv9|fIwVlowf?T{BpaJW2F8wIf1PHPtni9Kfzy)Xaqp9fy
zt)kc^9k^=dIdXl56x?>Uw<HL@+iR0^?mDRtzaN$vA(0ZN$H+!~7>JGqND}Gm!dx&)
z;+LOuhnG>YTU^yUt??sA^eV09;MD~!fT=A<0)bEMPq(-=Ds$wZ18Jg7gI~tmMq0~%
z3Y+A#!@Hc&xh`Hfu3JRyz->#%*ki2b7t|C&j8|J6U0f=OJzC)10n0khaRX=vpS`;?
zI#!F?I61fSCC^xM;jVe^n%{g?W4zpQtLQWAe|vL=W7Vo#r~PL6*b%o?RKlu&%GZ%6
zH>{G!^B9>YM|TUTVor_Y7&pPDpdPCpzcYT0PRnn!IV(>aZ{up)#3&VvhmH5GG9tR0
z71wu;Lp(Klm^M3bN<f8rW&{6@w>~5N+s`*)?9Y4I08?x_Jk-+@$I}<=F2A|hpfq3|
zV)hb<anGbW+UMT?%j_2#jt{<J^9~dfyQ*E?>m?%$l(Puu!S|iLlzPbkV3Jw`iZ@sb
zjBhgtP~(LVWRg2vUz2|6jPc1`C5<9Ab{+rDraogT+G$8fo2j+)=uP0ZaG6{HdNJD#
z%eG`G20ASjP#<}9abBYLwe;+=Iv9FT-Q~CR%Ul}M;}wjFGqgNgbX&o|ZwQCX!lNuE
zo(=lKJ^O6}{1Oblmh^iR)OPaE8b?n%Onf{hn(tZS<hM20i|~u9qzziwv}$5l7|sq%
zW<S}Q($i;r(L24K+@1wABJ|_3;1iSxk4-QO7;q$G1xQ|SAU1;J$e=Q8uZyyN7}YG|
zb((7xluRHY@iti<;E<qBmSW?Z1OBPTw#7vq47VEv!()-85+;<imaDP6KC&fKW=}`~
ze=c;dVt~JT12igCPJvnY7QNo(DJfQsfHBsQrkTkJ6Z%$QBH))hYD6Ut#U6s)tj{3H
zK_~pWHqf+zJ%L-c3KVHqK#^A99Dei)=O`DribvDP=ICc9qH+pDLB5`Vk<G3i{8k&m
zDoV~~*q0(eRxW<QEEGw*^ZakiP6CP7wF--R?mhnv(rtcNc|Do<39zw1C|LXJ`wQA*
ziA36T7l6G3$QR`O`wu3RjH~^lGtgEGQC6A=w3podZF`&h)tC|<R8%8Hr_gI17qZ+&
zEo5jd7=O{WY1B1xYA_$3)!wc_?CP>yI9g@-`AC`1vW=+KmvBVdQwOxUcJ0pA0-2tq
z>!xcBNn(EU-Fo9AW^lKt=1*H(AzIKC+TJ#anv+yZLv@F~?5h+kC+6a1oT^&<?bB{&
zwlWCSnA1S-%RwqI*Cvt4W$Vh?Cc&zi&3HUsBDUt?&$oDtZGlMzqzlY9av5?KG{IS$
zfs_iZqklH#83F&jmGH~Rd*=`2`beI1^I6qaz8RnET>k^?t8IW-i(wJCa=#;0oK?~}
z99tX;*Z~_*2ft?j)6{eu{o3y=c}Y9{FY!8yhJ(B9SNL;&ouQy+U_I&?R#-~)n{PJu
zE8alZ|Hw!UJ#CcL1=f{XXK(!T_zgoN^4sx<AoG)oa(~=ZIg+4j_f4sK-%v|Zt0ted
znU~4+1+Du)e3p2gHs&ta3EFU{ZFvK=tL7a1J;oF1M}#E@efnD+r%Mxkx{)S9s`zV1
zxXggnMrp0L&<I3!RWH=afYS^-;>@e=6EeV4<oDL|tsi5};>Q=A(q<q>fc03a?3zc`
z?6-RQwx*^IrxfMb0BVnZd}NwKI<06Eh!vZjya?C;xt3kD@%R(e(V329sTe>z-6cFh
z?N#LZTZ98$J8e7KZ(eL!Vx@mg&qdbC(95y8n;=>H^JsOlvfeOAE43kJsY{@{<38d-
z-n8f~C>s`$cHSBUbR3Q`tRvV@+)3~}46D!%v22Xu(2Okx;?;vOz|C_zR$mQBZm&$V
zr`&H(3+x;8Tc|C-(R28JmDls9%}N<~iX1t$_4Us3+r>NeZ}#4<!?$dGTU?oDp7pp_
z^!g{jkqNC~l+JPoA$v+tt1;!^Bey?St+<>+&KwlNuSEMS;8#x~{Z{8I>N5l>G(tWX
zpyG6wCxzaPW+<!RN*ltM$aGrunIjS$flo4Q4Urb_rg*e;U8fT4s$73$zQ<ZD@<7(+
zhOb@4?npYV!++M;SJ|1fh?#Z2ke5&*2JmT>UCW#oTI)4(xk=W)0q#obv_>t^^++Vk
zdd<FPE0w`$X>ST^Uwq4P+<v&OoaB;}&r~-UQ5$|BA^<~ruU3=NpZSeWtLTsTi0ZXf
zgZ&g!<yqxPNHlUv@zbt!zA-h=2~dyQ(8os@+PW0yDYyM=%*(KNWUbwMR)7)6Wn0<2
z2Q7}V%c64?+<x53@*k;1VP~g0)3K&f1DsK^mW1pvJP+96pAUa>pKKp^q`hY_MpNEy
zr28J(9>|9T`#y#UOneMs;0lS3WH@e>e(@&q$O-THK|8YsiOg_xcRA~;>D~n)2D+Z(
zsm9<#rh7dcKaAr4X+0m=wt<)|9KjOjRfmA~2eWa@o(^*`H+OJIMY}%Zqe?|5Wty1n
zBs|d9cRv+HGw@qb)fXz-oX$?eE&~H`@phW;%oQVfwuPGpedeXZ;B%tXGaVSJ3A!2K
z>j9Ew`4q#4tl<1ieQ#cNaYW?W^_e<}7wYRX{l}Hy&Uz)LICulS-piDfLK{%xs_X0f
z`fkuXu|*Z0wFUq^1i1vQ8QKi3d3q+`n0YgR^DK1AmyjHM2`40Y_rs|b0CQ?3;>5eO
znVx!4s03;r?fXnNXHfIO<DsF>pVB!l*k@Q35%SJl$4Luhk2km}WSp)%rq3ZCM>b3Q
zMczvn2YgT87%{+>8&WkkzS`DmiyD(gt-W1ar?^jC53H$uCok%c><&+EDKc{PpG7Bc
z;HRfri*AVaBc)BZnQeNq?wK4&IWGb{2H!m+>>ZO-R8$&GL>f>5TUSJ*b6;#aQjaF_
z>4&PPnH{84jHz~_dJ*B=C_7rBxC1zC99kdmt4so$RFj6n_QSfP7a?K?LKQdH#wK#J
zX#=IBquI0hq!}tyOk4lBDN|S*TWote<N7V6xNnfRgG0Uva7>(t13ISoIw#`MKd_CO
zUZ!u`x34c*+z$Gw^Y+e@fM7s33Fz&g_w-$7skffou-U3ILmw!?o#&B6%ZdYKql(5&
z%55f?!)e=#Hx_!<x2oTIX67$#<hW|4;cG2K-<o%|HIgLGJ2}+5ig-_@EleJxdt_5?
z-5hNz#S8h8wIJbgyzjx#)~|}1cYX4_T?_m_Fm{Wh`ER5IH<$L`G2@)jEhysOA5$U0
z6|DMGg<T`_&J*Opm^BJGVC2CU9}%Cv^fz8)e}zr)V0{LgUan$kHaG}cx9TLlZObz*
za2%Ntk6vQ7d3=<kk!-E37a3LBsy%q90g`9+FsQVR7mI)Y$>qMjqGnZWMNHV>CRLR_
zNYL~{t#F9zi+WlSs@?Jf3r0%db!|QASqhynP2ukgE_bK$-re4qTG&xaTHzr$eh#zY
zZrjce6q&4L_ojMhiRQ@2dtHz)@p9UBr1_=alo8tWu{4-m`i$7B$li&~@mu@Y{0vum
zAnkDAe&_G#$e#)hNdXp<TOF1UYfh#SMFja738JO)gtZ?eXJ*8g5z18Qwy)?Ld>`yW
z+$?=e4BNGHH3{p+muFT6rgu_&1}c6k(D#{&HR6%P6@%M>U!v1q+%g!b|ABtH4nAS2
zao@eGAZ&t{c6uH}?)3Y}{bi^*>P6-4b0hwIHh3K%L^(-7$}clbsG#>PB>=mH6_LsS
zV`E)Z3RXS9D;TcY!L9r<?y4mqyw^|8I=hd~Jan}UR$_+Jk_ZMDk>?a6Rr$ww&@1~0
zEB=@IyHWE;BI3j6jid__51A8}oBt|YdF7SDy#3=qgvDQCCk%0LRxR9z=1{Fu*D?#2
zgVkBBxq@3;R0Acx?{WN9b(qA9?w)K#ZO_(t55D*n9w%=JAMs)iC}zH}TFKYnfjCEr
zXPP<F8s~py^`^TlpX+waKrFiNKC*_NHgL<|85X3@>dd|OK?u4YWXjfO;F*yR18>vO
z{Z*Cv0q;D7doCBUG3>WcaV_Jzs$2-U$6?6OSz7*;(ceocuju|?t8y^Cgewjpq(N#g
zoR5x|8(m&+C5<kBV<BekaavG$o(m(2MqqpJJjJGq&Ob~L@1nWUD>oWvt@M3`SxPV7
zfjv6U1Zz;VmsM&x5_{4@&+)SHc)!)lG4{+(>5!<R)--HT$I!zM2@4P7&m$(t^WTRl
z8K1nAurjz5tF+Hc908}Egc)4)Sl`kNi<<6?KE=u3(4m|mv?I!W<}j=(8H5C9cfVtd
zfsn}Ecc&wfaY0zlOP=x4VVD(oOZ5`9EeB!%oN-<hy&{D73^Ip5Xf6^ulzuY(d+EoV
zmafT5`sU1Aj)460aGITJ5P9`iNw+!loT;W8WN|?jgvR#$^n0fgmSwJ?(dVdB414Fz
z#WHhT0(G5xC$lbrpSXBcXa3m_plyCEm=+nAzH}NP?>B={tyW$geirf{&crOz&yOmB
zmytY6kCF{-%gy1a+)9qC5)DtAJswU)*@s7<TUi8cLK25F@gea7I-AR5JqIi--xdJJ
zrB%bH*LB*#&HiMQMLaew${J-UlXni0wZJt~SNG~pBv81_YKb~rcCzuIQi|_ifTG_&
zoYwOdmZCN8dI|q@12Q5#&r!eBA4++DIn6F&M@Gm$;p0WGu-}Vemoun0FKzWhOfbP3
z8_JR&>kHQBC^L(lWkIZ`4_cNs6dXFBk<KOil<Q>IcoBoVXbdCl)Ek@B(zidz^KXMx
zU1S<nG<*5cD?yDOU+-B9+bQTDkf#@Xd4a;cj>)?v+$;w!NpTKZt5f|6VfO&M`KLDk
zIB24)u64VX_RJYXR&c_icK0*ILbSOX;=5b#;N$4x#mvDY%-n)w8VdD(mmCpMImtPi
z%LxL<5s_iA62dK~Uq3jQ2nP_K55x%iyAzmY5{1~<ajzT$;TweWBAEFGrq|J1jX{Wz
zo9Q>7Xq*_kXf}afyJn%4aFzW)Q1k36=ULi;wDIOAAEhd*7yX>}*}7Cko(IV_7iph1
zepQz$BeFJb1)S|li~GSf%o2A9_F@L)gim~}ct?c9i5iqqQQz~GZkOd=Ri~#n#8a9F
z=T!$Nl|^N9gG)T7)Ac`^atmI&<o#nC4TjmM(4RdgE*0`g89}1sJ>__olMSZs`{{C4
zWdBoDqj=6I;a6nP{9=hG!Oyq>=|UD#<3);TnN0-heC0<~xmSLm2E~H1aR78?t3#Cy
z9^M-}M7GboAnP<C^uIjVYwpAb$t;ya3GC_^Mi?=D=54}v<$n6Tac(S<S!W}%!Xq;T
zJbWs%Tg~0pHwX97X|brq^8;dG>Gm-gHSNzorGFzZ@CB&IKTm9Lkl{!?USMK8q1rKJ
z<Sfu#1I{9=r>U?hbMSL$w5{Mkf}7^0*wZqkhaScc)0%#g_k<JH2fDUQs-CdYJ$i!o
zTU939@fox#ZD9|1KjgnQZoj-X$=9}zDFZ%U?Nvd7_vA*@AqxFBe>UDND2i@Rm2-fa
z9$a;w5@nBAasOdx00iCnX1P^I5m3mWBO}l5O0;nvub>h~U~)Km{K}U0{BQgmEHHi2
z|F>6=ZidS%=r{EeeOo}7lT(QFH$mA3>L)ML)z{$y!QVl6#7y+dzaL8C|Ki!Z{3z?p
zZ-=iUC-GF3q|30Qub-d#{rmS}_uZ(#Lpbr3mZVNdHh^#`gU(?~$SOIqJ|XG21;8k*
z29dY!4JhBlXgL3Z6jEhJniWB>?me>BfH)98r82HYJ_}WDco~#tYkSD@Y<{}u`*EYm
z_V$%xq_Ki?RmieUVrB}%EVg>-KlJAtq@Et+F<C6I^JL`s@%l)CcU#Q3%5}Xqmj`qR
zU4xl}C5v~EM_?R&1>j4=U04SuxYA8RvDJ70rUsxQwB|d`AfOER%?y=^lO1&qly2oY
z7rdvRjT}9b{8enBnN2)M-Yzg>7UZ^{bScXk!oHXP=vK#p4**d}zym0Xq5j(1gT`5M
zpM&0>t@Xz0f+XMF0^tsYof?QLnLSmVSy3TQoVd4OQ|2;uewkJ;zbx6o1_z!4=ZSU%
zz0Z-8df9eyBQg^B2R_+HkM#uH?{G6JT4Qraz({gTsjs9jF{sQ}AQO9+W*msm1vhZO
zj|%e82^>}KR#}1gJdO%aLZ;yadSk<PwuT(_pAd)pa?w5;0G5NUE<g49@bGZzbh@tW
zX4Z2MU>UnMTNVeBwY&#Qg!4_2c{;2WM=2?;D^^8rA)bO$d^VplMofuEwob!wKFr%y
z|ChgTuem+29zgg1)fTvCMN=50TSK`hbNMY|+S;7-XA10Athtn#B+{b+lGr13mZr`H
zdfvElZ<l-!1#)I$Y5dGYuTfdBYFw_y5-@mdo!-9k(j8gy`VLWWWjPpcJlE691RE;<
zMQHq}6sKA+^0LnVy~#-iNj(MllDpB_e5Oj~58bE#UY=_`KhrRfK9@j>C+Wx8Wn`od
z<J~7UWPD3crqd^#;DqJ#kL+{SrG+VYFndO+9`N1fY8O22ksvQ4xWcecv2U2^IN-~V
z>^Z{-Tw-AtUz<%R3)^p%JkkciMmo#eSbHCJN{^WaA*T+Qxr#YHbOS5vw`o=hePzI8
zPMr}Q{6l4)$qYrJWq|;WxX*c;=Aw_Oub-vHEiJM#U*&z}{eRoy=!K~uAtLWKHL?E9
zMbRIOv_#!nUzS@VR++T**2TCx=^Ijw6zId&C8Wyvy&cbien)32=S0kTDVE-GR&~sa
zk5VBXM<}OT*GAKeqw6!W#4mOIza=dJ@{*_z$jQvq$A3N46=n&I^K}2)LHt2XMc4qz
zB>VChM+5!f3Jr?}NoR3b4W~`y^&``RnWXJ~_DYXa^G{XiRWTgig7-yn9K^W_nF&t|
zQR2Nd$M4!s367oZ3nNuib6SB6!OLj~IqjUXUHcxXry+b8VFtAb+W6q#b{8!bAX$>|
zqw%{>X|;f$k}f6Ts(>y3<rN}ZR$U!eXF#6T)2Y23*AJc8^8>VL_S{Hc`mk2TD1Bv6
zC4tbI-<C+za^E)?ym=_5%ry%m9vEt8R`o$6UxS$9U?jTin?jZ#w6go9)Y)R47UDfo
zoX^Zp#$<uir8)Eq)+z(Xr-ygrIr1nh=udJmdPJ0&nHsHL5^7bBf!|QnyP^fWr|9k#
zfz?8>O8G9UeJbkU9|v5W^#nD~=Rka(&c<iS3gpbI!qK4S;bGHdfGA+Vyo;~95hyM-
zKSKwwPDbTURiJcv)i$KlWn#l-s=+?CSGB@B;lVyd;F*UoMfb2Mn)X6sSj_n=QufNl
zj7haX>kYs~dmWqZfdM;1Lqmj-Q4++DK@yrm0NJzM8+N_X;^A2_Fb%YvM8E(|lF7`8
zg+_fgGXTLD&?q+SLE1@Gbmqt387MMIax|(i!s$|+E5_|7*L%Ej+B}F_^*=yHXB$Kh
znflF%yZ>l90SQ-FwR!tV)!r^17`K0M&%049=gy1abMFnElL;!-NQVIx7`VW0b>29*
zP|ae{KwV%R2twp`6uy#2erFMkl6zp8=0oiXbA0q3Nk}X~p6y=)y{sc9U&i$tt+m{?
zYIQ`x!mJ{^1^5xQY*;Gv0~7VljtJ=0+O#EplF(oVV5ogY#`Rs~EPwv%n;RgMC5fXq
zj+4g40^&lUl{EXbDS0&(F%k^_>6)DQogK=ZRZK_!H#MsbfD<=nNVcv+V^Ipu+0^xv
z1^-4MgYCgqjYZ0|f>2FSDi9)wM9Ht`Nck*TXCa)}eSVxU%C0r8YiU0HoR{CE$}N-a
z^Yl!w?61(O(e?%#8?}V-mR;*cVg5_;b$7riWu>Qc5)<4+;v6n#u^upF0stC^@6^RI
zAkS19NOGyQOZAz+C}A`cJb<UX>{+RibJgdS)m82m*uOWl>;61`J4<LNHHTwXohzaE
z3eX;aj_;1FwEsY>re|W`&in`_$(v0WIP*o4oXuR!jEsz&SVNv2;W)E7O$C7p66je9
zrOYS(;EyWbkjE{Vy~So}S9FqohffOi6<5b@LV}czjjuc!`jz%OFKpK2xDobSf`m9e
zv<LD0RCZ??Fh{2il-ucK2{}czR99E4`}tKn88L}7!73U!{1+d~9g;p*WK2J^y|JKK
zPGytx?Uo-HXrqt<hQgo$6-Da)TiDOf|8}=MzOnnccB?_b3+{8rWah4aGG0vvp?VLd
zq7u77K$L<L*@69mCyR&=QC)Jtb%|c#*JFbU`#3haT*CY1h=6V$HGy<Hu6D?k2$q!o
z+_5K4Fa80<_x?_K;LNt%4SC3$#`cgwb+W=m#8q0=`e}gbOU8XfHLyE_0Vb~4L4D!q
zS>2eyz<uUc{P)ZR(^5Onf(6UZe*^p<tT-Nt+AFh2?XK?F`Nng6D&su@=+i@obTx;1
zZJU}OLf&zJ!m-S`|I1E*w*;^?+WZi!!0ulM8m(L?3L<*7Ho9uc7X{*CasL|rephMk
z9dbskOXF-{>3rrl=yHx1>~T8SM{=9LXpo9K5aY{;6KpmGEOQn@Q}nr9lXBk#rOQQf
zAzrU)#JTiOCzNWOI5g9fpFR#<zzlbsp}DfMX?ZaU#o7iTOTg?mTQh%+#pvMYTqEJC
z`yK2umR)Up)|)@00v&-+ZB6NFF8!GQ&c=x3$j0z09O;{k3u=yFm9%NO4cwK+ku=&(
zFPX{q6z0N?@m{0KB*1*PUXcA|UM|lekl*+@O?It3rH|M~U0HgUk~5d7mN4r8##h;c
zATlwT-)r~hwCbQQueXbf%l9?z5^Pg3Ky&sn$(n;mjF&v*605MIy&5Uf$OcuD`7Mx^
zo5TSOpU+;!`9@a;siNpM$GQ1Hd1nj&+sgWH)*qXJ690Jp<wv=f|MM572hW>l*L(UJ
zR;H2!3JVK6X-$RB^%?AG^HFFI<Ex<j=}43u@fYQbJ$*FBsoPxp7>B%Uu4^>F{LB7z
zQrh~1+7{wcr|${(wF{m1a{`=ed-iX=J8}l=EmT4zkc~iaxP)&HoOjo-s#gtoTJpAT
zkyp`3Z&g{L3u>7aTgc~v5hcXu<9lVsa4rM-ak(j`;tM2!WJx0boU!@pH7fNk(OlcY
z@>YU<*xc#aD&GTf7F!^)E_&()u;C^26alO4kJ~;VyKBz2!}6mlGa^;W{R`+b5+<Ok
zc8?|C3yg|CxLN<0#Q5OtO~);ASPsS{>Ic5vJ`CF<7QOhRYZk~xt%g+;M3Z&|o#qVY
z_gn^mjbl4%E1{ggobCix%S-aN_6R5jq;X%p22sKVn-aKTo+jY#x$0~jgE=eU4a(Pz
zJftoSu*RZ<9Q-=5W?kDhcWJ&|q70Yb)0!gHP&88LGIDQ&)7!aqr7plO?C1@>EH6Wi
zW&7-L9Rc^&EtDL#=!EjaUNQ6_I0V0-R)_BI`#eXk<R-m85#xfV#^bw<G)H<f$pNf#
zSQEmq&twW_8>r-BZFRz-C(!lP6nr?+X+hVAxVxA*JsFjVz(?lmiFz+x2sHnS>4!80
z|A$GjxJ_~Wi3#8Sn4Zi>@bd_HDsEtNEyhOqo@uN&jJnp*+68ush>nA?CFZ3&-V@`+
zJJu2*(D(BW6Fo1G>!&`GJBTYVT1^hGxEbJC9b28BPmrITC~0IT#8zo7$&9Q;4hctu
z>t0<0HtoyGcT=xE_!#Q!T&oKex?&h}culMkkyi)u{1<4(iCCUg<ODK_3hRAMN{bMI
zTfxMM0vC5v7!v^*{LPm<6jX<dw5vK!Y06pztB$hA#OPO=YkS0K4c*Wt&gTvS%BR$z
z=HY{^h>y)sWijlcy$l*$5okNa50Wdc=mGj7GuG{jchPYO^kKYc1&9yLKebl#@zVRR
zLGWX@9LR!JE%VxpzE4S)YxX_x5VO9jKBG}ASp00!`FrV%`PyDo$JLEmAd7xHQ2*MA
z)p-M5U=AM~3GZu@b*VDmRQrUwX(kx3t~oK-GlJ1z-TOr_zt%RgdPzjc>?*Lh3#FyY
z^SQR35VN6=Y4+6kRW>k^W=!jD%3)z+6UnZDgL1~k705-2Jv}zrGSY^#9ze|!16tMm
zyPg<Ow~(ac><pd6O0^Ai9WyeskYB=AkfgSZB0vO<^>PhVdoN&@f#yP8)@G;^NkXAe
zUhAV_9N1AZVByP1>UY6Y;F4XswZ>HUv!Mx~O!v}wfg<rM50D4WWvHkeTS3Iy?H@OH
zDP~y|T%}PQ-qhCrU@u!)*nA`;mv(r-@#*A&P>Eaof*;&R-*Auyv^qk<Le{a=s$M;1
z;puLNPu8$|7nm5G9!~B35M#5Wr{IX74{g+p5^|U<Yq*}hV(w-P`VH{?(J7Wm|6TkX
z$`#fo?%OBRs-rnqhKy`6W|eD_>bpglpLfp3<K=L*(*@xE-gCPMnc&0>7bw%yCF#8M
z^z`Y}7;wND7Xi_ZCU5NN10lH8^y@d<_#SpQDO1O0wqD*D_r0Y7gx%`Z@<Tvmxc}=d
zaGO1Lx)}`Yr&iGy>cahOKdf9P9ZMXJb<jak8DUOn=1_N2^Xzr&97&9#vn+b0;bZfP
zoP4QBZPDx;+OR%@Lolo17OOn(xo+Fr#VEKEf<De5ou{z}5|`51o&_xyru_h$O+z%5
zriVO#FPnUt_Z~5)(dNS3y~CbIVG!-q0FOxY2Pd>Tph3!0Y;V-9;ui+6I3*nVuQF&)
zb1SbDDkWb9+?w(GhufRg7;f8*$8UKYJv{C8Z9ipXnS7XzAIlx2I}cQ(z?dbA`wQ;3
zA6Zj?n_)+UTBI`fkK-JD;Puu;*qhWsrw5+Tjz0j(j%&ZrIRs<nx#lCRCMIwtNGVH~
zlWfMegORG)vM4KX%0=m6l;vkeTU)SVGbJo4GIy^x*Z-J`8wJ_!{3c%tkI#XqMM=Pm
zR#pMJ8j1j!mE*E<>HwDL;lLf##-rrXQ45(aZB`C!3fP#S;7uUasvue&tU2*&TCGaQ
z6m<&tTdz(gj5AW7YhOhtBSs{eS{*53$6)R~H~SxTGMt1K2HkCa`+K3yd{XEOENl^>
zsLx;VmpxUn*Hu?vCs8SVWOHrKOJ}6nK|v+E_9KS&Y>-zcrS@I!9LV&U9UtLc=7`-*
z$^tC?vlMgt&+?mJ>XKzdg5YqoeV+J6>)!FMdO7a7r=Oc;7r*HLRg+{r(tKQe$Q$PB
z!O6#c3K6>cKKU|hta7iu*6^apPA16!gfRVuZe5vUw-tS64yUBX4|J`fYb*hoMFkt8
zPEV>F*QQfgG=v#Nb>8dO4?o4NarwGxnleIu<?D?JkP;wTjHe|^q1MY$S2Z4DDuWPm
zDH}iytr@GS{7;l!-p>UgjAvA{80%ddQny5GEbd?ooLvK_mQ{9LmU$hCm>-q&Q8_a)
zO+NTaYKA|sS|PBjRV^Hipf6}1FIyF;inLrMs1|Xa5BPHW!kOv4pATbRe?9mrz~t9o
z$tzpDqMq4XCte1ma5M6pqBI43)fibkBPuOzUj*Qx7Vyv?S;m3uS15T`eC`Mf0ncb8
z;XK&%RFw|>5qvUb`F@}={gQhEIIKVk#}Ddu)|>x$#DV<%Q@3l&RJ{C?Xs}h|5=Azo
z)rc?d3W<Rr9pPo>Hmt5hB}lLXU1oW)vH3)}dOiZ`Jlm2(MCWQudu(X^`SCg&Wz4Nj
z-JH;Nzsr&hfMI}L!&aTuu~K%W2{$F5|Kj?_k~ydYNiB4Ot}Atx2Q?dUOsnpX0WmeA
zpx5kQ^Q?|1!PWC;<2UY-pcDUb=1h0v_aqXWdh2i1wVf9f=L@PpP0Sq-^kQdcCjx~!
zfH+GVkj8*@{u1tCJ^;4fctO4DyJhxz33e`Kw$jpuj#V?>P`{Y30fj-3r}XA@u?~GO
za$RqQb@NF-%8f$4xZ6nVHL7z8@x<T!;-4Ic8O{1{f9pRWbr<W|=Q9$H{pMznMBW{U
z00AT=E@6FvJ)q@a1aDu>%wTykh;RS_8izL$ZwtIb3f1{H6&RF#DWcSF%!?*TIF(XB
z5#Wt*aVZv9n4gz`9M*G5z?|}1MxMw9E&vE51EG|W_6nKVa%Fzr8!h5N+DK=mF)%Wv
z74&$in1J=^Y$v}qPDo(;`-%USY*W4e#-V$ke(~qz0h*E&mYcc4OW*2)u^>47{LiWN
zn-Y-Tdk7#hHh*;CY4fX46R;by2i&`V7q;7fs{IoP4IPfaO(<d2vHTd_`J0eNAA~1)
z)w=YiZ7@$nj@|g_3oiO~^PqdjS;%mSN~A?|&C%=zjVg;O#s_bd%I=Q=(UhR7{R^0b
z_44`{j~&Hay#KB*15Vvlz#|#KHr}Tar@m(HMigpg6RLBu`7)E|NF1+2CkQ2n_v#Iq
z1W$bAP=MF1|CoOWAqQDvayR_|VZ1>CIU4d0j5K?C|1<&@(FKpNSX~f-OCp^WC_W2r
zSLfPqK<J{V*w<5qWxfYNqV%KbXFYn&v30T4hl86dCWl4p*5_XPte=9a`bRczxF1k*
z2Z6$eW;Y~w|2e3X_Q#xYooMw2W9wFxC`y`6z5o$T_iQh$be1&p{~5A7JOk*u?2fVf
ze~qV5ff$6<sFB5p+u~b}kG}VG7Z-5|4?BU#W1>!zl0jP`z|^4T6dd1|pYKgL?zT54
z6fl~*TDJO(AVU4HZh4X63>!l5>Na>D=LMu}wzf^0eM2G}!&(7X+~GW?Y+$n%V(@MC
zmD<iiE5U51*%3#3E458EYn7^6mmyA9OxG+<dQ@d%OWZofU!2;~f1!LkGVImr#9`P*
zXfgVCfMGQR0_jA#vCH{vtWBm>YEpW2c0pbedllGJOj&+Qm;ZNBObzH~Y<6WakwHoa
zf&_&<EHd_9XXfR-?BRJt7($Oi!CZ`*y{*C^VcwzG)7FPtXcuVER!y}vkYsb_pwqn#
zbpEW<YL$=-&uSJqQo$y0B?4}#y$30V*6p7X{E1z@ws>#msVXaiS8Eg0Tg9awiawhw
z54WZjA^_`VecZU0sy#2Vi?_8|IqA3X8w&S94qnj56nqv~ZaZ4I-1fZ0uHwNm<mm;5
zD{O(4BTJl}fk65=d9tHqJZ}Wjl~&7FB$IY`hO+xrPGoN)NQa{47!$xKp^?qdLhmgs
z5S|)Nwqu>j1w@NB;=y@Kn$}w`8v5uX+Sb*6z>7oA%n7Uzc;NP4Rt;WpZzMFxZckc}
zTAdRQ;~}av0C!no&l#?mqySveD<JSYeT;mdZid2K{GGbQKIyH19{mCZIvy49K=f!!
zvp+XfVDlmv-Kfs!uEl!mOCA^C`R!Z79v%}8IvGFB;ir@$e+Db7Z+K3B>k2^+%yEzH
zmZ3-0<&{7N3E1e(*9YF$5NlBHgic+W2Y%SW>IV^PNt4G0d?kx<^(m}Q1MYrUGF%|v
zO`ur#&Um7JN|F~L1+vOw+tk8dKyEEs=J7iO2RXpH=OxLwhZch2f^)2t<)#!?QB;u`
z$zq>YT&{`t{iGEA>K?X2*silHp|-T(ET`gO7~ieY9~%pGF8i86g_q<#?2~QIbLGgs
zAughPTv&a^uRU)$_}4+UK6M`c-~lJhM5dBGB>9L;11*xYP5~2yK5Gbz$57a#y~?ef
zIDE&%yoIGiF2ScW1_H(3BglCOVS_8bU;2&zrK#bfk4fJjbBBQ$i(a1WU}n4hJgDCI
zjoBM>_=SO~$~(d=*v=Xb8=U6`=cNV-IxT^cQ;4}0^y6D}28(a5>VY)VTvjGn3@5A%
zG&kV;sCc`fIx`%Nv!^}dPJLIO;TqN4Z1u@{pB7!tiRVWSH{d|<ebU{hQ-b@L7DQMC
zi^n%l#Q63sjdG0|nht`&0XM))<pajv(eXjg3j$Yk<k96!^@m%Yzmi0IFuiX!5h~fx
z=+z$eLqOp!0}#lA_JxirDB{RNMdd|`vr~$TcJ2Y2o;*P)*2pLuoRksDcX?ktk0=KL
zROnZ=jMbRq2#G@>LEAB9CjIw#&>qX9<Go-E!(Y^yRo2K*T_c6T(_kW@z@);J3v|4I
zNXtFHvmM>(hsff1s#Dw<tvzC{ea-5Zu9MJfei-_~m_mi$lID11cLc$A-Rtfl7ULz8
z7ujxRew99BQ5+bvkdKd+x^MYjo@mOomV$QUj8oh+45af3eR+gaTu%61!)~t8L{4jk
z0mvh7e-#fDJa_&4{5()Zmfb@ZL;&0L@^HfLSfCmvj_eLW&niGV5fGC>$I2|4eK+#p
z5&p9?Go|&3%5oB8wvD%;`BdHNv-^pyhhW)BK)1w&8o7NP+OBgc`i+4$$6NyY`5lbx
z&GfQfMFG8yIG7+=p3a{1pxlZJRCs`_pi``Ze)c!M-ffm^!2&D(Vea+>I!3el4`*Ti
z9HW)s-~_TC@ZYp|{zDr8l~cd-oxURe+ll?i=5JXFgiJt1*}9HRMz%A>j-2SNIViu_
z&z@RqVgc6dBPhS|?`*3&5Qvk8E6jFs2xtgBO4F;qtT|FtaODI7%GCl9S=>_ijrnTu
z;`KU_%YV4(e=Kr<*KMGWfvWnW8~}@ble`OZgV9e@OHfGVZ$U3O&6~SgLEAg9>8+r)
zVS7aW+RyH%Rq#RP;`|pcCVuq+5m13b($-c9q;gkWJ1>vcUCc3u-<>>7gu(v7qVxVk
z@O`Fynq_gOk#XfRB|pNvR2JBv%gvYCx!Xu}enYJ<dVpLkoin?&0@Yxn1ip-@ib941
zu|#gP>_56Qn?PJ!NIrAhI5BZvGNI0ks8L$5^HFM<Iv!9wJh=)|{j<&wX_f+DBGejJ
z{G+m#T4*by%U*ANrj2sXGJeqW1OM=YI?Rb&kd4@_?9|{(hn@#7M_}N%+iPyoG;nUV
znvq4#LqiWDqLPaD1T`-qs?4=dD@R6VnSh|o5(!Vyt)S+7{SHh%Gp>;Uy)ebZdG0D;
z%qRownx9!S7!jaMezRoHj+h_DlMg<t0!19G(-f&Aj-HiT#|_Z7G}}N3wp09y+{;7U
z;)M_+4h%271SrNAAhN85Nd+K#RSYT(P!T=*KxBPxrtni;Evf#bL|ZGBdlCk~(_j8m
z?X6Y9O$F+@($EOrMcdog^T3>l8ostK)kO48c0gnAxLI^cP85IL+A?=rxDu+?9DYxN
z2s5c&$(_ZXLOLL3mitRX_ETC9MJ90|G`z}xfP>M@IR(}1IT@mm1ZpR-B*E(SI`o)@
zZT!7$AuQ^xyryvOHg`Og)GrT!p|!cPmQA(KR+PeHtO(Pq_JV<1(NazXdk#eE`A$DM
zOO2Z#4^VLo{ZC&2dIAaev+cY6fjhZt#LA|<dbm}s4GY=P(Crn4*a$!zd6hMqRusf1
z;mwt^0-P!QW!9+m>M)S;O{(_d)vrr5_17`Njg*Xc7dt4hb&H|-SB|qD=CBrJ15xuD
zg0)-2h?Fc79s@^VA4(zF>FX-U>@xrpF##+HVrsb5h*j}?Fjsyqw5-pPUA1vR(eaS@
zG!zXp^yMB3Q9{0Vdt}$((yh_5a_ktFP!E>#vWWpsUL>gW;0!Aw^s%w8{Hf!luU!m1
zj<+!PFPmSN9!xsK8te(;okIc)Q1s;J8%5@B!zu%)D$kCMCZpp0oEKuKqXDPi7$&%_
z?zGn=b07Dpf5Wgfy9tn@_Mht>8`sk>x&!M!MSecyS#vG%O*%&qSP#sNlbVTJ`dh;A
zYE(r=aI-V3aMnI0sKh*;t)(S42l}9S5c7%3XyhO1vLN`a$0zQZxAcnLDmrVxBsB9o
zo`xEuZ}ZLkt&)yPh~u|hHM5N8DoiT{D~FG6bWtf@0_p|#rE~0{Au<;&3)&BpPoI)L
zyZh-@MS}xYB5;*C%bh$FpS6X%4ur1?A+LNrkw=ExlclU0nxG8Y#m-{y)8Fk3z*R*+
z;XOkSf7#xg7x9^^kh3wbkr(kTRi0r%khFv@gycMOtwB(m6$RP4xKvmtUb_lT$(*?4
zOHu9PlTAK!EuDP!6(5@MiX-A+(W!b1HwBQ>lY_1(Jn(}7mZB3A_$%UL?T=dx9^WSS
z)>@yt`sE--@I7Ngy|G&q8gXldjo}hrzPp#{RvBp$Ft*{5QG(PnK8I@<V8wF^_C=<0
z_UjZVp8Zko8wZQ*fhw=C6lVvAvenndrPj};r>5Q|_-1QgN#e^jrj9Q0K$}ICxf^AG
zU?n&(E#P8S+BKfwX!6EfyFPKR!~v%gUjRBQ>^R?5%s~RdrHaD(olC7cGLlPO9Cp)T
z0T$=-sDS{F#<oWEddyjZcvHr8O1HG}PJlr{3Z)~0(bJO@+7QN}zQ5Ekdt$_I0gtGD
z$3Yjt3FuDUhfJz63bwvFi5yHk>7z(0fF>Dl$O%0u<D?hQ6VcKYwo_45ju(QXThI5P
zZ?v1kOShjbb~4=)pNlwB@y60kD!;4V`tYV&ISPoSK1XV|LV~NdA2_^P#g=EtHEY+k
zhst;AtpQM!k<xp^b$9z3gn}XCr3AbTD=&1*@hkw>YndGp2J%lp+GZ9Aev0?@uHMj3
zKMgqPAAkZW-ulEp7sw-WTN}c1!DD%2R75BTzo!z(NYYpMp!?V4M`h;rD?Hs?%gzSW
zxfx?4=EbVokFMP#S(ZVnm27JyTX}t%G_tbfg3AjtX4=u$KS57P(*89S)U=XGZoU&e
z?OGbIIpJJ>A|}AVGIrGZ%z5NJfX1*~J@|I+OT$eC#iOfSWyz#<@||Z|CC}@vYfnUd
z4oCBg1KDB@hXiar{@Hc~+p{^q;e$Ul4FQ8#wpY|9C<GNeu<!BnqLUv!mjtB*T^l8o
z74RB-a&R|FZ-o~Q&`pr8`ZwidVof45gH#=jV%`N19SNY=0bhaiB}-+Cc2GCP`r{ma
znQJ$fUl)s;)X5n^L#X^xaI+7an&@hr$7+(UK?%69cc6DZ@_o}>h<~*~Hq9&>DUR#n
z2$>@NBENp82__c4I1Jlb6xL^Lo3x)K;y$A8V3fn{1BXiY$0&|Lspi%k0WmBmSgNwE
zE%zgxx~c3j2764GOv9(|gbmw%R8?J#6Yb|ej`;HNGkUN-qp$DRRP!fnPFw%_WQ0JP
zv5K!4Qsj-TbNz#Y*uASyTR9MsecT^Ep=Il>vs@&7;RE{8FKe#eWiH~BGb~#~{)kIB
z1ao@%u-%yYQK@I6KK<yWIj)gmf9RY3%((g)NG%kt{sC}5@FZ%0)Xe3{sH8t>54$EK
z>D9a?0i)i2pPmI$MRPo}=#erA&J`f4gOcN|Bm!AA^=dv~1L76+wa+1DR0rL4OyaWu
z2sgn%*#uLz%%{SloaMc8%SaCLjOQC@Zwa`HcCc{jm;%i#M=c6cG%0RmN)9kNWb=WV
z>O2(t#tW6CgmUhAA<SJe&>3zlCW(ygd0lNS#dqrh6BUNAxoj@|dO1P!N$OgV>S3(Y
z+pUKWr}~~T!(f6pIE)0(uxw$RPm$ARx7`mGR9%iV${lr9>P2>5TSRlCTg!jOcRUH{
zBoqd3DEWFe3R$nt?QQzSMH=%A;1EA&hh~H|27mc9PM&tXgS4BU9%`lm7!GbMA;8EB
z8s`2xsWJF$9^hv35a$YNwg<&nQHC&@k@Dgw>`cKG^W__oX&eZ9(>E!sav=R$ShG0b
z<y2p;F@g8A2ht)*s{}aV0*p8ON8gOJXP3Gf>B2&;Ytlt<0lcLeM;}9%r>1Fo{}Wiv
zKo)L&MvoVL`oII{CvW+P<vY60`q}yw)Em+Q3m;__`gQOeK<yvmbN(^NIlq7PQYQwa
zeMHf<^?Y%u1jWlno=@Bcd7)B=BcR$Jwa=Cj@FW9}C?>920rm#`fX+30(<B42x*^AV
zrNi?3RhC~cdksjBtKyh`Otd8>O~}9O(OouQs^~K<tG5#TT;7>ERI<IxQbyxA0@@vY
z=T4Oc*!H&?dEB^*Z_&*L^VEC8PQPDE(5`j`6XtG?rZ7w?T}x$HHlE6nKW%Prpg$QF
zFr!Ho^kD2u%Qx;0<6yKO?y(yRxR(<!2ruyxl%?)daY~p0qZU0b3HRhHfS8J2`qvL2
zgi2B`xcO6NmjUn2w}jB+riSe3mGNOvr`nz?bT?{i9_DT<#b!>tnqwMRgF<mBD=*Iv
z(QB`UIL2=%-qmRfZod7s!S!yT;Te-g>;EW;cd<~q3Vr*lp-bw`YE>`nAU^K*ys3X+
zvEfv?Q%o94PX7%Tqifr37a%tP^jM*bf&I6#UQra9R`nlY7IcXqTb~XJsra7_#D7VI
zxR#Xqc$3=myFq!40hN(#;C2l-iu)XM&@ZkxT9Rgm@iMr`f2sCdF4pVER;(v<@WIc7
z;RVGY&j(x*U0X(0{SU~40gPD=!JplDlEbMA&=iW_4!8>I;3mXkKX5*V0>M$=m&kWO
zjqO}}aJO}#6N^ba7!&bt@$aRb<?Y(UaOn&JqFY8_cki0)Hs8=~Ss!h)1ADBm1SW*g
zmxytnxJjl{6a_7gUZ3d8W%lUNO!D-G`X6s*#c@RMhs}1bi7(tE5=I@S66D&Q+={ho
z1<903S`y1E8r@fZ@Ql<4UUt>#%Alkw83gHl#X2$vp<B`tfaFx!nL~q{vrILLz#~C0
zs>7Zg32^aX0rU-cAJ`+td4+z6-e1jw|6X6*kn7|Ym{V2oe&?{LJMDs~U%(61q4(m@
zn5qD0Kjs9leYUqDF7acwD|bKrNH-1cygU98Oqm88^R4<Z9Cv&FtLVy_l~<U)l27r)
z?{{*hYdkAcQu|7}9UqRWWEI|bw;cHTe;|Rt`kh?j=?1jGpGp(GJre{?;6p<WCqWj2
zPto|E*M{Jp_10DsV*iRQzlO}J#U{AQ{Cfju+6?+_oC9bzM`2)046>R7o;32SYG5<v
zM48*p13$aU>Q-_{+(qUKz+YFM;%$-f@iv$yunFQgMF9+F;+p%ilZo?;IhdYFA&0!0
zSq6SJI4~!w|JMbqC+0VN-JRIHz#XI-cV8LNj=68xH)!eXGkt?tlG%Y}+Bkk7I^cay
z-|v!<2|}_&AS6p3bUqYTI{PdCAji-bQrdF&XfnV`l$EobNj8MjTDX_mt4Xu{{t1|*
z83g~NPSccN84XMrfZa^z*2{*6#0Hq$nj5rL11a0T*?mYuB6bQW0UZobWzZO;FAdFU
zNvY|@Nvvu9L`UDPQyX;2{qQ&bqZXig@my0z<fSN_KlMK^WQ8snxq3muXn5Uo!Zcc=
z<CIJPiI|dc|0Cx-M{b2Y1!4DqWdz6Mya;Ie+FQqmi(KYKcFmXn`LQ}!kCs-@O6QMu
z)VY9{L2vVOZZ#28HmOAZ!t<#6hVvkDP|%V8Gy>;SnVeOT%mC9{_^8?kJNsy_qWHg9
z`)dHxfKfL8qU`@acN3k9=;Q}9RN2}>fK9yonc_68#!hqc#=6iLFz&2o6C_Q%kbw|g
zjlo|4&+kz(^g%=UH1?VI&6^mH9>qLPwFcg$ukj!#pS`%~Y?ilh)t3zUj*`I?&BO{T
zRGt}Sx6@2oDaEWu(H?q!ZYrC9Yb@4SxBWsYK>BV%)+0B=12NfVaI-*^$XIFJ!nG7n
zYR>d(LPsvy`2Bf)nJ?79_0owB48vG`u|t~QRsh*SeJ8{n)NNa*oH)BEw`g_=FXn=K
zk%VOz?`vBsZ9V1#pVr}&pYeyQwj$@uzV7re3=KG4nho$Hs9L63lDDX86Dtq#GVvw2
zevvjoie$ppI75v$gmM18&E`H!-6JY?)%@VWFrW@?!3%eVCP2>g83%J;vlbKot5+A&
zt$*bRd&~`pk1hMPcGYcQB+bI%!Ohzvn1niD$T^+QDp?q$%KAusKVsTPh>jnoM7VNN
z%=fg13EsDzp*MPtc+K#*v1w}mS)(+`LG9xbSQip~UCPmK(HFD(=Ss-Yfz=G9TYimV
zx}QXPu*ULowOauxsK97)Z{TQV0qR-vks}SYM;t4U!ti5L9n7HExY42XR2sV-9VG$)
zzv#bTR9<l-BiL=O5W$c%A`lGcKEvjkie421?L?6}wMP=I`)##Wbx7(?)+1rY{lxUM
zF>{|n!X$JrxJ(8q*0m<^8JDNSm&2bk1{3^Y)$=?c9Qj$j_4kvDvv(4<GrzSfDNMgg
z#NhJlL{o-KdrmNYgYCtYtX;ZZKKT3)Oy~mjqhuY**TbatTb{WvW`HLAO|6()s!Pks
z_@2Q6m@aD6wI`D=%E|lZa|WgtOt7sjo^J2nQmN$gEFg~us7f;cp@0DLkKZs?kB!Q;
zV=Lk60P)?crtkzok1iqL^K(mrn+NAUnS7rkk=H(P4SbF?<R5efthb>ZCk$B6q)wc(
zF|I}TNU$S-M{Emg@d1NYu%nr&(@fItpaafHUOWNUlS9v9DQcBJNe=k6k9ZL;ndK)Y
zMLYdo)(7mKZ56l+vm6X?=5VSTSkNyir5S9F$u^t2egE}kBbA5m0(^IOMY#NZnR-YS
zMVwlN`+=BgH|ATsO$aa#rt}IJxoq(U@A89UW16M@*mW_tk6T&HX2`0`ii|8)sDlfQ
z3*P@^9i*&ykg5G=&@I*{zUh~oP|wmY6D>5Ro`Wc-%8sTpN^A9)qeX(SGa^d@0&I)_
z4{L884t4kc0Z)sBN<vyl$k^9JvPGg{kR`H?B_W2AHD*X@LADViS+Zu2EZMW~30cRI
zY}rP}GR7F5GrGU`-S__ee%JLp*Y(Ul_jT7a=X}oRocDPzuh;9%8<TjrU$Qp3q&^Se
znD0osb>2Js)EC`iXb*M|ing7+uo32>YHhkr<S*#lkv>_9?6#E5_H&7AbaZ*r%I=N<
zfd*RRm>-}GMNwPw>~X0SRy0d7wRbM7NIL1GfY#KO)8<bxIp=LISq$T;1vdEbeF=#l
zuH0C7SPMK93*V4X4081y@?{*)d@B!9@8O2$RolgOTdpbj%b|>My0rik<E-TWv1dUe
zUrGKLsk9;~$DM|7u2&uhc4_>k&nf1kP|Bp4Wd$<nCx;7e+>3mBoY}V3QZl#02K47j
zPX*X`3c@qcN8k9L68VP|-ric9lVtxmx5KgQ9H%YD%)vI%zQZy3?#{*rONt^`4X>yv
zK(eZ_u#a_dOGQC+RwnMW@<1Oxz4nsH=Mp`1>5(YsQI$_4?Ha&hbH1KkCAS~6GbZ0|
zw(L0+7=bJ$#~$01Z0-;g!xlBSzSfe&!gJ&bb(oiRw!EM*yuc$%IxS&cc<643!?KxE
z`GAYm$Gcq;3?`<XTT62A*`DdUGdV-uw%}XTIJWiN(b#zoscRO;9cJSIVv7C%UtPto
zgosv;w1b$&@w0%Wj`(73$RBICSe^pZR_irCUaY<INb1f?%K2W#y3EG+u(Rh#R#8Wr
z0!U_DCdz=xj>J8j$r@1P5ZzK9x*eCC(8hsqG5jE{xL<bx{tRXN?5^!WOgD-!hFK#|
z(?+DxVvJGLhgg$A3uAE89M>uscO+hMP68PX_<L~7(zyd#&wR3)7QFat>SKSX4>7Ld
z7`qg$j-s81l5azY>DLqHO`afq)@hfBx(lk3;-JgTU)jmHOXiFwr6pX3d|CO^8xE$R
z9ecJthyO5un-w$Hz~wl!w|E3F>wSjfmaZXwiOpdf7u4Zf?x&ge*-C&GkxHWkS@JQU
zR0ULz$J&mmueKN9t*4GapJdz(i#yDZSr<cWn(r`SBIzVQl0(e}Ekx%0HMlHK9Sl9q
z7<D4(m|*XO{-;WYl*rnt29HgvTUXw?MeZ|mt!Ngw+|K&Jdmo~_1Bo~V5Fz*g(1ra;
zb#Jqj(fKosBq$tgVqrF?lu_pz#UUuk;=)3XWksabGWN#qMD@l|L;(+)%9#P6h|g<R
z#f=XHpA?fI9#yohzcHRrudd}YVBOo(pWr!lq4v)7-0gYn{9x1kzHe&OjJi7`RQFl|
za16-s{aW~Mhp7b#Y!hgD21*c;Kqf#2D2N638);BMSneXG&UjAWHulRqMMt@56Ry~9
zamqV64AVr>hAJR&O<TtUTHAUH*iVzn=I|EGxwJRW{&u#cF)e9Bn98sV;#KjIJSk>P
zM?p9_5MDd=?%MM`6{B+iQvDF%Z`E-IK*-;f7df}2^E9lzKd18>XzG)Pu19)8qu0wU
z34pFM(=Jw16vK%CYKcr)0>AXjHYY4V=k#8n3AhlTQ!EEkqjI_K_U6vAokCw9A|I|#
zl#sSbo)>W!(BhdTJ3H@lO?6rjVKvJ;Xup+4wpga{c^t<@qvfss>N3d(3wuH@)DTD8
zkU&@zP8-uNG~@=nv89`mDDMJ4V`r7Mu`qqa8et{mhiGPA=!~xt2#&w$xr!U-X1IE~
zxnZeDSJ0vD`(s*a$KB*5K`wxFjhqp=jV((|1xQ5N@lRI(p2Yp^@}L7}_@vl^{$Tpo
zP8wGrt@|APeKtT91db6qMe{bw2|zKI3eO~WhoPe!X4THjEL<~~-D2{Sy9MY@O(NOh
zJ;+2ITlA^S54ycpWhKp>6+0taQu#|O1I;gBNjv`(eUf6OMqac6g4^&-y+el%Ejs%7
z`TZs@2*IpURGO(NQq4f@PGPlp12das)4TzGzv94`M8i|F&tpR8Z>3jnhwHsd9j+i*
zZ?zPgXEA0_9<8(&o%4H|&b%=0vatLld$rVP9VC7zfqx?`z@P@8PebH#HQ5=8-QFmz
zK_V{Q({nGdZKHyaVde6swJ9v+QKm5{a{HERpl|Y(R|nU`v`(^Z&GiMMoUa%S&Tg$O
zuxf1O&tIFcc&7+XMPuKzpuUnQi%9wiGO>Sw7K4sYzoi2tFA;y%hd_^+9eWrku-bwq
zzukWg_bBNVr()AN^y(5{;%Uc+JtH4nZxu1>eu@?Y@|kX-3_KKvzy~DIUdd$1txH|k
zM<!p|#OR%(EAr!fy@UFyAhF$=G9^f?*8}d?ng1HD{vc+;9wzJc%kr*?`|ER;PVYUP
znUAt&oWrt-(+0cZ8#?}Yiq2c9c+H1OuW+rbgtFs0k4;YzWYL4OIt!NuC|sBFAv)_j
zRlK*BXBgHa9OFhkvg9jgQ~bhO?^mz}lppV=$}S8@S9trGf-OLug65x3{Cf)B`ehUn
z;Et=th)}_!mw+|2rdq{k5f$gW8WsnMNb191I$%Qpoy)+2i+<Aolz#P#dDD^-huo3P
zk)nlqkxAN+WQW&f=eu(25f-l0sT3b|wm?<b_Lc4$;P0CP#Pb$va~gdE1^`w->gAtw
z0074{scE)R@vc;zqYmFRb*(0lC~M3aN_QNhe~42c!?PY1#46b3l|5+B1vT#Kj0Xok
zyMbPhZ_KY9#AGgGbrQ)LGcKH$&*ax^c&zq!7d$F%#fg?yPYB(0n=&X8P5)gk+p#w<
za~h}iC%IvsHt6n)>NZp4$QRS9DU<Kd*rNOvdC2LM^1Rou*CGyWJpQ3f^2$B6T&9O@
z`PX1;tB-6yiJ9<asHt_fWO{Lc^b^-#vj+ecNA#~JoEO@@N%yM@{Ef%|Ba$$42f~l9
z&5e*CEE(x03$2!_*VuTd&IcunJ48Nas=cE~&#%b<)j?F-=UMy=?eDv_tNU<$A*N&Q
zcD&7j7SKVnOKkaKy%AJJlIAXH|0R}%sMDuAnHAN>K_hVgA0Tbsamhr_0w_6B<>|mg
zO0u(sh6nEaO=kF}+U0-x47>P&C)bq4hine97y_ZO+PlY~43{@PD_u(57(16MlymiS
zM7;qcG&}qBlU6rKEXS4k)k{p_0$3o?XEtS3-z>j-jZ69wD?l(E2DbpvXBkud^;6D$
zK8i|uENmk#;n<cO{~;t~xybu2!eYnHV;4`KV&u{91mF}mw;228`sOv;5rE$&iA~_8
z+49OYF}B=TR{-acGD>7eof1AvCo%fI@jgi$>$bp;c1!Vttz%VNVwYVV`>O7UhPVv$
zF;FJS--m5!Ls!mAc#6l4%)XSKC}_FCUOI)=68#JpjYGkk#!SyDK3lJKJzcvqO;>An
z%0bDoK-V{8_YM{N9x}N@&e?PBDK!_xDx__ieXU8sGoMPGh7&t?I!fZD$oX6Dev)yL
z?a@NFOKZ$+ojgIIFe9e3=v54Chv|K5cNT~n8?zk6V_k|;MGF=d7p3@g5<0R#g@Y(4
zc~A21itzBF?eGBwo8F<?J8Gb_jP}O+mXsNFd_p8$jid`J>MenWZL-!n6f{G)@o?g{
z6ud(?4&Tn$)6?Fp{+)yxLZ9F=v0C{c&ceXheC;xlI2W_HBXA`Cr<hMHj0OY3!s%b9
z4w9pNaP>CWvHl-*!}o`NRdI|jcaS3}XjVWNmpT6s$o(FQVe4EeKz-@Jh4(NpUVJz0
z6?=3G8qlm2(>y;ynB@Ad`a$-b#umlsYkE7nCHB~viwmN56;Dd?DD7<8cV{lrhXlP{
ztg->g27tr9lh+*ya64a$WPw;sQRfbY%#3=?{r3}RIeouu`DhWO-4)Bk2B^+IK@xZH
zY{&GmWT*Et&!b;{*HAY4kh8_0HZe`#XJ+X+L72J*6A<kP34Cr5TUy1+0KFFRLCg-^
zzO{<BRkURdW9>Oap|UE{`1s8Pe;@fM_R}kPn>R9W{m-+3uF~IEua&zEVvnr^h~KXi
zW&R$>W%ru5uHLmoZn3?jtANw&3utbil>~?&YV!A{QaGj2fR7EBg-YG{T3Swc(F62m
zJttLnk8fBTfX5{vNgg24wEk2XxIc=w=%B0e=Xs>xh-E7p-M7uSv|sG|*2nd-CvrIA
zret?G&@*CsJc(*J@b%F_OzV<{kR-Nf!ur!97BsT>RRu62YcZ{7;WO1bnM#q84`8J-
zL0zHeic%Qj&tpT(>fW9Vd2s|>)8*S`){-gQd=~;*Pn6;aF#|=8alBo-X5lKeyuj9|
z0tG98ZxCaWLT^qy2gF&I&U-P-=b{cAIAFZQ_YZOGp3@)}eZn)k)&kRZPgC4@l?h`@
zgDF!HZe<-wvsID6>EI(?UvC{!cRE{HD0mQa&y;_$9n8*KiBS0N?l1I(w!%`GWpW(v
zz>C%o@(N1xfmmsIc*voU5Nrpt=(Bg}O7kDS7TVH@)ttjzvM&6#R00is0)R*`OKL{`
zeLy+&UTX#I^~Q4$HHyO}rKK`VYFkqG^yH44=AHT{s|qwCe6v6a1n{rwve>zXu-mn_
zycp}9jJe|ZBuu&v*$;6cR(i;~pfH&%RuSKA!?NJxn|QIg;Z*{N0A8YWZsf}ikRuSE
zoV*xYEqzj~oL$GS0ns}Lb=afY+gtlCD~r$3c+GvzYq9Kk_Jkzbr;U(|=hz~d-F{>D
z%?f_GO&2$ppPjR$tw|ecLk<@+o2GIGlj!G9z~^_uMa|@WHgdeF{ur@l7qz<N;)mO7
z{q6yLTaY|X)vTgyVE%48rzZ!Fc9y5OWO8B2K3mk2*3ARXkz99Z658S~4&HdK%N%n|
z=c#?5`Zrrd3H!5q((hO2nI9*zeVIN6v8h8Ii~gu=SE#u4ZOLBzw6IdiuIz$j;Q=Kh
zPm+ogi}n4H6BEuG)j$XFBTajBkBjwg!1r7GjNPWj8u($3iyu7%nY7dE>t9AZsSyIi
zgmOlu7w`?virG7-qE8AH;0ur=O40~`3v8vo*{p6m!(h0o=*GXi>ji9AOYTf<DxM)T
zB9xw$DgwMZXcNX8&;%sv-he<z`k^tgQ)c|_dq(q5_ql{Rg#S4hA04BZFnt*Ej=%j$
zi}Po5#ni4GZ0Cr)rR+3ibvd%&l(a!S2v1!N?p2h906h}}SmzVit004<_rF#^BV^dq
zkaqy))*PDdyVk9~G(A=zP563^@%q3mY8PMLT&Fl>=(yzgk-S8gyI-)eqjz)m+Ta?m
zL&Q6&o}vupNvnjcdc`|g18yukX4XpMmX%nd_95RPVonDiN85l@R8(Q9Dg8EMph*pA
zM`&r1=^#F*rg;ts=v8hL+PlLgnqDRQf@9RVkYAH<YZsUREUS>A>Oiaxbpn*Ngp;eg
z3gs=^HRoJp_@qT|Jj2+4(r^6m``j9*;-9Uv<-UrBF=5erKvpWzjiS6hJX+NR*l<Zy
zf>{U1Z-<G}LP*qX<^T&2>&bi|R=%hi%6uY*PbTbF<YwwGy%j9zRHiqn`)DXeRR=nf
zo#<L>s+3Ps%a}jmqNWT4IrRDfSE|${kpuJ@4Y&GqTUdk)64h}4Bxoy27jy0TvFm@$
zx6HC95EC{gucV*hz@~AM9?A+4JnUv=c{~5+FQ662FGz)d80-RGsLC^UkjQCcqB>6>
zf2YmQUpfkv0b=CKbaS+?(p*#c-7`xq-1FN8uTVi$c^8zhQGV<8ZS0G&b`Hb&LM-sm
zknNFYVSGA@@jxu@qTxlX0sk2WPC#jh0tNlQ0MUCj6>5u7z|?V>(Zhp=Y`IBB7T%4O
zK+|xBik{s!)r#SxQYRg#SaB-d7&ky=v@Zx<phiAs;-q|9T<7lWjYn=%yFQDzfY@{&
z>scxcA@Ar($`!UVJ3rNxG!BN|%lOb^j$TqT0XcgW?Y@c+`dpJ#XmLABK$c4lyeQ|>
z(%~nts(Z%8eXdzXvXF*96U^VXCuCmzXFMf^w~}4X7U8FOGaX)M<_%gBS|XIm^UqPD
z7u+7dYhyVEQ0W!1wyf~-D+7io{;O^%hts>R$iUa4Uk&1wtb20xd+#lSYQLz`&pT4Q
z{=WZRz{+l6gsy)>dLm$+HL%w}n#bVl?DGJtG6v3T==kWqpKZSi@7Ew!>Tmd6aawpD
zhQ?-I@gtknK)!>T_+JP(YN;$ISseQf^C?F7t*t|O6j0BmV?9{z{}uFdsI1r?HV?>k
zEgq=kRB0Lxu3+&2X~MzhoBQ}7oBx^%KR}+$YtlghX67a_?nt}Y=1<z^R`G4cIRR=$
zCrjwS^o|_RfwTaTOQ{Ob2UG`Wr+0TtP?_+1ZRrL5EenIPSV8BPl+%><bc&_!L{gmL
zUaghpW%*m&>ujCf1WdK{6W9PB&xL&~KtT7KM%U-?(`U|rPGx9s05wW)&wUJ%>e6R;
zu=2KQKtZ7;^EPm)fvq?OYPwYeIO`o!y})W$_2^y0B0wVBJAKI8%TH@l`A@AKxEdHJ
zddF?wJJA$F|4du+cutdY|K7lmiL}8ys;KyK@A|~^49Ian=)BYoz-@<UJ3fEE2{Iz<
z$KKSAecSY<GS~?-jwxILtw4!AFaj_-Adq|h|KSL1^*o-us`JS0j%&l6NRC^^le(DS
zr{$mGWU<!MR|he&zss8MnLsIVk0|h4x?x|h%`C$~O!<h9{nxd0ZueW?jsps+@58@!
z*^>hPPGa*N;a)w6k^bDFYh(+kQ%g5mbuV6V6|`WaPKlLT-rUPvUYfMBnR$t;2KPGs
zaNpKDnPYo6P-@-huc3!uhG26Z@(YaEP?5O*6jn3i7cF}f7n?X?4t*Pn|KmaaCrpzX
zR}Cb9q>E9<eZ-#j0Ys46fcQ6k;*y%UEND2<&0PMQ7@Y)?;eRnQ%t1s+o%PKF;J<%@
zH>s0xf{bPwu4dGeJ4S_~)fV<8MHF?#*%_9U3=Z6;+@T&zqb|$Hn=I71=Q6>i{qG&b
z%xj{umTxOS;Qaxz4;PoCQx*p9+FMK)Y&3%O+n>kc4;BL(SP%W$s_Ym(6<CI!?OaX8
zfA4;w?;Wwr*wKpRm;J54ZS4e{l~cLQZ1Cz5)DzNpsDkBQ&#7!iyadPUtljW-C(3ik
zm9)z-lz5oEYqX44Kf^=a*&;5Mt*@d4a+BV?goA-MUQcY{*xrm>v*tmRmIpeu?QLg&
zv%^p!OZ<p8Q1SEZtRmvuvwQ%Rw-e`5gS^}I1(lhiq89i{G{kL{{?x5}%Wg)&Tlg7@
zLyZn7yT4C;jm+)7+M|ndDpUFW4DukgPYISKu77H0>z&?<TMDV1Ra+4wYK9)HoB$Z_
z&dxRsP)PWB!^mUvm(@ei+4!v47V?^NL#p2&jebT;mrHER_TK=@^;&9F4Zd;YNbEZx
zI`Vb$HSx$`VaVfz2Fc>Di$EX{pd%j|`Pp6JagRRAA18oa1US@c`)UtSqRzK<Af-pS
zvcUWBN`bF)hS>9V3()1$&BuMVBM?1M4a!`PK$yKmj2MwF&2iu2U0tUt?e$8lAd7Np
zbV`H^89fla)1;D$58u5^cD4+bmpz}#;kzmAt7z7!DkO8WT*)Z&`kc*=rRGiP;mH$n
z>B`2SLPk^C$3gT>1ldpXt%uC{Kmi$0pK{IzVt_t-^-;bs4moEkfj9uDuh*#uMv7v;
zy=W1)bc=Cv95ye{)s4;r+#!FBcAx_Dx_Ow53PgLlzomBHMe)l~Km!bv@N>{qW##OI
zyNpm7^POOCAnIoy-)8_i?XA((XTlH92D-OS2c;wl7$w;)<Rz@mKLNJ5x+!L^=2wqu
zk`WLvb~jVZMbSU0UHsn0_=SM<w3=5!{JQ;Ku}Z{9Y%Po<EXjNd`|~mjTU}b1%LFBe
zgHuGVL~Cqg5b3szxE|2DLWH$X+uM;_9(CC~25{r6Cu;8mikJ;r1Frl{H+})oyyn9f
zPKmj;hMJr>Kz~k~o5NXM&Lm~78{p4fv;<wFo-~huB)b7`?H!Rcu}M)8>=Ds@jOyl4
zQ5sL^RsqkYs`5$9F+D*}xLQ58(ywd}aqkKHD<Orpt^Tle?<c~3aw*XLpWUv?>c)(E
zZj^)Ch_;jFm87?Wp#jYoILQ_>rui5-Y~}rlw3VgPaW%f*-g+b^Y8=GG5+BMZg%k<!
zVHfv0;Fhrh+(&1SW#K-6Y`m1)9RYmwx#3_=HGp$?f6}}p*GD7z5vfEBpef_3p5iQ$
z&H1qg{<5HkS5Q9h@WqmlEQ=2eU<NhY=gL~38_#N8VkIbZo$g57(Jx#M3aQKS6+eCS
z`!*zdzV=S((YT&>k(}a<bp==7S@vXi(Kpte7a8mVB*UGO3mXM5Y$A=eHlbpPVJ~y-
z<gtsK*}WSf$jRvyVxAsIuuF7tNKxSz{(4mV1M-{vZ{2i;j$P9*%Hw-PMt!o~MnjS!
zfT{Y&%1=`L{%`=K(30hWVipg#wC_B5xE+3x<LO<s>!D%kZ@2kj2zfwX6iqQ!)8@t5
zwzK~90(Gv|9^ztq3)`VXEYiHu9FzSqbjd}>a2YiU*Pq^h`Bl`E+w4d{^M_q=srJ&*
zz%;V9aN?l$@+LG|Q`0$kT)K=}@Tx&hQo_X87!epCa;@poJl8(kG2K3=Ie!sn;vpU@
z4=o!WCa~A0;xdXxnt>ZE1>g$5FR6LDCoOd`uDEblz$@c+?^6*swicH?Ckj<Fvp5ID
z@}9H+?>&jpRJz)%`uXydK|2#>^0A&_l8kKk4v#y1h3J|QD7G9jFF4+R$VYlRXkdC6
zUsvb;oX|Imiyo9{bw)_BU9qF_FIe}&EpmEl8F6EejJLBVR)FTBux4PUq>lb)Dp>_7
zyv^z=&s+n;UNS`&D~lUzh@U<fW^;lE+Du-**6y3avkpmUeU5p3P9l~^m~bum3@APN
zFT7_HPpeOVs~r8*%J8<G`WKq*9jCYgRPdtBD8NOZe71;g3Wa&UGn4<>&I(skq{S<|
zKxqdM`4Hlnlkvq}#<;6gB@&IlMHb~66}Hp+V;(ZYqXE4*=B`};?A5cks$cD|bpkit
z_B3N1R3-j=RMsuf?U+|#ddQUM_30<AcBA5JIlJ#~24mK$=UaQMa6qf009CmBSjI%+
z0lbZF+FCi|VB%xAae}3!W31cwjzk9syop%*?6oo(v`c3D&c-|lJpH-9Z&!~(0OA5t
z+h9Z8##>7I-t!n%y&9Xdiy1;#Hl%(!f3ae@CG7{zEiP=7Wt0W?ce?qWAVxtOo(Z$t
ztk3+U-Ogm|<oL<IV2F9uXDnUR#%f?o>+DRfE1_Cg`C6NF#YLr2MR}-$atoWcP9gCU
zw@2lPT7*+Y6Zs44P4LVEO{UT(1-I7ow5qG05Wwpi^z4_Ay%c#)OWsw`7*x{U?Ef2`
z<%qW|)Uf7(+7M%fHD80~S*O>4zHJJXd75PW2NJBcE!g~x`7r9jD#$=Xb(CZp$2~y?
z5v~I;O7{W5Q>}d;1ok^8Y<O)-4<Ga_vgdZ~okiDKx<&+EAx%{bnRs)1dhGQ;)H3K5
zbTtA%ji{bl5Ws5uMFOQ#N{ng14S4hIzYsBi2;=`_&*#5<7;HQ$sKjs|cmx)zZ~I%8
zWDkQwZze9AZ}ZaFbzt8|uV%_!wXbRh=~s$%aUae>(kuS;qxWm?bafAOmMr_-E2&&}
z{Fu7@7>K8Us6iX~t-r6Y_x~m~{N3Iiput#yFU!Ek20&Tqul|2P@Jm%ZqQy{?(?5S=
zBlNqeG*ifXkW3PML4zqIRn&;b<M1U?O9P-W7VC~c$hT}E{a+q49jDK#{f_9+RVl}H
z+JX7AmjW-ta8JGWYxrr<<R}BaoHS2MmHkI3yaHum&_MX~rT=K`+>`~c@%SMOfT*2&
z*sAT~O^$pmT61RsoErLmmJb5<!F?5$1mOLA+^-^%9TBCp)g5-iDq*-RB4+1?rqUWi
z{mtB6YI)AqxhUO{jR9J3`4y4TKd}W$Crf62&UfBt_e!%XZrgK*_g%TP3)Ee0hXW}P
zdv-8MD3zW1-T(9{_Mk(U%rWJQQsRc=MYU7K=`Nc=RNhW5wKoE&r($yg#IYlr!#W*3
zJI_y~T%eLrsOwNZT@E)j6Zf8KNkXk3fYZ2&I=M}}4X6V|A(@XkTORItxeS|T2&>EU
zF8ZLFiwpHdN+o8;cOg^ah^3AB4CF&!y?|%7zK-1|rzfc(C@BO&j5o?>Z)9-*#Sd^?
zAP~Vo(6G$9cB(QoEtafNPS(oG8MKr{+@1}9(L6wZV2dVOC3NNY7M?Mm3sZ4JZX<6F
zW{BU+2fY!|UfAqcGY^Yb9n2@H-@|#-iffz!^B`#j<UsCyjJeMU&?3zNt!_h>F87??
zSONtbFx=H*z(qYqWP;B`0;w|0r`hy!VJ*;=r-QAZ1e!X2riO~Xi+Xm&1HPxEo-JLE
zad(WTj>WlC-B4G5TQ0GGx@16CY3HyGRa#A|1TeksE!wwG0~#Knx7$!Lkh<vmkQT%T
zfVl*;tp5`qqylc3+nR>dVw?sje+Y3I0p_5PG}holx_>9*s4pm^dIx$quK`iLI{B(C
z<zz&Lt4Q|Eudf4<DvgIQp<54@RzW3GF0ri+sT<2eudq)l8Vr4<?!4q%#wRUMMu3%_
z`pM73M}@i>XwC6J^F!3?t23#=`w2k~cu>G)8I|tW4#R$erP;mN!&_YO(VkWboQs)b
zj9ljNb@H#Sx=qhtWRLg>m&UHC`_J5)EX9>Q%s};3wo#UdxJ<?x^Xlq-QqRDkf{XU8
zYnV?T?W0oFG@IrdEVel2KGL6=)5C)XV!!(ty=MXE3RnSReOIhjKFYeE@o1cPuyf13
zj6HJGvvn>S=bf}~q9Y7XV7gwj`>*JR&(_JaUCCmk!J72<k=`Y4=~ppu)UVG9vaL_h
zJ^?^SlTyx;S)8TtoOlKu%4c0%+SY8MQv6}~`g|7|Rk6O$o*hsxkqy9knmmUIi8=_@
z;U?17tWDv>QF3}D6^nl#n6>jY-~pr$L#d{g`V9ua@62f0VLpV?*P^Dj0Hp5fgFj2W
zR5=GAhu|VeP4*lFw=%yrwM6)e3BGZ9G|zVGxAq-1{wt&habD78s-Xs5<*7R1i46*m
zKty|ep88Uf0N~{xvuvJX)&?@}fDj6>1^>e^W73a7LElGRa0G3pA^xfVGOz#G>^-%x
z|J`PT4X3BG6!Ke*_<wmYaqB-O{15o}R=5!8MY(nNqcv{yE=i;`u2HiBNFXJ}f;+-w
z?(`|iYuB#bO==d>0Sb%-lCSLmb1yoZDgyvMRIDa_ou#Wo7xZEK#o3Pjk1>090MdJv
z?e2Qslk|4SnD!EU@r)nZspj<Hea#|pcVq#sI<vxoyY}}#A31W&mKH+=+m+@@{PC09
zmaeT?aUCLERkJjaHBzSI)pv4-DEF<)%(4IpUTi(H8g$4A@A~}g=!^`R+!;eld{ZO)
z0mojMRy0nP_St&W;m;uuD_Qkd^lbzz@^@N{<A(e_b&a<2YZ)Csc(Xf>0?hGioM(o*
zW@x9F@x_fm#jdnb@Gs7E{+~UuuLJ#pOlcpw(kginV^Ei19*`KpRhjwyLH)~8kgCwi
z_jQWS8NJg!@V|6&_Pa|8XMlEXj9TpwCwF%@b{Y}oIa$krB-*jv@01G?OuEWNtgmOr
zzLrQE?aN<_-l%(dwYS>;95U+0lZxq+2FdDI0zN2TO{#sHE0KG+>1vUu>lOM0j>*6V
z)BR1F0TRi&laCxbiq-nCHleZuSy{I#Hqi5?iCx5@;u-f2iDr|Bo#P*~<~Q(S%f42g
zJ3sue2lt7rzQa{>r7>{&wXR;QU0Fix7Prd_5QFR#QQpEgs-thERu`q%riO|gfSljn
zP1v5oQ@W~(eSX-S<D4n|72K{38|U&i^|ZN?cNjC|3BNZKe86gNWgy4sp0;u%)lIF3
zks|S}`M#znpws#6<C~Q+9y;WAeq#ztw0?yZbAg^|VIB+3mA7)%-rsm{oq8_&Hh*0*
zs~|6EtKx&ZyYLb=UL8dV%~($sg!oTCQ&*H$kN~YIYD#>j>L(>dwtp1LRUSWm7!$hS
zTsB$P2z$D>H6fQT9EW=P(_<L@rkKn5IBIyAp}Z(k!xWG6&vTS%^-+BbVgmj_sl3wb
z(j|UwmaQ<?c1#%e4K;6Wl^vXmx3)$$U3jsZ@<Euxc*X$;zl{8kf>EEEIet|0l#cL@
zBIViHdRLpxMq4`;ooi?AagKjU_)vN3I7s|}&-d`F*pYo3a!{8?E7_6a0y=7nGeVCF
zbPj5;3QUusoWz`2_kr>ItA(L_CpfQ18CdBhyja_xg1%!q){Y=uE}^{e)Wm)(L0th4
zyhTG;S>oJ$lmByUx6-sCLn*H^A!LFrCfH{2WvgP%u3{U%pUn9^E&=2-*JJUr13BWP
z_Zes;@tdFPl@}PLzR~Sbm!Aon1Q`z<6h%o>$=_z7?-Vl>m4LF=>pe&=z)M&~@<I1m
z3hMZbF!zYLwR>u*k-)mTK8UKjv)jGYhl%nWag7)7lla##0!sc5Cs%7K$OM^@ifvKY
z^h^w;7e5hpW_Qy@6B|Y3=I*by(Q9Wg3|Xs7?ZR*lb@Pc%W0!#;o-PRUaw6vHpfo&J
zZJd8P`%X>vFk?8q#s)kQ>rZ!JzudvjdiP|{+Cd=C57tc``%srkc+ZEv<=GpI7*&|Q
zw7i(GR^_sEZg*X5zIt=3`Q$Wr(^Hso1B^n06w|v`{^C{1(OjOT+g5r6gSR2``#xK(
zVi!1jDJ|Vbp1WH#<6kK~OXGu-H5sJ}@^ggY?v<dE=m)ZH|MdnVs1xA*AAfupB$j&r
z#{{o}=fXZim>uKza|c4|E<ip@fyMm!UyDZ_CLO%RYqWnJ7Jo3F_|ckA>{qBmfY1FK
z>_y_F&$Q?!?c-LG8nh69_W%0Z^Kd)_jOOpK**N{RjHPbMeK*x-m$;)s3>Nc(z1{V!
zE+kLH2ouuaAI;)ZFdy;TYnMAJ-m<&%+0Bj)wd#hKUJKPO|M(Gu=WpBVn)T@rb?5%)
z0k1!pM0&b=j=CFp;$E#+HXvnAk}9SI4`UFhb{)@}%}Bo<lzX_$%gJ8+_I8n6C_z+2
z?gTW^U7h#^fi@!c9#GmO6n3o4kyx1@>>Z5sCt!d6=h+!1nsDV6_)obNOQ98S#l6iv
z+qsvL8*jAV+T<sCR()qHCyo<dTa8_A9-Sk3dp=^HHoxn^1y{`TAw3@-tlBoNUuj2-
zQr5)cCIOk>sLO6|$tM3;6I<fQ;AnJ0)Z+CPIF_Z>H7q&xgNv1(sygL`hp^%X=j50H
z)(QQTe5<CfYR<;5Vk#}))ti%)hG%f0q~SRoV-vl@GIta3Y3a^gd=;}}<@Y8T#!0Qh
zN{)U}!N+M6M=6%mnXPM40-SSH(Q<#s<G(GQjpDNMsAl5YcRXNLk0|`=<-8q*k!r<A
z>Xo$6LOwOE1h?nGID55!*a*Ni#yEhs;Zsctzvr6nvbn2q0#-ON$QMRDM$v8!NyMW!
z%PXDZqdx&_m1bxU=bm<P*J%yCev`c?@@m<MbBTnD!ScCEFJcV67O%s4#}2iqXAz<B
zbUv-Fa!d;UUe5gcd;nN>1MK!o7cYAvS&S5bS3;3zJ;i(o*IXaCu2}S3&}q9dWIJ{Y
zXjb`@Q`<3hIC8n;Yj$_=AiP)_+v+b(uaOz~wTa)r)ufR>(<**dm^|He1h4^%s8>K4
zJ{lid;k@7sZ??d)D>hYiAkORD9CKIqY`-&s^byS$&vaUCn7Z=gjr=}P-h$VqqV^NM
z;LA95R|@=0TzOSDymvR_J&!dj`dw79(nG(U*{+l$I{k_d@A4k6C{Nt^#WBhpAg@Tp
zEI=RwU<1m1X21w)qj50`UdC!;+5EClco2kNB`N5!B0{y65%u#L=3ukdQ<wvyL7j;U
zbq<_DrzZ$A4|QSH{xC;}is?5ep_ms&Y|vi)u(`||jdU1-E?~-KuyL>QLAA{ND!D3r
ztqF84k8Fs&HQV!eS>*(73Su)qVDFSHo&xXrI31?W1&wnbU6Mh2sEpw%C9DW*YkZhZ
zui1DpF~Yh-lQ}(xJ4o#Z&wmD2dt~Ce&a@OF=RB8Z8a1cXhKkR8E^a)tH1o2RkkVhv
zjJai1$a2X@N0UA;S2lLyWvfM02zsrlj(N`-+(%MhW2HE$!qXQ`lpF6>;vnIIYXT}`
zq*~(y;nk#07g$|#r+)V@j%6=(=w%IACZYAofvwauR_OJqC|_2&>vt*vj8N~*i=>_s
zE#}m`Bo8kuy&Vm60ipE^h@O2AZmQ8gm~6B4vt*aQRJIzDhqNjb&EvJ|IUH8?^|CG&
zuA^E~qa;~8a9p~1&QHr16J}qEg=*0IHUp>w1Y#CPJ$zzt^xE|S_wm(l&+q8K+I(P`
z%FMbcPv2&axqMc#!3Bfbn?0)RzU`)Cg*ifXsWT474%ZH<A~oj+!yJQeX9lEC4e>#X
zb-cx<Z(+Yx=X`DLje>lw6BA`q-<FzkFCDQ;NUyxDt2dZ0etP$_mZ-{?U)duQ`I^M>
z17(kXti+T&vMzL~SG;5#ZM-bU=g9@%Q1V#qP59{pCEaqS&hnF*GO%$G;sQ10x#L2a
z<1zvc3x_e>YsR`?GqN{-7I^C!CFHGfGL$aS8-^4uql|?VO(gUQIjCV#h<~G)=<_eO
z-qx<3Yx~D@IANg)*tc^&ykfMz)Ve+dl4lOwj;mVOD8!HIorj7%T+1>{(A*nfYtlb8
z^!;W-*(^pMH0?>NWH)7!6cqcZUNFD}MV$>`y}Az~OucFHP*$#w<td)%VGecgxNvlV
z92>NKIj6F`C2XvN!sJRF#J_z%xDnseWAa9zb*b#Z;{4+>bG-(>MRo7GFm9PbDk<qC
z$prVOFfp(FdnfeW!{c>R0c#QX(~TvBl#zjF{IO`W=VAA$yZQ5_BjCpdi^T=}rXAGC
z1r9>OL6_ez^Nt6Fzu{9!_I+#Go2EsM$3$n=rIxfZM?%C|sdvzG?%zHK<S;mmR|8v1
z#|U5XMhG`^Vt&G|_h^bzDGQWWi;x-;wN46RgVHb^%7yS-zY7WxJl@v){`%*r@;7$Z
zHCZp;y0gaF*uMsT9I21{@IwIN-wc-c7&tT35BrI|Uk5Io{pA0P+wu?FKmApCFXDsv
zU)yixN=v<c;r0LiWeB)^EzeMwUG$Z>x9@O#VxrjPrO*`Ly}|uY|DTuP8xL?>aiC1T
zaEyu!OuKuwP9KMcRrIc|;@2+!zDXfiMyek$cozMj?6`AfZpA_<t{jK|)P5MVPY<7m
zD?gi3$?-toX=@4wAHv7`+i%=Ybt3$$fMYQF(8kmBkzS#nN+B=2P5(9Uz|66wLVvg?
ze|^y$qgaQ+y$UAsfZM;+&C~2xZ{+?zRu4$G$^ai(U$US;1dg9{fKBKf#t`ad?D$4?
zqo|$6ArNsM>V?1eHQ-7Q9fxB4y$h5cr7Ye82VNt=b2g*-f#TjbKX;smJJ;GNEpFkr
z>=g3JKk|2G@V!rbVHkM<9$S<m<nuf5n&KlG)OLe$2Rui5%<bCp6!FM;#BupON%Y^&
z+{uy6NY0-LJ3PzF2^;mh$rU?4X<{!6EdSmw#qPvL1>#8WD3HXp8Y>?`lS|z=x4u5_
z8RzGOSRSeQWXArQ4@%rDO8xBlhu=#h2+z7qYDAFU+9p&Q>AGf#lS1s|FVdj^^vX|V
zOmq0CjC^$kXrjwZs5W#7`u^#qIH-t;>8vMLN~jiXgG(*kDTKh2KKu!WgWN9z_gW(p
z9R@XAoe<6P$Fh&?7lPC4P~IiZSO1#p(r)pIlL2?nCZBcccApf}n8oha0H4I~i@<)B
zm1!ka6ub<xOaJx&!EDi_QKgUH$JTZnTt3NkXN<=YfCJ0auWHHsPNdDqiqPqT*5o>_
zVeTDC*fZ!eFj*9#N72FIx{}y4ja`8BM`-kBTq-uZ0DollbwdDUPnH%D%vhSkynDkZ
z?YmHlHifomB)V?*msYzQe<?ixF`}iO+!z(?wj9-`GWK+3ncmxYkPh0qsgv);NmI*y
zF2on62&@9{-s_;wX!IUu?@8c2gf4&Lp%m{=KkO<fopqT{Wx{lf5N&JjV7gkAL+?8r
z&8D8KrT-LGoN`Mo)Nxw)UdlOBQ>O%%vyi-VdnfF<c-d7nL>>Juj&Cn(1+jb%cGF{4
zs1n&K>^3?-6+NDss>KR5wT=fDXM?d-SB9xXm-T9Dp1iq3qRKbP{zFV;)gw_gU=X2m
z{cSA|a^GIxBG^Pod0QJaWxF#$_vI=6b(VqO4nFtyQ3qgyPRD#wS|}IOXd$~lZH>Nd
zN7M4g(!Nn$Ayjc*czSw};Z=3zdCrAs#f-z4lB06bH{?Uwj8nymjUqf2nG@bT6Q{dh
z3|zMVibqa*S@q27fQ$7u^W)AS=aWM4wt^QPTWd*L`Vu-jCS2V!u<~!Lx;J}$Pj`X%
zF2bY8S5v-dS~zkB86jl_UpwfZ9SCBDcoaS6Me^^-c2m!mSzYRRmA8uT-a8P+b_7dj
zS`h+{*RN#eTPLt?T-Y<o)(P^D-_P}=`*G_U8)1ud{QKJmT@mDBMBGkWL8>VkDeF)l
z?O1#iVszkNv4V5$QL(KtyukQwHGZZ-yS!^B;5i#966&p|*0$vvcG!6%<(nYh+e+{F
ziZ;y^<)`wjs|IdS(yG60wUUDl;g;JPWuS+~p`QMUYmRqMDJw%7M=tYg{grR@q1G`|
zHH6psZ3p#9j$ugLFek)}<6pZTycM5++u+}ZhZ-J@eXUyMS)NneD0rM$c8UKZS7~)B
zxn%@-#u+smXXxR#SUj2?B&j~yIs}4&#ooP*dyMUGBg^kxxs->`tH94YS4e0Z`R?S&
zx>-rS^x^b|c{+xdUNSw5$=`}4x^a5X9<{RIE~cd8<4X^DA85{)9VN{@!0y??`|qh2
z#pf|_`UCGzB1g?VNBT!Sn$2T>d5wyAx_ORz*jVft@Ab|7m))#f4Im@TDIQhx#YpA#
z%_2D^C2)DjQ(ve5fkV{DZUY2_9$l|Sk#n$?g>uukAQzxH_MqK8yKrE%XY{eS_v1Cr
z$<TvWy(9H{uAl!Frn%dZZAcPi9}d$e`)U!FN{7EFB_QwXn3p83P4Vne*&&yx*2vNY
z<Q@i6!|r8daBEtDYeKJgYkQHdjp4g^V5@0G;>!l5)oy#%!!gOp^6%`cn;!@W9t*J2
z;y2jWn@%c8Dc4odLJU=K3;DS9#IF?XUA9*bQ?HFh5PvR4Ez-4I1?({$gP^Oi3JTuJ
zzZ&icL!brXJ{r0W9k1`l9#j#6rZ4*n`}wB}!iP(qlwY#a%cOfpM><6uf_eUBRoE~8
zd9N7zSQA3=(F;>v$N85(rByf&HQ|-9X6jfo)YK#RWrGba___GET)!>4!QgFdRGgC#
z!Tfr%mL%{j*}M0DWbWyWq+r5nV7`liZQBAcilRpEm(ac6=t#s?=G0x#`TeiI4c*29
zq%LD)b+&2|>=491n8(CY^w}m|8^Ne-ovtl-pOxzyaRHTgtouDh;L?H3G@ZWHdmtf5
zQd?8q)QSLgC7jfYKARn>RWIu#YHpb2@C%%WOFxB?4_wqf=){0o30try3Dl(ym*gZW
zRLMfkHfq{X9<D4?d;5}Ide0@ME+%l5MBx1b4fWa2eBZ`p{LT>3ABWogfayGPC06A>
zvL((BR7<N8QsD-~(_LP7iH{k5lPV}1E_AD=Ko(VD6m-xwuN<fCDIGjMO&3{{i}D;J
z5o|esh^@qJcEud<&wjj@c4);4iNQs~b>6&9Jonst&!{}7ubYC)llx68e8z}l_{8{x
zXEzd}Ue0sFwL#|L`!H~;fv<I^qxd|0UcFo=?61vRf6$6>!e3k#q%!;+8UAHPzBC}k
zyp)Og%j7it_{i?AFlnM<{CM;_xIVT9YN|o_NG=ERjWyJ}w&JX_*LGpZiwBXSw;$vK
zPsRu2WU_t<Osjs!5PP1lrL9kGf}knJ))Dz0+;^*{(b9B+XXy3%L)F{vDJ2YVrY2H@
zIRW#Xps*s~Q2A$v{VT&__rr>jT!)WEtgwz6`A!>&cyCW8QfIT7PR%8H+0!Vop17pb
zbF1a!GB0BIX7`sMuZ_%Wve6r3E1{mk?JvazC`H4^FX-Tya^fS!Y|}#fStELaLN$=S
z=$vXD$FLF_h|%5>JQsv>2T?UUAnee?n2W$UI0-^}U30M?bllZ1E!lty3cat%mug}_
z0yio0E{%fhNnO3Rg_S7jdmgZAKbKXSxc)PVYdq2~MBeZ@4Ciq?pE>Zk@An({$J@Qg
zgo?s(d+R~7a3^Lj=p>x@7A7ks_@x!WN?xlv?7cBLSgjQ&mYhlvLcZ9P>2G4O()(Iz
zV&dp)_|yOxhCFKG?$2D4Hyz0Jtvjfhsxw7^>O4wmqbQ{^#+48s77#UHBfx`tRjm8b
zm_YHl9?CnKUfje-+2n&FE5OM$;`|>k{-aA(am6fZd1+^8&Y?+ee0_2>W^}vZL#Q4z
z$)JIm>r1e25G#4nhh$1d-;h1otwUJy)YPax7Y4={3VNnzv^t$n35B_o_J6#=+4C$Y
z<&hKlgUx>b?B~BXaQ2s@qjI1lHQvsGb=q9gxjKzJJ)o5D)62FUk2eOX<3_S+d5rpW
z9+$-q(o?ue09z2mX|ZBE`Vn5%-qN-qSI+1+d96;8oLZV6mchT9G<YTbTu;>;Yc^?T
z+Qmop=3T$VyLp`5RXWW+jX&PkppTW1y?19!D|YX9F<0b&ba1rH?`&N*`fhURCGg7^
zK^lVdvcj=816jQGS@$sQFXbOGDZ)n~qDo)`tfcZOl#$1bstSG99T9OW3eC-<Dd*OI
z{$7nwy%}ulHeYtwN_Yx%a9^(&TC!CB%s>rpspP(T(`jfKRZ^T+g!Frj8y-HBxZQ`?
zh~5G5slQ|JS?5o`eKLrp$eyKlT-^2g>rdeOsFzAflbGn<>4rdT_O7e`%|;-5Nc~tI
z*}D(V)O`B=|B#T!)EuViBpblHP(S_>zkhT4$KFl`&i|o3TlWfK_WKKvro9*>cO@9`
zs2~uq?z&-*SU!)vus-p<@V|cSD)uSmMB|0ewtESG>ZHUu6W5Is`%n{XXe;8UW`(>8
z&|8j~0P;&>S=3N7=E)7={h#=gu?Ign{XOxL*<Qt^-f|$K);+49K!}0@Z$ypSgX1&$
zWdpZ=Fn18lzx@yhUz>f$o|MNZ&ee``$S8gC`JSQlLHOg1y~rcj7hJd?Zv4QJxN<tN
zd(^F0>)r9wT()W2-%f&GS`7PZ+{$_Rje@YH>Sc0uJ~?KWfbihl{7k!-@fu}NxAlCy
zwtF41cHQcn6LrAE&1cU&YIY;Ve(v;^`k{%1d`cJC_}KmqQ#`3*3P$?_e}3S%GSD8o
z0`QzleHKi|-|URtub-^Ix$H)}^(g+8DWm3}EFVtIHM^_AuFwCP0!RMyH1~;Mh-eT$
zG+)xShWt>8_;9q;k6h}>_~`4C^5=?c??xXctiHw1`t8hCsLTIgvWhQ@c)qWCE4!xL
zXR!WUzrqw3<6QO5LQOUKnak!gykqr@W4X@mnhxW_)w54qe}_a!#K!mEArVM|?z{Q)
zD(eAM^@{*%NCl+}jXR9#seTd0t+FK#w$32Pc0ca)?yxz>OdqE2HO0eux`gUWleta=
zi$*T*;Fs}eqNiV}PyN}k<1+{r>*i*qofW*ovbWBaojwGm56_04U<-1sTTR^E#t-;W
z28hn9#aCG{3xwdB&ET_4#l<4Y5tZL*#Q1w^mT=X%<mTN?PPVy+zhV<fv7@~S8%21)
z<k8xn%H8a@yiBPwPz#-w`+ohyHtp_rP8Q_eQyF4e(5tw-1?QTTkIaOznOAg}j0~mN
zhGw~CU+;)~or`!qEQ_wx2~H3ZSjGT9$uwcJfzLzf*8!z)=No|ol{1&-Dp+`zeX3`D
zqUV%0pC}EEy0(k-JpwzmX*ep*78iPcmpR*(Mz&u%fjlyM*S6TVQ#)=<1>FHX!S1)+
z>{m%%0L|aDEeJ-TDXw*S=;O0-HKe$TFcd&r@hPsnd<t@Mo#ZscR$Akk)eu{6<N6C)
zJNGycMubaR(pt^U&6)VQIftwaB&?zkz4J3{$DRn-$x@D*;RF*8(F^A;R689R^mb`{
zo<8Iq<7<lOsUiB*$OOxcr#FPp7~i8DCRp@RNL))K=|<?B(HPm|l6kvBxg{<_af-di
zrnZ!K8M(vm6<5SLhfDAah+2PmulYDhE&NJP`c}7vQ1X@jL=A&4%?BW66{^+|$=0KM
zN~BimoLiZ@@nK*-J?m`)%&LQ!bpzE(eniAZ2`jYmWGznU{nt;ThcOGQ6O4YBSF6rD
z=o<3|wPuIdpGn?#-Mc~se=YIXQ$As(Sm21Y^+pgHQlptbf^p1i^3|vjs?W&XZ+Cf@
zVmnr>s(F7*Ekq4#2FioWV=JW5WncAOw<#B~9eS#@Z~?LVj7$wLU9hyy^?J|BNsid>
z{L^<nrg7Hv^NHk&3vg#lWe*B)Pl60VOpofp*Cog|=iO<F>lrWvqj?SEOg>WNF~|ox
z^n;<3tS58cr=0Z>I?~c)as4!_%HmzbSoX~cToloyza&$&?r{+p1?C->7Z5(oy<T}-
zf`*i~bi=8ra+k8ayt5g$`-z;lyp<=87=AH4c8HZX_cs6XElVdl%p>;K5n-e6PYL+>
zEe)VWUT4!`Obmb7&ZzyU{qnIXCP=$@^L-;$Ow2Y%T);M?Atb6)B{o^&{l<0MnpL@)
zi?0hjT6}VCmWpq@Nl<@tcj@&8MRo#JpqX5q{BU?UbEjuTqnsTlLI2~d(63>S=52u+
zKKVYQ3n%)|aWX>gFP(UKJ>c*oi$P{Cyq({MU9S(*5_*}47Nhfe<I?`p-kYf|m6a|{
zWKMraBOw)rdsKOh`r0aI74nZmc|`=XRVBP%5A|WNA_<g5J3Ad^wQ&iMfjiGB<2Q3L
zF?PD^m2Zf7QCevYWr=M^VYQpxNlxrAh5;l2eg=bX1hbiptqGA)L=Zaa2evM6hRXFI
zgf?1dV2x_Z|DRL4AC6LAlbF<PW#yguLx{Fa?D?}ORt@1u(Lre%A^IU{q=FdxjkDZp
zn*=@Wo+8Q{5t|XvDd*jwJ(CrIhm&*z%Xj0fE)I8|JBjr)vRwSRxWHVbpK%~ei}^8Z
zQY0wMB!oneMuZb1(@B?7DL1}GO3AYMo{h{a;Ggtf2}V@1KbZ+e>U9M>sR)e@FQaTx
zR=u9e-(r;1X<RZwOv8z;7QrrSx4(MOAlplDgp87R%_U;WV?K%dKNrI;oNQgUfeW*A
zYxgS(9TeoAZ+#>11Eeo{qF=lgyq)=djvQIO(F!;1N*C%04N8f$TUtQ|cN#iHxfOTE
ztk<Ph8sXfXOimgOW<Z-ko+%k?#>Nyc&2`Vw)T7TiIDa!J|7Tv!&en8u3H72nX}dN#
zdJ=J0bgEaETcb_k#eG*-*NJhY!>m=PEQo_F17V~-B*g+osfNK!)v+w^x`F}}&40Pm
z#PPZF4sJKsAu9q{d6s+-{Xt=d9Z~X*i6sn>566DLfEJ(8Z|$#g=?@eZ#K?;<BiD)n
zYFP)>s+DJXeLpUpn`B}b?(r=TAoWp0`Gfq+iR(FbX*I6GFR+t|l4mDp;#`h__wPJ2
z&Fh!qdwuV`44rRz^P`tnt5KCy@k(4^dfH}q@72UR#`c={ezS&;;Wnd63<fdsrX|mc
z@>MFkvWvNvvVUei5S^AnH$rpyya{eeGjzF%X>Y%U`A(y_kb~Q@5!GuWy;8FM)$1?S
z9W&Nz*fq;T8bfbwb34q-h|G=;Y&*0cHuUW;DQ5p|;9j6?bmX#HGVIIE2Bs{o4uev%
zyn}!@!Gd6LhsEG{l!sG|w9bNeh3eHPHxZXW7|f_!?}bx5H+&1tTeU8+aji-5lI%uN
z>hZ>@TdD^yv&uJz7wVpkBX}ngy+?Z!ch=V8BVC2ZdFI-^Jb2-Xo3)JivGqJpTjCjl
zMK#`@^GE9O>0E}osr_Q`Hn9hYUD?Ela3Z*O4KJ{8-K0?&Ql&FdA8Ws>*)1<1)@=AR
zq>W)qcM)Xo$Ddi!+=Td3YvCncy7lzDhWCHXb*mwIE_4O66~0(V7L{oil;)4PpM)H&
z(bJhHZ_u<d>o$zZ7unNc+6L9j@&Wdsc}pRpkSjtm5`F7wtBJ3w#7w(p><w&`8&mUz
z>goJfd=53x6T{NNJ=JVb<hV5^pRZYPrg$r=Km#Q(i<<t+B$<TTn*A{4NE8#ZiIISr
zUKuFK{fX*K>=!jvBNTCZGeQQWBW_R8R2^m|O}*g_NHBZoTh0m<(KDn`Ri1Buvyk{A
z$|HxPB!Qi*cwrRXoXW=7C#_Jj-gitSzb<tOmMDm(kA$u};XbG&M7<^KEwyMkr^|MQ
zA8|RI$mq9OZ@25Ua%KOZnYHmNf#gY1keB40mR}(v15#gJKCRGM22$f3-B521daIsk
z7jBS^bHYxMp{O@W%elYoS1*{)2Yr3-P#t2&Vb#Ns0D<7Xv&A4CUY>Ea5sLE>u&F84
zIyp70BC;u+mcZuZ3oOo{bdkBE&Yh3!rpn2UQDLrr<3tn!AXr?YYO=#z8H(MQSf(A+
zSx?d!KLJTnazkn((bM=T?CeFG6{gp0MLDk+9MtC>67tXX71##8Kbq(~X@-l*@XIw1
znrYYHr<>S+vX-3Xp|}|EKL6+25|1`)ZcS0;cZxMGt14{16)|K0a;IUOkWbRU3Eq8b
z`IMEU+JL#@I;uNyGfzOI`>Ucv=A7YnuVPW9b)%Z&6H9W8jhNsTp<gXipBY+p_;gw=
zy|<ogTW_QaaK4iF8ypqj;pB^UUoT(CTR_iepanbMx!9d8N)*V^_h1IO7xb4|U+r5_
z1{ZXyAG#VTJ#{EhOsF3RMjveHHiY+^ZnV=deK7a2d7su&?$nu=;ryJl{caAu=-E`;
zEb&Yv;pqiP2S{m_r19Qsd6mm{AocCHhz#K+aNRC6XQJW?y%v5r;|#bbK9_JUPs1c}
zeqe30{cU=A^5(<FU)<-fOAUJY$f-S_2jr91Z!68@+KQTBqinp}v~8?~6^lZeu&=Hw
z^z(7kc<0;FoW;FKUw4v=6e~Et-}>9LsJ_9~2covuM@rpUa5c;N;ScCd`nNRR$1_%(
zpBK84Q5CPJKKnH~hPa`m;A^pF@nMI>blY3ZW4<>-PmO%Y-!blnaOA>s);aE+mW=(0
zIVp-FCn!_5X;eEgVUL2ZI*^M{Ufd79mSj7W938i4Z|Y~pR0}(4vtTN|zhgw%6UT_v
zrR1_ia+w?A#OtAF*FehIW~!U=M!n4!I0s0q3|oX>={o7amoGZk3YG<#kdXruxux<&
z<UTg@0ZR6)p9S$}mk6*tzw0Q~KLTOOPnCrrZBUJHA}E;YpXavJFz@`BoJRjvP;x8G
z+HuRks;49qd3%KgVriaCbN8%C^0SegM-o?QPGs`!4;pEq7u*h+hM~0BRK>$RkZ+<^
zJd7XI&XCGog>9R{cPBy`)JO$qQK)(S#4JS-fyH@0*ezgUEqva6oyGB;yX2Q8E^q^d
z)EvGQ(KFM2#jbZo)f%p}A+#B`)Bhvoq)l}w+g9q^r~%*c#Ov0gg0r|^sLhA!?ZM_Y
z6r3W>*<QUbTN=ZpCYSA|4z|er>Di{lm;iRi@qj@gk03@T1=jPqF21sHMm}P<{WKn3
z5Dqr)UT@rDhUAHG7u-0m`^AsNWDJLxHjL0|lry#1$@<B+e7yy;5IOa-#V!$R5TVn9
zI%|<*keWlmmYzqx<QNWPV+G(c&GMPKg5qm!VDih;`O&>L%V!5e_@SP)vuONmIw@uo
zHK&O<6TSC_#27@zohLo_;^jB?j~{o2FaLabuvtK!5D|6+cMycil;bb22OXB(u=!^3
zR)0df-Q?X(RXJ8@aV1jyS6!-zU88C)pFJnRsGYwj8ZB&AAf0teV2)cj=*FduhSdJo
zHc0&)o?fNg|A)EvjB6_E;zpfu?4lwHXecTI(wh(v2%|KWCZhBrL_kPFh!K#IFcvxi
zkxqb&fFROa=%5HeYNUk{AW9$+LO=*Dq1~X*JoDU7@B8WgZa$`*oPG8>d$08`>m0%I
zwoTWCe;vHh*}&!K7aTWQ1bk2Wf7Y$@Yu=prS>a`6z`me!OHD^j)E_!Ow)#~Y>m54|
zCFG&T@_c|3Pb{uz;a^?53-sjUR%2_rm-!uh8@?a0O6Csk*>-F13z3z-XHI_WKF~5<
z)w92sTlnmIV3c*>pqe4N!&?|}x3hPf5yt&xsdk+8lhHWIbIgHgZ=VR4W$EQ9foAn1
zF&2AU8uB9L+m#k@ltVC)T6J&_O#MLGJBu)_ZS@)O#PSj>b5Cbmldk8&`$3=g-`Zco
z_Q3;@>1?HCBQkK@Ti1`(1C*R@%wf)j?J@2TL@t#b{+jha2m+s+BKQ4$VWyY)f3rVh
zZv4Bw+Ammwd&+wsaMiO1bkJPL!0tca<h~;(;vM-D%Q*e($3Ne?u&d`nxqoSl`@o71
zZQle0YVfZ_$+h!(zCU#uA7&0ZD^IC#6<+gU4!BqA&gb^+v!422D1_%EYChT5iL)n;
z+vD^yH#)1uGdVBvq)e8xu5n{v?;rPGj2DU;KlGj0CKDFuuc(Pn&1<z2`$bn$yH?Dc
zejG5{Nn400K^v~OIc=vufikXR_exPeqW1bre{Qz^^`E~~7s})oNKf`ApG5nOPN%;a
z@k<O>>tJ|Km^e*pFWrYPig0QajM{PRFT};BY0+)(^$~&bQSBesaf$sRkGH|~*yeTE
zgpU(vrLcG=6d*#G;DQbl+v}8Oy%=$aW!zG<yYF6QUmm0|HnGQ??$Ly&SD*p+tU7P`
zJLO9J!NJdzz|4MZdmU@J{K5H@obj&#dJAf8eLHz_pk1Ad|B0@A4f6#y&ht#H5(6fc
znMl#yoP~UymH650@k@6-IiE5)g$udCE5UECrMdC`wnulWl-<#*-IESA3Vgfs@;1AG
zEh1GivhuF@C<ecMGU)66Baj!DV75z3m-KYGIPRwp|6o|&>RjIIv#u!X?XACpeh6rL
zrb>toqd%|4GC*9;uDcUWqX#*jmUtV(bxk?<A4P(>k`W4elc`^8>o9Bd^5(5!<;AD%
znn^Bi<s|V(xJr)x+{)d(>M`*B-SEuvgk{ddye-r=!zq@_<L&z|Qg-6d%MKoP0{}NR
zu`&U_nUyUROw%o4h_JR67c#f%)@7git&g4z)U(_<LfNTX$%t1oS!&5aSK5VWo;@*B
zQj}-?=FW~SqReu5?TzatXA5$Cvu7-`B(&05M?~I7?@49*YlWGtB|OOX#J*u}hMgKk
z9blO@J-&?a?H86~#c;&}6${f>xLrf~L*do!Yk|Ix6K2i|Wjt}G=S`H|>Y4{>_jWmX
z%z?<l$nL7%Tcf>w9i!)wK7$$Q8Gd=~=0APsAHH!VK^GlU&gex4Ew48N%@4=>1v#yU
znC)^+4(86LxXXp8Lpii#(o_ECW_$D?#6dw#T3T&P`87Z4rG3}!x~(ewyAO}ZN#M=C
zAEdHsn^#x&Ab&3M+Z_^qt4y)Rj?3$;!w<i_B_81jIU1jOhkw*Bs7}+_yOIepOSzZZ
zb9N6t<k~E_8qH8W(V5~S@i?~sNk-GkS-3IfdcFrg@AN!h{H4z}=B9cLX*E}TR>Vdh
z&y(K|Rn0)pX(T=A5O{W1|F(j0Ohjlu=~_z;{3Mr`P~@h(_Vbo0LiCo9Tf7HlU~;1c
zinS-@-HP{CHttL9kn>~R{#eR5TWmCzGWfDXfzt_}^9mT9h!5V9IKAZAl5;q0ZB}1j
zztPr#cjvMLXU#RIIH*0_jQp0{Lgx``d!t5V|A(pwCwrR9y%a5ebH%6SrKd(7BV+=l
z%Ptz+-!%Ju>W+?5tYT{BTtTAQ@9&rvWvKO*QDp_z$J_UewsVwUm`PMltfg-FnUnC;
zKY9zBlskar9v=|C?z<gM#>0%UzPF5XU(<WMu7K8(Oub~&9CL!MwR~j4J&5$8-VnVV
zRVUfF);{2844Tu}b-x|R4SQzhN}6A;6D?-!RD+^a<xAbRC{!eOXPY+kc?;V_Ae;=A
zi)y5dxvHUN)r<Y2U4d-%8hlAR7qB1ZvfrsuctwwpT*oJNNy2;u2MI4fmF`}C;{Q#C
zzkzgCBKf&{fvFPytf6F{TXe6a0rv?|Hx9!pi(0|UtUghN16uTo!Nr?8GPG0%N$bc`
zjf?1iR6cuSc(!$PU99<=UHqxkm+gm8H0j{~C<krqhEE@fe=XtiCLAd}I4XHbe9@;Q
z(18QNU9I$)$^T^QU}xBQGi_^#Gby5AJht}7tWoFB6n*P#*}bvTfqS_3-g<!S<Cj1#
zNgXkgzQeqeBHK?pBf%%#YNOPvcwOt>^3EaW{xK?f>~>1`He@@Y2XkTjs$NUFKP^Da
zx%?5}myY%VSL<^Sv`Z`b?uDKq*X8YeG0R=dIKy4hbw;&ks}^rJw@#eqifvAu<3@Pf
zwU&nxmrTwSxWvKQ&@VgA_FFBzkZT(`-obxX^-$8b*{LC0*vVF~=dt*Fhj<)8byR`X
zt@<n8KP>#2lFrKxSzvf^mKU7O8sBctD?C+y&Q<#!-kXJ+g7Z>sdB)ahS1cWToy)7q
zN1WS65}FFD<Q9WtTOM9aF-6(lO>zGxo_!DP9d?f{>~4GFTrMz^^gQnHZ6n_I0`ZZO
zCk3L9gqiQ=_ueg>+blW)12bb^6TZ!x{%&`n!C&;9V9k8+^LLi8Kz*&;yT>b=3W(G*
z+zG_IyhT5GF6?l@9tq2RY5YURDhqH`eF70@6!`PQ2kABlqc)lLy9v@{eoNmGPJeC!
zPB$fb{^%e01NjrKsrM<M?aPc{?lN=1D=?Dy*sh}1BJOIo{An6gWf-m1If$59b=B$@
z_|GcvQ@8bV82Sz=4d*YLL&_EXnWuZer}>tCiZ?%~{`TLI?j<XK?%s0&#co@?vhw%(
zd1pU3@ZZn%1KykJIBG6u%O*#3du1LyuG5LR@^e4-X8zom_rwH0$F^^86Zys4|70z=
z6df1v`Xw#+56=;{|DWUj`o)KD|M!Pb7WgR=V1L--wi8AV8A`e*_ZLqf$1_C6Q|P)=
z?D^>{-F7&%{M|r9$%)aa?ODV<ul+G*sZ^fX5*zo44)aXzGnq_dD;lCMk0PFJ8wC%g
z;4bzKmQ=Lu9C+Q<%J%RRN*Fy5xHRgGsrz15Of>g<Y{_x6!1V<7;Nq@|)@OvhCz2vV
zo`QTs8tL|alk!aa#e}E~T=cPUXKPW7MIA2Y;B|)Y=a5zR!p|r;yZR$xY;waZV1I*(
zK|5D>&BG$FY7}d0e_X_3?%FfXxqK)$e8ZeNOc36v)M<t^0ca1Mc3!grnV57@zdJg7
z=eI^SIZG06dEGlK?Mf*7HX+2^=Y5m6Kn2mLY#zTJ;#==hD;!K(;-M0M>u4^Mzx75J
z0mN5-p5f}Nb1DJQ9D0(TSE8A&bAUD`hH9rCDfR)_R~VqwJbLGYjt}pHlb_cvzEQI+
zFr?WE;)q5Dh)JFi#O=cSQ(~ee1%TE^3#_M2Fs&i*(+iC3CV406ETrG%;>S~v5&etE
zn7zDgZ~BpCeLdgwF9A<MCKT<Lm0*e@DZLFyI2`0EmP&bI<isYpo4a9pT*vOboN3&r
z3>8rusd1FMEegLeQBqGJlFxMVm`2J#g2(hQ8*eZEIk<Ik*4>@v(N#H{TnU-x4AzlM
zPeX4<*7B-BA@0zJ#Frx(uyiDR4#2#1T$V0V6O)UCsODa6R&xv8;?oE-AVxK9L$~t@
zf3L4g496TXPOFIAO^4ImDyr&)HOa*t$sx<v#FqLT_xJluwx{7fojFNbgau2ySJGNZ
z9j$t__+(zI_K&NCtC%BbvQkh2S5vwtA)#fVkyn5>q5x^%401O_+h%y+!MYARvDvp2
zmIFB0wEL;vag?tIvwS|;jo0u4JtyS@<27G-ty%h(%q0P1jqD0VRV<nA+x)-*F;>}!
zO%<;^QwV6zztO>iiodC&sbLC)c46-?4NV#Nr21-&P$JKQD^_H781y2^*!Z1;2phla
zO6wnm;3l3GjpnBUnuj_Qm&$MZQH_;=t+(gwCIQX0)}=ern|?dJorPXCR<Ih5{7$m3
zX&QrHHTd{L`W<h_6PIy@2;8W{+Cb#4)F21ugzQwJGd~Ai4RWz|ghV!sl=KrvJ8t=1
z>n8SfOlg@SbMa&9`J-Q5I=ZXIz}so;t61WJUOy)L-8yziq2HlVd>|-2BWyoA2(wuT
zDt=snt#16=cflrUIP5}+fnxDlFbMm=?+fAmRt<4%xZ;4z?n{QT2w&sGs78EH9#did
zd?#&H`XyQcH82o6noFmbOw*~dEHcRG9{3|^Q3?ue)e8jKlg~EKP;Jb0bPjqVGkP41
z8)0R&Xi>4%{wn1myA3^}E+18{ev?zQDQKjze#4XEASNe8*%VLvBwNIfOPW=(e?@z!
zN=w}Cr@2H&sTvLp0a1ZW_IL85*3@W3Uv5UcEXh;p@^LltawDvfxIE%yUfJATp>~oA
zD#vdk3zg*K*FT=zVO=tKIo?zb|Hbas|LBg8b>RlS=WpHc2T88UK%u%Ht23L}qgKA^
z^6;sx=R#lVp1r#x8vg*c<SYN#YwS6;F##?R7`1VMC<9GZ%-lFQNDNzD|J~0b)610f
z!wv~bH+w94+&7|8s<GNb!z-Co9ltrdF}Q|}HG<0yg`q)ru>`A-=8&%jNV~|IcVEa(
zQOS{wXs-jBhkB4Dl||LgGt_Q(UAuy&P}Zjnnf0YC1pt;*d;~e+<}&)Q0+X74)e(~Y
zwKukV!4=)ug9vDLMbef7u$_?JPOB)ej_3=Ay6Z-RQ>KJ_9Z^%pTbDiB^QMwR9F}v8
zzK4x9tRSoia5Eiw;p*6~riD(Y;v!nmQ&HR9G_-JP27p*yUB6hLz8*=Gi0;BCwl8Oy
z0ER)Ki5LPYRt9R8kJohb({i#vCAIf>+mDzpRcA+Ew=+cD8Kc3%!+Vu3u7~umSItS5
zi;J3#qiy8H(kmiZ<`E@pL9MW4YDu*F-FX67BtuLm^GP9dg%vk%Jlm)<NI*y5^%aa=
z0mESUB9JYn+7;4yY)h4fEj58BzZx?qOCuK#!y?CezoXLHYd9Y^`!+OI2Qp*()B$tT
z?OtdDu<MVw66~W5Io9Iy!kq_stX)r`RmRO;#5(wy;w<=raD9{Lg~Ut0@S@-LeVr<e
zBBl=td|aj})N7pcl9+F4fXdi@uE0tMf9iiQfAG?u^EZLwp$#R@(B<Z;Vpu*Psc2kp
zIsqiJrRl8o&E)G%@=oaGrquU+X|Yec3z{$vZqTl+D{_KH<Gx>y0Ss-76Mg({eOoj+
zLb%gw7~CLa#TY+EFUNfX_0Tuj%vcp15KQWxIf%>{ASY$in>W89TI$hbb7m0EsPYRx
zW&@%z$j>K>H6orgb*4A~bOVs+ge0fu4KqS=9Cb}?rs)i7#6SyQhWvAkxNJgpb^y2+
zv2TJ9Y6pFR%wz2un5*)u!BrWzwJHfS;K$d`bjjGFpi1~NVb3r_zJ~L7maP<p4`bLL
zG+KiuTOB(}fdqfjP@OI+b||Rpu|Ay!Dv32h$xWk@d@j{b;d$a5Ea+m_hzIKnSV~Ld
zXIhrdAkXmi_yooT08qg)fM`)n@YUcU+&RW$dob+KnkDtEHV$!o<t4SG_sv=#*^63g
z{UY+(erK}G`?Z|P&#@#kCj0Ov9;E8S333m9zeo^n8~AbLm9hwC+a|zC0VigMFRVU~
z43-7UZdr28A<71Di_!J{t%$f^H9l94iYVky^UtSzPXJyT#Tcv-Jg*}xN<So-EoNhJ
zf4wW>wFSbB`Y{pJZ=7nP07<U3kG@rNXODZoiUeo(tMuamW_7hvWADDC$1WS(wqAwJ
zD}(K5h8}3yj<s?6wc-{5eW4kp6!ycghx8Upy&Wc1cG>Wf;CiI8X%=?ityxrUES>z?
zMW&)eY4?q`szeejMh6sp8yi@T7*n_R^E#$;FlVhxxkHT!FLl<S5c0aNncHT~G(UEv
zYP?>btVYy#ED%)PhR~@3j?}H1gHC5yycnJE2%5&V)4C?F9Z(bALJ<V}LBiSYICyh3
z_3v01A@{hNY5hX<h(os(^E@A0_IAM_JjQNpX=x;{L){A21_OdUK62<cDAkL8Lk1cP
z8$pp<;P4=2ACPf+Nq_c^@pcyTK%#%XqiE=e(O{5B<!EO1(`Xq$cTKn8)!?(l+>Ez8
z-02&Rh%_Ti$*wH^X$?&KG+5p1?7FZ&k{vmwb_UF!v}TB|^ciFEaz1h@Kl>p7Lkizv
zvV;fAmzpCmT^p(^u3Z6daiQpnfXp<-QFUP0`pH+p|8w72%UxyN9f!(F3DiP=D;l>J
zf7rL~Z)02emu1S6{c#qe1AmP<j@UGhrX)GV$TXw^&Y3;c1(JNv$2ao6?>4y!0dbV*
zJCz=}#plTV_$xi6bMtsm6;(ROnJORtv4v89sm-*<9dftz<whQ_`^Oq9Js;N9r9NrX
zhUPJ)Oqv)Y@Zk<@r`!}1;fkfk5^+A%OYBF}T0Q5=9AKshFw|_eI8%-fQx%^4jJJ6s
zK$-A3GaJzgjw-Q`u?3m=ObBLO6~~@j{B+y4pwZk(l{Ywi(U#s>Y28aLgc3RGjYMei
zO4-ne<z=$x@MJW8!nJ|4Wf`UIq;{JT0WMZ>B6z|L9YJfePh~OPKHuse98bmF)|>-F
zR)l*-2if7h6`#GZ{6j~``4~w_9i7gGLN2{Pi+WTHOIylbid`#<bf*@)g}0CS(qEj)
zG>U_3=LRPW5FUNqyyul_2`~9TPLE;uhy_}D#EBN+xU)n^Fj3*&V*`#UPW|gc!PTyy
z>KhYqeS5crRZB2_=HPo!CZ{#Wgt3YKYkWojU-+-g_7UxEQ+Qp-xWcO)3Gr;F<5tYI
zV_8f?j&QxwP2-wpKa6XYzHB`VtCji;ALF9aY|M2h(&+0g%X<HX2>8A6AlXtXG}b?z
z6m$mM>vfd7J{Bjf>3QH|)(t%aRg+o-Y{pG~te5xt?nup2udI)@hydY@CQP<GT}{;L
zI%`~pt~~m8yO>Wlz}<*MdOm0c*@-HvO0o8RcwE2xuvBsGn0X8`J&AIDIQ^m;tTAY3
zxo)QH<3{smqv@SQ^zFcGjd$Hf59(dd?!S&Ux8l63P9z#S`F2Y(HK6N2106$mjC$cl
zcO3aULCOA@s^!+x*E~c19vM`NA0WrKi697hf*jwTF`dk81u;;K=lzh5QOLimYimS~
z=irTTRd_p;#HKW}<U8tKte@y7e>B|v990!37vbVO7nI{KOMRy;+BhMjNkv+`^38f;
z)U`NczmA&mI2Jh12Dis!h#P&C1!}o<`NAr(glZ-}EC?X>vEgdF=asSY*`_AkrziFV
z2c`9kuA?B|d37#VZB;uU2=fOF@aW{0Rnfs$dyO;hQ)pUJ%fcl1LXdg?$P54PjHH>s
z+oB{|MLS2<EVc=(Jo=E3*sezb{(^tO0yqsDxfM`})2V@j;0ty_F8~EXRyx*CH?e7F
zXQt}+w!IJ4GArPD0a{_>H(JM7GC$IevbxAp*?o(BeG%U0Hce@0;&_+BQbDDaT@%)F
zpT|guhn2Lv997ZU9?}VLa%#a_n0Xq&h_skBA92oVj{8KjSWP-yYH_=$Nvgk^K(v`%
zoP<|l2hXzAH<6NBqA&Z9M53!BiC9s(Y~oK%kH-yfD<rDXbi&EknC1S*rLW=3Snkg-
ziLIRqu4LG*L5|vZl}o>BJNbU)H<U>GQYYOtvplk5Obe@VWlOw<y)-Ng-h8KBTr8&v
z60J2W_ZJDLe|m+1dq$sl<Um;rCmOW7qRLCRpK3V0UZj3V4|FECRI10!g(9t3HUkR{
zC=V+a@VP*~DcNSXDndfL&wRYrLWQzT!@XiDym2|oWuEKqbP#C1A(O=KKgzy3RZ(XB
zs5k62Cmc1A8B3}?7ajO4rl2yAV^6NM-EKf>!d-^Fp|o45%(=IS6p%%CJ7`s@?7dD-
zZC$|58RRJ!sDn^4$nI~1W$P_3D>*`euOQ`-t;n%rRG@=(X*4BL)C%oMG^7}a^&Ztk
z;u6s|UxVCGUt;?<<rjlpho5JmG8oEktPyXp?H$Pa3(>8wKS0$5Xs<Pt*iX*kdzK22
zeFKg-#%{XerFh{|TKkh1E^yM<)5z;|EajBkfc(c=^vo>q?0{Ob3SST8vv_Us{`p9w
zK;oUq)1~5v0)nj%X9yfr3bJ|1?P4vG8~ZVq!d2UGxr}b13&xJeR)A4#t+h+Hw5q*J
zb9NEL1BE*gQBqm_(Wf{3*5}PnamAE>9diY9rAra5|CNyM6`OI|Yq%qSZJw2=h|RlT
z976>ui(R;VL(jKY@{~AzIt%9(x1&DHg)vU-|Cy+By<fkCn}2=!DcsyE<$j?LU%mfv
zdi_V2sV?-B0O6|o|D)vO;?uW&*~k8mhe)nf2Wc<%5)bv7)@8d+BK!i-qzs{%nPJ_r
zAI!B8G|@Dsyy5vzJ!_?=nn&tHUb{bA>26>FC$If_YDBnj_S#}b_QEt&up~8#>k?l@
z`8|N1b+@z73=UmseTiJzsGKzL_Hs1g2;!c|N9pi`DYOP$tm=Gb25N1honpF4Vgw;3
zi~V;BbxSR6@b$Eqk&GgU4`A&ho`K3h5q_k-q>lZ#)-a%6|2|wnGLx9>$+OQ|^q&Ey
zM%9(#2_}w-OW1{5Esj))plra8BLEy)OjUU&OIU251Z{jJrZNM{?fXDCa_)pqNo;Vl
zVZefFh$C>pC0hylXFw<W^UHRF^kRT}{#Ln@bG)^nX0SwNcCv9wH%i6oc=5$M^A9cR
z^8YONXjDB+r%bC-#~l2UT*ID_7i`f?DtrKuOt<o$_yW=O3F0H-RO2AGVfKI`s{>-b
zPVXUsz1)FxED&+G)XXjl4bz6dO|;v*AgQ{-3lX5jhdldg)c=`2SNS>MMEz)`KYrpJ
z^vV9o@r@Ng$N-<zfJpPoM5Xq`*21F~>izf)pIHGZ>?A{C;rG^89V>X*?G&2Zd)VFK
zZu8}c43*Tb#Ml6(PaDu#0gVObySDy1L{cXfgVo6li=e-YX1#`9vaokU)C+z(k1ncM
zOqs0QJyu$;v0EfKR}x|~t}r$SV=^)_ifGFl_hRy5-ogV15G8>iLM5T;08g+}_ypug
zpg`BZgK}Q*AN5aHt<i&YMha&T_a&eDcXBu;>)!Ex<Hz)8^Unl|*^Z~sfFZL4Ylf=V
ztAcH#O<Nsa$`?3yq$3wT)2?AICVEUvo7NneoH>ZdVU8=j_%4CA?;c$W#U`Om8DM$+
zydydOy^I`RwXu60=~vbA#gJ(P;DABNqplvSKF5TTGACxW$O{|P$B}+7yD|HbxOpiC
z|7xOC)48SHGaNw+sGank6{Rn9Y>jlWq-**#wG*uTZR`uf(#s;1;@0Z*u{Y!^%Au^_
zUG-(S4n{MjIl)mw^s1>TziWVwe2f5WdKihE;4Q~<mgMPw!iw5v^{{6(C0G4V0dmuI
zK>YLea#w=x33Ls5L7W_W*|I|5i3Po7*Hg{+>mh5j?P*X)7o&l!+_%BnP&Bq*G$Igj
zNfSjuxTYLlzXKSAD^mbgOnZ1%2Hjg7ULovcK@h~oUn@ew!-q-Q1x57_0-E<FAN%*>
z&KWrS?|%nO-!}PCUN}Cj4-E0D$N_#<>p8uK^Fo{04Pi)6H!ot=lAZ#DEI1RN@e!5e
zVz@QO-xkjICI<un%>u6jpm(~}IUs)K8SJ*yijv&~)HrqEb~7wEc>~{q7+aH88eIT_
z=p3FDj{<e8z$yH;|6<TwPzo(*%HAJW7*&FcN%mb+f>TvS`8o38eDsPIQi4-##+t@(
z3z=D55mK~`$fT4*uDk9ezbvCOf81=2x^~wpsNuUVv~rl09d7})0^8^BuF}MWt%y-)
zzj4ZQrt0IG$gs7+d81jkoh-c7swYxWnI2E8&>=NVDW#&*mrCk8_i_EVxAd;xGviPb
zc{&!_YAUsL<i+RP9V}cnA;+oKBtNQ9S>SCa3!3J`shTP4K130x7o2_HPqw$a);-1w
zEEJ(|eM_)=@k{_Yx3}c2@TY4r_sLCMm%zTSo<FtfKOsW%=2>~TX$6)%MY!6OS~Q_9
zW4^0z3uY;j(4P}9v6OocSAY#mCPkA%$Hai^5S4!4u_rw2M3YYhY@u*jx=xkDe5SI_
zZyr?330byDwAiW*<y|3np=s#Vza(nb=jhtaL}w%A!+Sa<l)dVq0|evuVDfF28mu_7
z4${|-2I=?~CL+S{iLeeq7QRT7gD2BXzU*G^4DfZlfpcYz#=iBibKQ}f@o|3G-Ssr_
zao)tN$0D7yDjr+ye4^jVEddQ7wtpdIWr{DOx<n|s%B1S)*mlIY@4|}%qy7p$_6?y(
zf$GM~bxC^k=Tefst7zq=lpe&aA%ol^8OL)hi+!bE+6Qb)C)P}$oDlO@;(9Dnt`%RB
zINiv!;hZn~5?PTzCy#zq70-p&&n!xdDG9MJ2|-+rY3`H%*$iaQ8>}p_ie2~`$}JK2
zfw|Y&2bN6MBj4@j16NwCe+Foda$*l<8oTT;xfN3>JkeS(Ayq=@1_DI|{!G&;YvUlx
zgRNGWgY<hY?<d_ByOI=0n2LLou^p`zeU9Q1<ZT1GeXV&3TZMZCRWwB>)L%PEa^C*v
zu#Lv33i_>Tt<!ri{C=F?dXz~_jy=r5>Ddr_jnoa%paJzE+Jgp*-n=YhxYcU9V$<rH
zJmaA+k8FGY=2g5u6eNv45>84!yPD#;%Iq4XY0cG_k_nHd72c%OfA)F-vxso{kQ5(O
z28oln#L6F$W9OTm%YH8GL?+5)J=V8<7@XLTPmFD6ntmQBXvzes5eE@%WkO^T-qGR6
zic%d>(fkI&14RLIEt88?<nRf8u#!-Qz<td;`+?u&xuV%$B*f2)w=AJh|3=PhW2)zF
z&_Ls*x!^gTMs5t=%x)CN0KV4|Z<D0z<(c^Hpzmd)KRycrNA0^KTH~-$KJ=@JCEbY^
z(C?#?why`%He;ZjL0I_Js9$&XHTrWNm@AUM+5w;1W>anfER<_Lm{VI!w7{Y>moYge
zSkOXwkrM9%S*Mh{5?O`r^taL3>T+Ey<lWU5Z!5(zfK>sBkoL~C$@VqQ!**Bt-}CO{
z$^Ldeq<Vv+kY1`c=;h1{WL+sa=}2e0o-ZKF_c;TaB;mu4yg<=OM+-5ZD2cwtL7Ax6
zn@VPoO@IA+#W%6@hu)-@>|M6Cgfev$G&7$X39c2gO8k4mGX1R<kZ^_j|Gs8*xq8v9
zUQuO&C&pq>GKIxDt|A|1ezwH<59&R@gfEX{?0t1dD0+rjy4!?O$vK_oTML_VUN;XB
z#!jY|FWqu|4)`wRlV}S-D)##>=rY_ZzS$s=abwUGDbye>zgMxjOCwtCxY$xvnMu>)
zH3lJdy_s@vhP^5XUzb_!EXz}ZWSo(VqCUu^;=9zC8lIFAqGD{ST-1&PM-|gG*n|2G
zT;4`(k0rHRdlvB4gV{G|>m5()CmN2ksyh{6#BjAmz7k!1t>Y+nkbNbNlhoj5tf8rT
zBAH3vx+rf<iKl%Uvwb66;-bq;>(6AIEn*9%+FfMpZ%S{U;v+X+hFHup?b$6EqMw2?
zWp!Q$<JA?c%$oT@2!z^d-Kj()m;yMz8d<kX28mRV<H>i;x^BXfSZY4@q{*{0HFJgM
z+&|UUNK+!e9l+XKgn}+Lvl&l2yhYA1V_UsDt9@*#=g+Bp5dWXc+Vti-eB9E^AQ6a|
zJ%~(ohaX)f^p`c5%ai%Hc-(RFu-ojXD!i1z*az@_;e2iP<i_h>>-6>+cwx134s1e5
zYK`EuytQ=4D+9oq1g<KrE}hz}G6CWHbJq;?8FGDPbF|MY-A-D=WoF!)yc`Cvk6KzW
z%9^W>W3>}~TJZ4g@<$e1rRlp;bT==EFXk|+t~Y&iXE;hAu&0BOM2#$g+*lOVA-1L0
z_EZoR$V6({Wb@l<^4Q(hG?qWfi}x6)H{dZD0#cwirN99%dUc*xO{_~bf6Zu56|UxZ
zxpJFPGE07#8-PxB_QSL3W(AAoOq!Oa&RJi{UDIePZ~ZYWA0Fl&NNc`mHW1nrSz}Lv
z+lw7Fposx0DrIIMN^|FQf^B`1K~WqZ<P_DE-j)Y!zu$|TG|(uPU=T)&OQgoo-k4L%
zj2h8Aj>MebjpKm19Y&Ywn!*S1pLVEU@!R;OX6p>_tHl+y7Z!2Y(G3aVVwhTF1?1KD
zfH<{Ot4?5gyJ|SA*2dz&?<0q&pxV~^zk2@cdi8VP;_hIIC!S-zaD9;s{oUz~`*oo?
zwbNUN_Nm|Ge)0XkUyMWL<Sv(CyKcIz8?;Qn2brDw6H_!bZ`+!o*>eAsc!mG;t#g0L
zTt`m^oJx9dt?)N*x&LmC|6kLmmED>Pro_G8L=9U3Hvvr(BIHGGBdR1TZ>|wJ1LxZ=
zAy=`vqOQ=an?tE<L~cNJe;2ihG3}KfG^=+;??yTqP!}Wnabkgy?U2{pnxzocc#EFu
zn0%g2)vxHX{@&g|Efc{VWZXod%*R+t-FY-8HUmry>28;QrP1_oxIh-|xfDm5wA`wk
zf@+2SwomKdCEDi=>;&(lt=xLK6`rel)s={v&pdBO?g|sPT5L?4KWb>lEC)D|mVFoU
z?x?54qvuzxi&|5?&L6tHyW#^u*LTjFq!|DHg4597oV28*akpA@;7=t=J%3v08ibi^
zO@7e~7&dfGF7v*4!}=-eoQ)GV+(sJ*AS5?qTRwpO=b%E9K<4cnWbjEk@sBh{Ua?Z*
zmTx+SBKF(9r~gx3VE=ZAf@;UBIb$$>$WNtwwtzy1P3S|UfY)Ro_tXq1$U76`Z+qrF
z{7%y}`^qHl8K3ffaNZ+RSyaJg?P^+b#lp&9TMic2R5aAEA$ZdTn~xJ+M>b<VSoGt9
zht&LnPTU(sZdnq0G)7yi#eDE*_xZKqeI2-`*K^N#`LSbIycy75M*))l+lQf_HL`&C
z>CNKPeG*)8oqWurXQ?kZCaeqP!d<z3W#86!3!I>w$L7TXXF~%p0FLLbN4)Z&nLWSr
z<Lf@3G^Z*KC{GTh6#gZ)f~|hk?caE|c5x1?vl<VRlu2&o8NjdSV`E*Ln<ihcs-@U8
z$bN2r)oz&t+5isuHO2IME?HteU4$1c4Zgf20A#1Imh!dn-TjjNy)I~|qg$Yw<m8D6
z-dUp{TPeQY*#xdwT&*qaKnKpVIYPz6DY1%q0A{C?w_bZPo4ttQZ|h&v+ZK;xghcDZ
zQWQmx&D$R%NvburN0*#C1`2+*x@(<o;!>)F9roBzvLa^OCJ(W1t_*jMJzZ`pqF4@(
z?9^STdD>Z==$~0BgDRdYcBvCADSx*3{vp@s2`HxYS%2RyFN6fSwR_s=BzbN$nUJ}}
zndEvs*2qpG<&Y-+sn)7`7l((guG3thmNX2qAhgxR=FN{C*=Lp36VlPfV|aPZLHxgN
zc$Gts!NQa~44x7%#c`gsmjLt|U)_?I+ktV;{(N4Y$D^y70aIm3AVzEj#=Wf85d#U5
zEigf(JHfLTAv28eq;XSi#~veCL+B-uT<Z26#W&0#Er}lXrQ1eVIp2Xep3S4uJLM=@
z7tUa7V|8%tH(_Yc@>}8fVbMctA#{w_)DWl{aiW)1R%_+yYi*nwBp(DV$nZ3pwuqNt
zj<JolZ*Grg4$=pgj9Vl5lDfleprd8cJz-<xKOj_2&1G3J->bcWtKY2CRcFb^iM9Mq
zB`smv{>N7<>EP1553Mg5nwsm8H9{N<z-yf0n6eKGADE-9xmytj&2QWBEj!ht8>7=q
z7h~;ur;j>luk%OShgGZ)Haa!1r`-1=$UE1*(j?nbVG5m2>-Go!DrniW^-n$Li$GaL
zJc{Q&X;^^k?(e>i;+yvRD)11<1OvDBGbmpUd0?>fWov%=<M7!RL)PPji*az$U2IQJ
zYeLUNtG^=1#2>Aa)B}eH3Q6wQ*D@AgHtJ2#IMM!!@F?gFw)S0-4e+tDnQrqWu?kVM
zBkoncG_n;zcht&N4ppwdD@-PBY{~N0r-6=7p=M+6JD%S>1;-oT26DF!9{hW=*W0h<
zeeZ3Ri?s-zNn@!hi&|`n_Ev~p;Twa%GS0hKSa5PG-%76Ee<d(DJG&WP>~Y$vwz-Sl
z$+?QZh4aU<t&ax2@Q>TU4v%5p#afN1@!#E6?cE*~WKrsr>@|`j{gH$8LZ;tEsNK9b
zD=yK<m$uUlJ-qze*D+@<*d>4Yf0(L0sB94a?gd~&RZY560=S}Y>soPv8&oPcu(w4E
z38&e4<At~UQFU4A$sXAH&v_xZ=<PQrx3^9JGA8j4<RhP^-1Mw2Gq-;gq^#WTas2wO
zlmpXox+|DJ8GY73tq^iatxHQdBi%PIFE8Jr%yr05C)tRc?v$-zuk2GHOn7uom%U|V
zmkXbjNm~q$D+l#1QxkROYmhoC`21$m*qNu_6;?Ag6-9OzZc-z9pV5La-R&<~;C}TN
z%4pDO5-E40{&G$4S^UaNaH)S^&}9y&6A3*Vrm@N{&w<=G_q*Rz3QS3+)ix__*IHBr
z##onvOW0MUT|zV)KDh9xsSBBZ*8K*m*As!yn%nHo{Y?%ylU@zGN8G=!Ci0iqD4ah<
z;~nKrG9Y&TU_gt(+jo4YR-JNGy;|DGDB^FKOKwF9V*Y3_|JxaV|4lxipM~CG3yGOp
zj8Q_;44Zvr%2^sQZk^kW=yHteHvHZ!1!z<~71(PUBfzS9gzUoy*?(D+TT}^j*mZ@T
zlgJEQO6e5r+_v)?G^Co`+8*jO{Qa+fa%Rx$9@fnUqu{x)!D`k=f>Q0dAwg*G@JLWJ
zPIO62^SN?dqs`c$IyU3Mqzp23Q~L9<xs?@E0)6CWH)a}0Bp(QA{MZm(Rdx<mPsbeS
zAbT@yla+QcBN@dSYR!-3tEP<K5pCppEnmW{rcfOT$jLj=T$%n=z_Iwpi2p%HxeYdG
zf1`DoK#^@XaBbNu0DT672xe(-Z^m2dZPT$iO_Z^CYcO;8CUDMI>)h(nL*tRc(Is}z
zb&#o9!<$>M=$Pv9Klst*0PM<Sk{^=UK|^1t>iaSL#qg@*V)FAcld<P`g}}5X$V%K?
zQQ46*t(g_^@e5a1tAEf(XP+kqKeoF%X^Fat_EFKixN!O#&F8Y3#73R|Y=M4oTgl_~
zGfJsbog+yxGH8V<*pF}hYdh)<_~?vbz+KEosL-`x&rhF&WN(6Cy&a#~(t2fz>G1^t
z#ToesQVzT#VDkRw-dI9acKAh{)vBG4=nYY^#F}F?8L=Lp3B$eXSIL}Ar`5P&LPo0D
zs&M(onwv^#O;~zn^(~f>=vfx+mG2b8N4qznhKaTx3g}~xKd@3duy6AhC~UB|5N(GB
zjNCcD<t95ZsKA;x(1-sJ?!qpX!<=2iiWIo{_=ZFf^wS+(SS&DQ=AcBbLNc7Td~LFs
z<jy{L<%f-W@wnd*CW?HMAH56!Ol%o4b9*MFOK8c1?d8!}1z2;rM(6ev{jDfc!zxkT
zZcVAr>e!YRyJ0T0iSSjWs`k+*_U6iETx^my+6y&4!}|LX8RUk7wu0nPPLjATj>ehH
zdYi%-5S(Cjsakv4i9#6hZ#<XJJhCM0Aj4pplNQO=Gvdn4CYX=|U^+^yH&-eB#kZ=$
z5N$t!wa5%3J860&BU@E;%z!B*vqj^0Wu6?hKP(e0fW&Ssf=4lM7-eXQ+DT|e$o|3N
z9fQ&<7dETPb{tn2B^j$o_;uDbEq-_Q(}W=VDs=$F?h4t7;2;Q;>0~uI@^jlu{Yv4u
zE|?QrCR_KjN4`5;Z3|_Ve}M;)coXDRJTm=e=y4{K*LmBJV;fYiscOr9HSqjDy%6BP
zXn~fYzt^Ta@GE9-?PY#n!0Y|)9WeF%Zsg)G<)n8}MXh4(hUCAg&IztoQ~$K^3Ke8^
zGwAcYL5kL?@%A5Xf4)>#D@*z+78?F~pSM02<^K!vvmxwWBe?$~lK)>aK#gBwX4C(F
zIOuSG!C$Gm`theO|7k4rf20yz<zvi<n(WTFR<3aI|2Fg1G4O=n-(69^qQYAS9^7d}
zauw%1R8=J6$zy!e;)&>@Dd_L0O-QDDdtTHvHv3eWIayIh+3BO|om=#8F)mOX{psdd
z%>+l8rV=>m_@05puNiBG<&6<nh4y__{D<~Pu6+j&@|7``j#qPh#%&K;c@9#U9P#u<
z0W(Y3%1<Ec4!%r|OjMhnTYszAPfmV0l6z7<?V{;HwbQ2u6+k5A-~;Si(*s+apdwLs
z!mu;iOyTdsbCSspDe2z_3JBLOnG?bl^XG3^kJVZaoyVpJ4k3tTP0_J%ss>q=ucVnV
z(#)!Dx(7M9Z%;!1kCxD!ve8|E5CZoT3d$~yJyKEYpX|(ZR4f=xPUcCua=}ER$_mG~
z<a*`w&Bkf5vt79nZUVaSuKrjLFH#jukeDxUE9kf(s%Y6lwuj$cb7g59p(@sRGJ|N=
zu3ua5fpE#ns6nMr6il7Z>WQX}*wVSpf%inI(4YPKeyL_rR28UDY~Y)BPsa*JUeN$O
zj(-cz!O9WFQ(as+dh&zH2N<5D5rJwQXRtQIz*LQm*~uy4eRhG3FsD8J!~@mI^8vgr
zAqm4Tln<dq;^$wNZKfRGf>Vp;4QW^T?~-CGc%79;)w*weQ^{aVW@bgRQZpf4tVdXU
zNFn;I@y&_g_>SH{07UmVnJwH|%uzwepJB}`H=cy~^J&geo?q~7X}Bmq;18TO9Bv4R
zo`JOwGX!B3I>5kk_7al0Nu+VjVf+G;pGLYEucJMbnyXe_uP>~t@63T1W%T+s;%vX<
z*}w|4Ey#|5Nv(LaCDByAa>*c%xc=RKQ&4XH{Y?Fe_-fVPm*Jmc@~ek8Tz-_usfcr%
zc$_%!FK9kSfK|nPG5NFE*)~Z|&HHZC_&aDN!Wh6eVClmLoa7>E+Gb-{4=~MU{lv(g
z$JKBnJZVe8l;K<W{30U54NyO52v)I$DoTDu4X($<7DZqZFG*yiB<k^3H4~%siax^`
z#JBL~8-h`uMqGSifyXBx_<m5+EwZ!Iss>TfH-rrysZF3}HSVMhl1a_gJ3Yjqr}kAE
zvNYfihizLa|F;>bBjQR$%uU3JRwY`yc}#ssrkSmdumX{nlC)YP65HJvUF2U(8vDL!
z+rw1>_n^GiBS+k2S~OUQ#F#^XPe{TVbzUeY8I{9X+ghGEB)z?{ntK+Rxn>`WJDH8T
z4;68j4K0#untvWq#uXM_`A7ZSWj_cMEBF5lOc)LQd*oHpOtKGYT%F$o!_&t_X)S=(
zzMs-&R<U_56{+8W4!6P&GrVq=w{gTN){(^Wolu_gYQz(k|3_ImT+k^pUsdhH=+nrQ
z`CF(Qb}5(EC|!4;n95~xgUB*ku%#@?r(!3*<X(=~hDSW!LKske)>+)86w=wCA1>?<
zJqQvaBoH!t!bWB}_$5UbJEi7lizE%dF~n$WSM^y!%E&jDYqC~vRErbn#N=)gdI1ZT
zCs>{)+Z79t+?PSIwdD<pw5Z3uE|ikaRCQ(Wz?L~qe3yn#R(qr&5Nk)UhZM(S#I|oa
z_0&c~GoKG4nOsn;d-2veGne56>wWvwf3|J>*(gnZ4uJbgqj-IY<e9Yxv|lJHyLcX=
z^RV-vOk)0F<+c$>xS2Gp&}cC47IxZDP9a#pcjg8ieUl}LA1O0gEm5!<WauBpoMaZ@
zVlNWefBS+8Mctph<L4!~*Z>)nZl{4<lQ9t&-`N*~!+J_C8RfrCZO+sjpA6g9szZme
zs^00e>b@Tc&v!xZrwqA>Iny6rV7*~zdKQ#kKRjkqNt^g`-l|Fm0-+5*@On{p_9eo)
zSU?6>*xQq?K}z0e=-yn|jLUm469{SZ>PWtp4La6-{#4?z{w($UzBGn+X5`M}=0H&s
z5v;rC@w~_An7nqb6#mVB<?TrBvX%g7hf*z|Pl_)(E6)rAUoxQl!&2nS<)hu#r^6cH
z8KM<R$!hI-ArA3s+3cF!-u&p2@zS-NrJ*qqLi(Khc57BhDLQ?K+<6#WR*2<V?vwd=
zwXv1Lhkwfk-w9>8J@#+ULAr*sS5O!=-%n-dyK7I+2(SQ^R#gguewO&}nlTtfg2B8<
z_TFrd#q^hJEm9-a5}N=55_zrW-&J%+;S^sPleu&eh52}d9AS9Z+8WMyM<h($iRdii
zL;e<`01Z?&>l+_}n)plz84F|GZ%02OhnNg-AHV(e&i`vy*&>t)Tu%bLgzoQyi_rYD
z+Tc4JGz9RjY)zMol{o8KP8=_;&@gf}!a+kRck02EWKBo*D0C$kD#+6@j9I!VI)w2`
zbVes5zfZ}U$Cez|$vl&d@BI?9mbeU2%BVo6pVJ9r?|0Tp<i>wdMn3v2&V=kJCZXke
zT$Y376pXh8`9q;A)E{(RR1BxCigk_sU^*>6S!sjI0v5PBP3HOT97jY~F-5W;4G{Er
zHT!Da!{^t)CErl5IGv2qstcpS8=v_$q53|kGFUz0R>nYl{DG(dWsv{l$M1=S!FDfa
zmhl0ac|;VlI7)q)9xE9ca-~OcBUj5Xh>|&;^n^!=nsT0Ngb4eejinO7m<9522JcCH
zJ)XnUs%+NDFhHI<Vm#6MxWXJSw_#%O3-<*p<CS<kpd!o^%R;p;%$=<o3Fyf1C3tg6
zb>+tsoVBdKq^u?$9$W#ma#8{)u<~c!?f1uWmK3LmH@5CztzZJkWOkv~CI`Wf+kXw;
zQv7m_GF*lJ%rR2~*!djS-LZtlj%bH$3E8rQKGSsX)Q1U{Ar%uaB>-)<#uU*^lY(Dp
zp{+pr)F{a|51<`{hVYN^ZA;~gb1Bc&&T96yEX=aZTZ@|4@>8z9Vi%NZW_D>!HV_lg
z=`!`M#{Pj*y5wNq_AX>#H@7#%%K&n%Fe)>b2Q|vL-Q|v{(!WATP@E|u3Q*&gZ8mxC
zl8b8B(B~q`N-44u_FC_p##L+b_&@RNp5Hv$9D?GyNDlss4x&|_4qZ_LTL_M7k)(hF
z-h$9G?pD0KB3rpS5xm%Rg?*t{@Z5~-KTW&#+B3>?Q9FXh8E0k8K!o9}$De<2A6w4t
z?)xup`%UNh)BCMq-3yqP9rw3=K)FZ5+AI;i;zvLdQCE(XTJ;ADjv$p^<ZW;bOGp0M
z{{HWi$bUe?|KBJ|R358N6+U#V-(=kKgsX=EL4GeFo!9Ks*dvd*)X)=V-5>OsHs!*+
z2-vWjS+l`CVjgwCTNoGF7?VWrk#DaOX0)ZUoLS>SOY3@rO<5W9BJT5?(k8iNB#6E=
zn+PtdZSozNIse6xBHjdyWhm8?>7=9oT({IH&hHHqQ)HF#ztz;PG68=*Bk-VYr-vJ*
zJYa$k_vZq6_L9$x9m3Q5!F;<_L2mGk{mrg;Y*RA!Hj+BI{4qpDx%m7jPwmG|)2{op
z^150TZUm?(&uY~|@43j<D>=y=+*H4X7Nk9)ntWGVTAZU%XKl#EW3`&UMPT|yCQ6yG
zQh==Mg5YGAfBta1xBz`XMB}9Im%P>oJ;`0Fmp|LRSo47zQq!J!AS{o9SCL2&UK1kI
zQ!~C82^n(%UwlOAU2>z-L)Z7;kO>W$zgFM4D@o;;bbEtbp%u9>V~|x#2>ZzcNyuLt
z<=1pr_IZSPFDIFwUhvqxaGZ;xv_Vf3_$hkSP)IiRbqCOUn<uabG+XZxSa;5WYJj*B
zd<iV=6`3yQahxWhC|p95;j&bYlZA|f4>L{rw4$RSCYLjzT9<WXgZ!uZ11lHfpCBjZ
zklE_kxLfoNaj|PU{aX*|ty9-jMoZMZsvAHiO$QS;5FXKT#9?Q?YpS6Z+fdmkL}qcB
zN8*k&_6ppNGVDfmOpXd4y_$JUTVWHkfiB6Yx5WaOYA#UWF{QEs1dLdzevCBqp7OlB
z{z1Qwm$sd<Q_bcHN>cMqv~uAtd({VFc2z^dz-5GUN!aO5L(h|)tD`O^<Y;uU9||K1
z215R1q^HoYsk*I?a3cQA^_{jt+tzEE&1HAOs%!c>1sIjzJsVB<DNhE}2hCc6_JE0m
zLd1UH9FEk}VGE3mT00mV3S{l%20R<d1y?Tywt^bV=HTV8MFp55@TX$KL=RMVN2m`x
z+K^Bs;$_;p%Ppd)v)f?Q*$VS?n`U<<*=?TRS1xVOPd~llj$$zI@VnaE_8tyY$^)uZ
zuiav-3CH0Z?Z!=1Y`O}0su+;U<SUVabt3fXkOY1ek-&%tla_;O<{yO~x{3#Xd+~-j
z9si>)dq=umZf#|001SJz5-@N4J@7|Q`R)hYDyx6UA!)W9N4}qXpNRV!aR2KRbS56%
zy~=W&f3;3pd#BK`&Kk3*((H?^$fW$pi}v`oTj_gzRZLW#Tx>7X4!$Ikj8OuFAp#ra
z=GMn07qre1d>&F2OHq&0xe`i0e8Oy1tvo6&c8C;(O1epX-}Z{@nSm9)8cP6$siix;
zE@{pC<gZvealj)}rmW)9f>i`vIx{TMOq>!e^=&(8Q#MNT93#sN0MSQ#Z_lOn`@x&>
z!Ws3ewZ1+W;jUWcnW#!<kwD`@IqC!T6CEggTC#Juq%Jw?iFUhBOzVlIH@RdjBQ44?
zPv4UxwMWUty{XY2eU31A<psEAT72llem1-526^Y}A)S;Rd1mnlcC{i!<>y*(zWz)1
zE!dLX#GUV1W0Y~(F8-*mrPhW~yLC||&EN7Ty)o6I{f`tRMdB6TQZP`vS9AKnYq>>F
zWLfc@tH_GFGTVvpB%};DO?mBg6LCcJM)3YxM=}$UIAgbgm+ipM*{_s|Osq&3;lZIA
zhZ)D|Nz*()Vt=)^Kttm<|GQ#UwP|4w>sQ@7MQMGBa=ol0O%dT+_eYd~zV;wE268*9
zgDSmc>+D(k5UzdjQoSeGzKwJ$tV`Kzp^=zgly3%(U)R-iLs3Az9BROJruX=<7&B%K
z3*W_ly%mR$?+UEfjtYX9kw|x}mM!XZ7FX*U%iEj|1*A9L9$2U=QTC*_Jy<MnV#rhv
zIO$qOx9e#Xdkg7OmQpx713{Xan_!*cDb}0lSoSkZor0wlv`MYy1jjzPDVz(P9}rI`
zdiYk~#GhEQqn$)Ju4o!K!N+6XY`5g?|CR#QDRO~8K@Hr~6r&qn>n+ycr}$~<3@u3~
zB7wnEgH^(<f&A_u9YAt*eGXb!WG>R|t|$t(W`AojY~>zh^T`FR<}_ajdeqWXNTqAT
zjuh+SJhUcF2o1tcrVRWD0>bhnB?gurfL)CX&;gpF7eWpGm47=6q-jLJeM26b_wrlY
zoT_M3b8H3L1VvR6Oj^0Mj~Gxqzvl_ny#Cxg{QVT*QKJWM7B&r`tV6z9CO#1^JLWj~
zr9<6vEqrmsO@7$~)wHe~XphK9QQt|JPWDV+LGlyb&8E8~Xa~!?f%r7mBMsokjp0<F
z6gKwliiu8UymHLjMcet*O0^|++!%M&GNico7>4YsMV6@&RI9e#(hGG@?MmRGqeDTY
zsVp4CAGfI@+AN3l2Ak6D>rNC~vy11+z2@Hs{%Q$5%HFDPYBS5lNYP`3v9V!7cEb&^
zy_;8>S~O&tyo7nvrnFO#+LD7uHMeT)>k~(gksVKCjQY1~qH*2hMPnr2DaZ}C7lT9&
zG@T0SjZ`A|P!acO0kiGprt|ghV7gC))1ZFQBM7wbScW_b!dPed_y*K{_bY`gSK&)E
zhhq3cN<7tMQRb;9SK|l$meSkwzF7bjJiM%iqg$0TJDZ~Lc^mL797>knbh_ROc5_sV
zCXGJ<mZqw>4<&oFkHBCoUy@6sEb!yPU><hyuXoJPCm6c^xN6M_FC*Shp9HU(=yWzp
zyVH7GvuSxd{2nJ?J&62QYYVPY?=h;~koxH232!2JwH_on1-+;w@C<V&k`Mm%4~K3h
zkB7$E`KkCNtf<+b`|WtF4wn0zvS#NcU}%VFRl`;y-ky#6B4Xu;*H<??xTLRbN}x+s
zH5;T?F_q|%T+>g}^Nr}<_>}vy(;G<S6?*$a7cp=KvQRk~jI0!9YS`1$?z(0m#C1#`
z1$)*WF&3u2xA*VCgX12X%f5?^Lbj|9$BdT4?Le#A7imWU2^V6x)p*JMabxY^gQ4gk
zGGZc*h5oJ?^-U3Un_^N$9&>~BD&mI*qIo<fVYvNGm;<Cm@xGclunGEglZ8&y<Gj32
z1Mlw|2Jvqoue<49CH<w?8(D`4zM--3H`I40ff|DnV7H%g*iS00|A0@PG@{4=3UNup
zuOmPU?aF;IO14X$okjCJK^I`(tp_$Q5L6`y90=#{dCe7Sc~Hos;^f)0^#>r>2B801
zfb$Xh&CMlPeI4pJRtZoag&^alm&}u}|4(i29o1CY^?y4v&R7^L3MwT60wN`%0xFP<
z1p#SNq)3SnQ7I7-K_e+MR*DchNFAvn%}_#56d{o=HIN8VTBL+PC?WklIQQJ%^Ly@h
zt@l~$_nv=PlyLSrSKHUV_WpiuR#%lwF+LV}Yn60$V%!MbnT~Ul(``d~IRMLp#5T=z
zNSu8MWJuYW3POM12l{@NM)3_yO}?{e-_~N_Y8EM1f|ny1xrg(?y}kx+Qb3xHPo>k&
zgc3pVwT$wM2jWS#7Y%G{6+-5EZRR&&D~guJZ*4C4v@jnR8)&6M^sGt{<DXMu^!zd5
zo0OoI1XpsKqb`$aoF7moiLNgm$sg%^MN6HkYq-#HF7(qAt68_7e(@cT=yK99Y{j)k
zFY;2)>*jw=^%prz3H&Z<PDKEX#VCcXBHC??8BKTou#s|23e*X4&ayJZYWb9Il8ZAQ
zICYervjmwjGy+*LN&>1YZPT(eLiWiGo=hH$+ER5Klx!8xjU>vhn%7U~<apVXSAk4N
zvn-@UuDi)Dw$-|up5VwRH@@<!`^52cCk$qXSc}1v_jP4crx2FR3wm8fjSBW%f<R%)
zn65R1yEW@n1j+#1$@gZsG(@eGJZ5@gOPwXj_=fV!LQhs0ywuv)6=Aj7Pdg6R4{-(H
z)up}JcV_9@lYS5#`VrP<N|hE!dKjT0V9^IFJyJUQa;^EJSN69n-{OPn<`4t5$lpIb
z{zqj@`c$5qa1Uv%4exS$^12UFx*r_9BrN;v`vWUrHy_h@KQR$e3EDmSwj~VhBJk^H
zwI@OLtAI$y);xVIPJpU-c#OV*wSB<-O>yo~i-%xVE1f`Vsm?5_HjCRdrgT+ij^7ZS
zoTbYfS9i!4PaUo<;D!!6ve~`!L=;@n-+zxTtvvL{&LwyX#lKWWR5D3DT@uLD?ZpL_
zI3u2G2Dq|PFr&%L&L$hNQ?0!OzU0-#QqrzsA=-sk=j8d$gEoP7AXDG=u8gIgBbiRY
zjx|KtYm<%Id$-CxcA!>fkiQ^e0jXsjPD7MPXcZL&Nve$cL^@sV8@WH|{-}W0PWQ0o
zTRV5p6U)k3nN4NnQAj84XgXE8Ydjc!)(qlLek1(zlEnByoVv}{LhUCuc3L&#{%*QY
zpc`dxh}@`NgWU*J1IG%=O=aNV545xbnG;74uScTC8s=CIAhP&YXD$42073(s82UBn
z(5NuI3jPjQ0-j~zW==+&ytCB%{5Ye!8l4-UnmYS(zMSPLZeSn!CFx<3IUC&{R`wht
z-%fB(pZ>HueiUePdZ2)}ME#*9*`nB+`|$z-L!Jr&+|H$V+L5W3hbrk;=??z%B6f<~
zO5)Vw#I<+XnQNCb)BA-$8u$9)0D-Jy9kg2;V=USh^~vn;D%sr3U~9Wkz4H!(!}+(o
zYBwh%q%;lv(LVNV6e-crn4;IM$0!fdf?T~DeSOED&)9bv?f7YD2}g+f8U@4c&m!TE
zO-AS+SSA+Y3USYd$`BXGRm)Z%xwk9!;#8t5CWYSOD}c7IZTenOQNSVezQ`A8b8eLc
zZGNIygnZ3}4UBq|r0$BJg&;DB3bXXy06f-$ESeZc#osR+r!=<esb=eyHc{oCw|ZE(
z1}egewy9;F(DthjG~N|~)ai;H7}}auGwTb<&rB3e$se7pSlkBp7=+P0Y8?-_3R7%Q
zbSXYk3f0)rPLCnB*RHarAja`lW92)JPc1ZnDT!6?9ZzEDunNOvmnEa%CHv;YEK(Ay
z)+R!@1;`(7&4isJ`MTcD1hTv7+7$2oxZ`xfvPOtwS)vO}C8%Ul58HDi1oM1NE23}g
zlR~d4Yqf@$OwxipFG(qSiP9w=C>52DeuN#z{0zz&1)q`EUOFH;kOYxVb7h*Ifa%Bp
zyz-3UH56mfEt(k_#-@9GyaL-we@4jBtqrMgc7A>@SV14IKl@bSo^ELeX`Fd|VE*U4
zZbzgl2Gds4*46oQFr6}|1GfyL&0`Y{BLb}C_~jVawNwDxxZ$eb-7hcXNPl|h^`4yz
zC?_8^IO~Z?<UHND{ZZ7|+~*p{Zd}m`9a6aOyOp^+_^wYZ#ZqKYQ0)|VXNuzcj!y4!
zJ9q5XFG$JPdzPhAe`|iN*U9|&{5_DbX1r4kEE}e>LGVWqyZoK8Q(6=tGWvfUgFTVF
zYVqcS-pRZek=qhq#Q*gCERcWp>u0-1N0GI^$^S64BRw>E+v8UKzoRMtMU&(0z!Xt1
z?`j+i2$Gu4H!O86oDSaA@MT-TX2e5Q7;2l-zsp7bF9bjUF(&&ZlVN~?)N_noV`vPW
zwT|X+W|a_YA))@H8|tPm9`Ab0?}Y#muC&UI`M&W6;r3IfPx-CZ57y}HqIXdaMcX8!
z(*qP->(x6~ekKq4=kjc!0Y`1tkK}G^tdpm{QJiXbo;f0uy?)HKBHp%5$=`VK>np=k
zOCl4W@#iasK5oe|2xg8oND9z%8dZFuP0&$F+xp@E{2xOlM^9~Unwa#u(KO+`w{<<L
z10Y5tzQ=cUk60>3*65<N`XRi-pmqdm*)aSxP#^FESTIy}JFw~6b-`27AX#;~h)}SV
z)EG6{_jFqp_(R()N)_*WSbB)WLOGbP<eV<Tm!RSWc{9g-mX;3<*i0WNic-Jpv}|*`
zly*5CDhnwWF@s{NckxTk7<V<Rdp$!i1f^V8H|(EBEbHpXuvRrDNm)Dc395Ac39jDz
zekS4Y<W=6+?4}Fg>ssxvKPD!EO}6g6=bx%N2i<ZczhpSmHwYfqoBq4Z7QOamJ<25g
zA|){pIfgt2;Woie>qFck%+Kv-kN<&SzVE}?nrOZ6y{8##DcCD_f;3&>X{l*z-#dP?
z_?V0<x%86^$U?-ki=gaH4a|r11g;UE3h^~%&skq5`qzK}QnQJSG=xD>ShsNQFRgsw
zT=qqz^TO_nf2d2_oR2yBuqVCgTCBdBV$_xs77hy<J>pz8r?BP}dG8jdMq~SCt?9CW
z?tT}3OSr{PFSeQgRz4mk7!85EcKEs2)4CX(jMp1GF8xSTZk+eJ+}eM*oCArJta#bZ
zbyB=pI!rac`WXvKGm;a+T+$9Hp*gp_9K?-pUbkoJdxoy^?(7FY{z2J%W>|2A_cPqf
zsvjFmh`!&SD{HIlnP)T0NN$>xACC}LJbk4iP7=!yPZ|UD^?9tklQPxu!<RaoItWX)
zc}McAP)Em(AJ0#W3Y2$rQ3v)OCo&H@s<n(crzb-2gj}xlRQYK_!aSc4LU)eks@VwB
z2jo)rykEEG&ECHU>oM8bodfn;jb2=Ww?tm#Wm~@`oE>r&oN5FR9yj_fo_R&)kMEYO
z5ppWGjy-xp!pVv<fhfL_`x-{$Kva}ppxa;OnDBSZR-z#Pv?pBre1BxcF%o+I@@C4Q
zpu6kF{&r1J1gu2C7PW50+m`R$+*bBL!&~@9rBhvx^F7R7Fk72mcG=yZ7L=gx1{aIu
z)dzp}DQvt5OR^%X`Z!){qnv6wXqlP5N>Iqk3@(s*9TKW^J3FNc=<AECT0W6?t+HO|
zmdvdN8a|EmJEu!|@sUbhBBox{h3yAOYW+mHripTv!}Tw4+4iySzHt*5&~YC{>LPgE
zDnMrOZ?z_qL+4kPf4nd|o@##L%9J^Bua?8ByC*$cm}PTsR`RSgK#?b(-0wdmtK{d?
zc=MXSYs7JSv?h1>!59E}UQOJX{aeEo0;@SE|L7?O%3=6Y%AVJdG?Ns!qic8ch>*sx
zlCxhmMS};P-O%casO=p4#BD4ux>@}KOUu}U0Pow_E_B=fL6}(mO<Jk`KN631EIqbe
zeD{}@;%D0TU;Ox&OxA|aobOTSShOX9Z_8*my>77nSit2r{`c7Z|3gjbe@y-zEsN90
zdl<;=|AjIhJGP1(?7eSFcUSZIR8VI((+3@07hmy>zgJ|7t7r^FJ*b_lJu9D)p67f8
z{EN<U){-eDt>!$n+;-52JxO!+kPc<I83qBb?v3l;k#cXHvCiy+a^#UM@fRDh=MGvP
z@v$d$U5C&uZ5R$^?YV*Or!IJ9>)Q0yUiG{qllD`Hw&g7!u6J}d;&E%nbBn27!Rd=~
zd1!GlT3aqh=20Bv22>iZo0%s5WCAP+8&bZpHvV<cuL4y*+u3|b=_P(~#4_cR+s7Ae
z-ZB_{X8G25*EdD?0ra4h;eP6688sETZ=!dlTHgocN|f+TI3&r6xp3{}-YZ+bs50)(
z+S`Pa)oN&1n!}D2=|%FrTb_0_>Ck2!R{hWkL%OoSZ@f+DWfEa_{%|kf3RT3=M~d!<
zEj_;Wp`xW;6Im_f2lP_*&-PCuLekCar9$J}&%KyTX@`Vz7Kcx6hLSztC!x_%Xbh2t
zFwD{xo$j1JfE4a8W*3uC9@2Q1xi|W>`_AEAMR?bGMB^Q!lAxg8nxx5mo^Pu^Ge4n_
zo8cdcYMe#^*n#3KM|wN|y8p1=`{bZ$lV43SJ_6w7Y`F8i6?}iB`R0_!bz$ObwG20d
z*WpsP2%DP3eHW;emq*s3t6?8+T6}#HnP@dV6n%Wl?s2(kT8*{UmC+D(faZruc#wEU
zTlI9ito}CntSedlv}opi^OkCJv)9ookW5Hv=E?2+!27mfzfdhg$ESkv3v<_UPwI|`
zoE>zgFW&!ECC~`SZz6GQv2KxR>6rOB-mcC@V-g3Y8eK7JT2wds>@3>N7%ex>47i|l
zmVW~D{!F@d-z=IEL~KC~?b{XljF6W_6r0fti5WI9%++2bEKP24By|Z`xNpDp*RpK;
zQStlU`L8@w6>!=|)ccezKa}@$p8um<SZ<9U_Sgla6GnxbMy*OEr6C^4hWUrOFg$*L
zWzQ{o7p2LjBZl&dr9B7thaQ=osSab|fQLM3V@Jsw9?}?l#SPS$sSF2_;0=ulxuw<c
zZS+(o<v!iV=%xElm+K2`BfF1UN8tN63*!e^OBKkibRDME;i;1g?{b%Jxi?=3ZFD}i
zY|Q)goRW7wn2?6Mj2)A$a-!`4MG-QDY27!zG7ihAcSkj!A5jOIE~Wy1R729Y?|(cM
z$UmEvUo|9evqxHfz38rTQDL7S>Cc{|OO?rq$-36k`7>z?5j9Ff#EHh004w<yCqwWB
zF8Vh~l_c%r$3!b1WPP}={Lf>98^=x_W@RY4_Bd1DlprydeukaHpUb>-UWeGIM0ZDk
zBELP#*hN<Q4C!PSjd|S$;pQ3}rDSHow({4M9_!i7!_@OWie)fR7Rm896c`dm%0bvf
z;a`24sEti|^;ZuB(yqLfqQA$XzGXEMW5EVJ!xsqOp922KXb|)6!}a=`U`^;{=R%z3
zl8a~iYcyV^2<q}Y%!jWr9E;P8jwHO<%@1j2OxENJhIZr1D(^k;H+K&(O>lgP#1zv*
zvJ6(zQ_dQZ9)aA`O?-6Uee%YnoUR^p(u_E@9d${L>iA(_LmA?VE>&+VP{a1u04OL@
z9Q~{;W+zsgCJSnne@-ygBWK@{)iVH^VAEf7OVqan{Odgd*%`Ov5QCxbl=$<6n-z#~
zez!pfn)Kx8QJ~`No9W$&HoPeQ#S=Q_u2m(Fc6!_@P$w>nB;rPQ$OX*xojj6#sqJ`B
z@|6Bek#=!2QGx7|rb4~PvF+^oB~U(LHEC&Vj27ds+hjEZk2_fT=gy)#u7iH{+%FFG
z1(#T5Ve!HIY1VSEQ;0x#ptdZ*EBeuWxwM=Fph_uh?uu+4FK{r7lDB7E`g#hkqC#xm
zN}Tt(R~OcJ*Jv>0Gb84W+o&U(`_}Z)wsGRRl<#_e@~y4^$cIZgb@<7FJchFlG^yrl
z)gLU|U4`B8oVsbn=EL>|_)m9%J+8;wuK>GN0~8SRz7rMcsgllZ^aa{%=<ckVtIM$Q
zF&!#*+8lijge&xCbel^<LsUKkc|FV0a<Y#uy{Opj+yH$rSJQU?jqZ(Ei@Kp>2sisN
zE!l@n_q)kXNwCQl-F?TDEw`=^9tD~#etZ)uPc_}ORMgM}yG&au<_*+l?7pGGydLBx
z#dmh?b86M0+Qbf?G)NoYI&~!_7~%+2+}<EFd<~b`5j{(z(V@DE8n7YAG8DZo$os5Q
zhM|i*5b@7!^~3#cN?Y+iZdh#&TlnTOy5f1#@utEfKnGZ-)pe|ED|UPnI^6J92Y}!u
z{HKh~0-&jS4Wy1h8PL5|DgeRE&j8|WT~6_h#osgU|M!#Pbv_@P^dBKxV5k893b;NW
z{T%+kQ!bd$G~NBb*@|_&@NuIQc*?<n#l3_)FU&>)f(9AphoE4ZTVGaT_wdwbV3$Sz
zC_a$v<(75{S7CAP_N{fV<L#~Qi6T3dv}Hd2y)#>cyDuJ=U3qLpKG|2Jze_D1Jfp8-
z`Aa2P5ANS-qtbOC1a>%xuEc!&{1l$GvQCQpO#9|aeJk_ws&1M%8M;d?>f<<$xxPz#
zYU45=X92b()bux9d*lajvk@hwr&=Y+p3m3cQ1Zs_XVSKw9OveTU$&@ehVA{)Md#XT
zcGIOYrFjQIcV_zT5EX#zns*c2#_)1;L3>)o;@@Cf7w)=e?@7qZ98wAKVK@partPQR
zC)s8V&>ZoBE~JIDs>T};NB0X(%IeRK9}&z2>VA@^Zhp}{m;S4Gff?@ujg0SrjfdD|
z>t>-l(tu)9z3xtYZE3tv{&}!=*7{g;d;hoh*Y4Il7X9asVG-LKKflq^96Nt5#lhhd
z-Y4k|mOGIkyGa|)3bjMRtIJ@OPSc?|fvRUHm6zAvMDL|&O@7jwdY8b(TpGI{Mt307
ztO;QB<k+h_MkdcAm<LNiIKOw!{#FYvVK`4H_dRc*dW3`{%i{viyq~v?)2`wz6PyiY
zDHyk|=vBAsg{46dMRz-3+wGL^wmJNq_S^He$1fDN#+%Sm?)Tqh#J6RYJvNpcy58fF
z$6lfA-F)3|bNt1bYL^>hMh@h?lt<D9@+?AL=`1C>e&LLk)>E^QmyE=b#kKK3ZD)1D
z0dHfwdq9wC)fxqT+VqR}HrG233{!)q$J;w>1)t<!%&KWh%s@xX94R~2P5J#FrkH*9
z*?JLw@PwMyc~Nx>E<N~3<k|bNf&1!#DqVCLw6sXeQpar4U}sRpgQvdoB}$eT>4o!N
z9R&qa%};-mcLk0rTs%@{DmG7-?OXa0TH0@#)A^SP&Cp=UQ_+i4zL{y$=%e%38;*z?
zERb|e@F-x!hVB0;)IcWfsX5j&c4e1Z#!koeCJ_a?2YU9#0Od1j2!kmdeALlG<%#TV
zc;4FGMGwA|&|bmmJ+TlHnKEXoAP9t8OUWhZ`M3HA3|5%_c%ROoAb8q?To$T$w)xxe
zsoL><-{bz<;*ZJla<RXiPt4ogBel7QJ9zm?;vcUhZt}pE%=ohYAhBSl2aveR4vi1=
zZnD@NC_}N{cp&Eu>20^Gjc0(#`PY<3N*tFemXf|N@uIiWsv2ncq@OZ85qB2s+%Ic5
z(c1c|j9=sCCYR6GI>dXG{%kLSF=`r%ezMJCCIlBtD~^JPwO_7BLJM!L2=~31)s5@6
zWaxB#dn^A=xqcC;`|dg~&{A{Xude{LTVR9c1#Hl?evbT}TJQYlD=7or#=~&I%2@2I
zq3B4hv`0B#N)6XO1*YxUbyLUl&d%UFj&Mz3Lb$(5h%AB$@vGKOz*OkoV4m+)EzRF@
z>s<W|?u<jEsIh4^;{(}X;D+>J;gk?TS8Q7)M76kh6i_IEa<f57ORb+NN4v8?Ew#g$
zv$o~BC13mibASJ7okRXFq0jZ5+t$Tzv-^h62R8ou7yoVN<_V2%oaZXc$9LRXpHYCT
zhWvNz>EEg3|6^|7rAA_|?e+V%0R+H+>q$w#^=|<hll3J5xVCSCv;mu=|H~S?Zl^st
zEnrL_m&k1dkDGuW*gA)}{;R0%dxE?ty9q$g@jlG0>6Ia^{=#dB*%I;N2JA`^EF*C-
zSYP$un*V>9ds2S&h-F)R3>(EXtiNGA>(X9X-N-_W;DjG=TDZx^+-ZD5;%PAIixg0=
zv>Oq(E~vQh7vpeUEjUzK4Yu%5_8K5PKiuvyh;B_rnLm(ll1V6+`MqWLO)l0?=cn1#
zm8c+w^r`>l-pZB`Zf&<!)7UybEyM;jCf!G=o?N2<w75P-fOsmvBMCjal$ku)N~sGV
z@}?Y|qVu%rtEbPWT?1O}<iBx@&)z?gitl}i+T(h@r2w*0*uH!NDi|K2GsLU&?(7Fn
zTmU-h^FlnK4n3788p4U3xxp}QaQodtO@x_iZ+?E+xxaw7|DlXLHyPgQ8qla09sz*o
zT=)Q@^3|nl4PyRmB&Z=)T|IBxt`i9Ue=)@4vH2M&QM69=^Tb5D-l|m{Ku>DI_D|XT
z&*ujm=kD(Av-p4`Hpn*ny3qMrb<x<WisE9JmJK9dn{iy@gJ~@y)9922h?i8is=`Ry
z`BxMCM_q%?a(F9%T4T?wGt|M@4;Oa+v8anfc9cICZ>=`zJppUGsL&Zt$n7+ouYtQ<
zKk`?_DNu&-R|k0e<@QTJ^*x-8W{1`r5ErAS1*)V;S7Kf$zb}i}A?XE+dL5=p0?>YZ
zfYuD~;H?ZsDz&&BHz3Cc67_Snfy0oSVu%0H6~8n+X{8cZt2{IRghs3r)B;|F&=J*n
zCj^n76n&(D@%ecM08jkg33U>W^7LR!dW9Y91Vr!Dt??zG*7Y%2llooS>6yif?Jb^X
z+B*MZdYsOAZ@`(z1@L>i4(-MOE%I{?0D7iw_&yxIoPE-&0mZ1C&D$KCDk;6!SR~+p
zB^+;JSaJ`JfnwgnFv~msi|J>dn77+!@%s-QC9)6!vp{Q@UPCHFAcEm;Ylfx<8!<W#
zlB|8BH@+4m6d0+tyUOl20wSY3zQ5Er)5P0;o}Be@_+SjbG7_sd0Uxz<qJ?n^#teX1
z^=<rrJeL*siR+el{w$rN5UcN=8NKI`f9h?~3RTv|8YAIivA#Jgek1UqPF=vuF#7&{
zo_**q<fh!aYhCw<$HOC5bB2_U5=E>48-@n&TYuMKtFkDVIm)qJ93Pv|E57GuP>ZtI
z#baoNxhbG7Mo00V_7<tDWdYnqHQPl~?6PV6!Ws?WD=W<6#y*%<RTT@5Rd<F09eLPz
zG2CVjVAxmZ!hPBajoUGg*6TteziV_2-G$Yx+_NMCxJt98>^sbidm%86DlBf4H0KR=
zO$u$%^oZ@fRX3eKKMBV2${P-@PYx{sF~Hp7^)G(v`rMK>FI6q0_C&VvtI0Hcr2D~O
zMUoFk6M#CSxtz7A02KUUA6!E-c%2KQ)29!7UfW>wKAa0MENVlSb3h7H0NiBtpKrNh
zbNoYztsKBA{5I5Tq88Q>M4{g%M`VAFVxmGo1mj@n1O+)!uT9;h4nWEZ?y<2FK|Mfb
zh6Vz64!-v(&@@T?L+Cf=kn*cPSG1su($HAcL4cgYwxIVN1Bn-&)t5>5Wj5Xu09r@x
zjusX{w{xNc1&}xYW4_84Gz~vC?~a5C$L7XqP4YIT7uL4jX@>GmC5OY~m7iYVC7Im^
zKxZwjhZ$SrY1W6%ma158rFk5(yz*uDhO1fsd@w_4HSliInNp>(FRg$BaB_e6Gsk@m
zhdnv#4Af+=!+-<gcKx4sf3#ceNq}fDfHk_DZ}0>e5r#Rk**A6X4#^j&@Y#!)!@T;P
zYS_=4Fjrpy)R1b~rrZSE6ABxyg8q5qO&XS07LO`FI1mVG$`uZ9*%)s9`eCY$_CNZm
z5@>S!&cL3?XM9`V)}^!A6Rx_pvzAtV0RJE$EBbuO#^2k+00`FPA`S}-q_=qouM_}N
z!@(Os4}Z5g9t`k@)Fo?C5iySUm(TvWIbn5tH1^WI@EBWK%F)7Az@dEW-2&F3??(Iz
z#EMqWR9XXHe(M5W@uQt;I2<niFz>4=^mGUA68=*2Z%Vs=Fp=*^Niq`79y;rrI{6Iq
z^;v3DZpn=&=JcmS1>Qew&;dZe{uY(GKzMCvQ_t!3?cFJ$H<lqiIb^v2OB;hym5V^F
zz=L&0YIc+oU@#<XPy_g@55sq1_iumGU|bppNNM5vPl2BbzCVr9x+mxlP=g7ow0(ec
zIQQsg2Jq$gbYKej7N-Pc=!cVT!U0F-&5rEgt-z=6=#R**<0Re!xZ?kEyRh}WDBzF$
zFK=d^f_i&zbloBU>$)Ad?w0@Sdi&&?m-DahWV>2-t(*O?%k3zWSrGUy-VpG!x1}df
z8RCxXPfQ0$oVoKbQNTzUN@%|Y3HGraKDG9oDk6=L)}n0GCeRMRr?$t_u`}E{EEgtj
zFcc?)b}V^fGM5J#GxLH*$*_pdkSxv1F}U>hWkcxN;$7H65NV}gL{<zVB@F<r3cRa8
zF)nK@V}6+`4(0aPppLMDMwcZ*TW*bk_=0nY^(_dm^DZcW&Au@%L@9c5Do7He{XD8f
z5MU^YJF$))A3@x2=>}l5FzizG79=R~hYi2K|MF5Y!2na!u;SS)%h``*k{(#Dq=7FX
z&g6_#jEb@%P9Fu0jh7***tyY~8gu@dWUXkvR>Eb6l!=|P%-AFWQ*6QQxQ8khNIvn}
zJ>9>(t;4$(Z6ALiX{%PxgT?%S`f5pA*4&(;AZ?UuID!?%lPu99vAX1S=%S4T<9rJ~
zwYDfXya6*Yo^^5i*1N3<YDl|$HS37BqB6;1vZP*6$9*0k?;X!8%3ABcRAj-XB7Hdw
z36*4a9!bAS@%p)M2Wk%MKv4@OleLi&o{hveE`Yq#b<Xeg8^eNaa5K=DG`dp*0u@`4
zVy%na!-uO@OC*O@uPOSA31(@#Eg&O;V@E1<yy|JBR_8gSa#`U@6?oPHmOq6plx-ZW
za*usrKO14?RYvqTPLpk^m2VgN)Cm*si1jE9w<3qGmKEu*X8WZl;Cc;A#GBY8^h`h<
zR8l0#@cK=3$S-CyJWCi!GWU^8B#ZrQsogye_17TcuicW<iHMfR+)g($EXTJ>n=s8&
zUX2KtczTv%s25E=LzDE8glWrJ@z{#Ze=r0Sl8cb&wjVdR=}*+%EGrTdO{kkg(N!zP
z_U*{#r#I07BTjP%Scc_(_RV4h`5>k@xhrk$3j55Q-$iH$v0(m;Z;-09YqmhD&|rlK
z-zs>Hv)U!sGF3ajH=FnIWW|yn%#K3o91_xpiaI6vYoQnfjC>V#VCi83o^r9Mi_ky!
z$>7)pKa0Dp-SkO_cpkg-Y??h(J3s!Opvqp+WAd~<^hJ=C7!oI60a(HhI38#>U-h%O
zV3;B78*XV$Mt>$<gC`|-R2x0snaBt`^|&=2%cYp3gy2YXF_bM5<-MO!{TD4eini7&
zS!kU!F;lzSX40Cq0WQ1E<fjWi26su@#jF;yI8J0W_N3PWCGu+ZyCUyv@rPHgywgO&
zz4NnWy^S4V59mfgw4+bie!gy&XV4H;5B(N_bBu0>LXZr0aqqR_F$1e=-P$PQp0&Yu
ztJ*<E-b!yOy#oC)uEA7K1yGnabRn{F-xTw_@K2UmD!DdEn(=`_yMM@?tT~w@jJ%eC
z99U#=F1UHzK~zL?vqWW*5o5{nz4vwcx2{<a8bhz>;yZbR*#iY$@KH*80zd8GtcWDe
zfLfq2?KUD0ZW>mYT+jQuX~Wx&A-{b2c0Idj)@e<y-5ui<Z$C?IW^C{|wk)cyF@)aO
zZ*r8|NYVF;U0bF=`ReTeqt1Iq-VANX;5e}}T>Gak^6S3}UZN?Kx(_wpLZGyIcjq(Q
z@#%K<{(N%yK~_;`@6(PYx1hrz{FIN#%JCRD{tV>^)_d-X=^{KUGAV=b39>+pITeTg
zW93{YOwVJvkCYt4#dNW15dJqu5IfT*SDs0h%K8d$kYzeHDO%#In@L5l?Wm)IS6?Vw
zTMsnnE5q8?V3N5qdzg3yDjRyFmV%op=_CLyC_{RME-8^!_U==<So*s5p`t}*L+;$r
zJ&SM^ip*(2Wv*r2!Ls1YR5ydolzkPh56wB~{e|iwn@gl#OjtFVMJo}8r0r71xTg^N
z-gEVCFpgc=Kbx*zqRuJkz&B@T8>rg~v`L7d?dNqXw-edH=)MEgAt7O=^u0dh<KhEX
zWjcjiQOXVp&!Fl`%v^XUo7|XH09srC?R#)A@~e~tNpi+ayJ9K?JFr6%+$u$e_&jrz
zi;3>~qI(5SAijv#g-Ypn0Vz)XSrMgd1|N)p8dn_w^I-0^wsFZqX8NbkA0!iPrt@g@
zhTq$NcPm?|J4ujP3vM9y-^sig1*!+vY@Q-`c2&I^987@dy9g3#q9JEe5Mzh?(=}(=
zMcgM6Vnz^l6C!jwPrSl(t73Idb9Lo}C+G0bPt`G&gQu=4z*s+FA?<6EL-_+;bdAa>
z;8b@TjMpU@615hH)kZAZ)!z~)I!U#{x+A>JTno%9w1C|wYis9m$2goe{P-Sb!lrza
zk<eme@2gRoKY$)J5*@V3`fAbAN|MlER?fg*+J(%8htpcG#fCdlERbhBW)C;p^Ie|d
z<J~#S5B(5(<j%WO<F7n)8lAO3RH_pXN{+uo4ubelnG$K$@_}ThtTqdNBC6`l+(0rx
zWo53FiOWkT&W*XIZDLsf95JvudnHfb%w<1`IJb{=zgg!Cg2bT!ROr4tcIxFf+#8^x
z`?)(<RQ`otw0o!)J5K?P%o@TE-7U-sQgX(AMUKzX;j^wh&7fD}s>v&>F1Za;JZGQb
zm+VHUsuip^X(fw7-J9!<M#2U-*Mu`a(Me_OSfi?LocqFf^`xFvtgac)5v!LQJ@gvv
zW4bian9e-S^umz~8@p)whulj8Y0=GL5sx|LtXcU6;Uka@mgVLjQMtGzS;QVPT*mG|
z5K+~+s18>dDopU6WCpT$!yE1PD(iZbr5@_fpr_pAkqM331e?V(cegoU+hI@{SFD_(
z$OhXeh=TIl?~dOUZ^GjDsN^B`mo-dGnTvn2^-pJA_+`V@>vMV!<_`FjmEF;zI@eCk
zTF`s$^cYvVgD3L*o?LPT=a#xzRKX$>sL7R@EZmAG6;%RXTJc8fPNfBh(IQa#-mK>+
zwei^H53nS>F5;MzEE;;~!@lgbkD(j<a5OFNoY2iB1%U{9BL1sIJ3S;fx_^bMDAO5l
zBQwzEfA$0jgUJI=+xve!fyd6cnF;J1X+BYb?z!%A>WYTjp-->4Lsw7jtFYfCm*>`A
z;FXqDhFB!V2HB2V_WBbu?xCR}ET2xE1H<xNM07ch*AEl1m-Wo~anCkvL>J!QUsa{E
zS|pv5jAG=@{g7SfhX-)%@t(3UWQJ%|;<h!OA67_Q9@|r;YPPddF<4f3&!R0?il55w
zpGbeFZ02hF_Q(U>H=?%tlZ{5(<=r>r#GADH!o-h1u8P8MhU-`o8n{tOvU1m6;#X%;
zNW(dN<qcU~9}65B7O|QKcD*n<yXH5Zz@M>ijVDw-?;mik6jh@LTL!x^>8F43E0{tW
z`iAiC&dTD3zKEPFT0s_2ubgNT<^`PJ<cV%YO}kNIHYNv-h6ZD*wncJlD>ZHshl(gA
zMo4h~RKZikxfwHepL0v9-O;20BJFb@wS}vs|Mk=npD`O2g$Bm1G<K2XXG717&IbA^
zs-oqZb<l+@eHh|nGR?i+iLTn+9dArvvrzr09Arpz^}AIcJh6%`a`s&T{D^aQw<dg>
zCS1iMprxWu8*cl=`sKiOuvV^=-FT4orL1ffbG~;O;xcNHS^AT{4PA!JuQsa#WYWB$
zR}OzYaII{mw^R|R?zqJ_Vln7y({W&SwF$psb<60D-Yf;b^CcY)uB`jU_QJ2Tz6w?5
zxT^HQSp3DhjA}$|NY2_D?p@o4&4Y?c5tj`;d|+^uR15QJu3|)qlV*iR59&VMUy`ae
zo><eDY;2&M+o&-)sKj|`B1lMPEPY7vo+C6|o&8WWAa)?nIW%{B^`(GBsLnr@H4zq!
z1APbN^r!rZAL~}lLOJC=GKHXw<7vvGvZYi_8I#+4zTj8l*zByyXC~l2>G-h)4eNw0
zNz#{KcHP!V&{KY98DDcp67bUYOWvph%eJWrEAP}Paq2(lK;qyCYI33z>yT|FEbTgY
zUmO#bdV^Jo7?yVJW#QRiUkbe4%(d?3#n8BU*o?GaJ^A6pusCm<`(qR|<X5^Ey-(^-
zfCn3G`Vmut?!jjTA*kG4O5PihVDFX2sbT&DEn+O!H|r|1@^a}^->U#dW@jH99l*4T
z_FF3Qk#TiuyO_oqWs*3u`~tHaBi=0fXox6|m|I$<$H6I-U6Ql8R&UZaTUCBNZ5a+5
z?dFU|yUdzl`bnMfr)f|B6qjR`5CM;b{0gDXtIb}V=7}QlfO<Jf(mY|okidGuW`0C&
zg>Yat`rDi{J2ZjrG<aYnJDByL7~J^F6{rBe#!plB8t)bjW`%%6%>})b$xZIZs<g)e
zrz;Yb>(M6c!`4S^0~V@>ZgQ+Em+CLHJs1Zjo(!&c6;YcBOpE<hV0Y*w--p_}+2<UM
zFdNgE3<*XIo~V~ugPiCVo28<CTzH1mI>!n+Ukhk&|H9#%rM;6b%7zKSqQho&L;ihL
zJLuG*A;KAc453BFuWZV-KChTK2Wb;rrcA=@96xdi){g-v6(N_+djpZp1yA>pFCcX8
zx^e8V7eOK0nY(jx!R(+&g=bY~UJX<QPkD7%FFu(!nX_Q#$(WYtQ%w+iTqjOn?JE|A
zjG}*CgPYJ2jFU2ge1anKtF{B6hnqeiw~m*eYy`>8qtCF+?p_hs&Bn5A)ci4J&?2*6
zIG@!HeL~np-x|LI`yT5o9*UA!oA1>qIjP~D8y!IT#Y9R{ncI+CdKG4$nVL>xI^-HR
znwjucy$)hm;OO0z`a@{L2fb#QTjN)=%Ue$tYe%pQ+GL9}QuDnhA6G_(8xQJM(iYc_
z(QuVa*_|ew0a-%&;J_W?wpMAua#<2xhGoh$i`MHFocE8FicYFn9flW5x0v={f4ove
z%R>^0iWa0^QWb;m&~6TNr=-Z4t;B%PVwO*)@gO%u9^ioUE&8+wr3s1pla1Xl)0BRr
zQ&3d~uKIdBqRg?>(J4CkkCBawIY6hYXyEE!tmC%;rEiR<2Z^U)x#2jWMF6I1PX8+<
z9#G^UPNPZjy^35i<Exkf{Ys6dot_Z+;{aqfv7EBnNN!FEm}(}!6b?X&MT3gp*0hOG
zmC5#+JRArjct08SigpNG`!X&~RwGCB(*`%SxhnhUNg9HB(c9Xym+MKjAthaKPRrr+
z7Ua@(hpOIEdyICem4J=xOlK}2XS0cKd`54??nq3^%3h?#=+C)1XNO$DIH2mDFDcJI
z+k>}a_RxxWzF9-6Y;?xWTmD3=YBSf8MYFn5%^|8=w)M4Yn@Dm`#BmD;otYr%W<^o=
z;$g<>I4h>MA6ePqo#x$PZ6egtuWAcN^zbUQXF#>rXV+S8y|{NqP>HEzqcaIb&ZI#U
zNt=KB$>uodT?Qy$^0^w!bLQeiZCSaXj07qeOg>Ek2a&!ogkLyk9t~O$*~ea!WSGp!
z9UF=x#Yd`*rZh-*eY0W`xN*R)RgHgnUgM9~{W@30dXw3Zd!Ij?JaiS2c1&%{PGrC%
zN6JfY#2btKX*#ku@R!@a0x@n^J2I}i>Z-HrMjr;>GCIfP9W95#hn`z)oG=%76$~j&
z0&|a#AWpXP(L|xmvNJuIW2;~uDO4Vc%m<Yr?Atq@45>iZu8OqHU^AvI(Y5+AK!i>^
zfSEIxPyX{N`U@K7=L&bF4;oe32nOzi6vy4b?PXMJJ5`)(Zw)nff(`4M?{5uo|H<F|
zRFZy)HbLT;+2E9xNJFaY^U5PC3y^l!{(V6vud4R1kha@7QIv_VTH?6Lxqile^<AW?
zVZ51pDEbnLPFH?7jy-^hvGVBQzUjxD=@Phzecg}(?~c>@=J5|Wqh03h1{^0*y>=C(
zMdyV*&rjsfT3M+!5vy=UNPI?I*>Yrg9s+OS5vSJl=F``Oz*`$?ir4%q<)sLghb(Ec
zr3rYyXARY}#hrb#x%t#VxJfC4lXd%nLN&tNr4Z~xXc)TrZOs!bR&liK$b{N$wywv1
zSwY+_{!rs8vDJhWM!g%S`kmp&hfZr?mV;EyQv2iiy-AH(mwe&$jnf4(podYmJWZq>
zIl3ijDR_@YfN0Olr6a+tM$_hmW3!*TpWKx1O>X2$=XX8nuUh<*V*9KA!!^h83(=Eh
zT}AxM?QNkMkyjc7r-ORR?b|<uYEU_aL;A^Vt={Sm{2V1XGv|aM8}iE>9%TyPiKACO
zr5+<Ac1k|Xk|ZsRy9^AQeGe+`fliA*cZ=%;D^Pyqd?}U}KF=a?)O|?DO*W-H6e+di
zlb1Cy;j|YW1RKk(oZ0->v<nfh^UYs;O}^yKnNaqG#h%M4P@P=KY*8~?D8m=1`Khyj
zAP2u(_8eCCquc>tIhzarQyfEz(;?7~?Ox+}#Bk#RV7<7^+qPGIug<p9Tr}Z`oy*?f
zgM{d1?XTf}B4s!g-#_&(+Nm!WZN3E3wiS36?>6MbMLtgGSu`d1Wb%Q-5Ll2BIt-0b
zyw)*epAmp8g!;kplapn+ehP@bRh1z;J;;LITj@w2RBWw~%w7|$jE7G-#&A}>+pYHJ
zB*fn3X-=2$R@UlHOZaiz1Jxx))AkGA{a_itEaKe`OoMN-GRt%vk6~<Nls$hZaA`Ns
zq^VBFvUY>+sAMA_D%`tP6cFlqtC3mVCpjFUt^B)BN5nxjkY5Z=<%4Ns4sMqK*}rsl
ziRFBPoEx3c!?nA>Bu%Cvm|b3iN@gMH)~l?NMxt0h?68*PoS=flD;U9P35!C^=*K*e
zt<v$|qFuxqu7UW3|E3LB8Rw}cjnUH<WlW4hyk9+<SJhv7TtA@gfq&tON*IeDN0@jJ
zAc#q(fj@*ALeiMj3&46BxBPYVntgF6Ck_JRNoAQ~2dZbz89O!ruKxHSkXjKjqOIG<
zKS$A;=2TBoZkBE|B)+ml_@~)L?$}?wtis*QDd(Q%7}PymU=8n!ImYi@J}k~v2xafm
z&FiRJtKkrni75H9<Fa;S@*`XY0>4VHjk`-vrYVgt1qCp@ZwV4oGm?MC+rVx6CQwyA
zA)~C&ET*VPR~4x*Goe=io`6bL1d85Z6>3?vhy%LE=6}V`V%YH#O;+$m-j%#lnMr#_
ztTX!)0<An}H*KHVsrIw3P*&WRrJWV?25cVRV3y#vY2-FP+4AvcV5y%uk9da}ZfUC6
z)|0()gHwC~Nd%wHp>sSSR}O-CjPpF)5uSCc3-M3hZagb$im;+GF*RK+UIR;WJj6G+
z(vtDAI)P*<D*z2-QNQuK7VmA4M?I~5riAQWpA3`Tdpo<q??n+LV8gTLa{*nF&)~D2
zR?QcY&H>wPk2PT!xu^qH^Q@dZa>tX87JhiTpe`0+ZEQ@pay)vo%hMJbB!YYOSb+db
z^d~({hy`%=Z?F@;+?<bE(Ekt>E&@q!sL_uJ{;l~9TR_F`oPtSxsB-XFEsWCmuwq>r
z%Bi!Y!oThKWvPv&9+v@Fa<HhTttnG9K~n<Ml5el@pqR0Hz3K_)x%@;N_6VAk3rPSb
zH^ED&8P$5&sZ;0oE^W&n&wo&U1=<!v^{(ydlhZ^u8z1>bqQ6~IUV3zklPqvdUz70v
g9-wX)jYvRV*D_`0n^o5X?i<Watk0L8z54L~0W22S!~g&Q

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeStopAfterEnclaveCreation.png b/docs/GettingStartedDocs/images/VSCodeStopAfterEnclaveCreation.png
new file mode 100644
index 0000000000000000000000000000000000000000..dad26afb7629bf5041f04be5e7183d2fa34dc2a5
GIT binary patch
literal 149041
zcmZ^KcQ{;K`?Z7+(GrOudW+~n5S{1*QAV#}h*6{W2@;a%z4tzP?=6xjqccP&dS}KM
z-FH0C`~JS)_s6%d%f&Hg=FHyv-uGVjT5ErMr=~#k;MoH#EG!}=MOjTOtb6=eSlHJ0
zae@Er-5GcS{JP_!sqhA?e297rxWKWNR+YxWs){7IG`|O2<2xzpyI^4v|GfRV6VE|R
zg@tvKuOut2?P;<*k7xD-JcD-#^*#{){EqbQXOp}JtOq|dv}NzL(54w5OsurVw#Xbr
z44YJTPOA+Erv*L;q|e4ge14|<N$P$cYu?7}#(eUiRn3<8CG_?FfT)|bHEYYT#KFZ3
zA(db$j_m)mLA^I`?%LITWc+W-u?p{c``-&j$RmmY=Ko&hJPr8&zm&ZYnEY!f<7;R;
zL9uvY)}P;M94!BRBO{CsO*+8oivCp}pia-id-vW7G-P#=r+cjnlhZq-WElAMzpcn&
zn|fdX;}E)cMJxC5o4M96mQTx)REDBYNLq+&FkBM}|MQ`YFsfAZ?%?<jD`YVg`DNjP
z=Fdg5I8NM~K&gD&ugszZt)3ij<Jgy)UoMkC-$hompR?0?F5U6;@hLf4f8QU+_BAX_
zyXV#WpZDiHSHe%X3NtIsyK(Km6(E{itOwGBAKOlr7B^V%K~+=un@nbEZGz-NpDzFX
z6>7kSNNC-+v9UQl>?Wy;u{HE-B}o|<SKT+Y=!y8XkqM2+RfvS-|2xLobPJv<ME0f5
z!{QifXJ_Zy;sTFFKaBZ&v)gO8?KmCHgpd%t{WgqAD{4se1vmGkvMmn-L-w|rRe`S0
zE}bZzalQZjo1f_hY*AzDB0uZs3RNlVL|gD9#xoEFgoK8~-fjC`14~P011SOo?d|Ob
z-^_2=*wzByg`<C&-i>?t^5smNhMgT}0+(TdYCIo_Rmyng`1RFAS-CD%!p7D%qU3Zn
zR-K(lY(jyzMi{q>{Xy%ipI#N}Nbla%xnIBJIPMH(h|j+0;<TNrtHbEarL4G_?JZ=B
zdLEk9khD&2h?nK~MDNOIyKz$tw7U2DZPw2^bWfQ==XXtawoN+L2d0V#&(YHRiL7dA
zmFFHsf<4R!!`U(+e^(+Uxm`LY7cr98rxtBDPWsbs@2@d=BAIe9MvU`WRI3-tikXE4
zao(hNty(m=I5pEMxhk+XnyZj}wbkQ%eR-yAx-+w@K3O~@42i(F2^T2EJ}*9^^FPgA
zDA#3V%t??6OhyV<6%{FRupJ!r(DmTa`HqwZCL6c7|1$QN|MG=^{O>?Azd><yON(fR
z=U;qk5!d@FiQEX~9r?gykPg4(xNXV<Wm?K(tO!C+3b|kqcRkg&Mt32Kej<LtAXN<p
zZ@SAT_KzpC^ZvZcBZ&`IvMtEU!dmpd;L7ktDhUjv3RNi8Y^`D!`*ZTWax)val&SK6
zOG-)d;K5izV?DK~JK>ivUpB|`Lv`LiAtTE#&)=JEuw@wx@%;on?82+EpA{UpeGR?#
zb&HLeYIvz<GUY7ZH>e#^#uDT6d5&YXsrQPBi3$6l4U>`Lu)B0`v`%r~7<xXQX|OAv
zmmk&P_2&9_a;#JVjw;JL0gwGTd3?e?+xZGp$?-NFNN%m;qRC)v2P^4jY3PguxiI&1
z$7NFSP51?R%9LtvCXQ}o0K4#f<54jKV^`0)_Ph%-3f%PlZnB%#P5%z(MoYnJ(yCZr
zWHAus6MWPXz7&~$CzMvh8R3<cyk$?E+}wUyM2hQF1iUql?;6-7s`w$g^%-XCFI<aP
zf3;4O<`gP8DK11<F3d(zyQA7@%}k*ig;gLiA?{PFjFeUyeqYH<*KXo}1}2-op6a*;
z9nd{3i}venKlbzX_J+8G^)Lm*zqI&W)LUzbtGFKM8&w)<7VrB)!vC^S@Ls7w9c%zk
zUs%`Kh)>&fXdu#bDE$miPgq`9$B!yf4EZ(1VYa@k|Mkdl)tW8i%DKq;Y#eyaR}se)
znhrsAO+CYZuSBob-kaRA-@N0rHO3-f8Ugo(PL`9i#gZV;cbMpg&|c@Re$+K~>eWol
z1YKgh+&yfj_tBkgXD|ETjqd1~GB0_o_C9i3a9yt`Tyybob$w;blu%I@x3i(z+q`ZH
z0UIoq8$C{d3q7%|Xo=cjt7xMRiGyG0luw1wdiT1fIbZT6sqd_wZB|73mu(G?Ue4V|
zZE#<dL|#bSgIpyB`uNU$bR`|Uh-D{UtvY_bwBMO1j@5bJdeGd|RP5tvfjl~r_V#XO
zlX{*hvx-vGitVsS6|`qZ2~8qhG%aGL*txlhr>Cda{5@~8G{lBEi>*$4^`aW*6-(6F
zW^N>m0_2Cs_r=)L^K`NHV@Y1|z^59+sFl$>y7Sn19(0{T_j`w=4wpfj35VErp#)(B
zRF=d^`p*VlT@G9Hkn?G>#w5%Xs?)^_SS44BSoS_#U0;8Hu+X+S+rX2So?hj)ql0Gf
z-<~MeYjVz4c8j-H<b5MyWDN$}*iJ?GZpKOF?e?VM(C;^G(C#j@Q8~7sJs(OJ4cV#a
zFab~YRqxHz$@E0ffCP%sJ5x*|A_m}PC4q%z+SpQ_VXvjm07!>!xzXr4g%Ypa(4gtf
zx$f?4gZe#<{PXQKc;aY{wR)PE7pa$*7dXPSfTc4bDd|2Q9-h{EA<pYOE*u-o(!9r_
zT!X{Bc1i_~lx4?y#Wx%e%ZnIXF7o;_!7rAMy|y)GU3cT_=y&>E<@E0gF!Zo)=$)|i
zuxu!_5A4p=sTeCDnoLf1r*qf)Y+vjUQt(Qp3!RO<81Fb6bbPDN<Mz_-4=)Zb?q6W9
zC_glaT4_X28dibfPtoT|9TDh{?d;9vgTuMhg}!%UuXyyUW!p^n)J<$D6Fck0@PtF0
zQ86pAI~uMB3&vNBxu&Vrt(GReRjH<#$Y;G5zu|BdaRs<-Q~fa})5!W<ki&a^Es5Dy
z9x6fScO3m-q94sJ`K<S&h_G<+hP9)kV+!r74^dlJ*4GkIwyHy^M(WP{gcxIVd(@Sp
zPQ=`<sqc{-+80dc%v04`hyck|RP4(1UbBnR`TP49pjg+C?L2I3FXy#zNoY&`#iI7!
z!PgHCDi$h8@3-7sU%d3c^mOyv!B93;z(by}CGN=V?>I{Ws{q(-bwINDMw8J#mQqrm
zVBU;VVQXksX{X{h9J4W)H>wqMP5x_b!sb74=3K{Bw`sY0*f1JibXV7y4&Al&;jYUR
zA-V=56G;=VcBGi4k*R#gfwGzDx=MXV7#y$u+hf**>C80pv!e>#3X>#3`xFsVq!Ice
z^URA%*f}qS2a}wVLC~ZN_e$tcLSC-<bAgde$^L|-$8jAS2^(^dj{`|ByKBqE$o&i=
zK#~%uDWwjzfrA~9rW+-}f-{$>DTDoD8WGob6|tpE7=J@UL$|Bmrg+nRv<+(KEy-B_
zhEx;l_OM*N#;BJN>#(VWLccW++yVh|H6{>NJM(2mt(v^($&z$Lp$94?UDl_Pqc+&#
z{fjPM?al|UppM$Ll1<Oo+@k5C4q8!abwv2V{a&$C3LRF1rjB0emPXh6dhMAU-sv3P
zH~j*({#<arhDHAt1Sag#FRo+dyeY10=0c^nZnVY2(Tyi+C5}g&%x|BSkr76$R3FtL
z1R_G_7WnQ%xPc^oQRq7i`})&&)d%b%;$ZCTTz&4#Jc!+gG5+?L%cNB=)eyQGf`Xu}
z94sube^N<&0vAx#aDfj=uz$29R4A8&?VjP4mD2Wx9Hct7H_hlvAsI|EvaUm0GLq@(
zO1Fc2>8B#)hD~BZl{Z02Ye6|U98{r}qkY$_GId_^@nXvK)*EUTsfEa8oxm96ovF07
zBb7P<n;qr$)lEcp0*`6=dY?<lc1|404l+PDLh0r`Lq$j{xA)UPJ1tl@{AC{>sZpI+
z`Aqd(qL?zmrA;KG>3cc3aQo$@FIrAHBNB&tjRI|>VXDuA{31IP6gBnML<Y5^5}|QY
zW*y&Kt!X^OcTwA}bYbbd!2IxeMd7ZNq}thCX47pqXYON{7gNzjlILd?U)RuVd459r
z4cQ>K%&3jx;m6M6n>}oB<vKT%O|q%RI59H+Ep%@+GzCW*Ea^P2a#9v`)#p=_owV3+
zEZzQO2jaXKH>F_0nr#}21nWUf-@%{no%CO+!Tu_zjvyBjr*s0Jkk(F>JXFbg>z_4t
zpy8|@g|yD_k~gM9TBOg(<RyoEpRq-hTu#<+;o(=q7a!Rq$n-Aq3G1{mI8WD8R{)7Y
z&DPQjUSRN<+5!TBJxJ>3LpHoyXmK7UMK(z7&yzlhA--Pq-MomUd!A?1dlt90+M2Ye
zWtmFaIXawL%SA~_nlo5N35TtFlewrk`>*O9Z|H;gg`Fc~INh$i`Yu{?P%kXK&PL@E
zVtvAl_}`d7n@IZ6%*pdeOev%D!m7x4DtQc{{27&HF$`56dr>`?xpr-(3ZAMPh;=C*
zj&&()uq_*ob*5ZBkIsUCj)x7M%U2~hB&jzyYOAmCg-MW2vY8%mu7;u=`GiEDx-}Pa
zvbM}Y5a#Ni07n}1iy*IKG2eDg%h{$QTNkR+j8e(kI$TL##rsv_QvktD62l2fmyS^{
z^6y*pQ^JiMW}y;tm{8s^MRdKTGNj%X!`2lc6!5K?$4{M5DKK06RUcI4^V4W`R>YQo
zO3`WDw}=(VFwr{r7S1C#nFRfqh?QyiVnUY+h)Y$;r)N<-bc$bmJIArbRi!1Q`d=zx
zY0Q{TNKP2w2C;lHr~N$E7qTksvR(vU)fh_Dri_)A5Suz~>f3p4iZiIh`jYG(C)mU<
zhGhLb#Qn_KjP`4d_9&WhHp(R*&y|HhwcWF~*4L?G6Rx4!Cy3@DKTlLRbAC@dQ6na~
zZdy(C{hEcBpI=K=rT&Y5hUMI4<6xgx0!GG7u~NI8SKv!<tGc!<$-|vhf^>hv^{!v%
zR{o1)czw06bZ1cvQ#nSg6Cz1?C4)gT&Ije2c<lIUedrRr3U($8A%1z%%~x}!gwfQp
zsO+4*{-eH+z2XWt*=iA>6tB^neUKX$9O>LK2CaPTZ08*2J?rN@oVb*KNx=ZsT0336
zW*tWgX<qAW1}F<l#%L5+Kj}Y<V;@T3#Bl8B6G%Ncd!#E#zAjClE(UFbHR1eT{c}7u
zl-8=d_NUA~m+@R2){Masev0qhx5$f6s<V;8Ywabm*7MTV{)LX)f}8Vj{M6f_27!3v
zsRY!j+r$kwTny!7C6`&onT(eLZgD2sl)MDhOEPRocbKg52iPej#IFdL4jIWESi2zn
zZVXJ|)vaP4sNt{#b|2_gCLQ~Que_|RwiXgoB_iW@T&kL%=U(9YuGSk3K?}couZh$z
zX3(Y_xU3tuS9Bu^INp4`X%HBYdL3N<agnM(Wg=?l>8Esy8xk868Uzw7f(7}z^QJv7
z6>8Hk@b$y}gaDeecQa3zi`eM&20IkDI*>a-b)PEh%tA8iG&DwFe8{yfWKfy!NChWT
zu0)@36z8+Pz@p92^zxh?xyfiZmd6V1%zcTBUc`K54ITQr=O4Ez1<0x{W0*JU1*O+h
zMrJAFrv{J;_b68hO6soQb&LTzaI<;=<lJBfHM}uSAh@7WJt>wxptbz`nky(YysUmB
z_hq>pWZ{@@ocW!_G<PWrzC-U~NWcHjC|jlB^BCzHLv7;(C<bz|kl>R^%N*x36G0<7
z(f01Tyw{~NVb9dqxgyqHC**Q)GE+rv+Llx=9xM9tD{FwUIK7qHP(T_1gLDxrP<I{k
zqOZN?sdnktUDLZR&Z-l#eo*%@sB0;#;FCZC)PqZZfxqOu%J}Xe@^S!55l3=%E)0V}
ziSnNxn5G+vI+yjiG3@kPD*|A&Sx`yK66qxck?$iJ9lK2NwTk~#U{X>n0iqnRgZj7i
z|Je102<QCm2x=o5**|8N-MyHL%hrEy5o(Gj{$-rzc}_MTzpb*w2pq3^+n1t*hcqf?
zTgV&DaMo!sPI6esauE}TpN<og_dRh0icYMLWM}H(p{p$Os~XKrHStqE5%N2C6)<^p
z#>j43z|0|&Kn~QxiF(r}79%xec{9mr*tVv-vf!!EQXW&Iwa`+WbxW!kB8Ks56Tc{X
z<t*(P7;G~o-mh;5)*->iZOXVxo*&GZEJfNIZ}-4Ue2w6$NF$e>5CRvTFtu&cIp#S}
zFlAm7-s~9JtcdnvmEq&w5v&EKQ7?w4-1~Rg*+o6u#Hw%al@yHSf!E-g-$K+BqW}r%
zpOWni?k?)&`hkeY002yf`?QNd6Co-c8=F%fK$c!jQ^~rICZWC2KAEjT%!)6LFX}Fh
zqcP<Ji5*1i2Q<Qx$m}v$$0KKGoR6`epTh`t$yfpybdf-ks7a=G!YU2+Qs0p*>a#6e
z3>rMp;9G39kg;98cDNSK$?42X6KbO*H*dEWb{B@8yFK6NF%Up)XLw8}T3+{|&HSOU
zY6F(d)jJ0Jw(E#$FqL!p=Tg>-si_iT@lbsd|9*ODkLk?ahUzPU;Qob<gw?uuOjVkx
zFdkXkB&e+epn{6PvBOTtWceA^sZ_2fq$6?Hto|3Xi?D+1ZLRpOx0qd7!g-9yr6!3j
zi#!8)eGWXrL-md-<&a#2%r_jN!QcYMWV{%ncd_n*wm(`8q6uS~=uMsc&$n37U0VIO
zWD8;_R^S}Z_6*!E;mwoa2T#0v<(bzUi9?FsCED^;kWk!4m0fK+cwO>s_B==BsXjj&
z;a($s9shgoi#Ayd$;SGg>$c?$vdbtT5uInxA^a4Gj_50RYDu+}3J@8sI>><8);85M
zMh??sb~rnXO;~qKEfMDx+9C?|eCk^okFb1lMTZ3P8N4;ciUaf;*_^;rxt^Tp9ESWQ
z=lER;7sXRX&TaH=sx1y)hXhLU61Tw$55EjA+z<eXY_#NTJEM!U4;~{JKsU#j_}vz^
z637$~B|EttR?g}D7bOxEa*&Kw0l|(!_!VR@MPQpYUso<cIuN-o8Q3cT_TtiSKLB5y
zGhW1BL|!k%WLJ08O(u|^FTNAsEb=fZ#B)SvC9nA?3`M#Yu&%{NU-ef^t!GlLN*EZP
zpOqK+ePF=YT?s2=sqaf8&-)eyu1;B;N)|(pJB~ED_Y`&991}<?NyEl53{!!vlW)pt
zP{ZP6_J%{L)RF$_N(wHMd~a->7uII#E~z;5tE%m8F#`Wh3+q&=e_Fy$pV_t0=(DEZ
zmNYKaboi%ASXDrz<fXJjzi103VilA!O_iU0?Dvsf@7qwt*Va9`29idOCbH>`h*0T=
zBKwPNA|(;-xRaOpHMT0qWVP#cxb?lQ)5`Wg6cSQXY=4vXNxz%o-8^C$Q;L!fA<iGw
znO$AEuYVFJC?~5ePWpjP#Px*)z)7LO-&4rF{Fo0%{z$%k_^3|SJ1e8BWjk7`!F7qn
z^egOK`V$bT0>uvYVZTqaYo0SJ>VqzF5&8wqd5Om&A#!cy&vP)pn<}~3U+D-7Q5$|V
zf4S?<9el%Qk@{9v7QtfrK99Y{GKe=yNmjNjz_on*Px1{{^rhbOjXr~#y8y3JmX5<#
z!v9JLfv-8~VXfjeG%#UY=klv+pM>$%2D5KO#V7G?jMTRxbPNyodRv+j*)dE+Bdef$
z;6MB=<UvfbzT^L*Y;%G&c@P8N{>!y~eTE&B{69?a1S4+}@J;^HxB~xE`rnSNRY~6G
zLEpy$I8;<r_F=c{(@RBN-P-E;qeqVf97%s#(#IApABqDTt1K5jKR@t*BK_*8M&_Mg
ziv0EA{gws)+^8FqY%^YA+VS+PjGl=}i;9UcrywdZu_Ro>c4c*y5MZe7VK#cWT;Q4M
zY5i2job$K@t5Z$0N1c{ZvA{D^n9gYXA?v_1CQ6g=_`pVVUyGLY+Ivnjn1HXi{{5eR
zLK2S69sr#pDrsy?I^e&hHeUY2VCPtM^CdBklYWQ}`1(v<Ny&zH{8IeGng1=h4I%!|
zEj?nDj4~P;(Sjjgw^Lv8k5i01IcEa;sNwR{?4K?WOx}H=`8?n$F8{Y@Y8ug&l8M6u
zPYCTuZ*S@T_ZAgz`dDC$pCy3*86FK6tAG1k%yQf3+)4TuFWylxK@60X5^G<=lub;^
z1?9`aV`KRNTBNr4cP^ghss@Rrvb>eKdG@or*k=uaMGR@89<(PXCy>gzI#5t}c(~xy
z;g>GEwA+bb>%+Xm<uBHcGPCl-i+=V#b)xwwrI-?z->_o+=>RA2Fc~MO$`o~3^v>?I
zOMzKIdOFQNlRjYwyi<oCs0nkdR7mW$1Jq!&qShXs3ddTJL}kMVPjfK4n7ZQMYrBsF
zvxh6RgTl1-C>Bl6eZmfeZ^vvQDOqXoE<b;<@REQQ|G<D<TZ)!dfi}++KflbI6bU`V
z^|}70XE$f5UqMF-F_k;ski$7?czT1C?ZMX(X(1-xRb!_U;x{JVd}EJ^|Na;{_;_~s
z{8aW>W^s}0X9mWaiOavCUZ*?Ctf1B8;_0;-hYhuwNx&v%vuFD(bgq_p*TgAv+33}r
zU+ZjKd86wq%030|Zk`|HGzzsLP;00sPBW8aA=c53+TYFomEPh0smUVKox<>u-!SXd
z7@`@yHBwSiGslB>-27U@y_WxmGI^<$+8}OF@&xq+I;H7sJ(brBX(`ZdH_hjZnb#Cp
zcqnnUYGGe$1?(Ua_NDt2x1Cnu)q*AMAO=t<)T3w5VC%Y5szUR5v>g}wqUaC8##9Mi
z1EV|#Z+=g|{^=(`E}W=VQXRbhSm6HX_{{?a63IO3+2GQ=SSKg+XNA;qCz5ZnYR-3u
zO0OtJ8*a)Fxcn?p)0kxvmj2+scURha7p7@`eYy7swU15obR_M1bntcS<qKcYQ~DPo
z52q7rqMg|hhe_BNdLbMSf;S&EUJAA~ktIf&j!wcPNe6s=7V*;*hbNUwLl2$1SK63L
zXa>Ywp5GxRCbR+~7||f%=WTI%xa{QO(w(o8=(N-+y*t;Wl{(8?pq37yDEOcSGHiBD
zHviCgP>u#fB8VV60i#>$AF_}Hy2%1qWY=3*@r)6_(3}&th{t{yiNq;ZjrH*FX1AS*
z#P(<=1+(QJa-IOO{qcBH<MI+UJo5}K6PPSO^mfuJy?;WNcYI;+F?WFZi~hmih*jCR
zCr>}P6cq!igv*kYg6qNl*T<|6s{GrI47R3*AGLW4{~gKpwOcfia4E~j<(K=Y!7%jm
z8n1Bbl8PnxDERMa0l~TW2|kiv>u?9ULBBF^$37z3P?7c6|Iq$*qj%TjLUvbRa>kxF
z#fjg$@KikhHL_#A)TxKeUuO?S)y+0G!;BplgUZKmU?<RH=#5l|g2Wqhho>j47g@{H
z2q>>cV6xmjxnLLDP~*(quHta(T48yII}Q}cUa7{jruS<o+o)8X4#{&xUeq`AMHP>*
zF-KK-LkIZ+H6rvjQ{_Bg-`xCgY9xjggiE9ewO*^)1BU4E3M2VJWuoJII|fnP+7xq;
zjUKZq0OSc;zhezC%$!R+adjA{iuU861FBDKDArEV0WA)jv*&M<J|Rk=zjvo=YDppA
zn4^UKFJGrgLWy}=c}X5UqIpC|7x|b~jh>HBGrq6&<BEgS+qYr$Pq)&1?~a`9OXh4m
zuAqmkAB>^{Hbzm!Q%h4mNyTgR{d2yk!9Oh?JpMNqi?%GxVq#*oRmf*Mj)&nw%}W7z
zV%ke%UD6z{Dg}JEHxY2@!B{Xm(?Ryuc;PK0%TX+hZ;*n=%~iMqpH?+xvKdz2<UP4V
zc-j5lGuUHleWD}cF|Ag>_!XUm4tEsWMLgjk$}q7=%1Y)VN%)(^kn3<Yt&CA+Ww+!L
zYXS8Hn-?rBzj{^Fe`H|%L+9dT%bqlPpOv!1hm}F_S5HLoM44%tKbNlBy>9$tn=d~d
zT+KyLUu<SQY(wNh^AJeSaC*sJ$GJv)I_M=npu$Z=1_J_I_s?&SYgvi}w^@?BF!LTv
zTwH^PckN4^9%f`@G-4KfQo&OEoScL_ZO2eg;PtoN;+VOz!F%VJgAkzw&-qse70`47
z9v+_V#LdFDU_R4?$JOOHBCgfDnb)s+UYY7SXr1u%NUz<K#a${$WX)aN^P3?5JQG9z
z7r7=0Q-EA8KySo>C6+rt4@R?amWIO^5BC}tmltoYv23Tx<*cj<o=ujAgTQ=_nEm+=
zQ|0OPPw{<pNn9JxJe)`laHtFopR8?UH&#BZcPEB?fKk)qhbe#3zMIb#9T`b-eH00$
z7ZWq$U_(?{D72pb4TU5JuP>WpD^*_}^-!1UYo#RDyI8j`)B1vdsWS)-Omn3+x%AjI
zaO!Bz$fxNUY7oN{W!1I+cD}r{PSjBp&{%1~R?YL<Hb1|4@UjrXTC?)n!tJ1>n4Bta
zyJhzRS+O(X{>Ogv^|g7~ldnmqI5UK;N`vrbCnJtB=so>ncGTF6OKi3H!CXax&3(->
zBODKsHv=_HOY=j9s;RN;8-;=y@~59Fox9Y44W?PpxZRi1)DKODL?S0#hcm<}M@oad
z@vXdld{zM2PA4eooSvBabr!7b)zqi;U!mkjg_7bSA$0z-;`M;Gb&ta>#-0Ubd3v$9
z!5}VfEH^EAzR3itfB#FJ;$@CEQH@HL7N44l*BWSC5Rk4SUwiDQ)#D_K*8b)FE0q2w
z(?<Lw+&1>nNS|q{jCPe==yh3me6@~_VJ7tY-udxX(BWY{jJ?T=DjCrG%GhJGG!GX1
z4%ZS*AuijC-9TQi{$oJ8xR1U3Y~m@)uV0EYRk#->UW6B>KBPyBoSpgeRqS7eyT<VZ
ziIR*bpXC=6`~^UM58cga58u@1up2<J?kuTjhb7n$o}3_=tj;1SiHQZ-Wolk3);YI9
znkv)E9b?#<_SS4(qfu`@A7_4+9`+~bDDSRqa@*M451lxjSDdkKoBl47DOm`M-|61J
zhY?f+?Zo_Lq`o|$Hkv~{o{4OtqqT48Dlt~CrE*JTkM&}IKmXtg8R_=b&nC!5Q8cz-
zkZq^G?+JRP#E{;W`4$K1kM-q`V5f+CR|+bq3XDzRGvQzRolIN9R5R9}jZE}a`JXN;
z9HLMhv8wvXQBh__O`7OL+`h5hsS2K_JSGE6V1YI8nnky0>d{rEZs+ew+}Io8J2KWp
z!9gll_e2)FHfXd?7Mk6v3U*bCAGEt}c?9ot{*g!#>#sGDy9CsqA9!?^hG1WVat=$Q
z{$u-_H6G~XI+lip#-D0%4SOOQ?f35LPmOhC|M!W$#yA9CQwXqRGbhB~1ELVD)Z<{`
zbVKqc8<&!NOz?YVCeQWd#)cEHvWu(FpX+C-OPt{}yKd#gzjB1Bw)N7o2XRR<ktMp9
zMt5x9rx73{rj=ml7#|%c(eRMK#?+@zh{Q)jp7li1=}N-v7u#uMf(b|0u>jYA#u^`>
zB^SN@y#@$84k@hgtHqlux?73)^!yz5DQlpCc?a%(jJ8Z)U!N$}+CI(nKes_-*jAXd
zO`LL6v<3qECPYP`bl|Pc!I)mzTuf@JrG3KEHX`L-ODQ;2P=Rzame?jQr6%0+ndpS6
zg7UNyYZc~ddJUGi!$;~5+Oyb}@&66BSG$VEY-RIgD*TNAS9-Vxrw8T27P!G>O>V#D
zj>QnMO%hLx%8LB7SM<%aVgX>yoCgi2<hSbV>%#}c!Z!}(RVOhovxK9oK0Sj>m=$Q(
z09u?VfSa`AQ9k=k3aR5_N?Augz7WjBy{wU|AT77HQ?@9_EJ8cjW8bQ6-Gi~Gi%`~p
zBj_ZvX^YRfX;gp5uqK*gbT1wXh}<1tNc&!YHS@v6R^5SGO)bK6Gdtwtyc>2@T%2}6
zasW&*)nO5O<JaT{=#jfM!$nfx24dCT=cN-eNc-VSh+m&RKHV|BDexAGJs~glPquzP
zX|1zfq`?Gwc;pDZ5KZ7b%VclaDHlDuz92YS@Hr^?SY_EqS~mc|k(b`bA3!>bd3Uz%
z5iE4&MoNq^-c30fDu<;sMX5o*JG(sOd(U_2LnQMj$#B$tj!<^^oGQ%^8)TT`-xg8=
zE{pc51gMk_R&{Z7+<CNJ{}YR0Khm(c6Q+a46=F1IqlXTvO&LnM8%LivH;(oKOd%lD
zf-g!nFE6jielSf~%U*#sV1V4jQ`%l(G8&A=xVSJ0;4^!&Nx!wJF!;^VJ53=U>HfR%
zBX^^B-5)3Wgo6R4eqd9#3JW!;Z(gO<*9u2i6%0+Y%7R`-UJk~>5|8$H76VtYJ3hD=
z(tR7JIa|L+edXS6^WpoS`7h~`OMmz2>WYJ{Ev&IcSw-#pMLHrRUT|~DPv-ag(A*XP
zld6G<-t^-@+2xn`r`3y~{q!#Zf-)*f?E?v|UE|PWs@XJQsCH1(b^=H@7r>+?Z-5f_
z?IQ-t?_A%!1W;2ZKF0CMy8Nc?zD=-w{qYT!03Q6{l!hiHG7fHbc@2LC<?kwH8)mi?
z+Y7Xaa^sf6rJxQ_WKMxlOq&m;IHTlCDaRc${HT+?S%rH-fZ#|6$>7X26&(`=<X3Pe
zhfe7`_?OQUrG+N2l#F!!O#NgLco<cm;N!8K5{U&p=By^WX^iLJZ#@XQzV*_dhYE%>
zJ+C~>yD^Qe(8ohp$na-szE@9?W85nf)g;m0A42N2y_`v|&vz<rHCIrbssE>#`Vf}G
z7m|FNsGrqf_yjVBi{n5D|1&NgUWpfifwHmM58wMc&`%;LfQ1mR<NM(p@>R>%c8$M^
zci*aLK1V$uusxv__C2i>oV@JyX&;Q*qBuMjaylaD?iyZST4IGtN!O#<d(nLzvx<bT
zc6D(n9UsI*v&m>hORfJh4u3r0>g3k>`AjJ5V&c1Kfiv1gI%Ih-x^jj3fpb6JF;G!&
z&d^K0{q|_yeb&A}YP~C{1Lj5A8JE=gD^!WSvbZ5%389s1R)F)N6m4Kab91>N2`BUx
zO&Lt~Wk_JpbN&bl$*?K5Hc_r~v9<I;vKSnEJdwOP)2<t3Gc7N6-oLXC`+nBxQ{H`c
z_3d>1DF1caUYKBmL*99V37OIGE-ZX?)zVFilr*i?x5;}i9^@em6YlFR9WH&#keo0k
zbGCSWqC4lk^9uCb{(~|Ko3FR=R&zD50z433!vO?CBwbDD*lfcNARa%h_%G|QMtTxm
z9?B9?(KFmGF3vaMDpLG=y$%5Ar{DNN$y|OxOj-DM0*L_o)5UkLZH?#Cd{%s?CBcky
z?_ROg>agTZDa^u9N3!DUrRoPZj7<~mF>H<CDd)QtK$9I=7c3o2MO8Vkfw~u88@lf3
zw6i^AL!s-sBWS$zTI$cIAZBJ+f;xV{Dzch=<dK6?9cDzIy4yj$p2d)qj;_CIEh>h7
zHhhOCAgk)9!(lIWN4y7CFJ0lYt#T?$G^R|YZgF557_0kNYjo@UzANpb64)lig}|wM
zqz5;*sFDINfuf@n0G*?CJz`W^5DKLlJ#Ts~%%}ogL%-De<=IUkt_y;zr2N@Eeva+B
zR)H9vvPjA6q;p22d3UbCl1S4=Cylz50*o3rr8qFhUe)5$``9FNi+`)NQo~g7b9y{}
z*9sMM^7mqQwARy>-0(d0N=Bm!5~bFcx`I>@11v!$?WY$PHWm}w%uF@yHGGn1tB)^H
znKzoCm<IdV^8P&XU10KgAW<IylaWqc7$=9M(JP!{18#dOWe^JRhBf3*%^3+dl6}#w
zG2htyOe{3`W|c;r@$aO<$X+)2GUX`Eud^n_GdIx(HDh%G5VifLvC9xOSfYvmi8wtQ
zWkLdCxP&oaWL+&VK~vS_Zt@sD0<fH^f`(@6?Mt{2m3gsreQHB+j!eJgbgn&{Nlp&_
zSFdVE1FPyZjFP5`rjyq5?A44dtUrfx10ZzjlauFX_cs%(k{|NJ3)xOOP`UGpb3S+4
z3NW2{x{g0P7f%$14O=XFbFp7KEKoF_wV0y}4Wm;hc_lgJJe#r`I&|}8K6?zNg6V-|
zcWzGGJJGk{tTLucz|Ut}DBm^k-J8piE3bLE;~K3FS~C<m(W_Zc<m<vi3G$nIZ{28T
zX|{9j*joYcBweq~yRMm@WksRd&r+1nare(lm<&TQt7Qx6$OMKp^4qs>f9gtVYe?A<
z7MenYUQQ2(=oEhnsdN4+=E|SeK}++!sHv`gix}`Z-pr=`HC?kY!NWFY6We&uegR8o
za9!&3ClebHy^0PKN6{jS!KuP7xb6oFxifbX*7=$FH9b&+LdDgeKi9BVdR^=_*Z^QN
z>1FQGq@g1NH#fkMTvrceNFn##V9iZ!u>`G*&E2`i)~_4A7@d}gD*59OU$li2iKp|F
zLum8j!fczY9cSxRRd?7+oUbnyZ%o?!W184h$rKN@4vrPpuh11x(8}PK%k%`P0_xmX
z;W@D%xB85{UnL5bP^GvcnLrg~Zb+?n?-;Md5noG6N(6QI!$+;GklE<)jBuO%)9S=%
zzpdJ5maU`7bq%9Wx+V(#KsEdy)wkBr?3m7fp5V8+zquR9EhNuSsX`xdLmEluqO*)V
z3NEof@;p#%6^7~N2XV>(xFmeofPTEyTNpu->VI_(x`@rxW@~ubSz6S}H|AbIsJYfE
z$j8T5_Yy+1O2lI?uZLQS@rg=}4jrVktI&8jJ|l=G_8Jh4X>{F+QQk|SilEIC^Fro%
zx9-)?B65#iCCobAAV$?`mseLu<LZ*dg1q@cF2#)3y-blsXQY*_N582+qRFJx@itp&
zvLct!+Z#7$!%*!{$Hj#i+Ueb!_V)b}pWA65zVXH(lXFhpL=-~%xONMz`u7G_NfKUB
zGOXe~DBf=a!*u}j?Gp~&a!pC+i9`TxQUEn(rXWbXPQQ@P%gb$8#F@we@1~t;c|njA
z;CULW9UsSF%5~dPb>;4c0ZC6x;$oK{WN)-79<`H>QQR;D@Rg5jhv!kwgJUH(7yOfX
z|CXaGF2v}f&w=>3;IUg?qBOqQg4>iaY=sU#N*N249YU+wr4C1@5ZL@+<{v*_RJ7ri
z_irrz9vfS;>|O51GiT8wvNCBnug#0PIB<E3=(|9>{G{<{EN0(a^o_NDJq4~{5T{^?
z1gZfTt9#Q%|3kpJSe;hvg}*EOl%_{AEGJOxCl6H1&37Ux#rvl0S292Tw#)anHu2rv
zT{BzT691?u>CH%BQniK8G8QKS2L3PCL1?8}^G^Ta*16<wv+fo{h*5rPK>%A0z$pO=
z5aHXcVt>F=rPtt)z8soW*4&|#b>4+Xrww|r%^$^Ppu!uQQrL{kZ*L!dXVCvDt<ulO
zW;W^3qm#yc5!N&jklBl2UGVxqP%@t)NhDt{i8QHL!uGnX_RT-sFN_Z0M`VXHey3!p
z#zzagZEJVGyYiPx;5N3RNPuV!(gCEP-7DFp=v$Jj*@R!S&KJ4b2Qiv4zS?gIz6hcZ
z=$kR)jfLfwcMZ(E=Z!70`G-u`hUO(p+w^}2!KrR(MLXc1gLf*DQ_Oj5(7;`rGe7<z
zjq9Eu#cSnhuz*4RPZJ;mDCYn2^hI)J0xpoJdEPu4E}f8dL=R-WjJzcIv9Y1v;4KMk
z@ZH;%9~G@Yd+YdH4jQ2>%Yy(8xuAvyp{JaBS@9Euw~Vi9XxG3bz&+*I68uX5Yfc#Q
zj>F*u9`kPGV&dX;F|fYG7<I|3Cx8W(o8XpD&nft2X0`Ln?D=Tjmw)MXwr#E?{p4mH
z){6W8^O+@0IQ*fZp&EL6MS;nDpFe*tI+NAz_=jE{{+APn-V%%&WiOMay#=Ps3M{R+
zSG*?++BqMAR7u{={P_dR%E#fMq22}2Ye8#kVx^w{`vt`ShWf-x4TzON9h<{n^5D>9
z5^vmOG3TOLGcO0>+MzCryotg!anSiSU+Zj`qe!=f4J9yu8mRwp@wN#8Z&CDVCR_>F
zc*Fvf%22{6X%Z8@Pq#7$mvlHRSxBy8jVxNe|J&E1E#~LXAr`Xe?$+i;FOUmmo^sP!
zE@A0=HEkE~k+I93J17OzQbC0DEjIyCgFG21RjpXl*Vl(lA!}=2mF4;0PWVJE#X#P<
z73IJa@1?PsPO0Y_dr5fwWklzEBLB>1k#MmF;IcO7js03=^D;?^sEaSFm?S~^t=~u@
zQx0rPTFGky4@F<#)imV$54|r81l8BC5McBn_tyiIP-gjrgqEa;blS96Bt|KCd}uEb
z)U9_vXZ_Rd1i^r?Db7y9dodW4aGs_9SYt04j~gwWIhh>!7#J7<@_#3SHwphwi`Nep
zUP8I1>Bf|_uQ5OF+7lzbfV0MYQ-BCL*GOMt`F9Sefo~}*Tc<f?W~HtD#G&KLz0|nn
zDNr2(Fesy>gyWWa1jyo?%F1^fWt6O$Shbn1l5;;8&2rrmG?F~XHgurj@C(6gSjCMh
zdafi_Vo2Su@@c6hR&0^E9)SVht@tH7NEVcw;)MciE5Ggm{%wW`YT=yz48Ie7AehXi
ztHHpUr?DDL`H~^-^A|9zuO$$Wkm#=DWMy^M4gqZYXTS)&lxXVT1sLlK*FCnz?vaQc
zewtYfz{acmFv<v$fK0r2o6MI#;G&|a*r~$PW|`t~dT2h5{NcRF#>VCeIH<LUQRfl^
za2}(^tb%V}w_(D#{2@eC!GPI(1)yPmR9W=Yjv?hEsEhXxR1!FgKXwi+Ah4r7#PA!U
z+#$^`BuND8-62MS$$c#r2v2YdvPoCL80hKy!x$hF{M*Omm+5)&QFbw~%`S13jiGcc
zRI~dYtbk>S;^D(j0|RfV#l5xtiU|k^v`_<y<4T`gx&rT=_DEi5Pe${^RYwR^m-|y!
ztHRfqJOA<LDkK9nWdG(xg4_B~dP%?4KvH)9nrEJvgoH^vFxQp-SKes=co;8G4N6ac
z`B2}ueID<JKoOVn_t5BC3!;-YB*jU`3G?3${ZA^Sy|r~;f(l9Ob`2ef0-Mt^&zbL#
z;ex(CBUy9-re}h*7G}0y*0As$0CBcjYeY06+F&6ACVkErjp<@7RskAnYC<0$AF|ar
zyWfCKx4XMr=H5LP#UdVSrG&x$e$6iBzKB}+$$0zTddt*md)wBwHjw-PK-tyBY)4-i
z;M(5+;FOmm_G?Ohz5VRp%$rNrTkH2N;e8)4%dcapiyeJtPn71{WXaX=0H!Ntz0Vm)
z*xDG+ri$y6h7J&lqXw`PyV13;B^bhJDr3c@D|%^R5HEjucJ4hr>?h<*t`pj?Jx`0a
z*CI0fzc!;N8yo7bJ$@KjNO<TM<m~BdrJ}~)QJ676^n7pkHVu{c<j<a+3)#2IRh|6W
z9?6#3hNqP+tE``)HtIB)`W)i2mVr{xv;;8;(39F^&iFV$a6a|BH~}Rm8`j%(0WA2(
zZX%%~n_`jum6hDz;3jw?PYHc-YAV&q{yYH`3I!o}goX7%0*RahfaB&bzyrYynk{{|
zQ2<L-R<P!2*$R9bWacoX=%jyDPtfj97L0xyWeKe=RXgFjpyoCEWKigX*@txaogZu5
znSR71U$m=^a{KyqJIFG7>Pu!Ooi}E`?5@)oVenk{+5!jW=Sojx$)_|<;GD@pk(CJZ
zg-P|oS`TYeA)G|!ycIZmP~x^4k|St8vjl)3(4ddD9IRhdMCAS9QWuOe681;5g)z&N
zkb15yD$|`Z5mTyg7)ABy!wb~zLm~xry4qAvA!;Jjl{c}@o#7Jl$F+4T0w*p&P0|^F
zebmRASp?YxPNx76jI`XSDTmA4San!kW*nQF`n6NhV!*AG$zlVHUCgf+drHdg1vqD}
zx4enz<*gF`gq++qAFMQ)V`;7|Xca<Cqm4CE{k=&dJt0A-9M<$!#m#||8H;_-$RJnu
zWg<^T%ty8!JAH&vg%!7{e14m%jYkb1@}5qGRr!G~Et;o>G%ubr?K`aP@go7UCcOSg
zK_w+6_IIpZ0%ui<)wucMW_}re>TJo8C=}uf*cpxID>(W;RTOXgC-bnezp0X=iXj*D
zjf7taEzj{R7A^mra%AAy<5T0hcvu|b{y`;vDrs08&|2<^gC+k0QIcuXDnhXf)E>8a
zItO%*AMlVQezNNDztWaM33Z%>pOfAehuOV{EVX>+<f8hz)nLw&B$elIU?o_SQ9nWE
zYZl@?$?wkSzZ-QfQXPgv$5P2QTd#u<6A%E2)15gRQpHp;T|`;HKF|T#^c&8$E9q|R
zu5>!i$!f+6X|X=N#4wj)P2+U-ak3`hNW+Am{(d4t!ze1GBykA#k#&(Ck=hjX$!aEg
z{skMS)X*1xMI#IipW3hDwUUzTj23O<#E7+l22*1JaY-N_0F9^&0d&K6*|5<m8|KZW
zA4%tXC><a0mO(!;#*YnA^M!V9qT_{fML8*ToSIvnhZ8=ZGQ!aXVD#D^*b!6m<;{sD
zC%7>;zL<@cu4Y|RDX8Pg)l4^DSBgJQiMr~oAM7JvNvUrGcGNiL3tnE{cd6`jafa=_
z!Wmxcl<^;5&>)f;g!E|u?d*-L?B{;X(xJus^YKB38lD1F?h$I6PUD=28n2&aky*1c
zJU{qzM8Bh4qLDl9PplAPo<$`G8{D8@wkf|1W>L5G1(4#R48Xivid0Dz9oHhaBn4S-
z2{GVT94U!YF?(07IS>?Z?wkM`{8Agr2I>VbtoFqMX~3pKvp+wjS#5?scBv4@SX^8j
zlx*p*oKR@#s2uNt3ZwALAgr+()C5<n;+rTZyYAA{DA(Ff4b`S;>&C$job3P@5^$Ns
z93a}{xE&y3^F}t%**Q{x6^^K#LH9;8fee2FRhBBYo4&O=y%$CVG(We{chBU}{PJiy
zKlPm0qt}PHe<=I6bJ{anYGc{bAK=?uXwD2wKwrnI`LV+{OZU&B1+##?rlg)FC`=`p
zx?$Ha;&!b8t4(71cxS4@*YP#iC(ELTk2J=kvGk1<4|h&x9eZZ#Y(WT{Y|IZX8pQpr
zVnhGkM`Opo0coWOW~37JR^-Q{nDCDGzaIQkVrbF$iLU4I(`@nDZ;j<6uB+hBrk30f
z4@61#?U^);^geN12r_sbcq3Z8K+jg1RCJ&K&HZ+#@1(_TryzlUF(W@EjSk;Pxkq-a
zIBFy_7RQ(lIHk9{*kKBe24rcVA;@pRQ<2X0v;Uq&gca);{sVpg>C0Dxe{T5q@2>z_
zzQs)cX$Cm|FOdG<FMWPGo9ZPmUmyq=S5%jgYnJw<j~eCvHn*26{_(_8a*|nf^IJ}-
ze1sQcY4y;Xm_%VH<28LV&zrP>V+*S2C$FfNg?%bfvh_2vGCSjiBtTv-Q5C4?K0LF3
zf`p#YPP2xys0pcu=&EsYm%W0f_w%ss_NdE$-FcaIb@H_;YlR*s;-k!Y2UI$P{r;y}
z@t00w^%TX1AZh)eo-BJ0$rVrkyWE%7R1d<nz{P8GQSYm6`ax9(urOcJ#}`-^i=NmU
zwTvp}{HC&nyJTODo8>sF)}Io3S94VRdq3)+6(}Dk@Ts~)-4r)vXx#)ZGmuvvwUI=d
zC+VQX)sqWs-~X|X%<=dnXdV;FUn0>-(o?5oD?-vKBh<{eAMU1CLB__Uu-vyveR;e<
zOdWqDF=Lyra!uyw>)@#gdeAu$BA?Y3D_Fex_gEcXHBouqo7_Mz;)A^)I(LU89Cxza
z<AE^|yye#wNv6yR!ET+HAb)zH+RtzYR`%BkLrG_r%++;%@rF9$7%Zbov4ni*D_#FN
zkmjsIC|^lxCO-;g%gL5IP?gjn5003=q$u&Q+ot}^oH*~;v}Z`|v7kSWbT;xEsNk>h
znyfcANQk&rcNc0+3Z6n7zE5#v)#m^_L6H5+yM7ZE*N8VbuE%fOA+&b(_V0}J!eU}b
z|IAGPnCyC5Zld;r{l$;9aY`p=k9TXo<bL(S**hyQn#~W!JfDy!c2<(w5u&~$L(Mim
z;AOrOS_P9Ap^x_xDJE-NDz)J7Msu>p3*i-rw*)h<wFS0i;VNw9!FQyz8tkJO{~5cH
z7!8~zHV!UfnGtTj#@JmoJ3R|qA=g|7zm6aX(VB2|83)jlQM0R3Dy;qZ*!9ns;NWZ3
zR0j<JQq;W!I`H7$y?d24HMXC-@ciE6{@9zaqK3!V2-WV;5><pfR@5H9{<=L*NyErw
z4ux>l|4#2-E0Nfo5Pjy5NMZ|rbvcr+LJnAmhPGRS=|q0mLRkN#%|-s;_|3O5D%1(z
z!l@<!>o%tmM#v~Ijz|)1`NW2Sm&KPQf6|>%MP})7t>86$3tCF6B4{d9p5iC^W*t>`
z@b%*de(Lo7Et~ps!Q+%q?piImOT8Pta~3)#Ywv!wmpnV44>0%h`}h(4EYC32ks{F1
z_kMJ+i<|3WAK#h=^b%Lgv4hBuwRZ$Npgou*M*;fti;DBmzVwYmSFgrw`sZs*cnI`d
zhkB$QIP6DsXS~3C^~uV4w!`A`#8LG{*@xFqPa*e%dg_xE*%b7estn}5{P5<33OHWX
zuv3_~*A0~d({B!ZQ~M6f*K||n@>86buWwj=J5Vp&`<-6Y?Ygs5`#$2|6KSL}=@yb4
zpPZ+RTq*v2c13uxweL#0GfAy*y7_T48u~P&yIjU>hStu5f48ARl)FMAcxA2LmU^a#
zQ0A?fhz|Ut!B7VaE{Xf#uL2fpr#{~F?S(r+R|Pb!=)L@zoEz1k(Qypp<lau$EUjJS
zrRr=Q>fPB#UE$h;2%DGOuaQ4AeXaJ=`h@o!LUMP)dUULeTdu*8ax@!?vfflfO67J!
zPkt$^q5FRwiC5d}hNV5iX9Za`l~o6cn9@9e?|ZC1oXgL&w(V)#VAQMwuc5bh9)^%F
z7*(v3ozR8oV_XAM&F76cX1V80U!D)}&IR#MWdtp!Ncbq$r+<?WvZ-(rsBi(abHL)0
z&4x!#V*TgOOcrm)eFur5`w>X#o;zJmN6v5hr#U@C8nX{36!VOG0rXzdJIwaEC6geH
zCCkRPBrutH=%li);Y)f@Sqj~PDAo{d#32DjDhCHR!qSi4gV&$G{q`v+HvQRwM7elO
zMBxvnPO^YUCQeRO3X^LkFW9)HTO_1=75Scndj)rC_WEgJag@f1R`__F6^jfc^Fn#b
znJs^?4$zp-Um;LU&d+7+Ynnc~yZ;7G@I@yk>gGyUrU(Oj13)eLtq@+%kFZVPMZfe|
z*>3?SeP1{~<_cPNbUY0@*u?IE8&<6ZwwpYB^M*#l8DS?%B<AVuZNTN2)<vVnaP8#E
z!R2!Q{^y#^nrXhtM6IAqNh9nzmBRVfW$M2Kc;kFSPK3mtV;dxl`zoK~H!;vG367N7
zE!ltdwR@eWmB{24uJ2VB{A_m?z|FY+_A{M`88Le&A_z$))&U>53u+R?hHY25kt}-D
z^z5%wo$70`xo{Le!5rZ%O(0un!!jmx<Gtbsc0uTI&9tEZ@A9UZ=0%_)3A0b~H{Ckn
zpxXC7;`cpCUaNdKOkCCOyA?&un(4kd(PHOyptiTP66cV1awMJlj;Aqou;O|t?9&Jq
z&Y51SHA!X`)@NLbiYB^>KNh=TUHNd+ssQ!WeF}p<VJDJ9nN<3koe{f6#}6L0->3s6
zDTmPSDX(AQM1$)+@Iz{h3F%hxEKdFWUUsq)gph2b*d_Pb@jQ4w*B=E$)_L)1yQ{6~
z&D3`Pk+kV)JCzO#C+z%`-E9u#B_R&>l6mg>%CLt<+Wzukma%m_(YCMtu5LOj9hFh^
z7JG!D2@eY8cbFUd!fu>)KA7q^!7kk1aBrA_1P|d>AdWYFDUxCFpWuwf>+6h@Ruo)q
z!cMHRwh>da?<fk4WwYk5I*XNg(aWVx85I++pQM|2H~5||0Z7pDvYr6aZfU5jvoVU^
z7^&C&^gvKKOJmXn?fym$LQ8tWQUX4?aw0ACU@1N_R*5JEb5kp6>^$FX%d6&)n@iz`
zWDqh6@tblroDYgagxMr(dXf+?P{ie8Kt-m(<?~uD{HA%k)+V(K|CS!n=0Jv8<`Po2
z9ChoOE^~|@@{@iyif)JVUUxfK{;^t`h-bt(eimYW{oCy_gh(nRhvRj;c~u!M^=hJ=
z?OHhh>+UX&C$yu#Z8ofLz85*rIyv!QI~%zRd;AeiNu2&MG)NP%Z`E_K`Ce~`%)J0S
zl=EU3yUXu)9Jf~2(&ermjwmyOM}>~yshX=d<UaM#B{}{<I#+`)LI#bocXL7qw=@V*
zmko~N0zSjW=9W0N8V^iBiwuKi-IfW#{u^>fy4S*e$Kn){O+4kLbOHA~Al;>`QSa;h
zlg)jeK4`sK`U?SP#4qo7kpONl&XAtN-`qR!MB<IgtGgpR5h1*WJgHX?_c!Cer}Jd;
ztF<)$n1$a{D{zDGz3!ZcW7Cp}k?4|;c-l-qsLynK<7+8&Je9b3jqP6G87D3{d%v}E
z$vteWAboCrd2cyyke`n6A=y?y92)g;BR#*{dwQW$qhPJxu>&V$#NqU6mD{QDkfT0z
zvf{F_ggVV=X>IR;t}V*4Xf-Y3I|Tb6jtd-dF@!EY+(*nh(bijl#2)@1zTPq_syFQ0
z79^xaq*FqqJ0t}`y1N^syBh>lT5{-)p}V_b0EwY%K)O?!XXF3ApLeZyz3ZKiewZbD
z@45DMo#*j8PQEkwR#s_)0Ti;8BL|IHtxaI{G`}Og>~;>FCHnq!jMcxb-{&~8Z|2u7
z(e^r6A2SJkdxF)MTOoY}rC@_71Vr^Y#>uP2=$=G>g>Kx49S<_Its^{u)p|wRes{zn
zAlz#65&7SP`uk6Co8#-1?4uKOr;yZW97?3H&Wd!}ApSdofgV99`{6B8u@flKsqB3N
zc#A1eo({(=;pk7??p{^3txSRgn6w`BTx9!|YJHzjd3s|sN7~To{g?9ILzaR41VCr)
zeq6E2oA$%}4eYvcH&k;QcMDR{4Hi143Q{@+6|(<+bL&5y5?(`i|Bl)gF6wDtY~J%d
zi1)7lys;YB;eHD3`;~r}um61?ul33D&P5(M^U@V?iljj@d3|+BeQm8We@8#(c16~^
z{6u%rZ@Bbyj3HJ(`(9T1ubv?8K?@(5cI37_Tsyh9;FY!b7nY53u7=LD-;-|b0S!+V
zRYs);_qFMZF>ZRC%pG&Y!etz9iw?gKSnO5T8%<0TN>*1NP9Ac%Dm{6T`8SPScM<aj
zKSk;V{H>)ExcD%$WbDXfde|4P(h(p~HY~noAmbmlzf>nR`r}D3c$LuY<o6wmiSFKA
z@@=7qS~+=`kij5(gBZ~OM&?%Kc_01>t?htWw2rg!$9_NDpZWf$ee~zs@1~st=g+62
zD-PUB_>Sl!Q;d9{no-Ah-6A*+W-Ssn{l35+xNtC#%M+4xR?n`>82sBA^{ri(d=;-O
zlbBVm>Ru-pFlh1180hp3UonmEo^<$!2wyo%%p5)S9QrR8B>=|~E<sC$Un%NezkYaw
zgHu-wRP>+gv@|T^a}->J%K$ie4IHHE=&Y8H2EH9{cl(=p``nhR=Ou{ukM`&|3r!Ax
zFL$h2>Hk?QGRNi5w`KQx`1!zszV`-V6N4E56v&<<;+K7P(?v=ILO#6B?#EG>q<lsF
zd@3p`bu`w|&&>j^vK-2i2Q`Blppf{pCk)G4Wx9E^cWw2{OGkUdC;74uThWcDx2$=#
zZH2WFJAfX<zQO}8+SL)j^#PndU#Fr4k#3&u#NjHSCYR%W$=Ar*Bzy%X7^{&SmUd6#
z(ahU5u#C7;KIY(78I}Z_=$jA`<Rd0~5L_~}w?^ZkMQ-Hh2k-5-Eg<GL=7}Xpgj`e6
z38Kx4*NVvN!#SZ{KMbV-Y7-!el~km83<5oK!RU*sdR>Kic@%VXD1d$76*{_@q~xo#
zv^3S(eV{L<+SWd!u3}~m5JO}f=1YMOcYima8U|C+`x2U(1VBNUu(7EL7Rj^H+ZBvl
z_Yo*{U~zDa7@M2RMT*by#L1}*jC{Nlyb^5rlKM52>=DtqFrm!c&+CV0fw>G$u(&mC
zj%=BUGi{>DMX9E3&gFNIF#b4JWzmA&uRu~3NKe{(&xP5oeG#A>plP=Ypd$ro!7Xvb
zzu1}IZCD{8eL+{8dNY0hb;JKR-JAj<rFSUuhKm!uyuP&fz$fxc4>l$o%a5MPA8Tp3
zNrWQFU?SJ%i|;P>2~hp9G<1g`U9jE}t0tuhQU`WAL|XKh30B-dt3GDF!{1-G(E$z+
zkJP0Ee*F5IB7)?ja-Bk@6_oy9xkV#Yg`*C`TsliJs3gJB)m0oorMT7bp5H!S(9IKp
z-pum}8NgdXAmV7-ph%d3h~qn5lC)S*Y6$Z?rSCvIb_kTDW?oPhiP8Pg27?_G1trsj
z`r}VU%qI@8=!$4#cHltO^@2c`Gp>^{?>?(iI0FTP>+6kZhEnNvz(L}34GW{!1PnPm
zlmJbdI>md`ax8=nlz>y|?IFn%$!sQ}+-kmpUKgwa6<E&%WDyJ~TZM5K-nW7{EWjd}
zi2%%a-B#~Hhmr<Fu>7ZeJmW2&YhlkHaNGJX<8OB%xz=Ct5j>H=)m6)1a%ChfWcLJ>
z<d8j^ObktvQ8mAWA?El7@O*LKe<k6~f8E$rgf44EbomRkdvp{fLGG)nMwj%-+!d(f
ztUcRjhT>>Xfyc%&AF8nkkp&9V0_PA801!l*sW7NWAX@g=@PKZCOvUm3l@+x{AhnPp
zo2i0GOHii2ek5(CkEmI2`^DslddZB;no51uGcw9<TDdR=(0qZ#Dut{vK&6_=9Ju=b
zleEd%vpj>y4!Ojytv<IP5>%Olgvfwb!zaK|VPs)Zn84lI-7VUByH`RVr&`VG8b_-j
z3K&6Fy!H=KUxILB$0GBls8F_~f1d*49C2-JBA@^hX1Cnj)zt-OF_uP$KRC_7l5avS
zGc+_b2-MTnRx&-eEX~dSD~|x630H-F5Gb9`Rk@1~WexgmMc*87DtOs2-rU@n!KX|W
zDo7+T>z!<++5<?m@7dLra+j>kuSmN2Q~<W3aXVbdPe{C6a`sn0H+=xWzC|lFm;Y`L
zaD#*-@V&XdXMG@Vyy5HV8$lt1V+Ib(pCmO58i@)*{Jj+rT+i6#MtrpNhxG(Vp|x?T
z!6}Jmrh3^GREzOl&;df=T(GA!6URPcX4c+ruk~f;F3FRf8QA{D_@YLC(x_`CiEGbj
zFO}WD`zi;xpW;8I78cS@PE7&5fvMok$4A^Nvjs!ytedlu3d7#-*k1wAQs4XVQX6P~
z$;uYnu|WGSW#v##>{eRE>#*pxQrHy+a~T=-2b%#w1$c?5c=$2%$>(QK5PaFU|1Anx
zjm)g5WAJsjWjLI(Au%joVgwm9(gJVoqTSX5c-+eALa0yAnX<mJaT?~)L2iK=p_WE+
z1=YgUg+%n}AvCv?mNDs2sJzW`^_Kni(JUhZZJa`*PJwMFin;%RC`!se!9YF1`uXo!
zGA}?_f41U~^1B%VF+6R{OI|*{b-;en|6F7n_{62O$jz}YZO<_!u&7*3ds)wxuif}8
zh8iw?o49{}z2Ss_j9iQv_YHw7-&WSz)_hN^MES5ahnwfe_Z0X=2xEy>Eok>Ir%+=Z
z?a~_!Sk$rbEb1smZyG2%D=Cay3+9AN%x2HFbzR!^Z2-@bCL#QJ(Yv$j-O;MjmU>WH
zjEWjSixZZ3uwRxuGzp-UXY?ehS%ISNGa`l0$cyC>jdw=jZyCvd77X07npxCj<HkKN
z9PdLa8+33qI!$|Y(7-v><b$!P9@FRk9K5?!V(h$VDyY%zFKy7s8t6hP+FAqw)kf&=
z8us%FJTRm$z6J!um;%evnG8+P-OTlemF6SeFx{*KXayAzU#pB;bgd|wTid^M_s7@e
zP0OjrotYv>)CiApy`e`v4_9TalH(E1qcJZr3qK2oa#NQmXR>G|h<l1xR@I0|DWOP9
zo4#0jNQ;e2L9S5bsq>w;?-$=-lSHzVazr6Xi<INW!zWTN`jebm(p(GD+BPgGD`R@@
zG$w>x151}xK6I+yR%ZzyCN!H}=+@WQYbW<C!Ox2<A(t8}ht;G_?>G1#RcNO@Y-Nfj
zX-PjCX$%ZEaLX!VYrh$8t-+3Arzak*mp2S^-~{M*gsg&`FCy=eI2fozMq!f0;;iQ|
z@d`tqVee!CT73q~_r~VyciX;IP8W+sCoaWVX80r^VbXlIdhFx|4@{pKf|u5BOo>zZ
zI=U%H)Mgo5ZGEP+u{5=PnScjbTevus$%*4!4KEjg3+GBdNP*ZL2tVYWe`hWAbB+e1
z9^q`kRZwV<=z0?AeW??7bo_z()?BX%T+NR4^eZ5z+c-gx4%&r=zUbsqHvke$QUz5Q
z`D)esc2Lws#xS=R+{_A3;NwRZPzcgV9By21iMa|$%x0>M$QYi_s`WoCd|X)nJ#L{|
zS?&8|SQp{&*SYutxT^0DUr6$eG<lp-ii%3BSd=h)_#i1bQ}B}y8(S|p=l#2WD(oMd
ze&av8^X6+NJ~Cm>UMT2k=ywGluj(1qo8?6lSL1Nc0C^CR*kbJO241#iBYk6_u!&q^
z${5cwqCn5+D`YpO%2ye#fzjT0%F$orkdB1(fFNC)xQERnGlHD&;t6KGagVO7LCUws
z=rN8~cHpfr8@1kT%=LXEb&QJRqXZ%x3yGA7ycILIKT+XA{o6NxB3AvB>V)Yws%_Mz
z%ZF<tR#U!TJp`-rCwOWhHo8#Cjmq$46tJ@%k{+tg6xQ0)1&X7H;o&Dxd|V+w=C53j
zHzLN5@nXg)bf+yokVetR!%bZ4O%zL;kIQ41h%V(1R|z$VaU9xNs{2DA@KR4ry#PU)
zB~w--P&O9iqeg1sjA;two?Tv0Lrc@s(<e$aSO9<n$oqj)>MrJ(x)g!7(XhCYvh0U9
z?zVwu?#@baw^X)6qW6k5)KBW0<wKe4BddgASfN<c(xVt+#BE-lOcBXEc-W^h3`J2y
zfj6riL3P%bFgAhG(Fv*d*+TwGAQ0X@^UsN487a3sOTVT|nccghuYR7t2(_A*>sH4(
z<98t2qkZ@6VKnDtJwAtx?K}`pA!Of=AOknjkM+mf5<nJ=;Vw<4AwNkW9AOEF0yWEm
z&eg9xp{5;)`-#G|p|k4MEF+_{Gv4i3OB0w=7dMI9b~9x=(R!MS%oq;XnEfrePh~Z#
z(4Aszt+~s{zP_symgJVJTFb`8d)GwIRsWEz<cgEV_6S&7k{6<TYMC_&reV<T-1ByN
zbo(J_&mUa&v#)(Lx&(88l=CUTQO{P&s7w|<(R!VV)lDA}HY~nMpdb6ln&t&uKI>4=
zRFHCr&O$=G+lLSYw0u1oLKk-CLxnwC#l1sS>8(7Viskk8mm1yqAEkQQL(RQIOH@xz
zdzmR8UDfIGf^?YXrSCp-<`64s4J6L29QX1}HXnz$*xc{A#~Wo2{=5)-ae3JXNcI#}
zRr8(?2wM1DbV%7hsy4xi;U>bIesyPCTQ$eW{iMgMk+_>yR*>Ef)tIR{^#Yv+iQ24f
z?_?FnCuh7bhBo-_z2vocL-B@xJ`*@NHVqqcV&bVqP|<?vC)kfeND04_7!Xl-d&J%}
z9~()W^s;yHm~b7dGP2n&dL`x|pcNt>_o3lJ8n$5KIM}T{9=cW^RP+S#YE*BW(tb-1
zTZO?X`}z$LHew~eT1`+e8A4GIi!PB`tAuCca6}g3A)Q6z4}eo390z64HTOCwYHbbJ
zf%{o1!fwvBqrzX3fz1PEo%DM41BE==WwUBY3yQ7&<ez6MS0uT$>(7NVrm=aq4XbBo
zLaE@jBxd64<1Ec5cv@m`*>IhkNxJS)5}_FeUCV8MjaPQA`i-On78Gh;@it?1A8fy@
z)Zgl;#ITIzNe)VA!;|}bha(fQKP>QhewRkDN|ZDefqgsYN!+%bsNb*y0!D7byX^9t
za!Xos`BPgRIHyhKJ_+W{Ym&&#oFBnC*#A-6m>HWVw~t2}5$2s#g==bH*O@}4^?j%7
zE3lgD@xONkA=vAXfAc`3y7OS0bjMpCek>t)%l2Zd$&R=Ak>qEzzBs;u0Rli&?PW9O
z9ZP>cs~>5sym^E9xSi~U?&2i==~p_q{Agn<hyDGOpRDL@0R#Pr3OjW^Uz4c}>PV@S
zukNr}%)`<BR<c*Ttu%;DrACv9cH_358b|f&-4we*Vw3u`&YauL*(NwR)%&;&AJ`*I
zOOM2%j{zIlT#NAxUH~T_-UAZK;P_RC3oJRY(mKiaYB1+}DR4%|6Xul#{CwDolE^s!
zivO$g64DpU28eTiU?>D@en>L();Q<APAZF0RVC}On@8d0R`f`1RHL(z18E5sYh;3h
z@rUkVRu$F1uJAGXcLO2Xwdq>T6)D4=Q7m<BW`})Ams%KtSI!W2YqXk!k0qiI3NaHF
zeV#J%a2A??r52)bWp5^plo_s8vWjDIbyN2mS)JWVNq@ohDthLZN9`~xuocy7JOt|W
znm5DKd{0t8c@7qr2ORncC5g+zFZae3Hm0-`O4v4++jt{i)Y6^TvRCdSGQA?a<B&J?
z>^4ZR)%eZuhPO>Y$6)kjYtJ!{ys!Yy!}3NI#OLnv>l5R7=g!oef49x5G*dMHm0PJW
z?8l(vZN2G@M``AHEVu2JBp60CIaY#8JVpa2VpM7cP-L?a|37C9@(vGi#1HmlugePh
zcI-&mylwn1HB0m5fujfI(kk(Ww`)*tTe`NyOn#_}eHR2ce_ES#0%5(V)%z`;oyoqF
z&4B@lOKs-#hiBW{rO!&6w|heD4Iq-Uv<6UcwO*{A0dXphD`eLAd9g3w63XhW-oIZ$
z9+d7fvTgoiEQ+mLAYE;gJR_fKnYCp>kzXCz^0zBMvgci|ZHXhr`LdSwR(AdIo`!<`
zS3I?2HRz$$-X5BJ&&P?(IP}Rtr8?+V9Xe*2`6tbw^@XAktp;iSl=IU$lV~GLAB2K-
z!4Ze~;=w|?@S0i5bMVa6Z+!-yp`Sf=Q{pGs>aupx3To3_m`ODOS8a8Bi)=g;lY%d4
z)d_?BL||~Cu5lBFkz`t`(V4~v{q3qu(K-jK_*lm~#1Y5iVRu;%KiXzEq<PXl|1v7B
z{F#%WhQJSii`uDAhqsvg@<+W3J^KzjJ|w_dy60E=>Ux}9CM-AdX(AEcPsjoOxMKdt
zw-HOLYvXgcd*@xG%j93KY6%bChs>APn~5(6Ss0b~6??!*hFe)8!M_2Ypv_z*9Dquf
z57!?|<c96dUjjgDH-M{@c`=dmyOn~KncFfdbQ<J!Qh`n98^4LK`*7d-A?m{4M>7O5
zCT=exU`1|nmS92LS5?g1@6?D(n9k{k7P2ff``@dR8V)an<Ll3%skYG9HF-clrH50M
zk!zNtR9VH~l^#tqec^gWTm8Dhj}x=du)VAI_8>U=E+yMqQGA>dLP?<@)e?m~oBpkw
zfh`k_->Q&ZgN53_TEveu>|`U566=zW&{OQOk&w3^M+p>t{9adXV3hrAGU`AX>W>Yj
zur-no@7$%ib!-@@w({>NzHh`GQiOt2{_fe%MQ8L`N<C1-B3MgRN#m0@TI3VyzXJ|v
zIa?KDT@V1cqI&-x>F(;Vr$8<>CNnb{h$s?10iL{5;Q2JZ+=J2&(mfklBN5T?)&R_C
zVFB0@sWnz(8!+mA4=FH0S!WOI)$F;(C+<Qei4+M^JgQu1x@hTG|JJf%XN=Kj_gPn+
zU$$m)H(H7DD*c4B4qq#KZk)|?h)_(v=Aft$35>&AhOKaIr6gkcSB3AO7+WQP75+Sv
zJ`?20OVi_pd(+%XR?WO%)M}~M(>~Dfc_s>XrsQS-(yKCw-YHbGlfoB$_<PYx(c@)A
z9f)b_W#lHd$tC?}KR3w;+en70t(4V<+RqzQsu2Xy#SNx&@Ekn_@2iGUo{C#rON1>Z
z{Xkp>yxbf=7y87&5wGU`o{so&NU5aSK$&EnYjNTusu!Yt5BO&ae-WjoB?wUlDDN!X
zxDmozWWMHVL?RMaLqNPSJX!mSfP4o&-7nuS9rpDR_+1bw%;#>0CM>Mrvhy0<-=F2;
za8ZhhLG<&(YcjH;;XHo=i&aJ5yShM)uoVIh^9b$!9$|uvz;~|><`DHoY*j%HXQ-TH
z;YOawJmhsz`bR+IKZ?xH;R3y~nbZ><6H`6-;IFn3;D!(`^Uq7Mo+`jN0!)8tLcZFF
z^u#J(LSd<lT*Oy)D-LIvf$4D^Ha4WS%2pp}`Vc=1kBI9pAig!%x!RYV<~>87HJm!>
zIU$@{YqQQS=Ah_+aj?owa*Yg%E&b}>Cy=zF8jSXk`^<MksKMMwb!Z~g=-9%|_1f87
zC}<Gjym~K=tUzsmacWx|#Y0kI21kh~H`YeRq~$00CHd|LiE;G!j7l|RcCVIj<^0=s
z=&a#0QUlyx#HpgLM<#eL_^Nv6hN2hTTw06EWKAqYGB#%##?F$NuI^4u%t~4rCiU}N
zzEbUDO8ks)=VIg$5-0tv(c>sBAz?+lwV$aOMZ@YAq-vM(qusWrh)*IP4uZpfMd=Z6
z^AQJcd$clo@?hj_Tu#_Rtwytfdy(n<9+Ht1<HlMDFGDL3TD>eKRq23vyFX5Ajh{%i
z8&v!&y~zchj3aHaWfYuPcsLhY3pdetA2jnLT6L2wGa@9;z9B`NQEi$j_`4<l76=h}
z#Ll4FElJA-K5yk^!Nvq?Nj9Xtrrv0_PvpDo#FgIm26xPXLPDLTlAZa?A_FV8t58AG
zzPLWYc-weNiXaQ{6HF{U-0==HHVONvvCd7gJ!yHdi&Gr*E1j>d>-G{^^~CA!s%K}V
z?d9ZD4V#yXeVS0ZX>tSk-(?;$a{tyhDh23W)n+=ZR;nzxgFc6KG?g{Z5<fq)9_R_g
zxE`^Vzt0qrl0qpM*ZG#Y;zQQq`-JTCcbqoX?Uq$pMFlpW&C|MYDW?C0-Nwcy#*<r~
zG&)`;W{UreFYR%c^sQ-r{NmU!qJNl5XchABhzRsvnY#@pv417&kxPATraDY>X`STB
z`RKIk=jGx9BjfZICngd{Dwel~ePhTMOO@%lYMkh7)-X6ZD<3(0h)qTcck(=eIn37N
z?N7L9>qM>B8d&l($!rcYo08&zbx2u3zLPqQS`Nwy;v3({(91A!zhiWl-y{l_@c`hO
z9kl5e)=WGah4mlLNV&4LFjU|I&Pe?_AIlW3kW*4Al3}e;heGspby-dN(E(%ZI>6pq
zU3_}a#Ud~CZh?RcF~gtIiX{AGZqh?c)|VKN9pt1e1~j3$!99?diMt+Z?-9MQw^haG
zWL{8Aj5vp)zLKW!7vDf)7f+AYA&AoR`eC3gLZJeme%6ZjkIJ1*+}W8V8!p}~b~G;l
zG73lScXl2g9&3P`THUf#E)WD74U-6KudJ(?EhwtO#mA*QpC+^YS#-+EQByjT39`%s
zFWdr^74!5At#&>aLNl<u0Y78Oev;Y(=cm3sDh`#Y!TEsA66>UjFM#>svT^g__5+@3
zG9m+X+?&L-o(rhm{gw}Qq@*JY=?iK6m5{TL2?^vdG<iuo{vt1P!D5)&#l=PSp-;Be
zmQmfmK_qhjytTD8CL^PKp&`EA3?N!yTU()NX(W01`Jlu$pPTB13P2a3tgJkJU00w~
z0#e8nB89<V&yH_d+73F_<ar+tam?TSMa6lUbJ>yDTx3WbBhBhTKs_1wltng_@RT2O
zBU!J{P;&9(#>U2)EwsgRGXl)z&(Tz#TmU$|27>Bptj>2Vcd9nBnfSQ4ApodZT+i}!
zmelbq&g}y<pg#Z_TT9J)Hfa>X*<V{-Q=_BGpLAI~5d;Ff2~=K}d-)540zlwieSwpR
zFPRQh2n3$Hb?n>9D7WRxbiQ(u5kK(r^7C#$5^6jwH?0T9#%H#;%la|RR~!Mgi|5CU
z2X}5u8dv;@A#$GON#a!QUX#Vd&|O>q-!Yg3+?4RE5BB8i(X+=`a6qO+#gMgz@qZ{V
z?f3QB^VdL^rIw@g9-w=rmHX~@CUSX!IFS0J%h?$bcjpH<NM&VxGOr`0+reC5P7bB5
z{FLOFY=1PepQyAOJs*-w=N68RlA>zXsIB%`yKOC7?y4X=dR)Pk7$o_F%P!G(J${_p
zj|nZX{_@7Vb`b)ByqC<nk`h+ZQQU>4WP+bz2R8N#<p?Op-VUt&x~qsi5?=`PTPV}`
zb!spjeI9ftxcCTAER><mZ<g+tdwLun8q4=QzkTyspM9CoF$Di|nQb3t)aYo;Qx_$4
zv5OxXNBax5u^)Qk*3Rp6Z5%RQMwvLUv11x`jgt>I(fW49rT7#Vx2nz5`B{7p>j|r)
z`&ZnxqC>(Unr1ZCn|&iiInAMJ4gS(4D-~ut4Bp&&z9~SvDQ`h4ncWN(V6sDv%N8FC
zrpH)XwU9Yztd-#-D<B5JuGZ1nPXP`tdnB4>6pAzZ1hD8}WM+yFgFOyMEUFC2bRzAJ
zJYR^fTuGiD#xZdR;|~V%@*;>3(MN+pH=ZGlmsjn)?#vkW9aWf)9q)|?E2B;>oS1Pw
z)yAi%S5)(DdhQ1!h#Vf+RQfHWe5<=GR%2BO%5xI9`<poshSsolF#k5<=MQ$>Xqtj7
zCLmt(mH@)|Pp<O3E)TKC5FX%u(}xK<a&M;nM3X|N<ZDic@hh?|E$h9;!+XKQW6|^1
zmlg;@bj>fn)E6<Tban`c4&w)aUo{;NknFJXP7ivB0XC$O-YtAR1EYPFSniT)yPtY;
z+sewc3-a<1vV}4Na?#55+rSIkwKX*=C~nGS55pmxYAZyX+Ca|3GQzMRMphN8Cj_YI
zzO`9x&(($-eew6j{eD5m#uZ$Hu~nv&1DEbM<Z*K4^GAn=jqjL;LGx5(owa^E*$N)^
z2Lg4AZ<9$TED0WkHd(9$38`_;Wu-06bL$KXHXn`oqC1Z`?qcFHbFX-)jVbCgmdX=d
zon3ki-j6Abf3DY=uR?wBV2tibBZI_ut_O%5R+-!ps<@dvJsz$dtOo=Ii7t6R8M+)}
z8xI%7qmRLIDb;4yugVJ5C@Os=48DbWC7_v0SDw!--hxZTo?f_{nr(p(BQjrO=nxz3
zHXu(s0Z(p@9I<^52G#gm56<zoT;sQ#<8B8)2Y#xmrfcYW<OAnY8lO8#_kuwbc#~Rk
zK0B9OSC3RpaYg`VTHstckpqx@QYRA<>;z^}C@lF{lh>7d_7|F&7q&02JS>1O)t_86
z4>y_v4`0vIDK3j$x)MV23OWtVwf-54u(9hfCv0;Z|8y(;!TSTI-+8!o{Uj>-#>qJ!
z&;CV$9C0A<2d{Sqo)fU`v+%aNG97uJ6YKK1qOU}qJqW!X8yg!O8R006D}e`PFv~kQ
zRSsmy+rrj&0*JjO-gQo4SXAU~w8#2Zp8xTbJ(@)nCg;rt8x|H6fR71)-oi7=p403u
z=4Mq+Z;t`EpbUWt2a5Qxc)B=1Z_Zsd&4+>~L~^d<Q)R;T*mg=)8l@9{x?CY4?Un+j
zXAbNmGg>~qTKId~cU8g0=~U_EESaSUAI5<sKd^6&SLB*>beFCBVnQ2u<P#aN%G5_j
z*7mo8U-huRiH8i1avlJ^`*gvg#BkKTZ;yw!hV$*4m2CGV2bv)V6$&0K2Xb=;0MHB{
z@XNE&TO)|*X*7?F*NqdU-Op~W;cptMqO`*lbQBvq9scz~KXK-hMHo!Z@;+a*$SE8M
zk+TPX7C41<k7_>lRM5XDvM|RaUcuhoZK5xt6_Ej2ZG{&E1xZbfd?_;t+-#Shwk{TL
zjs6}XsMO~oyrSXY*cC<cy0Q!I?l#7KonRJ*8Lrq7GblvE+GMnhqH<++EM&X(XI+um
zdW!uweHX+|P*gF-pom?=*%|G3n?%ttrE6tFAH*AJ%}TzVu0$=U<xOjRKvBkWu|;Ku
zaFV&l20sYC=l{K~qi7IQ7ZPkxPA*<onQX@-CWe$~oI9Kvqt28qMrZmhWN(rFe1N;r
zsHwV4^{2XlIQHC!^Lk&Edc}V#V6Lc?#5k3r<4yV%I4Xg2vOiCqxBbU>YJy|WaaPKt
z`xjYdJVgQe`gL|(+4~r}=eGxxteA-UlX}9{<KgS0MZEC{?>CuC4X=(NK6;3+AC`RT
zXaX<>xM7OMX?vZt8&-VXKB8(ju7`IiThMO^icdl}o^`^6c01g7@ASK@GHe*=Hr_Oc
zx~NaJbvK)=&cBo#lP+JWB3u3DEu4{0R#M`A%-S0f)xBQfzHxu!QuY=+l{!~9!0Mpr
zeX)-pb(}=@0cWuGOEoS{jOWfQ8ZPtxnqgRB24PuH%2qnO)a%LR9zq?SO!@{pG1C`L
z=ctwTf3?c;;-9-@j*k!I9Y75!PX=UlCt813*b$*}Zu$!4GBh(YHKj1lY~h=y$?8hA
zNPme2TIKCF6%dqVcE*^3gCpDd%1g%2uQMfJP0h+cO5XN(rv3IUr!8^0*mT6G7cro1
zU`4k#NmT#0vk-&glaiK2KAZH+xqx{q9sqrgW#4*Qpsw8XExyL%&v~KhYejOaH|V9s
zbZxX?3Exa%a_!s#SAK<Kr9fpAFX<P~PfZ4OA1}R2hlW57l?|UgybXLBzt*7YOY_Gm
zlk%ycA)un{prEWn6A%b!Sn0aPSe{yB5QS-Q&W974FE5z2Vp;AlY40z`h1U&O%7b!)
z%Pdo8SAQcG7taIO7yg?OcW&wt$<VL97ZJ>N2?52PmFht$UJeO6+BjU6+|NxsDJAW|
z^)MJm#HQ5;{&OOBG<$`}Pxq53$*eFo#!2aafz6^@^$Pv6NWw_MDP$Nd@D=*SmsIXY
zFxYdoJzce_ws`mOFcK&ZJ&V>}p`a+4v6sbNv06ko$=4+i?rmg;zP8^m;rF+%ix6VU
z(~|>5p`WSke<Myjb#@mYKQUAzJ2<q{R!@xG%~pcFx^M|jYQgCa5`YSA^5!j%&V+VB
z=w(wlhaBLpx~wbOqPn}mC93+vl3!vZvgkTBao)I)%)$7eQD$<Icm<{&(glU342!G{
zcM$!{xe7h<JcChIGe7lh&HTL<Q`=z^wPz<udpJIT`{g3wwYXxj0s842moX}}wtTO@
zYuTjJ><O`#d3&w{QGQn1UINFH&}3J7`SjKx2t>CxleNHK=I+;+yz(Z$7HKrX+kB$N
z{D=$Px-?U<VK&)}1sq@o#lli`o>c>aBu%&qR^ncun58fWMWv0R`mm2ro|W&WTF0g)
zDaoN~XaS(+CuOZ{<8Fu-!1s(g(+z3&^-bAHdBcUmM)pIpwkUFq$A@GgLoWyz>p~Q&
zNgdj6*zd66yOF|9i7xVeK;#SCzuU7n+U|Smu?5=Q^Y#`K`v7c3zfVugsxia$y!#wl
zM8CG&;yy43tk}TZ0j@(JxHTi}cls0jMW|ha*2SJUFZ2p-W$)B}%6OXnww8c^u%N)6
za89m_$~<y6nzM&H&&Q=9s=&;Q5EO-p);sz#$H?A3j4VAEDrELFNvLFP@_gRk6)5f-
z8Z6RlyG=<J@@<AuMn0>ae%{~jHB8JiaS}yGK9Z)9ra@i2<oWb<AAf-tm`KlbB|C~1
zir*$qaUjWRKzm)uZEsc0q@`I;AC24r;h9BwTAvJqfy#X1?PK1<XnLW0&te~1MY*4h
z&Sc{<wo;F(PWl#fj)7l2`&dI5)4G)s`Kw946>Rb<x1pgVB{8Fg#zYw&q^x&$vCCkk
zEm>!YGA!llGE^S#MmL(Dzgfi1CD@t<ZJvyci6<3yBQ!F~C}0#vaoF3JuCtxbKwuBq
zJWU=?qR1yBSZ<<%J6yag;{HIBI_Z;Ps-L1^(6E%LDv}gXa&!J>YyTCBsJ?J{cyraO
z5fkWmtbjtcus_O9N`;Q5<~L|bRQ%AbtZ>z5z>z87=^2?$N)jSfgW<npl0;GV#OZOY
z{hd6@vW8Le${gLesxk+WsB@HOHNw8*K|R%ql4{H7l!Uz0Nc}%5rfqkri3vD)!#2%q
zjF~w&Bz$?2wqDWbPG^5cCgFD`<F4m+aQiE2r_QHqD>Lo08=$o?{#JRvA!ieSy43LU
zdo#PKx??i+zG^GL7XUH4u6EzM>FP-pFL`;)i!06$7ot2qVri)^fPpy~Vd?1X8bx-K
zXa1m+u9ei;-;Z}>+nmMgC|n(W09e4V=kcR@96k~F=_wp6Tg!&V>CaieK`z1gsP8$Z
zb~Bjs_v%hhmjF`wol}g@`--vka%K_Z5x(AK3yA&_J-_X~9vGTi2ArXWjvKO0(f`kR
zW^Z}*(XC<c#o*$iX3GTxL=6l!!S=lsTN@z9T6?aIUfE#XUu>OUAKnQYZU%Mq&{1KR
zmzUG;c-&rCCKS^RIpH!j0E3n;4(4&5ft8BDWy93tui7l^>~Bs_Pp?M|9)kd+1^;;f
z%X1_Xh~<#$>+4G@C=39ZNVOA{#G0xqrE~)1%hZ6NH1znlxZV8K!l)P<`0fwi-MZQv
zRsUcDb+*qpuDlOZ{2vCTMF1oQdLDPE*RES1w{hEV_@0X{8WTXzEPx7t2?O_1JiEf-
zM8S6=1wb_P5NguTX@8)7{W7Zfij4uq{EJ-o0RdJo(+xZ^aTQmnIW{DI%)h_D`0=7?
zE(`aWgu+%@R*fg58^xA>pZB|lzSs+RTbrhWR4w{$%vcz$bOoNKZ*PpQ8^4<NOH<UK
zzPX5CyH|>^UHW7m7Z)MB+toTCB5U}}#{u<YeJNIFAV=>308namr}zdwO0E}Fw#w4x
zdFW+Tw!>RLLBRK3m9IFUwW)h!+Ih|Y7*I@BX_s)#37z>00?{*Y5Sg_sOq%u^4dD}K
zuO}`zeb)(MNul^P^dC2rGcz>4j9<@P|LP3AyJ`BovZgL1H$8XnWnal>d)+oCGMYZ|
z$~yN?Qu6d1oFzapVmgmHCeas0fLdWrw9<;GO~*z3aonjL>S;j{r`^Ipd>XQsuS=dt
z!Hgpr!4<(1_sP7*ks4R)NN6WV?jI|pw2Ye+Z>W6yL$V_!3P7z&cFVK-6_yd_Ly!N^
z^u5{>#?Jn1XBKKsW%w*ag-UPyH7{paH80pZp`GT{r>{|395qG$^k1pqvuh1f@ztJF
z6d{nx%F(uLHZ(u~Pm_zSw9o2xpjoO_^CdMWR58i$Js>LpHtTrAWA9KzUJ+-@J%`b;
zl@h2c&7%S#TmJ^m<*1urlj#6WduMgSzMl<jGXIT_%lRoTAz^JY{pLT~AGHLO1Z4z2
ze;x1zk!mwKP5yrgOw&HT@W#h_Yg*Vd(-kY2IQ#OS*!Dk$2^=!)#h@VEMt*4TBNln*
zMhGDrNrf~2XC!zo;}k$32Xj?a@)-ifa?jt2tz<T*<2hyWPYL_qKX6q>LJ}jpAV?Qs
z`{V<(f0>knBf_!MLld53M*luJ{aq`=I^0Mc#NQE^1oc`^2DcSpE72A(DAd0A3}b+&
zcsCP^3ut3GXujBD_CU4w5yZk0a1K+Key&DGbhh?|v)O;+eh$L}R3lL^2!k3z`<75+
zDmFc{ETNVp-TTYh56_N1nD42ilsxo#t3mH9{NBf($a&VPCr2ZqkIew)*k*IcvSY^h
zZ|<HIdld7P)oUZc2khw~WFXn$;N+}mwzctiC<yh@V4>w&E=VO$TOwWC+DFI#41y$W
z>R|-Oqxh0qU`cS<=@-~bkX_n(AT$=40a%yZxtVr7!@23}>eBesBt&=aBZ)0UmkS`+
zm|>%HMK?eL8PMT#d!agRj-DJv+#Crlh;Tx4dOqGbeqfVlU}MH#$F&)rd%G-}dpftX
z+BM(h;h5g!gvV0mGy3**g4M2IcXNrOQM=x`C+?xW*mR{6;2b}IXgMGC-f-Zb!bSix
z2LK-Bpm2)QdGp^<5Z{>KuZNiwh(Z!Y^^6(uQp~xdtlM5@W!)gN^7CP$(XK{OmzAQU
zSP78_T;>iKcBoGaNSbfub_VSxw}>!+@!2$M-6$#R=+ZQ!CTff$H`q8%AI^Q(?9wLF
zx_(XAZ|K>A*|Au>5T|5`xrY}{$=;9unB6in96&o~l{jREKkx8=)y|OF&p6dTLYCTI
zes*G_$uES+BKt_PFp)?*B5SR2^|6>e-XC+X>DD+un<Rn69m+UXXzVv;`sk3CoY8=L
z>p8w)y?LW{=A~AAUzM(zlWA`~pvSj*?FACVIwW|vO=Bc_<80-aVX`&eciv9SAgKP}
zMJM>)=%MkO<HrqGj;sT5t167=Qin{C|8r;o@jcC;rbFH9sPZe`n(a5D&DSaYG+%fA
zF9xK|v|4T-qs>Fhh3`3!2mm{Qg+`Ci2p{SLCOul#ZeoD$5jQ`BIxX(9wF^$hIms^W
z2vjqTkvF41xn)>Ax;A`)Ep?3yHan@2me_oT|8;nWTw=Rt2EaujEgfj`$IY)QUi0+Y
zw`E1GcJ+}JZ?j_)9a?BUrY&>`t&mi{%rgHIP8u!;9mLAGQ;U2$>WJ202>38ESX~{3
z{%d}|A|3X!ED(W8u+D0qT{7!D{4gBK_Xfe$$$?$Xvf}6w=qaWZNqs++6wBE>)*A5Z
z1iXWFK<`SxnAM~)lRJ*+b7ckX<hoxy*<kAy!Ao(?GtMv3iAEpg#pHYco>SG{h{9{$
z`VcY(1*pYP816PJB%!=AH-nqlfc!Q45@Z%?g2t`$<SN^FPhjiEC9u>&D$f|ZJxz*b
zZRYV;BkdFa1vf51A3;>lLvKaFw)(uIhFnl>{{GBG+EA6@fYZSzgnp2)0mHWGMf;Ja
z>8WmMTvldZb7(f_8h*GI7~;^5uJQ(*F`Yc{WDUJ%e>2$O&|{j-+>C&BPaNG#rqTsy
zrd@ISPu@BTM&i2>T+zbm+b#%b7L!*9{pW`lcQmRZ`W74~_-kV-CN@5Jq>w|k^Q1fW
zEj6iv%DL^Kt>cX;UzDvtMKzbLjm@+VUEC&3)`zJ#)WG>RhMjP=?oToi4@=yq{1^$)
zOvAeoecm+Vl#X-ao?4?8c7@eY#u9rK7XIp^QosZHX7KIv?>ccJIB9Ex3DAX)N(Okp
zSZO^pQ$ZH_Wl0BxGUSZ6#K%TZM1N}KdoZA{w2Va1BK$+0lgNY`XDk}qXpI&@&Oq;k
zC^gFA*@4?aZW~lLK~z(e@%W(eYI5s?8Mt`=v!$!+&?~M?clSDYMGOY>M+dPCO?~dH
zx<BYkxyac_Y&{F%;RAheIMOd8&B@wxv6e6f%*n(e($C%c<|8&G9T;EIg_%?xfAc(1
zE-=Do4exCHs*pCPaTv)%u~DTf`@N68N8;VNVMU!Yu!AYrUt>0ZowLmGx&i!NWWIWR
zUAb<9jU?AzK%FRRe3@s7x2BxzC~C0uElHwbjps>IMnrN00fTzws1}gJ^rZeo7rb+s
ziur*qaJclsdb_xqTKuo$A=KngjG`DirV_NtEapta-9^dFZGpSU5qewt_jr{Yusg9l
zvxNe;JGsexuJk^>zI9Ei#O_$_FHz_$<N(>heDR_^0oECMCqIXQMzE=^bbvCo1<l5f
zip(x@yeE{YyVV@{>`6G_on-yyKb$CEZG_=%$XGUrm)KoAwIK8y^+;W$w`u1X(*rBH
z1Q8d@P?RgzP2}7HzM^5Eb%Gtz!;Ic-dwx8-wGxe@fC29Y;TSWZgv&)g@DeEjlbz$*
z5ywQBS?O(@SaJ-K?C<UWD2+$3m3HPu)H=c=48$-eZeN0_Fw0C5d>2~|3a97Ai&hJj
zBat8afYa*ZzDn3r=vxy2LcK`uYTt?(wQyssLMb*6+~muMo3s5sa@HHLy*=}xr7l9P
zV?Bo?8b;u&QV*+C*CnS8=Vq`YHjWL5FFga*0582+urV=9=L*(Xdp2+Nl!6+e{V`5N
zcOK;&{z9((syzLoBhaEvTlGQIl5jRkwF(ak7w2tbMhR>G7@Q|)`O2R7dn}cAu?K;P
zab%%7FmZC{>$8dL*<}uBU>t7F%v_F^wCeD`)NO3-6o6w5fb&!VO;5FoqNU82jh09?
z=<wyILQkDkK1-eRiq(!RaHEd7i!|5e-(#PWZipOU$se`ny$yR$S^rD2VD*GBS<t)Q
zC?;#0*~XNy23sIf;gZ4>FQx#QRN`;%PpkgWUt1AuI#*N&Q6m8j6;}=PTS#Kf7HhrW
z=!mJ~qdrTI?v4`2$q(>tL=>M)AiO$Cb{^h|^`AoW_E;U*x+qmxxUu^?PMY14>#uN2
zp<%}sGasy{d^<nq?-L=7&`$tV54J$N`C@6*<XW;LxmJQIS3{{WGnnsaSn7AB%W_Iu
z4f_D)fR>1%)<RP0d{v*x7%-I!W2!2_Rz8azcA{ph+;6<v_iD*8j751b2Bww47Cw{A
zMFia3zv}ald9b)VgCM!}Y$Dd2T{1r@&iiS1@8`ROF-}#A2JfYZHJcT6@^$ue!p*Ih
z;Zoxx0e30CvI@sU_UB6amWL}PtM-^11tHHGFGhNHb(LdiNiM4C?e%q$rIkk=s=2hf
zxw<;uv+cK3x9QEZ<5|5-JEXJoQ?0$dY!A&ob<qb<959_jl`6?`w^af@wu2-}ZBv=s
z`r4P*<1wZluk!3S5rp8Yt_HcO;5)74t<CgceiNVsYNc;0IUwweFA(yvLI`Q~1^LC!
zDiB#0#ELs6DP$56n@+xG_0i>IH}U^uCI!;q_A|2LahB5dhh(rVRleu)#)A%8V6k3Z
z74>F(CKAB@C_ggo(}=Y|MRs?&qj_-XVf_rOP0civ=IA5$Q;dFd>M;qgMWlZl{VhDS
zBOitbSC*`ZK!uA^&{-y)3QBNoGzl?VjN1f@4fsVR;P3MTRc~JNtm-!mU@N=Q8C%e)
z=BA^@aLy>iDwAWxBzEJXcA<QyrN(p-K>HHa73Hd&w+N$mL)romZ1AB6y&WwqxUpSy
z^c!mI68j-qcx4~(eab_tZOzpun}Gej652+Z-y4fr-=Fb4sSdZa8_2&lM;bOZqBUS)
z<n@4ICfq8fnrG#DhLh<W=+;F;Hxd{K!3Sjx?LEM}#Mk5onZnY_W>&b6c(O1cf>SO>
zID|$E%stK}t8i6DT++VETM>!5$zo}MUB6cWsS^9sx@8yBH<_B-@v8GZZK~O4r5iL3
z*K!&tAPtR8dw-gR=8Zzaw|}u6Pt2bFv2`9nUwv{<s7Jt7qB;xzqJ!15nn5ts9B)LF
zbGeHOpQy1uMmg1!+66H`#$9@7)#7sMsZ`{nV*Amv$yl?uKSk-_^+Vi#=QxV3tmR;x
z0#aTWV1CHK5ecmrsq>tJ;vY@AWpmFHP=DfH!|b`?iUs#49%|17APfwfN)UOs)N4aq
z=hfI)Qq4ZJc@vkU%$}xc{(K;*7~vuz(H<>TV(NT2S~Lr;scz?#%aTh}8r_$y{t8<`
z9^VHgfRTOGxd2n{8|95;?Q(5I4m4EM;r#KvDPV@^-b5N8S_51=k-$`AFj_xg(M|mf
z&DId%+1}m?2V?`#8!T+45;rrdcGgSP@=Ns$6zYDW{*Jj<)^$U<p<+E$r(g3yY12M=
zG+&{EYQ)LrAQ0BLn7>VrD3d1LXER%4ec9p;{VeNDP_ad)9A`-ZNwE0T0<3p9#mr!4
zzJ;NZiWfeg9J;|~k&i$;8a?XZa!y{N?j6kr3mx~OO-wc0BMha%J2bUY8yyf<YyasP
zrxf^Sa-|u1(yd>Hp|Zc7cNL+P)tIdLcUGHA&XCL}qVxVVA9~MVVRO`3&2vVx$!7^B
z7ThsNrw|4nGUsYwR+=s3D<oOy6&9A5VHVFq?J1DY3b5i)8O}#-BAX=w0&Ak8qN*U-
zeLloH*i7K^>%EP@7YaPz?!0@(mvJA-%3pEHqR}O>gJ^@}u_D<YUy!XIX3rd2UcV$e
zC|k(xa>cftZfq#2p~v4k@9`0YUX9My)zm4S7hvs`*H;|N7;HD>-jz6NDGZxERr|8I
z(|$wr1aH3^ADx&`Vp`RO(kFYK{gLVkCy62x^y-8{)yzx)>5LfStb8W7+q;T5`rVGZ
z<>P7m0AS_<I4THmi}lqbSbeHy#6P|z|00&4PMbu(9nS4n%J=k+vUw(<KFN~A7~S9!
zUwv8SH5a^!{l+*}5Dz7*xEk%OH<dq8iJNJ>I*z~43t9*V$LfQw>nl#3G8MiZ!9<-a
zQz0F`mnlB{zanZ<<qx)#@4NL8QrY2X;bj<0RCQ`WO;=S!YEN}G-jiPZk(2T{Mp_#d
z8dO6sbe#%h6W3KVmFjORJ-IW{!M4)-(0-=HAx;5LHR#gvvKPx1l>ca<`m2hH^~OYN
zx&ltw2ALXEcT5U2JCf|E&4eXvUN3CB96rM4mDt`uz^J^5^NuNde_IbxUTx}S!jC@2
zkqvg67TJn@N~aud1LC}&-iV;8=esRB&&@H?K-COOJ6*<`2%Z4ca#r(Khv5Sp<FXou
zhF`?Kf!$d1mu2aa)-rlq0TyKfz#St<`PKUxO|_$KNjp4%I5z4;o9%1S+D=$0+rz}i
zUUD8R*2h}LP33~Pvz^LMTq{DII%TPeap4ood|-BR9(*n#R(9D0wDX(jDB^GHzkadr
z^YQZ*d4}}$6+EE&lA;(7H<r?xJ~f4I)HgJIjvnjU^Bi<OyWo^z{Tga>d%17ngT%FF
zcdhC(K<Z9GLGg(J?k5KA9+27U2h?1(Z;C!`16W5?I6lidAm|nYN_do1RM2ogzy!yr
zQ!lGiz4gx_`mEjX^z0WdGNn#m^93BM3#uD?b5*&w*;P=_YkUYPz!7c1Nz<hwF%sJ<
zEw|2mF<e=f2t+*S{Z`cf1=6$r@gcUh)=O*T`5+&{nVFoNT=dMgj94p{KxB9Cw}Y{S
zIsx29n2YJqtR2`Qn!$r|fbbs>is|E7^~v=TNHQ$A@XLsa2>|-;Rx-~Ohy?t%`nS2o
z<r>GYdXQsH!!x>m6gdt>zhI~g3Vgmb*>mRRKw1qV>-;=qp4)Dz2uY?V6hq|@rS)P`
z<^w(bq;w#$eJl3!$O}L(pOY|6@;s#}1@FJ~<mX0moc7G{$1OF#n)-y%>C&351klY1
zrO7tuj1<<6Jx{dThkX@@tWO1BVU@hsCl-ym=2+dh3gqWv300Adxp^=WN50bZ-BF7I
z7kaz>su0kj+G{d(_q&LlS@UQ5Uo+zWHs>jUyxaxgv2=xXBbu6;8s1-@J|~)4?Ur~2
z&IYN#Omfy;3jb4Bq09;Wb3lx0(ZPMPXLu0X>bzZl^7k+Mr73gzqbBnPj2wNu^EHCo
z0enRkH&~X}6R{i6qBHHUZJB865BugIbxrhOMP<M}6MFPKt5E{aMsJZTDd<!d2qemf
z2G|6Xz;?`IX&-|DyrsmAV?PK4iX2}VC6-@#SLy5&8d+8qR%$IS<p}rl%qcd>4K8Hf
zQk!m~E)oPX<N9yJ6F~Q7+RqwQx}ScUY3dnlav}1+TU-W@CvjO{b@uciN<{06{QT?y
zGW-AFxGMK1mTErRd(`d!XpJzPo13FJw@Cy3=QM-6q@JYmPZyY|)yj$h&STEcfPYUa
zPuPDTCWRCcZJ$!$nj%_LW?oJVOe+J#gg@ryG;Nlf)fmc%fg)5=TM5sSXl`w>wT|05
z+uJSHEGeMx_J6zP=(Y>BUC$;vIxE!CoRp@TnwmWfY51gHA#^<e4RhN05(^l_qOAPJ
z?P#f(NscKpPT@QE7Xf_Wk$(O#;d^t~&+pN2s7x9L2L-7nI63$A^)>q3u*;|M2HGyx
zzvF3mtoBF-%{L10U4)dSw{g4L0w#E|tzyB2w-a^Yz_nxJ_^-xl=7f4CA?3(+7N@ed
zw*8V=hxqL_evt$}77wq7C&l?1o5#g><!CrKIIy;tzJ7++#mPwkFx&)4W&xyYg>3@;
z)E_9MFM&a$((O<?jn5S|BqRh}`VLTyHva2zP){lx{O<o=t_Or=q0?OuE&Gbj=~q3H
z_sX&!HnCMP&xPLa;I}@D2y@=e8)x9i55o|V-?fg7Ubg}yK5a4et`+t1N_O3d*EcsX
zAkwYD#=6@mVeiETbUtY=m7xC*O7w;LY^llF!sT!QS6p2D8MvAT%oXM)gCiz+I<r7u
zheg(tZ0dITn-Hw6>U`Sn?OWWh&ii3C_Ld5IOi*X6<-j8)(#ricwz53q>_ETko|g^a
z{rl;raBa)t*0=R#BC4v>C&Ic~&&|k!z6*)3TXrNZIk+j;M%NK7jvFy!4uZa~Q8en-
zzfkyNVUY`!%5k+X3;RZm3k!#j{T2M4>MJy$&{9YE?-r^SccaY@essc<XAT@}azK)|
zVCgzirWZX6aF$T$ys{EHQ=Y`$JB}=wZ+Z@#%F&St`;k012mr$@5imcemPuKSI+cr~
z#_h*XU_<{rlO@CZNMyC$7g~$p!{@RSfQHXpgkQ_Xnyf|tk%Lf}>>7n`zIcb=H(aWM
z4HFIo-2tm}^}S$N??t%P`~oYMc@)_aa)-YmQ9%T0&}szPxB7Q*1utMs8(|wiyzSIC
zZ`c0(3Fx5(AGPTRMRF8IsO?7(P9me=GsCK3=BK|Sq#BJhg>9BDODvmCsgTzsec;(^
zO7M$gY_IRUU^V&HvimNP=mVMLDS@eW1nNh;W`s@U0~p8A=Tb>f$7B=0*!v?0q!h<m
z_WAvrbHRY#vo6^V7>`ljAuhES?>nBO1ypmQbP=U!I)X#cH+$ppuV(*UN5b)|wzYNg
zs3nGN#h7#?e0+S_OrhnsMe*aeK;%~RuBaZc=9vDjCR61}zBzoNS*zcllIxkZZnc_)
z`wfgAQu}lcyp4K+)j9B4+7Cv%X*q5uj*5y}P@X1|df_m+Bcj>hEA038p4j7Dc$E_T
zIT_V>uRPDpaAh&G_=f%7-mFh>d7pZ2XKT+``*^O{xzTx8GvS@3{1w$m+xa{@wLX2)
zFS7&$gT*k!jgFC-<eAvR;VYiQN9ctB(#1heBD8F|8NYB`uUBps3n~qGY5zBBCX%AA
z9J=Zd5stK8PXa~#_e=Q>PE2<~u(W8P0#H|8q-)BN3Ct(`dzxR;XKHHax%guxXAg^5
z?^t^AP5L90_NAWKCONze4Jm-IYauvO#ydrs`GP>}&$PvBzCY@`p2#JERW;4Uj;vGt
z{Yb#VAucK!^ixrWQ@gol707D?%IM#KA<K5idX~K0pM>WU^o_^fn-Cx^Bn742^5nN<
zn$Z0-?**1fmQ|a888JfRK5c|A3ra3s5~pxu&Gg$Z$zNTd_i}7x)Ora}@nNWJo@pj1
zz4Utbk!JL5R=n&N6alxR*98UEpW*Y~*xZ|q=&MvZE=N67^5`n)QFcRXV?N~~kc<ZZ
zg0dC4<KxD2j$@K8&CWT`&j>p1vGG-twhAl_3u1l5WWoB&4w!+hh?L@tU#Ad+lb6=N
zg@wWBe>I^Jm-u`CQ$JD$jTgbaO5?*DgT33EXw#u43BHH6RwCPl=%{*6-3MLBLM<YI
zsR=}07dwG5F|WBEPI|C%ft>+ZS4>>Icp&G#q|)6n%sX|=>g4~B_10lgwe9*aiik*=
zAgv<s&<)ZhAe}>}z>q_CiU<Z$(p^$BGz=XA62j2kB9cRQ^WEd~zI*TA@vT2R)QJ_d
z)^%TT#=(K+lBN(Z5p-&r!lzPMNeL1m=%?rH@Z3am<W57)1>MZ~F3XE=DeZ@YoN$A8
zk)%WHaA&e`BjL{&Y=zh5)S*PjsOxY8LzDmQpSnl{NwJUHp}yyGve=?}2VFzMdYGWY
zcxMk)!J0+#gPNGHx#e_+Eb?LwDk#4VwubB0Xd90HsY?16-)rWA{|w!E<t@W^H}vz!
z)%)xqY#D=bYy{sHTr1Wsl`^`}=U_yj=*K?;;}nwu+7MOEa>;XdwE4sq+3=NXdC38)
zP!PxVQ$F<xq3rd*s~>t1=H#Mu1QI;I36Af`aPg-oyaVK|C;y!oEwTAG-dwqA)N$LQ
zjnE#mlNc-M962b67gJ5eTHCkyhmrFr=Mu=9nk;q4PBaIIVb*n0;Ira(`^D1lapSPw
zrBuB#EWBplFU%jt5P_+;MwP;X5`oIvOJMn1OMvR?dVTnhh`{~Q%MoRb@2WRH8-p<x
z7rPLyM+f0-M^ZVvh42q%9aaxIA)M5A&wDJC`6@B9ou_%iV;`n8xl807-?Cr$+FbPn
z$LCQ{Qf~CzlJAu}2M+5O`v{t6&ELJx1L9irpWE1V6!xGdXiP+67)Sd>?p52+KI!Js
zIe0=}xZ9HQn7P!GS}N&pd>N@5f%l?nYF^gV*DnHv@0OF@MTp12Vn>*iy82hRv-0B}
zW)!c*>-C^pLhYG9US5E<I^s)Tv!XA__WWtwdO?Fg)b})tqb#pDGuUdNjEI!R>wD_(
zM0DVf_di~YD(6*>GmZ|S<;&&Tq=H6{u21LU;V8W^#{0b3|0T}=S2-?4sY+21vzHfH
zg0zpQKc?mOM=++QnHP>Zv62CDxz@qUk9ZI1P0nTr^%(z7%pgBnW=TOO&+*6>yM(B5
zVI20Nf%Y8X#l<QUMs8t4S^=bO;p}9Y)d61Ph8_hc36Y(7>Hd0dDL_g1i$u_E)9x6?
z+*1$GohmT+ZT)5$m1uJX)QmNG-54#Wlg2=O#|X1v)2|``dB=Ki6zMK7zBt)aFjM_l
z*wfc9V<bVHd)(YUqMXb7b&wI#62XxAHa)pS>#k>=XTjl%?*h-^>qo3^0;d8sHWMYM
zRVdJ?P%J2>`h|wsNU2ljU}wP2!}Hgs1`y5)({X}puCm?V9#W^8duokvs!D&W^Ole>
zO%yNqDCE>pdTFO|=;B4a*T90v#>aD(-vQbXU9n*&Zx$q3cnB5l#s8<;|H$0w&yma^
z#quBukj6s*s3fP_S+@Y$%<y-XX=wZIOy#|;s;p-fy1<*e+Qm_e>agZ^mG-dY8&k=t
zcHiB0Qcm-(d%Q)}p^O;B>CLpg{9{kH{T##In3zYyzH1&b?8HDk+Cp+!=;h1&TauV7
z^}RQMfSvme#x;SA`K+3Qj11y2Kd1R^n97<|10JXU)#OjbVnBquKMeWcSGH0*oM~<-
zEmu=$oJ#l@!Dy=iPgSVOjYp6UxeS$UP26@p*v?p1xVHx|Cx|82|6)#VXqq;CDP*5a
z_vZEVOY^53`wKAtBJ$Z-tTLSsr*N)eS~GUWIgKOT_&%PpsPp)v(Yf46__}w*(ok;B
ztw)Ch@&)8<ft}LE>?K;~iNMU-py{}sSnpHREe?k|(|;&8Hq}&hK5qNZ8PIz&y}&=1
zOYSVF66{^c`HNsTtl!&nMwWFf17KEei_duLT|sONz5Ft&>QAW5Cc!F@z38Z(_XpaX
zR6kL^kMI*>|BhKTm0FA>KHk~**xOm%IzCQHL`1hb!FelB*-&%SEaU_3o0Y!oo!#BH
z2*g8x7<N2$78DjSj7s!^^r|Q}ybC4OxJSN@>jUIS&V3dDXl8XFGsvcRaBPgk-rk<6
z%WG|j4r%;zZ=?q#*J^+h+)cMLIRykB$@_G(_#oT>(SZcg@cQI<df^mvH0i$eaG6wG
zydH6QI1pgZC4lm&{1@Y@h%IRJ!HhJ5mX$&25O48WuU_z3rbZs0PV*HOpeTiIP7?!M
zKGAEH{*KkbMyE5^ucmYUGamDvz8AalK==GsPaLczU#)SV+JT|rXzIblWbGn=hDZXP
zkvYF(!v^4U>Up{p9~BvyAvolJb-JRoq~4=Qyw%>>iRc{r0`Mn})Kq7!V|^3RehM!n
zewIdJX;fLdX+FBe`hRlz7F2l>@ahD7tTgO&-iJFA&x`)e7??%@68GrFa2Jrqzr8Y+
z%M8dZl?6%B@VTLdaNcv`&UnPlxqE+}d{aWL9~85V&RNci-luS<X3;)u*s-B6?+50h
z|Ns1bj1848N{Z?M>{!5$O#{|&)Cld8vD|!+amo<_b#@B-%yFZV?_=f+)KaEILbsm3
z;ixEFR{xJ`?7ECMn;5`kmzS6ST3E=0f9iQkwFej{&&9-y4~>jeRo|90oyi|cvQZrY
zy?ZU3)o<Aw85vJ&YHIRNhkU&3><XEV_x4)h5CjJ4fV`ZxuP03Acjy2NJb)v*=$xN7
z_N$J(tkiPDgO0)ZUFwcr@35V>a>mB$s2gO&8VUUoKzvaYz$GyMi^~Au2))OL2GkE8
zs5>;qD|CuU-b{S(ePm^OvO>0~GY!SufkBMGAOElBOjcY0o9;VJA=G~*aly;MVCVt+
zqIdIu6>nFQkkDT8|M&m?UxD0WUGNk<nX)b=KR!Ifh=$+1c~f)ycVJ*3d}ewYlZe_h
z=+F1r2w*@+z{DZ+!GE!kIjMJU`nPemsnRdyW}+~D)nFS7J`Y|TIBf%3_%TDFUQSMB
z>pu;=IY>dDG&c=(dDCwJBZgkETgLAK4mg&6tykFQ0rVL6!Tq}%f012F4^Wi2g=cSQ
zi>;)?!W#btdLR}5w_qjM!2E>8H`EdynVkex+u{#ZKKK`cQTN7Snf0%?#mMtlN}naH
z-q>05{RM*ER};bb_V7V@po%o_Kj1#+7@&YnozSwdVELW9t1sCxSFC}G5rulfK^0JQ
z<phIo(a#GIVFm}+XR89PTV$Dl(vRfuZyOZjxnCA5%_Wk>**gMVeo@*EeizIg80L5W
zdl$t$3?6l0kga;KK6<~PAQ7I@g37i0uaf-Fo}Tdzy?AO^T}#^}mA;DoxV+7Fpyigh
z<}uMk#nL^=soQVntE6ha#=v{&p2L%~vLs=JnE<V%L~B~Vgl`8Sd{dWY7-992VXK3)
zF%X5ods*Yd?{3>>J${woY35_TB|2sWvjTcPk3SGoP!NKKH3lAlULO^{I2a~6^juba
z@HM*PJ|$&HX{jSdbP7Phz=TW+XiDidX_V5)xNp7<wN7+&aekGNN0G9z8L6-O@#}*O
zOHYnHf<-RY{RV^7g^g9L0Al`$=_&Ftr?>SLwB`GE@BQ8kG-3Au?Tdse+9lJbG{@2k
zjq|(5$C7Vs=-(0aSR}W1HV{r9I=QH!6>tRtLu4nL3N_xmyf+yhdALDkckkC?$WvmE
zZ{~)OCF-jdfXRESt@>nxlJb{X0>AU`r{+dK)kJCm)u<p-6wtGtg0k~+0Z^H+UQ}>R
zFyA8%yI{4aab*4<LWDy@m&Mga6tM~5SFApqqYzTrl+jdWXy91#awQ6vjI_*1Vh94u
zHBp+_w=tK0855j#4&U_hGP*qPYngAy8JGFD^SzR(mYpWb1oypKqfMnru5kbX`XSae
z(dA%sGr`~;N3M(A=(WD$mwp^KI>Z`tilIK)E|uI5FnB1;g%>0j@#X<GC>*Y<s;=lU
zLR?~M%@zquOG^-E;3mI7kNel+@|XF8%`f`5W!i?@@tjt^0$S0xcM%U%zo^K!7`FMe
zwagLmg={X9JX!!mgviw72#kIhBQ5TNzfnz@$D=b3JF}_q7%}HIaez+!n99(fU1Ul&
zsbyZu{&lEggiD#|=*dU{s{tj|$k~lF`<Fg+hA`u?#F-L&_f#JD8d|i)<3|||)v9)4
zuF8ifwtlnqlyOI2wBF3|GJlQh`jZAK!uk3OgFs)Qi79es5A=<hIyf-eX-wqD!qW;l
zuWAqNF_v`JDo<*P^uLeEmElqNWTa!cQVs8R*Vn5@Dh2SMqC!{4HWxXuCC`M!^ux5J
z;Yq~Qv&88QyS(AlAIAZbX+2lYn_C+U<~n#hlaHZBAx{3TP!<xtH`vL4pLKx5bF)HE
zlbi;7-PyS#?hNI^D6#=v84Cq@Rdx=JdrnSHUHuNJ$Pfx_(3lFTN}npYnJ9TP`axlg
ziTTQ}zM9Nw9bf19=e%7tx7ZO<@8Sb4uW)!Z`GGHoE9(x0sFW?UMu@eQkGov<ZLWVo
z+=rf9{QV}cRu%wIu9&*L(t3CxTb9^$b>K!pLBZehYvcs<x3Ey$oV{|u;<=0%Gk$y-
z^CT}e4x$T%!Z7_Ua>-!}u#W#HMB5~;f2DhkY(t?)B+D81@9uFlUb6z|L~rfLE0CA!
zrm|arTDF0lNiY51g%k9p*nyEUMRwfV7L?4<)fw^VBESjoLwIQhtrM6Y*7t8fBF=mp
zm3pTlzo7V=(mo7EhqSi$k`Z5?Qlkua9=&V3SxNWb?<$4?W75Hnd^+GIgjq_oxY<L2
zPyOGQ;UE6{H}FrJmce!-!si*;qz1xN3+qd_03ht7`dD*OvLi_FG$D6suy>q{Ekrf~
zixk<=#Kuecf0r8zTL;8#Lpi*AoG)+9b|Phs+ylu;xwignnIy%@{zq?%-NI{|Z!7n7
zgkv3<bPBMuj@OsRAQlr~>M)NjN+65I3Y@HE^|P)ppg*<YH@y4h|2iFg%(u9E=g!-r
zqM`*M<^O300^dknSy|aXD=V}-BgF0PbTyuwI1&<~|1dJD^^lN|JQEha_vw@NNJC3d
zw$u8EG$^Owu$869PsZ4J>^hBD(aXzrI-+;b<J+>1rR*D<o2sg+ceJ$`%%MiScEd8T
z@lu7q)}56yZUs<#OPy1PDbG|4r~}~0Egg?Gbb;3w8PI7{!*$2FNDBy%$%a!7#ud_d
zd4*`l0;xqsHMLAWnJnPxjFI%<lm5F@vId8S;^(TQ7rz5gf}>ZGk~f`QT%rK8Q*_0+
z&J_>n(TQJQslAq$mll7^KQvU%;j(P?g?yAkzq*5LnOJ-OMX7+Zxe9QN(SrGGOf)5M
zm}2?*i8%i0(tRl)0F=_wLSVTCZlInTopy2A->silQoqrQF4+#Pu;kWr<Iw1HgF-hS
zJVw)Ty8!%Sf>?m)6<}~;DrdcdL13Y(FTC>|yJjWLhk*T$T2bXz0?;TOsZ2=J1yh5+
zw~Zby@wEw1j{ZJ5i(jj|=7?ks%uW{BtH5{K{Vk0|8G6j-*w6(Wj%wFj9!*17myovO
zaJx3}W6^?V7e~&b=|?X>#4G>_Kfqsw@B!sRq%z1!!Q^mf(lWhZGn}0FZk}?gq?T6P
z-IJfbWUoNmDAHw(r}zg<bJ)we!z|HrT8HI&YJ%1WW2K>F4V3=ee4Po(S$`hINOYU)
zl`AEyXS-wZ_#D}JdU;uE$be}}$=x@4x4GJzuP+@ah1?Y_tdh_}Ir#L-Dft-ir&{W%
zNEosIF=JDTum*D}4`9iYFZXc8vT2vy-zPC^pRTAZh%@=CIncf@V>KLR{zI6>NVvb$
z0~7IWtnGb$spUU^c3Qdi`&?S=2PqxwobNeVUCd_1F=+ID48X)15f8pS0)EAy&HkYq
zKC+^)A6iycHqqo)U!WKl^(%LdC%b7DxK-tM0=tDL>`f=nLkP&;Bx%P4JU(LEa&#Eh
zC0y>zis(<^#0J(r8q@KMkIPv<waL}8tgNjSbnC;(Eudh=u^7tUq<Y`<XO*IoQgB!p
zVU_*tXCMJVWgKvctTNYCzr3hJ7i%!qX8}Sl#{b9>0|zhDH83dbwgnRq;D>-H;Ns4v
z@0C&fC-O=CJu%ARyS!(@betsktfW@rz0bKd-X&Haz1RQEG_!lTqGwvr(l+0=xUlPq
z-q$XLFe9RL9n9J_P1fFbmcC}Txq6WxfNL0z>O82Ws4Vy9u)Do1HcN5VU(XQWNx~kG
zuVe*nY`m#a_UIwCt$<}Hh(fD+j{tk~<M;3hUtdIb28La!`(<ou;Na*;D^TI59Z!E>
zjFYwTKIoR(j*hmW6|ya$@=TjxxR!5JgE4Zxy1HUYVlF_Ck&#WQFUe70mlv+i*7IY$
zJ%Bg!YluXN5(eg7tfm%yZ!zlQ59ek}kZFCH{3yXf!e(GaNzNHLX=mVtL);WlJu062
z@xV#Sy|rTshl}$+te?0?U3ULa?S7ZK|MIH4!qW<Fda^(usO(KmOfU?!B@yAHsehN7
zB~4e3$?y$>S}$9jRvXGLeej_2h4ST3=$M^b-{Zjz9-O_u^^)#fJ<n2a9aTYBV2Ww@
zU<`pUr{bmuH+L329MSlPrO<EXK4vAc(F;pYBm<lXv$qp;uhC+JbM+|9FJ<b!lC4Dk
z-EJL)s;3Y5jHjn%bCl_^^Q&XC1MgwMo2xs|9~Sl^k~G=V7b`lv;}+VQO|~lUz;3>5
z{3asmr=1+>wHRHt<Myj+1-C`NTbZS$0qFBgerK-n+2pAl&;0`Qd4kh)?%Sr^O$xxO
zz>V=={-@%SiHw`uZ%k3VjqY`LE4Kn6jdPK?CERYTtRO+mk8PckJqEMBtg8XPFvqJ4
zFW6^tDMKI#J9}dQG`$HJ7#IqHRts}M8W21(1J<DMxd6j|hlS)q2?g*-h2<q;Z4O_V
zNt0X@I-TSLYSk)cjEmivu<;phJki@1`2t*{!X^R_ug_**hMHt{bzC`6w_Y$$nddO!
z-)VYRPiT?8-XiyS;#OQ3b<kz5HJ)n+MbDe2*2R9=#rGtI8^~3jTycDRxK~gll%$a7
zHdnMlwKl%`Y<*`7JwPeRpg)(rP8Fj%)a^<AdmjCO`W`Wg&;~-gPsowjPoELS$k)e%
z7HxZ$bf^sv2Jn730fM_G>_3%)R(7=iojok!tVSozk~h@J9|r*0bt{k6S?QcI;46G(
zyE*7Gv7@k8XvEbGJ24C2ccvoJ`&BZ_;@XgSuBQjPGA$PDO{KLo7c0`le53zm)Dqrx
zG1u;0Z|R$P$JS_s*ISR1%MR<d3ny%0CvUk;ASU{i$Xl!M``w;Q61P?dPrsXj(CxM%
z=RifLTLrpXJ8S<E0n{qY$hs)GbBSBqu<t)v4da7d+$SM<+vF!y;9L-*tb_mvI-^GK
zg7APBZR!j#Q+e!yxNm++YhR73T~?GwqwY=LdkUtwyKOs8gI!-PZ^Y8+(I@qbRpB@#
zQtv=HD*V6Pk&5KA2{YI3Gei)_K{^P_f0ybbxQKk;KaM^`^}ICbyE%32FWoDFBK+vu
z|NRq$#(LOvN9HygMKU|wm}2?O8F)4bzi~+s4)Y83`cd<{y$srh`UfuR>FQEAvf<si
zYu3DsSw>mg|HJ13Q*L16@;`*GJ`?CL0`SEJ_kqKk1Q;tM#l2k;+HMGnH}aM{-1`>I
z2lO<1F){_rH`om8zEK};EhK+Fcy)L%9H1%!)&e!|Wzw)JYH=%+9V(5rjpr45m^-A6
zSUWPtx~2q|(|OW_4`?3o*~q~IRX)Wq{n_MHAyjbGOV&n4I9_EfJabOsymxl-)TEOl
zw~Fh&50Ukhl_85aO8)V_cNY*jUEV&wS#RWpD`so46eg~7FVZ#K?Qb@w_nBFnYiGg?
ze`GO)5VzE8U(M4ChgPtTl#84D{=It{w{6J(BIqpK-K+R;fb7FUM8E}Y2+(H;xB{9x
z8H|v@9KG6Gg6aNsm1l`_=h5btd~~%Z4<7XWCJxBg6?XyC_LGC*>tBGd#6cKv(zcDP
zRbmF&mqX)W?gH=02QA50BX<oZKe8XJFWTt5t5GydPQV9fr2<C34XfwESs%WS<e7}z
zd*$=uw-s$w;$$5}4I;=)_8|IEBZ=-$AiRUpexgf%Z;INXcd(o*Hm~gZJ;RyUAtWa;
zGd7x!x#$)n8YB_qUA{MH?1%0a!3#f&VtU5NTSJK29~IwzO0O*$cnie`BEyqqiryuv
zx6kzUDkXCP99r~UJ&+T~yKU`Xoo^!u`f#Z|u|V1dw4^90DMzxsZd+>THh6MkgbRS5
z`_T~)TiuvK;(N?+N{PrLeej(5c)cF#Hn9P)>3cIV6S)-JH=4`2rjg41q*_L-jc!rO
z{-W*iArjs^9_XWw<ku!A;xK<h*k9SWCql$=u{qJp7hi_Af;jXMP*E-m{X=eUGl$Nz
zhxZfSz_aWrsnbiU6Y)0EN2z<*;_Qt>>S@NHe2HoaQ{!zrtAST4&F_!nY}!`12Y%Lw
z7wC%Ii*mbVn}D%bd^PfhYQBQXYfXEnxnB&z8x6yEHjNH=OeB4}^Dpo7mN)q#Cy>@w
zTU@xBv$=ERuHDm>-TVQ;L_z+zI4*Wc(ogta1}l5dPcC(gBHe8veF|iu(bndAVYh|X
zWC@Ti^N!(q7Qt1-zOuCSzVxYz>s@;h-bwgua_y~67P((s%*+bOT;2zRvQ8iyfbZs|
zdEcerx7S>(19t7dEBZx;bH4zgsSiN?*hXViBfT+k9>d{X9mFnaJQBQ%kB?MGzpxT8
z>!8AnU5xw=c~L0>51UVWUtuI{UC|_A81?d{yLa#Iw38ZxQA|KP_);@@F=b_C83O}K
zfM6)d4NlRYj5GH<+MYMIsFRmLybKV%9~gLp>5lLE2qQ29Oo!B(8?T>#g~?kgI<tV@
zMQ%BGn#rnX`3zwifByXW1(d;ohpWgaCz>T<))!cnJ+|JMLnYTQ4<&oGMG?rh&9CPi
zPB7Q3Hwt5+dwrOyS2r6h5QU_kf3r6^D8VM43MoV3ga_qZu`-4Yz7|x6c)PHY3{chE
z$~H#vssXM92WpFNbXFWIiFZ2I{_qse1W<1EDL)zKet;lKQAMXT#C!%Vl-E5!+Z5YG
z|04vh<HupdyPFV`7Pisgds0__A?6c+O#|^-xxRL2AboJ>)g75Fsh}Ses_G+S10m{w
zQP-WTxr>-?u9M5jDKflZgOOHIG)<T5*Inu9#oBFFZAr2wtH&hCD}2JyW|hWqXjS^;
zoXz-ghE75nakb*IEEvrlEyq>c|Dq%>f_BAV1qGD2=>r?~Ym0k)nzSW5iRIQxu4k#J
z&o~cLDn_n1xOqis4aEZXyeupTcEhP2)D?@-2xmRqP8k|ekX_|ZcK4BX^p9BE8cUl*
zJtX3m>a69po~dy%s@`Mw-wi!mq`6+zlX4gs)wTt0o$%t~F&t8ZUpT2Gc1^%LdFzf>
z=91XeqS(5v@wwhN#2L7W8U{*u1-Vc>=_fy2OIn9+_AdVjNhA@UT4bs5-6-p9Fk^Xg
zxvt&(yRiwE##gm^&Kp6hd^=)S_aE!oHds2&XA)t(n$sZ#$lSh8sdeU`1}_gLTG}>z
z+LGGk=<c6CcgHqG&&T(t=db#F=A=Fld6|9-PUf~WT1-7hjvIw;RJiCTtbK^{e~SJ9
z$BMkuin3}HLlH0<6+5O07*l=i?LBWKA(bP>ZB?WQsxV()$geVoG&D$7R91~f-@So_
zm0?+SlNW7jcN%+Xy<e)sQ3G_+J#OhCL`<QrevLq!JF)8x<n4CDet2=io_uxnv#yyk
zvk&9Q3w+~~cl`FbVGfvb$0MczE{-q651V=<U~C(N>KjTb-X;;8@=QEhIXi3)dmlq$
z@4rZ49HII8tWbUUrgXa4QLZr|nd{E4XWKeHUvOHrYQ6t--7gW`&kAK50wqP`{`CIE
z=KS0`GB1yxjkL;f<Y<!fig(iIYf{qh&1#pkfGL+rThj(5Eb-{>W!tqef?k{U7XrO?
z#}B<<<|cbN;Bmp;Ws;HUBV(RE#KL;IHhGf3r<EI)YQ0!Ufp9cOp|%Ed1DRP*ywBG1
zAUZm$Vd>TmbIn)i=5<iA9ZI6WoJC*AW9wjywXtgV)|X)GaRV2n?BbQ#-nvBnr2>c`
zeK-6G45g^ARcx>ZF%#YS9?_Vw3x22Y@!onyk|%n+IS|DTbW{2rG?#t<qOp|5Z0ly@
z*<?TU7s}%$_5f)&w?QdvoqGVi$+q8Ty#Q|{@)5zp`Y~1Msr*5Ud@3Q~>W|n$4(YAL
z4*Dla6*>g5cvx7G7k#4oXW-MtpFiKd1a_fg1sZPfA`$qovX6>cC(-y){0CWO8sV3t
z`ZRnjN>U*NyIh=T3)@CF*fdu*$W49FRh3Xl8y>5D7GZ=|(cat_ba8#3LN=@r#U60l
zWAwAA|7I`nuU)egJ5Q{J%@)D3sC?{HOanLm{EVmLF@m}j)>lI$&Z4P!dGANKF;=g?
zMvK}%F4$#aN;ZqASSdA`fE$Fl!M^a{h;m~f)^=I;oOb_0MbVGX-jFfv(A<XhCc?sO
zZ%Y%oUECJKXpZ0YfMRxDzxixE6r$r9TYWuICg_lkoUEfVGqrGeoLWUd`EtNk3SB9H
zs{Aa8&)j@ATH?Jh0|0`g`~;QXw>+B9Q%Qg8Cg>U&6=%yv)HTl9f?@ew<=OoC-0{?7
zb8??l5*|J6&H8PlUwRZ3Y>Ol^dV<%p+gJL@@?T*F3iwp86b1CUsO=b`Q9aIAzS>BL
z_SG-k`Ei=79o%idz4{;e9{Vo+g#Gr9&CQ@w{`wnb6#QD=D>wh1$EvLi5m~{Pz&6)i
z98#}<tCfJ_@&16TX3+UT3@HvSMl=^5qSFUe0_u!P8k{-G3-ym<j#r{+ky90x5&VVe
zhgwyi`>wCHuaEYg>f4=2>%VhBJ$1rU!FtpK<*F`T0>k7w(ga<cT)Mv96qi1MIf7-9
zn8{=>fDGkH!f8ZK3EhY!9Me-*FQmCJspY?7z{+q-!1_loJpt<uIKWlxt@=aUshUM%
z@4B;yIxh6x%l>r#HKlirKF9VBA4QopE9BDgXs3%6pxnesf^KmCogf;|(T`fzrz+P6
zDrdmWwh(ksrj3x$fydegnI!=t!l#PX)&)(cy$;?#59Tjt=hs+6E2s0bExB>ADv3;?
zJgtgg$4>>23_4QNu0QRTn|j#l6@dY61gZJd%S1k}FK#r|a7E@s<Pz{-7{i29Z?O?w
zflYwiKM1($zaD(3BAf}(=7cn&2A~U-u3ZN1e9Yz=pOUg;K>M1gh=|*vX5secL|Gd?
z7i`Sg43Y?p8de&=4?&q|`0NtE8oU;Uy;J1ir%*lXo@^9w>9#!qEI7~rP%#2<2aS_`
zH?YKUnT)o=erl+d8MGH;_8>kCtZ9FZMH1-E_FhyDEAQuq9|xhT%15Se3laAD&yl-w
z<G$S*HJn9N;48$WGmdH&57f<$eJyUNmF|{1bjKYjfcwVs(Ksci7FxP;vybh4)*YI<
z*~{*tggN?wHdkwY7qs%++|%KS!f6;G*9|N`P4~<_4O`8Jhv$W~Qw=u3T7`F5VvpkA
zq!PKQMNXP2Qe+Z9&^Yh@UQtuaRG*OQgv`a;YbhfYF@gsM4xHGx)3a|#^$mKN-G&EP
z%}#iCe7KFc&ZuaFoezf#@E_!f^z}JyeXn?aKIo)J1-*$iAW{xVNH0h#QdzIDwU$46
zuQ&=3VJvY3F%k<a$!Ur#&ntBMccR&h-o*DWSMoF>s(H#yh^Y9q73AdEB%>u08ovMc
z%gH!iQW{MO46(ibv?1I140Q|ZMes(euf>>VUGY-y>wXP;Xjqjy<k}hY#d55NDH7x(
z0i{DjLkDxa!)_-kc`<G+w??V_dnjyn*@Yt3Q=2a!L4C@DyQvJk?i-G&mo2*9=SUA%
zPyHf~@R)~}jb`fShvQz1L7Mx2?l=0Jh){VoDYu2>ctxB}bkbXQMLz59>KeeT*1ZDU
z-Un7Wd3m;Al5JGKS-tXV_zw3CERl5lf0*?ZxpFol{=D`>GVQmv$QOv^rrKl9UA)Kc
zbvuwq^ZP?fqb4B{I1VJ!IJf&ZHte?hDI6|p=#|LxP$*Z2bD$&eg<hF*6REE%VE!6j
zy_GD$t!;d{4&H}}W40BY`a0JAZa?YbS1<P4Aj$j7y~DwzMyp6-YGEDF4m+5-Z;W8T
zT4%&Opmo~gN?4E5elfso58jIrPTyGbO48?1$E|bxO=DcGjKx!=i6C8O%JD9`n{bK?
z4$~@jA&4u6*DmGixL?J~bP?DuY$?5kxin6sgLb}A7iRe`@!khQ5+k5Q%+|NBmBxt7
zQhTpHbC_jf3OGa<uYuKd3uPrAuZ(pIOFUk_f3Rz0z}Wqij)}31PS~ZkT7+L^VLmiO
z7Xr2E9b+Trs-MkmPts7$ct^^n*1oQ;<kE}zN%i=c{9=r}VIQjPO`$HaNhFSEqe&QR
z?Y+9s=PU=WR<gJrVhzw6YA2E*K6Rt)3%hw{^%B?inRsw*rCNN|(lL+Ri;j*GAQm}3
zLsEA$HWBNsD4U@d_qi2>9=!I}9e9K|*}lI09=!0v<yEqFdw4vVy?)g9TN0Q9xOY%L
zf7w?Q?DzX&y!A-F=^V=+QUk{{nJ-V^J?z(!<My)ygN>NqeU+835iZp|aOZaKE%3Q1
zyXh*MS-)dS2a>(QLPhYWS?79#dn;;7HUSSyyhJVc)Rvgh!!($QDGo7##Dw|RGaz6m
ziCuq~OHbw#DY?F!Hzen=s&RIvFDNcn23gr5i7PQC?0H9*pU!;=#ZkP8*^}#?<k1-@
zck{{b&_>-pSQSXsY8!k~(h?I-S*z1Dl~cVti*8`mwfSscjuy2jro2=W0(ZVX_#~Eh
zSY0+8ffx;)u3n2Zga{($ao0)DyjD^E+qSRe15!QrVX5hH@W7R{qO!J-d}FbKt4$9c
zyI)v@>jB|?0%*n5ctLT?6!)atDSo-?eF6#$DvbzYOT&!jrsJj|sq>8*mwrJh%XB9h
zt4q67z|9h5KR5}MB^VB*W#EDRezKinow>Ln&@Z~^szmMAWD`ER9z^^|Fd$&N!7|O?
zdsW!dW+LNJm?*nar*czHsEqk)YI9Rw_53B`Ht|dC$(8gxjZ8P8t&Iwm@qrfXn5d+z
z>_dlI(wS4huxMl&ugU;7$J-bD04HC48=P)N_T}lX`{0bSeyjYcBe6ye@E8hnNzF5L
zM@)%cEl(%;tDVfRROBst!j5#zBGMhNyo}EC_lFux2FLu4YQB=y&ZTebOOk!%ev@##
zf`3lz6;ZvydGvDHqc73Yd)mDLX~^mSzBu*ZSxIm4l2qHU+fibk>{Q6N6f|twDF`<u
zo4fC&VZ7p#t;P=X0-jBNi|&}6Svf8w5~kpA1B+^Lq@a4190g`M7!*SFD3S%`3xFoG
zB;eTJhMO;%rMXX8XQl@#dj;r0GI0Vx2hc?}0|^=(5DksRD!mWgm<SHG3_L#3+^|?{
zGs~%ygN}{?Odi^j0B&$TQxwW-RsfoNN!xwJiGz9TA|dsRF$BWCTDy`q-V$_v2zmwU
zz5FWcmBXR~I}1U)_A{qvJ;vc7;R+DtzSV(#`EB$@#W^z_T|448#wchM7%~x3@F@aS
z%TY`;04Wo{>x|Fb5Gf}VJYlO)UA?m|F4)X!T=~v~1l99vsL0UZ3PG1~UClxrf8V(9
z_?$_SytcNLSJ^bUpT*O;T%g7F4ZDlvLhd!Bnp0=Mny9d~713}BcHnhh*gLkF0JMjA
z^arhbfLD4WUnP+lSaPPm)pwv!Y%FU2xtbcal4$q(j(g3sr1i}ehliZptoICJG>YiP
zOEhzA(HtaDwmL;dAL`MA-(#tMMw48IJ_n+P&81VwA3J@iIdHlhy@?+Mq4C;Qabs{3
z|3q6*!iYQYId{Eo+#lB<PZHGpfF?q#Zlb|rpbBOw4V>IXt>tidH=^{_GzU2A42Lc@
zO@Es(n>YUHv1$C;r|^-_kC|H)EW)_<@nbiSviFrJxl|7!DjvR()=b*#XKVO+ROa;N
zzwhOYXxsW}<gpnQ>*|i`DMW(!HDKwxIP76N^<FsD6aD@;uk3D*0$c45G`;<3tR}>r
z280ChuU%TE{<$_)q6Le^?eS@G@VZ6W8Lh6U#Vr43W((^P$7=F6CO#V7q$SAfGsD`R
zo0m03vq!k~-kn>=)0;IJ%YB>aB~}eFT!(#KR};nSr`bsqm3~R`mgWWCo4)rgKzuqd
z(xQ9fx)NkOc73rHFX(sx*;d)lrn!8Lp@tnaU!ONmRXe25c`g!`P#H#WJj9B8RF1zN
ztE)j)jXv2j<dyGbRL|7@oLJnDC?H=nnZveWF(<o(K;h$UkBr2aSk>q#U?*lG^|iOx
zv<!8dR2D<CI&&&7LqqJ2j@T#F5xe7al!7i3jqRD8@27f>YeJs1xZu+0*Ov0^)ts?z
z)xw-cQ~j~(tk%B|$gvGSCv}&>$sLBSw#L{rihspiM#R#eKQ+8Burb%GKRzvQ21O3x
z<Gr)I<)&AbrQXf1CMOpqL;cVA=VD5Zihj6e8R>($Jl4aO0S@TJPmu_|FS=gap;Or{
z<d0b*3j>rD47zk`oAeGDrFaIX<;8!^6nPcWeAUBR7iq>9%I+9za4c0{kFd`BdsA;$
znzr4p4lx%8!GCq3H8##I7M)aFiDJ`~lPeC7pH2Xr$sR`apEC^uw1eD)Ba!02pYV?5
z@{2Az&!YM2hb!-s*%N}tRa`{^^9_?jE<9Y2?gKbmTWq|*RTZgDE;Bp7h8qNpoTT7$
zsU9oJ*Hp3z7i}dF7tt&V-*QBVOyp`4*Ybj|IDlf75-4-JuvdAt-<YnYSAfxREm@S?
z0VQS)Oxx^&7VTLw9>+ODM&)>8GY=ujODgBlNhJAgsI&~lQO1`H_q;>AEXJ*UT`E3!
zlv2ss#(s6NFem8Kn)FgUWDIi4{P&a(KqT?0h@ECxq8F;qWO}FD<CCUL%ng8IHhzl~
z^H$EML-9@D02tGQ2Mepn4J^G7I6e0~#6BeMLK6~O;vAc_>b_Xw@(`O<V{m7s^3Pc;
z;cPcJ7>-9G%w8LX%e@5#HR}2!94#svcFVm}l@dbe3Z87&BwNgda&QHezC)FBa?VTx
zSQ_WjBd*?HSHvBQU*;+%?gi>^JCYi@M%jY|A2!!8iR9q}*&HD`PuKZCr3?&~s*jE3
z`avUa&fS&+Xzh+A@!HO4jg#}+r(jf_sz)pSup3gQ70f8@M7w^DN4$xvtTJgz7@-7v
zUVW07m<TT@aMCXtE{ILURL57992Eua>JIoIPr&j{DL>WIPtDQo2{pt9@Bf+_79rq!
z;>fOA;l!mPcIjG;`|~X)=AB7ud;tYjP}Bo25J$zgO%~0JoPW}Ruvo~iyezPivUv2A
ztP-AF+c;=#ZEcSz1JpeupsDGouMU_$)xPJ`^X{x+bk2&xe@hB!{(UR(7t9`qbyw0B
zE>HXP14aj&f)3ngg}k>@k3r<8Sv}xZ8UC5=fZmAVc3Ymb%)jc=7j!^<S3O^Y`&=qD
zdi{<$BNo)ZRNl@zo<9d`zgyCr-?_*kI&Wa8e_G6BM?k)ZGGp9GFv~@~f5<v7c)FiZ
zM486-7nNmy>{tKrIbnDCAj!@vi%zveVo){gORP4y`#KEK&7xq>(_33xU!Od2s9lQF
zPe5Ug6l`*fmE6kvaT$e(zVUYM&VT$|J^A(r<1MX*@;bfIplm<~C%b<s6Wgr05!8QF
zwdrI{`t8*bF>1Ah|7g@39d95+KV;t-up`mtGU?Um5_VT?rAwiIzYk3lQTm>l8@B8e
zkkXU;gL?5piYD}?__mY<w6aMrQ4aDC*!kDl9SO2-az5qj^Od}YQ{z72eZ^F#4l-|0
zF}iKluE3j`jPg?5ld5&52eV~oX$Q4L+;2X`95z^487N{!<=Gpn+VrbAhG{hRL8AUR
z>i;I{6Sh*vn34vwiKio%mc-Uhk~<p@0lZ;VyV?6SSl<W1_&+wyKMs_y{@)DijRryp
zBUU%7Rjht|%oN;ikf^)ZBep)-c{aDWp<>(L^`sEA&3w*35Gw3Xu|7qTjj-4JdZ#+g
z5k@T{=sM?0NM+M$>3QBSh-TRqwwhc6H|o4Iy0^Ue*ZJ}GaU8e`X3;lvokai_<+aD&
zMEjgLI&N;pYf->$oeE@7t3;sJtzCVa+v)eK&58S0FnjHad7^2SFSD6K=@j53Rtcn~
zhhvhHi=;k;uK_a!JlKjgCJpvK&vX6#LoSS*S219p-^+WwfXN}9$}%9$3+nm&nGcGz
zNj1N&uKM7oicv8(u8rH};keK2c-#5>7?sD&f}3%FfB!g;XIw@$1MKZwx}SuNjm_#+
zCG5^mWh(Ar0&<?$ps!spZG&R-1=q};+38Cn9@cCqCwDd{6k6UhG$gw<64^<Te_}K~
zqG1@5ha4vwsUQ}Ghea0;zmr4i9XIxRf8X2+vrp&N4yJ`|inrM!&mBkavz|M}rj>3|
z!xyG<qNf9jlKJ1`UT-tDj(fD83&&EshxtM3#Wb*yC*dmSJqi2$@ASQTm+<LT|I~e>
zhyjrRF{Onyj<0AJ*F%EytF^hphtpZ}$0|#<mtWe>j^>;5#cFcL?xYJ{H0rv~<94Ko
z=_)agt_Rod<y{mR>1Ui;*k?<(>ltw}A5_D1Hq7#3i^t**q<VE5ej>3}H@y!M617s-
za8q{Us&0Y6-Nam9`ihQ@jtS*X7(Tzn>ariRH8oh>%dDR(8+Rrqc<4^@4K><LwlK-w
z_8Uo;m?@AXIwXmL=y{lY%k?R-c)wL9e!P%ILnK`49Siju-y$FAZ8d&)Z19IqsD(Kq
zcz!?ak-2-Cwp)DT*fwm4xj4s7@cPoK`ymB2VY5m^`|0nCUhcE#4s`Ux8NQovWL1VZ
zP9_~+*TukZ={kqa=Gvvux(?)rSnH<anw%-U?WCK0taBMswfM+}30^F5?kC(JWe_gM
zk4@LhPD=QFanMkkdBhZ3qLcYJGpC$QR=UiZVL-pZ{}lrSF;4Ws|H-vNk?Ze|?zM)E
zS}5BFzdjzq>83>aR-$`E`UTw^_?{*D*;>u`e#56bcG_CA@-5rF_2Fry_Q5}mV<*2(
zH|Lia`fD~P9R|2rTAhwEXCEfUx*R^MuD7sAYIa3%L0L(?=<B4syYCSyiKvhoJ4Owi
z<#|o75R-3h?sp=AZXnm9-qF3Hb*TNK-qv(=KavM(W>V#f+V2<JhS*k-&Z2H)__+D;
z@7q0&`=byGBwqBtRTeQ<+Iy7F&J)S?56@)rzzoZj{WUDJlf8~XKCBa(%cn`T#YpV&
zFaj1av7etys$Cc68w+btUYw2FrP)s8H>L=csSneG>8itnucTn}NLl0`>a}9&_~7~(
z>Au+k3%}_<7EF6-PnUO7pU<?rwa%GnFL%Jy44I`0KW`Mr&x8nx4k__fp_c|IiyGX@
zZ`bseCKS()pNU;`qMg_4zEzc<!!-H#JHNHQGz?4*Fl4n_uG?(zu&Ll9I(7Y4@0sl)
zD<bOe;p{^=9MQ1`rQV<Ds%><aCVn=M&pOdw9XmUbJ=gQy=g9;A-jdZrxoD{s_v4vj
z&XXoyw^`*<pT?4fvp1raMJK|Q7ydk#WZ@o4^v;GyNs{SBZa$sx0lzpsejf3YT3oTw
z&;3RpK3%cA^4sLwH}WYt&7$>o|Mh1;1mEw7#z*>LF(DO&S3|1D*KnLB`riR@6f~q`
z;m2*S{Q3k7DC&LY&6@LG)4FX(<gKoHjIYyV`<wBoUT^yh=agIW{MlM7o<8uuTo0F@
z-7fN|vZ!-2i|VK;8Zb6sVl}#F)F1HL*oa3nAmJ*7{<L#MtmyIhe7@A&jiGPljdjmX
zNR7L8S#!>Uo8Vtl;Q40UaiTP{%Wm8>g@ic!j}2o4l&ecF-icPC{aIPuuIX#Mi{se3
zhSK9%2eH-o-9f3tKJtrjw?3bgy=35vnZlwwf3;slc_A0i(P`ijg|JDfsLSc$*{nkI
z_+wp-!*jU2A)n1xzAew0<ouNm3Wt%BfJ@s{VJ~%{1{~t^Xezs>E-`|f7e07Pw1qCp
z%)WMsB<I^nwjJo>C;Zzg<GU57w(ffIQJ+_qC|FNDR>F9Hj`bQk%X^s6oyR`lT74p6
zzSOGjQ17d<x>Cb>EPcd(E0N@-QQkt7-?6nq>9qdpOvEF?u{gRdr=?CFw?W@tmwFM#
zc<aHeXWpnIb}!|_#r;a2`AvK><4VPGYQpqp-+pnWM#j>LdV=1;)VY`TTA7cH-evZT
za?{HZpP%~|S@P<7$kgQ%kNl>fSC|f<n%j2kt#oX`p(O#pY_GabF)c)oL+|irRY~ea
z@l-`qwIQj&<2)ZP{1SvNp26{3x%8t}is@#%bG)!dCRy!zzlBn|os)sDo+rGL#|8)T
zf1KP^I*rh2=Q-L3pJmp6iyu!T`iUD!agCfLVuD|3Wv<UffFOp>L@U<RZ!Iv*+C}&{
zCM(zFX55JGSf2>W1Q?5`g`J6T3W2fNcxdtT`z^Ul3i9vgl)6-Hfl5*5&gUs0=1(bY
z?PgwL=OJzWdH?JD{`pL=Ur1Ye_RgUW*1B=P$T_c7`P~n8#M}6(KHtB|sig;}F&PwX
z1dvE7a3t6+G>&!sG{UOi`u^0=A6Cbw7r!fE#_N|qJx{dhEhf0@BmahI^>ke#>7>jv
zy;tIFXO_hEN|Af}B=*YnO^m2+%86x-2z{(!?&ff3{)m1z(!)2(KJ2WAQGwsCLB@f_
z>0G0DL^0sHVICc_JL)~*V`p7cf1KugX|kZ=YULLjp7+N}{#OZnLF)Fp=cohi0(4l$
zy6dgrrC0WKPj3Wz3nyC2gApR7HwkIp2)4;FcquhJ!#AMI@)}>zeJ{bk{L~Ut1;$=m
zhgHKQas{0KeDpuartu2)xs@m)g#fd_#XT^oa*tMc-U+5Fs_};Ii5@IiSa@=O+qO)L
z^ojLI1U*E6#(Gt23n$&4s&UpzDg5jio5cQI9!URMTJUJ`GrcPmi*-+Th<vvXb7hX`
zQElOrb8W*#<(@TUlz1fa(_DC|NW{9g$CXd@CjO;nLIL$X%aB*N<`OD)cid--M>`rB
zc%B}#6<V&|QF`JkSzlG3(SkpH+j^&TXL&TbL%yYWo*j1lu5@+9c@d3tVrfBG{#o0b
z+Emhn@?O>@MGv^)zN=xVYR-xd8hU(n>YG7g%&X2YJ+ma@D)#QUwLTBqEs*qiBivZe
z(R=WYL%hiN0q0Of?3SmGSf$dj^t+mg#cAMy;OD<oF!33=T&!PrnH3c{z<VKZ_wwGa
zo4@YYO}y*tTC|0njocu7!kzW(slD8<%a49rP_ed8rQH(OQ*Ziahmq^lw}XxL*$qzu
zfJ06Qyq9Po?U=S~n=uuA#oPZ{BX1SoUMT-8-oHK9O-?K`<{+edr?0Z{<l)rTSPsrq
zldL?2Tk<r~w7!1<Q$ure*0D+w<yk$f-(_o8Y>*q0S(3d#8)KRr%fC+SbKB-Z@!Ft=
z$J!TpRl37qFLYlk(|XZ@<Tbhw;kBCXNczR){6Xb@!n($7v}84zCf|I=%r~ZoRJ05X
zokh>cFkPRF4+`3ID9TX?->il2ah?3A`LZlMR#GW*WsxA&T`k+J;{t;MbkDKZ<46kr
zkT_ZUEkLk%v-)8(robblAI<7vV`JC(^~|Oy!j+<AtQDPYDLG%kI*@lUx0K|6DUYL9
z_W@$%6>H~$JldA(p$fb!WfrSCwiRbm4WlX^MU#KSi#E9DG^kU8zZc4OE0M!IQk!!{
z%zbknw=T~8R`Xf8vq>9opHqvWLJ5Lwvwka(oKo<}je@2mtPlZfbHS~{`{3D9U`)6c
z9A9FUO|wCuF#c8|8u@f@BH<Vj&Fe8c_arciNg3Z1ckR!dc3a@;Kp=T;6cd4gM`^wH
zG|&6>UjGmu9z-SKO!UA5hy}%d-Po0%Yw&MuL>naHY9&*Me&iE^YFjohKt=9H@#U1$
zn;5psnCUIN<x8Vb{;e>UGQ*C|?d;9K=FlqAh+QW3-j?jlZO9_~@CyetpVH4y#SJq}
zMS9i(<L}#gz2dDEUz{kuf;*G?N=WgAbfPY{uoro_4&1!{Ahn33E7nE_4$ZA@<s`0}
zQ}Ee2+P;?gTj;Zj$kJ-$pnL<W_MR`DOh@VVc-W>UUv$Q~$#TW$c^H@{`n?T)Z^XZg
z!zAXJNaALaK{hHf%i2;}zEUu1t7LAYW;(5qOgk$uKB_$S?)478<navostmPWp@LhG
z9u+=JrZw1Bc0IQ9rrCDzgpS9R*=3Gd2N8jXQ-H{UZ})MDQ?${iThM1pO~rA@%euDX
zZ$)+&ogrHjRX<R7{7xX7&aqZTu}L&{&I&(sIQGsBb->5Rtk&upf2uqWT*`Cv(!?pi
z6CGm>>tMDEdnkBRcR4v^S;K&UtVLvR%Z*qLY%@{oW;GvWQD6V!Bdo7txRtaSASSr&
zBcEk+7(sEwY}?U(mSDT4#YYcSi#v)tpG9@9E{ND0-y{OHONb7?E50Ntv$hJFw57Yp
zCw<sxd~^o>^4Q+R%&E$%IXsQPk51I5xryS`B&0r#CXC#H=f-fM`az@-OxT<r>(xEb
zl=QBmO-3@^(=66eD~1ae<Z@Lu*|;ozA4<Nk{6<t5Q9;}|MTB_y$rQ#Ypv_10(t{G>
zCm#o`quTGzVrDPW_v{`?&hGfWVZ|3EAuSyo=kcquNb5f7=;%R~T%E6~)S)>`$vZZg
z7bgcy&#*02-Pxo+ShlDx1jgI>wg|J@S1D}WnKio+Z>*M>;ds2KH25q;dx6xrVSF^^
zM{zylf_;VBqI8v(Nv=D^F^A5=YI?xLDJ_qmqLs*#J9?z65-prc^*YhxR9oIOl-Qi!
z7afk``V-y#;u;MrqWAN42(9<HH}F1OQH@bGGwi|hh15-6;<0xTl`z1Iwq?(o_=E-=
zj`F<+JpIaJ&BUs{Z3f_utcOwAk5XU{7gewFJvN}AdLMV2{v5Buehu4g?uSJZ&xLi7
z$_c3_yX|nXAYt7Fbaw0N=Gnk+;V>cHBBi2B*7o3_SoHu!p;@TvNm`K>BP3Zo9WzjQ
z?Y-vZLTiXpXwXGzTXV}nODwtL_+7D$bEWynR28+ix`UaK((%?&0S1W*49wc=X{<vd
z(hKg%`JMFmpG!ZhI1HtS>^san;l80NH2DITJ{$XdNTh6G&=Ha~&pMneOzR!D9>SJ9
zwp5{oel8JB;WD@l_p_~Y$3f)VHPngoYXyAL4A8as#xEi37=Wudwt(|A6YUCkWt#TU
zg@Pl9le-by;}>Wf389kdt<&;N?Cd%venseF>-4~z8<EDN>)Qcu+T7VA54P71vZu3{
zxurG|#u=1`mylOaVnitdc!bv?t{bXe=!KEiTF$YI`#-jLQ&NA5CW;6oJEc5T_@+L_
zbSGd_>FnXmd=lPUp7MpVU~CF#r~NMXhH&W=+?%3r5Wcb%MJ{T&KqpKVNpn@b(s(3l
z8TgEngkZARjqf<VpZ>dZzkpWI%=n-i+grPp^FiHt4ZY2`{`b$$f45ak3sFi|@?BE>
z>Hu7YKXr-5K05jji%}P!n5YqB30Wa*>vMZuQVaG=eMjkHMU`34bLe<>Rf5Fg*#?`%
zn3vc}Ik~TujFVN10-C*IuQrYt;3r>MMz?1&JcAR3A|}5`GuAoYwx%B#KTPJb=*G2g
z)SW-+;BWZpXJ;)hOBMZbYD(~L4<b*wadXTB*h>`g+K$x}6@vlA%f<_5=FV^HPiIeO
z<Q()0wAfLjnMj<Zbb<;p9V^ocJzObC2YLr<!)&&a)q1;)P8FXDGk(pXkZJmjOSc2m
z0?ec(1;@s4FtzFMccc4(=WbIqFPHl9)dZCNnBj5_%kawMJB-QGysXd1?hEx7O@ol>
z4((W(j#0ZfkKQ0;reXAsqQ=^KFnPnXKD7PXMSBl~lUYhXzHjhNT_(0%KQyM~Z$nVZ
z0@KNhFQ@s#q#30s0qq)H;V(AYhZYgJ^513|sE~`w^5kBqcF1~>;X^ghASB4twNc!R
z?d)o_@yh*l+{!n9^W^H*JCw3^;nJMQCsOl}Bgp$LG6{MthJ|hv23scR^!q*N8LjA%
z_w@7(UtI!P3KYm#c`pQ$8YoPw{_Tr&qpUQcS;zR=snWglb`J+$Or=s7b|8%GoX1ul
zdLOmOLdc((mA834t{*gXh7t6VARfb(ZA+M4efh{xe%<KZ*u<!kDC}hKRkzkxeyIns
z+ZKEez18BT?^JN|P%!c8|ANb1DpuA(Obc<oR{Rn3`QP5fvw~Y^Uyd}P^psE{(6*_b
zaSpvrWH+C{MK#zy10tsQ@pIG{8Sp@Z?bF&<j*2|cAbYzdoj?`_CJJDC&<5sMSQ+~F
z%rPU=Re7+I{kwg=X$r0_W_$Y$(`Em=J!Qm1VJsd~y)_$%rY0CMVS2+@14WpLt=v=n
zV9+kXW5aYxj*>vXA@DLdQ}(IujPqsCnbX{3d*)A%*tP!-qmwZo6QlvVcq%uN@7#X3
zXeS<$?Dk_*%{}w8^ZN61W?QaUnuqQ;VP)34l#d@hvI0}1e|L4Jl*qM&4JNTRw&)ph
ztPG(P!NV$j^j)n)0f~C8!eRUIp{IskE}=Yo;<Z{Z_g$!W+A>MlNZ=l1FIjN<e}{n`
zVH9})e?19vYeejA4ac*S|Efw!I;>lZik*W)j7ZGA5ziQqmjPQNLj&gzj-BXtbaL1S
zBE)<Op3CAKBdsunr>6bq=|UsKO|jTYc(<-@CcRj`Yo`q&u1~j6i3x)w>E0tM9v{nb
zsq~DlHudXAdYcws4D;oWO}#t){3mUzW*~@{Vb26}V*k_R#@y3Sf95c=B9(FB7b9Hy
z!O{ZqgqQI$*3cCN<BVzcuT|ImMRjXe`ViA=>H;4lF~`7coH(3<%*_GO>Fc2QZ*u8|
zS^ARaX;Z$Ie>fS8&!VcgSffh!pnfYA@#~H`w#@;JN6<dS8U^p&z2I(<$}vPC%Rf5s
zBC?9gx)Ha#?8zlL`si3*+giJqDC->KySEbOZX|7s*cZVYH{U9S@^&5-5pEU`i*yL}
z#ff7kYFHT>nET@EtK2<Wvp0PZqwI_!CLWk^lcu#{Z_Wt85US4|q8xX71cD}JQ@AQI
zJeTD6kL>W#=SQD~-nQBvv+(YouEN^Sn=<0p6L@GK#a-N8uV=QNHcne_5Tvz^jy>lw
z(M&6LW>sPyqXTn1iZz-hxln#h=B59Swf7EWtNs7~b!w}st)ivqq@}3cBB)liW{pUV
zNbQl@Vk9*>(1o^YBx>)dq-Ka!w6@v_B2*Qzw;;y%MDP3kx!<49`}_UP^H(b;C+A$(
zb*}MxJ)Y02=FEFZ@m#j`{>f{tSHybkbAuK`1K#!BGN;|&<q_K5cbn!T0_i|~^XJco
zy874Kwb`9{t~$egcZk%9rh8G70JS5yq&%HX9y&zbzUJRj!9&nKE!H#L9T+TsTX*sf
z?VVf>L+jEZ=P1XEACs@OVzcJ$F4Ch-hIL17*)EYMAGqM8inqTc^W6lBB1qs3GgtS-
zd(NPiCZge0u8YkPArl*dFvGa<`bH_mAwFR*gMBg+1ss#(urGO%^y~{x+Rb}-y%Nk;
z-jb7y2$+}MOR3oFcwTNqK6mfw=l~u!!X4s!K0aa3=t9!o)?ibYtyUnN!LsbYoOh;0
zLSykQ#C=CNBK_`wStmbYq@@kA(Frkpy%9gWnl&V%o{c~UtFAnVDm4JhcE%1Ic(0o8
zPIh-}%Zqd`3s(Vyb0f23CO7WIEZ0#<afOc0y-D_t#?pt=RdmO8K1Mli_fIygp$}7-
z$tWJDkRex4v<{06S8`e!a1W}XmU5mfs&QTukH`9gMH(ZtL&bWGoYZfh$q)v);$C~0
zH^QJ%O%P{eh#lJBTW+bhuMWg8I&nxAK+hrudAx(U2RGGq7DeUa(5(YPM~K!-f>dKI
zD*$ZE_K|+0CkoA-zcaFZZFD=&<*tW3#jh~dr1f^q_$%!g0Z^Qu&E4f*Z)O8@g||H(
zV-|<pMCWzs!^=I_yPh>g@V_~Bx?<koscL?k$DZugECKXOCSRwDs?jE*_W>sp)p%rh
zcNXnNZ8U`=X51<Mk>JP1Mt?d({xBf_uNwCNeJ0FhjNO#X#mq*j!fwk0&l_{G<t@p+
zc9#!uxXirP?m=5&wzhj7M$7~+3r&>yzun`~0VZg&d)$Ber{@K(WpED2RwVIUv9L&f
z{klEBytjyXhU#3GE8ssPShA94U}iQ>Vqu{UGf4(h2#}P%Unxb6&ctbs=EzOGq{#FI
zUv6sqYzST#aXvOn+xxH7nh!dovxiOA_x97Vn9|*ToM!nit|7BlRGOI>^Pe<K?99?n
zHD_aC;ZMFBC2H&tTy^IFn%g_tp=Lp3Wd??D?hJ`vX*w<0>dbsX)w#}L%P}wnn$Cm+
z0c?|`&IA2z3cxx_eZi#)7L{sKSo7VYNP<kZUoU`F1vIs`u8?*%$W>1LG9tHGSmIsj
zMBJS5E>22A^7Gp1Vr1?EkRP3-vi5TyJ3w0j`<&zv*jZE=HX>DNcP<Y~LHs6gXY}PN
zkoT_g{5W2v%S`aJ^C2F_I)c#<n12!FNGMuJLZXer%A!h{ArXK20?x-xS1+``&3RmT
zMD8f5=Jk<W@yngN-z)Rl{T_gHd6^Bnbv=j&vcGO+KH1JogDU}Dnvk4dA9#!&JV?6v
zM!wXTSsOHdg-b1ObDLx`<4JCl5&qNGM)rGI6tul9E2XB6WxaNn8o{a*cL7MyZuy+I
zw0jKBxVg35Ma7i+@1{}qvLr?2vr!+ShcCmTO!J%yHm^y8TwQ!&`r!t*cScW1;&v-&
z`7Se)dQxB@KkW0b#W%1`tJLdDX#0eY%Q5CD1wRy;DY)F+o(Lc$)bJ291O8{r_y^<S
z|2b|QNNNycnbknc+pY7i;_BLdDEbUur0WxEwv-8)QH@I!y21fqCEgZeXC9k!8-Mc8
z1R%bj%dU=3v`hZc*PyKHUA=kLv*W<)WqnEl|3Lk_+Ne{`c4mt#vvsRVbm6XhF8*$G
z&yflPd|NGrdVsluS9t#V0RVSB;K}`lxZC6_z;U(OIZc~14VB5_l$n82Lk^YAFHDg&
zxie_;@3+FaV+_dYVq1h0pLE8t3~$kgBKYipJuYdB%@RJla24>A?_%YG(Z(j|n3(b6
znrr1xe!tgPUK@!h<NnSr9R~JF05XX#KwI8DOi3BnyRcHZHJx;TAEk|}?37wOSx_gR
z<W{uHzz6PZ11%Hr_l4W@jYHAKQD@GIF8ywdM9x>U76C4z<j$n*CT-8rD9B`sbeq?|
zPA&&dmK#imMfm~Vt<HV<>WS+u_Fmt)AT)sWUFi4M0o(EB`~b`#u@q)O0Y}hS{2zX7
z@B-g>epXgPPFA623()LQ*7l~?Zvr!JiBEtkGz;?H@7K4(@d%O$M#}az%F7x^L01CC
zhBvoX@PP=iSBn3YI3#b(QJrIQYd%~U9Unv1e)MgAvE9$82?%Deq=~xD=5BOr3{<u#
zfC?Bd37I+nhN%T*qyd{q;&4Bli*x~Rc@98?g}H9|42#8<yGvQyUsjnZ>?*&$)Tt%W
z1H9j9!2U}Rz&oP*-TB+)kEEl6Q@L$Suk@P&oo#ysQLaUs{9>S>2=QHHYZYz3{8sG!
zIq5?AIcZ|KcYFZR&eH)FFSWE3MG3@P^bRe%3G@Fw@$5>tUNH3Ws-dzQkTLzapat9b
z02t1WfsFw1DPYAsh?=X&1a^#Nf{(l)WFeCdUVUN0H4cD3n3)d(dd|)ii|atk{GZdm
zPt!FgM{^8-se*@BJ<}(j^x0&jc()>S8e3Yr5sBh%X0I3#`GUgAb{SwZrofdrU&F?E
zOe#$0^vB4^RA4_e(|rezwhQj8X@D5h1@Gq<0d(EjX!x&rFiYM^Tub4%<%~F&PC$4t
zW7_`%Pg3%ty#p+Kjm*q)!uaHg6|a&3Tn=DGA$DV;UC#FrSP@uy>q5wPCZrPJ)WuLd
z48W7X@$Pi<8Mu?vfbrC&vv&QyvBvS}=x8ASL3rI9UB0u;uyAvH6BagsXQcoolQBaf
zlxbWF2gVTK(jjO`%#mwdOEQEj8i**-?qE<0=+6xPU99+FX%sIo>d-8xymrVaOsRsv
zQEBMAY^+D_WYY)j(7)#YKs87YGw}%8)m^;EM->dZ)UcaG_hJ_T{_fnF9)$*!HX$dZ
z!JHt&QhAi$BcF%TBTn9XnI8ktxFi#U@G701u^U|4T_3QhTG8zOC<a)P$QS=g$pZk>
z|DEx0x1RnFrv_P!U$gaJI5KK6DQ9haw5z`A=G`+cobKidcN4dNU1xWTYrHhFW1g%R
zC|&+!)6jmm8&C4N0g{$pGIIfC1MMYzmqwuvGID@*L!ZdCs|EosIFBt`wZIvF%c{Xe
zZys#gl`2aZu&s8V|2LEk1bxFj1wf03i-~>d7gstuLRT_jiQQ$mt5-&(dEm6>K#~?}
z&{Ir|Z$A5M>*l}>TRpxLra!u0wbmm#XQs@#TgF7Dy5ZQHzcC8h(&Inw8LrZNis*U^
zbC!DEi|gb<)Dm1l68R#e67c|KwxG=HyP@Z0Wx)sp!X*ch1r*?=SG-^xkh<N@cPhBx
zK01qFpAl^WM`7@#eiJVCLy_)|A;(+-Dqek&1Ygt;><k~ew5@e3XSum*Q)g=eww(n-
zHJ=FERLORcV3w~}e1Ktw_WIXc;i&%p;&cLlLjuMW6qj7lhqhz;XH4^S%b;4G`2aAF
zDmTxO^MNA9{<Uxl`^>h^zg08>TNSZ5p9+3BmMPed-%+ft(x_O9&)lbiGeDGc-c6W$
zc{e~>qc(SDO%%JSe>-*(G(H-z=65gfHBl}nyj+{JYryVj9(PKBuUE;<tnI$><q|gQ
zI2E5RQzZgIx(#I*h+J3l?~PYkE6>Pno5@?^+2G%rD!k|xI8!c25}3JHb<HD;mAs{I
zmdJrer3ehI^}nsCd!@lk(17{;EUoYq*+9rRX@PM&%Awy-7QjO%UH-2%7IO|4=jANF
z<fYR9($h%jqdo}hOMC2pX-BDIJ5;QHZspb-FDO0EZwcC9C_CZ#+$(8QmS5{j#9EMJ
zs_gK9{IZoTCpFjbphL^(MH%n@n+o$I&Ko1HPO|fu$LyeCq6<vnuC&TFZhKimVxqJa
zKT-5i+uzGhrDBZe%CXjcFMV@6y?x{}eA%)>9+4uH;L|(B%Rej5?^L$@q=H_iGP%%>
zFr!c0BTR7rpnl?RbEdWkhqWJ=Gnyi+AWh2jK4rgAN$78{sN`>(Iq+4U-Jr;)O05lL
z6{L(bH2pnb@9&T$WUg%b+#*1?YO8U(y_9w0L*r9V)E?`=nR!9M^4Xw|S|eW493Xny
z5`5X0R=!$7HVB!l6-10HFDD$-<;%IXjpC8|xu_lHKc19;8r-JZRxhRVnsQa*sBv(_
z;J7&0?x!zMtmjTJU;pJj=q8D)`mYEr;Kve+z}nvhRw)H9#<IPULLHw{v&h`nCbz&=
zrPU?7xyGl^d$_u*8WCV?Nn5AizsmDMIAMWUj)!M0E3U`wQ;79W2q{aciLC15%UXM)
z!3x6}YHswol=+Fpmr*}!cH<xUZ@)Z-tuh!Wr7R8X6Iangdh69r1ytTu47Yc%ajVJj
z2fu$^AK6x!yiwThi88alDk^b%rMjL_mrO2_eQ^Jb|E$7{Z?SHz#7d4_Tj#tx@V=Cy
z-o4Lwk5mtQt)#rle6FOW6U;U3SC?G2@E8-5%ugva)uo0p@cXUNdQY&Fyq>>vw|0)l
z*~&Rp&hwBP`{BrIt*bZE_B|DE58Y-&h`&_Sy81kAIGDWv9;nc+-e(Pd{oY?r&OW93
z;ok9CnHkjV$7Q2*^8k~dc~4zd#T3k*->xTBk?uUAUdX{6HK+4iL*Jbl3yw?es+Fdq
zhHcMn{-EJM7UnfYnESv7nXhq@_3o;>Z5Ha};uUof%xV;aA=TGt=cH)$RFB8eu$I+E
zre3tzmy!62t3?I<9d)RqdS`!21aR47J?2h}f*9sDu+f6tDW}fmQbialfl`Ng8}PU#
zHdaR=-MXIY#Amaa*es)u&*}^u6s$@?652dzCC5rc^zqM@M`KN<a!qA{Ji-UsS`KhG
zs;tb_%%%9<96A33FekLJK;=VfHwJoGhr1hYj+qEHQp6nkCZ+6{Y^jrG=2cTJ-kyzl
zD5Jg4Jd#IENG8s&gt9hYBRQ;DC3FXSR60amh~hXOKB;#_7c%zk2emxo2lc}$h@L#o
zadmWYp~<N$*yrn%@<KG*l{N!oeJ|UL!0nH02C`2E;yMZj%^-}zyp8$Hn%m439}D$q
zU(4=TR)DtW!Cq47a(>Zm<OJ-HmDO3-e68v5egjEHnVL_V-C%c1kEPtcm3#bfr@M>X
zCgk6bAhfS7)c1WYe033Txj-oIdyncCd(Tw+C{bXXe67WU%SZcL;}s=!K2e1F8d1`2
zxH|e5Xxog=FV43Y`DU|y27iKHdPZ0$mJKJ|sS<$MRQcdSSeAYk;IE7>_R`zptzqC#
z*yg%%SD7va;8xq8t+v?d0wFhtNO5-QNL4}zT5SL8uo_9`bI|V29G0E{23OU5#bu&^
zYlhU~Z`WVo-reQL;@|Y!|4&0LOJS`PmFSM=Ml~;qH2AdMQ`=?Fqgp-Va-;G2Va<gd
zX54Vc7W?yo6IKL?!jCIy9GXjHYD4*Y|5`(9vIe5c&vqLj(RER)z#I;V1J<NmrWVt3
zz|AV0VaEOr+vI!!)_B#nE(x8~!GjY`ad5`C2!27=>-7Po+s5fAT?w)UxwD~s2)=NU
z<7%yQ%GR}Sla=$>t5G5em8xBtDp(Nia+Zgsqr=c%u|9(-Q{?M0e3@_=p%;gG+Elhs
z^Cm{ZXg0YB0~_N7N^kd9lWN0!=b&3#*{R6it>nUm)_o!Y<0Tt`^OY2eu`Jd+Pfc{w
zw#Sa&9ra|wPddsF!l`hQrG4Uc4BXhbi1YziCk2Uj|K}BYVe;G#SjC@_6mmtOTq&&!
z{6sgzLS^PCxs&%F;mLb{M<jDKMVopS7Qy{z<Gj67`U>pftr%ICoE&P#GY#&k^7=Xl
z#_tNEWqDDL)6@qou>J)9aa{PdMbUMu)nJ=z{uY-FS&3qfuIr~kzW7`d`9=8h-Jfgs
zZBZ+Esp%WlHHk0yl)@qmw{LGOriez3$?+LY4NoMtdlP#6J~QSKi!Pzr0CtUoWrxJ@
zS5yTw`x65!izu2w2zhbd8M$W>gxP){rv_`bLgz&(u2Q;n^9KX5x8;J>^>x#1dE$L<
zF3f4vZqrtSKoL&JJjGjV<1Uy$YJ{fxwtrvd;zaYP|0$(c1Ja5@dKz)Q7IU&k`v%-9
zDmUX+8d91+{*t?hZ-fh`)TiJsezO=a(zrO64bBOfD>_^`yMK^FuZv8jRmyK%lg*q!
z*^O6diLUg%Q@lv7%zX0n^>c~B#x|3Es2Q?A*pkIJrQ+d%VYorJ=l5b+f2t*^;z{yB
z*DFaPKzzH<)Xpx$$*JEsL=A|lCf)X5iMI}WrX86~UrzUlD9a6xX43NpJsaZe*HIWr
z_2GAUUK^)D<@QM)uBP0BmdREf51gS^)au(>>z1S98x=yqbR<JXe&vh6D)CKdjN7|D
zT_DHLI=BSZTG4~6|K5b2urUon#D}<+woQd7`fvF6r!*H{kutWP-qt|4O~${9;F$=%
z^SsFRen}i&Ebmt5T8i7(Q?mz^9vHfMv^fu(&*%L?g47cf3U`EZ-+uCG<aV5d4omWG
z;rdCry)~D2V((q=?JVWIUfHl0gnB|t=!qZ|y`P<)DYtKJg7l>{dwm&z5)kVGfzT3B
zf7`HQPG9cIO5aNlex_cV*mcrJr5we*M2vf)VtNvZ=g|RWc=*gtj4}qo?-V|1Gf<;!
zBTRTU7sv<eMznu=k_y{F@talv|3e*lvxzduc1~_<Uu%4ddY70z+@I+@NDkOLw^De9
zcs<=zf*Cgp5@)6xXb&LeJXKa*<||~vfT@{{h>Db*9Wb!;3F?Pq3o9jr(RO-%X{H{G
zVkgJ7L$05ij<O*Mn}O_Hk#t-)Y2%vC>m$il1XPe?x+zpY`E~E*_vpK0Tn<i6${_B;
z0obDXgmEL4?O$%Ok%6`}>7`Gzucq<cZDRM1gedAXb#}rvasry0#zY0^O1y^?W~s#z
z%K<NxYm-+t(I(0Ci}SrG(eie;{J<Si2=>PDhhQAu*uUwxju)lXabe(aui-32$QbSq
z&NT>myVy_hX~V=+$>@ztC3dx4JdaF&-AuoFdAz9|M8T)7;QDI%!-iGG1G^thJkp^x
zJfX@Ul2(;S53ZV&y4jA9soxkK<@2bDOr;DF8U0rS1z!>BRpi3~KQO0=q1BUQ6s$Wz
z^~#gEwtX;;^TTbr>T3ug4=T?wW6dqe882p@1R4x1)!LIcRy;-B3;oR_sir(<B?|I&
zZ>k3*p>t~hwm;WZDZ~y|;6vF<;P#jkHbQQNDV#FpSGGy&%n<jM4yWWlEPY>De%|<&
ziNy@q8_7U5*?{7>;kvh;9<hqK!zd&P_8cShH+(y<dB0Tq&4q%85^sk56><8!Cy9Zq
zbjB^cC#d2B&(lURv&74KM=J!4!^TzS>cRl5WPWQN`->L`xBfDPU^7+rQ7oKFxcrq(
zXe67o{d}LSP09h6+g@&ZG=4X<=~l<qFjvo{L!_(sLqh=8n0(e|;`yu~-u0;08M={j
zF81EfxO6x7G8Aq<4%L4sV;P8^P@nHUe1gKvSpuoo(EigDso#-~3%MVVFMP!?yXop;
zj@%MoF<Sxk){V-`16xWZcMz8e^Ib(MPv$kFmS3nAfTGYs#h8x0yoAX-caAOblI@d<
z;nwC)HLK-bPhObi4xFy>v-NSp?j;xhzF9Ojfl>4+D_T#ud@jSFGpF3k`)qE{y#Bhy
z&*GVJ4OttzXr2MN{Qw?UaO=jQ=@Y~W&oM-WpsRJlMjM}^8LDKFlvBJcB6*uq-RuO&
zu_~OZM1awbhGd4OkF7i}I5>6hQ<cT%nNa(T(%jWX@fL_3br0C&DxjKS=ZYIN$mZ?I
z#wrz7;u<HOZJe6&NRV5}5jiBJ-g?8gkd(WAa8ilqRNtLj!-qpmE$c1$^%^@q?oU)n
z0UpvKrayK;phCP1$Co>!SE}u!zDfvTdwOAnqc|Mlu8T$%M9cZ8TmZjLo~q1ox6KGf
z4U6}7oK)~JE1F7>l^CelkfNR{O%5vyr##@ieXKGIB??dbv{y%97Gh0Y5Zq_2BR5+-
zXl%^Id)lm%FS5{5EuI@OGTy?OrJDfZHbkHKMWqj;G4j${tk3BR@23X+t}Q39lY*H-
z-K3oBaW`3#bTF9Kfw#cmOI?^ftb^JS<EQzAU>Wh*`30R`Uv#9=p*H`To5^t+^|y@s
z`^YT`3D3R)z9-XiML;pq&n;1Strs+ke5lS|fR<OlJ31CGy8s_2@+)4j3%r+#PK!IC
zSc|BA+(yz-QbKu0j=x6RDmanc*jn~No9U1JbZax~evI)4gx}*?{0WE84zxNwp$@{|
zV*JX{C=$&tOa<=Sva<1v%)dlTwQKVpUriKM^7LDtdY#a!RDuttr}j-1ul$4`i}z{N
zhoWM<^!V(h<+rCCyaFpw$G0rxw{F6pSafx7Z?uooes+JpTToPA7Gv33PEMGAJjOF?
zj%CJ{<$$2zw?cb4Po{b*PKL*BRh`NQ<ZI=xSm2lf^k?f<2A;rNkoT|Y9#DoWfMbR;
zBHHe<Lbw=ny3JH$whI~A-A$D$pue0U@rm_r-6*}|QyU)T0P&J}In=6{((&bB1-PVa
z{U`eYO`99c2<E@i7k_7klYyGqJ%TKlDzks+J6S6D{`Wax=2z|=VFsJd`Ef}=0G!6m
zI0w)Q>3u6S$aR^rerjQjcA=I)-cT1u(+PgLkxjgW^T3((Dl*ss!4pu>3~Yz{+q1Cb
zF&aK|VHFgB$X+8IW2w-qx@ws5<R>Xo^WRiM(DOiYdA-TYEP)6x?ERlF7AGWRmI9g4
z74I9eKvdm@K%qVPSNemTe>mumu&DlF?9Gwb-GnUeYJWX~-oH0Yu~cU#U`b@FujsBQ
zkfc4MQ0x`XU9WPV@1d$unxu;sstIgbey%)W=UrtvO*1{1@W~0Jv<0Al#Te`JUF;*&
z5YH!C*#S(J50+ajUTVY@RXi@orIi1093*#_V{nR}_oTn`wl!!e0RNpVKzcpp+MVpC
zW$mr4Z@dg&?C)Na^~EEywvRhOq{-Csd3b}4d)%JYH5e^N1dS}|@I=wA*1D3(i&(pZ
zLu_47=R)gMG%7%_+KPg6nU^xLuZnMwN2kT;L-<&-faiAjPpa^NS&gHVoxIdn<$561
z?N+2shplEG6L?3#Sd!buo;a7UW<{G<8JGf4ya%=dL4d65J2NNq@w|(@d$}|!E%xpm
zUlbgAuUzQ+zS6sNN4`&a%ZU`RY)0r2ubzwKo)<gI#IeC+-aZHBJXL-ZbOL@Tya_HT
zC^SB>RJPc&m*wPpG&&oD0d%$sfba)M28W42KDQqUTzIaX7#vr<1wCz(5=z{9185i2
z6*eA2cJ|7g<;FgFtC>kLz*UUAvBFZWU0b44I$!_1_D!ukq(1!B5llE)Ys6ko|Gs^)
z8Lhu_Z^TZpi}9^WN@CFc$bv$`fJK)r=6Ao>oM(T|H66@&ar|3A3rSfr|6K$yg*uE^
zA~>IjtN3Hi@&k&f&E(*n#A1^DgmpE84;e35@PM8W^0RGk&HPfd)6{%QtVrH!h2W|}
zQM$QVRO;2kL(K<}?VzF8VnxGAozAS!TNc3EAT}rgXLLW*m_W^73kjWVEyl6ODnN24
zLt&p|BdpqZHUd_Pnj<D51>5-9qheJ^+d}0651jIEZ$dpFIqXb^?5mn@Y=5b2fP45y
zi`KblMFz$PE@os@mGKaqFcfyZaDZ3)#N#36f`_f+7ee;!>@Qx61bU4u5a$As_#J;0
zeW$xqL0hrg{-g*@R`0aZ87+KAENJwpX2SvGmvSb@c*%{*pM=${&m0^$E^|<uI03X{
zoY?6L0;X$+A>Yw20XD4C*me40(hTa^aJsXWwGitNg(7p={t?f9TNVB9*2xS$-_~LB
zIz`9=vgUiBw%7Y`)sGPd4-JjAd-j`z@hR|FDGWH_hgT!}w{<BDT9Tastme~e@(UR{
zLePpUzIv-zX8#6v_d)tr<vv(fUVF^fN6<2vW@q8&?nM6$hj`yr`S+SFL)#v4x<?y2
z3v-~i6(9G1F<dc`Hd4ra*u3kYa9f)T*}~|cp}c5YhXXiVmq9ni7`|#lss54?VM;!0
zn3TZ7-6gFI#q*16zKN+irsc_|Cepur<P(jF7|XlB3X>Vc3GzO)bxvXZCgdi!X;Y4D
z#+5PFrjMdvplFZHz^p7=WZ!Fky>F{-F+UC>tp@k6Mu(Q&6EuaTk6i7Da;XhH+P#1s
z5^8T<b@wMUx{Ss*m(`_$U7GvcOFG~aN>x1@Vz>Fg_d}jHcpDG5mT6m0<}7Q|wr=_s
z%83A2shH5Yma4lWhS(yIg%35{d#)*DQoBlIX&h?geA+iYbX9QnOS^(~cYC`|fb2$r
z#kvy>p5}hwagO@4Y&Utjq<U-ct%bsQgvuNpSPH^sOnH&6YR*rOgRCbYQK)u*DoSfg
z#L_H3aM+H&rPKhrI7&MIH+QaL-T-uY&l-8tjM&jXG5ywER?b<v`m;665#}xwCmbbq
ztXy!oX_R(cQcHeqs5ZA#X&K~i_gmV*(#EUE$5AvyE!M~zUCfB^1Wyk?+7w1+VCBZ9
z8f)mLGbVF;x7)|BDSf-MwjioDM0a_~lNMc(H2IND_W9S7EJ$|d(DtFhDB%7p&2n4Z
zVkfjfLRLfl{Z??3cPs5N+wvo~qcZrig$K~%Q5Skohl_vC+RR<;=IHk0biOELzO;JZ
zF?E2W;}1i9P=q?Y=CpM_8P`a?Jm5@U+m3}Vt7Ro!qaM!|IwF>fwK+mf&3?ltz-MZe
z^Xu9n-LhiDxb_Q#B)!%~;;~Ccj^AS*&#q1c0b1guZ|F+OZ8f&V*b<AbEGra$K5A}8
z8H&gvJJOS$t4)<8mtdDe4m_XX+UVbSDku;v$4C4r%qt?dgK$mcR3BuxT}dClm@?-W
zY8+dK?Jj;EGm&wO@dObCH0#l-iOQk_oeEP<;_0yKKW5;Ht^*Bkoxq{Wif1f#79B;P
z&|#uQXcb=hte*-r-P7ph={12_?3b;%E{n@Z|1Zx<5XC&KDxMwV%7ycU4w&9*^T)4b
zZ{LPDA@%YK%2t`-J(&*k!7kE|x_;dhxk77L_^^is$|MTj?e~U5-IQ9I6h==S*xSnF
zWWQ9Ei-6bnW1vDrMaNHvb<8ir9@1Dxr?w>b)K+V!5!-Uy*o>$z9u~oVhdRx%_R-uv
zkFUS7P&|Fe#((|d$BbH}n1`TMox|hNH1RxZJvlE&pKFJddpn|%hQ-I;)9cw1<0hR1
zs^0j$AyWk`*5cD8^{cg?13_drE|X>7cxQhVD_AD=`6HGgZ{u~0+@*Tw^_nP0*J-yn
zYE~&8Rkj-Pr4v!hVPqs|>YFWatO61cbQXG`S8{f1-IG_j^mY}Cg2{h_ust5q@C0)I
z%~DFCL2Cn+)PHkHb|=&<eLy1Ht3R0clL6jZ@iwDkPDj$RQfEHu92=Dne4KE%#qB^x
z<O}sckl(QFZ@Adzo750I-0YWLmMydu#twaSqu~I{@~&mc?*dc|CXPOPuV)Wp<)egu
zR2YQR9^W19mJYG1sZOlp2@X6C^-3=s-Fbt{VlyJD@0_D}erHb>ItDh~vg~V~5up(H
zjc0YpC1RYM0)*(`M&7Ie^#Hfy3ATzZkR{x-mB7zn2c3a&pqTCm3up$>6;k(cu~~1j
z3=-q(qg2;MKyt;HJpC(!Akz&ZN0p1pIW~XYl)CMs6pMlR-Vs9{pC?Hs>xI~mamR@(
z1b&0komjIs?q4zt?S%CP0{B5!fqpf>pT39uo0uR-9hIX@?i%I@HH+nzt$!*CEuS4T
zSy3!HZxD8xbByxgQPP}$Yf%)t&jXvDDE2nSya1uiaV^-m<eAJWN^?FBfLpci7djqk
zdwOU6GRrbIa~<<HafE%1`7sdlm;b=!G3mJrPv;wUVdMrr%Jq#<THSfW5~=a>SIL4l
zp(?p6(6iwt^p@90sub<4YN+@v_aW^Pv!%g$Q;2_`i(L5c`LnX86xKP1_TyWhWe*9<
z#Ffg2q^eYASM^T+awlQ}r*U=A7Sv^lG?&=m0kg-`kg6PbYMw!i<5>58VfDplo1!bF
z_ZocSj?CtNRp|vOr}>uB&*ai3CoplFL=Nb9QO6$eQuRYl=s0DI2*eQbteYCoOc&qw
z{)36%9gKKFJ%v<ReLVH`N`Ve}D_?E~+m+PpN}6%0N#qdw(Nz-J)4zPjmm&=q{LBpG
zjOf{Ml7CnylRxDEyX{$zXb`~>IbSN1!wP=OZwHV~pK4mWeg+d}mnx5iIIWd8f8<{2
z<KTd`JG>n$*&CH5S;NUvG>cMVNn$VuDP-lenmo6iZzCk#_;dd?m1ga>IKEz3+I!Zf
zA}fA<JIJ93eeZNlb8vrsxN^L&ZN?P$*`5l?!f(b7&O7T}nxY~GrfQr!YnyrF+d8l^
zB{1)G6Bt|W5P>=W2)}oyk8N0xVb%lcsJm!xMV_w8xR9+>tc94K()Ick^`$pYcmz_^
z$H7RpeqI0`VjPw?(W<pp$&BiV(tb+sGAm!W7#E8k2#(2vwssl(V)cFn_3?3_FixDk
zEmIT5HiZZ)YExSuR+WX9yg^w}rvTg?Qgk|C+A0kHdPYF-SE%8cizhisOl=~GFYtXi
zG6?d|Dp+eEHT3opZMG`;veYrhmX<!_QorlS5Pv<5avTsBscyHIOz}v^NvLFGzlnAn
zxod{&nir#I-x%9E4f{REAz@pcBt9x7c4V3YM4LM}*^3s4JLbeYJKLW>mVNaf!T@Y^
zMEtkMT?c0hf6Ci_`E_*XbRs0oB=@t)Fs#MMsP~d8931~4C)nbO)9t_)!dr(cVTS{q
z<u(F%On;S=FB{&TdkzbpW6c~K+Vj+D4$c9GYuje{^Y^~6lRw2C#{2ABuiJsaG?ne8
z{*$idlwVp_BKmxf^S8&(o5Z{W)^bu4Oh+1y0i;28Zu-9SEMA%a*#Mz5egunPowA~}
zzT=B!sew0lBwSt~9;vegKadW0ocQ$J3B_7tC5Dep2Got(do80Luz4aJoS#|=u^dDm
zifge=_Tb2MmeE4czp%gor25+FpP`grA$dBJj(Ac1cocQG@kw#<63PO0GC<{^tHUqU
zjiHe}NfaA9J8VWqX>~2;E|a6C36Rvuxf|u^WYpK#pkcuvQKM>(Qd)Hl)COhx(?0T4
zDL9eOtgz$Sjt&it&#{e1QgIB0TXs{YBsi)B!-kGk*6&l5(&}#lU>PMQ5JkLg7Wjr_
zrjPEEle_4#eA-bi#4gF8;PUFe?Q4N!RHSnl1lo5B@}Bbt)O5X9w{tCEf6?OLB{n=S
zz3Fasahsj$+?T^B(`>y;LH=sHtZ?)RN?rSOd*9U4=wAAo#C?@Zn+JjfvVqtKvsaQk
z|6io@Ki9N>Lwqx$uu@aNnLTY6%4s*;n$Vjoll9{H12F)r*<~bi-O~R8z_|l##{k>I
z8B^vWclnM)xm&c^Z67Aiv3scEHEc7M0(a(ide+Ai@qkhO!w8k_66Gay8;vt@?FF#u
zH<mG5)}}ZHkVnhgg)>!~qY@(G;-vH#3oPIzs>Pu+A4He~c5@{ICP7oVj6q-<thw?s
z@0rCP%sti!8XH@4fp`vo+HGC{3i1h$SM)*7c!TnsS=uANF~s_#cq(#Pc`9%P)&U)U
zKielZ`WL;NvlZ%#mX$#%Ql4Mc{GAtV;yqK;h5{CDkxzR?Da((FHZ2Z?2t~mA(<me-
zmr3MSExk5S-aDtc3DG*PlCo#8P5`tN<=7ACcav%uD|m>O-exUN;Sbpr7oSPd9fkW6
zbTk=&t2Qo(NS6slp>=n*x2UFFR?qJaEsWGx1OcX?)q}+c-qwW+$~e3u^dkNJD|l>7
z=Wkkld)Xk#DXhD!Ru7ovo9!%0?EDH&D(>B2ZqV?Ym4oTZit#Bg@}JOx8Tk3#q@LKb
zEW#nK@Hu@aKBG;Hm%B)*+%IT*i7zw?w8-yc1E*rsIY4Ql&zkqKA)+W#WeCSdJDp}w
z(I=b*vk#(+Cm=hh)JkV9(dXK1t7E!1vV@Up?;I0EJ6)?jWW%<W@5g)T<lUu0Q{k0v
zp_Iv6%7B;RdVr2i>4r3p`fYkCdhR3q9fg`=_rsY!BJDFYQk-@R)_X$1E>s9eB6%eW
z49S{90;d!)znRS=C?O3Jj85E|wvUR7n=0mI0GJz=&!wc=S)EdWB0z3A_PpaZ0zkH`
z;$ma_PwpWh9D=iA#oGXn)~6T%IPhx%n`a^rMG*8vXrc~U&KW~r1Lz^7Wmevi_My!&
z`9TF>W&(JdKE+zx)Y7Z+((PWPf*m(jBDabr&G4d2<yFK~GdNzvrCeWrqj^Sa<s-$K
zE0j&p_uc`lLvPiWs9R81H;?S?3iP|hXP&IInUTQuV+5)KP^pjzNGqq&bWvPzm|#po
z-Z@fqJ>7v;|NN;{L!6#dYSmCQo@e3(rRVdVA2Vg2%^}(!E!HRQIHP_P1wY<tyasZg
zuH9&HPUd9h9zojpBhnC@dA2C7q{ht3e{)2TjunRBEoMwpOh$jhb~YgC>FMgvG^++=
z6%{FFEqT`U<tke<!2TY(p&Wv%YVCm6XgmDPD8#*gea7!s-lT30X>*t(kS3OTH_QXY
zlH~Kycj&k?W2tXLePT*e%df4-`<<C<`|nyVf9bDYcIKP!Di=ED7mGgkV!)nJoo(JZ
z&etc3(M_M%(<=qzY)m0@bFQ6NsHr(|Sr?8%cGjbwc|UIF$87Qk!lnZh?Y)l2IHafV
zd@{UyZ=X=K+$WU>QL$eL;fP1{mG-H4U<W)w4zE``Ju;xB$#d*wDHU94xi@`iy*C9r
z;vzIy(UpjZo%<NK)FV_Nvd7YHxQxBtRa29nFNIg=!d~~6wriOe5#Cu+*)g1}+Np$x
z*+IW;J@5bwtOrZC*XmW6G#=Xx=R5=-y^}+D%Xung)<@Pg9PE~G<3ts%X4T}S<I@Z=
z2Hj^Z3kJw7l-H6HXU)A6j`1r(MRywOdZtUx$GNtiNsX+RP9>($i!8?YEROo{4|US;
zXfs3^k4H#-lal=!#GJMsq|77mSZa?T`J?_-tY2yN?C6N>D1(gM&NOCUW8<IQIRX9U
z<GkG>q?71-!{BO(d;J5Q!!P2WSI*OUQOi8+Trc@$W=CH!gpuQ@G4RCi@bB#7JG0Q)
zm-}Z_G6(}s^(FVNZs}zO;3+^`jc*U?APWsfDdE1gIn(`nE59RuL2&0ut1JCGB;T-$
zOm9C`j;<*?X#(ySw}UQP>N}f^3eYvf0h{=ZM!kR(`XIdWWP{rMsUrcv7L=&rUjUmo
z8TQ_BI6e5&wl6whG(+e2Qmbn~SKR&vnVy~j0qcmO`d;fjNq8h3zqL%*an1SxV(g=C
zPneQ1S&||zUqo>@Sf;Jbi`X8EI;gE{7&Y|0+zMZJYJbE;vq1O0!PDp=$O@&C!dfLL
zAh8taN|wOzI^@59r3oTfAX?MjhF;_f@NwM9G1z(QcKK&k`%rbYW;G{WC8KsrqO<oA
zVf=)l6;>9d5O>M``L?Y0eVb2>&3Ca?$EF;#Wq-fA9ZJP??OenNWE<;zNs;OBj9B}W
z5fN}duzaT;cRryWu@)=idj-nm``ZhaiPyUxCY4%!KcW+_(36w2xeyUJVD--N@qqTx
zj0qJMmYwDMcWxP3gQEc?^N^#pP5(Dl(pW^ygpVZQ@RQH4I}_(KOL1dn#g7-ZKPmeY
zdBS<)Bmw(78hm@hLWK~W#ah(PAyV;W@rzL4WrfcJW_j1WJ}&*N?f3Qw>cj~CIQ<GE
zqd7dWfXUZj?BfbxRK;ZvA#e5Z^Ge;}-B?h)Lf>k0bXdC{0e+yogavzt(CH10NZwMt
zp`Fk(8=<|UW-zk1&z;Bw#U%OLK9BCToQ{4jrRFnAdm7>{X<gr<oyIJHstq=f=ki5j
zN-(OT3TH8%AvZL|#1Cms6@WoEumMjeh(3_Yn5!C^l1exfIG}9}{Sn4&09j(iE|%%w
zNB!>GYcbqN)3rWxh-ch%{a$0mI_%9{t#x7Lg~J3MmW>eUwl!51Mtv<(emQsbDU8D_
z*LnU?6fd$<IUUnZm`+B2wDiWzFt`LHiO$DV1P+asUq*hq%cfF0Q`H{Fsf995D&3me
zFiw4!&mV;bwr_AfX3%t+FmY6qKP?g=QJPz<xjDe7;;SU<7i86+j>4o6Ci~@}r<fgq
z3DP;Xk6X@VjOsH4K-=4skl~Y@Z0F~QQ{t|9h@I1BkE!-h%2vHeNvZFG74Rq6{N}b*
z{SKvS%Pe*2JA7Y|4G9m(tX-@5noe&fxNMJGDy-<jbENqOh=r=wy4xm!Ze3`VheeQm
zLPJRn*U@t4+k+~wlVwYL5MTJQC{gw7+*!75>x%rj7a;*k-kpgV4^NL9U*xU18P{De
zwCotR8m@kGqPS>-90<*!0KRSBMs{^&!ijySkWf@%L7&UeD~Hz7xlT?Me}k<!%!Iih
z;0@WCR~u303_M?wJ&ifX4Uc=8%w|G%Wl^OAhNkXt_SM`zJTP`=WWs=1iOd?=Ph<Jj
zRo97)z|%O4{13O>!$d^3fXJbbaWl?Jp6g&X!FGrcL%M$&{5|Zc%Q*Ds-*dIW0ERQU
zGwSh&#J#p9Vu@i9>vKKg3q9bCfsc6FvytlJZzfstKHbN1U$aj?mRoA$==xzNG@Eza
zW8<6ZCkJR&l|>rop!QfgFJ-7G4ib2Rn!X_&w~UU6;J};F9sG59NMftRJRpr^ACd5i
z7#%zQ5){Z*P6plTFLH_w==3l^f1$x6O2>Y}SJh`tnlXxm)`KeQ?DVfHB&>a^&_2vE
zzdwBT5on16_F#JdDo`Sgv%x$+Jm55O05)_F%+THsq)?J{er<g(U?gvuZVWkMk(W0F
zS^XjhN#ksj%V@m41O4gXI!EX%yL8zzMD8}<#H%wK$`i(T$XXOT#(=)FoSVqh8L}V+
z0k>0f!u3d(F(8-dNg;$z@(~2c64B)XMFa1A40fv8D+hUPR@vzj483Xnu^xI(dr^{4
zzEgJ&>(2eE3rwh2mE#T*gwW~VFe@Cy(jj&sepH+xc}lP{FcE%>T&e-7Z#gKK9tEY1
z6dW12k3`Ro0+q}IWSAHot!G)<M-NG-uJ0y=0AoA7K;%$va#=g@!S11ok132o7Zo7@
zYrS@U-S|l=HQNlnI^AblU>EiWg_jBb+f$RJLg0U!TxyR4bb{*Y>JBD2EAlRiTycPt
zWe?y<2^VH*`fnnb&M0}py_?xMP>L>iG^cR=C1u(MWW6_uxnR1SE7ra#_2&{GZIlqp
z1prYiyiX2Aa~8tCE6jL{wKf4XcBK)Tw!ojH@dDkYS%e&Z<a{MoB7awz0OBeDv^~e)
zfzAVFfO_60yJ|NU8ZUFfF?boISBjSH?+0%+Gp9f-&=6)E?vhj#%pm2YD;h{1lh0mc
zT)b%j%We9ndm-@E-7|rR9rZPr>97P-uJW4G0SQJU6dv@{W2KxwYsXb@0!ozY_IYxp
zcFc>@oS7+tMti#WcRrDRtdt?V*t_rO7^p7eKiK@XQ+CNf-9I9gD_E8;u&ptuFEn%O
zpO%7u-ADV9Ee|nIs#dE~q{ynrPSyqua9DjBIe^nOQ1=}FSj6Uf!dZf5-I$~>yWQXQ
zIw>UQJyuiQ|KK{zcGr=c1&L{C(eCN~#;5ezmbs*AH+zf(hki^xaTK#F7K~xmLK68(
z*Je@Z$FeVKTwKlIX+T8;{2F0b5hZ^$4!<|9?-Oo}`Q*s+|E`_-f1aUC+Gpc9ak073
zJ=Lsf5sG4Ms4|K0TE4k&F-F{_WHxL`wyj7$_8)K>i&xw~_~?Jgq={<9N3<5BCW@61
zU=di6iN=7Px8<wFeXQNPuHr7KY%K{OGhm}bcQa_S5DSv&Hfv1(qUxrvTf|JiMd5O5
zAI6r_05@wtqpmk*KC6DV&0aGd46m&kC-TW!MW1MF^hYO4PQb9#BH6?==h?a~4p8X;
zinTwB^*ZOGV}NQP=#qYF6PIXV4Q%f%JLI7GXimN*?EjS+D$DYr-H_fNkJEs{GakQ7
zvWDg~O?YJoa_hdlZq<mk^W*vu0GZ8KRdIn6wyJT1d5kS@Me(dsPsX??uSB|bg>=43
zaSn1jtJ*~@!BHgsefnh4lKMwxT`wQqy*dE}2{Z6~ZA6Q*$`Ez63pap!XS1Qubp3Ua
zCAAtwS=q~{dBsVcs&)=Dq#hIz42hoWT1%n1Uv=I|IUiTCrB&SRv{@t{`s1v(t2<3H
zd36zlJAZe6pt{~z{92e2F5nHy#mpR$DHtS<QMm5)p}DXjI9~th#9v&}yIpM)=pfMH
zoV))|Sy|t-MJAW12$#aSLj1jp93SE8kYllZ_F!x;;G)_Uz46H5wDk7x1P#8r&*gOW
znT|(cN4W2iR5CA%+k7^M<!*dDkD)nVKIb+|QX+BO7h_pT7y^FR8g6mp;nkJ;!Y=1s
z8DIdj3@&{!n|d~4YfQSDdF8l+9iT9{1gUR!4osi)cx?pG#MR}Tphi{p!<WMKt(}o0
z*5c#}mjXo{zW2i<=1Z`Aig^)cbeeapLJMNyk}-)T!3*RcXB<e3!rpJ~(1_iW6^iZY
z;CCrvr7TaL|Kre{`R`2bqaTUgg{u5^tNU%Sy45$IwoA8&mg$bf#evG7&)hK0`S?ln
zqP1Ib(+_K`-kHyAR3It@yzopz2-<qN%Wq)5eYt5jJo(wp*zYfc(W>Ft|L^vqEbY|)
ztm}S`{#(C8B$c?2ECX_|vfPBrffK*xwMSi^C8imcn{ySU6&+amp2qAgRO=gBT8wmb
zYJXbh-eN|zR1N>aCd4GXnU1e4L{8?oqbl7rCecHBYjUBDIlvGF0ed+XXSIKMdIo*_
z$FRmM0G9q1tlDlLmGejA0(|Qa|G>N`%m0weCtVZsw?Q|JmFh4*2AyQKy??`9Eh3@4
z%gW2prKaeK_vt3P!Zp==rdZ~mT95D&5a7fCc=)Az5b#XbzTmz;5{^Gz<)u<UvmgwX
zHRG#krRo`Hi+id$a3ISz)87=ikK{M}^5LXY-qdMbHJp2VBjcLNlOSQ3Z2+SVc;mjy
zGR9h6eFy5koALrS2&mt7qvJ!LH8!m;jJweCU80iR1v!8lPtsuyI~A(&;f(u$CDoPg
z57?s{7`n^4{1h&`-bmU1X+~N4+Tc8{DL8%5dtD$Kz)0V3b-fX-W%YeJg5VYC^GPi3
zE`!#oHKkPd=YIp?He)lyG5D<WvWDVaDeAYEV`pHCpC;?a)el6EyosLZPaR&0nLCq}
zE&m=EI#^g{)PcgkcM{zc0p#`}e(#e!2;MzuBI6g?5wU&2>&dAd@^4AMi?#cu@v4R^
zpJq)S&hVy;wzYgH{@ksm!YC)GnN3<J<`|nrUyF%JGzKWMji<a)9h4Kr<NDCKAAxhl
z{+;vf_Pu|ig2w;tRn0ozK2U)(kVUV*KO7`9eZ)COH}qK#hUU*SnO^j_IFLq;q7ePd
zpfj@W4PR-q6AQ#-G6Y^B=#4dH!@Fi3l|>b+du!6g$;(p^k#^<-C9(fKkoT1Ie4%~u
zq`p6zPU4SvoBYb6MNJJKx3)J*uw46%!u9sIlL>$a)5G0CbBdWG_z+GG1Ed?+U+GbQ
z?Kwb_*FN;3(z3q8ltB90Z{UG@eAaFD26p4)wN@|1u_$$jg(+eFW464{WE$vuv#1fU
z6YS`B9J3v(zG2=62<B~>##SoEbkqj3TiPNA2ST>g9s7w^QF4(stH?ZQv_yVmkQLDb
zB5s~7M$~?@IkI`C{{O=9C92}MfS$DVH<>v-;Fnm$rv57s{-5U%rXzJ>UBHfT)5Sz%
zA7!7;IAd(jpCC7&UuH&Bk~sdn*ULXGUorP6U`f)_0USb(fd6Q<b9ZT`_H;SNg-?6A
zPW|;qX4Ba{{_?G0{`>#*&N4s$AE%zXAI7vEg^1c8{TMRlVC%4z@Mb`~uv%5DG8II>
zz8Ua&C3>pRHw*5KOK^{;@R*Lhb;||aVq);>ex@jmaGZA>bz=4AHlhsw+~vfMr!|>0
zRVhHFqvt_wT{F1Str~i}qU+CsQU6x2HS%l!!F`EKU*S$`M}g$fQ>cApVinWklrB!H
zAF!J$Vf>;#|4K&z2DiIDJ-k5g05&i<X)!i-m0A>+<$oE-uFt5t+T7A_V<c~bsVfy=
z%u0n0@_W&KrvFZRCD^oh>jiw`DyC{SVfty0H#MhlHV95TNN8Ix6vtE3$}BwCf9#8*
z$V~U|uNk)SDAAOs*pF5_D@<TgiWYeG^5}Gq_Gj1*F^Up;Y_`Hc0S@7_pNw)4IWTs?
zuJh9y8IHZHts<baE~TKr{K75rAiOi}zJ)4k<!yP%oTFhv?-wXuZ^LVoycK7^EF4A_
z7A^r+k_s%$4)UrEPjr^U?>)ONrNy5C%*zGlkO>%q7)`8#NdQGGG=0a_D92hjjl5$Z
z%Csg^NVdk8L0J@r)cr(``oqHcN=)YI4|Bz<lI@N1R(*?#kTto;<PrABl@05-l_2=U
zA&Yz2&P3PSG?ZNs9n?+EIKBcDQc^H^0Skt&ltDW~?IXM>x%xR|wHWWkEGX<J1H_Wl
z_McmDE?e5T<E*x$|MjnL??DC!E`%vPz=7ka7K)V)X~#a|KMZyE{dZ@b#b%crIAYwB
z&_cYd+x3u;&Pgept_MH;dJehMI8#Mxl~nmHkI!B*Tj|P_UCRa|7g9<^mIFdmlI;bb
z$QZDXBEXfTond7=*h>V({JP^iic_y3Rlx00q@8+AXmO?Z4pII-c_Tt42{FWWP~_Do
zN;o>rS`yzlUJ-JhvX4CV(1&a$3=g8bEf>OrpnRzSfImA7*0}H&fd8s8v)FZ`12&~R
zsy;g;8j<@tTM52F<fGCXQ1LJAX3-TPZ!9|UQzI{oyL#!RDvK`6mF{ftR`5thI0M8G
z0OEsQI<o}|h|^)--S#aqPkzMVe!^!@`@neP2?w?r+h4pgcl=%{XlRl7w*u}|#7HJ)
z&*!--bGj=>b|h9EeC5A&0C&?1G_@KIw(KU~8)5YRChJFHP-4RjUk`@R46n4<4@OT5
zh|OWqGwVH(UT^5NTn1l>C^L_&@2{U)pA#Sn&n2Xsf-5Y%t=ytZOmYkc0RH9C|Awa_
z%a=dB*UXLd7~7yWXvxU8;mfokrViszMO2Dfj4gMi`RV$YzR*679a8)v*+PE61jiVA
z*0AQ8$B>t$>PX?{Iq2*W9Ac6x0}&N+o6r4A_~y?+6Xp^qHP7L!lYOkzk<Z8(lB&9)
z!_JU{=kN07Vo?L?m`_i!%XjV%YxQ?R1!nx9-c)YiUhCWR>2LRRB6v0M{^KsDw17dU
zD2LgVhcR>SyK0~l6<EqsViJ0`iF^9gv4ITR*#KYqHDA5k2VdZN*aFM9gk@H-`$Z2*
z<g*kSPYsmXgGd-<>fwQc_Nirj^AFHh#L9}VrOnTRlcuJ}>YgN{kR77$>-$RU?~06D
z^t?%qkz7sr>ihOKt5fVTnmUiwI<>wwg2SKtAdy}x@AX3HsM8JQN>k?nJ|ek#eB#h^
zHCVGn>}jIh)FQ~kAWadaMfPWW8mn@lhzyJlRoc}g=LK$m8^oJNZTD6sm_i4Jsm-^=
zd2{lFEjsFYVb|B7<1?l^QgSZz#XEC-`y_&utE}&STPG?cjpwjB{;L1Q9ww=oSc=LD
z@TqT;Sqcxs3dpD@GCoocu&8qG4p|mRQ|!l^2Bvew*cizDo9ZHOc~5tV$cWKeVnlLt
zN<U(5VfyU*PJ2B+=3ss4UKV(wmK*t&J@h8`w>t>J6L3{wkZ5)L=;WD5nbkWZvl#tj
zk6-UUvwFMo;IZX^hAL#|!>iZr;w}1TgF|>2d&q#9Dc6lTP717}@zzB0l#Z$*EXHqC
zvdTmB>>c*gzxKWaeC7-{8SBmWUM^y1^B=Xb-L0W&fw=dVy@KGBRlJ}U<be|#ard7u
zHyN_;Y3AgU(-<<e?y(U+r@5JMtov8a-H_S)d}RzFkG8#JAVUaL&QH0`0paI~QO1X<
zwU5qmBWCAgqu=90-_4JEl%e7;dbu0X7uv~fhLX2>zId_UaKED;?Cq{(Nqt7OSHbY*
z6zU|$g9nN9-}5>B2&;DoISRt|;}kCi{3MlLbE6BxkBH}09X-Sfs1)1Xc`Ge2Qfl;v
zZWd>Dw(ijqDgx3P@i`2#(nX#46p50VgTl+1bH<Yau2eO>tJXH<?EoRX3(BNDfD~0G
zH?O^K?dRn(&JfAWy60$CYdOB_slyH$d%&|IsnOPL-fng4E!gLPT5t)K5O>}39<A5z
z`JRcWm}j>-$L`5Sf=Jl?e0#%GV;)9;mt@V!{g22~(S=J0*&OLMXH0pboQuVc&qSmF
z(LyEZ-Z>rtt+qlXi^;|cyxgauoV##q)jr-CqWwPE8(t2mx<iF7RohEAc5hBOi$gTl
z%6+o_ZwujNC~>@|XWEf{Wd3PjBNVr5CtCNLJ9C3APve}Hv4=TJW?7BPM4Sm#)*^4r
z#vtH&aeeSRo>4!pI{KEa!S4-4rxb}fl(BTp`ANHq=((Y?kjA)^mG-S*{keWTzwq4&
z1FSf(+e{D;{AnNIziE-#EyQ>$sP90S#5NVV5a1rrwungERp-1tuMcRs^jLGb=MAep
z16!4a7rWk_%@Y6RvT&OnANP4Lne@A*QOBWv%1PfoK`{d<aXPwhOTc^kkc1m5Z}H_p
zJziR{H2bYY7<!zI^(ja#Zq6j>LJ@m8j&7WO+HbJ8uYVu(YsHbyUh#(NdgA5wir$<O
z?HB&k%MYsi+%W)3w7J}0aUV_;YJXfR)djw*yot>~^?V(kGGqn6mt%mMIrIskm30I5
zbs<i%$2Sz%wB{51EIo29-k9At&j}p(0yB{YW+6<w7-#0xinb7L#Qy+lhvN-tY%z4n
z0Q`bZfcdiwoqn`5Y%iCa+miSn*qqi`2K|>bfsrvIC}ZMNoHyAxm7(Ne8mD&L)x7k+
z-+OFk$scJ#G9XPj!0BG*U(9R-oNfHGt00p=&O_cnd7<{$&WIv^y5-8)eGnI*{iREI
zw5v-P?)!L=T2ry0JJPb)`O%vy%_CPAe_r9%)8ic?b15Ryx62vIZb>eQGRAn;xuTr@
zYj595@@f1p#@;%vsrP>$H)y0pK|xwT36Yi<1C&riRJuk<mq>S)2#82aNJ@8)M!Jz4
zjP6kbHekf>j90urzt87e`wR9s+s?Vqx$pb=yq?eNy8Q0ODLUI$*_p0cSlbT{YlZ4K
ze^q~Zj|G`nAYHc)vV`=lv8HA9yl&#-vyk_V*K59YaMR270U+shr09%BKmRj7p~WBb
zV}B>1IBWh?*j)u=29=olX<Rp|Qdb86TluP@{esu8xq(cuK6@|Y225<qh*iI(ZU}9v
z+~rqx1+bgDE15yUn|Uhq&Z`FlZC0zGs6bZVr|DUm;m>IXKhAz>=4z(TZ$98?=E5;I
zh&8n}jMIN)GWNCzX5Z(kH`S=v#`gP)&Tz~xRDI+q*tpZd&n9fYBU{{kT>iOJr<liO
zmbX~Ug38R<=CZbxUk-mqQ~uCuBpm%a)mS9+A1(vBg(cC;-$9QuI!$1_6=Z3Evf2d^
z;HZ<Jv-VvTl`%>|5^}{#G%z!vEf+Lj!M;1yQA*7@B}&Ln4-^hoCYd=BJgu{m%5bO3
zuidio7);kwK3rRm>9jJr3_`P@8VJG~oJ-LSwV0*$#_VQOKBOk0muEoZgh0wZlyw2%
zR<tzkPsp}yq4m^z(R~w$iG+jFMa@&$Q~tygx+Hna4;h*RO?yX8W9*S<ue_CkQzVX8
ztJ5O3S5|4Ll04|uVY!yp`5z4^<kRwCAeA0kbNQLHi1YJJSPM(tH|mZE*DQND8IM)?
zd6t5B_{}~iPAuEv{&XEc0I>aJ4TyIYgACZPPyoOkgexRf?nqM3)^X2#9`(FG+nKbY
zm&~iuPB3e~^`RkUsNfP`U^gOyh%c-Xn(hbqm7X$Q>19Y8n+S05yGI`DzVvL_>Fj2m
z^sFj%nf)>h?U=RAsHnm?jC`JpnUS!iZn{(KE>aigX_FDmXU2m`am^8`o=K*^=5r0J
zC{_31A6v$2^0)pvC*ZUWu~eeJUjGAgz`p%I@|SCcF<2tQ6^nOQuv_p-7)S@3=VnF$
zR!V@w!2*_kt6R@gKZNR6g&;`NGF0Ke7+y1EjIb(g)mVOZN+P14%GX}|3(BDL!=l`G
zxPEcbxJs^IHKVw%w5X`3^IN~&R(uA@5}m;2x!2Y`|4K03Qa&l?tI*%o7wUS_2hd&b
zYN@Z#3<>uE9=BlRS3W=8#@^W4WHueT`#VJR^@Ciag%=Xq2pt=x<ry1(4+NHZoYWt$
zVzQ=PFmuQJ^}Du{Cg>qxcMJT4PZbtQK6Kd-VTsXVU+Hty?R(xkBdLd+-BL5RhkmDQ
z(Cdle&;+FC_v$?&o7iqYd&2>Ii~kBorRS(ZrK8I`m9%HM1;EbrYW8C26F{3=MpbsA
z4ACA(BXEEgIfV2N1l!4Buf~iM+s+&b;G`VJ5#Pt_pRBH^zJC)%R6cusz0IQ1v75bO
zR*lm;A9MsrufBk3WWQX>Kl-?T14eLyRrFNT8W8lgP!OEP1HNmh{3@B3)*U+y+Ux~d
zbt`3G_3LM+N)$J~8dRxsB<3n+$iUwvDO`<wn^@-XyoA>Eo!aqJQ+K=Es?Aq1HRrF#
zv3K#%1A7<gcf0mQv$834(kt_hO6CG*^wR6T1-B^`dv*g&fy_hLadH#AI(g^JO`lCZ
z`@8qqM%i$B3Pyc7@OoZQLZ7T@*8LpL1S|gXPz6~3FM8gRpw+CHe=>*fk5e8|HaNYd
z;ji6T<GGS4Bl-tN)B4|VpsBmD`Zn3HU&^YkZJA(fe)>I{1|AY3kzL;ZFFI}s*f;+L
zk56n4tf5REG@(k=1Vrp21HUe4{`Tyw{$3aAV&#Nf_W_XY`2JU3ZO413aO9`lb()6K
z<@c&8ukI_Ps(1hKT}Y--Bi!uRJ$wO{L!78$(ZDj5Cdb@WF8DGHFpquUJpBC1f`S0A
z+7bIaT92$4n2^cEhpPQAFa|TF_?Lh*2tZ;LRLsifRFS%>_f*haA%=0&nZNCcRNnq2
zd00V(eG~iopZb{CcmE%8hQo&dk`{Hvq+hj6v3&F7YUAh)n>7&z2vSfg+ZkF&Pi*aY
z`&}N}oyt3wuD_8(m%wEWT`@*pvH%);uU@@s?VS<Nsz(jcuk<@^SKTqGcVZ+|E&6jb
zN^N%fZB1o2(eN+Z5|i4(h%t(_Cy>UswZY>SfTrfUNiY>8Z)C%$!cd{mGBgUiRP3V@
zmxYXC&Ii?u`?Ly2%!`;_C0v+V2ALE-QJt9uu5JD8)$;LGS0g<=3SXtsFi>q0(4~o}
z@dOC-f=Ef%8c&%l3%&zE;bNvuoT0$Ksq?7s56fAsv<gH3r$)5G{>@&+ur;&opE{n8
zy`}-6#)tHO_e9A9<{k+nr;<KX4~QiWRCDhFZgjB&!tN-mLe26HYsW&nrH+l2I6WtA
z-F&fBn8sa$VVCNkf4O?Z*eGA|oB#uAA+&hj#_y=){_-MtSkQXu29E`@V`~{Cb8fHo
z>AYu%os$dDG2l)V9kSk5J~>>eo3IW<<@I_0Ae3-|V<}W-^EyseDG{=|?()ktGy}Bf
zKdu+LSeLF%DmP00{>g53GP8gYSuVw$7Mg0>Ek)1N#bK=}aKrQX*kiWGIwN8MH^{tK
zGY1H6V0yC%TLT0+4S;aAbsYO1Ya##`%mG3NcJH45Hv8D*$ij0UsU1Vbvscyds#oUu
zQ7}N=M|}*-8MfmcoJv#Ej?>Be{7ZZK(DL9l*5w9J&DC$D*+!vOUTMc!3@j=ZQ2-#>
zZqF4O9uBjh!|qKWh}(dC*7!>i-=bv|NNa0#`of@jsAD%Nw?dV?GPU3rUXfzN8%5CZ
zuWH-VLrjJ7v11`Z0;DAa=`xG-R&js-WK=OKdT=5gfPU#+cUm~y0N5B)-+R@UTf0We
z?Mq$(;-HRoTjQK#8N(l(`}`GE)a(c|l*)d2IP*8Wd%gll;%_Qm<dY@{J*UoA*$QO)
z%r~0-gfuv`s23e?$?!g?8cU~ppIO131#cYLSP`WcMU8j){OonGyyD|yS`}1=rc8(r
z(~@nwM@5S)K!^cdQIJrVKvIQ)X+zl)b3=zdMcRsT2?fP%V8NB_#FjyTZNfbF{i?iq
z!<Hcg!n$(j@y-wcA!GFu$D(!BV?uYn7AIws{z>Vik#5E6TW5Jyu(@B?Xk?3=%R$PM
zs}}}FZY#eUh>2?ErEu>#&ue>S4Pzl;xJ&wcO_82%dg3iFK>035WqvR>nO`pSEGk->
z%MhAA_*JB*v0VtSx7J(F{vZS$Ajap+x`=nG>zCb39Vb%1>w4uKack@&tP9`?VM$el
zkEqQW0+XZtqmOR=IZmjqJ=!VV7<>M{BZRF3@CMl1dFEc2<R*1p6&nd$B_3bzT$O|7
zI?uXHtP7*w^Bd;z7mB$77KR+^f)BzV1!{86HDek-2U|WCmyM*}6|cAx?j%N8sRU!z
zP0Ml*qpl(6QOF1i=DfqQM(XsKthV}C!g|<PYZ(<+$u5qN7pi@G(imh(rV`C&F<2$p
zz1Yy3k@qGioM1vzXaz94aO^6~N6MZz@8U_={Tg{+q!J2VaxvSlPY>oE@>fWS1!(A)
zq?Cdj<!$lo)9)>HL)IPBt_6_C{z=n7HsKR-<>R*>@t|1QLW_8|hr5fbCn~RJEbzH;
zx;Eh67iu%c|LXbKJ}*cp!uYwfh3!V#4!i?Us}V&X&QC^-X}L650#$?{>Z3Ht(Hrv4
z{VVu9qv=98iHiFi)UcjBA(mO_?Ctw7zIJR=4`<b_F_Kvdv#PhQZVU5w#uzNip4|Os
zB!LtzS2V4zPe&%G`!&{BBbijC7TGKLwf6J3J_+WTZTGWE5-FXF5%KV1?>FFTi=Lhw
zRaLN-jB)btaJ|-6zJ*}pF9VMO6V>tcH0^Nt`{^G^Eu%MIs5`P5b`DRIZgkkJg^m^3
zSHG>D%mh^M;okw)LRP3F3%KI4M4R}YL~D3c?d$3%b??pLZhjnkWBWtyyt#qGfAYma
zhk1+6RH@n6`)_?C?K6=om#HLBUh+X1{;R>tR{xguB*7*F=!GEB?QWRrJ=die?sO0`
z;oqenE>Gwjctp>i<Qk%AwG@e-EO^Er+G!zxasJSOj8Eu$ZkQ_UGV9*M5c8SFgg+9T
z??PP6-2&*|q>7=S*}3+@eI`3fG=DT)I(CVjg;FYEsr}H6P<NU^F8YLRaTB(Kj`DCA
zj&xYemM$Rs=Ni*NeNvu)kH$qjjx0L+;ub-g(yw#nzvY0RUn#WX1)O<f7N|Ud65Dp2
z+1u7f56Iemyt4mu(=#(Iw(Q{LPA-3DV{EdIB<g=Q{;ZvZ82=}*apf`E+$I9{!0HP2
zzRWB7vgn&BkHW%%kplRitm(Wbrp9JlWJ~x!JBPZZT8G;C(>GtuF&rEO*p>!SB5VO&
z=qDdPO-#be_AP0z1VeW^%<Y}e@X^Cx6JyeGh=)e1adFV0KbECWmgClO>mq?@>){t{
z+szZX|0ri;nbd#1{%U10<IlTlnQ&nJ|Mx3g9rKsg>(!rsYuhD0Ep({l;NYmh+I0c1
z^{d*`e~Zb>h-s&-ANM(leZ6H<dm(lHY?r7y<^^_$9CNe(ipP`x@di~;5kUI%U^%zi
zYS!Zv)k^gffiP&6j%w~nViI+zsIL&L!X<);h)AHR@9$sy+q+ST<3CM1Zm>c}-$U{K
z<i~|%c=7!u^ZaNRKu7z{@_GdC|7yeC&4XeNSHkdWxN}SzY}`I%Ra?Zw;U>T>x?Wme
zrixVx9FDhp{vZ@r+aNw%8ieF^y=(F0PQ<Fy#w0BY<xk`_E3p>leNt2V)lJ4RTRNSW
zWlv=p{kalq7+VJQ->P)nc)$%`w$_-lFNDN%URIC*PH6g#%(XdUPY(6_L&fg_LnnEq
z@`6=R#5PK;?~mBaa#X(QNq`N-KsS1NtrWX}SU0bTm=9BNh+B8gY>v5{$xGU4QoW1X
zjjCHax=H;^OJDOV%{1wD`8n9-W#Zu!YaMIFZf?J`EWJH4i@|jZew&cfcHCLQJ(pCy
z4uzSpv|a5BsL!P4(fc*?+_Isk$ImZoI+0f)UqLr#4=|*xtAuEl$My!b{ZKp2lKi?s
zmv#bQ8qb@Ckxo`<*jvp_52c(A89|q<2yw2`IZ<37oJ{LfP*RBDlY6zLtByo+JkF7C
z`N>P$F$#!8^s6}<yfaDtS4Mls>vE#V^Zh1cIJ(Ma{D_)l2wvEG_`TZt`l?c8gH6RJ
zwwfRlofzlJjz6GcIj35@!aoz7X!GV@;<_tZiE0H3WqFlCBVdncD%)RbJ%RkpMmk#5
z$jULz#CKYGgId>D$j%wd{cDDz^RRtTX-ilAL{|xm5AyFVh9-|c(h73-zHs@Oi_Ia9
z)VhFD!-ed6c-KhhOn;+st68o|&IKp*{-^is(!mv)vwF-@X8Esaf8H`SSCa`8rmd~+
zBXXu8<49^!3;tvuQ+gCkGTVjCybm@0OJ2iDuSkzwkpBp@_7&}Q5GMb*rg)0*KRuzg
zvg-593!xeP<b#*IrUqIPd^A?b#(Z@4i=!_;NG7=eS12fJ4tIt-%4WHvqx%PIVWp(~
z&sc5mt62-e#`I~O2d&-zuJrs%h9=$*<#Gk<D`3_c2Q$cFg{*m(I5ZEDigA&OYPbNK
zv(&?{Rx^$|)AooDGet{Es;XNbHnZv^Mpzr{s*l*Lr_+*;G!w^OOK(I*pMbH(cU7W%
zUM8(h^va$+fr$%f?MP$FYnn2T9zO;ybI2eb+fv7-E1Fb`&6yg(tWL>!J?b)b$uO4$
z84=%4O^L4xH6|*7`<~n{?o?$rD4~iY-M>E7mw^t{{TV3i{Vw{fx+Gz$&pJI#Oz3jh
zy7Hlk(7{(X;qv2(kuf4Aft|tkI}BSU51q@C<-!ui#2<R3bUADQ`+%Iui%4s%Bj{<>
zf5gVf_}yz7X-u@<o|GC5U(cY1aFENRG@k&zmt!oH6xciSPkuBctG@0hyQBv%`0;vU
zxfEnmZ(H`c|1*)_)x(nU4w!{zlpOpS!~IaHtvbIe$N@+-NUyDb3P>0}wfd_rTlnI?
zt)MR>uAa7Qp4iE7_4+^MR);sP3fdG}vDEcc*rWdf9R6EQ^dC{N0Z5^hmoE`ftc7I<
zR}>)P41A&xn-acc0-PRYSjc{P06qjISJGdYzoox2XsTz?R{u=|TN;afo{SuPPtwXl
zKD%!6Vm%%!A{AZ#xAt{4R)+0gP{KvGtF3qDm)G(}&%w98qv@Fs*klJt5S^}`avl)3
zYR`kmh0eNtz4@6xnD3g@-z)>CKTtIXz0Cec^qTH3z4t4hq0G0`1$E+On%b6`e{SUu
z0L3b=yu5MYQQQU|pl!~N#J{p6T{>SORN!hVJ^3$FNst%h3UvN(r~=AC)Q4w5+wvPG
zbG+DH=!vToE-r3jxl6Pqw%g1Hj%5`8*GQ;>(3fw^A#F3H!d<s!%k@L9O8BOVD!rCo
zH4KzyoBJOD?7zk)!fHIPrw+h2(xXJ*Hh%5~wt8R@iNub}!{A>;eXD+bvsx2~tG6Y~
z{%Qw|&%RHcy*`xxB?db@Y0g*gQvaom9@sOccCM6Qd4>5vvj3J1ewkHOHGt)rwS`bn
z*IaFB*F^Ok9R;yd+xks1u$5uQ;M$PjziPDq6CJ}I@c#&;{r5wM{+A+fG@{c!*KdCR
z_HFUp6|l5*v$kzGihYwJo_l)g_E$T^`c>zJwRHT{{u@AsJ^UW8G+;Pf#M-#j8My_x
zvyTDN$7@&IvozZ@Y<L4|2Hc4=uzWCXyo8R3QlsrFEx@5T?5aG}U%+hN7tbpS=oITJ
z^ddCezksf$!zmFKMVt<>S*7cg?w0b$t1TQCaXb7)`rz4o74}*j;!-cq)@%wLZR$4I
zs)Mc^mZmc^+WNwH8Z{<#>=iRbON)x$Y>gL=HhN+XoxRb{fJg2D6xDQbRP1)TkyGh<
zU}7tVvcop%+j?WP8vtYI{*;4*)Jteyem=_@uQ1#tqa%WDt143+;`&=GGTCTtAUW^X
zuaEAn2$%XImx=oxMXQq!!N7$(Ym=-FB<H86Gh+>b;g(N$cqZ~x^Jm~@?kL2@_m{p}
zb=B&+jxp8SO&xxIH*^7WL$~e92?6twhs6MaZJeHRx1qvaQ(K$1wiByNpCfVfxZ&b-
z3!4C2SmaIYl%rRF2Gf7irpu_Q(ZCv|3;?#h6U?BqJ-|G+x@o(RN3T&wIp@vMcz-On
zHgu~2pzt-IhbNCN0M<@<mCfuX-DO<U87uO5W=02VxIJVP3ChMYe7I3RP<04Mdzm}M
zu4^Cod=zXxSz-V`72AboT%HzRe*Q7nB-dg;E%?Lx;v^C5?UivbZCU07C~SUgBZ1cu
zLXu|lBR!T`;1f|iC>>M+ma0(=e}~|Y?K17PnrocJh(eJ)oDIb+2Y_GYIv6l7hB{*0
z1TU(1czBc;F7^O9V(@u4#tN@Vz1{tb?r5{`%?ydi{fMyhFTm1!XhMY$x;r9N&GVO1
z>pd!Q4SjU-u16;^9hW@+ZX>2B#buGO_#7xcB3o|}*PoU2`^myg!wR*Nw)tD^wbt#1
zWvE@Z6-%$RgX0+9Xh<#x%SgCi=zlcy4cceGv@u+i{AL`TELho}6dVK)z6m|=1`bZn
zBY?j1{z?I#wlLSeLXH_-^_XgWa-V8-8e>+xGIx1C*FY|C4AJ`P3iQbeyEnE4lewcu
zBC4PEdwYwDb{%S(IRc{UF1^)_N8J7Kylun}JgIC>G3P^re!sEaJdh+@my5M3RuoMT
zDIJYSD)+wMYhqIFhZRfbOGL!P4W3jVc4q5^M{K0BliTQxxWvmp4*PYxT%c?()d1tR
z5OIlnAEqs<-RF1txo6Sy4eRTSqYqD~%6^lPZ1aDBIThd@TukKA*}_Uw!Nki+G>r>|
z)$q@va^g;nfDw>;7;XkIiDowdW$^GbOxJk*=fIeK4pkWK2dwP2WaNi2Pb#7I=_c<c
zbdKt#rkTEhamh&cI3V>+gL{WcLQB%1vpTk)-o~#bATa&t=m;WdQNWkaeVc^Y8ifRe
z-{ICWTLn+~huvXnC`cpV)NGT#b^<V+mI9rHroO4tRkd^Q6y}XeSH)^fnsq+WuIj54
z=$DovesFG~kjjvFfiMLhTnIRQq1(a_MLhu6r6U#Qqcjb8^^m5|d|lIpJ;MV==w{Oi
zi?sv)kq<^qIwk0iORdVDd4QBD>zQIb+gN?9cTif;I!bSp8k*fmDjQCd1$f=NUR`+F
zZb@1Zw}NS@_ZBw<sxc^j@C6`!LcK2?V<#m?$NwD#2f!(5bGw?>*|<8b`NoU<_OhWC
z=|K&(@KtApDsW+M6*tveocfqfBh^%ZBskIVySTAzPM==Psjr^RsO4ASo$&@3`j4`b
z>s@U<%=CoTU6i0OORefd31k-wR<)jrTWeX1cI%5~KV@z8wy|%?Y<U$<pY94E%N|Zt
zRRBA}YPj3(=hGEhpyj}T7tSOojD&8fcKMqE)Chn`?74g@ygy2yXY7lzd>!vr=k-n6
zYv`N)%n1Bug5H@u1r{@essY~AQbFr*3X6uF`B*v|N@Uw5|2?VN!%pOG;4Fifv%2U(
zAHU<#n7X@Oy;?Vo_FZ$mYG6r^8mz>PrpktG?KhchE5R6csUJ&#e^oRK)7RrWk!mAO
z5Uzmg&z!!Lu6FEz{-sGZM0~uwJE)-S_jqBU*o}UmwnTCjrtbO65wm<@D8YG7L`-4S
zS!4O8B&jxZB3$^<WWTsZjM;2tcpx3sFRe+6TeSt7y{&Szrh~0NV^i2E^iD_Opf;;&
zn&{NalT<|~ekHaR^hoPMCxf^6&z)nC4Ddx@Dw7h+N<t?ErGUT)s<V^pX$;a%5A)$)
z)K$$}@&mob@51~pP-?n(yMc3e8}o7M6TH#&bKz%;t*x3EXnz8KCv7(KF)<0|LVuyy
zQ&D@}Y|j5|b9Z%;ho@jfOz3IlE*a{6wf*s0sXee99a|v>z0OZvw}gZ|Oz*O3n3*@l
zlU<Ae+Lrw&M-^Xb=PRu4Uduf1J&jYQKwMCZ-8$mfWwySM8&av~&XI-isM64giix>P
zC~Tzpw#@CwV%OEsKf+~EHMOIRLnS&TW#{}pXOw+~8Z&x4k3$<1nWjI#9O<|ohW424
z?>MX=A8KuU0R;sAA@e)<-_$_&BNcBgt4nJA&cO8ssM(SkpC#QPmb4<DGA+%?#pS-L
z(rDotml%$YTQB|uY}18yG+qj+WrtUrV*p!(2WXLP!KnuMOj=K+#mEHn@(aw^m=wyh
z<wj?BG`oB1_PlA?W2$EDrxs(ssUW8ajQ^~66V1#HE0*K8E_O!Lo=s&Bv##EV5Zl?i
zu)f4n8EJE%EF?4nUBsN*bKWhCqZ4Dk*$p;LH^!Rq|7wS&q2im=gHkbSFq*?qu)g^Z
z52|de_iqpq-z`WiD~$1RdPB^CsLlyhv1M)Tn6(PUeYn~c#R5+)y)7bVS?OSVE;-sH
z<PHWbu-0&&TN}(yY|mVrAV5_%&2)~bu-3dg)=u`AVEw1}tlpGhY68PiqGzQX)?XBe
z8xj0g<+j@Bl-Rsy=WA83^e)AzIJ9K49C;%_!Mf$={w_cxCoqvf9Yx&F+}*^-xj`tA
zem`7d=vRR#n?q34W#q}c>GUKIBZB&d8tZW4U@>T*F?Dk3izmq>53gS|`4o@7-z*?!
zEV;WH?4-!u;q?=2xA@{5;KL;eGp%C1nu{AUCV7^&=RN_;ed=~Oy}3}knkf=c87p*t
zkv8?8m<(p$IdQ|MasE$kL?K=U1IqfAD6y+yTgRaH#Q}sha}M-JnhL|6u4+5I#PzU@
zL&}IL375brVik2hJ9nN;&3BC8vCqHtK+LJYk}wivHv7_l!g$cSCCO2W3{rl6-=m-(
zIy(bq^q`UrX8^;k1vSb(yj*6W7V<{|?j^hZ7W9$fv*zVy&K0XWsiCtBm_&bcr}t}w
z`~45-@upy*CwZVJ_g>-edYbOFDdbBCP|avorZd1b&F<a0v3;b4wx&%TW^nGR)5Nld
z%h6==lpbFi<i^jZQdK&oUt+>*z{*~T1Kg?OA3~5ELV9ZVh{?6%4JGe9z(R%Z)0;~d
zV(IPaB=?JX`$TT-suw0=kqzpox^0oL&!3smtpjoLj-RyKF;>656k!;ng-q4=Fwdu`
z8YPcKN=O<)T?1x1T*U99vu8j3r>^wcXr9Hkdmtz-aKee<%#zPZw~7aaQAnR-0l=4C
zLy&L*^C-uo?YTQ-05cgjTHlVBAl1LE@E7+@RJ0G#TTs?}!8=MN7fF9qH+YqLLAX`v
zw0zKoww?-u;7h2G)#SV)@}z$5d;o*XeH+`{YDU@G7hyyh>aqTu;j_v!ww^p{>)1^+
z+<mYT8@{f07f^@I<@a>(RWH~`95X)7sI|Frvvc4lW+{Xf2S$gM0g>_*z9NYvASE+y
zdr9%3>WX#-@;R3s&*M`1@oYgW(L}d*dvYND_Z5xJjqjhRIk~egB{MVAC9MC44OdNt
zX0P?em%lO@#{1a7dpZC}l7QFH*#9-XFuFRNmwy=c!PvM~(Bb>$ro|OO!{HV-R7m=p
zQBX(oZ<+sLU}j;TIIyeCVlD0v@CI1nO9qdx-@Rk7KY8t&yoCkFRhk2FUAbHRx0d6&
z$J!5j(yO<zLH_tRvA({+!HLQVNPg<YVa{}^QLyDUjrW1DcLvaFtpf)5^+!NR`@0ea
zafZ9*uqh@k7d8Qb#%bi`aby<=e0g?ol*Qxua${oyj>4t@*q~9{_VZ=D?@fFQK&v{h
zpuoX>dJv2*AC$<~yFkVj-PJW%Y!5xHZ^DQj?as}?;EkU3JN3H~wzHEH{p{eAm$v5s
z6IOA(p}P105WLQ>s;X*hf}c)L*r~7QqYt<AF6(3?>9-3zy>{F=FD*yCs>06Qe>Nmy
zFbxfJOa5~?i=GUdeG_Al!jm7r;m_R>fcV6cM8{4yAgJI9LQNWNpJFCcSorzNhe6hZ
zj>2eAme^(EZqJ&{w*6Go)X2z))>*ZN5;aDX;6hsf-Xw@wL@#`B=(ulsbxX6evpWhM
z3%82u-(XV&z>p?8OCiq9dhQ(H<9i%`1ZGknCRomL@&th&!EiQ@4>!8RhLhOL<YGnd
zf|a9W`xf1~4l(tUKYwzS8;+vcm1JilqgdoNljhE{gGgvstzlfFfTd1#wGD#7iI|FO
z2*?(p+t?|(Q*6FDbAhoN*EDs-coa8Xxc%8GTe5-f%YqJvp1U0m%QaLnie1L@8cjR!
zASAr7_FdlR6W)TZHuWg13JDl9HK=15@9A`=+2=ojm@CdnamyPv@;jTbjU<FCjV9~{
zH>_gCDYU)UlARMhw)ZR0GuEEEE$(!8FpZOTY$z|9%V}Y&$sq)0<c?UiqvB_@$ibj>
z@na`%#G1HEKes1c^&v#q*=AI8S5Dn*XFAbn!g`_>*v@NGw<ZTasy7r(Vm89i4Ot+B
zz1wnE)Gwd`mCB>|H3GdiV4{cL(iA54dA1j8@imNDYKr6bjI<5)q{8Z>xVLCS2Q5q+
ziXy&tt#P4Ft=(7q65vKlo@CZLkcT}3*1Jl|-o=$GbxD|%5y1I<RlvC)1-e)a<Jmdf
zH7N8<MuA$qT4rLrO>tO}671=@#VxTAJvk6qlnhH9{nq2Umb|7arNL-`U>K~j0WYJC
zQIQK_PwM0^&jv3M=Na4cE&g!Z)NO|14zK24`S}N^DPF3JY4GwFI-}0U!x07e1wOrt
zBydAf1Lgn``24LtQ&uG=43`+C)573@@GO721jxZSa}OgJzPqD$tVhWPP?4YNgIvIA
zGv1fy@U^xSvDgML7&@ld<9EGHy-B@NXjvyU6_p$KuyeBy-F9IhVbpP}cowByVp}}d
zNToFbx36AvoFcn5zQcohfC4J>9kg&SqqS0Wduy<Z?3a5Bo`o>S%0S&V>c+i5*;Iaa
zU8;!fxu&^FfszRu^t^D>iQ;nIHvLq?tM-23IfQ4`(k!KW1J$ibvhAulX<p*hb9?7i
z%<vQfzh%Bs^Q(yEI9GMGE9zpBr%&QyKe9d+4>f%*SuX~OD@Avw!1P2puWfLYrm|=+
zdL}<)!9Wa~toEANh9pqVHRp@Qr-vIwSxZys4Hxg6YB~Ek<+>zKJqErH@~z%E*9fkd
zP02=`5w4f<RSXu~Ayc*XITJQg!KL2hTDWPd_>+cU75phOn~O$3d#B-@s)4<hy^Xe&
zSeMs43VkxBCWT7mnhXKi+9QGmFb4fMI4-LPu(~_yl@1$Oac&b<V1#y3sS!dWKcJ#>
znvB({AW-nq8+C!BQ=A9A>~NNr{r2_x?Qi6*_g2aG7#|MbU<N<V3K@Bo>vPC6F0JjW
zR`RG&UK<COGjl?FU1<pu?DM`-<3*;%XZaW=LFss=pah)Tj4U5WZ6&tE(b1R!#74q^
z$Y3|xUKit*0xDd90FlYK^PHuv{xzvi1|{G05+iwV@~5y~eK%#Qc7sI+8o0@1N5Bte
z@~Az@;|p|?-c;G$R{gyJFWQo5laZY^29TRW2!8}^(l-;lGXQlVhJ8_s#eaJ5c}1CT
z3SDRA+ZQYb!imN4xym_Cp~NNN1!LbwDUJ>Ah1ArzjDK?vuv}uJeZM_w|C*3>x7`MG
zkmHC#-OHx6(bNkEiy0TkcvF0#1s(U~8&z^21!$lCS}`Cw3E1I^G%>UrRnwY2mf<?k
zXOCDozK2W{YR(Za2_*~(2rDr^N$<}(Kirnpp+1xF*0q;_iv>hE%~DI%aJAbmbfSHZ
z=_zu!Bad~6VVjMSoN$vZ^ZoairMWSxzy&w<5ilg}&xdSNLtG4wjp^KP^IVEVZ2z#u
z^fcQ&u(j(%cRbUxn{=8r3ANR<7GIt!cvm(OuIuWuFnWD*aIJr$^q8jXbho!}BAofz
z_&^v&zCv?G*xbFW=Of^em}^Y8<}3b9T|unL38F(~+@&D=q4KdTM0d~JD0J&*wP4s3
ztcsuW`k*OncW|vvyF_0qdnoa4)dIS6W3_2zqi(AR){#F0<0_H^1Ocgpjpa2@E54GZ
z7EhXR#Yzk;osGT`D|GvktleQEbL=rTJxIOn-~O5@fZQ5?kwO`KZ;0O~i_&c9B@&`i
zIzgJuxx3MBt64mdUNWWR)>n?ZOSfn!HdKp*^B`>T90pv^dzK=>^yA#gAv7V(TyV~B
z4ntBOz-!C`r@mY#KPf{sssX#NwIDkGp*=txO8qzW77istvYF^;0VTe{aA_rJm7|tt
zuxQnN!!Ky@-kaAS4;p>`gogMQH=bG?3%+}ht&~bX@_c4;9Z=x91?y%QtsF5kcK!GR
zt<z3A>2H64W0Vn9Lfan~Y=3_*amd6!1+a1CdJs9Jq+8-kw(%i(8?p9m-1?)Dd6w5(
zwLjFGB<7E9XwMUVNOz(M`QZiLjwJjhc}^$c;S!Q06j(Eg7g#BoQkO5DNFrSvSx^6n
zditA&K*!GHT$|(TM#Obu$Hb+Po{V3L215#BvYzdhNggE-Dy!G01WD@8T!w>d2zz(H
zT*f(1-#2QasjYrHT9dIhyYo`(GW_ASie;tJudlS6P+MYq4ISauYd0nf5)~C~byS$G
zK&DyAbM9uhWjD8F^SSIA4y+`mfu5R0bL(-H%00f^|AMO8*PvyHbByYzVIqZDNkc|=
zp7Sm<h<&7A>!gQCf+{Q-i-KL>j>~vHTs&CWS~&el`bT+uM!j23>xazum(FTQh9Aao
zEwv9$V`c^m6b(un@h610`ZRt%u<{nKOmO<)G!@6xzO9OANS#Q@8si5?Kdicc61GLL
z?N@1PmnuZIm>r&0G+Fx{A60pQk5-KMS@adp>Q!RTG*=j(qtqeELlaq#1!6q{9=xiR
z^3-!HW2M^{<>9pF*YO{`otk!i0}X$(ip9r*S#3WW7)-a4B-oz`X=9gUXA$-Y%4Z#^
z&oySuJhYw#+cyD_klMg)=@3-Qw2G*gLwt+qr6hagn_sR*L*__`nD|Myk*T3J_np9g
zQMy<DZywM+!ed34K5f|_k5cgWgo2B$a{AkRqS$8%K<&@vhUWZ3QX?`QkzCez$%Z)0
z$TquMYWJQ>y_=N8pCDF|lvsZ~!jwg6?aw2cAFIBlubmS!P!U6R^Q|qvC`{A;mlmTq
zo*<mk&;9AiA$e+6;B|2FHXog<nT+d~2O?!<)yj`#2~5%=wxKm@SF0J%ycROOn#8cy
ztES`L@muO&4Bul&Y$ky<v1ZCq+LJLw+oqPaz@Bu%HP+`HafP5z*9|Wt9*s>NxVevy
z9L*?R-(+%CvmOimW}2<h7qvJ!C8^reEfAjAaQ38N@U~g>BALraGDbaFEmy`J=>(zQ
zMedZXi<Z6ZPE=NwjyFrdCpR`p4Ore!f_yO2YF-D74ZyS5tOmLD^I|_O^5An3Spaow
zb_$Tmhv<KW11o%0*|?ydPeb9r?V=|3n|4O*i~VKhG?~6gEJD{Ny2hM14Vnm<FnXjk
zvf10+#j&MU^|(`p9@*~MN#`6Oz`XZX&-d_Czaf5+`3v0$DJZg>NS<Zw*r{9Zrk(4`
zyX?pS?lN)0(Vn_r9*I&@jk+`0E@hk2@8-xJ4IVeXC2sEpMb+H0<nN-kyD`DBQI1i7
zxXXfW=C|<%ELh84EV?bj_@^H{idI_eWcve}*8y)`^Uw{2ZOEEsrt(aONwAtstMeS(
z6Lm0K(NnLHVnl`0i3x@Hcx;5}HM*H&3d<$$0gV*z$mwf`E-_7)V(n-E-hC>5a*T{?
zdNA&4JDMnHnYVE=9O?BviS)$));n@+Ps7Z|P~vnrGRPhfx4P(|VhS(=uOH7}mkf?3
zO>?|pLZw@<$r!MRPBK#4`3~qf`*4%v-kWDc4n02d_qxP+;M-Lq#jZ5BA;7}5IMwRu
z7r}nQO$1A$91sb2F>+n+qKu>_O*B`=>k@J?bp=5GR&}i<-x^;ub@DD>MV`1?fd&Q2
zi1Hv-KdmK=6Qu@Joq$!2`f13Ar#AG#{XW;p&sh%6j9d6~?>}WU)NfZ2Y-RQKpb+eZ
zSCHul^Ab?%un6f#wDbm_cEu@s(vEH-*ZYTJ-wIprSydewa%;>z<I(#uS|IcrcxVuM
zCPQDoz7V&o*CcjDQ`>SPyC>2V<saF5GCq1M*F_0Q@fe<H2e&?dT5X@iYaRWGaYkI8
zUr(8>7}#Cbcv}XL9XI{&A!FB~;$%5tchUx>6Aj6k5<I2PLTnxw9l?s+cb<ExNzojJ
z7tsCmdT+w!B6xF?%28DD&Y{5jIc=$#?C-3_yTP936NS19T95N!<{y<_Q+kzKb=iei
zn9eBt8g+W&nCvb~Wv3@bW*N4f$nT!SNOV|T&=g|55xLx-O~IV46q=BF+|K@uCE{6n
zSrs?KaWj5Z?RA=(m{CUXUh~Z{=i>d|(Hr`Sbm6#*j5k<><7B0t9qnayr3@KI#gIa|
zPa>~<UN;|N<kGFHD2sjA`M~})pDS{C=;QHH0C{?H+H(eHk9!(Zl(Q~h?~r-WGVxeZ
zvh-Q@LHo4A9iQ$`^0|LhTG|l5Nl%4>QGRSzb66LNi{QgFgh)58L%~25tJZ*)?JZN@
z2gl>B-^BQpA^0-KEn>teY`1QY;>FKf$I5Z``aeB6g5MTOd(3ZU^$;O@VB8LQ(tm@Z
zS=`$?x3f)z1Yuw>vhy@cyccf1;```@t`VbY)xnU{)5(LX43D}Dajokc&jS{Jda~%>
zoW9fUYzYW@^&9m(issRyFSJlbmLT)u(lNwU(#@^Py$BoW>wi9Z?xo?o8>;J{@=u<u
zF2D%>SX=rd86#s&wQKOU0T;JwhvCLd!bDekSIvqtMX8UAZh|G1gzbOqUKGwc!MF)@
zGLuAY9VgMwJ|8XaF4G2X1&VHi2uDjW3JGO9r1EmWjb$p{#jj{llk4Is{+Y|_QR1HN
zszM|2q#oae#(c2G``BJ{War)dE{}|cyQ$%0nlEU^yXp52AM;XDZ)QY@a&Yn1&@TNx
zKK~wh?V2#5&9sLKbND$5#&d>+%B3E>2>FuZGSOo{2%=tWPx{7QXx!TS3g5M@+>iZ%
zW(fmqsOD*m6amvIvkURlkg5TFuCggcUs5K_`eDq`)5k=#>(D8mX(eqFFr7|Px(P&!
zH=z3tc!$`S$qKJDglYBV^T`>bdwpeJpNLm<2@}(~9?X=muVhkl>D@~I+$uCF`=I~M
zFD{$x&TrXj((qrzKnm;}BFt8$NiQR0nJMn02j#SGe&d;$;u;yuMMGFW?BV-+!fH6_
zFlwM|*TfR1UZ@<;!_HNolaf#I`(gaoZbt?(No`&FLO&-TiQL~L-$9V)^vH-wiwz}z
zD4&mzZ-i6)(|)!91==XpoL`is{dF0Nq2{tP-%Y2_e>V#OH4f4Nx`WmJ{Aqva#3#?U
zIflcnIFGHAYR9({UTRV{R*Ja34bB}LhurlQzSo&!U_jw~-=b2Jn_TE)gP(4amnbhv
zx53TvnG+Calir|OY4H*_6@eEOn!vp+H(1^UnWqHctzj_4`pPeO2Npad?C6T(v_`@e
zJ(J$QNN7wAu4q3#G&ZmfIHI&pt|{m*alc0TwhElD__Oh2!Af-SZTP{rPy6Ud=CkwP
zPk+XsCf%PT6`r;E6u6sE$q2E$2^gtq(oxVQ-&Smjh=@RQT*8QG(gY?494u)7k;_eW
z16t~1i2HVo$C}vOOCjs&J5|5;;0gg!DeDQQ*)1}!jEG(MKHkiEr!OiD4>w=ySUb*X
zp%)uS>C=oS4^E0BEqT0J+L@KysrV59bh`nFqLuPN%3C6)7Y$rm6~B<h?mtJR<$j0V
zaL{ledeixB;9DsExa&f9IofJbL)5_~c8KZ2Tgmz!M&E&Vh~JUU9e34rC`2P%4MxrD
z*3-lClI^q8rv*%25H+Rx;w$C4?y|d<k(Sc6>1U~tkq2DgdVMP3KPY_c@cf6<4rSv~
z0(I3Cj<$)Tnn>zE7I?6vV)*gkZFdiLkqB^DMHx<S5?LIwW;M|=?`HQT<g5BP9>hV-
zrjUy)wffn%i~x-j%Sn3CC_^^~Sb=szR!f)J`fzImnWV;M2Op8=v@C%R%N;CqxPIQ!
zwBkp8Vcht+Ed_ny5juJcxSw2+YPUO+W1R3t&83Tim-b$lTXNb2dx}uU;JYOGPLar$
z&nh%`CabD@B;C%5mJ(O~$$jz6hBLZAh}F{D!<+Y)tySc~4@XZ%pWm)!r{)VCC^j7v
zw<w;TNcTsm=UfXHeGNXBncRgD806>e>y3RQRw<_CP|-KDB^A;T&F7G$+Y|hIPMkgJ
z52~7+H72RlwGvL9Sc{erVVIY)S}Dzl)$QbQIpk!iNt?L)eTi8p@{4(wTJV7tUjHlM
z<FbeYirrvnqu!653L*BQ&PFI`a;S)|{=(yUzmm}I>_TE59c6+H2r)nDv*bBw#kHkG
z{d9h6*#i5cS3O_MP){{_dgJW}eg$_ZsQAg=(?{I8RI<ZIOm5VkZ~AahOz`~|SP{zw
z5X;=@cr{<(YsqUzH?r`H-#q#L>`k_V_xYBdt$d#V7ik2`>yWm71$=4^kH&>jX_oV-
zNRNl&y4=xEm;$=ebFPvq7`6G$Gp?Rn-(=A56s9T@1%_V<$ksz_8*(8XjLdFKm2@xj
zsjYh5?md11I_xe^Sh_eX2I}hzFK<Y%RyUn*>o8He@U@FQG9CD#nY<J3(j{Z6Tz?`-
z#xS;!{$fnd%<4m)hyi6VyKSNiM09UnDt`HKuIJGMis+?D+xgNSJD2<OQ;!44r3si`
z*arFXFg)F`PWLzCAy++&idyyKJ{Nlp3xv;P&tIP$kY-DJ-u~2+eo)C>HHbWXg#GvH
zdCremz1Fsg_INE_oRrARL#4|*IEpxujf@w;-p9cUxdgkT4{zZ-m%R0%2WK~}qB!(m
zZlKLG#eCbxtcy~z>Y&oW+u-00?P5vIUTmLR9BaDyJJG$aWjd<Y!t8wl)E38p{Nn?p
zCJMv^oZ{7a29V3_aZ}C{Z@4s-EjJj-hPbUqkM;$UOIOe<@>BnP)bQ+~<{&m{{pV9J
z=A;d?|NRfxvbn#;|8?De9b-oP(1hr}96x;{G~u7m0!M^YN&dHwuTKmQ??YC+wM##(
z<n@4okAhn294$F7|M|_39jTQ6^H==e&cO4UJi)N#eIRb-v-s2XVZK=^hC4mRYO+K^
zv(ZDQ%%nfDC)VTeI^#d5JsU30Z~0;KPj2_o#H9ifz@zJ9xK~a#)r;jNE>D`^tKLeI
zGnq`psI{!fGb4NiQyoK($#}umx0lgus#S-IvJv0EP9^JGT0Qya8V=PSntX<|-8cO)
zER(i`PP8n_CF(>7U#FsoF;aZJqA}itZrHUc|HDB;Ij1N*Ths5_Zf(#Zoj%vO7-*=V
zUAWN&^o$(mET0|l$U{7j#(?uJ8AVLZ6=g?WS}Bw#t%M(*Ztq|0=npXxCd`Ka`@`wN
z<+Gs)Z9ydYXT2ss4pDGMxqTy@ei6=axz8R=YYTl0jDRb0tQc~CoZ><}#3dx$-0uO*
zdl&uYbu5>r*3<~$jkR={FliUAeD&ft7iWWm`H1ahc5rQZ-KBya5W)$*j1XCk|LE}}
zV&?|MF<``Q_-VHRT%5g&4?bRqb)cg|73(!IP4=Op#=)l<qtb4gO~;Eo4;A8`6s{Ii
zQK<g=Fs3IUp4u(87pq)U-v#ii;<Nm4Fs2-=fJgcu9^1hZ!>xO=7aXY&A#u9Cj0Go+
z71W((9VeCnxoht-^U;oF9zY&C8US6mL!<#{??u_Cm7b5c{3cBSZS7^U%RRDhfEFl=
z>s||f8w#6xEa*BEU@m>AXHM3<pZu`zdCV|dW^0Xv&0Pou2zs3ba4&%A+pE3LI=$sd
zMc30l(r;ml6wyHUMzB$Nt0c7k3|agznBL6{N$tJA#-!+DhMBwcv^|d0K(Fvz>I#B?
z)SHiHTbvrAfTG2+&rKAW!P%JJxoSvx#**jQUNh{v?_MA^L>?IDvVMsXe*4ug%acZt
zB!&la5=ifFOwWTJ@-!U2=kq*0Tn4aVvJ=L0U^^wTdrR6bC!!f2l(p@BiJpKVZVn`i
z9(^sD>*-@e)bE@Qa+`}}E1ZyD&eUGgUfeV;18QD@pXSVSlE0C8%=>poD@ojsICv{d
z;2$ZDG<)<M@mi$e@?0*U&TOTf$9S!m#3R9tw(NX4+8dlX(K=&U49Yh)IEpB{^ano^
zJgN4^cp)<w&L0I3#xjiTSl?Q<jsyYrP{yVg5?`UHX-g)u+0azvS*}uYj0ZA0_4UQz
zrHI5y^4y8O{2&0$>dpq60Zmi(ZKB2=10t#LGH=Z|qeqdr#8eO2lMmgsH|Io{3Roi6
zC(E|0yJM@K*3SDKL{loA&6apBwi9-rokZedQr$Ll4U*<kg23ZBb^wsagfM7xy0w4P
z94Ky_3K<w|*$<wVF9%Rc+-|)uUNfr9w{_+`r#s3zE3pHJ%Nr#fekAQoEF|bGZu<=A
zw_PHC(%t!Ig{q6*9^gL+qO~C~WNnqZb@LRsgRFBW1I`@UBL+09UYKoa=<eRdbD#1(
z@|b4vY4X6mFTMWf1m9O*9?$N2@q}m*yaQz7RXzbvS>O^-jH2_B`*M%Mi%ews>mH_^
zQfWEpdZuf8$bx}hVh(fXCsK^}>1h48n`Gi?Wx}+`@N4ZNE+{5Orh@BE_W-D@<T_@b
z=xh{x{+c`*8qNjca=BQz-X#K5mlU3voS!;M`D|E!VQ8`>*Y1CAH<aevJ!R@`kz_vk
zonrCCDAM|FK?w|KgOi4@4W=>-+|-t<SoVkodim6?kAYq=s}m6D0WD=5uA^_6<TZGS
z!Si1%#*70%Ho*6%9*##3coXc?b<dskvv$wa+WSAkCkO-pcoL^oZ;A&%$qw@n*reue
z8R$BWP54>+20ySes@=#IF@OO=?MWUOSb3Y!K+6Du4=+K23l8iAC@*=lGMuk>FVy(}
zGWMK0mc}C?@-_=Iu4_tdRRsqW!aVf|PNr}j&deysDoh2BPR-NFzE&2pOcHIzdE$ST
z=Iv%Db`zVK8s3u*;l`-GA0qrN1~eh01d`<@=k{f;2dh2f4&%jo3^?EbF7YvPY4U1v
znmr=u<;5joXDLHVn5SmEOTeTl#1?31xlG{FuHqtiM{qABKA>L|0x|0NLbwGq-r1MA
z?5BTx1Gy)e$gRukBK?VL?OIcag$(pyK&%_x=xhnh@eWaQKC$@ldFrNP8S)HrG{pNn
zoY5h1enOWqomq%)#jUsj^{S}xbjx72eXK10;};Fw<>Bm_@^<B+IoGvWeZ8AvQ?(&M
z1o~cd?;`lvXE=+YWfpDXzP$NdK8G6j%w3qMA~k#Z+n3=)dNZ=kf#;~C+b=#+Q9e6p
zrlqD;ma`1BJomm>i|bzQj^@-BZArR4Jc;x6c&ym#?nuBIJ0sU8PvlT0Jq?J#Oi3RO
zoqGt>_*_11<}#2S4MIV{E`PP~hQJ4$POdWsfOyRKDo=fGlFAp=+o+L?S^mbk(R_0x
zfGHN6=W}ov`*y9hT^py65(~_Aj>hJs34F$L%Ro;gsUO>xixu-NX~;d}kio*c?R+oz
zZyI#EtCTVDC|LQv4eAPupG;<mE_Ie%Z0K>YK5+R0QazAFwC$|@I7rC*_`v^Hh=!#f
zzo9_`;}0#})AKoSZkb?e4cF%YqsxKU1EACOxm?6X1EPEoE>(gX@H>z=m5i7^ag{Iu
z*KZjpOx@1bJvhbP-KYUtF4=)DFI9t=2aPz{CoDl7`@sE$B6(<`%(X(~;DdQVg3N`_
zoEN3NrN)E8E+jak8-&DtoRmM00Qx8C=rPdDXlju3Pi!+xYE`YrFE<1|-L!1|ZV%__
z`qSqY(031qDrwU??DF1gnh@R6`EF5Z*2UZKIG1<(DR0{qvmcd{3VDj~eBsMXh7p8-
z2#W9wX_T`S1q2N!-tk|2jgW$u>c*N)&N6;jq|;PMSx!2;c_PDAfFJN$+(yyCn8vH{
zEm%IR;aeI(fCf~0+wpn>;pQ{?KLqxGkUbIPYlzz)?yB<nN}Z0S+fvaRD<O$c<v%!z
z;QpC_rg(tJiYqmoolOh0u;!ih0_yk|V$j`~Ehge56R(XdZ`uGkrGx{LB$I)|GmUkb
zGtd3saaG;H|6Xv?l+Ewg8ud=rF4Z#=O<s=50k2;Oi!YYJE#vY0==|Vzot}?ekk_Se
z`+XyfA@~N2x6&~=K_|;E#T2MJ`G?T**Y{k>>6wEGHO_<<xnCy6t6A@Q;lLk%zIV5&
zp4YZV#5Dngfl2+@GUp;OA1yAO&;zR8D&ybgr{pgb16DG)zsnTPt8V3l!0MGPeFgRm
zQkA@rk@+jcc8Mermn%HpV_AriG^?Vf3%xu?Tr%x)igepTWpuC4BdguMWk+(K;8kED
zeS4SjWKf85J>CzX1h<Q4=eWm1`a5mNANBgIpZp}Ft6!<x<S1cz#!Pb%#dLG<4ZQed
zOK&jWY9rv8E3iU+&68U%TJsnQzGkTm|96@=8P`+sYqvC=^&Uz6D9>#Xo^>#yrg%&O
zy_4!j6xqZRWG}HF3cj@vf6v74p`H#Nj#L1lxIlRNQ{+5d0@QXiyOZSu==_jBrs2pJ
z%`E++A?`NW^A|<|BJR$t#5WK?lj?R!GTP$C+INbluBPcLaaoA(j#kpAuOD*VY-Qe^
zs;JTMn4))GjvCw6hbLVKUaxGW?()>lqu#_*4n5x@d$a^JUBEcy9DesO^%_-G`$&cc
zui6h<d(N?3Qjk;7o%|wM@nc`pyFAhhM5{AzmPT%@SedpYO+y*Z1?(l(Z+hjSQqQ`l
zx(B_z=7iwiBwZ=0lOyLbmlsW!mnwsDIB(hq3)IOc1?;JKzS797<@kd3)}M&U=>8MF
zt%o0Ot*^TjBby2}YCq+FWq)CdXFyfllfJQGsJ%$G9kSz#Hjg!!t*eaj{%5m&fo9}Y
zUiPDAW#C25FPK1L)9*oLn)U+2+VZbioJ@XgW^wXpm8*P#ZrS1lme->mEs5Lw|J)J>
zVX@agp6zqSTw3EYv{4kUwcs<nzBr$|Z0K!u7>nUlSBoH*(dV=Z;+C<tnyz^KIty+P
zOvj=9f^(|Gz|$qzY|5Fy7I4$7529W9%vmIl?E;3g(zIFLyx7^jc;ewJVO@9ml0EtR
zS$FE$OCY92t5rE<#TcY|qNch-*;C@r08qQYYU34Trtnt%BRv@dXW`LoMTN%GvEraA
zW^Qod>SliN8^FW`x*U129@&~NKZ0oG1$u1WU=xlRfloSea&pSn+CnzN4^B57=d@ux
zvTanr*u20n^C|=Rij>OIY(9aNmR6JgmX<`&c(frKGs*6wS*WW$5~%R8V|_!~PR~vb
z+ODC2aGv40m(!GS+`Ree$)LBy#$1#4JuCj^^O-dXbx^GHXxV_6jqCAHPs#oGRM*vn
z1-ecaxro=OIq%Doi>t@t#KL$|=7fVtjBMl_8!dMO4L9A4rz?csn&jYgCi5e*(LK1t
z=C6!zIjLTvs`BQ7%a?N(+jFhA@Nn8H#66c;7zl-y&L>>Wmum{1jx-m=>3n**cdA7B
zDa~poofo)7y*tiIl`-K#+}J!2C3lr;{*h5q;x}b%0OE;&OZ&9}#iF{+ygi0{%@DVZ
ztTCRkIUwZf4i|>sySV8;TRtGl3GMKSl+?BF7c`i+tl+c4+sOIx>D6(h90f$N7>azQ
z5e%)-zVGy|@pJ2dpFpbD=|(rucby1C8Obe4$n>x$uTnga-B0${q-FqHjY+mQt)f7q
zQZ&q_o;zSxS$_fuP4XSQMt%w2LI6=_4qLfN|K@xA7lT9U#h7&LH$xg}NVKs}{dRbx
z36S5VZ)-wb>{jNg_UMO%=RC>*O#GI^K1WY_j6tzhC5JkBUs!#N0rg7$BZN5l9dbUP
zS9p+7{#rV&UnY0KO+OswM}Bzeza1xZsZoOo{Okk?9p4`-x7s1<7lLT>7FJtM0*vgW
zpy3}021itdtV$|!vZxnJ6v_FxxT_e3yKGHQkJpDYqOrAD1pAZ4fb^PkF9xBn&g1*1
z73XI>3O{%lzy|KLWuAcIHWTQ~l)>-rS`^PXx89GikCw0}KqKoOZE&0kKjW>i-iT6r
zLa{34>8i5Bv8~4Hs()`)hILK?8Lf~gkU_h&^-AGyrxs{ei#VnN?b8)z-4L~6$UF0>
zdWIK7*|!!80gM>^P>$a9L)=C<(5qvI1R4kgpteWB;4_0y$ZmG$1V5KnLiUHi5;_{|
zaZ3?s@M>IEPCZqL%Z)B1qV-+=`keHo*I@=j;Nx!|A`&UL6Yo0ze}uhtSd?AcH!7fj
zQiCWR11KRaNDd8xQhKXMr+`TJ3?<DV5>nDABB0VO3_VDr^w8Z6GBkW^xZme__uk(h
z`=2>RkvT4}xz<|e`KyzsnZM)ZQw(Cga>{qcV3vdTaGFRq@jd;6d!ULt$`D-e2J(@1
z+}lv@F~tzlN0GAUhnG#$$s>}nU+?K+y}^K>$94Pp4#BR1<;m8I^?OqFRJ%L-g>R*g
zfFIxkqt|+IJFw2s?8Xx<{RU+vGAn^1J3Q71g~D6_VWcE#D-oDlfxy=pNU1o1kZ02J
z9(?qc)9&NZVj5E!(9;-Z2ksTfDkc8*UKIZJY!KXr@p-AKBTWbh!dgs%v}#Ii#EttL
zObj|VxX-7UBRkhqXvAh2`~BZyOEa!{>0#98?rt`dOYy=R3k+*Sv&hDt$;5?fy`_$0
zcWc|Vu(%eaVfe-1TPfK6^Pah5{LXOPNp22W77R&>rdiFiV>iYr%@ijTa@l_CihkjD
zgo$!oq<Vn1|M^<Smna$f)h2MS_4CCB9A=gN@Mabo9n_ZR+ltuYit94j-7e4u^|}j2
zTRfh@6r0!N5ll*{OD{_M191IlcfoWbn{}^K@+2|f_1fZoe@D^v&~5l{hJg3^3<#&n
z`|FwBw}TByh{=$8$RKq1wiB>ryu@<I>nO~ph*<w)p(eu^9?CpZw0(}cPQ~#YyBOH!
zuli=v1DIyW%!p?ifX-0A9M2lmBs8&U9+MJzV)&xa$rOjWpCuOhMPXmR40$g!wm#o}
zUK*7N5mksgh*M5gfCTAv5<s}uc3$6M?zpO|csfH}PqsDr(%9$0saOYQy`X0EhQ;c^
zUdA@$w_n*anS=y3J%n8axY)Hiu1)O_yCc=kmtRbA-9_fv2ON%-X*ZK*E$SCxI^8in
zjE<lMG7ernI#Gf>ln47_%S1;}`0k5a?$iWC<fQ$XNu!+t0XI$Q;P8<FlWZEWMDj{<
z%Ap|uS^B&xgnT&y6dOh(H5;zBu;0}ruzp^n1US7XyU1>`A6qU9GD!5SHi3IJ;-6Q-
zN(N}%z-s&bBxf<xlw-e2t0A`-W#ih-@L78c4C3g`|9nRRxbrWQ!trk}i@JTawfpWL
z#e?D6(`A(l>L$v}5h(3$oq~)`^K7s>njdzw{oS0U9;rEjXGT1k0H0^_T>fmzfX@ki
zvophn7Elvo5nmyPJl*;9s=B77)^Vn(WAc~jXa&MlK^P_@O{@;&LoD8omBh&rqg^Cp
z14P+(F1s+~WEc)`T_ylvMp_0~k#QY*KG4_Tp}(l_NQO*=UdRz`wS-FxA5{^JsXN+o
zz~{-BVd5w)r%4oI49+{MqG9XlEo|Z`(r?TML)T%#A*S6jZvt9PQL^M;c;`PJ#4~%0
zJDD=|QaAQypNUa*h)`#9tH7X?&whi$G~08AdW4r^H<Ao)%(Ks$KKn1m=1KAItr0YB
zI_#+b_4+yFcBXcsbL1xr<9kcBVZ~Q|xjvn=e*J84?X1I<KB(4yqWaa8&%wt1Yf0aJ
zpxZwVgi#4-Y^|uAW;JIE3tvmSSPX6xSUdkQmtfztC>>8Nx;69HC?hNE+h~HZOdC}_
z%YE|Zx??hg6P4)2j@djd_Jh_IpS}QboHuK#qb}F8?6NTt)7c{K<@Gss>F(VoKJ!wx
zyi*!Jy#ZI#mzPD8NR%%V6VuiU0Cy1(uIn5P(|T=`>+d#^6uuauUjlHER*%d{Z2NCt
z>=dplduw4Mfzxnsw6a`$-o5}G%cDAM`P&;8Gm0#do}GRR2hCoslb&lE^T%uT@w`T-
zo)!)Vu^)#L>yJ|EHGwHD{dDT$B&{RCRpw+w%Yn`{qJ!+mi#QE)zQhRNG+b(r^8Gv4
zq1~$~;w<eUrcUKR-Jio^c=Yl2Y>U8)^Xs503B+`Unn4sPRW3^~r7flOq*~&uh4qKw
z^^X^SPaW^z5wI>ak<>$iiYMia^t>40d1s&=GlbAozJ$EH$hcTaF>R#o-k#kvHFD{G
z8Mw{)Zl)0(|I%pE+3O5IijU6Mf1l@70~oyi+xnvzoaRf-%h?nI{DN<#bxSQZETSL^
zw)NZZ0zG9;*)NgRY8n78ml0EWr>w+>T?v7NK((or#vjGHtDWz#)KmBEffDR)#_<3r
zkJnnD;K7)~)I2yOLLiHUzWYyh+qKe%%D(kvI>CRlm@U+wuhoYv_-uI@V<Mvw{TgC-
zjgLBBHem&T*rxr@XT@e2)*uXXapB6IX%@Je7ZsN%H*)e_c2ec*<RhCxK2361QUBhJ
zEoE7sB<}85P7hyY5xWlfq^pfmRx?FLMYn{EIx4U3Y=a^8Hjnn5jH9lMJ3zfkV3^&O
z3{gJxJ(fHyySd2V!25_?V*V4<U8f2dqiiu0y4L$E{un}Q$WTE|B#HG1Vo7KWtx|3G
zM(S{7%t^*}RmxN|Mf8EK@S$A8M&(6TxW=sYV$eY&MGxu4qfW5#CosBWKDT$o{|MMn
ziDdlQQepK{8JeMewRW%Pq~Fnq@gs%D>7ik>17H6in>4JgHRv;rSjqLLoLWEY4{fPx
ziq9N6rVethD^C=m(C+1B&Wwq*sx)Sc9`z?@{QF-fguDRr9`NMcx)7mSgY6=$JAcZV
z;k8+5xav6SHnWBpeeh8k)}87x>$4rmGT!%V<Hbl{JLq}xU#Zm?-xlltBjWNOe5dv{
z!m{GZ)hN)*5^7Zed!kA^U?M4%DCNfGM4D5&QS+KIM+Z%Hp7QE=Bvg%8O|KtD;~VoS
z#{t!N%^jq!dF$rQzJ`ie&EpAZg%h)pJFza3n^1wn?8eDQejj0p<7JBH*jH3JM3gza
z#NNaXPTpB71T2Y0`&ZEgd9g&|fbEVkKArtID6V0k%$3Oq`2?B8w7Q<%SAd$`G2_p?
z?G8N!`t_@<R8A|I;dRd=C{pzGB+fgH&qJfN(YdruUk${gL|8Q|JHC7<i&<Rg{1_^E
zc=S6X19ovrBL9j><h2Q8!A}y&_w5Hqy3=W>jH|kHGg+ykUOR=gg_K2LWzN?W)K*zP
zl5Z^y-_AH-4FNij8*VokpjWjrd|zQ&_q#&Xy4D80a{sZaRpDJ?zxvDrOwOZgdQ5fS
zM><1n>qAHS=%>k<q;?gt?H;9uvW<pT8QWut{@(vIPDpooGfNUVE?k>Hsg&OmK1DnR
zK|sVIV%q~H9%Q>LzkhkMb^(;|uFKMSb;;dF)VzmwFI*MNlu(R7jtluiE^bl}VKKYK
z##zs?&T3NJvqQ+1h6rZ;g`QO-RT$2F%3hO|Lk*GXR{KzvVy7Cb)d^77kEoN)<Y=O4
z9n^@rYX0pW&MoGkjFYX47l&Ho!~ulvOB1pCaqKgbzFtcwRmA-r_b8NvXOG4~L*PDY
zor8n#=S*vDeGf3^&f9mub9<rA?794wM_(%VC5oG}c&7n9*KhmYN~np)$v&dySy9&e
zL;MX~dlKXWoS_s(KeVS#Zk~H$hl$;oc80NyiWJ>stuATteEJj%e$Y1-+qGL~pN{LP
zw`nbp#rxX;csI(o@1+ajJ2Knb`z@Q12P(34U?Hqa=t>b2P?!D>KgK$W7nU?Zsz8*k
z3pX4wGYZOYxLOU0JSk%5lMS)E$PA;zH4<ovnc6P0N_$PkUVKVv;C`Z5K4PN$SWz`W
z7KYtkEtP!!+yg$?00jO&m@9~f7o}H%RaO^(!Rp6sk$;sstO8!BJzKGX!|RCy5052@
zrwA+d-IWGJ9A2-Bcx<Ae_#cntVx$vaW6Q&e5T`q>4v)rWi+TddhWuSMQ^kdlY5#4x
zrJzEk3__m+ztxlz+aYuk)k{SW>%EWOP4@;1HhFQ)tmI^n^-tm9h4{b|N1ogH>b91a
z8mYrl0NPg+sq*=)hh;6aW47Ef0MhTBw5gU3BaR{VHDPwb5DO@5Ijsr_bn2lbcbe{~
zH*siW<%=mC!{hO=!W6Q`vTaiRnUoXTqp;n!$nO!~Sk?~;nN$Pk5QdFZTCm%*W9bch
zeOmcZ*B-61n>mb7+!6XJO&yog4utiU0~5XR5B{@5WS&JQj&zT^_IorJYW%hkDsIcZ
zDQrQ97k$A|<V3or{?&3-U@7H*)pU1Kh9v5On!@q4+HEZm9=si960nS1qGb!$&|UoK
zwukCu=gCLvs@F&_e<ElSRjRjy^ReBSaRV{)Q4))R^4`MoJz7VLw39W~vrK{;6Me25
z<;I0Ks`eG&Xf-%)_T(-w5WK{?zVm|5x@mT9rrw-<FTU1dL}r4;L*08M%R-<K*HRaE
z0)|uG+EvukU6TGhAR#rpn!3=ttECJ1g}u5@@)RSRD)(yXc=iD?GrBvEd&yu7a~qP5
zu*$yP0jQ^p-19;jBO6E1Oaw)pPk;Rh$ed6&6VD^S$u)`o_m(jI8SY9sec-~XG=;}1
zbnXdLkV#a1k93%9Jy%;o#$jJLXHTCLj*dwXpTWC#P48YPBbaZ>oi6-^oep<VY9Ux~
z6Kk1<0CO=ve*jpe=C{*<ayX-YU=^bA8jbB<i;GXU0da3Zs%zh)c3rEqcpM|w-a=z+
zFf!`1UU#zD4*cKAutUHvfo5H2WRw=y{U0uTvCl*p0KW1w3K%kC#}QUbH8_TuxR+VA
zD-P7#%LH(t(x;v^iPmO~RZeMzfBb?;Xs}2}P+u~G@@IWM?wRJdJiFkLYq&^(`)|)r
zizfTcIPmF2gg0^242_}d)9vpL338)M(56j*&rAP9J`ng!OZq|50~_sfd$cO9sbL)j
zb;3>I8nP`X>gG^Oy(88;tjChF$GrzX`X?CtJr>j5v~v!uDW&-=lb2%2{$_aZK0@$c
z?`<t!y8!>kb+=)u03H^dz1cUVT<ksjqTqUQls6KqY?cjbVI`L7<u9^{rz;u0)yF&e
zo+gqfV)YU{KQGRWwJYZP_0e4-PR&;}Cs|1Wz_G#RjW#l>$S9(P{{}k=@@8tr!cj|W
zdV^Q+%}v%&#u(K8kbe6I6=u4M7AN6`N*~9Qjmnp``Md&)Zug>|u~x@$TFzQmUg9O^
z)un66YcUo6Yd6G)3hEygN=wP68)<q2e~uCIq=A5fbfYckI#pBaWEZ<&q?El2>8^^n
zQyrM=XJ%=nPwXUB_o_W+9-v>uMwL4<JcaO@Mya{($vQHvQn#n5IL-y{*)Yx!Fr@<b
zpt({UUx|h&{KbPncXD67gV%Pp%KGYAvzCfEEq@LrG&R|oZ82ps^=srvPlhiV_#Q2^
z14xcB=%I-q&V9sLYW17^L>DFAFdZkq3NRUZEG}W8J;^Ga4(qfD_MP-`fPxGbwMMb9
z5H1knUnhWLg~d7Tdk6@7pJl6GU(y}--S#~{TH^enoquBtk+FiLWUmh53u+@23b$!R
zKc*Odz{WQG!0u`$G=P(W<x{Uslsl550T2jZz&0;`i`{pWU=%+{FsSg`GbyVdsURt0
zuu2y)+K0NH0iO+f1=bkpii5}NC~Jm%KD20AP1y&(G{~)dCMyX5+WZKZX_dhiLlsIU
zMopX0_LwNF&q#^I;I?(8-93r=JQq^79L~D8PiXv(O`oL0)~mq+Q9R6J0j*4YEpGc=
zCchL$yjI)JLv2)yH8tFhVxYQ4d7Jjrq;n^qX<8#6!80npE2fP>K_U<yyXkO0zoJIy
z$41d~7+CZU7!?evwTFZhz9Lvo2@zH8%z6~tBq_Kpy<XIO&qm*LTN4K0Cl?*7KatD5
zFVQ5dp7aHr1;*3`PG9JTC;4mEZ^~dTS&a7n5RL=&+>Go-U^xpjTHI^-LknoK>8|z*
zng4oTQO1dJ1#rn{L($#@>=+4ZXh=_rIS~1JX}4366TSLSJ}xVw;#fX;vuZBV#D#~Y
zgX(E2JcX_j$02mE1K5&PNgv#NBVq5_36fak4P@xBp@$(vO84~nL&6MFCCXbPp%A@0
zY=Tt}@bD<^?U8@Kef1y0b`JC;NV9lR93(Pl>Ip#17yW72Mk-b%7wcc;!^p&7EAfED
zmW&0;V^GhB7+*MMr3pD4i)`Efwz1i1Dl0K79wreX0O#RTJzQ&58(QIGwFt`Hdl&Ry
z0N37*LeziDyUrTK)p;o_sir~8Uf4?#mY;uN$eY`LhGnuOCQ|p9_a-db@!Il+s}r^8
zcZPN!Rge`jvxu>A_fyf?rsU*=dQ8ty{@Q`Z-Oqo@k_Ta9s5#%0xpJ#szps)GE;i~G
za=?;FXA~P@<fXe2=|BMgW7b;4w{iB7(V_pxoX-aKDZ}WmG7rn_cvBSLnn96=(XL6`
z=t@;rC+6Np;-T+NhrlWghf0qmTwmdXhrp?5UfU#=gmIEJT@@^6(0UxydVd~4#L6p(
zwD60N+c}(zBBJ2;lBGYPRG@s+L7XE*>KD<<?8U48to*>`25WVwrGZy>GJX%i?a@+^
z-RzP|s<Qa9Z|6QuJAds*^{#3Lp+$-aM2RB9q=k3P7TnmZ3;(t?Pa@tNQ1$s;*~kIU
z5Wqv0{)I*IO-<e>wtc#-#Xy(}|0DRMf*Z*z%C$J`VD;zCmaMQXy?DP&ZRo9ZadovN
z#`-B#;Jb#gwpI;#U_?BQCZdK_Y!Ccxb&Q0tu_y@@XcW)|@fq<w#U6w2*D4@4%)~;T
zcg~H9nzOLg#M3SLBg@uVIT6nWzQv5)I~w+A*-_0DJ(kL5C;d*d!UYqS{@vdo)24{2
zxHo&6A*lJ}eLf$j?IwlEhTu{Zv$SMZqmkInDcRi)McmUM9h#kFll&8+0H9_KVTZe-
zgS}cn-h{k=xYBk$qbkfLY<Kz8n0ftIW+XyPA-7Fyi~Yg2O$$5w+aC)C$QmnLs-Do)
z|B*NKUfoW8RqZ)c!@TDIZKxd8b6I0$7Jji_)JV7N31!VzPr5ld5qt17OyrP$6CFm?
zeBm*vo7R<ap>s$<#i5QVc^j2wTz}pU%9Be>9dR(>!Q)kvfhzl@p5nfoAX2D>Lk>a9
zPA)#}_X>#4ewvoQ%M-yZzIJ~iX4>=0(M4(+ma8*qI<?n$)|A7k_rJUD-+dU#NH-dJ
zS1sWV7$*45cH``Ci}m8=)qxjJvE8n9W#}zwAlCk7{7s40XS*>p;L`v@o0^RS!H1$R
zU)Yh(nYHrU=@KrMI$X~>Du{XBN;&*`zcMo;M;hQhRLAx!iX}rmS>#(u#qEj>aOVDR
zZKfdd4xES14OA`w>oHw<q=iXG2d!CpS+Fs)X(n6~@&wT~?KmW|4>0Llcb;Xh>yM;F
z#Ir6H0j3s4CuVPJ;lP<?-r(oo{wpHop8jQ%k9+B5=oQ(c)(}>CJtGUUR&oT`XGs}E
zVW(Ot_tV8D=;evD3J)1s7PB={VyrTJM0M+ZeM*2GD)eLT3HMfzkn_AItGBEVlegaW
zSnfhVk3Mq8n1;To>ij4`al*=zFCz^ZgOWAT1BF;${o4yZQ}Rg;nUqc2L+juF_Scbg
z!W_23U>n{`*fUx+qv~VO5<b{zdA4%hW4ZyaJyME%?3ZZJHFs~A4~&Op$0@<RlxaU~
z_l^vg`LiC7CgM{u5bV~Dq?Eb~08NoN&S;};(_?QPPp)u`C5FL4=~LIIA?syp(cf$p
z5&0Cfg3!E_msy51n8<HqPCminAX?`LMc?FW<D-1F0?L=V#tJK7?dyKKF6B7g@Wca1
zbW?HmPSg4f%R10GfA`>8!GOb5_&32UvuIwwqTAl$fkLfLv6-@t!-HfTZSn8JTJymQ
zw1V#yL6N-<q)5a90b-_9AFi>spwJL$POWrC>|l796*Y$fAwIS3B#ImP6v>X$5kUMy
zNa;YIEjs%!YZe8J!uOE(kamPkGy#y4;R3^Fw~Ka>{eci2>h+Lqs#cX`h?^?=NfFN)
z$MLjvC46TMbl0j%MWDNmpd7pGuFY<<(Y3OZfAtqf=AwmU^3@V}H3-S*4ftGaAE(JZ
z=jjNQmlhIG+LikW92`dNz<|!!V=h(k?zbAjhls;=A_Z}4@Wi=@XNce;nON1SS0fji
zVf2q|l3Qn^SpyZ%W?{B!n5@#<r1T<O^Zw500)RVfXy@zE?KZkAseh6&rz(&TcvTX?
zJ+Cg@N<bxrzoM*TRPAbAiTV*^L%|?maOe%;>(Bo5jHQjndK_qFFbQtV_3Qd&ubnU|
zbmlBniT~}d>q5|7)P4~EszBOT_}6Fgo37*Eo^;2a%bd@R=m-Rj)L)Rx%LzlIA#jKv
zgpX2+kQBp8tVL{tu5{lRg*vk}B^8BkH%qoM1X%<?@J;Eo<bq%s>3VX9B3m+j_7y@x
zt$j^zm6&#~FottkD7?vclo9<FoL6S11!JvE{P||^do(uF`^piNSGGJ&5JEvI@=Yw1
z$z3P+**S_gH%gm1$jXUezqMYgB;gp@aMY)kmI-D1GWZjQ%0(^}7?P+kxji2=LcFIH
zg27|h{vJs_tfS^P(4m|=AZCt{$%wnoCfdY90oh)?vxNjakVFOjC_%^gxw$ZmKSId-
zVW=H(PkPy2p7dvXU8!avxKoMNCESUtfWlR~)-53k+rNah#HnR{evTx{h0@Fb5f+b8
zfYjBUZvy^p@A%r;XLUxRnrTy~)a8Hl4@m`!KqZqQFG4^Zm^7SXHf=?>#@%q==R<`^
zvgO{53dd5^lN9BbPo3P5Q5Wz~&mEzVmmH28i8+EZi3gvrBN~L%%X_F0hz<Pr;Ak+Q
z;K*eL#z}b{CBcH1w+gQ*tshK|9VbL-3c($7c@{q;g~&!34@u{F`9FVEic^$`jXNqj
zgNT*j1yFkwtglE%XRGo5%qrmsf;4?1%ZW%8wbQc*$E~Ldnmd;6?C_`=rm!W$QdkbJ
z`h`5z`5YZmJm|G`CdHc36|<>mR{flNd!3$qP5SS{G?7YwBn&;*YJ}IWJxvho_HqEZ
z_NK?Kynd{kLVWaHY7hpy@hVoha<;rK)K~Ob!|X(;oMhM-%D8hr(1Xo>|NeUFt`_1$
z#zW&rkU$!amF9<8?H&1*^2ghs&@LF;g*6F_wjZ|>`6GuH0ih!-Ep11CR$|dvtzMin
z31!<Y`aDELno8rPyIXHu?>mN!&~==MR#DQf(F})ruSSLL!-UEN9I+!-FR!WUuTq}&
zh|j&>_5%Ij9kAlxI0L38)D2f|(I|BRK=dw73JC&rRvqiD&az@PzcYfLDIn{5$f-Cr
zPagw;Z)4e{C6IUqeg88+3h9DJO?1TbC=&4)Sv}@bAYmc+Ec~mf^(EvL<Q%Zu_0U&P
zgW@Rb9CZohfhL#t9(Zip&^BlgD{OY+mlt-MYmO0Bp6-MF34QH&3aVR1v|#q+X7ySX
z-wqkEDcd5n3L5Ri%yz@b21^;cGbber+g(g?2yxTW*4r4rPW3C)ky5W+EGu{pRGWqs
z^LC-DxAf~HecHmmx*cwtn!Xb@WqZ~8x%|}J7_GF|KoG>C)}QsLCfHlIx(IIx%5k((
zi&*&ZQM&<)aaqS0Hl2|26`;IzB)NF{G(Fv?eEJfOg)KXU1cKc<36|L2dED?G>7VmC
zo0GN9>cLciybLk)qr?F!nY{95^0fX`I>zY@xrxlk7?x6|^|F4=&zqF8h}|{t?HOA;
zGA=>&VlK!ShKPDU>{^YAXYv}QV3NyBq?$PGp5-wAQ_kSF3;M;0huh(WgL<sYXyv_I
z4?ZWay)R+cIMu_TLy5T8;-uFYJ0&pbp=89Lb(cP9`X;@xZ)JOEPO(b2RwkV1!f!`7
z<IH@NH7>;xVoN?V)SRuc5HxDpY(ve}36yE~Nln_Pu5+eFuLA<HUEu9eXUEf)ROb%v
z&u2Jt6v%{64%<{@ZmvG(I|6RfI?{t;&U852QJ0kr)$!H-94#&1^SumC*~3PPdn&l?
z0F+6ENn%GfiwejMsvxE8yo0SNfxK2@CKVke6Oj*TbCmaVRUDOGD+MjVBbBF>7$4s0
zmZXrU{?J!vnNGvm${M%ZfG0#nd5g7>QlKaOI9Vb+38YeaJ9j@AzO%RVTWcZ&@)iWo
z1$#FE?PBbYg6eyxMCd<i0<|J=my->X6G#@Gmi69fnGXn^F>!8V4Gr=aVP0`r?0SSl
z5vJ*aK5|ZG0-=K^GQ+uc_8m_Q$RNBM<WIAL>&(yh<eHY)BN=APNLZDmAeGH^d|fs?
zKR-H80?s#f96lE@V?febaa7S)*@!!6F*273_iKDO>b`PX;k#03Oj0f}63L;8-zxk`
zQGH%^veF&adXsu=uZI8|9~NsogiDKC-7WuH=Z82<9zFr`g^#eK`B>8;Z@{Z^;)pp2
zj1D5aTnnE0CMfOG4~>7pZ|J3E!a;{jB;eU&aYHh|85Y4*sJY%I6xUkZ%B(*U8zg@O
zz?<7mckG9vq&BOHqC}#pD_r=k@8oCEd5`lFe*=|PWGbjR2i+4FfKVY{X23tMA|_O7
zycBNo>Q4o`-fpDBs2a22gi|Zi3}&scUIxB&SzHqrp8+wCD}(yjq9TvAnuoXJ*TR5}
zKHH9f?qCeFT&~3@5|n$u1x~rDV^!4Ym+UWeK?h_1XZBjqFngdaEO2{Oeq9NL!ueo-
zlA?B+=3lUIh~u+;L8#rI_~3GSUb9)v6J!<W>?I~--B60$XmEnhfT)96_#NGGaMhb=
zJ1cc<eFWh2g0az}blI9|$-Fv6P)3!SuD}djS40Q&wD9s9YnL=PYXu7s<l8sbiKkbT
z?S^mqFxh^zd`4}{kH%gxlEU^1OqzB|PJYDtLsNzfuPzBKT$FV3|40v~u_VRMZj4je
zasuW&R46G736Y`u!|r)AJy-(<X9qNyai9l%V0jBX+pA>sv0UyetY0mA(m@c=Bg~m*
z$ftBlU>#L)D`4!Buv93MhHv<3d~IFptNX`3y!N1km=GgMHl6_Ye8oNvv@eEDqJ>Yu
z(W&;wvd_J*2h2c`lGs60RZ@zSP8%4d1&B$dulY4x8ZhuK#ZhGsNF#SpWh-Ow<LM1J
zh^BcS$rXhl*eR&AG!Jx<dH(7dr!;Xf{NrrcRa8za1u3}X8pRXsHLv6yG$Rb|=!~XR
zxdW_iHlqZ0aT|D<?7tt&gp3!x&FH{_@?HM{IAK6@Qfy#cH_Nyqtp#-!ZK~CY4wing
zT=`Cu{bcuCQ#RrZC!+4>dL$N*r=hs?V-M92z=2V+6HIcsOBtffXGrrSUevzZ+R$Ba
z$~t^pS-z}D&wx#T^2ezIk9L8<3qXkif>dp>`$WS+10V~!L;3ppN1XptyaGV#->>pN
ze=fUrd8N3Ud-+**{+Gs}%lF_#N&l0F<!Tyml02pHv;xhX?G)+ZlH#S$q)duI_CRML
z15(R!*?0f@0pOQL1DH58QxD@iE-K6>s`umHMhJle>=l5z;>&;0J$Uo{zT4`+eC@%c
z8W6!4j_5^#4M138`BPvF(ELl&30u1E0;TnH?45Ri!&L-%sp7n@ufQ?i4yv9QG6vD-
zSa(^3bwrZr#-CTf3)K#=7~PSW9^mDVUauHKj~D4FkBGd(wyds`ORY!q8rPvp%1>6>
zJtu8J(XWHM8D?Ht7h4;8xVM=TBi=7hqO{Q1!0aS3M6!h0A`lbB069dt{fAq{=AeTF
z3i`2X1bf>$*yY;$wPe!(FH;krFRfyvM;4@jUb0F@WS87cyKg$!3^L^s8R66Z?fMS2
z@hFha8lP{-o$@O^OI=1u)IbWH>gqrMH1Gv$^FsP}pu6?O*#U(D|9}}mpOj@+BHwUp
zwcRKa&PjyaV36%L=%)hGg|jD8{G+#Ve`!ktoy7H^b^=%DzMg?V6ItRo3%RRPpjQgu
z<T`o_#8)xJ=B*))@8srH;64BZ<<YMQ5a<2Rx9tl0SlbU)i$D_a>^1`gAJxi&-&kbY
z+<YP8kmCsx_DM_;wR;RIgppTg$NP;8Yx~2-TeEi`)3U2<-fB|$g8@3F7~eBVH@gh&
zCIi4O-}n5RINfV8bIe`+zl1B`eQ|~lhwCoeqB}`eX*0E*v)<s=twwX~-P=PQOfK>*
z)ef|9WK|}mCpqc)oOd_Jzyb;hbVXTYeZ9YVzk2$-$7!N*(RQlH)I66*dsv*jrj*Zy
z#p0h^8EKv8AWI^|=DNH+kn;bxIm8gF3c!CWW>7e6VJx$##_-)JIz0J)Ezl0Xba<K3
zn(1kD)jAz0YD!ER1O8b;+l35jbOcr4)#Mx2WP6guZsHLTx^q+Y!GH+GuHzBTIaTb_
ze=jN>NcN?YK!NTIVo~qlq;eKEQ%j(xB|l?Il=8559(?gK_`)YCR#TE&VlA&U1~7oZ
zJN*xa4NAXi-LEgH6e2zWNtzl!yI8J~h`P7drzW7m?7iJM4<7J5TfW~QA2bFeB60nV
zqIChWj+{S1i_hbwpHlen+t>6K(Rl;Qu&-%>8a*HwY`$X5e$6agkCnWGv%;EvWwTv$
zAx4e=Q6%7ow%^V)1>=|n#`6Q}`6TYqOF~%b2Kt=}i;oBb1cJs;vOjzttf7RbBn->a
zsrtFY-1Sh-`wB_yfwi7uJz_5#nh5n{^gW!B_oD-Zr7FP~lEJAJR)K>>(BuS-#GixD
zh?zM~=P7fDOpAFj5e%;wS*%AvzpO|<5^AW+Ng-%Ijsa_Y_=i)nV4&Ya2`C5aKgC-B
z&AxZ{$`Fa@;#o>oZyyy&5`&n1?q-UZgAt8CSNCGXJOKkMujdKel+w0lkg4zbfMJh$
znxvxcKW}%j@!wt&C#`d8HF%kX(+Zl%RaHP{AWPdK<DhHJ6-Ihe$eucW^wybZtiU9?
z+KyLo+wPIl-4{3DObxZWKDL`dWQ|==J>}r1HeAx(N8NtHkwqmH&A+Q6i6CwiaI<TR
z{`}cn$BebKQi1aTxAQVtQlFQSEjRSxEz&F-lxlM7fF1Cl5jr_)J!(2ScYhpc-Q=N?
zfB)nM+D4VHQM-GTZ|&5!QU}FY`nCCA37qboI4m*SIT+Lq&~XE4&6n`K#iTlMitilI
z(Q1$M!60oA9)bGP-9Nv>tu5;4zka|Kz6ZgfvlCCn%;+C^JWc6)3^9BphMxz?M5uPz
z;t}&A*^qef5xm)J_}8_zwu@455Yu5)?vsDJ;`W%kYCQTe(0S<b_8o})H6Z{5F$I_e
z<|=vH3>T2GaVosKZbr<Im!fkm$O4}X|8tm$E_9TfUZhIR^9`PS7iw0uW+X)9sBHT!
zFiNpfG!&2PXr%tQ-P6j^?dRM&1oSm8AyF_)MhOCBK7sAzt9A;Fd}<aqR+RU<R7IrU
zJ7OeF2B(d2l4rT?$Zk=FD{I-2kFKMkuAani+pF_mzkK;pu=eh+J|dbW;{qn00FRPf
z&0TH2!R3->HMj@M9Sc&fr5ATJIZUKnb7JZY*b5^vrO~Iy>;ScnCWksL3p3=8Ji4xy
zPVx`@nTeugD2;)mJSI|1jvj2gmbqVQHy%|1hQ$Ix3#!s-DE5!`ToSf8$|tWxj0Kjn
zti}RFih#-ximLM3{K*-lb_lzr^nQ)szWxjgspQ*-WA`~A=03W`so=*xO*~j2Qzm9c
zNVC@MD>H*%{i7uVpu>Cm$rNV~f~Fs$q|A3mZ?P(Qu?dx?$SZAw8fj4(b3^@;`I}8#
zPi{6!E{|MMgC3d!^130gC^+{yb&r5>c@=LQ_X=L$v%<D}9i~Q6a8EOj^rlLBv<}LA
z2e@Rh@9Fw~q&MYP_2g?(ZURpGyHSU-nV8*`{s~GAJ~Cu-o>!MmJdr>x)0*5AU_NF(
zlCLs(j8iJjVb((N=#9|o!Z$%dCp}FU)c{}1ueASp;HsIwKvUcmc%@xv@zK^#5U{6E
z!@MO0>Y!$VdsL9?G^Vj5*NC;tPKduv_6t%=p4Cb8n8)q?G=>n4&7CPj_(^v34~vI6
z)+(azYU(rZ{G_fxd_S(5wW~;{-U6K4P1`pX@gbE-0>VwLmT>2ivnCP&()z`bN2t>!
z@d_7TKBElA)*Wh(^<ai29&&~#Sli91L=B6jJvI2l^ltjQJQJAP4w@O{4ZboCb&)N@
z(SvV|E$i%WH5R*10-(BofmPOrKYMZMIvVB7m!CHWi&oivW4$!o6W*CgidYHB6TPNN
zWnH@GBhAjV&VHIFnff9fm}$zZ_%!M!zuN6B7(`73y?%*<7Z!^{iA?zv^qHwS`t!)n
z_w40i1rR=sRFjGGIiU`j?2pM;ng!P2<AWrdC&UuSY`@{eTCpNZ$SdN0*mUA-XPNm{
z8WC{}5@sS+#I_~7w`vnSjr<dI804o8!%&|L2<KOEvFJi_1gyT~ZVssNtiGT`x`@Un
zOPcK$N;PP!3vt?`{^>60M)ffG|7G<}KAYQZFhT|Hf#i8IV8zHD^ZMd0Hg7uk{e>ay
zp{ndKD&uhl5GM!qV8Qu2#fee_Rf=Jvq}!WB&v2TTwa~mB$Cx4*ia+>eIegN4uUn9(
zDLZ<%gE6wX8B%<;P?1UyatB2-3rveisi19sG2`!bJ%Bs&TKdI&;C{)rJ*-a!qt3IR
zN#R6AZGE4jtz@f3>62Vh`QA3UG$^^7-ED(u!?>&+9de9&0*z)lqvqpX+NDIH(tZbQ
zqT#^`1Y^B4l~vdG=3})A7Q?F`RaL`%IS-$hQisJ8St#m(bFyRA_MLE#IQuDeV;;%o
z5xVmy?9*Qb@=^ibe-oqVSm0xD5T2E;Hw3~cg2ZiQn}g0tP5OD;WZkD>Jvp%LSAW^4
z_x}|5S1~Wj>ps)gRym5uX{X8%Fs2x$aQl>AV*d&Z({r^d=YI11w>MKZf03_&GPHFQ
z9=<f#4BOTLGL=2z6eqU*uGIqRTs*Xn?FFEILiaPV>d3nH=q`K9#(=31W5RJ^D|b!#
zum1Q!vP0HckSj+H_zbN@k$?P5nvNEIR1;B4Jxz1<Ed*&>SI5EhX(j6H-oC0i-4J+V
z*^8dJk8UZ<sVdrfl+KPbAWQB!CZuhER6v5>8BLR-*BPgi{VRr(ihZP~NywG07TWsv
zm0Ik<C!1?Xn7VYu-|f1`l8Km*U~3f8u41aAm~?-ho!^Q&CE4J)$Li+~o-YJ2*BEY2
z0nP#<$sQ6<v>%WnyJG#2smP{*T5xL;wT7yhk^E$?F1@ba$~-gr8CFDQ^c55C))&R4
z&Kc!%E?Mc`I+~?jw^WKO^XJ`o|JLfZg--`}PEg~E^qeq&GNlu+3OGn|Z!I-<b}G>m
zE~jm+Z;s|n%Pa+l10LkL^e*M|pR(J2B#`p$`7$qpNxfphX3@S^X7~q86bCeWK?=ls
z=|+F|)ITXXLTxv{WHHHKXU$DtDb1p3Y=ScG+Gf&JurZh3K5&+yZbQsRnA<%h7=uWw
zPd9fCD#eLx@%MqVWmtQtdXc245+Qf9;JP#6|DEpSY<w_Fj$RYO#k^P;zAAkvcU6&;
z-5zS6Vj9pKvTvm-kjdy?MD&v}5N<Im6#cMghr;#j0p#OLX7y%{420V){U?=u*|s_H
zZcmRy0`IScRB8C%-|t!q4=zrNxC?10t{;ron;FH0B}9&Kb|lIaE|jW!aVQxBx<6K4
z{16uk_J)(kNTq8w&CU0iI|7DzZe5QldlDITFcNA$D`+PL5qM^5ckkZJ(V0_K0`)W|
zk2?=xT`q3N&}tbxH$zK8&^N@#f3cGSOQDz1I5#NT^D&5!OFD__Menqn_#hH%OWHbB
zn4Ki_8H+di`V<%kO#AG{cCqq&`}d5rnvGSc>!*IrZUlJnw_<)yPP)HOvswv-OH=gC
zG?yJh3pMqQBjB}2y}s9ItSM8M=;V1;u-$t2UYnWq{*tR0ancSHNiLZthH|;$FaS6?
zSs>^8Qsb%vp!YHg;typ@9DUIH&}B5m9gRQX$|4j?P<5ytTxb{c?j%kB@Ev+sCiqmc
z9B|JTdpSxUers{6uFY@bB!?{421kcS0I_)W>Jiq>f<P#UVl<i)9fz9}@M0%wJ8|^Q
zQntoS{_T#>s?%)UFoV1Q4P;7Klz22*0^2R&G6&!1>0_5exu91GR6Fd|PVWaDyrRR4
zEYH$-mpzg(kIu5X)VJRd4)CqIK4tmw;dt`Ktmw6lfl}CVY#)D8txd3`%}xm>)SI=S
z2Kf>Gk7DVlFze{;%k+fN8<M|vply=JzR>XDE8*E=xMEI0Dnk5Eu17RN^@zK~nxYKi
z3*qWRvo?p{+adB!J}dqpqMCvjA0&8Yw3Ax4l688#U343t+AMTrLTgXuPN{W!#Va3L
z3W^8oVTO$|MOI70!ervvd54P3e7`FWxlyMj_A5<l{2G7M_u6<esZ$1T1jHW1p@%pi
z&sukGjN4UC1UM>Jf7{azmFVdpROi~#tTM{&S1vRWjOx2@F~Jla2_DZ(&jb~iel9iK
z#E;A;<<{H$G)Xxh@x?@Qg$tTOTP>|JD}}#=I3$KWJz?$RB-Wp?FE&9FXF6qblTy=~
zXBWs9O+zs)YaE$eSv0;q{ZYF<Tke)3XQXCLZD3dr*VbmqiYs&Wac@}9aUbA#k&Df7
z=CIQ<uiKO#w&{1Fe_Hy>%x4ewW+)#fa_CU<Z<Xxz+e?r0R9QjDPbg2t>uPGTDU_85
zi*tq_iv5D^;C!S$FD#LX(z7R)l<@qc5pt7&I54t#zbh;6`V^{jS5QE5SC5eSwX-+9
zH8TP+@TOD`YP-F)q-0>8T()msw6!|;qq!Iq*B+2!E(+|N#9E7Z%A)PFGls^X=O7D?
z?Y%{Od6;cNByEq?W0Zi6?YqMc37Bo<nq%!ijJ@sZSe)LPuKGB~;0>p-@`tpO!c=*6
zxL)QnS+Qha>_!r#*8jh<ah{j<KAcAEuC6GD&hB%uOB&Wfx6<Bj!T3NiC*otiK4;>`
zu`#I*TCUzO3%{;dYpI0Da}cKUlxZBOAzr`7yFl%;ZvOi1=3{Xq@B{~rq6i?b1CQE*
z-!2CwhE<7xFcbqVw#a7TZq)4SrKFp7X4ldmVclHNS7en%c#LE%XenTu6mrRw5BXp$
z9;uwovs!AL>Hnw)R~*h&ZJghp8h)R5rUk~->@$6wbXQll@=9GQ+XgLxPAVsg-zN!;
z<roJ+_o3cTeTi)_QADB0$EeDvi!3sKAwDCADfn@PK&eQ|(n!|<ky$Q7f_58^O<M_F
zYwJEKYU17Q?a&CZ^cEXaeFJNY4pFMwS;-!m4%TjRYXp92N~PG*XWn8umS<(#WKu)6
ziB<y5IVr<<LO!Fbj_KW>biwYK7rvS_XjQ{u#?U&fI-Y&#*!Z!s^7_&T-#Yo3&ZxhZ
z<?+Q6yqhIw6DW5B<m7v_I&LjKrIF^wNi&ua)i#h+4vtqd*Lb8+tB5z;HQH3+4w+7)
z`<`nW`z1L*H}NmhaS2HM)!WXSCEysVS%%UR6h|CDAGg^uV@lR*?s`$Zc^35g?SEti
z|Dso;_!`2)I8}5m$$t<O>8D`PdjWMpW?D23zWOiD^?xU@hyb(&$m}xt!JGg2XG$LI
z|L+(VeE`?~_ai{PO$|D<`@m%Uc=F=>fD_0Qa&5VPr+aNC;XL-d{n>73l6PjnAQkC#
z;PX^<A9rf)NKa=K$QN3do%SQRXEWlc{!}MF)0STO#LO+hxYwf!hnfR4;aka2JPr)|
z3B)^<22=g_^sAc?sREv2IE5frD=)?a$F2pNw`do20|+}A5n&=wI*}^ja=$R%(h0Cn
zmlRx;XbPD%Ck47!zgWcmrB6!_rp74c@Nf1YyYbuIg5J$+t_h*?0kx)dX)kxvMBL4J
z&39ASi&CKO&}<hd;qExppSfFfYEugsr2?6vVmlB}-qZI?K$T%dA-<G;V}|Heo+C(F
z(^*$Xv)`t#xR7;U)~nOQo%nK1kU&C9=mhMN!0ve_=xBMR+I6Lme@)H^U?K60z*W<Z
zTl9(?Lw4Kk0&DB~Kz!g<`x=^ZmsH2w*U<)F-#d@xv{Z1~(vdXvcf(jXzHc-bQd1y1
z)wkHJ#^8E#*hvazgjRc_qAT)W7<lirw13M<Pv$kKDk}N<^9gf4b($xB$N6+11-aYR
zlQg#>T>#?k@pvioh=YjtSTHb08k4f{{YSy~^_8?IEV(ovjeQZjKwt5^!an$KY}8Me
zCGCp8<nQ_>QrfG3<G%Au9vo6Sc8#N9Z%qBo{;KkOW>H(6-Q_P)A%6w`Bm=E)htX5&
zt9gp#5_fP%Y^+O<1SbOYVlf~wMrhq@A^v5+6*u7JBNEyOAmLYC>`wWJb6A?n*5i`d
zoF@@W!Dl$~1mY@QNUEHE5F`OSYV+qOTNKvs<z0n^2uuTA1^t2n{u$)buOzqIDglgr
zUb$kV1Lk-)oUldB<UjJ<uBAYYoS0`!nsE^X^p(qAPks$J{5VNBbRW4p@C88nc_qqa
zHw%OdHUQU@S)zRTG!KLW@?FUD@ACJh7rd@eUre1P!s18}*Qig2DOCaS!l5XE1Nv4<
z&qhumm~`jd<$I!WedfrqbGl#H7PH+kWOjTo#frJZC(~zVS^}qN5obw|-ED60-JWi2
z$BB4kB6)7I)8EznQTYR*Gb&?DRAM{%TIOBHNQGBQ>Di}1@*7J#Q<0^|vE>x+W=ma0
zUM|u@H5kR*R#|5lOFw-5*kb!@c5h}wBX!d9bcx=y*u|&zjcAqy&}@=7;j%LrhA2ft
zN$HZ;LB23++9Wfkd+Bb44Nw25{d8^mHT)?YLaaMReKqaA(IPSpXd%Dn*;#-QUY{As
zsHj+gbwk~>?-M^<m1j&7wuA0S7=;7INRjE?wa2LK?Y0(%ezewZV9|=Q!5+C?HYeMW
zm==4}FP;IEMg(R}q?@N5Wmt-}nrSX*VHiZ|902Xgd>eaIUdW8JRkxA#$u3mG<pxUk
z$YP=iYoUNzbhBxNryRSs?9kTniHK)7dK*}ez1tRz>L<qy4G=ykwm<3XGrCn_D!T37
zE;+p0<{RjvoqoC$e=92#n1uvLmp<}2Ajht284Nk;F2=jjEys@jJoQXj94vjfvmf2E
zZh?5rqn{xbS?O|CzSh|pxpUGfC&Rb?OjF`(NjVG%L%%KZ@kiyk27aBup6pJe064%8
zghU3au}sg@k`BF(it;!0nJQfm%f^Iw%SUm0-m?82%L+dL>vDpDL}ckN1yI`xv|Y)x
z{^G^<6UWmZER1x4zmxoA^_mkgZx^uY1U1s&)Gx#)9HY<}0L$IU^0z~u0r7Y6UOI3I
z3w95X+`);8aA<SU+l|o&W9nKO?3%!?mPfv3(O^$HKX<4~WkzBBipAYxg3uhGQySC)
zzP0pAr$=e&9KhwH&J_x%kYMiPb@OW9^zB|Q449H&UG_Jce9U9opNQiUX>2wpHSJU_
zMX(<=JOl`j3eAa*XUS@0nDze$Xv87h*jUa_b4F-f_Fj4LauD<~@a5Z7ielPj;L~<9
zg-3hnAd_u)#G_UqwQ3Um4P-LSZcPYGLJ{9Zx8<Kt@~jkb>~>9H5JBvVAKD?_MQ1>x
zOWtZKyN-<bMlv5YM_B^w)k)tCAN?rj8)G0n-gay{`5-UE9PJw&qB4qubb@Md457qK
z5Y=}AVP9P<sS}CFxigb8;>i7HojbYSVCGTt+r9vzZQ!tA87hU{y&kxR?>|8DE>6Hg
zU(J(r_AV?N<CSXz{1Bl?7vO8)1T3rt<cY2<z_FTS2*)sus24l11sws`Km1M(ZKE02
z7MhC(D0^zbQxK42mgHi0gD<^I{Y&}Zr!V~kiNgg)H0xe_bP!VvVUMaCA4KKwyTz2W
znjf@tX5@uLyv!eTY6yWZvPq&vTd4YBk(6!H9A(fyeOR{iBF*Y=p#!WP&8sYKVMQ!&
zPj`v{4zKiHET!~tWdJSVeYjneR&vK!n>lr@HnhF|z<?iw(2f_AS-1dqU5Ga&QTn*@
zlBGOTR{pePra<TfC0F?BP3sv9&bf{0Rk}x&JX`WBmJtV!Z<8P_3`17>b3$FNr~Dmj
zj=8^|XS7>DVZ(#ictp+EDjf|X8-~@rH_X&*Xt?IUB)N(b&Wx(`rxZ5+UJ?`$eWRtB
zt{Fhy{5issCH$Zu$8H7%y5Jy@5h05;>&g8<E7^_2^0X`h$V#yxyWLk%OY~A*0<=^B
zpydLh!RuoX1BmMK_Mf9P-JQJI3!o2c655wbgbVZQ_8m=%%eBeVel87e3u+KCX&{#`
zl7G%t2lBQFKTs8ST@|`YHKdV;-()5Qg(MRvTx;t1Bp-Nb2}0Y_3tEefMRR0Op98In
z&^(?v_2*XfPrVs$+dfh*58K*dBQLid)vN1TBdEW9o$-8Q|NQ6<hidlS(kkS~LA2W;
z#BI>A*z!X4TD=Ne1V*bG;(k`gTUEfDpK2wFziT%6vE1lo)>KE}>EWrB|FQ{l44irF
z!A33D9<7iW9H$8+5|DIwyBqA-$9=v@N$8!R)zne}FTY7sA4o_>YS)P+4wNCZ0zpR`
zCFG=C5PZlcM5Bmx%{N(MZT(B0UE1C|lj-+=03ON}sJd)At>Pnh2*h|b@b40t#AbwS
zH%~Meg>63>hwIGX1~@ts?Q;}FhhV<6DHZ7{rQe6<QgQ~mQ;(7su$!bcRyIy&%+>yB
zbThSnOod<i$(#0%{>T&#neXCuv8N<f2vSazlK~%-&aYrX&8SwLXYU9*C<2U~K;E<Z
zqDH>T@tZ?)b7WVEcB#iiC{`KFt~C*6hK2E48aK^LS92iE6`MpE7Ug9CA4l22wFaM^
zm%oCx&^Rw*J;KXKxNk~;6=Urmy&AYCU1!<Zw0{a}jF5}df3OzNe1m5LPCY^&I+S<|
zT#iGsXpls`aqei6NBeQ*rb~J$N(_V+Yr4|&hAiWqUA|>1#INV$VXS{YcqmD%+iu*q
zo@ac!aqR9Ns*gk}52u4F?f09zKcv|yEczmH$8LNO+&adyRo2sz+9;dWeJow-T2YdZ
zGivDh13ZgR{ue;26KPC&1pV#N$g~)+1#6?rm;zq+f0Wy9PMD|s+^RLmN3hgtX3YL1
zJBvtFtCsBtS13YExUFR~|6K640&jXTI{1o~_i3xtKzJSyM!zQLI!SO;e_uw#(jb%~
zR{!$$8rduxv%cPj#W=YE$eKuMA`BD>O3B0HS#t7~-mYr|awaY$K5>5>-@czei&63-
zURW+&_)Tn&Iy#GYhUBRYK;3`j4Tgjf=^AOxGdO+KcF5A6&9O)((x=9Z1VyuPvB)Zq
zXFH09V}4Xndrt@!H?ETHhwlm(KBC^8X(Z%W$9JoxV-p!B5q&uR$=>rrIq|OI$Y4J|
zC5>5JhSA!Z!bnju=kTXWvS@*;Tm?^?(y25mHy?3zqE57bbX2QL+XUsU1>VnMd3=g|
zGe0rP!%T~3_hxcUzM=l@t(j4jqgPC(Ysx3piC>czu%DezT+e8627zT^KAoaZowcQd
z|1Nyne^KSuhELR=`6x(Yt%nFNh6{~plx|Cgb0idP22){o3S_*he_x`?;b9K|rfg-#
zx7F2!kJGHJMUYeXN1D$N%g3x#noPPWPrh9o9KO*=`Qg?MJzf&Lh!0!L{ipm%Tof;|
z|6}P>fCqlPz5ksUC0I;`$c)rETeFLnA^Zyeo*Yrz{f!;Iu@h{M65Ww3lZ-MPi8>r4
zhKsmtz;(93B~|$<%Wz~pA(y>4`W@K)x}OYY{yIaQae7V(<<8b!bFGk$Fxi?p5vfP2
zzQ*l9xJQf+Qx#Gbb8A;BwQOpT&fmOsU4$?YF{+dTT6bGr=$je4=XYFbecx5_6}KAI
zqSH;Bq*911-Y-9#kQ0CPFqFm&HJrs)OylrF?oQ?=?i(wiej5HKH8{hlGhjP%`5#f+
z9u?l*{(ds5-Rm?0Wq|z5eMy{LMlfJQ@S*T^h+OGw3+c`pnb%)(&1*I)^m84M$;5Al
ze#N|9H%UyK7~_t$Uk^{SUfZ6xP55+OcbMV{wE+#vGZa2Ie7)@7<&YflzwoXAsfey^
z(Yx(dPpeidI8BsHq-mPG@T6X<!(?cXgh@lg8~AA@{L@~VUrL}(0K7#+k1*Yp7O@5G
z|11F{jrr_JICR&BHadb?`kt-gt9!zUeE1)33Uy^;G!q47kkTAij<|m@DsqmHIIAy|
zi?p!#TZ<ACo|}uP(^#4W+v(WS7jG1{gqNjzqZhi&`lrHIHKj%VDO|l)W1=`K1*rT0
zF{J5&e68FSR_Xi#0tCi}pli{OQ(&d?;M+e_#WY7y*{pcC$)}GQOqPaL{YhbMa;U!n
z0tBj~#9K`FO61|qmSuKvy^~&BOcl>GNhjwT?+km7mTACRAkQK1&3dmr4adttFb&^O
z;I<Z#zv`eds#Lel+`3TAy<AROkVLHo<G|dML1Z$2+>hC9S^~zRBpy9MpFywsMSoR=
z>b94)iOV;~$bLT_rJ?#l*)q$Wjc_CtWwY&gcVBqBshJRKRI~XD<%Ou^-7m70&`a;A
z>mPXLYR_jnCgOfE*`8SD6*EBtK_styP7FmD93SX7pZyVig@_jm*B&apKTNdo3$%fX
zlCM>)Wf7|Kbt_^=6+-D1MgnM!8auoDc7Y>xPv2;GB+Ien2$1c)Ixu^cwAS2lgac)p
zU0vVW3XeX<wPsQ)l@@}h|C5JWVH}qq3KE*_R&p=0agtLXmY~?DUn<@uff1yn1YTD&
z^>iu=B({?5IB8+`BPb}Svq|o6&rNuc-bs2F4iAf-RVMB+{R8iQFdXF1hZXzHNf-kU
zWi=2yJXji&A*}Jv!h7mhCB4pWK-i+5q{1brMNfz#&0XqBdbZzX$}m|^Xrzn9BQ83H
z@(<jP80-<=xrH~pMENwVu~LhOjnzp<Mx$X~QHS`KJFMwDO@epwoC_HbOVNGdE=!AG
zHd~~fUB}no`l${q4s^U{#L!|f1HDN|2e<L8#t)l^w!+B0ZXx1tb*IwnD&F5)v>!6o
zj|7*<E$=MQ3`d}LL-LBcjgTUkwjqBQbl}jlLDBH7-C@Zc%~7SvA8J1#oWp$BiZ#++
zzCu#7*}sU{lE^h3z8!ep=COO@?rh=jJWpz4DHHcO(|~&Z_a(!j!FEo)9F7ww$BSb;
z#&7#~7uwat7B=?OtKzOx5QPbB=xsaN8+lo-Ay%-Wd)WK4_ru0+lT6tzwO9K>?*An0
zB21v3E&BUlR2yf|nE)Xe|H46IUlO^|SOs2B0IA_BDSePeD^xmW@}~4HXIv;nO4+WW
zYI#%KQJ#m-uIm(v)XbBO1!3Ky|D(6?vj>gOU6wH_(2XyrOh0X{!NM2(5E=i^4+8zl
zDlTx>heVc7-0sE?h)+@(_d$9Y_Y4l>Sf;yU`4~7Hk=6ejfty*=JACP}yu2Ln@_*}~
ztQRjm0B)agwvgV^|H`0%!PEBCVC#t1xd!_GgBHC`{+XQw)Q^ULL#!8H8aOFmf-Hcc
zvjQLsP6q&@YJY3lgSi&3&QFix^YtZGvSMSBgsnKhP+x0{@Z|^t=k~kp0Hydpgq>$p
z(^;eLMHEoL1W`JnDd5mMLg-cLqV(Po5Euao9ccliC|#t82q+yw5kl|1DG9xUH0ix~
zcbs|8x%b?=*8MV{oVBt-^3UE+`8^+SiU)wZ;`E_7aDiew&-kx6O4f+55g{&=S*KXC
z`6qeVfI~2XP)eLvp&)JK5l9MafQ_^EZk<0$(H|C616UO6{d@1&etAklA?g&=DV?2O
zVI~i;%PtM@f0Hdjb%mMJ1Ic_WlLMxRrG)NLb-RXYB`MHfb+5RK!+3E6(zq39t9-%4
zJL6Mw8zqCj;fsi2dh!Y0t?_$~r;1fm9){*;??OJu)IgIAxiEwWYyZY$?yhN@7~2U+
zJfoy3T!_+ikXU!ptCcri{o)`})KW1VceGs}00;VuEQ;POadn>?3?cN04f17c<9d{=
zILt2C%Dp?f>T;!_pgg8OweY10Y@-2(gW92@$OwUChXu;|aHd&TPRMq=?Z4-82~;zh
zej(8e(eR+(mqz~epZmf(wl>DfYqNVgG>rUA>teYXc(R=w?z)++D)S%PU5_X9Sa;Ao
z#HC2{Sg<j8GUct|)6WHVRsCu|nT+1F7X!{|P@@Xs1HflZ3Fqx^%5q^gL8(0n5ZCz1
zH}BCkmzVfXj6N>ls_=B^(<Li>@p2cr#pK~{C-hxm?H&el)MtYuriJo;vlXEo7aXqy
zg$+27Gar#t{QWFL=PdRqg*(Qnh1qY{KP9+-M5ccwCUPZ838VX4*;?gj$WDSh3n!m~
zr{QL1xoXE25T?}ofssBNXr_Vc<Cp_x?X4gTF?Tg%3JBjkqnbSe5UD??wUQYEJL|eD
ztg6YHCrP)=qpA3qK@ImzTRhiodzH5w4H~CR^un{?4=X1s;xwpsDN0xxq|TN$pch~P
zbpf5AXQMT*)u6?qF)k%@WJ+{HEJ5@`5}NJ$Sy)_!a&5>m#=U_pfRtt_;adWrJ%_9x
z4Jk1cI<CUzJ@8^`V|+I(6Y5ShUu}N}@mdhIsFbA*?EuBnN%H3V=U{E{Rcfb`(>>R6
zLG6OA2cF7{JrTH=?WPB$(njtS&|%_n94Y{(*4i!VvoT}VD_@^EG@!IQ>HwjNc*5QZ
z^26AW`e>}=+vG8;?JHit&t^<Tv1*pM>Z&$OKSyo-R6b%Goc3Xd?rv`Pz-zFy))<IQ
z8l^g9aB0L#sBjd`VK30p5{{}c6Q0*a>hQY#9JGp&I8+AVDE+ar3jjWy?{09CVf5VV
z6X9@}XwE#^tePn*u$E)<{_)kx)K!)+{()F%csO7YDCh9nGd6qupF&fM1TzKuDkICi
z*+MIPuichREJVKd)0dRj_$MMUI(vx`b>SAp+M||G<K6$LOz_NP?vC#Q#4X-QZ7?%G
zQ&_gWdY}kLLxCZ-UKNQ!zu2U5*3Kvrg|QT7G@k@7EIgh_RCwFxlRjT&#<0U%7kiOp
z?4hrB)S+)M?-GTz0YUf5G(rX-$lNk7m*R00r|hI$WhO}kHGEz=%N=cx^Q!am_|hao
zSLz)mQU-1nor@}d9z#f%_ayhWO6@GuWi>jW5<iAHC**x0$v7`;G}%n8nkaQYT(t5{
z-?`+*iv#T1O>@0;U&P&iXUv4Hrw&V7?R#2sCnlnJeI*&EZQO;pOkmOG+8p_UW%D-P
z9P2JV7p?BR{kldbucq8}i;`R19ai?%osw<K6`3S-I`lYA9X0lL+oS)Dkc>@CeAw%m
zA1KFYQz0-peAeCZ-`Cmt@e!yq(qqqszq#?}CQeXYuC+<Jl)K<MKp#C2vu+NuEs3ut
ze)VuqE7G;z&2Vs0;{hRP?bZWfFffI%Vp0`v&%KUT8$Mi_8#r(!CqUdQRz!1E>Knlj
zt-_HDyC-VIBK-oyD^Tw8FPw#rF)iGWMOMb^QDU4mknof`Bmlbcq0hLSH2b74KpyU<
zM!pw5!hX|<@tnWfnNo|)+}%cj-G*rjxd>`R--Rcdh^PE^vR)Y^6Z}r)imi(4tGhVn
zI%8z!j`M1Dkymb2mVX4<B5YMrvXTp1#Ko1SW8BK97xh=(MBmh~-vUL)K^feaHjZ3f
z^y4@lNGVj7XDo=;JBCpd2w0iVYn|X4!N0RZgm-a>>~;P0cfn0Uucg<nD~#)`Npr38
zA(OV}9~gkP*CrniTzbR$<|ZHxQ3u~1?XwJ4XYt_GV1a8q9DT(})&WHT;Zx?sh0{Iw
zCH1|XI}N?xmL-sETqFIQzRP&hRNyl1$YyFSG0=O~k0Bk0k^jZ+4fg=7fUf6QPb+<T
zLPw-6Nl+v<2ca$NbR_^Q3NXcsK*Y`W82z8pQM%IGzD~pGc;R_-O=)UNQ-X!;@Ka*+
zO4O-ZvZv8rN#n#BSYay|f76Bz<uutSbsQ^$N}bhV))>y47=kMsn?wI3Qm(qkUSy{p
z!fFL(D{ET)iVXYNVBJ0AVQ|OB5Gt8VHM`Fr0{D-nJ+TBIdAS^mc;<6piQ%=>n^)Zt
zvyFihsE1f)KfM;Y`@41>%VV7VB1>y^*c)v5Y7g)aX2$QVeWmn8($dDU9+qoX^+=zB
zVxOS|<cwD(poF##h!W-k`LuipSGoK(-tXQ{G>aL0A;#-`pzHxzz3({e3^|W*93?_H
zp{KU?PM_0-(JKqAXv20c!o2K+ai3KCO<C2^iW{i%{gH2e!{fDZnv`fY-`yiCzXk87
zI>zkUqxH8e$q!TOPTCCN#jxeT4zcug3K93f>PI}7l8kV2?{Tp9)+jM*8l&h~j`C9l
zTUPM;qLTQuyF=ZF1w?C~#@^gNEXp-)Iz(ZpV_(ekr@HongrRH$eco>r(*f#%^;*eK
zN#MH;F{^GbRgth>xkbgxJIN@D$p9(R<waZ}aspZbzO5L>yp+MdL(tx(7rSz9Yp{vK
z=-nOTgeR8SKNsnA;F_+(#@y<N<f(sJ+M{Bgwu#WxaZAQ6OZ9(3Qz=&jc~0nNlFQjT
zZeUA|M+2iD&?^!A1Xvo4L@*gNs)m|Paz7mUSbD%uZy*-w7Eevbc&#nXNi4}taW(!n
z3}XQQ@u4P2FA&-4NA5*JdyigsWxoXQN4Q@_P|)*<xnwgPKISDW*l4WdblXS9Md!Jn
zZ#LnryHSu9u|*#R$%|zr=Adr5QN%;&pKy3jcPQjm^nOzq+_}%$d~J75VqkYxZ`j%$
zpjaBHw;tlJQ3_WtB^ow+`JkIJL(y%*eJuo6NIZW|PDoE|s3iMcc|&?*!V&wpvwSQ7
zmEsiW5Q)dguz$6Pr?nqDZM~5J8v7=OeV>eLjn+fk2!WUclhVxEG?$uAR7mD+Y)pOW
z*!bw-TL{7DcnNC~)XVJqYWs7^2J_s+_WRAnVWO5X%)@H>ZLmF*liy&Ht-zWXCT>Z*
zC<)<o)6-nEuyD`m=BAMOh(~Ilz3tkUy$^E6{63)A`F1_MEZ2`QD>nDxTM;dj$-%E;
zlLZds;<H>o_pI~`DNR$YC%U~l9Tvdqx={tg(bH?B!)o;M0Zq$9jMzXye4JqQdq+5?
zhl4o()8(mhkgxu<-{mP^>ga^W=vDiVJ`qKQs2a_jf;x$X`rw4zG*b>EZyRSn-&8rT
z2O=swn*x<9)nyn$VRI7OtoK?u3~@iw$wUrH@`|k9Vscs!*?122Eq5~u_uMl%u_UxZ
z(Rh&8)ojNO`P0Im9qB2if`Dz+<c8#o;o7>7;fxVwV4b!=@&$Vz&xJV)RDawNYzp(8
z&L7B4umnfm$3M<`o4JBC20-4O!!UAn#y`v~4t1<t71GsQL$=bgtK?_5vFbM1SXTVz
zi2kgUp18x3(611!oOIN^XD_71&&AD9l;&{Ks8a0z`*JQcm?)(Kl+c@<H-?hhXPZ`w
zwh{?9Ui+4iukuX<@+f8K<Qv*h9;P@&II1VRN|d`_VhmT-0#g@H57xipb9V=%3WDf+
zIXtyaIbV$}lLbGXQlt;e7X%;JSWKr9*@9KBS9;2?Xxy;M&M96)y0gTw`t&!&*om&{
z(~I`!AE_*pYy+Cp$H9{^|KAsK9bxM1?hHI?>(WCzd-O)LG$MTAyN_w%gVdA2#Qn>m
z!W^H6hrp{-q*?wwo05k4^lMHcsGC@MW51EJb*9g`o9#8LqR%!>nLh}=R?M#xq}i5u
z$z5cf_d2`_0Z9G88@1BLRZXfaE_KPes&LWOM<s-tC6sydUlN3oLbVA8SMYdtbH{37
z5vMfPUEWcOBnM>9pUToj`WRoVDC1)kKlnSuZ3L>(e2}ZN+}1cTK-{Sy<}+eoB`J?T
zXk=z+)sF0w$ez-OdXvj2>^1e$cmAV%`p+Prok&v>cgl$QqA-5<YJCi=$L!^*!h7a!
zYynx>xaS(7uj{;$+owL%sS~VgpLo~A6(7k?A$ere&6z*&1Y++SE4Ws;Rmfb(Eod;h
zPe}94R@;`#gaW2YD_Q3;(|V}6e98-*n)fqjxuD9AQ#jy_)Ty#X3}$?c5~yuUFF<H!
zlz#hsgXvvKw~=At3vKzA;0SpYnhhnVvYLIQ6!wPrCR7&mYfKMfKa~rCl1fRjiK<T-
z?+!&dfydsmn#|KIf!D{u*x*@N8m!{va>60F?OdO0ZKb7>@KW6cboS5-5Yq0tqXl>M
z+NR(n_V`2&1<mhm`Fl|tEky-}Yz~vvrG_*`AXML<F*6n`3B2o%bU$5Y`#L4jR6Ua@
z;CX&1&@X2tdWH?$eqc!B3a^8K;LCF#?BsCwj;F%A(I{Gx5GU9_gf-W=EF*R{G|%e!
z9hrxqCCk@p*a`wH===R2Ws>)pvz7t{%@{Tooe0mX;1)0Cy@qdMfd!q`%qN_=ygZKV
z!}H#rmg?sKpX2KvlN|8!stUACzbXDS^MYU{4wLCN)GiC&Y}70#@ps*hrfplBY7QB2
zUX4ZH9ai#zZM3=qKA1sXRhE#RM2;E`qy}5Nnx+$UiyRZ^{`%*!>r^&rzvo}QnGgH$
z<N6toZq2}wLZZbs*)eFcR~zqdq%ER6BF|{?(ab+HpZKeJ&WdOhWH0o}g_Whfl(!@o
zbhJ+#l%qb8QA!DHm?M-T3PXwb#fF51Bh<!kd+$`<q}80ez!w%>wYLb2Xp4M$Ue@mc
z|Ge$;fW?j<DmS|_Z9O+C5W=6c;af~(TAb(nz1C*1zypsg)M3i|P6}mhm<+SKWU=wK
z@Iqi@0-;LcD?0%uC&Z=(ndeE6aqZ5XRvVKePcJeGkC3eD^^cD9FWM`*_&f_h%FNo%
z+AsyvuH9kJhD&V>+Au$VveIX>KT+V=7`*%I-sZS!kdF}azEEmG&7iV=YNrtd&f6GT
zuQuO=lJTMz86<q8Ai-WEN#adKe?+{#+0i<^T``=tsZWDzr{02$l)cV5fUE|MQ0B(i
zr<Yp)?7B?KBMndCx*`)1Nv+i*e_dWop7DjnWG|If*>(dNUNG;DjZvAEy|v2iYn0?t
z(C1LeKXrOL*6Qs`;#PrH=Gs-}7p1@IdWa&yQc_549AVl#Xtun1q`}2_&sE?GDAY5l
zNphVl^|FAz0MSj>?9rPmmgErGY{WEK214$thsaisLC;$kGO9q{!UFWv$ZR!W!*R4K
zNqB);1hIr@le`Ln{fCYd>+82$HF{WF<J2jFqVeo`@i5&*WPrPAQW(dfQ^1MhaPNmd
z6c>*G4J9mxF!9D?{U?OzSmMR7GAYm(Yp(g>zuO}u3Gk&*%5(&nB2Xv#bayaEkL^vh
zJ_9I>=n<~59N4Z7fBvY=WI&w8Ou$J3{do>9+0*9Y2T_3<@GH43sltV!Y^|!#9?@10
zQ7^v#dSp%sv{KZ1!YzKMK!1M&n&mW|9&#74o>t4(Tyt@3MH$tf(y!C|l8bs)8B7Pn
z;9WmJziDj066cn(@<aj~AXG^UyMdAt{wWQO%)PtZ#D_(eJmBc=Ejg^&5bu2-MVjaN
zk622hFYIuQR!~c-Te|MeL`!v1JGL(D^qspZHM>an0Brw9<PWm71cZ(jU=3oDydF6K
zJ4u5IvWd4TJMDhQ`;M#c_RKYo<|PSBeN0$Y%2MhA*UXfHz`U>)^4!vJ#<^@e)pbf+
zX@O82;fj&va<8Vw<jD9eeko`)$?tpqQI$5vSGU-NeptpdK=R5`(?uFza6`k(t$7pM
zO@}(D$dcp5P4e+F<-Nl_y?W99#+>~x55tZK%ce=r>jFIy(r=$BEz}I!>329iDb%#x
zG+-gwO1Tj{P`!@?OEiDa6fB*V95x+M)2?=CLRJm$9$f6&S$iucd-_pKnLhXJY<=o7
zU*+d{Uf&0g7&ca+rzljiun}39@wQXp%oHRi|GAwhM<v@Uf4<*rWP0W84a0Xzt@l%R
zjVSta`M4u*kO+FVIs|PiW)?v6%4p>C#XWugo{WERrgIqIa!pBI^o6Lxp-l3}dOhEz
zB*A@Q)q;w@rJ*bS)Xti%N@8Cplk@Pg!LJhAn}yS$Ac8_xS(hJwOs24~XMktFvor|S
zm$+7GXvAoDJ2zlI7qKI@V#S^o!#SX&DK?EFhKXenW!mFgiuviMu{Q5);-%T9^PWLM
zdc&tvYzFN=smH<?3qA2l`p}ByIS)Z9afr;CSD`vs18$uQPbK9vh9AU;7apc-QHZ_u
zNl1dfedXBb5ncL4kF|aNoAmLaTl)PT8-1*I9H;N$4k_G(sApFV!KjXzKX^2LI8{~7
zbwuxUx%Ux|AUW|xVp$OH?!eA6^#@(u;S#)?2Ruas)}3W3Kg@^aYLrcf7~2`u;>9fj
z$Aa3r$1&F<S-2q^-L)-_r)6z@9?=z>B<g648Z}x;cuDc(gujroh-FyOk0|w2u?D;=
zV|O?=eHa&{E*GSlD-Dnm5yM3g$E_Zg0UOtP{rMx4Wpk(OG((jOjY#pr^v@L!(eDBU
z%c9Ujx=4vnYu|o34Q^Fg8V*}bf3=?PXDNp7j>p>=r4sBc`TlswI$#rvS@ukQ677-k
zV4~e}2CPu<q7t%${H`3_Dy7(7+&wZH?hGR=)g@DKx^H5$&mkIm7$KJMY!uAsp*Dl<
zU5_2&OjD;-##b38B))apC}6@GM7ATY&G+5@GGC+lbX1{rsmsFYaY{{qTCWZAyG}nr
zhbCcl<%Mtg&r{?_PO^7}1rK5rPx)LWtRB4dmChe8XZAtpP1c+0=g=!&soc}=9xq^@
zs`zd`<aG*!A++wvj81{kx39a!e4uZe)SG&g+HJ7F_=dMHfFPP!(xl@hRO{YA{w-%w
z^w6-py7%tffQYla_;fLgvTOM#SL^MlSM-dkb6gSZ9q}f^?WKNcE>Q1YTCOP3LZrkb
z_FLY=m<z#9q$*-gnl90lZASITx?6ny8Twb#vY;c0yrZd!31=TJ)6yQr<!MSFqLoAW
zk{jmbN9zLLnM(=N%};~4js-!IP$%v$Zn=uR5#@9Y8l+lja7-B*D-*ku+l6#e#j5Js
zP7Oy8CEvel`#EIOY$-yi@CU>{Izh#Rj?b0;FXn!41Bvo=(jC#B%2KtSW}(j6!0J3x
z0u1M%Yu1Mc{yFeuy+`ji?-G3&@ZV_D_3{-hw3(_IjjRG~f<PI(&5RtKyDf}iO@-kb
zQ(Xc6(`!wYJ1>`h`4(nTi0^0jwN~!u>`J?sd2w8QeWN0a55ztvOx9ojYKRIX>N_5i
zdMaXGQ#FPXnQECJL)dr-5L28BpYNi~mV1jBp2<MXr!*3T=E5xXl#ZK1()Rk!VtL7w
zx!{+E@WGSl_C6V2^REwKR)Du-;f&r<bYJ6dC`jE-#5s7nP&K6(*xgDdPN5bDGQOUi
zv)kMw-eksI<igw9^$$Y{-uM!XOmnGO=Q6Cw;7FB(Fi&Yu11m;2-)4&2EP%B4w1#g&
zTYU7(^e(nzU*(LY{!CDCq)pUw`-DCriXIzXqnoF8#d@qk*R8wCzE#nSJU3OBPP1Te
zr_(|g#Ogy9)4q%)cIb6xr)y=D-Yq7O))PF#3N^|~bgchyG@y|0R09j|xfKMiyw+$6
z9u=65CSfW43cfr35P69J<gdJ#jg=r-9Bbe$feE$e{rynLZ{#5!Bnx%acteZWQ*n-o
zm8l$oTCez4H+o%O^hU}-pl&XME?$=C0`orJP*tq0O`HS}&<_?Q1ga>ZRAgR+w<b?-
z^)B`3K6S3Ph6|9HlAV3ig3wl4f<zjE9&Z|rOhICiRYYB`o(Igp**K*@CZi1_9w5<Y
zKXT|Jd=^vm#Q_$}I1dgiw(B!Ve8<RlN8dNNIt9x4{x~dIm=cMIlueKU2BwR?AQUvz
zn8wMcT4?1)dKIeXa+lg8)u!&^ESZ0Txy-}}n{I(W<_)faJ5=78kAsofX}Ce0N&ZL0
z{QozQ_{ZAGa{BiF$kWCF2IjL$w~#$i)BP9R-xl9#M(dYsfp#r1aYsa<St@953+>S~
znb_1me7S68!qGPm4(jSJs^>yooP=qI)nUj_RTlP+NvDtNQb2IFXI;U$#gr1^q+!~O
z=|c;Df>lp{`&C}lmnB?}M0-nf?EPS`_+EZ&(CeTQxnWG9VoImZwHiJ0<a>^w0VPeK
z=fdg8U(driiVG&fQ8kT1k0c(i`+t8j(0Um8r;6`HNKY#!52pV>w#F^_e^1W>Q&Ta-
zowjuw3=DwzE>mNkHTHITzLxp&?ZEv(yvUe?Gy#g4!1Cy{EtG4$yT!@Yz`=^)xR2*K
zzuorg?v99qnNrPswB2~6jw|5Ou;BnTWjLgL;<7Bl4Ra+|{No0$Q>m#`G6M)03B4Io
z4Q0Bh*MLkcfVeoo1l8%|hDW;7N9QM^4T{b{t6Ts9I_Gg<kD;LKGsoyJJ?yAX#d}c`
z!%ka)Oe6M;KdD+b1`mc3xKMr?_iKj?;o03D9u1IvP3s<A-tOiozV{!t$kR%}q<`PO
zsPE+<-y^bb`V$mdqOxoA)a->&Wcr)m|Fu_24aZA7m<Md4q>V)Zc}|WYxQ1>dZnMM=
z@G5XXKyfNGFR$4DoyoPF4gMdATuL$Z#w`%MPQ&%)%p2TuKol1j>poWr;{}^^ZzsWB
z`%91rfsxyw9^grax!)FX#6tVk$nm-uR&eMEbItZyPKwN*P#e<QB{$~pu8`dlhR-8e
zzPoO<{EsN^2u7e5|G$#BpS`7#QlOlfpXFYNkyuRwWJ%$Ua<D*^#EOe!6D4_2{E4|u
z&<|4FuHy25*y(QgxdBk*v%Prti%QxU$x}OiU}C%=v#BEdSqwIV*&iNaEjbL|$AmxX
zt1l`Wk53Qvo&%|}cMH+tMIiY*H1V%p^zRl6<8~bYi6m4w$qY7WXA%)W{)x$k;Ee;t
z<S&Ou&s2RD-zxEkJi;d%l`|L%J=TPPCiCCJLqnx~jDdKI$2$u_NipFWi-hJQk=4t0
zzpHA<?+$4DrvFOq&^nKw@s2LdM(CwfIgDO%`d}+OAEr>Q16pky9d4nC7rjz2#^D5f
zj4z$338tf5j;5@w4klF|Z>qj%=q83azGol!$HveJu0nk9INr~dO8XY$K9Q7om{mer
z9$2L^`YloEkanYdcTuW1n^A%j$HEtFa74&Ws(S*TyNAEHV2{xVX2uwu!l<+E9z#gg
zitl6CfRpWb=5TBlri|7e3*m|ys@#br!j9NmK`1?HEML9P?yPA4f{(aJzhQb`Bxsm=
znN9eLEja05=3h4bq9^j#_e?F-tG01odoTg!_{vINcvM`_Wjuo^czVBMYZjdMX*>J2
zh2yH|`t<y@4o?+|NQen>5-t_>6$@C{^t$FuPT>##ePaPIjPl3PiKv(LAw6=2!NL%X
zd%83n#Im1H`yg5oSB9-I$f`#^#)(ZC{y<;74-&EY8>{#7)po3YTpzZmv<lx`b!xXj
zl<lcMT#Ao{4Y&C@Q;ze(k>$aoS=A2TB!B99qWknXr_u|~SbzH(D6=g&>~yT!l<tp}
zo*SHdkYW)CVUFe%jzVstA@)C95a6~>de+1ovC#9u84Fuf*hscm2u4XV!JODB7>iUV
zq89)<>>qnUvT*PH^^VgoOP){bfh#>HW#44D`o~{DXbb)s@QL*@p95`1We@Ome?M#q
z<(X^K9stal@lPh6NYOteA`p@%U;@vy&cU&^Tg&0WRd+j1`}yhp<);fS^fe{vROsi7
z2>d<85*}jEPqwqI-^T$f`D*Z7U0x^UYu9ncd+n_^O+}!TJKsO6KRNW=0Bq*CA0=d;
z&ogh)&ZqR4u~a^2zH84iv$M}ddyjeW6z}G04(v%7J0#!#`~7A=kd|%nBFi4~zFKCc
z5+oW1VSrU?CocAM2feI2;ypP^?@=(PjTf){=-3bJ$ylEG#<<#_lbm@$sJli=gmf;_
zCABwRAz~?_6^xprNk}dNc)8aFAsy(l{!ed2b%K9{V|zZF(o`9v0*SaOcveyC)4T3~
zHWNI<k70HHUgTZWWPtw0&NHsnAGJ>1fa5g(SmxBx=-vi>cFu2LZo3)bF{Lf?&Es2W
zT_LO5`#VK49QfULYhAg8=K_-|s69yRRq}NmdmK1QMGkGnC!jW+<eLqf1AoOZM--_w
zm->{pmJ<XB-&=pb<K$yBiU8GHv;(A;%ywG!4VD#~cGz`#UD~^Ylgv@wIJfBdLcbM5
z*x+gy?TdgqEYS*pQPn{k7s-Qn7^C<=mj_b23f{WJ_QJ+xR*wLJQr{`!?K8?e5yX+v
zp>4&Eheq}rWyq?9zmdi_0>WE#)oKi1*?(oNw_waEem@Sz+62q!1=}B=v7T7^r+CR@
zzf0}5eOt`%lCLZAv7IvQ9_NhYcb7pb{`-)U*0fj~`DbB=-dZf0=#|^$A0wboAl!6x
ztfO&Yw1>oM)l5J-=ab3`KTLjb&bp*MlPkYPU1=))N%>4GUyHn!Slq!ju#T6!8V2!l
zMjq2_+(4VBVQ?AKV_@LnbI{%^QzsnH9O>IZULm0OSBWD%E|<4}EXgU2cf(?!1h&@w
zT(4y~%u|wXoKyodp@t|>--UCvtfpxPogewi1Mh&CHW_0GOn}A+oCy$g+TQqDCW|36
z+4sf>WVwXNJe72hk%0vM;8VducpM=fG)d^BC3KO{$Dliy6r0gRvC=-m@@=}D;8MXw
zg5?%ogEiqvc7j8MSpP%Z$0>IGLlevD_4yrGw4#JHI7?WLx@%095>jn4Zhj;*Z<}Z{
zJsO4m4U7LKeBrK<`q-F}KJ-QlC&2tC=?-j+SFGpju&d;Maz(h1o|Um=c;5S)ZUQ=w
z3!Ib;ti@MQ)5+B_!dsnpm#&i@u2dwPR|yB78%|g)CMb~sJ2kL+Vcn6$T8+NxlJB1`
zE_=;kfggDc!rsep1f~_%$BGgOo|~X@etCNDyST}Y*0m!Se_tyZghmSg{U5(ZZLUE4
zBfE2{^%_3^9DnSf{idKsb2)uNnHCb9vMghC=hgIq4D3<EkGW+2Bk!4XeTl!~G@5gw
zEtN9+X6L+(2n&m#ugZV%Sg*f^Mu8@lU@OW#i~tfceUstR6S(>_-_`vKp(6H-Tv4)m
z0ye77@B40q@jJ5O9R1|wZc-D${?4~7aT14E7Tm10b>#MTe`P_xWYEoE+I6FL7uX60
zpZ-sTmE_tH*mxTxt4JCj(Gr9xi^U4_^8d_BO^z30v<xT%`)bcdpSOrjn2_wpI(v^#
z8}d5KQ0$rYFjJ`R0x|v0j*Z64=8@N4I*|Go$&6+Pp{EKbDVTf2C);ND1gr$^5-M-L
zUN55DJN)>c2<uYaArtYuENc5|LNT#*OMALe(6q30J@jt1;*HwGFMk(?mbEVHqrMjO
z%&!NVLp<Q|WcbHujF)D6yt_b=8hNO`-ALK5>wK+KofVOJ)~hyicnM8Hsu!Qq#||uI
zuVMs!Wyt^1&)ecVYz#avo$+QG9o9)~>Sl?_av;x(F$wP5{UHA|UjfPKQ0~=LduZp7
z$AKF7PMPC`zfz!A%6!iAJjOHm`KH(bDP-2BK4=(I1+QjZ&E2OM9*^f=G_LA<zA$p?
z6nj_1vOH^@B?kQcAmHy{T@tonW1G)*={G!bM9D-0Ml|BW+XTonRIzif0Nmb~Vj?VW
zu`0FGYJN~liT>H$R<yK@>+#DvYyz8TyQ_ggV^~k|(ifztDmZo<Tu1Efj16-(6{ln;
zJS*RbV^w`3l_w%8Nnx6Fdb1w(-9p=$#q_rXg~#Y6-1Bxi>tCf@FrtX*7*eA=VqE^U
zWj3JcYg3#X!Q$wHB?(=UfMEg}_>J81)aAggD<S=^67JE_+_L!Yql{DE-O2mjKN@BH
zqMXS`wf}e8tZVC)X*jlwoh8{58l|>f@>xHqOOJ@%JL8%Zk#%NM2i>`Jm$%w@Gvg<5
z-X^>OmXan<viMgfV+l>fPdQniB#@@=kv%)V126|Z&24-49mJep$%#wX2~$nZn}26F
zVlm=SkX53#fbfpTS6@!l^%D%*d&*=cU~FKeO7>i{)*(rW#kufI{?1gyVh7|wfS99G
z8kfHIWa)KtL(`9=m1QJ|c}-vq+b0vL)Fcz6vf7QeRHDvIC@Qc8I=e*@MHx*&gkcaH
zty^%TocdzJs-khqZ70dIYStQZ$AH|gYHj_meOwzJywv!`y^DTa&R(-3{3)vHOl<@A
zy&O7ttHgEWoo}lkD~9zQfzdHldqJKsjne~_`5Iq{%&+;j;;`tbCbd{LMl@wq+t#Nc
z^9e90kN|o=s2*wHh4g(Sk88(uW*$;3gZqQ_Slj@ZrG7SG&ZrO;?p6-P03Z0yAr}A|
zFMckNwmK<cljz$I4reNERk-}7)v(=6Y+hGDT0{N<4(<n<$}INx`+TfVz)8K3?rlt(
zsjxGg4EP>lK@wulcKI#-m8Hd1@7Nl1o7`o?z87)4nEZ#DOiE9NUYiD}K`Rhf17t2H
zM={d)B&hU+vSF7{o3sm1hHp)L(fFQFE!V@?sX@vAQ+0Suoi><P`lC}a9PziciW6h}
zJ4M=fzJSH|D^rgU_%MPsPmpK*kxkaX7PH+&epFc&q*kO4epoOZ1D^u%2r!n^fuvf|
zZlBexIf$DHH>Dj#&>~QzlV*QFI366ohaZe(ILc$=?^@doCYlG8ZIwF+vx;uN&|fnj
z`x^y6IXX`G{BzQvxpLJLEy)~-3d|%`-$D26y|HH<)hG)rH<m(?M%@ynR<;yz1|$}T
zPRt5FrjBxkspwO%(wT+!S4(8j%Wte7sWCQnE}QR6q(W*bN`fR*nf}PN&dkXTe!ZdA
zGsem(t_?f$4qQ&wFjvH)*1G%D*o-QrK34(C+k&QIynv$H#Cvka4s!yAKZ0ZtdXjc~
zeXNtj?2ws6Ok~3rRI)jFYQVBHOwC@sWmmzgkoz{pRW_HY4)<!4YVMN2&mqF14kT1n
z4-~$84X8OREbLpGL-tGP7u)*eQqb!xzgXH1iw^vp0k4B6d5{KkSEZQpv4gMKQ!9a5
z|JGuzub;Vzw0Ld{7!q0B6nRNgZP3(X4bHz^u}pG*8NRb>i&!!gQwn-a98n=_1T-?D
zW*TDC`3hRRkq4(oTNwzJK729?JW4broyrE&&pI(nXU$9RV#OEy)=dK4{d>&R=Fr?2
zOxSvrw{t_5&oSy3@Z+026kH@-Rnxqbg^V&r3j_^};QFBQ>ACg|vA@+IhfI3uBT0nO
zh&ft6mje9cmUoG)F$keiX7$mlfI%$X5#!Y(CZYi&h}D@taPQhs@cJ@?Xy#toQ*XzZ
zn$oSg=9`tgRwC{JS0MT|64(_!HyyGnz2kwM#W44N7LE7O(_VR|%L+<_N&VDLbnYR4
z@6fAeYO7M`y8qoLE>K9WB3j>9@g)kbze0B{{2}#79u<-a^$sUIm*IrxRH0`v)jvD=
z8Sfc2v!$1f#Dgd<_b>k)Y3#H>x2(iUWZhyo+7iF=<r@S;GP_)E+V)Ot#a_8%Vo2Rq
z*RZWAsRBDQXOGBI6JvE^;8pvHS2O*DJbv4~{*t`SW?jR5Pjq~ke$zRpHzC~blRB!*
zgq%`hR+!meZAgDe`~`p88|P8Pzz80D`+I>rMdCeG#!{7<FTNW(_U)iKVwzabsE*He
z?e4qkW4tcz1ip&NxKz2g0Gnm>yGF!xTM~`K!)j?et2vk0iVmKGsiGL58~Yissf?|&
z)O+X`q?c}IIHA}^50BSj-Uc<LN*m$be3Rrr+&u^)wXcQ3I87+>TRf)5WmB|f`f{wt
zyWzXtEk%&|>^?IoOjvjyIL%a1t7y@)nw%C`2X8Q^-krkV-F@b^sa5nLXi7BkNNZ%P
ztW?X9d?x3P*3*G=-<3$ybBpbqp1&OCRlEm288hrubnOJ&o~_DxZ_UF~6TV57g#QpY
zU6ypzm<0ce+d!YgLX@blzLWZ&2k7*{TN~$Vnn4!|N8VBkpcS;hW$J1?hZoV8Sn7lQ
zW^YcZHEP4B;NCPYe%NslpXJ3GJX8#380xwKLvgA5@2v>-EHKJo$bCBVbd-j02R{k%
zLKN&NVuuIa4(QCG%enWi23fq|M?PC0Ergi7V%0>S@Ak+j!$HG9j)fPX+zm%{L)CAK
zJbht;q{Q_ghl^))n%?AQE!VBIL^0KQ=4^rjag)F%=&q{W^?(LLpDdhbhx7@{3$^6l
zZ@<RfBY+PXhI;??PMwCIMrN3@c!Cd`-XG>J$mvhif}<5ck-aZI*e;n{H;Rc+M+?QU
ztJG>ZsD6NOhz~c_#E=hH-u-+Rx>mp)Yoeh;O>KWRrWnSbf9v%4qUOiL?(l8&RO2vG
zTD>E6(=}!Jt*))5&$nV=Y-3%<%Brfc&QB}2V>O0ld_PXN9tun>d|a(E6l3q<tfiDm
zgYlX*3J1|UKJvN|XBkR5;ToBy`xLVZkMrpMu+Mk>I&Dyh0u}O^ktK?}K#oo~Uk?X+
z$N)6mCg~vI+}fPV$WyBA0mC|LVZS1*;WsiWv)y#_YeclIwoL(dH0TI2NuDbV3{P~+
zZK}Mq$E+773V*JZ*_N}b2+Q46Hh^I%h_kX*e)fBNnu2jZt}8t7)-cZ9oD>$$J`$4`
z-cQ?j2S9+TWh4?0-y_d)HGA5A8TnM0l$wc9hD}{u_HOeyu;7ix%I*fIS2$GN6@=;%
z#rZHZr(nZ)ElmPA7byctp&n2dXe_iJo*n)`Ty<*}?ng*Uqt{JL8Y9*!)+#uE#UHj5
zsCg~^x&|u1%@EOQ-`7J}X;ACYCv2@7nuV&onv-rwpAF|?P|#c{P&aGAzNCDcTvB37
z%@oHk;;hr^QtrEP@V*U6)*^SYR5K^G<03KZu3GnColC7QtPJzylbLt0YUak-!8)b9
zre$yPP*b~6E-bo&a%eBZvX>UH%GdB9bZGf*zhfmw241QchlHxFhd0t4Z}X=TX5E3k
z*gTxg6sdZU{Y8JvX7j=Pj^K6#VY}>`A0c+HK&$x5wJ)He`jDE}%<Ne!M`U;aQp)qF
zjrrD9>MT``Yuwi)CWn2oL}Gw6<B-$ADyxysD=%rstHvnctVI6OSMGW9U+I2C=0y6e
z?16P#Llo2W`Y~pD6x~D94fc@;q2(nx98a_u<3_5P82{ifyI|9R-K&AkJ+X`iq%iVw
zgDu^$*UW=n?ZuNhkmc`CmDr!DO316`nlM{b(d_O|dmE-Li-*iN$)N5*^k;vp50J|u
z4WwJG3}8VPIc;5^)c<JI^O(hw?e0*IL*cv4fH%SQ-sV>>`t(b_pV*6yLJEzYHu1O^
zLMHyx2Su#B%(K{dQz?4UoQ?P?y=wX3<{n;^PSk?|WWL{8S<FDR%%D}8Z{rU3=Gko9
z&jAtDYmu98@27iBq;^s}M`9wo@%gwN7_yguNrEMuj$UNrF3&=}9ush?d1+#D#hZB%
zVc0QoE@qEf-97w@55L}}WVGVr2c74P+K4O;<c}{bSNs4ml{7n}1S54{FA7M?hf{2i
zn8g%^%s-N-AzNR*`?AQPTSQVBm78U0I^9qW$PKfbk5BD1lnLzx-%_NqnC)J2&w5SS
z=cYA#rT-k`{DaK!qL5Mm#91)%9G;Vc`EP=G;NTDm;K6F%jd+i@MI?`w&YtBkA&Rcu
zl6-)}3+pMxo4psEzrJ<De9kukDY?+GMKf*K<q9(Ww^kU{w=-Tsc|~uPB1J_ZuGh_j
zALOCwu+8#tCOSr==2G7{)=i3e8TcGM2gracVWaJuBfStOLaR8`jw~JWFZ;RMJZGJs
zGEUbP1e)6AAHaJ>3Ew&<8JCQF<#KgXPg8hfNmJ6+R*GJLY7x-Jn!pzvrA`jgpHCms
zWmIyRuw@X*FFv5~FTuB0;4Kp^EZE&`@~bqL@-y|nh=OhbF1+l+-9QF3QD0>uWVC!Z
zBI<;O&c5l^;SVtth$fGZm#;paDc9n`wfcg2C%-ho*h|+157MP-pOZ4p<;5UVc>y#V
zqVLLTsrwqmYGyt2*D;}zy?)D@*0it&ita|&4=rcBU1y=B>$OBF-#bExGa%MCJ=B=5
z{Y}a!shzV3e$w*g%-pAdZp37i6O~HzC`CIOd;2VwVm`MZ@R(gn-o6{V23gUxO&Qe~
zFMYTIW*2Wko{Waa{r$-V3OgVZonCwUIoISrSlleOpTE6pb-;2djyMOnxZhmMun};9
z)QuESEZ{?aLF1$RfBTvHj^y+cUSVZT-05wVOI;viCSxOuCgUszF4F2ITv}QIsleD4
zN8xM_3l)5gt8HZ2zWsw=8M*}SkjMYCe?u7XA4)CmGxUG;Z~l;1<PBf`hi!6vJaX6%
z0DANrL#eYYhM@1V>b^P-%aok-S}*JZ8}v^>GGE$Tx^|Fu-I&WsrxxXmSVb?sQ+bD*
zE$2jCN8JeBbO5kw)IhpKEyhH<ZU@E)UIFSKXK9>*ApVac35KBm1;4Uw$aR{#B!x1V
zoyk;(J6Fam44XA}UKVVR@CLRutBYgiHOL8k-s{h!z_rA;3D!qvmmB`pegZ(Js9C;h
zQe+*(J5hSw9KWq%Xi#ghX%7B#CRzpCNnO|*p9_LWihlor+hF^{kv-X4(LJoZH9rL_
zj?tOK2d@h`jr_+Bx`Dq7z<v)AfFu$J9GCL43i4or!!gXHCDq0jXgzmbr!;~RV1YXI
zf-0DN88|DH%~odsrU@gMFSYBqasrAWMSg+xoVFia6>(#HIxWj8hbDKJ(s3YK1mIo(
z$Y--;h7G}5b|1u`v;|kh*o6^OSez|@f32=Ab+PYM1ks{(t!=D$1==46H~BJ9Oqy5i
zEk905jOw(@vcwWzQw%ofFRZB7!`g51ZUB^67kH_0@I$>*U4vra89}%HEZ#BG$Q)e(
zf9(n4f7Ist;N3PluER<4#evl#AbiHCSp@E?W$qjs3^>j<!0<W>RI~M(w}jruH3IZH
zf{-$&I2z?>)E`?4XFq{SpJ$cvL4o4L&_lpdNXKED&FKT<J?r;B^W6V4ga!wu4$%Zx
zAJLa}OflrQ1a2(sSm?~Nx3+-7d6=1sci_Dc2a<XDTf1|j(w)O2n8gPrFEqw}<6yb2
zzxU;vmp51_;*pf4;g;ROX<=>VD_*r^!V{c+;-kCQZJfntwt9$D_rUttGN0{=LGsFn
zm+F9&{Bse<R6DCvN*hbww6~r+>Tnf#Uar_xu0JigeO3&9-*AxY1c@}glu}Os<EkPi
zQZx#yH)g*%F|mi+^mE+2SIkX?V}#@bZd|PJc!*x({x<YFm>Qw-Bc0#;`IAUEUw6CG
zgY`ui>3E@_kN)Q|VsDGM5q0rG1KkCOdxhNCL-hJ5l6tuQyn|VH{DU8EZ3lx%6){Pc
z-Kd01ABt#^h&AfPsXrgM`q%${;AF3wM3*vlWu60iabbZ|51?DL@N{4^2O&>)m}T<>
z0Un61Rg1QOKe_c2ZZP83df!!7avA16@0&2de267b;ds3Un5LCGp7TB%w~0#%tpF*b
z3p5v~2r!<}7ILGORGtghL)opSOG>~--!&~tNFi9WknsF4ekJ4F!hcWM7mVQr9buFC
zEMFtz?k7?q%qd*~vp-B!H0k(J*cgLG8L$>ZAEX7_zJ43N=-ARTiaycvN#AQGXccI#
z2di=|evG%)ZV1bl7*{&#Z*Six+0yFZS*If>p3aW+jmKO0j35%RC|B$(r*@z5R(h{i
z!jiptls@)dVk2A)t8rN>m*S(<;kj)#@~QN$aGA$PcE@oNM?32fH3<cGJS~so?KyKP
zSI-#7qL<xRVsDf4dC_Rwo5$~k9R4yCf4Dy=Cntg9_8v^?C37(6(<^%3L$k!dK@Z(E
z#l0u#hoz&e_gjLMIrB~->H06ZiO%B<D6c2Wr|ehHhWzvqWmq}(%sRPitj57Hq%rwK
zVcE``;}t*l?26GzR$7MPzCOn0e8oSqyll+Ee$^A=o}W`u|C-16as=l@Q5CP1TNqQC
zB=BVkLWQm419KUY`IW7<?Vww4s0Eq@CCP=?LXL@IUVTUi3>39s)9xd?-WX|_t`{KW
zn3=KC_Kb(5;L#`2?7oHXj8m*u?b?sY(zf-kc3*L|8P0yxbV;(o0HD^-C3mjKUCHbP
zgW829Q9jJgX4?Ju-q)pdunJHSVZovI$Bzh4cx#zm82_G=2+d9Ow`II~eN}Z&kAqxz
zRen3Ox6IK1lE}R`&Fr&Q9s^KSLXXq?s#)t^-4kw_Mvh}giok}s49tSjFC|mqvJjRK
za@tlAR>+<TwuM8F_nO;t5Kf9IHM2cIVU)pYA2wESm^3!r2BzHr^l|B@a6iC5a!f)Y
zlCMS|Wl=t9x;D?ud5Q8!77pblJAWi)Uj9p=iTPZ}?1Z&1v`VYIWH)O%cZ|fRM$Zm^
z<KxX0BfzViliG%MuZ6$;p=02k^i22pmlpj$Pq3`we}14Qni`?zpG?lBe-I>)C{j!F
z$6C>_XI(e301_B+kZ*L8K=kjZ`We!Xcuh?N71pzK=rpKUuQ!KN1T${NVS*&nn`Sti
z?LlSn^<eOzC&2dzz5?%Mrwpbx3)rf2SjXFW@jXxLhy7R1oqaRuU|Cgz5;K{kvU|ol
z&KBLF^dp?E%pAsj0bUV<mM7g`KiMyik<dKQZEjZ?98M4>m4Lwc$i7t{dLnThHqDGj
z8Z71*1IiLo;a$%i;y{O!-6ffQIiJt{RyWWAgLY>(QV%~nN;shCxnKJvuROGG`89g@
zzS;qnu~<Q^m%fJ3B)~=ya_A(gzUrVYCpm0n%&*J;oPN;m9e^wKs{ZS~L!nUNH9TiY
zf)IUPz4jpFb&Y0R(ETM<_WX_DJoBJO1c?PK)5&a4$>@}-kzN(ZEKfbY%oRGnl>RrQ
zPz6gUzp9;mJg4DG_#69KzEDDP?LY^zML@3?Nu<<7W*lX}TwBTJd;<V%jKqAe=&9p(
z_QeT}BdeY1l2!#jD0(Mv_jLp!%0}ys2Tk8?Cd<;Vc3=It7=Q8~{MeN@*4X1$`P69>
zUrTA5M+pkpjVgl^sh@j=kR=KTWB-eTXJ?iIrm%xh(u(ibyQ6kl)Hc{i^_MyXEnB(C
z&!LZ;(rU)@W`8J)PqHu4)0%Uj*X;>Yne2q$v+X?>(s(+oXs91raKz}{Jz8!v{eS$B
zD-AJ9LUJxnUKQ{3h)q~}`cq$JO;_>Tb|l7Ekw+c-Iv&<nd%A3f^cv(C(wGD{(~`v$
z2|}{;?D)20TeP`1@mchf3op(v&|AaP82w;`c0yYFb8XQbWVsKyh((ZE9Kkg%c=s_*
zue+&G${#DT+gW>3R&r!@dDigTdpmj|;o5SD-Ik~txn6hh=ErH?gnjTx23OQOlAU1H
zJUh@$%lSP2&it2i35E2&-cOiT@90k^yqk$$uX)3;UG8|_`L-%TH%k(Xk1EVu4G}4Q
z1@PVG=wgQG9SGy|LSo^m>0$ZF?6$SE8E5S}r@6q_YA1?U%Bw9?bL#K~NP7$g+P1xB
z4Hy~Hy^0~b@|PDCMjWGu78=t@`Z_MTFcwK0-*9xI*avqAE*^Ax6OifnMsn!i(}7av
zoK)I7YJr@vB-GyU4xlFSIfkKq2|CcfFSa1~$u^C%>BoA?w$35v@3zu6>_jFGvuw?2
zsG5_0BIae#O=7R<EtpN>mLJ()g=MiclaKtyMpq+k?@v%mpFVi)=|X|%`EhkRfyD9R
zsm$KmzH9jmJZ~e2ZU^;vIOFj0QS|31;g6rGp(3(hKU3Fw^Hh|%z*k&JwG^#euU?}j
zSW0we5P5xFyQlPlY$F&<pe!2l%0+q+F>L8(I8&Sj+-M*oK1^5j_NOmqWi<WHwu{uX
zS~1Y42q9hUTC+3Ik2C%K_}Uh|s;Ec0@6gx=eQu;L(QE5EBEv`NeVsg8A=&3+>b{vK
zSUJ4@`wTV$*PMPIyx0vRb&^sU6SH&Gc76y+HTN#p*TSMB8vB=;2s_>rnt-Qb9S7N%
zGO_*DdDa<WHHqmALf4mEh*ajqAG?|N^Xa*-HoX^pB;tN&BH_S=jeDc#gaVvB_KISd
zI~%GVMDoPIJqh^_5?+?DIcez+s3IrCDaem{M(6%>I8|(j2FQiKeosUsaMafG<eB_;
zMDi#=`k^N;ez8vsg?uvrcCq2mUDhhO$j(_12G3BR1}PrUCEq<{%HwNXNCRMOA}Hn%
z_-|HVfsJUr#BL~S@a=W^AzVO|gvilQ^#f(|A`1}-uM=-dQjv``&2WzLjvH-Ex~RmI
znxppy7#nHrHpxjUEE+F<)3^Tdhc%QO!)02$TXHVobcemA`qHu%gzfHwlZImjcT&i!
z4}9#4Xn@OkTFGkud`(?^^Uj*e#uS;HKIkIy(bd+KznB{DZb%Qrqcy!(?7lsPF`tcm
zmEil#5XFEb_oM(DTf;Yo47J23&jux=iI`dsK~ufzrLgn#2Q=_4y1?s(UduIpHC3?*
zCnBp={tZs~cfqV`3}urSF;Oa@CXw3TkK$Cw^3c%Ew|(&XUb+h|zF1+@DKK}ZNl9?q
zaUR}H_I9XW4y73DyFeO_%pxbS_iUTH`*d_6r#OgyyLZ?02ZbzB=c7mUtB<&6FLE>F
zzb06&#<cwz5X<q}U^*WBIANWX76;yO5qRnHlmfcvhL+9Rce&TtmVLg%lZyZmR$1u8
zLy$5P`T-zK9|kJ1L7dJEBT3uvmJz4TadqdvB%cS0qW)g$wmMk*(d0n7Lo^_P9ylC#
zD7I=0z?(A~7O)?F(ZmvMNov9?iQ`;VzZO+Rjx6m_g@v0{0OvHs*K?N1@vTY!im$f#
zrXcf%(tdNxtu3)02ZPB<Qiu#((9(NhwW<Ra2PVi~73PFn_ALzL{^(Fj-~KR$!*)I5
z(9@4oKda%MPQ<O$A1*e~JH#HrQ@tlj;=2fA)w>g1QkL86!D@$YPXQ8D6W8&gc9Wue
z9gJ<?tYlW-H~_Ge>oJPMEeGa1mX>R@l}iRFI1@_SLv<hvj_vo`eN8{&sCSJ)tntN%
z4nkRywHwo!*c8*<Mjq?>z5X-?+K(o9m5fewDyMdGz+7M`(%tPw#N!KB@&>L)`rL+{
zajFi>`+)rvV*9cMcBvx&(J!X0O)a4XZU@)Eyh_3O`onF{997BlIY^j&h=hI2bfc}*
z+1TR8FxX?i?I4Dyl}L}^%Ei1-(Kn~}zq>Md2|N$;hScDWbyyQH<8H-Au66C>M=*jq
zXDoyy^Zd*NWp3x4qQ(Pf47ILe|BLnQ@84T#<>^Z{iC{$fl?(<CY?w0{J;&l5TbYAJ
zO(+IbPR3p|ztPH1?%H8d+_*EXun)KsuWpdbyug;w=btDoj=5u8nH(=Ib%Q?uOeDYR
zPFoQXoE4ta)+Zb-M-|b7FCHu0&*ZfDc0o@`Pwr0ZC9c`73}L1r?)dwcLvbBNWx1K@
zHQ_@hD`ty&z$7zgj0ouPOFfK^4f9-T)0&-xr<TvmFZeztGF)WiVE~JrrUfjO=J*>X
zI-S7=ZK?!w7iUMr_DTV5HjCzinSnC1^7~6v-SKXgRjAdi?|1v#EU_I9E2zi4+3IAH
z!YsdV<8X@^?i+pnt*WDs7(DdBDW53FE1Lb0<U@i9rup5B-7+4|m+(0k_(6i{u;O`k
z4C=~yYm@t<l$Fo<Y(GgYSb04!yEOc=@b)P#*BdT5uyQC7)R5HWPRxC)h)S7Fmo4dk
zud45DrmsS|p|nt2RjbC@zaZD%gKi8P7~d>(wCB#Y1hX^~=wP}z0_R3R?jRuh{A26s
zJ$mGGqN*L#!dsSC<L^S}en5!lqJ#l{h;g5aNH06a8tia>o^H{53L{cQhDmz{6Jvv3
zxf*yK51h#a3htDCM)@K&{xrq9Qgr$SpUX=~!pxaH$dGju45sS}be!EvEY^=|kddc>
zgNh#tSTqv@_eyW9W|EM!uHe9?Dkm|Js|*Zw$dRst07f*>^S<g$r7=psA5=|~iESrn
zza_p8$r8BA(m}l#Cw6l&+&x%XUa7>l@mp}0EZm6lJXck}%9m5eIdb^^e^i=%_j@)k
z*cgeJvf8r9EQq&Q7wbZi+<$!55hLLjlhAoqdfY&ZGO@+|c`D|#z@K(o@2u>f#yVUp
zkJ5;#o4Ngw6b9~fCG=ZpgSoVHEIpYxg@+~d2zuEo`Ju{nA*XwK)GUibSQ=h_<U>&x
zd8b%O-X5I`@HX#DMJhf^QJi*hFhKZ=ho`S(eI(>jtwgx;6Qm-@l72f1c$NfEvSHGG
zxWf7Sh{@;Pxwm$U`ms3F{u49?XH#9!<ilq?Y=wmp(IV+R5Add)iDdh(Ho1V!-jpnA
zW)_&KTqp^t#cjqCMp@>``1}2Y2&<ZxoK|GQviF%YLk9SWJShA%WKTWsUU{9*!-ntL
zf6ZXn;pBQZW~1}<b~vFU4H3f6G_g-@yZp<L>WGb(zrJXU=k}$8(D(cD;(L18{pJwE
z4p#JVfc;OR#OZcAZ-A^ssdmbr%iWXb-7o3);1OQl`Bm%iTH--inG5<TE1MG;Cpc%_
z<sL+TE^ej2Lbdjv^;9CJ{r=uWv;g@||MUb^G5%|YEhqWGQph(w8n75~91?5Ou?LfH
zRn9rty(Jk;DSyX%g?Y=gcieWK<mxa`{o`;U@Rq2NP_t&SX|vWFM7*H;95cjN#?*~f
zvWDhCZIsCwI+(bCw?w+td98=AqZ}$Z^5zkn>-gC{C#gzvab~D6%SM5HhkYgYUyzO0
zX7Y5UvEYZ5hmB%dL-{;A)fXEgSZws|FI5S}V9SQ3pcw$*Wohm4zTMUE8#$1t#nMtM
z<V&ww{_yMus5~0CAOdVz5bWKAF1^^&+NVwv-H<D;Bv&T^TA6Hjc28Ms=YO&F*I`k0
z-~TuaBB8V(-6*JZ*8tKWB?jFo4bm+Q5+fj8N-L6sbaxNkozmU)+jINA@6Y$SuIC@U
z81c+L=j^@q+H1X{y7e|BcESSCBWZOMYUZsgLYv;k^7l!bpUiAij~~(DVf}zHr}{aq
z3l=?~@!lkMig1?^QGl%J#D1dONll#azkXeAwH_a6*J~7QbfK)Bm24Sk<a-Rm)k0eB
zxUgC#kw<r1PRMX{>m)e6H)OHb^3>;=vG6>_{SQ!aLx}DnmO;tQz`sqpdk1->fFr_|
z$hU{k6bFuYera{fgy#u3)MobrUP`_RP(5Pc!BvP{)V?osyBrmU_jw`YJfgD8LmnU7
z*XRQ7=m>BjB!lFhDKFJ)g9!$cU3XlYe;*wUtsZpHWi1_i?tH~Baud<)j}TJ&=le5+
z05lGvN4=Sm+o}L@W~)0MS^@eJ3jb*Pj2$W@^RiU^$q4hyWlB5z*QBv~?g>D=%SR)s
z57!+I*Px<@bLWwi;n<M^WQ4jvH6WU)u#(PGN))$Q<nH<?22m~L>s1wZhXOagl_bkT
zxuhE&U8Z4BpQ$Spr2jjXKf-?y9&xngOnBY>f?K~<0H_<6DxX75$Lak?U`oc|u-*^!
zUMLB(Yxw+;yjrmN?l+aP`C^3Ug=6&keVAfa65PmI0h&VvL9^plz?2PKOR`S(p9d|O
z-hO}6)ZK(`APq$M#ngcSVUN@870|7;{QM_G7C|UvM3e$~tZG&9`Ts77iMhY1L6$|z
z%(cfIZ1=tlrcyZoOE)Jcp^O-1bQ+t**pPEn3fuKZk;HiuGMXCO37V}OK6B4=Q{GH!
zraga~^X_PE7}(74!sVy;di;+NJ_q|$YD2~yS+NhOay_+sXt0`1enQr@ohMBUW;>|k
zf5)Pqd)X&7S?wGVO-~;Z<(>f{4$QZ=_!Pby7Ygg5D_<mjt`{d@KNt_Dp6<=PY9&y{
zDz5~E#}+|@qqONCZ*zm3{JFDN<^P#m2$K>(o4~W~I^G!e|Kb1)WbZGcBV*u&)^<<~
zmm*;KNs>*>cpczJgCkl7$!u_UJQOW5ait4D=|ee5;0|c)U@s=_qt{N`BXp9l5;yxj
z*c9=4{I8>whgz#@sY{8@r@UokWIh7aZ4f)&Cf@e9XS0Z^@VWZqEA<2%+r7G#)XbEQ
zjuM~?>|c?!-p4nOwRbOqmNF~CAr$J8O-Ghge1?Fg)|$nz7eIdf>QU(HnDe9vJF+a{
zqaG92FY`3aM5t3uJU{@3zc^b-R3H30-rHWG%r@oPZgC4RD26v|edT_`_IDor_uj-_
zbK6z|-IS6S#|W)(F~S-|O<2&7pqYWnA>xroFa9YgOUG;@>fJzRHQ$dk?c-W@=$}CL
zw)j1Ka>a0zp-uq>WnR1+kjg&3MHoqTHTt5oRJqaA(>6yD5sX`)Cez|Lh+v9S0)=!S
zuo?1U$&`y$2e`@WokOjAPtnA)S0{68m_1jz0!B+uPZK(xIw4(6UStJ2)#@N5IKQwG
zaF!4(t%8R_F;>EK`V^}>+EHKmsB&d|dWvQ?q+9r8km2uIb@$uR?H!2+0%IArB|y9O
z{+?_O?=+$Am7p6}i11o?TNp7Th^?3h^!gk+Q?=X&KT!e%Ab3YF6MpaG|3HX1{Zt=+
zOPEcrf?X16zA!QEK~hdeKw#Y@R7&~<y&3lWaD;a3rp#tZT(TW@2mr2%K{%92z{~Et
z;QO>gEl?psI4J(KdoU6PC?oH8+LrV%8{IJWzY1R|0fh7lIE59C(f=K5xf$?}1Kl6E
zFM7ISXnEj9e;*Q5P!xO81DTF@QKtgLgQv=n14%rd0}`n}_jBawoylDHIUZM4yk(f3
zAQoDF9?ED|;Ky)}>TS_*z!Edw<Ab=9;qikqE40%=nq)dSq2pK|K{RKZQ0&G^oas^X
zZ>Ip&%@$jqtLgns6g^vhVl9no4Lr#m?XdZBTxyY8P3ZsTM%v#st=x1)v7-~%7qrpf
zIx<=FWH?8k{<=W7PB6;|0pD6;)Q#Xpooa~rD<c>YV)}MNam5ntcMf@x<f+@zaklUI
zMjcg;A7hqV1RWJ`4;Kuho46lx)Vpu#gp5Bu=BCWxv@A4#p)_IYbO;<^F*nK`!iu3N
zZF)vU<EDQje;L<5{fgt~c=P8V4n!+1nv_7BC(4X-&JU#=a}JYe0@Tg)5==EYnn~^y
z6`JXxMMm^%8YBwnyipI}Rfv<U!ed5C1tA&r-%ymrx{y4xw+nKaXWKpWY_pBrrgN}P
zj?*Z*oM1lxT1SuM5<9GpDUWB^=^}Ba3R1ZcJWXpsUcdZFGK5%+Dx6ulwMj_+2PQ@$
z0x^CfoH+47B}P!HUSl0|2V>S0mk9P?{fez@`CytEZus{tPo@4ph8TrEuL(d(MDR<i
zqWtjxjK`@E<vU3}P$~Rkywa&+@bIH;pm|YGJe&O3ujh<!5E6QSx52?#s|rJgw>7uh
zaFOKRq!YMea*$da+~>BaWsk4^KzUJ=I{17D5SR`d*!D+@bn$cAqu{FhH4RraUC(np
zxi8{<szho#3TqZp&49exYppl}lTsjR{1l-vF6&d9){fBA21-;kRcCYQj0ihill;8L
zB3PVu3ys~Hd%(N)M~MkI8BtAqUH^rPeb7XqXh8J8H-$O<+iVRqs)^=;Pa|wSGtK=N
z#K!^FG|}^BOU=d2Ha<5zK>*kmtRQsN_vQ_!_wH`X_s-lwAcz4cnL<`tHbo2tf&$qN
z;(9y#!~GTqOQKS;$6PGCz-Uvo+-h~a;nwL8h^w8v;)uEFpgj9-F`1x`ku^P?nRxZ<
z8sYg+JgZ*qXr2f4bZwc=C*qhG@3^~$-)%o?2&5i&X}()wyyLIB+D&)*AvAJ?Fmbtt
z3y%8>7u@EKUTC(U_(VRa$~q%RKW|w<7d<!VG=eSG`GM1A{;v~VaFVTivuAt%AHSP_
zmPvK;&Lzsrd0<D;5=<@vK(CA_XjpkxJ6<&RZw{z^IGHinLe#EB*HhplEK3K!-{*Wq
zh=|0p$d!VHjSA-o5cJ1oK+@CQvBAp%d?UXv<G{V(`9JdK;LVYaZ9SIN!p@jq45p^K
z&(V!Gh$YKqj-cZE@uT<6$#{-DD2D-QLSnzlU_9%kIneY=X4Wcaz6O3pnEf3v%qZMJ
z$HnILeEUY~n?du%afjo<23Q0mow-a(1^1hJw`Tf#^v&$6@B?MxlaaXjVI~htT-@SO
zV8n+%)Xxd@!trq2Bsv*q|2OjhuQ1i>OpojC0P2$hx%@-lrFVCt7yF1C|0CFN^r9QC
zdm3bIsyEtKJm#-#{Nl-ILKeh=7#By?eCl3^&~{Fgz)W@GvB<djt!%%RmEno_k>M5X
zn58Q-`N07y=W951gQYsUWG@f`4?5N$VQ{8%#h>4voS$Q0F0QOUjO}R_>8WX|o{uaT
zYBmtk3w}!7DwQHd;m|uc9bi&^u|(WJQcl2X+(y3M7m3~gogd7Ud4Fov!_h$jYx73&
zR}aT#R7gkwq_VpJuaJlk`-!T@SBA1ZKoZrTBytuMsNQzj)F@&(9erlHE$OL_#pIQP
z`3Ccw!P6*jwS+&@LN@UYfBI75Qytt_q-RBGrqNr0L!SDa!tNd}(RUC9t``aE#bXTL
z*Co28w=vX`^tkWYZ_Trwepj_(saNxYIbQpaudA@eSvL%L0?6H-+OjE%?EB&dIPq^}
z&C83N{D8f%Ozp6%PhD;)T|WP99j|vAYlma-=Jde%ZyZ6u1SWRd6e_n0?-YQe1@V1f
z&V6L)&FM6of?^vNju`SHs%=yH^-4d@!oopdNWiD&cXNB*XC6%s+qt53OacI(_JVd5
z=6zGW0w9<9zp|Hy#m__3d~Vm*-=8upQknzDT&$~FVlp6TM*beZL$VYwb7{7XUUAY~
zC#av~`dlW`FeegIxHg4VsupNIKD{t+!;o0hF>6k8YtIhk0;Z(;xtwXaB0d4i8VPuT
z*3#i5RHrJuZU=NzOR;8)3p=v>6M>%7B02oaZi#`Dm{C|NSO&xKw7j`k2+^S7vnW;n
zyR2bJ<!z;UT@P!O&b#dRTWg>_mCVw~I9>dhx2I(j`|U0ECZtI79C~*S?T%9_=D5dL
zgtPDW)Go4asj*uhRMQO7(N(-|F0sKdpFw<P@mW`0Tk$CuDRh1G_o;E;bcbC^Q-ov{
z1U)~RzXjQ??d@8$@nD7&tu?z*`?2wAcWf5|Cps4P@=vQ}qMf=;wYkznWUBY|vQRUy
z3cPxSFt#neIp|2wqY`r2oms)XT^RZK?8V=$6WC({%!T0P8Jii-Tv6ymkbdC#0dSyo
zJg__VT%o^X3;~-{`yMbzX}L397`_*x7Q(p}cnWkzpUhv)6)gHB5tGs3G-rp#hmeQl
zg?yy&-}iqV7*BmY-QXp9eb1iOI59+8+qK{AeBjX@t)v3o9!1!|YOV-DJu!5`=JZAL
zI<Bqk7z?wNk)f_iZHOB~<D-56ooVsuIYYRG?aRBx#6$3in{swM@cQu*+asobZ(Kp<
zB+9Tx;z6mh!h+3;&|}vfPXr(LV5RKr!#!td?$&+;EpoyXFYdu8gF2#ahG9>y@R3r3
z6mJe-e~7F?i>*!)J@L_iB$=MeX;MHafr~r<(p)O31Q_U6>FdLPc~(4J%3`H^5lP1L
z0-`OJ#kR~-<$3XW0b3VJ17H)PiU={XZr#6|9Bt6t0Syw8^kX?mv3CI<&_VHIv6aAw
zZv!;lbzM$A;YG;|-kLtb<l@jhKh*ue9Fh>C&TvR;M|Yh-Orx95aR1&ke(!c&lKFPS
z-K~z~3;&JtHN}p*30N_eEV+3vJ(Dg`PB|>qe4HUcEM<=w!+$@#thBLk!m2BpFR32B
zocksoRarGBE!pe*C5}O^Z!Xh4I;y6IGY>}9-0h=X1<8TRTI?aCdzn7AOiKn+PU8Ho
zC_WqVsYRHL(_htSNi-Ibsh^eB+KJH7Qp+p}e^28ctg2a*FkYcniGo~js^Q*;D?;qU
z&PR*9V<E=_Elsc)kNCHYBA0_PEsh^WBZPy{k$}_DuU~(KcER$mO9ojj1Q6^Hd|$`~
zSc;~l_RH;n$NLCVT;pC8dKB9CybnoESj||5Pw7m^TCFpl(rD9pmh4mS8%lfyh+;2s
z{<t7@JLb=rAiy8krKL;v3%Cx_22H+MYhj6qe#|yOJU!V?Xvvn)cF})0MSoM0@L4t}
z6{~+WAzOal>QV$oofeu^H3sFSwK$l%Z%e(YPt_V~_Jpdo_7xJ_E6LaQB_$0YX!sG&
zeU8-oGGzHpnlK6RSi_oOxF(Z_Ka^8buMguJu;|jEVRslIZYPzGX?}UHajoAki85bu
zm2(E?`AN{gY2ocAiGpEaB-IM)1E1yhVlkIC!@U5;V!8NToUHaI@}AP5_PP5FHs1^$
zBwV8q&>y?glyVf4<9ZXha;xuvOY@KIuC=TfrB^m}Cu4Z5i{m{2W~&nszmG94p=l**
z{-mHF;Fvp!kyesX*iCq_Ki0g*9YtzKU&wD~*(0K3m)7e!+$;50eZc5^?V$~79MuwA
zM$OeDQ0Is4X!b&O%7*>U7D1{N5%(YwBj8pz@|3Eb4lnEcgWRAH=0Oguh>d_%_hT3_
z+s}tu7>^aIP@5&~I0ql?qb);*J}eP0fdU;h=D|HigNq_nf+8prcEGT$*VeSyiuk~i
zdOvNd$@T#A;Zhrn(02fW@`K<sin^ylk*_0Y<tZ+KP{}ePdAGQ*D^y&yX%j(#OLjwz
zdYVg8mKzAu+JGyQW&!-A<}<UL`CKo>)U!@HSwnf?A!cs%*?Lk*I8)n-dXWIyv3Ukc
z5|6rJ&mbOqKZ1|&3fxwa7E4--s9(-7KYEqy>tn{SS5@|W6{2oH-q3jJ`l8Css{P)o
z1Kg>ecsP>D4|-qa3}0e8;ulW6$`hhBY~!Qm)Afs|k@K6Y2td^4A;KN|ACQoPys(Gx
zwo%pQ&-`jE?i<7A)>N0dM1*Yb;%qBIXnBH2Lh!ok;1fy>1%R(~0WDW5V5-v0BijP1
zD-<G!ZMU#~!Tg?l6%0{pJc?Z5NIoUC0u*zf`pHaY@0V>$TjJVj^%P;<nIX0AD<!U;
zl?PSkr``E2U--T-SBnJv!G7IgSvO~C0IZw8M?_9HrDc$gdr>*#RsqO%3(B@;m*rdc
zXw})h?@`6yI{_UkV7+Toeg?2s49JU)x~nTj!W!l;5uUsgv;}N~A10($RU~!YfS7<L
zsdMHD@Hg#tW-=W*S5B+-z~gkQFoYGmFijC>B;E__G#YlnH%bEzG<FJHG&=waRp{PK
zD@#j3>Zsb8ulU=fyD<G;crdxHK?t4hwfKaDl^DsrQx0ru-;iQ;{`QVo)b-m1bWtp9
zrr{`oV8>`(%pRMuf+tM6LuWmDw?8$dJ^9-O-QrFOl+I-*I%F*HhD%>c9_jkj8WFO|
z^|#%&8VzS?mEi7|@)(p8oxi9I>}if~G~&R^BL*n~wHnl)4p%9}I<#0R)lg_--AK3`
z3M#23WA%1QRkVVdH!Kg~dM?bokJF9{sEW_c4_bpOb)Yw7sJ=smQh<gmf)Owg!hSvO
zbEDQ|c?1lYu&7y4M37o}<3ulFU@>k--UR(8!@U=NRbG@{py~CqgX_e5?3WJ?(4Pfn
zI-()&j?ttE5!9mfQx}=Tu7IU%T}73Sb+w^D?L1*H+RvH#^1kqvu_zD{F!*Ga+E80e
z`m%VI2#o+MWLZ!`sL{jdA6e|Uf-fRdtLLfZyaUIJ%hvLmp8Qy*2)?j&b2;}^6-M03
zu!{x$ewFQ)b#72RiXXVun6_1yNw#G49!0%C82>bThn<1)&`b`@`rZq9mL=qiW?kNd
z7OJl*q|Y2`Q+KqxQ;_4b`{Hx4vHBuSdgw8C*+!82!?vP)cM@nH1$PLVSRKp(Yj&N@
z4}jt@zY^m*3AO9z5%UBZIRJ|J;kerNshjmH<u@Z~JRciuxdH#d{+77myp4S;<c4`B
z2IA)RAfN4^Wk{M9B9DuCk*T*2U|p(_&lvLA24yEA=4w87XGT>IbQhBs053|D|6h3=
z+bh(?K(=_$>VwvVXrPG`HdD|&z6bpvjDd=v<i|sofN;qHGDl@NzZR3@3!sOnrm<C5
z3o2nhQrEbFoSxRjc-=rrCVj`SIYH|mLOM+y`?kkjfS^w-=#4=0jOGud`3*;%-udDz
zN)hW27HSEOxEXYm)3P{Hne`>Tj|eMmcZf#Dpo-@ZsdrsiTI3gOgqX9@Uq`V?z7OMK
zv37JfnszNc?7l>_W^X%AL*;s?%_V9Td)UmAK-&<Z=WMZ_0v(KkmK6^j#-d&ru>a{1
zgy)oC3u~-DLdPY+lAJE{Y(K&2ox@Thsm&VY2suho3r6UQS#PE{n35Q;=}_+|X}akX
z97<0bGD(^*yr=ROrPgcVb-mzf?5|dGC$~>?YZTYXsBb@+oXQ2KUiOi<n`pXkdykQ=
zj7}OiDV@?T{dJhFHh%>2fHt%pWa78h{c&L~1KITK+5U)OWA(&ZkY$fT@X%H}CCI4q
zzM3;NO{JDu_D>-fmtAa474mH(&oO*O9oU`7H(cWV{)ft7<l`)Xi2XFm$*)S<e3l+M
zmb!Yy=LEovn`Wo_WTX5D-@;QU)>-+;xf`Z2cvBx$FR3D=;F*%{q!&<n@+9JX>Uf-|
zbv4RmR<mx&6Y~ssMLd{K?zCX4qa5Bf55k@9{K+J>8YQDb8RWioZ`>@unL#gNjEnY?
z^AhO`o?^g{ZdaQ_RF_uMK@pnU<=KtgZN3=Lhkt*2Vq;iTGbel9n%;!vPa{}w)E+Je
z#K`f`AY;$7hC3T^ii9GMbfX;Y-2D2gQq%~YdqG(y86l|9Duo`?bPQ%XF&bV<hkg{!
z(^Pq)TRpI<XlsGl+0$)!(xU(udjHeXRFy-?l&nP0#e<HEENpT-V*5vY=K8aOT|fu$
zA}bYA-0$|%tSUCuaH*9m#aCz!-IY|I?Pb=!F8S#z3@WO}P5uxogA09kQ76bL5pwq@
z&VKjvcvY%^EnzzKQnVb76{rJ3c-a`F`mqHYcA_PvPek3E5+M7R7(M70hWahun+SHZ
z`i_FG8%=nWOQG0dsCpX`6-V#s+xG2sh?S(*#*SUx6@>mC>B?Yh0rxMP1?0}Ek`BDr
zws=G(m{%HR``8$UYu2rXboLr~E?H2A8z(rAbaf}Dc#xZFM^W83VS4Dc1p9Yk8=|tn
zINr?%&AB?%BbY}ShM~f%0^>tcRCq6jrq1ass&=uhEbKcr3ga_)v$5QGGke{#m4tUb
z04ZPrZV(QhfN)UK&w-&iW2y0rtucB${+WLR@3IDZoGKIUcK>ggTO(Oa69-^d09151
zfhNF6d1)Toq8w(jHHMS9)6*iz=S^1?H|{sY=M&cX%{FCe4+h6U?M^brpqq0qvWz_J
z1MYrS_KfDLN{!Xzw4ztG6w|_N6O$@)(XSJ4lB~f*({G(GNv_;|!*J+RKcHb!$OPN2
zbQb8@<PIy!Br{H7U0#1{cxI*lT1@5<Ez+M5&I!|nMx+$>jga9IV>=rZM>HHqE7Fxx
zQL1kenv4w?Xg&doNi2G&PtqAr!TG$^+FyDaIP+vphM{Yuk-4$w(c(bRAPjRk*j6C~
zduZQU;1^gcC7AwhY;W*HC{H-`9S%)Vq(cJHhnhw1&#C|79_seD#zH!X4C!GDs_vv|
zO;=7MDb8*~4}gD)D_i`Xs7ide$<Dh(sk0KsO~=h~&H-f8HXUl-<UsaUGHpsGoVE;-
zW6}LPIQ>`B0?GzeO;$;5&HSsyfx;>qE(V_M&F@!0I6HO!g14qPU5xLfbE*Lt7*>6J
zx0401R#=TchR39NYHB^F{=nPDWvu9-%EY?k=4Vi5vbtTb8S@RB0Pto*Aj$Z=7kz%!
z9d$#y8XN_+^L&q-<N7ety-x9<ftHxxKVQAp)yu%x#2fe1NuJsJaMgQTtCbF!VghD%
zXLKIL%U$kyWEHWH`?PbKmygU1w33a@<>|NPOwJBn7hN;+aK_&f7xR?SZA)(@;&}lo
zur*fd*Q5TcBZY&&o$dHM21z)~v~Oxa#S37{J$6a~j^|6i^C!kzS1Mg#AMt(IHesAf
z`S%9@P?U5n86f2EcWRYn9QEwXWd<wprizaNkSz+w=SbJ2kb!58e_#*{*f;v#tBODO
zlXFp1r%kbUdm8oq#QILg_2#A6%aC!xvRR0@vHM#xTlHT`C-Abn0ekW0E92!uS(K(g
zWF!=U&3pcl69jRG6=f>uLsoIBRJ<6^-N%W|7d%DJGk?j-&wc7c+sg{8?tD3h+YMf!
zZV-iX{UlUf%9Fvy1T3a?=WHvtk$WhurVqq~k;_Q{BK?Fu=o-Cys*t*n$ETp3hMA_5
zRJ+H#SrV3Kf@CxIs<9>ITuh3dhD2Rmy8;0N|6RZrMPNWnBtNv^E}6ws5_nV!*(Iym
z)sj<5ej}OISIoAPDZKylq<*yf%8TBBcrx6wM-=O2C9gpt{s&AqM!{yHQ)AjxG^Z$|
zU(D)xVH~HQI`z!V2l{DxN5xeqCfJG;yK7twe6}gr=7dCxAe#l4SrzXM_%gvFjQ?9e
zFZj0HOY;f&8#e1kidJwO4#id7w|1mN97bi>#p(|pN^$)GW6A~~s)Lq>VP&q%6=9g_
zDVSq|zP92U$)16NA~Do|6^~~WnXmA`ng?s-;MYO9yuTO5mB#rYQe;JwFy`<jDSs^f
z99~KZtv{)^o9N@!u*wAKB*wR@ZtNJ($r@FZWrbFkaut`5TNc{UVzAy>2`iFtB&$H>
zBy=g;Sy!T}ZS13|52bGUYeYP6ry@94RhTAzC<t#A=o6q-12<Avr-dG#%_8c}2;xZh
zspO8rt2wOk2Yx6!_*AN8jBb7mr)yJOC8$jq;T<|G<6cb9E#7v&Hs)$Jp~k#e8D*%~
zHH{ii<8l8R>Jmd%g^!XR*iU0&X%#oDwg49YBagZ_(gFVbaWb0JKSF*L7o@%d>V@j?
zqh970Q0dKP7+hq!^l$FtG^N@*<F?MBSq7$eHhO$oa}NFC*JLG1Oz||gp#<Wnx|Zjs
zNDJ|~3%p;%w<V63Yr%t+<U~s}M;VZQF7!#(KlcPJL(0YJgJNgvR!Jwr1Z9nBAKCsY
zzCV9w;~lW**nLCg=2{Z8;pF;@9YdDBZ<;qB!XIQ*P}u59JB&sfboS2VU=OVfIkcnI
z0j7a?fFo+%{zso6>~<O6K<s_zl?s@%yaq4yJ!j8&Wyw)=lBr&~y&dCFc%QWkO8%@A
zJ#6cx5nH~OD8GUC*Y~gP;9?_P?u#g%2Tsb<ZM=oka}S*trn>#MdJF3`f2>y961kQp
zBN-F^e*XK7F^pR*th(za@YwD16ij;eEFwV1n9H)La-F0vX-Dk5)o3G<)+;N<k~OT<
zTFeT@xe}<T!>FKl7oKsrAhNZWUv8(&f_SLnOf5mun;?*+mfs`^pm2i%gE0E=kjFzo
ze^;A@J~T+|sULo-*d32TD;?XT!RKY>YL1*YYEQzN*R%!0G@4UWmC?C~N*agSJt7Pj
zKleYoNAh-eNU{L31X;!=%#A9eA3DEw$9v+c_x2j~O?k)g0JA4rj)*RbeWcy~qx~x*
zkE_y8t_@J3IW<Y`xP>k86t-IGT9;Rehx&FqQWTh?b2#QE_a;6yMNHONX_$^0?7P8A
zi#b`UMWzzV4qt}kP_es8196a^GPOb@Dx`hULdFB9d94EzIpJ?Qi%cyHmtWYvUE`w~
z`Oa?gH$OS|gu$(1o%=2XJAWI|y(6u8taBzkbpl;5TGg<vizpJnEvIL5+o`bKtL<Cj
zeOiA?vqd%d2Z+6lm|3=zc0*lD>p=l3cl557_bF7<I!=|C8H<XpohrcoyblrSc~>Tx
zBZcbk2v43K%GR7+)Mm$q!pX;xaPPr3ZB(@6>W42MeR*7tUm-VVgE&93tg2Y*d@z}a
z7(pa#|8%!Tq?A7+WcZk^zD<VkGg$aHxy2<+P?o*$mPBQHb}EghRNC6hiE9UHj3INM
z<`7-Of6DUH&oM4NU4wBc<vKx!Xb|Ub8z20ml^XkM4Akbp00;8uN^m8r_Au5`w2ow7
z={N4N?BCx74oTo@)dL6@@4r`@jrhm*=YK^w&=41UE6fEISW8$zp+0|UQV^qedl=t!
zb2hK1VM*0@+6w`qXDw>Yo|On~vO~Zq7j~Hsct8*hERfhd3r35*0D2fb;0%sMDah@%
zUD6SKcja?uJ7HrW0+iznraJ)QYo&$y*6v(<83CnRk)XbO9e;jZC8D4XGgah7Ko3CT
z`y&S((a|=(Jl>$y_6bjI0FWx<CO=dIAFPc9Pu+VW2r+Q$mLTlKEek|TS)EwiYQ7Vp
zZTQb^NxBSwF<V1u7u*Swih6q<A|Qzz(7-#Zqt<oq7yxK4Ib<UzK!UyG1|5v+p8YWP
zkUt+L>hEs%?r`o=-^=nn?;ysXv=wKda9!{n<!1y^P|e|D+Q0zZ6py0eYIctSLExPB
z(gZTtuC&o!tzB+bMtVe9iwN@9FY8qq(MuJK^<dF!13V^{em0+ro-SbLN-@+UQhu{-
zCYqn}AIu8?G0xsrB!se`68jtwcL6(Uy~!Z}DBPU&JnA!8Y#`p_k8|)|ck#{zzT2Kl
z1nIJo{7WI-Q{@XhpZSbQfh$w26@bwq^a25|tQ44X&|F7Q3YC{WO$I27`z7|EqSh6H
zPhUOJbN)w0Gzp7@ou&%BEdO<5tmdb>NeD+8=k*B$y~hg_u#|SeA*+~0@fSCqtRfx@
zChz{flZ2beKcJXvpPkeP36I-G8!Smqy=2fQ<MS|BpM_*p>Pr&v*hg4qC`-n8T09~!
z8oADV!qLuRKkiBPKstf}nqHG<FSh*ovq}_3Cml_GV=)}7<$6zRm}iW8_Uu%rl51hl
zD=n?6?!B5?>Q6zZ%XhK=%*_waK609Z;&FF4mGBgZ|II0O%@5X+=dW`pP5ZiCNyaHi
z?g@-#%M)7`FKg~LCCHHku7T&r2Y3o)S|s7FBu5CX_61pPFi*HD=G^m7YCXYYqK^pk
zN5?I{GwV+=zeCyc0ol{EM+cPJ7P|O6w28oIrObSIo5Q6j({{f8R0E3-%0>7Ht$lcN
z(_(9ul(+OS*~nly6PGF;;01XAf;xfcCxb8T9}*Qr*PhFuIY74P&A*Eatk=&{W9_}*
zBnj_duXI1L5JIP?3MN5<3#?Ok%%w~8k@6y7(l9`rNtlG0B?AwS={b3lfcLWOe>jSs
z%q8B=qyhl*Z>nf;d@q_THIcXDCi8hF;2?J?(Utn0z@JW{%WFAPw0EY@dLt;oh|m$O
zWB;{7cp%A(%%E>I>j&v>GPz2r7SQDl4P9LuAI9vAjApWT9My&)O7|oN+(h8Z_42G$
zPnh6J|Ie5o%Bi+1VA<L{<HBrW)~Ox=^=gSzK3#v3RltP%0B`X_#oXoycLkD&c_*K>
z%dHaYs4#l;R&wz6A>p9_GhBhDSSyW=L-7HGj)n<-hNl+K1cH>-pslbdDQ8Z%7ltoU
z!!t+(IIMz#lZ^hfG7%WjI=s8&Z+Sr;Bo*EQkQ&o3u!7FGdQ*yr#7KHg1oay~g*yZb
z?kn5?RePI=nw9qxuy_AOEb$P-s8|ky<vEZxSo%OoIGS&RflqNVXpRnFZz%ix<hv$a
zo>t_WHHLcu0lKEasVXLe!<8=HUU7*8fNYA7pr?Ym`kNYc-e1dYb?v~jr>^B#4u^`^
zgb1`tn0*Q7!dP+&Ju`|HV42lUWWC|Y<8(}+U9qjd$Ptc<1SHlO5vB*N0=0Rs`Gx-%
zR1tCd8IcAq*Byul+XEl5Y+WIO>|dlv8JL)u`atE{uTGPm`ix`#iS&RqYRk{N^A1r>
zi5F?#<?JPD4su$#9@)0D*B=aG$DXbC8hdwvu647!C}-B3FaFmn_TqBec@ciit((s4
z6cRy=Z=K5H>?ChFMhu^=YCs5p#aE>JQEdBSTI_w*;Erz_Lntj)@7(|Iabc)ny$Zsm
z)+M-BQqa&yMDSsM8Q>Vv21&>Os_s^h9-C%aUYc)#Nl%=!D{mN*VhVpr8nIb9p}T7}
z*gUrP*Jc0L{0FmJ%+P49(tcUtY<G5Ntk%uJBfQPgrfQW4bR6AlplXXC25;M<&&AtB
zDyZ@{Ecjt6#4!BE`R;1X8O(qNUr+a$qmus|j@Sl^I}zq;|LkxX6JO(EV|7Tcm3lzb
zv?5N^fSE=BSGBZMlq1l^<O0(5#p^ZBI~I|Go6l-q_I-W+wikqE1t^v9_7{snr<MT?
znvmFr$&P2A?FnuB0di|JDCX<X(9l9WxPhQgRqp>HJ3|bkM^h33dhT~icOoCY1cSpf
zL3I^!^#B0c|KaQqHmX13sE@I#+f2jU{4X2>u~0%3jO&nIQ`pS)Mn^xonh#!F`Dft&
z`y&cBG&qskaX>5wtX)&!WX4|Se!{6!?N}1jb9ngC!y5!7XA@fpcYc2U&i-K(z0A}F
z2cvSD)%tjVh}Y!=`zhGc96D)(C))flWLf~O$?!@X@z>w$6DGH|D-i89(M<k$%V=4=
zJzY`6^GYe1x3532%I(M$rr&fA2H+iu05+Wn4CS@xR{>tZ1!gh&f*dVBF&(Ir<mfec
z=V(>fjL~#`UIT|nPGFk;qmJP@CjybuLT8lozi$dLjB(|0peEWD0LB<QbRxYTAjqJg
z^&q35B_t)0)nE)D<}z11AiFiC_}pHMbt0f1wW`fJFzM6}Kp9r{#f$o1^ZyP!#PG{-
zN+Q^C%3C_pfk(Z2kV2!YfY+sCjbD{*=l!58gbvlIZcqW{{}YTP-<0y2a+XoRdq}xV
z5kV4N#!{Fwna7f7+e;3x{&oa9z)Ck#6Jrbqyl`Ru|9Y~B8NbnGks#3C4X`Z(hz$f-
z1(w((@Jn}rUdRx)_0-4=Xp%WoDd^iM24!;Pu7PHhSsjmWn=b%aG7Bl(#A(@-99f%&
z1p!yd*7*IwJfjYrAMVv|c27L=!V;JHx8GBDu+|)7dH>h6o2D9@>2mK^P-PYcs<gcT
zY0wA0%TVo!SxI_#_p7bI(7{K0^1${xfK<rYYPJeM*r(q2C<|^p8Ls#8I08I@WPnth
zvV=*s19;+jbZKd+A9J|s`}gK?%o=3d*)k3Y#od2i&of>D79?(qk!KFTq7lub-4p0@
zt%2nM3%dejQS>#ibjmuQLc9E2#+`T$K*=@{lw${QR9t|Ix%?X7hhv<U=90Acav0(8
zf_<!VW8iz;kHSKn$T9R~<T(YfodqOvuEs9p;fWK*>(;rWHXNFP6s)P}`2XKZ?QIUk
z-1)pB?0(D+CVT=SAKCeG0KkbII8L6Ra=YzB0;#Z?G{lYv=47FOKaiNpL_p8b4)@H<
z%fs@v7Gka4zbEv>8@L8?*Lj>p&hW$OWGRK5xe<A$of(TnFb)rZyJqtQTpopiS^6Ce
zS7M*ZXY7{-!SyR;C#Tc50sqCgi!U)81Z(hgTQEIM<5+J#@*B?Ad+ofIxy2>t?Ijb^
z*bW};TLhA5?0XG&^_25zY;EkOk>oB}UeKhZqypYG)Vkg3tzN)uF%`}LGMF}LUZ+(H
z{hF>mL90fcEMGYs0FiucDa^-W`0=vc_dnAWPyx`WwWcc2)uEzzEN;aX5Ro{4v#YUo
zJgf{G_ABPGoons|ly`p1UZ4=%3-$4gGM}whtXrn}zqQu>YAiqTDu6h&v2i?0E=I6O
zs+Nx!P`^_OP;vVW2OS);t3KRt9zowb^m65!COYu`VlS{Pzi-CXa<%A0I+wt94A8?R
z(%k@9GeU+G!<umLUjKaGs~5l<jjEk@$SCl|36pUs1*d+n0ab2dXAb}z_T%~u=zh<(
z<QiC-8oSZI0~Xb2IrhJ?OtPM^%tgSYo6zB8RBe1(eLt7>kEV`^jZQ_QXU)go8>YO;
zsyXc`?@NXhnA6Rwv-_X=zMs&j?VM*fMR1gzpSlDMz&;Cwk=t8S05K)@7>1is$oT@w
z8t8VEN(@t~>D>r<r0f9Hc{%vWRlnLn+XcXlwQQM!%0Q8sZRdi0Mwx$CWEWrD^JJp7
zs{3nv5zgtRzZye(zqq?ghZrTdLGyitWCgm+zdLWpOqW}Nn?#Ix!UY>IGf$1G+I<hb
zp>`_{o$`0dYDpECk*$dJGSV07*27XUv3S%QcG1oB8}nuxB)(4V;%oTW@Wd{52O<%}
z)zb$A-bQL}2nW_}b|)gmW|GM|4;Kdj=S>8_u<<g>@qS>9$??O1I?*Unpq({srN3^!
zIqWp;WNUnyc9C!HT;>QQ0I148Q6(5!r1d-xo*r%K>6sU`2|2filQum*(5EpG83ukV
zlYz-N{0m6KwQgKowsW2yw_haM69|+cT~yQp9|Lp_NQ$)X&Z#`GN+eV@XnumKz9}&K
z`AHmvXE?ox%ayxJ%46Z9g+^*v4^U>wAk{@oG*Yt^gWRiywD<X{)-Z#$kyL<DFFE)o
zvg|(q`sV(y|K9THcJcD<Y5o-6^;FVL{up`#XUmeXt0Cv!dXe`DQ_TYY@%H3!3fMMI
zT?GHs0(lCqv58QQXaQ-LsUN{S5F85r;$4b`Nlgt66E!chKki^dQ2<HjcGVO1l$d?6
z!n|ul-42Zr9m9!vIYb?2W2OpL1soLng!UA85Xrbi8;3fWn!VRY>37BJ>}$Xybw~vG
zfFZ8|R#_Rq^R3_gPOD7OtNNIo$ZwwkR5YH8{Q-%enD9Pu8#M}!pSNp?0E>NWET0^-
z>1`+O77f;?ABHE!FesJ=^#P;CCIl{|iS*x%h0eoyL9W-r?@o)rhk>jX%WJCK+7kHd
z(h1c<wAkMWk|foGf$A5H)xb(io5AU`jf@VEU&puY4)^zu_}QZ`7tQ3Q+8B;D^MC8+
zf^7(PH(hRRB<Q?tEONc?FNoU%b{04&|MWZV&UDqcAfr=!sFMoBi@?Q723-E{l&T``
z$G)b(u$Ko{`1rM5IX{A)ekvgYvflzR*cYavfA_$1i;@;Hu6Y~Pd8Caa)uVF<gIDtM
zeE>gWCJm*sKGSGj0*B406a8Ld2;0HFBYRfr<KR@WN4PzJ2HA&0E_ybzH=b<Cg@g6I
zZKeKdmkY%8N^rb4>N`JJw-}_RCF8i-=9*EmZXzTe*S!jUmpU{YPU>KnI=)sOaA~zW
z^G~wiOosj6lOuLkH(IkUs7{Q1n%y)PZ?_#8*M(&R=H&0YM3+MV1WZfy*ab#hzr)M|
zn*JnWV+oiQR%b#*e)h`>nD&wgb*#uxdl{cmZUm)3$@%&LfOBWe!Qt{4YOQWVrQA;m
zFaf77BENL&x^cK%=Hh>;M!Nhwnrk&W0_XtlWInZI5ij>?Bk_=S<Rdd2a^8{tD7T|N
zzVQN^{&KrTx|*d6y*t6@mG0AGbpf<7t`MO4-lX#1;Dr!_KO8b$^DD3GZAkjfMXnf{
zs58|JiNCz@cdqOEJW}<<YOZ#&H%(Y*f@=+^f^Y;=xqm1=d#Vj{-kH*869B%hRg{HZ
zKp=c7wnIaG9WXOtEqxp3HIKUhZ2jHQgb`E=<yi}y!%w=vw7&|#=>~uT`}o%GbTO^>
z?m!m%-YVk!BrXa#iSS-<PgZl@R|W58#<gq}A`P}p(iDQe!PD;&&8NynsEq0rX(jC!
z{d)o)sA=rUZ-&A}?`l6d7)$#yt^u*;zR!=DdO^%K>F(+A=lX9!JAcKZ7J*DZe?pFG
zIc97N=_MlisgJ>sA8tEY`jlUj8p6rpE^^dsEX0<AC(eBzB&QF(S8=J?q8lMKiQlM%
z0WW2Tkg{UlyJl1F-zVorYh+4hVPWwLKjv;jpG1(-=@vL`OT1Q9jXQB9R(bdSeG))%
zqIqm|8TT50PX{EIX27iIfB>JpH4xw*^#8XxSJ5K&yltd1tH~k9?TIFC%P|OlwD9QY
zsB?9QVlt<Pw)i6>hM-=ME^&d7rH<?J?-=O*Nl*hiL!bO#G8`ga+QN$T<lpcQzGb51
z3xc)t-zOzHuMhjrcN`Kx>Fd9bm-1T<V&Z%Ls~91EyTt4Nc4NdZ8rHl-Bw_#kuU2PY
z#7X79PeOM5{FsqO?29B6)^8%YSv-!*uae`uO;we=#(sI<nbhcg&~)6hc2E6Sa#OeP
zom`=<6u!L|)UF&1a%b2g>@F$RR@i8)-;=NMpQ~a^#Sj%JHaIXO48>XZX2{rbZLNC~
zrr=LUi<oJfP92k5@UkRYt|?v?Oui|h{oN4!T<Fwu_?H(k%wj6c^dRPrT$|;e(LR(K
zADri;45BpFbbQXmqxCb)G}l6O1!;IWWVo-pBArLC_SV&|jJ+7?^~U+4i5l9K#_-2=
z@0|HFA2a96OO2dSR(}N;j?T{5PpeNGWpIO>oo{u0K^I)TYfkz8LJuXNEy_GPr*}c-
zgTHg%hm3n4D%s^2gvbYv)w%Gb%21h19aASg`g+zIr?}-Wgcy<v7Q24=24CyDLTy7q
zY|$A<(G|%nl`{7hGT3Q@ZE~bXBu93^bmGs^9zP+;@8I?Z-xZ$E<TwR?M^E~^8m5pw
z%*Mr&oZnj-e`hcTzZiHI%Z6L{_Y`_DWV3I_wQ#+qP~l&1t+_ig?)|b5_IBs&WTeE~
zw6DW9F=_MXLS*ycN#n8t-1ZJ?K5TY2Qf|2^8#;RSuuTHSx3ZfUid=LDZeH_*;_H+=
zs>&m>5?$ESliXG-ZSJ1ls;iGM^MjeGWh$@!+GfpAWQqA}^jm$^`jfI*s6S5Ur=uc8
zVV7^S^OYaUFOK`=A9<MJR2>>z`CP^_PTyU;NybsrqBmvc;W1VG*>b!=DO%C4mfj><
zHG7+W(Lp_R*A`Hwezt*bdh6AI9oZ@Y!M|>UD{$9P+=-el(pQ-FGRdq*$&AmUOwQ?H
z?BD)@7^ZlQ7ax!dSPAJTTx>U47IY|G$P_WYipeUwnyTlWF{P}TzEKQYSHGawxlB35
zgn7>$7aY#d!pysB%Su(AUD(^350xs~t@OB>W+ZU-!lrfv=_cf<I-c+gJbUMAu+;3b
zA)~R)yCw-+SR}_(<sIs(OOGS5U%OqsTRk!8WLtO5HM?S6{1{!PxIj4ztESpl^k9BP
zlsP2&YL|8c)^cwCWo6FM`kN2ytNs>i(km91U0WZahfzfr;`N8DO!H}0B0kqj9=-9x
z;i2B%PYbR}4F;qtl1^(P*x#=*DaZ}4<(MbqJU_{5wfZq*ELzUHH_>OMS>6~I;{=<>
z-Tm1HN5|;k!#VU{FL1r-Qcnzdl`OunlH{UuxUFZ@a=K-ci;J|EY)LAMF1;#7JZIHo
zpy=fE%G%0Mwe}z@QFMc^>2U_f;&?&g3X;Z0LBpaLAB#BU3o|j3%luco?(T2$9KL-q
zU}&;k=JPxaHGi)<t*aulh$P{qktZlRUCytd&WBNvy)jk%toc&$(JW8uEgEYi)4W@~
zz8h(z+0bbrEiD`S0O70g&=(Gc1;5k}+=RUv#k}8~U2wJpS3B+$6~PM5&oWV2pq>3n
zGTwaIDBQ3sR!=>frg(|Xz)F$s@=cevHrV$EJ)f9}>%AI(L-Xgnn!KODN7e$j2=8>f
zgkb~K#JW*lN_W}jb0+Iw6;zX=hu&%C9_!`(n6tWz=YGy(X<BQtV{RbyUS#{a&!JCA
zCPk$PDphs9)R+4(4(@8Y1~Fr34i<}QHv>~Fp_`2e-7Ng3kE7ondt7?(mzNpWQTtI}
z&H9cdlMxx!eFjRMQ&GWDm0f~u(yL^n#Fwvw=HH*==vWJ4<<0(>Gz|W=xT6C7I#8xu
zN4!@dERLM@{aeOd)OURCgQ;azG_Ed#H+kD=I<8>_NKp>F_1<<AKi|fx9<iDL?`G7X
z$PXN}tj|zb)7ZChm5G^I9-?+XKFHjCW<6T2#9_O=kgDkUTp4F5?mBlc3;!D4W`t=0
z3GwI7RH(U(Z=dM8p=$6dQxb7_I_@(0=Dj(Qs8dA*f%I)E^itQ3A<c6r!XrnAyIlmg
z>SJkJiQ$TbHo5F2m-T~H4(4@xYtrtgi<Q`cG48pv*oi9NNQ{o{4zOIl=3Qya{Cxc_
z3~7<qdU~*Y^qIY4QUy0iSB({3MNQW_kE#YKpqtBScR^Kau$113bV7r+@4rchCm$!5
zbvqG0OQ>Z$BTg#637$H>yABndt}IA8jixl9Cu5Y`Qq_}L(cJBN;u2_KS<aYOv+;zF
zaAi1+@4BaKsw#c<d}oWkt?~B(m$yrGqSFy-&d1R=9u$*eL7yqp`Oj&zVl4=?udbWe
zA`8tr6~==C#oC8YP(C6HG_$|?<6eFCBYpxmlr_zBKl2x_>X&$4ui*P0(^OM3$?MOn
z^3>~#mGqq2g&U|(=AhDTWBwzkf1Cm&NSu?Z?{$eBc44SasmDYAB(YLEY)DjjOguE{
z>?MQ;1&ELa>7d(NOqIWVrS}{&GV8eO9c8iG&a0zIlm_LIweMHV?$@kWX^Rke8&%xb
z)OznA9^;JV{;I3bg2Kd<u9IOt71HWKDa&<L!%=3F4uPM}w!Ay#v;@NRD@|Xu?*@A@
z@<)pbkaB6AO$wh3UFml#zIP<=YnMt-x;VR=BjcDn|2s85Dkn@<+>{mCe}jq9$K%v;
z%27PJ7sgB8AkbdrSoshGnS~I8Y>uj*>9Mju4|PML#WyzYEz`Pq!3BZ396|XV7wTA!
zv<Un|XnO%k>QzvCm(lkZ`1QQO4KJBp&x71!bz@BXtkLJt$M-&GANkh>`J&~!FIN{V
zjj7WVeUWdlH}8GzEvu~Mg2pevRNfTIO}{ha(84)M@~yD_n_gb&1WBkRib@7AYl^u^
z(2=8GieYRPOJ<DZ)Z)Q-!b^MkGlTHjHQ~gL+%Lb<&+K1O|ByY&dTV`r%-4JTV4h>|
zZlzfBY2nZ27f$3vo{zLCaW8xiKR;rM9;~%gt`URV-VChyOmeJG3UCYUI8?s>MtXZc
z-0^uCt(KKX{VTzxQ>+WFb$I+#Bnx>1xqKQvwAg!O0584RChiAz7@eFbjn)AC;?FAz
zOw=7VcmE=-bHP_e0fYSE1HHzgAFR#=`N=Q-j8S%>Go~BB>+?K~8@^w@o@|BDzN9|8
zqW+WZ>3Wa~<&TR{G@r!8oxpB(ODhm&ex4cx<tgy+>bq^%4;?p~MgKA)LLam3tr+n;
z*NH^1`cxZvVUpxi=7*t-*wMR(QcCR#wJZfL5)Z>2>Kcx?uC8Lp;T7a|y`;O9W7wEb
z|9<4%qKyFl?br?3%~XvK>;rM-Hq_f*59SinwMFN6-_^%6#JMok!tbM^LiuZLCuZWc
z1@k<+oKd^xa}5{Ld_}8Ec17+i!;aPrj_P(ohUfScf1IVT6RK-(c?s?b@#e3$F6uSF
zt!*b<mZ<K+gvZYfcAPKfH~aC|^VSdAg11~N_B}uhtTsCgobtVX?|tBwx=2IaNl@>;
z7!{8rxO;o#%C~zI`YM;b7Ut8hOx};Y*t+UK_-=&N#=E)%KQ2=aM&z_E>o7;@8t0SR
z0OwIUJy-U|huhtDG&%L><5#Ag;dc14>!jQ)+kbp{?WwWk4k6)eV|?K4ey<^lZzXd7
z=5Twcebt<Q@7l||#w9!kmzo^v>oLBHy00CiQue1jZ1RG9zQW+j-fzD?y<E6G%@itj
zUTw9E?uaBCZ#VU+fm&o;U$iiV(bujD-ZrhA@3>BJd$e45a4`MS`^w2iy`=m8$JHTL
zt);{6?4!c?86)_C%`C2Hfs#^7=|=PZJb4>7YGhIW;=aLpCcI>?dh|~aMH72aZdd<u
zy=83f=f`2aem*lF5>A7@bEga2MQ9w&|H#QIGynP4F`RVYf2+Wr1!rlKJoM%g>-uJ2
zKt_A2@>nscV-imdoyZ@=h8)tveDvNg`M2iS&t6W&1UZMil?yeWy|Og@vzN|Yb9-&0
zwJT-t5^eB-4yn{!3iG)MJiaTB6RPl$+GKvz+?!m^Yk8B&ILzVN<*Y`qC9uzHvAjL_
z$a{99zovNbv9`LmR+mq%%uD{1yu&}sx&9svm6b2~y>1-5LB-a9EBuQ=_M$ty$!VAB
z3<obe*DOX_WTeEC!f4rrL{#|3RWfiZm-wQ$-G29A*v}}%Ar-(0E(gm$Rkn4N;99dQ
zp=vMZ8s+dZV{OF!pvF_X{fvEi@ABE)$JXhN)$dF_R)vtZE-X9hy;l1|`$g%lYU)UN
z^s|{f$P$GYl8CB}?Q1>5UI!<vm5idmMI)rc#1(o}_{r7lwkPJ0Q2NqGaWd2^9bJas
z?c5d*(X^B=(2J(#S>XeygKDAVCm46Ld;D7AErH~*>vG!$at042bIy?0x+wNr$Q6QV
zGq=6ve$MMU_qyh1RvFwvYHn=kclJC>oE!A{JqSq#r*USOCVHSL;fa!skyW^jALRV_
zokcdc-Kj#fllu>q*OqmvHtUG}>9r(W`<b{D-t6^?znv=mooYrC*`_>iv`&`MsQD@>
zVd!1(3jz#w39|kArk#X)64|K_RL!IWRzzx5g|_WKv9Qm`U-FN;_*CAf<f{+2D>Sd^
z*AnhvD~_yOf32?~$=}~joc_$DtLY^5OgMv8x0j{)n!xep^G?DSFTdMSx*4OkMLs@C
zEnN|XM&@Uloavs<HnSdROQhN1wrFdk_lVIir={XP6ZX{UD$8q4x~qT722G_klz$&M
zi@qMw)=oTU7Yr@SGFb6q&xqmWeyt6~8q|Lp^_^e)mJ=(Ty^HHG^%@E5YF9gYu_+*!
zv-9_igh-U0oc=Bm8Ai}fW!0K1A4Jy8r@2LOzRj2RC53~%!_kZOE@Xpf+gAJ!jtA{8
z0@gD`M^g5e2_G!|8Df}y{aA+K0z<+TYv<dwKsJ6Nz259VqJo6n7xbXB%EK_^&(*XF
z+5#@6z`u<%RqHU`vAYAt{#HO4eZyB=S-UE|@@?=($gBYM%Ajz1-&r?COcu7nLjx6J
z<I9joGJ+Zwb3cL$;`uvjP9UeX1yi`Zhtt>%;)RvCd1@QIHH*#x^Cyi))*1^U-7QPG
zcZNkQ_XBzief#{@VMwoCZ*9iQIS6xFsL*pZ<8QX>aqXoUq7>&key2}Hvs#xwwRh6z
zXw<(REK)ArLCI9h(0{fZ-9^xc-T-OG@pu&2vf<iEVS@a{-wBpG8oQIV6KuIY2<%ZJ
zIf=&by{-jYgt^{owOsI10+Gk^Am^y9p$+^p<UfJCvqPgz0n}qL$eH=nXy@%o&nTxx
zn^>9Wpk|qDTqaWQl6RXO;RnI2GQ#xcWP#}tm92p+7OvdwsC*|6;mg9>T06m*_D-Zn
z_l1Pf2h2I5O%A<ff>H__SVE(h*%vt%u{;q8IOhpU=^*qoGN<ot_)IW%owo+V{ByQe
zE+x|mSK?fzstu2&OUB7Rb**8Z5;8MHZ!=aNngo<d=<P>T7<^&djBOIF8}250Tl6~U
z5LHWFTW33DQ^KTqwq<SHrz-kM8ukM>UrN8~Fi7ievG;Ab;B){Jv5H#|mgJ=Dr!so%
zA6#F2_irHiuf32PKWUipF+DGN%f#_!Ld>gYtx<ZE+ex`zKg(*WTBn#8Td*Q^?FZ6|
zac}Fya*=E6k`SR}$CBA@K?M!&_@yp`$h(!^E8jsj9pBGK-HzM=E~Y0r*kjgwIBUZ*
zs{xn|$EEp`hCi8j$8P(PHVl~}-bu-Pmo?PR6nBxJ)|Me^p$Qzs*1(d;Y_l)VYFS@O
zlUQ95^s;*Az0thve&$JY7mCtOe-;?$7vbwqJFXfk`yB1PrRvyowA<Iv;(Jn=B;ICc
zCY7wWKR(~jHrD#o6kBOV#v7bmafJ4CS0xDJh4|Ui#G<R(+<c0}mWb|0PXQf@f4z#8
zS>jz<V)#3Q4|cA>raOY8q)8us*;6x$ep33()UfCo(wzNZ{N9D6H}c;8;N$tv1-LUa
zERTDLC%94OB3xE<TFfOOGvm69F|0coE1%};U0ClhPgbMPS}_8`YxwtT*+=4AW8G;U
z1UzP>w#Os>Do?2R_4zpdt5=oR(eWy;OsYRpp=HlIMgFlmruI?P6!=W9bIX8CDn^xx
z^~h!OwJ|MNQ{9STHg%jYyyd1Fv%VBQ>td~Ik#v(h&x&~(G|6v7zqh`rzG<{VR{kpe
zYw7ly6iT6!w1pbniOf6T{qDo;0U=&b-j@CzSxU_E)Q4WjPwE@@lMiwAB2xH<`x3jP
zMb>}z=E{>ts_Z>JyrEQa(l61!cP>UeV_Y2$>2~js7SkHqSs>_Lpq^J9Fi@g<Y9uxr
zCQ|A)`?H#Ne7q~BoVqYoM*4?Q-Za<ZIB8j?T*P~OL3ZnKk6_3DFCq=y@_Ga^&wIFY
znV?*U^<=`QUh_Y&(8<L3;@%-jhj#jD(s|FghA`tguu;!|Bx#fjuEQPH^XjF2>RIG%
zR9!|qeLaV3^NCNP$ySbeH|EcD=@8Y1Iav&osUMJyepD=+A(ym42AmB0WjP$rD4F3L
z*Eksg!lGP8^-rSoUha)*7x_@ZF+c3a0A<7(rk(NDl~XonAoiVc_)x*3Y1!)FQILkN
z9*85V50wdj&djKfAlZ^Bo}>ki7RU#71!o|3vOyZUHVc_?^5oLB5YS!`M`w2+FP&|I
z<8j`T$Uu~h1V}s5kp9iUAKp+e&v~~(_64A7%@?V7R@u=oYyUg7b~H=~^kb{{1~#hA
zseAGTBV~B5%rMl8l>I`GlQ9#;e)GC=`<pp3Kl}Uj_V?h6Zm}D1%o#MfmV3gGaR`Mg
z@NuN`%5*e@cjkuqA4d*{V<`Eclu}-H+z;$mRLAD^sdPv+4w)cbFi!Es3ZaimyKHcc
zL^1FyJhp5NXAUX=t5ByJL%!ZK6c7(h<Rzc^)R^*saEpOcXp<-<D0=p5=DuUMGDJ{m
zQ<1wb!5Dk|`81lOWS<U#uPpgSA-AERWCPDd4xQ}yjWk=PFQ@6CaY*;IIteruzSn?n
zaA3o0fiyu$So*?)_84EufaB@pfc&7`FpL(Q;#vq?W5`BB7}Xd$Ws+;0=VTn2<RcU0
zAss-Tl?~|>kwQSa&>?aih-}D|zr}!bbsj9f66O=v23kX?*TG7sIEA5}OlN$jPIhG^
ztd!;}OOUQ($a_VF*LKj}HqV^GigL=9uVRW9=DdklS|jO}l#+(m)-K0iV4ua%n_W))
zv1yMdW=e_s;;m=wN{-BXoernq=0XzVPobfHjH&~RMfr!XnI+HNXE!>wQEXZ|-<~Iq
z8y3tAj*4PXh%#SjlIp<e^oVSAj6&+k)YIr6bXf6z%2bcp`Y6@0!|;`qLiZCK7^O%H
z!X#{GpbSG@MtvTK({r5HW4b=x_C#D87DqPyfW`)fOWu__A{}uu6DK2t8Pz{Ys`ql7
z55>-ag_8wF5sX8*eEbd**1z(_y%(G7m!O|I13zUW>VtSL5O?ejNzx(QhbktS;_38f
z<cYe?^*vob*442b!|s4y!|z;e4pBHe1Rq$Pt%rEK4|3`B>`a9FU2%PZe6dq1Rc^F#
z-n3+{-LHq8M?P@$C~0EfZ{3^^Yxna2&rC)yr-L{pnR+n^IT<sV6LRg$cWnotq)8K7
z=-nKdZ1#8R81v|H4cBsy4}w6(IqP*gqP#Mx#Mpd_?VU+sS~vSYsdubh=%=K#)Gi3b
zTnWrMz&u=aqy(n?!+%=?XeLNII`M>0L3cwpP;@9*u3;hlP=GQ)fnyj$E)^DW@P~Y-
z14WQwr%9i~^?tl)ps3uaKq$<73E>^-+z=1m-FYpt5B_jwhA5D3=_-OXGv2b-xM6mr
zB?_TWTmzgf#E}jHL%aM&8Tkk|(!`l~u}D<7f~4W2(7QN=^PLKD_4_Z|FFK^9%d@DV
zVpNz(3<RVL9US6B<KYytxZ#Q9i<3(~ABZ#Y1z(nlBk$l8UCy}`2?@u|y_62Z$MA~`
z@EpPp-{TBnu9M*6;?g@#4mgj()p_{gHf$$vg#h_Q&Ydi$gNAwC>}fXM#KUj=-MeIx
zk0`=27+1d2)j7y1Y3AoU!z;q1E9dDTT%JuFvaS0v<!>fPOXSg|5pl-@ns-ijE(#2W
zC|WMR9K?xZQEeb$5hh`~xW|R>!}V?&j$Ft^mcsaP2g-O{xp#HN$5+)~i5=yXtx$?-
ztDXDSzDJW%({b-Z&CshKH+x?Hoau4I8Ft<vlsM-1adQi$gEVpJ!+)2rysvxDIMSsJ
z@)S2WSU$wnfyII}YTmg=?TVV6qo;bn0FP&G(>Cp`Jc#0vZ<%-cMiLz{DRDY*m~?uC
zJC|;%BOl6USWiapq22MrK(BK1TxWs~E7Q3Uh97Pi*Is3sp2sI?8f6Rl=wyMqh!Hta
zq^rxoeE=qmq(dfocG8b_#e{c5mWY>=t8g1e9!A0S>G}b=>POoG@`^bzT^r<#ZVqI@
zo%7=vCo{;1uPXuR5!XL)_<Aq*hTBDF=yLi3hEbeeX5W5sY(8W|xGzf_*ynu;LAXD~
zyU`!ux%ooc@X^rs3g^F{uMX16^`VMQHt}pI$S3-Ncp199cXbox!pVG6dYyc6-Mb-M
zuHV2hWIc&JEL*6DaR9>})p^8G_M`pEsn1&POY)wPc_{_hwCz7MRW7TnoeD3`d_b@6
zGAbq8!Q$BIVE#_hC0}wfW&#Poisj5jg}b-!5oryYsbieun%cyw50xYhpYz0Ei~15n
zSW#Y?tKR*W-FzCtJM;4=|7=%Mv!pVvP5)uGg0DwSjoJA5r)Js9{|FA$2M-jN2DnYH
zpF7>A4f`0V@Q4E{9=_hVp}q`DN%DmdV-yB2m)6eBJt-7e6sJstpJU^HX8bVO@bwJK
zXLVWE7*PPJFq{H`0_iIapFMc3J@1}HW5BUYP+`z8aSvb3@h*0dE~IOr8ZF)t`RCnS
zJejkCiaZPoA94~tmn7eL4ntK)OVT`?HtFVWarkq+;Mz|`=Zp!Y|H4OZtxGpHUyg_m
zX~}UvANcYZCCh||*8&QjJGW`s0(&kST=*zcyuV8$Hog|S2GhNlPdYgO<PQUf`+8a^
z$WP*wP62j9cGyTyzL3YgOA`4Av+|vP*`ej`8GzBvl{3P^=$$TXWR7=0RyfB5*)D&5
zGL>^5+xZNh<zJV}J7&t?bdc7*JP~(37;rq@IUmX)=h^72gcX%^Z6IOszMOMqk#x*N
zw%$l#a!Kbfe%uLzI>LEsxO#;2;9Sx=J74T-+9f4+I1L+fT~iM;S0nRi^0ARRq;;>s
z!5#JSr%wUr(Hd93#gQ&;wiP@xt_~~)I~{qJ>5^)D)_nX{s<XBzI9i_#^Jmz4r~9F&
z*x~4+cod?{C)E*s!flOD(sGqfk8pL3ud`4mQ@^r^O_*>yg?<C!Fd*#F9tK^@P3u5-
z7_&%c3_rYAR9`2ov!Mf|Bip(sDd?dr4oJAncNiCLrn-#uM=qQZFbQ<%3#EI5uhZIe
zO4A<+<Lh9wSI7bH;p8f+4MVQN`3lHZTt6Ti{b*amyKP)Nw@#-cPQGq~EFcr%c*e;L
z_xZY#>xabkPonhRh9I0L#Gm(Y>5wl@hFrapjgFTD`fY^g@)7-)(T!2%(A6WZZ1}oP
zl73@8B#9@#xh`FKpgt~C+WGKo+9>}63;)^A<)aJJ>_nBVr1r2}S@PW9OjW9GE^Xb;
z^!(Njt>a($$8XyDoBXvOW=fivwX@z!)l-v#yK<-eqt|SH;7yxxn|PHqu;xq2JL8Af
zx)tU?%bokB8qrHl+d=!-jzT?ZYRtM+!pwi*nyuYhvjFQZL!`p1hT9HEityy2xB@fZ
zz!z^6Z+;fsWP6?RGg~o*(}DR3@JwCs(DiwxLqmeF^Yw(vw;>wXVnXFX!KNT)TTzMp
zphJTqyDb`}T%d7BxpoF!A;k6xx(f3pul~;~rsJLm+mEeyVJ?0CZ)VZ|-I_W!#?CDi
z9zn9bl5d;6t=jy)-~F}exYwAJ5<exSU{6Zr!!JzhT?W|?y@l#1isI9lbi_=0gzL07
z7CmD}A&CrN@Fe~57NWfS`*@CT&;1PErRQ-!FpD0$V~6ZJsBa|1_6v*1q4#2}j<Qo>
zSe^IR33+>EMnS#N`?O2#2MintnD%LDO8+Yq$4_2vO2-c`yE53%8ax~@8g5)T%g)<J
zf^1&1(yUJ@5{n+a&2|#p#QV8|<(RKLxUDnyCgHQyR8`u|?Xy*_T$1XX++XxLq40v?
znNjKRd8%Ri{L$O<PKSnM<Dyxn!_WimP{-vl-laPNwaUo(b||`5R4pzjN>sMXUwOpJ
zTSJ2^;8BFqR{p^&!BHW^_6Y4SBPdvmkpFyutX{vyta$A)`{kWE8*}w$ZH%<qWsvE#
z_o1onFgs!;o6aZ31v=%ZyUcf4$ohEof2LRuCH_185l;Yhj<;_bi;kE?k0?84yd8BR
znJX;4PX37<%J|v+R|iM72Jc<wh3_!zAo~HS$Jo<t2Y214|1sST{<f`)7yk24!PVOr
zOp}43fPU|e2s$w%mC%RDCn3c410&P$q^?@M+<MD1hy3R96?QtOg%96omOgi%)sMFY
z=-f@)bVxn7g<1993k84HL$f#J=b0&l5V?W}h5bsDg1I{A<TeKH96IyN$4e!jX*ih>
zLI@!mhQ_K#?C9W$$?$f!Vl5wo7&a&)@s5c+GldY15j-<x%oIWhA%qY@2qA<JLNt0X
zX6C#AkPt!$A%qY@2qA<JLKG7jGldXB2qA<JLI@#*5ZeVMy?gi8FmoY<5JCtcgb+dq
eAw(m`nEwyF3PcILkA30*0000<MNUMnLSTXulC~89

literal 0
HcmV?d00001


From 696beecb7021a3df295de9c9337a7f9fd9a90722 Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Fri, 11 Oct 2019 20:29:56 +0000
Subject: [PATCH 190/420] Add WinDbg debugging instructions

---
 docs/GettingStartedDocs/Debugging.md          |   4 +-
 docs/GettingStartedDocs/Windows_windbg.md     |  71 ++++++++++++++++++
 .../images/WinDbgBuildAndRun.png              | Bin 0 -> 51983 bytes
 .../images/WinDbgConfigure.png                | Bin 0 -> 85778 bytes
 .../images/WinDbgEnclaveBreakpoint.png        | Bin 0 -> 165094 bytes
 .../images/WinDbgHostBreakpoint.png           | Bin 0 -> 160935 bytes
 .../images/WinDbgLaunchExecutable.png         | Bin 0 -> 70115 bytes
 .../images/WinDbgNativeToolsPrompt.png        | Bin 0 -> 29158 bytes
 .../images/WinDbgPreview.png                  | Bin 0 -> 66864 bytes
 9 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 docs/GettingStartedDocs/Windows_windbg.md
 create mode 100644 docs/GettingStartedDocs/images/WinDbgBuildAndRun.png
 create mode 100644 docs/GettingStartedDocs/images/WinDbgConfigure.png
 create mode 100644 docs/GettingStartedDocs/images/WinDbgEnclaveBreakpoint.png
 create mode 100644 docs/GettingStartedDocs/images/WinDbgHostBreakpoint.png
 create mode 100644 docs/GettingStartedDocs/images/WinDbgLaunchExecutable.png
 create mode 100644 docs/GettingStartedDocs/images/WinDbgNativeToolsPrompt.png
 create mode 100644 docs/GettingStartedDocs/images/WinDbgPreview.png

diff --git a/docs/GettingStartedDocs/Debugging.md b/docs/GettingStartedDocs/Debugging.md
index 9cadf6b10e..6f72db9265 100644
--- a/docs/GettingStartedDocs/Debugging.md
+++ b/docs/GettingStartedDocs/Debugging.md
@@ -1,6 +1,8 @@
 # Open Enclave Debugging
 
-For debugging enclaves on Windows see [Windows_vscode.md](./Windows_vscode.md)
+For debugging enclaves on Windows using Visual Studio Code see [Windows_vscode.md](./Windows_vscode.md).
+
+For debugging enclaves on Windows using WinDbg Preview see [Windows_windbg.md](./Windows_windbg.md).
 
 While you can use GDB to debug the host of the enclave app like any other normal process,
 you won’t be able to debug into the enclave’s execution state or memory. To enable that,
diff --git a/docs/GettingStartedDocs/Windows_windbg.md b/docs/GettingStartedDocs/Windows_windbg.md
new file mode 100644
index 0000000000..1d4fa5adfd
--- /dev/null
+++ b/docs/GettingStartedDocs/Windows_windbg.md
@@ -0,0 +1,71 @@
+# Debugging ELF Enclaves Using WinDbg Preview
+
+This document provides a brief overview of how to debug Open Enclave applications using WinDbg Preview.
+
+# Install WinDbg Preview
+
+WinDbg Preview can be installed from the Windows Store on a Win 10 machine.
+
+[![WinDbg Preview](images/WinDbgPreview.png)](http://aka.ms/WinDbgPreview)
+
+WinDbg Preview supports debugging OpenEnclave applications since [1.0.1908.30002]( https://aka.ms/WinDbgWhatsNew#10190830002)
+
+Currently WinDbg Preview can be installed only on a Win 10 machine from the Windows Store.
+Join the github [discussion](https://github.com/microsoftfeedback/WinDbg-Feedback/issues/19) if you want WinDbg Preview to be installed anywhere.
+
+In order to use WinDbg Preview on any Windows machine, copy the contents of `C:\Program Files\WindowsApps\Microsoft.WinDbg_*build*` 
+to your target machine, and launch the `DbgX.Shell` application.
+
+# Building Your Open Enclave Application
+
+Open an instance of x64 Native Tools Command Prompt
+
+![x64 Native Tools Command Prompt](images/WinDbgNativeToolsPrompt.png)
+
+Change to the directory containing your Open Enclave Application. Make a build folder and configure your application as shown below by defining the `OpenEnclave_DIR` and `NUGET_PACKAGE_PATH` configuration arguments.
+
+
+```cmd
+cd YourApplicationFolder
+mkdir build
+cd build
+cmake -G Ninja -DOpenEnclave_DIR=your-open-enclave-install-path\lib\openenclave\cmake -DNUGET_PACKAGE_PATH=your-openenclave-nuget-packages-path\prereqs\nuget ..
+```
+
+![Configure](images/WinDbgConfigure.png)
+
+
+Build your application by running `ninja` and run your application by executing `ninja run`.
+
+![Build And Run](images/WinDbgBuildAndRun.png)
+
+# Debugging Your Open Enclave Application
+
+Launch `DbgX.Shell` application. Click on `File-> Start debugging -> Launch executable(advanced)` and specify the program name arguments (path to the enclave) and working directory.
+
+![Launch Executable](images/WinDbgLaunchExecutable.png)
+
+Open your host application and put a breakpoing on the source line that creates the enclave and continue execution till that line is hit.
+
+![Host Breakpoint](images/WinDbgHostBreakpoint.png)
+
+
+Step over the line that creates the enclave.
+
+
+Open your enclave source code, put a breakpoint and continue executin till that breakpoint is hit.
+
+![Enclave Breakpoint](images/WinDbgEnclaveBreakpoint.png)
+
+
+Explore various WinDbg commands and features.
+
+
+## Limitations
+
+These issues are being worked on and will be fixed in an upcoming update.
+
+- The debug cursor often jumps to the start of the file when stepping and then jumps to the correct location on the next step. 
+This is due to the way ELF encodes lack of location information.
+
+
diff --git a/docs/GettingStartedDocs/images/WinDbgBuildAndRun.png b/docs/GettingStartedDocs/images/WinDbgBuildAndRun.png
new file mode 100644
index 0000000000000000000000000000000000000000..366f44af0624227b297869f428198909e4a6e655
GIT binary patch
literal 51983
zcmd42cUV(d*Eh_JGh$}|M^H)>sY(%%&|wr5Lse1fphQ3n#Tco9WE>TUGzF=l42mF9
zA|-T^QA(sMC4nGB6Cpwf5Fii&Nxp;LGxzh{-}`>g_s9Fkd#;O%Wapf{*V=pSwb%On
z*1=qGu-?1t&@M4CvAvM<R+q%YewGvy`*Ht{?LbS?O_&n!?+3&s>oa1N{qi%wm!JGk
z+n*K_t4i6udHrYL`_9|vT@hkpQg^rhewg$FMTm)Y7eTB}Uykr%3kJ$!2G%}t^$p?l
z-%ck!D#(T}&L;l2&-~hLC3TOIfF?og`5(P^e9YeWVCA<Y+2DBIS!{g!JBl)82j)JQ
zw^!+%$$6i8RMW%5vH|aU8%1xrgctGQSJ+p|$gc#9ImCR;C(e4yf)O6(T=A-Pp^|I7
zHfga&+wc}pBmmjAE_K0u(I+%|iK)1M*TXY~7u5g#@6!I%_<w)<{@YnCWl4?yXnf>$
zUg^?*dG6bt_{Ua7|FyHN##=`)=l|OXK;!TksVCpN{`crFA1W*T``h<kF7Ad{{ilG>
z4*ahKoL8o!S1G~-%ZvXZ(^I5OxD*G_U6@1?eWtC4gG42w9%9H6PJ|WpGrZR+q6$)h
zut0=ML9ctS8z_pViGl?OoB$`P7d4k^{pav^76#L;HXVgSL?KVKi58(%MI^My0<~Et
z+7OL1aDq$`m!TsH5wb~WUcn}J1}~Z-Zif87CMK(=U;}~fpGxl;6<KV4miSy2b&%zu
zORfYISpkXEQbhES%}iC%0#WE~DjX8c;Vgv97Mpz}(Xxn3QAD#XL~=tgG}mG?B@xn2
z<nq#J64Ig#i-W?Rt3q<YrjWxF@&?{I$4m_fBRm4po3HEW6(Vz$UdNW-V9P81Xww$a
z2B|<j&5(4VayiimpV2t+C@;pLCnBE)`yueDMy#s{)gKj9QNWg;g>kQR8#76L-2G)X
znmub^_()~kjA9|Bk6MOu%vykqefAySSz-H+iA<q<qm%0oI8K;kSUmXhi6_GQlp-$A
z*eD58L~p&LH;;<miEd_A?RApkgb2DAYebQNv6gHvsD%?){kK2%8cRJJxpUd1xx2+R
zM6J%}*@sjs`5lZq12bv#=PE9%8C7h8vQHxV$@xP*D^61C6<nvzuvciN)id9il(l}n
z&J+3Wb~eH>MoJtjd>_IEakf`9=XfhdaaIK9Pkto(Ib`TMQyo(i`|vRdNcDfLj+4QO
zq`8@fF1QK*RNjeS>sR-Lw0on4=o6uLQmXdaO6dmAn{{Oe)C80xBaLn`qVDf~t>2Gm
z1y;Z62!^*|v7TnXbWL;KDCSbMDQnoBj{l_PG>3|)F2bYgs`An<n{fz5F66bRR;G-h
z;(+QC8qfmz`o8nmrdd}F{Uej7Hq(W^zWKB??JNJ7-5sBU2pclJ6v<o?KjNz18WuJN
z*dJ1uPh@f&g=wNMH#QeI_+g7p2~k@L`YVVZ2gaoYLfYYavS3ViY=q6n_PRKGX2GvJ
z?;D+7^#45MQZvIY?c=#khUH(5m+N1g$t*<?PERTyDc&38Wx!(IoVU7(oa9Yo7mI>Z
zPdpya?y2Qewy5RXj?E1Oy@2mz4Dii}PFg)JDhO8%+dV@!tkj*n2h&2^)$*Q~I(%54
zk%yQ>YH|rACA`Uj7_aHUS81#0V{Z?QAFw^+t6jIe=3z~MF0F0v%H0zZ8!AJlU-may
z4Ny#F^dQf;f~)p2v%M3Tnw1|oc|$&{^-Fb06tt!ramAcM%E>5|c<Vx;%&{unI=KoY
zvyQSkTef^Gq9n-a?_K{i^BBXtb88K~gpZZ?4v7fWchw|C$wbCN#O6cdqKu-5jozR+
zbcz(cH^xP)#26cOVGw$pw#t(b0#1=L0PL^LQ?FAsFj+w>^yx6ZkH%1^{=}ZncAHD^
z$-6jAtgp0Zt*2s*>aTA%AaYZYHT<Di14!WJSb?(0GuVq+hX!_Gztj;l%W)7_FBq@W
zQ`Ad7K5;XXw3B&kBPacWMT-$0G;lCQuCq?nvO8>=!5m7F+n`2Hr*__c6moKM=HnPe
z$h(2KoE<l61twS7v1}Y(7QL8TbD=K#ltI0q0lKT>QNn!IJ7l7H{byED-;8{hN4ocb
z?z@4D8JcxY*#ml@lcKfNLuPt@0qDBWV%-<er;i>-z}8$9S;c|mk!TNUhauUta`j}#
z5wLo4II_R7HZ6X9z4&k6?M1Xh?u~QS$|n$)3|}n8JvNn362*khI4BAAM7<WvyftAf
zdV#Yhh(Xi7*&liiv_VotFNX;GG@djVU|fP%itPjH^qxvPjZGuerzp$t4%M2`qG{$n
zIo66*$9A(aoxsV=>ajh$gKS@z1`j!?Kr*=<5tX%?BpJ3NP6BSvzo4qV)Zom|d>XVT
z;fpQ!`q_ZalAGT0j&se!6t}lZI_p^^pKKZ1yvCrRL$*D#aeihS>&VKZ3%c0UR$9}6
zsj9$@Cz+acmf5p9K{k}WbX~db;ov)jtG%7ou17P>-4`U!x?>R!PqvzO4h~Mcbt5sR
zlWyJ*WlLU=o&VW>OH#fcy<HMY=8r$sh08AAVxYY}o6_Q;cW&EBb@r1$o{DL4P$l@L
z6`dzUFVi*+Qiz+GqNPhZw^SudlDw)uYk8LiZtr>ElzsRYgQ2(QP-f@OAO1Dw$!rSa
zW8e(~?DazSh3TZbQuQkh)p;Bk9GaVqM`>5sL6SI|Gxr8JAFP%b26nnat|`CBEeY5x
zOuFMhqCXnA(7if@t642^QDv*TRbhS7uU7Xa1k6v@*~2uoM(WZALxoj45XN=s?XAqL
zs$u3;m$n(VQ<Ku&C;PAwgsL6PmQ#LEjbv$`It^b<yO=uK(Lq!l-J}2+Usm`zQu`6=
z5u<_|D(@Jxr;qT@DgV?x6CQG1E59jR2fbrwJ4dv&yW}&hHf_-}I%dKT=oL_&6o#QD
zMFIr@yNg{<tB$&O9Ag-?@(B9O_rB-Yen*ljwp}2%eva;=PVYp&(pzmDeOE8F|GISU
z$nlgkg87Nlk24Hq#(0l71HQq;O@-TX>HFR-pCV=q1XxGMRtKO<o!Va<>IpkI@FZ#A
zq)vu0!<np~aR8qGXfQ^&DJa#{P4bRPIY^^S*TJ=}c3uKBR_YAXcx$ASH0JV%@d(;}
zvO{I&dFenhvVBmTq1%TytUubHHo6vB5m-j?0wqAB|9yyM`1T&(TKc>m(1W7F73$av
z6AVvAL<bJAbmEe8hDG^F;Tn(1!?arnhAd(>J<$}J{$5p8Ig+Dla=`_8Rx;+C8OAVV
zrO00JbWc2%*<F11<AV~p4+6Q!>kQXi_eoyL3)vpOWp9`X?Swx=(RR!s=zczar0QNW
zDTJCy9i+<mc<tAXJrcR779jOf&D^rI^8U=4u_}ASCqSKHRIPlzqT=qJ3}Z`OTvd7R
zLcq>i;W85Uyy{f4M!!);bnrv{j8)>vjJ}rrFBHeCPW5MJ-1n)Qfi>*QaDK>b1(x1E
zhFtl%`f_E#t%EGeIGK4q-rb1sLY-NvX!%df=JjH;R+*lqT&}Wv>qwk{v{$7;FP#ux
zPv;Ox6dOi~6sd^LgZ48PYyg#UrI2>2U%2KFlC>R9jVQ*>1k{+dWXv5#8Z5DN*~(|G
zqHn?~+~wU>x9tfc>4uQ9Lt;x@b_5|ipJZ<GOtYm44*kxA0+}PzXUF=7Jf`6)h^C|F
zz8ga@qNtU}SIt0s$c?)dGpfa$som2ZUjFND?ojMWwJTsmTJ2|Z(d8D(2bV*nQ_QQf
zFnI5&j6OG6uQKuTU;W*_@bVAVR1sP0)9XFd?9Qk8?&?k+OU7*T9%x1SD8)XIgpk3d
zuO*Z}UDkd&<I!RKm>HOyd1|{r@$A3nqA(Hp3yd?|3SGZ{1acDyYJk&N-ojH>^tziz
zW58Z;NI4`&m1J~9q@8kdD2Y<5>_c$X>}iSgFsS&<is=8$4S1e4cbK#q1zwu%bUW{%
z$t_tUn@=$v_$K=5wPsHP_EaTRd7l;4v3pfaf)D4p%UQeCEx)$+`@$SbJ#?lwp*pYR
zf{!VTajMfg5N*?`&PZX(#>X7*zH4WcZTW%et6gF2DjLyOO;=XDctD4_UP5n8?i@5f
zSK!`rNW0Vcaz1tcv`R*h#gJ02-qU5DtD82z_jT2?kWR%7fjCI(0JrLqZxgDBzuc;1
zmJ)?lCnJspArt$SyzptujW6oCk^h_$>bMJof<HQrXI6>OCzQoW#?FbM&Qfp*ZrWA`
zv1GX$qy3K`JyZCx>aL2UNDXir>kJ^iH4i&De)wBv5c%H{gr_D4fOs7zq=`Ur&w%r&
z`@iQIQ^~$|O2YYYBDQ5!;?Y0H{=YWuQ>R`3e-noPn=+aVO^o4F4*Gj;Cf4$@YBO9k
zfeu$sjsM>Cm)sG|j_)6TJ1YgGqFdMRkCeCa(5>rNh}HKGV#oe|MC`J%<PYB)UzS7K
z(fk5oNe4yc@5bK^d>~56JKN7k5v~62Fyd&1vQN%$wW?AOr60dP8e(Oul!0kmVjcRs
z-@oKaRU~0M+o&v!e>VlFNVYB{o&T>-+2E}I84L6*!|LPxzolI~_s@+No>=|#eV{*$
zk7Ib@!aOwdhGASZeF7C@PC#$4Iou;HanR^!GnAZ9?nYGf`Owd6bG)X?!W0r^l(;ZJ
z(%}dcOyLns{mAywx4FVq?voh7ijhNydA<?JSH5!a(72+1-QKM+w)+FtH&5JH$lt?!
z>=^yPyMV?Fi9lC}JB)sOvzHDd#-3NopD+3{rZsJNR;o(k`;<C{U6tZ22#})5uG`6*
z4?x~<rv|=oGkrvNH}=?aiKGE`Xo1AkDV!X7*caV5BFDIv-;52pmYEb*iA?hRs=?9s
zwv<uH+MaLN(w;LntY6n4974A5WsWjl8-CL~%m`3?O(Z~zZWvk{x~eqlu^gxE<?Pyu
z!}+I@BZ94^mQE^5HpdrSbDJ=G!Yk)dE03hcJF^bCt3-y?8?73i+_%-w?<nZH9GVd#
zuc|63x`+M*%G$$}b$qJa@nG*PDf6k7UGfL;9~q8gnmc>xrnZ9`6Mq)V&3LB_EWD3<
zGMI7_(rE9Z!4CGJkM$y{o*2kTXKZt8w&S$sv5jA#UMzQC^KniR6t@y$7!vAm$(NWa
z)Qs5y&tX)dD*DeJtvhO4U8E2<HdueTLLvk9_0Ld0$d{<pbL^(G-qx=2Z#TMS&kY$?
z8&`xqKNURH@>LY!gRz{PykIcN>L$$PG5SWA;1#$Yjwa>J4Mh3eW5dKX1vpBXfDZ;?
z*A7XMUGVejwIQ!|Zz+n(RF=%N&xn*ZumM{oF^cyVRl7ctvkTa!uu-RKKtH#DoP3Z0
zjwuaX*&g{;xo(5YlbY=b)sp+ovH5uvI$TAcUhMgJ?MS}2d8UTz^SUxMxdUWj=a(L5
zz6NRGGwT%mmw_2i6C*QMpCrrd3y=}$P*ZHOhyQq!k=Z_@*5I!-H_iNp&YizoBFLT9
zT=s_<lpXI3@|J?5h-X}2P67o)Zv8=42K!;8j+ccV=H{ceC5dxguq#pW-CUNV(tJy7
zQC;7f_m(DK!vWI@CvHpt7O&S>vqP@(B5X)T+KgTjc!-&T#ZAd~Mb<#+tg|L?L=N|&
zvHy#S2w@;p)&QGfUsp15x9zy{2~>=!`Kq#HPoxy|s7mnjNX;?UG_SbpCo?0xs#Swd
z_=yUf%0bC~-57-d=j?<juFc$!`h;o22(p7xVvP`@PcvTbbuUdnWfKsZiO=V1tzP%^
zN3@3aX|iq_1)HnlXu;vd9roTO#oWi-BSy}Rb=IwjmKN=ntNqBtwrTEVw#(Rc`1#7I
z5354yEA$KQtb;*;NUDNHP)g8KgtpiHEj`~a{Gt4;uGF}{_QNnZcw{+qfx;qvdDFDh
zIaO(BySBa5Ff|=KQCN8c(NZ!o>TMQz@p<s{*}@R4efdYG5g}kBpVy!9(}h}0!nv;@
zA3u>OZz;AvDzU7Cw2SaHS5k0l`>HB4l%I^?3NH>A*9^FK*Yr2}Tut_!b;`xAH>{_X
za7L?8b2ZN=W?^7A`RTO>h8ZmUdjrxSzhWevY}qA~#$f!?4+_Mk)pP>$`a~z#R?zLX
zCAk=`9-`EbJ*Q#x!5F<xxMX1qPCVmzmR9T@5RQnpZpJo&seY&f{n@MG%7H%2x<TFp
zXiZZ-Z#u&<;Vk_e^*!xzqD#LMD#%VLn9_gMjL>h`{*w(`kTa`)YSzX75y3D}A6ndx
zG}LZ~*{Ir!%n0Tn3oaru$dvqHzUV-G9e=cF`6u{%hp=O<6=C{vV#AJA_$8rB1D@5+
z@Moq30XBX0;}S=6SawU=-zR>CSouB=e;rWMICet6pEwqHOb%a`7T;$-^|d^#e)x++
zyuGkA|F(I6w0ozSZRgp~5gmtUIryaVN<6W!pr>kz;z~^C1(W-)>K!S5Jg$|tiw(O#
zh&_j|(qP$rkcq4C>us-ky7pj^>k<xRBbv)F20u$`u!m>LPQC?)m8IA}ioA9{f1Mfe
z+LefJvY{OyWaa)E7fN_W4s8klZW-<i{#(MnZu=S1{>ACKe~4dk5@Xc~ysUcJ!K0l}
zfyMF91qG`G(VEufBEgTl{orjw!4dZHPadN6a6vv$@6Od*B#Ku!HSo29z)T&};A!IS
z*(LRyZH#;AVd=>#uOV``=2ewYuh28xzsO}SigeF8^~T~)wAPpJ^lql++?+XtRf(L=
zXN+d9WVw0vM8xPCneY3&`DQieC3m2@5?{p*2>)VcK1?BhI|mItQms6|deV_?YmJaa
z6;hVL>Fat|$SHE&cNp@iwvh$oWj}0>Oa16et(}+P+jtzF2X!$}3>K=AAC@M(nz{pY
z=9&JhkZEY|5}3&!H@B+N@h({2yb1AYObUvA0rs&VugMGc!bm_U=|XlWRrI!&?-W8P
zwqGsvFfPrp^ieP~q`c-T`e!$J8)4Q%;eo0w7RrJUx7OXL;5|;p<K0u-u>pZ&rWGtl
zqCa>#;=LEKD)`P`t+lc0V8FoJ=#N)JE)Wmg5~NY09OTCH!>sWPMnueaN3__ajxkgR
z-+mFaq!ygGeKxk?u}bLG9zUnY1tvzgYvTj@k%wIkUghsCnv9E%22`RL1ohW3+yk)d
zzHM&!ytL?Ce9;p<g8o_gUV&Cx>=b1zYG~unj<BK*io7`2IBoj3!(Nu8%9^MjOMZ>Z
z^>W6h(6h4CZM_|RvIp{>Pu%)QZR%VVn5{L24h&B>Jo6yZ^;ZOd<EB`4%cNP-U-yPA
zxm~G1<MH`}TRZe(YY<%fWG4)?Wk>rdDw5j*YL2SyPwgvI!^j%k7}T9PcSk9xJT=Mf
zsyFQc1kxStk-zuG$*_x58OP@1x~0_k8bY=N)1A7Tn<{GqsclfKEgF2OK)W~==Vn$K
z{DNo(v0_p&E4+R?_+u$ddg$TZRbAvZIICQrl3{4YZhD*Zm>ikt3QmqFA0||7$)5u~
zJ{|c87F_|?f+0-tP&eZBzz@S21jTAbqOOthK1M{2E{0F$+kKmRxACc{J)C0;{#eGA
z3V+QnDbrP|+mkax?(Z(2yvd$xid~e-Vz_Vc)Kl|ykKA;K-7>?!swVX?>ZtBcAnuE5
z9iomQ_I}nsK?(<>f2^?@l-astxg|gf{$8LVmm2?->j#T-eAQ|(%_BSl4JmStc5RK7
zKNFMoub@(F9~>^F8-1zlJ>PP-r#AmV5>MP_*ka{(Tg?J`Bg-R~SK7gA9y*zB7%@x8
zIojzbv{Z3!YE$!aC6*w^xk&MH+E5kB@owA#5NCcWX^NEkz;`}wTS4Pa1vukur8vds
zl@5%yhb1K``~1vWyBpGsTKJudG$t=#<`>NXSvD^_LX>6;O!r7wYb@L!Tv>EO?fNhj
zj0Q~?(Vt+&3U%%maGR^n?3tXsx89`NhyL?TovK-=w>@Qa-&nh%86~_y(S_)YEchl$
znOTT{@I1Ul^#`%P${IYS;C62-7S>GFy9&;%)Hat$SgT4h>tYcJlZfX>kR<VGR%g3v
z*lLUY+y_KV9P1tziC=RihX2KHr7n{fOrl6IDKW8@N8>7z2n7inddV-g`C&0JhMJhH
zP4)L+FX*$o$mEkV4QAR3w&&|Q`Q1D!J9){lPcHU+PRa#~E32nB;V&;MZquDPmRzQ@
zZ(R3bSQFULzyIv~sD0oE%0;knk#I8h!>QzQhq8%x&HYz148O4VhOPzr<gqA~A#C{s
zE|zj#u=>lwm|09HR6r2$Js+5twDWkRx(aEkIv-2foh&;v?7YDT=qAIrSQW{(w#&<(
zdxt7<63eR4h3Q){>a~K=>eoN)SaKm%MVk>G@W&&o>P!Zy+KPWMI)8hNM@C7((ekRE
z*n4_RCI7LOvr!Z8{XazY7AKuZ39u+Jw*45$_6yZwmA`+~wuw4BAYYJgRa=>-_ZsC&
z<PvHF)-IdvBVF4PO~JK5Up2pKtYGIX;}z*yUo#4@h~#B2Nc+sa57j?#YFVtdBM_?v
zB7xNBb=AWBOL5FjXtpwrw44q-Rlg<D^o{5Wd2B@GyT*O0RNXxIJ1<A->wc%=8j0e@
zcX)7!M#X$;Q6Il9xR@SlMsa6Gk6CGv`bb~6<Lv(02KH!s{z=lsn<cqJ!Tor|F0u}*
zo+hOi&`UH|1lh<Zzu^lcS>bcek>!S&M@gf-g1tCjZt|a8ZsIZ^XnE&JRblc90CB85
zz7;jPvL)^2Z(flX>UK%IjLap+@i*UG9D8TSE|MVPs~&)>DQ4{CXgGBjDPfs1R2P=0
zwhz91H1IKfTXR5Px@pW}|5=BLmS1N>)6Jhkce28T``OVSDHNWYX;?XEWA0`>KPTxx
z9AesVcA=)6oL?K(PoKGel2q<p16ZK0AHSub3|#!aelFBE*_G%w;7)vTBGw+eS~a#I
z$6!Uy<6m<1b8%1<uz|`a)i8!;Ev^PC$zh(M1y8K@2%O3-q&(#kRzA%H7?g%24uzTC
zYj9nxGaF3iw4aVtr{UjlR*no``GR<2;wLS~Kb)-J?+b(<zHY=JbP8^O<S6j)l1mA#
zH7V_=s4xf5n7*krO6G59mf=gvN7^F!zsw$UAqFiFQMk*jZLE6gw=jiSK^sL~A1V$F
z96YqMNZ3h{qDEDfa<9zD0Y2&Uq$(ifpE;mhQ;E0vP2wt&auWUPZ4qA!d}6LuB%O^~
zT&cwl*SACLQezn%x+YYwo222%H2SBHC$hec7mUXwd8dSu8uL3(62blJcat<3%e5x2
z00A2@=~UAj(&IFL*9tRV`MBjR-Cm={C(#10QnI*4Mq%Y2-0{_?TvinMb#g^LQ8)id
zko~(`F<1BilY9H|+Igi|aRc^gbN?6@`N&yCAWu>RztEkMVC2W08@OMxc76CziCgpM
z2+rqm193feR<hxFL=)`(&<An2W)LaRC*5!dG@E*mAe0wccr6U!b=z-6g<!IAo-tmb
zo={||axWp2&X{Q<psG;*3pFSxy28Tf_IC0@bUAK<;zq<r?uL%m1}KaRh5ZAVeE-jv
zDsXt+ZDL~bOs&*-&b=|=`y1ay144rb=+g!JC5oonBBBqcZ)`;wbT)Faw%!CCl;HHz
zIq)!3cO*GQf}L+)LN4exEL#4vH>EEd@uVzdvaYu24v7Bo3x(^kw!txLsaJkmlGTR`
zVo|9h%q#wf+`*afiVPewk`lsdA>eBwy-mqmF6diiF}_hwD<b+}K`9a(&`++!ar4(G
z7M(-(-@7r|F0>i=33}<`Eb=9m1RgnrtiUaOb4i2j)cBsZY^9C6Uc5~28EK@3WAnVZ
z@-#F^F7`kxXvQeDFa26l{o0!$>ij#Q7{RpNImjRb51n1E<dWp#E)ZAD0^fCtXf<zi
z*WT#K7zHg~9b{dlpU_Bl1z+xBahwj_kDiogUuBTV`gNX&mZb_>kxpFj;WYhWNn&oj
zL^-WI*m{%ZFGybD9<J}<>*Msu3q^Io&NDT!{(+rBRbAR(>Jnrl4z<OJk1kB5#Sd9N
z`+RTa*R*)O_3Kw26%H@7c+u|rH&0xw2!b>o+0C&Ls-We(Bc+|O;;j}6aCL)ijQcSW
z_U;3rTaLZKe(rphctDyoBR%P;;&FUPAO+ulr?2W)glUI9L3OpmQkM3c7x8-Hb4!EA
z5RfrF6DpV{$&UL9{EE02EL3N<vBEp}SDrF<F=Yz$bD_uiCS2W?j0#Nk<jcrpvi@-W
zH?MlTS^1f5gkhOlYNbKQ$w0a7ExXo9BlOrM2bP4t4LHnxtySC(yFPDk<R!zB!Oc0a
zGW~(*VG&`bf^jil<f{H!B3`E^N+?_D`YAPj;oMluqK?qwor&`GY2DXd0*nhW!Z+NF
zXyYBB3d~E$d}vy{!TNqBNPEHQ9A=yO#oZoCn=j=G=x=R(1a$LnH(88y{DVK?VwLH~
zT~NAfSoB-n<TS?|d1ex&e=~uPz->StFKPs#_RqJfpx<BbP@`<YQ!U$5<8i-l1vE3%
zCsOfgnf7m=SZzvvM~EV>%cx0C(J;Ik6vVje4*=WRTb}32o4Bcy7G2dlo-`en_LYx{
z7D~;w?q5d^&>?HNMhAuGAnj8itvl;#4_Jt*m;)Co6B-=Wx8_dFW4c=T*{1mUX9X*e
zL^+k+^Rdc4+hG2yx8Sc=))b+G^Fug6irEo@zOv++w1sb@n=~fB@ui2%XOGPzTj0Yd
zH;S@kT3^R%A$s%jhcM|Y!G86m7uW<|SJ7`{@%7^hQ*xP`)@m;tr*>eUbr+Xtr`&7E
zmLZME#Idu^n3xz0)$#h5%=a*yQ{(f6QT%HRPl*oGM6jTD{G&XUfU3bmlR^|ru95gs
zq${JUO_~VZrT(gWu*v?s-Dy)!H##CR;j$ZLz3^sY4E$yf)45VwK~E;FGpc~%iV{qp
z@xJ5>qHhlK4@~1*!23K+Y;%u65Aqx8yt5O&M7eGp8=eAT0WE$nX*`T+2!0z_a6<ze
zgo#d*Hjwd7(J2&$S>6Z=FT#5UzRpZqyGpJ+UU*^b@gr<IgMMOWGAokq4mokw6=W*l
za^Lh<Df)O`)Y_S*2<m)H5dH`&DR(dM*1G;onsnvef-br7{A|wj=sW!oX5Ygrxq36^
z3Q%I5!p4RcO$1((grQsEuOG2(D5qx{8gEu8=wogQCaZJ3%_*nC#~M<+O<>pzmV0)B
z;q+8%bucgICnZ4a#r;e*$<~5H@p2(RL><_q*2TiwpT8CiNDNe`^i*M(kDl(moE~Q9
zFJDbb1D7vfUTUWd#pO3;m^a+i?WeS*e(mPVZ9EPhw8Tzrwl`rZ)_CYCsxGzR0koIH
zo+*i|h}rN+taZ7oDk+m8%-5H>ngoSfWGr9dH@A4zGCWOu<?x1CuG5E?xYzB2ceB1w
zNDNC?lRjmi1Gsy#)*4-Meb6p1iy8AqVcTg|)Q9P3bJlJYy*NO2vHsgADcwMqr9S(Q
z>Q?Z!KLc+RhYj{Yf-EJe@4VJ(O{mSTJ4u;xf327~k5hH?4cn9QYsa+Geo`dx06W34
z@}Lr|T#cB~+Rs>n#=X1QvW_5APEzQLqE1Oo_+sx_HvYK_)f}c>?iQm-!%<RpR&b@0
z02`x!lBA{wQdd@vBv&j5pQ%c2;VK)oADNNbgR28BCT03hWaF2wBrIsAK+5GTex1eq
zx@95HCp0m#;61yz;VLhJ{BcOC{j4+C$bBl}4<I0ZLHWZIV&xbOEq~B=O-uLYEUrYt
zi)^%;+b)~ISnYMc!M3(B=^To?;QXY+px==#@YICw2(?4#R@aX8e4yz~zbzUeEycV*
zH8628i!1fy$}mqCbwIb7nfp@W_rs)gD@Xo#T?zd$B+1thT*k^yK(R{nwv|exXJH`i
zGy;gGyN|BFh3S6U1(<|fmqujU1xo$cN^tIqy~DZx2qO-+9`MMsI>mkCL>Us-VdXxI
z^4Zhog0hi<OOg}<c1j<&l|Q2}<dLWuw0dV{ZMgCMd0ohGr9psQxPwwo^4iLqq4|s)
zs})p;2J@ydVe`gyL$43$f~Vz7*Z}8cBHYVB)n;J*f!@}vWh|$~_e@`&%>9B@A2?T4
zC;5cBSZgu}HY(i;A$0Fu4>Eb7FeE7+Fw}G$^A!V3n?k539Dk=$Tvy{l-9=c9f2F<|
z8&dTVMB^_6EmyY#=N_Jt>=Up-ZG7DRQ_|gn$$rlmJA_HVQumOzqr9o<^0=-{oX8Ln
z)KVBik1<~L4a9{-v$@hisfFDhvZ*7=Qh?k0oeAuB!(8=1CDo4Ul8;te7TZ;V@0cqV
z^d-f&K&pZ8!E@rvjWex2+YTBSEpgz_nPYcv31$*4jU~D_T_WknSFdAyg-s<yg3;>h
z$~ZR=J$JX<%w2`{y?41D2CgRQbs4;5#$)ma)$I2@V9;u#>=<)&;ADte-$PQh@DWOz
z;+`|NOQ3KAo*3G^!AiKF=Z`XBp2?-9km8oQ2vJhHodzLJqRHyjDHbB%R_lmn{Rd=0
z?uNT4?(IseO>|~xMzZUxX0Nuvbw6Fywi&N2%HYo)eMtM8rVpt_*q5RA505Ed2g?;w
z{eWQNC3%%xU0OyB)`XEx8CdzCTj1xx&ZP?rbm_xh3LGs=%;GS2<&9+mx^$2R$=Cda
za(Z*ykLd`raJDQ1t7>UbWR;K^YCea!9#Z3ooOH<9t;ROb!|7_(4Mx?jQsl&sw-VXy
zBQHa=XDNOjGMA*P2!2-w@lTVTg4c5KL-8R8^jd>a!cLDp3tb%h{?p&s6~kU%NPBim
z<YTbbpdT6EIND+kt2cRt*U~V!ah;J7?bhE^SQ!Gw3-7iU+ASqw%NN~f+wb@$Ed2Sk
z?Xnu-YA`=npuhH}w?^^Y+s#LEWAB5nT6+^6y-l_`MfVuVWiu#r0MYP}CzCG0CLMBj
z<GxJlJEdNM607-9sSOh}f?@5$urdHC_8%Pmg0CA)jUU&Cu1{90g4|i3c=)3@P7oH~
z_?UhHoA4pZoGYJX1kAD6wQ#tU<bax}!R_M(a@xg#rCWlZQ9o)m0`aMsSOmcDpmV7u
zziqF#+tK2NzE=Po<6A#$o&tXOlYvfTd*I04p9J4Ip5F^%|0aO`*K`$t<Ddc3CxHed
zE!2G*K}>9ZAxD``qNqk@DLwfY|Migq;D%eog{~`)%lpOngsLn>*@vxziUl7-@4U=s
zwGv}u0%zG3?zUm5XqBL|>0q<at-~MK2qqDL7iQQib=IlSQU<(96fJ3t&!yYd3b+#O
zZ+D2@mXT4G9Qxv#U4DE$HJ+vR^TRMS0I{c1OhYq4#D4Q5veF3wZvnM1|2zQ#2nlPf
z<7Z6QDMu+?RjwPR>!PFQ=b?K}cXWe}lJT2f){dUvd;esvZL4$+OM_&^PzTbiOj%C9
z7go|)M@w}!M`q>(PygvtI#W&38CD%^U(|X{3SNa8yj?8FxBRD@#{4WG8=#qu3R%5_
zEM3X)!4y5LRB|;hz_uqv3pu-m76I45?bA|l2Qiz1$poSrd>PVyYAjQ@<MxwLCy`6{
zd$RSN{>mmFB@TmgP#OiLRf9<Tz+E5il?1D<-zd6k`n`|a)jg^4h#ws<D9?h?zx%#g
z24Fc01s9>qZEZ&nMdxq`Zzqv)`-<{$vrxUi`MyODU=m5vT@a)7q42YVaGTs23!fHL
z_iNL6UK7^bw(E_Jg=Z*m&-Y~kZddu6s%&|MNQ+0KOyi<`zK<`4`#h{nx8OJ?0i@lY
z?`@y-bAbvtTYx!Xc=P;4jU4$U%=fOuT4HNb<3(>5gqsW+U&a7pwXUPzgTCfll7cG?
zV&fD+mYbGZ#27R42Tcv{m#hQljb%Q&-4tHW+c!jYq&$}rcbsrWw2#t_n?^wT#&C8P
z0C26<vDWsv5KEwf{IC0HfMx#W7&@T*Y{fazQ{u^IoRM?N2N4xf$<VPR_NabJe`2Ni
z8pA#$2Wj6$UYMB-6HNX9fM4Y_>50!sKz?3neyY{5MWk$MSdXRuTmE4qpg5x7%pM8P
z(%EfUCBeZC#}pfP{=z@W<3FAyl!ZrMBLv%lycs!F6%atUA$@Ra{IBJ-vep59>o)Sj
zhzrp=isTP$yv1YvHcD4fYV^%dLv~820}_dx(}OEw$I!drcJmd?5zt?zp|$`DHsxq^
zZlUqR<5tGD<xr@Pv<b4neomoM9O!G(|C_M4%4tVi8F~QC9PukanjS~zMWPlzq{T~-
zQa}j>XEY-f|B9A?#i>Z9fqtfT!V*cV^1g#`q=#_^UAo}^5E2$1<g-ku#Etu0rqqWe
zckugIwbUdRq6Q~_V#Ha89OA`PpoHw_=Sndcpz%6~o6o<7c<C7W*g1K#SpXFJX-A2w
zBzlcWLKLaxf}%AgCQEsrCWVrdizh~+4SPTbri`DI1kaTPwOyz;-%mvax{iwd6j{!2
zAt-vE5wKfa#uWmBWF$Vpp@-j5&CD<j7W>jF`~Cuw>6*YvrGIF^EK+TOQ=Uq2U06+1
zM(EX>9oJDrABub?>_o5cn%_WkSpO&XHkLuz#&gQT`R0;YxZ!rznt-zK7r$JWlW6Zw
zykA7*!bhMVrag&(ZIFx%FuZ1t{LD_KIH+fvgYc8@$IEsSi5X3tA9|~IE)4^8$5#Pm
zEi15RmK67~R_D5A+81sF;ZEXon6=w@M{Xi69V$KW>-zMyVuhiDadX_Fy)08-<Be-M
z2_CTJjKNuL2(>(f<#)`B0<e7jnXt(J!txPUM+|d~NK+o2RY6|$cPjIowvfIlR+w#X
zk*<gz5v~5W_}BioP@0!A#>G_qiXACS5o{(AMu_`s{a(w2^OcC-`WUt5!%WTv@JT0=
znYNH1&BCO)P{-z@-nn&eIrL3#ZG{2@W9gCbcDsi8Yb@ELYe;;-<I8ZLd!d)}jHOY=
zYZTM*Lq91dCJEO8CGo2UlEcbyV>jUuLV08^P>oz7(Jfzt>H|!;GizoUr9CkE)W}be
z<4Hup-pYc5s3gCIkVG82ky1&f+$JQi0}kVLQ;?LdwBn-?@#iz2`<gU3raO?c=0`EI
z{1O+mGIjZXgP{=v?<>w8TWWl#P=nbU^9$(^^Q62C{bU7g2B?N&GD=X|xFnJ>HE)<s
zz6!$L&Hq#lu=Hh~5{{rVo<Fnd*}(dzn?iSo0=u}51sL(TP9U{5+1~Bwy<r;9?Tot)
z7*9AB1Na%kcQ9p1agKHHEeY?TZLikfbS)pAL*6u3#*9YX?gw>RiuS{LO(pUHMuwkZ
zh=B~=ZZY(;9^cK*q9QNJ=gMu@+Zys=oknA{v>Z{9m5eY;@<j#ZF3%it?PLaoUrum$
zM@S#XM~?kHh2P;aA#2Shzv^MrE^^2?mlgi$f56U|k-w~NS!R}LpbfMe)M+M>lrQeM
z(DqW_0Uy@Jp|{nC?DM1QD!?C4uT<}C3fI2#KLTeazR4S;6J-j-kUU-l|259LoHho4
zP@~=~$9=hl;OzkwHn=eWQKR5!)Ru?3Tk{u$Ml+TJ2Wl3}$rNf9u)4{JHXwFj)I?jD
zXI%j+e8bYdd=vE;#&Cz|4|5I0^F47K-fzd&bdyRJ-V9C7Z{oEa3cYkQm$Pn>NO55U
z#ZD|ofBC`43)7_O-o|$$1|jZlo{bXl;3Za6<%WQ#IO#6+*{OG$QWqM;o?U*Wm!yU5
zX}H=$si1SZnmp%y@6XD*F}W3aeH*il711%*1f3KZ90o8J*cF2yB!|QMMRfWxw;Ave
z^$sq?`;DOceX?^<>5b!N(utIW;k63}DM7FFSKYj)xB&ieyU1NtGBd8^j|h*^;ac;D
z4W=s^K63d@FV<bgV++qNSVtw_K&ZGdrehXs>ww_075^WgT6fN-BKQVFv@rH5YvWUP
zLT+8;@tM%$@T~nLO}STJxXM2~8NmLFkE??vA7`y@usACH@TV(N@AuxQjs-BQ<<)y!
z><Bwv1T4oBg5sAAV-}^Q--Rd*7x)eO?;RLT6xjO^R8-zSFA`W1#Q~=_7v2VdE}xuj
z57>w9m9WEQS><*~lwI2M0>$L=6-~zh<~Yc<d#`J}^ODZ`IIkPqKsEg;n2EP+JSYpA
zYlBsAHBAuOclgs<l*;41_iMW_obFD^lys^=9m~zXaeDNTQ9k{UxAcaOBwx;+{S}d`
zz<6}JY(lwHfzwlkT81XFt5JG`Q7=Jh?F~m!M&uAwV%0>ZJ8`Pv?RtklP>S<N=n%69
z=L>sQZg4CAdFWnl1yG;y`_YdlF*gq=_RnI9Sbf+%<FP;B&IsZ7hQgL1ep_~GlIKv&
z!Vg1!1f)|krGwvbym^Q}l?~{-=>f1>84}U0kdB#q>@E@gSj@?L%Jk-oV4ckbk;KwI
zNLJ*Yz&mIqvX0kS9vL?%lfM&)DX_>1WxBoj!}C%c|HsqouN{Yf%-mry+gZ}EnCe1o
zkob0!V<-@i17iT!UuD1x2fH%7dj-=4w-Xs((o{*247{G`neZbEC8Zo~g9SZAhIE1M
zx^TKew;sR&LL5JgiT4U=3M=}F{>3-#HV~%+7~s~AUZVhnw;rw}EcZ@zsQ&ZOH(cxh
z%7EIV?5(*R_PlXIxrqQOAU=rFIV+s3i5N8VcZelkl!C8YCwK^Ve&%}w7X18_rBvxe
z_*UDJ*{F$87yXd>RV_w}ajxr+<|CNVzo^-*Zt|LfR#H~&#tKXXb&L<$3uza$JGxeq
zt)BU7AETT#ltI7Sie4MYKzerrfbYJ7EUwf}Sfyjf*zlQYCDcic3t&1s%zC|3Mf3qO
z<7D)<_+|A>X%F;p@N@^9+i~5b_<etWU#%9QrbVKSm#+M*gqUwW8bPttm3VG%u?#jK
z72{}uY!?QWq%m4WXovq=htclwNNhm_e#)swFyG!--|wnB=?f6>#}FUqL%ijwOY7+@
zD^hPqQPm_fG{c+N_&)RUSe&5+p71bI3zuX`>6a?$c8N8wWIInQHF}W=yF%AVTj=Sh
z0PXWimDm&GYOas$-IZux+WR^v4BMB)iC<j51sHO3zKqs%Jj+J?GPsDY%4smPYclZ5
z=UtVuyGRyyM90LuMwG|7IA6AXTSSV}Ey5B1qH3_nOlRAyuYlxB$iz_X)TUx1@SVQ#
zNW}GDnRZQ%q)}WDNr>uMBlg9#Q@umv%YB*$LoXNyYrDa$?Ume!^_tAg0sTHt@H~Uk
zPc5F}U!7J;j*P^W%Mn!XZDm=e9qRyDSF)Yn>29}gCw3mP#P^ey%G#26H>CYeAiYt^
zciR;J%J@6NNH^thR|-oiUr1=XB`$McD>qdOJI#x*EARb`EUM<Gxfj{8Nnwd#?a#7^
zXe58;I*ev6b5!d<9;E%@3!*;&5i&+cQ>LQRh1xh7b_B&??3~s<zYL@J=opu@@wdk7
zTn_I7*+CDJ)d4%)dC_L++_FnG#j(k;Qgr)$lUHq{`o<G7xAzDj`|o<W1y+0HGNKXE
z2D>hPJfSX^U7B|nacTU*zlgil;Hz&rQ`=9(42*oI?w+d!h4m=ki_;+hcEXBcj<y;5
z+kn79ylMO3wle^bB@RGco*Jd_pKRq#5f_nc^^CfKoZV$tK|O0MF7ymcVD%iZF~f)l
zVJcX#Sxh{X)l7T|vAXzmeA--VEiyl$R-i}jzh$qyogO_xH|c>&u{s?A7;5W1!B000
zY?Wg7-ajMoganL_v9^x#bo>6RM){w@AXYQ@YtB+1q-nCpuj{$k?#bb^X6|Q(_Mb7+
zjh$*RTRz~r@dV)Ywm7dFoTOzZBwFUbfmw--Cjz)t(cYz?`E?k8+g9MqJY^1S=@!NR
zv;EDVc~*%q{NZv|)?e<>gUNlfQPa<8{F&b0W-V3xe55$_3#9PG`w{kAxj5h|A?@ex
z*i4=n<_3XV<<w%*(j?Q0K1aZNlj~%ty7;vs!}GYGoz*1mzr!m%#{Px*vTY|a3V_m?
zcDS|M+xBj$xC^9HGDmH(t?~l1Q0-Hf?4<B4`$I!{Y4ODjGvLr_exWMaN^|cv%1PF-
zaFtDVUZJU}u-2&v(__$FN)l!eVg7k52mEttQ<+|Ely0E5uG(F5u{_AC2n<vp)!I9}
zA_p6K*<EuPcL*TeZ9h$|owrenqO)c!tv#JRDsow;?RGs48m7)=!|WZAmo(Q%^+M!$
z%fBI1LYTI)?&+fwCG`kr(9lPRoR*~(inO@Iz-Cx)$7hRv54n)9*ocDUn1kbG3f@S8
z752u<lQOY4^f6lnxSt|{{k~6a7d9SJwXR`su_xs;2Ai8g@<$w13Q3(~_j@}V7-e6;
zjsDhYpBx?i@oOYF&kb$Nc-(*gq{Y>I-lG^7pKRj%3@#+utejOyjx%JwJ!kAG4&UZ!
zMzJS5yr@tiFbs=AYayyD)qQa>+UHh{R%?34A&Ada<-}(NJ=_e{<}+w<S9$2fypT`7
z#>}SmH~zw0V{i(it8w{OiJZRiVPbuG%sM}pdC7K1PteMw8dFFX6`qK}Nzr`sUO+Qu
zD=Dw<5?m8$zctBhWz}Er*h|4*2iGdksNR}5d>#zR>O1$cZtPzXM&RtLI=LRIZr|P~
zqo5G^)V?dT8_m3*;+?IdZGAwdp}?}fr+dFz2~Snq-5&aj==a~IJO(^XI)Ng^_j@%y
z(0%hHHateh=Z5m@)281-njM)iyM&5b#R>tp^Nr0yhzVSO7MsAwAEZ2dYE_QQPQR=5
zg7I|R%%6RVj_t6+VGD@5GHu8^(P@as-)f2XAzY>4sv(L+_6fDwp+VYU+yGFT@jb*C
zZBQx5s0n@v5C;`o1YVjcL-lwIx&EHV7~Mpje_{lKOUIh~qx)h`ESJYUIYFeK1J`0l
zK2R2hDE)u!r`_p4H_gLGOt%@y#Br;JbLyp;Z;v;I_dUHaGKwoF<SPfS)$8mFDx7#_
z2B3YXz>yUdKvh9lp9`VByo*FOHbk-C!J^0gfXYR~;c1`Rd`B~D=(qCSQO{hf_T?^%
z$^!;Zxi^MuzTs)V+0Fy=FD5oA326tFtZF=dqb2?07Nn+j_<J?D1#o<VzVbj&6G|CZ
zCIbB(QTbHz|6MFT5()rl1t|;kH7ci>{cQxX-#407F+2_)qF8)h`CstSTIgvh4u!Fd
zv^#(T0F!-*J3I9;E*l92g-PAsKc)+#7DBv1*eE26oSFynhPYpRVgC<8wJ*QGsy8An
zzAC6|jj>GOg!WiH%i5nCNMe<KtKt<C``7{Cc&8$-s<Lbd%5*;Dbm4?IC?(~KzT?Cc
z30LE|qqE&7XR(ayO#kNzk_x2#!?aU`&&j?tt3*iaRi8V<PR_i$pPqWyjmL*-5h)*>
zw#uM@t04t|tv*bLOZgS7E-On8@b_PPS;pg^pWTfPHAY%Y{nKar6r_D5r`%mSKqt$}
zqrBi$ZUB+_{_k!gD%Dga#XpBj)QOC1R-)|M^HvzW#SflqqNsyQ(4PFJ@1y;t=keGo
zSNiwCk~R7Q<YTmyuKnr@iyu9dSBEV!PS$dt<kpl`W}V-Ri0*tq8?B!sRo%D0bN5pz
z7Gi!-L*ZZVWarLRE7NoTlHQML>H}TNo&`#F+8xC+EDq%MNN18pJf%=?7Ysdq?Xq#4
z*z-5tYPto6a;)xLauBX~KDnDK<<C!%#TA^?OfezM7Y|&z^Lo(Hd8;b)yPT$!vwwdS
z!~G9$4{R~7#9>X*z4SbDLTnwL7!|#TBZ1#s1whx?$^NA{uVaEdp9VxAM;>pnYiM@c
z_RmcLLdpC`^%zdSp@&wxnW$$WJgkl91y7;2>66qtDbjKNq&Yk1=z&YEqh_<}6<PR7
zXj!vIi0oYA!bKQhbsqD6Kolx?xPDz_Q=d7j`kM$g(3nizBRD2;wj$0jHQwM&8-I=q
zemErf?8`@f@4L$!=sQ!Ho~TSmc<^F`2PkseO&A;C0Tmz?Hw9vGG61$I+T1FaI6idl
z+2;Od@5AtBjuRhqFMr&)a5<$-&thbSqrdvOd+(T_SNC1s5`=2!BB4`%(71^f{^)*{
z&UFD2=N^++u@)E9Ohsz>cZRbw=dv7=!Y7`uo*dw0bNV9bi%+vWi(rAx1b<HhQjpB*
zRQJNNLCYj{emL`a3nL4NOFH^e<Ms0yUmTAlceVDZwk$0&O5Kf3FosKN;>mD9?A$rJ
zp_RXAv?XNkB<X{I;3Pj6lU*qXE3jv2Hd;KTTv>u>rp8mM`Z%Git(okY+vN!z=bEva
zjDnkA>&T!Bh~r#xSP4OXN`VA0B${4In48FJd)gh3WSB}=5X4_tro~SgLH{_6yny36
z3U%ii(QPaZ#;B%Tb)&<n;a|ZrtL8<}-HeN@fhF@q*pb?y);Bvz&ixx4yxI?!5^d*7
zq{QKNXRt?A{HAhmQeGOO11#D>8g^VSkQwWZ6wQ?od@K~%d7$!#Wi|hEv&M3)7z;uy
zZh5&6DiHFe`ZH@i&8!d6R=E1HgH5k1^4!MV{b|q3VH35AN<;D`y00s}Y50S#^k49-
zy2`>u6g0UQek0V4eQurF#XL(~bE7}5HyAe4#N5n-!sNRNS7-CXM4qlb)6L0wh-fNz
zH41U0vvJVh#8&<(?-5gmDu0Cu*wn`n!B%BQmOeyU@luY&h4pP^9%@U&NfLLFpgqT#
z`wa~6!iO&VaT|(rh-FJeOd#Dd^y$jjWSn6gj+D8$*yw4U9yk25QTv81+9U<Hn<4!I
zPG-DjXELw1D(ZPhr@>ZMl%Iu~xiHEqCZ6H)pjc{%hyQ9QI2jhdW?l6pe_jGl88WY2
z%Ie@13lb69Nj)`TMRmT+iRW_yeO#OsGPxC4P+G1cP#H@J+Z#mPL4i;QO8cwpf`Ib7
zj)s|m?G=W-3(j{Z7FrR3DVD9c4xWR9hbt6NT!1j;GTyV;Bhznrg3-Q1;%0=6d|Mzn
z%$qR9$SN9_ODw~sC!!-BNmyjW$v95%KD8_y@ih037CTOIW_iEFt&SVit-onJS;u>w
zi~p4hy28A`vb+-=HJP<vBV}g(zG`R8LT<1Yw!ECky1yEgcbWdWWpWlP#gMJh1TSS#
z><e!v2>@s?u+n6z#q${aWx05Gw5Q;%qBP${^d-?hFNvwhJS;Cg9eikEv|!1DL7Ae;
zFk9uFZW6)gNYt4G&b#p38O4#g5PxqhLY|seOTp<7jP&>YTv5qAl*6i6d#KV?EpGry
zqlDC(4AG0xL<=S|qtk#?-(>B2msCC?qZOQPWX_91;u~G~Fd-_Ck=&--+DT`nvx4E#
zcEDWd2j^Mkg8WwO&)lM($Wq)ilh7fE=QR#g#Fb?5ez}_JbCKm8@zrUAEr+c;f~BP?
z`n7FCQl{S;)CtXRM(b85NK9Qa?Lm+?egW}Va-|oKCSL*-_xT*^aiO5h6hY0MhCoFi
zK*qDziu0@NSv797p-GqU{5UR3FXj3y8i6p|#q6oX)Jj~kbFzsxfcfvI9tePSOUtko
zr)EM1qO!PsRr_Hf(FmYyJ+z}--uAq9A1v5>o&}56QZyl_#Dvwl$Ml^`Xxq&Hg#_f+
zhRlc|hjQe+*{c^8eieijZs=@Eb6<E?!l<~w{1X#n8Dsa|2qq>B0V6n3F0nLZS<b!J
zy}U?Az6T&?!_oHVWQ&>8jbG&4DSik*RXwn8OG)6awO#B-F~=CCD@Vp#D8tDTxZ~t7
zB>g=iv6!5HYOSzRgK)p$oK#%M@59KaC9PG#H`P{<LbLdFSfq%Nwc9n?2Si}HyrkH^
zEPFSA8==gP=QrG3Q};(tu#SAqf%*!L)e46huSXKIrw%=0-G=!5XTc#mcfmEs%{$$w
zuJg$1@j_geu%T<Uy?i9IpWwhWTZ}?xHySpzzLOSzA<_KJ%qJ$m7(<Iq7`Er*W!mNm
zdSnF0?5li^m1h4zQK$jB^=~Z^ma6y~7~=E6@qF`}-QvvW530<#*UefgUB<8QFO2-7
zV5n0=q|U28ByF@9_HLqNFk+rNY3Q8^@qQcSJ*{2-WRq~bL#+k8@>%aAY<6wdrC!@R
zErzqC=uEVZ+>mpnw7oJX;j7eH&V`=K-(EuSbHjaRRn0d{7FYG+l3+Lalla7eq4}5J
z-|ff}Zzg!(?X5D}H-&t1*?$;hFqWT%=T{?=JC+H{9`X}jUoiIv#kU}u7CaKjjU+fz
z#f@Fx*HI5+m}77@;12#OWiW&`nj?2|rqvUhKt&F!UULN9wOy)Pj>sOQ^);|`sg>dw
zwPgJ&;%Ym=yxwe|n?xt7BQkTr8Sqx*XY!UC#&QFBwHH-))@)o4O12c$Af})>l&e9T
z`FOqA#LVS}X|wJaVLCxkYQ(5A>8vX;Pf$U+UdAG5C;Hy<=kXCdk?eB~zqUizNq2G%
zZbFD3GOF{W=@?Is%EwhW&0oBN^dZmoBoh=PTU$SRL=Zsk5%de7q38)bKkV+-9=#Hr
z4eZh1<{)nxBC9OoBNV-&C5)Hv7p;g*Uo<IM`6N4AjO!5R`w?THWg+j#;x~0Qsv^x^
za0?~l=%G~-N8UVJD^xjX?YoT|;BXC>A@pO!BXYgeSnD+~wd4vTH244E?9Jn$?Ee4p
zy6bMaD?)dXWr{(YO0sX=QB0Pplywk_G=?P0V5qyr7K$txOCpkG5@R<i!z5c-W*CeZ
zW?~EmW0|ph&*<*{yuZu)@%TM{{_<evy3RS*xz2f=*Xy~6H)Fy9<e_OPu_|F#A4y@0
zk=I=<iotx<?m<rAGxGTtsm*gSN>YkN=U8CpI?UWfSqol!f?{y#x@xgz5`(Ii9ko3r
zeq|`Tr5KfgEZY^ft#BSyiqa@Lz7NMA#&!;0oFRGG?{h!Ks2Yr&8mhffYpRT0=VtWP
z`L*%VUu!zYJkmhiiM<tD3tn4Ik6PSzdVeZEtmRQp&fH2s$Uwj6Q6ZRJZ?b_D)u+;}
z4dB>S22MtZLrgs+Uk2AB%Jpt{H>iOc-fVFr!Af2@Fm5;#3EOtv7nH0%J-E}hushew
z^eD!2HAJ;g7{4%Lb|w_E^OIIzsdOnhqX0l1_PZ6PkM`R>p|swI)>(3^F6$HVHhF!1
zUjvh&oU6<-!Wc`&&bT0)okH%_IDSLLwqFdnf@mnqUMy1Xj{&>ZEg#CTwt1bA1i!CR
z=F~9g{AIg3z;>F`7@4bLEqnb*B98nuO8r8K%^H~eX9|F{+LL<ug*VwJ3a2Qq?FX4k
zQ|eN8YOgk`RnieZ7Q*V80dWo{wzbqHi=joDCP)~=ed?gj!Dm$TtWAYoA6I$B8}1?5
zc4f#2A%(vj9yCZL9F*K6OzG4iQL5DT;TN74CkQXn(e=pjDwR03-}ux&)qcZTw|XbH
zm3VX+H9maol>S=PQ8Fn2bA@R|`%$Vc9v8#C7CH42p)M!yP(mwyM1QM{EG$tL`qCd(
zT(EM8FHtmfU8&U<$=QVy&Q^7@(`Kt4nw6&180|6@JoUrwF-Vu~zDL<XMXjGj!`|3i
zSu?4s&;P-EmItxL8!cOA_fQs7?qEPts#t}P=W6<}Z0n5fkvU9ubnQ{_@Fz0pHsWr6
ztB{lXHVrPgAgdEKT2N-Qp&dRT6<m=EYS^J%N9t18Rnt!o5J8<GX-oIp%Fy-SMj)Ih
z;a-1RMK|8!A(?slrVtmEzjs7rq<*w>iWxi;ch`NGziQ!KJFs66{no?^F2pmsAX*%}
zIB9moyeU(0?P$&-?t_Oyx?%71%F9r8qFzHIW85<v-uAurBncM_9cFzGtX2`Mt^p7x
z;F8|dF$(;&=@$qz=oy3l4o)EaF=SL2@+J4A;~yER=+GAB+tNkl{Nc*Y8}5~Rdx`?A
z!9ORC4LC*tbhr+>=9I9hQZGVWZ{yMt{SIE6OVHyTp$q2A&!kr$)ppLf|E|}{FG_?U
zRr*V^A@_r@@V$fA3WFHK08oJs!ppg)<7dgN323>UHhjj<JG|XQqF#4A8yPQvwoWnu
zMs*W^$}qUruunUdt<~TtUZ5aipsV_LG<LXI|5Sp$)a+N*{G{Y#4ZRzM3Hou4aMvF4
z_3K^>h-TFe<8c$o)~4!ymghTip^x_q@%S{DVLKJg_w|eGD@;>FS8JrE8s2sEQm=sj
zw&7mC4UDK?B@5om<J1gZmBp*po+N*nKKYK#ujZz06s~P)4eL=ths2e6iR?%{N8Q~W
z@6(i0P_SdnKQKlOrA5iE9N0l5{9wiu2PQ<*(<U)~Wt9~d5tM4tQ=pT#SS|E^RdhAp
zXIp3sO+_ewDX9Mvg{1B11r9S(xHLm4Q(=wPtpsh<^aKXYEKWngCa<Vv(I2ewzTy_N
z%Mwtc!*%4NE-3EC6Q;1?ZaonVFSRgVb<bDXz9pqEJl}ny9;4nZgc(&QZCmMDyFX&S
zpc-Yx@&X0o9nx`zb1e-~ZP=zJm+C&MrlC;_?UbMet(RbR{sbDpE@(P{XQ(bczsr5b
z{Q%b~=Z*SX50Av_&n(qFr}H0%mHNwIEtV;(rl>3l^;e9oSJ@xSRvk?L=#D?B+*W94
zrV*y55PzG{Sdkmz<{LL_^w@d?DJSh>i>p;=s6?d?R*_$aJoc+{Nh6wQOp%gK4mRTv
z8Cl|Ctz4O+6DA#Yw(;|R7ER**g|Pc~9K|SSopg)#Zav)SZqKKR@Z%fn(Nki57HwYD
zRtwQ6XP%6TmYePfg|Rz7V9LDBDf)#Qdy#CjA~lW&!D$`5h|1PtEdD)35~EW^T$GA3
zeaO7A_LB_c=eJMl118b^?5T}I*2;T_lCQ|S=4pn^EH+gBNu6`>BKujekvE@{3Vl&2
zWRShl{|csr^8EmiCOe7AvVxo(eo#-L=LZ{0UxD<TTdIG)`1D{G3uBC77WZzGjCw>k
zSfby>6iy^Bm@>B)KZD%Nx^C{L_p;3=k!Yu}c11B=(UbanH(ss?fA@H4V4ojba*Ja%
zk1BDuF>nmGv{(u8S-XX;>9HEKJxsZ_#JyFmpv(SaD*AZ;=?G*dU^$RO4>uN1iXatj
zSZzTWn8MgN%^u@EZcHJG!^&J;x$!i$e!ogPl~Y)938U*l&u=wa(ru;|xx~O%LMEJQ
z9xE^lxIsGg0XLORNc-s5Di?Mk2AMusw@9J{B`0^FSCf*125F<|O=&5H%USx;?FTa!
zFSdqmH-}t|-+FKH+Ety@W5OqUS*!;a_<xzxbr@+R*LQlRiP)HrxLA_W67@{bj|BIX
zL}wLanJ?V1>91u~9COBP<`zs0Wq<zYUjY(*I_a<5=^9^r8h3T)oPg=8BbCx1g|z9E
zD!tOm+hvlZXSD=%vbSyzg>qW)+;Ta+v(a9LZWEvGXAwj%O(IXdu{7FmbxNk5${F-O
zwxTpfs+j5)o8r1Aq|(E=Uoj}#VUIj930C9+QDfg|?Ewjrt6n7cx~CP=C%|l?PEm+7
zi!cDAkj@!|x^`%6Ve_l*PDwuD9LD91FD#|5pudP#i!nx?BTI5K1n(uln&5cQ;hTY9
z^Fr!zy1R{q5%{p!OT963Py2>LHNbm1<_vjgW}Kkbm~y_3zC~VTZp<enpqnn&S|9Og
z6F2p4dix4jm9Uqt9E1O}eRpgt<C9h$J}}YxCUY9E?G=)}%OknHkpXj!{_8Xu&c7IS
zALO}ROU5J|O<>55-bs}8Fd|>Bp~phK@wIPSHs~_9%?zFD=CSZK6m)jt#SRnu8^?3_
zC`}>Ok}i9`rC3qOD9WV-VQ@i8&1IT+u#Dg0CN3;5G{g_&6OK1zDwJ|MU_{H7c?WDd
ze$$2z?Hn~2kzEJPxg{*rvB~PqQ9bMJ!pA<j5?1p*ULqNEX~&v%cc!17+*^;1v^Mqb
z(djV><dqowV0PsKRK!v$Nu7&EE9o9@!#I_g7tCJDcZ+!BCj_tlQaOxJQ-hyE?sTPZ
zIpzq#hq$vXW0VV<V*I>5in_H2YP>39{BZdcloNz^^YFhoum7z^P04${<x!UIxmC=!
zzz}#fUJb8VHc#J~?h{t!R=^#Wc|p2zr!yHWXHSZcohAs=v?Ii67IXI4O$*eG8@@9G
zGN8lP0((Rt;s1078Tc}R7IjP5J|--gs2y8al&g!9Qq^W$*Dw!#_na|gIuuNoij|BV
zs{wrHE!TP8d8H?uWlPJ<3%uWUmk`fthvnLjBC6xUGwqvse-vL;!hEIT8|`i5Nu@!$
zCWAVxq427dtk~^SFDARwiwEv^oQMm5fgiBNQl;$p-dox$4F)VIfgXx)2kN}`m(;=x
zDGN*ev1YQz3y@nk+{>UB#)Z#rG2{^)*dPB2{2nR1v*W?v?2XV>2ki2FrEzq)M9pl^
zTjx+@#;51Kkie{%kP~Yc2DIQet2r-2vfY>Kt@XmzVrNgc_I(W-t9^Z<W4}Z<&m-ER
z(19I%m@Sp=mw+c6jYwXmy(M#i_#kys;johDhTjuZE2{@`-xc6(rN_AGczWfOHP5ai
z<`Q{|q0!zmd95Aq9#P_U{Fra8cWL@yr)RrV(D3b24N@Y~*hUzuJV!j}&sKR7Cc4!}
z^ip8$UhKtk4rYP|GvwE_2e#F9Py{O{sR2fu-WA-{{~>7n{Lp=8i@N#m2lVe9gZ(|h
zUA&j1bLNSpOrF;`L#K>x@}!p8L-nbdv+|gwb1o^I-@-{Y>&Sk)xBl8}*dB6-Iz+)N
zBE?TihrtO2%;-vM=aXEQ5ER=)$4jOU-FXt6c|~&16{goH_)s;2*~gKJ(eBBynBo|3
z$)<>>?c-Dn=K~5G>6MY(DZxUbJ|!$<9Un5ZoQRK$agsoyJql|ZsUmc_0soo>!ZW?b
z*TTJgj?O1v4=KA0an?ttg*We&nl<N=ds&8MRWk@fNNoE=N=e2b&9l%96%#}r@z$Yy
zJ&at5b4zw<n5uOjBy0TPZOrejTKLoDZD>aOfObSc2fi2YC)j3bKo4eHQ{3{#ck|yb
z25o@1)jrcPeJzZV<c5769V+~48dy8fbIhm46AE>%E}r`Gz?pZ=p`_G4>QTpPOVz<*
z;zuXg^QPGsjRk6s`K42MyyZ+$({n!|uWA^=VsOys*gVm;R<9Ik6Z;p+-cwDfP1W7g
z{~2*ITy-p`@IgXFNL`(bBUU_!VqW8Sqhpyj#VS;`Bu^O{Z^M$va%0U0S(&HG82H}E
z-p`j6-;=v31|ibuHZN2;IY*B)(7r!x8e!lR{HhIKM9YE)=xLvQ-98I3YNotcp@Fj6
z+dpIP3f(%!qWPc<3th}B)U?+pLjzx4gudyVpDCE;K^ykTm}Z9<3rn_cg)U|0t~}*=
zx|FmRCvUzKV<VGt)E5CG{<XB*0Zssn2WxH-H&Vl^7tw$|tiEY9_|Za=;r0DtRNJH6
zf+k~aBctlk{W5e(hmsbjs8Y?&J{0LC0*mMW?Qdq=mnL1KFp!E=V&(6l$KX|_2mH_4
zom&Y^RdU%w?N6=q^3a2&#@Y%u;57>YIEyQlm~1m{m|is#*yG?&P%~otAyH+Fo@#|y
zx4OsX)~wMLN1d{{k>o!y>1{_temhQ-O>w?zCp?;5IyGCl#BTwm&XRguYtj0edfQu+
zBRi}(PXmh%`{I~E$>_#K<FWdcZf4`#<x4p>{T_(QXInPBj7k<%wgO@nOl2E4cU;Oy
zu1Ek8=eNjEOx*$3rQCYs1A0~|ElSf7zis#c5FVg}?>S-yLSnt>@IyNH9A6lY0BHI(
zzKA0D$9mSk;+X|N+0NzCHAlq$L0Sjw5+wW~Cv-*~txoVt(-%$Zmz2p&yO6{4!Wlb;
zH>i+Kq(K_si>^CaPgKDnWy6LOV>vM5`*d}Q9$xMJAxx*M%}>tvm6q^LE&nL|j03Fe
z6@7Gt$I0@RIyZBWe1H0(z%x<T*T?5F=W}cE*QAf_ytJUUku9Eoql1+A4CE^2C3K6R
z?D*Y&;CO`i+R1a4iXp=drIiW#k2Dk($ZFiy_qm>9p8=%kFzJUPiVQnntH5C6C$L~q
z6*Oy_=9y?%;N{GGm@-64F{|70t;A*?RUm94tDt|RBASwXXdpeyRLe8ggd`eQSWGxY
z@T<<!F;|w*iD$@l!4ojMLlLJENM}r|BI)B%^?s(AX+?Fsg1Nsu+GQMlq->j(rt`ip
zTi{6TcGvCPENP2vDHvnt_g%Z#N<JNU866#$W=bnBP~&(|?FrXsiH4<)*rS}}$sWRN
zprCp8kTuq##ax#fC!e1F((d+>(L70hr8?ka-9hP>Av_|*{x1|N%y86*T;c}@>M^nP
z*+*f!`O``y=gu5m!n_928wR6&H4p5E%`(<ov!A~^{=DOucwHE-GkL0Z)lSDH%C~t*
znBM9@A@{s2Zi_XMy+y&+SoYD-0uH_)J(_5UQ1|ROkD3j1f9uwJovcO{g%3Q43-_*x
zHsi}Gpx*P86Wtv@St|hAW$>tYE2y-WJ%T!Gs&Np{)}ej>!`JQz8|6xKS|8Gn6h}3s
zv3*q`<&{G1$?6oXlD9-8y7nf88dh<Bi^bpiGW(d<cvb4(Zj4IUp@cs5+(J@COa4wY
zZ0Y8mwiAmvD<#0)S2?q!`b-K1FtQC5ji7?^;JQWGel@3zS%#^$AC(x{^dycD(Ynsu
z-6{DkxWIdpWP{J4ro`4QWomm5XMP7V9#Nf^8X@pgN3sO?Qq!1i5%(%A&5%V`rW{RQ
zjbxl<M|^zao4QQENQcp@nXT1r1>;OwBjsDzowj;PGrlUn-7>wnd;9`&pmUO}3<Ck9
z5otP&vi{m2=piuTrT*mKI~ktTCx=PqBx`jfRiSJoj|C$fA{IABqxQ6m@N#<+E?ykj
z{yTuW(zkmi89sN|@n!ShQ5|(B*Z9Md_*iVb{#ns;Qj~AAd&dvWXaLF$>xV(|>^LO}
z8m-k>mUpxe39q&zK}GNj^FP90ywX~O+pHH2Z%2cq;O~8gVbcUOeXRElPYoXi1%#-)
z;F8InX-m>8=$<`G2#w)AYV0MgZKQa^0;orz^T|_ERxw$LiyAj*XQj`vQz(a-G$QD*
z-Osz3h<bBoSb|q@LlI{`jF>#~26eGH+AiKLYrL;Z21Heo%U_abTC3tlsBfYhUg(I~
z(61oXr9vstSEqBm?PXF8Q<>$aI&;Kp*ENqzyP!haQp#<sg9N>*SBg8oKAM11Ht=Q2
zB!!12;{)#Q)O88Ma|L(YK+#YI5NQ4V?a$J0(>?<!!PXOP!dU&$3U{%az0*piW*$uz
z3vZyq2ZFU+FGFvBX$@RXbGQT1m&q{czvc2wy>;G?i9>lu&c5&}5YVBgV8?F$;xhFR
zHTJNy%Bsh(ss#ByZ|^6L8RtZ=i|~V%YnI5pyuc?JDIcV)hmn&8{vC%JU-=0MxA#0m
z@4ysM@I_4swBy?y%)HX_mPg{GA%49pstrdX)HVKmt0_L7K+B1)*&)^@S?M8WbwRx%
zkGiF-zw~N>WM@^+<6KX7z4?34;WGk|CiJg^)^z*6n&u{zplUf?<)^ly@T+}h{_JF4
z4RVFkc(CgPCbS*t>n3{Xy>yZ;L6ha}9y-DeqSc_uHqYnEpPi2Lpd%*)t#lvM4U-@2
zA!;tJ1_q<Z06bQ?q{EL7FRXmZ=iK`F6dl@Ez>9OIGrv1ye81Z0Isg;vcv#_b-E1Jf
zHK^yL)o_oe{}rU&WzVk$HN&}oZy}puP%?9Xi*yjWHPI(FB68XmsoNZ<2c;J&O6hRS
zdSjy~_81*z8y1yz&Iuu><bFM7s-QP)GW(L~)&;3VEsFW+1`}JBPpx}RO!7IBJfIyR
zKKtliXj~Ni)h4C*aM#ht>@5s4<};X~PR6nvUistK@>P$BJ#$rV!MTQZsv@opRF0gh
zU|PJRSj2^oD{4#SK-=Qg9}VZ;FqS1qpa;yWC=gh*&ww()Cu4psYb%lzE5QD4_~3xU
z8rC%B?uN;(?(EQ+;u|UnKBhz%B8B+_Mg;MHE({LuYvXl1oI?G7?uG*1Lx!PY(sZ7Q
z-q50R$V3e%4@W6=p{3)=CHirq-We03%y$c&@25`f^Ogz=zO}f;;XD80a+ZTXZ-oq6
z@bsBs@b6F&M==<20fh2C*o$#Oqp|f~p?ma*1?MA2bA*G|{x}Kn8%k|MAlBa-3L`wJ
zAENY~OZP=-5kWb7oyO31++6mH<Y)#L*FKeeEl>W;b2GB5fm&xs`}eqTbP_x~b^HZu
zLYflr)>tk3A^z|ht?N!9r6}{|lN+Nv3GN`gJ-vLE0*C<zwtu_fC0aaf>+{T^^K1sZ
zlJ?YO^1c_p7A$1nx%OboL}k0_yLT?cY~QQ2Q5GuN052#QF?4o`5BsD->D4acbiLcF
zkIcAygq*V&SmSUk<9Z6qvnZl?;8d>|E`PEjL)VLm+YuM8z5E?IJOits_JDgFaBmZ!
z+|tKWpw4lpsS4qZBVYZpoK`t?V;c#J*PqT@1Oj8vz5J5Gs1c<cVXnmu$o`0uJ0<c8
z_P@ZK=9C9PGPuP+DFYdL59tfzPI$bAqQx=+;^^pu<?F3v5>2H-_4H7>$;?9h#$A%U
z;M7b=-b?^fE6RiND4|BC!|+{KNVPC$(RN0u#xZIvZ^VbBj3OhGb1hSI@vbuPCvdOf
zMt}PXO5jzm&~gUS0*Mo++*DDM7y5#b3WS>#t;x4#rj6=g{ghnnMpvYr%V4r<MK1Dt
zvv`QbzE=MJIpS4O(tvoo<&y<fik(C`JJ61m0)jl>GE|)(goP~^kD_8^z&Nzu1%xb&
zMwxs_WZ0PD>dXC*Hz3YFyAt@@r^{Bz>VS9AlDq#R7x~DcXq%<P!(f!gV}t$2aA7?o
zm~iF-swSuPbI+=4R-fGbf?ayGS>HVOT1L6}R&>^Be7uZ*ht{n9KFf~4uZ)3jVH$ew
ztMx(PSYJF`!(@^h5tXi&I|Fni-3_ouP-()E$yiENkl8#oelLFh)1u*+a-h`l%G}10
zHmm*BT*xKYvl-|50>YcpZjO1ObRTil$Tpbc!E7?$7V8FCqT=5~*B_BtBTgAi`nuLx
zO{J9IZvU|+1ESP>B>;apr+^_s@0Usl3wMngxa&ABeen2Cns%U?%ztRSoF5;gx>jo1
zsqZ6iZt5r3WQO}NU`5Z5DBC#<7R#I(s`!E+MbrGUp2w)y_>r}IKp#gd4TA853f@KR
zTBD}<Q?Iz!zAsz<%C8&3khnb=J0s49DkidIZ`gPxYVo_otYFUa+Mx*e7}qkQK4GCN
zpy=c2433m{nwcXG*``+(;9+Am?u8<FP;4>Bb=c%_86!KD6c(=h!iw%-SSrf{U5Cce
zw7rHF)4_Rs!-iZfeL-z~*08Cn@<l@!e9Y<eA&6_fa9+oGV&~+KmaX5@%kVBb-r<r8
zPW2+{V)nx9OyRf-LFnIHUp8bVX9do*zLkNaU3yg9vdG>ud>_a|e3eMdl!F_M_34Oi
zd5w^jG$z?$UtB>waz!$*u5~}{$zRw_H~Jr-clFTg^fQ&;E|d=tZq(Y0PguaWxpR*5
zud;G$65*A(iKNH4B-IRi$@F40j}>K*r?)TNkKQxiKc#9rF`n*I+s$G<r^nd3VS~6d
zbo{!y+2nUua0q{wZw+~?D=7l6hGAwmd1$7;)ULGnDH?Nf(Bpva$fB*9uy;vmPpab&
zpNV{N;T`hnPPOR-^bTj)Te^<oI1OPVoC=zD87);XTv;DGmWO<sE37QUaxF`LS7B_e
zj;_ILUMy+|Nafh3;tn1>Jd!hKRdf6@)mqLZ4U-aalv{O#AdKQ2ZhdhoHfS<$s7Ia#
z)aW`IRmx^q#2kRH^^lG?lp==6^CnG1`>ZdwSJR&Jj*M2M`{sP+RU>K3v!E1k4+&;p
zzlZ6arStW(Pi=!vCd%lg3D;2#{159)Ft?ZdZv>g=TW1?}#v=8OVYjxQKU%7M6J=;w
zE2$};ZiS+~IyKpwqvZWXYlrWic{9f&0v*Ynu;IY7l{jJLB^|t^^G%p-hC6>O^LA~e
zC}5@CwChW+LVZaQ!9_j4Gx6!N8ze4#Xyu%y8a!0jyGQF-gf&55M*A6c{s=uQXp)=L
zWp$XuEl@c}8+_wN^FRtvtrTs2z@a&FK{#2^`tLt_!vi43g~BWWiDsZFEzZx>NGdyQ
zv2{y_!4HF;&6R3_L&>KlN|&;o$KI@NnNcWqYdfDv@6gOE%q=0?6b{tR__Qk*$}a`-
zceg1M+4(626=b!DLv?B*WFFC5+Olub(ouyy60ts!;zRXeuPHW54!t;A{nz-nrPa*z
z@e7jyjf^obC808OL3;zi&&Zn%;RtW#hA`4YYkTSO7BMUvx5-)D#Oz*PKX*kMbi%Dl
zz%{=KJA{J#(Y$qW@#$gxHz7KDNn!2O2gS=TkzW3*)cJQZ<9`bC*I71ZsbvRGxc?iW
zea7r=|8x9;WU+WTx3;pVW@sDpw8v`MaPhf5Wg)Ef7do;;dLMm`Yvb{KZ*d(7r!wg4
zbTvkM{#^P3P45_K*PPi{;3^r>vkeouJ^2)^nKh=B!1O7t-Eu^2dxjh_#0ET`8-)w~
z{NOKBiigo@g-91^AHYTP<nTHspDkRmx<gVayAT>*>FBtRJoY|)>o@|y25tgOOQd5s
zE@YsO81ROIm~d=ISQaXm+k4@CdtXUe73I$$JGG+X_`@``_HBXG$n63oh`C0GES`Iw
zj@wmt4fCczSG-wL7sPw~dS2Y;JgR3hlGLTHYzye=+qfn<gN{}fQ;t$BSK6%(wa8tj
zO{Gg>W0;;YD@aCLAc6|f+<1qkHH!f2dj&<=lit@GR#A*2dL)!ir5nJs95wTB_@Kcu
zPmgj{nf8^gEWM&<A!#rl!f4&XQVW~Xh>Jd<o1>PvV=Aw0BnIPg!9KHYI2aQOAch(v
zrIjbks}b}#-oloo0HGT?3l+3mtoP?M+iKgMER5UF?rrz}x(r^f?-!FmAU9)B;!97X
z<m-x4)B;QVs^!}21D7sJtL+(b>@ezUy|;XTP`D2~&~SsLd-|UH>yaIZQVCuXUMaRt
zX8|aHG7iMl*TUdDY>Ne^^Hnt5MgO?xTNX#(KdrZDM?SUUHU8bq!ogBX>KasNQu8?s
z_LRr1md0AE7r7ZgURxK=%d6%jV~e7m`xf?5t_v%9tBSSN+2{jdE|=HJG8p(S(sA#@
zbu_5|`NZPi&xPjdHB#QYkdb~Uc!a^(j2%YR=NuJVeHkT)_Jn{mbgh{SnhcOFzOFS^
z{%v;1<6sH{KC+?+CwL|{tkLY_CG1iVYv9R{p7SSS-1ihStc6;RhSWkAB}w60Q2gHx
z!H_SH0uWk)ePLQQVv(LLJpKq$^1^9${;gWZJ!Qq;nVO2359r=-jBtaZCVXw{R)X-k
z=3HS#=x#7gCIM(s_&V=Wc6lR%ef0*CQqv^dv{CO-c>HZRMvh|?1(S6Eg1$>eAbPmR
zm;3*t0WGYu_WE3(<Gvb$e@N&bfI^ScF9qiBy3Y)C{)Lm)D8_|{{Q?i)TQC$Y?n`~g
zFLW~hF_0-38SwKp4C<`@OZa(F!dO<u)%-`VsGt9ve{j7$h*U#UJ<SE~vzp`R)~bI=
z-k!#?k-oB__P@Rxpbiyj(0W#P{8y>C1{?LSGNHq+Uw{373tInb{)Yb$ke2;#qZ9Bq
z5R3Mz1LCUL3m1O2bJ;`Ct`A~AA>$6)1$Ud?yx!J(R%ZniE1iw&E%=_W{*isjVt#e1
zE!%6gy9Dv<)Af5DKeNuo3b^s}S}ogk?LJKk3A6_8Ww3{#&NJKZ;bKR8xBI$vrCstr
zKOph*m-!UmpYqy(koC%1@zvy$DwXlJH`-Z0e_8(j_TQo5Uup{XtPFl}!v3F%;BObe
z8Hg7g99#E!r5r~Jn_I13Ts*b<iO1(Hri6~^)qNI(rr`BfeQK!l>CPl^2u1+<3SPA<
zKq1=(LeLLIjnADdM?Ntym2IQxjQxDh(_4V{+~VnTcTV_P%PQ-JrQSU%hWSP_d{t}j
zC8a0h$XNm6+_+Z$`lUBiM1h3kT776RAodS0a9Err8)%cz>Xnh1rdr#}mvtOXJ23is
zq4K`E2=;tKrl#7@ujvfD0M15p`h3SHOl!E`Tx?%tMx2FScjB5j>h^`1Bf&?e!r?s)
zhN&HvK#kac=i|YQibnLx++a@8ZJD5I)kF;<{N$vuA6UG=&-W`#pa8xu3?R@9phq~r
zx`~9#eggm#vG8~oJ*DKg3WHjueUZfpjUsW6ZA`P_q8CsBeFLXRA5))$*cSW%q&N8Z
z+N*bo+2fh=Wgak`?hJI)JL4_3uiH60T8UT@e4@=Lz}|cwNa+2DGSJwk-yzuB!H!@8
z1P>Cf4?S<uIx^&H9Jp&LgX><-R+Nr4j<FRjO!W4Oja>mi*_6;H==cwPl%f+tnYtXr
z`gb=3l+DJ4*99%_SetlmxU=a{gNXiozGCf`X2_BTujcRJ_z-7lF_Sy3PbWHQSm%TC
zyud!QWcttf2|C`^CXmd}Sj=to>4!#C7{|NGH7kxT$1K%`7vpRpcr9Dg4)n7aHcH(s
zYSTY&-aTz?)d&soHt(x{e@^d-bpD(51mdly5OH%UE&NO6C&i7gIj!sveLa0v#@-3{
z^6OCs$=V@`vg_^rpk)8l5FrM;^Y;{;gEkfgAnX|ZFUREHNHx9F%3N!XHJ@6;#O6Tz
z?+{M+itD={nmhPJyR33KggCBoj6E4%e{l9^zwea@ly^f<Tl$&KyaB=rZIx8)k0=<v
z(4g^8K5g;gXxtm6D`F39F5}a0p9cC{VHIlgZU1Dn+wK5*qJn&O4D3M6bLg<~1*n>+
zk7Zw-aX*h^pYeL7F_xdm8JIt)z<UUZwbWAuIS{hgR#wl?J5TE*DTsVKx&qBz<%>8P
z@tPX^CB%MqE(omiry?QSLx<p#qZ!uFb<P}k!2aO0Z?-50odWOCj1fVQh5&z+`L*C}
zxH1)Qh*&-O`J=u}kY%;LC0+RY`bRc=_cN9)178yVHS|`qdN9Lyf75HPLq|2ZD~rqW
z-H>Au-})DrCn{IJQ<w_~uZ1aR=syeI^evDJsj(IHhC)T@5ZAn?Vi9AGk7@h}(_gp7
zG3KDd&x3D4pX9(Rm3(KQ7Rx4t5}m_k!CJ@V)AFBb92Ik6_>~ZHBFb!6de>9l@TDeL
zrN(2O!{U5v*k&Pb(fIIx58bP8?<hr7G{VOXG!^@_IEz%pllA;BH9tFZ#t+DfnkUP{
z@}GV+i9Z9>5$^AeH+77~oj$Byi4?swo}c*Rtp>ogg<jX3GLVa~R&H(Y30YSDVXxnD
zjBCZR(sjiyHlh=G`)GYh8w9H@D2Tl<hs(BYuT)(s5B|doCff>orFw8roM}8X@3j28
zTN$S$ug1Acn1B%Z3E65WIeFv@kPih~trcZ93aw=LU$=@)TT!jEVq$@07x^2Z23Y6d
zt<KKx67Lppao(T~DfoE<Zo$adfQ{F5bfhDdH=b5V=*W(JzNh4!ltARul&!1juBtfw
zaC3hVeDRT<@ey`m1o2E1=`^UjjzZ$+ja|qWCL6L}PH%5`<+#K;w{|ud$mXqI`b-88
zhB|m(Mcy}OO-AgjkF5KJ@ng6Kb9b0_G&sP3!{V(eSd+56liyj<Z*e1i%RTdq<+B+s
zjtv3U#AJ+Q<FQyJyxC4qu~?suE5?RDSF;Zz%TQ<2@h45MI2O(pGwwiS{H|F<!Lfs{
z<=Lkb>48*oOkS;`{7#_OB^MW7JkXOkcewWL*Tw@TUzAWV9d_<;B>_l4!BvY^-agZ_
zPsZ4udh#*u%FhA6H}N;rc@f&Pz@!6gXL8F6QC&yKY>>@NL1Hqp_}75QM;yY)PJV_C
zA6hoXu{!-f#cuS{%d^&cS;sNTABASb1zdgPvy;9yY_VRM*|4G7KF%;T{u01PPL0I7
z4Ea-|aiiOzO76MEQv1Zv(it6MeTB7(igk(Eh?HPE(U1m~>m3Nu=TQ|P);OQ?!gv)O
zRb2R_SsmwdBb1){BjZRx!<xl}WBP^!()vJe*pP1$7e1^=kAoz%#v9$aT+r%=FilLz
z-b^+{md`t|#qMT?G|llhBF9(yLcZYctR6ziLD9%2a&mS)sqp;x6cvXGLdIRXY_|J2
zD++$_=TJ}hngJZz-S@;xra}p@^uWueZo1~?7wo}#6x!6;l&rB6$Hh3eeXT1%p_fN1
zb2n%2ZPpO-A1)y~=Hc?^;veDlm}i6RBW!*)GP?*SEBiEbxoph>^R&UxeF_r#bFDZN
z2_1e-hWDXvX7C;~F*+lI|M*Gv{=OS3a)Pl|jIh2@EdOh{5&!jeZ@98vx?^H^ik$tS
z5sQa9a(6GWKB|9kyi;bg3N-Hu2BV75N&b;jmmHR;6RUI!K|5~4)#0*7!1{7Yff)<~
z<`(1U+sR=s8~~HX?3rOH8Vj{zrG$#ch1>lM;l8U0bZg>+&%U|@``#3xX(W4T*)T3w
zn6R3|AV4ZL6XQ$uSvb8gadGB`6+J>Dm-}~9ns&$^m!{uy8lJ2NEBDlWs)3J?wcVf>
z^dS+RM>I^4haCu&1yUbYp*xHO0?m!yCLxz)KdEp1v5*2Q!h)}#5#==eRFIl>1+|kF
zyjXxsoX0GzdfMfF>uj>#vk}+@UEtNWEI#7b;?i;be`J|!i2uqmH^u!U%X~26{;}Bm
z$#?(!SCmog53AO`>~9pmxMpQ9!00wKMMw9MU%d2g6&tki5B_sWRb-p;ZkN|Yzb*nT
z=7qYF5E}9r{WBE*-db}TSORW-ZC2)o*c0RBIeiRuF1^b8!CU$5$H=>i*`&m%U3X<O
zk~9(lm*irob{JWp({k=_x24iCOY-CxV844O-&NdGl%cNFt9CgaK}OrPoyb6@<a#*h
zunP9X{K>qx$l#U(u$CBzQP_(U6ozrs)HR?TMGwh|_WHTQf4~L|L0`=~^lY$HPk-Pp
zR^&D8Mnzv(*V?Vk@QY|FD+uX7nfqTgm)DhT+cd7@6j9d9yt^GWh1(^EY!?CPx+i|*
zRGZyI{XF4htbEV_zU_|=US#-`2Ru0cYzvW<|JvJQ!fQ5gwiSC+h@mH#Rv(Z-Q_xrM
z$I{e(<g}*wrN`w?{skkxyWi@vp9BG=Iqw%#n3(i`kx^FW$jLuB`~KC@%-i!d+gDUC
z#v@))Ynm`L2MEnKG2d~P=pTY|3}!i3rw4^ziCSn0spYm{m4ujx^?2d7{#2S_frk#W
zHO<!mlz@HGtJ;CU@9JSPBm%(JBMWl}vI)xOeVon1jQ+lPW9>$<tv3eP7Y+pghOigB
zz>*D3!q6CH9p39U4jOy9kidGvk612W6zXqhyYqGORxGQ~g|-K)abdQUl_EIw-Q%Od
z*uO_x#O{zB{}N;uXs5YeJB^OMl^(ur#bV+@;-Q&`_vOq%{#)uqOz*e(v)VcH>3g;c
zxZP(D&iz%4q-C$}e*-%{Rg=IG(O+Uj7?{^FBBl!T34RC7O|XUhjJ*c!T(YuPq^eN*
zuQ471YyYS1l6Kw?q#s77VN?nh4l?tCE{ZDmJ~wgsA|~?Xv457@-n?BvU<a9ciw%U8
zTPy!nVYzE{_M_Nf`l_vd0ybZ<^43Z>Ln+#xy+~#4YDLmIk8^Y{)P%AIg>P|WUb`Hj
z^(7e25kGbcdb=S2bs`N|A-MN$IWA?<TfxdOjyuhJ%IVS-XsW<EVZ}~LVj|x3;|m-*
zr?SNib!=u!-%nkY8AO}QTWN?oH=P*$uR3w}*sMY$3$T-+eJof}I@*pu!?l6)KsB!A
z4tW1+%(aD<SU#a!I(RZuogFNy{`|39oOGoXl!I5=tZVp#o-j+m9sm*U?*J@N;qiIT
z7^B=Wv^{q>pdHVvt3ra#h<d+Vkkd6Xecwc`SW+99_cID~K7fawe_Ph{f~w3#Q+V`f
zgEx-6RoYTsHnRomSJ)Mgz|1C+fGA}Ex%Wc=XvSxWL0CsoDIqCz;+gS^Y4@;wjUyG|
zMQXza=pSVh7=qRNy90p69+I}`ONL8Mjl13*9W#K3W-awlT?t_|FA|28xOV;GSoHyr
zG0C#+i@T!&8BPeM-jsCI+<5UHIpKH(7tw<?Ifa<0qs+pD<*#v|9c2n6TkrRUDtuLl
z$lwcALdov<ODNOJvfoahpyDNxi^}N?vnK}M!t%_63zgdiLos~>tdcrrJzu-UU=*zS
z8$5KQL;SK_hO&frE_Y$xGoY1z69Le~U<XLZg^JK~RbL&Ai|owlm}^R!HO>HLy^EeB
zs(R=d9^ZZPb}QZE*N1_;cukXHobh@=O@FkrTwfyN?6PtNO>nL6`@tUca~IoC1H7XA
zrz7j`h4MBD71kB}adpP%q-F3a?n(bxFTY)n;O-e5xe8#2G@GL1>_H3SUiC?h#OV0M
z_%{qG(A*2f1}R^w)TSo>%&-7w^uxxow2#fYsgLSzeyJbP^LXFp%UVpN?1m9LrIpnv
zwY*Q7=6KOR;j#5*HLbRagcDi5C|Yl`ZZ5!Tmmty&mlrQU4!JEXuUy@ST0Fm1FV$Xj
z(B0=i@VHZndquCJ++HV7Wcu7wo%VrN^?l6>hZg>*doXFq89*3N2E2f?RD^189?~N{
zh${v>n|K=ioy|qQ!%;`q(*hp>llsDplOJj8_kAX^4tpJ!EQDtu(Juz3V(p$9PP~VS
zGAGlGYv94Jk>Swc?y5#tf|b61jBZhEy>2Z7G`8ZiNP8X_JtYKC9*<M|v}K&0zv>>n
z^id@)-s#3~`ROgY<BV>E?vIG08oa9oFrvrve)_5CVM%#XK-*EwxD)K!UfhXdQ<uax
zubvGOyl*kMj!6Xt_klUzh}?mM<SQs*Wo^@ie{GzS^G_A`#dt{ty$-EM=ljGR;U~<w
zjTwY@-bp*=ZNd2T?y(Zqn&q47SbslLSZr*+*3C5cg|u~+L-`NZp(uj@M~V8I`;9Df
zyFH&b7N+i7;-9;|ZskM?#Lc&Ha%zJSEY=;JX5W*&Qb()xg!1Qkx{Rvi(>!X7!4H$S
z6ZP&3gMSQTwY3P5%PHF)iia0pcGmvVC&N@Hy1K6=qdSMcVp=x=7J)xZ)Ej+USvQy%
zmW3l(@vfad3`vX%%Ox^~4(V;!{=SNH5dSuKo8O$%0lk3pX~J%V#q&*@s+THGl3#^L
z#m`05_mr#d1+Gk^OFeT9`yEjOUE|}zGb-yYQ218b%@~&(@i*-2nwLg>%x0fO_w66F
zhWBk&C|HTc5^!@>d>Mkdx;7`3hL5+PBV!);?Xq(gYbzOJd9yt1)N@G(b1AzpdkaY(
z)NKnr>mqOp0ui{JseP4}z+>oW7oMz6La$ht*BCu2i=s4-d?4Np4LUCsxA0JHmYYv%
z@v*O&U$HtHT%xvx)L32=0^A3g)oS=fp~Ol(Pg=IdoFmxNzAIK7089giaqM$MfJO?G
zWGeik;em_k;tgTdgxP3PlCb_T=MqZHYI^P<xs__#*vGxii1zC8c5oN61s+llMx_##
z>>Y5#0*S#3)tu$aEp|TIoKmc(_(QWc0LCVzn^|hY6S$K6cLP!_K)u+%V9?hk(`&CH
z@Wj#(%7NZ35NrRx&7)$j?Z@rWU-yoJMH~E;UtPd0@G2H&X$iJR2lBT&{lTUVbpw;8
zQCNbx8S5aRlos7V<<|V4)=^w<@c>}4G!r;l6~N?AZQ-;!=<5)!9&~MF9i?cf&6lHV
zml&;oZuNnHzyc2B2)^+@+$hB9Y%>@BD<O<!s*$vK@%mU8aJ(=motu`HS+0_4tKqQK
zxuKmT@{&NFh0eGJ<XIF6cs~QlUe>=JQ_a-A%j!0-zN*txTR3KY3x$K<`bk8E<NGt~
zMybM%CnP@>K!6-7@Ilfg05RsO4uvu^V1uN~YSHsL+^)rnw9!n=gL`{2=nQyz<A2K0
zB@c=X->k6WGp&KRe^p1|p(W=#7%3eAWxJ<{u!=0z_<VLy&E+{in7E>TF1S6~%ig1$
z8FWU8ro!ivRlLeHdIUMMkhlBHWgiDdqRu*D7MsI`&n1Qg@LuYCW(R7_HkNmG8I5ID
z`>p~J<<+?}M?JFt#9%#N543Wm*`DLnQgxeou6DV6L0v(SBB3&Q&N>`P`8xP+K56#3
zqZ?LAo`7BV%~BEK1QymhTGT#1Fa68isS7PkdK6$LIr(3-><+Zm_S7vB{A0G_gEHK8
zp9d?WZKd{Lyr-k9y9mdfb^bWJ^FQLJ@TobPI|miP8XQR6YjBwHkrBvBR&P*<(WL-+
z(M4sTmU2W`UY7OX?d(QnkB*s8O(E2JU+?OqzL43i3!bHlZfR8U&D6o=Y3&NFh(j^C
zcP*>!#ub{YLz*k#q$F(H?HbwY$A(Brdy3r;<{ghEU$WOf9rW^&8m7k1A>W1UioWGy
zL4NV-gpgfpa>PQxO!{sDki(ljEs(=QKrGG%N@M_AAtg@~w-}}@ynkVwpef@)_9`su
zD1UT90Uq@Le3jsxH0~{KJ>~YTX~A(g$TOIIHZ@W0DBbR+@*KiTdN#+J{(TJOo)+^!
zw-hpLPw58V6t+1$>g1MXsh(;wk@OlOjd?0_%3m*aX}Is;9DLyG6<RFDPJJu4qK%y`
zxe*?WWM4p8Q+hskdZyCvsJK`RUhf{>%~NO#nrQBE5X5KZ*j+EPz!W`F*QOT6MfVk@
zDTM~J%UCsED;`&oZQMdx-aWS(O@qC(6Z6uBSnWe=E>CijcOjhuy==q?et6Yy9ja<<
zhXGwu@rf~De};cT*%!~Ee+On=#l|S&Dq(3QX;H}8(LCHMm$7g!!Vi@r2ml4$bB%nE
z3qWVU=LcjEb*4>6!s6RU?^_3b{-V^RQalNS_Dm6f3fIjVpxBFxCtvHI?BhS}YL)pE
z*K>D$$Lej@Zh&E97jN4%9)Tv!=oK<sWy)LzhIJ-2X<hL$FaI&iiexbWx_e;J9a|u-
z($2FN1cZZk1L;TcBK%?k^M{wUw!o(BvZ(hp8|~MD!O}nxU(x<VrZ9fj$X!o-Xd0`a
z+wuP1usD5J4&epK`KL_ZQKnxo%8o+z)b&K=6l+d)Gc;vNDP9Fwgh4Zg93bOjS`=%5
zipiq!13Nsur(V>~toWY`c5`d+XSbiJqWFghCwC9)+VQYukSXC_)_=sFA7TY*#;2b5
zHnTRpTz#5gr=A!$=j4e#P)OC=Ly2jESh6vnWr&vt>(2)+ujvZAF&57^hJE^4G<PrE
zRz~OdrQ!tf&3&`hbUQos4g)+e*is6hnmG&tobs^s;B{`{U~uZ4>d8g&9`BP2<p{@7
z%E51^W6h=>?CpED7vNF5Sf(itxZ<^;z+P*a5Z_6E+R3^#dr7Lq<6%4{-kMSDU1}F?
zXGiI|wQ#Fl%IY~OlJa!{XpkX<4?BWR*MCM2YW}GD%6r}LS87yC@511{MFsQlDX6<u
zpxT8=JG+FbjZwBWQ41zm7P|-COuxonpW;O(vRgXpUoCF1z<j30iCXuC)z2I}qH|Ya
z?MpRgLn5Rmd+QB5$d-mpKY)6*--mh|ZNjCQmv2)2Z?$Xf8>>r(Ki|4m+*&|bogRq6
zF*B=Xp4J%ihu!_<6|PFo<^#kjd8$fgMD^Wx_2XOI?5c#-MC|YkD=#E9mVg%<<D|V9
zK7f)v%DQ&F`f-e%TVZ7x@!&1WpX7(7Z7wbEy@@Wb=cCuHL8R=I+bs}u<T*#3e{H$$
znqzdYlO$Zgx@<|JQLLuWYx0CqZzGa_BElc9{3nG-JbmIZvcw~3!XN;}p7jQ2l#kwm
zs3e0q1C@0!4!HSThQ^nWdA0G|4xo}+bg=&qA00U%rYu4K-m)B7d5P2yKCBJ2_TG+t
z<W4^X#jLr&TD(u2>O*a(7&qb&g1Df#ZIBLa0SMfR?Q!8x)8_L4%lik{8CZ4+0n4s{
z^HOc+f<vDiw$Ta6Fewc|NP;)-!p}qu*d5*oP+|ISIdh>mT2}+=(b=I+mZ6y|y`OR=
z=NFtvibNsSCR&D1+Ktc}*{VBfwX=$fa4D=CEgeXuXgPauR;gUlZU>JQL3&GLpfx_6
z=a|xr9?$vY-EBtp#vF(^1W@EEOf9*HAFgY)fI%HCkXI2TGw)&17ep_ujX3pGWWU9V
z!v`YWvn)gY;H2oaz#3{LX}4E%J?AFBh9QH4<!7a)`H{C`9QN_4Smq?)NJV3mL-%v4
ziqQ-<Pm^Fy=>g6_0l5Tl*$w&>U>D=!jKVk$0=Ka*KqbYY8;r<_>r2G!k!8rEP%|T3
z6ow5FQ`{So79})a7r6)xxrl(I|M|9Ndt;_c{K1evitjo=(w`Zowrh65BS<;y$Jdeg
z5P+lb9!t&W4C}7xjcHuk#lDNmHX2&|g4QR@%ZoGzc;I5W%UF1L1N8n^oL@D!D*l*5
zw5GY^zR;a2@`X###%~OSJ0y~OE!oaQv{9@??R6ct_}sbLOE)~0v~XSQ7dtw0MS>d1
z`yAmj1@`5C4*v4@it(k*ux<w7j<9gYyg&Czj>`Z{cw4cm&<)3<zSWcRdTdpR;gcGy
zRY6^?CK8frxD%VkV2s!3wP2srVqd2F2yrcji;D+96kK^&YQ*Od_n@ajIbAzfSk7q^
zcARRgxWd*U6wwBG=he(kcR5eETSeIf7E!f!kaBTB>Z{&z$DdMO)X3P*W+^)9D3{C>
z4Qi0$Y6hKuJO74)efWa957+cryKHrFd^WL@MIEkomm{8JGq1SWc+I0b>18J(H0m6`
z`Az{V5?vuK;HZJR&<~q<Zx5qELEiEnWd=xgTMVBaENyLL)vLsXYqEQ$Y0$B(#U@}?
z{Vw7ZckGSc&f&)v<9%<Ca`t_PWDd-$vy$!*oP(7sE0^v*$r@12Jc`&M@ah7xS&!7p
zBfRyRD@8~bZG@XyJgGdG_!J`f3eV1_t{HJ1M*>w`GZ%zPo6A`UE93lJGzuPU*HrS{
zlCpoWk`}0YY&&kWVkx;Mq<Y}R-g0ReahP_pE<H8BhF}`(6P(XQ4%x?_dqNLb=wENW
z)vODUhk4vmTC627PP;yp^U1$0)z5=n`%VH>5m*<dkTK&1{nt&J-n|<eD0!w9OL~j9
zNf7%(Ig_)(y($r(J78@EcW4Rr$%MFw#I!bAdEu%u;a%}3F+SfI5idHz%(ROqZ5BFu
z_uy`=JZN+c_rlQ1su&eO=Hs_kq`TfEvVunbKO@M1FSYHOB&?tFfDZ*{J~nk@-Kg<9
zcew@nYRCeTAJ01(PzN3MCq3rA(F3}B<)*Ta{r<dj_L%2oqc4x`i_2INShwS{aQ;|@
zXd~1)eeoHf;HD>|1DyAcM<P!*DvSjoI=9!xrdMw3;$J8A>;ajE?o=0(U;~fbDU1K&
z1ojs~F^tB4u1V<RU41ma=T7Lb_4y9OT-o}>eGCBt4r(rp*3X(4@mgTNC*JI~XxO9d
zGcopH&h{NrPRZk*u!xJLqL*4Hecsa<-;<={BO=i!y!}IPD@eC#T2T4!0PP)g36*xF
z*uqp<jNhfKc5bi+rONEtGbk_|MObxOGboL!S_9=t95l1gOXmD~xHg$$*k7{`=6im{
zJ07%)`OmbR1tn7_iyNU&^)rP(2CZuN^iS9_m)__dlI*sZ9OD|@2#QUDx!lCM03qMy
z)Ogpjo-Sgtjb4HsHY$C|q?;!h)9UQt<rNWiDy9h9avZ;Uff?nK302s?62-bgnDjt-
zm{MZE7GI2Rm+oSs@-<0~i{|W|j-f(p5V~fAzjbV9P;=E>n;lbUXH}!0jp#Q?poKy9
zN;v(v3@sE>wI*17aZCV?rZc{--U|(eyz)1bEt0%o@_zn}-jz7akk~CO#r~|m!p!-V
z5_+e+N$63RwPU#W;ZDEV$9_S&XsZ3VrRX_GbA|KHxIpE<F6mk!w%Xo--}K*2N-VE#
zGf-n_kenfwT&O7tk$kskaDvOVwQbY^%*5t{LNhDfr}o9&?q>uWJyGfaEMU7PebU+B
zq@U^)qcUm@AlLeD$aG`2)Zqj$TaoszxV}<GI=-M@#rU~mr2t2mq^-Bl1&1$mr9I3x
znos%OwQlo;rB_`qfr_Y~x`c{<Q>%zN@VW|FHx~fu4*M3^rn5!2F2DGxLd)htRe3x0
zp129E2<E={&7+OfZ=PA6T16G^ZNUO~Qsu=MiPL?pM9x))`pwq+i4QpqE#oh_+Av;W
zQA1!{!>N6*p6WCU*v<L`Ud`xSRpVmJ*-vlwF6g)dfpBjmYkyx+P=<d@w4mV%n7o*Q
zVg-2h&#@mhk{8J}3wN45FM25mPCY{&FT&)vFI~cH`?71iVr&Oax)>d=_CBaDfqaqX
z`XuX}Wg^E@eUR<Pt?FxC(8^%(zaUIUcKL>wJ@@^jkz{CIpq~-C-(V&^F~E2Xmi$7|
z6(!BGicEUG`I)G4w`TY;pM%>;u<d&&J-lJ$i}E-26p29(DUNj>#-+Nu0<TK4EQmN<
z#8E9ip@gdmF&H$8E*>2EXI}uL3>TA`?~`P(T7VcaLwxT{Y-B@ge;Pw3;P7y+2*);#
zXe&0DB-l(n1Xf?3)<wog%p<a6;Gt45-u2(Gc)7#a5yf`hY3irk4^?{K9tZtY5xkbM
zp4k&X<<sGj%KB%wNZo_W2`1-<Sik>GZaBbXNDPack*g?z2c~P3O~j%M6X1b?>*k<)
z*RFlY41KzBT9Ym;Ved*&-CP$nsqO6m5ay%ZlXdE2Q`-7s*|w~G3*O|E3Dm+ne7(x6
zk<oO2hY5!}H-mL4yD7@FJusqOVC|01Rc#Qj^htY;``-p$4C)eb;Q^v!_q}G0ux|Zx
z;li!cxuITYJb%iJ$8T%joVTxUaqXsCVH3>{rkBc)&+vEn;czG5pX+u31-y3I9lrS;
zze89T_I+HY@tQPV3v*;^y3e<Zm6S;EMLjRD;c^Z@3=8|1tuU6yzg5+^x2~xsSd?Rq
zK^wU>s4pK(vLYz>+Z*VA{Dx$vQv&&`{5IelHhPuGKDO{=t8H6Gc?o%hi%e5Z4|>2%
zv(wfmq$9&w;#0%B;=(&f&zPX1MSOauW{}jNtE`Q!J<++Vz-Fqdcwi_eWUD=hXST(c
z4D+{u$yhw}LzBQvaUTpF)D%i2)Qs1pjiz(XG%wBikyC0y3QHP&h;+n4m0D#C=Qv<*
znLY~Dd?T}un)W<Y`ECf@Ojd^Q(S%o0-CA15alH8VEuF}~tPA=KNwch?Mdh*Qx3m6G
z?$(d)Q7L0P+Lu8?Vr%othx=@CC2VjSWhyz=FG-DuDpN$mYHBklonVG6DLeYbdHm&a
zw-qfsWh4;ZgAh|DoYe^=2M)k|ye|hg7n_tV>}#er;WAo_ds(1&y#0~KTqH;7v;B~9
z2PFH=$^c&G2<!d+2MF$JP?QF70f{t>F^Wfe=&~k$@JB3tX?rsV^DcyDtmrlqLSkP;
z!RRR^{aGnKsX9K#ee2Ol^Xe<_3Z#vssu-;VzsqdZULzzh+lj|L;&QnfOM&LY3N87u
z9geTr^HhmZpv2~@T=s~-OnX)+Ohf)i<-ViNtCV&s4-ys`9NWI_7%QGmM^R>6Zc!L{
zQgfCZ-aAeEHkjmn;zWkw@~Y6j^OjyAxDcOhj{g16$IoKJN+tOK|9j!Y_m{j6a$md-
zE$z~}+8>|=xtTlPT{$09SP_xu>q8poLU9I4MVyo8ecqN72=i;kyz@~T+<uC;72cSV
z>Z4zrLMju))UOj%B}j>Fmvjgd25YuBZTI8mk+`)?YL%a})R&<6IZUHuiAquCGhYwb
zKn&j?O<kyQHQf(2zS7D(NX8dzZQrzLxjv9P|5tJE9oAIVwtdgsGq+_NMQ{Wm0Td}J
zq9Q^<AH{}%h=meLMj{}FVt|Ai7)NOWK|zs@NK+}15+IZ?(jqM=U;?2;2@o-aNC}|@
zz7?FAyFAbReD8aF-+R3L#X$~sc2?Hjd#&p_&)?~6oQstk8T7gVaX`(Llxs~V+J6>y
zElPa<TbYFaV&*vO=jp5%9{wD<wg{aLID|_VP(s6y3<4}J4a<X%e#n4PnFn8>eKr>l
z`_eBKrB&|YoP{9aUVS3G_I><f5(m{w;ZSl~oE^CwL%uTBo{=^u7euSS@m4&Tt!qiB
zts*IE^{hjh12sT~m~|Q|Js<MX!+X<gS9X=LM)vSKE7p)|TlgMDqx+PjFpx+gh^TX#
zH$?d>>}uF|4JJ=1ZG%7uEj~X_tI?+T)(g^n9iDJ8bDDu7T&<Rd*Z6k<7voG~z3Gu-
z4vy#nfPF(WNRMdSHNy%1zHw8aR_)ex#_v>!S|v_M%(w&#9+oNhEy?CiOJFH*gD~Dz
zkll8qu2Q$ELg4}>w5mbEP-{mH{M@)+Y4fv|<3Q<a&lt=WwrOBTS}Bhiq<&&1nWx)o
zf@XnUfcDX0R46bZmN6<SW7x&M&=u`uN>(e|Ik=Z$IygaM$C%*E(IcH`w?h2UNtCzn
zIq6Czs-B_Dx!L@(xQ8_^P*Rv6Y4teob5KtUcylpOHEK@ln4^hoF^jnrjv5Ut2QhWH
zt|}D@Nw1PLN#3}eN0g$gk1SVz;DEX)SdJL4jT%~OxL!6Nh3#}VchN5`smLyTA;|Np
zd8j?%DeUj__9#breI_hMc>gw6lNO)0jy?Kcm~o5SbGQ)UN#8nmHM*g{=<}nsLuenu
z+*|&2!#5Znx{6mszFALslIJMas(<M-<jT#`!d0A{0MmM<uzsX)#AztRGi&Q%l={+g
z@o<=1cdW@yioc8S{i{$I*6}cEt~0!hh8tF^V$NCrz}}hoWA|$2wH_uvWgEJ)nC;Vv
z35?&4JX%Wo984#u?Rb|NxQ(hqu~}pQ7?PuBY-VyEmXw_N!YGM{?<vQfMWibyEniS<
zX2;=gJDRBQpnzqyWW>=uRMy<cU?p&vV|uN%0g1|^LA_ZGnXEyNJrR&TVgJM;tJdqh
zTVabiIjUvm-twe{%E*IV%c|LQnHIkte3-n8#}CDP>QJBjj77uJ#dRPDRWug(26`IM
z-))50F8AloeUHiTb5sNI8@?e0g2Eqo2glZ$OJj4%pFFF^o5{&gdDferl7a?#%(3^y
zEiSj4wQpo@Gpno9b6)5p<y62t@AaVHXjLW<Sv<Z87^RAg{oTTDy^emc)ct&D8C;ya
z8EW$GcJzlyR`~_QioEaj=>k&d^8(vZ8E1Qup4qQ(CbnhYY;#jJ?gy$vqWuDnq#5Ka
z&5cl0nO;^PKRKSn6mDxlfMj39w*6+JOPo(`e`9E0?V*A73qqnDyPKa?OOM)5$zSsd
zEU_p-)x}hqDjg9Nqz$h+@$URWdE0~H=SypiE9r!x4zgly!7>p@zbmmVM%Y-3hhc1*
zyzdoZGc3fAF5fV75tV|3Fqn@%Ikj>!swjbb-cwau4EhCewJ1Ut<^U@uS1$+f`A!A@
z5NMH4HO2EhtMYW#aweY9*PN1Yh9X|n-4`YEh<_g>o57z_TdijWwIckd6pXFQ`c4Ra
zdd*Gwp9bl3T{wJVW-GqXi9e$kbqn1nRc=_Zpg++#WQi7CvMlYyq<lHhK$F@FQjalF
zv1~3vU#nZIIP&Xk3a@F>H7=L<HJ6%UA#28433o0|>+>!S56=sI?mMq_hbwo;odXu6
z#hb@#eh|4kLiEmsScr!IxP^H?0?AsCb#ElHH<<a|>yXl6?CanoqhC@3*sofQ)_-za
z3gxU?z(OY>0JLAn*+C$`SQ*tPX@!V%SHogCKe0YSKFp8I#=X@C9qMDB!0OX`NZ!|j
z&_qATt-2s*GH9^5N$^E>+A6;v`f-X3*P}e#xb8&6_t;hshW1!S3?fSiKd|FHjxg<8
zUq8NVPf_GeCK6eK74P{@cy1%c1lf>^uVn7BbjgsHF07dlc3CJk!hd9}kp7rdR*se`
z+-j(=gQ`J0vHbfeH(tQ#PP<kceIw|gtv)Z<R57@gxyMkmgG=Ky1Q`R6{esb?o&J7}
zi&AEyx0^AUx&L(S<=P$sm|5s<J7=pxR7}nvmmd*0aF2`vd%J@-!oA+GQTJ@E7cK|U
zIhNeKxre!!v?mURdf~lq=@4?URGxd+`6t3)IzOuPjAFdyxGT2LVi?NGn_flDjl(|9
zkUSmjYX#M$l-8uK-VxGjJGaUZM{aodO4Ve2H0U`#2U~^q>2dHFnHy0=cyNbDSa71L
zF}rDUVv&|CAGAG?(<pru<Q*q3r&0X-n0Bbl40VUFzy@c>4srWsc+Cim+gOtB;dq{_
z?4Ts~@aK9<ulF1aTm8EM$nItAq}G$imEuIgDK3@0Ke&=kOVjGcRJ%TLE1u;Zq@h_;
zXsS%)lwk*=s!0Ciic=4DWZDV@o<dLzW_-)ycD)8-3BB^L(3FKg7n9g*jht?ht6dFs
zp1M0H*S;~;kR~1dJ%Mq)R+MSi=rhj~3EIuhkU5QRQX4kbALA%hdKU5E+GL9+W7y!H
zij1fx3L<mHy2_?Um_s3_fMJ%dQg)r(j>%d3pv6kAOx4`guoOV8q&+-6_zCI{m_Pm%
zA-#$0Ols#lFKsVRF&0?=$XD<l7dB~zog!$<t^mAix77kUteBB;LMD28<?c&5KcT+C
z*%;(!wbOhrb>h}D_jEhhvd1x(psF@S^1RhS9UeD(EJhHb5V-nIi~YcEx-=-vkoo6A
zgIV{!wc-ciLSYu!yh0E><uE1!d62ETJ7yedS3>IpH<3!@y`ip2fm+0j+~L)JHsIxn
zNABE9h!dobv4r5f!dtggO3+DKFI%3qB9L5P-LO`jVaBBk`saA{Ozo?(gZmo1yQR0y
zFi#lnTKsxL6PhXQ7;U&&w9OXr>D_YNbykzxpW`%I-yexE&W%Kr)<1f?@DzV{3)MyR
zN!EUrcr}_HA|HIkzZC{KXJCDc)n8H*fd$dbXy^OrkYcn(!|XB%Nd=X-K`G~kSk%gG
zdO4kYF+C<6L@#Cvym;QntIXsN?vU5iUzNL`j?!xB`23zu8)6+?m{i+?fINL(1C|%I
zgB0=d;>EE_M|5SMoV`ZovI8_YYp91)488LFNpr9)3*7eWz)%f2crYH|oa}rFCLSHO
zN0ByCdnfqAG<g3+S1Im?OgDr?aP2ujNFM&O{4*tqAr!K55{%%}iIpoCJwvoJmmB4F
zp{{$B&&j2Vr&oc4$#}gF)F!}_1;Br-OGgbG=&XBRFI3PzK9IG?_}=pNEyV1_)|Yx~
zkp16$@WA-C3(?>BYqJU#)YK|Y|4^c~e&~L3MX?I~TLTHx)9Hsj%yH|5`!XXz(YG$A
zOAWo~wEaU#zGc4rjD)<hB>&8S+p%-MYdk#NytH@%)P<`ORU}RK{;j%L_nlv7{P~2_
zb&$dM``=XqKd^X13VyEsqj>$lW!~8M=iPq@qrdt8!42}icffjJ>j#-$D^)B7q+(+*
zyp_seR{_j4@KIcq3GF5jxpIJh94A^?3t5$7v0m?r^mj@G1(nW8Z=~V?!!nC~b&8$h
z>(Kh~P;n^_<2opQ`(M7)fb3G>=mv;z;{km&kLeGaW=KdAWl2l_%d=C`zUfNQ{o<hq
z)m61x1Hk3q4GS;icO&iO%U``X9wvt=*A;EVUK=|0cQPF6HFr#qYnL|R25xd{82#ay
zQph=NKdax|KSVc~6}4S-M8$B8>(33{CK&FB*-*#-@`RfZ^>~a{WSj!?JhnY;WU?1N
zN|rZ$(*a~FN}<2GV}++j%SX|*5$BbhiqRgA#|DNc`q^*b8>6@EC|0XDH*ONJ%`PaZ
zQg1>|b`*Fdeea6NRGEC_b*VRQo=D~Re`-2Ec`hY)NVVt@4yHNdF=5CnY0kZcY8oEt
zRP&X7jE~YJ3W|?s@fKT4ZI)r_ReEYK%8;gENk;eJT{E@~)|_XOgAY~gdI(J(llCv^
zn>)1q-s+Vr`xu($-~ehn=kSh?c$Xh@+@W?E*0ol0RX$GhVFsnm`@FrML-<%1BoL&y
zdMs7b8RG#-++WIct#Rj}tt$k$u@nnY72g%SeJi>M;r|m8_MX(vAyYyD#vHPta`VRk
z^~u1E6c{GwhDjgXi`jo5Exvl@q0ZY<Z?w;TuiF%k#ZC9#C+%mwAE=o-*NW4#DGrRX
z?AZ$amqLG=%liSrFHmt5XiHKOv~Sf0m0iEi^ERi1<YoD+0%6In&3_3?Ovvvn-=lhK
zA_xv{gEhK_J9PgF7d-D*AWHvyc+L$CD^zdwL`nfQ%PCv*6_LDedX+3Ui5DJt)X7*Y
z`sV$nS&6f4=xagHb^#YqV(KDtE4zfqqugad(PnR`_&eK3Td0<N>HRmC>p7aYJeQrH
zom+im!CuA8k<$0;dgIJP>TjxfT`V`cz$vPLbRYF9%Z<C)*6UUCaktbSacMp{A!^(p
zy7Zw`)jNZvDXecu?~UIw(^G6$AZ&Otoskf`g_BGna0)wHW`k64cjQ2C(g3X{*=o0*
zo9dkrI8oepK`yVNrUTKvEWProq?|lb<C=u6_$RbC@k(#do8<@Tg${!`Bf3sbGEV9o
z!`AC_K`(JdQ?KC4jM<yP>(PKQUMz^!sWjvf9#v9x+I3}!Cyy3)gKoCK0^B#*;!pd*
zPOL0|WPN7=v6z7t&pqKYxYV)NHCyAOzq@`{-}3{Z|Hf_|YA`cS^gdBW`?IUlPs^19
z&F%P1c3LGrn(txy&6%|7oA=fLz$HW@q+WS%S!mzHDTKbgU@>TPC-;`Al$}UU4)}Lh
z>hge2SKW2oHs7d)oD!dA94Hqr&!rmaGm9y%IUo<xG73d@+J^T%T+Bi^ZYU;njdpxo
zeZ8Qki}na+$}f#p_7RKz4&mw=q6WWCzwTK8+Y9VHprVH09A(*jc592UdS3Wx&`+J`
zMd07`zrr{>*xB8v+q*`%XE8NoEthrM!x|vuhi2VN&kvo4EJG3`I|AE@aRAxJ9C%4(
z$VMjr{Nle?dbH*KFDpHCRdyr>tWK?#^4$IV?%Nw>hRfZR<~jtnR>C$s6q)0|G%(bE
zKJ9muMOs%^#0$(?m+O^*6OJH$+cTeb%iqjm`d<H7*5|F9M4eKXq4FC*Gi_5eQ*1Z*
z<}+divP_2Bhh_-uqxr5p5A9vfKahv37jhP~4<Jo)nEj8i`JZB%thHQ6ZQFxSEd~|o
z(|S)NEs-#I^R1IEA(^;yq-xT}7Uh_7_o}Z!e-Rk(JnwBtbK3nTJ){*^Z$$s=q$w6^
z!8{EPcK0u|iWQ5$mxJ&QbEDmrXf4z+PiR$ESqd!MXH;pyb2#KZ%mSosuVh+uOQszL
zin=eUJNIu}cQu-~NEh}$DXnMDkQf;{5RY?V5*L)b7&L2}vgVt$H1$J_OAI~kl(*rA
z;Dql<J^tqo;oVQ=*EP)f8t6twNu??RNCHhW$sG8CiebJr<G2&joDgpU4|`RwdP`JZ
zg!UBAkid8e0g3cBH%{#u@O(|nZ^({otAPx|Lr!%zg72I7!Hl5k{ad4IZjmDF(Ri!w
zANmTNC#7DcukECAM_V~Sj$83@01iM#20T?!v9hGmz0>HctWIk3xF=0eg^zMZQj9oD
z?-J^KAcKn+Jexy{_`1swIzc@e{;DYBvLS^4j};}BJb4@GDpiWx-cssGW7)bDul-N~
zf3&K(O{C$h$p8-}3I1bWeM)698eOGOrPJGA7KmVEg?4*%&OEITMGcS1A*Rb+h7*pe
zMz-wZv7Ux%^ew9q1?d~tGYDOrS)OjtVFp}2rTCJ2{p+pEpyLc+y_Mck_e?a#TseLT
z)*OELML9wz?YGsTw!ps+hL*H_*H&XC@JOFG8e`9Sy_sM0qE_|j%ymSNZt1Hn!O^Ds
z-9pg!;mIoyI#24!EZ3uc693j&zh@Na`htK<dhbqRHi}_qc&GQi$weaIp<>L<ALS9%
zN;^5UKUUN$YndxUHEy?j9jr=_Gjhv-wiC_WHy+cr4`Vw43oL#~Z(t%U-BE*p?LJZo
zmyu<Y8nWZm+>n3Wkv0?)XH701xEI&@2E^AuBqx*o_Uk^>v2NR>R!H=2%vE+VI?~;G
zP`35}&x{peZvIkdw8(p+X(?&pRK0S<Whsr4%^ELG+@ktlUC6e!d}$9P>r(H?I3+`h
z))i>(X=fMtH>W(x1h<Fu&|M^z9agm^uT*of3aF$%(bRHP09AKCP@I;CcIaS2EqTdw
z?>+V>NO{D_DLBe}M|2ZB)7AVLg=Ey*T3Imskd7lOnAEke3`|r@cRPgFSYZvP;=~Jx
zU){(C(E-tiOWETCC%%0FL+IC*?5q2JVv%lSbU)Y4d`oI#w)jSTyGYEevpnJFS$SUR
z8AHD~0~Gq5zVi)nn^QYxri>R~e+J!YAY*4Zt8AY*o3IkMn9E#25%`6RnmphXQWn46
z@0ug9Ki$0_b^@hwlN#xVV&jUpE>ty-W@Ei)YcmmP$JZZ*D}HFSbZAjD>0DoI|H72b
zx&&0kK$LrH-;od>?rDspo6{GgK%0$ao8HWo{y#Oy2D_klgIVNh1=fqOnSrQa)+Aw1
znsCJbJ+#1Cu{)jZh^dbDM{t{k+7%^T`h^a2=f)0sWuBfAq2r2Kg1jm-DWDf#sb#&C
znULiedlHcA!f^}6%zy;mSXM%gQ*$ze$Jhy(6bqI!w-R30^Bt-P-b)_M^?bi4td%3_
zUl)mW>N{XFI_Qi=N-Uie==K=B7Uj?aut&>k65*$Fgsp~uf7UrAtkPH8&2sy=3Lg!!
zH4Xdym+k@-N05+yw6p18R<$9T0Mp!6lJ((@<%+zX%s!ooHBSm=WD2=iMnFzBm<-C|
zOiu{g0_uOdNY;^9c(j;G%zmZXJ#u6FUrJ{;d_(n*LW<YW3c)H^XLQ6rrI(MlOh?6Y
z*|#l^*3zSomRurF#J{;VbR-(S;}*Vw)2iXNAglmm@c7_*&o1`<&kdywp;A`&?W$dG
zEo83el9MS*vL$nYwDvg~!8}2MJx2cIx3W3TA_4B-E(m<;)&gQr1R=y}c61YuF}A}I
z6};s3w`sg%wNU<a;KnKV^6}jnUr&KZ2B&c3@}H-W%&o?x9bci~;x8)Q-x}lR({!59
z7L(@{5JpLkS$;h`a^n+mDJ{HYijP}6Ww1Hzp4rshom^b)=I14mr0&ZsBg*nFn>pQH
z!SSrZq}W>}k<E6#>7Y+dc1`Fq4J#{lJCcB^C{<%5EUq1BeFdF6UdeNyiGGy$_DaT`
z9*H?^Wm0XlsmqbmnK+wFZCR4yi3Hu4cBAHG#<F!vH!g(TuP%bn3WpieE)5B5hw)o5
z%#p&!<eR`vL?Ei{C|@;_>RbMW9I*r8mc;)y34WSaa|U_N4%)cVzUOQ&yiBhcmvh2v
zyzUe0?pO6lYjDQ(dPizGZZ=??_lRJZn0U61=_|Pmq};#P6Whz^#li%jtS(|SojAuV
zw_4X@k33PBYZkXaVZ3oR0{Mh(R|3pswgUo;Es4R`WVDFQPta4y%Pxu+YuBxJvWDKx
zTpMGY-rM|h>|?1xtC0nG!#*9e6>4Xi^yWEj<1SM@qAzRSO*E9IBH48B#E~uDwR2<c
zG7qkm{&KvnOWDaB`SIB{ei%M4<^VrF!0L2YKwsaAeSNkItR)~sR^PHVxR24~a}r0L
z*wQN4nXX06Lv%hutBySFWVn}j9~lioE5ceVChcPj{n)X1dxlGFlh9zIC;up&q%bH7
z3fU?cuSp6JFP-Q&ZV^!9MzV~ky?hgchL93>qcV&=8^V?4v*~L!)9?RMZ!5l_=3}?Z
zlWCP$-yo<@(C}NgcR`)`abJ$5i@P<QS;fOeC3~vm8H2xsHZ)?1hG}lR=9;0EDaNHD
z8>G7IG=BF-gEWdlmG}U~XrsJ8)!zXt!AKUABR~z$D(q$+aYAN>UCCb=)Ea$Ir&f_d
zL>jtgaz{!02C30Bk|tb-f)${h^^I7h7cKs;It4&l){?!R%Aa#GZFbk>$~1K{rt2Pj
zhTST}p8Ns73LIEbL=~CwNBvQ<s{upv*q*Z?#t_Rr?C1U;n{nlA_HWXoR`dG_{)y=`
zm4k&f3K!uvo9BY|WN1_KZgp0mT`diQ<FT=Z4wkbGB`0W##FlYrTVOeAlzT>hg5=~5
z%S5L7V~$+N#ATq%-iEwAz%h;OVn*_W(Se5txP;)g<*sW8*5A=#DClNhFxKTr5<|Uo
zTi;?TP>kwFAG^3DC$~gTaT~dC3;F|M*rnJFAA`4L3^;f@YIW!#2x;+c+^WG0cT6wi
zg}dPm{CV275?;Y<k$m^EpxAU8e}~kdNw`}@5uWJ{$Xoo!ksPP-rlLpwgeQz}Mtfj9
zroS%prM%cp@Eu>EW9me7kl}}{5AUT6a3iTzhnhPB@Z)mS)-@d>j8#V-{bjldGXm^L
z8h%$Egz#wF8vNg##q_Ad2v;4<F^4~LRlIsn*$t)~y*=4_se=8?p{Ql)iZ3#P5{kb@
z8)kULF9&_;TGxeguivIYy#=iv)5vaZpDqV;(XQ@ydSOeU^`Wbq$f^hfbUoec=Kf&A
zzQ-N}VFlMdQDt3j3x2Q&M(!S5d8I}vC&x!yIGi{Y<|zEkbT|*XL<&etsIz0Y@Z*2n
zJm7c#`{sfDnst=$(N6yl={nqdnOQhf)MobyBBVU27RKcpMKLV8^~$^L+skP+&enwS
z$l;aMf7)%3jdo-TxX~saHpq2t1oTF>cbaB9-e`0!O^L#3tvXUUIA{1&nx7&H;-<jt
zLFgEqwxTRqu-8r|DQEaK?vC&aL1iibYG{Urg3Ci50-oLQ!&0_){rT}^K_xf0WHW0u
ztEo4#e4_f*e%Cec<L}P+TFKjUSI1W_h$d@(Qc&HUR+EOy^FDl`HjS;%9PT5z6YtEA
zJlIK}{>R3}A><1(iV>gP@NwB5lnyh73m-3fZHVt_@aEvNJW*=N%3WX4Cj5rFIYW5c
zA&N0SbX+7{Tn<_7>mDb~*q*CRL<})MqY`Pmn#nRN!o#FJa0YE+k${6?J(=j^G}DvG
zk>uiexh+&z>|^-%By?18)@*2(A5=&IGZ5P~^K@Yd6y8*j=9$u)&mf^8>?0&%%%1q)
zcHSiy`$0eU12O%MzmMwI`y)c^N0<Gp@>(w44}3))(VMU+jYf5AH#7}`aSL~U4lA$H
z4~kZP);C=e&bF%~v2(>kl|$S-?pzz|wmnmus%z+q2z$Jy?Ff_UUDUzcN)OwGRM|m_
zG;PVB&UZXmnMv{mD)+gjlPZLLI!pD&>6VCEuwM#x0{f*3z6u&*=ZFsL2=@IiVs|Fv
zX~@5d-BAbmTg3@PaLWzxlt9x^@i2Q1lqp(@i;Z-EB>xVWU%jO`^BKLuVGXPWg0CVe
zq{K~NiyjQdF`Tca)c&FuhV|@g%?Ge5Boq{%LHbQ212v4v6h|7>57vXQ(#>fC`@+I`
z&yO)}y`xV*#oYBC$_s*SqOaKb%>qGrCInf#vmmdleNh_mqankdT6d5R4_LmPE(Gq(
zZw6!@mkxhOR(5uHHQu6hfC|2UN54|X?66vCLfPKkb6u{V200<90R<MLB<8x|;dQyN
z#xpK#TZw`$%rjZ7@zjBV$c_o;&m5hRxzxv0g_X*Y^3NDs`dSagt(d`l%=|LcV89Ea
zk6DXO=151rg<(ce$kv5hRECp3)8KpEWqT*sIAfr`#>jh+R6ZV09L8nXTrB}iAo>6+
zNc@R+u?7kMl5>Pe202Ifh>o5X6@GD^ocd)b;G;)BDHz_PHI1KGTYD6Y1UX5BKMqhc
zEzxM3kBcC(mPZ)>3(9-7!8zi;3-76cG0LMAzgwInc<|27{Vnmx-mL0N<J$rkBcR@g
z$K&!>^@8DM%r5Ekd)O0L?uu!xb2>;n8aIg8+|%E^)LNe5?O%JbQt%+Q!RH;`+IyaQ
zj2Kx_f+p~onuQKp*J;5Gx?Ldt*KO*fsy#g(*6;Hp=vas~`gClOeKVCpSD)G45Zx!<
zJucI4yjXiGiAt)H<x7w-&6E(lw9q)4Fx09;xeO^)<OUPOkKR(pLFU2tY;IIjzwu<y
zR{YH{?-B<Sj7QoWjBZ!h@HdSeDq)?c!eVSYu?>o>rr_}*0@0JpWENA4yG~SkWYPs{
zEG>I}0inn~=1v9f7FGphBPZ`>h+>0T6As2>Bd`p69+IPn7T7#($sUUz=&l#0a01>s
zHI#b!Y!64H?5oCN+60*AU6_h`z6V!SvBJN<NTc27Gqdjafp*%eeT>j!(wiAtXMBU`
zPfOdk!&wobIWUPcZC2TG-{bXTi6gtGaWHB->{gZ_?Zpk<Fx~uFE}+%d-%LD{u&h97
zi(fx_1lrNqvy#?@T2(!GWMnpf{3fHLT0yn6dw0GLPO~J^v>OUZakkbCdxfT*ohH93
zLcX40rnn0?_ZoaZ7>Zy7-DJ$io#EdN@IDsWG+W%}AUe4}@cDBl&D4m-6ajr$s?v^$
zwIs&HC2Zx$ywS~4dG{G@>dAUquI|n##@kY^d2QAw%$rFpY3Tp}qi@>K{QGilR)M`<
zNhvQ>HR_M?JH$rha(jBcW|#B3WQCLi^Fp<um3GZ&f}`8e3bUrwx>guCQT@!ox-NnO
zn3SVI=QoT?XK5?6lZ<fsQH>p=4mW6&^-aw%43Jxx*7lU2^<gnzhDg}<{pE+XSJ;eJ
zB+Si%#mu)hYFI2t6EdGN(<6^}<*y=`&AVl&Kd~26t8XW?&~0rmhmD7;H{YCOEd0&0
zitFYmad1+#x=K-@OR$s7>2H-TZ||D?o$GufYun0lS2(21uXFYl^dM`sHNZt6@cwxM
z{d{4&a&Wzlj1^PHvQ~XA)x6W!4ZnAbAYso1A*)&e!N}n`DTQez4eBhw9KtGtu`Fiv
z{36X9b6|RZV!Pgh@ctXzkJVUuD%uSC4Ci>=;yl-&_3$4JB5@-PG>GO5TC^$og1qI>
z&u?lnNr@FIqa$jH`-{$%W?rr8Va+<(go-u^DU)E6T+XK3p-VI{QA}*O_P*k|J>~zZ
z?c2zNLcEjd{%hZzaRn(cfN4#3P>j45EK=}ye8Y9iqh>qAXOH9oi;=y8zh8)38`cJL
z1!G}uKIdGm(@{w^y2qd!DZ;#+p-{%EB=GwBZN2kQ`qRUSwkuwJ)sZpuCi|sm%?=%y
zQ-rtjub<-Rv=a1|-@9jj6B=czu@wK+s30uyU4NwP-1)#YrKc#f>x8bF!K3rC$b=}N
zKRqbG%~;FzBQm6B?OKGgQc!&_bHI1|w~Ka8{1NKh7}%r#;beF)XP*emTwz!!WhM_~
z9a(%9uPo_J2%DT)Y18DcDTC(Cd{8;5sX+4E<huU)cut#;3hj<+B1iG#_l*;Fth5cL
z)xiJS-oLNINog*%WE8fmZ8F5N1|%_C*2{dF<I7r*C8<HePEo97g+{fGxN`7KwP8Zk
z<zatZj`FidKc}xoH3MAr-x;dnm%gd;KPhEpnsjgMwN-=q&+A%az?bh&-yLa^5H-`?
z*uaL`O5IbIME`jtfNN|FHf{r&VSf7Q{n6E%|2T}$cTm}R$;Rt&gBrhI*?BeB;hDa>
zG!vk7D#JF7Fe43G=lYdIL^p(U5=bW<et7!P`YiScQevc3)>(SlIMZ#?@_Bg$ON%iY
zKc3$MFJK>9E-FgQ<TgGVp4Jp)oNyj=O3Xg`qD%sF<QCqH{`2y(-OL7q<->ar{&qn5
z&TsUHk%XNw^EIauoUfxBDs+*1g7xxW&=P(D!SAh$+!<2zFbGgy4Lx)2nT7eG-DAqn
zTs&HnTfXnHNu3wFSXbzp-HxWG-5q)m{DvcbbX+`_U!pC$tN*t;iJ8?|ay~YBIFWY$
z=*Fn=KLVn8a#WktRm@$Y8V<3w^pUl{so%AP9}P{z$z9snrOKQn-%cL25|0NMskY?&
zdmW$%ogPyp(MAq3Dz3UjKhtWY<J$>XAr%WrW5}D{%ZT_i+HoCEhsIL<l5LO4j>xbl
z<OidR!1n*HR+T#Un0pc01U4N4J%E@H6)lRDr{8>01@*E+bU;>chbiL-rb@S>zccfB
zuB3c$qLju-Hr^`JtyL*c<?u|x8Y+^z_@<^$AHWYK>K>sR*>iQBtrv_z)&B91XbZPV
z-{OmV&Mnj&uXMx<Dh7L5l+eHuw%w;eSCDC#nHb}~;?}Ye8vUyfQ?C51U<2}wIOUwH
z3_<jqem~DbLFUN$ni|A7K|Owp0Jb%=G6?#pG|99Yyq7-L4t&cEMR~JaAkZ~&497Y4
z1u}V`h<a-^3s@+pd~c^{$Xbs8>hr=sKbaBuWEZxEAGF)AeCQ{p>l$4ggRMyjzE53c
zCflYP$&;Gj3~p9w-QES3kgBH5o6NG%*xc&Kn)?)Gu*4v&y<`)w5ZSl8--MmkO}9*4
z@hQIV8*Cl2aYY0u!oavitKUT>M4f3o==-zJ4fui>;q!e;LZlesV<y!+7`YaTZTXmF
z3Ie{Ijzk}*$9->ED=*^3UiY=|S_Xc@66&9|?Tusp>{qVr%!@~DM4Ie6PY#;BZdRx+
z+^4#~-SXss7y?F##I@ghzldO#5G9gwA9wx~d02NBjTAWC!E{^c@6^;cjNa4zf@B4G
zlKwV<Dm}>vZyoV+3v1aEVqlbjrd&lPVtD^lhK>o8{tT5zZcNCL7GMl=?>YBO<qP40
zQc2qn(ZzVHJ>K-Qt5;cj<AEjdLM)_a^oz()xCFAJeLDfgNj18-QIAT(0DzStBb>&Z
zE){h#f-c%8lB!F_a>r|q+(Q2~%@n+nPp21W-6-=O6Wp^cakM#qXzD`hcIU=pF=q_o
z`()6HkM_V$upcPvp6i7+Gr;W@D(j3pDOH;E=rcf41(j@z!PQa)RV1%@ZM#<OK6|P8
zS&_1;qJ62J`i3>>o4Oj%1fPxG7)fC8+4Mhm#6{_V8yG2L%~Z6$qwZ=$6+SSYmO30}
zFd<JjSyvo*9ar~0)!<zQ-^w3*8cL|!(6I-|Dof_oBo7DPy(m@soARjr-sqdYoZvo3
zdCAR!wGP8AU?2l*0DZ10;@O00){VtQx$f>w!%e%&d)dKU%SHp=UHF3St9JN(rXT%#
zwPmFcNW~Uzh8H%zeKjZ~RDy#ZB8K8akw)hnF<&L)tLK#^!-acm-*3uLc5cbg`Qj!B
zR}N=cFvj9dl_KV}M~&Z;7c=R*H<C+%jNH#r>Rm<ld2WQIS1b}n$TF&z<erI(vkhkd
zBraU-3_DyzuX^?F5bTW$$oCC%;S0;CuaD{6aVvL!!HsSjayn5_s}+5q^+N0&l*N5x
z)#QXxs|sD_<I|tW5mWd#ob1b0>N__1#}oU#5Dl>`apF8eXoU9piKfZiO|(+DJ5~SI
z_+WIuZ<fJ=0(Od-LhUs|8eK#yPH~HFMB9ywT(YTOk1&csi*E$KtJk_q0Yu?7uk=lW
z7P+rpBc}S{E!z`*9{JG5N!5u1)DscO;{g|nITr8PQ8o}eUqgY9LHbW|@<*~>X%?CK
zH>y@>l(htQ1aBW$xs(<83`jYZGG$rbOM1+rbDl;Es*>HdiB?jz^3mmXQ^aG^n$i7X
zSq9Szk7L7fe0k<5M~(qasF%N#jy`Mvn&e)@^2_S3Yb)N#4a3|`;xil`0^zTwI@+2u
z*D6ZAYQimg#KCI(R)E?je|tY|W>mmCdn}cz<n^gsXEcKBi_*K@@>;X9=Q_j>R3L^u
zrW3I}pUUGZ&*IU?_47+7o&<J$F5ddcy7BY`msl@RsW~1*D6PI8@`TZ$jeKF;6`3^j
zuJt)-0N!dK)253<qT0z#f(#W&{~@*bnsXUtxcj<U-NsSu!y`h$N&8()J*|<#a-$0R
z*-z|!!VP}EzmFpbGZ?r^*Gap6Mae6Fe*5J(w{qQW_(6}@F{5tC?-inc<j3^hv&G)f
zVD_=XI1T^KO~W#gWclkJn%8~aoF!FGR|s>pW!-saE<nwxjDThCq)8Fi^y!pr<OE^H
zG0|wL;B!!Sp1e)4Wh(n-ce3yYj&+gdm5Hv~Sq35nk{aP-rgl8mh${4-#XHL(4GO9x
zM4}#Ny8rriyxPX<qb>t@?x*`Zw=>has-xAnKyt_$*Y~Htzc#vatZj2)CcK}Tbc^b7
zjR>kKQw48n9cq#$@}=wT)oBJI?83fQgKVOm88m1}lXCaVi(&)Sdd;_l!ul$Ii%gYt
z`_k6VEB@TK!F{G^w+oGyj2<vaeJx@yntpN#tpm>${fR1t%`Qb7Dw$suCu@|Sx%*xz
zRQDvTz%2G-%ViV39gUAMh2;2{sDwJJLWys89oMG81E@)Gzq=*2?7dw8byM2d%Nj9i
z7Cu85YhXTMsEa$!D_M&zUx%Dv(R&E;gBh)cm6}=TIz>y79c_|#SBf10o@Ii*>h%ef
z_y+amh!aSRhFxBcuX?`-yGXa#fC7Q!j<;Hs*9=|l9U;AOaGmUoCx9G=(vnBAC;4ke
z&59o%hcyRw!%z6fdOOTL4l}r&Wu{-UFfyVYC_O%uru<ANqSAzK6-msvP5ap2J+odA
zYy)R7zA(S6bFpLMCwR^1?N6eOYp)QHtej_KI4$2Zsq7r?F7<4QGikmePsL~B!fZS(
zO?|TWxLH_>4%pl}E9G}7L{du62$DVBv4$Ai&#r0j;e=U%6H`u5+%{#1F|zi7j+T;|
z9b$+L6GpM7-yNins@d<ihpu|<WX&$_jPx8Lk@5m*sSd^Lp|H4vr~ze3yfCtdEPM`3
zua&?TrofE$G$)2Pyc{B!6id`|JNHCh;WvPh`o^gRuwP#KU9lhB@?M9^jkwUWg7TgV
zmUG{qNhq(3e!ntUt0`#C_V$=8U4ea~z^~G~g|8$P*VmIwn}gElwC!XEo25A#-eGb0
zs4N3161_7C=ZP>dr0gEVyr0N9BOX9W^zjR=ff%WG{$Xz>g&FBiFxmC9e5P#k4d0-y
z^F#{+{3Yk1x4Sp<)@p~;an0gXrr$N{1EesOAqb`S{fnO=1wOkVpEc491KIMh$>JMN
z`&et=kG4yLQHvuCKJD(r9FVfTl3@~-esS<uVR0Km=?26;d!$5DFwf}UeDI;IeAtb+
zyNvClX%1R~(=RJ4PjovZ=G-Q{n?{?<nnh*zMP{yyl?tEdFlaxUziP2H!<R0cv_D$o
z3at|&F|p!t8hH)8H%ramd<j}k)E58Yo4VuR5%|m5uguynT4J^vFpY{|`86wgL-Zv6
z{r{fi>nm&yoWj%pNE8;I;D3LHAa!I_u(Y_wtD-U@zbFu9W(13#QJ87&%)a;Gta3KD
zCIY~5QR@_A#fD~~|Ci>E8H_PW)HdJcLB_cSK`#fsdnI53`UJD_7E=rV??N&0(;Z}S
z%_@%qf3WT<Z$`AFUWk&`xj$jK-%F=}72l0KRbQ|zZ7EgFGnPZH4QzBZy)^dU%fu2B
z++d*7*EG8E?)~F6%FZfeEw1H+1;o55-+%c8A;9aL)a-F($=ax_Ul7BF4;PCTnI-!Y
zqHMTw_9}t6D%}P6@eMJ^uc0z3l8L#=uTF{<6B44@G?{1L&K^utxnq~^W~!G5>GRt!
z0vKTV<zttZtyB+IZB@@3wlFtH3j|wv%@@r6+f}f+w)8VDiq4&Ad|{`XJ_R%Ncx^kU
zm}dHN%BCkPPh#IiUjsVvy||Zl!!)UaeawD2>80Sc&vy9=+Tmyi%bw?s|2?xvq-gnP
zFU@h_Nxg5Kti4f*0IQohu9xgVcq}g!IYZe`1FQ>hIeku0c1{T?-I{i_3Ddjj^1y@E
z?fDgV2zdKM2*!8S(EF5G8f8n{y}g#n%{WjtIfW;exFiC7%vC<WB=_u4#kN_a=D7~e
zaTRnQPH>~Ck;zI9S-N06z6eY>s%J)Z!F{Gc&8!G>VAr7+K^_Rk+lT)JFBCm3#tXTu
zdGK7ZE!8|TB^uvm3)=H#1Bx)GgBmWYKgMt2x~WQ9U~Jc39|+toKJO1cfR&RnWTy-f
z(DN-tVxiZ#nswRtCxiY?=auF891ZaU$`(JZqsqs`ZkGjRpdFGz?N{;25jTM*7W3P_
zH`LWCU4XS>jujJCWF=|;6$o@uDYksgRC|L6^y2Y}3+~t_q)dUv!gWVC-+FA<VeU;`
zFC$eV2z$wIu|O8&3mype>DrJh&w<eg{v2ysFyJ=}uJUXLu4B%ZjK5o0+mI=~1<IUx
z&ppBaF5|LEP_pxJzlyeD`bE|xbj@VqP+@|xGjTO3GT{_YDLJ1k&SE|<cvRnB>gRVG
zR3FWmoycv-qg$i?mFu&nZ2JFE$MtO+K!<~TBEZWWt#f~ruuH5qQx}xqXga`(y|An^
z{8!)Ooz7f&@-GLsK$ghGCyX}w2^8{puk*uX^JDWc<^4&3&I3t|0yXGs@kFg1ns+V-
zH{=IxkJI}TT=Qa1fv{~RHNo^h`Lol5OT%XHe5k}Np;7M!dFTREb!IVTQcnDE|5Xt{
zU7wY`)9<es81j&Va9AEX`Z_)LDHc_3iFnX&xaFhPth#>H5}sA@@F+V|h5hVy-Lv``
z<bPCW8JIegH;tojUWKHU(EtQUjGlp-1zK)F#$&00sjbHwbV}k6?yHaO2C5k8s!HIn
zN!}bWmJ;^Q4FfxjEl2&Oip|CbDF^J8+6o%`whw=sAIHY+hkKtIZ$2|Mm}>sg`!)yH
zv!DT)cvC*P;8AACYqjuYxehd>NZ`?`4qvPJ%0J4B3=c$CJL=mzwn^pi^oY+LOdPpI
z<qZP3hc-%;QYGKfNBbh+d|B5#d!;jibgaIrXe+XonR;_lE=?tHB9q<!WIh?;*b#u&
z+>q&=oJ$pdz2BH0F;$vK(+O-6l1;y;0LAO5dH>ZU0Xw2>2p&0hd89y4H!yLWuAxIQ
z`|aw`&M=U8p>qqudCQp+ARNKvmD})GxiRv=&A88LOMA-ey2xvl5>`_k432>@BEiNB
z1wp=u>yH;0o(pSYVpJqICy}lI-JWD*X;_ayYWeNOWYCa+S9UEy{(-m2Za8yz;;UQR
z$BW9S#Cr1RY`UwQy^bY!xtE_3_fLqM$|C#Oma$jxToI&#xKUpE`SUa7(Wm{tKdx+3
z<VI9KP{CSvxL$dXrLRl;Ww2X2aIYQgB`L1_(Y<#o58}JO){O^nA?lu5#tj7n;_@`2
z2XGO;mZwdd{*$OGCF%Efe<Epi?Q)sqnjW4b`~HEXp)_!es-{zz087KQ`RBUxd1%s-
zh113@pxWWd=^u0B3eqo~*NH5#K%RFxPt661t&gsn>Qvj|4Zq#5a&QjwUWayBD!)wA
zDHlIeQ7e`BG7ip7TRQIk(`OaUM+rAEhBr;~tn?}SbulVco>TvabW<A>CAA|l>d6}^
zeJ4>`=&GN01rFzE60o&XQ~cuZ9}N?uMhiTO{zVJ5froz;+zY;rl`A^RlJB@(^c`7O
zgTwy#r%(95Vi9(n{2xjGhyLf<!ao)^da&rlbN>?l3Fs{Ac@4{p>)%~uS9$gBEz1+1
Pu<4nLr%O)#^4tFdPkTLO

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/WinDbgConfigure.png b/docs/GettingStartedDocs/images/WinDbgConfigure.png
new file mode 100644
index 0000000000000000000000000000000000000000..9f8251bdb1a8c0fec682446741d5f454e5ad2f49
GIT binary patch
literal 85778
zcmce81yodRyEdXogOmu;B{{?>FbWdVCEYNDGzik&NOzZXH_{E#-6`GO4Kx4X8@}H;
z-&z0p&syi7wUlS?+56e|b3b+6*M05rmzEMnM<GOkgM&jC6%mkygG0cAgM&Xqf`^^K
zmD;?7{dr_1E6fj9JV>++J9uKiC&>o~R~CwTr;PwRMz#=9v4Vrcwto2cXhEOU9u5wg
zB`UxtZ?Cy`KUY#b7qfs^RJrTvBFACFckN71>b?&5CBjnOHkzS|;aIy}1WCsfiS-Gd
z2mz7+@}mHRrvk&g%5+$$I0zK4Sa8Ib0^>5n^g0$YvDHJW`^X=e=8!!r)wm#rJ~~@a
z<*AV4X;{3z?K~YD)?A!(GWqDF>a@t(H8+*yR9pht7=rGnK-JuCH{BrS&;eL+dl!1j
z;R=DCPq{%Bp)cKbq4ylni)QE)bffuH2|5owg`Sr{)S!dV{l)ucsFT}$3GBXGw>uta
z5ws6{eE^13H=mY3uMh8D@|>1HOx)hP-CIL$#@r5apl2z!Q_#wk>w}Nbey|uAdXjQ&
z<+k$?S^!;1xr>Dg^IQ+zVM4m0D?CSiu478gONR&GMX23+iRHBy_`Yp%x~T~w=ys^o
zd^N2kCJJ7>@o_txYF^@Sy+?(T$gS@}$=vRf_jd~p7a=zY&E#%IPLa%{W7x02Y>-{>
zS>ouFQge-)%e}ZOt&7WUEM(*C{G1uWbRDR8(cE-H-Mrpj0>1gN)3*m`c0D#%j1}5n
znwo0f6P}Hop$At=lSIY4CmP&}wX$)zO{i+jINzU;g3cyPKQ@{AZ|xf1ZSATxQ$grI
z#@<Fm61bQ-%ncudW#gOs?dPVdUDrch?-^W8ZrFA+m@zKsvej>QAm_2jYOX!1Ck)r-
zOh@=7&bvx?RUg1Gw=|od?iPSAGOqhT{>`p4n41rFEuM<IecCKD0)y|<Z%|_)5fmpT
z){D*OeQpH}Yo&M52mH50)CtUUQ(4Vd3+PIQ8yiB5&ArJx9J|%yC9-X<mG-B4Z8u6d
zcTDR-bM80yD-AFo++SS4d~gV>GvMZ&!L4g+cNcuF+gDPu7Aw~cYcrtE5O{~(7<fL)
zyjaiPVtu$)=SS*N$r4{4?=%?8_)4jNU(MC!oFT;3UyZr>Y+#2WgPDN9b-(kaQ(s8}
zZTqR!)^jhs>yG+J_v2Vch(nnR>hRPQ&(URK-^KYv2_!kk#pT|_HTLdivgCgLj_)A5
zqr`PU4SG`v)w;d8nYv#%qgDdkz8No(;%xEu3A`_O9g%P|55AvW`~cqmP<N-XANbPT
zit}b-R2WRN;5Ku$GUoCH{{Yq%8<*ZNU+ydtyKP(U_thA~4q8T-&$l*8wvZ3OJV%&o
zC1C32o8mjE<&yL&sLk2!8U7t66s76NhuL`<6@1l(|96oMyxxBYeGHq;zdr8ngZ<6u
z2Ks*;w|D}9f0ds_V)TKb`HLaHPieKr6a4kHUmEZ<bh#hxuVZBk{ilDGb^ci%)xK7P
z`DyjPxU_1p-wk2_S?K`_J}gAPKKAUen+m|!@17fMxShCNbU~D$Kbw!5A^6a>wcV7P
z9B3`i$;W$U=oNIs?e^ncIM2mL=yxc8-5n|PBXpClOysYc;D$O6;;)AwXW*-9=uR`o
z_01-9E#>+ZG#)xXbhqAo;tP2N-D^HEc(}O>>d*7_@78j0g3YA)NxjxK>lg1o*IHy2
zp%M-nY^*OPCWkb+-3;B$G+)I+PS$pzXZVnnkI?JpBXieF1869;bLg(W`8sxVz4@%<
zZhJfadeim9x9Mib*Y#wxS5E@t<~W5O-|22VH0PSp(pHBAFX82CPVCD-12Lw#B8Ff)
z3_4D!XbIy2UlH=oSo?AVE$ikp5zK*Aq4Ba5&ZD2H;?aS|@Y+}eX^(HDSU}vC3fa#T
ze|4!nU{p==`n48;g>I90&dOQyx+=@e+u(WNDbLxhD-;uY6iRd>M)w_P<%lm?xNs;p
zPP`yGmUxW388TKL628d_h_K5s(66t3vrupz&6Mn76<V`;?H9pwzB**HL@>_`dSZO?
zmcw*#P3qIfO%;@H(NzM(ef2kyP2)rNYoXO0Nx7X0fFumJzM8gV(Y{}u@KMlllP={c
z<Kxdmb{XHl)Y#Kl>q8JH4K~bO?-#?3Nhz`<2K(=-W;C6I*QTb8S`;|<6|QcWhfj@$
z4?;sF!s=6^a(vn+?Mo)7P7V%B4*?ub>o2X%gf7J~m!*QG4%#QJ*t@tH&6e%!DL(Xx
z<(04Q*aC*}9-iIe6&7N?KIX31qH$IHo;<Nn{L5bd-Tfl;9!eJeKC`bA6S9N}sRLi`
z_6q7b>PwlYpM555wB4wd-+*;hPW$`yH3S;w%`?{y`RykK)u|92CLQa>6dWag)zvPy
zfY>}S=2>bDMWLrvf(&sbb@*Sg)%fdI+RKgU5=AHTS@kGmD;3)X^?oWbq(;-$>mz4P
zqv_&ekG5?np2`7Gnu<%Z<95v7+w8I^WIOd2EPEw{arc-bA}g4KRD1y{F$iJ_h0IwY
z71vfSIg0x<IJ4TyU$iKhU;YSgpr35dnwcTfE42c22NE#9d2UYe%h^L89q;KMoPE$?
zw+pIup?w)knG)}&b=ZH`xOm&xe0X`^)XbNOxqULX2(f+3<u-KbJd|=H=eC0hUFJz*
z6w^1@fYe=EwThcK;SAv42S*nRB-CPSE4XL$M#~?tf-;LHdB*6d#M&{>d1mM!Q91bq
z-}}EcjCxv6jG?$pxbAEc#z$X@XeK_Z2tG@@Ha0qQC@68wnykm3W85u|`(e71zhhiJ
zq0!w23Eh-R?my>9sY@<x4FhFReabtLaoHf8&nDZipjFJsz2oDlYYS+aJsWy%%v6*k
zNo%PU2sApOcZ>OoS6kIPiv45dTk$7u1{HpVXo=YefC4A7HkFM>efCH>!GX5=>*1&o
zDExg?R$#<XfAfvq=j3>|l~=ASAMgBmjsyM9$Tc9-q4(26kiDU7-O~}^cjx(W^Slc|
z`KGd+Y9%{`)Ap{y`E`LTl8iolZ*M%-ZjtCL09)g*e5uTekCdkW5CdJeo&MI#bXU5S
za5hz0b^lNe5#dk<D%sp=pg)de*6gKzmMQB1KX|RSAfcKdduz8=6O(|W*ybG@peu@u
zX?J|^vz(H}39$^V-)?<pDIXO*A4SQh&TRyg!rI9|4y|_p`#)CdAqmIOKf1Nsj&!p>
zNvdPpwEy!Jrf$xd<y&^Q+qp%lUAO&``%0cOU&ymVwjaRn4$RT92a@uDt;@OP=&Rgy
z0dky3X@%&j({anV=XBpk4HCzz9=C=Sh8w1}@yL`!tJ#o;zm)7z?uiY4UPQgFaQo9{
zG(vaWG{nql$20FFlIc2cHnb0cB3k3V{m2-|h=s1Q=<6)_(h;=$93_uGXKHjAv{i0K
zqwhp)MCF5S7Iec<xLSU7^!}A0*p#Eg6Mv9E(_9<(p_i6sM3_Z?P0Pls12c%}1+u{g
z&k-V|B^0t13hRoGckLgY4=-KK>+S~an#OG7M_?=H=x%mKLroq2IFUO3+3o(3m~+&O
z^Te*-+6G-=rr^oKRT3l5u26dw7ExPvMYyX%$!*GnVh#K#@vV4lo0#S{7Tc`eMS-RE
zC)<R++-b71m;}?Fk7yqUoJz-Vh=xfu_kFTHE{Ao%;S3mKD0Nz^3s0GBS>({1R<s?7
znN$64RY6pXk@5nX%UW=1x$4OVe7#A^L!01+gdD}0e$Bi#yK~Ttx@N#*gN;S#ts9i|
zKEo{vic$J7;9$$m5-D`m?e4be@HPVYUgn|iAZ4VtWw>D>V_rZj*ZJ2a6)rtyy&RJ#
zZR#&H{X<oXn`cqJB=-kZHHy&YeII{1f>YU!6e9bUhIQQkE#;n29b~7=tz6WQRYB3<
zsnUsgwro6VH-FJKPGVM1%=r&*nv--x84F%F`${~TPdMp&S|0>hMCnZVrcBUw@!BCV
zZsxq2yHq}}*}jvn^5=GLne#I!he|XUOCX+SG-OFWG|t^%m0+lUF<7d5c_p5R6PPo*
z&DHOQsC*L!pyoNo;Rzocf-S0x(C<9A-|5ISIt@1N>b4gOPjwuS2TF3yc)&pmJ-$jS
zx|92dRq58D+fW}(tfVTZ1!?d1FRQs(z((O&41D0q_&09`agqt{o`MP;izPyBT||?e
z<A)jYk6RbFqK4Z5GG`o%^eI2o^2iAGqkmML0e=(}vCt*)Z~$jZk;L;f=)k%DZ>$@?
z#xTKeR?$(ND1`PYh1Yts^HZdun@s<BDlaXD9jnr2(oI1)^5F%p^_%B^?3#+BFBSjX
zHQ&8|`LRmsVa;5!+y55de7|pgy7(yOeWrNNr7LVqE?&AU!j{a-OkFD!k=W&Um4-C2
z6E#B@VAc>C^u39Tu4FBRjXm}IUeojZIbDG_<Vs3b<<G+j==f^GR8HRNwtr9x&ZM6l
zj~<T7ChQHPn$}`EWbX*REq~jqL0+P;_l?YVn?}Hn{Y%Bfy`SF~8M=&>$(#7)34P^~
z2*n#mO%g8bwpfU5*p_23nR<6#lqB>_=5Fy(l;gw&Msm1Ea7!sQs1(mI4+pv1G5Yz`
zsn>XeQH&9i3oK@XeVBP2h!bT0z%;9JUuNr4mvs#`KD0Lvp~2a!TBtwybydnQz;G9O
zm(hG`*GLQl44lBnM`BBV0=V}t)nKS>+YRc*d0hYlTHi>M;vYTS*kbVDw}C^=KaXLj
z+&>}>_W!CB_8%|WKgtsCfza7SufNe2oR+BXdWqZoVaIQXS^C!_VK=vD{y0&B+3{Cp
z-|lYvp=r=3zpHeoCXQ)7Cxv`m`3KT`z>&~@*x;U#65sqb#eAXJdGj5q`TCCB>BTW|
zhe2|0<z}htT6b&grFrkVC}X{Sz?_SxDB+<^eJvj{vTLw0SH}mZ$Hm-;cZ8Kg$Ta46
zs7SEp<xnR(L7NRMMu0%*-P=<GsL2s7GcCu`jg>OD<r>^!hChzP!jj9`MoGifoBShO
z%zgA42+@(rIN()W!!<J*tTo@F#FOHoau@xku9n1CMp8U2&v}}oZuS>7_e0m)CS12<
z8{gfFY+fR_5@VuHCHz<k&nS;IahmDiHos)Ar!hZz?`Vu{oaP127+n5_$>bWmQhxPD
z?7PXy(`F%9x7Z^CT=Z?tS=v2PHm`-}Ik}>m_lMrysO;4y_}4e4q7gPuF>If2u(+({
zGA;<e`J+O9<U2weql1fK48o2Qna$F@6-P78FpWr#t2Z$Ephetb1_-=Q65C2yG$-BI
zbU;USlO7o=y%JV-c!_5$nCCNQvw+WB93JCbQmNk;fh2>)q}48)M#lZ=DNmIs;Acki
zSH{+NO|;Qbs;i)*kOGs#_2~~q3Swch{(yYzXgP0GrBc3;<BOWWpsE)}@&#DoqF~+i
zG}diT0>o|<Ht$J9>Ql`{LOPZrIZ&Ch-KbCZz5S{uQ5^dUTA(e#I6=&Gy8iCqk%{~Z
zX4oUGXlgA&Z3)Yt9A2f%%Nhr7w!A9_xCV<|5i(!~i{kfl@+yXrSG=c<zr2|g@i0p6
z_3x;Q1PB};H@m~S=PFbEq+i|jXOY|8c#4WwcLVV~(c0_Cc0m(PALnZdw>^FN5J;Yc
zpK;;Qahk3=@0D(X3OyA(CZ$Y-Rb;>ufu?U_)Fl^{*F^Sqj?9}RhL@|9^{>_hlx;Wl
zZB{^xbxVvNq{)0|j95)ij^=|pzG_%MeI!HrMk1?pQI#9qLmSB09-lqdBi+zbBZO?~
z#HUH=m|5Yg;*T!oVdGo`^y{A+G36Yf`Z7W&MSk_BS0XDy>2}r`qv2g+tQBTOAUFff
z3-H#<JvWpvTXx#K=v&FBD8c6|{RQ`g4~QuU1ns{o0z)y6;~iGfv!&fkgLSSIIzMBa
zO<3M~Ot;w!ewsm`+{LwThN@?~kL(KR=Se>=?By^wzva1&^j7~ad7a=-^y%gqUD8O2
z$;(y6O%mfshcv@*c{>?~Ga|~gRPJg$pagye_d)6h2N`XH2nLY>A4I{QK4fUL-}eM3
z;5DKeb*k0ZiLrq4WNlI%O=Jh22#!K{rXE@PG~-3Lj&iPGMsda^ly@Txda{;@k6kL&
zqn%!q_%YUNeM*KuOf2)J1Tf<Dw(V&miAY@;MEoz>lvIfdbJ?ds9-!O(fLp>)|Jmv*
z$hA#ep<b5IjU~6=GHJt!LE$}eUVsCF*fs;Mmh`bW!bK_tP1w&9;kwXr_FUsY<w5cf
z*wK~XeLlso$6E@8KLkD%q)x=^;S-fE&#&1uh|WkfCOJq8Xwas+ThO;D5A}qf-Rcu1
zv2*HVJyRdtLO|eiRgQV=PwTj$Rp0LSm>bZes%V_aJQXV`z?7$>=^=ZAg78BAPS%4v
z*AJPhx&iTh?`&#5lMcuiO;mo;wGvT<4<l8n3<D>;$WzfEM#G}zt6k*OF^wMZ+;W2t
z%O=eazAX<)m;06Q`@0euSbN>|T=gMdZbz6gA0HRn=x3*V5;B23FXM%30T0eL1wR5U
z!cE$&5(NTYb51I}zO?lfWwP5Wsx|J*A`{%7kJAB2VA1HZIbF>1)Vm}GtJ4vp&UvAC
zFEtFk(k#h^Z|YYhBXqzsM`SN9m0naCMb@yYnuVPBRz$3x3e`#!;<DkcB0j_FA$UWf
zT5zP9eZY)P#Iy_=UQJM+H4Hvmcf|c*VvK>c$~S_0BbJ%Ea)~S7f);>r_-K*DBSa^|
zCfL)7cN}4vA&<@0X^-!DREm|}=l2OeYUT_LGEmJ}<N<3UZb}WJvU?0KNuI1iP=2tR
zVRHx-49Gyj6fK<>Xk-1O`M>Ji!BJ3vGK2(79{gcosV{}7pRF#u_QUcX3It#Ie!Nec
zeX&)rzGaYqvn+~_MXz-YVZAMLY4Y?;*O*eI42X#Axh<#a5Uvpmju?HsL6YlO8<A3v
zlbA9>7-8r;Ns$CU<cYivR2ls27&$T@G=0F2h2SlEaxi(F-D1iJ&UTA&TXWCi_tcTk
z`9J}Z1#V}1dS1SeQX}M4ZL?x@6tyjEe|lpKGL}P+0#L}i%d$lJi_s1$NlRDk&Ke8I
zSh6{QV=}Lhl=5U`9b0}rR$x{-v9i-S1*(3)-XB)=mRnL`Npq&@n~^kUt4qY1dl-By
zq6_nH7jff)*Za<fPC|)F<wc}}cC1CHgpFzD<zaq+dm1#@zh0wGSAgN558!bDT&xP;
zaq4a5XkF=+b|CP`oy(rd$t~kah)MH*mmiK%g3SU0H(UjjECtd-C3flLBCcUqm>aBc
zbLc=c%K3&i8y5IcEQ8&1`eX0d1VbJC>ZH-;Dgt|zo32hE0BGE5mzpM{s0o4{$cvvt
z;;SAgad?8$aYd`S{Taq$C^&3AO8a1-d$-dQv`dYW5=1V|LdS<ZAj_ww$!94uCPo%O
z?=zYoddcuIcTkbUuvxul2ox|DMTEnsQ1RBP2372Z!J66kZQ}U!E-u*g`)W2TsK*HA
z8u()pP;&uez1WDO`*K>#K*TX~DFaf&LwP~>WoO03Cetg3c=xX(S?^XQA^nVEOu6cb
zq~&ZsOrDt^>Um&~1N2@9CIVFG<uMi4_n8t9d*VfBimzttSNKT}uStb;3^24O>S|7S
z5yVRGl2$pp^*Kcm%m{@G0He0!KT`Sm3H6-eJN%-35GAL5K9xw;w|r|F=h+aUzm`Sp
z$4!^=?U%UF3y5H#rofrZyVd{h1}+pY%%h`0Y!;&P*=fyRnxdu5OO;$ToDiH1aeN^!
zB9amGG4(}R`B5rzeb`>55&ra82K3i<fOcfCVJYz3cg>QRIB_7p_FlSti&S)uCwHqW
z{|=d;7d1Y=aKuI@uo8{#D#3*sKu!^Z;y?X?6EoubJ4&4FAf&U|msUqe*FK05%nIw9
zNuBg%yqw-o1WEUF7IZ|ayQEd3`O;lGuwn?TM+lw_mkWAF-`B|!Un2!G3OpK{d2K6s
z;+E<AcrJTrw>>h+hFshf8=sZ1a#$9GSe)`z1=YJ4=$0<hI<?2}1sSVMUZkC*%^@sl
zo*<q@Pat(_A<j#<o0%)jIgg%a^R=QsLK`_1?Tr@x>GKbD++Tb1(Xe6kZfSpN;2@cM
z3=>7+-c<BXx3J+Sa+J8i>@t%RZ!j-xSUZae!JHt2jE}Qj`V*oiM|^74b01W2yGts6
zW;NkWXOki6WK`7E&Z9N((i<rsWt~lXfk)nfFHo5tH^_J7waDOMkLhetQ=3ukiqA0-
z_T*B<<4q6tK!R&fS1Gn&PUssGQ{V@g?Ao@%z!^=yvxHolK0QzPq(S}UUtmOug}h;=
z;Kb&Ie3_tg&WEowf<A>*8ktG7KQc516H2K=c$uu#7j4{%Brqi6WI1LlVkaGg7^LDr
zeyRD=036&orT=APaO)msKhbi0t@9{s2>`pS4)(`VLAT~^$>TvsK)j!c!i_3jB%q`1
z))E<JRM+4KT9;S<%+B4+@*akhotEa^(1R{VUae@GPo@cDz}*p^KMc}`TL0Kwcik2h
zhWdRW$!`~gQ~VH{R1ir(a4^tZ;0exnxGK!yH%kj=f%#9e`C)V3J-izF9XTu^{FAi)
zXIa!>quH9?Ss!x46YzH&;;!`MHyuv)^#8HEaR)s8N0eeO`cK;cU-Ti5e}^#kd;kl5
zNa(%6m%oYgBhTM<!?pi+%3P!I*NK<Ri`Ro)YPC1x4KB{Y$0|9N`=CNnkmb?(eWIlU
zb|2u|ifxKkM5j~jXQ?`TO3Vh=YZ>s0hf$Ek0#x(Cp>WO=zfcV+bVy_GGXB(QK1-7$
zB_W4XVBURqNc+57V+E;VZ-wsjB{B`Ov(&q7%^<F$n{{Cqf5dE7HV3HFulVoCzoz{V
z2>k&IWfrzD8hA$o=T{n~^1wUm)}*&}sx`BHv=jAX1)m-C4u87-3^p0iKJJ#8>8otq
zTlrS)l&BGj|2`+#n)$PfV#Cqn?`u+*zw!Y~IA8o14Io2-!0+$$un;xLPZ^eeMKMlf
zjTw%``Z|}%S1YhEX88;6mqw5TDTv;w_FJrmddUE4xe2zx#;#S)-{$Sb$1f~m-$Wnp
z|7hT!EImR9S=e7us<+g6{t&fP<4<BI_*b-70o7sz`~nOgQO2MkY?A}+ld1o61X0`=
ztBYBwNXI8eU6(tmAcX}`Z+$A*HMa_2o7KsbDH0N(aS4w0?aV~gCn96$ex^zq)$inD
zlG#!rwcf5XFN#lbxf+aWsWs~dq{mI-4-iKI7*mHAM`d7}sAF(XV|m}7)APUj_CY`#
zKTCeq3((&CwFjdo4<3DaaqyS7;r6V0fL0C@YRxedcC~z;7D6;}Kz{}T;HE7lsYu;L
z5u9{F250B37x*j=fg1mtVF^juZOdz6E?WkU(<O6-VN#`;gbxC70J8)D_9wAI)407b
zb(XPfqF;lp<vl(p5Sk1{N{L@pn)bVS%Mn0LT@4ym>f0AA^EnRaE=Lubq&sqTGs|+H
zQQMPEV^oedUs#}!iNJxxQ;|=Z$~EazAjZEJKruMmo$aidsP&!wq)DqvHK8$%!rdi8
zYdB;!gEod>7W!^WT2p>Heho#|YMBqqjvVQ6FQb!8B`>~S$uyIagK#?<o?oe48M9x#
zmd7_41U0R^cx3C{&ls_0YePg*1=Nx0jlH8Eg!4s>dpn6J)E!kuV#Umd#q~dxf50l{
zE}p@;ew*|MBcU8N*uTBy#I{{}SG0J9c-`ON+Bo;hL?ti0NgY$?N<qB|I?Exf(9aOZ
zp^CzidzA(6B#nh5^7%S{H=__ef0iP~syj?TZ(qqN3~vq25pS0TYlhy?Mt=qY(bS&9
zf!JJ@U5?p+1Xl(>fR-#NfMwFklImWO2{8vfM49eMEYOjUFN`#1otIy*PwPhA){4{3
z6mP9cXYK=qAGOeKA|un4yY{<x`m`%+e@q6rN%fWfJ8;7tY(^XfO^Sevg;^`IHI*r=
z77ZzXL;3tZ^HzA`4xwE_giH5a)HWqqy}gTRFGgCP&EB8RuYJE%j|>Xo&uZnWcZWlY
z?ISa%mDstEI`8pd@QLbkkYZxS9eL5(Rf7xwhrtJ}<LZ%sfTd8d-z0rQEZuFzGv~pM
z>F4h<dHQ+A#+^Q3X1HSZlT(Q0R2sJ;hIQ1e%m$4Dh!XyEuth8I)Cb&qQlE<b@&Rk(
z$u-K43VNf&HI4{T<8Ct0($3nLy-BA9#WygE%Q|}(jMLI_YaMvx$1+^kzAL*XC?fZ_
zHDqd|J7SEJejmBMm(4*iKj60yz?I>RqdNSYY>v|3d7^h?a4n3XOix8CWb>9Pg7Qt|
zXL?%u(6ra8v}Gq&fX+Jki+7}lQ3N3FHSO_350HSsc7-C$x!tzfW<o~z7z2OIO-4>w
zTs>ia#Y}YnuH~ZJa;GtL0prKikLUOeIy+fgX0rc^i<3G3N8r@i!7bJe_jZ+uIVQ8x
zvp$J0?Iq2R@+8SzV_e4jm?2Qo<N6OV7W$XmRCNjZ6-}aH#j(yUnJcqsf^iprTUyf+
ze|<>bJd~7rSsmn};iNS6#`GBe6*vjmbw9EsOfU~2dY7aXmEykvXYXEG{SVP>faJeH
zv*T&=*bF>!%(wvJI^*`)hj|Da%25Ft?)XAeW;9<qDhUEg_le{G8Xynbgzy}Ul7%-u
zE111NRmYHL4oYhX%j+f7cvYp`7v@<qqqKrep_3Qp$L)Pe2C4_LY4`f^mNc>=hK7Od
z$*yG;TnCK`u~EH0h)AEc0ydbwT05adD-claC=qGL^Wi7+!7-@`D9@BIOoWFHck|=2
zBunZ}W!^zaswGpp!Zyq4cs2#9^oX7d7IB=XvKR-C+|Ufdk?+nSK``Yy@TT->+p0HB
z`yp;izZOER&a9z+ZwIhdiL;H{J^ZW1WCpQ$!!b?OUDo5<Y|#4uFGTkXUS@n~r5137
zO~@EK5e9v;6~5((IGFhppUYy7R9!-Y!XG9inxH`BeDdE8=Skd$VZY2K&x118jwhHu
zG8PJTL;qOh;g+Huu3%^n(tThay3~Isz_mB<_N@Dl=>ex1j|w9_51^wDIL~zv(_rJ(
ziii262Mi7V`W*Fg{rJrT*C58iHVn?+RIlc<e^AVEr$hZ<C^uB^_qhhL-!Kb~^<lSJ
zazpqH<(U6L2=n$|!&1@roo;CV)%OU4{XA#j-?VfK>OVyiRvy4p^P7_2LWqCGo3*gn
z#Q~lAe}#BSZZK5pdt~SSr@!Fr1^<a8Nw$ad-A*Cv?-sA^8I)2IszVQH-|xy7bNilC
z3S%@ixXA%N>dbV={XD>t7_~2%8z{q$tw}@&xP;d`c=7$J(_PM?5XxiaYSS?Oa$oKg
z*Ejd2#XYEyq*gqsJVt}7WB+~Y8hVIlmzes>XZD&i!GjI-r@wNna8m0JAh&tFS$n8|
zBkQ>39ev|FfF^PD&Hl&fi{KiI%1e!WyPWE6OZu&U5A!%UQAilREZ5hrdHh`^Jk)K2
z6oULk-!_MFrA5uywU5Zx_oUioB6CV>XhLGI$rhZ%mvQ-)9c+#<CLGeMS-h!-KV@?2
zxtGu$fBog}dddy-9R($}sz<9aPh(VnwAl$bx&$qf^!cmg;$=NwSnwA&q#4DY8#GnH
zCZ|tF2!aJ|nZEr?!SQQt+_OgA*bS?JvZ8r!zCAvysk_h&;T~7bdO{byl`f_P60EU6
zc!^7F9$MdR7#J>8Nr)AH_C}F}FcJ{=#l4X1gQ1Hw+u?apIQ-b#Xq-TsR~mjlLpcE5
z9!8XdrG~M5$=d#Jq7t021?4}Z8cJs>mtCwN<B0&+?S$}u4f&<)2cmg_X3E_4+~&)(
z`05M}87ZKsdc{|{?pWrVqRF-C*ah$0P83qox19(Qno+SR{w+U5qSk(9QalPT$&u|T
za4~z2xRAWiSBp4%f7N|}48n?;uT@F5#|Q*)_C3Sx*0xneOXPCq&@I!3EoHpp!sv2z
zd)10VN^HFps9&<Tt=VwR*@|W0=QP8n{7C5bwH0+Fr!yor;Z(vH{qam#ze#(nVPHH6
z2;tzkUf^Frfm1+Wv&2Ee<pf8k3?p6bfJc++=fiZSASHnq4VH2#kIUOcR)qcsTlHG=
zolh^G`$r@l4N)Q2>L;GO!2xxjk;`&sfT!3yiw3#JX-@e^DDn={6}Lb_{CrNI`}E@g
zhE6~Ed{5Hb2C0<75>PP%YEb!JNbAo8<|EY6I(2-m?R`g~pUdl=9N@zD69M%sh<+Mg
zd_W>s?eaYPu1PsYS$fq8zGO>WAw|N+)=LXjkcjkG3L4Iy3UGAW&vUZ420Xn%w@mq)
z!^J<od7EGI;sL3}>i-K;W8eRuBejM1{|Tv41bhQc16XzFmL41Ou;b+tz_8h$Q`2{e
z4@NFy8&y2e$^mI_&ZUUT?njB}a<8}%@L0Uke^eW}jy&I@Wmlb|tw9vfc-9m_uUp+k
z@`>*nq_nY-0Sc-Qwq>sye)?gZKjh4=Bay13seGA_<)DPcbd2VUZpAFoI;IhI*JiL~
zyfWP<+D=R|iU^>wK!xIRqr^P;fmOtbmL9l*qkmSfN;o;|b6Wqa&*3=MJq<Qcn=jX=
zB&pe9czr~z(9t|A5DAaP$tdK1mvNLnBKct?{#aPtJ{>!sfb<z26C=9Ge%rOiFU#B$
zEj^$-r=fS%ArN9Mr%#}BV^QYR<(Gzms0%tUBC;+22!)24Hcf@zu#W+Tx@U<6qxp>{
zx^AP<<qa4xE5OBTn?xN(Vj;*e^s33Ap9s`Jz>}((vk-|9U6OPF?hp3;bha4griSJ|
zo`Cz~7<}<j)mDwc)M4~UZIwY9>o+0aIH#FeDYj&ouieSA*k<UZ+k3qJ(6eE-QV;d7
z<FV>4A}vnXpsO`djs|81Epv!p$EZfBO4lA>HIT72JUzb9d``=^FZ)%dVml&>|6EI9
zVIdvHZpBCK2b4520M3rTLA9xDH=ZdL1u|gDr#|T$0)=>)evOnL&i+!dLt!S&jYdzE
zDbx8%I!IZ?e%M<><YKl0b#GhzK4UsFg4w1;f_%riyZ;k7o3>V#f=xTQ&Yb=BvZJou
z6MGT$sBNo`0At_MqCp|mZ}m^hL)-O+`gbao(-)ssFJf7xI=(_*_mNPT+<IHqq52iq
zd7ue9_8FGAkH8*z5@OFxayYV_&=be~V357{UEAZH*!&YKDcxvgG9rG@bWB@TbJol`
z-Q2=nGMVNTq&~E|Ei`z;8H%=ESB<<7XK$hB>F(R6g!MGnJXD<?W@DQ+E24vSVbqf~
z*8KW^04UwG>Fsvfw#0Ye9}+Qea29faBd7tS2x|64pQfK7&8eX9b{Dqd`?72QjiVTf
z960d#6w=gbXsb$cPduNO$<t1swrUYlZC-w2-&X`LSEwJi*<&D^Sj>8y@+Ni!-6iQN
z`=^g}CA_JMPoo`E*PiS!WfpLhl#g6z<9j4!@O|(hrcY&vd$zEraQzl7f109cjQm4n
zI=^BBKvpVhc?4h}IgM>new-wT{;X-aNw{2|j09D%Qw<@&uRnR>k6pBe4*$w!gVe@g
zLtJ*z@>03E!_#+J#(c8u9}ox@oVlTHbRSYKH=I)a2mI8<10=n1;Yo`Bn;`q;k`{*3
ze*l>!5_K5#y1cjh4IciLVtNPyLw_qX|1)-}z9;{$VATUAv-|G=n_pn28hZIpBOV^?
z`_G#nE}A^NI{c?G56Q`a!~3p(-Uz!+3gtJtv*-K$CEUNrPXDX(B-^k`Z(|RgH&=_)
zU5pprH)UKE%GF*FO@<PIV3`KVS}uP*{EuJiKeC9fGI>-J*m#M9KaH0M`Yxq=Iid*J
zoj$|Idi3fPx4E|wZWnCCgKodZu7Y7qQhM6GzZiIhZ`_-5H~vF+vF276`s`BYyd|ku
z_x`;V$$5?=KGBy;UkD#e0-zZBle+2nPoPBwJu2|1e(}eH>H-n}^Mjrg{C*G~Os8;h
zD0qkZX8oi1QW-N>i!K!IQs=%UsZ(LFe<OytRC19i@Ll1!xtrSFsdCM%uITx}(Xc@;
zvu5%;SA2C7jKE(2YF`ikvSEI1FJWyn2Vuc>TwH2z1@hBTTCO`t%SkH9u<dl^vE&W>
z^fi^|Qw3bt-1)%u0YbEV;cNG?!|ai_WEEG@G15EsYsKxU1AXt(_+x8=`}jH@y$e-e
z&vYsqS;E3h@s1R7K|XL}W+#b@tT~I1Uu0%N4B8axT28w&Ge?_8h9SG3`)Q=F9esQ)
z0(S?rZyxx-^M=3V26y}P@aCW$>Q{DO%s+GIVjVMI)JLWROi3M%J!o7Wi6uTCp>oaT
zM(YEi!8;1Pu()%21DSlA8tD@B<G6c1VEwTbUG6ZoD=j198<g%{r>8O06jg*jFONhy
zjmBe_7cO;nJwP6P-{O0+fHxP~K~tqiilfY%$C7~NQPj%x@wU0Rc1#};aY%pZe^4=C
zviJBnRg8sE+jrq-MaY_PAufEe*>5Cr%B>VbmZcvNj4rkeuvkW6r+vFXVi!L0oHE$>
z4F%h_Ng>y38V#0JI2FFH!#Am)7IxJr5wdOQUp?QIs(V&TYOXH*bW|*91|2DdzT#aW
z3?+^bhwR}?ZBv+`{d`#%86)^|JO9bBBVA6EkB_&pchwz{dj04RYwTAt=*H{vR_45o
zd~{*>=ebX+eAyAP40Q{?qKdqJCGgAwW8hPkB7@m;FN*Xh6|4egLco}!9U55Dc3DF8
zPnPq!$bV2~Fn+PhwM|l@$IewlV7CfDkNtX?%cAMn-Ol}8y+-&Qx{9ZrvkX05Wv7*)
zv`A_7M0QoK$z0=CBio<ZUss-fp!)jgGb1HG0_aDOjfkkebkp>#S8)darI;bI8Bn$~
z_!FQYjNptYBq8-5au5I#{vm;_jFmWC5q_80m!AmcdC?U5g<_a|_#xuo;`N;5j8h&&
z7!I3%XfQ&z#Zw+-Sg!e@{LOR{?8}m4*}s4x%|v-BvXgUpdWXuAfz6isF(=R^Z#^mL
z3^)0!w(@rz1vo?6BM1frp75Z4sX*;W-$Q*y_Pul<lHX0PHoedN<j%F2kjf|W!Pm)B
zUsohM-$-bMfY^+~2OqJ;(l9ITCHtY`No}X^BRB*vIczB!THUx{q53KI6LHSIK%vV1
z!6`P960FU4knVhGXW&p~G)rRon9J8|F;R#rZcGnR@ALCkL8I`h)kLL8<wrc@XMY-6
zN(IYLn^NuLN|5b`F8N21{In-hFo6XGkA0~JsI~#Ms9ctg^wABoQyVbHE0>mij-)_K
z4>wGF#u~_ucbxhp(!Jr$D4sXUWX41q6$h>PryUOgMoCX`_4Bfi>VmCb<wXVu43D{v
zs_^<@A;W?oxl*VLb+*RvhHev$#!)|!BTAY+O&M3o)%&5?0!z$Qyl_4IphCH&`}ZO!
zaRWAgDL}$$dyt_L5n(1(bYNh(mjo$=5AepuO!w!`&kts7%(zSuI{;&!Z@N^t6`NJ2
zU$;H0x`?f5nd$c=ED`c*k5c{WpLsvhi)qYNO${tp+KVY@pw#(_A~2mdjo+?O$~%<n
zNfSmdOlk47H=s#AM8sr;bpeK|jsd-EY-!H(Q;GZa^`8wI(<Q^Ntt3TRNAZ2n@#+9&
zUdYq9#q@$htMHCl+WW7;g8Aj^PjhIDpVps@(F#xm%A|bUY6v!G5w6^uJp=4}hTEVt
zENb}BP>cJNYblWI`Oc#BR$Czn8jc9j1i`<=?$IOv+IGRMRP=Xz15o>i{G{i}V^f&?
z#8bgxSU6<T%Qe<amN(2W?rYI()bNH@XdFV=wF+AqJ=R5AHV#v`Qqth`<4{G~M4w=6
zTMs;m2IXa!nZ6m6jtYWd-S-z2dy2q7z>e)86J?snHbsYsk%@n?IAhPYZ2SP=H9i+m
zJaCiZl^nr#-#M93C^=yO{RUot4P8s>N-WAApP&R;ZHGos`u~_t?gL>+y(B7=MFJR{
zd3uuZF!qJ>rDeHerru9mrRt~pMb@YCQUs9T#~6>gPQKJ5$QfA8z3)Dj;PHIJsF0>Y
z+imzR@6o_Bqv*mrP;d1)QZpwZ5>CJiTK(^j_21|6ji~B>5-mn#y?MIJK=VqHD~?ab
zov(u#Z`vy$j@Pn}?v~cXE5FKbohast9T=`Q=IW(`-Y0}t<~!zBNBXPDn06rJ5-l2`
zM^EvZ<+U*Bb>MrL4!!>p)}(3obFj|^$>M1mc$$9)&QWeWa<J>$&3v-27Ousb;Htkw
zjuu<qhaK(-a~o||iMrT>%RoHjUVqkLJ3_!%QWu7|Wra-Kjg=iZ>DeDkw8ejtYM^i2
z^_SShhQ%5y4L-^<-u`d3$>e2aOSSsap({9JiR76L-<4Q?&^(D#7{dCddVFH&2Fn5a
z?93MbOSEWI(C8wbc?9ll?^ndun&!4r$;9^H5o4<;p3G>X6pmg!ovg657d-BMB7?bD
zBdRndhe5OQCy(UGE*d^>{sgc!#1bTqOA8^#q*#5E*zNWC>@Ge`N*<^o!z(~Uva*9S
zk+v@@Wd3{`-HOd+Fi@tcNcc)nwp=?{nu?X+{OKtldcdeLJ+Pc=DkCmok@=TW#47+-
z{_dM6N*v$FauoihXYk}3l!Hey_yWpw6bBTRCbQ<sm~)gy?IcoEbFWn?U1~`>hE<c{
zH3V|uvYv6Xz<T0O)el)%p@4ANNS#nCH`$J-MRd@0XSt*a%bvC_VIcd<RX)7uk7@^3
ziVMZO8wCO>)22VX7|>mw&_k~ClYS)TadzA5gB#StifiUXQ}g97=}t>IDxcK3t&&E!
z=ZV!|q){ZGrhOe839#4KzdW@>>_(?6gE0;v2TzJ7D%Rr~;PJK?WRN?qQBVSGHPnJ>
z#iVEs`yy~jm+9Y#iDAY$rS7bYxgJQFx(b<yq!X(KTA*;D(nJk?0@ZIz3fTd5>QM!8
zpV9Qxt8FI2e=l>6hp0fpAIG2|2goF2_^*i!WG13`7HUmVKF*K8^b2@S@g^9SpV&=5
zU`?vZ7bg&ua2<4bGhqB8$ND-s)GnVmdd1zn#vkWJfBTE%2;BmQ7;z;B*4|gzbNOJZ
zWJ3x8DxImV8y#IS@4>{OR-%cMVOz-zSS+22+n>rG8F7k-i@RS}MJN-MB(V@nP4~V{
zfl!<HS+*RFx&#tJm9ghn65yJgt^FfQzCU7dBEzC=^f{O_TO}Cj(>TF=d?Ups1z3VT
zJ!>v15i6AH)VfXD#6grZh^uRli9O~sO-lIsFZ_z!XCSg37iP>OE6TJd&xGdc-!bvQ
zG)%m7arF-52)dSNf^*-Jg>dx{DSxF^qIyPbf4nV~K98W{5r3uVRqRAw*U)A%iZIl#
z*B$72`w28*6z>tUnVvyMbB66Bd|F_S5Q!Z%%!pU9jz@+6rszp}t}JcQjeT>u$ByZ`
z$3<WCT~Y?8WDjertY87qw?5VTi_ijl;zBr`WB-S7AD!uJ4f)QKj@V1PYvD4Ug%cf7
zRfd{A0^B-nHpad+COJlyR9IT0{q$1-FV-tNz8P;o+sJBL1-N}}v#?90BL7Ly*aBgq
zMMpzh$1?lAe9#D8<FaG4>@Bo}cTDa1RfogsyJOt%Gp*0Vtw=}|(#+JtE=^=pQ)4$Y
zUNv}%`b*Hqpv<12L<A-%!pq3hMJc*8fI(ufeHEoy^Rw`_#HeGVUxciB7O&)e0_jCD
zy>I}iu6lyDvSe=2OSEJ?u@ka9s~SAl(zBy^{}Mk51yRJBsZIyarSy-Xel>fp@6^ub
zjuP@xnZdj9Nuahm`B6(G&?c+1+&d++l_4$)l}>`1ipoIsg5)pPu~GXb8a^i#A9nph
z#bc0@w9Xv|xS`sPWZuB5s#%M#brjz^h7rUtZBkr_Ww#7gMQYtIUD72I2U7`OLt`w0
zm~_2<`TLeq`CO91-Z{0`m=VCpa*g9kyAGeL#flgH$sliq-Id<Qc(ko2Rw1ioiOW=Y
z6-Gowbs}>zm|iHzMp4JexRi>|NnUH?M>MkU!#mx`LTTCa*2IZf<ow<evjJyf>BNde
zXw}W4uReRgGB#NY-9Utob7_978WnYquVL)Nu3hz>n(Lqqr(pFAQJjzE_8qp~gz^in
z$XBw6lqO>d$7~c`VqW2zAF6&H1&&vvn_Sr!&%_4!rnMp0q-TF^R-jG|ZjE0-2rsLf
zAM_%Q!en8@%SS9Yk>(kXsbLqUQNP72kY+S<{fH~3kofhIHcOgYIl9Yvt?;@xf4~~A
zmc$+nWv{wtxR@?a`6(`NH7pu_U(IRo4KrFD68BM%K!A#JtOZIxMAr?3z;N8%JSuB%
z&n%?Tjdl%kT94AhuaE|aSDx0<s$cZ~e5F0CDQ;Kw_#>$_c@#dIf=b42`*RZlkm1*r
zTQPNh0Y*IRGG7Z4Dg!$q8VLfdtxArKC9D%vOe%1G?+_?hLC3=a2|3{XbVox+*yqr+
za(XX;`v6Kt;1&#zrs@SEG2Gf@y*<GqRPlq){%*9FkaV9S%K0;Rc9{|7iih`^Q}(pc
zJKQg&fmI-5dK?~1YA<%LA(h%`8w^4s-rL4X>|$bKdzz0l#jM1^ys!J^YiSoN`mY2d
zUa%ARMa>|fDPUkLh3zcA=y;~%Ls{(v${l&3+783fPDm+Fe~Y_LL5%)PerMrb8{Y8N
z+=DY0yzMS=Ukl<b+9QZ^cYIIyX+FzM#fQ!gdHk1+el~2aXg0Wx&=gUO#Wsp8tgQU>
zlchA-U?HyIqW)OAuHJaAH$@<58~bIo+QhgW(2B{&0vG1BmG{8>2YuNofJmjsRH{C8
zVCnm?iVfdwqdxLfGSQyrLww0Hz=>$HxQG;(q$rs8a{p~M2~M@S5VdDMf31YHDOhG5
zfk`J%y0qGa1wG=_i7nB#pu|G8*j}5<*ZU3Uev3oufR2#sAZww($hPhP;atCTlu<Fu
zu1*y`MI%jqk7ax+T+VkDgHZ$^#xR})lKDlxGx1XeQ>?}9uryH_at0s3+lqO+@5X}^
zHf{CWPEjH#Wt%qda;(EGzwXm|KOHImG<ITTJGR$rI$Pp$i8`S=!@f_5Ii{T?VWT)x
zoKC1eZSgX?r8?;-kc!3nSwO$A%X@`l;9iLiqv9Ml&4Gn;eF3Z?aeNMu5`U`Ao{0_~
z?k}Kf+IFC>f*6mjkQkg)Um#3JQ1ALh2GMPd?lzHT`UtU^bQn$n93}Q#xOV<88nF%{
z_=G#5L|vPKPuTTlG=^Qwb}^5hC=dx0;oeDLJFu3F(6AB-P@kpdWZIg{D<A_6vDT91
z3L|T4+FE7$V7fP^MCo7F0Jv~>gV5^3mQSqM$9K9-XO%RDeNN=7f<LZm&kAnP!+5WB
z{fhQbWG==~$L}HBmP=?X#uk#}DM}e&^P7+BIk1Qb0KW)99=iNQv@~5(VZYWgL*%qp
z{FvmnYZ>dCulUiCf&Mu&LCjK`8wJUQKC$Ck3rK5xDPWkHHNxO-#+}p{zm*#`W(uN*
zbSSgb$<>Bw$8{0<Bd}qQ8xkL%vNnK7fO(H|+`_TjLWwx|IOFM*m#YNFx6{oxuDKrK
z7E4O1T$W4Nf89pOg=z4w)EZ2l)$+z6oF~i@c?-OX!V>Ltj0WW=UgSjEc%b6A;9xA3
zg~o|EGo<AsyupU>G6?dFu<6T-{)hZq%{xpR{i?%p<a^bDM;i+7m?yKgG{Po-?$#D%
z;d1FELXx50MI4E_?PO)+RtGPI3VMevUn4SC(reEjpd0&&EVmHZ9&}h>Aet%$&3lX?
zS=Qy|j$;~v{kAlzq+X1X<Scjtm)Rxf8|<wZ)~K3>MjC65a9HyoB74rO&QHJTV|+YO
zf3Ty=;S6Y%-OLyTcmDyzJQ=oSz+TjYAJVEF_+f*@cF;)tDYfTMMXA}6c1`7u0dhh#
zR)#N~skWR}7?16O3vntXO%P3K^fMMHrXKQjT}0pduI)}=y!z=aE<HP5O~JhI69wc?
z>fhSPc~rv`FYm@!K4Ng>VD{}3#>dlN1_(Pe0Keb)i=+DA2&t85grTtTd^aj;#!*5i
zjt*fW!lnyi>8-!Qb~dzBuv&@@4Q<%WZ#QdjIjRJ-o}`V4`q#9HdIcP#yy{Qm*Ex;~
z(j)?TU?)it+hlz8868(qk4lW$d60Gi#Qt60PivS8|6oMwL(CE}I7&>csDo(FQnPRy
zH`P+49}f>OMxwF(`74P)cJ?|ZmokoOH%LMRGycFrzOB1Z+|RE<QYq1j%=%GcVw!Wa
zL<K+q>*cIY&_wxwgygr9u&~=69mNQ3{&-F|j9vlrH2(0x+|Oaf);-#ZRUVx!Y%u2^
znQ~pkgIamA`gAa^PJCQVFH0Mg-PnXtDik00V%{HrJQ30MmR)#7i`CS&R#VX#V-v6N
zvb-Ipx^5Rl#KWN_O8)TbfQ^lga{Cl1L<J*Vw(@DX!#hI!oOmjL>JPe1u1ol6Ia4u#
zH;PMc`@>%zc{KL^8)~Fz)8YvK8TJ{&w}pZ6#|nOi*9%@iEEOa+MyB?tB`ueCQjBHX
zzV_I&kHddhFQeG8LYtOeoc<K6_306(ZTB)}#ZUN=cKEq`O^GYf4!GliMEEeUzJ>ep
z0Aoof?lP(y*pD!`ZpJvlJwu8flVa|;f&REcBI}Q9uq&3LPUr>8jN(g8GomdjaaXZp
ziRFXjQhg|`o=F#<zKo9w&(cBbC`6RWQ_WER<Mof9>QyY7SSq%y-ER>V4kOdtTMhlQ
z_*F{j7aJM{)2UwF0Y&+XXR@6K1TffK{BQ>ir>K>M*BP!=@W~Kr+j^=p>DZ22uK3Zb
z73h(C8u@16?=`!zi}~~w(hJYpSIWDlae;{2+9>Niz0s;))Y<%cjMI18KCP%DG+lV*
zqgp%6fGkAiWTI1%YTF2Ds7H2=+iE1+@E=k=n%;BY;`?^J((Z$T-Bw2Fp{9eRMqmis
zP|9xTfe7DPy^B$9fl5-Ar~G?f`L^A)T-oU+_*!-%qL$`U7IscLZH6R{+&GctX`&}o
z8>+$LRGlAK!`jN4zWON=J_KIvN3_QHHvuvo4e(iKc)xO!ZF?K`BA*>_oTDoF6x7-$
ziMBkg#XdpQtqPk=fPTYzu_ST4+5Bo4MTV(SB&{SmHt7o0^TDjt=}$ujJRVmC6f_L>
z^3(WXF-p=5%D+IU@H6T6czxT;M&>u%DXg&-CGzl-4)*BZ&id7(wyZP@dHN|4!VfR9
z(lpyv81XVs9;y5DrUX^mj4)}>Sy=erbUoJ%9K)_^bMOiPxnaO#TLlZz`0v;2BYt^4
z(>y{5i{fd&P8#F?5kixg=KlS{hB^GA?q5+K?1c^T%@&ecG*}GFrZt;gOQl>O!pP0i
zB>jV~U0Yp2YvY*#D-mxqm!VpMsK0nWUtdYkm1{b?k)+6gaGCarx)1Gqp@u64OpF%u
zXd^;PsbipAlE(P?LsO7HJLzjagS1EU3|jHdZ<20r(=!)qN?S)bF{HiL48|4mtDrQE
z(n^Vm0UBnEi4W)G&Nj5`A>vs<h@P~?lhKnu%(VcOkee5^f9TK@@K@PkZ(O9pyHNkT
zplglD7#=mNprMAF)=E@F+ypa-c|6Wk!4yg35?&ku<!Z3YiI`6%hEYu27z0^K_oqHJ
z>@5rvR$bGttjWZY2J`~kWornVS_gw{E$Y~&IpY*QNc+^EAAWSh{t*eJf6vwO(ggy7
z9EU?>+$;+Wg_<!e+^<E4#2ReZa+*ZmwbcoH*&cBTF)6^d)<!KBQ@568#gF?S%!wmF
z{fWwjq?NTmhLoz0?t^J-x77$CzI9qG?azw5e<n)-#;V8yGFj59=f|!cVF<VHdv?LR
z&WZY23i!E|S%{tZ#u8O8z@D;obnLIgx2U%wG3Ob-K#1O=jycSkKJ~H`=L^#6T8l^d
z8ACEIe}ZkrQta%m;xCc^hLTg~Jp-&EOa2afKp>M}mNW5QV9JGFmc}Wj>oxn5RWBiU
ztZN|UhGHM74;$37FQ-`28EfftwQ<i4PQ*UOeNLT@Qqeh;-HyzNXW3$m0pqftMf*{{
zvJi}w7n;x2Mm4I#XUqOcv|LVGnQA#tY0vk`9(`rMkx|-nHVZAoa16%z!QPL6EgLW`
z7?5rb5A39*?&lUcF0$9p_c;bzL)a;osVAvi-&_i;;-JOZ`xGnl#Q|<bkA7=n1^qs3
z*{CAdsc-MG5}B*ZWW(cir0<9?FUEP7t{WL|g%^~Ey{HIygBZ=r>LRFCiovE=)MNQo
zneNf#Bt)+9W06_ssLHP&Oo`n*9_+_B#^FTFCG9@%a)WNqXd*q?FtEps&<dXZa7V&h
z*5zg)H@nu@X46x;?~sFxazrg=ExO3?rHrpb-4FxKf2N~UfC!}b)(>U7ZUSyfiI(|O
ze!0+;Khq?eD+cc3zZboI`(Rj$tb%!mznw>9Fa{y@+9W|~nxW@?N29uG#lU3d$}HiZ
z{wk+drp<>a;m2gy>)KQ_Kki<DSigkL_NpmD^+&hzw5PCf3ky{`0+PpxzwNl>cd}Uh
z`h^(vZ-_j=#FPL~%U#$;%Gz70Z8X=?SyhEeCoKsTPn}TcQg($%XwTg8LAk=14;~#e
zx6!o-vK(J55|Yga{>WrXn!vbvd>MaEOZ0V{q{_PHnCzz%(CF?jFm2qj`VM;W|5Y1z
zO(gLg5%pe`EnF#sJ$OJtgreM-KLL^L88uRnm%Vfbyo`SY^CY`i+_O3^7GIdlsjmR}
zWg=~Mge-3?n>=R+FM`*yHXh!nNL9QE`ai_IWmp|Svo4whf=h5GK^E@r1b3I<&cfY2
zxa-2*gS%UBUATL2cY-Imi{#s9?{l8>-23y+&zb4z?&_ZI>Z-TiqMC*^C!ky#4}eGG
za4S_0O&f#E+&4e2A@0Zt8XO+h?{Bu}$@f7onL~udyH}!&naph9U-tI8;2a71Z$Xpy
zpEr$BjtLGdzB5j6`kvy%5nZajqUc!dfn9XB9Bfc#z<tp7sA+<ubEND$>&tY}$vd+S
zUbnQsmqCw}i%3LV!CS;(6!$X7*7_CiRk1|9<~`o$J(|r%*2DZw-!k~Ell4AL<j>!?
zBXI>U5r?t=y$%20&eAu`jIO}Ji(#T~FTVqxoqXA3dUXG={Twa~CA%<kHJy=VbC<tg
z?I6B<?Hi<`H)i_^lZV~`tT#%<6lYu*zlD5)>Ph+dKCp#7;IKV@&bpD=C=?auZwkGT
zXpN03Me`Oh$;2o{TT%rSV{=~@D$(=3e&@%$M?Qp*g4=P|4bKy`eO@No<H&2vjr#aj
z3Wez<RcGn+adKYGnrOFplL%GnF?qhZhrUhUVg<~_MrbIH;6f__Q?23yytUfuF|$%5
zHN=-BJTf$$DaU9FTGTj;g;63yZTwvEud1ItX^-SajEv7TV#fRr^1h4@3;(`fnGME^
z{jt?G1&w}v#bot!MsaYky$9(={0slZVrZhSNNM(1Jwr%U2%U_oQls%7FHt9DWWj^9
z5yHH?G2D!Z6v(opn^<#2wDNcj_%j)gjc$ed+BtWh?7K<eY<Z*?cmDi~fXaq5%k)X~
zlEBu_Q2h++{na66z!8aY#`LpeitCJUcy8r(X^@!H)Kk;boEM+9@G)03uwZ43Fm<L_
zisbjzAomWiQJjqmkED>jvwN*@9g8izRk$x?nIOMYuOTubMj1vOv}Q0AXfuFfC_no9
z`YOJxWH}Ph^h5Odo@3E%;@WYnjM!yvTK^+lLY+qs>7#&<AX;+C{q~ak0TNJqL?EEp
zS=hRX85fE^MIRpp<){VrwHF<q7(IZ+Ukrq9DT=vn->F_tdS)Q;nd8ib6(tv*#>Qfk
z671t<i~P313cj=^l9l*?>cu~D=}L%u7c*k7+<Uraa;OO1e;n@c)`o>j-vXV$CWM8Q
zVdc94j%djY=4+FWNF1lMmp;KmFw0}6(pn7EUzU1hL1Yc=>eRGFks@6om#X800RxQ}
zB!=NV$C|Q$o8o0euk>)Fkg0Q&vyUf7HUAn)UhNK?m?QE%h`-<@oMDA!)Dnpqgslnk
zIeXeatJF*W+EtBX>C2(SQ=IjZCbCATv-)mjMh^*d%dxUBC#pVPq&O)AN!BsAOOKWV
z2N9GfqHnIa&H~RXleb~tNkW`TIPFzoGm-=b@ZGx9cLOkPq-@bWmu>|~s0+Ov#W`*$
z8>d!qQ?7ill6<!${AdivbcE?rg2RvCLFlcKJaJB5=@Y>mXB$hYdZ#D_Z+C<02zRTN
ze!j~1>*9Vs1f7^-AC?kn+AVO)va`|sLL1}p-4K?Ck@Cz7ZZjXHhnNCAUP|-J`Pgqy
zGXD|9L=87lGz#{a6PVP-YmQpgnlf*CInTG;Q-eS<P>mC2OQcKPSLf4lfz3dr#CQSP
z%v}l$)Nj(j1nUWkyg8ZQ-#ToCvT|`(4+*&S^u;v4F)Px7%ppS{*lMkjPnS^kW3Fqd
z+J~67;iO2!*dKj>{e^6W9L5EB>iOE@ZmXN+3GmY|>6%|Km|bE-Mx`I_DD>tIjh9n$
zoQO}v0mAd(8HH47D>PEu$__ay0B}apN(Q8td~K6AE>2;1KxMt}c<|0?XyV@B{a%HS
zI@gFCjJiwY!bCc`OujY!AE9esi#b*5&LQo2-6on$l+2uA4Y`N0b9qJr;EYi|r=EJu
zWCxO$b#x-s`qYwY6o15e!>1~B@pmy^f7?fUT?Szx>Fe0M)K=@hYySkFeSN$Hx7kN-
zXqV66L-!1E8W^vah?b;lKEbP4&<pohCN;wsfyV)JzckZt>*Duq|4Na=(FRU;HN&R~
zmX^xwtiD&umZf>r1@FW{I)Of4H8=TFr@tb+YP(L3qb|(_kt4gIKqyK(U#X=A>9Nsb
zq){3h3LItYlnOT{K|OD&%6}H32WvB+lLrEXF5=h1o}qtu_<SV(S&Gdgcc{JSr8*8B
z)*vrd1e0&cC7YFmM}{H|exjB(q)mpS{~6gLsk(bvp8Xiz?!QB8#r*=Wt)AlKK)#I6
zKpPjArA~G&Y(*XX8;}31ajS@EBfnWvlniwF&;{jl`f|EBbVj*H2_{0!GVwe-@vE>d
zJ-wSC@j|eU)qJ79#|qALWfvF!R8GMU1hQY<sn2Ffb$<R*)bx_+;~?p<^xnM(lkNfH
z)9Xc9O*7dgUmRWSR~`^)9`w0ON|Iuf!Q;p_P0o^iS|=Q6kZYeN#yxMlxNe-~E=S~)
zs{c_>WuQq<aUFLHX2s>ribK!0ca&byWTx59_SFNNs&CHnu6`GQlN{Af_WPwxkHfB>
z#T6MK1TTMfvgeAL@e{yhtlmbBDq<~nLS0#+-z?+J7LH^ylu^zA{MVBw?>1H^FL)M0
zFZc-dK}Nr1F8#tqH!iXDZ>NqVf(PX1WU?QZZ$#=9gC_Ol9V<J=B}ZLG{{&asy4uc+
zDR<EBjt2E*-tsOdMD=bnq{G@(=Qm88kkaMTmsGeXc!?4x$F8Q66AXY@T+r{hvcxq6
zoABj%4dSw>5d=tyMc9uJs%3&mgdkYNVXg^eQG#;uz-KH4QV}Cq*dz^)zZ3K127VHZ
zcZ2V|!W-wI&r4&ZKVZ%3see8ruNjw9PvWX{FhwuF_V_Ab<c!q6ZPbwF8h-XJ9gmUo
z)Qmtzz>Bsg1o?7GFe7I0#AP%HN&n1u0OIiI0-os*^qL7-E)7mUVk^`sp^Plpo`#8w
zxp!kA5>72~S`opm3>Q6Uw2HT`cBqinD(#uWqYa^zw@MOy=|@?Hg_ERa;5-dT`}YHl
z-87g1nF96R-s{i2p4wk8Q3zx#;lE=KaUfbi%74d1w!E6P{=N9-Kl()VM&LE)Zp(MV
zZ@&k4lG=Ztag%|FV>%+2lcZRue@JcG-FSBYE8<Q9L1me-^5pygdncAk@lFK!&3)Xe
zfI~%vMkf6YP!do)c**Ccj#rF5+j>?yCo{H$-u!@fAZiKCp%z{$7Q<(uiuiBWwaz{S
zTkF{nKFS4c<lFv~Hqu*`Uaqs;?07m^VEKWSSDdr^rq6A=7dYw1Qf+kd>A>ykG-$Ka
zcKVmrJa8~?3(iToM4Ow%J?oe?tFQn6Td$b@r&ko&FDEkUHOzU_L+PQmF~e?-T)f}R
zM$F*<Gtx0%&%cAlw}zAcSy+G=SgD6Uy5!E8YPfM&wzmk^cYdhiid^K$FxiINhF?dg
zBsM>>`s|P18j^DZHi=PuHjR=Sknz6x%^<z>fO6*jnDFO75;45-@21Dcqws82e>Bk7
zxiV$xOF(@=op!h<YMpa=-OI?&adTFno6$_}yPnW9_LbfQ2agw}lhMtBl3wy-Q8_xc
zobt))vC5yTGt$DCS#yrEPO!g}O*-cGN4rc`TXieZzyvg5tyx5{+={LcD3zAYI<=Ez
z<wUH#<dDkLfPDnnm2XM?^uvDPDdWeFr4i|!8b*ln4S$Zie`eKptksoC5CMFHmqQD!
z^=c%$6s8n{0LPtN92?w$%j$Kpxzt%7GHj3rKacIDganH4od2C;s6!AW&(VAJ51kU!
zD4ku2FOTiHa1mJyP}tDAhXRuG%H@i8LlTJbWIMRoCa)?-jRlcxDAytLq3~D@vXcnv
zS``s!t1xJ}bz~|JE^HoS=iQ2lV%H2g#|o0Es7`}l4?~z@5p@McYtM|xZf<jp5IO|c
zmpqo(prc$>6P!jNVQy8StS*fc>W#crn$8U!X|*ZRiyk;%pDMjCSC4bYhJlBaw@$Po
zxG-z@Z@PWfy8>sH^1cj`Zpw2NnxW`{Lac{484C_gyKy-T_1n8VyvkDmxfdtF={YCZ
z1PvfTCrQ@DiYw{E#HI!uD6tkD+9R_Q>)kkuA`&Q&PG0q5#P~q3$>9_ZzG|~<?}Ty*
zr;c41EQQ1^v6Z$XzzH7JXPwS|q~ALsBZ!#emx3e$bxvmd_=^;M1IM7Lx4u}B{=;;R
z^b$+ThcQz_BhTJK(er$i-L>pur#!iKPL5)n_CE7B+<A1ct+cNEufOY$_|`*6tRFPt
z_PhaJ4QgjZ%RS|v0HY20CI5*rsb}I|w_IF=tWIhMC>VPj3=E}=nbx%wjN<}0NX$?8
zr=`#TKWZUlf3=V^$(mok(Yv668*C+}$G)OL=pUV12rFlX>KFwN_!gq2gUZs1a+s19
zNJZDQARDSQxG--anWB?!Z&f%W8X{w*CGg(F`~8@#iynkg&F2dHgbbvLW9-T-cBy31
zWv$<VyT4{iN|ilho6Fj*)wqbb1mkPdFH_dD^f<tU1EO{v6@)n+cy~+q)Ua)NwWYXT
znC%uqI+an-gs;rWZ@v!gs6klXLOgi4-15JkadM-t!7&Cu-fQMB7MOOYUh>PL%S&*5
zi#64UzyvA?lHk->WdsdrD#gNDAgW!SYAd{@64;`zFeRGJjUX*3tDq*{O5|{5<FuY%
zLx|fd2TR@&)T&lBrlFvcV2xJvt`YhOIY>HpW$!8RMA_pat{nb`+j(hEO05rF38!5T
zbF9$eGuKFP_GsQx>bg|c_TOJGcF>HMHDgTWM@sGhFNmr4Lbqw3#Q;V-)ucji&iuPI
z1XC`WI)fEZ)a(9D7;O+0D;s!5Wrrax7O4EH*m1}%TbrP}#=L80le){68d|GGbZ3fS
znK7de6*L?>c4UYl*X}cYk6t%xDXM2qUo<6H0BcX@7FN=9P?6veZt(Nrmx(^B_H3Ae
z6FX{>a1Zlp0Z-50t${dt(iO;H$8;XNH|59K&?$BF^y~Yr1=yj3t`$i`v8{&M&Q5Kn
zu@vX9Y%V3I9u37%M%Z9K{%*VSo!FtndkQ=c#)ZE+N?<3BkEtnSn-7ULOEabXyM@}!
z+BU$3w4b+opE*w)_sY%CJ<uU&s7HqLk@Mdm4a!p%22o{ZCb+6cMYMd&`2ycQe}5bE
z+YbIhNO_~~<z&;cwWRjAUlS8a+TK#1vDs^>g0Tm$eg@!yYh<ORU?KKvRDZib%EX*^
zL&t^r=I>;XIGD{!TcwTKTB4P$=<#(|&{nCI8v9CQ1S_0~h3t}3Hx~So30e|OwUy<h
za<|MT^>$qgR@9=kV@+_(y7n_H&&bNSt;4)PXl2=AqWmS_L|#zS61m^AT257Y(*_r5
zjz~kBy-OS)y0_CrF(Q6dD4P|;FaHf~A+|DP76sSDEFvH_Y)DbAt@i}oP;#n!8l5G^
z32J(<Z2E`q0BAUFsYeK){!g1a^zLPK8tmxLyn`{`XwvBCHIN>-He)t>yXOh@OapZK
z*|k=bRrg8I%&9GQ!{kRR%W<g)nuA?2B7MF329ORwxa-q32ONU@X#+69QQ}-NQr|NQ
zQiJ7)hUHd16?sl`)gxwACHP>!uhvGvb7#6kjig+r3N^9fbQLWi<@*u-9>x4LqY(w#
zW>?v}LZ@KOW`jC@sl>4%C~PNeUZ*gI)+qE83c3(8g}}83{BJGm@mOJHZDF`YX!(=y
zpNPRX)sUdRPyel_bf@9{4+4e%p|e2gor1jsH;Fn;;Af6I7VJ)l@l+oP94}LLGRMsm
z_LZJh3nn^uVr4T&o%oebk3;n2>D*UXAJM<dr^6lyY^J$o?i%~<&~1f#)Td<aT5RHQ
z?n_fJKG2>W0(E0)`R6&^iEUqo`7d%O4ya|TAmM*hIJAb}-Ov^Oa7o1=9mm))F%G`>
zJMV&HL*vt=ykS#NWlrZl6l+93KoRL5^qp798JX^MCq7jHwTvlr^2%RtbvfKYY^3!m
znT5|?RNJyIxx;Z+1)@r>yzaQHk+3sq9hgNJls>&seaeeW+}kt?Kj+2QA*6NV^(e>Q
z;uID>zvU!I%I(1LH|WR7bl)B-%z!sP<}IeKk3j2N%76!I_uHWtBwKq%hLIoPo<b$F
zp}v<49*lMB7)-tWh?_@v(^M?qqITY9Q~ln%g(jd^GGKctIgPXI-@kNh@u6@Tx4(L?
z@q4adP~j<gH$J$u^;je(fiGtl%->XXHA{(C-{EoqqDLGe*i07?bpxY{4akdJaO{hy
zP(THjE0}*1{;oOw0dNCUFk0M2XSO7EHs^3FDNk!>v8qjRj~8k@?~A_`TdW#EUG1DI
z!OP+qtI#uJCLsXGLWQd(QSz}4O>%HbLvisfi|CZ~BUfys99Y=jiFST+HfFe@{mI^P
z+4-q;gSPS9W6!P+El??wEwWuusVEJD?(znh^MP8mVNYjcBap<#3j#b58b_|B48+gi
zHyZoO%-8UV(~fVSeB|1}YOPeH*>{j!<kW3+fO!+A;S=MpU#2qrL*j+MJZrh52|1!!
zC|dLPJVo+739k9l2sMCgCj6kj({!C&iE$9h+J3YiovqtkA>9>CAPs1y_f<cXj_mLn
zP%@iwf#`)hSIYY-jE{aHuRR<6v@8G6r+e*ewm(yN^ye(FdeyxD7ZL@axz7hHj#;5_
zl)5%AW{3uHSHu?TXLf@UWdfIx;fD+efgLyTLg38thO){Be-4U*^4X+Do;;w{-jnE=
zkykCuAgC~_L6OwF+?~d7ny{g(QsAcmUfi4m{<wH!%2m=aP{&Yye7@{l&pKt;pCtu7
z3D=EqXpRNm`12%hU7piXS?F2f2VVGAsR57%vrrwtlRHlS{zE=*rWl1JZ56#sM~Llp
zoZs6;I6`q1<{m;)((8b@1Q9*v+dQWC*FPcN+r(u{6QWjCJ~kLE>(pymA7xTESzHqO
zA6nSqqD-K?fS(jpO6r|xiFn=UwmcrKVGykF3WZG>T|xto7Fk)Z;+k(D66aRkN_9e$
zzqriusW6RC$59<Gs6pvQ+^P1ekfq7NE9)`~D}*4S@jbzoiG`5+waZAO#&U*<|L!)o
zqiOF(#RR#ZPkr*+U?sGzI9ys2$A+AW40%0U;l_X%{I0QO^moemxZW>9<9@j{{FEz0
z{Xf@D{$o|6E&!HJQ>4+O-ckYObn@4}J-QPqxB~UqM+)-3iR7B8v5}9xK{G0z?13#N
zE@KrAF4Hhcs!_RDM9SSQD<&BIVtOEps>O+)NEF=o@i?QThf6IB58%fuKzjShMxIh?
z`Qt}=Q4TOOU+4?t3TE$(WdcIN4Kl2*dD^AxgLLEa4%vDaP6oiejwM9<5;d+}v!27s
zC72FFmSt8%9YE^eHEuIboJtg+Bv}#cU=q;aeUuwLPY4PBX#sx%MK;t4G^NtXI0Kq-
zj9DrQbp11L_I}CH9eik1rsD{B#}Q=TC$Li*)1*e=6g>4&g|zoHs+1+L{P60MZEVyr
zp`61)-!#5ZCtS<L1%ccxS1156s(t~qc4$Pd!k!Ewgp0BUZ5W{sx^ls8;<IYu?8bQn
zaUPjeQtPLX_9K`%7enF;a4{-*y?;;%V#oQ9eU;ZBAB~-b7d&R6;?M3_P#-0yEQ`n$
zJqU+Qg5DQYbeG2%M|UVtavHia-i$~PCaf3HF;aH#b;?S6l$Wzr_1dsRG8?Y7mt3q#
z_qLIE9ADLLO>`1C5T7{zay8|)F1&VBg>}>pmsDQm*c2)fi0}>V_=E}Nh?c!*bCSEF
zg@8zT-)QX~wixEtr&IB!KHMnB_1X-@!HJ4C&*pzO8G0AtW4C2&(Z(#%qAeAOwyGzh
zG>kBqA<`LCo5qWUdmj-sCMm~ZN1*TRPYRp7HMI?{CZiVSp;*$^2X3BuZgvN>cm~=i
zlI-O6qD3*!v3gFm%*`MkrJ+*;Diukj=}3HpgrCH7+ZqVAQ$87fm$sx7Gi>>=m{ft8
zS~Sr%g;Yg7dm~MSgU!=JoWzE;XHyV0O(v8P*vU-C&B=3ST7XzJ{l#*;+gc~gE?C12
zF`)zRf{jam4)vr>9HCa~Envb<%wT4?P6BV|B!-Y8nS#5wwNNd7cu|Sh!S{+D^R$=c
zGdfmYBNGq#Si5-@b&49U-K1UKC%S3(Z6QE#gRqNKd(iFsDrWk=s=Y3n{#6|OpDm{G
z5?GY@h`o@M3OsR@*$kdQAS(8jGhU4W*IEQBQ~kN|@oph@&sz|FWss7<Xkp55VRTNR
z-REW1PmB4R_1lgXfnt;QQ?70>SkjMTv{;3~gP~yUCI1sSa&=JRbKQ5s-jAp*t><B+
zvX+I5$V^syH!U^3$@NhA=qQ_aOM}O@A&(pudc7i7^txr!2l<HwcVber=*89RmVV&t
z@a?ZqF|eY+Y-^T}a_S$=De~S)UtI8*SZi&>ex)-*E^N&FoMyrJM@7#n;$!6`2JV;f
zpm1b$rg;+tSXoOttkl-%einlmBC+Ji`Cj2M4j=5IC=BU{_IR+h9Rffdg>AT^9WJ4d
zHxnK)cv?ip!<Z*T()PQpkw$v$F9}f!DRo0p?{%rt;1OuCAPVOdXCzzhsN}M-H)5(m
zSo`BHbpf3EqHW?RvtQcZhX81lP!(888j|a!sLuBMMo+Nk;3I0IyW)3#swHA!q$Nhp
z&3I}91Xr<$48!YMe)V-;LaefwACxYRfbdU&b@c}ZBZVJqG##?DeD}=+zBQEYqDrxr
zn;to)acx3f*rL!RUPq3*xl7^3BJR_l)~M!w9U(vZzuIuUiE-v9LAP2}<GE{VFlQ^R
zV`eb|8P2Ua%SVY$(DYfZqY$jF8czN@&IsAmE>{9%z})05*LwcQW{9e5=urgK$-L8-
za$5fC3Zymp@m;y^DbN=2DmOh{`h%{O;w|Q>LsM1sgCgbS-fH2|<5(;*<-DEX9|>xo
z%8~nFf?ZcsH4_b78l-#SnaMeqRzD}zvVf!*+6@dVaVyab^J?n-MfGB$Sq60g6}(|t
za%5<2^ZgXm)49&x>+ya4YbF#d(g8qbt+D>-kaA@syxg!zdv}1O)$Xu6LWR=3BN3W}
z>9^UFC>hLc;$$Zc7^-bjLOu8yd<Pt<By1_O-%w&nGhQ8P^Yto9;Ze_{B(+jf73!-7
zEoq$*Zw=wKWN!z@My>a&AI<9L&A}BXsf225gjGRU0vq#WF7H6X4W{jEos2#cB#q?B
zCUufsvVZ9Q48J|_%3WU<3Rd=wN4mvwdL4rpF$r*J-2dAk9Bf9)-{EVlTNo0Hv@aAm
z%jd|oomrdqouA}ilf>sZ&E<3UjEa~MmHuLGz&6}IcE)XP9Yo>GPh&PrEZ3q1TI!Gs
zWQ5|J?sgc^(x=RCCsa$0xL_@0<CTGp%@?sFJ*#g>b{C3!XO86=Raz*h`^o6Qh;pl{
znwZpIAjkw%9q=8>XBPEgZJP)B*<dT09x`}vNO13jQ8*#~GdOA$ZeD!LIPFo-)L^E#
zj<R;Uv0xc{L7b|$fe?NW6mtXnAK_ziMTQ$YKAFR1%C+Ar(IEYD2Le)CLLmVjZzEbH
z{p(Y?fKy^x4CRIT#%mqW0L3%MUj$L<<r%5lR7T|$Bs6HQXfT#~*B5U<L@MI?%qhfG
zOyP%sho*^spscODGo#H5xld%Kf*+kfyW>b~bBD%g_C?;s%r^%E3doG#zZ0Vn*)itw
z7ToB02ig}F$!A|-T)lQe*$Ok@+Uf|qk`E@0`bfh!zM>?6kv)fZpHDhevIG%%A8~Y(
zZ1}s=6><1R8OZA5N-20yB4!uR3OmB1{A}!vgXk_P!GfUVB4+XR4^lGChsNT?fG|xn
zW5#QFYGr9G(7^UX_r%6-Z$Aues%1Uq7e^ICTe4at4H5JagkP*3IBAu_RdP9|>QsHO
zNY-F_;!lSV`pXCUdi3@2OBAzS;fzTUc*1A{4G^4bs2nOMHhXH`$Y*s(V0kTQS>2yB
zD!#;DNk!@RC#`hN*Ex)@j#Ou1oFKbR{fVkKy?pcpJ?+1Q92SBVi$qhpU~gulL3b@_
zMGdGKsZ!tgB8IrLLNb>BRw>**390?_04OVMfbNXndvehi&J|`4xLSJqhw2M_4Vs-@
zQ8t~DkwR;DVEZr^XyYfH53DlS&#^6a((|!SD*J3}Dp#2L`*78B#C#D_V;wL~CA)-u
zAkbx#I2C{D{^vX0q?K!@y8)5`L!2M)RcbzaT|s(q`ZZHZ{P)oD!l<Z&*Df}j<@vTA
zo%HURN@#tQ=GwUHddGYIaT$BzO@?=EpV2@$PHT#D%=e!(C6t3Y@oW`kee!3TMwZ+P
zw}hL#MN$i5>w@kz)Z5a>9o{B5AbL=q)1QeFs1B)xBVsDJ7W_eHa}sY6It+F;t>Eem
z7B)020FIL`D56nx$)ydCw8<q`Ar^^2a;c=_sFVn|8^<zpQ`cEwQ-bCw0vV3AzR>xI
z0xibosS$kE=|6BU?_qNpvk;#s-xr0+QE-_llQVN1nJ%kn&m>1|`LH93Y1F$S6`9Ye
zrEX$+TC~?7#X*ZHx0Lc6vNML}N3ZDgvd`REyFC7`VTk`!bU>)O63#IUXK^rB5_XdE
z&+sq-579Eka9cm#5#Ub$vp8^C72gJ#?JuMRKiw8w)yLe3NfIg^m`f)TaO61l|6st5
zs1V0a`(|elwOA|`&B~vut1|fkva9-WMp_>P{VDhG?z?B-N0seO1JC)4GT=bM^0(Fd
zZsYj{*$~AZPFoQ38q_JuR{g)f*S<H>5}uf<o9$&OR{t^_z|buKibOYj8{oKr3PwRh
z4R9eBdx%%aDLL9_)}WEyqi6Miu!6$OOPkEyr{g{6W^qyTE-B!xM-CTCe*|z82ZrrM
zuX#e+`7WtvjY2ir^gD$?ft*$BA0Ri{_OCDRI5E8&z6-slyx7qyGQ|<PyM(0`i%G9P
zd|AF9_+fi!|B);j36n)FST2U{11rcdb~Gp&PJA6#4#K~-5n0dNrWyG1nS=}~<!x53
zq&KBbdA$;68OUBSP<w;DS(@)>Zh|FSdNw)_(t##fHPf+>D}{94<&-$<(F}*QC<)on
z>+um|ziH8MrY_x@&x)1CkMWf5nb0SEdmvKwiU-D~XJgp(2_g9c!P{mubLZb=m-LlQ
zy-g()C*j3(N-99`RQ6Thk@~+lcAku7akPMyvZ^T#!StR5LFL@E@%JGVZdyy>c$;$K
z=ihYOFcZemDfHcBGm45|_|Dd9XDRAq3d6R0Kk-UYr7dqTkGfa9*IOtrDxoU231Wy4
zV6Nl7j2qGJJD&kIP+nMvMj#b}xm>R4YV+UA+7uAW$YHSz+4N)Rem32AfstRZspE*x
zQVKu-q3?DAAH>ZMf_|Td!DPu(w4Mr^9uRdQfl(;ZreSn!CkQnZH16M*llFl(K9i`B
zavPnJFtbw+F4go96fnqAXy(Fk4h5OBBVHDv67EypHU#9FekNhaukYh<+HUX(xi#}A
zoQjLj0Ko7wp$e2V;GM-=(*rG$28Oq+4PKw9fF}Gu;o}AmS<d%b#-ZcUYNtA{xGz9h
zH-ldK`tW`Wgm;}}<2)5_JleuIKVSIV3-+--nm6Rcy5TuJ*Al4tg_)s$h25d<V!Ryp
zVzp&DUTn#D7;L5GVh#Kz{#z!0w48|10k{G9Bkc1>$S1_?`fXm$3>eu@Ju-vni%%4!
z@X+@ES(p)0_<+LC2|@4b8PjZ^|4_+2$glAcK6^wWIJSmUkQEhC0L%*C4RwXNiSw}E
ziN}fi(`rr5duNT{zbO&E;%27Z4}Z_-{;uo1%lYe2zgg#0zr`6fCqp8&j|BC07*6k}
ze)m7u+GW7n3s@&6K8o9Asa~unORiAd-aakqlWO+_S_rx{ZrU0jLy|BKH<=XbWN=$$
zABwyBNl!LMXuBuGnDuH^gyb98Ycc~0fXw^f8l8Yo+2?-eiy9Fbj&y0Ev9t=P>!ugM
zYPH{5oSp)uKBJY-XVg^`?bi&ExtGM@{8y9R@ojy9$p`NRz+m~0=g!I#>~aHA6@NWX
z?<#UbNuLC$v)zq&(vVRbI4pL^C#;jdRYRZpg@)$d9SZh+FEQP(=_7ML)Y)VBkH4^L
z(C5z|u=5M<N0RHeA|DL`f(B}BmGZNb28YP4^5>0Bg~uY1dm|(eFrdQoVBc1bN44N7
zhJ1!u>J&$$L6c5GR5vc_D7VUMiRFA6f_G}E4;7}K!&N08lHp{o3v#W=hGJF!+j&S1
zh_!pL?8Q?-%KZ=f-iw$0VP-7N)4_;$D_>UW9<HVpJ_d!wQ-Y!@iD~KhV2GXHRfbcw
zHQoL)_e#o&7vL&+tf?<NbI=aX6cb7mK)iR7<O_ghunbchjve3pM3sj~w_lU@pPJxW
z4$_vtFCv=Ho(EHYiXiOx9V>kaADBu^=-35sUMiRLrB^_>Pu^cQCMt?g)M^}BCIYwq
z1O81#ZwnT}k9S50KK=zPwvzeW5jk_{c@bV-KkzxuGMbwugRQw>WtMy<PkdZ}PD?8P
zsgCR16`1|Kezr=meJaw=8wj6B0eFB`!pkOfOkGFfi$V+z`L&&^YjjAG4-*n&qKkq%
zZyod-%ev^Ls+C5=aWnc$QL@p>PiwevI-F=OhcBpnBMvbkNXRR=5S@a~Br?IBD^&L%
z@5r04TLNbL1Jfq%b-6AXIFXgos-xUw2w-$yvTLSm0)o3p<9ZBKw0RNpu(AfVt}@Ym
zj66RP3>N%(6MY6+8xmc_v#Ss2SA_U(x1R$rtnec^C{pGa2<6S$VTY7n;hd1mo8#Ob
zs7K5)_|}^|YyyhMTT>W4f}&0`7tLZ;%lQQ^`e9&8=}Z;%I3Jy3MP4)99VU<Y?SP4}
zX(!cBt?VJZky=&)x7$y93yKXOJtk*7&nVZszX`n{-;U7EN$YdUFv3T(Zety53!;em
zHZR#fkC=k66{BBhr1v8XR<FFrP{BBZy~k!kITgLf?@3bvW~5GOC5Cx0)QM_szR$oB
zs^mvu(uX7WL3fn)e|%PN-t@6gfPa44j)n2=N+rhQ^1$sy@X6^LurSaS{<G*2nai(W
zvi=aI)OM0F5%Ben)TR^nqXjlG7`w8uOIO>IL^lmBSYAfmnv^VJMuNx^5~kKOp0{42
znvAF2(jJ;`-n_YykKS7m+6nVq6vUpJV?tt+vGJEk9nvc<TTfusH^jiGoweya(jBpY
zdjEkG#iau1QY2aEqj1d{-jWuvGPB-fVp+b*@P{e0_1GbkXo?PL#vamN>BdEps=z5_
zzMy_<l-Mm2I_9uuHz}o1qSGNjo65#TxR+Cy=YK|DlK2!1Mk~khC^e3#ka32v;(^|U
z5FZ1-q%9SFYQMl4X++WXtZ8p3_L}ZXRj||;lW!PR>}<)M+2#UjkYgZ`)Moc(@neb`
zv&4aV^y;~nH~~Qg>)cWQH9X9254_#PL_8W%G3=b%XncI{TK>_Sz4_W6z*-OZ7=QkY
zz#am`L+kE*ohp!P4YD?|$6jVc{O@=F=OUYm!^=9WAL6_&DCISR{*%#%reopbTLBiT
zr!$?Gkn{Jrax;9EIhJ#+ZZB6)Djrpo5xVPBW8v==yeRay7o~1~tR3*)#DKiPc9{S^
zX1lvO5Z~GJ_Mpzl?t8x?qV<XshoWy!Fq3`JA6pNI<{tTiN3gh9KkgX;PVeQnk3Le4
z#0#xoA@2{g{Fq$F@uvu&JTb}M52q1lh3za+-(E8eTUx62JZ9x?!<h{9u|#)!EOi@_
z5?JG$Abzba0pz@iBbFKd5fhKaH<4=878cbQc=eeFl#=hfU8vx0pmB^(A)&KZ+O<-`
z%Sn~zu^^N+IZR$T`TdB><YzRup`P%1!X9SMPp~y{2M@BAfKMH-P8qb|``F*9IX%ed
z0{}ceB}O=xrzzA8z=ha?<va0I_bpz2GJLW9L<hcZjDhc&*#-pwgs6~@Nkq!gON4qT
z&69;ycnn={#&SI89;7xC`0AM0zxWI*B^-b<TZb0deV@pUlbg@I>rA)YceH0i4`Uwl
zAg80l^+9j*QIlNzpYUg@hn%$d`6e5uQV=UQsrYyx%J@Et3%k=7ApIRWBTLDG4_89h
z;R^esVLJ{!dx45s+WZL}g-Jn>#i!b`YluGku)HsB@g|hgD@-P-#ee?!nh$v*y96i5
z77Xw$>Vm=P!XaPuDq7&LezD;)Vu}C(9quX1*qj31`)-_KkOoIIWsa?SF%{aN2AZ*y
zw36JJC>qyGSmQB;gktaRM-OF^YYNy#^ST@^Os1NI{gQ9x+J6qf-Yxq6-MaK(DXc-C
zk>gu@U$N34`IiPAJ4sbLk!(s3)L2wVg_&cjE(r0q#AC*PwPQMR;4CIR5uj(PXsWEW
zR533jViE6F&2=o>R+Xn}$EP>?@(KuLg7i!jFK7+kuSF*N9ITVh_UpUPr3*oHOHNPW
zu4_y6JC^-$Rc-*s+?9r@zxS|B?gohCSQK4?4#^0T%!X&E&r?xrUE30YbZXGV*`=*c
zopR2)QYWWG*P3ym+dZKHge?tigQWnVOAlOVp8vK%36;PjU$9(q$I_*|9z_c-ZPl7z
zk32)?R@_(4N8gFrN!6k-L^|}4;BaQp{aKTRZbV7KS?Z2XOCi}L$_P7iL@ewaT0abJ
zG0<2Pvp6M3e9ia+-@nhCh9Xr&R8;SSvg0sqhyZ5s=dM?jDT{V=1sP;b8_W$rR>>|^
zklu}fCo6ofGe#N@2V_yL*?<O&mT?BKKxy>KQ8MDhXGzJg7Rn`wC8$eSiK^j7tlGtG
zQRt{YtIcpsnNw%zN*2X(>bjaGa9D1bGjL?94szI5V|3N`+KbdR8IWbt(ZeZpF|=aS
zdV%QTboeByWS27L({`)v7FcqbXh;dsje})l?m#ZHBV%$U>QhR6Zrs|!pQWJ!V+Bhd
zQ8AkiM4wYzx-w+-Y&GW#Vt7pF=-5}t>-YSL2P(p45}(;VR_}~VfXgX7*lwNSZYv@}
zOz=JlgKxPXy5~e(#7h*hA}i2ckBKARChE*Pi#(Q{W*!NhhzHgc)ZB^qV6fwUD`PF#
zwHuNMA}$<1BBy@dDF_}8;SM>7`y-Yi?5-!LEacd=m5WG^v4Nsr%Hic*xO#6?53Qg+
zXpi{&ts|$^0<f|w&NM&@=s8>_N<P)xTDc5WFT#Wn-pCXq8<)&T)KHtg)Aa`>1<%AW
zUVUK*8)O<@wR>kI8{*PH8|MV!p$p$5%vX;X5LfID`Cz+b#y3CRWNBRW;mKH9G&PG^
z4QP+WPn-?Z)RcFer#LI8OGu<uDzB1<@Heta+WR{!cqS0&MwyfiIwnB*$J@+k%l0mz
z9Q@EW7C#9fWQo0`$f{u9J5dhO*ovB%dpGjlINv1{m2hw99g98Q6nv!UqXW;Dgf2|c
z5NL5lI&D`}4K4AI?<zN;`vn$Z(js4z)E086=kh((R#FZ#b`6t}MNn|BVrAVd9f`J_
z)Q;Xl;>Jcf!dC}XpHY4H@S;s|oH$q;Uj9Wx{8XhK#=G7~>VuQ#IIlKwXK${!#U|`S
zG)Ur8RDAo)9g5{vATp{G_58bg?!TbEr?c|E!6ddQrho=H?UhJ>Qk|-#TaW{XV_3Cn
zpRgON_W+s~;GI_@)ndeqKgaT(wg3CmM!Gtxc*f3xCS`;fVWs@F7tJubTyW(j<a{eR
z1nqS)cG|9cL7?&Bi(L&ejR~PDR{(Q}r#LEpik2q{zY1wlAr_5jIG~VGQgRbcHN{or
z1)co#i_}>m6%x*NTSC&i`Z-OU^d5FoPd)g(USZ0mf`sDy4x2<~PjYjo8qN^Ff%vyh
zYv&&JC+SMO)M&)3$`2>DLJ6EZSuh8YPlmdSk|Z3|x&4ooaI*NCcT~oI4V*LN5?m<_
zH0X~!mXs5WUBLmm8ZeUiqz%~Op(Y+U<LrBN2s>ww^q4^ad<DLe!Z`I328)!qu5R{X
z)1}6>FTw85!Ue?5bk`-@qQ*iR`EE+Eb@Q`gli<@H(o6{W3Mo|k>Md}=M>Z>Sj+Dzl
zxgd#YR3hybJ+0vibc;-tfv~G}>!q&4U{iDWNW5}B@oM-nFA8XwdWiEt<hAb%@3%~F
z)W1s+dDzKgSR_&kl8U}<dkd_D7?l?$9bF+IZ(FOxs~YR$Oq&$rGVWAeMKbJ9I*E>R
zT~roYy|<0pXR(?BN`&^^S6@rwLbU0>j~qjdldFC{`lTBhB{%kr7PnX7-;j(!#rkR`
zx01Um`04R(r!0-Bwg;g&U3TlMRCLih*5-H(7;tUDuw$*3hWT>wWPYN9u#^L5LfV;J
zUjL{+OqvUhkfVDjt6?6Kr#ZEq?9hjivqd>18P=vhVZ-DjG*MyIyws4i(79n#LGl?f
zJ@lc|$}SL7azssUN2|R0<$k2(;;`Y9Wpj6pDByTY3MOg6kpsS{^F_g9J%C4uxoMiy
zv7;-Z&WIG05U-_WSH5f3o=--ngx&1df+Mh+miCVHn17v4$WPJrj*u=5GoPMzqJ9>V
zF!&&mBk6_20@z5W%YbnJNs=-CYBjEXL}7&Aap>s?CQ3%YWJ)9dzoVKbck-V+67<Fz
z@e(sub9H&$9>LRQAclKZ-YmzM+@e`|NTQwkV`0@F;_>jai?#)MK~HJK-?Z5tSK~&{
znRL-iJ3Y@WU5XBplKfXo(>jjs6F$*9S_&-Pk1bWr!{H#`;I1?dxSP8qRnyegwh99+
zT)w5?>C_>ZH2N>)PRVD`M50&3s7rB?gzUn25tOi~16f8)ap)?r3fM{MFkLy~hR14^
z22;y}TwrVKEy#tN)0fBr_=z#qypE}<8DLRysVO>ftF)GBdo^h~C`<=5lxk>;XhJ*%
zfA(X&Dzfd8Q)kaChj8JwK1URY7eyzik5)*F?3}c8hV%&Rms|1|wdLtbLlf_y&rQxj
z9X@YKfW%q<h4~YmP-OUqyJp(>3;Q4ICj96$7a~wWL`Yv!P47^<XQ8}-a#)jfO7VTs
zBzIwQe}XLbNXk*p-bd~q-lz@jyd{dGj0yf-MhvfGP<t5m_yPU@Z4h3(rbqOk%6aKu
z?d+b36G!z@%~_S!OFp`)0^|@H4Xs-W4UfYLvPQv>1yWg^ER-FN#icEAHdcx#M>VSf
z+33iAvzyC+tV|s1qP;pToog)W)~enWR*@tRq_Y(xr3)8<ptTiM4XyPfQ-nqGVE3S4
zk30*A^hx(3kn>LbBbPVcN)94;lp}vPZL^mHxRd)Y*C;M&(#4Ay=cG9h<gHM7)3I)r
zBgw9)-jS<!xU#MGuE2?<CX@BJ&p7-x_$U1McV^5Evhp91{p&4K1f+xWK2BCZW8Bwd
z_OX0M!=bjv#u!3slN>Wmy0wbRNXdmR)2;FgRC02`P$3kvPGT1Y^fL5*9+!a-vDO)n
z9@6g5^kGq;bwY10q%B2_jEA2Wy*dKpZ;oOCHR249uVkvrH~hD{Pi!dQAZ6d_wXR_k
zb8n>3iy>YOgBcxj$p-OfQwU862_YI1WhM^uMyX=Zl}PY6P2N$nUJ%cYp6V_x)~m>u
z3Z|2(mA>k(Qsuc)cNLADLpWU<59OF%EytFAQ5QyUQI90WNy@6IkS}w3l;7ts+-iMb
zKCwO(+n^ScE;XvtApE$roS~DtWbj_aCV5-hmIiD?p8VEIl2kL#FXW!IUTwJXs2+@9
z`ta31x^(~wdL3E@>$|CXemmaAmaK;PjR%!~0UDAOde3>y(bix-3@aPn@G;;clPk+A
zjbacpIy;jk&FDu_8P?Z1EZP?##9<?wAjS6{T1>-9%|n;;e+hZIW;<R8Fpqy;fgCAD
zY(ZZH&9OW``dnsisKaZb$@Yl`tt!C~r^LOEwLZ0|GxXwd1+`})cg>nN>G#JynztO=
zXO(jxfb=Ofr-MBXp4m)$cG1P>h(`r^oEuF>eU6cOenNazsy&=#7ya6{#60x{B*#&V
z#$xxH^HnGnsHZNy+;U}z$h)`-xlZ487$9JqGeXGMf{5Z+M~44stZSuF*~YE~h>z>8
zMT&)Y_#E3OGe@>BS7kKke)E8rKU@|2j6-DvneYS=Jp07tCz260oPEd<r3$Jm9C*($
zY&yfqc5qI&O39bRW71#hxfwpQ*pgiIcNS%t2OhW3IQVam*xu>~04Lx$;X320qOiU-
zD^k%}&sAvl<J0u^H&bJ9Yc`L}xa2iZkvV_9F+xx?cROXKpcLa6-!@5DF_{w6J&7oa
z9j3Es<q^xPZhuco*}nG9Om@&%_qYqQb_DuBHiCQ*f>`silvz<`?x+Ul!C5WD<Y7j)
zA>3pLGuq%JzfH)MMBr3|?cCo}Y*5OOX%Sz^u4LH!xBx&eyv+=h=ADMYBRR{&$8z{}
zO=H;nl)b@iI7inAM|R)m3q_XxFPZ^3o|t_JUVExj%<*OOU2y1v3x_%;lnZz4+gFLf
zT^kUNpC2Z@xkZk;T4^Y8D2A=KI>v+Ss)rZA__NGQKlWI=hpxdFe<?0dTARZ1p0MwP
z)S6|gK;1zoq`^5vZX}5i7m5q-WwXJFo~+C;o|dbY#^BsBg67owB{N4QQo7HI6Horj
zhFd~4F@<n~*GCxa>wGXW!KEFh6pSJsJ-J%pQBQiT#vdCnC{1CXsSCW&(o~NM`Ujmq
z)ON&c$2#_j=dz@(29?#GE<#&3Se#vL(oqU`{E_|<5)gaGS@L7oN2k2ulysQ*w?Wac
zk`s28;By!58Zyzjabdi_aB*49Nc?*vAj_#zS`AuH2|<CBD^;(T1BW=LRoq7^6O$h-
zxfqz?7eQ7o9LM4==qQ%<W9|Fu;opc=m7~RHRfI#g_^fuZ#QBFOM5!@}SIjANSH#1q
zOm<r!$46lA+8vLqmO3cf%tn0gA~?%5r+`tZ!#$o_Zzz|3iJ(<hzvo)lzgjNMiSOTJ
zABlwr5rg`uOhS#S994xBMkg)#q*kaAAq*w`49A3R1L3@{4iOE%s3YOAilp#kmZ};t
zyF`0-Gr;x6)UG@tFY`|O$ndWQnG|71&EDOU7>oM3#GG$gysj%I3-OprI=Cj3@Br3T
zUU9tG#_loCMog@MhUh7=X-aVpSYj3rt0mo)sJq>)GsSrSM7(eE*#Py1ucbC~#-*jg
z`z_J#`G_Upj)`uFPildpj#XOGP&uGu5or_dEORP{XgYUxggiyJ<g}wN#ecbnoOR{v
z*mxS$3H(WyftpF`G69u|G`U0+KY20504@QCyYXD`2st9=)_&@TO5oeBTmQb7pltOI
z4M<e|V$QBhK>5t3$++KiaZvayj`jVyu=_o*NgM_I36+p-C=ZuA6FKVjiRBFU2T`bk
zON~k`4P<3fV^c(sJi(+V5aw%~pF3CICgrr-`i=1B9Pj4%SKB|G7r)KiDLzKu-CQvk
z+X}iC9HU;zzPmKw8@PYp<zY97EdC4M4P%qb4U&xEa&Fj9O4Xxr2QUF{-_<X<5G<Lz
zloj}NtCHTjHEHQkzf%_bT3F-%EPVf3cx~5CzK7N~XB*rB%a0IyS<NBX!}?fqiFUVd
zwr|)I>Ot|={Zsb#^SjLs&K;Nn-{|&myG*bDk#6`yAnOhBqZ`IUb7ag*@yA~$$&tSh
zQ_i=XZs44_cKwO*ddhzzwhSE%b29!jQ}vHeg7<JoQk%bcHBq&=>6D^%yqT2#Kx1$K
zCjt*R9kz0#c8+IFxV_XVS>-wXYSu`6YT?vU4*RSlxTot4ALD)Vj}H9v+8r2dh91rJ
z8R7&G`o80d-1wa;UPD5ou3CLpzIt5-wZZjhc4>J$;VY?nIj5<n%(!8!#HAt$#9y(A
zi2o<N`5)rdTls$(^7RbYj|wxb(j!0`f5TLvHH1*bZhy6RxZ1hrHcAmtIsohWd;kW2
zc=@0kCH~<37NchkB_i$-IiPWaKXu%{dF2y$^G1N|9+J;;_R82hXxOgh={={UMh6U|
z^j!VS1N%z4`A?0sscWM^$j;Q;|JmqJ=(80onJr8rN!(l4>gfRKAmzP)c@64|V=b!l
zo#@{Vy@cndd5Q?^Fjym3GjdUMc|;Wl-BDQQ6V}%r)pjEkFLV}|m^vW|79&2*%5%Hv
zlH~Fo|H#~bh_zfmtna-D*Tu^_I65~dy#Le8PolquK`Q=z?)kX3x7YZG5am>QSiY6a
zW^B`!WxS)nz;skznHAz@wP8(6(W82M!O(s(_aFHo8o@71FUSGtZQVvF1PE^8a^jm!
z-fFHba)H($)^W}hWptZo>frbPF~~kxuibzNJ8E4a4uG^TdLg8+)qe`mx5wS%Ms~e1
zrj#>is)KxjLbBeq6XM}{ge|1QCu1@LN!a!^gB@rwyWjU?KE0DLU5gWS!W1k82xHyf
zb+cQqK+@*MBP`paB-cD=FFqfG_iMh{e;HOxGi=q|qq(@0;Gm~C!?v`vt2CoD|1vx(
zEBu!q0Fv*n6>@Iabd|U`-FiO#5$#&SMm@bz5xzA-61qIz-PfXMzQl;K0tg`{wKO=C
zT-f`nG%kLq-=jWicUl?%xL<cyv!pK8oeYT^cAO5waQoQ}B0Ml3p303TnO+AAH&KO$
zIxVTC_TXdZ)gYzLN`Qg|1ZDsP@&t6~E<F~VVXbTpx(Nuq(x@W;@nb!<Os09<4r(1$
zPo`f6b75;ImBg74rUG8XcMW$rIZkngfRx0fWua3a)GS`1K441WKOqz*Y-J-|I_fLJ
zZP+V2B;?!NZ0Cpm(3A^om^QKurMg_1Q<f+(Q0nPTy(p8l{OKIeFC>qn+4Y@{X>g%K
zYO6E@NLJUjzauv?<;C2XBmVtNIib9nX$N+V;SOIt1c3pUrtnf!>BFS{;)QZn(<d(G
z{fr60!xyE*b7BB%RbsSlyr4m7Ob~q1&-^(n4`MU&p$Y4?>A*y7k!g9)o+;Bq=9T3y
zEo9F133(<QldS(qylU^hkF5f}biE`L*q}D^oYhG7C?xqSimw??Cy>bYKIBwLyyZE-
zLsuAMXx5S(y(2MpbGDD@yW~JeHyUb(dSGAnAcs}JYGx4=AmGn!eGF29X+Z;#aTMx-
zVoP~w&n}E&j}$G*%vIDCp)1z8%$>sBvIWO$o`JD$_c@?v(a}nJE8AZcxq`6$UowUt
zSgnI;Y5Ecc1ws!q<y*UkaJ08R_s8uFd4Eni#HPBi%+?>|TAdd;v);cw6I=0&m*ol$
zhOHN~s<c~7)|31K6wRAWz{(g7%fD3$T`Af&w0AP+q)9Rz#6CaIqgpv@ZY~L8Ix(#7
z@ufCIKBUx?TrK9rI!9Lc^O{e9@78%)r=7uDd#=r<p2SV23g1<WwJ+!7pHvjO<sfS%
z{XFRo*P<yxN0@iPIzwK~MSmd+6Ivl9ut$BJQJEj3>DFM|Laskl;KY}Y!isH6%@ZE`
zXpxXsET1JXd7FeB=;V%sY8Vb-E0l@gIW-Vun9jQPRanaqnLFX9hAOd99Wx?!5k=r;
zM8I`5b(QNpz(xPNjI}VMx&rsZ=6TEJn8g+VYhKOuQg3G$&pVdYC|s$B&!5E{EBlg(
zPZ=tY^lq8<LHG-G7?mulj0`0WTrqgqBhVs}6$kcasKL{zNV_IAi`FQ2a`0Q`ZYajV
zLtlTnXnWfX=4I5>=PMx*+_anSHvxCHfY5(ywjC$>jZz~Ks+TS?lumF3M@;;74e{@j
zH{H5DY0C+*lJ~#IizF^D;ePzfyZGkKIpPF3UE)D*;D5i1{NKrrJ|j(l-GY4yFuuoo
zycGvk_*JX#&Bi{RN=(RN`q>iw{eA}rWOKmEOk;#3E6T{cA6|B#us8p=dN7Vd5VL`t
zcc6`5QU`4pPn=W^cwkxm2WZi(jT<l@R~19f@u#mXK8$NU{AQ4x_K>SP+T)4UY5$U!
z@8}0uXTm-tg`a(vzIDf=I(pSTEXNX!&HeOZYK)a{{_pE=bP^#rim@+up6N{AU_EeE
z?H&qdLwS9XuxRc&mZ3SMmvppq8>!!sVdSf>6qiE{m84fDZ3^T|8;3Yi9s0D&@LJ@F
zPN`q1_U3b&`)K<d`>=c}-C;|Qwq$g&mQKrj+1nw*nW1R&^&f+lAKAYe4WG|Vhee|@
zvTieQ71=iY7h8HM%l8N&)3Q7AVRrAl$neI8kF&d136^yaD1kugt-Fp&8b*f7CqhD@
zz9lC3EtCRzLS?xkwG!$C1+>DfQ;pqG^sUjhJlLh)k35D1GBn7#^A;zO)=5imTaLaz
zLG1h#k{8{V#9A&C%zsy6AdY1S5~UL&_$L59v`If82PKlP-38<E)+5<mX$9u-qtJoh
z&0X<sF@VPqmsfHwUq?B_K~lezx_FvoOCzQ>Qw09-*)wn73}Zmx43ckfdtXsqc(tLZ
z6PK!YPfJP=&x|ZomiD~~+NhyVnr-IuR~Q?jN^9o5)S4lorS3OoVY<!#YVXEyoQ6bp
zOL2s`?VEN7JS1hQKkDWn4nv{ZWn_+&|55gbO3tPPkQ=7z7v>uQBqO6@mm4?@xkIPo
zN@(v*{kVe!iH{xE(Zo{cB&!Jw7DlatC{i#z3#<Ph_TDnAu4YTr4IvPm;10pv2~G$a
z+=B&o3+^7=-4^cd?(XjH?(PtB7m%-e@9wYnIp;oo@1N8BTywFiW>w8G#vJkvbd*SK
zc0egk3;J|?5J4kjr2XrF$)3;gxE=^MV9~lNg_tGrj@O-lmAn5i;~GG>H@gWENH!{U
z^%A{TyaqM_?x~mdm-<w3iIhFA?B(~JvSjooP=6GR5MJ6>euux^_EAgGm;q|Oyt;0x
z_BGAnO|pl=UB#Sk_*;TY<A?nz?(}~eq$h-Q2Tv~sR>r;P<Nkk9{|CbI!!SU;#p^wa
z;SM(GU-#fqeHgqZpT6)K3~h}(r2ygs9H>_~<;2u}#X_l=DQU~_BKq73Y=~T`_)U|T
z-(vItwy<Av2V-xFod3=TVP*dTBz>)k*=~^rvg+5%y&PLQH@vD!dx_-7K{05{yhO>x
zhNlMQ)!ey;-~4IsX8medY*gZ+KX~~<wFnt$W!W2$Mlrm%(*w}=-fjPKk<@1MMf}(K
zbDx1J(d2APx>lqn-3Jxq>JihDcI{qAFr0-Q?4}W(W3LMGRE~2EFqfv@Kaf!0)>!L=
zZxN$R(FwB6#7sQ~0gvw*PLYp7I`UgQJGVQmHq<3}3;PiU@vri<+9^60oe}sUUWCsa
z$Gl`k(fXIR$STo`oj(FHd0Gt+p@Ex6fT7|m%$t$}col)G()QPkR*!<FAv|NE&0ORd
zX<6+A+!Y9x!ytnFq`-LQd&Y?jr~;C!zlzHE4%3Izz9-hcl<Qyh#L-j^Dm(B>z**Jl
zR8K4%<VKNwM7k*_FzKO<Xt9aofj?*R{PWBqj@amd!(QYJbs-$uC?=1-e*9*&9$3Gg
z$=`BwYt$q9SJulLJ8=DNeck&We|6A*{7mo9KfM8V`rU4jajigiQy8BMA~F08^N@pg
zH5Zx)*v<IO=C1I_eg7h6+`j{9I6zr`C$l=(*yj+Mh@-#W20!$tzRdjs80D}!?RFg>
zpxaZqQT+{0OyddIgZ{nZn>XQvn+)DFwIz%5?nBMV79@P?zyH&Vw1uYsXKA~Z_aCJ#
z_@Ak_Isi9SskwY+!png;#+T>HhnwA{)^0zIw=0<?p;Ztv!5F%dSwKUFH%er|+Gf>6
zs-o(A;j5hCpgA1aYi)QG#5_f^h$7SbBC`U?CP{E2n?%71=_B0`aq`H>7H8*8-g*8R
zT5~`v`5dPjTN$R@#mBb-LE>nGrb3*D1%##(Jy;wv5+o#ORt7@;26!*a*a#=-swZ)}
zV5~k#+sVIzY&L;;x6b*k_Z<iqFzP$Rf)mYrXFoM}ssZ<gQRK<ixzidBV2)Zvr0eEf
z`C*Q(=M=knmf)YOUc@K`bfTj=r=p;z(HwbT_^^B__2oUGoDQYif+*Ta{1rWzi$x50
zYvU4B27f~MSd4SMK6fK+7b$=tNKbYD2g>qgYA^QaXkHgxX4-KxGZ9nebR?fLPk!ot
zVqJ9K%jkG5OdQ0JE%X7lsQ+a|skc(*3u+qnbnISt9lXKl^jJTtYzU+iwihgnxzDT(
zG>iMgF0rwCeNkCoFq^rM+ZWb!_1ANQwvn#Ceg0(l;Ur<e9qf#fqv)K&`0^>fMqHwh
zj|zoVW6$AL^iWX9dsOz`#)&&2#aKbW`q%$mOr=rKz*0EvD-Z@q&z2ntxo{S!S=2|?
z&cWy(ssTIT>MAFBryQ>`j4#tG{9f!u61eZIcMT6-(zmy4!u8Xjkkmz3wLfZIuA7#p
z$KKH=T$50tkhR_;(ENR2KqK!8Z88rUFxLr3ISJ{n@eBs$x8*nV-m)&1ub9h86j6)Q
z?0f-1SP*|5k#ytRlZma;qH_kUO<Yzxk%FZ}oH`Tj@peR**^@Ca4W0@s^UZgj$*jMx
ziGFK3KaO1F3JFg!KFlV;pvmD%U-$_F?8h8dM-hL`0R?|@w0BnD7B<<(b-h0$VqLrl
zbnRfZcu<0*cA1|C)W%{WLhW=d1}b^U&|~xO;J7!$-JUg{LGbmK3uTHG#MgHnkUIiF
zb`;2(k5X%f(;?^Bxcu%0_9a6&HKM#fUUZ*F1NO@C_YV%wbejRTIMJ8metHiyH~^@N
zltpfNE=~&2*eES`G$<nO!S+tjYEv7C9;Z@e&K4!O^8;=GPY$?2^i3e%p*iP|-v3#=
zsg&*f_a4^wdPSVXISnSqUPJaS%v+-4_j?j?rAa@1Z4`UNE$QZsWkjwM2Ca@MDI*Wq
zVCorK+FvH*KC=d-j==r8S6()R-A0*#_OF<f!H1*EDKqr<ar-J+sJ;m5@MOjy@X4ps
z<<OXFXH`Ee_aRD^W^*U8v&d(U(8<*RHQ;p40*%+Oh%=)mV>N#h2y`ZbeJdEL_@R0O
zt#6fG4Dp_GXtR$M{`x`7)KVXA;QgzW*@!&isu!}-JM{g>CA+b@bMUB)W_ZdR1myA<
z5(n+E@@L_%_#ANn+;57X@@}?hj-tTs*s!$FY~YsGJCpF@y$K4ryRFl7r~8pCE#n4=
zE0UJgzGm@*0BU1VfEyqFSkwXI7?y*<iKL0oab#sGCT2R^CM5RtRmmkM?yxg@`uwU$
zZ5vzNQ~D38VANs!^gpSBEu_aiseh>nZmXWmdhIlsgdg;0OIVF$p;~xe9WSlW?tfIk
z;=`cH0nuNE_UfGjQ23kEvF*X|v(IpiFQ#_t(lNTMdE(kQW-&72&6V7rd<Lcsz0P?x
z+WtlAOK*YqgzB@dMXe-!YCJ4EjMvxWlz!DpjU<xxdNDoV%0h9GVVp4evVy^Ovl)|8
zX<8!*;u=7SS_P(@KtRWUFOv16p52_Na8CK|h%lc?kJZ;>Ikw?%Ge&&xYrx-SkLU9@
z;RFSZa(Kw6!RGT!O^SpfI8OI2W`05(d3}j;k6rH@8H98lItgqe&o-N{dGc}ol|rH8
z;f`A_-M*a=B9efISCKo~@l#u@kNaSjF^P{PQGog%N*HOY{Z1R>Gd(t)J9yA!F$7rO
z>S-~iiSSc!Y5d|pOHE8yUPHf->htsN>-EMXdA;M3ZlKs6XmE9L*-?0SVkohLPLt5h
zk{Ur}|D907Ld-%v2H7#ola9I-!4SlEFCtDK3<ud`8MK8h@?~WP`V)5o*|j05+x7<*
z-*UwHZ0e(~F9<X<BFW4E!z*3?%8$_V_IfhyX3~&V?dksc34HvW?VFkGe}*0eM#3NC
ze<0A#Kg;JppnM)^au_2$ukHh2zlnjuF1_R=$A|2ABtSs{#vXN?2Z46(0GpQ&ziJ)r
z!vOx{nN;jS2w8ikpyLuSX?~wH$}e$P<d&LEN-rW=F@Dp%>~)+swEclefIV$5ZdjOq
zlf&t3Zvmnn`o{3egv>|ciWE}rSA;5mW7(!7B9Tn7h@R@an{LbZnkV>F#ULzc5;qAB
zKl}oUdE>6X^(u4iuSUd%;YGcLi#HR2(l6x86Te(2Q^Qw)_87tdIC-o52b;f<^wR#2
zk^8`xCEHDFCEg!nU#9wrxOf^6OyQj013dZu99&3;=oZkz#-@i1-rmi}Qn^*f0n7_R
z5ki=Y!0zb%x(`L-tEY?-TrX>5TuFQK{VtJ@l>l9Wl~$`!HVtCK7fQ0?I!;bK<`g7+
zLJ6{^s)B%x^Suab)T`=ll|A3o*HaD?eWW;9-db6nYCrUL%aeL*(z%epzG0F~-X0mG
zPV}ivhO<)p8^Dv>K>R-nRuLd%>tQ`?y%hS?gIqDS$sX7k!uHEBkv47|am9WCVl`#6
z?HLu)^e9wTvVRhr7?oJ|55_w07aGEwH?-|Y$pD=DuBIe(<n66xXn&+Opb+&NMuu`y
z8So;7ZxKS73W(hKO(H9&EwtFv+-(Wx3hw{6;TigG=Ys{bBAqUJQR(o;L$lORW+Hco
zN(!=(Xc(`L*&E5;iWI;GXp}=osM^sHek%ku3hEsoIP8{a15LQ!OZbim$NNx2&rwcu
zD)af7mPOs%G4WHKWU~%LvU?WSrBCP+U1Ru%aw#!k37e(Wg-4jMbqo6Z1;}|ug*YU7
zBss9J2k$hWa|VFHbclz$jU?_&;4EJq^1`YDUNz@3*K?KWJfUP(JF@o&Cgs2UtqubX
z=|X1@Zi>Kv{OHwJ4EzQVui&iEZ-&}3{Tud<=GA6K`T9d-jiuMDjq>UD?aO|)@&Owp
zzZlGaNy}!CzYJf>3l;tCRSnDW1qPtCEM(=07~3{@=?(8Vxfd;=z`|P3HH2g%3q(e}
z%tv8+Z)6bAVK&IZ>dM&xne(_@xTYJbJHyGi;a`vR@4pEQ4LO*kg8d$*g7@5ylHS0%
z&T`6?D%%+%DFsTd`L{*l2<U(hS>w#AIINt&9J|MBgm0LPiF`aK1FG}F(8M0q0Xc}M
zLp;yeq?1Sx;UvCa-$CEX8h%S(h7%Or#o;L!1)oYaGRo?K;4;=R9mn+7cd+pa4rQ?|
zOx$%!ub%(FA9P~nQt>kBR?=5F+H@3n9}L({xGrkJUn$Ii0(?yMHHj*{%gz|z?&+bT
zxYUq<_}?*##dML^AmaRoyeJUzF5Rz?x;!ldjJ&l6`G^ToNeIzg;}l471z8Y}6L@f*
zhW{YFR;|t+fwpJJclE%#q`DTqgC*WvStasGJEM#2U;nQi6nzsUj77~<;ix)1SR-OU
zNk@?;ugD~AW98?k7?&v5f^Sm3kSpGojL6kW<;6GZLcRU6Aa6e7pm8zAqRDyM<Ew&G
z`Kd1&MynfTpe;83u+#z)23tWyM<Nj;=mu$Jq{|R91-g4o<`YU2`3!_6qyJM?@F8QK
zE3bd=UZK}Y1gI{_o`04w96I!&6cfyQB2V0?vs~!tN^H5z)PEbA)>bb&6yb^5UdlF)
zt}i+fX&Wtr#VHb{>FC8JlJ^B<I@DYkZ=m@x@j{V>0wG^7#<g8eInYl;EKY8Psx1;h
z@qGcJQQ+hxP%@Tj%3yJ_;<Z-^!Emv$a$|m1%AhG^#3;j_?8g4H`F~l!TmNVQn_UAf
z;IE#adeRC1YbVC5s27<%?A<H(nos|kA1&<YVN1A(eGA9%-q)I@InO8u9dd_+FvfE}
z<<$drOV!xF0wS+wm{GIuE|l{snP1luQz3tcx03m1#|SGFu;L#Rv1qKh(QNB)iXpXS
zT$I}1^GoOxKTZz^Y@TA1tx0v?nTvCwRiT3AcK`Yywz2)kM9}AEobYhkxiV`qJ2Cp1
zv97R@#rsk-*w)~z!uugvC&ui0ijM;)itW~O+KXqH<>bT(^Uqt>t_ZGe|IT3`UqA;<
zD|EKT&li%<EC^d<kb_3dV19|nZ1L@USB01&A7zvyiS0IB86BW{XcN^@AuaAuqCa;&
z;Gmt#eggTUeBxWH%RiE=q~k?)|Eg}h#2n-(MMEU@$l}HRkVKA5;(khd=6{vo^6`Jm
z*`bxc2~bdv@_QI06Tq8}FZ=$OB6~hpQJhUe%a94Zs;7bXU>@Tr(f{ewwgPsI*=zPY
zC&aT23@^1^#p1Y9W!5cdkXPC}V&c_F3P@scqE5-o2*Vi^3#BNGpM0jl_Io@g!j=WH
z`<hy;4?jCurt!4vS=qgk_9qZ6BeADrs#G)Z?H+;*q6xkQS9Np_ZdU$Wz&Fu>cFyb0
z49=(Keg|dS#3@wra@1B4p7SdWX1S>_6LFH0i?sh}vo|X6z!tH{XAc3v3LI+dgMXxV
zEh8%<H)YCdXy`wE^m>kfKlls^Zf-jfQ!Dqn1D!6p`kwz4{G02<W7X5itYrVLTAc5d
z>{8(($5U%Z9_I{FSF!2tR;Nb}S0wEju;H%x@kNpYFads>Wf(Czj>TzCIQiPeLc3V!
z+@obY#B}<qc3jrQb7!qPbnybnsKIR|8Xo*wrwIA5Ns9aA&(;2%ZT|}to#xi+Mj+LH
zb&eB|<B%ROHpoMpAI)lqPQZL!kbEx|a@=*HkrLmj>T0@d5dnV_T=8CVFrjIaXz4}(
zL4W<dfKLz}aX|S(TSuG{XV~y&7FiPO9uh8kOubJZf`UVS3G@CitcXFfjnob!gYdzH
z89S7ci?-?6GaqMmQhM~9c$;Ax$j8C`e9z|y&QgmOOXQl~pWh@7EMUMm4Un3E|Fzp~
zcfs@u$|+dh2K#qVP7GI@peQmrEH?#5CT1C1BerRZuqva9Ge`_KOWs*zGqHn?rcv>I
zSO(DuDVtSjk@4fDa5t6N(w)vg`&oBQHvAaQ1)p@;#ArkC-Dp(bm$iMQ`Mgmxc_#k8
z#<|GZPj&o3@$Yfshj8|dwu=Xq4~f-uq>3KQiCo62jL$o4X_<@!bA}lTW|RhLfbS3?
zDPp+buxE%?7*=_RETxX>$vJIvNZ(ktZrG@+hGRfV-Y+TtqFmXaYf9+Be`V#YC2;Bd
zZOVP%FG(=O1zhkE9Vsim!@ksRz0g?(4H$Up-XW||HsNyTMNGT>(V`Ukz7G#cmKK9I
zVAQ>$Zf<ijBV`DNEovqbgudb#LBhobb<1J7%RZcvB=2J|V3kHT=^9ATcBL;eL2Dc`
z&;l25K9P$y_NVq|R+cIi#QKaAoTyn$0<3|Y=4JcFsJkuErxeY>&ysd}#Wx}>zpvY7
ze%P*?@@q%1P-17m^v3N7Z$-^Y^=L<fog-BJbd;RWMH0p?qw^bbayh_;Kj1O6G0P+O
z`+^lYHnrEUoCI``S-PYnW;sS@ilQ{a%<?h`&!S#F`zR|vx<nNN9c9ALj<R2pf>eJT
zWzJdk7z%N+R#o}634^x&*ko4Z(*71b7Gl(qbl{hbgjnpc#g4NQkY$l!338nNC`d%#
z(_=yRtl{zNJCuNImi2j=9^+jS_&YT7;8sm06r@3X0s>kHa<)wrK0GMdkLqrBw?cp-
z!Rc_(E<SCkHXrhlNm63V9xsIPx5c{QLhl$cC=|^+fDN;-cmN<&YuS;pfxW{-IX}j;
z`w4^#GCrkKz;qq4^qM2l6#Swv#4@Oi8luS@?@6F(U=+ssWX6PsB}t);RWk#*qNG`i
zuk^hXK_Uj#i&Q;UB`~^47zk@gCR89f9NHH<pJ6e^kU~d6fb%coCHeZ$SHHKpMIuMJ
zOLp@lRYv?SlZo#3)-(S17fmOL%25A<hQ7_Mm~UMBxw3*oG8y6w-*I=P2N9AF2UT#h
z){t5&GMp$!Jt;6FbloB7YkWO@eK^zD3FY=LGQ+;LOW37Ah!h*urvXFr!<VTx89Z~+
ziVtbc{+L0sQvm7noihSI&N?7<(W4Z4jx0~v2&Mn&)&Sp92fHJ3@OQd6zKQbtYc(=(
zE^t)?jOsFH1LKOXIl0Fji9?8-N*Eo~w_it>3Y8M7>Um=zNdSBJ1&HBaR)8TqU~zLB
z8PRk*D+7;mv-N1VQOLs+hl*ZUpMbIw-gmJW;`)e%KzfYnvEnbocjr$eF;;%c<fvFY
zAXvP$nki>;Ul;O&>v(rV$q_VdyX63F-!AR#<8^h}`o1MpmXr(06!RC=vx7x&jDBnb
z>sC4tHnpaY$io~EhI=PiEo?>)sm+n-X%>u81Z~;N*`8osJ{?seilF7q$Sw;_gcjsK
zjq}+&3J<!sRrd=i72;OUo)?}CMij23nlYtr1kyJFsq~9ZPm#A5cx0S8{(AnkW4U!3
zw`FDm!uTO<-N5jl!*C>hO-@#~xlbapuQhBz-^{UXOH;I{gVS&wY~+FpF#EFRgI&F`
zz&#D`R(?U^b6J18q1Qe8%Ukx|jTIcFDgP_(GLAuM!p&{d==FtrhML&`_`)5gSFE%V
zJxcz=kQO|^yiR_6WO}X_zgY$r8i+JN`Fa=)aVVXxLMifoUMIE!47GHoyf>Y{`7&f)
zgj@((z~AyhAHUq4p{9K%92p-6>9B~l;>5PeOoK<Isf{@|%tC4nq8oi5gUdk0XwUmn
z%s(nZKKBE0Ojz?rd>29~)p^)6(Xdi=;;P7WIu*YI5qYRV8GTg)@R_JR2jVDb=p>C$
zk@$e~YU%FX@YJEUW%QUttfcGmF|e6k$|^k#W}40#-ogej;pHGZ%tYFKUmI0I@7YXu
z#GM)fIzyegjG!}{uW(4Bk=Sc0<M~3H2f0bCEw`vpwwf3p{R2jo(QzWSRGDU?1}K7R
zc50+P#27qRLhvf5)n}^m-oKrRi_x61R7Y7qf(~|EEbq+-Knnf=#N}+WDS8b75AxQ;
zD(GP5?9b+JY<U9at(k(9no*$)d&CTe8>D+!QnnAasVf#nE6`Mq&A!zQjL#X#%6T8D
znLg_*dwB5b_Yb&(9NKGX+0bq_CrZJsh4Lh9uz|IK2hin(tFg2eMvrW?-zyEn`H8SP
zFKA;GG+=BmWI8~?chy+u38n<fgv_H6i;DtbE(O2n2S@`z;aG7$pp2UrY_TZ0qyoI4
z$eLOX!paOCxZjp1ehQnme5;%Noa<gh?ppa-QbXkv5(%?nn_MJ0HeFtsoW?dY;($Aw
zEwU1gJTx@*!lhCag9I7*u^>Z56M2*(+vvxNV*(+#6LS(OWI=f9t>8U$g1TSz{+fo}
z*LVm3A|-ExGaJ$@R1zd)g!oaz3HsVCI^}#CP-JNY`8bxDKB#49ggs0)G4&%<^q5?J
zF3!Hxab+OsyfXGTdC7MvQnGI5d%=(y1!;LP9T^50(Ssk+k0uI<fAMm9fxH~;;);e^
z9bnRTA?t_)cNt@fEU?3>Zzf=>+`3LI@#Lo+%X=V@sB4>}ktnDK>;jdjki%aMJV?<I
z2yAIe{d-TfgNhut<hXGiv!|sMR;BR{%`u4^^PVMl#RT~dgfjb46y+UT0S!NxDKdc0
z<%k(mBsXQxqFx}f1vc*xZURMmx?rbRUcpgK38OYCzAwR*7IK^*XWP@ICFn>w*nEsG
zG)?t;kgvSLT|OdK0;NujyqzPUjkw^8JeD6U)KO(#Ia%AjL9`c=mXK*_%})w#U6M!@
z+qQOPdS$|PUQK;a|3+*q-Jm)VMY|6i34#RH1^(hP={$S4^@P6ub$wzwQSXMdDr5Yy
zU=^}DpHsZoPDR3|d&AF=6*G>v*a<@VC30pkV#zwWsCG(Wq&fvy8xb=<t<ywMP)7_u
zz7L?ty0I_F*Uw2u#JGv((~68xEUIoZXLLfzX<SbklDDFdOn3LAsBerdJUuJM^+SpS
z7CkIv?YZn(!Q~N`5k(4|>)z|%eT4(kijIz7Xhk}yC2^wd_9~@VsuX7@r~*S&pxuK#
zasO%y`~ZpK|F<)94#Q#}Ia)Ul$ufY;2d@yve~IWU3-r3CFQ`DIkRovluMq4^AcX!)
zS`GqjP-hbrs9veJu;6S2nec1seS1{#hkqj0--+4F1UA%pVrOXOcssy2G0ig&LzNn1
z5l_+pCCgkAu%#<%6XZ+o_fhDXD%C1JP9GWn6iU|5)fGR1qP?n*TGMm0fsL{OQ8HaR
zWvrh|D_H7YDtYFqx}q25;ueIcK&Qj_%XxppoCxR@gc(oh15o-;K|ryr0^dW_L&i|J
z4ixg+F*bGpN=LUZq~3ldM4u+|Skj#62o`|VGhhgt68)@ks8jtd6+)ZHNMlkiirX(n
z?-@M=q~ds*%*PQ$+CxDEly2vr*YlGc1JfaN-3e&YHM<BsMe;u_Dq*1pa*ivDK$?^n
zMBjWHYp=EKE#HkI<zNgHp5-`AF8Ot6u&I@`NWrLnwlY8katzlP?O5J<>=No{YSjg}
zEY{!S2-A9soal0%9*7k`H-YzkA)VPSDHPJ^=0<<=Og!f&CQCK5Y^<z$CEOl`7l62^
z(~f@2qvh5o#BPuAY8@mz>iP~AFuDOH#&F)k-ylyC@LfUEH{LknVMzy-`20GrL#dnU
zSg*l!*&}(Im^IA|4Ma87uWy9Slx#oFDXfr?ynPvlg)IBCwBdrzA;-8m{`Y45!LhGO
z?M_sbszckgZ~AJz8<B2eY|~-$H}X5d0!SOi+#uuG2p2zI^42rRCoc1*m6l3Z=ph*A
zLLjYVi*4#Gk%-QCkEaKXf(!+c%cU)q^~5D2&oKo?3L8c8pxG2r#(XBIsNC8|_HI5#
z^-DaogifT#2(`(3km)2rN@OIDKnJ325A&!EMY~R$pF=-N96mBk`xJv_P)(K3HEkXQ
z<co4Rm+`TDV}d_u)-Vm7s_UKI6k~<L#;xEefN&ojuSzQ;xz4MB0<WcgC&wKx>555$
zphfrx*q|W$=iUHbRFfqsNhxxPw7l!??2@wSK~84#5qCd|?WFMo2PatQx{W8&y8*a^
z#d-P=S&!*02?Ett?Z2luo7W24oRmY1QL$cOy^~ddyuU(ZB<<GP^*n8|7szWB8#G?y
z%79$c_fM#uG(oeKUWsYCIo`Trz_Ly-Rd<(sG~)KR@3so@;&4!L-vR3%P6<;!OHT}G
zm&(QUf7d%_h(d$OkM7Mq`NVk5!(ky~Tbja9j}|T*{aM6B>^;H&R^1gDi^)3*&pPp3
z%mG*NR>6d6+}}f%1f35h?@Y;V4ct7TB$j)sL<VR)4%b5U0<b^nkKI)OgEdQ|Yo7%%
zG01fCp%So_KI)Nl;6_7YAq3Ua$LshKG@|KiTUUVJ{p1w{rvYW>3BQ%7mDkTOl_OnC
z1+Qr|HjTF52iBb!FmVxEqYqaIs%cJo9*RZruB8R*S;`4tyrkV%vO_7$Tltgfb{~-%
zo_tNo{)e>tg@2uP-wu^l#Gj}1G}=d%s$%x>p?6m0IUga1s&`~A@i>D8!@fAkabJpm
zG2wqw@c$+SAALmW9O#~S19A7&jqx$K^5)bHcNfjOujG4bnk(HRH0M-J&M%1Ofw+YP
zKDl4`$--}NgK}=0TUkzqYTI(vH%!;Dc3^=1bjjem8o76HzNm=+yS^5w6*npS{FAr8
zqV!B}E0h-xYxlJ|Bj0eMN}jp=G+R!v@RV-pUg~5SW&?JGNKSYxB5n=MfdF!EQhoOj
zo~B5W_Z!;2&L*S)e8KRx0q<6S+6SCKJ6|jZVFlfPIwonh7zVbtdUgK3c}cYS9`45S
z)2(5**X(|*#k6j=#e5I<GfOC)FCXr1I0EOdmV-aZL`t>e06>Ui2hvY=5Ny|9v^_%I
zlcoBB9##aO-X>HadO^+Z{d@-JV8eZtg;L!NBI4pibApE%G2)t?*fv*yzpiubZ}^kb
z$Y?poSm9a)F9~;j<o0mcdkWwug!`bDG)mm)Gp`;cR7glQr$EU|0&nAj5QA%QG@esd
zkw6S0P$+NKUmg?Rfg8G-#;f*MFk)3u<$N$v0_F<)3+;7VS}OME&5&Os`GdlrHXVLm
z>E*!Nv6Jt_XRi}Y6E{1!p@GPc@*%jSAnPZWwE4VOPN=j%)Mp-;P<Xor%6By8=Hn(k
zFsSMK^>nnZU-dQ2_6DYQJY^_EQp8%m_7Iv|6b_{V{s*Cu-w-n@u}JG?oQ`;<qb@E6
zH7zp)B`&!b43Q7+yGmxpb-gbbZ!t7(FsXC-$-dDj21lP47kjUNUf#tc9b6m6h02oB
zmI}wFUFz&boNsf48&rIay1CD6X6tX;Ur}X8I7}R#akQ{m4!TgQ`2K$Y*J*{e9ALC^
zgWj3B7=)z#{r0ySZR&H+0%rSPc+tDmgYa-{EAJ{Nv->GE@zOMNT4}xt3gV_$>3I+f
z1SvrTJIHG;LV=ls(0ezxN@K7PjbV358u?3gHF254CR_t4u$jEfiJruV%{y1k>=kT>
z<gX|1)N=8BPz7~mZ>fQiO+yUO0;KK4!Ue-d{~wWda^S@R3}-6viON-&);m?XPKkQh
zFd3K(w1uo$D#EBm*4Kdf+ph!K(*x@><Y||6w{{^vma)c{TBc%Q26o94Q!MhM|F`7I
zXZ+zJ+0z_f=vQ#`3`2YCj<bF||KN>xj`GjE9f9%>cU)7R^|@Zb=LAS2ADKu}<HT|c
z(X!MAE?5cKZ1pxma5EP%18m2keQ5YX$A+8#oI={JCSX&8H6=44dsA64LJx6$<G+&J
zgYc6TNEXim<p!a#&svQ?u^t+lRFKpTDM85++)8pE^nO%g7FnS0zBPyQZg4~wGkt@S
zScyo0GlD*%sqp92p=|(9on`CpfwS@{sk`Hcv#+4Tukf8`vOX5^rCU-B#Jp*RsdG2k
z(v`SA&ljigYBeGx3C*=OlQHFkg{myH@n{U`-AbJ<5{7g#m&r8SJbUy-?D=33T|k+4
zgA-YR?ZXi@1^%GptZ}Kjh$85{FzR^qp7<Xgj#>z?7s)|^+ZPw#P+pIl-%|xG0^Js-
zALmaA+U8o<Mad4OJ><YiJT5z_W^v>e38ok|Md3-3r}>?CD~@}#%LS3tvSKyDU5CnK
zh$t8h$Z>hKn0<RrKg6JSE;MB3cEDY4ATE)g+;ldv@i)D$>8Z%#EwGu$$rYdt`sQ@X
zO^UbEqH|wBZ9k6S0I}ZN3z)6W2X9kRAa*DdwsaG?sq9P5HLI#T(X^{MNcyQzmsD9d
zS4~CA&;py0Dgx3cOmXD-xz3=+=<U-enZrIzKx`j7#_s-uHEJYLxUZN?!TLKQ4<nFH
zf4)gL-sA>){7<MJE8vB3&UQ13&mO*C-`xB;3+A|gf~?O6{5e99-O|5X?*?}rLA<X%
zCud*8-Rh(xb(v6hdo=5-VNE;Oai3=@e~jbS_#~Hn;IE~?a%rj6Hj&&HdmBB?$$E1)
z+_*u6cY&o3`RunpB$9k+uBBICaA;FE{K|6RsIr&W+;(BU@%7l@z0GHM4MhFz43$DJ
zmvbce-<`N?y{X5yParU8k97|Oqx`2P$%7M|(p?7Isc2Ioi5xHpSP$PMT}Zy(tUHuS
zim%gfvz)N@`95^dd6I4qsaZxGKcxFHo_P}Rb%!Df%pI+24pQL?>7UC)NhDrE!o!HF
zc5M0;a84;;+3bK5GmWt4USI$+ukKiIybGJ@Yk=sw3I~&YGK0HUr@Avd-Y<MEPprj2
zQABQO-Kpj5C)ipTdx6|NUsvmm1_w-~0!Vbt^>1bu9tOw&+3vG9lE`iY|232+;r~}C
zk6!FEMqiQy-qXk4zb>dw&L2y$iFRaS^$?gPbN-MRqpUyRKI3Ux^b~z!5w|?F5vFny
zt$fpXI)uxB-X&a7`+)Q<o~`XIx7jshIIqC>;jJSs^zmxnHb#ue#Scylxn*;N)iCHC
ze9)E`-P#fnRCqPrN$l1K`eF>7t~n~$7cM-|=i@8t)st2x{PQJf2@}1V6J**El*+{{
zMEN!NBawYSbp`pR8QBJl`@kG0IrmzBEbn%$+kO@AM=W8;Wgw?EncmMztL$x1z_uY#
zosr6C!KKx81vXLAN3R%}NCF%*jSoHJcoLFovBu&yhoE}MKpD0jWd4oE!~eg{<KfR!
zBi@q%qXn)0AdXo5C!O}6S}jE)h~ngonaDX|sOOn>qij#A6j2<LRHzcX?^h9#(^|B^
zmK`7p0^vI8^%>48z^#_$JtW#BL6Owzde;}TyY+>AiO=uY92M}fsJ43Y470wE?+HwW
z&>UU7>m4w--V4nu0_V^*>f4UoJEQ*jvy5IrxXq@_*(kbPsb)Xpm9YOJy{1>CyRi}x
zVw;!`)O12BztWYUl-?WBTA<^epq#PKFahW@5*pt(2+oD#vv`1ISo9h&Y7v<S$E4P+
zfX=%-%N{ru8y6hH8tUqf?4RvEvT3)IM>iFkMm6z@%mQ2Mn<1Xj(lv_!iwNB5jfQlp
zV2^yf8d3&F78LN}(<%(>8*?px#`i-`L9zEYam$%Nf{??)e11v=V%=wxk&d+2?@bvT
z>U6(_vI7$|Dkcpg2V>qlB3pR@->zf78s5G;J=|S}x=j6p<vChgO~aSW9fpX$=OhOL
z^(U4{Jt7L?P07@wlNh-SmJFn9k*8gA&C<a)<ZSe!9vvDX2qbA7F-kuk@-mC$$0&Qh
z)OcWH^qdl1v>3=jBuxKoLJQyt<v~;S`9Xy@KYutzp8r6n{}-VL!TSF)LQlw<ioRa*
zh0frSVIF-VK4}-eYKPHzRl|~**_O<5vXyDaCbI&(%M5jA(y?-QbD&h+K83y$D^spH
zW?D1cMp(0q?ESCAjsUE&p#d^S47zNw>B|+ox@Q6~@6d=%Anbf!3R@<?c-o%WTIAml
zJry?pgXsAeh@OPNWPk%4s-_i?sei|G`-YL+Hr4E#gb@PJ)jlSIzLg>7=r1;ZD|`<g
zwbYEWYnM2G^EMDjz&<*Lc_zNgQwTu^!vktkQ%3>k3>t4ZlH(MYpzCN!qxf#MN4M=I
zcuIf%4_p7=*!rZv?wE{V{F5BzN*+&f2ZuB?f3bNa5C2ze9x%uQiS$?y!WdjK4NKa;
zZ;$$)(E5Q5eL$@H;>e+OKbuF41jm+$>u^4_^iM1S5;66LU?0SNeaA%8u}w2RiiQqr
zfvBtfx`L_bWCeL}(;U6?>=jX9l|bH|#tN-=gFK-M(+k;sBW((Z?Ck8`h5}?wC8_C|
z_fdpRfopm4asYd%h?KG`6R&xpM_?WPNbOeyJktb9OXY*6{eXy=xi18?J%Sk8#fZ~5
zox|DT5KBf{kx>Rx?9Io$np&m|NEpOC73f8}>w+EM$jkmM2w<th2{xVUR2SlxQ9iL}
z(@hLz0YAX@?*yOPz)X?AOvc|o(?#~Umh<=L@^bmRUADqzGl}F2e$Xurs&$c<+ya66
zDubD1AJYS9PKYU;8w=jAza#NB7_c>TRKHK;GZLoi(+PJ5JSjbegAU((X=w0-$^sT1
z0nsuMbhv1Tg0Uix4Fb}Pz?MB1^d$dk3$#e|Bb&hG?UbJz5nPcaP3T9Oa(tgFeW=fM
z7J8+{l%9`1(_&zX1mbGhak_sLmvsai=!v0k<xd9yFwy)+w%5Qo*l1@(26U@xHz{Q-
zRlTe9eJEZ4N$JZ6&JcA~d8L*069dS_!cb=r&=<TD%->K2`cbfWXF$;^nn1&XP|oGC
zTnDVz;zdq{-c~&KHBcn*?f%TT!OUAFeXFR~tbh?$nRh5$Xn$l-?OlZsKu7)6<1BOI
zu`NI9rE3A$u-1B9;%Cga`V%xRQBZu`$x4v_=E0U(r6LKzunvzIpxB#1XQAbJ?p*sD
zJY#zw*xET@mV#rG_%|FK8^=GAd7^-1o?T|N_MN^?$?=-rJL^vEV3qR?YTB6c9j9F&
zQ5ZW866htZa|!Poy+wyp?}R3_pdE0>Fwu-as3sB_cb$t#vGSwKqI@Un{U5mc>!!ya
z|Bt!)A8%Q-q>UY^{o-txuL(|~2(skpm8e4C4-ds@#7s&(@|Z;}h*?lxqK%)3!V5>a
zJDkGjC^qLWmGrzBoLgJF7uP{NOg*v!Rv0M9mSCO(j+J+uQLSSTKA-$G>}D^`wWU2V
z;$d{IBH+<E06$R3+R^<n(LbSV!KY^d{saO(CNPuq5hcI%ASkTMZ=?zLcTybIeC{e?
zpm^2`M2o}PP5X2agjUALyiGVX+H(0;Nmq<hPQ|_jL<?#mUc)u+7;|%A)+v(L^baaL
z-Y|%|H-J9#^vj%92!SCP3zDV-rF*!{xZj)B^eI>8x{;g<9ceGEB2;fs3PdrCbca6X
za7sf$?IvK;{-6d$jiNCTae58CTYuXh7@33cEhWaMyAXPz>R;BrjSPCE9V?FZU!VRq
zo3<Ul>B<85A3V?B;CTpvgw91=eCVqK{T))2oxm{G)ZvLJvW?}0Y8}^v168^I1(k=@
z_%u0YBfhJfLBn_U=Lee~di$SsW1;WZNXz``mf}pMPA5748LVFhO~_1*uWvACsEHw4
zK&iunrjfEQ;9vTNhwb3Kp0D@&HueaD$KD*tN$U%ADwOQ=7(gS;7MQ0IF~h#oP>{>0
zL}C=qVNTGofR0R7C?eJbPv^OyDOW!%*3W(oQ>6Uva&@HAvFxfIw~9oFvnR@*SWutm
zS5iG9Z!C(&%L6|;-DUs?z78o_KOH`3nX_2ehK37*Ljm&JNxq``0s2b6>b48M%P<Wh
znM;E>>6$}dD&%oZ4GVv6(<DXIj8r@|my0ze%$nOqeG>njIN4E3_!FkMBqWZ{MPaxC
z`qf7cq%0|WgA4%nw{c)?B7lyiD8wUXN@ZObVDTV4|1g%bCyGp~rV}tjZvcI5OEaNR
z>a4J8EW3^UCoFcZ-JaRANe4BT7FSTpYd|S&6vJ)J08KW7)%%%&S>ZV~`vugK^RO!p
zo=lmM%#Mt3qgOx5V62;7A4F*~hDEG0q~zbo!c;fWE-`p(%3#TTG@ccv5<_=auRTxo
zX=}%DCnSj(00cZDqk+!}^Y#s1he&s8Q=gWrQ40vr{~)xMzVr_t`spjSjA<JSB;h#d
zbI9p@)a}lT)b~fB)-b}lQZ&jBV>2a8-hE5KSi)#tZW>wTe;9-)7Z>&M<WmO=F9+$R
z{#T}5>u2^I1;@#$u7)jLUl8-ErPX$;V|zWVA_|7yHE`7t`w+C@{quzByM17n(QPyt
z`rZoEvXSr?D7n+RtkQ9(<)FNy28FUfNW!TGAmtn}W^zMsy88qzQqk}JbU5Y78Zrpg
zF{YQ*CKH6y2i*W(NsPCKdpFif#wlNb+HDoXc>n~)^FEEOz_<|}aXqHIzZcLvKR`9e
z#e=zdD|vNf$n9~$uzkJ#;lBXuvjK}_+hnz$s8N1)q=D&gtDe(N-rykv9sOUpvjA96
zg{UkX#rNnVL~la7WS!Ml6K?btH6}|eSk8j2;9jx%#*n8Q<Zqv``kIbFtiFHFz3IP(
z^IZG|xd%Fz{D1|v@|!E-t1C3@=LxQtCEsbTX;tcdM}`Oo*TUXA>b#TueZrm+L%7oT
z;%r?d{u3x*5w&^C`gpGngzV>Oj-Z0Qw2sy%hCnHu040tpB`jIW8Wk888t<?wyJ<Zw
zoc84U0cUrmk#dmJ7)aX|ZuUxLI7L*s9xPNp>R=IlxOO`Qiy9%qv~WM&_o7+*2jqS@
zN0Tir*XVqfq_#eb=-U9rqU9)E>QBC0K(LN?Bd|Dv*5HwJ`L(?0H0n>dK-cn8PYDjs
zvgb+v+jb`Ad1I?%g~BX$+VwzPb{?z0jlbFQihw)Hr4;`PX%}F}xODC3G|7*|PQcLl
zW%QTZRw<{;lr{B92CLaM1WxN>%h*;L{m&z>i*WZ6F<7D6D>R=&bB)2K(8HS-3@f#V
zRf{46iJUP2()cMadJP=PcoffsG_^j`Uw%xj0wAz}_J8Po(=cPeL(H3J*=AH2WoJW;
zd~+uFn^hCe?plh>8`Cpj(|(UcFlH2P+DfAv%1)p8u5qSD2gx;t2?~maudi~m`8&Ch
zr8p5H=`zjBWKKUUUJhcHBzMU%n8kCswtYG&wNi(kNlSOXo??b}b?!yG@$ws^y=rzW
zEImcHABC(WN#C6xzsWfIW-EBVn!4RF98ul#1H}>*O!}T`aReVo)2PkGm&fO3cJoa2
zqA88*@M%wyjvT9@R*%Lpo%p!0DRwcG6~({cDxwMU#|57p_&pi$@Sy8f#Cf92V6S~N
zn!SXDRT1bd4SA-=*{k#4%kr<K)X5zzT`aVWw!0-vK#jD8{!~>nU4c|dsiRAR|C(Ce
zN@)&^eJDAXoMd{-uF&57u)7?_Z61LOdX7T~<<fJq0rOxn?9tJnU>~}88ahY$_+epi
z`s%Ui^5-CaQO=6o1#^8X-ITzKL!Kzs=M&PYGwAeha9kA*v0~CO80`+*HPyra9@W{w
zc1SU(0UIa<grV+b^zq{1?M1-mz@qxsuU4vcs$kC32!m;6`KG<>)f;<eV5makQenDW
zYgy9{y{SxIh;0-$xJ#=55yg}M=D(#k00^b{cTL}&SzPf1m!~ji-H|!9Ix(+~jr<?c
zT0Wl~SbhtbN#vwApbG#a1Gm3xZfq5bk7{G|W^8t95d{}>Tmxc@zc2mZW0k@+;U4!a
z{+{8sxF_Jg`Sz!<ho}r0@B9T8o1n-?SCUfe5Wk>V4oLjXZ?}Mzq0dU{QlyzYR_`-G
z>eR=<B5|XLKECg#X0~qf;Z2t&`q)%sgucwAkzpiv3X@9bd5f&EJ!WumRV(yC##w>E
zRmxL5mT(#0rd^JB(of==@$ut%DIAaQEW^n8_3g>MdKU=X2$$9w;4@rO$4pKq6<&Nc
zFik!T0^jQcZ?AysJ+OCG;MV#6o&}3a>o_PjxRQfE!Xd4E)Vm;%k%Bjp>CypR?-ZDF
zi`Y7nw;8^FVO8-ao8ohOaJYQeRxQoe&AK+hCg&>Gp<{`ZxtfmR_pMRuv+oiNx9Aw{
z`8Pv^UsuvWHX7_kEKT#)#zRdui8<#+$FsH9){rmbpKRoDSk>wQaVn;7_I>3+?e}oT
zR`UW&Fp8TU{Lg+T)sS2+#Wdb#t2A)Hd%p8bOk2#5=J$f}2e%`tUbZtZX2L#M^h+Jb
z^cFxClXhUMca)u?b6~X$5Q%28g5)kv)4S}!!^`zTz>+RnZHzg6+bvlxe3Y;}csj9r
z`MXlRYdQ_jtYLptz(iE}=7;T}VK9!5%k1Lm%-!qql<b6aST*qy%zr|xtEJTAF+02{
zXz95(q!OC<7d{NOZRm7wK@yGehxp)HYI!}EA-&I5Bj<U6mT>0FzQBeXiRSpBB9WM>
z?@rC-2cn$bI3jL)n-N?KA1D?5*^Q)ODlAsw24ap37dPn5w!7mm;r%ztSmNb?uUKR5
zNwKVA4VF2@%f>MNA9#V&QCaWfuxe9NCbjF^*6Q#QhTO=(ox_>hwh%Z+)P{b~lg&z1
zvb1$NSRO_x@x+NKaJ3s_bef}u<%Ho|mONP*lVTuBcxB#(AA3(eK>$YQ<>?H^U6{sz
z70DMRHe5g0S4XLdd^D_?yk?hrFQIh59IS29J|ZGW|AQ)d8t@RGq|QS4JdF>Q!DjbM
zhb>rjOe53rq-R)6kKngdFUtjiZ`Yc1cNT@Rm*ZA@`A-*afEUIdeefurz+qcJK109!
z5^t}IxjqT-7{2^B-6FsZ`3|4R4d#wAjw|r`#^}@2y|2xU@3eSSOO3?KcU&2tzjQp<
z^8R=*VeuyIYJ+oiT<rA{eMuFg=fkx)i(TJE6U!B8ls$}T_BYF_`@Q{oIcFJPJO22m
zz9fh8;(C2WbX9lH(?_*R&y+;`=W_^wA8QY+J2Srnr*WudoPiyb7Vx|h6Kl$uT>BN~
zd++(6=B6P5`n1!|D*n`V_ft)6E#=QGz|ht*E<oEYfGsYyoS?q%_~l&9;kBh1pQece
z1uU?D#5;h#WDX`o)D*$#IX`YkoJ{W-#8dy}QnW17zt9HkveV8)ehajRoG3_r+xBx+
zzp*g&(YKT|Pqv_!4Ix=tV~DG*-DirNrj(S(7$940ml$BA%IT<;IETUJ8`Fh!_xNJT
z!@q-1cv-}-owIe0i=WG7l7zL1DZcfhZw{B70cmeeeh=wpc!k>GOflQAvCoZ~Yxd-x
z8M|!|#e3N8hrMYi4Q@BAra=64HKlskJNcFLt_O{tq3P{!DsU1m51MW!iVm((U1I(|
z%XfxVJl@+ZckZDC?_(*^%6ZywC28q0e8S0vIa6U@_c6Kq;AGI0d-VH_!;sGc=-@;z
zL*>G6^xq>rJz=Iw>+kCGJUr#)M3q@=*r=&HKe2;_fQ?lRHp=?4?GY7pIDE!bcFy~*
z+bir)M5C$_n~j<)7a~XvcLq`RSvT=Vn6yev^c!OTP6Jo0<EXE`A=s)#hZbANvm2d1
z2)+;w8q&R<rgLlDdd3;b;*LdoS>JcgYp4awlU44j3YW88R5Zti;5I^^XhjrLzcYzQ
zYlCPC-6o1VfLW;OO5l)WMtV_WY+Wx(<ks$rj&3_kw9et<(jaeffRQ<DV@Jx0#ydy2
zX~++T?CEK6j6oPv3xcE!wx_(Vzy7HnM@1ulXOf-_^H8Z@)#3(fu<5Ta3lNK}*(UuQ
zyCWvsN$i6{pZq*edN0Xo59(Z0*O_Q3Kq^pWxaj0eAU0z4hr_NN!IRnm9}K_X+;g(L
zUGNuFG^U4QJ1?*Lwg~fjSS43gU0E71yFlpG>MH^{(sdO(m5(g~1#4VWe{9ZMmK~^4
zy7bFQapZL*TJx{3e!|>3FHc^WA(psEN2D{xp91CU@}YBe*nan8euDA-aSBH+D$*$m
z`Op2}e|>5*pxm`Uc-hZ$<mIiCHwCf#L(v)*7LtqxO_km0USRbC8M2=)Rd}kw_LFb1
z@Xsx?kU0v4NFl#75N|DhzPqolMVHnF)5sr`#9Uvy6k5}rl-T~n4&iS246Udlr?X>f
zR}Pdmh`s0$e|da+B~RBmD$on_Owrb|pV-hRjcu&db#mdBH#W3u4@*SQS4BPqM+_<E
z`!uUhvUvq-cM)x;jEvl?VGr|N)s)NldRa$It#RVPo)=HolmvdTkrpOt6Uj(i%LuR!
z+IUNV@(@12NK3wkugoD$Pu~&{K-}fpfCyI2I2P8B<RvU2DEc}LB!{*nHafMu1FnU&
z;wAd<Ij?b;*|sB@0YscyUj7U@Y%2VwCvJ)~Oj&chc)pQtYvqc5AskyFQjB@3N-O_j
zv%>?#OahHsq$Px%Ec-LRv0CUz@{z`M6a7}sH;dVj@vMU+;ctMOiV)YJlsde?kNCRE
z=xQ$d-8Y6covD=dD^@D$Onivyv*vaBze@K)Cwq0@v&as;(Z!jJSI5iab7}c`l(DMa
z^DH!`G}O^7wDI&KzgTHcPx#xfE~}tv$8%nIAi`)@>4aNV+c9{3^nH6w3|fs8oK9<J
z73A3{{_*t~g>F>Y>Wy2p{4hl&vy3n`_#=tSJvc4`JzOn&w?;dX0I$!JCE6lDJ$j24
z6v>-|@%6tqX=)jfULSb~eDvc%ZjoP_^uN*1X*I5?9?jZ*U%?+7!xts&n*HW_^Yjhm
z<;UGv{*(N^-4bQA(|i7%u$F|Gc|e=XLv}&o=G}6_J(36~ILib@o$@bh8yB+Ac^w=C
z;=eb~nUoZk7^#A2T6yeUX=!WSEnjuWU4z4m2xq7KTM<4W`=3R)uf(tScpNXcb0@84
zu3wFITn$|d{bPk1&gbFI#14XG-O$I!h78zJp4hpNc65O$M97QW2790Zn&knNOYiA+
z|HSwzMrIjqIIjaWTez);E_p$gjSWWr>rsAvnsCUS%T?A>m*0=%u#5qNbEp~8Zyvv$
zU7~q2{21K?2Hs>5TsUrdnn<a7S}=Y7yjbe^(SCL%#6e6QFW*3_`~zSxO<OkA>h*wp
zw?9j|`*M<;W6?MawUbr{9Xe}#!oUZ@nn(kjT;oA*b>6^OpAWd5i@Nm2%u}~86WGZl
zK8UR*miL6oH=_H4f`-}fyikerP+Bb=N3bU)7%|6pszHWwK2E6vB7PBD5aULkP(x<t
zAb0|BGzv62o*rDuY8ryDgt8I#U$9o7kTvBB1xTzuw9=V6zAEiajK-(o!)wr{(PXs6
zv&y%?IzyPF_JiU!JUqU7U4NwAY$!NoX==lz$*s!D4>P;Stf>4m3>OkO+nJGta65Mf
z24`8O(fFiWRrS^us`1LHGHjStteu3N_fZzrJc1TV@^7Pv5Hs$6)XD<eHCb9$mG?x;
zYJ?)y_`eCJ%V|4(R~cHNb6{*@Ok=4Hw{PkCWpcw=^3@nXfnNd~9F1w32Ild-Z8i`5
zW|p{ntrVgPGfbF?F^NCbNT&JIbc{?O7|aWQ&5C&orPC&w%_c5P0<l^rYQc&lZ9Scq
zC*gt(MBmrGRx0WQIdv0YB_=^_crN_(Q;D7<JK^UMKVe}NI+!y9w42xV>0wWXqi3<4
z4*UD4w0Ei>gkPqS+?Q}Pc#eork{elW=p#_Lg<E65KVypKUAzt)6X#N&8MqjFnV6kz
zb~^V_u~&=DG#2q_(e6sndAR5l%wA^$jQT=OT%N<LVt!1ia4yMMe@6Ajc9@%|Fa=LN
zPX6U1UDp;9Ahz=n&hLoi)vA_th+P>f?jCv|8_dYWKrM@LT1+2PZCLu=w!C0v+hm+2
z34k&pwTX)i5yEa1%urFAwtA@VG*pv&t4E#bsF6GSp__IjF;(2jQ81;Y-ZQ|`GBo0?
z2`Q##Q5V@}FE{!RFs@=V5JOy|Oo9nEKTsed^F@k<i8c-Zi@Q$}cKe~fI8YdZ7sXC1
zMwNc4F|f|}Nv7<r{<4JRM#!&L9Hr%pvPYyTnw^=rK&q~ehDK;q_(m-HPMD7~5tqC%
zXuhve@I43}>`7H!1~b@p$cqL%vV5vd0U4*8l?mU&Ui|+0R4h20B`LwI@nV)_;-z@<
zG@Ukm8j`|k?CE)5Yp{U`UW=GHbDW)~zI1@yuIu{Wtuh{xCL^9?U6dKZ@32W!>)gJ+
zXw0yccIe~5pJ(SvW|?qyJi-2hBvE>;aHg@!F}s~u*F3IA;ColUr6H%{JRU}|9htKy
z;=c**m-4aqjq0T(iCVj8tH*vs0qIEE4PmA23j7+>tr{ohu#KY60lE#c$}B$GsmbjB
zZdQURpmlNRt<5sYxt<63Z^>!p&0*|u_*V<zPN4CAIOt^JSR#NX<7s{$F$*K&w%rH1
zRuk_~rJ?8YtI=k;XF{HydpVrZP)X=yTJuWlwe)G(Mjcmlq)}-}U~O4wg>Y&e{lOkT
zr@2{iAia390}rH6nR0nA+X4p$Zx|oQO#}!~jg7@Nuyyk+lblKfd8J<_TIu6kTEWqD
zSrWa-`^~QoMM(hbM>9*0K(0O(ra$UJsV(VFApFN@+kezBC{Lz4;ERBlQw)5YX!}e3
z@Ithi>pw~F!w25=gt>uK=&!j!KVjj;P<G*kz3QOzjpr}aGXBPOb=1GMfvaWu^Z7*M
z^f1hHKms#5@U;NC?;mwa3Dv7kahn(}jC?5eR<Q?+5WOn57T?$v0CX%`Few#$NomSt
zN+El`!Kt<a{Z+Dz@685>ou2FKvj%Y&+_*YyLi<aL)!Zpa72Fpm?e6^}0n^ZEDV#Sj
zdCDvF3d}K~8^ND0D@5DDPBYDTOnW=D<f&QSjC|{8HIdy!GalI)`eoreG;Ah|^RePL
z<5m>Z_tk@Dx9gZdX<Jt*bcyFdzZLe_Ywe=kr?SiZC{6rKl7d!_y63&B^v8Y(d{Gay
zdpQV)A9vDPD(nuoT!5B8wnS_&;^$=>xrN7jWd|Nuw3sl=mTMM?baML~ILK1y1+qlF
z0)jDh^`)*5F&FCyH)jOG3ChzEEsb%)T`hp#n~*O`y`1PGsZ=?jiCSq2qdeY0o&qk5
zJ>!l<1mOX!Vy`>uidNFXIFsPm;C#^a*ccF+gA$h$u4|Cc_TORlZ(W<bkD2;^sC(<E
zy1u1bFo6KU69{g>2^QSl9fC`6cXxMpcMa~4AR)NBLxQ_I1c%-SlHdLA=<mMQ-EX|n
z-G61|oWtI$_F7dn=d4<5Pap-hp`JhV=Lm4bAo&W$;?_2GbvY3cpiMommg^rJc81g9
z)jgkML5TkVwM1iRfl-~ThuXl}U7Eg-zu5UxJJ<psXJEp<=5OCJ>!%3XBe&h9!A~bL
z>m#e%a^UL{)bwH6vIQGPII+qmTl%1tDR_Y;_Wnx=(n&9Zyow)Q9>J7$hSxLH*ZdRP
zk52y;+wEY(Tq(BA?o$|a<raB84d{<1wS|g#vE798rJYqq4)%}=oIgP)eT~}n&eq}2
zLV`sFPD(n58asxmM(T*x!=em5_JxnmZ4Ev91F;O9o&tGzsH?X1tu#HQ4%KD7V6K|h
zD%S*R%z~ia%y-3`xS}ivS%5qRb+(x@^l#{M)>Vk7Z3+@=P4g8)1%$wRi%}}eFOjX}
zMvvEaTFK*;R#CPiuD^S`nI$dLz(Vvqff>W!?{Ks(4skx-M0Fi-4`p49W9~uZf-mHZ
z6=AxRzn=rMm%a;s<J=${f};qcNXaoa7MX7D>Yu|3tH5X!Hc8=6tX%Sr=}aO8FKPws
zc*K;5SH~i{Y@890tUmZWKQg@KE=L1e<yei*4#~SUTbk1HJ>!7gWlk=x0C;^{LN8Yl
z1~DexBFr0E`K>oIc@VKlo?P5}uGTDwQ%n6~I7s87ih*Zt487k~mzt^hfb+7GUr~hH
z1Voar(ni1r$<GT@>nm_ltb8B8Y}1@*#ncT@9l0)lhf72dsmt6zg!jj@eE=v6zV`L|
z(k0aV6bA|2<uwDi0}oc4m*zJZE6X6EA{J#nmwQinKF0iIE{4F2@SR$N_-MBMC@H#H
z6{9UA^`+SvViCbsE7C^7VeymIx4G76Xx%c(O44G>T(JDz+taBh!Z(i}P;!;jsRX(7
zM4n+aN4nBd^2yEG;nud!VZ|}^rxg6)k7o7DoJ5$!@wPSppnMv&$p330SsznG12_i-
zH>7>~lx$|BvS2H$lRSez{PRki*n0KLKaNQXs3Nfuk5ifp!pB^fm(^c4pJ^RmFWlka
z$B^qHt-yio!2gQrTgdMOXW;+A_J=-yzw~?Kvod^_JBf#S7K#4|W-!wJh<eA&MX40R
z{oWJuF7?GTgF*tR0F2}2Qit@>VDs?H#7)xHKVh5_NCp_CD9j7?#3Pr~MABp@=<^aK
z>n0ZyQ};Pnc?d^A4EK_AQ^<;SiPsWbD2IbjPfo9I;Aqf);Bw(P6mNf9F3Q=<PA^Mx
zkuK`EJxOP$=Z@v}^N478W+PG1AVo&J1${NVuH3f0l91uitA$RQo}rXKn{<|JMc3VX
zG2dE%K%!_(c~QOorf!?|tVhXHv!pKW)WJ#$=NpYAOtb&Vd`5qtb|ssM(iFU;&EQeV
z$BU0bW@n#MywS9*;;WGkyve6^IcU#e++}czn3SdPVn<+ALeKe*DO+#|*Y@~P5XHI;
z>98;G(KBZaA1a@p%m6@f&%8CHq}QC5P=@(E4UcABPyP+UUtfGZ^}(FK_Ye%%yu~6N
zdk4rOuV($t-$~UdL~mDA9O?+?bFuYtHwQ)Upj;W!((JsotCFC9A)H02hYLq6lQ8j8
zs%n&CJBzQoEr;t+*O(J2T0{_gv(7ir8peCeLMHL?CpOOWXedr@0Btk-n|Rrx(+JkF
zld3n+0vzB#=y16n8HvA8-3e_c2LV-9m{4o6Yon?fWNHV44Vz<{>|B6g`^OV&uVm}`
zqhe20)f?-nC8=bJu)|fcSKsQm_aFR3pe!jMM)0NDzK<6Sb|NB%3?<<-at;kW5fPv+
z=6;Lf+;1fLGXp^i%Fv4+{Z?#~=V??LVS$H(7cM(AGkpMg(fr<3tR!p4N!3FQx%GA&
zZa2zA;|Wj3<#dC!M;)`Kp2Dm)_NTE)JSh+T2My^m)?<lTL)U3uHT)c($@(2(W(_~x
z2Ox>;6bo=vgDaq}KoyDDCy@fJ2Ued&pk2`Ya;XEd>}1F~XrP`v=2WNY=P>2Rw<ief
zA5sne=qh#}9Y1ZCa~b|G2KBdmq3!Z=JZodK#gdK3{iVWeh2gBvp)qmwNzq~cSV|Ka
z^Y^xn9~~_rT&qTYUX;gk>5~_xPijlC5m+B%hTHt7Y$A4Ll*d3ti#-Kp3M3P7RzW}3
zZDe_BgdGhXIY}uLuq^}5ao&Rw@29&qK^~ntdQHK8Xha5=$q-B7-TT6bN=!LQg_&NQ
zy#-TEC3D%i^g23`;>)bIAe-oH%!dzKzx!rpy1IfeDPG9wdyKz9ED(nInEP8<URqoL
zD$h=V0QW$dGI8tu%S3`hVbcg(46|NsBMyW%#>2&DijcSk$^m{@rcE^-ZU~SU?Pzlh
z{PxGVczDYs5#s2}xG{?ZsR15!6}Ca9<36H;+?kmdKUmTNcP;h5AVB|72-nriEH%;a
zcXMJSeBy;zJA_eA(0d>R$PWn<tBW(@kJWc>mn)35!fE--w%n9p5RsyLs!~749H|u&
z+z0-y^`lP14?%^}g~o_0$^0|zYEB^CXHjY|erm;{k~X?wqyVE5{MT#9G~YKB%TU)p
zu=8dfg^A^LVGj9iw|^!{nJQuwbs+2z@u&JbP>)@NyQ}-izk+kjVP9=}_Ys#C)6rTR
z&foqb@6}-qjb50=4-C(|M@KPQm#Hb)b^d_!7wvF&+$>fJYiW>E<I1(KGM31n@{{xH
zie~z?iyn2=G4rV<Q}sVWP@8M-@DDc$&paV&_WEQKNV2`G>AM>doZVY^Gdu`9c985)
z1bN#Sgmuf3`YHvhCPS(ds3|lm=X<YDB@*vvlbKOP+NdMAx(thyuCh+{qTrSaP-8ja
z3JFDLSq9RE^9AOzys}34aTlZU%pvaq+$_QNpv2iWl(}E#{G7zz(D?$|kd6oW?266y
z%J8%D{<;C+I~6dV*S6q)LbhMj_vOD|;`?dU)3cY~=~X`zUXnh(sk%iuNW6*OwY<ka
z{>qIxjHmwxs1I8iIy8+B@1t(EQ&3s{LjqdT0Z}NkGP7wE#?HL%79aI&{qLo(4?ur1
z3UiJmi$>sC;_=VjyVZao;+RjNb*;kEi8R$P*S%a=U`P`oQgij8r>bdgZldW$N0Qdq
zX4}u5!aQ8VEGBd4Si3y-Y`Er!1d+J{Zi+Bjq{s?H$+}C*-;M8|ZEqq!s-usDl_gf+
zTqP**y6>|vf~XLtcXKama*OC+%wU41PI~2Pd(3uO#|i(q_9e_$APl!JOEy{yogb2c
za)wB;@!zlZjeZ7Y=lmpKuq`1fcY+@5;vA*aTwS%Tv1q{982`I#3RsC!H4|diuqYeP
z>k8DF4nCrH%W3q{&H4E>m<YZK?-+|WBz}^sW}?Wfl<Gg{``*x#(R7tMh{&I~vVpID
zN-G{}>yytGPG+~DjtF2*B8PLKy!LHG(y}Kur*HnzZ-5+1enK|vMrEUDg(-ua@>*v3
zSIz9sGhTahS`5U(eP)8TLmpRz8;YLm=~ov5xoSD{YHeb(5Q<9UOo*r}>{(VaOvtR*
zU45m3{U3BDv%;~4br~*AM|2AQR(VQJ4O&vE5Ip9p*he!uTAI1K;;6V}q!}8CVGiUK
z+o>xXW4<|8zFvCi?^~VRyFw;qKqV{nwg57dXEC$qk~=h=`YAWO#;@oH^c1Uws!v57
z*Qy$2j(CNnm<ve$3_R-4ple_(X+Zeph5;t^!tZKP(cQ3<K##O#@wTl<{`{9s$44)0
zA=Pqlhw4ZRNi}oaG=kA7)k^cDzdBdKEM<joAs4ohPBvCbyjzBf4+&F;#><>qW`r1{
z>R`RzMat+J=XxEa{uDmn@M**YSdy^A1I&Ftr^dmGLdO1gsB9N2#TbhU1l4y>pI=}l
zj(ov<NgWIv5Svgq0xg@!5T6&5Z-@7`-zw{CANphp+WP*^``2^wU_WcC7w%%T*m$Fq
zrTUJFckEirGPoKE;bq;vN@b%yXCQ-{By8d%szHMgMnP0MuX(T?gpi{vS$yiUEpGRh
z&RsQ@@?_3`84Eb^9n-lcZuv6ffl|%ap=Y+p*DKzUel2XoU0d5U3lzovh`gr{0Efod
zw}iuMT0Z=@PycI?4oAtuP1RHRF4hz7=Y7nj`2GB4-9z5ZFFfk4kvYzmJ^E`OPlXpx
z!R%V$k54DWKKt}il;&mfU;jM><mXM&ebSG$U_UyUDwDP>aW0m=(=ROz9NkL%5q0q|
z+tPoY@KKD4i>L?PmEAPZ&(tv=-{${S2IhMJS9g)L@Y*|V$4@96USNV0=H&FX7D(xm
zW{ucbSR7h}r3r&ZHOEa$j}Y6nhBTQ-pb-^rMDAbSvkb0vzo}^_BR;vh8MSjA(WwYM
zGLZ94pO^}ar^&}fmm6eEQ@889uHBFLWoLU~{QT@zom<i|G#)4Jv)JpAmb*C@Z*p;m
zjse_u%1Z9ad@E|zMl_r1JCh7IleOa66lWb3G)9OaPY%fOy<PzuDV<`M8C@D^OGCej
zILkyie0&!^aIDf7srv;wsyh5itF4}cdgdt^j&sR-3-{0Q!Aj}(>&c0a2L~DDD5a^5
zX$hz{2L_1$H^Re)CBaM<q%L%T&w7LSH93Dies@TR@lW)xjh#^o1<z__&{j482*KG0
z<C*M5loxs-sFtaFnaJ(8E4t{TApy^qhG@?!f2FK0Iu~YHQT?+sM~owcUNbZeB@J@Y
zj|A*p{clQ##@^A8jQe**kh8L3U>)_n1pLML2L$#!8`>(*5$c<BO}Yy9-Tmxh$|d%>
zQpA}n6A+eS9&79CeBvu%OUv`jaVgs!c~-K_NNiX_VpT%p<T?v^v6$0(j1Ffqx}?xB
zc(W=q38vm7H0RE4x%^_Mq|3wn-Kfmk8BrPjjHcWd_Z@344>yXQf=w;Cf|pCq+l77g
zNh)Sn(C|5w{f@lad4Ec*TfHN#LH$q=B<Cyr{%B<FHWRr1l4Nn4eOV`$Zbr%9OV`)&
z?Z-S{n*xZ5a34X>g++6qM4z#g6mx87(YSsCm=6l$)RO}R9+v+4LZry~EQD!-+!o!K
zV{ACgci4+@>D0}s^5AA4gvttjbby}A6fzFeFF*Zf{o-eUCsY#sEYgLM$5MdHc&d9Z
z#amzf&?yEW1t_jy$&VR=F<$wpq9p`_-2q9ZiehE02D2&ueWN}Lsit~+jq)$3msO!h
zBr|UyAxI0lUGs#ANs}Sdtz4B5%N`w4uP2@rIlaWEkj033GfQ#yt8HPR<ZQkFAT8eL
zoY^%?`%+p)P3uC6?9*%8q=16fyDZ=B8Mhp-zAQz8TNB1n!pi>kc?j;%O~?aLU<pS+
zvIMKdlAd@|2a8b#Lwc4z*2x-vOS(&a=p%T_nd|HK4x7H#kzg|${`^geGday7_-uFr
zgsM5Ee*7<N`n;y7_E_^)OjYae>SzWS`&s<=;Y`HyC}<kz_>1OWWuDPc6DuyYTMzAn
zZkG?q9x@w5cQe?OpEqJ!mJNTMh222?`xgUBe{l1US;%L<0l|f(fQNyOc(kV3g1NWP
zpZYa%0F|d#XJ@s;p$D1&fQutU$IZ;PJ22xF2uJCE;KSuVeE6C2zQ(=liT2!!w7Q=8
z@P|D=(ACp(gZ=%BH>VLz^TS~ezf0RA%ahO&MD5e%ZkC7LDme>ZGBYxWR(&NQ!6SV*
z0{erayxGqPmxu41Eas9C_m@YBy1M^{;OY+3!@)i-)^fFu2jq^f>smXg*jMrN1Jg4-
zLj!qw(AMmj!$M(5M|x1v4AxOjUQ9h#KVPNHz@P1iL|kW)laHb|@oS6tWB*B*c_$w1
zH7rgy-%vXAN7$%#k1y=0Qz2>{AS`B~iO2L%KAU=RO?Mp*#Lw2P$);|<i^yVKq{)m}
zPlD@bHiv6l(fY5KvS7DecqI*G7_?$BgcQg(SIpoI|0xmOrbCJ>+X;nokWmY7Eqlw*
zL=xzAfK;2kWge)NbY>SxSpl=;v+;W+#ZRR-AJvPGV)F-3MRoH#8Y~QO7!Zo$*z9UB
zjMMuKRcc-4)Dw#K8jIqLra%lFzHg{jIBqrdB8L-^2~L6(_>k2arLa^=$AwfO^|nOU
z3QRJrNG5>vtH86t&Mz0u3~_&F2dH1HA`ur95ZhP&#O(bBF_~)062yhdD)@dO;LIs^
zh?dRnL<ZHD&d)jP1ANhFR=ynZ^VHngH~l;^K)jXdD0iX#EF~?zySxbVt(`b)@pA|7
zc~$R+)zS@QmJhe)#R?7DuUuK|Q6~5mR^Hu`z;;bb_CC|9H+-0u-{?Eah66gS41*CY
zTm^`=e&Xc)GC?V2frlFFLAu9@^(%-QFyCD%-sIee6I%?|;5nJSb_shPLsUz8%jwaJ
zy`$aii^%I9;u5IzQ00XwgMoDzXi3F3pBXPV$j@`(ks~HDLtEAdZC9k`xII#r@?+>u
zSTTe+@}u)6j-i)HA%Bu~lrNA;ZW9=6EIvIbKOUtF`_Z<Ps`wJeU7Zz}>1cl$h?c;&
zQ0vgLo;(;GBjiI&ZwNJ~7qv8Ywn&l|wlRY%MrAh_DF}Yesi;NxcYqO>z{>6B?6Xug
zkR%tjzzM%j_thegLw0us7Q+;iVq2lMA%dcTwq0EyK{ov6WQ~Pw^1_=l4MRs6sIO_X
z%rD!M^jPR5QvW#TodV!Kf5-&B9|!b5e#Q4X;NR4ze|`gSipTWU7EV*X`|r(%*Az{M
zUH1y=cUX<Mk&knu9;eoi2m9QxcO#qeo{f(P9y2XG^P2f0z#@s#1YEu)mZEMqb20fI
z(z?}sd1e2|c>ViNPt^Hj<}3S0uxDP=go!wpe4znWL9h`Za|pG(E6Y-WFxIvKj?vns
zd(0QID|pt)@`WJN%jjxRZ2>4Nz-Z89hP$z_9BZ~oj;#7W?0A5+9BID4Q^EwSJT>7s
z+#0lz=12Q#^L_^W;&qx5)V3D=D%|hGx6>=_R;<Z|M*6bR(mV`qNAZ`?#JF9sqVC9g
ztJ3$Ku^7ypun&Z~*X|R~qzV|>-GW&|O6PY`+P#DKKfXIb{ZK{c@6BSo-N>~V<RWnL
zo9pjU3KbRP@|J{Od*pgyp#>YL+&*Ff7vbUpxfaAQLn^}(v4Il>a|{Nj>m!&7Wmu3K
z<I>~{{VwXkIrT#CwQS#vJe+$(wroyPjNyuK2qtUguCPQR)HlD3&K%kC%@oHf@#!un
zTob&2U3}q=HBlV$Go;<-6H2CNJAQB9D!0K%hAZra0!C%4;K9DOTA0DCFYXdwh0mCm
z3-r(fY1vi_ep=sr_Z9VNq$j+&k<om7a^O=}=k-j(>C{#yZL)6$!Iy}_R#um>!Tc?5
z+dn$h1%(uJU%W@Te&xVmRDm!z^Q$fXh3=<`;F(;E=4M3=E@6FIj}D@GEu{USw!Nlf
zuTL*$cz)$?ZVR^6((^!1bPSDvjqr{`058A}p3%*$RF<A=48<9z9$nl0A#y&W<XA<B
zoH?0YNm+G4N&O<zKhtL<f-%fED^k>tgmb!&uD4+Z;r1GL*-(%cO#Vx5rfK9i^F9~V
z<u~(LR^g<QPreVFzXD`&4cUG7Y~`C<r$;N6K$nT*%hZXssfoH361tSR3;ldTzyurk
zUvlXFnO*aLxnC{s?>-ZVy?p9|FaDpuQ?~EMmkxm!+QuMM7Hj-8p13OP#4^y*`5d8W
zy=@((zO~ABy|o6;NV4P8O6dR9S+r`C*ZS0#mH#sut1;SB9}HD<Tq%8QEH%Boh<I&f
z%|}k|`wILWRKghBOb(+$)KsWlhTw?0G50qy`Y+N$H>N+$his?4QwZLi#Ly`<eTkqA
z2gG(dxL6SCX-NT8xs_%a3#erm?Mg@3Z7)mXbSq{IB=SWry^{wK-?O3_@<3}qqBjV)
ztM&SB`}03B&X5FU;#o7f`Crm`<&s(n<!IqZMC-Li0fNZjG1T$sKbqi*esPXd%Z^ja
zK$rAq4D6+p42a;2BXyW|ku-+o*=|r)&A+69T%fVyeODdb)({jVNRNwh(C}VWdAsS+
zI3J;qgA&xq6Qwz*>$vHHVT9&qqjsDK)nk=-jIbuS_ClY<5_j2#K<m3$Sv?T~8oPi)
znA~m@jcFbs!b89QM;%uL&xf=C6o8$IJxr`F!u%I{%74b_^ZTC3HOKUR2K5aU(DPjm
z|1v@W-O!rGrD)Uud20edy2J-yFwBS@<kdhCW?d2(IZs}i1>(}nJq(=&aJ}<jtt|dq
zIyk=H^pi9n@rftV$|G#Dk;xm+8RP=B!BF%-5w_QIvkd^^@V()@8oylIRu6N~p@!Ce
zxCe}x+8`$<Va1$rNCU3@gZDbZEYlU?@#f~8+%)xH5Y2Z=`Th@~Zt=@kFzdT#5)@rg
zeIyy3K<dIxFE-_WbM$_Ei$~+ziH(JL2)B+awg&GD(dv|SQ03_R<Rm`TOM(6!vEMMt
zBX0(9-seic0*8N?@7cn5g(G>=XbN{(If{|WRu7CAYVundNVbhqS{?%iEP#FK?SvCN
z1KYEm6&&#Hy)UD&-}jL1d%f?JWG8mA@W;dYxw3(0Uz=1N;Q%)A9fts3MhOfA_`B;a
zbBHCI7nnSth=5laOZ^rV;FT|l7&+BMyAWwq=-sTDEhFEVm(PV<w|Bt3&)pz5M*Gp&
z1t&bbR|S-yIthU_4p)H!jX{YPWmld?oWTB~Tg%5gy^s|~#c(@F?LKr0HQWskHl3M6
z5|okc3Sa$QC2NibKLp9v%HC^y#9rjBKqVPi_ZgRDY;}^S<rH*2Iwap653A}t>tpm2
z`hjm-NxU1475Z{FSg22zlB+@hE`dsMqW2evvi}zL^=MDm=A4OKn91mwc!-WtdygSw
zCoXZjvI%77>KZsF4B@vmg}vMNMX2MNT2>#bscpuo`GUvZ9~G0|HZl-W7x|8$!_y_5
zo%3Kr4nPp4W90#Myvb!O(YEsS#=(0-hg(XYHu=*0+5?IrT}`^C1w6fT{lR)B>kMOB
zr99(FKJ>s?s-(YUZ?lSJF>;W;484rRoG^=pJMp2@p(ZsBkY7jcolCo#Rh#|AE5$z(
ztCnV~m@}q{>K(Aa&1>#G#hxvIKd6nF@seAbOMN<@gjKNUkyz3cr>f_Q(hBm5j3}KO
zTGGK_BB-G*zk%ogtl#W!IZQqe;XpDgesqH6nnF^QNL?B?cmpAeFA)MVWBHxGH3GYP
z--`rwHwx4A$}zcO?&+4!qe0Zzo*o>r`O^ws5Hq|ZTB@R-Vdty=(mL12>lk(!>5EBh
z5QiU!@nhBcN1MG+Bry6Uqhq9Qp;maamG{H}eqYIU=>a;S+e8@wC?vha;EHvnTTuaq
zVLR5v3aM<fpA;`zNKC2qj#T{Mv=vcA(MHT_(@YH86ozURH`VuJ>}mhXrevu2Mg002
zeBbdJk+!gI-VrUxXb~l_8`*5g1Z`+%b^Rs-Q~j1tGBo;jL=bst;EPo5@bqt9RvT%0
z65+@>c{0+Q-#w5ZE20M628JbqmOT%COCE(>)*4%^C$+2_46!y*+(>tr7(T(w>kXjo
zc?n9@Z}IrlO*(ZR1!Z_;freXcW8%sEO@XdEH^Pn|*Y2LP=ZUqVy<A(|?>;AiXyWPW
zzc)-jO06qtGkfBydTO1=a#Pu~Gz{RaPY0f=a<`qec)F|KdqCc0|2VCBWWQ2>)cdho
zkOB(lo-gN<AEnAE5xIZR-wN({nF5fgodeu)6W(KiTjiM?ol-c@4wue+bXp@v%eH|B
zW3Fv?<_|%j#_N4?sN{<#D}OXW+Wi5@WC9(R8XB20tDlZ>!<|lwdbf_KFPQb6vLo-2
zuiP{7A8J6I+fkZ*YaYXtGoS46sGw|MWg}ai`F#+W2#2*Ql(liF;T$W2LljA#ueP`k
zx>{4zBx!s4bpqTSrHaQA!*e-uUFo!SX($0pxyc8mM#E>EBE@kOD~{F=PPJyKYPWlz
z&_}pF&fV>660lTeCuP2ud4+BQve0o2mTzuGMjH#k&;|56pbY~m5A5Fr;3F+Ch&<0l
z15OMd`BO%eZ=ExN2FmaRyV$qr#RH$JlCTSh;3!stJ{oH$${r<v;Uu+5x6UjY*W7MX
zbP>~$LQRm<_$K_Oox&Yj^2&_S#_rx`NlWKsN_#leipe@03_5;(?(02I@CJ6o=_5G+
zZ)PX~cr#N8z#HA2i-Cpu|L5>VPAiiHYEtW$z}BX6!FkW^=ZT=L7lu?9<@%1Ta2nnf
zW#%`C2T71O`_iZH2i|XKu<viVwvLF>{6`$4mm2thqve8DGn1pUbF{`du!6no-><nQ
z1*Igt6aYJ8WKma}903X^j7HMh?>ta#q15;yq(%Ud3i2mu$v+yE6x=@=Rco<}eu3m#
zE|O(ZTaJMF9Q6IxT5by`M^47XI8p}5Q8bc}rfozDxs3z9GZ8SzW{3D%Gy1D~L<zb+
zUrK%)h00b@cfuT7S$X0VIm4i;atIbbS^;&PUYe&Kl&DOQdR31aFaD-p5Mv(&hHZJk
zi1c$?fL}-*qDm9@__EtB&<~gfGzzN_;!rJ@C;UfcD~DJSnrZG`-EZGIQ)ChG?No6|
zv3|L317z5IPJWg0J9s?|t%G!?tsL4<y+V*%1O(J!{DQ93L8z!~D;;$Yw2FLE;=5k`
z9o0{4iF*hHM7E4Cvur+`Iui9*>7OF3x$go%<fHO30?B_1L=23NQUS&Nd;KC67?3H~
zxv37zw21e?Kmrp~=rJdQCZW-iWesWLG`AG<ER*X#7^b0E+)F9Peg^PKdn#svffuII
zf++$tqg6@kZ5{!bo5Xp3H+-^mm7~xoDnqo2AYw}+k>z9dJj7vNV2C@>q0vpXGnri|
zlC%gZJ+8NKxijnSjI_)|Th19FZeXsyr#L^kF0mgjE<WU!ssqwH@uRV|rT@AL52&1Q
zruEhXTC!v|=GHtUrv2*!vzXcWw)*_G4CGb}&Cm;b^?~qSy4GKE(Iju-7_MybG7aCH
zzeN3b?v&ZiXK1$D>ahvHPC|Pg^EsHOLA3-39}QlV+kJLjEu&b>!Orz1!Ibrao6dWC
z*!^Xu@}N4ab3&A{wd6~<7|!s_smTH@fPfB>!v0kZSPV^IxOSK;W#by~RG*AZc%8$s
zN|P3vMo*kH-ql9s0{P+dH5O=0t>_Xom9bK%TItz@766=rIT_K(M&=x9<L+h?x3kLS
zC)RorFQYOyPuOcT65>uyku5(V9Az<+#p>H2?&V`@aTF(I<TN=d(b*e!E3aO!WAf!L
zMzI2FUT=8U3(yqOqGl=)Kn|dm80(qimbTkQxNWcLoSA?9AjG(RO)S_fP%%b1)n<5q
zRk+n`5H1a`B;OcB0=@OdkUeWa4`Y3PMlpPkNn5K2$}bFR4~}&2tvfeGy270EF5DV6
z4=HT}3x+s+if8eYmgoTuLIEWsR@!V&C}5`a83o`n=^SeP3k3{pKBItvVh{>g3jQCX
z0F~h2Q4fS3qCz+~i>)MNqU}f-?M&GtRTtp|-eGsZAGDXDr9N%biU!28Rej&Ig8C=b
zFB}4?Uc3%a9O^fg5T7P@Y1nap@PhmuweB&J!zj)g<6f3fFoynXeW41c{fghY!sMsW
z5)4kzx`fL)4OUS|{OzjmE-=y&b7&WXg`opqtjD}8QJc0E>7egEXPGLN#Mvh+xzUW)
z7mK5Dhpll4kaH!2DjsNNJ!M*BG{=$4%S#{8kP^B;>jP%HOWDkZOu(LIv^qo2wWS|O
z>EFAp5EI$L+0^EsHbl}!%xD{I-$?k|<XC!|Jxf(dmOqoB-*Rz{!CxPgcLG@*6>-ou
z|Eor(1xmy4O<gV?azr2~v98yFQa7H_j7ta3N(Pgqx-j0L%l97&>uh^VA=f{5Yj8h4
zDIN_#p>!P!W7_vpJyWA)=;)_K13lreG%VV4AH0&+zlk0kUH5#uBX{+s4-z5VQP0Y%
zUlbnjBgi}GVLX+TKb<cCa~L^MWv8FjYcY(UQn;vCkYC6gf#<N<bbL&nS>azn%0?V)
zn}WjH)b7vA?1RNjE6Mxmj9S&%u_Z$v_I8@(!zV(EJ-%S_ABN|J7XiLK#^_DUh3Ppu
zVFYq%m`cWdrEiDu3tV?biKv=KUDlOU-zZ|ppy`-mj=q6>oa9AslKJs+&#FiGFpbcv
zex(M)=%ZYn?$fW|FWMXm!f<jOlvLVIxxRA@$An=->p$me<UP$6=Z<y7JnoI8WY+wC
zAaRt*KcK}AIhQ8@U$5(ot{{cfAk~=om0JjWP^W(q&f&(y4hgw(mUb^hg)oIzsxGEY
zRFMSSJOdf}mQxQjm^sBL@p-p-LQW65Y$@wBBNo#<1kj4Rb^zM@aj8XJK43^d{VrY|
zkpK?GE7AyMA9fPNz`4KBSK#B13`*hCDN!3()4#%X@mSk-htain-uhxu8CD~k`-+gK
zQsqv?P)(=Iyni~4)3-@D_NS2PD^Wa6DpSgA{Ds=w>>(XH_E5Xdw}lwG={}tBrV((S
z&CL<DKb$_SO8C6foM~6L+r%KEskOO^><dX1OI2!+^i2x%B`-2GK?+>fNt+3&CCYtq
z?3_e^k$<=+$8Vh`fn>Tr!bggd(mcwa^3opv8!9pmgCVm%!p*SDWchdU%r+Es^jiBI
zNMWl&OdWC%0(C<J8VL4qx>9x-d+3CWkbXcp6vMu@NP-pnUIRA^J6P;DeRZ?TTB<3z
zsvia~amrpHO2Ir|lZP21E)?D!Cs|cV@d=s5a%xg<J8S-&I{O+mh6g%$C;u~l`kK^I
z3?)kdQm&8i;7afD)>&>|*_3$jnC!{dm-V5;lpTj@VmE}J7YrAfjicV<eX&oec=t%i
zH*%~aq3`H$`x#%X4KDs-Czt`8G}+`8Et)8O7Io*ej+ZadL4GH1#1F9eDIdOos@B%5
zGH`~l_ko{YfxM+T6>TZGi)NmG(gyR~M*AZ<<0b<tn&U0cOk98gLqS_5^{0i6Qnvn2
z&N$+H#59lFPa4Xss2M@_dnvgLDDs?^#I@Nd!wIU@en!Z%p+4!_0p|pn9LW6<?eW(F
zF%U{h?G&@4Q8s!ktAfSrR27i?!V-I`fI&pQNod;PG3q&tS_B)Y@W>Fp4T_293tyWC
z{FMN62rfv=3=7hK!6vN-2&K15C1a>SPWsR8&q4*JRP6yEi_0Rm4Glf2!|EM_Q&tB*
z*HZ=N=SDVrjYp*GV4eGJl#C@2f~_?Vb1;&gc%EaNuRmf_Da)fibSjUAl5mBbcTvt5
z3Aq;ynHy9e%BoCbHiZ4_U!0X~I0oL+)D<{0rtm6mEabF<#8X-jhC!B2sD+)&aV8?H
zba5}73x#)2mwx}?mDpQ<GDQHRrd~m!dR6hqB)DmVps&(s<!=p*u&;d1oD~~M3JrdW
zj^}x<#34%dr?KbI$2I5zc^hvA;0j@@7$NxWdN_i<g7<4yI>c%J&g){v&Vl3qL<vs%
z#8)msJGT%8FA>|8Vq;QZ@tl;#x*P3P_}ofLfTkE7I0=;Sm~BvbZ=xP?U%4!3LXLuo
zBwpK>eGse+C%Ea0qW1Qt8A;snwH$nn(3{m%uFxpTDPTIHUfk=&bE8@{<6IQ>(6Juo
z(D%Ln)NO_*BF)rY4ExSD6tW^q`(Wd1GecLXwZ;H#i4C;q>W-+R7$xZr@^;lK)>p$@
zxk?E-&?5WX{>E*<6e_Mo>wpW~>L|z(ooCdl68|3yPCYZ6UoCLIvTYEF#in#yRu}we
zztBjD-#j(dOwCIRnI9q~YNrY`J{ZqKIg~0298b23Q6gf^Ymbj;HM3s({Boj5OAx^+
z=Rg-l{VW;GW~THJWJ2Ldj42uO?%Rn*RM7Bgk|&}{za8<ISd7tpqDc~8L@j{o`3^X~
zjYRQh{$Kp=uzPa63Qpa_KHVEK8^`6{pCKm&tL%|&(3ROGQm_X}_|s>bGOhyb>Vo5R
zO2|O&&Jn{rm+WYPWE=xpJR+>X;t`cu13Hc0>1q`l*@Y8E%UmJIQgt?ju&QzkP#S&}
zAox*P)ql{Z1gA2A)BrivbYVoKVudZ<`+baJCdyim2PgFW(?~ZIKi%M5x_+x|bziYC
z5$bnQ-&faUR3-(s-BVtt%nw7R&Q_T-QSB22m0VPMv7MO2N1q)vm~?xyFavCKc2UM%
zf_<@XJ!(y0G3kw3&A@ChhmqiCU)Da6LCf_ahfRn0GcLT$0(|M}-_XQ5L;BFx6?Hhb
zjjy`UlgKfNqpRd4?`4UB3MgK1xOJ6zcK8j818rq|3Q3Y<5R6Hx?i}-mMI2mVq=kg|
zzR_qLlx`8wE8H`_yM5k?^sr-TtZb{tb0XUp%JuBZ9KNqmB`QS~H3C?|p{Fb+WJpaB
zit{r1ObfS4RHH>@?l>f(f!Cw^U+j1v@yRGiB8`(Vxoc`PCiGmzaricKF3l9sXBe87
zWB<mj<Ge(oT*Z<q4=u%1qy;4xXUd~*^q1nH9j^|ERBk8P2ZDaUQgsMwU3{w$mk9%$
z_!AO*!h6|AM5|?ei*P+Y>w!-NBiV2LG)7;CCLJfKy`&?Npi6`9)Q-252FF!G_a}lq
zdx=?VQgdLe3{1!{f!g_?SXSVN=6cxH<@yvk(H8<HK_4AU0@5Sr-{(O1sfsJQAHENl
zz&pwtI>bwnnI}rbtU+SM!iWO1ZN_cq-Su*{i=5M!S$JQ9?MGU87@hHgol*hRcD3Ht
zv^4zL3Ju5Vi)c(9mo9`SqH2J+QF!G)17~F}IVtr1{4L64rC6y-5Fw{9*4TWDxy=8q
zGrW>63;kzI-$Z7}4k*2bthR<>j&`@KfE0;AGzJM4y7z|3;oHgaJcx2`)@WWyZLY=D
zI{xrG;C9A`V>C_;F+32ZExvN#sj2U?C%i;chw#p`yrkU7k?S6y3<J~Qd|w==DJsZ8
zX%{XxX$N4w7@EUtz{SC_xFQ49VArWNObtnHXElXC&bwKAY8uo{4QtX-4X+r_bMIa{
zDc|)z{VE<PvzBM68Q&nsx4>%5147IH`TKA6OQ!41e@jbB|FpF|b*@QUw{Tt2a~G6x
zQ*K(411%uV?gpAB4`{#fPRe>(x_trA<-0r__R@3lP&mQhsc^Lj`Sg!Q6i|sCTf#o0
zD%sb3kW~A~D2K~x>zsc{gw6Gi`t40C_GkA>ZQOi`o8%_o*@>m38@?6ia6@41K-UhB
zMPgk2Mjcl;?kW_iYRTf17SIM8@#_P5HyK@5k#&5+Am$jhO=BX0<oGIVnXtzf2<><f
zJjj0uuYD|y<JSf|g;j~*=(ax03KodPCGJQ+2EBRlB5#(kagy{H`3wM&rv||0J-6d4
zOY;xsREge+T3f}JWQUlH?@XvgVi5<wP{{v}z*$46FYg9X^j@B;%B?O#D`mdKkXAv3
z5Gn1;P@J0bB*q+!bvp`-G(CN~(M{Iq$|e2;(D2M58aju1ILFsWk$2zq1P9az?H*&3
z(A|MM!O8Bw#o0x6`dtddv?hF@g&T2c>?VG@<=cS*vD=qS(Lt&#7pg;+wVA{1?UooN
zVutge!Vg5>8ozRA1RP~=F-I&G&?qK4YV1M|uuw3H(SW^5?aH+OMm+s1-)!h7eXlD+
zvU#mg)cMI&bvF{`xFkE~FG``h8WCY^?-bhU53>`Mn*gHO+Y^}!O(Ym55;?J_nin+8
z;05ES2z*Q`tuLx|j-O))a%L%vamgpKeofu&TqYt;2lFB`@I#FDZZj9-yPiIxs_q9$
zJK5|VSkAmBXiPiCYwIAlnRQeue9%~Oit*Xon^%q0#OhUGF@FAyqHH>pWHKGwjEX}-
z5z*Vjkxg&bu%HUW3y;G*&|@G5Avxwk#_NhrUs}G{ZO%$Lbsnn@w}S{~-;jG%jrdVa
zO-;_gixSbMuqtm+k1a;yjet2{d4B7@!m*_452y~rCSY4-DJgI`ajA>M3`=}SWcaiT
zai)c~^E+xW5Ir(F^2b4}*ccCP9&xo_T|UsNk~cHGa2!k4pG}t&_4F&b9lRxhM_SLV
zl{$-G^%U5~&<HEqAGXM(5crUkUCqTAZLmxv7yf>ez!-#lRN<_m@)qJ)daIPOs#Rrr
zX;4An)GOfaI!%ZZOtMrwgU-VJwJZlNO7Y6Lh?dp~K8Vcx26iqrc<`rG2z*V0yifSL
zlzgxD6(bb(W;5NbXy)kPi~)U`xcGaTf-oz2g|2Aft4+M;4W;bCl0@%1jr-4d1kW#R
zu(3|f8U;T$bc6D7umkG|lGvozJ*xz!w@CH!u9y=97N%?joN$v!eAC91)^?DwIxJwQ
z-kURm(ofamwU82d^Eui%S~N4eG0oo-92<`NEi%RP9`Y{sYvo*D#?FrxBF}!HCmir<
ze3OcEyDUTRuwWXv&|^+_1qN<|9^nItXy?=$xQ>)O%pV<}8><YbGga-f{0YMr-G|Mu
z=VX!<h)2$Hz^Md#N=ZF#%=rk=2NYJFZumK=0?^gOM53~`E52e*|3AWhsoI$%(A(w+
z;|=|lZ-UsXv$PJh8Bkm3-}Z+30IN3&3z*lRfsla#*W<4=OTGOgv9FJ`E{B@_BdF@!
zDMG=D?SF>15dw>{B{X)nOvqwacSQjzgs)E|GX+HwK<HM)%cHs<50+&q!evr785=Z>
zQDnN`5c5c}bf+Lf{(#$4Rn3&uE|zC-OLTIc$4;C8Alq~0lki_P_aBr=o;;LV`*rii
zGqlZoS?}1%4ENrMWj4w?b_kthRwWqzeL5FEnJ>g@1Z5#RS=Q)X?G3s=NHyz)Z@SAg
z#1(B(L_Gbt|K)#b-2W#KV_{(I&iPio8ooIOWGMXD-KYe~NE85I8bE!u?99P;u&z7c
zEq>{b)qX^UC%^5XLuhFf7#h2yMF0j;gu42<3%d-DAfZN;AX;NqdE@swML?->@Mm9>
zMHdEu8AcGVFKow~_Oj4rMF`#$8m{@`V{9G_(=D_9)SDti3SG$K^>K?s{W`(AX2Nrg
z^|<+!qkhCxWMxNAITN*7R3|*fv7G&5Dy^OjJU=V#1&r|zfEBuPtA2$D$6(N6ddUiJ
z7!0}pLiN#Nnyse|&8m*?7ad##F}4vIHw_33AAz>yT~N?nxw&NoaP<8mjSFH-B<}p-
z5e%GtLDt<WKSmZD_Qhn^5dvuWy%jMF3pIx|pX{j$^)8!aXlvq^mzl$!YyRMvtH<MR
zr>m+X?3>SlE`EP@&6=PnTtJ#|EbS@YkwOR_k|?HeuC4lq&sS>sNLHWHbs9?)I-~}$
zso2U8Ur1>1b81e7NcgO7X@}@}(NmU6Bf6pa6r03E303Xfo{oRz=q^~tI6t^<=1M=|
zFty#NysSTHNYr|}WM!kSH&q#O4LQxGFyY)ZSudsV29dk?iox$}fD^8zxHS^M9IqSN
zzaI?VyH05PIK-5?|6)Gz0`fsXXzQ-IW?~jPxSU`v5hf*X-UHt9yp?N|1epcv?l~)i
z&nPUW_FH6JTMC|TKhXesZ<f;21LM{;nA|8mZ7v>PMe}c*@Dveny()U4z<I6bG+k(p
zFVV4;Y{{X$MBq<0ET$^YqOk;Oy<|-LibrtrqIcHPYk%JJBZs7}%jzl;7!rcZY7Niu
zvxwkWMIKszhbzX?i}yW#HN`oOtQGiW_vnS4N%B{3ofvtj)wkUHSICBR5Gc%^dmyMr
z2z1w@%`5GpSH%)tU{G9Dtn1hNO~3vZBe1Q(jKu8Khb?0IZa+%^^=Y!N_S;$NbbC-!
zKnZOc26cGb0G96xc=hMe<<Ew=+FUaHk|dk3m?YR3Q8j}?{~&0d!DUVbm8$lD^Oubb
zmqzGKpGC94rkC1^yoV&CMvYtZhBgshWOzuq;)B&5eQP?T0(f6INtF~A`O?T+Ez<DA
zdu<*>evXVlV0Mc;gmN&cLKJ_;v{JvJKz`9`-Z<hXts5~A-FzSI4T|?4{{gATr*DE1
zKlS`)h`Mv?`Rnm^xl4ToJEQwP*CR5pD-s)|e`o;hP?qAS?9W;~@Bz?z_`GETcxu48
z8*=j%h!2A!#(Ti#=+qG4dm#9}IR&>e?Dpceyd?a4x(4w1H7hV2Ay3=Ey3%UTYfZX?
z2Qs_mX!=A$7wPu@MR_nqwMf;S%Y1}^)^WBS<;Vz(bz#6i!@mm+6T5?dZhA>spGQ5Y
z%$SEC{SH9%$9xx%rTj8SWX&QSZLGq}H13$7ar1%@>6;_6O9Fq~%-;&L4TYQ`--Y1)
zQ}(o6Qs>`akABJQ<Airw7fwk1IOLFjIg+hkiSKJJn*%v-eS!C%#KM%XxB;6kW0Tsx
zKgk#Z(=5L1rF*?RuZae5sa19;5%?~j*&K{baHTLkY*IGxhKb1!5y<d{;ge4dJ)q5m
zh)UQ$Wa09`UB`|MNrD^1<SV-1^_#T9A|6hw$g{JB1tjsSrph)>=-d!FTddEy{Hq$9
z&SaUDyH$!l`MiBUOZiY*Lsd1+q;EQ$!Mm8-XO_$8lNVW$z?d)^W$|ll)PS}zU65_{
z^<-F;R9i*>qi_JXrl#;Ojiz_jB)lONrYqEJXK+a9s;qZCdR>xVhDzr1c?Uaq<0t7E
zgZZs!hfM`lV?KFZbI9XR8Oo=!<pl*8_ufp(V3Ur3IXa6d2%F=F!QaWz5)J{-MJ+TK
zA*Cjj4$9q-(_}_Heq<R24(=D*CtpGqd3ahB(0Zc*p-%XYlwIPkC;hO?{z*UF6Z~!s
zH@nyK-|L4l|J(J$Z#N85_3@MVygsdRGSda5T}M`Ow7!0|;%{uD8NhdS&{6+0_yno=
zy(!N!A^}K7G|{TSc$N_zc@o3^UzHIjQQz&Svz10I_Z?SHNLeFS98)qinw_4}(N{l-
zZ|ZH?2K$XO2;cG0|Erq#yC)3f>4=NT7izP*%_VYyelD3-NfqvPh-AFq1Y9~;l&@M#
z0?srODxufy?a$dz09nO62kf<PyJOU6e1tDpsxpCD3*dl+g=%zg`pf#qbW~ShE>g#5
zS$IXOfU5vQZ!tKjqJTI;e(0z`mptl6^Chg#TB(Td+Y)plakQaoT|^WXQ{tSJ32F>Z
z5b&l)8(qp2aWiMC5h^HN)5>|kDKC?w(bT5WdMCwF4=Pu$u8a`~#%+T1K};dV2ftCb
zyTO6y8g@E@ZZIS9Du6#un=C|sS?@UzTn+E@j~(zH*QMocwnHs4)K*!jC%jqOHTfsK
zu>m#FWrjm=c14QS^U08KQT^Fvgc=@GVFJq{1@uPNRA^$i2l<ZDw|-aoBLqa^jCt4?
zL_FLo8<7xcmcpF7RT6(qnS&aS4X@e->zdDLqcBo-buRlTc>)sU28#u5UKuPFb$~^$
z>^M6JM9?#=kzKt~-}T0e=bX#T)sF#@+D)W@Wi<`<tUCzPOAIepVYiMKJ^{Y)7%Uhd
zZ+i3baVuGP^njN}$(Nz84P?u?*mT(d(yE&JUzILSprGpqN?NzOR*#9`D`~3I&Qkyc
zlib5?rpA6O46kc94xU`;_l?$Tn~E#!aJZ0#{~#QI`LQ9uCKs2s3=|(?;bK|g`%G>T
z@;0A!>UDE#7po?UZfB~VJh3dXJIe4@RJlN6x-8?#8~IT#4l0B3jnk^$72pl3|8tEo
z4cPL~WQ+K$j579Ke-sz-!L<B46Q<a~e!!YC!5>x_9J|5SVJ#s>+VKxpu#j%n=}k%K
zWh~q*6DI8QSySc%8l4*g!U(~4mGdH9n7Ghmv=<L4!82kd6*&p2W+gF+dWDTYv8U6Q
zL&mk7SZWOT-r9)(C(;Nu%}(OCb%IY9`0uMMQxhLGoi&+tNAWVkZFEjj<Xs>^vHrd{
znnGnT81?%3YMmjC7_$=GC>`V<azH=01sd(q*@-jeDUoTW48ip0gg2KiN>%?TTo~e0
zlNAC;w93DuXVKB-P=6Ih>Y{<G6&d?D2Nq_1WBukXcPP~7b+g@F+Zh2V=}ePwvvp=m
zSr#EBO}Uc!kN^a1$af#(o3=Y@%l*G^57LWhwY^H!+t3f1NRl~Vg14{U%o5v8ZVGT|
zE=Eaym7WPzpmERtGoC-hPl9l|0ICZ=tt5;@d<mn&d-mMj*;ooj*G(*gcPZm&?+j<8
zhDiy*6%XC@kXX5sIqfr=3S+4bD8cJE*QGaTvSO1Mk@o#6SY#2}mo&hj1}mxiM{+l+
zd=-7;=>=Y)V@iY^q87pCju8I-+($^c)30Y9CW=-&W<}yXLWvtteyeXMBT`919L-Wl
zHJ9!PAq2NU{h4E^2*xRK(xv_avS%ty4D7uuzgvSE<G$NE<Xfuuld9Fb$c%aIrYn=$
zP|!&?(vVa49q8{0%%=2J{~ZQy{`7i=fhP^Pg|2y|tq9^%ARotYYDsTcF8{F17egfK
z-VO7BS_79jimCl~SrOS-D6V}1Z!p83Y8Nci3B?xpL^|<n*isdi@D#JW+sdGx0rI0I
zTmWLP4X>|ly0hOk4?JUX(nq5tD?l=(!y2Qf@W#!*TBUwL>w77$-vxs;4z)c#pR0Xr
zL+lNs><Lw{X@-2E!kzzgqFN@6crJ@^_@-urHf55(wEk-G`mp?P+>;8Kr}SS{$d#7}
zKjAsq*yfM5LG_#mlYbzd*TC-5@P7HvYw`RpR*vu`8bF7fzZ(T@8(Vj_GW1XyO{cqe
z?p=bYSb*6&X7K1JTw1d}<9}*b-2zU;F}H4s?{)vP7mu&J{qLTTr^9bDRz0qd3_YaO
zJe3ER=s|bh)C_%+A%FC>yaxUo)S8X~{!lv~Njdb?!4-w@bgG*47I4Pf`DL@)0QqgA
zr}Q*MU!3sp=Zqar=s-k&aX&5^C?!0zq`(ic9wZ-)tjc2ywp2Qi5HtCQXoQs4@&v-`
z%V3F%&ojnyr?C)l3$%}YavefKXhS5dO-#O+TwK?3PIS&|!zwl9La*C>L~}t!)ikn#
zLo`?O)ctP+N!}m1R|N1-TiD(m=f-Y?$mv=dh&&;jIpXeM+_WEo=hPB1vy_a8`<PDQ
z-@H+BNBmzP;Ltj_?G9L++xGa#dIluNDdE6Sq5=EF?bayWY*ZW5hfm-ZhpSpLtfK2|
zI~vmu=<qb5ALQs~cS^=YC0cb%r(Muf_5|eu;SF*}0p&El+z||NbVMj+OQ7AKItG+!
z%_(|`+i`~|wE}RtlVu86q!`i|WdpZpqF3-*b)$45w`DS0YYYW}$(%U>PRKikFVQr5
z5TDUtXh%Cu?sN-O0>Q$&acrD>wB2IA0Nl5X{+)_-2|WYHoacAlW4G_RcTb1K7ql=8
zzX(AKd1=*L)eL{@RGo_}V|9gejwGoGpMD*~)vP+L%*WqoEX<$Uwe5hq6GSLO-^~W$
zia8CE>D+OQT~A~?lV5#k{u^tIHjeRPQJCYIDr{0AX%V3mWJe~65ZVCY1I1WW=q2#l
zY5Ur=Pv*N(1ep2wPeo-8*!c~71)Q(`G)%|RU10!t;xnTnVKW-G=*K=!zbI69RN(TZ
zprJ9^6M&CcmSOCaUlJ=m%laTEw8b_sOczhoe*cq$Ch+aaMfT!I`a4i}UvJ6L;LW|E
z<U{C%R@f+!OX!|F+M9VA&6KrEmoAT@axtUuii(Vmn<*lV?%7tNma~*vn-0g8|Lsbp
zVrDmVT?`wM$Qvh^{+si>D;x`QgQzG6XdUVp10Hp_4lsn6+Eh^ffRR^(g~8|s1NZ%g
zFiPWtE%a6zf1)TxsPsFxW=KyiALD0CXgEqP0g%fhXt)`cFIjHFN>UZ@wh$gLYdlJs
zb+7s~Gm~oeU8r4hzz5g|?@}91eTwMcQ$`~9z7~Ey>{Lnz85+Vm<&;C_?fnnzo&b(i
zi?>SUv`Lmy9y#j6HGW8pTAm28LhoZJ>l=|Y+5!Od)$#VDEU~3CBRZSTli)yt(b@Fc
zG;SZM>?QJtI-?{q^ue!<c}L|N>eNlua|PeBw16{*{9j22B&Iurq&oQ<R*mV$W+o;_
zKM}AU7z9S$nI8_b_pM2A&8=S80l8Ui;5gs74G;+@oXM(f?2tlvOH~ySImmSp_+<i*
zSu)s2L4FwnYyh}{Sf^bwE8^$71;e7%G~C9O@iBuIjhXy>m4&qEsnSjoH8VA~Cl8bz
zYlC6l!@(@^+W51?Ss3x+_&6Y%Sp}+OeH}3ExlrXt#fuPwvlV4jZo^o`%77rJW%&Zq
zW{G)lccUBc>f9~gOtAee_flG*#Fo}8e7tB?wHRAQVJQ8Ph^AX6qcLL2YM}5!RX3W=
zK1q&WxUrNox~qik+HeJVxqvlDWB@<mN#27A*p9&1`t@?-qcVFxjjP5g7Q&~1Y_bGE
z->V$idUehOwewkD`E@6bicIBi8qCn8<k#zhyr4<u119-*c3ZY~^J(jhj@AmH@B`MQ
zdj++4kfr_Cf51aJ>Lsvq{?Z$#1jX9Lq^moR?%7bn=(<UAxP`PKKO`>CV(sbId~Oql
zZ)2Y9M9Ru6J?#M-uFJ)}P$ub7w<EzI>Q6cV-|6dCw)fWgV`kHIV!jhV?f^3h+`&L6
zNqP4kpL4Ji^kAe|zjO1UzG#i?&o~$vqw53lI$LP|W2y=qnFpV*w{WdL2%EKE@OHEX
zz@?dW)3gnXnZ4LK$Kb=DeB-FcyTJR>f3sk!hYYma;1ul?RQo2nm*wbfu}I{yS#RN8
zxZJJwyHZs8M|&9q`urdYtnp^6RNuDA!BSLl09J}}`(AIZ!<wv>S*a4(*Pm(uWn@O;
z-AeTz^8EeL+1=vh+4F^eJ1IK!r1-0UHG>y52zCgxX;C|?rQu>9g@DTTMM#B6+~S0l
zU6b0ua7LJ4xln2mr9+eL8r&#toPd}2B)+u&WVYak4LOYvO9EBXCqv3qLE4PJU{3I5
zmV9?bkL{lIP*FrJpiPILftw+=50o5F>rM>V&xSeQKQ^l0v{uM$wNT<in>78!M&;H-
zNWk(e_GeL|72XRB+9*vB$wOmOY~Z{O!8cU}wo0ee;f52zM(9F2GrMeH(nY`(>PB<z
z{=Cu>32+AbXq=>&R4#%#b)NfN1P|<n>oH{>x?7y75DzEtlfOoxp6CE4_aGyJgiS;5
z?{Q6M!)MhP{E$;LamaENQPbks>$8`+3TmTCyx<1NQ4>}PMy&{07e@wVw%Bej9Vzmt
zI+m5&y#r3ceL=N4EMU`ggGU=gX5`336sgMX|54j{hBeuAi&{nL1VkW!ARXzU2+}*!
zyNZY?9RY>Vi!=!kDbhiD1Q8H0Qly0@z4tC10!WwM$$mh5-@VWI_W5^yrCe7gGi#nT
zvu2fh{7DNI3jNE5zZv~AM;8(Eq~}16p(N?;Ig>Hj+q?FwCPtis>bx5y<O4#@C3bBS
zY*bow6Y+5)y&u_$n{+Uq-eI2ydzXS(PWq?%fB=~9?B^)3SNu>h6rAFYjmH&l6rEQ|
zXit4BXCgCAV~FOVvPAT-R<~X;WAw-E?dgGBAGQhyrN{`YhNGR2!v2o2y=F^drotpi
z)euOhvT>+ptH7_ZZ7;9tIrpK3HscK})9$M4AqRocD~!2;k2>z>4}D4On)}@3oa5(q
zpxv0okUR|IJ;}Ky1p?L_pIhfqbvp?--cRMiJ*%ltSbM6@|Ix&C1h$g@KT-Acz=v+!
z$)c<DS9LM1A5lJ(u-TZeC^c2|D>G^QjzbSzoG)1Gz2dhcWSn7n4!n}XSkB=)*GG)M
z9En{?d1~?cV?6WVTQ`4gbxC_xT`l|VeO6$%+@A%iqWz9dXqa3sV(yp#)c<DrTDW2x
zpy`7}6NX&8`=3%q4nqY41?oTZxw)J2dP>IuDSRs(OdUAZ*{uzpGWGs|;T|{o?jO(X
zJF3bo4$j9T5t7m$7VZ$iK5*ha{Ba~EENGdO-F?J&dclwJ*Qah&wz-FKAT+Jz0;2DF
zEUuXjnX6`$*M09+<s^#Y%H3Eb5*WDh5=0DbvHjKCI}=Decltwvd(Swij+LggQswiV
zGWGq0-&P&=B7LP&{JiJ;MGz4CZk5~{?j<-`CT_^hn1dux{3n~&P{y@w9>a^-ueB+y
z`%gx*LDZD=d6v=nnJ4Nm^#S-;J6<DzS$To+=uR0u-J&}Xd3~z99)3nTZP(K?gGjin
zeXRtF-T9_9+Z#V8h!w&9W>uoA%6u$&LeSf;3n%a&uC?<UtinPU{~+7)X4B6nwfxL%
zaC79V{$q!;uloNc1OV<_TT5FhqdVZA;gDnR@f<ig5>nsP>_6-E?3Yz#w^^}}6rPkg
z+ED!_*g;w3i3WmCQ=;qM4s_hYQjKSW$F`ESei;7vHh-wfH}Q}#^|xJrO8*(q6>bG7
z<w(uksxB`3yAsm--@idBS`yS>jsM2>z~8_cDpO8OOy3Bm-K68vT3m{>Qu;|Y#8~QE
zBt$iRxL!o!t2D)V?rZ>r<arwazO7&v|6E=UBQI&U_+{`+HGR>WxZjz_u#469Df)XU
za8G$C=}p+@07B6;`s}NL;TL?b7HbrfKKA`1qY(;s6`gRepi7}UfX`978facIt>p-M
z&Ve@C^@l=$5k-O!;Lb3*Z$#^~_Hu*_dPQQJG@&J#3ro!srW45~hesXqmo-vqkLmJ!
zC0Ju=Nr6+dJ37cY(I4|Y;@X6kET^$*eWowguY@=yg-rU5T2^XLp_RyBGMonFgFo|u
zTOJNr9#a~q!HJqI_Ff|3S9LN6VS(ybae4%}BZJkH1>OZ#qy`Any9oaMKd;KssjEU<
zuZb#>KEFvMouKa_vZ8#&XWh(?<?-N?jR1K<l!fn7UcN*m4C_*A;;~?Wwvqnm_t?*@
z%3%d=F8D;mx|NC(%&7EfA;C`6t`|Y>Bv1EwU#Z?#cdD6%b@%ArQ*{;&5v?z2sa>3&
z>!&(@LV-@B-?){hltXk<OTO&Rck?3y+a=WB*+wK7^!#4b>=lpB#`vhprC#)(+B7Ms
zg{Y6PHVwL@KMh|SyQmHVR)`G%M_^I=+H{UokmqSVX<1Pgt^EC#@lF-t>j#Vvyd%Ma
zukeL^Q+wb2RFk(g;*XK`5+fWRDqGVpBLkEF6$5SMa@R@4W{o(ZODkfL<q|Y5+oB1S
z)rj#*Jy<_M(S=w0D_siuP`OONhXAs<(r}VudHJ0_kk0%^_5J`@Ck7BVFkw>W9a5W@
z=`x4yK!Q!hzbP|P%^~X@XB*!<Y9)Biq_|H#{)ttb@jth-L`u2uR*tha|I@6u*tZga
zQaax7_Jx8DqNL=BT*dC{FVx`gWnBU^$t$+ej?<MLt#2i0Gzl#UN<3;gN7hVY?*5}n
zNg6+C*Mh&Z_lR6h<OwD4_z&+|m+!wfNH!AUGelQcKS0<&GO!f(RSqRkG79UY7Ikp8
ztR7dGY3mA&O{JQ4m#Wsz*oeIxr+3(gp9#+OPwl)=&4;^=&(Qdt>5DGfs{AxRm{}V)
zg-`~nGI@u7xDy|*3^W3mrsqw`T(F^gpssxGt(c5E$E1H%`i=Xqu4f-u;rdZJaKS<o
z^}eO_fH)-SAj~tE+Tm#*Ar4<F_2z!kv<2xeiuXtYvOrOT2y@@1S6UpT=4>*i+JC1-
z1n^){5X+Bs^eOOkLP?_KWpiyS##J1yO!V=L8_1BmQwc=u8{Hz3Oxjga2*xteWBR)i
z2yFbW7`1q#I-C#Za^P!yC-q_fxl3FIz(DPFo|(jtUQ$;Q_>q~X$e}|+QbGN<-%0N9
z8mx|2b}##HmsySNG%&}-*W!xn-(8X}t>Ss6Y?c)Le=5((c`6n%<Vh`;jmd4H^86q#
z&&P78md{im6VebB@$g);jc?AG`qcSDE?_T}NAgb`77qv|6pH+1L@t!)N7zMG8lXMi
zQF;KXAbozRf>v_s1-kHDNYYc9SaNDka>rbG#r+COm_<!1n>Ut|EhJ*XznaAu`?W7)
zVJ(_l9%4n)rGlmA<&Qd&*SQ=5+yi0p4aT3$;jcWJ-w)b_zC;8R@1dX^5vqQzTGw{h
zKK2bk6^W??|2{j+5R^bP8RmAE(afbLk`(%jZCCVpe}6sG4gD)2{PBb-inFdu48H$3
z-XDDZ`2%!)8w?b!EauN>9vr=}o;+asQF^9ttcQQXcJP*wPVI!V+M5Bwu$9&!$&0pR
zM>N!|>PdK?O=;J_5Q+7Nk#8Dmu={zQ&)QGXJ1n-J7JOPi@#Dk?76g#%0^PCfmNRJ9
zbqz~FG9LaMR2}kx<WS3kj&duyMfY$lwY3`~w(R;_z%ie$T=B$)cWsvC&OQ<2He_Eh
z93^o4;jq+62A6?(25<*q4DEk^ow}y8kyIUVXOE?XbE{T-$KkhOrGHCSq{iI+(3Mhg
z{$6{B59v`hYP@DX-lfR$rqWXb`DF>rl(wv)xQ6%d`rS$qLOK!l<Fb-|9)P!CSH#JG
znts-$oh6=k&a<L|)CkadPJwG(y%{7{+nx2$F!%Vg4K$0q<a;OT8sld*(sCn({z-z$
zqT9r5YM5~!U-OnoyITyqshEvyt4~t9haN*T<BIFG7`4xaCnIy!b;uTU`{^6Sl&z2F
zJTUY*cDW{^A^)T)Y6IW2cOxu%et2w_K$(-^1)W}XMCBDZ&EIU1LYf`MPf7N6?jL2V
z-~8yvWkS2d9H=CjYd+CP%1m0E5En1@s>?V~Uj3w9Ut;;us&qFm=eKFn#P~>|kb$(#
z*N!8@ynDf^3kd`Wq*Xz6RjV3MM%~-+_^?SwU{`*tIyp&0J60@J!8Jb8BKrwZK<hnb
zTJh-UFz&Rw1=%s*%NHDbqP2#l+RFnU=f*{-4OUphy0SE6<K7UPeILGPNcJEomo#AZ
zwIh9G!Gp}SqF=HJVk7uN3aimk^Q+>C=2{+EM=G`MV8i&4)%L2gpC^XCy&?@R@URW9
zRVZuCR{XgrUY#dkV_4n#z)^=n{HtCJ?pFg-r*AUK&?aFQ=MPIOD4y;XYXv_g3a{IL
zoR`JD#E2C_b6Z_Ck5*_Q-^|T3F|RSsb@%#Xkr1~aWTiY)APQIP%SK9lD)uik+L#3j
zO@8ZW_h}2fR!h%&9XG6cg*fdGx0{LIyer?<&#s>x&7cDL2I}i5gINPe;}7gP-kV6g
zUJ?1Vw1xLouw`jjPa854^zvs4+}Uq2!YNHVOhK39XX@0!Jw<r5GWhN-oB>70+p-Vs
za-UD?L&CW;B9Xe|&04)zZ0MU|6WX`wob!X3g9;Ar^1UIfV>+kt6*j5@?xuN@8l5c&
zvz*i3G=%w7R1|CXbP$qJiGm_p`typGH}2;`damJcTY6H%8<)4Dr2R!x;xa;F==p<{
zRGC3(*O#r|mg#LI=2mmw<tECzX7lbYvRYUt4#Y7tw$Ss$swZaQ9wmo*#}}7d!vlU*
zq%4R>_gkgn>zQ*K<=tVbxA}h^vdh!3%2D(Y4o(-HY;V4eQW5?1LPY0Dk{!p8IGYBN
z_*VMO#p9u-%E98mAv3;#XHm-!dpVN%cp80^1DNP$P!V(PIH{y-l`y5RMpdLlSY-rQ
zPT57`As}pb-R_+6BV;lq!V3GUi**-K8G$<V!FT_B!w7NQ?6}P}5@tiLd$YjZCga05
zfb~J*{I;8KyzoOk@8yV|vq7I(lR4Lpxta*+_&w(}0`_k_<E*539NrSzUZn1)?AjwH
z11b-fqm_c!BV8g%6;K&Kgoz<8A|izPvou}|owZf@oRPM9Q=Nc%A@tx(<ROoBOA@NV
zv`85xv%ytUjD;xJK1Kux3u9yM!K^98DU?L_rx|<O+aq!&m{R0qbnZD+eZn@V1x@G8
zlHZ}%kL9a~a!CW-{uw~JY@--ilCbCU+4zbxpD)ey!_a(zOt*9&A`7Y?W8{`HSnuHG
z0kfVWGENbWc~oYO@0tzIX?vsSL05}?!QcK6=AC)RcCgNK!!q@Z5t6K_11_W$MBW$*
zWP-s8qVQh}*-O$2p_JY+=6*F-Qe726JI41<w1+U+C_jlBE>+3nH=RjfZ8f<`oFvE6
z-=nA#$x-XU8L~Xg-uDct?`@+fDYvqPU2w{!6<F&7sh`f5t(+0)Yqq4Udib&^XnP6p
zwU~TP3zbT>$-l9-qNAUr=os%Bq9KH$yiwN?J4=O7A!Db~Y!Ae)udHeNu1=TnKB$<J
z0|HXrgy8J1$;746OWI$-jp;JK74cPTRqT^XY&wkWN8+~2`Wir8Y!Ui)x|pyV^5aSB
zZU8#n_E5Ghm!LF=>^9@eJSH+8L6U%gRyT0QKo~L^?$%J!!`AoZe2hTVJN=m=ib*$!
z!!8_y#60pciKQawzNbtP;x<kbqb8R-9C1F(@Q%mmqX(>qI0A`3dQg=zgrMB>Fz-0R
zSh`YfSQ2NeFq(a_B;$Zd_Ok|&2<;GchKHBs3xtZNr*Vg|%v}>Xe?n1$8=3b}*y&0;
z_im0E64K*PnjvhHHfEmq$Cftx3}ZMzR)JWXRH7+<eab@Mb&h)~!fgK631ic-IG)Ok
zJ_sC-CAgT+#YW(UXS-lfh+Rsfwt{#MI7(o0D<DP>yiSsESE?6;l$SR~z8vt4Ni7OF
z>vbUKt?G>d3M~3W&@p5{rvKUoy|)+HoCs%6i+_M+qS?&vP!Ze&Y|K@aBvjxKE~0Nm
zDLwuH+M|NvwYqQE16|RP_}YLBIaPtsC;?_#YY!#gO6#<G>eEl=u(TpISn{yzp7Um3
zK10eiwfB4#4&?-R(l;N^NIygeKkxTNQO1`ny@%y*S?qqR6_<0XkbQPvzOK;3N$4sr
zrFyS%n!EkOo8bl(z|!Oppf{DUn`?9;yKJ}HL;1k=Sk_u!vxuVV=wfWQmawEG2ca|-
z@6<)^@=05#QrP2em=eVv?dqSk2dSW1@C2)}E9Dm=x)>C(&URij^02oXL^C~3DEK|_
zm_q+CNHZP=Rj!wh2^J~a3(x2?G5iexa_f&X<V6D2<y!@HH6KnP?pX8Qj4s(nC^$hg
zs1mUe^K)38a((5>hsYhTho1v%kM`x1@p6SsGiC4}S{|bgzC?%Pvg4q8*xOLTVcNt6
zb?j}oure|Wn5iEaf#a%#s$>MY&jjNwq*FBXgTy;$1)tzE5<UKMwwOk3v0+nXF60S}
z{`SS_gU;b{3#yH8eqmPX<!T~)2~RQ9<$LF2x1|`Zd5>eAIX`npJDyoEjyE%mbAT4&
z5(#4oHSZ&}fqQ~P9$EAc;!~#-w1vi6(!i4r`eu$7>A3_O>am6!WE?~8icLQ-EHuY!
z<>dtR-?kk2)b6ra^n)c-F>&UKjjy4qs1N_GnKsJi_&27Yo6(ZJ^h-96j#2(r6v<aW
zGt!k1mjc@Y(|PxdRT75DUQ%3h{AeBxRuJ@Y)7RAds=8zn4_-0Y`=(=6FwT8=Bf2ad
z@$#Tbj|{M7uz<@Aj_t_ibgLO==RZ1bgZrShY<N3s#TVNRyah^3-Iv$p@~&<+`!$g^
zo6K5gP@*O2y4F)tFy^r<MG9bJtadQS6(JaoCPD1LWbQe6HFT@bPKT+dD0ZY34)LZ2
zV*Bq^ZZ1)9E3oVoaA<c8y(b<`$xWs$>Bm__&FK@)6HPF6YUxYmgk^+S3O&_G;#tgD
z(5mD|)V~Fnt<t}YsOM;^=8;TPt_=UcZOv0e{~TG~mJ>3lKmYLhOU9KktX9gC`^#h$
zhHQ@T0zb#z`l6g_xCYS+W*1R&j=qO%34Xz(!rZ+emI@NXZUJS^8&KKJ<ROlC&D`hO
zTHbalwk?HO@$vb2j_CsK{!5*-7wd$yp@)Bq-5IK)6DcH81n%+j;oRToz|3P#Fz3fU
zrL<=`8&A{A1ZqfXW{oFKBbh3o1AsGg*a6dZasl|w`0Yz4XK(4v;9Xlkt0{@VzG#Gx
z_&{VEvx)hO00n*$_&>21mzKCcNe7e50_I;@U&MX?zdoJ|a^K}46)5CbpGv^2)tpZK
zfm@uPttuIaM-njmn148@vMsl_e5X3k?Ec4B|2+yTKJ8kB`NxaoAK{8VOF8s8oH~R2
z3oM%?`S<<*177yu6ZkG2E&n^~%)7tqq<azJbGowfsroqg@Zf0p$CPO7MylLd<gFV%
zl9(@cc8r(yzIo-~rpTxDmrL-_pDuvG4>W!zIooxzfjQgQ9mM@Eb+Fhm?{bu_x~;lR
zsyc8B*xk*50|S?X6&SKvW=A4oo77F|tf(qwHed?=<Iu1Js+H{}0-Io_`ezW#uFpZr
z=!7cd8EoDoaa;qw8jdpAn1f8j+EwVNR?(sIha2b6hjZ(m!!%Lh$uVBf#;m|nhh?Rs
z<Vz);i(#VkP3I;nu+_b2dSxk@y%G8OmdirEIUbm&Zk|!h6~2UclN6ief*zA!om{2s
z%IHNrO{%d2wO_Q=Z3UhhUcee9rz+{R1ln5o+t!Vf?G9&!IF|BiS%U4iV+r#V9=y*z
zrGR68S$VBZ_PEyOjbhslR)fxgiR0oiu3@$hA|R98)-u976UGk`(@X@(SU)%@<8-4l
zOjUm=b8)b|Mjq1aFc0i@J0Q~rb6A*lcai$@hIo7&vbAAub93(C0By#$-VDZwmM2X8
zJ^D^*9kj1*tT65=w>r4o>Evgt(iP)NcI^!aIz8&~8`9<y-Xb${0wJ^N0^O+FM`qN#
z=i_+7U_l<|k0Qwyvf~Vtk7B!@Bd8TOk9i5el=2r`+gzAZ+~Q1~MhAJp845`iWhaLM
z&yx*9YxL;itrKTfY<BQKAr)@G;`cJ1CDzGU2LPMVW%aQQ^_Qf=Qh5;bPhrX4UgW!e
zDep2T+@IWa11W>4=daudPC~?`GeV@)lVAO8Y;Cx@+dCdeGB}p=!F8zJl)x%u#fdM5
zjdU0q*0|V~tzITN@+6@WFu&gtJhEL%N4ypO)8*6-0PTt5=>{*r3b`=DN3On0Ue1d=
zqdchsFIve!cMowKEBkW(v6bBqDd2;K;+<MVlI>D-bZlQT1dd_>blG91NhfR;eZ<Q^
zZC`Eoy2HTG=A}A?TqnyH4f3ybRC78&GP3a2O(cOxsw<SyJ{wB%h5S{QeEpU6x+}EH
zT;1s~naP17j#9viZ?a63@l8ntDCDxYl5cXSImWcTye=bM9BPN75M`5glkQQ&oCnz1
zA;A1n>a1MA5O(W40h#aZTP%JU@KWJHSjSEMd>j7Ue(b%gXBJ_j3AQT)jMF@gu+Soc
zHD6N(+wP_Qnm1Q^<huEyBaNP&x_nX__SFan`gjwcI3lkt-cY$h3r@7gv(6m+z4Lo1
zClOY5$W`=}EEE3}zD8Z|l5btjZ#~TZHFgJYk*VC0#}R2xlo5ivjgJQi<G25*@kh_=
zZ*;IX7oON*HWA@d3G=DT4xL*DVp})Iplc6aO|@(PW1^l081__D8t>?&b+UG40RjDY
zv4Q+&Zpd1S@849-U*G98p5zuC{bfRiE1(x_>B*s;VJ6Ofo0@R@jH6%3D?*5M2$@|e
z%+**!Gf;}7ALw_`aFt$5^n<!|iEP0}=+8&NAe}2VU1Q~?A%3akzyCPf+`aCU34BAw
z-Pf}HE?200RvXIGRzLV;k{%mASVa>{SteEQ>jp=9fzal6b-P|GZz}q$q)<DE<_Rk8
z9(7eq#vUBh#n=03Gz8*OIZ@!Ny<l59F(wO2Wi_cd7Z_}{|Mj*6O-TObEyfI;P<lzZ
zEL|<p)`dF58*;7FYf3+~*hN34lgGR^YcVVzQV`RPYy7jev~T@LDW9O*oZk{<nSc_-
zit$vUU8JDechqOAQR7X7JlA6=l`m{TLyscG=fyq7@6UP*YkTxFWx7_xj!|w_BM}-`
zGn?WK%f|z*cQCaTh=m3}>$RcQ0%P?HRoRm~o;*1``Cb!ze!a0ETQ|uhl4O`DGCxlz
z>=_@u(LDutz{0s%Yr8I+9$<c+-VP}FmbinZ(7uw-(h1Gv{rheSl93fTyS?qXRiB2`
zCcaclNemb<nt;x+zRX6#vA7?4;Rbz#>agyu&9@5-OXC@ydPkBueX=hQ^EJ<cQ$&8`
zbjDjnTpJv%=J8%eGs(7H6>$nK<Owq!sL!Z-OP<qkWs@&Xz8-hAu5dW>es-qRnqC2m
zs=JtI9{)#;tUUQti%n`S3VXV+91Ob*QPF<!q*{?MWb9`6is24Q`LBwIy8zgPn7B;~
zYGj%~@EjBpu%w<C=Wdn<V=3W}Vi*$VF7w}15}+|6g5HVhLUhQN@i*};OvcMKWN6+~
zI(iC}Pa7xRxa%t?OtKMTm}lUhyhX+?Ca=`@67L89h5co+M_KAI$)&EnLs<~eU@Vf<
zg;Y9~A`J;su_yinx*mjmDwSE6*yuVM=JsqgovthKk9OEKe*%2u6QcEv#VL#X8s*1g
zr3@AA+?MdQo!U~1(s|0PxU^~ss92xYWRFB2A$gXu5YZn3n2;g#X_}k4BpeF@9hK>!
zhd&DSGW5I`?M4SN7<gtOQ~As>_7ON&;N74{kNi+6&Me8+tD%b(z6rlefw(*8=#HqM
zXXMCI%oioyG&4UA4fKIHx4vqO88|(0TkRSP)=+Y(qbgXj<2&u;S}Fd@a>3_-?hKBZ
k`M+P9PZy`o=A<w_^I1@flGmF2=Qo}!D`?0gWsUs)3xY&NWB>pF

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/WinDbgEnclaveBreakpoint.png b/docs/GettingStartedDocs/images/WinDbgEnclaveBreakpoint.png
new file mode 100644
index 0000000000000000000000000000000000000000..c9d4aa4aec9c5f1fab897040e746a1b939148faa
GIT binary patch
literal 165094
zcmdSBcT`hdx463jDT)v)C{<K!^xlgCqBIetS4E^rCzJpIR6s?*La!nidM}|@1*ri7
z1PC1wLJXmWKtjlk@B4k<Id_b6-rpVfuY1=Rn@z%I?Xu>aYtCoRwci*TXtSN*IspIx
z+x>f*MgYJZ4gd`6EKIa-d|uqa&~|jbM%s6PvLT*7AC5WQ*1rt^mGP{Hj~Qv7k9*y-
z@CAS~et$N)xo7-=06_hEU-R~(K-=H5%ppAAr_{WT-wXRB*Gpx)8X<rDcnc@;xlXwK
z$vnfeEW8fw_Kgy-`f&G|;P0{<HdQ|__g9%%|Gd@kLu<n)SrEN?hmCMBFBR-7r=%1-
ztu&jtkv9)joxcZHvU1wv!NsTQD?xT0=xG<?JQjbcLyrIy4n9H{s(mgqKD#awv<9Z5
z{fXALUIG_ryJN^M%hzJYD(bFM<5FXw0_@l;h%O(*=C5M_^}|cRpZo6Et>9Sde*}6z
ztw%UXU|3g_$(j2YZOi%hQK!^c!fCy#i>s7G?n{m{<jESVXi&l%4fG4(KXXuj9ty2}
z1JT>lcBk|}ZUU|U`(-(>hRb<Q8AQe;jSeU@obJuS$+?L-9*9_0Ww7%qx}uNM`ncMb
znV7BqB6Xe4D7`Q%2dZw9e{IZadl>uYwrOpthXe54M^`@xa~&r+LN+2fBTY-~&SZsc
zt$gOR4T-c3?Cs3X4sDgG4TPOnK^DmnxaD6J6~#^Z|LLF?@qf76Iv^!@$7i3MY~}Iw
z*<d;{lsNwYKJU#uOMthHs2v5#%|fttm?JX(X4sL^Y$!ryx1E9dMQNk{lSeZ~%&#j}
zZd4zBm}ncC%WGoFSA{!9JL$)4%wv&n$%TBEYE#!Qt}~B;UGKCAf?7oX+z;@1(FI+X
z=>#Kuni|Rsez&7ve+AbXn%M1Fxx^CQfby(Hrz4FYsAy#>1;Bdv!!j&uUA4+vNw;J?
z=Q0$*>zWVLDAFy5+x=se4%(2VH`mwd&>p!>_}27|L$cc13Ti%&;jbYyiu>oQ*y8#P
zvjm!hcKlsY8}62^A&K4%Z@cCr7?_biKIF#sJAA(Y%m>U<E+2+sz9z5rUe7-FSd2PX
zVj;CYoWszvH|@6D$tw0b8{fPW#}ZE6iVqv+4WMM&LU3#jKt@v1uOf?TH17(y^<7dN
z!SZQFMdD3N(D|?MA60`$?~7n=494ss;tbjUOvh^f7Y+=j&f#%vaG6X}{HyXjIT?e6
zAjg`DY;Aq;DbFvw(i{4Mt!qQ`t5&)y-1$n=$+ZJTa!ASYeMqm{xftB{mymbYCcLfO
zg=a#|kp9i5&}P%VgFPHYYDaTkZmhNL*FPARCp%b(;LU<sx0|kv5ZgFO5^1lR?iM{&
zZX<pBCm9*u976#qD=X*6F3|UH!h?ynZ}4<8>ygQtpoM6DXbNB0(s9>=nVsEkE4&dp
zKyh^Wftqf4UC_&oum!rt)vVyP4rczmu%n%9Kf<^fl7O;%AUESDRSW$ZD*^B+`8OBO
z1hMk0m|Whx?|J{Cj$xO8I;)6Y#S6ONhJ`A1U~$smlDUB&uqyNW_1!P@9~WdyI^`wG
zwVvFOk*j3co4GS+eyoll0<Z_nf4>Y&Xq^M18xTvp0CrJ|AAS=k#Zii)i{CU-ujKIO
zzCq!?1!iZXmJ7=NQE}NAq8n@ru?6UR=NIoRXhyXSOfu}3!)0=*%7-j1a~r(tvi9<9
zT*>ztu02Htzw8-B+XN%q_@N0N6s)@+83#u)fRxo^x#eKkvZlDSIj^%Vo7-;P!2a-J
zZdn|U!mk@*T3n-EKc1XGcDidHlM$seZT=?p^qx78@#^;37_ADY@%U<e^PSTG7Kg&M
z7P}~o6dX+6p%V}LwP$~V?<_A6L;haTHa(}!67JBC^&T^WMc1CPgF(W_o)tM2@Ef8E
zj}wxVcN_oGxA3SAw-hUWdi!T5BF^$2NooU!dc~Y;Wo^`#a~qp{Y?<$GU)1_4UHtUA
zzD3>3r~w=O(CaJ1Sl-6b%rNTpztlfgZtn9n{j}jhxp_Ugxe%dR$d-wsSNlbP^PF&A
z@27l)goG0Bgv91o4wB|9Os-J^b_Df%t1O03FA2Y3atm}o8je^S@RH1DTTd3sKmFK0
zK3oKQFL1%&CRsevq&a(GyM1prTr<nA!1~6dbfgR9l7|vA+FxZX-iPfwX<g=hPil_!
zYP&+w>er~dw(H&JeovKuQkeuRso83SO75&aZ-bF!Hb-SO6}n^+c78TOY~;}&DDni!
z^#chs;pE0V=_c_joRyMNvaMsa0P%LoZstYHnD(V2=AmutxRIdedyURBQvI#1&O&>N
zPD_egl{dgE{_H*q#_=Y0WwvTyUR7H-K4+N1)z}TgbE9P*mA4#G&d=C7hxUXPWaQ7;
zE+JvRdkT_1p@-24+~p|UHs<kVIgwR}cZq|u+!Gtz<Vu}Qd1e(a66$F2$!jH+nCzeR
zLGqvG80nL2BEU0O7HiH$G2dhD57dxvH$oTYrG1Q;97Sw(ef#&2C4_Nlk15f0mFibf
zD~TiFZ>rbcIN5z}I@*)lGFX7=r;nDx=XB&|LxfaNr1K8IVR;xO9lHIATB-8mXr4;3
zgWy|+;;KGcdF2{22w>@&IiMGQVaCEWRK4JgCPzVa!&)JxeCuvGF(<=+=e#?kGw!9g
z9RaPkznuZcT?mfBVR|~V#}}*IQMyW?2I~!NYt9}pOJZ_QAzyM)o>Tv@_pu>?KsI`m
zriYy<+(xboTwdt0>tKp7vn$JvZ;qP4A365<e`{`+P~3AuN7d<Tpog(0ZP#3X<a*3o
zmU*I~P*=*E&_a}sn|995ad)YDTYdKjrJN71?OKTB!$E|U-5sY7$J(n(Y}=X<3nbBw
zV&PT)ESNi%kXt8+^~D>`UYL%*QU3fv!Y6P+cCLHV9;E=42LmQ=xs`KU@m~F`uMqdp
zD*6qMYx@1r4ngv_nmLLjvmLf^@wr&Y^Nk*XcpFc<4&UnW*ib8o)kM68nQ@S+Cz|NE
zFumrka^|14E=Pc=T`#I#1+uFXxZlr1=M|HL7*U}@-rq(1$Qf|7a)$KUa#cTNCZt!V
zDeB+&%!lN7NWIyx`;E1nHg2<b#aj0-+XSs7K4DqIrp>7%RH<ip<qh4@$I(?_W)<>p
z-=)X3V`1&;MFo?~H-z3q&-ZDBmXB4uumFA60FCI6*>|5yDF7X;;7J<(;5Nvm9I<49
z7Z8=s$hRFqbwF2$LDn6{i%0UE?+op8qB$pgRvY?<BM>>Tg${qVlRX%g#v01_BRP_+
z9;(+r?(uZW!C@&@koa|I*<p7^_NmG(?0WxIa5^MN71b?b$%J^Q@(k{8Ulc|NNrCV{
zGR47a>x$jDHSDdPui5eD9wj@5ywhdbbpti3#&}+|vb&8HTH?8q`P~-TX@5auv}B#O
z#DgZLIJc*56MM3cDWc^qp*G~IVUmv0$a*;9=7hVB8aqKTx=$W~{Dvk}iGdQ2XMEaj
zvb>v6yeO{+E<@EebB<NP{0oyzRwcw%^ohynz2<+^F!S3^SM|{M{B7f{M3ReEi<Yw5
zY?}NzSB)OkOqyTI8lc-`0FAzOsdn~TWa3ix<R$#DzRTM)m=BL~LMnAh7VK2q-yJqC
zUHhmjmfJ7Zmcb?Cs@X=K#jnlmh~*`fT5>ZiTxmU9^ZeizWMv$sg|K4}>+gquL~H`K
zKCJexm-#k?K;Or`)Ww9R_{N%ko2i;7)4k-H)A8Y6>S*RTQ?R2Pd2;$?C^*Zd;i;mX
z>UFgDE$nohE}PFc|AAGPlfv|5@l3dj4br=aaH-E(;GRCXtF0JySIzUhr*WySit`7w
z5n}wDXyMLfckVs#;Nwhd?V;p0tCa&%Z+3*D@zAVaX$jV2P%aZ>9RHAFQ#FB{PO0)#
zD2IXd$>oJZ<L+r248~s1a6M2FJ#5jAUVo~5R(nWLd<vwjXl3jm<gm^`YKD1TxdCLH
zexmlJA-SRyYt%-PS#o&mls+0i;+8J?5P^_J)L17xtP_jZw$*_9tcSdbw<%|a*>Ykp
z)Z5(Hp+|kMFY^~^PLi|HMmFC|;hVS<^1r#lTv1UMfZ{GyM3xGQX5Tc$n;Gh5W{C?|
zq@8D^xy0Qrf)O`h#A`o|$??C2o4TYhvmKubkl_z^y<$xLFo|X(3ad8iVXCXjq~&bH
zmmSf@ge-3i-2iPuHt07?FeI~Q7Cb?zp5Q!^gfkz=jC8S4s)ruV3I1e>ygKnR2#%{v
z;~PMolMFnOZ_T%jMd|-GW4l~quR{?=jMVUoje&oHjpD0eIPB_qm)TAHI@m|3ygKeX
zH1p0*qMK7eFxWQFy{ok>SgF=V&cZI_xn)Zs>Or~FeU<C*Ws~@av+$>-PUT9-tzz`?
zMAlNb=`ek8nFrF3zurchqCDpRB+Y4BR?5aK>-q}?$5t!>^(%dY;g4+SWO-JE7GSy7
z@7whF#~!2v&bC+fV$a9Oe&x?a$vQ6KAX9jUhusySK_#x?c1Z7(=^D|R+0A+0#lV}M
ziX37+od4`7KX!JetH5Nott&+kwzr<Jh9?W#+z(|wnZushgiOIyyV&2QV@qp!5j9|;
z^|C6au;-Qax&(xYjY}zW4nGoa*|x1nn|>T6eoGM#S2p1fs2xY2l%AvCybY!|Gvk*K
zm3p)HxQ=fwrIYXeE3WmI5L|Ui{;_M2l*dNMmj`Kgn2=jE+3UG6eh$D07!;hOzEiER
zUq8}&eA<q|*ibMTOL%s&sB?@htj^|omulz3_;`gq&-!cY&G*nztt!S%-aIc))*qrS
z2Z|gt?xU6oxRs36vWXZg-r}Cet}!0y2`nN|b$kE&5pMNbl3Pz6ssTs3h<<sHF}Cvy
z0o$pn<?X6_=~(0YBn~pV$9b!#hqKWi=2kf5tCVeTQ93w<l7VaQNPH{T$Ml@OpFWz}
zH-(t`dbFb8O6V9<950U@^82mW`Yfbu`#Qq6m{rcUFMUJo|19bE=<O2=^{S*I+l;<w
z*joW1Yr_wx;cahaJ<(daW{D#;Gm+Bpr%EDokd$A^xO|BqLFs3vbSs?6h6fWTib|Au
zyl%Yinooo5-MynaAQ#CfLJ#WJ2Q`-x?tsWEU4A|Ok|kNebrqMzAI!pzhV72=S>7`o
zt#;h>)d&5`J$`X4sAK2h-eUinJL9D~@o#*W>uny)`7d|poYKrJkG8)kQi6D*2HW1g
zkhr|yxZTJUuVuw&ZKsmozQxRN0|d?u<3QOQ2-i(@l1e60p`}+Jq9Q20SSJwt_s(S(
z?l|ywnMzMPHU6Ls*Cw`!;@q-bU(}wHeD(rl`$Db5N3tAyuy7rxBGX(PMLrW{u6DOa
zaS1XFFSJt&4PGaGti=yYU{NO7oXQWrmSWsZ=UAVlLfvbZO}C((v&<xAZ)*=?j=w$u
ztdD!x67@yTo_ovH_?N@(1k7*5TCC@Yg3?q`HBK*bX_)>MNZp>lQajf&7D<}@TwK^}
z8&7KP>Tg7@sMWt=Dp~aRd6xukc>(oWwzur+@ee!?ZaHN3TMm~*lm43h*9p<2j{gBk
zuxVVSt8jr9v2Y&gyg3=+PUi(CJhZf}%IY@gg$eNMe-2{Qb)NgOl2Gl;I4FDrc2j{d
zq1Ilabgm+DkFVewJ4AoXz59gP*e|a;M*JJ;d@uSB)-@pA9pPyIyak33D#B}p2W=FW
z17qHi)HFny!3F5wi7zJ9#u_?bnE<o$ese0$P!<bCSH0tc+#}V3qHaX_iu3w<rBY|c
z6i4EXlg!G~m3!<Bf980&HX7*7W+~cvicOG0vL?LKIt7r*gyvL;0nFbXon>T4b6?XW
zz2o|Vm>HxU)jryW$?!H=_n3m}WWS*<`{|DnQY?FXl-4EIdTzuE_=Sjq`Q*)dD#t5Y
zb=>VBN)m&<a}Gm$w~{T$>>|b}a7J}~)`UXp1_SLRTvfxN&baF{p<m&?lt6Q3bOQ9<
z6We3%Ix7SS2E1J7Ss8}oS!vvc$WLdqww8+GR?F<nDD`?Mv-4%mP-~L%vG&5-Ek}lG
zDgOgzc<jtVSCPDFrt^q}=VW+sQM}RC+gfS=>E~RE{<j8)guW2c>qci@e3ups7L7$@
zXmwrJ%Rl|;*>FN?gS1n}<vyWXurEvJFUy<Cr3q_#J!L_-eqlCvue@I5A^+$h!&NU%
zTxc?jsk#}FSa(uWUqD9P<{!Nc>61LaA&!=6=YP*ML^FZ-EFJcRyje0*Q{AmOggSuw
zia^2GRM}5=^?Sc$917M1xiR8q?X>!J`<<a9MtvgYcdEDFI{#|EOx@O!F0U{ju&eiT
z+-7S3a@}%JrO%Hg{F9l@xV~g`TJN=KvgqlLHv`YBXt=FWrVKGHwl7=kyg}WW|HMOp
zOVAf|UMQ$W0rkgLf^o$w|BdMf$_YD*T|LgkEQT8Q9zHXr09<aDcAS!IM&Bvmy4V;S
zjj8?Pj14SZzW`8IF`Ul76D~e#t?hisLJLXP)&38h?ihnT?J(!be+<(9KMVanCGDBs
zjF1cI@W;=w9nX_92Y}bvyv(W*$0Wz;@>Gp&G}bl#W_;q~|AiA5ST-3oZlucBPXNFh
zM~FS^mO~N4y--+V)L8W2@bPgGEA6S!+H3w}?WY%5qYNdzy-MkTGyS{m97{cqnBSB1
zz-)yeaAumJXK&Y|{{}R#v~!-!dAhV<$pBnU!bFICi!WrqL`YrdGUERi{w(~P&C#Ub
z6rde0cHvI%w~ksS;GQs&!Rj@?F|Yc%)VNHZ>c2>y@qa_Aae$rptB-G9y0HQ8&0)-S
zr_^AI;bTrkZue+T$zK2#_BV$B!uM|jJan!0EP`j5QCz^KN<GkX0jM4rC`3F$y(j&P
zTIl^Zs4Gt&(s4@X8he=xp#CJ4Z}QGz$~s__U05bS$oU%qr>y@QlQPqJ9ov5)kf6t7
z?FNK@lT@jQ+?V*@9(algzoHI#&t#-*mh3`3a#alZSzl=_f1E8m+AK_$w5tyWdrisB
zhurN#CmLEdWj@;Mh5I>^4SHnP&)8KovIt7uE&0-oBr5zOhbR?jHJOY(IXd1`MfzOE
zu<(uplQ4I=zkVQj<l`vP$|wr|%0zUtsZe-wi=d;c%c}FB?JXqf8*w^uxB2ZTHxc$x
ze&Y1>?Vr1KpIv8sMGkZz#>=~YTTLz$^JVh1pRn*8PJ4C7@gXa<0siCO^I+PY#llD8
zcUpX9z}8ExVa0m7TrF+>J@ug<sZHd!stNeVN@!yF*Eq90q@xXrE4k-IA^ZB<<)*2X
z`L?wE5Vt}nhp^D`?W_+(hcEaDbMbNTWiPTR_PvU7;YQr`5Bo}&vxv8JlNt?v20ROW
zFHGpJw;dx(QMR5tG?4oKEmroX%^~N(SgH3}L0e$1!$s#?^Ubs7q8YE4+q3T29BY?l
z3CBipZLjxhPI9hvZAHbEXL7AYHVsvNd=1DONnXAG-Rlb9uKz=nW>ZO*EOMBB!3)$0
z7sF^IACxoFFYL20)%CTxJh6@WR!b%Ag*q2u1Em<DA$Vn;RYPfu%>%hSK>p!;D&e-|
zSo$GRvs6j~@9jzD8|VDDv;p~%x~7KkIfg<9lx;$~*}YP`u$ZX03%bQ959y?Um%v}b
z1zb1CWNsIw)3afeB1B#R4B82rK*r%I04-Ak>{s<zjXH`x)`FsnZ&KbC+azn#(^Y&L
zN2(rOk$CkIsP``k&U?&wzcGpfxW2Abt$HsCQhn!Ov!#xk{y!>mk08K*Ud&3cbABU~
z>EYaq$VWEd6xg$;#?eD6E|UdYrz6|%p9R$FD7vIypO$x1(5HrxamXCcI~w;;TJi&&
z!cz?P*`EA_-wn3{2Qat^LxfD<_5t_dj;vu6)v03OHE$eY*Dw|Jsb8;uIj4-l{@FUF
zm}o8&8Pja*6$n?iKr(o^S>-U}*#yo>Gq?B2ynn12C39HbT(>=ati0HNuz~NVB+OQ$
zCGM$(=-Cs~ztO0!dlm+wX6W!47__9BtybiRdtXkh2D)mf4dz>d(4(v1d%=WPp&}M!
zw&$}+U?iU3_JOFBh};On!f>Uzng+3ULiD7&`fS-8hyMKeJ<51UN##?BJ-4T+*C+Rr
zR&YE57JZO&a1|Qp0g@_l+{5Na^RB<If6^cT{HnP6=-O_0>*6l3H!-0%U+F<)gu5Mh
zI^D3Zn-}s4E1QqD6z6RY7$e(}<Hp)pxrhU2vavg%SMdyD8Y=x+IUU&i8P=RVkJ*?f
zK?~4|S?yYD?UH<9hjo=}M_1Td%@Q4CX3<rgCFVzg{#~r$xd%gI>vlF~N7~176Y(0h
zWl%&~ROSSBbfn9~g}?czD_)7}5V;`HbCX9u3bF&qE~4^Dpj#fZd?2{>xNFRTnp<bG
zE#n9L`Q5-55RaGj|82dJ7!sqM9eWkmr+oqN+NklXHva7WtIjjuTrMB`mDQdu>q*=-
zSQujo*V-owp4ZzETSnlD3J=pg3qu?id|zxb>iz=Ep{D(o5uP`WCEXT{Ze7|*^Kt!c
z7rokxOVG1(i2Nq``h8C2q3}c{bN|-+leAIUlO%M=N--*W^nb@sOF}2lgq#xPgGKWN
zqO>8y`F3I#nF>&2=U`LxOtxhw&5BUzmdq1X!!k*9Q7&10lSKkACShpRgj1Kz;c*m8
z$1(SH)a6{KwTyM878`MulqI(xC~0%Nj@Q-xHNqD-qsk+nD-+eVx2Ft#&of(#28LKF
znV?@aS|_2f=((uht64W_v%%K2m)xfhFTA)c@j!W>J@TUD4@3S(F@T21l^1!#FTD={
z>)Gg&Dr3xxKHO}Az_XdXebrI?ZEypWpRfzphm$+^D8g;XTEaN~5t5h#E$?$U8H#tC
zM@G1>5fez1_cvgTahzCNFQz<23e^6x@QIqRskw1UNzD_9l^X&<4>YUeOzyTNCz8j)
zGWG}zWWyI)g!*ytQc!tSW0~7c5?*hWm~+UU*x^v&;i%#aF5W<FWfqSo7KUEX(CZ5N
zW>htn4vhuJ`IpXn!rZR+O=4dYbB@r?&CE@f<kKisJ*77?|5o*INB5~~r;q9ak4!A<
zzG%K`ZM~xHGT*AB=zZw06|}u8>`Ixol79N_!gO2PbUm+0Cxd<HM*)v|VDcPK%=Y+r
zUC>rHXGs~oJ#y<_-9nvH!xeEOhNmh6iT#e3g!^7!nmQ5ah_G+zDYv@8t9zf89H2|s
ze-4U&o)a5rU&^T2r|5dYQKh8yt!2$-xfs8*TaIz)w+=up<KymvI*93;au-;_2D>0x
zn)L$wbh?h?@;%p<_1nBi239L2@nfeUK@=&e$j@w%m>FJTwh#4(BxH7SL#|6E2|MPO
zNswKgF!1}r`-5!3S}`VTwHy%XzwzeDAEoXPzjBJ>6+}2v)e7`g1626^rH|k#p9Iih
znVPfNOD0N31Iqo|$3Iih;l>Kyv39l)XC%UJ`KwuMjBMnA^5bXfzp!CKIXX>D@<;qR
zBk?6VK)pG2UD3Arl~Wn<r4J~jFQxO+X_5<_-Bs+`Sg=6|M?`|ZT@kTVS6#48dn~BZ
z6a^O1B4-xb@z>gZ!`E$&lzNo9_ZdFiKwEcDM_CeKxbCKnk6-6fz@aAvN_Csc3UTT5
z_7rkE?g)vFKZhXw#}zZ*Z)p>;YBS)L^Ellh#@wo#T>d3_F3{{%`{98h;WUjqIUTO}
z<K{eP;%*%T1I$o4{f_M@+;;}Mil-ZNCCm*US)v@{?UI4X3AafOz=|wx146bwxp|S6
ze+j<l&T`qkBRi~t%cE$Yu0~{GF&f>Rb%?RchMUYYsH=n^Uy4$4)RwVN8euToCYYls
z??HK~z^h>*e+GYvn~=Krcnn0e&fnf#JKO1`GCfWkB*8^b(@t%)_%Y>Qd*|wVYGiXh
z5^K0AwgGO}^*pm71&(f4`U2iG#=Rw;_6Xbh%M7n~J+rFMV>%vX*s&XK>CrEf;iar6
z2M4)vZ;;=dH|8CyT_75!*vptte9fFbnw1X8mqJtQNvhI}?R_eR2%4pLmpiQo<`pxw
z=Q=^sv&J(E0+O`>gw{_x&xy|Gu&*T}2((e+OUHza1$nG;<4=7U2ixe5K%I(ERv+i1
zpD0BE=I&BMIBxoWuA^Lf*hc@D?Gq7;b^Y%+bL%jR08v~c%+2FuI2$nyGxvU;6_Rck
zFEsHV&oJplq%MY*>G;wTOpK|J^Spf;{ChNJI$+~AZ`0lvuw(kS!^oKAgZ>u1CV$k-
zZ7D~3dpP0D8!_`L=60A*B}+Jgul>z?VY&*^Ci<LFAt<v;<wo*P*+7+}iziCff87Ru
zX|U}Qe;k47Xw_lj*q)9oD<oKy;Hfi{VWBI~7ud#Q7ruyoSDnRbsc>2;4Zl!>Ay_%}
zHtW7I$m7hhQpQcg*lxct47L!AH-+22T34&^?5capOM|9$CC~|M6Ab@$nkU#jg>SMu
zo$FZvsM>vJJbEF@{?1428tA*=*85owW%>SN{ZT<)d_pkAdra%Z3aHp*Uqg*?t5{cP
zz7)Y$B9#B`dBANxb+OfHx%Uxj%g9*i*&kgIOPy|l%=ZS>vW1tf^tF`EB4C&FGV|xU
zXvwTLv8AtNSj)G2N>Vd~H=;lt>Qk-lTHwr{TVmye3HomHRoxa$iQ9#GQ&HS>&>)Uj
z3H9{l7H4dSg^87d2m6=4|Hu2YX!T)h*%}I#_8HLRQhIy~j8%ExNVs@!hvVGCCUzU=
z_Tdjtj=}}5Xx(Ub^8D(pRFn|NEMA_xwwR^A|3c6guud2FJj-D3#^Q`TS{8AkUsz!9
zIKph7QrZNjakt?*s(C}sr*HLu`b%-qpm;2U@o>Isy_`)~T4$A)z@;$u@ed}+LsdiJ
z>MGY{2Hx-5cTBL;_x~nWB8qRO3?p({rD|DQJT8O6GYJcc`G9$i33;mk*KHaVR)j8I
zZ0anv=}yN)xHn@uVhIiLxSTpZ*)>pu*2R_EaH~ywY>;VJmnZx$tMxGgr+NZuIy+rR
z%EZ*QLhxy=AOc|wZ*I}O*W$Jhb-qFTfPorDf|h2w6peqFp#gKy;ZND0q2><2^OGG*
zVdYg%3*0!0@p_4**&o>i$myK~_r}n$>Hc~YD?g&^QwI5U^wUDQOx%%FjoZV!$D_u#
zJ65J4Fo=IKS#wtI)_=_|=)GBKL5FKC^QHVWk0K^2L_Uf`#Nsw{aoq6lhJ&$Us<=dU
z*ii3aevxbTpC`@|j)d{%Ys`mmhuBqAY)g?>k1en!4bW8_K4<l<ZI>Gb<ZBGpq=Zsi
zJN6X#KGLS&!}k`uKgRe}`yJOqwic||Ap0HutSi-l1vs%!d=SGyP#L#Q`~z)!&U(IW
zx|W;5?-#>G%$J$T5r}R@ujA}LkM4B5Jb!9(T|<e9a)IE!o~_@JtBTm48ZpSoxle;U
ztgvXg4@~Vj;NPf9T7HnLyqGpNYOU%@BX|ezcgn{a{Gnemr}s{~GQcQ;Fa8XW#bPAi
zrGxTVt}{1tURd5`W8VcdLS#$MmYw9L1P(50m87g+8qsVTpMD-oEjvJAFrMiixJL<~
z=Td=o1z0y?)s~VmnSCt&e)jcvtyw1iXhlWMFDdJaSx+zI*SSl~&;R0Qudx%-tc})o
z6@TiACx!Nm0dhs)n(*XgZ{8sGa0c?DHvXToOT147HEgQQL!Gw4iP>7bTBiVJ)I(xU
zEweHCy=JDZcWrLzHw{`WQtz)r5vQcZkVj0J_ukuhk~<JG$J$|y{IlcJ@nFxXHqPy)
zx|+~9!GDjd`eEK(V89g05x7$>BS@mOy%RH+WNu$q4jO<=a_a*F^#PR-ktNEJT@uan
z4hb)1me&irA;SN3r|VuXAD2bH`{QT!<TucJHk>~hf>798m0i#fNO>k1J2_8vYx@Q9
zbl2v+84-M=y~5M3oYg|xCusjt=c#8Yzj~Khc#0wJyTetj%f2YQn2PnN#uZq(Q>jCn
zzqQ<U<6F1lNSkZ6^!65_^)_J#Cq0;__ez)jC!Ff>C*YLte<_ec=gBQY^jLo{-?<;r
z(;e9ININ|yjgFPeeig~flzzzp-N4g-Oqlf4#F*RXur>)K@spL(O4S}PX{UN+m)EtK
zzXq>CnWv`&&qzN|OXj#Zp)zr5;|dJ!X#C#Qs*EWrYR{t)uj%}i(eOh_*VuA%iCf*|
zUGbl1A`*7$^=~^kbGz}*U)g#u4CW;Sz-*~~0Xckk``ma$fh24p+K(@}!S-qWMZBUz
zuc7C5$hey$Nlv#ddK`-w3nP{+Ow0+TpineFOr^5S=x(_Nl2rNRKbR%^6;pd*9Bnir
zKN5J$WUk(^VRQ$2fBcKK5Mt3`W1m<ih`~!l_rGb!qy(E2j~J~^?0-fz0;f*_46kTb
z{}0Ca+*;TVnD1)J?mml?`<n^%#H|&&uF-LW{-5@6{}E6Eq6$Yz62xbMl~ex0IgNWi
zy}I6<2)jtDkNbZKM`*=u|39Wt%pYldN!!-*Z&voNpPSbP&o%$6Snyw8sjqvpg_A{R
z%*0ZL*l6EfN=&(X?Y<+-_fG}eUoCu+g&W{Z;x};ltDfw$>ca5YE){Ha`mfr*zYp2J
z1DvG&_WmbrX#f5%00=kx>v-TJ554{C=%V%98W*x^pRlzquWH%@1hF5+tQ4CY)~qlS
zwW>0&maZ6=g%@kOThfJ1t4nou@$`r*ty@XhBVE%8F6Efshj*a2JQ02a|L%P&3XqSi
zxdlxW?QcmE6{^2mKep!Dcy*O)y~(4(oBLGDY*PUDYI=!<@!jfYgE<)))@e!sS?|-+
zSKIqzVv@Pxbngc)H}C_l4DN$3fcnR8waLT-gW-<#+yvw14-oxZc@v>h7*G7WTvp52
z9HiB|uh}Y!QLV&<8>BgnToEdtmRj&r>CB@s^RU#B-GH#E35sOl>bE<UY;zo*$eMCZ
zuVeMK9XU9m^tE?H_{fw>z_5kN<$$uV7P}UB>?i|Tir2ShGxQG#{?lv)00RL;Dddgl
z&BnK)7BeZLqV;`+!)+z|I#hgYA)@<sx4Zi8<)F1Xk6EVE8$;=GY8L?PZE-P&{^W8=
z4~9#rivrSDb(*KAVft3i<3&c64IdMam6})TEa0E@>sWRtm9kj&C5h%gF>TgcsIsbi
zo?ldSrJFKtnn$-e^Of7#bn!%*MSBvn<Eq%%Dvo=)E==imJPEzqNrp`6aPuFQ6&b%o
z#qt@kpbJFKH-U`pg{Jwo-x?`+wYA(t?pw}Aw#O;?SZUJEr<a)Ppp&2ZmE~U;1ch*A
z&PXPYX4`4Hh?RY=N!AfAH8Ujn#;pD1@Wmu(=Z}JpC<2uI)}tr0(T#fN(M#^zb^7FY
zat`mgW99lV%<lb#z2PU;YZgw$nuFh|zU#c#HWw4RTfRlUfm?~~c8KFR!u^XK1LdcH
z{P#{eR>(-!^3T77j_!x{F)R4Z4Zq~#l>5s1Ry2QZh2b4Kd`)Y6xU}SXE=%w#0>SxM
zJS=IVeEzDib^S3q@w}3I8__FhGvgr=eUYk<rg^J_jQ*|6+YFqsd97Mqj7OQPTUA9}
zt%^8(rd~nY2yG~oZZJ(I=Iz_J1r_hlpI~HUyaR=*im;@#*+)>x8H4%F%KgpCN1&kX
z8%`V6TvE?YIyxcpzQ@F9u~^vfk}nC<d=Dw7+j<DG{xGO7hcHY*S8n(PA+b9Ya=sjp
zA73AfF|Q3fGAJ!k)zSKjUW<fEt;rF=F#cJ!a093h(^t5yj*D0_Dbf7trcg_LpFqp_
z6UBqdlcYrz${LE;N>j7JUC&@4-U6KvPkV<H?pWEC-RioPU5`0|Y44x9MT5J8@cEH<
z;GUbf2Ew1``5&F$JVEDm23?Vp@eGlrYhfXUS?JK%^~3D=*>*UNby9a0I=Y^yimm!s
zLxTyTu8sSqitq)ab&I+AN|l1ldkpp)bj|j+Z&$1iZ_v>4Y-4QAvq6ZW-&z3+wBh<@
zm7~yirz}K&Lq@Ag_|vn!l+DLmfe_hcnZBv_52hS<3N&s9GzOEp#sYs2`e7zv^wgo9
z>D7Q-1?*1Y7ax9JRiA-+6=(CM^MS(V@A1?!(Ol0q%EY+bsN8REDjvEWuxLg4U5z-T
z@;N;W3Q{P&b@MdcQk}aJW^-|}ZvGw(PAlvz`#@8xeO)%*iae^Q?5npETRIQqTV_H|
z7w_3wtmI1gni=iLX^*&o{POW?3Yi9w*4Lx9mKRSzRifHlN-5YH+uJS(vD{BtH$UUm
zWD^Zq@C=QV*bmZ*PLY$zm<vnaFZ{ZjtFJ(5#ywka*=NBi?3rBZi-o4u9v%Ct67yG~
z_8-MxXQE#SpB-mj8`r`cmXE)5naVojkgB<qbuE;%n_G=gjW$rDoSbeB;#M)4emiut
z{#BN6sKLqmf!!CKUawfk^?R0=ea3Rk>p5{+>#6jSFTz<zVx)mADJM~HkUe|&L5}zB
zj?3#Kxtw6kHXUx(>L$JYh9Iq|r!|!Mdx-7O%KDOkl=@YgDTHvceHCJ!(+i`l@ilsA
zN;QTIu=#m+%lP%aD8`IB#{Ln18(9*h5j-#}?O+qf5;1c20<FZ<ca2D^W<{D6l?&TJ
z35opFgtjm(Dn;^Df5>+4^~=IDl@83jihi#r4&bS&sajU>?bY1wQ0*(zfc(TN{MoEx
znmm|kMR;ECfSa9*X!9wMxxLUR-*&8y5|h<tqPni=K{va<?WKqt$?@w$R^MnLoY4sm
zO3c<p%un>+q)c5_#H2F%8TB*LD#U6ylbAd0BExJ+)vTC=>s6SV=;(c-#5>gsZR)?J
z9?s8qi_3Aj_hG`&9x&oI$T+gxpKdb%D%Jm=c}snkmYu1fEQmIGOym4C_A<v@A9JVG
z2z=V(Q@p1g(i6L~Tw36KTxEYjV|OQ;nvo{$qGJW$$h)qS{Z;L}^}YCHRSk5Vi6Ih(
zidnHPtMHO=FE0CB%sH>=#9^&I+ehYt7w;VS4@U>&8CzOf4l86PUF`2hCxP%ayxI_w
z!kEkb?N@5G$HNuc`PHCjz-z;AXf-4{WTM%d1v94h!_?IsA5k;g*716q*~S6(u{!sr
z_ix<Rym*g2YXwj3mO*%+XLXm(K1tsj7c1`!E1x)OE_Hv9^RbI?-ERh7ZuIU<h3hyi
z(IfBQq4kt*^Higk`q{>(PmLP`J8S*CH%$Dt2He(`B=pxhJ5VPMl@LwN9uAFuPmCME
zzh|YLy67c%YFyGAzvAue$w&51ZAlNBPG8Dz4rJup;rtn6A0He7Il<cYsI!v_y$Rh8
zxya!$-<lc6tF}Q^oqzDP*v!}<PUenw$s9ko3!of2bXcD`Uo>izmZTE>OzdXNdS?69
ziE!gmgO&n!@~S{;gPCY_n_93JOXl_?*{?0llBW)f7R89aZSG!&|Hz>Rxhl#)po%tx
z3E{?r7VAa=CCG13Nntm7LTW8R`<gMSIx<ImpYa)iNp)pQk2D_!IwK&C|3q|Ggqcf4
zHH@&Fq?>(wBruIBo;@}Ex3fai$j@cpm4PgHYnq~?$7i@yKL&Tv3M10ypK68CZ$srj
z|NJ=ed>r^LhsiJ+Nx|;-SNTVP=TdA9JoVA)zWragpNWqG`$fHBU+4AI(uY!@d@_iJ
z`0ix={BiPx@yds;Zt#*z=c``7ok95UO0wN;3ybP+?-B8db$MzW8QSqlsv@dRP6(Kp
zU1;nal*}vfCtVTCY4;%PhJ3Q>4ZQnISsy$<d^+Qk2Wv=>Z4c_2aRXk{KIl-x{NkN_
z>U^8aogins;O*&A1q@Z2npQDr+IsCti|<^%paeUV=0SAhDJBf|3RnI7_evH{4f7ms
zD=Qq^ov!6B2%|<wKc8f=Y>+(c^3L`IiSUr(L^jXwz&J<it{gS83dftV6j$9@qf3B`
z?DFgG-%1)DhF=CfD<yO?S6t4+nOzz(4%u_h8whYXE04;jEvfjhbB}HYnGt<?m8jn%
zS@ZfQbj?CKWr!PmKGV)i!KR|!Q^&zovh|`$($rffQNH`ey48iDN6db!HOz<ohbzBq
zZ*#^r#LW%i@8|{ua({?mu$S2+9GDK1SMz(W9-DykmYTcg=e)53l*1yZP1C11m|k?2
zYZ|Vp2+uSoQoAy9kAm^yxT)%B4l!Fj#z?I!>dUM&O&$O-6hl66T;Ukb_{tqi23_}{
z^Ljg8$XV+`C4)%cf`dFgmHO5X`WMAO2ZwL@j>_^r+1`L<!_zd9TV!K5f;~^vUX=V4
z^;9IMm(k6|by1N^)$L-7#B<r%X@8!~z2APMBVWeLyXP0n$6POFZkxl_j)#!BbH9<J
z4ld~RaOif6!>_qh=5FNIn8_WKYq#riW0;S!<@V6`ZFWG$7As+;(sFN)(~19?AZTr@
zHifx;s#pk9KFewJiLbceezs&|S-?e`<p6NGWMe_slhgEAtk-_9`|9^GX~Uyw^#dVQ
zb1hVJ+xsdVAzp0Y=^!9Ph|;(gzZ(`4rrp-78Z*QjcD|*hMoMI=_Tw$kb=hM_n_UmT
ztl~@IM<%aYl;6!=`6^QIutQ<j3uC+_h2U54IoC3Vm4Qg)vbEIyQc;BOpK-1EDcl%5
z{&LLSU5(37v9mt(+6yBQKNG=Qz^|+}jA(?revh+JGMzYciyNveUn}OV7Ty-xgI^!V
z78E#F?uTMV&tLw%LNaEsKN{GH2Jzp7&~tK%$$8jSy)X)1bG6F)49HvCTOuXWG|vK3
zr|<N9Ci;f5gvawN&bgX=K?OZtypty57AGFyVVlX=uJV>?M8To_^Nx-vY$u7V-~2J{
zovT6lir?p|+4REgVFAll2R5(}m-=A-toG_)^NXS0`izafLpgoxPcAdCp>t(P4-P?@
z)6ZY+gDl6YKHLGU;Y-{=c`ibYnsG}=2m>fx;ytxjycZ3H9&TNatEi~2H-GL)^Zy=M
zTCP()?CyTL{$LLgKUlyu!q|@eA<I+6ayyq*Lw{ASHw=1lC+Px_-ynoxVL!`P7&{i@
zj8>yk-zIYVkL=Lm4C)3Y+#m=d`zEU`ZWI1$)JiOuUsWo(%uVIpU4+ejGCS{C{QaY)
z{&LI?6{=+ywj&Zs<ULRe)8ZClAAOnGJ>r=)`1w=TVpe;^Ch-7ZkI4Q3Gsa`D?X^77
zh?M6*N_4-KSYTU?^--L{=i{HlgdiKAt(YGf?%ZxFm}<B2bC^Ftq9|Fd9hRZj##2pd
zT<1AWzi=<U`Y$)da)4nW)s5Y#8Y<|wTydf?$S+ZUIm>ZO)}h!TGoY%@2-)fwx2+#-
zI!sW}y%7xd!>7>P5D#Jc1+`&n;$f13&5;sGzax9C<i43<bt-XWl7M`N{Z1>XPnT&@
zk;khQXMI8L41I|<RlS&jDzyq|#LtEy^_SC;+0ShBoX$~G4eb1{QB<kQjn9Tkcket#
z+goIM_TOvla!he7Cb~O2JJ$x3H458ca<DtRpPOY@hp7}dNfFa1Uw_tsQgA)7JXp+b
zO38fBNH+3&PCIJ4ZANU_q0oK*N)XK^(s>#TDW9(QUg#It97wIEWc%K@;=nYRZD%jk
z-}34pKSS=xH|;t41@RVJM?8A?RBz5HQ#;t+aH+X`#@v!USS0#$mEOL1!b_A_OUStW
z#JRGfi1NuWuQsUV4{qxoLBKS=%bTsn%iLBi)Q%)!ne8C=&9B*ezbODux5dxv)s(KH
z6urI8@p`Ted=Ur`<GSY*+nh0!6(*6HiIw~1)A)3fu=``zGy(1+V8UA$=Qb5LzUvQl
zQgj+f^qY7QgZcPIzaVTYIu4f_csx9G#ds~pSYzJJHE7DgTvV46JGEN*tczhjK(}f5
zpf4cL-Rj8{PFlI^)~C4=!CJ2=_Ay~vIAc2(V%g*`Vq#`SZcAU)ex>n5Ncixr>cOrt
zHQ<1UN+hz-woB=B49rF&o!`4D+P6l5!0D2pr9=6X;JsHXz@y_D2iD&X%mtipoGd*!
zyoR_by`h#tix#U4mP3asi;Ts-xKo*n<43;*75^2;;MG!32d<V&9iFG#WYxulSq*+Q
zi~998JXvGD#YFq2=Qu~7<)gdjnd4r&?ac<vAA~_Qf)D#QF!CRu+xt(0_l4*eRubl_
zUbj+zoFfrh@Z|U$O`aIc1=^yu?M4?XgZ!GC`PAS5R?143igeTA*&@<UHxeE-Kk`Pb
zHK#PXEw8R&+;5AFUh64$|MKh#@gsi6bIr=Y?@G#lIfOPbx<H84{Fz2?XGY3O?yYp8
z;6~>587p(KdB1y%HuJgc^b4c&qlJP_!!ANxBc5-E^3(=fQ#{hapq8dh2FvDP1rz=^
zcrSmRrIWm*9G38Oxwb3v)T#4g$nOoPVX1z*6GO{H>Rc#scDMUI95ay-Hi~CO<RUq<
zw9JI-v*s)(6wHS-nd)3$yIFax(UlN?m}oq0P+^yQYR^3rt;_QJYqCUitK<(he!yyH
z7g4!H$U*ld3MQm0*}d|d=}L}{7($5UjpX*cC6fDml%>U(eGiR?xD`fEgma47uDAIw
z#@jK$U|yqR43j6c62;9~KfI(XIg@0$GayirY}@T>Ze<KSCq4f{OB>-#g)?rmS`QgR
zP0P`ZotJwg`c5g#90+prB_%`$CsFBMJP!u*0-zgw_s!VI#a;TjN4F7ATkbZoZ*Z;@
z#qs3aEUsP~=tv&PPPS2Zifhr_Juv}yqV;S#87$k9<m8UtQaH8Ya|*lTp8E!r$z^R9
zvY{YxfhWCl<trYZx40c_IPZUnr|!;EFz+r9cej}qX`Uz17A4+NJ*}Fg%C2yF|KNa=
zdj9buCzbM1m3-(+TNk304uAf2docZF-M-p`G-W{rdV9fRwLdONpL)Uc8j#*ZVh;q}
z0iGUTgGfL=Kk$mmnBy(V+7X@K=nm^m+=@x}rrEJ}#Lgx{VfR-7V?uRv2Gdi~oG|~4
zJE*#TSU2t&(j9M*8=z{bt~-H0w|I@nvLVqBE(&$01?a+l$J$*GB40mQ3V-IGLz?k0
z@c%8JyJ<DGQ6WdhDBR_rD!UlD-2=1v5xIGb2$AS!J2G{3pL2e6dp3I{Om$i}zqK;;
zNNOdVCE`lze-}*3so@A<KPu<EA5z;y)@<)auG~qwO>_i6lg&I)hJ{h7wVKiS5l@}4
z2l-;8vlLp<zpL_&*zVyAS!sXDqiIM*XMLvmWc4c0LYPqUTS<)7Y8P6?E7oM!nc~i=
ztu)hCHohurC2>KPOXUg+LT*w7SMh$|OVZa~jzViz4IL}2<*T$k8z;EUK~DNDV8{0U
zh;pk*?y~$!bJMO<h(Zp4U-4(Ij9Z`cP=@sg*=KcVc8Pb8ftj5H?{C`geW^!nMVbBe
zfl9k|R`h<-&TN5-jr-$rfeabK#CbZ;OPey0Esuk_VjLHv134mGmFex-i_XhL)~q)a
zua+dU^5#liH84HoKk<96<w3Jt8iU=2$xwtCa|h4SH4UJ-tud{RufS{4w!!LEn|6pP
z_Yx4ey)I1ZTF_k^a9kbb@3z(BKSv07j(F8&QXB0~nsUG48Bnm%Njz0YOO@I-$S}es
z)$54t?2Mgf=oi+$32iQrJI`@2Y23Muxp_;YQ~kli{^Z^7VN{_zi_6zlVGcbHSb830
zoO<l@>z(k{2>^L?<vcCS0mBr4IKqK`R;DtYR}sz49I2twaOjwukpShOx5IDylhnOt
zB1-Tuk#3V(lc7ZobmF0`zC7uA*zHFeIg4D&%lDyeJ8M6CB-ffbuNmf79xRczyoPsl
zWsz!4E2F&+2CAalMytR3ZFeEp9>jybWSwRGE|D51!}0EM`TcYs(w3FgTIBDSHMq@W
zQzNWoC}{;Q?T+(q^xYIyES`O4*+BLs{Vw)o&~?lD@A9P!9HLqU{aOTo)=m*1tJ0*I
zY$g^qyKuraZ5Y_+pe?0CkE#t{6gtw3-A3e8!))&c47FrOmGNnOZR&TX=D05JxjOuK
zzvxFH$PJ6YXLMdNgQSu^)C(uOP47auR9(*v&dF!{z&VFW3|8+}x)#00CxXpD;oqIe
z;;@hBhb`$URDb)_+qN!tKE63lZ*OW5^xA)8=1+kAS|F=|FPe>8V2<tiEirF|o#^#o
zy7a!3V;T<?W~w-VeuS$t*EtqvE%Bn=5)+g!D7-7W+?zGLcKK0sTHT=W5b}g?>5ez6
zf2jkHI)&VneE%BHnos$>pl;He#qI`_0`n!weOjEvm)1-xMX9Uy;de}28IAFshqdZP
zk5usv0nV7XGmtB7S16AMzVDJ5SBD$UavS59a^ifhxz^u`hOjeLMTAf6&I-PKa++x;
zj3t+`hg7$sjFiREZQ?rk{uU`QU?^9{(tM5Og#P2lr=p{vJbWZ?#K?Q<D9SEO!(vLR
zu)z6)H}%6?Wnf7E2Tg`->}SH{w^+k9z@&p!yWxpav@>ZJBOS8uwdET_-ElfP@Le7H
znkZy8vd63BGE=|hw>#-wG+CSe>(?(5m5tAUKU6x+wA^BuDz|V$#IEw=ub)4^eKlx#
z4WoEYx5ir%2R~;ki-*%ZP&UT4s7*QCcawyp!!x9#Pg8!~8ZDT75Ic=|rD?d7noS?B
zy}|eqgOP=!R8O%s{=nt3mt#*1=`s(0NIUKKXIb6Fh;WX^<8j)hWXHD-lDuxh7rJb1
ztlG?EN9>|-u#4Pkbw<-%u+W}1Sk^%_Cd_U|eU=r3+{m?KObSeYCh*sL3TW|9xZ=5N
zp#H&e8@0R_9y}(FzCrPlu4k_S6a98d^)J${iUX}a+ai8xR)96+n#`>ODGGE-!SC6g
zmfvEY+uF(txbxzWqu+v;%t2iDMuaMeA*5F@c{q~OR@0_2#9sIc7&EG$u)ICfR8vI@
z=4)6UFsS$p(s|Vr33pEe!4PII=b)lv?MC3*2fG8mk@@_DjoIYw?d{l=t59w6<mK)4
zrihk`PUB+jGAn>bbnKlp@C;`A-J^f`B2bL&wYOw@rO|WxC}a$n#PNRXUD#Z7s0r{C
zEVXO9f2?_Gs#+5ejt-d^2h$eeQ`xz!6f=(!M_vqN`^iuo`_u}IABx?Ydw3Z_k)-jr
zS#g|!tMrbt;+19VM!}tIY5!O_u^hWt#MQa3p^U{A1uF6UDstpSvmYDq$!cI0r(ZCC
zW47=?N$kO^5L(y}%c2;+A5s&H;G1rBh`w+HZzP=xJ$+%_;zVTLV%I}k#0l2w!iqTh
zg_}~oFISyFP(h)?Qrv;Q&KJPE6q(x-H!}RVtH2#ChxyKFcTO#uoqIzp;GJzK!GudT
zq`u9AW7H;KR&WlJ@gem-zL_jq>p{8PvfU>%))E{r-Ru~{^2#n~WxRguFB>?}DYHuq
z=s|+`c<wJkj(qmr7~5$k>{B&{OeMWHa8;N;eFST%_-FtPxi-7&e=YI(l!hItysMFy
zjM<_)@Y}wE%v>yI2^X1f3zMhdaNbKPdOcjM-R)*QU21Lh5sG5+n&(d+YiL->9;UXm
zq<ZkwrT_9IC#a$zbiU;aUD;5LME)?|Z}@X_(4V^0c>(PkxC6HTI|aWbO1D`Ws`HH;
z?0JDEc&RjtIPtF3&mAwR9dr?J64V8(Nlv8DUW?tH#MR;K6JmKWQf0YKQhZ+*vE6S^
zP1ejhmsnJ1Z8YJbq(M)pE^(e3Uit3N%OlRLY_t$nE!$eHk7>YsYzs9cmFVqHcf**2
zS+Ld&3tUk_vXPA+x$ZHmxj7ODpKb!bhzj_*mhA30-UqaILJ+7K_QKb<e2QlRX&#Q7
z@bX>Wk5lJn(jdJ>19V>dkF)f1JiJoR+>2IqqpPTc>e1VG`N+Ix58%Di<6zU~g(@!F
zRB3fXsooN`HK5^rmtO-@PYS%jKb&lAnA-)<JC3QgDP>CRUnaSCPwk@LtQsL*0u0j+
z*`>YpVZ*S`DmH2q0}}41?;6|}@#U_AXr9^j{MYYFrd;qs-&Zx3YyJI%fbGUg`Z>e!
zVoxP$znV}xmhj~(wh=uuGeI2{o5%-hxrxQ5Bd^|^b!iWe*j?NN6<%snZ{8uErAi*%
z%-EOTRHE)KBcRHUD!$>_*rOsXrXHD_%h7HA{M|sy{aMG`wb2-3+4r2TXw2l+^5so7
zZh(yN94+~IJbYYH#n9qrrww~#L$qgESnA1OEkJqTL^ysIf#y$<vtLlBQbH2yJm+r*
z%y{RwZM@B(^E&w_D4!1N8DU*}VVa9c=*b_yaCCx}uYwc{-kE0Y=Uw!iW))gXh`w&L
z1MeQmD$4!By!lScaqKt6S`pK0joM5Orpw;W?)5vW=6@I+e@L*GpD-6^YHgG&0aBvD
zNB<XHUme$U*Z=*cxkwQKkrGi1x}-rsETlxbMWjPQ7&St`1QqE<N=c<-3`9k#jTT0V
zFh=Kq!M5k%b=~)K|L))O@TV`~wVn8!^Lf{KV@p_iXwkeR)0hvZA+E3VY!5fPUaBBf
zq@XOPS4t<yin^8okuentw}edi*}o<67s+EyjAkjCF09n({@1DmcvV6hhad6#rSz`G
zCc4&<?MuFIkq-=LtVdLTfOe#6A-({MP8C7DQ<rFdCEnW*ljby`Q--Z8IP}md-dq=)
z#S491i<k?5<lP=MJ!}AJ4L#b5;$9Z~EOZ4uZzWAxy>(T?wCg`Gk2cS>C;jqW=WE5~
z`nxi`Ocixl9xZX#dCQ@7O$5W0y|VOd$2G9RTh?_84S?~d#qU_vc^$39U!L4}eW7Dc
zx9c2Rpk8fkf@`?j;)Yvv{#aAwh~vOutJB9Y@8bJznQ591!ks6B@nd!8g6BJ7ZCQ<R
z(9eV5=&#t;hR)f+I{WCx&M@W?du#jG{u7ZDl|CUiPf+^qbs@qO*XO29@r1c``Hb;#
zl?}bcMuu=!el<<*CEtZlQu6({f!=om^O-k~;I6QPz6QU=Y2U|Faf-=dGFvFWv2hvP
z_ET)%oP%dxH?!~8#zK$9+cO^s;x?gX&JE4c<SJBM<fK<Fb)!XiNo)tfM=_)ts2Sbp
znFRr1Zd$>XJGn7?-nl>jrmQpi^kN@E*?$rJx-oQ}f=}(&R<ijD5;Y%eV$rB{lC!sX
z2~zM5b6w!sPLw&Es|=oKln&bJc|=;08a+lDqq0*&<}-#<VY@Ye(31DpCTv~*I<%ba
zMAJ&Qz(H=#)r#%Il6*0BUg{IDB5;*-1SFO20ldZba^~bcQNXa)&99qQYT8(?mpn$E
zulZiUXq$D*`uqtr7peC18Wa|ApM{9qfB%-$tvLb?^ifB@&Dkp4_WA1rzM)kw{;8N0
z>s>q-+=veeN&2m`)$S<lpx=Txp=}B9g>{#WcJqYpsl_6@h+S!{<J#nk9$|tuW;4gO
z#avH)hkU5Us=VT)H1GWH6C0}dbsU=NZ~77hUju7Yr=7ahboXe9Dy4$1#21G;haDLG
z%GC$+1)gyy*<38PF88mcLZeZV&#c-RsgS)JuKoG%0fOB15H_&seLwI+OZ%NQL>Iyh
z7S?#YxD!TD%7tLmFL%j<$z2|eeRU<P17*B)$gOIAq_n~OoXzfvwg-RXhO)&zq6J8I
z#E({DfkEI0bnsW&NK~yyrhTysANT2GP794nmvm2Fj4>W(<H?Zdj+Gqd=eLab1aIhS
z$voH`(6r!w(B)W?$lrR8C*qiy?bKK;|BZv>;AWPM&utP&qo9pn_t*%%sWPUI8*M(@
znv76XqTn6@cUN<NEImMfb@0rwjR#9E@u4u$wQUVI=!j(B3&`3{m%{d)bMVZ+N&3{x
zQsFjM*n1M93!3lTC0Mk%FDOeWs2hkY*fM%K26lJd|K4?wFoz2BIK#Y)rutdUS8P5`
zIo;3zs_4&;4zfPKZ!AuhDf>H5W!b=2<XlJax`1evG(K3tAg4a*@8c@<i$9ce+RvEs
za`t}Di~JmYgxvgs6hu1YpjsLv150!8E>3HWP|<d{&uA4){(zN#XwveKJo7~iGFiM!
z+p4Y2_*IdM6KHqID%?;PETk9EP+Xjx1S~TnZR^K!0PDDrSs$Ict{&{iRG^OhuC=#R
zM2D0<3=LDv9K6S$N&Mv(<m<;)Hc@M96;*@5_f09?2K3FnQw6GZgK~$CI5CEWBG$M(
zcmS`L%AcaC#1d{hb|uxZ1GnUbplj6$fa{Iykqh@pU_l}PfgRRnue34c<<i%SIs!1a
zpFbjbAZwrYA9f9lIV(W;HH=?(-`}E?BLv;%>p7^UA>irB7IRiVMJOz^Q3mqF9*1n@
zDkIBv?Vu3td<t*ezTYDpjbHBvMqG2G4lb{|1lOV%Z;;KQ<?N#Um$ASG_wF1GT{KAA
zkfVA2bow&2U#MYvtfz{V*I5e5WO=dp^8?4w2D|vRiaZc{GmxjP<2+odNXd$GX9$`Y
z^oP1x_!NaHC%Tyx2bGX~azC1*!sItJ33ETykBGKeN2{2wO{GE)jrQXetwK(o;)&%p
zVxK?Hp4WQ<cr~KW9%jB~#Kn$GL4uFOU7~QAM%2$tzFg{1z2Rt<^26R<V}iOh;ge4!
z7JKfHxV$Cd?DSQ<ajoURd2fB@-pTtCU{)V&Qn$Khc0z%qNSf`9^V!d`<!D+#PsXMd
zV!AxWw?MJX6z*VNWOH?ZMBbS9CQL@XyRh<=qc0X&mehX{C7N>$rJHLSGuPL-Igz)!
zmZUng{Vld(yNIi>@2396c6FZ5wlk^s2$MviFMqmEUeJBo(JyG|gxn?K<Rb#>=3UzG
z`nc_0%);-HE*yMvRC5I@P#8^u?Z%I5sRxB7aBQdHi-1G7`rmD6xGCs%=!^{#*o-eH
z`++{LV$pd1Lbf!RuV_CT+*d!+Cmr19RMS4WS+9cg^DS36=n!kR@*Wn#6OSxq8u4RG
z&ZD0a?^=7XChW_gkgJWtdA!M{$s;t>t*f_g4L@5Cm~IuU_FvNLXi5YB0ei%$mvpgH
zP<Z>yWK}dhS}7PR8F?z0y&sBHRBXr!CVr?NSzjLYT>`iK5IvRrt<QX2E`w=5wly}O
zMT0@3=_we$#H_SUFiDfhH3HQSGBBzWmu1E(!>Dw#FTado;@5OgJEhx|B+jw6RYQ44
zgqoRDP4n&z$BPdXF4yLnIwdYhud3fMq-l-V8i<;VG9LP6-H?7cF=1^%>Y+_+Ja2AZ
zG~;{N)_mUim0=Hzv+>P~9;1!ARswZf>5{$?N845oV#)9|-VqF%iRN<t^8NKMBJwan
z-E<!{AxrHSpQZXfcz0D+UOrixh~3#9&>wh~D8fhKeZ)!>Q%%QSyDmU#sf^SM6V49X
z8N3?QV$10<=5Nq!3R{}g8uY)%MqJE|@as?Tbz^~3wd}TjZ)6Q`kY5EH*6W*eUxGss
zw>yw~Nop4U-HS7r2kgY{2{FH^J>vHG_APSFm~(VzVW`XP4qh?p)}x&Xex{AbDeX2$
zlVF0m0z}@8+@|oJH);Ifl=?1YHiE-XH<EJN<0eRdt3Mbt(jTDVvby2bydk_YiBPY9
z5yi&Ol7zJloY5ZqG$&K-;~2tUcn!GIlvx6bZl~%Yf_8FKWw7YBsN4W;-%t}1ljr+D
zEze<3!ml*BFP*2Poc{fp{F-i8x~seU_}anTv6S{H=d(Hx)3KL<H8qNgzVGv^WzkxA
z9S!_42W7;2`Vd%Z$GW^Z<@8gT`JcV<@f!<$??_7x*QxU)keduUixZaA%^{uuaLip*
z4Kj#j;d3U&ynL(ZKwA^Gp}mNy6Y#*aWPV`f%VR&Urnh+1RmH25%(kaPN&8$^y=+K7
zA|!U#SJ1gaFZtx-o+XPH00{02*=t?H!uXCRpR)gPM}fd;inOfPf-wgmHcYg}Yf7+&
zYMQ=%YTJpcuOh1_FL*4z;MuKgg|*EI<H3jS6qy9{6{Ui&D!1U}KaKX%@!kEu>BG&_
zb+^e%o(1L6*B7cPTA05y&p*BX)TZ%3Cdjpug1qzT^JD_XqcA~XdoByf-){Q=obEGI
zHh)hTw0_hU*#;#)+1<5K&g-1dlcewlWKi6uDNAWi3HwRNR&9TNAvRpR`K|c(`e&<|
zM9Cd<#gu0vCPS|D&iweq_SUUl<!n9Wm65wPEplKQbB#+(2HqEC2`6p6YFlhPCQt)N
znKsKK>B?x8Jc1m?HP%!oUH>AO>@$5Z8Jzib6Yz;1OPcLxftcq7_uEWW9i{_!h5*DB
zi0QqkC&hY3hMie4{*@dJk`i7U-SS5DP&W-y@O`v?xEIL6r>3bD!%}cQJLnncUFFC~
zx#u`L<HUuDE^G$^u6QVVLG-v|JfFHo$w=uAxoPk@315daYI@|=_v_r(AAFFAf2V)D
zy~Hl{ynXgQ_G!F2=Z^ovy1i1+^2yL;+g>11cs6gJ2UFXnRWrbm<;ReR11Pm3p_X@~
zwOOtATo5_<L_v+s3{#jJJzRTj>bz4QM}=;|kNpx{6`=Ppc)q;2S+0IXl>P}-xb_|o
zQ&@W}(nTy8y}L@5RHU4)o%8E2NneQ3XmVLzWREBwQQ_NP<_U7slOujX>UpO)k*xdc
z_+oG=@1o(s|HwUCOX{gx<#)t$OK6SJasno!R@)KaAe8YHu^z4JHY7cx;PCUWJIfNT
z(_2*aOd`)0YjZ8R$5|6KhtQiH(R=ranEv7*d@v@~^VJO>`i1`fnlp!)QbOtT-Kjjr
z`gYW<uR4DX4L?BrU_+=O2?RGbXmz44ez@HFx`;{XF?CQ`16adSWe%BX@@)sUU)=6Q
zRis0Kn)B`t!+0O)Wl2Y`wj6kZxjsMFohcFnpRe57k|^C$4y=48te>Sx-s@0zK8VXa
zv-f*z_E>duNL8TeYED}eE_%2Ow-PW}AZA%dKy5HS3}gS4a2_&QdK*8*Ijy6j-fEM4
z=NFLCIggQ#Xi^kEw=NDP_Dtc>u}DQaF%6;m^bx;;<`JO^(!})Z0@7}tS5KOQ{d8g@
z5en23_0>bY&k~zv17|;ei@fOPKUA0zMjC$5SZGUwkRc!QQ2SjmRnfxurR8i8t-d8$
zO7$`h${dC96d-ydD(scnj!v?5FNuG)O&~`yw0Dgq9JcpB42_Vy4Xz!i6O7@eS=Zq<
zfr8d4zH$@NvulHw)|fk|T2d~t#>U{I2{fz|IpWKhfLE8@FBC;Hay`##RpIsX^vsf4
z@NcJBFEv-B4;MW56~MC|(a}JF#lfe(AysBo^DIfiRzt+JygH1a?ptBNFAXz-HH-=u
zSvNg;-il^mlyTMw%RNFC6`<ZqO1rSSwaCMephia>(3;4*?16T?*g5xP|NhpMR)qVg
z4;xFs;&v7=bsbyW;w$i9>U0L!;$SYwo?HR9lId0r04mv#gUB3Md9~nwE{`mO7j1*X
z>Ne^h&VtF~y9--CEoRef*1Vg%u|{`^wZC>n`HKPCs`lQ9I9uG7GW>ezHXFF~%pxDD
z^>NlaJyiKKaqyBbbHAYHAN_ouH?V<yfU3wbBFRLMM#CsWNmCUIAoKDatMKoE{fY;M
zV=~W$7~rEn;(PK2vQO%wc6u)JyNRY~j#Q4l9bm;I4WwGv4H&WGjheXW-p_VlTAbc}
zFs#w&xGqkZQ?@M4Le?<BQ~zt<>`}KOjsTzvQe|fh)wC%yg*T?V%nx9Y*Y~^V?xKx<
za6-u$+Hflv3-SE|WuxS*Yoi+h`M%==MfI9N;=?8b_;fDMAP2v2#?(QNptqi0Ilbau
z(TII+gD9ol4P$V<!Gfp<79}hyTi?-f>3!b4<h>u+iYMp!D|so$!~(twRx&Xb>7sII
z7#A-=SsYAS>ifTqEUF%e?JP}Yj|D7Tp`vBVAN8F#7$q>@4PB6Y$)~K>%pQ1i<BpWO
zbSzT&(Q^JcY|DADIDR2BU^17r(f?gT!&dR8UE<2&H>Y!e+#9+mz{5Hhg0&8Kx=RuV
zhQmoXIn;H6pgp5XUVDDH708`D^NBk(b-TA|jgVYdm~0ys-RQrjH<w<A28iH7qN&YG
zoj+~qnnI9TCVBk2U*|g`Ar|=PF8?Y0UH^=e3+y`Ew=0+ka|sDY|9p{EH*YJO_+%`;
zQ|8YMnVS0Cz>ZutB!I#OKMcb^n}hEc!ATcMux8Qz0Ai!m|K3S4Hs}1##n!c#xQkCi
zfoZ`|X)>}DP9vvR2-W{aZ67!~4G4Ua$k`H>E97FF%#Y;zdgf5|m$K)$_@F@G0<Hhc
zsOg<0`KSB{pBv6B5iqj_?_-eGrRS!W>0j+<J{WHgncD8F3%rYrq_n7d#OE<lYkl||
z#R~=Vo%y-SNZ1r%VJsRrq@jreT1LQwtI)NQwhjnO6&_mrTTR}+^Yi^OC^eDEwJro)
zIbc;2rFM|9awx2qaaCVsgL-Fi$g-LJCm4UnIc^{fX$JO^qL5x!s2dSx8?te3L(TRZ
z(pTS>4Vr>+txUngZD2dbY%hE(Y(1#}W<|#VXei2Q(_cU+2`=k0j3fP1ll<4!_jY5!
z7Fj+Yua_U&r1#es<kj7Pv>Q`!=a4TmUKU*i+r)#Irw%_Zm^mD^S<&U!yxtD{2qVw#
zmOM(w1*~}#6ly&h5EI%(+fsS%C^wC;D9vVyZR@}r1bm=w*FN^2psV_fMEq0Fri}qm
z`3;PJ@7gJ~BQ$;t8CiaK`Zc&4j8jc>!1Jc&vUTAZK~fX4TjD?>6lt<zqjS)=RoB+4
zC4YmKm(uj^a>3W<$^F~7)HC$+g1NeF6+m)w=cv6kulg#9%8Okt%6^*Fq$2C%=~)go
z1+0btaQGxCj1)~S;^5RP>w*Fa-P8Ngy)!x+HV!PctR}|KD}BeRac3ZYnFlXc4g<~Z
z^9!f8+uC%j9KN}9)XuVoJ4)DmLt0XJ+h2h2C?07)=k-u@z$C0l>R-^xRCTC8&1&*Z
z^_B|tf;x-afa?f6TFL@hH=NY^(^pp%G@Q4+ZI$NK6NH%H&o3ghfrvdTY_QR*P(gU$
z?~`Ks*lzSozi+{qg@RPN_w~PIKB#QS8N)Z__z2rP=}`i3UAj29F8eTV5hiA>u$oKW
z3=z?=Tj_$4`+uAngsgMFhzL`bl23{iKxlT4AzY@m-*KXgcTQp@`7FhHo(wKP5sT)K
z@yd7NYQ7~<&Zm>k>Mrj|w<w|F7j^&PQEFDxE>vb&r?Cz7eoxT=mIyWtN%-(X{TXmQ
zJ`KgZJyB76+2}7u#S<z)%L*XEI6w3N|2+G8JRf^*Hg-BWl%#!HwC3~Yivx?|5I^Xg
zWA{)$Dnbuf&OkO*kIJ?}{9?9r3c+>O2;{0RmbCfKPYpqVwx>aoK{6^qed{nXQuCD3
zAV1Xc=?~XrYAjFyNJ^Z(K2u(TKvzyRHW|hOhoxYR__H+Cn@bpp#rsX4S;_ba_~hV|
zAX1?!;)xy!b(b(OOZ6U`ulewHp~FiWqXpM3f-pe<X)++<ve?L8y^l`b#wAbD66Blo
zhXB4Wf)CLXN){-XdNg_Myf4(P@ySKNJ|#}kVz2I>To|bN8Hg2A+?^bvw625pUIK9c
zJ)k@DZE37uPeXfmxj}8$C@OQmiWDaZ5g+2C|7d~>i>buM5E&oh_kg8<z|1;vdX!fs
zFy*r6_-#fmake#@-p({`Ud~e#l7n1;bad)1<Pezvz21crEtLwN4XjV|*3jh-IFk;Q
z7{ZHsw*A6*(|pjdpHkgb-{ua#_1pk-%X_0>Nacl1*uJCE#zx0y9nzHI@*IDQE2QGQ
zZr7(A1iJeYx=OHStwG)OI6z&Tyutb?>y~<RoqFc>ZHfX!<+#zF2-Wnp`0b)#rQ12d
zW4^4@BokIU)Xds(CEQaL!puY{u|qO?{)Cq#ze6cFBy&JdF27QTo@K}P0qMa&2f0jf
z&$wu<MMw$1FE49{GgPYRU|Axzv9Zv3{8vLTPvJeB7ByJy^fVB@#?k)4y_cCCvh6Pe
zSIc`W;Z4Fy5J{D2`@;)o+J(xQI&t{AH^cAZgc6{zoL4T4nb(Zei_0>Bs{G?SR(ZxN
z{otr+|25HiM2}6E;AyWNUF&T;#DeEVEk61b&@(EI&+;Q{`CG5Y(|p#`I{D#sTd~mT
zOr@8b^H^m(-%FtJ|2Xg|3R@IAnx(Z8?v0gy^i5@!)c({IDjjyI<npo?)ZG!l@_1kf
zNFm>^2l4v>Sw*x*DW&<I6HU+Oz*#q#_jRB;WS_wa;%!&jIWvZbR}wDhez(>}wp7T3
zl0O1Kby-t?M&e*HYW52n<<nT#PED9ZcEA|numx<<ChmY$x6pR#phbaJ?T-TQq8|t4
z+B(AHyQf79)|arEzDDVEVq%+6dP(YW^+}eoYIUx{|7mFfAgVmh{LJK3@ILxdx^Ls#
zzOERkUiX_xW4&eSyF=|zBIbrO6q3LJNvK7IC58$EF1lcQ{?o4WMma|{*;|fpgHOJk
z$1S<1IZnK*=^vleS+Z;6{b4y-r-P8$%ct@8Hqag&an^aU$B_w%?MhGEl{iqd=-z5(
zNPe6r1;c{mNr`<tKjjEzWUBH2lT1Enj7yiztM7fi#kLrF_@gKy0OHz5M(y*pY6GdL
z`o_k2zvaEZsvJ7_>gnDyF`m~?wQ!<XPkBGuwj~qYDEBMJlrd}vN<m4aQrgw%vGNw@
zgB~}9Q{rObW{;)w`YXXaQ;FHXQ5363bDhQ@;rx7KJMs{uuOC~xHrW&)@RD05X{-*2
zbg_5o!}rx$EItBP?9PuIAbGr2r1Dz#-i3uzpQr4g@!S~b=ea}O;2^2Y&F@SfQ6`}>
zU!~SRro>5^+|Dgo9}^~Q(P7@VM`}gLyq~E4xQN{T{e|e)-^C*oBvARk?}4gE_dp3A
z3r8a(aM?(vSbsrH)0(W?@-$42sK34R!gry<cQsdPsSv#wy7YeYyWp(ShR+WmsDIO3
zf_oELvT!dU@0;JvjYPkV$ZxVmXHfObPY`A*ewYT|I{I0Kw+S;x=b!5mV2DYN8skk$
zFR%%EKX{Pjd|euv7ksC?q)o+|D`@zO3qqZ+pMfI}pT+IP-3im6C^N500?shuFwQ-7
zU>k_MrDHm9xWA<;A}01y$Lu5w%HXhu-04I7fABz-{+%6ooKyBdMCUEG@4m0#dr$PY
zw;lgLki4WY0?z5z?uSLK>VT;*!*5tG_Ut{Z@92j`SBzqjCe)1=*fuo8U3MLQa5fXa
zeoP4n>u<T$h`R4}>FuLVfOJbbWVaNxU;X;-49;&+E2?;uN9b$I-?HaIv@vzHghzgn
z@LG{rEQ#ldx0`(EPEWvK%{o1Cc|vU109{Bt_21<=6l!jKQyvNzwB93KYMhReRzkXQ
zXJQI&KSsix>ryQA$EVG(I~REtA_KSvq9ZmB%k6BiC_d9Z?G>*67yY+7lx(h^g5<Lv
ziC9a`N^IYqc`j?OMZ2QvCuxreGY%bQE>z>8GtBm>G95-}aEZ2Lh+k;Vc(9h{G*0`)
zrWCkkh+TqSH-ETZ62V+3wMG7jz^2zy9P528)B#dWqN-g6I6J#6uW)nATs@hQD989`
zhtRfmnU>O1x2koft7i|FiEP33O`l}*&ihE%vXJY~U%<?^wS6!!Q*h}#k(O*4Kp~l(
zjfH+5+io;OdEI{CL(}?H0c&<7NC$Gs4{`kq861AIUF{2Svg#8(nCLM|o=Dr727m$>
z!OpDD*&tuQ)p0*yS)Zq}C)8hg2D%i(vqiqP=ysfND?}&8!sm0-Fg<035-sHuXw>4{
zk0ggi`|qB&g8dV)0Tk)~bsB=T($tbRnN=HMlWn0_p*wY}LJxCk@}NuMkT1h_#>^?u
zo(7>dii|@xH}>inb!sbQ7@5qObv(a8Iep|~`Wn4bJo{|*ZnfL{kGJzYej4aiIiU(l
zOH=*U?TWdiV_UGCR+qZR5_vLEGc3t-{(;tt0{4X8#CifLY?1%c<^D9eB^){zO=Z9h
z$&jpjvC<$)XU2anB;5I7`Xz~}ThF;9I8?)73mc70;qmTeIh{Yu@0Pv4!^<@7b8yJw
zHQ_SODGStBDi7{EJ`ZRP+n+N%voIIXA#U4ZwS9UnTZEWhHj^R5$Y3rhn$c}PLpl4m
zN-L<7Y3Z=}ac+z+{dHBORBFRFVk|o_;h7aZRQuOls2ut@CdLCZQMhLaOd%8h9jyPS
zsYe3T{w&Kydbn6bR*RC+-of_qjb2-+<t?o!TugF|;mE_SuWGZZ+g0}&tQ%riD<(0w
zLX-C>`#jtW--Oy4lyu+fYdZOFwg1^Fp!WZ9_6?*kde`)zSU)?=4?l`U<BGC1(&fDv
z#nWrt_%p4&KS~<?6<+5)s^^sPFvcu)WX|Keqd~BZK;wpFGY!r2;_LA?g9Tl5KxyLW
zoytpT0YKUg;XmU&8Dm9jz!QvLE&{^5;`%^EKBW^)YmaXTXqxJ!X{7guX*BhR-E1Q6
zIYm$D&2Uvuc%@I7AbY|JT-1v~N&dGnkum48DAqsCb!iuOXc1Q@t481zrED`2<liWj
zsS~urS7V~t&+F%o!~D6RE&yWd|L|M3DaOhx2{lkoU(N6>{oB{ba=+ocBr6@UBv>6-
z=%f?%f`TXtR88G!T0jpoz7)WgxqX#Cl$`tHUV7brU5_dpW?Sg+gzNf3XWOz{`ogC$
z4q4BhjVpdU=`N^`6~&e<Nani9@PA9z-<+bHK5Klp`Z0gVx*%a61=rI}lPxH_rLVve
ziW05A@_mvcNPoH3gJZB7w{wrrrmoWap|`n00iwLHy1F`NTbRnlBQnTC($+<w@q?jA
zT7%HTgBLL)v7Wrc@dD~k0mpVVik7*6cu*4Absy?}wEUAJ1LasRTG77bgVJs2eu*;G
zfFUr3m|DShE&<7;m&qP5VsWsEBHwMhVEdL(H|JjmcwaB&kc%r%+a8)>R&Sawu^+6i
z-DSsVEiB%Yxw;U1c7^;J6%XgfEC0?mT``>tKv(p8A#Gt}5?7tw$CA=FXX-G>t|NC0
z`^4q0>jqWZewc@qMgnP?b8NiNy#mw_kMQre(O=N;LnG7QikV~*!|Z0@b07#(6iQDL
zpRHUMahNvc;Z+LT*%^_2*nht>Q+}$Rd_(&b1eb+f)9m%~`)2j`ttrFRe^I-1Onvv;
zoM7rcqPdK4A6>Dwa$CK*NZ?5Db<3+k^7DGY#e%vE`3Yp1#IV2sTXOAW5jb(*SKcrA
zc|9+PbSn;>7&U4t->2LD$Y}msJk`+-5CYfq_Gj^T#u)$Yz&Z^Q(Dd%G3*RnG_iBk2
zM;<bCGyz)|QLC*%6JMS&9U`8PshVD1|LfLAak{5IsZUXL&!w|TnMYow$&l-hKl;ED
zNK1T6-|om#tmC_#7G6-(4S}6eW@Ub>J?3Rj7?Jj5Y<QNcat9man_A;0Z$KtdeQj)J
zZs@*Bo8vm&we_I4=ChgGKD|Zr`IeFM{m@UW@{M!sO@m6s!zg`Ec~1N48V^7NJ{3N)
zy6}?tnPXa!Oth`8^t>+6^43aG^GI(kP0Kx-Sb67rituFfE_OD%XO-K7<R?U0?0#+E
z`UBkC@*dXnsg%==oOQqitn)aUckv;r*X);vh5bx^BV+h^N8#T`Evw!~aQPfwfs-`^
z%6=MXu=|+yX;~NcXY&hORd1;i2qlwdepw^WtE;8=Tb?i&llhvvURNO3y>*0v8S$rG
zokDt@JnBwK{&c`8QiT2jJ9jU=*<(O$wuh||U<f=wiTC0pU2Cj5F(yWI<KGm1cz!IT
za5Hpo=0e}r?yx2KQl#~&?rX%k<e&<k+hRJFM(@r!{iUDWd_{GHDZjf%F^?&kxMb_a
zzO;GyHYO<qQ-#CHgz2MtWYuqLLhjg|Tpre%E(Gkz=M!mNo(vow=&_n5m;KE|*??6Q
z`>)T8?@a=Wt~R%L*U~zei-FpL&~ru$#MLTiqQ=&~d^MCZ<fq%L2`%f&QdA=7)+KP2
z+599Q*6GkN6{~72R3B4W4RZga)V-N(f+>X{mLuWY>s0M`9WM$>m)+A|C!V|CYbSHq
zWmYJu8s&(t#<?r$?xah<)O~l+sHpGvMWg7OMuksy+c%H3jqALP`kaLb8Zw7eT<<*4
z>;-q#>ANLH62JOLU&*$>j;;8W=g98wIw6rj!s8W`$fNNKN0JJC0bcE?COCEITEy$5
z1NChb&&?urskC1Bybu9n>G0lv>h_}I`&T|mo+p6aJq@2oABUDZ29X{2Jkvg2tfg4*
zLm_k7y3kZdFF76kyb%Cp>>SnfgC0-TUY^EBvJ<ZZ)QM8Nno6Ogsg&eNQGl=+C`p^G
z;xXyLjNzef??;Sr-@->2Vzt^+3X5VR?}eJb!_K4QTBFq2x_wg8r((+)n4;3MCf^b&
z{Na+tbgkb!sFS)3ELJV2kZKwJqU}q-zr909PV~s%-`a8k9QNDv^z+{O(=?0>U!=`F
zzdVUop=oXLpc!l`Q=I0|C{~jFbo|*^a<ryi4c$sib6Bpw+es61=J1JHHY@Q+;|8z7
zRa=2xrI5gtQ;<l<($DNi;+ugxp^FsW-pW#^?lrbN*%tI0%IE%-iBwtktp`FX^6CyI
z1<$B7-9T44)INM--9qC7!J3o7crGZ{kqdpGqvhYMT)~{#W51e*uIvrs&a{NwErhjZ
zrb$DNAVv7+qZf;cwDJ0*$u8tY^v`h}rFOD8bKcIZ!cH!mtlnSUJCb98*4wk_@|FEH
zr+xM7T+SUL>t=|?7tfw?8VZV3pEx0&9~l|_*4E&}8{4aln~cP%k!aZ|aweZFGJNxJ
zYN@|jr8azzSjl_r*3yXA5n~GyePkGJxoj>|rhR!}F5KH$^i*cc<#RWU;3%VW2tMRg
zwp=zq`=YzQzxyaNPxJD}{RZ%bc?q{<ILl@Jw#obnRZw0p`Ji?yy>_kWMWozd*j;|r
z5&3k|kUcLEvEt2>wd<ZOYIvj+XfAh2e>zWZt(X$(!EP;;6B#6~rde=+%;5-Duc%2p
zP%AoI$-dL1IP@0Zf9>C7>#ISKS)40$J#GM<EAZ@C9c)Y4z3bXr-JC*L-2jdebv&)x
zO?dvj<7)k^-pAEfg6&^x2OX8zY72`nns<K;QkkvEmBxPe30|!1A6D5t_VXkpf_Zh|
zP2EF44-veFBXX2XfN3PwbDZkI#;<}iU*;rDt!wSIV3K=tf;rfpbbTKAF#)DHUKg6y
z=9k_G7tNW1hN2H{S3W#$bA3`8llv*a)7vIxdf)^E&Q1IbQ`$~$$<9n^S<aX$HK@I;
z9-}R96lF~rQ`$2zEpN_Pl+(2OsKVlWFvs?_oLRyH3eC0D(qlr^raNXNFtc1Yq3){}
zaO6qJol3bKD5<Sd$iSG=ra{-=*#+@J+#M3dyOg;tvUO{ejVG(9$$1aQE1vuk^H=!S
z%ZaFa4L+H_A1a`vss$XNQY$WQd`ztinOBA7Tu3}MC94jQj7UE>g{%Z}i6h-78VhSK
z7ESq0UhBEOnu~Sf%}*K-aa$REaVyBZlfqTWIhj6%?O)+2SERMT8%OwM#VcNj9Tsbt
zqeIYoTdaE*3$NN$BY9N5$b*Tqw?{L?z&!8=EvVm{07-kCm^;a-#i~I^{s?HEzc$FM
zH0EPrrM#8C!^iQH5T-7dt|bmisk5g~-SMfJnFIB<P1Q-SJTSR}#4_I=8~-#n2d0Sm
z<k*x_lr-ZXI5Ap<9h*E@79M;z!k?r>d57)(7}XuQ7ygXF?K`p$zCmWAG5mXr*>jh9
z59Hn&{Xi=W2G`BM8h%t7Vk6$J9Sd&z-`psZ7AU7}siSP`){{Y>5kONBF9|)6K3x-(
zap~xDnzWnL`5b*nFNcrK-=Loi8oG0(a}nWYjKSx2>fIQ^ccx7yu1S`1L{x^w;g@o}
zI{d7^G<$cPE9aq{9=igKOa48!3?7{qR}yvK;(vYnIg^E~Ak?{xWit*)U1wbRhu?(2
z$&m559=p0TGIgbH+((3&U#0tFh|`c-=Y-Aa^)-TzP4<Wfa2;$kwT!>y$ort`wF08)
z_Z)As^odfMp6fOqd42&JuFXXaL|G3g-JW{n5eO(~)qsZH7-k-g=bRkMNx&E9jO|sW
zB$rEIcVO0|jApj0*B%$UqAXRR%hbTI@XR8jgg<W)(+7|Ze;$HL-4!!H4|@2k$?zpl
zwx|ABx~D$EJ{*#42b}!G1EE9a^Zl`Cy7N6bD=x@mxn7|1{TamT?2yi<WVhnj51h`l
zY9*?7&&l!1(WUlEnj8B<?leUvPfndWqqt{%YT?`x=j8Co>JJo^g5!>_v))NT!^4Ky
z)OLUB)|zOLYNL5T$1(P=M4mw4Zu)COvNhSt=P&Cc#RO;%zDdvc0rh)n7iQWcwX@zZ
zHt-Q+xNf_)j{hl$Cx`%GJDWy7njPFge9-Qy4h*&reqsH94rV<`>(zDl+sjkoX;gN>
ztagc($I^?TpMwJ+PR(p(jyI&J^7u3enS)_gii61-_OZF13wfYlDIjV-ZXqbchyMAh
zAf9kFUK%{`<c#Bl(ly5eX<HZZw=pJPMWM^f?GNMPDr@l|(zRR&Dp#d$Wo92!FGlnK
zeK10;BGj!noqN)D{H8*82fV_zEE~xrx)+Y0Vbc-tr~Yd|Uj0$bh+BTxyJsFs**Jz?
z41VN457ORrYuvqIOq6yXU!FZl*_d}v0uW|dN&%~jWEZ%66<2dy&1&GE-(0Nx76+LH
z)0OuENsY{1=@Jh}w2lpg1=s^Q^}~`5*F`Z=b4+cmP@GuzzWn_@>Q>8vFhR{JZ=e7m
z&4JyZa{yZbW;1Wu=-PRk4|tz%;WaU*2gLkphK(jmmim=VeHg=syoahKc2aaPudvRT
zYs~Fd*TK+Nq<8HHMzppcMHBt6NxZocY`3r4(vvpfX~o~WQYX)Kbm{6k*N52^z<b|i
zwgB4Qxr4|dgOv6W&Ir^!B4`Vg<f6YBg4|;#Sm|Qe;AFRta?Q+6uBBn$@rNtwhu&`=
z!W4wAg`6Fp^GHe3;kAo1{%m+1{oyglhzp7z_JDE!s<J|QV9-Z@Msy7NX(EiCHJQ+_
z4^IM1U9NNpH5HWn(3##D=DGNAS>$5gT!`3P|ELif!Ah-s)?5*=#Cyg|<a@XYo62y-
zJ)kM!C2bn?xt#&Qzx6-6`RB(X4aByY%HJUzOj*UhI+1r%8?!Ddn51f&H%MSeR2})A
zI@A^5xecF8KS#?Tvy$wnmN*vyg5r-#Q}yfoaZ2DLJ+#_XplrA7@^99hw%7PmI-(f<
zM|sGPVHLOun!uMz(7Zp4r*Q7gkjw~)<<`FVlpS|p)#c3o0WFOW8BP}0X{!WYeu}gk
zxa<$+bn#<XrFl$i+w7e<Mb2h5Kg&<|Qv+kYswpHZx-gPr$@g<yf{<mRLX?I!g^!cl
zU}H+TcD0X_yr<ubC1VCbFZCSO=3q)Wc7>i-rS=r1>2+AUlF2lm+2xRnWhQaP?piGD
zWo2vh@lkV<yw#ULMK}=d$?31oHUfR#W8E+ws=ZL;i`dXVod)N@3jP#Cr+FK;_WZz>
z)m}TWbILLI*d5wL&!z7MzIzHHvT})iKZxHwp7~n^5f(dER4$XTGwe|v&I|^QIU-40
zAH_b=p`}9-52kYhUSGai6~>E2W=jk|y$rFGz2gt~2p0fuRLY20ZPswc%O3f4o(w}g
z%2hr0EK~1uh(q{&hT@(I;_f0<!W%r_GRz~455E`E@>2E?pWUy`mmEWsA7reC8|13~
zvq_Iqz^w1;h5f`EBoY_q?WMSH{bXbT8LQBB_AA3l7n{o@z>tcF+t@4}9bOjv5`{UO
zr!xQ;Au!o!^tg4L-ApNGh97x678!fElv0~`p)f~g=*JbamHpBx%9(}F7V;*im(_mz
zE6}Tmx<Xc!uHvd84;sbR=V1Ek%2|b8N+&XsOFz@L!aQ&zT-Mqz;RK0O+4<x?-AgpB
z1N=k^>nUV+y=c~lB2_({IxOPB4B6<*i5Av>$!0)}IhDP3OqZmuR6suD=rrWF*#BT^
zfL&VI`sFfKeY<g`_JJReK=gr3qxX$tPNGG>q^<CcOKDGzR+!JmV`$Ie(nWKT&)`MP
zSYX#W${=$1=5tBB-4VuTlU!$iiAw?qIPNgd2>OLGg_rTS&qSF?b^9}+FtR87&mIdj
z8-xP!`KHBvWYrs)T<73F-HwYx^WHlV8zoo639W&<rpE@)fnHP#;uY9a`&VjPMIJ-A
zx@&N5nUi}EA$y_iFXfkx4(A*eqPEGT_2bNDIHJ8%K9DM7-xXv^=sWA%%JcqK+Zi12
zYop=n=kaR33D7wCq=XRC>_mfa{DokkBsA<wLZLeopTax%DW~JLUnx6w`YjHXu=Zpq
z#<K7;A!0`!FO`4#Wbt-oqN##@wa#nGQIrRKw}h!&;{>gCW4dNl_lw4ZhM}Oj4<oFj
zeoeWpguG~Xy3Rd#i+~=x&F7<Z#|CpM)|1M!dTqCp|06NpCB!ib_icMS#cPDol66{J
z3pcjCg&R#>C1)4g8PPC@%$H8rOy}08Gmo9L@??1Z^%2$9?_&c_wW-2kg(3%4c!9=Y
zWWDm>R$$OB=51(Ne4iLp8w0NmA|)|<>8T?YR4qyoEaB}VXuKBUu{O$nE@g0CVO*Mf
z{=o&z++52iHopV?GXFth@sjAQ!&|LNkq%eZ@G`-&9ZAa!+mvJGuEiAIE)^wFJAwuB
z+$ZbE@ZJMP#GNleJvRUV@zT-l`7Xyw!{6`i9_@#UJeF`&U=T|WgUYf<%8nZGB9Sx5
zH+M_Ww)E^-s668u`6ihL@pg74;`UB|xnJt$6{)1Q4HD7#43i3YUlmt95T-jfX9<jF
ztHh?G7#}cWUzAi{RKDlEidxdD1Cefb4Jw}m;g@ySkW<n4)iT+ng!)}zD_BE}n3q;L
z8-D!AD|=gQ%FseCm#=0;GNJSB8rRfJ=3DunY7(#4kDWUHRmXD6__slc`p+oytldW#
z(Xsg%{*8S+y3_<-UE!5tn(R*DeR_OIYXa>f(rg@ME>g{$xO)m(5-e}w6Cc4@yQ%Y%
z3bQAkUZcU|hK)vngj~x|Bpi{VB(COeTTWf(*d9FaR<-xjVFUJrh<D9r+jAF&J3FtK
z(^lUTAd$V!YuR$oe*ou~k}In%8v|XO?iz(Cl|w^|Re9`Z;SHwn&=!a4!zhtRvifD!
z3G*cK?01*=7!uNx!0MSpax2}Mel_ATVMg65{Yp+O9%PRGQ-=(uz6e8;)sHPQ)AdaK
zG1C`#M4p1fC#Qs&xEwRZmO*-F>9TH7Qp&5O#2v({6#^tXXHThTOr^=^=mirR+lbK9
zUj=2x-9Zr~?;ys`pPUn+Z(J!V&r+JOnT%;!)J-Q+fpD;3=5P-|pVNURQ>wgHrp?J_
zjL*Mb&Je7*2n}l)s$QLgc_JQ^8H`Non05#JWuf@WpVcW-^-<aG@z_Wwxn<@g!$?Qs
z&mO_*tw3E6N7iMxOE<!rC$~9XBC}w4?z>##`>aVz>ehSa&kb6G17WO<R*bQ1Q2PJH
zY_2}Bhj>rXHrj2RZ6unKP{ddQywE7<biLTm>Zgs9p%%q;;hYQ4UYX(yOK3ZTAknTE
z#!MmRaK*tPDyu9mmB}m9B9n9>0Lz$f!_#Ty(S1D5phb)XqCe*rEjMRPjGpYfZcISu
zOxgaRyoT1**|6}d8~wwjxv3TT{O49zGPM-_pDb*P1RMSps~R!c-nNf(LMI4yC}JJ&
zQg>P)w=PGu`R2;WR$nNg>65;Zgi#{?h<C2$6isHXzd4$`uL81N&&FCOwUth?n;y^g
zvTGTE%$S4AUX2utd|cq>ZG3P^Rq`@zYmC9&wGFq#nO4lCj2UftvxJ;vl6`rY%I%mI
z@Lm9>1&nv3v%l(fs5H9M6%rc>07$+WtNS??PseGI&OoMzp|Ls(QC)D&vIpjlvwYCO
ztpl|2tzhsV&&I9eF#SSuR#v(TGOn3uXXz~cO8N!G`kBrULO>gEQWqcC5v2BNodyP+
z9w&97|G1UgrP8MVLmVp%o~YGBhDqusL{!p;YqeFRaM8mjhS|HagU{c!;W4oQq129Y
z$N&YPNS!F4t30*Z$jsqE(>@vdDrWG{V4pz`#e_W)nq)h~(_7rNPfXOh-XTK$?Pw8R
zgjgPzN*DW!*L}9-ZtUDFQg>lyTd6sc0_g3M$$Z?xboh5(rsAd}uQ5Zx5~kgYx<W!s
z;i;z<KB$KBIlA&e=~GL<X*utxWCV<-Hc9s8lClGzZG@+AOAFCF^cHhULF=yId6Jam
zt$jJp>`V;nc^isK%PTw#p=C3<Lz74)k!@qj-t8~cttNYzw}dXkz^mv}3<lbgm|~8e
zaW=E^M6QSu2Uw#J*!t#*5_cbPIkxP_Even#6Vb9aY{8mchuovT=kB;h{)alXn9A;;
zUGd-m?g*9QdpUB;hG$1EIfVsOPL?Q~gs@6=E5aZw(Tddu{PKlZs6MP6NQh)v{C6Nz
zYQ(2xkQKnOMzwk%&TLsdQrohiQTq7v$Hxa0$Irc~<z%{FV^e*v<@jgmJ~xG9&BNl*
zqp9TgPM=z=2R^0_o`6bb$}WyOx=NNNC3g+&yr8JGxA8VlnQT*1g_0uPUo4i3E)yMB
z%FWHo)F>5yKvCHrHF^SiKKGJ{N%5F6(f!2@rGK_og-AC`criYfivINr3fqtgdDxD(
z@Y(4d+>~MvCWg|1#dQVYGUUHq`LjW7BwKYk(Q(_(+_8*(th`Yb;Vubr=6>8V``q@Q
z>Z(Z!UclVoa!Xj(L<>YzVRMgeca=i*Qr6Q_hmLG?tr5F>q{9MOucIsULNJHtED-x#
zWw)=;VYQPR_vg7Z#t?&G73BMCob}a(zG^we{7+2gLxM@h(ih5&p;G4k(q0*{kvcbz
z1T8n;HOHHv3=|`VIlC>^=9y!fB65cDB%89>a*m%dpRM*4Rc`|*<wmJzhi&;l({R`q
z^uVoR(YU1{Q$CGqA!vB=^-`^9g>IJ}cTIpqvP&*?o9h*~GA~xYu9&()@d#8OZR>d0
z{k>AU7Jw{tH$6Kg&mwSR2^6_tZlH1eGPgUhG~=BY6P`3v8YUsb_QADXyyOeMI;-)`
zMd%R|u6yZ&YHW?eYt@*E;pD5(`1dJJCJjH`|J2qdKq*hdO<1tYoRFJpxbbjh@2w~9
zixe58^NrK}1Mcm*vFtA3D?C|JXCYd*2GxtiJU3B`WsJ`aJ5r-nd#eWWQB>ygQrZ=>
z=6Sfe?sZaBDlt`wms3<uZvCvZma^UE)C*|VGP^@%C(>OLYejg4l5S;=HtL;8Et4F%
zBovA1HmI2PMuZOSm`Pq`q3-i(X}nzkGE?|#-kjQAY`;oJ^|Q4pVlE`qk`T1G=}cv3
zb6)5e^%4fWC(y0L;)`Ap2Kx+!-ICC$+o8l8JE7m<a*vs^Y?RU>h6aM4qs^ED9ZzRG
z5zKL8Fr5h6qfK@bEI;7__VCLj$5MabE+?MUq^PV)e)ylml2{3u!HX(-$4kuCD7q;=
z4e6LoA#ci3NG8~qhZLXZUoKD%KJ=k4P14x2M9zRiFD)eAE0#MwqiYa4sdYt5mD9u0
zC^qmiO-=2mhYaC8T30Yr*GqjEV^dE-MPP$?UeMGsIxoIH`^uC^{s8K)G<DL}5M=7p
zjFmr0h#A(!=H?tc5H6;xl*_2H^gg9~rPOP{g9l_awl)Rt%vRC0&cqv1x8Cw{taFh2
z&&BT^6Fxk-@5U4^?~zv?fC*lE_G(vfscKRyWp@V1VlBjXO^xVzJs>7KP%#a-u0Fxk
zX3qZSygE?qQk{L4T>C9|X^LrP1*iX@?=sthS#HUpXy@JEXpG04PcUrY@^2+Jn${Si
zQf!eYH`9~$=yv*Wqx9th_aLW-3d}oA!{GI4lQqlWCrzqbVnHJ7=F~M~lBfcN#WR$2
z1_y<^9mZtez{`poDiXn<qa28#t!D;}<8G>7`#6>55H<60966a#FZ`c!GbJcVmE!CU
zq8Z5Lx>>j4Y`Krc*2?!3(0QL$VPWFt^Hf;4%N#C|4&$><3J|k4@qX$3zN92d+|Vk+
zS8m5#{%5_%6PvTF6T_t!-<em<8|dkY_hc%g1m)#XL(Q-)?NmkI`BQbw%<)XVASXjH
z`0&{=vy1E%>&Zt6!C*XuWA&5B0+H`?OD?bnj+9%8PmxQ!v_iQm)Fc3Q<1Tb;v6E;s
z`VKt|UV}A_n>ay|2G0xLWU=q@=W*EsL7B0uVu?&1bD{5O8()khccmce$~h=Yx;7Ju
z(Ls>Y)9g<fr}`H$m7QZ+F5Ih~(mn@3)H=5ffrqUBN4*Dp%Igml>*r)Da&<Npx)HbP
z6-vMPy}tVsL?5@@Ih+ihy)s)X81!1j&$7-liXN`mJ(vAv<QU+|&o-H<Jf3Wry6!u&
z49t{9+~EYyK(h$%3s><Vw6^_mE9+fn)_<;j(;R?3`GN>IaOb@m+KD)M13@)8h0X+-
zz`0w`#fxl?GJ#|MoeBK#pG@G(=E$%F5gX63%U7g}R{$H^-toTJT^*rNco*2avfhiz
zy6=dsPYdP@)Y!D!oQ6D8j_pPKPpsj~kz5}@tanU?Zz~0^ze+K^^C?DJ2Ba%^OBoyU
zeN3FPK|D_rZHYdLbPY<{trLqH1A%Gt{LQ@3(vIKWy3~=@p~N(~FOF~cGAp0bEw|y)
zBYgy6w`$6S|1|dyUT~Z6tbI^DfM;U8?M~xlJRA!v{DiJ7@R`nKC3p8%ENh>WW7=~4
z10hY*U8<)0XH1Twecya2#~Ws=5f?yAZZ7cRM_u-s6rQhh+r3Ogl6T1qwV1R%kR-kE
z{k1`S!^#kc-^wo}+MI^VaCft%ZT}b#cs(Svh5abT;)o$!{JEjZw!U=;^q_Z=#RUxF
z`4PoAcCYE5&M84ZiZ8Q*11vjd<N2e0gw}}RK%4UWr&Fq=sg8Z@hV+0E+FNkF@@Ndv
zB#mhNKcDeWAod+?ZJmWSI)S`w@*#FG|EAGcqkmD#RF#vL>tHckX3(O`nX7NNMr#)t
z8iO`;{T{T@43;(Pdxz<6+NcjrD&uSuT)a*o5?s5IcWE=zJl8JnRQ#3r?UTPCC&fBw
zs_t4fXG{iH$bk5dmkbP?v{=?tvTu)Q{n-xv<EoG6lxCJ~6f(wYJ-GTSUe%6hPppU+
z<}N<m+p(<dGP|6`JMzxMG|egqZFc$2J&eC!Xo8^!zorDnO539-ai9j#S&VxU^?8Ui
zh1tW3?MTR!vB#n6o=omX5u2h4vdJtQ%N0$8O^=h;$%p$i+a?;nvDAV9!=Ml65&mxg
zC1LRKUkSMRbgx|Sz;@)PPY?RqqK47M=gzrlSMCgClkOh=wvU=q;)QG*_JRnZZ4HAp
z%>mvmJp5@sfmPW*DQ%_J_C2ff7q5E5&S;vk<PHo-6zJ&y-HM}7@u+@3?u}ko@uj~s
z>uvzcbTHfr)%%dTm4hP~P=CBZyAv$Gij@9e0ihLXozlTSDQ`+ioR7V=`*7lj<^F7u
zTcYZ`W9*sV?YUCC^}D88BEr9;BX4zpp^y$8xl*G}OWpdY21Y*-YN9xy=qF^Ye4ka0
z+wh##ESVT5$b+LIgC#LzMo}r_EEa-|C#@xZr!=#*4<=~6h;*QC{rLaIL?5o%tnLRd
zmBBecYA0X!mf{6odCxP%-{;kHP0DO?j{IeL&*lcbRwRSmdV>A*HqLD~opb7&DB;id
zbUQF4_p`-$=$N#+vRZp|v7dk}RpDe^cDxc*a$20!>t+?d*({{n@Y}vT?XO3Cb!Sh{
zyCYxd6;MGDK!X*a;0rb1)4u6V?^SMFj+tq{{w%9?9GtbaoeX9Z!F9ryAQrC5VZRp}
z(_rTuIM1MeZeP0wxpVbsEqu`GxahF&Nf?P;!lhAQaAUv-X?lR2ShKzCF)IFHJ6X=7
z9aym+@LZeHQjb54)`l`d04{V4lE3Xt&e071*OmbZ=;tqT|4DRk82$ZY05s~uNmfCX
zIW(DyOJ|f2d-{HaPwM?^Td0B(?6@Y1t7XQ_c5{Cdw_`N$lA>Zcl!y10F)p)2!YFtl
zi5Zz0=JVsA`u-zl1*~7Px9P7*<V?{1v&pu+<WKv7T3uR*q^ORbjysMX@+XD$xkck_
zt>>cw@u!nqo|BOQlXV;BWh42}tN6~lUlO&t3Nn%_X<DrU2m}B#{}zK-*xfrP>k92(
z?KrxcS(qp3PAKWW>-X_jz^)^lc3Ow3#~E~cI!a<bwAu9dOofOZQ2L*5|NYB&ctfOX
zdqokD4)kKZGJ#>e4*juJNtgjDyA8z{t=mOuM=~ZpHN65%2`+c01lLGmS-kOz=r^<u
zg8PVD<txZ&l3f1VTeT+7fs&~|8n7K*S1<4$hB1iE^0#j`X^9?moE*D2Rv7xkCDhp^
z+e_vp2`i!5HLz9~|A;UG{O((kOV`JQxX*aG?SR82=HeJ${a`=4f6m&pZ>AM#{stwV
zoJDp~Qk5RUz|FAf6KP>-q?5WYr^yl;htmhg{+X@6=_=EOBNi5_2P`aa*O6gW{a_Te
zkm{7hfw<AI>uj$rMf6{t*gp8YwXhuxFBIXFEvQTKe^gq+9^uglOK~(}wL@Gl=Rec6
z^1l6+<(5^@UeJQ0Xb?T!XA8Myj;=4Hvf0;|JE*UmEOe1eH==BR0FWqAM8|n`Tt$jn
z7D=Zd;T5q!?AoagJrGY*3#A2a($~NgtuV~@PdebG&ZRD6>F=^Mm4*DRLGf0qS6OJ^
z-TLm*<BOYF%1!=AZ$xEZ#-H<HrgS_BJjvy4Mmr+jR*_HF+8avPWj`rw88RFsX_>t;
z;tXq%fmi~pPdx(@l)R><Nrhd@DQQeZ7Z4xyb7+aY6yK0&YIgf;C%Z1{^2+8(gU6sr
z_Qnecn0J)y(sQbYQAK#HSMjeCur>6h5_JJ2OGX#<x}H`iZcg7+=6AsZU+kb|a<5^n
zL`*@PA?s`mfUs$fZUfNCyZ-@;9+BUw!7OM?FNBt<&1lMzHmt)Z?ELx~oE*%?f=W#g
ziFs14_UqjngrlF%sygnOxqLre0nr&HxNBfsfM2MIM#Ojz4_ca1H%Gi0I)RT_aVe#)
zCrE?tX=f&nudCX7L`lA+Sq0^7@2dbbM|?`Z+1sz6fH@C&fag1rtH!!vWm0={dvj&1
zrfG%P)4#Wo@Fh4LX1za&^&aF$)K-oh>s_3=z^?Hi#X!bg-$855A`=io?I!-IoU0bt
z2Z_m8ZgKYqXY!f1$7>$5y66g4W7I$}3g_{TXInoV>R9EPFN?)r1FQ?SY*Oc?@`--!
z33+rhqIS=tfH7Ff8tuzyjrO3j#(T2$>{K|6CH3k6PO-MvC+NzuBfT@*nXbt;`%dsE
zi>I<ID<WLzUj-N9MVOa`X(q!B?$y&O4tA2sbOM?4RXwb+b%`WrTH}uOsXpibTHi5D
z+<G9#?EldA7En>HTfp!T3et*{v?!=_gTx>xD1x9!H;Ba0-6^1;qS9RoBHdk5N(~6i
zAT@+^3_UQz%zQ8EImdJFTK8Y;|JFB)Ma?@;>}U7h&)!7Su6@N~-rGVwy8!a7ez(rd
z1)t1O@9*}NM$P2Nwyr&o+4U00p4vQ9g=?el@f9!sJf?{REb4^JMWOr~-wSn!+k8ox
z^Aervob@Wgn+$x!-y}50u=db1wiqCrSqcET1zcIlNtZ!A&uHD1Ydvjm0c4zBK3Ozr
zn_|{8jahdcFFW6E(uQ`G)Tx^g7`4<P7hSaWYh$D#HMs*SiYzl%9Cn^7dqVD0y=%we
z5Dty7B!8CWi?otllQ^ziWn65!i{exq9Sr*zlr{s|kn(((U%qOU1{7O-9Uz}#T#>j`
zRG9aDooXyA<>_&sBVv7Xt_jWt_#nqxx%A3ZO7CYCQZWxai7_3{)m_CFii9_l26ILJ
z3h$``^}m+Sv?AEPlHwu*eL?+z=b88H)NL@SKTn?NOnL&VXCMjeA5Z4c8^D3CC`++@
zHPJ|s!NmJKP}o1j@)!_I`_P~nB`|t8=A*}YVyB<=fynS9rAI(|*%ZbXaPlP==(^M`
zW<w8WI`RSvF92Q(`{{<*r~OIyfbIzbuh`^th(G%#AMcTW^g_0b=4-S*U)QD-nkF=B
zCMg3dy(X<@TdDUcWh%)z`Lx&~J^=<ScMX5oj)EpzgFyB|+2I^pT@;Nraodu4E#yAf
zQ;?uhcYb_b3iLX^jG*j7o$oo*1CW$dXQhb7CSZw{QN)aGKKD2e>H%^o$WIyR3_;nR
z8xv*S4oSO*I)PAR%UaEyYiZ9og$T`lGfkT>G$6n2PFjsKes}I#XZYlmlUVa@54EAD
zft08v$<_}TWKdgqno_4JcJ1-0j(Dn^e)_mAq4tR(&ui^dJAY*9nvC~p5cot0iY^<h
zv5FXy80Ye?!RMppXN4xu_W|oIDJsgFpI;pPa9`3F**sX~>yez>KVDAz(QUZ|m$|@I
zqHCCBOX>(ABN!kkllwRpzW%|E%ppuJv=0l8w=5{Ag#cOOZeMPc>L0a<dt*DxJGqmz
z!(}A&mDBE*Em!O@K564m?Au)R5R`|zK3~0yjEo`zYTZuXN@;CL*_B{%H7Na*XB4Dw
z(o@B6TnB{Hvmx=7)L)C-h}$lgQ8srZ77&!-9+(5dXI$Y|q;m|Yg@<n~R6W}QspBdA
zwvhN@NRnpdk{<|SUg|Vp*04jOs|mO23Eg{t8y{p74+o7)uAf2QLobLG8_4C~a>r6D
z?mYoDRp2RAq04MlvhCTD|B8UIZ8sVMH5UZiNp!)-Uo|>~`tvHvKmT1n>Zi7`(gVf`
z%b{0*;z8e4dt6IzbD*Eg^=lIuX~mp27Nh>&-wugxvzDf)oUxQNvgyCggq>~=30Q3o
zD_&>-+(9*wBfH*X0WY@e!w>3#JiZzS!!tmvHXgW`Cs%AxJyD*9pzilDeO%R9u6C7h
z`0b&PF6C*Fs$!Zkwo9&NQsUeC5z#=j+S$e;{Ket6&er|uge1Y&kT-ai&ABRB6A#nN
zpme){*AgHYRG+&3fMc}bY_{8+rCtV-;-S^hr9K)xu%}1RiM~;8TH0*+dUpMRw7Y;~
zPf4a_)#YaPrQ*W(dCfW_lthvvlwmbzjRh&ERMm-6D8|)vQAX-+@DvrwAs`m61vP$3
zxoA)APL8l;Isq>DTGg{%G9++p;Cig%N8rRboyv`dtAJRTf2sO;6U1#MzM#f4U8^BO
za0gNw3|?@-A%$qR;RrwUs0gSH73kr2`Qig-(w9i3-&6qDZ)GY#VUpa+!JDZMq!%yl
z;B>T-^)AW#UlF(cHYyHUBC&zWp_+tm@2j?G=*q`g?i#nWi{$7!_-@NJtjUht6j8_!
zX(J0&pLAasFR9Q-rxTO$!>lbok=eRJ8tk<(uFk}yzrWSUYD8ofh)2G=+Q-uOxT5yc
z#_IKzX0Nd3Tk)DgQqcO>6e`h)hQI44QI0f@@&~(T#JWzMCvM9=;P1|ouCq^HHmULD
z;O$%G^r}khVUvGfU6SarvD-97xH?-7;dF7h?F;^qpgmHJmDC!crq&!eA8#(clUV-=
z@ib-K6u|#<3iHJP!TN*!MU!?rY4N7`c3~)WMAPMqRQ{Ricq(-kmNf$VVoO9TMLNJq
z&i>{k=Yf=wl}~oepvqHxzZX&Cco}F)8s4mv%)1h{xU~10#Gjq;7c@`f(_C$G^mSf&
zw)#aoLxVs?oMMA!%|ehAo0^gWoS_`JY$;j^_@R70+63q~eFcr*pCvEv;VdpjxpL6d
zl8i6CY03*WB5s?<c9owC(tnRq8k`7o*GGA{Tj4j|7lT<jvHZH%1dz4q0%$YV0TbF(
z%ka^NU%Wrc3&a-@OtptI(I6;eB)s{!`^sB9yFru(wHcPR4d(fG6&wXuAie2*o_gQ=
zNk@n>+{7=PajCvx!uM{qRiEb?te6M8VGYiuV!ioL|2ub2gU2}nXYVQUr+}VkhiKvA
z*VDX<In*bB&vo?Jti#g9oM&my;}YYFJc^i|fDYveY#`BxJOUjLCVfHCpz-D&=WC$X
z<}r(;$jF06|4|+%h6Da_4J;Y8rfET2NlaO$FS;+`7%uEUeu<u#jUGtM(E<uFAM5k?
zg>1P^7eVuY)(_AKm|!k}B(ANlv?1c}r2I>OGwEKG5+XmtH$|XsR?&Cim830d3w!xW
z+D-8=91a!q4bXmpJY2Q>sHo=dgLN{(+3g#=g?FH)R6Ag_4MluH30EfaSrXW7iDm6H
z(2TEjlB8Z_)&RDlqfSs(AL+~ilGvx$c>$yo<TlgROPoeE&-`xk1%P|$1zXeFx~L*h
zsF-^8r2-9KZzPjqg8<Ouu)0jQe?-w7XjrKyIP>q;T#rusuLx~7?G5ISJiv&@CpyvX
znfR{Kp%(>%?ge2c5$jj3*na_T(!Emhr`l9`bxEC7rbVUl>Ed%AqeLL~ntU3P1#-xk
z;o<0k^V@cS&O8*Ysq2$js#nq^nWQwgcnmuPlsLRsGmlHvA1hX^Idr;2cvJth1!Ja_
z{;{+%d9d^bRk4;bwiF-Yg4ucYCtDB-RspV1?mRiuu!afP<Sd5js#_(?#aXR~$^~07
z@e+HMlmbcW^%E2%uYl0VZ=fiGSma6x%940|PYjx~?rb-HlO=Xn<{+hCtYT|_5&Yld
z(}e!{VTv37q9p>^&q|WPG^Zg48^|eU{8!2rhz)QvE0AuH+`U*Oek%CSZL<I2u+ts~
z)yWH`Gb@N~4^eUu13p}`iIi}lC1I!g>)B_A)PMM~dc}bXu`;smM5L$T+0dG^luZAb
zANH@wY`*-bi|On(DfKi+(HX3elU006DdJzllM(!a=kNVeUK06Fzs$cjJM<<S`|pG!
zirMpQ4Fu0-fgtHE!>|a7f9;bF&}w4-+2SR!C;w^86L~+2bOdqMv2#2ef@N_k{YNez
zV;k51v#oz>Kht(5SLP8=zsP<f=Ei$2z}F{G3G`c)34<L4Nft8;qJ^uSz$x@B_cnyR
zwRPdwm`1ylYVRz})K*i%{MHOUm5{&@?v9%(d|9gadWSD;x6^$!^1rQhX5<H|ZBE9#
zZ|eQg1oQBCbw&0WF3I1}dL-*`vsz*#T=~bQSOQAXzOu4)+5zH?D0jT1YG{}`+yhI{
z!xs&7SG?UmhG{9Y7p8kMS3dU?ZwqSG(hso1llQpi%#6T>&5J3~{?WE-`G;bzxbu_#
zk}ctu1zMPgVy&O%s;y2Y$$tw`6Y(#gIwxhOV+v{oT2@E2{~fUgON<$af4Q`eMV$#^
z;Y9%pM0Y<)B@G5T{)Q9XJ8e9ZFjR+{ghvCKf~0m%hq{lk74W>%7q<H&ssS|>)pL_V
z(PurQ)IYui)opcg72N@CjJ^TV<FXDM1als;SCwj$0+&N_P9Cyz9I2a=2B*`2QWO8m
zU;Rh};=RBGEQI-5r6~#A@&%C8Q~s8MK!~<Ilm2mD&J&=mLyK!K+xT_P?3;wMXu!C&
z5E}(0IY8Of+4nQ=G3TB*z5}Xw`Cd?(Rsd~01C2MGwq!hgDTIUc%*iCXWUZcS)R$a;
zT-_TH;Y7vIgeL3OREbfNYh)!7jBS3d!mlStXr=#jG;{&xTAn%7;OcGbQ*s>QFbVC`
zpYa4dleFD{tr#AaeKU43Ai8@5GeOf`k-z@DNy!{exs{J{HxTN;k06wPh{$v6o3LM&
zo)R$zl8hQ0=w(S<9t7BY`lh8@RJwt9tSn;8BMI{yfcG^dG{xMRzqGe|xT%C0g*&iI
zfos?K)^F&U$S9A9s{+_@2=_@UgDuM_M0caI2628KUH$FtzCWOoaT0<x=WQ4^Cs8>C
z$E3j?l=7f0iG(Q6bW)tW7ogC$4t%Ltqk-nIo*}gCIXRrRQ5&8a@(kM)5Ce}|db152
z;$PaQ->G`c)NKG}=-DA2yw69z?<rBd?iuLXcwnqV8NAqJ)*RCh7@*w1<&)aJKKK(#
zQe4o?VY8^s!5kX?;E(7d0O9P&RHK^aUHyn$*MI=S9Dj`F?7E?37}`T9vdO}9VhGAD
z&Kh=7v;`-7*+DX_lRV^kTiT_Gh1+n><)e{}AzIw-?mJEpRrpJtk1Iz-#7(~Aya{gO
zOr(?@#eJDpW(8ZO)U1+EfGRK{n(tz?SrzN^g1<pPe10pRCKKALWpx4!=k?;Y$8I=L
z`E<3!IW(T1d_1UPB3N(gqh_bMuGiztlDA%zX$s6Wol@e|G{;%hnjuTv#&UaqAMQ}r
zwENnu#~MMEBK-vsK?9l;`vFQ?{@SK>wk*&2@!|GZq`$-g5YM+NADmzs&BuazCm3&(
zo^3LL&(*NWQk5G~z9?RJ922m)!DQj5bF|LaHz|^#(G84$y%z%7IB9xOf%c*(0W!Yp
zu?3U#+0JqlAv^yRMjGP)G|jv3--YB~ax^giScxiGdB}Xtl2=d>HY{fM_}WGKK4V1_
zIa!GvR|;Paz63}}sUOImI{(gi5o;;SrwR90Pm&{YfI{un#h=V`j7rW%s!@vF0Tnz;
zwL4CMjS;B?)Ti~Rwdc{jiBQx_4|MFOm+u3Oe~2tu(6jO>N4&-P3A+b6_6(@OZ&{~j
z?ir<pG|<;U;9c(No#nR6`EcggTXn0KzKXnf7CD5w`Op`sD$*2B;Ec(@-6R{$P3s9M
zn@}1b=3*o$QwQ+ofM$#=xOhmrgloxG&Z5gVq)Z3M8gm|F+xlen18FBXxdJOk!rjvz
z9c7npPTD?SGXxa{nyx*WZOri7y&)HvOd3EGQc_M*Mt_KgLEqz8F+){jfc3UU^auaS
zCMo+&ztTW4Ty(frjU8N+mW>BvCuai+nr*f7%CwhP83_T>V-LuHfQpFg=VtB|nTP_m
zxz$ciM67SyHKJQ1N{^W?7S0u1`r@k(zbMpesp$ugI<^2Ga;QBbdZ=ADt36$7IJ8P(
zO0@iS@7L(d0pT)Ka`s~d@L>tl>Cz+PMu7?0>L$M2Ow&5A3x#kB0_W+yZ$v<#dULO6
zrlrEm*%`>%rlPzK(rJ~MO#N)~fuY2fHNaTz`B<cZjy`9R_6+@PmCDx+8E*Ag`jTt-
zBcIoVI^kPoCh8?G9`J(>zY&e|Uvp$94VaDyt~t|f0dV8r{4#4!5me+%+!m2F!qyVu
z+tXVnSvAGf@TrNoVCFSv4X}0Aa|C4{07DW77-Q36ieKr`pF#>EJvz?3gt=5no*nSj
zmpqO92E*LtS$2VsU#y8hzSy{WR~u!O%H9JSzo^FrdLU3u9jw#=CV?w~HiiIRu66fD
z{h7A8nHLbM;LT<q?Za7#A;(<(9tmh5g?RD0a>TSrFN}v$90VgW1|<BR$WI0gd;|Un
z=LgYq7K*lwDd|J}?!<jZa$UW6Selr52m6`$L*A^;@*<-J9Y|E3fr4OD0BF<5U$?j@
zeqa(md5w%XckRS^9d=RZ)2$EJPl{dyI^OU=IL=jE%VlY;ZYE3--sa+cL)QaO%oF&M
z6B5voPD0Xon4Rk3xNJ?HZFvzSsx`gR4itlL&}{^b*Qagji-q`dfNE}m?1h20_C7a&
zM5$&`J!>jAU@P*1Mw-T2&x<QQ+xS6O&?TH_+kj}j5E6L+B)xEEDOs(N|AB_U9gmf{
zJks0o(C#vAijk=qod@<kV5kH5osq6!t$>@mP*L$JV-rc+p-3JFoGh&)Q3+&kLNA#2
zW|Zu9vF0$@#cI?bIx*%E*e$swprDjq7FJavomBN%`=Ji`gF7|_aSS1gNfhwlZ*CwK
zQu#53$J9DqvM$Do&F{h{cc5;QF<0PYeSm^-e}oX@oRNt=dDZiNKr~+1*c#aLqT2e^
z3v7y*^#UD&?Q^^v4v0Pk8(|;n;>ZyjPU0nK{47CP*TutLXBd5pqhQXt*dnMeh-K=v
zMAQDn%NTnl<@KKPt2fcI(l4ugSs>O>nq>=vZlo~VBA##1>G3s|nwjXAASrDhKvq~+
z^N}><<{M@Lt}7H3b#dz{#}nJ)9s8qfB4D_GzUb)cbAYw9lj?m^_sMaD%rjliOZ^9W
zO@7~`ZtivaeNg|CYt!=E56o*hbb+LE%i&(Yo)L^@umtfD4J#b+bo7~}ubSs@Do_fL
zSC(8iiwpV0=R_Vugn8Syzj(70NIiqq7Pp3t->^JWu_jTx=awM;cD=Bt)KpadsYm_h
z2|$o)j!GtwpToPF`Ziw%mH1r->1>g_K&-D{1ugmLklH&a5x4RR5m!+G;3=*xrO>p(
zXdzhb$%2`X_Y<t!vtU<2uiaS}WU*55CapSUg?!{``BM*^1Bu9k^pz-ryJUyMbRFP8
zm#tzF=fG1_qJx4nz4s4!IW|jZ7Hso}A#kdjL!MqDY-sscK<mGB;8G?)Z~pz_0kS*)
zG$wwI@sF+926WK-X%PMYSK$Ae>E};PjejzEf4%XM=Whf3_miWve{-nc|5<xc1+=23
z{r%VPAMfS=PE7s%p9A8E;E0<K8=lIH66H0VHZ=}Lb8Qws3QiKO7XS6kb5`OuO&&G#
z%kSB=rcd1$3RrV8B*?CB6!z-@4!~calr9wh;*GDG$4^D~Ao6+>(MNtQ!(VrRg2#ct
zE~yX4d9_W7M==GCr@S-^Clu}ls<yI&{2GKthBP?)LDB@%|HmxVqIc!~T4=|`8G_M-
zg5qDiSz%-J2I$aXFq_)MKiOnI2L+Uw$ubxDpC1qa&9ppMMr~>YOz*GUE(QCL7*BmX
zFYfDJ;ld1P{5o2QrB@$)5M$koZ*BsMw?JlkffcyGDfUKrK)yY!ijU<Fkl5=4Dx)8_
zRCF5EWH6av`B^7gM(X&+UR{$`Q;&2K7SM8G5`Y-czy4>zoj~LRu_YcS+CVPn?`C-u
zQ_(s+V$7{I++Yk?9CvSn(snKrF5MQY7Jc5lC3p6lMi9EPj8h1x^9#%^``6slww?H$
zVv;-$b+x(lPJ$Ilguimf<n<6_)xu*F4W)<10aU@r)T-Fm0XypBG)aj+m%;Y;GJ<1Q
zoqTBnnv>49<)}C(>aK(=d1>yEnC4S=GiZe)pOxE-(SYFWd7fu?&I=His2}zHK4p)d
zeU+>iw#Kwt-aTxSxT^tsUtN6FD1(@j&@7-zXHI8_&!$iRI^WqR=+v3prll}~GNi(p
z;;)$s>E0i$w>B|bW+`#H$`}jA6ICE%=T@=ob-A*G<BF9#i|?7meUnAv7F_s(g!{@K
zaQO;%_)`_4XXXl6>O`wWZHI_f;}R0M-{*tX!gQQy_wMV&<dJ+ESq*6?|G3$eEkaFE
zlW_m)ch*&lp!!(}Hbw_SHa>=Nld`EUR$FB=(}P#niAx;**-btK?wFAT6BiEmvfcbt
zaFXiOOnD%?DaE>*7$3_o=2#m`CO=10ZE$k2ul4vHS>ACXuhM<EFKZs9wgb5%w(qva
z(?va2xm2vwcKnFs*w}$Q(2s?tu4Yc~Z&Gp=!Kypul<GEmft-?*1$Tv@>X~^0T-GD=
z9*rwzETN|N06)pfTA%lK{4v#9<Be?}?I637@CqF>NO+sCpv6wTlTMkvx?J#>!;bZg
zsVQ;Wc>oaIbETKY2fg<y%!GJ}CinOIK04IUjYcin-DM#Svbtte;Y&~*FalIicQ8I#
z3Y~4b<pe{3k_tGT`GE8JWOzz{AHe|X(5>AhdPH)*=<Mh3ZL-4lRTS1l<|PKo5k=V|
zI^!%92D$nwaSvbXvb4Gyg*XHEp2o&{(Y-Fb>!YZ@NBirvX=JL&gAZm}L%guvyu?&z
z+XN#B4dsUD<ig???U<;-#}H#8kLp0<YgbvwQaOF|JfDWwW((=|)7~nkJ4#VB^pFl(
z0_huXDHHby$c3$oQuzm+EU=STQwAmf!9FgJYj<eInrRsGU%NPG&*2YTLF&*43r|&1
zSORNh7*{SMspR}vlb&miDdOA*B}i>!fAl$pPeio#|HHd1cB#zH6Eh6FpJQdq=Y=+>
zIQmpDzl!b<8uA@4go^Sfj+#kIJ#*W`RjJB!0}-Va2YdDhmvSuatgnW#Q&II4EwD9<
zfOI1Lb(WJ8QlFc&Gx(85tut>OV{+NCcQqr!UMKus@>bIUY!ZgJY3|H4(!ia!JxHbo
z0cxL1s8wBRX^5ylbO7$rcNBFHt{240fnb9w>C3JyfDQ{>z{(6fF3zGNVf~w<g7R(f
zgE99&MZ23OO47NFLme)RmnI+}`?YBZndcoRbA0&2WjG^<S<&)&T0y!Cs0c_<)!PD+
zxDU>HauLm@gwCUtSr7GDsU{x7cz^S-X);ug`4s?N!@V5kEF4BNT566xXn>64-kWQ}
z+tz|Wnre@m642(vJacR=OWmqj<S!8+6upEznV=?Uwi7QFxi0WtUxajNF53?(>Bw~f
zaBQFGKWi|L2-aDSwwh0G&o*f`Co+3TucXiuT9B@<q|iuGCr;8f<9E1*yi|fzL!P|4
zLu&sUFa7esR9wKRUvILUPp@-S;uF=<<Xr-icW(l^wxN?5l%Q<9h5l({x~ZI{@3Ir0
zqS;?U2juk@mu}h!@}Aaf(49;!RN-N+J%0|^1l_lZ4in)YZduDE-Z7<UDsu-tYdHl8
z0bO5$Jsi5BNrQ1Jd4h?yedCl(WHFSHda#$t!vQ4}n#167?Kb^-tL>R)yA??Iz@Y=B
zuV@tl-FXqGT1^?E{!93My@g#6O4&|K{w%{O)LEHpy#erH0i}oMb0)&H44u=mfGYvs
zKKi$n6i5yWBEGmXA4r2F!do9XDE+<m;O)!DGT<cuLa~WJwkG+rw%yC)gp&%#vm%@6
zEo%)dms4jjyo$54=#}#<lv*;D6%3^~oGC;fhzus>H{aJgB!&55duj9%3S;C#J5C1&
z0P{<D@6LirbALiq%O$JuK^}*8x|*EJ0viZZ(Bos{S3MrF3`zo%9P;wa1O>1W-ZVPm
z9pfgJ`0J=YCc|6zv~GYR&>f?L9ET;XI6?Cc(-(ct`Xd$2e~AAuwA10z!XIxrQ2rA1
z7Wse(@TPXg5wGoUaP6Z`g-s)SuFfy9=dQUbPM-C@h4vO}TO(X^@VVqlcOOn!qjg9A
zU}Ia#`1`)?+GjA5O~HpWq&>VK{nncB82{;<qwIOxR9Q7@|E$21V7sB*9qE7^T4@rQ
zSe7vl2y_>T2bwcU%M~!;UxOGa{->q_7-#W7-f@v2ktTpC|2GN?pnnLxGVuo(j#gxF
z0ur>8xe#4INFc=cKNTT6z+5|38@Pb-z0Z(=FAbVylDN+-CBp~+P2qp2M>j#Q8Ae=w
z9fQI~GLG940L-sHLGRLVB!O3e9%YjZ!z(S=g3?q23Id0lzu$f?H-dQ5f24Bd_tRG-
zvD7Db+0H)a%uGex8t{;m%&R<QowhQuHKUh7@_O2=T1i6YpP!ur%ITc`64wi88Tk`r
zC`op~JrP#9lzW2WcDG-hnDol3_Pk~#HyEp}55nD#^Vz?~I^cgV?ro-3a;}Q*L&Os9
zSkNj8nk=Y4`7SeTQRm>pQb@oT1hcr^g8<#{sOvDNnM9rI7&BP8R9|6{C5353{ic$2
zdNkHQ_iAZo;4AGlaaTU_QLVj}LLi#x3ig#=M@!eTe!{1ere54K`fMy(Ew|ctc~J*m
zBf$$*FI+dnkXJqQabQ`jf;gt924uD$3Zj_mB+x#}9+{onGZd`(l@1@_A}M~AEh6xs
z*%XozT0u8Rbh}3!<f%Q00rOoC6QtX^uN^A3&nwG*L9qGak?qk|!3#L@R2dGwn}nk;
z<;NMy3jp-*cNShjQg*$wnDQr({(_e3;tRY^ij=Qe|CiS0(blfVP5phHK~*WCta2ZR
zI^LK`Z-z7*GFnhCZA>N@p*Y#6;M>9SMl`u1>7@@Sz18}-&dZv{V8p_i9pP#`9cs0p
zJ93$`9tX|?k9C|ED7@_&p0?BQL~Scue}Z6dHlC63rTO7GJr+P*>mcPM{v~QL;B%&>
zk5j`Lw>9~xiR4N7HBoHZm}hB?2YekVVLB@3)MLOFjp0nLt9FQQl6dX;w2on{Vs1;x
zP`?AWSOY=JYyNaEk3Pd6N?@DW_>XJ-r)CH?3?&n`0suPW0==HxpY}4e88<!&QpIjv
zQZ{VC2$T{3MwOpXIB=P7jsL;!Ui|@Q{!uX2J2~;*$?&IVOuN+jT3@Ws+|4Fg&x<_r
zCFNOqp`hURv2;MRm}eE^v2fMfEKgJ2`X=5cc@WWgF>pMAq$Za{^^@6`Y!kehjm1Y9
zYWV#{dZEgclH^sXPJg`5n7e~}UV~?i#vbm6^fL%D&+l_p#;UJOOfEg@o*GhpSvElK
z;RBi1&ZwsW+@*<4hid>By4+c(w@B)Zhf}NBOh$$RmKPfp>X!*O2geUbU3W7^LX9Rx
zI(CO@>~Qj@6tf+LKYZPTINn($X!4_6eCZwLcpJn5w>4qL<5zEQNB>17&(3LuB_BC`
zctRQ6#a^-&=GK0)Z6eP{Eh6`fTHc0Q_>BJ=QBXTg1hEn?^{p4zFN&RSS4-LqCuh98
zc$MPqkHC)b>_J}(gJ5euAT*uJ=1^3T=j$#LbGIa!?&bBIy1{l&^95OnJ?W&<@<5|J
zg)iRI6g})Cn9hfpOE<S`G_VcHNCrV*pQrUpSm5A(@mPmq`N-F=F=^Kwz75kK`<^K&
zY@(hj(b_g(p73^VWkX8SZ^@jNwB=yIP0Fki&XyrTj%YCtTMi|KAk;Jg+S#4kcnBQ5
zW$Mf!Bq`=#@`g7-`lZR8)LaUuR*WNC^$woBUt*62XYmiK7}ey)8D38&G6SgPF%Nzr
z9L-V!kdDIcY-@9@AfOJlFzLr-r^voO>*1YNQgjDt+Kmwpud6;EbMILr)^)Yxowj>W
zs~QSahfqvm=*Vb5I4~)Dae})4BCpTS3T~;N)LuBX=!1`*Kj|a|HV~|LIy`ViYe7cy
z7G!Dv{nG<~(iNmC{aL@Az*?ZZ;x9h-Ym9lB9fayni`znQY6uE^9JKQ}$S)tbtK`4l
z{jHgDg|&?|SojbAcM%DY^xutvG{M`5nR^VN=!_O1Klq06sVw}#>Ml%ZCd`B&Fp5Uu
zcYy@Lf9N4ELK2wpD<ddq_bbooY`}|#6M*<JP$zP+Pbqh0@Ra$=z1xLv=7f<3vyONn
z9CB(;tRN%2-hE|_C-4S!H9tDbe}Me#dOZ)$upkdiK~6?bmS^=z?`+$@7&frcye~Y!
z6l_7uJr1NR6Z6;<#i@zs%NGIMi1iL~#`F0WUa0`V$pV>&jXP?Hm(2bcy&zldr1nuA
znBtiFGmsrXDvot|{^y2%0`t@4i(h0ROdcH8aSNUUFO5P$$Xp;?8CsnL&d(MP&dL1=
zL_2R<eDRON$ZWJqb|RSSJm}B;oRW|Sa4a)BM>4H|hT(*{d}(^lrQs1PVZ-XksFlC4
z_9#&7`>##dX7SFDPYEW<Pth3%M|=G_)aW*Ve_!__vsYsjzi!4T5&tJ(w5A`N)OyL{
z21}=9f~}7HCS}BKmcBf65uBY@Oc9@_Y<M`>Ars6R%Yu`hm}!;$H|EU&nD-7BX<i2=
zyE?)i`EM*a1$smJkrUGU<S*3~HT?ClBdJdZ|6b@X*uY{b0;KyrG<{KneWSgjIm@MK
zH2<~yd-x6^gB{Y~pEUNCOX-}~a2fwFen6!3RYS3|JG_iP<ZAXkoWn)nuA}zrgG;O*
zj8c6<uKouGXiWpBc)C#)P+ATxq1hio>e5VS5bsq8h=sx;-fWD_nTt9En2VgUF&a)8
zUXK`naD^I*6T_C1VGH-bR3qhQ;dg{y{=?=@QTu`za9X6nkOF!2-PR%%&>wGWb^PXn
zcfR<-g(h-{OXn1|wX%45AjzUqHNHCrb0w2CiwM<r&GAKWhWMruTWlcPuv)gz#8>yh
ze{Z7T6yRRFfDuA9D^NN_RIKs{*I?{E<Q3|F!ZtgVy}v&l^RRGc&z6L6woa`*@|>`@
zP{<z(%^OWRWylo42SeHq+7-rx_}rYmtve86OG46OO=6Mtj_r=lAD7$Eb~b!G;%Oc%
zl^d+~Qcp``SCQgAMn^H;e{uofIz<|Ax<K2#WYQ2B*$28&;5S497-l)+=<URvKy^+>
zhtb-vho*5{q<?a&84ZA#9s$>ng(Mi88uphw)(KcnWK>u)r0cMnL-uR!ykQGIsw;(&
zU$e`6Gc3WbWZ?sY3x^`fB`VITj24&vVI-$?cZM6F>gz;i_x4YWt5bB&_!6e}-u{JL
zM5j;Uz<zk5;>m~8B%#2Sg(nT7INJPFwf?FZ_h_pghYve%)Y?*pMBPU?*SUB1$wVz=
zi}cLDMX!Ez@#nd6#WuV~ftxXGPL=V(WkN+pnRaKck(4cz!nNn)^oQ}3R6sG(?-evl
z(!`&u&s}-zus`On?ctejjM*^OUY1#IL}X$x#RrDIsK@D_jQx-|Q83)9Kl@L9*Cx=B
z8DC=zN+2xZ9!=mtLcxdn48g}9KGY1sdwvm$q9k~B$DWqz`|~y2p!@C2KR<N(O{#U<
z8d*#qyquS*OY4$PqsJb&Zi-96OgUkrzUBv_5OoObbWmZ9OCWX?fmHshl!d})U^+t(
zTU44Bu^DF5m>Xm&&=k;5Y=+Y*>tQ5Fnj8vs7i<)q7~T5of)fa2hM$AZ81jIEjzz(X
zfwQyFdZOr{b)~I`{v_M=AY!xMYtjRs=znEjS-PCwe5C(!q_&zPpsAe3LavT+GKymY
zz4J^ewb^zGYe=hI@657{4C0QP`LYSGOfl=j4%5yH{vHJcdef2FT)l_>^uF>$j9@$n
zj~q_ldcOAxD6h95h?hofEVoW!r`hrPC}x^q=ovABqpyYF^%>NllLy0=e>!F?zvU@e
zn}&%`KBfh3>I}uts?;ii0ykQg>mep?uNt>_z)KHQE*1o1dn|U6{3g>G6a#5Yy;m!Z
z*Buw4si)^lnm5C@j58;ZX))^?md^uPfE#i+2~^W$iCgJO_{dhTqxsGU>PEvE=j>x9
zMXX?2SO6JFfobBq?T!1^@(38&aZQQJD!(B*>4|o*_{^mxiwg0Yi=NfUg@dxCmGDKE
z9PyqTIg)?x*BO_U-j)9?a}mCKerOI8EQk$2xi%5_J7$r!-5PI(HJ@;0UTYyZDd<D2
zXB<Z))}z3_R;9$V#tb~cELU(Q-V40bJrBG}-z@JnJi+*!4?cHMgS5?IymPNeV)>?h
ziW~dm%}5Xhs4Z$}@PU^8&AsCqoj1<CXQq$1O9h_g)%wTB=)&X`lZh8LfP4V)O?hhD
z$ft!Qukyc(olU6wEA0VTF3W_z{|&5upaX*7WYM&x2a9mRsch*EhJc#%j6A%i12#%p
z_e{J-u)2+fN_-hoE|SydF=u81=Gl@pACGg}5N`J%@b+HWw4VH@hn6@+-Mkpuc(jG8
z(=cV_0rg29KcC!H<|dxSD!#OC)T?v|2BleMo-y;4==F}FW098Fku4<q2mxA5o-qTK
z6YA-i()%qLTKno2{*Z4tkUXJNXOq$_=E_pV&JV*TwtH1qFU>n#NRy%JM0}p?EmRmx
zlo~nu8|-acN;1(JAHaPv^uZlH^1AX9(oF;>!>D?A%Q4p$9AyLw{DHf_g_aShZ)AHt
zUvd@b!zKS3n~`Mlct-gyfgV|79>{;!4wW`JZ}=IvyhG@0@=@b+&m>||zR~=lHErlQ
zpxwGJASai{g9wgpdUY6<4s_ljZSzn7@~q4lveMJ@9%UR$1uzS-Jv`BtH)*)+`zx++
zy254h->_~18F^PqKJN%ZmDVSoBnI^cV7z3Z&CXCTq3_Oi*ebt?Z=)`4uu`iWeURLH
z5Q{wQxCZIzg#Hn~UC9mFLy`ur*lkE^gAPd*8F(8|*p?OflNrcJ>gPukxiNtP&G%Ty
z(Y<=<vrT$G;8*L7Efo~o<6Q1;`_6qZRg*xAE8{7^I&o-}+gc9kbSC=xJjR)C8rQBD
zWv0I?%&_;QRXafA;|u9xpQVSp`Y)?9ml;B#UmSa(@1FB=?kT^E8Jo=PQKh|`E9j2t
z$w{ydm^rNfbih?Lp}b%~Se9U|AL!9CwiV;KR4<YbwY$5A$D1r<NPa0ca^~9{(9W<H
zspZETFp65Y^04=z(&i^a@cOvB>~{_7^UUM0d~7E`qr(MP_QVW=Fpt;XKtHuInNt+M
z4)srKp=2akxBMtq6q9lG?;{`Nsj57BjIKQKCOG=Z$^=iYq7co}Ez=mFBj`7*1{i0#
z)r#*68kC!iZo!wf&IKN^&n)A<3xelxT~YI;`9FEBb9x!^?EcPBk8T4m=9~Zs^10*&
zC=yB9GMj;KkI93$k+wbZp9>{^asKhPZaCqcE1cW&H>(X5H3c91ApELFY>4cQK6>=S
z@z#Z=8Q(C!dpuG`-V2ml5w!w6fwHERHF;9jTTZJG>Y#xbjUoTy;;)$XF8daDc3Ppk
zMoeUh4IjIfN9~JmkqN#_VZ}AXTYn9_<DXMLpN88UU{0t}Ht*}%FaUQyON-hW3>a+R
z)bPpb=K(r^G|=(;C@+u%-3Lb<9QoB_*#ap`&A_xaM)gkTVy02^_S01;%=ntb`}Odt
z)cH#K{k>!Si{OFDW0@GIEuvncEhTDxhAU^wwdQ5cR!e`y*+XB5`vRurMnLhVlA;lQ
z8-3&B1mb(jvM0abW`G**%`r5y5CqyFsj3`#+$+kS??lwC<VOTlM27fF3jKX3G}*tn
zpDvnemV*#e>yJe-_za^2Ticsa9r!8i5^=lkH)!FDI<2|~<AmFEUXZ%Ls{tB9JFrL;
z&?NjEz#})ou<u&5!5xO5r@e?rs*h(tTcw7f5!!d*#KeSj<327XwEnVoUHI#Icl7S%
zXw@#Q<lAJjXzab>R*UN-Rs5PMzOR@dVCG|Ek&?iylV<QR+WLNmzNMzgv7ha$;X$L1
z^VsejdftIRCb#=(2I6qTUA`{e{a9hPRBM<4pG|0KzXr8!&lJ!cytWUIIlFtca=_p5
z`uhII?~r5DZd-~^Zl0JBOpQn8NVD4n@9>(aEyT7oVPdI@6%@P~0kARE&3=`Ahc-LS
zR-*BvK#RX&GwZMTi$|4S0r^EBkFn#CQ{cKyt1Z0PLTc-6a4GlvgSngLWNp(P$AIi;
z3`5-|Ui!^uZ;>`W0wo~MtHGDiRAwflG4P4-gm-V=)9tHset2|}8CpIcAKAo1dM+Jr
zGf+N2Qxxa%u9g4R=dh)Cr>8XvXiZv&9}TL6n(D;-+4Rr^*#-IKFR-i^?&$*)Xv2qw
zjWwBPTg3f=8p-rO#)+B0g_%{lm94~(sSEF^tA*dQx}l5cWEpZ_4YSExw=C}+6xI*L
z;g#_4E#7R;QkcmEo+Sa_v-I$sHinW})vtP#e%Vky#=3$XfJpc$MArM4S0@d&$4Ud~
zh;PyS{%U_aIykSj3f<);Z%g~$qX1s^o9e?y);4CQ9VwUnCeDxN+Az4`p(~)+vOWMY
z+&Dm)O%rmF0V+Z+O(2%=J2^T>OBQ#@RX_JLwrA^{uoF2HXIOUfUe|FE7NHGm2<oeU
zj=qV(rEDw8s|H+b{UUFG_yOS#{&Mu~=Au;RJ5mEh{tSMfr!OR*0FAu+!1X4()d{KM
zanHD7Y=T;Xo($^w+-0$3SWJ_6&9nHnDuiRRxLD)!r9`vuJj=6tkD88>PC+BW(EQ5Z
zDRRmJpYR6dH@b^}W*0-<HhRWr?cD4(ZK2PX-&kcDwe}ZY|2W~)nHAUfL4rED*76Y0
z;~I%JH^kyUh-NxL+MV!+PGKCRp})VR-u)IE^aM$JeXWNsUMK_>vUL^5mGe_n>s$=M
zHl;k5317dB<;sFap2`dT^PcsfqEqO+jtNc}>U?=Y_4AjXka4<G1+LBKHnDw!BIdkB
z8?4Kis&F})n~>H<Kzlr%@clMtaY*MYAze$^yqr@Esq9SUli<UDGq`I;A+b`gucR*Z
z?J%}Kx!!dmS3I&f@SDj1?t<!GK8yD4+p9`jvEG?qdYA%WWXaL(0z1ZtDrF!lWn|Nf
z_r%v`N#w&yHt|PAwAhyiz~zWf*a%9XOvGdliwpmvh7F*TN@fEBw8DL9&w+o4s{9`i
zkR}xT;wRP&!7t{xa(Mh%s(vE|BPOr(Dh2WeAX6`RiV{fqt88!cn?su~1d}gRDUt<0
z)7g2cG(&sm?Ftys*wkq?4T;HCQ~d*L9?T(ONipZ|89bzQGuZ9F6lS{IlB@+PIeq|1
zlonNaKwA{RHGBgUbD(ZZtzSO68wH!|@##nKOsb$?ZWtUC>r>kXRqdQb^#-A1BI>VZ
z8o~~GZ`xrj>54@1tH8&VE^=-qxpu9?Ccc5M0&2z%fpUM1=l(wA5YOl7srmUlTPw3U
zjo#ixHBRsHdm^{yyNJBpT|d=?$!WZ%+C|=xmvZIFuSYy8(r*pRjV;o6)f4HC%$A{F
z2%BZh$Y7}_N{EJ;IDOr`fWhqW5x7MxfB)kDNf<X{&{3D)v*j$kHEw-4WfTc*J3RV~
zFLWDhzPFRIfFi?BZftv_7H+szq39msF~VJub>YhwoF#ul8O{yT`0%$>G>hr#pr&d;
zqIS#iCbJ~dR-CdMH$s1EB?hS77=H_n4Oap^%xklGlXGoXWM5u`K}gR8N$`AMMg)#^
z@{&K=j#^O04=0T(TNv1$)NLhx4CO?Hv#)nqq-86J?`v<wlA9OLQxvOoKOwVotNo$h
zOIPz?RWu{00^HSgAx`yU*W*bI5o_5e@(*qea8nPQrM7k2jV~L3?vObMGB5bvZM50g
z?yj%M4C8n5f8p0<4F6Qlv>=+|w}D$4aut4w>1Ljy-1x5S=8{@03p>1~g2W$pcCV$i
z2bMpm2s@0mU_h0>gr`9Pe6%lhi@QDJIvMR@%7`TZjT_ro=NIs$ANw1US1D~wJp(mi
zu7ngmmf9eHxkp-ig&3(+enHlcd#84H%J%D~&NsbO`k}VXxtoDK8;zi*f!4&@V`MUY
z&GSYK2gvD0;__4~KcNsdqY#Um@FGYO#jy$CSsT_dj8pP<);k6J);^?dv<f+;3|=Hn
z3-21&U$o4sUUr_J=Gl7tqHED1lp*;3XMuBV`>gE@2rL`Qb|;~1Igi-v#;D&d1=njV
zac4-VZfv70<2Q#C7M2gk=i|>@_l_r?9Wos+`CfXgUU|Jc7-P;@8&cW?rVH|GETGQc
zZ>7^x&w_-|`@K$(-FvgMKYFsY8Ate<d;C>92bCJ*DXBAsvZ%ZkKU*!!J1Nx9mCP<H
zD2B)nyzJ@vYGyg%NEtG;n=-T}YJj`}B~wh}ZOufIWPpt*C?)7%LgTqnuO@J5m-7;q
z>;u^PtZ!}0V5IC{2+J2_+XTV69p3olEm8^ld0sn~>q3D*_JXHcMZ%zeOYxb2kn4g8
z`%Z)E40~0I<gbF*$OZ~H?utd}T=Bjjj-Wu;j4q6{z8!yy$)F?jh%(B;#fL8Gce}5U
z%nKzD;RW??1Ru7H1oR=q%Da=rm+V{a%9$E2+t0E1D39){?->pRt`?>#W!|3b^=lNb
zT{g2te66FlY<ZHcIgJr8Me1c%JHw_N`zzHo{kn@Tr)f?VFJC?$xg>M6L$Ny&ySv4g
zF?SW_uRMA<+Tft!mhskEY}_eBRlW*+8K|3z%(NOTj-Gtix6Un>uj3=JDRN($jDT^9
zxcaB2Dobo;MsI}ujJ-8JCJ*~AdaiAbe{Rl;n6`(st?gKeM)~6K3u0z<|6e-pIL|*w
z$R}LL9r`L;$0j>xtebowyRIRH=9}U!*RjNLDqRWsvjY-x1MQ0c0+|TNc<8+fk9+n~
zHM{S|^J@Cu!3vu1Hxs!Ddy|~GP0vudfzh5m%^VZ`m)x#;inL_#yVbZ3%8qOdoq)Rn
z3u#z-Si0X-0)Uwv4|v=cHmcl0X787vFJI{L3o375UpEhA<&6ev9tk|MKMtIwD8CtY
zvj5(@*TX5a8Vix*ItfS+T%OgJ7Zpo5G_no)uugeciuNDpcGMCmjjdkpX{m_It+tL_
z&O-^;1^re4hzPt5NeR4bx07R<M&&9wHhc+=fR4vvtz1c@1dL@Ih=|23$yJVDHNwk~
zr)Gh4G>9cig=A}GMTkz(!u)+Bcht4VkJZG;gtDbNFg_KE(cG?j?=6}nsD$b6Fja@@
zU3et2mUGWYDK#r+_=ZAnsPX=)Gn+|gMU=KHRUxCzK>NLN)~QLoYn4k0EI%}@j9&4(
zRij_VMn(0g5(szZGWQ*h`3s}KkUJ0ROJLH5QeGMQ;d(74*AKPW`4eDMX_js>i$yzA
zyyYGx^qD*B1+8zj-X%cKLM~bkBu^G@3{+ZN&lh_)@F6Wr-az0!{$51ghzT-7=7p-j
zPJIrv056pPh~-h{7hlJHOZ^@0-X?XN>L`-`xL>rSI1O19D6MQz`&@sk^lEYtNlT)b
zYdx~VA2xu*vYb@fqwrhHHu`X(j5OFKCBvki7I2qZr||&d7S&?S-pL?#5(Rms#lkzI
z5=j08!qTbv#x=EvBc`~lHF}}U)Dg)6j%&W>C;h$dL=s^rW^&!DqP#+08dKi8b1vW}
z^B2jqVI8?VTeYh_vL9Ye92Gxau<K{WNNiDGeZWyic8b}GptDcI@T4~CLsxf^Ac6CQ
zLYkq6XPqxZ#7l<#%6mJcJawp8(*<kzw_m6CQRL*M%R_(G;9J@UqryL!o5wOdtx~*S
zFnfEn2T5ibwzFqJO&487IK6FPGDQa0CvY6gi5K_05#@m+1xG8=XCfx=<K}Dp@^bXN
zT6K=rur{T4q7CndxafV1>vzZ&wxamaU{`h0UQm49NOEg&=Mx=Gwb5EB^y1!@HIryc
z>INjeGTd!RAFbc7;r3=gYa=GWSH>5?_yY%@kl8&LnebsbxkRNR&%hUSxBJ*NXw;u+
zw`)81{eH6b7xA|-<)&a0NZMy;HNYrDXFPRAPfRT`-4^}CTD=W0X^dO3E`mQUpv0^5
zarU^;m{-}~6@}-@=j+Y8MAlO`gqFnS9gh38D(^o^6*NNHvz3U(WVdqnIDPM#I2yK|
z7Hwo+n4RU=Kj(%Ciaa!@xRP6Z%$6`}F;g4A{5%kKxQ`n;QCjccvy(=0Vv^C%1M9&P
z^Kq}Vzg!QTHn7~)U@S#lt>ryj?`FV?1$E*)1Fy6SOs@E>xy`P0w&c@8cJJA;(-d3R
z#q&-WtoW$x>7!J^-H?uY!;dlIX|YmvLD%F-+O<CdYS#rqAt7df=&a8i$SB9xhW<Xv
z^QT9-Oc%VsOxL2fgkO)AX&Sg8GJNnjON&g+?)<%}{9!(w7ld)j`WLIB<X|ir<ty)N
zt2ODf>nH<udJhNYTuj?WH{J^$O@6}GiSfL0G2-)#_n$DhR_Xe_I)K8qNH6Z{jrw=!
zJNWmRR&38LT&h>>jv%lkUYzPerN2$8mTBaVG#~DOlvhDhr4HJduV9$ydwM0Pfg=Q>
z7jIj#=$+<jKLf?&<E2fbtBj-5pA1;1RUnJ%r<1HlJ$2L|BCZd(7VmDd@yd(zShUs!
zR`m3rzv{&A_vEAsD_qv~1uq7ay+BLK<sa333*1cB0SGsiGQ_jxS<{8hiHZBrOM~x_
zFDCS+5^Y}&M%YkqqGoFS`^6qCu$8>hGH}}0-|}*3qR)KW{EdofQp#HT0Zfm-p6|Nl
zo04c2_4R}ufOg~9r%GM0m)S3x+CdhoHiq;jG+fxu?}Z5NS63ezhQrXR^}2h>%V`p!
zS^1vynW}(z;M3!y-&)OYHF=M$)RQf)aX|<EWmvBK=7;^!11&@EW)xQgx5yL?T&}Ts
z?_G}4i5n*4e>{4fPPjTW%euI1`TBBI)ZGuE<BxYQ$ECHRv>dHHsSSB*wMsG(9oS5S
zB}3z*)Q4)k(|xwbN#l>=Qa>jNs=oY+vtp(*@@dSkDt-#t-*hhF3)He4++zPB8tpKd
zhQ4`axnI;L$dkI#O&g<R=#^=|_hZ3sGoyNH2{JN~|8DngDtH13|A<kTfLTC*<M?o-
zF}TTRz2S2Lwf-7Mtvsln9S?Dro8(D%vPx}I>0@5iuwWzaO8{~&G@?ZFU)DReGL~Y#
zU(%|mdSFqb5$CdasYrN4Dt;VpUvUCO##(mP?_t||^05gp+x~&C3t82Da{b?XYMky%
zc)^Q3RKLlN1yZ_H*uydc#4$xuy_hQRIGb1NU$MP#-he)2fgJUHm$=cBxQUBFU+dNJ
zyr@UGYV<%(bs)dW3-L^!gn8o7LQTMUzY0ijiIerxfbRi|g{C6M2c>wEELivIoxiPo
z_fw&rW(?XQyIio{6(y&0>kfTMRJf9kjqP<ZgEMT!94cK^1dZ~RWRY&d$7;#BriMu7
zdJ~h!_dP2lc}Vtz@O`x_s$BxR>DmhR{BdJsZ*^psb5a=6)y14LdHN-zrmG2a7Ay5F
zGd3>K>-x;p3>1_q0TO&2F5-_#!}!x-R&n3<a(~i8?MvZ!^H(X<GN$jFp6<;0C@yTL
zWkJ%!GrOw0eWVJ44AU;TH3~ylCiI1m13NRAlpGv7<lI(X`?qep*~dbYAI;d+&wX94
z*-AtuxJE5I9MzVAJL{QaCNq~zOk%3sV3p$RHYGybhKWXyDH3#=OY;+5`3GxS+W|Jn
zLwyM<>uoK0Wh2X~>%|?62vPLRp`m>(s=?Zp)fH(6KNd|xy|wqz@vG_lnxfUGmE89Z
zhF%Qd-<h>P;9X2Hz2Bg+<HL_PT$t6LfMz5Iq^nN_g<(0b1+Y5QP8!-2BYGb~6Ref5
z|0#rs<OwhRrV1GKsmbL=-WJxu$IGXGhED(XaFmEa_J<GGZ0Nkto@pq#7Ekx7Gwt*o
z$^{b^1GNH{FfSA@)+XbMzxQI}$Q;8MSGtCtL_fUShbF~b;b*5cjB?ew27gCZ`;Fm8
z-=c3(^_cyK@wMYB7N^%qvDjYOsg_f{z&hi@abxDOo<E}4B4|I8l^vSkUkLcZ3#y^*
zHr8MjBSU#>WM3T{Tl8qY1>~#sMU4z=m|G2fzLW;uZLR0@K#mS7bC&S+cje<T(*5=O
zy4&S=r|lS2<xFc_t%zgiMzZ--X^#==OpF$~wl)=Z3(VlJ-y1gCvmJ7WKhS@34ncWL
z*Q4(`o7*eeu?@~=2?G<Y1Va3w-&m>=@1tlf{Uf2oY?Gt9<5Lw6G@@LJGp+d_oG^Vx
zj_g)FHQi&gc}`+|9b9LcJ21WXX6xbZJIpgv9s~Jdy$NWA+-qL{n-&6tRq{)49fNha
zYn<L*vh}|Y;g1;7saikC2}&fp+B9xSKhx>qAbZ1oN0EG5_r_WMt{Xmb^mbioId!>o
zM3|g76PoCSH3$AGvNzwXVK?gqi!H{o^lZBdR{G3?24RZH;$C)6Nf0ut2gA?=sN&8W
z^hN0@c9_A^%X++zDrXBl^((jK<OBb&WOH1b`Rf&}PgcJx7cF|O8x@KSWcm+d?T`76
zYWfhD_oi+XD@_cUG6-i1*Bb8G)4p$>wj=t^hqZn<IpV%)b8L!K*`;pAg2#y>@D{0C
z9SPR=H%4gOT;!%|S^9!52e;BsCQ8%HY?o}@vdna|t1;L>-9sd9$jQDAj9o9c88EEK
zzsQ`kL5pQ`;5O_-t-E9&#cwTEbq~XMGC6H2<Lh4fM8M{sEJoQmU8T}#^bf4=4676q
ztc}eO^>2l=#9?&4MP)0me@~l`kvY+;%6H4GfnL?$B|la)Y<()a7y?67E{Q_l$^EH*
zaf84<2iDV=nd9QE&*`OZt>{s>8W5P_MY<zUX!5ON_LG$-1m5M|{mq+$<Xa7yCrL70
zsB_S$t_3GIXyfKhRIjPjX34(y@6g)7;Boo}cgyxS>&ArXHU{>FE@QvR@F%TH_^$cr
ztqx?f#6i7Tr!(DMys<Z?ampIbh*$rSypL#D65K2e_&k4~-LtkS8~UBx$^Qdpe03<1
zzrI;uV{NbK%<@$z$P97n@NwNFEW392Y@TktkgoXbozL5QAu=@K2?;q_H(MUP%+2AU
zJEO%utTDkJ?Shkui991L-+iM?z@n<yNbNEFYgAZ4W?kO&vh?%VImmk8*U{2P*K&QH
zxJXowNL3`&8YOyY@Wz@}8VxV!`d{y=)=?OpS4tCKQr&psFK4)9znJEe_np&WtR#K|
z4l6AO7-quM>pjW^SE;#rg_oA_y;y(4i9%t=W4+E4=zCUMd2^NfX(^}VDRC>R-d~x8
zohsn&dYQi<Q$Q+;a<3eTK*2*x2M`*bGmq5XZ@PjhP7sSRcw^(J`uu*L0g@j|$s`TN
zR)|%3trJBbh`gk1JmcA*CHQ@4mW^8mH0=j<J#189z9&F41ui<x3%ezukJ6_=*+M<p
zBrTot>MEs`5K5j-477a=@4BQsEaNk{(p>oDYM)Tdi*NeqypDV?A@CLxKk0A`7wz^~
zA-8C#9g1XJ=0jE|QTMfeO|Z0+{~%lGiV!_gTT<nuMkn$5860H>%InE9iwF6@{Fn5j
zXh};HH~Hk_X@Wz(|BrCx8N%(`MU{1}5W?*wBaVl5aAGsXb%W)8YW6+pt{?RM@z%wG
z96PAb4ubAT^#7sj%mblp|F%C$izH<aQ3~0UY}rCm)+A!at_+53+09T$_6S*LvXtD`
zvF{@pJ40mbWSOb#h8boo@1^^`pXYtw-}B60mcOp+T)yY|{T#<JlL4fFOM&uHpO<Rj
zCSklc>1|qtkiVc=P_G<0qL9lmkPYIfVk*PvMk}O-Up$TyF1XIc)p3r3ZZ3FO_!fuf
ztl9Fhd;VTZfGJwZQ(VoUQd8;;R=NjU&hhArxDhF>+@QE6h34}h7bG;Fw;R*`ZCnAu
z_zdh}YOj0lyTba{#NXWPn1B(NVRE<}6xX;`B+b9f4#!mYj&+-pV$Re?QjyM^7k6`P
zUBPDsAzpzt89(A#A`oRA7ki23Xz6x6kq`1aE~(MeZeNKQsBtFv?<wGlDTIBfl^ZWv
zwAd8k$(^CV^-kdo?v?A)npO%{BE(Z{R~;d;1iRuc)8}fth6^1wMcsVc!$F@GQ}ef7
zYL*|YbRP^Op>5-9=pSAaGVPB_gsEZUx0TA}RNDt6x5rw|z^BH#_CGB)|El?Nn*=>y
z_1<Mx99ytpJSM;O#4~KUY_nsl7>%&&nLZ1zSJ7D7a_!<6{Pc(v&2qS<{1853v^?L4
zX_E4$Z61s_es3xmWgV|T+ckb|9ze=-r{Tc=eWaO9EBg=Pdm&obU{c?=O)eSWV#o$2
zebB)U4YeZqq7^`=z)q7$%dW9-|I>~7Rd_xm-!2QgZ^?S@GKg9F$yujnZ_Gx6WF__G
z=A1ZEcxlx7e29FszOoF=>v^jX2t<fDg1w6LHY?{DkDA@H0bE*5_3I4e%-=GSwN5L<
z<VP{nw{$%OuDHi>J)fvoKR@Yu)F%rADIe#nJ4|dih|^syiO3xgJ7L3k?d%M7eKk^;
zI}aotZfOis^{)!-cioV%J(QuJbuxo`1mnYwpKj6YW&dh91I$c?o<_5dgIAzNbC<a^
z^9(OmIXch{wWC4>Tw?(?@nuS&35}<kUQ?KY?ycw+?<>nhm5?(kp<RzMFM~oa*A^c&
zEg0zh1UQ)0ewJWpZ7Stv*VJoFK+Qox05hLg_w_%8Wo3E<I>)~hG~wGI58u?;F=q|g
z^`%#PAxq{F1Hoo+1@ITb42r|g;dwCexC%r!PuzHB;pw}BpUmFm$MZ6IiM~1=dAWdD
zY!;$=xr8d+^bHDJIG!8!F<ZEIjuf=noEO&Q<)-HH>mqzV=Luai*WkCrZ(i=N$Z^x^
zt>j_~GD?L_(9bHw$48pwuiHyKj6w*kO89fMpP?+)smlSuMn#Qgr>LXKrdw%3>7Gi9
z({D33Jw~b&991P3^Qt)_olE+*l*x`=72xNkiBQk!an%%n+`^FlNyrMIU&nED2fPBj
zjU!kwzQB(zstTR>0{(wr(7l)oAstcJ2GD;(RePX$X+UbN65@D!xiflK-S2$3pUBT&
z^Bo#WoDy?Y?_(rmyk3@a79=TZerawNif^t(F`l(o_uAahwSOOWlRG;4>|gxYOfWz5
zZ}~U0c#2w}W1UU*)8O7@i=8qT7+s%iXEt+V+<s%_eo2sv1eBo|CV?$G36_aePt;6!
zu;5ekTp}KL?R=M$=I+`%`E(u#stxP~xn?f0eChneGacYM2))9*fV{EC0>3#m&BiJ{
zVozz(*xQ@y&0h$9t`-5jqDRjQaS86Od!*FdB&c#tfo1eNZ4sPuqIKQ=lo|M-=EH5_
z3Twhe>(XkW74y@e7KbB|0C1=N!*^!i?o;3zds7b8?F>hMn$Y=s<At_y8TrmkA8dEh
z&t6_8^DiwI{OJ;|D!uwO&P8X&DxYU&6M3p&9ZCNn7j^v;WZ(3q$xmX=eHMkg{Q5iV
zpV<!~HvQ&Y5Z3djuPNL|ZS16Z0Vg~JcYE7kScE?BAQe9#5a9Gdv1+@r#5-<p{c|4_
zYf+MQ7xGKHM_UjBv#(l(F&fV)b7-N^#7qKDPk$Z#tVstNX&jc)^su{1Ixy(0jt73O
zvRh{8>n5zRd0e%)Z_F8!4ux$3Dwz4By8iD&{+S)mUmsDdD<Iq(Q#wEXnS<@w|3I3M
z6E+pIl4ph=F9UL$#uiuhzK`eckTz@bO~VCmKK1d2SJvIy_+Yx{_VU>ir)7>WcVSmk
zy}JE42nk$QP1#n~+JDql*I%x#4|!By<2|Xk`88J#B^$pr0R)<}345z?`BYPF^_umy
z#-RJ#6&xYOP**V>0k?wKhyAo&WCt&n_>x7KL@~O8`=-)O&0nyTsDUiYQ~KI005YX|
zRGq>=Xa9wAr(b1c|9vHw$uSw7>Zl1;xepSueIHy@LA>*4^Er1!L;~n-nz;DdA`EyV
zH6r)XrRC?>)+DNGT0}R!jPkD0JI<LG@5~&7_2;A-vFml)o!tJRy66&_e^)<m;WLAz
z#r@n#h?e_beP3-C^W@xs;@Zg^KOQuq{OIklXKff2F{(yqW`)0N++)xuY>)0%O;l`<
zq)WZg0n9}<UkL-kTCN5%x$SW}21{fCx>V?ysH;F%4&=i3f3Mp=Td%|4ou2g=#|t5p
z?G<Zg7C=99TdY-*Go)(mv=Fimq^AM<==l64fuyy8&IuK~8N(V9K3g?+TcJo1Sd7at
zlwYo4-}ZTdjnec&Ns)(t;2y<U^?8*@yIf8F3%8|OuZ0M0S5+8aTEzy@Cs4=Z5hc_X
zTFBqNF!8vOy1abC2J(5~GS5>?VkgA;Y9*oi)VAfKf3Hzg14q6$LrY;%cFKeVIetSC
z1j=}M#F9_9{5K!0z4%XExC(BYg2QR}uZ%5%w(@{_z?YtRhK0;ay3~^Hcm70tv%Bk=
zJ9E^$SF|XsC#+u&a5Fuhr-pf-uiVbt6_?HxO-*uj-oCOubeA<Uu|;5TuIBvvMKjD#
zuOb1k`F%O|)f#G2(C{)QN?|x^JV-*|T}M0pY&-mBHUDABH2OL<W>Mo;o$yMg*tBhb
z_jr++GnqxlHEd*3C}yQJn~gFuN&dVTpHjg$vdu9}a6!+2nL(h5Kj?Sqd`LXAR6RiX
zzIgW!4cYtpZM0m<%KU4kZD?N8cVo6QD>H@mk{BusG`r`pn!XlY5u<B%b`tzwJYr~g
zTD1prg;`~ro29afqUR}Ho^$cI=Lh<|b&^OVvNrcPU(fy+B%iXcPr1Zty@1%tmMU18
zeVdQjqD)%*ar8uR0$;oRQ?~&{Tzc9oL#TipplPk?s0iTy2d@H0u#ic$gI6ld*v*vS
zy%SY%@%haC+typT%ym+c-bmy@A}uiZhk28fkISJx+L}ax2a}Zk3UpjmxbSt-A#>FW
z_|-8Mxo9z$gfrpR&4{QFgvx(mBgu@`$W|{zFUXBy7<5oo2j^h^$UgOdHo&|3plKqo
zs{TjN$VI2XQBKp4XRmhigB@%%rr*eB;NAe6i!)%ieWL_0Wx4F8*;Y{k<2xy%8gttE
zj|<eP!s9PO8@~9Fsw7i~_gV47)A1b&MYN6xJ1t#373ZADQ^oe16X8<|78VSzdQMrr
zw-Z_sqU}wlmwguvz}77te9o3b$pK?$$_KfQ6^Tn;bL#0IfqzTn<WrV+mM$y%3pa-g
zuu9xF4sW~_w~hzugure_(48gW3xgBScFk3nZY6n2jLHuEvo=40EV?R&`%x#RCdG(G
zuKo9D&y)e;DEX&vqzgJHfcxPAd?&(8<7jqdqZMzQtJVEC8gJSB=i!zaoQCxtkg#X&
zm@!ch>x0kAg^d?sGbQCFAfXLk2w8%D_WM{ghL$!{+)Dr1i(Pt7nIs;b$}#9}*=o1c
zJidKMXJ53Rj)Am~hJkt&O;f**3~v^VCV?gsOD6;j)^b6O&uKcUunl7Up~1jEhn)Mv
zO$Ysf5&vLGNA8(}zS0%eKhXUF=o285`lI-Zt_f2CAQqp+-kTF^W}PWou<6ok_d5|_
zYtfi|A0s_CU?X?T>2x=st=!=Dje=V=Zk#<hJ5RPx7`OvhsDnQZjJ|voFVZ1UN!2X*
z`pz@=J3@oS^h~pxmc+eps|wIeOigfYb+cOZyHv3y=yE7`CufSnFt@e{@a>pKXakk|
z6xySTCV!@n4_|!8UFi+3BcLu67{0M>#B+%6-rkmm4J^MSbrJL3-s5CeF6#1TOz?f(
zP9}9}z>wJ8Fs7`g^Z~1xC2vfemQ%kp8HS59*=Gc`H2!I=W`Hu=ULN=L`#ILMjgPGP
z<vtO4g_HT*R5mdi1HB$Mz>|5Z$3r=H^p=6&hdS|%2dqnp@F;zxRoJ<u?$r1MYG>6c
z=_1Zv$5?Ks)q|A>w)t0FJZXz&UN^CjqCu}LfuE!3D<HQN4=I;;HMuM8&+YoX%gD-8
zY{p;woFH?+4gKM$+x5>qH7~2PQ~AO<99ZWk?GoBe+TM6S>WOw`q2R!87&b(DPtf^s
zLob9hWM1EOw)Ajb<UQtYp*i+sLL6j_(#M7XfDO<ux?S{D2b~P~A1UOS7LdE?<?MT`
z{vo{Sot0~sZN2{T`=cC|{bzQrGM850=o}M`(z`J1JZH@X32MA$skGUeT>kp9Bh$1g
z8M`>$em&q)ZD{D;%6$<~{?ZB5NBQgT?Kiv~VOM{cmr!=f_EHF<VW1+fEZB@z_kOvP
z2FNOFqV^n%=F`EE=yMTbY(&_cj+7|5m7YCJUILK_Y7{ZD%b>Rr6S8_tE#%>FeFK$f
z8>a8}W{56+)n!KKJ)tmy=$VoI;dS)T;>X-ISKTT=%XLgRrPD3*z(Kv|e@Ba>rkUDC
zUM89H)`J;|JE%YIw~COX+esb0%@UK1NMpjAw-`EQw(GfXs~b_kPmk_%i-Cr?gAT7Z
zo(osj9}s{%;EL2(&Q=0j5xopAgfPdaAdJJH+-ln}Hs~W>QH>@naPIkOyvBoj#s3Ip
zyG%tt@WazCK<I5)`XlX6NT!FzC&=Kgx@OH2m)jqb>9HxL{tCo_L-_OP?J_QAJeZ?F
zg08j(>W6VS<Vu<A(&{a;9=w;culA_2Kdt0r)7$to^0S=YODZUm3MY-1k3y!^{ZcfE
zPSbL|l=yYeOacc^J%hb^W;VM8a=}T1KX=C^Qu$i<Ln8$;X-*4zwb<yQd}MMLXWdWr
z6|42goHv6~z2+RRJE33tOM-cIDG&PO`oSB@RAekRD1k7zms?cm@MOz4gG(E|)X}}h
zXus>d|AJUr){Zz}Bi%4)l!p}lc*l_)I)ZF}MABXuO$48Nihe?vZ?)??_>oy%Dq<@8
zrEMHi06(9vN|^NVN9D7z0#WEQSE=BQqA|73vHOZr+Z7|<xP@KSoDqq%Z|U!^!$lNh
z-Vq0+2Cc~o`^t4QmCD@9tXJ=O76%n6@bhRs?B~Hdbxc&i-MS|S_H)Ls+gprf6ilh<
z-o!*A+L5A*CTdVs2f6&8x`<0{56jmx#nD*kU02t{VqAsEk@V#c>Dtr21A8Tz5PZr#
z5@>+9(lZ1VA{y8HzXBR;;?7U#QD2#h@u;a>!O&tg@bk=0bIY36tLrBhj@_9aVc<Bh
z5^6a+K3Z#kH~ZQwSF6VPyE~2Qvv0^`0Ubok8aDbMfX$TZ{aSVU;D(h{_1!_}^*2e&
z*RtQV@s>v{lMe1v!~{~XU3L$@5G-PTQ+Ml9;a%D;&v!rFEY9jsZePC4niIg!g#WUC
z%Y}zpe9M$^cf5*xZCx7UwB(ZA+pu@Lr=kB;kip6{*SpSziGHg-Iau*VfLhA6*k`-r
z;3u(8S)q+~&6f`YeGUdZ^S(pv2}!%6lsLkYdn_@^u248$>vzSZFrt5_cN2BLtk=s{
zH+G*YUhXaGuUFSX<jH_?6#Se7zgg5Ge^W_$`z~r!=cQTohMkY7yBOISpL2hZ5tODd
z!2U%R;@F=U@@|!6j}BbS%$6#C$vzz_5fN~u`LQxZ%kO~T%5rveG@a?!ZEI*K?(<J;
z){54EX5kvexbGcmG1~%|;FNuXy-6wX0nOaj<v9dw%#knY6Xll>DG;SL&mEvti5^xy
zjX!W!zw-_IF>&9#U)1M5M6pWx7MRv=94#Dg>>9_Vc|mx!LlVEce+yb2kzB>9ONJ@x
z;wyQR6>%5Wq7|>tx2=3@zusr=JTFdoyLq;J?;Bf1|KTm9T*_qWzKmpzH2EFA8Cq%C
zHhv%&JhB->-GJ2>w^zBWF_SJ+J$|A%B@TsVJ(A`jyEjseM@x4x7{Yv)%i!k6IlQ#X
z#zkmB>}WcF;iG?nQP5&xPaiFL@wMy@0E`gleXHd9v2(uwf90rh&fANa<E+Q5mDa0o
z9Zj(!=0A9qB}5Va5@XsK->PA`z>w2=+V-7sRFcutpTx5oVQhZ&b>c5&qD1s=EQc}b
zPHr9chogR^>)MHOcC})hB=k<}2*i3~uumy(0u^-Sh<1<hhNqvVNGS|8_12_+$lG3;
z2vFNt%I+&uZ}&S3Oe7ze3sPn;ATr(Y6IQF@!4juy=YIC~)sd0k=9?c=YCi5dyP!L|
z1D&9Sxc1(QWOv({suczmRNbYn(y0JHi>gc~LF<kWeQzN3{Xt4{IPvaQA4Yri+Msxo
z*<yBt|Av{^R*xz`aXgWahdKB2&gZfZ30BPo)k=mXn?$WkV7>aeqRaQwaoW2sibxAs
z?4yCpSGp$zwJtTE9J@E)rSQ@JjOxh9r4r`3JW7RQ<n2cN@vHmA#n9xc``uL^mr|sz
zx7+qBsBI_Mhs(aGcG`VME%V-}Wu}TyAml)23Y)zVS79d9uFswzUg;6nM?@p8I3K*P
zvl-LF8)GiuDx?FuH^cL*s@=1ua@z|$vNo;y`0B`870beKxo7?7fed0V11#R&&cv>8
zzu2`+dKdk#?%`<2jy|JTjw+-@1gKH}tevK?=-q@oPBlLshVvF&gKb&Ytrn8(be4xA
zrLAuLYGc-&6^Z2EKpH5Y*}r`yf<Zm~bJB!4N3yAH7qIrf(W>59B5g0R+e&U5m%OL9
zQIs1@&kg?=DEkG-XrXF8Dp8Mm@ll~GP=X)qvhi+lz9=i!h~=WLc=5X-Zq&rs?}|Y$
zYP^U19FCT}X%hp|gV)A8opV(iHjC1CvPcuYNhrL@f%LYu72Vbds9WcW>X=eV`T3=z
zs-1^pc^mQVo@hM<2e)&JFtK<~24hJqkSJp2aT@!?Ngr8iOi71gfOTb&c7Fm^@69#y
zUM7@z-9wh!y@74KPBDw)d4}R(59bSdI&vBFrevl;3$NOejyT-KgQ+nsk9aT7j9du`
z)p+}}D`>}#vCgqpJ~6^QX&iM4tQ_UVF|M%KESR$LZQm^2I753TBOMoUz<6Lr)h3BR
zVa);QXxCmD+QB5Ehp60M960n_*tOd3DoK=T()OTDxld%%$lmFa{pg$wqG{wF?>qkg
z2DY<TKm4s-0NLyx9q9Zef#%AnADYl|>Cz=3x{jIzo9sxQ^v?;5cd|YRx5enW|GF!n
zw)&WE^pLkL>6x13W|5{@5&Ef@<h@_}w;DQU9v2xd@2$|xa&o<=Sb7sJJxkhtm`PMF
zuUEP-xC-<aCn3&~WP-O9o!@R>66;MK(OIBr!QRsh#%H<{-4v_fs|9PY&>ZWf%oo80
zhwiJBn2}6nj&eh?@*|{Eab?gGSakKa;%#6dfw6~*pV=|6@R_2{=WqBLuj_klp*iw2
z8l_9c-F4~i=bG=mKN0x#fJGNex+d8v8+EM7!kFvb*!XW5?)cO`DQcVI7}uq)8F24s
ziBaKk@QJd-0o$>=kG0Y?l=7Y8ZG%(r4!laD8>K5eIZjWmaMm4$;#&8nOHZw8#~;+w
z;$|m)5*0A6x|#Xb!7(pYOYbT5Q!`UAk;-d3-ZHp0Z$9}#W@sPZoMXe8jl#8;L43b-
zhd8*O6seKdNG5%u?LmTn0f~|_o95LK3Q8EWC5vZn>6qhf-eO44rs4RJzjmjiBJTAx
zqk&BmV+Fe!*B6ieySvJj%5*;D{~5HpwPWrqNsV_dgz-ql`AG|$3Aq+_H$g)r-S4Kl
z&KdBvNe^|cGrZaHoUZJHGL`Y?Lvm~9J65%jFVrf;Fu@AM$Ndr@;RL;{cLxOf_tXoz
z0$JWTHZa*g#l>9KAV_ahmLJ0={2;AHHf2PoXg75te{80E#2c(3SX1F&#7@W~>h*9t
zt$Fc76qDBK8kyt8#>x}pnP$F^KSjp$$wWWCZ~f$o99yXQh5E;-d~7(T!BEbR5XLT3
zHS<|Q>#^;G%8|<}uI!--#dH2FLU%JvKM+aZ;FGTluoRoC5NKt#vNngz6`!_^O}Sq(
zVw_RCPbZD-H@&YgJ6iqH>_PD16Z<$I_72p7S;prO{`|$DgTSn>6j@(2U;oGDTK%jY
zu=tmkpz!{2zFgYL-QiT|I6}P7ydvWB3Iu1`aLu0PuIzd=Iw?BHPd<wjZCEqQd_8Hq
zieSEEF>?FKSca*ZQ#89_+7l0zjkI^yNpS==ylizzZu^m#tx9fgbdO8-zt|81;K<uI
zr!@N_3LD&sOOvIl+p@+W#AdhB6r~Ah92}fdyR8Fir^JkGU?ZM;;HSwNloFilY6FbZ
znp)Pd$g~moLPe@^BYD+6Uo$YL7>=np=%4CX4YW#E8r>!P*5OJ#5b0~;_&T$oLHJG+
z-eD>8=Ak)lx#*4}tyLGbQj%%?u)nfBg*a-y>-I0xY`wUr+Ol>D1gfSxs-d`WP|(J}
zC5gkH6A7WY^Vj5(!!rGXrFtKzi%mh!E96|R*c&^)t3%SI8y$)d_REY`{$`LPD4u9z
z%vvfgl)>&1PwNC{RQ8lxQz20gkk|YQ4rJ(M3|)%~iWurVRjQUG&MvJ}UZ;-09i_K;
ze#CPeR`p(jSMzq1VUi`t5RH$OUIwTx#d(!_Gf@%JgC6Ma+3`0ZmldzYfM^`}e)wog
z&P{1HKOU`1`n7Mg7JuxQo0Uw7F;1+U2yB`aXPkWeMv6hfVZ(YfBS<Odv>Q84q9N);
zfSOyalp9L)-1<&FI;`*8%%nk-Oci!xvpU^IL%bNvT^KHLESx|y1uUv&K+!gykoi&X
zfobGhvo87Nw>vXC^m7Jsu(45Ytyc03)A)SFJGy#5AoFWb^8R0A;275E0v|VvcdAfW
zzd6k`+87-8CEhgXJ8!bIyvuX*X!iHtnupC|+yrr8;y2IekxpV6Vc{1365%KO)9%|n
zwQ<DnC+OJG@^gme=1UX5W%}g~f9>Ap{4b55DCm?e<&SneXXoU4zGQG|Ac4n<Fn#zl
zIqQ5##~Fc)Ho4O+yjC|V>1~chDndnKPB!!_yeF`PKq%_n6KR{atg0D|vM6=XDjl7|
zsUxAmKVuyM3YtAvzt+EvzyDZK;f>urqtWxPB8ARkH(q=Rr}`;1GNmgxMha&a^JGkL
zxParZE5Efq1O<s)zL0DE+9xjCIiuF$jApB3y<06(FbyL+h`x3mP*7jvl|KzH&I=l}
z>zb%jN$2ml5$8X9j`@A_pyy{hR*#|^@);mK563ceTcv^Y%!aMo)$N4l6rkVilB`(V
z^n1Tx92=Cmx<cq7Kft@O9&>kmvZ+A0-`tP(H_ZWTe0b)M*Y9ALo*kylNw61tsb7@}
zf#S_BScs{@Ua^c>mv@LN=)MeV2S3=lvC>Cms^<L-XmtIMQL8Tf1NaVo*2Gs5HR34f
zOg8l+7E0OgTk9H`bD9_|Rob?l_fj)fs>0Gp)p|EX+VX^u_a|<>Ry_QRqX*2_mf7uM
zvP?<x&{w^=oKm^@<WY}$PPK3C+CHvJvf8KHwwS+0o0KL8jkI58R>L^%%4g2G^*h2;
zKXK%9&;qT0dO6QK$IPFl6z9i0=)HvLFXzuy+k{2{T{7KJ<%ezU?x<j~%-GUJI_Ws`
z>NFXu_2_si^hI%{n&VU@F_Axo2wIg-uc(x-BF6DrH>4oQifx1#>3+Ca0XFY$_jj;l
zyMlklYqazBMd$>$-s8+h`afJ6+G^+Veaf4HZUCB6Q~DI^l@fxP@}7+&v2puH#f6&w
zW9gv14T{=?<<BrnU0_H0ElAOHtDBW<rm3tBJpm{L6X4mrw&AEfW97;bqGaTC4zt>T
z>kkF-!Ur%OQV;BYORB8(A3Lf&qbHA!bd!Ky|8Atk-Crk!rA(8;#6@ZyUztj^wn^W5
zd6hv+?`$NA3eyxq-@jl|`}1lzueY9UDYP8=YL+lYd!HJu(q$@b*ywgWWCOjI{t*+X
zb~Alrz;RTVS}gGPLWC;X^JVJ9t&|`pWy4KXy{FF>_90<)KgPL|ExwVX+ZAeDgT<=6
z9RfSfOUo)jf*iIB`$SOcFS7RDeqOPZM&Z75z2{PLRy#uHDKz9H9|CUT5bl&?1mcH`
z;<etCr1lZsVQoZzlT<D8X7#jaMQ(1nChjTKzr5}}x-!LbX}(G40{n(U^GVTRQr(;M
z^)C|!Y%{N$MUXz3zg2nKJB`nr`HGlEPR>l?9t}tCCe>{0R?2SWVBdaI{f^Q2z}4PK
z=E-MM>O?q&3PpVmeBPywj3nRZ5dIFmgv~r|ohrAjnB4vzeu{Js&OsETdB*IUPkud!
zChG)yInzui#m}K~&@y4vP?Y^OlKqddN97XB?`Cu5)I6=%;qR&5<V|Qa(Z)~&7c60#
zvL?&lqeuc`5hVOSQFzFGw6^Nmt6uyIyi_?i{D|<%rhTWPuHrD!oM>nZi`19?*m$em
zbt8?yD6o5X#;eWqdHlzJu+3}&O{#8bt#)BGV5e>BMF(0Gl&@;Ig(bPW#^1FO0qNS}
z*+LAhR*+thAl=c!vvht|cR(fcMZ^pq`xCQ@cl+R!F@M1MxTO~g$~+EG70?9es4YN~
zJfg$<nGiPmFN*h1Jk`Bk#>F^9;&}aKh45Ehxrl(aZ>Z6S?(hM)J<BLtg4>hN`|&Ka
z{%Z%KOL4~}ky7@5cOusBhSdbDsd~hVb3ES&lLY10gvOV?cp|_NEw*Z^d1G4ZKHzmK
zBDv12OmB6G{ebF&2s0P<2ELEF$<pnhFF(wa$KSe;%ld*^Gx5UcF@jlwU#$O$pZ)U_
zFT>i{RpZ#cztUH~6`Pas9j960(XD-;6YS{qP5Wa0?ioa?E-1yz;DP{*q=gFLC!iCT
zma#sAhDA@tOCn>cQepmI3*c<4=4V=hB$1ke4FMCRAST6%t!*ivd3sDmAQ%vyKqnD=
zQWCz4wVttQA)>$muT)TtaL*yPOc-X5<Ah~Bt>J(jTQt<2VR=12imM-)p_A34HrXrF
zz$4O?n77d0xM?dTQzRG}y8&bfK>zex&W8X3fNP69g_mpfEk2epd#vnv5b0-C&QJ9p
zFRsz0#5NrCPFC%!opR~}KW{(upu-&R`1|fXd(ntJL@7J<&OT*>$wq(F<izYc;Gvl$
zsqGBDa0UE>(L)co>|2>$(qBhNywS<I&PQV^ZMw_Wu4~t2rtC8lO==CQ5t2Ncus><_
zTiznS`qPFMt+M@#U#Ul_*iOWr+pf?KJO{*U|GxAA6@5}4^kX<^rL;$RXfA1cY2*=0
z#H}A6WeI#60er%**xavmoW7kK)ZQk_=XOyE40UpA&#e10wcZcJ4^&OBkMN|d7==Kd
z@uvh462@kL-SZ>IOsx=skx=tUc?fBLP;RFx|7{YCbRbjEVk?U&nG0UwFyCYpqwHPG
z(r(cT-o1~QWah?HS$)K>H~a@!tN}W{-Vy(P|0*StUGpNNEUvZc{nO^5k!uv-<z|Hb
zOVgf5{hBZ2Q5E8*_YDV982E9yAo^FcyC1ht-cVu0P4EnQ{jGhSy=cqO!Z+-*e~G!i
zCtB;U!cWZaeZv3X*)^e`wRqbVJ$p@VU6n8Wv=PfKg(3|a??4nO{k{<XS#ia+sHDqU
zq0-kQ=_ORFN9NGyX5JG>1Dm~?C0fz%BB~r%%x-y<3KGIb%#sN_(SPCU>vZgr>X56q
zr+7#O4Z_h__tMH7f=mxWh2USpj8dP%g(7yT5*c7}@8cwLvQzMv2yFF5(%amvqC#xo
z**UYXjj{gR#F{-3ywzqP(=F3(ewYE8JU%Vx=#LKoUdGaqB;^lUM9NmIp~H6=S1(=x
zq128vA?uBUfSVZ}Y!A2mNBVIuiQXoDOK3fda&omtTaC5$pQ3ZVwS+BX5pXSU7tGL!
zN6$Vk!nd8Y?5%sq4*A5k0vQmxSrw@*Xp|Qwl4I=DpW*=%2;~pOq$#pj?SkPv!OuC<
zbTrI#dl^#TEM8~aOi&CSI+{z<3x@<s9=uiqITGZsD_Ze!o%bQlWO;$&UQ{2^@u8BV
zuz2CC9pt?df*F?(9hQi?j@*kKGqEj>T?-ZqUT97$7d~Y#+a5{vKg^)v14h_3=|LeC
ze{8w`GfGXL2EYy@dFIk``0Q%zEF1*5`<6H3y~(_%TZBt}aJGOA*&-fP#JL|jE1*?9
zfH~}(lz!DIdYLYSpi8=W<+IjV@o1L$wp{6@c{>9KjC8)Br-#|xaczqyYHkH?Oh*sf
zbK(O>QX48Il~qTvUs}s0@iVn3qmb?WNK;y5!PLPP?7ly^3kZuxnKyU4NPD72DTNac
z;FTWA#rwB7bpofI#dgbnTcf8H!^Xxd4BBBPC@^duKaW|N`~Wv1u|@<DnA*873Zr_0
zc#%sZYl3sU7#awadh%$aKH5+Ibs@XU{5zy($JXsUuv6V_)~(I(v$p`%g?$#g?R&<S
zaloL3vj9oHx%v1qKie>)T^HBG1k1RqE6x{=7kiJ~y}&3t<M)=S+!_E!^C@kb$2b$g
zRM_V}{O^gK3M7nM=amaEq#t>S*Zbr-Oi<ol$#&oB<##djDiZ>r8kJMv6_+udB@HJD
zQ%F}tvEr`;WN7TZM2!E45nr*uF$ip)RI^$&g78>wL`{YkwsnQJZ{QwsW2!O05k>jG
zbxVIg)0e*gTB>JSUJt++zBZhZ0=*BL(gU5Fxu6UbG%p{zQI<Y##>tfHG7)B@5<kC!
zK!;lo?y5hwXL#+o%pv`dmE|)|R3PFR&#B1kj~WM-1uJ)4i*_Eel!6~-lnUaM!9ndt
zEWuzqgH(u%v-)@Fl*LD`^rZ`U|Niw%U1>90{*fTts-8X99-^F*F74j&UAyFM-6Znc
z@1Ir}H45~<^48U*AC9|TbEI@};mN07Qj?LErU#vhMGE1(#YGj~;=rl?)X@#jR|}-7
zqT-=_igOD4)xHY;PFY3u1*a5WZ7yrjj7cm&#CLteMP?4u?fR&fc(b0uot0Jd0-2{a
zE(S4Qgy*lADScTX{_09lvZ-@i*-n|1L}LzJkb)C?dM5zK?8RoWK(<9hTSZ-e1=)N_
z#<3rRejRN6bN(EXrc`}czBb0}atOIkZP;GRNL3>p^kL_{{fgQ|M!QE8=O}4GC69Wm
z{1s}p{Tn5MBTAgL3lAv?s5+tpC5zL|ifW)1Z+L|s*fBA5lW@w~rT3GThFjso+N+q#
zCo?B_>1Wr`{rLL#!3(U%|D9w+ju4ewwvrs!K=kEl3X6&RP}HnPuhT27%3!k>%x;$|
z?1H1YQb)4r-|UdQ-I{EZu4~+faZ(T)+4x$#H{#mhYgz|QcGRtROel2`Hh<dHm*GmD
zx{G-BEmTAb6l~yx*SQ{PB_S=GXZC&Xc4+54V9iMjrQ;T+7Zf!E+e_66dtAf77NbLu
z+7@GYR_s&Vo-nXhMb4~v>+*QSw#te2>LDx;-5HGz)DEqNo^D<d1dGQW2*w2R4O4iw
z=K}>7TH}d06Fz9S(r(u&PknG)Sl~<n_GV3T$#*hvPWo5BF~mSu8~fNolHHeTH>0d|
zm*o}S@*$weL+J_JS*#mMoG8viS8D~)$s6v)nP>UQ#S_h`MOwEko*dM~H7p$-Z#T0w
zCFw>pxAzaVri1h>7Aa$QK+k#YjduqClKr-jCJHJYQa#-w<M}+VCUBp!t8?><d}K=w
zu9$hv(CGV-L<H!oQsZW$*AVf56$DrmmyVU4VjqJ`E3>t+Cxp{;{hl`$MHqWznX$YS
zzuyo<r^>dG21grOo=qa3N)X?1Z0!7@-ki6g{88=xwb_+;hQLK`MJHuf$sD%Y+8y<x
zNO3{O=7qPgt>LiT+WtvX28oVJX^6eSTh+n4>c3^MPr{CBT9MDWG=5LF&HX#*({=iR
zO-478ukZG5CQoMYnd<$Tmi7VD?!@{NqfPL*1Q$SCryK04!*fd7di&zX<-S{=%6!)w
ztz_Mj{2=5SRi&qDW7-5Q7yi{R>S}AD=Q%gdUh2(PtEo%{!|6Z@kUs!d6ZGk8v-sY%
zji;|)y){kE-jKH(Rf(Pp%KS<z&o!E5!19k6lJxmGbNKjKa#-rt%#954J5T(!7SVGR
z{WKPkG&j?7sJkgJkoxKg27teWOcv6Y%z)<V{;^iY&6v-N8Kz-{V^Z*Bub=N6A^vVP
z1oG`s+Vh_iV5DFJd$8`g{ZiV~^SWP!GyIUQuQVr2#rWPGLXc7ts!FhPn*tt97<rWr
z<qTZZ`1GXE;Ji5eo>%e+KZ=t?)LE*vHFTZbRpp#NfCWoBBO-C-<)!WYGQu5us#l#o
zVqsFHwtt3S!UHV-1dbS3>v0X>@GSW=4Oq<hOAtQ}E-yO+db%`V>7}f%E4_*YM2H{-
z#{1cfe>(U!@BXm<Qcxy;jP6{UnKSm%?HITEvWAkmYYBVzoAnPIPJFid@C$xvrF;Ks
zsT0Nj-i2&y*4=tji;5`sVr-p0d&td~8lzkjn>%3Xg2kMaigY(<Y~9V~m{Mp@W^twr
z?v_$s@pzRq8FFGu!C`mzd-{Zz%&zE-8nhrTopNnAp(8JPt>w@h@%z9n(%9>{JYh`e
z{?Y<DfRDe#0V2U^q9#gnVvVUTUGse!xxjfbLVqx-YvYH*UhYN_+>~{AP8BtyRy;ql
zJmE8fyp))34MteUWI+u|HUrI~VY;hsqWs`ZZ+5lbJ`)uGmdir$6Bkyz6F;y?F%&VQ
zb~|;aWEfjZI73hYzaNl*_j5!+k013|fKN5U(S{7D3%+LW9Cgh<<!Fj)yuja8e-lNH
zymv*A&D>AT&~*62S3li^mr)zz3T=<?K!?v!3qmrCq`KQ=lNjX$!QpJ?Z_3VSHeQCZ
zzh2-qO~@_S8OHj!yV)Ccr$ap7Y9@Q=F5`oh%g|%cWuh{EbF$`4UgHM^XzxBQAVJ3Z
z$x^07rV@^@m3Hs<)wS(P0s&BQh{yvPQm6fns90CkrImh)G13^jS5S0id@x=f`n(2s
zg=XC%u}{6aP{SSF&%_99kb0@Mp$?0MT)F2+&W&c<22@3K_@E)-WxJ!{GOJ4-`YdYL
zMR#9x_wDAJSS(HF(Bqzx7Ye`pZ56G+6+NZx6A0<DKA728X~KjahVnNkFFDfknj`G=
zdhD5y{_XYt%g-Q=%&^UsMP)`fmRq-Zwd4Cl<QL4xCXx9z>ImVjJw7N!rAEtI%xa|K
zr9$SAm!p?Ov<gr!vY-Sn$c|I3RF6k_`(lzJ&*!$P87XRzh(oIzStcjH-teR%WHWSO
zN5NliO+RhoH*&}|30AzKU*1KNCS|+{Pr;4I=*HGT<%KYYC9<@vt`c2mkJ62;mlIQ7
zr|hR1E4BX=CBVYA6CW}{Zz*tiZkFW===j9R(=C5S*@g9wVMi2%+6jFjelINah3LcW
z6H$I|N1}N4ZB;GpBM`;4n%HB-A2a}?Zq#|esQc;|`?;MT$TRd`VLBIHvn%Pyr8vfB
zongsRYsKZ<ZzWR5n{#KjH}p;<t|FRhH4v5f9BlDN_tur+v<VISZmv%6s&YzJqJ4LI
ztM`wd$9Hd=QA?Hzr+DBQ9WvWXge+OY)Aw&KE=uoKd-rqnr$N8T7g)=m8dJs|jON$m
zQexFtgNvK4TB`w+{7dN%_t(T%gpN<jONeudJ*&invc0u}J~5FMKqRzNmogFS-#*bF
zm42wZ>{SvJPvFEY@CX`|7vm-nl6}+a%SnnmR@n*<E&NJqc5-Ki_M1lP9hsEL(;R7x
zKLX@m2c2YD%&4jSl+H9>E1?=){T}|~;@%f{7BY5sdW(jiI8PuSo?EGN9W0rIR`!1n
z8kzVJJYx6UiWPAd&xlJK=--TK&)ulteMm^E_H6f9LZ7zh!m(b&sb{h&DSq9bsuwY6
zELCZ)wR!{Ptywt!L;I^#RpU>uGJeB2H*7sy^dla0iYA!P%)>QmtUPPt8a$J%%7bcO
zlyk<tao4XX{KAaX_W)Ouw!4&<Xxn%_NGvS0NvfnPwN15W&(>qO9lr_a-ED%q4qxu4
zZdxHQ$(+S8ZnWl>Ci2U|x$!>Tz%9}a+mV?YSoJp6baY%tlOn|RPc)nViP@cCR~iub
zRH}B3B)7D#hyOKO!me037uRT*YjPtJ-*d{}+|TTz`$u+@_J<s|Yng19A6_emd-+Xr
zYTZ(DI(xujt0vj^!2aya+ePu+O4H1%V8w5Mu6$D1A*eyIOYIkslhw^`RQXQzf!7N>
z74__g)2F{pzg0DTWAR3Fnf@cz_ThKA4{NO_{vy8%E`q+{eR370>&9PVduGuuJr-^?
z=Ksl(5g%?Seu(uaDd@fq9NTgA;HDb)t+XrWR#(`8-z9i)7ZW4$stN9vW5fde9hvrP
z{F;QM<O<J&9j|G_e&Sf7SmnvO_@@WSBY$};9}LY2lN7ezH9Kx!EFSW@8|RmZsZzNF
z*K@U0^=@8pbrKgefM=}8^c;pZNsL(LHliwIaZgLy5aCs~#y`g{IqkkGp(#2cet*S3
zfX(jbW!+4<xmu2@Ht4A_J(sj+x7%8g3Y}6Z>>XnfhD{DQv~|V6Y{hXq%AG3-US_KC
zcv_&u#I0&VVSZEfh_Vcofv3{jnc__DL@Y4=^8HnjqFBt;KDtf$<gGiAR2vhSj2#*}
zHMxRo`f0U3ernQ0?(gmWR5Z3#Wq%7Fy#?op&i^iFFazjM|NdP1XJgk?zs&dfE1hCf
z__zJZOOuONn$^w|PkA>zyrJAXWNX23U18A{<;X6tu$VdWBUsPKLEJxEvwwyrQX|t4
zQT%Q~1dm($ae!MJWE4df=(o8JluRC3h(EI<OcyUVODsXgg%}6XmN;QC?fKjF8(}zy
zSjC3mGAoXWYQ>2lRVcEHRuPz*RXEN+UQc_PA<X{-MiF1scZ32C;*Lk-kISX2cV*AP
zZN~IfainWF+f5HA%NP9o7zu;eBWL$53SeUW-dQJd%U&obt%@PAa{qEim8WTc?)H#N
z@8%7A{;M#iZ_{XWa^0YYV!p$~2g6+4n;!?W#|;DdJvPyKs9fvK{SPZwRFNr+NI{gj
zeb@H8;y##I?^q&qWFM^hN$#pcVhXAjx9hDcyq~e0Q`^BsmeYp3_D@{>MKH7%Bb(i_
zcUW-fk{VG#VwIOlARE{F$Ij<J%IqLupiTxWs@`s*_PU23o1Ax&DzMCLo-W&U<;pUI
zM|cr?5whLVv`dwFbiQnUrG9(=@BG1Xx3lxwYDBlg01Xf_p@q6$iXlIvB$pz(7VwyZ
zz?Wd2e9p*!2q|dbkDbnku2yLvUsFNpMuygPBXOf>F`ev}?I~I(3<_IvFHs9RZ`c@n
z<P=|*N$G-i^X`ua%$Q-B)^eW;2YPwlU?yRLqWeY3Vb%S<rnY%6q@cwuc33a=?x0GS
zYZ;Eys)jpF{u?4wVkP;C^=6-xEfPnRVZHCvBFGz!t{D{=)1&oSs<n%7ND(U>HKg>U
zdUW#+n)R%tNP`Pjm|gc$lx0Ykb<@NkZNcZ61(@|fNG5eR`e^K4tQ4j0<u6R~KAtaL
z&~j$o7$%1<vl7h?Ty8ABWzm)hp7ZlpdjJfd6-*7XpqN|jOFB1_wrJTb#O;;pWq0<T
zgd8#m;bd<n#uNIp<D0z@IdDX7k~u|6SGB?=DyeQ@EWvF0-6s_$e~0#j&Q0mq?3lvA
z@}5mtd2xgABqmdhIuCHdHAdWx6m3CB4sKrA(`D>Qu2Vjms8f9(;{_(IFOBSD6?x_=
zqbyA=R0;#{Om@J{%fqP~9>#}@+nwL{?^s}Q%D5a{t-hk}Qc^Q)D#JlF3XnBa`C$?J
zVDFg@TBX?oFgf-Ly^Z?mmWC5S^ncVoz!EItKU#pm-Ea5h$UFYjVu2WOfzMd>j{_er
z5d@2m;Xd5CFmjpk`0l@}uB*frt+|o5CLF~z=|HV<5Th82?wz&!z}c245rsMh4}&MB
z#7CN*i~T4UpKkw{H?jG$^`qxz%@;^*3X2DZB%h^ppr)!-yzGRJ-G(y0b93mdn3j)n
z8*7GO4}M}AF;8`yzX!Fg439&c`f|rclc4Q>rjojwW}8d!y$D2xYz+@7##&9x`2ZEo
zhT0o@)}dGJ)SPhO)@NRfN_ir!-7~*2y1DdiIz^?+e2Z!EZKq71cF=U~^MtRg<hsd>
zgY*<l^8-dTFaDu)Qgt@2(mNm}NN(itE^G}7Z>7Fgb?K`3n|1GYZH8A$Os(N-8aW6b
zQ6df}AUk_bE?B<kPg&xq@+Edm8~KNy1P}$Gd4#$<hPd%wE(fe%;W`aI)=qAoVAc04
z;{lMpmI7?St$Q5#465$~(cW&=gj^0o*SIp|Y!C9=$$G=+<fjro5@8_mBbg}Z@1h5c
z%RdJ4(=DbRSQ)V>vxq<sOO?rpV|Nhu^JzL-Cko$ODecgBDSmwc%T(O*mYQ@%G+96=
z()7n&YA;xr^2`g}9%VfE{_8>J$5&kWf4s|u;e%4DawjBR1p~!V+gkc61|G<t6{=5O
z2Zj^7GJ$XzQV!oXkSFEd#PY|>OjcfBSmK7MS-#&FEUr_8)lJ=g5_>Byy)bfm1Ske`
z!<DF9j06U(nj!PY$9#>ydi;)D58T;kVo17L6QgVW7w-74;Ef6`2?Majj@R3g2VgIq
zK*;91iX`R~%fI5y`XhYOd}CFIQiD=F8+syIdB5R;BsLK%il&>o=)TbmiJ~b8LTHiF
z)jZN9SY4vkbIMSRuo<v^xQRF{V3^Jy#Ps-o&F5T@ey{o-KXjWtP~3TgGEC5$=bX=*
z0C!h_GhfBWDnjNSM`6;{EMs&Km2-uv{FSL<sx>8E)dZ8+fS~QsuBBoxr{*`Xr}na|
zeL0vk+^{mEG@l!$7snzo^8kq;@cEK_12WuvD9T8jp{x81$uGE=W@R&D{jb0d2%~-X
zBzUB0Eo<ht<mB#cN}(aVk1Yh%xM@Ivmty`Td6sDX9UJ_QA=#nXdgq^f;8zU<Sv-Bo
z1V{Q>>rvoq;Om)!<$XQa*`>@Ifat)*K%6f)BM?bBOc`tZM~`qa_>VKXu*JV6GjQl1
zxATwIY2wJ=Da6ZTFD4kL8dPg|aDd;D{HL3Rmjp#0uTbuUVa0FP5>M?O_q}}PbUEst
zchF*s;R!}jjy%;IRHYh++MX{TbF^_#4EW23Hb;nBvje8SzvOZ&<K@kC9~AMj!Ryju
znxHX8C*h-M<%9W7yJ=6$Dh<Qf^w^Q0ug9Jsi9gckWc>NpI^YVhUUsGb$?Xha+132T
z*r%CpT<<lj`%MbQxJr{rdN@izuSj*!vU^s0=}w`bLEq8loN*azLH)Jk{*xaZ(d!gF
zi1(ja2wv@29k*HY!f;R=#*mIRWtv@L7rkPiip7`aJC$boIz>0iTdZyBwqL3AM&wr`
zmV*rJ%AQ@sT%Hzz73_+~xpf2s1hxj3@bfBg>a(xQuY}&MG?^*XLWxv6ZF&8LE}G=T
zr%@vDcN?)(8lrxRyUIhho0qpzI`EyPGSqmPS~myxS93*G##rZa1n2Oom6#l6q{zgG
zxH$I7cpLoS?@v*1+8wA_q+MC0cxK6}ot$V(9n{{1Z|({b7vO#fYE@Uz_stfWSVcLq
zb7nVivMk(b>RG8=l{7tQ6vCTNWQ?zY6q|iw5rp~oNZU+srg*g~ZEm7*kWX?e0EtAj
zPkE7i>!YRoiUVi=3O4OPS(o){HPR`wzT8%44+$*`EDqe&Ry7JbzGM6zgI6IjNqMaW
zZ*@BYG`TqO1Ns47YFKXtn-(B#0I1NHjv7m%)h=WHRPuK;1M2%gB9#7g%aVF;^c4Gq
z+_OWAKp8@nN<W}PR`gL32Kv5#^6CEeOp{*>pOIU>V`$%_ah9F29DUm%JmQ5Tej>8Y
zviYa9`1LOIp2Fa{ru*L>-Ep$r@=z=NE%Pj^(J_(wtl9G0b)hZ=C)HeZrCk3bk2qs7
zkdsSSHoDSfc<;A}EAMFD)&_6eH)C}0NGdZqs@eL;Hecj_Ppkee+)#EmCTOs%TEVJr
z6rVnEeBvIPhi;_{Z!b~AWte*Zu!azqav14MmtF<)a6USIPtc#LmMAE(eQG;{FzteW
zBWIR-KIyySU~ggF%qcrD>~V}1SPTs=d$Q4EbIC<j!Z(0G)|uGb8_5(whAWuBKegQt
zL^4r#rBmbcQ1gu*nJ?T%+S@nTU|jPuKwKsFmdH-*{b~~NAq*M56iQ5n2A57xCyYUf
z%j*}-yR~q)gmK5a1qXd^l(OeXNmW4&1u~4=r%ENpm0}e0tF29DM19VAx;n*Y8efX;
zY=2BD%XNih3h&f+#n(wy5<`E-zb2xIH}K0C#n*_7{K7aeGHpMp*&H>%F%LO}w7$by
z5W*day(^ms-2F~#FQ+k^=H~Xgdb)0)2=Z3DTOMcRytd{{qstI(-WaGfLgE}xrYwE=
z8<y4@@l!7jzppyS0db43$!+sumOY3&tRZR#2haw_tTNb<+Nx;*@l%3x66=fUfKz`X
z7+SijF9if9=b8*;%g+(~3f&=axqG0KBY@L+UV3R7a7zD)a+f>tCk5qn%clF^PHQR`
z<81Xq8zWY!mi>RIbPXy6gmD`_hzPTs^N)OYEfRD5LOT7V1iabtKRwrmfGM1}@R<8=
z(p_;D;V(O@tdvgVn+HHPZEK0hpJ-NM^-fCJp}*9L*-Pw99cNnb`wJbDzaA$z>B3La
z`H@0E%6t{8`lnlt|4Gg^K5Du#&~Y8{7~kl^Gpy(F{rtZApz3KbeNFWE1e(@qIiZ$F
z6g0?`cK9kQtj>FE-N&61=;4{V3C~F)2Ts`3BbL7Uzf7Gzor3pe|KD8KF!qpN_CCJ?
zxdiJTzNeq<$i1Tuzm=^Kr=+!B82Q@hM&zrg8tFcfHfPDkr~6^+=do|5ee|~??RRN8
zz#Z?0RDFpNbw&JyjqcM#f#7wm9mVl`)rG3R2zjb|^PU|GW2ut~=tOwOsI{gOoQ16?
zrCG3Y;o?iXaoiZOs#4o?nNpf4^@`uTvC>-y<F9jwCle;gtU9XmsrB-*{O%5c;VXUL
zNWJ!Y2Gw^|D~5@oIF%pr+rBNQC!CM1+n{8u2bBK`zOCdxNg!VY;zXJL8)K~poj<m|
zJ72<R2Dl>a9h>NQQQ;G`do}-v9a`B!ng)8N4+MefHd)-x^R?mhf4Z@k0*;$;^j5XP
z8{6q)4U|P<i`AnpBwoAiej$P|Kv-zCn<>4_$99)rHKo%2@^fi*Z4Kbx_Si_Y>N~j;
zFC%teg>gPVRh%`WJI@rB#@r}Lg6SeJ=)jG6dYafs?92R&l4d%e>xiXOvb|_-FezrF
z3(sa(F#36A3_a`LV}G95+ksea=7h=(q~A1(E3T-PCzj3R5@ee1#oAMZvXhkf*k*2M
z0|{*Ad5h*2Lw*gntc~^Zg6GBq4`E)_s?4W9rUock6%_}T;Ubn&=KFui05$jc(Xsk(
zi~8*DW%^l?_7Uww%Kx6BYn*b^fc-tUuigXr3=lEAY1xtn;tiWRu+LJFrBi4WoCGp-
zEg=)ycX+}Nt{I4Eglp?>UC(xau<+caeb|{{;Ql738&ozjmmT|TOa%Tk`__zEB~@>n
z&93P5=SGx6ej`rf&r2u{%Bg+ZR7{T75<x-cr(OZKAc}>rB^B3Ak-jhY#sfTpTs3LC
zS9h{+#DAHeSfS|o`eFAa<|Y46Yx+M9FVLdDmOtnp+f-`F-S)r3#WOUDsR?ztzQP)>
z2tNsGLEKSN(g#AR{)=axpFI1w+75Z)6G(4{64(*CdQ<G1m8z9h18KU6?Vnvm14#TW
z+lvF%j_DDo24af`1kRd&9&?D5aJ`aH@cnh-&)njn@(S;jiYPrXYLWia?iF5p3K#n0
zu>2V#%`f-Izu6s%mTgXkwo}}6N)p$2CHzghVXnA1_K91mb<;l~PWaR&#pwO3a5?S%
z^E!3&gXQvtftsV%q2BRZRlj*`*F>ASd5rrazEx*ilBj1vA^S(RtN+E^D^53hHL}HO
zeZ_C-D-FoT{tp~InFQix+%?+!2AHR1hg~Y@Sw&c4E~F{zXuKA>lbVxii)t$p7>ZJT
zCp{8&(FwXlRR(XyJp2t~kbBBAH3U4$=P19dl_ZK6!lG<Tw<~2<7=3`Y%Qz_}m+mH_
zw&QhqCoJ0gDw!Zoj^7$93am&`VhVh>oS-V`9QgHBugQZ|M%S4KfgQ?6QxQyNn!d|{
zV6xxj%@~9Nk?G9;JES#Y36VA9XKE_Ed?f0r5coGxx4MZ=`Go9*_!sqY7C;stq>~e0
zZD7m>W4r6Xo(5z##CSx9+-_e@QNEf)b*}q)#nlNN%pTL_wYe=S;I4~Ib{X8e6&>Qd
zSl`P8Zulv@!d)Q`MF;2M2%Q%-Bz(bSLMnXt7)<TK=jIFKk~uN4Pfl5$%!Ra9IG(k6
zx!#rkZ~gr3x1Rkkt2mb!NX_$5(0BhRpjJiXX8>L8wPlB6?mKa_KOn70`x7?t>8A%C
z{~z|=`>n~m+a3-G(o~v&BM6E#rOD6*5~PTTfar*H5LB8Nic$;-C?L`mlrB*$sC4Nq
z^dc=3=_T~2)KC&aNb=qZIM4Gv=b3ZPAMoBk=v>zbck-!wuf5k=yQ)o5XFl<*STpg)
zDTpQ*7`F8=vrcrIU$|}l!j&1>yF2de!RV=a^OT>ORrANb<1*aFc9??<!%hS6UI24>
z)VX-tW5{8l@)vd5<~n{slQ#B;)OA12>nv{MJQOK;bK|d}g_rnPxUhdR@OymSkA!>e
zR>zS@zXDhQ^XC6ah+uffWXjfni$-;~U$mpVFg+A%3!ICz#s+;*tiHc>vdb9?EEK`Z
zd^|Ru>&M%XH*A-k^d#bdZNbL%QR?E5G-F4O==Cn3_I*w7rAXKpHpSG}bJk${g6RYK
zg3n}2fQcD=KAN2CZ7dAz{V;LufbCL&sKR$AW(j)k8LqRfaF-~zRC{aSHxrTTPXdhz
z-!$JLWMMu>NLm+(_nxMo5`+Aq^Bxaq^P({oyHjRG5j{H^!80k?)<5y>8+E#4S;DEd
zg{$kSUy+%zLx7vacGN^kr2WDsa6gb3{&hd>oeY1sIf!1`oX0Gu`L~Mu4e=IUg%Q<O
zi{vq+j%ntp_yQxwb8v$-dW>OJExuF{30j)w*c~B=egy=JaF~$D%@GSeulgqvDqhbI
zkJzND^_=|E>+$9IxRJA++?U#>W(_qK_)^-z8_y9N_|WphO^GTDH)3z@AVF>b@UEu#
z!Z6}hv1>G0*(KoO%L>_zTEN8WSb}qiItM8R-|z)*Nz&W+T-?!m6>MaMmuUTq#Fh(A
z^MO8kiDxe{wEu**pRbr1`DGBBm>f$yaTO-qcFcQyTsV4m>?M4<e#n97V1i@-6_EZd
zq}XeUP}Tk2x$e2eL14LclVstH76XNsg@)5+{03-J-+~d)VqbhLu0x}M*2!J?r(^Zt
z-9~5d`ZYr5lY&L&sjQ4geZVOyN-L5LGSiDFb>M$IlK-nnD)2%^+E0QUME-HH9w?fY
zwkOAvmh%JaX}BNh!uY_bnm|-m6*oZy=u(}!w+GV?v(O5>|52v`c){MI!Sqkd0$^Kg
zvjRHo^vB}g#Bl!KrV^lVL<`#JPw<xRKaWw!|3!_go3$>g*=fbY&(2feepPqPx`0Vl
zHdX*Iuh8`Ca?kUk2aab@)?4GjGbZCntAi6w1fSI%zbE|!=`5SNB5q*dJpPBd{vQ;q
zXofp<-7^hIQC6m@<?y)PFjZ6^eCa{Pb|}tQsn#9F%ebbLp5+YqI@L-1<Lsb=n|UQy
zK5E2HZ23(J2GBQ^?&CYdtAGYjT<D+wqi9mqX;2wRl(oP(`8vpidY~y5h2voGuc<2n
zka>rifBasOqLGyqQ!wJT|4Bx9VZ^y-DAkD|WlDAVua(L%!k7rR1$*7KVP)p2gqu~^
zaehDp1ELE$7`)|hf^jVmg**Izc*PLtQNQ0wys$kRgqPlRItU#)1$0gpc9+4+VEvN$
zp-5$h<RF7J-J4Feg^cIe%r<KhGE#$efI?q|Cmr`twJVPYoYv<E4wv)RUsTv!c^hXH
z>vVYNoJE%Cwxx=<f+;VD^5e*{+0Q$OyCki->g%Cx^56$iRd^MZEdT5qyhUx{)zGyR
zs%6e&Qs{cC{p`jU)UmnIbACH&5vbR;eaQH1_6FcnU@xP(r;i_05I~)*r8ug_ZWbo`
z9B)}Nz8{oWbeQBi5ZAom!{fMe7~+Q7Qhz^xI?nQ0OgzNOhQ;gb+!5O53*OTCr*&+1
z;2@(XVI!9l8@3Mg?Hq-$?*Qq}GtoCo$IC%EY*k-CLa5W*bhb-sUJQ5eyEa_>mF<&-
zXL!xdPd|w|K0T@d!`<g=s(9LP;+7nDsNS2CmCp+d7&&=weG<vFUG8TyP&!iELhk2?
zB9AIPj=Xv=trrpJFs3aQh`Wr4Rp@k@%dZK=#__b?7Th?^7G{%^FzYiNJ9uNgSv$vx
zf}5JTy`C1oDr|M7HF)VgQB0XZ*~ZzYeb~}{#!0^l>Z!U-9&Mg^S~gj5FX$duh`Ecx
zeA|+#y2iNVD5B5%3$r(;*^#y_SKKSad|~@cUyPy8bE*+sb57YE%Hu|12DbUfe>?~6
z4*ZzSFkCwfaTno*6C$dX^ry6l$9@1^W)1hLh20scAfZW~71ZhEJYzDe%Z(|Ugk#*z
z2}QiYAKtWLhnNgG&zyBtLB0ZMhLg=}Z@kUDt`qg{Zun6-t@qIDh|8F->R0T0wjRH+
zD(iZ8CpWjp`)SCGiiK{e2|Rl4-HIKmMKkFs#U+gY`jHOAPhB|VCnf(ewo<t^oWJ!}
z#zU3A@Q;cin6d?nKNB6H-rsj=9UfQyZg>4H<@2|AjN%Wc*A<^Sm>r0P=xNz0t^XD!
zgKYtiH9o^DDVEQBnnYqN^tgCxl-`CpL?~1wJF%+ktl_Tee~h2H&KI&!P+JxQbaXO{
z1;5hMlZ~~?_}O4HX=)wEVh<r(<8jZ`1r}uHPKMvbd?^^bAeH<0YCFe$X{u_iB+)la
z*;Qe_U|pf8dDv7qd;5G>z%G8x-or*Q=wQI$f}m|(H?|<qto?Cn5K#6BcKydA!dXwA
zvH&GXFl<jx8(aWnJ+3s!QGpxpG2P)x2!Eo!sTTueJvw$=b1!GuBKSVnm?=r$%4TwC
z<ZP1a`|;$J#GDIbqBv8)(XqQlwPj(U*4gkwbK?i7q4*+!VCA6ZhlJ8lbw4Z6Ac4hR
zpezl0ExYaWTcxsazK~9S+?5wX?gCwg1b0*dT#TfdW(MLX>0T=-nz09F!QuEn2E)Hq
z=+fbvijPqTEZ7@`H_duTn<xICPD}$hi>KrjPX-;{1+gEf&!TJQY<0}N&mD+&rJ1G<
zl9YQ=Wlp)t>{gO3#tp25l<mKOdC3dh!K8E!AC-kdVA$1o8On=ZQGpM=zRd1^wrlxT
z^GVu>XFow3QbQU~nw~{S7VmsC1j)_43;SP(THA1U>(VmKJBoXK_Kn{OJCGb(6_81y
zPWuBe2$rVURcoc6qRtfg1yudSGxKqj9lurBDPyMZO&_m8x?=mRu*LR`<2va!Rf*EY
zlV3nGyN<aD*!U9R<;qePneXcl54qtoA12MX#+(8~J=bmA_|%oZ<3A3_Ips75-e^-N
z4^x6JPN^tCFvsEV=0i7wWCxF1W#ku6ex{xVjIrwiLTPFi4_WJ4!v!Yld%sPc$Nv0T
zs8Q`d6>DNL;5+jZ_qNL4bI!zM8L{t5qM?}={m^^vh@5ccY=cDxU3X}@aP;E6jG}r3
z+Lkb)@?y|DYFgr$Q+cs$;nLXiD3txIRkzzR`TQ>;>wO3|u+)FXPaF7`f6%4Q7WXBr
zdCho(*ruJ{SRx-_GOEdo-2bTu5)hHO_FU|(4yyhqsYZ|2TY{Za`9jQ6%2}=w)=$EH
zBFE<}#J-QO4Z15nmW&<XP*W;B`kqz%f`>V&#&orvZ0Hlm{Yf+P5}xPA?hNsCYZmfO
zh9S_=I<2H&Tx7qI5*^W+toc!)b;mHI^hoSra&b-s=@sctJO~hsxLw=Xd?C6Dp?sl~
z*&7hJokk|Ab)NyjikFOIU7RdI9~E+)*=b9d7WmBDFnUU<`7!(01F8mhaxIpl#tXXy
zkWQ!U__JwBJ@UhTv+ax($Z!N09KF%T7?hsnzA@`d`>*nR_YM5ER|#XlSh@#(wGyq;
zTyAbH^S0b0Bv<@k(4V#L(eQ2)(2;-v(Q^+Kf<e_|=^G<o7tuwY_CpKHxY<6$I{sR1
zsk+~oGd(fOkloMtS$TYKxM7$(#|W2px7HXv4Tr@Ul7Sm)rV29)mYoFDut+EB?4IKo
zb+~4qOs!cQ1&5w&B!!`*pIsCdL#-9|B}cOAWdi!m-1<tMz1au5z-PF;r^R<J2yFa`
z`HHB~<_r1=P7my^SWW_O+1$|X8+^m&J}wt|i|arbsI!#~u5V%i?q5nm^@L73gm_Od
z#=(#I48Y$!3l%#0F8-3?r;($B!?v>(O8OwY)UxrJ7M^n1Pz43q3uy^)uWfJQweM0p
z84C<Npl&K35RoUo2VJ2s0^?2Bn|J07uF|Ox2tC57#d%};EPra!(7phVq<jJF>CEo>
zPQAAfT1sV}`Ip67?9gobgjUY*i5;R&#VWRyZDR+v&RCTt|B}VJQvKa)_+zc;0X63|
za@A_laT1X!%)a$`%S#o)@@xArk+K*CyNyV>>qEk`U~u=;eeX$U4g||uq3^{0c%S&q
zXKWmh9~TL=T?R0t1loNki~xL>azKZ!7#MdR7=05F!n39fd;t*XI=wtE$50NbE@iv=
zS5G4Iy>I+4awJ%JtebOBGXBK`v=ommVc<y1?+ZVfpAEF+j(~44X-Sthxyoea0g)SV
zt{Tk`xWkS=L_VfXdO2cG_v}#TQ*_|mhm{oOTSFXmrdoiQ*@=2R);ed-XYm^#8aD}e
zoayPH4_n>mV7Nk1f+2s>=it}1-;`w9S{d={2#Un@*))r<YI(I}WtrG)Xi&tHz(v~1
zM4{b^^_~_>EMO)@w21IxaMbsts57o79?ymuSK9O1IHKmjZ-p+)u$~uxaWU`4PMpuV
ztgKG!bw9^dj;>Yp0Q+{4%-6h)>KiDfM1luu5*Ki>bGGJvC$(GR4^z4AW-y|wc(9x@
zht0Du7@?*u92$aA*OCvD?`kRTj_PZ+<voA{MW>r*OqD(!>sr5eisTFQTq?Azg6KId
zn(mGTbgvcF2Qd{({NN$_fs$AmwwD;pyoLAElqnfn=<cn;Ff1?(EFbwylB2hb5?23L
zwJiTsV@=K_Ef=TR^@ehJUlP)ZTdSLwV;+7hsAsT?mwi5`Kz?k;Yooz`f0tSvTfW8=
zvvOV}4i)$37H&~$TsohytZ<)VC%5ize@Wr}#V!+s?M@>0^5){2o#UEhk*SkwuIp<{
z;Ri#*>9-CQu1s<0Ye#}b?1n79LQ3ah2Hh!v9f9w2Kfih@Z+R$jsC-pQqB>3z9W(4)
zVcH=448I)&6RZdV%*KWq0eP6F!XjKlsyD=y^42}$c2Ot9BZge#;WfMIyHhx$+1qlC
zWrO-Ax2PGDMl>(pnqBbiQqQt4qpI(ybr=2GxKg?`dt~-6q)!?AAYJ!w<ZpEnZP28x
z_RDmZeZIXK2fbC;2(<8$**V7Qh4nibZ};z!o5!uA#;+ag8P;?TA!k&rC`R=zOpnf#
z&nqXyc*_nZ!(o2N0*&oE`Y-Mc6c)oGPNC1DWOHv6oyx6AtbIyt-ERAei4O34ea{FI
zwOzWc@00+kde~9T>Gf;r4S3Qd#i$p8qo~>M0+CS6%>w<MhJ?6Q(%sTCgp!u(Cbbn!
zG`}g-#}x|eR+l6?<Y6tJ={F<0d{)ZQ+O*YR1NnPTu97EfIT-Vs0f80m+!!AQv)`Vl
zS7_f0Q0O@HM2{z@yx@gi&P6jle1FSaF;k(`WJyF?daBE(kq?DpmsQvj!%BXkTzL=V
zdeJ^OB=#+!vU0cMDSxfY`+%s1MOKDkf+6L-N~y|y$q8L|w%J!pS7(m4W|Qn<J#yJ-
zwG4o<c6fh_()S?nM}h8s#AYLzFf9FvEmiFHH<a#+jc8^E1>r7vW>xpxL@xhCM$h!9
zv7={NUz>skTc>6|l$7$<S_sWO-;6tzm}d?8NIGb90hH*@N{D#4AIMhi!yCVwfk3{j
z``Gv5ZQ~qqiD?toq{=o+VW0a9!-~A52DJ+9lqUOI?uMN*CEQr9;91RzAFeSPEe46?
z4+?+29VmF)EHC^1p^u1%4(KCn`~0$+GHczE-A-Ae$UYKye~)D1@cXL;pP=;!0^se`
zc}rgRh{WxIv)<lT%T7(khF0MMlqbf&hIMZhirq~deI`zIB_y1<ZNJ`J7ycA<kM;d=
zSyESF^TTZWD0{0jt$l+AzB$0!0~~FH7F>k#Wg+iQbSN}dXU{9qgNc*nC-wy*ECl6h
z+eJK&**~msPZ5b~ez$T$wI#srA#n+%n~XN9#+``s%~j`*>R7qqd=J_BZnfOYbtrp$
zUTf$6d=T+EP>zMQD2}rrwwuUR%@L$wWZ+ZSs$#|}*mu1oueI9ZfzR%?w+Wg6o|Uf%
zrw;TWqY_lhgT}Ym$do?Q3d~63YOw^h|GbmXuSGFPDZXrNSdel%6^7gu+Hi&goDhq^
zm8@|%+7Sn%a8|XVN{QRD{74_p+9k`PdEVTFL4yG44QjT?qp+%NTfp*gBt+;SXliL6
zYA83c5=Dx!x!0%-v)!iTh&LIbrM~=Z7&_17fR@@7mK#zO3SrU)I~VsV3Q(WP>NtN3
zy7nL%B2s>!(D!Hd?d(7Ej_L-a-TsC!?tH29W1MjfcMFV^KxA!+KdvUF<fiN@CV_-V
zTbVv8*e{F)3J3Sc7WR8=IWo6l?_jO(oUiv}TnE|NAZ{cqlhYr1DR0%_POS9uMeVvq
zztGvSWUT`bI*tm^c!bJRDGk+`@%f4c{`gWpC*}!2-dR2~_xh5(q+5lL9g{;W7h0A(
zSj!6UC;c9D1)WPm{IY+jCCYCKZ=b+rMy-t5?|=#0!VrLrmn`sm{k|7pcNKdZ{e!va
z<oh#@w<WmzuIT(o1*FrcGG0n0im>;|XGpiNWX^edXoa<<#0X&7z)tQWu~^cG*EFNo
zZHRLeS?>?ipQ_TT@6lGDcZ|6W=6B+gt0Wl8sVP6m>Ycr6b}&R=vY5=i?P8VTz6xdC
zOa!lA|A|(>F?cnGE`G@Nu8z7EVvA%U{EE49<Wc{_*U;TO-Y&+qcdMSNazm~)xDIY+
zoU5n|)0FV$$6SGH@x$$UY4JVBn41Qeg<0#gx~+iC>o<_k6&yaS!jSBJC9*hMdm&pK
z1d~DSoFYWduO_TklASB1fn9ayZ#1tQ_EJ=Fe|pmPxoV=B+i4uAq_{X1Q95Vsm;MY;
zG$v6v>SP;!s5s_;Y+$qHCH8=V3e1yXSU2*L_*-tqwZLQ2KVp~V6}BkG2N>75#w0+n
z&N~T5gWYk5MVR5Zs_|t=5v<}csBYwMWUqc=CRufH9|T<fxK~qj2i0%~0=Cez=&0<K
zysEf~T+Y_al>mX@cNRaG4R=`QV|9j?!i;+3;L+Yxg-$)&&_hmPq{^}cjrf>GFR}31
zQueCpWlXyPq_yNLF<Cyd)*|iwTH0ig6sTj>B@x#b>LfgNBhc3zC^PgMl#~Wa{<L8{
zS93UdLFf$sP}5c8d+Y95M9uk{UE#?gp3ZEQ2Z$-3M|o$bVl92TD8prCXQ(2qnG=W%
z=?S%4-76UiA{UHR`ZeRnOD8D?inXp4r&?dHLzLUpzHNC0J?AV&gesH{G?}LqjSDEn
z{X%w|P)a?rZE*n(t!hgX4nE+?F9F6bM5!NH;D_O`-gRQ6Y8V6P@8sLlPYRM~wRm9f
zEM7UXcMsVe0My6};~3YDDLm(RX&8J1Y?2a{S##ArsQSTA+3$#)w<oUE$;KossJe1|
z<j?dV22w`r<kr2W4?DQa+`nmcK%h^9x=}a}7an|c89c^x=|?Y9%1O1udS!M}qJ<qi
zA3n0zeU2H^)-k`pnjqCR%{|12?P)Q^n6@)3%dI>dGNMQk)w{m6%5RowZzQxyeA90;
zCpjG{An9HCf#t0Jp}*qqx(Gd34<)WT6Y)6rlf^*ccsUDq#w6wWi0!OOTlM`g{wx=4
z52QZ-0A#_Z@AyHlpgUAWgJX?tFlZ|^Cnqh=BiA}sqs94*$grkRFT_aW<#<1MvVt$F
z`TELrzv?#IU3^j{K?|I&T0(N(@|##eTr4~c3f`cL-qI<UWysAz=yn>{j68jPPfhMq
z7nOri*rdtrS9OAQX8y01*NsP{w2v@bEyj!jMyPShH#+YH94Nn&lc*Z1<;GZ0B7A1f
zts&2#dUEW`)|e_lZhUk}rmrde8>1&z<Ws0Xp6JQ2k_SGQ(n4Op2HhPI%IDOV`Kh`{
ziAR>e%z=g)H$vGkv^g=a6;`$VkkCY$)w&%bek9R>_~Ok-{(SsVRW0+aT;Z(1Zkikz
zVBJLEFD?Pd%hnzk7u2!EqH8(+U@r5mTD`!=A<8kAY6c+O_(#+%<By+J2o6ShCI?%Y
z?_uq}W`%MfwDjFl*1FMZ9)MlOl*e9o7-8(>!dPj6J`ZexlL}8Kd0t&%ED%4KCv}MX
zvQF~R0@iHSOZAB+-$hSFFDx<Vck}DtPFNgjD&~<%%iS{N`$qdhBC}bnYbjk7<Xz#f
z7ot24myEx7@+Ew8-U69)wd;Dj>^o%f(5R`nOT#_3zVK9!16Ag0mS={F)dszb_@eR=
zZ8bA9WmQS2Ron`Y@dh9Hr@Ddv#m$*jS|!Ps;TYpNCWi<$Y;(q_flY$HMmQ)Z29q1U
zTX+Qdn(wmXApr-&bKmtG(dIaV%o`T7C(}w`GJ2$UvWRg~ECp4ys_(UQ&h%LJN$)$*
z8axFsS@%Cyds|VUO9Pk?Yf+G&LjU@JPqb|@zlRXIm$ASx=&(4$@K;j`=h41=_)07C
z=2ps`H2&7l6~@7!Lm+MG{}pDk+5O?n$TU@Xb%Z)DcQ#S4?cuW&AND$->C<nMW-q_M
z=P*sdfxZY{rzfBKBUHr>#RNDNO3VaY0W|GdFV#%pe|V#6zZQRsy8wY?3wD(1=hf<K
z&llXAbY)N*P9GCljcAYnYI{XbtyWwZe`$j<e(1(t%kWOd9mVH;MY@qLlzyI(PD@&u
zRmu5Pq;_AJlXKu{$_yjWej054_u;>H?*E(QxI^^zA_IfJ6u(=;93Vh_@Yc|~5120v
zpSEi1KCE&KF1=M=FR{)nuFl($$#H%HSi~&yMHx9>kpShN9R04R85dvhF(MEUq2`I#
z-s&gZhEfny;X$KtM|DVqLt@wZqp09^v#p}Dleu#712Y4T5CIPL?T3HVy7)yO9=XbE
zto+?Er-YMvN~O1yFA>zyD+9`(61)ylade&cKGupBT<I7C=HVgoZsS=r&*73)P%I;E
z{f`}5e3NnxsB2WwO_}JMe+W&}x<1z31XwuE{k2@=N^`XhQ64iusA*1`hy<(0al*Up
z9<Uflx@pjdq5ro$Ml@fL7T`0XZ)Us%n75n*1b9U6ENcW<Gfkz+^V@9?F859L#Vqz<
zuZTW!RwW0{#sC6`I9J(m6CRkW+>Rw*u)&T@v{UsrO_nbWV!Y5xFYobb$udN~6I1)3
zBJn8q?Abmz#p#}Fu2_0anP}&Wsc-Px5%>8oBNClnSorUXK2ofJzYgsS1nRmSLeCXm
z;L?miD}nbXjKF6B&bU=s_YHEJS<$z~cIPg;QBzC10A$TI5zNtGzN$dX+KaAsN>u5t
zxF7KqB`COH!z%~vVgtrh0_CWgGlb6?c5`wFlF<Z7c&K&zSGZlTRyZ#494OuI?-fyw
zxL*ZIU((PtAH&Xl>#ZN$nbthVPWBK5yhZ;#5z2T5G?N{~-4rLuO`Y6vgKNg+hk{8@
zzWn$W+LTej`m0wI<oqO4jQ2E6wYkwN+_xC``$L(pR=j_^3$gn&Tu<o*M}?yd)Oxe*
z)Spo(9x*k89fk8|0s6=Q3lT3Z$;*z>N2!{ZgxXO8FSmL}uS4|T^tI_5@_hFvooz7V
zSx_n*;`+3meogAb!$hXPx_m{;8bg}udieEF{;OX^Esbxx7a~tOy<*GJ0Z8K@{PPN>
z&Z0`t(gjA>(t}=5>EiJ<F-WS46#mi6!5{S-I`OUMv9n`{>)iHQJJn_If=G06x^)_8
z_j}g(3Hiz&s6{;TXWpR;@Lk2?@0>t03Eg1?a4xXu$*Kit>}!BB3sUS>=Un{@4fTl_
zEavCW2#xb<)@kpkM<#Hw+b%L?0dRm1N=FukO!v#hiUvQ8C*VwM@5IdrnvW?gpzQ;o
zVB6rW#PxAjD1jevX}APs699BGfNPD8v23u{!3#Cm*ts49`Jc~9<s08ef&L5VUqykl
z{=ECeSqJI;RJB_OYYf6agVto^E4yEU3f}~u1<cDFthJ#>%Bn3<XMa?|-Jx68YN0_t
zN#nErPZ{efXzucW?s47pNkP4^X#<06xC;Eo^uR`wSl&_2IF?yg{pEVWcAW>$N*|F7
z%Lf5$uMhFAO&;51;PPY&@m1{8mI(PCM80oBQp>uj=n~wn*S`_3aD`eFi_cjc-7SjB
zXa$&!yA>{)Htv>x#iHBDyU0*0<|zemLM`td)E0I2hA9PRFe(47HM>jy`@&0jqeaKA
z8`1VKE&Rd0*mHU~;2gUl1<G2*-T?pFsh*Mn?*Kgs4nx`^i#9wDNpXl4KPn@Liw23U
z%P=|E&Al4BhO>B9XNB9{J|`bdVE#p^JbH9z<^ja~EZ}-n@h1M>V&p(|FhHc6i72+O
z;$*5PpIlx|ee*#}QfqbtTX#YT02Bhxt65O01MS*iPtoNo0i~I&Hea>a>c;u0s}82l
z&V(!dORPieBGNTzwEnVRvKV=CdNB^iSF8H1%&~e_m*_*$xF!g(fp*?RJ0c!<Sa!Zr
zCt(JBg=vYwRKR}dTbDAc$zCVCiFaStpgEfcZ-lJ%qA?GvNPkoV0=RXobci7dl*5;k
za7;Rs-O{0S$FL>ytCYWySthUf?H4JL-(5{Uxa5x9ifMJ_>--R>%{9(h%I-F(7z_#O
zD=OkOskkbEgc8Zw5w0Jw@w*}}j+pZ9+s=f*ds__7i$w?lz(}SG6aL^e8#bG=($m5|
zWYF~GyK0UZ_xAkg0A@gXj)QhuuKZqPzcchbebV%sAiTcaMay9oc2w#oZjP2l1+|iy
zBAG88Iu9`Ua!1{nA6e-d-YbmUx~_Mei>WLr*U`MA=mL8-E+enY|LGO({$i|@8Tf#r
zHITwV;)>rXQRVt~CUoB?8!BKDun~Be%b@{G!s+$qU(&P4k_gS$ZU^WeM`M4@|F@6B
z&+LBcucpj`+Pv%h4YSF<RaSouGCAnm9D61ZS>VVwS<%CtB0zMS#>`x;X1L&4HgfhZ
z4l7nWc^1^+oH=*aF?B0?Q|L6vnVev}g|&61*xudMx(ZlVB)cL8Lmdr|Ct&ram~aEX
ztiMJfhWfRvqFaYSw6#hy+1um)1v42s1q#=d;mfR0D{!n&iej%G&f$M$z+R^`d5j^s
zNT7sNVq_nDvK(^{UTTScYR+H*Gcmqn7<@t+<ns~3zy~whSpBoHQi81xH<^gh%@|#^
zG2J4}J;OAcV=6%aXXwje8iG>3x}RtN9u9|aI!<ZJSl}!ZOwgaYR$qQGmv!>mU!_dE
z0k(@nHvZ6K9Kf=_lbx(=39<`uxjQna4xs2cBV#+!6Z+=N4o=GptCc{tMpI?CatG$!
zv^sO`P)T9Q;+MnjZFlH!)Q$fLM^%_GB(qmnKR-cw6@_}M=5aI%Xjsl_2-q6ETJFLZ
zTtn`|JFr;8D)X-uuw3wj44=L0iZ(=>)09z>s=9BXHxln9p|$Tv75C>~V2|wcHC(Ph
z$-k@>P--d1q5z^ZA}JCR)f&D;Fj3_vex+(DRYN;hKRF_#aQ%Z!du_iR`&sQlnG7{A
z)d?@aLuq5OO+&7tD#PMIu9log5jX=Vu<`#MtY8)TF3SQfeU9M!>tuHdCXIbE`s-Dp
zR{q<LvI^3nelMTs78?$qY2uu5urnK0AqAYpKR#JLCKGx4*GArHUQ^jyH+Y$5l@$_k
zLSK3xb-Q|u^DhUz|6}w9|FK+*AW3_Rn7@5HS)>vYU;D=$lp&RbcL<Lc{D3Pi%_zYP
z1mrz(qxHc6X>onV-ic?bcQnYSUX`_GR9RwMqW75S9`Fu);?wkrm1FSdEoL7B=H5ZW
zFjUh>Ay%&i9!L_PBZZ#(9h-IsE{)gxq-0O<oiLL^^w`=R!tn1m+kikl`@j%z7!ene
z<Crp{aEC|8|NU3&dt?J|E}%O~>|Ht^<H%Ye&S$AouDK`Z?_AR~qjP7blpSzuA=4TN
zD14aTS71M(-||D28~p1x^|1ac{zq@u<Sg>tHFRn5tKCa^FYY_ADAHR+s1vAHsxXlX
z>NTzicPJaJn~MH;(&lXZ&fbjg0SbO8zm0+Hc547JwoEyST~OeMDq78l{`CB_T93s0
zxCeRgO&<cTXJ49~_7mp+><@F`B)yhI`&XXke<$y>BW@c-!fC3X_Y{zqBM;)He&{W;
z;K#Q#HMGE;jtJbE#j>hop=y26?MHdJ>Sd;;rsKUA;2GuEBjdf_0*QbTYTm}0zuF2-
zWoC*L*hGn<Xgp}OrP6}iav>*c1Z2O7o|}tSwWmL7Mt_HMfbmnu!=oc;j<Vdk+OF{=
zO?SThg(>iMG?TLNy)h+gCcN=51e@-ZVdf0rM3)Qynw4O3=q{ulcv||=V+W~LOn2YT
zcqX>wwuItHj%qrKv#r~I4M>UB*)pHbc#cn@kNQeBlF|IdX(80BMfwqxEmZxvc<$^I
z2EHb1ghAix^%<32JLAme;6;J%QbW)}!^Q5eZQkZW3C?4kihRL@I%hzj)8{(lnq~ab
z*<7!FpkoQ}mx!MC-8B{3zxIE>cZrLxA|MWG71g$@dy^^8$5|}OGEo*2CP@!b!!}8#
z{9AFHH+f0L4a$;a#C-Fbm^Sh;m$_pxT#*@{do);I^HMS9X>EvGKq-eNAkgYFL?aJq
zqC-GSmK#(%pun|TEw#6V9e%%d4}=D6<)-?k)%jIsZ&~xJe+vE@qtChbR;Qpc*O}ab
zRvsZ4?#mQY^J%~JbwA~iA7e7O7c0g`YiFGRDF~8a-H#zrkO9mQx$UQG&?u=qcC9wD
zJf4EM<%C1^1*Pw<3Raqb?bxyYTy}w-*Vax9zx*Js?A7i(bpnkf!PF9k<E%2ci;l^D
zCi+cr6oT8ElSObCP5Ez6)l9U|&py-|M!0szejzIoqenNk_1a-ieexEH)DqW{T#^)C
zzAP=-&Uxi6gF??2xz^>aT9Axjid!kYH1{{>10t-6JBfkv9xvf%!c!3}1=z3mIF{?P
zP&L)6jp;L%CL8_Lx<MlwJSAT0;pmg-K+`Sq(;;<t*oGoud<nI|od1y123|Ko8Ao9_
z>`1{?U!qBM%ji2!whsVK-M04;vL+bNfBU^m_sa-0N09@iR+<hTmfSgSwOMGpzN*C{
zCtn~x0{)^B(0E@m33I*C(>C_V>kZPV=%!u&!c_CtUrno#JG!{cY8APQJ#-<3UFZ>L
z)Q&1EsY<srKv-nKw>Q;I#btId(0r#VoSJ(SVZM88=!8DY@x_1HpO33lNT6M^DSp<*
ze@**t4uy);kTq|{m-k}?u$H6MO9CD?6d2KmC!r1cnrvxvl*;8EWPh1dQdnFb?*7#N
zGT6w88NYF4{R7X&rcV^QvhYvRE6pi*iOtDUV4Nq93=Bn5FC)ZDhwaDGa8_7d75nNz
zKt0uCJ!P0Tk*Z;B6=?Y@n`qV%a?Hq7Lm;B0<~!B_nvf`HC1eDC@AW||{=;t1;L-du
zxSXas8(u+a*1Gz9dCz?Klw0*GO?4w_sJh&U@H!)2JFut<i<^vPxeu`^{fWh$0S@Nh
z3wN(Dq#h2scjA*4kpU@EU>$j$zDbR~>xCXKX{foFEoCS3K8g_`W5sbx=V)!NV|ltg
zuaZ)I9gl#T>)~rI&x5324t^;#A5Qu{BgsL2i`>)?L0@)^-28x7<w2f~85rS%r&Dw1
zv4soY2UA9yM!%Le9Cv%Kd~L~JZhgyW>^<~ZYMiE#iWTuRHTJ}7XMN;D+;iMfpYM(t
zJ4%2hgmJa~oHx*j1y0jh{Nq+`NReAm<D|@1znTg}GgnL1ZBoZxTDY%FGyIdOtJViK
z0fI!8L6nngcOPP=c)fA`x~uF5o9oL0KF>ip5jDHAQ^WECK_tpfKp;D<fa_3b(Rumz
zXwVI`HKiGbMV|jGSc+nnWr5M-7jY|nin<G%b+gW+kaJ?KC6TM%!nw%1PP>A)0zB#{
zs|RWH{yvQ0@z!V3dV2)_5OmHq4zUXrcU7#lkL4rtU`>PEiHLhPVDlh!Pm;KXR^w<D
zuEaO0FK#?sOzaM#ee@~Hwi&S@tiVEr-B@_v(wD9&{558n$A{{ZhF&5n*}D<D0EPWC
z#VzrqD^6Vq_j>{M>(lF2%K>I-{h6i0()i=q0h!xhidS>M>Ea|A%sTc3HDEJ6rsB@L
z!H6805PrvWaq@epEx?ufn?tCInH3(oca?6q1a#t3ciioL?TNpVt{}*ZwE~|?yyW;z
z{Z9YB7EjU>ryM4Spf?NQKRjJjR~TrKi0$pqTo9HLOxgSl-0uA#^RsHx^hRpzpy7s#
zzOTAD#I7P4ntNf?oo`omu!%3#ufRkl+=e&in+HuKRnT$sPH}&6M0vG+oaLs%h`<h?
z_q(G>!*{7M5<}TURmy8sv5^KR!$tJ&%aW2Pb#aKbivID6d&Neh_)Xl@kh-<w3aNzH
z*&To|tu$}rMk|2br+f187J)Up=bgI{DcSMs;0imB@zL~*yH}bYxuK;@vY}_N-;Puo
zY`9)OBIQ+p|5y$7HF3B3R_OaG!#$C+OO2<B;=#DK7UQrVsy`lCv!<>OjbjmuH?M%V
zs;DjGl~sy$NzBHgDHWkA`g;NK(E0RS!A2|(CtElK0t(&yMd(S0=)2&n@^<+;J6i2g
z3*rm_0vG0QwtZg~<xVaZeI!$v)LPU8a)o{l&M*8Scy=l3N$tXEFx1BHzHSuyvgl!g
z*|)oyLPk}XvR8VE@$#;RjJQN4G(u}eg`bytLJX+QrAl`PRW@_)1WllqiMmVrCpB6U
z(f*p-54#hSVWq@QVWW*ZXACp}gscT@KZ=hl6%cpFTRROU&wPxweVwqb-(+KL>b|6v
zi~5kBRQg3lDcAW&<6w=tZ}(ubC9&5n>2|g0++C-@wS#Nyp`dDO8qm4-(A6v3Edf)_
zc&RWJgj!O#OSU#6{iJTU(7P}F1NIT~_VOv~cjlW%hF&(5%7m63opE;rnMr?j*U<yM
zc@%Llz0Yplqf5o{vp;m?!_Fr`0L~k2#sGE=MS92opvEWbzJzaE_4#+Gz`A#YQbm;7
z3%7SIA=9V9;5hf=^6uGK%j;=>noC<d+O)rp&$phL9{Hsx?JG{o!44cn8pd<Z+YAaR
z*LMRahwiwHmDA9I5aFI{RE@K%UB}J!N;lnRgT$ETnr{H%EZX-czzt7-g&lp==Jz46
zZ+GlClAmGN9yW!?%6ZiJfmn1vld}I8&iDPl_Bh|}c0R^49P;o|_n(CpnhTS@*s$-|
zeScy%jCJ*PU-*P9wERtXkz9_u$@;`Y2vNbW(it;b?Z4}>67V-UcWahT8GrrUnm+DJ
z^7KIG6o{mo?fX25nQO~og0H}eon9s{=QtGRiX+L{mFZbwYVFqW(aj!a4_4VHcm2-L
zDlAVb%yUf1XYog)sGUcMWx*GXg3m3#+K}@w3k!YXp!4svX<a8-Wuz<Wr+&orqvBn|
zWk;EnS*5!}7oA>F!2O>VQbeq`FD_WFwt|Pg9lXyHCtId4fh?K#eYrHWtLc&*5!s>s
zVO5gYnQvPdo)GBJJYF>7+&+mV6O)yZ#XC7+-vngBGwsRSx|q`K_syu$$<0GxUInWW
z=Y|y&HU8dm6F*7wTTm*bShIgU82fxla_HM1Lof4H?K+kR@e$R7tv1N(f;Zol@}uXV
zqns0H78b;$w=m1t`yf3{<x=*#EM!IN#O`aOF}pP@Lfrsr^+1`39BFay66`#91LzrE
zDOs5pA?o1{Pnp_M><FEz)txoeUTJIGLC@?<=Wo0Z0ckd=MCM`v%Q<TOEs?N5+V~F(
z(BfzSJv<UVx)MBo{V02MgZ^2jzapLJm#4H4#Y8D`B2wy_<JtR0g-=?}bP9wWyfEu0
zFW)Emr(lU_&E2%~CJsUQ;@TF>l=}1KKkAzk8I*5jLJ1pbnT*XvTv_pGnJO8x$AR&L
zIJ^<0HQ=)`_mi_hNLQteD}_ca9?zpDSwvgL(YKLMqm9VYbY0TG_{yh+S4)zE>e2IV
z;QpCgg-3lblfM+<Ihq7@EW-DtT7kRzMVqMmn3G5D#Q*~fgm*EDZ6yP63G9Z4CW2^T
zyK52jNY2GW%ZHRYD>WpG|9J6u8YI7%m;;ZWH%*328u|RHz`PjAZYgy7rUEgIh6adO
zqk5JX$(XaCjm5y6wAFyX0NZ`_$pZfwy2Le2F8wrJ@>*2D1h7!PhB47Z^_8r!C^2l$
zt_GD>^{`bXf_CQyj8?)Yz3XiQ39#|3{5%Pe!Q<H4R~p7SA)sn?ZBXp~krTW}D`www
z;><%9vf2r}7n5aRWKzycb@urxcI5u)vU=x}<wr8YF(RYXCNJ~<TDrc$oqRf?1t!L5
z#9+Z*^^xA1oIW;V-9W(tl!BUocIGa+(Y%QNYrsC<jgg;es*8cqlZj540fA)xErqJm
zU-ro12Xw1iJqI+?5~?IX&=9n?=ZSj(*ZoDxKRd_%u3JY`0bGfas?5`@&9n>`uXp<e
zKw7iFj-keCekR;(K&OH_Yfo>#%`U_MaL?qf2e;y9C^gaZ!rE9c@PC4~8wBmux$-|l
zp|!G?5>Xu%)`G;luT-;)e7K(=8&cO-O(k9^u;N#1R0PAX7a4VHm>0an%*%Y+cqb4n
z(y>&%Msv1^RLAbb{s5OfKzbeWw*Dp(7muC^EQOq8r8AH4|HdBD6aj+7mE!;#8o(NC
z!uGPPd<L%IhqrF>(Hu_gJ<-%DgZ>f)#sYz2E2h$uk5EMdi<dl$SG24dw$J-DS|^o0
za1>>GW@B?`Xr*1hrW|i`%$UHQCS0}3_tUwe6wn@bTsZbJ@ZyYUS<=EQGOX~1KxY5(
zlr}@3{K}_RLKStXdhT~>9>hd_$W=dE&pe`OUID!=Y*CRrf*Xd*3vZ|Fa?}gZ_G0Pp
zmJML*(df1go<ji1z3OuiXO51hpLW5eJ-BTsn8tBm-LBcXWv%J@v&g;ezuO#JWdr1j
z4^9qj&xOSm5}bq?{L7!J<;gyI<l^WQr4{HgxSRcEPLW43AWd8ezzW@CfGg_ihTuGV
znKD~$r{9I!d{9i@*-xcF*jmwfxXYYlFQsuH(E_LcY)u^9JQG<p5LC8G6SmgTJk^_I
z0n_y#s$-sttEG;tJmK>F0FtQ%$PCC7kPVlNk%y4-biu*vb<)rJLmwX-mRkRy9)}U8
zXoPPsnysfSNE*4wu+_Q7gvGVxHDA$91Er6Nkv;O9L$}*|XNrcMe@J_n$eWPLBC?6M
za_A6A@bW)H7pEWL2=P^m5nnyO(rwyvIhw23d4dgx=K(cKbuPM8eIvlMC<h#Xna&v+
zpBo3*DK>FFhil)J2n3IXY8<zogz$+YOP-~KN-$VNsCU)2KXUWB#}gc8FK)f@vS&uI
zW94=lSNokKuBaz_F~!)w3Uzy6&4s@igc4#G{F++N_xmxgcC=~(eXrm_OK#r^P!2$t
zF0=)$=;a+`Fh`hvF)%EUDe?Lq+IT!C;QiF4h7+rjVU_V}?e*CAURW-`XS9E}80d)Q
zS3F#zW)g6~|3>k4=hv!4j_-L9b^rT}1>b10kAoi#Hfp#p0SaGb6-J3K0j8+1=fRdd
z<V!vAjuwXJ?(y-uH{3crsA*OZJ1e1(KV5Z)2<M+m-@N<4BUkxl;GpPT9ye53AXuDV
zym#cCF-R^d&#4y}jho6Mk1X)rH9-G7@X+1r_le2nHJae+A9BJ%6$$;<OHK%_&;6*g
ztuEiRZVh?ITOtDB6dOyM+vlQ)G`(U>debBmI{s%x>B9J)j`3E&OooQ1f#k+~P%5mV
zyK#29JWJAGC3tm%n<T%p+H=B>Y-$=eG3_1gK_tJS8xyYS<;YO_TJ<sT8Q~G$7viim
zHbnkId1{;F!QUp$vE0FiIq{5l%PEhCnCq3;tgc*%dSbULWn(Pn&fTLqcnXx@v6~tg
zlCqKj_3V3ih9BaKk=_B~co=n<(S_qOSWq04;E*4P&Npy#W)$y|ZFSRMPdoJp=u4Qk
z5~#YdJms>La+I84+Zi;Cs%oNYUtLS-1kApHr<CL0X!dyT6Z-g#1`p{qs3HOIh-uDN
zFXsfGzF^Edrqad#7|x4Ft7DU$zgx1^Wn7aPC}(3x_F19^zs+?`qevdvJ0T<;0YLJ?
z?u~CKj_q}?qY>(a`7Zk>0>DJevDIw?;{6!1Fu@f^=T;<hHGid48MBBG#@U=dPeeJz
z8J$vEZFG%j4MCj7q>2^F3F>lB-mY~)Up=(hGx&n7GxBQ3YA=%wM=n_KG_Y7=$QJYd
zk75h0L!uYYEj$EzrACEYkIR3I#r;v!{CeT~`qiS2^_0XUt91I89X>>l_s)Q>bDt*L
zk7P<Y@ToUUTUQ*}i?r+0E*s^E9=m#>dfrcr3>LrNxH=$ab*LOMeGjlNmAf}56D8x^
ztPoJzrFosfpEHn#XsL>WkmBF+`i`rTA=;g%K&=+{Td7TNe|u8?C)wKUeX&je$+X)?
zm(}<g))^1-!9V-I;Zy&C@{rM_b%{@%eUAzH`Y9-|JassWFHij^L0bN)B*V_3&;p)!
z%V}o{punj%b0L$gvU}pMjw0JBz}bP;*$YUB1PB9-hN)D74hTGp)sNT*_==_#MFKv<
z?p_$)VqCj!s^tpwyVGpN_nzT3=MTtoQtRE*uWPm~ql<2U<W6Kb-BJ`Tz4Ic3U24o?
z6GTf?Z>Zt@(j+FW;4<~~Ja6ZyxA_o~@<BHfVo+T?B0nefa2nuJl6qAwLo`B`(X&_*
z9}%SbKq>HAk?dCXGwGkJ0xJBg(&W}}RMcB{@v5BKSC0hWpX;61cf^<w{P(0;cPnbc
zoqpmz&Hteg)f=B0#Dd~ld}k9)<fe9Q#NT^1`+XzYVkhlo^1{-mQAh&%lUAJR`)X%3
ztQ$DWi7hC?_YYk|S8Kqd=}hYk$p)NuaA_yDq_$Y~I`R+r$Czfg%GzUx&(Lp#zKbJC
z-k*N@fnahSr9Hxdzs5RXik)XN=9M5_8k<R4@@9fbKHG=ZI|+Ybp#HA`Sqq2{x@$$l
zo*o9%R2r8_HB%*=<=O4!oZ}Q5l|g;K4XrqNY!6)`27m%6r{5@FNNTG+P!9C;?+>#>
zBl6Xy^4IN_%u_4Dx%`|K*5*v^Qa$tu&r{%ETx@oCw0|#$apJ4Ge#?qaX}#1==m)lM
z>D5rNy1$neAFe8sa<y72KPHO%L4Jvx)d6Z+<5(u;a06xKxkpB8c!lkr!l^Ry6=h{Q
zNIDG32Wfd|(EGUMyqX#-ykVSzd8<`socB#}^b2*uocBig39|CE0ThCMCAP9jXbwnJ
zktgX3CQ<Du=}ltm*3Lov0?m-7QA|=F!b3)OWjb{_DIVQt@t9m468O1ElRQ3CbU&vP
zA<pS<FDvj&7VQ3^On0kfrZ(O_LKZ)Szgs;>eBLFHzqJSmZ3ar<L+7d8iTw77J8p>Y
z>nB_K`n&ZVJ><94hsWN}Kjm+Y=XAAkjk|pYQmowUepypm;oMMD3p=Cd+9JoeyGZ%*
zRoIj-VSHX$ex(ndl_kc7Sy~CGE}MNk#+l^t8;_c{C*!dbwYxWw%0yT#^{+RBEyT@!
z`_+p8N1Xm>Hy~e?nt@7>e9zboMsp6!>Yv!dsN6(#Vyvd^-rYDV&)=ud0O8LKJ9jD)
zW3FJ+ozHeW)xjZxBfa?G8Kt&bzRT_d7Sc;bZn%UnN{{JIX1%kxg8t4ml3)b-Ma!?H
zNN_iGaDBtV$8GV7hogt3^{vCoeaFxEY6=i{K6v!0>U9}phzsWKz6ffK?JmkhSNga4
zN2<Fin8J?(67CX{^4=9+2hEYjZ?~cg2J0<LYHvXkcU*<iL^1|51eKw0^Z7V`T4(5f
z&nnKimL3I5n0VJ*sO0Pl@v<V`B7QDTyq5PFAEkZ?G}vTE;rCohimHVN?cu|ZbDMrT
zL6*VPqI_mxL#wt)t^_#|{-TwtO4%qm#o3GnkdytlMg%ylj^OuT%;LyhpB|pl$gs_W
zw=TuH^I_&Stsq@3+o}!gqrqg%;lbnYYd+MfD#dc&eCBP^ReAw=5NU~<C2wOc_uWO*
z3Q6yXcOxl->*V3`z#K}(TX`ejM^8)qX5E+hKZsOt8eVD#aH+%asz~yJmg5l$;Y+7s
z%m?)V&D(;7;tLe43UXw_74>~Rt!Tjcx=V~WA*CgiJUG0Lnroad8QsWK$<p`GGG9_Q
z-_XO|aK%`{)r|0#sCo2h>c$UsL7$HHxUaT5tDGGfgEgPos;&X11mx%{?852;0Vt|f
zD{tgY`ksX_2bfeBr$%@+M7s}QP4eV*PG8diU|by1rqGvRTL%lgIQNh!qp)rDPh^y=
z!0Lu*iJbNvd`5`kS8S4MApNzYa0l1k97t2U%$|Z4O62uahdlhMK9}lp<-U6qS_#AT
zPX68NkH$^&<VT&Eao<oq`OgJElsBo6ph^{XUA4H?>QmqNg^jF&7P4}3Z9C5pN4}ov
zYrFH#wy!iRj-|GHgvSSy-{tJvy#ebh(TVks#aVKMBT8Cl7UzLt0lvfL)l0&+Ew|ah
zg-s==vxC=R7rm_DM(U=%JzA-zY2MlqAtkEwTZKMWvzKE_vNvst0$o~O3~xbsgTtXr
zKD27!xFy5(MlCUbFbttaldvKr=aqycNa}V6r{)jgfNj7W7)dfFSW{;>LP)_|08I(F
zt0?q~q|SG5XUU!T9v~=hGuQlO8cttAQPGS#HU2g1KM7LusYy&sBOm!^^rx#zw)3|7
zBYzbBuoFh}8~_#(BdR46`l&#kost^2UF|hdaaa~C9icRCAf6WCEwhZknDba(M!i>%
zx$rD`i3{%r(;jUg3y}rJ`jRcjddd>X4<Th(&O(95OUJCiv-{BI$buqFrYq@#5YA@6
z`8X-ibqq3U_cCV$8e{7enf9meLz8v^ZXXY=+(JU}PNKKn=$Fx+;*7VP)`W#&b-=W7
z-XPmH9tVDr7K5u7tdqXV8(i~gv3bH?ohVL#P}brqH7Ff|6N}V-NXqsCglu1d)Z9&5
zQG}45!`4;7i-^TCioP$T0AMu<dwZ?=OehZl9hTGcm@NE(){RE_+UG<(9|3i7xh%$J
zx0|!P3_@t=UT7T0%Y%v7iNgXr{&xN=NWVC8_qmL?8sezTf@(F9<siH?C3_Sz1O0Wn
z75Fhi#Z4Kw#+@KKb86URyQt5cz3wkDGj`5hPdUzB^T$lI!m;10!e`^=J%lT@y03If
zFXsL@k#{D{!;%$xrfH}Nlxco@DD;`d19^dsT=fq%b7QF<P1kUfUyZiRRAZ5<#Zk3D
zLFI0Q(w`J@g>Wg-TFHA{q6a>GOI-=#^3n-MEJ8FG1O^HZDcKF0ql-SO+{rO7Z7P4M
zA#PvR)ClZd^QFspOLX=baDtdfdqs}A+mqMM1C*!bmc=c3UFs_%ef%(VUv*;s+{1yV
zk#RDDz_Hf#w(F1OKJ2|Nb!l|T*7McN#P`H9Ww0z`K`kDrec6r%uY!(zXPQD&cA(`!
z>mm6*L4*Km7|9yF9XH`lnG*4WQV&osOpPT5l544l2xX{wh<8543GD^hQl-R_ULk|j
zszfX}PlCqoaeG#)J(zCrnF!~bc9*GH3!H8!Sy@JopD=rHBi`SI&1Ouh^nTw*_4RwN
z@vvJMp5O>Ew-vy@LdZQRsx|}@UEY$MPtl}9ECsKDV9MiYF!}8bjkXTPXO9Y2*eztk
z=#|WI=BEwC+i-z=Yth_QdwG9Y%S@?Mr5`htQuQ*=OYnBRjr3p^f)5ti9CSB)*IN6X
zxOOtWJs_#{la9`XbEj&rTSI)ok_y9LqcLv_6H|c`WizwMQ_G6--dBO2;B~yn{axW@
z0Oa~>qccu6@bpFw!3nu|`#@PpYvNe)3VPIA<1*eIAzVD5*F2xzM@R@<7|I)NGz1qo
zu8b@x-dWwC1a_vHTEPb!<~R~{d-D;yZ=u$KeUA1X&_@T65yx_u6mR)qf(%Q29i!kG
zbC50(s|?qGI-g7UgvGgN_x2&d{CQt@lAhh7Qy%(rOtzVIl=Hgka`*~1<NyS!9v9-#
z2NBIUZp}Q^j~<`BPwD>PL04gP!w_h<IC%>YF<*HJ+8ve;8nxZ&Evp=(6k#idsP&K;
z%Cs_O4zZI8^%b#O_nuO%;FKk1h-21jclZe*Lu4-kr55Mc(5jaYa9%XMX6{$c4%-G{
zYhL)-c>8G;{;&$4A_I*QD`iH(pnHHo$PNH;2%Q2!GkgH%1tZk(WZu6WVgRi9|HG31
z0hXKwbYCb=$e@)2gi2LS0`-?2iG@-C!vHe__U%%wN^qw<CpAO14aT9>OLba!d#e4o
zJXI3y%_)~p{r;64o=0q1E9{~6r>#6d!e+jeu-2J%b}?f*T3bJ|R?`uZiKu3-U;<M1
z$sbHp1AosEdtI)RS?vwSgEWa>2aRd;<uMt+v5(e|g=i7=w|yR8%*4v|z1%IM>s!29
zdCd4h<m0LH{=$eL7b<V7C9T_F9{B8W>AUfy&s2)?%33Ovb!N3SpQw9bcWZZ!x?)B6
zPF=rC7+|^YW4c=wG)eAL%zp?eTH2tvqk74&?@(*0@o5uT!v3DX`E&45BjF<{-}mMt
z89>G*vXQeDOp*e@UPJ^9eGotIUl>lXo`;>S0EyQ6+>ABQVK1>3{W(<y3p;ryA~w<g
z4x8F-4P=y0^i|0riHgXRong0yrMvPHSG@-A-NW57oGTf<eMo%hlwD~&_CVS7D6=TE
z4&-ML|2y@KPM>IU#(Kb29%+F4X9S)t?I7t?#haF3|ELWoC?n<hNLuqn3ej1^niqTG
z;LBL;^_XLvv@DN)IiI8t*%a|3Ud5aPkk@mfkC!cP@E+b<T79OPbNsua!TxAbH$_mb
zH9vtP6}F{}nWCfwEfO%Wr=(`+_UXs9yGR>s#!hEkc@}kkY<x&~S7W6JL&c6uQdEP6
z$>U*AZ)oL$-~=bR5L?cP+QG+g0Fps`e(rv+ca{<Wl#o@-*V9aLYj)`TDMQ|}%X2gQ
z$eWQTz8#Usbb0dZZg_1A;J@)e2x!iW<@R>l#3zPknBSeTbA}l$eFra;1a{Fl(KYo1
zXXCGi3pq9#xiMoVsKIqFPh-msp@2cRpvsmVmr`#l*s~(BH$cOHl0h|O<@HOAal~@K
zU>D&1kk?Vd8-?#r4-7mVp1a8Jj>0ZZk=XvrSe+~firgVpEx;H7H|Wi`02<x?nmd^6
zM@9Xtq;}TKrb4|Tur3jAd;k89@mgZj@(M<C^Ed$-G_Aa{h=h2XQlm~2w$PMkq+bW}
zy^-X{2M7^R|EE=?ROkcf&O5X>ghC}|J4=E{Wr45a{Emnm1{7Ifw+n|&8HTxpSs35;
z=Iigi_|BB#S;MR7Vq(1A$Mll_@s(KP;w31zTd5@|@d<a?z|pMGxXYOWSquLkYi}M7
z_5b~iPkSmUgiy-9FWIxbODYLP_AQj1!DP#rQCYH=vcxb&NQ`~WGP3WJC1Y0xLzclX
zjF~a_3w=KK_j`Z7*Y9^-_jS+J)nAy`>pY+5JfG)r9_Mj1yQa!3eyAJpm(F9Cf<AfW
z7rxWI#-lZ!4~=h}PWH#VbwrUYibY0#te+8{HHZS{g<J6`8(V5FIg)?cY<cNdPoN-0
zC-Nyehl{-R7cb`(SFq<-0q8tXumP?W%zsJNCV&$9|AY~%@PX(U4eyyr|1}LC!l}cn
ziZxQ`tqUs)QsWEhyX=1AWVWphFzrj=&L2Rz4+(!oq1gnYD1Wlhe+p{nl~;Izx@5=W
zcEjl>{4jJ%qU`zL1&OIef<M5g+n6q3g>F3rq)H!2iO;+Y7wFID)$1D;cu~j?y=!rI
zTx7(SL2BrmOJfwCyOFz(Ila~3loh9h&6$w$-V-oY-ECeMb#VqO`SbZLz?SI}yj*Eu
z-L)OhWNxRP2eK@hqPz7Nb?Un^d6^$}$-_*eGp#!OCJ^IukE0yW-OC=)2G$UBQs7te
z)I5Q$V%r3OqW_yu?L{KsA`IK>f|~7RXrRA2`YUjE%zC44hi_#8gPv5Qr4|At7NC=g
zZUS6A(%|dfTMKk*Tn%zNo8C~j5PkI50h8`!1bUyzmxSG$97-|;88;u3?Do9+0B7p;
zm4D}4Zkz%V|BvUw(KK_Fqrd6_X-e+^o;4C1kNIvvc_``l6jI*eXkGl>FD+VgRS7zd
zBA_l)h&kDL`Kn%*B1%0<nFYVKTlKpK4hyi^&|cM7MAsp4s%5aw8}8OI0xCbL;0?di
z7F01n*Y$6t{cj`pG`;}vmbc^4UpnA`)WCttpd?E1UV!YDpITC<SMIuQjcII7Nsvv(
z3FCoLl$}EQM+?<}R0>TDJ{B~Kq$;jp>HSDwjV&~-X(bH{eMNZ-rYUUITkN6%nb&vi
zdC(0a-<HkS`t!AmP5?BzYN{1dB;3LgV|eQysguXPM~<96l)RaHvWQK@!y9S@66=1L
z3ct6cEW#ugyXh14(S(`7buFvPnJjlFz5G;sUiZ&+w<74kAK7$S9#}P+4a)*w!9FG6
zp_e)JQ%&qU^yKMWw24MG`n~_y<$%Kjod8VxNzuha+uv)Z@RL*|x_#n#k7Ct{0<yza
zgaFUCxzxivyL?lB(sx49bLqRA=;eBEf{ibl6hwF2!W58iZxstn6)n-fEz;jp7O=ak
zqep+mZ+DH|8~3?dMY_~r7<x5|KYQ?Ky-^5LMwtoArFWOUK7Pc0)#N-xeCSr6@$=N$
zH>R99{0=|AOysphG@JCqCYI|((5?@Q&YSsG=I8iG6*L-COg`i}yYn4;6p*$8Z>ifw
zd)b7m)mz39?%*nRJoNysv%(Jf<wq%+nl}<)`cQXftzYd`3-<1+04%+?ef?pt3Cou-
z?=oL4QSLCs>J7pkV@gRQ`^^@ny}<Om3Kl$|Vj<^fo}<1`nS5M7TuxJ@T2E^FjXR+?
z6l09K!jm<YiDhrv7FSIp42u#_rSUq5_3C>v*trq8HB}X!y+UHO?BP{=G}U=)ppyQY
z^1`+LDwJuJmbOiS+yL!nuH@?1HU`bUQmnBF>Oguk1rg!%y9@GD^OH3*Q`RK<3HTb?
zi{7P)E@A_OD|Zu%;=mxG7cUs3fzzb#s#V@eH3?u=&Rsiglns>cO@tJqYX<Vw-OT)4
zEq~|o!cYh~DI_PQ;SsY_gl&+W`{?#V(4zf6_7=Fx*N-JgX#%Oo20h#@h0CCVShl13
zv+$B+K1|AT4vcTtkx8dv_A_<p=pY;Nt<^3k>cz^yP6A0C?RWN&Y3v1f{m{fm^4RNF
zEh%Y3kTd^Bc=$#BjW|3UV4vrIjHIdqRCB@>JLyASel&Okhgi1@%z5oQzzwxqq~C7<
zib5tFxcmtG2+Z*BIgF(DU~2TK@92GXzk$QJW|L_<&Ug2=UoJ~9&(2nT3#}6wP(j&X
zgm=@ZJhaS}Ccu~)mPE!CMtU39_-y5_+E%JQ%tP()Y7^7h$vItCKxYQ%Z}nt7|J*C|
z%c)EEH1fa^DOc>@p5{hastzpmx6ZvhA9KE0M-cI2>=|d)WA@gi5Yg%Pm7lYMMpL8Z
zUF<TooC6Vt@OQ;vtot-9YB$<zF;rPC_7nQI?8PYKKDSF{Au0r(g?B?rXNOGAJ<ORK
z;h?CM2Q?68dC^apZ^qz5@uKQ{sXK^2L;P(9a|xI)DMf#jJ7H`*kujAfT_daA&e1kH
zHj&2&C;lCVfD0eflv4ZYyT-qHS#2Nu*aM`uUcah5nPfS;e2rPq{NGI21aRS|CHhNU
z%*&2daMtqk#nruObQfCGPBy$#3I}l`pFXugX@WdvxdG0;CB<RrN25D5{RQz~x5V@~
z8WB^)gx(}n^N<JV2{p7-`qoPCUYOgCr+>z+#cLGLj3w35;53O9lE$v3AHmg{P(U5W
z<j4eX2Jat|t8T+P8VwK7qx8p`b_zWI`wmuN1Zb4Ls};VXWh1)e9D4d2I5iTv=YLB3
z)Y?CL)LM3z>3hr<$XxFH|A4n+Dx4@gE!Ht(g2|>b%If3MaJlqyjLTuyyay_YDBMjD
zN%<kWX&W$35761Ew0u0_OKEW4cQnJpMR<Jrc0Of(Z1)AFm_9}yp#3UMU$!Pn(BIbJ
zfa=bwQwLTGzWbfNtun!tPInv+x280$^x06K96%O8?OHXk-=Zc<akGi5nGt-d4Myhb
z*st(aumEsj%wf;mRpwLTRyXdlNq#vOd2>&Uph}9HQWFDHWYa1th}+cAF`JH}BJ&#w
zGqZ$0{I`4uTeAXLS_s?2EBK||<I+1o4$zlAEVMiEqi<Ear(&>>H~BN#X4tg0aDzvP
zP6;dc`Tsq>ZAlixF|clWtu5b&IJ}4D56z5q1+eWz$|pi6;_@n4Ucq$&4O=5NQ9W1N
z3dqs)IthyT+E<3sCS|p7g|_lx+y-$tz#)zOGct@)!Y$-#srRAu#XU<3%^;-^;i#J9
z3^yl+?p_Oz_Hi2{o<St-6;%B6K!WP9+4Eb!E9;x;mRnQD<ER~Yp?X>?J)H7`iS{~h
z$q?ylQn)+xOZ~AL01E(Sx#-d;Ap_eeoxFXYhn5e0rnE0%xE!J(=AH$z6c%1pu&#0v
z84BLJNEFDNVto4jWvNt25}`Qc3;%6lwEj~IsoNV6XHuu@D7Pi|$0<6$pjY3g79Pux
zj6jr6ALsTI_axgU_#DYE+>Q7iJlVfb(XH4PAGIchI<B7B@?rMP_(xNNhnxE-*Ip^$
zelXuyhE+9Yd&)uXMDa@L<XL(t8-$p$YF}kd4t#^Z7;^{bsQj^8#C<jzH)MalRXRlF
z|6<}9swH0l^CiwEu+wZd;K!6o^a}-e5O@y8OUJtXXpISI^6su;N5t)$)fhyYUSWx&
zeFN-AAE*71f?Zp~CTeJ`<;7L!A<<taPvoBf8hzJQR3(PgNzZspcUB(s4iOF=yAjh~
zIw9BsUZpipQ%d(Ps6dC;zHKu>mg17dH&01Pn})LQAL&MdSM8b!m5)pd$L$%e3VgqL
zitnM@Io=n-yRLTsR7uVyP2a4_J}F~x_eb(k7F}*zm<Y-!vz#r;ocg(nWk=hlY$uvQ
z)1H2u7v6@>xvrv8lMzQmm$xU?O2lL}=YmUv9LP4imxQra_G^UpR@H&s0`Y>ZzT1lg
zqb~Mm6BuoxAy2)Y`4NK9^84cVUP-hvAM^Th?~gO=UF>_qr&i3K0uwOIaA693dJdMS
z?E@-i%trBcX95bJrnVR$<nPfbuHTP;&}eLPP*+&F=qdjfw)HnUy!ahFPG{Q!s|RxJ
zIpUq#ogc2>a#R5nyGR!RrK~Ol2c5rqq2%zxfA*til==4{$&_jB8@Jw&=BKsP3yfxx
zh)y&)E^Q9Z5_-*d^H*h+8(U$m#V;cqqwdPi56sKjvD&_Nhcm71&)k|;S^%T+-RET`
z*j0gXO|6_K@234f8@rVw@93I-VM{G_prpsn8EN_+;!?r5W4b8S%!ByP1~4EPnSeoY
z!q4~Jrvh@}g~J(uP@9!e%PJ_>r%8%{Y)|!FcfPF4|05(>$y%$ynf1OLMJJy@P>%38
z&GO9KX+1^3%JQF%@q5Fls4C8PH4-nE&fAwrfnC`f?)~psRJ*B|vYe}!ZY5?j^=ui=
z5H0;K$*#hVij{Ovy7%sUoTgt{Erybaf7p>YPgIKIwjlj<8g*W(j+f{sAcj<_-+bU+
zy<tiyyQB*yK)z8n_hHsT*|FnzOjg~+Q3=X0cfW}$lQUvoR_1u7CA$*Se>C3#=&k|)
zhlFxjSD9wLKDL*4jP(i+zdsgblzU-OCnMNx;Ar@ZD?hGO`Mc2Mt_nsn%&wUqW6|j@
zHr-&15V$GV4}BkDY73z2sJ+=it*wLJuPJwTK2VZ}5S8Vp9}6I3HZ^2+gluph^-ZUK
zgahL6B_npO-QpT%^=~S&D72kKY-8<)Y)k&*(@2dN)UbVD*}GXo-@56fVRdd`#x%f3
z&jM-@{^q#nu|06RD*ZBGl4k%c{YBp1g$5A32e#w>2Wa}(kA32iF^GWQLQ<BdEvF6~
zv~@b5h9dzM&enWV5A~6!K;-62@fp{xd&P~+QvC97|6#Gq7=Ccxlk*tMKJ8Uox_HST
zXfOtcXI!2pBpM@~?*q(**6q|t%vD-9mY0CNl^t&r>CO`JX|&G1`NjzLTV?Z5xfA)9
zbBm=l)2_`Vyp~$H<-9@gp0uBmimTqJu1z1x9kzcMh0alM<V14_O$-^N|D0xpx&g!f
zatx?HsS9?G)-&0rhEz+vajL4AhMxy5?$XjKz>vO)aB#q=6(j~C1;q|b7+s2zQeXC{
zRv>NGdj59a>WoVu<o;HKO-p?vY|DbZkW{~@l}=wA-g--@@m2b^$qMZrwglE(O^*)j
z5~5rA9V;r@uEthtc&!yy1)@v10`~M>K@GbH^%he2kg0!r)UgtdPi(2*rthGV57@(v
z!cJ#SZ?=U;p3_915aT@|!-i+P@rovy<vJer0%UvgUf*ts+Sj6tll+O&-$%rge{6eC
zW=W)&K4iY%P8b}DOT%bK-|X<dyhmVdSzF#_TArtnl$nG0Y288MT9w0z7%ulqqtj*^
zAM8?ZYvgctbq0B*1t9%(n=SIugq$(dLx5P?{rv`4sp3crM4_bsDK?q3H9*qt+Lm`&
z6Y5;UnKK>7uy;sj7k!e)3@V4hl`N(|&uUI362jk4b@>cYIow$6D`rLl{DI5a-@WtL
zx9n5{|E{(F?}3%lsDNAL!u@He*VozE&}%F!Qm}A$irpGy#Roo}L6HTMKU4f<$zrD(
z&dFO8nNq_j5$NqpE7NCbn0*6+mV~Hg&Hxte>8YzFX=lAre2Tr;Y3B6#rbb2}e4bq4
z4M($VDt?Xsr%(8gsofpU9BCV=3TaMs-~hovPtrPMli~NxV%<wZfNrdjbVmWPco_O&
zRpzlrVOb9b-1A}D?6u)f$9vIoZ=e3a#C?bI)41_5xX*#53JQrircE5ct$n8NqyBgB
zt&%i)+Hi{F@8|eTH*4R2&%OZ<8%RFSRt~uQKr*8KRRBuK2%4)F$UK6$wgPkSo3!m#
zE~kCnF)oI@an%W&LHsejrI4Kxe#w1oTJ<|t7skDFvl8q?uh+md1pF0XIAi)B(D>Wa
zx8la(xnO)PrCIITyW~pO?dfo&FSd8JRqDmjLFHrprOoxH8?^s<ik6-+ZyFoRufw~5
zMc!fZy~L6I79;D=ISGa1i}l`mTN3+jof-~!b?M%f2e`=WTs%!A)1UmjsdEOjm6SKv
znf;o30%m@gTK|y3!~Bn@)&I#YJ;CdFE_e^}33Gb?&*9Y?b(J{%mrj*UU`LOepxBp-
zJI5ZIbFu3!xVzV<J7H9LwB6&TD5gZ`Wr=kwSQq!+69D5VG{kNkG<gzxj6xY+yW-;j
zW~l{O|K*t0;_`41u3(wR)9<fMIR613o!T4X(@8!TOunO02}KeRhdqr{88fU{*%p?2
z+dpk<AGZ0ES-U*4u8=2qH)*MCbg9ygFXv<<(Aj4(UCRo^GY1<&-w(HJx5?`qO168j
zE~0)45Cj08MHira9N@0|SRzv6X2W3sR`{y{S$iB|awyq;ZFpcMAQE&RtIeNixk(9j
zz3CwM$2a4n;EeVm14_Hia=rhubSfMm2^QsnK}olaMif#(mi{_Pm9y&QTJ{muO9$)*
zfD4`fw=?&<5um3?1!@|=B9IQ8=WoL(B?uf;#r}4X0Gh-R=;eUASM?-FvTj-XN}qn@
z8%t36(IJ1r1J<FVy0KPl!SD37<&wD9NO>DP;g$oIjbF<pnN}Rt>21-K?*U1X14k<Q
zFW}&RflYu(M*E$mLn>52-*JlMzFe87WO1lUGCFbcq=4zoELKXDl6eXX7<31au;8D(
z6Bshgt<>Afc1UTbI8~#&Pg1pz?{Dug>fb=co@)Y^n|&~W;SeBWld-ZVW8?GiZlIyR
zO;Ob0A_?`|oq;&N4&zb38=%W;3Ix&NT*Y9nP=~)n95?2Fn`!@Pk8Zs>U`b&@TBg6&
zEUw@lzAPYFeW$zxRAj1-r`SX`)QE#HJLiA!4XGx9ELqdcELH|QdKg{zK@=bq3j!61
z|HR3d53imv)uL{moH{+eU9nnVYk@v8%xnTEAGtB4T=~M#@bH%#i>842P<6~*U$Mro
zP(wdJT<lgri;1e_H4oNTDRDV7d#bg-7d!%veaZiSA>b}r1M&O2%p-nl)1OodW;B<u
z^tk+T=+QQr6&u1>t6H~RA2Zr#ZDXeWlDNB)s(KAsQ3n6b|M~Oj*t7oPiZzu~LP|AE
zV?$YYkofEkCcN#H`dGIJsqha$8FzHg?v%e|U?DrBwIuc30G_GcO(meoQ}a{=Gf)`0
zLp8;hfG#$pn=G#kwkFvLMxb}&7LATRj$@;k_n~K1F#ZB>;8p)jPM3;YfhV<MLjp_k
z_zz>8g$`cR6nIUb>)_Lu@eA>F+jA{vb!Rq1e+|!thL}E1;sw_N^1IX8iXKr#XI2y~
zjy>j$xbB#sXumvW1pE@ef_qneD5&;&;F@3HdZ1OKU6;Dv?y$_E<f=#-;QnoReHz?g
zzu`*vuR}y!xoRR1ShKZ9RxGaw`aT_{Ut>`aw0CrKtv34T*TkjGEv6ZQ3hLFyfclQ-
zCxwT#bt$(RZ&{s*eksAjcPjSDo#%$~Tv1A_W#w@W)|>XPF$N&gT`*Q~EF4h1SKO(1
z%#kymlLA_LyY%4JFRLIHuDurxro8}SBnpIResRRle}1IyDSu=af0(7J(zEdNdg)rK
zStQ@aar}WQZVbz1CrKS>e<Za-y+si7pnYXDaL)d-y7zJhhpy}3UC6s&g`$CT3e`04
zd}T9crXi7+v6r|GuR2`ZY9wvjv)C;O&RL#t#SG|r?%N~`l)u$iRiFe^*Y-wtjbAuu
z0zb3Fm@({vK6VBKxf0pwPuZu22lspj*iuHI6{bRWty$xTPa;1Wv(OudGlX@qvC!}4
zX0ODbY=Li*6mIt|0$Lt3p^kYRR_hlT8ern}XWiYsCVxMVW5P=XYl4QVd&>#DiUL$q
zp#AB3rPrm!&cei?GlxtGnO=sNL;D!yuY$kYl#ju0CZ$_aKQyE~*zvI4-x|TCz-4iH
zl&itOpYQxt_z{28k1@x#XK7T%UvH1i6d#sGecy@;#eD*Oyin3%%zXPMa<=YH*CKR9
z<nZe6zJBlr6nWGDecMa0#a3%A15l^Z4^!W)UlZTHx_Pm+fG0J?ua2h}m>;wDN7?vS
zhVnLtGEudENEz1aaptN112=L?IOHsC3SVK$6t(7wdiu7T8TLFdY|E7tXDgC!+1$Nz
z!JU8frokd&!F=>IIoa7puyeeRs5}J$Wa+)YXk==-VR^FI;Lug&?zo@p`3b;aGR2-&
zD!KHDt@?^SYC?AQjxF~Gc2$o$9#)G4C8j0zt@XesHa~e7Nn6TIPQ#Yd$w~>(+v2k$
zo>TWmDOJtC5dkoM8wR*JcJ{gs<<#Cv!vD3B7v}lkCN$G0prSYGJ7!RBr33FW1J0rf
zAjLk0FKAdeom!uK@pN`Tu{?P3=xMl=m?+ceaFw~tupO%5(y3DD<O4)3$)MPT?Wty;
zF>8bUi%J_u@g>P+CfughwCQ^uHl&WP!Bu24cS-ot=@!^G_$}LdsU^JDl5wJ2ti9hF
zuEpQMX8nAsMSbplSG-J|j7odRm&rR#KAswkV_`6{n4dT6eNk!*&~EVPbqislB)WIK
zfOrULSfkj=e~nyGYEs%`?piw;C!lR_R$nn>WN(hYQkX1N1^P+W?0RdAjQL<Vmp87G
zQrIM)E*6POS7pn^cq6x!ak5=--tX5ip%U_>#nSen+!>kK!$`1Odcttr&$dv?%bkv4
z=e60v);HqnmCn#zw}qj*G#$tf+6=Nv&qG7a<O99bbQ3!}8X-VY!y&4JWRgbVm~$4>
zgVUw?$lC1T3lQ%rQt{yWzy?#?I~O_??e`DBjh*-_mEJIU6$%%-^{ws}DXmiwOI+(-
zgG)BtiQexOC<-_TaESVo=3+B#ydHJZT&FU{SP^PZU#PIzQ<OD}6E8Su-uRZ<B^nzZ
zSaw*xruB5w?v(b7bYx%FO;xEg;qU?TZ@g7orN-w9ABx?Nv+Z!O9@eMb`ZT_N%<)?i
zSs^x!y|Ww^WI+&usg+$+Xy=Ig#468^Dh}vfT@-N12w`LI5k%RPUEK;FiZivybL>bm
zpG=&~D{i?gM#xG7$knor!%d+<*b1Qy=$tP<+IR7{*H7>41n8w#3Va?5*NMx+s$vf>
z=?puQ^JfUzRcvk*D{<Hw(-5+V1KHGzF`)bN)Kl@N<4@7wX~!t2z<ZSH=0v6P?fW%_
z&53G1Z@N#IThEev={+kJO@uw_rRUb))M<Z{0{=Cf1%i(64bY@uScZ$quh`I;`o~>k
zUp%{_s?Bd)XDfl+v%N}MI7O*9ow(qGY6KUb<5`JlSs9j^#6)2pox^Y8ef6Y*brRj?
zV5K|dY;#T5O&^XkGwe<O)}gMww`V~qo11=9WRP<}w6$p$+=%4MQtAkl;4ybwdpC>A
zPm7VcJ^ou9^=^O@IR-Qg_d#~zycDM~l!Wz$PCOJd8&nnNeAZoK&@@ul+46(XwK>Cf
z+zssKv^hv+QF`LI0@D4NRY#z@Bh{}=OpQxeuY1lZ$_|~3-hlR*cG|eoQqUHrQHFV#
zMofpv^CcydpaP&w-5U*eEZnTYuG{ML?(u;sI{zVZvv+Cn=cd@@Nex}D%FJwf1l@Fh
zG?<{}0E=OV1*{pfEtjf4Y9~ZCe`<GUI3IcwTANcT#u|}C^MCm5(Ka#@R8VZBDjhWw
zX%+Ar@%BO&inrRQ&b&4WB5=0N#Wwdfc!YWM7Q#Y=#xdu(`v)?3WwDEx*eX?AX3RS!
zWnMGx*S~9=2<^&UhUf>`aIw<N@t-L=v~UQ1w|s7<_)Sm={_XmG*R0tZbBi(*rmr}_
zI3v-fKT%1847octR}wQ<irP?h+|5xUlbh7lRm~^aX{=j5h^Z2R9zLS+hrMc?Ywswm
zV&6FZ@_z_et}pc10T?D)pa%mH%v?bKR_7X(P{!2np;vzUh#}B|{;zGbbdGAqaClWI
z>}I}{DuvfW_#X;ywbaSBo8lLoav$f#UnqEbH8n)VdOqRs9q|>O)RuX>wHhwutw__E
zE&DBA{ckp`!xT!+g$8+G=S;u&sXv+!xs-w2*fO<kWbRf)1!n&!!IVDf`sy`pA74n`
z&Qj9utVIFVvFm9YSMS+1t|)jHrANJ9SsIXkVeT{jeix@R0m5UU{GL!<%M_O<m|fn#
zZiUjF>)3OkE-B|O(ZD=`O4N4J`pdCa+zg(Gr9Pi`G*5aOg$QrWo8>Eh0!);jBd`rk
z5B`xIX&w7Hg_5Q2mXZ)!qm|*|6Y$W9yq$f#1pGJd=QBoi6`q36``7=uR<C&BuVLo)
zv!Tm(M4#|T(7TSkeU*uO;7P*%30<uZ7LTf2ur?NF3L3@~2iH<Zgm1G)O+C8rp!Gy!
z_qUhz`$S)6)M0<o6vfD6@f{9XZ+e2Bpmax{j!4l^3@ie_GauDrTT?nyeqF&D)=V}Q
zorQy6J5PkOX`;{XI<47sjrTcrd7YtHjM$+C1hrN08y^s|ld@$uGP{K&kh8LPNxv21
zB}QRi`qr(SN=en;buEsl!D;?w@e%i8z%ufI=3B(YXK<<&t3CI0oh7E2fQ@k-(J*!V
zt^B3<37W*6Nj4{iKG8v#Lt6_W6+7*A>!Av_zw5`V9;YQ&FH0=$-S#j%e=)S7mo58x
zzw}=(R`;gL?0tv;hH?cIXD?oHx$0Fx!%E>pFUqegY=Jsjb}n7btY+<JaSJa`Z?5_J
zbIExXS--}(pH`4)oA%voad=o}a*CYZC#9*<_MlwXvUEsrIfD|mXckYl5KB)wniUU1
zL~e?m<YW`E5ikB{&af(b+v^N2`NYbq=K_~RxTwN;9oXP7?-M7A*0q*T-&>gnuD3wj
z!s}uN@9db50)fY9u8j0`E60VM==H5KRccJgO5+0&dZt8cj7i?SUT68<<u>jPtg-^;
z-r%}Uscf$@^sKpChx_6P+t~A~(pH90p5;H-hONdTWZH?fQO{oHwqc}qC;cqTu7@pP
zvY<KQ{kg(K$8_iJ$R4@4%`@?6q#P;mZA(P!tgB1eo)o&O&ENF=f6#aO5sJAnRii)7
z7e!;y<_T(xS(%O@c*d>#9zC!u=<&P#lnr+`bgb5Y^1|b!jTXE?u?^ek&zlv()K0sg
z`FE$fgWg{6T`Xk$5IG(Br5~dxemBovG}HklU3V&w&P?R36}Z++S+DQ+MLR4I@*n8S
z;Xd^h>2HW#*m33FY3@8W{h*3Nv;KIxPykXLuN(lE01Je>+CTEv9+Tq4jaSf6fMUjS
zTJM(k<(^(Pq#4Zx(&>24N=Sp>CD5cB50P&bXpJ2e2@kOBNHkg>TfgKev87h6M%@v8
zgmV}+3sk6>BVD;2Z5&<ht6u_iCbcF7ogj8PiuRZUWGjwMk!31c93K@`+G^-jwC1)r
zrZ<_6lHV6LLAGn%pNE}o?P%jgch)7iJ@qncJ2>hp|6&feZrxC1hf4AA<nb2y1o3#0
zjk+`}|E=28u=F?CUE#{~zZNHaknsZ2Ew}!5VuGG`9q`W*v6o@1<FC<|54!FE%Rg58
z*YC2-a^>x1%D_MW^gY@JkdAU*IR>az?xnc)ezdiORbs&YsNww;GiBO~p8#G!Y20}D
zMGTrR{`Y%VjvP3U^^wN0dcVm<k07N;<UW_{Tu9-qtI75Bq|Fh<zhfJK<Yu$s0P?6>
z?5<yA0ThB)SW$$cOUyir`^{DofA^Hbo8ds(UejjUwl?@^S6nb`W>+Ur<ggT5(nMY&
zd}d-h_D;>7p!WW!`xx99XmH$ro&D#c+&D1C{=}r4g`~8G%M?=I4}Pk3?e<rG*uRbi
zX{o<&_16?9S56$fO*(^ix6$PMvc}=(=wpu$PlEQEAb?NsCUE=si`eXc(E+PR;OMW5
z518R<;-9e0VOxi`&pzJ&X%J}7Y|g+?V_Z|z%CGq+o@uhM6Z0=ru8Y7mel4tBt><IC
z4@guw?O1mV7t$p=&DCGxhT-90++~O2;V{Cn*(uxS{?U$I<Em=P-Y3ku7XwO8tEvH0
z0~@w%o?(M9an<2#D!CCkIX1o;^f`?#@88$A)HFy%qwLY2RTqOu?kk0Gr#iCl&MeXo
zyj#jXQAyim%3V$uNt_~KC&C@t;VH5x;x~eq25Hq3AY)QfCy=`J!*#UEufRn_AH8vC
zi<Y1!=ZARh<)NZyv(vDZBmX?nJHjxqAgnk#K%v7O1{9?%=%sezm@z`|Znc6s+W}aj
ze@mAt0Pr6@f8f{G*46j$5@7K8U#k>dKDg-Km{C?eOD9dIvKz_0#YQz1_nek~cryMV
zmA`rOzohaE3I8RP-%U@T<DiTg8;L+(k60-YPHUc8sjdT$8{68k5A#~TPzHjY^La+B
zfcW!@r93M-k96y3A-U#hv`<T}Ac)0c*YU8PyKc>D{;&d9+fERRDiit$5a)mCooq-e
z$}@nm7cB+u5$*Jk8T|KW9y-;a{Xp3>JUo5E0)F%8-RXw!pHwzfH@40kV|xCI_*gmC
zku|lI!Bs9vK;7BSszkrIV<75>t<^=Mi~&!z?^V4%PWk?E{*R1Hav{1NXl_@%Y=1Fc
z%yq3F#rB$@NpYODk_sHau*dF=q5)8;O|2+M<_-8aYRCAg_{z}f;h^*WqfkhENaCbm
ztNiQd@nfb`o|%@!2#O=w*d{to4cKYU2u%>_jPk?PpVx7Njb=xGc`%M~F9H;X(4ewU
zRh6r%CmRe8{9U?;?Z3O_K`LJ%-994v?Ed*dmuVXg3uvvJmCAZ!LP^*aC&o!*Yis*|
zW%InR1@wTN^KcPQRH3E?7X!w-t}UDxB?EM^7eJP4?pE6j0mHyk@fFK2_`_ajK+at{
z+s58$(R_jVLN$o_6p>33Ds;%-u<=LY1$ue%(X~IV%jX~TJ^~e-e80%bb``|rOs)|u
zDv;Ha*n1<@u5p{tF<}Rfnub${s_q|n_lxpheSYHrQt@|R4T0dsqveXhS*wYY4|*m+
zmrp4?yk$CxnF3uF;g7ix?95mXXN?cz4HI;Fi{c->b(Qqvl0+e~I_G3V_#GXzNTX~F
za!3Bu9g(vaK26%?fmAngw_+T>Gv#8WeQCq|wTraZ62MeMd~@+MSI_sh_7C{C6}@W^
zUwh%emv&uPRRm<7u3p*l+%!7eRpN9|B4~U}w$`Q;eX9qlOewF}zS>JD95A;>z8A7n
zbCx<EwYc12F9~^IFxU1G&79eUgXzIF)N+hRQtjKf&_gR9FqNM-M8+yh2*Y*ES|OyD
z5b*~|S}DVK*agL9_#&>QwQJF8@7{drWtpk&!73K0ao0<rjw~>#I!ANrO_63@V(|5)
z)f9^(2i^FFBIz>}SpGP>SNbP-zE8pu@7u3h(K^NU_G^@BQ<xR{2U)B@rUz+vxs74V
z!L>ZdfaQDt=z!_-Db=<_Iq#2gv?2)>Hm;>4NFwwSRQ@4oX!@26#tpk-bgL@`v#l0j
zGr=QIQG43!Ld=E@nRDVkFW>3We--514U|zE%n_<tHtjY;O3mi!o62c~3u0%p@W=5A
zfNt8%m_cknqa#kFEx!I^t$xrcjO+qD<3QM<!Mv!7`t?m&;kPsYUgNnvN(2hD6t$6d
z@^=e^&F45Rs^$ImvFleGr@D>?-{9h^G-6%9pAp4t@cj6vmzdNLo)WOI!qMMauP;1Y
zoyT5m`H)4kt+hTGakKS-rO1f(^oa=NC;EbKe$XOUpFE7bVUA?hQGgs0-Xua~DDiQ_
z<LkOl%~j$8qDKG_C0;5%E^P4^jI)A~X3Uuv3SBl2WIp|2s?4Y2!JHK=ZPp5ZL_NnB
z9IgFi-QBU!A+>zSzm7*IzO@AEj>-%5>aGYx)o*aW2CuepuhB`n@3z|IzbHSo=Guv+
zT6Jm=cqSzwqO;U~hbbxbQtI<WV(D6GUB~p7<sQxsCPA~6mbDK|?=IczJx;>5&E00^
z6m4X76kTUq5n)g+F3MxC3a}70Ev=Rd{OM}-7QtRhnSN%&om63}<=s)Q)U#qVw}ibC
zwGsa6aGhiBHcupesb|cZ|4-YH+k7F>XDBE!a`S?XKWyQM#+#A*_7ABzQ*5XjaG>}y
z&((X72^x!S4i%fOok0!}oar)b&$&=9@ShYC6W{HQ#zb=5w0F6w-3KeS`Ftq_g&5_C
z&kD+EF>KA1JJBK?$5M*)PQ$bIEYQ9exXS#p|3Y$A*1^8#PEbac`)q}BzxSGUHE0#?
zHFLs=<A1DPe6+43A$8o<V0{TFpDO8K&ggHu&6jePt4YA6JQLTA)#EzoF#Q7s#xwbh
z{D%W?p8VGl9RRfCjfsLFJBQ)A-I2$3pI_BDdHTN6#U_67H`4tKDsqnJcs~md^#~9I
zZp(x+DD&4Bxmy0SM%SBuBcOB<5~?659SYzm$wj#gQ2Bd(PU1QWcisvX*s%DiO4xX2
z2YvwKhO7U{-dr4euCccGsi){htN$55irm-LEnSxSJc3oTUO_@KMb{kdq`AU`;wi2$
z#>7jN*GlwY8xw1J&4b93cS+9{qqj~TG8(?Ol@nysenUF|EEcc};3+V?*Q_!hpa6t&
zIa2(deQ0>RV71ir)e_bv)p)qzZDezKVE$on?rK-mV6La+&e>BV(~cPkA+|3>SQ$*z
z-*r0bw&<>F=<cVxk54nk51ES_h`W$<Y@&%DrjFol9TJgTJ-izp;`AN+k%7}z^}JAT
zeBA7F)p8|gnz$fW0=LXE`)<XMtgl4;=;-SqnoO%#ue3(X{pbtWa}+ajll?_l@3aSn
z&q`{zaKbQF%QpXB`mF0^*_?@1Wd&s0jzGEmoEcS_kkez<sUIUSCfB+v4!_RzS>vgs
z1<_R5W?ciCP04Q_s>RFM+ecs6k)r)Qiv9-h|AOuuU&~~1x~t0n_C@7ejz%p`-S*dZ
z_w+=Tp4dgRi(fzA#ELkTfqmflCxly2^sR6s0kiDJ(%f3~M0P9nXQ9!T(~FOJ-v~&0
zA&H9uYr3(z;tZzpi7UDpi5Kx}Uh%GP4x5SSty_16vsqA|kd<5=fv4H#Z`<x0kLwPb
zL3=Qcz~tN#l#^N?W5o-;?E<(C5yCUD{kz(Bxu-GR*;Yi#E_E7WtK(c4{fSkzOg*n(
z^mEdw?%HJch|AuVuBvAK*qx4IgSByragp(05~;v|mB)%|0u^^3pbr0$)lcCgXLzYW
z&w4nnpDuqYgAH<+eVHRrluXX-KHp|qpt}}vTTCyTmVtJLT;0tI(k#Pr7rGYXAg%B_
zH3s7~%GEvJ6OSVYILyc85~uT5raCW|LNXDK&#a>EIQOQg-EyA_Tf9&shkifj)+39W
zx{?^<iW8qLz1<_#uh7G8pYGUP3<!TdZFOvPLGx_;lo-Wo(*6fB3G>lkUQ5S>rKGv{
zASM2}?F#;W;l|VKI$=2S^c^9Clf`^2me+0hPTo%Z_2i_?rx*skUHp}g;uNp9+5Cyo
z=l2!_B6)j(CRfuwm3vPA$>9tENi!^<<vSvPzsDW>^Jdps{jS6xg45&o7TTmWh$hI)
z<7PJLm2$9%ta4^DtZ#I-{v9c9HW^yE<DF`d{!C#_sShpDsdR@<8ni>Hh4U{bx0<%A
zcBS80`rxqAb2Gi7=smmfSOcc)_AL2YnEkO7nKGbF`#1I-JGwl>XTIswq;u>!o0y=h
z7O5s|7}Rv>6N@#QN_4aNn#P5ZV*zXMqHJkF_9LS~f+HBIp~)U)jyz%|r>x6qQiQ^9
zdc2hG_tugKVf_43(Wr9Ic-a!WSNSwYZX3D`{JO%bf_{yD0@*^Yvtg>ox7W>5GQqEq
zHDn13r_1IVEgyZD-Y*T#l~L11%_g5>dsMp$yQ&gaP~~2+m0hH$obnUq#3faAjQH3u
zS^Wt|`P;}1-1{NavZEb$&ekD#?B8(rFJCFrJV>FFj|xaZk9vJSecE~>;^mPD?uW_0
zjvc-&cvt&I)U7L$iFdC`Y$$WX;KF^(b~m|L5Oy|TG*1n?^Jo8SwP@XQTut#kmNPP1
zg0?2ia4n4mu+Bg6wATVMUEdr}Nl;XED)Kpn)CI{YaW;|fK6j6C>bMFFLA#d+mUy~k
zU}ZZBryCgUP_6tPqFY0)_qR?V=K>`$vX`+a_Fxr@{_9-p6}LnmU_-KuL{4MU6HTv<
z<xf|OdnBFeK$xR%d_qtkp7$J$q`TXl+dGj?(*sh=G%Q(&VU&<P1`>z+lf@-B;hyiy
z_el>e6s?B@TSXZ}jMWoXa%FbDAx_v@f6z~)@fKvMJuVh-m`fMg-UG{6(P&wi4TM^a
z;p<BLetEvtHReW#o_lYiTI+JQD=Hv+xvd`|LGpK@C|H8aqNbY0X8lnCzL$}Xas?YA
zP=z#S7%A{3Nu-AdTMga4MpFNIAlvXS!#@rOP8dKm_wCW}%vpH#6>raHh-N{ZlM4ib
z7O#j?R^W#(S3}E$9mL@kM{^pfmYx}|FlrOd^7C6?W>;S9*TXs`X6Lu6fZD5ejW{I>
zEq^GNpDm$T+&w?HjH>&7G1m%gYZ{JLY%W{TjQTWn5?;1l_;h8ybXF;hX0LSnJ!+Xz
zBdnX~&s08AZItN)cE7K#f$p`x+V;!KojF)c+0tG_Du26uu`J98sgE#!Slw*;vEp<M
zBE{1-;%12x5TZ&}C(Vnnr+Q2L^&ms1ND?h@xWrC{2Unlyu7&T1n+AI$KL{2^9R0#L
zo;J?WZd%XseXr~akJ^0Qf`L_Fr?R=`8@rGjM|f*LFE;M>KNlZbS}P+(=lH<ca#nW1
zl*P6#`fcQKx+E4-yL1O<PGTBzUh;_&p!`&0pA#dP^bC0;c9Oqt`MUN45lY#03eYWz
zbd{n!tkEyE$^0`0Sye5CoKk-mjg!C^s=j(%UiWb}&(Rqi;yWv@o^USs1tfeQuG?Wu
z^WPh17FFN_6PHAb_Cjzf<C#&LJ$!5PDjrW<#W6fP>BT_@E7#z1;4mC5uaEfs2=XgH
z-#*;-{f5vC>n%RX<ZYxp;4c?-JwK^Wo&~=WRf=H^ex=)0TxI2aMy6h1?iTvYGPmYW
z1uvA*lYc>ZEJ^nopK3qQ;Wd1vG<vU-U8gFZ%vvA<<8D%#d!eFgxpTYgQ>1QlJdb>0
zh<Zka4Zk5br(3?){rgYPW-q3pp{fR#eQ_P8ed?kulF>PH^woNGLJZW{?jmkziVu?B
zmawwrK00}SH}zb&xplkhJM~y>_SlX4p-)AgZ7+s5O}mRbNl_HpUTS_a+laBBA$HuX
zHol)T?dcn{R5+Y@0r9kWM6^Vwf{pGBRVE~<dwyY?T%LxT+{f>JdP$9cH4S&{s=Rdh
z8^MIyKP{`V%T!bz;(AQQX(9*-gRbBQ_1q_DW?V$LgrLAx%~8QIO{6qF#zovU;GDN;
zsgD!9>hjV&Zj^Gj(gH_E*3oI@f?ey^i@U$>u>V;$>XP_;`QCc!McC(~B@X<Z&sUev
zx3hw8a1fhBc5XDdr*5=|(vH6|e|~L^^_$+s3oaZ-CVUcNQhX;qN9Q<5OJLr)h(AeK
zzs~ix>Eo06mE1eG50j13SIvs;wen4iNwGnC2pg{zJYUeJs*qjVq-$Xv-^#>V-FcxD
zv~?f%(v}uJwj=1eHI8#<67%~DB0{LsY|ufwrWvVDkE=j0>Jrti7ex6C5*{O5rYoyo
zk4FEA`MkMJteC*JeNI*B#~56e=fSyF#X1J0tA#I`eXh42xU3wN08`hoc<46v4d!4O
zM^aIAgkVdB!*R5==g<i0;NNC_sc65ri9{Sk_=taLfXfPa(awapwc=H;7E_olzPAk#
zJZ56HAcCO0d23kHW2J~ghS$VvmCs)^pDbHDe#hc=441u9ZUC!x%%^r?&e2rPRNJ%{
z7uhaqQ=HlhJ1_ot(ILmJD7k2#q)ve{1;};A-uZkVT44Ev1M8CVZrt*Lu5P>46Ur~f
zmQUT%c$6F2Y4W))#euauYaSZ$ezdm@9d(b)h>!akW!QCBJjlbx=9zk!vX{NO$U7dQ
zQ~tf>4$E?^v|9ZrNWsTBXmm(j)Josz`eYq-^LOy^BA2S~d6D4YMO}RSMcV{fm43!&
z1L-vv$EQA4Jgr#Y{9N)J0<|1!<(Tj!70-^kJ-wecno6&}ekbe|=TQf^6bs?=<&mxH
zy{NlwvT(j2b;oxy%*W;urG(aop<}9B%YW)U)MH2=zTJ9<;KbSUvfChR!0&b2gp(A-
zz(X5r6b?(}pBsoVmur~uT|G`4Nk{Dh<U7k5`+i_>HUXmG?srYkDlp4(g_Z6!K0wB{
za&>Fx%|m0nxmuJxWLt1!XWEJf-n2EAXR%rYrhn!(nw4qSnozCT1y;Ahng#1rleegh
z&(~mjX<1HrrM{h<0nvLp#*Ks+quse6wU=#p&-^-4M5g)>QCmDIVCd?@e##VBoeGs6
z5Tw*yh7Bf!*uRVJ!>O+Yin}oWs<#aNogcQnOf#(9=Rrwc+FN+OkOE!#Ioa#^&yQ>e
z3ob$)btDUm_{m<f0x(K3JTv6kB?E})wT=Sqw;~apoiwlG*W(7Mo7hKnL$`s}wMLNj
z-D`erVFX-LQ}fZ-2lm@_`a_Pl3lg4yrsU(qpg-4ok9)SfYmD>rxh=D|+bqwP7&n4$
zpR{^MWyzbDYXqqyNYx#&)g)?}!V%Mug^IJY=^M3zUOnShuC;TPrTv@Fc4}V68kVuy
zh@Sby_px=Q61J*UDIj>UMZ+@dVzu$T<3*e~>vC@N(K%zBP?%zB+gw4Qi?5{zmGdcD
z>e`cXNo75oF@#*RQf^z<PYZWeKYjZ8A4lL(f_<*K3Y>Wy@}s;RZKo{yDwgleFXAa#
z9GOA(_|=f~LT`Q0;$miI`L=;Ai01|8k*Xp7u-QS*FLhp{9z17;Ng`&h?Y`M4sieTV
zXB}@Y{hY;l>d*CFtP$z0t?jFs%lWh?Z=NoD@V+RkOhR=FRV_+77$bJ(7hVYX;&aa@
zBhg2c)GlzNT9Qs3**@u}PPU~?)MuHf5H|<`Ujhyf6Snj_N!chxCt3YL<BJUi1;V|`
zM@(}?Of2>ZFP4`N{`%FBb2m?34Jpv<Gl%9%2Qzg$5HsiMwz}pd_37zxqDO{5WVrNq
ziXoTr=ESmA(9pL899M%^&EA4|lH1K0j&S__3+KL_)!JWH^((K)6xv)9#-3>MYhjA`
z;t--?A9FU9`k%kD*@37<{O!l%U_<L3K;w@cQF^gApbk`I{R9<qD0=_-fd8z*GY$+I
zY<}>EOOg&z{VUbxDyrf4+7MkJw#$Ty%__oa(%{7gABSsukGS`i=C2M>SJ$%x*8Xfh
zsri|z$kfx7%HETQ1vk>ZDl$o>rm`2NV8NZUKZrjTO{6Lovyyt6x}kSxD;CrBAjI>_
z+0S<Gd5B?bW!dC$e&Tfjw66ihF~4V<7DhGhq_*{^Di)@iNG+LKW2!gjlHe8O+*GiF
z##SEs!pa@PI&wLBlKLGfNBo_tfu;Tdqu}X0hR*395VQsK7&Vp8h6%o0NdG=31m1l{
z^rP$6U%J$#0d!sKR>4iO6vAOJA|6&wmcU{Z!7vng5xy!EZkfMCwP1$7C)n(cAXC)B
z&#LKttyo@CqInZbHL`+O6Y%i~=mHn3hbqSM5EA#FHtJFQGQwpp3M<e8KTAgZ+&z<5
zoqp-&!Gg1wM3K7yt2>$;QMwk0aR%iqEA~v_t{pKIp50gTmSi^*v-)~yJVjLs5J`<9
z3p(6+vL307AVs`=6MY4|o{jq!WS9PIbBLpB{+p32C~xqK>d)E{`TFv&Lm*?~mO-z@
znO`*dWHeS8?Ha?t>dGTKt-SdD_Wc-Ve{uU_Qmr|K=kXFJ@IEQmdu>4$%P!rwgT7W9
z0}ER4p)ko#&nEK_bZPsZa$X0%7_R?%Xj&)qQ0<!@Aq}^lsRt`H!2<*6S;C1hoWWC2
z<>}!YlL(Z2@K}zIm6fQxr=NUqsCJ!Xtoadt;<Kso6w|#;@%U1^`GOteuSstIzFMdV
z(9ycsJqGg{`*2lJ%3486OKLVbS2;u9vwnDp@1DbeN9(JK1X(0+X+fOSYi)kPXJdtL
zTYWa3LZ>Wb-K4wA;@*}m|6b5$cWfOlTcdnCn+vP8;?Zi8yWxl8I<j4R58pUDgX4Bs
zQXW+en=8n{8^D|Vxhx9Rz?Ul(Nn##fC^;`Ae>*(C1_&bF4p)fcUADi?ZP-^^#Sftm
z-oCG*9$FzCoV0M|xTm7fz3S^jN<aUcJMQ^MQ`scR4dnU(67%BJ5r02hkWKQ?V^GuP
z16PDKOUL~=k;lNB2FqV{&C-z%4sUUt<S6?pua(H*0-3Y1s0^$t^9U4ZHTn@g^dm(T
zC62aWk`WwO)FMu|Y%kmegSN&_D=#8Hjt@PhoZr-qah#e8Pnyk<+d6;TGvA&R6tj-+
zss>g8Em_Rt61JUMVRyZD95+WrR9{Pud?oWqF$Cid`+5i}X*eB!=GS=g>)Z{;UboRN
zdhX5L7vHyCV{>JEXT><EGf=RGUsrR4UUo&e_?$aZWw&Bea!CAJ$l|5rt1FG5dTCow
zlSn}9@gntORK(7HOz?ezDyt9*u3O6%Y}{t}m3!kublLJ6iQ(6!n9o*>kC$J)*Kb`M
zY>zr45n~kd_DOTSo3(r8SVa;?gOrUsk&Odm4!0@jM=Z42wtm6n4uR6=9(nVL&U})R
zy;SqbLw*wH{gv~GX$<6N!SSRD+eHpn)wm4U%A|wI9Z$Xa;Zb${F~l4^d8|OgAvz~W
zB6ULfi2rNH=TKI<q-aczyv&{1NSUwe@VgJk9MC8Y_EsMf{;8CP-!xfO9dGa<iAj^%
zUtygy*D9X#g~xh;Ts)<k_Yj`xAI|k_nQ`*syKISf)ntThz~KA7)W%#yGP_muXxqoh
z$^0dVjDp%TG>3WzYsY)nF>x-<lv0J>0_az<-VRGQV~8Tga7EWjkUdD{A?zirrzK(i
zkz?z^Fr!aQoa<sdjAoEjSP`d5p(R&tezw08)HCzBb^b^FmQN_Lt*023p)Acw`Kab9
z-rJ(#E{k-%l&9Rp@8_{e5yHtuSI1272(3HV>Gp=%TaJwT13&YjRJ-0vB56@)SxF0T
z|6T}gJvVAZwtTMJrY+Z_(`izl{wd9CG9y4vS^t{-48>*f-tvd*2xv_%lDx+D6PXJ0
zXbxbo->_GOc#tTw=GQt?#gdeB?h##_AeQ(qx+ccN>lZZ(8+}SXryz1O>H~gSV@O8(
z=lJ8`SiBSHbZT1-X&P^%$++jwNfG%8l0zUi&CHq?Qi|Ix{C6E1hCv*J#WSashd89)
z1!YfK-TyS%(7|yUb=7XnoiUb`@Hiuyefw2_jGKOI=MPLpbo11ZVzNZX#s^N`ETx~q
z2C{c>ecSvzw6zxz2?KVrU(OMSqyKbjTL{*x-^q5Te=Z?S#0GGdvh(q|wD*<qDCiFa
z4b&$5`TBM_uneuZeSb0oHq?%(S@V@8eB&Ng$h03w=HIMdo{q8W+LU+a`Lo{t&AYmH
z(^W4>Lx|WpbCW3bXZ?K7+fl@Fe>SpkcRa#-!lM)-@Y?7}TZUArn*QgWXFc(X%x?JV
zsHb|Gbnk1lGjqkg$HpcLh~h$Z3zmU=Lz7RWF1?fW-bo$)&S;0mOm?q;Jx{FN9*ftO
z;Q;YLKGrZ?Zpm;@JcHO(%I)G_9CPb(;pvXqQb<f%i`nk)fmAbqk+sW=M-2T~HPI8K
zQeMaB1MuE%7YcCzmuzU&v|Z^FWY~*zug3P16f5cU4j{?4n9Au>^08-6X6G~HZ+HCD
zbneb06D6imcX;;WD=l*dBD;ME#_82!b1k1+ooRj<PO8gFJ>_p(f5g1&u~)<{uZ_;l
zbD!NQ5N+Y<F`HoPd8mO$^?Ny=-SH~%((-vfD!yDQ+WYAj=ld?5pUFOC>`ulvD*3u4
zu2m-68#bm-;7)Q`q5g#S_Q*;&R<;y7RK)bs7F6#BAm;F?V^a)EN;^9cqHTY6ltw4L
zNVj#MnYkzFL+wgN3c@Ubl<R_TtB>42PtN>Uvt)eyiPrmjj4~Hta$~QkZmC*g{O!?^
z;d>sdn2C1%*2db7fs|7!9I3{WpYIDc{cv!-<^L+jRm{;-P_~65EY0h!tl}))9_KiU
zkN@DJTSB6bvfCfs6x8*E>IIFfaN8S22Dsh!nMK@4><Tr4=Xbb25!RXw3(`zqBKg_~
z9@l8CX(y?TBJ;+8n_%7NcDbllfk+Y2Bs&f~pJ-0XV&0ecT~3pUqp60vs?`AmTz=1p
zq<aP4^LK5YiqJIK4L465-E50>m2-4?N|6~!x>yOT=~&*|A8`Ac+Y4cy<m7S2$!ab%
zY0m3e=2TLIdK6TJrW<6^%O%s-^Q>@w4q7vDQH(MkQdk|}k<gmK4S!Ee^R7T)wtVy^
ze>~v3H@%)6yZmY@XOrypXG~;9>5pGc&^0};YJ_)o>;xXSMvmPn)wijIPVFpLTh4P-
zx@VKhqYLwvHQ6oX;5*l{ZG6XtW?$kUYf%~Yk@gS2<f&pTk$%plMHm+>xz^SC(ZgMu
zWqV8h7{yz~6633!<6V7jc4x>#u`LAmXha|G#u`Tmq>m&Kl`Z-mROXtBM-*OJ60R8w
z{A{(U(J$|!4&OPr)ErC)G7ia40M104c=OUvvKQjDuO;*NB00|uaYS^dJ+Y3S?Rozw
zTh_i=ZlOC4@!jy6M!!s2z+mEHG`Iaxt?YiK-jdw1xO*~jJzuIUV@3pAC^Gilo3k&M
z1&$13QJv)vGy99*{vILZb%!SrUMViz!_CC?%u45^sLpz;j)MOPe~1=H*l|wCn`$*n
zElnGHkF9cSok|qzd1ZCxv4lM&-~AT8331Qf@GBO>qA^Dio$!y13C)TGe@+5ZD-`2u
z?7g$YQHmy08(~3~y=`9<C&Cx&U0(C~K_=Q#YXYnddU_yv+SD6v@2W&0*<*%WnvyO%
zxG|2H53<^~?bAEVJS5*o$1cef#MH;SPeJv(J7WxEYz-onEePEKnVqESiOX?m?xi$1
zds1wm%Rno_F1I7#t39W_9@(q6d!$j>7{S#Npx_qQnmO!Xi%ie}8_iZtt0s;{k49j6
zgz*E^a`Nz;P-m{uGW5dJwhHg`**KmyWLNbi+$coWq_+*h#idbbU_GH!EkhW42CxQl
zd1}50I{H$^)qhG7?RgHeg@a0$>G{3X;D7P;odHdrZQG%=*j5x<ZDmSbI6yW;hDjB{
z!IC8^BWTzVB7_YISSyGu*&{#{1Z0cMuoX#INn{2HO9Kfj48sl~-_7Xryzlcp-}f^=
za*yk}&UGBedETS?PamGPCxtWm3X<xdoaXetd)^t@+AA#fXZmYqXGF}G?v(4s3&#BS
zAXWD5m1!z|Q4eLvdB*_P{GvnK-Kk;49$g|kW-R5P&ZuMxmO*64?v^-NskFD8Y;WnF
zN6{^%al}e=T*<>Id)xMT=gx%9{P#@V@-dtbWcxvahs$s2%*^#Va%(~X!X#QQ0atm2
zj4amI_`RWX%Kw;Uk8?uD$Z*3kn*0r)bO*Ibw{6L5U8DuTpt7)YB0bHc@%^eHrQY3Q
zODW#mLvBcrcKhho8hB1=Dao|PZxnm5A$ne*e!;{dH>^U{;Q`LMw?R5?NZHG?JMacP
zhcmQ3-0*<E(AIO}k@2$}y@!ovsu_A)S$^pfM1v3Olyq>utK~DiBYTWdh=6_D%-q16
z2Q_Tusa9Q}<Z%OK^3q@PoCLpmpPnQF2tg7uA>GG2z&iua@*eiED`b2%Vu_nS++t9k
zxNAU?2Je+yQ+cMC<dQF%Z_`Th<tYhlJ(Q|?Xkks=#3r7CPvMG;S277bYvvtJu&iMw
z;k2=AgOypFQZ3pI2N-K<!Co!4Cq63taTf>58NKuC(@Yh&PvXBQoe~Ll{`*YascNTF
ziXrjf^4{vQkQd;~LyC`v1acf|gAVXtPSG%4v-!46#8wlChBV83EwQHhTa5ONKw6FN
zr0Ll>S)a~dC%+y|cr@sf=9-@BViDw&R<~7`Zjx7$j~Az{XRf=L(I{y~PV~ZJmuS@$
zb(5YOSJn_wD3oI$IkIEGz3<*?yStPRinFCT=#??~2HYL(b-J=%#MSLulAE5PTZV(4
zP=HCzs*Xo-TH^;q<PVqV3A0b5tNI1sw~uHpME+DIS929f>!Z60>LMGe6jCuc!tIC%
zLT8FZUc(XuS2k>Uo}AmMfSN&BB_9|nraY9zXcT8Bqw*!nTr+;gzbidNFGm<QQ1RRb
z#ykofeY<qs+Zeq9e<{hVCgD+f(b&%1cE8`#qq9|+UyZbxMQ>GQOUi>Dz<Q%7cB+Xf
zenSgF7)&qO+-zp8I;etOSXpEVT~h<2CIe;gOUvwwE9b0G{u_R|h#FQ5;Gc3+(*{{6
zj%h79+UmDmU_f}h-KlYGjZy43!9nkM#p3VwAv;NH1g|2bHQZdNe$Z6WqkHM80`pMO
z_P}2sVgyrI%!oE~=P|LSQ+d3}=7EVN_k0gRrl=~4VP=5te1dmC#m{1+rH?mKs=#sA
zoqeBebO_sLzAes9Rq{XwF)FEVS)t;zsOiANDCZ8=%jndtzVe+&a_(qQk@HuINCJec
z#ptX`i3%eb%RzCO8*?RB9Tb95Ouu*aQVuHJVx=nJ1T!EbzHM?&QMOxua(Zdo-p{kJ
zvD7N48Pf1&4*7UCay|A*T>ZwvR~D+aS$}<)#J03-5nJwd3mEq08Kat_f?!GEgG?GB
zk6y?zM$^%#kg)vTBugume1-Fw!&Cxp*3dv@2~hLojAW>dA`OX1&hk5M70Ic60k>T%
zMDx(9$FFl&hw&LEkZs>I+NwR7dcObb<rIa;D1Gz`T46d0&sG)9ZCH4w$smB!vM`-W
z3e@GZVA*W8qOp6R1LHozqHDMtGNkH(cwomFsZ^MdX@AWKVy;&V>$&EqVxB8A-nt^l
zg)`rdQ>a=O9)!#NCLrH*d%!g#l|y4`&&-$7j1LIxj4p551)Ro5-VnZq&)1^tu&Ed2
ztj{QAIl5kMKBE|7j4u6>X?Nyu*h$3$D8{YYk^&l`pHN=ZK~PEllfGI1<jrlr6aqf{
z<G^rbp~A%1Zh8)Puzf;9Q9?JwxD7NPN&h*k<gPj_v$ULp&@?*XW0Vg-GT$au!Cm61
zVYey@6ny0Q?-5_0BE)WDYF1BJA69S{!MR8}AjqpuN<PK6A<fl#Q5<;fst)s(`MkKm
z<63Ak(J3l|gP+xuzTm@uud;DDCwR1OG!e)x3cy9g5W>2^x+50<(}|J5D8aLljmHe<
zL(0H6%ZuyvqFw9g-n4tx1TY7vYdF~X98zUrgoW*yiqfrV*2-M&$GYB$xul@g+#Bd$
zCh5YPBS{J?G|gGeNK%yKf|!WZGldi-!$8-VAyuB9aw3ZT2Pw~}@aonnXfZlU(LG?2
zQDUxqz^n@oN6Fzh)p}!Ihi^=}Y8sI<Rdt8XZm+VzRgKL*Y*gMZjhc-h<VkIxJnoJ)
zs*f?g(!;(xK|Di}n08Q$z5qb#H+l_}lcd;x$cxeF6M2tKf|P|!^T-~ZcQ5c{``i6;
zXt$Z6s}>YIM2O}UOu|;)R|jX!MwLK^`hybHY=`vVn&cvLWvR2%mg(4Vr?fLU)A#xq
zo%zLbR#%=aJ;-#t)L<&ybijtaG0U)6fGUrzk7vDEYa9z)-{^Iv1%7LOt(Ut7`4In9
zU4Hk2h=0DU_*G!h&Di9TYo=gGT=H*cPj`sP#=KTZmd}f79iNIk1rK@SZAUY$zke+G
zA^=0{7~IPZH}55uH9bChXu~X$lmWR*HBfhR4j!y|LxGHGorru-|K-9_oOD(6)tpqu
z8Srsa;QPl3tf%Sc=!yhemG_e_5qPJuh`;d1(&b`|X&dV<zpbD==WX>m&y!QrCfi9B
z(<N7Htk|EW)qSi26wQ08-<0-nb5(=2Q7D)#y_B}rH$^DFh~f{Vig8MR>Kf@(Wo=+T
z_?wI+mP!Fxau3GT`?-Qo^C0o}suaM3qjKQts?}kTJk;=kdLtywSep<!vZmgOu&9)z
zY+WWXUDb6?A<ye|+|r~2KzxA7Ia2Ntgl63v`k_3zop_u<6*<<U(9R^aV<kizqfaVo
ze?++zv}vL^ah;c+sm)FdrA?d?>ygjh+(ZxFs_jY3UTwz@pWW`Nu42MoP?@xg>M;5+
z!98lol`c}1B1SwD_YVqRu9n}CMS6B+VbjB^ZguEXYMRN16{u)|<$RVnN0m59uXbkK
zw{&~pZ7IcaLB(GYBBV0B>!35ZXx*7bL?Yv}Jf$YE=ALf8s7ZQKioc7;?~~WE)xs!h
zW`1r9`Fm&K;4Q|&z#=-(H#xZpw>{2TQq{A0`#t}zXz=@gF!@l`AAV8)ds)DPe7^O<
zNHSzD@}cM8kWX=%ZfBR*c@b0i>E)qbG1n(;RljQoop)!=kj7q(wKYv{zTc1Pl6>e>
z>lV=UQ|QsauE6z?P==Tg)EO#`B}J#M>8bfPoQb>3^RRXO=5}I%z^O|+DV~HAZE7IV
zIJs_yr}|K|VJIS%SQ}`?Y5>Y9C-%T_%BHtU{!aXPb$I_NZ*7N}{VjWoGdw`F48S}{
z=L`HHhlaW{Ki%!pGgOk|qQMh7$wDcEdn9ESl^&b#L(AXY=U=Za!5T)o=S=#3x9%4g
zF<@JM@jYwaT~p3E14QooEw$2~#+YuvkH}UQ{iLZFTdT?ue$Wh-a3MX6RLd6v9szXt
zX<>qV@GsY>ncFLUzm<gPI9~b)!eIQP1dd#r+PJv({X6S}INH&!&^!N72V*NPkt5py
ze~s}Ty40-TMoc~|ZV6|+l3?h5O5>}W&S+Z6DF6rerL73C-&i_;D1AwS<E7Je3$wfL
zY;$7oo%@Ts)&?GJXG$LxSY#g+kiRyCzpy6JMBV<hS$b>_$8VZ)N$;DgST_7FXwgX8
znk#rs(X{F~QRJv^KS;I2wbHk_Kj`k(k~1hEYk-cE+DV>+>8EzNh<%uRN`3!Q!Ges1
zHLMWShmi_dqSXrkTEM7?N4}T{>nfR_^+vTsnpP7?CJ%SpiY(RtJ2L+_x`rB*i$n@K
zH1H==|9qMac1-UIm^&AIMYw5aC3ldQos|R#1mO0sXZIJ3|BhnNv$QU(QV8Dz6BXaH
zo^G{A&{ZWExpyj#D4kNKu)yLGN+4(F3P(=6WLF3`AxG=ntm~_ttn2(G=Aq@Insu&0
zp%TmQ{qB8PGu(&VflOq+G*`T^d~C$$V}^6XtDd(|xs8mm`sETH8RzPTp-DQ=^QP5N
zYgpcTiE85lqY50fWbPdv#Nw{{vl(D)(3W`+j7{7AjAk1uF|X2?+f3@+My{M{<D>Ql
zKXwVWk$ui?4C%7{nG2PW2si}TjAiVQf+sx$c)PyyyYYGP8lw~TT8?ggh&wIRK=I*&
zqPk7$;p}qot*7VEJw3Ih7iiFv!y=zHH&(s3J|SUlgz_sd_=Zz@S=Xf4XOwncIzFbN
z`+?wiXwtXZF{jR(Dk;SuG%amGJ~<pwlB(eN%3GX+oa9IDUE!vVzxe_sP*N$i8=7yp
zcJQ@cfp?YWibX<sF7m-+TMVe%_RNBY6&ZLutLVLqT<#4|cI+l$u|lWRjI12OY+f{-
zd$nVj3-Pwqq9UjJsAm}nMUPwo)|(SCMYA_cg6C;1yY$S!!TZuhA3zxHOv~z8!wy5T
zA@(Y-bJeFgLZKI{x5;sS-5^?~mQeb@-ayDuoI>rXvU>Q}q~JINR{u5dZOj8W`I1rF
z_j;xCi7?<L9FOx0U+TFK@!1wK<2Ct?(U&JU-b)UY6gXOOhXLcIGYnH}5+PkFk2<iG
zXuadB6XyjMG2I(%8t-e#-yGmfy}r3$%#Xi$TWYC@-*F#*L<3OY2tbW}>m3hVnmNfS
zceZ_$|3&nQ2u-vQrSpCen%q%~ZBnfirTfXhASz586KOKiaIzqLFFP@F2e9%6fHq8z
zasth|gt6lCoUJ9=mo+N+hOxN`YVYl<7U1#G+4%}ahKTZh096ml_VboNU;Xi<r|5pM
z8XVUJeVw*(0=~12$v66MC%J)=IvZ`jo$XOnv^R@+UF+g!HXk-*8=HtTUhNhxFIM9p
z5VgY#2WSo6qP2=-Wt(d!dGsYsM~zWGm7&?3Iq}aPzw%lIeeltngT(5D)v}^m7WFbR
z#$D45DIFL6O;cj6NTQa-Luh86U#qx{I#*l}O^bwib8HXmbNbfu<mhZD)F3X<KLsy;
z!6MngN#>iKiB<PGYUs7}-1vsoifC#1)936I883rkRe*1WC~9*w5y_pS({Xt*zkrjo
zhU~Yl&rVDa-tB21w*VP`3DK`3u|Ph^OAy0>1^yUGf(yS?@gj>9)whi>3zU6qaX_;T
zG|taH1ClX^8loP_m?a+JRa^FE;Gl5}x^B#eFT*=c`Wq-l*f_kE?<1`F)zg0;88Z84
zFV8IQF{sUd0L+AHux`#PbC~xd`^njNIU}ExJ&d*P=xZR4Bnmb?Ac-_pMz(^Y9`ztb
zK~egpbx+cVGH9@<#y3OmGaa`qa(ED*QP4c;Zc^DvKttuE-)q`<p@-PjV%CaF?7JsW
z=Kb79woz@xJsG3D<O0B~O_bO3_cRV8?(+r{mX@LkZOcljbo8LjT>WjkP}N-aAMKR$
zk}2%XUSoQz=#@v?Tf;a>h>M7ewG_XLYi14tZqg~1R{x7jl^3D6Sn9ED#)CM6+1V<6
zy^ro&8wf3&Gu^PX-qCui;WY%tvza2V)gr4{S~C>K&c6`4DsBL@-Fs(ElxZ}{Rs%9s
zDrQd6o0r!?KZ)wb=1N6XZYM#Cj|D;3hUo33t3j3zXI1SHFms#s!}M|5I-WtPRlR|d
zYb`KSrtBC;?0**ER^@ziogJ~KPV4=alAW10ohV&0qu)&a`x|4Z;YFuH0!8~6y!=x8
zLu9a*-3qF0D^={^2n_yJ`=Us|g~khVF>U8=qu&Wk*npUw21d%>s{^a3oQ0ZtL>8C#
zxk2J!5mMRPZIm<#J~xIm^Tv4kmGP+DY=w94>91*9rGxH2Z{DXBzcp1&I+#8-WUoBt
z6ZYj^zCx>qUEPy-C8cu$k8Pf7Pcn|B#AylA&)LRpsHjSCm++WPxC<Q#t@VgYbF$)X
z$erPTtZ^eYM<6fq^ozbV^jjBEmm&}NOhSj%8%G%ehrztVvK%~H9Gi*%{lbez)evRa
zmL>`=PTJ@UEN^d-_i=S9+=+uFd)d;Ck%B<d*ZOZCM}Qmz({I*4Ihq{!`b&?9Q3WG~
z`Z&;%2zjB0?}8kS<IU;onvw6#>312R2=L-<tvuVNX9Dk}nauVh3kAKDPG5pOqq-zd
z&qgNo-m-8Tys=(`5Pem-(Sxp>J8XGrMH<XdQHUqB5n?5BZB8W2ET<x%mxBVaU0!xc
z!co~5*>9CHPaXX%>aJGyw!e<n=lab)`3lC>cao$brYn0KQarSt<$>-TS@rDnKAh}<
z7BNWzFP_peBwh&oF2L|;wLRv!v%Z0mQ(8~M#%gAr_7JcN&XJ36krfK-@T}n*0*~Dw
z4<-rj#jpx`G_VF?|9L*H9N@1W8B1xZube#bU7TLLQlDv?rI=v0ttO)4vu3;Ky{jhz
zBVtPX-Gub&A;+!ihH%C>)QaTov;5@L6ubxI#^_vUq<-7^z6KpTV>JzCH*Ydol}SUC
zRKm~r8N%g1{Z1-D3ywFSX_OcblvAx->kVZ}os{3o%x1#wk`P7<OjUhGR~3AS*SW)I
z1xjpZ5YZ|_#EFY3?)kAl#ecm?WX`-7=(BN)f=il4wX~-`6e52whIO0fxd&J{xu#%-
zFsxsL$jN0ilMyx{t)##f6rh9*`{{uTXuey=i9Gr3ms=bf6C%H!v^<ipDr7YFv2>;~
zk{RWAS=G5mtSRQC_=T3=Dw1|J1ye`%k^kK@^6r#v(XyrB_)WFu^Ho-F1X97*`mT?(
zG_jp&=?bTB*y%^$Jx1^KQjWr9drB}tIlJfMl0xuVYZlFNq=vNS)ejo&*VyD$UQw&O
zQp|CUj%H9H0`J}`o7a~|9+#_HO4;7vW((h@+wLw#U;l-R38cx7RnyGd7fmFaOHJX6
z@$Gt~&b(44sUuCHCVHr*(r;BDS>=w4{(DO(y3v^)-L5ZKr-#j2f2#O8FWD~@1-!Wu
z^m=W14E9_za472Dvu&=96)`g6&9u>Mg((Lpc&l`&+K}l%3M`bkQG$-v`tjtl<~}gA
z``R|z027{hXk0?CbhIf?rCHtNe15HM{$zx;ipaT~2ULT|n32j^(oGdPU1xaYp+ZyU
z5u_?PLSb%=Nq98Bu9iTcMBO02W#?GCel_4&!9mQ;`Kl^+H+pQ4oyAaNk;Nk=?t5-q
zpIJeg8f%h`Wjq64t;MS=g&1vFSJ2<&=b6M8RE;F%1t^05^2qi#JgZW9Ti`zVI#$>s
z=3!qS@=$&(Uv+_pKmszW{menVhS5SLuRemLXp`)i8oX<@01Q5Od&Q1$p+_guIhsU@
zxtYC{jpm3%J#3IB@zhq>HaQt@kxPDxq&%pqCho88-U-(+wL7BHK(^W{y$`pfY!tyZ
zO-Q`SSr`)YMUETC7(;B|XT!J|C15CTWvp*&Y`d+Ibz3}9pGp`Ts=TndQNsJe;BB<z
z&@|p{IFzKq=Gx0Aw-?9UFfK}$eDdDZ5zrR=p%Fo48<`sw&=tvKg=i*~5e{?SF5x{9
zVUMjOr5f^B{@<$3Y->#fbZ=)cOEa<t-POP0^SJArAWpbj2m1@GZu1J-TAN6IV$I8P
zkH2T&b+{6dvdW_T1Ql9KmqfrEHc_pRSuaC6m2HopssxJzY?ULw?*S8nn5B`3nPPB`
z{i}RiofVzj!Lh1z6`U=s;fk5!B!i@BbPTS@A1XXVk+Y77X!-E+L{;1nS?p!Qyl)VC
zD@NH|RiN<__*`8cQ{U34m)QCzNm3&|oPni$ke91eT+)G8mGBKmJJ>hm8*lY&eL^`7
zuT>U?H9`;k%(PPmK7aPXeQ4g2hoVD=95#<tOf%c32Cm@@PO1nOshtVwqHs4pbcXBY
zc%~^7rrqingVAO`EGQ8yfjs$TkrDFw;3of5{X_3!pD<^;DTpm2sKeK_5Zhxeu;Q0D
zE;;lu`$dW|X&#9Fd?<#n-q~_A&-UWoloW&>Z+dFom~4yz#_64JQJsg=<~v@K-XbC3
zF3VojW2*U|v`toN=GYbykl}2!Z9Kq*W}^<A{QEO|PakFztdu42r(*C*$cj@$hiFeh
zV_3syTXoYb72+R1(?YdU9EdNVDSxmD6BkIi@OLg-y6hr4=K01I2aq&TJvXC_uds9S
zPvUv2s-(^oa+)#^xn`D;8~O){>u%A1q>=|yWN!LdU0!|3%>WP`%^Q5Oe1NP55IejO
zRPSrGIrv8EF7n>WMQnV`RR@(KIhX_TPrFVNm9tvEb-uNX$l9zVx^PaLR7AI3M9%jo
z!&P!@A`2g$Xh{gqCV(p0+ErB1rp&f`&lDo6ZiF~1dvk!F!+!GfbZ-k;Ysn5<!5oxE
zhL+YAN<sVLq|bYbqh?huYg3hLDI&r2@I0J{?^`=5k9KZfX56)qO3`Pz7rP>52RAG8
z6^_(r)?}WOIFRL97-KZo-r8XM$<G7{!Kh^3uv65Tu>nbuCO=?bc#qkp*>}>^v~zOI
zFJyQJ#UD%vldDic8tcGQ5E{Y-_$`JqD->*%i+|xkpN&D6jFjee*70c$&CjHzi)BW9
zs9i8=2Fl2clD)Vk8BAi9V3GB_&w=!((XpdE4EqbS2OAE|_r4te%ayISG=7Q*`r@sK
zkS`%#uGh20R+@X9bR)lt_RQXq>H&1S;zY$e%**k9-i7N5!SF<ehD4BPvw>Q_n%7&k
zI(vr4V?b_l<#<n8&t^B}$)p$cQPB2z^^$U~x0?^MyPJKTojQv}23%ly{fUa;6EqLm
ztvlu;a}LVeXB3=j7JMBm+jd8L>On8I=wPI6xokyHd{a*&@CM%dMewsTY#-NkVEl)k
z-ne1VBDYHw-?s6^r)si+Q?n5-7DEvY;)f^}`)3hF^oooYnX8Q{RwyMN@bs@|^6c`A
zO67!`l0Ntej`xtO;OQp9O>DKx&-sQcAL0!3dC)$*c`6hkII_CUI{-xVlB=PbNkap*
zH3m+F{AmEjZ&kx5laIb4qh2RJ-UR_<lT(+w&)x77UG}?)yJKGmWRR?Vc=5)cxF5Is
zg}U{Pxm%;>=weZu*WZmD9#5%#=yuDFWb*Nc)2|si9OJlKhuk8G9n{&51(&}C(Yj!6
zMZ**$NFSSe;L_>$I?sg<dE=<XIc)|@K7@$G3zKtq1Qu;GQru-o1&$E?uRg@6D0e%Q
zJ=t=rtIqP<bu<Y-!ECji_Yp8dXsR$7wr&UP(6#xFWM_1EgrU*_ghA$Ze+vu(e&z^?
z*Bc#%Ko{!0N#U%Z09V@l@>T?cYOK{0^^}+qr!I>)tb{7^yt3#xj909I`jGTWe_-c6
zZs4~(y(|8cxm^-Gd7;-NAH4K)Nwd!RUjgKW*z>wU_qbK%avz1$ASJfr2ln(O<EP~n
zf?K8zSs$z)+<NOriRXVlrJwNv3$Ova1u>;pja?aPm4xzqg%szvdATaW5huGOm5##y
zRyosq^SNMjs%n<PP1^SQnc~>I@`Dvi1y}o%etJ|9uP3RCO?nk|8A|uN>#P-R-gBGd
z#7+>4>z^p4S&d!7uRrT$Ty983eaK=J@J-q=YkGOoQU>Yg@a)%885o%tUIUs2k>JSY
zRAAz)j30uN*oHWyiWJpVMizV(iqfSKnD)w&x4CH=(JF~(67_kvuMYd6lVCRLlZkpR
z_wrBgNn{^Gbt0Qxdkh;D*(u2iPzHmF0Tpji3+S#^-m*mI)Vtdy7}+40;<Xq6(NWJ>
z4zO1cD6uH&qRckzoR-&nDfNve=pYvTUA0p1hOEu`UqqB^kBp?5pECKN<e=E6Xl_V;
zJXpocL((_v9vagavO2oOWUIUv(6}CB!Lz4{u}U@`#DctYfG{9bu~L?$Wg#19K2pq`
z;ozV0B}PI~dL;avM>x8!)Ic{%32Ony7-cY+hH2~v9$o_wDgl<tpP0^3L!F>h6cA@6
z`F*vC2?Wg{bK2T-tEhBotOoV=y8Ckcs*4-9ZtUFQV3j>|X%C(PFsh4tL4WbdwEoCi
z(14~lSZY!V%|SQXV?Sfe7Y|521Zn+JKUh!E$GrADjm~Q;KZsg+b1%nzo`wOqb6O6D
zECNncqrXi|T}L4j1hHy#?Y5K)tW_Iw1Wk{ZRK02GjTlNckpcWC2Q8tItbt!gaZA*W
z-=0GSPA8{s-e&3)<Fd9K7;Uc^kE6P)rB#-yaMBbKaL6~+lAd;}RSG?T71yWEevqA0
zBp_(dP;xD+E9qp)#@6o)Z^po|n$Y8-|EKC!tbQJ^^rU5xwLE&R?mJON7j{Giyip|b
z$PR{ex$msV`e=Cte{YlST~`W&C(jM#2n(u~#Q2qlml|hEVN|+Z_3n11wTZZ7q@~2F
z+^rqxUeDR8VCg~{Hj+|#MBesVx!SFbTdbr<PPFOGMv8bVA;qbTVR>G`r;b64?kddy
z830VKNd-Jc;fRn*C~B(iQXlMSquu;)1Vbwihf-^ubc2PgcPHPLob%F171Dk5RswE8
zwnlEHm2on;8L6u%=AZNbzn47XaoYNjH7}njjyKohzvmA}FbLjA0l&CcHt#Q~q<B9p
z&X^-@U!j#K=&d45X2T+K9>DFQQrFj<3X~;f)RfLvp~bOnW0hAntY?DGa;G7@N7NEy
znaXsGrnkJ$dw2VxLSVDvqbTXk*>LBt7f3y+?yKxuYQ5s*m`Bo7n1<mMJW455C>ukb
z{3A(2JK9{Ux8sBZXNWKu>7a3-COK<E{<v0Hs=^6UNoC**BN|CU8vPQ&D8^m0;<#%7
zj1yC{sp7u_wxCx1ZYvV(OOIq=;|9S82FA_%(tpp8WJR*nlyYk?Kon3v>$DrkIho%E
zPocmoE)jn{7j3q^g;itQg<XK>y$Fh~bdIbTzBd`QMx)WIPz)S`m!O%G=Eh-HU!wL|
zV4I(cHhmay4#4NSyPQwgy#VgnFjcpo#@`2r(&=Y?9*t`goneWc3ziTWl_lnLhMBUY
zag-7_&53u1+TvcAN5+g+`Q1kSQFlT{ID8oIP>LA3SH6%9yc8~WhPI#{FNVdd>bj~n
z4hC+OHJ0J=c&F{Av32Ii-QW(L{@cP$wbLXll~iyXOd@rJKISR(Rn^y%>jHg`Cf+Xt
zFyG--mNt9F%WBNJ(Z7rFRUH0gr<ezl^`y7^^hb=?YYpf|0kL}Fdx2I3VN<#ogS84x
z5`5kef#)k0AfB!J?!kEx*=qs(W1o7e>WTW?&+<R%0dCo%`Ac*(2d7lJNq6|Begm<E
zQd^Nxu>M;fs=n4K-c_wE<ewI#D4!rkL_PPrBi4x7eul)LVi&BQ6LgK5+gB~Vx}ajz
za!hgEYiChzIhu*YA!Z|YtF~cK)3%cWnU^4ZjMMPZR9T{CU>`!O?B46FMexb=egfZU
zUwhe6Np{nu@n$u>(A|_@c|cugGrKmWHc~}poL=c;NRd83A*s1tD@}18;Gl*<?}Xuj
z_)R6EJ)7sWZ3s<|NWqSAk7I+DEo!NJkDYf!@pahZ7SL#)>y>9w4?)nn;rXDYd_OK@
zQxLTS!~;wAZLhlB)k)7a_V}D)TQx-s0b_6{1A-n(P6$*DFPd+NP5Hy?#^k``>0cZo
z`Ab?~y)aeOW+X3vNckScak(WB-C=0+>Sq<iW?e#rB!bwFcOiR+K}CCFp3E>>-li$&
z6<%NfY$9Eu3idhKRki{H>#v&C7e@{;-bM#$LW*Mg2pY(nlg|kqUx_!rI>Evb#0$bV
z`Wl$_@kentEMU&(CeNjoiDpSQTYXk{CWoc2qenfMjJG(11RbNpM8F`zv{d%1>+uJ~
zo+5h~r&zkI1&!bHxK70$Oe~_&6SBe081|CMjBe@V!G)VXA~9QKq=iqQkl*%X&lYq8
za&8P6c`u^}1bK590m|L9jj&b~3P>#?%4aM5LtId9{aZDbAyN@^&)t!+eeYwL%LaOI
zi$Nq&w#irqLuf0Kfm?X^mOo7tNUs2}Euz-;XB_o=0_emn2^-4D7H*^kzFGPJbg1mH
zA*g*qAE>mOlqQZCdM^A0sjt-ysMS=clWX<?@t!b{Tc}Rhy#qj+634g2SSet%kk(g-
zT6pqv(;oy7y!LSeIqUk2c##ZSv&ciFR?xiu9TSKA8&MM0wBd`-bvY`4${4D8i?;m(
zehQx2ORvCg<gZNoijzUIOjkGY+zro<NA@4bD(~NbkfzCUA6cbj!ul^!e3$ep<);!%
z2;h{m3*>_};D%K$YA%BQD8-9CZek*}&ev1vo)+eA@<HiNE)f%>!H0%Sl~6;u0}+?5
zoYfG{YQ{u1_d{LBNQ>z`4+Y0BJ3zL*VMzg4!xG06yXyetRuvcbYHd(c*t@aU_q$6Y
z0m4$3!^PiFwWrOFg~7mw9+O%hI9(EWjI2{vl2g<@Cxswf*9&nPe77u+U!<Y<oa;WC
zR?ck~NnWjJ_YSBnu^HB}_o$3Ks2YqY#K;u=i-dA4{4da7_)qHHy_SUv5-1&H<WDms
z`iGZ+2`WJ}kCYmOjI*zfVHG2y!?@E3N_7Axr0w(=?d_ode@fIIbR2EUocf6>+M|%r
z=Hz;r(QY7U1E>#<&mI~d_?xtHkbfYa_^-dm{CmYgpdF1=5g@f7{aIE|@QjG)x|t{I
z@TWZvgqd2?7NB1h9G95+?IFl8q2u&Eoo1D_|NlQ*cL>b{F?c?}rcOT}6Z&Zfyzv4S
zEJ5I%0>6tMQMAm2bRDUjC^)`~vhaCq`79+x#o-{qK2J_Vq$y=V+d5NMIoO31wC@~h
z1pc8j?w?q2dm*sMSSkjbHDVqo|9ppKiHZb-leVC9O2{?yKi8xly|y&X0sH7<V@~F|
z-#@LWsAPiQKx9KCIzjW5lHaBWfQx$x>e}r)>!}BO45aVLUA}lU$gyGR!;PnVC7j7=
z*IhM3<s1j<dcrUB*SnxSfy*So2ZXBzx4aT}a+aNcq#oiW3NHm~n>~smYw{J&%+6O@
zuzl}{=Zd!0Z^cnI^QUj-%*g^e6QnWHRVL|Jv`KDL`K3I-7$Y`so`ny`YrL9{{3m+6
z+0R|am%coF^c@mtm2%m{%pQQfp<v}wg&L(N<)3`{_F<O<s}{E{^2`%h95VAaKE8i`
zkEn<27o~jY?zMWuSdo5g{VpNCx%@8m<KotyU<dFK^X}i$Ypd1_t@57qKUcAvKam^a
zq6pVla~O8k*dB;&6JyQ7s}PZYpWJC>cr3W%$pgiA8tL|)RJ~&VK2O5<<{;8L1pl<z
z=P~q1V7o~ZCAKt7T{y@2YyK@-l9E)R-06wR`$`*k1m2yk2>-G(=I`;(|IZ61Z#%)@
zGnFMl-X(v#!H(8nVxO0iFL{Eg6ckt-aXjp*8ciA@EgpMJwpk&}^>A5lWQF#&r6y)a
zQsVyaHms@My~q*>^6xRvVEm@01waqm6%>|9lW-FyajI?fc^cpBAsA32*nS7!WtR)Z
z_W1Ap?V$csO1x4Dgs#5@`vvf?$4wW!QV7O@RRk8-Rk~t^dz$BK|3;7OvCOl(xx=1K
z0^Y=HpNNh5Y_8ei@@hpRnCtTD2aCfQlDarh#_203H6g$6Dk5w~{(GkU>uLUbuwS@~
zS#HRWjfX`uBr60SlYBUg<T@!pNVB35x~3Yel=D6pd7x}ZSYd<Qi@2k8ej|1MrQ9pa
zlUmih<QdxN_KB@;Up5;oe5nii0Bx#`1wM89!#~!W`OjXiR*)qFmHqq58h(FJwUQ%m
z$b+~5J(X%t@A}n=i4_=e(N;dubjq_$hePA->pCU5^Fs%K+Xj#9sd;LC=l3-)TREm4
z0<^Jt)bd&i7%SLWrB0wI+c}^6IOgKDO{zxFV%MvPyaK63OEq6euV~XX*xf_D20Q05
zOfRL$Q9`8DqAjkL757mpYI~*Yi7WO+iPBm;(nYERBWSa8%lelU-Pxi|Meg9u^gEuI
z=5J{NizmHq^7|^@4PY>YbCiM7dH1eUYX1bcwD@K8htjZ}0}W#DqRBQ6!)LRW>ZIfa
z7Voi=lP&9ZJLYnKiuhM6U&o$<5C$3OunIE&;dKFzQ-F7b1!=|yI9j(agyuH|&%s27
zr&|iBaf)q!E3XXKxt?$pe8RT{DBHYp{3iy!RFI1Ps`l?GH_stqf?Q)Oxd%PEh{}1y
zS$T$w;tUb}w#x>Tgi-}Z^#rOv{BhsRicS9;7x_P9pUMA-eQA7}$&KW46&(*`lK>(=
zMU7?RN=VFzm5Ati*hu)&s8nrAF}|b}Oi$Zbr=hLp5s>;!zkPeYM%|a~>@3b65#^!~
z96;|&@r${yuHd93^+-{#Lnj-22Qd<JbuOCCc*8O$H_hqWtxdT6E5@A`X~Mhb8^tR@
z69GlQz8NUr-D`*0y>ReOzO&;zzn5@wF3<6>I|_DK?oWO-s(C`N&HO&Q>QYi3jgT4Q
zu<YqVu9j&LUtt46g4EAvO;mHwOYO9i?(S;7`F~!sLK6TeGaeTy1e>I!5kla_bDu!{
zXc1KD4k0^W*(f^*>R$@$91{JP5Bse6f5pr=fL?!MA3#1|@#4Qnz4RWC!Agq)_2P?v
zcazTiCrz;*>jcODN31Io#cfyrtfb^Z{yl<Z4D(hDRvHVhi{2EMQGVd!VQ&TpQB!&Q
z3+8#~AHL^!Gh<11<Zt7VE8YRcSW*uf6|k#Vs=1Uz0$iVCn%e@d<_c%Y7YyyklHjN+
z#O%Dggc{Hcd0A>VQ%mct8-ekSV4pwpFiII6P)6v4ydl^{wzhWaO){zyHa+F}t7#bF
z9&f)ZnLt`93d<Ax$0>yGhxDeF(m_p?wJNZ-iG0dS9}=D68DisNIywqAJm6{)Nm5B2
z5e;Yq6}R12Y+^=EC^Kdi+5tO>dIrFdL!iVlgidN|ri#G3i-kSH;q@2te>FidezGxx
z`Bc?|b#A<%oATq6luS70`ZpBqd=!Fd=s15kTrKy5GUdEHLN{L_xC4<G;chYyvRC=%
z(f0k7oNd{L5qp#)L;^$B9Y61Og=?ywSH*3;lV&%^iJF64zT$<O&`=@Qi?|nnis&y0
z_sZJeNQ<#Bq67#u-o58ST+D6lPyJ&CMALmC)#Cc1yuy=!to1K9MgW%+EKVVS-1I3c
zkS_n5{P*4}_)xb#DFf;9>s{CP-=fa<s<=kChLvqC_UO5`PXn$Ej*zYSMG<~s&20@c
z6yvU9s{o6Qe%oKp9>dSh&PEP2=(*lCXsD%%U}C!NEBc{0{%pAduHYBrtxf;0T^MPL
z{$-Tr-JWWOo*TlPV5<qufy<M0(?apUmnJW_2rSB~m5I-oeMUnrMgpDR!4*4=-{bTj
z|JC;VIq$3s@;*-Tc1<D?1d$&Ft=fQ|Dhd}qeRw>@9E}eftgih@Q}tk|cYR)ek`e)C
zTc_>bs_OEU<tCFzGCJAv9{0s1FASCvkZLyT+}Cm<GTr9T=<}E`=cpCKHk}-&<ueFn
z@Ass&fGYPFhip15$uf9LKSspYhvI}CL3j1<wnc9a)?~jwsMTor>|Y-CM+w9Cs}O>^
zB+!{Z)zdJxK0nLoiFg9^Ro}L){>j-UPc2EhDjc6PkrA~VVr%<O$KEFLm)hFW<gr}w
zcF<^c#smHVu{a|!6l+!BUB?rO-7yo}&i>AX5#sbafp>RQaQ2KFZc%{x-}2ypD97Hf
z5<u2(;h(V$l7aEc@cBoer`@UWCxerb6=`9W(LW7g;Xj}%Y~O9%>s^*fO*!rgqJApr
zOi6iQKA&gZ;cBI1i2qrQU$q_9Zmz$@R0+-!KIL5mbgYl3?wpDJ@B=7vBw{PT0*lwu
z|JrE;jvPmF#{t?*SkUH<hg719QvkmKBov64!wGF|EyK{FR9esnfp_x98$H|w-bK?o
zCJpJ*3&fp_uiA4by8n+Rb6Zv<U)`PDOcg(+k|zX^fE^ih7tVTVZ=TMliELs#&rq)S
z<R38hH}>u?zf!?x`LK!MNK3+`iti>nh5Y|J*ExAV01lGt&1(XMh<ey3jbT3LT1gAq
zJPiB5pdX6VM*Dji0@DG`4~JSdFbOAHOabv=znL9q0oi*H6X7G7>&Nd)#aozQipRLy
zr%8Z(F&K4v=LB9wp0IWcn(v@&8vs%<4`y$(ZrBcZvVwig%c}@UOIY6Q3r7sgVMD<k
z><tD<i`~sQWwJ1YTHPr#pGEGZ5nguNhf|PyM*7)wZ{tiB0ae>r!*`qYhL7lc{KE00
zZ{JH<+I(K69bWtdFXFRQ+?I*<A<IW>PIPuQ%<FMg2=<6TRPU#fw;!-dnt-oS*|xlo
zD-%a4{FG-1H&ID*(1`A-<Fh=9Gj6Z9lLe#Pfm2hsJ3qp3g+ZES^o6r1yl|CZIm(~4
z6KM&aGFtC*Mk@dnbb9nZ(atJjZ&O0;_m$A)A;^;Pwz2-@3cJFcVHJNdZzBEk9wsPM
zW_sY?pLGUW`Q&D8^*iK?TV>`Vn%>yfR2sfYea~{Rh&Hl~kD5K!2X)HtC6v55XR3eS
z#dF~i$fY)=68PIgTi?}hgjG+OW<OOW1H7MON5E~hGDj%mn>joFF*M1((-znQl^p<Y
z9GI5ia~#NVgquneCj!1rEb$SFB>D5?ghP)ld}f53mz>+Lh-%KX4T<slz6OD0pIHgg
znZZG4y{?l?h<`D>snC}|1i#0>V?-G<v5|OP^k2X7`^pH8-{UYWVAvvoIh$cwvD%mq
zvxE=4Qf=Ogh2Nr&@4D<7%)hVt#c5~+XW5|YOj=yFMNayBA7>7nY-6C5X%kqSny$M`
zUufv#KKePb(OhLaYItVBu}Gc~t7dE4o)~c|l0Es9b;HUsQ;nZBIN|zX?el{}8{%t9
z{@th~RUtc2wBYTS3l`3&^8++TE%57J0G9|)3n%~@pS$e~E;B5x@S20ZlPH|Dxoj2s
z^7hHNf@!swnHQ7<<wiPsFZ!n6-aTFCLBYD2K`Lw|jF~%Ywz#JNN2lsZa|>_>OO^mr
zyr;3-aCuqr`}&P;F)d@V@Qt?TB3QlpU+nZxI5nqSa|#$tj=OwKsXIRU(Nq=o-pW0f
z%Z#Ysvc)I#8XaQGWMzv=kQ(wr%=mAoS*e@fv5{0&UHY4gldi(KucI)5wW?W{xl8IL
z#%@`DM|#Jcfe*93Opp{Sn5s6m_VAjvEM?#5jZRmy@21#f<b|x}&|iit9S<j2Efe|w
z_iF^Z*lyJq`CSR6eo1W1>Ywq*IIJ(=I5<#eKj$OJypxqiwcBxxm3-nN@}u(MdWGJ#
zN`x(U)KEp;c@aY`@lko#Dle(7Pjg;5=B5T_ik~yI$R4bT2)tTenD5lyGs`&44~b_3
zG>NyYlVpfT&t)&pXNqU1E#&u25faSE?Qqh!*dpoHXNl;?D=TV<*-{>bDiW!s%9C}t
z>jW{322_iHWlzQLxyhXz8!$T&0J+KpY?wfhGPfjS!DsoUjq|u^b){zTi<5fqjXAqV
zK<22qY!d3lx9QoTTvBXTUaCad<FruK72dDrF!Lm7G1LpY)-QLc)#xH*l0rGE!;K>H
zHoLC3cM^3X3PxR9Cf2BM4>QskA3rHg_^$cwh-ZPaE$@sAQgHm)?o0{LJz%y;jUIos
z63k<$ud_4RNNsXPVwL$-Ow4FB&H0e5i(+I%{-0Mli1e6StCk-9gvnXq@&bk9qR*`g
zA5b9(ofZECk3<zMm1r7#+1IHtU6=N)q>@+>@>rv)dwufJG;M)NxKnk>yc@74?`>q?
zs`jk^&B>x)aI+Re)?n2^)FVX)y6|4!`)~W)S)~35Ajj$f$zsFu3*G6R=TuUi^|8jB
z`U?|!C9Tijvu4~?1x6~vodzq9iaw>BanK;B<jM<xWjW;{eY0lmgK5C1j0T3U2z0Q&
zl7{YIMU}3va@>FZ+U69-=UNs1-pgwvdL}&T76M6}wOd>0+`16?)VvtBcfzb*?0LG!
zmKpO%TFVegX&Yj)^Hjlb0G|VJ7Q3!grKg1+gh;THHz1Y?xr3BdQ<8UZt>6yy$3=-P
zjJ5dYcd=Us2hyza&kKwZAV8jH05nMF=wyu*<70!)HnxoqS4vOT;9n}e<E~l}E#tAM
z(ypOCT$^rX@o?H9Ld)uFD7id|pk4W!=~N>_qgDvDH{vDz{+<zEKGgOj;rkuwIq0(T
zuEpLv^d?rs#Krza?|MqI_EoMnT=u!N2sAUVG+T<%fk<inQ;##-+4AA@3;i5stWso$
zSSshdqVs9EJ5@Eyzy5_<51MeKf{~NhQ(a#4Fe;)WJ5Xq;w;!5YIU4IkWAy++l?iri
zf$ke-o6X%DOD<#j(Bo-G@1os2mZrChoXK{3F)ZrrUa);V=!)sBTLW^$NFj*m^7f7j
z9w&;67AhWYj;^^v1%UN|VZ?DGA0WW&yag!qIw0hA2IW4RwaLGyulI+;@O68}yODks
z)l2~skNmE<h~g6pfgT~iM?$yap48t`F+LK6eEi#tzpNVe)7jL1mE7|Jh%qrg6oSCf
zNC`A&7D_H$9Zc5aI{(ahALq>#|6EtgvVJ<PnSkh_Xir<b0H4T><&#OBpeFQfZ(!Dz
z>^FZ)KWa438n}L&#bnCtrR2FU3+okvkIx({*C|nYLPHQ1M*_ENHWG!2=FZ<0@C63&
zdJ(&J9jvvdrQJsaemrR^x3>@%?w|m;s@<?rDr-Fys4+G(V)vxppv(KSl=cy>Vy*q?
zAIt}c9d?%FvCMx>i-`6+qNc@KpgP!*F_hcP^(R^YeIX{Opz!@aI`00lSU-DVK;n~6
z#eNY`4CJHxi6I_H3{96z7jmKN7>iY)%_NiNfz}*t`;I$*5%+lSTpj<fS*6Lljfqfg
zlsRb(sR<}RJnCID=CQO@xeA59b{FFClmFe0u)lz&<zowCb))x5UtG{DW!dQO)>j++
zKCbUhvbrq%-|zH`NE4-PYsB>gwpOfRufJye^A4P}?!V0VV#kxHl9N2l<5uo9E)4YZ
zzMUKnx>@hX{#-Y=>Cp)Rlq|UhephH_(+@D{F_Uc|8|zZxGIqh65zYXH!pR_7|K&_)
zGXJPKw%g#)Mfz~O#5&Y2(Q#~c=`4)+i+a_5D*7jE2~cKGdbWPsYx4p{?KZHK7}oz1
zI4<@mx2CIqY}tD05a#dCcC&b~CZ>D}Kqmmb6TVhKvI6fCL>~(`O{L95j`QP!fRswY
zdT%SV%J%1f#o`OT8E(7nlv2ggaIa@$Km2nDcEC^|gIJzUTDPx2f2%NK5KIGl`r^Yg
z9=$VEJJSL#IA^H%0~jaej<3l<sNvN)VpcRX2l7NA(y7q69xsMaQKL=Xl8P+#%&PV7
zG~*5&n3P(Qt1cB;DRXw~9Ig{*Sg^!v8gdW(qW(rcIC?CEsv_LPt*FlA4pSt6nOYs&
zkn9&87Hm%B+nKcv{%r$|NEb`<ZJ(zGAG}Hynlq@M&_kwXJj}F*d&KPe8J<M~xpsKL
zf%rL(nesND)Xsk6%<>#ZvDI|@M}?aX{*Vi#v^&Rp{4xMl86O(QJVd%3euF(i7ZdSU
zx{5r!42E<@MtrgV_!#vkGH^gl1Y_Zu)=K=PC3QxTWjFKU&B~zIi98%lRkFKbN}%)C
zY+pL|dj6D-g+AF+FNfPU+?x`XZQog>Ot`zvcvwXt#1MQiX?32%I;e}uV%&Q(TU}|B
zU#aR3BIz#}KVNgS?pm2MHbq^r&NnIll2DAUg;~@Oxp*@C{bUYN*FwLpJTTkDml<wZ
z&I;vD`GidQ{3_A>Z2|m2)yJ~-(z=z+!k81ShCtNz(tg2+A#lFEcA0IWeoDoQSw)9d
z2ST52NuIaoaR%RAifWXk-t8zssHNLw^i@t*Y7@f(#f=I>HNi0xKk)mOjw{>jVznUg
z13-=djC&eA{}_Ce8+oGM$Od`6oHjzr@yxREhs%tZ-UJ^E9Jx5AGp}>E_>gq{!(T?O
zzfT<=kEPdGI&vB)y1i>7lNRxh+-KOZq_Ue_{S!W}wIwe*h7=a6u)^H5)B+c(IBmnW
ziss$HK9?cpzom62sJP+ggGx!FO&!fcUA4aYwfBYYQooJQq}f#-a#QRLej`RqH>hYj
zS~?Bqa(CW8u{JR;lkM8NamR2z*?n-j0-+9!p-`(}l`~h?#rs|Ej~SLB3t#I8pnGTI
z@)`a|FZe{7_Av?@b86}atBtLutGlWliUZDOTfV8e4V4T1wt>^gOkJ<fRI4s<E@pL!
zmqHJQsuSR`G;8S~HyvnDF7p;fc6ux9TLL!JyU>IBeSmd2PN}hET{Y8hoVMt-HhGa?
z-ErNo?6%*DueXWW6t1v+@l#HFmD=dMX-YVRClyMcHPsXf^~+bpzZFMGOHilQl=^H(
zYy9qHp*qV_RSPIb&3$0x3inpj(OU-c!N(68Gy`bV>O><z%M|lCQM(?_U}w}#7l=HX
zHiew`1fNg@pWDRV9w9wh54q{A)!ud}Y?u`0sr2YFq(-f4EMg#0dc^nhdeZPGEUhs*
zvw9PfQm5~B%8b!DZ?dxC<5fY_?iPb4z>DA0Cz)4ew}(mDYT1>9QhkrautrU$$;RV(
zyUp=Q;$=~o1$nhT5<#?lMSqJsCudy_Phl*FvzV;QHTYM|*Xd%@nj#Dw?s)#NrWLS+
z4qcR=%+x8ykWG3gegH=KYgRV^lEQKl>@58tJcs3N54p_Hd?GlI3em5T#i)uG#SiaR
zsLe9#!<vaI`MM>IL%Bat%Z4j@+E<lQ&GVqABzb{uTbKK9M^{1Nfz~~hO9L}orNkAy
zil3er3oMua^~bNssvqELX<2mP8=Ng~mI?I$caEJ-aIz>C>v0TZ;ZGCSsH{b1ZM-g;
zk{-tmywFKI54A?w9d^g~Y9n-*FC~*Kx6e)1P`)X3kzYF+tZb-qT{v?ysSysczbjee
z+2+h}T$S8G`mt$oc40nA&uz=^*U4PUT4ma&Ibx+8wW4$u@3eNse6K7UuRcQuTm3kH
zLLq1`HUXTPY&Yoe?`vGr(~pOa2e56b-4*Iz%lATuWy0K^J4&p|akz(KzJ%zmJ-F#Z
z|9G)Qqkj5Pf?HDrGWMR++_nIvp?!4m=Wkz-<X(o}+Wmyhm|C^7`C@E09QMXWDGJ=7
zsFq?9WJzT#4t^5rWO=&!n2^XO$8ie*7C8lmRPwD!cQ(;k2JbQD(MySQbIY047DWaa
zOfpw}Gql+T6O@FC0)~Ho2FwbF-tJzS9`3Nhb$g>A)A(tM1}boMxU*a#*E3QW23tim
zQz|e44AHw;Q=<03REP~%CK^Vdu=K1@3Y~cr2gcUoMi@C;emkX3wypO3i)IS@CVqQp
z!;OcGE;4e%__O>Ct~38SKZAn#to<gYg(I+>4u_5*b4rEi%H>BRt)N2s8W^{s;p=n<
zGbI71(cj2WpTiQ@jIc&-T+LRJK2(xJX^50%a#b{i3vT+S^;3hqi5u&gv$sb!`X)7V
z5w%8hM4Uqc;%@pmFPGf&Fb)pe+`yFC&5MrhL;z4zD$s?OE!MP62(?<LVTHE|H|C`X
zQ^KgS5B;;qYXk5({fH%n9_-n>qPTj#SZO#C<J%WMsGTQ77t=WvRF-qeLO9%*yzFZR
zi>`grvjAS%M0>%l*YIPEq1y<(4nUy{c?+N7Tn1l=D(c)?Qj?kNy*=Aqx2~DDl|0%0
zx+6xiOu3)VzPdU|p4}E!lH=BWLs&iy#Az?BxTfh|Auw7Qmb154T9_smq6blBj}OTJ
zUhGE>v?pZs+?o<Xl4RBF>>+hA%Atz;8E>}Xy@ipqIOZZ8BsDt3Jv&Ku3OYP-tc8Xg
z>z@tsX5}|zT$32$orRzKx#YFgm}?YEbBQR(_DzFoG_n-3{F`SDoE<#t#1@8y%e|)X
zHH*VDv-jl_@8VUn8m^-hNa0Jqx#EY2Ovbx~aEik%bh=02k;Yb7$Cg7^w@YOE+LAK6
z@I5J?{l<+o5iKbJ=iD943B=6*U)5(NpQiOdRruhPRLEe?WF}U4)&AN8;R9fWPFRYI
zRhPaX&zynB-eENqLs8(fLp2WVj#jGYIQh|o6W1qEDi;@!=SdTKRTV@>iQ=uddh!|h
zH42hrf4o?ot;7UqKyIlRqHc(8CJyy&Omdu2ufCy1#^R6mjSkGvBqDpNuM{+pu8nrt
zov*t(MEWTJaXvEpiVlQ>PmD^(Ik*^m&KnjxAWj&QCoBV&X8KgA7lc@Nssye!N{?Lo
z!o|xoql&hsc^pN3{*I@FSl<@EhN8YpO$+mY+f*&Y(pE1|7Z}NgU`DT_{xGkS7K^&E
zyA{)=4bk<T!VVoeTvia_Qls@7yh8c$$sk9=ih$Z?70*r7D5F}k<Ld&rS>;po^yerQ
zMhF6pwI?sH+$CqNu0zhzzgas)C9(UcUawFPs{Li&$cnFNB?}fSSvBk)HyiM>=O%Y+
z;j1q37EKE}r`bi%bfFEe6yL3sgZL1!fE74P9Jr@(XywG$Ve!f<4*%drJ65n;?RJCa
zk&cnaS5MVeN4s^t`C(z5U>L;THmv8^F(~%4f6uw<tF}nYo7GSX+KLhK{EGKfN4d2$
zVoY+u%%WH)6^et$G=4dqI((;~bI_Kfx3#KcR%bZV8tvyM<DuX;8HF>Mp<SMb6sL$8
zXW^&573SBM_DPPd^z}<5nD-@WG2?JpC$bk+3xznJuC=YX$SxXLV2lp^md<Gy^WM%~
zkkse&I3(f5)xQ!6QK6R{5;T~%>E_1sqQ9&L<wR~fQ2Cf2hgAxt95StlCLQIpwa%h;
z7%Y^v0`>X0uC&xYFPFFKkXreLSeLwTTn?Lb6|!muThOb+kNv<f%^xF2LXLm1EZuPA
zNltV|nFq;w0YlEvnA~(%p_z*Ad-g<LFf%ZZ^ffTmiAI?W{6FlycU03^_cs~_2cJ>U
zvC?4_1uInu9V=KUDk@#j&|84eOTvsDDJs&NfPhFB2%Uf^p@kwPK!AWiP$9I?l8|su
z0?eq-yzBnfU3cB}-nCx-m{I)Zn{)QrXP?j6<+GhlmE=Uw@i&QUEoDcY#`>S;I?3Y&
zRG?=)$nmhmo5h)BF-m&Z>2(v;l5)D9>U5vNwlcdCjg51GCG-ukcR(U9IN*2=qV8o#
z**NP0Kmom@2|d4m=zLH=pL4x7Vd*l|xE=~SXa`_b#oHM;N%IoZIueI6YrWwsXD7Kd
z;9X2VR$m!b`1(Chiu>xSp&<`6HyxXXjG8zdHzS!oLb`Q{y0R+NINp+#l;^D4G2RfC
zR^{C5+LkC$MrOq8(HV<Q<hK=xcEoYw4YZnbh53B85-|I#OR)|fr$p+CEtwM!4SL%K
zqT?LW2Zv^6LRH2V{|IV(3q<WXL?`ZC^^oeseCaiNN$=}x%Xm=^yF6!uP4%oyDT|>R
zkt6C^%!qj>vjUO?ON_hg<5YMr9IaL~2Yyw0%+uN=y)r(3!I9_+1y3adI!rF0$eth>
z@AdXvA|*{Bb#-|{uRD4t)*73crH9b(gyJZ#CDm@#>oxC<_}od`;d&cLySvCJAaM(#
zba1*~ajfjgAql>kryHHxt=WkjF7Bg;%9CF@@8^c@Oo>xv;C?~qe;^74Z35r`p<3LY
zJTvFr<m>3yZ`M*7xd{u@3zYYR?tMVd0^FhZEA8u5ue-xqj(=3ruzr5s)LF#cr=^%M
zalCY7JfcFzx_jb%aYn&-y~)0%GvDGHPb!DF`+N9L6*nXmGF9isJ>o7-22kDnrg8CN
z4mWU%j*7fE1vS)R=mQ5+cb<7C5+D>Y%Rm>9U4?^kcOhVj7zG`A(G6f&65JG;P}1UN
zW=pZqWkjB4S(2*~)eu2Q@y@YdCQw!SiHlV)P0X#`b$bW6JkmhCD&A?rNSqgqj8Unc
zp_ZwsMPca~2$k~NH0tgodM(-_@j^h*=VjOX`2C%j0spHP$RzhS2xP7fMk64RiTt_`
zSD?<Dy83}}u}m1-9Z7ED@ewZBB|H()q&;yr$VZv?_O0MY-9{6Arg8fwp0I930v|_U
zPR%#b)Bz9#`_Z{~gR|7E)DybZ@_Ev!s<MNh;^e9ZbVNH`U^dUH{_KdFbUwDwG@#uc
zr+f?rv)$c!aTIwTTAZEkliws7)%onHV$xez$?JUzx1xw;@oRehZV<@*rc39~+=v)W
z3O)BWZy+yLX4xL*RY2C)yEIZ-p*%s-)y<rqi`H>7e<O8F5cj8D*}UqRjPN0$ZW&#~
z(GWd%IS*OU?NBX`+dZw=VmsBm(a9K+g`0jK(SHXrai#LY=&nZm;qlIb3Ufl;q~4vD
z3_K|r7ysnl`40J(x5_ph#VsF|$Z@vI@j)qb=wlxVtw*6;9SR{(TGeZ7%*6?~bBn#(
z=ZR-UHlxDd_`+Zs=1UE(dkwnUs!?y>5A+}{DSg<ipwYyZ;#W9Z<ax3#oj+-NIHk9Z
zJZn>CKM?k^a5Y++B7MuQdi)eV{SC=iHR_RLS&rMp*eNfh2zG*IDsr7WV$>+Q<Zyy-
z;*+<8Y(>5EOrg;Fug@k(h^Td6QM;pphW(J=S~9hMt0<4}8Xfm230}VY39A6bmA?bH
zzpB;^5Xc_;`htfY`R~rOJZt)wE`L(&A9Oy$s5i09HwR>GUV&_h%@Bib?P%RO+h0uB
zvDd@(GU6;sA_!zEaKqh_3=-eG+Yxes^bC^swjIFPd+Xg&<RUfswF9VM;Y=k>`z4Km
zn2dZ71~`q}^(9&PEr1K8!T1ud`xPtRhsdOD?0~9rsC3{~H3`mAKodpUR|b5diAk1Z
zC!T?{PsOTSvwyDVXaQ#^h{Bq+pNuf$qXise=P!IwG=2m~79vu_)N_1!xLg((+4#G*
zU=GT;mgIn74|T3tj=uG1ab-aTa3hhIA#E`q*yDigXS>B$XVw@Pt#v;vm_q0}b`ice
zw7_7|?tpRuE>d1>^;>qRkxe85IV}wQpXb+I3gA_qT5K<a$F{C7C;2O@?BZpfvavq|
zRF~dgcaH(jns5U<8l-yxw@mLr8m!AQkew60KAgbG)9dd!w&Cv?=3^%^t^ez=^0SS|
zCu>oc_O%~|d98=+DdKFNbV%R@R<8B>(-8ch8=CP&zw++N(l+hEr6(39*2fc9*>*C}
zjFsTEJ_f)t^@jr-)4G;sPNU;WFbs0a>tHp_&5`Gy{b?2|#uHK6!wst-Z4rb!z)$w?
ztl;PRpCP7O-z~M~P{j5q+AxDQCIY$jn58o7LV@IR8u>-_P<ysW#$XPz6Oe$Pd*9E3
zKur3}ASYVPcWsQaX4_9Ao`GdkWH#P;>#v{Q4}!1%!2KU53hdQiopat^odW}WtXz;C
zZPt{o0b;u6v<P&tXB0-bIXI-@;fG}>$2}R{13dC2u7mPnah+&CZR98~)0R?#VJ?z*
z*XAclYb8E|t5Its__(As+Ke5u8NZf$+_lWH+*^MtLomEQo>7;?c(P<VXxiZqreCV?
zlPp>B!QoSfD9eD%Tsh>4JIJ}BcpL1ax05Q%`lG6<;E7A8dT7d?r#|W3f#69~SA%ga
zYq`|1Fs3DiV!kGZlUS>>>o<RI#aBa(cS=-uMA9V2cJix}(O_L_(%5wM>@|Y?tzEVX
zaia1w8x?k3pydUiY^T(>k|=mwNjYqYJ~q#jW!52K7DoLrBa^8Rm;`*S@AqILEgwtC
z-H{30s*tyKnc~HgKon{O)k`|8Ag4h;zIKOFg0{+*9636I;IENa(pOlUwTVkotn2&+
zzW?f@|6ZT2qu&1B4Y4(GI9}W%qA>TUgF>J~aK{x(15WSOLs=)GTe)Tf<>h{r@k23}
zSI0?(C}>gApr`eomEGJH2b#jt0`@IDpI|WoPyOrL+a>(P5MGqVo#9HWm#SO(W8?zE
zjgHj6s6Ja3E~l_{^izaf-Zhcib=g5W4d~pZ(&?{bx&os`B6)UI#r4kgg&6>z^v!kr
z#CeaJTPH;|o0uZ)$EY*5OQZYvv7V00jeSR-aJS-6%iD2MYp><baGo>N=}%e{!?drW
zbk@=;15ykp`+jwRtYu9Xw|xCNHezQQ(pe()+CV7`)-x|)(Ab-kM!MOqC(1mfw+(Eb
zcu*Po!!G*Al7`C#E_!qjX|=o;!o5SL?s6I5dk3|+hd*kf?=Edm$%~Ryd!XDUA5s@*
zkmgHUDr^!=SGw*vx@1W>B#Cn!`EA(LOd+>=XV1l%dHCcK_O~+TOE*tRdu|KHR8sw-
zUh`6(w!$J+ws?VS7K-UxCFfSZVOr{jnRl4((Yj$RYFQny(y7tW8m_0~{1S<R!WGW&
z1F^G$37>u)yx#X9nV9jOl~lp{Q50EEv)ie?7Bn$aofs`n&PoQ{Ce{!WlD3}wZ3c4f
zwWI7G8C*_)FGYZ}x2L$PCEMqh()8R|iTe+fI2G}t@G;H$+-K;W1)AeMj*v$ryZRFe
zLWJ1tPKgI%;Xa|vuXnu$J~Z%flb-yUGgl$;AfPPZlHQ8$M9}*^HDCl2XFyoT7NUjy
zI}zzkHY||CAF{ekLyj^;b-DMzSMEaeaPNEHWJC8&@C?_*#>jKIbmdA!#6bT9>6k&4
zOCIOB$|u`o+&nLTi0?KyxSXfysn@lQ8PU|?wLl6Ua-S+{-F=PmS1h``3K|qrHc4pa
zuPRgUw4&?;tpI-G$LlTUu?*r47I95CB$CDoIWG8*qry&ulP334M_YB;3*RsfuGw9-
zn2F_kVf_YbB}v_XAXl!@jcOp0f)RBSzWS~?T=~!XEBW_ES8fF<F|-P%t$OJ5LjBz_
z=*H6?dfm!}r__8Lw0owHn!v@g4(gYk?}6+<o75SM=F=CCjvSF>8_yaKU|Y=&Nk;S_
zE^_vYV$OS>VdcFfH}BUd1hFHtiqHa51d275=lOYl%!RGQB-MSv9Ht7#9<?o|-)+3F
z`Y^@^eDYKEZeNo;sGXh_#JqD)O*sC9LFIfI1LK$GHvQXhKm#Z;>a6rMp{=dRcXh}-
zV$+ii%K~pp^8N&4kXOtKZ$$<r^|1tChBc%#VXzR+m5bb5`F?8dnt01CGcbr&{a7FO
z@HUvio1-OpGO_gA!=ILa)ta*vbs{3ti-;nmY;xOQ@r!d)iQ#5P1!_jTNI_*Z^I}pq
z^v1GJHzG8iBfh`Ezin1w2z7ui!FV#Myca>_i0A(7KI9zQt`1h@13*AmpX%mpT~Fn@
z^0Cbkgc0$%uxy`kB1=uS^h+RZw9OJBB7%X>`vjeiy8;eGou;yxF^~^A;npEQbT#eJ
zFV7TpjjMVx^f4z14#x(BeZyDxDt1qGqZbgikeTR0bmA-2qeHTRsRpOFFUhxcgjd@a
ziF`gf+)&gl;Ugx7uO=z^euCmN(i&E&vl*xqVSS(QGaoco`^ZdB)shKez28_Sf!pY~
zuzg47B4~=h)LQ%UXv8z3%j-=wOR>L{ezs8ntLT6qXe%$1&yDKw;s);H6wT=`Pll$u
z+YW=Gjy?JKg`;%>oZgm4eEH?vcsUKDdsISF>mmCu>yfur`Pjc~PH4v*G`0#cHHi8U
zIiDaCV`da4(0b{*md&x57`X$>L6hgixbhk513d#LRX=8F+E3f{4|s9RP!^o_nzYuC
zaT8~!I>6s)gC7!cosV#OYv+BC4*dLWWfUN5$PQqccX-^pIjQuB<HYt+IEqdfQUBK|
zC>xDV-~GiQ0H_3?uI|@MgAV6II$mVb<J&bLrA7W@w`={KeK~up(6rtnz2*Ih%zd<s
z`}Z`4!IuP%f;8B3gBIPsx=xTR>Qi=Bms!|K3@8Nn(l5VUsEaQv7SCtPXJkwj%4v8}
zuSz{nU28#4q^<H8t!u1WaAo&Jz2(H7=$@IS1i!Zi&4WXzepZw<P#?rt*WYaiF`)o%
zD-b#@7nze|)eaXsOxq-wP4-0B7!zecrdK#ch-a8d_eq)yf05z4NKr2$@>b49G-6*Z
z4Ax-JnopX_dOR}FfVaV_>8#YYF_tPq4T}@?`D=z&_gxsjah;e<3u5if(an8=(3o8H
z^=jSHLks2Ll8%pOvEb7djuRt%`Fm#;s!mbx$c&kzIP>IyMatl)f<_BS8wk7tkl>^8
z+P91GO%Nsv)rJ4+dPDc{qVU^17S2`9{YN&fd0tjLLJ|6QY{|3M48mpy*&NqF_%B*k
z|30oMW3SfLegFPJftrI3zi82K{_BK1Wl$H`5?enqSR~NOT|BpPCO~%bMV(>Wq|4t_
zZkV&e+U}<RNP19`ly`Abg=-VyviN=0Cs_yCk2@KhR()=9A1knp-M3-aNXQ=YU1m^G
zHQ3gbXB9x7pJ`Hh*)9P3OxRF#SZQ-{Tdg2%m%gdEC$Pm6x*;BqVEMdNKd`F|wBcJ|
zzpw$Wsvz($yt$CkbC0cN$!VLrP^PDHeg<g4?S}PEI_&mJ9k14DJJXLpUjcSiH0oNw
zvIpg>wW%jBfR%A^ESkhKAbl46<cs{@yjcC0u$?>i>?xHG1ayQHZ;Mp4d?0*!$89P0
z$4x<wvT|37{^WWgTKn}4!GTT|x2el~7N8%|CbL52@^2fMS_s^L*!D%}6T5n;of5I8
z_6tkH#V=^kBQJkb1Jc$4JCgkstSn^r=cPA{+mipz9S0TS=`5pZp};Pwp-WSpiL)w!
zyvVh@e4om?bx`1~2^4)dj|KZJ00aYx?mP{ry)7`Adp)x*t?`P#qSW?P`jo?+;m)xv
z-a1xg3rMD7H$&Qh7J))wG!_8SnTWAyDpLr%Q^%*WQkKW(rqj!6*PG{-`hJJ7Axa>)
z{9&|iLB3stkvpuET6$ld!+*Kq_$&7MC$jVJzJGZN$V<lXt}texqR48D58WNr?6rQe
zQ5F07y{8?fS}Xg@mgGAS8!=Q>sh^(VP04fJFIQqPI|iqp&p%l>+i3plMj+Y;*erd)
z8qCUUbK7;)3fzCQ=Jh{0x_mXq!Rf@B{xIt?1Yb=@wL_#pO_K?{s++NX1%(W|)k3O&
z*|=0Cg2aj4qf1vm6-SvpHM#?l*t~360IBE2<46T%6=inL(;^ioS+9k-kQ<DT%DOE_
z<W@}?w`|+&yafKm!2)m*Ykv(f?;r<IK6GN(kGF9d9nW;F0Hm}&n+UZ=VB=B_G2~~Z
zQm9w|{gojb;(%m>;|nyxGT+>>`I?*0+ycBBU}>Z_ZhsI%vCU_Wp9A2{0)m>cagL1>
z>`rp3ULHlM9M%66W{zsF{1S!%T#>ZmIi~2EG3DC>yU~wZaSr(UPkfg*0cfE7UmI8M
zd|9xgoH<t(vxpk9mL_5f(zXcNT$qMEl0-_U#>}M6+jC9YTr-(y^Y4n7X&Ig_w6)_#
z{4d_4%h?-OLPporoNSCMIp{E)PD7$7--_)<{ZQz#ujuX%zen_4*qp?V6RqS}y@FX-
zj$@sE7cTMp1=~t-mdfA7=9%;u$k6eMC7O9q`-%)7r@j%7_RQPx-wF6LSImlKY^&6B
zL4^g|>_C2$cTgfkGN$G^^>{x4(j(zfk>U8!qBzg-Rs<+ZjBHx%Bl(dsiJo!Q%rewF
zFX>RPCuf%F5}^~DS9*xU26rsP!iuE`fft_t7B7do@Dvmh9vv8w$K9>&QMFUys~Oa<
z5=+Iaa#Riu#nt6>sPJJc>ZMiBs3Pr45B>YvfnH;lI>Rs6BLj%}ZEg8e4pkr7(i}Wr
z&8LSxv8>}tUFLk=V@Xi-!B#Fv&wn<r_)X7>0WJ0ZCvz&mcd#TI7_v)cNI~_9N=DDH
zN1kP3^^%WiQovd7D88a>I2>$~_0Rt(Z4&peF&PGV`l++1Zt^9e?a$h`dh^Dqw_Xz`
zv-C!H5Gip@i+aC#c`PO2_SDMDtay5EdKe(tyEf(&7{S_hfCfDv?Hy`g;muaa{!FDT
z4{hzcl(%1Q)vw-+xcfM9_t5`hy(PiM^z`9e31fC>^nbryH;%iF{ZhH<8OrDSpKS}i
z8Z7Uo%jSonvMLj{|En}#@RdAzv9ZTDq-~-0_x237B^TWQrFV#zCt^2~$dZczG1z8h
z(0W1|>r6ab@lTBo>na0&1OAhHelt~j;}@*ox*z_#lJ=k9CLae<{`+&AZ!iN5CpW+N
z?`OYUb}!(XCDQ#+J2!rJ^+Ae!#F1l9H$Rp<*>gd#ro(f65Wk<jciBOr=jP_1+9|-_
zv+-3qrr!+^H09eU1#55mu4Li>FnIsZ9{&|s6I3do1*=`FqArTA5nR>|e<vp8+#b&)
zaCmOaA|5#^x(bh7`yzpQOARB^nYH`9Ftgi<4$Q)}DHQLtek1ZIFS+^W7g&G=T1Jvs
zeeCd>1l?p&)J&TK6bf#cL)(M`)<w{M2c-Saz?mP2wAWPX+PKPAlL5vPjkyf8!_zp>
z)sI;+g6xx|r<oRMWPoN_Mkbe3s*t4AOEKr(I89vi*pSNaXEVC`r}tPu+BVBvk|)wc
z*JxU}B>LdYDb#cn(~2@mTtSICx-Q3IsOeM~YAWo}Qx&r=Fm#(`9B8Y>1QN;dS-k7m
zgeD+K_ehIqc=?)5wO4fU#sv_pVX{NJz|4<dBWBjcXjxVlMGO15mRMesc&iY|GWVra
z2B4#L75zs`k_&o#lZJuk!e_zwMRHIR8u|xKwk{;ha=so5t_M+SUASEvGRbc^dWrY^
zqxLY=>L>}rKr!;EUuIU%QjV{EnbFzrkz&49OLV9PWTzEWPN+urYK-~n-6FVX-^W2H
zhN|JTHt5A32Ws^iMUH?@k=K@e<dpbm@w&5cw`iP^o)4#DcR2Lb-|8zhz2^h=r91E=
z_=$~N@O6su?-3M4uf7J;l7^lNuAO8a8xp7q2Q-O!o6}K#bNOk-J;`s#QH-7Xs@Tk_
zwNW@zDi$-#i$qglYlUmCsR-n?60@DF(?rIjxV3KcmE$<CwJbnbmudn%5pm)(a%P56
z<&-o=4B+)hG3GRUjZzfM$w`q2Bos%;xDrOSCXX3O#mIj`uV&RibjkD9hd1|3#Z&s0
zim#wS=72*>zu>OHkS90Nr>*Z{zRJi4mf5X?k@kXpC#QFmz1hQ9d5Ze9IzZNwFUe!Z
zxztAP_dq36hw?<3%P2B&W<?l-a3y-m1YWQ+3kQi@eiP;#PWbbP@ovbHxXk9RFUl&_
zyP7vC9T;*(rQg|Edj)fS`I8{8=coHz`A4Jt1o+qYi8~)yfn;8fW7NqZgWAv2d!H)%
zBy^(Ih-=nsu^9pM(kzbb%MJ-n$chYi#KT<q;PCRrYZYqnsq_+Q2J<fe<^<o|8jyI?
zxyV=ZXPJsjAkLvVef(iLLno}kqQ^j+VlcICE`$x<^(ytG=#KMxX)xz7j!0%0V~K=f
z><q1V(}`DV#9Z0$1xVEnI(*jTa`E+`<WCn&o}i;n!a=^`D#yu<xh2;<rf;E?@8Ikm
z$mer{*1K4Kep?B8SVOWd*UPRyV=GJxF=xCgV`PF=C81PLOd}U3s+D|pduFCwNU(4G
z?EIW#fa&Vs2+?{t3m6}m(h5--J&;I)(<Ruk=D&?&)N6-Qy?kFz!{xq=Kt{-as$6Ac
zeKE^t${R<xhZcCJNrr{yO!!s<xa}94jeSu5a=(YhU?mM`EoPRn6$f%+*7RaAtL8f~
zbkVaYa$bOhX;-GZtHgK;L#Z270q>gZks{Ny)?Cmg&_0hSGs?o`+eVt*$_a-8gTc8}
z7{Ozo_@>27Ztf`_kT8tkI05C>lugeg&cIJ_LyzC6)7j=X_0&K#gxM4T7_L!eL-;?b
z>ju2t-ip_w{N%}L<U1;>jq#dq$?a12n}RhAgFe2pyv}Q>x6J9P>edxxzq&m&zQN30
zIhXO*dm!j>Z{bs$0>9EFKPX`s!oGvCg!AZn(Hninin;&LDh-|u13Op#pOa<pB-^ZQ
zn7PD=G4g35uw9i@X~V9ZYyX@O?acCe`j)@{UUc{G1LOCz7ymgij)PNpQ>pI*OuTXM
z6uJFx^*EqWHea1Yb*|zti`#K)BT^U^JuF+1l8<+<QQ^!4lDR)qN{R^K3Y^qz^#B($
z$x<|Dd?J8wEkyIxF9xw|OXf@#Y3BOJ%rY&>Ye~d49e|P)rQC8kLExyiSa^7$g}-Lr
zpyu80H&Wa-WC45(i6=UkX}c}SQp*qkZ-%oQ%632?_+Rm!ft`g}9NcZ&V?Z>}#mvPC
z{Lc_NU$}}{nO>W-_(bGkJ$~>R0$hu8x95@}8Q?B-xj_}UH75UZP=P>d%AY5V+Yd;B
zV;f>B^xZHlAm@Jj>7_yd73J<%!gD}|%ZK}SxcEv3Cf{!Xh?+fB5V;bh8ijIj^WsJa
zbr6V+a$ru-WspPyx#IoW%N+j!Utp?C_L!b7pr1;wY8@Pq4|^~<z$zse9603_X1aaE
zr=~a{;WhE=T~^#EZTNaE<l%1Fo#67u`bu!IcOJ7*;*vH!#lXF<`SKC+P-)C`YpMHX
zad@N9EzoegthP9S(NN6O>1FosGmwmRzc*Vg4_ys8%WV;TuGJ&(iiFK@k3a=q&FsK%
ze>GA%5RW~~U&9c6Y>Zni=qgkC5KmMcgqFy`e^ufIBaw`89~{Qrg;dlO1EB(Xgf=&B
zi&EPK>r1|8ohvOU+vVlY&;-xaR##}5h!39jDaQzhx<bPg;xb6gTg~u~?_F+!)ywDV
zkGsyK!4kQ1E2`7l$nrR|tQ0|$QNb@!KIi!V_{)J#o3l3b<~e0;fHHH)drF<``QlaH
z5`ydvyCN5eU)s9m(PL1sYk{H>{q8NQa!H@&#(RQQ^$^o&mI)k5DS%#C#nnFHsAObw
zJr*eOow7)L6LU9sFt^oR-%9$LzwlpS9Fl@yEqemx{r34)WtLTw??UJfM(*4-Y43py
zdx<mmzX<f+jw+wL0iU8xMk>{tV^fsxpg<p0*T>NyR=6aQaIeyc+kzM9`TF9k+d$S*
zQ44jqI@CdVrsB3G>nBhp(ti7;`ecn;kDa+g`?r6?j0s9fUjSm4moBR=PNL}LMdZSV
zw(Oc(JW(EsE8gmI$;HWBV~9KMHfN`3d2p`7h{y4WC%Jd3cNo?igBT0{N^fgSa=cJ@
zA~$cy#N`S&U9LOQZsO)LHrbA_u)KCk$^%8Uc@xsdJP_s7xokJUL^H9&6J8aG{NKK`
zC416;4@cXrJ^uU*Y=TnD1)+tBhr@UVjgqEO@>c+uP9mo%0r)d|LRL>m@z>m4MbZgG
zXL%dI!cliEA9`hrA7{H%*ZsMW=o}Kag;%8${JKHjJda4J5YR)z?PMK`D(jP_)y3lj
z1?cLfHMEFW@NPr!N_^NFL-&XoXWeA1j5k)Z&#+p!H|!>Vjq?B@DZD;-j*^++M}TQ+
zXc4HLIZD4!y714DXkDGVAL|`M{&12LhI12~b(iUM*h2;XxUbR4p`VmIY%N6~rm{;y
zMPLeTJE>D`RU@l6NAYH&mT`&j7z+M&ls`8l>OX($1%fMI9_65I!CD&6WbxjQ;bw0Z
zw@VeeIKW%J9CS42TzL$=JiNlv&i(xk*S+K#Z$I^{s=k2F?O6O&#F?*Iip~>VqbIZv
zNzdf!BT?RFler;oWJ*1+P$E#u@G~m53vw<b8`D^+b1`Uj2QFN;;3wqrmgJbQT_bIa
z*WyM;1GN7NQNa(D3WpR55e_`_fw(kkw}p(vKc3!hcp2lhy<?^)b?Gk}!{a~0yGJ(n
zyN@MAi<Eb4V-2=Tq+uGp;LabmY=86iL9EGRo&EMFnr?-}PeL5-l<I!vA-I$K7HRv<
z2-!ZL%+JYOwn$@X)X0oiPV!-V`kegLe7y8wGy3(iFUzWmC!(w&bZY8(#D$9*bgsHy
zW~kI+2(I_5P?3g7h6hj6M|oqIJ1OU+L&*jDuXK7~EA<E$Axc5inIOX+{mP`KGPIm>
zbh!fIa{Gb?oHTu0``fpVGovnje;eZg!J5MqgMBf8+r?$C8`QgBQ2w3mCqWtK13koO
zqx`F#aZ=%eXSJ&T{N)kL9?5qQ|B%I}o8`gFQP+pM`fi`oa&pY`@*15yu)a0NkeG0X
zVKRA1`3q8`(;-zYy(%<@*myl=PPAEdC`6-<ncWA`MZlzuv!5SZDSL^`ZRM}2;D;)Z
zKtX!0$reGcBJ>m6(MTdkXeIJFYYkQ=>%YVoPI#3J-qz}OxJX)dPHuvD(m8q{e=AR_
zL?CEfEG_h4fJem4yYImb)V)*!v(zP7e1W|1InNz`pS1vIamJ`Y!Xhow*>mT35=fuK
zl%-h>%t4~K@k@*03`TAR7j5$SkSaVcz<1CMQ}^5TysF#_PBqBvZb)cL*GDdwS%lXP
z!9w}Oy%-$!&}-taU690{5q_Esxh<JJ)bscdW|)$9A>ZkL6dM?$Vf*KsXB_^D`>5IQ
z*Gx*`El$IH>u<ALuhIo;&Jsf7veG14wXCl`03oc@16=Y6j&aq&v+gK73e8YnQaVI|
z48LeJgZ5L-x8_W*&T{23?|eGQX_%+NREDW@njZYyFo2r(z${?H)=xfji4GpOUpZG+
zfz(A>^gEmoYo$}aS)@TjmB;VyJ}B1^xwE90E3XF=0$sLDd2+{c#kjE41u6UsI9{W)
zr^`FcMO&z9%FAeiPa&VG!Qa*t9HkJ0r$DOggB_#pD|Qm5dk2z~bVW9BWFBbWIs*9H
z=zlMRe?RAekH@9>JLqtagZnVBA?wKF@3Rb2Y7A`IIzXuT`Y-2i8OsmCbj}yxRO}Dk
zz%#bLb4kDac}!wrUglqCxKuZMGcJe!<w!OSA*5}32}{p<g23z#uxB0|a_f$%cT@Ho
z-aAMQ_1U8Grt`*f({&0l-1+V{n~nf{An*j3?E25-nVw0&s`PThZ_7$d+0Xiy(o-u5
zJdzxnp0~ioKPEl6hi!r|F{Nx;kpa^!tfvm8V+tE52qb3av=<s%5l32LX41Fhi~jun
zz3dkSHUoh5UoYK$hNqW6$1V{C5wMxBOi#KII-~^jUsfrEmn!v&ApD4`PNsd%aaA#;
zET_GWa5XCvBT!zJDQs_l|J#gt0RM7@{)btW8?<E-=tDRax~tH`7Tzm4hO}`AEAw+)
z%PVsAB4`4-NM(P){c5d|cm)p64evNuShWUUVa}Dae9ossaR%_QbV1ZtYjauWNAvSk
z<WA7h0Lu>byId%$f6EYlOCQwI86F9n;nG)>g{j>uP*yN!6fAiae423tD5-9OrqL5l
z^ZA7@a?>}=3b#~+a`+!u;L0!K;2Rt+)O0G3;nSc3sthoXwteu@W2wXkEo%{<W^M&B
zcUb9ke^I3SnP%SRwlL)UNszo}7xrE*H#(vht$ldhx3iS)$X?*UiOX~qJ&RIfF*L)h
zan)J=jbkp2n0&wM_6>t$2DAhoPQIQR&>aVdHCF(R{UTpFSt@SEKb^vCCJmA&kVF-8
zg`{6mSFfeqz}gV`OXzc<9(7iqZkvxAPvsV1Q`~bj_D|T#VO`czm^Lr5c-KpeW|`F;
z&(=8Kog1^>vF3++;ipojt}}ft;mZK4{yK2*IZ(pc2d}mZR=l}{F>RCjeWCu9nKs)Y
zScCY;Y=vFInDBEd9+A@;g0vD>Zl)0Xqyz8p#P>sx6DsDOCYG&XA%vkf0bbw<9bscG
zP!?GOQ9t=eS}8!7ug1fh0=2`S9b27}9wL?RumfhMhgce3{rf`H)N>A@0gDqd<wkr1
zD@9P{4Co$xI$M(Yo^Gh~HYkm^@=j_UGd5*QZoS05skMC$+W>?)?4rwQnAF-W;aMCE
ze7~WwfU7HSC!ojvi^E@p(-5WijBm{A*SNv}60=uZHz4Sn5G`OuofY4yaa&*FFH&8|
zYvD+$h}0pGnR4^@B^Vb%Tv%${gTY@?F-C8;hw^hq3*HAGaN#M!@WyC7Y-UWu;Gt+M
zYv)Ls?@K#B0&Rw?P>HT$;>YPx>eElW+RX?r9bH27q9IG;rd;{a?}$D&<vK~E2&bh*
z+zfIcLBdSUj^HosDabWzXP0-)4L5nJOcP$xD9{~Aap<Xi{H@FEDIGSjc<Pu6pSvqJ
zRrz6Y`AK+Q$48iE{i~Bu`ELK*Lp#;=-X9VjQKulVAMjCfR9h=#_4pfd^N~E~wbIan
zIa{onz?C(G+YLBzCNo({&AHuH$Vqr`jUeOVQDS9g=CwSE#3f@1>JyLqMYT=)tnYSE
zov}5{=@craiu}3TpU30;#3S4uFmZ?}*XAlseBoWSO_tE!Z#7LC`XU7#kMcF*Tfod_
zm=BNssxz3vGBDuG;osi0U_G-sbGl>Z>iaL&_8Cm^uPrl<sfs1^DgD}OexrgFa&xih
zfEGw`d?(~qDjMp=slPJn)j6?nf5sc-1hgdsYo2=3Ehi{9^WH;;MO$3fx1P!XhOgQp
z{%*JD+8Z@5MugK*@in<~Y2tldzsISG^M)UhoeVanbWC;9x7^W1&j&;g8C>+i)msL?
ze|$I~20a+CgJxha5w%AJU+)tw`lx!4iEQ*vf?7}l_TttO57_$mdp<!{;#Rcp%7PlN
znWYl!f-4;6-!*?G=`TvAxGqZ+iYLD}$)L{@T%G>TN2@uc#X?3>I#6mCeBrmM=i@v^
z@;j@ZSmC-`U+xx}(f5Hv{3?GVt(A&bXh_R-&vq*;QU+w6KZy*3y)mF6rAVonQa10Y
zstZXK(f+~JtIsCh`IMQMf3i742#2j!KBi5KiaJqX;}h2n^oXG|h-6)r9SZnry}Aht
z=eDt{N<|zexC1I3rUxqb6(!Coa$|P}M8Ey70ZaGBRl<0nXQduY@fab*_$-cs@o!(c
z+1}wrZ|(k*!{2xw-<Q)riSJsWSigd9SF0N77L0+3xm>jwD5EWSJE5evWXxMtf`%#h
zt(cRtD=!=V5DxYFq#E2(JF?RAtd(@6QQ%=>zEtbu6ETl-j3&QD2bVoHh!M&lUv4cA
zDDm>j3@+*<6SH)eD^8=sdY<J-cP!%qdT;+e`DLg0`9c5RHL3lPqBQmCtc13b<*++L
zEQt@xet$M9WpKpH+2<r5H{|S{&dTBBTq)w#9PYKaUOC6>)XeX88Gg${6K`?*<HMm+
zq<l%b=4<&@)yxnY>}+S36NQnl?RHnEy0wLZCCGY((NMVBd_BtTE4{o?qw4!%w~WQp
z9g<NO3ei#}P9-5{&^rm!6;uh28~B(Qc%ORgT#%doS=d|tdq;BL{WjP*H3@4yBJ1r%
zW^a=C{YH7~%!Uxi=}3^}_<n^R01b%g(61gm{>sW^ZJRA@>=sMR*SR|F9o^Ihi5^@-
zy(@cytTSW?DWDYvth*&h`%A52g%0VK?F*iV1|~CRj@H`{*z@AXL*7DnqpG#?0!2WV
z*>`j;rEj0h2bVgh1tXw7b_l1?u>a6Mw=^D@fa%Z8<vztP4=zeY=p@w@d`0tMov;NA
zXm?UmNXZ4P7U5v(&4y*yhI2(ZA9T4~k_umTmdRlHNXBh(mvrUkxn|$+gv+ty4mdBt
z5y&q4hd_*4?I47i<zip@;8*?k?{Mma1dTZr{YN0SZ(OgLdUI&yDca~<fq~6Mo`?7a
zKMSk?x0*xxlWdNO<;B?OP;pWjEPg~u-8y#ral5*b7$-f;meUT$o@UpAe^(9!A;4|L
z1|^vG<-T}l(4{_B&}^zhAvwL(n6p%oOB{L_IFBFn)`Zj_a1xxCo_;F3aHm(a?P)oa
zHO`u^tYd2<SJ@Ki#|dvvyg&(~vx>l=oyrRkb_bb;XN7;^n)Qk1Ge|hfD}bt10EC}j
z9)_HTeEf*JHCzvedO<5`ljnc-3Eq!c3BoSO@E1z<D+D>b5wq_kokLSq|1%n$E<W7#
zAs$M5UuuJh?+Po(5{v5$T5*iAV~o=7mnl2&40{sZ<T|N^(R>6ZlKGOZoKs0Pq*0oK
zQL|fST!O!Let;yl3jT{^oghiSY+^P*-1VK%0XRmH9ZUi|ywwW794EAqm&7Ks%)wFL
zO-2*vRLW~0uWaUvijR2*t!Fd0KFY>#<~;w=e01}r5Jm3qjn+@_gf$`v<k?TyY7?Vw
zMgt+)TfbB9{hO~|$CwuES3nwmf=`>evl+jH^xXSyeA_qItj72I4gNm^zw2N4|NWqw
z0U&FurdUyWOmrwq1ak!<)v?o=;J;)=X<aIG<gKE+_E&F@3&S`LAt#zig*pZkBmmcP
zbt{B(A7#)9Y{#MUe6KT`S`}QZ+*g$r*vaN<=ruj^5O5hz#8t4FGyFOSfWy#4w{4w<
z*Fj`i$R-J!wkUj$MNX(9hwU#7J4KY&f+l$K&n&5)!fI0F7vUHh3)_H(h~Fy$&u|Hm
z@s56|{+z6R_rgs%L)?fGDfl*=yKWI|V1MaAy*ecx3yu1UmI{Sw=jv_OH0){YXf*u*
zxIt{LuA3xhFKWN~5ORrd@WU#j72wYq$H@l%D!v;0cCJ~#ajni{BOiFrH!9vl_R&^3
zC0r7s^$r+Kpo1ps!UFyTex9)*QPtgHW3EmG{>oH|hgRmZ_W>*D_@~%d=-XOv!Qe8>
z-FE!&{f7}PT^;<dhhAT<AG(?gO-{+!EvKhOQ@Gy%=^3TZx1NZbf-)qlWWCHeOZhMY
ziK(i(Jnctv8z8M8MPnYSFC$Ml1dsQxOiUOp8%-9vmY2x|pZSInzIUT%p)n#Rv?@-e
zzZzZUbUZ#aHM)F0BHi&D<&@Sga%l|p;A`(sb56I(K0P7#a8Il(Ay@i>qOmY&D?8a@
z><4@Eh$CBXmNv6moSqYK*gdxr2sFm<oPNIeh=uWvhkCNSTSuGXbaKi(lfF?Nj*cd1
zNP;spx@S0+?|!a-zs3i?ZX0@^U|=ee=;h?JJjgGngR80DiB5DiRk9v65G!c&+e<t(
zvrM3gd+hsMqGXT_ygUZWc?X%XK0OoIasN+V1{m_aXH5kEos@F~0bDU!trJcT%S5~o
zL}?r3CCnVYPEFQ3e8@}TcCtJ2{P;d|G#QIdij`9dy{zI1y5hR3ESDo$6FbfS-42g@
zDi=s(zN41PZCQwZ5%ZM8-^XyzrAu7bYEQ_~AH3+Z)KL$M^|n7xeb>`fxMpBH`u2Fz
zH#btegO_FWuXMzDMz>*QOe9PJNyXTm<6DLc-Mc_BR9O8~P@OG$&-O%WuUg-VJTZde
zXnEPXMaN1uF@SoCcY69^sgoo_Ro{_V$1Ea$^ts`vf_RM#LA($X;1$%P8xeN6<=75*
zsuKK55&oyJ+ZWkDUiEwH#%lu+?7Y=fMPKqX0Zk==8)N>WCSK==%)mhk&bc`T5d<ap
za=vvqN3dJ|l`C%Af#)cq<yFDg4D0AvWBoMQp5dT&Bz5%ub0vjNl$8S0Q>b1%Zg4-@
z;Go>Qy%^!}=T8KJb@KT23niJahH_GTPAT{BCtOw*cM@foH)ZYW|9CQ>XLYQ;8uv8R
zp)09lH5gl^misL0YpG!fq3~i$0f(v(3@a5I7C^|IVG8YYG*4x)w#C&ScB~S&Me?d}
zjlKGzR6b5`v-6r!hh@vB&<kssN*UU?`r3wh@jS*9F2|?tR;X}OTg<KJ$?0#5ls?E$
zr-mGE()-}J`h3I|9T9v1XOe`ES#fgKO3%o$;eGqri+)l)EEP6rdNsxMd2gED{7gPd
zwapEt(R86p6c$87M=X_IE<Dx!yzR-y`t<WYb`wU@qWXQ_i4Q&Em>1|QalaDzUQGbb
zVHOVS+&Q@?;wFH<J00vV91^p26zX$Aq~CE6@pu>weUUwqWy?>+_t;Hl-f49?(LKR)
z7QSR82L%H)T}>WQlsPl%IuDcPU3=z5^)k&M6C_VOF`xAj5{_#ufS&f41};GCx9Mx4
zUgLii<oj%=!)VXqmMdC1yYgHGmHNF+tNP8;q(+-)bIU8L+dNHPvU3C9X#Hq&W=Vxo
zab80rw>fi?7U`(PLRD&3-d{_3!TZ6m!+RD4`8D-$3^STg47|Vy%BM}9TW*Yg#~OZr
zz@5PoT#lT0G46Q*)txwyd1nIljl2B$8F8z4SBFWzats_s5x*TL+Nt62g64^6sTYlQ
zL=r6H(O4p!uxLGIx_Z`RSpiE6vOLU>a@Iy$+0aY$Rv-9~!gLT;D^v6nwo|EYPHJ`D
zzl|7{F1=?KE$;M*|L~ez5l_148cb*yf$1iZm7rr%@jKJkL{PaaqYUI7N@;?hHTx!e
z`sWq-E4C7N41#Y{vLEIJ2$agZ>+pkpAp4a^L?%ypQ8Qj9@}*0hfK!4dsq;f{mu#3*
z1zMz5@IjNsY-TX^)?>sG(YPiCGgl`mY+=h+Sx&<v^`iWtwF+?>WWApJ$tLQ`uOTL3
z1uF&FGN&9q6Ri?2EFP}&Q0&1D;o%`ok`qXOzy+wjJOtUVDRU`ttTf1<d@szW!K{p^
z4!^ez2K%-<9oSNqLkRMtEzRKY*WLsR!va5;*#{h}#d-2L1I(u)Jz7xpe0LGqkaij0
zY66E729Zcc`SvXqR+dRcs-N~GXIQT;6g>AcUI#^7KOri%4F|CC&i{W<$N%O~N!JR3
zT1t?LD;ctnEnyuRtu}F<1onPICs|c|84T-O5>Q8aDLUU+M?<Y8MCv=LqrSOB_Pu`t
zMK_#n3VrOS;c#}UZ?oO(oRi2*Y+PIgX-*rV{t?kRpq9R*C$D?BHDOO0?xO;9BIxk=
z9lp3LmJJ<9pHGzhE-bd<tIu2PNjnzc9`0g!3pWvM{3i&KJ}6b8=hmslUu;i%%b%_3
z`~-(3yd%)|QcsA_VoB)%6+E0P$7&(EAlnJ?8`rGT-N(VLSL!Eh@ntaFXanRHr|B5w
zAhsVSd1r{_I&1lFoHUks8<WE&6ON&@T8M845D7p>0q)_!8c3)eOwm;Y@S1DsP1DM5
z+~pfx`E8hm=?DoD@;;erGb}6H`s8~ASH^82<44x7d~eY&e$H#*gA3qiUtobItAo~0
z)je!<N^1xBF~0H&&f3CWVPsGEiT(`wdHY$zQLQ=aochm%-|a*GFv%bnLSyTxe0ah%
z0X?{+(;RKMMRam-RI$2YN~pW!US<R?vn@*a5z@4C!i;<PdOUqhld!1N7}*@XQoXZG
zDFHT+mxFfI8huInmY<W`HcFA`{z@x}2-fnJT%k0F+|=PdJhpO-vn0ev89MIGANEp8
zuC16D<Nvb1OZm!*_h;3%WtMFoj{adi>L8)qCbhBXrHJ;j`O6D5Tfp#@LVA8Tq^S13
zpmwCCEKhw<tiC;|NW3NBZClS_)gkKW^(y-T!#b>hlK}P&kG{H%womq%F1)-<4%)+N
z{y-76UxZkq_7xS>y>wU@*6&iE0vD4N5liWvk<TSpyH!7o4xlTMJ`Ws+E@!Hn8ysa`
z5*kFFG>`2(+|OrSU)y@+PIcR0yx>QKhVl?eOn7FZ$=kWaDOPdfZuGg(yrYx!++Ovf
z0{4JL>Wx+J3%$ySmAU6D(=9RzEI)i8;s<R2)WTFrbG39!(q*%Gv-i}DClqUl(4&U-
zOX6m-@dxW#r+F`H>NI*&#GgqKkkc)KbkxV#E19_km-g?9aV<ZI-<p)#bHgp*ozi34
z6v8^>I7aV{OoM%sq2mq@Q$$(Vn<s_Gp#0}r<9rgYtpa9!|5%yWxX#0sclbXRP5RGz
z_&OTZE}euz15hL|`lg<i)FUNl2~1n(OO8~kk(}4WXT5@#lhMs;VCXeRzc-3yik!XC
zX!~hvbH;!gbrNUJ!MWmp=-#CGOTObnNA^ykZ80AOpW3gkc=iYUIhRH^zSk%u_ePG<
zKfjO5+~Umxf-<79M9i@8N&z8-F_d3e|G6mV428?Etj&q(lpq%F+yIZ@Fx_Qy6nZW3
z<nzARFhEn(Ae0!x8a&^}m-G3K>V}qU?$cj=eor#*U+bV=dwd{eaArQWX}odSY%bsn
z_GD*un8tg&U589)Xi~5S`$if61B?aP@n@+jft?{9@<C#pr6=QL9{vjSYZt$1WJBOP
zLS@0%g8CGJ$M)a6_cS1LW%^Eh?e*8#>jbkbEpuwDl(i;{JWPV-`X@RL<&2bUSCZ3h
zS2v<KSiUHCEgpTDD&BhCd1^&7*iCj1=2cQa6#`Ly-Y?ru?(O97l-keB1l5UFDdI#K
zAL-e<GS`B!&oK+hIFo8dS=k>e$`S6!`ccAC-xOt()w#uG$M@$Hs5qgw{RMqc94wWk
z$NZL+A|@T!hK<jh2svBptS=^E<6;Es5cGcj+iR;abCZl5o8PX1+Pb}+xev|vX0;W{
z?@txNUsZ0!p6Fer!yM*K_Dq;Mr!bn1NXX4?4**!~!!)95`;c_-=X}>~^p>qpUkc;2
z_MoO$FT-ROTqPeWy>`T{Zg1Pk+dS)2Ik>xfbk1kj<%hXp=Z-|Miu4uteUG>&WCOcD
zbmLF^=^JP?@2RF8vpp%OrZxqxgHk!yEOn%0Y^Fa=G%QdEFAiAqyaKpNpVBO7L$1!B
zCXjlnT8#(`ntf)=N<nf5WxG}t9OA!Ln{i_-hhtV3Jfejjl<^6Mgn5m&?P4l6)-lkc
z;WFRu3ee<-G;FRPL%2@I3XaSnl{HA84PHCP0IhT+w6uKPJtW<wScGIaBBTj629IWo
z$cX8cE&~mN`iXlQ)~xAe3y1GU?f~2>1!JU$#64*WX^CG{al)x|3D`}UJeC0t{n-GY
z(HQ~<oMs;4RvkXJaw($iE~HuJb}C*A21$yjeI?W-2ycD7=e<+TC3&Gd@nC46G2)FB
zg-<{kFrA*d4r=Wz&R&qY;2nOkK|m|VIgYMnS28rar@kP_N5X@|V^K@ew1k~_&RsTA
zikzB?2K{hsgO!u=;;->u3qmXpaMS&DFV7v%Z0Qx+cNu7zNm6s&ksVL+LQq($bgaHf
zjDn;3Ax$`B`zRke)=uv+S~#d9UM}Dg0mt`Eu~gCB&rbUg^NXtR_?hl*jYJcI;$L$t
zU%jII4=Z^pFl@8<2Lk$JeiwYqkPgHw6{l0b89bEmz^ucsAoYE#OK1>_!sk_-hAdgm
z-?z*A8lDo>I@WkCHCDpdYrKn`5bF@jc6#Oipx?l=^?z{K_ov|h8-BL`2@X?Ih;tI2
z;l^G{5QUd3m(YjE-~9bdNQKTSraSePOK><)*W*4`z@|8jW5tLETG{*uL#IH)n8C=-
z;ZcI>kUSI$no~SzrLs_q!{>m?3RdwDVNEpl<x?j{4hehpl2Z35+KuA)PUA@GmrBKt
zrYu^Cz=;RngPNn8ZYk2mzui*1uP+Tc1za{Mk@JI!>Xp=b1aia!#56~qdck|tZ&~pr
zMJ7ESkH0DVn6*bCOBa5;<mIoO@ULV{m303egJpZATz=tH)cjTqE3owU*VPv#A+liz
zFR$3LZLCkXZU5;edv~cCmiT!ea7<Nw_F4FlKh>;yAe$?{n#&l3F*R~(@t9-yXxkhm
zPXItY^BTxay%JInEYUH_%7yJ9K{Y%wq3a9fVd^mMbjZh&15+>vLEW#;H9pL>%Kjlb
zpi{P0Xt7{OEp!wV(p(GJ7jTUPsF_9UC85^ucXO7KO)eM-Z`X+G_b$OY>>&5PuKtkj
zOvp`e0PVaMboy;4LDvB==s-@f?|pJRI1Mp%c+^Cmyc1c!3gD+c?RsyetwRHan!Og5
zJ3ts`r0e2T$OW0DY5jnq8-A4(Y?^PXghtMv8Lq+o(b093^h^<`>{$~zPepXj@$j8z
za3j^^OKTbRR?787Bit55P0Qc4T7-E+x&wG8IvIndZRnlWj`v6TYUZMgWxTKi=F56T
z*>De2-+L+zHYTVjjif6q;R5>MNe>z4org2^YS;q@5ry57tq=vh`EN4MV~*2@e6#HK
z@z?RyOw`3@2g&yzl<O39rERe~-*|(Po*?BAa+(E%yfSlpg^EBJKJ!Y+IBgiw6`P!^
zr?B-}Qa~#y7}wCg0ER}Ex<hyI<m?^O1N5n<1q~dgTbJb`gzGy>L_^rNr{;RfBK`Vr
zn=VL$_aFId>Wd=WW~!?OBYhSNKOw!O^8%~+UhK*g?>D^n<V#}qDF9ja!{07)IpQCp
zJE!H+Q=zA~rnX(txp7nj{)>H8&lFF|zC@9bma7#f`)6?V&pA}>9G-<V%6Y{*i9Kq|
zLYHK5n8s?Ajr!~Eg)i&?<qK&^2ETH8slu_8E9(LYg#DgFjJo`fbbzyTyL_J0tyFJN
zQRE*0Bm-+b6wEzT@O*!qcaVH{SHq-^rp^1lwoJ!9_u|*EX6uYsPQfj=OL9W`VvF|`
z^g7L>OfbWgQ}Tfnr4|`4Q-WrFdzVZRBj1%?J~0osBjg;J#G1!|<}(g=61SDn_EunQ
z4QFK7$s-V@pJW8?9BW3i;<=Genm}Hx)FY!k9nn=mgZug4?stIbg;ZtU$@mF-aJc~N
zL1}>Oa5JqNa7`-+X&C`EjDI=lKc3IC@;B0R&$f~@e-sO2sRty|mQj7<myH-eO@xai
zpf>4?!l}S_=Ka~zMia1MoL~W;SH;;~R!RSH#@$9_1J~+pV?-ODdCqgsDD^h}8uCO>
z%PCU25K2S-T+Y|NneCI+PR@gq@xW1Iw8D1OD8Z(W+V9p(PjxP|&X_KAB`})4ME9u5
zQ@>6==CL?1es|>r@GfZp1&8tzoE(=4rIodDpZVQfj)Cr0USowJ_%S<y&Qjt~O+Yzj
zvU!_2uLug{8Uv(!;Bn8)6_Ee4evFy^22jwi@;*f0EdDBz5f8C(Pn8)z6(f{7Ps(GB
zo9muiyT$ERAP#}Y$K-c|wlA?R0Wny#8EA_ctSo=)ktY}D>@%+Xo{0WZr)kkNGn=;{
z$Z|(0D?0LehMclQeNLp_JDJF673WIS;{!3+!6m1u>$z>UzkoJi^$2XRUDP?1^qyIf
zk5X<3>vt$|q=o_8Lhd+Igfu_4!EX#1zO4A8kLAgallcCW_x$^m7yjXtr@hX%_fGLR
z8Jwgk;xKJz!;%I>QKN$vkhx_eRuFi6WbbBl2O{+F$CVD;j49@e{HSr8$^fbH{Ykc)
z8y7Npz!)PHvH1p8`qc)C$bR&HzT|IJ%#aP#ptnZhOyKf30vy%nKT)Vt;l$ougtm8P
z3)5ITx}>85fi^^a=i`^vrVzJ8sW3|@=gEEgZ{8U97{nJ=33Zv@lzIYJQaEnZ3?#$j
z0b{2R`n!tkX1k6hxbmP{&$z_6mtwAUVg|Y%)}AO9pcVyHXX!|O@Q-Wca+!05?1h<9
zf70<h*jPTGoBI}`G!lm`=sQl33C!EWJ-h`tI8wxOW2+lq<-}>d&~w<24=#WPGNKR3
zMa!`KE~Vl>s?dA3(OU7Q_rZ^M#5K4Ham^NTu*#SHV~Qx9A<fmWo8jgT5V!(x^^#Yf
zjM}n~hwQkY1||tg9EQBmgcJAd2vt3OFX78&68DQk(azk%PgCWq{=&EK(7PxOyWH%3
zuL+}Rz;g-?kqCD@l99&<Nvymfmo3%#5x87-SV8n?yQ1-BrV&^5Wz<IcgeSG@JF0UW
zL+Psht7W}_2vr2I%ecmQP&*Apa0RlOqe~3K@`6G{3L%3*9u*3?V3zn`Y2`AfLH$RJ
zZ@F4^h}1``<qZFi1>D#eWEd?U*O=<B3)oj3_p&n(vZH>Q2MZjOY=DE~$*J?`6Cli%
zOnUt(E~M&GcZ@;8wQ(J3`7&Qly<h^p7lLGigQ~vcuNgfj5Kh`HBbhPi?Ty|-_zsfw
zUX;4Q;r>zd-13~JQib5RuR871h$d<~ngknIb7fwSJBNC&tTTl~?FdPOSExA;M7G7f
zJQ|h&4SY0O?4OfK5HY`YYqHxjV#(X7BIILht#{}Jj|Z?5j4zW<3Cjp}thh(#M`Km0
z2sA`0E==W~R@j_%ZZ*v)iK`w`eImQ@tzqhM+5J_!#2-cs!jFO=A%tQ@XiL~-y_Odo
zT#nA|jn6s*n`7{e-xW7FTzTNw%V2eLxU3o0NpF7i+p-7fETwer(<mXxjd#51E=;e0
zFSRJ7^P_dWZz$SPJTKA|<&?N3fv8}eCVWmN>z>l@A$e_AOfsnP{jF{6=z^i>PxkIJ
z_i)XZ;yh$%=tnR>-@2pE_+Ufvdsse_!#4YAz(bOw6d8O9-pZpH7bOsT9cll*`^Ds=
z5SXOF;e&GR@J_ymzK@vf_=T+kdXdM&5GFU?kCs1TLpok2Q>^rud)U$w&<S}5OjmIn
zKTkN3R?rxed2QgVNfg;UDeElV%*;0)nYeo9%(JMDfgus8yq-iswsADv`O{E^K&vk1
zj^WlrUt5Nrb5x#W#j=l>@8DcfZ4q$zQ^vl;C%glOJ1hUGYha!$o-q~ju3@<7HH^ZD
z7Q=^K)0QhcCSwE1`crA_u8>{`hpLRAnXm%$C2_ShqPH8;!&r(&hjI$kM4}z<<Ql%O
zY@ADFrmc|rMR5^-NSw8V_#F~Q39-z<e`zZ_yj*!S+bZQ<q^E`+#GD(U`3gF*r9vkp
zcVN%co)bmsNx#Qf8f!9(J^Fn^&*X~soHx503sS*{9v6|fU0WjqVTXBHLbi??KZPF`
zz=Djz=tL)BGh)Drj8lP5LP4V2!QH^mUu0_K7=rQGjZJkoDgNV;0=RUB*x`IaT~_>J
zAz-RNMoRcD-fU+^bZi6Lr$gZ8P<zFdB(YR!g{k0<BUqxuXmjj?p;i0k2OdO)l4+0D
zep17sfO7bBdE2%4iqG@|-h1+1X6=5?Z(HJ{Up!cHk0U<#oSb+9zmh<d^ct*iZq9kg
zf1$v8RG*K(23hT1U{4&So(dJ~k4!x|>6QR{0o~(8?<<O1;-M~-#g3(^^^9RAZE{6B
zgjl|qz{Nd3p-3ypcKdnV+r$C>>Lt73o_2XFkUAWNwb;KyAoxROfq=6EE_cLRzM%4G
zWU$UjilWSpU*YeLRk`*y^Ld=nrVrCcLOxv2y$s5>s)s7HzUozRoCv0f{a@{UcUV)&
z-|qnh5h*rAY0<T!6hY}FDwai1R8){EvWgNyi*yoDL{_D&4U|x<AOeXlkWdqlm531O
z1PLS{k{}@o5R(u>$UVW`eOG_K_df5v&%O7L`@B4PI5~4Bb7sC}zMuKdcV<ZGtXCHb
z&XF8W`rC5?0en8(2Tyu09MA*lb^j8r+OnFB^M%uEEIXzA%5H3PjxM>79rnC7sN(Xx
ztgEgcUGYObF9DEMe+3s*9{iyr*H;<BB1<n3X73juJKetC#}>dzoo>~UwAeT*N5ErI
zyw?M9rpOb~K2G_yt#~Wj<JD`v-Wa&#8@*3MCS7OU{-waPvUKpzQssMv_zN6?QN{aN
z!sjdhnt{Un1!q7S|A5s0$^!H{eBWdJ1?Iuf?f-ts-^0HD701M-I!K5)n-EoFO{Zmw
zf@)Ncw*1opF$gX{g9it5(S?!DS(GRh@TBT&bPb8qwK`4Ad2PF-t%KO#w;tTH5nO;5
z#N1QpO$y<GBY_L)l&KEn^O%LGmbQ!^?Bw4-q~Sk+$Th9{=f9&f@N95_LbAi!?6vhN
z8*e@}$2o0y_*~}v$Z12hcB^2>0po387|-e~Jc8B7Tj+3m4}C8amRWKW&}EPis2IK?
zP|qLm-IB7i1l;51&}wiQOqOgcnh_<LJ2{bKXp$v<frZCub|);zsqyzBG%SlHuHy#b
z&wvgJyJ4HybMAtO0%H&(`Kyw9H>vuB?YQT2#U=n?ncE4PY>#{)R}o4~U|Y|7B$2xV
zS_EupB)kAuD>vcaISq!rzm2bQQ;T!h`M!`|@EV4;H>VQbar6H;wzJ;Q-s0&1-sG?s
zj^k%bt!fW}Kx}9Mj6D}x4?iRHJS>6NV7R@NaGvEC|MvmngtE3(4_owcq6Lsw&s+aP
zf7%H2x><_<43H@|#)A8W&HIKZf?iW~n4sv&1C`VM?fioL^h>7F^7v+;_xFtsecfEL
zsUg%v&1RAD!(Wr8C?q-?GP}!ss6=ieV?}q)*DWs#?R`h8g9hvqrbUD{x0iH17XHAL
z*t`(_%)j<H`^NjUa7u+gX}$R|5~Cz{<G%L~8BbXm+GQ(?5=P9!e~u^6%@5}9@Fb)m
zs8P9)Qd5MhBfm$uU=T1rqQNl5Nifh05_Rxby<Gte+-MGXW^ugzzFi#;6K`L+kY)_y
zi2UoO3NPjo;!OuQv5SrfZ&@+Ztj`BAj)*swZ#j=AXJ_1m7w$hv<R-zL9tt*^D<Q&u
z&aF1Q>H8q{M#kRsWle8Z-d{J0-<1fDr%mR@tIgVcAnh(hJhLve`t?^v$jz`{i@5k(
zb>tBoQ4noI@XOo9TbSF<+xmlqd{Q~<-#>nr(6NfJrnHT4LJOR*iRPVnMU6!q&5Qp!
zp1Kb<Jv;l;u9NQ`-VeMyPV5~6T`lKSn_fWQ{87%^5)d_zb4jx&1V7rZx#{|GpG_&N
zcstV_cpLUlE$gjiv+`dAW#b}JND(5{rnBb?tXG*K)5mk#9v(>Rd69PljCs57nCh)^
zB8!Z)baPH%51g8ampPe%ABJ<xor%fQQ6Pl4lR5~lCZ6PjDwgpszKj~!Y6ZI^n!YXC
z;yx0zb40PsP3Y;`g^qmhqZs;pYW&7Ho_d%+<8|>2%$kv&P^+!-b{op?9I)g(<CXt9
zKeEf)5Z=gYUH=>5)+v(4M5{MbYK#-;vUfmUtHv(+ldT2cVk7H+=*<6|YYD4xKG_Ry
z5t()17lH_mxbVbGRr1=(p(Fcoou43@J`l++R~!^nlGsxt;jW+`D#mJ8hv2apJ4cjN
zOf3r`lsli4zWZ!+&-KZS0_-$n+WrtGc(W-&VjhC|FlugbVe^Sxk)`2nM^@S(A$12!
z{8K8!vmAO+T}Gh1e^vE=AFsk`LD`~^mp$=Tr$Lt_#O(S7)2b%Lya!&hRp2?<B8!*4
zDy9M1U%Ijy!;18f{8yd0^Xa)b3wFj%)5N3)<&ry7+xPQb&M8fsz3+&W=2{W%K{rrH
zVBjn6l5^iSE@tr8SHVS22xk9^E$}7h=PH+GMCIPl`Wlm-t8zB$*4LQq9qX`FUK9>^
zxQMLYlkq>Y_CN80+)VWWXWfQX4L1z*X5*SS!O!P~=2+~!+hDE(HRGI+_;<ZBJAcIH
zu<5FlS;jfdIoB%tf*O+b2*%pCbg6ZBh}fh#g*EaU>t4nQG*Z_n>dmI>x~g3-I9iL`
zk2wqqO6k3h;=9^q4yL+X3^e<YjYW0sk@sU$1tmj5NEt*{)mQdE00Jx3A^*PvRw+OK
z&}aW0Z(?fuTKp&a`1)lCk7ox%iKsyZ`Oqy}Tx^6d<E{!ir(BK+mGf{5wk7fW_ZZ@u
z>)+0c(6!&!;J^JHGQRxZ^xVkyH=F>&RKZ}V-62HDd0uXtIU7d~kOi(nTOvDZAcgFT
zAbY*^o)HT)7##*;j)kaQa&W|(@P+m5f`Y2LgmK)&hb{>mv9PL*#9a=C;L4WGF=T80
z4~!7v4B8qHU$N#m9rn!XS+(=Kr50dJ?z>UORIp`mu{ZOGO$d3)!U9j0tfDxAElxE1
z0SO<y1P~>htii1&d+r=BF2H6t1gf=dU|=6KLjqK2kx<3SGnUsL-;j&9d}0~s-|~73
z=qd#<4Gr9DK=ZQUD?~un6kT>C9jA5-N}n)K?-US5z?}sEAnQlx-*-qPtMweHlVM5@
zs}{|K?hos3%3QQ4I^julr)!<~ZDotQfo_znkV=*B#a8BHF^Qvp3@%eCU}uq|aMJX=
zwVb>ejV`=IntEJj8%rKv^0i>8e)#3uTQL*dbF6^WPwB&5=pWN>#*~;eZ#h2zi#T*%
zEP&LQyLy6WW1CzOf$=8i2-Ssl5kw1>r}49Jts2}J*kats<A@-hVC{qSr>35w8K*v!
z%k1d1wH6+i(76?j_A{D!aM(W>@z}pOtS4=_J$NZpcx^ZCg3poJ2N@08AjDx?a%61?
zefWb`f?)yEi?M5K=WP;7FTs45vRj<I&*|N|Q9_rpRQ*7*_^EC)%f9o`eC;nuVH9K}
z_IJZ|^&Y)isW=p@phDbjX?E~|8TpQ*<%4wO+~E9Us6+16>}yw{2aoYyf3Uqb%bYgD
zv^24KTl2Z%_~*0i*Bv;WyK^s!f@ZBv43kXW`|-Awv(GpAtR40CH<@~?_;S~M>fEfo
zswkKhDl)qLNvADC2QGC^P_PM*xF0sCvYnl4WfW8CT8+7ZVkKFVvVItOfWDHxcq~?L
zgzRO85_8o#<7F<ZL6DU}`^9uimPNr&t}R;rn^(1i+t`6X1tu6AT$g0X)*NX;!*80Y
zKAl(E=ucjE^XhjvWxWii@Ls<az4jj^yFMp7?mU{=o>Ot*;xW?2pnhq_2ruHOz2>yZ
zd!h40=E;DZ1Q!~hcWzv)`<e7<B&Q{7E14>it?C79d*J*2RaV;vxD!VSEH__C$$q-V
z1leC^AjnP)!Cg{n;qtf$#;Im-1@*B8Eto(m!z#@|Ws2v{`gp7|9m_a7@@i^(>_AS{
zn(x30!UO~>$A8L#py|K-bX2wJ&eV$+a_bz=!Kh0Ge3!T-QzE#%nwe)~EIDT?=IceD
z#@MSl`sPtLb3?xHjz#T0C_z~;8PgiayWC`Tt~B^T@U8xg%DuYjsikS+R#GH3wF#UT
zyzO@hTuX1)dyGF?`sLEPhj;3}SUjk!rrU3RxJzFMW-Rcr<{VQDJ(<y#oT<^}(!vC>
zOAGqyVI$~MuO%+I%2ob`Ry_CDy!Ag-m~c|)jFDrDDt8;zWIxd-@kFbi#K$ahzv!>@
zse7i3xo3m#ijIMW$<&sAbzBJY6+$Kg*ZG>8Mr~!7C{BKS#d!V+PhJ<)`)-=Va5jQn
z7hLZjK_ZF|K3{u<I--XsWwa=4L7T|fk5j*W`;7l?Wii94Wj{Z|nX|9TDjd0%Z@1Gg
zImaZZS+}@#-5(uOD70>i0CB<A5W(xZJKid6{4}y69y8m961Td47~OG>LRc8=i+-3`
z0B1+|HwNe9;w7tU2LocJ-Fy|`M4p>{@tFxB7#zpkXxcZ2`{im{nt=)SD*|MEUSeu0
zwzto8v|LYWJ%B5{x_2%A(AtNO_B!{^=S*q!KyPe#N7;6WDv4suoS47nmH$&e%6--E
zWPW>;--&|Gxitl(VE-CzQZO};)mw{?DKbg)euz^?=?(Dn*?qmgebS+1H3}V}Fia5V
zvM*G9Q}Ep#E=LFxwl}6_ya%#ez86?<5NGhBS={SM9y4pB4QY5dSZv!!y2<d_s#@5H
zKE1E<NZNkzpmBz3>o0dyNiO-ZsjY?~=G&VW>y4vtc~5S6obiQYq8p_I?k;?gaZK8`
zJ3<tS)Ctd>zRhw?$6-B$xHdS!nVx+7VQFBi?_U3AT^n7NpEC>;xeRifi6{0;288M`
zA}$$e55e<ZY72Xp3z*Kvckh0T|A?%yGhFbW{!4%VU!3geyj%SQ8*c`;$s}}E@Or7#
zNPNC8ks~i>xk|LvqD{J(@wMn!&y0RQ(kgNxS{-Oh`(X$Tp472GH*izuA3CNVTq4(`
z330-*k)Ojc0kv_@STB~f>$du!SB(Eu4mtbi2)wpKRY`Abt*NqkXsvbPnnh!4f4h?X
z)}&Ui_2b7qac3O}SI$H~_107;IxC9K|FUV<$6qwiXNXIp+Z*Rrtys6haBRfscZGUc
zRbH)Jyl@2u)JkV1UW?=wmWY)s{&ofM4#g-aWe>1GxE*`HUF+HHFX?S&%NM3n>JNXr
z0--kL<3fb$x8nZ4DE1mfIWb|ji$t!8LX*Wph(*Hemns{<9GH?trG(ke&5Gw|O!D&a
z!i1R0tzuN%Tp?S8je-lXOzI!!V^H(p?!83n02I}yYn7{>Aw<`RN#qpvtoM_;tf4Q%
z!3g1Gd7N26s(ARzj9zUM&rp}jJnECgWEPSe2V3l1DHNRK!ywJ;4X>+lm{7{Mh9*Q0
z3>5PCdD~%T5qco^LNZQEP?#&gf>fP;15>Q$66Y)9G#(#>bZ55XuQhDeu}@y9%mhRt
zF+4$js5tb-9#<gV%45Xc8rPN!wvUHWVe}H()AR@3GG6<pq>#Jj=c0{O@?S%ZWye%U
zQ@>*>MgyQ=lel;+%irl@a-IATt3&zq(F6Y|Q7KUz$+gIUbk0T4`*rm^599F}Z1hZ1
z=tr?PG$qmUqAuwDsi!_UMa+k-UvPaT-VZGWEZ@+K@g&ofcAWGecSyT23^S!V+>1|G
zBsa-_cjba+I~!GvQ?q2{6Ua=a{7`twKwQ?FN}Wd$*p>?Y%i7+q5@+sEKT_&aV=pF*
z1C@HN;PDK=%vd~I{zLdYW}S)}7n^bab(THr_2_)#?A%3_Lswg!?JQzANgblEL5(J=
z4wPEO!o~H-gckXM3rc7PmRkHJe%+xuRPtT<p}>5_(mh%-g5Ua%;AZken;*mH9mk4T
zN#TP+{q;*1*Hbp8#B5GwE$Vf+*pm|YB|?LyyDZUD&NG;(_U=93>gSdX1D5sFv;>Gj
zCUf2O;Ks?YXqR@p4diE|e5{{m%m9DxEsG?H=d+n{EdSCe3Nl?h#(k)4y{weQU~;A=
zz4$o=5%Kqd%5`r9{^^8qW=mXgftjXRQb6GKww8R^92e`^Kgm1!QK4SH)ljIj4B<)N
zqz2aTsm54OgWEN)2&K%VGM%qxi*Vb2TXq=D=X)m#CtvA54z;4EM6q`oE(s}RE>+y?
zt=ZSRckpq(e|bMPe}nMUTIeC0_8hH4<!90>njopY&-5HN>Xcqmd=Z1vEI<BYQAdN8
z*9L&beJ!ahplldxiu-(~#_DLB+iWwBR<S|G^ysed#LB(~uuR5<4N|yxk``2=bB{+x
zfWmq_#ec6oPQ8Mo#d-7EUoLcqifX}|_bV@FLdB0lHSHrC1}$H;TnS{wT(wQNrR}Q<
zF?s>3$j>;!hy1Ztk+%}zP9}F-zK>sAI<>@VZU7IRUha+?>kp<;+CuV3Yb08uVtYft
zh__S6A<VkmZVkXByq_!Yy+n`lPhTdHj8qx4ooecrmd|{R27?4%p*;BFDn<FTAbkP%
zr4*&aq!FoNC?x3Kqi9pWe&w`sBKFXZSFI!uCM<mY8DGfWGc20UtQzt5$CSX)c(t$N
zA@|nU>jRj5t>N_N@<XR>_+Iy58@CxyTn43ILzPx|j;J4$3mwU}n)bjw@MwEfW073O
zj~z83E7U(k9nDOBQEJzj-GwR{3D6(Oj%|`;8|F|6byImD%&Dh7{wKpheX2z1c0UfS
zDu{sZ<n!9D05h@o_7rP4XZj=j&Z()g;tJ*8>TKdH8Ym=@kxP{}zN6BF<#h?sgO<Bn
zANzs?-8-{(@0V?xyw?1T8jrsZ^I)s*<7}j8c#No5SJC)3W?Y1Gh4+I%ycwr>as7GY
z=P*{-gfE4p*@~p$o!-Gfbd!j8{HN&{_K=(8xj-y@3D7x}%Q4>b68f|?LF9=Vx03#H
zndN>Eh_^dD7Gcmnv8ZhOKwNAe@x$YxF`9R~#YN%@)5zho)tGWu=|Bj@ZDV;cw?(2*
zI%(qTI-9?2lP5c)sr>=AK?mLjeJ0Kz`|jkYTDeb%ZCg(vXvHYc-PCkkdh1{ci4<&i
z9Z?J0T6zkm%3#=xQ9afGOT3}_&(bOUf%}vsljrLR2cV=zWLzpL-xy*6^11iNHiRDA
zM~mW`C*{W&4F}IhhG>p4U@z+{WwjsQV{lQA^`=DWYh=NrAp81>Mna=xWO=DZX3t)q
z$Ld$q+2l04cYA%0WqcVfB63&Cfn^OzEV~e?jHj_pjb1`tSV<dFJMB@}?(50JqtSKO
z;Vx+j(eZIE@lVC_a+8Ja{8LSLdh2Me=XFf*Pwfa%c(tb@TlYNwcJ5L?+38iiPTx^H
zTW-?nr-d#SD7pPzw*^~VPn;XQz`JE^K4^h#G)8qm;`E7qd>%)FqqA8MRG;eN%9UO8
z#oi<fYgWiHE<Bzp>;39uzEfMDjo(TKvc40)Z{0dD6nU|S%hXa@I9=-O=5JS^QujMG
z`le1maLPaHclDb+OZ;A{|F?>LL6LqT&ZXR1$5!}DbN_zj3yM={9OlpD4gW~~hKv#&
z|3*f~vBWPxWkk*<$2*&1j{OCKmh)%P>WThC3#t07{*j8Hv{A38-hV@<Zr1YxD5djg
zC_*k2$<g6yZ<b}HXHrTOe4gNLK)<~QL|(_SzT<XRJCCjh2%%_Mo{&aZue|Yb>L2<4
zsFpEbZ||k8%K_iYBX__|_+c~Hm8=)=Pi_Adn6k2fgG9|&iejVYBv}v(sGV`hs;ps=
zsF5)>AB>RB_(grbY;Q{o;cy@p5F9J&hQQ})VM+~ou(6BN^T3poQaBPfsnv$R97JIt
z29_XL^IG?+Dr;(J?$t4saecORZ=_B3P`g?WUxdLrCmKHgJ&)JL7{18@0|D$qp7>zt
z8)uja^H?-pIxjqw2Aj6?yR_9k0+=(FPD8Uvw>oG=a9OLoQb6i3X7h^A2Rg-J*8xQ7
z><H&nZPnnC3h_{+=2&Lv%-W}ML^{rUkgB^1@J)7F93el{(xFA_eC@3*7mB9nHS$tO
zWQhj2k+DjmzmdyFSFDB%sp@PT=l8}fChZ$KJ)@l&d9_Eee(JiT^FEfBNx#kW1(LF+
zvMcJn=*L@fR?24y{sDFjJ%)n^#G^R!Rj?=Z`soGu;`Cn2%yf3YQX(}+%Omd=Fq0^g
z+IY47b@m{ib}Y_QPH5~r`szJUd5!1?9>dn}*}nzkY;!~m+2bsRd!o%i^@>v*$U0WN
zx#cw+2rm2Qtw5YKn~4Qxcw3f4c)PEG`d3$|otZsWghUz5>>$0bi;5DWN$L`hD7hob
zz5+@?d+_BWn&Zy|(-q?R{79q#*|YboT|u}+Uv9EPv>m#%CTi`z3Pzdz=_a4q5>lpE
zoyB`<lC%7p8r8nU4c}Wt9$*$K*7H47daKcQ$Dq&_KilM3mwPByM7~zSj%^0uA#IFz
z^ebzgGW)gQJ^sqoVeE9>SzQ{`gC0u^;$ri$t>=Bv`;c%{-g6%995gFwN|ys~i-^n6
zY)Z)QtadIz?zG5!l!x{ghuw4)*npNlZhswW!tSb$JY?AdfvN$^6p%pK=gRTVzA=Hf
zz=W!TGYd>u0gzlQ57m20(L}3qGIXi8FEqApSqiZ&WPVv9_Mn>0^(%*!g9Lu<oCuB7
zQQ*1SzV{U)#|lEQP-w7CijlXtCbUGoRBgBeH7A}dv2EM=x%sgt(&gBjS4F_fSMh}F
z@X;^|PZJ9f@_O+3+|rDSCSRcy=P5D3aZeBVl-eJ8dQq?n_{atbJsB30yG78jx|F2|
zt5D~tNm5B}<b>?Dj%t@wVjlL9jc;B6gIjNMPQ|s&?Oj}Ld2arta_%8k9TG>f4M>3{
z)tWb4REt7ph8aB+>d(fM_PfBkb68CeJi8I=Z0)*vcX}^fFlZPcz)Ri8of6PFN!xN9
z+g5jIc>~vLL1s@W)JM!{<1jl8#v#6`OW}gLU|88z%PY%;GNkv;P+0zEV44dM<M8Vw
zV&a1FANpyDPQ-%_W$*B_5e9pTk_z`-DkBh<1?cISZ(eQ0+-Q)kJQyC`9h<j4#S#hZ
zRzZhDNf#@8p$<ECYC%aG65l(gZR|H7f%g9(>_o-}4y@$Bg-gpdyW7HoAkH0HU1#lT
zq<S9?!RiWoODonS$IkI9rmV4-BnG8c!N=)TE!W`U30}Mlti%;T^=NG9zsw|wjj?YB
zY9UYQ`HceRe0u!2S8uo2ui0G@v8xPH=w3~i198o!alTU>^mzZ$(;5I1yI0ebqVcrO
z>Bx4OCQ+vs1SP_|>}x>YHwd};bLk?Q^)@5Qs9*u+dVTgECDw#=^l+};*_(Kxf}&h=
zRcGe2G@Z4vRzE?|;HI`nyWx~Fso?5^KOyAypAE|U+eiho>fzBnX<Heuve89h_e4ry
z%fq89LJ~ett%tp2?_0W6ovquukscSMXF6z?B)HDT_1Z$v{i~8|ISsF;gnq-pSTjL)
zXuM5E>!}UcxMLamV+_Bjl2jA!mH3hf`z~dJC9u1ByY6z)XraGzMLyFn5W{@IG`(2r
z@({h*zZtO$|8I$q5}`CuU9gtz9e4tyfg??3Oc=8t%*gss-sLpF(sDio;L<MA72ZYw
zwPQYVlRXy|G(~-P&iXGmIz_?Dqt7mnW+xRYU7dYZki(VF>5Sair|jY9Js6-i7*0<P
zr=NUr`XUITbzy~hx5D9zoyGNmpXLiw9Dp9Jgx{Fkp<I3E3f-@M9(t^ul`Kwf-xAl)
zaUQJ-w_W3&{KoVPo=ZaB6Ar!!c=*Ie*xUa(hD$OTSR`_{<7D^dsPt~J^V~wWu;7x$
zm@&0mV)SOMbldnkd@q6jOX?9=?OB7EV1{61HIuUf1l++-e2CrRRnK$JM#zOea2V<p
zohy$ja@-8IJI2$eY|R6f_}-+20o!{Afbm@t@yZi(2^r@O%!xXcjmG^;>$mSx%6bVR
z-TQuP%a@hs=~)OjFTQm)AdcQ8m>-U4JZrFavD>P>&Zz6Bx9#qUBo}^gt19S0snw@@
zyFE~@kl|c$^WNV5)V)4skJNt3U?=IP^EJViB3PM}bHQ_atG3Ly!WofApK~m*t{d?5
z*n;?=;9wp-<;_{R7D7u!Fx(1?w`|7?UH|O}JHCM#0&zxI_KQJM)x(b&t_Fi#aFHi`
zC4crgEq@z(aj{Bb<4Sq_hkp_9LePL*;{Ju73-aMcSRs^E8>dU3D^2)R1>50UW0UXT
z2ac3MR`Xxm&lJfQ6{bWco}kw(!zi*X_GKCYPL%tR<M}@9*~7wgu{PADUAb@C?74I<
z)zIVLz~`i)Vr6DF&xcQa@=?&`PYKowXm9)YxUGtLv17ux$*1>aEas8DIc=2-n&eH4
z8Dus=F2m{IDt_#~Moilm;v&+oC`DE~TUvg4kkx3}(yu!EGCi&T*O>U6yfQ{vA?2w+
zvsJvB&s!WJZScb|sRp0<DzgMNSPwTjHZMJ6Gck{v;o2>haG~>lJeIE{lE)+-Kqt`W
zW>Ua?`}tI8$ov}QoP<P%pd`iQ5a}GA;~^WO{Vg#Sa-o*O>yH1Kyr><1C*}-ZnB3KN
z_eyZ}mi}Afn+Up66X?wt&n6xI?L^MfW7paI;m+ZCzsfb;S56;GIhnk2dNs32FZJrv
zKxcIq2@-LI_DR&Qa9tc$z+6i{#7|AB;xI?t^Tp;`8~QJ*q{W1o1lJI;_Vbgg+rq}8
zf+5Z(G)Rhhmf~%G-Zs_)3Nm=EVLtodP}IbN#UM-E`#%bL(h{H_Q1;V4L3+hacg1~p
zqPD*e`psDt&n0l<9N`*CB`)s5PC^r1v=L!<fYy~{M$@fHh#&7aU}mO1|7K=miOWF9
zy=TkcJ*O_vwvO#xy<lAb12lrZBI6q%WTCCuyqnwr?qyZ4bt6`Cg1h2gBskberpjPw
zj5erd(Kq_H%*UqzGg-ueAk@^`VQRJS+!Lta1nM|p-5iR_74X%e6N>U)H##irgz3b$
z(YLzknS(Wx+NFiR3q&PE#~R_a5FBkK-=e6@i7@3oCiEMjR;ESz28QJAn-@&Ai$atZ
zf#by^-K@>n+G`y?{{{wQSAY<1@`R54@>l5#u>h?d-&~NsQ%4{&+(?n32B&WGslsoA
z2VlSpaF#vD`W<8E)6(ny!K^=bS)#NHI^V@0+DU|%<+2t!-eK(ylqN{kr6P0rv$Ffo
z<p{Y+sfZ{I;i*ffAT=&>cV!uyBeaIO(m7wLn5UjdakhoXe(dw+^brjlW;8aC+*@{A
zmQD0gu|7e<@{QWew!XoH*;&Z4O^<rHmKI@T&mD2A0pF#`*0Qez!k=&K*Z6;sR`&&%
zk@*}!s4pDnN26lF&@a27yuAFVLq`J~AI}e3M4@X!<~!}@d%)qr+?<p|(x&8(v_YjT
z1{KRO_eF}aWS*=IAr#E@N|?4;J^1WAk1QY(MZxZIUX5#6o5$}wmkaGiCt1Zr_vcm_
zcti911f4*1?FZt=cyVJ3=8HOgzTgbrr*pmvg%@!Y#OuNGnmtbfb4zPa19RYsxY`<J
zn|~`^CJ2vj*52h^vus(I+)gl$$UI1)B*X+jEjU%_y<YnF*y(n*!S+G0`tbSTFI}vL
zR+vJ449BB_@f-;X>q(a)w2a8pnHoTXJa!Erog|UnBHC+g1gB1w<1o1=7R2NC)4%|4
zZa55)5JilcYsUyruK<W|s+AKLejAIi2IeQDiOo<%Pc?1_PDs(YIcNVFPWN0=&#!Qz
zDY>r(EZ$Hszs@s^z2))~I8|y9H9WD2?$zPpsnQ7TFJ52Kq~Ex8e`p)a2nU6*e%oog
zI2q}EZ2XGOqx+AzH8Z<<lqD%Asb>3&cD=9a#UEc%(SlKY55FwoaDC_RHkE;1lP-oI
z^+GX*)i}HxbJF2xPiAtFR+$>;XDwJX)*2%>>GweZ*)|`HzfjX3UVik{BO9+I0bv^@
z3pSEngfy#=z8A&jf3{}?QevT*cDsbBvZ}<~!k7b`n+);%*6OP#{$R2WQEcrBKG`YM
z_H3<30Jhe6q$K(=U^$`Ozq&K?P2IW~4u*B}^JN$BXgon~AcgovH4&~&KL{;aYxFiA
zX$ThCOvS4$ZFB&lW~5T&Z&6C04!_FcmL@zNTRy|~3295Xi)rJx&PRARKC_>tq?pXj
z4MH?2Tb%;Q(|(^$*L|E-40Q`BSdOnrI0ieY`f$97&Cf^!D!EZ2>=9%j;MFFy*C8YF
z<a>INgQAdevzLOmn7Y$-XSl`TLBysSleB%KMfPjDF{9Z7jEh`kT=W)@`*&(jxvc|S
zB)_=1UFP1LoX<X=9N|5bv1n*iA=dBG<GfpAg!P<Tl;MPoTYY=Ay@zw?Iv;T#w@r8o
zxwppV81)=?)W$@xn9p#}lxu#v???Tgqh2^vz3Mp~<^6KU?^Oqj8b{6rmtig)4Rb7A
z_qD<YvQ4d#CdyCz5b<e%zZt+deA=9|5+EUTbTDo^g5cyZZ_f*eG%c)fIH;K2M9>;2
zgA>&*G*(B#73<UbE4+M(YMycTWgH3_j8LrCe?<QLQ|<iz$Rqllh}#1yiCqz{^n<~#
zErFvU7!}%T$7EQslCi>^-`pYjAx{64w!vVPH?+|rzKQfR*nAqUbbX0hoF^$<iIUG{
zB|8}2X{8+S?gWnqhNPq>0nrxMD~&VYH=Gs??emqw#r;U9sO|0KD`8yBg^6^RB{dRb
z*Fi|#g`2MOLw-jryc$m*=__Ro#oSC`O<Q*}XOUCr<1=Wkwl1CWvdb(0m3bPljsGzG
zdfHkT*O$UR`^}fp!3WzG8nqfI%pZGy?@e8~x8_V~V%6LqU!O}$3tp|R^bSMYlf8T>
zSAu<C6h5g{{*}e@lnW1YTp=@A(}KFoKzxbMuY>~oXC9OtqP&h70VLjAkCv+iEV23n
zu23&=v48|Nc*QZK!C^{?F5+WhlSLq6WVJK{m9N#_uFT0qwsUW72WW)(z#7da`e*Mo
z0EO8&XAqO>6iAt_?g@s{rrbfAJ5H}b)<ES3mBN-qSk`U=jC7V|?vhOk92eJ+Elxe|
z*BqdZ6am2+<)B{fpBl_Z8$Xf#j7G>(PHZ$9%2nzdfAq>GGw|N&wN`FP<xTdZTNUaD
zm!PPi^Ln}7;`$o(WlY{fBOpCLk;8dNz`S)*tbb0+QSN1#vm)#!ZlQ>&SY67a80S*E
zla!hmu3?ckOAPajTQET(9j6rQ_e%B08}W&(CpD|TBs~&-d2KvaoQRk1j;glE&5(Xj
zh}EYtEjI)9@h|I8tDYHWvqq|p87Xkay7;Fy&^11Yvf<#l2Dd(MKCt_n%4)2{U9FyV
zR~r^kCITNcAgR`yd@>xWyuDo&Vyxy^tox02(0FkTQuT5m($ozWxi{!kSA?0LXy+6r
zv$f(PW|6Rh@uI-CHhuPMSd?^#hUxXvlTQHk72Ec@-45%3KV3uNS4Tx$+yxjtM){Kw
zsvc>ND^kYommqfw8ltggJ_(46STpr+of0h`7?A9DHBTn+Mb*FBuV%b;*qg_#OBh(g
z{IY5g6j-4?8>zkQ4SnbtP`R2`)NUv^AlTVzx4LT>7cDWm*{8$d^xxv8S)96AY7sCk
z5v^TlrQnWSXq30Gq00ez8>>I;lMw7#{44~BVj{@Dn>F1hx#5wA;ilRER~nQ53*SZM
z{v+Jn1aC5r{kpKxB5~Ph(%ZKud>Me{Hj1IhY7A6{fhbG&t{X!LchBqkk4k&T(A-b`
zjiOlJ2}+P>lAfUbmBhAylh<JX(Su#)x@d^ghvI(q*Zn|_R+Fja^ctBl&a~PL$UH)h
zK22sl*?12(oW1)V@b*q^j{MM$4GYhjDQ-YKQlVZ(9ntUL48t|xf$Y1lFNpRv0GU{P
zZrKhHR(?Yge`Rg1*a4;~N61S1pQnk>EUAa#`2(^-o3qMJp$C624UpY965vqkx0lK8
zK#P(6?Hvmb?|9w#KXb>WNopV#-^!HzZ`SCum67PrPput#$zR{WL<>d+I$=>ieD=oe
ULo?4nhcw`L;OKtLzOz^V2ZK;u&j0`b

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/WinDbgHostBreakpoint.png b/docs/GettingStartedDocs/images/WinDbgHostBreakpoint.png
new file mode 100644
index 0000000000000000000000000000000000000000..114ee37e2bdf4c50caf5688a2cd2ce0412e00e0f
GIT binary patch
literal 160935
zcmd?RcT^MG_cuI%0!kBUN)@rurAUV$MO2!AN-v7^PN)GAREk^#6p$iKKtd<<61u2J
z?*wT95ki0vN<s+)-rRe?<@c=hJokD3eAjwstt2y<larZq_THb*{>+|<d1Ro&be{V>
z002x6?rRwX09`l$(5%waQoaE_T>3@%paL7~XaE(1yjaS{8K=AYcLAU(f#LYsS<3b~
z@B8Lp0J!M)=Zk9IQ6LBaP75Ar-F+NnvoS{(%HI7G<lVEELAv3U2>ZpZZ1C%AE7z>$
zthes3?5Qd~uGvbT?ndf*sxf6+#<cnCT3poUjI=&ncykrGdgUDRYq!~;lcWCm*@3~q
zd0f_}LExwtD97vbOx9f1T)JvH*&(2Yng2L~av*@g>VtRB;Q`_Oj;>D5mxd?P&*4(k
z2=#yN0)X(}cL7Gq=PRtE__fqxzAH89)0eqvYyBNHnhRK3#s6vqTnWAa&`=uNA<Y?j
z99-#sxWfaYqNqHw(uX~<nqCZlx4O@Nrh~F}CCzhE!#91JN;;!BEBBeYrPGaCOVaQR
z_1~=$>8Nf~*686Gb?>bH&xhr6rej^+9p1FdHIj@yluB0_koLc^Y`!9CrBPQ$$EQq1
zIUGWRKfdsv&W+Lu?@0i5KK5fn(93M-o?>orEGE(^J4EpJPmIlHr<{guOkuXm-GOX(
z14B8lyQ)W_>Jt-mynpxZ^nW>99iTrySn-&=?vFAV%kY9X<C~&Ak;|M&oEIz~HVdV*
zhLM^4hE(@0a!w5bXM=Cfh2TNh6id&7QpBOCwLfvfZ@^!ESQpV|5VAk16!7N&VTb%`
zI1~HEncw}?!!a_^Oe@Lc&W%RTbN)4W!w0plM5Gs-IQDb0T>0&;e$W+Mg>^_=-^Fhn
zz-|#5E<dN2pt^Ud&J7jM4?TG1I^Uw$N*LAk+Z~V}Q^vPwCV);9TDQJ1jMsZuLVmy3
zS^duA^;vnd@wF%U2(%h$YLl-@A5Ixs>G*%LhfmwvJR6P{Kns-Y2q6>YU3wCizb}h0
z!;T18o!4|McO(qi?Sat!x&1d=`-hmELLGsy#}Tc^A!Bg;V*Ly`!cL#$Sj~`{D71|@
zX?Ybm=?0zLZJ6B)gq$p!#!-1ceVS4T*Z1=MfI91&?Ol!%!&K($xunM4YBtZd&yMda
zn)xx<_6C`()R1)kr8@tezQKU;$UE5TQ8P8pm!qEJ*CM+=jP(cej!a+qsReQ#jeAJ5
z%?G<unTV9_2_Q;_q|bT69iZEXiI`igGrF{O@izimacZ1cWNbYj=<D8x6W&(O#l0mw
z6Qb=A3VM-&7}}IFu?_jqE!wVZ97aCMMU7k=RWvSG+P-t`pUgP?dtokZN7<)Ow_NGP
zy3ht$NI3M2_pVb8mr%Gs&;k|YfHDIyg*myV=%5UX)`=8;=&>-Qc)8SXsC9odD{%h7
z{#>BI9P|k1xBZQ4?1QPz15<0TcwJCcffT^67W%pH*c@!N{N(CZ5A>C9@~0@xa7T+Y
zJ35*{-&}`I;7eVWU1jDPFz7YKn(+ASwOnvXgwJ!En(+u%n~SU)!I2+h=-qiN0A4Io
zR|_bM6$awHv#u)xlU+^~4Z=YAI<X|Wv>16}PdVSO_`v7Y2}540+#+KG7WXAgl+_(&
z>SSaYo!9##0(1o+mVX(j`clWU3fncMH92YR&leOvEK17618s}n;RHM#|7TMhSgg_>
z|NStX-^O^OB<vit3p>C(w`$9xqJ=_x3(fhB>HFbZ_l=Wo=&x4yN#u)GAfvLw79H#X
ztLD>Bg*0?(0UuJIGr1_dkcxD9UoZ5EI{^?iPrNMsSqw1f`V@2h>Qv24_uS2mL;7&y
z$-4iX_Kbl_9!i`S*mc@ufiFl+P*pbCFdmhz`$qr@RmYS0xzclGk-w$uXkN&fC~J0w
z*AMDBHxP0g{tV#&Aj=HxnvJ>u$e7S)u5G0@Q7_!g0O>Z6$pQq&jKJd4BHmtMiTvUM
zOPASS;)KqAj&b{bMo57^9g>J|7$c(4>WDUyh&A+Z*$-ET8l6Dd7!Krw#O!VO&~<2Q
z?>cWxos%diSgxo}%<<NvWyn<@*!p3rdSSGQn*B0;?59p>OBL2=#L6IyP=yS;Z0z&n
zT54(TliGKJ>;}R|w<Djl<P7gD>=DAX_-z}l6sBY&T_9IB6==Hy!fF$InZJ?N6yFj1
zjRwJ6mnN2sHHAPP_UHF9F+G<zAbbLde7dKL_5s-@WZnZTPhRFCZ*Q=#b*uO+`G>h-
z>sv@@zmJ;cQ3I?u3`^EPBw5>F8D=H;$w>`M3f&JCcej-hrmZ04`igt(4eOoE_1Lyw
z?%*4PY$$CPQH1@wzH|%IuqMdKxPN1t4O(+?{Z44SK3YB=T$CL`J`$~M-6B=2KT<Sk
zZNFA%sJLE~k~A}Xl+4wR(QT)lAZ4V0n;R#k2s~94PXn7ghQNjH-L<ynlh=%cmxu*?
zPGx%XZh}pEI3Rssd~o>or*av#Y4NaC4@%^sEODCl4B_eA)F_>UJ}auNB}2Kw=1npe
z6MvFsFvHW){y*kq{r#EZ%v$1*`oaZNXF0}02#+DZi=D9b?PUEHwu3)JD?Y6w+OsQ~
z_8<`Cx7hE%LC)zh7x|$3biMIC8Fso4BWyO~tQ@W*7VZ_&YV0uui67tYA1kJcZdu%<
zFDVO-AJz_i>bd5Y8_O7;nfvzQL+#?EmRtd0vkTq0B76BN)mDjP^DwLWrBIh{!PGwT
zo84bZEQ>qU*{-dR3#_y0Q9?nCx!?;bH+_$Mo0eKG4~Ep%kF1yRBigJ${K3pPbh$%s
zz}FT#KI<c}yXFi$*J~A5lEZfAw^4(aB&q?YqE<)#+BOa@Am(pvM>JfvkhDOX%xEW{
zgFWrTk~PbdpvPh<fLY4KOzQq+3$#$shvk;|v09JTu<^DRuuV=+9?etM<qx<R-)bhJ
zy`MX(Nr0HC#So6G9<2ANy?dUNTpB;Er00$rj`nLCN_}>kTR%DUp4g;Y)b2gkvM#t@
zv5y$8Qk?$YB;G2yP8`-29qPs%v@vG$v?98{{3FCE$bJXXdM-4AF%`lruyj$tbMNbz
z9|nZa&rNcCwE2rkw#x4&lVxKh#K870{;f#fAlr%w!sn3iqegOsC_jIn0=T@^L5q>U
zScg-seK=H!{kyeJhH>^c-MhYv6UI#pV>2d<5%Xb1C9ct>W!F5RqVhztao2fAG&>7g
zOWx@9WfQx+`QNGS>+(M*$ZIbn+N`4J*ACyXi$tv`QZw#K9iHcSaj<k==F7`Sew(Sj
zxo!zfI<+Y0&eu!4m)5Z7k+o!PH=Zya`0j6o@AP5)p~riNiATm5AHJ}Crl0Y>NRsq}
zIk-)BLfwO!n;P9klRrxZ(xz=y`QekAUTpA99qaB!zA)<o8`Ach<?nJV4Y^ClE`56I
zGQ?@0{;^4a0$*3Xro%Wm-@{azC~gm9->n5NDCrD>aT{!V_?=m0l)nT60zqIaXF5o`
zI9Eu36k!ytzK3PrI2lX@2RG_%r6r>$r1PwjA!*ZAUT(qSMGpF8WAV~KduVS)g(L!Z
z=<rX>r}FinSz7)3&ErW+@zmn(l3(xJ`IP)Fb{ku@beP>p@2A>o-5>dM&ctPP_RhH1
zq{v!kbJ}!#n!Xofrk)qmkK6#7@5AJTJB8pu)r3LNX{gd-1l#I<`>ARcgp^Lu+U2CU
zoBG0SahvK)n@}u=)J|#_y0<ru{q}5lY72Fm^Vfl}Wq2bu^Qy!3?l?#SxtC{M+U`-8
z<pWR6*))^}wSP9^-QDIY#Gs6Ls$O?r_wS;@>WX|D*LOno_G$+9cC53}*hc;Jk88#C
zuW#i?UKyE=f|(A*L1#tg;nOLQ;j0Y={H4NH#+Yx@@|o)&yOf&ZGbLdSeY=NApw}L7
z-e#=TPt07lml9>djL6p2s4-GnwU?sgG!jnMaRd8jz}Gw2Gk+fWWHXE**Hp%QZ>+Ip
zN+MXtemtqmRLWV$7iBCeJ;L;arI8*t3Pc=5+gm5>O$@Q3gww+wBJ$B{4te}JF4-<k
zxANU>Cv~zl5x#4oG3yl#G$uo_)^wX(y)6sDQWd3H4DHMMm=Re?&VS}0xl*(pYxX&X
z`WaZrO>dD)^Hj61Hrw!b*OZ@A6SI+NO3TT^&H3kxi8^Cg+{-3HK)V#d053>TuUYZi
zjN}>-F3h?MQ(TrMjoBLHjSVWLW)m(^^)vG-Xz8Y;7_ZCWA5GL-vkM<P*vRkXk90AS
zYX+ap3;m{#zP1+^jKEbn%dg}|GPZpYPRKYW1+yJJc}*{#W(?}Hm-Xmo@#hQ99*5kU
zX@go-)ia$|WZy*WC^btA?y_eiGL<!FN_U^*cn1AjkBXOCdiH)HU2yPhP;1t8Vp_{u
z>7>zI!wUq)UD<>@fs5#iMBTxGEHX-GWUc9JFh(Hex}3C?^!fok%m+-2ok2Q2_@wR-
zzOJ6-WKogW&9f%3hKvd@M)_pgSFj;?$}&`JV^&QdeB?c0HW;Qam@ig33fG4$p@P;z
z(nz%uEptE6eD4p0y-H$pNZQZ;$wi!bxh(;A2nIniuxkyiR-j&pj7>30m=}1I5s>9P
z_0?tkX5kx>f#pL1JzImYo2id5Mu+3UtJl_)L$9`?nr_wwZF5k7hv8S%kjkItzu8JM
zr)xl0v2i4vsVG*ovvRzMA8=P~k&0AJq`x!HL!5S!GCZe8xZQPaI_}U}@O5$9nu-Zu
zfiu-R{$CM&TSEsl4Dih%cFt|Z+h?EnHqCo}|0JR@v*pwsEWIIgu@2f_2kTNa`qSbG
zxO7rnDYNuK^`Q2u)lP8L<PtG!dA7TvKGu|{lz5w{jqq5<IjQiQ!>VAIs+eVqEP`BM
zCdeLkTObKCd;HVSD!$ErDxm0XfL{NE!Su<O<woct*hwjMO$D)Z?!yEr6KoBJ$)W^<
zDb}td7WU9d1f$}Zu$S6hR7Ynr^B5$rWHRR;I(T5VY?zIi;IuhTmbbQr2Up$xXQozl
zrbEOe-OuSftl)8UM?BD2zjp;UZLPm9?~$+FC+e(mqVmxkna=4xYgi*1Fjo1>m|L#y
z&3WC2#lH3&xVdIfkz7O<+F2;XUeIeL<I5|@PM#$=&-@-_F@wD0h;&m{-20)bW5$|U
z=xNf9m8517zjh0^qqPdI<=NeiU|ee%-oAB2|J$#I=7P?pUyQ6RgEzgJA0&Cx=MADX
zD>EJUoT>y&g3Wab_*?X{QID)^mve~|_U9)-?COWkJmeY$e6Lg00Hs;o00DeGrk;7z
zFdO95xSYwQi}o%T9gG1Vk+y$8O2~5K6&3ZP3Dz??i$NOeJxZ?riAVBkduHyER&?|6
zHQAfsGSo<2yh6^P#~Q{EosDdJfmgP2BDbvVYIGM9?z9f|y4@8U8!CV5#eu&$>i=no
zjktqkt^=1K+}0A-6xkhK&D?*QBaIrd%^Cd$ZnHXS7>uz1ndJOYZ-oQ5zz+BCdjx_!
za-s68c^^<SMmY^IpPNdjN2o`5-_4r>W51ZWhW8PhI?GlK<i6srLv&$jh^fM){GZcj
zJOq+u{NHE?&b-ghh3oIiXn)=^eds{HK_Bks$~>AlIw2c6`+~HPZzNmlEI9D7J;Jfy
z_Myoi51nV<UhU1O34dDlQ(bv~`~qF;jWs#8NH15gf?%=yzP^0tawzeJ>XKcDo3imL
zZ5vU>SP@m9tfbW}C8>GFKg^%!YR8)k20v%$qvf7kBZlvW*7x-+jW&q)73D^M&N+JY
z=D7l`NtR|`nZ3!37NSrLku4wmHuuvHof$1<L%q3dC0o4Y9w{_4KvjS7ol7=kR!{YY
z3CP>s&_%MUBETSB;ofqiCe_Dkfd^jg&i<+E3e%k<(Fax$LorBxlNmElo$}W<I_A;d
zWR+=^pt1_2wz+M=o@6T}U^OA60%0HeHo~G)i`S9y=9z{^X?m!al>cBhKTxXOXTu^#
zkD6=*Qu@^jP)7Z+xrW8Z*^;duEqmg72)=wP(`**goH0~jZNcsoakm83=LdcAzIUBC
ziV*|`8P^V@qdNchoS8nH9MNuEqOtG@u(Affdze!3d65lnbh^0YVsTfh+@|5ZBd7Q$
zpCqTzAG5`>-s4)_vW^$yG7=5PF#UzEeq9uiFc*1c@1Kv=IHMD_CC07l{fb~@>(Q0_
z2lthi4MB+J$CWflQhU9_71#5{RBK89s4(~}*r6oHNa=R#lYHX{+tZ>&#8*LY&&?N0
z)mrDyc7SzLMk>#lIR9u=`DoPmZqlnPFRQuK<$?Lx0SOzeLv02Z*Sk{s=}+9na|~-%
zQr;Zya*FGs0kgMSv1)mG(SSnOgz3y@a8bJFuhvat!K_!NQqr=$t3%%(3J|%u$$z-r
z#{Of90raq)4_77}heMe7AISW{IXdal93!yY0z2)l4eREgu62kmET0J&IiZQR;u(BF
zA3nx4O-qr{{_mZhk`HPqMt`kj)@)hi3?-Xk%K4{(qV%cpm!2l;`A;n1|GPS0PcJ0@
zZHIu`vzZ33X!cQMF#xzWl%krWaXx(-kj^PC7u?PLJH1Pr{;z`Q&3F(Yn5@T_=>~+4
zOV3qC{+6nvdZA`wskx&0x88WW?(Y;HxW+=gaB1tD=B;!k1rz`jJ0PDi^w_)7{0N2D
zNA*Ylo$x<%{T~{p)B;=7BWZu{3M#<3&##L!v3s2M-JzZbQ##Avif7mO-*O!APK7?)
zzT+li?u)erD;nT)3N}joT0$|?mEH7dZfSvkiFd{SLq+WlH@u|LGv3)m3)~kUW3s%@
zZ^EO#B2#zgh1$O~SChY$6hM9F3J_0~b2}oj_%)abcxM6Useh*emkaNAa&`L=`Y+uD
z{y%hFUK+J$^w&-3Fx<eEIz4%J!C*ZPAbn_j^4;OTRA0S+WynC!Ye0cE^vi{ZaOS}~
zfVykC=aj}y+W%?5`(0gGMk}l*YCVoTr(2t&_5>7Oh;co5NVD+r4*I=Xn57Au#U8F9
zXRHIIE4)rDe@wszK5h;!b>kt%7@CDeBr3j6F-eMPw%Vn6DL%eITpoAddxolx`qW0V
zkm>j{c}{GoQS9CB83!lOUB#DO0Zj{dc=f_pj3{NfrhIgD&G_Ri*mQdNYOg0n%S)QN
zw@OzvcJ!*`LFxzgTey4r)ivMna3WhA!p+3mtokTH;=+%7$H^-Bz6TyKigD=I=d$e9
zfu-uKS6gAt{cN&+fpcq(!EcFkVRr*X2vu1F&8EgP4As~cX3@Alw$5={;y2>l#`eDC
zM|HdF{w~k!O!*L(gH_=q?)zs<EDNdkz3P~L(%7#d)QZ2NS$kTZnj>rdMcQR}UirDm
zf5+w7<oskYluL0d`p<YfUe`@A>D~-m?ZMdOLIs!$dWjiv%U2%+0~?~_+Q3FQ&<HIO
zM6~Heg!#<#dTkuc7QeLlyqkHem||epH52t1<rDAXxrq9NKFEeloH!8gCltE-Wz#R)
zU*ZCAQ|DIYlM{GM@PIMulxKQBx41lMfc;>*ZdW}~bHuN+8=XeI@Hos#?hJO=a|a(Y
z?f87Y>*R$04*S2&2WSXpNHy;E3@h@8u1L1MoodmtLrWBp&3syB<tBzdOZAt-0R~wR
zmT*<-G}3uT?(?QV=BwQpK!Gd>1h~3WZ3VM{?qY%?I3oEZ;2R7Qdsh4mXF5Fh?jQXI
z#Ry(J)8TJ#D-<VsfAmg0pzs8p&U9C)HiNHMhre#_(tlk0i>oWm<LaO$dYH05UiU0`
z#YmqB<<5~wpRQfkpox0>R``rT25<n%XwUNkscM~WL(UK)G#?*%9I%cOS($gw>Fxsx
z7pAnWkzy<pibq7>HRB4goYwCj8=`#6a&o0#*Edd%X*$>#O2~*CMv<7q(_KCz)SgeU
zOYA^$yPMDUef0F6nK_RR@?y;WqzF76e90)}yU~5x3l<&HUu|*4WX{}`uwPRgpShp1
zEWP+?peaoCZSwMO-#V5b9&7%~9z|hyJx$c66<WlP4)XczH671~6EDd6;mkprm>)<r
z;x614)RJxGXyKVh*RhD40(GJ4CM6le)aNSZx%AN-gJf-l+f|A?-pJsa)su@V&j>Vx
z(;dJMFSP}4GRkZ?4DJ?2^Q{T_eDl==`ky^$)H|RJTe?iOfk33U*|%0OY@&9&oD}Q=
zY(#xw+30AC+kD7?@papy`0;jzkA6LDIXpZ5*AO(I1W1aIrY6R)iSrA2u8s5C&H{0v
zF@CKv-ptVa`?#ClagOYP#gjExWc~6jv#R68o;XP$9;0mH2J^Q*gk8N<5-PCcOAMJL
zOu4j*TMJozIO$vmZB-tfmR%?TCw>|6bCz#M6_fVgC{{3OzA4L5-sIVVED)DZ#sgl&
zuba7by-<^z|92d<o2h9?N%>Hb$7~HT$=I{jIymZCG}OHJHv5W(9sju&PqL#e{><Q8
zz$~KO)@bC6+hrKEHA<wN950f37F0-|Q|ZSXzU)+2#&-~<X?OXz@2aR;s;M!X8(;R#
z1{0;KS>_mr3xb;VhvsEVj44TieAITT8xCu69**bzT2f-sbq=95*ZqX7X7yOmTb^$S
zpA12^(u|LWiiP#SXBb<of~|_@JzaUG`o3VyXfMHoA$Fxv^v^SFjvi^ec{GFEb4xX9
zD9(w^lvuQPT_r#}33h)B3FeGFY8LH$FP7gBJI_UU)DvqqG(zV9@_`C?H$5WPLQD3}
z`8SCn8X9U?6cbdRPy%+6KCS%K1F19G&$Ao1`Iu#1yvv<0;-reQxOe8kBG1weZ6lK9
zGNefU%d#A|F3{hI-}e7(`+CinthDx=sE=6xvP~9iAFCry;2)3e=R(VSm7?1B>+skG
zIfC0mGW0%&iRI1MF!4qj<1DD^ZC1{+N9`MU*UOi$M)pmi-nHELW!^23Z`;@F?>aHo
z1oakpSXne_X?-&tB~ps7Px*B^=m!(%#Xq{N5;gs_{`F-2+KCmq$-*+76fN~tmRIL$
zfo?MvV}@Bnk%*2;fq8Fh;(`R$(D#<^Om)sDDD1P69^|F}8^qm3MJHpn8h*-1j{GVp
zxJqE+Rk+_AfGg;VR%6ZSHt5gilx)8%z{q{CIS_TJA^%}8P-ZCoHI5y~cx7+Y2LCQ4
z`ST!R!W3{XN%&3g+58wuEp$hHvdgN;iuOz1Tlz#?xM@7&q|PxUax^BHld6(mJ!WWd
z>j&%f8=grE_0MJbQAT?MYq3S<GHzkPnwAV%+*g@t4_1;t)6qe0Us<_47>l)vPI1Ap
zy9$lf*Il@4JoAKQEsftyf%H=F&2Zm(PP*_J4>7&&P2@@Px=zZ-%y*yG%Y#)`H>ZOq
zk1|a`BQek`2q*Cl<0JQR{CV7z$v3|)xt|)(?%funPcS<VtM_^s?PVOxv;6SNZxMlG
z>-LcfS|(B)xP9jSH4~n3uEV)Lbf0Ux$x(rYT1$VJbrGsywgRif_(965ltdJ&5XXJ=
zvGR(-(;@KTFJ$Wcs}If%sUYZ<xo>}vioAQ3Fh<>GHaSv^$~+LG7RDhTBP<ibA3_s~
zb}yE<%~<@guWSMWxi-H+^DX9^&P>lF=jP2eG`($Qs>A8e=m*SDrc&zY_>zW20+g>D
zpFwR$KI&K}jU6Q<_wW6OT1_3awj0(4MNU@CU3q289LgnbZZOnNs;7T>2=*AD+BR6Y
zS?)VikC*e*`EVi>{<=K_{wTO>FY%?JnNk8U`P%BinJ(Y22pwSK(j7|5hYL#^jCQe&
zNoJ<H4W9ihcjkTk!jMHpRE9_!6^=gWU_}mb6K1i#Th9#vilV(B!v$!9Q>cv|W?a@4
zRom|=v_8wNK_7OSdzf2aPjkkkxv2ZsDqWO6A^3ZT&=ibtAzy0v=q#AXq}gG=Y1rwe
zx6URKtRFIh@JB$u5KfAtE#lSkLQ{*@i-H8+@1^Qd2v-k$-aQ~f*Y%wpJ%^rr(Q>^?
z*E!UHANaJgVX-wwORDZ}7(*C~HvLmg2USw>5+1&&oTXSnNAW&k;AzE!Fp7%j(p+rk
zy8fbyX3Tro=~uAoEvk3L?WL%!OibgwB{QAma}|X);A&6!k`X4D&#PKf>nYkp{M%7h
zakke3sK6h%OVoCCLyZky^kVtPIp@=mk|wYRwG^Jgv2X8l;xH3TSa-(EUIKV3?u^w5
zwsR5GawkPc{zE+K^MYen-xp>VW+?~8RyNofNY#0uKUg%Z>v<^q6+Gcs|9TwEz-hT`
z^T}f-pJli|4VZFkef*0pWs|D1*y<{^UDz3Kk<Yq7+5E9w<l{Ac%zgRZ>rG5H39u-d
zQc{yqmTNZVwuYG<vI>#-GEyaQ5$p=%T(`{0FvFN`-mI<A2^X9;-WY4P9=G=)(1;({
zlUnX~p7GM14If*ZewR*)oR@>I>)IN6gdpmPLbE5GVLbKMXC8?c?l}-^=I2M+MAwY>
zk+&%%PVP?sBQHngl~Vamrp}0Ks1dI}bbsAw77FrCJ@+Bbdr8Ge&*L5QIQ|*g!aI3)
zwJ_BB9?8IIt?oHV?X4&<*(M_tHgqG2!i=t4fE=??uYJYSNzIVCo?w5baNKflUAgrT
z{EA*yp-q>sqDi}CV!_{TA~SjzBMAi5C$-u%s@WXX^-ZmpgbA6C7R>qWDKch@CO~m&
zn89_k_WCB4G-|ssv~Gy?ZuJYPf2SW)DPp39rf5hiEenr+mrh(^{2b{Kg$X)OW<H0s
z>W8e&!79_xN3T1tvd>q65kAT#Z-eM=BU0D8RWr8E>0*FJiG=Vy=5U;jdd6Oky9*l-
z?diR1n2<5m$un#tk9@Lo!{4CBTd~dD(+lJqG<zZKl^XGTE0*^jL*LcN@MFc<djXcn
zJ|qowoq=nbAhz>WzQCDO#r>sBF7dSCgxp*iB15akbC&Qq+(Ie>Fe5y13LA$m-Rc5O
z;It1bw$@U69Ffm5+#%lfu+7cJ;__%FlD?<Wy`~Wyhl;|zZ0)8)TwR=&blqJgZz~;E
zQi&<(NxMwzq$$Fh;stHlBtFqTg|<K@G)vsFlC(8T$&b64fo4wU57)SX^_MxbQ7z2*
zv>o3sh#jItbffDXV@QLKi_vk%=3ZP<hCkt`{lc2Jfz94w{Fj#Ib)-L25QZ0(lWQ9*
z{qS~K3X3>uQl_rPbf$0(Y4l%c$&m9Z^iecfZH-qg)<3EsbVheMpL{8(MUVjf4D<We
zAxsx`4>5#ejgpFU6m02z11PwC5iB9^H4h)Xigd_P1{DJTq7*u5rDxl!Xge1DzvP%>
zzut)->Uk$Yb$cnJ|G5@CVAov21QW}Hb{+1Lug?(9`KIqtsuyr@?+&`rQ%p$B`la<&
z=nozOyiz@iCf+X2Yl9BNGt(iY@a~9#jwL{S!I`C;8Nx^OSj*Ax%vT#a_&H%XoBKes
zV4ndVE&tcQW@4&p``C<zN-0x=u&vBlMO76EfnHfDtBn})9ntSojhz^G{)sFbTN*6y
z%E0+iS`Ujpr5L@YQSG>p!?dm?(iNq~tJ-p(-Gt}!$JGXloH$b8fJI^KgnTQh_?Ez|
z<0|qI3RU5-6bRqrD?&ZUxw)R_`FcH9jqmCcJ&!Cs>9;0F^=V$jL%LUF6thv*;(KmJ
zisL}%r0#UYx$%iFEIZ8JqvUZ5Y7=<6rnnb$=Gfs$F(Y((sLis|$UUhu9l8GFVb0{v
zanQ99IG5GNnrP2EX55XztWh;R5at)eulA+P3)B&G6`TxAjqhnHPaRbu#4-CC&!TVg
z=CJkrn<KtcNoNIW9CGN;$8Ltj&{N4Jwv<7tN+rWdbC!^$bK#d0B%TgwSEEn+MumYC
z`AQ-Xjg>E0j&pCjEUc(06w)Nr&*%x7kS|_;-6Dt&hSp}B<Q{fr9QpELj$m0BD}i#H
ztI&0C7P?D=xOES~nfnq6yjqvOFpjC1C)im}fb*kMnD_*mp<&p?M1F3mFx3z~Ow&^R
zd(4weOYsfqZ8o6KHy3BI3~m%~o@rRec@Eu2bJ!f|%8fD2yZ}dD{spghNlucv^-jJ{
z6JyKJp2irZ(Wkw-Al7}9>X4SRb@k8q<yws>#;Bh{?cw;F2xzZE7FFdFwVTI$t}Xnv
zculg`%M(@4kA(udHM~dMZj30_v7>6?`~G64G@6<)dF#NdwWHKUW|PlcRfpDZo4X6K
z`^KpET6>ucUz-2^5Ve1w;y;$%<gDU`_8se@==VFkI_JZeA!~ATMCpcDM){;UM=`!>
zeSQR_LJw9$a5Gaq)gw1M(KQSjb+)we1MBNC{vV_vJRc_w+5an3e3k_U{X)Nt3Mad-
zdRGW?tcg0)+}HV+TH);6a$=}jYzJ#EgrffzTnu=}mfj|vr4*t42c`ZOIpQ-lwO#n_
ze`zDKvc$_k?E4>4BmF&&f9oD!S%sc33E3r4{lD#@n398agJN~kNkOwA(rJGwGsw-~
zOHn2qC(@MCwEys#|367Z%-2{S!sAuYe^pHU`)$E6ML393==VRC@c!4pCCc`df%I&>
z#2&qF`v2^VdHJtBKF&%FzOdKfe{KG?`%2Sa1%tq6#lK1d|NhAW7quN_EnGGlxRjWS
zT)9#{(-P~8srW1>FaURg7{HI_FW)^4^7uqE6aq)Ra8>rJe^PH%*0uhzKHb$EQEpiF
z^g}YSSE(1$#B5<Pvw$<3k(s#sci+I3pBDh9cPrN=M}iMiM}xIf=`q~adYJyk2uRtQ
z(=6>*ucJNO_rn{@%N(-)YknW4gmN4QGq3-~a5Zl2Bqm<}?g4zRF{_{pN2=S_2m+p&
zi6f^pFS}|HD^~_?nd@42_ZM)g`eMDj;y%fIWXWIp$W)l4Cj0gT(<Vp&?X%R8-RQ}L
z&RoA)`>t|nO)UQDPfk^Eao=jwbDkFQdAN&h@xpoU^;eoRT&R(4yhmPAvwLomQupR#
zw^rNM=9uc&lygzEIZ*pk^8IsZ|MPSTQ$dCpc3Ulsn6rixm-TNsl*LouTw(~@T3bEB
zhv!1OnJ2Q`qV8TqbB*Hw^Vtr_h5o*&#Or-=Gr)bP#&b-?iDhl|o^!MoZ7pw8#O(_N
zbyFp{4w`?~zvZm?rmM+WrL9{O@j;BUaU+T;qZmmF_ksCyxB)8Q5$=ylfx`O2&vi9!
za7l3PtlW=vzL;TsF|qGFr!jLzo%)ZAng~aU;?Ihu`<M2)Vqcu?NS}m5uOUzI^IV@C
z+)AAF?h2EeyUvjM^2w{+`+IOaTK-LZa1b>gSxe0UB$HE}ZTZlAD0SLGtYD)MGd42d
zI4Z>wSBO7d*CdV1wSGnJHwZ}9f1CO3k+GNV{{4zPKjP`=zU7nA<<`>GEX6um=fiHo
zGhSLtq&WRBNM|#zjBAp6omcW0_b=V|?-9J&XEB_<EAc5Kb>3i3^axpNIhOu0+3Kzn
zdye6pNC-~@)pqPM+*13S1?%2mw)L$qb|+%xHmwF}@?L_}c0bIjtXOpA5T7oW#ulw~
zP(ABO;gE&9UnHi3(je?C><59_-F+qdbZh>ymp`YzILjXysZFu2$08CE@Fwt2tK6cZ
z`?tizJ}cg>!Sq+P4gGW%xm7tJvT!P7NHvhAm=wjtb1&(pVeVOmhg$UJCP@cZ#3liS
z!0(w6{I=Qtp<@`aPuSSW;mnDUxFdq7Ih8lOu2>*u?esVc*|2hjBh@3%Da0TTJwF!@
z4KnmnB8@yqo_o&f(E7+xxUOfx6yn*W8?bxUj{x&sr3>8qjGiU(tBwhwruXhmn`Dtj
zI=<hQ=NA{n7M6=(ajz_<eHTPa`Uto{9p}*!&153M)jn$}@;^>}tN~<xpDZi>>@wzP
zY%|Y3-GE5pmkfzA5LHU}Xb#%P%}B27`bu;!%cI=$MLDeu3pulNtwlnb>goL1+<<<e
za7@4O`8eL`wlH~$(WdnFnVNXu?y?^5++X+>n;J8ul9LKn3=09UH&WIYyAt0M9uM}(
z+UpDISEOls{Gl|$$0qRUMi-(09BnJOg;zoNKhycxhJ07Dx0y$#Q<L*#;r??9z$@$)
z=m`$OTp&7_^punm=0^5>-_C#@!Q{X^$*P0-y}b`DY%D~mzv^eykDicYaP1VPr8wqv
zbNRrxaCxl1fTzgWqt2%tdQB7<td%1Q8IfUL{^3yrR`=xF<szVAUN=ee`E1xCr$2<(
z4;>a4P)-LK6JIO}zZv&J9Hsb(FIdCype5{7GrBOthEGq^NsQx2dP30r?K4jmi>ISQ
z7UhMW49vsv3GK}Hnzjv1Oa<U&g@4COisP%3)dAkxR!5dr*;DZ~WS)TdypgL|(nFQe
z&msHSemgyd!#>@7hU+M=yzbtQW5U{);d}?fSe=Xfu;cCLim6LG8Ez%3)n`$oJ=#tt
znBMH~IE~}yOyPxwIS*8*(`fA4T&y0;<|qYjKE%zm8!88Ga!}n)xVQoYp(?_jt4U&f
zi9Sh}uW(W<f9{W?vB<EB0v<JFk_69q@}NKfM^+a2T$T*xxl*7H+e;WG7{k<>SRoKV
zr*CmbGos_tImRC5a7Dt=N`}{}+XSi}(RMQZ1+<K}9fP%>Uy{y&l8WgW8r*+Uin!})
zd#4>eJ^4Lmf8?-m@AD-D(JW{Q*dCTVk%b&z`&jitm80UP(`=wDrAL_peR7f8DVGqe
zlxF<dS6(D3@+DzCnlvVrU|6uh$soKQxy+gHzFj=!(H=!<8BYSQ7TsKVqoeMm+I;QO
ziAY)SPs4$Hd;WC2cIX0)n*hx!`91innhBBY!3bU&sZKmWOh6zF-k>LE*Ej)zD!pR$
zzslnOjKoAbD(~Tyu$k5BbMhlklDrC5b}dHJ?ljfb1PJia^Gc@}*8lny>4y&69~*-1
z$smt+M4gwumlN*)G$CN}WU!0XH(kcyBFJBVh<@{xkPqCXo_=hi%_Z3wWgw>XTIuQD
zZBJ7!diPuwuO4_=S=l?2d2@HM40j&2mI<STjSZ94tVk@|$@q0(1%UnjAvF#kP#$ma
zf>AESSe$8>23G#^n<h$y)OXz4)8+cyr{y**Jk|zB>w>o#%0B9Ol@cr8O6VKB@t8Ip
zdL^=MQGVnzGsCY_aKvM<+USO|*-j2$?lT>xcmjjObB1uxCz%ji0}Nx^t3iH$;jAne
zYnJNrMWv9bWk1Ju-LofIn5;WB=dzSZ=aJ9@KH0DV-facvF**O(dF8Hca;E{b>0P~$
z`e0Dcc@@VYVfIe`gaZNxC$u0U@|67W`1hf-*lbI%OjzjZJ7QQ{M(@+IPnTsjZu(tY
zBUe%UkgagYV0v3zQZ)ZuQsG!_B!^Eco5H^WpFi&O_`W0mhrUI;A^s>lKG<E_p|w)%
z(s9Y6WWt8Eo{oIR-P5BfEv3cu7{3u76YO;0E|#?KIC9-<;1j4mO{-f)A*DL!BM<ZI
z9EUyU1$+L%g3}{YTUP2_wO}+{>H0^h{y3d2)?p7v)aa!896wdue}dnd<rkWT);rP8
zTbac1LOV8Mdg}*>C4|GhAUmaE3}v!dVqM|C@?;}V?Ql}*srjU6qrv{MKBfE(GHso8
zJo1hgu$A4TCE>m%VGm*oM+Rgz;qN)vT)tII)b4jcmy~*BUB}Ikd(-Qy$GeiBT3U*K
zy&pOi4taI**pFNF@m}MBO7M;>1Y3}b9gs&~On9{dH1@m_#U^MMjvjrOdpq;wYyi7a
zpGh^}OUWU(qaCvnMqXwKLnytd=IVy+N$kBRQTuiIpE$A-$+{#=k$(Kn$Qz<Ta02HI
zg@c%7I8Xb&DO32eQ0`5`Y;MRIS-N%=Lp5s1a_^n-Qd0r$+jbYkEjbTYg057)ULnHz
zSP%XPX2XoaX`arUO}!}^@#LqVpO?rK`w2+*ObMs)sr+*mM;!4gUFFr!IP+`qCZWt_
z1+xuoYzp$9fi#`>yGhhRpA|uWWTNG>ehgntS<lt=0V#R>(Ds9j9Qu9d?Q6W@clZNN
z$eCRkcj~m`wv|h_;A%5$Fla<sIDW_orpmgrAq}aiR2858g^yw61xjCfU8zi-S5{RP
z6s&B+1zmSlj?*8dUib+v!@FvlU1B`n&UrWYw9<R&-U(=vx3;2{Tx;LWY*A@P#W5hh
zM~1D&+@Qoii@T!<l9KIj;F1<@v#@Iq7{X=BC}BtU6x}L$Wxg-Oq*QS4hb=Sg@coeF
z+9F<BY3=7llKC#yZ@!Ohbu+NrsE-9cOc%`H;y&__8x+XFl!;8U;kzAI;dSQ~lsv9Q
znjh1?O5j*TjE73`?dDiXT|9uBM!(r-0`uwl>t3@@<IxxGE2U7}QKj|JGpg+=ZC>OS
zB<AVbqsAPOy%UrHcq#3_FcGF31hhDysE`GHp~#k9Ut~+jS?kI2R}xiLvvscqU2D`M
zI!H>qCpOcbRMxCwFqg{Xvv|ou(dnT=edQ$3=ojX2L?N2}GzQwVuuqujxj9lSB$+4A
zRhJ(*lQJ?-E@pZOI`)2Z=`e(HhsT@BRDt|`J98PO+*NkSrwys?bPNl>N<=oEB(0h{
zmN<V4mTDlb7;Rt{baAfgSZ%Gb`X*6==f$iV+udSLWQj55_LLuJ_k<2P3qJid8DQm8
z;BxPTEDRcRX|4}{U|sc`gM&-*Lc63zE#*d$S*R<}pA&r2@$&Vz`wM@PbDVC#qcuir
zzCIInK<B(({=~?&Y#=S>f)Z7J4vz*9x&S0RE#=G~#0+NXm=qdtISz^yH2{rZA6q4d
zgR_1X*q?sW7yDKjuseeCV|_BykG|~@Ya8lQQrv|L<G;0HSIz~FxtK_NGVvWOobf%?
z&hG=q&5Wmindlukh1+K^Up$TGtaC5B0H6@RX*)_+V<p=@wTA4E^4IH33vE2bF`pj)
zPBOH9_Uyrfm?@j!V8ss~KA59%u`U}^Rg=eGRh|g70YMy!{Lx|>!v|j;jcvzO#Y;L(
zYAl@yJ@5oFXYCDMWRO_BPBEtyX7!Fd6q1$-4MrXL^)HRxe|zj7*<L^)c2eYpo^(I+
zSSne+73t|GM^!<FJE^u|nzqOLZlskN{OS+ZYBiX?Tj}0N82;@iwAu$v9n~J8m#-J`
zGIx2YLDK2*t<CvU`=fWB<VnDlZu}v&5chlHq0;nDQp4ofS?l^?B86M8w9OQ`<aqe`
zCy0=`EO}N5%o(c%!V|TjsMLTwo~4NYH6)fd)A(89rI8SI4r}Gw>D&jY=hvj%O5L*B
z!1bdXsv=g)h*eu{81Cu4jKJ$K0zlWHuLT_IkQ}i1)v4?4g=kK4x&b$s>Q0ugJd>?z
zXQNH^51`RyEJI`Wr1e-zsbb+8681AcH<(X3Ag>vH!euS9<4D>aufZN9wh#Nn8h!?`
zXWvWJYtPQknh|;YlxymCn&);<f3+$}?%3Jc->(8GW_dZ6hkhgXRZ8Ko<f&o`=dA?r
z-uXbBe-Ht&f6G=;$t>PjF7n%A2Wq~3R&ohBe&_i8@vPrcc;NT9=2yL!I#M+kgiYY)
zIZlrZ2CscoZT?}DqH}K7P|<7nQ^N7t4%U0Ey(0~aI@h8#&BD@^G#Xsz)giB6Pki8g
z)hqqJ>k+e!P~6Uw*XAaTCA4kNPjkr@weRF><8^?t$u589T5q##P?#-*4>uGO^3|`}
z=b#yk;opWSEkNZxrWr+Ur3u|Topb_biyK+8WDi1>g7<#<`L;Ps9r_K1i()%t28!+G
zR7&Q(P;T2P90bQ_%1RDXk$$6@HQ3CNR1-uZi}j2QMVz7&=^i0>N42BIcYMEATBV3j
zf(PyO>1f;WoOOj`AMp3P>%UfKINQZr-)P3NjrZFtU$CyGPI&d|XRYt@!;<3Ss<sTL
z?g-82%3{YK)yNw%>&>A^B3bnZ>11<#xY<xZB)g%b@zm@aH(;2iq{}N1oxAzIk~duB
z*)4%s1%Bl-OwqX`30@n7rtf5(#4^CF-laN0(a2*>r-cl&9k|P_>ZVBE+YBJI>VRM2
zkNu<DuL95jR<iAGI^p?gDC?H*YI6<g3Wpe4J$P5N$aRRyXE2^u@j3Z8CBUq2(_Q%^
z^mxn6=|Gfv;d(MzODYWC=|jk9p08PZB(nCr#6Itmri~;e&q+)9K<I0bAGQU}-W?MG
z6|5Py=bl2r5tOhl?lF7HQP+#etwGOdfgr(rclcV8sBJ@a(LQ-RUH{YYjj0zbLq3d5
z@XkXY<Gi17;VH1ju)d5q=$O8Tg3yQeL3O%Q_zl}_Ak^gg11-{SZ4LH&ap368?tJ0d
znbb!EFMm%)Yi6F1LF`mpe**f))A3QR)s17_)t>7^(JR|WFnr?@GlckB9!t91Feb2)
zeXn~!IYuH4e7&`*(Yh!zhS7cE0;+2EHno|+`_iZ%z9GDxKRV=USrRTx4c)S54s&?N
zqX^VvusLks@cIo7eGi2}uzGrQP=q9i7Fp>n!NjLz)q*xnS<>0{z1<C3Zs~lD1A;nV
zX-_uATEQ--ef;uZjNVR}{mB<QaV_Svl@HBahh(BVp!Y79KJ%yrrU*Z^Si<#Z%0J4-
ztOW5E9+zb|JORgA`zH(feqPd*KQ=Rl&ej}*uKZ{-MN@g>6FdDz!g;JJF7L2Fr11{Z
z^<E9POv4s{ILr4sH}{kiPO1+Wm3$5qpFgf_Q)N>H>bvHXu*=jTGZjOf-l?yr)a}^f
z+D@m2Nx#6UBe@Gx>=Kd?{5kGh?Q}#Bx~^x+T2E1(^b0}Plz|naTuPRa{>x;M4VzTi
z)tO@(dT7ha2|Yw3R(C03yQIXU7TR^M#HwBG#cN`4|CA4w6%Z9H(x=VsydZo3%%{#A
zXo92%&B8T)@QpJaG7l$5$++$@7Ccs8M^z@F+Q!V25vC0sGlEWnX<Ox9Fb|j+KWGJW
zjp97IM+y*z@EZujd>(YRx>uNNG-t)U$QONn*4bcp)-3YQwO;7+3QAT9fw1yTxHFR%
z2Kn=tt+-71*uGsNe5|b&I6THMXK4ShJo?!{_=eJ1oe>JK>l4JwPoDCUc9bou$zamH
zjxu)26gAe~jbjz`7GwKMQ~NVdDe{Veo$<R3w3Wa(tapv-x+1egi<$+2O*Y1G;!Y~c
z39t%KAtN^^U|$Uy_SrqvgQfX!-$~ywg*Y1Ma<@TLJZ4QDW(}@VFe`dKXh|Ho_2tIZ
zg%7(86Pxh33CnMWiujk5yZ9*B7hw~&bVsDZN(+{?9f-7ByF-AQ8%`TF%RiR5sF){j
z$-`6@T>~FMN-r#TphP#~WJk@!Vt3wP^cce3+-M%#*xVf}#KexIS~hrc;hi_f3Uh)Q
zYAoVu6i<XPKI;8=s+FDNH(rY9Sf$Yk);;bo=3~y*tXs4+wkA_NKA)@1I1gEeu0GPg
z2lU^qyJ~U2l)o9$4{7q|n-law{yNR?*uyn{4aryBS~gndJ@CEIzv!iOrlZ--)p;pf
zBy}L9A$DtDy<=087f7&vuLIi%WX@_lcuZQ_s=<<f*;L@ty&Fs7D+kn?u5-AvG+6&;
z{Sp9d+!2wt@D`<cfmvPfz9J?F#2Z#qv$RR*J$rWR8hi5lJn3tU@$7YB+O{YA?N`~=
z{0`Vi2gA=6hZno9>J4Tk-?X8!n}(H967g<BDY}jrwYI9U(VKq@4B02Pl!9Aie7Y_y
zxK@CVyn5{-o=l{NIRMA)hI$3CmOHOb$WZ1x!TwjtTkp^LjoZtt7IibMuAcrLb{UG#
z3yk9WW4Alub+$D!+Y_H=r~{IoxP0=^@Wb#3i{2*?Xf_r3Hd}P<MTy(hOI<celn9tF
zFE?D1v_AqT+x~n|-c9&viXMsh5WPAHomu^iLXB19Y=<$nFfJ?ZFpd8v!s5bITjH&~
zs}D7S(3hrwN=RwYKEmdt8agRw%njH&F^0oT_jHt?*c@!c7n9Y`+nAAZ8GP=EXq3^<
zz4O!7miDtY)}dRS>d2km(pBVoMIn?-d#UffRZ5?=&$kb<-ajsUtPhY|_L9h(2$8$g
zr}Jg8#GX*W55x`)cBefIP<Ny2Alau<;53e%SvQ>%sA&yxbD>lS*SeT|2>L41uoO=9
z`fKw`{pIWYhkeVxZ`qk#PI`1pM4+MUY{yOw_s6I+G#0FHMTFcYh%Gb=KNj6asqM<M
z*Ye?fyU9znT~<dyEw8Mb<6DbOCGpbO2pVgCVzc++^X*0-e*ZzLH;m8;AWcBu#+K^#
z3^I^w`N{7wunhV$e=P0rFY!&lc_hUcQdcQX_L=%gh*m5dF3!(*)R1^m;d{fiQAB{q
zd;Z01s&Z_zF73Cgj4P)?Z#j9_XHs_cX8dS7<RkCV>(YlWCA9#J;k|X0!yN1%zkIpC
z%p}gsZxQs{c?yQj@M<e)=`ks43~KW^t@=Y17&PqJj>~%bf|9HBFobt`kiK!*j((5J
zaQ^i*M%H^leH;9mcnEeo=}(t&`B}YO8{GGlTk82WzT<-nPdsJ}WOjGU+dFBn`3X^@
zf9&|Kdv)BksP?<8pCctCOo3$;GHh<edOS~unS3xmPobYi3I}&0+RcZ=3pboNNB8-&
z^t#dLIH)fgP+F_PCQm$1?_v>1zaQA5{C>{@7IH}LaBINjJBG!suF~CX?6Tb>Jg0;|
ze)4KX_IRFCMNv|5MT{L|h<~}5WJP{E^OQl-B=mV<tr6Thx-C~C@(6pHZK;{HvRR0u
zYiE|&me<$*uO;46r1Bn;M((^8K|=1=bsbV7on-`ICJA!^x$y`yhD-8>@R6rQ0SV>z
z2Diuz<Y(K$e!qU#toBQ#4l`(b4Y!oXx(uCgpXb$^WeS5bZYg3iHJ!49IqSSm+p6A<
zw}t5##rN&5j<$xZbKZ~Ll2y2h;stadwqCqcm54wfI@ReRAT}|6=If9C&AAZc22a(Z
zPoIX(41NWk0V_%%+IXf|lvV0<enZZ7yw?~oqp@@3ezH-gl1^2L%w~j7s4G|{{OG1!
z_qM@bF`zrzhv`vdxPpmNR7`l_&hO%@KuSXB<U}Cl2K#+ZZX3DxC+TBv4FteaWdB*v
zYSyoc$JGUo-;x}Tm4}*Lzm)rZNgi80$TYzsXJ=f3n%egf>x(7aU)B<WCQ(ne0~Gq7
z^dal{7}J(jcIoZTbi^c<bqK+pzN9~FJKVEm_2Z{M<9rm)M==l1?F013j}|29gCZwk
z-o$&%I>D;SVwrm2bzy*C{yNAnba276x(kiuN2kf251)`zJ=pFZhjjq16Ki)Mn@yOn
zLnkz}7RzezR2xVPEhDdU-GB-bS3mPrIScFy#+Emr;hf^x`CPW4@0I-5v?vdFxbSj|
zf+xwz6qz;qBuBX+^W<djKItUvweaYlsWuL1jEIN&afjh^1V)Vv`vW2=1}KrAFOaQ)
zYDw2E;0YKuoeVasbC6e^ZGIOI_0Cg1=Af#?h3qqaZf{l881H$E(z;FCrUX6S1-li^
zWm=T{A^2keahwc2T!A1V9RVL(u`(nLp0oY=ul8Yk;yCi}j0@1htrZ$uql93(TkGj}
zzAJSz{8eKAC&(UrNCpm8vK@YrTTPjY0~CgYfKAm9QS0gQFHdY}J2FPE0}@9J<Xplv
z(pa_0>JWJ7a}8J`U)h&G?`3IJ?1ib?xuE1!1m#%~ZPC!98T5$i{;Zpr(4S9+&~9qp
zL}oliRIqoxE6%iC6H2$Hs-(BC(G-gC&!+ND?pDdruztYwSu>}unnc2~1G`6=4PI#d
zuIPl%0XQWykj~}42Q9M_@`)uS0o;8-Mgl$V=RNiFUp!d>6n5;h^>aO)(=XnS2DwpH
z)<ZR@?YeyLyovYY|3a)9vi-dK#P)z2UGKs5Az3W9rA1iQp;vah$cOlT2uUfE)h!h%
z@_%+ysSRyTXwFQ+2Id<Uh~Ajh5NDVfUfr?Ebue;6`u-{>G*=Z4;~lfLZZaw-*@%T^
zaJrj2&cX*dMqP6yB~j>}^>55UT~rlqxUKyBtRu<=1>Qep!j+-(k&!uJdy3+gZJGDt
z`1L8NbuJ4X^uBha_OGn=9E-k#Lhpm51^n^YmmKlqBD)wg5AS(~-5X=GO++>zAxmZK
z0-(da?RJPa{be=2i8d4vP`XBqenVC1A8HSW8v<qZ*zDF2?Z&>`+X-6(4Jkd9re`{6
zHh_btZu6T9E%RX{Gt}<g>6T!IIp4nWr!ySQGz(|yiv_j`r}dhc;mZTjl&e#QZ@5p+
zi>DX|>_%!#*63O-dQsl7X>|9-2E5*W;+vrRM!)cYlAB;d4*kaS53?z%B(>TK+8#?N
zRLheSFvr;yQ2?06cCIu4=uhxJ`NNj94z{Soft3nPIminGM8fwn?vk=YMB0$$0<LWK
z|Do$UfTCQsZa;Do6cG?fDhdh+N@hqZA|hFGMv)vP#{ng&2#87sNfIRI%nXWx<ealO
zWEjE#!!W?>Ip^H}zxTfPs5)iUu?lCpckkYNt+iJlld0-^B#;ZpJPM8r;6EcM^`NA?
zFoV0PMsuWd?VU%|-*hS=D!2G-iMCM3`O6*OhUu0(cIbixR}ANQ1C?fZ>+_Y9$eJyA
z`qMhpG8p1h9|k6Rai_{GoUfNe3)tOhU}SVMeB^g9dZ~t!4}O*(NkVA8-*sjuJJlO}
zTG+`!#kgopXj8fEL8BtS^+F0JxRS;Fu_0JCUkVpb?^K(NJ0C6IarwnMzA675)8DcG
z(|W1?S<?+PW0azaQ#}B6E;wT5!{xzmycaBc9#z|DTX&7Px2(tI39XAN7kuNrwx8Zs
ze!GY))}WBnSG&APt+FrSjZkY$Q;%bNOr5K#%@<HH@1L4J-Inw&EdPuXTi4JVFPWDv
zOfqsvtI>c8hXf<<o6`mQ3<**o*zg^iNVb!QAJWV&&nTIg5p5xkDQ;Nroq;)z4ZBZ;
z3@(pWsC}7LlYIj}=>O{OfYb_^rIm_>OQ8fYYl%DqFS69LcEe5N>+G%GdZ-c*Ae}vv
zMw~?kYR771>8|<Brco6t_bN#5Z1f&#XS*LxY>vDl5^`M>GSw8g-y|PSH<)n8BF}ji
zF;u6;<D08$w2D1Bsyw~h%v<rjzQ^iFSGW4=1tzt8G$i5eZ@0|4QzeB*mHG|mQ~Lsk
zh@#y)Bj-+FB<8Y+N}8bHwyt}G@AP};#g;lyx^`EP%*kLfMN0xti7=ra4nQuOW8^Ff
zib)48x!)_Ny_gi0Hc?hJMY$MG89d|q`%!v4?>t(wduOGKxm7D%Qvs7btcPW9c0T+0
zULf2`+EPxkR~X;zYj=nJcuNGf*`I-NkCwJDVfc0tyD9;}pVFd=WFO3K6Jb-B(AZbS
z%Sh0JJ-&X7iQF6diVaHWokyRyAMXyR?mxA!i-OPO3;kg((HT%LOq*S3Q!`Te&kzO0
zqpD2Dk0Za5i^dx+P9YHXcQIq}4s)&>XiRvIvoY?lx<C9d$3-9alP{esiQ~6yhw|TO
zmo*I3M(dwplSmLi;;BLD1sE<6mA|&M1H!Xqed85Jckm9^HDY%$9^Z*}E?=@e9*XaD
z^zE-H*c>ciqd-<v(j$d57E$nn4MIe2OBo(EA;7)?qEfXp+r>M-Pw^*taIbFB)YCj$
zc9zTW-BrQngJMm!)dfJeI3>Y5-SxCkSh||T(!Q<@F@02SbEW7^1*)8}gVMY#(wwre
z#M#;C?3W^xY_EK|%T_1)lWA%CgAl}EZtsPR;<T-JaF4T<_H4v8N!hIDE4lBN7A%Xm
zsAZd>QXV0bb}3+<+h_u-a_l)~>)umZVEaxdZgidyd@Mj!^~?Cs)J!UYHgG9)k)ktn
z(SE+@Oteqp86Tg(a(ugBbk0lJhfs1gN&od*(C0)>Y8tr{ti>g1@7o@$V{axZom5L2
z@j^{AtD^Zu)9RveCJkPbo;T%8JgJ67MXv%Rr{%knkG6={XF^3O3H2n;vp`a>%*ZHa
zrt7_OYl_@%`|Y#!_9IufBR?D3{0)l7ip3JSyx5k0(d8CFOH?YVPTuUw!6_WLc<8p&
zQ?*D-N!I+v>92r1XcB$}$MxOrfLkG=w?;E5kV5zXD=N_XGNt0D9{4)i+$ox>G)f7M
zP4?`cop_gZ8t|OhQl{ybFy3;!`|UE%0c}QL6}xTWUulz_qPe#uW9qFurrYa;WKLlc
znXX(IIOva#eT+-fjm4Pu!(sSYw9Uy#?^gg|Vs=N19FdJt<%KANTcT``(UBMsSp4N~
zL`a#<C0|IJRsBA_X%k<2DL~O|vO7)WA{Y%}Gi7z$EvZT7Xh5shsh0b(vnO3EE=?(y
zF;&?bWvb$(9{9dq@HmJ`C-zDAOYB<ry{G&{E|unY7#lf=rZt8DnIcy#9tS0KCdcu7
zT%qsNIQ2vq=Kx2hLHr?&?ds49vE0D;1&r@k02&Q*VD(AsL9)?^_&&O_Gi9`Vkk$Le
z?9A!MX5_B4X{%)|e~HBelZXJ}mh9@vEobC=pzpoB^^|^nI}emcMhHCh-pcSKuEA4-
z>QONIXC%hSm?rvi?9-<L;h_qIyRki)9wsX{k6tqKS28N7?gzBEDhUPMh3I?xZvI)h
zUkG>O*E2!Zy@~Q^{<uUe%PnYg6iu@I8lCSr8O#*~R^{sCP_#GhRL+$3(W%?)xei|^
zTl~E9u7Z0Ppjkt5+xjC&sBH{To_BCwEm4<z_gegMyA=$eL;chy$NJrDzWqEd&5!&I
zEO9l7vbc2g8kTYyK|`XwJ6`k6TO221y=(1m+@R`?;fuu}ogLFhDh>vv?Pp|yz533Y
z8CX*^<s9GquT<hg<N|Ise~qdZN%kg^xrln*+74?KkVd#ubv?yW5m;lGTZe*s`>(Z?
zn8e;E!w8esfWtda?+Z+OTWHl|20CrFe_Lv6El5+~6PL_9$5EMV@p|#26r{~FkCpY_
zZq=x#oh5L%#a^Pj)}MPj>j;0HOH4e6`Oall<2b3rr(1YF+JEujxF;b7?Kf2NR*_ac
zS**g8#JsibN3{Fr8cQnLo1Dt%cubDiPZLsbytjn}7QFrliufymuv#zOs_2!=6)hO;
z`$5I991Q2|D+OKHZ-s~-NB$c@Lv;7#<=DUFJ*UXByPNb;>J4?o+sLD69b+PwEi5M8
z%giIvTW_=8Bldy>woIb<n1W7YyU~YW@)Z$N$tv!ciORODe7eB>0^S(qJoHJDfVd8U
z3#V&Xv<kCc(L0d-E%@hA;2}?7adp%*hH|;bq+TOeE!D;fE{ig3+rutI4-QxY@0`E3
zzLsR}D7=;PM7H5m6ukUBd~eLgH^-WzXtG+pQO{?g$8hy_eFEGgkQ27rpV;3rn|@m7
z<#J5XEPd(VunIGmAoCmK+Z=f_xFYAR(=m?uNmuscKO3~}2fwB<m>*3eb%yrg9XSEE
z|Fy@qM7NR1gYtXBbk<&l=>j=WtvR2`Q1*8ngi;!B{Z$2`tsD`WAjzqK^|H2=cfvhi
z^vnVxtDR@r4O_oa%F)FwrTHuxV16*D50qQB*Ck#8!)P-SQ|#hSS3Nc+Qgc)i)sFT<
zXBoRU>b#sI6K0Ey&eAVB&op+I!Fex3YJ&K{ojFabx;mfV0Z2AtH!N$kJ5><T@0db_
zSU{@^?=3!>sQ1T@-*fqenw#?yo0%>O<5lA!Z_JmKsD%X>hqQMeEKTacW!(1&!6&0m
z(+`?E+p6I$<f}t<!d13|VY(#-%5@*PH6xZjXK~2*4&-zvf6b|mqvJfeRzzZ6r7Cy$
zhvCkvgGB4kj9EU1JQN7&?=?WLBI5splGmW}HHY`yy*1}8Ss-M2>^SSA_^Ih&#?SVd
zT9o(H!Pb1sSC2KZM0Tj{;)#`<Xc~M^n`3(1S3+ll_Vq&Xl&Pv?ICFp5!9j*aQg`Nh
zuChO9s?-G@M?(o!#)_vU8xL1+A3y;odtToXMy0p4GMODuQ#e>_+F)j$V}6*mwUrxm
z0X~09dbi>eSN}tB_2E1;JC>!=h&&h|Y?}gQP_p}1msn(}I-|+w?+_MWHrjehxm>q2
zz#_@qZ!*Y{zS)V>R2tra$q*-T9(6pOv&~IaL!Rt8=asu!*sxH@cgB~bTSOmM>GwpR
z(H#x_lh>&#PB-)R?V?t^!1Qv{!Ng!ss-JwPHwM&6XvCx%f0`WfN11?#nh?~}p7;Q0
zs~DpL#6lb3m!U9~xJt+y_fA7UFY3K08Im~AGX(Jg>{>EVTp2E7Yh|mB&h}9p9}Q+j
z%RCfp!j$jTSP^X$6f<S{9b&=15T2&s7NIa6eU?3k5ye-8R5n?04m^@-I>E74nm<+Y
zrD%Sf>^kW(*2(qqu&fuqyTz0CdOv>}nMMc4-wAkjYiTQ9QDN62(?>R%e5PU)$Le_N
zbbVKF`R-i$UVt&6wYQLA8oCkLn{(oiv3w6tWnr-b-agWiw~X(logUb)AzSRfZv66b
z?-0)V`OA#{B<$7fFVKQ8(5wV*9^RHAp3{wWA5vah&PPnzV&ArW%Nvzu$Ks8AEqrN@
z#|(Ke3Dzej12ya~zxHf@pEV`if#7G050quJG9AmA2p#wKaIkAl&U8V3Ob*#J4cfIG
zW_=BB1<)z2L@p~U?oZkc+*iAHmm8Jh2M5VY`hLYS<UKopEy!N3n9pJT^1+|f-C+DN
z{fSzVNMeq98q4S-fHu5u|1dn7qndW*VF3KNTl^|CRcFs!WL)<)PQZj0zGM9v&5jrH
z!m`pmLT0>?tkc%lmm}KBo3j0lmFQxVa$=hXVyB^OW#*(iZaLm~;qX*5e_PI3M8L3!
z=eh)rU>ulS<G}chhm$irJvMgjXM^j}{+eQMwaq<e#GaVrSZzP7Rq*F_WKxPOQRzgE
zaiC(5;5PoUwbA3R_WxF-%xQGMec@g6f>Mj$wudm?cPc%4i3p_X4d-um^((12frxI$
zUvA$Z1R1y9M!f<`lbnA_lZ5+v>Oe$i?Od3v?5o>vRAFx$P&AA%<D_auTzg2au76B*
zY~95HE1Tx-@C_v~Yw>($p6}MURm1%E7C`vNk0E~<ispbRqOC-F;yIf7=lW3Nx(Keb
zQFx_`g?Z59<B3`~jcNAxZW<f($yQcC#?x=A;(2F51CS+Z&ucr=NcQa7Z8<ua9J2W$
z#&;g_UL9hg47$QaC<?8@L(Kw?McH9^Dnff5$8YesGwxPJpkbPi_6<299}~;$aTvJM
zsw0~F=xE$*)aH#BPAnMRpcD&=X1vp^WN0V`%b?z8U()oD1oY%TfA0R^N<~tVPem{b
z($8-JTS>lGPgz39i79MB8$&=Ct86FZOyP%&tAn|Mj<aQhhG^t(>_fHBj(-=B!HykE
zpJyGVpZ%bmXtbo+n68Ot;@7`CbJU4Fknsbcbhpuutn@mE;cCaLY)f7zbcf4ayhfT%
zsSQEPG}7e~EPtVsNS|J5Sn;?EtbV*Jp=GwvI&R?3DThK$4Tl1O5Qn+`p=^@Nf3FsJ
zGrIh<@i{GQXVgirHf%G7(B!nY)^oqQ=^mM9dHpzD=X&bcQ(+k~JMku2Th6M~C#sJ8
zC8&+8HJoFXS!2~Vjzgoi|2x+)Kwg3jXmk^{#g2k5NQ#wsj)Tl-1>XZ&nx%u{%+7&Z
zkbumalgjlAIJa#UcdMSC?vp<PHJ4CLwt7Hb*wE)PmjmYf;3^WxgJk(R7U3O*U*F`8
zWtoyXuYzP1+X#94-T*=gxBc~TZOyWz{QT-SY52t8ryN9`SJDU1tFsYzmb!fZ!ImVP
ziy)r+nsFO5s4kbavlBa1p(kiJokP2~IUNp8o*HApsD|nW{F1DHh&RvH_YVrc%i7sa
zoW{#zcdWZJugJ@0*39@u%%I0&01}hgbd=BDCN3nHN^IVsTIYnnv1H`jpxSug_3c$C
zX2uV#8Nt*`g*HU?)+~aWrp59fV6Qr^CY{;TI|k;t`XF{qT;r68WEtSmj~@eFgZinn
zl)G5!2}aSqOMbzEE^z#GO76p^lN3yXJ8rqXSP~PV*w)H+Qf{%yDW5C1M_<M9#2gg;
zgp;)s(<4}twH`mxe`*NFWp12eb45=t+H(j-?3o}<2{psX{y)ADL1s!+K_zRZ51IFi
zGb6}#rBc2TZK<FMu&`+fZ@ow=@!SBikCQ1)B{0RGJXI`*N=6TJiP7;U{XF_*^OXh9
zjQM78ten|MOMn9S-EwSn$l|#KP8xP9pag#2zG|-}$#0BEL7d?1*LK^qwY49h`1JZ)
zRg-_JpL7wG&MJ~h1t^&XbU&SckR+4)s|xM?;}R782O5JRoDqku+rKQ}%$x5L4>5nV
z)ZZK&?JUoFZcGensmp9gAo{b~`naN{@0&DuGN4KKVF-F3vVRffH#sXV5!_vuKKq$A
z_Qr3cr3V0dRWk!dW6>GRX1+?K3(~9cN6oitrtT}aEs>MVF@GG$f&Umh1s-|?81xn5
zwB#&d*`qlxsh)Me$owww&8CmFNC5gI=1w@c{P{D{(=vC5uIJ`W=>xnpwD=(qTldGE
zR^eCo_Ap0Y;scDF4!LXO=ycXs#Wg8Y9yIKyBjmVHolOchr~>wml+apXC;#!#fZzZR
zaS|$>n8(n?keD~&>zeYHKd6B&<8+lB5<C_@Mr=LD4Pq-+l5W;$qRa19`X4=>NKKDH
z$}DcY@_lZ{!0uFk4>otMHs6ltmVW7LZnZAPd$;AzPh7x125IdhA+5nwr56p}y+2-e
zyW<+q8JUunCP=tVN+^(;Ewh4%O8CUnc`WWs5RV!ayBYQ(;yhY((cBMI&XiI-DhW4;
z=bpBNNk&C;Ms!6hEpEk+Zo?3j)IqUg!zAXCZ^0USLek=(Y21}vo|VJME*m*F4PS(K
z%2khF=bn~;xdlT^S2pMLbVPZwV0s~wazHq8-S6zX90tzyhhA0e*HgCco`nJI&*Ds=
z@{NXZV_bi#%vXhIV@)0{0IyuAuXlNUv~CDHnO4Q%KLuz%*^}Im!P5@=<7kKB`$a7X
zbwq{?pg}ZI;mfTrCvUFRiSFB&bI3SMcwWc>cyyrO-&U7@x3Qz1e1uHoa<{6*mYp~6
z<4x#uRcz0iHb4NKdPS&$meL*}(_T=U+(y~?+Vv=7<~!yq;k{N1p1*%y`Le=&^BN}z
za1mguY`fGWQ)xGR=?<|3kM()gRG10rH@ra`S7@$EVia^y=t((l;=*<QKN?$eZQ(ZP
znSe_BQK#+Qxi-#-zFx1bP6SryVjNibTB<!}D0+)BsHM=NywYj<A!#!>D)rHd))EMJ
z0&(C$)-2d`0cLe#LL1~oMq*CqcPMcv+$+eNq<nlN1$4lFW3Q`8!9$i9W85xRzzQHc
zHAaLZz(V5_mMl0fD$3Os$sBJj)`W86Hv;Tuun7-OtYl=<qD~IHal0)6d7TM$nQA$I
z<#`WpOZMZE?86^TBJkm-hGs{M0sF&V-?qDFw7RWl2L{;9`sS`vtaxpR_4l(uZtoo?
z6iNSknaP@$4t6*puQaf<qNL4Bn8M5mEjEagk7RCOVP&*aEuA2yI}zDXskhrH8Y-`)
z?Vd%1*wI}>$WjKaodqkb4JJ@>2|xgVnSc7d+}+6u;h+H$(@Sr^kTq-N^bc5?5`AUA
zKy5Z*{4`JCVib&IfJ(&AQ--XWAqNYSrBjt$o<jR}RkSW(AF4dgg7j^*tRd+jQ}1~)
z7`~n7`|b#uZGVT-OcdIjEJ?e_-c)6mEJHj7!nPQMZOv&fm}5DpVpW%`Enp_7)GcKi
ze&}Jr=V#zpSMaK40sk%1H#e=*HzQhRL*0kC$S}cDzWN>)6$h0^F0Liq$mtXP1Hcx?
zHCoJ8o=N5NBW6r{U={^()%_1;e;W|WG%>S(8H72P&2q9WETpUcXL6=G8zhdV>oaSJ
zeRFVNdOLk$eu$E2OOl<>7}X2ptQPqsb8>xx%7KbVLs#kJ>ScBJ-wAFjxSKUvv$66v
z_Iqjz^>2Vr$_b&AXQE`Q#w`jMHhL#|i*NmD*HV}(h$4Rook`?32yoo_^tIA`T!@~@
zwYH55&dwEd7S47?iuP&VL-MTRAa^_|Z-UA4gqJixc*4~a*kH0UUHj~I6bdlJ{6{O6
z15TxKFmtUcpXI&OlfA7gW9B&Afs5*5M$0YE`h30wd2LRGf@|(t+|r-LClyxFgCDLd
z1DJ%E0FxY@B9ekdcmpMm7YSOX(|5V+xr>L?gd0!%zBJB2&8vz<;dHlz{^YwE9J6Z?
zifKA(8*twARUdk}Mvy6iJMRjXZkAPUOikI-|DIWZ-!<<C+o~lhMNHA}nWBTmHhP2q
z?+RXYngFc!qRlp39v@M!+E4~HbWc16jk8OvT!A8^$)^Dbdr1m1b&)={+j)a&d%84W
zA2FLvHW@dtc`WLF+2vQQ)73oS;i4swwM#9Kz57;xzDM+CV?s}&FV&ubY|9HR#%J*z
zkauUC<Fk<S$d9otus1C*#@>a#o=RFsQ2J8B5gn2>fs?8m*$H{?{IUJ3{46LzseXP8
zhK?9AW_Z%zO#T!uWqa&hXh?tw$UEoNWwSvyC3b{;{}*O8KlWl_?H0r#26tV?s$@86
zvtjJMm2g12+u2%wF*q`QD?osfPDZ1g=Xy-Odhm_nnYQ4<tPh9af{?K%pty&sH>BJn
zs_>uvHW|?mXX@OTX<5Zm3~QV=Bo<XDgAPyGD&18XMbV$-+h(R?qI{kUy-~cUNEIkg
z<dS@Ys8kV~yoV)*Eq+same%d}=Pk^|M8!kpg4Qx`V`J3G&WV+saITp5HIL*G-P3pu
z_NL@0-=~f$Xp;ZF{dk~FL++VbKhsmYa2ujhQ$P%|0^w?!`2Ho_@DI5`XIHfh)|^?T
z7Tw4!#s=NN8Ir12kMjT+>P>W|O4V|?ld9!TpX&HzDx~LT-TR);gCV%W1TcF|U8Zaa
zHF~Uh(zm|2!P8<!MRa>;_~e+==-8e4mWd(n{kf?r>Hg^FfL(egR>XXEDkMx>$rO@S
zAZYJb?P2F69)&6>XqzHFh&fGNgEJYVon?oqSX%PgfEp74B&*l2^S=YSf(SuKj1*Ci
z0fX^ksQQ5YL*`0rv?={BxA(}?yLaDV2*mS(CEE#ne|+ip!D^D>M4f%j4Te(OkK7S|
z0V5Nwg};`2d^3QES77pisu3M<z1bpS-*pkN6g6YJgSTwM`=xlV3sWGw_9&Mh&7(;e
zR>qEwo($?yL<Ib;h6amHJh3!7U}51k7&dWA&NWr9Y8L1h0_&2wD;MAwe0;-Z5KjAF
z_1~MbL0;_X1wi5~JZq$8-Dq|%*DEhwYf=yR&_|aDrtfQkQ&_KNrf%KX6x4GjZpn*m
z7ZzySkkVr>l_s{SGL<JP$Oefgy2zN^UMazhO)c3BC9zEyGzfmpg6r5pcsnIQUk_V#
zUyr)+7G<*xVWt#y>n@oz-*|PmDecg)Y#6lIk7V14iz`ll`?l))>hPMeH^P<`ieZy*
zc@3&P#kCQ~^jEJW!62|w$TuG!EqX});bSYP@%hStImDL!YP^EbM6LPNgHegw@rsA8
z*fy?v<8+++I^iwf?<}<T7rw&L1RY}iDVoF5M<aawTU-bEAhn-&c=G?6keSsAcpuiI
z|5y)sJLm*$7O;|VN-A$Izr`or6cXiIc$X9bO2uuoq71B44|_D|hwIbnJ*e5QQ(2$X
z&V3*pT8zh9!?kzUgzc9*omcmltvxynj;T!czIk@|+NPqth?4&k@;T1|p}$H#;OsI~
zH?ele6gV{cy4zLsy9xQOW%iY;*O+dl9kWNORgp!k-l$I?j(hcvo6JW3$yk+Iren#t
zd~dg3>V&|?gP)U3ES=XrUV@Yt7K<}ET5>hwuSkm6qc;2Srl`T?p-i_>Q<RqcE{*O6
zy`>Mksa{X`uMhMP;MtOOiwu=fsDiK6V*VuB<jwB_<9F-M#G^dCO(Z!ln@;8O@`(?;
zB8&JzX%5GD2aq>Yi0Ssvl=*09ebrs3`R&@ke<WU?c9AF&$ho4Gd_Mk^GDYH6?ddT)
z4HohI23H@x-|4j+u|9gyQ$`lbe}O3qRq7H&U`s?H4w%!20Dt&*jg~tPGC5{Tr~C<W
zZe57YZtxnXTjs=2bp3uH9KSQO3N^{O(wQ88zl+-o=Ipx@t&*|M1BS;|6pFV-nb=ke
zghP?hf)~(u09GN8oF;pCX!Z89>M`qb&SU<>`+6K1M+IKuPohI#n!6__e03j<ACmSe
zxoGn4f3(;G2H#1{Uq^F5y{1j^rVf*_CoaF+-PfI?vfk{DhQ;mir#<9hPQ8WECZ0<n
zTU#ER<q#a1_wZqLW${*a2kBz|7H^U|un5WC-<SnfAqQb`?TUBTz+BkapYle!lFrHZ
zozUvDwy0@>cJKOi<-BUK7tz1p?Qvsf?tHW{8R@k(8WFT<2o2OVsHT?7?T%B8i;UZg
zD=$pz7qDj^tWJNS1cKbV{XG5Zb{4z_J!Wgdhq{VKfrfS|`Fpd?bA1Wlb%~BNoj{^e
zX;~TUCl!wac^O28<O(B{`#XVQ7|fRDpSoQpU~4b>ko9W;xS8OEmAtkkjgi6Yo^z~j
z*v>5Y(x7Jag}#GLPQGfNtSU#K0sCw2&NzdQq5?FLy8xYey(9l^S?tar7{1Gi3f1Lw
zDkJ|NZO0c-*4f@a8$_{qL342OR6*`=rFS`nJHG$RhrJ9-nU36nHwxC2;Lngnb>8v2
zOQ!C1`r)JOx65u<@_&da63iq_Z>@97*kI}nEykbU=s>GjvmIRXFiNQp$Un~xm6##l
zJd9$KcbsUH4>;P-oo*<Q?*z%Z+F_h2sh7a@w5;v?QmyM!zO11@Hf@@#TlAe=V9bI)
znLnA@_epN!<B9l8P1z^rdXkawUZ3?Ma)C^Cs=V-~4S`QJutW4o&-1dGkYW~)S`ZZF
zC!A#bcsFGBNRpn#*Xs3(^{Vx1ZL4GBkk%YWpRa7*A9owpG5eJ_h65^G&xv+}Cp3cD
z{Z1wF-(?8A+z7?&w6_f$XNj}K=YEjR8Jsn;Gyd!VSSVK>)f|NgNq+pqMeHzHc$8V-
zE^Q=-a2!Aq#5U!0!2}m)Wa_663#>`PgSDrRJ}^SohRL{?yp!In7l$!jc+;81X}4u@
zuc|E0sqv3MutRJqcSo>w%ZuJpJXu-s)KB_&E{bEMdM0a8#?{to<zZR0b|gOb?=39K
zvL|=QovKPB&6@n7LLqw;NB)WJOQAJA;c*(m&s|@6D1{pXVVe+KdF_mW*;>7@w0ig_
zJ`Oa0yoX@g{Xl-0&a$Sgq)1w)J1gvsn$!_-*=9pPSa@9Gg`&y3siy&rTw9F0p94%n
z%3Kd6(XF0?lDgZZ%|5}&{Ur<+w0U5VX?5W{@-r77$oTDxff=cZN|s_k_7xh}h57ES
za*d!Ie_3)1K{_O6pT#Y6*jpz$Df(Zrw>MF-+CyxV>sbT+8*6OZYi&F=$**r;A}W;w
zzx^+d=irQUSmq2!pZ28%Z4k-JY3;3@_NZpPF8f{H$l}W4@VOmr(uAx0GW)a7kQqKN
zRYgi|#VqZ2xs-CDS_J5bd%78(UJ3V=E*FmRPWIH7$T=aNyHj^llF-%?=9nJ26Xuxi
zDvxUS=iyQAfk)ezrSPMH=*?B7*#_%$?@@IBS@o=SD}_&c&y^(b0pH<WyZxt$kK3l?
z!Vq2u5TS!D@;K@X*l6uvHpqUK+~_zc`>~s`9^efHU|Uj1DVmSuj^bqXFaGcBr0rQE
zm!v+DIdQ48=ePm|>vv%E>r6!j*_+Ba1D!N}{W8~k`>1Ht&u^NJrI@D72G<LG=I?MB
zk0_}(E$p1ssQJogC=%mzx<TbW+84Qqq6}ik&$urrZtU31yd<HBFppRK?l4sws#|QV
zsvO6kl_+dYMHq446?2^6?Qk(L4If20CRE?r;AK}tdn7$BI7n>y(h78=HcLMQNt;i8
zFhEj@(CMpvBMboNA$0lHLS_I(v*z~!pn3X<H)qF3kv@dj;(%a|M?5-=j#bU)BhTQM
zM(HbF=aZk`vZw>_Tbw)tcljHU86hX)<hu*4>gi<*tuz*`kqqc?lp^Ww4NW@g2KNm^
zXQHk5e{Bcoe}#*{c02^bK8s^|Zttx=6=n-$Ej@|&T!*O<SL|C+4|vcf1N#J&mFEb=
zY5(bz)R<>)_(<b7_bD#<6%3DDCbH>HiXrA#wt&Urz&i!|pVd!fR`pQSCc#8oW)x1j
zN^9p?Ax`{nqf3<+xd`w15PmKLqee9bQ=+Zx(W#4{#RJco$Q%pcEKXS5r+zb#og8<3
z_0lN#?K0-KVwMbQjL}<J%sriA<c*#ZZ18uso}LmnM&gebGo(9c$jh!Kpl*BlTf?}p
z7l+o@JC{-8Gxv%(Al4dsV*z>FI_H2>uBtYJBdU^*j8GtU{(WB~D2G5Vdj(($sXMzg
zq#RVz)@m{O+?}+SFfk>NMCsSp^;JR?jaMmkI3o)~GJ7oN-)phoYsg8r_MW~Gt)oj~
zUg8)M7h$fmnf&!=l+&7BvT^@RP%N%~KbJkCumqtl1JOD1+>1_dy78=u%0$NMgZGl4
z+`i-!a4`gW8ID*Tr|e@nh#aCzMaddH-{-^QL*;eqOuffhFf*Ahtj>ZqN<3}}_5lYS
zZLl><cT=KL+r%@W@<)2{p~Q3N71@U^&J3%M$J?H+W|jGTa*x_Gpv~O#W%E0|d?|x;
z(f6XGw4kp{rJEnl&u3%_OS}Ol(fM?>HC}A{Cv`4Pyj|?c%FOi9*4Jj!)mL$&UNW2=
zb+fJBOJx^ocuif1_OR6@N|wjN_30=HGEmTi7U+}ADJfWrcpB12KGkx}%4Hf@z8NZF
z*O5}%?q>7n&$x(?vsmOWKFVb6yDdE3)GTqGJ3plYB{8ww-A0xKN$@{$<~ax640=D}
zIHM}5fEx0BL?kn9A#_~PO^Nd>cu6OX{<`Ut`FFiED5eFDv+M1n9aw$37o&%POHhYr
zppvo|T+_PKGvHomvRu|^?x@DduKoXJTth;}9fE3Y9BG?o%F-xb2p+AeMkVJIG1Fzy
zSWi7d^2sXIn&Tp$eKuU&v3F)#L+r!N%5Hfis)ZDdk4K%;5sHLH6lvG4luv!e>D&5!
z_M&tE`|9{Bp!Sv3asM!Gp)mMfm0{q=2jtDt#8zNH<?0XAZ9S7}D^<%ISd`-3-XziF
zkz$XTi)_+kbU{9>F%JhrT9kJm>GTF^Qw0y7GoY16El>3|Qhv+533)omueY#^tVI`(
za9TT349{FCh5P&3bb7|B<t7?7v#pGI#xf0_zXipuwOf3e3>$O4?*=uBcEbNutd#Zo
z@dJ#SJx-t4ocq4gnqP~^_Yo0dee#y#yE;_fD6wHhWe_>^B<5x6ekOyj&FSn=i08*c
z%?2fIH(p1cgCZPx(|)?5q}zRKqwh3wT0n&<%q;t1H7j_w{P6RLHsY7zw}Aaa>UHqu
z$?Lw;EKrRb0Ai^Ipi<pH3?ck+zn_8OU}RiN(r-m>VZV<tpyo{w%m0=y!i4e#4EhU}
zWGbflrK-s--M8~SLb8dg?v8F|Mk%{4cPZ)7u*a)h*c}oQpWYTM+vK`s$}ssPJ~5BW
zm;GtU6=;#Z+E>3YtSqNgeBhBq8Ss^ps>z^0fE%vnDP`iGEBBi-K?fTZ6VAQ}?|AgD
z7z?(}ee|imG<8yZ1!%P+eC$|2&P^3_%o&TT@45!wUSf%>Cw@Zz97gg)^xYn{A6KM^
zRV$=F9>#%PO+$$pABld_YVVVf_7(Siw3f%m8Q->$*+R7Cxgbeo<WIEKEB~!T58D|X
zxadVz5_Jc%61rTan8Hi=sJbn>C9Z_eX=70)Z3j7or{}ot@0i~$3~l;ghz4yp$5j3#
zWoXsab0g9HJ{*{hgr0~5=C7u|8?QjcKnxJcfD3fb>C>?>P%;1l^unbPZn|iEK>I|F
zZ6F7suf+Y!2nQPqNvP(5Vt7jC;5XlLCSP&3E;~-bDXIKsL5)V5Wd-SpiCNFuZatwQ
z#G06G{-o0!j;ZMZLsD2vCD}{^(&EPn1;xw&#Bh{P%cW?@@kl^8{uR)!HD*X65%cED
zNr1PmYRuujYgDs&4(k;lS<<`Kq1lXc6}<XDM{#DAsPxM1*maE|I^(@_I<rwd7odX4
zz9k>B?>P9LW5I6XS5q9NHFs~suKwA{U71%VEYQJf=$7~gedqgVR^c~d)}Zi1!~o0*
zFO1}q_zdZP$TDu>(yqEIj5T1-;QczEC;7`gygh%JsFXcr;))%XzC8myFn7bCWJ}Dh
zFQ2?Q%q9M(?>n${MvAG{bffgpC?oM)E7dWl_VU@k?-vO8`^<@CkT*Mf9KTnC9XsH5
zZ(3{Y>Y^o`l5pEy_8ULy8);|azP@ALqwfXzb>&6>lP2(sV-R2If|zd^KAvtk_~JC}
zt8wpMMw!Yr{K-Aj_?mB%Lb2PK<mrphm?W`2it$GdFC-R;i4=u&6(z%GZWfZ(uI^_#
zA9<_}6*&KB(-8Lr^;B{>T;RUhaVpa8pU~0MxAbabfrLdXG1Nh-SDb`M%su>a91G4f
zL9F}pu!nm3MhB4oS;Dts|NnifESiqx`pL~qvlCp6`>~^!6!=yzz|$P`Yo>l{sn3jZ
zgiP1lM3aF6C^|@YwxU27`1?BMTgrDb5KjJ=Z(QjG`JMw?^ITs|8t6uPHCu&ZwqX19
zTtBN-EF1HpMLo%yC!|~mO79TG>lO7tRL8n4LkznQIpozC>J8dFZJ()bV%Myp1a8hh
z86f8_TpeWqS13{%7eC9`$h&6kK@$|)+<##rN%1SJlZ9mD#=RW9WxJBxM!iuB_u@Z{
zP{Dk@t(je_>g4;j<*|pK+Kk&SL9D&WZQIzF%`IV2?Th=T6pa5@)cYMybNrS;#GATh
zSs*y$PpZD^$JabH6nN8*P)(iByHuI<5Z`e?R*-Q!yrhOgE@H2uf_?1)P2>VyP;75`
z@hW_%zspsMkT?upY~SDJm^~}U_RN^0J^dc%8_<E~pw3eyw8Xj$F;?<k$*BhpoE}>D
zqOkm<&cnQo1TFASR!FLYRB<Z*=*@*bA#jGms&LzrXdyZ|VndE(!)TN2pOqoKq2*4?
zjh9J1-~7{(%0#bryM`n1J!W)ppFe_tG{{@t0alvy0%9Ivby1hKX=LQrY|vxF!OGj?
zI9aVxVX`(}ts8s?sIkCOwbkkeTN7O;{G;u<)!E@yxI4>h3HuqGAJ6#hS^R0!Y-5EQ
zR<Ezo`!`k@w+WJRi2apK<nsDB|2YZGptvM-lC#TGX+5^C22(`0K@WZVR{VNQU5}SW
zhu2|P$LpA?@lUDjbWc#ygD{~4$LVgmS3vX$wzj|{{%OUTm-2g0R@sy?N#;Unm?ONf
zt*p>4I6#B0O5{m72a_E_SI?m=AA7ST<rXo}St;9Iq4+%ETBmAKNK~4@oZoQ1k6eCE
zV>*+xxOgYbW4&3b)?x0dVaAY-gS;%aq0uZOM|j8li@tn9g1997rlTDGFxEhhdBk9Z
zeESH_BDbHYc;bpRdN#f(4$*}r>`X9^B00Xl-TH*={C?%j8Q!Lmn2g0{dQTfW-mH&D
zF_Rb8yx(Dl*EWii_k8A-HP}^&^3S;cbS<9rw}x)D=+&L2^Ifu!wi#J_f%6M}mI}OH
zwqSNm%7p>7YiJ7Mv&kF~bCHp<voV8{xaYG@vM8Yy-Y1}80;U$T`lG8&76be2>tweA
z8Oq=<n+-2{52`O0R!3Ytq1_|-uM}i{)~`)=uJ&sO+<OBuO#G4@;|t-fmWVtE#X%0L
z{W-Pspb1!2U@P#i|MiU8j_4{Oa!w+R6ezp6US`W&;@IYUfi<!(vY61#Pk7a%!b9@Z
z<4;8oUC08Bebd;>(gUs%u6uJ&wMgbNQNk-P87c_Q8-Dn&F(Um7wyZ1Ho<YWaZ{cnu
z3PXQ*PQS$1;sWd2zd+vK<!5vG{B$nHU)Smm3BP&N);pk$7gxAHe{}Aj*a0?6g;b<=
zw(H1>n@84y17}b<I_bdAsbN4;Fa`tFE;PSzZyy%#GhjBp&#7wis6r3z!7n~9WW2vl
zBgnY6Bc_7-Kt;60qitCKBm^0N^S{d~?vxFl_Y{lMdch*lxwZwONUQESc=xr;?u>W_
z>odq9`eGE@kGE~cJX^J@(V0<XU_ZbZH|y@z)UD2=ylH&bp;5ux3y@o_FZvhi>fI)<
zF9&>-s|>_*%fNh|0&(_#$jDmaxt|+7uJ7J;_ngo)y+;c^h!_ofakkI-Wam7}S$!t*
z%iYU&BPLSQhGGz=7$_llDsbxHMyhwm3PxjB&t{^$C<;}d=}{$O+0L!G-<z9q&kNtc
zLYs^j(-%uT2L)bzHT7bF`^jkWv~9<yl}cwbtV|;}Q9;SZv=LW_=h{dxx5}^V?&KPl
zPHq~Y*3@h8cfh_FzUNG*|3GJN2&jJt(@wC~+XseH919B-3uo-EANNnF1pIL?#P5sJ
zP5YW{Orb+l8IA&TsI)Oz1r-$x2opIr;9PZ(t6ZU;o15c(T6D`$Pa)v5^i6jGtmYK3
z7p1)=9{TH9!#AHD`az!Rl*@1{zN3l*PT5g8B$xD#_p@Bq*np(9WkzT+I<Q*tME6W%
zBHVSPq4KUDI}~0rzY(rT6%o_&ICW@CVnB#xaq-3^3ia~sJ@-NNb&sLryfywsSchUM
zpN9u|^FCM6-fbf`vygKJc7;SP2BQ)38&@pNW_WB*1A306=2uoKe@?&&51pERQjI?_
zbmTYEYb^1OCi|Zv5zFWW;p3UD2KVP8Bbt97taPoj=AG96nfmnfCRNaZT6&=MY0Brc
zd1p@12w0y_2kp;#(l%e<2=|lDw@j58H>i}`e|j`rV*9&MGztadIF|BnJ&*e-7|poW
zIDv>RW2?OmgNln~?}FzozbeN&0maA$V3nI%UC&3KpqjyZrju_x7JCKn#09tB1bjrN
zVv}0Ygh~cA>galDARi;ftw;Gffw$Nm93|Ef&O78x{l?$xSE0k<xbq^Clvv8fZdXon
zRJ^M|JqnVzxVf6)<Xy);lmD%deIl&$h!(i*>&?=|`z<;8$+4YSrQzvlsWu1gzm)5N
zizCw$@)N5vDV?n|rZVIs_sn`BHD!6|7XQL?&MqAJSfemD_GS4Qo1e0Ur_~=bO3t_q
z(<5EkJwi$-LxVjA6`{^%{bIrRwTx0FA(FYfa~6g>CuA9?Q2;xON1eL;2?_sxT9kZz
zT#%<%7r@50<6D&c8qy~(&q2Kj`yZtCQqm97=9iX3n_Uj|h|`C9;}4V+Abw(#js9L!
zEc>@{@Hzml=+ja&+}*wLN+|~<zj_S@kw3bCkVKZHdo@L2_Fk<KJ^86_R*;0_Ki;mj
z`c!cfv36~c*j$OU@M@uZSf%MVK8i}A3;W>Sy#L31s}SKQQCaLQSjNN@;aDqg2X4^t
zOyAcXyNwUKCo+oNJ{2dR=__3?ud(;kE3QwVuhUWV+KsXDW|4OKPIq6aY(Q{>R?@Qc
z=$P;5NuBh55}WTMDpyrYJ8n+~qEh`4ezvVmvw_5((eF=5o2~vwUw@hL{6#37lZ1Wj
zcFf5!>)P(ty^&sr4m$Fhm(5I<4xCZ_0fy;(_f0Jy6kWQpMpVk5{Hrff-bAJu<&%K}
zliu61bGz_Iqx)_%7teFOj@6K0`kO_6r1x^d_0sSvdy@7%TFUaY_5Ny1rs9JI-ylNB
ztSbteJxWz>I+6-^UFFKG5L|zp&9+afcs6{|no~WRj${6FycQ$B{b|qS8M0ot4Mq8g
za>H}Cf}htFEpQya4zv5_s(`lt6p$F*asg7_DeDwU7*_oK7}(SI9I!$KPfOT$eBZ&C
zxPn`jRI({rTcNRYZ&$$-lMtJ?lp=X&bL>Gjd8<&@@LJ3BWqZ1ystw?re(SaFs2f?c
zVO}A5pKE|1Sj@d<-QRP%<cQ37z30SBk)LMdPTPk3^G(FYiCoePrA)qH#AOPnQ;x2&
z3zoF6%k>Rvr7XqNaIVtCA7rpuK+<WhoTmYKDW;qroGK;q=DW{*@z^a_798jjunu`y
zRR5-kqM`~qblczK9H^hOmV)Rgkk3qS<M#~J`JKnbj7|LtD=$Hlo##(yp5DnHwID6M
zwCO9uJ3$wAEO*~9^lz@+{rca*`9tc}EZc+Kg7xy9{{D9AmoH@Q=3}XYg0B>uv77GP
z*wPCtF2}!!o``<EFGUa?SR0)-akc!JgJU*2P^&Q42HY|#|Le4k%R8dmS|lbOUrGv8
zQc28r{Q@?iu|^eZ;6$4hZ>i5j-CbE4-|mI0e>hJbtXmhw(U|n*Dzu35_gDR4eXvg;
zSk@W)!sN}4w)<9>%~IKMyhPTXcEsjV_@-CB?YUd8(?!|R-<t1-EQ(kvyVU8Lf)WTd
zUJQ^`OH`vvqT{Ed38T+P@8?U-gen{gw16Q?_N(Ee5#;}-si`F~U+R_wzQC4HVN?%e
zMv>U>Q2}eXSE+2i#04n6z9#iX%)_mEVsrUAP^fDJsyJr0sER)lrSsT>^hldrKRMst
zVnmZ{Zi~?-AP3737w;8@e18)H4(|0h1QYf1D$UAgi1Xit?$}9OY#g}-?a##9J}*a@
zXickRk~Q0T+f#cbUOH2NLb-a#SU?U5%!W))-AmQZ23eZhQQN6L<%_6P!)o?#Ue=8-
zh4fjzIZy}v+~FP(%aN>MR0YkAR&4=Avz(J`OWBmBT7a?p`G-)!>4-U7&fCj-+p`T1
zC&NfA=<HInY==ECrDIL9HEF`@v6dKf1IrSInc{kxCWjjkQ$|^XK+K%8;6HT<n0y6;
z&m2TW@A`&0(fpQtTs|mIl}<22dDZU2m#z5r1MJEAp~0r59h4HHcvl|x*NV{Z`@RFM
zx=D$m!sNHoQ^iMZ#G@o%9!m$P%04j&D_rG@(-FE+404jpjsf9aM(5EP?(mVt{>~4V
zAU6%auUrXLv)!!JUcvW@7LJ=HC{3hFX~XMw+&n{o{nLB>=_sAe)S8Xs*NW<V8RdDS
z%7S&TY(T1S;u^I#xYx;Z-*TwG$v7wRJZS+@Q4>PAujt~~s|gA@P{F&M#>`i6U@wuF
z-|5An$GBriY=Pm8xg2m?r+#sGjPaF7$ydDF>7t8_OQh7PY7;2<v0oWe{{etVG6RXD
zI*N4m9x+^DO(XFSApcjx%xCVoi~PF;?iyruH9eMKH561u-^_bd*7Nwa!zH4WV`jU7
zKjKkssys=QFN%DZ(ZnMyCfl_(D7P<L7cY@dxd&@Uh`btQgjhSSKw)8*XAn7ICBWk>
z`soOe)r}}}uvYUeM)ZFlFZQBTCg2`*J@1tR|5TiDX_^0YwB6;IU>{Ha&C$tQ+vQ6?
zV%3-b!c~f38%Z;hoB<N^!PkaLw7z?755kGZ<{Dn2`~!?|zN<UlB<7|(JQqpVCPm1a
zyNbglm-m51kHk4j{mydstRNCmNsNZ4#E;l$Z{6UTq&L$KYzoO6h0dw{<Vw#9EimQs
zm+!1Prw1s}xai0@OHj5zV-0lk(3nhz#HD{TWPQQ}t)Vf)iHeMCTtSj|s}-r%j?}NQ
zEOsRO{%$p`_WL0i-fYJbf}~{y`oDY-P}PZ*JxwaKLEDrzHqE~`>{q!ytKKWha`-@O
zzRQ)KissVw32gy?FPzE&i8IYBY8{=b75hQ!c(ehxycr8|=b>E?U){_uD|JB2n$>Pr
zy5FB18`9Ea3G0$Mk<UT;vpJ(;Ke*C^(VN3-OJ{<(Mm0&BJ8UdV>XZIG?h_R6+N1HJ
z<jpT{iEPdyU%Z=Pyy7f;R3Upm;b0z4TG?d0DVTWWb`YKTbh_;8b2Y<j#a={f^TpoA
zl{=D8yi+J^IWFtqF`{%Pr&g5C(S9P)Vg{p;XG~DmnmKmlP2-ORyyC<i<%=1#AcwJ%
zqwOK}5aQpD=5G_vb#W`+Or9}dQ?fWN-lGmml);U#{C4UI2%e#YGu<oNPgp81R)5_q
zl)^~l;4<lXxMgF^0$KA-_61uU2Q*(D(pmj7s<~d%xuxOFe^3&AE$Y9LoaFhtPi8yq
zLH58?qOq|=FTDMHIKV?4;?G`1zf)UWNMGyx4@J<P`-@+aZ!4^gRi^d!gq>J_Gk2=i
z?Cek{!8~By2{G!z);+H6y@FdJ_9G6ORya&ztE2n^SId-ck@hA%@+zrr$2C5@CBc~Z
zcWz008&BtHn7Q3DZwKjY6<>Vk!RhLx#_Z36-Uv~MX_7Lm-WAF0`FZUkim!vuLp&6D
zhRDV0Lv-n4b)+cXk}|0KG*VFB$Y(n5rNF`-N@$U-$UeMzwfw$i;5>b^&+lCR+^|Y8
zEnMECVHnm>{%#5ZGK!>3P~2Mbzilp~9(1PNqvw<Iatbk>o8bALs649F>)np`t>cYv
zz|qy!(Jv<d*Jc^Xwz#9-?o0`Y_W_fuPWPRs+0zqI4WuX2+T`gOWE`HC+2~@9??Y1(
zSGGw06H1}oUY_2xKYDWTSPrLAlYTJbp2>YZesJaIlGbR)3|J@pv$_>s%`)AP+6rst
zx3?4Ik_%0ndKd)79a%545AAWgcb~{>8<!=2X4T~e?zg?#OqXiHn7p^R(krSoTfl&e
zQ_4B)OX}l)dNJt#Vb`nM#dqsg?$lJf2rwbdFP5FVfvmG)H9^e5VA;!Tt53!|%g(F{
zi~uvMEmx?pW)Mh=v@B5%4a+iLRXdc`7#R7z2d2G)`8xJR$LpS-C>|+#G*LCx+sW;9
z%s$X-LcT7p{MRQ_p_9h6$yKb=G(55W)Yh2v|NMA4c6P)=O@8XI!#`TfwF^<Xdu!rv
z4oi?H+{eh%gVW_!*5rYD57y=8ms_vvx<z%|S6(3ploYHrb2~UP4&PsVLkWn|mP)rJ
zQ`}a|6(Ig<xH`9VNSKNs$QXK38=h$P`_rHA^neC5O`PtJuFI)#Ejed5;7T(2aE{rX
zx4aCIAfC2`24Q{PSGGzCw%>iH_d-wpx$+=5V9d0B{-jw!9Bt;N9j{xvAENa7S|g2q
z;ss3V`>A+R?zV9p+0$R`ICRibWi)A=y96s+KC`MnE+ZnB^hz(vBT5aoq(8yZw)~}@
z`a<L5HY+K`$H#6%rWWJ4_pc%EgH1c$n+Es6=u*@~4f+vin(prcm8d#FBEY2>Mb8z2
zg2gzbiN80j@|7uEGM+HzbgXF#!2wTKOiD#JXo`)OvUDge8CCb{i|Ia_+;fKy627XS
zshMgKxAs7`3E%SDdq*J=MYBeRyG#b)8Sw|_DZ6rOPL}bT=Ht0Y1%-ySk|tvNhkYAz
zQo%Df-X14hKJzl1mdIrx<m4<bhT@;4*rEYM?j=z>eiOe95BHNpW)0IB?TMORxQLzY
z%42$m<3Bud^m2z~-(1;&`GB#@_2Z0X?NyEOTOzYGa!Ib{gPc;tW_QquQI(}Q7aJem
z`}%Yl6&1bNUQE1MmVD%zgPhibl4$;%RT0W*a1dJ2$ACl#<AaLxCzP~ud(vxWow(rn
z(LttluC#lr!{G!5zB5h%A<02Gq@mzst$6w7Vt2wl%ZA#Gb<|hNryG64ES2Q@#o1F)
zC0Y$-e71VjlTmA#n}c*YeuF999wj8i=DGD#A)6vqADlLjaRSHY6ehBHhP6L%$8l#z
z298ERP{fQ8l}g#99*v|GqGQL1$C{@`Fm0q{ZInR_B>%rP`rY3oy>ozDb3QjOC<jYe
za?_A__QM9Z9UZ9Boh+wJ7-&1xQO;ZHAi_L6Y;b?v4$P86dHUHq(OFS^eosou?-e^L
zdp7^e>~fMT5V%o#)|15Bc&J>L6QB0}<Lu)@)}3Z{A0*pMJf7IF>{%>j2pHhGNo)oW
z2dJ}hd|VjEeD_ADqm;{>`JM9#;F_J(9VaR{SRT;^el)}*;8&6BL2P3RyEq;z5h1V=
z-cI-RMmaK5u1~I{aTez&`#R?+Q|L$;J9Ia+8HzpK7Mrk-6?JU+!3SB{hs`L-MO^7q
zfKuS+yvNQ#;%dvM>GuQwb!LEZeeO*bNZir)qy6|;83P-U%S@PmeMufms>B{YtoTna
z;G5<8IjPmNBXZ3Yd%FULs}L6`FAVUtS+SCsO5(&YH*_rBixDd98Af-uxN+N(=>G4v
z^KFvWejyD2MTivX(0fP6l=Z25k5=$(v?1Ma^4b$eXYmW%(Q7=bB?7xGy{a_|5pe_W
zSSoD5yfu&+o%8PaWDAm>|3vMJ2rg)`dT^9eWSJ`vVD08wQ3z2Pas#uRuxvj*Zml*?
zhP=Wj0V!^O`YU|r><pd4a~5&=8Fn_>6;tA)mU^Wd&l8Nxr;3r~Dzl%ZAkVPA-xBg|
zOT`~gB<$;CWFV$A2JGt<6^1p{<<;ZxJO?-0X*m~Q%<4xXdT1_gA_Ar&?%U5~H;MJh
z$=%2rh!lMW<WcT1;N>78dg^dQ+V@WHAEo%sbDbx5-c`RvtoZ+^Jh551Yc50Ebi6c=
z8u#i`G%DJ=PqbCohbxPE6gGBbC=WWd7jJ7$)%_NE+~MJ<N;#~!GBv5yfUsP94n^D1
zk=zJbPE~r^^V9Iwwyjy^_tO9I%s}oH4#o-OY4}wLakyw?+}ReH{7CM2MSZ26C+&RJ
zBOlE2RQ~z;r;F^E@Veao7rQ6-nY-#<&FD|{R28d{R*x^X@h3lo*0@~v&KWqV2NYJy
z^jd_JL~FJ_3vsz!sMBIvrm{X;96c51%OB+;aS^Z%_{VVP`ddc2kA<z7fJgVPUl0xT
z;_H6olv=X5bJiOM9!(&V{90K#Rkb<y%@b-g|8`Z=)U5c!y_}mtq6E75&*~M|8y9u%
ztNDFyqcr2pdZ&<Z>5Tmzq(f_sss=Ajg|rCO?o-0A%Rrv!!3p)PJLA7A#9ob`tV=5@
zQv<2?m)!yVAHEFru17?x!hSR+LuH?OHtJ#pmXV{&Z1&@a?2o^W7T&6KO70E13gFT3
zic{>b;u6`b`tPu`<kcCyzRmXC_DsfRPH2qyV!zX7^0!_g{zW1CFwd<13}_73qggG;
zp`4md-x>+9R4^LW3Z%MuTLJ%iJA-hq$V+*yXNb>uM+h{QQh}-b<6;zEZB7n9fA%Wd
zXIU9D>8tgNcY_{#>GpXX)(nzqmE;_B`VK@HqBV4~qn15Fn!;R0L=5#v8^66DzOet0
z%@$B$I3XY+-fL56h_jt94sh`F@kxpKzW4}eW(taEU$@;=Pqqq2g8PvnLsss0UFNgY
zi>S#Ad7ieT<m?!(w$}%MVc2QvjroTSP8n{|<bKsfnPK%KrZud;3MLAH2Ps#DZcSB1
zcMAwc3qKj_dhm#qt<FAzZ6N8sO-VoqKs&CfUGSP_s5vXzD0VAau~0n2x@b&Eb)qY~
z0#=kE+~8E|@I|<xHnrc9B(?tqZR&yNo$kt!JC4drJWw@>k(Z>*<^5es8~UsNhqpHm
zgz|g;hsRQ=P^o0EgzWpiC4_91eJ5mJvKz|~k%%PwmSo@eeM`u`8w`f*#@NR&gL!T(
z@6YG`{XM_$AI~3;Kg!%=?m72$&biKYuIqJPuioLdYdyUnT}N>V^2`A9za=UVZA)H1
zL}j(b#8!leKerAA4<c737FkjF2J7*E5Ndn<$Wws+-{U)jT<W%>j<NSmBhOjXSP2{i
z-LvfNS<A~w%a%UdjXL;tnLBLwi$n|NVZfytuCFKk@|EDhi%{_J<bti&IsIJk;2v)d
zn`pi^VJn!J#_W^RS7%+9;6{CK!4GknQAX~UrJD5_nrI6EH4Y#Vt$bd>WrQsI_zT-l
zssI>YIRJtZ;4M(vOkcAM5Y#=&3_vX#Z#tt;J8$(k`#z<o;+a3?@d9Y8=)XNCmS=p^
z{*iHMyr&?rl1_?d<JJ`!)Nrryn8Tix2HkR_F8c1HF%Q2yosV;NoB0jaqu(R=)ItGV
zelbXueO75yXMCtqtLoX<kY>T=O6r;80G1AqgFx?8{Pmm12Vlbb4fD)I+Fka?2W*)T
zt?W`tJm<|nP8?90U2Ysg!-7OJaGB`<>fXcqcw`Pbgbsp-O|5!<>A=py15u>^WReAd
zT;J$b>5E4xt^*nTgA(D>H4u1}@7c-q`qM-4^-$@PyH(b^jb7V@#>~dHiW@h7@uwBy
z@$kQAi>#D5nGyw0Ryt|15tzojr>PnFs-&?7Frj8=$cBbL)aB;)@wny=<n!x2x2aqk
z^6|2PO??zd8(^2^m#mDamN*fW*o#|DJ}i1C40`zj#&?_i;_|}&_2SSb^6gfw;M{v4
zA!(0>;)8lD$>iyE_mWkRNaDSVtxx7RSbWC`=7$*5V!bzrP00c*y$T%_3d2DncmLP{
zP#c&{XU|2C!^w+)ossB)Rt@K)1%WGp|G~VNhkzzS73jS=1lS&l?S7|t&nQ9>$Uy3g
zo<$Fx9|^AqPU;!;iprggmqcb!sEGthoj4O~X&w8h<TGS@ZsfOdhL&uId%6GS<wA9d
ziN{erf(^Z$x0z5!`L$lFW{iUZuoF)w(sMGdL!|gf!*+G%O?Eaz%Mfw~dE~Tvsefcd
zoe`Z`_TAd|xA2n)Os$?4gbO?wzcC&1m{3PwI<{Vp2APx#nxrl7alIw#OqweFEdD!T
zMZThYjOF*T;Ky7Ih&u$1b%u`WPCmPJkx>beC~)qy>xWC)$jqq%yIfP%BABff>9PTU
zw*I|7xd#^;4IC@JOl1e%3UoN4YX<h+D9=j;Kn3XHZy%S(g;#n8FJ_}UirZH-w*1ab
zk>SKMBp3;r_%`>@Te=>DrF<IN!4SHlly~N29SaAE@SyZCuMXP<G9F82H@hvP+xIO%
zjfGIHo*%0NmG?U`g#S}o0xGIfI}HXU&6tu58lCfb+hLxdYDw`1PSCpza-2S3hL)F^
zvkXP~A25Q~GD2+thL7T9|FDM#GFAx%7i+VxwRpVU@U`G4D(QcnzHFX=y4Dc=$eg)n
zZJUg2OPPVr9*VeUJMx`MtrwGzy}sbek97s0fcAiL12z9ki6)e`oqn_L8#~b!h6Gr1
ztyhL!;uFFzL8)fN)bl_EeEM!azra$fv+qvD6-pqhHb3;8j3RZR2%z5N<TV*9C~=P%
zaMqvDnT;oY*ab^p1Z-zMA?qkfTs0_jq+3e{EK7Iuujo@y;UnC2&|T>rqJTn?rl+Jp
zjdW;KN5K|`x08JWVK$N9<R%Zj>86#Aa?^spzpL}aPiW+(Og!3HozhcJhF>Qso%%EX
zh1TrohCcsK75qa$@Jf*}cn_ovu<V!7&A)7TWa)lmCn;mry0S_NfByT!c{5pHyE@JU
zI^@TnWPdO~7Se1S72t8^N#!(33xak*WR=6n0_x5-4&@%C{JeS_9{MNHJ6Cf`uXcdR
zv!uH5(Yf~V{yZ(p<~t{zG(DHVkN|{60uK*H2XD*DwJc%XmQ_WW;mb5^jE~1(hR$Uc
z4Dc5*5-h!HLf)CIROK#4vSG)jWGZ|rOZ-(L!8tMjwSBKgPj`1F5cn@r0aSMoN-o1q
z{p^pKTFZ*+G7L>L)TH^ruQR;2+$}`(%fFx3&JTW0I|dJD8RLD$CVT>ST?K_gYp8-&
zhRU^?6{a=<3psK^XLennk}isN>D&!ld$o=D>rZE^KGbr(XrkX^w_O`CMy$UhM-SZ$
zI(+O_r?v7W4PldA6=`E2M)j=+VZ2AZ-kbS)+{M<5J;*$b;gYxf1KJZQ@l#IfS#AmZ
zN#m|M2$dKkNbSmRM1TexpfWt9H7*Exc|P8iLaL2l(BlE{B#*?)Yo|;ri)t5r8U8uC
zd@dx<c+1Nz+eYupZf0ucg;rp@V2}e6p;CzoaC~t6CTMj<EfP2focRR>6h{e6r31O|
z(}z|@4)?Y_oS`yJmff?)t0NBRz=l&$oR#aAgi^7ihrLs^hu<^_jlOBB2}YG0eHLk1
zeJO@G)e<O@;B|k~7xEkT@x%kfL61kbaN5+2Z@Npo=1di%c_v)>Y3*7oMmzwCyaT%U
zyVC;>f&nO$YQhI);kn6ATuldjy9ujF)L7>6bNwjuF0KQhzWQmp(mRxmZK7_XNS!!<
zaq$@s5avAvB08Ial)6g0csge!9LMW0QyYspIDQz6%gSOmLNEhC5+;kNRi!el%RC1-
zvImHwOTG}H1+h4PcZq<uZ#dv>7?-{W-#})kxuTzv=l#fQC{3={wPY`JSAo6myzqNJ
z_GuHO>#yDG@)_%<fURH!PUBQ8pnf@X;jMz^yZ<~#Cy+}@`Z<Iy>!Q!$9}tN#_CpB*
zx<oa^BwbO187;U|k8{6nGgBL;sZ}*v>+dH6qMe#+5_|zbNsbu&1R{ERw4dE^*6mB@
zvlIi?DcN9LvT!oPax!qr450(iV@o^|0W?`3UoMaX^}&Yc!VD?TvtF;8U!Ko4CUMZM
z{qMxaC=?aII&Vkltj0rpYnf5vQN7eLP&6vl=^K4y2IT#9xu^aeGio$=>V)&`RF10U
znBXwNntFB5`h0-R_&R0F(S=i_6Qm^mLn*KFcYq{iSG1CW&*DLq1C|TG+{*SXRs+kE
z2f(Bud=53M<r1(j4$!%5hYBzbuJ6J60=UGcHrh+vtd%vCmja65sOayz-&Cy?ZypGq
zhp()&m==J`YP|>GGCSeu?HQcX2h_(sy;3g$qUY%MFm>jC4P`vvZ$LSOS$s$fzKytI
zLl8)v{{vabVQ`ZgkE3_;ZmEwSfZysJUw$=oo*Es3+7k!Run@NH?$dz6y<dDUk-P**
z+w}HD1q_f}Z2OWTbWh~wzYKA4heUW5^vxM4L47U(gx`eKhy!HaY|H*9S-}&aUb}wr
zY6wtrx!~9T{|0Wl-O4iKMnK$-0{!il3|!E^(q~uZDIDwZf){|&qKrw!E9>bG36a-k
z{%3;dUu}^w5BVQilYcdYl$!ql@-##GPdfulfO6@%sRDQm$v?2I*$pN9uWbnGyz)Q6
zE}(ShQPMkCfSSrB47I?^|G5(<I0{a71eyJ|@@HPz{{is&mklnyr^5UX3=>ESAa;3p
zyO`*F99Z}L|M}>)Zg|eaL)By1sx+Y!vMVEjt!DbMu$bwC1i9sj?QHiL`4SCa-q{QU
zj!m?cV8j&GKTA2*_cQFKWjd8QF6um2B@h9mJM1K_$&gi%4*g5b2WmB8n%Xhbi(`nf
zdXy>KWOCYSee*zcaPm<4Q`1F(4Oo5Egw^!u=hsD@d;V`7sw*(F*_~)QL{`~BRjlYN
zonIKL$H0k$Cj6nP;Idl{)~3sB-^PIP1e@AT{T!Dryh*nqWOfq?#hBhH4G3u(O}aQJ
zHJ`A}#N#B=Gzuo}FLw0xqx!EZ<6{7%`6KUhz`{lA{PzBbpA$l=9q2B7UOv&PlV#13
zc;#M-9%Z}>lLOfs$8pdq=AWzFe0balt(O6mUCQ#F(>eC+vk_Q}Li(2$1Tr}09~e*u
z3TosHiieTJ0!YRdi{L8afLUswxOTBJu)jlK>2$*VQXoN~gQm!mA7KmC6}(a!ppe4%
zXEcIt;+x8|0Sz%FT|Ts5)Qgt`_*rkSUj^}BJF$_mWPTD4RD^QBcKgjKDdk3jYRzOo
zDbxTE^JVho&=G7?_RzFQOR@zh<!$u$r_xtJ0Q0;M_g@I@Qvk1<@J*Fh-TQlvA@oN6
zv}JpgQ{;`ti|<078Kg&n5AzAQV=~`{_UUorTk5_1ks^EOQkK3`zqdQGr+YaF=0P9d
z(3r_Z9H7yu4(!L@EeORd6YMLD_)IfKEGt4~E>vBEk|J|pa!LH%7#q~Jx(LMmUPP2)
zWTgtF9jMST`Awt@t%fIcNyOMq1UptZHd<x1JG{wg|G0dRY1_P6q^l7)SGyyHayKA~
z8bnC+R$q#RZdi*c<N>2YJ6VC)jv!D{0AgWfYh_fRoO5uwiV-sR^}rh-fNZgzt!IDF
zEe9&JJHT`9TF`7nI<KJ<M+?)n)1xiN6(qv_Z(NBm+Bfk0YStm%4kJZ1?40bpUC<Ng
z$56q<_HCl~Zrh#e8lp((<8^P*BJK5|h@&MBn)*&^P_K7}2ZN#Fc)7YY9*<LeeEcek
z>{QqZ;V4@90@99P`LB8-VBoa{=6Hu9-?)WbLlb!11GpIN(M4_5FKG^acS|PYfwP=3
z*6ttD$4{pNUoG94=AxL3e895NYgSH2AKLq-CM!L&^FDxnb^c);`mT8JNozr9(+kni
z)V3j>k@^$8i*XxgsG(Q=OG*MPx1YEejVnA*xcuN0fT;!-*E>)d_SSE}uDd_`rqj?U
zx^xr!yc#KQuOUkB-Mr*)nL74)qAD_jK6}5A!KBvEYu0*Ic*>b#+Lna@kB8`*QDHS{
ztj^rEO$_biBMpqcA2D93tT_PJOS>Xr39`GSuuN=n8a<eOt<^S{V?s|ftiEPT)!VLp
zc{~8REj9y{MP2P3|1epcqmPaqWe!75EtE8HIQ4o-h*kh1nh#p=O0oN5J&19k%3>fQ
zILmP~2>wROL)iHr60Cw}7h8Q}6qyLr1!pSTpQ6`{c)tkgc0Mx>E|j(T@xl24N1RV^
zBiPISXAT+o4o93_AV31Xc_l}FvT$5SDu3E7(ju|*3lKb2mE@a!F)Y3qszNFt4*~{{
z?XfjtBQUesaKJp<bd*f7{cfR}w9pE1x+Q3n_YqV}N6&cEv(%k4Bx<l=uFs9$?Qpj)
zs)H`qF0jD^P_|bZQx%tLnoYR!4NzW>Qv#4t)zflRP3+w}+80}k8gw0Q*ei%e0no(Y
zQad>weA7^1&>-&S(}7?a1%?WJqmRG8L%lWwPUgTC^7&`9dVj#jpH=S`EzXqWr9EF#
zFcGgAy)9S?(mib+>u&WFj9Suqe8P7Pz~2}x5}R^vk`|^tYMS=QAz_yy>$fBRFUqQK
z#HMc;hfrQ}6=M0&UGezU9nG`K>Nf0ih0%N!vw{H~y4L{LIfGxC6{wJ~E_zO>Fbz1K
zuwvQ$B_syi`hY-YR8^DeM!`ZJ^$(05^af9lSZ=0Whi@5!)m7%az+ATHJNa8M_BFTA
zlD5UAW7@Qy^oc`nljx0%&>}IEgxE>}_GXLSs(f-zT)gGMV)%jD3see#>xcLQNC&(U
z*EGp#ok%jWqEOIe7Vm}D4NogOjmd(DZ-PacB?Uxfn9MjW4`RD`Pr~8d!o`GDW3FzO
zY=>S2Iapf_%2Pr7u=7jC1wiWr<a42;C@7-@%J`WsuxyeU-}H~Kv~Ii#VmAap`D<<=
zB@4r4e4C`)o}tBT(lYriV)unW+BJ-KLDc~BYhQY5V6o@Z2cnNm1bI+pj$Z?Yixuq5
zhYI6S*MV{`v9)Sf``wZ&KJ8|9OVL04Uu(LXL>?<$2~Z6b1n`T`(IAnNqtzimQpO1I
z<Mx-7n1HiVBjT_6@k(6<N_wbfE@B-d5F#t0h^r1p+<cpd8r64g00c1oTK-i~a{S*~
zU@p*FfVrMnZx*kZzGoW7o;{Psz?xB7Wo$-|in#hI>9s*>y4Za-&`VzqFT%>2O5%X3
z`M7umnkKfIXS7!yj~_=*yuZbhFO$W367g7CD7N0I#98mtvkfPwlDEvL;~!)e@~7aT
zBT?_M9EGoo^8u5`YcErwyP}WQ2mwIBm=KsJ0zeaubAmj$t;AQNz6<~-`L2RsD!?hL
zw4R$FyX`9ziS0996R!rsZ)hr9F4OY3jijZT9TEf%97y1ceZ%_rU1<GzZD@gy^um9k
zn}`E$f@@jvpDkDL+TV<_aYQ~~sW$K5pN_f@9q%pbp`*TJmpR@B0c~=aUvfdVin;)D
z#K0JQaY+gJaE$CG^5HX|?ZPVGx0uA<gEbk+%6Z=D`W4d=G97t6PLZ1#S<j6L<Jw&$
z2%Z2EHatg~1kWUOZ|;BhCW(4N=FpY2TE(DLTo7--?=7NAyw&dKJFqA`p_FXJW-d0E
zT|L~JIB^bTte(zO!`m?v-*lKA-ym;W7Jp)GVO2oR2=aIcvgd!(#Fqj943ooc#%^OP
z=s}^?nUcm}%K?Q*g~tfgTX#CYG~b9y{it)tX3opGh`vo;CKbL&bDb;{iN41O8qoA7
zFg@1e><!!+3OlsY0QF_Iw<Ah28;u>_V|(2Gy+8mfFrZBUQ6W`GyrMJiFx^({vs4^r
zXfhirbxHU+-3ei<O2|l2(DsePOD>kgwE5xM7x7BH^~!G(m{PsH*e*?F95Ss!PC<%i
zYpoaTu8Nm=Mbpw-!Hae#$}pQ7dQ2K{T+!@sO84D^O8kRXjSWM3Lm_bYq89&w+JOz1
zu3ao~K;le@1k_lj_)6e%^MQvv$PfoCoQCArTcA*NP~ZOM)ycUKV*hxcs{zFpp_1Wd
zzK5}=>VBT3te}^T+<IwmUh7AJL?+xL_7A{pnf^#q9lcu;YIUhYCy#HPm3Q7g-#-wR
zOqa9=mOzQ;znNa;=uz+rc4Kb;FK0h|p%nydZvGW@D_DUE-DLk&`Taivdj`6H=08Z7
zu=W24jx%Nd5vZ640H6Q8zxe+UTmOy9e*JHK=O5v}Ki37W{sXoAbA_51Xw$!bNaZFD
zkuZ{fT?6qk{O2ity%TWpo&y7(k#;i`HIGK}uZZm-xEq{#<<5eNAL;K8Unc^nMlS#J
zF7F#pkh|rE-S0O)h!6*47$;2A{(3nQ&e}+j%dTPaJN66s{^~;O`t^y#4Ls7&y#8Mv
z=}uF^H}QaaK9u0^8z|Bewm#)naUlEka=qim9Nt)LUdeCo_3$S^_yabxb^Z0GB6s!<
z+2`W_G%QCA&)M|!3K&;Mxh5)I-!J6Y9-c=(<othaPM!g%(OZfXIUEl5T0bFc+FRpv
zJ0xKlA|Zb-`0KM->?=<J<oEg}bmexu?9Unht|oz_%(6~PHh}F;wf7!xmFTage5KUz
zS}oml9m(mj%vvcY?Q2ci&h^;WUMyD;&UKSE;&l#smH4jLS#Pvl@jvZlVT}qPv**sC
zl7)>DK!q}52C+1fbN(DROQv6PAUZUoGznY%w&h#<#N4-JrH{MS8ADndBhK%#r})=G
z?ymT_bSFQaBD)utw(pZYY&ku2r9P^^exxQM7fUK|V_a|vbhO25u)fIM^8Pmd{y9yb
zYA+-2Uwb?ApC-@AnQ&*|mEOKKb0%MpUNKl(!5U|v72=+1&6k$h3uJ=<65JxiyUs@6
zOkV!6eJ;(YG`^||A_?fd!}NZW;hJ>%FSy(VC&tka1g5uG35%7FdjEOS85LZ%@G!K%
z6(}@o$S=RiT%+?J<BvM@YhZZKn)})4)y0;NdGvtLql|;LcHC#8>MZt<k)|o2#5qO&
z6n-<gF&-{HCKxpf<8F+!9kE+IW`kZ$cr;%h($Y7!@~Z=$3e$<X9duL{hp{&Hf}29v
zT22SxnQ1JvU-SzKQ)n}G5e9i{8f4GxzN?p=z)EthUsoA=SGuJ_&89Q+>Dr2_R3a?2
zH#VrJ>=#;f)Zi0i0!N^P#6MpF{q+@~*8T%0Foj=JeG`FKKOs1hVc)l7am;^5K)=+M
z23cUf!=AWtm%voejT4CmSz4tl6fqM?t2-)NSy_oc(j&9CBrc4)cPrh5hMJAWfv~im
z^Q;eRHy%J>njO*_Mhr>(?-?OJ=1%mL>z*!YNJX3X&$3~@6w;77TPmvZklsl%*9X?`
zt>~UT&MV1nd0t{FvYD@=`o6sRxszpT2t9DJjZh6JGyP-y>p6~irBWE-qhh#RaBDXB
z$4;EW=ElB-buV6Vy&-3NMk%I2|1of+1C|-wZsuzKEpYohah_4Uz|H?(!<*%`k>C|U
zlJ{fduOD3-xY(|vK_!_|^|nj3mq#eg-L1_b_%RR7Yuhef>gqx2c4E^o0=Rk$MlILw
zznj8xcN=s|#(DP!_2i0K{mxkUdcA`9$XhX~i_@CqlAGhJiE+xdrR)p~DSjRXNna(X
z^|^B@6lla5SY~y1e!v;dc0ylcMAp0#|2UY9mG{DP0?n5dJ1l>XMRA_@eE5?H-eKFL
z4XPEf8YDL;vXty{agN#mNLQTRJ*{h3C>sDZ0enT{p1*H}q5j>ywH?^)lVHNu{MJL4
zB;HC%$){ZkvdJ3@!oVTJEx`*75>Y{>?*0Ir@hY{j+lG1ic$Z9a561HEglJI2i9|4+
zSZ41G*vS<JiH$&cTj=pk%MA4tiU=Tw6hH=00^owz_1mn#h*)drwfxgTeLs&q{bw2Q
zntU&C3bQ6EYgk_GiwfNmg4L38XM^PciXVQW+Gqf6J3!g{T|B5g6U=zA^^5%?n6Pp^
zwIz%=Q1y?u3^T)YnH2)v_Qq4Ckphai*4uYu?A@_HJznZ0Xwpug6yU$KH@RHV6j>6;
z+q5ry?QZE`&l*spi%T`B0eOu(*DJ#kbAZi5%|eGJxio-?9uaFd1`a*b*0Ikm7BtK1
z`V>~s-=T?T2MU>xB8fScly#Mb5>4pU$v<=PgUE(7*&+!fk+qTHb(ELK`-oKMw``UV
z*dA$GId2e00`yl1JZ|oAAc@%Kmk%8Fek@BCp!(+)f9Beqa^17k^c{tVEbsE@0fh!$
zZoqdfrlLGgd-gIcr^Wro-9_bun$UnA=MIL{RnGbAj!wQZvHjnrf#ZzGtnrs6*vQ<*
zyKj8WkFmM$2%uiW^#`Z>1z*rK6PTXS&XlBh;Yg3K4FRWN^SJ(FjfZajxYYD#csySR
zVs*|0UmURmr={%lZ-xE$6tzCeE|R{%dlFlFC0>v-{QKD7roY;t1%;zQlz<pp8u-JR
z|30VNJ{>M&1=;m{7Z4oecAl(_WXJ|TZ2!M6WRBaQIb${ci%m~-($T`;lW}yea&qYU
zH+K4*!;}5UInAe`S0^>etwsJW1OLZDImQVx7EIZy-{qv%e=5^}ABr3#f1mY){-#9J
zWx-|mHBeCCe?QEBufQqw0Dbk30{@Blj-LPZJO1~@*b#3hiR54=lg=g>Lu`FaW_l)C
z9t><n{+BNnyU@x}+LZG02PlDHLHta%AHJnv{(4^pab%WHBtV-j^b3L(Z~!cIppBk?
z8Jq=J>3`4T4_?`j7+wvpzi>4hH5`#YhcE$t^6KaieN%2Ir3C)(DSro<c&6GJfqP5%
z`;!3&**F5}xMYCZeNY(wNElJ<@Q5WH%xeU-z2uN93u-K>XU^bZf&hHN;%r_R@t&T0
z^^QM0+v>K~6_K6?2iq-~n~3I2q(UU&>V$(>c`jWl<QvI>=G?+OEp9ZLF+6wnm}Q7`
zws*akaGYh@ZAtOwd;fV&v4uPdv6L@<J*<`6B7-`O8slq3Yhx5?UmDxp#pmRa1346q
zYii3T*@ulxw(n39lgmz@x0X#Vu1?0xt#)`TwH|kTI_fSU9cOhjdg%=B3?`vqR_RVx
z!Fl8tDB@NYE&a1e2^=fV#J@82^PPAiqe%(Ygb*!y`U7G=kBm|ej<b<;iQ~^t&<GMv
zs|%~a&<2Orka=3PMTsX3>EvgmMzVB4R+WQax`NP90PGu9!o}iN)z~2=oB1S>`k_aE
z?}<vb-`>}B{*pz_!7P6Xml5>Bl-jkytcFH0Z=^wb;~^)DG<J`FYV{3_8NZ--Z>Dx2
z(f`aZjenTIk>(-ICx2$dbuk=?y=$5Z_F%Ne``rY6HtX<d-+^Ci4A`)2!ejv2i->_X
zkF)B-4;xCXV`d@?(#0m--=nb+ET<{nDE`qK#hJ$`Oyy2kq!o&H3WYWy(z7}hLnWy|
zD^rA9G2N@r($eE9HXRy@1Bp*35VV+M$FkmFD9YZ|p;>oudV&MNGFTCB;AeUZkl==V
zjG2R|0Gf2hF@C4D*mP)_T+-4p&p7Av)J;@lNrPe+EmAxz=Z6EWw~_n1<&-t3y9%7M
z&F;y8!?EOIMdXHsnA6^E3xnW+^a&wMS?4Iji&VqaJ_VCirMUfZuC~Q_hj&s`d2l&v
z{;Kzl*}8*zxtv#Ef)4D4bD5D+gXw;Ba%XdG!K}kE>+qlM9k@949>&kIj6nzy{K*?X
zC*;d>^y=!|9+yannXkF%I~~0ic`i0+Jm+ehiNnw1Jc{&BKc#EZ+@!nS#YdM1u>7V_
zLjquvKv69T*k@~Stlk~LmB~nxdrbYf%b1NxJ|P4M&T@JExJ|zSLnnKZ`K)GSEyM5n
z<1?7@X-&er_~XQTvk!)yh9-rzf#6Yi`hZ5~a22*Dgbc|}r!nkA5+S}iDz_*B=fq-1
z5l-;ds*RVmQ(qn1xBIz9zru-y#^GKmA<3^W5~E;=y6NskL!Y7&^$eG5jvRY8kSm7P
z;?u_~i|;&Sxu-4i&AlK!b;N11r!)1~>WtKbeQqh3pMhiziG!;wY~6jidr<0Bt$0yj
zES5$3v`>?~saT@pIb?J<nb{{fx;GK?UTO;KTBF=6=F9z~TT{U&4SW`~dauV@;E=Ul
z&@{;cCeOZ_lj@6hNIxx<VxC&Tc&-%2ZS6Bg$!?DV-Cdk&*>UzA{$=N|qweqoyEN-$
znY`u>#U>$6!U64@K`$30Y>4Zf!HhZbKGZwkt-jShXJZTL$c4t8@9s~r%<37<$YBPg
z5I=XghYFxjCAECR24)PcY*ODZQ%L#_o^DoIZ69BG7Ad2aEfnqkzPeay9WI<Ps3Ll?
zp?G1RAwQ^Nw#K|9)Mn3hz-t8YGReYE72vlIbI^yY{=~UmvuS9vo6%$j7Oq}zI#lfo
zQL7DaVU+Ue$=gACxVOYH($#}5b(M}H+d}=s$!W9&y2ym%Ot16=5owd=G|*Ek$G*Q0
zB74&i0y_E;?SAlh&`^xgGnMW-BZ%xmt86vPio}@URXI>f5(!?Z<gq0AFy<}&gL@#g
z?QW-9gZLb(-$NusdbcHZNqTML$!Tatv&v7v!zc<rQ4v-_(g<A|eLpeOZ~D>+)+}?A
z3sKAa^%<J7nbp#mi^ZzxXeAnZv96hOF4Bm6zaQwb70WV}y%4>(>nT)`qi!+1-j1Bn
zj%w`7Dyu4vy_G7dkKFmk3{p?#QuaqfU!*o}tkuf&9r=2XjSh;sR%VHy5B*W)z|eqJ
zy=XQ*-5lNiG~}OM6WArVj7aHrU09slM9MdlY}Pn6Y^=PJ`gH?|l9g@#w3F&OMAB#v
zb-eO)8OD~S#SdmBT@cl+B^<tc+X8o}=c$o?IaR}wW&t7P+azbpq9;5GcSuw5>mQDL
z0r!~w;-7BQMV()u5Ai<xf|_~&eW0H0`f|g(Z|t#zcPgc5;y{s(UYeYDl#nMwrbUfq
zWlQWvwJK}`v3wTk{?3io*!@*1d3za{-m28T)_7psw+h)f5D2}|%=HZs4$k!(92c&Q
zN`%4PQnBkX+1-Ppi``yxV;G_+-scT@8f&+&U`GezgEATsw^iWVQiFPx9uu&zC}^=$
zZHwF%Yymi9e8WQIqDsPb$=#NwnBDD@rHFq53gM6EeJ^>i@RVs@3*WSE^Zj$It1M~2
zxB`IDe~{@zK?Uj^ZW;b|ohm=LxiR+YW6}WOx6W#D{Go0hJGbWIpv}n7+=gnT391Xm
z5AKZgU{Vdca^HN-@C)g=P0!9Tz%s~9HqpUFA+|Cv)bwayap7g<{HPX0aOO(2t5+g(
zr1^Wx5tyO0V_6F9c|p!5jV&yxZcw@Mq0S-qoPsqr#B|1wYX+r*UY5}IY&!6#`)NyX
zn$QH3x)!rei-5kYCAVF@Z;K<LSmpYrLA2?Y0OK6t6Mb{&V6Ci@z+?6;I1E?xDH4x|
z`S&YU_ZT`*2PL221j#CgsK$ffaNhedceCj?-{30*I|3iDm7~DH#F6;(Z?{3sKVR9x
z73uMs{MGy)i~;oDezsQ_1ETCPkz4?;gG=+3F!$YNauM1!uM&0wPQfcbTMM#SQ!a;a
zWnAsNHdG%(MWruRO?N3OMMiymttQuLr=t1PneON1?g&)r%B%x%uGez{Y4?wKI}SCo
zFF9d%HoSsR*gQjZOFBKc+=bQ`ErT=zRT+)egTxEEYldtNt1Mppsu>P>4qURvme_?M
zfkyHYKg@cC#Ie)>jbkQEZp~h*SsuCN(HHM0?;tL!PAi+MUXN|?SIKs5)3EmG@qGr5
z8*m9r+N_t_7Rm82N`(febak;tnQU{<b<qI?ELYSsj;D`5#7LNA&+7u-HsU;XNZ{!P
zj0lLF|N7m`c1ELeI5%O2VnA<?+2`P^>nF#`ZhBT*Y7`Z1S=g_?dT;#`;*(<n>SOeC
z-Fu)Q=s}2b*yl0Q4IOTYK-*n<g}6sG8tu@#o|ZOEY(m%yWO7rl3*w9DPkxKJVmNkH
zF<s>@gSrPX1=&X9BMr&ieKugfR!;;$U%LcW1si3m8oRq)1P_3_pGFO4Nmzve#4R!P
z((dnWMI;?A=9DBbmx#gk+gAt40#aA`(_HVfl(?f<Z%8PJFkmb$aWB_JYU-4@T0`&p
zO6;Z~<kZ2Xy)k|g(b!Mx;_W^L`pF8%&AUF1C%#U==m8eMPEo+ST?Lt+zxXwZdX~EF
z2upo~oeQHp&ZDbrm9!)HoDC(&hh#JF%ig+Ct_>rQDyKiX2g<%d)H*C%ULWj$sW)!R
zgu86qAbX7&0i980MGiAl%^%OIRRUB8ERqjYyg{4SUdxNMMB@udBfqF&b_-&Rg-5HK
zHhvbUV@R*dC&TWI%cmdk8JjhTB|dtZW(a!{voqp$hIHNDLIWWNW%ik4(rS*wX=M}?
z_2zd||7XJwx{tVEw;4w1cIm3}!MC4nf*FdR*)!(wntdDNVL7Yu>?8ytZd;Mr@m7L)
z#;pCdh_vH_h3cJn0en+L<5xY9VSK4PsjEt0a*Q_DG%-N7`)p&)>SJ4Sx<j@(h-3Q6
zgi!`jSoE~!L~kYC-H?6SJkDkBk6ljrF;I;Eqi@!C^P5N;PQUquNyDO$+UWHS$`IED
z7SM{)EVnww`|7>~M!THF`%3X*1aO=YBdKnT$U|~L!w>wvYZx`hoX=+9xz1{?<D34T
z&3`)NTX3G4%8Ao9AdJ|d2w!Hmt}AxF(X<a_?>q>|0-|X36r2D`exH?1l7TV+OEOVs
z6U-QZ>NaW33=ZP^ykF+f5@Y1K?T~E%;uuKOW+=HTFmmjk0u?j1imuLr_G_|~p!`ru
zQReY6%`H!N=zJMU?J4W%n#hV#0BNj;xE@Sn&F_x>Yz%KVrof#y6@r~n03;e$M_#3@
zxQ`*$a204s#-Sz5kHKqOgMR<3!gx>+jf~90$oIy<)c5bd74ataAi<}Ei4cFS{MgCd
zrAldg<1$t9!zGhzU7|*18ghH@X%ZQ3R*mLmewt+yc9GQ?UP=0DDE&#-a?>C|+u%{i
z*PFyuI@@I{)UJ_&E4N)Et5&BW1EO$p6@RM|L0p7rXM*dtXr~i0b!B!d+4`89VhRRq
zaT-<D3WEuGes6XFy&s9s6=)<=z&a~jE5Mf(jwTq5I%$BoV_@)O7mU@QAfAdkt{H9C
za68QOegFmKDe3&f7wk!W5%;&=>VCB06z`o%>ebfY>-iol$Glx0p<MoCV`N0HcspXf
zJBGs1cFXu)nN_IbYtDDVam|kJ*SojZjYpJ0*>aou#hbD}!5=H=m3!G85Z6>U!G{Mw
zT*xQ;#=62t=F=cbURTOTX>6g1K}<37n&<m!V|q934Z1710r;^6*My|rhrjSG5J2FS
z+BEoTKpLj=FzOaH^vTc2Ps#x-0XgB!0b$1F+4q^CN(@iLX1Tj#tpO>6>UyQLthA4a
zn&#7rQ4?c}ofwTANfa9GzYtZl+I1>k4p#c%g|9o?3oc&m_o`-dcvCFOS{uQ#;FFf-
zMK(-mahW}_`?PnrAlOzG_w2avE1!Ay9rsRXRk60m$GuB1uovR{x4q@MQ$I<oV!J7^
zOXxOaFSQ{;bR2OXZe>)7P+XCM96+RJab??x9;d1Pd-qsCpn!Oi)L4BYS+T2UGlQoy
zhTu@y`+vC_K>>(IR@<&A`<}|6)si53uMM5Qk7>#juxd9!@lDeh(mV#9ruD}n)^l3W
zh;<rxLjGRA^bYC((bAyiwwVZ834X%8`!VgR;q^ystV>MQ&#%8sEj45jQyz9G0wXLY
zT}+tpDpFFHK6idnMnzLZm6K7bEnV_kkvdL$a=rMYeHY)LQ?WUVOTmlDJMc_i_)+z8
zFg(9m@ssu`XVxmqEp3zf^q!Vn0ef9Uhhl{1_2??eyr`c<n@;*V_kChZwX0D($n|b`
zv8>{0+6#u44g@0xr#?T1zvtVivxTUJ(`_Cr6-vr4B7YSbWUQFBO&^fIiEdxePzEuO
zIc0}7Ec$GnF1jpxh)B#aNMD{&C3o7Hn_cX0pT+Et&$b^thBUu02nTzTJH<8d(r?!x
zPy2C1o9zp)>ZQ#h=lN*oBvd@VQ8rc4?;>wyNgiG=eK|KMgwcpPXm$_rce0Qc4;=u_
zm9z>So$jBN70R9(+Z;bX6}`G0K7TCx%le@dfDWVd$?SSiIyPpM;nrnz5yMIM`XFx4
zNu@>b19A4NqWfElc!Tku3fEaoKq8c48TCYBcn}AX3<I21C{v*L9V`9zn%(aOEaAeq
z2ZcGtSb+hDHGB}L6$v~q!ql4XQk~a%zoQ9A=5Ny;!~{N6CBYzLYM14l?fUG30x-yr
zF)gWnEI(n-YPpXHOb2%9_h%?ty-cJS6pMo%XyYe@ZQa!EozHsstHE9V1PL)M(uWnJ
zL@kHp*^npdc(_iSAExEZ3gUr*?^Ri0Xj<p1f2hwdgo!#c4Mc;OAIC)c{FIawPs(l1
z60KhOhV9F9d3=`nL@nF=9KJLE(2B{A#~x^>ZfLtCMJw(1VWoz>r5P{2!6(2OdhWYJ
zDM2X1lzBVvJ;9sG!W~?O_Sm%?0quI>v=Jl9<;#XG6avj(RqZ6lT%5A9_{q76>kIn#
zsh3}1?cDl^eU7NikCUmMZv7~6ui~mw`)H4>qC+7icP3^Pe|mE#>zpn<hxq}FE|@97
z(!&G|`wkEEq5MP+6wO58AshqRT8k)~xKY!M&CV2`XrRrUHjfzOD8S~Ik{0;!#+Nhf
z>W*x=NcqkhCU>Uj*MIoxEwX)AGL=*8!|BAf`bKj_P2oz@K>_q(+USc=dj^zLOsAsj
zUMIU{p4D2xr*d+6<c+er@5$jWnQ~BP`p3)uKDkzu_v&>NVW6Fqj0&{qz_B?AAWKa-
z%5b^}F~@{H{#fJA{oLA+Jxu(0>;6jIN5%Q&SH*-pZ6*s6d#E2i^F_RIPKaq3q97gJ
z2?ktKh`KMI@ZR`n&Ea=pz$L(f2cBR|y=+C*@xADlSlbGBO+S+Tyrz9;mpVmUqyua*
ztB*HveV)C3<xciZ#brBf@p~6;^`^K4@K9TiwP~%^XW!(I5KiOzl2TkDc5Z1>(aJ(O
zi@pawm_(+~xY*m#khu2Tc#J((cC2RbO;-2=EUdAG{Bh?MtjEw`G2Wm?kFvyEI<rA9
zr4M#x6Hd9OUY(PM7PMZE*f~j^w!{gXL=HJf!ZQ!kxElRJ70YX&8q?BI@>}tZq4eRa
z<VAukmZ;Uax&4D?uHpTkyly5=^jlh~?hpyIJ&P5owVqyeLxVeH;<lVqv5Fn(W5B+m
zZDI`&!_CQPPLx6KLu(oze_uAvCOPz_K_NhbXKm9j(pBnu>%1N>i(Z=2o*Z*m(uM9X
z{m%DB$8sJRTu)k60a3W(gm*M^iyBtZ?j5Wog)81){Jc54{7tA#ECFu9&!nlbj(m6$
zL|$9jp`ln>!zVIdmy@ntHEJ3Z!yBR%i0L5yjC!r`oeh+YF>`sUd4u1Y3EwkovMo>h
zj=*cmJEJm!+z;bcQV+H-@S$!Sw{l$%Hiv0DcoKhk!p5+1K+}<IE|_+>PAbNZH{s5T
zH+gEW)+d!akx&h&T@m|W6Vu2UR|W4$Lx&wmob0=`;R8aRhfPJbt|rCG3^CxzeEz0T
zZ6qz^lU!HCk;m9zu}p6cM|lyoRGT}8$)SB`pWPcMrV#c*q1S0y*RBC-mr;|>8;c8X
z1~+G-OAAX3H>){Quh}>{q%)0RkHA~?oQQFn-fz>%iD~wQ=!VeHMcQ!tF)ky!-jA3P
zBx`rIpoPkQ6|91bjp6C3rTF2YTDx?)beV~`-NS7P``%DJb$O{lB6pvtxua|1D0{W9
zubxX^JAIYf5ZYx+KR5Fv8R=skr*yNIGIP<Z8gIT%#>(k_0MTFRCke~7Lbp+pdEpy<
zN-{~JrmnaLTUo8Dmzratq97)G^W$l@c>|(+k@<;B^i!wYc=`D_cOL!=ixYwDWcCx#
zjrmVkf>W<6GB!5H(1%MEJ}jqAUqa!3l2CVax)2ghe_E&O(d!~+8P`j4JFYzL4R%au
zXkYAtGQ480@N?b=_WTM7s1{^hzqlf&Ukk269kjuem}&laa&&OdPEabUjW6m)`o;~>
zcaACdP)@TZ?^2`(jiv)voJ%%cF2%i%nVYD$q|z<s6f1D6T!RQ^kEY)jTR8#eoNiLz
zr<$(+a3kHWrtIL67a}DQwl26-$oXg^X?qp(;>1w>z^wa=UzDPd`aa6OTk&|7m(IsW
zjFF>`W6yu|qgh#o6+w8jeY13_q_xCG=$Wd^uox#=;yDf>`N(`KrEIg$;xyL-3^z@6
zM>%cMXqiNk+eoYXd#0cbO*U-?=En3{KF%H8w;EJSMw7Oa3wCsEczf~f*YEg_%EE$o
zI`8O9-QTq*Xmt%5n5&5gWy3*d`w%cD41z9E0}dpasNps}&pHmo55!v;PIE@p&ypc8
zFrH_bI1da%^xv>5!02<uhyzOixoE3A?s==i+&;dHn6<@4EOlFf_RbH|jeaQd^Nq|P
zJL5a0H&dRpJ;oXn(tVBP`;PC!)cUf!+fU-%t0yfI%;;y*GWTrO-2~qD9Bf5hCCTOk
z7e7nYlkub@oE={YX?DSVV|Za6C#Ao+Zly0Qw}mU~LuwxDNzc*0m{K0ycd#S#;TtSr
zWNdROO?j5;ZC7mDQW)m0*L#zuVj^c9CL`S-;H?%psAmClo7Qz@u8hh8+njMk9k#^5
z!F$$NJw)b5`KFh9x4U+aoep`YO5))A3gqfma&cx{4iF{2EdN5mc$6sGGAbt;p~Bcz
z@d2E;s(3ooQX%D#%-`e}6)jXg$<}g6sT_4{Iz%4&Gii~sZi|mdl=-wDby`*BxIIiG
z{URr=Ur-YJLsW0Sbfr&7(vrODB%{h$@2r?X?DwqLPF4nKB*wH#qgisKRcOfKw{gPR
z>9mSx&oh2U4S(tnIamI;C#&b5t;r5&W>t^bH&*7=FU@$haq>UR2~yPFu_fWCdab}W
z$r47Gc97s0upQCHO2sq2NGVygY*=+|-;js^x*zZG^$hA@OT%-VR!%c&%f9Q@rzncP
zL-e#xWY5mm;7DxWZK%AXv|rvwviTFg&`Xt7U{P>vv1MG6&^kMw8yR?Xh#1~?5Upua
zba4$s6)i_>^o`0m8GB1SV-b2OtM<q8bCHAZ=Z~pPOp0RUYcTYSD0yo?K05=i@<JH1
z_)T%;%6^AqEl96jiMpy?no5$+#wbEKN*vO>+qH5GjQUSM+_Q)IV#|#$D=7$cWg2#Q
z$3YQg-c8H?)ELvRbQ}lNaXU>fYNpBZaA#uUVyWRH$t>aYI+3C^dYIkAinq9{XGgC9
zzf{~UW%DC@xq78+l|CQFugdUh+FAlwmS=$djVg0MU7z}yKL(d3Wt2u(y<yKPP#pW6
zj&<JUhp?4h%%3Weedxdw;dGET9w*hwF8&iyo+`qhg`ab&8uc-b7or+L1vf=vRui-q
zKuMJI;^xk5h`!sIeMM`J2X!t^mZ$veR(d=gf*n#1&=oS(^_)8{8P^`UbnAMWB>FW$
zDfq;DX3^cK)>zIejcleBK`%6jDI_QwaWXfLv*SEGsNkbqL|-myvJ5(jK9%hO43AV~
zVBC>lYe{l{)mYs7oIAhb*r_1Bt`KHZ8EI~Q(NBEMDxMh|wBYJv+FxYMzb>pcif~ik
zw&83U_qop4bvTWvc1a(;4}Wsn4`DyH66ZcuI^Lh`LR^!Mzz{?UqHWgSKs8&d*{M=7
z(=AL&FCoVI+^(ltC2<akUwv9|ZY@pH)qd7>U3_7uNzsQ+8Gdgq4UU6{r86u)neR#3
zE*{&+#Rp6K&!|Zz+m*Lam)oS*oZG&q+#0eAxI_nmB1yu4Rl?LJCo#N6&p%^4KBKDc
zHx3A-23Wf$4K(p%Kalb%AAuX&1KW!wam@y8j0N0}h|)%AC;ZlVXF+hPAPtWAiR3)~
ze3k=Q#l&MLW$nBii=4frR|LKs;Tcw)<>_y7%wO6)bzzT7QL3>^wGm|mhW7mNPc9)7
zOg30Q=Xv}vFC*Yvyib;^<cb?Kmeer-@yd5NSnQ)q+GS1_gzSb&FV(o791;B#PAHOU
z5BWLWDCj=U+kQZ79N|sBpIf5Wb+BE?Fj8UEvRngJf1&LYGHP7oaNJU<ahANa;=O|i
z;WF@V^%C3P*<4-Ey0Gm!G3j!aG`3YKT4mo`x$=##W}3gd`S9${>K(sOoAt+E0BgqA
z$M^(&pEGzz>)j;cPd&`E5XDfVF}RXcNW_%P6fPJwF>Q04{bp4?&G>B``IEncxt}Qj
zvf6@;U58_#5MK<mX%BKVzTSTsLpt9DEy<~YW1Yd+AoU#Xv5Se@ue?u>T~?2ITg)81
zV*c#;zkjZ{PPcZ*=6m?jidS#Vn2^1+>&JW)%^eMB(b;p*4>DuGw>UmkH-gH@JR<5V
zG}S6zB+O}i=<><>X@7FgSQh1vG4omv+l}&K?%mD_FLVCrvd262#_K8w>0EyH+$8(^
z2Q8WXBzApoohT%IbT^S!b7%KftF-)^ixGB>WlWOr$VkE0Hm*$QJR$T6$7|yfAIy26
zgEuJ7M$k+9K1<IosYH?%$0S+qf3%LXB^5ZC7&WtSQgVM{0A1O@%xq0k`Z0oxl+jUA
zJkqI?dO-tX@w(;UuP6;{x^VohLUQHmIF-EAmMwkPEu@khtP@%NF;1;#P6rZ1(1!Lg
z*TV)**ijWAt-7l_(nn4g?W_jF);{iRmUWyDW-mwmYWsF=(dylml_>$J^jyKp`a$dg
zvLBA7>;B<$6{Jog=3}sm(zu+y+;zS60NVmtZ(8T>-eWkcTZiK`q@_*^q>o}o({ao2
z1b@Vv`vK(Xe$PKPu;EFtK;*xncb0QT#Y-ljX%q%hn!hn^pr5){Im07j`@>DdtdkZ*
z*4VZhChPkHSH(WW8|T1PW7?Rw=UI5M!mnRy@kAqX!TM)zXQDkXFOn%UG=TsP_ZyW<
z!mD-n?^?{Onp8|*i%q2kcv%GN(k_wN>bE_=ht51u-QSzGzuRxHk<>*|uj`iUPBW~R
zg*$fNbI^0rNv3hJ)(iWQ@GRe3%>VjG;$2{CFnO;<5E4FS)nNR+X4I?7XlooSc45LD
zDg7K5&h<&^o>;}iL&EB;iQa5p&uO6ZV20Cgyc$bTKlX>DkkM`p#o|#c{*d$pcVx5l
zv45}7a5)0?bRFV93m<%Ii=+`VrL&bTUA9FGOeAJdb~%x#a}##o@r(J<j65<gPxLDh
zW{J~?>aN5bPPkEzrul@|rSfW1vD{SFcIp!*M|*E=>O7~6bF5OohDp*2wWt*@rcj0#
zx!>FU(~E^oqwUEGRUvh0mg>ed0}1+POO%zk$$h6HmM}{QD2;JK&$n_&?~KC)PZCGJ
zqkvmKh~Zu$nQvbxSU)9y{>W49kXjvNw*oGa(ra3fpwwshdoCu&JT>*PGNMlbeedh%
zL9x%Bx_D_f0w_9&@5h?*#Ezk7)W(c1WNJn)uHX6EJXpB=#Z-fiXVmYRv=W)PNGyhy
z+>nVb{*`Jf)xJQGBl|3UxU2uDN4Z<4pC0<Y@y@f+%W-_y7&e}*x2>}f>D7H`rUm?&
z!IaB{-^lyohJyZrsuv|tpsPGk{0;<Gs&Cvn>xug~QC5g|VHgi47|E*`eR56v;|XvT
zn*W~dzHNVAy_R&>&!WW-sUCBK#er2_39hCM7cFaixe%HM&nEozxU=cvzm@B4!{n&V
zkxuLe1LiDK_1MHDyEv_$K@8&9-s=7JxB(7^%%8_aIh36vMLO{b2yvm3)gMe#<!ED8
zY&B-YWy(jHwaB~Dg4G-=#O7}s6@T)1Zoke+)X|b43+@Kt46jm4m^j-yR%f$`cqX3p
zd}(8<8$H`8@!BUh#mQA_X7Ck9Ts)%2oq5IPNRBJg7bM|cSaD>XQE@WmPjKYfyl<ic
zIf%l&UuS3zAl#v3fP9LnQv{X38~=DUtl8gQIltg+@YUj(^e)Mzp($@`CQ4wIeJ>sO
znfYd5FPWlsA1dY9Jnij|f8>Nitq-0m;E)H>Qu~BFkktK#^el4nXhLWI7a|`X_`kb@
zcjedpTfIvM)H3DMk1aBM&M(w*g4Hu$Q?G6Mda17i>6^D^sT~TJQ<rO40%+6^2f7!e
zaXC5ZM+?$?r%uh=MA;19cqVv76wT3uJ15_Fd>GWWeNV<+mX8C-HGbV6ltPZ!6wp6N
zRKHdK7qbEi*f;&>uDAx1#Iq*IzPbu-V9#xP`(&|2`V{VeES+{11=;Azfy91n#!Ud%
z-n3w9vT<FW%_(P7VcjNdzXKf~*Q3ptb)*i1>NZ60V^b3$4+~@+{W_guS(tc7i|tPv
zF8?oW0Ll^bq9iKn$Irh-eQbtoaI3W(*x^huIRqpoM!yprhfB^!zF_n?VuN)~8{bRq
zw#FVh(I3Sh$nqzRDZ(%@WmBnZCB^0TS0exfT5S^xkGdt+oBj!u&4(M<F2QXaK+fu<
zMNb##(odEjE$S=HM3=LOCc@b64P&o=Y`Nl3aQjz-&+U`?INWn3^AY;@69E4@)BhPZ
z-6W=Z+9m|2r?}387+em{0>e#|{wG6MM>s*z%FTML{O|tFa$m{()xE#&CPMz(Mfk@P
zmU8?_`~B+H&n0iqer0!9m;-HorFOUi)qo7831D33M&|S@am$IPw|D~oX4!!!6n`H#
zkr=f#dnvR%d3|BaYoZonSUf`(+J#*&ssYjv!XgAHuYG6FvGL(Z!-xv=>Z;rtlvT)z
z>-x;0KbTe``DX;ST(r?UVJny$Y$y2>#`y%h+eGLyvj3CT=jmQF|A7yqG-;?GR$@K}
z=SYFvw$Is1vw+;{!GhvxP9jKKmH$|II}NnL2a!K$h02W9YG3#K8qga+uJ_w|DMaV}
zuWuz)@5z1#@8n>C5PF(flJoI|PJQP3{&6M$OY)RgCS0P&uqn@b&2(?D)JmnM>R{uP
z_OwAsJl|fs`8er8xmKT_$l-D&u(}N-8@wS!((2m!r-M21B=rBJ!YmWux;rwzzcygD
z447NLY=5mM<{|>5;qBrmk!W=xrxq7~)q0=}%r%f0PLXEFF*~L%Fnzcnr^)pkE&2>`
z^E{jAs@-^=O?1|Sx!9G8!&*tcYFE1*v;clGC(s`9K9b6eT-uxiQt`1!^0=yaB5OkF
zV^LFeW^)r!kvj`A?O+HVW9TRF5mfh{7v8fHspf$?kNybkqC}UaNlIs%{Gw6oC`rUF
z{+ZH@3Vv-Sf2Y32YMf-$l&+P}^CDrk2@L7Ry<>L>B(KX|in4Hn!!mkMU$*`O+*Pva
zVr8+a5v{V5gC5rAw7LF97HoyqV=r)mS^@udKu)0hEe1}vIN<k9we29F0C4^@FHl%9
zYHgEx48&zrgfXiDA1A5Ee;Bl}lI0so4oRd3V%ml@%p}VlE1Km?O9-Eb7a!X*qcThM
zkZ(VEvAXu)^{F`zUB34?DBSoenpUps9kY6mo>y5EFH}=u^2ac)SV-7D2dOOA8Bv~-
zu6MrbUptnh$&rHc*?j?QvfwU&XlY@Q_e(Zw7?7`8^ci99Znir3Ws<a<Pw`%j(yG;Q
z+=qwdQ)HAo>aUS`tA3<l1Qf=Yo0`)rS-X^GHmvVjgzAu6f+A89x~eAXMj)4+2KOcc
z;spC`nuPZxiu^~Xy>s1Ub(_=N5t}WN=@PLM#`IMC(^4d$hxlIc_*@G9`vP;me<Gut
zfBgErudT4zgB@oHBIgedWXzmU&3UCX%Er$$(I1KO-_GA4I=L74lI*emDG!sg&O7(C
zZl!#!vLHVjvco1~?SSZ^HZ}HKr5~;7l=GwJwSk&eS4d#hl)<Q-&IwJav32M@F>SI!
zwuWAhJno78p9(Sn)#zcRsM&>(g3n&gzY=$pjdA<b(dme_>hEcRuJkO}!iw!G;;2~n
z+Obt$E%9DqiKWSUBX!)=iukX1_B?T?yAsD)8@b%84@sIb4o~xH+4X(>!JH}8^%Tr$
zA-*J*=Ox7D{=_7$iE0r3#KZ#@H}F<K7-IN(wFLWPUt7okfzS>1XP-s<JaWlnbgPa~
z2dAN28`UB4y!ZAmZ8?OPWWU-x)N^dFxnFc9*(lj-K;Rt_i}Ug6t@o=U8>{t&qukBU
zt~Dv-o<zLM>{6}Xn!EyXmip}?ePcn*v9JGnDNy10G_-^g?$BHc$!h(7ID7MWDEI&W
ze~2WNqD@)Kl9VNBvkY30$W%&p%9aKr`!+-Av>{uzFjFFlv73pEA!TVWS(>pgSq5Vt
zW0*1gu0iLV_xYUn=li++=D&u_HLvTsUa!~l{(L+hSEs1`=iuFp8~t*;#|TtWuan%#
zCleibGtbqLwib4=m8$9iQWw&&ZHr>nPo}xpwO3VL@!<;P6{`INX8xlzkDwT`K-7r#
zua@4ed-sBwo&^)}!(QLz6QWubp=O^TuA9Jl;z-R?`dHuNT1ILgCoc>w@odWK%=9T)
znk(CSP06m%?f(Mm@DFTe=HK3dcZ*Ty5_44KLWeJkw^)~@I(aI<+Kl2YGpC%$hw85p
zTi-2OevWWbf~Bf>st>Cu*u<1IVFsBkQ){H|%b94*l`}S^JUav3@6#{G+Phjs?$l=#
z)JWyf?K@I)$5y1M?N)i^PD=3Z=D^m1CXIz<O&tdG;Jug}D*N^Zu}f7Aa585H`Ynj|
zg!*m&zA)CAHeI^vtq$Qs5_j&xF`^Ka^K6ZK)F%*b;F-FdyZ`d<2NhNdf8neVaN$Zh
zW$mgH%mi-dIpo1N7P+1~8@K*2tCH(!x@(XRc^B$u9nx?x^zuVB4r}`qd-7EXD(~Qm
z+TE6D8Ck~c(Hc4STw-^vor-pQi}R^Zqf1*_KjV3)!t50@FmVpmCLvgFqGZP>&iuF?
zKD_dW*4G+&crk!Ozn2u&c&<h|xMc!czS)JHJ$X7rELt_?ia50$C0_=!4r4NN1e8(p
z=6meKJ0pX-<Wx<2Gp2GY#O8|(-cdvkPm83UA*Jx6S8pmcqJ|&1+I4hA>va*$CF10B
zVe)pOwG?~@-X3p`fI^@HW8rlt8@@62;oP=Brvj|}ioJ-YaDA&0&AlQq8v05%uzLaQ
zHb!rKtwgx^?Vv32@EetygRL|HG?XY2Q(lAkGWmE)gnFR4C2#nw#mq<tRwuCG*?%2X
zE1}Ah?S@rZ%e%MA!i}#rZq47NHe=7HN$tORysoAJF7i-G$z3*!`>9bsdXKHR&gQB4
zMI8uK^|tF*jf|9lmBNU&)v^eQLk)}+kbO4#Ypb#_zx~UoWd|^#RU%@k&@IqY#;>9f
zW#y{ad3#0P<={b2FeDPpHpJSL?D9Y!TMdFaI~``xN0%@uU8<Mad9{ohL)xsvogQbn
zvzWQs)iO&)YRz$PJD;sgpzES|6$;z`jdr@C!dy1YjShZ4j5S9!bnZpUQ!x`L7pLc#
zQU&}t%zu)e<=hxsj~JiNru5U3SYz!Kvay-L9Y&1k8tXj1j$rF9%aj6{mK}QownNj=
z^0*<@IyFntr5D7U+IjotfWie`OkUerf+DNc&cf%rr%#Zr7i_LGFyOGH-9nHM$Q{9%
zCe8y(mDA<vjV+g78K+P!4CMCXmmIc5F9wbCzV+yL=C?L`D1ZFiH#qfB*4OQO&AD1+
zwwUhOAsWD?EA{5nJ~OA9{SIzAXVD;scw-IK`paGJ5=^-=laMHHO6tY5s&BpiHANI_
zQ^Y{Tm=%_p-(Na@x*)r;NRx0{m+9)#K-U0s2w4Ji%yaB`W*u?Tg7x$j`5mPzT2nWP
za@70Y=);*@gP8J+mp^M-onzkZcEu*9KB{Phdo542*ax4OFXAJ0kDvC`0$;-|d6#7}
z+T#1JfDMM)tpj^7!=5cL3O;VRC^cavec69vkbZMwCFz6KjHxH;u601J^K^c#A<dzb
z#6F?WBMhXX$Q2<;@O0H9Npl)0E6>vdZD3=Fz~G6-i!nnMfL;$~dOQGPJH&dJUYLrB
zjCo$L9N#s!|9J4OjEtfWN&$Y8VBF4VWo$bzz-wDoV1UcdjSF5MZY&Slub)AG0w?%M
z1gvcaDqDdlu!wk^aOHuer8a>JW0kRc>Ixqjcl%O{J|C2~<o4~3-xOGwcg%g1cYlQT
zfOWp5IqZGY2jtdX{S8nSbmpT=K1n3j;lZQG#|~NokXl3ODAh-&6Fz92jP4KQ7Y%&q
zRE7<0)Cn=C-W)%v=J*)QmXE}j$JcrLzF5`|cC~r2XaUi?(c~FDByZ<u_hh7K^aeAM
zgey5B@5TC%dVw<mK%<7VA{)&z1AwGQar$X$;z}z0VgQDUT_zQ=?i1ZRyUt*}4^O^Y
zJyPl~zFhW}5HE28*`y)QsxKu5^DQ5zd&<YXR119aF8KM>#VM}tUMlKdL^Sh0)+q+w
z6}UClwPZe-l79z%1r=R~JD)~xo72<Bq~0oAhO0ZLOQb#`_qGb`5-Fm@0wt3jr(^>9
zgF0`u?)jz6ZAKXUV>H1+mFWJM<)HD+qix>V_}#@8!AOcv<Do3!iB__4J|rS*)6*KW
z!{i6tFS7a&`OVepsC%jYv{z;G+(7}`$VOMKNOYOz{<O1aghik{gv^}E`vit5s@IYR
zuT|pg7`{u)xTZM?hT+%^T{c7InD2dssPq!7G6#EkAM+2oV@Eif6R_7qX^2jek65|E
zO2dQU>f=u25c=M@hYnL6PYOt<Yy!`%7zEg}XIfW(9=NxN&aAHMjTwK1$!+{eFYPH%
zV(Nm*;-@6wwumpEi#DfvD;C((FGIESBuI8G$;im3XWa~t@vi%=WXHhu4TYGlE}uKB
zlFlpT2>EuSZeQfZABvAN&%#hY=llc1(obg&9W3YjMrj&7Z6D3Bf+C+Ro8`R}zi78P
zXa~sMdVL!3a}u|~BYP3k)nk)_nyD2#lgBw#crIa%NgG!Dw0o}lT9|QfCG2?}Umv($
z!tm1vLD8kqXV)>~=YkI@Gk-mB5bMFy-_}kT!~3HpW&(D@&q>s!2pV_0X?~depdwih
z+kGb+Em7`?ieQp7jOc`*Edyz6L)P1)IYsi3WS`P0__>h<ji)%Tn!uN@%n~%7)@Ue|
zi~!q2%YB@>r3nc#LFLh%j#I&LeZJ)BLEl!fpTek2FR(ySFk*ENe3lY1XRXxxP6w>8
zx*V|5ILOR7%(_?KE>&;B!~*zCPSfrr^ED&sePQf7>ZntiC2>ikVU%e3x;t{E9G*fR
zrM%6#ZLsh7sxz^pP|!Fi4St5xzM3qCbI94kyo$jNh2sS}2<Xb*ETRwY87y=5{^xGN
z2?4|LKy+C8Dh45cLoArBOiO&ZsuFK`>8sJ5H64R(G8Igltyqvn>Jc>!&1I=&^+$#o
zjOS+LDOT(>)<sz1v$bH{%0B!%#{CY`94;MIreqfB{efK>pN&?xaC%}L53cJw`(gi?
z6nbezZ)a#s!-}~be6;jrC*lSl`oZ&Vlg3boxlaFv$@GZJPjgpZG(pVr>WP!g&de?F
z2zc?>@d!1SeTB(bBXemn@`{uk!f`RP&^3PGQxh0>sm5iJ4-`UJLlHui>K*_{i0Qt?
zZ`(LPfMohw<8*}<zg+5_dB!>S{44q6@Mqn^jOyfN_maAzr<zg{I}B3kRZo9tMrpNY
zuZ(U=Z9~xyx7g(duAU$qqPUFdO4ha;JALi;rEK!Pgx!`G&Ekt`UAdMrVoa=3v!!2#
zqr3e1wth*5VX)(24#Q`9t*a(!13pfv%4pmb@iV|YS#HQFnM%F56YHk&mf;L<M4y2S
z9gG$BCa?mnCWv<z;EoFWa862-Lx~@i#%1g8;A=BAyQWun#k?eZdfyc8Z;m=hDg*DO
z(84jX87fnRGTHh<Rn)+Kb`nAA*G2F#u&4p_Wp-MPomSqs!XFgljt93$(0jL&Z$rOX
z=S3^On;3VBLrk9D(;`BZJb`UPp^qOK?}~GI==r#2Uge!cmjs!XAC!6awj(C#fN$9J
z<B4J#!e@I9t~zB?*YTsDhds?Q(;^F}2mx6OM%PWx#OvkhK*2dKs*$PoMO`mu+boN6
zZXiggxyX-sA${g*MdT1ysV}il3rJQ}TmeJVWV-8Si~>C<#%QruvUVIf@h+awt8&G;
zF?9G<Kv59Bu=HJUwxZo6IOa-bK!aKCf>R-B{|#)fT64RP<%<CWGhgJk?3ETv$Ae+a
z_ba8(l%-f)p#GDlPP5IAcxH@5*T6=UP#Mj*GL`4VE;QeQ6ukd=&`}rsLko#(Ib|!!
zu7lMl_Y5`$3y}EoJo_WwY2EX{_41`{F=Ips1{UrJrtgx1A8OebtGV+V{Ao>_M8y^i
zUB+8?Uh|N!#e8&7@_cmXJ=G2dW2Va3YoIY<7;&!iA<Li)LjDwiy?qbWXY3>d3%Z-_
z21WtRqZzNYLM3v&a8cBwc5iXf^~N~m45~)kNrlcDf<S)tzYo5_W_Eczc4-rjP$iZ(
z_?&0h>_B<~hy*z?x4*Dr<yxX}(6Q^UG=p+k@1Rl=M{r*!dW&Py=6X*HSHkLcq~$K>
z<8^Y~x&1JoCv29!pM1aY`MZrzn@E8#x8D>jsXE8F+0j62mqu#I%t-R23L|Oa(p)Su
zV=^6e*)+Z|m(iS5a}f2TqD7K`z0L{5c00(Ksn&Ii$i2AsJs*I!lQd@ThJL||h1e3{
zH-a`MTfRkVN*`MuSEVELdD*+Ud$Z*elN&mP^i6N$cnURlzn>*bJZYL8xGtL|t^Z^&
z(eZikHG-#4%#|DDz#}SB{8(=>=H~{3?+zW+b{OMIU;7v$4d|;)@?ldzBmTqEADB@@
z2E*{&k<<(!{h$Dvf`0EQGOPBN1R$Sbc)g#kk-gECDE_SNcDW`;g~Zv0?A;I}24TKN
z0S6j_-WcK?qmT0vK-O&CnSyfK>}`UWyPUcHo_Z3`iNnH1);H=7pkh^UJS}_8`TKEo
zo-Rj1625jy3d+vdcO0`5Cy!=JTa%e6VMhYkd6S%7<f{-D)=Q(gT_%z@WM|}qyNsP4
z8@~BoctGWK!|vxTOC>Q{1jQgb@QO3v`zx{$JVhD4cQK{&0?gEVO98_NOK|kgP6MX{
zu%JimOvQ80xIrB7_1CfAzoN0p$qhJqN;QW`0XmhW*s?s$*S)KSL7**Qt_HkFd64U=
zPutMxFVYiI9>jV|@_*GokUCTpV{+?4W_0_DH?cP<hvGp-Wsd$DaJR!T?%6_>MN_SO
z-g38@fwep{F16mloq}5?1sp$%dF%S|U)MjC<V=^Lw=(Fn7mZazI?l|FsCNYo@4FkZ
zwWA#OtBuDU!a3eAb8^68DXkIMzw25<*ULmf_j5s-IM%o~T^crzh0|~Ah0<EDe7t;4
z*<Pm4WA3&L*6WdMgbu&>b?)aqDeYU^==Wqou9kXq#3#~XTppMEPV$^MPkTR`A?Plt
zAbI<^S*?AS*|)ib3@w95>}ya{y;Wuuv4q)ioXfCyg3{=V!K>gsWkRIXTKxuv*Q!(w
z|K{bl1rBoU)vva3`a#U&sf{g{d8D|4{DJeXf1E3Y`9aw9<UrefiNi5D(B><k>E{X0
zT4?w`cxL3QXX)=|9;PG;j0Rxzt9{MSU_1BrbWFOP;gXL@kI5m(G*6<1^Vo9vJFHR<
z((a9&|Gqaa7?P^LU<mSLN3Y%lP<ub-za5ImGdQnTK)|`V^b_roz&0<%a3D~X>k@yw
z4F9V<Zz07j<dtn_VlG@)j0ZJ&DtYD$-Ni<MjvQU`^~EkcOc6Eq9xH1@#eI!SM@)P@
z5_y<K@Ii(}i<UR@xMxdbz58{LT3Rwcbl$aC{K_iks)nk?9KqWTeUa6PP>Th`wMKT=
zI^O#NgM$t8_BrrZX%7OC*VwCc2r(oMgv`sz44oaC9(F!*%i}`*G3r<S@yzbbOW{Uy
z?kDw020AidO`ccY)Qv?XTmh-bR2A=zD_`&~fahLSS70(?JW|fJYT9;a6W_kJQ_NCw
z4SpVXPTB*d`x)%5TRddPEW1jZslf`x2B2S61gXk5Ac|2AEYcqiZk_t*<ho9cr%lf;
zbGIKOy-uj`$^rv>r%Hd$WICKB9YPDtV~V;9q%-a<Kh56q(@A}hmPA*DQYrm&BE2h?
zyxOmrL5_L!XE5y1Nz{mSi&|}nvZNCeJybN@%l2uiO86zJwh3!zldsDP6l>jDljt_1
zat5TtOO@B;%y|9VhN|BhT^l}B<1ctgEt(hPS892`4>$sMRnGE#p4(4UI>gTXQMR{9
z2a6^k`{;otcV>U;^yyuFFTcRSB|N~Uo-!yptqh>%aK<q0;SiI9neAZ}!^Cz_`R?Df
zs!F9q8amWwt0o8Sf7(_qF%V1vrUBX-g9k2(Vf|3LQx70mU39VqDpofBv9{+9lIH_%
zc*@Ms-Ld!We}uV87+o5c^hODnSYNNGq^qAFH0UfQT~uJ0n5#))!b|@LTW%`<CtL0<
zJE*!k?LfO6^RTprv)0oQFVO8%y%lxLc_xzX$F(Z$c7&_DS;P)4=N8Mjs^^>ItEyX4
zyB}p{!nk$kpb6`)qJ!42g7lu@pv8ca-Vggd?~h%G85x)k^GDtfmw#H;+hSHmDYq#o
z$E|#Y8}F<AwWMEQ#)5|&g?D+ESc3byzjR~o7)utOb+S4zjsI%{2TFOkJfJNxzZ6=T
z)Mx0wY`kL+D1=fKe{m}?r)U1bxpY}aLdd9#1|Uz3LonXVMKFwbs8cST$fN}JIe<rO
zb9cQ`eAtx+)eODN9t9Mq7x=7jo-b?Gpfg#6=vVg4<3&@svTsQ#r;Yq9T*LvQRW$UY
zP)KSnu!`2^)FqKt0aui_y42A+vdd~$v~u-Y4OvNhH769w$gC%|z+inTY}SR9`h_-H
z#bz*S{@<mhTDQ~LG}9qOec)(;-^vej&l@JeQ<LDly8L)8!sqi&$Zb54vDCS8ui)AM
zM)nHHV|IVM=4hu~<z5GuV;_U<kZAwZ3w;U8-rDmnTS4cvIPD(bs;NwhlK5mls~I%O
z9|?b6uu$20>(<O+X<C~%X2rJqXw%c%z)jvS!|4JO6#4s?X!RT_jnWEDw{7ug+%l!p
z%ka#<ws%(Ksn$Ln?t4H`5u@4^Wt>C&xj<1?KbJW2V}~flHfdhe?1^_&nYiBOm2wbD
z{34^#&+c+N=2n-jd-FjH<E3kveMfsmvuDFWw8W+>sbE(l(}#ClBS#Z=Ei9-g`6+B@
zNS}i@Q8bJe-ljIGPjx3yTVNUDnDLw`7&;*>+Z)^w>;<SW^Z>nLanN^3DrP{~vUbja
z=-5zh;)f=dDJ&E$o4kzkYNAt1q9&uL>AyNYwaLN#7aZrs<LPl>J(vs?$;L*B1pVp3
zczgmT=Qd1U019&qC@kom78if%DPMT~vlm*yU>uLhl<p!$DL0bchzxN@vlt0!i*#tW
z%_XM}(vxlGdhw~Jka-yuFXY?y5qgVwqv_7`ed0w5d3=P=$FACJ?JT2dZUzDU!Sz$H
zzQ%wcTR7V#pQ|AJTWzbY9*taiEWHOxyvQ3Nx#fU^S}3LP(MuEeV?y>=R^Fx;S-oo7
zHC$&zQi{3bt=%D;v)(-iMUZ`4?3$nMxg0+jTW%e5h)*bC!6ZL_v>6rVfR)cQb}W6I
z;$uem0>6K7)Iar6#<Ur%WqKP*?UvJHanIYyN_q4}=WQPo>|X+XB#0Iv@8_b%W`c%f
z@JHjJqh$|XwBfyj<vdn2e4Y7TZ_<i8^T=T^9b4iCgd;-3nhK4EP9L~kj%49KTXZ11
zT*W*QxK>~;h}j14tQW+RF4KU+<=#yVlaJ9`V6MAvkb|_y`vxfiX@UlOCj&1P`oGR|
z`a6zxh-M_mZwuQFK4?1cKx03gJU@6{YaSL8MuL}8qM0_+yABXW!X2EBjQwh7<X}&2
zjyOxGW4t7%sl`@&xz{0|Y?`hN#TClOD|xvdUM7$C6?(>#MT&G<YCC=4oKx^l3skwp
zX_No8&ih?h<9#sh#i&iu^V6c+gc;?Blx!%6-t5sXdSqOd`c1A%Q<rZy4wQ6ub2PU%
z&}vb0mvuPGrDb!L5h-)IYpdb=ymN+wuMqx*Q-cK}hg`-^9k84adOX%6arl7tk$Fo9
zDM@(*=t|AUvG%R(JXkc}d>5j1oc#R&k*yV9ntDu&THAHe3%?iKhZ)J2r7f$S6zT-N
z616c>pN)nqV6B)hBFrM4*1%~5((|!Pve7|k)8mDLH4fdpLN3gfjl`fzG>@6JL61Z}
z5Jjyz_C>SrFJUYA{M4ihw|P3V3}WQycIeU^VyRM~Muer)0afH5Z3GQHK$x3KckW6V
zn+yyuj{ZY7cor{R%a&p%kKA2yggC{QcM9IX!|^lAZ!@MzIE|+|dS$_IRQ^KIQRFHE
zo;BGQp8`z0ch`y3#x*_jn6rIx0D8*XMz6cyM{G4Lw|;cTdgoO>WRAAU@n@v1NVA9L
zUj(ige5^zY`_Z^x1RmPt8?c;~S(1`{<}UJv5jeO*cRaYKMsVjypb@C>r^&Ce#OFLG
zvH3=zMUJp@-kWp~xOT%9;<N-*?d%rl7Xa;B8T(^I6z%2`CD1@!pd(L@h#l@;kgRW%
zAz|ZHKB~Zp)va-D4_q4F!1&kzGX<+_o_$1t2Ej{=_V$bihLiWbrPt@U4%8RAB~RG1
zBL4$H>(j2l1K1-Eei~05Kq~D+U(`<u?n#KxdPO(Ctd^!KKCISMRBj#FNL668{@|0E
zv>lk-UNli29Hr^l@fBKfCQyxVW_MW&w0zhp<|Yj1<Y7THah4ARl1Xpn#jWa>mcaCW
z&>Wc+H?h%|Nc^Dw^7XCfiT1epCl_F(g=ER~v9;Z{HeEnK*_H3M?F=}7RIIy*+swrM
z1<Q?>SpLRz$H@1U_(Qh0;?=D4jro=rr2i)1++XyUfU~)T`*DuC(&B;biUDel8i7;1
zC@6iA_NkUy=8iM=su=~=Hh+?n*u8kf!GlGX(1J`<TxlERMsgrw^ODpWnsypoQ*X{M
zmLJJ3YzrGVWa<mRkaGc?0rr#-0~E_065CK+o1kv=*JcQ)HzIXPpS@E79~Tf`SAbh6
zb0q{jvK0TJ+{`LwtBeb3#9PY7l)vZ3Sk;fVkyjM-PqJt&0ZCLPI3P8Y?qRVrS(EJM
zgH8$r^QL&MVy`3gI}rp-Ga|SCjAh)j)i!TGw;Or^h#MxZuxxmww810+ZgZa%{M8Al
zioUH^MO9`qz56%%uXbw_fG@YH-4W-TU@^Z!ZZpS9rKrl;M|ag`YR*^PIs}Q3qewP$
z;lXlM-%EN8Q?G;fl*gW=T#7!N-DX^9?BD2D^<6$pI7nKaW#*^mDEY8qm%M7M8(FQ@
z!|i8M`dks%wIUosFE+|h-01i%5}?m5eKYG&^W=q$XL!1o^e`a6G9u}DY6*<zV2_AE
zZnumyD_{JJJ^RD&1vdPXJ$GUMf9f=;bPcTU$j>>xnii3+q@g$#D3<+3%F{k5!byOD
zFj=if-S5cppTAsK%rJ`}>k7?^tnH&Y6K8*_e-Jw$fQ1vx#A+>iF~4-&6tqF8;b_Nx
z1~Q5kH?O{GXI24QEzWCaHHYr6^XP5v{#A<bo^d7KpQI`|H}ck+fGSNmn0K@-@z^0p
zUPDhY**A&Il4+fpN5$q&y&4&c)m(wZf52$sNL*9#%Gq&4p;?t*yOV_-qnKX-<?Daw
zFU<piM%v`4sZ`>b+a9P1Cj&4H5uS0p=ZuD9CH5V#Jo%wse2=0JNxPpSy&i!I)&}cG
z=13rzc=Ju$firQBnG_@SQ_j^YIh*SF+0JG@0_3I8qs6RTe$431JJtJdLQE@#O|7pz
zVGzmAGj7;8Q+Dyl9)C!&S3IS7@!4lQJxJz6MNJ_uF_08zaU;17ab$p9-SYP5KGub<
z1hoME#chAy@iQ+)HCfU!!3TfK^x~yw1ulbNOWGUZJ)>)zvJT<O@t`Q~?2O!P;}7~@
zgqn39!5QIUvZ2Oh$Ui!?_@*w|sP%u^I`tfoQSKhq`0mKVu$PdcNQnilsVI4N-9CTQ
zyYar>O&<@h$rAEVKx)5aq#bX`^X|wUA>x$bl8y_nu|O1^tXEZ)nT*p-rvu<4K)dQ6
z)~f%ZpX6KMed4X)9X}M$wDEd7zw4(6<90{JI24_2%$A?v*cdjuc;Z$hrlG;V{O_R_
zE>rETe8nNlE1JsGPI&MfJKi<TfqW)+UJGwD{j)^tz}x|NeL&8|Nj{9FYfp!o%6#F(
zd5ifAQQKP1KA-4%sdXf|gAw3)SCyV<m_6+h=;_+&2~)-j+nui6>jC>|7Eg>;?lNi&
z%cWTpG&|?^TqW)m%3d8s)Y#+C*0ix47U~Dp7+%OB8|tOjPC&1fuu;bPO3M1!1S65$
z3qqBzq!IMy`4y)zIom(Isur9DZn%ZtHjM`xf0uX8<3!?>@jy4(@pxMst06y`cIQ4P
zlE?La^p0m^6(3O2PsKzH;WgY(6-*vNj>U6uY}L0Cx5#h&2kxtzsSQ@-1jgKRzrOjY
z#igJRdKr9~C{g#}3rvrpi7|OK&ba@pAQBBUT(0-!+I!A7r;#@8v8X7qo@9qV>nvaB
zp??}dbQ@lN77)K7i0o}t&9@3Iw9riOKE^zHMvj`%sjhRUBZuMo#awV*4mp9jt8tnv
zpZy9&C(}Bb4#>!-nrZ5OE8I0O_D6vi^{31T^JODd)k7a+5BD$pUV*MCwp{4FaRn-F
z9#1N7D7%|NGW~|KICIj)eCg(@N>bjc-GdQbKeisA(PY8(o@Sv=k>p{gi6==PpPjZH
zLxssofciClL(HJrS-sY-Jk2C67eCIWPaEsGotNpWxpFLc`zfKywaEk&qOdko19BqH
zzZ0ZnJ}{p{u7xx;g~nL|lEVD$>xFnPS84-Ys1j(}KtP#i5x>t``&tj>H<|QXysQ4B
zW9gZu8Q|lptXW?be6?kR&^-A@i<%6c6VVkHxL32+13E*%9ER}MrV;cf96Gdg7LJ$K
zH%bM?;{_Ya0pIy`L@emJ?fMZfRQ?Uk0dIv+H<}Ea>iXv6MtSm=;kF~+G`PAKuLrIF
zk4m3)R<N%B1K#_zW4&U~s9c_(4wS$U_)vz^Ev<MG_&U-;az8$6eHB}mZ~og6isU0U
znbNvZAl>zGTN7QT>H@G~{S$$&@4dby?pF!nIr01Llr>O?yu!Wc?xzCo#+}A_uYR&D
z726TXXtjX#0LEk_MFa-v)#w)U_AZv%H<%e(h}OZODTF1b=OY+KHp-sc_W0AYf~~1D
zIxw_e&}SXzNE}a&YArD*gMsGA`IOHupX%|~Zt#`JAr|{z^?0B;9Zx)))vfiVmdkI)
z#un(Dz~Y9L|Myqye-H(FS;e1gl3yqt%+T-lc(a@9hWpmPM0*zuc~4OMBK@cM`z;VQ
z06kIJWqrkiol?;~_wYmT3`<zE4@d>rC<EO0{)Um9s}bn@>v1O%L2AyoktqiuBW7I6
zQ>!vOuRZgT!213Z^2D?(3w5t}(iq%)^q=@-Q$lBa+{!ImQtQ)g4Q`|k<QXFLRoG-6
z$C@$V6rQ1ee6%OlhI-%XeyVgwCscjBEAYqMVOK`y$RzyJXcH3lm6$d$zBWse#67PR
zKAD^vOZiKhcf~M2^G|7>{>-EfhncMG{HZfXU8q<TJ(sD34LUR~QI6*n__Q@eqI5`=
z*)vfN%jUeg)|v`^JTq!LZwaXna`_)WR8s|HgTJQqk1sW8=jf4KN!Ts@@s+O4r}^L+
zi22jmV$niM4o0fc%>tLz9uh3J-P5gYaq8AcFuI`A)mYuq_z$g}X_;6w@UX=U%`VpM
zHZ0?i+Ft5)=K0rQIEaH)ql1;~xYKn>pRK=rx75+ul~Wz&742OF$JL6EU?CTxagZJC
z-?Vm?7Apo1jBMP-PJHYeb=nWAZ2kTHa%Y}e9P^{C-vqY7oSUaZ25`Q<U3b3bU*XCb
ze!aEQ<C^k5+4He67e77=NsJqsiK6W35sVE@OEYykD1Mtn6FP2^<|<$fy1};+V?=#m
z59$^;Hm+R$ChhE#$F3G7J*sca09;`cR%hyJ<<+@4w6-jdgDdK<{>Bwx30)u%6On7z
zQGd{)@F%v22<Vr9Uk9@-TxlBHQ7@Px(X~yqoAAleuIs=$sDLW0!#FSUkPCuJDU_33
z4Xmq*PqgX^Vwy@3xV`t2GyfZ>=wG60&XvbCl9+0H-}YT$l%1=v9N&_vFc^z$rG(G>
zib$Qz>qH8{US2v->xP<kNHzu!$lga@O)c0VuVppz(e)iGwxW)W_Kw@iFs^_1Vqx;A
zOXjVDk#A)ur}P7;;-H!0e=U%q+>6_JNjH8x*pbtt^&(JCJC56S*qdLR{IJox61(Hs
zgPH6-;YBPP?iaUKskTS>xE$OYx1M_s_0GSw83x(DKLAeA{*@*uc1U(;Q95s*d_z@J
z20Q>q(rJFDwU6NDSZVyqO!0806{*l2)wwyq8Z24WigfL&*q3EYb-A6aellJ8gLR85
z$6(AfL!fIY%BCZ`mW)#+^_nA$(^t?egJ>G1)Ij}*=+wcAI|E}ETjtbTogU-l!LMCk
zq0qVf9WCVs!PnJwYQh0${SVsI^`P9InihfPLRDp~v1aR>Oct~PHg)Ssqk>uckrtEs
z5$6h|f`}Ym{k<Iw;`CT1q2@rOZ4%W#*Yz^lYxS+S%RI^pGtprn;p^+`nd<Mt46Lx}
z(vG#an#QkFiYMfyp5>(bS+c{s2X(!UP!yUmjdLdK9tybw>FG>pem%H%qGXVzO+}_-
zfsPGCV1pyC->o6Ck2grApr`iBM-KB!yct7aCDV*esU|U%Tc3^j?6v;#aMKjJGHJ(h
zz<E{JHc4K^$-rG+`8U5`dxWZRo02d9wZ_D<{C5AzCSJLWdF6#TPOt3!l(&1!NZN9f
z2!!=Srw}ey9B)d^ZA%1!R_FCEoxiEp1+@K_OM?dl3zXUZmx0dzaS)0XEbpm)3qgv+
zJ{?6U1XQ>-4&0nGtzEG<8_PUQ%n{Io(4Y?L*-8ZB7K7Vm@CKs-Wnj1MJeMMhDyn1Y
zXGWZMy1+91m@q<|ySG~8Lhu8es~u-<7oJ-|)t-Av45n$yuzt>21ey!1J69|4quv)y
zJz<llW8$YovX!z3-L;YzV`Rs4#z|?|X=NOueCbGPQHp_t0Z!VfK<|=MH>$X_jkmS%
z^t<6Z^7z7<bG!z*3rs4DufSVjtu?t0>i=VaKTC&D`bk1L86h_jTmOiykekWa6db<8
zr{f_}?a*HSyG`({Lkhe2C&rX<wieQ(e#f%4KOMl2IxA2<MkHpwGA7z!05XN04UJhs
z3fH-o!~q3hdJ5&xl7Wa80bMf`5TLolwCvOz7z3{2u!YXeEf`=-OF3iOgZQai=l^k;
zhRaC(V}hgh@^GUZqT|K2>aD!AhXU?unq$Vj+lU9$qL`5#a_8Phl?(%pNa~l_(p?&0
z8vUo5nOF9-vO==+Z#!yXpT3R#|Foly-zHX3RT!-WaL5tJYGLY>R0PgiurSyf=8tS@
z7jotkz&#Oxx|(~$lWSSqQ_YwyfqSkm*H1mo_Zl4NxN|(-QbA&LiEnUB0yJ}~;NS2W
zM=oax$mO<N%h0wFdqu3umC@e2J^n!-x<6&#&QqJx4Wh8e3{o%Wd%_BvURO1x9R%Bm
zR5p0Lkd+m2J_y8q>yWpZDwff>qXT(Qfdi-h7~3bWZe{ZV!EAm+`PJCb+L6n#lMcrL
zJVNC?4b0AI$UrbHncwB+JX!JEGs?vQ?a{pQcMZMMx(5<+m2{R~%nR!>zb>ndJC(bY
z7Z!&B<LAgx9+Hxx0wFo2KcORtfHwg&j-gaV0bddn8f6DO=i6e^SZEAO>$`#&v$(OM
zu`nBO%xBfGO~Nmy6r!vICKvm*+r3{Zw4@>u<ENf4_YTCFL8zK7qOpel;zp~NT5x$-
zFZ=@6bLyrqBj$VMWQCiPFo#(Jt*vsx&D*QJE!3W!Abea1jV~W4ea6rR*0I|4o#zIM
z=;!BX!3n+mwh>9`*XdsQ#}CMdNxSD%Y!Pc81f@?HM2_)x*#m=k#nuab*4XJLgm+s;
z!!lOpPY&_pFT-dJ?Je$E!ylvd^<MDaxkj*SQ<d9A6FH0ZDO5bzUm==0wR<Uc<$l*?
z$rVy-^edXBv}%`K;>tU3Slt0yQ6lQn<n9A1qa1y4uy`_!`Qx8fQ3n-Rp3S6)5l3XW
z+G4Z>i%F(b<sB?@S>hTTYp5<nrLdNLEAcn9YHy5vz*%ds4ZI{g1p61PS1&=s+irgb
z$4+FEit<b2b-p_fjJp(gcEVf&uLRFM8-3zDc26MQa*|G75Y!##0nN<+>vgBcZMs?a
zboQH6;hYwZw^RFp*v`Q<sap_<Z2aSTMAjpBlM^QZsoU!;8?E+^Y60#0>r%HzFaDIe
z0hgSVUBu2=xw|CjA+COO1W5x>x$WZD)T<58$D;hzUeP*_tsYT7XlD>mAtpw>Ik$-W
zS}U*Da-0h7HSQ^F6Pr<KL{^B=i=dTM^<x(?dbW_m@>aBxr-S%(J(8dn+Xnsc31G$z
zZ`b&Du;A;oU5#ofGz)Re&0dZi#swP&w9;m0YFz7EyNtI05;wS6QCQC80>-KxfyM}B
zOOzr?<Zl>7zHfTTPG5ndp3RFjZx=4u)Y@WEhK)~PY{^D=bwBId1VV0959KP6c{UIj
zo-r`Lz=txjd3Kc@7O8cG?0ucSJ{yAGtTo1*0JPX|yEP}iO!bG%Be>d~FVDl&_v~z?
z%Qvh<fDZ9ZdvHHmGiUDpklv?}8~U;^GCmyab*(j~FNGpx`>N_Z{O?#Hl&i5jvgK?e
z^wgHu^v*;Bk-i0AekyZ!>g0XTYM;)EzvZ<21rv}K7a`8&or;W2EbdsQHT6R5$Uxrl
zBOR_iWD_mwlEGJ_0p(Bt<Ft<iu(f*0D_?1&9ntz_*5uS$VLTqvQ0CKz3c@=i-|GM#
z@Vbr?3egzVx8ye&n@DdLHd*9ird(1*0-P5g#Mib9$7qtt7J=7dI&5Nd1i`m;yCCCl
zPAf)tee};av{sKSwJI@jH6wYrwVI7H7OjJeLo*V(F|WyRj3?ymYkOKJL|O+$Z|7m{
zCNxxh&}u!|i4pJ4qg-5THLeNZr|SlaAl+Z5Qa}j0K7Hf4k|5CEAj0*8Uz?eqjMfms
zh&KBAkRP?*5{@z>=y2iHwq&x>5a$w|c(+JZRc}!}LCDy1YBxQnvfmtA`%BuOI8{EC
z{-~{?m#guaApOI<yF484J|DG-Sa=R9`Ju?l)f&CW0<-3(EV_bUc)fKj+<RA|1r%nN
zR$*1|b0MY$5OASBOr6fMLU-k(lBjP03nmP8j%;wP-bel_PG{17(UO!k`YwlcxAp$?
z?mryt{O8S!N!8!uY3=%FKBM<T8c!3B4Lh;rRzEPubFP1BNgB4hDSvPmQX_nL6%DWW
zclnmZXG?RMt!mNgGx*o|jK#sdsc~f)xSGPO2?(L}9a$pQdt&}`uRsjGX<;87n{zeW
z$X*Os!}o2}_|Ml}tk%Fay`ll;4gc-&=->7aMvxLU)A8j))4AsqnP)b~Ogw-;Qh8=W
zf+TDIXy0$aM`bAo>Z}*g{mxYoZVa-42de9RM(eFe&=pq3VHA@WU<_g#pZ~Br0cA8@
z9stI%%mP9^g)8T<!4Y}Se?K);oMQvru-^5*!<TW&`F7zy`NT|#Q041&%26BOcWk5B
z&*%C}I|ce6hbO!kQUaI(ZOwTpR2d4OLHhvKPrX)_O}ro|n&*Tv7Cv3QJoG#2ZvL-t
zuy#}b2`NC!yQkG9f=ev*9}8C!ZtGDOHg5WU&T{i_B!Fv?zt_=O`Vpm%*90QCk!PU&
z-?TfZhd*E-rFuIJ_C_d9`=kF=AW|<22t<Id#(DMgaB4RHV;t(!IPcCN&69oypg~|b
z@3Y|YD%HH&<fotC<-YV8@?f06U0;2u)@9!IInb}DJ7U(4=sKNQ+XOk48hUc&#x^`y
zR6H}#jAA+^F>n!EGtgM=g)NN5k)$em(uyVe4Dw~cN+WFhcUttznjTLO32;{`5_gvJ
zL*$bfOVj&L4lz#Lx7ZD6DmKc@|5%=Z@ftkTArvZXiMDmnUzq};%e2R2Hl;f^V6=vY
zl!SJly=t`LvycjOr3Wf>h2+~~k^3n56i*1KZ|=Y+4vmPil*k<3bbYm-Aq&tcKk*IJ
zu|6Omjl*kItQ40e(%w>b@_Vf3V7&%VtN$tFc$CMi-)V4`E*yb@f0R9tG3A*?I{tm%
zCxq<1ApK-gK)*+s0?mAs*KJ?mnb?8APK~_liVLEg&O<eEKcP>)hdx9uGfyy=)yH78
zF2Mr@&8bG6;IYF~wH=!yRO<>Xs738P62X6Ekj0$N34~1NK=P&yj!gVkb!2%GkhK%#
zkcq#8h?Tq3CF7nC3p7W5jb<Qg&7brp(pk1v4NEV40+)0Nd}%9H%!`2Eg0f}}{1<Z&
zRr{v?L^$6NI%Gc|zDX=+vfy+_;U1C{^$gX5$K9acghxHWHmfbN!m&i^#-Wl1IllXW
zT>7%^{$X5=p5c40BIbh}0kc1*bwNhbPPe0#C=bMeeSNlEB&v&Ra|&F2!CVl3Ouk-=
z-%n!nRNIY{n{TyL7vS}BZCJkXlkK%q<g+!A?Q-j|S_6X4u4T2_LznKtl#<yjz#*9r
zR*)z?g`-m^ceORO4vSlQ5cBV$OG(VTl5<q>=}0+p@c?!Stlgo2yZxa|x)u)9<L}cc
z65AqO$9~;3R|{wA!FqsodGEjK0Q5n`^B+Es4Gd`V<=g;4OW$+5h~8|_;k6MF@gnH(
zd_A|ghrjN@iQe(2a#de$<W!pTU;BPnR=q`ZB5;@K`(vPN?qKULdYjMT-lU0F3mgkr
zms_N6dL1X|%`AELQs?HN>Ule&_3L;=MzQMK&|i;#M|SN?PgryQnVt!g-hyHJEF5;~
zgYFVPPIb>B+P(16chV=8+FX2Jszma<c-vmE0y%HO8d=}-{Ah{gC3Mg6=h`h5l2DG;
z$HR~@ZjpJV`zxetuc%R&bn`l&I`12^E|%l3Dl`IB0t5-n@88_IT0{nxvK|9Az!_45
zxlOGkIfaB%e5sV6cEO3Tm`*X%s%5R?jQ-w{Nr8xkPRGZj3<_3*Z{aXvvLpI=xE%l3
zAwr_dF00nP0K!lvqi|T~{};ii;}DGY|4J~T0D|%8BS0{;-|RV8%pE;uF6I(f)ny#|
z#JW#4>eFcT)}ZgR`qoOOb+n-clWWCmGK;e+{c_*sZ|@l*IVcD)vRvO#eo7tCNTurI
zjWuPw?GhZW$`5vUzjSEs$~|La4NWePps4ZyTgyz;F!}y+8bJrUX)aSu=VjW#%*$*G
zMuH@T=$YX2MztH(y-x#v&s4&<woKy)wZR-;YBLOZZ6XnKs;^W0x_V<?;97sMzp-!4
z`<Joriv^{j+bHkt6D9P*&~U}DR4H<_I_3{oN!K_R<OsDRCVK9(o!Y{Jm#(RYbI$A*
zsDi0aCbVp|P7T9^s9E5ryL-gQOMv<B3>(~+=lVt;Q25$hh1%p#$QR7#(g!=Nh*nLX
zb?goGA$%=HxFt+J`Q`K`bYM(x85c-HVMC#|F^?g4au&gfWRPY9*SW1x&G_A~Vi;*v
zn#c8RdB1w83n&d#axqN$4fznbHz^!#MFK}#p)Kcdw93fl>|E9!1EVP^xC8V+<~+g9
zLxMp5`f*7`A$4lckBOc>ZpLX@RgdQ#-;<%IE_cr*S-HB69%m@oKZ`IU+y~m#X3Pe*
zl8v6>I<at4T66oo)7*79(t853x92P?vqF>lB@r@(wWA;_64SArcsrkubmw(@+RX%^
zh3MRs2vy<E+8el2!SR`MyDk#Lf6FXHSBYzOKYvsVAhSS&(SKyBND@x$>$A!6wrj+d
zkT08;IptKOD|$+VZPQ1l@5{0X8&#VE+<ti#wRYy@Vg>)z7Y#Z>BF1++t`#m+r?Jqc
zn(fxX@YO?@TwYM6>xRW=V<7(~s5oP+eN5|*!g6bF8@WVB-aK-ZqWX*(A22ce+*;QN
z7vZY7d;-EL63w|ruA6XOK8<K@H8)baCpX--k(Ram#=e5WV{YLpgM29>M^U}J(jxew
ztYYUjAuMO+T+>vD+_l4afB9EUg$1TJv~4vY2-a{4#SDP4Pv&$Xg98V@PV8Q@P{015
z2&wwZ*jGah`@ys)VP@>junw#Ce@10d>ol(xkJP98XK11kbkTB6Pc58xTXcOZ-X)WD
z*)ES9I)NfvATw1kmpZF1<lW)N#$~*YY}O={);TqP<IJcf5I+QYocM0BG|{P=FJPsr
zcwP|X7w}s*ky<@K9U~){YZ<ZcC6=HzO1E8i;Mw%~*1qKN8%rZ+@yL~iJZ#teA{rJ9
zWmZVAzl}|=uFwK$>Y^*X^8&%6i(LIrMtp%EL;8Rpry^#7AA0~>K;V@kydlF-dYCPG
zN|@`IQhR);l|hL70r|lS3og}cr7zo}6wmj5l=m*TO*XtV0Z<2J-6V_V2xQ(ib4S&0
zv9aOB+Zk_BY0%B``+EEz*5SBc11VZx1kMl#TfA=_v)QuwxrJsC#~=tTP2X0a3^iLz
z(Bk+5Jz*V(g6&tM<^tw})LUwg(nK?MYzOb0@<v{)ZQ2FoA~w;_DXa6Yr)Pa67#EC~
z<N?;nhvSWTt+;@^W3H!qHIJ-?XCaBZ{vXCbvA@v{eru;}gnbgdcuJ~Kx&9SpU>*W!
zF#-%2T~OR<!BU?v>$pBOnq^m+*1jXa2^!v4sPu>h9jm^`&?)vJ(*&Q;Gs$N_{mvU=
zAzR-xep@5pu|awj$dv+`Zh2gFAM1}XL9xC?#CUaZfu+Co5YG$*evTcM>V@G8p5C|e
zV|G(3<f_DqKv4hMX*hRwZGuS!61G5b`&?S9a_{Ab14@`74lijKe1l%+CFWdH*RPx~
z<26#?2sci=I!Wt`&$$7qHyS=Y$g5o>{{$&QK<q`nOuBby^=3|~bWg7L2=l^;^;rcO
z+Fz3MAMsk_GaP2pS+RQ-i+pL0=?#;15~)7enhZf+wA(K10^ANz|HS{W4f?}J=^By#
zZR8v~rY}iwtRuH?&H^S8yE0fpcC}bh`ajwRb5-4@>5$@@%kYveAZm+_lyo(i=}Z``
zr%yyvoWtJ&3u5${I8)7o1<#+xhuzD=V}eiYVsrgh2CyG?<*AZZYOjAun{!(r|MEf}
z91Ne{0a-pdrr(Br58M$z*vg8^&#??3P^Pu5R#1rcRP$I<Z0*x(*wwxjVE@z>TfcT9
zh<iBq!@^}y;Q3P*Hh(C$jjM2@*FMw`S!Xf3>ZIoByFc8r`*<j24@kbMK46<99oiSx
z&ns5aRPKMpD&V{h_z5)gy&{zv1KbHf*wzotZ)I6tBV$MROD}loPdIx@3I%Z#iZCtO
z!amhJ^c;<jO#LnN$c(AY6Ow@T<&P@^OOb1U%EAk=HM`-VdWi(UZa9Yer`^zfUe8Z0
zd_p11$eG${X@%+%W2M1(-ayAzn)ya#%hjPj%qT(zCXuCXB?!|<eOQ2|c<(0#e{;+o
zFR{`QQ<6_$m!b>a#Ns(Q5@{2EyZz+dvyU9ce};w2>9a|U7<QLKSZ~e)zsUS?y$Q%A
zIv>dIz(%K=qwh#hYEO-=UNdC~C7-O~@5e7hGMa0bcaN(;v_~#cd4(#O*~Ni2T5KVq
znY97NhH&bs-*DzR0AkAQe;CP#v`{~f83Bta#{ejG?&GHL(w84Ihap^g%tkw{jyt>p
z*eLtsY>T;Mnk9Gm$#X!;+vKzFMlW-53$HC<C*CBnnyZ!u%XLHFnB^U}8JK;nc+MSK
zR}Y_`NM(M2Kk4{Cd;bIoc==RiBpjGp-Z)3>DKKuwt`i#b+mVbCtyv9?ROc8mk~d}c
z>-4m6QEm@Iwhz{E#M}obevGYz(3}2Qh#nRU*lzwGnOO<nYT5A67k8@7P*f@!e6+rN
z!HJ(*Z2|osuD=|dl~t?fU8_Jf+ZW~c*{yWeNnK!*@*3u9AOO3%^M+>Y*|v)M-+1Oa
z=cd@az5y>6ep-FIl_gOQ_&(YGSLQ$R%%q4SM(S;reiEbmXgw-i4fVC8+ghHf^NxlN
z?9V0HLmxk8$G%n-dCfYeLwJKq6Vs2fKFQ@0J@RX{SE*v_+B3KMmpK%|V+>FOJo;cz
zz-_C#-*DZq=lO<o)T7+nJ$EfPOZ&dqV@__CXhYE>VitteyVt`u-r)GXqvK`|t2hb~
z{rG!;LWIhjm4w^$dMz_+z_dZt<3y^!7$Lf7k92%`K^Nkm3K2cu!>I*|+@8=$SHm{!
z@eWaV@dvss!;WMOnDq4aVlF~aaXueLWW!>V?K4vuMNr#G<q^?#>+>B7D1zD^`0lPf
z>bC+jkIE-wBh9FH90>js(#bt0;h7_^9pdJSR$c|)gnN^Y-WhAK*c2bJ1tMN!?u%wT
z>SZP37XGVCFPZY*HHDr!;ZOp-PPAid?i4YO0a`OV2GIOR2qQ~1_mwW&HO;+XT9Dq~
zl2zLWY=Slx3ia7<wGvlhc&4;#?=dd<*lMLes$mE)J0u!3LQRn-4Y&1eGJ3ABHG59h
zWwo7I|MOLje0@WTWoqAvZ{GCJUr6K=)QV><eM}|{&T`7cPe@-2><-{wEM48K!nwIB
z6*w771o3qcWcgB|{&>{>pCYoeY5atQNB>ZktXTE=Y8k**ytx+viOL`wP^f6gJX(UL
zMgGyHakiW%-#$+^1akGoc%Hl>f0wspl5j<7Z_3ckdh0=IBs$<-@rb$BK)Iq6L|g?Y
z8&s0Jc6V2<aITj1n39>|QE>E@`?}ta;5%D|<WwsVlKVg)ZPCBb5n8Cy;E`!C@BDJx
zjLKDRn=@QN<}C$RCOkY!XzE``#`&b%*HD9JpXV*{oY3m&I>358w}vk`1`>`7Weqk}
z%7Ve+JhB|Rw4q1|HN{U-WkULv7PFU5(^BvUn0tjQnOHx1Y(X>6iAdSl6lQ(9r_6=Y
zJ_D^g$+38=o(;U^?)JC8`{w<!;_(<f@U@zrZuq*c0YPM`?Q}f%0e;(h8R5#5<v7SF
zlF5_LzD1yuB~dhfTWBtYxplN9Z}lf}+lKyx@^?cX@aO(g&NM()U-Z#V6H>NdgmKn)
z7ggO2@LUrzK9H**J>k!!+d5jOG19@$M_b$12DjhqZ->Wu=eM9HX!E>qC68>_@HD%L
zZVf*P)~vqN0UY0@D;TE!_xU}IG9t%O@jb6WQxV^W@?MyD2UEMW)Y-$rv0u!lQc?1l
z_SefYi`i+zv81&RvbFiIACv>k17KyBHvjMc<=F*DDiYWXnFKtqP3dm5d2XoRD2(SW
z8_(X&9?HJuJ2cjAa3sXIrMwPztZ9+5*a=<x!2BAHxH2;aq$%2KDCk>De8-3+#B~kK
z_ysTLg!l1<&x{PX!7DxmCiaffRQ@Dp*Adv+m1C>3W#RZ&2j?wz4$c72D2>H<kpjMA
zEnY2<I}9*&!35T<r+qKv&qoIcMz*pG`p|(3y(t%+`h6w@NcV!B)Z@TCEAp=xT#D_j
zT%QhX5DnyZxjQ1k=JefHE?~uLnW+N_mz4O|!_XEsoQk#QxzBBuO$5yS;JBe_&F2<I
zUokb^$)}Di52!}{8UCMVaKsezJ(6d}LA5rpVGW<L=8SE$F6Z`%D<r40aqOh6fodS~
zMhmT~=&+U;b$RcM_)wnrnHs-(n_y9Rz}j>S3SU!Aiu3o+rB|s{-dvaVRLT7%?HL_>
zEW2+5shyL171jnfY75X=;wDe?L?}78nhRPQVI8amjCTGMZzTZ{Q+deEg_QkbDqqAA
zHKr?$GRFhwpjK!DbgZ-m$Na;I-trxPt*W!qt=sXjFr$@ndI6Yb(G262SP-?VNSWG7
z{TwISnVhT-^7X1Qg^qU@22v@OH>nXX1_ZBLN#kGQAo1Y0)(Jlm1-r*;odw-{^GvNz
zCy)}~E56hrw#G(WQRpjMREwqGWrnqw4>~JO!e?86e5nr`ZL*o1e(8xivOIPM30go*
zGcw$tXRbe9TKjhn54F<t_!jIQz#_&~;>iaMOb_{0QKi98jrLBaD?EbBxLbHNJ~Yab
z;B<6G-#~X*`#cJ@-l=@Ra_B+%r5a?4T@Jcl5VHEYvpYX^&&|kxx}YfLj#mK@P`{{M
zYD?x%N7B#lTCQxp3Hv2N9Y=$U3{d)8)D~W;AH~yUOk^FHC&37MV5_MrRnqKUb7*c!
zMdF9$4B}IN4YV;q6NuWLtk=%(%d?*fPhwi&8N<qP5<4wi9qN;ZEF+z9e3AXQr@L_8
z+AgWGAdVbpE#5^#eI)O$=3wlHDHsSfTR&)V1nkd#*Q&I_?z35+f<rv-uA7}~cesJO
z6W;WQ8k*<&b7?9X{W!*3cXL;j-0?+9G`Fpfmf?;UFYfX_^tUu43JgVTUMja$BUH|r
zoxghFzq*`k!bVLmokj{9(kFgipn5}+g-vWtyQF|55+FcBz?$G6QAhNaPo5MxM|n^v
zs0!$YMooFBmzd~`r}t1ecDv-*w8mO@@yDE8m`nB(h`U(p6EQ86D|R%ild$dJ_YKuh
zp_oVNO^t&IY8gtz-tgY)!U~UqE{vD%z18CXMK$E_+S2C`URVAoFnJ)sImL+8F`~a?
zEHqp;w9TLN@bJZtSfmrokVqa%6oR2<pON~?^zNDV-g>Yg2qDIxX*{5b$n}|iqf4+6
z^kfD2%a2}5;D&leO|CrH6E1b*O<{S{d0DCa(jAMWs;tYP#wq-cqwfQ#prk!Jhx+fs
z(L0WQ@1M*%ubBtiu~?`%LO!-ATZ`J16;|ODqVhj&O&<?o|08G16FlboJu}^H;zk!F
z&9ywcF@fCa2w0o24TsOIWxn7|25I}{Y0s9kjH2I-*2vvhC9yN=mT27>V)u414l;Nl
z60dK<&=&CzhhKb0)$Xp?8z&Xve`GDe;xE0>0NT^hEz{*^;lO=}^;8!kzfBl!T6nKd
zDyFeD2yAik2Ex~{wins7#XvFQw0PA?GEfpnt;K8Aj%$s%uq!-$eb17UYTx52tdi}g
z^htE_w*@XuramO;q#IpBgCyil!W(Zz_#d<O)QGXk^W~c%1#!~meTA^yV|<2v#8AwR
zCSg$iZ!6#0N&tw5)_i0OS3#Mwibvl7S@wsn_6~;J-eYV0@WgR#AZSpMs~BCS`FzKP
z0Irj;ZC|!px}E2nO5Y~aPoa*i6!17JsFp_RDI1L?)DCHiCv$y?H^Oe#0e_yKf<0tO
zCK;@OHtC~^&6>Is_dPG#tV@Gf0f#xEAgI#S+LKsgpatl+(84yK4+_kN6xZ2_v0`Of
zu*1+xw-MDy+?j@)z_)m-bu2-wpH&U}hmT3KrSR=<!1mk6Gy=b}kUflDDBg=~dM00O
z85G=%F#KO7LFTlG_QsaO(Y01g%uoq4EPQO~V$3&l3%G@TIpUQ5%TE$2q?Bjz3L0Po
z%zqt6AAJzPR)sfn&iJV4Cxfc|dm)WGf&kOPj>jdB5<P7qKz7+^@m7KI67Gg~b^jk{
zXC4pb{)c^ANejhkQMMRKwoqiRld_d5%AQfyvSv5dRtX6q+fZ4OWo$#l&|+UE+YAPy
z?8ex~m>I)!&(NuJPUrVLug8CR)x>x1x$p1y`druhs!bKxvIFftv`dM&W_u)O!|RB~
z*_U%l%#FYiG28kWcO&0XvYy6qJmt?uc>J)!!AxK-`-7xalFwrY*61P_J3maxZq~q=
z_nS5bsX>ua6W*K#8|$kPV)o!5z2ItvhoZ)<`go+VbH-+ZY4D7?;-9F;xn9MSMmTFT
zh3>zUHVv!4l(t`>^#3m|AkityK2n~NKmHWv#`0STj}f-<r8~~57iorj*b|yHp^^0c
zGnRB5Y;P;oL-TV6Mf?31=xvavR&TF3yW<6*sAUESDcK3RPGNWU%UWJ(rE6og3~elX
z|CNF8JbCK~xpIahNW1-4N6^l_#j{nl_5kE<>gB>r#ld*U-lg}RH{zNPK199&4JIJH
z=^-Vlgk@~+OMC?s&?{}FiCq)pL&fLT8`qDH0XQ=6jHs*QO7CQSFB@HG>Wjs7Lg1GL
z%n^VaXp(NUJ!Pu+7)7{ux*Xaz0Oq>p3WSt;{Nr5D1L6$B4OD@0$iTJ#4KAP4OOwAE
zJY2M_+~INAKUB>QF?)$dsTA{dH6x0&<Yjva-hQT&rOK5ZEIc)YF|Wi837RhzdP>_$
z!W}=@kn0Ycp-=*fa#__f6zF81u62{NxcYch->0s`Aqi2-BTZ;vMOS`oY5JbKzNMT$
zw)r971ZVcCFz3m}o_Yu4RAms!_UjD$o|EPLl>eX`k6eD~E*;aoQfg%x<z8lnZ|mmm
zG5n|^?!j>aQ>?2dsuG8Z_#G)L1B+<4fVg>fzoti(U=P~<A$k3iC{LHX9uPbFQ7>U@
zopzUUFBb*pm;c`+uhLf~QTZ#oF=^=k2hFSBvAwHClXR5C^f%3`9h#*c@yS{@Rkt_G
zK*29^BYq{~S>K{oI4obXN;V_nDx}+2Io45U1QDGg2WF~8{$(OZACcW$MJv87t*ZRK
z-eSOT>i%UqBI}Add-nU({k1j&XHzO+EQmXo_U|oW$r4SsXa6Jr?Bancp?q|rA~;7+
zrZ&65jnLg~djrA^gy$G!_^;|?+d6OXpT0jWuunrozle_11Ot1+p`dYsjJu`z*aTip
z1+k)#HG%CY(ie@AapLQvFI@-i<!}X58QaB3C7Ebk<uw`CHi$0#CmXAG@W0vc-<+vD
zBl#X-qPbdT8jc&*eshAcL(2iGRd>x7m(ieCcu=)iqUle;swc`mN^(igl>m;&-{?eB
zBIhPw4h?<ZSM;d<un5Vz@of_|_nV*{u4+zseRRsyy;+r+iTdLtzO+gqF0TM=XV>8Q
zspY!j90BB-Cv>96eeeWaBMq-6wt7C9n6<SJIKxk0Xgag%<HtXGCA_@cT##jKCGRgo
z0~H5zhF=ue-&}EJ(^8sjx>sSL)zh_@EhG&@ECJ4DV5!Ya^bg(Y{u8<0zv)(R9{L89
z>GrG^``M_a>225jZK?|b9s$hv;o-caVx*$FA)`Y7f6ssqkn_pr8R}S~Ffz41m*B2Z
zD033Ip-q#iJh|Kv3&Db_S4bl;<X;ALti{|mK)ecSh835+VaJ|D|7tJ#P;$9+2C8<A
zk_HjOJ$FX5aa3=Y;xFVx2==-oyzKF<Uw2W9UL{CIeH+pFRlGWnitAX3Rd$Hf8!fvd
zAQ_8kw{{V8dO^wY($rSUhYnR9Ee?1b(IMNXg&0&bqj&73y>`V7#eBDa9DD*hj(}QB
z3?VU{drG`uOd+(*z5X!2QoxFi&h%5ZLUysoI9guKg2w4_#dk+m3mG+YOtl`27@nS3
zNEr8k+0%V)Cq7!8$eF81-TiLt;dvmiB)4ie_)B0(P@=FkLw)4q#i;AUu}?GQtzkxm
zck{8<ciUb2_2b*2=k6RkY+;kUazEpzB2^nlSERZYeZo#>iBW+A5?WW{iu819y0M+H
zMwfyc`kJ<VUU=;QpxN>e3A$xG-;W^#)`Enoy!)bqo%Q@R3eXvny7i3x0jAb$4$z|t
z06i+%Hub4`bEOPE(^f3L4cm}MEG!;V^^R$Ck*GKHXe-twn+7*)yhAEGz9{sxBOlt|
za`B-UmvugPt~%tc(<@3o$@xT6JXBprEWkC|+6%mLwZ(Q;>UHV(NB5W^Nj1Iq(nR~F
z9y3-0!On~3^_LV%aT=g3Cp~fem&LS7S4Y9)nOAWgb^S61R8vbwg2{zR@nS(HCh09^
z&D@u7^F7P!?C^<fzlrP+R*vC{p<HmK;1!tgQnJ>_o+F#L9Jj-aImKq{Q0<sD$Gf2K
zJbzsDs@FLUsz)z#7Xp8cvZW8})00q2iAQvpmbz*-5$b+_$7};kA3)CmKo+DI((}AM
zyx&vRJH#A;Z}o1y1m`5&{TV1E4R`@I^}U<c6*`FVe~3RS={(44wt0_W%E1lReT<))
zZaezv4LUuhXb`;yOushCx&X`M`DgpIOMoip0NrR=WKK_D3Mv3^xPL!bqX7_XfG>K^
z{)eB6@r|Euq|nb3T_5UWtMVEDV?r%YE#oh25#oQuae(g?{9pr})Syv^LJ6<AKca|J
zkUf9LqyNsoBtNXiyv7Y%xBc;Io8g|HC}1Wx{>{VT>TV!#w!Az?0a)=8KMX0G%k`Hj
z$w$?3KttNtCG_(MZ5eIu)AjjC$~|b6-+PtmX$LLo`aW4eUBOc1&o5PYy7+I*)I8di
zlJGe>bV`5qb@`_CsKJs2og&g6KUCiSbuM!46yL4b31$tNk7*t%VQlI02~rdysw7oc
zE#LslFna3@?{;AR=%%4+lLOB%9x?L)#v`M`81W`t;Qcth<Ia&BAzDBEM$fI7Ta|{a
zVg4+K=2|9L@8ViI7OjJVr>o~ONPhrV&U;4Z0H6Y<JR(PK6WmIb_A>6(zyK#fY!8|_
zi(Ym(-1KYNp?pG++?USFG|e|#=onYk%n#CZ&(TDlFT->69cxflbiV*7W;3rJ=o#<n
zI;($HiGJ`}izr%a>kI}5<>z|kc*WQ_!U=C(=gv6}`Z?P5)a%&TA2~HHMCHAahUuku
zHw=NvV3s_8Onta|HBu(A@IxY-o0fe9BJ2I-Aw~YdqM@-vJp$GNcBX^IkDN^i;T11v
zPa0yp6PCW=d!TP_wdQ2*(n$(k68IG8t8DIhwzy|b@3kZ$^O9M7#+%Y1+nN}JYUD!v
zpVluaW^t!{jDzfFv!C1C^(3^KiV)eD-rv}g3{oBqv4b}+%i7y?dA8V<#W#@iICJYl
zts&=k-jCNL&id(?F;}Wt0jTo)bWe_$12>lXE=_CE+eyR=Eyll8u5fEd*ouAnP!P8L
z6v+y2a=|!f(tBU(g$7`K9`l(Q3Cr2NP@}cRoNv*MXw+!A*{v5?MuG#2^HJQo$a4I3
ze-RQukQmlHD=-k$Qc-iKb&&?1q<-3B$#hpjf1t|a`Zo0wk1tv)uQTO80j%;HE8x#_
zI|k89YIo+QK4E>HfT++Y^zUdgfp1U4K@c_gsrb984V52M%FOXb{TOrB%s?qHO5+LI
zLJESaB=kx@%|7_Ld^WKW*bw|Bx%CZmapZIHZLU*@Gh?0fSYEP1xf(obxj}m8O6awN
zV@sbbQqJDwbZNfDrd&Pz4z#UyCg>&idx<(_)cpHm*uiu?k27j}9kw0f;9p(3|1g&+
zhX*L&@jX{(BouQKC>}g=?pl~)S=Qn!{h9+EMK4u1L^+OOFL)i`^`L7hCoTV}rFfbP
zbDzOYWBcq=1K}4uC9@`Nb>^RX1HHT+vzX_%%h>T1uK+`_YobWpomOP3Fhg9~+Y$TF
z)`d(@WSQc@^6<C|U@7WJ_q+^`0toz(Q>ca5epG#?{!~ke;@?^b*WX`)3PMmf%5AHm
z)}|)@@_;x;3?j|DrC3Kt_Gdaen;L8&)I<jZKi<YA881G7TEe)rc?F))nw6TAd>zwI
zhhA28$m79aA{Er8z5c9QVRda!`gN5z@8C>Z*?<Ci)8KBsd+(H9`Y@UX4R>b5W0c+>
zyKiVz+rIM?J%<I*Vj%Y$02dRJ>CUA52aZP1F<ch$Ld2Y=9q_q~hSyvY!zUWV{Hm>v
zqGGY;A3wd;3YLx^EKbo+9OHKH|JB4KYLkw+bFjzMrWH7_j>Z=Xmb7j*O_33Y(;BQ2
zwMM~SPx&q=>PJ(`XJs;1q7ZZ~rCC}{HPH7D!Q15}=z?wd8&sap%F!NTfs6RJsZR%9
zr||$Yr{^|rC#JSCSX-J3ZZm^L)-DjE6x!TO);1SSmce6+L`BAY8a!tRQxS!u#f{X<
zdXMWK!}ds0iplG>E9nbw1u2S67yL~(5ivDMXrxsiK%`6cG)1*wj~K~a;XfMA*Rb>o
z&8IMRwl`_P(~7LcwsKU79W0~iI(U+Pge~~3gaxq5L;0R$1dAURovUE398+fR$O}o>
z|FDZ7IgtK(pF`KA5bWR%r)`ttOmGjG`<w$hyt?zfm^PX<#}zYocfqJzDV;J=O@ZCu
zeY$4K&fBhv!lF)AQ_Y8w+T#X?y)8U%HSOJ8T9?M8f3ac0#frdjX~Yr2(Mm`-%+=iE
zOq?pZNW(M_naNL)lP0NnyG*q#o^IO&l=JjtJ`Bvr4YvLXhEZ@NKl~x6{BSJw`2c|O
z^(SdMs;T=-A6JypM4Mhv5@~r!q}L2I3;^bi88OwaZuQ6rn#7r=m9-@fAse)hnEEa%
z62t-wzf)IUWBm9iAG%E=M^@`9t7WpaTyQ30W>HsZx>a|R){j{1`tJq3!CfnyuE?J8
z#TAjsbbY6#AM<7Y)#Ce4joc);ZAw@W4-dYNouuciB+e@8O4OPzm&SYaTx>OL&Y6(G
z0#tEqFSD*NPX2zLCWBG#F?-f-F@d;hc1*8+3tCd)03nw=2de%OUBiEaC+{<9C-4EC
zfg{FcvrUb_650(GtAY02sGBK`_v#sc2!LTUz5I5<_{o$zsgjjFq(g9-Kk>1q*iW&x
zgYmRjf@Ft6`Is?H3SO;#I^R$3wq*_&j#HgoBi9S6z#B3h_;s7t@W|3jnR%E$JNLCM
z9LL;+jS-<vmaY|PkJS$`l2(Zs4~WVWe$D>e6)@4hpkkUZwONq3<|(_(*C%GS{w6T?
zc+f3u&zpQbD($o5o3K_MCbz(?#}b{R%{HO(aNkrUlzL?2cn^DB{i?^{t`;Ew4t(h|
zHu`|{a$^2C>ov>0y6me!z2E+aBS<hu;kZ!hOq50qzPMXS6j<M1EJ;`Flp=A3ab@4s
zmkmAJ&Q88ok=fgKM`CI-inS6RkJI4=cksTUKe&J>L}c_YRG33GHzj7=o~{ib5y9Gi
zYEXsE7?$i~ff6xmB(BIq&wigq*blws>J8Y_U)7c=HN+T?0g79x3}aayM~%2hA*_|h
z1eYy!roGUJ3ao-X9n|0<vJ2=T=k!(srEg*5BJ^qKq~8-^h|D)VVkBtC?n2dY^5a0&
zwtxsKa{LCRecho-hNrR`^!=dJje@lcFXG!(Eyzdk4gXx+<ExQHL}mxqvVb#A`^fY4
z8Hy|G>`eE^!n-$pU%+#33s%mXzIgu%WvO8Q9|(0G4_v-g@<FSy+CgRQ>RG)gKiv?Q
z7XevUpz>Z9iQS3knp04kj{(O~K-ODl2C4jZivK1lrk%gB+oPzy#Ae`~d>9?a70!e}
z=cN2QqJ<`&-WQCY(r)&Xj!6lZ-n}u?+(?R(IyF!}hB|tKz$mKRuCu<>n}P|oL@mA4
z3T#u(3bv;`hY=`JY4a=jJ+N=3zc(AHQvIN}KT=apm!;HPEVvzxPJ!Z69ohh*A_9Pu
z_dwefM3g%D912dM2g+sbQQ*AlFiK-!k%n~8Fr`8^%W3Xzv$E1Q<Mn#VLcfDBFb}X0
z+!|IV{-dog3kr~xJ;5)0G(Ok+>vSH0ZG4-G4-4=WF%xt;wRY}i6xRvHRZIu-GJ^Q;
z_glm;pHQsLEHI~K3iVRt?~cmnAGvl7V_0h(nWG+R{t;=>pycR#Z}hlj$W?qRy}Hk*
z;Omd-K9028DMg8mCL-EtC(4`;#@ObzgWOxm#Aga(d7$%O%EMr4k^pJWH8>i`ch#UP
zw17~|kAPRWbWCdlCf}gXZZK5KQMxG5N(1){2o77_(6qHm6e;5SWY!fx__iuD6;1pM
z-Y|Ad|5gs;6!G6h6)g91E+{||o&|O&vV28&ZcMT+@eHM&p3I}GGz}J*c@0--DHFkX
zC#gh(4`$o5PEP=Zlx2}vXHg>!(=s44*0MH!x~LbER8l^kUwwNvjryHd+Y#CW)A3LX
z48~1!Rmd3XpO30Q64>|Ei2ZHFqp#mL77eLcU466Fgq2fplq29OZ1IRCo;4I?7S+4>
z4X_gcUjy6eXVMfk=Dho6;)Q0@<ETRA_hS7Sm?;ur)c(c|)Tf!?Xq}b1b70PlG39r#
zc#XgU^=9;r1BQYfOs_7)<S)B6xwdy{H`4ituK}L8BfR<;P>6FKx)u4#J;+9gCiW+X
zi&$R+*v7#A!KLw)?XRZ%-w84~a|r2EYP@Px2Q&3l>XqV2L`5!L?LJ)ChA0qVaATHd
z8bK;~`1X-798S#c#)mmD5?uI~8j}qW#Eq~iUmd@8GUKmM?@1Y(`;@isu9j3sUigpt
zJ!wZTLip`V{<Bi!-kle#z|ZHTDw``+EakmEtm@lx*<bEj8%M?~`BEGR9Ji5<{0{o2
zVgh~TZx7L?PDeXAz#*?ESTETCdJKNcwySdYOu*^tjgR;#0wygxJLCe3$xtjGXBv18
z3FL+71mXQ|E@rO2YmfC^`^V0U#SxS90z4oX^O|n}N1bbDw{&o0l3sMtwAR5MSNwx8
z5asCR9&q3Q{Y|q_X1<gml(10|ZxVb!KM+OG9K3$=@_r@D^^}<bK*s4XO<xblrzWAc
zm+*OqNE2`4u%9TcZjub}Od2`Y<1r5i{iBZ0Kkd4(diQ5#SK|0NKz5sQYI*sgzsgKv
z1sVwqbd5F4SE3D2mWIDE6z#<~#B?n3oAz=d<{AyKM~fAFwu+^ylQ--4W)kVNnKB9Q
zcQYb8TkNV`dC*XkK6e3?CcE<eBRLgzrkQJb8e@XjA*rWzolF^CBAJLxbGWoD#>dGL
z6|Gk+if@U%zT!;G9Frp*xN5fawYU+P5n!qjz6YSg7TX`W9o*z7(Kpl;ih*fEl>&q3
z$PX@3l5G_UQQfXd#-=sSDsdGi{$S~P3jk8PrK<Y~t9_$3RW(&|SP`$yZ!zBMd1~#m
z$d9!|gD0Q67LV<b4?MHaH9c3c-(4-x;VqYXG}q27KFWj3Zv;P4o{NXCTkRu1-xNAs
z7`=AD*_r;wVRxZ|68^~<)#Y39z#o68I-HZ51^P@p7NN0U$O!0(Ln#Sp_UafWOPtTf
z!DRifE9=>&63ls&;?anpmruJtvonlIA=$rRcEP)ziC;)lXZzZxq{B7b%~cP)`er2`
zK&%JU8zX=X4`z|6;fa6;Ayr?o73w~n<_cB1edH4CB48(cFhS<2U9DxP3G>(f6J`^N
zQcoOW@QxBhuVMmNd@Iz;-)PP+YMy+*TboI2OHA3UNcoMH;v2F>?#UJN!{eCri31rY
zk=rS^gqTy#Zu*Xfr|5I`-zhfCi-uMCf9gQQI`E>8Ka$UgGv@_;{%*!$^?hNzH;Phi
zby<>`PwyCG%|o#Cea@y32CTy`?jZa0AQoRT0Ybdq0SQ>^NCDNmGDDu_b683A`M0sT
zRj#8wH_pT}9W$$B{JZ}}GA19XO<^+v@2H{j#<(VcfbPE0g5%0cM=mp=!1#B__iijc
zjw~<VQm(se0_Oxe=jQq5E<tq<U2CI@N0au0j_EZ@J67j|o!aVF<3;cRWkfNj=Dyo&
z8pw;tNDfuV>YBw`hb4X=&gE)<)SM_IE7toUCMx9>L=5e9yU;Z))Vv5@=TTaLNJs$S
zI3`7dd^PRcxR{yU@LR(Trd{QHmy{1qv9barbNZL6=%&~Q@P^HAx!spo&cCRVdi~55
z<;65ew6<@>=%}kbE^O8Nk6B01$NOqies?+j0piiT6#QPcz=NtD(ig`jFMWt3kw5Ug
zSar70`mWmiABhCXsxNGA%R-y7lnbLy?;o-erM3NMQZ3~tayV^K^SeRD&#c-Re}-;U
zTxJV;JJ1=LqUU+(7Em|<W>sPy8wL=t^YZnbaB{by)<1-!Ueta6nA|9y5w^HC{!|NV
z0H%V5YWz}V$KUsP<+~ksEq|&kI!U>F#;<i(-N-xQ#k%>>x6&~X5-CB?Lq{V)lY}*N
zAhuEI7o#fI*8V!=kzVj><^I+4!w8L+o7dVQhIpIIWXb+o_m;ityiK6p#4x6ZwatF_
z`o1k_jwc<OgCP1r7~;=@!T1Xv-c<QmpR%X0ir36-YEPc+=QuH^Rs%c)d-bsie<ubj
z=rd#=0!e7b{-c`sckI>P@lK$W&XGpgqyedd#bp+JgOi-3ATtDs5`O8QUKx0~))f_S
zg1=jn+UM7ZaWi~)McJBw|E#_FliBj@uhah6i7@<J7*mMCmOHEVQ+|+d1=|w)J&Ay`
zn@a5_7bt;kp6_90vVg$slKu2DuRoAI0|VK!I<jgKy?hQe!?*U7Ey<9nbvCr=+|{c<
z_DtU(|0zF1x;Z(yt;=f|wTrvCHqB?YgRb0YKaT~tIeTCgRYj+_!e?<0nww{f2VqOt
zuJMQa|G+F>+>F<MbX0=xBUe0g(et&|E9+OM&Tvf3&zqQr>IDiIB1!^23r9(eCQzoQ
zG_V0$j7^vW`2~<TE8eyx)nNTP3~lCKY<13=AkWp6+|4nhEY7q!XtZrb&7#N0qx9z2
zyafG*n(Z6|`NO}uX8PaYgGhTlY>!{iL6rnOBTdZ#u3^iM)ot@Fr}VP}Kaa;e0drpu
z)-9M3dk3=(M)MwY%r9GOU7{NFQ%G;U#z{Tqq)T7WKOg*?A3vt8ybhyhE<W>Y58u}x
zJ#&N2cy7&H)?|FhocrbNh6%&Q5{)jT8aCp)bquqd#C*%WW}s;<J@(^gM$??fynBZh
zXTVPK*d{WE8J}6bUs4jfJaMb<GP|i);@G?Ud6jv#-_#L%maCwe53;w)=H%9TIV|L(
z0g5Mi(F_|wd+Buqm`B2b#;4-`CE8qQPn(b?ob`B*doS~l=G4(JSR@_Qq#P?}qHeR`
zTZ5LuYm@Sw3&tY*n_}?Yz*cOM_DXA^!utrya!A>J+`HM{3|ZPA+vjZoiAckTsZ0Jh
zKBo{JYwJ^)MUBd{_NiWkRWIMwn!DVfywtly{bTS)+$_@8qrSN0OH42_Ydp_ud`hJ!
zmm2Hu(8(3onFh0;g-{lR9mfpOr}YlDBg^&=v1injQtT=KK$ND_9;Wx|zspquz8JxA
zCcbTxlaQUdP5zdJPvIU`sGYv1%!Y&QpLPK_T7^hXCg?e=QHb<55CGAc9=46XIqT1P
zky2R^e91$I-}DzbM>T25-b|V3nY}=V`~pd|IF@>gJLaYeo`L6y*@5zMzk&T~e*G;z
z=TlHw-i5$G^rM$xX#P`qE}eMmj$B2p8?KD(ZDxnZv*)B(2JIIe%mC-SFO!`iG`%6%
z=SS%tz$nJcJ{wuWRe_s=5Nl`{`coHgwC&6AIT`5SUi3gXSGld@6s(96Q`s6QDF^b4
zvCMFhf>H&#@Y$zv@k6{yf?+QBo-U9|ena>At-eTYOx?>PYm#yp0T}ocP4V~}MSH-8
zy_G)y`?XEKTcqoL%v2JJOZ(H*Qs$!szm>J;a0}fgBg+|txPM<<$b=m!%zQyD>!1@>
zWOd@`?-9S8SGdWrgS%Zy>D(OPIDBcnSfFMqsy!eq<HLFi5!j4cl)~3cdleM2)WB`9
zpe!uBe}@t{E*M!}TJoF*WT4CeNyj8;JTh^7q~%j(c&|DB^pyLc&tZ7?UoMa6>TlOn
zAtU%7R+*sOAE@7!^(OClhh*$x?s`1NGA#+MnmCiKUjyZ|OshzHM(~&Oqa+YK1#iy~
zq0ea(h_*Ujb76wjD@<WV1g6(DB~X_HEZ`r(Cx|u>Q~Sq(?_?EMO|Kyjz@*Is{hd!?
z2Dq4+?ruF=wia+J6$xXqWN}h5kziq{G-Itou$|uA1Ld4Cx<GhI{;V=;#P@PSX1h3Z
z<<;W$2-)U=r!LC@wn9oR;;<B(4CnV;v_Dd9Ss!~%Y!e2eeAOXY_NeN@wNFQY9HK?T
zydOhMun&xPjG&ui*7-mHG%Hb$wp>wB?(|%vn4#1l`KPR3_&qZSeJrqJt`gMrq2P1n
zyOoQX7?75Dzsp|{GU|hG9{yHs`IZ1ch_xpflI;%#JCpOfOEjMW=ul^KbupUvx_OfZ
z)^7?7*yhwN!J^;00s)82xO!dHvPBp4*K)a8=!hKt_Mldhb&NRb^HiF4C5ae6TTW`2
zRn1VJC@wn}V>$#mSmxIq1g#MorE2O~;%Pz{lpMloXyv1Tfxb?zD?IYpI{@SD^@9fk
zQ$j6VUf)=f2zIC7aZ74lxV2qr`Zd7-nwA($@Xvx!V1g+@w62ZYIn1CuI7B@jLgA^A
zqrv7M;nu=8`j_=IRu5+3*3w|eV7~Px_@!VxL}w{wf}%O$6#|}X9|~$$xCME$SROQ%
zCgYQ~Jz=?IqF6!XIb5gatN-k`d2kkLeYD2lhQ@y2R{5d<JQsyBY>?utAsy*LZ9L!o
zHDF^|zJ@Y5HmeXcrx+AOc{PA43fMqh0=|dP=L((E2clHwU0gM!)UoC<`pndJj;-(_
zkfK6mD<8MtzHp8I)6U-8z*WI{so+7k{=6&i(hH`+<B|#J<Q(~T*(}KhcI()f>(k=w
zwh~A3yy|UCcdN<A(<D{-<tNlfOgzFUZ!W}?6OKUX5<bhkS@z%3Z2z?O>;h1_FJF-*
zD{X?CR<13TpdZy^?ft!Xl7ZUBf^#t&stWe0)4xfxZDN41<7Ltrsf##}BI*G|(X(%n
zwZ1Dc)K)`@M4k%?&J22%*?H9-<+d!-5!k2}g7v5I<jWdB2rHM0UH!pF^ANbjJvybZ
zWidO1eQAJYcZma;{%IOo%}4sn$#?oN)A#F}rK0nilYwWJeV@55;@Rf8FKxgyWCK@F
z3+FDz#;}Ti6xo2y1yT-XZ?wo?mQx@5qQG5?eFExkk7EjI)+uu&_gR*`C!QW!Y*`j4
zL;1(+Gc8d^45?fk{y-S3nx_~?TPbe^2%y|`*<wlHI=bjbXBeYWbBB`;4jTZVA@}(!
z0msG}pdnSDQ!m|!AxANHSu}8bHN7_~<$KO7U)~jFkT6v7XVka;oSc?QBnS$$4%rD?
zM_Q4uNxU6cR)cwnT}`L<1G^#d;M)J8MoDUv1c*#WL1iu}zooS<N?eY4vy8}QbRK}n
zBXWhUYJqa`v*iBI3y@9`d}!J_9DVk)s~Z2smH2DfrT?i$>3o4C{x;yI|BGJ;6ZOav
zv+u*c4z=#i9D(!HlOs10d>0>2d{ii*oLn}U#`quI$FC@-$W%+*a-;kM5B;a}JK$8Q
zLwaAe9#Fx0HmxyKBYa}@SQ>YNcx~!~8R3^hy6viCUxvj&H$(>uEn|jYK`gm-dL>JG
z+c}1_fhb&E@QQY)J4BU}yS4}jXMGKn*k<___yDa<FAvt6xrl~@b>q0ebAc1?>kf1e
zH^4?d@iq=%BfG5UN!<5V?oF`7UG|xlFWNF3b@Ay6Nnx%MOV`AQwQKw=*e7iSt7~n;
zLCHIk4%3rzF?;`!l!JR@0aCb!hA!?D+;VTJ7CJXGJZ|I5c#5Y3y9+Nv+WN<?-h8xt
z+%=lwgb82uJ`68wq17U5O@iW=ap<TE@7|1BI5jDVJI<RNcC3vFfAWJi0icoX)wg&?
zp*p`sBjaCnZmcO+8@H6j&xz8y{|!f82R6Tj-||pIB3j^ujU~0@A@S8jvjbI!zqDS|
z-TX9He3Rn@z&mt&Rxnj@JDF$74C~E?4??W>2q<H&x)-Xo2;7`e)Z@>=O9jPKXJ%CT
z%DY!1(BPz~>L3m^#VC*up#*5l`n1K%wTT<P&M_>bzV5KarO9&Kiqk3Z)G?Wqs=q9!
ze?;Y&FHLHml~7vh<bE*3Q;WL6CDYa}!wYy+4*2(dM`L_ZGNc%Y7+_gZRMDIi4dDvK
zB?pa602%Cxw;)F@;N!TQU*4}XY{~MnW+x?IFvykC{%D1b?k|&0Wjc1|c|!PtQaRg$
zoDAfI_r<R+Js1O{dsTchrE~I*6~~8-f;llj$WDh-<!l0FhF#Gg#Gi2Yaw_jqDa!-L
zL4k0d(r!QwL+>(>?~uQIDxG)Xl|Y=pv&_>C*RPI@F%?QawtQpF{Wn!Cci9o1^Ss^U
z;JpgK*T<;BOSQRop%;}0y(17mr%AgX;8d1;$p2>(9?_-!9%28B!Nm%oQBBK~WLtfW
zp0GR8@&<G3ur)#CUl8W(wKvnbB^NpL>{kvKI&1nao<vtJt@ynDJxyt=46hrSJ3g^m
zE}C||eBwM5EG*fVS7D}r`)-fOpC%ojaz*?03+hbd;5v=5`WMt4=bGvkAb&kdhf^Cl
z1~&!ETcr81>@F3!C3r3<OMxbOGY|eCL5q0r&#HZjxWb%Cu24G~h4raG31wK36svBP
zr%{+sJt0`o&Hh{>=w)vb)A&R8^|p&5$5Daq{3p;nMwK$s6p44avZ<hZ#D_~p4(+P#
zc|64HU%Ay#9q`aNYr_uZWWqTQ2(rFASF2F^y}n+VrTc|->BWJBx5-{E<d4GH%lT67
zh__x4tSY%}fuf=9o}p|TK+rPVh)-Kcv8k>oND3{$bh?I{l02})fNEkhX+rkV+K}0Z
zFy1cMw~JJ=BVTR2{~9vi37MVd2i2DArg5Kl>{_@kU5TqkkBg56elhXTObV9)m)-kH
zRb|hv(KCp7JEjH^19xGB4P&nNoQ`=*xjkSpZu2h9Wb8}+r4?_UT90H3J}JDa%*7v|
zfs?L(HCpszT$g|8ff?`hH5NE_zEK`|nVcXLlw;E51?&W|Tg2s5ZSZQ4TyV%+05m?i
zAG{&Q@J7+sJz%ZJeOr}gXDEuevGa{1<+IJ`=NFiS#M1qk)!>{a(EN$$s)$6}y&K8;
z$3ji*a%=QDb=xOLS;eAlgr5}9jIZCH%QkA-t#2^tT`UuSUQE;g%e{&sM${rN`KBc0
z#gxWy$MY>AG^WKIRTt0j-|)B(KK80KXb1Z9JB`C5_8T$c<`PZUu;pd3qO8#c2Ti3?
z{hZ6w8*avM2D?FN)}v9kXKKjS8Vc3w?GtJ56uKLNMQE{J#|a-SMi4QCtonk$4`r?|
zPL(6T=E!}~X%6I5hHH7fbzOJa%BcCGAzdkGWH#~mg6CeMJeW&r@L9p-tRAkr1qj~E
ziG)FFOOi=GP)-G}^Qoa3=7O?`Y|grmvryXu2BEq}!Cu8Z2_#~(kwIAklLEHTqTz0N
zY1e%3Q0$k0n$ztEep=mp&E{i6Fi)#hFKh)W7te9iSO14`@+)}taT=2)ckQawaKh!~
z&(<=`Gl5TfIIQrw;3w~fVwh%$3EZ`KE?>-gT5$eog#O`D?)_4Eqxa*Uf8}5YE9k$U
z{PHm2xk?;5K&e6~)-C&cn-<<7D1X}2eK|%gDW52z!W(u#;->YKe9ZHiZ+&60f9e!?
zxnDwk6rTF9?ATlr5gn`F9w4c5LEE|jaI|ENi3vNu2|AF8Xt0RwT3h$jSXv$?>O}yH
zgNYLTEZ``wYm*lbLn~;LWW+ZPEXL*wpKIo@N}YTWc1^#k`C(2^0yzWT5$_-x;(-%p
zzA>$lM3V)?;EozL@MaOas&ihbG_V9A)mv8}|5py&3FcM^SGDTV)>h&q>3%d*P)7#W
za~jA^k$Gkftdd&T1Lqxt@zhqs5glM29E&-3EuRf8$*Skx>YAA-$TLJE(pXIXV$9X6
zCNe{Z0)nHmBdbRv(4p7C`0p=luxL=MZ9=p0iHbFwR`kMY%UjybP0()(hROZqpse+t
zGiC>&L#^W8N2@9>c-kQ%L3Me^YQGC-yk;kkO=W`|{e8=xP!hA*;gDPS{`r+wBaI1*
z<g3C#eTyQFL(%H+NBYlKkerEyu$QM}OVOt%a#PAdA!8VIe-7JYF-*r^6aNNbztgOU
zJ4y!R%i(}6yQB~rqk;!Ed$F}I=5I8ANc$#{e(rv3e#If3p=zK^?LqE!OW?UPthrZI
zeF7eK8rWVQf=rKA3hzaEd44xQe`AZB4Q&x`dVAb<Ry^$N$aU}qX^!pj6EASB-GP(B
zJkO;3ZPZ}T--d%i?^L{yzQ$r#mO2?r$fbV!9w~V9l&m7gYc!Su^tG8aaU4?uH;^iv
zF5icGbSZ>4f;D4q?bE=rw3K<x9*7T;!o33O&9AL}c{Q2)D&gwpr7=^a5az8>Hs`j`
zPtf@y!{I8>x&2Zp%0r~4+4s7_v5+vOn|A`XmFf>S+epcl%fm_|kA(<ce|>;s_}UL^
zByctSWwacoJ%-0ImCYj$AFgt8zi%W8MbX#_$3;a$M8)qG>F;&>^TLY#w(k{$6CLR+
zM58Mk+>Lkb`5SGXC1{#*+hl|8`9tmUpvtm7y2Wjm-xUsea(7%RYrJdt0me1+DB*0Z
zdvSn-`Lw?-dnIIr5Qp-fk$tMDc)R57n&uZy;8*=5uI{(TVF<1MWoFFYjLWj-i-2S7
zJmqM6g~A(6TkRkd6ly5e#mX{e?Rt}O>gsMa=9C(4Kk`7yAM$<@+#gc%2t6g*91~{i
zS5!bD3DH~5DFEB2xG4+KA^LFN*BHr2&3T~O`48Pc9waoRTsw{A?*E_<1fW}Lc1iM-
zTD~^%c*f=y4V2F%zu`G>>6C9l>_Ly$uVOu)9(!1JEOqgWzMSYMv$Af%mc*FdLAdN=
zO=cWIIw08uuVIkC<N&Cv6S!?A*d$Gyqg55fp2`Px?|`j;3ahBFbXM$h^;FXgRC#(@
zQSG8;kPeFRYY!<aiAfFarY61$9fBe7{hswg?FfZ8UoZ(bP)R<e;HZ=;{?$EZGDZFd
zEWPBz_ECPjbqCrBGfK<c6+<s69M+dXMUH{j5q7f^t4fWruDj@(^;SL`czc;F*f&S=
z>a5jbA=Nmx?J`lz*XES{l43LJW06x+H&n!v)Am|&e_5l<y3oG37GQMxVWP}cpqz<p
z*A%ft(x1n~58?Y=*XuOyu=ig0E`*5XXnL{y9E^76Xhnr_h`hS_QD@&_{0q(fvMn;>
z@=-O7;<2C?ZmaNXi*=o*4^vJ}gRJsEdr+qB2|V`=YD(IJS7Z`t{!M~<(q(YlSWpX>
z{zh9G`Aru@(W#{vmh^l<TW$|%e0PPmSPANBkeb?U6Rm7Y`j;fEWa#??acNUc_HD5Z
zXKeM2zAyD>s7+=YRd%Sq=3S9TKo%WQ`VS{Ok}>1OV!jH60h2LKeqe16Q@mb(NMC36
zw%}^HYIc8!*T4hn@JepBZ~3thl_s;xhpD02RH|#mq7P54B>Z{YM0bqH3nt5YZ(DPi
z1-eq1fjIfiM<$I~f>{;91KvL36U=M~dnz?H`>oBr{Ftc4g?(Yy1`mq58VZ-|e>I|A
zi4IJil1N{AZx2iYQ&iJ!fCtBOj&KXqjslNGapL)NWX0=3FdoigxIu7g)z{)SVrxbt
z_q<PxxY`+=V%;q1uy_!*68EJ2wMk{BFpq*cw})Ac89ZLUA`f<@oA!K9q|L6Q6T_lA
zGu3VTl1yyOr-I%VrZr_;k&v|~YALT~d!*hn1bd%|Ti-+0Ux+H4V;@auJgrO;M~~}i
zGx5Z$AtF9d6Aya`xVk`QJf9(SCW9o7sH_J*Z7VMpHFYG%mNJ)Qf_Ek6shtMq&!e-8
zmO+v)&Zv!XSp7+g3y&6(;<#3W(>CY>gnCPEW#G}NcHz<sGHm@11xEPVP=|>WbYLt=
zv*tGYi;do-@C7NYF^z)wPGvFE7xLh>DwdGCX$^T)-PSM+coaL1)0_ZM<M4abEKRy7
z=V$tyYEY;Sp;txpa_yY*l~>>O%P?&C^*r-PMc|duFON7|qmH>TpE;;hWDkN&Jj{vp
zJR&MefUQ6axxJaR%Z@qbZ)CV}o?-6O^R;9FAJG3^hScq|#v9gMg#u}OeG)fb#G{LD
zMFBdZ&uB9>I0WYI<DsEnALlzxpiLMtNxCnVm&|DfsO%&?V%ufaz96tPz*FlBQ5V!M
zfIN#AG}mBvh#oQoE}FkA-AuK0jT_V%-XQJK?CCtQ76Z9G99C}T^TB3?F)u0NC^f*D
zUBy;*EW}R@wlp=W78~XNJcz42h+9Epiu#bdcF5vXj^&z9l=%;bjOy(|&XaLs6ZNcM
zU<6DJ=D0V`mpAb}paA`|s{*EN@$_e)J%wGG5okx3<t?AJ9o7)mOlt*5FFh}R^=k)A
z=ZMsxdn&t?b&3%fZy?8=j+o6DbjGO%3Klf*W9JHr(r&P}aAvQGF{5kBWs3i0)|Poz
z2TicP<{z<;XzK;pU-pWOlusyL@s+&oqa=v5%vU^7pJG<|Ji~996apQ<nkK8Qp!;$_
zN=`RQG>9uNM)km2B&MosKg3hFeT(eF_k^0HK7XW6a}0~h222}!v$#oDiG`HNq)pw{
z1iCKttd{XfBpWz9Xz0is$M6e~npBv7B%523mP$@?4W(k~bSDG4YrENj!SZtCUN)bN
z{QVsN?O6R+`_r+kXlu^#!{?^BA4*n^Gi7a3COhp{<+AzS&jw_b&uIE$PIrWi3#2F;
zT|0On9%ZIePxrOt67)3dBZ>j)oV$Z**gmqoQUo*ywX(jSNKiZDB?;cxS1gcu`2f}B
zhRPR)UDNSr73gB!kfj2Zv~4Zc%75Aq@?eNUT-k9afz~yz@@F|QAgbTLa(;zhxCtnz
zjb1@nM?1!nzFIG=y+Vv<<gE`RR44>Ir9qlcM&VmYXx^T_oQ!oRjmdofta47Er}r<)
zX05*4_nE^riX1LHv?H0874cDS!iFs+r;BoegE1%8;yO{{%#stKUYt9s56q_p_m6&=
ze3!CLeNPsj7{E+{u|~zbP3A#nesd2!7{?nRA^R7plFiV{sltv;Gram)9mkIG;Vj9E
z>GIqTBUTwbT(PVHuTAcq=CzWl<NTVbRQlk()DKSO^D97LK0Tk#sVrlO-i<B0b7aRM
zo}u2P=1^stnPx-rJPS#x0!o>{`}e05+Vm7_{&QTY$ueOcs6u^QG6$e7ZNHKAzy(<w
zhddnM_h<ns)ApG3F~b9r9xY<;pN+Mc1t;}A4u_eo+#EI0nXss_+||cfp??Avsh8TB
zVDEa7YK1nI_QuAyKRKlsY+)w=Y5QU5b_}0ts)yG2`<`hpYP?A3M3hP9Z1lro)|Jb#
z_Ea`f4lpDXBV32Nn%anLbdRh!DZVS&K~#SAebvW)P<~&<PrLkYjNB%4BX^<qPb0Ue
zuLWS_W|D&N+&f2~qs(}3=(!b72lER7W_mB6QezRQ)Ckevo&&yo(Kk>`?Lgqmdth1h
zCj7Qtez1X|od*u6Q9O!f;>SFjB@>=^{Y=Pr4Cg$`oXb$0!nRZ$II`fV7hDXCqh}+U
zf?6vh|L@(OpQ}saRaFBu3q8Mh*qRa#yF}XeMR^HN=v$AjKk!b1kOEW~ocJrKt}Pbj
zYee~84;9<b@y?kAWaLVur*qCvTX!~jW#!f{-5M8$T+QSp6_%Z>IuhDQ>}BkcTC}e<
zI?`sbV=%4h;Od~$@ol^<?U&F|@`_=w>`e3f&Y}%n{%<qE1oMiGiWg+k^5ux>ywIU2
z4p$Tiihmr|_`imM?m{u^ndvX8Cbs3SDzmT9UEO(Tf@IZj;(ox@eKtdswPWYkHfEg(
zOE&)Zv2ri0vf;_p2JQ^RD3Fe?JCg|!0D3h}O`u9Wr>FEs$UC||)NGrT*ml2S+1a+O
zWYU2UZZILm57N+~;DD$H(tYF4vfh`@)hGQaiJ6#z4eLZ~&SFVWm6|5Wv17>@rKr!q
zQpQ{2BtJJp_$m-6Uy5F(xOZ8=Wu6j4sRV|-^OT?dGnA<f)wAEk<5+1_CiM2YWYo$&
z)cRj0?;ol8&Gt``pkoW37j1aQJ68@)&6T8GU$R_QBH2b|-zHpkSKXD9;P<SXi>89_
zDpTshk`CP#2}iE!2o~_cT#qOF5l_Xd_Cpp^l!>SO0g%6W)a8vm1=}1`S(pI3(|@#R
zF!j(|G`a@|J;flvKu{(<hZSPC7q#Qr1r~Rs^!O)ie-K|<7Uu6yKXPIF?DFabu%nW(
z^B2|36zF<!WcNm8B!4<+QO#B{i_!O~<Rc_c4!0liMD29&S5Kda9fgn}6#b?Cp7Ga#
zW2isJ>6vf8yg<8FlqdE2k)sniizrgO_km(a6wK8hS#+>3xO+8EWyLg~HDBx^K82c~
zj&dHW60Usu!;4&9?Z$?}tZq5IU&iC^Y}RP>uD_v0eEt9OdCwHvC3J2TfF6w~?Xg%E
z0HF&t=|e&jN*?7_BFmCSXuGQFjk58fE)9=1+Fqu;Tdp)_-&cH`xWpmqP0E$U^T6n+
zeoo4mamS#WZvb6;mcwel?+bu6xg(CXRByO__jlfN7PHhBOu75ny6<5v;+3=6CNDNA
z%hw<Gkf`if8uN>JR{Trlr>TOKiI1fa(5BkC%K^GF5U%ZZ26bVwo(r9AfHxa3_69m%
zOw+~=i_jDl>?+Xoj#`hLG<8K%{GLUv6)tglqpC<?gdC~}IO@OYeSpa`z604u+VkPU
z8ptktt5r34a`HRCQ2eD`V>;B~=df^0{Y`X`%0~WZ8lh@gYz$>B2+zJnLTS?OH6&3>
zmp|c!tp1n7TUL%UcDzKO#G<6-jteu@l+v9hUL46P=eY7UF_hGojR>kzNP4>tSpBwY
zKAF$lqk}+e*2@9hXQm((O3?x@x5)#@qyUm}b{cuTJPUw=eQ4QFKO`}^In$M+p8<Q}
zq;skwUk~XFn*{FTW3yn-!30jpf;qlM#;~^Qx@NV%h3&kfn@D!mGs?;4dy((N@OH~C
zx0<Y!%zL(`s66LQ-1TaVZ{c1uYNfP7+rc4K_Xgeb0&ss95-{93ONOIhiX+wF3s4Pl
zcp>t*PW#Fsv-Tk~{849}hn~QMhi-fYkx|wjmV*5*|1fpe5LYPwZ>H|7@+@<YX@ZWX
zqqL+)E>O9FwIp3C>*;iDQ3Q2B<JHGtvNe|D{E5kSGO4BxN{Q%!YK6lUE<cBDT<&KA
z)T^n}jO@43*dVI=F^w({7tiK`3m4R{!p^gtVcFt#m50(vh5n!r^N*su>F%r+)0I7t
zo%ewd(m=uf2;zNv3Uue{J6W$!Uv{jIDeH%{?*eHpusr)`;b(Nnsc(^On)Qc|emB(2
z+;}!1Wq^H+0V=m%o?8fU<;iY!{2K|<e5>*kAVK<Y>s;y{-}gSh+tEqzNgv%#1vtd=
z!r$(e^gulZa)kfaIa%!3kG{{%T8>*y)3TV;Yp7(sUFc9zbG@wYg7|y4+bV3$vz$k~
z&6^IS7Pk6v?d**lhE~g(tv6a1R&|hdE_%fighy}YA@u^WT(2p5iwMkKrr{rkP$8fU
zVqydyFQGuUT*e|T=G<2AKsO#>v{^K+{y1e~7^J2Wv5@OmB(@pp4e||hpHtzV(Svu*
zVVjuDLB}0{06o*7(5o%x<K?p&CYOE<&!6I!qa^h_dpk2a+3yH%B0`xv_0P(a-Yj1R
za`Wea+`RY1EsUP>66?x={<)X`HmCh=jHO9y2b?GqaK&9^`5z9xm0j+S_&LDJ&u*ah
zr}+x(Q{ldy`ge~uuK1rGZEZ>pHHK&s+Rx=w(O+5OWjATt_n>U@kr3~)ax;>!YF(Td
z2v-z~H;ig3rTpEb4NC6ND$Xtg%0})7-bAcNjWnuV!%L#HN*$|ZN_)@S_m!tmZa>T1
zusQEf<5m;2iivOp_F=%a$rv7UaqBQm*v#Qk2@+uri-%@DZ%}Z-YP4v8Di}C&r0ZS4
z5`+S!pf;}hv93YZ@m~CiqeRN^Yo1S)>xvs=@a!7@@5zL3^Mg~y!Q<4f(1#UyHI?M~
zR8p2;7G7g{smpcElJ`7B2108cGw&*|`4B&)GDj<X4>>4tG^Kx-^pJ5^Z;zyZP!a$w
zfUmKoZpXtotCMlvqyhcz8{4|BMUTYQrfwF1lq;Vt017~27*_5+E|-<(_gX7Vl;y{7
zZ`+QkREsxqGwUw#tPeCLflL+7yXgF!U(FrN@m;*`{aToH<lG?7-{w~%>4DOJRe?;y
z`OidAyhY7FuLvLnW`ZPfE2HxGr%GCZp<#J#Hv;`XCsm$`cWG1d<bHIxWujRBf?%Du
zZM6xN_h5V*6nE@DGx_Q|CdwrN5l_o&{Gm4`2cceJ6-etP=rfBLDN_h6uh=zLMk=AA
z{7Gk0sAzZv+$k~lDloSC(!70%c1nhTMZ-jtLfbQHOuf6-wF$8<EfnV{@fBwe2t?O@
z_9qbV0dOpCG1kDtAFh8NiRv^yM`u$!S{P?vdB9Vov62?7R-?WKl;6~>Y9TE}ZOA#6
ziF?bY_W?rK)Ozqnc!PI??8Xd^NR5h#EyGb(mIrOC=GLcCmvC_If+;hdujAe)#9K2c
zUMw%e)B*ftGw=@A$kGJXc<GOfVW+KwID@MApOvHnU#NSm5@%9t*2$ao9gb1(C};Im
zPiO{+?vTzKwaL@{-WiLOJJ+IfE2wR9RJP+X(}oNLyis=N{5&z3j4FVW3b_&FFstZ4
zj&;Vq&nZ~L-h#88yeCGd0WgpRz~!`QLI;Nrb-hjBuB;+B71p)js=~|^lJIo%(obU!
zDpuSWf@?G3#U4*oYBQz9t&Qf#F<HXu+jMS?Oj!i&G&$xB%(7A~?4ZDgSW`w;>;}<T
zJs0llBI-)Iv^hiwX`v%Cf9K+se;&N#L%uVS!nB^Ze!>A1BJ+T>|7*&VHV&&1MX1*x
z*$l+&BpRFGjXonlbX|FOE1=qAeGnpYTXG9bIXv|%b^!RrewLHU2G=dc^p4?}&=A(k
z^Ty{!6hlzEL~UvoB5z;!{IfiPX=shjO@w&{QR1M+?DSCwD+t_Rrp%XJM-=@w*$WIn
z_z%)1ebs)U0F2_c1<}ZhP(NW`zqU#EgY6R^b%)KCf$mgGSJ8;DAy+0mUM&v}Eo*H0
zp6N2@<M)AMcx-CKh&xdyux^^+qz&o%FJpcCs12NAHbHhw$5BrP(@NHp9Ng4jg9qK!
z61x$|^~7&DG9soz>6|2trHm5w3H*Hp#)9U+tr0u)7vIwdRLzmfnmJk!y}^P_=XL#m
z!4-ta_*5LV@DE~!%x9fpi|1?Ahk!SD{jh`X@U)n}xQ+zg7tHAqV~j>1jru>-?4K(S
zA>$Lt92Tjd_8Rso(7h$c+(R68juv={S9&$;JPnLx+Jxr(RR+ti;W6}shp<pGKe#+U
zUW%g1geh|Q<Sx~j`*3w7PxBS`{;i|Mc;g(kzt$KguvH0*3SxNPame6-#h^95L{drQ
zdbbGSg8d|E{>-2tb+FQY4!GrPcWFQ}G0hKbbyCjHd>e)9Bge(uBXQH)uv2QzyBR;=
zPqL(e%yzN&zmO%_%Im8@^Ksc1elikVls*EA9zc~uE&zI6uOo^*1`o^#ejwFgYHLT3
zJ#!1v;7MWTDy}uQVxs3}#ZK>!sE0?b@n6L(-)eu_-Qi<Rm}`=Q-QZLGD>*QS7nP_m
zGx%}HFeNp8LDbm{e^0L{6JjrZk>wKpa=UFfeCEzl)y0ZlIl8nFnkE}xW7>p<t(h6)
z4e+2QbQ!%w70}&!XU#Fku1@90_O@AjPW%1nh+V(i9L#MM=uZ^}Xp+<zjt^TfNqlBr
zrY+9Xvtd(z3&71(r}6E=7WN<X5U1{o5+z7ae8%Jge)yM$dIw`pMXgg!)C#H<%#}q{
zZ#V=4-7=Z+h;oGz!V&+JOt?WA;e3JXp%Gj^m7B>*a7&I;^#^n}C0W%)MC<Td+*%K6
zl>ni?4<ULCmM)TG*o!HjjZn|JsPxj7%@8i&0DF)^vzp8)6!18S*`b?o)}{loKLw4+
z^VS67>q=w8HX?^~O}vGx@P`Go*u7C78%>O`mc=1YD9!)qnEjW)c8Is-4!$q5;R)Xd
zdU-<uGs>`8Pjx8mn0d=VfB(K2+`)P9eL~Je;GWH9*?*G}{HfK#gfyUl<kZ}&hVSI_
zj%_-ov<ebNgIe?Ara*Z~J4e2J%d>$R(eo(wihQID#twbeZEzWF#g!Wv|1rfMt61#9
zzrn&ZAh2aVwq!%QGIh;uOlRNU)O_gFjjdwZg3V%DNxhHR02^T-nbpT4h3Wbh8$l=y
z#J(#MU?Vt5)a@K^VsaGsJ}KSyivO+Sw{3D>g(s&<1+=#7SJPFqotoT3hq%j}dldGb
zJoeLMZyP;Rxq>%3nI^70TI(aV0aFl@tSD7`4V3?2QOf~`ezn?DyvxWO_sEkb2hjZy
ztx-Da@TW($9Gz#Uel*ltC7P>$^pb?klF3dVe!(G7b<55d#6GnjG00vX>r3wNH~CdO
zJ4RlI&Q|6lkkCm#9cXdU5CE}w<{?>p^@C@=l-_hrSvClZelFXFaY-Xsuf~Jk$%D~0
z31(WVNW}VUM|oxTtn%&tzJ#U9eeTNv4;=b9ncR|pL|qsk_8$#Nr<vCtv)G9rKh3@}
zD_B?kM@T302X0mAk7^QbaquvqL+tft_f$V@h!z?XYdBA431O9m?6*mFA(Rg#G)y)2
ze!{Cv6#<PdpcZ<gOD&_(r4YerbSan2HngjFnBr~P@+t7nkx4(|{Bp<V#Sab;C)9^G
zu=mxouExnSa70_@p=&Zz3INGdjVAe@d`SdqK;pwP{T0lTVXh7{Wo3MMJW4*DVl~hD
zZwC!75z^CcJOG_n14n)LASlFJK7j%3zh)yTNKEB8RZ1`h;7b->&d85xOCaKVf30va
z9i?T7e!lg22pY3&yF|N3I5%=tW7#z(e5KeOB|@wj3jRelI|i(?5m-yA4+^!FJW@VM
zc8fBimKrs$iFo{vHCAK}XuPLQNnkNugdH6Ij_1oOiD5G;G%GKe=jP<|b=rpaWcnI&
zZ@ym0V7MK5@Ep5(=57z1hZ~B4L3sEp2H{`6`3rIho#oeyr<4z+dQsm}OQ(C(C8%^Z
z3Luz$61-&{uWkk~{fvYl_@r^~cWZfqu3Q~-yd*a1bIxedGg?z89&47|577;F#G0;@
zjysW)>^6<_O&;z6?ZP#fe`sYbkN;KS^8XD)SRMmY+{SiHw=T+mDrWsg9gwrMPu*8t
z;aEn=%<54GRKV<sBVXbx0L6^;KNK_D!o>R~K0aNk0o82ps?x7>UX!|~Ao2Dses8qU
zIGX8|CQ#%uNiTA-88(c9{0oNAtzZTHSkE9#UTpT`jHy{2@mEh6HA88jOdIiJ-8*Ro
z@EOHB9v#R<`=feJt%z0uK!0?pxg#>FdVQTd)Y<;$3Z5=Mj{8SbTq976;{2oDcY<`p
zE?DXX1F#}MDZ4#Lde_E5?aN$Pu4ae97k*UET0$P8#Y)N^iM3QpQF*bZubo|5;1qL9
z|G+zDOE#TV25FWxegovCNDXgO;~apBkcX&qNYpijKgtkEvZmODEke~4;N=70^MVnj
z4<1>5K72d3;*1Ajs?`jYC+O%zkiWF@sJ6egn0;Au*|Xyfu%3vSCJLhNf2=2POdh_v
z9g!y_@QU@i(Unt}eIL(k%3}jv=NbWd%rZn8p#r`yhHpLerZs=^BFcFCpC$hi$mUDv
z0@-W2KxX;XM*uf}Q${FvVubv(3Ypusv^sXUBye*jH~sY81bPE4`d8YdvbC>cSGDw7
zXyLMbo6>i&znt{=tT*9*uVd+NN9^GxutxA<9pTvKz>6aPw9?njriD>hqfV1<PuZHv
z@52_@cutq2FU9nwC7@d@f~RtA&5unD&1np}&P7GveR(Qv<t40L*W5I~|Bj%I`^HhK
z6msv&BOTP4&i_N$dq5@qzW>8$mRX;&vNW@_;mBNRxd)Y+xiiZ>DpyY28?b3+>L*Ri
zTrKy?0ptQ3iss4%Dk|=Uhzkb@Ja4nUzvut^{-5)3vU4~`;eB8Cbzl2_y*~Cj5DWgd
zM%Ek&yR?HG0ZNbmUAU2mQgltc-rIduN9w%C?i1&DPRi96?0RytFBzzP)q(7#>NO1x
zsz}wPs(lQ<U?u4?g_W_+&Rp&<DgQcq_0De|6~T_^wGWCZ2y7TowjJ+H+Ai6i{K2nq
zG54k5JyUSYxLm2&t(4rRtW|VLY0QSLsa|H=x@fcehDZy3(TySyo?)0Kk5AXG9_aqf
zB9XW?U8YLZBYF$306>7aRcet)SA{)x5<TpI9k`UfR_)!w&i=2Vb2qT5oJ?p|MI&N`
z5bF8Xy)7T8*C+}gs(^d+Yu=?1;>3dPQhe%a&EDdwFjTLv$l+6m{2^+)OQERj#iUHg
zAq(~YAz~Vl)){`j<9k5F_Z3}e@J2$2RODKso4oZ0o)HUQlRd~mP)fBAErpN!>~S2$
z=Bt(5Mp0?*yLTtdcbgTzyI(S%{_w-s>%4OR<_Ar+na_3Y-$$0WQ&$YKCZvQqdDi~M
zDX5J6xqKL~(}vM%H*0d+c%+&SEqQ-%<BbJyqKS?ZwWyyR1Q~V1|L~rCVCr?*$eCq4
zT_10>YW>4NTmAfJy@FnnBL3}^Coc}JpHL(MqdO9_Cx7D;7#5fhR4Z8$rh{>q86l1t
zn`-##!%ZG)`-wn&)sMtprxMSNEaepbB3?rj!YJQfW>@#y0Ep??0VN-FvR5Zh%OKg7
zEM4cri25XE9_Z~aa!->h@*=SzZyJf7plt4Wh1*Bh_<z;8{?0Q3)U)^Q3^R*{?Rc}G
zi3?b|=vEHx=%{itK23N>uy@r1EyjLO9#mOzTJ0XYbr;!#e02Nd-f^YbAUafC@Z}B%
zZGGlJm8su&1iO7_l{uJq{Y3lvu5mM@H`~Ha@CZWN_8+kb_76ODKw&C8<8FZfmy7@J
zx$VwN5AcQZDbGuLG2VUdc(zTj)SH^ZwgdghqQ4}xxO_FIqW^-3+(snWYdW21<Mzx{
zGVK$g5!ULREFJEBect)!z2CPYH~^$b!5x|tX?2^=2b_n(G?o~QA4Q()O!v;@QM4DI
zOpOC?GHaU9tn6&-9dNDmsv&ogHia8y=RMS~c4@VIgTY^SNc8cl@mU6HJfYcjt!_Bo
z%0yGVd#<La7b%w`PpLw`A?gdg^13e4oatg>mLXO(7c|~k&i56TO>IG@0*(mKld}v&
zXKAliDUS;dP+)YW04M1F-zm5M6dYB}w&*LfOSC1DKq6>u_`yzu3d+6emYtgk68FEE
z5_{}H+aH9;yqbME`DbxbUriWV6^PhJK=09RU6(1UI)69)U}&a6m!BY^Csp25>Ub5N
zQl`Rj&0E6IZ7?OsG|}bK1VZOgp3aZx@Y~@k{1AYzZY>b;_-En$(u{3V+T?EB%ksjk
zJK+`Hhr0yHXD_1h!;L!7nncQz`r28r3Ahs}*wz0Nu?B0^!Mi?a{U4r^ZCuFTJSDG#
z9Px%OB4$=fWN6yw|360B+I10A09}BHr>BwCl}e|Z#QMwE9V8hjdY6A{MC|$EFspJa
z45Ur*Lxm`u)QEu)r~-A!{vO<zb|(ANtrmdnxh5HT!Eh1Uo=1A!wxs$$gVR^fZnKvb
z&N6u&rX_&+$vrz7oxU$4*+-sZJ420XIc)smA!lH)aM6Ss@D_kdTiPBgIo&A{CH5C}
z5M=VS-C*a9oY0S9)UJ$-gjJnl<_`cCCF;+`Mvdp|LiKnmTS4v|M>=a-K<nnt{(Y7U
zw79l&$A0_E|8j~h3T^;Ju_@8d>$exTr+j8Z1QwAyC@Y|Oo{Z$brDotyGP!rMm&iRE
z%5V~Eq<eP%xy{X6N9uJpIU+>=Br<)w)TGY*UeWfq{O8{EhEZi=tsF3yQ4>9T;K(-p
z2k@HT^Z)Vr%T!J*a2ce0%4KWM;&>pN|37$+b?+;V{AnZrAMhXg)evzwGvM6U*#D6H
z-kvFX^7jo;9nknQ%X;;oBTTJM+mwM>zbDz4gbnDj#J_3?yR{+t`0sB|KWsNJ72}9h
zsZAAL@Rj`{8jWMj7NZxkn5GAHRd5|g#F%5#@hDJ+y+C|NEe#LUHulg-`^IcLqPGDZ
zOUe#zTxzLxl+h(JRjF=atZmATTyCupPEe-8pX{%lQ|t5&G=#74OwsD?BlQ8C2b-H>
z6L)>NfzpiS@;yOaI}&1hWH(TK1BxLb@0rJVM&u8X!i6V-M&_->Hi-`A0&w0pNqC6y
zdV;`lGH_9X2h}MS2&h%WA1K}t>5*LuzoiWNy`nQ5>4|)lC)x#0+_%h^`=oNk6qZBn
z_B>8kJv7htQq|YCv2wCxVvY;Z@+BBvcV#{EcDdXnKWFLm4UpqoXEM=nP%}m6tGRfw
z<`#EaKtRlf1=HbPg5?@3TZNGZV_#+zG*&_-moe6fx!G1!jyn032tvV2D%={=$lz!R
z_VhDC?B^Nr7RA=pt($;A5B^*l1s*ew|Mz1?tz2=-wlxK<b54o<qW2y6>0x3#mmL+V
z`f=jQD$hfc)Vsz^{KJ(VHr?ox%jv0#B!HTcm^!X@Wg)9dmd5om`N`OmugIkOT>4KL
z01tKXGhVnaYnai09`DcwP!ohZB8R06&Z0J+_NHu8!=9z4Ax`2Wt^^vz(J)oXmxF5(
z48?8GzWP;}-I&bj<sV>RhaCQrum(Q`Pt5X$@5nO>`mUm@SR%?cCg!NL$-};44z+_%
zY#xS&@xQw2`fdNa>yN&jK%_F3kJR(aY>K(dqU@~Er~1!TyM$eTREH=oexk46DBH{_
z+t?>#t6;rm=V3p?<%{R(C8@ZXI85BHoDNHZ6iwe`;0zGipG~dT@!73+=4@KdGc`RV
z#5aS6EVH@opE#UVbE<3$8tM^fE)A^cj88;lmHAXUh7ov7-4Y!#Hd%fq1K3!|;)a8y
zQVAIkYr2iP#kig*(H5o{Ju(dCIm@`-(Xki8oMoYA&<#bV#Sp~3R|&WRXR9seIxSDq
zYqH~d+l+i5>7}stn#`+}7xC_+&4(L=Y`cXd%CnlwzJLKj+>Tq8J+GX|b=OjoXq|6x
z2CO@E1G&<hw388x)K3eg!b!iv-De+8`xXEk8Y5l*J4K%<3T)xID|lu86?sq6UdcuD
z!OJP{M%An~rbaP>?+`%dvRD-@mc-3{HDX*WEH0{W?@jXQ+NT8Gqy^k0`g4#iH_hc2
z;&B;5t5U02Er9*g?N$xVZrW3gqqEaG0RdmBoeq;-ml0Vn?G2vk4^zzfm4<@$m}Fyv
zhHw!>c*5hH;)==4O4XLrv~!7vW!N!CmH{-%*Tm(D=j}#mLd`J%jpaX(Q?^R92fe)k
z3f|wURrv8{nIZMu?fS1miqCBdA6mQQWD?o7d?3u2ar<athHy8LyBsUM++Nxc`CKE{
zDV3zo-=9r7+^lC15z%p1Q@nrKb8=UMV<Lc&C{v3vv!P^fvr%-XT{=Unurc>2o(`8H
zee`S$eY}$L8QX-pfijR)3~4D9rV?090Y!u#)uqk>y$Gf*dE9}l*DJqvGX|N-0UAO4
zz3RH7prO}(S<mM1)eAjJwz$&qn34Qd_uKxLhJlOaT!fU;cfxxQ=78KzRU&70O9>Ws
z6cy^?n`$FaO;-sIH*NJf4OxN4yP>r7lVQd3ml5zAHMZkfj}X?0kK2A`A-5XXc#KzP
zMTK$>K0906F#dT-3_|#_afa$jx93wwLu+)?>HaadTL)$M_?AuGGQ0Fv$Q~JetRu){
zqrJ4i_XIvHz8b&mxXToMq%<CtKfCK0t2hi|O-QVLCa}5e*@;CM(qXT%9e5isx=Mxu
zgSd~!^*YL0OKTxE0qsmMKj}q$e)Gyve=o6WlUn3E_XW4e(s6CXu*L^}+Vj=%pFr#%
z<5Jk)SdbwWy{5R|^qB+k1_>zROZ{K8ubXG&%DaF2j|>_={Gs+-h-aZ$?H0!3wDJpy
z6mf2vdQeg%(#WRtuqK2@A<JN2Nq4QY-=oTmsv7+QzUiOA@HaRgbVAp%pee~`xiPPB
zwoQ|92Nx|f<PnB0imsarhnY3I&fJUrC$SiYaJGAKLh8aU#)skDN@)vC$UhKaeutsJ
zy37jUZbRX)m1@z$f{6!+0RBRig9Mq-n$Kzy6-?>+j6~_CvctFT2&tNmPKV0^V=&}u
zV?jN%Bl58Sb)2X_8>g1v6HI*cI$u}xszK#^IyI;<DWC`TDduOdHo5;>S{ho}qq0P1
zh`bp})*tULQ!Z_)1vJLuPq}<YVL-n%CR;2@^={s-C&gEap6rUI>wkQ};13`Tz4O@T
zySADbnBr`|+b9m?uG7(3KeyMyH+lLDE^bD$cj;$%iThx+gQj>2l(SwYYiX6T`yDN^
z7zFQV??<a?c@5|{*EBeyiZU#QthpQMgq8AD-#Plwn41ow;qyHmH|zFZmGajx8EELr
zU}E3mTsUFnO{_G~(x`Au_+V~5z)02Y;XVtSqGfxxR$H~m{=5$FVcnt2(VK!5@K;l9
zUpaPIwx1~#1K0`AF&{D>)Ikt1GNk)oExuFT-@?KD*Lw6cMF^FVCZ%b@6<#>`Dk~?w
z$+^RwkAbc~lVHnz{~u2y&8()aay$R@J4?*mX`oW=Yxv*#vf6c|Uh;+q_u|>BZAU>x
z<k@<bWTo>t=aF*3k=Cz0)pD1fpZK*Ryh0w`ZHaUU4?p|ip$#gxCs&d10UapU6~Zfb
z#Uzxz&=yOy*6OMV@bPRqSLXa{88wyDUsy6p)DcTdj_N!8Sai-!M|gYzR-MJ}jksa7
z2a<WBFjKh^5f&O$M-DfV)91?|sKzuMTDoM~K~uBF3ZF@sEiy)^Zes61WL7jx3v#DV
z&sz?A&OvqOBsZ^zwY^cZbugTG8y7!&IDh=GH+l0*;|kwd67jqz3M~)2T_XI73Fyf%
zyh8JiX0fN?dbn06EwF&st6u_8l!3o-=>N*oyqHtV8#cWW%uWA4^#RcR|5%+@cO}=S
zcXONjmL9xdsF7MbVZ+miVu($>`^0DW`s)%x%l~5UjNYDS%=<0<6}rNNz0P_|j|yE+
ze-Vfbo<Fk`*|_hlq2RKe>E6?ZwIJ2e-Q`XXLu$MU&*nu=3E3$4-pcQ?*0Z=y?E9F1
z336cW$z!w9UP$coEO~!;*{ZHiApa7_x32u@UBqd#1nOFGNd)bKmaoaDIAE-5mW+?Q
z#co*0rDx~@#epe}#`_gBtdTbJ0aB7<!eN?v2l|ujN2l<Y8>tdmjcKJhF6>Aum$khR
zcTmr{{$foq!6c{66WkqKK5wz<b<@pE-Q#*BAOP98Ka&IBct!xqKaZ;Wmn7i2-*#?E
zzE-(@<ahfQ=pk{aNeu;ZemQ)ySBDcGuvl_<b$leRWMyg;b}YSz>3gVaUxEL-9)q<9
z8k@_5I`6t4P4=DWTjgXPk-O3Ii9y66tgc$)vwG}1;&nQ$YaHeZTMK7?9XH>wKzY_H
zYud0VyXTPcu3>GUnpa-;*unT47*cA|0+>8z^{Li6#iJG&zYw1X%do`<)C$)@o+kRk
zNI5j!`!MYi-i(4Xh>vOy4|cwgrMUWi!f)3K8ZY^gkmH`@BJJ%dLse|5zO#}<<sfbu
zl_u59F7yQ>P5vRNB!6NfeX8J+w&m~p)}=R#!wOUn_iCI17e+cQJx-SWN42s@C(y_^
zFl%Ws(vq(P=PyK-Rm%;N?j0`Ydj(t}w$wBLBkeDwy(#A***d#`&qGV6eJH$$%qr~9
z6sjR{M)*QmBp(RmBe+v06&8I9LcK})R;nc!zUz<j)k^O~6CaYjtak5<E8izA_wbv;
zV*6b8zSe+ub$6nhu4*4U?-B?uEN^<d>#eIKQ;Ffhr51F>Vtlv1m>Cl_GO|_O<3Fo&
zZNIt1wZ?(r9!Pm=<?LWW*F8jt_My}V{rOxSo`QQlHG5c{pT&sHc{O77b*N*_NvnC2
zGAzdzDM#~H&rUp_dHKA^v4wO_Yxu*Yo9^^apZ4KHovDhZ7m_;)7{!~tu-g;f3s(y|
z5T|&g+_hUNN+sC=hnC-8IdvatGF6owd<WiJ{b{UpoF6e%Q*I_7`TZ?0vnIv%ozHWr
zm?&V9@Y)a~^W4X*V?z=eB5tk7s-r$hxP47_rKY41)O@q1jptDJox~uStTo+4Jt{X{
zadfr{1uf=nLFZcm(-!`_05;1%NL`QrbN%OwXrM(kjm!6-MKEW{NaX27p8D?Z25&&1
z#t~<7zP|b5>T_|{c9`+5LOG*j{X!%{k24fRRgR)j*&YX@OLNx2Dk#QwJ{bA=&wg+L
zd78+~^;nJLa}jnX`XIioz`dL$Dcn4vpiFTfgZ&JiZ0@A-F-JBNwH}XwzXE)#{DEs)
zI8_mzk&MmX8L2Nhf8@rgKMv{_U|S?bqheO?Jl<PxpD5#al?U`iX8YoV#svHLQyOjl
zD<28qJlK~}_X;E|o$_uyP)-6)0vh&z7`Z{e%~QT;l&at?Q%k5X>*&T0a}$t;?)GOy
zej=qdzzrhWM*<{3Ba+%~5YZ^^mh43sX??L@LUJ><6!te`2W2D!UG6`p8F)DFnfW-b
z#k*Bpn;{Q-`7k$FJCIqR>;EfJjcOmh0pdjjBw<<Bn#|Y<xt)dG<^5lYDj?z`^^aX3
ze-qVP{wcAr<&>mv<?+%RGIw|W>dGNCsk$Dni)<9pc00cuM{X)Z5(r<OM<i~d6?N+v
zdTj92lwUAQ#@>+SnHUr@MLId8M*YA>W%vlLDQ_LTcXDQ@Ena(j=lTECc%pLu0oDgh
z>xqd_bE1`(xE!Tk9XD1G9@a1l>Ev2$kLfIq`4zyY55fY}26#ckCy<Pg5`cg)mQ!sf
zp_MzP7IBV4!)oU_f6G!#G^#WWG^K?SFF=W36HGl++=4Nc^!!~B@vFA<*Joy`QO#D(
zN!jU^ZYe)9$5BDFTb<SFic4Po_2fc_7G!ZKTrwy#0lOnwq5s=AbfkgAr#`jEiAIT;
zZLWVv0kt<@Py}Yp?i0!4QCT6&t;^lcmo)UrW{IC0lsDWrGy|t-#{{(rWzIX0d>y?1
z^{Lsm0FYlyuBspscDB;QH8k5~udOLTGn>oT6qdTzk$~jWlG*Im{3xf$YoajuA<$K`
zvqn}Ib=gE+Rm{6WIKrDc0QP{N4{#Rjjcl;fE^k}Dc}fvA>0|?`dH{WWf55%vO>AAj
zDS$jz<GX3nNquE$^knHRy&`x4p`5Q1I+r&6X3}!ySU}v&%h}n-?j=dqsBn{Iu=?xG
zVsaQk4DaxRViWNU9gQ4dWrVOt%n%}3te?{Wjs0)g*PB22t#LcaHBj&Qx#OKLsD6tP
z&3L|)c+tq@*>kRhl+$Ny)<uhd{QJYO=<uN4`PA-L@Z<-!CAQwFuJ;W^aaO4G&uV6F
zz%Z1{ht6{ems%|79&>$5372tz1BhS9hRs6WKK416lqP(OU1Z*Zv6Ca*s|$|&QQ6(>
zgolmJ-dvmBOj?Ue&R9KuEg^r{rnGjgq9|5oVJh5^bLD|VB5oxg(Y{yMDf^>STEx;@
zcbdzrH2GTPsMZAiM)h8L%>#n1-V=#S9W{tesu7j-RdgkRo!pUIDg@mD-y=Tz?`7io
z>J=W2YSuOKoK@!V8blwFG9qVwN^!nl`{Tq{=!~lVhvk4o)Ab;O#8v~V!#;@@-&Ht_
zT}aSx=oU!$NO#|i3NdXrTW_g$9-8@){WKeHD2F(h<a2V<HhAC5+5YS6<N=G#M`DHe
zCCT9X1<vJfKAIpR!ae6&`}H(xG17I2YT9uP-Z?$i(6_fD#92R#o|?mp*WZ7wRNGTp
zLjS;AhF$q>WOjyifI68A;J=7Gcat^L<bnAoRPCqZoz)WVVyU7I_v1#iY?|}(wmLr@
z={8DKU9YXu33To6xi37f5`4k4CVadyvc5)Q`VGT=DkrE4p?~!Ke$SIKrNYtfvpMd$
zO>ayh>M|pVvig?2S*zAVYe&`Plea#^Atpa@`Ci!*Q;J2VcRd?+KrWxl780kK&o%q4
zyup#nA&9c<OC=)q(ZAJc#QoZTJ?|4P-;5{jLrIm1Mu}mOxpGpeIWa%8R)3{LyNfrc
zM<AqiblhzDOjYy6R>$MImpP~aBj`d%Y8u|fU=ZnoZj9;EmrztRR^Qz?u~hr5I>@^v
z_|S55wKVoMBsRlt(_%SS$;PrdcL3F^vvsk*#%!u8Mb%@dD&km+h#hwo3{M*{74vtn
zc1u7Cqe`@YKjvcPj{V$ihxk5<&UIvDQ!_A|SzE|i5#@syqS@3^V=z+ytIBNBV~198
zwl|E5FehiZVGF!Q@F_N}rX_irhtZ?VdJJiuOk<B`rNWpYepcJIzrH(qyYyPhcUuS0
zrDW&C)^T;HpU4dmaRR1VHu>`J`cnA34N_KW)yr+it(L_#Z^A!ZUd30M-)*&si1D<|
z-hVAVjfMAAbd^}JrNhOrCq1LNJ|o`i6_!p2G-|{tHQ*L<8Ji><0>6zzhlxLQX#=lO
zx3;qde^us-v?LF~REf35Udhd+LZ9(edy3jdIALCMeV$Ne<9T=ddX(EPz?AE9en}cp
zVAvcnRrAvhZI&{I4DKD&lj1m;oK>nj>E28o3P^gwk>PDzd$`Kc#7lL&lD@XktcsYh
zd%L|)tHs{$${IVD!?gxKxaXe2ReBZDIu?WG0(^2Q@15^f)*>9FHg(eg*#4HfyaTAY
ztk3wO*NVv4=6ATybn#D2JEn3Z2X?0%yr}UX-xl4G8{$|85UNwZ7t}JWH}A3m2JhY=
z2RLRBiqSa&iT(~Tfp69U|BYa`XtN=`_s$y_c)ZBfgou8P;ac>L+9}p%@&#Ii^8+_A
z_o<p9XP=mE^M(oX9QkIL`M@UTjChNysMqrw3KuSbC6aBHZ`dqHtQU!%Iov6@K1;5}
zzcP7U6(b{YSTA&a;$#5U4X8ZQKDiG_UKD?YPa5L>=$*#!8}Q4@@yQ7D2t(Sr)V)TP
z8)LA8hLpG^A+>XfnuPWIwz{%|Y4qtZgE~plnT@x0)B4YBf_V~TXn8?bDjO#}5k;+|
ziy=87?9<IF_|<Xv<jO4hS=RqyxDa)tT#M==aHL&~-^OzH>?wnj;Bisk%Vp|s|NS%}
zEC!t<=yf=1GL_+@b39<tD9Eng>`tJ?bf5?s02J(1%@SMG%Dy%Kd;1nPfb+VjnTn)y
za-z;*o`QnoJgs&l6Jfl6%GqhbS0n>YcjsHBvbxvhW)%}8kK8z%p^smAcee3zP~rS>
zBWcv?+oan2@oK6$L9-p^O{LDKrNf~8PqwatW8?LEsvXx|+RbQZnpZCJy^vQwO!k`{
zt}gaUqLmLO@r)FER)~I1x!?MD5zm=4eSw}B6kA77I2vZnsun4h%E>G=Hzf|Hp8GqC
zn#mowcAYcy^L$(WHheD)z`^F#%E0()HGzYsN`qKcBB`ta@Y1vZGwyD}>(+U8u<t9e
zI0D_?YT*(=-g$gNiSYiL!eaV_rgc$nQc`3#w%Ak~B3L0B1rI2Wt=GWzm$~hi`H0^|
z0+1`cMl{>%bWs3A1Do&ag5k^~oIK5GgOs@wv3%aH<%&mfgvL)ezcYC`HQ|_%S9>Q^
z77uUwed@Na#_xm%YkPR^raic?%)IUken^&=SmWeTO1(QdQIOncNYg3r$xE7A<13V}
zf@>x;b)&)$7A2WukJKpV82P%{9}oUK@qEsfuRBQpP>XZ1qIkzW@09W5ST6=~Fggh&
zt_u7120c$qLobAwX8exDLVsEF0EF|h+~8O4n#ON4pFq_B&=E=K&O_A)z5f#@){;O7
zEZfr$0M5Tzmuq0~1j(26Bc01jBenmV!G-Wp9-GwqaaQ1%V&V^)^Q^d2+z+W&6Phya
z$BjWPVKzJwQtorJdC`g@nyxT!@d&bx-;aftiYfeR?k#GzVoe9^=ktF<O@nxUw{_|#
zeX~GQrE_-(kYtOqf7#14|Hi<-5tRpfO?L-$rL;(z9snOZ%Y*Lx@g^k@d4s3P<Oo4O
zJzU==Cgt_Km{Xk&q|`pv!Ilimc!~55Fjz+RUZ?Bdjy@dm0Jz<Zw3qI`P!-(sdxrYT
z{+%y(k;L-U$eNx>y#QAhX#PD<2xNtSA~)HuJ5+0w(vbEb2k7!VCOn4kULBXc!Mon(
zj`I-`QRW%T#Nz6rOjf!}DS0h1<%EIJoYt36ER^_BIVZ?bLQ=KaqgmI*P$7xpOw)D=
z;QVq49BaYZmt+c#DN6blkaZ2O8T303`1R;-8}9dZbnM#E5ZQ(;1}0--;SXXsEZA`u
zMYH!p|9F1Wpx)`2lllPvd~E(OUBBbO@-4p3UW;%ioApAj&nuV7k~-d}dPg%&LDOuV
zcMI0Rug3jrdg1%}%-nu|gUtUmOPD;eGn4G!Fr_LU^}QLxml(<~X-1$*yapZod0B!l
z$p4q2Loj__%+qxAwLF>2w>93(#&kqsl<T5|w{p{zc+@n;(>^R_bE}6sC_A+i!bfPk
z0U`UJga8yZ&9ReGO^efe+g0@kH{Q<V-njf;P=D|BkxxR<h7zN(HUfJ}Zi01==k8gt
z5F#zGE0r%1PuL1KeWRf2{$<>}en=i*zS|r~JUKKeIU*)GWDp<DbKB4X^_4C;KVA#(
zUmzKSg#68h`Vr5J6Q#ilOe$=X+o<mU)V)8)5ojsys9V1f?8Q1|T}!$lbUB1&@W6W7
zDwAjl=6m%+R^t4+QKH|qi|pZo)Qj^HQ2=VyVAfkc37!@!?5q~ES-&xei9A`3wJUuk
zP3b&w=`Bb+5L{g<)1*@+E%r*-6o6mwnuN`h=8JJ3%MDHz!e)jc?cQ;K)CfXqedarR
z!oS^5-Pk&LFrk}i3o(Yo__M#TB5#}&rdkFKhm(P@<Dp`CT`!yeAVfH)<`lg@?fYok
zs&7d8ICC7>F^fs=yK+A<{>qxQ5C6CXt{q8_MEd%-GUo1yiw&+tjP2Y!i%Q|z?v-lE
zsp<!;U#xQ%4Nwh>SYLFl@>f$mJgA?D0^rl5h^`%6i)qm{PGBPIJI`-<eKG!%-%X#>
z^y@d74>twKjDEkit91yzdRkIN@Q07#{&;<q)^MyE?!K6<s-M+dane~yv$NFFSQC|U
zuR0y)M2Z5>@#1JZom)YkoX9R)iBXDK|E<}HlRP7NSsaUYVGBGX;c-qG+bT4&`QNc(
zU?I;)`pu&;nAczIxGAb<T4J=wF~s!CM|lpCV{8Ee`RP%yo42x<I^Q+Wd`UUBF)xu~
z4?X%Pk0zEpiIc9Oq=Vw=f}oDnlnt(nc-8F%WJ>M$kl%{|;xqGS?FML|FqHUOZ4=k*
zz!WVtVTI{irLHa>i5)(km>#H<m>3}*Mb7OrG3<NNctp)8CNcX#8rQVm>nE})u$msM
z(V~F*l4fCP-WC8fV_<SY-AQ39OW;do<Ub(sYTj0iF<EER$=a}5#6C0RniY13{7pmP
zuYgC<?5}dBY%F|v`sVg4^TsBV#LR6ucn}atJ}^9CYXpkWCnPS~CZbH1<t4TdT$vdY
zQq8;upwQ;1^iKhap*jWT6M09Xs->Z`T<>K4Sz!xjB~?2{pNM8>^BTYXJ{0ICI@m%E
z{cxGA^HLp+r8bR<Mo||GmNRcC$(1@S<F>r^dvzyM;>!nH2t~@1H4x#28XiB8Xfw$R
z+{SqKrF8v5PH#uR({<55LB!yna5+7i#NuZ6UuMRFqaOjUWu2ewtq!<nKTwzfX#mV5
zfk`}f&t1&oJ9>7uFo|E`jCEpqP-6M2<B=!}g;YkUm#ALgEwgd4e8u8V^9UW!CyB?8
z=+fHMx(F_u`Jy*PQl7X<s^xdRb=;rv`9gCyQq#)8r1seaFWvg6-20*!Iu}TDRrtI<
zIg;Xr=-?}cWu6NYQN3r%3EE=!GX(D1E*D{_wdiWiQ9qE3`;(WH8K<~onGbI7>(_q%
z?8HOw<}=ry#ycI4*w=sQ*2|YyAKxCA?YV#MHsXQk!+%5X9P`(YRwzDVDmbIw%QZ5P
zJ!W?LM69jHb&VHl)kE4#1<!nL%j|Xjs5h8VVaW<`DY2_!rB;PZ!7`~5_Z#ZefpYF<
z2d+OAo5TQt;xp_b_&}Dl{iV#vB|h-R_Xa~aBP~_{yHHRfvLTWw<G{*vSqc!@>K{vi
zZ(6E#-&5WjCHdlmN#Wioj*-A-WLFt?z1CLcXzBr($j_Zz@swHH?l<-A?F8;H=;)1b
zIgzQhBOteHX;m{@l;waHBeJ=-P)2*P<6M&KK-t$k0hAQqGqS=Q)A{jQ3Y*&B(fHQM
zc30Yry0R|Adg04VT1V9bSeOpEmH@E04BGiqpyRtn2=H0jm>X<fgdff(Vm@w6fthYE
zN?B00*-|og<!d!&Ze8oP#)=+WXK5E{F|NUs-ITzO-5BUV=HPrzMu2MROW<1?fs9~3
zGQPOn2g^)2x(=fle)p67nX&**&{FQu3ZQxp+fZX~@j~0w)y9iplmvl<0qEKqF;>9j
zL6$vpK>bB7$%n|skIjmR5Li`=h?F1$q9o0;;?!Tk_;J?{jr@A%74+aR7sL!Szw6aS
zkVEjUL_3u+ZCumI_ajR8CUUyelv<kh<SAV)W>FsxnY?+MYAKS@xE`Se5=OV?F|`@}
zR!-L{?HCWeS1AEp^~^4L%%)rpU?WbdSFK?>IToX}R$Cgl;dHkbkS%!K$Bi-gH2Y@c
z*Wv_8)^c%z3@h4J#1emr%w{8lnEkXx94n4wR?A>7sWzBKl6VpC<vA98GP?Nc<syeE
z!=O;wAW?Z=Vcz%GPx2W1h{4Bhc!VC`U5{F;DyhjcPRKXk7v+6wCAbSpS(|1qg&*g*
z2uhc&vQYa8vU=S6@ZB}Y2=CJ;E{D#JZ~nTtch|>Xasuu2UzZgOLFqi+Q=g#uElo1r
zC8i6_!zRbm1m$x3SwpZE?s|%gR~PF&)2m1orTCeLbHrVRp955{n&?RtIt9Ygo!Fl@
z*5o2<H@?BiBst8SBg4BPWH8)t=`oo;YKwKTU#8l=5V0aeK%jO@J-Z;1ta)1&WlV^*
zG0iUrUtdw*A7xo+`2v?!Yp$`;6Oa+UHM#M9W)4}?aIW`qm7mE0j*Cd@S&&u+@Z&Yx
z-N&lc1N{TaH7rSvmk06R3zb)}T0NsD`^NKW^SQ^mccP<xA|dfNedo(_&Zj^)-`U-C
z#tEHjoC`ho2oY|735u|H?eB0+OLzchhTjDX8K$Tn4NTZ<;JEv;igToFIzNDq1`y8H
z=O+Qn69To6wxF{@*y4>uICcG~<K`5}X0VEe7^9NtG7UpPb!?fen_E9EVJ1ua;ZxZ2
zusQISCV3PhiDBSz#~cI5PO)-KG@Ciro)T%jG*HL8a2W)fXdo1xVOkUtV%;*mIh{C1
zm;xM&VMjR@XMvx4QUo?vJ;=9u!e-WL*T{LJmC=mFdp1WA*Ev4%{-Z0QGtVQ7dlm{P
z+gX{?A(6@I_Cx!~wYJd1T)IwlBORhXj_j54v|oJJXzBBB{k~}l-s~n|>n?kT2=2!Y
zeX7fVhWU+isu*3e1=$@St)>W@SO*RRZd8REIJ{1~M&PTvz_%m2r@<DrD|p;ds{AN5
zp_t7cXHVJ2!dd2y_FHn`waErKXfxb;>j!)>hP)0gi9E7lPhP?<Tw<?`>5*23$M;4#
z!tz5Go2O&l9863(vdlqtV3)Npc<n*oRqFlg94TC7bj<CeYa5#zzG4DLX-{iABUsdA
zy4tfVDjwr`T4bIY-0LTL!KrIf&e?BSf$;skak=9IVNWUREtiOc?7BOSW*Y#hp0>;S
zC3S2bM0t~l4%l4}#py2`?_6FHuE_E(Z_9qhIWibL<Z7#bz<Z^f`8Di<&9FEz;DLHG
zLoLhS!Ij-P`Gj%1*Q6%vrMIOf=`QgQXjlDgqGz_#fhgTm20h2PPlcbumYn{P_gMRq
zL*O{};05HPo2Y|};heU~Q_7kk{tT4&;ak_4huS2B<s1^^q2krV3QcT#u-BdL#s?bg
z9?Er!NL5x`ue;+H-XNm#>cqv<)zcj2Q-f%Iko1%a_GICLJf`IEGz6HZGZ!TcD=UFm
zn8FYNN1A??#a6Pdi0v~hm{vowsHHQ&`5UPuHe7nao|W|i?#E1SVDhr##^6kD>IDaO
zm)?tYHWlu+^bx|6X-EP#V=II?Jf@DBkrUPcp~mM3SF)Ty^WXO#SiNi)^XMShL{)m9
zrt=#f1^-bCzMIHs-Z}}zqZX$=1ZsLe{|Lp;WgUjr>AU}nACM)x^bwT23RB3aq3guK
zl8+_=PdpyKpJ{T5m$Vm2wLo7zIy`r=CgYZR!06yA$VyumYaE!W-Ew}~p4QpN^lDW?
zi>)-RUA>rbkQk~SH#ju_Bj$Dn7cjoJn<AFN+B|KcME!wI8@(aR*4mFsm%pcN`jltU
zXkvej*A!@{{qa&_M?hIDI$wjOL*)IX1;BXLQt=Q;ExHW#`~rLfQbNYcEwF!@H!vMx
z<zLwEOJx?YtlkC)hAqc0LNCm+-|Ay8@V$Uwm}L!?>@_%gqmfNFrCbK#O9K}e9@CQ<
zw9t-W83+5~b~Vr%$8+9y{`YPQ+Ek5*3!HGD{B{6bT1M56vtGD4tLAxQs%4L|(*?qm
ze`qf$h+Pu~Ih7NaE{l9W<cN`RLWkW}C|*s4=sEU@E4rj&=1%{j6=zxY<O~MuQ)$r^
zHdR4w#*kgt>|qNVQiS&&wk43Cqpq8?L2M;-Z-|j@%V2ocsj9Z`Yuqg_2k@5Kj8AeR
z10F&HSN+hA%KaVm0i8ca5b$T)F{ui#KgAdnNgjV8vTdK@AoOnI8OHlkNk9O}WI7p;
z2)(d@NnrUerLpgt4KhCR9%GMFH<Uw8fb<-oOPdN@DAV1H`t_n+BM<9E1qwFaeK<Iz
z@b%Rx9Jem?YunAdZUI0&yxtJPIw}<j0#4f39i6@x9nGO7C<mwMCEJ$1ch8mXCcI%5
z$${FCF8-j}VV0SStV@bD3+s{6YMArNWk4xmsAD2X6?=ewF~n#R4<?YblgVx*cxNaq
zm3UG)ZNb(IyMYQKBKu(oGM^;pU66{sfARK8fmeOlzko>=0l^>dsV8kn#4<|ZcaG6v
zx@GhRIXMgLq9vY|@&dle2QS%>pt77A64;rfJCQByH8j5?avBth46h5FvR<hy#b8zp
z6dT(PL<OCM9>J&ZnqGd=i~*m0Q}I1|IO*rpJJAK0(?9n_(b;z1N1XK!(2^`v9ZYAC
zvq~wOy5pPPg90e;>elxs1VHF@zzjLY9}r{!h6dw-HdKXHMa}{QppF%pCI3Lp!OhFK
z1vl6*Y%tHC(kc^>1`18`_Cecf*74e)AADD0e4+}FEZb0p1ISSre{muIAC*4~`knTV
zXfz?$;|@fzhY9w_95-v=j!TMYE!4)SEuirmjx4<fIc5W!T&-2O@yn5kJ;t8v#l`k^
zK=qg8hS_ehj!ZhcAawE)>+zT#i$=29YO@tFk8H3dS!@l3NU!mOVwcI8S&{ixB^I+W
zBXjH*5>X6XjDhxfq0c8hK^n)qxJ;>&9_Qb5qkQ<RXm=dnxD?KJJX~t@S-C7H@Z1IO
znFn=BQO#+bccZbu-6&+TEdc}VMHQ#Q>NEr`N=#|hHl<|@Yfb7yZyzZ_`=A1PC<W)U
z@<0RIT1ITN2v(oPj1I@r8)PkWE4=#x!DKSupA8Ru$*~C8YJ}W8s%!S=AM#%FZ&|=s
zHK{VJDfVOnKYRi3Pb6E--CG~Y@N5UxDYnH@2YkM4%#rmmgda<%0jIt7JNw>}HXt;s
z5^@WEoJ}*`+|@v02svWWpf9YN`Va^AOjZ#5TpuBy`)e9kz0>1{yvVypcI%#aH!&c8
z^oX~R7Ny+Z8}%K{Q$#nQ+kBgQ4?9o1_*oO@wGv)abyo_l>Hq!%{x!4Jvg81)<{yeJ
zrqQP&^7C<1YIH8f##D~|Rst>pHE9g^x=;_Zzz)BI1Q0I>xc=P2%|`&gy7EA?hGX%|
zN^0?ZaKY42zey@ga{640OfDIdMKm#^(Rlt^!A8(V7ONX>@K+$ZW<Afuej7v>Wtcm5
z8oK~FM%^I5Jb`&A^wEx#GmE%mR9nIjiN({vUWR5_ZY8-1OTy^98dlG+awX){AZC>^
z8!;xtUd@tZ!AonaQ$Sx1Mh@{|hmB#JUk=juG$xIl{b$hV&8W6E)LzRaEtP#UQ~?EL
z6rI2Fg41TU!uwH0-W+9?^SpIQ29_jl7B}1N8s^HdARjMIT8rW3C9k^;#sd+>d!@}T
zB_AP>G8Kt7n^wsmaABCOCqJkKB1*tFB=1+tj%2hDAaKt<lC~mXN~WV82$8Fa6zhfD
zEP)O%I^#pIB9lZ(=|RvosVn%E{cG9AYZVXbD*r_CM>sD2M@@7y^mg<Fy!zfzb{M;b
z86&e6-HuVW2=IudpzYJMZ~+7(r48Sz-NM6jH_A*mo&d)qj%1<X_!J9Y160b9k+n5C
z7M;mNjL`_-$|N9m9>nw2O+lDbgA*Vt16(rb2ZHyTXkHmrZv`KvjeGU(+|wIFpT!E!
zN3N{2KDA^Nm3f!HcfYi-@wwg7P3X%ncdz3ru4$e(bEwJ0&l2^^<T;{zFj%O-?m7RS
z7@t#>fdh7FpXQa~P#+PbJur4VvUx3`#N2K0Fr)vC_rkPOi(L1DQ@PK;@Pjno-Z$RD
zKIm2@;kkq|V*Vu&>ke9_8G9h8iT3pu4F57^YI0rhui*^b$FZ1!lYJ4L^@S+tL;fgI
zXRZ;v<h%4^DB&5^6S~^&)X?zV^k@ip04yAIX>Ng!S3p1@;aJF?wdl*ky7t<Pb4cs#
zaZ7seguEB3;SB{{NS_&!co9wT4xMjjA>hwl77DcJoiz=7yhQJ?J|{yMzLmD}9>6^s
zV^&sx!NIwg+T{ta*C0evfRDtB59eQ~;kL5|A&?<+5X`!=1SV~kj6s;w?Da8w5w?0P
z)*lF%a|yI!G93XJD**2ibKf4$g0B!?lrj_8zDrC;HaeDfYr>SUQtxvEh-Y>KpE|dg
zeFn)J&GR?o-BUklJUMs0{0Zbpu+Ev%!M!F_{eS=U`ONrN+1Rp9VpLy|B>z<*XjoAR
zgzviP=E!Kvp{Vzs5CVDj1xn*&I2PA>pI~tnaOwrClL03QOuzdapYci*FcPGa0e=S9
ze+n$*!$Er>UjDf2ZoVV^siQP&ni^TMfeL~7E%maSzc-|?YqG2&X^;p{dpKpxyTKAR
zCnC*SgReYTdc2+Ta>M76@vD6YIPbprkT+gLm%O{)qxAQv4*&;|TUb^&!l)qpXVZ`!
z{^G>gDDDOB(?p~1q4*iTbl%eGbIIRw+8%M+TgXPf@L48M_78~O8Ez^Wh7@QfgrCGN
zEVx#dINh%HI`B)4(#n;FV!|8(EF42Ww;T%W4&wufpt{O@HJE<SFRmSG8Pq+HVajV(
zvyUHl6311)q+&+#P(N_&_pu7Pux(_tK=^Qq2uX^?Lc=1Kys1`4sjN~Kxtg^AXFQ!W
z$BJytW=Ud|227)ePJ?oQZ5}Sb?iq}vDgIp&9`vOu^i+s>nAdp)v718s*gwN+(z?{<
zd8+Q6Dte54HKf7QUn&38fmeVRJcwCJuMr#~xSasC)Xs<NkP!%?JxM*G4ZbTKq*7vE
z!jQzjf0Si+7zA;|eG#r1z&8GQ>{D|ZS3pL9h0HK$Mk;eG{`lr|2$XfbAB%ijI7s5x
zLeDXX#V93a#MhqMhTylQU8FNU@sPhxr-;KBdTH|m058oud|BrKm}9W+YMM`dX)f9n
z1PR?0)(x^ETx~Q}j<4ak5_ry*Sn&0RYJ2#A1pYgvJeR9JL9=WDZDC6!TO=qer01i*
zBSv){)4W5wDCV<5`I)dh+^kQH>+p$M+_-xjPgM7shevmmVamPf&XP6Q(c<Z;mZGV{
zC;6(qDQY1p{S>w<DVXep@(ZzNXqVe9c30-ALwi`p1(1k=Llue+5FzC9)vi7l{P#Jh
z_nIB_FGVd>^(EGz)>M~D!jSubTnm1s=a*8;ol0R$H3JvS=<h3-o}|loI5D;=N-`(=
zSuclE3f2=cH#eBye9$=}k5GGvRoyV<;*7=wp*7s|HD$)je4{jmM-run;AR75Sg(Jf
zC4=J`1vRZ}EWm)1I|hBRnNZv@!1xBS04?FF=i6ViWLlCX2ct<~5!<Kz6<q+k^lI*(
zgCG?}|Kh+(j?aU>B|g4C<BY3PQ+?i`ASe{6kaItP@O68k)@@2?=%4o9Uk4VJ8;k6H
z!UEKgmXI}iTKS~0ZOAT-p%HKVrJ+81G&bEaAW3EDHFY?0!83QbiEvSm_>m$7StG9s
z4ZeZ+%%dUq6N)iPxnY*Xj^UTe0JM3NG!dL%MD{_44Y=~6ALZpFRFm&9@)-_j5`9WB
zXTDmGO5n(vML*EQy(UoyzPG_FX%FpPFMAJ&=g(n^2ZWF^=o0tPOLC5CrFM?fK<G0^
z0|p6m<h($4XnK_iFDVtqh}m^Z_`D9({$K^e;FpDDjm(@M9v35hDWhUShzHN8@@%=O
zNKTQe$ovW`Vmz`R&S6+PDz12-Vk!GibwFw!Fa};sjTWxg7O$YE5gw<4wlFR;s{>$n
zO>YLR)`N~k7QY>Z4I$|Ra><B(AIE`|Ms|AViHeNIRclWTu=E4V0f`zi#$A`;hJw!r
z?<0cQ9jCUf<Emjv9Z!_R@5!8W1)v&)2lXKaxlUET%JLaINO~g!dFkW#-TEhK#6;OC
z%>|+C*%sHo{45YzG}yM}|8`~%QqUFhPYav;@40|W)zs^?b@FyBM?!Wrk1X@#&>@k6
znZ{M|UV>|c6IQrm=zIt5X>qtsH`;xeA~e|<+7@99?jN0uNLAYKuGQbX`Q6fII5?~9
zJLAGWu@96ZNXZj&K*l7}8ET_VzR*iZ>4Xu{weL@KXAZ)sL{(IWlC^8tKkFw$#^Yl`
z;V4QT18E~tWB(EA>eWx1sZHtkq4{>B(-z#I$J$$vmk4f9;Mz*fTBWKo^n`<Vtp8?p
z+rWwe`PZ;3hQvgz5{D89shC`5l{-Ct8nYw3%l3|OKp1<wa<~)LJ4~Xm+XB@$s<gMw
z2yDlUY_~9?%*6=?xraa^=E=%;3WWw|uloml2Ph+yeJE{%GtUC6Uk%BMNPqGx5MuaO
zR9EMx)hrPs&SBEUhvrSjvu7!7ZgppTav|sd`T<`@s5gp<5Q5CdZTf4r8ZX)1xXTzk
z*zpv63pQ+1<?=Eg<4%qeugOp*nZQm(s&t_<wkoT%T6^EXe$xEN&`Sx%-%i;=$?j6h
zaAJEI6t$!<={b0bNQx(*MJCp!*W?MpxV19bb85oR3LwPQHlRZXOEZ<M(F}Y8aa*e;
zR%kh`QRb_Rqq!M%_O5iehb7eK7sYuXec(tXNd`;ZI&z1^O0#9>VR1dbf=>|LCdt*M
zW8Q9_#Fc{LLHU#+)}4p|a6|x9#Wm|A;0xQ)69YhQbALM#t(Q#l6yqFeE2!$fpzJ9k
zn;AM*MxQFI%~cL!8oR2u4sRfpAxvWiUInPFRO{OfPqgnotf@TKec8C?XW9?)(!B93
zMu;6S2ukqq3jMcEU%0XmIzITi$~v<~KT}96bY)nsuw<dO@ixhL%g*-a`e3lIEk>ke
zGL7Z2)@hXLM}ZZtPzy0Zz2!K=RSb9`l7X{uBn`ZX56Iv6(*7Edx<U{gvsBaKvkvh|
z4Yu9zvzh)llCFgEhbpf+c-U4X_*7@n?o`4zQJ*F~;lWa*DVCCJhc|ROpqpKt;k-HN
zx7Ei-p1lRm9#@kA6A<C5Fzf+@&>cthfR>YLnE{HG8I5b!nnt)3nv4`nP=J}<Um3U=
zoaKH8#jeI#qlYk4s<MF8^17v}*2F=XR`v4Lm})QhNKNg963fE5p(Tq#^4MHgtDAj_
zC84(lWTHzdtF6XdkZoJ^?hyD=rN$uKx2_AYDxCb_-hCKp_z5NRLJW5z{)wFw;1ew-
z<E*Ndq?P?zgns!a+4=0v6)FpVYys(e=Hg?=5b8fM*e_J4HF86Fo$3s^zCOHFGF5s;
zx4Kzw#phaPczDR;x>VS}fyF%ffY<lOgP|CEnsKmlCY5UZIL7X-cygMn!Q_BMF9G3=
zPRht#LuSB9!ON5D#P@Tymc{S2P?XpKFsiX6_dv$HFR{IIW#E2lc&1=QeE2+3tDT}v
zaVpV_A1X0>vm@_JlBv>A2mQhTHqsWQifWuER#8Z3$39d)MYJX9Ubz<Ch9E`Y$DYg}
z{bJ?yZfB7nS;FSpM0c;O&GmW4Xa`;p#+r<;vYYi|^f~onONNMRXSO}k@E?z)a$ORX
zx!$<!ft2Pa^S<S(uXlI<Ry7*%&A&`I0d!m_Z@tt5+v#{-B`51xkWhjoD44nD<l7xd
zhM!}^(6CB}!Zu>mCl9y@Dn*{Ft$H{Q8OC?NO`DulnF^|YSPRRj5*&(Hv4x1Ir8OzA
zaSN3Y14gjNq)!w<xlQlcZp@q#w{p3+$RxfEEk%HlNM;v11tM36Y7?duk<U1}v0B>S
zaks046}*81$+&1a87j1jd&3f{nD22TZ#r*Fvl1*Iz8T!!?*>bCf9oUkVVPlG31$TR
zD}qCr5s#eW1&Sy&%XNc(!vBbLyE#b>m|!xXl=j{?P<3?st*TjyZ-y3A+JN|FaF|T1
zIyZi2r45O#$kd$v3T(1S1}-qnDSp4B6RP`-R>gPkILb%6Ug+VrkGWZq{ocP?D~8tO
z$=lX&s5a3P!Z{M7i0++B9$S*29_7`d+2snutE#SU%*A#@k85nq4~^aN5giV7+I9Cp
z(B!V!`>H;J(7_(626EEp-;hkJ%Sd;InrTUY*Ol)t$EQVTK`N#K8n3SsoBqYjCbW#r
zsm(+i<-PB2Mr9Osgfk31hcYW+l(m9ztP}&?&uu%24)f8-=Xr19F<q_JQi#9w20b*D
zkqboc!;KkB5|z**W6r9815s&A(kX2p^=Ul#lwn&XjivILIWPaklrh**2?;vIh|kbg
zZB&XWV;ug>yIo$Ywa!i}20~9u<vy1;!-KGm(ZC8cRlE#C*k`^KH}4Pg8~HGPL;ceM
zGZmG{bC@AuGK(D6AFQaHHe}2gxsJI#m*S(Yod4O|$I53YvL>*4fnL<I8WOltD|d5l
ze-t^5X3KS=s*5Qmz`w!FKgqv3E}lHK>ATeDM8?Fdy??0WPNO;9c6#)3CUofzB>J%T
zd||le(DH%?zS0c01f^{IL6o)Yf>ko>AEFEWOD4+3fvl3>xWcH-h(?J4X8r;pgvR&^
zOJ94n7XHV4=~9eZ<}<ki6kSQ}8N{v#<3m=w`{`Q9LTl~_=|EfymD}AaBo&I(XON)=
zuxC}ku>w?}Pb-PpO2u}<#P4(jylbmYA5?8(N4_Xf<!=k_+8hWv(J#IoQ@AE?_a#k>
zs@y?aO|hkx+V@>RTN8#KznvS@Fgrin%Q4Xub>ETWGw;E)`ZDV*W6t6;w5^D1rLO5M
zH2;rRN{J|wcV8CVh`1oO8^S$#T(;z=QeRL!y|KLIO+|;a$jkiTCL*lEXZ!)SAb04j
zFY!rxfS(w&+aVfLe?BBqm;B)y(~97ZdsxUjLw`+l#ZgqBgtHw*z6Yn#De1Ospb<t{
z5}OO?dWnml?2v)t+TWjaO6z$K(+4e1*u;QBE4qZxl(gyI1ARfwZPS=EChK}c=sDuh
z22GjV;x{MM+GadgX(xy;rssqnD!AN29{%^>wBX=_cpoE(xiQ-V3HdgC?b&7f2s=`+
zwHt|4EJU;EryRbM1NEuJ2r;#LDM^EvcfAK>l_YBp27}!by60C=^BbKoa$${6&LgO#
zn!^W!mUcAUOPAcQ7F>W?Z;2UD&FSzTKOobc^*Hd$nznss85tqL@EDMFC(bged5M$)
z?|xTyJ1wL5J=F0h3U`o{^NoUVpZ-<lH;)<Wzn<eyR0(%9AUdO?+eryT>k@G8-146G
z*^fj=np3!3#>by)@hX|nxFHjuQ&dnRv%)Zs(EL<AO*EVS)gC#p(gma8EQTy9?1PsA
zqPN3$%AW(T%sJ9+M!H>Ec<OYFxKZ9WPMHwCYM$t7G38!{&!OBjCgq~Xd5|orbl~FJ
zRDk0b#T2`nli&G8RE*5lp{6q~xGI}<w09PTEWdKAGdOmpx<#SIr7A3Ul8WBmYwJ!-
z?}6AcW`P!_lIa7T`gcHrc-mW;`0V#yPvUha=<b%phAx*4sA%H;E6EFxpxxsKGdgb9
z#gR{F38Q*fS9-&R6kC>vs%RFB5jQ0A(dllAKT!?MZhOBFTR`%k7VR8T9`Np3cL8@|
zVjInA<>VLZ?=j=n*#YH}mwZTT@u;P~;FxM}O`JWn=%0B={n2f^U}V-)b!VUH6whv;
zr4D%P^K-8ae#g@I!M#zY+F=2Np(11D1fp_2<$z0_>LAx)$-OZ?EV|H4Ra%GIV6<LU
z)CC2lcTF;$Ci&R0VB&hDh>85%RLv<pdSOMe5<se4ZR5`9+pMV<<@;xYqUM%m?XFto
zn=_|ekqN5{U?h{K190_6U2F?BlZl;PglfvyWq+I{%zl~C_l5}(3WB>x4X^*yYOd5p
zA??xOf@av%d#p(D56rTYO5<zD`DN!*K~*ro4w9(TPV0K`lM6PL5IlK?9%15MmD1pX
zOwV)tp!NUo_U7SG?tk3)Z7m6%LrF-xHcJa*cS@>LF-a)f=s3tWW65reC@P_yY!emP
z$uia%5~{Ip!;D=F#@J_u8DpM%P^a(texHAy>v#QJ{xCD<zCWMOdw;!`yL}=q$d%}X
z3Drexrdnv?Jfwy`l1M$zz0a}IWObcFXIWPY5#&@8tX#!n5JxLGohw1HDIYwKay}p3
zfZqDv{V)!_13)o~V|EY47mMQrTwRXGD&~1YQoPE#8p(s_{Z<8i8L94NH?^kE&vgf%
zB^71@w;DwJt<pZ^Voa1En~~Q8WR_9w<YFs5$Xs^vAAh_YnZQ2l5p1pac8f3hvy2Dp
z%}0DBy{K1XnSQ?hvxJ7OYXmGB%Rb=~Xh%4B%5vFN1v4)5yui_7MMqBI7|~mg)!1v!
zN?yU4U%(}LQU>~T>!{JKI=IV;BiMe%s~)zWC=rLG?2?6GITS)rg-BHMm(-Dnk4grb
zDXvnoq*k5NcSLt;oTsezwbJ?4d@N%LFGUm7_Q@TvW0yDZSn^eF`b8_Bex{}$n-)SD
zj7<v>I~1^AZS$k7e8|hU(w|H7_DNpVuM?EegXE>{Dm#M+JtVEVw98y9S4bvgKKWkQ
z`8J2nfZ|-_&Mt=ztPyRwMU_FyLvSXtM#@yFr;aI<qY~T8Ore{~sM5tnyLJfNGy-j+
zym7ff$q2C(qdOLrd)w+9yku8_(v=euiZ@F=FGUTk2Eim+nGn`U$%x%itEA#HUB<+5
zj3*o%v!Bkg%|qQVLQOq$#knrDEPHLSsxP~<Y>%T@1Z6h9p3`9Cs&y2KZ=z5M7Z$!y
zCHp-8;LL|N{Z^&(rDzRuO|#C%(f(YzY$R_|in~Qpz;-2ag{1Dqx@kb($hKBW@}oBm
zieoclU`Ip$;uI=-@9&eD4%%4+al=cKLifVFY`gD?8a)|D?4gK^j0^fIzIpUm<ghm~
z)PG#C)Jk4%?8<L69J&5a<kRA4SF^%CkMmS%Mayli^fp)H8R^zLr|7S@E8sIpl8*@$
z1jPYET$Hi?8Fb$vB+GVssZDi^m_%WHQ1B!kI8JfC+$aB0*1Xe&Fz)+JRuX)43`*<D
z5QF1^Qy_KsH<i*DtmSU@2@PwXKS{VdtlI;tTK8u*S;72VSy|=TRwl?KXNNRSA7!r|
z1&x3Opcm_ddIs#1%Fte9<IbvivW_la{1Y(r0TDf}s^I==M6U})krH0B2Fl2>F1OG+
zIXtt;w(O3$n&{A!NbmgE>>nR~8vvh4>OzWdo)Glanz8(2d#f}(Tr^l8w)FRa<{jYp
zyJ)-RKG%~uR<`uW(}t;*Pi)ANw2{4hHoq19`M584a^!&c8<%}LV{y-Hla-Xe$-+v#
zCgKTKl~uykc?Zi9;gxK9G|StU(_-r|9@}jy4=55Y5Id(iQ%rJ~r%m~UKlK=3$g=m5
z^<a%%Z^gcMEwN<e!khD1e((xI4k8a4fgL4~+GscLB#=fY?-YxW=nFZ;VtGQPru(>P
z-^PAFEF4~sXINKJl?#bx8GG~RGgHukSl_WCcgVT?MCSSV2hvljFYsUQ|M^=$O=*J9
zm_76Sf{fJFt$lBDSazQ)JUm?I@bp_v5~Wl}{gD^0H*m#JqN65j?0pzL61y6e>dI71
zf;Z_D1S&s&F484PKW4(9{t<lod`_dc6p~e|N_iIb)#ml<J(+O)1FY;bi}MG{;jh{C
zjL}2n-MI+ZCDsa^h3E)!%;b<tTJsOC_=CnGe#E0h*Iqq*jGmT^48pUIPnwnQ_V$Gj
ze4KQ&!ZGR5RMgA(+%K+gd$E=|_5M1J8a}(HZyKVLZ3}x0NwOAIJJ)T+&tw(ZXk8b0
zXRk8J$!Vy}T-4aa0Q=(JyQNZAeH9`IU$Nf2#=h9*KOtzz`#}Qke?Q-L$Y+7nF5OZJ
zq?Vqk%()xCqHf^UQdqg$eoX4VDCyDI%xK+H*IQ^0aUwd%QVP!Uy*)5aQc7{{n&jA&
zsk0g;ozqNm5H0n3td|)CM2*eCXU-9Mq=Qpro7hQ<m@>9~DU$Mc^ATf$-(ky-Va3mp
zN{J5dA{*&)<+@)AvD&4!De6j}XQF?javT$hsCW$-B~8~;R^X$+hdUQue49esE(JX%
z<}OwqVcm4_drdV_%5+et6~Ys4<J#D{1y&);<gsHZ-tWDhZK2nHRG=&@`zPc<GhKIA
z#ysyji0U2Jf+Q;aUm3=;J=gt}GA3v6>%jc6WU89ha=95*y4N2>`6@6F2hY1<gkBf#
z?R{BY($(5L)mH%*#37$!Nrp8KvGL7bdrt4I*p|3Ddn;H(!P3>=v!YzVz=UEHJ<^pq
zQSXf|3XxI3i1xTzH)aOvwnvxFrYAWl_az|h-|KYS0x~9U3E#IWKr!ip-hH<3<=;ug
z`Q+u&vVAJGAvbUj;4I6{H{~#AdgxyCWUulRD!LC79(A{2RneoKc!TH-Msso(>L1ON
z=d)~mIF3h&yUR7gr~P#!UP-zZSmHYCEe?H%q@QY~4$xOyd+M+BtTGm!(#b(ls+1N_
z#m&u_xusICVsmno5J_l!Kj9L8)lV*x@Y=l*!p0u$d($+~JzegOJ|zJlY!CPTPBTEj
zukt-NP~Rl;O|i)V%+wzed|N-gjof0~+uZc$BquO7YcYn;1NVjJ%EABJW%n`uPXD5v
zuUfa4cW_MTy<d!Q@42*{zSEO|hdiq1)zv?%FQ)QS>NBP}cdO9Ud&nnXWsGRBF0)m$
z*49I&gSM7PDprI;(lw)d{H!Fzblowhnl8-f7-_lGm6rHsl`OPQpPbQ|%ad}jitd|u
z%#9*9ep$yiu#f9TU|Av$NnkfiG?@1F0NjwTy%S~;5CUy$M(VVu88@>fFN?a1YLBv~
zWER<<?m0!tCbiT}b1NGKtGu>3hjdB|!guqc7T@|r$nSpT7_ZED>$Ce<^eJgx)~(h%
z*RZli78FOJuni9mgk7}PW0&JLqO?d~3-OR(jVrNgN&yQuDH8Cr^(fSd!y(bcbjD5g
zz22*Hm$zs_7|UDLE=<HoFV$_85nIDgOSayW3rZ<*4k2K#s%*JKn(+!9S(HF*@$p>f
zN_#@NTCycTuDm_TtZ=I<*yit=A@sI<d-kaxdzbK9Sa&1;fn@7|?(iJi{Vc(ZYQjkZ
zY)0l@wtH-EU}fRG(o!4DY6jWKUwRj0!Rb?vVLT=G#dNWsOXmWF@`gH3eg9Jd!{Pse
zD?QFY%qEIrDt8p9XaJ(0x;1<owHo6Cc-8zrVqT-fPhWt}I=Kbb-^1!$fq$CR91{QR
zo$#U0_9*yh_oTqu(?8d10-hL!w%qZNund-_fj@5hQk>J$ReZpz$=<^ssK<1XENAox
z&@IYn?*>Y=4IsCRO>i?Iy(iuec}oDSs`#HKv8?n*rT}B!r)0fk%!shSJQ~(TGT2VH
zU1(2PwP=6mU1pPXDyvo#m4}MktINtpW%+`$(}~0NsD;z3h660@)bnrBdgf?OZ?4(Q
zl(jis?kJXCk1E&|lF-S*W-YyoXjV#Md9AMQ2kT<8#)*zjjnaURUeggCx77(NabRG=
zkJ-&%MNhW@fu*KbBEhcGb=S4CUn>?l2I~G(bU=o!>+!q*E}VfvaMBnNXp2VijQ3CA
zxV@8>rr^?Q<pM0Q)XYxSBPG_mh+#1#Sc!^LH%7e&Vy}8W?woXpK(K8Q#}p06W5C|a
zD!)fLiK$)3dGdlP^M(I<@3PZ5oM9qG{I+7LM)GefVWK25h=XbhI6tfAO!C8Cdt|Y&
zi!181KImor5S^lRIKQjc^j}4j@Qa21RQTKjSx!%RZRV-_eraR-m3o!>HEP6hm-sr=
z`Pz^g3^28LwNXSFmowT<8e^vx2VA<zIu1cwq9=`ef_$}c&0zHmP1?Vg7YMG2;I37M
zC(p8wnda4g-(~fP1v~D$a&V)Tic8J+-U?)%G+Vph!`EKQAg|))ZCB^`mR|_%w@zqh
z_%1+qewfnvq+&Etvo;i}1JhdARsFODSnAV-Kv6G}`-F58{T={n0y*Vk!CrkXZW&N#
z675gwYx1%5g#`ptZL&Q%?F)4Ih$qN+yVn@c49KcZ7rE2^yuy8(x$dZRV5P_6_HVm(
zVpel<q<0v|kCJ{XDw45oRB~!R^inwHr|cj8_G$yS0LyC3lyG<GL%Hlp@(EP4PZQv)
ztfin=E^&OaJu$s(C`~YsrdHjaWSe9k$vc7d9_z>JZjX1mw5K8$P?Kz8Rr%xqCH*?p
z#g|FC*#+Rjr59;OU;-ilAgWO29cK<!BaYs8W-n%$t{%A|V)0f!7|&2?P+3@j&b=CO
zyq)<{2tlbT%`jXdEfmhHj)F+<m4&pQqHKs;N7Nf#uK*S1mDXAdQ;EaXnz`5Yng%BO
z*~7*mz>RR{i&M@d+$JrFzl+cI9hG<-q9ymodDybFK}?u-m-(tCPo736SkrUXgwyZB
z<JN3kMz8cnkLlSWa=gKehRgo7WeQeZ&yZLZgehrn^Edv%V@8n7jr%JwAi>lDj_cWB
zvuoQDq-GMn^V&G)fLBeTU*E-C-qt4grZiZ^fFyGN?H}zLqd>{Du~5TX;^2hY0O}Pi
ztu&;w*I$U#?7gfT>vu{0WMMX_J-m-_@62DdU^?ym0na!I(>D0Y-F*!kF0)uJb}3M5
zdeXQ$lQ6v_`r^eYEU$UJX8kr_9M7zqGLdoa!#9DKI#UHhw+Bx8@v2FQ1J1r^qHV}n
znX2<hETBfSEn4xA8VMy^xqy-voX=$(eLxGP4+S7F$HoD{e>~S~>w1$I&OC-jS6Wn*
znRoK!apJ~3SDnU<w+1f^*&fw(Wm<gXn?auiDyrKnNNVZw!50J@x!Q2>$@-Nm;<s=F
z-Nt6be>ug1^;4wc=cB+0oY(SS0BQ?9Awt2>5uw4oWr1?MXb(V(V)h3juL<NAaM++<
zZeLobM)VB`n3M+GF18l6cf{=nuqcksPi3rcB)!4J$PXMvx9wA7A^n!hfud0~1VH{|
zazdht{*br&Fkr|-E>Z4~E=a2X0QcFJ#gzAQ5Dr#(A;$a$m&Enmk={z1dw~R}5!hs`
zDahXdK9Dp(aO1{V6lqLlC#{-*k=x`-C5-iAwzS6qI3D<99L!zogO83_1wL-&>~`LC
zuXP0(n?97Qb*9_^I9^wX$QnB`;5SCNz^WJgZp(DpLY=`bU#PAu&Q#)0Do6xx5zp0u
z+)_90Px#)o#IZA+$v__L%|5p9vS}AD!Gs+-=$X&_!XAcJ(t_M6rmg8D4#@VKbcxmk
zb-uysG=~d<Ri6ZlN^`Yx^gfjhD=P~Wd+$Et*5Ta&%_tsw-zie~HrKwN?)-ou1w=3>
zh-K8i(J&-h%IER4w-dur0*EM+J+nD51Ns*q5WMi4m8L<qrx;j=4klha*vs(ztgtC)
z<rIyKubp4f0iOyRK`XP`VMZ9~qB18>B2{&(in*%~wgroJxp{B$vHRJ}X~B2Z-(7v3
zh61bOht3fUjUxbGpRujM5D^Q;EwIGfBR_~UpHVU<smM)~^#beG#SJ?tf5q>lxMmvz
zb07SGesDv5*ty9MS!asM-PnB+NNP{unVn>2l(@L2)taJ`Zc8SgUOU0y_;c&o-KO}U
z(V1dc#MbW}F!mHyR0gE%z?!mj2Bt#FCAP?^@*e`=mlsM8E9U03Q<z6a8})3sYz6?a
z=QpkaTV_}YO*CDjAdWgXLtxDbL8ZaDJ2!!3lH{I{m0%U~T{@dNVqamGpNAd|2`*m!
zHkfg`u<&$?ONQ*<=Xqwo9WNI>i(mdy*ho-~*<R>8E@aN?Y)&73QfP^Lqf|EJlA|gN
z^So6;ztDk0#sMX`=CER0jIPyho4M?#X1snT+(iw(&<Br@vWEv`@d-ECX2DR$ibFRd
z>yCsMg;<H~YrLbl=<*3BNsQZ5DrysI=M>vxm8SNX8gQvt=zKh*NOlz=$Y^xPx*hPK
zOjcSj8;Kl?*;~io*c!yoy*l|<59}jX0;os9r;eLRj_KcWlz&GRIZCR|Ci7j_oH@M5
zR3lMLp6Wl!+n{mX8;X5|9aP=&yZ|4&9}pc&reI`RG1eUpK^CA!<6gPt&^k+S{|0O8
zsi%wVMS>6VyP80*UKycniY$HOb7k{n&B&oA72m>e`ydF?4iT-lX%?Q<cHq;!X}xB^
zRLrSEmW&kDb&;&{{r8zTg9&^ApH}f4uyx?HVGi-GExgwd$eOYHRBKs96bT;Lri!sf
zw#ys``&rO=ht`TogW1p5k~jC+e?oZML|%<!Mz~DqqR3^o@~y!X<(93@0`I%Jl}|R}
z1)lWC2glF?jH+UVZ$P#LLt=Bg1HcJnat#jggDOtq>$1zO$L8`r>nSV1io4s?hg^rj
zn%72LFtw#vw^vr&+bMQDv<?fD1X?v|#=_6Vz7}x^2x-K6^&AG0hBS^zHbn{9?=RmR
zjPd(@t@YOMM_wV@G*=>8*DuX?Hl3_NTf$HL<wYa*4L@yAv+MJFFEf+yLUL-QP8GbX
za`_tdP6CFvtThW|wgb)&x=&f3Hk6%?vpawHT`^wpsZs3fI_ceA7{daAs?OPTf;sU*
z;%d)dSn$S0$oQ~U?&94ZZCE@5zQGIDft9;XCJEN;l0ZKPA4mv(96YfhOUHTaGRu<3
zV}Tp@7fx6ICHu(ftJjw*@v4j@9~H~cdhc3l2T-c$!)_1k^tfu@Yrt#Mnuw4&E;f-x
zc||~g6k`@ySz95iOQfPHm$^4~_yH-W@>k(CeI9K>2Re2bL>ud^RXtCg=W@{4mSCur
zggt1r!I55<*ZE<r*cHfva^T`JXx=q3wt=i0q6Dywf%}higAJ_O1I6b%?wr`XJOMlN
z%SAT_bL(xvpDOGR`)39V#BROo31uX)+Hpu!?iTK+r@2;WA7HpqXwF*aZ)dsn1{ScS
zkel`E92DyIL^91n2O=VBdvtoZ727iA+_nFxPv5!$4m}h0Yi3Wts>Q3g7oT3&lWP_J
z!8K3Tc(h22HXy*Q(SGL+)|Z*hLAVv}!F><@huI)Z=Ay94P|nf+IDz$Y@mpWkYQW;+
z!^*gcO5^J1xP97eR^VKNGg<D@?`wxtzNY!X#ve*1et7t=6L`q(Y*RvQ=P0vm_$=jP
zN!fIhPmyJ;dsop7)0u>@PMV3kBMDdS)ltkwZXr0^NuMGGN-jdBsGhIE-2i*mdFYnz
z+NRf++;u{*%5;k#E3{NYStlRpCN64BcJL0KAQ`;}d{>c2!q?gxs*=}N`zh!JWZ(L?
zd${^90$5Vp20-Ytz>Eb$h!OEuzE-mrcZN_4bX{lD^>AU4!rTE!HrDHe(h=painO9$
zu749m>~;w)#9Hcc`2q5D&GkJ#6&+S(`I*Z~3v2Sa0tO?A@C<w=#p!X~Ar#9y2khY}
zE^8=3-nBhFW60_&+yzcaAvy0)@1?a~Ri==iJDmlly7oGm!O-d0w3}}k#O(+|Fa080
zvAq!YQC<5)g(3l!NH1r^=LU5>VihEC{QKD6&8~PXQWXRDW)Vn43}okSn){uGhfO*!
z)UEGS^ag^<0U9o>Z;AVN!kSJ7!?rY=bWtF5&y||@h8M>_DQ<79i8yQC$^W;(_!#=r
zltq|f?yXp`+JJKn=(#c=x+8ux)p2CB8)%70#S1*to6PHIXl{1Cf_{Ii&ow5@i=<+&
znbBM32n6~aSx7I&GdXr@lrg1T*I=olfk{epYI7Xpt!s)0#hejCg2vmFzCP4Auv^}p
z6%#@CX!}?`l${gWhp@9`nRim+CysGfy6|+3Y1igDr5#_h-J7bigVVQUpMJb+OI3>U
zQOVSsrOS_8cA5#;eQX%}+IBih#MVpp+gva6gGNH;E3`0$+10Mt{!O7kDR1ieCvC}H
zW!{k!1@m61u1`TW8STmzy>xK4)73hXOxiIa?8;(#UP0gNSrukx?)K?Pgqg#gp0iQt
zGFSt)gV6PWJ{n8q3a-trb&2CH((T)t`a%G`q8|bWUkax%Lq4CVz6Apkgqx;L(l~87
zhi+WK7rIUhOW{XLTGX7NQHlNEz{k-8zI$SKw>wM}(L3F4sDX!<43rcl7B&YIM@~A|
z*Z^8B4yJH*EXSO6MH%O>n~{O&J3i3w%2;b7FW;~bEfG$Y!Mg+a{<82F|1@yCyXekc
zL|1{s@@Po_Tn=1au{hVes06)>Wi?}?2i=my^lCtDslr*$Jkk0U%=%PTJ<c3zCKx%Y
za?U&mX5n(%iL7l}ocP)fE<LG_pBowhD;L_zAVq&3-u2b$ZMV0mK$U6&+^jbYyDBqT
zu=4TBOV;b%V)&-jNzC0g+BfQD4J!w~)XGvSw`+ZHc3o<R>@$@fLrR2BnIQ9Z=Kd<5
z340X-xBLvT(n3Aw`V94Jab18&@Tt9KXz=g`$fL>11zVAgiyt@o9YnnYh=0X+PV=})
zbVT@9Hdb`RQa^n2ig<+}-b9?DE_kd?YvXk3g~_?P^^31xS{SzHz~#=jkDpYOq##em
zrTP!dIAAMD(`$U?y)NMY73bUeBs1nOhmP1_+Vp2iq($pf!G(?@LKf2zhyI55b2qfa
zRjSUpJhOiU@01dkp(CxE!rbA$QgPX7F(~}D{FRCdYdI;XUfmUzCq?}-Aj2O?TfuCm
z)!ln-%R2sy`qoBU)s8%ri@ZjfDi$WTw67w;c0-H|ZYwTmlm$;Jb?$AdxH9lKc?98+
zz||z(Q5#|P&vF26^fov6yjiljqRZ0dWzFWhjEtF()oxcAAiAVgqVF^Ktt$65gh7YT
z=4l;?D=e}Byf%{WKv4}gCB3Iyg-S*d;Lt7PI4`sc;7uhEVq(BT;B)v1{;K_~tc0d)
zTSb?wG_kH$CuU`N<AqIC)gR-i(leJ^S2ODtUw2}f#~78j(N1Cdl<%R$)R|u2*E%mJ
z-qO?TFl5l605*^fi~nCS_Otw<6JzZ@XL2P!dkkeswzf9%RE|$a5wNq28GT659qW@;
zo~O=!>s6aym>WfaPY6ZkX=TpXb5%f;8Q124>N;Y{GiO=G5@}71Do_-^)Op6_YIZYO
zb!X;LQmUacK^DVa2D>U`ww}dabkIqiI!ReJIY@a$l!gr~N=e&CO`K}&d*wcRq>NOg
z30KULC<YtTI?HZr-jUV7n<FAl8=eB&n+;yOLcpMGg}yk_#kx;IP156vmyj2U;zee6
zqGB3W)A0|BA>g8d{nib990~N$3w$EXsI|k+J`oqX+UNOa;WX=(%O;W))OhJegBN%1
zy1>sBDR#sUO{A2Q$MoH9^~J>?!f~Z7r{r2opZJU-F1@3}g9<i-mkr;}72DEvCj!Wm
zT30uoc(%x3(*P&?Q$Og+q;Kt=BuuB<Oqs&Qd-$uU3^u}xkWBqDu)2FYQ0}KsmDv*9
z89P_kBn)1#UVa@I0RIHNhp=^?Lbl+j6!exHG=I+7zpzX{&Ut|<MTyQQrZ{GXsOyEW
zG|;D7qI~z30_yP~1*+z_O!e>ZQZ6MoFbBPq9hPk!bVQ)KQ@pxcjCb%J*YpnF*|4*V
zBJ4k7uP@{N<SqqJ`{A#AtgyvS-^3l#SbzjC?;2<C-SC7A*C_pO@8;?ztVv$Hu)k-u
zvbRGf;9Gi|ow}0DYh$!(iem*-_m=>^ma(9J5<J4yc?uh6C#tvZs^xUTI4)RXsT7^-
zr5L!yuq>*(6G4yk@Rau7KtdQyB4V@<xUoq4ht>YI0MAVH^h+E$b9>->Pg!2lTo>p&
z-$SrY9|c~y5nhNn)C*Q2QK6UldJXt&T3_cn*LMTHUPu$mIBq;UczWF%E6H5#MI2>L
zC16i{iNf?K-6T$sS6p^m4a~~hl&wH?xYF~(Y2@{&6HFr?xc^m40Nj?_rF9>)*EAfb
zhYEVX1wr0yO4;KZMtOQ@Wwc;*+xmvXH)5nOr4M=XbOZvQcY)sjU<a2F&P_lG>${6g
zPLDhc|LtD(s<c~5UeT(hg_-73hwl4l$2i}!i(SVb_F`clrda3S81U5_!b&FtosBx>
zJo(%EXyZ8u46@JtBl}j4{@7GOzN%30Tk1CI{zSGyN&llHWwH7Ne1b<pgRjeZXlyw2
zi<nG&Rr)TlqaOfvu9IQM6HjqIn`B7^&t4f&yH!oEtt$smV+zzrTqz1YB=Tj^-f!`<
z>!O77Vo#?S>H7pY@5TDh1sPERyqC1^rEZdaT!N*hm*y3r{gXj5MFtI&D;(&}88A;L
zU7p>JZNte4<8T-1&q=gg7-{rRXz+LO4%bHxk@COh3&|AZlR<wiIDcI`@u<^k$3=vL
z_5G4RzLh=-t}=Fw@xYMa?VBc4Q`hX5Fyl|*uS#tc`~HUVT$?@>2$wRI{YwDNsSgW@
z7kq9si^=xy3ms))A9qk-W|}YXjkZ??ZqGWT^{IZQQotmim4zi<h4OajZy#%0MnOK(
zo^cCLZ%wFw7`xCdLs+FoH+sIMRNPQy#V*=SUhtEZ3!q`g`;}Pg<0z{p)%xla&dej7
zA3X0;(Eht~5FRzGJOl`;SgkwrzxqY|RXwvGuqV*)FJ#_K38&ML&XKB&Eoxl{c`hls
zWg;dS{85exsj_`7wI(V`a_5&O%a_r@@Zw~)`KG(6h+(H!ppQzLB<+aY-^OI*h9cr0
z6q9$B>RhfN;h&5$k+&X9N5{l8mNC7W?^A;~5zN%2u7>8BfE4k%CO<C0?Q3$GOMkYr
z!0L**f?BLw#^frl;y7!+>!}`c7joOQ9yRDP8_{Ia>AirACk3S)&ko@DrOVjU>&If9
z<suS;I*?sdyk1=rHzHJBN3PbC#YUVj6dW2q;I+p-L`d#g&mTtw_InstN}p6&KzzzN
zJlo=Tyw4*`V-LP}NlyCRX)09?dYgsZjES@alEXqCeCRW}cq81)L|1?4`hiGE7s=N#
z*>?vI5*+j>7$K4Nm6O*3%B!D?X2RmVX4%BWiH}9P5FQir@WXj=G&Lb+W)i2a-rh$y
zJvzp&Ai)(R*>yA`1G%4Sk&d`SdO<oeZZXtswpujL8c2_zTMRMUAM7T06X|~KV0YDO
zMl>fwmgbBx0QXh54#56Ow@p>5YDWj~_pYo8q7=KG3~bN-t_hP%TD;FcQR%H_r$1!!
z_w%ZQ_jTCGwKt4PZjFYBKNWjTMCQc3(Q_(+PR?y&+BNu=>PU+NkuOPItvc5jps-@a
zsH-jgkP)l_{=*oVS)DWTedO~MU3Rz2jBd79G2Stovt+v<vrNOVis&~>6aAx{NzI=a
zx28*U>`K`Od>YJyI3^levOesEohR>b#kc$3dV~Z138>kvVW$vaTJX19UnF`zM~5iL
z1r~-VB!>IVU$v_Vb@G?1yJ^cSI7E77tCy5M*^=x~S~{y&$oJ&U72G>;ihN>7CSA?+
z)C?SVp>1U(Xqr-x&(=8)w_pv?%1rPEGZ=yiX%y{7y_e(V_F@b+^PJM=s!DOcHY4UK
z6R#0XH*QS186^}9QB!SxDdvF3W_1lrlS`3C-H!LDlzA_8svphKoNOt;a!|IuBf3Z~
za(%4Mb%tHeu17&`?Y)H&&Y&XjT*KaO@(%9#e2sp}ar%6z*w;yErlO0>{VV?BI-3o?
zO&IJ+y=F1|M4u*b!W1rLZ64#N^W2%EUmZ3-^klT=gN#*_9JEGUcgCJ2#)t>&0kAsp
z3%leo*%qv<oOn_fZPkqWmIz6l`vl}wHXM@3d3BQ(32V-ddM*{+n3~v!tf7yp){m7w
z!k{|ICc0k(z-=t)2s8LFVhLsW^?s93A1%A4yJgWzJ34XIr4C=Z7eEtHb!bC_rG0}9
zMyik-!Lb^EjP)9xu{l^@Vrr>5UuUb)Y8X;+tK%lmIfw64Cl~A3RSuKbJ#~+|2n9UN
z*J;csOM40U<I0>C<x`Sxx@qYwuXE^|M@lBFGq=)i$_~5y*6-U|OlKzudk1cNLGdYn
z?B8GQPuk<$G;*%N&t)v<1ofl`>n2=^+>l$)H$%lHQ8~S{9wdBV8_QEhto{H7VFB)(
zeOzq^wFFt8{GndtRqn!WjbAA7-yS$)@7!n%airJpz5k}2ugZgWpXI_TZq{otmKoqu
zvvvFZz==~%p0?U$4`HZP6-c}Bo<aCzIhc_CrUY@gGP@_`YGXtf%A%EdA!W9vZF%XB
zuNiuxB#zhZ-(AXoW81xV{SD*(p*h8S^Ud63>|Ba#U!U&C=!C{1b*A;iZw8VyAB?Pc
z)bpFsjnm4yiL=ykP1WYt^cZ?2)dy#l64W3orZF(@*mY{EeXK;<Q&G9zvS{EwD@hg_
zT{^h?GTVAK=v3~|8j)^nph>Abv-_2>)*=rpnZpYkX}Y+er9iM}z6VU(afc#k7l=)C
zM>6;AFHxI#u6TA{@(Neb6xIao7_cK-nrv5#)~DI~S+yE0G0z7W8&x?VmSVQw+v{~(
zW#8e4XR9wtH7qvdD%o^jm$3Oh?!o%hGVT4$gU4FUFkm^6+MRJ4UMTBH$^R4m-lm~r
z2itN+GJCRE!8*Jo8d;w5$Kff=8+O5N`9!J|BGetf$lf8RWE<7!$sMMl!5(OLD9cUs
z9Pd_ddf%Ya(<AvFml4!CvWEcmf^A~?R`x!vPq;py4$dih6TK0wfT;|#+&+cfH=~~i
z?CTb*Z*2Fu+gEBsA5}a*JXbDB4|=_N_Dlbw6U?oMY=Skjeo_{ZGq{f%Gq!KIDm%fx
zpfrYQle#4clGkr|alN32`uk#B8mhB9E!@5T+BOn<at{Z@b`i03{>)Op`^ni-JJ?<B
z$1Z|`hN)f={3sG$)Y!TLURODq3ubbG-zP5fkz9fCTsNaC7;ar9lxB|xx*V4+svzbI
z{H`4R+N;16&h*kUaHHm?oU%_Hex*25PD!9@I&=8^y-x7!-G)CfIAz@TCN{{Xc^5pW
z3e{B0_k?-=s#C`}{WHeRoltrgIN#=L3=w*(KRpEWsHGJIGAI!dcenW}1FEndm*uK1
zoN181NO1USSR^Wri`SKN-Tz-b*tdIpNNvu3yo0Yh@6K?;jLfT9ySw}^#pVW|Z)28?
zHX!1fwgaSGm+3Y4yej|Sp8Bp{Lj~SJ*<<KwFX)PYX>M3u<11EKvXw5+)EX8pllJ3u
zz}vg+T<2W+t*HUJ0`4eL>)_T8C$EcOf7gImo<ot$IEr~9w>{6~V<LbO$L862P$g~q
z_Z>m}+L_>inj!2uB?=E)ypGV+%GPTe{BvM&5iaws3%c2iCm)NgaM7K!h=yz<P9Fer
z&Q6XCIe_<n{J$Ld-bLpGu+}FsX+;6|JMnSN0Q<gE(j(W&`N=YW%rSwS)GJRW$p?pA
zw|JEExH{-u^S0JxZW;G4<*x#-Xu-wf{uQ|hSKV^V>y-ot=>vO|{yRE44ul))CMPUw
z)`8#Ox#M31;dcE6*9>N&!L5&Rk<MSKg#=dm89`=qIX;z{n7?H-BPG^h{e(CFI%HXG
zo?c1b3q!g8*MAVGx@NRFK^XOZJs26}=SoM!`q&mOs5@f`9JkXO#Lk*MT7T2<>JP32
zm(7i|riFvwA6Syz!o9@Z{d1W!?3H1X&gw|S%u*X;JI944UMq$q)=Lg7&Y`ab4zPkM
zckzW6Gat%7nn`evUzrj|n+7iU$2%hlm<sF4_8XO}{lh5cXZr*M^M#UvHJfHao1U{U
zVR`heMsucy<tlV?*q#iAVq%;3B{s27^rLQ2y94U-TxMo_56;`JAzxiyn-jx|A_<Oq
z_q4BmXYd59Fwqyvnh`|EXqjkMa{`5%mapI}=;p&wL=JSua?AIBLD@6OfUgV4w--`m
z0g4D^?pBXMQM23MW_Q1L@3BKu%7h)|ben;0jWOywmbpfAA&J1~H&D6b;`E2c`{uTj
z8E$PWxIjd7{T~`SB>cy_d2Ezy27FGKkLZAGZz}Ci1WJghq(WJ>^Xsth`p6LFb(>3V
zn{NUO2GWu;DRVI-$j&u2=hyal;rr#<XYo%UNjfhNoYC{Fi35B$gL9|$06JN7)ub_~
zS5jsrf0Z3NZR9LDCP?%OnsKAmn}F6U3uJwtPObl##*VXq;HJ{Q*<NGC0y`ZJ{WnWy
zS$zoY<5nt^nJVF~hhd{DV&NaZ88kU0SwZzS2aYUD&!+9BQ-wEfo6knne2j-H@wk<4
zW!-UNa<KHbOv$K_KMGy+R4P_EUlux_6zYye&!q1yuwzUh1u0cJ|2pXPrX-CoRAJPq
zk*tlxk?8%qI{pjh996sN8GdIsqiD#9ix(jy@yk8&<ZPf?0aEr=5i&wUrXRjIi!Y!u
zC}a5C%;MZ26#i<y(1Bdif^f+5Y42~Fr1bVa-?io5V$9}AJED&CW@C0mIK99CQ@V4@
zofK*rt$0`W7&EBHv>nki;uuO*FHBrnMKI*73`?LU)I!$RZtn?S+p|i2qR0^^i@FA-
z`swGz&=jxnDbmmhLjTyc)!0YH1_N_30nKQ1pes?yn~itGk9sp|$9EF{CY@(CiO^#^
zsMqMXS~w}5{Y{VMnRKt@8FEuZx@+}nyXO=S`SAasLFr2<U1ymKA}q&8G4JJZE{%h^
z9UbKMMXp}Pl=wx&@84pz7#46$BBQSTme&nTZRDK4x#YH$$pFr^xob3{pptjR3F_>~
zW+}Rry)5O;p4%vi@f${8o-mJ#YB6tH*lBx7pW}HdT0ly7aZpSU9{X*=f^Ztu&Y*c;
z#><$WS4VbUC`&?uedn%l{h^oNsGCSyJX-eg7$SmsnrKK=<@OoOJPysoQV&p<tjnW1
zz4I5Mh<jE7!Rbb-6Zmm8+TZHNHL6sChfdjy0Dc-?K248Iy<DS%>6C0Op3qbci;{MY
z=o2*Vr2N$d)vs^qP(6oy){c=|rXE;XogSr|brMwjRI?Y{^T5K0wLIsVmi-4=Dt);(
zCos~Jw!PWw^;O80hj^T1#cqf6cF&sMrAn_>ZIbJm6AXEraH86%vf-}HK1l8fo^uk4
z50V{6st(BIEw)yD6I5ueNKvKTKW&RKfLnRCQ)UYr3Ik>9=@B`4yOatz<8C;#>$day
zq_f|P>tm5hC+*`MNHecqJ6oVnunJ6~5X5BG>%Jr-960gHm6+OFe62M<FTGcb$g;1{
z>7#<Z=vjHq{!zGOThH628kP5680ojuXvhjgv<2hKp?1;8@(G<oE8dIDegc+OKc-6E
z$T<HS6gn1aDHPa9(4?4YI&XI2v*8pqdj(evHCpt_P?d8l(S^Lvuh`_fUQ`~l_m_Pp
z@;C-8AMZZkapn&gi}|U%^wT4F-cE)m%p&aUq0RwRAJ$Rn6dOi5xbO_P^s2{cp__e$
zTzN)rtk}~VExS2<A2|F9zCPuLcxPaq{d-Y%dyWXb0IT!0Cv^t$@>S~qrqp|hnnH;c
zHZdu5Wfsr1&<E%hac>v!3Q8JbsfD+mv&${Ln}ZUG#XZJDHSG8SAJ2BU{|Zmqzv+0{
zO%p6})Z&@tw*z79lI#{U4#$I$`9>)C#JidEer0n>XMYzlnKHI7RuvMe6TCq4)rR!B
z{vmEc5&F_l(mLQkE$_*#et?edO5J-#;{38s8&yI9>hye14L;jhVv7*Y>e~c<^fE5c
zd#-JOxiV~6s(U)QeVpy`S(WjT+Hl-6ew)V>*r;K!YzJ=-bEW^uIq-2N)1LI65I^Nm
z>P0PR^hX?3c#Fb8+1qm8zCfEY9mkP4S0;TKr0J!lU5><<;@4TB+A|;n>+srWCc!Zu
zU5Dn{7db6D5c}o$BnUG~cTna(4C;fN+O!=!v*$_y%yz&G#n+7zDQw9N8AAa3(`L?>
zR-VzJhppbQg{MY~@Im5Y#MDpTy*{9Y5yCRhxz6Id4?UJDZ}gzViCnZKO-|$z@T^{%
z@=ZA;`=Mjy`5A}(n9?H0C(lV^NN_w+@7iE4Xenr-!ca<+lI50(O~oK}TwKsMNQ>;$
zwv$YjH_7`pXK9-nQ58w@z0DGH-IQp}X9V-sD9^Fe%%qx3%bCR2Aniht)zSqh3?1#U
z(ouICSNON=-?A)vxjQ~O=6SrT&k7IuC|8kzgAH2?f7YQ%=+g*_+W@Ep8wtA=daLvy
zv!TGp944-?LO8?s)Wv2r3@XI8?}*#Dn9Zc>*4{hK0>Q8PI~devfirpw38%I`Ahu9B
zzM3>C@sJ0-W#3a7H7XaG;RAo6SFCcIIb@5jk@q?>ICLaw%oJ{+&vMb`D15@5AZe8+
z!KIx^sy#_P)ay;<<%u5bYfTqkSr`(6bP1~o2GOC(BbNwv-~0{{<hr_T_y0~cGtzzM
z6&Z7)aK!+lXIP%?m_(fJfI3>7BiVf`-np>wNwK|HpHK-3JX^65v9vRK>^Vs_ewxzd
zM0+}XU&%kf-QC?Nu&Z46hKN9v#afIE0(`kiKYA;yVmMpD8qlJMM@_oMm&eM5LC^JT
zWXs8373kcgI8L=&A#@nD_PAB`IMFW;d7t0$#3K1Bm0G&5%LbRW44DnEVjjgzKFQj0
zMi5>`SeO*%4{^VPOi^|_ywdW-#_5m!DS7+01cwp7M~aj(Ln7z33nEioQ>Y)=hudF5
zCj>@lR0ms3sa@!SW{hq&#X-U+BTWQy!an{2$>1F621B=88_!-$oLliE9dR=2<D9|0
zD-QI|4<x7EXSE$--7K_Lw=H%p9B?^GY~JTMFpdc5!OUMTp9sIb8l>ChdW`aWkuB(S
zr6TpddB<XplW$VxM>&~{6^#jJM^5)bqyu?oV!6cHx<}5@%5~r!a?I0$<%U$8Q5Q8H
zs3r5`70pILE6Ut@Gkev2j>hTHmjYmclV~L@#|(nrl!sW0QBMK%cIc6SGu#O=++U+P
zzo#i5ke!M-exn0cdw`_7y?{bZFL;dj)kN6)y>3?baNWU`Lulcsdvdvm-o3jv_xKgn
z<jvi(Ii1_I0#15hT1)MDK@kr>uKM{%y$`iz&)EUOq_Ee%bg0$lWXg2tIgIEv)dSy(
zjzkh%<Z<xgz`_01;YeM=A(Czx`c9o}cQbbcm~Ix?5u6?p;n5e;;*gc>n$!pOthjv8
zt%J+!%K6Pm;vLKD?PcH4?nUUaUbp!zBM&_j?mBK2ePRLM>i1Y(^zABDhMeds!HCy3
zY}2|naGF(DVr#5VE;L{soZJMqQ6d#8V_xB?#TW6>^w&!}F?bCAF*7^YK$`lzdM=Ix
z1*g{x?^g;mn)BwhNqDmE{%=$<rkMv?zdP&%D~fQoUiOjX8WuI%BPICouTD<EVeQX^
z{e2Xu(S3htJG9SXikM%7Yb7h$DJ4r;K9X|1`>t-HuO&@?v^8|3??6i)c|<g$4#%0T
z_6cya0Zp+w?md!=uJhLwo5JA?SM<LA7dn;YU*}c*{_?eG8~|3chWq3WtkgPk3qZP(
zc?V}Wt1+L3%unjV$2Ta6tR?F|N}-$Rk>it{EnylskeY(PU_&R2ZyL)qcM<<K6gY0C
zIis<Xi~4PE_a?E2xj}X5Yqi*Wd2LFSg9zpQ+p%c}7e>N%uNPW&nyv3!<qr0#bFaZ!
zo5TT75Ai|HEi#V2eYDy&sy>f`oHo1nSGXN#`ZjFt`($2WvrqKQd?q^j_=}n#s;%7N
zXglm*GO-3+VFnX|&P$iqW)p!+Hc-$}x+YPSyGvtW+-tgf+YK@XlxHv$0^H7WF{C0e
zEC|E>JhYDCg?;))tc>J^$jUBRabC)b_uY*+>f+kPw*#zMv!lD9m&fWwwAb6QGIEzH
zE*f=UoyG%4a(%*otRK8ZmC#z*2bOn`fn}6yNPY%Kul&!Wltxt^BUFK(ZX72FMT-9p
z29eoFFy7PQkE&~Zw(PDKy{@4qkNw<Iw{u_etl6dYJ)O;@WDd^{r<Ammtxvb$R*K17
zT3fahaJgq2*s=V-mtFAZ(y{joBrcDHzKU1{=QmnPNJ_@kcB=540C$nIhQJK)<h=;1
zY7O|`JBT;<1Us@uxaQk_WW%{Z5a|H(VSUOjwE4>uY<bwxS6T)S#n+0W+_bnS@AUw<
z;WYl~#{WFXpDP-a%Hp>2&41sh$u3(f#m{vA_6CfJ<kz!`zT6;%a+PQH>erQ$<O}PJ
zO56UQ>_7N$y@(17eB0HS=ahMrJDj|%EUm01BqQv|h-qtUD>GY_Z+p5P7u@h>BumuA
z%~`r-;^*4w+=01XB<e?V{XJYvM|eF3+$d=_EZQKxB%xw{hHF2s2fbfdOUA3}jPC=&
zoWegC*ktU@2`i-e9=b;xdC;pYeW-amVBuKGj|B<D+O`fBtn<?3^@!#O34Lm&w|nC;
z&NMIRdT`VGTRdq9mXme>##crB)o*~F3eRjxk#3eL{xA1dErA5#8%X5<q*u@D81A@c
zz>T<`8Qf65iBA7kz8|)F9-LKy@mO&x2d-?s0&Lx`-6Q=~AWvs@t%%)*t1E)rxe!OT
zI^T~bOQO$ma~`P5%Rh{-oGSVoTmA>2Wu(|ZWjWpEwfS&@$BpHj^40??R*nN(;SBy+
zhl<$`S>zI?!@h`XPdi~e)Q}UrHjhux!1C+~p&@$VnpCE(7xZsL4})Mm7W4%-!<)AU
z2m`0aMK6=E>WR4zMR{%5@ii8ks$O61$&Asv!KF*luULxC=3sgA^`=-u$_#t09hA#M
zPbFbWumJw5tK4CU!KMn5R2!8zly+|IM|PRRYADa_7kUvksmz?4<52w-b!ytgGrM(i
z+fq7t5*(WCz1cJjJH|Ez>mzpwLmIn*8yzD~!RDQ#on9*E?GyIgb`{8{Jd^jq%ilN9
zoXm|D{ibNV>^GJ)uTb;1ADXLBY>xd3B?N-{t~+y)5i+t3%+3Ne>+}P61xnvCs9*CS
zwz#9az*m0%^(|p6`1Az8W;gePU0Z^23r#))Uzk%qIKvHv4Ia9@*{>>3<q#0nuSsqL
zZuFITWiq+&dtu^969Bjq@#ncS*FkV~15Yx%!qpv{gUj`~)CAEZ{f*1~1rE%%K(nO_
zURnqAIG?cKuj0<m1b+r45;i8t-u_bbOb`PiQ);mFF9jQepA3G;dKED|Je-nV`_Z3V
zk)4zK2p<8?BJnp7QHK-EVzQ}s{Jg9x3lc{`dz1^ZcfNJkUw*rg{6LlBSFja&c6wuJ
zZjV6oDD%E^vaF<RN=(3bbLrt%nQVa&yQ_YFCYH@5S432yC#JfJ83I+d%;N%sHD^4C
zV`<_q_<+1)Yhy@Q8-rgH_JPcPVFD}&rTI6>9G$^~tsE_BxbUP|1u}+A6$PsDpK^yR
z^-2ENAqX?6U4k3}6!n_hkttqHz>UX3KG5Zdjv(;2k8r7e8-OFr&KFovgdZ^~<|v8o
z%*n`d=yoweI}B{wn_C6DVk>aI!?y|^hog^9m)Tu$)q|};u3!!GZ#>Fw2UZ5IH{Q26
zvd7se9vAMUr^$i%uvaGc6z`T7J*J5&CkO-?we(2NkM(EP;9OiKH#3T0xTF#qRzWl8
zW;4Bbve^0X_pZ@zs*W>qeXcFkm=d`#dO;(`SO!3}IdoaV1gseKUk0T>I34VQ1e>41
zuEE#Ye-v;1D>PWu3{f#>ITuB1rubCIN9Nwj!@fF7UXCJX%w;N<_$#OsiRk^p3{`hk
zc$~$%!K9?NwY*EO7C$`vexnESgK4xw2=1_N1aWVT%L9yGUbkG-qmEZpUYPS0R%c6l
zmPYQ!jN%I<!|q^6+ZLn7!qp=^hfhZ)y^AbP+`2%i?D2lYXXE^#Im;5}r+3D^K$b}1
z1*%HHo=82xDxC_2Z~-1TY<br7n_!7!5c;N;JK^|<HY{&-IVmjCQSWrqq5oK-{@wT%
z;BrlAuW$T4=c9}}@5Bzg4OZF0SI?gxzbRsw(P7CmduTyQ8erL+G_Py%pa9*pyEFI?
z21d%7_OPBnO|UXD!id#gwfdA)54vQM9@*dd)(rY1pGt~V<-w6|$9KhBg7JHb*<N_2
zNyDmh0{)GUcE$D%Q|JQGJw7+oaDm2?&(^s8n$WE}9*8Wj+kkfmB|yS&G7Ymm(>)qm
zWci@jV6%C+t@e-;tZIyulI(zp_4~{-8%xhjRyHQT49FntN+47j=j@ZLI?s+_f`=(4
z4P0=2;GzKoeY=O2$H0CY#{DXzrDH{2V7>CBDYWNOl@spc%}gbr>y~4J(&2vFB&I_6
z1VNVorK?uY9dd19u*K{Dlcb|(k4v|8@g!7;I!p4nsTk&1##7QvJZI$Gf#YGs+$cqW
zPNk1Bp(FxFhbt5HhB+@&fE!1*-1QvF?RW<kpl`t}$Jq<P>a`q6{8gRCmDz6yT09lI
zt;1{VT1fo$@x{r0Atme%xBp;!8$F&pL1)h}s}bJ8AwX5$ziqLb&n9!`&z|ZQ?*X3K
z2Y_mtB{nN<!j@~D3_~rCjq=(Yk>+LG$6W&r!Myq>Eu%~x$|0V-hPSl8-PB>?0RCh{
zdj%cA1kr-=V=1f+K%A>O?(*U9TLmp;LCd2y2iLv`Zp1*g?x0O{D)0^FpBYm1U~3o3
zUW>02s0v-!wH-jnbqM1k!3l9SJhQ2+>DamOuJRz%1s1ni1DsTc1RW!OoF2G&Q=UAb
zzeqK4^6udoTYdY?PWs^JrP{izd$Zt4yR+xR{$mN5p+}`Z3GldTyM)Q_<`xT8ql+v{
zs+7&;CGEQwni^17^3;owdUb^`$EtW?Er?KX5xdkKi5}fr^yfP-r|^uSpyE02U82GD
zg-{x;Ql$f;M+H6c4zOSMDxg(dEEN2{tsQI*ITDi_8f=38UUVk=#i|tyxeK$biF2%A
z9vN~<qB$>|n~han8g;q$i<*|XtFibjFC*h{_oF&|B+0=AI6moa)zfm)#Y|#{=^2|0
ziLzJFH*xNGg11g;%9}!MX!;y9E+e06HX&qkDo3OYT&q{<Ydf&>Pyg6#7Jd_{&sA#L
zfsb?qBS)O8#Of5>(GFuG8jL^Du&1{j;^TG%m`}8T=NR<f<L2u$XHTxLS)dVZc+mxW
zwCuR}suQhfum2_A=f7%gwKoR5Bk@(JgI<3(7}uX=dAGx!a81ycqP7$KRb*=&U{xG7
z486|bmSh8izM!mC@u)!C;j7>0OQod4(&PicX~Z_n?SNbA+MpuFC?CjL;Ey2>$k;MB
z*qsfKrOZe5L497#N%E3&stLQZSsOMYvi8V|e;Wmd6t<7Wf|oc}6vIJu5H*t0^o#+b
zoJ-Ov79`B`^kFjPBM-0#=r{XC*>i7}u#-F6p&$7_-hMXdozv#56rf=LBg50a-c<m|
zuVn+k<YD{`kJcYSHfZV7OfSd+|8&KH@BI9YU!OAj%RB2Ib-V_((SN-Qe)j+A2OX{8
zB>7e9z&~C|<cIONOGkIb{Ongw`LK}lRy6qS(9b1bH%1Z+EzSPfLq{XneeiP#hPcu{
zFTi$Aa7gvf?o-2xUtS!3)b`8p42`*8UZfnp6amiH*=Pox{QS!c@HSu$@8`|l^!tv~
z)QX{+#U$i>M+h~H==5K2;e_#WVhH{6jwNy_09&$z#8F&p<$PC`dlaX!BbxojEBA4;
z2ZsX8=dq6^D`SrRbBDu^h^~o5WXN-&;DLpxh~Xjm{()V^(f*)myJ~3}cxEn1{Nmz|
z4aTKSgI2p1y)qUPfnZjI+n1NHo}=a$2!tJywIk6SpCQ&s%l??T6ozM!BXFEx`Z1xb
zf6me&K|RB=DQfJWCQu_*mT@^0bmg!9h=C=%3MM1Pw9G0NjOC8@FZZLB`j=**jo$8z
zr_q6hO9{=(y|crHN|WD_Qq5S%b<mN9^!uXbKG#sM7R%71(jJvlyxJK9b4h+V$Y0Lm
zgXah1ihte6^ODkJ|6CFw?v^IDB;LbF9_*dRvaZj~);jEf_C^x!{zIBaDMYUfhEUTX
z;MIlP_ooU|z?qBNXljj-(Gv4@?M$FMT9eTD+Yf5RMI>O`gj3WfBO(2VgQhvGYjeE=
z?5N=Y9EYSS>2*!cca9X{fTLN}I#^X?FClOXw5|Zsi^>w#<K`vZ7!EvOZ7o3~rNgom
zJAH!k5t(9kucgvx&f7`HQv_ojz;NN~rk0<KDlr<t;-5Q>^it(<^V>f(v{+;}Z;o*3
zp3@wuARqD6tKqMh#tgdxy?zKbQ|Kqn<BFJy)Ap4gShLaFn^$z@jt0#*tUzidgN7ux
zqZcl$+RPcEj4;^UOC3=5)G!n^1Ur_*P6ineY`so>W%(J&OhfsX8qUuYgL|^&vpK@9
z?HMN?_2(_AC_cFtu8yRXUCN1RP-*jDkq-gOM`94BKUn=yimKAIxQnU7ZvYuvmsRnb
zQD5xEk;mmdg9!gSd^T|Njo$o@oMUAr@e3)2laYi0vq0J?=@DK&=y-+AWl1mCjS4c~
z0&0~&V||APvA%ne4gjw%5meHlq+2tyW`B^JQ<CRY0Q%k&|EL#N^IrL#F!FCed~mT!
zZ*S}@?)~&-gk^W)p{>D<zNKkT|Kaed+P+>%FY|d)C6r&%hgI_7d9EjO6t;SitpX+G
zjHL49nU;0kWFTlS;EF9pcil54nIB}5#Jt-v%1HYewSS1CQd|O6&S{bd=Q8ve0xsC%
zEKTcE2vqz2EwQv?smlu98*D>#{aV|Uqc~Z(QrjnuSP7gnKrfU>=rXj+D?ha7dOky?
zS@ybu1J!%BfsK0YW)KKLo34Rhh1Fv^`KwlV6@Kng1?rBrDQVgds6vjL*BB_v+%GZL
zk=YHlP16MMKh~9a9=UV@eN=IPzA2)4iLbG?FFJ_ka3|?rqIs)+V%Lj^@;`apmhsu{
zfQ-PWY@mc$+ij`)k|!@v;EuXMkk$`Y2S*>JYJ{`+<>dfM0R4y!YX4b;WnoA^L+d5n
zqa+x@4l94%RiVVeNSh&Uk30YPnqg*}ejmzI3w(%8?7%EL37p*@!6{jKBnQ`FH5<Vg
zUeIvx?ET&4NAzdNPA-6@VE#1oeZ^`kEFn85e#$GRax6VJQ-c6)bS~WykP?SgarLv(
z-~5j$lJ!Z%gUW16@MzeX%q!!R0S078T>N(PMuRPy)EcN3fvLbS1uWTP{@P-nU>nQQ
z==mt=rE%P<mz^`r$kwHx-jrFZ(RaxL1k|^>7c5VWT^*AI9ZcFyu>j}-f1cr6+_}v6
zglnqcQ+MXP{t?HH6J6?k@@lXDQ6Ek@k3hQiFZB=}i3Kj5R-AlSC-}?!7yVi<_^;Z#
z%;?~N=;9(d5I%Rs&B*7G{;v=QiJ;yuzczb)U6?e6{+|rW|F72T|Mg}dq5$Kx<Vv8(
z@wm53c-Y*5pG>ZA<X}E9>$3`<E68Q9%x$Uyn&M?BV2AgoQrT`?GH~P5z)awDKm?k#
z414!;+QQ+<E0=TF99AX{Y`PrG`+j2+kRaJaty&cksG7H^^4R+!W$vGUex#8-|D6b%
z<^k~$wZrONJOKH=r)C~1Ua+d<=HI%Y^8|huEY|^x0tXL&$p>ejD<zQbviAe$<$A!v
zVeUTzzyt1=w|Hdn0ZqbWZyV0$;MNOtK5#(DP%rrW#(kjQ8x`_%;kvvwi%;1ghGwmX
z0V}IF^C;UFSZ<)9w2WPCHxwjmYe!AoD<`p=Hmi5twKYp3@4!!*SokHC-;ls3E&Lzm
z-ZQGnG-?}tKokpzjs+DkmKm`DDo6k!Q4w`iiXuf?M5OmBEeVQ%ihzy^0zw1?loq6f
zo}i4NK<E%4fq+O2p@jsJ5IA=%GxL7$Ie*StXRYI(ER*o$?)TpNy7skcLiJl|=}))5
zlx>2q8s)S<N3?(P1yPNtFdH4{F`@v(TZHWZ45__Pt;<AW*qN5g(Br+JeRX+C-<TUB
zfSu;HtBIMZ-{g9qm>CA`K>v@PKJIxVbKk_abkKe4Z;;IcSw{8yhSjAup_ZaIX)3R%
z`Y^!uP|pA*S5{v&Uqw3V>)<`f5=Mr-2F%ZF)Zwfec$v;xLqEF4<=)T1u~7{y{9S7=
zg?N)C?X>G&2mIc>h3%J5>6PF00x`uaLvBCvG}EI=ii#5YkH8NeI_Q3h%Zdp&;ZNf#
zR4Fz)PFZa0>vp1_MmEXRpT6(SA7@#c`fpURHbGk*X^!Nwi~;w3<UEq#?IJSsP9XY0
z))k~m6HKsEl6j-+LhkPPXE-LwzhS-ew?KH5GnD!vSC4vMepklJn<WYM<?q_=AH?kb
zSRzuV8|^!=wL9OWhedwLq5_W(8K=_@)ja~gTZo%J=d<x>^X1Nftc`wxfQBnW%{Hx?
z@3lZFy%7gxkz@H)J`!`}Th#~tnO+<B*u^I{V`s_zYV+-n#%gam2YgtH;nr>_2a8kh
z%;=Iau?bn#bqB-R`yhX`a7<IRNORz&hZ_=&kYFUQYF8>RYH}V7I1;rbsb)#@82O!8
zHBZ^&#*{MI|AcPf35%>M{PXEtY(}qVy&#J>+@g}h=OUSLJj_b70o9HlY2g<S!1o4J
zGj`|Fk|N$dA)uqqK)urOnPU6$Z=YU)xsQ(D9lG4TX}KJQC3e&q&+Mij4NnaDXZARD
z5A)%WAS}Uw{@?}$uoN>&8W@e)dCM}IYP-R*%1o_Xmou8PZnVTp6Vx0)aj~ahhGKuH
ztp<w)w-PMRYq~oaKo+ZHzRt14sCPI0xw_h|A`U69yJKh}(~EAd-_BDvn?iP;ys#;m
z7w`s`+xNt@N0qwgVqAO%{H|-UK4qHHuF^2maHU;^HFhdv<N#m9qjB=MLyY8Lj8p(K
zrfOudbAXZryZv&vd;Ab3IWAZx#OCiZIS4wpHsrWWP|AVHPtU3hvXv?u!^{J0&MSQ+
zNQT_;PZO(<uhZ~2T<?9&SNThFq^cH4XEd*i+jdl3P3LFZ>t#kd1L{ezWJ;EI+ADtW
zOc+<r9C{_%n_-4rC61|07o_jZe1($?U6Uu%#-Cbuwh(##BaV@4OUPVs{f*F9He4K+
z#+-Dg$_mH%#zMD4^usY?NasSC`8iy!dBcX0>1OTf<6nQC6fdKyJg%{IiATKmA1Dpk
z<(o31__v0%lg0BS6>t_9w!X@o4|mmAa0$djHo2;5zH3ea<9rpg6}8CClPLN|>p+OF
z587xrPK&FJM2uQn)oq9Pf(ttQM;DR&gz9cgZ5+3_rh5wEfF<~ic3#i3%yoWzxUzVt
z*SeMe5wp7mjc^LJj4MFW@-3eTAT_(?%BRs$6aMvRzm3t^W2592bXZg6#8;MDw9G$y
z$_wsaFLTnX^$q+MEzA^cWA`yEp+9(>wyAeka%<xSu$i8Bz#lZ0IkvMBiS(WH#zM^q
zLhO44U7>eWd%)Batn{+xJ6;<rD=l#1eWS`+@LtDy)=Tb{*jmSxf<~`aOcXQ83wp(g
zI^gjBOx6tl8m~+Ph^K9*b*simhA@32^O@0kuKR2&hLx+M@u=@B8tGmXtsWF?Qo{^*
zqZx4<aVPSsNPZAZxF|)S(*V~g{L(kjx<M&uuMvIVZMc%W)!T=G>b|q)<(cP%Ep{+v
zGzTRn)7!{Xc1zB8h}rIL<7#e!122Wm?P<Q#sosK%nI8!Vm}+Om@+IVN6FHUJ6;@Hz
zJ0Z38hVmeRvAJ(AfvoC(4fE3d*+txH6=<rd#<?r40^$8kII^t)Y0I`7i8mzHdb)u?
z&t_qm_)N6#_iF<~OqH3wmzlY7`ueJy)-@d?(ys|pAv$HUC3udOXaD-p^J3M9jyd(d
zPI+dT0lQ#<QkbClRr#SMzF;8PLRvtYrrx*itY|6N%!JYb-Sr{t%AscEk&_;ee;rC8
zX?yB4pn*zo%ILRBdg(yH{+Y56eDGa|t!MEoj#z$HXj+z+>u*<g+^&;~cp-vs!uIvk
zo;}Qv%&n$`f6}U>{8-OZl~-}F#@Rj%PFD@r?l|rGuhFf(`ou==`z43NX<Tf$ZzxtB
zap#K2vFMmd@gG<C_suCHyZYZtSFCz$KVRf~tNzac**FOkImY{p0T=<efPYNjzdx~x
zf8l>#eCqL#+OB^i0Vn^DdvS2xO<`a}ZOi}u#qV!}+rQQSml+L$14+gKKY@t@s*(UT
z2mh+Mdm$l9Ger4kzy$iqm%Rdv0pS-Q(SiLwXx|$a7FOFR*+wUYS;v`QTX4g-xxz{S
zM`$WP9tnj&i)%q>Mi3hbfQ!^D$(R?1+C`ybwIIY4`3I8j_CpQ<f=)xh_d#G$6C3>e
z?$oUt%h=D)9YvrW3<KP7{jk;1N5fuMkH!ML&hyNs;8j0kJ)jZm%=CY&Cle+P(4ErZ
zw7kgd20K~oDmP)CU{^andwuGXZcV3G>*GR2!6lN4z}C~ZuklXtrG}ikcfDWZL|&y9
zAuG@bwT=4>Ggd>g(JQiB(Xn692W0*dHB8Fm2HZsI_XP0qMpMB}SqPFZqQMryI*Hp!
zWfqfOzX1ZEpB;Nuh%gVUpDZ>=WF~g$St#c`%6llc?5Qd8>7bj~gd_=o4Mqt#l4GgG
z;&@vyy8B2Q-!T|#czhR3?GL{d<8o93Ci(2WDal}U;|O6pa80A~-c}}P+!x;BY+Lgt
zfrODl9VU8W>G7Yq!pYIBVemBE0=qL+IjM<Kf~>-=<c!uW)cYysEpq)r{~aBLzt8+t
zb%Rp1*MTnW#Zr|1o6}c1f7fVX%@EJm*RW+7^#Z>70&VN+=&MC5Je!aGJ4%LP;<rN{
zn!yHHW~52gnfRmfyXuy&w5*hb_6#VS9(cgyAC;dR1sbx?B+DW&eybTd*JQGr(@t3F
z%Xkp~9fj>}QRVa3AK-o3^Mh*IHa7INTwl(xMsF!F3s=kx##gR;`@x%Edwb`7P$l4z
z`z}#ny8WH&{)Pf)Q|oG8f{CxI!PLHY@jo>WT0lOPtcN*p4hfsgPr<=J{bOX@c+s+V
ziey9s_oZXP1ZTr*&Nc{dRf?jO8$I{sa|B<<gB)=dxl__Hc__-XmJg}4WU%-GU2{sS
z&uVIeOp{DvJL~x?EUzgSJzsf<)#443pBtA>kW)?~kIaqI9ICt$a5wm*-FR&B<f3%w
zNVmzz01_qvoL3MCl?9b6_F7)~rqsI>rD+|JzA~z`kEyF&HRj^>TgHYfNhRo{TGw79
zD+Ad0Czbpt;wH*&cedn4{<p5r!j65w=3V7@ceL0Syi%DSl;Ls0-^;1av(nf%^xVS}
zaeu0Q+s5m~o-bmF)b`$imRi~uviEwuDhj1)yhRu7wEz4vU`$P{ntv5nm&NFD9Sdj=
z_XPT6&b{q!EN~PiV%(%DLWzn}M<7*mEV%uc<$U)B2~f=B^yBVC^ze%7gKadA4$p6>
zQ~IZ11G49=Py1ZykQQ*dcd9Eu18V1RnfJADQs@H>U&!V<xXz_~BC4nm_aPN^dQQYc
zD|!i(8F_(h_LJT^pec6(>dN$HKeUvqL+sVO-Ke=XWWhPwK)*TVL`+w}^^rvNxZP&F
zo%>xiQy{hWk-5>oB#<orsw)1@h4Y|=9yOaF_ji>Kj!ADC4y)Z)wHshSl;KY(@2kdo
z*cXbyr{I$0)u~pczN6?H7RFeX?)V9F_zsHn{m8o;3<pfdiT%CJx|<A$d3BC4r|ir?
zj{cvxph<N^Uw1Lim4|r7o@H%s&<T`NsFP|>oa89?%pF!JVc*D;ZC=vM5)GNE90qzH
zkK<x{)`ty`_B;*$Lv3Tk`j9`Kqj@P)$IuBT;XQbF%zW6y%eN!X!X=w)HtvV|rK<9-
zP*OSr-eLNtRy16^rzxX_>|<IhIwJXU`q_x-goO#N@#w7}*IZUq28*>dH{fXY3ZA-^
zY+lsmDPYy&P4tdHd83w9s{C1lps;@Fx0f*^9jrSw?9sm}^LV}PQWbh_CFJtUzSxb7
z(!K>Iv29871qGw7El8gTc)ZvHv|2Ohwl7_=?Nb?+j;5Jd%J2f)j%XC$ybla%^>Gj&
zzveU8Zb8e4+#Pgx(?)M;i9nIt?z<jwblM6m@<@vZ>((i%^-8;4V@6&c=vYKsT2T|l
zhxwi4yECQ}!o457q-%=ppW<IpeX~?{Gow9#p~)=xXua%hJTj{9EY~%34vB43>uYx8
z*ac?!Z4&X1kO(>XHn*m4&sNM}>%4~6AQgk16t0Erpxp)A!W@`?c^7DzFu3^Lq>X<B
z#TrHpWxgLZiFYr2<&!6?+&p#CJ5Xu;7D4mx=F62+zM|UZGV^D;*Kp$tZ6VF9@Lm&z
zI^uLmP)V&oGkf%Eaf<$t+j!1plANnd1NuOB(=1UlANCT*|JnOB9$seB-$u@#F5d)~
z=6@jHqZNTqMhCiA4RluVKWS@N9g&E=84fM(C_amn6lJ{5UEj(3*v3{-UE8?2TK8>N
zaI$;2QA6vnv325#3%%$h*``C&6>`aw3cpvwQA=E1&5OL`%SRhf+pXyC#zk`HswSNh
zjE`jx<~pM6Wo$o^iHHfY>T+37-2`LpJO!C{W2~+-UQ#g_dQ`M{3SCqbv`2OWFo(d)
zImUsk?Bnn-ez!~`(}})Syovl?y!s<%o6md+I%4DuREa`#9Eso#G~bU%Ivh$GgiKM?
zJ$YLWb~U^R!3Vm(zqnHGH802=89!@CijJR6wLO>WQLu4ewujG^pv0Mi!&{o{DCzQ0
zm#t1akMl6FqBv_}KfR>Y>z?&ffAx1>?EqnNm8n0$koV#j9)(ltK%=VP|GN4;KLfP3
zqxZB)H`Gmp`|Sp&4&Xiz^shV3*y*I8<YpAU%HP*P7+5Hk@Pewy^gpbmDlUDn+}RP8
zWUr{=TT|n4yzud74@fhwYB;~#)yy%u$M;<<*crWYx{OsfWe^w8KocToVwT)aP;b?c
za4l&HBDja5l@o-V3XjLXOb*$@&~_$ix+1I2QES*7y}C#un<UyRR+c6lAQJ%M9N6j{
z5lAtKJiKEv9HR<tzxqH{G8^|-)$@h6IbY3FS02aPZ{78%Nh9HA{zm0cYjuD_wwRoT
z*IXw?F@0xKnVWSPRFj1&Jwv=<@shT9wH;SuIuNO>&sAj<AKY$a?z7C+FdE_q^il}A
z!NAf5+8LnIJ9vR!Jp_<CXPVzzE^t^lWWCc4H<gQ9lzSNg_8}fv<m=eIooLdQM#mYu
z(32*r2aBw|<=R%))O%iNRF+PNM%7&>L_Iw&#HhOjU0H`4IqfDarebD=7LWp{NJn?{
zn|vG=tKoGF#eg)_K0A{>bcs`%)O#lJ+a;=uV$I|o&<5eA|6!|v2{T=UC~HdC?Ny8g
zwxbo_w}ow@xzMP+37U?RV%J;8w-jyJ)HUb^pJ$2WKM*yr%y5d@5>}^pP&Q!{$l=P`
zb!kt`IjL(j%5H%oQ#gLw-JEA1uI@mXKr}aMV42%4K4xd$`G$4jWU_b>8{<rc&4+Q)
znL{H-YN<@-{p$UzoIs0iqW+mW4X9uI`&x$}-VeK^I==e?v@`<8Gjz!m<;z<67|V@x
z&#Lje94~s&Zq65+#YqXZ{7IAFSw08BvqH4?|Lom+Py-3P0k+L|$;lrE?)NuBetgg*
z_G3~Yz>gi^O%(7F5s|k7fF)>U0rU{FC%*If%y>bM8O=`FHJI~9kZ`-@HQ&C|*z%}C
z;tQ-aNe$@7{CueYWl*-tSJ@NLAtrUp<58X4;SKEb{99jU*8{wS2>Hv57mf~wy2`?S
z_V6@RnSKIN{Qy+w@?pc0KHifrtY_B1I}+s=K*djpuMIs$|JYm*Bvx&nFLLchq^&%Z
zN2<r~#s`Jwv9}Hd?w;cbGw>)%5gt2Db7Mb!l-rQFG^fM*hR_H2>-&qN9FBSq)=(S0
ztk}%u^}H4I9F9txKH1Jg$^M4MeMsOGAse{3on^!Cx<*Ucb8)Lg@&#cTBlhM_mlO0^
zg?X$SK9TM<)!d&*u&^Dw0!2-&l&-vVcAt1SSDZvFe`rb%?vP1h^G(u36$f6W4>k79
z!1tcfaBK8@OL{QqR?6De0*u63@oKWYJQfp!h_EyQ7?S^tvT0|s+kg`?uB_S7jhi&v
zuuy@F$#H{@x;l)sI^I#&<J<4s^RJZ{TQ7r6O7tK{A)BLdGA3@5#iBQrvCypNp!U5k
z$@xZ4AsMR9CK#eEPj(1gwne0<Lc7^JbDUy`+Z|046c?1wjc(43IY@nP4bdjHltiN$
zj}xPQt`cBed=bCgD*4H$@LF>J+e_|<*qRFXWNKo}i6qk9wY2NYrCS2`6Va2O-@lX!
z5LRUMKX=zr7AirW>ao@!qW>}}79Eg8gceiVB?@t^8pUJFH#QXqK$8fQa%-{b&;Oao
zxiim6hfMnaR)!BxE@I4V-4R(TAW0-7@vw$p>M=N)ZRfqe4=m%5q2m{zoCFU7_e$5g
z5OG8(IDWm6+Fl=yiX7vBK;`#!Cu}$UbP;^GE$Ymj_NK?M{*G)nA0A|?GkDCS{T#d^
z?HD{v6f9DY^&eTK8*bF(!*^u3boZ_gxe&ZYW@88+SvV|uOJ?Rghz&{qXJIZwYQ(2t
zVsrXS;3DjYI!Plur&ij4Olj*{+SYN?M{W<`@aja*@}a|88B62<sM`AZU?$hXh^V@E
z!T>tDQZnizlR*$2*bIz8h$3~l!ENR7dtBcV@69Z=flb&DGKBLk?fD;*8xRkb2B4q1
zalVlML=yW$a%!I@Mtcq6iQKpF^<+Nu^-1+^7-vm+)wnx28>&6uVQ=JReJVgF>)|2;
zMF+Y@^F~HPW{?}!AVZ_phJ>xDYdxXEWqqzRiJq=~KiP~wNQ(;ZY*>rw8XWm|IbXPU
zdi{=O`gN0WyWlOG&gloPi-toXU+qPkexBLjctHGyC<XU$_0;T6iBUV0$V^q{v~-Ev
zwogpzLS*K&5h?i2G-kGiS1b`1I3Gri$?n{+5J{ElQ<~}|wcH{37bRrMMGIO{&*SHE
zuMd|Ic!YcEBPAO+i97b$V6DeCF-EBw^vCb<s<I4Kc2QCUZ$x4xN<MMkgc0{zd|B+=
zuDE8Q9wb~&WJaVzT5cp1iRuF}fqe7eH8r~V&CntzZ6VvlD>(hNu{KIF^rY<W6I<tb
zH+S%rFO*(@G;wd`Y^a1Ib>+G-52w?{nlFEQK9qn~=C$w0;uh}setv;R|GJ=7S1%X)
zTMK%nA}=oT=d~9iBf40hSA*Qii2wDpKX>+)qcjTZJ{|BH^sIs%ofGnxAvZu56)sJ+
zEkgTv@&!b3I!oO;LrC5cyKqnb{<@Hu7|Df6N((O^A265CUp9bpYJAN2+e#2>*>!CF
zb0Bgn|2uhUQg|G7o@g%!h9;?RhTMOH7C3QyjhnD;9l>~nBh@#)R~5FYOaCz;!#!3y
zjLue(0kRW7Gpuo5i+@3{Z%xG{+e<*0rT)#SSSi0<k@rq_j@Y-IIm>^8aqD`oA0V-a
zP>jQ6C{b+}2D3=10tJN<s-9&y9bg4eY5YG|(mtq5-d{jpDo)82TpFV--h&nwyYqA9
z4yuY=-}1%?Zwd8CLyS_@O+~B)>$qt5niDd4FIGxEq!Ccsq(F49h}n@HKJ5=w=xR?2
zYZpv{tO$L?m2d198%&r*7*qQ|NrOJsw-oqViFBk-;$x<v9CD*FOV|N7OTA8af_sIl
zc{9}=-X06iMV52Mg6s6NuCzXPbpq1J43p5m@TUs#Fy%{5ngjVrce1eQ0sl1J5(?&H
zX3uUrJEnrRRuq|;owde25Jkd_d!E#Xdtl69Er*gaVI+x??U84-t<k7^g%<hU8+*$c
z`|AhvLqF^}UDz<bg-pkXTE<S~T{!jHxXkafrtiz?h#~}&`=VyT^=mD>f&NC{R#49z
z=eaqoe11p>ovt7fe<LKN7AG|<^fE^3rk}-XxzXNAwG|`~DAeB_v?n5csg%z67^-|K
z1_Xzy$v^Z!A^WdmKw!1E-an?_N(%67Z)}EOFqqZ)Q&(2-gV(dOLf$JuoV&>dA}IpW
zW2G~3%g)+ru($90UiVnStf|)2Y#$BS{lL~GW<G5$OmbZV=OU~e=znVSwHI4d*NX{`
zRV@2%Ds#kH<?+c%nSuC1_lso+PO2Xj@f$(zQfQyujd-?1mqH2g5}#1K+qanN#Py3T
z%CXx;H32n(%diQme!TAtc*yz3o$qmA<7OywnIw`kcz*pOpnZLLtEn(@+;0HM>N;!F
z4;*|pqp;eXhk@rzu0fdth1Qi9dT<j+mYlieo6%73>0@w#SF6}PK-(k0Tu-Tvw?{TK
zuuGYQ9$)(Pjwv_TN#-VmESp(ERj;BvK9Xv!?%2~ue0ZOKy`{vKzXnKeO|J}Vwy9i|
zB!klc8vV&yYWf?fa;=yx8kp8StThs=u9IIsvvf=*OQ$~n@D_-=kYl{|-CjD7Yc3k>
z3oIWF<Z=A_S{l~4mYpuxCUO3*qg{VLL6AOlj#V<~LievPIcWid=S&Sbb170VdZr_h
z3Hb_Vy4Q7KLu=8gDH&J+f#A)xs>p54e^oT;#|K%1*AZLu>ekh=Q%~Q}5ddQ|B=Lt9
zC?ss#56`M35r4Of!dt+yi#55~sMSo;2{TZGRyg6vqhWT6{^p7k6u|Xc^Ej6)E@Hfs
z7C-BQK)4)@v&~>C;wuoT+a%Vwwhi<5bVQEO9kp9fxd<~7=@`h;#f|0JoGOaqDepSa
zaEMgfvpO=7<G72|qo@sbl^fCl59<3xa{R6^3s??Su=`b@*-@f5OZ2&ZRM)O?6vaf_
z^)XKp3@BVmWM*ByG&uPInPd69V*X`tpoN83f|EZNAJA1zK}cGxDYuga@#5fAZ&S4#
ziKJ^6&0+)Yd8$=kp;VIR`(_T4NpgWNtdnm<UlO^kOiCeakdatV&-ipg7rw(Rnu$NW
zHJ9qxmDUb(lS?G(2?j@}r}v(_dsFS`TBptov>C@fQ<6O2>c>h|tq-O)#QHMVymM4%
z49<0w#@7Me?2K~$bAmb><-DRyO)bPr6e&#zRq+5dxLW?T_pGs{>^W)MYTXR@&iXm{
zpBmC+#tG@}RJ37Q&<D+70WXzkA7~UKL)$vbXszOICW%98uV_)8P3_%bz)z|8$t|z;
z2Tubw^A6*1ywOcF@wdzHw?UW&+Dfd?&I5_F0{)>%S1TzZ$qF;&OsiDEbLMo`V~6M*
z&fq<yJ180erk-CE11*x>6(7O144&)rE@{nVsJNK0PZz&3FQGJ8l88YiPHR2(ut(W?
zCvhvs^%!yfu4Sk$p;A-+PSF7c75HrIq1z|!Ug57hy<l{9YTwn+_=9T?*X4%y?8)SB
z9daWktX2D?RY~WK&8O8x@zq9)GPC2Qm+MT_u*xoDf{Ticox_UTnXHckOZV7}4e=ra
z*L~ay#Nqd;@R+*3V5Q6(&6hJfS<X|egc)4T{AlfreVNb3xLLNhrQ6Qx>-?W)O0_45
z>D=r8n>CnC;>Nk{$w+*Hn0!hx=_C_%MF-}p?(SJz>X>SCs~;-mlG58Hs$jEBLk->0
z;C(|2MI>2z*uFAbKxRDH?8>po!+mH3Ae9H1G3IUb=2cS|o>OSfE!T|c#jWPBx(iCP
znr3To!wHZnTksgl_~EmC_X8fdA<m0Dkxb{^dpVdGz8r1?pA>Z~Pmy7cXJE>EP_f7n
z+Ht2<VYK6!L!bo@-Il1nGoxX1RqV=ZJK8KGJTTz&(tEkGlr~wWpwX;@`?7CXy*JrD
zsA<>>!%S2HsKn3o0$};{pWUJO0=_5Ppw_6|@nuFU1&DYYi!oM9SZAe!);wRAq&MAv
zndNpiJdoz3u06ehO4NHjcyBe<s>KoQ|C-e-UR|?yEhL*pQ*TUGG9Ps{(Z)TSRKGqp
zn(JW2v2aEm!8UDYHhYOxcmKyJ3JZobWs6kc(yTKv4s?~@p*80gMuOR5rXE+$*S#2y
z>CxL{5Wb$7SwA7Oa*Yw7L}{3Tv-tfbZKX^O)kZ@iq>tC_`{3UFc}$QTG;sY}lXV~D
zU%|2%t(-=<509yvH?cJo|Br6^Y;m8|)i&xsnB%6=D|5fT|04KVp3dG6EuL-bH#M&0
zrX;fFFmz9~5p+Cu{jscpQp0zaoL4C>6*WR<?NvU_{z#D9<(27VQr#18k5kYThRA4N
z?=OyQ*bLcV|Fv_sd%@Q>$e<NnZYXBSJa5optjVYvf9YnW3Rh#Z4WLF{?LB{rOoW42
zfTWkmSvr}kqKmMQ3q;L>x(?#|5^!>{k}!*d5>V#fSVH~kce$+e$Au0!sr{V7mzR+G
zy-2A%{C0Npqp%xpM+Ov{>i~cG1am|-O71@kXl%pHhQt7`8vJ3oOycIZ!)}Y|GOs#=
zyb4?HtG8}BHohkPF{#f`san0&=I`Cl5GpOG+D(BH6w>`ctH^_52CZ{BrCNth8(ej8
z?YVj8TdxJqhIXRexk(DrLot-Ec}(Rt$Jo81DXo~6L0w9C_2~?jix%xwn$C)S8Asi`
zyE)vZcf;eKNdrQl=v7!#RDg8e2nbvHuDb8%-@DYNa~NBQX<y)fL=6HpN5`}ciovi=
zz`yrk{R1f71c!s{xrMkpBm6&Nn@aE<pGx)*RQ>~I2tWRgX$fBetn}Sm`j5;1BLwpQ
z2v^+{{*@3C6TbfQ=YNCT!XSORl3U;5N7RyOX??o+iyGsFDQT%(RD;L63#f}Vb^e2`
zcI91~CJT`lvIF`tV;E2OlbGa}bwAVJgmBjrvL(uLyL6n%Cw3s8e4J!ys;KxV66EM~
zrZcUM@)tg6=g_+egLbBtsBLl55n8pA$4OEkxKL_}_s$aL@34krUHwKOEkZ(o(xX3+
z5x|Oi_$#XO{vUtfnda)^T|B29IcMB(of{aQ6qezf+1UZ<MqQ5A4w0ENjhh{QgPP@?
z>beQc%Uj<J+JQP4uSBO0%<EduEWS2g#X2$I%g@b;(8}YKS%Fb7{1uT=yADmFHUwl*
zq-3-|e#?Y8eY|}J3Rd$L14XD=4||UjT={1~>|#y2*JSUI>oXgVVzcd$kv@};d)(U>
zsan>;{4w``Y^ZI}<!)!(*KN8EiK2a7TWUHDiLF~c0=wl?_#xYiW?F|vYhH92`b-G`
z$thyIh;ziEA(MOM$@LiLdkIZyx%g1up{@p$al@5{Igxz#XVIiTAsQ8BH1lSfFTXu)
zdA_EIS>6Z=BxP!8p;KIQag`Rv%yNsZkzM|M?C3>iXD>XkBt85Nf%(pL7y)lrNu`Q2
zHytbX*1~nEI=Q#Y_AN{<@1qt}RZ&?JF8HqFsSMMq<Q4*PsC>GL_p*fAT;zGN$F4+j
zUl|%zW8s>HCQXjMR?yJJb(FYK7v_Z~?%wYsH*j-8=H-63IguTHpeWFKmoQ0JrpejS
zT9a1Fg)I;)T9Vj%_u7_wZ=k;`{Y0+It@%PUAnR-YCRZZEOXqT{)0fMvMP+4Z&sX4s
z#(m2Z0y}i?-e}1XfyzE|iHu6X5I<W>iRwnj&hfIQ@G96-t|~5DG|+{*U3ff?_w{hG
zVW^UHMi2A&n|8RJWkiW>u~LV?xJs$UN0ve{%=p4gBQw~VGz=mGrn1;MJWlL#OpA{@
zig!c>(qV>dzBwUR8OLS>B4xcB8%`AKhax5o2?6Km>0CmLt@Xl(xs~!M+loYVeL?%T
zH$)Zwx6^<z2FZdnvfVFWTl>N`hcL%<jz}AWO$=&;uW~C-+Ymyg&viQTK3c@bEh!8x
zwf`-<z~3IOujug?)F6JU2ddR|rWg7oW0tl`C``1}SxJBUD9!iYZw6~!A7c4=|D+f1
z9BYAbGcLWH(JEPdE>G@6a|&U2KG&R%e%yiY8?O~}OubW<MzFo}%7NM=@J@6L=Uja{
z(%Nr_M%!}*d#Sa_0X>L?c6Ta41?P_}V&u8V)UQ+^$ZVT8F7&tPgKlY-v3)?S?g(}H
zVi8G-{c|#>Tf3!JAYOXp7q(78#iA%glMt&u-QT*p`an^q2OQJ|>3l{)ENuf$bK2lT
zN%hHN0ulz{ZsaSF2|KQVgkcWJq;{_~EbjXDnRE!s68$hYstuPY*n71I@sUtNFd6sJ
zroeuAGSBM&@nmew*(YPo-Kk1ec_b!h;#s2AV`}W&3McTwf~5<|O<6ZjYBDgE<$=>p
zwcd=xRzx3mvZ*2$6)CvM$(N8D&BqYkW(4ET+OZvv!f(9O{h*nCZ&~^(Y8^?ci#2tF
zh^uWIH|LWd0Ac~8_PfyTl6GN|cK+TAt4<tbN7&^yMqGjf2^%^WYsH~~qD7fOvLxMy
z)rQS*!giTS!@EObwZ*DaSKOgYo9m%pLE+>&vRDmpm_3#P%({VRlq`u^T2yr?blLF?
zqx$(|$db#&lov#l6>O}MF-u#vJ)3F~<hs^AF4w0#g%RVh><0o+!Kks)Iac0A)`@l{
zX>xP@q51wW!u}HUImI_oJf**=R<~$`E4XbgsBXcT9^Y=e1PfRZr<JGCNro3<jC)2i
zNT~*e#W)7Wx|ik@X<m28bqfaBK`9fQea`em?~-gdM1|YI>Sd)cuq%ASie^n@)ZvH-
z{#TD*t9N^X6p1PIZMi0A<+Lj@f7QzacT#|*tgt+C10C8F9DdmSac{G!7X0zu#3=)j
ze5^w7!JMH*Pxcp-AZrY0Pz|2j8vz?xb+p;)2;WiQTU3x@F84rzGK!Tf`)2>)mj~u7
z_I+VnQ}#+Uo?vkZOeHz_1X5L83%uXL1v^ZLxj3Y|HYAAWLnBN^Z|S=;K6N=!SJ?>`
z#fiUZ`uDWdyC^M@{P9(`d>Ve}IpGFDvK8T?gYGI(3K%XpKdJrEO?)us>4@*j`z_28
zzoh-zfOHAUFoAGxi&P9p+iFpy4?8BiII#9+C7QMfL6gbJ%?z2h!@6V+w~s#d*ezJ}
z;znTwl5Er}rnV(oL4R?=<P4*<wY_FH=;9))Xov5V6>4R|S!T&6Bllxg*V1rrPts_^
z>ram}S?jRJsmqOHM}gn=agF-bL?7<=^?k~9Eib$C0%Jkijz?VHQs%oW+X5AYt(nJm
zNK;Hq#;d%vPJkTYAXp!>_-J01t)zQHhboEAwWWr5)T<DrmJqv`g{}Dy`WDWaS?Pn)
z4QCeQNh@8`?mdKl!LjZL+hm?buefTDQavXgG5)M8eH=emd_yn0Pm5t0P3hg}h%ID{
zN&ec@?t3c-+N5Y_I;AD2v=4?bqsn%yf@DceWZInai;D5_@N`NI{QBL*F)+z3PZqjz
zQ`x>vyB2$&P%y)VV$~<2@Lk`}@hkoU8ObA|+q@NCZMgZ7n_it2PYjCIXSuHg9}F!V
z*i~VX98Wi(>d1aP$=VSZXb?4}gq8Y`b0HH+(@;ex@%ESK*^JM#=YmaNI_l3Wn|IIF
z6@776qSgthClu-;+=--&HPxx@;>4JG*AtpY3mhQ}QWqg7qT$(0p?EbW$r4uFJJ4TJ
zSNSNMoZc5}SJgHn*(7rYqM2P#IAx{(&$6DAcJJE&%U&}0EPm$Z_CVQ<eE@Wjg|Czy
z=3N<%_|@4bA~T9VjjCf{rni3t<qH(90c_=^6bKo<0%*-mE8ri|mqt?k+gFjFl}l9~
zlB61Gz1Ck%w^F(z;7#>q?XAA+lf0PCm_a7CHGh8V$}Lz>9qB@Q5#A+wDcos9KcS;|
zFb}XGt7n0ObrzJcn(sWv+&~=uh-FK_kK9!UMqhP6Hv$@|{e4r<_oRF9<!Bku950dl
zgDbHQxVe9xiq<nB+Ajlc4Ul6Me*FNnoo%m3v|R1*Z|oh?0|lNT==9I@V&LKYzp?}W
zMUMWz|8v>KpA_d$w{C!t^y+^=t2G|ij439c(#2MriLHS=hTh;-N8TzkGt!0*{s_QA
zrvXp<c8;*>i>-GJvWh6IkJUf{(HJ1I@tJA@1y7IjKjoV1c>dtPblMjN3B$d3+tQ9S
zrN^hvn`E;!cROV~3m_U``zuhIW@Hv8@KuoPLJ+*pe(HN+84yOYawpjcBuEzXD_-vi
zLGLH&;!^K1Hq`LMGgwESL0z{~nFGd}{}q&+u_FQAmzo&3SlC)&FZ<20pDm4tN;g<0
zjm$aqlwD*ES$KGF88fo7Fs|DH4a_gf46{eyGA6Q98l2pA$L>9=6>PaA0hw`jLUhbL
zhJ7h|cx#8#ShjV3cn$hC?E<iGhbt|+D*{taN$`(fc>U+E(6`bsXCyJf?ahd{MX$8s
zjz+WsFzK~{ciRRyQQXt!0;Wb)cUFzHxArxq&yzY&`m1v?H`JAV4L#8k3LFQ$MAFs%
zrN1n_3-c=vxg$+p40$MTegI%*4*t^yP*}Zt$5sC;!2Vs<tdbNR;GSddpb`LZM=blM
zR={6=zk3=iR=9}B%$3Oqiz?5a@;w_cj8@c}&9_AoWy-Ivg4EoWYi};9*RLiDjR+9D
zTNea7p+EcRK#?wLmKJ!+w7)@fZw@GCBUuEn2-%=yMPyJM=}o(&&-{{H6>=-YIF{6f
zVTF?P^6E}fpd`<FhPyKIlv~x(e3V7`QLN=4bt^j5<nKI`JJyJFF>m_Ll(g8-7`mb8
zfL>4_?<_T;x6n;nz_gFN)w&B`(Z88gWyU{0P3S<?mbmJ>wxddMHoIDxp?0us?~)kY
zBEr?6#E~(g{epB)ER)%nY+@f&9KG4HZi0QE@X#xe0((lsyd`aV%`Bk8*#Yg_NmZGX
z?ZR;Y7={?9rtCT9L9Wuh#!n$t14hd=?@0q<EzPK-qL5w;X7>bNR(SrrTDkifXxIp3
zh|BKFy)9jc&O{j$JK_tl5$!_pey_hZH;fc-cs<GX7_EfeKkK(VE|{uhvWwSTVXwHp
ze#6A~yLV;AXXaCeFuR_PoRYm5HI3&~x>TT7zA&=ONo`BaqSk!fv3auU4H9vJ5jn4G
zTfTeQDxz<<wg%d!%h%uBn18m<y_0|9N}VTK%Qk_A=&iJBu3?Va@XkytjL-R?7)7m(
zmt!eKN>$S_?|6cBu3LuZ_t)w+xWY_6PD#B}@Ix-39S9|-@Sx{6mBD5ER%u70_)TuL
z6}EdL;>~&K)4UXO<a25OG#01$S7M|#RP8uHE0RE5;98HLM6L??3{1+AKdq7utoI(S
z0_9{2Qg6Nl=G4cTFG&??&NqT2EtZkOnC{Ue`_a*JJI^aj3|yqgF`Qt*hrXK=SFKRj
zYl1iZ@n1`Mvp7l^$B*cZZ7*@NMTt=_yumQ_r2AGL%q!mM5Ly?mrz)^+%H$Tr;Wka$
zXk0R}aB2C8t4(vI3ywdYS)}`XD7rVffHs9;@b&q*eIrYlTr}|MLdXD&+{=4S;|)x^
zU3)Ztmx?+~Kt3N;JPfJKfAnZveGn9I84svh@P001=e{iJaH<?An-fm-r<G7@PM`!i
z^(47QlhZIsZ1Q$LQvo*^?Mi(&!RxYO@VMNW%RL^Smr=EG&JF^&rHRSin={Jix^Esf
z1F`?jmWd1>#Ot|KF4ekhcta2>#U*Awg^_4+st8Fi$}8-#tLH?<G2APvc;7OlhX}U(
z<VQOyQH7sW$`JXCo&BtJ;W|r8OpUC!QEb)rHbSW{EyHyjt?X_d?<!Mlz9`u1Y94P=
z80^YA&;UGu(@1cFEpFH>xM_hh5R*R4v+lC`_5wCXshN-({-DO|yafFgv=?N@pqJ14
zgME$VtgjV$BD)XTZbKy82>lBD*hMY?H=3TGHhdvsu+54)>y4W>A2bW-kITQ97jNkB
zW}134XD5&^1RbPU$$aEiUmEk#-s=pUx*T@|QOSqKL5KSDhHoVU<P&$6+ImOuf*&Bu
zM*Ut=^>?Xj{8UOeF`pk=z{n?qE;=yNhS4d0L21@c3z~JYJ-*j-1r`e%+DDAdX&QQt
zi3jWC3bmB^8FW|?8qg&(LD;pL1L%O)F(C@b{0ymy+zpQ!bqrX0;hnd71Rj%hv(kI3
zb-V6_0t+%>-VT%tdh1{sQ24z0(&@S%(8DGZ06nnRhQvf5^*10J#Z9dO1d|_+By|z(
zi}T($Fut*y?+)`u?}l5<6<TZcd1;}8D%~F3#_vyMZ}yY>SnYEAbg?UTT&;B}ZN@$B
zOgs}$<7{qiwjW$YdPPLYl_*pUbrY}kp&bhy&ok3n5nCi8!6X&8qPG|DL;f*>A9~R?
zQw_Tjn_HK&hKhJfYHnZ~9+Lzhst#;I<XifNKK3V1gXLQAZndt@TTm`Uh~hFwoL{qx
zF;RuYSa~cv`?W7{PSN{HC4$IBLQf|3X023v^El#qJ4N+0<BEBh5x^$~ukZXzh)*oL
zC&o6MX!nbw07y!^^sR3BQVJv5VL3@vOwc)z#^!HOMx$09(lnxs^6-*-bXP8*Q|Q-Y
zyY_E^#P2%3si=zmWK^6p=o;TUvT%wt>DN*!_`frAQ;2#9kYGwKajbB?BPch^qhptf
zz5;x{ha~LbM$kjB94}aH6%lsriT3L1v)cXO^ys2!IuB3-QcHGSSXOFx;Lex;#HFdb
z`gj=p(C-Qj7L1MJFAwEAWlXOzysGxRB17+kwGgw2RJ-pyvKibUw|%gV4w<&vC+I)%
zil^q8?|pcI0f?iGMe@=R^}m*?ed4h@&m7NXN}U(WYR$h`IbF=}EICfDaB2uF)m%pc
z6=V!^3GudL2znoptcD4SkxT~7ZP9@$<@+L6BR-3Qw!ft8T{U3&6Rf|f`NOPH+wvcK
zb4$fP_NMrM?ad;bM^SO2{9$-&K!N``SN^w|9fL|WCbl>+E&F-lux$J(G}iPt5T^wH
z2Wy%3BT75)FKPYz2mdPy`2W)S8>khlURjhzT+^JDLs|sSb}ra4oR{lhhnHK$t?(J3
z1=V|hl<3p(1PN@CJxQHTH;yW9|KwGi75)uG45!j{t5tur5vm3X?|&=_Mpx!gM)*fx
zmjzg(rAX{DY5U3~9Fx0P9D{kYC=Xjs|5`&@iu@D@)N74wAT{HLPdY%2u@hv}X??Y;
z`W|1@Nb0zCqpA?&Ugi*9VRkf;E2Ut5_O4y8=b5v5>PqeBFH@bV+aHb`FWShrxB!h6
zE<pa@nzyP;ZA`-6)&6B!1A(4c`QR7#N!UT9r8}Q8vAoRA!D;+bTl03(Vy~~WCRCRx
z0V7NDPUJM+e`CCUb3(q?mA3}rId(S&3&@PE^{NdsL+)9x5T<a~3bA~Ua-c1M&o9#$
zYaujeGn6ThwcXk9)ydQ7Xi$^$u)2QJU55AIt@w=nYiob<4}oc+2#|U#Y=wog2=2`k
zEE_NKd#iA=a?k?ePgCNZ8x{)Lo>_?xREwS-c2~(mHAHDwamU>EMN5{1B<_)uXV@^x
z)%7NZ$PzLQ;+3(x@qt&u8&qqS7Wdt;h#9Uie-W;9o=k1BdAkx$$6@6}PN#bmb6@>F
zx=jX(!#&Je2;SpDuQ)dP-i|jP-#{E4pNsftr!_q*xmL~iN2n7T0P6X?Z}@PMv^&~)
zHf%aLXHhvuK#C--gf@KbKcW<~F$9m_J~DFa6!fmfddtyq$%`^0V^Qam@>p*yH`PM$
z8ybXOIL-B7e6k+1f3aEcn~pm)*)L<^H{$<ds5g8an|tPnn*8%(D?jem1m~dkXf=Ok
zV%>m7V^K7e|ITO1sR;=rhYvTO>I|U0nl2yZvCF>TE@!juD5F<K->LKmzG9D7(3)2p
zDPrHdp?uxMe(@HeQb11B<Q_rsa|Wl)5mQ5tA`oomr%X(}yfoc+)I1W$y)Z2!2L-7@
zts!;&Td%;6us&Sk_C^h@IyjIK8NCiG+k<+uLnC}i$<j1wKy@wBx95b_*5pS-Z*6q}
z;4y5)JU{c^5oby1Nah6CIqU|rzqtIsS1d$#7*lp`O#PsS^hnbwj>R@z*r8@@r<#{u
z;i&NuvQlxe#YSAa2S^1G?rE?q)`zV0xG$Lr;Mn0WsCC$3XWaK!?A$Pn2I5gQ``4Ld
zIYnqPW#T!GTWv#M%$LiJZOVdN(IU3!rOq>F`HR5sc4Dti^5Z)0cI>HYe`&B+BO~pY
z$#WJwB@E5X+^HOsvMdvf{aZt{I-}lOe=2ygX?CBiaWXEU`L+hh!D4{+(_Idc0r8T>
zBUqLRk#i$?sd#XjkDU(#1Gz>)bteCVo+{)g^05DT(cP$~%ysX};o5f-vy@&J)jeHP
zSY}Wlaa7ql^g*;qN<-GFaJJeBr5k=IwO-kFP(kk8s6?xDzaKC{M)ta_ND`6xV0xp*
zXle7Zx0{b+Of^Q~qsXAVM;YQxKWRPR=P#Tj+=^T{mhFr?xg-!r&i4WFpMmq~lBZMm
zWW1_fEq`^-^=9*B@_mzP-EFI%sJ^~F?$20Lt>H$0zm2RUAC(x*rYX4=ts0o(?~~4P
z@;5Ir?>cmNr~S>{x8AO-p~FlsK;7px7H&7ibgF+&wwXK@6n%|jv0Yc{RRs`MTu3Gg
z6E3!vxYL!AiE+^%z7wn&loJ*ct<vRn>?fU0TBL|6=@N=BUNd@HI>wmQVcm@fH7|zk
z+a`ALOq<Db@qW>a``^J4-9hZ2(-vDgA<w!OnMs{K$#@#ugC-rVs(m+=-M!$~BUP8v
z*&L6`i}WFAH+zD$5z_7nxWA<3T%<wpqBhAOoU|+)2Q>FW+$U5ZXWGc{8&~GVF4ghX
zRzCX;l`c){yvC@x_Z1yQ`lGhTog(_L0x49dc`XGyGfz#ueBIWJj}h2D8Ow-t#S>u)
zsAj3<m(vyNhQR`nqVDe8cqzPp8U+T#I3Vu?{O~Z%yBI+^H>!usK__3Hp54|``sH6Y
zmh_JsYm;mBpvG#a9u&O8`_<)jA){N0ZCt1vUHsKxk`+q9jB+v8_YfXg&bWnrZ=^F+
zpRd!oz%jFXR5nt0nX_YyHotHiCUzG{%>dyM3b-P$OZ`gQu*1`prij7BBkQo(Z}M0|
zLMn;@ze<5U9$r;wHIN<|>bB<^YUz5hX|1%QV}BjmQ$+Ssfaipw3zNJpXtuY!Rb?)<
z52ZHxhFcti!cNBG$zk3++ovNm11k$u`hp;EIQf=wAmV)kOgZMNfWlgC0egc`&x(0f
zSbu5sQq?-gW^IfqpVb*yZtG2q0n4)QyO~&-k6}iz-)Y~DkA@Z<8a)+@aqnZ;Gz(DK
zl53I8<WQ#j^C(K+;i>kQn9s#jROo}T@|r1=r-{Eo7f8<&E0l(H7=DusP^l`!(+#-b
zk5i?_q446fqTXAoBc26npQ-&*`n{coA>tgl@6AOPW&Ep6$w@sA<<yO~*#!-AjBS12
z46cIO?v48?Sf?>TiZ6&yM0mdi$@KjZT{SreigJlvJ&#eu(d12C0nb?nAjB@!&xN=x
z0(-la04foM!A!0TVKg(@^JIHhe(tGZXVy-XZ>=Y;%={N7b(o^CLw_`7NGdGHPY}q@
zW^cFxN=i_Yi9x#0dh;4O2q!7){dPJo=Qhtx6=LYcmjdyQX&e(b3})$pd&yq`{N+b^
z&b-)Gr?}_Tm4t<a@kCe3q)eoa3eHZ(oY3cJ{)OY{KAIw^`->a36RD8hCq-~KM8?}(
z;@|AU4F`>MZ>D7fQ%X%rtXllK)v+?EUg1HRp9=!@ygNbv@Y)=LPXU6M=li=i<c{%9
zzuQ=mMVX4*#uvQ_&?nUlF8A1_x)Ms8s_c~yD0oNvLL%Ey++vr*dSq0~Y0raCWaubn
zK#w1P`5DE;7n{zdItud3V<xyKU9%|19csL+d1Uu?FS&$;hGjE-`bJGqtHAZIEqRgV
z(T_$bIVM5oSsfXi%G)n7Iz?+sDiU$Hm}s~x)KD3WBT!0W8r>U9ZE?P5X?}D<SNmfa
z=P7js^uZ$mB#pc&gOpEt90&6TL5XVRfC?%28g|&U#WDD0Ht;C*R{>xxPGhSw1&@FV
zKg1Q>wdAf`fn0u|N+&AKj&@Nfhu##PF;Ofn*lSXRNZs<p_w0K+b#yA1@0;Int&jcr
zenPyE_Ga24)vBQb<j{u~#~XY-sN^QRdw<qc_U45@d7{H}RbGK5<a-|N&S5FNyGgFJ
zU>{8q#xKd++P%j;o;`Eh0*U@RFLch;g>$IHGSpX*x}ykWWJ5y10b$#l{sx}@nHFaf
zPdy<PS}Z+h9VcfjesR}8PuAIYM37kVpr^Wd8Kr$(0AFo>=+)&EbGTaZU8jHXq7+l$
z93CwR-s|eXj{N2Po&$Fb<93|9Prsi`7wfU;O^WKNqk(i5<FDAw;&eaQ=R<Lh)K}|5
z+P&IJZEZQa#b}6T8JEIt@qJM5rVn)N2<^`sVgt&C8Ox~+f1>WnxeJMAul^-?f;58_
zI;6MvUU*e5<ge8Pf{CUWP0@jx2Okwr9hDBhp=!V$qP8>^oVl^3`lL0U=w5?&835JT
zXzRYT`IK$a(_xj=@J5FCXX}awQEt59)OC|UNzITRPjOQ}q~gl!;>1nNr<f;8=U#Rz
zcSt-pIp4Z$Kxmb4W+IJ(CRI0K5M{IFg0cX}<;&8NU-UV~PPS`rcpq~lU683I40XTS
z{mW|r<Sl{optiM~{4UC2`sliWw9P=3&UEV<vs{BF-NX$`X4VO7N*l7j7MSVn49v|m
z&&za=p-7TlPIpQ7k83RE8-5#Mx>8XZdMYai-%L8!sfy%F9T0d0<IXW!CTcbdwh7z#
z{)1ySUgJY<V})G(c{F1o>fp^{wER+$V}cuStr`1=IBeW{%8`nxKF=!Mv%>TTS)i*0
zUViXpO@w5EJ~v|h4HSdE(n*;+hsSIyTB&ycBr}UtgQFWOES{8Dbl}0xlw2}n-LXzP
zSfity+*F6P^(f0Ro*5Rpo}0ts{A4Yc4faTrN$ugUNoMFG4Awehnt^P!tn0v#w0w5g
zhd(7Y8zNO%Gt<=NYZ%jnj6P#ebn(HGcmj3d9X&i%b|hB5#*DFp<6VgT#&fiQXe68?
zwm7b@u|jtHBnABjiKc&hj&_f=Ey>NNX1HWirLQ~LU{4F<K<yy#EbNi}*Y8kC35!iO
z8gRy~QCwxI9R0H+vc_R(-}sO(YxHK9vi9WVxn118+7K~+ZC9<MWU*y;$dyG^g;>Y(
zl+$j&={)_`_P-=Kk}h<#9`QCdetDyda!gSp8I+>$Baqd4-RPNY6+5e8RW^&mr<H$X
z9-bawrc5lbc`q?vm@=u#I46q=i=CPMYj*8wFl4aj{A6;vT%XUO?Fp8B9H&=ZJ~Cn*
z!l`ikVX^~;=T2xEKn5X(ziFKm_GuC%YY4mc>LEz{aL0IGtsK9b8r)_waTlI$U6Cc8
zHB2k7vYO(t`znmILsmUZ)*K%H)Aak()Kq@W^LIX(;JeN0;qdF1ewwh*&*!iE@nz`O
zP~Q7-PC!5SFV*q?@_B^K@i_4R>p#Eszc}-`_14+{0UO>7Y8(Fm8``<Ve6ttRT0gM{
zhIKb-7>I0Fmgiah0VHcbefk8FvK6R~z%y3t!c)`Rfy8Z7kdRAL+>@*kjf%d=(r-A7
zLILIs2E#Br+RnckWMtn9$TjlgIg#%6>Vi~L<C>3z(txRZIX2Gm8Mpg<wTkpNesPQW
zE^kZAv2?UdL@b2!_bDis=r^Wo9-u839AVmIsjI49C6w5sa$~}@CY!;azXVzM!ode?
zVNG=jtO`~2*Xun$DK~>2Fv$>ptz}id6+q2CES^3YrhnjxuShOPM!5I>M3Hh$!s+Z&
zI5lWWO3d4u&hGqJR3RgwD9s#>W2%Ul%0h{hp!G7j4(R4X5GPge=O?tMm54|0XydHG
z?o-^M56*(Nv-+ipm@jEqS<r<4afS$-XFu|aVcT10K&;rmSX5IQ@z52-`8~{{y#KhH
z4ZBkdb<3=0YA|K}6*%1A-|m6jX!oIR{Llf0{X%3xRlJAE0^?KQjqfWn^Wm=x>IX1k
zCRLcwq6)G$g}6laS(NC&Q084j#p|z>A!1%^>&DVvR?JzGBkM)Hd1sFu-@16-b(YnE
z$tD$0*gEPM0j2`R?>F=udq+JS7OEjt!K@F!QwwrpQ&<-n9aq}>w==mq`pK7qCKf1y
zo7B-&1G>G3&|L{7&#8W%C>4=+N&V6GaVe9S3bLjTl{@suHAUxhEfakG7Y%0mctMY&
zNq&;gu4ctF3(97uC~yd8e?%xkls$p|Iq7513K=ES+l#-?8FGePR+jNnq3c4Vj)XZi
zXh5vs(+n<<r+3WSM)<Pg`gvjmX##0>xD9GodEWI1N-jX?4)j<pG?gpjCmc^T_zh(_
zpiizXN_j6O+U{H;XTkSH`0^>!N{x$%Jx5V@dR@9Gt6!#3$44El%so+WY<rKX7B?ug
zliL;T+XEIC!k-VttPdGN6D<5rqRsp!NJKPE&!%S(!w2mi@cFgR|FLNdS{=hb(!4aK
zMS)3Uyi@eWUQ2lJR^12o+3S+7?b$}ktoOVE*@w!*ZlynIYtqkhG~X(ESmxVs*9D!u
zR!*0dEjwaq1xE5Y8$LE3EM*P8d!*f5q&w*$m(d=_^gwSSACca=p1OQ+X}e!?8B|Jb
zvO^5d>B5G2SN=v{b@eXXsBxu^-LNUwml1y<8)>`bgqxwh(=W@p0yA&L><#7@!*~SC
zd8^)Vrj6s33a}(Sf`1%I16O1%LFrF(bQ?VIBc+YogMSX}=%bR)>W>{<+wYa~eAoK6
z`%-Kb(-)h_&Gd-tR$E2Ss{}t5%{w8xq3e+D(5eAH^WYuwZA)DZZCRkIptYsyu@1Jo
zuHg$*i38e~m>W=TO-y1FjyGgAM9WhT`zuLKyGc_KumrbGy%N0X_n{xem==*!1%Cd!
z<Jg!}Z`xxBCsLdz5`iU{;mE-)dA7wLczGwF(Y_aqeaO)HU)R?rk^He0nd(DVT5jGs
z2yMpz>TE=MO2Qf|#HRYNYxUxO)??E519cBll2?F`_2+P_JcTS-dfw%h?WdZ{n;TUS
z{#y|Fm+>sL)29^smO3}ncG9@-R<A%?`b)NJ*qaZkTM6iL3D+89P;ckL-{@9LC1j(L
zc2Sq>q-Ga&(o4&wy`{*a>w#nN${~`zBh2kLD3jBma&`E78Rem${Os?yEMT2H$R0X3
zWTq(+9NhbVwfE#vO<!FGTB<cHR$5%xw2CVPEGml-)Yh?z0+otv0VxK`CVSXJ+=z-w
zT_EgfU7)NHL)ZyH6wm-c5MmNSf-xY3ge7cANHV`)T)xhHGw1Zo`DXr_b2x|m-g4i4
zcX{u=`|f*B&1Y2>^I*27zA*%9Tz8naM~!tVMA4{;N!h;dtOZ1Sc*-lS1|egtNV#P_
zH|aEmm4t0P>r-DNA+M?UZO_VzlpiNP>k4D87w+0AN=NDcP>lFY_AWbN53hJZhML=f
zbBJmY3*O0oerNqt>Yrq}%e+tr;P_u=P2he75!>9Tft{>XO&)AfmJt9qjC|+2#G$oJ
zUt>fM>-esf7@aa*>&%0`mZqz|sIVRi!=9~oAsCR22=i8#Yc(;{-$P&eq-oWq4Sv7$
zn`N-04b9d%6r010Yv>Y`9kwKFcbV*JY#e?mmGV~sTMT7~SoGX;&023s;rJec2YrsL
zrP*)$I*94V-zPjS`=LqBBmY|K6*Ks(BCfe$sA0altp<4DGVJ*ddeGV4+(FLd#aY{a
zhZ4gXIHD%*OwIxj1Ox2GeHuQ1Md7cVNdmW*(%e9;<o(WbZoEz<azn-TcP79SbK8F=
zw)z-;E-k&V+1RCIPsZ0y{PwSqD+j(rupbXT3_H$iEFEPh&@Oo~=G}2UtQEn2UPFlw
z4pb(D2VJNgOcKn>Cs_i{+LsHAt?sADCs6qdQrNYJtaBT#O;q>6Sn!k<ZO__Y14Gus
z@~_K&v2OaN!5L>lwG`|NFe*R=JBT(O2n)ZzRg*6CmswVvwz4qC>Qq+@DN(&(DA%OX
z$9d}e{}|N|<N=lg;9qT#bRV86T9LaAWgPFip{6YH0A8E?$&3MuK@ME`I1l_^`OE)B
zF}wdmZ~e#C|4zuSXLIlIvVMZwUqXIK47*5gFg%0*46rv?Gr;-cx;o&U5IW&>nc&UD
zENIcdIQ{f=B(WQ(y6XmEi*^bmBlThFWdafT=bFH(a-Z%%l6MRfahjyyHwe!#@^-R3
zNk=o~YpNx8tLc9*R$#$5DRxJ(<4E9w7{dA(&hjY+c+KqxpUwn+J3_eh-2Ci?%-Ixm
z?)`5rlWy6lpV40mwhqKfR*TlDpV_s_{aMu)6l9}!5-vSJUmEtfqJC8Os9JIpN6Q1o
zlpU)s=!2iqc&f4stk<ai0rCTcg~{k|F3*QJnBE(S^mPaPFhf8Z)R?&j;_S~VR!icb
z>=z)`%#8N((>FO-VbemD3SIyAj#5ev5KnCCH}$>1&rO#(Y+mT21dNNi#5bo8ab}gD
z9R$w1kGzJEG<TG3Gi03)wp@O4sZ6*y*oJF_Vq%wz41<PxlC4%^`tRKDUiRGd3oU8G
zXmDz5k>E=V6}bLA%&VG>G_K@C%iWxLqe9lWj38Geva%N>WTLI_jV2g^Mn)DbmhwAg
z>4#D9ln3~GsDzRNwy;8WTXerbxHfe2t@iK*Kk5{?n*0#S3juKc0b=SreT*VdjuKRH
zys{aj&l)4gE9I$5`U)U?8SDR9JBku`VK_M7t#|waDF80kp!}50`Z7|Ud@<;5!C=NV
z0>M+jDaRUHtwNu&30n=D*ds*cD$0BS_esOmD0qNeNZ%VbSVA-`bD_iTYX|er^oQ&2
zZt4;(-;>O(H-zA*Q(x4e5-Q{tmgL90L^KE3oQ7zBGT6Y_fhp<49(dOPw^ku*9ROYv
zeFh-rx}tXL>)DY|SoyqPwhrC1)oW|lByc<U_Z1tjh&Scq2|8QM_J_e%ULQR5`ao4^
z;MOgZS{U|plzW-IkpFMM3tJXptosVR5xeewGCCQE72){qfQS~9y~%bAH~)6p{E@Qo
z6Z$gdt&m35)*WT{r%^NpIM)z{w3B$XNC#*;rCzOYJHQyo-@bjW&32Qo#f@pdA>dBm
z=B|yazaawW<znD-*U8el%3x1@SYor<qr7(QbS9$4Dj2(-R*B7;%c;apwRp=eE!3xQ
z&go`)1xS3>-)lc#j?cjPa+a&ncvo~n2||#79JDvvZ>(6=GNlGk2>WT`{4l?tns(KA
z_7h|%r$+kXSHO9Zeu3fir)P8J_wYqeiAAMmS0Z49aP_b#VFV2u!LDgf)ph$p%|~~s
zC@8A61bNXb91w3^_f=Y<_l0)_STeA`KR*?Erx2M%*!DRkt6Y{n6D`OIi9@mG=B{2_
zFa~hox_q*Zz&N7II;dC!hjU+xP)`6S^~I|f80Y?EYD+F@nP=)KLow^kIs}(ct$W~?
zsHDA~PQEKk#D=UM@72~oz&_OVRHgYzhyel1-ul&koe^1icn)9Cyn-U+LycEi@nSmW
z1^t0{B7vS`5Fal`hy<oH{ObzkO+xC0+C(#F1rW^1YLV<B>@{7Of&wJCdf||RsX?)(
zG_*6T(7+IQ_&|L9(4iKC{mx%?7aMe3E(vn)-<LzsQup#J_bRF*d%hwF>wIj4-f9t~
zbEt;LcrRg$Jgjh7SWZk@Rg;ekDZ>|sFZO;Xmz5G|-+t%YV*Yk%-qbe_nMsH(I3WWb
zvKd>F0LIr}nDdV?%e^!>_Z#Hz`qwx2AJa-H*t4)rGw!}0G6Gdqxz!>h?Wox`<a&#S
zjg{K^Eb;ZMO`HDEkx#6Cm6kQ|9dhVb_&s(_X-a^yw9UnA?c_t3-RKtcE>oP~(5bIZ
z_+x>acpeGzO6{F&GA5d-Wk|-_f^FWho<X=EUv{k&?IA(;NfyldzbJRxgSUwtBzmHQ
zoqGfM*5vTKS=k-cc>5Re?u5kSJ}ku7eYk!C++XHewbXAPo;#3u^1t>I0NwuYCRn9X
z$ZieZ%=iW~lCY-5SqH7xpErEgGJLhA?#iv_p9iDTawwlS9qnw$VVLxu|9n=xxf5D_
z&+B2CZEWno&Uz%flEqo!V4ro&gwglykt5*QW?Mfs(39Z~-pm&BL>+WLK7s&ojPEXK
zfXmr4U~cc1&@;eq3Yh!5t{w&WjRA8HY%^8uw1K%8Clv^YDz`ud0;0<O{|3NO=6{<+
zm;qBv2+r~LmZP_eRAk4TGQ*@U^-lo_TgHFMBzBNW?X#TC3g{{pyR(67%0;f%!teeF
zRFOUowt+T14ZWivfvgAkrcWN<3{)&Zm<684Wry{(d|-M+n^g)3kyOSvonAvcA$<?-
zU834Dy+zTSm;fsv@blmx8q9$xJ?mIbaX`-FWVlLxerIV!B(}ZH3n!QO;2g(7Bt;oO
zxd$jxzJ?P!E*IJ3p*|+|00j|(fMLY5bai(CP+yg2k9x6aKh4q+N0B6}5IGPB<<>2e
zAXz~DnDQ(lr9^hqvir741RSrD+TH>6I&Vc$a0kCn;`x`ZxGo}k_7-P-0&^P5#iOO-
zR(%r^FKRs5j5Bu&fcUCX1rauuyGQWqCYApYCo_yIe@z|g_&@bAvdD(CeBxs{Hc&3|
zOYcTFu7?h+nE`4Y6$13lZ<vbCYAN|h3#vxMPV@62^nb!IrDxVElNPAb%9uuoQ$b?e
zmj6uDG1FAnkEEbOxvmezq~!i1Ktm@R0b-f&W<5wXd#{<?v~VfN;^5O%53Wf--W=hB
zS`SVC1GT@wddh?z1psq9rsM^K=Q&_REzasm3RYXjPNlwH=8uQBZQKra^tRNrThSsH
zWeD6MDq*}C2Nar8F2{-4Q!U1D4bu;$%u<yzwA2&@lw0_4${DN)`zfsG*uc$G4#WUq
z(j6dS%Qz7MQ7(&Vjkju?$7N+H9I)5}Tv@S4zxNIhPAO7t=*mF^m|Th1cm&odSp<Z4
z_n%<fee*<>fNYsB)QH&pMJ!mO0sX!k4~B`5b5DPVfoXJ_O3rS-O46g;Sog{VNE?@W
zyhlHgre62e#Rd>E!U1{)EPisT0+9B((ST^#^tr`>`Q-RSVtsuAF+n=*7x!F}r8$ui
zXO)-NXe_|BNKxVixl-GlV4&R5oT?OzDh9eo2jqkS0oY1KtzTMQ2`&J$IF&jy6sDAk
zBH>BZ+wBJ(yG$I{Qi6u_<;REZgq8K>Bj~~e(L*S=ZA>EQma}jvPMqOXM1hw%V=1M1
z*pAFi0eRfFfe1mTg_vPD4rKVc0P&$3gV$od<8b!+p2mpPwJKteuLna1%_G&8N7@>@
z+k~jmRgR32$5uLdajf+gzRJ;YiTF%Rg+|0OV<4d0G46)ObbW!Pm5Q9XAoMZ-I=V68
z6f7|g*Ss@rkXhC7SOxg!05v=5w8$?yDY`Ks{xp8E!5!i|lJH(fAE08JA?U@3#;d8L
zrKm}Z(5Z}^wB^X>UM*qu5LgCc_TMP?G$N1^Tg{ho4%(k3FGth(C*$hS%Iu<N)627A
ze48h+<7l4$6(FEd-yG=bZ8-jgiC?hi*EgdN7Or@sZe}hu>TmILTj%h=6TfLT{}!Q4
zzHcHF#ppgTW6&lSg|{p_Z@_y)QsbFTj6&i*`VH#HblnrpgwUF<o88%b^>{nlj7H2{
z5R^L}Sfe~J!xP!Cy0cc$T&sEu99GQJ55wWcc{gnq8f+J&R634uC*HU?fId5)?Q2;~
zJ_5>xr#~Bp!TupZE$bqV8olAotmv?_zcgZR8lUcr>Cl*Njb#yxVbu^Pt<S>T`$k)v
z8>ZQYR+`U8_VKw0nHD!vqCX6IUC4v8o!6y_Eqsl30Z@bFnT}6hRb%oLi^{srJiW+-
zs<q)>ip%$cMrvh=NpgfWyvI^TpswFK)Uh-_w{F-0-53w|_%38rN0&a@%?yX=hy&c;
zXxHMqbA!?}qj?KU*ca;YO&oq|*hD>)J3H3wd$S#%;Qr^}IV<nf)9@qD1i!?QnN1$#
z%2}jrEPgRtJL^S<$iH<mH{<G<UA&O(%uy+41qrs6(xEs@w}_cao1V!=UW~Qj8pAL+
zop+4BgZA1lc?ayY31TJO;FrL$bzh7vjdm{NXSR}2GWlvlj=^h$9%tom03)kK03%Di
zUp%AEF1x_^CrQy-9hd9B)eF2Em5`r4W*V3q?fG5ER$jRk?CUY=aDS@0ZO_%>n=~jl
z>S)tb8z^@!<#;!qz<f+vu!IFt-SdCyr_1=E!l6w1z~nxb7?;lY*{0ELEhUq&*Vq?b
zP}=MU>Rym=z8<0tWp39V;ct8FnDAr9_ffHG1~>OFusZjquceH1XEO4>^^2&`8cD$5
zjg&|9C~Z~P@JE1CMHHw=qm3XzDI7$EedPvA3c)=y8H$%%n;$3sxZMahdizBzkB@b1
zXQ;<7uIm%N@%QTM(}>vDlgg4Y<yoSt%jdk;We5Y>M`n5H>=|=cHhM1GzsCbY3v7@?
zyXSq09gAI%zb)du5xe+Ukzr)GyP}<C=uO6-%An=XB$b$9#yDfkkC$VcIODPIzM(4h
z+#rZk^Y#!KnPS@T@2<^q3uy@LC6Y$8Lbo5MPzE34tHrH5*H)Y(rt=TQ8N6z9@iDzZ
z<%K}s4&C153637p#yRyRfAOIPg1_-ev$4$hyo(*RO0Hm*&juuA3oJ4O%AIkxaweY1
zx96qOk3+d)_|N%vaccS3#Qc{U5&VQs{<9#o;dMg#FKSJ4>A(UhVkxhQsz>3^mn=0u
z?WjA8>h`7g?1vAxb?gLHCS;N-*X_+TIp+q$;!H8b4705J(Rvh~i!3qvv}P%f(%fvP
zNg<tIc&onDIc@I~mv{x7@v9Xu5}-!V;mzsQQ9oIG>jm6pemDC{^JLOwN8+G*{1PQR
zMa|o5B~6dgr~~Z~-1k$<SA0Gfk;m&8XnLz|P0Q=h6Yy=QW3h>d>jYezzfNH9Qg$%m
zkEr1rgk}?BNP_G!GsIQJV0Rppdv^Kj`8h8NzqbH8$GEpR?q~2WU1Mq~NEE?}NRdui
z|2{S%zYE~qU(BRh9c=%jzR6DeMFPcsDJErir_RM_yMQE-O!!;V*$>zUJ3e9Ft86lb
zjVyFb24pjYHPJsxr4c)7^Fpp2_VHHS5Wk4Yt6d~4TK3k9pO<(<yFb;lWLxM0Iz1Ke
z+&aD8Cc+`asOxS&JqVuinvF)W{06<rpQA<Ub;)RWO-u%@ZQ5H%hT#|ev?~BZ>SW7o
ze#iRicuf-BB>_*A{n@0g?HiIw0FL4hptZqnR=2ygK#UYWxSE=#PzBUYi5t42`wtj}
zC&?Ze_Oxwl2!wLk#np>r?vIvF^mszXTK8)<)JJv}nnxG=*^&%>jQdyX;~E>q4+Xoz
zOWy{E_dI2FPyx7GDjFSuL6MiHQ|Kf<Y`4{Xv0YF@Jhr689g$iSLme}A!O62jV_jRf
zt)<A6NqCo;)ZKU2k|Z=ZEu7dq86?%>nx;Oo#*I<yAWpN9jtYZ0K;z>%C5-6Avokh$
zGgrTZUUo;~GR9wzOJ`%NQhRDF-_32v#XG=@M)ncu&uiYqqD1QPb)ib;dSk(IVDyqD
zIOsgsTQi|Com=q1KtL1~26U5pGD$jm;5>R8h64<S5B84S6vGNsQ<*L1d4DGv99@n!
z2mU?FWH_)HB5GzXnt_!P>w}4m+_IDm5QhimjWpEzcEQgrM{UjD+aK@0Cbs-bz8(<B
n(r$Bo5dQnWKBf#QPK|PeSFH;PSOZw%kfVp4eyBWj=EA=Nx`><~

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/WinDbgLaunchExecutable.png b/docs/GettingStartedDocs/images/WinDbgLaunchExecutable.png
new file mode 100644
index 0000000000000000000000000000000000000000..a2dfe626c4f504c9c97a2a72a866ec579fa7b471
GIT binary patch
literal 70115
zcmce;1yq#nyFRK&Nk~bIl!An$fG{8eN{FJAO32Vi$52Cu(kUv^4N7;+kb|^z=K#YH
z5<}-m{zuT?_WSl;XYK!5=bU#f7WuqS+;!d8eLn=ND9Mu&-5|Pj=@RMFC$cXtUBX3P
zx`ZQ1h>!hASXO>2_S0pD7xL1V3VRrqvESgDK2m&i=~77q@v#9O_WP^0PhLA*x<u*t
z>*MmY3A4+kOJ`r7%07DKqPsd}=}4`X&VN|fR>`~`xU=OY%G~o^|AVz&Kn=fQja>?9
zjf9&cv)Gue6MAI2+!_WQb3&8{MPMxML3z0*%v7u%mQ&-hJ)nH@_Vz<c$|p~5-kNV=
zeYY8a`>FU+zk2^!ftY1?g-N&YD62t%8h7X!!yHh*AU9svawIJ6v?uqlrrsTXRd!iK
z)a7H)#lwjf@L<&&!)K+qcvPVVn8)y9(#I?pPr6mpX1Ip|eVFX;XFLE!|FcnqF8KEg
zN=ci5+y2&fDSwZ*kl5*RkTJ|Nx-IH~iQRKgn4b1Z6t$bE<^j;bKk{4o{+aoOCFi?|
zC#1;zjg3}^-jmDX&g-Roqro$4Q_jdH0%nglI>{s?$nUh!hS+PCOo#5rCo(Pj8{ovi
zsVlTB_0A*Abeyd+-e9Ci{1o`KZ0E|pGX;~@+*I4Qb=S(RjWYmvecvmE<jNIZmz~z{
zPI(*M&{+JD2MiVmNRF|`2QEylH!}FAHqIn1r2IxAJsGR`hkvNJ&n6Prot;gaMchwG
zTZndG-WW4tRF(x*oaA{TF(%K<JkL)h-LZ<M5tx>qE@*Qp%Li8FaMl$E{_JVxE5In5
zN(pGjy~4$+|MXsJ$YVb#iZqS8#r^fl#uyVzUnYf?`yypJQ25~TyO-s~&(@Upe5<@E
zoT?G>`+-b}xt?;w#a+-2uRa`+5^W?5(9tUHbhKrL7EfUwn4l@~uJYQ2-#%Z0LX;(&
z2bCe7?K06cZUA_m7@_~1K<IXVeN8{%gcbUlKQD%I77y4yi~p*%BtZHLrXij1%dRcA
z?hJK2o7vUqbpN-9&ZxHvyAf*)uIMlt{0ZroWxa|fI$Q6joF16G%_>VWa$vrY`LZpq
zKiG%&?K9I&_PgiWVsw8D=Qj11SX3~{8=tbMuC+#k5c-ud6U%X&8wf#=4)nG8y4wVN
zL>B)A1sY_N^|_PhvKmXL5o6>mbP&M@>icp~wCE1Pn7kf^>gI14`RhO(7|~;a_7Cji
zzA76QD4$RKnQK%F!@hJ`yV@7{?n3JZTSz{<`d}Dv%Z<*I44JslYIVo+Nb^w?$7;#Y
zSNO}zD$R@f?p8wepJR_A=;7m6@=*a`=-L}*%?U69201cAB^aMcmv45jhPt#d6>J##
zn~xOpDTrSv^NVFI5+pA5x4Ny?l))RdSAT0CpW9Lf0q=Bu!n?4eaT4V2rB;%ch5>qR
z^gNKOZkVhyonYGOpc6zRJ1VykCR$cuwI&$RUw~v{n%HNQ@CbbnV0L1-pN6qYD4{zW
zGx7sZc(ok%n+SC5Wvm9C8__XqV`f_M@W<tVf%T7WVIqdDh`gensJ2%+I+i*dY8PfB
zptIZeIHlkV!3&eOMr6pazE(^R4c(pO6Rj1>q5U85D6?CUh6&bRwbd{*3$dTg)+pQZ
z8?*bY%c5`gLcs{Hj0%B?(~P~qmC#MmAkWqQLnW!K!vi0Z(=ZV^1lhUqs&eUsq7uCF
z%*~fGE5VNxMSklQ2X%97ni8kJfY0YQfndR~t9)g{Y|W(Z>3+{c#=J171W(s|qZhLk
z&pvuu<#f_0jQbR1qd=cGs7P6<#GF7nC5^y_NvzvApX4V>ix_Fu>k_(0GxSRT+}E@^
zetOgqPBwRo_07l29Y}GcJT9Bf%?x-={ARayuX;>sps<@}RyMSi2$_y&ywwQ2CCC#}
zAO7J9h9-~C5@V7hq%~%oC$8IPY(up%X6<QdV-%7t^v>(TgDF5Q?|6jn+50=<+y0iQ
zlFjBV8@zkcOn`wgxN{RNb@CXF(2h9hAuA5+4nRK*x+Js~rr&+SP$)jxvxExI2X;Kq
zU%IS@sR{DDVGzSh{u$jq7tF}jZk++`ri9}m^7c)kNUNGv_X5%%Rhl~=V4n7_vS;#A
zPLLkyBj9`2g9I{n1V4IbeK0@rT;!ZsM<H?@djGMH?6gIE;idP#)%(u%ADWG10Ft;z
z?RT4idtqgLWj#Dc#MT_i@AeP&V=jH)8(Hdo?l57BE6EP){<!BC({c?t@BBlu!jqKE
z<0T|;rPL~GtPyzN4(ranw$WAo9g02y@7K86<S(+dmUJ#`i)Pf8KSGF1?EiQ!`ul+1
z%lZJ>7%wwiIP!tM+ky@qiCc1U4KykjUR~9mLDGX{qYif0W-~MBlFix#WW>1r+eKjb
zEGj(6J>8YlM<Ru93t;VckiYO6<G)Sz&ix&c$B*h;KK%|Df>i$q7!=0z7ixCl*H~CO
zL@uQC<afaNZ2ix;!HKx=LI2MY%MR6ucd<Q|^!&E}s}M$EoInA9pTMfDU9y)rr>DjP
zhu3_^yml$ylX$VMJvbE$5$`oJn0tK;pBFtf(5<PswjJ}I`1flt6+D=H?Q6&2nCG@&
zfYyG>31yMBxUb#DdfABLvgu!;lzpxVcD5K*=TcKhhV(enxvM}NBSc&OxO2IaQ{3e;
zv+%*Q*^OE8k}mb;`x(<#W$U2>ZGS~x#nu4u+32dt1CSl%Vtp-TSob80kFdZMzK^f1
z455kHGLzA{G5qyEX}}}<vu9p*5fE_&355QC9W(&D&6t?|R7dZdbWv4uxMpXiw)Kz`
z*)Z1{)^w#UkIJ({tvraQ0`ETt(ZYkrEoK4Mxj`|UlPAjt=;|iB&QHE(8z(H9HSXvY
z%mId{(y{C>2ob4@N+6u>(K%(O3%xunLAxM?v_k8W3Y00;vZ+Nq)AMv!D_b#J`Y&w2
ziForI!;T~1*@|dvE!(aFLm`oJ55$$I1+J{ucQ1s}4Yd4y4v+o7EN=!=+Sq-72)CTO
z?wvU^y6>hq_&dq_piFH45Kb5&vYGy=8U-vq)2%gOIWqd)%=94ru}<gTlVh0R!KT$o
zXWJnp@a9hH7h7R4mu4%V09x@g7=EGz2Ml9h8}XOS>5)w^82a$d5}Se`(&GNB+3>8~
z>(0rrLYa1>zvSIIx~W(@^{VS0mGM#kvk}O^)B2O$Xf}cZw2J-T5Nu1>V-P8F$WMF#
z8hx6j3WlOO!SJZHpV?K&>T7I)e^0E3^%98{(StDsopThu7F0q%x&$qo?9hk7<gmmL
z`}J+$$iim^Xv2S5lLs;K6fr3Run%T2`8GZh+(J_u4ALxOccEg^bhxcaznRfOkdN*g
z{#$@^Ak4l>f4_b+UYNUc3M9$w6m41XOW>6iAlc36Fj|oySV8V$-${<eQrb<n*1v=k
z4n`qr#HV11$yJyNi0eHT7lilzv#J8FcB1L)5OJ&J)3*>Yoqwn$+#j5WATa(W{CTl1
z+_mNk2aaC*+N-Bdo9sb-iq|O`$D;@Ty}HcgQFW(2b3fy%r?_Cl=)~8}#FWhr69J9t
z^)~J64y85}yZ^%|r#F2`4g0DN^^hv1TFk>*&wH<1pkzrdm;Jb)3yypLPzf4%4nn?#
zM+jk`M7Z?nwbfCdfXB0cFIzmqo3E)rR@Y+FyW8ekU1|dlOEXp3Qa~e=YznK$rR!;M
z5+BOHT|g^rQ}IEb;^(y5p_#Sn@0XNnD<AneK=%TlRakTK`=+Lq{AEX2F=U#=knVlO
zFM}n1LM$71rV(TK`PWJcr5G&Kb<=<S{lCR_^l46ThH`=VM+Im!*kmMN6Pg<Y%VKAJ
zO9k=x*$pf00b05j{C9D);{er?3q;LzIHCzg7#e^`FWUSD-gd&7%!1XcBlyRNK%EiD
z(#rT>iNhAJ2Nl-Yy$H}|xmU&;vAC{GCXZ{I-gE9mPGmg>1aG3Nc86h4y`vfY|1nV5
z!`&JI05}E<{#d()zQ1*Bwsl#IScwB(RzTl-w$q^ts1DwKjeZMZRJiuHD}o1r=ccDP
zeEC!r4zN1=Ww1uP3H<V;eOqP(!YTF-@!f!5#ky01Ilh^5d;8++f}d3FUs1i7j(sW9
zKVBLL#`;>~I-T;mgU~OvC63w6Wm8aw>YIq09rZkuV4a9he>>su4OGIWi8c7{{`TT)
z%fnL*7@5{++I;C>VvD3eA<j-_nN}a1y52p-F#(Gi>+n-I6W@5XyndG8vFu|lp}_a|
z5&#tNt7m%^>WNht$X)y^=W^hWlikcr-eI4%KRo%FG_uF}^Y8ura+hJ=V7;ZE;PhVy
zZQ3$EQg>q(06r|pWO<uVnvbaF`x@|<<46c2LgH?fUh%}AT#t+~<}?L4i#CH4_hPt%
z0AP~of!@DNSh3X~+~}QvV3z^b1--VN?aqeoQQb;j*kA8~_gQDA2btDxslW98+k>@#
z-&FjinGIO2PcD8w`AKWiRaY{P_aiN9(0!~5eQZdIMP<@rhrzWQr2ckKf+8L-TWhCo
zT>+K_sVLRnQsbezHT5hii*3t!D@ij`N=hkeB{_6^L>&R=#AaN7vPo>j@W5nFmd@Xl
zv{-Me>O|ril{bgR?(M%uU-BwF{!n3~AoceVv$A^(o?zANIA`S^R(a;jP)fLPqE@R9
z{FY{7o&aM4{_nu}Q>>P6uVq5rzW-y1kKbS(v!?uYnE#(3nE!pw{l9=vZ!jY3NlxkI
zf2-yHU1I;gnB+H3;~Wk#S-8p3CXn~N`au$oB3>-d#3vyDp5kTn{R>QYZ~KCD$k20(
zC{K0syhT%=99a8c0m8$_(|ou><H)!Hvyo>dYXbg8sKDQuNY=wt+HU`!u}*_@z_8#u
zv_>40!7!)0Hv!9Z@cv;U+{6CjnJl`51mDT4Wcp99G`XIS4+;N`uD{mjUH=)m+o$Mf
z2{W1?vHpPwGq3cVC8eX%;vgssq5BZ#NP=9lz{8P?{d(ej>!6(y?RK$Zq6^HLDdRoL
z)pdip*0v|<Ey0h%rb0Sc6#ijEMxGZVk%>|RvjQdA6P&s>yIQHEE7StMn;61s-WU|U
zPQgQc?(Jc383tf)L0RDiLjLkQm(ImIq`wQc-%NKs_PkT2!&B@nae8l!J*<8EAshKv
z#GZG2Ktk)hzWt*}NYeA>&G1iYuqyJR-q?45q9SR8FnKA}uf(c<_=31;ePziN%aB+g
z2-tbCo0w_Irg9ZGUWJ@Q5CA9rbD-&#SAOs3#Z8s><3>|6#;aw<OJrZzSM@Q`<8<)z
zOpQXd`a(=bTzD2g^wUZ1w;DRRuJ~LF0LNiZ^x|*6(*Jo=s#!FB^%v2l|M?BrV96H%
z)`<8$uD{}UcJT5J16;8=G5#Y391rJ2bXqN<wDBwF_g)#@Wb|H(KWCnl&-86cSm8m?
znDQ+m-`U}mJ19`<ndn6BXol?;I_<Q*)15JtxKqXZ3()W+j}(bhC$FNX9@J74*egGc
z4pr4uk0_jzaSxWSEn(^P1__VQ^0lJVj5_5T2If=F904motF@M=kt$VE&WArqPdzs7
zCzmh2FmYoh|FuCK;@{bK6b>)(T{V2hcG6I3gC3RUt6qmSPWsE}K>=f{LeHaAtiq-0
zJ7_f0F6R~;ZXGyVKW?}}^}%w;8ebZ<Y0qhr#wmAMH5CT%|9PM<U1(jez}Kqedc(gP
z_12&gm9Ug0CzPdc)pZiy@Fgx(Wju0BK%N+h^G^33?GK{~MWe98I{P-IhC%=CtAV!d
zv3tPD`}05D?(3ehZFqcj^G2lvju}0e5L>tAYaV>rs^zub*gAQS5id$2`7nTG%2VlF
ziTjOZG0^HW(9(i}cRi%e@u=b0i{W(N@}7G6>zD)+=Cd0be0t5RKZ6TW6w;N8JdW_x
zO&@}+u&h?pZk(3bT#9UaNi$BUi!^Pn48=nFNS$V~pTI<Ql@Z5G&$8=xe$AC01*$TQ
zOf>C~k?p8YfFF+NusSt-56IKtIXCQO(^3v-cr755iOLj+qlfRk>S@t2YCHlsG$q9{
zB~q{-nwdY6G<ja5hR)ck1P3GJWk_k7SIeLa^@GxI?XWt?4U>6V{hUNLP7_|mwj`k0
zqw(09;?!HGJffhxR7*L{lQpk&jBK0Mdf@XsYzJe_VKvLn(=!0pxebtC^>lOZ*{~m1
zQ%*(}4|8Ps&cgeOp+x>$j7Rh~81~keO`neL>Uz<hR#BBry+YJ3IzM32osPEsR`{i+
z_naK!6wzyfF?UJ5Z|y|7HH!Sysi)V^SqMZF@;$s^Bf%=>(dmdKDlOX7B^lz)1y4~6
zW@u%vyVp0=8#UvJ*a`Uk90X9w9y|r>LHF~X_Gs3CJ#0_5TuSF-AreW|*)&+4u4gDS
z-u$8MNNe>trl0oRDbsE<A?Hc;T6vb4x@cwP-cz0_3eO*UsrAGO#7u<vrgH*$*``k#
zd`J{%CaFoJ6CJi6UhcTR3R@0_)QHgfHFhOVnrjX)9UaT#3Q5StvcZ^rpDNQDYJ?#)
zy8)q9FNyoeO&@Tuz5-Y<Cht(2W}2kJt{7|B!TlW9z%Hl+k>u9rA!3##unf8~u$qt_
zxHU1p8EmfPoO14NR6R}uz|^z?<gAm1nCLpJk__Wqwlm1V$zuqsvg8wSCS4QL+0uq!
zL{8y;U^dcSV5+{wCeF!^s_f9RaO{o^UQbOXB-Pi@BA}4DEmjXSe=k}0LwW_52@sI%
zWs6hQpuh?3`hGAjF^b&i!8+(wOy61(>Jl$O)nIh0M5{=0$pHC-m@1f|ley2LR9|Sd
z>r0u-lidy$hBh%_D#o0UFGn6<9lV>aB7YRbbDSlMqn_p~%+!k?YIekFzs<yLm90KX
zJf|cm=XSb)6gJ~B0>D^e<a;+c;)Y$stG$h3L4io60tbxCuG{lmiChMoP!eR96Dflf
zlNJpTasp1sM}0($Jj{`P=t=*mT<y#zd+kHp5W8gH!B>KJC@-gjqLA?osk?|Z4<)r&
zGy1S)@+EN7c3{)x#Kd={7E3UQoP#h5^sIf`FNHR9H%20~#NOLTpyt6oG;Pyb_p*r?
z?Zj4NyygHS9PfS9OuIh0fKw~iE=kGMq1DYhx|Qj8%#n+1PN1RzJs|>M=Sf&ge)^IS
z<z9&(`YA;^sRYR$en&~0_WdT<W>-g|pUFa8fCqe_uKrda*hs+3gU`OT=UeWr<1n&?
zMe!-mhvzOLc;_Sz%yOHuh2#q^B1{-?+Z>h?U)C+1mSCEI5kkIt_!TCD@2a(A+%rTR
zsI_hi;W@M}FZFCt;rY19yXE9}khe1ID~ZigM$=%=MsE3tbe0%{Fzi9!((MbYlT>WM
zcb>QMROVep2C$N6HzWqH+f7OqHB`S(_lXP!BEu#p1538KlHFt0H@lN^7FWSRD1R0k
zVqSNrd{7`ct0p-*y7wBs7O?kGH@QsM!x=iPwIzNOwZ6J9f7P_ns6{wYMU`-ur)_t}
zDyyV7T8@-x5CCVJ^YHI^guf16LM40%UG5CLQ8;3--o3tWWEuk+RUMcjIN$o`$}ks{
zk7TIj_q4c45eAm_)DFTh%A7WmEnMJRB7zrgPcpx+`4}Vs%&xjUjCq2IHWTlPc@cY(
zI+`(&x}i}dq*e3gW{f{7Vc_NKw*>6ji(F#%95a_YcY3iN7?q&1{brNSBwt|_D$~|1
zCOiV6jOy9s?b8b|ZL2=2cJJS8d(S}_Ou>WuzM#2Du&bk`iF;1!SugtoBlG*w@>j*`
z8oH)5uP*}ZN`|`PmPUk}L^?dLAwN06CumVN<G{EIDFaOu2nQB`@atI{!ZQmltz-Tp
z)XtzyMOBzYuKpb@v&=w9`qH}?;aG*69%W!!fXa9XQTA%XYZqj{G@pdWvvNj?N3U_P
zEb#H6Gjzc|iH8iECa9bac+8Pz*fG6e3S~xtmgGq7l8LFWA=wR;x`!)xlTaY<ex8FW
z6AcMa(d8W*vi(P4`lzw(<@NhUDRSd?ea9Ypf2^(0z;#iM9z*x}#!Uul%#Ph{O`yz<
z^9?R7Tv`;-L4me=G+e@r2TuJ^e&D7Pv1L8srYVi}NY3C=eyPK^7nT}>C6Z<Wo=m4c
zCG(#gH%7hIABh7uksw)c3UH<QbxIpyvJ(^(pLHM@n)SiH`=bvrnY&J(U8k9rr$ed<
zA$2k}ANE*1h;<S<Zon6Mr2Eyn)~N;naDS71MLjRI%TeU~4=7>N1@RQx96iq)H7S>w
zC1T^?9xg(wpC6{;D&vDC!qqjZ8)4hy4G8x^Tdc3#P^Rk<Le5H*@y0*=xjMtsv2?VZ
zL3Y9M+QrerTL|N=8eWz*0xfMb@!rjr71$(6c<kVVOe#(A?VGFvkGi1P62-I#Clq=+
z)cWqBA}+s9!s2Y9Ktrgq!Lg_2t5HiGB)bkO!DVpaqvz2tXwxV)H3t>$-{fswvkX?y
zz(lW}G!xV8nl35o^cm`Ks9NY%DMxF@1h#do#g2YB-1!)$!sd16kD%B9_yvD2Ke;1A
zh734E`r0xI6?ag^9}WLD08uQL1mFVP`UJceLgK$W^ORS47y432d!XvF#+yD`v>d^9
z4U}IxMGhesJfd6i9`I=yaeL?*pxivg_tAuH6RhuWVn3I0^aUmp*DaxB*Li}cauOs^
z!&5@=l|$Tvc$cXGekgdIkN2V1G|BTCPZsvD;pCTD&+d6VYm|eO%9NPlykqGiVnXJp
z=WX<243u2F4~}!l{r#H`vfO7^xr2>bgpBw*PCwb51`c>HOX@9;rOYa0Op2O{Byau#
z`svL->EU=+Zq~&bL=eW$A2bv{MLzZ#WtUDLLnRb2IaFzL(24qwQXOp<7Okktfs2T0
z)d{W$tFpZ3pv%l*kp}jgNEFjsh`%vohXK4WnNU?Z8*XXIjFWal`mi`zKY(?oci`0q
z&`*2&taL2!K&V98mrNnTAb83~69q;U2z|vWI&lLQn-q~Nt_S!?`&fMp%|=0R@DmUQ
z>U}k{eU9<e+P%8cKxyfiO?A?fjUzkU*{YpTZFXO8$wTMF0nh(ABIOfS$CdwMx|Il}
zJD=!V{e6Y$#pwCkAH|Vu@;ovT9K$zaUnxik%;9<)N@a6Z!=Z$ca5uGd=AG>f$Nc*i
zKSY+n<7u>}wr0@YFz?tXWO9e6RE7Kl7Mq6^^H`%m@mF#;Pg@OFz&jseVsM$)gUX6{
zh>#xQdduVgT!0ZK8YK-&Y9(wK;(=<yhOb4r9$A)-;~QmK=n3+QUa{s$<_(oNvaY0U
ze0Pe^Qw6Sd?@th?d1*qUuX94N+j{i~Tb&Gk<{V4)Oz?o3uw1|4)xj8hPfkf;Bvvh_
zPGZcDUjEKE`c>|FblyGW&B~2Ui+4rmaca<iTE>!?l<57*H^ro_&#9OA8}nzZ%3WYq
z*A}HUCug-J#p!Cpz3Dm;v&iY(&XvuzG5hB+Ct`vrw`iUT%0$ZQUjL>1HfLY4Sisd=
z;juqha_{na;==a3;v%GWvzYl=CLaHjx!OC9SQmQ4GRX@AM2s)U5KsGM`n201N(DRy
z8;h4aBVLaJLa@S1WhiT_Mn4CYBCC~3Zwq@6<K3-tDQ(u(5R{I>oW!i}L`|RE0Z_w#
z4*fB#i|n=QO&all=;cvcKBx?8d~K(XJY(HVA(;eza*rDuq`lIol;Sv*gKh|ST`h_X
zqkY*-$;7R3CK!C0{<;B_k!8^C<*u`Uow`lZC~7h8UGPA!-0tbKgP#f;r=PoskjKkc
z&a+*G-*p_5(pT7oOK4EGe(EkZNxOCZMvEBSWfu`>v<KlNNfIRx)+niWX*60`k*2ak
z*pHVrNLIU3Ok|Y*w2;v~*>BZ6-^%*Q)wt{Mt6sbRI<~0OyGN58&+^fn%h!;H+<J|&
zRZ{ZN0pJtkUc>wctqB4!8%#rENfa4@X`q<lE+o~4&n6n(;@!|X+}8w4Ea^?p_jYNc
z5rtBc5nPF^p_MxuC;I#V@ZfY=)5~h<NTK|!v21g|0Sj29ZVfg9{}TazmvZ8`j-Nv@
zy|0K?^?c0jrwshSgE4bs<R%5UIBS}Mye^$NA4WELJ>0c&n_v&U#Y`fc4}_i6`#&5$
zxw<>5-_zaTMQMmjoUTVZwN@A-ZvAv9?u|w#6?|ddaN<+inRd`?u&{%T6FP`$X1Ukj
z-DROKnKbj@>EtPzzp1QY@ke-436VsOq@MY7$_H~)!ha&I(M3J;`E{%@nyGIpelbcS
zUK14xXe5(TJ{HqWLtJ)XZtcJ|y&c^5HBFz(zUA2slU`exvJr+o`|!ny)x9*&_VSsq
z#I0DhAtN1*c-x1<Omn`sbZhldn(dKv{0A|iIe4T^?vJ&=Lh<71VA^YHt%mu8O27P(
zftk>nTZoDO1c1MG=Rq%b>spS8%^5N*K~0n@>#T6yBPXS*xmTn5AO^eQ59@zi=ARTl
zs&@O*k3!4G8{{|yc8|2g<Z-oU4eyo2Jw4>jJtr-U224k$9%QlG^szR6fi94B_8HeY
zyyL;4b1g~yu~}f;@XEO!*ef?heh3k5wk{;j#5eu9pwyDs(cI{drEMTPlMbAR7CG_8
zbo|==GNXxGE-tR1#><JKQaTC5o8SDjySPH&;Y_(*AVCCaf2&m3f^{&SZ5?FiuCPl@
z4g<l}a()kD@NAl)a(`s(%&O^eB%5Zk+1Va8vCv%PJ{AIg*@;>|F~+*M|F*ZB8S^g1
z!4LK2H>}$-2pHa-&Y5w8{Nf^8D{0fjs$w_a7@`9D;7jX$c*SCoPyHS-GERpYQjC1=
zRez++m)SEOR>%n>+h<1lH*$cZXghx8PBZzmL^uNsaDN#Y_YZ@Jet~=hGX3iAb%W^m
zs7N8E1M1Id8Kb)OOM`PYShVSBQ=bce;rZc7@yu1BM5Efh_OE08)JBs*4xqa0%E|!l
z-iWau?Vpy~Hb~Wmo<Cl6SjT;!Lhea|dstIkHFFsdwA^L_8l5MlZks8r64)O^yesuN
z@=2SC<P;NWKBeFO$<;jAkWyukRCI5hA6s9&^(W^K{zD2)V9JRGu&lsc3Yc=jyV}|Z
zqra)Ix!20L*P~>JKH{_~Y<{V})WaBhXV7<V@mGp1x>l?`6q0KC^e*S8)=58ep>5UT
za%@2M*F1J(%0vQe5SSyHG(H#AH4uhIG~g3QQyOaQ&Y+CvGE~^<t^mWkWWo7BY1Ot^
zdfTkQ`XYX(qZ}+}gYvotwQRhCg5R(xK2M2|ii82?Hl9Y{qyT_xkx|K*-sWUitdqD6
zUB-xASe#!Lu~BdNJsE1TE9UDus4dzD&|{ykD5C_gEK{jN(I=njEQ!}c1_LL&>^U9;
zrzacir?|osQvyLrDOG&}yu1(Liyp2KcU~UE<eV!$$2nHO{2_LR^1qCRZ?bSv#CP+2
ztNx*D>AAJ*9OcIUR>odnpNzf$5i1mLg=JrY2_eT=&b<G}!12?^`pX@RM+8>S?J?}%
zy|nI8y=={WZSG`b6aU_)TPGRd+H{qsndFuo{qk;t)#6}h((5YL6)V9c-d9f@_3WkW
z8tXJCOGFrfEr+kkrLHI!Nhdh*G_BP8^=ixu7_XcPig{2COf8=0CD;EDY@xMNxp{cQ
zXyTIcn^N~c-2A;s=IZK5|GBGv99!Q{%GHeOVy#)C(oUZo-{tRf$K5kt591mZ5#Y|r
zKmA_Z6#WV<HO+oBDABW9u7;Z{ztZW0r8@M20p`JbJ1SLknM}t1p<8Zd-VJf)=)C?<
z&7J|R?-Rd%*=K8AbbAG3RL1;t*!m92&l`33zNV`e)>!Js0GJJ{c1ceuT59{^lN#(`
z!4lmPi8Vo%{qta<YI4!ufo&y|^A<-B;qi_@KHZr*>XcnQk5uVH|M@)|IcM8y2@7G!
z$!y4*rw6Bk6i4TXpHuix?f=Qup{|Bz1`1rorcWp4gvf!~`sd9TK1_l1PXhsEv(QFI
zG9$6wkx?ye@NF5auL~Z#2*Nq6O~CYvqV%mkIPRbi_@vHVb*1Uhaf6?#<N~n22>jF9
zhI2y785@u8`F2B`Sg!5G12k{<U&}W9-67X;t?h<$YL)ZSWhE@L_l%ioBjBOfFIuLp
zI{EK?cD4NOKlsdu<$_pEyA)%i>#q+p){Q_MvA$@m!iJA2mORljDl#-@XQeM;#-R<H
zr~lbrhxVU-i19Szh9Ujbxf{PIv*d&OG_*A7DliOWUa_7E7<RQNAyWJ@8P5$Z!q0yR
z;m3cicD6fCM?9Lvd!m4j-Xq9c+sNiyk}`kG`$8|vq>?Z0-f=+}u=8`(pHnYYPCX#h
z${jV@Lc4xX5FmvqCk6$-M`U$B)YWCu)zc0tJ>+B9Q0~dk`|B75iU0p-@c4hVJo0D1
z7cDB-S`wBit=#y<l<K8G>L|c!mrRR1{5#ZY);f!B{avj(CPgNThjlzdx;2Sx>F8ZL
zkc#oYOx*+{|GU<NWy(gi=vp>;o6n1C$NSFS2hJlK=e%M-=VBb#bIf@Gv}zef@wojP
zmj}qgEL!`sbqjAk3Njf7$<?m9Zu~eYzmq;>3VA|Zs9hD-V&Un)SZ0IR?>VIr_YSd#
z9@)OZ&^&;uxYP4@Lex~-GFPhgK<nlS<f~+AR&BY+X|y>w{p7Rk`O@dH)s$bZ<+BxB
zYDW?GS^9U|j_Tu58cNqIK;=FfEhdsEpLd^h!Oe#^N_Y&Xf>L?tT<{PmbB8(O-ouf(
zfhJ(twP$xVa{R&ROV%;(5}Ce<9g*RE?0>IAHhd%LFtA_wSH6UuzzYk9eofRKO~J3N
zBJ@o*Sd6#_b+!G?%mQhu^ySD?=ZZR})SL|;>9WpdK|q*JtE9D_z3bf%+xdCJX)s<E
z1}f>x3G^<mIE60OLNS0xU!H=&`PG3F|9t`gmUmg2RyXgdrc8_0l}05{Jd8ud6vV;;
z1D4)J5`K}TA4=)5S9Kl&I6rcmVLP)St$;Va7IL8~2T94a(Y`6*u7oqe<JuU?cvYdQ
zY!*^%!RPh8pT7$oY#<YVu=L&30dV(_FPDV=jz=^);7W$(yT~XS6MrA5%FV?Bgq1JL
z0RZUX0Ii$n2^A@O&gf8U)ZYY~LGD3VCJX~SAB|KGe!EbC*3Ix=y7q~8rx7TzR60os
zpzz3nl)tt}+X!?)e*rl&bMfQBBGaM=qgyZa#5Y8<6%QaxbmWO?TB=K=i-I=0v^6%e
zRG!f37J`|}_ye$KuK&+7{{hCZOS2k1j^;2MXymG@?XTk<rov{&f_B_lUc@G5BC)#l
zg!y47uDIw?U%q}O)!HLR(=0i^w^~8Qq+Ppn0;YLl2=rPEDv<^rXWbW*x9<myIqHuA
z9X7h48b2J~xq4oF{SGEU{@MxWIMx(=(mv{TeN(_wP7iwfBt<8)$SA4Kc!>Ex%tTd2
zxYLOO0y0T%AwrhlpNBSldrmDu@)E*3a@3eFPR9_EKC*{zVe>sRB&$wlE$jA02XZ|Y
zo&HMf-*nbu^I#w0@ARmD%}NIkzjVHW0pE+#5*vLJjN<LDuT|Z!1-A3i7qI+SOY?tT
z_}7oVa(QsaNBJf)G|l7O!^0Wb6B_O}CcC*<Umupsxpob=C-qPnHp9H37xJFM$?BIv
z=QRGOq0H-<F-D~7W|`MnPU>oXy|%HA4Ysa|JrJ{{3#VfDh3<hjQ=O-$sK-3#{e9+#
zmWz^YUgb`r-uP>4OR@<&Cuzy7_Btiu1$@}vHy#qC;f2-Q!<Hh?o1d2tkB;n)o1ZeQ
zO7b*810)K@pbkJTv~!x9DOK)@b4IQWEf@Mm$yX>72)5DuUZ;BuF}-Z%@WjTwC#Ojr
zNI_v7;1~#gCp3&1<P}T4^c-LN%tb2NsS-6Dw<3j#?pw<}3p$E%@*4@)ULT<*WN0ZR
zsNGvJNSFXG(P$RvR(W?Gq#2)`7=K<q8k(>mM!o_`Lo859uKB-CVm#;~WD2Q$t9mHv
zzRqyXk+~6Cjei|H5jGoQF|;-n2$kU|-dF;(nL9Fx`M*z&>~U@@fuZS~AdYFJ@T+-1
zo7R;9!B^HrO{cy(qVD^N`GZh?7MAT8W+CJo7aEe(NtM<5xdpC+13&n4k82D%0R;A8
z3lpX#o(;3u*3-4JqolH_d|OeIbv-->x5`WcGZTynv`O1$<X02%=kN<D2v8+Sc{648
zCO&#?EZhNIduVj@2v9l<b4;!DAPy0UHcHAUuf;J2ag~^Ns^=p$1BB5)ePh+D>NGKi
zJNx)U8_Uf<Ch+seXA0d{hVHzES*OU#&ZjuSZ6EpDxe>Da@PKU>l3X*3EI~}Vzp5wg
zBv-73h9@DDPMS@^b0TVhn}W7jT}-zmyoik^@$fR!e%E4R<6+@!#NhkGx})L>8`_RM
zScZ*8q{lR9G_7g7$|mV(Kf~$h+K?6UJ#_yXgXmcJdryMCp@EPBghff_8>$hT$*}M!
zM2UeVX$UYnqacII)6=xzh@FMS8?)C1bbbtae?Zd{1d?fbQ)%4gvoqvOjRMVkg>QC~
z43?AkksybjS3TKx`c=^}X8p}l+-7m1;#V4b0SfF$QpB$9U3{yFE5f{K-GpIf`O(?8
zOE^8%wEViw!BiZoAW&$0{0#;Px31SBoM3(lyY1^*2=O<UG+w~*(4A0y9an0i(HMiN
zOrm?Ra>2K(EFCwo&0SoZA%w_PA;kPPozV9HdUzGAB;a5fisEVl8vSapPq+Mir@(~B
zPCPqyi`@sNh*;_CbGj5I?qqn>gJ15v9{Fyf>fL4STF0l=H=AHoX`2O$-&GUENBNsz
zLUo=?k{-B8M`Y=616q;K;MSErdR1-p;0WSSmGU%(0>-3Tyr>{f84LwBeJd7ZWe6qd
zb1Z2T0~MQ$#5|#kQNd&u7zKbmGS6$=Sb<?<feFqQ3+~S_*vbvDxq_0lOCvU8egRX8
zOKa$+afcJEZPV>DuD1T%nU$VRFYCrjTwaqiU6gcmbn37z+*lRc-QRDo9~}}-bp_K`
zlQFi!PY6^>zEXxt>An}H7nvJOC)EU1U*%9vX?5)(y2-Mgw85_(v?Gm&S}J`#eYY!?
zmqWKwAH*)TC>sFg;v_DhA{iap4nimy4N?3YCq3Tv3=)BFF*J!`Pp{hPcV7WJIarvQ
zUxU2Yg$fq0zBU#dpi^U4=zS?h@{EC&-}61Z>_pTho4|LmSDcobHc{%zw#ZAnqin(@
zx0aMTPf^cI+BT)c=E5H|3`;AmA2Zr)MKK<g;nbkwQZotl81>Z3T1vD?RHr9m0&8f?
zkv+70^YdMe6Rgj+-Z~{@k@MbrxqFk_zRIc7>@Ma-XIC7=o^da~YQ|~WI&p)BR?8Gl
zjrAxdjpH~H&L)YuFYh+Wo#T?v3l}Ea4?a0L5$*FNq=(wbcs}E>pid~NgFl+S@3uU!
zh&kTr-0t0ZN4zBNtkmN{b$RmJOlsNMTaw=9vf1WC78h~Xm3!|~MDOTz+?0mN1iIT6
z=Ye{>5L2}TmLpO6!-wIVT!@eb%Ml~wJ73Yo@`e!+78ZqwSN`Y7$Z_pAXs!=VeO{}Q
z<^|^9LOZqBhXOw(OCTabX{Q!zf~8uX(KPd>`}!^l+`Y?b+7b+D?g9$Ah&!!Tl1x`u
zlcByf@BwNoR;^odhx4|k8(TDYQEiy=?CWUmTvb&aU!yi<O#~JnEjRqe0>8UdPHvkN
zGp<U8%_=68oQ(lKYmBCQjoP>(vRw>(TmljZC*N$co7B4cz#O*K2Zc-zZ4Y+=Ko@Z@
zO8NH;O=&U`f{y4(=Szy+?kXj&#FCg9nR$tmdq3b?rnNAatCFuPXw<|LO03i<?vpWm
zh9D-ejiEVMQtej^|MXugD5!8+Z>#P`6q}yivO-op3ow}#d9hVT_(S#*hm8O=GU)+C
z0pDi3g-Fl^4e^CVX3eh(3n12J8f*a76&23ub{bS8GzCo#y=RxH&i3RndrkFrlC&9y
zSm(++{<d_5Q4?yx7{3o~Uu+$ph~;_r!}+f9E@#+{uQk`^*eCtlXf)E~-QSZ_^jG}8
zH-HW6=huu5msNTx?m^4by*9i)tAXX)POmi3-qdb>8@up>Txg)#`U?UEZfj%q4ukGH
z{lqGC!g9`_={&M!dwsoW%zGx)qr``BIyV=F3g$>@OmaRU@Y+Gh7kjjrj;WV1)+EFm
zbHb|Z>DBXJM}(`17uOj8tH};z%lYGQ6nE^}vKgKymi!_>-W$iJoN=z#{bUw!8{(YA
zyt?x~qWBUYd3KXL*;IH6e@7Q6KG<v?o8bP6lI>Wy_v;Ro7o`D6vB{>KS@PYd5MEK2
zr4O~#YJT9^@XT5Dm)P#&E;B^20c*0?A)t1*O=`9*io3ryOHLBG_WfhV(#rkYzOcH2
zHO`{3Ffj++CU2!9fQh6CG2RaH(N^_dHgbH%s*KiMYd<}w3NH#9A9l-zv&V-+LRQwy
zHYREN;cs4`5c4=2u7tR5#fSZNbP^U^G^>o}D8&5-l5W@6V|%e$P<ZX4=St!C-H+Xu
zSh(_PWTWvk!&K#k`n&a}zy+b{`B3U+dPRasV0^NuD`kxn5LM)TLdRdb$&&24|GIYn
z5Usi2&M{V6K}i~3Q)2#7Y??1NqAkVcMURX7kMYH=tpVdP^_Sdw(3{f0M}AJTVzyDk
z!kUNXw^l&=1~0#sDS-kj!rLi%Jt8|pnA@@wRb6UbzW9S%Tpn}?P*9NK{cDYpE`^}I
z9(G42iSU7KqH<@)4$zZ`6wzBLTTbiR^;m(sh$L3F?CNU(M+*2GLVx~@-7j<BVm_Gk
z%}Vy7@lHMvF{$5VS@)jNaGB8{Gwh!|C@C|DA(?uGHMAOQq-tO{2x^EPQLwV#hpi4u
z-}?^Ib=HrFKq0=x$I(RzQ8-vMqChwAzTFq*M=hT1%Xlb1;9jq`t6ZD*$hV>2wBjCR
zTxyIyFh#8gH$Ym-=51<diP7bU_!A{RzNX9}y)Y84324ZiO;g>^ynd0?jWWQ-b3nLi
z1g%l3CGoT?2D#a^A(kSq6S3vIkWtQEy8(#^-DrW^`*;&M>w67;Cn68#6#5s|m8x)B
zl~FsfaokUA%<Kl06hLW)5m1Ap_l%<UyRjrwZth2o{OaW3dlGgprlsT02AH?_&kkAV
z!%hj7y-zmUUFN!_#1SK%2xZVd)Ij-JUhVKJ^0K*+eBMuGbEn%e{+e6k3OxMU;jJTA
zIFZmRylba^;CJsH*Y0c}o3axY)A=yirixl&_|67qdI@cdV8zqqN~VCVl0FdKa;Nj0
zy64fC7HF})pMl-iQz2h;$YQ&M2zA*r-@P12VGU`-b)Kl+M9_Y#Z!D&+ztU!cV2N-I
zc6Dci&Oh;pxowV$W2T|XVoGo3F~!Q%_T%hu#$iLLq8X;e*v8%xL{O^{3Q9r27V@8*
z;KF%44FE%G`lcNy>A6KZX9{w2i7F}(3l7t=OYB(6pF_F2A%SpVKiITI4Bh2w&G-1E
z>EH|P&RI}5h|74!1RrcT0+N~I%hxTV0oUuiJ(vb@>U}FVT(DTRKugOh>P$4km?ds_
zp&G@1k{PU!)d!;4kFRwi4x7;U$gumax>pW;4PuVrrov2&z#DVA*|t&y_$pho-fc^&
zSlWp5keD?d88@3R1lYOJctq}|E)`;z(T4ITV)dYhWMoN}q)cdl8?seVkf{w<#2pGY
zf`1zVArhMk^t&yIj#!WRMURLu-1ndhba%5|88R0`C?30R&);$7&Lx~~F34i>K%nzM
za93ho@3~$<KkhqIH&cigr%iHwfCoQqY7+Lp0~14FNzqXnskMg03czTC<&dbc;r{S$
z;XQL=WFyRs2-#-+lTCDBBZ*i2Xhjk0Pwq$4mwlHdgdVDz)`<VexI_L>U!Rc)dz~`O
z6WT>J;0nuW$pePBW-oWzb!l?kExr+Pe@%t|IiWuo)+^&%Wz#}Tx0rvlw6a-{h0W<W
zUtbgkRj~!QUsqH!Qudu34WC&{>^m_w#qZJgRe`14jt=JwGP7F3U@x=mq;bJ*Q!@oe
zeFmmUSIjoXI8w+sk{8&M=h&r%DQbiJ6zg6+B2PoCXPQ(!_XCI5ICTPSXI*WnL0nt?
z+r7m#JLFu@VFPeHSe$g%$#9AohH}p+YU7vOUk6Dl^U9Mg*V;dpcyEa9R5bmL?HA}O
zt5d4`c(3h61h>58T(=I84&KcblFu>bb<&;rKd%4&{+j&4dwj7YtGz=~Gi&sRUWmA7
zt0x?LIp#f{?=P5A3_g2=1q~I>9S{&=g16Th+mAL00M|I>%_#cWaJg8@>Udu1fW0zY
zHqGlBb0UvIICntDun`n$itV3d#OQ0yJ4}W!Gy5mfdxttNU`s&5+hW$aJ%GGgSmes9
zhfZ@~WW^BGtF-{{U_bEmzK{oN`hSa3_lE|352w1bC&&HL!>P@zCRkJUoMykcKoP3D
z3}Qb-Lz)63X0V}Nd6Qili+CJlfX=PhEnsiRP*e{CS3mI^W>4uxFhaytU)Een;DV;x
zPCYh7x~m|ESP+JmMx|qo+y_T^v2IglVeXE?Zay$K_1e4FGI(G~@i+uh-|l58?U9Hk
zJWR#m52H7(TN}dmyapX(Q|^CYl%dhlKnd$LjMda*D@(K1Ox`HLdkF7hVi3$)UT4k*
ztL_gL6(>JUj4&myu_yn`ltS`qZL(YCOaw%z=QqlC604ScRgm1UhS*)rbrvyDGsn}K
zxc>%ZW&J!FdwFrw7(YXPDkw`KqH_bkBRR5Hqh_w)F-bFF7tTAT{8%r>$9h2O9r~tT
z!<|B*x221+vCah3A*JsHCpXusvlJxIloX`Y|FX`(nV&nq@NC`)xVfk9C{YUd9q|aH
zh3GG?0jx0|+0Ez!_d5}aEnz^QBQXIO1&gc3dT3ajn=f$712)09$4MnLHG;iT)N1ch
zZNV!Es$o)0T8AGvLpsk@puZ7Vwd!&wx!UgD<0%Xd7e0>QD{imj$6-tmM)u=-%o}+K
znV8ylaZ>eoz1IV;R6SG{V4_9n0xwH-drP@+FH_cT^}XuigN&9Hy$oUlcQyBdT^~zI
zDHQ_eH@kJbhafMvW(Bi)oRQ6KiY2C_6cpqCiaGU+Qg)PT2(${cfXNd0N`I=={?+LE
z2Yz)dcJaGHP~F#G#ecmv2l0G3lzIs9e2<npJBBN0v1WL~F=dP0Mx2`ewWdz_wUmO_
zfslo$Y@4yU)f!!B!wB?E2sQkw1b60Kb$^C!XI_Op6r`U@45E<=sIfVg4~yo1T#1E^
z&l~H0K2sf?Bdx@*hU#w_IUCH9)h`yhpSV1)1~SV{ILr^-2VzTq2Xe%t;Z1%|4_Lg-
zb(Wk)(*nSa59bJ6mP}ybqv7s^o#$4O_J_RugWbeOkrAE*)hd-<tRhwga$BuL`P@@M
zSSPzGWveo6!<D=Rt*OGRfQa|s*2|sgadMD>ZCYo}wh*y6QoTcr<lY!s&z8|SQCiKW
z>UGa+itgaTN|AIV%DQEwdWw?|;d4c2O4NBhvBDZlTQL1$)&9^Ii4yMDzAjLY6<6S+
zJM)TjE3dQB0}Xno)y3u%Ck?f9K!MbGA$`Spcdq|(bhy?&;)C66HbOdZd(sXOjgCIW
z?EHy<UiE^8T*%ikZNyt^QupHi*F7`gLEpXqJr^#{<;43Cq89p2)k^sDY0Bz1%N(41
z<8KcG9$OV5g7@gTi%YYyiKs;@NU_@~U#pHLPrcxg8br}-1Oc63bUB-&#yCPKI)EC6
zog-X;+PbqXL93|}EY|@UtE{+@rIhmV2wH)qzXv#|QHYg_ufH(zQ=_AU$LaR=_MDHP
zr}Wrf@n2WkyRI+xrpSZjIYz8=zYR39T(_PKQ`Vq0T8L-KM;2dA;D)7{$k!#VWhQT^
z>y`k(b!sy%^z^_e_v8&|j$vMz4nVy?Cy?5IJq(LQ3b>1;T_L>p512n3l~?#<r{`8f
z(Gy=h&jb|&8-dXne-ynj9(Ll}SR$o=a)8V9o2S;Rkm0Wjny<CFOp6P+w6JK9+xQzh
z)~mdFW!2z==WSOTsAx=`He(IycCs4NWKY@HACEWu83we=%Q+`6>ed*S#N9_G@UbbT
zQ~;Rg;)&CygMZC>WBserfS9>ez0eWWsd+qUgRZ_On};Ln-m-@D4EG#cJU+n|A)u?=
zuL>2wdI)Ue4aH?`OYDh6+eq8Fe%*bodMCO-+jkhPun-0f;Z+-}tsweJFM^6(NHHAe
z;4X$cvUYGm^<Vxp`D~N>ZDp47r~2St&%WB8;=0f@RK4@pZJ(f^Uo{(=^C$W_9|>~c
zWhuXhJ0Bgs4$+JkuT@R`5x4f%t?M248&0Q2>Ao@p;4Qap2qat&?~Pbf3L!;O9W8me
z&<QG~RX3QutBJf%=3llEdGPqalr<EX#k|kZrPMtsDX7R{xiRgR5mSs)+2d0oFHFU^
z?D4k3fYTNVvY%b);3dW9&l`IKOmy-m2r40VizeRR_`~HyijIEr_D$Z$m93k+g*%tC
zB6^aV;JySU6(-`6+*}Rzi&8H1+|H?)cKj;`j`#0>N#bQRo2+53LDZbHMtj|yJa^hA
z!l|=!z|9ToGTQ~29#uFLswRe**2eSaQ@cM3<fh={58m>*Wi+DB8D?3_uzKxiEyqwo
z?Lpb%MUiLL>cF7ax^T7(UMFu$uVy8*yE~iHX>KZe^k$6uRLMUgS0W8y(O{&}Ql__t
zkqef{Q_PcD2Tl^8AYl$4%uX~KMCgR3s!qKa#O-j7$ehy5!QvK9>(X+2PFA`3a&bFZ
zD(l%}>Vc)XT2_VQ?-*<1`v*pD$-t;Mlsjg+e{;D3U}V%{yZ6}gc1JxiAEfi0+{+J<
z8cfG;`0W{$C0-UUy@e$^e%^p{%O__s7TyWHhC52<^>h6j%k!smc2SFfHi|`tFV){2
z9vD+x^8nV)ovqhg(Y(iI?-88dlVJTiU2b2aIO3D49#_cpV~`zU?R|-+l=Ifg(=U}$
zWvDHNdTZ1U$5{=9F^~3|C_thAsFO$IXeal*#tDpdO6n~5dRaJ>GB0BHQ*c|`r}1B>
z8nVOzIwOs##};L<e6flGo*dWGfN4kjL!~^{>wV^r)Xb`AzWC#?RXuRKWY*IKnq({l
z@eLkOlXOWpsQaK2vLt+7M`$Xqjph&1BrkWp71G6s3>^lxi_po3G&Jlit*yx%pqR=b
z>yfAlCi!RXW62{<KL!0|B;@<hVJVNM4HabXv3%k7z*bEke72-*pT*(nt^DA?-%*Rs
zN#{FdS-BeEwtP*BvaXLo>FH>TdA4%JO<Av)nB<47T2CKmQ}U`PJl2fHHqGUy)V%Qn
zn*d&5Xyz7qhEWNC<6tL5V^-dYtFUi@<H<4E*I4WFDA}`w*p)eKCoK<a7IxamGi&=1
z(i&*%M^TgC=RoKd7Wal-$Rm`nY<Jwwr0;f2jX`A1<Vnq<h=ym?p;E>Ml2wcIEAvb2
z?#BtXMfXIwR3~m!gg2@*!cap}&o9b&Fh@VIOx;78GfV{@pk&4Fim1EGhulvc#I@!A
zV1Ua<eg#2k>Vsq1_g4?x1HeBp;rkA>Maiho7;EA{aC*>|KCvgZx4b=tw)3=be=!IJ
zvVWGorVkKfOF|_`ww_>M{wZunjX<G9L0RmsHM0mF3qB!2n&i;F4g@?fN63@LB#MMk
z_V<`sk2Y1vHUXc}nOQ5}H7lpK)TEtY@87hh+ars-sG{)>qd+VTe%0B;{(x4zBF-Nz
zm9JU&bcdy47vz#(!mhgt{3y(dc1LSmepmZV18w&1Q7v(;%H7nBCVLd$K}IwIT8Ljs
z#`C%szlVT6v0xW5ey@PbisH<%%VA$lk&1X{1;nQ<n>l9BkiE64#Gh;0Yg?B@PF%7i
z96;k2F^<SGVZJRWB3rVTcF0#-XUE6V`Vp4&<NoxV(4kPdcZIUE-jB+=i21^za6G%(
z{?@FQ5m}@YZu@fwr?v5O0;Sf|4g$uiRnG2W>a~m7*T>oWX->4|#PKU8(_m`XH|z_}
z%B^MHGftd2k9TqpN}QjE&PqgRArsC{h=ysWC1)2^#FZRsznDCCMQ|$A3Q!l^p3wWz
zn>y{KY9*CHfzWIX=QKg6O{pF!<+VZeqK9a(=~Z8EV};#&IjQkOaOLA~LdeEWDq^JJ
zFfeSB_sJ^gvkD=bk1!&??zTU8B+jM5wyT;a9@_;clj|M(yFzw{44JNdFF~%J&iSmw
zQrkrfE)?oz2dEYukiq$>Q+e&6%;}M__GWG<c#q5uvXysA!BnJ}7K)&wh1fGEi|~Eg
zi?gOk*#kLBoES3%avtLOS;@;v`HgC<4I#e9TnXK7T)WFB`zj^-aM)hC{`Jw+1DlQe
zCJB3U)N*<@Oc5(G2OB+t1x%`q*7x=obDFXTMMT1OEcS!FN-{?`_<-nrrWCK!dH60|
zuvHb~(g+DLw9N2&zhHk-`yJAlqGmT*W|en{6!lUKpoIJT0C$cpAdiXbhTQt!530jl
zy>?6Hy>zcj0;9KBM@Ltv*c`8Q8|@CEry`~~u>T>%S!bhaE7A8}SWb}04MY$Nx+3gW
z+3iWa=##*nigEd#MY*&smI<0V#@w|Z7$U}m#Yq>mU|Z?<wdkSi-c7&_(a1&62^oiV
zSM{6}&jUD1o6$VxS`pO^bS__Suf?u$J7>DmZ)0X<@fe6TNRYrbiGFoK^<(+GPw*nM
zM=4AlfJY!R*ZfW14(9=tiCmI99`sm3;mt*v_L(cjq{>C{i|p|g%~N0CF_{{upFhN!
zHt!HG`mn}TplD;XmhQToULoI%^ci7v<I%k{JKm72aDn%Crty-di*gyE-b;wnez3Tc
zv-i3{tfwK3GWNgR+==M7FCn+kOLSlj(fvQ<y>~pD?fW<0MX9RVn~qznEkd<+rNg*e
zEmfm5wQtfQV$>#SsXfwZ)JSoc+7yYsNn5LG3nEr*i4h?Z&!z1>KHtyx_51z#{PFmc
zmn&z^>pYM1IFI)@!t&7?I3c^}ArxT=R0cBa^-hmrM{#;el)<#S<FnHT9v6UOJ#SfB
z&I)ZP>53l4tQAV4r2W*}Jx)c|N}8<O8Eg03x#X6$X-F6@k~9L2U130Fcw4-Vt)s<F
zro3A*sl|5L5WX5YNKMXQYn-RX*Oh3^@Y&OFD}UT`x_95^7_6qvm=eu9DHd*bi<)o|
zpSD?Y9y3|`wt2g)>LH(Z%DBQ~q_SSM*I;LbZ$V#IP;CM1VWcg+!sez6<w8KuE<`F)
zq-xvDaIz7TDsrLUuS_8a1@%BrNA-5uPa!$lJqt16h)){?*DZ<K?E3bjNq>BEcn)!-
zCQ2Mjy!N&#MVb6yL~uu=mwZQNp{G&vwCihnf74aP9S+2?zWmtB`m~v4oaiY(t8!~<
zn|&7)l?D`J*X}Mzp7}xFScN=j#7YbPUL3g-_K}H#Y;pAr3VNnS{V7d1+1+O<=uP}~
zn>VkCih97PdM-zfjxu7X<J|$m#e&4^etj6kplUs8cAVuYwCV)D#rBaTW)kD<<dlVw
z&{6=IO{Rz%uGdDWxWs%k0>{s27fYwhG0b3s)NSt@;-X`))1X-6Zj=FI)WT{Vy{+ie
zsezLiy6;j~MZm}E^3}v_6HMH&imeG4xXA>}36HGyC>VH5SCz*Kwv3{%AZPqMVJI%@
z6rOiSb4PJviNkPxWBt_d%HyPI($!tLYSiyUx8o9$sj!S>s}ht}(mmD8cBM0Fna<i^
zO%n~Av$<TPWt}6ii))&l!kqn!c550L6PN~?+#skQ7E^0|)8!_VHgg3#hUUL4rvVl<
zL}X4Okutj}9ymjZ)gW+5+H`|wU)Lvd=iMvrc;1Q?qJUfbUShx7ggwE1eXhkzFYDbF
zMn$MG!WPn%cR>unsSw~X>p3(Q>9~Bsw%;Oy-mYT!$E-tpXh|r*ym)HVa#U!;cGObX
zkv1cA@1K3t1<UFN1*P+^HGbc5jtk$&*s)Uycs6gTrJZZQhj017w5aCLz=zZ^Q<x}N
zNdjZW^7tdcXRYAIjjnC*NLbJAwo+Quo%|HayfVt^BT0v^2A!S{7r@GP%f*$}mL&T#
zs?uUPS1{eU>?}g>77t9ZGieMt<7=u7&V01ghyS<&;rCWwsVFJ4D%9l<gy5NzDIPWY
z_^xZEh)bv&l4o;f2}AP&E&YWqqA6aF3A#(jNq>CTGiC~`!m^hV+8S1yKdljAyJXjW
zrWjTP%c*;%@at7b6*E_vVo|oaR%LyPQPTSA&UV8xL_fP-Y_Qaomcm5%j4C$90*?&S
z>PGf!fUPF{p*z`NZEpI;j*O_C0bhmWR?WF>Gf7A8jlEOk;+X)w=SK+bMKL-*4G&f!
zIZeujJQd%Hf!R|X2D@sz?H1=){3eXn?gp85aNL9xmqB*r##mDGYXCKnQqDxh@v=o-
zm)t&aOWmF9jV5_Hfel6?om;z3CBpAy`bN^_-@@Hov?%MZ?InvN$21L3QQ>pEKPIq5
z6JH+jD7f;t$M&h-_;jn}rDp2b#wnBq7}VWaJa!Ck77avoW*#nM7__-^Mai&TDUmeN
zgY2hRgU>L^wTs2$p^Ij~JZk8eoa%gC3^o~|hR{3v<F~!LV|DpG+I_KQC|!Tid&-&Z
zUPtY3C$?ZxHxn|Fk)F}5TgSD*Sq_ARmVU32a7|uZ4wFx6xWf8oAP{4CTNE)ecFOZe
z0}ZedaToIujU)SDQ1{IXdt6MsPfb!Cftyh%+#JZ<feY(STrByH#qUFMy}f#en!!39
z$m&Xb2&l9dY<YT~d$;~F@CR?dlo{~DQO|ayR+yEXwbN_nsH+@#edRhXW2uSS$g&m$
zdVq|q%)0G1uRJWX`S@W`9H|05jc{JbRT2>t$+5ZtQvfzDb^vv=YW4-1S4DXSI<ztj
zHHW6shv?VY;8xiH&1eKY5AO0&s1^M>7(Qr9jld$-e6Eu$3Hm7m;U4x9RmI>oO8CU%
zjP6V_^E9pyVpY!hNumwoCz%9`9@L>`8D@1Oxi`#Xzl?g9cR18VrXvN_^kI34cBTxO
zaGq|gPSwUKD(?cRen%g3VYn-;J8K4mp?us-lO}rPpf7Ct0IPHn){8ZyZ(@2(Lwl^a
z>E7E~a5U_83#0(0T8!MF{|;V>NakSFamr+$OBAcsrmsA&O_6pPow(Dv-Bn{0@8cUx
zAt;!P6wfb%h7qsKwSMF}KMNj!t;1*d92>#-r69Nyyx7>d8{P|wUgz16Y&4uVlv+m_
zZ$Z~LPR(Crra5D7?&@3A`(g&>UwGo!Shc!A2^KD*r{!o<P?)&eL!D7aaYm34f62-X
z!6J-ZQJJ}{N9-N&SqukvMQuNPUg(D49D8ySjqyjnAahI%l<p&E9fZr<e7&UJ<;F3r
zFx2`iOS5asT`2H;Bm_w-zk&O>q|3jy)8bSm?I)^D!Q5QeE;ndTN86bIS)-1qiD=_e
zlzV3|PNW;7f?v><w3<=jmSPSTN8j(NZEDlNzr)D@G~6>l3|LY(kW^~~hb<#)84nXD
zN1Rd8*<wZxqT0e=6Ta)EGwf57X6ar+IH9rrB~-Wq)MZ6Ae#}mp-sc>jk2HS;0r<%6
z6l>8e3|eu)Zyst!UwJK}m%1x(XczZtC$G<L6h$-VMD*{fJK^=g1&_2#Tl$erm(v@S
zze@adg$RW=om-WB9XEc;QUOFYznDeybZL(|A2(}X4)&gtUe^Aw3&zg}nQ}cgGc&tq
z1c>FnJiR^1o+g|2PCCt6rZfd6uG~v~?!UU3=4}BNt!``IHB18yAh8z%GMwK1%Kj&t
zl()D#J|ml3FB~OY1Q@F>7gg_mExkB`u6pw3_K}*YJpN9<PjTTxHb;=G=Ank)`D-l}
zwAWwf?}kSGMac#B-W(C{%F%>vm(@`IQ9`+KZm&`yRBLGZi!EmF^!I&UeDCH7xHfz}
z@;B%4Kk6>>0U3FJGv@xI2=K3e!v5j|e6iiDO=*49iYNwhjh|=)U_bVfaF6?kRYG^!
zFXVhLMEphV`+xga48C$#?%-IDXHm0PknCq!<%r~puI?eastC%eex~5sn`P1Z%2)&+
zHjJMgMk-Qz6!XpRSZ+uSspyu`p!=~4m(fdZfy0XrxQ)LnJiUTD*zd)|ZRq$H9q<=>
zuP%IiX(vQaMYR06Q80Sab=UsMdf>B^vvpS=Z`#WYUI`b(rnKncx5?YF9yE_Y@L1jg
zZbY2XNkUX(Y9tH$sgwM;w#y7!#^eVW!>71X5@ft#hnd{^iqOE8Np?BU;d)}Tlr|@C
z;&}NP2_|DG+}CXi{SL$DQJ|y*-bX-EnbQn^3m{Mc1n>U<Cnh@ms-D-b#k<~n4kyWF
zFxu^%!Cu1XQj7W$h#%#;iKOPBheQ$=GB(u6DxEnMKZuyn>lNGOF^SE`)i%$Zwo0!i
z!3Srhuk0x2f!CG!Ja;*BtC*pU!B)hQgH|>z%)%mP!hPCjiVf+$*>?)RKp8Tmt~4-a
z%fGIXqfC%O-Y!Wn8iK+uaC3hU_#ZF?<b>;fl6Wu)WL;mpskKjU^XPcUSIsvP)!{**
zh;}a~bEjWZgXH6&Cz(1n5(a$zi7%0s8ir$0xHdn^V5VjJ$Y7MNcpc$e6hT$u+)@i%
z&ySL{0VNkr4lHz9`%#27%$~4v<?;Jb$ZA=gIUKanRz&r^AtxBHWB%u0+Ao!bb!NP0
zij9p8p}K|-nvGnNzEK`qTX%Em8tnQ?{K@=A;Q`A#ZF5CezGj1pDfLqAV*$syqVR^;
zqZ3%sPGZcvl71zC>iIuc2DrS-zbc%$COC@MKP*T5eU~&y@MlM3j!pCpdzkf$)I&C0
z_IVfWURX!Ev6$#;>iTX<y-`*2v}n}9g$5UVKNx>^!mMtWr+=wRnqNIq4P*<$Y3H%e
z&+m$$kqq$%T|1lxF7r*Io`UioMqmdQjVLbfwM2kCg!moM9<%Y;nCc&Mci=aV-=o$U
zQh#~sf<KSTy0Sw%k+B&E<BRK7F22)8KKpb7o$=o0xQAm`8m(U2x9V|Anx0A^MO3w9
ziK~-zAB*Owc|z=4V)$rRJKI3OtGP`ea~}sM@G9U;7X&g*C?<+YNYA%)-A~b(CW4Z;
z3#|1vNwk*v9-kT}kA$3RlprRxB`%nhza&+7_5B`#-V!zVo8vp=VV&vr>xL(am6rv;
z%j>%U`Bkc1(=ZdbnVMc|+e%D~{&It+Dw=)ZnM1X@J)Z=mjqn(#(?5az+I-+-u7}MP
z^-{?aI}ba3@B`k$9a**YIh|1nRd!cHofeKgeAVUSq`D^M2MRoGRY_iq({!F^ie1Ll
z)+^!qGpycMlQ^7J)}<n=>YC?+ttNnlZ97z3N6d%?75~Z5t0qwR#~hhFsJC1bX`X?D
z{xfiuOXSO%j>pE+(k(SC0@*hO(JfV;P`C1dv9UkcE_L9<Gu-7Xtp6BciUOy^6fn$z
zO5-rNc8R-u?nic(*DdIuKt}<~PiF0G*wq(4-9Z6EL3Srxx!b7aio;_tv1VOaQnBm6
ziP+>_5pn2ls8k1uVrwE9sdkw1pwCUi(4DQMU%WA+B~0FK>Ew>r9c4sKj%d$)ugPa!
zm6SIAQQFq3i-wWc5f8`1lw4q-b)Lr$cLv66+gVw=EbViEi`TCxskTLS*=l>#IY;H!
z05+Pk{wxO$8?Jt>DPQ7}>Yt7PSVO?bL*dJ^S<7AbjT)xH(J5EgsuC_bUL2G2!)+<z
z%$Z7Fs%<9WZ%@12_q>g$Vq1BXW@^pg6-rqX>Q7Z(ID*77Bf3BPI?F~jqZ|C1smp%L
zB(aQRX<MV`I+47+?pd&^k?EW}uL)xzo)1zcJg$}w8Nq!ZYi8GR(x{UU!F#J#>6dow
z_KE9-uSo~Yiq>TI0_eod8eqscVeSG2*99%%<l64)YaCo=v|3hIP5##JnS5hmuB&+S
zjVrtCS&$7XW2;%}l0;Q_W1NT29~(9r5B!cGKWd`r1IZ2V0^{8#8u_=5mgAICTbw)v
z-FAmHr{1D(Y%zN~j{`csnpfSDfFIL?_^;$UtS$}cuB%4-&ya5GTr;9U&+?hE96Yy`
zawJy*val2DUT5@d@I{j{EXnobOaZSa*bh?5m_7LpEB<nS$^*HN$L}uLG1OTAuNQpV
zk68Wbmka6kwRU%2Y)Yzd^>aH$ylc@4PY#z=ee%1K)kHWF#y-B49|)iYfoQ9SN`@c>
z2ZK^5V{1N-*9`L>E#KIz03FW{*xJAjep3x6DT(3QIcpNk-7Lp!D|bf*R5Zw!1um!J
z)+b7Q(x@Igq^~_b*jh<{R2H={m<XW)9K$CY_xNig&;|@sqYd+2c<~X!deK*rJmECc
zMq-kHAIpISO7o+(+Uq4t&F*la%#{Iwe(ll=w*VJFT=vS|iStSP7cGwHJnkVTNfWaG
zj+?Sg4&X33z>#$DbD`!1xGG~I_36=xZ4ff}Aj9elL|>a`I>=pbw{R?NqW%PH9qo)z
znRZ+hvMLCCKcz8hI*UxpEb;mHr=-D~l%_3EohMv1U$`Ew*J-2E!m_ho(jz@5)SQj*
zhrE^oObEVJ9R@s&Y`@bMMu)g7?A#XC4;WKt1#P>VB+4Wii8{|Fa4D6|w^5dh=K@&0
zSr$6Q{V!yKa&8p5DG0C~eecv}tKl_pD7vb1$iQ{<F^Bh|_^?d^p^RlsvQoBuOlZWF
z)MM7yzmg3SDMn-Zw#qj#Zsq#zYTP(AS#W8MnI)w$MjrzAY7NGAX0jNiz*_CRd};Lh
ztD>grf!_G?h3hzFStS4P_Gyrk|0dt5-LacO$Qu6u)jjc3S0N7JOG)zCtxQWyXqn)z
z{3ZzywOUZb0`>;G=<m8ja{gfx+rTBUq1clTX#GY~op_&zlEVYHWpWlNc{kof+!Lt%
zlISvKjj!J5Rid{g2c8+wdq8t|?&L=kIC`LCH<Qi9X9jbP>wEi(GcgHoYKX$t?17y_
zGIovFmOujQ<Pq${3U}csG#+N*t>w2Ye;yPVbs_#hIXEfS38>_DbJaAE^XVh@i&xfI
za$+r8+wh$eW#Wtkf=YNu)#2iF*{5w*$f(sD=r)MHRkrE{H2c}qHO$&9OY-i7=*{P@
z-=~XGpVirHL&L}qwSlDN$+4a&I@zm9`ymaFrIl_Ru*?yuSA?)qayJgHVtOi@h#YT>
zZ(a&`o%S{1W`cPU-=5l&+6r>bD6v@XWg&93*Z^!DyVksHA?3NpGG6ntG69kXqi3$?
zJk+ROHS-y*-zP$fvc7QG?o5YP!@c5yp4csvjUzeHA&s$XE8uV^0q{-p!@u)b6YDiQ
z0J87_SCntOJRrjldq8ECNFFae=PeRfdKk6wgUG<=o+W#&N{yMypMV&Zjz(L=A~r^^
zo}Mw_$B#woUJu+naYkif4u9l|KJv3>iYwQuU={8@4WYT5QhS$5xx2kdD~Rc&a!_Vb
z$r~$MuOaanl}#3MH_ArX%g-X+T)_rJC2r$bB##uX5$4{66;8N+qVwharhUS06@IEh
zXr=Unt~x7VXA|qRld_fOvD5w=_k{0_Tj{so<NzTFrV~DWgy1IvxV2tatgswzR9<l(
zb!}3XdV<e&`ymt=`n*eCs?c1l;t{^}Q@pix<ZW&N@%?$B!6m2mT20{M0{$E?tI`}L
z;CC4Gep+jv0erbdJ%*%Eh}efLSip7iT8-ykAlN(xybSwM%HGLMNquL@3yr}(e|Rc8
z<f%^W__EcV(|B%GxY)W5oIv%FE<5hN%F7o0G3o*<xb{_qMzzhp5~Wn_(TKw1v{gv;
zy*?C9iF3Rnha&;=Nf7x&6RSqYmMJFka1w3_Ry(%4i(c((1HU2;RkM1gT}~$7Ipo9g
z=-YJ#e%tBWkW<irh!xiJmaYfIPA_(cP|=EGLk2#kZyz}=<ziLnB2h!rRM^|Q$aW_-
zmPf1f)IOglBht|+782W?oNrsz=xQ^IlPUl|Da>#Zn(<IwK)L$e;`&SFKjzID(ygla
z9O@x8&H78+pM?X{MBR5=&FbbRm5W9aru$3Q5x$xZc}I|i4&MOv{nwrqqNX@%C!e^|
zL6&u`7D7cK6tR+znjz`1VbwEVwXy-9-!6wzY*Hi^or5-qjN5beM?-Wv-gjU|fpfx6
zG86EM8`(IG-!ndX6BEEiXpY8S2n_7EzxcE&4jKvg)#YXc?$28hYc`s$@u^dN3LfAZ
zU)n|_SFCgDTkN!M(f7^t9<zQ-Cz*A-v2!GWtZO|Q$fkDt;EUBy?=OJHr^N+dSo!Zq
zeyn&3%>hk($%*oDUSMe-4A@^Mvy9Vwdr-xD3j%CwWsUoYV|8-k%`0C)<IoER8Rd4z
zah(>W7}>p7;%w}bDR&}Fw06!0wWH~JT=KTZd_|yy$P^2HU!-K+v5Z#Ds82$Q1J~(X
zE+lhP`gz13i-b(73AeO9&K*XLKQUaiZFt)3$hrz4W{;Qo{?qN}!L3V~&mL5tcSyZs
z6>I0<&uThpm`@mevEU+eq%*HXcyHnftx5tTUVF}bpS@U)A)Y?&+{Sh}u?0dy;kf&^
zQI&y{kk`rf5nzMZ&s^u&36Tyb&wd>oh&OM-TC-(_J-qn42NNQ4gb?l73uW|o0u-Bx
z5_R<s(fNF&ZQPE=8*<0mmfI!^hkM`>z%(u0lWB>30Tg6Yd03$md{D`RF^%uYqzLFR
zT)&KvdcNPNMG>GQIHW9TE>?7y1oUG!*<3OrVWFv(e?V?59qXLuz;yFoDmXHp=bTg(
zdp_;`9k~H&l6}cO7!X1yv^jtaXc}pRH0U;UV5~qrZ0Ietxai!|EzV%tAMkx><c4ex
z>S1eJABjBExvyW1R6R>pHtS<>nm!2({&2Xq;V`|x+K|LA^QbNei!T`Os3A=BT_H?N
z&%h}Y%W%rKR*v$zS+TLl<xfGi%wxI3auZvTh#iNf6U$cM@WcJ<=}TJsNUTQ4?w5~f
z0zxX!ET&iNmV0~?5CbTAw{$<mKp)@%gr%Rm*lZ~HKF3lo`~ye6vfW!~|GS5A<8GC7
zPgGl{f5T$u_cm>pf=w@@3YojnxZprOlcK^Y#M#bkcTVBrpOa;e&uWt}*W0_0BB(KS
zcJMnPM64y?{CO}}CJj1EE8XrO-|0w>QdvGu-#Yu157;8>L$J)N@7YR{(VUbLG1;d_
z!X6jk`j=x93}-r@7%gaomQ~f15JP!uLoghDxrYNNP1w6B?htRQvF%1W^ar_psGR_W
z!rR5@r85UE@W*Dq*F&E>dr&n$_U_fJdFN^|%L10iX)pBTP!i6GifaPiVGBx|vawnB
zI0)_5@)rXX``HnKj-t@o4-XCgzP{Ig?bP$BOy`34bE&ZwxeoXmZ#;}6;u}ZzYnY6M
zf%}iz+O&~;uv;E{mjYwKD@-wu6opG!#EX^%b<u(ga+6$m&}8B;h}??-$>(l!?9|S4
z?2zU?e4f~WBdN$|4WNQ?6ogI*%MYe8GOz8Vf0Q(EQ45=d_INbB{9T%V_FSvcY9e%^
z<)Gq=_!UhK7y~_u=j#!uHNSq@;uPILI-rVz^--opm;T;2`)&ArD&q|3dI!WLnAjUr
z7dUXw;I5~xPhFg_f8`$`@QJuC7Vju%L4=^>ZC%T;h2@e#=JusC!hutvP(z2=Lnwnf
z{sD>F(TJU{=*eS4;W~D4Ck@Zs>{BGX`XZ1F<l)?gGpou0ybbr0@wYkv;Z~_e$)vO5
z-1@!?G;e^6;&wnTa908o=o_c)0tF_O;nxq)XWYZIY5o4fmvupt!B+&ybWSK4(I(Yi
zpcW=|ht%D-%P+@Vg0zon0@^8aQGW%G8z2eUrIzSdmOGsk{6-C}qf(LP30&okpRo1}
zq&5`xCpR3-?HZ5I?Hm^jfs)r6fmHV7(?C*f!^?(3H}u*lFGOw}D+;6$Wr1d;3mTox
z<uw-*dDuUU?2}rpus@h9=~;_?4mT2f-@@j^8YvmiH7jXJ6R76&Ty%b8Wv{{y3dr@b
zN$$z~jMs-X!?IdX1Zngd#+h=7M5_+uV>2EPantvoXdmPqVdw)60PJE`=?u{i;1N%p
zZR`0Jyw1TGxHdask@WlMS9RDI<~MH#nio0vaVM3E*N@N%dU?F|%aC2`(aS)fIra4+
zGYsyK;1JFRfFb%^AA_F7<$qQSTJXEBfcI9*ib>ZhRW!wKT)j)zyciI5bY)86Vt}3~
zB|YTXnqbj_*}j#_$E^D^EoD~9pOdhuP4lrFtFl>yz{A4zDZBT|C$=XdlN%fq-&cuw
z&E>+o{pXG-iPOaD%sg4ST&kb?N3oL4z6dXRQ9;8t02x+_=hj<IsWHv@nvJ`M3@&6w
zt!$8&%GXAvr>1}i-qj|2YTzy5tWa%47eIi#QT^<R<1=rsL^)w1{_2p2(Aj=PhvK1f
z&_f~AS-sd0s}u6Rma`%36RK|ZT@iO>FP2~8?5&N2Br{qOY0by!%D2q0-VMgkQF7G9
z5zjsjK4&82m<uACr{;lpTA(BRDStbV(H9GCs^IKvU7tPr^E1#ZrFz<ULi9RN+6>ou
z!%c3-l2@A>v1S{bfRP#xJ?>=kkyhJ|VLO@t;IqH|xUJ#Z)@>{RV^7Ow!k2~WF{k4x
zOWv!cXY&DqJ$yx|c`~V!c>hE2s#mX|GFp4(X?gu8tn84n^kui!#*f%T5>{KHs=1Cp
zy0yF%5wbFwcym%7HhhKqSr_Gd))eHX$61Z16?&tdYb%x9$_8jTs0pWX07u8gwl6Ku
z{f*U+P?#fg3EN?>#?|gi)@tJoh;$FiY>o2dWByAyShQo>t0Ujm$Mr`((aXzaFMA(Y
z{$jP*FNJ69NqHVG(OAE!AafQ;3a=f~uTm{e#&sZBH}$QA5YHO!Zr`u@cnYc^k-Cys
zwWuv4&3@wUW~eiCIUjXsv*ajTLuEg2=A9_DHQ0Rbf&%eb#j2Ox=1vse^mNm=aDW2f
z#xIwI+L<$=^spput{MC(%C7iBH~r`j3ZNMGIdCpm7&FwQEc-r+$1h|+96>uXM~~!R
zx6r0#cC7;@Tz<NAu<pQ6SMigseW_ys0?0Apdc8hILd}NEn3I?mr8Y`>{z*Q+nw)Kn
zou~icd0m?%rw`x!xY4SbqoSDf=>u`<WBHQJ(XTW$?t20m$UKhW)Ma~(@w5z<oqqjX
zmrUewWg*^Y#(g_su6Px1FO%iLa|v5+;(qo%0>ZS?d<3g^j36=E2$zr~U-O>lN(194
z5R?uav>5zEQy95ylYG>}y;-r%1s%F`YO~_;7dFE4Z-`!nsVUpV=XeEK<hgmj5vD6N
zFj4VaY{vRI?h#*TCFc`Z!vt=*k+#sHpt>;~+j6LT`GaTbkoANVoBxqDx0T;EE^-tT
z)D=8#-kHVprL7k}tjjvOWfaVq&Z7^Tb~8V#W!6|m7PNlWbZ=57X{`6#%-I<QgX~?0
zJ#%}QCNS=jgTRr;CO!b0ub#GU=j3%GwI6VP6m{kFi+^<MK<a0F*Phk&;v>bzbC>D2
zxxTiOJ4ZYH)n_Ma$4NluVrz~Tpb9@r9KlMks<mwh$~6P+ca}OJ=3zWXW92aovtgM=
zR_|wM@jm{f6A~cxs2~f$mvyjxT`o(yV{r(LvI<E9<8?bzU$BIS#)Ezo0X~mgQKC-1
z<YdtDCyCz?8dC|D-%(ciE4YIT+myBm#K`?#6k2`R0*`v^)Je?BwE%lCH8V7x`fDz<
z@QQY&mn!aH)BugN;9sTPAE5f}{|TzMCEtv5rOkX>_*BE+R~aC!NDvu4-dR$ExkF3z
zh_gSP0BqQ_tzN;8SEwvwFb!0qD4m=&yheM^&<m(uxezc#D_XlCGe<iTg|BP18m?`v
z%D1v(julcclU=e_lQCDUCd+0D6|&|;tE=gv)ujuf)q^xn2jzfZl9<8D4y*45VLYM|
zP9BVfldE7>#CTDV&DT#oG;iGos>iIF9URctevth29Wc@C1Rk53r6+$zy5r}{fDU5}
z`Qzo`2;GgewFDy%;M!_1IWW=jAvR2`C#q}w8m=(1bDUWQCF|ip!08kSoKB=z|NAMe
zU1GcDKCEDiIoje;z+aRxC%h9jS-=l<C9NvbHm9>FNKIAQ8(2xul@N7JwGile)}m?a
ztF`MtC7=L5ckhD!#`!1#kQ~TnBrn!I?dK&KdOzBy{>Ej%>rVbRe$$L0uWz{zRK|1E
zzO5Jrx*qS)?V4;>_4fxrOQ2x2SC^3nOtiNEE-`R=w*qCfy+?jg`WNu_w*|*v-Y#1I
zxN`j8{1w*tIXrhDZm;c6H=7;Zd-OlhF8;qLx<y6N$$%i^Q_$Zg8NX=M8~|GW-;kRO
zU~3?K;YWXfmxRB0zC}g<8wdx`asPQR?9VXxVSzi>I^SrkkVm~6;IFKvG*`a{qrcy;
zz0h?-Uti*@k&p9@bDt#LGp)P#Bk_|1Th=yvKVN44^_UnUWM_5snRdd&4Ys()L`Wvz
zUo7k|p#K<|l<C(s_ZRm8XI5SS2K>o~o)Qd&zu^ZAj`<zcLBPbcd_cefS|=~jL_e12
z*qd5<ftYWnx9{}fqDQxU#1&`Vq3Fk+hnfTx13V7qlKqSX#9iy+@&53{on>`zbed-n
zOkwk6WS;V^&u8(+hdZmdd`I-Jq<Th=OWW2pFcOH6-i_$VyDf`Jk4W`04w5+@HXH}9
zc&g!~G?N&@n<F|y=<}(y9<f;u1C+L30M!}bXL|k@Xqj*X!yyA?IIp*BUII)7mb*E#
zX?Iob9tksb8B7n+Zy1;5I}lOy_~n&=3tfs>kA*T8<L#wCiSK{M>uSjhZdEIK>^fZi
z(3pMq3O8<I`9A#qR=PDIfta+W`hb3FnEPQtKg#pix^3v2iM3N@2KZuav8o}cTW7v+
zbSv|8KVXse_oNB@HEGU*X29Y<v*CXlAk2!!J#XSQTtCq!pqY3rUNh;dO!xKQ4BPj8
zeF)rvLsbAy)60eznA)LZB`N7<H$WMIepfJz99vc+hi+_Hh(nsSLZ|AtD42!GIyHfA
zqz%USkop%dm>7#Y`g{21Y1;jG^)|wmz?R!%Y#23oJ=50G`r}@m@;wPawRHoaAGZh;
z%@VXZtc_n@i`Jx{7n)6=zicb5|19$AG5&c-uyjRDEyx@V)RD)3Teuu_Y9qxlSVDiU
z1t|1Q_HBM>RL+nykQXG0&1$cJODs~!9p9A<fzn<r7rx>${<jEb1P@su;O97QBK~_A
z-+61bLoen0Ch$#*RXzuBBtFvANJJ@H_kgPwLh<$-U)p&Lt=_o)4g%C!+r>b%_sYI|
zn`5{A_^rU$N6=&s>kC9{nScOpVv<6J!5hFS*APWe(an+n|N2M|{Nwef=Mh&YS#QqB
z$e64HcL;lDV%!6O!ZVOPz?(Zu4;Pe(;JFZ>xa%TdFlf)7ek%5U{%K}!tklaF@((Ct
za4r98&v&GG$1YeYGo}yv3rKGQ!2G>kZFhc9t_X;Ex92x?hAqqAhh01M<ckLw$MI+i
zD!lzjv8b6ECnz^dy!$AzZ24Tm#g?P7BZ2eRUa%#sMq7Wj=o$%A=IgQAJ`M`-xFG`<
zg#pe7v#-a!FqJLEiO)>iJ>IiCwne96W?>tpIL^*>MlMqys86C}JT82FrtO>7#k~}_
zpev#LGXk~s@&EVA6DLBXKXRwtyel1W^Tc~@DZa`>*-v%32wE>~?mS9a4NrupCp-hH
z23IdMi{@mX!VEOY2BMb{G4^p!Z|}<4*2NWF*ikKy?P0pRE$WP7<n`Vpkgfvs+EVQ|
z;Zz~d$jN^CnQo8V>*{z-ZOVFK$?XDoUeixufxG7~MagXzJc|Ip8Mw(9`(2k72h$F{
z8%JJ#06HJ7*rfkUdeQzX8vScVS(~tFg5Ffqsl`uDHG?h<_P>_6@P9wnn$~(T*|sX?
zZOMLffUIF=rsMM83-G_AZ?<(+JrFW3W)noSkNnC>iy2ie<-epy{QvA={-1JM3;cim
z=^yi*A41#Aprr#*pLFl&DyD8>4L@&r7JI64jz-3>)PGDi_sKn7j7DQ6y|#BTTV^lE
zw-HBT;<>+%{gJaZ?nbJf85h)}5n3Mgt^mGndk5#<S^UEZ2MBI?P8J=l-mYyQ#YT2;
z4hyR<p999x_P1!JJqqClmZ^~=l4`J_m&uiYr*jkb9%+q>X>&f6-~-#ZAv3?p`gf|q
zMiAHx6b(Q>hZL-Dm=B0zNZUm#U$I{b<3l@sh7HerAnC4gRI8NVP4riAbIA7eJ#|qk
zAosj4UN~!#k~Dp=f4ZrGEGt&q_awP~N7qGb`OnRQirR1;#@Jt~f53u?I$~pNdGWf!
zPj4_RzRHDf(;LapoikLM(GIv|?M;4Vzd}Hp<(FC1Z8o5Hm>T7~K|#~3RbF%JpZ#s*
zJ9SH?4!9#bIPla&){6LAo_{_N&HfU`0)EH&N5&W57T&EmU;Mr!l!*Tf@QeR>s5x&f
zf6X(bu&1H~=+<%<&{7aE+81gL(#6^IzR@-djM)f_*#;1XpX`MWz=~{n={;S<E)2d6
z%f4Umu+>)Kf}DzzJ_uSxmm!EB%fGNIH-9t)vCP!2uw~z`9iH{|t=@har5iP^Z4Dn>
zBD}@;9RB)zDUsT~OIYh=-pz?jNlOrD*h2@^((F%~3|!iR6gL9sP*+Rs(S6JHia^>q
zXO-Hp)KIC5+%+9xJP^kS?SIO4xIeH`sE$U_3fPrQW*iz|P@L3*+M4KvIYW_91Onn(
zqd?nT_F;v)=r6`;7o!`sK{oTdLSYZHI#$h)uOx>pWp>;0L{l(h(TTY=o&`SkIVCZh
z)X(qwy>^D?sv_(PIm8Jlv{_7J%}YD?w#@4q?gPK=SVsfk5TR=Su9E|MWOA+0tvzt4
zq~_$4BpWAXff}Ze%PwhLL1!+*mF9J5C2FJ0;}7-FM?}cuG!^(HWjB<18R&r_LCNFo
z2<u|9WiYo)0<2@h4z>O{LCqE6swiht6KO_<DQAITS1Y#Dw&ux=A9&JBj6iz!bFvy?
zihV}8mYaj4h7CWIDF#@wCT|cLMjdZQtZg^5=9NV6SMaj(nU&iya;+|(grC&>zA$Pi
zJ774ewMefW$hqrCeW})!gR1rBMeJ0U5VT(slO7^lIA~01ilXpPfz!WV_9nD8`{@O~
zXknnQ)L~0^Q~U=qEStR}0HE9I*PQ?CQTv*%u+SG5hB4fDS3*thdV7?>^Y54Y<?giq
zYgd9~JTWFDSDwUGSI?Eaq~p{TE@DaZQb$l1vT4lS09KI7Mr|=UaAzJF{;k2Ep2Vg;
zb#OC9t$>bJq}+aHHt-nNh9dTlD|TF`*ZB(|C|$g+q_r{3%+5kCt)9ngwvqm&rI}8e
z<nPW5Qg$5xtHVSXic@fQ38yC3o%v8hA;xR2>m|=e@Khb*VU)@90}1c?Eqoka4N^^S
zb8L(T)6PP#1VXN9u3N6p#eiE*7gpgmTSwyMH^xF-R4zSdjv7~X4<Sw>n4r#WBP+KB
zcbTDix%jl<S@wjT=818{s=VRz-@yS#*1SXUQ=xE0a<62I>OBUNJ=J$y$yW|BUaHL%
z0Av7a1(G8#CDm{}aDJP+JJ9mJC#4e=H#1yoda`CdX|?`&*JSmW3qK=&V<F05=PdJa
zyU&ibb9v1KwO=q(4Gp_ScsJmhp?Ib@;R#(`aCaTqh?|PVQ+&n?hs!xr<B_`?GCMsn
zT;mk$-79WbHu&ja%|25``IxlN;ktzN!|hy{YzLg$&UaydRdBUpfQBLydsOL)UEySS
zkFG7)&b8;s<+zl}<l5Z^E?gT!_c=UYf3%Z{+?m<mwK;HV!~d@U4$-N0y~YAb_i;dd
zSt;9h`$frgW7<F;kZ5f3+v}ueSwisAHbAG7pRqWdh~K$yspwF_Il-uwR23v+C$o7x
zi@^YD^jvDK_%=t2aroP{*IZN4Ac{p_q~ORt9Gm}>GzKZ!o64JNA~n2CEcpQ&5oECN
z+~?bqEjlYlGsT_AYsF*7KmUyw9U4RUi0Lp~m6++`QKFWk#68I9yv4e7?TT~muu;jz
zjUBT?S~^y<p(Aw){Z<sJs83(QwCMxaIt@uMgpX<2@xF?AKlchlV!4OnGgU&~bO26_
zqGNS@3<noNC5P`GXoSh0bH#Yawh6FuKEC~6>{X@xkca#2xg}Y|8nl!8a&ih(lI)>A
zoPFBI#ZgJFg?B}$WCU<+HP8y|EDk+TH14agY1LCHj*3WpLhx>ldVuv*M4Y}+_8D_N
z&5g<s_UTcf8mzWdYzwdEj;<)HPOi~2+}#!=V~R(HBLxu?ojFl#gdoP{ZEO?rrY`30
zKSADJ2Qbu!Pab7?*a}PWGi(?nHz`jl{m>eOWmzs^1|F4ArPYA`&p?LJUnbX0?r05g
z>3z|ZHcs^$JYBak+o%V2o3EIbm056wQ~c?~1^Ib8Q2U8abV_3!#;(b{R*XN@#QM6r
zMFFa2+2?>{Pv=A;zGXwW;?!b)z(&YGe!wM__};DRG0sclj6*8JS-Uyvfa8OKanggj
zs*?kw3F67-P{k=`OmS@tOs0Hk`+oaF@u7luFv$sA=eBaqpwM>bQG!y9`jvSqddk2(
zE&}qvPRzqqlG2&Pqi{xVto2SOb(dZi``J_7>*NYjgj8xH#axrrA#M}mLk^bqU)1>R
zfYy?F(p}`j1`FMI<+L`dpQ<9+!S(iiRalq!WdSbPHKxX_qloD^IC;AjY$RGC<C8Zr
zcw_SN*RI=r>AF`Kf4(NkHz>UB_*Y_)2<XcF$bCLT{tH>!^NrZgjA7~rhc82^!n)mn
z$NgSnTi_WH3cs9xwm4vm?z7`<Fu5$b%Qm@dex**2LoJlQb_flUI{4IDo;PQJ$9C@e
z!ed3$^)?<2eeb$uw;|uAQyZb5yEAIANnh<7%pp|2prAmhO{a=cLuFvH$`HDe{do^U
zps7H?qRxrOWrsvAX*<<~b-ns0hdA1_PPjHZ(SsW&&O_g_#Y`TN)%)Z2R|Nqn4P(Y6
zyYcB@OJ%;O03skI7pbPWYf1!=El1WtyCMjkB&mRsGQv_4nNo#59c-171NtP{)Vvk7
zsc0AaMlBRB_pc2<69OFe9}FGd&)wsx)vj3T4PYjBinJRV|Jvm?cyD%-PBj0Lpy3G5
zRhu5)JZF(Nn)sz{<H5_}{MXt<EzoS7!DdS`gn4IpKKKq$^lw(oL`b21&q(ZO9^}#_
zYJzjdSvHkg?tW9~b$#@am?UM~BlT(bc_UU-qQPTT)lvzs(e>D<3-LNF%s1CjK6$$V
zBxp9zetz-j%D_cCgT1NxR9im1R&j13(P^UPa1UjC#nKxMQCbmJ^*DbqprlLR2$w~O
zbmAf`H=pMCfuk7MhTNH6A(~E>Pi;oT-c)UE#HRVp-(_T!-T(N2np`bq)_#>2>)Xi)
zDUn>_e7`Etb$>bT8rrA30lBmMxcya^C7q4yo#LDfNxL`<PJM4=xWOnqtEsrHusF)&
zCi-L%EgTA`07>&-1s?#t)Ec+v=qweKOaNVfaqR(`VtXjCVyOx!A$F3&84p|{`kE@t
z8pO0eakd&4Sy*%8yeK4QS8?{*MNP-r@cWLP#39+5&-jt3vlsj*TD~9$m|Ae6XxDf*
zCse+P^7|Lz9WREkM)mR~iSwE<R{2+AvXrP3B{NfHPAb5p8~<*tiEXd;lzq|wp1Ts@
z@Q_?p5>_opj|hV|;O~}^?1p~h(Qn}(j6n9=b!pza&Q-cgbgo|A?n<6qqZ;19Iqc|Y
zd;@nzUuhVH(|j$IZY&d|8EG!?ouN|zzS0Ma0+I=aST@9WgH)VIOrjsXOm8pI`uKDO
zJjPzveD!yq+h4KXIxe92Y<y4*`A#5scn*8sHz|v<iW=8rKZOp4R>XL+5h10dj=5e~
zIR>xqnTAf3E;%=fe|8%G!P2z>TKkLN+Y8jhIXdNgqJ;mP>oNtf-_v&hsc=Ce0l*x1
zwcck&vh{0};HS37rqe0`=Y*e;uTR>s=IPeP9_J~Fe<{8wXU&7pD<IY&r49tI3IE^^
zn#cf<uxo29)phg(0!v56YeLt2pd{bwO4vSMdng6(3C;7&(mR#byQAB@^khs}^^}j_
z5_B2nmG(Yk^7&edM*|pWxwfHkRMXvJD-e+8(jIOvKM7ZU@s0~MAay#x1A0YuLAYel
zc|=gI9F9F&b9Eepy$-s4T=7o<jq}&bKEL>ETsCugC#r-n2zn!AyQ{;#U|M^z&wM~#
z^mb`q;IkmvfVPG@4f7D$f6$nGhXvamIH|n-{dvRgF|T*zgrltX+rDlC;?0!@6f)gU
zH7XM`z$$?XegdmjyNNqSHIJ^jh$hECHF0-RnuwwBdF|81R+ZcVr*kQdETUM1-sj<m
zF@&i2D?*dnatnh`tyE#-czxj?Ja)tRKgM8L!ndEhrR_r%M8f3v?r}~kUW;|l^XZy6
zEAPYdSu+64EvB_Z0d;#YMUyL@uw;cq-FKazP*(9JiYB{?aRmh1JuB>1Br6+>SB7tS
zGH8J}K@t!BhbvJ}42ktLE7{VK#+fmm^0^wq*B29qy{D?MXXOGUd*I?>lDkt92H#FP
zZ%Z50UUOgHOLq=<kLn@<PBW*WJvX?5xt9FdfL79`Q!*vV4|jTY4VTP91kp$~Z08f`
z+;67?qA+OXna-B3l}cf*oV&U;3}cSB#<cXq-V@Z%R+0F7x(4-AX9cP}zj%Qovv;?n
zy#j)1Q`6a>(1m;HX!K&0Ny6HyVuIgF<J|<sKbfBMZ@NHj!YFj@VjcuAH``rc>E)|A
ziC5ju)D5C<9WvN)KE<3n3kG1HrT&`(lW3+#L3LTrmE8$U-)H$trvjqfAHw;ngLRiv
zBGoM;0yPh9@kAq2qEMv_K%!LO(=u9zsP58OucI(-mXJN{GT%*vhT2hrB`pO3wDDc6
zn#Re-+-|Jxuw?v~$;7p=!xRH$=238MWFkCBbT)F0ZlrMvZttmLx3YW_S-)eQVj{IN
zZptl<fb%SKEL%zR@OE}J*3}7)dC$hpQfO9=iyeXN-aBiDb|wbK@E-i$N_JCgO9k5h
zT#W(Sw}@9Dq`X60chRo{Fw~CD)EoS?;!%zDI1YlThw;M%yDyV3Kk(lTO*vazPqm9L
zULv!+8Nj~B*eC;DI(Bw9&fZEwz4ycE=MCLM#p`WOVi)`<Pt4Jtl5^>e`x(!cY+U3|
z9LV0ZVqQMODk%-#rW?5u@ScOGno2&`XSsGOmNUXmCA-bj#_p8UQ6|!5&yU|=Cp>@G
z?;_*JP#9r$P5zPa>U65PS6dhPGtYm(O%vOqa2#-{3q^UAGl-qr7oqP{fa|%ID=B5p
z)TD$Tr13-$A+IC$+K4b)Ogr1X9HcghY0(VWjt8y;$Q;4L;f%2e`dA+4C`RoK^X<Zl
zbkphAL3@DHAT*uv(sPHl#c6h*XGquO>Qr*rj9T^Tx889*;bgDTsZyk&fAiv1#Q@&x
zxD9ZxFK^c^`u&~4xiw1X%%I`{7G;@r*6TMUUk@|uyn{<tw0)4euGNE$%9opDa1vT3
zFw5XMuqo;BQRdd!LOVo9LHKs4NNohBfc``QL760T$QRI`3Hi6ALOETAjKg)8D`iV#
zRWd2w?ahjk{#`daVjW?Nk4dt(z+V#I>3sA3cbz~XAnJPEwDB7sxWxycqx8??NB0g%
z>J7%K8KS;TS;crrtNIA<QF{AQ1dFT(P6#NYaq6B>@{T&%n)tno96#+u`HK7S*~&0R
z3Z2&siPCIr=fV<Sde)ekDL)!L%w3^%oVr)K*r=0>r7voTXl~4m?fT&Sljh5A{ZkY9
z<)*V&q7aGw%7~}fkmGuMHx7POTV>gnLk6QDopz7g_Bo;+)@KGnDWtlB>wTRLm#|AW
z`lx=+9|t2b2gArjsJ71&ibMMYf4&w@rsi7Aqu)NB_Z7uPi=YTHD6mm%sD8(AdkSAI
zY~w)|0{)*iML)m%K=m-9`k}`$$+Cy_%SKkVI7*w@m`MF$e*dBX69r9+l4C3@vaOhH
zi$|jaAxklL0E1aa-GgHgj0mV560J-ycg{zLH#W<@Tpe-)Cx>7ssvkWK)z@@dmdu>+
zZIc}zIR8(I^~<{QXE5#ee%PpILLz6q^Dy%s=Q)Pn6={2L(5&B!dxd{s93&YK{cc;w
z*`s%PBm^+uGOKi#?T6>o<J!PCHey+w31x>v7L+CoJV@r7*R-^lhW}g>e#(-5<gB5S
zO_}?cMbk24g9=Z-rh;5oCzO3Y%!pYM6vDv;PAzScaqnG6&y+5&v<}~akXz3tkxktW
zVw6g4sL8&AMZTgUo253B{Yz%+HzPbH0jFb0pnU(92mzYBvHW(jBr<Q|1LS=b8!D!b
zmji!b)uRXhI++>*-qSk#(}wm(hLc<N1ELmK(nMLD-3?{7-6z|u`BoF2NUZdyHamrs
z`Peb7zKyu;L+9h4gA2!ETRfq6D^_F>=-s$A3*qxl3&phoqH*!drOUy9wkiXFUQPvY
z01a*BheR=7Rvh@>pF92niS++|XbPq>KjiW;6oL}2{qW%Z9PIYH7h#;b!pnPu`n%gK
z00>+bL%Gbi0N6P#Z|RiUc5UNyVVy_71y4!U&=`AuvsKE)(kBwl1#w=^c+0RDyhw5N
zGFz(O+QERzf`?<Vm2PcH)n%^Pe@}}P5%P<b{`!hDK<VBqSdRXyKH5aVzf$xmbJ(|{
zY*GKIMzA=ba1GkV63`p4e}%vAE2%PKJimk<URvPHF(d0E$)RZ$83S?p){Eg1x481L
zz^S>~n`sMdFYYZ}pmN;Njy=`>^-Duu`sbpXtcKh9ABUGxmzU7<bk~mpY)>*~izx{&
zutx#Uov-#RTZRh?6*ftxE1ysrM2L5{osi^FTps-h=0<_wu+<;4B#YEwbwP|UZmQhl
z<nV!EM43JBs?zu)*F;g7NVUi*^aRbJ!+ricCVn9#NDDhU;||n`Pl18$1i112T4*Vi
z`!%e(!*EJewQYHTM&$5jec~lRAQ}zBQ+gq7@+5|d4~&xa(Qz=?!e8C~n`xDY@&mPF
z)_^5+z$eEmaRHwM3hQdVRdNAvHVQzka-g-B`ESQP`#u%)neYrF?6g{Ct|M=M$kt)}
z?dNu7{_2Pmw*m1!zj}b;=7+-53olQm8-`KM7qQmnuIRW#_{BFp3ml=a^G}Tc&$@SX
zz9~fTv!uM&KML3O`+mAg{kSN*IzQqZ58mF-=e&T!_c46h6bf@BkzUm`bH~Tb@!>&T
z7~+SmwxY5Ec257{qQ_30O3nq1sj&ymj2?vAI{}u>F;zwBe|G*o@UKA9hecPGRIZ!5
zMua)IeB(RP+-`2g-fPG4=Xzxe)QOe}v%{kv7(Dl*4BG(W4kqARF<?YY3RFr~{@ob8
z$FI2vIGe79{7kzpnB-8YlZ<Im!+Vx7Wgqy>J_W>N2rVeX8dm!jiVNIPp6cKL+RO@N
zHUky9!|XV+;5YPVX2t;z#LAWBZ<Jjo$_Ki}lIOdNN~^=q|E{#AF`Md-Ec8q=&Ni>8
zSEaJhikc9M>2T+z<P!Hsf&6gr+?(aKJBfFIRb~$q93maQ?9;D#dh&tU2Z!uzynJ6C
zi2vf;HRC+L#<mRS_^Y%T_L@_}{AUJA+JEoS2I@oo19*E@Sfs?6cN=@~vHg*MCfhXU
zBY7zXyBo9>1#XD^o-$aJAquLa3OMY#9b;DdMR`^|$(b9B@^;uA;{|s0*v?U>izklW
z)asb&B9EAaD!UwyH&2UVoA@qXKF7mOXn)avMR1J5XK)6vYgPk7lQ=Qyeckg0fp-;H
zSZLiEtKogY+Qj|+<VLIzJ%TsLyh*uj8vxYYQ@$)?PK7JdpYI{`y#HFq1@<mx7e7I_
z<pcC$08lOHongZ4Q5674%I;l>0o-&}rH)d`9Rja_ET1<In<ApvH4zFo43fA1NPJkj
zv9XaJ3jY-NIt7Mpz2ddEN9z9L*_0q2y!&N{exTqHgP@Ys=KQdkeE*9d6B)w&DhoMy
zUf8p!k9xB43qB50*_d)<<Pt%_CGZX1b>3L9sCSccJ?{}<HFPxM>h02-bytkngKNQf
zx48v;93B9RKgu>}-V3y&CJwg><mGq>J~%s=<p?oAisD=%1!{-lq)O33le!yK+cH|q
zO;?o4P^7U!a<q}RI9z?Cm~ZTU>6$F{14aSQU8pZo0eo2i|96jrkOhpiYoFS<?|*lI
zYW>AS-Clm5-Xf-FHZ5VC73TMi<ifiW!ZA}jlITl>J<r5KLp0l{qWhCbAspOzkp)p4
z&%&S<<cvY8m}ANIn82mI^|19<!*3u2d*&N81j)X?*Koa>d?%ErVO%dT>#($=q@U}_
zCSKWDd2lY{Bg`1me)V(mmIKB-0C6?~z>bT`(Km4X4{^>V!)GSS%W5NAfzA|xvjth=
zRRZOS*C0L>j=4hyV;dcI%3mhshtog9Opd>+M@+<^0Ym<LLSIEU?%AWTG09JsFz}2*
z?wYuxll%#>TPc^^fm=MlVV;svp4@uWFn%Y0GSr-STt+OCo%aQHF{50O;Jh*0#;3e<
z&r^NDBn;XYF%7JyprhF98$MQ{$15Ik?HDJ_1{8+aIRyHB69Am1pq<)sfc^|P3lf8V
z3YdRD(ZsvgxGqd>>bOoINUY*%`x@D9t$P|vpA6<X{keMqv!q*K#~!u*zUiSZB5r|G
zb|)MYBOBd)Py$jlt&}S4gPDvaXcmJ2mk@^Y#jY6P^|@znncgiuUXz1&FiZS__+~1v
z|4sr!ZgyjMSfmg%;#o~<%+p;S7}NoSB6@G0jt2s40nkXpcOBvmYuk%Bduru9XX?Ft
zEM1;kbG9TmkND~`z<PW<5ynUK8+md5V$rwYqY%iHTHI5;MF=?7C!OU?zr0Rv4<=<q
zha*l)-MM{IevWZgYXRDa!c=Y`E_Wr(pME{83v?RA+`ZFHw=So5qX>)M*9gdJij*dP
zUcL)GB!E}i_Wm`d1~Tjq_Kx()qsqY6`D*<S+9$KR%BuA8+5NrBoZ9+{rhb76{a#p8
z+M9})a}TU}K+(mptiuM~+h@4_cG)qNBX(Scf^IIh>&3Dv-&>sg^T>A!{eOJ8sje2y
zK}MN=y%1C#ySbAHD_*+4EB8|E@zf76Ek-O2Z!BC5tWv|!pX$aRN#e_R35kULIzANw
z<iYDF?bQ8gnJYL5^pUu%{H;I48T4=N-I{iUGc~fQE0fO^FiY!<3Ye(naXVIZ3_|I~
zS^U<$g>dl3wlhf!ibr>jU~MJVT&Z^A;MUr851Ya!bxY?ZdAwu4T`GL7N^AblmwNwe
znp_$8<$XPyVEff;p`5MIK&3=BnJL)w2Ui@#CrZq8xsdJFH(WAUB+oxJ#5W%!l<sTU
z(txs^eElMaEL$2wHJ2DjD#o7<Uz!Mk&v@scH#G0T0$ecNoz_S{YT8B$45>C$*gD9K
zAKaAm2UA*6c!4D`QT!m4TS0$Xg&ie%xwhTUF6IAcgxTM&Kj(`SHcnh<H=j#+%XdU3
z=vjDP6C2DpVbw-n?A3x0-Ebj$I_PW>JLU$L7axCVxu+lA36J`cuYOTJLa=oZ^BVt%
zZu~6T5oN8;`g-s_5E$~a<^z`*N4hGy2Z}d>kDz*~evEEvRs!jki{ytw-eJ^Q7OWy&
zGE3#K15FT~{MED6t9*ar=1z+`0kbmE_hY&L1#SKk<Nw%&_s?4XemX%hG5ntFgZDWe
z!6k!s-XHH7p540fzs`SpF3`~BqG9O};?}Hyp`8Q1?|1E#y^Q!T$mCz?ebk<R`f8GI
zTXr=|FI#;(#EON186yJ!@J97tW#@mbaA3s)WS#$Qm_K<de<8j9%I<$sE&c+te;Kv^
zi(c>-{QR%24SdQTzW-OL^8c{+mSIt@?fa-p36T;|Iuw+Wu8~$L1u5w+B_xJ!20<w)
z5hSDpRJvp6?i!G0fB}(^VQ6N6VPHQjUGG}&`u+a<(?0fxeeC(-AsozeKX+XB73X!H
z|8P$M69r&%{<l{Fz-*uY*VqX-CMo~pWdIq0{|&)*fhUv2?c4zVh9X*^CUA-rz${+4
zIKY)~%=?ReQ$^_Q5%|Uhd_!eJ1sw{89a<nhfL*?n^1IFyTpBjLXqoa<;>)1`82<p9
zbz!nXLhi=@VysL&NZ2Gr(DN_%e<^iF_rKtQ3}2o3M%xT@TYZqe^!alI>2KK|0F%@A
z1Hgm<aH+e}ckMea+V3pQmVxp-WuTD%fagDHA}**oFUTlA=RUVNVh4+R*fjR-AfH{r
zAS)4%mQwxf3%Dt6o9s;L=#<b_uFJRD5ZGsxp~OK)V*@i=9T^^6J`S({WH2E?05A-p
zx?k{|C+dCuJ43?oL9qc<2&NeHlo&#DZE+ArW>8wA3gE8$ZInrW^G*Sx?c4qP@8aW^
z<Mhr<ob!#ycs>TFHSR5P_{AZ;H&TKX0F9o{IsO<E@jWS&v#NpnEr1$xz>ARDLYY3c
zPzrWG=Kk8P35AShu1M#_h9#zRF9cI-HdoxT$_<YNhXG37ik9Gjgs78eng?RDZ{bc}
zQC%l>k$UQ^UAPp|*foG6F!MK4=})d18UQ+#7V@Za(FRr|tWw6lZt;;<Ul?h9lqmlD
zJ%3(9%sF$AuNWq?Uj8b@mgg$RvF%%sN4yvA8=PfY-$5?j_}KG_-VybN7Vp(K#0shG
zk+Ndl?2c-JZ4hM#2)e!unuM7E1gw?6rmC;;eZW#G$z&rmtpC!}mP73ls^dYZhK4oq
zX0ZI?*Jhi4Jo+jkl>T!#v76C5ib7`4tI9CKd~O4Z<}Y@#a=ZWxd2XLdoSnA0u8Xl{
z6teYwLO6}G#qrN|(f?*r!RJq9kyLCv+EIho0dliW1DdggX9#|AdoVTMrF@!PS^E5)
zH6H&-S8Z|L%0?nggO;P?ZmtuT&~qVh$ixL>AxZGKgrT{4D2+7{{^JuFo}l-0v4+e=
zFp{oE7mS6B+%v%>!chl|uX7jhhGTQdo3PiaD~*jfyrWKBenP*qyE*~oV`ye$mSNR0
z6+9XGN7(;UjD<e70P*7mS_@djo6TKBLyvCjC+zT=0y;Nf;>kf2KtLPz`zWpe)2-k5
zFrrvKlx{(w8=Y=&(8_uvZT)u8>F`yCs+yFbB!_sC%fUgW0zB97uer?LxOPvfXN6Sl
zhm4e?@g1ZvoK*%1UH3g1xKF0p=~~S)6B7=(T3R}r4^`nOq+SVuTj22)sB7b1*5x9K
za8ArnFQ&?&lij!3{GeC><BRpONzskvToR+l?vGoH+c7Y7`-o!Y1E>{B5hhNPC}|no
zX<xw4fEQ6YJG*a?H@YSjaf|~iCq8k=H?oD_OKfIz4_jPLvq|m(dd%R}W75gKzs`C?
zJG6U%0(_^Mk631Z$n9Q1ouf08bZ`7a!%i{7@HKzxyR81gh#KW5Hh)v|5y?_=egAIU
zG7Y*yY!pYcxe;t?y6N{C&m)e1L$u=$odev)AFsJj_MF$VBAM3#q9v;+E7v3ig4+e_
zxR;?UzTuX{+73O;*IrfmX5aix%tu8%6HM!us@>$vR0G*#w2Bh6mW4oD#+&6e5fNhS
zQesi&D#fMzS_-9O#%7GjgvQ1Z!41b4F*1iWGg)TM1JC3&`5OVU1?xR|Z;N{7bnTOT
zq_U@BK1YncCop~Xx6RUjqAvl9Sac0hR5_6VfSS}p>|U-K<uH^*d?y-BFu#=hmRFt%
ztF5ppY5CR2xg~o#<F-=YFDXTcipml7UGuj(Kf0Pc+gNztj6`xwzpXI4$(PsK%8-VS
zj~uyjSw|`>=x*akB=62hOC_&fmuKUapdD(wCi<#y@W7mJm7|DtFRSuDsqP|ZI`guJ
zqd9#M@{CZ$@%&5`=}XTP#=o!>O7mO`1dW$3%}+|}8X-1%a?iF(_)pY<5|>SeRqW<H
zC}Muwv4;(yp~Y<%)WYekp2DHryEWCQKu$pSYYotNySOq=R6K_Os-eWc_wn7dC!ghw
z8yPZ(D7P)mJ~*#ikn<c^5;GkDJ=h_p4q3rx>8A~vE!@^EeYlrBY_aNvM(0H_nh@Ej
zvni-1?lV-_6u0U^dN>!JjnS$)9Qt0<1y|3mMc4<}kVdv6NIe|9q0usG(zvg~Nw%pj
z3kPSyuuAR|K?VEL1;qdaFjOB{dNIydx?mkXi)PtQLwd|Y$PQ3+zweaasOOZe_44KW
zBNNdb08y<Mn&)!RrQr<eu!UwB5)v{)Xx0zA-xM8jW7{<=0Dk=4#*Qk$Xy?b;)yO$@
zg|0H022<0j*z!p)5Ojs8X?nIe(1w`*z|y|-EWJ3oK%T%{@v-F_p(T&bOhZ}y;5csu
zL}nd}raa4=M|X<T3zFA(O|P@Pt&7Rc<iUmmfZ7Pk@<5f$^^5mQKAh=Rm1ofQUOiCA
z;|JK?;1Q@MqylpT#56nIs)?zloVM6$|I{E>soHD{;pdQ@>?j1Q%RMhzzTNoOCIleX
zf1;+xNJvONAzaQ*eMlr~v?t7cmJEyF`Y|y9SQqr1xcioDcuh>ey11)*CxLTyDS((t
z3mj49>)qT3?&|Pww}H^U{#}j9X<^dU=_|zLCP&%ECO?$M+4vWtBhMEBt~KjROC?qW
zN=r$^)3ZN_NS|Y~!yeVNc2IHWFOQ-v{FZ|02o#X&nwSKxg+=)rb?R($oG@Yn4olgZ
zLmh_bSBi(oi7;?EEc)00-GDZjOj(1Vo3FRS^$L0e2r#*Xk_E{K(iaZ$4)?H~MlC*4
zS#G7^++q99I-%J4>C6>x`Q55fTP^SNxaFy0{y74J*cV1ku|r~t4s6)5ys`C`@RMM;
z@So`1C+fe^n8JOFi??PaF<H$PP?AYN4NTF*ii-ZDQF&!Pe&Jh{5kL+gwMM&7pro;a
zK6=RSxw%atzZO10|IS=3(s{~6OK@YgE-#YO0spec5%QqHdAq&Wjpn|7u-;Y^X&~nl
zN6y5k9bOa1yV-H~fZ5~T2$mRx2$s<7Hqm|Vy~U<1UGRnvtusRPqA9$-N^E-eb07_w
z3Q60F^&+cs(e>_?8bQ{BYoQ!j9-S_99`HvjI)lyRAvXUYPP3L&h(p@rzQzc$hDW$K
zeaFNbm>v1KHHLp@&IO9PgTAse&HIedPfYQSjNTjjY5ZZMx!JXcVX>0#QL_+jL6})%
zO=LDy^9DFo-s}ywljlTS_t1ORyh^kB_FOaPnv{1Dg=1v-zc*6+=5!r#YN36(V~?7{
ztZ~G*iffy;4v&<kEPy<=qTR7>54FhVOk{VW?zjXJT2&KUI|H;TpAk&03_sHB@ShWW
z$&<m0gqF};y|KKjiJox@0{9lmtZzoY+Tm6GbGFg}ezCWWwop8p-M2pFu=nC!rEWQd
z$~@%*&VgIcH2?Am|2n^)vt1d)!0?!+bV5yd8H16%=ch0Gm&h2!gNEgL${MPv4pn*A
zrTn!+UEmB}IrTMUl3t=uEWf5DOWPDmYT;e(Dc=K4-S*O@IJv^4?+@dQ0z^`d{hkY4
zkV%!?q+@CBqZ35Wh?ifxpge=5r#`)wAk;*HS>wA2V1F-6-(UP@>rj9O`@Y8s$?yT%
z0$F3|0G^KCvdVQ{KeBW8WKozJjh_zuaYuqY^TAa4*nRi!BxvzW%+_`yG&>PIA4+=D
z2#^wFd%5A+Pa`soj_10}6zLKx1~0bSm8SiG70_kgC(!DOjeQT5@>T`7SEyDI7Dm)$
zy_cK(G?D}P*`r%bW%T$sym*|_O@U%V@6J8T`82`WrQx-5NK1ngr$2JLJ@J@)sm5ih
z@30$i6Egse5h>}12e%+bAq&zWy)9mp-DWJtUW25y0fsWV)iXADAD^44@;%TB1V}u3
zvY{@k*~$mDfY)TFOW|9vx}23dzpUG44k#{_@J8-Vn@|aCNkFCRtT+~jQzAEUHYVq~
zPmO9jD%Ic{{&Rlt`^KPtaTymGo*o)nXZW@_c#PUIZ1OCFd%L+)P^JaalFOVO$2ryk
zT>_dGQjENv^h2NhYpo%aU_NQc_d6R5URLV%l45!j=0+x0&|3hz$P(51rg%`zmQ_rS
zt=HL&PJ~fIjOBS8)qU@AgXR{79<|J_3^dO5Yg*nwP3hCy9Yy7^>>^oObguv(;aH;g
zm4uj$M>nXOS(8-L%14eHjv6VVdtxl66xX(iS-N7=USLk2`15P$u+e_&6?i##XOKsq
zJBinCnWlEs0OYlCSp-PQ0y-Wo7yrBHW@Ic{3;2PMWFk(TI|Q^yXp%+kFSAPt(5Q4t
z3@o(rcY2D0tkhHwUOgS$i=3Lw_?|1URIl0li#lT<X(*5+UjBNL<V}3i-7EJ&{(eOG
zv67CB94wI&E^{6^V`$^2ytY?E-em2dw(M%Rx5TICZkCw6c^*x?)qSXD)bsRXMDQ0U
zzXjNNzJt~9kpbto%lGTfPV<E{#-?acnI~bCR_VrbCyyWIoinF7GbyeBy}X_iC1m~r
zL&wA7V0C+(fX7^X)+g6b-|^R^RzqR0rSw3{B_x4%gqo}sq8E0wFXpcx?l%JdKr8V4
zk_4Km6_5ndgcj0OOM2ye*}qjEll};vwY)9^Q5^P%kGWieGo)%l8}N&<4bGp|-lP#h
zF^d#c9xQE3R5lu>I<HZZ3@(6760%t+$UCT=0qPAFCdDKB{@RX}#PE$LFRfb=Kmt4V
z4Zqaa+AiW!-o}ev&k49-=|dEV7TrlyJGaA2xZL$rusGmKb?J9%n{z9hB)>^$#N=eF
z%i2+Q^rNlu%OZFky(2<5NeoZAK3fy1Wzdk#ym|165a{_ea2_kWb3dM6ieVezU?4Ed
zI(&^1iPfRCO^eN+0=x-^(3vSc?Q{x9q(QV&x|JS|X1d{$R{Ein*Q6G*ciYczlwq#q
zfXjtPxJ(&&&&A2lZ<#PbK7|hmu>Xv_dHxZ3pZq*X5w?9f6DfK(b!2qn_3#$k-i*_C
zF)hJL$EgJ}hvMQ6bb7<cWS!Y?%ssea^hUj+h!>-L&(iX=Ul}2mjOpQSx2r?RY-oqH
zG#z#h`T$UEvhitaZzKO|p*=j5Y_vw|{2qwb9_%g)$rA&Fy>n+<3MdNX1~5g8vs^(B
zcujGmoIcpEXHBYAHOyv$^ZAk|#2j-0>RrK!(>?2<;IZ<#S`R&EtQ4WJZXNcwIuu3n
zL^Jp0{$35W>$mlGmsyMaDen$@X2E886d9nyy)_XiJ=u*axjDXj8<NeGEfm6+a);$i
zN}HPNK~63k^sxqo^->R+HN_q){A$OW`kgpA7^`!`O$U~#EI8FSWf5V?SUQ4oa-Zi-
z`mA&IbK95YSkREUdn}Lt9J>$sj)$(Q$!a%fnKWo=LWYwd(30?p&AI3eCdtt<KXOmd
zc3W%fE00VFg@wwD+p@q*pt+r)?aAWNwWll}UPrjSY($U?`xBF-wU+E*1TjCQp0*&B
zlJC1THhy?ENJbn27K%y@7Z)v;V+38=AFiQ%bX!+I>RVDucJ)LtocSY>6NB6C^Cz1p
zFOIB<#_+1a6Jc4NF#Vep=6$~G00~6G@@Pk^hV)p{vVPREUgci4TV^0fx6(2pc|8=m
z8q<}Kg0Bxn)(RSxkQ~R)t+hqh+0pMM>E^I0Ybc3)`|m2bqAV#1SvH`lstqpfnEj@@
zX8<OQO;<FUqS*X79b3Vxvo7u{V%ZRCqPjQZ+yF;62qS#w%GBmE>c4yi6nwZ8!DeQi
zo{(q4shfX1eJ2?C^8Qk4t;s&uv6SF$*%@8$fLEq)%^3_cFw)J?tT1dVTo)9N!6$mu
z9Rk*z%|aJv<kP%_zUW>kYX_->=f-<192qs<%N(_)f}EubI9t+OTT|=NKK>SN{M7rK
zpNjphk;vhSF7MTa)cFS<gC_d#THSWTg#dCaAoIogA2GwR@@0+-_v-EoqcRs2(OELa
z?jWn&k&5%{p7#;Zs_NyZU~s3Wv{I~vmkNWY2ucCj#x`AfUY3SGwJ^bE(^+g>NfuxO
zQ*>D4z)%lFB$tm+x865x(vwLzU;5DV2u=c^`mbd7CEMT${mFPR)ec=mC9g&@Kg|cg
z^9?AG)5aRx=dB-*Rim!h+}WN@S1*I29o{Us+G}ANIoL+!;PY{vMuFjcVc%9-)eDIu
zQ|g{f<UwjvpfAQh{O2;IB%ypt%&$ZJA4SZ3JD90MUY>kUTgQFxgU|jQcG#t5TWO%+
z%8RnKL$;;}10v+82E!kN&=@%-&B{t51~I*?0&BvU`vb5{S(fs2v(5ohYJ@QNYEi+6
za0|03U467>2)ItY9z1+d#6nW_mCtt99~{Wp;=B8bx|wwR`-D-N7#(;=<gT#4Fq|GT
zY;XXGzp5F%UnHh+6%5G77}zdZrA6<V<I3Bi59S&6?oyVU)(Sv8eQa3(7K4FS?ZDIm
zyHA_qbgm!yjRo)td`Iok50{OSe>fCg{$|P+P9_cFQ@iw7g!12;617lC)5XxQiKwFS
z!+2P=)CN?oy=g>M;U0kcYjpc=4b3^(tk;YMxK5_lqTKCOrNtcc755h=2mKa|1jYq3
ze|{w%D*9$^8WNm6m+x(1cl#Q`=L(A`eiG@8WfvC)<WZPlOWE}SQ{!7^c+UPSVCVF!
z@3sbeEX51A0;GiP7{97E^iVYuaclI`2@?quC)Nw^Bo6fmW7K-u7a{Kf{H$G}{-oAv
zt-qD+)*HWfEz{}vwGL-i$?i@1vYrBYwa`elu5pIap3k{7gt5z{Qk+gLH~Bd^H;9TE
z0NfDFBvn=ijYxhXta<BXE+2_I&Fr@+Pr03SRWy>NWpqY~k9{uZ1a4q9Cw4*z5{Rx*
z`<vb%R7`x$axP)V=iM60H>y89W~EJr6LRW1C&FvoQvsT@>73t;D%5Xd9(~;UyWi(`
zQv5=2R<yb*yWFSLUl+bLsV0srZo($}AGfbMN@^gc-vkhneLsqbf3|Om2_Y6GRh{-*
z6!?f{dSryr6sfAp@l|^5|M2zIO#)%t)l_U^{}Dgv>d^adPQpyKr<cg*H)Wp7dTqM%
zj5)P!at)BnFg%rdbuQ{a8V<khry+WNdye{4#%uG&;At&c)84UN92A1y;*vjWiWe|_
zW8#V<s&!kX9LEF4KUF+ppPr>R)NQ!|n-l$GS^fbB-1*+u6@CSi%WbK*IzYKhq$XdI
z3o}9zg$Y1&;#85`9c`)Cfofb5`6tI^25;MEM|W>pIn`1L6N`NsN={*)qJf6-K}ft*
zX*uL1>k#nV+bwx)uIam5J~t{4y47mu-J*h)ZzkuahouRE7STW5%Ci83rrnrwfNXY*
z<nF<@`fvkZc{YlFS(#Mt<$UkdpBo-u_M*Rh_W?W3_l&r#(|(-ASlK&DzuaJWu?{3Q
znNn+Xb1F*yXqZL!tu={CB0)7<N^UkZ++HH)V~O1En{a-!RcG|3IHR;Dqse@jbKcrx
z#re0&eL3wQ8BCPzk6&1mzqMr<7#TZ9t$Hrhndvc}pZ0fLHl@As{2F3DbsYOCVJJkP
z+dVNRer2j}+_3d?&@ATrQPzS;)S`vMd^44iy;pWsBPAfHwKSL_d=>BV`dr|HX2HX;
z2?fptjnIV!8M@X8_%kdM$#TV&4p4Sn?7xf<s<TgPPj{5J+GD!1l-N(AVPtxi%PhML
z^B~s$Yija*jSb?q$Tm_@E0^tPZ3}&6&&S1HMJ&q#!(3HWGtjDv2hQHwKzZcNmQytV
zqxZKb1$1|N!zQ7CtPl1E*ho4sBWUO`AXIF7LF@@sE&hJ-3t_g`^I>H`5c3wK`>D$E
z9(MuMN@>g#5K{DD`T%o}hbC`HzDc|iR$k~R`%!|d9_DW^`wGxYD}xp@kv61iXx9^^
zis@ySSkO#Lc)W${!pWK2)pDB;Q`1fc#H>_2cxxs%AEZ<+0Fvh`o03Lw+vh-yMP%<c
zTKV~}lA&TtguzQ2ScZbufT_r)lVZTK(=q#4u_XP<AYgql{Vh`>TXAiv-ZiP-;vJ#9
z6VuNcsHz(b%MQkLrfZtihTY+1b(9~f52tIaaw`|e#Dz<A2GfxDU+opp=R0AT$2aFf
z0O_-V888V#5%68)+5Tcq`0dCH0=kKriTrw;`FZc#;9vXcZvfi$CNsJs9-dhxbvGHH
z+7>v#aRVT9dmE_f^;0geU~#dWV~3MFlX%S6nt<sspH>%*g?{eKwN2Pg1UaAu1foY*
zSq_~<-w&7#kVz}%1)xp;7N#2uPhu6>cI?_~uhuuv4tA8>(9{7$A8WL83Lqdc9Y-ZA
zH{uvZY4!-XN*6J8=Vl%1kd$*lKW11?X=J({)+AjWAZsW=uH0ZGS>9v^$ahs)_LQ&#
zqYPf=Q0q4`BP2ZD!~X@S0B-W^-*esll+8Np@G!kAt3w(PH|Do#kC?F=;&s%oag82d
zI6jAZoonhCM`Wx|H6Bi4ttK0>R$C}Zx2eG$ec!$fK{w&q9H<i5_kGeqr%gr)WS3pq
zbSwZ%_%+@=`w>U?DZ4DnmV@91Ti%oLPL}Y?6cjszZ{NOR<@|J+wU__l;)5X0mMDat
z-&DTa#`p}O2KnS4%@fGVgS3KKKfMVuBE&)i8ovq(_0#3Mxh5iJqM)|ra=cZ$uamT5
zNn%-$@4W^emPT0gWQd5*^0s__itze_LoGdS`z@80dMvYS#K+lt{b)e@dj0oKZv!e`
zj9D8|S&!e?v1;2p+Q)BOQQd}5tWwtrydH5yeY7dayU*8B_E=4PNF4I48HO@es7{F2
z<3zA<=suLz^JF$qin-l##HjYc^nvN90ppM?Z!8V5U>cYB+7ua}7%%&~%2)>MXr(-f
zW&Nqy*-&Z3i$x75=C{hQoF9*FzU{x~Tv9=ApcI?)DNjBogKA7=Oo+S}pH?l&^Z~?$
zOD*%BlIarNom^B$zHnFnUPQR<!SC~74!lN;hDUd~T2#z{lrwD|2k}at*sct;-EGZf
z)&DNp+D+C{VDMTu3-hfRrC603BX(3zxpd`jvaOOK15JyHo+Yw8o!RBL+Wp?e%->^k
zFP1@FgqLBLA8QI-J28W>NGgjYY<eU1y>#f>tOLn(x3@VpGlUJRHobAP%W+KRqvS4N
zZB!JjxzbP6SQ;~igDi-M{dO(>9^F%w;(G1qs4HP*yy7?WvE;oWH`Njo`bHgDow161
z3-3a$LTr9qE5JW#?&#Ssw?lerYwPx5dh+|ps8#Q^#bC_PMDQP8yOJ7|mo0i9+uoJj
zIg<_rDPE^ByudDPc`aItzTX*Q{zeaLhsu(2B(#HAfnN0sQ+DH`!<nLB`2J*sS4+gD
zlHy|3lJ_571eBTwcrgbCY4^3>p1yabtBJV9htVc--HUY2UgwGVanrJAOWU|4|HE1#
zFa|arIyhSZZF6)?0}%qxO@8UIQmdeUj>d0s_h8_*7k@NC*AqWxqx>#0j+aK8^Tu$x
zQrpb_eFI~5VA4ORxe>#9cTk-_DK{mPUtbAx)6~-|<>A*4C05qP4vo65dS&c%N^d-Q
zDqW>MAOCO&E2)vqVy~vIjn9|O<JKb8Z6lvCL%po-az+LpS274Q{VINW;1p7O{hr2=
zHF>D~E%w>x>CD_)ud8JyJPcy>P<lXTO$H!;80Q1t#0*L)-7NYD8+MDrW_(;bnFGVC
z;rQ1O+E_(x*mYb_<MygeTMOCp?4ZN~A`UgC9&P0hw>Y>9HVMjr<_$>oEW|AJe=Y}9
zxjW1KFizP-a)+=>6cqEazo*u;)|lx&q~emK7W(_qPs-<j(L1;ze&2iZ^QnJTnLZ@R
z=f0kr!p$))ukHERIjUn@TZd<fbWg3zK3&TjG`Fa|04i-Q4xA3te@gbye@#r6p&v|!
zwW(y@XRPE!Kj@X&8(Og5^-;PG^jMn<%J`KG1Vl9rt%^gY9P9Lg^4dXIX_1&p<A%G=
zm4uE9IBO#mrVrzdt%mm@%c{HXz(ik<P>c&3pVRUAYt4J@&*)<Tu+kx<*Om8hx^%{W
zA)}`LO1mUie78&}m@4e*om!XFs{rzVm38g+q4mC<o1U1~)x0U!J18C+wb?P<AZw&1
zC!OY{9OI7_6TdkV7W;iM&iJ#<2DXAM`z!jIagG#f{CViL$+AZfFtJ+HcGRa1st41-
zlt@AA3s92LJ1brzomeSF3TlJbWLUwyN~x{k_Sgq&dF{0JtvN5DQav_!85{Ls;LN-M
z-{JzSgH50q`V)*^-{9P7&#nPAi_%_8En15y%E-dT;+lykU3DCpwoGYzj%0}a#4AkU
z;*)Da?}h9(t&YT81pJr9G%qeT`QhINV^_Yhp}77lL0BwvlGc+_Q%A+KeBs9fQsHx2
zUDM@~q)7$*16C${G#^t_56!-BpYw0C`j^F&JPTC;>g=+g>100dBwD@EJ_`yF?bWDO
zV9vQ(D?dMpq*eRWDo@v~->;p{0V~H-$!6k4Bg-lmWN(iIh;8Q-I3NS6WkLJQGbtW;
z1+dT8CZ10EIYSTiOA!zRzCEtvkbl=eClq%)1J9P|IhlX_d)EON4!Ar(`$It?4md}D
z9yKb8&mNwh*~LvJXIwIoqt23;&lX0m*J7Aue+qYvM=TEgV3<B4G|i!DK2EYA71DN$
z>%o(nVo(NXzKCxmlhAbM4ObGV2W<^K*5A(j#63{!x$OdhS%>=-U5hCSwa02KrB-h?
z6!-Yz3WQGEL2wAR2@sQ!?#5h<tzhc^c5Dr+tJLDN#T(D6Nfsm|BtG=agC}=dna#a1
zMwgj&IG;<ZGc_9^cX`L$qV5XN_X$pJOJfzV4jym=`1gIBfJM}Xlzo6Ae2Xu<94L}t
z9mvzQVFOZ%r*^#Rhfj;N4-ICJVl$=3P8*tN79*2Mn=HN#XiMI#1-P(@5xZX#2>L&+
zyCQvn5NBBkG5P}WR0EqFea>3;ZtN=W%JjhX%r3#nogQX~UN@e$FuK;{H4<Qymv7+Q
zPMO|3ZMO{pXSnfXu6T5j&oe(v0~sG#pAR>}CjFk*?BXzvD0hT<rUVa0O(*k1V`)t@
z+py-8th;o_AxjQ#qK$*3l1`YJ><3&YJaF*r1;1C`n&Y|CofqGxdv+YZ1LPWx*?^f2
z4^IOO>cwp=ax!><dSds}cp=L!1NYK?&r#+~$XY>SWNQ`5HM8aXnAxhZM{0PE{|HZP
z%Txa~Q#@T2?TeEdJ)PKe&6+@SA!FJc3H1!C{4tW}gXpUT_GMHaqyTWWCuOC%g$=$o
zqaUj|Pbe%U1cN5B<jKV24Epx3%poZza?bN-!4;;t-UR3!a4m#8w!Et2YOjAL!Wm|C
zIPd&FN4(~Jl<1A}!?aL0!i$mgki%}fmEEsqCL2A)M!5Tp_Up@>BKZ<*(WD(ABEbQ7
zs77sxZ{!)$wattKVAP@&Q-1IOHU|)!ccOZ6;gbAle0LRL$Zw*%)xg#uQngSY)M@cZ
z@)~Ku@M9|=IJl+|q=-$C(vo*%gKu@&COjEth~DA7%S~co@zTvwZXXfxF)^64DL|7e
zC@{vJOLLDtRDwNW{>hOi){{Ch!ls6202l3MG+7}qsG8>-_`Tcl2)Mf_;`Ra95}S5<
zTsHxLEEd5gXo=&GQ@@(YZN4^X*W_g-(*Joxc$N(zf1T!95ZoC>`{c;lCQX>IT)}GD
z=A0=6Y%p+L%!_X|lvi#N1>XWIHP4qku0^_`;OU{@HWH*0qU1sQoB+>2JqEexxdz7|
zurOLmqfgsIzn=aGNQW;Ak(r${LrYBdA$r~&k`vlz^H<@WH?)yr@9heI@aWjwVP$ot
z?*IX_fKbKLAE?-p@dh+zd1>MG9>~*RG1alM7X#E7jzhqs3-9&GlHOB|v33h{+!EM&
zlqIQM2}rVAiSIcUX?R?qmU8E}0j{1pDJ{*l&g@?4m(vWdQhMZXcQvUeEQ@n+D`+}V
zSgz^ExFjL<GSzOD`5@7}J-IR2`hzZEj;lAc`E!c9F(-(X@@8z&;jwY7W1!|H<A4mf
z)@FQL8s?D7qtar!fBHa?zL`!-Eqbwt)q<~mmHksYWp<yYOO5#ueNCSm52`8yoMu0h
zn>@+gE{ufuC0i3%W?0Rw_<ij+OwKa+<Tf}2ZmFgAQJvggWzA~$BZH12AULEM7SEa0
z+iy7<wA06t*$WH$W!Q=P@M(%H(v0;VMnR}7Qa$7uI-r886LbKqE6o$p0ZrgkKYBr6
zy$S(qtTHI3EWPLW>_%v|u<t*xn@08F`~FNlV%P|Jchfa+Ex(7d*$0D-@!x;rny~|8
zTAi7-#PM{9?RyJ1?i<?|QJ{U=AA;x0w>(qUQdjVWz5y4w&6dXC)d_#O+@*HVgiSeJ
zR@w@!@J<Duvyive8xQLv>kKQ><safTLfRH4pWL)jd5<5zLy2HqexwS+(I~j|AI3^b
zVI&KzY-}zk2X+{Wjo&-tJRJ-+?g%kLU`rkPcO0K;{aQY8X_PjB($=khX3xHDhoGcB
z!xEAro~5)?wTv~=a$w$PVt0wU6&ahkn)kUnK*m*xIrY?7z|wAaK5hs3O@F>tvc>K%
ztn_6@jtA+|jld}Z{K_H*(17ue#e6M0j>&F-TNVwlbEVR?N@M2S*sd*f{@PepxBT5&
zu+dBK+U$)ez`;~=WA)!p*Uhg4)I#mD&~fJM_H~dIAMcKWxKJ>fEB~x51v=Qel*(&d
z>2GstGNGH}RLQhzQ%UmB__fre(912gC{F)Md;`l$b?K(U9aRXLd@@R7_{dbJWV*=W
zBO*bU96W>GajbPK%30h57IkD={u1chqUtY;Nwc?<DvlZ##*NPbw)C&*nTG*rIQ%i8
z3Kh}4A%1_YD7<}Q#El;P5Z$9y7WP>>kBC>jx``|Ep6D7fn>$PJ$L+-p<cQPPqAfeB
zf|r56AQn&_noC%MUtgP!g*uTS9@!KY7P_7PWiGl$f{D8i#<FOP%c5g)-hKHs6Ah(H
zsh0gKWx&hs2*p%3-E+bVnw$>>%b<t>o`u?sEWDRc9=GJyQK#A+$GlH{5)w~uexA7^
z-m-(@%T1rnZ6W|<LFP9tW}VkaZVn6jGo=3V!a{xo6D#Ifzj2glOCy<^`vVXJtxQ;{
z6u1&{=a*TS#W5YPGC2DvdXe62=Az~i$W8GbIFwaPd~wV(YcUVDnRFx_K5Z8RlKb}C
z0zh{$58RSy_&GKw3Z_u5nYh<<J10-FpR(OR37ZlK!r%)z9Er(4elc%DV3+Y=5H}<1
zzfbxtO4B3JYP0PlwsO0ju={aiR!rQXk&MynN9CkmF*x5&YcuDz`dFiNAc+7RIpAJU
zq>3*P2Edr&C`ilx(A8{tjhs}f$OH?;W;#SehbYD;TdKuXdMTw(jCF|Q#2vl20#ToD
zUOB?Euh~%*c>Ms@TSM^%j7FAEF1rP~FT5J{3`pGJ(_c!JuBvdde()mZl5qR|O6h@j
zUua1=2B@&SIsJnIL(j>pr5>idXhA#{Q=hh}h)#@m6h!;XO3sO+afxDnr4txNr>usH
z_|cWQ1LXSV*AN}6I-sNGp?U?^qc1b?`7d`nHvZR*e6i6PA^~c&*+DONI#R$3gGN;R
z`%8GoJ3tdRRFMfP^x~o5IrjcvC+1g_aDig2D!;!My#?TS|GMp@fa~V!U#1-z0bphS
zm#+oRTIc`t059xX_y6iWT#WU?>kWSpY@4lt69#DLG30;0>V;teKKQ`i`s?lg-~CbO
z`>hgBcMs!`)tBR<y|N8O5=9^VJ;bt%>R*l+j(+jrM&4%49=X8i0H42NOSvazNQ${4
zQ{v(SN87c92YNqK*SY<O=U2eXC&yl+ZoATRdEP9bLYW8KUt&k}nl9s#WZND@mw4VJ
zDD{79bXe$8Xu*3@8W4tL67BZ|dUUG(6{KqjO=rAr`&#N!d7@>zW*Ve>Dpap*s)(t(
zTMOa4CjDh}ohuL@#K$AI-8D6$w<~dS57F8B1uCeIBO|c4bS^{(_?uw_okTmcdvr>Q
z!otHJ0Vv{&64AAbBpR^DBzIqz<UD}$&AmLMZW48=HANHD5A#h#0Mtkn%^z@ofQDP%
zrqY<ofxBD}^qPZ$RKONxCyoG6HPWbhdkH&Bz7sI7v~DL`_<#CxHX(mGEc2Yxe01}y
z_kpoD&HUQgtF20v5iR<Vj0)R1PGJ172Bj9A=9r)YK<pW{*HEiN^?JK&9SYFxg@<<o
zZB@YD`A^D#R++#=`~h6e>r&EX_syOM9Z9vCyMNTf6qZlw?yhr1wny*DF0LNyjrv*8
zopi24xiRa|fvx;p(XE~0iybwp|GOISpEZmiK^S`ZR_89&+`9rbd_UrMENm>>Ks%+9
z)ISOa!Os6^qA^uKbWP1I!BZ1Q!N6PJWBHU@EN?(gK@mdz@6ko=IEKMJKk*XTs&}E#
z?j$1qAzPLFeu^#gB1$blo`<JV<B*-;`4KuM&6k_n^a8v7KT<OqLhBNn49$I)oM;x6
zd(6i`>wFYTaLa=PzOHCj!4uR?tBs!unDMcfz`wk8JC}ha%`OM}ZvJ_KLMdMyt!6+Z
zrfcy{y7-q)W|Bs=>hY%Dnko(Tk!!@C-+p;b=8@x4Po8x3Wj!?<g`Qeq@I8e>4V{e0
zNE&`+n$FCdH}i^$<O2evfoLhg@zdhyw`@T!DaO(KkFMwXId%PI*h8OWbnBfrVKBK<
z1JV^ENC+WIa>UBd!;IzOqLe~2FOg@}yDszc7{ELH?>%?61Q%O|p|wfGoD`>05Ww>D
zJ{--`nXYr=K!5&hj>(XItftmoV$$&W^XEI8BN)_lITaiV?x}HvmmQ{pcMeyF_O_K`
zSHJgvkZ||(<c14=6e-5PizseG!iKw}2o=JqN>YP=R?@Jt|GYtOyv$KH`YeZnnL0Et
zp*&Fa<LV=HgKYQb9lE2ge%{Bk*JD3ZlG;#awk3q8csqjA*QT>;IS!FAj{uU<Y>I#9
zBs=;28_>m03?ns!uSv}wO764PN17!P^WR`H4(SLZ&&kd0>G4?dC9f|vQ}Tj791{UP
z=9sPdUKmVCO^vLgvU0`CGP8g;=b_t8%dt}VS5z_K`EC?-n^bq$9b5aSsI8WA$osc*
zrJAmZi!QTO(U~n7NhC@O5XI*_8<BaM34rR{*Zw<yX~nq<ur`mUUR`Jwyj)u|PiuQb
znXbV9=pKY_-iBuRAm~G{xGNqa@LbwyzCNVw;n*#LH$e{%ke!)L0Rgs-_HxR~*ZTYW
zop&wqW0+)Pii&uuej*BIDIGrQMpoHkdh_2%RZR!e304$vAL|VIn^Ur`cIDVI;(?aA
z{R?N`gv7TCa(EsE#sH(5uN%FF$j;8*iYRz`vF7v)zk(RS1X_T{Vxcn+MA7Iddgd@6
z5_F=vwS&4Vet6)H=9ms#6nJTJWg1e#V3zq)(P@Y@L1dv*Pr*b+h~Lwv9U2uyLRTN5
z>6{96c<AO<S;5=3+V4*_Chxs((Dsfkw;#m&p!4%psg^M;S$X+O;}F2PFn98%1=def
z=;IQ69&nZ}>~{Bmtlq+oW2&S#{BqU0p_k<+$Q23omaD4G7}VXg{u8!um1J2(b>u8e
zKRZ(iCCUn`7{UtuejpI{7x#`f+&Ls9BwfCD5^c^m(D<P@+kj13?y~$9OWAB^DE;2l
z`%*mnIhiCfl<c{P9{WPF1kq9)Tw|LI92G*GA#WT<{GtKTQ7M}qO2{6<=HKr=X!bEL
z?Q6jVb6aR$uJrbYRG|QwME2EB-IQ1D4C%8ET{EKYJyLl>X&UHDz<gsx@oCp`BxT%`
zP{qz;H=U)$P);f7j${c2nH35i<CK_!`LiV>!>WZ0j^$HDG?2PDR>Ly|B!lz6*PCGy
zWLM%89uL~b<=_`1l%A%Ct@M3yJ~m#a15WD{UHZ!g4vOTHqeq?7F;D=-SaMHl5SKd~
zK)PVF%*&>6w8{;S#$@2~{n|p~Ce%eV|9w?iz5!dt;R~*~-y7MhcB(w{AtczK8gV(n
zw^iWJE<D0;4jKl@g^~5y<yyYXPcxmBeN~c*v)$V0(J6*~rO}i0I6*Wxku5$ueBn?F
zUNRC}NEaho;z!Y=11wlIlua39%EI;Hwqz!0ABqvObShX)4ra2k3qIlFF28Lp1Ciol
zq}cziVQY~0uuxU*AolRYdJx0h;2%RWY26r)BJvaAy*avMk=%5jUN%*XVPMG0EWkL_
zj{>%RfcGlMJ9kX2ZS!vVbarNDl_;6Ynp8NQu=P<0IDhn{dME<WxK}hPVjHN+zAu#@
zh$&pRm6Grir&O3>NVKZC3j3;PHBe)F>fOy>?iy)}A!s}~y5cKoy_oKh^kt5<Q#yaD
z&Rg_5M2xgD$rpa)huIy?7tL5k$vgXU%gI7;mQqE~7n3T;6=~&uPWf~Q>1t&J6T83L
z&5|}4bMl+;9y9qOhi%=W6BG|lM#;SGt1HY!o@zp$1o14p{rcDQsQne}zWJTEmTR1W
zd=gJoBEFU0-MMP2s`4<Qb|LS^vYRH)Dv2AaV(@x{+QpFs7^yGv3W5pV?I6Jk?I>^i
zv;M1#2ipW2Q#s2A`y*;CoO;r{g9o8t+?6ZOawfxmQ~<5IHpq9LiKabYR3;wJmF>!e
zfV=ZbIArc=Y(XV!zFWKrQ(~LI5x=F_2_MzX%=$EsNlN_a7#BV=U|N>{?Y?fIlHq~K
z(~l>Vo(77Y5gMh=hw;fbnlGht&#%;9DcuS83FoziG8(;hjH8h0A$XQa9c>rSD!@PK
zB~iR85!s1PjtBHP1RhxZFf3^>ZDG+mv`5=}`LJdXk@t*yRWu<|mW+<Hc@|a}D(p(E
z^mp^F?kzk-3$&1YbSzhwWO{P6N+%8K!5l|m(;B@C&Wb`yGi@6g3YSt5Fg!ZLXot7;
zc0kI<^G_?mdE-}t*@~0So$0b+SHnW5`&envDnBVN!hEq`qE-zzOpEhe#c)oa3z9KP
zg&QRTie;;pUYa!B*M+~f5(Uk5BK+R@&8VLHsrqFCKp0BU;zj@wBFg+{OgqTlo9#-5
zfIP%#&8vu32QxhG{DxmGk!`l>1QnikBgTMb?S#dsmcFv1OGM49Zp$--OYw(}li{Z+
zafU+Tup<R!Hw(=BCsza4J)X}#df4`%QNIRj+5y4_jBP+~KdX}5GZH@;+;7qipQt?a
zD>tX&9`XY;j4EXmON!MVn%W$VOmWR=9eFz7L$YP5Cideoy<(0ZY+32~mr@1Z-|Bz+
zryDW44mc(kH7vjZg^YNO8||~p4d{{>M}!rQFaZ>+;iplt?=pNYiI)7~APJ8y9d=(@
zUt!>MYFvUY2Jd`P&|Fs4HmQGe7!gtHdsqON>(6#Sy+zv@-sQ&#`dlf7#=Qsy2`&0u
z&b)b)i6lxI^m<oEL$K4BI;ft!*7UNVbwI16XpCVzpO&rupx*IzvQ3MmNaNJbkZ<#$
zzFU1f#t-4Qv~Ti?tA(vjZ7HK2bZlCCJEQOF1_%9ix7N|uS(`UnmWBmw^)RaDI;9~x
z9$C4AOsjIYQzW1!ns#l2`U9&BIaPSwK+P1A2;o1=RI6IBGsM~9x&_3cwamM2CJW^I
zQUkjS5?XVP=t-NFmI7b@{t1Kgc~&HPbKf-g+$RXh_;bHTmIK=|09-7b-hZ8`UO*fO
zoEl95)&tQWz^+u=FLL{nG391Vo#&txer#i}=3^@~XXnDmW8M2hZoVJ(SRVPpoY_UK
zO{P8nKxg8vf80Cg%yy`<gW>g<vV8EZu{|fTo8^n`sblSe2IsLZ!aUFLr81U>obB2a
zjmKj_a@o0-p0wNSTD_biisqy&&Bughx*7FhBsGjz5e_XyecP8$U9GBiZ#Sl|ARvW)
z*APDhg?HKw5BIOfB#@iPj(UR@+Cg;FwSimHuepT%1p{k*+L;DmT+5QnYvCaGz2X7G
z7K5*cv}_vB&Ku+e1`dlsla$Rrv2(KOsGeD%02saJe{QdfI|Zfuk&F<XhMPCA`<bBk
zJ8h7-gtc{4v<D*4rwF%@>d{}pyY^*$?dRciX4VlS!@8+{%wYrgyIT>|2{237`2G`-
zpa^f#=nE({narDy$YQ3tvzr#h-EYY7>q!s6F}Eu!DqN70m~|w}J0~<+4k<`ubUpIk
zL3aMwNYOb?5zOL?JsFi1;Ou~Um=(1E+ghV#-{;t=hC`2rO#Gx6(5{mb_<6fA!_Fru
zg#^rcOBYwgd=FEXn<8`InYdf$N=5x9Y{{alN~^(-95I*mz2lzqQy0}kI2*42-BRic
zL85qZOW17Ur%>?Qo4O%Z_aFdZ`wubG1B8u-I-qhXnM_}j;i)Vi>O$9C7f78S6OWyj
z?bvL4C!lR^Rgq|444VTdEMfQilnGR7-2Bm8a(o`QY)R8DS9|51;Q5)e=k-^gZIbIJ
zt;~kilPew<_-)I89;AkGy8-$68n3)SD3HC-+yQQ1pmGh^D2IX2H50JwxY6a2&tt%B
zL1Jox6#&l){|5?tDaF7*X30p-hUL9V!-q&7sieu!)nQZhBVDczDF2qx5&PL|Nl1o%
zr#V3e;#m}R%lSL-!@kL`<iplGPp8hWG<Bauz9R8%r=Y0A*O}B&6{U$O_I}FmCb2Lq
z)GncVPwBhx($&m*+P*}58tpAnf2!vrcc_IQ*YH}8xZ<(Mi1n3{SP4cbm48q6P<Xa4
z;SZ-A2U^tkU#C$cmhGWz&sq@iG!F79D4*$ht)tccPKNJI{^})YgAa+}jorvzkg&t<
zQ^6|N^P*>jHVf~%PaB%}>~TW1d)Sow?nhrGdY+TcY9nUgKN#Le_}-LlP@-%mbs;Ul
zUN7TA;<St-*Y4NBa8eFYe&7T!q$cAY{2tn1)?w0~x2NNzkvFsW#l=is2tNEZldiG8
zRBcAt6pf<ANe_(!hhApxpyW>odj|(Qi;bXjOGdKwP6s((i>DfDgS+}>ncWY)m6{`V
zcp>vRVgz0>J7Hl4<a&I2hu}(Fh(04#Sn(61a&~K?jDYbYNH@RONwMuqJgG_n@IvhF
z;^xZqtz2%Wu1r>&rJyHE5R3Fe0kVDIzTe@hEEjPq^n00;XG5{d8;&{cfe5sNie;Ee
zhewdtGJ}o<8KUaNn#1rbtyv{D^dK*66?T(pEUFxj3A`FiPq>()qB=_zh5b{7$@iJl
zA`m66h}h^-tKrwak`DL261ZL*i5wP?T%az6FyOTN%(p8R8Se2gn`CT=$Jl1m>k;$m
zKVn59P(3NZ0N*Dj_KrXCcnNSAPLWJaJF1#Vhi9akr5h4DQAn!WA5j^#ND7Nt4Vbcm
zX(?pkam-x+w$cE!kpGF`cwWXkCboeh?wBB5Z#m_f-J|JKpaG)%fKALBFzy-lP$tc;
zcB!&9*xhhnbKIHg!v`IGhL)}7P;fBql5ScRW!%1v#mB3?oy3^jr#&6&ybm2_=~^gU
z_85g1x$+*J^xFV;eYE^55RQxI$^A{L#uUT1@z*PNa+^H{r;yWn8v#ki*V{o4-@J`b
zS+fdt(8K#G(|ld9;lTHDf@VBbm_n?2e4B-Lr}m(qBaJc~_va3kt+@*(P8{B!#2y9H
zZgMlpcvD?$?i_3Z8N21rQ#x;r@lx6N@O)uGKMRtYAICBDcRq%9>l|4VyK85?{~!S*
zCO>R?%*Zjnpi6u(csi`?5%c7xvO!Db)HXwN{*}C}4XT8tR31H(+&Pv{e3>Io;aGt=
z=?aFul!j8r+BL@)O)?V@z$Dg#er4%sm7{is{HNf)pX}0&E}s<WWgR~MT)y7^bIrwn
z+pl-Jh2=G?KN6Y5Hv6$!hOyp#USI#VWZ7l`GXU5Cq^gdvfZQ6XPOBUn8$?hT$Ob}K
zuaPd_^^gA}9<^3YQFe63Ld04mD9f;Rl=y<&Im)W>b~KLBkI9<z1vv5pg~stDvSG1(
zJ_M{N-i#83gB*agF@ZW$P_Wnx9|Bp0kUgGx2DOca1rtvOWM^;!{-#4huCYDt`zdE8
z_N!TG0|~bB-CBJnv~exbGk;6?BG30b^%wfSZ4$S&I3zt^C1@Js-!Q*}?^~$5_>rzT
z-Iuwi#gF_aR>(OgP$SgIQWIZrueeg_6vzHi;xe*vl)nR7TWwF*9PRc!=`N6k$pROJ
zf?0X?C>Cv^DJt}1D&I(3JI8+~8{fpP9B(c5%<*5orP(4HzK3W0{>UrTSNZD)y4D$_
zPROIl?ahbDnozKb^@DXTy)<wG-#uZ0{kqc0PyM>N9}qYlDMG~Bien*e;abL}5#5qC
z-z#&V%8~~#cncrFMRF=9;#d7!uFu>)l%hFeQ5Ep1^@&C3+l+crIK}sh=b4(Buv^lb
zk7vT-JwUtg1hKlj_K)%DkNHr0Mh<OGYjsY>MS1cLbM&F$<+LM(uq6h~b%voGlxbc+
z<GrW{4x4WztpT@233!-0K!*RzeJ82ea*OrFw$mO?mMNaixSg38OCG0zj}ob0k2hhR
zi~TP7R7>CYJ(lP%U1(jIOx@dNo_GX`sf~aE@+>ap*_ShWy0apHnhB5*wsoK_-f_&{
ziz=g+lg0j-UeNrFjsotO#u}LP{J8W+@ohB%=c$1O`TYpQ(Hn4`-L@szSAu{LoCSrF
zgFGDPn>Y)$ca6*~;+>2lLeX2Pd-uyF3a%n_d%CmpfhT$Y`6TlrPq2S(8ol<IupHf=
zsiD8KkynZdog3_4`;8khYOoYW%BfGhtoi^U&^vzVo_5ZdPP6<jwVVKfQtfG7{N&XZ
z!dJfdh<rh68X(AX;xKIRU2y?ImRb$XAeaozl2LpGfZ%gK|97DJ4awbJocMgs$#|O#
zp^KDJLR9BKdYFfXx-t^9ZBG!AqK@(s5~}H(d|Yk0g|bRkR%{{xndYScA=?)Dzw>?d
z4HC{dIhU_Y3C-s$$i$zNFzrg}z5&}WPg!(ys{*0YA4Cxm`kC*-`6oHd=V_20X6C4R
z{xU^b>!I1|aHC4<%%0-5jp_S#E15D~1+q9I8h%rGHvq5)hmX$8{L}-IjL`rB=D$*)
zFYBv458Sl}MxCGxK-+gQbfwHpU~**SRmGlb!Uv)koHvz2o}~$=-|L!jTO+Z7W&PMR
zD1BeKH*G&v(zfE-w<mrARAcFW<wQ8AfA6O|c1*PkGq0K_jY-4;UT+mDy?8u1I+`Vu
z0pv|Y{xyOM5z=`RzBvbJ{NgUjN2)$Nz$oqh`};2VApZX!{aL{O|He$Pe+3vq{Ia>@
z!+Se_-R{7q1Zp}!0$VWR63Xd9;!A|_pS2?(Egb=vMv7?mzg+uy6V&=f?X{taJo^Vp
zXSuOth3sbOs_R>g8(&0oRFE2za`N(7K%X1MXs5`>B_rj8bCC)0@+^#GTq0#inRq$p
zH<6XIxNlXgox`K0Zs8Roy!e_Y0pZGY1}3v{4^MLg51Y=m?T(K10%c##B_gL!E4SwZ
zTcGIJH(%#FQ_r~`_#JpQr%IkUmPzb=g`m#IV<oz9lOoFtN6>xhn#p+s$*_Voh*0TI
zi1fDkUm@_fDPKHL;nahB0mLR3MV^_|b-qC2sR6`8*s+((@^`;lgIyWle-wE{GtEDF
ze%Vr|ZQSE>nkelq4%MG~sr(=o8C<~(1UkGI2Zf!TB77djKCJV>j&dng)Is=lt_JZU
z;BV#Q)f2LjB8r}0r+JhWN!K~Q-8%FVs0PbA9^%eUSB;ML16R&*8jtS!GerJ<6R@<I
zk4>!?pWQIIs1oe~RU+!;lbO4<rhivi_<7`jD#nQ3vBXK?!tW{(pVLHR*tWfFD@ISI
z6IHM7oYSQJcU^;O3`c@^lRYhdHBx!^co;a%Tf_Q*X0eQTw(}3RMSyfh`mcq3U1I#n
z5#%HamIJFYmLxUB03{v|6=&SsGp{2w;hfYtx9^Li8b+KB*nIJu5p5BK5c=}Z`V{bM
zLEl-}-{m!1OIHd1vA33jO8iO*cY#9pHp_;w-z)YF8h{h@5NEx3w?ho(qxqPQ)xVO^
zEhGQSq^Ew2AW}q53@i<3(d-PF#JtEfFufH7q*?@?6Ih;CRl|g($J4CsVvgP;W`gfv
z-M_`*UBvqiDg|e`oINDXotTUY-Z8BgsSZ=0)3<wIXLEj00UO1lPaBXss^#E2hd+$A
zv%btPV4b+sb;7W-KaRi4+=+lS-~Lq1v^VqRM8@lIzxg)uS#`jj7cu|Y>p)=*sD1fe
zbAoO?G(#BzwJ*Z?FQc^(Cn8_v9OoP!deDH`!%|wD?k@dFfoV_c7Z6ak6LT_w&_G`z
zI)DXfMb*b%+{Doozc<Y3+^-F@$8dPJqe48K*OibO4Xe?#u&!M_<_Rv<XFCwOEV5k}
zOw!ErFh$y3D}9Zq?{Wy(^?anq=!yc+y9C2D5Uw643auQo;%SeAJvacOz1oyN-jSFL
zTFw3Oj&5Z7HQRn#OCW~bFw|D-6M)`5>s`*+CwM;DI>cP%gHCn)kQE0?t6&L)E~VZY
z7A<wTa~O`SSfDb1`Y_e_aSoJCYzHEuag$ynDYsKNyhSqCfQ*XSC!er?OpM}D;%7L1
zRqkb`l=V^sC*si4guq#4ehJPpau28kxy3?+zh(f4M(Gn2`a|r<*hRtGmgmn(nP9Z%
z5qr#T8NM;vT)B+U0F4U<vR&YWG+xg5L!%86?*$Dugu_~|RZh0lVKR2;mHMQ3@Qx|~
z63ans-SOWi3UX+B?-N6J$Do5R(=C+9X0U!xL#d45*`!r*)b)PbSn2gj0^Oi?VS9M-
zl#{gLRrlsTzpbmta+4&{Pg)CJMs)=>WFGudJ<}N>)r^&<$O}N{Hz6geUuEmi_YbEi
z*!=D1?QGA<pe9(s>BcKf6NOQu;1`;%8+O~rdQm&Y-$h~LV@63s`MKLm=nv$hW4hV@
zDV}CW*j06a)NQ}ecUh-+{*)uI2)dI0z+%Grp?>Rr=v4%s-!0Bz(78zeL5yMLlwA{H
zZ~-X>&^}1FAy4eg<C8>&^L%)<l*&pX{F+;5=8SD=P@ta^G0P4+-jcXH!GUCacw{~I
zx}mTK^yAr_mkRC=If1UjS-2#C(}tREd$IAliTo7~3$_EL8q|m*D7Y3aGUtSd3<@nB
z3Gn>CYWvElDAzq+l@I|@q+3xz8VPBJMo}6G>28LQ9zc+i)Q!@ObW039NK1EjOU(>9
zFu>dw_ul93?K$`3oiD7#V)4H7^z*C#Q!fRMtOZU=xbJpprJ@)a0hit>kW4~6M0u6z
zWo2^Dcw)|BS?_fM6KwH?(kWj+fkf7zXlJ)Xw@8@%BeWcO6H7l0Ao2;29&&JM8uI1+
zSdk{8*$S1oKCaSR7fi4aVf}G_rN}?#qGI6l$hGgE##HPXSRphoB+Ro5ehEJ{mXaEY
zfXh~6+J5}~Kyd39p~U~JgLTfcS@W~Npl+@memZ#=Nw@$|z%=Hndx$>Di*dtpS}b4z
zDw`HL+eNd%c>%cv^~0+frugcFACUVv9H)2N<T-K<ihI|rGc@H7#7Iu7EG6kUD6p^B
z^u+il`znR`mQ*#AQ#R?yrzW7~rO0+BrCDEZu2M94MiGbO&h7`l-GlFDwHIk*#IvX@
zK1M}U*Y|iq-t)G*PNxQaBShNGW?jRoYQ2OMtvyMDuGN2v{l9Pjiy`X;h$-aBF&{vU
z%4+@SsoA5yaNF&r$@_u1#*f30S-tphl-xIBTAj^tZIr=j?NC9F<xNn*epZbKl93aS
zg3}`z#FZ>BEBp8tYn$;Q_qdDtd~fLH6?IEonj`IEzS5|3$EbVcRw{;axROss8NV~e
zDFZV=GNgT_Zm=?`OIu1Zity#V!GqS&aDkmpc@>?rw^S^V>y_ac9y<;+)%Z^ZX8?EV
z*lY$%gJ`PNIcplJr@-1$j?2fW9d;(@NclK^1JL|T!FXHmqd#kAMM4pGFhJ=3!{q(q
zmGgB;$j)WamC(2i+cT=*(s+w_M5XVWMn)|A1o<DQ$)<&^4Sv4rjvQ%`?*?GAfMDyN
z!xBlbP~u~Y?P$+JX*U~DvK$A13A6XE$X7ZMH=_Z7Ii7E%ssAJ9Q>87%AAkH&=CYw=
zH*s=nrrN#}y5IoF6n(>s7a;FBbfG2(u^f|!Yg(xN!qTDH*&@3htD#Er&k!hXDM*Bd
zmp(ZVfpDB7eU;XD_vwq=!A0r|28mT=wuQi;JFleLOiS-SwPw@w@xgoJBW#dH<<HP>
z2)?zTMohPdVQ`jt3;t_di9vX!+1w}11FhuB9#2VeqkYp<&5m8{C6iboBoWv8eWLP|
zKl8pqk#p}<q-;=BCoH8Z1=?m%HvKT2^^d>{$MzP?2DE&AqWw>_K;l2#SCft?(Rdu+
z@uJ!7D?XPN44C1Xt$Q-PrfYe=^<oU8u}e`j!9w})lysm)Kcu1a^zx)-nuzM7`I$J(
zI1Rd7ztl~u_&2J6s~^(%Jqd5F#GW6Zjm0SK&hg(M;X@p9upbEf$3%3(fvKtV(c3xO
z6GI$tY5c+lmeD194$@js+Kb~gEyKA9gyJs_+t)6lC{dW=Q;)c$$uMpa#QrIHoxGl+
zrx%&CjT|OKg?r7X5l<PkO-J{PJVpP6_u>+Lc{B2gT_5^$(bx}Eaewiei8%6Ay2O|Q
zuI2R`9rgUw=D5Is{DmU50foyKcWK;FIhd)$i0{E%87ZfYmRmo6Vx=uQDiNKXovEm)
z1poyIi3>|h<y`>=@oc{bO%4#U9K)Hih-X-^=UoSAKM}sZpn_Gcr|J<+i4>rmfTGGx
zfJotScohPkf-6banBz;_2ew){K=}(`Sc3<hpkqe%9dGJ5hm`@0`yvJvK7&&3zNo`E
z(qPW~ur7}b*^cKpbQ3~|j-H?mfa<P)0*OeVFbblY%4#apPpL)XLhd1i&G!XogCi@N
zgjO6vd2w-(S5Rl>2~7&PY@GBnXn-qD3_B|ZgJ}fp>%dD%YzK<3l1QV3(#X<%Lf_>=
zMsCQw3Tr+P+5Uo-R<(JHDwAH5P9eMtRIm^V{)?<BR}$ja$qmN$RX03>>E<5IM-DwX
zQ2P6Qey!v_g#g(NDV{09_%P#c38YtS$^s6@{M_7cm!SYFYw8G8_3h)ZvaylM8r&RP
zyj0(*2bi17TH@QcBR6+O9rNp`X`VSW0N7#9*u$SeH@U6%;bks0?i4jV$d1t$c+s=L
zUha3lX3LtYp<+VWoHOiBygiO{M-a_l9RrmUqE26ud>PTGntnKW_o#BC(OErbpmVs5
zc2v9N@%Hj{j>j)NfWpNdDxYbdl0|bV$jo!QAR^s9xQ_=t1W0HjPB}-5K0O~lJ~i7Y
zqdqu2e|MA;e?J+#>E&>#d3Ak10`HX%gm~H62C}8XV5>Kv>&?c|Ik^{E6CCvPIj8IC
zXY&o0+r}MfQf~`9LcU+|-3uW1q&4JqfC2r6?D~^L7Z)9^c);lQ?`!N|!i8$;4BZ2*
zy3(V8nWrjo@1jPyYI0MX0$Ym6_EW$D;CUGb2TmedL2eV1ud}}>Qb$+|)UH9q{$7jW
zH2-QIfIvR~5#CBnj$|F~LvZj@FB!WaB=z_#`p$(+?!~OO+@mpBU+Ii#A%4n56cigo
zT{+DsgV8PpcR=9fJsVw%HXR~UjtOgZ@4rrkXCW)BE6Qg@kH<RA-;p8Dm6WgLWqx7!
z)aiE^F+Z=vW!!k_jugr&Q`+MS^Hu|&@M<G^EX$T9z6?~+WK59u8r%!#SZ*jTM7$hY
z2bfoAgL|KdzQ7IMv=5S*^-;H<5|lsrzB#g-N>*~3Fu#r`dYK7rSm^h<7Q;wxq<)H5
zDhb{W+1roa+z6%E?-0xPgI7p>_Cr~usELA@R8!L`jfK`j7hO6;y4D$~Wm^C8?f%Eq
zXEx}HXGI400<bIFc{6OsiE86?2QgtK(4FE<S)rp!ZWkOPdePADy3kb<{8SwB**ejN
zaCR%TIKmwnRP4u^>ss)aD2oVg@8yacYrgfSZ1i#-9(-y(El|fm&?y!Ew9otGzp3XR
zlsHUsQ`xf0tzYxGjN{BlzYykWf<C-hA^=!v{SuMq_x!c&B<t5EsqMle5JGNG{Bu&M
zmvjYFUpzTDH5eRTDPJywKM~OCzv-b3i=8SY5Cf7r-#n47@+|ky-L?T#CMCY9J_@Cp
zF%j+R%*I<HQ{tV4UAAS4B6QX$&0j2b&T_VX^)`!MBs0fAaOjQS<wRy>7wPakXdxqH
zqzdxhpKW_l_^1JphP6P?FBp1M?Er<2pt@c}KtO=;TK(AASe8N{_|_Gx>I-NRj9lb_
z;!=1#El_|^wvBjFaW89YK7l$4(f-3(CP@=U_X&{ZY_I5HObN71tGyMnol1sExZ6V;
zx)liyg)L28GvFtz(jj2w#fpHXp1Y#P>6SJH-qRZ+x1Lmdv3Ip=SLS9By|*x(bC{Tg
zC;yGI4bTlU?#$BXL!HJuyQ;=Atb?@0bW0a_?7xJL{sIk&|1W9?EITfvGjYvhk-@PX
zlr{GNuq`4#_Y@71I`+rfj3MCEm?GDyS!~s_lI#-F2@LBwa^Ct$aqHH;zGFc(c1%w8
z$`~G4B1gF6(T%LRmrM`NGoYW=#K-X#Mjym7-*>+G%9%7CuWT01c|fu5$(&?E8kehg
zVkN?xN7FsHH1l%OoTivLblXleB{H%wcBM*Id4>57XvY_%AJ4qQBTrZmAj4)_jy+aI
z-O|#Sg@;v(MkrzjW)iv11)SRT@&J|1e^;%&-@Vz8HJ>PpsQy0KK=q5-J*N|HA06T4
zS~lwl>FVz9Xl_oYZDb<XLX2&W4Tjd8$t9PTbjG%t3;H&_2nKJDm%;#w@bNPaJo(8{
zfsaDHXjoeS0a%Hkb2X22z>4o61zaBMp5YlKfR%|u<D?2QU<+%FSu*xuwFp7(J;gal
zv1<(h8v}TUI3G1YGZ;#0G(EJRVi!tzyR|}4?x90y0^PJn@2Q`6GedZ%1!hAfbubYW
zWtvXK!4ID>FrC+-5q&<r>Q5&#ige>tL+gyUm=iaD?>K-`bh`;o0#4HR-hSAx_n#K5
z!B6FFfo4*Cg2JWE%*}gFpmcN=--BLV)QEYX03sZ+=*C(CKLw8O3B%!``tE)$0vWy=
z2m5n&$|an%&WB0JsEQDTSI!!p9S>f(#M=T)cgi~7NC?0pifcKv1R%IYMSHEDelJIG
z42n$a{m|Y4X#3nz&dI>;2YWilBI?8?@orwsd*Tq6n}v7K$|6A2+kej^jvhJydgmav
zdIPqa54@Zn7&1U4>%EnHb;TNA=i#m37W5#PoA7QRU_-H&809(C1Q&-WAVHw6=1PHM
z<Gt?p9=?jWu_fo!M~YdPegR2rA>=_DBQ7uEJk|uzzfmjN{)ZclR*;P3$97h}9vM0t
zz`9+KlSt61DVh@}L<hE{GET|)@(`H-Y<v0<W<3D}tdh4E*b6HXZv=yX_8{IFz+cuk
zT+dRe7gO_v-(F}t5({&@NR`b!<FqhZ>xN*d11iF2A<n=BTO}10G2fA|olIL3DZ}?W
z2CINObA>qr;uP%kp9Ijz%~BovK=9s4Q_6Ec1~f14(9BFYujM&~9yf)SU~F7;=`nrl
zNE&^cvN%_JZw>x=bQPJ$;em<h+0ylM<AWEghI#V!h0;?wM#DDFWm`Xg-5AvAbwb;p
zI!z{4lG&QXE>6iu!Y$8DvKGQ}<nBHrI9R`+ywh(Gb=z5ZMf03R?bRIN3Bk5rkW>5#
zAPZGah|G4<of~106$|GEOEy>rz5&8*sJ;cs8_m~emQ<leEV3HjE$Ln;iE_>R3z&+V
z0F{V&1)9Wfj*zoA^Tr|+>9<*BW*crEdh_B`#D$^Pnqnu?+B31U=*xv|Z4L=9;_-UV
zJtNSUo6kyG{;*_d-~ZGE-Q#Q(aHWYUb5$fH@6&zf(f-z$asMh|4*2{>^83SR#&;$U
z>MD^{!a@vavZa&o7TUZQ0D`yU@?vv)TiV?G%RnYR{RY>fhk^Jwd^Q?~Z3Kz1Y)2ut
zoL^zoSuVFbbCHJgJ*|Ei6t=;FYD98{*5LY<Mm1Y}8y<A|>zB}E5W$Fy1d~BG$XuA-
z*XEYVNIxnvG-jjgz8#SXLBYqSeH~F&3MRbH&p(xoU$hvfE%uG7B?ra_fsTqzn+!Ue
z)Zq220i*!CY(0`Gk63)vm>Qa|U3rvwF0O)N8eMHO9$FbO^LWyq0Da55|0d#CyOmSY
zmPJmjSE@JF82j@wD&efkuJ@?qvY@uWk=u!7J*hKL-e{|LN}I9*$Fnu!8tEQD0WQ?f
zphm1214)jQzaNHdn7-H%|IA9Be4o+q_hS&iHVMcz^4H2Y@^{c24qS{C4r-QlX}`_b
z#Gze4(;u6grTZCOQ`9Q$mL-Gmr<at_TZX+XgBx)+P5a@)l-Qd=zVYudCnKh)xWF5t
z<*XEb3^C!>VDqJ2x?B}a7r%LoTdwF5jl2r+kl=s!mu)bxNe1&fug>fSyKWYrQx>1b
zB7l^MGO!`8!)(omEcs|wiZ{;{6=kRA-;$D&wT_L1_h$B>4E?&>5)Vy)Ww=$|aIanY
z5<$jjFz;WRM%$c&W!~*3bfpQ8bpIb;_MmASpz&Nnz>TjNvQ~Q4lu=CN`hv&$gu^2z
z#zsaeASg}Bn>YsI?vyUB=CNlKfEH!Bt6a3rVL)#G`wcTQi>0+q^XDK((o(Q^Sf_Yb
zv&*f{b09?+SZ#+qe)FhH|5&VgYdV@l)xh8Oa~UW!N2k~0*DtcK7zqB8Vsn@$CE!e!
z^!4>mTb-+SVuanLn-e%(0e}{3D$S0PR$F*O^jNu*vxeSS_DewnwV>=<H_NRQW54PD
z0_az+f}t`$Ftf8qgmy)5ZM4q;hq7PtE<m)oex=E6@4ma|b*gLiBmD5zg0n2DT7a&x
z(I+pj=yNz*GRTj9jr{6P?Y;a+xX#OQrQ<dqzrL)34RzD==Q3*h4jTFea;ByvoQBpC
zv&ZZWwVXOroVfsyl!?5`ZW?NP==)>6Ba%j78-VgUaIRbjSjAH{bMbh5Mf?HKvjNxg
z&HOW3d-K92R)FN&FwM}9kap;xhCto9aB*)AO-w`^M2p`kr`}r1>KvTiYB}1T$gtMW
z%P*Ea4I%(uQp$AX_2`5^`nNOurWcn)hLEG;Z~8Jae09Gr;i7~KHBKuQfb4OoCLKtX
zShdh4#x33ZgMgiKX~wc{Y_s024L+GwTRR!^M}U%|`qt)X8HkqzU2$i5Ih*?J+qao>
zYb{mdntTG#E@H3=|0s}GA?Q*<>#YWhA>f<5GKLIYb*R;{F%W!5BY^(Tx17_bs~J-L
z;2(Rz^H%yIm*<^&Fj(HD+`?Y;o`9W<)G}_7^7A&}$fFJQ6<eP0dEis+#lH;Gj)wE_
zsH#tduE*NecvVpWH?SHtt>_+pEfv>VBJbhj2cF6W5clLpfJ~tFxf;4m^nkOc#;F2u
zIa%plsrE+Z#-dWAY!0i|mfco_)A!V8YrO96?(S}GZobQ*f{WQ&SxM;V)Rqut=M1YQ
zlk_L_FD+(BPd1q{yXEe+Csdf{<&}KTP88PAD;NUBnJT{#uJ*0J-5EtE52&vVy+i*B
zyGR6NZ%!*6eLx+{EGNk^D(OGQ{kKzYZ#Kq;f6uYsv=I%9jU}gQP5``YW8>q?Z68E;
z=3@fpSgfBb%)d{mcYA1kLjPzxtvwVNfn%eiPX?I(UrlLlLcP^j%{%y}+Z@Ft*OVVc
z6D0_(siE{f*=vvG&_%4p8JZld_dS34Qd(7&SRN>CAr$dz=mA0$8Ucr6V46n~6!c&D
zoqp}3BzIb&AF9kb2x10iZK=LFEV#k>t7onpvjW%2V&Pz|N5IMcd^QmOL}0e#;I9t-
z%j^owq!7UUH0iL=-@-#&Jtb8Y7Fg@W5FZ|h|8mfRV4>HAszEXNe?GDN2Qj$k+iV&{
zfT~%i_1ViS3oy>Tbsmo-E5P|gO#!%l|0WBs`gFyQSFYqV%Avwxy{p<>2e3`3WY9s8
zfKlvMbN}hK`g7ntyA)XQvA=}7RX8x3@ybI1L2Rr&kU;&R;(!0~*bV$+z*0DZ4l;@g
zUU^myDC7A!^MtRG;79(RH60j>Kx=pL{bH$93XeM0|JQ?|pBfMP>KBC70CLE6b1`ZL
zHS^b0`wu~g<c1_s&dim#u|D(M;~vqhjV%4&?UTTkIE^J}YL*1g6ZHPOb>1aC|6i>`
zVjGh+DT8OJhHZ0<P_*j^%O_m?WpBG$V*c4zzyO#9Oq&1QzW<mrzx>C*lEwJ@nEq!Y
z|8sW#e|P{f%#4J1D&N;&mgC<v>Xkh5FYChJkNyAjE5aAWS{eGRa$31P2l|$l%x`9<
zRdp8vT__4a89LKja_I&1j9ph8fn3ehr&mPnm6+!*(_V09e|YZDr9ENgR>h_r_<dmo
zK{4lTEo$A5>M8+Wd-d#QQ-bt$Ivw+?>FH8Z_C=8!RpV}>0#)fcn2|AKh%!L^UhT&J
z{Ev)Udk%c(r3}qq&gJzApGaPeJsW-Ip82hbOt-1$``OnEl!+y7lag2{mZzm-abM6g
ztq{VweuJX#838<`$%UWOL@1j9mloh?{Fi_tOjv2>dzIlOPNLrd!%)qsm<Cyj)Xz1|
z&l8o)j!QTIFb33fcT5@~S~}0hT_t~g|FoF}axwQ5l8_i)Iuf;{;!DLj!OyaNA3zDO
z5X^s`EmbWI@TYw*C<YBKX)0wD+q1c1S7twuJSnLQ{?@}WS&pGxhUTt>(@{<S5&Pcd
zwW6S|E7{F`E+bnn`g`sSpPKr*T8Grv@`_;vzgVIF@=h(M*x%Mla(ax`t;C#hIUS6_
zWGBKw66$~;q{!#?W9EIwC1(O>CH*#c`LMUSpM1U%TCyfOR-aKT>03!y7zj1J5(-1@
z>S))Ck$Ah{tG-q*Es6$wfxkWHZNRn_k8sqk+y+ui{7v+plxv5DMoGBT1{ibCr}UEJ
zEcSw<E){c~+7EM*r+q@+zqSUXCeej)K3g6=^`dGZO9r?7*q0;Ks#;vFrM8=Ny_@Fy
zCHM=?$$hchYqu5qy4~&)t6E)gdcfyzXh^B%Y!oIp(*k<G9p{%ZdYS~2834W-h7CiH
zb@faP0`7DX#E@>h<kx%}c;YB5aOZSm>!acPqqQ$U&M8IdvZHYj;as5dvz-oq63d#+
z8^o%izg-lStS&Y{(gWdsk(YTe$+Q4e6X<Ngc=3+Gg(`+f42GfMJ3sJ~I878#^;i{D
zO15ow$~O@9L9!C*03k+9Oe-n|<=<`tc0}QS-<q>XrY}zi91q%I9Y&)Iv!5;>`@P>=
zxYQlJIEJMQB6(>=bh*}2i(}djM_O}P%hr>8v>Q)F&aFr2AxUnOkJn!R?*_3#8~Oz&
z4PeM{<Iel&P}k24&#vnYTs|%^ykrn;bj6B_9sOBC8CJSzri0}?pw}YsvlG$Y&kkui
z6)BplqhQftR$1^MOG!!mCI;+$fW_gT(_k~u_5gFcuH7bQ;NpuK9Da#^VPZDh143+i
zFO?1<x%?uREiZ|v;PR&MRG+TyQknjQH_@h++m7dU9N&~;S9(Ti+rT}|8-}?i>S|0%
zq+gbu^|7{Sl7=9~k#PTqbuaUWmhcF|rNZ1cjH_d*BN1f)Wo>d-sp<EoOH54(9A7x6
zo2HOOS)+Fsz8@uF2qrLVTu)IghD+mc3^f+e1j4>ZEkOY|$mAk?z{GlV8+G4-;FwmF
zL%xBIv!Fd=gkR0!2N`K9SVGP1dXrMm_qh5Br1`$Dol>9NbOuS6up6~(Hkp-`jcWC-
zua!{Rhqg6>r`~6zfgwQ;dUr!Wi9zv%!S_g~fvxMm#^q*FaiE*5)&|q%-Z&)x#t{q6
zqSqOwtr>pFf$K^~a7inxtk{y+m9~-%oTX1gPRfr9&5~K_1Gj=Tg|>E^^LvIR=RPgJ
zNoFr@|4<R<n3qn-60%?ZREWTEr?+iGcLdotpC$PEO}^cX)o>;G>f_6Mye+MFk6Rg*
z^1IAKKg<Puz0HQ4{$>u`D(OnIBQPpbJ!l2kc#t-z<(gdKY<M)ecog)Qr>uOqQeo%9
z>H)o<ZK*TH3a|=h0afV!wW21*9xIKS?@FQ1{oea8T;d3)p1LGs`uwDa8GPSozclR3
z)B?3-nlqT{D#Rv>Pp=QFs7(bX^YVAG);uz&&{%Q&M0raqGC9-6EcHp}dZiwuT8J*q
zPC@$o_?1~&4XiNTCXpb>>EJH0I2ErS49D^flLN{z_j-gTX$W&`>s|iq0Y5}CtYt&J
zd1#GQS-LN>fK4P42sruYz@)S(sdiiJzD%)7IRP&wVl4A~mzcZsk<|B0R*<u{Y>4_b
zzcvDJQCmNpXz`70lCP3LVu|a0SP}hH&=|n8`+8z26qaUWmeBDl(&af=b=HP?t&(Xi
z8u_vuuP1j5shj({Ml<nBB+`EgNUX=>=pX?CQGj*)>gT`SLqU&@x`eN4Wq6*>3gvf6
z`x+J>+)~B%v7DK1yZY;5yMWeGHWbvp><;RjsOM4ftW`>#n462--?B&+UI=xGOLWTL
zquxq-GdTK|EHW}Oue3BSF)`6GyXm?)S)9|78Xa(T_1~T-MOQtXY|Df83gj?CoF6q6
zQ+aOQ?=KXN56wQXG_eW96K&x>%}DUDd2xeirW=W?v3n-uq<x6ekcl7BH62zR+Y_6o
zp03oQlbOxzoLj@(1$nXJ{(QYFZcb1#Y}Urk7o8LlLa+NSUO(Fkio?D23>1vBt-Og=
zBj%W<*w%}_c8$36g^Z+z8IZiq$4o98cE58(35~2?%*_^j0iLmYm9{Ld30r3-Z!^-$
z$GGNoalZgd`};=rY*3xpD;1rj#eLGNKe~)#;_8H)pwE3#G0z{ZR&}9GE`0Z;U69kE
z@H7nX6%`S?;%x}QQUHYVfEwF-ujh{6A!+O*T6!nc_Aokl;1s0uPI<WSBkg@i;Sb{7
z)F_sHs_>>t>{}tWkSM_7x-8yqlu?z&dRBF6w{y|D^KyLS5e)nb^AHv1Z*fVBv+I{m
zZ7{sdSV%EgNjVClUTx!OdH8Loo`8+{-fw-&DqO`m`mB1%?lo`!&b0r*!6gySw${p`
zKjbT&`1>|{@AAV&Z5h8Z@>1UhBILr?2c@V6QLR9*VsT2%`j(V@Zg5W=*UIXTm`Ru)
z$PGRpnIhuO$ii~V+S<D7#}7$sYZf4;>k5NQ5&%beUCXuZEL%3dpg?qiRRvlMn`QCT
zDKV9VJidb7w@jdqe%MalJ#gtIg`t!u{1TwpWb0h#u!yjh-UL{Og6BD4{#zrYk`n#K
zGoV&2GJ0lCnrYGBR;uOj$sDY|=F2emknNMDb?%je;82(ubevgF=T!?!VaXljoZO_7
zd@{qHJAPK}X*;Xd>up=w1f!Kd9C*PXmIbvYH+TcyQSN@CF;Agb*qKl0gE?#W(B?Ww
zxHH$uOea~3MkS7FtzE>69#FMCqDIU5RLCwq^`ti;2)?su)_l-*gFXI2#7=0X{%&Vz
z>6|l$A>o4ho~(!fyTCM3g|r$%6G=7Vx8%!7gV<VOq)m*1Ry6F^$5<Npu}UvM>BD7V
zUhC4H$&O!VCrih^GI|9IZm<maOqD^Z*}Z|_U*C+hl#O$S{*HS{1E~whN|RFO;m@;^
zYVLfd*D!I_WA&#URofFakZL??`-x4Wh57KvadiGkf_-QL*Fc&m7dcLBI!dWUpzn2P
zjpvz9iYUoI+oNvhm}hN^8@#!j_NlDfRl#6)uSoZ4ic|vxf#?PDdfH;rf3Y+Y*cNeH
zGmhUX4LIW+pBzvsm7ocALh#GsD4d-hu@DY#BBQCWBM+Z7+=kPiOhwu-ES8%Q5-%c*
z>OCtc#>V2D5Q`50FME1f+1;wDD&Q9W5$)~eH8?yRu)pt2EBqF3!RLeyA0OWg@of5f
zG8Jj>nV?p!Vf#6b0l(rH;dOd1u@REY_)c_?^Od{NO0b3Ai$-U?JeAmdWNnjnp!^s7
z9EK<hLAb^4P70-+1~MjUzF%!uCw5?&_;L|N+)T(@^-Oz2smkl3N$K_pf!(S&uePV~
zb#v)TS?(NF@xTdQpZ9elwQd6!eyf1XGOBo@)U^OLPmXP~_Q69AbD05j+``;XUV$0Q
zBsW&6o>8lzrns`6X$qMd=$nXZy6++>e0re!$)$K)`j#Z+64?H+M%@siJB^h+xpRz!
zx*XF`qlcV{o!yqD3wLJ3$ZV=*yYFvP7#bcz+yNEZQ|dvea*t_WlhIEXX@e}Z0a|Zm
z?l6e>P;CEq{!k*qi=;4iJ$96F#f<EjjziYMg8rCZB)YMai%|r_=w`XGv^!?FGB?TL
z;kPS*^0-j4Qxu6{i{z-8nqiZ!nw`~K-Pp(~DIrQpNpUut0gOHOtATI<QzIjZs6R*m
zKph!!he6K3AeC@U&IR8loyA#N=$FG)EHaP>V>mAx`Uf?K9I7FpvDy%ohAL`?qjubL
zw#*v?_4fvwNgjzJsql9)<c>vn*uAXdh@V?^YIdnwep;YbhZO7m2tRU;lxQ8v2{Dk*
z;m{~2&_rp%IMld0L43Sa#=W9#afJHO#7&;?XzQ;NoYA)(F;!>wp`$QpwAW~*R8ea2
zgzc@IJygO?pa7j~L5o4LBfkaPUiO!Dg$|PoO54GWsa)to&+;0>d82L*q6&mliC;oc
zq2)H3{Xwh<5VWYS*wZ1Re)P?7dM)4m>r&E&0XAMkgqwD1+)K~`xkaMJ1Z6~%g!FHR
z=8W_Tb!pRZ0?&<-E(FJ}HqNj!mzUX^meE4_y`qJtJASX8x8TneMAn!47;=^v*v37a
zmqEB~jj{ktyMK}^$x@PIRW8-*lsJ_swV>{91v5*_tgm0OCrb2Vj8h7HP83Flkp+}5
zOmC3|Ka>v9VR$Iej661CQIS{^8^1?{jc30q?k<$7(n_1phpn2M+e`ea__ij>LQf0W
zE7jvnM|r7Acj)TqJxgCpuHu#I)6=9!T0CC`3HSNH*uM|cfes{=lIl4MjuV6N1NshL
zOU4)legPWDDz1+HeK!1u_ZhZ08v@qx?!-)HDG4bwxTyy7!`(wr!*jUeuRn_<{EZ33
zNgNMy(_&U&rTOHNgNs(yd~hN2csNR5rhABB();`dkMdR&ndvU{Cu$^)C3K-$8KZ|C
zSBQ1<4*ln=hRK<h*>u}R>sr-MMXhdWw56hN)EABnx;4^S4y1e;QQ^|7;kFr3<}bdN
zM7{~@jW*JV{~7f@{@POX$)xwK1&hU?s*d_vjW+KNQS+$#Mtt3b<p@PGL<C}bt^E4*
zCXg+n(Mx2W6ci!ly7?%6<0gLe&iBtlCAoJir1iDb)Nt|V2CVWd;kEQVR?Y7Qm?Ti-
zR+R}0AS`!}$nTp3|IIVmB)w79oC_SG*mBz0A=?=!l~LI9-05fOY$72O^en*@;fXSy
zt0vqT#jvv$19)+$d&7tP9Fw-06DUl6q1bn}&W8Znj+y<gYnc|@sKryZxLC^l@Klvu
zxRP>1pTg;4-IZ3%OM`Q8aC$ndsY%>?X7BYy|Hc}+XuX|0!s>7)H0M6+JTKWHAPK$A
zKM2%%6)-xiX8C9o1b&$0CVYtQ3w(Ed0O)tT(GHPY3xCcIRsmywgN>91(?OfOgZBF2
zYS}H<Hv#!q#J5`^kZYCTpQlYW4o>r~D>@SM*q_qQnf8jRI#G9dYyIw1Tt{QoIj`e0
z`h&ei>i0twR#v|g1aG%sn{~p0N|lwa>FEtb3v~7GzDj3Ly4Dcp%MYx0IPvpD$1T2{
zdaN-q-ZS`$z2yEplBxRGfI^9HBddIa^~~W2@NE=B=@#^VG|yfrugKrDTw>s5=oDcF
zNi9e);NHCHgj|*ta#jLz<F2O`*q<n1KSr87?kM|-l9i%=Lweo+ODq&WdJEQk=V;$&
zyWorTMT?&@ARZzChn_gH7<>d<HgWsayc;4k3a0sF!860h1<0JyXDJ>AushNmHQb)x
zJ3evLq~kB_Ely+2Vg78lB=g>I`44Lz<pp-jyudb#Lm}6#Ub1{1n|#NN#wUQq1&KEU
z@R=PIcUo7wIK&Izg*gss@3gwRYCPog#%9>?f*sJ?-d@-$Kk!5jOwd9s3?(vb2pDC#
zHx33Q=rw-?J(u%{l>8rKte}mNFm9{lL2e$kchqOojqhqyEg!f!SK4qiMyt~^%5R}h
z;BkeCVJB6thpvnjd-pHbnh87}V-!gZL?U16$CV%KJBYeEKA;yy-HA^)r4(m32nyf*
z!ea$2J=%_v*d8WF>cr#u(<Fp%6p1v&#M<!~=o7=c%+v0xzS5Z~yI0Dg8xd5IyTX6M
zwZmxiBqAvU?;;Mx&~Feh$<Z-defue>^Ofu(-y49FjiKhydYba<IFvZD^UP>%Imly`
zA53Mk);YRK<)t6<^dNz9Wm+alOU`6o*SoQ^b~|1aPG>iCQmS)QWr#30Z=wa+ox$(s
zGQf`JJO-XWc|B9z!O_0MvW$9?_QeqE7HQM1hfT*ufnfKu-o7D6;}K-N;KgJyoDsN%
zcxmpOFWIqwm|J!@(QIqq99Z5!O3#Bc#4lcZ&KZxS?dw79I(whUTqtl&P`|>lavvTS
zY?JA49aw4f0g8iK7|%CQ#q*%~-5I9BUIPcj0qD)>H>wRA!Ui$BgQZI+(WVM!k9@Nk
zz`MDrrp%yVin$4Pbjzq`=$oDT#Q;a<i6^tRhUpnsKq(-R`#VcoCHp7ru)5lP`S8^1
zD+BCFtH4O=!wn~-0u40{%~d)vK%#Wr-#wGK!&5@roW-JSvhI(e=^1Evug}kdT5geh
zHG_^072H4Z@W7BvIy;3hdysf}c{u{1gS0}<K>D_N6|**w@YDW+jabN!DJLww`QqDg
z8N(%BMXL6@BWCvR@7JZQJ6PEh#pu*!o~JXMv@(bVJuXM9*wFa!CN3pe$&Y=PVNU_d
zE3SrEEPudxI{Amzig!~X{!NlNlgr+Go>#XB&<}jS8fv{#s8#k1N+Mq(CjJ<t*dhH%
zR}7BA|H{ORdjLH41?(p1^dXUs^rslzvRP*kGw6_#yv<H>9#7r}P`pMSPQNDxg5;vl
z6M9x`d5C!jd`kULB<IMFC-Je%kJ{KFvoixS4Bh}8eDWpAYRg42YORhL6xexaJO6sx
zVU|mm+x&2w68JO7Uglf{V)PH~osj_~Epw|tBNw^G1D`c1cLqm8(-z~kuG++8L3W-V
zpeEBvmHt^H_g-OD8a{B{>*3$_QHIS2w(|R82;=v5sNuz2gM<HuTuk%W8b<?r&lS=T
zicesW+eb%7ljWv2f!pW<Y2NbJu9_>w0e29N{mRG{tY{--z82#2)Z_f+JRET%Z?On7
z7mIKY2T6INag<TdxVhhDW-`_~zMs_Cy`NcL=vYO0x~^Yj@`Tasr2%aTWP&ylU^4!7
zt=?+G&qMFCeg>TB(pYYLvn=u@AAV*sX@PJ0`fSRcZz9;wC*EV|K6!F28L1PkZ*aEx
ziSIu=_ZbH*eu)7uSzr{Y8jem*dJu|5UfqCq5rS;O0;Ad`um{j{?1d%6|CJ+OQr19Z
zT}vUFp}W82yd$i^)C$eXVfvb#{lmTb!`(i@g}SqPWM@So67eBz8P3Ddq8>tS;&*YK
zwCc-Z-08prMtka1VHCT<bpMjv!tGk^_due3xoIcRsFA$u_0vV+udx|(WqM8~6gvVU
z&AUyl-u~`6WYPqY!67r-z8k<R@R+UYx1~xyev+RjZ>rAg?Ch*!U=X#p=K%1(hkOsp
zw`|Y({OEJ&QiJ^Z(YLD&rv2Ab$={y1t~@_*YBQXDSIP#HMMt_F9-aKap=q<pZEtT!
zU83P%>>p$f=48VnJ1H6hDF<$l(3J5wS3^KEtDPnvUvJPfkUbU+KmF8$_)zQ7GA_uD
zsr6n8F@%WiWRjBV{l38g2zZf4qORUUteVQKHI%b5(KvV^dbWj!?^#uPWu=A^g}sA=
z9I&BB1Y@DnZeD`UH{N4zbETYOscjFdPUyouVY*si3Y+>Zm8`MupE-a=vMpad*KvRK
z1+cUezb&Y~t7<h8=4Nu*G8O;RAYPht{i!;;=BHp@j!VfmK5n9n8=#1vd$J6o;qUE)
z{8`(V$^WEt0n7g1#?(Ap7uU?pYAWXb@%!5{LeC!Wb_%fQbb-`^$DhR|JJ-3x4S>Lh
z>Ro)d@tyA=3sHZ=6bQY1QZ!(kv_M#JmKZf{0ChM_+BM1t13Wg8w2fawa&2w`hMV68
ztRQ)1t+2}Lnb4J71y$XN&||l_bAuvhuL>vy4i1hW1jWtD#^zMscyF82K_*)>GWC*1
z8W#-Et%A<0p>Nl^$!e8f8CFdw15V-af5UN6S4YXHC?%>oS2vse3X}o1`GmK_;@Q!5
zS5J?$o7=On0rIR1FOf6cGj47f1e09Dhe5@NM3NE3_ON`$-iirD;D7#AngmCS;?fW7
W8l7jlKh$##_`Hx+k|~ig3iv-=7i>5H

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/WinDbgNativeToolsPrompt.png b/docs/GettingStartedDocs/images/WinDbgNativeToolsPrompt.png
new file mode 100644
index 0000000000000000000000000000000000000000..ca7f4447622b5ffa029ba936937ea19c24b2ce6d
GIT binary patch
literal 29158
zcmb4r1yqz>*ES&1B3;rsL#LE<4>?1lq||_dlp@^>T?0tNz)*@vNeCj12qHs@AkvIU
zD<JUSI6lw&{cC;SAFjn>amTq&?6dc^uWKI@OpJ7{kg<^A;o)7;)76CG;o-{yKX*t7
zfGhl@a47H#-w&pvj`#E}D;D^J&`r%y4G*s&jr_OcW#Dhpd%D(sczBe37eDwz-qp@{
zcs{{;nrdc&cHfGKADK^2p9$>fPl-+RBXr&3QZ><nAP`JgmzwIDU?NBtk8OlP<JzmZ
zMFf5{+1!hXYQ1Lzh{|dZs<h#n=cvH3F~#%#qi(nQmRZ{eC4Pq@evx^Ko1q^!l~2BQ
z-B&t!@Uy*-qP5~7e+wwRtvyi2lZX+b<_TTt0ky=mfa1yP+U|FdDSXnrqBZ2kMcLxv
zjvO=;h%yj)S}6KCR?z?nQj|d0`Ba-nmrHk(mNCpyf*oa`Mov^+D<+TE5^|Bt!m&3>
z)kz;GG}1+H(Z}1+bD-4}B~~&jgg%)jHI=Us(?hHbkx&YhC9B7DIym5n&gH?=!M7lM
znGBsj7tNiKzNXL>M=ObRAMQB$>)PxVv?jCz32OU^8g(or=o>`TO^@{6KZB61=11g%
zV7QkIkVGPyi8|>t8tzjg)V|5(>&rQcrVv#_I)*>pkRgOT#N(|TL$oJn#GAvIEH^a`
zLI2#G_J-)Yc6XYOb+QZ;HBdgj!TgwTN;8#7vtDjWux!eWNSc?}@`{IVA^&dDpKj1V
zLR~@SbObVd#c5D=I5)26*(RT*XqkD4rVs+~{yhl@$Z!qu@8hf*L3?Aemi2aZX_I3G
zvSL=x92PqQKx9h$u0m$^?Y?~WR%Jab<uaZ#_bg`A>1(wvl^b+di|MAtG<kUZnkT`}
z)PUDz@aVvxeG_5YA=F|-6GD_Nf<_P_uNUEmDUaQj0z;<_Wk=hO2HRT~Zv1$Db7L{=
z!*4||`+J*3<lj499Dff!?Eal*RQHT|Bs~Ijy~~75+2{2hg{zG?B!F_~didFI;fK*N
z7~$BL2+__c=@HEb(nQj+J0|>)3^55ClALF8JlhG@8q8`ge-?YCV&9%)p=JF*Upe@@
z+xab(Z}wt^r$2ICLw0tbh@C5(e3{({+jBh#U$XiAO>xtF=~Sr7VvfQE`Am%zO7e4~
zES`PkVVvv8?J;%tp)xvNxp<5P+Kk+oc#B0n$~S$+N+FlKc9`*sMvVKt%y~jaO`HWJ
zW@8jR&U{X0f7tDfGme}e^frfgTfKBy9Tl^$`F%VsztkyluHr57`>@E*Qv*CqDEQc-
zjvLY-rjx=FD<5S};)j1{u7`>my^|$PLw8ADi(8x@O+|$cB*|b=FB%L4X-o2z>7O?9
z;MH$kE=RHI(lY6RwX0XJMX^dsMU8L<4U}07=wpXkr$RzLgrA2EZHkSZ{T^s)?UX)E
zGNiZfvN;(0vUe7}y8q2@``wo*vJaAaMzmA|W2)*Z-w7sUJP9BTp$8RI%#~)mB(X`H
z+@=VOTaDQi90}nUgw4}+ptmSd%{(y^y1r;SdI|NH?o2i>?$`D4ie|iK<ihQ}4A}A6
zw>Zoz`|jXx-F9+cmc+8d8{iw3fm@-W-@`vzZ7;PlS}ujQnhM<^kTjYr7qMw3%;U`2
za0l5&w>vaBX}qa;HqnQ~hzd~4D~wVTyyK){25WgDFX>hC`h$s7?<%M#r{~b3eXj6h
za68+nYX669*lDZ%ncwMDcz56-<2ARCBgnvP{n*j?wY~F`ncmMYJoLfO#VBE4^@A2-
zV_+nCbNzAE8;+0z2F92hNOgY$mkKjK?!3%<pzKOr$L)7T(p#!bl!KpYay8j;<7$8f
z6{zi3=6BnlPb<DTKl+Uvmo02@S=|@2FFufA4_bQU2I_iKLw|kM-8rlW^leGYC&p>k
zseCUWi6L-d;QIOzlOx9}eV#8jS3D@2EsgN*cX2d~TwQAlLr*RINRLNXm#11iFAz<*
z0>&@%(aTD|Bz)9Mb_G@m=b=x_kVB$&?j8Ky_q7OcSNp~f*{P7`<HxPxJLkpc*4t7Q
zxg*^n@_}2Y8wc&@p-l?cAR>99CERyRA6^W3EenrgEVbU#gHY=${B_x)m=^af7zHmL
z-nCmWUNjdx<`dUtvpfSm)ef?CgtIPhE%%iXMFOw^*hZV*o;Q&i=P<?4a=I!uwtLF~
z_FXOeO`H7ZN$f$gW4}JvXD@v!`#E-b`oSW0imV{MIQE&*;L)(bjm>s}+N!?`h2Ed}
z#CdwpWsG<>>|lewL^*gvWtRAA*Dv>Ddgc6=HnC}y(+?PuVM*@A$V3{8Yf*o^T&)$j
zE0z+If7K%7XwaoZS&{T=S4p?H2=EqUdtzV3d-SINEF0iE9&TAb=6s_58f(*!`ye-Z
zzw6qVT9Dz`iDmfFF<(JR-mmjwa^-w42@b>VvoCi{j(7KRkwrhBm`+GsRnoDxupN3$
z)CRE<f&6RC-w$Ls>~8M$h<SdrKV0`@yc-s@;`W9A{7Y=jO*>wQ(D~l+!ud<{&~N$I
z3KLVM&i1RHCA!H#cW~Yn@CfD`oVIp*AI<GMpRZ+g7w)|8kUD2J3Azqt`Tgi;-REr2
zrw;@bHo{{h1X&+r%=|qafsm4<hl?B)$d}Q^6+LP;d*3l)c1k5+Tb1=Cb*!hnDP&~W
zN>|NUJND+P7U0cA`2X$jVT*tIOlR<V)wrQ?m495B|69PzrC&x<clYS$2b~BB*aoTC
zH{W?5`if+2TkEB-)p~#gL{)_4A2aVjZFJe=P2@kQ|FxC}h9kXT$TP11y>;!Xr`J!P
zE4}7oFtB)Xw3bf$1}jO6R$G*l_a^ML)9#ekCaoUe`p5ID1byqs|CvKDk>725IIOX`
z@bl9Oaai!j=&QEdFXF|5wi=Q+&iY)go-c2vDL<UHmi=fh=^1TmSs;-}^N7_VEP+ev
zm2eS^Ba7YV+rCD&<q!zJg`^+n;q<U}jLIjoS7w1;cH3gsQEr8puZy+jo~tC0uh}o9
z^=kZ(Nb-8chZ!zI;R_fJN$3yq5rBx)DIgiIzF=o>Xyw`XJ|(MeyVR*liq`tK%geTm
zoq^}`*E~M9x4nrC2j_LY29IItQn;=8AQ^axx+G}Ir>~gg33)}KgiaIuc0P1E&kd03
zo%cMjG>{}!+=?|LdzT8Dd|r1wXuY|wsW*^h1kK@xv^?U~0y|uaArKH<=ZpnsMXB*e
zCf?u5UW*t>=0`Hr;OzVnIJR3Vc=AE*?hReXL69vWeWcE<NLcSxxJlw()~=SnZ+^rK
zU9zQ@XcX+>mdg$S^Uf&k^v%C3Z)&42rHv&sg&=6q!xe50g51<Onqoy=`wRLI&|MSU
zj);MkF!S*7gNtA!gf!^%u&v7}$OP%#jAu+~()T(L>M@{x@>~;}TmO05kjK?sNa(ke
z9fENf;Z|JzG4Ws6;NK~E3r+co>9Pbf`opq0`HV=5|3hIYs)PTJ6+l1-dDsLPgY&VL
zh<jDPzAMti#u?Y}u^}88bsyE=_sog?34u{#?j>`_flJa5DiLMeXm+4vKGCUxtY8Ux
z35btA{B3H+5mO$K6*B6PT<pzv2z65QUt5EeH*-T#n$`&HYyCe<unwE&11{L{A^9O@
zv)Ly3AgHaSIvk}LU`vWlpqUQ%A8$~j_wQz;hxG7<$_o1y*0=iO?5zcjBqG~snK;@k
z`LU)dP!b|3>HYG^_2qZWW$eM1**&e!Y8kW5FJEJFq8-6yY@%-}T9?8U3mjsgZ%V?B
z!EV#|j%!Rz_EwHD(q^EO08lA=@K*`{qOorbj-zi)CJ63cl1fuuZXXVvP2$W8I+=*8
zU;x#jdD!r?#y&qTBsGGlBC$C4JDmtK;NQ)eJX|LivL<=?Ruk+6d+Hn)yBynkN4pHN
z*4Zq6<LeCw&zzrWYXf(ca8d$hyAE9XjK5LX=AnP${r$uAMU<>|o7n3f?stYgLLwyJ
zR85(XC^k??IdxpfO9Tyc1W(2jfLkF^wDs>p=oS8W{dHq7KgUBAkV=T9`)&}{WsxV=
zp`H1mknbB;y4o1;Vg^_I9WA!35*TRpt4H~8_UpDEJnK`v&k{O>3o<jdjvzd|()4y@
zU-j5%Egr#wwieHjPFw19Bo%cL=Bg~2+z1BhJb!SeRxX+v0@eJc+T4gJ)8AL82NP-W
zT6^(=G6fY-KD)6&FwCV5;p_xKY4tUej7hnacrm0&(h67mB(l=r7G}!XY)c)Ik<N!c
z>=V+E%8Yz1zHf4X)C+nA(qaiMBijXA4dP8KP)Ea9uF?#b!KTP;8d@VH!Ky@8^&aTn
z%dw>;oJ1$n-i6ubmy={jGm)T?sv<R8)bkbJE4X700~k9(smBI*P-ZGSFdI`cFRX+W
z4b32D5WRF6vd=mZ-Gg-A4QddVcwGVig65jA)giz~s?xWwbJrl4IwoPz4$4i{t^Adi
zcb0+aRFYUPEmw@Nzpc*H3!eSdo;OVC+T_Sm_=-8fJA!N&KTVrv6j6j_EehS|K1vf8
zLqVUg{cM8mASqEgkk?s!%9X0hRgKh|iZtD37#W~yqisYg(jU*mMNvGMW=Z-kb4J`I
zk(bMKkOAEPhI@FJYtpWkK>_`O)0cqzvVkgPJ|A_ANl_`%t3a5+Ld{jzj|WQ04d%kM
zlBICM#FS`UM<PMQJ<ZoDxI4<xxvA;n0m<(;C0i;Izq6r!4;%10d$^l=Q)VO^3Uy|=
zr@P1a79L^T`SA5Bk_pvS#btS_KsOwUYS4^{zWWZ&)x0d3cC2iip<4HAd9*sf%y_&<
zLDbFu5&L}VX_A*koIi&wmP_4`{w|$VxLp*WiQEwR<3C19V7$&Q@ZBB;-Q415Pvl6^
zR-7JJ>KpG5SH(QZeX5)HmJiLt_hJZJ)R8)>ss2M{lv*QmIb%OUD`-iBr1T(z8H>kT
zZAO!>Ir1z($4pR5A;r>~n2nQ649QN>k#5JiR!-d|r+}AIZYIFVTP?!|#u&b4<yxCG
zIpCH<)nILGmP7g#4a+>4tJtL~k~o>u>;v*)`DLTDo?QArMj6P&N?w{%ediO!&WsrL
zJ~l(9`fE+8D^EwIr~6m9zd~yB_@1ZhVTTQ{`4!i=CSGPFlBniO?m+S~bC|ib(+X?#
z2{LuDP{<Ah9VD(mfihUrjUbssMrQ0gyi4^rY$}bhyN|%Qv+f|%8Jw8|nz$F~JoHQv
z71A_jO2UMtPn#1eD-`0m#xm1szq9QiYvR><`Nm>nbm0r-9r`s3G#yFOvTK}IVsn}D
z3L6t|@p#bIK^3Psvz@xqwYxh|--}{UrIplfU@jVw?O0}dy(Nmbu)ON1L@LG#6*@$l
z!6}`lrCPpZMrF*$9^H2+J)pN!=<8@TYi6)7rjhbdtaGBtX9KmXM7@0G@gSI(;=DgY
zJdL!VZa(T7A@;k!X*z|u2Nze;Cj?6cyB-GIZ*398knW#Y21{k9kHM>2Z*z2?#x_Yq
zxkY+f%D`pP&@Lcf4f`8<Fq#hq%cNCs;o!o3w_iMg>UbK1(M<T<K?9-XtNj9`vB>JD
zLjU!~a}~hJ^NoNi1;lXgvY<0o>amYo077B<xZpgBLHBL$WyXc$U|KfAuG4G)FQBBI
zj5_wi*4{C4P%53QB+8Ve4+(b`$0bVdO6)#8jps_SEH*@O)BkaXe8`R4QR4a&vssye
zBFX!+Su;W36F#TlBDgzfU0avZ?6T}$ZspA2M5Y*+GBoWTgtYpK=AYOEM5D9>y>3?b
zgVuz-L|)`|U0ff1OjxE45{EdQZY4978#w*)g_4-%6js01@V<m&D)^9+>JlR%u0eDU
z3i*-OopG-%qMAL=KIiBywgiC=_G=gmTMZ77ZQbljfmDkxZkyfc@LCkVTns^>E_jAX
zIPi6oeD{Kj0FG@IWPy}9lxG!k9MUZqIPyyrX$Q(aLjY~N18qwbS&*WS9)XiH{9@Fj
zK>ZOcJNHs(AlDGUFdrE`c0wWP?mQr_jVf4vV`NZ8Jqbs$R$MU!hG<Y_t`1jrJ(C2V
zlB8(S0l-5JSWhQ~y2Lb$>czyEGG+Eie%t0fqK*w*NMMP;H5h{l8Qpftyd(f7n~1>>
z@dEq5a<cXpn5|>0*g8pU{6iLlh_~6nX68srhhe3-T}FudC>j>!u0i`}VCKJ(c1^p3
zSH!v-!d5*c!lo6n{d&x0RetwNUA?h8w3qvFe|yz9An&2^>(R}Cf>9@3qPKF&w3@V+
z|8}kflO+10*5hqqZLNHho8?$-b)mf9%s#W!TT!u+>))P$O)HD#AMW-iWErWPCQlj_
z-241%XLYbh^01$Fh}Ca&o0^B{in9N!S8C<jX;|OGI==Pst?SGXbmuPvs=J7PzoNBi
zEA7;eSni9zdhPn1;dHKew)=CRdZLLbnC`t(BR=@{q4mL!k4nLZgx62LHW}xN+A0Km
zo_c=wCWUM3;{6Yf@oW&_-<x?RNXg7y$$V{g<+3#r9FqgAXc&aCIG76>wBR#jZehXx
za4ka}yR3aP4MRAg>4;m^0b}^V3ONEp%n`Evdv82^e?mtM+vxHpRc-}QV_Nk#PpT>h
znF%0X;T9TA+Q0AUz*VF8J(lG+snI~MU(x<}Byn36`>ssm<mZp85S8=aduq`{ktL~Y
zic#Yj42It@A8*3;{`>V8OQ&9k$V^s~1Ovp&8?-ADEVhBmu||~AVZQ^NKL&lN3t4Ot
z!Z69(_b1tC1iXA}<Sx&YLo>hJXb`kn^q`Sco2ljZd$$rF3pOh4)X1G!dTm{e*hc&K
zTLVBI;BP~(f=<GKMa0C2OI8O{F5PhOeVxf?AATx>&s<Xoie)n4QQJo)iK3*_CJ@iX
z?5(KL3QNY|>lOfFqHlMR61)bH=p5n*FT{|{{80X2>4U^Lp`=4R$@p;A_Xu?57cU&e
zAnFRq6|;YN|J!^5t-wn4*AJ~fQWd}JvWETM84A4I^`PRhaf$M9T7~p4rSeBh(wHHz
za_-0bAMVaoN()M<GaL%-_T9vP5p(}}x^*~sK$!Do_3d3#GM7DeWC_mrSE`zWCfYT@
zyF1eQCD&W-FNHqn{NC~9X>di7_@POy7J@(kp?Wz|PTi-e!8E$Bp;Egq?n<PkGX{+S
zX%W;n>&L+8po&!A!usFw1(hYzMRU{aVt=Veaq~3zJQvnd4|-LImW0M?BUlA}S*mun
zV`)5~H+ZXr&|unJX&Gkvj&vZ->eZZXkGxBEc95h{GE;KNWEY2IXxmpug^=Y)s7n95
zaRG(@OgVWi<IgX%_0V!{qSuAld}yl3#19X51{haoR_HE2Zi{g@YkS`|#su=+VqbMF
z$f$}biWKLiQYD=SRf_Y~fUfBaaz6?p#X%u=V^bD$fAPD=!v^`WPro379>jc<2xN}F
z^MKbqKQJ4wSrv^;AQa6g#s8FD>y8y?X^P?E($M0*amQch6vcgoos^lPg}Fc0H6!bv
zsr3Kcyj%3(V_x1H+xMnq%lLu4F{Ewba||1KvZZFqNT*zcd%y3jR@+Wv`veJh1JqfJ
zJ5rE$BqN27z9G;3Tu*0sQ$f48K(}`5BiBgUs3t+ZE>Gljmlzw#>mo{Qx<m=uprJgm
z6pIT~q031~=qKfy*n4Rv&nBo0q;pj}4ua7bxk%mtN9bdczmipvpm5ME#njeGr&n|A
z>HYKSOEw@2ErXP!J{T0J>U+BolOml|CbWAVf2CP7Ro8t-51wqV@UL)wqtInKn~|rx
zWteuF$n|<#H|Q02*AFhjcXqk|S6uUE-;d@WkFUlK(KD!`|E^RVxRc03ha`Y51hdf7
zybaC1BH)|;>iH|ayL9hs0<#mh5c5;?Q1YY3t_%FKpQFXodr1<^mIt=Y^5@~DAYDcN
z!7rDI^xh;>mFpNyU*Nrc5IPVIQ(|Hxg7W+Fs>Z-aUg-vjyX$mRTAT2Tyx=wATWG`u
zA9FL~PHw{~3-pw{{`p~R_j2XRB)F)WP|!C$PE|N<iVOfLz2B+|M0$Y^&GS*o=%Vpx
z;CIMvGY+X%ur%sWlSxDqlB!0QVF+E4a$(Vz>A6G^M}>nfpLNta$S^=2%O}mGOBI$G
z!AlcRV+c2~&`vCDesZZR16oOfeoMFSz<CQ6fZ(2x13E@U>t%hxmt&hDps`ZGU2M7O
zra%02rT@0%N(R5jtG_P$yh`V0G-lYiBK`Ls{J1;6vY*FrDgx(!_>it96liKp_i{Rr
zWE$ZXT>=UrvzpdS$?p!*Uhhn-Jz}>Udt7Ya6=-)LZ|?V4Xfla^T)F-=GFZP-<?#n+
z(aC`b7Kzf0*)*ni`%6lYDTjZ38=ur{uE9gp+NjR%K{?-Kv2b3CTI=guEb`p~OvkY&
z01SfvC$#2QXTC3h2-*wQRL4TuQmU`#4TFG?PKrwC#XZDAfR2@=Wrl5W8Ui?q`hu_i
zGxQ+}bmp?uA!jTAs51T&jNMsck9dJZ8So~5kwcnD-b6?yE2IoiAE^Gl$lMR~qa8Pq
z0N-CnlKg6i?A|<Nh5ZT8pc-yYc1%ChuOeSWnNFRz)A^=O0<Yj&FmDB|t4%|uj6NBx
zM6Oro+$%JI=f5NW>DqtW05{8J7FV)h>@bF12`u&O^%domz~ls$XFxyYrfMI7T;v=#
z<CQMUHf_-xE1t^L9k9|)2jid-fI__9H`24_yf#j7d%9uwMV`O*ComO&6692lTvIi_
zCxw)7(x!#bYT>wh8pxi+Die=9bUj}0#uK26R~}*LN_a0oj!!Zplx$+*sC%TQrf1GM
ze{XYKhY~I2u|ASL)!Py9Meeb6(}nu6u`yO4udfFwyAVpexMF77Y=tP&-bj)LG%+WC
zC!k$k_$HFf+c^cW2mDv1Uj#V(>COfA5gtrpmO-v;jFogp=u}qfJ;=o{$Lh{Mnd57w
zC+TftGw{ZT)xH-+aszq3iw0ObX<#|2PU_chI(Zig`o}3T=cyOS444!5;=p$5On#3o
zRIsba%NyRtHqD*T=@NZG+0WPW1_G@$Z$7nY`FtU7I5JP%Q)6Lc^vC9YWNm!2^ZDVX
zcF5p2n7)?R`{c}>AyP#<9-AuQ17&o**C2zd$Un4CVhP66;$z$Ly6lX1h{#~QO_i@`
z+vkn=lE95fowL9*OaXh??;265AK<*BPOmI$3amWO@hvg}Mq#Unn<S8oxO?Oh*I7gt
z?*P#&CyYj$o`kfFl60O{*WpD$+#>OOTT1Gcm>H7{2wH(xcdtdE0}H#38h+nMQ}cq-
zjVL*P!b#kSnv^GbVQVXOh06n9{RBfv@Q#i~Qt)%qU_^}O$gM3JlvX7xX_jND=(>p~
z60BZ@;hZNGL-PE|DFx3;*lqpao16P>n3<2|DZTKp&{`kOYpNW7<a7VwQ8V1lFi-Me
z^mUeiQKA1a)~)dVe2nQ(8i(w6WP?Dl+{UBZacN8v?%QRTh$vZPf|8GxUKdZ?l|({&
zl`a*w-IUXk@VuoiEjSOm2!M7gg9RBc)R`8&HDRe=p?By;)I5W{v15_VbnuBYp5N&?
zSK<TLcp_~YWw`eF7Gu%i0XaUJ6q6qrd6lm@vw|qd9fL%<0a{v**FE7~B_U@#1Wdac
zlU|Bns%v2$bDt_YCZ-IWUt|ZO)3b@0skZM#DYyjvB}t93s6A2Ck6Qp@n@i`?pj7-S
zel&RYGW6u|`{E0??@O28YR1Kw`tNT|_*cPaHW+r}VNEL5(oW-sT3X<2wo7^e@2#jh
zCjGgTJE^()-!a4#3N}xtM;pP%)tbNgKVk^Vg<=zQ!<;LVIg}s)B5n@6ZrYO6)`V=F
zwz@#3sB{PEl+G)t6_v;d`LeUs!M*RvLZX@S>%zSOB9$f>?5;!Gvb{i_fLTpdeA?K!
zJIs?t2e~R+%ZJ`L%27e6Q=<LT;8D%+t@|EYA8k5*A}bS-IVn+iJ>bqJo`USLEAr;=
z^7~C^eG_zVLF~DiNqIG5)6*Ez5u^SaQA{I@j%G%bbd^XJ>cibqI;}<)SnZGjynlEB
z{gmPOidgDjLH9S(LhNM(D0I7rcpN~oIvk;NNYR_mzan^29|71KNCS3DkqOB(-<d;M
z2ZUTxPGe3Ww3@x`MM1{y)JFS|+(!9lt?r5t0(Hga*P5W|6n(`;v48@m?53mY2QPJ(
zzH@iENYId~+Cp?(SIi~#mbFxyB#jUllB{VBJak5B!Ya%{qa&S=H$(CcSj*O0Rf!40
zqir*&Tm6&);^M%23-*Zj*&_@I;BmDQFOsPI>R9a3oQmrxlZk@=*1NOQlV}Xk^N@F?
zYNgG$hf+T^H8(fwW$~-}=i1&ctKS*VgdKN<ERZhf8r+|%hBiMI7XwHEY^bq1e-)C7
z|7ePn27~y>2SOXT<)&A&(FCMedZfgh4h=k4#Kt~H62`RhSAb*FD;*ZK<fJ(Jo~a#~
z1X^?Ev1rO~rPiC%HyisqUUnZ%_va$j<#w6Fa0)`eqS5X=dT$)wu}n{^*EF3GRPl;C
zFtg)EP=e9IB6D(cqsM(#2O|x{+nrx$)_0%fM<ko^qWdcXVxHZ(A@rEwtthnXuQ(pj
z<S${`5puNK;yG(nC`Ya1vh*?(OMX<ArgFwqU-~oE{{TBld?bN9?%#v%8ejSGZr{Q%
zv-Mn43yj<HVUWj+Mf%8<?fyyO(D|wP(4UJt0K9(jJwvotE*R3cDFBw&qJ`t)#*S%6
zX^>BM*eQ#QhjaR<wKXiCGasb?&rO8@o1?diKSoE_pC%*uL-_w-Jys7O0rg7p)^3)9
zP#Ged{<va*yoi>BvT(6$qBNnnz_U^=ePQ$mpxD4Ih^cq@dcS_y*lqaC6VG$U;pHUF
z1R6*RKwr>%D$D<hX>yka=xSEnhb5pa&8is9yDpH)jadAM*F57Ly2A$lMZ=dGHU{_G
zvQVQrX|HzaSk@0dl19rp_>5-yB;X}RQfUl{*$F%e%#@_1N8<v89LR7-5A*+uQ>MC^
zs?$u%=x!7IZ!(Bx{|dcMLjuIC@b3Vtnw>X}Gr`8l!Xw?6Va?9-S$s{`x2})X&o-@q
zF5ihT`P7eQtq^yCi4XIdfQjo960HD;02Eu`fr`3nDt6JCi8f5r69|vVGir*YU>WXh
zcdJsf?Mvumw{Bhqd2mEj*3cq~5iq5A8=z`}{D&}@Pm@&L86zc5pFyIJ%6)5hRFPk8
zh4V51g(0U8;iA$-svnnGx@)o=>1sL^R{z3zNZ{_A23*87qgw5+Ru>I}C7J^P|HIxS
z54%1}Qvx?CAV7aT%4Pa5R{;J4=`>B9#=}>L$bg)v;P+t=>I)qJdxc8Iy+fo4pE6_W
z{7SDb4Ukh_|ExcfZb<MdzpX*3ecZUTCYRSVNKG1g9d|cQ8{EH|kc)?v#De5?Y1jYN
zrHU>n8dn7X%kAQ1fC~zW7zzR!&iS{8tnx(wFnj+`O~;<knm+)*TyRkjfVe}h3g44g
z2E~>nQQd}`XDY#);f+;dViWd7D<SRrh4179F}X#~Vn<F)8GG3R?6KV(d@#w=ZP_Px
zbR5@q2Sm7&)8oiox+&ZLk$?6YilFlq+(Tmas~U7r{$UDl>dcS<Dtk8+-8CUg$-cye
zM&?*S=2po#0dEalhMi%WGcYCl_|reLaj_d@{3n!}80?E%1w?E<R(~Gn%f1#+a04x@
zI>4TNSFiw&bcB=~zqu)P^jN>9IN0_=WGMJq`upD?CnMy&u)TZji|k8=Rm(b4dB$4-
zdws??_FnOX-w4MVUR60W%gy_V91XE+eQhd<DJ2l#BJ&<>8*99l&M5~bmei>{NroV~
zBP}(#xsWJCt!ncLwMMRciXe<4QFpj%Rlg&tUz<n|rK`I^;FB|=NzcONTRjXf9PDF+
zRBP>|7e4*3;)ALVvhx3^KI~lpU!d>^5KhT?4X3nnZOvuejLfGC-#0yWH8*=(DDQck
z%<Pt%Yg}-D1_?GDFTC+^rC+bABy12~WhfW$`<KtE5p(cL!tGRf*Ix+gXd(^;hfk%@
z@}WoPMPHd0EBDB+E<C3868O&XO^_w03GJSSQPQTkACch173cd;8s4l*`rZnsNHiaT
zMAYpYU7%XTla*<s6?vaKQmY^6Y}w`zWTI80DibV8RmsgDdAgryNLldgY7%oO%O&)g
zXe7;ed;7E>Oo<6%K4ql$m=vhpa%YhLTLuF-`Au8RrFH;%Jmb=cW4%A;xSMhcK#y;W
zFCK&~U4E)IJ%k<3==n+h=DS+db2`leJlUH+uD0*+5)N-vcFch~Wcsr}I@fc|kcZIR
z4sGRG37U_ZFs+}I&@g9ynm{cU(q=HvRAvJli&d4>l~$L38v<_z@;;b00T<_^f(%nS
z_GfRWFyvbDLE@5Tne4E?MPMtX(gOl||1ItqIk|Q+spc}#8u6xXS~1(JsR`?%k=~1*
zGoE6xbIH{ef!kYF7;I)@GBQQJ>>JtYxN?`tDjf>N@%Hgx@ssvn##5;V+qza<N-u@!
zsnUS^X4s%LbXaLS7dHP0P^U?d_?CK5WV+bo_+M@R{{eYa(yg@DykGt}Nm+Um5wl=(
zhhW|#^VQ=fOIBVJ#@uG8bJdFZ{aXJDAr!-|OE4D~Ru?NGbUXS#qJyI@Q<a$}9tH^(
z*R^qtVN&v~6$RonS_eEJl>ND9OB^AY!Gq6jU`nKoiB?m@$c#lv!r${n3NGig;Nk>+
zA^QIhZfJs|Ay>QFlr}0?+GX34+WeSUX?T0GAzU5xHXvU~AH8d__eo>)J7M5?O_tNo
zi5(AU5~K393(+yUT@7-gr+3yaB))1AAGOg<X;D)ZGK_h8r9lO_tVcC!I}5-`)%tfK
z(T$R@wF(!ut(0U*El@yZDe<M{%vue)gu#p6Kf3qE=1*7w!m=o&s=2e1H6-<#ETwbQ
zYd-y)kkf-%Lgxx!6w)jyfmbjL7hx~S=`%{9-vCVCi~HaD6KH+R4!?cKeVNX2{A)FB
zhb-uau4RdGXnF}ic>OFg$sZQ_gDpJpO7#C{YymiE$G>>j7#sC@;Pm*wbE-N+P14Qf
zbg~>sF|GgIFEx`R4?aG0a}|96B;A5faC83)yvVYYyv0f8Go%e*fgArgdy2#gvvAhf
zeKj)R;oW~+z7!}9BkfbKeE}>g^nc{G`y0L_zX9#|7me(eHam?85SQG$o+4Z(o$)sz
zB7n4a<nVjk47;sD$RA%E+Q23C=s#tH=1bu9j#O#r&1~2vEtru11)C)6)vntNc4=<_
zVT8Ov&H?L5?RbmbHdM(#3vmHk#7owa;*#ue^Is2MPjrN%w8!j~%6;v$rbE&mZ<vqQ
z+uf)?F05^z&c<qGxs}X1k96@(mQ3H>MJBiD3!&&pOA&<0thXQppH&X;I3%;;>E(jB
zYj+aM=QP(j)r&0opo=(cIBgGUx2TYY{`XXgX(L9U)`V;huk2NVzPzsENQFbXUMY;y
z&a*sbPC@j~0@hX`eX~KAN8M2nS8u_ZkeUh<gLZ&4YJLq2hIVfizbY?_fc0EOuKbpM
z&q_M+S`VMjpvv=G_A?u|e>0f}gmBdJxb^}NH5#eB*6(|(SC=QNII;#2gXcgRlu_Bl
zxB!FZU`BNW9b2B_R{S#$nzf$ptC`3Jz3?I-vyzS=QWIRk5frOkk&&j!JJ>FmIY&69
za6v@_g_OV=g<d@R;Vh0*-coPCM!}*}98hQiAh>D%0a|yUZY>tQXbn_nx{`Nu=d%@G
z=?ojrwnM9s*NjO|T3qyj2NYLZkG&b?iG}Oafn{F&TUg)?X@^_95=gLGzf&UjvD*AD
z@=7zSjXU<KOtlre9Y2p<x8{eNxR0436@1_3_@mRWudvyN5A5AjGfbEjn>fTR3H=px
zr%ubL4-2Wsb;NVZb|axvO_v=>W|!8^gy%S0tYre<wS{=$w?^HJXQk7#dNbov2kG-#
z^;<Mmhll<xG~+^#Dctu9n=`cve{eh*u$N44vQA1M)Gw56V&nEV`fI?qLp%@NFI6Ie
zi@CV<I4HpEPvkAWZ*-Zws|GL1I!};QYySQh;3dFdZz|b76QYR<=;R@4VUB!kufb$|
z#PCI&$~LVC;Yt<o`2sOi^bcqgd?E#_J^H%PzW2eq`?Tcz_hypV%SVb2L|yKGo!gnv
z;n3Q!v=0qf3jGPKtfT)1_=^iEq<Z&Y*1q1VK|Kim;rX}o)1`CU2a5qygkow*3?vr>
z!r95vIch|9DP-@%(pe5;Jyp=BNaA<=EcG=tYA5eTvV|rT8G~axJZGN37dvF^bx2pw
z59-5H@?fh#b~o0zQ&-26c4N1$_2c}5rO>1KEwS(;a*Io={ZWAI!`8NXiwd`~Ykwl+
zh^xVij)#LkMnCQseUkC6Ivr#AS~jIVKwu;LF>qC1tZS;$uwW0!XY9|98J*HeHSI%o
zv?xc^t6zF8cBq`~q=noyx3Nh)Y*10HQP!GxgVIWR7Lcm&86-@_4NQm1-U_{u`)`i(
zU&O~NU%nzUU=+V<s)~cYwaji4Y04Yl*omoVtzQ9keTpK#cQc-XIqI_f>HegTeVZ`E
zwuvg<X5AP*UaTasMQbFtOu^HM|EW<Yjr|rYjVxn*2spNlJhO72*zbDstq`37dCRpm
zKnawsw;a6{a`Y>9_N(1NE+7YD_(3hw9fKQEPl(i6+%`0>D#hH!&kamE{S<xmSyM*f
zkFK945R`*RGv^WA<Wt)hS5<zeW2orW{L_J&^QKula)_zNVh7y^m$l)HW`)LQLFnFG
z-j~niLma(0))A}_`L_sP&X?CwtYy-T52|ZxKWAIoCG=;OPdk7_@{keLbn+c$Rp1Cw
zy-Zrltim#l_#mL##I*0kwaTcd`fmYv_Ej_!VR0qN+h^Ko>?zcK)xZG7-W%lg??6QM
zK{9BS{FC0#1zzEflV8TW_dSx&J;vn2ABL?Cyzvg*x@x?1@<Kq==Kh;{_8`>c=t<Q1
zHdhM99sd!K4?C^i$6_w0wUILj%WW3=-OG7?_rv$jy|>{%7azPC8DS8!`@K=%z2drx
z4}X&*;*c<OH|*HlCNaYA?DR+YCG)9X>f`;%@mt}i2Z0NxYgxu7>u<!mHL1BjG{a9u
zrN%8REw4f9*RPwrYowR74?QrqVX-!+TW;TP-z>f~Cs%VX;Q^I2N$AP9);3Q%4SA|7
z6g~b4?T=<)7$o=ZkMMIvEhi8EN1S`*Y04-aHD{;q!*r0Hg;X~iI!Br9XH?DZG12}9
zpQo2s-TM*LCE;i7*yZj(rXEE`$)$&zY$lQDK{_J^EU&OkF{kqBzG=|c&duUraUBYZ
z+ksyjhMpx`-P07cZj1@~4aDf09!9%B$NH{AbxK$NFLkX>r_^zp@sw=hUlf0I(%N!<
z-5KK0@$^A*(=0BRB_L8Rlw-gG4X{1L95)<$3Hc?pSBKJ6wqIRpkD><*@Cjgmi7+xV
zL#(Kuot5v-_~VVyn%aC*Yx&@rCyC5bZaKy!VKeXDjEfY$xv3OLVuAURyS)-aT9w8T
zJ`V=A!S3r-BPPYeEs5K4S2&dKy>kfcf7DPk^5fn4kBoTOozz_Wu%iXP@z9Mtw;Yk1
zafOs@QE8=ZJ#&t8Kj&&dm*H{}&!Apy%S45bZ+HpyI}`v@F!|}>WToL;JxQN{Rc&hM
z_H6eVecqg3V5*k7X<~qC6(`wr11Lxj+Tk%Rm>k0%ok0|7Chh(4Mo6zF|3|uXZ$YBo
zDr^6EA}l7OlFpl~`(*J4=(I}Zl=K^C3J<j^jGuirBVmFJjmPgR8;yx2XM~AR$L)`Y
zpV4|htVZZZ(UKzwIftakBM3`432mR)ceA7AQZf=`qiBt9Q0vEk4y@8x!=UvWB4Q-+
z(E-7$DY8b&N6!9<%v==xZy!lqYIOzn<ICL<p&hE`ape=vv*maWqB%!Mq>@dsyx)df
zNod@Vo+yyk{8<}qIKaa&^$YvI!Y95b!{a4t*HTVLb_hZmVUHh9|1R<bbkIJ5_&!QS
zgO?56-b*jLf`8tBNnZHTCH(g)$B$=yluL__@r|h}S3n}++VlG+WQq5hcHXAY(pT9G
zr4~iJ>-zaI30mf|@KxgWV1!cVI`O5u69lac`!E}F;>(mAo#8wwcZuEcc`<X^L+ruA
z*GB*k8!sDh%c(gBlhaJbL<AauCp2q--@-aWO;|=hO$yVi&3*YJ4~T0A5OVr`Uub_s
z-lkPh*&+>xs3Gpfh9pzTEf-ymt}<94pkVsKgY;TxqxPnK1U}#c>_uRQh?ib3J3HIK
zu6j_B^JCmSQpiv$Thdb@LBZ`a#DOOGlO`i5n^00h?Ng%ejTRJxTz@hk6^nM>b{YxH
zQdmctnj|t)r&Hk{0c>i-Lyz|WlOav8jOVA#jtkH0s^CNGK~pnw0l~#f7k;)*6T5JE
z(;-Q<ttc?MU!4{m2$K7~-FH=K|6MOk!D~ToK?>Cj6bAh0K3Bdkq8-~6<wqJ!SF*OV
zmE_>;T0!U7_9clyq?cVw`8hRcpj?do){d@rFJ<4^uQBhizBlhW<(cqod2~`y15xP-
zpDEF86)=(lCSpo7Ak+sm%X`pS>d@~;Rk;H>9B({KVI9PwBLq#noMBMtkPmZSsiXA^
z0o)6GOb-aPG9R6`B6DKG*e(S5R6q7Am%E_Ls7EZ{<sb*vER}RR(xFCgf3=(OdeR$-
zBkZ6Rpqr2eTW*ykqkL)7A*C2XH}JBNX#k=iiIKlIdPMjss=rG$AH!jxq~dnQ&6(Io
z>^48ZXdePZ^ktK--@9)bR)F2sX9~dw5BSktr!9u>B)Zw$dU-hiWq*>VIr&AZ2%;#4
zP&s>fa20Ct)|~peBqePjy`1{aKB5CbNF?{(gm4Obi?79N%(%0YLVNBmi3WX#Cb|2S
z9(Ax}2GKXVh(20)*AsVI{A%^w!2H;I%ul+qE9nSPIu+E(%aK<qBCkl|^GZrkN11|T
zt`PT@*Spg6zF=Zkl<*{bb(0+v=seK7qC_tLD!Dk!Qx6P*y39PW4y;dB)c?`8O4*71
zG{JZpWi?WP2YZCUPF9sC0o1=f!O4}rau@(C6X{%lLlKf$RsJ*9Zp%k&x!Ss)GRcwe
z_*!0#4G4Kc<n0oI9MDB*^YL-pXX%u%kWW2oK|sOC>TgXafNjPjEm0z(WJRdm-+G6C
z6JIuLT<Pb+-PXmhUws^5j3XJaLUjNE5Lzi<E3)oEMvIlMm0}WzUAKuMm&?d0h~(w)
z8ra~Y+*6l3&d+{!XAB0u<5Zp~BTF@{RgbSFK@xO&K5dV)>?P5U;l5FmUmR_--(wC!
zYxT3E@eq>u0=6r6)bQR4O%3od4Soe_6G9qX8k(>)SDVckH#?offPPL9NJ@~eErg$+
z;<3YzNw35l!7>;=c5ch5;<w2R_XG=Bp;(Vi5)BIbGLR^82R|TYniAyY!=?z(x}R?I
z+Vt@icVUGGl4D>;YSau@TCZkwpP&Aa;E9KI3dMr83L=_1I}2$5mi;||qN=AH9;wlR
zM{;0KsBc%r+>M_ulcs5_Xr7_gVO0~k=eIKtLB2Ibu26f9Ai=L_a;-c${nxWC3Cy;w
zV6fdHe=Y$=$brghO>$%2kyz>tufobFmXZ^I#B<>Zfpz)_XHw+rWcC{wZs%nS|GhIs
z@CPKJH%xuUF-Q35+k?qHk<rBBAzll&)07UE!q0*Dd-912n{rL|?8o_;*hiP`J3PHo
zZuNFujpfpuQcu1ju234>&{_85Bqb&>x|Xk-lZcXrF5;@(T=d~<<0)S4>kJ{!D*p_G
zf&FLAWxxd=K_Mxg?Irq~=FzYlD=XV~7TP3~?-JRcJH?vPjkn6lhwqnjL|Os$At@0J
zC9pvW@`v{VDkyLIxXPFAD)7~2;j&m8r~(|r8{$8Re_08LYZ)r4g3@T#J6d-=(WlQ(
zuezz&%LjV_8F$!jR*86SJ17+vCnk0@K9`)hnlsx6`ttLI=7$S;8Q|U@3)qDybOSK<
zak5wU>7o7UXUkiqW?KSwl>E>)7Ouoq=j-!V1!s${FDDn>pHFCb1APyiy~u`JA;-Dw
z)`#k%A1fQtLcTQO66Kqaop-}?)*`kY{sW2hA&&kB)0XxD)8-+Lu{wqxkp)SX7Qsok
zt*08Pf7t4t)BifRxDotyM?liAU8or2E_pgaW22L^Op>WlT8WJKCrf+}n}2L6Hu#pz
zxV;cY=63(b$0D0g8!P5%AeXNmT-xFf;1)m+%Kzy>gFvd%p%wqQ``PcKLYS{4fQk*L
zxq!(ZP{Sf`$`;@2VMB^~PP(4+q$=(m2lz8HWaXBxsIFg}1gUGnP4FFX?C!5CJ%^vu
zZUdE%^u*}N@4vq6pDg_d|7}*0hq)FN{_ZE}#Q0f73?}Gry=^3H3qZ}TgiYytZW0T(
zIvYP&u^OyYUeY@M;ryW(Q?j_b0&U7M>NtBpQ>Wilfke_ic0~!>ML5KoCKUo{87>2B
zhmzg>(S2*xfkt+$mKIt3aCPs5!{_Vk+(nh3?_`E>>w@ReLzZL5iz=UXgO|XbAHqg^
zrx9w<4~J~w_xIwW(@HFCX6}D#vtA9~VQOL$lY%mgE0;AF<8nCPO1j?iABQJG_b8vQ
z4Aw1#C%lIr9!u;!EwGb#F!S{x`*`sShmTQOevHD!N^WYgBPH^|XK;Fb7UTAM=VJx9
z6c1X7h{AK}sA~OZ*9X6MP))eCb-`(>90P}mzW$q6o290LLw13(4(#ViIzFE$SuG{j
zXAE`5Up#L%{2(#?INs<*x^*)2nARK8$qTSD0TzFZ5P<j<-}Y5%?>(cJeTokM3HlYD
z=Bj*N1P=f8Ht*^t_H|m0L2#|}3=y0biJ62~sKS40#I?X@!}>={((DhJOy{4ULYtmG
zvDzaoLN|q-q)B-PzPuZ6l;s^%w)tt|Hp3Hw*6O)R+xXYAPj&i|Z|lBQ8QhLZ`9lHC
zSmV<CGvtOKU?bMv!l`aPdtf*uMK;^)r5OxLUfyx6GD3m&ae_p8exNK8xOE!ev+72R
z?sL1PeAxTqUQTATaoybyY)#w8)KX7Xvm5WT8NE2ZddaBx;r#BBpZ;jYT=rQzb^l{W
zB<H`0b_wPa1*tF@)W#tgeE0HN#{owoA*i2t0^Hg~0nyk0@HKpGXEOZMt5qY4n?|{o
z@&?+eH&I|`KWWqMlfrVYCorcu;C;aucXfEzUlu|K!u8Z?pcLcqg#=Ai3?H)Hxn`0m
zojOU~l(S;}V8&aec;{7o`6khMl~=)Gk?Yw;IhSc}vxn{cm+jlGH@4M)Ih8`}NWRI-
z%nQs9%%GXp`%8eJr`Dy>42JXG0TAX~X>_qsljU0Zor=+A?5-ZLW$bZVCI|wiBlpNU
zJW;qsKO=#RqaUjq+kY*|tX~PbC`(nqZIjw=q&j}Jqs12r^bvwlNRbaQql5cQS0$a3
z$)wfY_kx~^OUh5!LNpqV`B(hCFYidY)QO|0>LDlvVI1vrjubReN@cuitj8{sS5jA(
zoYs;7bmZ?rIaDPQl5)HMwyBfv^RBNqH7LoVJ@^Z%jc^BiS)|c78j(zozJcD<J~yVU
zc5O`f+>B!k!%RQ_zE$<f)qfZHTW;3JYh+kZti+tagAFH{@ga{#OP$j%aVZ*I=ahYD
zWtcj7jH8$?&g%5ck2p~^Suo8KP6b_5;8M0+T$PyL$h`F4@3X=a50ihrWbGM@rC-s6
zeu2VJ7pP|0_&ojisMmdOV{Cewyd?O$Jl(`n%YdRq^>=CVGPPsx9~@*aA<|cD?5u_C
zba-q=Wwdpl+-#-%_9)<uFrjH0m75C<ONmOjvc0tUH{k3{AuMr}7dNFoFoiE0^nPAl
zgG>p)FTI~*LbU|vG*3IR`Hg-h{<TS1W9>cy{khzbiH?KbSn>mx>xsPA4Qk%vqXX-n
zKGn8Qh94)4d~shh$?tk62SV=;XYe#V`Irv21!&$1y{uooB)P+DN$I%hlLMcwWxto<
z5UoGj_Sj=ty&6XStK3t_>(+)DqZAC<E8kZ$Q`bX7wUTtJf^sfmP8>aV3RDb8+cU`n
z=fGa}ko7(J4YF<bMRVq7u}GrRiKf#)IIc=dAKS_ye16zx-{G7{I&t+W0Xkdu);iFv
z0kroeArv{d`W>jMO~-p2Bb2z6K<(JZ`#Z`cTRY0BR1Pwc4|c(aCdOOT*=Q|J>~c4_
zj%hS!GF=@YL1#u((A_R)g|gm}Gpixv{ie(BflWk`%7DB`r;-usxB&SCY4Hn0ueoGz
zv$rgB1SKoPqo+Cc$$h3q5RCNI%>a(SCc;E`dy(pz{2l4~71&FH<`wH&Q6Q}ve6W>)
z8E-X#wqb7$QEvmbun?5(O*o4g#`k4ySD>xW)UIickmh4SymHgl{3}?(Aoi(MW<1Ad
z*)kkYhtpsrH)-o%X;e#15h9&l+)jh>)9Haz?VDBAMW}$&%cS`3R0+vQl#I1Oq$v&P
z3d1;woIGdQ`Zhj-b!{&;RPerJ4NBQpFJn~p9?m2#l~1YdpO(yqq^qDKYCD3st{+e6
zr1=<WG3Cuw&b|DcPO%F%M5~w9te4ZNo2pL1SP+7kU2c5JhGeER;mTKFQhyfVVrnW(
zg&M-g$P#1#?oF=&l3%34oB-M19Y%w8)LeRj+K7HE^fV2PJVH<-dMo>h);$Lb5GI=Z
zBuG{b>_jy{Dx1{(J;ckRq)@GkTqy?!Rjq6Bf9jFsb}ZJ79?+x*4pJdiZ}4$C@WV6A
zB30SY8Kfj&+HY?f^mO<{`Cc6sgK!bVJRE#wO_eXTRGMbur)d2ZG}Zm8jS*Fr?YNLk
z<ZggrN-2p0uMWtz#iQlaCGJ&Q1(SPE)MY{e-B)~61GO*~?zLyh0OmrmlE}y8@p9V6
z`m*Zb(I7PpG6~grLBzC?2pC&}L83v$U*1{|dwv&EB~1x@?D3Jq!;eUhLXXYD0Z)(E
z7yU`@$RP;-yerNv5~<b@PdpH-J94ldIM6TpykgU6c2Dc9H#Exq^rFlZkTVt0VVX-_
zglIcRYY|0cMrwAS0Jy9<6*rrS1(?TDoX6h>0$1v6LeZwSqj(SLqXY#uc`mu_2k|3j
zLU9Y*0POV-S99>EC=h4gQ0FgOzkWXvy8ozY0v<Wa8D|!Z@y(7mfc3ilLlJ|~*WAKR
zdc+7IU5J^^@Ppj?(c{nAiM3zK(@f(q?l&{@GW0U6n`6e0ao!B5PdukK38GIm<v@kM
z*e-Y=dVYBDUdDU$WXLb8kYSjj8rtiIio)TH-70^eTE=ts>0&dS)|NX`-x=d#1z;jF
z1MG=q=*gMb4aCgvyRR+13s1g%F$WrXzq`V0MD9#vrk6Td)7tHeLI2!auxZ}9KYR~3
zW-Efcf+8(Bz{yhC0%(A`{RvbHTGrWImfH~|bw(kgF#}@*kJFJarB^@v%q2n&^4RRX
z&8)X0MmKrdm2|oEVS(1Qr63NCfQS=cXl3-y>k@=kGD!o6KLpSK2WZvm#YO{=ARnD#
zfU4;PZrYVZ0I#Zni_X5CSgy#W=<E~xdOSORbl8%ZKP%LF=h3HTRafqEK=;YEkFxCe
zs_YO`CLJ)REe}*{7*hRnB={|I<rQJP1I-XWa8`&`i-e@48aENarT*|6sLj4OOrA{r
z*!*rU9O&Y>w@idydP4li+YE~l`Y2@Ly;m!b_*QA~=`L{*0f|*WZ(>y-95e8y48Rfw
zI15_<4GbCGLtM&Ye;{v}z#asCb(B1Un+>b8Z^0@<J}hZl4`sZgF<MJ670NfJ^KRP7
zO#^1pO~%BhfrXYbf(W2xQ$6%dJe&KT#VCC`>W07pDC@()xHO>J)Cp&$>)P1)7Ed-g
z4$1JJBwRh#+9Vp{_Dnv0JA%UK4eOt~fturW4^KKHFx@$`oeHN*UyOZhIHfY61l~$S
z?6HKv@m<|(a?uw`5;sG=1HCg%H8R>Vqp$XohdNvWr|bBZ`)5&y62_|Xry3q<3YM<W
zp>;cWflrM1h!O2jnyu`bTbkbrclk8ERx%!C39hHO;kQmNRUa)@(#U<x_#G>zUN=cN
zihz+IDdpe_zUf40ITf(Irhvd@&R^-YRg>6SdIA~re}?qCeLqp?>0F}=Ioc<Ntbs}t
z92v2_Cl2I>1TY)WUP-VH>F@!oG!1El4uU2|l~Jb}&p;jT8E+8w>*ZEmMUDp#(aC|(
zWZ?WVPL<9cH%{XQYoQ!r5CtrT7y(-`DGp4~CV{W<EIT{_Wc!-1EyI6Ln>!W<a-H@k
z=_gj`UvNpsTJQ?)l9W^6)Q|h0g%#pJciJOAV~o=hi!sRmeB>HB0Bi3A)Td1UEvyno
zcUr3x#2=knTuQi^2KyeIQEOEmo1Sg61(sk?)l7iC(SNv23fJUfFQiVJA2tw&X8e;5
zAPFgb9JulMTbU+aCm7J>rMvrlfsTZV!RS3NS6P9j(7c19p3_mr#1{vPa3LzO68Qj<
z{0zPInxVd6RP4RI&j3BL)F3s9@j=$p&O`2LGI^=$7;VlCS5LvwigGFxa7rAf_X6qt
zM?*-tPFfg1)&U&EAHTrYFH_#XSRqv3rQ7246-Ks$mmF9~)n~@(;*80N2K7g`NKWdR
z@#0LK1oE&7wBt2mdrO7)JJ|N&*MY8|-#g65=3L4;hm-9%HZLl%|5=PY*hdTON*6O<
zs>w<mvaQO0S`8u+9Ja}SwS?D>@;_$Kj@&hBSSfND;B@7B>M$?{_6f(XsJZ-67j;T<
zg;VCO!67;7q}5tDZD<!d@?i|I{04gKJ>pu+${A)Ldc@}9bQbV`AguR0TLF;Z-?RLX
za%5`)^$$57*SCoCQ!YDJw*f;YpGj>A0c|he(vfMMtA)xxf7x?Lxm%2T5i9(!w$3}6
z?fC8ctrk@+wW&?bioHYa(I7T8Yt#s06rr?cTdHQo78H@%dvCR>MJ4vC+ACD4J)UoW
zz3=Bd&wcKk{FU=PpY{EW>-t>R`xUikEPnqn35$%2kN;y59+VsME;6hN8ey{I_n*@P
z_TV(lzM4>DCI3@$6#yg?w~7gFHHV91gRasaQ2xz92f#LBXzdJ&@YKgl@SeM4B9J&{
zORviYO#fQuK?I40^~>*<8nPmCJMkTq2r+b}(L%MPXVhzh$Z=wsho)uuJ=Z<_2T2}$
z6xUjT@XdpzX$+KMng7a7H<%87pbmQN4AZo<=^2Y|0MQwlHa;4a(R1*K`Ghzbky;mK
z@c}R}e4%3mTB{SOILDL-ar6UWF_%$ZYi3ST0~1mp*hu{E5M|(X=*LoUaW8c%sRKiK
zf0-=0!4wTwfidMiV}5KOOO2?OJFug}Do}?TchRVIsuZ0d6uTxD`ZNvilSG9&D|G>e
z4|2epm^at|mQ%@FJ&XuTRD$;7b*yl_GT+BH{M7GW4&-ayO3AGHQPEF#DEh$wrq`sN
zE=r*;qxKK71JNHiBbe!n+8ZF$r;NDoMJ2<8nJRAN=GQu-c;hP^Ck^Q!nV}#Fm_=&?
zfps^q-3Qg<H@F9dTxu<{>dx795|t3P5p%+2!fnF$jyTv4PVGBvwzuaDe2Dea^ZAmR
z{J}ZeEtF*(-GGWwJ6CpDFA9+lu8G!qke~AQ-((ul=EFI5Q{PW|(@m&u*%>(<`pImk
zH}cG6(aXWa^Os95*|zWGUWADb)8+m}6Kno{tr*AcEq|7Jig6%hgrK*+o~p;wVyj~B
zYQX(^j-i0MPsp52AH=M_=uj2R9@%|<(wRX}N^>anj8-R7hg0J(0_P2Df_Jh(LH-Cq
z(b9+C>=+@-5BE50AB0YMRZ>vASJi7||F<98@vXEL@;Y2br+$rZn2aob5ofpqwvwxP
zLYVO(=uDT2D-|UDvp$?m+Jr7aSK24G+rOmvSA%_x`<yo^t&u(Hz^>YT%^UM<VfQjv
zHiXf68mut}cJt%6@B8p_jhKJr%PjWs!6`Ew5J0$M#weQDz93&05S-sj<WN9A$VXE=
z&hg46Q@&QD33|*HGNcQV&m!XZk7G5U$md;f&w;6R@%z0`qoUpND=M(tBhrwc`%vq^
z^N-#~Q<!FCmcM^3*)6-?QhCSk+87Q2W1IVkOp|i!n2QMb;KU*0**kgBkCESikXWo;
ze0bDfM`Y80jPjPEa@)5bCgkx2G~s$)NQ%Xcjg%}k*hu_iCJuJtoZAjS8vTDWW~x3?
zE8men<zPi?rmlt;#K%Ds_<&*5m%%IES~Uv)=ax4jv2TSlc<!l~utC^evQIg@jy7(y
zMeE(qO+XGQ{8ai0pYGoZ@ZE~Y70%s{4PJ<!=k!$*arjVqjUDqYeu-3zkFuZVG2hdP
z(OXfITOXG6_`A4z6s6T*JrxsP?+ock)nNS`6HG>WWDkC65@3yaHI^|(L;^GkIa(Xk
zBDZ?cqaR*(Cq{Zd`1I-Lzg>Tm6wUXjR$RYpvQR~kdU-Yb*9<PgiaTYQPvb(=QorQA
z{{j1phPnH>YMgsTW_!xKX|)g|zkh31oA1ZIvfR#x24!0E)_XCX6e0}VhFVl;23(Fy
zw$#oSdty^fnkuTi_x|fL{HUMKe}OQI#$v!XR|5#ffATf^=T!Oe4d&Z~yW}$ULK&X7
zg=qAC{uMHx$ECRadV@pT>ctG-2V-k#PHX8re?2Obt=#`?KLZ+ksu^!XiwV)QmYuv3
z7S(U!u!f{ce8cSd@XsKjG|F<T(@mv>9NDT_?)jme=~@eQu<<4{`WufK(7=bIR6@g@
z#ibDs|MO%;z)48@C&5n^w1B3i1js4YqFu*m+&gko``n)oC|7il!X_QrEPLWr-^Xo|
zQncSq03fs4tbh5Nn<VHcZIBMNh{<H|yG|c_CQuf<^o=h$6J<FHNDGnwcMB|nzBdP(
zC#XHXPT9xcwIaaFwWo({U^4(&xa5k%&Moc+`Xyq|gNj2j)RZQ+oA~m~ms2<701aqX
zxH<<hNtS0@*9S(8NV*|@ZN7JOg8Ekfifu$H*O2(Ts)pX)bHDrUeN2Nnb?!aC<ZQh;
z@!WTm-xh;Z?#)7?`<iYK^Zzq<!+Qtw^CURYEjMf9)4U*F$PdQ_+(m)^PSht5_GzY;
zuhDm23Cx#5ENx!vl_maBN=K#Y0y-Gi^E!E50f^1>;{&a|DDl-T407!$=}*UBnWg^n
zlw(r9!^%u9G)jD`XCYFWa-X~w^*G%*US)ep$-FCesl}=~Y-C<Oj|qvUPTiL9r)CL=
zvwF!nUnP#d0ZoTKeSd4|cdD9H{}Cq#VA+0`N;h!K45Oin=>GcQQ`^4{$N=dAeZl$5
zo#a_0C&jxFtOjp)QcQ!6Te%#9-gNBtVHr1n;F;1`f`bFx24qPn=&FJwFwKcn9ahSV
zH0VkyAg9)CI=BQh>Ktrd?>GRv^T4+t0n%AGuJbTkLfc5{-|fN(vf$GKoGKDw4SD;R
z5-sy1s+fUL&updYGd9bkG^|w%tGco*t%thOe=`zopt$idPl+!p@cKtR*^+Yuz@B|(
zm+4Pf%$BIwa~y7Z`I#;*k4C@-xR(3(x_b1AgpG5EuH@ol?$O?~*tpT@R=$l$B_Vqp
z#}f>(z3Vc21?^Q;CrM?1c$FoGVndf4Ie2n>PSO5%>fU$cCMF)M{$l4zUP|IYzIWD{
z>=flL8ULs2Ptu#_5Oz|Ix)+{iOr#fH$`HzHSX7syA^Gje7xAP=^u$G$@&SsCSHY*x
zILzQlAoS{nU%V2Mw}(n7R<FecLN1aG#M<7QT{F$^1nEAc+eoTJy6_Yc|1&;wkrX<4
z)T^yOt2%krWfv0tcvNWE?(5yJZLM)Dh^i3<O%j!c#WH=mz2hT_E8*+$irS}=Ian@d
z4Y+ZCup)sdJ5}@OI%j<EL+%0|i-%t~xytr;=36y@C8=1bG-}|YSliP{=1fS+Ua|7s
zi8=1o<Ctf)=m*>tT$c3(#NPt~4a|GVctLk9P0Y>5WrZJQrwjy|XtmyVltoBXRaUc2
zO_^ai>csXm!NyGB&KHv~VN$T7`gEZIR)AUG-mrIRfjM#7B^0**;#-2joNN%lVX{_B
z7hOFh8G$SEeO&)VVxfxTh2Ld_SP&wKavaTL<VxuHy;^;aSmZ^g3+;GoJqxC$SSO!F
zQMFs#lr+v%H?LE!PC#@K7?OVMwXi!9BSHf<Uwy8~IMIk?=?yBhgSg}!gWhek`0l%d
zbAbonoH3Bc)wG~5w?}yW{fpI7FRNL365*Q=R|a^q_e=tw#qE{r4HdJ8dbUjWx@vBc
zEx=UVGa{I&IR`r(;AlgZJL+6Z+S!@|srGfr4v#H?Ead1KLp5Hwnn`4xWBu)IchMDT
zNTFR3%5D45xCr#J&drLu4jC3NS!#d`%d9J%X`sDTjR2R2)9;W*5&?azd;P*c;5@(@
z;pO7tbe$22LPypZ_Ebjsxa%d4gPv`;%Ln!}5zjF2@H#xosC{jb*qAy4iaGd{*H`lD
z_v7vM2$lePb%K<BpDrZ2Qxn{Y@U9np@6(|OV-#VZE-ERNR)sZ}t{P$JiO9b&cse8A
zF_tv{nH9=I@pI`|2&WC82h9ng<RF}N<LN2Lq7Epu@Pd538Ndbpyf{1PSphtH{pFj6
zu3oXu?X|AWb2AlMhLT1#aI@aJjvCTgZdMG{<h-lJ!}X!qk2RpU!B|PSU_ko2E#x2g
zKri%9$z18$B?I1w4>n!pi%UjVbW8~>KpK5*z|z}|lCRg(6fz(ws(fg`v%jeasxQ<u
zd~if5PPv8c01@0lew_q;oklm_omrd+df3S228LfRt|YvHD2SI%%;=dUDQ@2xFZTO8
zdtqic6PWvWk<P+*QHFYEnN?{|=?y1bJa_qvb&4l~JQr@8fD$p5$=mIdduC%U!drTB
zCBdDpLBLZ{Z2;eMU8dGILf~5`Xu)XL(M`PnAOY;HZF!H_f@=Vp+Goji;ke=mdw|{O
zoIBh~T(#!&t3{|k!R8w?Ht;n{%$hK%+IS?@;d<>sCEnw5=eJ6{yF_Yz_NxvVm~yZm
z7wW_jMr6-3g}wGgrQtS%5L-XlcU$TBX8!gwR~*B_Gota@Xq2QaPsp}`%dEs46wIY#
zUT^F^K`qEt9}%wewzS~9GlCVG9*{g_3o#}mxTg+Mo!*`^dfCq`C;7m~nd|{}R%8fN
z<u@bkXMl*B-Eo#1O2y%|CB4!!KKyx`@J-M2`rsJ^FL(r^9~T*)2Qw~%_vQ{2;%Ady
zDNaJcIW;J+vkvq!na)>i=6#Kf*iO2@nvM0Q=s9suJwjW9Igi4ODqO=bYGHM`Zf3?&
zcpSFm23h^{Smx-2Kcfj6E?jR$3cd?0^u<XM!G=aoCnXN%qGJ5bEkBDRtC{8XYgM?g
zJ_EGHZkv@D!(PBJa@%Y=Xc$YzmS{!f_dp7cdsia)lt%?-9{XhRX9)IysU1~dS&z?*
z$nc;7qpD_n5ZvpP;3;iH5gj_?_4dsU*jKFNv&3B^5(`tQ-MW_+79DsbpT?Zu^CIw!
zeY)Xb!EC9n!gEvnJPbiZ0s#{Va{9Rt>^IqD`?^mjgU)ut$raMY;Z2rNT$EYTaM>;&
zsQL`za9|LBdrL4j;~`kB7wXGmjAKHjLlHowZ^Grjzn<mpmF&3bt>)ywq(xsVWYv$x
zY3?JoX*~lGTJ~+?YLx29XDl15MP|?I9}&Cy#Z-y?ri@Q}o-tHmme6X$IDsylPIt{d
zr4mS)zQt*%tta9}vuZT_17925R5};?EqsLP8`eNd3p^%|;Fm>&)z^-dIe*AQQ#h%|
zatTzC@}U<NS{q(1(1r$2SE;-Pdi;~^ZP*uVo;}R4dFJ{BvmbuRyjNWiW;xzi8R|VO
z8A#|(ngIjWXw96iZ7ZJ!OYrYx&{J($*McExDfkucozvj#`36RV*-v!L7jBnnE)%dT
z>zZ!$8l@Hj*LOxtnVWlVzg~HUDeM@k=z%^_2alCzbo&qcfYC};GgV@Ql{ftZMnK{o
z?SA`Yf%U@fBz|{h2hs&^%+S;Ch3Y3rDHi$R*y;;o%;(6Nz7OtQztP0v8CfTG{Gk_q
zD7u4ffYbeAcv3*&*4)uT3a&7n_t(0%IaU22VlHU+vD2V31;Hn~NvPq#8Fl!~E>7IR
zZ^yQItiE{$M?LG+o3>j}s0QO<%d6~T+MN>Y-LS=mfeBqnzSlBs(WZZ9K7x&SWheKR
z%Bp2RDAdVZ__TIq4a2_7osr%13kMZjB{}>O?j?aV)2jwUlGQ|T!p%BIb6!t>4`jH{
z{qCW2y*gfd>|`pwRUs604J1gSZ<(8H59_8k{_WcbcS<Xl26Zr``r-t(jY!<4eVW1z
z=Q^QDr7)+CSd<NL?bqMJmEM8JwO}R+HQm{r2RF<GUcCvVFyvHfG25i|#JsXVOxM%Q
z%6M*dSjFhX@+n`7*6iK_(`@AE%!oDywukZ^F;5OQJv`~?K>Ru*3g4~J{lWqdzRjq5
z<o?aW9HHjM3#Y)jn(lq7T$;Gt6JmXNtRF)`nd7rOY4}3H!LtYj+-)>ZGN|XH_!Hcx
zy?%5c?i$uTT$tSGvd7r{{Si^r{lq=Zp68nvzbJw^43xSmKjTz&yMWeC-R|t}pD^_U
zG`w3t6H^9~^@UFrx)u+GG7PmYxc6qNpl^j!kmuRi)K-k%m(VOY?m#skN;~Vt1%)<0
z^b0>D+jNOxA326)s&32+--FLW=j)%{FZ{Ca%mG*DP8dNHjavDA?SdxRAVN`m#IAT*
z5Zfr!%5(Y_sf!ce0yne4ykYaJiQZn#^_L_Cn}xkAw1B7G{7XE{tbTp8RBg>21om?s
zORKnJdD~B<PDYr(Mzu?+v;#)!+%JA28J*5`B<CzV`?(1`OD>sn$T&*l2r*nDMqkej
zq*uLxnXmD`??{3@<c(2WbLO0^q*_Q_TY^`!Or-@@$Fdh2VB9NiHS8q}1-#<@fEVYG
zL_^j30y4c2Me!*5I#du2IY|2eV|Y`_Wc)<wncf>luR#4|>-_gM>e^uJt+z1_A_Bf1
zwWdeoo+&%%UWZ<!x}#o=>Amp&<WO8P5-tYH=ALg_>x_sBWV*?ycei*hy7`ciNn0uA
zhu*Y1tLVL2WI=(FcXFUj)2?9hx!asf1xmdLRgvNPcVB1P>X!x^WAS%5u}s_IjH#H%
z?^o+@I{nx+@pV>rd0mMp>L@gDYO}Kozcb$-h|p~GvbpP0^ohi6F&tIMd)IGz6w!^x
z__4>ZeKR6Axi%Wg@y0n$^cd4?6|i8S$Tfcl4RigZgQos6n4TQ?N1<k-GnB#Tvy0!7
zyJx#fnt{ZnCS*nD;jP@;jwG{Q9eZaI&!{$xhMnCNdNUL*+%8|xec^h<@|BB{H!0U`
z+XsbiY!aJ-&Sg}-xUM2;Te~HzbtYvv89-a>vwZvJc|PY&*Qh(_G6}1SZEf>4&p51B
z(W?z*2|L~u3q?JKWCCu(NPa#2o7h_|$wWr2KGU65uBz{T3CaijQ4qK`R>7a+0<leh
z6P=yqU#*}u_i=J8A;ceJ`t3_qMi27pyM5ee<P8C(jdTrG3_E-0hF&Q_hN)r(Mq7){
ziOTRelp-+*Y}`erp7baso{J4zsOdEB*`Y3*E4-iBWsr>y<qBCWBm|Q2Vw}IXZE{o$
zN+F4Goh6l`%19ZR&rYxqUV>EYaZi5kz1&WUR#x_OC?7K>8QWhy8aCa4Lf6PEG-r^L
z%fZe3E^Y~?O+8Vla@tC@<_+$ALDzb62u9xEo+$mnmZEuct*D5=5LEx(T(*@IZeA~q
z;lSPZ*{!dQ9f9_IAL^g4%f+#QC0eGZ(j>Gq;troKTw}cKPVK^89`IHS=F<nPqiHjf
zYjMpBP19JiFcGNO)&kD4gGONw8)2Y~^d?y5;MFN*Op7u=7D+1ch4UkcvY~g;hj}nz
zLa@f2s{8~150ohxb8_7v$Wc@Dc`j!R3Q^+~WI!-npVu3kqV@RMZVeR0E(0Y;OasKd
zy(h%PcxkI;yHh^3AVm7@ZIo#lG(%!nF5rlqWqe)u-gC=GwT3=vDA-V3NTsF;Txj%7
zO*wOoN`#&U3;!zA`FfFoG$B6*M{&2*`cy|1w&|olT2NpVEMBXi!l4>IjBe3W6sO1N
zxiB$du1OrH&`+M*YhQCwEUY|NiFf6{JwsA`^%5C_it>_lT79!1c1-OeWb6H@sdH+Q
z;cXwZ2Z?{~P-Cbsk)_;Yp5o%Is5KduGQ~arqe`r9)=erz>}l#kXTfbY5l1%y>ToLM
zmWaxskDtS@<1{q;qd(!^Y^Yt~$Rw1Fg|}@O1{IQP>aOUi&b97PY@IpL-^)sGwo;7!
z=wGCDcgOG7g7x_Ca?w>*`w-r%Vm{r@*!Fz=jO?z$V2PC<@P%M$xZRVxmn%|uKSqNB
z?Yi4IL{X$+dol(8z`QHVg?!8J0*i^#U?ssXvThkN5?<za?N2AXMV+RFF|v(neP!$z
zkg3h373~!5_NYRR#uSO9BtBIVW$XMk#2Ycn@x8s*-f!f^HAb>Qc3W*-#Q95}<bBRR
zyC>Tv%@s9_TX=W@gTO5lK0F;GGW`4?sb*KB@J-lCn_fQ7ygZyJq1^11z3v}IvWF&f
z{q3R8f{!!{u0fhR0<Rf4CIyp!xy;HrQ7ighetQ*uaTXH<rdg8v{n}76_;jOb?P+T8
z4yENH4aV6sH~p*J_MOl6m|Xk)87IUBQw9eQ3u1bBA@*4{=y%neaRD>N%hl=iiCOs#
zJnwT)$_2SwxALDBkz@u`Q573hgEr1>w7yOoKq6u`I0i?BYN?DwmfYq;P2UC)#|N?M
zWduv<39<bmW7E}<d?MxjbTNH%%7d-3=#(jBI?v-*V3=af^G=z~BY#|h9`=(!&S=QM
z>eF?u8%C}dj2%-mm&%7G;=FHGD6=)$8)uUdt65ck*HP-C>6f=YpV*UDp7*F{qWtT`
z88-!az=m38@CTyIHv;SO3`2F+RP(ud&y%$EOw*N@5?Ut(@BBQ-{3HM<ToLC_qG*{9
zN!)_**5G5`lN=-+==dRp#1RsHO@eF8g5hWzd~L^8t~p>&qS*aO<>uP~!uQQY!3>|t
zg5F!}Tt_0@jq2!Hh|?4$RuvL{w)dUEY|e-^VoyArk*I5x7p~gbD1L^E?R}w^lku77
z?`qmgVo;&)P!$!1T1s2Ah;RHd%npdnxcujJ=P|}M7&BKV{}<A)7SHQZRkimM2ZIv5
zIfkf{PnSw-lC7GpCav=+a8OTb!ac`Nok;xR&0vk9`RTBB0sOsMpN+&M^?c^k&D?|q
z@<rM0xuuTlo<|)KJ_-x*11Il)E|8C(Rvh8IBT)pyx%v9AwGIc=ksjIQdX2#Gd&$c@
z!zFH+sdMH=`#*H+Y537OA_P%98l`T4pzW@tVseor^@FWWo}4ZDY#G$&o`!G78_LVx
z7#epO4*+)_mUAC<IWDPiB*H9C{R#vjzSkq}hw^>9lLTzh%OxykLOJFfL0bv53pU0m
z#PROeW*>zd1*Y>0zwC~oAHln>B~GDAVOZ$0Ja#UX>711ewU3~JpOlOIuD}_A@Z#3a
z;P(rD^GmS%D~@T~-5S#yydGe&G08r~ie?+9C5M_qnwo_g2FW)GN4#&0!9|f_ux~X4
zzprk-VLqqhF)N|$VSB<q5S%nxI;^x@wm2VpR6CD3QW`qex?j7)JD=xE?3#Z=>aEs|
z{optwJt=)e)cvNxU=^+_9n0k8tNVa|9mRkr6MBlXw#%5~0uMf^dm5oW9v~Iv3x?7y
z8!4&^4M;{mBubRH`eSN_DX=>g>e@!%j1LEMjo~ap(1aIHlhGF%&(4VFCjwag6&i%n
zAvzyx>>uYP!((PT18X?yo$B3xH24zZ<?S<d?lg;&f{p9aP`1mqW9in3(%uy~&2i|(
zaGZ#{%l0!z7^d9$EA=8?+swkAp}}}To!zjFYFm7z5@3W!pt&7l@BSf6I&7m2{G|CO
zhcK1Xm~^r1>}YJBZeB=uq2`eu5xIRlmwW&|duM)TgbVyK`(iH4JiT-mv6?gj{bTnl
zwijBE3VA<7g8uVuX!IPhNgEDZl1;O#t$zQ79r8s`VWzim1%a>tfd*+~P$U6>*^Jpr
z`}@eEC*R7bcf|37=5sej3~frCzLEeuAbm{aPydhr2Qyi64fPlguGd$z=cmCy;TqZA
zW5mgnBotKUR%mX1|3GT%^%xk88zJk{G>_U${9j5mtuq3F?w-z!+Wr|C@~J_kdNyUH
zNtPw@k);?w<^3Xc;VHSL_|ZkIWKk<xDL6y6<k56m>?8@*nbua#|5IN7D1vW#8mM@?
z`ftVcg`YR`P#clHFzF}H|G$d+|8+%D@1u78Kw}9|XeCue4E~OK$@{L(51eVT7)e1l
zSH7>kzQ4uH`NwtttMB`BpqveEnUvakab5&LT_vhB(pMiS`+?!wXm5fQbw`yK>O49*
z>JN_n(Z2z0w&2C-JQw{rdhzuu)V1P&Rua3Ndo4L;YuTyB$VcAic-^d;ZW;eL5hF2O
z-H3Cvy<l#6`(LBJvm;p%$mv~)qu#!`4A*tVnodIV|Lmz`1RtgZ4a>=&TuJJj4Kq3=
zwoeJKU&+7vPPl^i`++BBN-IRo3Y4nVPHlw*sl1KT-jCG(m9Utno*0pCO3f_k)1AZl
zmQ2pApFNzMRqomGk>7j|OpLVI;%Up`v@xS~ko`sPgxz_OFaKItv3t<*J0}+Z<+wGW
z){UQi*_&0mQkX$yhL?3$d+x>Lo5u8zh`X#Wdb_`n(xLXh(oCFR?kUKfZOfjLQ)N~}
zBRo8<ccxn>ipC~@Qwl?W%{oCnmg+NN*I^tn9f}H(+lJ}TsZGDDZ~OD1wf)7%tIWQj
z+MlHnZ5P{Kzomqj-+dF3WI8!(9%@)hC-G`q%oGU}zkG+YA==v0OcyLw+6X0PnZ)R3
z--wRinW^_s$O|Wv{hL|5<KYuYL3wL^zV&QAaCZ)^l>$Y{GW-7u=`slTsg`0gm}Usj
z5DvGC%xIFtoQBdL+4oMZtl$bz5)K2SVm!K8(q7mNOt#lFj0(!E5H#Ch*qi0Qm}(!(
z@W`$^r!#_#UfOwdT?7DLA{6G~gSHpejK2OuNS5F(AQMXb^7N8ek@NYje$9=jDQW!p
z>WU#06%w=;q(5CCF9-w&p2wGewrrM?NJMQ`@JkpDvoR0H!ayK}AzAA*-iwLT&uz1w
z$5KM(?VkO?k};=;bKWkGEI0Rp=UeTT6XsAvuMoXUmgbC*v#?=+24)Q;6#z;3X#mVK
zM=6|E&@%D>kPf~8ppmSB+m)tPzBH7)1j95mG=>G*8{?%GfK=`DVC(4<2%Vs;A0USV
z5TUI97u{3=AVSIMg|B%q_@Au<3<W?nIr0Y(FsgV^!Ds5=^DQUt&G<S%2!#Yb$+c4u
z<RY8ZIA*Jt;>J@3-zV<K-?WBN->5g5{?l>y%(Qj!m(P1w=&&xjIYO@(>V()v&5KCm
zd|O0gRU=w6<s4OoFrCwk$i?lOXdLh+<zD;-NJv0}(KTVghJ`S*YDXQEtS^wA-a+}U
zsHkXQVBq3##sg400Sd0ewzC~l<$xpk^)v9*_rG)aPGm7%mI{)^Z`Nyl=f5yd(~pps
z!_dGx(`R){#PU+h3+=H?mPW|MpR_!f#K-E7ASYRGAg&%+6`gU`^2x#<1fMf+@&a25
z;2H5{*?R>6Fa8~Hox8q1lDFsiexFJ+no%m2tOih$UKhDW<bQ`r`rfw%HV_Cjw;R&-
zV@4MF=y)M~4bT_@TEr-53djP{O`)-XBJkjtd4t`RavlBMl&B#{f6^ZxBt!;&pk1gH
zE9vnN-LIWcmJu^In3A{0hh*{j3^WY&?Hj_Qu9nJ?_bz3DxaQVEysx5<XTVY#-l)C|
zg#L`jX?$8~0U@zY`nPUoN!X98r3khD!aj5|8S2q6M7juf@JwFIEd?-aQ)eA5yfOQ+
zq{A|CymJ+{K%n{8=v@df6Qbg}a}M^075bV<h;Wtm8uwKaxphL;1)H~j&+P{JZRt17
zM6#eC_W8A~E*HnjEN`%1L`4}KtS>vCY31SPja+$3p771dI`MUMYdn&h3XAAjv+|tq
zU~S&$?DKfJK0NX0csZ$FzTvzeu<Xg{`-`I=S5E4IfNmF9UO~MKPT$$bU$sAagZ9yv
zMX#)^EKq64_TNm@N)|Xd-6|*P*M#4Nv{x?;#bC(YTU}mmjbUP}g-<&>TNA5CU5^UP
z!M1l}3@}F(D9uK3fV*_F@K{>*#Xt=>_~@9EasGwPMe|YHuMwT#ptZ%bEVIMrweqHo
ztjZ-Q7sM->KtBYs_GBXKj4skZ-R`GdfzQeB6(A1}CGEu#3u$?`-LMqf{S)A}Mw@;Q
z)Mz?A*a&~ARfubl?y)|++!0i8lM8-QoU~+KE?evNr_h*+GpKj#Lp2E1H26Yhe+{b_
zMAZD=9se55Ix0H|EzjZ*Yo~hT>OlihX;qyp%w^IG_|=(1oh@13x>EM^3Wf`3eAKX^
z>md;Azod5bsCA*Buc+*7FpTC%!0Lq<RG-b<#6&$VT_-~lKHIR@CLcf(hNY$)J9KK1
zmfI6l{GT}2`TNM7Ux};|W}-z?15_4evb8-iOGj<1$Xr>i`lVt2k)UVksG$9@YY-0=
zNV`AqpCuFSuXbu@<br<ITC~3mPBVI!BR;BDgEAig8Y!o=F<R|({`>IhRlpp${(PhK
z>ACx7^pSk?adO{7)7huBi)}>?e%8ldxB5_sfH)TU4jxZDpl8nt+##_!+!@~w1k?N$
zu+nR#4~P8&Q^2_(M{*v|s<)snjlYp56WQ41RWV>{o%R{r;^C1$U8I361BVmVoY6|P
zfD>it2`}N3UmFhIIm$R9_y2Vxj{I~mu-)<~)#!1a_-Mnh!NX^{)a0#nPlHyB>#tU`
z))ZQP>Usz@p2c1JGeDeGc-({13a&+LSjB<No1X8T&}F??O~X&ue)bk(QQiA^(5G<e
zmGY_?m<zvS4KYc(fVTOY<<9hdWYAiKg0qoC{>eaMM!9U`$sf#uDu@L_qTjOkt@|_R
z(VIoea!rphLu7Ot2QFcVuR(Gg$<nwAiuj_b`(lx>@I$Wn=yM`WUEx*;_VVKTrdrCy
z`9Man?^5=>_1>8&t!4Y_hvw|2gEED04cl+udt45prOr=h(Gvo)M+6;z6<>d4R)Frf
zPlcNW4Bnlqtw3f4Of%fEv>pJ&ff#TlRr1a*{yedo42GC%aGZ#Bt#h&5-|D3yL5F=x
zY#)rC=lt(>k$s89X2T#WPwk%9HuD)0p)bf~ZX&Zh7ayCJw4BUZux13#h0}c9$=chu
z7!We^9Vax^H9Oz0rnP#$_d6-#4t+Fv)UiMmu~lZS;sLS3u@WYGXTKG-UCv6^;rjv0
zjF^3)ms0Rh*QM#XTlLsddKolt)PdX0jZY&Xjl)Wcu~`ZXUJLou{A3*ZWT)Un89A<I
zt405qZUyEfJMM*i)U;t5i{_0n7&g0~qFaFF4ac&7)?g9Y{`5J5?5WRB2fDJRz|H~U
zwXz1kp(=1uSqtoN<zcbl$qJ#Vm1*lTcIWKR#<cg<tH6UUCw;kffD@c+b+omwK$s`K
zVEfSUHW<|fReasvyd@YT#4`76Ws-XWHM=~WxFwHnMCI-Tn1O9;#d?>PrRN9%m$2(M
zFp%I_gD=!tBjW|s(fH%`=8hj%Kdgq1rw)oe+Pu5Axz3m+Y<D~Rpsfp=4|iYspWu(4
zdVigZ$*4V_A5wU>``}WE{hrR!M|XqUyQ6tEUvx0rFYuG{rYPhLm5?PSXyy^EzMqxo
zRG~E(H+#YF*)E#k<3SAJQ%KCH;bjawMXnUP%lj|b+UsVB!w<ViaK(a8+D;43g8Ys=
zSS_j#H(2p)7(*a~`*BG9BedsR5!JI`#PmvZTTD5)ZBL?aO&gY9Kk>Be<NI|(akv!{
zRRMQ&qPOEI`Thv*)(-NpQtw}ZY@7{e&%F8}*%)KEy5jpDdq_2u{^~G{E8;Grj!aBO
zz1z&kuZ<~|C&xIUbFYi9ahDs7FZu4`eGzVob7<<})@FQ@)=7uFNet)?`b|~fgqSS+
z(rmKOdi!!d7A)m*kO)lQFDx;^RabB!lBfnB0kt{7R;kDzOFRlEU*i0Zvr(BuVv}Zg
z-Wwy2#a4&Sp0E7mjGK9p!pgap^Z6~xXLafqgV-t*RZX8|P`jT0Wd+%YBM;6mcB*O~
zDYds(kCAa#@5%gM3Anm^9@vs3oFkI6X{h(d)Sn1&_Po@`n$AhHC?FaRc%?Q?dpYk7
zsUyi0E=R2puFFVw6|k^0`freYTi|o<xdO#iUX<2QT}|LuG1*$}4MZ2^=OIcpAb9Q^
zC+l_oO)X`CdM+qZ_KvEf`;E0p4`tYms%nTWc<;?22}XxS+Glx4;SP&WeW}V>7D~kC
zp-dliOA74;Ee&cyRS>y4nRNppoW8NK6W^`?Twv5@5fy~74AleJ#?i6G#rySzDrexX
z#@>nR6AF;Z1}JnA=BGSGqE&+GJM9LQEPJ>{9Qu_kEqcS9GNeC>dtJs_7@Pfq<G)|V
z`j+j@jQxo=Xk>*3Ey^zTH*@;Io2RCZyiR<_0LBmLYP6pQ!Dh0G(J0?;#nKh=_GN>u
V4Wfe&_;1E*kJX^6Wy&^T{|ELTs1X1F

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/WinDbgPreview.png b/docs/GettingStartedDocs/images/WinDbgPreview.png
new file mode 100644
index 0000000000000000000000000000000000000000..7fe8864159655d266563d91d10af6b49309ce67b
GIT binary patch
literal 66864
zcmZsD2|SeT*Z+)cA%l?J7^Lh}iY$W>vXz}I*-6O0Gonm($r2$;lzrcaip<#8$WF$-
zO!j3g|GVe+Jn!4{d;gzGx$kk^_jRswo%224@40&QKvVe=1q%fT1iGZEg3tzmNZ}w5
zn3S9pxFS<vWC;8PcGp%`0G0HztpMK;+sSLlgFxl6lqVJ>!1ouQsTjF~K-8_j|9~+r
zAFV;4^AD;Bd0ii~bu^hz;?mp2zUuSh8+R+y#?s4fBv7s7Hhhy1W*ShsV(KxVl(<YZ
zkj66{L$QiJcz%se0orhl)Pj|Do=#HJa{W%sJ5{bN>w~l4KL1|--E^%b6(Z|LD1x`?
zf#>*WA0I1PP6j`;G;@ABvo&UyDY=u}a-y`*7kpNE!y7-XcQllFhU?}$KU7XWnS%t|
zC(oRp9Z<E3{@3p*I&a~xs{&P+<$2X06w^`gIsQC^MuD6w?0>%CELyL_ixN5CaQ^SL
z-~aM8d`Q$LD7Wij@bBwf5P`tS4#->9$p0DQuMglXlrGW~p1cSBF*a}m+p5kvwbLpn
zm#ZfA-*+PDp!!E!;c_Qmw#5GXo-*gouz_*V1LS`{<=#aaA-O8h(J4L{f0*)Lcjt0q
zJy!+dInVc9&KLjhUB!zuz^L@lf6vJGhbt}AIOt^4yTv^~{ZHG3(QN-3!0^jmga6mn
zvLQ_*>f~^DNQ<5G^1sX(CLOR_t{;p#v3GLv{J*2k!QdWyWF-F{PJzRA{31;}XUpk^
z%l~gYSA$b|@V}oD7tT!a@41KVO8qrRX2ABVd8_~aG$bD+W)S>;t(h0wxKjFmrYAbD
zk33nt-QxOxCorIiRQdl+z=Rl;akd&s1C^JTr)u^2*97Cp02k{%1<c5_*mdd8l?Lt<
zgN_d8W7#=_gX&m!ZJ63Q{`KmRmvqoY(q(!m)y_irpA*K00&jxd1r`&y^YY(!<iTG>
zWkmnA$Q)D@G%r^|{(Lsg_TvXgQFRE_pBLlEa{BN=2X}ve+TxEJ<{*u%<)QpoOqhgZ
z5_g#No4<avJLjIG+GQ5jG}on)`RMR>ca>yMFxny?YNrbSe)=|65v-t6`jRNj!tXH$
zZ)!qQzrlHHb|z=R<{eodR2FC@eYf2|@$dKN@O?+bLw~ZD9ybm6NbBzBfN4XrWx^qS
zmYP+4yBx*43!h&%n-VbcI&lu{+#%7&eM@OHPyEb(>g*oH^4H!C_FlOSGBcC?1-Y;A
z(CLQp=A6ixe*(yX;+E-U$ja@{l(J_M^tYxJ3a!x7m}K`-y1#9G^ezj;m205*m)$b&
z3K{)!WA45bHl*qSuiS7QlA;r_uD&C?t8(LMY})9Sa<TiH$zvnV!`i^Z`T<_>pm5;8
z%;?MUq~2Kk!^=?Nm8A=hbX<m^=Dq0qfBON>Jui}|?WnO?i`Lkfm3DQi&u8jNR!<BG
zm2p}n&GHS<>G1w>c8fPO!nvL>RnE|36!ME1Iw6|0F~K<<qV%ls8W%3)J;)-3Bc+dX
z?QzML+`1;&%A>di8#7FX<~hZgCT&3Xnqh&)=5*(C^Yi9*yVF_r@xvFoG?SU2ffYwK
zJDqUMkqRYEV)HMd)!`@^j{xQa{=e5ZuJ5fsBQ%73*O|a>c-}jsjdRSrrD**!n1<-I
zik$hepw(I75F`CjCq5~#zqaM}Nhr}=z7iHR&-BCnb)55yzt*;yJXK-iyz=|jYSEik
zesPZz$GdFg&c%D)M$JQ~0boOt7v|dBEUZGGI-d(+Ij5g|ZgetA4+_$2mou6i@+Uz-
zDx9ke&dq<glhvj^c}Tw+c^25yrP|c^fF1GAUJB^ALxO6oQl;I&9|s0Tn&fvn*H|C}
z_I=(vj8M)x>(Fo*;3wWwDy2GI7?$9G+>FhiRMLqH9Erv_<-Mj;z+U*z`kE7avtCF)
zpV!|iUM+*5jI4Jz9A6Wq?}A+!gkp2}PJ&O&NR%AiX^GI|k#S%S&Ai)`G_fRd#nI#}
zkIhEvw4Sp>2Y;pgXP3&P0Jb~(Sbb7ah>;!dd!0p4UA^8GJ-P}ZpE?ODj%^j_n&&j3
zQ`ltxYXcrB*cZQOInFH8R1So1W{Z_M8F6y%fP$5^Tg9F9ucYM#PfupPw-<Qm6iMI@
zSJp-{O;+m?um?RYkN(+>gE{rF9MF;$mKpi@*cERJ$V00O8MdR(RQs6ja^=>-|8in;
zs*!W~Mu|-~rSliht?FT;=N1H?)q`jG6wP@H$He<l5l8|fy>}XowL{oO$<4io4A6~c
zylnHwReRrmriSavV<kZ)n_qh>kv1{h+5buh>GMTo_|#3}k&pnKeB~Yx&+^C?BeQwC
zy0+weG3Os;ZaLZ4j4c)E#^0w^yX*-Ggcl7xJxb&I>d~JF_KNMQnpQ~c;goGKGRzEO
znw^j3nKx%(-{bYAksmN#SgI&#<R|N!aQRlu&w3K*!F|)g$Mz(LPn0s+l#!&^{!@>_
z`%HsJGtteb-{mR_oF#k5wVNj#a*nC%_`tC2?y4EDu1DvCO6E-S{(=;{UhlNbcMo*6
zJ@PLqZ3p`A)!t4@*kuKA2D3(_PO=#~GMsc1))Yvz)snm?w(p%3jBn=pH!_kQ_%$Wn
zFZ3@cS$+S!Yj0_C#zxloZ-e;ad>?}?pTe+bcMX;TwbE#E_dn#f!NLNj{}T+ayo~%I
z`cvMzj_SQslIzCCT+pxTF<X~en^?#sL&Rh$sNV79!nZ=x`Hh+YXN}GY4fc_<rb*|P
z>Wf*<$Ed0goF^5|o+ez}ff7=a_so4JQomP=wVc1W80W<RO(J|v2RU4SUb^T1^x#ER
zcE{rUn|m39eS8;tgs+q_RG%%{9D8k>)<U}`nwmJ(&*nKwzMXQo_&Y4uH*^|HY^Wv~
zmV~4QfBZXHW4SeMlgBki%kRqttgS@~o?>35-mNCTKiE<>rDPR%dT`v_Y-HbJPxCI4
zPN9M1Kd$>zRLhCil}{Ylc!R+`vr-S%oPSk+^Nc9QI5`vKCzC-A-Op=xs+WBH58Wfk
z=%6DzZk0ie8@DC6hX<jPfyZA*hu%H(j>Z>6PLNZ1Y<$~N0;cv|Y^2?3gIMKZqoYIc
zOo05O2MhTE0po)%$SY0Vi3~BjdqQqw`8%9h$2&32>x`p>&ha+1<LJ*XF}3NBcc8qF
zicj^U>dw`;Pe+yZeU9J$jcwwTlbmUw+Zem(kPGix{KtaHZf4sRiJl9OkE7sA_=8hX
zc+w5=_nD_?f7Tpmm<Q>9(v7Q!MJIbQ*l1`e>C3uTXlYW2iPnX_17Y}acBx8Q^E7!e
z`h`A*d~Yi0UYOsb0`6nd`eJooQLrW2c7r6;lW>6)EBE~PtAHq_hEVao{9a?Ry+fzM
z`|9l04Y4lstw+f__Z~dFY|M6L*4dFVwc<qVb5j(zISLd{aV7G-!|fl=4A5A)68^Yj
zzwqp>n4L&O;uc!U?7d{w24~!B@R^dm1S{BRdd8DE`E=R|5ofgROXK={ZP#F<P)VwV
zaq3wU<J^yYt+=#cWNizX-ed<|GQUWY;opm{a<@SVNiM$OdF@0!_+-Qd2{}o45<N4;
z9%*lVAOAqkXK%D+&D-g|ivkw?cc|nUY2m4jph~_EN#>wP;vjC;D>(;=o`EgS91q~$
zSHI3qlc205y)V>nq`ql%SwDMBlzY16aTPu+uF8>D>!veiv3WPEE)mBsaeUk$7kuIE
zStq}|tQI)CP3_^e0Jh*yKfCAU?JF{#H9Dk4F`Yl#y>r#27+a>VcBfq3)Fz&-M5o+0
zmA_!#i9CI}aLS{p1lB&amC9cm5THI<g%)%Wn~7w{a{d#r!s4c}irjDsr|~vXwD9Jp
zXUCNY&j;h%1~_4~ERktGu^YRgSGsIrVRSNH87aLPMEq#ZPd#u_^ZMQkN*b3g-3N?C
zLpMDG(x=Gju8c2U{=Om$9{jeuCtmW2bqYYdKCfxLO!_7oTUSX&9i7KYK8!|B5HK*2
zNezbYW9V@wj3ZlQ^3ILh-}Ul#whEt!zfxJ-^Vm2anA<h~UoeJ_3s*p5;ad%!YqWK?
zLPSKPqETx4g~Ze5M9s(|>SxjOr=DvgzHgxBf=TzOlUraeFMD(!&bd@G3F~nzUJu=T
z-&yN~j$sj*X#}~Nf6pq{uc~7`2?l&n@;3L#D&yL|j6{Xk&++^()!r{X@ALGDs}42C
z?_aqFCq2wrPGUXcG9*!%>8IwW6GZD5og#|vs3mQ<GMJYflsDcdA1#P1nG7GXk;Tkc
zt8_@z+slzw`naM;yASm2F3n#2CkH9`aY9~z#>!l|Pm)X9nvNnxF)mr$lqt%$cE-gg
zutmZ)&9ri(-JU(_9c&%acD6n!7Xxue=SKD0u(htUWT8hP(e3Ds&5ZMG*V8V~A@lgg
z6W)e2`MJhua*rVAV>M4LeB&J8TLhbThNMZ2=E$3mSTMEt!pBoV5Ar8m%2lX$bgeYV
zZ#fkXg?MIBj=nGS&_M1g1-k_QC`i4VQ8>&GWS+eG$C7yesJ(ZlB;k8^E7esO3>NmK
zrJ5m)2R^33S9`weUFFKdzsP%EW7AX7_F?;5wZi|_bhwAJSv1hK+fR`*UwKn-cUcqc
zdRudu-BXl#F86GGf4f1Kxl%c9^IUSswjk=Z-D;E<^X+e=868f{g;q^+UfUl2S2Zw9
zc6nnr%7t?D@+_<R=#_Ctx>4G1vqxB6p7y!SWpi-Dtv^pnlO&u8xFv@K)Ly`s=&aun
zkV);CSo2BE3D-m#=JC00L|QIQ*SZvMFT;@@4>aa+?w6sm*oN-~XTcVl$(ZlOM7gb$
zLudv0=G!~;2Ey9C3zf~}4W&W1rUIIT<r4BTvqp>$?@oJbF4*|>nS5Dr<7{w@)BFch
z(F}I^`VeEYc~fo%N?ct5|5~X`G2`&IY_%I#x2yV*BI^0_#%9|~ENT8^|6A#)w-V)I
zJ-nLrSvOn@B3`pf-FN<>6pp=QcU9f%Rc-H~>JynU{7D86T#$iv|BJTcIp~0~)w68o
z%wSRYRBn=-=msPi$bwI&Pm+%|3H+0UeWB1LVV#?Mg5YgXnx80muvV_Asj1=JXXCYy
zn(WTLDj6Mf#$<e<OC09@D}OpD#IK2?;Ny7SZTEDy5{>r`Mn8{tCY+C@{x<?BBg3sI
ziY~E=1`lYfzguKtx_#;S4fGAodW&A&+pn!6N^flNgwy6vmf5~m^|(`bd;NJ%Ixg-`
z!EF;><+SBz6x1Dus=ZM+?IsZnM&9qrXO1En57@w#%z}D@U&TR=8}4&$A7BckHbN5>
zH+O5cMK8uRw%3rQjO+|Ak2joZl4TZKeqJcuD^4U?<Ph2{-#nkAhbGA~nZ7+Pylh-}
zGG4QEvT0K2BK4$fW~+L6bH4h7O>*;9-UH=O|474|YRdj3$*wbZ@}KyB#z+58RfpsH
zkW5bF8@r<McJ{Tz5l}?uc?imNe`jBefW$-SDv6ozx)yBRVX!I^o35pdzh1KCT73K~
zN!{LjkL#yZm|{Q*32MF4?jp_F`+7)3M7Pc_k71vQYQC2S+OO3V@x7!ooGjo$ZDRA}
zY0f}VXw_KpWVv&T%L5D@wp#8*wOvH@O2g9i)OExBAwNSBtm#eC)TBLV+UCW`VV%)$
z3n^05%9zn?LhNXDR*SB|Tb@Wg!Bj#ZN>HptLa*_EW)UWRUwW4aL0YUFla8d#!C2v#
z{O^fEJYTLc&8++ym>;)Eu^u+0x~*i^*yd05(l53evzsBQn9jWMnrm^CdxLr1$NZa5
z@r@tvXkS0f^C?^iXI>JsEQ+P$qKoI1d5EmjciRn#jdh@DX>~{zywK9_=X9ZSgEj2Y
z$`Mg6LyuC(uL^8zbF&f$Sz_@7e#j144uK42ryDxRJ#%K@2_#i{5i_qyDWudad}_i2
z5C*j7v^Y0mcGH~_i^)Ry7z&D4uI9H5j%v`G2zn1Mp@vf*(-H&oFx%?WsG3rKaf1Nj
zEUX8lf#TL5-WVQkj8uOo%gWsz)mqtyM%s}{hlBfC`WK`Rlonr<EPe|Y?(=pxsW}gL
zL|WH&>iwjr@?M7TrmwWsB&(L(#6!}$j!FR4)ST!pIrwLY%hW6|+hv@r4Ebz-%KTY>
zh0OBsqu4Kw0~&IgHG0`R4+-Szaq?<j-EPG*EiD>okZQF3)2dv4O8K+tWfxk`*Ue@b
zBw_t#NEOnLr&U$s22B%wm|{a;>5m<IA_S68CS@ELP_Xr_>d(#fjrL9s3i|JpS&;aN
z(VJKooCO0EPFc~U(Z#y5#$Yeya@iX{tFOcGItt%CGGH4`Xf+wbxun{5mKMx^>imsH
z0-M_Ro5pLtU*(<Jm=J^oM%nDS>s;{s$2!6%E$0X4OpEayIh~3^@T<&y;n8f-`5Ar`
za;Ga=TkDm51yoF;?}wxhCf%oAFJ%Td4>kSzN}0a&?F#1|5ihX|WYp`@BIscUv*UL+
zo;`kKb~EOa>Eye#Bfrk-;PyIB+?mhMSA4o0!6&ZLSAEyTl234aa$mGK+}nK4<~h%q
z<c<eoe_1Kx>U$x<*N(V?-tUBR*5L><=d#BK=d#U&DZC}pH8v_uls1P?z5SUo1L}a7
z7OEo_Y@u}-D*ky*>e=)HSa<Dn4fiGs;A0nwa@STUOFtKAo)^qC1fD-|#M3}l-dD_P
z>Jd7rYvY}Uy@D<^bS4YHsV3EBMvSDUi}(iYTxMrzO&b`2SiLyS(d+XO>*jC%$nV8J
zd&Z%43M$sRJ0e}MOAX$}CHNe#<Tsk%_u$$johx<~V47@8C$1Z%V!8Qo$j8^$GxbX-
znRhDJYc56EWW$4nO{U@{n`UY^nFTW%vHe`v;5!T9NgQ%VuVi4-K_^yrhyeQ|uGcw2
z#?J!Gm3S}*gahSZ_vQl`23pRUqh9Y{#V&zr7vnA_te+~p0g1uT@_q%N`UxhV%nKh&
zf<Kkam%BE+3RnD{cV`~xPOa7{z^$g5sh-v99%W^&$T%MRkz|!8^Z?&_3u*)4Lw{ZU
zN{PI|(I5$`Upo>m;_cR}alDV${c&r8!=={DF3>nk*gSGm+RR-9qAaa%ZIoA@;Gv}O
zH%Wud32O|oc<DR5eQm&zAC5rQU1s0>scAi_HQ7P!Ui7?Gr~ASIgr$(atUX<&teu~8
z@>_b9Pru>8+~yCS#T{4gOSsf0M|0Xo76pfK9}6Hl-P<|E<2f474GX2a#UkVIfq4J>
z$N<8`j6RX|Np8mm3AXLiueA^&;^OLGwN&qG9BbA?_Cq__Z)v*Z*ipm<F+HAils%Kj
z7Cce7f)2mzO@yeM(2nE@=A>F)IxKPt_BkSf71ofLPJc_kO8?^cOJNJgV|?V9SrEC<
z6E}SlL!}W#5jeefw2sL0p1L5XC1J5ZgX-FGty>E*UfJ&*hY(W})ypOGw+{B>JUogv
z3LiDVxc&xUxQCyoprWnPtG@Kh>_oVHxo<c6r04a$4CeuRxJ;@-+>5eXO(!qS&S-UO
ze>R<bMeJREpWNG(Po#l+<h1Ut?5m@uqEY!02LoLAU9cr1=M)!QmjsIhUj>VQxejmN
z)def~kq9w@Tjihqvt47wH%Wtfj(+c1arM&ZM*rz|)6^u`3vKDUq8R?Wli#F}!7XBH
zVBjfqli&Ec0P{EfZT_MqYc#2w4BjBfP(V()Beu6Kyv>F}Fdy_bYR>BFNB+2YdMM8Q
z1A|`BB0osPW3V;jAOByeu4Da`Xh`<z{CKnlcx>dJtoK1Bbfrg{j;JlYX<6`~GQC74
zHYTZ@dU>txkv=Tb=)-4pd%AsDCpo+KPlcZVN^hHLSezH-%->5j<Q`S*g2Zzy+IP&U
z2Grq?=J;hB_yICKex<Yu^j6fh;>mN_D59_c+A8ZW6S}8guKxH3w{z%CUfNA13*Ccm
zwVV@L?(P7ZgjlyC=Z?&V=F2+5*mCg$qz|fy@4~7$^7MD;Qr3!Jus$lGpg{-jY<1XW
zknZy?dUkiE@rL9tI~m6I9UHs!B@mZKK-iDE8??Mvo)T=2xZ-X0TstMzaP>zG%S*;V
zC|ue8cHENwR@OpzfO8@<UFG4jN|52V@EGzqm!O@rcJvL<JfEf;19YC9$Qn#Sz9QA5
zD*q8Z)S;_itU=EH_%-J}4*Y$0%74}{H+jw(IVvdI{dHa>_$ab7^Zdjvc@piPY{8Lg
zh&K;3PkVtf3acY9uSD<qfwRea8|jS9)F8fZzU*ZwhFkt9vtW`9sM{G}i3f?3mmWAU
zP%dKMH$Sz*VdHzT61$IE)`wW)!QA(vo*9|#UtjZyD9W$pTY|1dv)t-*x);k)%wfYk
zR#L=05qBDq(x2VRa-=T8hvAuEzF`}M!7fctPp|syx~>M+U50LFm<SjtV*-kK+={DD
z;+{Z!hi5{YM7BEx?{#l0wghc=@abI+tPkfI)HQEYIUtX-O9U}1ffYDt{4Z=aFXLGw
zvhx^qcGes1(e9Md0G&G0^WF29^!bL|KhRe?!jR0Xcw3S5g=tW@Er5E36s*_JEmXYa
z!Ilw%BB6`h*Dm01*mi%eu<0s$^1Xn%(z=6AJ@uxlDtIi0s`C*qDo6{_I$7`j-7h30
zgg=r|NPAm;U!d!WZ&qe3`&~x0WZ`e))sE%1JuIH;m-#expToN-+;K9e&C@fTi2~__
zp?Iga+!N^%PN}b{Y%f|caMD#)(bUf^ErowCG$^zh#yG?T1s`oM{My^oBg9z^6U3A=
z!&NekDs8!-P<XKbM%rasx;i*8uxDG5CmhRApW%jP6frC6HEoMjx%77Mz8XYkA#w8d
z<*VusCQQp7gBgWQK9+<$)j_;eq4xfn!+n%R2(|}{_bOA;aDFGV#vQ6M&EEj%+{w#c
zU^mFh+Kc|H<B)%RCzd0<17f-{w}0U9a^=H-9+&<=zs`{91LPf8SLfpfs?{z~9aUX;
zSlDOVN-hbBnpT9evem)nlwr9gNqa13De0n3nz5xy6^Pcg++pZy^;B3GG0)YjmZK%6
zOt+oi6-dY1C{Zo%;f{7!hRTD_gLwG(3Kv?xejWbYi~^yfl1S-%g))2IN$OlG3l9(H
z78a)7+S(G9^!fE(&C=4c%w<NFR~&bzCtERNZTX<;eH{K84EA+Hq9=YQagCQi^J#8=
zejX-WM1*LI5ah#Tym^y5k{s9(v~b*cz?;ZAxNc(LgLUP+^9*h}gT<<NIxQG?oN^H<
z8U!t$aa3@|i@T}2rCYNf1>u5dURf|gGjQR2;O%IafYu+SMo4u)_B+sUw>Pgn-*HQB
zHVgS^Iq&{Imb<n|jM57_S<wo1JL5=qTXlN5Qax}`Ke^+Ef25?SrQto`NP;qQ_FzQE
zkVkyd$+yJBu&ZcjD0z8FR8&+*X=rN3M394M`C#%01#FGyhv$q?ojmm~z3F%3GcsbD
znxt_{O9H-7J#uZKSwNSwrg42>Xo!0LoT!@flYZP2vO-Y&k~SK)hI*r_rl#oZToNIx
z`6{T7O_Jjkmb88mcFj5s#@kJVXh{lOpK83q%*@>DIps9UhJJ^7x3@MbV38I3h?2%v
zIKJ}=EwNklLX(XQEsM4g_e`y>C+ei12vHz~V0?A$wI^;;$sRz_SYFyI6;UN;G@rO&
z$}x&OkpWBF==HHm<v;_ND8gAf1?1b#18=`eg0-ihapSC-eu8+Y4Lym<OaKcHneMfM
zL^u!0Y_j(C3#}afF(PiDjbDz(Z(Kk~?(A2%+@0W3{m?ddO6I)LZ-Q`KMza45Ka1a!
zhDfvPaI-S<m>5{snnS7e=fJ53&nF;LoU*NL9*auy(k2Y{<v2t4p$acbeT!!zF~ozp
zdz8+48`p8a3_IIYl$o5I&kvEh46QJY2f@^>%bK~tFl`IM{>Br|<GSua#r+lGV|OEc
zeu-Rh1+DN8g>c+Mv#u@Y=_VsnZnUQI#K-`!Rp~x)>$txvE6)f;G((Oys~^Yj;l?|*
zVKUah`@^k`1>#v?Wrz~2)b;Dv?+bV68X6<9;`(6NOg&p9iqlA$r;D;3&81`bYVsMM
zO!rqsH3<9Ed5#8Bz3t;xg6Pv-A3YLrOSV5$R26S4MowF>Wyx8b?SMGVi3=bA(?iuu
zV~vnl8Igl#y_>tk9#_x^r1T5B4Bz97g>b}3{1?~w%R5Vb1{W5M15|Dy5n(8*m`B|B
zNb9&SUPj8Kdkgg$gZGJ1M)pAUSRxuPANaPSBLNhjLZV`3X7(F4kZot|&c|JUUu7TX
z9zXxuDiItsRx7#P{4QUX%t$Lk?L&k*Sze(mf)N{ph)~f}($#$<#Szcx$63L?w!bHf
za~FDJ%{~@xLis6WAQ5<dn9gHW&zDbi_PN)brW*8wxEVMBxfpQFyw2CB9S7WQs(#P0
z)eNpcB~oGjX*_<7_a~wx_Fe5H>(o{F)jC?}<v*3&hJ+YmRQ>V%LCZOs1@Zx8;pYzw
zwdq@bP@J8WpVzp2ivijvOHjXCKahw54g8c(_3V0#rt1Fv<z@KGmjy2uU~GsuY)*^{
zNK*C_M}H^*2C*LJb%>Z|CqiU+D<PLXb64th^-#odHcB^9@VG#g520+8h}5vPdvk*)
zCcTO^g#wbeABbnzr3%imaB`Zl*qaQ=3reEcii((bEz{voN1GtN!h|0cHj(4uj6xL|
zyGHSO%N0(6!pD=vM2M17-E^!c{ahAnrkeCc8d_r*9Dx89WA_}`Swx6tZvb-=zr<cD
zJQ1a&DLm|_1rL^*%YDzWUJrZqi$m_Bq7sscS<D%BPb)?J5B+>Fx-Nm!?^wWnFFY!|
z^UgIA@}UVUMyOj~7utp4lFY3s5)zam68pKC>R#7uQ;BWd7r%H;7|0rA3hTQ64JF-q
zEIy_C>{%Jh(`3LWvhQ2J*gamR2E!C)&4^Jdp`Sm)Z>5NI-On{vA`Yvqt(78m$FW(<
ztQ>G93IJ<Nh+k>irPnh?s(40bSgIu@qVB}KTv!amdhN+t%LEqV#-F&tE=?_*<aQ#G
zZf7<E9=wJ18+>n4bN#DgSFAq+^tC@NbhAxad0X-LUy6P}Ie;4$S4z9TbBdGR2Y=n&
z2W<66kX0kb4ry|^mWojV3sIs8csa9l@=C7tXVatsw1Nk&TAhp+EuJe@PqiEgivQxl
zj5>!AqXZ}7K?5?1xsr9$HD=1Ce53L;yl(Qn@*_h;h~8oWB1CQ|TS7od>;$lsS|iCD
z9ex!MEnw{u5d0ds*@%+F0L}_CW#D5kQG9FkhLl%?cdx;5hd?4~<~#~gdJO17w7!F-
zGcDSGw0Z={d+@+_cMS%~<lE(KP7;X1RyKgwu3y?ipNr-;`g|loNnZhP4>{9A#rsQ0
zP*fRxX}7g5)kSvqU)T|UAQJDX#D=~35JuUc19+)5aylIZ?B7aIJa!v)Nx#%=gC1HD
zBPe1C-xs0#%5vIF)!qdd+3l%#b+R53E1N4>zxy-J9q_7nrQ?*IiP2LT+>N(%Y9k42
z)(lWLwu*Ps_i-i&O%;+zz;B|q(Wi$PIj?x=_BcP>TBg3n7>TNivq2zL&LOlc=|F1-
ztNxZn5~uAJuyfCkOV0~7H5x&0QCT_dk|fxV7yoQXnR>+s&L#w(Y{dra5+T~*a>vWu
z6f}9Gm_MUDB}JSjF^Xe&6xfGr*ajF`F6P@37o3M3=#9AwST=8CkSMpT?15fB;5$pU
zVp%{`L&mK}kkLX1xs{SG&sj`2Hzn=yY!YL;-`@D{wjGESH%3OWNe*6j2Vz7?BO_GG
z7VP$G_6s!$stt&F1+;}AS3X&w?}zsH&S?Z4HJBo!TrNYkNyOg~{Zk~6bLCE~M1bPU
z`?X|`!id6rc`N~I{hj0G!P_T01^MArVO@`_^pMN)fkvB=bWk_JiWo%3OerYd>PVaz
z#TGeTgM|b>r3(%Y=H&yXl9Yf~Oo~^o_i|Go3`O)R9V4-4K*4fv(UcbIM<Mt&;(qQ6
z6vRj~uZ1p)3sXpfdKXGg^LAQoUxb0p7CgvsltqHVCX@!Bt`*4jq-@Fl;;>_c%2I<X
zP=CI5S{>j`bK#uYNKv#but^W3NwD14;5=vzq{{a&sx$AaaD=D|?zB%42~Y<3701!H
zp!fwG;Sj(y1tZlIH1$`202R;b7N~^8Rx}VH{1N~aC_5)djuX87h7~NH^ykwWS5%Nd
z)iHV<ZvES}edz%+`TYaEaX}=gA_0wl8{_;<`{%-#ERyHat4oj^(7<+Uz|-xwz7&FE
z%J%lxY`askl9C+-M`u6fXMCLpWV4Zk)2^B+pvCE?;kI#Zd#-B2Bn1sEKM-kvHBD^?
z=wsMzpy<D`H6U^Nz2)bc`FW}iu;{mG74JnG&{-cc(Lxjcl|bTqiLsn#zsPP;^Ur5`
zZ%$?bIV2DmYtxs42KW^xOdcm@)$VZ(-i_gjAFarc?yP<d6nqdM#Y-MhSD!4aAhDi_
z_ZER9hO1V&q{RRQ0=OYo{D2?6sT2eRtDJNq>p#;tc8M6!A?sce;b<A5Fm9gh$pp|V
z6zcFRF)B8;@4`i3Y+5K749-jg#k&KeFYhE;4aScikFWfGEG@LTxp{SmFEc><RV;?X
zUtOlt5AYK0Q&+j);fE~&2&Ga0(xBI`&{W=T<(KtXC&H}(Ok%#M-wAOeXp5te2U{j4
z`z!B{9<~*IK;>`0MGuYr2*gA$cHa$6q_wTBmnt%fNi18LoCY0(ebq~h0yu>0aD>$1
z(UD|nyzJFLljFdZ<kzoX|D04-Q9(&bNO}v&;vT}*j7YG@duyh|DD3Yj=@+gNOM689
zp#stNf)P4Hm_CrEh;y2#`7}=(!u5JShy**@yf5Oj-2uGfBykkm+R!|)iq6LqOdpw&
zH=9e{muB^AscfZq`Xi5q-sIkN*x{YCR*nKlQ{l}Q1$*7~OHRA?sWkjcdk->(`L2yW
z43|A~T4}7{khL&)NI1i@cLmViiLt_5+Qo5(_Jw=X@{h`HnPS#Nh=TCu{5=}0so@fL
z%^ubH?}#_)OMLd)>5K9HPx*M{mIXShaHl%cX!({dck+EJnmqX1l-voU5!sYbU%+%0
zC=2wkv<Ij*!ckEr0CztHV1~T$RTX4+hD@UlINRUZhYmWFr=im&3&_8LSV_PgDq?+i
z76J3IMaC2r&eT%Gq5TgE+><FT3Bf(gAx2u1G;bx;Ms8374S+yoi1`3O)89$K3<!IF
zm2+H|`g@41hwHXv43Qq9Oq=u<orrRmtT<=AC3)jnWR=pXjg4($zt)jv$&BxNMA7M^
z+h^~PzQ1h-|DHHu|Fn+!(N9UA(ke&<VI=76e5PV(i0rEz!fD-s>IcD>Z6^5|{1EMZ
zxA=DHSGl_BoXH0sFu1WuhN4`s6{|5aVElP*8R@PT0fzs(IcEGl=!mXzUpgXafrc~q
z=(6+as(0_?QEO&@%91U6t;4<VrRUEZi#cKa8%y2jFu>`7Y)0b}({%72Pzm<%21wk(
zg6B2BtAJ!^ZDf>p0|2<7@_W<Xd~j>It|Xz>{w&4s;u*xKceOx3oga-qSTJ@3!`5tU
zY%GAvlSwY93E1;8KpwIQmrmZmo_)w}1=5Jr=`5MtGay?T=f1otpKKLx17NM(7lPbG
zh~r>Xf86}*H3kNT5BmTnGAE3WzL^9_my~beMo5(OQF7@iWrojB)hL#`9Ng{4kIN43
zgoECK@LMoAW6%mw8{bWOSq|cG7U|oYYFe2G>IkGEzitB*zP>bG&*S@JIgzMM3UoRa
zer;SJbZ)O~O5*%Q$C8p3C%LyuMBl<;GXne-kDjR4@h?!U&ss(xtLA$z9R|!D{7qUo
zJwOH+NrrvCeU{xEI#N3mRy$$Skm~KKCb3IK5w}TBLQaD6E4=}Rb#;i3>?uX4Kxl%4
z&k1zUihv9<a5gU%O-^Gpod9|(8`z*@X~>P?h2eq#`-K`ImmPV!)|MT4GgYgjuosP#
z^Qr;zA{nsXHAH|41F8fR?<sSU=50Gr5yX(w#IpdA<uw4t^ta|TgHVV4-#PCiPj=+y
zU-1bMwfPIajNX(d%KdmzNp{<web5~hcJ&jH*hQLKN^c5j%C#bG&LN-LWT%5L<)(yv
z)4U#WjfWpB86ZgxA5AcLcAYztR#J>>UeSGn9*L1LkC<okp0r&~XKQ4<t`Xx18~uLW
zz@)b;T6gu?L`F&e>FNGNb#rNp6`FnLq4zV5OOqTe3r%-(3JNH+q_@J3CF7S4l*umi
z$H<RjDrdZ#EPka;lx=)eHfN49HG;IPdk^sAXPToh(FaZUWgkS29nlzlX?OcFI*@I4
z&QbeB<W3>gF_}4hpfOlGvrdkBbb(Ov6d9}<85kT<<LNxrL}8AeVox5}W!;$#G}!lN
z&^yZSpE;b&-@lBpqu!mZyzbQH;T1)i8Th<?eTZq+FmEPxh+JkTYhLjSKU`L^>+RLU
zVuuOa<-{3DSw}7R4hJ67BPMV5(#Cd~Ap9!Z`lxb@!)G(ht<CZo{|WIP1L3<#pTb?v
z2<@K7Ox5L=mhFm$luI_0c53$ws-~MmK1c66bv9pc3|?uf@v3*FP`W+idB(Oo;RCMr
zUMD!+uPPl)%G*EJperK6O|AWsFguv?Zw>0{&b*tEW@V0_-u$~;goBtOPUJdart&<d
z|5)I#o-p|ub7Q8pSngwK_vgdYMFaeo;NmT#>F|=4e3q)_t%?aJQBz6)He7{Umrbzv
znv*u#JTu?t)w?KuC=v@}x2Cun&nC{~l61*f8&wx4|CISo^4@QFdg=*)3p1=6K#~-3
z!{GcP_o7)oSieM!eDC9hapCHA#X9OyD!+K(2s!}IuPc@$>b5OA=EkaJh8NX3Pf79e
z<&H+EL<7a%x*Bc}O&<5^GG7A&bnx*M0DAGkd#m3!h*6VT=i4IZZZkv(oGOOM+7d{X
z-Z)hP*y%Kb<<0F&s6zQ)HKSff7RQr@%_`{r3%{HT#02r5KIQM8eLpj?c@^ltzXT)i
z&d#1Xi?%y30b9x_Yk7FBlkU&EGEg1MR0cSBPo_IhwC>%EnUYpYHpVn?Ua7RAg__po
zZN$z9tDErN$6)(joMjfH;s`mRA<qJkg3RR8go4w`yQN=8Tc|H&m*lLRYCT)COkk;E
ze^1&u6RtsO*)!ovmFu63eSDrd@J>Hg_Dp>C1iaZa^StPqZy-x`X6M(D`TnlaFMNcn
zETxn8^o&DUp4H&Bo)uN*ahTmr9oE&X=3Sb#5gd{@oc?y&8MGZdw#gY5(I<OvC$aEX
z!iH2{)RSgzoy(pZOoh5iN*9RKoSC~O-PT*E&+K*|R~Lfn{TH5(zjQfsnmq0aw-@id
z-p_BNUL`R>c1Un;x<cy)nQ4>_zqJ(i{e)|?$)7R{c4x%oo_p-+^hC3P$b3*S+HEMP
zd)v?ILeo%`lX(+$FfT;-{nm|Yy3OgQUqM#P_^L;}jv}Rd-ZodDdp^=X>KL!stcnu)
zkkc+}jqO`kB|e@WGS8ULCqgD?bZozDDbEv<=M9I#^5n+lypB$WAW^3#Wtrwb^gK13
znMXIx@c;5&&lbJW^In0asbJ?AMYl<(QzoNt1~kXp`1R5m|I4TQEm667u^TPkrwiU6
zo%|rGzU_G7&6-w^>j2yVD1nMr9fU3xie6VPphE<ySR;e`GGq*^?BiFnxU?1JG~bGo
z+_3BQ(1$GVZEtT6JJPZP91aGC$4}PlTw0d<2%;6sNgl|S=fM={73#`S0$6N-3v(4M
zfv`P1J}&4^5mQvk=zDuZ`4-U?S8fc?8h`{wVVVde*0n<xCk+th(LHIm1&rPUs6KXG
z5kR{<qW~kG8{cRm;Bc7n?p;wyu}Z|oM6G}r?70HK(7nNWTLB>R0j{xzg2s146{+Ix
zHP);`X|!lYf<<E?m7t@g;4?dEVV%d(Lqyg^zu~VO?T%jrNbIZ@7W&gEbT)5PUvd@(
zpTv^##efMhq%-L$HA5j$Wz?G!<s5`S^0;1E1CO~Mm&RXRy5Nl;8y&(-B|0@WW;mC<
ziyZeRn~^st`Gj#_T{lz*Hmkb3cd*Az8t1e1Qv2Q#Zz?~>vnS_~-WY!&Uh!Z41snc4
zq2KZ!@?MzAY%U;vZXUWKGR%HqVgHLwm+PG*?@tP!Gy9nw1?Pi%#U2-v)klx|&Hnft
z#C8cwm)ZaQ)bCg=kk2{q^J=Hqbd`Zh-MTq(C{?@5aOhqMQCrXyOWbZreZ;quN%r9O
z^u@ITw=73kZsAO0h*Y@W59idFxlWRKCY#hEj$`!QWQPP+ZJR8fuhRzU+SwnpW2&jM
zZZCYtuV-U+C4Y%U;2J3!KTTI=K4O1fvb>0k$pq*3J3MMPnwq1|pY4CHUXr<ToJxY4
zt+QRcUbcys{ZE?|?hF7xuiZw@8i$K3o$xEy%Wv-Ak5N?d(=t0{RMp<fN|Fi7HlLWO
z{51NGsPHb(C=bqt4c+JfwNOo~-FRwB0vmeVfvi)1Q4NsWw?3D0@^W!;-B(Zf@T!PA
zQzJ$6ixW`VA^UWYSbx~l+>m;JUkXo>gx$oY6w_Yk8ie;M_C5k~d-(1WjeK^kP^?=(
z1>|k#{oD{i0Ycn@(o^i-L`!hXgd;B@dF{HJ0<2F7r1Aj(^4dppz|n%Ou6+Q$7RY)4
z&=V+VeB<F+Sy@0NMX<b&9F8LZKnjrxU{+Ix-vu!*{A?w2oe04XZ&&|38*lZ7n0b7j
znB0V{s)sI{8~hWdSX9S4d>e9{CI+dyOL`o=U^41iD|2^orwl(YON_$o^m{D)h&FIz
z7b3VFWUTp_wg_+b&IFz8JLV1AfPea?ZEQvhrzh9}1S&1(w)=LyddP?K2DyF4O)0WB
zQ{T8CY!|xsL!7!ESEM-vc&rbp8pX6qf!06EE*Fwb$gnl~PWexjDo>Kf3A5#_ZPi$C
z-W(nL27t!<tYbCaKlFy1&;1Dm)1No=Xe~1}RSlli<p8cCOGel-%;`n*1>rZ7TvdpZ
zR~k%4TmvARKYzqD;)jkin$1SspM5De&qU|<kD9aOtzG}ZW>^}^3f_Kv@V8WZKuUs5
zrVj@>_|_L2w+i5e=x?FJvuih6lz)(5yX-wQ18o+(vD$0eNDn(88=7>z4Z#OgLz-o|
z$wqexqi&+}cg>YDOZ(uxx6tb%4;o#rHBT=U`dB;?3d%}GV*pau44I-7o{x0{Xng*w
zW0~rGZ<3Rj-mt((tmDi{2|WXD@}%cB%mAS~@PWt*Q0nd%O~!%-z5?I_VUOJg(6gBq
zUNJ^ZjVAD<qPcN-XP^ruZCLO2A$72`2@+@m^Qn0{mc5@fy0I>`!cXl>KL-1$gbTX~
zAKg}jY4qH^424Nc0RWQ|V3!=c8~EY5Ew6y$RdQ1qiEYpXi{~v-(h#6crfhXhGjBm#
zcgQ!LpG`%-dyqnQe9P;4zr;d9qs_W>8R+5C@@8GP$Hou5IntxXiQqoE<{;;N#n(!5
zv;>GcB@W)?ahqA8A-}v!3qqWdLsn<k>h@Of{i}2`K5NUT&|snS6^;3p8-5QaKa0I*
z^%!U<iSNUejx@SLP4xKgjG#wP{cx1@(64r!IpsK_0Jc-16Beno@#Rwcz;njeUvq1f
zWCAK(m}e4%1D`1yv>ep9V;iQ<Sf=$FmqTV68*SL=<TI1M+62eox%Tx5R;M}WpRH2|
z4uO4V4X2WIvp-6Mf0F2N;T}029c1lE0bAp%%naXusG&(tdZ@WJ^;zfH-Ja5!(B!=v
z;cUQ}tKdVXn$V@Wwb%EgOGbdBFufj`Ajubj=Cv;QTA2eXXoukQ;pWo2wQ^E>d4Xfz
zZlbMQW|^`R57sKuOY$3+tAX=rccda1FVn?C+?RUwhOTxX8>u!MS^I0-O@v@NiXG4<
z6(Y2T5S&Mx_suT4-%TO)P1kHAIgJcMve8YfJHXwN?nOpMKGfCCCEdRwVzv&0=SC>N
z2y_lyfg-u93W(5mp(>ZgGV`%ZZo(BsDxi2)n6|Zl1;kwrA_?&o(&)3{gt2-opc=6f
z3jqs;RoJ*EaSQ_bAI*3gekxMZoEn#8?lQ#B53F^ee|6vJyEezA2bJ13&Z~OuC^D*?
zlsHdUU-kG4k=+GbT26p8?2ij9GOE0H@#@hT?hwJzA!|(`V3g0jmGvQ<ky8rxJIE*@
zrNMZy`8S{~7D;{8IDkU5!qvS>xg9JIp@SZK#;-jNP$tS%be(nnJbemnE`JCif_n`}
zAWKOJ6VW4&$hPo`NT#}(nztqF{-ZV_zUY#t6I0^pnT1EkW3E%01|<%oeJeZdt&g|!
zg~~eK@26h9St!3*^C@U}_#Q`@mZAr>Qg#0K9QR``45(yn_@1pGX3oo3hT(O_2(~=N
z##s24UNT2qGvI7((V&%1F^SusWG^}Ae|Fn1ETaIZse3Jm*Sqt}vxmlMrC-gH;$Kej
z3f1MbDcE`J`QLu#PhGNGho71{lC0S<Le@=`2uumVbGLJ@Ka82sCK==fySe-mSRh0|
zU`Zs!+|&>LR-Cu9Y<JeJgk)0~DaC!ye2`{o+|El6onqEU?rMXxU))n3P*6~wPVlsW
zoAC=j4-NeeMN^G*!TpruL)<^v#>ujXgG937_*Nh&@MG!KDq?g~Rcyj^uLFoAf>!7z
z?x9@r88b{3!Gp2~>SOu9DdH)hlCDSaKR`UkHs@L*3`{-fC9l5SRAY(ma;0V#Z>tY{
z1<*j6$HpD92q?CiCgd?%0>+cupa8=N6RGguMa-g70E>JAIOzkfY~{S~uboiDuN_Z-
zGlhk+96&LkyM?WOZL^SKeJm7jEPfh;q6E^A5iP4*k5UEJ8%l`()QYeK21lZBbuQp-
zt@AJp0vW{~J_jTzt=P-Z2MVp?(CK*4Ly_o(o(psB+lyD1H%RxsAD4vg3y1z{Us{}M
z3|PD)JK9=F-R2)hwCMgUvdB*I%9kJcl^s5I80T3{s*eXzPHCktJkh<i8=HQ{GmgR3
z8?l%Q%`3k_PDRtf(LB?x=gkA>CZ7wcuktt0bov?h66;02Y;+ZHdCWu)f{p`k&NN4l
z8_yr7oUfjouI;ZR^OV<W1YQdY9~ZSsYbOj&HmvLu>>J!Jt6CVahxUws9c4tHnomzs
zHExtHu&*)U$5>4#(ku$CqN=rKJn)3Qu<6n3Jf=-A#?#z-O(ol7ALjZ=8>YQaBWp4x
z!KRP9w^t1QIKDjD;HIbHzFW8THa~--XDt75qrHpQsORRK|EP|oWN+43-OGvq`)r4Z
zVvYlJ<B{22257qowVh^R;NFBQv)=7!|C7A(^OGSJZ5ahz<BAE=-r^>7pOnQh8b7dA
zLn%!7et>$~>N*8bCo|lR!ta+O%1!6>>qiOyiFk2jAw)Pe^~1)x1$%;P?Vfkto`C=6
zo#{%-IECFpLh<QANXrR_hDghc+ys2q>Lsf&gZ0c>jfA}`H(O39hcnQFHIT)Op>!f#
zq~>1@8BHQ<U60QJPWKHwu6-_D>DU5A9%nlZBi-Gvz9y;+1h$Hb3|%<(rcMPXEn`It
zBek&vcBkA5!%qv<XtQYmG9&qAT6$wmd$469RNED{)){2|MA$pNj|avJD3moecio!&
z{EvM+cK2SBuE5j~SnToQ8jO&*lFy?p1dD~aTN5fS0YaEm)o-@L7%9Csth36NJJzK8
zMFnS!>K5$+a1!Dv5X2TYD>!}M<n6doi)$pQ+wc-0U_=PBE?K2EtlLn&mVu0xHD^VW
z%B6U=e`Ks{;O*cu2#5dr#VEEM5^PF_5F8ph&*<C#3Pd{$N6*XUj$AJ^sl~&cTB~B#
zmK#mK))Capf~K8mrlUcwY>^WiM$crfyi$7S;jvE2-tqjZ@9<iE0vY@7iqxZ?qrJRS
z!lY&+4t8&Stzk@)Z?p<?k%rmCGj}Fc=T~3LizKb$MB-qjwVt(KkP?FnO%>}%_A3we
zN}S1ss+>fs#wyP2II|_TZj#=~Tl-C)294pRNH?db3|TX8E@Xz*S{(&BYI5&(hsX4V
z)p(}%nmiLUfZ%@^3}g$?g!xaG`fpAHG>Odjer6fe^q3gS$yV~m`_eDY+LtQS&u4)=
z>##XG%MUj$y(w7>&>go14u!jyhJ+@&4xE2EP*!|pdA9`ZA{_~O%<>fPFw>Z};U$k`
zB8yDAq47)SE2i1B6rDVP8=P&r41ON_kX1k@zN6mn<JIy_gM%HQR=n!4KD}9Y_Jqw~
zqJG>t=;1#R)ax3&8TS<ZJp14*OyB){r{#o1$fYIx^JzF+7yEO3N31Jmm=d?i85G;z
z>U65uq;)p3)tIv7h!voRLg*;sly#Bzb92`#qMj;eJR&=rQbL6IPT0<Ixz@%c(MxSk
z-%z#=mo)Y=v@&aNDnU^=c6Y5VEZo7R>@^(Au&>pxtl7xA_zJ@m3a%mCQgYJL(*$I@
zw*g$uGcqa%9BNN|_lyrvze_)8BeL_+;*>Ow-Ii^FGE%R9>u8KnZJF)hHz4084P?}^
z5zw<H79d%H+!dU>l#wtEY4QF~-$b+h-|Rj59`ZyNP{+8WBB*-3c{fKk1pQ2fh`N7%
z=BMc<40fe{2)#A3f%VU53y(SLZV+N$li+m|WEaYbojEb?HSOX9P`9b{5ia4rSKVbc
zx*ft|pG*gJ<>a#~r}d2N`sEhUXX>}_)KX9vo&avC2j0HS3vahPT;2jI>1%+#cVRA;
z|77|<nD{6g5K@>%A0T(LDdNBv8ngg0EXX_4H^L0VR(VGhGqq&9@;LhLtE`2WF+iI^
zjHmA_&orsy8#`O7MN4^^YmU%S1D5)(VLj~)E*(8pL|BRqN-s*K=(p`Wr06*5+^fT5
zu+)IOZ4|W(l<|OY$MZK$`Ajo-4@eZ}L$#%@&aqawWeG4)WL;vu#Q~^Y9L#|FL-v(Z
z?-2bT7GYcI_c5rFERb&-&<0`XLBA%o7!s@{R$7?pO>d+eNm7UeIuI)|^!yBSl7}XS
z2bOFCi)Rv)B_WdLrl(?$KZEq5bMhO-yC9Xs1A0*Q4r;Bht!&=Fd&(Cja!A?E4aD!p
z)fFE9=9fuS%z5D)?%eQpi#EeQj<&~b0z#sN$?xKDP<V6X2IQ<U(oBm7DQ#Rk_Ru<z
zmcrJ-B6>R9ogL#Ra_Pxs`i<<G!dTb$ej7GTcujz_U?)_R5X4(V1}2jGb|rzH7>@;I
zK#gt-Ph#Kx@h~x*k+mVURZ!Za=%=E{48wp$605N_YBFvV=x;LeQvt5RhRm;nx4)PE
z#N0<leJLB57gHg|q6V0L%20D-H2?hX4*oh2`j=FM0*OJEz3FMeIm)r^xQ+xdn@)Q5
zbSZ}U_Gle^*OD#m`<&54hdk>k)r6~`_N2PnUR|Es*eFJXB~kGEHM&jSLs+V`Zqst#
zvwTy2dQnz3Wpgd^ZKa*n;ycNdg>DnV{8R4A#mDX4Z=cA`W3)bhe3&B^&_-S@Lf9HF
zeI-jK*%HsKTwpbb;ad{Huk0i&03Cy7T}Pd671JqVR>O7;TlIWEvt^%6fndFDYd8c`
zX3_etT*4vQDgpn1Ukwq5n*B{T2B=hr>jt6V@v=NHyIsi?t7bWC=CNih6D^;ymo$Kk
z&VVcs^``}neoKVEJzJWHsBLPt_Lg7$!<>5--y#@LQBjDePX&K>s(Eb~-%=4tq^|hg
z(}peykOjK<Jc}$WEKm^<3LYL+KqDm3Zlw75@%z`8#QRHYh3G7P#eKO?irP)N;~>r`
zX#D)MCu_M4K{M>$kGMA(q1`8z)(lDGIu9bcpVQfiZ%4!@C5Hb9vtGY=5%aQVqAb7@
zYTNrZQp^fdF#p|6e*doZug3uObYY^#NoR@u%9U^wiriE4SSq#8C@h3L0*M59M&tZ8
zW?DGU&dyc?|C8}V4-S16-`dU2&xa-o7+3-?_@mKVWPg1uhr<(B-3zp${ch?LG%SN(
zWQ(V_T>;d7zfOU%<bY(gB*8C>J!wEDre+w+Y<xP^z~DGi^yRniUf&^6^-DBgU^~YO
zEIxi6elIE=S^uwQfZxY50XZ~`sEyYO6QdWpAt@<&jh|n^!Xk_1PV)UrzdPG1P60>x
z_{Eo&rK6(*+uM83%q#-~bi@^6y1Uicq<tP->eot>(0CQgr5OIz?kD1wXtVRY?fQ5y
zDBkszN^hsKrYmm*f9(5h!wah{BC~DvU3Xm1B4n0I-cJL^#P-Ew)Ot-6Ha=0_@o1vu
z{f>##(S9}jPT>cgPPv>k%OkJ#_KHMsimcVudoe6FSMInk@yBy5nVOgs#b|}KQ^q);
zcO})TKx06Qj}&LUnS+DF6H)V$#FG6o{U8-jlx`F;8JWPvH*emA4G#}{sj8~F-YfZJ
z!bhtH%f}gh*jBU-R{>xJu3Faxdv;Yl1qt-yaZ5|H0lkkZ>grFEfhI~jYXU3}Q733z
zrIMbb{+8EL5$L@9OWs8w1NI8dzr_Y^Uk(Q`hs(Dr3tSZc;m`I`=Z{ts4<MUS&9hL%
znF+#o9|zirLDsu&YKlM009p$tCrxgZiF^l(GrU28cD5@Z@r;$WJzqmEki{h?ei)$z
zv^Ix1i)gc}cOND7$=|;(?zKMo!bU*<6MyU!7a2|F>sN!R#=N&Q&4ZK{bca0OHTm@T
z;3;C#n~|xP?H-uUpjPLjKS~AN|4`AZvZ1=?gFQUKcI@2oTP1p;b^H2tx07|=;dBS>
zuG~dN?wkCKthG-u5y<Kvbq+TyEv@36*cwmkv~@|o{XeSCIx5PxYx{tJbSWJJ11KRW
zNcRvTsKgK=4I-gPcS;O73{nD$gv8J#4bnpkil87UA>9oFd?)w&e(!TX|G1Veb?Fu7
zwf8=b<F`pEaC6F0vZ>FObmgEEny~w7Y7vPfYu`)tlr<hu7GV=K79+L%!~?P39&)zE
zKU!s@@li{gU6KCz;o-9M_bZ)#h;r+?cSi!B0aV%M5^9tet-28L&+qazF*wOCHd|=$
zPmQ4$GUzSlj+EIMMPU;zAP;eOt^a*c3*mv7v<o?q;4lGKO1-gJ{=>0>7<`n5co<pD
zKyag@4f_SVuAW{3cQTZKfai{&YT$hW*BE{s-$Dv?reQQ+{Eek@v^q5dT({39kBtC4
zYbGA}jJA;pMvvpuGOZ@7Vr}R-pCrP=mIsx){wA@1ETnnc<7%wt%1@E|#i;Jvq?+xo
z`}z=tQnU&m@*PZPT*rnM&MsF+W$Y7<84`Nj%dM=82AqptQXvfp`I&g~8atlyFu+s*
z!EjgQ{ey9YeiA0h_=yuDIAKD!h+|F(Eju_0s;Szq9m;&Jusn?C$2paSNG)S-)U9>V
z7pX(f^rq;GIMyE2-hckQ5Ir`ED*CjbGechq?afw2l%1kpL{AGpNGKyoXbm`<E51BN
zdg6*YkVV7+%en)}9ff~izRl48|DAI+$Ac*x9UOFT{%V4&MwYE7^b;^XHE;2)MSn<8
zy8QSc6}_~}vqbZvnxm}{AFjUoYN3mfMd52+ekIMy=&L`r@I{>$%~_@{_#!{TiSGAz
z4cFT^)p1*zXo-I6%C}Z==fmrGQwbGg<d4J5M}L7Ok6%x$>^t^%)FKJZy-_L7hbv?K
zhB`4VKCQ&xCWTG;WR#Evtx#&C0e^={AWUNJ)q4_f^JB6&2GifJJ3p!VRQ3|<HoV5C
z4D<EJ<N`xf3sC3rfuCWQM^1fV8o0CZBZ-2g-2Pge?yn4Ek}PPbg&T#UQrMw)7o?-t
zk9#Cqv+)rKDim!M<w`M>7W4)fGHU*@Ue#9qw@eS1K0U~zjI!CBZgAieTJeF>z`oP+
zLVLM-1(d;v<*J&HcLzKmb#BGLSn6Cg>*Ych?>-RXu<By?uj~82b;Q^JFl#WrQ{{?~
zIz0zYx?P@eLfs-DG29UvCkqS=L=)GwpiYR!g;WTadLL~o{ca@JcsSCN-T1~Kn*Z%j
z^p0+IA_RU=fHF19<?7yiZBG=f*_FS16CX0zewbvnK3w?uB9n<Tvhr><)6^KcLcErw
zoi}+hQ8z@pZ*elsC?byd<7DR3hz<M29#PxL%*P1r${$AbsIXc~mq`{6sxz7~D!cXD
zx%GJ6;vNos0&rTW-g8!&kd9r4^~q|8{EY&O-!a#Arh{=ER*SPP_6yL!@*U%punLYz
z_fGHX<AnUhU7m@@r|*_|%V5tizuWZPG*qKBXy1BjLPxl(C>wfQwLQS({K}1~w>43o
zm42#u>VcVG9?cy;&nc)*#K<o;C0HlSa9lB^-T`9|WaR<$Tmcq{Y21Am?N8kYP3(Mk
z{OYy>%s;K5?X>suylqEi{t3ARX~LgeVef_iy6i8n&^Mrb8;ik5kbQAPjT(buBxknG
z5Fjf+y$W=rihwguyRYtWaZ6bWR%x=k&xSkle{X0EVpKg$bJ6<=-!f$*v8&b^7@^J(
zG3)bVGN;&w-92e!PTF@qhhRB1r2TQ<l9#g|4QBAjUefK3Oe>%6tZ7Icit0L=tBsBF
zYe@Ptx`?M*6gMI;yL*U|X2h}e1j^`=Z!X?U#rs6cNxQfQz3qPI7c=sspA!*TROk0)
zuCQCS?DD{)$DPb0uOCBFL@4Ep$9VE_l9eVz^<qH8chHENwPt!b8i!hE_ca8o*plK1
z6;<Z5vGEl^F^<Wag+;%#c^OYcUbLF91<OZ+?xjd}hf6UpszrmWrCID@sx`F_$I##q
z3Qa*x2VA%%tIW^=69NQ+TtKN2sxXMR5EO$Waws=#LYklhrpW(gvNKuH3cfN3hQ)^W
zA1_5h0yTiy^AzY!(|e%Z2*weKp=3S((LzG?R-TuO3wDK;qG8lXji#i=ALBCZY9CuH
zrg9S|fY;u3+3gVL6q?5r?eUZpsX9Fr`P5rr6<~uGYIV0#?&HmDf?kyWG1Qg0EPEZx
zEa|@?$I`O%fF)qjP||<ikf&`dbo#3^`*|0?Mrja1pU04ftS9S^dO63Zza%-uLY#lM
z;d$?TZ#2*cMP%-6K}&bEVftoWDf_ubeieB9IV2TaT&xccyE=osxbO~DE$y_b&?MB<
zy7~cRi|VU7PpnxUc;bF{o{1oqf3scUVy19>aReV%GX&nx{xj%pU~56%M3MWZ^A>eg
zsO5j6spOc0q3_mwxw36C0H2qbQB?^M0T|2kVqk@c8Y)Yx_!6NUW%NVX@bbpLO8{Aa
zV6eHsE-3&<K5&mI<95i>R02=m{~D#e^Fa6Go0hAvg~mbkQ~0>^D}MS3&I=izRWbY*
zzd{B(L|J4!%(Oi`PRGc<iDjxNn-P0<-LkTF7yWdLo};;fq7Nv<0ay}}M{Utnq|Q0b
zEB74CUbgRKKyohPkUB@Fy^^Ot)eF5(=rK|O1A+>%T;K0;UMzcbv9%JK4AH{irV-ls
zn3cMOpp}3H(^ILck;_5vE$L57@4NoS&KqU<GvK-`8nK}wKW48O(WOU!zSgr7)@zmO
z^7MK&sm^1Mo3y<T`KY0BV@GU=o|1+@@43F)$v7za+nT|7ANhSO=-5RMk~OHncu`sy
zT&|TOaDG2}z&&cEl3z}Pn^RDeD9;Kt1BHQbo+ivU1XTW8eZX6=5ml40_>Vok9X#JF
zxKO->`}4B3I4dAvxO@S*TnjoczlS>~M<+zi{E-VWfe~R)`?n3dbUFs-WH}f46d$0j
zzAv9W{l{0BaGj1lBX0hHO`N29>6C*@l&~AFKKg3MR?O_B+E9@jhNo1`$l+e-{8%OD
zN2<|}y{NCR$Z4T6f^DU)%l$Hi&HMNI(`VEc$B$mE|5Y#aJC~4rwy^C8$=+W*!^j>G
zCL(7Qt=^dicCiF9eo`@{HufO?ldO#>X$?*4kw8uDyK!!D>`gZz${O<VF)4%dM4IK@
z5lNgzZytvSzfLyF(vK4;Qlp8f7)^-~7>y#*)>7A0;*EB+c~bI*r%*Dq@HMYdg}aoR
zFH+e;F}TsdzUVNTqG*r`HwQ%jfPV;Y;2n+#2ppN>&fO129D@n))w8P6>HgzA9lL1}
z4luM)Gd~G+R}HMW!LER%jzF?3ss+au{M(YK)(E74joAzBxR7+vAjp!S{LD53ik~kR
ztq8Ia<65P#Zsw$}0VA$`=`^Usux0O>D!PKCI;?3P>jfFW13(>0zF2#k`i&{#Lm`(F
z;-RY1jHOLheLUwxV1!=zB?-AiP?YtA$*bknro!gkyGf?L^xgEcYTe^>@B^3qgW2Dh
zA*9Q4GNq3HiCmuebeEFc#`vF9>VRbuXtChDVz+8oin*fqI5$^Tb9iQq0H*az=zjGU
z`|g*4$@Bm`r4^6KG+(l{M5KkbRosrz>)-3XVFqFxIlDBTi!7Zz^(-aCaoyhwy}O?M
z<t$jI(xjZo&HF1k_tmvR{yD$r)~{ll2r+SbDG&jG0bS%Bal(&kJ1^jqGeY3}Xz{Bv
z!G+4nf@|H<43r)M13O?M-U7vH+vUV%2c;}=!svgsSio<+yLEZ71?*eE%&QAL*T8W8
z^?zc=7`gJT^GJ?gs^#?T20#7?`Wk!T*?_*$feNGoz3{mB`5y>mym=F|@QsYicHu+*
zMNRr9`f#0l0nVzb;Y#;C^0tMw*1a6fM<1$Iw7KPnr!O#=-sj%)6!A|l8)C3Ll3vWV
zsX-Cxh6-JOGTM5wC*+mK<79Z8P8kzFHk_bR;pLPl2sJ$Q)dwt8`N4>_d7p6@)5sg9
z8O6gBIvca+N<ZJ$xqMh9xo7vyQe{=A081ok^g@<R`PDEn>|1ke{pkc%z_Iipt+*8&
zb`Kk>LRBGw$3bkbA;hPi?IM^soyceNmli56cdd^NAEEV{`|FcFM_^n!dy|+5Sb}bQ
zZtsTi5n_)30IZ0PQN${&(GXl#0XcUtccB#}NSU^)YNlfcj(&YBSXe{~`@8#;tSG)l
zyoKvM;tcm(Z$@|{yFXjbc=sVD5TkOBf~W1nhUyef4~{y51OGwB<s0<cm1?h6x2`Ir
z9F8z;Ny>BnpO<`v<LXe}O>G0SVGv3;iwo~(DBOn~FA4=kf!yZO@sE+fh`QN8<~rxu
zo($*KD3iLEf8r!&EYc!xxsLR=@E=u754b)WXc0K7e;F)z)QTm;jD%vfFe4GzSj<TD
z!BPQWg;~Lb&e-v|BqSiJA88BaJ@IPe==H~YE5B-M@E3I$n9zJz|7c<Uj9Zs7Oa0_z
zA{kr1edzpZb7OWc7IiwI(2?z^V7QyRFgL{`8^r8m_cFVF#Z-T`K6gR=pcs;qb8>CL
z+@C(mL&8GF-B?`K3kB)6t87{pJ7gZY5kCw2-jKzy=TEB3Jga83$nB(A?$M9@9Oh6G
zUHp0VSktKwt$v(cj3{r5s&Aa2vXnJvHH@%V(n+Je8ExA{VG${ybU@fwE*qMdF3qi6
zMLLl1KKVr!9>4JRdjf=hq!9=?`T8L$K#_u41o!P1zUe|YJ+ERO?x_N{Q$dymFYhB!
ztJy`NL&KW)wdXC#1Z@|sJPu;=Yg>^e&t9l3R6~#b7_(|6Xa2*>T){QE{>t{TVGaT2
zSCiKjx>M-@7v=KB9ORSh-In6@LThSje*f~Cg}?4itef$T0m0hkGlNabhExz@^?SPM
z(Xg~QlbVHlVhmz)mzhREfxbYKR@<*S;#NG|Qa3QTr`gZ%QdovdPG5$$FOL^9gXt>q
zeu8mZXv0Jgm%gztbqy4@x-)wW2}t^#O-Noo<R5O`<7JwCsk$*l32#HrkwO(_lxKcO
zpne@o?~b&^_5Y<z!WQ~2QuLQyl1MGhDq$<1jc;-0R1sS)(o^aBK7<FZ3(Cg5BZ!+c
z@u%DID2Ia3EJpI^ZeFJE18o=Xaft2?$F53OZ~vq#w^FF+>Z=c{qE?RPs+pB$3x87M
zY|+92Yf4(=(H*hcmPXA2H`}RQ5F>nwW<KQ6Xk_+>U83FS0aRutx+_d9nEnsPoC<i=
z?6{G;f$De*O|$1^dpdIugS&crJ3(#~<XVXn$^$kWAL2s6z!V;gXs+m|G@b>rWCid`
zZ-SwuKTy_ZFWV{C@oW|t$XI^fCD5?`f-{-UDl}O0tz)(qQo9LLuO`11$~2n)FPLfT
z(~@iTG>nttN4O$}AsQ;rtMPp<&yU7G?D%c96c8pX3N17KwTzmscHQci14CWoKupU^
z5U0x`IC;CRf6lQYu>S-^-dNr(f_#G5PD=Z3$DA&Ud?3lelHfd;ZGb8r8P=@pM5cfs
zA6-H4NXLijNxVAlH<3KuZ7OWqk$>2BKs?-f#{01CYjng^*6-zFNZ~3n)Xf>)4-PrT
z+vX~p4Rwz%c7=3&<|+8nw>~T^nscnJPoY<Qyuk-0`JK8(pVYd5v~?=vq@Y5syxlvH
z(51E<Jp-|~n^79;lc;Q4hkh?$QTyG_SAaEo#@`*CChDXm6a8iPRu_vOL1nE3m5v)+
zTqCPej{58Cc@d8{<X<JitdzC`ohXp1PYvW<HH&rhJ@mzWM+ODDetN8l*kGva79;gT
z+*O00uK-VwhB>fJLKVO_wFpa<4T2^9LBM)W4Uq;W68!@({QImL4ASW`C*USO3R(pA
zGg{0Cwp)tIXJI*gJI!lizrOlvX9s+_U2{IR8juAwvis&>Vs<zmXll6m0aHNfAH8Y$
zvMm4czR0`RKbHbb|1Y;5wvRteKIedIRf;#-qF95E;tiEQ{(TL*YS^ZGt+(yCTZrLr
zcFc5>E9F4Touir*h->+PoO9`w|BA&$VtI`hBrXPBbNN9B!o@~_sKib;>`^hkP&pX&
z&6EsM)%No^Uhv_fHL%dLfqtK=qB8v%oLF5xhZ(PPS^qimYW>u&FkmrN^5FYz$@AfY
zo_S}Tpf!nqT7Z|n*Bk6+UiBlt-6&^211(s~DQS{<+v_Sv$cN>Ap#+!HdpV9}Q2hn<
zB9*|KVpgdb<TRnvP+9LVR;`PrCFI*z=i&=U6nR}m`M&J;TdW<c^(5R1DO3FwVrYg7
zweQ@Jo{KTk9_b;3IE_vK0qzcMTB`u=*VmL*tA8c6W*DOEnUyPqCGkz5b5t3q$muGF
zn-H{Wpbxp{CV6{W<$TgH)e5L@p=yJ8Fq<A=uF$VV$bec*1{S>jv$pshj?ZdQ!B66Z
zKb?_vH`u|fR%hyl54hEcLhtp;Uj5g=J_vm83=QVEpaX8*O)lrb6?M<^lED?NxlNqV
zs&pi>JRA0*HT#vJ<Q!d$Q-yUZUBKz_=W&zC*{yFr_1nJz6$O!0$#(ZY<S>%IN>3T5
zlQ9<M4J5D!RE+fE$f&^mQFT61?>nfr4|Zwq*#g>D&kQ$h8wwU@Qv99{Py#8ZV5Qub
z8Jv{U#0enqOo_L^-F)0Zx_V-DX{(_*(z8>Y`U+jdsLm_|6)C@&0i~&szja+?F^)&(
zEFFDX_~K=IC9{HI+%WRqB_6qRV62|=CEe{AEWU@cf9&d78?61L4&|e{(5ua@khq$T
zvTPP?-IdoY4+u^yZiD?<JVJS{rmUWU=enx+1GUWVL%tL0Ob-?lQKWUoj_j$%U0o(;
z&Vzju4cQ&SL%J-L&+VEevAmtGCPj&m7>b2rjJx64gJI6UAP$5;4-g^vdus%CGy^sA
z@w+Yhdo=90G5Oc-b=fRH%jYW6DfqeTs4j}}w!7Xu;#*;dvp)#~@{p!xv<VQyh^VOP
zz)NTE1X6z(8X!1ZEibADYp8gj=%1YcS#S*T>kSTdWj414V0*xW_a(~Ozfix##}vAx
ztx2@06D8z-!6kBPuInq=yhmuI_*`$I;B%uMKBQReRr8W{GV5l_#?60?jV47X|7zL<
zPdp{CN?{k}PVn&8zpyfc&gYTsRlsKJ{`ZBOo^nNIEUMd$Lt5fyI2GUf4XZj#KLEE1
zi}kO=g9$jx9)Wgd%4<u#d(>Ba1HQ3xEAM8CwH}P+yLv&VfhUdal3DL)@fN_ca4Vz-
z#jh3%pnv$BGq)M&ncqL?t;}dsTdXx_-&%i>C$6#BTdW}+c<nmUROM&igpT*g5|7VG
zDo^X_g9US6O5WSEkF`fWuBt$HtxblB;U|?+xfB^=NRCNwHjiVb#7Dmj&J}1@%?-a=
zfxp?+Bno|M#9|hFa#mf*E~XCm)41j_g>tN5Tw^V44jZquO>2}gh(Z=+#DUt{rZb70
zdixhuX!lfS#V=2)ogW06p&HznkhIrnz?ct*`ya{7>WFrNe1()-KAHlxQU=pq#yC<l
zgAj!S_<o6&CIdlf@G2K}2-C$Jy2IXMPDQnowK~V&UbT&1zM4njoMc_@1vL^S&`0`M
z|Neqv5cAhZ(y-T0g*_H>o=k7bzq@&F>h}h1biSYKtqp?icTk9UExc)^5~d|t(7jvn
zUMuEfjw)=*^{}X9edRI22p{pY%wAfs?o4N`=7st9|Fxu1DQk>$NPj54?El55WW&c^
zO@wMoOvQK?#m8odYCS@pydOWRH1@}|Y(4}Ka{qV$r#?smdAP5S6ylbelz`Dj#$bb=
zle04y2h~f>scv<GR<xl@np+4@)d|`psp4~};1r}~c3MI3$;T(&EiVMcjM>>+8c1aM
zB}=5)OQpr+tnAapqsK?5<t_k5`S`4-S915KI#1iFeAS~_<^CPR1fz+P1@&oEv4(wp
zROkZ*b(DV4(-VT-^mRP05^Ro&|F>c^a_Ft+P9?_y(Y-v@ZqNC<ML756Pj2Zx{MFNb
znlTA~#Z+uH@CO19<NkAEM3o-b;3p~^6hvphy!Al*zW$InEC#3Od55M6@vWF`qAE)?
ziZ>%i#7E`ktx{yyzBX!mHZ@pV=l&#X1|kWo%dJ=y&0pzp6iCJ@ud5xztqkUOG&gR5
z+NQ*&Ge<Q>Ux*S#4;9HvRC%Pwov6GJp-}_^T+-nYL?qPgAQ75J!{BTB2+wA*KN;Q8
zd532Zb)@>9;QDo$Iw6ox`~Wh?BenP|(b%iu!3#VaF2WcbM(HX$5~}Q4Y9-SIcFz;)
zupWb6=A&RbHYRFX&BygblxJrz28{6$wGO#O7}a1z(yKCb%EkxXT;RC{sXsvJ{oivp
z;eEWv;|Xx5N!W{tP*=k<_b4*<yWmD2w2mKD8~ZQYm$Px7aL8iux=ipfcYg^gPHTs7
z4`@&(NCobpl2FB6k@`VNY;qxT#4D35S#kCKUwPWL3FA%u=xZec;~NcUdMgbBqd14Q
za{vAufgkk#VQzzMtU+=&<7R)S?HKK?s`E5p*+d_<hUEQZ){yjMb%`v8{{3Rh#TG=+
zKyQ+S#kB3aaVw5JYWv6)zP~?dYT@i(Rt(H<Dhuk*ySck2S|aiyOf=*VZp|Uv@=rtW
zAO+iVuK8#N4o;<pNHu*Gc6PpH(4A!Y=#TvyoCXB#sA^iX$dhhC1*nL90RF8q(#Wl6
z%=fxzt<@cf@2Pch-VtHFnr;>qsc62WPAMb%Tz&0*Z(ZBD0JkzBB^z+o6Hyi6QU72c
zv;0|Ouc@d3IEPeGft!nqA7NcU0Q<J<;^Kmck2lcm1fw9ewJWtr4*1i2rW-x@{r&yF
z?draOj<eCc^?ks0os8i_{@l-MJ7gkIj0dw6W_cfO8V37!b0|j0lHtLYVWF}J?BjY3
zf@+wsLS0Pky+?Cu!S(j(n>X42YSOGV8UP^0%OlQz;p>5c<a1dUpVA-{HbCWOvz=zi
zmhun5$8l%$EjD2vu$f~KlL@`?_!v^5W{U+Mt+d~-H~bEBs}8w_pZX9)G7Wd6m;%ST
zJ1qHI_UZ1Fq|ctAWWXAy*vth(!OKfRa_0-e+b;uR8z&T$L1z)?pV!qp3VL+ZguL1T
z=+W!9DRfuOyW4YhPj*C|BFosTR%zy9Cm8Ks^6zl;HGByzaZ^xnn13-oG5>pKg3A1e
zZ_dG7X|R&Hg4Nz&XhhYUE7O}birksK9Wmq$GFEI4I!G(nxtRA3pIHpQcOU%uHirvC
zVp6%v4ILWi2CYg3w2|sf-kh~cUJN#kiXqxQBZn%<C}ew%5dZc9lt-3gwCINeUrA^`
zC*q-2r~a(*^6cfA15*hA$FUU~mK#7hIXIN$)KpcAR^tUsJ{9s7mQed#fo8-vl8MNT
z)y>vsI7H);^`n;isi}E^^sQ-y*{w43_LlTqpUiHZsC5Ld4-~aT^J4_)Qq<Jc+41V%
zlPBKXeq_*FN`Sb10subJp!fGXKeNVcqZnkZ#LQSkb?+ynMj$&9-t#EpQ_?JiEJiAK
zg{Zu&Cn9{a|M*-%E17<SD<XhdFqw_St7;w>IN{HU{xhDzbOtx!n#mm(t0Igeo^x~v
zQ~C`a)wGTb9kn)P#m$fqAW+~2A8t&EIDF&bRwVQx550_rV|dFxN9`H9V5i}EbcU8O
z0*u){;ym(ad`z>)I7=@tnU-cw1g^Tqhi$*2_0%3pp9W}*gSUHfu~%JkAH1hcr}Cl?
zTP#yS5<tg|KnI>mW#)o=H6$!=2`O>gVy|0~v&p(-1ajniKSS>Mbr}tXy?bNB%^#WG
z54anOZY0w{ZkriWGeT)O)@Ue;-a|A4*B^GSn---t$Prh2<y-i;Q+qCEDSzXzo{bdb
zELoQ|fYDmysQ7B>N(Dzbb_jD=w5?vN63J$9fzwkb`r$L@CRWNx;}ZV}=P4^w4Lq@Q
z`q@bOnvhcGtHpisZa|iyW@3tdeVvl;ZMH2!KO7)C{L458()guqqQMjcb!(+@7f5CH
z_44*(Tw&qiMYf<~T4<Pwn2DEy%H>tT@WDh~j=e*TDGNvtbP(1)%9TqFAVFY}mw%|(
zIoa57p+;O9M;J;O0H9fOHyWPU;1iP7Ami4AJ$@cC`U|g1sp-G(TWC{=S(J~kQO@-!
z#(arx->jxH<AnWZ;H?BQg+9KGt!?&)4~q8_-pP1bCDqkA_{+P1e;RD^6;|s8laP4s
z^0v$ReavS<6GBm>d3V%AU{rOTLPtZLLi-P|CoX?C48&RwOt=*u@|^65IGA77ng%iy
z`5dSunV)gH4$l|_C|Eg`efC_gN`z1+(<g^b8v3hgt9xu87h`0PD5^&4cyOU}ob$1!
zfqCy+UnD~6elA4Li=hA7It>@X0~G$QYu-(a{?Vi>?50lRU&n2cvQsbHFL=d>%jTD4
zr)5W-Y#aN1)?m2BguF2k(P5`e)KmI1hIg&A@{a}M9HnV!DVEIhW2&{a4c;NEma69u
zj+<~+6)QD1Izi)ju(jp(@vv8GTu6_&S*w2o`cr~^MGY7QQvy0xORShmmZ)ts4eOIY
zVBSJSQ>|R*gtJ4HYGg+fRn%jsS$!S}al&uwo^xnVs@j07DFe!00FME^iT_8?&-}5Z
zW)D>f4SN>unSrHRPvp3nEuYd)5*bT09-x%zen%uT046VlJNMy*!Yb{55IVb5e_no`
zU|GAuE#}uZEe)+~JPu|U#e*@u9N5<=Dk=ib5(6lVuuDCbA*B6vq=oJ0CkrVC^9$XM
zg)(l8Kxv+2co!QWCC;O8Nyub=iBsSl6noeC5)_YmbqYFP!R!hYcgM#X@PKd4yBz3r
z1;roZ=Il%BCK~9bY^L{94uZw@<xoCBXw5pyVQOakW{283uXNnwdAYZLHPJFQr~Ju!
zP`Mdc;(cEh*+4zGf7f_RetwtqV-I8T`$xz-UDI+a=v5Uyd061!<a@+Q`%YS=IPQba
zy$a3(HtJ+;K8~K&^G-JrOYOqw6vz#{BkSpYxwM*lWRBJ`RPaDL9owFr#c`$yD6JA0
z;0z6_|IYx&(n|wB0=aJxplGAXYah{S)lDLPkX%;(Wt@JKhLN$zCPGW~o^=n|I0W{{
z&lbckB~81+_1Es0H5>Ku7fDk8f$CY_7ovWInx{VDrsW#rhmleWC|rI0j{Igje_L|?
z27hSA+V2w%H7xYlJq!C-lAo^xPwA1AZNMztYMPfsJmBR;i5~%C>73}$`h|ix-G5q1
zK7b@-{HrsPi$j3m9a~c&9R7GcY(IUn&N&NhM1?zd*M)`x)|-2=PAh&6SMm_})SGYR
z=1-xEyazscFTVXcmRfZVM4U<l#!1ibOgehKT1cjRRd`}p*myyz|MZNYzr3}a={@*@
zTwl3uuHGR6tR!es6hzzMXYrS+y-9OdI=`5Q)`lTslFpwGrwPY%IrFfg=w*bwzo|HX
z>Js(1A+=e6YF~Us^aG;O=N%VSq&>a`757%C=pY!!H<0*#B;yp#@1_Ix{Fm{aHNU;@
zOs2+r5YtYk_-NU>^>f^r%!noq;n4KwIiaqgoHyL+u1{|IbE5)s!C^m{_%x&x=;|p?
z<3C^HHL8@sn|g5_WndJMs8XxZ-`_h%i|f5wl$DcZosPE43NR4Am8uyh?)aTuSoq6}
zg}e6Nf_irMU%RcGafGUnQl1xb!a1Ny3+GqZ2yN3_LxZ-=#RjFibE?qUqImyXy&OZ6
zs+pK?PsX;V-(bJYb-u$=?PM3U(ctbL1zjGM;n^%}G)vmxn=$=8e?^oqLeQl3%Fvzz
zPFJR<O-y(40i^5g9%Upgn}H~og6FrY)#}H+GXFQ~_F;G>K{P0ge8R@fW{e9B;3{F1
z^{z-Kd_dS45D)<GiDkRyyrpB*;wiVQSqz`wTfJdN^*%lB0M$n{RHU@>BSX@CQGliK
zRM4U9oMn7sMrCoF?n<-ark_=64+pa0<~`Su=BN^&)y{td()b0*9I~~fOWpl|8)hKA
zpuQpnY5@HJo)gqm@C&Ki`m~W+*0tQ#4_iL989Fzo9IaLGZZO=-XKO!A>NHAy`dU0{
z+~_5LPw2VvFdAtr^9DYCWiPs#f=<yy7AaM#SqWP^%KqKZ?7_+vrM1Zr?0Md@Jk5W8
zjKCqDF6UFYg}@qtyz6|NmMJ8{*d#}I3ezkwnpV4l^X$cBT(I1AsyC<@Y;-3NS~|Mr
zx|6qk0?6U(ws6qQUspKBB_w0`?Rx$z;L%tNSkh8*Tkq-Hg4U{j%6CB*OF;%SDmFbg
z9?52h#jHPI8}b33J^eg1j88vrDH2190-T2DJEQO`D2$jQ;8<SDG~qDHkLlowcBlpq
z`f&Z{JOu6G=U<<N|6$KQ4mKkEZ7W?uZ|<)nr}_TwCmENqo3NhSbIW~hk}iL27Ytat
zQwm>Cx(d?+rB}yehYl?S2G0XqAEq_>y6Yal+SFcn-w?hIuK(VGcHTR0+P+?A_M$RI
z;@&b2GYOgU))G*HjF1Z`=r5|bVvuico#;eruk==M90-5sX6;Dt;=}JUw1PjCGU!RN
z3@^nW$cg@@Z#cGQZD~aDccWTD#!ybd^Oki!23bm+#<rdS$xscP6t>k9yX73)m3Qzb
zt$uiB&sy1n$6x;^pMv{AZ#`|3u;&Ry?9Ob2&P6*ztr$aYT&zhe>l=d?o!Ae*CfNe0
ziU@3Z6n=j24bjRFVOGG7B9oH7P*X##z&D7zcsjxRbnuQmmo6@p+87E2bQRDXG~}rC
z-jN)v4Ezq?$u3ra1!I5Bp0l=|0a60zZ*l*dW(=~*_Y*??Q{EAAm`iUGf&!uLug)T1
zpn~ysS7RoCg#^unhGY2dsLX#{ll0$Zv2xR_kcU!p{D@2lLNg|7JLk-eP4PHZ4In$*
z>ehF2cRc7%P)2^N*O6u_nHZ!BRAGH+m@+8~OpJ~F7S%0tRRYB<Ogvkvcdhk)>Nsi0
z&6R8#v6}x$f(+!wXz%9Y#3;M{t`oZ9=2>7hTz0bnoN|;aCzj>d3dX3OByF9vDiM-5
z-_<P=Qy`8t#|da;0D9LNyDCR<QmJRVUbVq6-$t98>J)Nh)%Pscyp{Zhp;LFwxJjj}
zA%hd64^Np?e90V%(`4hdtCB6JlTXQAwvWnj6HJwfb8>AF#)!1=$iPQ!t^W)eGx2Pm
z`{9bF{Tmpx<WfMVs_n%pM8rWUbCW&aDD{nIf=;fwb?0A;BuG*3kK*#2ihPQx`LT-O
zl(@;=uRL;IH*D!=U@PG1^H*Bv&A`a)5xOQ}y~$T@o2f?Y2ZFi@)JFG;u!W6b+x;;_
z{B6Mrx_)hxO<2h&)`r{byDIs0nsoz|Z)Y4#6HNp0SxUOlMkvTfBQ{gK%R=a#IG$Jf
zfeRhZ&JpO-1m5yz8?UtdJ{C0V!XYB)RckQP)0(k>E%g3;rS+7V5MuAUnE(O5o{T`6
zGVqUCpFE5`oPBA-tS0m;TIazhi*Iv7+h#S4ob&{i`-wvgZSJJE1ZHEym6|FPILI3o
z#WBT_vD@`rT4`bgv!^L7kw69UPUJ9H;Rx+KeIB0zp%G9RgtNa#D-Gs!p1!Apm?lFE
zaChHr1=5?TMAp%>bM{&c%l?<!j;+&FESy5oeD<*A0Wk;VZ2+mqEa{$bkXL@Z>>8AE
zqs~f?`q>lnyxyDqKEa|91Qq;lB^guL5<TYT{9yr`!6O~Sd}8O!QMcn^^Ujz2O1^k<
z&VSgCw4QL;MyLd8RPXiQ5?_RCyxlw+Mf@TtsL)G)x0LzWfLmd;Lh9G(1ZM-G;|)rV
z?GIXh@DO;Vt<h%Mu4W8U)v_TCl31GlZsh0N(6>`>gxyS_&zx!{WU|W8@>W`UW~x6H
zdkKrMM7>?&mTE9S9+`}EDL%AV@BgLgA8XutEjP8#-4H4lntYr9*!XOm^e;uLs5$AK
zx)21+!p}x;9p9OXWehQ?<Q<I2Yo@tr08w#xDe_m~Y3Rl5WoxysilJZHB6t`{sf-^Q
zx`QSG?hk%$_OL6Gj`dmlDC$eXQDbAt?VW6EdiF~|JR&5AgfFQEld;8zsDN!v|DRjT
z5w<V3d9!_@jYQkHmB^MBqw>IU&tuYI_IjHVRMr)+i}$}UO1tv_Fe(zjZ!PjsjCcL1
zn*(n5BU#itPl_eo=k7qq_9{7~2}ZdOFbXFmnj-`IhFdx7V<YS2BO|}mJm;AY?aT9K
z)i*r4AT1G->HHONb7l7f+pcd<!#B1E5Yq0ns2;~6JXFNel<T^l+5Ox-_DJkxf-8gL
z$5qZ&n&Npr{Vhr#XX{m+l1C{KOXI71if~%p2-?wZBQ`kEB?j-#WLA{%)D2czi0ERn
zX&@%a@Xf@75hT(0p7q?%YYzP&iJi#X<5&G@QrOER6J<2`i|Msg`@KPmcmwhgJLmYW
z^$$dY)806Gc%Ih#iR@%YCXv~06Bge(;=mJr_tvR%$Jp-{ghn6Ca$IL2nYH6DtDo@8
zP^7~>A(Z3A0+@Z{<`gS~^TvM(OjWf9hh{Ux?xfn5Kw-cl0s&Z`z<*%fQ>pTT(CP&p
z_4FJ7P8L(X1nVFRztf_!Z8eUF6R3gV6c``>@4n>OLB}C872*S5)$nIjXfeOM%vG0X
zeE0XtRUn+_-=Bs%<)1xQ)w{UjAUU@ogXFLy{&UCcY$r7Y_vVepeFDq;LvvV9y*E}M
z{<x}J7kxV?OTDF7-~C_Sv~?`yeq38^B$vOx7FrdJE)8>XEAF#5il0^kN|*%*0T5AA
zs=K?3<-`Kl!Q5mKX`zB2<H>k$g^UQP3C-@Sic>NYCUaGvuQHOmtE?=6ixd>Uj&W#(
z+K|{iXU^ISTJSzKqb55IEo5xAjx1%|3HlDoIp+6GFp_(8W6aK+t(&y#f=*p2gHM3K
z%kxWqF}Y>8Q&8eNOHB-t)rXu&pbfE&=I6W4C&W=Q2UXS_v2M#nBD4y)r${wrLKjg4
zX)SW2w*CC$TfpRtK#GrT%i_;pJG318`FL=K<~6P5+sRD*5LQO<N#6SkVXQ0Thk0;I
zb%&2A5~l}zoj);m2B&DEb_PCK)z3bO&1|EyrhD<(i1Y3QzIEgV`<1%**oEQ#Tc1e?
zT?k-&S%Q(7!*<YISCpndqKj$;h!<B#eqqp~dr&TWJR3?6|A)zLupCXr>Lc*=Y2POh
zkQ0ezmY@LaC%vPQeC>>H7w!P4d;v&BB3_$MJs_A$je|(IciKmALV_RS|EI|D!ya8;
z%<gP#rST~?|CjlFAEtkxF7U*KzSJuurOY72-}lDFg$Dzb2dnnhB}M608xp<F{EJ8N
zBKq&T@BWUn;&M0TtEI01)6(w&GMJBWU6%;`W9P}wbMQ6R1!@BMCO#6}_luiw6!fZQ
z@zt<@Dcbr~k0%G`WZH)dFo3;5P6&nT_QTNESK8IhHQ`MvGCJK_GVoB;;gPwrs}f_V
zQ_*DllaPf@dXx~}!kA29!1;uv=iY=Q_Gh_{$GIV<ZTnODDc|8XJb8Kb0iwh~+31JQ
z{0VJdrvEjmrJ#suU^Z&7z-~)4$D0zwY5Fe*LY`c`xFFZf2Qoh!7>};;*3jdhhU3=j
zmCOh!e^Yo8Y~rcvw`_hylD@gYSEmhL$#9SB{K9tX;Imgk+M9PUw$&-9;E$)0j7?*x
zhmd-5Te(?D9WH+Vqd0mWmXujlaLfgL5PMUCy=pm36Q&~vB|&oD*<$eIO1126g=syl
zB<K8F8ghgcXQ+O~nqT%a?0`c@V^Ba1h?FF;dA5rj_XH_KL_{QC{l<AV^1d|hH3kHI
z_iq|QMPOPmH8rTbJX>XDrBSQDRN(e&2ylgg|It00(<;>%I?JWucMcFRi*sP!T^6hw
z1TOO=vbVB6RcJyKno>Y!(>xd}(0cxE%i>GI9|p0(jDMd5>Q?BB=Op3CSWT~5lDz7W
z^+zTNHMwj7=WAcQ7I`PjYNX|bmzVF}ra&bem(6=Hm)bovIXpKM<7OJz44^GNW{8Ud
zpr^@C`sQR*)PE8nFW`*Y&lAUG*?OCZ#Ao*Ug2qpLE-MU2cUR7aC(b>es_sEpW14>d
ztuKH2xYy)>xp(czT=lowS>^uJ@)K6qqrdQDX+E=NYavda`WGgvEMC*k&tBe{4LRA9
zsV#^d8E!Xl)r2okc8_e0W|o(016aYVcv&jzS)-xO;&JnqX3?0ifb-L=yo`K4I?5%B
z+47y!K?3!~hu82%BzvaEcYaRj==84sJ*yJZW&`*_PG3f9c2T1DC{zd#RBzr){ct)-
zoGIx=+sh;bmFA>egC<tqUSiOVH&q%gGJHI?PZ8gG=*S}Cx;&129JrB+kvpQJi8nPo
z2LlIK;d{suwXQ22@M<Oa&w-M_&#;g3{#;ZB`m#47i3z@FS%x)YH7uJU<!uT+ZZt$a
z4!Ut2*%kqwL@KX!LM!AwppA;tikGG&veQ`4#-DEqIlvUPM4l1$cG|s2%l*;NvTLpU
zS^gM*vv*KHWRl7}^wqoq;pn0r72K0a=VM%crm}wDeHg8Tq^mOblaFkEWBirgP2|?}
z&K-ybT!v~3f&4O(4)i+?gw~KQoLv=UE0WDa!@6Ky-Q7i+8Ni&+vjUo;t~-iYELLCq
zp|WylBD-!jK*HHXmgI6O!}42v!S0P@E@Dzry^gMD)kO!TQPI(^QGw=Yt$eMwIq~;l
z5p@4UL&NOSyuDbx^3-kD1x=X+%PM$Fn&ti5z$hhItUy+SBeJYZi?I_RGS!Q0Wgf|1
zKHOq)c9@AAI@Thr-ts@Ro0f8;K%PmkubmIeyQva>RlRp?GkY)Pym;R9^~g(3jhXWC
zaduBjYVXm>_e{YGap<GVu%;j^4*aAiaN7>Rz{<EZzI4xKALucbY%NQ!Ppwt|#dDaw
zWPS3@&XYI6<Lt(CLje56K+}SX@nonYNRN9tbBNVboaeAyJB#mUoJ~9$J^iue!aplW
z#-!kQrWIe*ZB(~7M?jV^4<h$g>jk=y+}s?s;g#Vmmm>)Y>gSnl^4Dw2f?8Yx<Y8-P
zha)xt3iFa%!0Le9kv^7wV)KV$xV^#Lc<U=Ai0Q&*m)4h#eq?=d$b7@%mf|u}b20k$
zNVV~`nUG>hRj28`D^$@&@d-S5;crf14W9Tx!IiRzULCP`q)hl-Egzb*z%}MzuJ){x
zpQm}7!olq1aUT-R?DhC`_Y5PwcWaKKEf&)s<M5Lo)QbXgF)iT*z#!Fint_o$i%(?#
z0nW>?`SPL*$Qn&?rQizH_ggjMGUnE@vv0j<KIIN+1|smIid#Y^t%ndgaEKvQX;@^-
zs>;Vznj9ARZ5=fzzo3QPLsq)2kzk~lG$oM>26@g<=PHq3LfRR<?X*5rs;Ym&2uryK
zty)N`UgcDV!Xe>@Xv+I}cRdh%qHLrN)GX$~#%o8`$C={{)$CMnQeJ${`S5O%IV*N>
zPV=S#tBQdVFU_08<V>pj9DuY3_}E7FxS}8~Xh(q1xPfB6$|oe_fMn_JQ>dJZP5+%A
zW%_AA_3>ELG4w;Yi>S|h9p~76l9KGF=o_ISL`}_l1ie}v-P8tR_|5@9=M(;y)Sti>
zRdlKX7Fr1!hWMX8xTz{W$q&5;*pO$U{V!etB*MtkY)g8QR_Gn+(-PLKKf}ob+d9ek
z2irr=F8bH8jB%AcewGp&<<4e3^YOUHDT#zjI8CJAc`Kx4DbC!oH02DOf__aHkMD>?
zYb7(5)okI;8SaKuqub?wZxt$1@4Ni^mL+8q(&3>1_AL%hIaFr7S&=SYJZeR!7>>Ml
zo+OA2d?7uY(*J3G6U!o46Y#9`W>xdyaRBOi{sakC@xt~^At9k9w*s8|5A^WzYN`lp
z3j{xGy5HEP90wW*!CKB;Dnl2-6_1Gov!H7yOS8&A#?lPbzZVpo$giNTHZK4wXC?0w
z9~PcB{YbY-LwBa8-G|V;eHM!EEocCSyb5ylelM9fnqNMkUQU4UJ8@5@xiVPNYCAN7
zCoG|NIX#uy!O6?3op*guE`(L>)6zF<ze5*Jj~>5+Npt@v8|GYENvJP#Y9$Da9<bFN
zWLNnL^$5;JtuS{~N>yrUdvK4liEhA++FjO%CBp=WxhMTA7&7K#)}#1^6TxVsdon{O
zd>fmq83?2O&T*%S@IuB~#A?_fHl3e_3+L{&&<Z&|wiQ)cFgJ==?{MY%n9u)q6ws>!
zWNk?9pl$%$$W<2Z?jHAp6rQMT0u4aX1t<_|Dyk1?^%7z-GW~N^8>t^i{SaUcB9)hy
zM@uzfKptb$G#DFK8RuL_oY4LZS2X=!AJK(@o~P#=U<j|2idMV{2&gi3mU^!*3Utnj
z*zi*)%24e`@$!2ZyEYZK4JmKN0dkCIQZ&zsCFFN%e?)6#ou$H05ZIskkROm}Uz+*#
zo-w{gZ!eHshOMhw4`t<2*X-KV^>Xx0#j^WEOjAtn)F4?5-O_iaxj0JBL`W%A3-Iz<
z@}Ac@_wIgwVPc+9H!&(zGgU6#^J#77A;SB#^=jwuSO^Ypv3$;H5Q~%#Tc2t&Xl6m=
zs6o=m!vG$f$JQ2~S?$cXqvLaaO`n0c73-Gw&Yu-%Ucd!=L8Gp>8~R35e_cqbIKNEO
zu{jQm^f}K5O;!(5VxQo5B^UQozC8rCp{hdY_zhToO_gC_b7&gp#Q44MEG3_F67C#t
zXdAw*lc9A3<Eg`V*qv!G;JrRjS-zcwzM#T&{jg7FpuT9GNR%+{dBQOcu}<0eJgALA
z|7ZXLO3nZiwV6BKlpbG&jThdn>+9`Z$ue>4!6VTd+s3U!7y~WR$#D4DjY^4JJd}?*
zm8lV_i4H5Ca-y*Rcg@(eS{BY{<)67OJ&2?&R2(cD(((A43i0~v-y&jSynv7I?*2E!
zv9Bulm`5NVio}D3MV4@)G|8!<yQXCT!V^XL_EZz9mmbF^$E0wvgWUPG6=+z>zcSm_
z=8%8Ub>mSXZ#hs#|70>bZq2l;*4v;31QZ+j<k!EN|6u-bIW&tUZ#{U?gyUnMCh`6T
z?wmN85CvmMJILApe@_CHa_iGO;}8<R8}7GFfwK?0lM?WR3x)5Ha3+S9_wav~pF1M`
z$DmcK;M>CUTQ9RZ__pVodaUJ~B((Kxh_m`WH`@C+5@<yBj+)}ZDj;^VlO~#9c$9u;
zb2PT}cj(Lg0US6kjgpqf(l^=T-L@THncKSv;pOGJ)qCO2eLe*T$6pjJyQooF?(E%1
zA<3!E&cT8}r;&Cc9DPfm8SJFZr{q5_mB-@8c)xZc!Q+&!zx<qpb|NTTbiQ(X%<syT
zf{2cpG+#)7gcs-|kuQGqjytYQp?p`tj5ClF*fMp?Ro#IP44w?xt(Qd;J>Vp%5IGQr
zQkuedRbWwK(y0!}a1P_NMs5ndP%B~EH{@?5)GWtNiH<?xokXr<RB@Yj>MjzB-o<l*
zLlqy&;A`;ol>dCa!|!Fi9&O67(MEpvo~nf*V3AMuKjOU8M&X$2D$M;#C}Q}k)y9KI
z3{rgl{i9gqc@GI$#*N?~;9IlS4iK2E5v3J$BC0(>PDi(`CI=T8R@ab!?xtFH<S3T>
zqK{v=^18T2^Cu*}2cUS6_yuFFBY>_p126^PMhhlm6vcO(DDyA~)<_XFMFW<=4Feqx
z<RiI*BpU8U2Oy`e8v<~C`9B`CnX+OW#+UT$W}TUMT`~W4c62{E=cxGxE$&-<7hkOS
z(k$HkLR+lmjQB~=9<IYz8@>`>u0Er4yDjtu`?Z{xA5J93+~!rp7TX*klbg$T>E)H+
zRyU#rTb;KeNBvnZpfv76<k#NH7dgMW)~xk<XNY^OZvIjInK6HQthFmeq0Fg)_fi}3
zyF%diJ{P0#$b$m_!~MP4?Y8<eYzA8m7B)kBWHvrY3pIGcljB?Ix6I&j3eD9fSN&eB
zn^Y+u=l-X4*Y?R_+WGXhAW|hXv5z4ECM#~_Ba^D{Cx*3RM_*dF#75Rk49?0ji!?2J
z-AC5~iV(Y4>*MwE_iaMEpZ7I^gP3*GDg^@YMq)}rJa?2A|44t!YKrckk0W}}*U^Z8
zt!oIVJB=H2v9(0MRySAcDVoqZ+!ad3@-&>1E|_B(6IabULv~3g^<MSMYbRrnnZ8ba
zC2&y~S`wI^lvh`#&@^4onp4!4z-Sk~*t@$7JyySI(H9~+&LEewTD5vY?YA!tjazDG
ztWB%CO|JLaO8A9aiEk#&%{X2PV(8lz0k(GgNGiAs+r1(jUi+?9%u}r=)>~&HFS`X}
zO~HIE1;5j)6L(!hA#WkFw1k?Yp|^rhOdB3ZmQhF1xl{^gyyrz8F+$#zV9YP#H0+>7
zIT@urYD_dzs^tDhgj)&d!ChY%2ZX&(X~?oxkS?SKMQY1Y4c(f-3n}^>;&<tHu2Z7z
z3&5J7knDn18eAv{qOCAjT}8ANYxcMGaiO9Bgn4VVN`RUU<cTkrV_!N6<|u!<BEi-+
z-^R6y1H-vod`!@p^YP!h*0|INvd#x8>T?ZBok{pUO86MeXqxuFQdqm(;MhfW4hVgd
zdV}c2KmE{#jO0r=G7rCu_dUaDL0vFE>h$d9dK^1)?e*HIVSpK>v;Doz<HF97Oe}@=
zkAgoRPlFhYjVZGxnd=wRG&OfFJiM8+<jM-VMV}YR#^J_$oW78ayt9;~86^72F3X`$
z3bVN**=QInIjg7Lbs24dQg^h;Qj6V7RGar4+BdApY`}3=AGy(%Xma>>-q$26AUH?(
zZ0B%lGOUMi!XY}I0MQO$Jba&U&&N-gW{oSvV0A(6kMQzdyDjSn|F+hb8df?*KHa&h
zi#{3>Q&oeys2EtvMrv^S1_xm}_j%Fr<MUk&#XRLNKF@@Sl@LGbim&18($DN}?=+;c
z<0}1gOVj*<TQl~i`3Zrm5SEPCqntf&p@aq^<64U??ED*RJ^40>W;D`VZMV-v<3)2R
zpHdE`dFSZ@llUTdAZ>NRjcDFSf<f+8R&2W;n9mysGb+tsi`@9kQz+hYn7`y=Z$8hJ
zdHMcY2mG0HTxUv>11ve~b?Gi1kfC4;pKn_T^^{H8k5p}Jn>7=B{T^wh?pu35n57&2
zMPGblTsRWTAU`6g5HUhrL7MQRSop;OMH5b6k&=76$Yd-6hjFgy=IdKRUE7QgM0%VF
zu&=#11@A(_;p!;ECvp4hSg_P#|DYZuaA`SqSv4O~x)EToCwt@fK8DU0o1dfaJ_$t>
zCKOcwpZi<BwRQqb-M_zCzU*EmCgW+(4d=577Y5Xc69{c;PmpG6>N(*F@hh}=3vUau
z+DS(gwr(=A0z$hepbm($ze`RIPuz87LBDvcXOYZO+FN#fvqU~2th8txA*c{jpFU8*
z+8CB}qZ||>{s;6t%~<)Wk+zuQpUe(u{<mn&{1%eo5|zh2B2JoeR?S|@2m2b*JB^9#
zylOcPWmcxTwLpcqLq5_wSMd}~ZNtTPXo>h0C^IT!wSs7MeuN3Es0(`;MyDV43(Ciq
z)D0k`94Rg4(uD^};=5B8_+X5^4#l$N_!z*-Dn7DUuVU2<ypqOHq_2fvYy>t<@;Zl=
zuHRI4jkmDXh+aJrao=Pj%V2)arKs&E?sVut_P&xu#jfo0H~3T~ujsWuKO!yoB}q*F
z=-{u%L{8LnGf0k7cKWA&_8S&GE}f0WBsnd>S+3?k09FFX@Ko6x9BIHX3;ub)O4rKj
z_IFSR!1CK@l>TgOm4|^KJq<Mz=zctB0CV)o^Bv1FypyT6bCX)Rx6%(%kg>5{@8$fy
z1p@oyr0@eO0eL`3IwV{Uin+`uz*t1$?Bx8b_2&51ZC8JmafGU^qX_7H+4yjAy!dK&
z7v(=IZ*q-;lTr-l9{;+}qTol+tsZY}_f*s%oSQ?kmI-BRN2T{GtPmY@<vtEi4Ju2V
z-DeXWX)Vo1Cl-~5R<BZJ8pjN+c%D?suTXt@#;OiGu;uzT3)AgnRx^_@GjC51)4U^}
z5XpUgx0375ql4oF`!a*x6!x0^Ow(YN#^~+n7$VJ5ouOe{bTKb8r-*TWOJYB=)^gkU
z21(Xus=;Zi&XfhsNF1ri?KwRo+V=!m@TTPBf3&w0LhG*3xU|M+5YIdV_WbpmP9JYm
zC%Q54AKkX>s48WUzOAU5-^?WKM;kHtl(>B5f<e?;D!*(xS{r3gG*T8?`kTlq7Jogi
z^8+vGPDfY+gLDA3+VGQTsgMln_eoLHyG#p)ENaipTx3AVRV6Qyjy(|s<2J8Z(Oqq$
z(6j=P9D@@MJ&Rv4U`vX^;9TxIoRjiP+F5KqQ9?F@q&pX38UbJirOBoK>-!%zeLLPh
z`E;v3`q^HRQ40lF1$HT`i`NDAQtaE6;pLG;Isl+ue+A6xVVVB;O%yFXm02L$b)-1|
zj?Sx<C5)qkQqS8d2Q(UtwkI<K^;H*oBNmuSv<o{xZ60Q5rrfbJk>EY&(S%df7#n;{
za))H7eXfG#4q0Es?0Ye8DFYaN(MnAYrKyN3<DZ_u4LmMfdB;u`Ju}wNu=$g&+Uzu{
zdf<~eZ1-}jQ3=irDV@915d%aCQOm`Lv1UxMqyHn^F;rSy%P;#8!^*pe;FTjbxqnT$
ziqiUO@@e#mK;>C!#}{LMP>4OvMk^3%n}oK1Js0s%eU*XJr{F}-?q?<Pd>2nv;w4>#
zmT@rk-BfQXc4Clyx}rHp!GpshBmHiIryr~;Xzc}896@;%NYtwRNPvL*gC$N-c`niO
zWUx5n_^$-GRv)sxEw^8J$1#lW;bSrm3MXzb%}`RFoqC!0?U-x+p9T^}wY$8dK}1!&
zU7;ofc+umv<dT7ZX`(5o2r$uK@SQaI)HO!$b1Q(vC3F)bzF_L4LjyJ=<Yfik(1|Q7
zY=toEQCeH~TRLgThj~Pe6UCM*KK?1f!sFc0-Uv+FL3;P8sG-Hy0~HoQ`DpC+R7U&{
znK!?i#MuUNNh;coV=IRS5a?E$5<fO2-bi6b6WLoO)GJ_s>bSmZ?f+Rm*1UzjRY~Vc
zYAD?O>WQoSEjanQs7PQp1-F8l&=0aLRV9YaI*Kb*N!|7B{orpF-81-F+q1FlcMW-V
zIA|fS1Gopa$G&xMr+>oNOL1=RLFm81k%}E}vfdu!QjnGKycMDK7D;`V&ibL^V?SKi
zFM^6-nGD#|y~_hOK=>kXPDYV|VIWfrNU0#z-Jxt4paHmkI4HtnP`5ehErf%}Ea-;n
z!1bEN{y(z5G9aq9{ZmmyKw3g-2oY&eI%cH1q(O4%l<pAe4hc!=X6O#dp}V`gyV=9@
z{&)A;clj`1P|*9F>$<P_MgQVb^TXt0kjLWPhgayNBU)Z>4xJG)*=%_`jTV{_oTet>
z$%d?ufG;e@GO9sYk|fhwv&GhGMyda!RQ^vlREP1;K-Li<bAbMf0Cow0qPtk<08+!7
z3;a|OseUCYu#mUdWB8Z?Am-x!PNRJ1*OlraaAfGpwB6+6WB@)k8R31}0~>K}LqH4*
zm4w^Wy67iEbG`r*4ZTu&ibcjR`Ap>b`N&8;1G)+}Y`|PqS3oDX{G<&of6d}Ct`(wP
zi}aaYL<bn{r}q%*7I6MNYQ<4~7aL~XTcta;LKYK=%8~zJGg{@a)q&~@p$;9_kBB`%
z)zV8qH4+UV4d;V}+}>QA`%j)_5pWt{y^_`p>3-m!B1rK*DwLQyF~f{j`8i$>Kv_n<
z@j?a|zxdrUwkCN=zn1MWrv4%zZ~+{(CXic%04ksuV!&%u&2wNH+d#_sU5DrS%I4<g
zTQb8Z&`JPG!9Nt|85qEW`43IJ=5@s5iT2PT(c<4POn}T0>lm<=J?DHr67*>iytS&~
zkg9|U#6TyW<#_tV#69XSp2}J2udC>$)l3~DK8EKKTYI+u+hh>f6N+7q0A`FzHcmZD
zEkBb7XOSbIXt_M@$bcBh)VstG+*_OyaPixE+i<A%FwGtfZ&r3T_Axp3`&|G9%XR&#
zl`c_nF}yNxoR$KDu+mdHqU?=E!v<{L{t#w?cpvhE8nkrjI+HYM;>$n3`wSo}UB2^X
zzv|FYb0WRKWv9I+=MzQ$mC})&N!vGt9en)!mc?2+z;>npx!_W7E@+;hSr6Zh!-rA~
zHR5FSHB%uR;E9EtFQOd!CWe?Rj%uSN69se^IL^?0k&yYT{4G49(6n$0CmiqxX_XYm
zNX|07DZr;@kaGurV4C+qLyE#mQA5@^Aa7qIY0cLhCg8M2PXY0~5d3hfJ9UN_Pf}9a
z_$<&7P?Y~?Rxk-5-Ld$|J-L|v6B332&q{$75Rj{97gkqYhd;4uKgu5`AG(PmW2$N0
zgc?7mi20!IWvArE3FxF)J)%9XH{apA38F@jQ~r7u$qO{&InqDI)n6@w-G_3*nR*W3
z&w2NDGjOX-&Ez#)cfp83n#MI(Av~2+O{~u^s=05I{*}Z==H<Kq&%fVlY9DD}U&c#u
za(U)6Uv@EKk=?G8uvcO7l!xnD@xO2Y;t0T|mkl)j+_OETIPIGSN+)h~v5b=nN(sOK
zyOcKjCD1FCGG1d|#H9%C4I2^{x++ms?D5`Fp0GeQyrV#0?^)b!>9fs4{2qT0@6qvQ
zt@&$uCADN{O7u;cw_T0jF5xWY-l;Ogfa;&xq!^Q346=`<Z-BK#NetV{mlo^7*WxXz
zk2*@%EH*8#LgJfA1r3pOM)LQkBERimlEJZ})I!(m^;j&AU%kQJW^oV12K~%tY>`yJ
zTkZ%vJsw#@jIXexWcQ&W=PgI5nlr6`HvP``2e|yWl~emo3M)oi4paLa8$Ym07trd^
zU5l9{qpW^yeT<Y02(q&RS{5g5pogKNXIQ#v1>iyieZUce5kY^U!I|+%2T%rR)&ECz
zr4XTA?K$AZrEQ8RM#o5H0l(PKzC!;3qQbn<@q(?FXG-GH9F@Q@<{C%6WAPL$+0vAe
zBh*>v%iJ6`i=jnf|CYid&&(M%d)ak52!Xv9QCas703=ybUPnlyKmYno-7h}_F7KF)
zOywUAb^L~+ycaC2V@FzLK-^M1=VCs{6?Sxj3JmG1qR8ImEQ)-+-+j$c|Hs9%FpN$?
z4Oby(eOUM?{NrB$7Pd#n^%EGkVQJq6C7?(qBr&1)w^T4#AI)Q1y+>Ez5Qd)kiP0nX
zw>Gs#0~d*N3*#5;UKXfrMZ%6mKKR$2YUQj`BPulRQ0{jf<6C|tNlYb|9`Y|cC3>Ep
zI_alFB2OoY)cluEC-jaAmEvpkh^naZ5?_kp#_or-O!@9AHe>ugkf1nO&FV%yUJ-(<
zT7y3@YK5bvA-^8{X!|<Cv~UjV#}6Ds-KCm$1iU8bB3F#<>7lcj(J8?IO`(g9&!=L~
zt-Z5@?)l2@?rhq#-)v^eae!;Wk1RwnKnPI5ON<RrXP|iMZh>w1ps3f`?W<SlgnJ@h
zPM+PkWJR0}SK<JP1Z{4U&dKI@+2Q2xKwDE&sjr5#v7H#krHRmJqg3E{(vW3P!G2{n
zBPiKj=Ks##UT-VABtP4h036YhpG{XF|Ni~%BR#Eva6ii!8++QG7~chTCUpHlwJ@xw
zb7M?!Dpo1y#_frQe6u|(;ho8`AhL3t2tZ(E&hI0dNTZ%$BY0|F0MF_*uj-FR;T&Ba
zH?(88C0SF|yW1c_r59&3iRSTDT(1;<nghff08i!%6*vBHfy)YjTY+f<k_2HXOWK>J
zL<$z=d_Lv<&YGC7=cPE%xc$Gzj}}i=uEOMjsGJ*Cx`a%tvV#P2#QJSCi_7tckof9}
zuBUe7HS8VTaydQ0EKV?{!dDDn6e{qEw$wZa4T@K&bPs+dqh+lBgD-kx_4?TMD1DGu
z>RSaKkpKn-Z^qlIIofstwOYP!$Psa!gY7!0(*#_$<gr%sKYfxY-YS6vWyGnzezL_R
zBJ#%+#jyj1r_6STfI%_<SwKQ326!9*yH@f^{WqZDY9(00E1(_F;F*qnjfzFet$p32
zqNt5wqWG|H<vCmQ43J2xcvjjOeKjPHum*WFx-)C`aIzlKd4kWT;66VY!Q?$;d-K!J
zeHx)%W_P*6>4eU5twklJ9RS^8JV1c-c#fAqINyb_y7}NS^CK4w8d>_blHDx&|5p@%
zLI>rG>ubc11z>Lg%=Hm6;T14OT!<dn5>%pSE|vcmkRqBge-ErUMhF*$Znmq(psmL$
zrLe0v6CV`w@-e#0x&(l(vJI%3fmye%tS+UwKaApFi>;lsHrpi-fG3C15M?j}L~;cH
zM&V=nz3KgXLFsC$6G7yNk<r%@v?>VteJ9BT1!XUwu@-Ow;5k;lCx8Oo%0?&iOX}Du
zM6qoeA4$ZnruQLQ70AH!sO6~k2LU_vGp*0DZAR00_0MR)=o-r`K8DJA>nWUotZZxh
zb^eOrrZ2MX@m!6XlkT0llvWuj|FXEl^C*RFOfn?q@2ye|th%qX2q7;P%JFpjQ{*z&
z;%J{oX@2{WSs~RP4^Y*g{KX+xEf~x|r|AF;zMneGyp16Q{qcMyATzdjBW?k*U{QD!
zymofN{!%}vZq=$SlhxsX3W0e%)qe;g(?DzUXpT$9gtl#sAXMY(q{Z`t`S80+wtLxW
z35*H59q{<m^r(PseV;s=JKg-h2qd3~gN?|iehFY%>u2UrGBJU&#{I3&#+(%=k_EoW
zU`_aR>U1ysRK?f!{xjA#r4MYN1Hvmht0P=?ViQIrXn7G<djZ6;(2XkqBPNLQ9cQ7M
z()^B6l|UE3clSvTUAyDpF8XLTI!Jt%^4H7XWh^639?!sL0;R^<gclpBawn8!E5xn6
z13IFey7UXtg*R?eS~%V`W|vT#C9o9wRIvDS*QI)};`!}Vv|4D_%Bv{}Sqk1q0_8pF
z_FMo&=O*LTGo)6)Y+MKVaAnnb;Um!gcAUI!>2<4Zekm9Ci}HyB@5`hZ0v6lfln(^#
zP#V7*#?Gx;x{~j!T6;mgB0?hX(#z>Eqcs9!W?Px%x-qoh5Oa`ZY|?jj4t>nTi<w0f
zlShpDI)a5mQ~)$PKLGjcmwsa502fYPUj8+(rE28YPxic@^aQ4!qFTMIDu8YLYjkvF
z1tSxn-k`<+ur5!Gp1qtL)QB5tZ4+wDrn0<+W0Osww5YCPt->J-Ww<o{GIw#xe1895
z#b5O(4?un#T=K=&`X2c%MK1=lVW0FAMb6I7AM*-D`U5}b7F!94nBcPe!J*5HL<s4q
zCFG?jL{aEZ#KX*_2H%R#+0IoWfGU;t623F_iJmVahZYh`+|`jjWX{$<POHJ<u+BzS
zb`upv=J0&P%eg*^#ago_|1Q3ae9npV)l;Xx7~`}5P83t#;gvk@<`XwV*B1?d1^Kd7
zxfSy2n4f-mrR<vpRmzPlVJ)m)*K_P7_rWI>)tBc>50)ik-DHkE2=cwWt0drdt&9Qz
zgBhQvs=V2W(mVY#)^A4w`D_1BIH6Bw9Qj9DwB9OFz2glzSMLkxaCT$o>Ah;@XY5(%
zC(INr@7%&qF)vJnRU521UWJ`@NRGUmH~R2_K|OFOKs6Iz1qdo7IX|B@MXJvihl}Cc
zqd9cjy0~Q6fGBHF7_ejH1dKc>0gX_Y=gnwp{-8YuX5>59%LApa`a5HJPoD2LVfFx1
zQZWk-I6{^J9ygUBH6y_KJf71!Jqn+KwT^=CAE|XfnJDKm^F3ge`qQ88Ife6p8G+Ug
z3&I+9m8VK(OZZZvV))H_?K`pet&Y`1sdm2p?)UY^CV&*AkA|cAu*)W1f{-_BB|+-k
zi;=|)%9i2j|0fzPHzTnD+(udk1Tb7|9kEd)<@u4|SN;*~MqI!0wZvHTeJn|rfQ~s0
zkQ4P(JSd}x7Uaf3-Doh%1J&~51@Xd)7#(X>##jQtpVUg0FjjN}Dmq{-q{v2oGh{%;
z@31)zJs5a@RmkVnz1ybrp%~3qcFE)Fl`th4Ee1IvH6{Z>=H43$2}0{Xxh+nIoB}7N
z0ORcqIhSbZVgRq-yF=l(6O{Q~sySCLDNw_qqI$?1mM9%1Tm>xp6B2LOKIw0uyh&(!
zyI}jG#Lo5oMfR`1v7RsGYyB~QD}<Kx+3d+ObT+L~Q2I{ADeAn}rh1?CY<asw!cB-M
zu<K*X#tY>5Dt!hm;?E>MJ8$*ILayV9YLH#^q9c{Q`ljbYySnH^?plPXJ_1D~sW2eQ
z<+YWM5!i*{eBW>7p&*VnU5rOoR;-w?H&=@@TWw{9pLY>4*w)%QRyOioGrP^@pmtLc
zhKWV8(Gy;bf@$LQkP7U83N}$9BxjH3n^v)GGc0Nz4?+n-4sSKh4}<uDX1RIRJG;|x
zj%7Bi-f?Jd$_MY%HF+e&C(AOs#zrE10Q`UG>p&%A$MGbcV}$cT>N^(MwQtAA0xrKc
z>VZE1$F)`AQ>mTGOS}W|mY`gOmz{CCMhoKalbtk`Jl`kR1Wsj4hF%f^lv1%kjPBNZ
zwfJTZlBX4|xGFj@xf68iK&*epQbu>lxv?iEr=TUR?)b$Z{rKC<E+NX(DmYZb6qlk`
zhVD5wRd`lt0Hc{tznI-N4J9>}=8Bm0i}WC2k1@*Zis!mq{-th?ydUW23jsVOMz_wQ
z0Wgzz`!nYjx-ud?MG)z?b=MX!P{6Nf$(C-Dk7>axviUAjl#<<<DF=IadOe_rUJ0Sy
zkasaPJ{Zxg8oIUS>}1`?3Mi`&sD&74IOOfdYAT1e_GF0lG6F@2zDqtP2M~WI=8V@5
zm(4K1V--0Mps=lJ0HE>m9e}OAcKqa(8-z=TNl2J~K`tOD^u(4lb7mEl#8#8hvYM?z
zQ^=OGR`v|os=>cr22|EoJ=-UnA7D<)RDkl=d&9xx%PiCgB7@&G%a&C+6GURPyK`hf
zUR|_kTumEUWjv@@h<?seB8hGked=J7Q9k%TE=d1efAigx<X`%pfIXkS@|8HB8Ups7
z>6tYI!W~&3VO;qy#gyi0+Ko0Tb(+yo9Z1?oO3Vw(aCJow01<~Yx-WoN?aNqET%DGt
zH}rF<d28@F&2E6<Mj9+wUcy(89;qZ9z~_c&En2K6`+(dx?STm(SKFwW-{ORJovDDI
z-!glwTaIrEx_Fq&(83=YxTzp|J%gM!>f)Fh(=_9Iydqy60NdPvJLpuj@{hkIic;!L
zxNU|ohpzB-0$wN}T%a`?yOc!}%&dR&wGU-3P#Vi*D()*FP$1<IO6iXoy(w0F+!Q%A
zCqV^n9Sths<Hmj9cV*GrapT?Od&d--92VCp-B#l)S>kZ`{QVjpdGiW03SBtaXBZ|D
z4mKtT6y6o^nu-%}Giex#0a)T<h+Roswu)?`dU_PtA?LA7+6RSz1t(x6tY|I<!P-VF
zGaja3i-`$9!=lEX4r4oM3c&h}AgSLD$gLj({hl0~1b(S*3@AAegYQ0u=lMy<>xdse
zkLUiR@rnEkrVb1|tb7sL1GEhHrb_d*ecpt?p8#>beRBwk<H<tj$0C`yN;;B?2zZBO
zy2lHO^ub+i8)q4SIv~m{pm=A$g(A>9P;d$0$7zpQJgpL<K;>1W?Pm<7JLi6xw0k{8
z@CENzK+7E1Pct6>jyU+Z;F7BV>=v?#qrBe&uy7PV6fXqVYCthDfB&?g!Oe%m4?;}$
zBsi+5#0y#vDkLazJ5O!)q-Z)mXrRZMSL=?P=!~Cz>kfa{8wylE`D^e$dBMjczkCTe
zou31BMu+~Rv}zRt0zVeb6lvnR*oUgwPa&DJILX<WqTltgCl10|_hR@7J~=abaGQGr
z7YbYwBVs$g#u%|mxP!c)0tFG*KQifexVtV^{<70iEW?g#OcOC6Z^TL-XVNW%4XBqZ
z6>$J`N2O%)G9aM(u!X8FpB!r>!T?$H{QEBUwPE7zd-8B#J>KDsh{~+j{`v{N-lEcU
zf}3+z12A0Bh8{D-y&80I$pmTs1%-G`zIF=8oc~G_^w$H_+2dJFqJmgkwLle!*SKt)
zik^gk9CQg2If<l$5A-3-i5@wIHbQS4RlmQ*2B^*TvW{mUycnn#MgS61!o!^B^&&$l
z&~1r`V><IW8m05`U^APU5q~J+`$G$MLkJ}Zr+{?ADtg09dmVv&j|G7duMEo6PZOXB
zys5)nwFYGuO$VF&aAjuG0q|@K2Kv+=U^8LjbX9pYFp+-kVBK<++DK3^i}4Nx6+|nc
z;Te-ml0UxN#!8mB2LZb~OM?+ZTkdqPQiIVobS;ER1P|&1i`+(KahpMSlgN$n)7@~D
z>yXCD=1BF<u8XsQ(*>oWQx?7y_*v;O{AlgXTSXFKOL4XdM2nx3OKDCk$MEB;)$rv~
zIH^Kw%iJY!@Iv}xmGE$nGs?R)YKS}*4Pa2<QJH)Pv|WKxp;Y%A`p&;4Bu^R--3Kl7
ze_Oe&5}Bqxu6o{K<m@pAhZpx?6g<10nQRW*)F#x&CwqbPZ#7g*fi8TZC&9z+VR`*)
zK<Z)TdNWl;x&-Ns6W(XTetxO1gtTF7f9f7s^~z34%_pDtA&0ek^O>k($A)(3asefI
z;Pq|hN?TWo-POK0fFZ~{X>*h$&PM9cF^vEa9zrv&ZiQ$aK7TQl&eLci0I?VF^mZjV
zfmRE8?fsovpJnOvqyq-s2v39VS{+Ki+aiuK^tO$nmLZ@yqQxaGSAhcKh@*s31g)lC
zCH;K5oV%lQ4keE%K&#8+P12e_KJ`EcD$d4I?QuD?P6$)Vaf)A#s7!|fW%g3HZghxL
zJB}dr(lPn!@zqkPQ=b{D$H~aYJN>1PyoS7B7UQ=mL|j-eguOx%{g6E*OD%zPwI1`Q
z<c8pDSunHhfSVGQZrodK`Bs6;2SA%GFaTXmB-4kLBCcyp@yRs8%Q#XO50~OYUzC8X
z5)~lNAMzhQ(mz}I$IHiQ#IC>mPAz5x|Kb_~ce&e-Cw;XTBF(@;4&x!Rm^dvL@$)DG
z9!p;DsslL%P7)sb=O!I7Q%+>BJX)6Ht0_rQFLR*Qs_b~a`g!@`h_0i{)jVjx9j*)P
z90J-{BSC<YivjfQ2Uz%D{rN373j#NU%t_J2JA!8QcKAV6Px$&Qpi&Z_)dJXBs5iXJ
z`1Nx7&nLYH?vNvmV64*#ovFDmPnems{7HXH2Sz1OZ!+3oe+=ja^&mVL2cQ=gK(ykS
zi3Y<{eK+9)e{G>|$9uWkPKINOyq|4QQb<{*yM*rSYA{j=*`LdzllW7=3U9&Df*xJ{
z8FuP%dRWQrb}~78`zD2%q+A&WU%1j=`$h8g9zwCI!0gca{%#cV7>!Lt!P%z-0tDz0
z11xP0Xw;vmNJ2t^LP7yyu^+J+xGJ`on<ozK-#=|UDHM|s*37iqPG4x-pkQ`;@e8s<
z{CnAkDF9Y+$$C~Agy#6}lfGE}CBUbr0PMVYFEvUq^SFFD=f2BG|HO?=%FF*^Xc5>x
zrzxI4Tq~52GPt-J0n%6<|3}zC(?dwF$M3b27AQ>ItPM!s$QIF{f~*rL2Y^d5fZfTB
zYE9EYI<JtReIpD6`w^fFJPYqj0W7jz78~Gbld44ksWAz!LS+Rlv}7uTcJTT*rvF`p
z2Z#dls=GoZdV_}+vau}ee+P8-^bO3GA5uU7(dvbWY+Lz)LWor7XG-ej?PYNOp#NGP
z`RY+7Hd%&J$~!RW&rT_}Pl%M+11(X1_5)-F`NgG4p2T{{ov2e>b^j=M00I{|c`#s1
zBPtZ|H1Rw;X3qIcz9JI@_;_5)K5j#nA2a^FCiaP73e}?iQWrJw^h$R*P)jFxzZgc6
zcevv031=f?fxR>nq+oHieQjtF`eX6nEqqMHB)<N$nv#dqB5|+@KYPxd+=^gtI9pmg
z!B*~F#5PR%u)`@56h;H<JAs~!=!AR)Zh1F?$Q=wUV7|PJ32NJX_3@fTam^pvL#K4U
zT>n;URM>;Q<qu8p(TKi3z_}Lu<iVZ-;=maUW%~rY!gjnori4IfdmD+!0OvBZ23HV-
zS9gc=XB=HgF67^=A|3`3aGFxQ3QY~7305ZiNKZ%uP+ECh5RkWP<9RLob~efN1ocIM
z*(~+(vbcv6Ht6yznhn#Fo;+X;4Y~7w^zyvM{}(_Qn7v<r+G0ZhR5a@Wgf3vK1L)2J
zvZ(Ksi`2r$k|>C|JqQ7^;uLP8kFbUyGv$_-sVUe><<mxfPx#OL6G2&LHiMsl{?#4l
zQtr*`AF_WMcc9*i?uAvCw*=LCIoP1pSgUeb=k={?7ME_r`a9K{VMZ`9z{G4MWITb&
zctuv_1N=-?zm}#4hvT&DhEM5haD@81qu)Tnn{xHwg{}MNUon3ICcEDNzocFa6NiIe
zpckUF&rkY>N(ne!C{jRNq-{9^evh%q0TR9ZDb~p-v|&1%58vN79XPw4gC2*4UF_b2
z>z-<5V2cfy;Q><Qyh`rIPgM6Zl!(nnzhx6FGA0+@zmkH?-@9J_*WnNY*juu}Y8-+M
zrzm1<ED~;@VI~Ite8UyR2dN|<_vPVSUI*+f|J}%Vjga%S;rMbBkQ;}vp5b?5Ljr)X
zGQKOAkSy8Ze|9^xLa77!P>6S2DrzuCTYn|j2nGgdQ;*G!mwUyOwFe&8txN}}Sfs98
zVgs=jTw;Xc(X49GuQ#N;p6j4@ac+`f|Ik4Y^M3y~Nu1fAoD29aCGv>sNk~##+2rXQ
zhwb9k=RJ)y!SUjqXPD2PA3bWA!P*XrXDS8lGwM0&T^sKvM32Tq4fx%U?qb-`_=hvX
zwDNPa@O$l-1wD3Geb+U%uMJvoK$7c7gB&B}!L6;LxO|N|4184Dj<_CM-*CaoFJ;~6
z6=dCbk7uyYhi&iM{Tbcv_JeJG`_h`7)B2oNR_)J=!mWB*;h$kc+Pv4;_Z^qonay~Q
z4+oM~Bhj#5!=tdljO&=hysSga<T{(+;sy6O^wb72o9dK@BaBBeTq=EC%57wf@~LII
z??(duu)oW6c2_9GhLLTT`u?ykEIiIu3V)iiC9EE+yH2az6*wS%xaIk{VKw5I`UVBi
z;|fN2{p?>~QrMsWJUb!eJ8s80+xt8?B+1k$#ME@<EvogVs*!-98BiNM^N!lA<bCAj
z1N<Jsx+V>}DY|=^nx!hy5V?8WqAi>5pKCUqvhNe~^6$>Nn26uYs87{|<KbhBthD}E
z8dq_z_@fJRxq*5lN6cul!s_BSln>vI2-;TdhNr|?%=4F5+YRmY@3Xop5H;4O#Vkw>
z3BZsR@12VBzrd8)hYQSzw#V7f&f3Q9&w6&$U9!^sw2G%>m;m2zrlKhcCWb`;CdOGI
zCNZ_T$Q13eloXAIuoMkN;X#JNOe6flG^0&ey3vO6&}ZA8?d`IdGsS5e7n`aGj<}Ia
zZEb-?R|^*R%W>bcc@QJ!r_>ZD15)?REUvSC{N61MroL<|zQ<ShMG?);2W&UHMxJ7e
zH!TJEN5?-WH%CWd16d%(qCcViBs;Spe9MK5Wu8O1%>xgY?HHBqUG2vNm;IQ#4<hfI
z&o$08{O&fa9t__va|k?exazgLnZBn_ze1sDq86Fc3pzB3+!K&cXQ86cy@NfTKjyY}
zSv?LM4qc|W_%&Vjohm<H>)zDLHu&iEuP68HuMf*UDj8Gb4L9HEUin!kk<}1Tdz(Dm
zU57n65_R8Qe_g9XWVKpwBR{41&7;!u4fZQ0W*F$Nj4j5wXIzh7Yr5|8)g3RrAgptW
z3A%k{tdy1*%f6q5+fq={Gwbg|oOV*xrZ-Q{(Ep+$-A=CSxw_U~j)5;&eWD^fmi+*?
z%s-ZOFPrMT-q>1`iJ^F2JlNF5Sl*t4VQxVjwQ7H;EGv1#$|S=%QNv^*8;`u7)e#!G
zVToDR6xcJtM*CY+Nw$1)Vt9|O@@!*=&;@GG)>vvv)TmV&qs6o+0E10Q!HTAYV2q0&
z^<OmBne*L$H^FTz%Z$=eYlzj-s_@fNuSw8SFA360(q`1BYUH#+Y-Bd#;?u4QNukrA
z@Q541z%R@!%PQFJrz+U0q{6MR(Rg7`Opy6`(y{<yxI1{#*vx{`{ji&Qo9Xd{X*&@>
zGTe`IJW2#S+-Lu4zRSk0y=Qu)h;5EI+4SW1EM6Pj9&E<y<!CxayXj1I|M}1t0l6QA
zpsvYo%RWAR{JKNFFZ~6XI1%+cgKI^~=7?SYgxm=-cw+W|h7KQ_VqpL`3Vw3Fm;*@t
z?w(b`P=R86>oW5$<=0}yBHEgx$ED+TwdZa1_MlJWqNh4OpZ;^99!I%n&;Rw*y^xL6
z@xNp?fQ?8SZ#vBr>UFRfzLoJt82D}3qY9`sNOj+JNHYAU_QYoh)K8&7#izSJ5nQnE
zQ0D&Z7Hr9T6<OE4=y*bGaWEyk-Z5X1evVnR!_8mdDuc`=UeM93Vo#cbLc<e=%tfmo
zKs%#vEhM(9t4?!MXioAch5^Y$_|${^z9M~0wl~<lqJa!j(G(ZkeHg-uVlpKxxqFU7
zExF@jEN&4OA*22+!$AHVUA?05C!U2xhOdUY$?^ss6)HQ&=$*81LUSouX5a?QD$`kD
zquA_Et&+WfsfmmMTEAL-@<!pbNVy8C8datqU87o)TGt11qU}&zqOHpH-R<*r3Vd85
z6YFsYbqf851cnMbTL!kXy{tAPrUGinS~aBZf;1DcS9v6Q@Xjj*`{c})X=oHuvYuy@
zim}Ees^2Wv^k_%6vbgAaqjs~PAh2ddw&=d|jzJbo(v6et_DFMs9(O429Mwe9Ro!%Z
z|0To|a?D5NY1ZS|RIp~{b65GxO48Z;;YOqME+*>mBZ=&5jb@y;kpFs0-MTaQUwZK9
zhxLj->$Bqzv;X3d{@pwk#X+GaVAZD~1nbungY~6|_D&Y&9Js%*JMQGGyIvCHc0Who
zC*YLWopBsJ83CV@p9KxzROH|Oioj7ErV<8zWR_i5j^L}9LUSGgI(3YK*6yI#=jsb?
zPr)faBip;CK+yqKSDq5>P0+_`clw&Ci_egEnAKs=<9jxgK4Yo=ZB{rq-vCRf>jGW9
zrYITD(jo^@W9C=i;+()KM~v}8HbwtzuED{Lw~LMbL7hlKd2z~y;<&t;5<`p<ikgOC
zxr)kYVnLNjq-?mNdD>(zhr;wuQH8NP1H-(kXfXTO&`1$lMP-JH`_<jud42vBdGoz|
zWo2y2?Q-JTUN9unNZVzcZZN<?{NxN3CUo+PX0VyKJNjFSD^1j4;>imdrjbi2XXPH$
zNVmyfMk&>6$O<VQGJ*8^LMLMw^w$m_Wgp0B-KG#D;{NNvk@auzzkGdPbcKccWn;D@
zyygh2cbEV9+Bg^L*hw7&o88ftTAj-!U){}wtKHrR8|@z77c+H-;gheRB4eV=lYu{1
z!_HE@=+~x&{Oa!{X0g<1f<ZgDYA-4T@E~Kmr5A8m7fKMQ>?kb=6nes@c7lwld8eva
z5DW@7wL69`UyxLMPh|9<pQ1$t6|s7j|N3)<g$HJT>%%&nbRNo@BY_9@UJ*55=r1lz
zn>H&jx!BnU?h%m=W%9bCW0&g>35}+o84B~WsfbKXmg@-BD@tS8SslL)F0b0%^f1)f
zY+7(z9}}`w*aycmWl(E73FCfNEdALV{MB2}pC)}!6&2(#yecfYw<0RAEGQu{+(zSZ
z6-1iGo7W6zq&!nA#YV*ZR~C5|PnIqHJd=Xfi~bUiN6H!n^tIvX%$6BE`ZO|y@V*FK
z>rT5RG}}>)b2ttGs(RZujiBKUjmx~lHMRWtY1#FT<ch*ES-LgHFAnXnCY01GIa&8E
ztDim{;fB{c1urTZ-r|Ax4u8^{9PyrG;ezds+Zf%pR^V<*cM-nfh8bJ(f4Fvkw!-UP
z(H4vehnH0XcR&Im`S_Wk+*O3En~-mKOyX8$3{gj&G^^)65bCLSsw&c`lPU_rnt?&C
z=tD!k1v@c1_{Gh_jkn=LD?t)27wdoi0{{L@e6S5ZBt_C?g);5x*xX^cjn?BOB1X;;
z`Fftu3Ou^*h};(+(sX`rq<Bm1%kW=UYCB6K3R!UM@LWglxK+Zh-(}2coGWwz@lkS^
z&K3g*F75{c>R+2;XIw9br|CGhd*&Ut`YL%UcDGDsW@_VTCF+gUOd!Aul^zt9A#i2}
zOGgkp>M6k8sRtpgAc%Flp9tcA0bUnzxw`-qvKBK~AwmGHcg4sZ1A{tytalEd-ExK$
z9yos|qZMv`onKILRI1)|V2VoT_FAp<$HK=&u~WM0(Wvvv3RUoZX_KF_GJbApb@;1+
zZ<)ayhk2aDoDP2ZRbxZJu(&)uUzhRmURVc3+>2vep`=zZxi{7*6kmNjaz0|e6)X#)
zs7-mrf<mDzFC-y{iM&4hqpLMQ?ag&8xvsoWmFEf9+b{oqVRR^dvm-`~$Lty}tQh30
z%2)kmH2ofl7-p<i8BRs(lB=R^E$&39pW=bN7V3<;eO`+?ra%Tmp@Gea@!g^i$M75u
zjaM&ZDX3V=A1)!!EL6tz1UK&3E3aGl=QYfK1pa>uykF=fkbJjV{jbOT9~OX5IHUTv
z$%0_goj?o*)O;S3mW!}IOKGV$a<B&MPgb^{`xO>%hhU8f^(=1dF_=ovA{TEk%O>c(
z%~e1UPup>27X`d8-V|L#0zJwWX^2YW73K<j4AZKzs1quqK?w-s=X+T{bC`y*G%mMy
z<{gc<_L!CM)wli2H-{CN8VXSelp}xQa;JD4D+z|A`$y#batb1q(3&{8lRVQWTf|te
z#U~jSMkgP9-~CUv%1QkvTe&bs9ljn$3^(d%PQ`5={CFKpBa3qF0aV@vLCn3%>CX`U
zeXKYg6(7C265EN`Ewh8h%}j(lOv%lR*Yk-fW?3TL<EVRRn|~#K<?r>OS5uS0joHmB
za%IwNI`=AGbWLSk^!P%}v?wPWQIzbO+fWm%TuJ&TzZhEKu}PD^!^Iyn56>+-B~Y>_
z#cdW;tQ8c4lNDJ&q|9bBiLpNc$q!>>C-%OgPE9ONTMSf0docQSicX)S$aE)5DYQ{>
zxF))X$YCV^hLn6>QHwg$0SO?UN|+az?q{4^+$&C(h0`Wp8q@4&R|?bASG;u?naQ@K
zG9%2g8&2?($v53e?`Nntz72D)s8tG4niQbRM^zkcOuUgz%0T5f94<M!tvIT;bp#d7
zm;ByfQWrSIW6Zt|j+>&GFzV)&#1s8A`8JJ59*_Q{_s;DTb(F8iZ)$@dR0i37$uNC~
zpavGBVp9#ZO7#CPs|i2PEG?DiL;R|tA<3rjC6na5wK&=JW_zl(H~-o9^CCy%tASa0
zEFq7#ZW@zXGc_5h`Ijl#oo&^*)?4Uo#I?d`D~sp;R$trFh<<#_x%pwHj;@t;^Fqbv
z4Qj2_`7M)z<|0-8Zu3WvtZ$e$DLWU*88_}m9k2*Kqg;nUlVev2@%>^P#Yxu?Q&*%s
z=Ov1LuxILpwsY!*Rt>24+Vw{RZkOha>jC<Hw9N(jdEnv;{KJvu<y%&}a|>>}Yf^jk
z<eY@$d&Svu{~MX4tn$f&-0;7t^)89%q<q2*7Cb_3JGpgr+!2JUi)s|JHpi8T>SgZq
zWtx(jn#l>XO<WlNez}&G<M9w9@;>l5?EMk^2{*o)(6HOx#{jgJuP#HY#|r+eIWn&u
z9!pN<Z3fT_oQ+nc{2cqfL{XVkCu*^|kRJQlG0$!XJw|3Odqbf*Z+(ry6zm+GAUpSV
z*HUi#%H9<05UL)gofQjJX>ax=CdnQd?p?WzicLcu<8}HWA?ia6ruOh92GgyDTwMZ3
z6P17zHasxuxV1GeyS?Y?DGEP)RO}9Pg``DGfIqJ(a34?P*zFt`*{Rc~dfrmoT{or<
zAKgN7$}v2okQf)!ss!PA_K#TH-%p5>>mB_44teDk9|*W@f7ChbA9tdBV*huY{Osua
zpJ$&WOw11dyzuwmYCWH|yS$g(T0lz8N9bCP-po5ZvL@tqk7Qh^$w__ru8F_iPe#7&
z;6+7|D`fnDOT2@ULy0_deaxLUxkk1FY9)WXrAdp9{H}r0!}rYso{eNhjLpv=|H`-M
zni+Z@U#R3d$w@9RG2^0tOHYpqR-E$W@8Y7pNX<OJ;n)UjleX4oDed+Sa_sg7!hPNJ
zy5NyXn7uiN5Ag%@k0Fdrr#Re?OP>krF3|URtpgJ-G4fVK9|Ozn9&Sj^XPCBEx0e&g
zAWlgMvonpy-XYTee#p;wi9dRU2qb7|m^?0%*EyXs&O0AM>n@j#>~@pGx6amg$C_+0
zEatRC*`yilbhav7P}UOM_{Prb?Uv3EO}8OZvvoJQE}K}Uyx)H$gfC3^Mnqf5pO)4u
zqM(rZw#*86ufUfR`Hxq*aWOP=TD|DqzM-v2$i1vB3<9Y$0)L-rtuP{b%>Is$r0JME
z+3n~vx63VD0Gv%uQw`3}_}bnaj?Cq}iNo!Bs8Dw_AiLE%n;N)|v9**{KW4qgihGGR
z6!ufl?rN^Y<z#gww0f&G)K%bM^cZN*2GhuC*{YqOuihm}u~Igc8!I1*mAuWEh(jAy
zX|WOe>N=p(W>7mLO(Wvc2$ub*jixYNsC6PDVL_LnYZ;*q2~Ij9+*i7DcgML7^6M3{
z^wrY%Hv8+KJ50f{0%UMaf`k(`(5=W#9OCgvKzR}$RpA*9xNCZ*CMmy!!~ADOa~6^a
z>2|F0`^<`=v^-6rh8~F4anSRy5INWlT2-j8__ZsSv-5<rQ<uBhw~dQ4=tx+OLR1A;
zes#yDLRA+ynxuZqX*E(jwOS3%ROwE<M+|Rn!|44rt5P^s(#(V*m;zm{Su-HEc=hbr
zk?IcwF&Ps}leDHEZFb9@7MgcgU+^H{Ok0)1p@SEq#%7w73~KWHr}zvR(&K2X-&YD<
zJ_&i?3weA5>MFJ!PG+I;WLFb2BgptZAAeTM?wH5P^U6Gm0Jj@Kd<Y5<j7>Caezb0H
zk$i|7L=el5$c6Z>$x+E}nUIlF?jkzEn`{LJ<a8I0bD!Dlv<!~nfSzVZ$2_3X?)ucB
z-?ypxIeY`n_wSP3k7!65uSxg8Y*HOfl!`k%LayN{%D(8=2~5{Lbl0v2H+<YosAO@L
zxd>vmk_8-=5vAQet9;MVm}aiTU1oe!Lb<zBL+bHX14BAKT5g2|hwo63ZzGT`w`;9S
zt@(%ZN!(i8)sEwvUAR<QQdqk2{kkWwAxLmpgIM-)HozxYn6+FCr5FwUKpBwOvQ>=(
z=N42_AOes^Pk50+K09x2jV1P$5uAt(#*~F=FF-?pEVVQB+0qkYM5b&$wHRkDyb-FY
z5Jtr`kQ6VL2;_`DeYt1d<oyg5W1hwl1KQ2fjtk+zAS2jZ`aBX+UR|2ly4mD#dKO)-
z`2vM{ttnci{eEV~Cgbq6nIljZUyfDt%b+i2HsNgM8Z45}EMzpJeQiE`%LZzau%Nd5
zI@_%==5oi*28xmO>{8Lv%o))IDjPOh;s#nFJU)TiOe(h>N_vl6gf2CpCy|!E4I3R$
z;MhK!g=ElyJjL-B9+McG9#QM=S~gkf*LM7yGl@WtL6-MdsOPRXMd8MSzs<%zG=oMw
zeYnxzjQoh++^#rMzyptQ$Sk<TSvH+w&AVMf>&_R#w@2oyO_r|SnYPfCbSixywttb5
z{Oi?j&s9eP%mQKbq|@tCkM6hiF-zq$3TYculAZL*zDDZ}v&7V2!L|;O-UzP=NE8k`
z2Qyh>QQbhRWmaN_68}7gN21m+tJ+Qc=4&5>E+;R9*If`GbiSpeAYvl(pc_Wsa$XbY
zbr}A#Cc*uu+KyNM^DK(IsK{ar!YqbgJU_g6CkJc1i5SpoED8d#N%t!@872b*!|oFs
zb@@_1cJmo2v{31>ax)MKw@cK3Rug|)^`bJYJ<8Xo<y0m2w#zzyu`;#F@pAYg`GsQh
z;rkeL&GafLN8bG!nkmFOc_vINXCiHP%uUGSa+MZ0BnP~93D#fEFnL5Y-2u`UF<Txr
z#5)Iak%DKFbi+88L6my`qVcxFbM$`jF?8Xf-ZR6|^BQ#a0DFjDz-h)1c?c}_JmVs1
zJ_nzt)Ce)$`seQdCEEwP1o<(3Q-U=_$+~qNy3e`Y3cB2`rVb-PZgJhOPMNk=2R)@R
zz&A9>4NfsL+}w@FKSQKHkY28_G~_y3=APon+Mfb&&~{IR9SGMt$MCpnWbrQ?Ju9qE
zaA}xbLG<q1WH(noPiy)LS!?Z4NL4?#JiaQoZ$ITWBBn(~E#HyS`RCO?@K7oJ`v#U$
zbLc(8o`v(O*}9^gO#M{VDQwn1_c+8toSSt<dAf6~`*v!z!&-6I8Pf@!zIoKj*r$|`
z#cil+izvb+`M0Qa-QaS6ubilP;(lCWbUd>R<&H`<#-3ObWx}4D@%*s^pC4{c1yq#a
za0q>z<!pK)nZPyWvv989L$n2lJNuc4ttOMHzJ{&linYMfl<r1yrL-5EXD^!7pDo3@
zCOKtQw4(ov>5M!i5?X#>R-|m9d0!VAiNybQRSp8uj)clsr}o#-E$(0cS=n4;G5>tS
zOEa>8&^C~|fK;}b7$#WJ>{B}|>5<gXd*OiowlKL|JMlV_o4y{wra~Mdvff=D+UQww
z|2Hw5*>Aa2_OcWTf=`!md}^;!2nxdwHj4-Kq91$?4&0)TOTPLXwURrL$b!*1!R~u;
z%voOgbwhw4=g2By2Jhxwg}kb5OJ5qKs<_!4bawS?j^iDV<%Qe3W@seF{GbV3558Ie
zkHCvR);awa!3r9Qa4($lt@3&B?=1T!;;u+q!(i=kt|w6(e~4~VkMsD<C@~q|OoKDb
zKvLk~r-5)M!NZ(Ug)UfjFA0^|zTm;np_eq42eq-EP~n_y)wqf!%-8(RxZ%4w9h0>=
z=LIo-`Y$+p4yi2ZN<5IcbPT-_#DXd+sz)E%M7KwP%k#iBb?E-jm9+@?+ImUsYz@A$
zzAizltTHlDG(I*oM6ewJl0M{d@(D|=FAVy4A|63!)tI3bY`@h<wS(!h<8Y9%uj!gs
zcl&Jo@Ll>yi|rVgQ;H{S{!iE{NACR;n<>P_cP0#7VRy*Dl#62Rh|2U`jadH+{M_rM
zYccgqVoqw0!GJ{tR=a!AvjzM|VF(aG;o$qt$2jl<{812cvjW*}*?bh>0AEujyB;Bv
z)Yt{jpp#~;Ec_gEU3*E==p^l4FN6nXoNr(<_lUD>ye*}5yIVVa{OxhE-aOI;dkpnB
z4u2E}J?tI&YFFn$MdNUJy4t$+|H%9eEuYy+7fVSZq+Z!s`((cP?WzRT^TlOrD>$<1
z45a~|f_$I`o6Dg=<~)wN_FIm#-hNUI5`J7~jW*h4_6>aX!vrTjhGm}=NuB!)GUQTv
zH)4OEVCP(<{-~8g)ef3|A8284Lol3#xfTdJneEg4{`{BAaLYzw`|#>iKQh$xYNeO0
znveKrhqT_!f%)YCJf2zE!P7*0&i^)kzg+8LdV9^M<MW3QoN~dP(3_glfhvZf-M-LY
zwS-$Grv|&PXX7tUxQyEDBr+F<96pE7k(TljpPhCNjZup6$;7X|EG^Z;MgN6Jq!0?_
zG@AX*9=2fE(P6^m|9J)Gwsc)0ziR7Rc-33u!%_u(TNQe{yPuJ&P^DcLN^<Mu`e!r=
zA|K+++io+!YjEGc<g^;gy%=vXaVOCh((E%GYnEzPtx>gM9PJT;V$)ik(-CnCp}3g;
z&TJ&(<NT(x)EupIrRwMbd`rLTW{u<i)y*y}j~`^~xt0kZuHvr>wMXPSUZXLMX2EYw
zQoZ1E*6EFvku_JkeVh1_vh9bbnk^gdFguH7sg<>PEeWzM+2mCnY&5K+C(w!+)OU5n
z6%7VOm2Ucx5eL8H8c9r%l=Pn=tr+aVO{FHT<?F_<B@QQ1mJ(=|(lpgHPvkJ1xN^2h
z%|JWlnj^h@H^`MEK9Ksi3?41}g3U6YWaL7Qqqnk>;cs{FZo$tO9PuGIvE(*eXHSAZ
zP&boG$~{BQlFO{Sd6i$Bmo-!8LK~Z~y%f1>cf6rtcRL@x_23VYZ#MF?`fBwE+~#sY
z|5QgxW(CH*Rr^2)Ep1s^TBZ%8XmPXJMGbsw5|6W7%vr9tD#)Q7&}tSG#4jF7f#&2@
zSb3ScTzs`31n2MaeL-{e&n<Zjp|z<Xtra5?#5aK-OO829;fWT@Z4Q4KYi3f|95UF!
z9-*1BC*~3*@i%zBrdjtG?3snpbZ1p}dFq)>lzJC5u<#gvp<P2hlbjv~^g>2Qzg*ZR
zBW;0K=E`yTMq|fb<s>gg!^%_a(BlU6<_ceXX9W&>l*awy@qqDIj6wzqb^C$P^|C8d
zC;8ba&eYN3&HK;1x^|37FYneky;I#1@EIqBr2;mExZ1fQW2W}c#cO4aj6GY$n{4$g
z+T0!P&d)jSR`K&tV2>ZFiZ<dWuH4M&a`-ja!z`MUwZly6W#f#o;FF1zMU>mE5-sjx
zL#q|#uNnR5MX^sv^w$3-QDfU$UPFIv#0A9|6u|Lp@4kV}h;ZzM;;U?<_DW_oY~P1l
zm@k;@)m*O_gl5<sS@VK(ZgSu(n?Kl!O>#IK2su0v=<pc>S4%iUf<jm<KqH;U=BL~2
z=QN<G)xz(0^cf3Uv7^Rsl6${LA3CiJAi45f{@hfL9uc`wnUHKWuOHA*zZ3Ci!{=4?
zKmqQNs(wiG$kJ_4@{82uQVa9G2-bRmKK6zCz7jgo6cTzO^C&3H{^VK@zOd*w+jW|A
z&$6eqKi#z2-acRbbyHfIcwCR!Z&Z19v)^7v;pW@xhkkhV%F3Wx;UvCBeK^r%JpHW*
zVsQ8%ha^XDbLSyUQh+C0A=IefWPb2ux`JoWP3&)ARvA@6Dz%DVqhZ4*+x5_#A9I!+
ztzWK5rgqGXIy-jbNK`lu5ENjO%CVy?74oZP;As{;Zc*U`J_jk{q^j%3fn9^x7g>YV
zVYg;Fq2$BtqU;~dA)V*{To0XI2muiSr9vIRbULdlu!oLAPI&wkZKY$L9=s6)tV9tE
z+Jwz#&m+AuaTSbIE*_TkpjXr4UoW6D>8-L*wBo&97EAjR^wRYfV`Ld8XZ%tS*hl*p
zFM4Xbf4tv2uiqJ0y#=Ne#clB1%EJg3;fbnZcZvM^+q_~&FTzW-uX&Fz*$yGX3`jBx
zy)ET8CgDF<7WHbCig9Kofq<yFWwysi&Ja{Nq?xweKmls0FFfJNS;;?havhIe?(;bK
zg(Wpg<-iuc%4U801*@++_p)rb|3Q1xl>-LfjzjX&{b`&K^z{sEm}L};q9s>_rt7*;
zWH^OEqF0DMt>Aa|vIl%FK2C$u{lO`(Z`)^F$)PuTH)bnIs=Z28(i`HekRQsuBD1QQ
z77lMH8t`H4rI2h4gf^{5UvuCI;<%EG_A{T~+Ns@7PmwnTW1^BizU13xIqjG(m)T~v
zeY>l`h4DgnI&(8LdG-r7!e(a=j?rl9H?ZplY-h7nGGMVHGkyw6ciXS3KNZWx;q7_5
z7jokaKi)4#zO@d>60KqjBbun1`T&MBK6Evi1ErGpb^2L1yG+QZqmaB+%dkWvV#fzz
z3lij&4!0v{yUGj|9L;k){}W}E!-5+N`{Z?1aOFVKN^P_%oS4!tjjvSmE7C0y1#~GS
zQF`Uu(VtG1sO9tV9=_9<b-!?u0>jhAo*xq?7r{cIW}9@aWptuM1_efM$jeeEFaNTO
zTKSN2jA2FVgttPp_m1x^geZ3jx=%MldQUQ#fnSAM=-k^Kknv%_q_{>bx#zO5_V4Oj
zoolSkb}Y6MrmBrPpDDVs{oePxHQi_NyA4f9>|8ANV#e?dFCM>~R4xqLek8~MFSM$?
z#yZ@NPNNkXY*H{w9W~V4evGi@K)vu><c(sV+p7K@+UNVrjR^vX?161RhG8%)yp}O;
zKx*#W)&B7Q-EE4{!7TKa$LbvIc%6z|1xrMR6`a^_UwjzJX^jZ9(VWLq_+NrLD1Zt(
zFAtb|m>py*Y3!KrUvsNB7yWo8lccbCUvs(uw|kf&nQ=7^$S0DtK86a*-A$=WpQlhm
zqB1ke6E8rd=};raq2Ik6V>tMehmEk5s+yaL`kiwHQ6|ld2Zc=~mQ3fxXKV*MIerV^
z{KaWm`yXQtm-3q7s*{wlzFijQHfn_`%>oG*#EP)$9Rf~~eWWnC%@+O{*E3eM<Yob*
z;ss?`ZPX%FBn2u<8QJMXI5-P*e-^jUD*ExGmsFt?-m<S3_cZ%Jeulwr=I7n_(^L}$
zw>Pp)wmO>TzEji_)A(;vaI6E@Gr-Oq&=w}V#!?C1G(!)60(|R0A&Z*%<uXx@;DSMR
zS50qs6q4ZY8isDksBfirq)Ctu<Ni?d8P1@)61ygsErw7|8ikn6n#0L4EDL$9+2Moh
z<#6<ACYBFiUh9)~rD+iQuQv7qcc1NYCdeBYQ`3~ux}YV-NuP!6yS5~vg<8vPlp6vO
zRohOUFiT3NzY425t$Tw>ZO;!l5AIHHjH8xbP@ie+jIR0~Z$f9BPeZMW6&@X;_6BHj
z0{_l?3c5};bdfZ(e%kOxI!I)~iwrg8za`x6`%Pq#$fAv)(SJoX+kN{=)nVN@TGz}W
zMM3U5x)$Y}dMe}S)(j3N|6ra{!=7jz6HJ=gZ?F6Y3Z!KbV!_s0GkDlEKK67Z8@^K#
z0(~NOXTVXYZt>{j#pPfX6PiIi7n9qye$(&WIXB6XJvMP;_{sLn(zek|vMu=P`^Ils
zl@hCt{TjZ`GF;h4Fq?{6RqwuAF(Rk4xN(jc0sL&SpzY}mJ*`--y6R+`Tp#%@qWnPb
zT4syaDK(Qd>kC)6#DSpu?0X9bGBF|71~J>DA5WVX_g)}Bd-iv=8>;z?=53Io`C+EO
zCaLMxPR7cCpkg%?qiBBOOR!2&&b}`@x7`VEa-CiB#hW+s(rLaubd&JKJJs@7cB|<P
z_kE>=w<w6`>V+hld=-a(u?TscV`Tt3RSI*h-D!%;{n$DWhVj(_&(7suCC|=w#C^`d
zXiA#GnEMsyKIVlTF+n;BQU?t4nyCBlA7k4P7bMw{l#CqVX4IXZ8##VfL%-=b#*yX*
zwI_Wst`iFA92YZ)Fu;FYL2lV7pwx#G&~}dYT`;!xu^=!b#G#A!1us`=Bd5QX5pkXN
zjjF2|u)iR|)FSBCK3!8PlC6_pZnMSix4UBexaaYJqgRk>8&%}ae#?pf;T`qCLcBrp
z9-TL8;DQg1XX!#ifC_VCQ~cC!1*5ivvvw+@1r$@;O2+n^&rv*eKbowip4)2tF0V(v
zb>Ee5Q<t`_J35HKvhY*q;JPg{h?peBBhbmsdWB2{`4$iio9f(1?yTZCor)Cn@2np9
zFlV$58z12D>pYnbs_*Q{Gpe^w5_<>7KNKpoKIzkaVV0O<l@J<Lxc^*tPQ+!ED}8m~
zl9I>j0Ngs^3?KZQQv+Kr+ae0ZpZWm*euK2uA00y(`czHWO0Nv-!u|KFxok7;Suf{#
zk5P4@uQF$Fbt=WVJ$%->Z1Joc?k|ix4=@J9qal{CL2BD%jt?ePsAVf3k@xj4xGxan
zJu(M<{}g2@=v@ESZFa10WbF5&zl|D(s%lO*?Vt9mZ}u7qNNMt}O2*4f`n{<??el-R
za!>VlHI<8lwU|$r=-O<jw=aex<&_Ojs#y^6?e9QGp3}C^6S=k!KX%I|II|^+uB9HY
zhv?0D)tWoU1jkJCsmt$vg;XmoPqZ}$IxTSGzC9FT2vo`O-Mm$Z5#DYm85z+Db(eDP
zDiB;3q};~GkM<yLaR%2{#+vq#c(8>pO0z_{d5wuxY;W^`J-ITl;mv1LsxT;U+aKQw
z0)3O{XBb-;=GWw_&-K)a2uo=aGh&>VlTG?ockczPuM!y->tGM=@^?Md>;uS=i|E5P
zlXPYM&eO__sG6G{u$yAhBa83?$HlDOOV7-d3#Z3&K)T)I!Iu`8u()-t_`$Yx|MLd=
z)dgTv2M+lD0tebpAng~~N?7Y9IE3XfR`u+mz7OQ)TBojPyg=j+0hfl#8vZnB1KWEu
znoHJWj#`97?+rZ;p?k>Z$@KiM?%w;Ysiq4XMHI0CB1#b?C@6{)5he7{q(~DGkS>Hy
zLPVq|0Yyb>R62nmg7g-8M`}QN@1O)iuYnNyw|&3!yyg4{=gdz#*R^Ldd(E1ewbp&F
z8F=E*li+vbcbGRX#zZlSg<HY&wJE0~j|zn@zFNq3d)+O3%gl673SO1nQX;}7CRyvk
zg+y`1c3$yx*$5E`=N{)KSj?9U5>pbgkITmn-W~mca)Q@z64@23n55Mr$XOSNs9_7*
zra5TzrY?o^^jt}29H$*N2O4P4T~1UxbS?M{ZG$on+lO0)3l)&)%O1Z7xBeEbAI=gj
z(qQ5H&4CkB6aaH>nk*D;wZ*wMlmd5KaZmSH?daSL4I4Gw*;x>`URvWtCb~ezB%?B7
zMu`g#Q8BZf`a@<LzZZz;_o88kFZbH9oY$0g5lkS$Ypn&w825=#SFWn95?y@h>syCG
z;kuGr9R--0+L2hfkkuB|9&d}tBf+lPy5Te-572pMVmqcpn4Rz}ix?}1*lN<vo~>Pi
zyWlQC$Q^Xfuv5GJK{YFEq+e`)rCrc~Bj#<J0~^>^>+~5`_e<7@5kQeG!26QdQwVNj
z_>l^6ul-E+CRE?N(nIYWFYeoN2V8!(X4{exi9_3F-UP8P<9lWo-|UkxC>X2whju3}
z-zpY+7v}<*%87XgVhBIkwb)I&1dJ@&2#ayRgs0pvRbginL*S?%JqX#<LjTdUja)I;
z(gT>?av|v^4UIqHE1{6)R?^SAC7!y_VPNf@()nP1dY}^V*@rRddksPO+4^q|r=_*@
zYn)k`ustV}7q!vRk@?BZ_4M8Mho1Khy=THfLW_$__3S-GR;Q|x_RpSO{M{pZUB)$B
z8&~&qK5sI}Lf4&Kk6BR3Ldt{JPCn&L`eO1v$!%e|3xB(k0sL(ZgVtn{JHA%~ga@<J
zW##q`hqwFdPS|!_$ub`>&z{l5y@-=}ckvt=f3t^w9LLhPkqW-5V|j59XU=o)9iG8F
zlRvHZeEHQ(9o!3oPh&{nm*2{kL4?u`MV>L?Rk1PS@ec}J&DO6JMal@vM0b<eI>QcS
z%_xz3{0BD`ApF7#f(aK{2jzx1Tbf|D`EG7J&As<q*(^<y28b;f=(Z>qg9t@Yz0RRm
zYQ>c*C8l}{!i(dg3dhpsc;CF;%mZE<W6ch+XG}d<srdYSMAY*j&TD2CuQb{nX*1tA
zMen03BWHT>_Oh4?Yz?^KkH5K|@6&mNO*r$cRN;q`k}aXtNECx_?&|ma$K67fUTABO
z*e-*(-9pt+<NT{Fi3_&+JtB;iQDV;6Ii>5k7ry^@1)edrAD>Uum%(VJH$X96NsH4X
z<VYztnGA}@E7*-b`un?M;wOhsm0G$x%O1aZBoc}b(E9qO>d`3N3l_)l)_hZ32d5R=
zshv|ZZhYx<<m#7PD=c%n1vmy@<HH$}eSNy@<aReWlb`JMnVs;mhU0;AS0E4#%#Icn
zbg^Sxm7w!FEGE5+bhvDJD7)Mj-X278lnsY4r%kU-qmvM8QruNJqDoi(>NL@NKXZhy
z`zG9|;2xbl&U@?bmsQ1@KXUau+2TkGH9eAEpBHm={?}BBhefqtqaZ4e+qvthwC#cJ
zyc`hJ@RlK&4Q<|f>=!L-g2;nn7K`WCog9iL1w#=JxI;cPly%)=w_MWwg%bB2x>utB
zxhF{a8`pqvSJ8d~7VMEBg%4em13i<fS~Zo_UfEY)JwURmHL6|DR8K^m7Djapb^w0T
z&RHL5?}hjp2T7q9Cfe7Wcj&tbRaC2|)Zm=xQV)a6qy1p{0}NM+lB!PMA7Z-W#(<=h
z&pz!9Y2P3qbf`?Yq}y&UoY~Np3{79?m|K3cTcfj3(=BI2hrvKjzRDd$q5B$*Mq2Ox
zwPpQ#iB;cdFxOEE)|Nb{XtryurV`HTv&=dcXVf+KZ+%;@$`m)&oSlBUn>O2_xF6#|
zzUsfJ+*OuSciwv}lvSVqSoklp3;lx^@V^>-TcEUg`mjd_&83@P)7OmYUwZt4Ve+WB
z!j?Zb7m+@Pz3yPq>=R#;nn1c>TxG>FI5?~ig{F9hZpOS59*cax`onJLSI$s4<5=&c
z(qxTqhW)O^(o_lmSKQ=GnLS%ciRUv7Q%;6NscZ|xPP^Y8BE|p9Askcvj<&Vw0=q2m
zL9*K?hYexpY0OkY5qkca7q=b>RG-}Us@zxrjG==vy(x*rdb-P!^L8%o^qQhql6*v4
z`|XNHq&7VP<Bx{@A_ibyJ-eGZY|%CY;Oue+hYrh}sochg>{1$4XB%e-=&^wbCFkXF
z2Lr8(QAXhYLam+Rmpdx)RY(Sd9P{)GJhh^COb1jaLY^4#oCloi@sQ>#3^)lb(8-L(
z{(;{KB*mxMAR0iw@w6&T7kB`{lh0wWrvbb3ZLKSUdpDhY@)Vat+iG)?oA3u9P~5px
zv;N{BtB7~bQOx9yB0tbc8txF<Pd>oz9}-_l$)XMPSv3GWB$jGQ7V1PdYke(U>j$@q
z{_xXlgPqUuHL2+KGI0N|T&?0aM;-$C6B4!;c#Lmd<WU7=mVZ2mq@DdkNB24C+TVu%
zU6=@=BK{fax5lJ1)zRdX^rZL(CLDb;#yp@BAPw%_3;{VWk9`N+As|TocxTnx^ddaR
zF?C<v_h_&&2njc&o;i1cr(fgW?frd_;S#H&0fHKE>5NQgra||`VT(m3ToQmTEj<nf
zEnz{0RI96Ukpsm&OJjyvIf(S!W^E^!OM04OJ!I-C%T@Wb{QqgsOTrFzitqUMo{Q7M
zTFN`*YLp=QeSQtV1KcVx!eW6*gKEYYl;l1i>`{5#X+AK}r=X>nkEqW4>%&?8RoZ`-
zjaMD5fJj#jRQVtOno$MpDPJIqAn^I7lHZ05a!Uyi0d{D}I~b&Bvk5ha1`43Bno6g2
zMu3umfkXkG?SIP8Mp5Dgo~_2|tu{<c-sI9^c-m9|z$Me}!~HHXx}mTMbt@7?m*>}f
zoj&}WUz6noOCO8Y7AWyJSMy}uOW*kEk1Gs`G8zy7*!m`NLOkgcIsP-fI8WsJn=9BO
zaxz!9Kuq!j;+hl5HxdD4HT^$-4Lkudd45W{mXb9fVCh>Dc)fCeh6x9fdr}qHrMv#6
ze_#r76-iDB92(+BkyFC5u8(C_R_LRYQXeSjpaGh&LxO~(z*WbW3ukH$M(4MSEKfL5
zTYLF~{XE2*g&A9m`Nu(1N1Gx5Z^3zB2;b=3*r<{6Rpp)_TFf|2=wArG@pJLRC=2ez
zAI3#Kj>;mP&r~vus505$jfa?Smdi0;EO^)A9I#3e_IE6MUyW++xJK5_#UbizrJY;4
zLgHjVX9WCgXSrzKRZF2cSL?0|vv}`rYc<5)k1h|$h@FQB&plZ#A%H#{L0=AtUKd+g
zZ%f^{+Y+fcaOl<XnXp@E#oUQcA$bblz&PcFLbehde<dYplUyf#&2|WPPmtcvJDTct
zSE^B$hMDyti2hHm5^DhCD;8;|c}kh}-qY1es_t|J<^nKwwNxyq>TEY~{~DlSclPSt
zrooW+Ia!WBetq=Fa%8PE8RK7RWAYZO(^hjw@i4IP?9eSuOzQCGPo!x8Cb1iMt#{P*
zs~dQ||AQ&hLem_!*#7t3!I&`zQ*&bZL7{Aq(QpQo6f&n7$<cUbVxc>*`dMr!)_{A9
zDs#$J;naJvv5UV|CG1r?@1oih5D}6f?!mAiRiu(lgGh9VUze!-96H*!am#8&7d%Qu
z_7TU)g7s;EEfE@X^KVA|K>7)iU|lj%6v`DYR4yuI5Z6TXdBAFvdGQ`)|2$TN_#oyn
z+A<BCBII8_Up&%H_~MGq2K47n1cxro7ajD~u>b`6&F(0mqs<szdtf5eUUAlU8;bzt
z7HhLYOe&vmraX%+2Ubb!-uUvxVtk%5=lh&|q3~?jGre!QA3U5cyWZPgNl9C)85nsi
zcgtP<OJy0@v#-TxQR(L8I<1szi;ZdfcFZZ?1>Qd@VDGYt6Scv8)47V-u=C(f;^z^*
z>;Fo{_tfFJ`Hl>Z9|&mqGn~Xf0=Oa^J$T|^$CyP_jPvbp92N&p(SB+f%7)6_qq|(c
z5dQXMpDX2UP&{yp8SxdYKCCyhJ@v+Lz)|mbVxkg|PILF={Hh?o@S67x3fa|Wf+PSK
zo^5{#%1>_#0FysP5WT(3524&hUQ<d3J{(O}g6uIPH)N8j%zhhYwG^irh?g*egvb@?
z`MA$IHZr2U+`R4;JWy4uKz%-}>70GB*uyvCIFTkZ=iZ`dv)4p;;FV;An-zU7n_TOQ
zHY4jjYe^Q{!e?w6TYg{eS@HKR%}PzVOsDp+vGr0G_#W(?ne?@ae$A`JEJIo!xts$Y
zym!>cXjeAJHf~432w&<DA8Lbt?OwT~y-;K;T~z^Vy3O~PjXQ_Zz+90aqWblLjt6H^
z-L9hgSm#jKP<Y`V<`S6BhpVQIFFttVrLWJj^A9kWoL8}0?xc=;tBYKDFUt9)P5~tQ
zG2HVj<Dke`7m=SMo&9VGD-6`XTAcTatKDvDDxS%zE<dOI$*~0VN0Zn+qjxJPgRlH{
z!fkt9%$DtSsgit64;rTINOy13t4nw@y7-5xRhe1d63anzNJid;bh=*3fuqf9QL%`a
z_MuqTj$@i1yf4~zo7LE`0lhx_9#@F#afm7tw&e?}t}v#SN2^*Ck?^<*t}tQ;`7))<
zsGb;^8WP5_AO9dpNhLxo8{RX;H9WDlp!O>+CejO!H1<(U>J<MN_D4#(_MPrX8q(&%
zfK1rX-ifd@)C7G-oa|kX40C@kT86pbEBbh>>+n;{?{Pw}opu^iN*wr)>jNAC-|ggh
zNlJE{gHmlz*ib%U&q}N~37ac-p*n{<&-w3^6_k0q8;d&$o;<OyNVqB{ZCHu=biI3o
zwA4ds9+&l7H?HQrp^d!lh=2K@#t<ZK`EXu_+}K%_JnigBQ*;j&BTLWM@lg{y2WYml
zwiA{J@0jYL@8_QT1`puq?+NTpv`=p~KtxDsLJ}nHnjaO61~ZT!56=QS)q_#ZWx##}
zGM0XO<9$Jc?FjUHkPODc_XotwLIl{4lMdCWzxM?2wS~1|OD2_r&c%0tjrz${$Mo2<
zXLP{@&qSH^3{1cOil2EO%%v2JI1G#m3xh9tIwyw5iA0O(-Z}05-9F*l6aJR^Ewy~t
zcNy9<M3$#ho;DIIF|Xgb981fG#l893+A>=y<ZEE6Uj}Q}_TQsw*7eyZ7B6i!MEtf%
zB1YIh@%jqGv1hw~l<kPlF?;pgSGCT&p$m3p1p1zT$pzUcXTdou(NbCMAyFG7zL|B&
z^mJkxV~h+@&7f_M&2&<dci1)Yp7(h|DDpfUyuB4GDQe^0I&X?&A3MM??8>r75R?}2
z!=seIBdX}nL3lawwvbWsiK}MI6)`q`Hr~eiSnnBUiaWswo+Bf6gVq=Q0dFIz_F+y`
zO1LnVT!HAsyqbvQQt?5>ihI5Juzaa*vV7SqezVl-`0jRP0j5agY4rgzgK+5SA18KS
zg|-&9Bz~aI<%gsMj-WRrubfQ&@mjGb@+}t<F0HzgzK?niNV05{zxUCqisF_V{`#8q
zl{J5W=(hk|)B-Pq_qz!^A>4&W+)eD2nw;LA=7=EhuMlT%wRJrprG>vtkPqBjzwB7m
zC4{|Cv=!rzVKOGSbUXo~$BqY*$8NfCu(%1))!f=!LJI>8+*TUrVyJg7WM8U22ZGW^
z9k~j}$*IWDBP$!+H@%2%p&JY81>+^nl-u4X0BI%I^{foZTJjff5`=b`?c>6<^P6X@
zyp6Gmf_1{MsdHOhr^HlC8H8PM0pvT^IHmKD;SQinM+zV@&uX0oB^zi)<HjKV-s3z;
z3W`5Q%4L&X#>HCFJMb?R?pz!Yd{V?`BpohHXoZ;{J^u`ni2+DLAQ=cJuu6LUwU!$7
z4?h=HY6EsiSeC{<7NiH5U7M^1G?^k9{5Ql~v4=Bk)*+#tX^QkXnz(ZV>USWn9y-y`
z?KX3-*LQWeJ6UF9i&@^3hAqxgTb}XP>IRnAjYl8MfZA8)6JjrRY<@)zRi?nZf(o04
z@31=;S3Fytgh!+FAa$*UExi@LkMH^gph<PSnl;|5uaMA+)<T0twNFpfaIRcbN@Q%H
zm)kXBOX!@r^^)4B<ZBVGAy$QxdFv*1sNUtxCsq`#HMabjcJG1%o7HS+Jd<NZ=QYb{
z)u})cUqXAZEo-GtEU(xdZDcw8i%_kr@k*cd59GP=JJgrq>2E3y<hM2r8&;S%B>!M}
z<r3}8W<C0cW}$J?wR}$9$gj)3zG1QHEjr7Lgq_h9La6U2xP76pujZ=rFC@2q*O@fN
z58T7x;l9H%(nDUq>XnhZ<1*xCZi1Y4c(ZtIr%S$@!}1%<`EWl&vpCCB_}to9dJjGl
zxbx#?L7W&XXhp8}g>&7A=(}bi4gOtTp=m}EHIqOSUdqcg&eeZCi4fW8I2aw~IF2{~
zj+|WTzipCH@hv`dSoD?xW-xp&Q+@XXVxHU_u5lsAyV#8ty2dG4Fk{tZB(#4h?n-!?
zaN16=ld922a{48{F4sD<My_AAKd>6j-e{8Qv<sR`UqfIV$KpO~U>FJJfHk2X?r03~
z{txe#tba=bY~ePh<9fHfvFz~Un>+R7&dx=UOuo~~x23N=gA<}wAer4DB;8PS<vSmE
zB(gIC*>|cTH8Zg^Qpyo!e(?fuHMP{@RemIQkk0RS5sK5L84yUlCPbl38<rcP8ZPa@
zXP4B&sLBM{9QKf`Og%#>=O2WbfA3zIjost2HmAnHZ`I^ARXk`-wzQn3zWFF><$d8x
z<!L|E=7X~N(tzc2GuOfs9i1B_?s&KKrgk`9V>z(aO%_h=kZUU~_wa%}5b5}e6dTjj
zzEts7RqA6N*bAB>kEl}P6q`5F{h)SBRu(sNT&(LM>Jc<p#F9To>&U4}$KFJ+DCp?r
z@pYmp;Z~4sHo~k_c!%^(GUf`h70)CgZsJg5IPqd_0_n5AQ5!7;OL|r6y{)EuY8bjW
z(q39<Nxg4$-dvqUbb)g(uO+H-l6}+x3oA*x@lM&iR@9i&EfG=0BWq7P+8x1Cg{ja!
z84pI>6`W=cl6z`~@_?<#<v~aZ>@{#bP<K^)I-VKF6~Bxer!zEj=gc?HN)aKwz43*y
zDh$rM4&fGeYnchC=vq&4pU@3ylXEspw7_0Dx||`}N%=#?%MrAh@VS+iS9N&97YXkA
zs-Yrhwex5-kL1h^{ko6&IClPOQFyjRlB0$)7x`I^gbJ~B&mPD0gL%35=xOY(MHTxm
z*2b<@aGKaXappXbv77wSIG6MlKbb>(i~|H!QA+YB(0hiDpv$2?)=Sc=>Y>@)hHmDH
z!aw91!|!@bc>yXFE1(HPQqWuf@_jQ9=tnz@XQmG&GI57J`885$rEr1Ub(E**jq0pq
zcwg;a{S#LCEY5fb4b<DxfoqO#=BH-9<TBg_?9NXH3Mh#ww)VKYEZRdsZm)V-lP>S;
zjHR&DQbT2q&X_MTXfyVUy#K0$6KV+2n13IUMCDKTd7Y{~%Q9>%CuYiGjrHnFin<sM
zTL<o!-8on(ZIeshU3x(1at;*xBpdS(-pQOKL;R$|;TGQ=C!b%@<*94?d%uBjIacb5
zwL@uK0{iRfl4A+OD`2_n{j8Rd+OE<`4V66Pas2XDQz&sgg+m{?Cxu(?NT6EB1vsp2
zAV0L@BwhfBmhEyMB|y{s9oK<8u8v8)BC=dkqo5hc4|1xtsp2BGpDj#sVjq`@u0uUd
z+VKn|7PW!+jo3K*w;umABS2X`uf_aaoF@;O&10T$bAiOd@5v>Z`*on4woBDfGJd@>
zy42SWd13@`!OT*>)l8Y`X#ISZUc=1nHi!u;3EiwWBfuG75`@O*ky5LxiwlwfmL==r
zWEtV|Kvfy#Ez@X=>4s@bOR`d}e`Bf=S(1da{S?uvs8F?deigweA(uk9Wg*3{gsbVX
zyUU$=ax3}jS5~NG@qkqab33avy%Sa}3AmxUkmL`^Z=*s*)G7V(r@29Wm?}9=StuSQ
zB%4=RC!1Cwd^6@eSsBy30~knvTIAEJDb!K2dTIifst$nUu6GD@2H>AC;nrjFYsPf2
zvk{=FVT+Ole#rApU;{Pr%;0}oP1O3<irw1^I(u*Dv+{W;-$fO`rRH6l?eTn_=c?n>
zuRYco(U`;XCR4RkOCtHvGyX5fr%o$kk)^Ijq_!N;bdcXxvwvpNBE=%|0cWQ;N5!j+
z(r#$L`F4H(D9`S;nrj%*@h^{6+2d-@y$+3#O+RvLS+ll$?mDseHJSI`uH6d%?T_f`
z)uZMzZEH$re>V$@iecV_M3K9<b&GmP?~9rC;WpcTQtE^%U$b<`PaSfUMzDO+i}enx
zcEjm%fR%v$c>wG@Ee)K3@6pUYz9isYcD@5dunR9Cs?M;#gI$ysG#6;n>75Pfk{+ri
z9}P6IMHEXW6;7Mfo{e2@i4=Pq=lLNYQzNX?^)(39A(ci&GR`Z8-Z<$UBaQuZr*7Hi
zkqINXWn=Hw6s22)Yn!hq?o)m;Fj8nUy>B8IEJzr2ZBG_so*Z_<c}-k`sSn<0decGJ
zd3lM|&GHh`ZlhMte5~c=341>Dy%FXoY<|?UL<le9f;6|Z<#fbWP0#al^S2rCsxac<
zhBC0ELo~L0AL(5*WV>XOTD-e1BDjV-b~%JY%s?{ap|Rn@nWgrqimoILOF>>eiaW3(
zV4@fGY0k@eSu9K_F)WoB)q^2twfkI%0rS8Q5*Sh%Gcywi*v)Y4*qx-q*bW3*o+sr?
zn|xxzRz$1CiF$!lub7BKqsNtH+S>=fycf8yA?bQa*Jo5cw}(wQJ*iksnlFo?j(tH(
zGE;o`$6kka_@D$Os4fLNijBWWFN;gD4CP4rRt0~q`Q7#g=)PUF&Ywc&#+Q<%Vwf8~
zT;v9YJ*TD4!ojv&3>Wc%Y;x{qfk~j_$3EuVb1Rzo<~Fw;!ayc5Hrm&PVAJ$0+-i-}
zBuO$&aS^|J(=v1gjWmDf5)o=v;Y#|~vJiCh;M{%&pcdX^<rQp1<%1d#?Xi3t(4*x1
z(i(+OnPvDml33^tV{|Ttm#*=+3?=-LI|C0zCnvVKDewMqiKUW0m11{TYRB({h|jF+
z4|OWnz}7F4rX%ih<Dgm4m=7Gzo9j(=(!xl&Q8ziQ7|FDsVn(a(l}8J&@4VVBbiD>M
z$0a;TrM9*(u7+)UA)_~o;1QDU<hX9}x7QmN@}oN?_9+P8#M1Esv4Z+|eI%EH3>YQK
zv|Z?(c^EVA6s=HwA~D**QNjdE?6(}B?ReYzkxNQ74pDOQgtH{i0Xfv|vdlk`<X!bj
zSo+A|($~X5U>(U4U12;&cto7r8Gc4uCjNv)->r$BM0PFO5?G7EL|CI4-*)6nQOMr>
zV<rp?eOnnV#qOh`GaHiZ9iy$Dq%wX(aT)EmB9bJ3cuG%%Rnef_GVcP3dVa5T{?j&Z
zc*=5s{ZtlSsm9oKZu~Yy>T#N5y4xkF=)*%j6bq3a;PMv6vC>`MgEJZ*I_QC9rt|Ce
z@Bk<U1VuS@&>1tTHS=v4AiTG{G@hw~+NeI=%+wkg)pk?DHHzQ$?Z`Z0)90wpkhn?`
zpMGMOO7MKQR`p3!aR=OTK}UShr~AVPSG^pa7q)d?hhFA9ADP$GOKOBi?LD@*_F<!4
z*1wx>%d!c3_)3<Ze6Jr^Y>$}yh;eMzXi*r0H#=;5@Imk_Wq6pob(Ati!j5q-A-deH
zW#As{3Y&-HNp^dp61QdUMX@m1GA|e(%MGPbu&p-s1=-}&YC?LFy?JUQSN|O$Bjbat
zJ31W_m0BYJHRCREIY;b`s>;Tu=7EgsMVQ*I!sVu6M>c?xQf*SY4{SgUA$}Ujic1HJ
zhacdHo5ozT9=j6O-^bIN>%pp5dnYb7IkJp2MESnv0*TOCp$51p9c?ysd>%QgP^GQo
z@9Ih9w#pSzRBh$*I|;h|Lbp4j`*%}D$}e<Rb|f^XHn&fZxK3o{s*YQ!g<PQx;z71a
z>}H+GBj>u0SM!QUiCj8kKU=hLSit&Styuj9mYerF*({0^lL8fz!dit6#+?sjSQ8cX
zP(7|a@F!fIWP0?alG6+P?BkB{%jI21fJR*&z4|G|=rScjr~C;#@x{n~Dy|pA`-p;G
z4SIXcxx#!|bo|HKN$^Wpn#>?6M`mkp=DG`Xk)<NyD5bpcD0psIwVG+sW7JLFn(**o
zoiPdgQA<V+8SaIAMHE^Mg1=gIcgrPc6)NSF&14;nLo1hOUYtdHy-^+y!xzoV{43)0
zi%tH*k1J79QiJr}oDIVkbbufAFJ-FR9Lolhp#=b41EOy?p2MP=F>QXU*Uo%3vU_yc
zbhU#=hV2$3rTG#K&B&}|xPK<yYjI+M%SM>UlHH7rPW1V0`dO<i5HFI_<}P7L2c;te
z8k}}rzY>VPUj@7|-vA&coH|s?JK(m!w<_rq?!hgY8v>d{6=x14?$?ul?Tcr@7gN6i
zi)Q~UdV`CWBe%nBo316*lKM_v;e;u3dnS6{(yRRZDH=7NZr3xKLZ6G`J|0{CX4!(o
z1e}D)R;0gWSzu~yehyKguCkEN&S$^uczFzPYo0@&0%5i-EXdq9BQF~hKSJN_$$&Ei
z!r;IjEwGb8OD}>}>jh%t%@|>U($#ObaEJbyr{jW@F-a*@QKfUi#!Ig2@(C;`RDZow
zz~O0{TU%VJKL=<fu@y}fH}b9D*5YAZG3r!M@6w<YDb`EM@pYUE;gdt&H~)*kR?+b$
z4LGy|ja6cW%z_~U&iMdqq8YhruraHO((&8q#CRY!p$1{X=!Id6^Y<S65(4DY;(>bq
zDP9t3W&l0}8v;O!i4+T8gGT@X889!d0Z~HO_`n45h@?s#%idvFeQv(=O;Mw&Cv4b4
zAr14N7Jw(9k>{sUUkK{qYc#GwmZWzgKv`5#9!p<a<VJN>l6d=!>Mt;4=y9<w+${#c
zc`~1Ehtt2+H28l(7MgLipMW9CtN}<MlxHYUKeNMgxWi}7z~RFnz}3>(Ot~e99w^gI
zJS3?uGYWj8o{IbUKk3at2I_Udm46%D3x@1xs<T2G0FwzoWRk;=R5PvS(POE#dtWx{
z$(7<+P7dkudi>W+r3cCYG7isY$6NpNMcm=47Bu&wpFW3;D}*IhWz+&=>%(*wu*j2v
zSZT;#Kt}c;0*F=hD`q>H8f>PRpf=1{Ay0=GY|q(9{RQ6sUHk)yy{z&Vo(L4Lep4(1
zAk*&s-`>>Oz@1Je%gvO^C#c;NJ-NN!KK15k4}q&2^=_@(te44yuQ)p64OAK}>F(QI
z=dF2^4U6SY^!*Dl2nuL0Y@FNaiod<}Z9FqUMi0v$q>94^KAA7|<a?1oyKyuM97li)
z!_?F#ghh^4f{wVjbu2+wB)jc*E`)I3gjsSfMiH=&u!SUwS2H+PRk08A<)7ZB31D()
z`bI{S2N~$b441x*b;)K?dxyZvvI?8L`@bsy$pd0N1fWnIG%%Xkz;F7fr(Rp9A0F9e
zrMPfw2T6O1`QNjoaV<-sd1&4$>@Tx~@}9WB6IY>lN|_kPqF+GswbSORd|`OlzyI?z
z@Sl3-rmES)h_qm>$Hlon0!=8~$+*V!TqYcN`;5-t*x<B9Fd+7TdH4MiBLL0N0~BDU
z#OO1}E&Ur;<y*cu>d}byhtamaxw(92Gi5qPm*zYxKSOtd{3*V-D@VX`@vri8VE)TB
z`7Cjl<R^2^4sA<2#kFZ_oi+3W_w#4_0iDI``;k)~{=tH>0ki-n;{FWpPA})h7^nNt
zcwsp7{gr7N{pC)qE&vS0RmP<v&NZVtIOkzlcd`4`9JXb6gy5pM?#Zi^b&}ajoq?h2
z8kn1_508ov8|kC*XLqNI?_)5ubC_PpYD-d)P!C+d7CsO*sRr4VE*1?fDTai{+$pwn
zfl8jYFrTgRhIQZWN91+~2L!*}GZ8D&l0fsE$LkU|e`k4H&GNb9-s8`)UgI_e?#nFv
z^W~>pBl>>2`q6Fg7R_CVW76OVO3AeUFvxw>?Y3kRmrEUwP@R)0Y!|?ck4Ija?o{`{
zp-HewN4m?I-D8OFM9Tuf-|#--weVcOPSkxDHkd|%x;4hC#pts=<JQs50cKLuSl2u&
z2r`v7L_W1w+lpVgwmMt*rwR*_-d%Jvz0wl13+=TP{X@QOhG_BKCXBq)P(1u+gf#_$
z5iWc)C}nW?qSk{qchXGh@ef9)N!f1zrbm{aq3@pCm78_W7g!$4s2q5rm3w1g;5}g0
z+C^)gJxntg3sV~%s%}deGx5YxJ5}-^)f`QTTOYu0z5IZr6$Y1SLA`cLC*-lAjW4qC
zKKImGBMQW!UAyS8Irv~Fd{p%<)VGI!GcA1rH#ODq;Rbz>%lg!S7@~F*@9Dm<s#3lk
zD>LPBdikShl8BUWTGvSTM8zMn;>)lINu4)>p~+|R@<snt7rIM%+?_VYep(UjKb#*g
z-1^-z`eD8$UG*R`Cvf={A&lHkv_1G8qNBMq@!3a~9Nm3XP$erIu&gIuMAVNglG*Ho
zj*|zA2`P;V#o$s?3R#jry0I}m#L-v&x8+Kav(C~46d+Npsvl=iNOD)22%jnvLBrf7
zlfk0=p%v2Fk*fBVkKJy$LTy1xe46%;@@`<ZQEdMxw({1wi#!I!uP0eeYFs%DTr$(#
z$Cn)RQDSf*_ue!;&j$K#>|g|F8Q3OFD!1voH^=U`UWz=gI!VPNdKNgrEuG&s?tDwn
zb#uE9;}jIgK_A}v(!|y6rZ3!7S&=qA>cf{Od_cnHT26(&b`L$(zK)cWBJNwW)$g~K
z*3=xAOM=O?58<JN9`Loj>H;V~-et;oF9=WiG^nz4AIOs^mF<avfX8A+g!{Wj_&LQu
z)pbofk5v#FSfiV5ayFQ_5wLU84(VnmD9qEc>leTM)xEj>+=|pg^-{3AODyzm@w%(8
zX&E5URgKpZ7WnBWtDR=E!7<$9rLv`}OFG53&-b5QpHOQM<Bw!o8L`@rdb~SOr<LeP
z4xhj6KiB;W18#AIsv$+ocJ@gTiD2=wST^S9Rh+BXUu*bZ<>f7J8@kV1zru>`^dAEf
zO#an5SnSkjXkuIvXP7gsa=+}+*!00U8v`wB=U*dc`6n2{BW4JswkoL~ix?PDwFG?=
zTWZy>3W~{^e0BM(zT*Cc5zX6Exi{C(D~fo&=Td-o|8jDe_MFjcWh4ynaadqwF1U(V
zydl`S8PaH(E4EP|9P!qj+-a|L8T*jK&r+si#3@qiZ6~QtNU(0Uyx#0HrFG{|zKMZ&
z+C&B?A=#?S3-=-<7cbI=e|4Zf!lmbMV+eV!Ih&6VtA4DyZ2kpx<gG?lg?5Rk*CJo5
zV5djGzSXJKbbQS!Gb04D?Xvc^zEz7BC4%^&?sXLV{b!LP7IJmlQYF*3$LgOQ6viDq
zU>vik=)xt*$+*3nQ?>%g)Z&D&+XE5RBCnD7%LQ_FW=Eo3@#DtCCQ&!O>mgxQElt23
zq-N_JVAcOjf3CmN-=p7S?AfHefvJ;2XUpnyi;_52qvw4Sw%HDAzXVJwlkW(;YaO=8
z&4Z_8?E`@HTB@FO?cS-l(T9KdCR?pCuqHU{qot3L_=iV!-}&~=@(kYyU#zndIG`R6
z=Xj?)JsGcMUNB`F5o+0*&hh9i<!}vgNz43j>93IAcztroYdiK?xqECk%_nONo_{ye
zA#h(GY&7|-0P9aHHjNZke&B1fVsmKgn;7_jI}fd%H^B}bRXU1)|H8DEkI(=~owDn`
znH2tL3$sWSAv$)+euOYN9y@qJ>bMnJWI7WqNrBfz`miFnEDQ%{5ERrMlRM5md^<Q`
zAX};#9qT6KM8L0X?)?~EY)C=mjX5NRc?_X%e0NV<CU=~VX8BOjRhAf0F7i4xjQb$R
zi|+Vr`!TzHC)~1wu2%wyroMze;N&d~$9vEGTU{Hx0Ci;;Uk3OQa;Nn0=!-(8ML3d(
z<r9RknRfogxT?a3ci%nA{ui<)@;hMuGeI8E)y6x-G*ho4f?GeK;%1b00KrpC;Lq8p
zrs`yyMeRyQ+o|W|67{N4TZ&d=e^;<pGzQJt!HGh@b5&K=RGh2tY+>#N_r*l^YjQGF
zJ<q9NteISajwXEel~Zk)`!e;Su39$>!kX~NlXhCjS2Gp<S{e}(i6}~3j+yEj{y=?m
zCoH1Lf$(UhbIiWRTdhC0tx80CmA!)8zMYNEB#WKr6?f8ID53D;IDyHY7bu@JLFka%
zCyv7=I=uD{gNHLqxo?Q#yrJB@9F!3*jBpYYsWPV`{j-lPXEYl<j*X!^uw*3+FOqiW
zc-0Ozd#H)+PtMhiz;i?0n*TYi<frmx>jj?iWljTT;Or^G=kT--bIzHt&8I%_V?7`D
zsVhG4`iJplg~8GAob+E(Kz!fD$;mN2jn=}KE^hB3M+O!$#PBoUp?uhrg-~PFj4=EF
zU%{#?sur(QaoFaGjbG^Cv^XTin3N*!jDic1;E@jZv?N+G>G?0MCr0_DkewDb)ASj;
zB_radO!?gt<tncgo~c@i7nS8&a-8tG;;=M}zha$-6g0d1p4zyGa)0eexmNl0b%cL$
z^TGAx4(}_1oJS23<D2L4#H)We=Cl7yDP#Kyn!8E6CF9Ez@suA2DQzVp^Q{3u+)SfA
zUp_Zve1v#FvR7-Fc<E!{d*2d=>fOSojGI<4pt#(tk?7IoH+h-|@BxaN!UMYz3#!Xf
z>G*3evoqQ&XJF?06a9Q^A(yWCy2<F6p~%*6+@w1|AVO#QkH+91;ZZE6?GT))WghCN
zgSvO{|E#7o>>zIAQ>n@LAn{CEH6cJZ-;#t(pCANZuwIo<6-*lqX?HZ9V;wVeNKtgA
ze|+u26t?+tt7b&o&FUc5klIr$IpFmc32<-&R%4B!<;Apv3(afOP^@7Pcs`U8ZJpa*
zSx*@H0PZd>z-Bmt*Bdz9pT5^JJP-su-X~dpQ=$MV&EF3n6FI0rn#Dmh93x_p%s8oy
z@I)50koJn;gJ<BdCtVD!O%r^7s)9JaO6l-PasQ!AF%J*3gSBrOYX6{KJClluTZ3T4
z%G@6vzi&cWPg5l%w?2#2N%3zUuT=FW+91|Ovg6Obp`oF>s;;c?{4Sl3B&BU=wabd_
zF>X+0`PIC<At2gK_vG-@7t53{=so2Z?5fM<e0=x(Z}y^@Lz`cJe>LO^lJ$N%&c<O(
zPyj>HPF`Pv>ukNSLVDM|bW^(;BA+9A1RWuNM$CINsE1hUf&LLMv7Yz7|D(s^y6)zu
zbEi#|?hAnX4zD?9z#QpnD!gt-31xnh)G+G5h0k;9H*^vdCj!PY;pxv5g{e2>$=_%7
z+1>l2CadXaH04Iv{_(>!75)wx9v^f){(7di?0G$n`$IV?PwpG_H_T-_Z2l@Ke!Y5j
zti0r-(=ul@_|whLae}{lU!v=1H0j@+7=)cjG5q8`d+?7Z<)7IGbn$P0p|^b)7+lI}
zH`MBD|2Yo!r9i;{9t}%FV+R~9^Y``tl$R}U|G)ea<{odrdSA{CsCUDt{sL2F=ee*m
z?f>~YfCgbMf9i}s;i~z><%d+u`s*!5mU?j$;s5i^FRue<VbEai71HR5ODNi&rwh-Y
z+WTZzf{HA^@!xHwJp`n;5&QiD&-x)7Ls{GO$@!s=hip5)hM}mNNwfg<vO>tqr-}Uj
zlW+o3op;L!hIyl^6Y1beIP+i4_-~#DIGWu0Z%)nneX3>GrMtMS&+|vhp!mTBE(PY4
z-H?~Y-!5>gaMpBO;L1wct6?@*7Tx);`ZPbi{%?16PrW}@m8HAF#v5vDNTWN=;9ARJ
zy*p3GtS)01>J+nm#Qfj2ywrdL7JrL23qF0(e6DE0>YDtU<N&sZeBr{&L02Y4kULSg
z58GJ&y9PV||E+-*;H8oXMzET6ni*fX0gm=l{;U593b4>!;GvO80}gR~wb!0;`8)ga
z{eqE*8^`GXZta2VHyYZX&<i5|3)b}apBK=ojkF*yyl0a^(p|QM>?ONT_w)VF``rI}
zKUkkeSLZdmj-Q&>Ddj7yPZh1284;(Hx0=t@p8PYZ{#J{91a$Vl>(l%U{VV7HDIF63
g|9R<Bz`_Z={<XICG>?a6f4@@wiMDc{;>&mc2S|H-Q~&?~

literal 0
HcmV?d00001


From 16e32ce2a89c664e871077ef31520cdb1712b685 Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Fri, 11 Oct 2019 23:41:37 +0000
Subject: [PATCH 191/420] Address PR feedback

---
 docs/GettingStartedDocs/Windows_vscode.md      |  13 +++++++------
 docs/GettingStartedDocs/Windows_windbg.md      |   7 ++-----
 .../images/WinDbgEnclaveBreakpoint.jpg         | Bin 0 -> 478009 bytes
 3 files changed, 9 insertions(+), 11 deletions(-)
 create mode 100644 docs/GettingStartedDocs/images/WinDbgEnclaveBreakpoint.jpg

diff --git a/docs/GettingStartedDocs/Windows_vscode.md b/docs/GettingStartedDocs/Windows_vscode.md
index 9ade373e78..57b8648551 100644
--- a/docs/GettingStartedDocs/Windows_vscode.md
+++ b/docs/GettingStartedDocs/Windows_vscode.md
@@ -106,13 +106,14 @@ Open enc.c and put a breakpoint and continue execution.
 ![Enclave Breakpoint](images/VSCodeEnclaveBreakpoint.png)
 
 
-## CDB Debugger Limitation
+## Known Issues
 
 The VS Code Debugger extension is currently released as an early preview.
 These issues are being worked on and will be fixed in an upcoming update.
 
-- It is recommended to clear all breakpoints and set them again every time the program is launched for debugging.
-- It is recommended to stop the debugging session by clicking on the stop button and starting a new debugging session each time.
-- The debug cursor often jumps to the start of the file when stepping and then jumps to the correct location on the next step. 
-This is due to the way ELF encodes lack of location information.
-
+- Breakpoints aren't yet completely persisted and restored correctly.
+Therefore it is recommended that you clear all breakpoints and set them again every time the program is launched for debugging.
+- Debugging session is not terminated when the program runs to completion.
+Therefore it is recommended that you stop and start a new debugging session each time.
+- The debug cursor often jumps to the start of the file while debugging within an enclave.
+Stepping again should take the cursor to the correct location.
diff --git a/docs/GettingStartedDocs/Windows_windbg.md b/docs/GettingStartedDocs/Windows_windbg.md
index 1d4fa5adfd..7a431bc61b 100644
--- a/docs/GettingStartedDocs/Windows_windbg.md
+++ b/docs/GettingStartedDocs/Windows_windbg.md
@@ -61,11 +61,8 @@ Open your enclave source code, put a breakpoint and continue executin till that
 Explore various WinDbg commands and features.
 
 
-## Limitations
+## Known Issues
 
 These issues are being worked on and will be fixed in an upcoming update.
 
-- The debug cursor often jumps to the start of the file when stepping and then jumps to the correct location on the next step. 
-This is due to the way ELF encodes lack of location information.
-
-
+- The debug cursor often jumps to the start of the file while debugging within an enclave. Stepping again should take the cursor to the correct location.
diff --git a/docs/GettingStartedDocs/images/WinDbgEnclaveBreakpoint.jpg b/docs/GettingStartedDocs/images/WinDbgEnclaveBreakpoint.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..a3f69cfe014d2216cf6f19ab85e07af0d95f94e1
GIT binary patch
literal 478009
zcmdqJ2Ut^Gw=NnhA|lc|s8pp%S1D1HCIZqs5$QyTNUyPifWQX`C@s>ZgeWc4M5zKI
zQX@eK3B4zj5J=(X`_H-iKX>o{K4<S+p68ys$b8mZD=TZwF~^)^zT+KZarFCW7I5L7
zfw2ML*s)`PaONN22oG@75BK!~08C8*R{;RP8NjI%#{j38wPVb3@5G6J?EkI<EH3=F
z`rii@oPd+e9ka?6Y{B)<`rp?9j>UZh0KTLiO#$uzjvqVr_vgQFCr+LCdpmvd<cU)(
zr&(D3E@xQTSkIg}dxnMOEc@BBZ0DF83+s6f_H*a|uK#_LzkmMsub7{6XIReseZ_xm
zJNgRXJab}|<=Kg2mjTB)kDcH=cGLwBXSVbdvnT%UjQ_qJJAUHisng6Ron>QQ&~Sm-
z{1YdRGaGyABvagDG0g7)Cpk}XT~fY%n%lyS<#Hg8%Ja0sGZK1VzVTWP6D3t2J$=D?
zmXBXRP)JHzM)t~8HFXWm>o;!RxvOtrXk>iP%G$=(&fdY%-NVz%+sD^0C^#fEEIcCe
z<*V0m@oy3m(=*;>W@W$skW*A#Qd(C2siLyBuD+oW+0@+9(b?7A)BC-ze`IuQd;;@(
z5{oCy%`Yr2Ew8MSws&^-$orIo!@uP^1~~EG#QHbM{+(Q$Ou3FTb#Rj9Z@G>g4`Y@S
zoF`9RQa;Uf+k(X{ko&UA^D{hpX@y_Du}Y{~5_umz9X`t^sfL##{Vm!*B>T?^_TvAN
zWdA1EKjp##&M^n(an2K*03d+wLN5dQ55?nZb$(`ZBsUn>AE-Ywt?cD^@6mI6Ys1w+
zoW_?rD_Ook65R=2@rv5rT8CaGp(*m-&lOS9v17o~!CG41gAcYIwRCsA5xL9joUS_j
z`MS<+L^c!*o9w(#IY!*Kn21&)yeUHs7dEDEZJgC;G5Dzq($k)hOm*Cd6RRdHohtgX
zP?1<}=9gE1aNm<4dmRB@yr3!5Yoc8~`NXnJNRKtJD^6{MaklBYe&0X!GibG=y%sGD
zoSjbPx&x2J;<$@mS~rYKAct%81_F2=q#_Mp948)IRql}+ht5`ri>d)%02_a1<LRJp
zM}S7#FO|_oQ9f!nV#R4jV`}ZE$)2wzd<q-m4zF)a>hWbfl{QMZ`paRBZ6&CLu3OZE
zc!d%|Qj~}?CbbbXi@?*#<-!S0T|#XwJ(X>0H5t?QwzYqjWd3n!dT{J3?<}Zx|LZ{N
z6x(drt61gmwO$a{9LX?MUZKsz4U9*N_(f`@;s+eY0~8(?)z#-{ITdoL#HVjwnekR?
zdf#|AQ#=CIkJ)bD*a?kw)T&?4%}S)ZY-~3$?yXWc>o@i?d3T^GD4FoJZ{qdhFSYFm
z?A(?_%<F(Q(<mZ&u}^&*^%-5)%4uA>mdqt<?+I?w|Co#l;V<EHYpg3KzQZ+^Z`>i>
zF~zjG%q7cw1D=Ic({8vIhJ(70C}Hrx!D9u)5~{i7bCz)Pwd}w<A_f+KNeP~?tHVE(
zu9u5z(6UlpE3glStI8$wtFaJ+(G|)nrfk&_XWg8+iP&T3B^eY_UBYw8T%)m<!wnzQ
zkyyGZG=2ht&DT{()3K<gA+UUHpA*~Zuk)jmpL^=QG@JYnAs<?rJj(lnYN)OTQ}KUI
zGX}As)a*IC7rSVd)dIF({?W$%^w$KpD&NR%_#ozYQ8GjkzJ8ZG37*!Jqn^NLkNYWy
z9*7=ZSTr|n7@pQQt_tx}&;-NRv35LGknB-X#*0|vJ_pw!a7m1*ezbz;5#UtK$Ri4v
zr1jt?s8dOhl7XLj4kj3_>x$6sz3g_3tpKZ!VCxOm9luWO8%rp<ho9w5zg#QQWEM|O
zqkoPL<Ns!kJ<*{nNvsC4x49J2u8eDY;^BAnNLGHT#{Tmz`tAAt8}kiqFRWkH_AY)@
zxnhh9@Vjbl0g}e#zss$gGIIb`)-~IQS2pmfZG`dA^71Uv;2py)!$}^yu2@!jA?*ZJ
zKDG~cfgu-u$C&<+W>FEY+4*4AF)nv*ZA;jxyF$d<zc~Dvw$|iJPk7p!Q+M1Pf|f0z
z-)`@5ycUxpy@quk0ZvR(&X3+EdZ2Vh%SN^J)SD5z%Vo-@Cx>GSIHV6XqMkfTE>FmL
z!WD)!#+F2Q_hCT!83EI~Ns(aBFUdFaNLE|m=s%Wde~;`Rhkl8aUh)^p8mScOt)*kt
zRlqSC%NK*_W}N5a7h*|~8f!S6xCE+AB>W`Vj!e3_v#p23Ilal#PHKO5oF3mRPLcgg
zIYzaoK=7OG?!*aEVAtVKSn(vYm29Uk&9T1T+AL}}Wm}(&y8Se|@h=yav+2eQf3+H)
zX?9RpP_%As)u(TLkSu5cJz9|bxEgHo0j&_SGgV%;G&*MYQ&*TdYMwzm3}<oYKNIsp
zQP(DPFS|zTwEZd_H=9;*x>Dn~x%~5zRIwAAZR;&}7lQqRTF8uc?<|zYSN;tr%21{N
z?~H8e^7R!)8;nVhv}p%#y~%3HPK1|nnn-f3I$qX;`<^S}JK_0b#9-uWt)XBTr?+5`
zT&ELuCd{}hY|-@T5kR%Y&UbQPx-~1SomM@cPZ#lwoxp@Zk+O&cs9V*V07`y2QnMSv
zLvtn`0XC$(kaj|-v>HmeRca^WT33KH%(zxn^zz~$pZ&Z|U4j>KQatYqibyZ-JOWUz
z@RM;HK_SF!=TVeUXO*#UrHkWKco0G4Cb^+3S4n{ecl_pGq`@I?8Q_xsN7lnbVc&$S
zLZI8YeKb2WYeTnj*X+>o@DxndCC4=^3WSNR9MqbGSy_O1Y0Av5%a49QDa0QEUPWdi
zzM5(XLsGEL*}7aZy`OL%&54r%E+O|Fpv8{$m%~!P&<3LpHI9?!(p}4nM}XOq8EIW!
zN+86YSPIb&nL~)I9sxK4c0m;5H2K|_JLWGA4PhHFZ)vc~W2E3oxvSlm+}OUqI6Y$F
z7mzz0yw;L316Rt~d>sPb-5T{)pmRf|V|?|atw?L+7E*j-v{q?2)OutSB|_O@+HL;m
zOGV%btaQ5q83y%^2|M}eVcWKUNx_Vdb4h|c=U;u7c|EaP=i$uRT}#wS?O7bYgrYcU
z#`)78YI8rSjn;2S?EyWef_^&^bWVJiCszgElE+-R^4isn^;YX54DBiUC(jNcFNGSQ
zBsi=^B|cqfCmU<g7U4@o%`!R%Q<dpzLs+d|DAM~S<BE^#snL3lvy(pjj*YL~;lINd
zU|lU5$Z}_%=j!Y#S~gBTWm%$BU5tcIYuT=a+^K$g`4IrD#1)Rfi?1W*U?+VKw{hV+
zz1V2}Sh0AEn^9(7BkHPBuh;U9ozpyX?ptO*{r%_UY2I@cpls?-Hs*8=HJjS^hk(QE
zMzaZ^{xTfBsb-vv@gU>sbbl0~?vUbXyso%eT&KB!F-f=+#YY6CMoY}GnV;0n51Nx5
z?W~(|b?A)&Kf!i)w~5&lHvH8m(f&D8`vb3ACaodk<rsRl7)Klv;(z&&xY>-)6%Fcy
z3eZ#w!L<~Qo&kaaw^d#1^wnxRV(+n>EBsH5c|P~t=~}hP27eK}a_{QRoqKGf`QMZ}
z0{tNYIa=P1u0Of*S_~}r7Aym1+Tb!@_PcpW=Ic9D5T&?NjDNiChP!(hiJKtvR#$<7
zF(NLc)YTY!d-{61Rs2zH=*FjnAsdj-Bz?ZzmJ0~Ca6juX`m0Tj8spc9z7Pyzp<uo~
zpn$s&b5g{BCVBO`O5elaY@x^4I9M3u1~Op@*<}CfMwVPyikIirucsg7y~7JC)fZt*
zy^2O$aBW%nkjWhDRLOFFvh(N>04b6IsjYXylvnD$D?-^(Y?uQ`r<PJxY#0ccrRJI>
z!4kMAmnQ@vQ~p2mvJjsX>k;#FeK9)h9c9<dxPSBwn#`gpvPubUhWM=$;S4Gs9+yi5
z5e&-R%6%fYDS3l6T{*9k&cnjO%7pdfWMwk(;w|kt*8H4&Z)1su)>~Rn_ZCbhjISdU
z13bZ-o5;86IR$fmE{Y7}dhBLK(s*zk)&jD6Q*QPMfVCq}Q(lvxWF5*5+$WYF0$7d(
zOl;BQzyvJ_@4c4xjg6E#_KK{TGw?B~wlv6(<R`WA&*!%Dl~sd5jhKz>IeO5n;RX--
zT${Maj3~wP<0{smoG?VWhch1E2(jOtC@>uLx1D}90ABp+=%5JCjqI0jI0r^++B~gL
zfbgm__`#Z!e#pkPX827r8~V%Pil=CjOIdbk^{(9{*?V%#Zs-V57oW5TI}<ysD@}B5
zt^f<cQxkW!I7GrDmmai6rOFBv*Nw>+PWSho8=e|MN}i|?d1&{V(G6=n0(7OGWc0_L
zAZaFRiw43eY!67<454<C%~oPb3+YV3l5^9S#wIG8Q*ED@boz|KBFWRb?*i{FVPAuB
z3G?cDml~Ly-4vlM8hgWcY%x{61@v<;NI{!0I{J$`l6WwqG==*?FVOa!+oIe(0?b>G
zHin)vI{%)S;<09pId<5#A-VbK*1>IZqjFsYb#ML%z=!tHYB%Y{G>VC4bn6P|-li9|
z>EKOmtq8eO-}l~oey(j!v%Dhg53hsw7dv)S%apSvf|DIav$gR8^cwS)r{z3!U<BXc
zZX<c3VMVWGfqY|h@0GW7drVJj#0IoU77>30@I_2n5jeVz0MD@d3EJ%VOQp2y4W#_|
zc>icS2mx7-32?=M8fshe<@x?xto5}dh%W972A^tsQKPytbDGrHJPYS0KO>$muL9fM
zM84FWB#3fYw6&*$n}gwIf}8LUo{;wn?IW((k0&=wuJ^<!SG;*pdK2y|&>T4_6R=W$
zSd;pNsm~zmiOqYu*)3>)p}M+utZsS{N{0Rh9WW&53p;ZJ@TQ6<FgO`MexW48#kBI3
zy6tpj{7vlITI)s#t@#adR)FpM#L^#qm!1D`NgTJ}N&Ot=dYq1mb|5HdGMATRby%G3
zP4Nz3qUMC{&C~TL8BL)D<kWYeXw0E+y%BsaKS!NDKEG`++9i0}W1CuK@uYeg?ih{M
zl;L46A^90~G3W2ujICT9x{J~5lS3}1M>Z7c78IczC}8Rn3YDBdM0EK(ePx`bL>?Nx
zHbay-ngq>}854D5>*d?8Q5BwI`LdtAZ%g){M4sc(Z|48ezm2Zd?1dy8W}?@3=7tiu
z?#$C35le2KFBHqKHi;=`BYCL{i|Q9?G?E<uIDbMVS|^{4qh4i|JloU*LpRQ>9Ra?M
zHOKn*OyFkBCR!cG(&MO9+<}skIxRhOt1;P?jK=cVeM5>jmUpE-gYu*OrXzu8{)Df6
z1)hsG_l8!QS5V;9PDZ1^&-Ih#N%tDBnbjE!>}-nhgN^z!HNJ02yqcj`0B7sP&eLJB
zlHtX7Yg;Iw5b<Y^H?~5kP%h?*Mw~%LN+V6aoKJI;R}o%$-CEdH>trxulqUcBRosom
zRC!Nmg8re448jv$v%907dE?6UDfG`l1>L=})zu~JJG&)VZz@*2D<=+3Du3`x+l^op
z{GM?!`kJZ8l%G{s)`Z>YN?bVMSbVm~id@8-rt^{yzs_SCDO==2l4lBxbfUX}lj2!U
zDaJ!PTB(CtU6E}JS&f_B1HZ*7?;CT=lZ@S)ouY51>aI?fqzl^E`52~kQ{e*!xh;{7
z{p`p|#o+wIG~PjhpF$Om6RXqf*`Z@j#^UC~pewXMCNwFwr}0xfNlMP3(=%Yl>}Mf#
zt^4((3J7~+#P8`zC)^RhM{maXl6zfLv(UAgAh*k#OA<i@ei{!qm4%=P$19x=H)L>`
zhC(>)!woyN8qB|7!I61~PJVR<Bk!H3rkosJr5js#yEj#K{XEVOuitj{TUD}Yp%h20
zPv__VLX;k=;WF;+`|dgFgi?ohU-NE5nX{A$$ljn%(9|feHQ&baGZ7lw3H<a>JZ+1^
zM^{SdbwQnXHLf(Xp*w$lVq)FiNRg*ky$#rglxuabZipu!u%lhDV?aL$e|QGrm5R?H
z)A(KJMYvMDJ6q<l;|a}--_41t0bX(A9?c(4DsTD}cV5$5;EyN(8!PV9uC(L^?Anfc
zt?&Kvcg(GrEZy%{K2VC#Y8U!VRY^S1?7#^y6v50z4bc%J-aEtlg~*;&F^l6`WiMNf
zy_VrLy7fVN_|>C%^@bY7k2_KVoP9zGDSf#?&xfJkY*12bIOat6_`Zi@A0V6>SD?A$
z!?Q%W*48l?QeVyQUWLjV>FV^|$HTl~)^3;1>1EhKUNFs9=}JUXtlyjkYC4yiIaDHx
z$l79p!(zwm4r5&jUm%b62}mKO^(z^xzLD|)pA4mjigR{X{b|p9^<+q=9hR--YCvqc
zmzc1Pe*fLr$@L<=mF7T{25~vioGIY)<;a5U*+G+@!~3xpNOF`!c0Y{ScK1T#!TP$Z
zT*=PHcaTD{=U-_TWd|(h)6u4&Ke<q~4F7<Z!k)ZRsgn)<a*^1XglUI%p$W2XP7z9u
zvO)ExJ%N$0jWRAWM+Ni@yru!d9sU$&K2~r3W~gSx?l5Mv92~%K`8IOx=f)*uwEmm9
z%+eIY@GiqYKtFNpDu%30&+(@P&Q(D<R$AJ-8XX^g@sCm1eK)q5?{1H?XiAYv85gP3
z`H^;o(_r(mcbERawCR9}N%rE1FB3L%xwhzLC&tpO3+qg2*|vv@ExQ=^Nm;~OhA8x#
z%kGwNxMnxDBofkz=2Yr*F*kt-%upl<=UgR+cj4!$KUi$yNd9gr4R!jL3b00n9w}EO
zZ392+AQE6iTet*%|5>yq+}WPOa@#yXsHc$SIYQfQ?o*pqF<40Fy&kq<a6W5`9KQ6Y
zY)1A`bA)A-_W|epwe(S_QqKf+t31l&!1IwVIcbR43JpOE90AlIWM1BR;1|P<h~ikR
z_(@!Mi<M8|F5PTPf6O2it`GOE3VBR*fkPhII3<NyrW;Ckc^UIRl?b>!3uQsiHq5Y6
zI!TC*7KP-cj!ByO96WHBoqt`Nb3>`kMFiJ&VJNDw`r_2okKqfY0iKyBe+gcGTc5<;
zuvh_~hA%}q&LC~KeieB3U2T^L#(`b;ck9q#aeoWYWg0)zK4enr2wwTbt!^P?M--5q
zrbUS-M9{=ff0|KnN;aD~@NRt}Xqr7~AvWTx@PhT!*LP~g*ZhTtFg6#`^KQ&F;<RME
zCnw9jhYP2#Jl(@Bgd$dgF?|K1)Y#Y|N6dyCG0gN=y&PO|WP8*hkv_vPmUvtA?dFBE
z68V#9QSN}9wQX_Q%^-p%{d61e5#V_kkd_K6KHR58AgFT(LVbwQ>!7atb24A6`B=Me
zYwRUY&m6)E0%eYQ-e^>xQ%*GVmnx~QZc814P=c4bAcySXaz}vUo6rNX)PH{ht>=R%
zIs&}u?Sc++(2j|*(DY)(84k=@cArK*0>qm|8yo>XVqTz$ic3d;wB`SJYHe3K5lB!b
ziSOJw0sw9w0WQFp$Ri6%;RfoU@uM(K^s@Rag2vX&1V)j-e}96`T9it88*NDY#a#0)
zK)Ym^3;F_#adPNC*Y;wDgg7U2ECGop#YwCb=z%x0yHt0k7@{{w!i<-$XPI|xg)t0^
z|NRNXuN>Kbiv2%Gy$E#QdWFsYiklo|x;o=!wM}Dc==y_NM=foIMHdrUtb;Wj1DHP_
zw1+UM#2V6G7So^~s?-n8d%mqm>appbpj6(o4Be8RqB$I*TwayG?y&3_p|}ZjM@pvC
zE?DUEc7&edvAFf`i^xz<D(jzc>g-mMnw(~w)*#rR?ep_RDR;vx7Jd0!lCtuu&&;%h
zXq11YfU+Hi_TmxX$r0e{(%RPbJ1MI76O-@Rv+$ISh9&Ra>+K|gPA@c%JB9@IA$dmX
z8k7J07j#SI_&5D<Zo~ec>E!>y<Ntp&wEmUUYa>Sh_brMHB3bt|V>ninWCpJccbzjI
zVT>;J`UYwJnDMOs!d_Ttv7g7Cetl>Jg{rz~NPFc@gQnGp40JzcvKKF_UcqIz$KDog
z@J1P{9RW^<F3bqbhdaB-+sF>&aJ|iL+c#CG6wjqju`pQI=FC$-^`JLxRwb(i{K(Ng
z^STI&=|4X+l(NA*hEMG6W9B6v7AWr`m^b?OlYed3#O?_2*IQWpHm~Db<lhfxeOdad
zSay5#?IQ$ly`>59_IrwZ8sSSwppCntZ@*>i&U7P=@SmK^HCz82XiWa@e{D1JuXO!?
z*LWU+7_8G&neZgCE0a{~WN@)f^X*WB)?E$B(Ib6z{ZxaEsk!^!gU;?c9A=CKM^`bX
z9mWyG*IZ>d!!z@}nnUiNR<wAMkMNmXk&;4G8rF3(#O4pYbPKf3mJSJHw_7F@baaG)
zH~xc_{tqXZX1g8zPj$`xf5346ztQ9WO78#ca@7K2B3R=6RIzZDIsR9BQ-e+&Dh|sn
zgZZ=-_VG@m6`tjF9sz*7UY^JE0s?BjLjDLaw=KTkyHl;Kt4Lz^Q!TxrH)0A5c|4x{
znZf6wR@qZ6A=h2jzSI(S^Q>$US_tUE+&%kWr_?CfQ1%L!5A(b8CUn&z;GRA%ABnLD
z?fd;kQXVFcQre#M-%I;0De{ZOS3k&=o${rWvSyY3vj@}l*;K^f5jHhGg#G5_kI$b=
zb#WF#-ba7Tl8_NNnUeKyU7!-}Ik&-vpZFlU|3)1ybGt6f;<&S)W*W9@`-1&N?~8nw
z?B{BD4((Kr0PH5jUPhwkGp2^1zDIywxm@V+RhR(dYIqJ|uBSk17*7PgnM*Zn9Q`;-
ztMc*}``wzMUY)WYJN-o0>*|TO0Bg=4jA1_P{);wc!l2MrkI;UC+O!iMlK}CEw?uw6
zzv>iRZ!{@1gXN<lRbB}E_4K;HM~=czMTr1eX1T)l=}EKjo9}}2soVMrflz)FFEC}U
zc3drYYu%i8S!;e|?_z7FrhBxi46Xi!X{D(7$A@=h)sA7gpX+@NIr)_1V#?kQ`lYU%
zD+6m6MDbZCZpIgX0&$f#toCWtQ)htE6L)V=xdo<z=T7y0*PzYEoGM=-`f6No#CD3d
z!>hqO$_9m&k`}KYurTB5$Dc_TCCZ*yQc5j2Kg{%ehf-}172;lcege<1oXyT@?=(99
zuCA;0@mo27OL3<8Agq0)DH%*wY$Rn>sUs3%g|Tan>|N5V8+-?IP6d%))`q_D<}&$u
z9EFJp^_IF)Y5bGWZ5MGOooTj!yNc09M}TiJ*+&2=%%tH9N}}?U6uwX>CI~Op>#TgG
zVt}6wvG!#HTD!E)PRt-%jMu1d0Vr(d#LzF*4)FFBWPyV~;nhXe_BYob-T(w69-@Ce
z4sn{&%B|9JN=nwfqflMjRYU%1UFad{X>9BHz4v6w9;uuLgyK2qY%ne$5yXts^#wya
z_Zb(C0Kb|^5=>r}45DQ_KtJU%@$0QRYW4xM{at!^^x?VqIffxN<1Ug@?djD%k!MwM
z=i*pCT}Fjd0;y88`;=4Xm~jdy$*J?uyQ9^qoh+o$Fxxn`mwa{*7WCU5SGs$lTKUBQ
z3)Wvz=;AG}4>r~j+5d@_=*?==O+L7J?<;k?4lOPHfpnP(gR|HEqT-eyYx7YUCRZ>y
z<VZmil?di9X{Ln5iQI0ark&8Kk(J>|VBCXhh^LT1-;OJmpnUZQGlnGM;iexL$?{bx
zkx5cOyAbS@q&pNll5kIs7>qxqO{-=ZO3d(iI@5Uuq@mV`Y6xyll@?c5bi8r-F1xTw
zF(U5>@E>~1@IS~={Po76?P2wy677^a&IvaYuu-3jdB8;3@tx3J!Se`&EzCc|QK2aJ
zUf*x;jX<h!ct$6zPEzC0wT@se5N$-t?gpI+PwH}&s2j;Lev~B&GP5mUyHzXIo>|&<
z)>3olWMG%0gH(_t0!PVUu+poepZ<yt2_!l7W(n;lwK<edE*}Pz<6#^c@!t6Nk2hnd
z{1w{k_wC;9vqkcSMR<8YuS#x@+aQV1e=!n&iPyq5V(_>rHvAqYL0hRDJke+y`L+ez
zTXE-{m7qk5px`rOmrz15VDsngxk7D+cs8%5bE;Ku3uW)*(1uJj1-?o7=NE&kv@{Uz
zzXrlvWqt%+jbq~!{E0i;ik8pY+(OlmBYi$}(+ueuu`;p0V0DPMG**%XA^WxZ6>SqR
z80;Ovbbd~nlzekvFssw9?bIlKx?@D;jdggWFaFhBJ&K%3k4NJRY2Y~*cLrDLI+Su>
zmwy$+-iBDm)yHIPq#wZihjMbs!P}o((I~m;Sd0wqaOj}?2*7KIWm3*Crd!8^b%d%V
zZ-M@M<{=?d;r&XG%|1l_zR}^$u(B;NQq11lcUkn3jGeX8p}goI>SdZO1xHn<4B%5!
zV`ZXs+DD>|KPHRyuic_RBTE0+8=ZaRtG)4P!ONx6pqo=9Z|f^I4C=%2+t83+5-T&k
zCd6on5KFCy298Cugt&S0XFTQGT*N{fx`Ubyo*MY~3@;#m-0@z(#`JDHg$`980dk-u
z>zEqzgFV=eIpb=L<<o2}oC~z8l%HZ;wTsFr^+~?oqg~|>WZ^>#lyC2Z9SrpVnIRyK
zWDuKO2aZ!$A>7;LMW_8Qbr;>Wdql034CPUEStSomrv}z6UvIwUT*3uIL2oy1kIS=u
zAfhRgGclPny{E;IAf%By>taGMMRcvy&lAIA{0<p%zZDB+)+{umypTWiC8qpEzFc)e
z<d8ZZWvrqb`i=m)bqwa((QQF)1};rN2Z5BzPo^DyC1GYq0IhGhA^Y2FQxp4AgQg=;
zHd|z7UaaFi6SJ)f!i+FIK@G<dI~jYC@`a9&>dtC-xW*svIu=tfWLY2wj%vSa<h-!Z
zP+K4GqmSisPxo@OhI&CKtq3gZqn^bS-ClxMd=wGZK?qlKxkxe2a7EVZK5VSdwFG10
z>_48btZuaUzIM(n52jqQ5B=8-9m<s5hQlFQjntY0Xr`~Q!s)3nv>h}bPTAYs3yXy5
z`ij>AyHdp|m~S`ZyU__V{G`{}ol^<w3R2oPW}Bn6q5?nZ<W1-;u7-^%jz5cA4Behh
z1bBEtT8dPE#15f}X5w5lp)r&Yc2%59O~<eUeP$PKqEBRGlv0#~%L>@O^C{_)Aq@jd
zE;ZAGlEx>Ws($ae_(L$ZlIjfGSpzP@Xg1>D3`UGMjTuNwEDC%(Cu{7hfQey_<uLD-
zWrg|DasLJQdaK-;f9`U)<~QhXCk8JE6LERBi!-=j8yu7ehtZ8<VPr@Ky%}v5B{~&7
zv8{}bRh2PqW?bD?!k!@CCNU!#S7<y*Uk}GeK?9_yt^$=@C*~3rh^P)eg&I*0yW95K
zLl{n*bVqvaJoMhVWtcE&M74Dy$4Q4a=3RZ!wQ&6e<CLwOv2lMDLMdTptFNh#zA3la
zIGEAjo?F%!Mm_LkqrHQr?dV`=+*BJ<+#5)n&0Lj^Rqst$YA{H6?Pf#Dv&Yo|{P(gX
z{N4P0Fe+`FXA0Tcmp<(GN#w<yX$75ydUA+Gvygg9-I-CkH;1QTM1(a-3X>p7q~l%{
ztl2XO>cR2p22?S5{Po4Gg@tHiZ}~TM-z(?N^lgn<_fAuyaQz$lTJVCuQl}R;?_JrV
zJM>kBBDLWGDN|Aq7&9G2jFQ8FZ5$$$Cu_Um6~e54)lUryo8;ahLden;VeZ<`CvaA6
znnCp1>y1^H^+oF+S&lsJJ9{G^NS4DWp)}a;sQAR5BARzKp=2ll)(MJy^euU%M`LOP
z)RS<d_U3}MAF_7*mv}S;%E!hm6Bh!(>sZ{CD+t;L8Omd9h%`1G>bHN;{p~Oc4%a~C
zz*K35O#Ut0curiHLhX)(Bm=*+*$|WjR>ZCo7uI|Ti%RD~D~BF8pBO(<Rl?$PBtLjO
z_|-U&W#j4Tz;c^_m<0EV3q&j9Woa=aw$8({Iy^|k7p0iu&)tz)`nyfTP|oKslc>O}
zb?Mz@5%b?9IG-uIlJsTu_4<LHJth;{ZHV!whU0QtA1kO`V~5?njA`GpcAcf=>51|m
z8bG4Cg3~wKC#y4@BswZ}ZcwII>=G$1qjJVaddJ*eJ@<oD%V@y*#G+<XJow}Jj1Gne
zr;*09;kwvMOvs}h0!cgq9Miq%>xk*nk0-=;vD<dKLIr$V&LA6x5yAV<>vzEAecDZN
z;&o;2S%f<h##g*MUxPl$R*(bdA2cRNwl!Pc8w&B{t;E!9%(R!Zmp811(w%by*1SV!
zQq6KDqc>)86d6!FjgxBTgVL%W7pAh@AzF*^Ac;f2E!;GfFCkrwew^RZT)#gtb^Q64
zx`Jn(;T+^sB(vv*;hJAta9vgGQM3D<?e~T(e%0T`mmx78d|V0jYvAeo(``YWkjr<W
zA>Jp`V+usKITsUR3yK;SqZy;{t=O#(eVWr{I63IqVFw>?p}@B{xJD)p9Q5fca{H03
z?dG{5Xo?J)+`FDj(!xV&QZpc$JcMTzCB+zJ^iR`a<mm^iV&<7ku{&PT?Nm(I3>F<)
zt9t|bO^4=5V$q|t<3X%6`vxNP8AIJLLbt&!5Fb>r>KL*x{;@HCJphH_v2Yrw)l3&u
zSa|9fliuZFo3xrEr{pcFT~v4k2&j^5!?Yk*GyY7dOIF^jB0OD0@7GMz^5@CR*r_|+
zDBWlg%;hGE6#;VQcd~mI?tDlUIN}jkX)|g>@tuR;l@B6{TrwsfOKV;Guc;WZ4C-=2
zzunMwn@t5!teBZcBr6k=Ob71V+FTc+ROXdw791KVRxDi#3D_?p74xP2dGGwOamQJY
zw+#D3ZtdPx2Cg2;uc=O><FZmT9et)YJq7gj4Q@)px9!&2_v&ISUDCEeDNGVJkLe1k
zBj0MPmeTA#|6&MHs(SvSEc<d&jEt+CT-m7pdW1;?YT`?K3GzZeHTFlHQXWfQe<`SF
z95`Em#=5Fv8lV)DMrc5^)2Qy11JI<yc5Ju1w=Y?ACTtMBo=aP2M|o*CPG#(7@~Rb8
zY;VUDSfe*EEaJ_h@zegf?bdX{JMVe~RM%4yS7nt+hqTxpD0M@LW=aC9DAsXZ@f9H7
zMm_AcrtX#0?kq>EaQi=Cji*qsVP)SV%p%c%EIoUllW$z=Zur=b)mO&LpnBw2co37_
z5p26eFh7T_erY|bZhneV22!_y@8%A8XUTnhyDa6Sbm`ftlZ^u(h&R+Xt*!gtN}V_M
zr%d){uA#o{JGHORAj1^Zg)-7{P`R0vDR70OiHVC``InuE57ZM=xA97oRD(7W7tVop
ze$->s+jg`umDAu*Eyu|tqI~^;OHld4P5&X1tz9Sjw_!K-eEuwig_2DONlifUMysOg
zQAEaH+A0$*3*WvxUK#ciN^4EmdWY=te-BrfF??}()9`(5jJkgCy^>O!3CN7U@nL!J
zM#HFo`7jdf+@a<s<d^O!HL&eB7^z;oRl4O7y)rxWJG;vcT7MtL867dF#J1MbfR0CK
zD}jUXTc?v*EXL#mL<JPfpJMEQkCh|bitI;bB-4#y16m!WGW54?P9LG)wB0CHnhC+?
zyp*c1hcV@}OF7j-+Btf?L8S*OE2dB4R{cj<;YB+hhRGtT$Aqq2q$}&Y3p916pPvGc
ztNqECI4qYQjhxPP399IG9b{aQu3sK8hS$5Ke%NAWk!>ZQPojO;RjnpUh>TLIkrTaW
zljXBX95JtUIjbe8<DQx2a`7$D)0QjK^<1ZSq8I`@y)bsh6(&{}XJbf(LpvIEZ^nJ4
zr1v@yU#{KX&uZ-RCQk`+9sY4Lk!pKTCEph$wk+{5@4MvT)x^<Ur(RR8+6`Whwh@=D
zDCx}+j~VAmm9U1rsOd>$xm|zbj)}qWj(0bdB2z(u5rA)Uo|9fWz{JDLI|`((1|zOb
zLfr;@WirxK4ho=?foQgct)G~lb7I%%FKJFu;;GSc_@RU>A&w4cBL9BaAtN3b=eXlg
z4<?uui{*bxYMN_InXONyu9?K87%zH0=CNnw6xF?blzr6^TpsnQ3>JLgUWSd#9F&vH
z9hun7Y0rr&Yc6PAjb<X}REo^zO9B*&F{PwRm)PBIAbuc@<6gUVOE$EpaS_<Sb*dWk
z%8oeDR|^9X=i^TM55>&!Xd1W18s2<;dKSjM0_0Sbq@>P@U+5zw1AD?ERla8<Q$-p}
z71z_PcRqpzPgPz1kz%XnnI>{vx4Njx2^r(Md5De}uxs7V-(PPumOprOsMHDx%g`U4
z9-fMAfhkdj7_1xcXjh`$TS-!RYCYYs7o{;4t);X1r7S$KT5ZZif!{La5ZjOK+gwbu
zdGE}ZZt_8(FL?c0;$H|;5|w;m6zT&@U?w;2K`*TGY3M2vFNa@&uV1p?To+aHXiYg3
zj*~CC8){kUeo^gV`t2##J^lMd`3NR){Wd}zCkhnZQ(FuTT;70YSb~BQ59Is{cXV^9
znly7_c8?ARVJW!{%+aj?`5G%U9<0T2j$+>N*+;HYVd{6^;+6KXlH0+KKjOTbQuu6d
zRk0fQdQmb;!(rrgq8~-miQ-L?nB7C=S1&UpO+j5sAN~0DP0Rg4kuXpDUAiOT!S<PZ
zTb^e>W@KHIh>_Cw6;zi+FNC?8f9Pih)45SC!435?rP;f1a7^zIP=skuVG}@6)Rk~*
z7pCCKm|6uB@occ&`>erNiF7<gPW$A%%9r!%X{*Zj0d11FLh%$eo%P{7YdvHVLa>Ds
zs0g8OBmwezPw9;#Bz|+3<1EN$hAqQvB$&4)UC_HJtKVO5(WJs73j74O!YP}g@QL$7
z9{rg9{ovsUhNkIZJr)w>5Numv+_$5%OXD(G@PTXKTG4$gOs@|!uFmlq#{GCp+Z&&(
z*#qJVp(}OmfWm{m;U*o~%ZkfgI>XopeBlxD8K&C5Dw@-3I)4`4^67u+Qr?Z8l<R?s
zMhjOsP%;RfpT;*f)l4BB`;L$}OYBs~;RKA@+hSi3A=&hT@Q}@EKv|B{XTllzUS~Ve
zc35#xeSQwCK3S#Es`$MiYY*+T1BqQBM+Sr|B^?30pb1bR2LBKq^ajS=re5KT{aFzZ
z@?BeNc2X@V#>DWgm%q9#m|7vBsjzLXYJ~r&Af(T&oYM?8r^q1RM6;HJ>$LHbxJ`!}
z5U*RZJ{Fv58f#MtVbf8))qdAO&7_HIldm~WRV4QQ7n6YHMsk1H`d<TkqCC6pM}QjG
z0%hP}A!y)mVxM*dICBJ$_y0*#`qgG!7%n|C)gwfP5g->-jrPN^vG0OgHUD%~-U%4_
zK`N@@Vac(*F4_E(B|UZ!R$HEm_KFBbpIrfQsj(qm>54Zs`OD}*&(yAEHP(29SLa$%
zeP7SM&bylCQTu*QUxja4B5H#trY07RF-4b8C(djsnXlE*p;Z#h2-`U(iqky;;6>;K
zx_lHi2G^DrgBOwfkQ6_Ku4RTxeGbC*`C;DMw7G?)p-FVmoL6YxY@}u!N`Q8ER9)e;
ziy<MNT#ACh{j#xn;>6^s+jO}56E7-n%EIGL@-1TOji);i;@5=-BW-xECBAZ&sPm^`
z6VcNGi0s^!K(nD*llkTxP;?1nv;PnD8BLwQ!9r6QQN!_u=Q6mJE;uR<OnXyr>Hs&k
zvM$ly^cfLL&RyvpDA;@2(6E!FegueyO4w7^MmxbL;<-sFMY*Wty<xAQe^hoIo~>SK
zUB>CZKmYgne;x|A{9BL{WMZz^aV<vmV8>RjuYv@$nkXlJEK0n3_Fs|E5^YC-)EnqO
z!2agLWhFED|2;q%h6&~NdO|?n`Bb)591}8`SNx9(-@}`U0f(ByUMK!f4y#whw>eWu
z41-EYRnFyu>{UbJ3-fJ81FtU2vak7^Ymwg(V4E|8$k3~@Np>TB>Z3p}*@O+7MkW2S
z(bZi2$KA&#|N5UirM^w)2%vzT1y0oNPaxv6_boNOF2;fwEuEY+4gYw?WmVa~n+@@L
z^gp>#NgY%C?@*lh&qAElO6MRd!EnEB2&t|@aj>AIq4jy}{)+sj&-38e|DuH@XUfO*
zCebcc+byiv2gN;JkK^)7^Lx-2h4^DX#5cueVr!5rUj}M_Y=40kCvwi#JR$b%8dOv}
z#66JdHyMxC3yTUr7<HY}C)rR<qA`|^T($3BV6LqrpM3w(-;I&$G5q{Lgvps4xvt16
zl$Sj&m0qT{b#}15;nT)|)MC-gfC0}yMvcrtTMtVhK=$h+LtlNs6A&kgWoiu@njL~~
zzDOK;LsR9?E}HpvhV!-nK-kyanWgawz=!%!1^-NaYNc#;W#S0%*xq()0Hm#F{8sn$
zM#;0#rR(2+UiFg&{7sD?bQUGbQNJ>IosQP6cu<{E5=xfBHP?0M;VRxpq&FM^$WAyv
zhU92)crqq?@!(#-Qc}=kEtE5nqp;>QDu)882)Db>^lSZGfk|qR3t(FXlJd!GD?&eR
zI#<Y$Ee>*w{R8eOs%X5jN<Y7OEjn*b(23nZrL$z=iowmQ&Gp^I6tr68q{jI;>DIVQ
z4ZMOThLAV~c!X!^1Zqt?wF6oQOlpfDw5#6vHT$a}8D!twT3=sZOFEw)DA8Wode6w=
z=XY|?k8};L2dcu?CA8UNpT%~fcz?+wfL_y(d&BU@ihKTHJ)8qi`-EqP&V`!J_o}VF
z@%&wVOY&IXCA;g@F&y_P7DN!U2UvEe%{#G(gnG0n#g1xdSw9+m%&mHQZ9gO7QNi^P
zhk)Yd#;oa%Q;C!O1G1&aZ1o-7ng{+(zToI$?Xct~Hq%qF*2&U#C3JHv1Z1knQLe2Z
zfA^|vg$q);I(sw1KZL&>6xHXGS6xbM=ULH9aB^3bHXG^mm1s0D1FD)Lkh+{zTBl+W
z&~L23`SFG=s?Zj6H`N@`FGOcXMPG11`>Mb=vii&sU_}fD`aogoMv{i^75_oE`i4HZ
zBEeu~7*35@=tC7?7&ix90TL>EPI{c*w1sLsj3^m}07F;i{}}MJM1KwV8nW>8eB?w!
z^bXNmpR{)bNYIrr#-q6?K;uy;UKJ%~P>Qcg){9|S3+g@&BPx#eoc{4v%q)Df1Mg;=
z@9@)4yFzVxqs4Jja}3}6sPaKDJx`>$)GHGa;Gm;8GOgGuhMNV7t^m2CFS#Rp!axBd
zA+oe7Us`$U59hS}niJ=5ubu*9dYO68l1NuoV(K^aDZiYaiV{jFwIlnmU|Q)x)5zk4
zQc=rYPF8%#JNdxY@9xIO9>18%G?QUWPS8xNDKZ_!-6(koM{0s&+4J+o{#65_GgW2Z
z%A5!0`<}kielG2BNri9c_RCPx)p)T9iFkJr{d*7c-#O1zGS)q%P}$inyT*~rBP4tm
zy9G1(cv|0wF;*yu#bPzGHnvI|A!|8u^LIzoVXWce-I2So8l>@Q+;hf7rxhXXFvpFq
z&!tJOSh=Y`mma&s@vGEOQ&nyi9%n*-g)t`aijobV>&<D*uJFxqEySDiG{StDwl`&K
zcgkO5M*2;+NQ-kQ!e7N)H~=T7iiUN{TC?R{k1*R*x4Sys4oshFhhLw;mIuG9Z?`6}
zTBV|mcU&jzGO<gjzP)le-^xHp_RPW|Hc=LltNYhWD`w(?e=q$hWZp0G|8Ve+cw9Mw
zJ#?y5h@D&-KB7<ngGl|@5K&TnGi;)4eaj)`SjQ*HT|j|c>IBdicYGOCR}}5oL^=s1
zB0PrinBwswWR7RfPiwoxy9pQi*H>2>c-hjw>1|%GAtraS{1ur<TcUWE)zpzB?$A>M
z-X?*GO9ZLj#7+P2Q%m8xKaCn<E*ZL?LABP_3F6~mPui_#%eSn_G3#`$(A*tgb;->9
zVi|;<;~iMT?&@@IYEjEV>&SM>H1w9X)LfOg&`@Qs_vtTeJ{Y*$6Uc5-yN*Yig-E@0
z_%Cxlkw^AnJw~4A9PHT>X@4ka5{3}c`$pRV@4|1>h8m?=Q1wjkY#-D)n0bJqS_(kw
zaklsJm&P{mO)zug&57${Q$3<NkKPQ|qaI?%Xx=1MG7FJ8T@VRk@}vGV)>*WuspqF<
zChobQuEejAUF>($p7j*D5PGV9)I_Yzzbs+XX6AZ8qkL}YOXZy4Ig9l<mYuwZ8*9|>
zQ?W>}nS16=3)nUfwcH<wW*9N{z^$c+-1@OGjPI^ml>8vl(l=%@OSCUxi*q_0+1awO
z)s-J>^+~J!XL3kcx1@$*k6zD+j+Ir`jHFwAS!O-QbOz{SW^t0SCT3~a1q7~eRm9XK
zjlCZ<!B3$Fr?!$y+DcmfFvG9uFA`-x9&bW036^^C*G!a)JA(zg$~TP{){Uv332rs2
zZ|9;qw6(Tmhh_7GPCOaZs`H1m#0xC(Vljg_qGhg5)B_^2!#-NI!uO^@yG+-#fP<@F
z&f}cq{I=WxU0;Q{0+zHuSf<z8BS3@0Scc^*cXIg|TIuy}^2Ct2@^aw~V4a`|lL<@$
zFO-!dqA$=tYRggYQUZ3YiSUhG(n>a>9E4pJa+%5a<cqvoxhR~g)l}5<yx&;lxo5J8
z<eRyxtG#uILFn5ST#~LB4M^E2GMqD3V8}SrEQqS$nH$8c;HD*^*NYz>XQesvzsCwk
zT_2Ho;jkG!mMIl_dA2K`zXt)J8Ij^QAc$yTqDM}9Z@f0=Y!y35PYBs7&P8#uOa~9-
zjyH`7t<Fr4m#nu-5(UUE_uXF3i#c$;wJvMs8QDIl49tTgqvR&TeEmckTce<P&33Vk
zJ4h31`LcRYBuDqwd8Ydw_NGnP{Zj-(k_d0eU##+;zlZir+!~~6L9TKl54ebL?`<4B
z`#!V;-6$u;6HYCyQ)^Z)fP-A34VW*+qIz9ON=d=!Buxe{aS&CkUY~J0%+1^Pg!Jdp
zK2C@tLtw+<u7!k`ai%+^mjrT7Wt>$dZ17u7gg^i^EfP6xHW$QC!I?1MpAvG?j!bg$
zT~WE&_Xt_X&5B~#zhOUClF=*gc%Awuq3obJy1`$jVf_GP(#~U@Ym{J;br#~4yEB^E
z7uvGu^0?vY!o8)HZeHT~sv;~+kNyz|?k36fn7=`Zex}@0tAd{$>Fo_`d92HQ2R{{&
zOf3mg$`}4o)1!sfn4S@2P5!W`P)JmC2_uh^yc*m{#XYXqi2<c}B>)9%^U{d8l^DXo
z(%y<&Sp?H<Azw^Sm@?j_-{SI07ceb;E|mTB;A%oIth9(>`L?93=AFy<dQJXDtc#SG
zgMkXwj*5}NZ}m*Ow)hW{>rt9@@x4zdA%zpbdPRBA0|z_f7Vt5yn}xP*ob(T#1II7<
zo~$l>f63;N2J2VEU_HH5_cD`IiqwEtgd@A;pfOan@LZ7Z#-?K*1mV`yVB&AB&-Z-<
zPq?ffY%{rZq4jomC^PYk#!(S2L&*NBBTXf+benS-lIrj?<>E=X7No3?0}(;&nXgu&
z9#_c<MbGxB#C_Smo*@%-^|SL<+CXj0MB8{#eFKJ=e^>?AG|`kSDLQ0gceRouz%Bt<
zi~-YI@lf8C*y}`k4ZLX8G4@L-sCRM7b<$a?yS)P%A*p8*-y~`KIu^_rf*w~NU^<(K
zuV~8c5OKlqBx7as8cJ117V`}obr%jtj6#}r+|7_RXGqfeh>GU#3Bt&PVc?>%;0;L2
z5x^5Bx(wxJS^)GhN>ZmLcCi#s_r6uzI$G0EkrQ(-T!=>&qoV8;@n!#aUBKh~!MuEl
z$_y7FP$aa{H>_@Q*}5jj75$QdtlI`#wKIX@-(c|{fbkoKarO>zkRb!@5K_=pfOZ%&
zQ%&4~tZjB(1|XRs96i78`;IP1D=ZTidIRA`gd|tfLcAk%-rj8E{5>=1c5y7Y3Vs7?
zlnYi-=nAY)<I;6_p!SsGgJ8V+T*49H%B>7WpC5E(vT7k;lexfCS_!Ffv4UgTF{IPI
zrX>Cij=AX*mNBYbVYYU5jxG(2EhPI0Qd9bM{_n{T4El#3+a?qT8#)tfGwqq_z1&tY
z*{wE~JFyU`LW5jX!HCOcLfc-^Dr&kKJ-c#vTR-;6Z9EgDFkKe{ROk-Lim+HwNmHkc
zyW`EzcYmU^Y!gNlgj_;<CY*$uOxDN345O~^Y~972)&5+I$SQ+DG<y-)6LTD0L%cpM
z+3~vyR$qaf3%{ys8qD9`>`C=5_9bJkz45Qn);gUl4SRwNt&!w%{=Q>OUhv4e_*b=!
z-o47V#r4^m^p<fA7#Ld}fbbY=hz#Q8ekG+z_P`$jAc|2n<bBcnn$3F0sm;{nBY@bh
z_~csWg*CCu4J6O*w<GU^K89Oalg@p)@OGgj$sAc=G<UXK<!0rH=dF?_a;Z0B$6Yz-
zRnaO~%!}S6>5=I7if(Na+7eaE*KqnO*(pw5=*DNx60$#+!#<sQYOpY5LsDfJqu&76
zg@cX&ML8&Tirq&)5Vt?j4SEup)aK7@6zdv@Rh?}bY)&Mj!-_>8PW|>N(CbsLPWw^d
z)bFfqmb#x2+9zpPsk>V)7#xTkv<{$etnW@iFJ^b2Y^gvpgBIKVjkM_~@xn2?B}i9l
za^wQ@1z!`qxOlh$gwt17cuZI6Ht~?K=0vIZbY*--&|`GVU!hI0LK;R6TrgTw?c<$U
z&UyO26KF#0B=Dy;m?z|Tf1T96O)$OVN^zP~0D~sB#4VegHk>-iq$IeIVA+ghns<gp
z?d#efweZ*d8c$}ug%U<>bRaW*dX~N+^<MeN(9FzCCfih8vTsYB%Cm%&x3dVha|gEP
z`o{d;<Yd#-7gYZleUZ|P-%16Y3kC{?n?GPo5OE0#TvW5RZK;<V7m(Bb=~r8phTn<%
zQB=t%%u}GevlJZ?^A#~|9Z&x`Wwin&@KDm>&l+{K#st3XGm^NA4UUY3h4=??(Xwi*
zx*9VKwiH(cQSnT)e;eAb9LuDJepi8M$^QKql`K;20SbHw=grS{Ii@y_*+VfRBM!-j
zdWo_X$K&5X=lYl)`S%I+$CP-6b~c?vOLn&_f6WkFBE()}x_Bi^*P$G-Bf6|4yIwSB
zw9*&M$K2imo>6#%zm?Io0g)^+QjqhW;5*4gqi@@jiRp!no6dbQ8=SM>ncR;oikGRh
zDP$LGy$nfqc;bqX{%BUnv!6ft2P_tw9#ntJO+N-m+ve#0ZHEVLph<V;oVAJ}aW}J`
z^R=!1-qF^HDlfSi$9Pt9%72Sh=TzF>#cc*)JY<*t$!_j-O18pMvaVFL5($y0=EPd$
ze)02*nDaV9qi)CI*23pL6mO{ip-{(r&3UR9EPTa%79g8FmdV-s>C?-9u1a}>gL^rC
zZiqMZXIJ@Z9VmoO<p{6FCfjm!0TT|zJMypgP(di_shZLXtPgo;zE9~xNZ8HW5HU{s
z<n8ZCO?ZQ+Mt~e<>N)<8>8y?nIf(Kc4@;Q2PAX4`mGk5K1x|<|R1KP#ko4Ps!gR*x
zf31vspJ>!$m2h}B*~#+m%YosU_4prUVCWlQoea~5OcIl(ye14F-heJJ{pd&q!~3vq
zex(xO5)Ajxk%uGmLB7Z8s9K84mr~|59=qCcXnvR!pR43rvAmXD^^U)F+R<q@s=O!~
zdsC%Kd_D+7Ifq4ihijF_2w|dPGcj7kIl@ppL&0f{I~@9e@hkQAcula@&b%>yTEyci
z>7*r_>4v61%~rp2D8LR)anV>^nmH-{?e4VU?O%K1EHrc2ZKq@t!pxU4>`G2dO;MU*
z`5^xH?*8ZkxJpB>)>O{)QhSPZ7Vu9s^e!_B2%UGOFoCM4cNhB5T26>JrX<^&MI9IE
zjFzs{I)Dp1wkz|{bHJ53FE<)Y7}spKBTLB4Fo-Pt?a!26hIZi*AP|~qVqwqBLVO3@
zRNAfpcW15d71uI3wUXk&Shd&*6bproprym_+(J4<ZjX74`Ld!bLi|}yFf~?q`B;<7
z$#-IBkVlwtTmH=_r-gG)iJRKO1Uitw@=C2e$~eEKzTIy`ZtX^n%$tF8pF{<UpRL~e
ztYv>%^bAWP5sH<Y-E1$XfyYo+qh(3uuXiDDa+KmfekSofCrEPp95S+bvaPVC0|o<u
zZWq%wqg%UXo(YD1yZ(TCfcaleEX^shy*+R~T-PBoRaY$h-V)v`c`l#7^H3%U(xw&m
z$=Q$VPf}|_z`Dl^-?=(_c(FBCghQ*6q(_^+G<#Dk&3J8O00(a063{Fg)CDVrS4ie#
zIz4y%JCsI7vRx)Bx9)5xggL}_wn!}&KFPLp`u%mEO95Vuw5l!2x^y|g(OCGzD}68b
zXU8PZLgLkzwXN_}QL_oH@9@1dT#J%zby+|0ykpn6?x<9Mxz6$~&F0<wg)^5?!o$JS
zPEHg!^?zgUJ)@dhyS7nO1Q8Jt=_N{4s&o}3D$)f+Isu{rQUXMjP9R&VbO8YcA<{dD
z5IRJ<fb=GWme8b0LJg#N)*fek-?QKMd!F;-{5<FV!Ej~80m;4Qea|_sd0lft{6dW0
zqS%xqp%LcF!+sAY!5s5lh3l(EOb~tPp_B{70v&z3OpKodE^F@Dn<ma-QB+iU1=yu>
zMni`%6%Wuyw9q3s64N4(&jJp9J?r+k;%!-3$H0k(@fnyEzTt&&m4lFx^pBz!77k(A
zJg@bPZLdJxMR}9R+eXXtjkY<)E5`7W;D9}oxU|8Xsq)O!DJoqH(JrmPFQP-IVZ4SM
z1Tl@bax2TLe^}qFQ+r&_@9_I&#+c{h2Rk-PLZu|x?!#d9(Y5BPNXrnuz=o|%ZvnAQ
zgZI4`B2**=Iz5}TtaNovxtDF^6>iW|&Jc{+4aoN?_SD4YXG?%KZODA8vRMUh5&8s8
zG|bJ{EXU5+V3p#qkQpP6CTh-X-q+`M>(2MDO6KI0%QBEq-5_3cWvDv;xVjMH-q`*E
z8^wtfmA5Hd=ohjvxoJG+4zb*Id-MyhgTH^pHA2}UOz1<pvYB_$T%BO!vAgJ%g$1AT
zLj5gVZy*Px02S*fiCnHVq<YsGjoy*mtL~UrBeIjy3`mmxOBlXsKVGAF>&j5^$u*)V
zZmMu>X~eM7C7;CtIWyeS;s3y1CF|K+Ez#L;C|_y_`rJN%9RLZPco=ZO>zC2Z%Nl|(
zC|C~&fLT*c#?zI(Vyr}Ktk#@TYQJw;e%}#0bl<Y%XLHq6s>#V~;eRF_sA_oEu8y`N
z-;#$1icA~%*VpIlSXVrn`@n|Anpdu90^B1(6J-5DUqj!o9n4Z6{D|+^;<jA`E6(Yn
zq}LT=O&|V3c48?Y7f#qZE?gh;%YD)qv1IiL>yqw~Sup21Q&B2Zu?B%i>Z~->U;pU4
zo9q6zY#V)FXsw+!wh`1LdtSNvGt#ZR%tF>h@lI__V6Gju?}Jp5^}Oa4;wSkp3*571
zW%B35yWNyBz<*aFOb^~t3`976v&2Zq!f6t(esO!u4$zFDzZ8PKv3YZ$uve(^$4H)=
z*3VuRYFV>6?JhM}{W3)<xy!mR5@?>&A7`u7uz%OpT>=QdAJ^1|1R7kogWNIl7)&yH
zWqv~_adM0=*6r7Ew?W>~YD;suBz(##h^u+rY<tJ$dWA2?h}c44PliExOI@JycA)mU
zgyh~-PXH!L3UMFQVGF{8I<GBKWtR$4a4~nSW!Y>7N-}u%Uwa4U_ZBrN9x)4aG{RH0
zQ}4F<MuzjeMmR0PFCkP(-ek?qN${1{o4T^!7Pujri$yZcP5_$%#a1(Vz?0o5d(GYO
zwnI~rP~)5W8<&`Q5>gc+%Sz^r?KUQ9<^}UvDfTes%*@R4S7`7H^!yZgc8d0MCx2ox
ztp%ffy>iHCW&)vK0t3~mM3)B(Q67ybv4&ZjXO@z*uzEzLi7Zs!Tu*NK*ll!Nm<5x_
z+Z-JaPD@J<>dzN1?xLa)k1=0%x{SDOT(eY2`IUf92PZuheK1tJIqI6GUj(u3;j^<W
z$9|B?OY}g=X)e#mrm?Yg7r8vBQ>vL$MdaSt-wj=FimUX0HKB*7dIHx1YN);0ptkXZ
zIhp>9?P$r}BfNG(s|eye=^5F?&zEd(MTi?rAOwJ}xTL<MSWY0^i=8c!ly;?uu<%^{
znA;zP6XY~R-mPB!)gyw^CQ+AIxdB{Pji^nz)+$A;i&m0`Eu!A4LFN52AdQpd-Bkrf
z4#F)V^Uv4a>!FYAn9br(3&%>`6N)aHFqE+6O@n_ax$QkhdNqOd`$HF)YOh<HQ|B&A
zVV=hRp)>697#vtf)_Lzl1&Bwec>*CW%Yxl8?^N{J-Z5#)N4{;LIr?NoU%rLw7qA@9
z5RXy|l$~Ucn~DhLrp*8#X0$T^6j7cnG4EXVL)uOh(B_D?gALSzh(0WDnC{EnppQ0~
zS@iB_^%wL=iEZ-p^4DTZGVyZ(&PRI~xMJpLH~SMkeJ7_~*G&R)d8XPCN;skf*O4QS
zqq8k20CET_r{QSNt1E#zjrP(*>nTcD9tHfa1P!wWu)p_zi<Znw(!RBvHCYPIwxUTA
zH4{SAq>EwJK-%dz<`rlK_gMWow4%Yw<umiSs=fFYU2^=X^7D&G*P&yjg(!gT=88Pg
zm9~$sl(^-ZlH2@z29xAA#%y3(e*V>TP3xg6f`_z#gU+zx1f!OQ7-8l!3t`QgFJ$+r
zT1tLN&W6Fyzn=BF8p2~Ed4nGCL8X+_)X&WzvN1xsidgv<x(K0(3(|wUmG(ZDoqB!E
zSv-l!CyK-JjfmkH`wI-FDOXY96b}Dl3P0(YJz33JHpm{3hwmAUDS^-1V5`sMTSKvH
zoe|>v-IM+NM>?K0`o$0A72ZVQ_=Y(Aj24mY;PBQn)zxDZIXo&VSZz$a77BoV61Tgu
zDvNcU3VVtzu|}`q^}_W!9K82o)qW3tQO#z;R@~n=Sdc1RWXaw&6)718(q^&OD+1Vx
zj(p%0nafGRm1!^b_gbdb%Q*;KlxtviHwu&h#tp?cdzZQ#-sy>_XgJ-)gtcCCwT_z}
zwb0JO3*6Z=^K<uDO}ZgZUq-)C%I;rq&*8QpKVc^-SP-F-(7l9@>~goaBp|yt;q>cr
z8+H;+Sp!}w#4FY?D_h788&oa=Z*rJ{PW`2lM&8o;>||JY*LegAOR3bo<2gCwyrFdn
zcd=R*bX{?kvCV)g4boP#rL8yl%AvBq@;QzHjZI6S1u=4Kj<~eMnN4Kx;g#)Tjc65~
zDpQnJF(fK&XMN1+efFw9-(_@N?t87TyDw<^Q^toENuEVAQ_Ra{K@X8k&1U2$v|+&4
z6lAJ&%D&Cw8CQg{h>f+^raMK;){sFg3v<pHS&N!*2`NmA*Yl*vSVhP7$mcyOcEcv<
z9S%upFBe@%6HH%P*4^4Aoy=#@R)c;IU*pW7a?H5=p4e}!I_%=u#cY`nk8G%4S|xh$
zQI&8-swA-E!ri?Dob+p(kzf1qf#~QZ;|K?C^Q7KqAxctACcZbh*TAM0hN+Fd3+`qW
zqb^%x=1H(zTf?A$Qg;$y=FHQ_g=3G)QLM<GWMnJyU771Nu!sCr$ZN;vSG$lG);ka{
zl&%=tGTyR~B!(_QBZANP8F*J-ah0}rQtI?EAGr@xT3OA0eN9L;5a!IbR{!yfPuF?X
zcTDH+-P$Mx7|}4$n?of3K9U&-uIgx)68N0&Oda-w9yrAFMTQ#3&*08yxV)6ff%(hO
zSDh}imoZy%wBnSwE&BTi>V2@$Xg8CS+ke;uZk<6?!j1(j+A#5gAkrRgvqisS$u6Fc
zx!V3UL-l9qFW=fddR^rf^#0Ak&v|d#qMwDHW~yjx6(pu@Yb;epb7k?7JeQcsV8$BI
zl__A^;?#6;eB>Ba18er&)@+YjU!J}FW0`_Li0}Oysa#I+su8b}1Ya*L#31gI)q9C1
z?O7beo;XngJfvBZ0653(6I8U!0bk469q;$HhTR4a@D>fu204&NL?eam_=CoW8`%I!
zN_occ2AFtV^;pv2t~W%n#+|HO6PWM2{sRwG?`zW`rbqhwm!nBswDWw#rA|&kd1{^_
ziixymJ+h-FNtkNieW=)CFtX1~&U{W$?2E?QXD;5n{F3=|EPut>0PUDyZpa1zC_9A*
zU)ZpdCnXk;?tqx>{3=c{#(Tr=nsfyuHd(%4Dbl_(cdT4|6<Muu=ON21vT6GA*+Hd-
zLT*ijMO}X;rk&-azM{PFNqT4!9Jhj@Hs?$&DYjh6n1*fw{<|7){*ee-67NZfvSTH9
zG*=c-q=yx~2*4?UaGF$8P^w|KWYR)=vSfz;2xx3+*C`j>PkOLm@4!~Eo({zz&d3yk
z-*{Om71xmC9Jj8*j@|fM^3oWT_INq3>BhF=^ZwFXdNW#6sPsfe-(B5hfjDM2rK?h2
zkY^*3b5c1f3nb8E74hpXL9S>(mHu51+;hxZYF-09X3_@IPhk^_#o*9FVx>s{P}bo;
z0J8eer~kk5Q@nXXMTOTu%C(IfBL=$%6{Pn1+MXy0=!#YR-TMgrJEI5&W<y9`%>GQO
z?rc3<i>_~K8uL<pk+FReqKJGEz2w~2R`b1cnWeAc`*$JsyBavz9@KftOLSvehjq?E
zP<Z<gdxvQA$TEYu-1ic!m5#*Ej??Evc(){%KNb=T>WISajn$O9lg*M#r3Oz%=L1`W
z#%tq(a(ac*qF0D$hX@7-fs3TwoAt&AXgMtl@TWVHhZ=Zo%H^>|*>E+GXOI)&kfA=_
z(%wkbdVHGUI7wcI>*^;4@uCVYn!p4hloocE73em0fTS5!Zt#PnrwyE6cW3I`VFAK-
z@*X(JQ}E)NqEoL#O(kso27m_(YOfeLBik)XSegIOJp;OdxPpEbY;N}$ku|9AXWgdP
z{Qa@3ZpXg%x0Y^Ij>Ad57VWGjm-fLF)`>rK$Lb0H{YGtC)W=74`9LM`RKg!RF-H*7
z-iK{-6zwdSc8}6G+$!T&-A;5dUe6K->gIxBd-?_C6}gJSM*eAT1Lw>ItrGp7*Gt{H
zT^h_oI$EkcOOn~_2mr^aSpoG}l8%g5le8UvzHjM=?N@lXjj)H^#rxkEr`9bfs--wa
z>bU?AjS<+r6qNRVzhT+m`6vm>!Gt0E2w-U*+Zgi!94-RM@Ja5H`OH{W+L+O614Xce
zbL9k!5y12#gc^)_$bfODh8MPoiW$fnCC?_hPfpwO6Pp;qI%s-_2H?Xq3vXGPPH`ux
z`u$_w!Ax8DsDL!}51kwi!82G|n{A$&I&ZRx{Ou2lHalqn*k>ZZ6EL5`Y{7sRqj%L?
zz%&72G7wUYfdA0-{muuXR1V<7p9a4GlybBm^IY{K2)5izu1AfHfzwaP4o9j5UU59t
z3JpA#x!jB(Swl2o))OxS`LqH*8y+_PDQ8FYO3i*U^34e&ou7TWga6ka{D#T<D-Pvc
zV!x?R)9}7P_7r?Gc!R@2f7s1S!~0ND6#}j^oU%}VC<&SoeR@WR1X6fMC*^;O!xiWw
z!AY?s)cqxEUpv*TkE3$p9ro;_fea>Mdil}P%ZuL<-)U*{n~s<BdV0M2y62;1R$@{p
z7*H<K*d*JPxQS#yfbdX8te@`_0xIHwm36v4Y2i`B*wxfQ2A&R)NBLLc2EKzjgADA@
zgo~k$F1gr_ob{V+xLKs5R;p)-%ZJ!bwZ9mII^BAA?N^@P;WsyoBd&d$7oKq6@&b6x
zBtzQCI;Gxy`ykNY@nZ{zS+D)pS?`p5wb!MfSB3IT({r{vQ$BS!a}V?unsfW5rM;bU
zCZ}xg{On8n)+lnQ;`7z{!~_eSW8VCbKB^!v@Xhg=LdDHdhKH*0hQ@||9GT@5PJ(X~
z!Ucvm&~N`6^VfWC4|9LArXK>qzUJw>^6`D+wpy$ptKNE1`L(yDjDEe9S|{trqDOqD
z9i!<hpG+Vd$$OLo0A8w6z6#Xgm-&E(NH!VAyjdAiFvUl)@@3}}H&`^OD9};iA3Dqs
zP4U!S4#q<SavnwdLkA{}{Fiqe?i2pd-LEAM^h65}?*sX$uS2@q$=B&_*#fk-lMb&N
z+&N|L!!=b6xvLK8!?d9U^4K4`g*6~WH~P{E@i?wKm85pGbdX!#kslB5gq~_<!2@xM
zU!=xFGZ*fz$wQ)d4_0YTeMhG*eaafemY}>U_Mlo_=&i>)xlWg%J~@*PAhS^EKr&Ho
zz)!71S)17kNCL}ykdE4Pj<P%Y;18m+?q>8>dvu8H!9`X(SSf}x!0b~Rmj#PE{M_tr
z|EuqB@9Ijwu@dfS<pS@?xgbeOP?}8A7+iE0BAa$EU}tkL5cAPz;aj6<VeIc_UCxAj
zZM@{B&OSNLSXvl@jd7lyza<EK%aOdq6s8&GD!R)s^J16PA@k~Z{N(Z+q)$Gn%WE(J
z8^Xs>@XxOwBqiWsq<Q}zi-~mVp|1a-+t~x+6}tbYw`_*GP$BadNk=$NVDaOd#c?QJ
zXITlu8IP9ywqmQAsLc51AFWhm3@^$n0D7ir;vc#IBpD!4E&+`K{?}t1?}chHp{u_8
zK@MT0*NezV<yO`a#HqzhP`k24R1xG?>K%dd){L`#kE-+5J>CjiaXMO^37-|vIP;E0
zn^<@VCApAw#nLfs!2%?%p8njAyx;s1?xQC(qmtntp6@LoWqmpaXPus}eXbZHtAlrp
z{?H*&6z6{~K{-I!nKJ67_xg!fzZ%?!VWvru;(IKK79B`BQijFomcy9T4jRfjV>dfv
zty7Tz=TFl5ktqLt!&v8uz#DEcG`ccGotY?_)dDZ_({4XHq}`}W(4Wj{82y~06sR*X
zsT%lK-@_4!-m9jFqKn^7CEK$8>-+!Hj2mz5BP(zd>I+l95>68mDD3vQEEF-LTTq6`
z71qp*Uzt=20-F<7Qgd-IEA3E&f(*y!#V>Xlr%_c8ak-YYI4;JguKSg-&}zmGqZy%1
zeH5Ot19O_R;eMgXWz;Y7K6)H$BxBkTHpIt$bmf81lB&h9h0}j{^h(|^FYIzT5+Z%X
zDl3U-3h?I<yh?)LP@JwNcCM}b!`_npamwzTR=@X21xflm(I3lsKI-1oG1J!y){>CF
zcvcT}5ph>AJ7-=dG*@~m;&Y&_&@)HwWWDea<E1+HhA1B6D<w}am9Wy8r~UiosKuVl
z(JFU>I!-8<-k|=fm3bj*2#vuHV^Ci`(aKB_pOD&7(na?!HWA`cYOgog=|r0yo!`PD
z=@{Nqw&;45Hfkq{)7YL1a(RzCv)R~uO0F-`G2Xi?0p0?FxE3&#h9u_x%O+gPInoXs
z9Z8Y_48M0yS}|F9`=+3OZ?wbo|Me}MNjafZr;lb@x(XOjIh|$B=YQH4xO#~OfPqIq
z*4O=)B(hyHKj8|}1Nj2jWLT&pne{ModTbl&w1DZ|lWXc<*mECL7*wz_hcc*v3g)M0
zu_U7o^CMo5;@9Of`hsbvTgs_@-|M(M-!)jRSQW5d@2F4dV6R^b{MR@6FV@YOfwb@i
zT52~&kpIwGLw3i;G<er=+ToRo8U0MnO1NV;Zx&7Oz*48NY-bO+x#>rbOg&t|<sSZ!
z2h5CdklT;7Kv5XSga~ydQgtDTY(?^1ybI~EHcE9vXb0lR`f=7n{USXpb80V4f9gu2
zBW6E6Z-V~&1(uff$nbY@SGNv0Gog60vli4d2hk367g5mWAO4Xq5;rd2m>6<S?UJ@@
z=P2z8398XB{NgKN{*9ALxEsn~M36<D8>@}>j<cKp8P34{@!8uek8ZGC6<*=~`Ja{>
zbpR}S2Kgty5k<bT9U$XdO=T$q=_`Cumh|Z0#<Q#)C?K>99wR^5(9u(r6&*@jt=1ap
zHcb_M<f^3{>&+Q_b{KecJW#*r1+CG~M213lmXy^(fjpSMFTK?El_!rFj^cQ&&X-=k
z@_qSK{p!)bw`9q@oZ9<M?!S*HgOVMfub2*2dW!it!as+iLJ&+`inAXeBj1)agI(aI
zcE@=<YS_G3J@WUnb#k-!24N)xWT+Q1vX#4PM3F_(V0hnF{@U5h2$WmuWNl)66u<N7
zoCHleGt7TjbB@%uiPq)+YOnt|f5%Q^{#A~I_vUrT<C-T0UOK*}x}bh4WA+9xJ4?to
zZ{yDE+9|oI<&3xORs}d3sG+bwbZS@{O$G47|GJ)Bu(6G$m5@K#E_7g6HyCZmTH(0^
zKn+?^Xu)z%Di^-(-1*{W8V_{7DE58Fvb%^EzCe(9r01=aH+(Bog=}I_lhi)Aw^e)?
zqwjLTT|}-ou9r_yj#KlRZWI%vbC2ym{?;hV#et}H_L@Z+v7YK8_1thB2^~ZF(MqK&
zsYqQxt3~j1GOn(D2(&RTMd;~RI752f1t4%AybYZ6hs)g#SoD8*iez~ab9%+r>3n8;
zq~!fqbD+}}xB!I4xS9=yg+i}pRcgS}by%YYcA@6_OUY|X8Hv!KAGVS-*^6I@S}O{l
zy)Rh(kB{`vr5KHuml%+)-QC~1+}=CC6GWjJ-IxRz9;^{rqNF;PC8|Dd;f*(|prspG
zHcG~e&&oT{{jU<YM&}=;fVPSIDgXHm#O+0@c-zRlSYrPAjP(ZBtA#n~%&+%=F1o6D
z9}nL&YO7U$sus+fg8YY%Fv4$Y|8<8njcLh8K4fJUZ=$6xcuz-adLW+yIOq_t4=`~w
z#ecp~g4)=IA6U$0{i`5oHf0cJLHC1h@stAbWGaz1jA2s)>c&xaR|q@da79(ncDaJd
zxJQK&Ofpjg<e1v7_|WqAXDkX`C6Y@1i|)2kJUg?R8QhT}**9Q*Qn&7F5ZCjn58t0%
z4|FLQ{rVOCdnS4=zv*|ND90X#A_nHf{BkBCfjwE9{fDmK8jO?sn>nkY4TM(|Q8X*f
zdMck92|gyXQcwVzsy1{G0^VCi9*YBsQ~+1k(9a_rs0YwyTWz+gksyS%?wM88d93vY
z?;pB|GPGo=bISCjVyg4>ghutv$M?=gZ5TLH9H|-V0>LBcj^SyY01ZmACpEw(0(M<Z
zGaKugXw|@{-(8&>_MDEsg6VW~HH{q<1Kn3dfdA07LmmS?;>tmU4-~+zvU34^hjw`;
z5}@t7AfNV49==2G9M%E+Uxp*lNgLl@;Ee@%RUJI`u+%8LmFJ6r=TpLJ=y}pdGw(No
zsLOGdQj#7y09LekP4g{$knI6=_^jXB+rOokAQswHO2DL=F@A^HPq>T5)l8U-!)>d!
zr(+_d;ZlmP3;KgchR&sVxjypkRx*q8k>HnOdBgaBE@nFkMNGp_bs!^Jg@{~-M;+v$
zEdlv8V=|Z`Y#kPiOlH@u_C3tTX4Vg0RQM#A;#D79wjp}{-Kx7N5ncjy8o;7|Y<P;^
z@yc7#bG-p0xTU87F`~D7OIhGiJdKH@fPc@+Zzo1bh)~l8MZlkr*LY1R*2{9~HNJhW
z8sjO1k}#zY_v(;+eq+X|4aNAY&N`?I6-H5VQBMx?F0s<R_>tb-$=4gRt-|)MLHEU;
z!=Av)p;dLfFaORzW72>6WIL9HgI%D3%aQP}vU2!l<uRru%ZmJv_G5(dgk)7tf_GS3
zv_m+Eb_MAPZ?6)4-)KiEmV1U&*x?6NOO2F+Mj(k&N$T_x%Aamng6&b$Vnc_I2?cfM
znnre%64>o}0+H019PR91hcK2J^V-8&&U3p#sgu{Q#+fUpnoHTnWd0OH|A+YLI=QaS
zR$XtBToz(ILzN}%Y$Cycv?)6DKltgVcgQrg0-y?yNqL<zten9o!}KAvjlpT{py&_X
z7kA`Z26CYr$X9-4LldoXv(Q{BUe87#|2U(s4sZSZbWPQeb%!ruvQfRhiJNM6bc;0_
z!$1KMvF+}kNlWdme8kkS-MsBWSh~ZVxLlo&GpjdJl3y(^E(t3o$Zk~<+L56ygbkwz
z+8JczNbNqM!!LOFSKqu#hR|65?)^R8WYyr~xvBJnge^Yk@#?}65!3yT%fija6R&nK
znb9ZBO<Vqxp#;@7bxuM-=;!rdRzht?Hpv|4v2S~4N-u=ZK+tia7UG<8`oYo<ggl+r
z;aal!PAi8W)MV_SUmwNtONF!b`UjiMoBf5I#EsFnOR>5y^F0;L;iFX44Sx=MJ!U|5
z?aXB0WWQP5zz=c%no;Z1t1)=Fr<dn*LvR)Jwt}kzLoi90?(eex<l_Ur?DbJb<eHhC
zWc?fQH+yPNgV9*SEU`RW9phvppJZ76L0u9#vExZC=cktU8(nwHW{iGgQ1}3?LZH7z
z<E*++{9cDTs5zl)<ebuYhGB%}WG>tBeVI4Vg`$Mz(*_;z{;_Ca=*rz;rGW?fP1~&6
z&5apG$+}4{Te(TPQp;C+-7G^MN!^p?Io3TR9KEil5cruiq!&-tX|5UHS|(S|%=uTL
zx-6rIX>Gu9m*oy5DSQ-IwB-kie8NH9@{B5{pn)xTQ~N}=LGV5fI?aUxzflt{@<VEn
zo)Px6hP`1bV>>li&_yfkj2%`%q2_XDVwm4_=Fi;IdDZ+5>6<GA!x(V1yLYc*ob*8x
zpRO0#{eJo5IS5v7r1_ml{cKf}CcFG;j#y_MQ7u*0fBSGzQ(W-P6Zj5mN$VfFNz`)d
zvOl;3Ic<+iXlpU9Y`#WV`WDR5;<DVR!V8YvmU2|kX%b2HGA^FqP_FhC4o$ROc?lK-
zyCK7%)haRD`yhV5#2N$Z-ve-b=$1;I>Y|h1#E}MHQNPv_{o2ZUh(Z^#V;t-RIsx$k
z$k0sTA3E+zI7`y%#JW}mh|&BpOq*M`pmrqxMFJOlmZPFXU#c*Vo`R8?M4|y$ac*ZL
zF!Nu9xnm$dZ8JqW(SetP;1qUO6y<q^CV(NSl1}l=fnw2Tzi%`$R08CwZviFEs+sk>
z%^YwF7nt@i+D13&wXMA~h8)F8(>aoc(H=Yr27NcPCi()juTKcNlp~c`B?kN1U%U-~
z4-(xRqtR1b3F6zbILUI~wmZ3-*0z~T>wAx$HlU~P<fw{Gr|^X*UcA?H_tnMQo;)uc
zLvy!1EnVM5e{IgbUV2iKI2JkZYStF+7~VPdDRVCORxfr$d0*MJwKU&)bH;Wc?f~7g
zlCo@YwyT*KC6uLn)=B_!?S067`lq4M>)?N!5?aGs!-((Nw^jjOCGYM^OpG~9W5Uu(
z+-vXwwvAUhWj@XGVnTk0dX(FtwO5pD^x>sj_eLJv`{DT|{-)VW*3?gkT<+i-)GW%G
zB~)ZuFxw=Bb&+b{?t5eu<ejtNJbA?HJ<u`eA?WmGxO-G_Ycy3t*GI~5DSdzF-`Y-;
zy|8Q)5)$_Et6pyw94GtNJOklkB5oUep8yTphp?V&{_1Q#$*b8?b4OCI;w$>A&?zSG
zq<h^rn?k?b?kycfND!K5OjBiXEoaMKjCZ3&8^-W*cS)aYn7=l?bYhq26X_;w@To??
z8vnV0od5a4wY9#Xp}dl!Kp91f$d=TUp$@1jM_E>t!9NyQC}zaxJw1(u9Xs@{c6UbG
zrBQEx*GO8SVfQ}%6mE2oFPIyME0e2VDtGY<{g!0;(=VFbM)ZSq&}65Uw302FMp~!&
z_q0N8<u%6Nc$%~*M3?>O`-519(=Ci-hAEnV9hCwHQqBK;S#&b)@9$pF3fb8U>N}|c
zDD>-sVDio2p;`b%a%x}7uE-Z_C~>t;`Q22$QR$Z2V>({xA&B4byo{*IPSQH}(fw^v
z{)dXCUn&175}%*~b1Gz$Mr1XIQ6+ubb*1hY<pcOci&Z2<T@X+NiUA_bKXliO{<%Uf
z#Pyr)^-v{k8zvj1b$9JGL$zYw(a$)^+NZ|<bTpuU<pu5sT|fIbDjOngD!UfmWHC`c
zBNRAemKGTOEV^gZxR`wfA~1Pv#nwIYr4oI@A9*yweNO%L{eqUi(yxVo{g!|H!berc
zt^*wWimAm}PB5|>>2yDi8F4rA+dOOJH)&=_T|}~0tu24&pzXUE`dyzi(YM$T!+;T7
z!t@#teuV^c*pRq12`Zuc3G{Z_iYkJFUq{Nz_lrl}j=vv%4-vCc5%^ZYCw_Y%!0C{s
zlClRUlNJCl>VIE8tTJ}5ts6P6_@U1%3cHK8d$bF_K<iyNPvO8p;+VBaF2F&eJN$b)
zsV_*qzhg4>u=-x|-S&qgBF}i0(yc_#Yn}PN#jq-}fq;@&7U47O9m6hy>VSz;Jo9E|
znTy<-@8>}_d<Z`{-s@ETh|O-VX8GoHLHo5`;(rR^rEDCD*UA)=8w0ZLFD?9i?ssVo
zL%Kj00Fql`v*c;4bEGL@C3EdiO~1~~XWqemx#(xT={G*@&y^bG|9&r)ZpPH127c2V
zsK!UT$I`KP{#D`{{V(Rwn*-^_rZ|`jbe7YU<hu$v%S>MmDE_wo&*(<IVS9iC>%UDz
zolpPIJO8r=0P^}jcJM!I@HYbgKX&l{ZVk?4kfs1F@x~gh)g8QFBC+SXkBUR?8de}T
zSAm+AUQVTQWnLd<4q%I{9Sg6%h99BG-odYKBZ1N+R}C`MTA($%j9R&MWN~^@4$hPk
zlk$T9;!l$SM~XN#7okebfHaTodlpM~#WH(dZ9w0Q3$Kl3pGpUq#fzVfs&T=9Q1Ka%
zk?ud5=%9Uj1t*o`Wy$nif9P`Kf>!y2vrR;cKlHZxHOXM}Pf%x~h9t)Z*H=dLlk|34
z2aa~{!n;AWvY`|<K>VTC!rO1_^6G=ruA9~HO}bC~dy_3(Kx-W|5f!0Gwd?<(9FW=U
z`}jBpU3(|OCccL;A0bP=Z&bHr5ywb<=m4}#<!t><&592`LsFrAt3{oNIuFU;;a0l{
zV%KdN*E`xbGB_hNB)KH_Ggis8++f}P2xgK)1XE(HBdLM9z%+sMlk=@X|Lq1wZBYGO
zK>r^)cd%w}@SUtg0HaU%1Qh*cv3SsQ#$m*mnp~L+!&=ADjEzOL9riaY#@yfWfgZrS
ze#3q1j9U5;n2vIP1ke;)W37k1nQe^>nt0;<`0uRM-}<HP2}o$xC>$}UnOuWEbXBek
z!1I!UeWx)Xe1X|vM|jckW`*GAaX<NDn4(~i>|YjYpa*vXcqv?Lc!mDznd9Kwc1f-S
zaK8Mb%1%lQJAUF(VN}&^J4Zp+^SWC4eskh`(5Mrlrr*$34;e;+9>!Mbo7v}*;zb36
zGhcQ{1=+)wpolZub_39or^NSirYQ)u_c@2o)DGDnH-B!hb>hSdncPO!km$PZDQX6Q
zRwnTIZAdycXLQ^#ovM1!v*J(J?u7N^IjnrEb{9!hJ<K0g=h(1Q`a&=`>I4!rgvz*5
zx%$uhS4TQ`%YU5se#oeEH+5FQHC(HTKEjZswPNrrFd9=8QIf_srzfC}9~@N8K&QN_
zt1T8f{^CSmflK)CN^Zw4gA5`$-Jim|K!vFb$7qag?_?9q-=``lKG5BI8hAY+DJikZ
znI*n?Z`0;u1@xfLGjH4RdheXA5|7x_kbR6=AExGddkp$LPAt9ARo<Y~Ki?iN3n<^X
z5w`{N2}Y2qGK4S=&gtSibz|vNPIZQe*G#d{@8xTv-}tjwf>R)V@q^?J<Bh{z;6ap!
zFTc_X`zR#Yd`T|L;*-77F~EYMzei24LB%4g57y$<%<S#`VXQG|9<|#~<$*fq<i;ks
z!K&edNALM#=Hyt1sdbL+wwmg6<15MB!}akunS0-4=89a%3Kg*sv`C$38}A(0?PhoB
z(o}+JN}JEgI${<*U()oUXJWea^v<W~7C*RYQ>!NzgVC%rtP9p21QJ(_JD3ykn4q3Q
zR4^x4giyo@Dv&Y9$<IXTqj;Z<#-P8V@}pM|d$&es&c4ijslWaxaO!r)_ODh}WZOga
z3lt}6x-?CCnxa7nPFX}eOq)8%YO$xcmfCg0y8B=Km=l4Vzq&iUmj*Sq;~;3UC?jX=
zJAj1uG(v@l{MHI0UYSY*U|=~s_?#;ZMEJqh3zL-YYQ7W8*2ei6{^%N}8sgBln)FPJ
z^Zv@DAPdo#a@}Y;ou)}zSd0OMijh0!r2vFC@S8yqEI=z~GKOBI_Ryly{bx%py*}5B
z+vf~s@06EWE`s~{jz|8~f{fOv@+22gpNiC?ldxoX-ygb^(c1F60%J`Fvt+CZwMd=U
zx%JGLnwdY5{abAo_hh*vW(@6*-n873-NwiEi;NgL>@LR%pPe3mSHdK65f+HUbndWF
z90;~)QEJzKSz=vw0^^~41}55==##!*l2`2cM-+sgrMzGK#35W%Ib{2~EsLGR1?bLU
zQ~6&>4NC)pYdygdL>T5R<!aUDh^>CXk5N0ZM3|$yJgW*KN3ohcH8GDZ={3|OxI>+<
z9@UBAR`V1LF9Sv(0S5)buCY78zSL!GJ#Dm$6XoP2I$Qf%Lf>O-04^Msa`{1%ZHoT$
ziaWI^O{DhkUpw$spAoR<Iz~)w0X1JKZB{uV-b5-7`h=<s9!Ih@`!DUVuY=D4Y#?OU
z3^Zg1q&J~d$xdoCx;SIIkRz!Jdw%UpOVVOjy-1SI7p<>|=uwX3{;gn!;E8!I()1!#
z@VG#bYf8yLYexgg3RAh%QH*s>%@~-A@AA3ae<^PELrkd_eYD=CiDl4v+Vx)Yg^jG+
zgvi)taiZjtu>)BS*DO)OJQ@c~vb7TrwX7YN;U(hI$jb9C&{<3cNdk3}yp2+B@k>A0
zj$5k<3tbE64|XC@JP4D;1&)q2gy{qYf)`-a7!v_%Yq(8Gs^HqAng#fC(WDoe5RF@P
z?DYN)SHE6+rfBVH7<j8|fxO*y>k!gMM)xHLHrNIh$~uic`MN`&H{LWiquxB&@6eh^
z%>$H}31NTezD7oFAIS3fO?3ny6#OE_IxgqJIA8X<_^N6oUQabW_oYkib$@chHPyq!
z*pu$?il3z1ht=aX{r$Gu2IJTCGayY?=FT$Dy)PsQ7fbZ@-M_#@e@PR;S~laC+XZF<
z#yWPj3Q`_aRV6RgMIs<DK%GTSov5sV8EvtPZYk@;d0v&n_R*eXfAo=8gh{Buj=ICk
zI`Gn$haT7I7Xe3_{@cloNr=^il?EMAuT;c6wC_&ojqg`4X}WOJ*3zL|joZ_AUZ$i2
z!q_ATLfWI|N!pII0QwkxLt0%|y{WKza^gOS5(YrV6}pu9!Xn|n>E#Otz2J=TE1nBA
zpto-O2@wG)<pZ5BXI(GV`23o4d}?tu_<6HkJ2%Ay?|!FWb4*QDCZX`xW!p{P%M2<n
zJeja7hurTfbcZyc+N46Do1Wr`!`OkOcRe~SsW7B)T<|kFnot=g$O&v;{lg(*aE$zY
z&*wCOxUFyeny36iANG%YHPq)%UMQzi{f6Oe)?9@1Ae2U|RhbZy_|hATPp(i)RPz#}
zZm(Cv#JM-qk3hVB6;t1`E=?#kt$ZxokI{vTvxyy_*9ylv|9;5|G+^5{$<<}-0);ld
zh^RfW?K!MjWlDKjJMxC@<)sS()4x?M>PaZ$1YN=$b$rs-I!yU+M|cL?v1afxTlYHP
zyZP9@*)8J>ELMCZlvgcoy(Si#6Hwu@YPw4-TpB<wAF;i^7bGywOK8Xd-_WrYi4d{k
zS7zuH&}V5_W=FI3z!~b^lp%CgqMKD+vNuFTxaxS{vtgS*i1e&-{j_=Z=CSTsqkMlu
z6s|!gn<$pHC@ITfP0}NG)DZ{rHyXX?;>yc6|B{~Ul^GGa_pOij)*rf8pJh(7|KMH2
z?ojj>7ucCA-&$Xc&k}UM-kVQym|d{4WqhzHU32*QQIt@DT4(GHxeK-DSN33VBPs@I
zXPQ>xGdbv^UkXHk07k4#Ga5e}x`Z$$425kat(g%y!wVq2bd9<mJNR&3p}w4ZR)1Z$
z8unOEHJ&xENGSy%M8}qcxPg|H%vqQs*Cid1XoqJhj*j0QuZEmkj6Pn|_%hOZ3Gs};
zrxY3OEh(VVp8f`%>MmM=W|otlrRS`xdwb{Q%IUm&Ikl7L&)83ZoiG=Nvi%s=3#u~o
z6U-;zXjRw^i~giZp5KBG&5ahH^LZNKr0y^C2FY%cbi3!vB`F`(X0T(#xSibqM4ueu
zDN#GxzIhxWyGS+w)W5HK&)e8;f}b~y#~StvLo}8fzpm(LrCQb{W?hQBYZ0n0=G>|_
zTGLd@{L2@{S?&*amkeu=%RQScmt4<17Xm)A{L8-*3{bA4Xy^R|7uo~rA}JRBCBK@s
z-O@XBvUXXluWns^XVV>V?&H*{upPnfSqM|4n>2IBoyayQCrQ|5vS!YDRcuVjPl+vW
zeQyK#w5ho%gmBH0El)1w>(!Tejus*wSG2tveUHIiO=699bH-0FMop_2gQoqv?A;4B
zPNBgd*8tIqVmyo3?B-O`w1zPBUR5WNNv(b5(=)Rrxg`0Au_gD!Dk(NZ>Qo1YsUxUx
z{cxsyWrA9OqGzAWu>AO2Oea(^hCketYv`O2$8r`gdcq6LND{UjM}YCnnqw6A(uMh%
z{IE0&pLc^Z(OTPAu1&xHn0x$A9#`j3sWeBM;5D9X<;3<J+P>I0caW(Z7(SZQ5ZD<m
zgLe@)Tfg_ljD8jT!Coj~#ppOGIIfh&>N%t}9;g~nD1s4j^^?VSrVZgGq3l-cG=WwE
zCQWp&r-(0x?Ly*ljKm<Z^CjKWwnU$l-{-_(8l)850z2u&lJ%H3mFw|HxyHwx?aG|=
zNrBMUzY{G>w)sD0F<KKd)i$zt2}5xn&7hpkfzLMjPYKF(`Ezrw@`euBK(A{JU2{We
z=fXaxiPS(I%NLm>z;L$qPm()Nl4nT$odMv(--*SuaZsK3(LF141bE)PPUqUf%Gd6B
ztG7DyIyU?TW(VZ7{O!v8%oDqzYCWI5g*C^(fc;IUBa9tti56M3Daa9d@9&23j(GPc
zw$hb~)Cae7YW%hx>u=wvm+QRe{$1Ely{BTBqFYExpLeOjlJ7o{^v{~HsLgy~xuOvn
z7o8ko(q{7gE&%s}*Bc9abkwfWE=1alcv#ppTwa)Wt}~bBrv0cl*p+&l)E(FG?DFCz
z%PS(`m5)iH#n^eoovOMz!og9vRx0LMkj(0I4q3RT&GKj5*Pc1Y2WD-9uir^x4)y?+
z$=v{()Qvfe1wc+pD{t((p7X9fS~7u@K}6}2V6Nsa>Jvq`s1tcMO`za!LC$9iCk|q4
z8I6)QcKx=uaeP_2eCKl-h9W^+Zo%TNcRnd!`tfCb-cB?*LDlE?z3n5U_3;`|KfH7R
zkK&^F6f0lTn&Zd;&1ura=UccAHQhGs00;64`-jeTv|bSV*cG|UQV+Nm14^9HKVRGw
zuM9=P;aCWs@!L+qybw^tF0r<D-Y%Th;ng`ZavdyBX8Yc4C~p{GF>gjpqg<IhG9|sn
zw=j0rqF5-xcz2;kV#P)C&Q(yGXTe*BRy>L4<|6n{(|sQR@Mw0uvX?SmCAX{!W(=C#
z_Ms?)p~NK@iwFye8i__kxyto|1(_kuO4}0;e|t&*iAq*k=VgrZ-ZnR4^MhM43FS?N
zZ1Au({InGE_s~AG^E46q8O$7fbsCr+;Gav1F`7HPYd7s7JY<}eOSn3<#@J(oRl>NU
zB6(#yWFu&F89HcKkz=5wCEnq3*_-jJVJY!og(L`^XCOE<cmRB1m83%8YoF(?f2Zr2
z`?E~`Chbrk)PJi|Ho`M_jQvTLU~aLdminGMnfe57UVbFVMZYSD<+Dz`TvPgN{P}Sn
zRxg+I-r>M?=9u3IcoZ|@c&<pW^Ib{Y4#3g_W+GY~WeH|<s#w?w5yJ=Hur#~8O2sQ)
za;YoOk~;4FNhh#@q^Heg(KS#%d4Zz@?@ToVt)KKKJPJnFpjS41Qg6;|TryB(hcHJ8
z*uRT%U!5_fY-D`7eP#$~7d0)4aY?}H4Q<x}0cf*Afd*mqa1h%m$U$Vt&!)y7>i?=`
zNS%Bb?PS*fR)+qq&vLgGY^^HSZ%>O9N*J;s3e<JWhMmAW7B0G?SY-<VAbg(1`j*o5
zif5j_?)G9SMK{Ob+jy(XFiW3Yt!s(n6!gLPi@96H2!no$ksIUs=vHoRTgZFs)*`A*
zfN2Iq#xyM>jBjWD$<}*^%o?Y8FdJZaC;(ev^onDAO!VzcIOS*F(RELNbIp=?HXrEE
z@!$(tp<gJf-V1z9?M@cHVTUdlz&Os+#DYg!Wk@D@q_K`PK_!BXXK&Ec#+Hl$F|*j5
zTazX?Zn}52B_h7|v05LC134-nSjDALxE7l#!xJeU6BKtiE-;2gT%Rc0p*^vW;+eKx
zu(4s0d;(LwB{VXtvzV(Z`rd~)z?I1##on1!zO-<e)Q_v{0nc1E;KI?WD*Q6K1R2J>
zWiMFII$NkTa#nf5TzrzI`@Ok2+wX0aF6%2AUH7aGv2-!6ZyTyks>|Olt<&^(n;e`p
z)KhsC8@Ri<30ohta4a?Q!Zs$f_^}_hlJtrCZRx<EWCfxIZsBdSD$Z0MW?hhm*H`VA
z7I=^*{aW$Wm9Vo<reEEn-{<Hg_0Z1y6ZqPo92D6_EGjySF2j;&nEg7x^D0s1Q?LDN
zI@O%|AGlnf<RiUoeIA`hXP`Wkd!)c6c#Jv&HCJ}aVkt5qGOG2gjq{|hofyfll^0fi
zPuB-oUFMei1>Nv8>)FrbvdSo}UPr$4))LYPponSzOnO6B*ig>mA~KVp?Y>-hG=BtK
z4D~KXJ};XwfnbkQ538CJ+XWu*D7z(GZ7^G{kRY1;9<75$8&mvEtidrs?4Gw(t<?h#
zYo19rH_QZ7hW|qAuLEaZ;%7kQO!vQjOgT|RqW2#<TW#83=)3n_0Cgo7^k5wMi}@b=
zh~|}3tAFS&ddWs=<9;W2;`L+v4q)Fe?0!7Bz2w_p&+_J~K-0yED%J?~OAE6-7gRVe
z8z|5}w6$K7>RdcU9z0mZup`}I$Z5VqPlD2Zqr}EQiKcwq&PoY=a@I?K)p`K}Y#IR~
zrW<kl$!bh)BZMmqE}{#u8|R+ucygyI1r>TlziMb(Dk{6TyA$mr$VrkTn&X~LJ|~o+
zrj?I488!~JBdnUILqopG&7KdVKYfv|jpG-HNnLb?VnJ{VKxfCL{qPgnT|fjse~E?E
z?<)b40wy}5dim*jlB}h{mhj$h`??#K4sN~s#QGGLLQ<gjiR>C~kKy+u<vunu<33NH
zdDiCMwqys`8FhRcN{9Sejc27wjKF3$|BqW(pam!w$>|SWo(_Q&L+u5IS)gd2-loh`
zSV&Ab5Envd_&{1;hirDR(vak0z46k)ePHm+8!Y;z**2(J>Lc)<kSBnTnx2VWZ+b9~
z%)WicV2}na=Er>9`3oqVCk6!|hgN$2(D7IDkcJkA&LX5qiT<vQDV1S!`)_5Wc=5lr
zqILgX41xIjr%s*WKQ-DiwN%)h2|7fQoQg=LwhDYK;C`qK9WN|O#5?}hyUVA1eaz_I
z$#*1LEBj0eDvy+TtHvox+G4fkd%U^#o?XbURe5}F@Em>YYP05TX_LE!=g=<_KB}?f
zH<7%~D7U&K9u5a*+ngX`s@=uO-*-1NsfC#3nbvDSo0jTg<hoSK`1&Dn#t+ji_u%g(
zjXyRseR}<}7e{~a*ut(m^wJ-?Evs?NeySdMHr2!1Sr1YN8UQh6wmk^<>v7}>esod`
zh`++sDJ!kwE?+i%1$n9(E-RHEHqa{w>5Lq|eewVh%Pzecp3)WHT3Z}NF0+Z#7-#>`
z5&OOo_uQwN0ak-O3x*bx+Ui71*d8D%bR-n}Mc*~iPSzYpW4Qd_Mxz%$HSJF;1{yqY
zu85uf(Q0ocV=qB>(f`)kZ4btYDR6aU2nERgq8?(rP{-$Nk;Fa%G7`iOcm=H9@Uxgs
zb6<>GylRk!LF(p@hT3`&mh~hflL(Wn2JW^Y)<qCj5?|Pj;sWT!MpOGx)&<u)<+Gj}
z?s@scA<XXVdaZKDkNUWq>yqL+Lvs1~O<IA0_vvZd3Is?uZ)#P+y7F_Z2BDxFCV;Lt
z4}na{f`=yFIM{f88<1%{b+B^9*!r*kr_DRHW<lY|rJau~K`0PerrH-Gxr$-s+JZ`R
zW(;d%N3n11hfY6eP7b-}*e$sOjS;*FW)0>fr9sbg{|Ydh{Cw&cqR85anu^H;Un1o!
zb<;#Al=^#lVFRwakZFe(vjZ(r{A3x%VT<*7?w95K3m}R5`~a^cpWpMn$Dj{>*<DJz
zpXi-&wk2ln(612m+VCvNmJrzms!8jD*fQU*X(Fn`C>6e7_4ZsfxWNw$L1KUNyN6?6
zB^C)FSiCiGx&@eWqem$Iwjx^EztCkSOhx6AJCEb}GT$$t_FQo^q6LTHfo0K82G4!o
zm<qT%)_%Ba;D&W@#_q@jzGwxQ$RSs;ey!k{6@&%L!Cd7V3fSI@CfwRokNhg~f^&w?
zv(3E|1Ruq`!2i&4Pkme*(`H&|7^hgy$k)(X8l)<M26N-o)XhFj6^3<>6+c01?I=lJ
zmm$OEYJo6{d?R>zUX>c7_F4c)aSxb_72l^h(!#xkmGb&7a?^_+dEE535xiXqSmSiv
zVdyZ@6%-nv5~p@s<zwN-h{yF{YIAO66lO-N59JAc1FG?j*~bV_0*Ud}IrnNC)$>aY
zl=Ad$vMI!?=dqKf=AZ<)Y*$7R#dvAwl&<jI548rb&PsVQ%_rVG^F?Zz3d19Gap_85
z>z!&`$ahj>(xLNI6ZOrGV9`nqg)D9J++xGs$M8Z~xLCq?05DMS6c_;(LoPM}(mUT^
zegGy{2ZB<4cq#r9zI75<xE(+SHb;6*>m<Xe(yf(esG&6Obtn(U4ID}1nYuY+UR;dF
z8EG@If4@TJya(o`{a9?ax!HU}gWUudt|IQyw@uR~!g-&r#o%YPIJ5Rja$0QP4TWH;
z;R$HIZPspM(ivdfa+sU!^QOj@Py_$+nRCl5;<wtk8KbEq)GVbTAWEr`ZQlk1(bE`0
zrPyUFXa0dA>0#<_5npbi&x(zM1IYS-ML`=q;`QCFTpCvgOuBs@%{?rk6@Bvx>pccZ
zJl{g}33MwG0CF9W%<G3V!zd!mpf2n1Ty&XFU6JD-I-O_lPJdm#eEV42ngUY8N6$VR
z;x_TxFpe#}Xr-Lb;Up@J);FDkK}?Q5C4>_w*SK$wo86dv|4ik2X|ZZi{V`Mv6}X_W
z1t*#Pjn!ns0N9Zv1N^<HN)+aWfW(vrDULWg*gZ2pILZ3<)j3><9KUC1p36g=_L(Fj
zLG&7kAH3KMW}#i7JOc90f_2`hsO&M3o4rT}VX|8Mt*7CiE}!~7c+<06TPYtv!zV~M
zuI(E*c(k2rNS}c+(716o@O`b%?8w<MuV3H9r<RA7pkNt+!JAgLZg%RQat%F042^tN
zIBQxaqkbpk=62pzS5V9k`!*h1qS?10>5wxvIXPERIBLcKuz&?O0sn6glzS!%i<DSN
zN6?c^5G?{tbi)1}0{rh#;eUk;|3CZpR38GM;wO2({zC^<MxB^(_@e`ix-rM%7T|+D
zAYRHhwg4ndj?mvgZ|FTr;@<5#@({HVb6b!Ru)YgHsPi>oG7I3hbHplGX-qrfABoUT
z)FD&MA3AN`{UIzc<zp&AoyUc9Mlj94)CRk;u9yfZdSS|@$NWm0=P8&Mk9=knP7@=5
zJA;CEY=)Jj1?QIx;<@u0?v)Bh>0W)BH9NIoDP?fBgTuL@B5>O~Xld;AZnFnx6F%DP
zJxB;Ljdhx`??E~j*8&u&FMsHYVo@ijr)Hql4MX3I&H}#rGEmffSdPdbk{97|2bkDk
z>E<tlEOd}lVDRpJHMtwQrX_!A4;)lhw4Pn(vSw^UGW}eD^uqj|@~k`5<S!^1R$X^g
zUktg9FEcp*(eCn<)eK!*u?)M7*;_`;c3CblnU;zfKJJRB=0g=VKpZAC37DMSDDszB
zYe*#u@!#+CRwslAeg%qxMw7r~oWeZh;nE(^?Xw-ZB;mC{<}3#aqdBXs{v+-(N}1*h
zMqkkNm~k1b1840ohg6d-M)>P*mDOO6g=tv;ErM^m<kr4%JPf*4!!7;W8x{_Bs&&lr
zd4_#`_NmXZpl0CIRzEPD(CE;4WNPb@fWFQ9Gp|c*>Bdx%)!l4Cf1M;l2c{$G@O#16
zI-k3e-}|Sw*u^-Wpx&(7aV_ormh8fp&~{h{Th^LutTnw4eiD(>XJ|}ADiP>7*=|AA
zWRG%ti8)J`)Ll>KZ!6YX(B^5{C7sGD-~@iw_bOHf5^3os;?8k|QAXZdRs)Ch5=xog
zBuJT4vA-8yqezv69$nH1VakS()xbWGO9~m(m#lff5q+yoLgy;mxPzd!9xj-J_WckH
z7@9*-@TGOTo5ap^$AXXQ$u1Q(wh(2s<AscNZlDjA?}IW<`Da(pjlHx_0;){T3G9CT
z?Sgc)5rP>eVzmX08fbO*(2k#BR*Kh3dQ@8ZgInArmUC%rwG@R-!~ejXw!oXGf!e{B
z{N!C8UD^nEv^TGz5EUzRrHrzjXl0abV)cS&LP}uH(x9lcHfKhEs=qkiz0>s7ZzsD<
zZSK+rEtW2sx<Hrl6O}_t>PLhM`6}Y#2;vM5T-TfXtEkPXHPNB5(MO~v>8r#IpSyY`
z39kEhfGIsQjP2^oQxwo=QcP#MOak7BUu)s#jCa?!cz5HG$KStX-*#_(zQ)syvqc9G
zlU#ot<%){_-JVH4{xwiOK!BH^0)F<LjajI}a#-8fS%ci!<6ZHe^L~%yGfUc_UTzj^
zEV0W^_iP3J(VYLWHbC0Df!Rz#suXXW14Of;D%4j-tNW+!dY+)#+*OQ8ZH1(1j{`|t
z>+b1o!RsRT;r{HbO%m^=UcS_tv@`Wyw-tY@reTjW;9W8vugI>dsxgvxS#_`KY|WeE
zBdX#Dx?^yeXN(D0m&UMwgHBIuzsy>MY2vHce9M=9YgsIGc9S$_msTNCbv~(mcjrm^
zo@Sl1)Ygxv!(00NHQ7G!c|V@H*z5SF^Sif$uaoc~t{&VWl)j=t8Z(pBIY@i0nWPfF
zr%)%M6;wL)fA=U=hMrsBBh?Ccm+zHe|1a|1JRIux?;CDWDoOS=Dx$KLEQL%ZgqV<h
znaWN~vJHlbLiQqrnCv@Q#@J;KA?q-fF=NR#X2voGGxNPazw3UU>-b&Qec%5)e?Ipg
zj$>vR$1$HdKj-;=zuvC}dq39uAa1*3t6~7H7T{o#c&FD6m9NF)gWkjKZ~)$j|LJY|
z|9YGrd)e@0uQEMEhJJQZog>Jr<Pk<_5-HA~=%ls<)cQdUVus1PDDm%~^?sZOh9u?3
z;I{1j!vYS${c~rOHbGT8o)hZ2%w;rlq8u87thrYC5o@5+$+V5g>#F^PK8$$}43dx`
zA<3CXk}iP}p_Q;4+_ReWA=u=!-Y?b9E4%l*^{hgP$)^kdId*v_;cyA}YkcqDo=hCS
zuNnOEbfFvBrjxx3*pJ?R_kFp=!K?HJDS!a>=SXA?aXGFnj_!yD1jh!&xqU9_$=IKm
zb01DiHx-?V2+7IGfAUCu%vJtQ;n~nG`<rDNeBVk8hysO@#L^MT`AGd78tX&y+z8Te
z#3xh3ep284F2SBwbQ)FKCCof$N<O6n;%^4-!S@z`{II2BXj}HtsPsn%%a>^^pBulG
z77MZjaT;l(1lM#6S23&5xL=g%x6$4Bzq)$VmG^PPmWpIzejnggJ+;&Ef3mpvUJEcv
zV=52VLA$4l*V(`{S|flQ<^mD6R>!h{H*tu+?^0F<olxg+FLDVHo%o(L@2a`MH=xK_
z{p1b*{Yy2yqb(-7l&l|z7c#FUe3&CT)kZ(&oYOqf-Ee%0^P@Nv+|k_I8KOE4*po=N
zb7FOzuGXW{vVvmlRZC?e-Hv|_n^r$E&zpvocAKZ0#!?SYXI!1N>Xr^@3=RK0ecW+o
zx$f3m)yc=HKm*IOf$=Bzdf}tWU-%ziQ6bmI1}=yozgI{tEPB>c3K?;Mp8&%T)YMu!
zF1kWVz?k%Clt{GvnfQ48cWlgT_;v)iPRk2%O4w&!2`Ej`#$pG2C2C=6f#hMV6w}cB
zrx;a+1}qu9TC084|MfL0kgVO!6a+#6xYX^g0(dKe0IZwBtJhx9P#U*w=`3WCkdwD7
z!zHS`%QaG7*#_MDE2>*RcQ!U|`dq|QB34HUWrseJ(?w2`I@<PD5WDsxnI0U-RYPzy
z(2VcYQmr7wlK^T2>AVDZA%3P=cdWx-5~L9qWq&n)d8{|1se%Q;L~LrgPu+hUaFVx}
z+&@5ogGA?{k+*4yGx)Ofn2J)?xc4%*>qzscoF}KYz~mHfj;9w;yRFIOBh5c>$5L3t
zumL*K3iCl90sDTC`bgrefIYMS-QC^t%xNWj*79)5YhnL5I53{F2d)q^w!)g41=u>c
z(IWpj_G$>I7W1mj4f2&qLa;?<Puv5<lHLl!m2{w7`4K^tS%)0zUkjesqU(uP(MQN>
z`{XJyeCpD0sY^~Y?LEm5LXZYpXI>IP?IkenT&_%R)}gTBwMcPv+cH<=StTOE)RZC)
zi{PwmR<2X#L*H>d45vS9&NA+kbCBvYl0M5JkpwZOKlNxNg#!J(Bfz&F@itFb$B_+)
zZbQLtP!1XsqhC+abg#2&vRRE-b{g}wK9Ii_c1sc>XDY{|r+?v2%{Q~RvpN|YqSt6T
zi!@IFo<oL*NKB$)5-#?8cx=LT<&wSLyd2r>bE>ySDhVkb$)r?$-Dh7B|D>xl2{_9o
z0KWVD?YK*Ga1eR0=RF$`T2h~A{<*m+!&PFi%v}&9^(C}@!P!4>RTkh}WvaG?DK#in
zo~CW#o?x;koLj20j<i)iwL>*BUcQu(7f55PvgUnplzM8o-)le?VLt$#zOw+1<?FS`
zFs^9@8kD?Fksq&NW*v?(ULL((2$j1(d(=ibcWr?d{R{7@LOR?QfiVK;P_p1>R*2qi
z48vFK@WdZhfNMqbL-5mCC_PDTW&1#G1H$!OeA%}3uV|2h^ucKSq=Br}kg2p%5~?;j
zuvEMI0)i7ViWlUi0qm($-i&uB`RQT8Q1&9}!ju8%9o^t|L&Ns7>eYQIQpBz{KJ@;8
z`9>=z<<$8Lss-E^0q~^^w<DW6^moZl?hOO(cP>l*LPMtHR;sf{h?$0RYg*!{8Kk-B
z$swV2gwfcl>hd31Ob*ZwZLCb8jdY6<`a^sM;v%eQjo+((-`v}wnV&;Y>W$~Q+e7nb
zdU+`ZGr=YOT5*x2i{T(6TmK%wk6o;XUxN?9LI;75%cXvQShykVd%B5<ZF>YC7|!@t
zipSQ4Qz0`*N2p-hLjK(b<M&^(hE&jv%ay^kfyfw#d(rL7^}jmwlq7R`0i26;eQhS#
zEb^-12)%Tdjmf@54qwLfCVUjV%88~1*F~gT>n5ZQx)Q!{R7@!Si?btG2Kc?kB}6u>
z6#}M=lZBU~=O^dbnz(T%e{8w$Bba9gjs$0z-JqK8)W~I*Ep^Qzl^Nd*;08)Tv-dq@
z_B*>!PqYG=k(WFF4A@!n2PO+OZYH(h@b;VV8~DS$nrmPCtTGk%wy>zrq%T0wh=SN?
z;nFajAHg&vbt0)!Gl(^hJ$NWE1@E##e`xm2T@Pflkwe-0C0PcXv(o+|dhBFU*4Il9
zmG%Jb<^OzF+yC>fU;tNO5oILQo(bW!p&L)iTyDiESr^MH?x;U(?LF_D*uXr%de87O
zY*Q(cViF7Al<#ng`u6AK(g$&1eLJSkw&%-ESS%@ya#xjWsdn~TTe7tKMvw)uRTR-~
z*m?`p$rhkgIo(URMEb}#wN+nN1M?_&a~C0-8p6R6y3y-KZ(~$y+yhYT@*~~#`RkPY
ziefy1r&U~EGG6~)?W#7hs_6Ay5wuiN5@h6-u=Xi9fF_(WWyJ4-u=-Rdj6B8w4dH{m
zWo;dk7k^N_b#f&x!S}^+amHsz3K=Bgcvl3&=vSOD?_bK7>dzobVr2JGwYyb^sUmL-
z-Q)Yqs;Z0D<Q(~V8p@h_?c6<rHa5J;;o2jiKY0%afh%(v*zX=w#2E4XphGQtNFt@}
zYcy_NuyQhic7>G=_}>Cs&l>>j9hDYhxcA5(NL^#z4RKy-We1QAT`@9vTVwLyJKg&a
zix9oQiHZSE@Li?KrKH2vf1RrTzj2)U|M*!hm@Go*Nu|ic1EBmEEh-%>9Ss3aoIX|H
z%2sB888@R_;f(LCYSzr*d5)?H31FdrR5$V}ajR=oN=eHN{$gu0Yoqb&r;17Yx!67V
zs|$gc5yxtyPWMT(gVyJ%gH2*88CuO?MiU}&1-hl<tMvwQf(e?2zcC2J9C6r@0S=^e
zV4cuVWH}qOZf#UuS6wR|>-ya%@doEaPI9jVm!PFikX_39>NeJOI-JM+3Z4{a1&In#
zqGkMiW4+E+N;5b7F%D!QUbNP|v}hyqNcp_Qk0Z6MQx61fxRb&Tr~Le&=!2OZXH5d)
zfDgrSNKFDPZj^R;;Ya`Ng#f|cb`DD*xuPnO?t5SSpJV7#yi1^3XfKo#X40#{P4iz6
zz9hNR%e))CwT0a<x3t#(<8uVL<_X>6x>^mc+L9fS9U<IN&xTKZQH)Uu-6MSzJM9DJ
z0f6*oFLL!xN29?P{}Fdp?MPpI(e55tah6dmS4rX?Fy&PERb6R${9(8gIUrR!X~du8
z!Q48sRSGId{qwdd4;VJyZ^NTE+}#4Zc~?LzK)My^IP;IFRO25yD1g9b@OE_2m%D%#
z*(p>QDK95$S;zME%DC)8B24q;(<<qln(GpL#}0i>3_QUKL1F;6vi)Vqbqo4U00s1=
zKWS`fPV6x-`{`;H|8BW3Gc0H6&G((YpZk?c&5UHYr6X`B4$;61!;y!cseGwWe2eU!
z!38XjdHQlrysJ~Z4Y4mREu*UM-n~i~@DJnY{Edw7|KaczWyd+TJGJMbZ#I%|t!5T8
zsPMbq_gp<l**w-eJ(YPDSGg{<zxj~d;tS<~#dKf+XW1Ept2+i5pMx^!_w><gb)RaD
zOX|&BVs40^|Cd*;QhVBqD{-A*HdB;fL1t!FVdghSpBfq7r|eFPLQw^T%}qKW$k&Fa
z0lSnRSvh+_Y+8JQlmPcqPWC5MMrNsvc{)wVzOaDkS0~=%bIG|kJ1x!UHQ*uQ1<7s{
zML`K|7pB*h6>6;3&HB8da-(HN;|g^G4sRZ|^HToO`GoN+4M&>RfHA0hHVuF+uQJCe
zb6Myjh-UtvSH5dXN|YpE?Dm_dn{QFUgX`8Dsw%Tk%t^NT8agp%xu>-15xhzJc8{t(
zw(-X3v%<}Zxnxuz<DX;2(~&tvV{sBQM!L35Eo$f{jq?m-2nP%S7_*n>(t-#oo%dO_
zXa_~M>zp)`MXjF1#^0hU%`TE}Fe+8e=AUN;E_GVWsT);y7|&bsDNQGnOR3|uT(T5Z
zl?L`8fVo|n@|40Zq8W4M>7;C{*v9<jVA0X>VTn<jDNEbgc{eV{6Y{Cos;~aakH4zn
zJeGBe5tZ?Xk{am?;Q=Q8`4k0A`%Xp+n?6Oc(R|ux19@Y?I*jV4ywA^-XZ+;doWU&y
z{_Xit8+$CUu<q3w$m6$=-`4<&goe25C=JrZ4U6m$D&tx!d`7l^>agSCAy}3sS?81P
zGA(bs^d;$3)N^T@>g8xV{iVD{moMc(+tZewbt<V8kyPaT7{<N6Ttm7EovU8>l+nUe
zfR*Y2SAQ)_aKwki1MBTYGcO=5D4_SgZ5O8Irn~cJAzG!@uBny0grcdE$?YfY^Ed1*
z$8V(tZ&0mhos05(v|a*7Sjc7hNO^SwGL<>WH>oImuS}8Qgk7KZyz<#YGCe?cPJvP_
zxXjWca*Lx%eTMpx5kq%egkGedNBy9*b;<gH&(a!?tR|c7m6(~(GS>mgq#%|%K<d3&
zY^ltr%b~JDk}PRg-;CY~Lj07UruHt#rIvA4z}|NQhffrAD8C%`-Zsc@T*>l-D;GZ>
zxs%0J#Hd$D=e$u)iL>X5lSdO{zT(e>OL<9BpzLOHSvFV8sC9_l?*9DY+wyr#;D&rM
z-2Uhxtd#084swz8ZV$8zFN3`|reW|cCxmTZ>AtG<Z5`VcHkYB$e?97d@}jc#ogZjU
z3E_sraxXe1kxx<+$OeC7)j0}b8+csACS1#&095RVXFuYDRkzjNy|VT$YEIdAl`Z>j
zh?Z-z<VgNj9xO}%K*XSq5XGdfINu^z^c_Ni(3+iE<96YP0DtV;X&KIfS9e2O+b`_h
zvu_}8e6E8;wN-&Wgve|lxGPca<w5@43Fob7Cg$;MU*crT%b63)eV%@vfK|ekYca()
zk#fh+=Q?WNw5rW%H7YcaXd}`FChq$<Rr?oVXZF04foX+jTic+B8n7ZK7R91R>2l<u
z7V>0o*E|P#Ilh4a;av~mY;7EaF1Mtts0CRY+*7){^f4UeAK=iOBzE=VOu+5K$jvlL
z>pt~8P28TqZVg6_`VIumFoexesI-E*Xll>4yV`rUALmCDKi#?V;=<&yo%AJN($rf6
zebZ52q6z`iEp~ynKJdhr)reyEEnSKl`EfH*C*^wOl?=ngzF4sMmqcloCGhQ^uhk;<
z#6F0ft%ZcPU8u#e(L&B<kM5#gL<FP<{QW$am*VR1%1YPa^Sq9qM2#BvWL7#Zh*>e{
zXI70$X}Q#p|KZiBUCi=U-q_Y`#aPoAYO~QQ40LeT05En-I%om^J9?$4uFpKjTKY)i
z+{|jZq+IjEqE7eo&fyu~s+0bl4@{q?^^wQAxB;dC$Q3{3A*?gH9J4uDDggdbeg1}2
z<MEkFlnQm0%u7mOve<SOtZlEGQ&n!wYn{K9=HwAK^z-<&s<pwu$cQ~8?MXApz9=|-
zeVF(|f~ob}falNFF{00lb3ca8T)yaXvK`^l1Z!rc6yn9Ae049Yl=><o5y3pxR;C`|
z+%8K+uVy)H_A6i0lE1r&-lPSWyEYnr2WCvcjxv1c=x&4BvOMYKkeBb{b;Qw1D`LWM
zl^_Z$HI)W+zYv4C9~psNG-+y092rdCnkou=q#TeIo7pfd9`BBU>*T6@^bv021rpHG
z*TseAEbH}S-Uh02otagQ4ZHtP<awX1;&a<{=V7Z3S0H-9c2UiiwWAIQy1rsT3nT<&
zN#E)#n#l><Y4<wW`xibnBmP<D_0L*+KjD0ea}U7sf$1BM(iP-oohC7Q28R2_XmUt#
z>4WvHJ|1@ucj;z_%~zwk${Kb&TWV?o%oA2_x7HCehbwJ_m^gjIRJ|kZ?;bfp?yg=d
z60fiVpFFSVzRGVk{d<yUCgI)YU;Rcj1rc3_8dRPr6E^=~!6>25*5P@6O%9$srCxgG
z{e=){T8-7e%$JrX(Kx<CyQ6ZEHFtRs108atE1z1jvI~jTP^N_vf;n`@UMnKm4T=Gq
zaXShsPGiOOb)jXK_U+@aOUVsAgb(MrIOZxg7WU)iH7>)hL6z8CJbZ<%n=&<smtXy<
zt=nmqS<8BK+u*0jCt;Rv4%=3L+vDt?)B5a-tTwW)jC#nx?*TKrAorL6xoa82=S@dl
zmb7JZ)nYAJx02WFLKiAoEorQs%2?BcZ!gg2pC*CQWVU`=F8MK~{A7Lyr6}s)n|6Tm
zGPBhT?HP+i0X*Dm5DLR+(e5|}^RZU`91H;84qY~+qU81*(*Hh-);0U1B{3v&Rh9p5
zSVro-qk+jxg8WBO6^c_7o<{VIV|y}DOA=6yEb8M!dR;@U861gRZqT;qU#NXLocI8@
zy>zG@Ne1hY8N-o|5sS~9$iGwHT1EO?)qHEwO20m&B4RH<N-r&@vy4G~f@a)<O{~VY
z<WOz2C*sX$*i&k%rPv#F4?&v~%8e@LgBCtUyXhUdFxPYdzVOPyO#cM+HF_eLlDaX#
zu%o4?c0q;Qy<n-ve-L=#NCWbhZL1a(<J+)ujl`MC+q!0s){YWijE!HN+qx$v>q>XS
zyrSrAq6xuzye}_g<4a?{n62{?)82tXi<R1@nHaNi)Qu|?)+oiMOFpIRhr!=cHlQUM
zKjXKo_!5<UOwDeoTlT=zF$RP-7E2iVXL@9$<BqHk<5AzH@FvYHTJjN6^5L;}uwUZX
zD6K}1`<tyt8qTY8WsQDXW2v$h138HBiB?xT27OqRrt4k+WRZZevdyxrox*3E)g&T%
zd~53>&0(2>TMo*V64$Soo%F8%6qT`jE=_^vPR(l@Lw2#3-mhqJFIYv+@TKwzoubC4
zvgp?IYrY+l<BZWZbBP~4yT~H6S^m#4=OE$Lt<)}|{g2HSo{DQeMe#Y4BW(Hs54b)~
zVg<~-J#3mzzpOp>;Foj(bEwfD3zeMQtGoy+ChZoEI0@zb2zNJoG4rUMN3ZP6(ZcC_
zONl%&NgfB5O!dJKIZz5#-CkH{XoI{ACWFZvC5s>zwl*FYv6CbehrqgqaN>{}@#bHr
zw8CLFOWxM-JTvDM@ZICF3V99-^yYW>g%|c?_aGk+PtwBH)!01v&7?JASRSB$qQsX|
zTu*+Hz1;c1RQUL@lzTlv@Kd&$o!+jh=ooeL3M<9B#147UaiFhWv3zzTo@FjY>-;G6
z73(~!WL+~mxqlcxpI@q5Fb63>mJCy~3)FHgr~0QA6i<5Ya^0RCsIMSAF}+s3=z-wq
zL^Lh`4Jw%&pzQ22TZu?rEgoY5BQ38$T#pyDa^AI3EP}2@nBMK-#I>eUE$}s;-gPJ^
zuE0!jtk>-2%;RSK<sPW%-7E+#ML=Er{Be#=RYwjtRHnCbxBtF>!)jk)DB#TEun>*b
z9GN=teH_?C{?i-uzdSpZ)g}pASn8djh~sq_?|sD>!ca)r-i{8D0@VIJ<Tg6bNjvg<
zHbIP&7O9!ksk}4O(dhD_tiw$ET634Dc6+RSaiy3>`*`<@!bb^RM4IC81e_O`C`Ht_
zv42}h^vX4O-lW@iG``H6gYirFi`|CIw*A5Ev6FF3-FX1zeX)UH@SqMD@^oQ$@~Eja
zfZ((BHUl0G0I=Uvx~utcl)LkgH~GWsQ62je)}<=*FQR$4N!<Z9@=1hSa)oGJZ!0X$
z9a+E-Z+`v@)+2B#(a@MGSE!<B6C$T?bwrmr08_VVLRd`C9Di@tEgBel^Z<TiwD!hp
zUyd^^sMca{{7kmEo^Oz?!fF72wIZb9O&m4v8Osg%uaqnZe!u&Y^&>_R{664JL+Oo3
zrNTy;T=E|kaU7la4eF=0Kfg=(l!JDkY@ME!ZmF}66|ho|TU^D(w$&6gQFOXDN?qCn
zT5rJBbY&8IRysRz)7+MGrve1@OrHH{ysdxKV@$4f3@dnR^yJq_+e_#<7^r*x?0B<E
z2`s78FNBRuZ{-V?#JUHSUP3(eGe5dd!e*zNb;Y#(j((E=iqtSAVm{V$C)#chJLK0E
zpq*n-o^JfbYCU;!QfHfCXsHtHnTvSR&z?VB-(4{{y*dLOYUV!z!(WXlg2RC#z4;}7
z=LDIf+dvas1;|m}cIr33w<iA>e|IF@7qV}x3GXNJyv@N{bIjLBbBa#i18lTrkRozS
zHupCEN}`59!buvqComzhg02QFm<K%L-5P`IP?DL{DN;JA51sambz2Dg@=ADH5dSwm
zv6nOea0dF<kr2TR4WT%?H-)VWa3+@_{OxGvn5cLSc|zX&SoTR^UfO~rby0isv+UgO
z_4lqP1GNWMkkx29caude*|xi_i-QNY-Kmq*n~sSpAS<{D!4E|XtgRZFtFz24BpRRJ
z^vGAH%t>7P6!0l=G;%#b9@Lc6<aUTv3IEcTwx&@*AF!1daVQD8Zv}l!oWSN|H#3%q
z?jGg&bBK16=Gz4{4AmGtvX`mRYc}c&7NQwXQhTVU>g$@q=?@D_dnG*2H7X>Y`*At!
zVFifb-wr;;Y{!YVa&F+*)a7&FYG_L8M@cg2V=eeRR;$3ZaqiO?w4!TtTC<wJK1|=o
z@taio#a|iGb=Z9p)|`r{W)!sY4C1YcP&+af#fUG27O(cq5bON;{Jm^{uFAbk=Z<;_
zC|TZUYu_sa0pD7+Y2kZyFaGFelSO$UxCzBJxw+2Dub7ZhWs*13&p#MHkL{S891*0_
z#{y3Knf&<m?B;p<-`~d-Q}6h1HM}U_aV@NiL-}Vnf3xwB^>H6*+SqP%AC%ZcX}n<o
z&GSNjh&m%1?y(U35Ux^!gNYGzGU_^Tc%5jUX?3aB)X_l?e~p&6ZPVyqJ&JK%MjhD|
zJiQX7q7HxCUbMxD@wT!sy8!*JX0g;el7`5Je<L&;saaRmAT*a_H=m&&ta<dXLOlu;
zAYn+wIT#mhvTT~j?(Vm9OqGbeQ!OvAi=>DX9%r$R8uU`ZVV=%o@iBQaO%xvEYw0-k
z+h;{|creD=?_aQeT$~<;^8=W}YZzjoyYjuy7g{Jqtt;z1`TRz34$a!Sr7FV!-D0~e
zm$_IQziy`UdG2bWUzp02@wMB%)%gArt(m!I&&KTn68~KNoRoiQ%S4iq@zx!EK*ljW
zUC~c3FO}sUnJa#|ibM0qC~-_*X@(ynBDH^L0DXQ3|56!uaK<Kr{3TB8_sq)HPV11r
z=N$U?Ur$_O!*DdB4$`9w#Pd9(l`qsYg{^1+&AGhDB_&X_ArEIz;x7Br$3qTkuw<?)
za!%6nsUHEWd9|Y<3#4+}KafP{R_P46jFF=ci@^;eJ8Ec+Vj?p%L$;&qyBU`(<?UNt
zjamn&1@XEg)8A7FPabAzKi1)_hGB^EN0(@50y?@GaOONkgDjdyG>a_`dib&%>bD>|
zKfx|lh+5<~jDONnY+P{K9$+)IATDPxUb`jgEgK=urED={^xW+-N>VT-f%ji*Sf|)z
zk~V~gAGf|aO2=r)gK3|S4CvMrosX^Z^YD9+$V2DIkaImAatnZHE5P5IkonMOm9!Lp
zW1%7H^~=XuEIUHN1%3+fkG%Q^``z+05Gz`+>mo_a6$n^FNX7bq-l_V>zZ%aQowc2t
z)x9>xh_LL+(FW#P1AGgnnL`8vJ4Owlo*w3dwe<p9m10|D2q$gA88{x)^!3^OcJwiH
zl|q_|ZM{3V`r6<Q_|Aqh;d*mz@-8hm@p1SAu8Zt}bpUq8vPMS6(%DO0ReJ!Hy;>K9
zov0z?reJAs-c9B^mze6s5#{L^J$l{pPe@Xjq0e~w+Zo5dA$lbS0r&1IW~J=fHyTH$
zv>aJyCFvd%l|&sJmIjbw0rm-iKUY&xWuR_pu~V?<$sPRMeu9q&sH0BB&)>|%a=<fj
zEy+NAOm=cH;Fx}1Jnou=<niQ_wPgA3;W)tKCs#v+1|nR;bub`?6l!Y8`W;Z@ZV*v*
zQ73&;&B^+iQ&XlV|D9InF0H!QM`;qiNKuf3*crM>iz>4r-+lgu$DQ`T$`7C)vYs!(
zm13lEHMJv7nxfM)n^h$sB-af;iFiS{HPwuf(R$epz@?-<(4mA<L@Xbm(wIAGG%AC@
zJGg6z)sGjdARM1Z%(I`(n(7p?ZU~AgR59F)NqP1JyKbTzaA=*LtB*<j>^Yy_GzS*7
zye=h$W!8m3N9hbM4C<T4aFHx%k+8vROkf;$3k(}$YRI*16#dIpAn#9B^p0438|oCY
z9l^6|C-{Th7Tp}Y2<Cd|74Q;|yHK7!uj}e*&pq3WM)OTpbqnirF}Ho4TzRfG45<Nh
zbCr5p%!2!+R~wz!{SR9e@1ttt-0m75c8^R8N^Co%NG`t>x_3$NiQ}s?iaMsgj6i>k
zjz?C;`;lpY!-ZL{=wXe}5TKQ|2cBw8&8KY>aNwF#FXC#0EYIC|H8tBQRlH$t-7&9z
zU*qa;(AFtnRdr3Kv{6(v$pDK0gm2m)iCa;?SVT4PUtvfP=U82p-zBDg#jGph_fLa)
zlf-)20Sr)dk_4A7Sf5v{CsV6^q&L`=UZU%xmnGsPkIn0{Jgt(+n2Nk-s-{xM(_aHG
z4Q86_F{5fTrfttoOSgeDGtlKpe%mkLQj1$SE-A77W59AJxNG7O?<8qKxj0Sl5`!{3
zH>(ea$%Esc@~$l<qgDEm*9CVg5~EAc|L+Lv?SREXfMg8yBl(VXPxVkMALVSEU|lI1
z>+||Vki&i@L_Aea9@yb!!3-7gZUQfyx2*->W*I(CET(}?D21WTDz161A-CLvHM*a^
z(LOY74(FFx^gf@}vay1gLK5PeC<S<55|H~e5gAkaWV#tjo+Rmw$&}M&6+hBGXi*);
zuf_?S6xp8D7g>$%x3y8AW?f)3?m`6In4(`{px$)<_v$bGQZ&RU$;;(AtA|~q&cDt@
zy~TXWn|TtiALEkiU3;3b6vR;dvSzkyV&00y1@je815^gm=-*U9)9=f_sJP`)oGo9a
z0bix&Y(_7V6ATtP{?D;D`Vgk%*ZF(2&ojMW|2bBFsSwaX*@5kk>}gKGiAJVWTWoad
zY25gi<hI}C)sYT>R-)Rf(Tl%lmID9{sK4j-!A#R~SqnFHi#$~2y|@vj$RS`s^TwAG
zsc99ku$57cAHDu=&xB$2mgy__C9WF@eWC53E7Diayg97kMr$8#ez8UzD2D7!WCYvu
z&yfbkf_?Tz7{B)t&aLtbak+8Xt#gz>+)~Hf_*K}?b++mnTAyn^j?`NLzO(-_xPQxb
z<e-s;2TULUi)G+bz~zhPY-TK7(&e)G(j>D1fkx<+cwr-Gkc{4f_9npeO624U+va&-
zVM_7u4T8iWYB;)oS!+^Q!<9(vtBrB-mDwBap7K5iLf!eXHP(ZQToRvERhx|)7d}04
zbc8tHT(&5A7OAVVV-;9hT0SwcuM?B8qkheDpv>{$e(<HttRbwJw~?Lskpmn&(JBn*
zu7BUDGEhhx>&Dd03z8?=(bfqyZv2U75*Pblm`=_;O+8<x{004b$;&R7>`k3ddc=tL
zY2$)nhb<_q@wK)NFb?xEpNuD5I~J7l=7<+J&Z%{?JR&@+&Q5%i^E^%0(TXO}r?=+g
z>fhuyVqLNlT}K?cVfS~{c>gtyuDrFy5Q;_3%q0`;=R&T~B%wmnYaJMqRNdxL(&D)6
z78g&3`}Y^e%@z{A?v=>m6E2Az6nS$Tg<=sDrIl83MuQZYSQr89eqg#q69p43J}#F-
zb`aOLwHh7mc^n^9?383=eUfjjoceJq6GuFYx*%rXdLv|B71|kRcsM_d-|wpA=U`uZ
z<1Q+l^th&48qXGxt5DQr9aCgy`9W`6sU>~(Y00~<y=nYk_4;gyxI$Yfs@6Y9GTn1=
z*<)H3af#^e-(+Upv>GT5Gw+RLx+!)t7nBin11DG|UMdFeo1>e*4jgwC6}2-_R|6Jo
z`9{UB$7_9J?>{c4a3Og`j0dq$IL}S<s-#uV540n=)a?sk96Dok9Rj=agE6Ay*zVlT
zZ9z%>xiOorotrw`HQgt4HRjEv1g~ryg;>!a{!xEfu+|EUG{TgM=$rwIVr&pvq#-JT
z<Kk4$2eu{$%lyRq@zl*fc3Ld!QVBjbKWsLh$K5sb0C_26Ail~>zt}diAVQ{Wwf(u5
zk^8)>6p%{=U^@U&DOBemnfW=V)spcEv5+lGk;miOHxPm_NN@W6zg^`gey`cdOuUvU
z-vvUb5HGCL7Nf5_t0-^vr*cVQWjz+XxC0zRAB=_k6sv2-@iWC>{0}Jkli9wDNKV+R
z{cbVrTkOmXFrlFWqE@}A<>anUTWGmftBUE|D_>K34ctP8N^@l=Fw7GfAt^>sYuDm%
zq5ga&)7PVc)Fj;yIjpVSM)uyRf0sYmV1Bm6211Fa$Ve?pRt&Vr+J$*JyrN8FMo6M&
zhV)Y8r}VAqo1s^|6XWy3?-`9^|C8A<uB*5?sJouk^4$`at5ZL=Cu|}A8Y+I<faRCq
zHIsH0(TTUs!+7T&Ta#X~T2MFmtnJK{P618S;D(GuxCr=qW9`n;j_#{M_70-y&yA!(
zkx7?JS+NI&i%9xKZ#<-{+%5>HbJm5B@3!PbnmU~YvPSMqUy;ey`GY~OBFLUu?>&lo
z4w2mk&}S%Pl}^5dOEq`5RHAeR56!1Ur5UXuyfi5SZ!Z8uUv%S~wOHqLRl$DK5F7VY
zyd+1}ey(p_Zgy9w1N(McyY=~4ZbZth2Xfz6;SU+rOfmW$TA^6j9=oPZGll=~cH?^;
z@?>F|W?oF{^hpTV6)K}FeTAjC0T%kqS`8SaPT46Atr^7$-7S9G!iR26tqw_F`*ZM3
z=k!vtTjRu=krk^JSxkwQrxSBP><6?HGPMu>3>VAR;mdxbJnQB!HPrGgQ1OE^6x~qi
zP$^r>sL>Fcqq|4q0j70C1C$_K+E=@w>)EVSJmabwK6|@1amISx*t$HqYqjdvQzOHn
z^Tx4GDs1LdaoRyy$SC5ZBt^N&qX3KRB|t8^bf}$~zYEV`f3@Ai*V&Xw<Za};*Z!*O
zlz`FBUKOtwm+yLCUyJ7)X-6Y0UNlAMT-^1dJfcInv-8-}uuV=h1vGs`?QLb`?A2%J
z(=;h+`sDKNiRCi8o8uLVykipXu8!efwfOR{t(qrFnhyR@4{O(c((B*<dM<f-8{m8J
z=2C@d`9}sJBY|=)3khrhez>NbB^=ga35XxcW$O&l=Ee#h>Cf%|!_9OMb9r$B^s0@I
z?$1a9Ik$+lbJ5SYOyrHRCB4lOA5Dh%sR@4%GRN?k&pcoJX7IWq1ss)a=u>QkF#+qZ
z&pI`=Ms|)ZJe3uhtniAgH0E`ir@pDHo4%_tH@(<Ko)WtRTAkk$qu=mBGWE;agqdS)
zm((E(L=%0n8fNy{aajlS1-O15-v5RmKtyZ{+)WUnJC6eEL7VIxAuqdkR*6Hz23W?r
z=fpL+t!I=v({x`vxc-4XyV~p91vjzjzl&K(NBVGqKXBh{>viRH@W=12#O$^>@p`Qb
zzx+$oitcHSBnVWBX8A_MR*GB#oLx%+b8_%2OIcSb)>z>2m$n0=16B??mkRYmG%ti^
z{?9QVd!}Y16fo*CUq#Tl?5Tc~)Xl-8dmC09al43311nNj60VySyU>6;X@%{nY~=S9
zbeVnejoxxgJ0!adu<C-PaGaunpHIpqy2|=w=t3ne-YF<(hfiIXIKLp`5Sm43O^Q~3
z_PZvQ<;T}4lUTXD+2=|7z8lKr+Zxbty8M8`>%g9czs4pt(Z*ix^Sfb)sO)EMVwA16
zy-5&*-JNX#(+w2B2_5omv@zX?ZJa*EGs(Sdy4x>0m9x`}t3T$lnd1fCpI0m+yu$(~
zx3d3Th|vZrHhh-!VIqCx5SeXKEZA+RT38~L6Ma(;i1T^(fAh~h@PGAUiv}$es-oh<
z$<FQj>8UY*`1tq_G-Wb+hZZwb8+mjEzLSQY>%G>vIQiW1?`McR-Tl9bIfABxRn!$~
zPzCw_9D7%<H&ae@-<>`9J!;m~wD%r@P}tcDc|$j-AB6`T-KASs{h`}>QKUNpE92<m
z*J<y0e>-hJnlg;5qgQwvYb}V#&0>)=an2&T0&l+V80)y>PyiqRW~Hf6fztDXe%E2@
z<`KCUZzIYb+AQY22*|O^SHk3lR+iRf?c*Nxum#~;r_+9nDKu7JWJzOO%xTR35Ss{Y
z0i;@X)-IDVzBAA}DR<F4n7u~->5Y73=@h+-QAesp&`jO&ARc!l8>!iP0TFR=el<jv
zQWz;$3D+e|$2AXK`$IGsH?f@Ud0{D0AFsP&?(+L{c$_7Qsp`g`3e>yEkCk*gG(YY%
z#|L$BZ;JS4c>1>fYd2Z$p=?8jqW&PZKrmPQUX+s=Ln5abKl3GTjwI(%J8z{lN$*p$
zqNC?#Ar>|zXRZ2YHmJ&eYyHHanT+Zu?a}-C<E;YaJ&|%qubkn6fOL3@Oq~0*hM3!5
zqu~V#U$N$~_9Et^raPo40ED(02W?=%3>M5E)80(A9*!YM_T1-EJ@<alkry6O+uMm0
zfCVl3hlR+&xF13U*6n!5NOVvc&BOQ1rYFi)Zd>2ga&svy1xI`~=*oT5kfL){y~Ht=
zDE0TgJ(UlmaoY_i1O!CNzvlz7;JUH?ky3RdN(q}WDin>X0(XAZvK`yH1TSBK_$BpQ
z>f86eF84huVGDU@WXEC>S4M4VuGk{(cmTOxNUgy+sQbZmDP&7u-=z#rB<~wgdI2B;
zo6&*1sIE!Ib%~wZMINUiOvd;yka5MP7EOzWafurHWp>r|btQC^hk}(Z@7&yNfio5i
zZY^G09&>%BY}??c%8A(l3N+paa?EvP-W}VMnu9gC9xBz=6pvN;6xM$7-m$84y_en;
zjy8~JuAoTBE(j(Ktf3Sf-S({*dcNU1O^RwriHufaoF49a1Jmv?u)+>4aSPTzcZiF>
zuii=HhOp2LD6D`mo%s`VJmfa)J)YE&(S+o25A>pxqssI83k}9AIA3>H*btNL(`A>d
z6@;U=tKR-L1yda_KuGr>WCKxURm;XwW>0ZFBA`!=o}{zp7f0FnpUG&7fEzaKf1iv-
zCUrBwcu0pl)*1htDVm@|K3v;Rv~eG}=y-Iq`pU;XWa*;l9<?>I!fO4Hw>95g3M*6b
z-TJG8melXK)VH5*XFX&U7<{{Yua?4Hsoj*IB$>4AZ?<fBxRFm>PwVYGn6vSCt<BHb
zN4(yrwXHnX{JgTFQN_7nEoY8*2iXpq(d@?YH{ZyI>ok%<@0*p#Di$cD37BhL<L)*p
zShZdJ^XS%gdszxrV5&#uRI6W{gYnOc>zRPyiFQ4;9T^X*iGiDqwO)aN49TXsGFHjV
z+)9g1zNkC5Oe40m(sIH~8g9iNTz$+WR|ZmX69?`d<_13Fhwf@K%NuLBr65P%jydKy
z==`RJ*jk7Tk{}iOl3ami!C3j#NVWjjIQ?1I_JG8lH1!5f@pv64vn!^8@y8@Q=nAxQ
zJR&ZHt(GG79<KWx*3{V;>g8VI()hugYJN>5cQakm!K0$AkY%Bm^|Rp+(QnqKzi)pE
zm($GOg+Ot1$qUo<DJqdnPPh`l(2FUfbNezf%H8d*Qyf}FegO6PK)i{o<I>dpz#B?g
z%t}+<ZSh-L0Rm6N*V~*)*nv)vsG{^WX9yduPQP?cdB3Bve4MRhYJRF(c1f6XO7H5<
zRj7i(uaQBv_jOwR?^nzd-04jf8y;pUuJePo19N`C#2w;B?pUyxGxS+bJ@gWw{$>y1
zr$LM`>IM{!pYxYSe1i3lM1fqt@x2XeeQRlAcI$vl;@#&+SJr`7!Ym@juu5tU&3OTI
z!8Nd_0kEKJRQ_B(&8~0Q+KMUnAXXCfALkGRMITf@wu12oCN`ws{?@n@-xLsXbAx16
zvGHsJ3TdBa4C}1;o3bFbxiXjyQagcZB2PlUM3@P(_*~6SU_LTIU?iB(2W*HU>ov2t
zHns-rsAh5R0qGBqMf0*wIRKmZ5PABaV`-6^fQLP;jaJgh$X3^M&V%0>FZYz=5{`Rx
zI(}NXtnAzp$8YmEx&`I*d%)21ot0fSeojnlyji!%#&Rus|7Oqi3P*=W4##4*4ZY^y
zX}kk*!<AX-u|hy<q}D&jy3Lm16hgTa^CBcc^z<Jfvk(^O!P;#m%hGdq>S^k)<DcGt
z3xGNP+?Z@x?AEx7CPzm2vRiHHO*T5#rkb3=cz@B7nYuK@s+XpF&F^kE+5wW&ygsm~
z0g%OBLAhY1S^z5$Z~8-pGOts4_U|*luZt-v5!WYX0Y@$e+fL6XSK?bDdn-@R(?L~~
z$5~Q;WOijW-FgGOi`qr5KDx8akE{7DaJfh#j3eI+11|ViNZ>1zMgw1Fn@L5^57cn9
zh9J2olXoSbAj<}>&Ei1m+#jSr>y@}?x^wc*F%$3avv&uIwxmsTCSTJv^R02N`(~I)
z6|bll_2^{BXb15t$zMMGjQ=3=Okt4suQ=gv6dinR4;Ky>cPw=YgpXP?3id6P@2qn@
z{#_lMeuX8vUr?`9U*h3c(U{2lpim9TRUD^csal-sHb{93M+7;1PWH@xwxWy^eVgxK
zra7hXIqSOB`w`&IXqfW`NJ}5+ck*X&Zg$tnTS)tWJ2UNG-o={dO`d!x&8fL{zW*W1
z$xjbYmjejt#ai~0MqxuoHY1yra<T5``T0NhO7uK3yH(P~-CTOA*SJuy``BwE8$>t9
zM^*F(fV8;QD49^`hK*?RlDRIAlB$Z}6fwB*YK^5Uk^h(nX)>4G)>E!b`k5Mt`ItXO
zmuWQJ#Cm?mr2eY=0T#)!oKgF5K6VP*bwlml%?l6AA(#RB9|Qz5J2V>IT~ABG&wyCv
zKNetiEt)m@D;hI!kLzBS`4w~XO^0<I^X?;5m1!ug1!58uiSpp|&S#^0vO<d%31;XP
zU0JG@qSwW9VPzngA#v8DM=f%4zAX&8{ZtilIFWx)>*r%?%WqRnkxPOi3g)fW`BYpa
z!d9@RDS}^i9UUcZX?&k3IVRmfzrUEtk57$IBAulr^gN^A$K*~zp}DPD`qt*-SF+ai
zKdyvUjNrd0)azgca!*_si{96}>BvWAwv}?^w<6LR;Eb}pLFq0Nn#R$hM59f*(tfyX
zL7m3ci0eMnO3F?u=hyKstrKLrfAF%praGNI+yhV7o%LYy_k6dh$e?btZH8(PJ35IR
z)YqN|bph6XCx-@6^CMOeb10}AN1g`Q^-YH%=WyP02kX55CKdZHy0P)l`#k1nkF@Dt
zV+a7^4Ns3~3BGwY8D4r__n^WV+W6gn3tXK(!x33*SLQNm{v|VU$LVgYmMTxaRcY<3
z3S6REqck2gB}V<-3W-j|a>OcWDr($pxPt}XS@x&^nB>K*)uJa7Odx(I)A#PoCU7Ue
z3Mr4WnpQkiJPOfC{q%S0^$goy*_~0M(u5Lj=bUs$h)l=`Kr4FP=4zb~3A)fKMic8A
zb8QtuQ7-N6f26zmelL;j9vp1c5_*_FpL%)b4&N&z>=?TTU5ruTgAfF~Lk+7I^(|Tj
z){z&sta^Ktt>$x2U{{UHZV#_8DzDy<wG*^Yxi>WUYcWt8zX-XYV5mOe0qN5)V{niD
zZMa@P@R?Ld_>wxGIc%NNEKm4L=gD12Xdix`&YD1Ky#|whMvja^l?HPdO!xrz#FT-n
zuVN}2OMH^zhOo}*MTu^UuZwY0@6o)|?g&(G2a+9@+o>v=Pf-I{pXIR8GoH=&3ukHZ
zL(=7bH{z!pYUA?QRiDgCYYW_7a4MIilAxJM=<@WC5BILMxzj7%8Hb|bT3%uo+gy<m
zfNhJqcMc8GjkpNs#3Q+3pFb<ciJM_OURR>b{I~yDcZ!$xTRpnS!YcFT9-*G&of!EU
z#|ikW$z?LLyb`A0VW*hU6*v^0Pje%6nGs9eIoB{4zKE4G!VVRcRDbx@TQ;|5XLR$$
z0<ap0_qz0n$&6%)MN#Lv7?MF{i&O<JbZgv5>%@QQyZ(KkQTT784wsWFxS1Vunpz$$
zwL``39&ON`%unD$LIb?;^1QkgR<3t+1YOM5k5m6l`hRNJRv&Opd`i?YHPiYWV#dhU
zkc4F{P9n)V7PN^9IybqpGZSop!6Tp3q88Tn#8@`czo~pK$PA>KxG5KV?wfHAdU;UO
z^3O?pl3a0oc^Izc^u4^IaehwO-E)17<mr$%HgfYz#*BgN-w`aMqRDPBZ(<GrwS7qM
z+Riky66B{ft!PoDa4A|`b_@}!KLU3yg82!{-WUZd1YhkK+*)b4Dv)u*Nn=EkB2@c$
ziF**(e@GpOaIupBybR%>{VO<(gMNFl97JHo`rcR58zaj2S^&54pn~-s8LyH7s?$7?
zQ+z<}Yh@rqFQ+yd1@+h{EX$TYJW7F<q~bCX8v0g{vw7uft}cyA1?lp?#jvakDj$5?
zj)%<RxRls03>#C>q0PqF!U$jY?+y**iHVBHe6R>r#?Zq-;U+)KuQo@~T&Ac*vCY*3
zjF-zMv|$w%7aLboAzZ*1jy@cba#$8H0X&S4<i0{)|2wQ8JQlRl@|Ei#=BN{8B9@;F
zv|%C$ha*x#dQbL+QVN9Ngj{HOb*g5(Su8*9>dezNv~-<?)!$84BdxTzBHggKh%189
zSuIkkH$V97^T<yZ6*b5WZkHQ-NKT>~MhtV}z`&uAHZZx}n2>I@iZusZND;hn{d$@|
zJ|POpN`F|XOHL(3MvIeE!xfLfks1;<uqM6LjS|>v<ZZ0+P=Q5G=wqbAsfwI!J!EB@
z>%-fOoMtwvx6m-4$wGgG*Id4KGPqE?=Rtc<AfcsGe@u4QR(XDCln0Hfjd~d&Az(4`
z;9Tz1u~UG(C&2KOl3w6A;)6c~yb7#jgOyE8u=aVA(RLG+axS_+L}$*E1NcftVQTk%
zOci)I<qc%HFx7A7paL<yLy!WRni#-fn6+#80#H7F%VI}2$D!oe-1h@3vdgYb<fV*a
zoq~iRHC9Pd-%Q{KuvY>H{uAI6%-=}vCGx+_cq8T|fs^(E=r~-ZZLH!u#%J!)@}7sE
ztg=?n^{n=CV_{`k5n1W--wPizO<BJRfeMQ%^%Tb)e>WAb6G(gvVGpYTbDynYWm93Z
zZD4>^Ho8&i?~h8aM*m8W+zh2Saj?z8Sf3{0XEj(O2@-Zn=!t@HsPOYfl<Ih3ULDw-
z3YELT8yo7(&&A4_^L6aEyx0psR_a$(PG_a%;?)N2^{d9=FBkQP`BpJik1=ni?=?ki
zjSWYILAyRxrU~4=`GjLgXT;~Z4u?Qb|B+Hi9UK`=^{Uy1`b~Rx85)uf8d^j4{|?Fz
zI3ynUQ^OePAy=4~e~z)&*3*L*aPQ+vVRvk6F+Opp7fl;5wXy+;H}Lh*dxc|!TczD<
zXQ=J>q9$w(zD`>OLVj)_!Vp!sZVL>)vI7~uuUZgQG$5C{@TAkSu{^1yxrUMWXYk5F
z<IkptY$;2~+>MC;?ze<X9y98Bq)*gS*=sgsF4fLdKi#Qui?_J>Iapje(8>@O6iAw@
zX<!t99D)+C$VEh`occpxHbK`Qo1(VzKCQN19k0FbX6yFs)5Dvy7JcVGcU~%;zcF)5
z4s(nbdjZ}9$W70Z%HYyT1gA(m2Rn?PfanB&j4N12+wsye3Be}D?wQ7bc(Ko+r7?nO
zqi(cD626=II_38XN&HntIN<Gj6P21t-y%8Bc>vXMZ`GmHofcejbNLJ!LO;8&Apy`I
zr6_lvGqRfR;Dt#S==Uf+`31A<{ONuGH-6s+H5nq(r?^gy$=`5yRnGQZ()s$kY%)==
zs6;Q9ho|*2qFvtiG;ORH)_8<RZtfpFaubyu@hP=+eojksl2u{{8C9dKb>+&bYx^Bf
zq#nm>dNf{26n~}7<*2cmlbON{#F_2Zm2U+5CLd&`-hr2ltW8(ST0sradi}Gd*4O+I
zsc@5{^BWjHM6GGoXQ>anGaS+LEI-JFksjrf`qsh9`W~v=V_c7`KA%5cnD8R@*P|N(
z3nyCuA9q6ve;nLDcRdB&DC2jC=paJd6=Z7kE>%JeLZctBI0T4qR(rnEJYT_E?X`Q2
zm-j~Tj(2e0*g=mM;=?k{PwrbwdaQk|Ee6MW&;d&DULu7etJ}Ie3+bHX;Vx5}w==#i
zlsbvI<tBP*0xDOju3Pl5Km*Bl<Vt*HeV5Zy%DXNAtNnx)%V$M_#z6pA^-jq2(L&@;
zBB(n=7!qHwvZHg$RSx6-iRNz_^i@fJ!nRb=jPhvUdfJ5ekyhD_`kL#Y+~;P=5ESyh
z0aSY62)mA?rNrZ$!FN<|Q=b_XV3!kQAlv00Q0*C8X!#*evkHC#bQb2<sXMk1j{%R#
zF4oqCpXR%s`>g1D;HhKJC;v~rbB4xm;lpoYpTEkz^!Yx#??UAwDHKu1+HGKmSs3o(
zxC9I8WzW@pS?VH`8o7v$*`$U%ExieGGaCylXG~3T{>e(-oqJgb*pCk^NGI^hfAmo%
zx8ygYy*ExU#b2Jk?YZOVx*y;cRkeTnwcKQ%fD#vK9BF{S(_0Cn&^hax#bE0N{%&?D
zsuwNkNF56p?#q`o2ba0WIZ{r@LJWbC+kkm1fQ`iz<u&jVw&pw?ABvb&>qvaoiZZ&C
zF0W7X$e}-CeAQ5gKmLKDxmUoBfK8B#ZVHSmKwN8qbr~#HkNR9)ofWNO{r!y$)f1{o
z+O^Ta6oraE>zctgULsBx+p|xUjo4V*Tpi%4x(i#@7Bn*xx%iNUvz=FOxF=mBn=n8;
zjWZi_#wa$yJV}bHTc0b4SHAxGF(C1P^!QWvb+Z>I1-_l|`{sJV1*G=2Y0qw>=Aiq&
z%>E>nQ`!JB*cYG@)RuWT7hpqk1~a~C+=k((nPk2e0_hxGYuq>CEFk=vK!G{uVTZir
z+|_xrZ1zuMJ{F$zmOh@865{=D=Eu`DSB6u(cg^YCI6TM4R@RWA8W)Z0W55}^=R|=<
zp>DGxc@EIc7-$6%=kt1Cr(F>myX^n+-HQj*^_#Bp&fw|tN<?N(8+Dvv9jsSO8qPcj
z5urj3)a;^w$UiPXlY6%HvMZvhpp5`!14O(%`Ng)HgwNk;hU*wDThY;79E9y{;<Yfl
z%<6FQ-;FO*?)~~H=3!(pnM=HKeI8?A>(d4?9jki2JaBgiQ)4(sJoMiR0W<qFPO7Fx
zigk&d4UvU&WGpIGzC$61i1Refb`>G#Sd@Y8W^^dwM#02ZzIzdrdOL+W=WvH~JazDe
z_0e70B`30I3jrF2<kvU{ft#Ud9;I<Qoe&N>yLSPs(r8=)1(DtR3uKiglfE|}i);>e
zzN6kRASl7Q7acuW*t#_Ntsnckau}WTcR~&AF``JiV7<{#s>ISl<VbU4j-?~WZ-^7%
z&Gj~v`6f`2oYPXj1MtMHnqXNQn!*)!i$_<Ygl4kujSti$%AajyC0;t7s^NSj;)-P5
zlb^;d+;4m5sdxkAnolu^9aFym!posYF{YpQPSwk3jHZL9H2&~t$XZ%m5!Kg0PDbBs
zXhR6irTgtBZ#GHQ*v1x*E*IYPZ<%Ogv)vE&46$BAUWBVHB5BuE-ob6NE8B5rX@o^W
z@>XPpi<M#2{obxK#1xFt`;eLvw(#3CHfOk=5G8B3!(zO6Mg!a?X5pt0p;+VxxRy$6
z>d)aLTN%+S9=^W3F-&ghAY{#4X-S0Snh)OP`NQ{A`{N%9=dA#!yTLJXrL&QpBq&W?
zi8aeIH$eS$bcjcpO|+oX{Z@%L?gusLN*~zH)$CL<&nzQe77Q+Y4UuKL+p6FudVI7E
ze=5b9y>J-sSpDwfZrJ*{-@+@cPt%@e2qYatpFI@*cZF~9I=d$GK8D!{R5#h>{sieD
z-Fq`_gqfo`lGLPmN^13D=Lq$UQ45vM1@TMK&-1wC;eVgU$RgtukI{qwn}0+K|GV*3
z9{f%63z~=DR{zITzS!Tr#~(DrNThEgX}Y_(!!tk^jN1bc;X|7OS^O@<l?jxZ1S5+~
z$TZ|z%($u8fBh>EUTO@ndd2>qV+ai0eU$okbNCKcvr*pYIpW`c;{w!^NI>!QJv;%>
zNJ1#N(*rdet`}DS7jvm^a4mwY27&{36=K=c@;}&n&#)%fwQUe9Dk=(6qy+^8L_m-t
zHKNi)Kzb)C(hZT`iGuVJ0RaUh(m|T^p3o5xkQ%8Wq4$IuNQm?7Z|2x*?Y-Uaw`bn>
zm>)Ci2ZtKr=DFMTT;;sZvmxS3x!|owsWf*Wsz%YDl=Ftr-atohb!?Z6el;-WdNYJ?
z73l0W>R1<|o|CpBC}Q_uWZR(4b)Y;FkLM;viX<mLe^>U1=>Hl&ZyrYNS=hMM?dfgX
z3o_NQJiBvD`N|X8?q4(n(`c49HVlQ)3U5T=se3Q$-~K7pQ`+(7JPfL<y#2KAtVJv6
z_MFvp1Hc~h=8Gx-F*?agkhAxBd8z-4{q)5kwFvc8)tt#kqmi&1xE^n<Z$D-FrhPC=
z^zHBvS?vx)NZsPw-EV17P#d$0iABbxLY<DYx=J)LncQ2lMsHTYgh!jFfQcLrVD-B@
z((sJPZcM0dY1HM^?VH}9{-`RMd(2lINGK}X3}ML2<GEZlY+lY0_j;p&pDgSJ?^I+W
zFqh0a$^nGW1+C+5=f*=5dCYQt<}Ti&ai{(K^xooVW1#){C*`N?&jsEunT9<}*6?B&
zJ%f+F-^mti!1;RSoWC`P!d;n1$?83ZgCmW_WXg8|oZVpR7rj6&r!9Mvs)S<laypT|
zc_;@+ho>=)piYr&XF;!D`l;tlVkwUZm@s)z!4ek>^Oor&(|Mj@?wC;p)pexpsftcT
z_{Tfld^!uFNhN_42>;pvS)uO-AO~uJZnp3Rnz1bY7iYyA(_b{ELn2v$cF@hWby2s~
ziecfA)bzCOvxKC_-<oa(!!_~>+(t4IQ>&_>Z1y5mQ>KRy)$ABVrJ(1~rl!Td&!(ds
zbeJ+s3=Q-XB6xNn%S*y?sz}Ym6Y9fMAxD%*Dk-;l8CL9{x0GbPfge~egx)YPvAT0+
z^t-u4%ACH3yYQ~|ntHlsfu9nohj<)&4<mmEAR3<Lt3nS#C8NdtZyc_fEsu`ITlQGX
z@{TUpUwe8oFHXFzxch{#&wi951K{MK#DE5PNho;Tv^ubO0X1N|J%?Cx)r9d?L{}OM
zEeO6azx!1B1<gI4tRf!ks?oA7!@y;ycb1kAdJ(^pl$6bF&v?olc4u=7-HHs~qPC)L
zlR^Q`OfMt6Vs-{8sNFO)!cV%`3)Ui=6mfkx9p&sSS<#a-(aTr(Lu*UrRLgaFOZ6Dl
z>&lV+6bQkpWBM}5-kG?ieah>NpMN$*EgpZ}3#>f>^d8*M;2q@qI&pC~ZhmLSWSrNQ
z%jd13oKi`hKwgyh^Y<3XQO}d9#x)fU)HBoMvE>5Ec-?pxQ}tTOMLyo$Wukg<Z-K()
zgR$Aov62q#F+Wv;bURx~80zMdhew?hYFcmv#Yr;6wv8tu@d~DRx`P~FLAP}k?ecGi
zD<D}`>CUj&kGd*A8Ykc=5$eZ8)}r>ag~Vr59%35A0Hg@L7gjISgcuUanXr-KnTH*F
zl=kw;gjwf{!NMdJ0XEhb#$)d~f-Q_TB81eslyed%M=jphR*Y_{3QLu#JJvEoeaEXE
zQR`+Fw<@bp(64_M0onbdnh=}dXMocHvDuZ`A12gIn)Y-7g!U`+PyE}xSk{wpaMFVv
zbjYd|hY*eoVlZh}Kun33s~uOwbzSQ&?KgJ?ERqm06n8O+Sl+yz=@2(<ro5=?%+#Lw
zMH|NJ#A!h%M5ClL%to^f8egF6eSqI=VYiS{TX#QO={+u2wb-S6ndO)dXX^>%BS5VJ
zQk?L4dP<?FeaozAOR}=T@@4t!toIM8Hxy_#w1g6BNsKuwU<L^=<Fo@?`|e_BA+^i)
z<X{JM7}+Rx?8H^Gs83C=6m={r`M-`X29i9L7*<SC$QdCJ(@&D&{=-I%ULpM<ksY#-
zSuUuC%w~}xVI8S<_1e)l8ip@z%-@H3hKo0-AX4Z$=#txo8=b9N_KW~zvE13;%0oWm
zVd4-_(2Q<-iF&RYl@UE*Y`Zirpi_>{#eGK$f@?iS6g;;n-jGEm(!S!WA&DapAjgRa
zbx}x)sB~oKq%}&LHjCz-bdU;hEO2d@Fl*yH#=vy$U5K)uc-{qs!4YytumX8z#fZUp
z(*BjBY5PL1qpiG+AQYE;zo(I2tlVY(;<=Bv@4bvz5s~N1ogx)u%;T^g`PNY3)H~kM
zTgp5<vg>_A@oXHiu`y@5if;Ot&0)HFQYh%ll84}A!y}V9Bs~Qx-K<RqZxJe3QoLD@
z9-RMpi*IPhH*!hR*wn}l(jR_aNA5V&+jXwdlgM|W@_QwJ<A1?kkmm;uBZGb2ON^zU
zxWjGBv2iN-8+9-t=gA|)NA8*}4e5J<Dt)r#`75<<<<!LfO*1O<%_DT~(8e-p@&Mb0
zKJNq+&8Xc{BMr{EBrh);tZG#qff~$J+{>$d?IZsKdl%xtn}L0rFYU%+e1>(fx1jSZ
z&441;+FVShp(E#=W<yixr;Y4$2R-5Q!gR6%+P4J|F2!PRI>ap7m35u=x8VqB08P{7
zsL}|g1yPkP7vrge;|7hJVSbmL^US=yKyUU@amCp`c!t>)E{qP|WOxbp`(pg2llHFU
z_n-a6UK+UGR9XMfFbTx@F8ozgms>I&cGcASO<37?;V77B3h#o_g65UDlksj5CXw_3
z8R<fh!xc2Aa6m8Okitf;B(M3+&Rn3=C-|A3t}L`y6d1063bmQ`wsk2cEI3^5l0%kb
z+0DGl#!f4dKWw1_)<2(arAm288<FyfbPq-<I9YV#A84N2Fgp@o=`aJW=TXN_RHh`I
z`_Uz!i-VlnTYtrb1St<_3b|D7c>q;BXh{H&o@&}{Jlq8EiLP)9pA8$5s%2;!^=cWa
zx)N0yg6HmmdE4#9H%~aW&4|Yiv3BODT(H+s*01!u;$|psG&@~tMc)Cv(Qlm68J){{
zZUHX`xuE_f)VpnfrmyNGs7~#)c2ZiUPbYq_WJde7BJ-#uUH@6Eg}GUVr2`u#EMsu3
zbq4o%nd8eg!|nUUg9d%L*YxVM=uk!OkpONJuh7=IJw(=|+49!%plY7omc!ZW4dFND
z$6U|qp0oPYv``8pQEVOiFHU-SY(FHPs*p{KJT=KUxngSE0HB!X8MSXYl&M^MUvrnc
zEEt+?e9WX{1u1F)myz7hNs6m}hK@!h2k1bO0~&XEfx?5GTz?oFBovLi{9|obQ^RZ!
zW1P%>q_^fV?qAQD=~mi)NA6CD0o~P;JPbXr*^#hlwvtdqX|G5PN4aPX%VCKr9<p@n
zs^8<=-|;hj^Lw!zg2CdC8Q*=m{ry|6Yb&-KSc41FK$9Sfzp{E%qVcx9v?p80d#9pG
zfd>^~z2{vY>MGm36z__X3(Vzl^m{;-=qmB*Ah)fS_$Re%I$AS@<Z?!AmL^X=0{&==
z)m*qlAl#On6B0f+ptAV-6`?W!dGP&ZbRXGG;nC^X&kt^XQPYPRK)Z8mXixB9Pb}RO
z)}|^|gLb>nvAM=s17r8A#g!#nJ~K4vd>EMENYMSR&-jD+?yiD;9g-5{1YV7Y^E?cx
z;x9>r&twGflN_^F)0itsZ_-H!Q~PUaj*>%_jL<7)CMTFJR<5F+1qI&YA4TO99yzx7
zK*G7ChTWzVkJ3+GtF2albOOWvrsI{+a2N4MGk!KKFKZY^=t)?I@>a<=te%j!xoGU*
zB-o9;;+?p>%2In!%8!8Cvdce4(Gure?mf&~E?#%Do)bsPaR+_l$qq;$1=wv!uwT8#
za7)~*;~Qu7ZQabP3Vm{;_9P2j9C*&+2b^$RlzO9DhgrhF;M|wnG#tk)b1yGel!I*7
zhKHi5vN1qk^Lq97ts2<1qC~Q`-OO+iLGQ^pd2IC%B;uz*Dt9C+!kZsRqAz;|wW1kB
zB@`TS8%eq25HHUrA8a_c;|F(674_?$Lq+_T>#|C#c*oUVsW`R+M+o4%-p6YrcA~ZM
zZKH~^gy5V~;vHoo=R)Xb`@Ljz_$>(`I_C0_)ivFAZ<yrZq^u>odx$;r-64mRuo0sj
z@rZ-FE!_(E4KzW~-)A!?+TPb>tfVmYAXgABUcNK8=L6}nNUK_QqaMRhuZVmi%aF=D
zxj5@c`^1a0MnGi(!mtX%BTrrsGOj~tp@!Pqd#e(lImVOU7{)KL9wlTY0igIBgwwBp
zEw$t(1rf_I_>j<Cdo0V&gvA5(At!mBEH6D=eobhH)PlgGccq2OMu#3$xMA9*D5J~T
zoi!|hQT^64xT-)=rihtphG#YMmesPOl8KqJ|AdyzBWW#iC5-YBZML#m0!<h?0OJs0
zI1(-S5yf!O&v^#U;mFq6R>Cyqz$Q|iL%P3jI#ekvw>J92v{iDxf&SFH@<f@kB$tOQ
z!Z+i1d%e#brAQXB@9`0{JQPoi3R4We1pMG{KXq*&+v5I$B+-pelIFN~@Ts`tH#p81
z$&B>|gzD&NPrgbr&MSFueHs;juV2|M6I!crgQYAC4;}b!^kf+R1c)YS{`__GAJ`<*
z{>(J_`Rvl4zWH}eC5!O!*-jr&D|Va?x4wZcT$bfbMR8$f)OYD>)-${>^u_!Mveby;
zdYc=g6Ief=7D-`{=i<v}eaexu_C6ngw6D%-J`w`Td?9Hh$6qwc^i5cjB7mI3Fa7IB
ztIP0mB4m37LZbUc!!r+{WeM=@JunF<_S~rj@FgVs%@Fj?6UqgEk#iM76+!&V2Wu1~
z%3%`qI6y-Q{__tPv;PZ`q7IPBS0G@h5ui6{f<N$R?HG2la=-wbz7jpQ-)U%QDNBIP
z&o72np5YF>;4rRk8(WlRp#0>(hW9niT)c&Mz=<oR`V+aL5egvpIp+nF#LKvw*@ocr
zsKGT#e>JealpjZG|M7mTZi~rV5bNkkJP^b>0JRE5pWA3)0fHV_gcVy+XPXd7Qo9UU
z4NF?n$Y`*%V-Jg5H#2^HJ~9<CB#WClN|k4U64;-Ro+nFTPpl;SPbazO92LW-CoH_v
ze7x%^1L)rPces#^GfkZ$B5%J8y|)?_H(f6YKsyfvf5{&WR)3l71It_<+EkPvBG=Cn
zlRDDCuux!$fJcdB9>vmA&VHWmbe<`Io%t@hSyGhk26z+`7_rhyo#S7!lQZKNH$H%b
zjXnS|5e9GDN`HwuFfAW4Jp?G(2?v}fo!;>EP;;mAXV;A*8=GWwyok_O^)wH8dheT6
ztI-&i5&jGv3S!#z=g}R$<)@Lol6>QR9cSY{APrbR^4KstbuDhxyMmm@TN7@~tp71p
z(3bo7nl=ylIkjnAw3Gfd;C@xW&Mcd9eZ-@~xHyOW#3b7(+rn=XrC8{N8|WEAA3ikM
zpzUHd`+ls9W@5@RSGqE8T1yk+?kVI@H3d<16jG4HWox!X*`s13h8)|Q8)YdX{Tf({
zoyexc#Wv9(P?c>kg&t2IW*XWCWyI5lNJ3rohj)7DWc(C7pE*DOP$Bi|en8iCEYp~a
zZNg(QD!>R@i=Lp{TP6XLSOFu{V*rmBdaRSmY#U0wuEt$P)VI71RUCSpaC-HPKj`NT
zvTP@-`045C=Yf}4PSIBRT|J7Y&=VNj#?vZstDMg&qfJj%ByJlKPiGcso+`T|YdTT6
zw$1M7Zu^`&=*7L+`5CK$6~#6q1K*?dl3EFrN-SiAk~FpS_I^9dt8+i+PQ0TZO^gt{
z!n8%-1ngUZDuFg4K-4baCSvwtt$()Py%Fd--;g4gS4vx=M^)29s}Q*YIl&nNbL3P3
z<>TCW3}&PWP&?rSa+lA+Y@&O)dr6cVT>K~^h~n!FenHmipFG;bR@-6^T#<D`X<0Ul
z0NK+VdVTRG)JIOxv1}r5-u6s!!!o7T28ka<Du(u<37VkseM2Io1u}+dmR<A74U<H0
z`H43Y-LYYn!jIIQdd4PyHd!U`>TXFOohB`^PWcrw$(7Xry;0zoCG36=0hSw<Cj{-#
zO|De~A|gg!OggkbEUjO2xbH)CVyw2Wc$-HP*F+!wY?^q}b+snOF_I|tEC!DVM4cgt
zppKCc0Hc%`=>cw{|D0lOk(c_e0@!?LV|-fOV4bJ2I`Qhs(Zr3IYTgUQSIwn+^ng@9
zK~tN_5Bx)s4QNRf0qlhi0n--1PvkJID#v+kW{zf!=F}x*)&&ZMo&HH3_GGoZK7S0t
z%bEG5JSx*`dLIt<uXIX$Qs%3`l{AvTgsC4XJ`_<wV&x=J%TU)bw2kOE=m}{Wb$d`=
z6<5>1KMM{$?BBalpKH3puUop!HO-!9Q(0%1Zl4}Ejla>;%2>dn8)Rp*dvjZRtYn6B
zv)KaN2EdX^%t*N%X?I5^%!sE8pt+o~quy`D%pPzymL}SSuokW3q7AZRV>)a+Y;H7)
zgq!vZKt_SoR&*Dn0E_84+|1Kw3#Is$9JwQY(L69s`#cPuor13x!VlSoqyAz}{AcD!
zp*N(GS?$aAmI{QJH#l-MbGP=Tlvc^U^k>5OHtulqQxB85wA8v_EwANPg!<O0e5+iX
zr21#LPcEwuk|(H_C!(M4QQ3{k4ZIc~o}^8_7yI_P)`C@R>YH{`pyXmNO1q-YBa-fW
z-qBhrlW}s{$Ya$P#;_5m;mZ3+<aquC@+ZnA6{XWj;+046(?gUG?(?g;`1m88DIN1Q
z2(!E#IK0r!edHQcRc}bE#F4q9t?Kh@>kH8}2cahyuikBvyjVmGdN8EO&^v3L>{xW_
z7QBMT3uhgN7Z<PB3H;Rij^^%Mgv)@`AsmP{Z=fFY6qErtuabrpfnrcgDE>yed+rKb
z;q>LQ(pvw0(}y0O^zOEoFH|aHKb5Jo%=K?DX@5V)Ar`N3^tpkraCP+1AC-Maa=yo8
zd`dF7#n_^+zWj<2lr>QG!1$E<Sw6L^+ynE&=2JeL*-Xvt<j15N@Jmu3k{f!Rxw726
zIqdhrwjl%=?d$3dXhDvzEg{e9xuXKl_I^G3;&u!GA#v(r4F=ZaS+0j~7EAOrUkS5{
z{uqAy^;?M#ba56cyWOdSy4nUn|EDmx7p&?ZI*P^YW-7==;1`cR`-z_ZWbL~5NmqNF
z-@Uv#Ql&9*WBrMBcFfds@doZoej^V+-_g=MGIgPyUhaSmP(ZY98?Ug5Mu|A#l08%z
zRIa_j+MUc-y;yHz;c|xiwX)bFb)oWsyo`v`S9FwV{`ST6M?xv>^B<tp|4W6#3m$}$
z_3BtuA_O$%YvO!+!R<bsdryXhB@Wh$XY_dU_)JXkN;mpNeMR4+MP_4TwDN&;=0L!;
z0o3@>c=@D2u@o4AVoGU4jydL;OSYOfCO?)S$J+|G2->_6@k8^?A2arLm@mt+;*O}b
zB}TUTgoNXcR5;aNloK_=b~=q;^mhFm<S3r}d@jnk=1I-s>4YJp9f}9}kk$-t3ft$D
zWNKeRR`9>|d*IG%SeMY*1C^Z9?a7^Ny)bwC7foT@v}zPzOCI;ab;>0ljuA7^xMOo&
zPLO@RDR#xkF!^mHQ*4k*W9;V7bl17-EtXHe<T^*)e*CN|4d~2;<Su^Z+-2%;1Xs`o
zy9rCRtT^@@u;`Y{0#?i3$kT}KrP#-;kh{rh?-&CIZ@%_gIa35-^y-t-4lzv%lgKZE
zWrjXZdQ$NYB!0D}&EledRDRQvk7xe-+UIkJPIt+@%I*_~2Pwlw(W?+fiu26o*cQ2y
zWjr)k@+`O%KP+50GvFlrR#*KiZmM{0`m-48G4;DLob=D|5X3YK!Fn#SE@AguO?jZq
zW_0l<S5M~D81W)!Ua`7+XHG5{Lf+fvO1hYrBy2pic1s2_^Cu_(kaJ!V8BJv(P-9CR
zSbQp+$4EAJvxlvXv)qIEl)ZjJ^%jJL&R?07jrshhAcr)oF)FWoBi_-Y9MWpbMDED@
zY0P)4v}z4{5FvfF|7wSzHykn=Rj>?S%{?e-WE(b0>zXZLpePZGOLItCnk*Va6zSXL
zjl-21g0O%gHv{w5D`GttnV2wcQH!@c-p*9oK`6$Rgi~oBt?-cvHAKGl(quCWM$LMZ
z?YUQjg<`yMStd<AgtHxZpJHn#+aoxH;Bm2viY_5R`?@3WlJw)!&2?^Uw~!MT+ySf}
zXZ_@I?3hWvxA4}rCsfmiQQv#&-*?QMV7Ofrg}59rq6ix74_X+)jYt-O+cDxwoV{tE
zJVnPwcw%F8uGxs6M%ag~zmgVX)zj|j!zu*z1Fs(8eyxm}RR{vb*np{oO1i5v&nnqk
zXsMQe60X2Ua2yPkoyk1VQnF$H>Ku3RCO{)%r^r26sgz}I0e3K2c3JV*JB<10{@f|U
zfLEQZFZQEV-!Z$b)3`YCJK}MVs742H^#s<c^+i}3Hh)^je6t0_Vom~ji6EiwJ>O<x
zHjRcpH+;ONTUyZYEbNK;-L6?)q|Z`;x^jCBD#SVNy?)Y@JW24u=}9=|22}-6(fRw|
zvoZk1rGISL68cVM@G9?sU(T)@;UAF~gJzDevQ*vZk}w&c&j|Dk3!qG`pT8f36hJuq
zAYj(-%ph4-s-%1ZN+kO8%^N>e^yW@>LWNtLglSU;!rp!s0^O>@-**1i#p2emOKx6<
z3oCAttQs;J3h<um53)#3mtpCXbnD9QDHeRwnu_y<8jWqvy$qAV#-=Y+tV&<pI+t3~
z-O^|nw#sE)O#v8q^yyW*_o?V_|8Z0TL@|Gal*ROTY_z;mrdNN9EGTqC!dIq2S)p6Q
zInTJutMt~BkEe&#Gh}$J_|WIt3Fvi6tITmr6H*6$8e?2Ky6_{mVpZs4#_)pLsLotl
zhN_`Jlef23%_X`Qx~M8@ooMf8Dq8yBhEF9^`zpACK3HBMU$|&~cTW7&n_R0L3kgFm
z5BXA8?x^f?DWwUq`^Qec7D}l+$_N-CrnHS)v<=u%IS5f_F!57Mn2$BjqrL-@m~z*G
zRlBc<*Cxe<o_x9hLE>tB;6@71BXFwgJTr4Y+$|o>>edadSEyyA?ZS3?3S`nFRL0}H
zbvw!=Ub>w4k}$K~oG%KugV6mnHZ@mwE~uVJROb#<xOk|M&-2*n!@aK`{nAu7AFau-
zTE%MZO-lb<&nsp(ILh+7nx&oFGG3A7>QHq8=pk%rSvb^4dG5S$y_G$VmUqVb9`9?J
z0?%JGoPNU3aO*7k7LPP~V3$RX#BSYMY^-T~QvV_AcIKn|hz1Xw7wyS`Dk?H}i8>>@
zA{0If$Q7Oeswd^WaGzy&+oQ}diTe7`YJiGAZ79q6&b?0o_V?)%8ZX|$`neF=5n(ff
zRIIbR`zztTRXMuInrn=y4;FeEB%ER2CKkl!F8N%tTZJWk7fCE!wfoaf|A&c#T2Q2-
zLIZ)7fcZIF6;HOctQ=g}PDpvFyE$oe@>$40po>B@r|!lec`7K=KOXLpYoY9nx<!ig
z{!FnWAVQzVj1;<)HSha=<TUGj;B-y!>juq<1t}MLr6@rCt^yR&a1X<Ls7Z;R_D{s)
zyK+ivLNHG*AyS*~WOTmzJQL4Y&9SqPW59rrE+7{p=encJlOwhu-jf5CCNr?{NacD0
z_^mZ&gBQ`3#yh}03NGK75?@)LGdkfNaW_u&CcFHLcc-;EFrP^eI@n+cKRL$&yZu<8
zaUrr!P><*CUGAX3!ZX|jH2Q&OPF^;BBrH{Le|WV+Jqu$2*LxHpkT3AJOLX(kXahj&
z_wPNTcE|t4IQ+A*`2WMdZ_=-8zz#@3RO&f!r7(ICPfsQZ)G!V_fjgMN``bYK1f8RN
zAk_`N1jjZjH>E`ck##4i0o=c6(1D1*|ES2x-9<2Kz~xRNz`ONkVb~3b)PA^S`e6p9
z+pqlSuw*h0k9oWy_om}mr=<{@It*L~WEgmJCi9QM5)rTDt?>P8i=IGt2=kP&orjdH
zVh}j6L_&b~Ew9vGd6&FX?16g7xqG|`=Eu?~h7n${HV{*T(#+3Y<XLT8J?MOR4q95;
za7fu>(_wE~vnE8<>gx8@NHw0j2JGs*q6NR3(WCBBpAwQV6-rGXT|KPRfxk6c@~c6Y
zOCyBk&kU(LGLkYiY5~lHuNJJbwPGn_+RPw{e`B`azKXHtJxvs*!S6mvnKnxCtfiOK
zs7GmZA;aL{Q}D2a(&NYX)~>Q}Tk-Hj04cV=uk4?uo@s>j#5lrJc3(;W+-w#=wkE_f
zoI@oN-_J~n8B_p}0~UKpuCL<EELUPzq~h$Cq`q!HYeU*W+m3%Bq_d-**Yv)kasfot
z^(7(Hiv&(g$crJpmi;|#*CM)lkJ2=DnTHXCFW+p%HA+uoqK|L-RiE&z28`~%ZmWJ;
z!?gWT-|7a&3Gc9))KwC12oFGd=Htc@%?L&?kdI)ozr9>DBB{-$SOR66e3)bAn%{mm
z-eZk^O7JBEdz6*D9-vSpOjJQz6XELRgroMk05J{6BB^z!qQtW%+|}XfPq%1|zQ0rw
z`ub-7O_So{A7@H+FT0vTQ37x$rygI=<T4n?3Ms?a^AE8(!LGiO)1DOAVVWzx<f0=$
zGS!<)s@M8a?5A!o65?i-q9GS{y{_UqMDm5UqT1{WCxZ||Q!w}CR98z@(jB}8nB7a-
zwC-yR2Px7J<1WB}mtxbkxYxt+aLzmG;*a)Y?2%SH3yPTEK8n8EL_g85pU4yI0uTn6
zxlkYO=!3=+vD-x2Bg&OOPLfObQr;i;=8xUYn9){N`t8Up$9?|98vMtY&HfJM6-c{K
zR{=e8^8|QSjZXh}zfrG-5z}vZ7GQnV4o*8m=nt0wUo<r%Ek3II=x%1_%^jlY&}TpK
zJx1O0q^*JA^*hq1Z`WSE-bnuAqWy7eKZ(Lu4}HPh%dpi$3;F(IBu&D_*_QsSrDSZd
zyg?o+x<GQ6t(0gUq&8kwQK}`ZJZh-)PQDaY?FE*)xKfYnAFDTxZ%gAF+>{z4!L%!f
zpAx?JT(4r+<y+u8b_=C_SlK7efp6^m-S0Nf?@ZWp+*Ah(Eg#v*t->X!3)mGeme<s?
z)BGW8g}d~pNjVo>l?O$j*M~(LO!w>HsnGHB6ZbK?Pu1v;;lr+{wb6Kp1YC7s^K1r%
z9vXCp_$j*=dcn0~#9Ti+RE<`T3wJl=Cx~~)sud*}p89n0w9cE^G5BvTVnO@@s(yli
znyRLR>!=sFp=V)Rlzy6cfb``vpkNZ#pqUM5pkV-s7?@RFZb-v@w~s|m>E35Vm>0%n
zbVl{!&W^84=nL62-t(d*3+?&U5EkNrc6QsYqj2HuD&$_P^PF5;lk%dP%TJq*g}W4?
zl0S~gpX^_b`Xh0KDja}$FYMnG&KKM@1ORa9_-Wpw6zC3i%<Rd4pBzqsMVn}uojx&c
z9x3PRYwu+9BsgK7^}_aP8R0<hUgOY~X+e^^>nuQ!*i!Bl0b<pHK}DZ8R7D7R#!YeC
z6~8SL3Vy(PEkj*AI_kw!GW{P{@9*c3$p9n=-5r{nTHlZ0T8T#W6<{3G&gM~j4l5LI
z5keA6+w;6Ep<I2fZ9@lNa#X*bA6>Na>*Jg}f2=9Ww$dG7gKXvWZDPBaFCCt4?Cu!O
z{WX$-H>Gg>nlZPFQ51^nF=On))0u@v@b3=AmBNWl-@|HON|mK4V|T??*#RGH3!Nc9
zp*~1aCfIgN^EiSoVo3$9R6dly>5ZX{_00OA4NfZ)t5^}<a5gESS`&`gZ$bmn@UJ9f
z3zGQ;F_83V+X&HSDqQ)gH#&MZzkbjrc<xnJ?=79W+wbQx8LrCSZZ*pLtyR=3Q&*_4
zOst+y*ET!Y+|NBINE0S>&V+`^3liCzeG+y*p%ZK!i?jm<w4yoRVyXqj@7G>K(v)o&
zbawl^Fi-&DJR{`=v%CTbOP*|R$N8fxg-taCMAqB-?Vb0sRqt=zf^Ur(=ex_N-D&qN
z`OQ{b8A&Jta!hf$l#xdH-Lr}>hE~yiBH(y9SeTx<fdp{ZBbq==6;;*MrFBFV)Ocbl
zkl6NAD{%V8D;8&9k|E&wjbk<k=9L6geM!wFV=F9NEGR;^osVMrxpr@F$6M9=(znCf
zoDan7!Z25buiaONB;|8e|JG_f&PesP9IeK|zBwn|s!iO7ZF<UJ-%vRk3Gin0xn<e+
zU|XOFeRF&qFT6rE4`(YlpU*uL^o`d@@3)SGX`kPqi@(}i{pT5VjKgeyulfGzWgzam
zY8J*NRTKI$LLaX*{W)WViS~Dkv~lwHmiZNb#^>K&w8%FKzaPn*{t8KqFyP0CPpOp@
z4R(>LRIG)&g2I`F1-q3c+oBK)09??HMy2Tz<13Em1xuh)4Vt-rmk3-jZdiWZfd(V4
zY+r^+W%7qplY@6QE>xn7XwRuHvi2$aB7gJXOkxp_geuW=W?REIYExiEzi8Nj7$LO3
zhp^Z&4rzh%G`%8esiRAGSAFx{o#8L5stxl4s=1yE#`kS|q?R=}C>phb-b)Ysb}mdh
z9thD-0Jsr-Zxy}@04{WW{>L1>KZ|Pp-E3U>wpsMto7MaQxnmOUr9eY{|GM(uya46?
z?fRenckj|ypsOfmb3Zjw(2RFO;{&p&dQE-Yp|9{GjkBNWoeXXh)#A1$pV4C?GV#bj
zp)688u7%{P9;3kDdf3>zzU|%o$*;$orOzX_q3eb1vqZks_&8ro&Tnu1{edY@Z9q;o
zg!W7M8U_pBmS=&G7(HoY{A>YMa5xj7bV0NrG*%~R5%rUy5rwf?E)U#k>LP;$KP_L$
ze)lE{K(*sln-pBzN5PE3FL7j9N6?s_{ljVR=WFBF%T+AQ{JdXG)XW4vxcITe@wW#w
zH^F7=Fo3yw3btKC#YpcK1HKVOY<oWnb!OUY2!{zrmp3rti=-`3U#rWbD>tve?KNC7
z=J~wh{U?`7izhd1?yEOhRu1?Xll1a5i5Zx-t}GG~G9=>mEJqWT?zo;cWvb4RqwGqJ
zcPdk9{&~qfft!Pa2qedT<KS4k&mZQXjSk|WfQZWsJWf6Zm()B_LhENbC`o5=s>1&w
zrX@Nz4Ecm?H9o0;N&S&zBeHlhZnD_xBoRpEz(OoVN%#Cj3;S`ajSd<XBHL;WLq#y*
z;E^<PM@@|J_qeQEg|`c(LqH;T0%;q6yCo{&Idu@C(=VDsJ)r7((V*yXg763%XB+I5
zg0m_0CEhV4GH2qz%qyb-H;05DCYp*yz{}@`Y{MT(Fb3BJ%IGA7_GJ?uL_H0JY7&Ob
z3As@cXwrj*J4Id|_(|h&b4!uR3w_bv)@&+Va$(u;zQ2fm7@L`;)OY3M@i<zb5dIsF
zSxYK%2zXc)k|RvpP{tAM7yy}vLt_7pVflYzqW(;W_Ghaow`!cG!g7g9tOiZf-veiJ
z3+w#W!fO3j4(K+p)r`0X<P|`h0Dy_xn68XUQLk0h13Y~vp_i*P$vr}Z+1Ra__$9~M
z-yYG#B<*tT4bO|wo|^tEoiU`=y=OzuNcrjJUS_R6qM>eM68@&Gx(!1wXDY=ih!5W-
z>W}v$Qln19_}G-9m?;bmLp%O#odyKY2%b@Sx!hi-<b=h@7Y#%511Iirjh}EMZ8Oyv
zh1`y4d%;9Q#{SNFUKDKatgFUjsgvDNg+ptb2LT?cz1Rzdm78y|O!Bn3J-C!!i2fjz
zL)q5X+SdJLHS=2a8P)>z>kpf5)8LhwzfBD`B4$8=q74^j_!0Uc>=vp9!y>zmk;bXA
zCY5ddqH(ORCQh8<eWiAHmT8dPpLg|v?$*xcI#bYE%c_HSi||APZ~%OrHar%uE)@Me
zATVsejBJ+7@{4Yfqh?Q5nAww*RVmc1-&$Wm^Ninq4us#se=hO;J-!f(hnV)InBuuu
zr5P@^ftLS$i12?qeE%PNhyGg|{$IpH|5LA~zb0|&j~BA}Upw*NOlkdfoc=maK(^-p
z!`6wF>n>5aI!LhxfM@*_2^d1xXx0P4LYY7O(ddxj=r0=8>IO$MFGD-S=jWohZ_=B4
z>=vuehEiI9j;#`EmxXQUF&OR7*OAwxoN=r;vpEh>k%d~ern-~Bs?eQCaK&be<X!M3
z6i1*eVtrMVDpH3y?N!nWzPuAMEH9UDC%YT??U}T!dz;adP#T8%SzafapeTSR@DgdT
z1>43Yh8_%%wi{OkV52yQLV8uw1Hx{-@rv`}u`J?Mm6%B>qjS&8ljL68G)eB!uFVpp
zn;_+zt#tnMI8=PjvL#!xVI!op4|9CWL=5Hm@nf1TG*jgJ_g6A`feqfs9x6SozwSX|
z+&l!63-2knbv*hAq`4IdaBQjS9#D)U1Bi-%c5R4oz?dUG9}V3c+n_()m2SFfB!#*W
z4Ra6UtF8E|T{gj-@Hu+c`&*L^YvQfMKEkon)<P0R=mYTT*MXh=KL!Gg0m;Kn+9NX4
zR#G4w3JybFzC{7gII@e<j#HitH|UjkIgw4`x)-3QyE(5lCm+0QTa`N~;63w|Jz;!X
zOuVe)WcVz0f*tSK3O?o4qdL6iC+&{!Kj9VAsyzY#@<=e<VTlxl>j3wX#urrl$$n3A
z<psL7>c>p4KXmhS-`eiz*06O{Trn&+THX|1hr$yLWh~Z5q>xF%n^k1V?9J?Iqr-Z#
z_ypB|2FUF{N38Y04)%knM-c}+<^Wh%uM@-xB(+kCXz?Yj7TOPpe5i8a`M%)vX>)tF
zt^4(FzcK2MKe%Ugrf~4!&RKT9FZby!0c3D!`zV^#kB5M1x`0~+F?uDokj?8yb|=nm
zuDPYqsRT-0AHVw9ej(BEgN{*u)Xi{?#PQ3U>n?mn<JB4Ua2Hr({ErV^cemZjJa?B@
zJ(5!Fh0@A@yHU1Y$3d6OykuLzS0<PC)3{?4s;k)yDiW()Yxoyq1bJg;b#HrA#OTLK
zONo03RuoGp{dO2_Wt#uie;6Y#7tNLupmSe4-hHc=suLLn$;M>V-E1Nuf6-i*-2a<$
z!a$^frtdf1pIasCk?4a%0569QrPxt_0xG`90tA@^??5>pmBAew^=5M05VRyvYXM(z
zExv$#-BR;0Nyv!!)<dc)8pbZV7m!rtY0q051+(Xgxm~DkBM{w6g6(}H0etyw;In>W
zStNKXl?fy7Y>(Go_uXXla@DUigRRvTWriGLwURY_kvHZv8_d2ht(1#yYQLYheQ9n@
zDBjzy++4OPDyrNX?oY_IJ+g;eR1N~Zt{R!0{CtxdPz>J00ez+5Dv@6_iz~BKDu`GT
z??(qvx&xr$oFE*8cKJ3*yb~W&1gI;j4)4mWiEOyZvASvWms?n>I^2jckstMS=D6UJ
za-o$`=)f3mOo}IZwt>o%*1Gb&GTR51r~*Wlc+mUn14Y?Gg}Y|?PA8>eGt~C!X=1a2
zjgyj|*>Hb7!7m}BkTKy#&M9%nQg)`~_^%4ODC}x?<=P;7!S#dG%A-=CfD1MPDp&w`
z4m806-`;fwB58UO<`d=0AeG-f97yNTv6~aPDu$Hl0NhcFbh^dz^HFVNUo?eWkCai}
z*!w1*5%BUezP@{)`MP)Hp9dNEhvAJfl5VcC+=9Qf0F+KgI*%yeS=GIEEak`?j%}q%
zT1LniJ*~C+cdPehmx$<uA(8+9qeiro0!UM57LW;P(pG$vX^y>8OL&Y+>P^HOp6~jc
zsaCjs`^NXL_qe2^uYYtYGUdu0$Np(*|M*niu(c_I=`1cLJkODBF^re!87*&4oL=?m
zdo=O5Sv%oWmRUrrJwvJS4+gbc8~r@>)!7CD#Vrb$-<bhGH9{+p{_j=+Tn-cqr|HRi
zH+=+-|Ml_zvXp<V$zKQJf95t&9*}}dC?JydtiN7s0PioFKm>I}_C{ldd1Ll&^i)Z>
zRr0vOU2AKxfW|Y;S5Idz(XN;L;cNKO0ZPjqq;x#&Et*gOcu!13=6W1*oqios34ej@
zvEKWHd_IQmv7V~-wUX(Wjmbe}9|ci_K|$~rC8teVXAx|E>eWDbX@)2od95zgc;tE-
z-elH3Zs}~uaIDUW*M1d`og+y5)QhKo(Il(?qH#tXeJ!aYOh?N$D2E2C<scQKE#Mbb
z7pa1V`5GZ&l7i~(#hQBMR9@LkJc#57jzI3{DRRSc%76v#6abQ~<)nO|^W+YmmU_hq
zNpWe^?%<NgfUUL1;&G;4=MKp&b=8Q9)kaq{;>9GHDm41~mfH1lmb2lytZ_^>;l@Jp
zDIXY4i*pZ1^oJqOxWl87%#t8RQrW&9<~gA^JMkm@G}7DG`9hYiLT~%`caNnC6-|kZ
z@-Y)1-*my2mU>PP72J}Lkx6BWb8*p|s}>cGgDRL;s7phklzM^Ll5?-xdV5<Wxr$V7
zzgNgUs4X6kj7hDl8mzA*f&Y`)Oz0j(qS(FIn<1Cv?F*(zi-rUgz^4LlOXI94ud6IW
zrCl(YQx05F3DGx-elHj&**tE1ZSsm-C$@C4#n-~IoeM-*-)}oB8402Rw_Q-&qb>}s
z?GYpGHbz^#7%mNp1*hD}$~z&B5D4bo>XhiRzLBXUQ6120Vt-W*AXij}Y#8})#&vCf
zn@G7_pq{<XIqu>dX{j4mwyQa2Q9}E#>yP;7SqUw{E(8EQX0)5`uoEOl{b5BOlhtWq
zk{jx7%?NjGd2&Z{a77aRnX232yt-dCgBJ4jzWN>TI@|7<6A&>V9CP{1ItyMZJ=^ag
z(x9^L2lL+Gwtj@h)k{t>OG;M+84F93;?zoMOjtM19UHtFqAj>ZK3P4|B50ShzrE)Q
z^ozPz&ibub*G}4#wF{-c7#i^TqHS}(>{UzvSdk<Lb#E9&64|bOD2TiSCS(8_g|qMB
zttJ%xUo;sXi6?-b2%&ze3`E%;Nzm>;wvwhu5SnsG-b3J!%w7<SQP{OI%ntUlcCL0#
zxVqT%c!%%?&(l1Qn+3<OYMl7C=*LLDN@AHcME<Rrm<mD>jY9l*iWC7X#n~&e*(0b-
zZ)>ikbCcgjw^YyHoPH@nL(ls2V7}9Q)G>Cf=Vt-$gkP+^$*`t{<;KpUlUc5HNhABP
zOX{I^oMiU*xlGpWE*WVyT|=$WeMcpfqok+1TR+QxvLzTQ@3fcV-&n!&;=H7_h&K`d
z@(wylLtm()PSBJ0Y7$+yS0$d@lS-J_`mmJ+`uK+RAh7W<Du(V#&NQ3Ye0+4Ol|O^$
zfLV#>inmM%4`=Wz4JJWX)#Mf3s&#u$&#FDk(9i$6h^qg*&<Tq>M(IcKfq?T00F9fB
z4!At`I>1yoK$mws=^*V5(4k~Y)T2h&w$W1rO2DLf5CI_M125(H-2+^%2p|<5V}u+~
z-P59@`T;E*#~^c{3D#dU2Y~NJIR{zrq5bDy_?w-zgj<f0r6(o=2AHML=iCb<O^kb;
z0Uz~}@|kUUd6M`ekq`ds3SaxLIX#ujwv=y+Pr4e^gj@Ete-aciYPsfSVL3kWWg1gC
z6~Edv>r6`i^46JAH!*fUyRc3OtFe}bsaz|@@c$<>F(Ip&O$7AqNkh)LnMvB~w>snL
zFKGZzai7HSP}ulrO2MV%s->-*wUc}WqHU>phHy8+a$JHtV;51+X{1_}v{YSLV(S*=
zAq@)ovZQfYT3}h!$5i7><8D>&y6^Z(FLe^&S*u*#3<G`be6#ECv$bh9QcT4zPGi4g
zq#2>ZB08RGbLGzr^j{FJTnud7|HG9-0q$_1+Ao@J1uEzl&7>-zFJ)w~;}5@1l;`1?
zWnnGgGt5ppLiMj}F{b9m&MZoMEbBoVC+5Ow|9G?f5ydJn;gI+KTcOgQqwN1?)b-a;
ze@j*TwTS<cz4>cN{#ug1r}F+^I1B+#0ijxck}m<XS2<E5?@qQ4_yIX7BCigGdRpU(
zE>4(JI|BvQ@vke(Cpw-%``P8*$}p%+eAV;?$RrE22pa(DGn-d@3#3A{9X(E`G_nDO
z@}P*RY^kr7<C^%zg)=QPHn5ALAFRHe7HD;iNUJ)rtQ`Z|1|0q>G?~wx?N({)jH7Cb
zXIzy)f5khGuny-KA0H!8Vk`9-d=K-B=0$Pt!^nPuLaGh;u0n($!UKCpEauLH!W~l#
z`s<MYePn0;0am#B&BpGkP@@J;wPO_?DmxnOif66t3XmcN7pFXmP~(Xs?hx~wE;H4}
z+)I1*t`j-6aUiq-9?RUbB#5p>5`eZjaA>mpAt-dNKK=<=qAp?NU^|<xv7zT9?>k#N
zIZrE@yInE|jI$z<cwzolOLi2I1xWG|AE*=HuiXyZ!nrF*k=c>z616tfwh;tX!DKVL
z_68FmV>S@9aT0@l_3oMZ`Sa)L9|hoZy&xV)j}ouxX~Shl?7Vn={-)0X#MX9ycN{Bi
z#124-17)?N0h&eW4vZ1oTc46QICMydK$a3rpdse&{I-7n^Lx=A>(<TuGV6n0Nl%cE
z2d2$*=*(f!jJ>orCL`XR3acz+y*A|3k6$!`4l;Tph!5NTs(a@N-xKxJvjHlnX%O)^
zsSHrWmW77_&0y#XiO8PGqVKQ5pL%gk&E5(T#J|6!Bx9{&RtH~$9|hqw^4yT&;L8<A
zCWqvj(Mkw&^No}nMTL*KrB>oQg;U17g)X)m$BkV+uhxBHzTfjGAFsW!1b<&ylx`Ow
zLOhkJN$2HkV4i-_hW0M)SH+4<EiuGR9~03yb-rc0BH1y>(}ns4-zjuTJ!}&;xX~H+
zGoTd+ANFEr?(P6xSv?O%<WB%{hlG{A?eSjE0?mLy#q_=Gv}v_-lU+jfXEG4ac)GS;
z(`b|gv{%VCrUkpgX8Xg&VUd1!{PQiAQ9>GI$41L(_JeWzHSO`Dh3do~HWF&t!IaAC
zQ2X<53Vy<Ir-`|g9Rm7j7fb>=_|Hg3gBNpyf6;6L5nfA5xo6$x0o-sRU`_PM6KgcJ
zvg>p7t)Czo!bh-u>vkkEYdq4Rq>!q_H(V(lT_Or8P`?(<pwJfgDlAO)W**H2hfwMz
z7#qA_8#wV;Js`LN5rVvis6Jj0>LHRMSTF6HE-Y~)BOQQjvv(l3hk#1O{xA>$D-poa
zG{0y}aB%VpoRB|M$Jv!vY=nbH@{*=9%pC&gi11c0%W{>cww1zk_!j`@rF5$0X~Qid
zvq9_w5&hJts2Inre;(ApdQwDF`N2O=5<yaGu>VD)ATRoh#$TIyrD7v+ZsZLSOnvCM
zNw)n(lgV85532-ZgK@Tz4G*$4Y$c}IjTbubh}+Ks>D?9I&%PL{WBhplo()}_wI!xl
z5~#I~cu@wDP`f3|o#Ic$OBWpXzRi5P-~V#i{Ukx-d<xI=vWGwIGOcfRUr@~q_&)BB
zK=@t8M?Yw@6vR-JX8gf=Lo<!Twr^5&ST;}e^R99Tqz9Shw7*qmJFb7@M|wak5O`P;
zX(?1YVBPk#snV(x@%=FH;x^zdqRZgKx>W;vez#vV1!nWL$OgYyS28Wh39GKX2D|Ll
z+8V%JPL#^W7lGSk{q}O73^_>(rkT~~*i^?&Yj|#-^VVzSZpnlfK8*E{gpBcM5Rsuy
zZb%ldf=(`pA$Q^9&=We9Ba&BQE<EV1+3uZHg>ndTj#n}9zE$D5cl_qe<sCq|?H`{8
zj7w@z0s@6(@X=8`kmViT)|r2@lz=jC02&OMfaeU9ag~u#m_YZZr2L|JGz<h4Go8&x
zdbo$ukzf2C5<A<@is%ZY$G1VoaD{OSlPb5?p(Bw_J@Rj+s*25y*GKFiNY<N|;Qb3g
zuQmJy5LUXuTSdKssBj55namGB_KGa8(|g<xu9Bbr-+yoR`trU|LK;lj=bu;gpXV_E
zeCI_&??!KAGi>ZjC$0z^CRyZh)L=cU&B|FfUG4iae=qD9>}EHsOV6p)M{T^^v5B58
zTXOaOg1>0aH{$6JC<DNaTSHQu{$&D<m5R9T{#2lr1CT%qk>yMs#zkTar_8-X)JLIo
z4{H#f6dpCDZRqC|kA=#qAdbgi7wPMzi07(H3Ckct&onm>==FlA)Gol}E&cOxxnHE|
ze$mk5y*~KQ*AmF^{NrsjH}zDh{>?2_rEpJ604T^bAOJ??0%5xZaCL_NH-o8s`T_J6
z{g-w@V5p8RUgrs5fG*5xA1wc$Mj-Q_ED4*Zl8eJl&_7*X_&@xJ*3y4+;q9kRb>-##
z!yW$@OBgNpxmJ>i{+}ld{s;4!>&EieD*d%ef1RcO-7EI58z-V^Nk<%_p3NjU?jepc
zDf~pE_UTLI!xRe~Xjh!$j3g&|B>=-E29CpuJ1u$1y+6g7=?58B9FTYJs0P`lX?Xhj
z)9I&y#ia#iWbYe%?QZ3ceFt~}!S#UO)}P%;Wi&+tgofE0`w*|)H6O`<SHEbQo3PvJ
z;0-Y#_+Z*s4MOowk>cAlZ299*CJ<Tvp^dc#Ww-a4$7FBle=vVxyOB(Qkpz?0=x6CC
zs*MSpNpIanFW8rnJUAcu#uu7vpR4O0b*Pum%j#mk=o&NSxaLI*3T?I>7BkMzYmwiF
zS$nAmICZv?5J`CFNx86=XWWar=7}1f4zVzTCNe4Q^ihteyfk4DOuLG@N+^k;NZY#Y
z*Fkd{Ie++bnTRbMCHtDpBugZnvlPAE@%>HJMi1u&p1taZvO&pphW+M%(<2m6vE_rj
zl8_DIV%*S9&xg#*yraD^XQmeQ`3q4UHsZ%0r%WuA_>htSU_FS`OX$Zf)ZzstVaHa_
zrvL2qdnqw7(IqM>Um-kyzr-P8Q0jL2M<rf>MH_!8y~c^hUh)$pY2ynNAT36!vy$^g
z$k2)~Nm`_?qDxYo`eh!wHjjaVE;(Mr{1-q0Pw(i2h#<~1E{Xh5WD-`G)X1NyVa+dq
z{b({}QGQVL3c+&!GJxFul<_G=2bL(9e`C7%rnr4OxyqyTBOW^;+MXssSVTyqO!!~2
zrz#>IS0$c-CJXHNS}63GnvPwsG0sqW+e*uOKE9@$S(E&flniHeFr6@7f;f!Gvjf*n
zKJQvmkC|v`cJ7DF@BN?VKg)#+)$`ljEf|Ndf$^DyczkYDrG;J#igSp1c~v@@xzsTq
zB0fDisZ{>7IzqzlC_O9sDFf@Y-t}j%y0tce^zckF_Hu&>5x<R_pG@N<Ojlat%pfcc
zb-k-*6P1N)Pde&#vh1I|>Jedl@!~xCdrA(6PRk>yXdjO_?c)4q@X>X;xmZ`6rMSyt
z!nq`^DQN>ySc1C$+CtJ^AMrlmeb!-qN`NZ8Y@2hN_VVX6=DS`%7pk{8yld~g{M0vd
ze@?V3D$q~%sEndXm}s?R87SJp(nFRNuU3!V>dl^Gl<+C4$_q<+V!oE3{#d2nubf?Q
zkv~eh8C@D0<>y}DcPFO3!hH}W?2w$6fIG7B&Af<|Dce5tp<cj>v-{ze*_x5}6Q}W0
zo@jbts)?3zq=Z>`7@J}WUi8>e60T_2L$<11_^4$W>hf$mJ5cc9$?}POo!iz=qHr#1
zPtT=lwrD9H`FND04*9-+BAboNVVz(S0)!IQocDJ6b#V@(q{g=7?W18Z;p8F54z_wT
ztZ1UObUA>Dpcs@(GJ81Uc0sYDWpqi26O|FnZzFClkKmp(u}J;YmWVZm)1hB(vigAt
z`$0QX%nEFG{aC(CuOxOj+Pt4WDigrfRM(u^YY=6FwtV?|u}#V&b_rPyqcFhmM(Ym<
zj;h4b;CwGt?H`nTyh&PY*}cPzQxk<z;jb=3v6s8AsHKEGkIDKHAEC$yZ{|l`r@SDd
z+b*2Y7;RuVwb=T}UP4%Xqj<wmX3^1DB<Q~3R3v}WtDsv~HqMJhF$#s<RTtE8PcMhc
zHHvKdZWgIq9!_fkymAHRHrZ?g={gcS4&A*SVuKUD?=uoADwq(Gqy(~o1&KWKDYtb3
z1ZcaqShALnf~$2oxrEB^OnGacwM|^W+rBcW6TAEK^QF`D37BCPFhLz1Hj1u@&TZKn
zZD0ZlH>Vau`G~USboIzmpp2$F^{#qs{~%@Zk`#2DzBlbAx}%@O2Wb<1lXjh;7@g<H
zb$&#$B+L|VXQ~{M;_1q}LFO_k=1{0R6?i5#D|YKq9?tk3y(LRjjm=wz%!oieSb?XL
zc~RBI=J&#hHRtCwpa{qA-LK_NbY<$wBG805L(iewZ3U*iPRd<R{Ql8-I6#<3c;*X`
z;w5lmD3_4<k?6vBO*}m0UF*4|SgcNif$|C7_&qHeriL1FXk2}J>n428wd5ixw*D3e
zb)IV5?q)QEEQe4SLh;~r4MI$72Ng8p2eSRVvaMC;mK;6uUEJZ4s!&I@&X)=FhV>Xq
ze8MF5eS$gu69G*<D@SC(W7^<hTr5NGC8r+b0m2(IgOxHOP8)_-=aUD8vTr9;Kkw%G
zs03`=$){0_kkv(cY|^SuV+jVz;<SDZ-X@P%DgNrZKGfgeg}jY%wkCdoUG(EfX))zO
za>X6CCSrCa-Zzexvic90*`DaGek{a_QM8Kwt~IQ`2M&Y~9>K#voVyS<`$J3gj2Wk1
zlj#od{DrX1VyoH+<Ce0=m!Uro7*%?BwI(#u`)IlKf$(PL1DE_L+@T0IbGRBn7uwDS
z3N32TxHU9wu4?P*DA9lB5|Zb8Y(o6vb%n@Um9<nu$-5IFt1g20&wFtrt9IM`i`JV$
z>o4}z#*>Z_mAO36^NtdIghdWa8+YpWE$S=FZR4jY4k>ML+G~Ww+T6|p#TZ=01<iRu
z_skB6Th&<eHWYiSMXED#(IvKagygeJr#)t?o3i(87$ww;*FHDCB$d324RIqgN`4<t
z3fpBB;hGZOA*H_=UCxcAPbmGWVge{ZK->us%BB5T(MWl|oRuW$v~xd1B<b90;x&ie
z&r&hZjZe&L%r*1+V(!XuhWIclb4lUqoShPHo|X2WD&d1CjHGBZPL~*k%_s`wVJcfR
zD^fj-_ALr`M<;F^3JEhMO@RpNpaWGjP+B90{i0d!UO^#B`b)-EO^(vhHVF15a5*Bl
zzuCft{NP7%gOani=-zwc^8dl!dj~c7fB%9gC`uI(kQ$XHAfQN5T12D^2+|Qyks3n;
z=`9M<n}C3Tfb<ShLMM?9BE3XH385)Hp@cv}+~;%m-rx6o@9fU*?9A@W&V2vK%ri`$
zgq-KRPko)&;oMuedt*U6OkPJeS!eY|w~vsN!P%7~5Cc#cL199dK|RtSUpsXKiScgW
z{q|73$wRFKGoC<n?L(0O=V$kQlCC&YMvWe(o1E=?0~&5#u+!uIjP4oj9)DA+m~0CW
zmHu`md-{V_Sl54s%9e-xz>{=IR&59C6Cc_K$v+r1s@hNGREP2aE(#ZbQ+zy!9VtRl
z#|JW#Ro4Cg(sU{HS0Vyzv|UH*x+Gf+IaVGhaU#6DjRemf=Y4z*9XQ~XsK(4btqosV
zfX!4bE#Nq{3*!z`buPt*8w0EnAGNIZ;NK>6_1JZXL<t80o*MzIk*~M#Q!Uk@4X1_$
zCDn1%TY<r+B}f+1CeTHUI8=hYd%F;*HT`Pz0F6j6bN-qoDcT}=$H};K_4~5;)gAFW
zv59McX}AHUECAKBc1TJu6`m3^@etDqD(g^@)n;RcLshY4b2HM*h|XBKANh(=$nf6B
zuW`caNd`2vK+3x&k_Jnd7#s@v1K*^b-9WSi#cx+p4R@UWgmK`Hy6rHt#LuL+gpuz6
zsk%@NiKCnpx^zChWCQbjg8gZ>Q1}nwM9R1W6Vef1^UXMRj?)(L(-%%<;3hxvO&~hs
zeY*QSQ6c59<smD6R!uy0@K|mzb4DtzCUihAJXVKWM<^w5eoTug?A<E|mis*34L4FN
zr4!2C#GsUcY9n}smEFcvD}`S&V0YF|kLdJAg9C3KfpUXmM7wQ)NT^g2^*!ch@OkXK
z3-y{_&*ax6$HoTh)Fhe-c$w#G!NJw=YeeocEZtuk7%Rqnxwsq7KyvGP0Ica7T9&3&
zTi%x0Gz)#w5Mq7b=1IqUC0+ELw5K-;UPp54B(r3G^3ag1k!>(s{<E}_J#Wu>dPy(R
z&&$_!7J>KD*EsyMl2)!t%|j`_1~29TgrsIQ_KWShgX$zDAK=-6e214i6jhsQ>_jq^
z30$VF`?k2ZE_XG=yEnL3Uv=i*%B%`}af$-FfIi#_G)eRXg(7c8Ebe3hi}<2#E@Pi$
z+{;)@f+iMZ-*yVWB${%yL_3RD=$jR|#<Uq(r;A<QGqjN%t8SP4@t4K|q#!*7v7_+M
zCIqinCkKGOnwWQE(Azp>{q>y7%8WP(YrA*;!1CC6`DM%ch6#g0cOv7}7nga<Q}-Vh
z+}h?7yOCy|YC^Mo>mHUB-th?KoN$RcxBwy*w17Ke0^nC5Vz}+QT}fKOn8V>bG}Kj+
zj%`l%<@5fXv2-6H_vSZ+77Wx5blT>X>VUu?>(%Y5GK|;g$muI!(<HOiEJeT^Z6k}e
z&B)31H19YO-EJmp0%*lfEYu40E}Nr~B<c-qQ<Ja7e2}=o>(#6mX)5A#dw^F=E75*I
zhvA~x85GN38Yl>p+y~6P1qv=Uw~65sy8IhsDFVt)FENt}(_@9m11*FX7qcj4dH>P?
zkDxd`UDMEG4><{Ic0H4vzOkMG&&{iif1=aaJj&bT+{zcXChctZ^wtvE{yB0q)KM^k
zep?vVZf%911JhV*On7Cs^I)H3$-RJ8@H*|SG$USl?@RuCKlVz==jtr&Rne9ivMqe7
z@h{D)Yr>Y?D{9R@UxPIr1y4&_ogkpRcJwA&Cr7IBc}Vwvy)!Nc@%z*oPBkl`cG(@U
z>j9i#KqU;c$#tr322>5fi#b|GcK5bUtHB!px?~TbIfB`zRszY7gbDmb^~ptGw*Niw
zKGwq+YHm4v5rj9)FRA|G9gNO71OVj6R#hNk9O;N`MEwcA2vc^bwhp9i8{cxPs91?H
zOfXAYYzJ2U)_mk2dn1&t=kT84BF&ex@Rt&WhZ$D&NY!eMi6(dj_>kH9FAY$y4hf3W
z2=)P>6z4#vxp{<78JC^0^hKzIB?-!%Gm;4YT33jpwDR}I%cp$3-r@Ix=C07LRh|Rx
zdlx)vO#NYH*wbH0JwH^qY3_YuS`_(lBWKpb^{EY`TCtyi+X&*;O1{=wU@PBmnhe1t
zF%8{&8D`$(fPJB5sA8#ve-%#Z+G=1mv(?FI{7^Bv&EZJ3@6S07ywf%_*$pttb>IY9
z6pL@D4oT9z)HkHV?ZBa?adOq>rF{_O)$7H1@#HtPwzJJ<3`py{FeM9ChkreT$Q75q
ztd}m<ri4R-k>Ury;XyP`m3xx;4{iPzY34g^10XRo>|dIcGVnL_DII`B28`e${Yek7
zw0a7KXC;Y_O_~oYfgvL&K-HI0X;eo906^t10O>FV`URnexWE_Tc-qsKe`!iwu_Ss5
z`=1So-~9hW3(DUUoVMA?1|&gZC_bkv$N)S;MOzRWvI5`*w%RSVzvfkPV}=msQhalM
z9>=*HEcWr5{j<>!LH&{neF@YqQJ=W=8L*HFhprg-Tk1uk0|x=N%|X@$R&CeG=iu%i
z4%)qIjOfi4slgZJ@JG8A#I!az#1*)_io1NLel^DFtEuC4eST?T*XdUTECDG`@)0N{
z%T<-*cONyP+tmEgifO-O`yE{##9PvZ<)?5;-<f{&gl()=Z3$ju4>@&AvumW(7zZh8
z6rE~Ozsdcjxs7N6hqkWT_}7meo#Qy(#xqhG_yOYNQSc>YFmBU^9mg8JN+^l}M+Qpx
zRa?5IHXy}n!o8zb>Lu<Xx3ixu-8WOXZOE7D-U{<637*UWdFEhryKu}SQD8^kU_sXm
zbx1=7uw!I5d&u%rf9=*@<JtJYb~3RP+N$aLm*$(dokd~g_U<MyQ_$kkT9xYa%WjkN
zFU{6eJ>qnj*l62mw(B)VR*WV^bO0Oew#Akc;^6FU^h{uy3a^9@_?c&}dst=z#(>DG
z%Ae~(bOY`Arp6UJCAsfuzR^ubY}Ju9gC{|Vk?&xZKu!E=&i6R*Bf=wTl>(juo;C&D
z7>T}A6Q9SIKZI0$FQpT3wNEUn`rqBhu3Oe?>SCaVlT$b_ZU4^S?>K+!-!-A+U-}7H
zlfN`-vM4;5bcR|3pOk}9XsH(uyg2sb|78tc|Cfo-BJuz$kuvN^APR73El?Xgjnp$h
zk>Erz`nd1k6j=Vhj6^<}89u5nO<|?dz$@(jb=>(i0+;_ye|i6<)u-X8KO$*VdcZD#
zr=?H++fRUZ{C{lQ{$D?h|9J-gm;U8H&)`4j;6JwL*y{iFb5KriM@k@@_`<B9ii?4?
z8H8(k5%D8>1mU&*`7D!~aCydL-gg)2S7qTZrT;A~jQAg6p}}b#>P2+~xDnO)3#iBQ
zYC<)8r&ry!b}Co)V4lZn+_wiq%>Cmk?lTo9e!OrX9gbzL2Zb)29S@Yo1&Iu*<Eas^
z8&Wwr6OZ4_K5C}{m5K@_=?Eo3*6c{uD1-v#BoJtmc0zjKl$RN*w}U4&m+o1C-@h5W
zmps6ws1OA;Gt*u$d$QME+WN}vjrQ<_7EuUR^xs_wkYxfM%j&;{Lkq}z@SoCDU;=6@
zWy%@A-hPl8^hs~r(#erl`b#qv|M|D-=PL7m8~fBu6dLorJXP7dKHb4&&pqg8532N?
z$||v&JmK*l?)#47@|0!_RKutArsD$aX4$*5uP6Dg)B>#OMZT4?D#oTCWjg%Pr5sI&
zmv=<g*;j^H-0gBlV;?s2`ttdk|IP?}gcrzM%!FU+BDD6Vf$JN3{FFr&WLuIppwG5N
z^`JBgpCswhW1$Up^Er2iMs^_wGB<`Ur;>khpG>T}7Z0uxr(QP%nPI1o+g;!K1s-jl
z!oQCYV3hZ$?Ij?P)Dl*I>f1<tfF%-uATd8Fx1zAdm|+LW4evh>J0XEj7|@J1=q~AF
znjwJv7;w01R>RhG2GN=Kyu-R*mtTL1NcXv^62;9eFaxskl7G-E|I5@GBqn$b<leVm
zBIXvjkN-$Y?gBTe*5OW_dQPxWf-t&{lHod3vZIt0KGzp&a{Q*`$rXF)`oQ5W%LJ7r
za*#SMEf#s*H+e}jnc%V938{=JXSRDp2*j_S*nYMTQ;@4{$mQ!WHkA7%*?OrUTZ^_G
zsDL@aK^DQIcLUWj`vfj!ob2kwXfz=VFU)DNTNNz8`VI1Qf9MFh&*hWD8&#zPISD?!
zabOcXwQ!kV)DUm`?XkI8i+8AyRY7X;t~#-?#kY62WmvKUqs?n5h>5?!_Qfh`THasB
zdI6cLJB*QVfs})!pVFEYa(7ImCa*=iT}Cx6SIcI&ZZ~>oZS6L%TR{(ava?`sA>t!Y
zcb<VO(X*+Ko-=$?*}HJR8c6*^awv}?I>9xd?l_(aQ$4$@q`@w$>^K}${^H%z&5RGJ
zN#fR)51Lc`hCMC|JJO22yC^`&ci}_|j7xfwZyGNQ_g-lX5hB-UMst`1(9l$013og2
zqBN;`i~1eQt*lV6UJK!As9xMQVC21tyQ|~nPIO_?jyxlI{Y~ow?)liac1oW;6y+3F
z>kb=_XVJE?CzQr4v%(<<iM}xvFyo2KuLIT)+be+jvoDT(@C1MB0vLkq|4e&pjtiN@
zPxhU?9`}&)RqD?BK0b3JTPN~$fWQ^CeTJ+`f>_}jqYh9UYAiWWNRYdeZ{uZan+mq{
z=S|#_d>a<9_y_zt$M59UQ`YU>2<#p^#98x}y&zUFec=UZ;bZ6?!_B;AgO7R9H);NV
z_@eEmvcdaHeg4wCs05N$0|mK&4lG+eDAEoC`sI&^FFj53nD&7?eF7(nA3ja^J&G1B
zB5_eU?K+w5A3?1x#$KYP<(yZWCxo=Cy!kbMdz35Qdlr9@_TC>2kDRmM=O||CaJH-s
z3>bqV<mnEq&RHA!xDnA&r!!X`T<lo6q(-01H~o$DWVLx7Oi7EWCeyED$tl%pcsM12
z_?L#r3e4Azr5^qUl4#+jO=`!94|NqX8VCaR*PNnGLwCRj4()RIQy@7k@WN~tq+v{I
zG!>NWY47bY`+-AH_9L``a-{dAzI9zWEEHCtq{IO^3sl6`TO<psas!3kg|c50z9#AK
zlnph<uhD!-%-BWB1)7gj=>i1^=5dIIL{IpIbp@-QosP6SYV5i=E${2vw9Pk=k6Hlz
z4G+{MT?ZCkoTT-LA-Q_;1D#PJzerjd-;h8;5&E?~@$!$2fZnDgi6;9bNPypp{B)#n
zlYVU91=7S(nMYp`*RYR~&FLms80OzE9#DT=*igO7D^E4I_5YKpa?}m3IeJgAAt(;^
zVj8<pv>VxXCmuUa*tL#TicCp9e)XBsnyN1TT4=kA$tl(Z#RYzaI!_(toW4!k|E|hJ
zs8@t2%@m;utTyzVhiUAureD4OJYU%T3#)G9ay5qB1!hG-q|Z`#+rJU6Aa9c17h*R~
zyr$X{(u>tOK0g&7l3z59$Gzi-(C_gP*;OEokWEOxElK3%oO2|43lek@7}N(xY$K|<
zd>eZk6nMfu-JQRcq~`pw$H)1`qY%yv>vWOp>b-gLgEGIxG}Lq`iYQ6mHMmGlxtTds
z)JT7*szq7_>agE(V6ZcAcS6~Rtmq87(#EvFMNs(Arm!T<^evWO)Z|;pUUy{w9qO8f
z*dB**+nWcycl1Y5j#w6wH7?Uv`Y|3J?zwxuy{!TI6|+vnugB4~w*880DT%S)4H|4@
zZd&2XI38KtrEt*q*dY=^f;oKQIBEi}opmW9L3H{C`W0HTTB;t!sFDBkBlcNPnmn3I
z;C0gXYhf$z-!+}rJTGqsa8r>a982lnA%&cMIFT#_bocIgQk@<?HPj2xr}}lO03k2~
z(Gk+Qt~{aC#pfa1?Q=#rOWjhxR<ob6K5u8~(Bm)70K%wc*GDKV2wGR)Q|JO6%twA{
zZ4Y>jr6{V_j;eB3e>jj(k=C1d?Kywf;Jsv}q@>aHkZGYOrF_m!rlwD5p3u<Hh$BPs
z-Xoou)bfDBKN$v@e$~%nhI9igZiMS=zKOY->iC2yUht9rP%`3*6Ac3a{K2jP9@8d4
z_Ef`*E@?L7cY83sh_A?Uhf<QdcH1~wr#;L}$8+<SQ**1`o$VFt$aF{ZJEf8g<-OZ~
zKy^9W<@SVtCC7IBa!&>`x+^C}fS38LJ1*<tsuNFk_A7@N<B6)XWeZlSw}+zz#P0Hy
z#5KBC<jDB6z@|i<NYz=*DO2f65>^A&t6s$m8OKO-r`%~&$EJ?*3s7XH#&~8on`J|G
zMtTUiLAdUo_dC6~C7H!LkGF4~>DACE3%opm7~xtEzSfSX#`snLagnuhD^{sDwsl#*
z%_!a_#=Fcy!*u1{cc!&=o;Igt_;#*6K5Z$Da-B!|J;je8-7|e6M&QgXBw6u-?&^Kp
zXEGYPyD)G4$jb7vM*PkBRhU@+W2P^w_j=L$luUTo>|Se-{uS%igVW2D*J)Wv(|zth
z7d`8UvTsM;GPQx>ItWs6KE<w9LD{***iPb+S)+JT*IV|Gs`$8%KYnOm3%MY~^W!uD
zpc_+>CJvth^x9E8oDoZ`tbc-qv@$xGAzL9k+9}b;u?-W$QK?MwbrHq|GNnuH@>PZM
znIF()A~L9U_E7u?5NmSbX8A!{;|HgrI^&Ca))Epomm3@F!>)*H@j=2KnbMpCbm5GV
za}Iq4MXtgX6P}spVilZQ{kTyvYp9-0Lq1<TuebK`#+k%aITNPtk7e`^&iON6k)Lgy
z<Baad|D}n}`G)O+#b*m9SP)R1*oa`6DcpN#J`$}Ab|`t)cR6YBYLfFzNXXBJq3<kC
zrmCZJY8u~B6?=;Mmf;Zs=LnztWn}&RH#3BbzTPrz*s=J~zhI%nb=^HHf7HCrNUsnH
zzcat^JBEZN-odkW=g|FG;3jZ&0Wb?HFMgxUMbWG<cV^yV-L-VJB!v4?!2{7BXU~K!
z7dn#O63>vHE&{m0%?!>&d;~5&EtiyjBf(+<_@OV(RaMm7ah_fhjupzinv~mt(GldX
z_Rou`+(pB|Mo@_7Z2w+P7^qG(Jeby*-9`00-YzVVt8i|Px3uCwQXXs2nEJA;NHd<p
zRLa!EP4M0mC5BPFPlu!uZXR)<3Ien&x2tqvu+&y02g*@4Kd<}t)*c;=a@B)d+o><_
zi?s7Z`#|SU0#OCX#fDS>iE0<1?6d^ma$huz!w_@I0A|0D_klKLE)umr_N~UCa*Q!@
z^Q~-cB|k%bhQb81{n7uXQ06uo!g;mK^CJ?Za<VK5w%izDKL+g1z%r5sb;7+`;`^RW
zR37sBu9-Sm(!G_q`KIFgZSFIXJ1z^Hr<rX^i?9g#juz=q%H4d@qb|wj(JfDMK#**o
zn7w#V))g(pVDpPcCd;}n8HeIGYwK(Ts4sjx$<P(wzE1G334mqgbbGt+9hH~F-l4#g
zbj!!%507wB#*ubGiY3#{!goR+S=^Hi$H4Zxv?Qmc6m+~Spd$1W6ln0XIa0{1W_^rF
zlhkeUjwxMb6Ag>S@Ad%UD|Xft<YURg1XfZMnHg}n?aMbQT1z8gfX_8rx|%Ah|I{3R
znzFrg%jqVtE_e8B^2fV<044%KmH=j?chVsC%P3l3t=<MRne^?-!)@_d<LHHl@@X3B
z77}c|59s;KD~&W#n*H7QVUznHw%`$ePz;s7@q-+Uf#hR?&$RAy^wev;Dl!qvw!ODR
zRuW5ixouP4NbCH4(HOvtWF3G$2(a3*kn}pU`S7TSWhbu**_f-hUQad;CSK7kO%+P+
zyT8`18ZFQWtD**ft=Eyt^b=6RClepy4ZmNMJC6s}^wE)o5zrhrD7_Y9LVssyRv9bI
z6+FKiH`BY;_f&u4A94LbaTF6)a{yP3@m>1UoZ0>4&vfF(1eZ-*%OBAUAL$<+bMcDi
zwMH8AyJ*-)7^?aw0mV=4L!KuUE@vt92#5kZ%;0RKG!3>mu-TNXwcg++8*jQGoBj>1
zgx4Qhwgs7V_`Xby#DHse!-7?vr!lbjHg+7C$A$PdsAvIgJ0Xd<`8>_V?#^Wg2Q$o1
zg)?6+E1@flv<z%BDSbWxhxcq~aTz4Thjrrz?ecy46S99UW5&m)E?<>=slkxg8xv*<
z7#G0LoUMX)iU$3qQAShA9B3o`hWTGfI+lD1lp8+S{UP{njn;o%*?3)fw*tqpBLUbi
z1i;Hjga7S%v*as_7L`qD_jnC;^s8coiy}}@3jI1z2*F6DRJpuW_84#~QR5hDZ3Bob
zd-ynng*3c`Ude>qejxWp_6dD*!i-O6d09}CuV^P6O8upJo&3+FVCHF&{azdqXn+}}
z?fK1M8{>X0mHZ0srP7X5B?guU?IKjqH4=UfkBCO*jY+bbC8jGkhye1}G5nM?SIsXm
zQ<A3$J#|i7NjlILXa(58QA3UUP8p=)Mb+fxEQrP=qMG@SVsAdKHPo-b#?G?KT|VtT
z@8fSuA!GOX+#a$hP5=J)pMRzw$m0Kpw66S5f_w0PCbIwO9*$v(;b~SqC=SU5W$n#o
z$75sa%~G5cgAp&z=eoXnwhb2tCKY7fxF=>DGKk4$<GdS`%?(bYsUQH~$55@z=z<^l
zE|0u0>9D^;QDF&l%rKqIOl%x@&Hlr2o`)|*^k(t5l7qiAzantM$+&<@7BmjtHEY9p
z(&1U2r7C%LK+^5jw0Sx-`?|pN2R)&r3;p8!Gc`&20bW-Y0P$E^?@dfRu!5d?QKm+u
zr%_H|R#Gw*VEF-E^aV&gschWizaNtIKV1Gx^YTXwLa1S`c)-DyR;&K~_ocQ4G?4>|
z{!8<^DOiS7XI?YyWyrk#_D}ZZZ#5I=KKRQax;V3TgzoAd`7qsnUw1{jwV{(ceRDnf
zCixlgeWsa*5WQXKxgTHr{9Q;&)k*%d%}a1j_)B;MT;MPhs?}%5ganZ$p43Hb5s$2h
zp-!dxbe57e0<T_{HzmJwPty01w>{T1aVxj65fQSmFwc1}FTu6I`TW@uJ{p?uw1wWD
zPwLIo{afo2fwa+pO!cciCEonkr9@TUyZa#0qg~YR3}9a6Wx~HMTQ+Xe{^uq@CjSw{
ze^-wG2;%=(5E2oM^+|op36Xgpp<ZL2KVyGWt?e?1u6z9cB00-IG@AIz*YZF`@=@gZ
z6%jqErW!ZDA6)>CJL%&nyt8){jsuFAAMD9iebmdWbwPDo0?zxCie+!?I-2jGLOKo{
z&;=)6YW_<zVRH!3NGL&okum%?I8Fk%Yj8<{B4p=6b|OX)!y2;yh))36iE?Lx&z{e`
znDQd(YeeUtapj+BXogpB6z=ob9Es8}Ww+6&gh6Jff?o=ffb8xziVV25TC>%h=-0CP
z>|OprQwQEYm@Pe*;&P_?eaTi`Q>}-O+*_X$pIX5Az-vHB7YZlp`ovQ&`1&kkJ1eEN
z2>g|kAG`Rt%+k!v>n!YCCd!!WtmirhZpknuw#d`dg?`jlGNE1;0kiEpZL1dt>YjdX
z6Ic+QM7csBHrls2{k<!3S!aiBd?06EFM7vW|Ae;`xM3_V7a@n<$8^T}r_iB)P|uxy
zplFb9`;Hs3kuGm`=CDZ>eN4COO9lS<i`)-q8>(8b!0wi<gjwP~eu?eBFS=29pYO2L
zjOgNrO2zn{5|8Kjk9Sv({?eq)!&73hK)<)2m%1SNm*&93L{1?FzQPQEe}KQ9+!yDG
zdVTr-PPtWi9m+T$c+0)FF#R*mghfYmJWD^xG+f@t!PF@A<r|tqxpR^u@+1ecsV{8l
zcMoqhBM{Nd4xIm#G0F3R7_5<XTBoy0|Do<8x1JM|{e=w$37Hg;=|=KH>z-w(dKVRh
z$3_LZlsXr3nesfu^s#*2DI4HRnm43_UN>W|mG?FZ>F~I_MCCsHN}&w^AQ)Uz(zyiG
z2a%d~yiG$E>`lf{tA+}CHfoP86j#_m|6Hkg{h2yY!;zm*m9f~Q$`Z^Ys6q-+a?E;N
zEztPpw=djFgT4w{>OdXX>Du?7T^L?T<7MFg`m()b@%qm%c~oA^P{VO^V0C^g0;Rs{
z>Uemc&)!&af3Mj_C{0ws_En}!VZfpF1`_+US*^oXQD71ggI|EYT*fVgibk3WqE{v=
zXP=tTh|hga8=_&kgYq$uaBYiDTuqKA2FV|T^fim?i+Q5tJhNLju|I*`NTCmaaw9DO
z=W&*fhT!uCyLncLh3-y;f4ubr?pyv4&(mmH{wU+#S1K2Q4_H!&X?sBi``&#<xC?jO
z#7tGBrI`_XEi{_E=lNc9&omY|m_~tp<!Sg>RZiQBLF|CP*26t}Fu)b<hBifCv0ojp
z=+wFK?HZ-_=Zly>L%UYM)PPfW`AE23ohgba9!?NINjNL=*~g(9jW6VZ9}T?Cz8#MA
zFA{N?E~^?pdfEEpWEOST6{v@xpAMHs>b9+lIvdA$9J=V);d?~aidVeBH41&qkmWgG
zwQ5y{n6jLG1v34sE?u}@)7PJG4TgtJQ;IA(yvryx`$@jUp#Y17E)4%#u1x>vukS~f
z#c3?c#Oz}~-hDq8y$1jkS#d)NouCN$Z0-s3Q&#ob#`?HO-U1Bo+Xiq{<}E{yZgdbZ
z(Wz4%iQ3`@2x{^&T91Egon6V1&F8B2PW?-xP}%a@+u>X3%?@)?!44YI3Jmtn_zCv3
z3IC%>qh8glB&BX1?0cZ-uh2nNPGt-Nb^EtjdA0;5jU?0+pkB3QL*TbRmQ83zUObZy
znFzEe>r()1$gME|`N#GCKumIHI7fVgXS=dAdgVs{^XEHvMEcBr1w$)XZfgXNkol-T
z7lcTsWPS=)BcVFxAfTFNT`@Sl(%RX|Fk+>qwI!7~$-2+SPk63Vd+ePfoBBl$`s*IW
zZ;4tYI~<maIt4<QoTSDSFFf1GI7P;JxeEynr~c4ayiBAzEwI%HrO=&y<NyBYw!3>~
zUJ|MeEm!SaVnt~*_kh~GuGqrVBLk%S?42HlS^lLNT+r|n&VN&SUpDVB+9*LBs=K4p
zp1y%XIBnBm87NAHzeqm4|BM_cEK9m>od4EH7_K2I1#CXOX8Blxx1v@j^aF-r=NivJ
z4m)XA11~FIT?J7zh;NJ^`;KmOpRL%bsgEsfi|f{mUtxKeFYqqo*qq8>x3n9PLj!+F
zQWYqUY*WG=S7d4?XpdDRK5@l4ojYvV(a2E06&b}nnDy&|hp${N*>O{V@igBHHnXs7
zh{Es2wMoJWH~93Oyf}01J;tnTzPLT?pS3x!X($o;^l)ThI7LiM)mOt$?8ogX5n}s7
zOS`P1t0Q}{Sy^(-7nj~=(N?0n^L9Zt?K>vN&)n+Kv(jLQVfbx|bQ|Flh)tQ^3zvC6
zF5k6=6f*iNsMrm6=F9z9Z4cFFJ1g$b&|7h2FA^&efd@tG%8p$2)x`E#^+e28Dc^xC
zF$Qd_8`4mI5UOTWZDk%qV&f&!NNUB$*hbN9ekhEm+{Q&!K*<EkDrhxdwY>AdD7%Sv
zycFJXJ6O(F6E>690b+&YL`IhhN8z5wujLGx2Lt&0+hZH{T6BdFFGZeQ7}i~;6F7KL
zV=8K+>7gT+*HBqBnc=gOJToKPhKZMNt=7?XkF_r4D%z2Wj%(lMHLpcG5nN!!<q3qo
zZC0Q>giDC7sF%L%`@4fGfR?*fG+{7#m<iD<|2kCj*j*cky(J$@o7`u$C9!BYOHcfo
z)03K0Pyc>b&M-WfKEkj*wIfia+}CZ>j364@_sb`!<x2Pl?JAU^^hVdcxED^|44==t
zX9VfSlp$R1TSH395#Cdo6RjJ0Tibuuu2#R$*OC2_5sgIG`Oo)AvQO2w+a!~B0QW8s
zXoautZ1r6uXhpSwaZQEsI*Et+n!IwJv9yArf>NfmQp=-m+`SNb;?tI-BjR(?TiJ0P
z*>RGSfsfD2pDUQYB%PIHTUOxsvW!+7?qXOM_ZF=C-ZZqpqIdGlxf#V>UL@9RREFFg
zedqt)hI>cEmqAXHQGp8@m<>b}s^-?w@pq;>C%V-vCs%5N?$4Ry-mV*7pghN?bu$C7
zDgDtvBi#I3qw)M`$gDN9E^m6pxamB*c4SYYji2%N^L(*Wb`fBKHbz1;0DME>6XKLb
zm&z-J-UqQHmd|2!oRS{wbBex97w=l@yLMu}iV9U`uW|*^Js+d6y4;&Ql%Dx*kgaEZ
zQ@|2tdZ>}K$(Apnz00fLnKjh(et_dJV(a9DwKoSti|dP&#m3vwQPg}E<3u(v=q@Dd
zXnba=p}j0a_=0DU@sjpZRI2D6=91~?*((RD`JX4VymWeCLWg#ah1xbY#SU8&{z~)P
zgViI8q-cbf;gRd!N<cy7y-u@dLpD8z)}jHDT=F@3*1@B;XWL1isf-c5RJP1sqom5O
zMKx}ijE|Z9@*R`~_BF6HZT2VMP2zhzsB@Ry<wQEF4T=M?Y$}#Kb$C&_$w~Avf1mmC
z*u5W@Be@s%b%ijERKvsKx8Y8#(HWr7z>CY$G!zR!AtT#-(EzZ%t%h+~no;MippM+M
zy~ixH2rI!`Zm}SH{5YRMGi}>?nHMyJT4wD|;Plm6678BzxZ+#(W0=_qR~-8~aIl*F
zs*!!1>|T=afK2B$&&}vHuEfvJFLiiW)}6FT{Fud<O;1NB>kjR^r7RCs&$Lel6lP97
zDM#QWJjdk6(dlAfZ=%PC$~L#8v}qK3@LgZ<VpR$(Xjz(r1nD$WFh0KY3}W?#lTBab
z;;%}Hn~vW_X?~wAMv@9~S<*lpNfA!76&!_9B!~`e)R|PO&;%vCcP4Oe!L}<gd_FXB
zC~%oTCN>~R0fe*;MdgV=6_R#K<A;K&obF(SiC1k8R+pIbXT_gcIXWoWpoa!9pChxi
zh6K0?{CyE%dqbLq3Jjloi*z63W;NJW2RI<DCedqa8rFz($BbSPH$ihI`;?FJ+H0GR
zb1B7!dZLisLDz4E5(Tr~Z`a5QM)htPiT5f9#-(y}8L`hQ>slh}ty^cxrNaly+m}%4
z!Q22|lqFcsHH}l1nE*7t0xg4FxN=mGaaC5>K_)-ifLjJV=0Z$~v596#P+%Zlx~J0V
z$wZsPvf)Ki=96*w@(EgJYJ1nQ_Bfh)DCjM=e^&MReLC~rlfDQTQj$6huSZ7*(l3of
zP=$f^3a_=jdtRU_`g}XASc6H`U_$&twsq7J`>SK4)bFPAjiSY;Iq{){>Sd?SN^5=6
zGTzX%1<wy`y!M53W}F#6bh%Z4*vlAqUYU{-j=xvKTMxZ(lfV=v7!mPPe7HhPSHhI@
z&}#p!Yx^d-RAk(^9oq$c8}4OEmQ6~#>+L$GFSb|yR`;l}ZMxEh*JeH_)AkPeAq7hC
z4kNVwgIc_d1l3F{J1|po-OD$<J+M~m(+!bfA+s8?theI#zJl5xe7&R8VqS;t%i#w*
zz`{;;DOcX&J}6+BDd+sSBI~6u*}0YiturAT1Dt-YW%2pDYyFHhOvi%mzmsk59h<gY
zH*`_)a`zY6_RO5dY|mC@H@FyA+#VXkW-tc0i1kVhk60`Dn78<7pQtV`H6#PD*XeJ8
z4+)JSTV5rvUm@F?{MfY`ldgD~XI;-;(u^0D=1CgAcP`xeqc|~*kl%s9cBL!7a9A2)
zTJY7px!{DpHgzpo|ItJBnkMGeFyjlN-e>6L_S1S$;R3wC_(VG8JOJALChIVvtb~(v
zgh~y)UbYUpzZCF-UHvMr{Y};NC-TG|FtL-QhRX@fmLS2G!Y9lPNx@h))+ma{&aPaB
zjgB+H8v9HlRU4=Gp7AboNgSeo*s9L=N10T9ZGwWh|2nyc#c6y%9@Ek&j$Uw6uI)81
z*eK)})E(HEo&Mw$?ATyn=40;OR_!$?{Z(0k{Lq)a*On=*I|CfA3@Z2aW=yF~HmRG2
z{;rJ&c>mbapMCYPp)vN*tLBSN07hr(;aw<B2#;e<A!)zEKQ*^fcA(hW3gSJXA3T~Q
z!gixs=4!uENN6Mdz3Nc7o5VKjazr%prf=8xqg0;X?{;NbS)DW1stbqK)-k=sr*({)
zi6gvM*OGW0#kW3ux_l#vl|xG#f0z&fY?P1uT~ps!_nA7*_G>rn?Cr(`U6>SK!lIqb
zV`;VarWLd>6Q)x4VErCI<ajh4CWKCY`qX+}wt5Qx@-AjF)5s`EU&<jssk30G5g=-C
zW3>_XDKmo?r2ss8v8crYI3wjE`LQ)cWwOm-Q9=p6RbD=LYW2HE{$o+P57SupEr+;x
zPBWIFaIfcrV6l~iuM%q@4C~VQ2)qK7femN?X5X2r2RJ53c2Dr$<#}4=8*eKsKltQ0
zH)Op?^0^`F7{^!Q$lLHy1~S@fR%+lm_bQ(glMFEo(T8}!{DjvqwuUo9<)(#UUN;9c
zO4ZG(DmEU<Y#;}Hf;foYkO~5JJE6!|f*67iPm^z6B*P<uui>+fB7YOk4Q&W9uIfYh
zq|!vxE`)XePGZq{c6)cj%BLrRVH3n^7*naNk0V!KtYG!@D)G8%XLzZ|XW)1E9#Lu{
zb^d*5cFI1sTmNns7|1~v3$W)7KW1n}Zb=4mRk)t0EXmkdM=6u<@OMke6l{BAmcaqn
z4&)YXRliLOk|0YG<w{v#Lwrs+kSg(RZhKpwir5(HPgJtAB+prE+<H7sn3K^ac|8gC
zz9u%p{!@Iy?Xo#a$yUcKOsTcLB1LZ}>B+S1QR~|D&+;c(t{Dbm1xXWj<-J7-CV7}3
zD!?!Z9tDMCIol)%X==$PcsLNBELBR~k853UK8aPBUcX86Nt#_I{LH7sFN+CQe<apW
zGrR^96c|~ZG`Pf^&}$fmVyl*e3XJGYZYi_9YM3U-%4m<y&DlR`l@#gqoy<br{Jw6d
z^Z07_>;-cG-_uWz@c-;To^@d=sm|q31raJ?iP#k?NSUv8+)3YX_?3<>98q$cn$QQU
z@Kw%~w;TPKrv%_7Bf9(BxWGWz!5UlCk)W1r-e_a+xQGzrL3R0Yc23&B-$X#^G(T8?
zB9*!XX7}Ci$mUNPcit|xd1~EIcYE-LUli{}KB(gZ3$c}w{w1JkVV|qBH1aMZq7%g%
z=t@$-V|&t6#hThCJ%`?QRnte?PpK|Ah3|+JO}%7S&S`Njjz3$-ZTdF)2!4(vsMCJ>
z4dn{8`fXU(JSB*yCKof7zGS}E7$mRh`(A}3-Q?RJ-Kw|mZEwBx-(@MkS@|>o>-^SQ
z^AOeQJ)Mx5ww3M8Dq9^@QK~7fJZ@y}vWLxBFBIAN^t5iZ)lJd*^9iii?sA|K{&%O0
zZ)mq7HRkJ|+aFxyBsEVYtYujqJaq8Bpm3RHU?nknpp_7a<qW<G!23sfve}xruqvsw
z#6Ft|VN;Llu*T*HxcFeoXXv#RzL!XGlG+l#DB#V*046RtCq*qF03Kmw9<ma`|MZE`
zX=Wb8kiV%Rd&%thy5yzQdn<wG?BA)~Kz4)@BS<d_1MjsEJ_X;#yJg~(HoJH?$L%^G
zMc6rxi_KCN6;IjgMGhV5dd=@Yq%VBR#x4HCSVwaMU7wPnGcXUV&)jqO37oci{#GMO
zXVO)yQ^xfKaZ~KRsMk*KjzR+=xdjmm6!?pmZ4qSk;GYY;1bF1jaon_=+8ZfzgD@Q8
zr@2fwgJ4_i*T{|z@0Dyw9$s{t0|>2_Qc>_iU;92=W`aOzVZKg)Q{ko=I*rq{5)m84
zoBDt^#DYlxupz&ch>7^&OaK!<*#u*qbI!S>tcK$kG(olFk(qGjsjV`%Doep6j$1!!
z#jegpT*LF`F1CRP7{fRe!f<P_6y6ELqk7nHrIiu08Stl5EzXScDH3v@j^g~3Uxh>~
zhsSe+y+O}uX;ZUb%@$s$KmH`$IO`@>X}UGhqO-NLoF8a3oUeB={L`y~wUk4vnI08u
zt16g6a7F`iJ9G&ZRuy<gG)9mh8nJ?}H&WiMsLH)KF)k}?^OM~6txSz>=liv_y0!rF
zqd+jplrv2<TG?xHm$|4Z+wlvg2my7JJ9q5&p?`CYHQn#oDQ-hzIm@u)tqXt^lB=Ha
zzPW0{+MRtTrUzffUMtPqufIBXAKXRk&){Psyg|TvPY!pxV6&pjkAkI0QTR06R8Fkq
zYv@5~n;&jQ>iV>73WBYT6U|(Ld1xx)64?L1dk*)Rrn9az)6^v2_>R@O<9Piize3)I
z<oX=plY2umn31vus2N-E#?h<1g;ayRsrf!VO-Wl_>Nw9FxyIUK#e?-){DJw1zi9VA
z!|EMiVC0EMwY?H@gk@7!SggD;&t*2cZEQBVy`Z6Od*!Z--wPWWk(aq9{8Kx&ECdZy
z97Pa#%87GYkaCPh0K+p)`xN6xEV+}X(=@U1z3nAaABx4@{d>_i=5pI`Tk|7<R4&dk
zO}4E3`x-jE>oY2cR<hY?R(C<m2|cF@i>#fjY`zl~At#%9_@UU0ut_uR1a~24nTPZa
z#tZ4sRW{?s;ZV@UO*__LK2p-cgbhSGDx=LxB!}I)x9-<GII~&GWZ=WE(f+t^$gA#6
zZ!O_?<B{Xrb}?|GBrxFihhrbyy(xy|pqP*taZP8{3VnfWS|RG--KFj5!`HUF2P1-O
zjt!Ytxn+L%{T8ql<TuWio(al!W!rDpO^Qt$zT+Jv{3^AW#U;KxBH101@=za(jFtx2
zZC$J@cPH!`ssXP6I<szfIT!DMj%yQyE;EMYNix{HoR<@0lv<s2v-^49R+B4n$S<LL
zmvpnQ%P!2WK0FFIJSGI6_myUQ(<e6OPg)2nl_(+;k!m*Rw`{-HhO~dKbp3SZyBqd4
zDpFY_2X7#KIq*6%qjPx~LCg=}qw-ugjFdV&YIk{wv^X!~)e-N|O#3`a-HoAu)$=r$
zV(x@jA~uoOmqz$qi9GUQu-r`^VQO>0&BlpEWGb(dMyk_w!F}a)@7)(kcLplVUYNa!
z)3{f%py1sW^ruzx$f{>Xq3}3wt7>fUscf~POp3x)ME^qCszF|CzOa{LzBg7+$I?>!
zXz1y3PKYNs;u7fxxmSRr4j<Q<-&18+t|pKv-rUL2Bqew~fhK(Apb~bTG^;_1!)4k)
zx-iJJYUiULwio~}*rHc%9Yz;o{7Bg1?1g^OkB}AYEU3>|kE{{MK?*A(&3<n&?E3s#
zPP&FvY&kJ&g+ENqza94?WhH!P;T}dia3$U;?YZzLhcD(u!JW3O69?t20=^MCq?AQ?
zBr#ZqaAry*xl_IzR<Pb^`$$LTM&&$um~5u?Gkxy3Pi{WE*P!Z#=a<*{!DSo65~cy0
z-qX>8X~9s%<#hdJPHv&;jCqM-7B}B2NE3Fh*3cRW^UB94+br`70#-bH=P)b4biz{w
zWN0X}aY9{{tgKACH@A16Azz3oNf8}G{Rzh#fq}50K6BnuZE1wg1^C6p?VZHp^@~do
z>+&Jvd%~~c*MJ(KLkgFFnAuh3yDX4}@>SR`g=P8=RQ`=@MUs0pDOr6?*$3curngFE
zW}u!Z**qjF#e}*ueN?~BDx>UnRpu-UtMbznmx|Y7&B9z4mE_8kQsiFkwij$woV2P)
zB2^K(PYagit~OiF+fp}OY&T}%)~YC?=V_y?w7@LZf;7>+K#$*zDk3<Re|5%KyWW|Z
z+i<tGm21<y=lH3uR-Q)bJfi^3x@|fE3^ZJT9nCt9NLfPThrk<{)MaP6%9mI}1#9=#
z!F?Madyn7Ty;_xl67a=JQFS2Gg9MLZrm{1gU=^;miqoPk?b`2}(if*bJ?uH5?vnhD
zb%dTLL8ej8a7@ys`svp|%f)mAEF8`XUB*vkGNP`Kf|o5O+kAdUMa*nH58s$svxxHC
z8y#NL(Y|nZB%N=%@)p0S@vujje5?HWzU<C4aubTJN<=1%6sJ#ye1XWJT8<V9@+;@e
zew;KFB4%|^Ca0AsH`qDqfdBaf)zS)*EmY4ERTILmxM>^G>s{Z}WRZQS?&cURd}}pi
zyOXc>P#_LJvMl{URnFz^h5$3b{!OvAhe#*N4ab#s!I@;9%lG=Gzk7Y@jlmm@K(&I?
zT<~HH&{se7u`VwMGhqLmwC`)t#S)3~8MXD*b*YSe+B)<*WguO004|{yMo)P?wl=BE
zyHw3gs_n$s-GF5A8i$|UeDxg~J9hUR@Uea!9P2oUftRbMhxNRKWeI{;<<J~zJBzgq
z|IF7}=|8zDrg<mproNVs-`jmF^Xcih14L!sR6Cf<w@;e{$F;UQ*-m-RvuaID{A@v@
zn)M(MhhYWf_=hC}v_b$m&0m^25ao&?4z(?EWcI|ju7k%Lb=n$G;BxZNH)DEZ-z5H`
zrC@XPZPOVCjfGs(a8{<SjH9w+Ya%nL0|0RP7sn&{AXK5z14DiQ$j~ue82S)}j7L9d
zk6&7xQy03_ul_TEH=OBRXz0il-TG<yD|1OPAF?v026QuOeHO;O&4O&QQ@8r2OLaZJ
zIOcOnD3xR9p%U}fuuUg4g$~eB5Z4?e10F}wUxYJlj*<GF;@6^z2TS^#+{@IViap%g
zMSzZ8{>~qIF7k|)?!sw4QdMV>mEG68D_ek2+^NFeW7SX&A!bSUoHRGIv`@_c&>`M4
z>P~pmx0-M*_jRb9@Wuk;xMwv<v~SzK(t5q&%_dJyECP6|MMTd1kPWb)H2UaOQvN+-
zovT908+LeO)&$#&_{J{72!E-XWkW`nmIKw>_~}xWu$^i;g+xr{-0LG|-h1ws7`mHz
zAJ8TD`27m>q?Si`tt7j5$rD>jA%|EkF;5qSL-VTHPsr1*mxabU9^$nzd$C1H$c$ED
z-q#pXW%cBOA^>)wNa2Ti5lhgwTKJtfR}({c>4KIM<l;*XAD!zA%`br%^rKiHBY{?p
zl#9y@f^;b^BrZwv?7j*4OY^uberFn5P!3I!G5z*EG_-@xJS-U9h@>U8;&;ER$~2M?
zIMn&BubWYozObIRyg^!B<Igm!d9{@4Dp;!GZd8dx9qq+6Yggv{(puK6A+&bbiciYL
zfjgmcIgz6EG2OOY(b@+vuHNYPu*#od>ECF=KI@3@zJKRILpzZl{kD7fLyJT?q`0*l
zt?vMlt=B1<2t<CVJ9pS*r0+3cBj@C^s~W#<2^;*eOAvi^IvjnoYGM)q!@v7~@={hs
z<ASC?qZ#d&M%XN@=WGmph`#wXo>6Nlt8WUoXKLDKx$P6IlBt*Yt*H_4D{yQa&=^jH
zl;kz6s5cL|EYQPPe5<fea?GdXVg`?IH2O(%o}1w_vXKe9)N^(7Zj!cWaiKRA2$&M7
zSZc=+=tO3r#w+3Y!aDfy0DE%73iH1p&dusyf6yW8268u^=7XK8`FziB;I_6YF1faU
zs^5f4!ibRq*RSytQ|b8$b{rJR)41U4B=mRNGbHE|INZN6Z1<M3UZHR1l3}-sx!nXp
znD9D7d0n#J3ZAGm57Z9sQJQ`?BI3vA6wBN?6&7s41Zd7X3Rfw_D&;ggrP$?(+|>N`
z${=%lf!MxslG3HJ=&wmXAJANej2yCJLOU^r5tRGoHomi+-Wc;((U4iS_Oz!BdO>cM
zy?+D|9~)*cYCmo{#IR^WveTNMVzdIfc4OQ?$MOv`h%#@6v=mhxs7uhejvl@NnDA{D
zjc>CixOEY0@lpw2frHnGrQbbhJq~<YHD~*J(sOo_k*J*;^OHAa*y9llD=9E41OOnH
zVOxbutTa@tKe{Iq9-%5s8p46DthWSh1@n(1;^fCX6E3ZP?}G)n!{F{vj!wT@MO^zr
z@_YGB5$^GiPBN*N2X~MEppL#5z`1PmQun#u=QN4iM$5E+fmK&7Ak)mY2f13B4xsZu
z4qDi-S&7*7ZtzxRK?4PV&jNDz)wHf%{tb-eQM_Dv9IQJdq8k9FL##r&H;Dd+<2C~h
zFqOfME2FbR=W6wM2hYxRC!h6h4%dgpVDX01k=T0k_rW)PsUtcdCW>FVD-u|Rt`#<6
zgwQ#Nk!G#WaSVq<Dw8eT+?2_ANb}4qyo={@?CsZCL$Hlp;lc92O0<O7uR!8@7!mKb
z`faSzYd~^aTH4LnGXM6Ci&vE+`V&J0?{aYW(Xl=TfC#l@s=xFpUcAzIPs389%9PUJ
zQcxYRhwvH-n&0`{{H1V6<yrL*9O1o#tv-U{%dPr`P<8)|TvzzU5aUTcOL8QevOr!u
zsAFE#BtdUNF3X_n$+WUYxoe1AQ)~LxPE|^Zk&sh{A0{BG%5sjm6|3F}uT=p2nCmV^
zL7mi27@ktT59(??E+Ba=#)&>TK2UFkY*@u@x6-<MDdw@(X|7@JA<fv8lvux_aJT+J
z^8q&pGJyZ>x(eo}SK+<q(|-EYUo}hem2O-fZftk0(y<+6ds3Y5ayWH7OIBN75GM3d
zIG!#kFI>!A7VcS#0U~A1(L+O$X&i1)uUt*}s1D$buw!IOlBtK%V(upi@6*1XPd%9+
zhMX1wfCI<f5CL%lv6=sHIswNl12x;@y=tGdW|3$7Q_%dCaW@OFD8>DmQyj_>e3s%%
zi1s~ML-+7VM<Oca7Zx^+@V}!EVNCO`oEwatX<GU%q1ytsL<Wb2CwCYgR5-A>h`FWg
z0#F7`BXSl7QijS$XN<a2A=cFSPp_!ks@{qqk|+S)0Fh8ctFZ%Yc#B9Q4$eZlvG%(&
zArHc!iY>6Q_%S*{H(aZm)bz%pKdHaERcSy}0B8FY|Mt5-XzLii36z>b4uX`rfYGPP
z%J!^+Yf?Ic{aYU6+FN?c@s{(S>+aqWI!IHMZ?0`fa;dr=e$}M4HS8aTs3cz+mcw?}
zFXL}vLnzhi%9P!y8MlQslcn)hJ86ULs%d2OZr-o0l4=l1gZzvnO?)4JOra;xb_C1o
z-^yE%e_vs>@o*IBeNj0Ln%U5xV6SALXyPxr9l8i-4>WGUt7a0|zn?_JRWQcnu+Bo{
zlQvRU&)WsnHm7)pT>KI1Q!-6y_c><SK&vE06HwgLU%}@A(i%p6d_rXK4PTHN!M64#
zPjF1hrdeuB7$N1SyWbO~D4~VLvhAnM?`cIU1FcTWltuB3dI%%|8xN3-luN8X=0x)l
z%b`U*?$>yu1t0(5e)pRuIo=uhWnTU`eweu7Kg9urFqZ&`AeM%515ZpS_pMvfdPk8i
z^o<59=(bNG29+d&^ySNULUj1e0EXe(53#pZE|dnd1^*JDKmBTu3$&g=-C#Q3S+dY|
zB=!3=6v#Cq=Ieg$*)+KQBF)EczxI^%*~1P_N>$`&2Jmz2!@k33#|<%tHZIDdiwS&o
zzGBr<6)y+{rA2D_HY%;k9<uK3zmU#9OUBA$Y%030Z5@|Pp<pgjs)`UK4e)FO-3hcN
z__SZ>Zu1OrmyZ^IjBUhx^HTL@TkVCipInxittd22yXVNDQCT@<w>nR>b|qK+5lBPn
z|D}=6ZcivEsnYr{+gHW9l(4N*8Yo5x4t)Ut!1*ConvF8EdR2cio>`@2Crh|pXuREX
zy^W!p#vy)wN&kEQpXO^DY4FXH{fRe!uuwzSytd*c)b@Q`!aEETPjP&p3(oG`y3f-X
zXPDf)?mwt^<H8TF`!c03%le$}cP3+UNiP7zjn=YHgtT13InrhaRcc&zok_t5BUKJ9
zv9@Y@vid4X#KDX~{rSf?YU>&Yum-Aae%+YQ?9am=61}Qy)S2M3r(dOEP(bwrzh}!g
zO&Gmujd?J=Ehmc56q3-s?k#?i?yUP4o|$PNwT7~G*(#4wBuahDyISDU$`6xt3Z0J>
zMm6B270>JA=$JZn9^Mp=7W+>3<tgwbRFs;X&+OZYlIptzg}zg+4%?ff2P#g$3Z-$c
zYW4vkEBTy&0Ot1T3c|Z_$u<M^$3HIIx^(#r-C-Gk3w4!dpwNz0BBc2NzZlFou`5EB
zYoBf}opt#(A~n8XrTnvO2w|~Je~*q>=mj~LUE>T8sL}9?uOvVG<4@ley3D)F;p;uv
zDdC#d_bmJ5!oir^;+4#8rcSVAs2FoA{hN-pO#BEjY82?jn|fh^A)u~c$x)2f2UkTo
z3Ky|(VplqoUB>O%-rYp?vHBC(>IT=CDp?>`!x!5Lo23VMPXu-j8R2Isj{rJzDcO%j
zCo1%o^^@5@?_3Y;V61tZ@*Fs_hJ~D{2CnzjNJ*W=tH7}nfbl=n9l&)@LwU^}3hrym
z=TgQZsqoe#zx5$bpT?0DRy}O))+cj80O{p$L^-e{F9Hh#?1*3Recz$ynV<Hl%Hpd-
z4q8il>J>6}3Sq_8gJQ;=a(?M1HKz9Ud^nwLbr-jb3N;&(=AY-OqZol4Jeta`mjFlt
zM1LCPCA~c({nbWct0FfQUeCEl$t$=-ZuqD+q=iQj69C%|KtGuHVI9Fz_>q_c)AY(A
zYE+3@iB*)z*@3l3KU?2D*B;i?s^lq}SVw)du>{0X_>VZSv$TLX_`IN6hIqqnFfFN*
ztVM&Jb<P+n%9Z;lRI+cz^)mgr)=&Ct@sn26U$*CwB!uX@7o?~~zc#On5~308mi17}
z3kgHlFcJHjg2&X|`QOE|l2Et*jk)&>YO;;mMNw2l1OzDp0*X{=N>wRQ5fBlO-a(}k
z1JVP8L@e~8AfO<i^d2c85}I@Y0jZGy2?<3y2_-}l^6uw7v-el_DRa)h^MjcTGns)W
zx!1kcx*CSj{A%oAB~primym>*FLY&ti$V+NdK9)^<m*ELRLO(KE#v##{614?n>4O+
zNi$jZCoA8D(Uf#5k=)*acu`IfUa)aJ2MwfejIJtvR)~0=y@yq*#dZ1AHa^(Zs`vsx
z+x;Go?AYgm6#YHc@cm)_1?#_VP5<k1v$g*FAX~my`!e0w7r<}0QAl2Bb0=Jq=Hu~2
z5-oV0mf)=7qdRgD?l#Q%W^(Kqi{{ymy3(ay_Rgc6_Gg=x)U0vEkYo_Bn@9z)HfNh|
z-&>}w)g@V+HPswEOAXI^0KO0WsrdDKWW$|(+<lA9(6LpT3$?vEH*;%v=2~k8VIRU=
zucTtOqS*BVLF7zV#E3rN#eMQQ;w;E#)0iZltiH`nplSBGa8ER7oJCgq1VklTy!fO*
z#b%C~Je&W-Tp6e@6N0`!_h4@3klAkBn$DHQY)7t_Z(7;Dg55uA*X3u3P~36ciA*J!
z3c04qw`|u3*B7s#;7783G~giTZhP$gOZJPevhlPxfMU>?DE@Mz1;7bJp?Y0nq7!*H
zHr1UStsCp=Fh1v6z!%3<3I+5%S<b&@zj(%JV0MnpD>6jKFJZU+IKy|GDGN0nbRiG7
z7Sa;+Cf@e@l&xl6cg8u(J}v4~a4%%}p7b*OL}(QU0$9s@KY;U5xLUcpl}{Ldp&2Y~
zpyu?|a|{|rz3#I11SuW8#iSjxKlAqfk5c8(1K_JzSe?BFTn6)EtiX~Z7IuYJN*dH*
z?GhK#6@aEXPuLZg<QCHk&03l<kBj5(7iQ$fSxdg)X33je`!A1GOQ-XQ3zI+@Ngy<`
zMKf6mt5a<^XtDFDr{=)Nl3(B2s`n{1ir_2rm-7r!emTH3JO6bbkcenf6MyNRq1n<S
zdtDUCgx3w%CG?I8t6e*ufLnJ_+SB%yL67IXWcX^ThsOOsge<K^yy0J>f*M?+%NeRb
zJ2^JflPB_x>_06GxB^DV)5IUrRbD#yH^l6;d_5+00J)$|dBl)CDq*Nn{@l*7A!{aU
z%P*KH;pTBe;a_}h4wG9fPug5>cv}w$i%NZNcCpS{);Bw&cQ{t^4gakJ|D}|e|7TUP
zV67==5~mp}xBn>s*zm`{G9_TpG59&?gFoG33KZ#A#Hdq0%f3yZB7Z!CTvF(;h1F%~
z51uQONxQw~4N>e(kGL{chExG80q=O{3o+ybS^=pSA1$&c`{EX*uWSYT)fIPt<@tbA
z{6}`n4i+-l(v|kA%sYaAbEhi+KJ{Figqu?H*?Lg!uXL@)s@aW&_tgD<Q6E#M_yK2i
zK3mlW)8&L6<(K&llc|0AFWbZ^TdCSphXCHbI8h)tDyiyFsAMng^fp!KY>mp@y087c
zVB34NrD9sv_qViC6N*4=8Pt<BLFlQRan@6Ook=tn$_$ZKz3|AC91#6!(j-u$cpRa;
z_VdcN<O0@zeK|s(pGe>VfiuV^$Y{TYR_-1b?Q!j>3ddDycI@lD#Yu%dTIt<YM99@|
zb{n1ZA7hBSO2>vG!~rG<VRsa<9j%|g;GdVee|Ong%XJC)S2TqGUnPk>pu5o#WYYM%
z9GH`#S%`*=?as+WbFoXc<XJJ<wD}If-$M;Rhj8`OT>DRM4&E~-afUxlZ#!E>G&9-J
zG-;;Z%F?JK#YefPcvmMc0nq0BUw88?>;J6{ks;-88vB!9^|qZF4FN})w-a?I^Y7KQ
zy~JtMH(<^gY5P3yc_ouA5puU;8pfLR%Fr=ve0k3`k}H|o{8!O+Hr2i0Ta-WPCV473
ztZdEUO<sQK@4E+rwzdlI^dP*)hqpFgR8+7_zGXR)z0Bl=Pv-FeX~U&>XBsz9iYTa>
ze2K0QjaL;jzUDJpXWxXr`5@2pgY86u=IE)Jyr%zF%EbS(s<DJj*k;gjs7Yfjq7;!%
zChr8w15IH|dNVz`sXKV(sD7h1-s|t=8R>~jjE$xh6==<W4xOKYbNk;OPRgHNtcJ~)
ziF)@nz_c~&c}3Z0_cSw>WB8bjnhxo?chlxBSIGI)IiMq6cg{B^YxZ!*wy8~QKGsxq
z@OC)LEY!Y!>WsU4jKSmPj|QacnXIjLlZa=C<KC|PkI7O8-Tud?X{6P6m&tpFlSL6#
zRqIX1aan-Y^2f38iwWu&XX-8o(9bbaJqucV*Qq7wuSW&Xn8HqX${p7oGNWbUp4BX(
zlkD(aeCua__0rKog(~-c7PHJ;J=gd4JV|EL7El3^2rpnF2!TQk;0_~EXG}8jr*ZgG
zs76f{p~Pz*C;8sssx#N4hd8W?M>lsMaG%ea$))26%s(vYO&kArr~VO}^Z(Q1|1YJ&
zR+SP-O&)`@Lb(>Y@d}e!4}NXRpc^y)Y}A?68OJZ6Uq4G08ea9#|8YU2?)kAxJ4_Vo
zr0jp`g$w_qEB-%yI7G%1x```PZ^8BTzpg2#k;y1Cn(?LPe0rqW*oi~w<i$&nEVNc^
z+L#wla&^ng8((}kk06NtQ~iTz#`XXH&)I;wL5W!e?iSYSb;9&vW7ARM6P*KUDB$i9
z!toEwRSkqRULjS*YX)`xO3*nKRZBV98c(aIixV~*d%p66aA8IWhL%i58d98aF0I55
zDDa61@rT%FCrgS;<&_rryKnj{S+5MHzq~%AMU>fOFJT1Jzy-9fPE5gCo+yRC0>65I
z@PO)$o{yTEmZ+?W61qdJmJ-NGobz7-g6Esw=8mOJ=K)P47J!+361UGY0w|#9|04#r
zCLj3Uhl)`I>e1HQ%fI&hwY>%#nr30ES5_r9Ma-&00jA=A-1!eC<rMS(&g_Yd&Kv?4
zWcsZ&`F|Bl|8p1dugvLxz5L$_d+LAI_!q#Ndf~T#N|ax}l~1h9^;I-j1Mvf?^<4rl
z2TsrS1%=CGo$qhW;(4k2RONfHrPFqDyB~X-D057ghZa;x)9ke=?6VEBTWPz(`Y`=|
zOSXudvgAX>>1LDi^EEEhcLF-D>Y0m2`fb9-O!1B2ZFZl?J=?#&NE)aq|DL(4Hhc=y
z2xLpuDZg5vNLSAjgrKQi0er$Sr3IYV3&z5RE?)mzJ3H5*>KAUH{bBJt+l>WXU~%%l
z8sSGM+rMm%|664RG<yH5$nqV-nmeWbM@2ULk5{+<|NWkDvu;G}jxT}-83NXcv>V-0
zQheO-5yCq?W|jCeSkmO|>vNv)*Ip?%YX0*~Rnga*lxwo>x&AzJUl6Ue<_~294)1BM
z>VH`D+7m$Ay}5wq1Etpu;`~DwpFy@5A${AY%|`-G2(o*=`<v{qa8uXnbRUO2rCF%Y
z$=2VVDG#ht9WDN0LE0nsSRH!LtSH&Fja7%}wEHxozwPXzhmv$>_j}<lOA@4BN~Ne<
zC9_ytUpNDZ(QhR@<}=r4@udA%6QA-H$A4HZ`O~35-#ps?Xe_h)hdhSn0sKy=eH~~N
zR^*)&!(7j{FS2SL!NiYFf^R<Kxph^xWZ3yhkZ|RFzD*lQh1p|MF19xAvCm&7Y+o^C
zXm1v_Y0nfLJK+jb4Kst+i5Efu<ZcQqTAbW9cVVFK3iqws=N{L8Jsa3@<%Go4QI(&z
zEjg=0)%TWQH&VEtWOmM%XB93w+EbD=wc}z+O95qn?_at!cwNcS_hMss&5!w_HG_PW
zmTJghvm+pdR95|&>BDaj(j?{WLYGc+!cNwtLJsW?PbCx+o8^ZzyD(90U!b_;qt=Fi
z*|`r>sv)wE#O_ucuUS4pyv?f3a&<GX-+tOR;#!uPRW|BS=a;!Yztl-S^V?#23ubSa
zLWv8e#iS<5Y;hi!-(969*X^Y_{62;xTebCwe5l2JuI)AY-mR+%_+lUc6R1w{^0jo6
zfFNQ{Vq&Y(-L#VlwwC8_CfzW2obp|eGr2oScoE^(o)9L^#$Y3vIGQDUO_ij`b4ncV
zFd5n-K8-$wSS>8?`>dAF4dW?g4gp8-&zs<!#1B2ln1=Ou|LqGW&fn+$7@!qdpB1#P
zP8>$v7^rfxNK*GNp8b?R1T%xU=b^nWesV@smX(J5WbPHh59;ez2Uj9xItRgyVQqB9
z@!2i*=3reHLTkz&bu9L0KKWra*X|=ScU((IrQYJYD=)IQRpOe+=B7xXeW%&;%yl8E
z(%i1={dLS7@JARAJvj70*Nx9d=EOU0^$5#(y6v%K?_HaO#9CjiaaJ0q>o~x3bhCvY
zuSY%2E<ah+xNCdhI%Gdnyx~yLCPUk&H1`n18rq|Er4grAZ?V1D-;TqnZ>5I?AdRH!
z12}||fE;OD+*4kek?7zhJtYGpjy24m&0La+i?Rq<myH(bPikjlXtm~>O>Y08oUUza
z%bv+Wjc;b+t?~z4KvC*#2PX~1)!ojHr79X(wS-GfmE%X>+`Op{?vXK<3Gpbw6a|bA
zt(cZ7_>G(U6wCZv8X*_eOnwQG3f^9fV$+90`Zkj_yT#AZy!2_##2MuazIX}phOR=`
zB+7GiBY5+c-({77w@&?k?*HWw?l$1*_rR$plDKKIE;(PA!y3A3>0JO%X{rWxzm2nL
zEJV>l%h*KTW;aPis%LA;8f{>K5A5xE|AoD&F(rP%yW?B`T5e+mN{S7l-hfL)ZAzz4
zW+Qxw;ZA>#CdI(hxY-suZfJ)-WlEjGsjdvjf26r0X_d}neh8uxc{z(X_W%!x!+3rT
zan$-S@KWri%W26UlI6B<o*SNwK7|ok&#$#N(U`+OP+hn&d<q<9E*sQZjac>HncXUu
zGM5oqpHru4sW`|lrN*`csQWouJCP902q|M+cjo>MSDV^oXrlw6aVF&*0op@;>BVJe
zcB%3YC-GiJ*Nnq&u!dQZxB;s&+~l7WWo=gSA+`rELJJC0%CB;ngTD5`+M=(0P9uq&
z7QjEbnQV7<Na~x{K=~zs8qlT!=t_B*N93w}(R)XT!>ZJcxmKM;Wax9tq37d99q35=
zz=7?Y>?xaOvrLB~rr_@bfFDG_SyIy|2TA+wz}(*r;(FE)`Y)qj&nLi5sxP5tuW3Id
zvy)_2hwl)5pLp?#kfb(24NPw*iCZ#s+bPn;#BWO!oAd&2Oh+g;q-d>fEp(vi@BM7!
z$WY0Y!hs9>I^c*4Z)`#?rJM2wgqb`m*n>E3LYAVkJ)Z0eTd&b?g+<88czNb-dVzzt
z%h5oCCfcUD3aTe`MtSuLk2#w>DeS!1;TyfBROHEi@p}0sK|pkOB05v(65yhRj$?$7
z%xJR6j=v0GS;$4R&gsPM;yOxbG0qNd%^Mz>QB#@gB1qQLW92vhem$mYDR_D+nZMG1
z#6<D{)i#W6g8mGamCURDRw>DxSm0<(ubV_gx(q2RSC=7km_WG1ARw~fqy&Q7xr24M
z`&6NKIZ|o&)kgT{*1(98#Ksg^cXTH1H1Vy9pA>7}%uKaO7~P$=(ESg~1*SA0rvjbX
zgx%5XlDjMzb{HGqUcZTa-B^B0|Fp6FlIB^vvb%XMg3{KKmwRs}E4vAgx3`Xf<#aB~
z>8}oCNBCyjgc*O7lF6sO<_93E{CAQ?Gq9GKK!Q6SP+zt+>Lws%kBR}1p&6NSYde~8
zr*NGLBtU9*%~|g|D}gsv>1JjbdD1cZ*|WwRnm_u$l4S$4i+fezcHDvkMHfv3anV5E
zvjpL)6oHr8#!<zz%%i;<3@y+5CTPE}PWS5@s%zcs9JMZHK57|FrS8@OTtTt6Oa2_b
zY0#dQd-$`iXYPcYe|Si0(tC#HYy`<L9l{sS>hJQM)v)Zg>9RVSoeA}+bhQ;KtFdX5
z1}viH+FK^VLRG7iJ0?r7hKM(VTZL_w{@@43mJX`n?x@C?gHG}3EGu$fAH<8~pVVUJ
zMsmHdmTl#5)^*z9`k2~``~||$>8~vZye-L>J(YHOULLQQ|MOdZSOMlru|cq{nS{){
zp1{!(SVin-`WEEl)n>|OE+04n?sV*h8P{{$J>4&-^SXa^l>*iz9*q06@&!O$x6o+|
zmmSvzm3be4AiE*c4CnBus)vIiHy%yx*j2neeVV=LhCZ8kr>O8=`S6VgKE<9>sg=#m
z;LydH=DGDs=@c36yG7oeDo0CmxSTMXl<E??f1R<1+nTWa65$QvthPG2i+LuV^aG|&
zoa65Ly5`Ca+4dWM_%&hFuQcj`^Vp9o<`{#mKFLF@PYE2S5o$va1`#Dkv3D>ubyb~-
zy9Xn}$?1+9iQr;4VaTq*{&WoPhrx1r=?BY04AOOOtPpIIR(kWU!?Y{0wK~$Jf4aUR
z@A|EjTu1%g9Yw#K=YJfg9p_rNizks4I+%oICKqkc5+L_gcHyY?1&B_~3b4&N{H%}X
z`ldlg(IdQh`cprT6UReS0_DZ2@w8nZx(@A>r~^cU?lggtr$=46KUOs@5M^;lY}7kb
z|2B@j-^=ZdwdbD;I+M#~C2Kxjep{Q<l9|=$0%My!hwQ%drdIH;`AvS{RyEYtcEz}D
zRLV{Qk--WeC1TDihoABk$)>5rt`6U2>R;WZ2vV!UN;&EIDv^<T7n@iDOSG@)dOf-U
z>>rt9_^ZF#bfID2;ksngbmHF@51+800$%_wbDvUNO#982$q_A8Tz{A8c<SW6gy#mt
z-XLh4oPiRPiqi_2!}YHgg!<n@dB?lS8Ss3nd7tgjYiu)SJ8s;FuHEFb9b}%NJt5}D
z<ddzA^q4&DTq|&KCYBb6#S*3)c^sk|i72yd9~eqxQD?f&tXh*gMe`swi{otP1rxrI
zsj=J%%GzO^xxHUAc@!CB4vspB@Xo(UFQVTlMo0GqS@fC)`&b9KF#Za+5n6+58nD(w
z5Vg>@?A?hzt0b_leuUr5R+F3jW?@5P<9g8ARavCmQ9WFCop1)>Md0@ZVp9q6A<avp
z$Xvg@_>HHxR27@+W{s#haYokK%$55<!#1~?)3<Qtb(h(BHQY<T!6?D~n!&IytImq9
zfPH1)BqP<PpiSi{GsKmPIpkVfjP1@biw=W}V;huNOOTOB0_SCA?Z^1rdCu6-@mc5V
znRk{2zUgbfLSOL){5Dva)4CFqFn=-=+mp`?BJ%u#%NZ&&u3!zF90zG7_jP~0#m^{Q
zeJga?Ug%-a(917&a*`Z&A1d;COVY>I#_F2WQfjWw4l7EIK~^Ew3@5P=)9N!J6{X_d
z=?}&tw0sFy8|!Q%Lt0be1#OOG|4qt5d%PGMMLeMeM0Q!XB5%JAX|5K3!~<q}mX;mm
zt#n;koqFeZ^P9)*i$&G`!`8<0C?7aBJGq(hoTe%h&lK}+yZmdWr}6EIa1%v;DX+M2
zO{M2b_|VhLPB|Xy(_O=XX0r0K%Y1*%1eI2NDlZO^DmF+%a9bVC;1s8C8XP$Dt3GfU
z4k``nkD5puZP;Imkj}-K&ixz6Aw(n4AFbzewSl0v#E}@rd0<4dL6J7E?pmOma%_a7
zGE%1(;~h7Zm+trT*mDoZU-3I#p!%)uZ&)7!hwgLb0i6329I!Dktx{-McOJL!a4a&N
z^l?7jAa6=FCy|}hp!oc`br!Vo=6r@kefM&Mk7c>J^EU&FIx}m5g3VGRwVY{}Z9RvN
zZ!TB`7ZFrOSMV(rp%@$g417NxyD?I|f)u6604X|8VIuXD+9vZ+%I4k;kw#Tt$lD2s
z29%=n^!ZRql)uMW$g6LexpjdmrtD<#-?nD8v@Qy`H&2NY)}iC?K+%I9Sfq#xt_Q4y
zRTIlL6RHHtmML3LckaG9j?*w1dfUz0<@=%X>B8#-zt#T6qN+mKo}=7t`RSb^wC@@t
zZ799eAb5VJY|Pfe=D=}sr)>^}r<&wH2j+m^k;n95NV+XF--(Rg1jc+9Gfo-|n&a?|
z%xw3E_$aQ_Hd+jMVeJ3>UcT|}j$~Ef_4%vUFWGb=I&SCnb)YSL^LUIw{3~#+TC!48
zk$z?PFZ;nTHL&P}<|%&FdrvbYj};`x&zAbBK+D}$hh2tNwmk~5ghw`^jWy<bZ5Zhh
zjS?S&j0az<3t}BLvaKd<D{L^Ss!PofgVkW&w*Uy)-QFP90P+?E6GviOG>g|9dh>};
zm?0#fY+cz69608zc8X07qH4fmG1J**dTR8basXg*e9Awss|5W++!%u<8j<nEg@{h`
z>Y3R!w3te3%LE`z883^uA^G(TrT2ES>Mhs{(aHn4@jlC3yRkO}m2}f#{Nkhr5)8Ao
zoiQD9eK7szYDk8tqaRLsW23k_%d@>`q@t{#CAJUI;2$SVn+yZ+D&oQG;D22pv!!0&
z%4`a&1Vai}F;+oY=k%BR{DTzI`<I$e*oD3kQer<7TJ6HOITRIaW73*4EloAaRj<7J
zKD_j=2Ghv7J*#|u!d8$31mKdy*?cU$b<d9b!|uS2HP=t7Q`|gCp9B(XBx1r~dFS2P
z!fbZd(`h#;GKNRBjANuBw%$DUaS0503Z)s#(EIGG>w+vrb!$o5Brhi0KtGCU+Cbk$
zYnMs9uT%;%5EnL?o|DeVr216$%YbpqfjxIsl0>%^YqCwIn_Z?%`<wmU=NfcgCj14W
zp!^H$9pHWEd}{4+eWixT^{IZ}cUL>#aaye2dvd)&)<t9C0;!zYC(Z>F2_$vk=yQWV
z$I30um_4Y-ZRkdDv+TxZp=aH@4{;0Dj{vh`HpwY9il0mW%!7AkQPvAXkaiJ9iZAr<
z0H4=DJ9J}z#$a#UxtbdJSKQRxMR499H{J~rU@AeI^~qVU_7pAk$YK}_7fO93;bcui
z>KkP>8*#7TYsuYTGMBGhN*+jI(Oq>UQqEPISeI703=cW02TyJWkB@E)V{T-JIA!RB
zJDM4SOU7+|hlkWQqwXe9@@MdoaR`rXfxmdpUyJ}^#@Lnz1xV7NCH%SPQ?-!vqf-d7
zS>pM2^Se+I0*xz!-90J<YVmXsRgT=3tk!-S?<?%2;h<Pu^2#R?Lz4A#IBg-j^j7@(
zsQU#1I@~<dDed~<BHx;Uqh8vf7JbXe2V&b?n3yp)ZeF)M(5RwTabx6u*#Km{0TSus
z<-WDwhSSPh*N6H8EMcGai)-TiA<D<r^11goWqNs`P-xb@SSD||Ol`{x)5~e{<x_(p
z4L^oI^7K59l>uDVIsy8=4qOK2LaBL$Y-}&2d6|!rD2*s^NZBlHjJkH%;np0ob18c7
zs7_z#*m+g`3?W>8XaaOCs8ZOxy;VqUV{>chPH9PIdRS{UB+RzgzE})8{=fu1NFFpC
z9I9x{GEs-8(8X=cT{YH0Xn3=7w6+n2wX2<50^24)Gu<KK4y<n-ysO0bfaMa_mWR6?
zTLODT<TrQyo`mt#p3!wC=s_c0P!!W>w+g$TN(v$J(5>nvmS{=8FBxCM7te)PKc{7f
zVAVCJH>T2>6Q^)mS~|J8jb8c}J+9V2e>EAdmYbWKV-p&M#B3$LxBUqeE=xk3E03-i
zgQpQg_GruT_r?vUi}n_28wHiPc5jz`f6133Z_nCuNlP@T;%+@G^%t=G>Cl6jF8~+z
z(^d<Br7rkukG>A#U9oVqhXy%i*@1hUAN-zIqh{u~OF}qaav9j!s_kAd%s1R>$V){k
z;lOQ!w!i-Lcs?q;`qc+*nv*v?Vgwu<*HcGxXcKWqbC=8W+qfAZ>q**|c>$of>wr2m
zZFDdA3(gGs)QH-sx?PO9ITf^c_i~<u<<%G~t(0jI|C_pkM~&+1KvsCjHV+Jx*u`X_
zWgrCdzpS}A(M?NFWU=I^MtV?#?+ZM?u~Q>0I~@I@U%nw=!ktvWlujGnTAWWGH(2~+
z5!!4b|GV7tgLh>=s&%V4#69QV5mdHuF3m)1I{)sdKL13-F@3&A|6hODa)G!0It2#?
zkjtVn%r-!}bI;iEU-|q0JNo0E@e?sOV2lG#A-*E!KO#hxG$DXjkLII9Evgqx;loJV
zhFe<zzU|ym0m4(9mvMmxDKsL97;BQbJH>@)er7Q{y%b<mZ-(9Q{19iwT;F)NJf?W$
z7Jf?OQ~m@9cZDb(+osLnqX@o&*_Zyq0*3l`+YsC)6c~Rm(eFJR%pd?EV5Sw{=~zLE
z>wI4f{02-Xr?X9V9D!03T58PQgpVp{<>8@!UT-I7Fzufv*EX~HaoxGJV6tPKY>j#E
z%4C(_oRgnHF+C=-)c7^gt?S#e$Y#Tk`d_pHygx7O`B5@psvR`hCJEi`WNMR#zmSZA
zW%ssuou*fHFQndYZc4#TIjcJ>Y=v<=_t1RzV23?Uf$x$FnrN69k~;Hhp#<f&Fz42T
zKmQ9RI4{n*4*DIz9fxeW;X=1UXOotfNs)42ax+2l{r9u=gg4*CDFwDIkO;qJh_1;D
zp9*kxR;+(fRK%f<na#Ka79|qJZI3bekhlFXC8Q4X_OJPt&zC@^!`581gR20@%|8|-
z(h}rPGUN5u6m)3N(0iD>8R9s2A;j^r%m+o~FX#-3w#K>qS*NO6;w+@=>y0wz_B*O^
zYj#q4R!+K4^K>b{eA7w8AsMNXIymHJPuXAD9<^%5ki9%%9{Dnv1Kx}H8i2~#6zC%r
zUMSvuh=1y32YB&F)m;nYHCj)11-=R$225F67P0jECKsXeumOLujgpnP=gQ%<{<cD>
z!O?N18=y@7jH6WLu;25t;9s<yI5UI&hvhNi4M2>wCW20aV)r??xoCnG5VzZj#@KyP
zjRm7-x9ciBLH^o7<wuNfVxBB87M2TB^+#_RoZ?;F=b)O8&=f$drAd0tUWS9__uN9p
z8Nax(v)J}6`~LIWkDt0<&aiv(;)<<2{*bwwH;4W9$+aTUWO{`vt?5+lJ#jO5Wm_ZL
z8S*pRbVf`jTrIyAxj8iN%H^Z0M9KUz4-$bIJ59j!o{-FV@U$1++a*zX_xCUSY0C!3
zS-<J(UO_Hh=gEzZR$o+wg-(0{=09Z;+Y7aAoNyPgSmV(S@F>PZU-gQ~#O&Utgyz8N
zStTPZeO1(R?pw>e?s?+NW1vy+^#NU#7`Bl*4|?s;SYEb@aVafd%N}|=uCy=C1I}Vf
zw59#zCAbR;zaAfGq<{R-S#?Fhm|rG)5vB-;?S^TJ^GB9lnxT386VmA&niO9bkraA&
zcJZFr#Y_!_f?l~T7cIN^-jyd-$(;s5b`mG$R&P9T*g?TJgPM%OOGWg3GcvM$`yWoO
z4qqQ_*jyiY@0w8@I+rtDIuyz@I;yw~YVhAUMz??&Q`!??&YaZfG5}zSP<jU@RUXM0
zj(z@`QLQ+iHjMZFj7jrh`_Q{8>7{y=`<*#>Z5wCXVFCR!&(;+QZM)_K6V$+L#RrGn
z@GC^$nwoWcAhnpJiDN&*CopSuJnd}x1PxF}pID=5QEVM3>dWm!Isfrq6`kJNCr9-N
zfvm_ta-0dV&S+}dkAZrmWOMz-rE~Lu9;MfH8u1+g<SI0Xa|4F+jfY#Q#9Y&HyK%+k
zY%2k@P1BC#$qTBG6ECYCe3iWR_<phePA5-fsVVa-t$29`>nuXUWZU=#LJ;FK5vH@X
zI}fHX(_p@^$sH_1K-|TdjjA?>;N0(fgVeSsuAA`zRHy^qk)r;J8N~?~hvUPNP6k%T
z?QS}WPVOtZ0f_Z?VdWmPlfHQ(6zMFlYVTW<%{W)Pxo*jrW$6nZ9w6q|@QV}uI>IaC
zXhYB3yhAPfmAy!v*i-4)3b4uKWKGM|`cE1gH6x#78;kHovOt#yAJ&q?5<-y207L2V
z7MT*gvsg@M2Dntcr>X5*Qby(zDC9v8&(0+;+2re?8Q(<x2)4kX0<w6IGxX-?q{lm4
zgvlE9M6HoC#_9z|HPAkXZ*7e+%fW0p;BW`h>W5Dwq0S#$%IcIrcbRA5{kkV<>?Ex@
zaMvNcRu_%%5cnuvT1|WP2#ZV`)9^C3`_q=^Bk@92V5iXI?(Ez9r|PuN(@(+VX<-Yk
zpzd2{vHq7aquVkQYRy8Zp}T(!M{B&4JhDejGehf9Z~vyje%*b|e(^Y~MsUf*Rk`36
z@lu5)8OVN?`i#F3*sHkqy;ETgHEky>$qfk(oB@Ap9dBhylbvHKDOjrgQHh%TCRd++
zLn{T8u%#;r9dWKRx=>xUljtZf`w70|T~&aVfBp|k6Y7-8OCQamuy%LlIDk3Y;zc)d
zto{RFrNk?=@-mnh`L#o6IkMaKA$c;lr(wreGmG<JQN<Zz>CeOKq<z1*AlU`V9Hd3l
zPch_a`3u#C-NM*de`(BADH=1mF^^T}aF%h(K3*cH+(7d(Htutd({$3i?2*j3WPKY)
z>!-`m#20$oOV@>|`IP`R?_AU<aF`d1TodM`q25;N)H~UYoJF##$cLNuXv%5@4SAUa
zj+^@)>g(p8l@b+OHU21_W|M%L&3RXCJ91OKcox8B(WUI0D6HbvcIf0}M*c`X*#so`
zn>hrk_3G|t=pz;TUcv=wgWbPyzK|24WP}%PR(0S>$~B%V_RO(zVa^H`{U68CAh*<L
zF(nG&JK`MdE*54&N{uD(=&JiBlA7tsO7cQTwZwBdYDcP&O;q>grzoD-BmDOD#Y;)q
zRK$6BzbhBRk<2wt3?alo+{h;rW(>I!eYB@SiHeK%ZU)yds>&Y{epcNN$|cqT{+$kS
z)CG>D#}SrgO@&gCZFW66HEFi~!zR*LWA)IYQBhb^u@W8a-cpd`5@tH^g9dO@ILQ9p
zhEzdvN+BSHb0e|+-WL(Im?9X{#bT)@N(OCBcY-(&Ug1Mmzbc&=>la(rdY5%Z7T)d3
zs%_4_nMl8<1@ok(UtNK#jU{hDJcvhamwMlMNGsKr9B;Ca04V0yU@yemvp_D4OEf(q
z;RS)KVVj+1X2$FX#O2Ez#;&^d45W%-1~Xjf)6!h3Lck}kYjWD>$zfdxt`=8Pb)?}q
zysr|9qblk-<Ztr!Q>RJMilfwe{)hU)O6O#?0`Ews``T2jAwrOhY-QIb!qSZ4KP*ar
zwZ|C%3ro5C?+DQ~wx<0V5~sXy4=+!NP1$Q!j%kx|<?wa^f}7*FgD*UjaFjPrkGxTr
zCXGo8`;Z~XDe0TQ|LD9lyt*#BTH#BAQ86Y>&B~|fjF`nK4vk-eGUYgyKQGw$m&JKN
zPe)=A=i4M_X>D|qsRjbCufVANnjnrlUR~$pzW39S%&e!qBz}z5iHi6xqLKN|C)?6#
zd%Y5SJ%9hRHdN|LZ4aL}|CQU<_;1g%oMI8Z`lML4V=K*UsJN=teIGoGZFpqtkm4+Y
zkQ$B9_s-AQ$nkmypCZ(oHqq}m|7$m)Ny?S!#Qf=M=S9YCN>A+FRF5<+6+jE%t={&9
zJfrn=Jc~EHdSkiG>!=juBd2?X*$>Dj|8yaeaLJijVPw1s=wVj3F4x#%=8O{^nh<%R
z@M~U}yu6m-*{L08{>O_S-3({jy<zq=%_5l3Xmyo(;t0Qe2Uruw(;$9+&Edq)nFqwB
zuX#eE&&_`Pw7qfT#|gm7trpv*rTp^NpRPipsP1~FuC!0_6hzs@u?ZDla=GYR)3=Q5
z@GYU2=zPg!r6tSutEWdYb_R6B8g~z@w?}t+XVmL`vgIPl>2wWxdO8ZTwq4z7_HF~N
zzV6D2fN;m^UOg&m(BUSQ6#uIh#k4TR5nLH9<ESeaZFbkngEanO(O|z6Bk8>{b@Pey
zu+3H|4z-{wepIZ>55-akXq=Sso_s!CL1a>kJt^5Das@%WI=%?-F0R}bR^N;8%hysU
zy50Q)sX=0Oc2Zf~ybaRV<zw~$%SKMxjyRu>gI^O6V><j}bt)n?4rWpTjrn8J=$4r<
zz0VOpgh7kE*3x8Qbw37#MI+c?niLMeJD4I+TXIxyN7k9e;-va;QmGr3CjL?l$tXMd
zWg+M1#20gKkFli04FTq7S$|yu(;E*P#@fxol|z1aWncnJ=Nz%K=EkF1ZRpVSNpX4j
zOgnpv`g}WXo9agqOD~@3sez(NX(JVD4>#3^$f^1h0+K2>J<s(PZN%SC)@-sq`8yl0
zLWzwRWS*H^P}DReS3nbcC@|0{k(`S!Dbcyom3iJ7$Pe~$HIc#J%ur14k3Fb=e{aB`
z&P4DV!}%y$SA-Ev*+<5=JZ#f$nNp*7l-cRDcXOY!>nNT*o#X<kI_FYkGqRLv@#LPQ
zme;mM2m?XCNaH3wa}kBuV7p&gkgL;uaG|wsq-tBUskG^ru`woh@yl9Gqtq+cvTeBr
zgzCCN+&C`}U~%c_^pY>`hY&9ha$`nbNruicV}T!WV<M=vEy{5c9P;IF7rAZy5zUa4
zAESG&ZET-AUW}96-is7)ghrZ<Z(M3@oK$y=lu8@EQTPLmj*(yWUo`19WO<$2-OcHA
zRBPEQ&cO($-$(en{zj!HY0J+ax%N%z3fBd>6-pkC+m9UQcfCcNF)<P_nmdvH!p@NQ
zG%0n@&F1K>uE@IhiC{#mA~DhtbQ%!sWEr8pe#`EKT=jN@g$W#7!<d~V#{1ut<mKHm
z<{kRja*{5?0MUZxK|D~uzOHoumFifGLePD8795(e58uV*Y=#M@8LRhgeZMUgdM1JI
z$!$LSqUy>7BUc}X>!~e`fUy_D!Qi^HV?adnQ7L>&m!6L~oYn<cy6^Mv!NMpVu&5_=
zOZZ5e`dF|i=sWu0(K=j=y#4Cg1~L6n>^&3V<v{FC?*m4?-cyUI^GlBClgr_3Sqlod
zgA~wwGM*LNqE)O1*hO@-|8A40pWKG<nuPT*6(hf8+Cws8)`K<c29mXw!JmFql(X{=
z9qN#6shYGXI*68wYUf(TbZ7Tb1HH)vu*>BM)J&p?6r^)%db{*vHBo`@15vihT$8mn
zApZ-z1966-NjZb<ZiHWKPFXjbbjLnxIGEaJS2O0kYeGj}8W#?7JG<C_CH&p@8exOS
zde>#V2d-!4IBV^j7!8^p_~+E6IjDoZBxgg7a8nM_*^P4wt&`15ZRltFE5>T_%bdvQ
zZ(Mz?Fk6aNuZsjgRC$S7!@%DWuai>wI>^f%+Lx6+YgfzPj)`0^p4eW_IZ<{rSHKr1
zRHEzT<|`zXy6L+M*!Tcc3LqRtSJxM3P)rgLwb60A!&@9vSqRQL6f1^Y{LKDT&_-1c
z^qy|jpg(Z^o|KXG6>+psXnQ8*ec0diDQvyzkOTAL7d$@lfy$9CGua#NO}n*VK?9N6
zPt)|Q0CIaAlbyWXw|(wT$!dhn$CIr!)fLidN{`VooShs{w@J^IVB3I;r!Lm#D>RKB
zHL@kQU7&4KQ<|niICbY*e8_~mlP%y<nkO4wEYa`qR~?WAUa9_*Fx?K}4qQQAExBhd
zQ3O7eLD0n+niIOGeA+oj-fTh`;sq_LtJF;Nc}KG++7{upvt2<V)!ktd58H79cjQ7n
zmF(j+bT7gO@{R!%6%fw~5MD)H2VGFrXgi$SA8rb%iAn624-1Ht9CuQFul==7>uTu$
z%SH1F6l%$4qu4hfwgnTU{uAG9AYbWskTEwow-<rL-^$i)H0gn~6m1u{3d4W-EF_Aj
zg6i9ogSoj^nJgK8C=eIatb>|)t+Dhd`6x9^wRN||nomvOjRHy6iR~obNYp}H%oE!Z
z01PL7WU*G_+*R?@t74qY9twXRGSWK@+@?$c&vn-gKC9An{L-3f<wH<)TGqF|e?QZI
z6#0@+>)+M>LQE#nfxMMbr3<KKIVA?x?I;4pHAW@&$GNAgO*VF;GS8z_-fr0Z{>b)}
zl=p^yk|9qfbj!Q)PSXOnw5mbY>CScI1jh-<Q3Z8&&8?PK4}FG`RMRDsmkp19^AU<Z
z+nxJ)!u=r3XKt%%yKp^hJNSXK@Pp}oO}>l<o4QeTPn7fj{GxgR$jV6}z<`rvc8caY
zk9^}VRZA)Dr8kbcEYC7`4Ms<`hiqsOeCVIvX7*l5tl7H=n%p)(unQt0UlZ7$F*Fz2
z1pxtQgjoth^o!5osa#00PI8>dg9`;s26+SaKSz^`^&X6#7v74GeoU}ObS9IVXh0?#
zhiJo8darSzICshC1Irr;-9Kf#(<GP{e($V5X0SF+o{VE*Z<Aw)k_o-lG7oDh8aYSB
z;KH@3h^6eP0y|jFpiw3`JV-=NOVS!rl=19I^hKNCO`*GHMGG>kLh@4h(PmqmMP_6D
z)rekm*M8Z`gZCl+lha!M7pm30ft~)0$b4A*M*EYIIE^%zJMCR~KnV?D+w!e7bMW^0
zwOSEPVEgq!`a^Bi6`y6k6xZDP%YQ>D@N-kzPv}7F*dd36U$LjH_q5%ZP)mJ7#g(K3
z{wUcN)2qBCc{MShy6F!20(W;4$)c*LFkZ7MygK0FLlNx2pkwzF{TqFRmp)Aiehp6+
z&p%OSac{OrWyvn7{Djv_PQA|z?NOK}d1s_E6cf@!-i-N_{ZQllGD*2k@~+gImd+mR
z;4#x3W3HzDs=pqCHZ%SD%4yk%LkkqD6`yJw5MWs>T~n|~$ejgR%rR%Cu{HW5;7L)R
zi+s^w!qFp6&WGKj#57gdDfSkZ`L@Zmw2kj)=H5$|u=}w*Jgs@nUEpgM%Gye_IHNVY
z1wG%l;RQS^Dtxkft3|$aeJbF0FZs8fGc?C)LTyM&{H8#ttspND-u)m|LJgPn<62Sq
z{?(OoDH-TWbFjlkOPlep&i5V{aHiYswk6vm+q#alezF_MYh#<jx**f*&q5m{(j94u
zCJmFyfCH8*=j=ECjX@1FMfKCj1-lao;!4!96Oy7;$40Vf*oCQLVCegDlmiPVV+|4?
z(K1NNvDk<SJP(CKBue$cs51P=u2VmpuOITfUg3FR59GOr#hny2-N%Qqq|^<sc~CN3
zrfGs<&7FYyhIEj|jBaVWRv{kG#Wijk1%C-va8KH>`0<NBD6J!25=ZNzU!k!r<e@*W
zVU{z>9KnF{-8f3#>eqhdCYyO(jQ$yN^-$8Up~bJP*9B$ov-#atPm);hnyw6wtTS^#
zw^*7y%eD!`OxgGpPpUEY6CHw4MdOZ*IjvQ&^Z!25{!#cz_)ix}ay-T69eHrUum|wC
zY0M>gVI><z_eM_ma(x{tce>phe#!eW$~#GUx!K7~?U}VP#&9*CYzX3Ih?6w|`b!D`
z*~5jP$c`|aGcuuiOHE!>)uFK^`><D0+%&<s;rCLB<+T9Gu1f>10kbAiv1H?Unb!y}
z5S!6wnx<i@(fF3qay!N|4{)xampcZd1qIKm4h5*@)jil)WKn&=Qahjj5{P{XA#n@%
zW-EP~x)qxea;yRzq&V@@U+EstOgxL1gtq=!a2z!?>qfui>VpUQ>X;70#@S3~2>+lo
zI%1k&kYN^%nAvhZ2!iZQ?n;gNgg`6-q76}DlkN;BxJXiVwT$Ooqbmb|tvzQDJ?ALU
z!?FU;)qO`i%e(a5x7jfM`Su3v=H-B}`O5qx@iV|u*;_ttk03lfqrafl&UdekYvReR
zs!&aVF2i*5M^nx2P~LmvdRfVmyF%!Pa2idHY}_SYkM4qiI(50mL3P@o619<&wN05z
zuLk9Z<QwW$e{AgB-?0CkX1D8NTY>0MZev?F4&Wrbs@YOoMX6Tx6ocYIREvEMdgq;T
za*UN5qO!-_WF=c$0%~pFu}@#AGy#PM(+#j&1eNz~X85r~>B5RTpa@kaaCi4V8*^y}
zL$(!#=JUC^<J#nzlLVC6>kWoxX+KHS&H0u7REs%Dgg^h`FKxBpMAy3SZyPxm2F9E*
zGcP4X^6Wo&-uOcq`Q1!ni?4=Xf)6)V6I=C2($ys})hP)YH2ZY{eoRxi%OUqJ>CcmM
z1wQX)<T9@KoOvj4V|K8C`I6y&6c2RB5fqbU6iHFsia9o^a4Ms`znJ#Qd=zV6FH-9t
zkr~vT^^RrhxDz{{LJCXQwOj3cAP>ZGn9FF3mRrS2y*={P2;+W@nvTKx-Ime!J&PYU
zYo58sc)NL%lZ9^>Jo@~SrF;B<Pkg5+Klh8Q^I!TbPJV9C5hZDTFq<~L)>5+|T|K?C
zvrR58uE}3cjXPCMezhQgBI>|JQsZ1$&2X${n2EhPj(aH_I%c-{cfbozPL>B<3_$pZ
zSn&FsiR~JalQ!ZWC$Ki;3wwjeHj$f#-DU;9*IaJVo`xu&TZxc-QmvL+?|ZJRQ~@hu
zy|ty$4=W*Nu%7%KS1IPWVttgND~$a9Q5UF)oyvZA?rh6o>QIoDQ|oBfux89gJI;iV
zOD8n^%?ta$x;;1K!vGSKw8iP5!74Liv#1_juiK(eqr7|#)3aP(?t4m&op&%ST%jIg
z&>|st^&{l7-_5baM*;2AuJi;o>T1Pu8^%D+(Pq*=N-G4#v=%jPJ7}#gX!fsjp5!yP
zxQ0xJD<!%DblZ-{x&kY3X}c}8sPo?)O5?OuA<uI@r`roY*Hc(KebqDOH={J>j{Mtj
zWL0GhZGo-{Ri>tl2M;0yy*HzjVnfk5=l$x<-rRB@)g(9-w==!)4gHkmM32OlQ~3``
z3tQ_ex<kzC0qqs-D!WF`e(_*-J&fxsQ+&!SvcFYqqzb}?n+suAbW7;`WAS%O=}EkR
zkt9#tl);U^AFZv9PZRlqFCecTy@ZL%y!eO3Bb9SC4d#@y@bOKJ9dy{Z2y?3p9M5$k
zQQ^z$@SUc2KXxeZk_*u^AF?g5=w@$`3n}z5_s!DC8dF0Dt_!y=*M~!Ye&Nmu0v=rd
zYwO#hKdc`WvK+H+_aaRH>1eNO@2uA95IgpZNZx+4mzlBo%q`pgwWpD=q12LRsMK7F
zeX3J1i?u=j;E;0X!5+Z?z5YwATp2V@*_#$qrON}9%FZ;viBJi~kFg_-`Y-v5(H>lm
zoA~W(abJ0J!TgsVT*_^nBV3%t4J5%3JVNaQ4vJs>Vu4Cb2btz{MA!m;u6mQGa{i>L
zY|@<yBOhOl>n8c0<E2Wc6&y%dHpy3q{1h-X(mxI%qANn%HJQrMo6=?t2~Fp&`%76D
z4w*frl_=Bo#py@pP9>wm<>X%x?Z9+Ihg#d|Sr|7(rYn?u7ttv~+Vp6-Q}LVAhNj*_
zk$pILEoUh8$bqF6^Vz&X*5b~ea{b}N;z$>5<S1Yu`$eWQEGQXQ--NoAz~5SGyc?nM
zH=iI?fohU+-)f+wCgri`5H(*Q+>g8rDcs3wa~7^VG_y|ZuW4GTMeM`2T8&}J1V{dl
z5J|k1UubL)%ds0Qwmx)^>2>_gqb7i^2Q+@uwDBIi0C^;CZ~MFn66fvksgbiv-=9Cx
z@Vt=_H_zEV-fkQBvqVvjbeCj6tHTXQnXryy+YBSY<kIweY51sHBFduc7)bT&sr5!7
zBD%39MRxg-sgxCWzf}Cqnu<PZFgZ6Xo*`0=$}5hlhJoraUw>`yb3UaWuHi+Blf8J2
z)M~J2NwPb;Sx?X}Rf4b<uzjhU&(=(B2u61#+sRU)jg#Bhlw?g4eWkZat`&ikuxz8P
zs+MYs6GEs3JU_xhBM{qi7L@t)++_NiK`~U}{jFl@FIC>zI*S5XmJ%*bf*DIc$Mr6b
zHTPf0&}ejfXiKY);@+^NJ22o_;3Gt?XJcP8k4x9{Ic&#=i1Up22WMf2bMmO+OLpI_
z5VF^t+~@ri;Jp;K4S(`XkFEeEFA+g3`ZmtI1ePa>Lf~_Ob!KG+-^)Yz5-&xDKXSZn
z{n>j!?MW73w@>b(s?Z?h$R6RmrZ2RR_Qw4o?bV2y!ZKgYh+KT_v8YAo!4QSiz$3w*
z@0&NQQbW6~FEZ)^k_oL~%}KPrB_T2hA4b6YVQ*QbrH@e{TES!J2Kp>S1XAj@Oo)e{
z$AUZwoUk*LtXSq1m_9`?t_49#mhWnlOf{$IOclG49HUG%!10gk)AS&o<c!^gNZBtt
zW71B1lD6qkW9AwC1v3C-sq@S)AUL;``xh}ZrW%fnyRiqhidF6Ln*|d?72z|9uwSdT
zDylaKnER&#!_ELUR{k4u<gR&aqFSz(-miTS3L0_q>FA{i*qw6UOkHt%1FV1m+Lrf@
z$NQg%6-r-R|DD%TU>Pf5`US(zO~Hj}Sse$uto7+#ZPzH*DKSVeb^WW~zNJJzHUFCN
zvdquIMFXo2c{KQ3aP@@=%b3yh$Y2xMvSOUvu(5x5G1#{tDOXbn6yBqF*f5*p-;({>
zg}J$pxlbNR&O1%}GT)qfd>t<}%DfJ{4@4UPe#DRNl>LTs_X*xIjH^O@$Z%PvE?sG^
z&$rlhv$8%;GO#ha|Dqu$70Iw9N2PAI19RO0D*ZcVA72|@?oD;MM25GQ-7OErWt68Z
z53K3SU9dk(k^YAzgYD-63$J`Dt(7iCQ(k~qU@^0BS=6^|?1rt(U5aP*=W524OH!S`
zXFJiy^sb3{L%w`Cd+O4GE)O{-9jH8=hw#`hK8?3@lZ(D*Hri-BQV^iNyVThyEPJMc
z<vYt`Ype86UR1}7NsPvl{9y@JDcb?-BX7dL@%PqFQ7$#q+%Ys1hFhE43?2ETD@oID
zpRYiW&A7Qu3Vo;WLKE8eFrJtvttfg(QrJ`&&yZ4X6pOn`r_3ATJI&)~{;>ItM;E~!
zQ(}9zg`qj~fHv{$Z-zQ;s0PXlP8R9aWuIEi?z2E!r`%LhRMO~)^nBW!CBbf$`u3gV
zi=|e}4)I#kRN^4F_zEVbJgSUl+k=-)?}@O^D8dRmZ^tNk>1#^hs5tkJtRsIO2rJ8F
zZSsCmy70%WlThFO2IP4^gdhO5?S#uw5Q$0<0lbl4%N-3A()D}Q8JvE2C0_Jxj1;3V
z;G$#Q@7chh@<Ayj$Q8*M<KQI@EuC@GLF1B4Y?y-qWyw4&Ak<|4fzkTtocvyW<h1w=
z#u)%~TTsRgnjhuDM3hifEAUI?DqGB-o?{;2iVZunK3q7j-^*9^E^LKxj@4;$U*!C>
z{E?FHN-^B{L%&1o>m^*MW~!LX8)@sgDaUBL&9@6Y0MgBW>;CR(D=z5Meq0qOr!q{<
z0!z%Y*oRi6K0bO4+>bNcZ^RU6fKa;|Cz>C_@Szksn>_u8#poq;iz^v?_O3kGUMf{i
z^7pP(MxjEU`!N3}+0b={E1etIKW!(JOsXf#JG95FQ9?M91<ZKY^2w=AvkEU=RZJwE
zqN0BfoT$dIVw`?V2Rbw^!^q|G&g=5eK7Dek!rUkx$c_?gOuzozslHS+t67Xui?Q7f
zoz0y>J3p<SM>L9W%n(NefOf-Bm&Mt|*G2aY%mOb#x3q_DJJzOXrkW)6HWr99IGS`A
zc{K9GvuJe%Ifyrw#;b1w9>cn)fC0QZw#UT3lX*4DVb{ilwZ{==Sl;7yF-Yq3q&f#p
zM&CzzS26@+pY;5%?}JR%6+#NAKK2#Rqt9s>p(&m@AtBPy5$d8!)GkZR*gmJqyu8fE
zlXF$?%y_Q;EOmSFeSXmfk%VwZvcm5Et9i6_s+~ePigV6ZZ)HRUkrWL~z^319B+Ud$
zyy$_(yDHoEU3^bpZ%Bbp_l}yc<jn~aT-ET2o@pjUb0{<Xa+D>u0`3}v#zag{iwi)h
zX31h)V|!*Ccqf<*Ent589K-dO8sY3Lm?_gZ!7#vhEVV2=s?XfQQCFAZrO%G4cMq>g
zn%dp_{21OL&aeHP&`|n)d4dtOkb2Gm+GS3Q{_JA6hS{84`dl~Wb+6V{$?)p#Wm~r(
z>A!>_51%t9tm#Ozqf~7UufkOU%}2CKr`S8#d5T8f;XxuQ$`fo%<EyezK!>UHqwat(
zb4zJPvPMJJ<opd)GWt8FG#1%_;2bK&LoK47{xQl{bl5ZUkgl3R&Y9(=dAPkbh1D~W
z9?mlTGBU`X-PRlWu2GgrIg#|CZRxo8;n{x?tJWg)zh3~q#=p`GS85!<$whBsfk0K)
zb3h)-5nI<SR{;AF>=KTRMcGawk=w{;o+%f$Ur$ln-O*6DjOoX88_$$;KP#GNK+H3m
zVzHFKUeI(YarjlqEbI>LP5BHo-8QomcLTzZ0`o6wo?q9jc_pVEqf>jH-tYe8RUha!
zl$EMV=I%m@{HCRenDK%!)c18tIgum;zi*pVmXV6mwD825rs~nhIb9oQsH*aS(M4Ne
z)xw3RS^HBsdUUVWqAAQ+Bos%d8#*<O!X;>l4}c(nPulU2C}G&=4C^!ef=iFs_zFv<
zn1k&(^(M-OQsFvk4Hjm2YaKtVRaP3UhWW=mcOTM-#q5CQ3mtU+M7LdpdM%tvKAR;x
z^8Lsjrhlv8l{!9U6xCLFDvGlxRq0wFl``*sW&z}{%xOqLQcI39p9KSWS%g7;jjzLE
zspY5=ET<geXyo<e#QIN{X9(pSA+Cz0ckeneNA7r$`kXEq!|a<%4OA3er1&TDe{lAu
z;ZV14{C~TIL?MLAR@t&8>!h;IEg}0dw<OCnWFHx($i7SnMaY&cLzW@ij9tjiOlGpo
z49YUhC}S|@{(Zj3|MCC#;P+r2I*u8i&vjkr^*+z{>-~JnsKNd0CRkfx=3Pdhnal@5
z97~GBy+v+=yec?Ohoor2f_ncTRCCD)P4p_Urie_lv21devAV}h)-BCSa%%1Dz3q6y
zJxS$=@WepK_goyMVBb5}`POpej*eU-qDF<W+&nV0g^VLf=>jrrJfnQ0f^135?1>U(
zxS=b242}TkE`Rcfm+Q1AL7A;c97vZK&yHxy0KaZhi!2iMkQ*nPUAt*e$ATSbIk1n@
zcXn3ZQ??StmZx)Vdcw345YCZkrH#su$!~Jhbesp@3<y{8dVRlK#B<T2kc%@sf0S+l
z#3*##iW04Br7t9ig=;3mES9F1@Joe<!8w^OjTv*M)T0Gnp_i|XUN~y9_-iA15&4qQ
z7$p_cTPyYBRL+SPxFn3LkD}6ZuJmWk&FVZ)t~?ZaefjF`uF<~UM=53I4=wF4WUkYR
z^Evqa=14zEQn^f-sAkzF!D4E!gPjAG8_Nb}8uAN|=y@_0m<qs*$c=TXeV-ibl}2_h
zx{p~>;|lTFwNrgCteh`bAeTn;%sw~dCugR7{A=cST>&GI6x)-r)k!-}{nZ6WfNNag
ze|jZl>rv#U^2pDY0bzXc2`+sCX+GR<(61*TAEHBLxKsYMCoY@<d>#JGD3*H(T&r8h
zpJ^G#264?+D{>~32GS+LumuJ6W|{5pmYR$EDjNsYoN;9Hd<-MAZ=S1#ZV}%-C;aC=
zeOfGkCTp~;>gU`WxpsFSjfp=0ONJS;K6?E=%TG<|$AcdQ<VQp%YD3t{BenAK7Y8g_
z$`o7&-?Wr~-y;H+o6$r<tGRXPHn`YCLZsW(nZnP$0Di;@sz8{rO0g&Cs2&Ny<-fyH
z7v>!-s@%k@exID)eQuhgAopWeJL$gqt+AV}ADw^;!@dz=V2mZh!%FVsTxNX2RKd0S
zpk$J(qn^cQ$AM}GCsvJu>E>o}bM9?r&jUSQ#Gb$pwf90<SognUX`siBST*2OG1RlC
z{CDKMGpnA^6;^O!N&~7pa=u?{U!biuZF}ce+@mk8agG;E6uovUZGP#7&$%sEaYi{@
z1cOr}^igUzQHy<9eRW}0smR3dYJ;=Ozs8mCX46h9M3<gAagNVRRLfi)DMV@xtsMMx
z5Yeh6)p{V4{PuC>_5j%>cdNMk!X&{q(yeM96-wOu!#Q(&5saF329_G*>L2p2q;_QS
zdd6URM^n{jIL?-!yzxW}&)7@?ufNY1fu8$TUAg$Cb7`t^f!`O`AWvJT6S`X=sqNtu
zv@S*D_0BL#(3uqv`8s3RS_d^rwo22!IPlc9MmDtsV+y0MRbBk?((SMg`IuXi|A*xO
zgr6hcML7(zW}J5j7tS3>)#Q6{r_Qx=<4U1bTacfyhDXBOsYf14Nlca3h4r=3QD@+p
z5Alsq{ilE2rfGKFk<M<6Q$@9F5KlYhrokYj-jvBHrpmH(rJruo=1Ri{=amMI=Wb8d
z3mGC(wrsLdB|fV*$6^YXH?<r#(Z<dMidHI%hiXZbW=gUk!0)Ge^%*kGMD*gsVmWOg
z;pK-(JbQv*ZViS;C_zE-+M3r_M=!fKH{T>sjduJ~S~UP65xH1~JpOAk<i8_g_x!1)
z3~v12L4;L>i;ou4YpUcX?Mp@|CfP%<XDCr^AYgE%V{5Uz3&P78UEui(fE2YXI0JNi
z97-a!kSP0gTWHDWqJP$VlJZ8>Q~iLcV_*3ba9{X)P)RsJG9#{W;oK5KsI&p>6#`|5
z_u5HYs9!TPs(ucU2_0HHR^R=(lvlucI%~~M%y>KMMHN7+TW`gpo3tZ_wihhBnpuzs
z!$was3^W0{kPO>!0_g+r8D0QEK4PrUh3*%Go^^|>Lp?Uxx?nR+g}Rg9(Py`AJe=^8
ze3URz7x=w;C<U8;p!K`C@I2@#h<LoG^;fdN)rEWX;Q`L&hVhV-j8C<&DnmX@y`Jh|
z1mBR$KS`4<vob01%R~89s1ml<!Fhx_EB^DkeJ&whc3Qdpo<Vxh=MlN8aO|4vb@njV
zV_7a$ko?6zAXKDLbyTm^SquOKj4=aC39jBUP$VcLOsbVrDRU6BNMj~N_0pI$@n=6x
z{PU5XLWP%ikB<bI=P_-s_pQt78jQ3)P~pri7nV&r!HP4OUp_OFQwhOYMzViaQ0TlU
z1Y~1|9Cla=T6_lphyhXc#ta)0`Pp}#YZAlLcAz4#CKg&25%|n1c`yX35%kUVT{iEM
zHt4420J7_n!Li>4;)e-Qf~=;ghm2BU*>2obvyZKe?Aq{8#?JBF?n=W>_YGb6(yu?b
z({B-Z`~U>x1e`z2Vap!IECNrjDf!YvQkQ21E5{n|UY{g8d&zD+BH(7UrrRwe%=1%*
zo&8?jDnCe_prZ)G5G0w$QsDQ)dHv~f^O!!TiU}BT#V-44yahDV>!_OgP1U<?V2QRs
zXg$VssKe=volV%^=351*+z}?&WU3&=#ry7uoq(z3PuNyh6|Gw2wZpvNJXAc0ZY`Bu
zz~8{&O4a1&b7E=TnL%%8j$QE8`5Br6jJ;-z$QW;j{}YjYt?SX1=P^g@3xGXxj|!Q6
zkM!P(N0M6m(UcLV{V{8nXTaw<3yq?XU&0Sb{Tq($ZD5A-u@5p4H;;7IA_30pc`CW~
zmBDpnH?&-<*PRk~PKH1L3F?`I64E<2825CB5rcZyMwg7Pd2>SdqC5%)1|SWfR~%XP
zV>$|j8R1rGcV4v8`Q6;V2IqW}bFFRF2)Kl;TB+Lbe;--^m2?=qt4<tM+ZviXoFBWN
z`MVaj0lSXTexQ3$kMi@pfZ2Z0JlD2~$~3s<%TaDRtOUFm)~;IAcoafmQ7S%EtPvQK
zPlWeNh}#irR|=eMfS3t`a?g;fmzxpBnQD!h!s!owFfaj&g+y>K<co`rt|O}eB;p;V
zq}#YYcEQPqBg;^UCAU6Jn#F+4Jd@`4osr77-aoaIz4+etL(4vxs<MGuEJQi2WLCjr
zEN89|G&C|4Bp^oktwts5`RgG3UFD6ZaX~zb!U-*Rhe|7MoDMBHP-WRTuv|UJ;!O-s
zd|ug4@haU}gmaYv26|m32W6uL^0QNrNld?eNNPkr&nl+%{aGWym{AAWRf7>tKIP&A
zP+7eSjgn$B**T|6HDe<OMCbX&W+yuGOJN^BfbN~@pBJ5kaTI>Pz{P}kHqEr_GPtaA
zY-TjVGA>Uvh6TE~iqcljOiJ@q<YbdD&oQf(jJ7)rAej9Ev_KFa3=)>&N&c#A^A9eK
z=HA|XcMN(Zp=t2ZqMFqEpl_epqKAb5nex<tb$pLb<g}L9OlRA4?GB&u`lD%#_TATZ
zU)x(VoD-8ip2j{&t-E8}dBj#__JC>6LLMmk=<J|gBD7#+lH~>8KkKa@0xT4}SGJ#p
zXGAf6eAc~l`m53LGanz}tv_4>;zuz59qD+2-AW#VX*HC4HxgS{NC&MroPXaw`w9ie
z*GE;Ejc3}j>L@5tcw4We9xIh`y!%DRcpJl(K1l>uM2*v(SMLURh;_z4-h0l)Bk=Tb
z-;YC;gQv*B)u<sU=B;(e{=e9o!h3-J0z-(<H_Jb{I>QYf2TNFJMv8Iobljy7dUko9
zD<j7*XM`pV-Fl~>XSaSS@Y$WAp~{mBNw_ceJ+-MI0U9uq#Lu!UCj=kFwbtcMQA83n
zSbtlb&L8inzO`G|_sr?)w|R59#gPx2+N6RTYc~c*29*;vPh<c?un>>yhHZ0mUjrA~
z5WD`(y^TBDx3^ddTkMjt0o>MV;eH^dwybK9bDPs=aP+W*t?p6G>eKVASQWmNKAU_E
z0Yf_)2B+88Yj!)&eQbH7Ru$gBm3diWw&oYP9BAy2L9tgSg4<G~)<#9bg)O{XJMcAw
z9+`Q0gP!l>KPul%J90c}^acSJN?62M8q9k_Bl7-Q8J+weDdYe5qsrMa0Cv?EH3f^Z
zUaVS<5e&@f@ci${IG?v25=i7*vYW=O;~|Gf@Qk^mMMf7My|gmAa5Rsyuy-6u>cer;
z%;P>W{MoN?Gz!q}Hj%w&?tK1o%{n=U{qiY*Kmo4EAJNY-a|ob{dc(W0Lr4A<s$Twb
z|93^bus~Cv-800;562?MKtuUPh9=S8g}j{W&Qa3@(7757sUu}*PW;&zr4Lcp+QP5g
z|El(WChf!VTW3#rd4D^gv>rMyuAqUcj2Qn9BdYFJp?n-$zHIPpjMt@_DJ8(#q`0eA
zai>IpU+LyZkLn_REC%Uqd5V1(K&QbW_Xy|^S17pYz_mB@+xFeMM7{d^U5Ii8Ijby}
ztbYxUM4t)+#!-A1j<I;`r>l1)><)CKZ}^4@=Ni#y1=%ALetzzW<X0~*r%P8nG`xL6
z>~Hw`kk!NT%4GAw`O&q*2n-T*ua5~goqAh|Z+8LE8Q|Pop%co3nB{fk{o;~__IRtt
zB+9(Qujc#{>4V~@%r2zFop^3|Df))_pIo2Wf=QpMk3fj+k^cqRE&-(Co)_hPDkQI-
zTWXFACS=etqSQGT7d=7Q4ra;KaN!As^!j^(@1I;2eDv;5$~2_uQ*0I6gk`n3b!^qH
zHO7z%v#JhB{&wZffXAnj@MhU1t0wiU@^9Nv-#t4=BDDH|BtetTW+%+fNM8rGu#6;L
zu>==r|2nC^VRpmv$a$BAZcu7#b06|0=N!XzH1BM(N&>pH9c;|4ohFRvHdCz;ExFNm
zH$_-lUetj1^ORqiFez*$J8#}eerY;f_v=8bSDsVKrAq6!9cvZr;<t}!L;~(@DNz>{
zZN~rz+`OiB1A_MxDsNuk>pbdelFC-#Piq&g`knI+gS0Me<7hs(oAu=GYt(bG_GYF9
z>i{(1>NW6K_u}J8gi6(aM?9S7OKREwcqSsFx`Z`}6<1VaTI#J(5{D6XIL`27O-<8Y
zp;zKE>4P7UyB~RGGv)J4SIZ;(hhoy7Wc!^N_3`d$>xPnv#txh2l@0@w!Pc;iWJa<B
zJ*;c&%(_^4&w&NkBB%M&+#cRuOWg%XY8g`<kgg(qZcKL{*v$HLb_4k$>1z~<BRW9I
z>2Z~!h{UkZ%fIrX=b$hObLJ%58UM}VX}#NoJuP!3!8vOCneSVY>j~;@(C2EAK}-)8
zFt*MoPUq>y-sXJg3;<J*xqbdoeN0qiWS&ea_UZK8RL#WSn#~XO`$0A~u$DhTy6dvC
zCuI)gDh8mMFtIkh6iG-tGkD#-Oa?7!68Y$H*-#e#X9LtWtR!lC#o#_8o_*fLf{sho
zldXn_b%A&|G7i7pE;P|oN0X^v?*}B%>fPI-7oFz91KHne;siw<+zEdCRYZgcb{ymt
zK<*GB`*(FH`OCgpi{eXrDk*_Y9pu&fTj!#>cPYF6Imz53{px`%FefC*(eyz!G<Pfc
z_vg-Gi$cnN->fDGI27ymM6bpC8)_@BsPl!A`0wv2Te-j1EB>a3pO%$#KapU%HHk7A
z_Ld6W<PVioE>+niCBdYmFrSXA**OguBCLtM#k_u)6CyQ>wG?-8abh8Rbo`SwHKrBY
zWy$M<TN+4y0m)fjLGUHL?+dy&3<Z^s#oiu?2rcm=<VN-?yqxU+#=V-MYHcK+FZktm
zr$BB<a1Z}!t4GrGvf*v>1%lD!x6Lm1RdU5=D<bXhT+=+>skz=P)MR+yf5VDW1^O{Y
z4(n-})-wpHJ;6f#GqY8GeuU}xxCy7Frf9M3r~Gj7l<mpZH`-`^me*Jkh)0|vAJ0C8
z;0Y%q6P)r#(PxXQ*F@}g=Pwm7?#>;BNi-(Hi(X~ioazkh<L=~xm|D3^4p(U4t8!Oo
zH%mW$Kx96mVsd>~OY%J%DdZclzAj@`pS8Ezv{s*0YqL51sW~}pI4kBr%vXo26Zg86
ztLFeMi}8=i&5tYk^r?Q^nYdQPYk6W&F<mD0ylKX_F1!};$DZjb4ar~2HmiX9X(Mb)
zf9EQHag8DQ=v24n*VjZ@%Vo^ZB}#wZj?=evBGu|2zK_!T??{gkTc?%5#k6FCW<$^>
zrrQQn%+!S^tr-j7=jsfAMD#X40~e~iXidWB{>I4{qko`f1R0m?T%T{~h!FE#kMg*Z
z_z%(+Uk@s;2m5M4+gdHwL!z4NuN<PWrz{UlIAimd>8bgDb)J?X(k<OXG@hCkwM0M4
zy}EYRTqO0L$A|N2&{sg7!$MMl`eC)6I76X76D|d=qxUC&_5uCK)ui>UntVN1*vOLz
zBdhs)(;xOn-;CkA{@DJv?+w}4F=!eFM-I-#q4QjuLR&3-61r^An%a<!`LQU+>&Bc6
z0@!aWXyuTHoYN0Ql7!bO`h-}{#euRlF<wdWY@&)7#4LdKdgv4Y_kUYChWT<;*4Si!
zG*B1x5_bfHip4c@^@D`gM0B1Jk-bXR-MbIc=1qKxOcn85=TF_K?0cJzdFN5Vm9#_L
z<_GK;jh2Z9qEQoAE_&?N>%ZFVTGaK`zXyD7d{H)$C*BbCdqkg&e7sXWeB;bd)ul^k
zvr=^~(1!%x=FOBYyvSGyt2cAAz(nTNPYwpz7MUkAcS;wqWf+>Wy#+$S&mI;$+uXq#
zBStXgAxTn=k~s{qv93ZM&Xw=Es^cMiT>W%dlWL-vLk(=xU?li)mSa-Z&2zs8R;;x%
z`=#nn6`|Q@>ED5d%~%gI)<BK!l~BTXkn`#Hzdyaz=8PqH1KUIKwN3DMC9ORz>Yb5a
z^-;7KAZaoW*t|kik{id)ct^>N2Tz@w=FCvIgV(<y2C1=n@9>jPa^9<jnMtZHXs!p~
z-itNw#zA#%>w)yBmd3dejuk->_opxm*cObR)+FBUs>3DOe{3HSI<D2gltQj;&zTb}
zvz+HL8ti?{elAB{gutnG&Fz`}M9bHIwf3y>g!?m_nh$&OC-wd~J9}s!xtu`t(Ith>
z{DA-&=OVrSvu!<eIRC>sx?RO0T6ufl0_5C`uX#K@(%vwrXEpd3AE!U`1eo&j0A|%G
z9mJ%K{nlTp;I>kNg-rwD!P>qP5uKkl5Q~%fP^j@@HMC%L6{@S0@j^jkEbp&M97Gfi
zklCGU6L#H1SRRr&pS^Fw{hYnqeIjLhZ<dk%@w3;lt}?)PCS-|9t!say;Gn?94rAP7
zZqfPUgT=ogP@+Ef*@g{<EqSI>n;tEgbo%pxCkM2yf5Q~(kM5dDcAz<vQ8yU;w4)T2
zBP^b-7s_q&F|cQwnj>Hr25+l=yGpPqCGMzD{?tG7PT7yUHARoh6zEHJLAco}bn3$y
ze?1VnkpH(xE>H<UXXK`WS+FP5PnY&G)o#3(Qe049Vh`ZI-eh?{xIpFB5(|1;Gn2np
zy3}OWZ~eBmHNa27_yc0?ox@`fdw$X8k!yc$RcE0?go`snlad>zYML!S9zWLJz-(gi
zSF%Isl7KFAdZogngw@dPG*g?<sGI!5$=SHISzh45g?Ite>Ti7po_ue_FB+8FhO|}X
zNr-Jjbs^1e_juZc=e?6@f+uBd!pUKmcneMixy4--$kH9%cXINbO18F;jcA<oaa?Qi
zYOqd$-hJfNm<f2PHN9%GC$>Uho8iE7KE}3VZP9rKB*kasfb5!%Ag3v@VYAk8&Ag6>
zUDC%}&EzAXc1C{ZeT^LrpPn^4qnEc>zQI!iKhKP1`B1O1dFUqO<@o50t!F#p{@jV5
zurs;NR)Q9?Q%;>v_Wm5SoU7lSe-=AbI|Vw`ZbPvYV{1%eEP+u_&bdMX*Zz@+Vx&)B
zMdYiPn>@^fmu6}oZ#@cVlc*}MmV}twW`(;B%GTtocs1|l1A(>0%~^`rIAx8hM}b+@
z1hs~FHTwtG`#xn&T1CnRt+247?5F-D(I^=Zun*Pb0RPinwzQHjRs#!t#ZLk@<VF<h
zZR|obO5yexyRiy_vG1-0Ds-W!Ypk;eJvv-Hv%$zC@HqV_(GZZ(ypyZ%eP=Mw-3gOV
z-@p7(z4AKaiOQTPb;dvf@q98$4rm|t&x?O)o_5F5h1g<IA9n?c`!q60W!>+R>J*DE
z9do$;O;2DX2qy(Jx$;fONR*z);ubH<kN*N3Hz4>E5ZXpeSDS>tIGe0kYV7jxZhkyg
zWP3I6`&_){*oMzkPgjIlV8wO04A|gUzIX9v%fc;U$gXX=Ge3CN?n9;dWYnL@UAyup
zEnySJcvvI4D(o+cf9$i%@6bTsrl!yrnZ4+clV!uMhP?0gvShufUJnD0UmQ;#otXRr
zkfg6}QM|hRMc{$mV7NbqCidq+b3~kipqZkISk4XZGd#R+xCcC(uzYR!+IDrQN<#3V
z3K%b8)`FR;o#)_%2RqFQE;{z#41DZnc9ANp7e-Y8#YdgS>luFDE3q8k_=IcO&I#JH
zx)Ms%{cydr=6kn>S6s!VdySVoM<yqH7U=p2y*#UcwikZY9N(d_q2Y0QEzz<|1j!4?
z_1RI1^yR<Ve<0qVv&&O8lBbk-28B@BeLP3ZGs;iA4ESLSdJXteLKvBLEF+4gxDy=Q
zL*(jdI{~-{mBj77&M0d-S3FB?HPao0KD%s64K;A$4pR^8R2lh+IKzsepon4QB^^|X
zfh63<l&+QBm>vR!8nhG9wCVFltaaOr>rKz;S!CN5Jme<*2{b`F0&b_-9>DDs3b>u5
zldg^5F#h=OjaQvVc#r5<-B7NPgIA^={7f5ho_}4b3#_(snaL^J(1Q5HxbE>@o3a~%
zQA4WrcF^|`XuleKzEWiV%)}C|&c9Q_gBi&3Kzp|?kG>BHsel*S;)^3hB~9_-RoU5^
zkAKI*?T)@YaeTZ0GXfZ<&R}mKoEf{XR_NFmItM1z$&tY@F4?RB!?_Ku(_+_3jb9a^
z9=v}n`i9(#>OP$K!2j`gMfO?ctQ)GCN#%n;5Q!@(d)LzI0-IKoV^U;ulKWw{#I3ir
z5l+l7?CMr191v&ORuq3?PA5(PBRd|<Y6P8G6EiMzhej$*$<BOlnpDZ4orrn@UizXu
zEFNg^;A=O%dE-?DsLMaKfFF;MFu2XR4s9JdME4biM-BQ%h?Pb?t}oxZ5N%!|J<*}R
z--1g4T?hu$1<09pBPySr_;9LLj}C&EHEowrtC!vz`{VLcTg5wz!pHUdyb`*}S=vKQ
z=}Q$NRV*)A?Y%9b+WYo1*Z&-t`R={NtWE0|miM$0_dg75%(ye8d)#=Y8dW5Jb9gYE
z-YM8d(X@tA;K~k$EA^Oq`+3Li%O|cq<M!;jP0NHZtyx#95Ip00p3o{6pIt$CeBXXy
zf>P>-w6!-bLz0@2Ltoz<{U&<kuUxZ%48k|QbD^QBj&WweGJAi)V*Cl=aeao>@zJWI
z?~K16e=YOeln?b{juk-JVmV0hYe+-@BkxZ*q$%_k8>Rkz8}TFCBJYcqN2vO%55Ypy
zC7dbwTXUwylQ`cDY?GO5tLv?%DqF<Ozn}XrR2W;3=2H)3hdVI!xeN9Y>lKR)2!Fsm
z4J?T=C;!-XX^N6MgymJr3Z-%c4|t#sWn!m_FYO(3exs$hjreGYyCU@C)6Je$^J`^s
zB{zciJe9pdH`%06=ijwYYBq9UXOk|-J_wP&t~H`iHmQ)UT0g^V`@KY}??4Fxn;AW<
zf4`O{w8)=Oz|%mlsZ)9Vmu6|vIu+947J1#%87KWLQNylTTVeT9h2e)ZXf#7=LzMzF
z%H<hCe~AO}%d8v<NX!Ag8SHUmRbb>PeNX4b(7BPN>gTWjq(mgjwio5ctW_%Tf9`od
zw0TgwiS^V)Ypo=`Sb(a8G%{+lC(+kib9}>ESHt+9E<|i=Nzl-=NXz3ab-EViz7%G(
zgK=*_#Ncc*2Ct`jHWpg)yWyux{>_2l$(MezNh*z}Y`)@hgn3}6?{4|vo)!YCi2%sU
zBEpG2`Gck6NIzRd(ZA=|I0I^`fnlK6{Fb0GJdTIyl&lP|5PoLX(7ETQyLNq_O(s0{
zg7rNV)_qh*9Y1S1ZadlCos=8{&B?1-3u0zGI9x{0<j(541PoInDh&MmpsS&K;SjJR
zaQ|w=R9COjae{17)+;)RnZ@Ah<&U3WnLrvC*nA%!^zT+?c|hr&i14dyo_EUbO)Yb+
z+M<$L36axR_R-FnOb#oEKiU3{H&%u(fR?)hEEAU9yv%{kotkssr4P<hFFqE5iwE8r
z)0|*y9)8TBXbt#ZVkzs(Ip1cBdzH;AZDf3j=!&>hf707gsQCKwzi~48KVzkZK2$#J
zz1<q3X))VZjxNnzYg%za&k))(9c}yERfWsM5(hQ??DDKJctTVDU!U3EW48`J;{f$a
z6xd!>dLn)QSg<0g$spdo;1Jv?R@_>IE7!x8+{<-8OCk$?MRbOpJb$M%UQw^<QxxFJ
zY_Lp2KEWMf-$8-LITu}h3*;H9_~1Dy^OmpU!OjX{(Wi-*?TDcX6{&RLTl`&nT0#&%
zRvX3t97~ssMOUzFdO-B|fG<&ksiVS7c@f5Z{r<RD;pOX6qT23h3LZT<gxtdTYJjCJ
zwJ~y+GOz9TjJ=$<kx?Jb@OP7f3bw^_iC(B!Ts0A}M(b8!p3>?wEsY87TPGu0Zda*<
zn7R3SPRl0Q=I`MvNR`R4ThM15aUy3|X>%ct(_6^Rk&hZ%;PFSOP+%gR&)&@W>f~qP
zb12SjnF0DUKbv`Y6Xgm;vXfV6Y6_+ge(oU_ZCE1o9?EVE62SAo2i)ijJrR*ol;f-2
zs~Z0u5t*NJS%v!eO?V3Z{hA%P6cf#W?P&hB6)L@HZZJ9-`l-5URsmWL(`YJqk#h-S
zd@lM!$3O_3*@WGC%K7gI7=bykh#D}EJ1lMwhXJj&)3x1m{B~12U}zhE0#j@EA-vEs
zS~RRuw$+)h*BHPKAv|<b^0)+06@atn(4;>~v57TT?rq26Ik1oM3!YW3VOt&6o{3ER
zt;!8$-qj=g#A&@dJMqEZ-IB{V|Mnn2yOf)osbTuzU7MTRt2bxf*GTc33$59v?&W8;
zHW5qnbJSc&>uAc{Oip$bfy2wd0ltFh+}+n~kusLuKIDQ=&I`|({$}*pCv^0%fKj@z
z0vL5WwKq%7AZA6I`VyEvSO++0gpG(&7MDW<-7dby+dlVloU?x5uZNAT&2<Gtll1)R
zBKVR!&&yYrp431xQKeO5ARi#I1VkVC|N2&PoIwuYYER6M%VYXC9u{&8YKof|a2|&X
z>Y=KmKc9GAm5+Zdf1@FDckjHD^IYcAEF|0j=d<AH-A}F<e1P%M6ypBW*sOr+nB1+$
zqCVy4^NdC7U<PO<?hH{s;IVChAzYT^UoXD_;-waU_yuw_jkHX=%f0X+eVdxQg7X@S
z0iqea0Pb9#QF9&L4YMe94qmVeiMNXMU750*qPF?pGPNk5l}UPBpWPE#tXFaAn5x^B
zkq@upWy&IPdBv?V=vPMA?`5yDTudfrtCarm?c5_`W=0kv<mB0ksz9`TWLVvHdtrT8
z?-n0hgkjP(ckEZ!|3YOGYPK>+y;@-eX@^Ng6;Ge?_>HTx#b2{{8*Z5Tm7Gu${8+*F
zw>hR=!E4d-^y&-Ae5tJR-^_Fe(iLseC2s+frQ*iVmEB|yLrw9Ht2Mige#Py3ej9V7
zHdvF+MV;WX5%C?f;3Pkq@?cx!;Ij-jj{|o$&osyz_fiZO7o5DVujS-}4&l2+p^2jL
zYeb4}!t0_aAd56s=E+O5u6}-L27xTqTTAp>Ji(D5XyA^+y<9B(!MOMhgUhYcXt_Az
zws;~~_ebaNCF8C~($S{FX9Kq0T4xI@``N#k#Z0b#Dy&KLujDm8E9CMaZ?|}nhF8+p
zLyyRzVQ$TOU`q1_I)vfHOvN(zc1Ds|&UUQGNC0VPOQJ=C^AeWkD{Y>3CjHDF-9UU@
zX+L249mb0<Vs>MzH9^tHhMJEEwTWJ=`WHz3x=jK+>CZ;_KmX>)`>H>tvk%^Z3?cSb
zjwUK4V(Aq^m0`cPwuT}aiH+q7j^#D`3hoI*&vz;h!fRjbVo~sJCC5*gN7TtRqGnhi
z5KKv({C^6i+ywsgrTWhQB_=Yt8u`t{3}^v-0=VUZcmi;yEg_r#JMtxRfRoZ(?0oun
zdqfZu#N~TFe4Mmr<^SiYXqw`=u$$lZOl-bUzt)Zw&O$h6xTsqxg^f=O$%jymK&1Lz
zfJKq2B3n1((TMBMSDd%Y`Q_kTKNxuT=h4V(2G*ciJWXAV6Av%v+))SmG04AHT=?Q+
z|IR5mO=~K+>hzPWX4)GfLxfsO2?b6x)c5CF20&-|{HxB+8u+S0M;nkaveMp&-*+5#
znDswIx)O|0i5z`k0OT$kN#A7_x6%7^<X;ndTAkJ&8r12hRTA}UW*evf)DAhcJgq;t
zpR|Hs-&h(lm{KaZaCVBhdsxr*IWT|&B>4%1{Ha28a{r`q4G@B^QaTOGwz%IttYG39
z#x=V+;UvRTzoDUiQM%PX8}xaTtyH$aN*Z=3wD^)|H|3r^Kgk3KLz5kruX&m-Ne5QF
zqbeRf+Kw3wO_97pZ_1&N9R8gNCh<KGcYarUC2ey~&Y?W9H{HDG)zOI=M~A@bqbCIJ
z2d8T6Cfi3&BJsN%JK}VO#vW}(qdgC~{3*|`?b5&onQ`V1WuUW`hn4vdJFY2C^X&pI
z2NTi-x<{qG0*#fAygQ+NZ>7>;NjF3NtqYQ<%S_5-BJok;0H6MG4Vu4~UxdiAHcR~l
z*c2Lg>0?*NP)e^0HLlzee6PlzSNC^qFOzeoP9z~1_Y&~qYsIp!*RrM@=%BQ}pmTCL
z#Xt0SmL__F63vao)V~O{d3i4enu=<a%aotWPJ3?Qzu6)~m<x0ly=~^N?C4zHUcA9M
zkgQ@rsU-GI)-WB{4K7t;u~IACerV3NZ6h0uFe!wH?q~iQ&2P{9E%no8ZxiAC(U9h1
zg!^G7!jQhhRyoWmCN-6b#3Sy8sAwZhl;3N1V2h)ruHSe2hj6B37u9ZZrJGipsZj`|
zs)9VWQi-s4bpKR#i2vdk|2pp6Mu@J`)wO+bw1@SSbkZ+NGif`?pf$6QYp=JZ+pJFs
zx9U4HO<BtaDhNTAIHeEYu1mGJx46>a{~6+qm7p6@pai<_1NWJUa*;piE>e&px_*YI
z@dov&s{I2{hq<$Np`VYN7S5JiKD5zy>}leM+EYN85$3Cq=hcw=*4kAQ?A$Pel?Gl;
zbGFx_3Lo2vkpemMSHgz8&{ZfnTm;PtU=5k>3@5lBXcw%__ca2<Gv<H+Lwx=UEJf>>
zafH-qWY@iFgylil8t9Y^{b%+q)!$69xI&7k3JcfL)|9=etNv`F%6Q(WqbH^#aoa&i
zXnVI0@*|=zN)zb+-eFCF$Jrhs6f{2th&7pPSEz7Vxb=!UVlb;Dd#ko=sDF~|#dA5$
z^Y!4$fTYxNUs#hAx1KGdfte1}>r@M=9s@c0+)4!*c@m!76{gdlWl)%JJ<2oKSD|*f
zM?sDB)A;BU$2kYSAKDW+o7YD_F=KLoD8hw>(2NG_|CuQ(i~VdK9SoYx*aBz<qqX@p
zd#64Ue(|sc;Y!(>wdq|r57>zT89Qfi@zB0k_(ef}C958K4AxkcoZ#f`nbsY-4Q57m
z%RRDPK;5LuD^Tp&7q|u>r$O%PQYm7DZlEvoa{(SrHL^H=XR_T>bAU*lUW&e*LJ(Y?
z2v<{hpq6|oDfEy7-yVxDxH_YE9vDt4VH_58Eczz``6mpnhm4}hznXNrs_;r_i0cB_
zPd<8n-sGju(7W)vMc?)+2l}&S478A4%2;t$SPxc!6?+Ruw(#f@&MnA`1irFG+bguc
zqS!KCArDS;D1H<;*)MieC~f1o?M1V(^xcmg+IhAhFcSy<SRqrWVONNQ0tV8kNZS0|
zv$06rAy!Y9D>>@?fKWA(p2B`e$D=7>ct4f<(nif+nw#@`(>MMdIRC{zKlCDsj|dzx
z7?oZWiufRt%EwPuO0DhD52xf=w$13-G9d!<4&Ovzl-1&ikB?xa85yh@uSbAw;8l<&
zXB_ZVm?XD{9eA72=f_MK$Kd=9fJ32tO3zRtr5ro~YF0!~Y%JxAJl0t-3cGeU(Btc!
zqg@vkgw_j`W;n+XqV)X2SPlpdqME!40rA1ZtQ#j`Y$LAtrN-uVOxnIzEAZYX>W?&L
z4@z^(rN5Jg>0Z3R&+nU=`gbM3EOg}qWosd0+~QMKUUsX-Bb2QEmZt)a-mh!`&ezs&
zHuE9S#zZ)ilH7EW{xNR0_6*w)=1H}@)D;p?w3>P$WtTyc+e>&}CgQvFa--}^=r1mb
zKKNLlzc{#*GYdHr?8(v(qP*JyOE`|9@OUlDlh0z!UVrm=ilRB3zLTN<<D%fdu}ohp
z)`hkOdZx4gRLz!ciJ_7Vp`22S+wp5H@BuQ-0QEmM=)f3plZ8A)F~?YrJeAEP4q+Ma
zCPl{00{$fXFMD~ru!G@d(Y;oCB}y%6pa;Z@Rbg9?w?Fy9^6EkI1gG-bb}&v%wNDIb
zYWrQa^|rq1;V^&l<nGO@|Kz_iyDilenpMRDF|%1B3>_sdH$uD0VnoN|F*h-}e1nS5
z4rPb$;>2Scn@tM5@%PVgtaYzFCxym&?yWP+SeAgIqynJCex)@cPq12D&kr<7UKkIS
z(0Vwo48yp32Cw5IDu6A0In~c2{_yhW^Y>G_MIzhI)V-TS>(1^$%NGf?gReV&wCy=>
z0V@di3002;GDva!2HNm7Bp=J)sUy!Zt>?h*v`R3PrWvBEqCR}!`61_KKQOP7gwmNU
zMg6+hcD8hC66Yrs*NW>+Rq3v(_QmI>wFNVEEM@>_ONfGmf>XZjyFRba7Jk`b|JXWw
zj`LE!koEIujW`tmB^rYkOQrbOMkVm5{euUSQ4*|-DcapRe78c2vIahS-mG(0+-$k&
z=;b#lcXTZf=qg{32q0@($S=kclDP&ty!!2=1pdMxeOQS?@=i?-+5hyrEl61AbNuz7
z0A6$R>hZaspZZi3u7!-grD<D3zE4KkS6p*_VXQX>R;X&sl|z%oP<yt7q1-GiY&Ik`
z)Z$abZVx}}x^N8rfRZzyBt=0c`M1|{vG5TvZ6!VZpclDkQvgt%Tw8=fm@t!rXrNFw
zDl_VjEZy&V0gwkw(%7y*jAR6g0(!~03N4U|1e`dgFCBgmeZq46>V#Ixef((Gzhbf>
zJ2nPWyme`YEA7!FhiUBjkpm~Von_p@In6C$!~=#cmE}jA>eflg^=soBMR~%GMq0Ta
z@ZL;BjMFr`!`+|AbHzZJBlNl5E*wkFD+YU}2K7JE!I;S;Tj{8QBt5Pc?fgJdrP_%+
zGJ>h<EtPGr5jM8}_mqg@(Oiq$R&Sdz{3an=3!}GoYa^Zg`bM0pi<<%~w#~sg6B>te
zjZU{BV;M12NL<u0mRU%xkS}t!$;PG6^I1A+I3y%8=t?i3O46$UGxi5sl8o20OUGku
zqt0-~3(g;Y{M%u^-n}0?)0?X_`(?ViwvmKZc{n9cykrvK6LQJ^T%EDKl?=4S(ZSPH
z^ACj9SH2FBsEOhNwz}7aLXBg*EUDhGdH_Gk5rnhN%1!i3n-U|1vnm}16^pNnLr*q^
zBP!;ocKs$uV9-%({4y(sx+VF8)j*X`)&x{_qjCq|90PrNCLGpHRGc?SKRWprI87A4
zi*|$N?wIy-TWF1pOmR+i1cyP(Yf`m8(}sr$Y$9|<rqF)5(hJLqcZu&2JIO2yl32>#
zNAL&TaB>2NKOahRNFXOVnYp~`Hm?5u{D{meh$?3om~$JJN|O@gT=CXvilIV7CiJ`!
z`bA~{bEMZB=Xt9sEfuNY)EL?j-eA@?b`zE&tycMlwqt}SJh%=2L<MdO6<94ev`_LP
zV+qPQKJXBp+(X0`k}bfGCTr1~)rz!)h&EH%xY^>|*`C89DzVIk{J_WxUu8|oB8|F?
zPlOYh+m<F1(;TsYh4+xDZ09{U!k?zONHCDXOQN?e0^!jX;x3GnyTo>bbTE3j+}kOx
z!izlf##8)ZD<;}h(a;K~r6PI$*KNz(4#+>#Gz^eBy**0dY193h?JXZ?C=+DdDHP(~
zbN$3QlM`aBwl3mI*@5CJQmUQ576D?#0-&)0w;O;0Pu>eg@wu(#h9xdekDtCA@r@b*
zHBLY^d{bUZwDPbA(nLE66H;}ct`TSEi^De@F_yS%tMiCQca(VD<d&!L&w^(UE9)yZ
zD~-n^Vuds!*Ic&e$C27{OCA4CS`r>bm$%tu!NP0bI$1?!T3}X7yez2x{{y`QQOCI9
zUQW}T9yEN75@B&xxH&6h-`ic?OzK^whp|A_&9g(!KBSD(mCd+D%jmy2DR@qgmeUTp
zplWeWOywLD=bdH>3(gb$r%f(*`R$$e=gdjqO&)R8qv5r{4I(-bAv*)mzsC5`@W(^Y
zEpY%5L(}slfBP6e^7U(L{Tox}#H&HAbK&FvhWu%j%v$8AALi)64$L{73lf-NS1G#*
z!21|D{h-#r405?1hq7qQzP1s(YQ22-{+5qln9Rp(5#{`^K6riKdjb$?<~B);z)%`j
zLxxILkP%Wdr=)FV&p8XyUR!A)^#E}R$ODjIhcO=ic9WdJ*v`}_o<e)Us^Cbg3Fk)*
z-=usR51t6{d^Ys_{zl}X1ovf~Uzxx`zxWw+9Ptm6R?eD)lCEo>m@J<z8V`}5(ik52
z3VqVt(GD1}yy~;cE^-ISJiFK5DU>eSzQue&FGyyTP`6&T+g7ot%y)Q%*<v2JtwZY{
zMsrUieY5aiKiF##0dUaScrV^Gp_iwd70ccT&7XpLak!Cmg^j{5La5j5$i)Q}niHoj
zAiM+~V@6u3g4ze&-8NJUJhNwg#dGPI`w#r)tqd#)2MSk`Btfva0F?R?&be$A-dwp5
z+~)7EUdifWOn4mD1JC-_07WGMAu2sL-xo>V<4C!=_;7B^4budA&eq8sn-_j1onf;y
z)R$)UQXy#>v{;5~E=WGmWSN-JvB?bePPem+Ux^r+idlh$rF8>z;p{3QXrs{PKyf7c
zYKpFc`KQZ26h#efk`H_lZcQivcy>O(pNvd$Dl6<k3HsU>TyCG_NUZP2mX+H4COo{)
z7(1Ca@SL~7828oZRz^@NI&FcuJFaP&1OS0_L&%5XE;E9l#3(T!!AI#<fPQ}QSjS3%
zoT1E(BtxXCy_Yf3Q0Rm0j7(EdbX3M${~BgPWatC@YDn48uQ{7cw+hRx7s@#^ZfoBN
zER_Qj7FYLvSZpw!MGj*4S|;T7jpmbSepcmfh5;dbxIEd6pR2dt5T$PzZwfy%?ft_0
z<BYyKm_;H-LIJ)3kl0}JhwTj5Irp(ekF&Qacw$&^Y_2QT?w9uhH!ey<Hz3B%6);@O
zvm8ShJWTr;O|<kdL<phY5;G7bnV#qEOw-7VP5JQhL|yfl3^+-3#1q-2xtK{Y>4BVM
z`{L@pewpTI1HQlv!;^p_YuY$ztr_#rE4q2KQu>oCX5!_D^Y|LUUxB#Ug^ALVKmPgq
zhC5*w2scu(`1y)vm5gMd+i;;xLCVzrEh!36+W2;)5(x!@fZ0yT#(FB`N(p3cm3X!&
zqSU8(!23Y9zw82^=LvHDg+9fhwb7(IPmk<Z)hxN^w_F@6L!<)r{62%WyFsF7nzOWk
zNyFpp`xr+5E416JSvZs&K^l>A0VfYC+uOKW-%ib_P9Iw_mCe-_HcG$cPeiNY5x98!
zT1!iU#k=KFZCqK&0{gG4N@yI*o^wXK7@-Q_@IY{XidK@!QXSp64l0-BQ4W9c%O=lg
z5~!)s@&zl44x~Yu&~6`>yyOp;WoqcBxUdMT!wNlqI?|HP-fyZ62$4@dZjkI*yqfc3
zrKqa7UnU$zdsdtq?s5Od$ki+N&z2?pR9`d@WZBltvPzivR)4;=2{X#-L~vqS;nk+b
zWb%*4R(>R8RI$fZzPy)#JvBz*k~wsb0jV==GXOJ2eK>8P1_v27vGhF`hxgc`WN2j2
zqj624Z9g%ED(=PuQUc|jNnOD;wR-3NdbMNf8q4s0HI7pll2U$a>(|JMJZz1#+u#gL
z=4Zs1rI}$QJ~NwS5=lI;BLTAm{sHte$Rs5ypB$kxG+i%82Se4YbW#JooiNWhnW2q`
z%)N8HUu>BPB*<mA|6(Q_*3&}xf3#7#k`1Kh;mJk}t!TDVM5U8NP<Jy?f2J|nU!hBf
z<ZCza-a|>;o!yl3)^qT35~KDKXVj9sFq>n}@akc4ZXhfyv?zV$y$gaqz}O0|Zf6eW
z{%`YR9<GME;ZMC^ldhcEtG|CMTk+#Qj^@G8<%nf6`B-zGSfK8ObHCa%yMT3DEmrti
zQ|aojhb`H}hhLmYu02A%qXur)YOh;AKmB*8h0=mW+kwqw{yNtND(_BUzW=nT$0_ZG
zI=d_FB>6&kGG;aonP@+Dg;o`-O>UuxCC#j+SI^7SA+JLCd?Ns{)a@#rEjFDk?Bv-;
za_;tUC1_cmun_v-w^Z3k6KnIdk$Idd#U!wTC{l^mEV~}NnOc9?j`4&nE~cmTZLUlh
z^$4-)vl6FU?(F?2$HK7O`|v-f%>f<_lZO>Ssr`{mp%J3l7Jw{!9^PQaLi6ezqENVc
z&(`TH?O^z%tAbO;H72QA;nlN^y1UYI7tahC_UXtc0!G;vQ?#h#BaDKsc0+0(mH~MQ
z?B)lF?b1S+o<f>J70eA9AW<h8ff3%_9*`M$+)WzdzgwA7cd5!ptJ&mxR{L8UpP>=m
z>s3Z2(W!We!Oe^pJ1(^lExAlE7%IG%&OBAf*zI<zP0$M{BdyH?ULd3bNAMbU_$Fuc
z4=i>v&_?j7F#kdQkI}Q@Nq-6jkX>NxX_j@*z1C^HXH9f?^1Uw%rDULo3AuHswlfDb
zN1n+Ky{^9*n(3V!BiA`(naWzQV@P$5q5eC9;gzD-MqP#%{C9+cDR>`57Mjq|-mJ!0
zx8AAC(Du)Y8h$!4a$Z=(x;IqF^Q@!cUM3}Hql-$jXWHNzQRIab<&fCJ9E3Xgo4f0&
z<xS%v$zr#NlMt0KqR`!jZiDAXWCN0@r9WrbCA+O5va;K6ueR5Eg--lft@^x!jQwSP
zecvfCDs;g(Dvy2gu)LlBz~aZcJ>W>sb4c#lt#XgV_OFZ-rx&L^@pPo#ld(2Z43zmS
zrY-c!*nK1zcg{c>jwEZn_SZ86N+)CbXiRymmQ!|BghYP+m#3%OmeaFD6o*P=o_vw8
zK>Ru2N9f_%q6hYz$sA%@e5H?$8>YrP!^d9ambIZj^3n@Efwnu}kA3^R_VBIDsS}q3
zlJ=t-GbWYwA3;V+7pS`zt#i~?GS>b(qE3PQC}fU&IjqI1uII)QXrdoy=W0_l^|g9%
zXB)*2Pg18F+irPNvwFXPk=pMcXDkl#PJHSYKlWMX07C%u6|z!cYTmufJ`qvZN8T1y
zHOW!)QWkd>BU3T%N544kri-SGUNk$XKhDMs1Im^T`)Cauyof|K9(q{JXz+~OqwoV7
ze=My!dt2lDT2Q-s@t2e7Gci?XFP<|T(EO7~4@=lWF1{N%P*i!T7Y^{(42%4EFyFD4
zIyhZ?%!ccDBqmqo%e(gWpRwonNZ%6V^R}m_@EX*^Z@M9{vXNSF2sS5dLN4`&(Tyze
zP?stD-x+}o&9*Q!I;)2C&pwr+MWfMc$^N~EHeEX937R}8QEz%zP{_ws1F7kdNV9))
zwbH$uBTQv8Oz##g+)$A5e4~3knD6%jpMmUe&_(vqQg~JOepwBMeE4EUMNtJtQvG?q
z=W@zo%#R8nAO7?S0SG8+6vDex%ZKbTHvmDy_KhoB4a&)5+_S6u9V3|o{uO#R=M(YQ
zLtlql+q@{!1uNhAR$I)zvN$3|-in9)jXZ8P6|65e7MAW=PAtQ;i@$4w0STkS>Z+Yf
zb@~=OMzuRthf1W1`~^)kR5q&hYafTN@i`8oMN{<vye#4murT?D4EY2-vr5B{tgw4^
zaB89BwAbA7y%p2D_g^aLej7NQFcNq9`XuWfr7$6PZsaF$OY(|ktJ!I0Ov1SO1lON~
zM@41T9Ua^KZcF=`mii4}KcWTLBf9QKiL)xV56CLLwcNk8u!=4JLo?E7;Cppv2*k8}
z*-|C}<Z0|F_|rHe-n99+++<bujdDEp9A{j|vVT1fGw~N9;XwM)kJju5gff$!^$wIk
zF{Fn#<HIqqaY}NE@QKf|N{{m9Y0mY_$(CFGu6cG&<u9sAlAIlNcM&6++h)4{Pv`Ls
z96`<mhnuxd0bTSlI8UJM<ePNrG<d&YtM*-$FkswynvnBQO0<7Tv4vMX>v907{#Re^
zIUvCVI6HJ0pDGS3C@QDc?^#VLyPbv+|J=pSDP^8WxMpCZ$n0y1?k5F3Y4RP|sG~aS
z*)zB(wDv--O@oVk@_iZ3eAZwGvZQt|&=xs=$4*1d?}#$x3Hg!#w<iz4%&!idqnt?`
zPn5cJWZ?q<bPr<KoVtPb_-u}QoKHWCNM@Wnv3O(7JW$QMoMD3_nIV=kEtGSzGO%?i
z`8(Wfb?`<L#|oyg;B35QAuEF}OXZ7Tb}@2N+5@O)6*8zNRec~7#OHT5AHCokb&b<6
zlKV3DX@rEn9e&YL!~1uQ7Zi>+c{KlgS*jR#SP!s#YXw|%155x#fy9lyvO47}Ci!OH
zVg_IJ;$Ofkt5nk5oMxA?cKyleaifk=f+ugn_uDEl1qRbVJAnTp;$QkeLOTzG-v#By
z2rZ)WpILwh^=P%uG~tAc5>p$%u=9Oh8umviASm3%$7HS{i2pnbOul!(7d3%vfT2*0
zG{1GHm`=`3Tu0M*u)=>w1TD+wA-<vZmVzdpyxTO?C_E*p?e@VB_bj775gMFn8~?_R
z4`tVCa?Kn!sZR=OmLJ&#1^k}N*$sdDsL<8MvN$XhQ;q!z6j#q6aYS6_`c}dqB{>3l
zdNmX56CM->)kpWCzgzFA_{dg&ZsrMDp{V+K2sYGL7Abxt0NGMibl|`fU}R&?)>W+1
z5&8`}@d;?n$m3R%A^JCd+@0c{?_WE;nF15jHgQO5F*)Oy^^*0AqOvi;5buYa(yUFe
z(}ASvfzDPjYWNeYidLKKCgDkZ!U_&FyC?OnX%56K)#N&;jK$^K_e9^Fln6`2p7R0T
z6V63|{2Ph_L^>{t2ucMj;_D_9x6p5JEVG9Kf07pNo<x+L*f5yV`rvQ`>%p&nQ9Rbm
zIxtoA5qRFJqqTg4s${pd;KvWkYx5~yy{lGrQL7}we%0Tbid{Hn?L5B@)>xQW-~|Ci
zRxDCf4_4|eDZ$X#B@|q3&R#caiIm(YSrDu*qp#ItvxP8iPx!J;WkX$S-`p~omtuw=
z)<!8rO+l-Dv6omLbSA006_kXL;xhxr!8qFzcMUy4nUkYRB@;_1r7!hGg&$rzgw%Ms
z0p+MOJf3+S3<AngBHVytSf!|gh}IVXk;PkHhqGMn=;0mu4{@qI)0Fl?ra0X`HcEWW
zK(3jAPd)&97bt&a<<u+y!JM=3ZN4+!o-?u;#K+m@8u-}hD)pP!hRiZA=hCun4+yT7
z2fxL_%(<PH=5sc;NEw>4ih57~`e*ICK5E^&jfTxAgzXPd>}k97Dl#Z7WQ*5#{_^xw
z1^|yqTeq8RtmR*G>Y&B8^{pi5#7)lI3zJn_5#graE5BFY%?JDrQFtl-s7na7@pktL
zc<!hL7eEk^jFl_A(3;iXzI)`NM}2d%qkL<a%~zRgv_^Fg-weGxGO`Ee{NV5l(4e>Q
zg&nt!CiFV_#hiK{#Z<0ad#t1r5*&B;YmP_LY3tC2e;0EZ{?Tqn8DX6&aZ+^)D9y1G
ztYPa3#PP+pLVkFTdHqC<@(z;k=e#qq)V^?*QPh&@o@Dw&pnvkJ`GamPfno5x8x!@D
zP~QHDct9zMO0$0<J`C18r0J{<b6})OC*R0)56Uov2qAk;7YH%{Azw-{Gcv!{W5T$w
zdNt#U{WazbbjiE-Zz_86d)`a-ZlaQ3rC9P>{g87AyTeos{|j&`M5iAuv4TFiSrx+9
zQIw$oySs8BT=+toP_LD;d2t$dU)V#=BvBfnoY$}JjXa0`Yuh3`-apSXQ~0RmH}>&r
zg&$!kZ&>-sD+BVga8C)W_hEFDEWDu$M7Knq^ES9h2c-aoR~&4IX8+Fw+mftre;?CP
z06l1-N&ngW7<XMO@v5wJ&U3z)FaL+KbB$;6|KmSJDkSG)R77&hxt!KXa%wp<hgHa7
zM$W@n5pw<^6tQxa!<=TBA?J|f%p7J!Id5Vnv;Noj?*GRB@%Z0x$DM1B?YchK`|x@_
zUq7RZo29j~2Wa!ZGk4d<z^eC^A950^XCtbQeK2!>g@JN+tBkU<WY?VpJw5FWSxI}X
zso+(!w*iNBK?)M_-PgDNxO_JqL=?5ya8;QBV$Mt42Vs>$Qcc2L`KB~~0v*efAlN3g
zMs+d|tiWasG+sWFD{4Lawww8MAh`gVL#X{?`Czyg%JYH#k{U`YI)011{RtZN!$5=C
z+1`q$0&!nVDG1%qn6ffXyfUiiSy@J$=NjlZnNvX8#^jC)4qITNz8lDai81zcd7ila
zFd!_xrB4VgP=mFp%L*!2%7R2xD}1+DNr2ikHRTP+2&Jyxjb^PbF|W9)-IhbLk-_-R
zRS!m52Sx2R{;3R9vdP>kvK*UwX9$A@dbduJ#@dBYa8NvoU1e)?f5;S)`6$m!=UcW8
zIBsA6>27Z~YH(;=C}g)EcIGDQFKbJSFET}}-x;>YSli(xsjh!4rvUkL5cIWyEIqx%
z2@!9Wy9^b3mYD0rDGDnkq>AT6u6n-m;!+cub4a{8htyrteu1>0_|ewrl}pZ!J){c+
z1v2J!HqqvLS_OimBcx3p_XaY{8RoNX?WGgj(^8aq+1)i^(&J)7eD6Z*(GBDoipS<K
zrLQAOiDK7-5kZ7@SpZKC!m*o^eBqhj`892Be_G5RFWWlO+L%I^$0_mPOBPX2W9>u+
zs8$isU$n-pVE2hY2jY~u=NLF=kUHj)N^GOeld{V8uw^|-Ku)!MUN`7`<6ER$a2YNq
z4E`kO?>Ecl=jloJQ)LPk2fkH`g`H7vVdr%#*DK9B3TG&dGvt=JpPENljy|EV6GEdd
zHcle-E4*~F-?7E0exuphQs>^H^K0q^pH{J6c_5{MxZ8tj^yu`PuI%RX+M;qgV4>n2
zPspvVPNSzPmm_#iw{&K#^G&}c3??-mZ^#68j&0q{kX5KXl<OOgjnbpnMI7B*hX7pN
zvA%2_;JsYF7b$K-^^18jx)YofJO1oh6Ap{5Ys_5f?+z8(xViGhGgr=g(z1T@V03uq
zPw^z4G#?Q$*YDi(A=w5SY1wWRR_?5?VX_OIUxCYPM>c;zb(lq+rWf_#qvBnc?|&ZO
z*LTo(aGBXVE@=2IS}P{v?Fl2UCHrsu&GtZ+Y8g^OSc+oB6CLumXCKXwwKNNgwEmro
z{U#>+Q8PORp=@5B$XvO2ea82#;QeOAM6al+JU3JdX?2`Wa07@7NR)pWUATM5BbbUN
zfBy(mYD)rTDaGbv@xwZTW+E3a#e6=Lz8Gz!vBS0jh&mg9TB4nJa*-5E0KRotpVWCI
zYH8@&nTr(cUr(xLZ;1@b8*S~$o>--tvdP8t*p9xIa}8^~rK0_8YhulCCWI-IwQrhz
zEXq514Ses=_W*lbJ-g%kV6AiqZ%}-ULpm;lU!nNgcsCX<P!C>f%&T-S=#DT{D(FED
zUYTAwwquQ@cBCss&Q(={_btiRter6#kul5KfKBf#l6BNanP5@w<k(gnpt!f8aKYf0
z)p+pDTKhh@7fd3DzrNh#i3A)g_^$Rt`X4AmK)83=_%mIdTp4+C3H*AWhmF2-dn!00
zU;In>LM80N8&0{r8=rC54B;pLGxOZK_+4wYk~!mY0dV~rfEdE`_K)izVGR(wSFS;I
zDbyJO?SzG4JnLP=pT&h~RBmu4rHj87yQu|vmwEMpwX(PTnh>U}F{3?4M(psW{FNEp
z%t!Cl;t6y^5)Q4g^T#x+t@_Hm`fq0`S}WbZ8p%JwyeyZf1V_q|59MNP@NKx<fk<Tp
z)UD}2XzVhWyR%8SAJP4)o~5{cmDDAb#=LO+K~XaT$~}+BG#yubVkHwk9Ot*EI~)Aw
zMj}~hpA%8=U{IReso`Gq-xTI>2Uw>!pu2|om_uk`<$V|?6^N*598M6!wjLzNP9jzP
zKhmRbZY|?dbt`qRRw>FFm~?Ty=wM6TIw$D<_|Z-jka0#&52c3o5Y1`rK&Ar#<<=OK
z{;<*Z--^c1C7N*}b0#YSW~{t)x<Z90IT7V$5|*J>_vz<q=BpN!W7!?&Nxb2VTuJ_(
zLhgu_Gifzrta9T@sC%VtGbyUGU1Wbak;L}1j+(OMg1kjhE(;|42@KR3@eozujwgN%
zrkzgm=e+w|@D|I%>nxbd$65c$nwjD`52<l^RH>c=ZJpILDu?Y4F4|x2?#b{gI9hQw
z9%(nF)wH@WjF>K;0*f0T)X&4}#wS5D?aZ^P?h)t)AU=rsj&|mSkCD`Cjp@PeS^tzN
zAz4Gkhv4Z)p@QUa!2Bkt!r&XDCI0|0@=Jgfh!?TkZ8w=46mCX>Pe^Cla|?`g^CLe|
zuVp<xeU+8%rOEsEWy2~zLmeXqg2r$UaFwa4BM}Z+SBVlyhsz$vQ=-__(GW0fKyC^x
z3K)Yhtc;UW<WW6<XgCJrw{I&ah9rIP7Ta2B&D9zU*3i0cE_2;?Ai>S%PREO<w@;=W
z*C8W-AS{|ZRjxZN4#kHxXAc5%Ezr>><9nwYXE)$aTpKbxZNb=CCxtsE6$Z9_`r3)q
z|NL(}1RF{yZI%9VX$af{l_1EI(XVx6Q#GnhzZh_1srMo_3lXLD__QO1N6k2QFXZ(1
z?gYk6)YFZ|AQV4CliWTt#ysO*gVd+wm-P$__AQ~$Ze-`4HDAoPJh1)T+>*L<E9Vhp
zT5kG};*qsE*I6KB8-^Af+J|JM^?1PiB7-(+5{Vl#Wu<Sm3NGhn95`d5hGdUCYsR+b
zHHJUxoghy2^2}s*S%DI;@RQC{d*b31*lIP-yP<5uTmgFNCEa|pD+$uvoL9M?bFe*^
zqC6xeF)!0oj<mdqxKuq;<#yCZL}j;_S#Il|P*W<cNhhm^0KSS#yn37WUdua++Z{Iq
zi;iw0qktZEMy~5`)@l+}Xb7oLV(%56@}7BON_spyI9le3U><}sFP7`MTb%aoINjRf
zwD%|vo^voMao~1C15j4p>ECSz6ikYqqyMsa^-b(Q7LE<E3zc0cR1mFfOIwR-_>RxB
z|JJIZt<MMImrz%zlJ|B->ziC>4X;Yafg|5kCxNiqJsZ1cD+03%-_;%-Y;HyD<E++(
zS)&$!Gp$V)(QZBxgyw~6_I{Sr(VUo!DWCCbyR;jYd1OFC@Db@-gD>HVvHufx9^eE*
zkq-KxXBpP?n;z7Yw<qp@B#R#jk3Vh~+U;v&<8mP2EG|mJ+)d)X_NqhW={U=A5Ddi0
zV5g|WGgzq{o%r^b3^1_G>E?&EiL{I<GE`2zjUP(XZF!x|*(`%}ESvuMM(yixx`+}~
za|6X;a2)|6b0q2AE@S9Z_W@ZzXBfkf^2>0vy0MvY9Px0%S5to~`+2k&%uQQN;jl;=
z{{9Hz^d46FW<trCnD#8gL~YCKp^5Gc#InT^c6Y%)a70tQrUIvcvF}w{$HEo7(|%O@
z(HL~Q!Zk@LLYmX0W*k*3N$T~c&mNd-J-7D*-sgn?p<r~B=$Pc`_?-1u3hQILn{1qt
zI>!Wq^9*f@Tnxja3bAuPrmM}sBdv>=?BYJu_GyE2Xr-5`z`bG-{jp1TN%PeG(@43+
z>=bPV|G_dTMTRODhm5R7pn4X>D4RNxm1Gjvy1`}M3+iB@fVJH|4}np~+9$uHA5@4Z
z%yKu2eFnut>q)74r%>+cpAcZ%*lOlgdRh;@0L@*FPwLddQP$NvxOVS|U8RXG-<g?R
zReb~&EG`n(7SX?%0miO8Lx*JJMj~*;2LpUL^;WqD&5pR^<{{KWn1c5{c1I{OY;iah
zAm&sN6qX|8I)Fq#P+V}ekbTv@u#Wgz_-ed#;gGmycD1KTg7i(>?D_QZrn&TVU|G{~
z(?Efq2aHJ9D!e7tse*k8n&whHxy<BX-4>Xm!!um{__h*RO^IM}_p=e-&noXT{XOCF
z$=eK7$}?`iUYr<r->jeIg3`mCyOfpQich3ZeE+L7^x(=-e|_+trHa=f?WAnm-Q%>v
zi71(<ZjeZn$joo(c|Db75T7&R`yX?7Xvg2Sc#fQMmw9Y)QgE=JfbKhwgr+lkJ!~uY
zCwuwxlD$pNZryJ2`{W-Uf^W}nA^y7excH-Ji<}1L=Qsu>v$YZd4{V?VWK?#pF@ha6
zbFm<vG6tF2))*E<Y#hnijK{y)u``_XvHebcr-YT?GA#ZwB;clB_09g$HIr?ODIG-h
z>(=qu3Z}}DF-gIoEtVe;I;LY+pKv|1#H8J$U^?uvD0l0)nduFsrgg>49^||qaHJz`
zVrWJbW(ozfq?PUmZ2Wb?sMf@^xb4PSKc2yJnZfWCm3LxEuMYqi+=G}%{7VtFXZNhO
z(3D44g~{v(FAQ`Xw^P~#y%%f=1OC4}g^%Evn8$pBoZ=BxLH}3`^*0c`*E5ahBaH7K
zkEIycwkX4NH@5#c5Y2k}zsr|+^ou$+z9~br?XDca%UTD65o`I&m|6EIp#AB%O}M={
zEC7RKBAn=QX5&GT!e&1_Ca|1&hsrzIVV9%7pYdHeAtF%AnxSdlt!!-2Oim+Ckx3~^
zQBuRj^xWA;@k{@EPk;JAX*GB}`Fi7+ysj$$WociBkn;o9DPO7)fSl4n>I<4KAD^HX
zR*kUhgA~M6BelnZTGcHn2Qk5*^NJ09s4&H*qfPkg?%T>c)BpS6Q_<gR^oC(T7X^?p
zU8VpI48@1g?oM~`D$u7w6N0zo?vDMM@<Xbhs?UML#2sg<>iZkMrMT_d-b(GGM|pow
z$-nw1Y~$CKTSipKguY^ix%WGpz4z~R?+*^n$P#x~ZDEyuj-`?1C@-nggP_!lSi*#+
z?r^+%4-7-}!Yl3XPgK=+Nl=TQcX9SV@4abJccMReaWR@h>gY7%UNgOf0{O>c-AvDl
zpxyy*9p9h!4vpeNan5-$oq7y9uDpMpDmfP&JAYSI^fJJ+(4l^>B!mAmi05?s2_g8G
zgkv>8=MiYLw$bVuy_=yC72ZNIW{odpQ%5InK0~Hwr&tr9Y6In8*X#dN4qj45lX)(9
zisi&Hr9B~8zf$y!mh4Yq7vUbJaWL@|!<E=cSf2fo*995d^KpOt(U~hg0uw7csNqJ^
z8?-cR@cxnU)mHd7n|satX@6!XAmKHCOXdyS4puzOk5m!uy}3qPSZW0M*K1_t5^x;@
z(I1W6cBYZf`plx2MooL$`LDthOdk&*U)Nr+PY(V$>A?_?1_*V93@$n+_33b@*!LE>
zZtxjTVSXe3BD(F7W5W+Wvr`WYSGsM-9A*u)noY}`q!q58{Zas1<mjE%zYD;csi1C-
z&UPWiJ&=T_f%vFK<Q)L{g?sH&?a|y6d3V@BCbwUR9c-Z3uX^wBvujM60=>D6KKum=
zgqZ46;%3R1ZWVsSpI)(p1Wj%o*o9N8&LG>do#A}JCDJRcZEEKds39zFrGQtg_x|bJ
z9Dm$_+c6}=7}}bb_4i6>32`z_Wm5ScOYYfuzUM6=Ti>eTnjxgSYb0Kz57ns4kEl)N
z+z`X%FG?j4b$^379d9MMFR>?Wh3vk&6W`M<A1L|l4UfQM7N^ymt)U}Z^CM-X3tjA>
z;BtHylZUGE8q2A2{xG{=wJkxTvf@MRsopnVr_P+d7k`j()A~_QQ~od!wJ7<KI!05<
zygg>>#k@Wmw4v|X)$sMKejLV)FTz&O9Tg#Rzfae>FMJo!DIq$+v;4ilbf`O@^Y*w(
z<4w)MEvS|Jvp;<wZ;tpqy-aRelD;st9iv5BVBwIlGrZSY{86d_#K^XUhaZ=~-&kAp
zn72PIQEnt*G@kfn9Z%w$1NDbPDe+q|lwZBjb4cT*uZ#!y`|*ow#95b2XnpgKvJp3H
zW34&Bucdy+#8_N;Pdui=DOw)Qf%1`J0j8Bf3sOJ!m7Y#@^V-*x<6T<FTSm89n;V|Z
z(B58Zj}|UCKW!y*JInN{jF1x}|L89B`+_#L4_L@~ahsY_nwl#dJC^;}=%wGgZ~fpA
zf_P=q0-YTpUyod~sQl%uum1?hcdV^fqXLf{qUM0|!<F35O&>F&Om%Uq*yq?zAPvcR
zB%aovxF3CNTIah^T<Yd2De8Fn1Z1N)?)phFxUuZtk}^MklPy|+ue@I{tZ4)b4n{$T
zV2*eQuAy}^!=n-*OdAIv@alb>AAW~7RhOG;{`?yxmO+oObmrS#<y(4iah%BNs*yPI
zwZ%0*!E=tq<bQevJIu3QrE93BnmP(|`8IWy?qNo0guKn3C8HC3HMQEc8*a<;>E2iJ
zTInr$W>08>cewlE0b4g&Idcgd4U%AplS$E54A1zEgEpB0un<DHH;U)8IY(EB)rl#!
z=?!5a>Wimu`To}t7AjD!E;98D(ki|**$_(MWS-Ucqn@;-kWzxd9EeQv5*^`faDg&U
zYxD7|#-35uYyMc5==H-`;?PcY^P8LRkeR`?fb8LS22(URCP(uP1b)-OWv$Fc!{##1
zscFa0GxKnFzTd&YnK-05gS4klVUQ}vrA&bZ^YZWQTuf=lIYfY?Zk_-x666r<n0F?>
z*e0KAq|cu<fpYR~+>h?5BBUFAgA9FPAdZ{Rv-^~y!?{tusrVsr!EtcjWEI@(2Zx^^
z9Pn$M;q6TQsUY!~?<SbIvDgv?><;R;v4v}v=4Bh9T9kF>g_Z(gT;9X+t$Agi(rfE7
z3E7^@bEmmj-7iWcQqp)C)_6J~%xF;A67&M5d*?S?#3>BO8v~iqpola3N_X$#Tbms1
z-a_tFYxd35T+ZgOFAB9#xFK%y2_K-Zq}*B(g29s1GTKHS3jfF_W=yVaEhtdTA^kAf
z;(edL>f~Qru9SnN&=`hcjTiHBVsBr^<{+jN2Qx?r{;&nUo;MiLod|PRWspk@xzN|I
zgndGtLiwQLf!Q#_nkW??tnZ@ldZZuhsfb1Mc<V?^(adHIC+ZhE&NRPLedHD&E+5n{
zJ_WkO9Dz3Eq=I}RREP?_1)M(^79XbReYYvwNrm?7;m=2~Dgp*MVOQqA#S#B%BJLK)
z5miIQIEcolE*Br5Iitka(2c@9-2Bd;f$&xn?}h8YHn^gvXcj>t|E4UUOY>&kqunE3
zH=17k8EoKi8pp+H*nF2=w$##F*$H0~5j@kbPXz2{5bb~}3~Vg|S_bIHLNJjKyzP(a
z<8shqp$>$E;54Os)WC3dI%VCF(p~ttN*LL6Hs##*%=S0!Z0dRdBv05UF8R<(*w*&Z
zT?N(+k|4?#8V6!0K+8R&E>hVywR5lCR<2XZPC%8<ApX;{S`%X@2z<AnR<+;IR=cl-
z{Kpcyib>gfMvbaIy2AVhv?H5Q0t`dk6jPLr>r$l;IHvJ95vSLr9yi;U6x<}LUf2xy
z?1h}Q&DKl{{JNIKQ?1ge<UvMtlTsJNs8h)xPc-*$6feO%qMC?{CY*!=^{n%l-{S{O
zjZ{zE!TDjn-p8J+8EU+j-Pj*4!viXAYpR5YM94!lGE5`n!i<rQ#>M;I+PQBsT{eAj
z{)A7?Z7G$8ptyrnqTCi*5CuoHaYd0JsM!6X@HK*9C4x2B9Aq-4;iU<i2V22*Use}3
z#yK|6ZmvlSB&${V6JD`Ybxj2E%yN?36ZPa5BmKZs4LgWmH{9$uk*&hRAHTh)_>Hz*
z;6j%HUw*uC{Z5Lw!jm@0;UuZ+KPc4^48d=o2Ml5PG%;+yfzIzTB|E3efv#&kwZm2i
zz1OMm($!14OW{u9P}_};i^(Uh-!PSWX`n&(pv-=eIv)&X2jErnZ8{{z{Rs_jtpRf@
zn;#mLzqc1(W2--B7^Nep-LkK;CCAw<uRN|nt2A@q)XiHpg6AxwkSYE88HuBl{4D`F
zj<VV7>uH)(fD{@6!O2w*H*L3jwzI7<WvSWe!AqRF;=}PxT7V@zh1g0EvuRwDNgw#5
z^E&ZO;vJJZqVQ^;U?=j%e|ktDWVo7Y_ki*+C30DM2_F7seNrf=jeRO;|8u=WWR<DE
zhs0Bo%+)uwcfNfR$!1|h9GS0&_oYQiF=r)JCkXsY;L~)wo&w$<RT|<L{%)e`glmfO
zCGFE00>I8a&e8bn!=F9kg&G|S6YU;6qMlJQ$CY}*)j(K6OeIXxAigUHI4j`QJDtvf
zU$jEKnbuP^QkDxjcD}XuLJY56E4*o+YRoJCN0-)$Ul{cYZ5_8VS8(1R(McU4L@?TV
zTMJSFy=-U;jfWGclfi8qh#%Aa#egvKNPOe>UPDFChjsIk=>@%B0c;E52sE=L=f%P)
z*qz?YBg&F+9w%J`C|CA?u}IWxDC*p{hLl7<IZukyxWZTy*9GNs_BM~oS-3r22f@Ab
zTKSnUs+E!_^5&;}=6{k%^-W+kqQXTt?Q1)?>v&{p)!Z@?d@ScRe~j_>=SpMipE7Xz
z)Dyn-WO|ILxgLr>0X)HYo^Cj}D@tvGAYMg3vD~Ew1uQ2x{2#BWI#ORil7^6lxlUDj
zHj(M_#fmK&xXG&o3JUg*P~5ZsSY$_FmHvCa;ho5q(rS`Pf;NC&Uq6yLnvYa3Tpxk`
z)hyZL43^NYEv8ljHjS}s^>M6A>9!AMIo<?wm0f&sTQHUyx(r1Ave9p1cLco?O4b&T
zA$3nhmE~GKXEpWsvGFRH>W!)r)9)p3BWz?p`w^#TZ>c<AKr?+zehfQOood%({?NE;
zlIPso4|A__Ju7_W18Sp+MidYea6c&^J?`{LH7W{sKfTIuSqg~pIWJ8)c&$0a@x?$z
zC+)SykODZzstp_c>mk0;Gz<IE#h8&$mRy@~p)=c^O<qI)NZDODDhF5Ezk`eL=ACU>
z39#L8+aiTjWgpkr9Ot9F;I6bn;PrQt?g5@;IDbTV+#U@w{K1?hhmHj6OGdo)B^-`k
zxIg0d)PeWSus}M4aN-OHjK&Ixnn}WGNx7gTq(cRL0D6+nJm?~Z6qOSl9OpHQZ6|Az
zE;dA;eivi%>v=Li`iYa>=J2x86A%nV6kmD<*oZFB{W^6@v&giOV*C%4D{YfXTT3nX
zvvnU7!qTp1@XR!cjyUUm9eG<=#^5hnaxz+q?~OFr0dAil2c+xr@!f97J>u|-{nl%f
z>pj(Q3pZ_Ht@Ivop_DJFMh@o|gwt)nCe@%r+Cu9g+0STjsB}%X;M@0-&Gz2x{N^ht
zo1wv#2+ihkh7#2;MNbasibbf}U0YUt3m2)Ov2GNl_CzHmP1prB*)d=D@tTYB0@>OB
z)4eC1a*OYsc!eTZb1wzyMczrx)<#pTo$vN=lA%c!^iT_mU{37fcnRHO=|*+x2Yg9)
ziny-*i`RVjT-Bc{O6)8yZ{l-NUrI>_?R(9DweZRcE-U4lmx~vC`yb01Z#&aG;&4tr
z?Vw_>?`R_EfK>t1gW6T_hVE~uFkis#G%x^(_~oXOe=IKb|5$#X!lnM^1{|)%ClarI
z;35G6<*(w*1*Ly1djZy(+DWLN-2YhofdBrzc}>i6`W<^Hl&k&cN$q2#)G<3O_W$Bo
zdMHK98JZUeG{-Kd3qAO0SyiQ0#lyzC_OP^HY)D-CQ+;ihyeM0^SafzWAhqiV*GI><
zFBTF@;?OWZS62_p`Y2~a1mcy&ZLx(~Yr{t;%2`-gzMLS0_TuoX7$6spC~irKEAcBr
z2myUC=)C9OtWl$K=(lvt>;f^6KQh51&HG}OviAQ>4sT*As@mOEV)4EoxmVh|pe(cV
zj$dUHJsJ9*_4gNls@0}ldMU~l!0k!TT$Fl=bO%)YL#`bzd=tSREMkvW)BN;*$fv}A
zb5q(~bS=29>VnmSU+vcp-JZ2Z6D^5<Nj8;Zk+ehnjP2!O37evwKn3IKn-Yq-iQYtg
zp?1#E0~{p{F!S%k8i=-yD*hU4%p1Bk2~#j0ugd<>Xkw|wR$%jhBXg``!&y+kF3-|w
zEWjCxSsp*A-J933D4i!7dsf$Pjg5V<Fa(w(|M5h3r5FNtHkkbF0-hjF_)OafRfu^b
znEU<PpvoWzjKpGe%Nxa8d*3?oJVeYAig9&kCfPd|$thc0XI$nv`TFMP)?C9l;*|@`
z5EqWeuv+Tymulrdv?K!cC-GBL4bd!IpCGKpbFG)V(?~To?YWn@*HedjUY3&_*BO>{
z-V%m6K<5(rV>MB<%aAS~`sC=S_yICM2X{02pU9wg4xxUrMx5jQ*~9g>-We&@2YC%s
zHj-|QQ5J+8FXN)&e4T+{*qyndD?ADcrND}Lb#_M}dj&HcPqvm~YvY}!yNK$oj#giG
z_|>PaUKg5cHI<W|-@a(GA*uL}CEd;n@JJh@_D<SMaccC86&%4Qs=qIy*X^4~ty356
z95qb+`He1DrGGtJU;FiOc(lR<&0viCn)kpO=1N5VXPxI=z31ab>Rnzl7U-8KP{1q(
za>dN#^x+NiB@Av%=shXC?Z0$JWUxXX`)&8G(ua3IV(ZhV(Jc2K2MEh#&dnh8C`LV~
zSgA&p<hE;urSpj8&TwWOTX^-+@*_$l_A{xBQ{FzOQQX8Nh1GdSHp&(1-a{$tq#*oE
zMwTfHFLDiHH0*TXiEET3xQ>15@1Jq{Ev|09Hg8Upr6+!;f;XvvYo^aYr-6DOw+Q9f
zkdz(!_H4?oZ3JGUQl0D(6d@a=+~SzkA)=S~XTx3MN5w-S6Q_PJ%AflgmZpb=Yc23%
z5&_#jOx^`O5%a#LW|5+?G}R(+Xl>pqi7C)&B(->qU~-UmDcXHfjT|r9&eHRo#`HL-
z{4T%%X*sVO%EN#^AL)qHpeU=1A6i{@J|nFfmpz}ub9F90x8u0jhrxPe20X2ocNp$|
zls~3pvt9Um)U_u3`}6DSbohrBUZ*}-Kqzy??BS=8>sDeH&wgN+az#F(3ooKmCTY*<
zV;yaRR3s!qomh%1?kHDk&^jr=R|J<kDdT!Wumw(T)fw!n`%PJ+Jz7(pO}bbAKoCB9
zzJ=}1b*)#kyIZ}gy{e8&0S9&)X9p&fN4@{HG%h5pML>3$JC{c$^wM062dF{gGV^(v
z7Rgqj5XWqqWrOclU__q+1++K?6oat^lEP7}6m$#&z@l|<ch~>cv1v^X-N31~h}hgs
zzIpLIrSAf)c6|TzUcT1SI-F@!Wv;MkIfT6}#}WX(z#a(YWS&HbFGjnlL^FiRpwr5Q
zkLCe#ByOx{#BA%2Ua|9RsFwPBUjyu<UD3ed&Bt$o#y&x_wssFC+fJm_6^WQ!)0#K(
z%T9`<9UXu)8KKLq3f)a;4yGc)3TVlIPsq~0%p*0OqR?$YFK$o9&U&ecalUGP4SD9C
zA?v56MaUVnY!-Do*X~F^Nd_fkL`@f5q)MirYAyE+PZ=4FBE4H4DKQs2!`|~r`@ECT
z%)3lJUNP=zC%Y-U$7Tbi@80D0K7j86lD5V%+m^J|?F%PHZ*I#O>y2m488sI>7(DOJ
z5dUA`P>>g8ql<dC`ab?#aveSE-F~o;MeKw_5pUgRaa6e3<4Y><%TJaG{@Ia!UyHrk
zU*jb|Yq;Hf|Gky11>}ZyAyhaLnik*hv6W?Jm7JsDHj$NQQt#V;WhcV0UEM@0AjFJ*
zME(f@ZJnf6cIZHR8pn{v<Z3zcxx6JuU8(c0K96l<WS-)3Mtihev+c(o|B>Jq$x0JX
zzyQ;&Xj9V?@X_V4T&|GX-)T!J!Hs)O@%^#z?<JsY-s@U5bB`ZCc1@&V1R1OpxipPq
zp<yQq_*HNvlzWT$HSWj=_c_gkD4;Sk@#A%^;H{ZtcFAZw4-W!rMoD>-O?;T=S~5GN
zmt$$@<@>*)A?ciqI|3}ubJ@@I>SW$$y7VaOrd|u)n<9p{g(rIN997PlI`etW?Dm<R
zv$9NiV4Y{)BSRvFymE!n@P6Nq#RvovZIv4O8p&~V5otK7cWsInMvRL0*Q}achrp03
z!`E29@0owoAGZZ>k|}nJJ6$|y>3-b{XT}Kn+^g7<L&`?ex9SQ+s&=xeOy>79+0?YZ
zU8};EnirF&nj~Rq6pqb5i#)NCm)j=wlotIs=rG&yH`OcKSw)TxbI#GTUo#$zICS{E
z-IkLpXw=hdtKCrW&M@B*YHr#t`Ib4U8(Gb_r|`sydcJBjBh6^cdgp>9-hqL&omvDZ
zqR$7Rh3FCF_8!t1h5?1+r3?^dr697062K)4Gh}neJsxQtoY4Te$=YN{Uqra<nx`-F
z?#4=4GABv9!R-xx$H{m!GuKyPv>N1&iPI7TWc(amXx6Sz-Z`A1VPTRlJ#oT;iiPeO
z#%vM!-5(x^CR}>qTcl~%3#}t{f?l^>!A}xyQyR$MTdSbgBl3=ox@_(2w7FPV2x+3v
zZm_szei7`7|1wo{ccxN%Sd`|nBb#fe<fKBWgnGb{Z&&Q!9vN#3%L8-2U>CJF?;BIM
z*I?iFCLew!qZZ5mvFy4U0M^BD;F&Ys+JMm(=%5N@D4m}tE+{ha_Gqx_(EZ7X2qkzi
zbBN0O>RsN$X8UQ~F0~>K8?KN_cl#3xpQ!EsJyA<;;oiU$Y4`=>RxY618=JEHp`_fC
ze6rXgEFG<M>XhJfjuI#AaY2+6kfoN_@tiK+L7^LvlLkM^rug7}lI>NMeEA3Eo^xCY
ze-S>pUmI9)jnEIVZE7Fb#*|>!TUSOZWQXsR3RRnA-5gzce-ldBX~fjq(sS{lw)iQ-
z6;$m`qDF)i(EC%A03SLJ*%!Asd*oW-RdAu*wDsIiV4m!&L^C?uyImgoF&dc1`hJxr
zVHHmAJL@b>+P-uBoKhGP=Mi^H<ndO}rL1Q1n`oYkF%DAan8I`qGEcm)5d|F&WSy-k
zNSi4JC7rISj%m`?&f)vCeM9s{e~<4JT+G}e<y!8H%-+Zvyy+;zIRm1c+|HvTU~{w8
zD#F1*iwL<|EtFH=wqv!7o*AP(r4X5OAn|Hoh~IYUFkB#)tqJH{wnC95)uO`%B%k@`
z%_5wt&reyi6eq3*^SmVS7+gX^j;r<VQu%uOtm=OFK0Z?Su79Vv7Z8LHt$Cc1`nBfF
zX}y&bw|K3ui*jrY>2^XMreVBwN(yqyi0iq1Ikcm%@C@A~l2S<D>SuBE(+pw%8xmZ0
zujw2#5z2bhD2PuFwXAZM&eM%6ke>9xs_-m0d!@TT*Sy$^Riz5-8~DTOvLzjPfBcl>
zNV1b})r@~-Q>_m#4DcROu2#yL*uv}0xIZsB>tAA`cD#{k?w~nnJ4e(l`IbFw^{btm
z0m@t+?nBMEg6Z$z5mn|9lwR6~eSKT*E&TgL#W|&=lL_NZlZcYJsxQ7)$#&zp9GmWx
zqc5bh1aq?bhv|)|a}!umY&lZD(qVRf4RSB}!=Y{Vs($*N3ucLLb)Dy;)f4wx+Sz~q
zjZduFpG}c7177Lm4C2(Ij0v%IqWpEYlq=HVm2ju>ixOOWpU}K*f(Ym`Pke9Y(hm1;
zgKMMNHt!w0|03-smkht!?XK85cgb;xifWRqP70q*Refmni_};$^lYoTaSi_)_Hy7-
zyl<dMz=6-gPWBtG#s$1-RudMoIYUi-d3F}n!KQhdENRlWIJkdXYOwZ9X|KMjvjp@6
zQh^dk`*4gV{|Jh34Ab)}glQSb;{O+hGq{>;-=o4XlkvgMhP{K2`CiOSKBw?|_-xcb
zJ12vqX#H<UJcaZHqJ>^MZP-=;b0r^{B7(2RJ<lw>&z7i$cy1&&iO)l`drsk-a>~t%
zy#k@0-fN|Et)DcAh~U#pLO}iUNMK9)A`7CNIlPL-<~LWflO8nxQJ`gHp(FE0V)Y7K
z29o7qV-_YvhFTJS#PI<G)4U7XEIYc2lu4tt(6>s5DO2QOB0;yt%P!Zj1rh$WDTgha
zSB=2A!dx>e-+I&c?aaoI({W+D2bgCA*fb8mdJ4bW2SC0%Z@VvX=3yG>BnWQz-IG@@
z{Z{5xW-?_~F7A%Rv9hsnj7r}4?_^*A-t+91CGbfEs9R?>R{-LzQ;-4=4fYnqm8UwK
z$3ICWM_&)yaArSv6_jt)Z7bF@nNv3BO@tU<$l7fBdLRV5c;dFiE8km-EFBNNp1fHe
zXUF4y*6LMc-)t}rE^ga)<Tnf540rh+6ec~eTG|Nx^C!QwdPG~Wa%68hG>!oBBb%QX
zHpgcCb&L?n7FpP(!Di!ZMA%o~6*!1b<iAS`fDQa(@g>FO`gN<!#Pp7m=IGJ$jcGjV
zc8|E#UD`$`jfCp`)n?5_@^2hv#NQp3$faGwRIUl(nOT9ZC_qu-8peOy-_KtpLw@<O
zP5Q)3u42B^(rjXDL)TG`oi<%wVLc_0KEx45L0N-X(C8z7r`GC{7Dv~gl{_&-a2JVw
zB^3y$cR_qw`ejFdf)5&Jm;<q*)XXy9<8RvP{Q@WDicMZ{oqKV1<~XPQDVlAXAwf4@
z9un%^F{Soq7CL$dYzX~{YoA(xoyYh^`d{?&z+HLCo5QO2xzoqyL|aBqN3I@|*FY-M
zcno?Q2CdE4tbR0;7ulkRRuI=~ZC9Rim2ee=Js4F&f=V3iry;Y`(=*+Gmu<FJI`Q;4
zOL^i4_D3u%tS{JYoCM{UyeAWljqhd;eAlb5P||fCg3ns@bpC9tFyayIRkBR7ZAt}a
zE;ys{`y{JBO&c997g~X;#v9j@AVdVGr9`xW_)qn{w(6Gh-L(Tde1B%caX#{`l*-`O
zna0&-kO)$33<!xd8xE`LkjWuV^?B}zuQ<Hs^iWPLU7a}HVPE=v##-XRr<e5tu6q!b
znPoCVieJ1poi5z5wk-Sfmy5H|w6}YrkKC5H-rSqRz?QNL*M6cokkVRZv|kiV9FgLE
z*Fl)W?A0J`vB17%9%m3Wob&DI2=QHEC>6ZZYq??^;36N<wz)O{K}B8n4_zC`-<(~-
zbnRA}TfsdiTiwR5^_V~xTJQaxDc#<#UP4n$&b(#zh+SwOsI~XT_mnhxf3!XAI$mQV
z{pbb|Ys&JR<>ZHIV683HsdRD)z3E3iW$xIeqw-plTeu4!yO4Ed|COEP^h2fT!`g-l
z)z5tkPLeuP^$2hW9`vHoeJn^x4p8CjrLQ<Ta#}aVI#0LM-eV2;_N{waCIc+n=qzOI
z?#@+p{kABZ-7`7Xty&%qts3%R2nM6nT)lw_obOm%HszMkG}Xu=RR2bn)Gz?R%p#aB
zJDh~wIY|euB2jRW9w>to{wtdW_xzif$M=Pheo-yJ_%PvT!F~^&e{ncIiUkPW1CJ9F
zO8d$-3KXIv^doF#`paP>2B~9jTJr1vlxJ(WpL>w@^wrr9touf<+Mn^n6|lzGC*1+A
z<tzj`e+!PiSNj7F&#`>{OZ7XS>S{&*K%0>){$`ZaZ}q{#e%bh9y#n!H#?Km(^HmO>
zsmw`4Z5+6j^{2gAE)%rukhja0&N6KGaBCZQwQgdpt0Yqf&vC4jv<`3_Ejn|x%v__Y
zv32n<J8^g}%KNC{&j#79gXc8}fFc8OfHW`#4e&Q0gG+e;iLxeGN@%`k3B<kNxKNuq
zcQ4nq@qFLe-bx?b3GI{v-lI;1afZr~0o`i3k0F3szGtBGV-slsFY}a?bRWZXd>%vo
zid%uW`ut<ThY7gJq{jYF9j@^C*Kd*ta}dfEbr~_p<O7{Y-lRx2FG=*0h`Dhuy@JEu
zQfm)~MNv5?C8#eG*Q@kIi`HCZ$2BXR<;<HVHSL!ZX-oxc)5`9&%bFRtv~QRXHL6|;
z@K2r+5|*=wy<yw<#s${^o_pR}mEn63(aHxj7}fz=rStbocH~0gmI2{4Hkj6yfVLJN
z<P+*JS@PpzS_&|ui#j*Eh6i_pSZ5F@%iKN_K-KCpISgryd(dt1u;2Z84%qKxU7}DD
z>wU)Rb?|3qAM^~;{79S5*+XkngmV3Mxxk!4TmRTgk+MNs)KlhT?j_UK6enpbt`7HV
z%IjX;qC2rB?t@;VIT`BIh^{gtss~U@33w@8{^o;?IE{f1V&?snZQSS7p8Kbp(IY9D
zo$Y6knzBh`DA#|<4SMw&m?y<+KV}?tYgym+iG9kr#q!>5(e9xXyJZ$6%c{lO*3X&f
zW$d60lgY~rF;=)>9Z&)mt5kUj>30YyIrq?JyJ?wF{VhkmUBOFTchLxt;+~Eg13Dq3
z^CH|^DWVHkZ!Dng#Z|kFm@cX?wsC$SjZaSI{on1H-g+eOq7o+=9k)0_&@KcVdm~$>
z8d^H=_aWIMLQlWh-uPmXE%W}Iu`IT7H097vi)OdK;is?}ZjbV=Fq&=r1^3Cd+cn4e
zz5BCJ_K!vW;Rpa+eCvW*8(ko*{-Om_{QAJNINFQ6UdV;AgzCL^9#0tTNqJhMeUCJ8
zeie18K{WqXr^)?2t|OCepW~nfzENn8aZOWBSrhI;MV<MrSvg|%Ty5a#9Pw`V7f+iz
zE=ssr!I7dxGqCXNvU8cGT@^6ZKB12x+2su+nJ2Gc3NP`uKEA#B^cI(Ya_;ViyLXMG
zhKI+%y1va+`?ZwFxqmEi@e=j>diOqAHzZYvHcsrN+~_1BeUT2;2rJ|Nf=Ael8zu?B
z&*36Jsey_=(6$vOV&8}62w7ce`83G?wIt(Kc~SWP=7NVJ(t6tCg`py-C*shvYs{-y
zO6tcYZccDLwyilmLsZ5+9^SAO6p;CkrQ&h2NWy8B0-oR{^h_WbovNo>{QK`z7v{u<
z*u&@)$#?FNA0SSSYXj4BwY}7=WC^a=lQ#rmU8sgWpl>-v7q+0Zr2&JYH3QK}PVwW*
z!-jyTZm;(2g3q;=QrB2?Uw&n=ndlfOu9H}Ud`b*&oJ}*>p10nLgby@^)~|N1VC5rj
zXbKg9(}6)sQvHl3V`_5!8x=Z@vl(MbA-$-6U5@Bj18%zOQme{?x(VOm7!_MMhr`Rk
zi}_D^Z~Yir4NFRRx?o|nbHN6-_Gy(V$`Gf-cR0&Nf`B;>h4iY*x8%=i(@5i2pG&!B
z><j&T<w`G3J^0R2lhN{gZ{@7Tt9fEu|CJWly^IkD&#bKog_)3*X@@7jkK`Q(CPzZ>
z7U0Rj?>lz8v<AvxSJWxsHCcgBw;0g_eFVzg*LtGW^WHhOTD*=!73Q=`m4%1DKYV4N
z-}UR|emrtVo*LJKQa^3<J*WGTF}?pG)WjlSJ0}rM6vw9Qqg?lv#?VBBbgsMQt09Rn
z`y9TP?<0gTNBj)Ysr`)<TR>_c)g``Vxf{}4u)EwjspbS$xG*HGd(Yu5?n*+x-sG=t
z%*-q>wCROy=mKU7;f^*%{Me&DFRg~cS*WphakQ;gmPonG$(N~yVS$66OwX2=h<qL}
zceHMPkH0Z9`>s;cx1tOd09JW_jDG{zosu&i5=+=I_)&OQo|o)=F3gT+bBro%OveFm
z0qt%)cTJIN;f9!bYfn}yBhK{g)2mvQ&Cis-aQQ0E;(z|qTmeyRob|i`QGnn?Mefp^
zGvM!jJ$Ujkps&TcNj$whHZFk26?)&0uY(UbNiMT|0y2bvifM?N6AhSD7DVwQ$h*Z}
z;j}d5M`a&PaceyG^P{^g)X&$xoIiJ3@1;wDP7W?6(bP7-;QNrS{s9()`L>ZQ6wqPH
zc{5@(Cdtdexu=)r=og`KcbO+ik|&<___#E<Me5~W=YsS|p3YWBi>byf9sZR$=X-<4
zd4YjAS<|LK1DQ;<2iiZew#V5h4=F)J(LK60^<)RI#I_?J7Dm90T&St}%bcx74%FcH
zb?7F;a8Sc#VZQ!L3-=moQy+X`gR@1ZQ-&8wuMEzvsjo4)feMCk#Wh$3t=W`PdiM#}
z=woHtgRI*=ENb_kv%3O|;QFa9DINea$>bXX0bTnh(&ks|6m6*OrI*mhUk0K5zp9>^
zZ#CD?)`v>$W3*BouG+-j-!s?sDf0Rr0@3#PRwVP@`c3f2ZeM?8#z26TZDI@ZQ@=v*
zdq1J2%_-@u(Ii5ixyBrUgBDB=TLh&Q=+e8EzzKh&5-^C_&M0L<t(RsgpD9^Mhehn`
z%)4_w%c_~zbEOm;vf<qyE~AJ!-7Z4(A?k3q%bCw~C}pS5iZ0b<;ho!7u{@7D(gu%g
z)o|sBO=;!0-LwhG2!2q@%bNcBQTuIr7cGp!(G3!vL1cDIo}xrGFDYpc9!XY|drnT-
zHMKbkgOxq*tYH(LL|=bsq^Xk9#)gnuf+jT1!@3K&DS$gWUm&K8v<@+Bou5eHCWsWL
za~j35#*G4fhm~Gaacymvva@3GCR+2u^0#d?Va3a!W+)IASmO|BbG9yCX+=(9#<|P@
zrrT?3SQwHqW_UpfNKbEH<|GNwBWQ}_*c21<J6_6+yU%ce^Lc2EEBWKk%iq<y9rE7E
z9AqB~ayegLe_Z0*4oi{hWZoES1koSpnLa6o!2F$_%{e8Bdzy)l{HP5R_|hTnzi_L6
zsjXp>$%^3bZexk>49|%sTq#FD7Qi}6V!w=VIpCB7p}AT$kuKk7H#y(e>96<Xbf7ub
z+9bz=l2B*p-X!BmrO{F5fW8_#t~K`Z`C`jnVOU}J3HHag9tk{GwNb>EJVZ=*RmkE(
zkppMu_vkK7p{s4#jkTRW_dR>_<z&Xg9K%bACD%f1vDu&OS`SQ%3?P6%TNm@vPKuv!
zvV<W`0e7`0<bqztwfiv75cq$GA6jSJSlMN}POv(&`_Vli|BdUn=d5~Zn-xcTh?c$u
zPWnwMXJ?cc-LY^z$=|CIwxHcWjh&~pE=4$S{6z{E9jU46WvKe}DRn7Y-v7W`%S+4Y
zl8SEQrpuK%&Cs<wT||L=pr6sO*BZ{soTq<1zb-m?<<U^8T3C<UG{DT_3L1V5qGZnk
zh1Z4l#I_$(s99A{p@j0Vq5RRqC6Ibp|DbPw|7yM-zOeFPwJ|g&ryi%ca>cD^LR0k0
z*OIS!wjuU|(x29>N`F>My2FJsRvIjS(u)Q*$6Zw-jAiq3!VCrMY9p@$3o4fX&p*~*
zK^BHVtmywI1GmcAm3c=8d>pCGe4X7y0D?B8kK2!9wn2ODt$fo)HcRM3mf?RatUwrF
ztpEP6c8bls({B{T9F&@K*50)P@*Z`SjX~Q6oTv+!VJJ}ioo3iAV&V+gDLV-OJ8iH7
z5Jvf>Ak`KG$BX|&4b~iEAPtWCReeF7gWxbFw7!eeuK;Swm0=sJaOWOq8DW$3X%x^7
zmee>u*d6;t0@#W3#+b}D%qH<Ky5fyG+^HZYmma5*0unLMWPU^Q8R#G)mSh(A(mF%&
zvxvY>g(7<=&#B2=!*QzMxLbxWAxzm|=;AZnXB=;wd1aR3v3A#Rnv42zvw_Njm!u>$
zs+m&RB`HC97P}-~I#T7M9Bgj#$2QtDHlctyxg>*&yZWWGvtGAZH@e(*z!I5i8k7mc
zsllOBS(QpwwqBlQ)uIjuuwSD0Rkj0MoWaG+^T_{B7j!%%G)Ygc90fz5Z2xeVOr<MI
z`sGLixNn)nn(M#2vP650L^MbL<1cp5Atajq@vCJoxBMbH=5k{yi`Qwm>#FW8QGEnU
zI4cwuH4kXH^b9G|<Ws2&ypHTta54j2f-p71x4oEytksj8s?39BZvXgtIW6MVoc8rc
z2w5yFs2!ai*7Om+)shR@YKcspBPu@(IZ_zX$JEE}?U}Y?EugAi1t4nQ=E%`AgcR_?
zO)$9VjpilDQ59}Y_&sf%+B-Iwdh`PmG{Ti}J)@II6vAeUQfwa#7ImM_<ZdG5qGsc*
zM%vUE^5cXnRL4FvUn7qc{ks&mcQ!t!t676|h9GR<eOzQbKK1bR^+fx=Y{|dBjYa)(
z@8}J@JsM4RrRADV4CYJ)w@r>)B5U8Q6ejxp%u&ag3!CqJqyb5PiQzmQJaPD6$$A!%
z$2nvY_e_7ew|10SW@N$Xslc|c6Zy3qhL+$bju79XbC@#6dB^s5e!*gc{EI0AU(P=d
z`zg79xP0^&(bY@BhHi=<nInjPQm_SK;8lhqU!<(QBRk7>nQKka{`yCRxwYjkO~T?b
zye#h~g*`bVlFWk+L{}Q9(jAvDNl_e#Q&O)A<bWk&Y;azrk#Y0Hwq^vlu`jr|FecbH
z#&yZa=`k71#*v&)9y|C@M#@+)2@Q=hc4(`Bnr7Jq7`QBqfb0V*RdkzL^fl|Y1T3H$
zzz=U9b#;h>qZ$7J;e7R!O6W1&MA?{X*du4nD!lEx;PTsoKP%P#_tfBa@WSb9692p1
zQJxuU;n<YXmbmMs(3ZGkSDkaaSDRD_pS1(RDex^yyn9%|!@MOW6TcaL+AGR%GLw&?
zIcC65SLv1HrV73>xRBaYrGhj%&MPxT!9KZ6Up;fODzQT9ZRuLkXMfd{IzH;N(Y`KJ
zeP1Ujxt&W-+wULC8E`BX%CjyhOE0PjOQ@vp{$*}205+Y6agUI*zeTr89NgZe5TYPP
zC%z6qW*<OoZVDsHBB%691cQOm*8D~gF{QaCJ0Pnlawnv^Va2#L(%pTe_$M*3<@i})
zy8`LnD9Xn#9x8^7A;X}23|A~wlJJb$TefN>)tRKPw(GgK*U-Xd$~`J`VoBH0_RjZJ
z)3}r?_cKk&?Y#<8vqsD3-uY2Yztka}s74G06;2nrV~23lplpVUrns@M<^{-#yKVFg
zFQJ^cHd3G|>7*c2U#0S1<%ax~>cTDN)d7?Ft%0$S`gtu3{MwZ>p9hOF0A{zlNIN)j
z!*RCs(?6E7al3A*T3jcvtT8-J*E9Uc2m<bd7mSE9BoEcM^}`Gl5o2a<J7rea82t2d
zM2BMZjYn_qste8dzD&J;vVHMAa00fKxKiwT+XW3IybM_B;7>^JiDjS>(t(~1!$-X%
z(*+A_6RNg+6~E@%CpoEyz1Qq#e|RGx!?@qO**bGK>%G+`5x!4%ho#pHM|lWu2#x2C
zS?8M2AOqSazeY&s0Gb4tmElN#=}&IwT0q1*e{O6k=ykq7*!i~@FE)G%3Djp;_V#Jh
zOP0lFm~{DrHi(}4(NhFx2S{+0qBm7=ae`pwAxM~N(&32HG!I(ydTxKmcVS?`4NJnl
zL(<GXWgiiyhNUPEc+N5&#n6N(Z|dk><aN(bAxQa{PhX63&qVbs)M+yppxt1#z#^G}
z8ZZH~fjftZw*!r67b$5y)4*rM5U)At`B6r)NxcvgdW^?QKbw6+F~hv46Ybcv8B|b6
z+I6QVyT?4)%BsgprGM{l{nZrqoh5ArLDt7mCv$h)>8%mJtH+!}MvnWPq<W-?&<+&4
z9`wWSHpL0$AW?$3+N{0Hycf>2L}Tl-3?K9m<re30?T(RR`7YmyI7L<}Fq%M=EeUVI
zsbfp8!ol5eM>6hJo5+7A-^A(Z-?_H={-IUQCDqvO1MLi`<J?n;?|e5F?d{8-DbHs5
z0r+!`kVn<s>88)i3++<X#dMc5KA8%#?Xjl<iG^=BM20puw<bz!(C)z=zxVC%_ZkBd
z=bfR2Fry8Rpks}YhJX<lsUsNU@#G#ihaoVaa*Rz{vg;8gnT*O>eEuEs@^<UQ94cf|
zXs-F9#_)*%sNk+#M_L>)bn^&kl3M{flRSAx9M#z}hE!kP3IsPyVZ{eCsMj<LUxj_-
ze(r`ow*75WGOztLdDeQhEDCkCiLiCGr-tUVVVyre3ebsf%yfc=WLlMr#}0Q}HMTc%
z+t;i<-&33yaGTPmpa2PTe3SuFV}$X9tbg~&u`72E<XP9UdnIPryeF{U#?Hk$SuLgq
zDSvd)5#a|u#_OHaXn!?HYG9w3>YA-gK&oZm8D{byN_^?Az@@-f9M6mP5k*zviDx1_
ztyT3fn`O&>iO>cW20!QGPLC<*f^lTwj5ow3U+(4d=w^;NVN7|S*X_&q5%I1FJnE*i
zoc&8f@Rb)HkwxNzS^NH`6W^atMb)|Fmesv?M>H$v{yq8xr4TpD0{7Mv8Q9~R<&j{&
z1a#xi+^H@guA4CFa?jR9>qrLYO1{$%7eGBtC*%|eHa^SPPt8!4J$2u!=oNXRJg*0c
z&Ko+i@M=3ljZI@{1Ob(z2e}!^Q@C&khYwAt!3b?^MO|ukz;%eRC9+Hfa;PfyNRu=M
zC7Q<wi)E5c3|Bede=N_Yu=zVeOL-9MG-<EB_Ql0k17gJd6)zd0(VC#(p(<G=L0eLY
z^6P~GC&QZXd4eekK=(pl?<usZm<s2<in<gJu8&&=|F95gJg8L~`VspiGc>oUPNDqK
zfFi@5x|0NQtsG8`5*?`uBE=Z+P@lz+Q=&+QBPz&preq(g>fit2>^;NTe*f@q-9uH?
zDvGvN?bfWBF1w_(W{|duMj9!KAf&4HYR#gk87mZty<-$rwJT~QMr{e2rV{zypWnm#
zesCZE<Nv^sXE>5iuIoL{^L%l*&JL~I@0ug6o4p$Crz5`fTzi`+Ym;*?L!%Me4dhg}
zQVNp;iwgW}Q*qP9rj!41%=%$ucXbr!>SpD!vv!Bh`R(e3F~js{hlL>*7&8m=L?=~p
z)f?8M^H_2ifW4{HPEWiNX4>2u`LG$#;V4)^t|ma<OnJvfoBfjyRZcbVhgXDjwDB^2
zFNmL?aY8?!Hm!x+q=9>I2F`j$b`x%>$=}9=k35Q-?%&}iE^bW8>$-*ZQt<_mcD*|_
zHdfn}v-qun%7fx@V902SOrI$4tF0j&{=-AcW#kJJr`Bb^e02@CPbt4~ymV^|${8{~
zcb)pXhnsPI>u)I9cVUHrMUv-F!v3~#Q!h^r`nr^^Yu0Oe{aP2~G0*ZfLp_P-`nFIZ
zFMs@7O`*4YmCD-<Os6J;G_T)d`29TA0NGPC1$W-*7k?Bof~hSO$Ja-Yf2bq*QT2w@
zZgT!4K3)tCN1;tTdo&@A13&b-?swW>0?2kMU)R6g;qY&=NrmUZ{3bPQs3dz}gK_8h
z^^3P$9`aj0e#OVZaqP{B5bz7oMbDOF<lJ*CK1LpD46P1aB0WRy#J?ox1SFC&UV*?z
z?QFK_oz|&TR-9a4LyTVJe2~^J6eoKVHy;;ri-z2U1<_`VsNX+eS^U)cI9>iiM#M1j
zKyl!I)5klFlh;OFTcsuFa7d$KVZd{N`NsIIlxV5vu#9qfLy*T16t_^^m{S^r+gwH(
zd6@-=3<ALhoeAd$F)>rE_?p&<#EAj<JtM~mBHfj-K@9?a>xq!dYwg@<?kYzhE@ymZ
z5LU`EcmqpM_nP}P6L&K~lVFq(^nS`Jqwv|ayXV+Y{@KcE=1~TCG4~Bx2jNRo?b;|}
z^!0!Q2>hr&qAu1Mi;(PVlTYr~SLbTsq~fzS-+$iy@H|Z;K^Q9rZ~Fi<YeKAHJ+1v~
zn;)9=$N0xMEmesP4*<`AO%q}HbutKAo&m(CCK5p$ZK58|3bcr7L>>cUa{I65qmwT$
z-YvU!U0E`rTdp_e`)23ki?^$QLEr)wT07r0Gk+YirVZ)>g=a?gViJVQ82*OiJ1sI#
zeS?qh$--ML?8PJ`g43p5KUQn~iqeVc0S01mEKZtHm-6)9!tgs?K??WDwVY#sw?$Vd
z9|p*0$w9F*-3_sp5x1~OWMxV``M8AcwG-~dBXZj(+_IMz#VTJ#20tGSu4_Sz)Hl`E
zCY$)YUQTI#QRT@bIe)4$w`O-R;IzRzj8byYp<A!`MVLcK=4QGwupe007kzy;bh<n6
z-31*(zP)Ru7N@`8IVQM(+=4IUlI||2caEX59@Xv&uZUV9&#u>LoA2N0Le{l4)FqI}
zCR&fqB{q5wrXHWlVE>#GWVDKJYSB*WR9!}EW?4lN4_Y!m(NMzl>&go3UPi>Fgo>f#
zL~iCvlC@6y-+QpxL6!sqyEr^8!#)$$exb#@9HrT#4SvTKo?g$CPA*_P`)!gbkkBc7
zYg;;q8J-IMTG7vUi>PsPH+sdkWbTLMzdc!Yb&btV*+~7M^jeqBP=D}ud7uuQJH!VT
z{rU3>a}ET<oM1hn6}JLR=f{oEizwGfdcud&wR8uYymQaV?gD=;dnD5~y#-#|M1Q^N
zxG<%|)IqB<67y$Z&R1yZJ@IBeQ-L^aZs`l6;TQrBF-k#lK6@JO`N2iX(t)zF=zVhd
zTj$hNxrsrqO?vM9#$jMaSN^Afg2~B!c02iP3~L7XaC;nwm@eoGjD8om-T+IT!Cz?R
z6QtKtbvY1dgXnM58m%<%Jrz+%(BjgimHx+JwQyj&wZ@fD&9q|ijrk%u?a?nsEAhei
zzBBA-MqUbu%<QIxhy_l8UBPef)HmN>XWk32Qj2^#WHuYicE=WFfq%Or6bHt$Oq${9
z16$KN2bGYjq_kGgPcLVa55_1)z1-(n*O1&*Q3UbLJxctu`P*Zlk>#u{&D!nV{6kXR
z?2O3D%j<oTw&u`OeQ`)Olzxu^<9<s}R3<hNrnY#HbaAd(2d91nwF@TvtjTQV!51@j
zVuR_AvK}Fry~|S}dvHA(P6PERpGPGwYIcIoGse2bKvR|aq9jIh*TFaqM)ItGvExTi
z_mh|Ur17Kt>xbGqviD#6A+zh=h9CCM{q@^3O_9^Hrdv4Rgn=*<cPMOdbl`Bz*A<Mz
zBjgn)TPF2a^V@aNB9$m^a_&|(Q@e+1OKy+T7ba5r38LaXlfcp3LTw2oG_83%8Y-Xo
zbyM$fT=o8C$Lm=z*gey88|^-HB14n<mk7e|bYV`ju2Yw@>-!FEdj)co#(g*VVZP;D
zXLTajqfO(;*|=f2r03+?xlxs`P7?RKJp?_$As5*0NOS+an8cR(`&kq6@0Yht%?bnB
z^~Bwl8m+dcY+ZKb<oD9Mn~WlXViZYAroW*MN3l*}S=KamIt~zsc@iCr*!|S=@6~4P
zL3n30@AI)==JMq;i3AI3N!+{erO09Sd6pkE(RThAOP-cQe9Wka7o!BN8b?_-6hlaD
zpvk8b%VSR)8|pJ!qFb6F{we+5E0-P&%QwBRycxFga7Qh3&q5^^_s`0P@F`agnP%=}
zb_b9ExEn2P=U0tL&-k}}aGacwIUpE>n5>KGkL#bE^#J}>u$OxtOCB0KndXp?N@m8+
zl$(hv?c7VY))%dNa(u62iu1DmgBKA<tpa09NxR4&^VM@7O3?hklODS+CO(4ZDrCu0
zxw~_Z4pLsU@M6pQ4l{h*{SgS!t?moCH8W0*Mz8uMZ5AqL?CMP<BBqP3@8Q#}v20Fj
z^)<q1ErL+5lxIUtRNckMXrAzF^IWr6%V`q#u|dYRh!z4tC9`w!RWJw7#)5flI-pB<
znXWO#`Ti9!;wE0Xd?DZ{zNGXB&wUU6+t!wEIMy6NQTiM&*b;|%Xib`2P`0`6Jm>1)
z1F1ruuWv_<k&^XEHon&#8#MayksL>-Pf3Ulp_7>=FdHZy!{Q6;0PZ@p>*c^iVyjN4
zW{ye&^>EO$nx?orM?{{Ty=x4K!u75lw-DuQs#UT!=RuOXZqCllU+*6TMEq7}&12>x
z`B-VX4a=3Ueb=p3pv`D<;*s;@7E3*E&cinT8VN?#`?hr%EMIml?HSJzw_B%{ADXNl
zQ6EODGi1q_&^g|wk(M*$L%}ZXm!o=sVg&KIer#*Sm7@mIS9hyZPAKh0-p5+;j94)Y
z{XVt5hx-(ZW90QtT$|(%v=i;DKrR#fcvLaGwWurOQ#b#8uX7a!d>@3D!aAAVsibu2
zHF;=r`|=b*;nuYMV7tZqR3-K)b&8@NO$#G$$5N`e)_K<3#DPxUAt5_JxCZy_V#(`Q
z6~~kwCtNzJeSw?55vt1Wnffb!w8e+!ve5FQe+ebbU}SZ9CG`#e_@j}D%DX!)dFOTd
zt0&LpB=5FisGv<?ACnsgG(e^}m&NvIiTVb{2oB|AMH>&%Wj0NQq2Iz|Q8=YoA;cE0
z&gkq+K?Q^-HT^ew$m2_#C?epZRj`A__AGDGa#CQ?w+d@*)s$3aLWuQ<{&2a;ta@{8
z8+NsapE}&393w8$4sVYWlNkZ`aJENgD#b1&a>BD-w{x$Jt(%p42)|AmXx`4tyoy+n
z^^fZvy?8;g`uY=whB(zqTo6z?2T_k1HI28JkVPRB>B!Oz{p(X`(S?~ro^>9e{{AJE
zm(V+*h!g<n`~4a<KOTG81$lmzX!`zD$(r6+J+85GD(NAz7599mI$kcOkl%Rg`Jqz&
z=pS^yAJ{MPhpGI6xNykNTwz@urW~UTq4L+MZVC^I4it>ky-8`m#JCnL0KT~9KUD{B
zTJH)9dS)81JM)!lblOX7l~t@I7LHj2i=uTHdo&5MdlbvJ6n%RHsn0h|84PN*HUENd
z8moM_=P<};`2Do?XJ5HaSKAM!n2MK~y#xzWPb{v<sW-D^D!u98Pm|_5Wp%;HIlq;x
z;@05hv7(GW%lv?k184w48IXmq829<Nf!)v=(rOdHW%jETj~XgOJw^9(mCpM9Hb9XQ
zcf4(-Ievfp*A?IWZ~_G5P7s){!Sqzcjk3Tmz(nZf^(Mb~GBfxTn0dYwOM;8L-&j9S
z#c%eij1)jjJgu#T;u7qptUVl4vqiT2=ARel&j&Bz30psYV`a2G${^EHE91GvBf;Pw
z2V}N>$cVGxVMfa(_Enk>>MfT5f09`&PL-IMP?P4>8)1~@<$k>PQtIPm$<T)`xB!{x
z7R+KINu1tAlOY03mKjS1oZKGSbUvfpBb{WJ>*8C!As86ixSMa-7C||^RbZ@n^MauN
zlVc?|T!7Ij(=D$6(|L=n?BJ1^F-hP=Mjnj&K(l=7;WY}<VlLOvF-uSCI?5nY)`omu
z6c5wvGuDv8+1%9sI0k7JeKrC-<<4qN8mUtj&of!Vti<QQ*}n<+wp&5AV{S~t+%kw!
z09>gTtRc&%tuc8d;&Is9BcdJU6J#38VwBAt(xER(J6TPcfgZE7V>~kF#+k$Dy|uH)
z<#bE5_S|1?MIUWj6FQYHb5KXkjlkeFyOAO+G;O{Md6spb5n5qVj@D|Ror?JLABQOF
z6q{!jdUv8AcXL2M_VwU(Pn=1bOn<$1(Ir8xj<p^s3;delPI~4nWZA+zkfirAC$@Aj
zGCBK_b#}U@B2&pNeb#?vRDY#XWI?=xOPv0iI$2w^ny#Ha(bibCE_N-us?bDKN!e34
zz}ocMkxTAZ?;H<}s}+O)MskEqJ1ZX+pcR>FYdJ#g>>ip?f>f3bZ6smtj6>J32~^^7
z{meBLY(|N$2J_81{-32*D!S#+!?q9!v?;Z(8+jRJ1YzLLH<F<jJhc78(Od;+>Gp|z
zE<aK2wY-~9XmOT&#&(?5+aJzd?~!r*3W=?zy2-%q^jjstLe8?;X4VJd8q~8^+$2B1
zX;JML=wNQzzi%$N<NrK!>e0S)3<F9p1R{Oq+eya2tvuDybC}mAFb}Mt<dIx_g!YLx
z@uAB|^|6^X&E_l3Nz1Ho_voIlyM8C+@*txvW=w0e)<nDOd?YFNEn60q*d-=HbL|}4
z*LtmZ6oKiUV&8sm0z<&`2*28%oAX@EP;|Tgq2X{^{@P&6qm@}5^*vZHeXMPO&L!g5
ztRBQl#`r^~%bh334+3LYi(?>9Xsk9p(ub_a-RqFjl$K2^Fs15Yqje3)R|`F+GA;6+
zdt$~EqzP{%sTnsa(x_*S-^~83s_M!H7AW=Nz47;Y*r$@Av_*IzCT0tbDdIF7*}TG|
z9~ufr?_54R^m@AndDiM^5l6Va{hXBL^~TmD<Win+A~nfj1}Zsi8SBfhk1N{qPO)Ww
zkXdcUCywk~WGEZaa({yA)Uq{g*aIzz4{MmNWnj9_$GzoYu?0WlMjfYDM46Kf4ecH~
zC))d(F%jOsP;Uo&1xJ3Fxg&$f*%qT?56ygyGH^Rm^$`0mh3I5HTzrQwrOk=~ru|+t
zddEH*@?Bhj<wOG_&=VOBq~fq5c#d%Foof7Oe*O3sy-)4@2hO4<6WvCqOdrl#Q-MoU
z&#G|$LvrmVCr;P1J3?*%>_u%~gq$aTaMqfv!9UX*E38K3d|SkglHz2iXNB!uGtkVC
zT-CK0`Ndq4D!p!!0Gg5L7C-lr^@yh2;UM^yrQ=fOxGr{v5$r|5nLTQ44QRo8t8Flz
z5E5>g5br0MNsyl()qIqNV~@^@0?+_{7KkRul4#Qz@rCJHk&NR1aB+5aGZN-aA}A={
z$2FtM`Ti#titvd-^%;vX0jAwEM}&Izj57SqcG4A@k~x1TNrivvM&pYH{sLC2fTZmi
z2&6KLfWhf2vz)0r9ngq_s@N9$5>Xjq)8%LIjp5qCTXk_Ym2|t*+!qQex4Yt!-<%Oi
zKftwR6qyIBg(46X*wXu>9oOQ!X-Oy{N(-3oMnk>>vd_TNRoxB_tlLeDMly3F{vI(i
zdlFYzoLqkQ^i42ONxg?e{Wkx8lm6mNe7@8rHr>L9u1cH4m9oD&U#Eg&q|+9A#ZS*X
zq`Fn96{fWcjJS>N$fWU3x8j=<RK8DKiZ;#GPJ;C64i5RY&1i}{BQ%;TbgfO_$4(EX
z9_-gKi{$6wl7Ia4=E>k5#Z!y^L?`YZwqP539N69|6pX8Fv`ZU@j2w><5`P|3*?9c2
z%3GaKrxPJac2CF+Mix^aP;S*2MOErwF)4qMqdBeyK5I_CwI6%ybvZ(Nee`jJ!N+bS
z7l|*y(8p_8$J6p+<<08F+?ixxw7{z_9!r`E*EOS=-J8%ChyOj`e#esk%#vxJ+II?Z
z()zM!)oQNcH|u)?MML<%d>YjY9&SuDymliT)}@JeOwU|iZkuVg0CDa3BQhdH2VT7^
zYDs~nw+<l<w#|YZNZW~DLe$t3?6ZeCE%ypwb4m@glbNJHLxk+2C4Hgs9km^Oir4X*
zW&tOfXYTIE%Y~=i2i?#+tzJc|UBm+Yf&1_&jdqGPjhpWHvdjK;?)i1$F-Tc~j)|n-
z!w0n9vWf=@d8atONV@-SXI$@#-flqv3KzY}Dtt5UBGZP3eT(!|+enpHf0yJzSNhTL
z<n(ie$8V1e<eUiV+cE>}%>6VGc26+)KMoVAO7!C*BQC3QMxJbyvfqt#_OFSZ=`8Z1
zFrl;utr`c-sYyEIt^c})J_5L!D3PIf%*9n(sOJd!j_dh?r#{QN&ghGulQc;SD$914
zZya}j&jp|As{@G>cBX%`&pe`9FuT6k^;0kaYT_cbE>&vZ5Dw9azqeV}6(DgweDcQT
z%&|%ehvZT7C+u;|MfOeh*PJU*&Yx(jNnJ0QL>4zi9w+f=a^Fcw=Rc0~8xBq%niF2I
z`(a$oGp2>*M!Ht~u6M;xr0lx{T(_v&?d*rL<TI+AA$}HXN_D?G_iV$Zw}#XO*S>9G
z%;uYGLTs6DOBrEAx|jm6T5PrH9kv=%zb-bp{e7E1le5Ihw8dNEXhmG%+rkTXu1pcz
zfgWa|gj63D!pBH7re?PS@_K_GteZZ0s8r!O*9p%*vinO-#yHowV#JgcUNU>#yi;5@
zZgL{BCpWfToP7oehHE4bM@{LUi|sh5t9K_?oii$c{S~$;I-lsJ_R?1~O-O0B()kR3
zd<C8Dpt5x$rP<wCE;Aj^cvj>;IsyYZO_|%2jE4DYIcj>!`nME(Yv&45tk)kJ-EVf{
zeo$XiQ~&n+_wP~>r?12r@!c#r0*w3s?d_3{qm5N@xx%kOZ|1lWLESeQ;rl<Ac9#$m
zL{db(0!UuVKW0Fv(73C>&G2Dthr$^SR_<r^D3rI|W1fU1S49FN{r~{UsM9-tYD+hu
z)BslC;Ot>Dr83*AF=OV-TlmuEcHEeO%1fK0Qhpa@fLW^;Ba{r9*6b5Tb_WNU0X|1}
zScMU++`j8-^20Iu0OEOLyhMy-({4=k@#_-5&Ny=!syr$(^>wEGp0ASp<UC9An?jg&
z?LIC&3wIx^w|G&i+*$r_H4sV!M;$2laz_S=$LeYY92NkJ;)_4;m9Eu0n-S?*0q;#j
zHa}QTd4IX(`oAad@kE;n3VDw~C`1WtSnjf{t6=pGg!shiWu*S(G{vNF@94)VIQRnT
z+okP=%a_pv>fRz9$5aO<kpgTUMmmvB*A%;w)yWnd*{`aX(5uk2Eq90U)ymb>8i_m*
zO*K{!<cM1`DrDWHog#u6a>HFEta~((o?ITK$~I9{)IZWhTDnJFTz#P3)3ZNG5VGAT
z%A>0yx4EYDQcFrG%XdL%Qx^T_ZlvHg3XwInV@{2$<KA6m!+!Zd3nXg@@~fPKJ82%2
zlTZC`BooN+$1<wA0u$+#VPyfi?hU(A^=>!6jx^!D%f7}{#uYi;IbnP)F|z$qize-n
z4b31StmLq5qq7Of@$U-Gv1{u?ed)Owt5hb=GsNq8cW}=|>o_;>VU{!a4YUs0!yWEj
zVDOpI%vJ)02X5ZcDb&U_C3)>Szs!BHM*oka2xSY15znJdF&9IAib+wS-5D+1+~K;2
zl63(an*;0kQIC4s>H!+NHR@z=RiOEz<QdPW?*&uiu-AE$Nd`&*X#Js~w(lzM9QI5a
zjSR|7aOV@<el<$8YsUaXh?HOvQ{|dwNbcu9-)3dPG44B&fs>`82^r+v^J}vHxOLFe
zYM$PVc`u(=F5%wa`+};^+W$=MSKr&&>}NWmu#3O9R2QN=vzW@n5G984)5T~t=rvWk
z(_IRUKWj*Sg(mWn1VIY*1{Bc!0IJ<E38+eFHq`+%&TcVLnm{6D{^AT|oun6${`)Yq
z&#L9^+-yMuKJ)0?TZ>k6(2st{+9i{o1(e?P4!l+RkHz~c*!qtx;g56RN%6Fb{IsD?
zKL+`G^USPYD?Y>_XKi7a#M#x(({|z~%b0q&l2?f`dNdY+bN6~$IOpi(H1pxT3*I<>
zuv%2YE;c9B$DF~-yvG33lc{Za6)3~KhfVlVUs-(6c>AcbT6vaPgI~teB+iEX3?ctY
z@35-sN?Z1sLz<a0W0uK-mZxE2l-miq1{CnQX%FG}`Q*!>7dghM*>uCQ*d&v#l4D=^
zR{+MeQM3!yJ+%GB(6bjynW8e3s^}dtHRku~LZ#coLRX&QyQK_U9eg$3xdK67=g4BD
za+7@sIu2%PEo=2j^HY91_4<I*zJH>B`?mv5ihr;8d9(<A1WS`HILs1^QV()E+1WO%
zFc-Wv_%cFywjA;6m*>mt+XiA6fX(c%80vSAv+(F2Zah5aY|h-gJsuwL46c#Gqb8&D
zS-Zvk>W`YG8{e(p07xmsd;(jIJ&dV!@2L_*-<_;%C+jkz$>s>Ol>1ZcojjPO6L_Wb
zGLrrXJ<RtYG-Lat&JH5aH2;u`w!Cx*aBDn4k>Wg8<I{nM_2M=0^Q;H`+10;1lNOB|
zys|%^i63fP{Eocf)5C+6{N?fD-!iA4#|@bN)_{dJtipF>b|8O(X#KS)WFyn0U9vz7
zVZ9G8tFJSsMH18g<G6H%%ITqlw)ZL2Zxsa&k$)9QuHi*{8voG7>&<4Kzi;)L!+?Fi
z11Pj&TXEl9=E2C;j#5!uj=ad@dXq{i@7-^m99$CB3f}^rnMh{-lV98kL)$M7GvwXh
z0l6ofj4tG{Uf@+(+-iJtQ*rwb568rlYdTPTVH&MjzhhWI<xN({!*7+JeiOkn+!X&F
zK)78+v_l)#0ow<o1l>pE_(#35#iUjWtm$&?c0<h1s%e{DUprn!-mZ586yDv>G2qNk
z&)cN2*c6XjP605H;+-ITg%jA%3QV>D1!0Gg(3r_J*Jk~V{5CLkrxzTXdp<;g^@3sP
zUS<R=&%}hOPVKQQo)WlC-K3^%@~_}B{x5ABrO1~Zj*wEL`|ncTM`&45u$%X2^hHWS
zt;{?1oj7sccJgy4loOHwJ<FKs^wSrgRI~r|5A$-Y>t`q5kHWW4eCR*>cSBwsJL4F<
z6G=D>ksRH#P}Gk#3eriiTxK*+|AVF$Go4J-C)RPVNB-!CEh0pEwA0F6i`GfbMFF3G
z#p;=ILJBj@wY_7n#JE~L@N{_{j0+=-FCG^jqP7E1Dr%S_6Qe6rysnRlLJK1>bqb_8
zyUcONo|TTy?7Lqp->^o~9$KfoAGi%rnCZL>UP>6#oISz~d=>>1J10SkXxW^h0$Q)$
zS;BbiQ&uh`b=ky90_1ihKIZh1-QU1q;}n4XKCIOjWLbm?y#@)3Gi=4=<g?2>CHG!u
zMF@3F`>%91{KqlO*1KsLf0+JvJmjB&`mVQ!d}Y1gmm(~ly_h~Lq_(rhH(yqxpOoL`
z#Rvo9oZCe}2&YG6%?Q@hGPKSQv<Mll%(LE9_u;9FZ<&X!VDc{_7akGB)y>lp>$&~=
ztBNY$ksrs}iMn@yT^Tp+FQ6ruK}pz5D9!Yau&kRIF8-85k*?(RbSrxYl1T4(-WZOY
zqPI7*301s`60q7?{`jN!nsVmkMm<(L9Jqj_>sNQGtrF$^*V@?}zyISXEZ*NJ{yh!F
zLpKk}JEYi!?dk;#pW+VP;!Ab1dTJ-IS;~|ZuyYUZ_3OV}lF)dru;g4tVd<_N`vl6Y
zOPm0VSr~RuzP2kYL)!SOb=$VnUufrS9+IY8EU!5`=C9Rhe8HEWTMw;_eJ_brIBGZb
z!I3?id!g+FOPetryu{e+%M^dNj{sRx6Qgzg7vNQ#=IV#PdPg=rA5Pm9b-x-~8frUj
z+0vMC#_i!mH3jhA$S|CMx8mwyjx^1^yNVxuzomitJBDOg0wcNNT2rEtPo8U3Pm}Il
zF_H<-H2HY^p@>c_Ptv=TI*V<#hYHdn-n(#?U{mYyEqzDH`~WgJAJ#Uto!L4<C-~@}
zVf2vOqjHpKHem(ppqD`UQjkC{?hZY`g~_+uk$yTW<8Irt4<gqAShwVb+kh`ioca(P
zjp5Vh2jnjTx;mw3he=-?1d@Q#zx<OWJuXfCcA(=FoSi59dF))o8e;F2rwya?w=7h7
z@Sl7oRWnro8mbux-KhkuOEkF+@}{;S0p^9Ei^}!xLbh(d&~O9c2}>%U3Af8rqFp`=
zR`0#PenQI|tF@W}37+_*{|Ba5Ri^fMN6C2SbsHPGyHV6K+)`4N2rTQNGq%0rc-ubl
zw_K<Zn6`Mgc-Y?%<?(&g=lFc#7-twwAzEHG<%)gL**tpcE8}NJD#iQe>vQ8<c$pfE
zT!)Dk7k4tFkg*X&Wh421k?cdsihLg2XTN`FiYi1cJ`7zpxvjinENWS9(%I{gH9Jo&
zE5)pVEz%}tTrLezeO7UdF<;Pr%2d#5RpVb^KFb}7c>#{<2X4{w9ujx&5S$YEhAqZ0
zHEH3bXpZ4Es?#l<wBfODYwdsbh|bImeBc`BRi3NSbxl`apRb*N7ov~a=>VN&`2^8I
z=4}#tNRFBz@+0&2tE<0!scWpB=Oekzz?Af-_=+!vjOo5N$pELt)<}IUpPS`_vQG^m
z52ZE;6+6$0imE31F$;2v?W_!WWKg-2xan$+`bdjeg$F4ls~naYk@xvq9VweY7&X(#
zmcRD3`df@ie5Qu&*^Y}9+;_QPQ$$cTvIEHv+VW=_9-&oHfYFl+W6(_Sxg8^jEz?fB
zUW3{Hw1!b0xQ|(7gTH=0WHmA~!>NW&<IuTeCSk1VRa%nQCW)DK$8o;vKaLpEsottn
z*eG39%wbWXiNF7|da?WOSKyEggu7FXTz$WqinLc){gu=!xk8M@#d#sL+hHxTjSq$F
zb-)r^1-n872sEYAvKMp>P3__$z1g1b3y{3lx0KTh2K66){gXCyi<6g&;DWNx=(#9m
zFnM0k$DAG4RUwS@o}2ytuc|Ai6m*SB!z7|6E~ttb8(8;~Z+Dax@3@c5Q~g+D>aR!R
zs+zq1<LECK`UhcOKG6RECJ*8N-^oPzIt3DUW3HES<i}h;rrFcJ3s^tuV=;%9Q@PA3
z^Z$-vW_sG$38oP#b<%g7rijY_IEMb?fS&q~<BkIv-o$YIkK>9^`v#B_v?^~u_#}Gd
zk^6`I@M#yA(Bt>9@!x|_8Vl(!o%Pi)k`=jO<6UsoP-Tv&8{&IHaafRHOZ(lMBYlWf
zS3ZeKzCWU-bBm=a(0ZbRS8r&!T(2)hBJ)X?G@?M#Fv~jO*w>Tvo^c?HQ(P3@c8XS?
z(4qq;`%>FOcRaTe5`z({9u7_RT7u^E)C?Db0zZpzW9aW4nU#*n+ljqI`nOhE_xw3s
zC^FAOOeE~iiJg5P1r^-Lhaz9dBJ(qrVWuhWSB~~R{4_;LD4@ji-ezDZT<4Jj57tUH
z>h-S*9Gq)@FEJ;oKSygD)1PoESFG{$wc7qT>pcF{z*N(6Qg6&;&({JvSp0XLFoA9<
zqc~}mG&Y0FQXq~^_9YmNW~mW89&?+a+M_Y2MGZ;DO?xuMs@=KvMcV$R%bjv$pOZJO
zMFSX1B;ZRn8BwSYPBf~G=;fLZ8jL=wggL=q<ZSL~;lIfiX%2j?AIrU^ml9mx<BEa6
z8R2}E_E{(REN_eJv8QwS1sAHqbgd~+sclcS8Fh`c)#l8V<y5OnZ?+u_4Lbe+;>EKq
znx$y<!z{FjJH^Rn<ME`z%i=8Swx-5_>ECX9(mKDAzubIMkYB>_ghM{=uv`=U^boHr
zvk=8<#AD9nqliw>)ReDbgI~fUpSjK}AAS*c@ZTE7&3QmiuoM@}#V|4uMrw)4=iXJ~
zw|e|D=iOJJpY<jn0p}&#p~vOQ^EMH<He;puQt$bJJx`U*&pCbRwigN<ieS*R6ohLt
zLRPK0*}LRFj(~noUl7%N3vS1VB!l=-i#AQ;!ra2^ZcO9a9GI{Um%66G%ZnO155GpQ
z)cw#Dx}&uyejgPHU`l^fDJ$YPhMXxR=_DO_!)W*BCn^&6<ohnUt#US12ENy-6sL!b
zAkdnHLs+{`QC#Y~3y>M2@RnV{?SZmWpE=I%o6^7Ffy?oe$cVju6U@J<-L`dlA`Gkj
z`mu-3p#S>pY)j>Ax<MWgcLAgyI-qYe3KqfQu!9|9uGlOIHmBJzil~fhI{u2`H*Vm0
zU+}07Su$S8&+kQ&_q{hlUrAb+i1xbH;jXG^5S}k^G8O=FWg^2^PU=JB^fRJ8*a$q?
z-NR_eNB4G#KK!4?-19dlT`v9N3_R5_&&`;jV;E$bgjoaid}9^Lz0X-u|LPd)UeUU+
z|MX@-!`n;CW+m9h2=W7S0gNwSb818Xr3xS|4*gu8FJ#;SNe3PHcRN8W8>#ykco<un
zXRx^QI3k;os3M^xDQBqi>IS^`ch6W?FHRq3!RPvVvHX*@vcGFkzn-tR<79GRl>ncY
z%5w3##d^y&p#QEKm}*MRe6_>(%gXG2V0t3P11CWgyY^#W@6<h-U?S@dg-eI&Hf2sd
zApMKQQuU`K>mPL<HMA=$fgP(xrb5mE>|(P;!&us1@>W&UzN)`y%cu#$3m(9o?2mQq
zUeUr~6J?%PH`RPO9vAm^;GTGTiwRQ#l?)ujd}#4Skwi|$PLGW@gV%!Eiz`MM_3omA
z9*u5q-FYf)b1*6r1qr%(5?#(QP;o|LHFp|APKc-0lOv~JL(edhJEKdXjvlswey!yg
zk9Fx4o5Q7=U!3KiH<|amRDFM+y4D(_QbAL{3JTXMYBwQq1(m8_5BffuR!2x3oj(!N
zJJGES7qgp&!F=N&Q)yFH2uPMeQ6-=S?*>I_fX<;+rEw)QKwNBfQ|}|wkt%g~lHI~H
zPUE7KL@VB7jr_ZbEM6kTFN@aH1p;mg8%AH*|G>7s5F-7fu8|A58IJm$d3_;4rFzZi
z<@I*?qinZLHuZ9F(&F`bQyTbZ0okpU3Z<LWQvXI*U}}A1A@L3{1Z#DLlniwo5}FlJ
z`P6q!?7ZQtS9kb_qvNfk=uHkcQt^R0eYmY)HNV!%rrIjr$a08~p>~kE-<bJ&W^L=J
z#nA4oj!tXfQ^qm&SuhzCl_?kj#4Vm--L0k~qY1`%z$z4so$18R%p0#rg-&gq^gj35
z=(iDXXX~3i6rxFA^00M3Sd#)y(3L3wQo}*9gxts=afq;aeE!T#*W|{nRQHC)2<d^k
z<9AwC<a%7>IBkcawVL6&Pni!wx}ay<#HLa5b|Yxe`6779y0h#!@}+*C6s|abO46Z+
zt2<p$74H!v9ih%qE%QcXb$Gg-d@8Et7}Ff>M>~(h1}7WQ(yEJRU;GtATLstLdU;V+
z#H0E-@$C(=$-0VG#j8JF*7-@vwr!Of%o}i{v5bCrc?@B@aai?KY%egD%)<ZE%2mXn
zCcI4#1r>EniW`e2)cFV5Q}g)qk(BxAM<z7ADwg6ZnwxUEg7Aovc+^8c8?l|mJ0zG=
z6I_g1nYrp~V@L6+e|4+M;xG^6!OhM7mWc^pntI8)Q=%EG{&+-f72m8}2bLP^k^GQ%
zyR!|W{N&07p-@D5V<aa~Ckv10y3kY?PF64Eo&r`DGO@~prTPy@g`L-faI<^-<5npt
zvra^5O7*9g@qH4Ke*V46ry0$QZPip;hkB|r0hq-x4A34;IXKs{Ie^m#t09<~eQcp1
zw%y`8VZ59owR;0`!Xx7)8{hdVle6_4ouh{gZ4i?GTyTHtw%0_)OQWz3xGLE)ui7Pa
z%V5SDQZvX$6IV6kZ*W*8(nEsADXIag;5J>b5K75dVjQii3NtA&5bbs|_O!VdMAwXZ
zGw-)hXBqKpLClPP`mjvbm6lEqqPF1{0kF{YO4Hc3QkCw5{z5`FIl<(HL>;~nu!CKH
zSnhGgb?vK6IpZlc)_DX3PmBwZ99J-Jk7PlxFVaYeA2}LKGYHW;nJYB5a_rjf`jKIw
z&I<6)M~1X|z!Ku1NfhU0oN}y9Br5tN1fxH<k6}lZ^LW2fn@Sp)4z&f!1CvCqPw%x#
z^EaB-zFXPGj?Qh35#};AD*oC|l3siYsop9bD8vqYqHLzM?FTsG1mQjEL-|gM!RRal
z#$FzK1XPDiRA@0MLHk7#+e9NxYN+(od_ZUZW3fI7MKW1wf!uob!9MqeO>@`F<5h#n
zP(%r-VSh2%S%>OEc5WquNP~--(F9KJ+SL$1X~!OD+*?Evf^$X+vX*R=n(adOLUX1s
zPgUC*+FQKJV-80*Y8KTagX-o1l;()2kn7oMdaC^NfK}iwelyF=ZyV?79PO_U0R%nC
zA)`rX9cpnnSx<%8M-u%Tt!q>SYf31}N5LOw6nx2fX;C-zeg=<$JwIW6&F7ZPveVDX
z;ZEqK7H%rItBpVQK_n%-CpV$xK_*u&OA>3Bb|BIy@l2?<hO%<&rV#T@sf-*}0jQg|
zQmIwW3|u}76nXm#6P+oZu#a%t51{odks!luFnvF#8QbjgG`&!u%&1EzDqln`f*Alq
z#N9Z#TQlbbEj&F+Nv*{5X?<f`ef;wTgYcEtvEPoGcNni?VIrYDK4aEv--}=y%%4Wa
z%}mYB09<*CmCrQVgislAsSFh!Tkfpkp_ZK3G~XInZ!%8_*-=j=E!&JZ|Lv}t(dn8$
z`-eMP;~+JmRRXQ}V~cQTk6VaN3kv8i5;*sj^VTlp>f7^%XSTSBi8J>M7~wQ-V$<=Q
zOEhex3#};SATolW==}XO!guxQWB=U==>RfPkr>_>BOsr2WX+j}Cb+=elNiqvG8)+P
zJJj}GI>qRnf?DpmwW<mSb6@$}N{{<q4PK3rZS#G`Pr4#{`@`2~dWn7WCv}ag&=>|c
z4zkv3F5g+_P@z3eSy9(8*NgKqyxE|-JRbM?rHjn5OxdX(6Q*G{zJ^d)q#a#9;ULFd
zR2AU7KK7@=ae3(YctCsVY$d9)jK1t0yl(*{qRzj=z{|y>+T<JRsKa4sUy3-_w1;`&
zFI4g9<izWb+dQnsqYCL~d{vBOzK-5ON<NAB7iA;yUDuN72q;l7o+YfS2<i;wWC3}c
znmw^Px>ZCy=nqzL?zuSMCz-x_U+0Wd;x&CoUcuw>%G2^jjA*7BL%NR~Qb65#IH`bl
zvY?29dTg{Sb26=a-qqs!)z&08P|0#%2fo(ro_u{=>zw`THZ{h*Ua?b$Us{xDssLqR
zyv3&gNb0#6K*m}0nYGo_x7WHi#86~MkkW5u?z&v>Fl%^zq0kMRi7&WYQ6yRUZ%fn{
zE3f2ivspaqpyRw%FXnnHn&PprEG28`@vzBqTJFP&*(|!>aElNE2i5#D1_qCSSaY75
zz#dX{hHHa*mAO~{-XI2)d9<CKP#e^P5VKsP{&|~7{pfeo5!s|Xx$X7o0=Nk6%vjE6
z9iv91`<6=M%A7r>Zo&c$vs}1I>RivZ##18HrEI;<esh|Zcv$gm;B)5gFys1(-1v|i
z>_Oqace={d;hxONYRZ;|YSa!s>e{H}MZ*=5w9G#$3rAHsQdRWnH(>K3=&OKNTLW{B
zeFYYBY_bA<hdSKN9l{ovsCvEBGLCy*9|Vh2A^IrR3<x;UA~Wt>zsL7gy~uPd-XZ49
z4riNfzV~vvQX0B?0_`-f@}ntroycQ3W|d6$B2cz`za2<sO>S$p9!|LD{~QM)!CWXP
zQD3)-rWuKblFi}d$u#v=TjD{SMq-J{GvZQX=;wws(sQ?SxeC)ZcQ48IB3ZW%@oLa0
z=mnO}XA^RwFv<@kY!5C$!L24X7b2#dBlwLlidOD90=vI%K|ba^YrG<sx(LFb+T5XW
z(zEak0%dQ3xx?ilT>l2r86rac!!CF}_4oUjNVI!)UXGbvXK?hTy^jl8h>WAHkNQBT
zbWJKke&inU9Sqj|Hp&u&l^IkF)1%Ti5$eDfLnG}MGu!yzF&Cj*mq+f_$r5CNU^#~w
ztajNB?jOIF8g5`|%m#M-pjUnHS96TVQ15rM%rmq04pW)a&{Pw9C(!GvBZq}8!CaAB
zf>f;8#1lsIXVMVmM40(FUeuzCixbj_5(C%F_t3+9CFQECJKrg7$N4xPLe<zmf1oyc
z#Rc_+`pNU*Au2S1tOap?gUUG%fu@MqbAs;=lTa}o^@23h=Uj4e#!>n<ox1J?qDs)`
zf7ntQn^_|knx6dxSN}2Vi5G|GM$MnPP3$0&5bg4kv$@bAu~HhA9{q)(Md3dG!g4j_
z3c!V7*-LH|t&&t`Vlzfhv-*ov9EZ;F<jXpyr<y1njnF+`-r=m2+$SbjKkhd2Cz1P?
zv6J-JALAsQa$6g@fjLME;wyR4-|#rU+i~GtD9NY8?|+*ovd*jz(2~dMTC2w%wvE3a
zZRMm>lsRYLH^{zHMobuLo_e7)qfn;Nls#C@<VVT(LAlu{9M;+|s4If4CJI^_f|R$+
zmfFX0FNOAyCuX}{o==_rq*M9|Z1hT#m)okg`!V(rVr<QI02ibPL98xSRH0Z(E>XBY
zZ4iA!{75-07%6%vwX~4w9bDh59HWit6c5+GMvK64Ege83UjHM=mu&Gk`zJ^$bskeG
zeR=-K6TO~*-$cxe&mBhWB8C&DNX`{r6$sJAXYLV&>u|2e1p?O%ga;^U_L&rc-Tqff
zS7W_PC3M{}bRty%M+4KXfiAK2<k%Kz5>QPHiilv;ukEcQ2|RZCZfz?Wns(*<N`trv
z>jVHgVP9nrYswZ^kFf+1!6)10esyt0W)%`@76iU!yx#&Iy3)nW?}P_;%VkdZikZp3
z`1NU=z+SfuL<D<&te&{ZQ+mRPJW97^T0;HhlXvp{P1LrXF`ai<itfdlQQQ%%m-FXc
z#xb>$w2s<(VFmAhIhMf@UZ^L$Av?nm7lCd6%@crUA)D!dVs^FHi%058V9|QC$s%$y
zkn!aYc7aKUWqTN7>+N=~Cc&4UNAv&W|3L9s;hwEK<E+8`2E;2uS49E|<QL4Mu5|uL
zj6aEersh%{z<%1qbA~-b4->E*VBUhN9a3}E1JnD&BlYE};4K+IF)A3&k}qK_ngjHP
z5|q#5u?l6}m2rs}uX7(9jp&VeF}KAyD$nIrU%7Hwc-i{q#idV0QhXDn_^cLJ-vP>O
zffD4!*0=4M$eSzUxVZAWw%)PML(N8y5A%P=LFHFsVuGCMv%QYkMiktpVd^!f&LB>O
zY0%IV{XD6cmIseDl=%3IDEUD^^n9P|zH~!7$%vjx1^VaOg;tO=O|h-k>uIUSBuN)u
zY%kK^J$23oG%Gttl(=;Jo5`g|PS^+nJl_9yZA;UbG9D6Jl4hcS6c%W}Khui;reebL
z^v9+j^e+7OJVQ35R6m-^B;%IrvH~g`9attmq!M~Z@*%Nxf?7Oz8H;hMuTRX{%A_63
z+`l<dWWn=lbnl&CThgaz`vA3sK+r?GU3>hB-|NEUL#&p3Wp$XxhDEtG7Qua+Va<F5
z)YCkyr<DxkLn^R>5urF81IOB=n@-|zb1N&~ojPSAH<KMD!@O1axK`w!@EwmEqyFCV
zbq}Dq+@)foS_Bs{$2`Oo63F`^@t*P$i1Lq*b$TNvSKMO23Oi?BRo~=@^E?3`{-Yd`
z%hx7@He!U*RLw?)iS0b~Zxh3HuRg8#MRIZyNxZo&y#9N06ns?qqosuPhwuCu9b|Ae
zTJ<n1<jT6ZsQxL&+dV)Oeev~AmZ<J7D%X;R=|*n#OEn~0q)DgE{c!$uyBc4ikLm{R
z9a$=So}i8TWR|TqHV?tN3t4!9k<oVyy_@4d)%h<cCP(!>TgWe!HJcl0AfT|Edr~4e
zSIIV!l0E1C`SB&7`22`+25@Q)tyqAL3`O~O1mb#ADduj98q*4R|F=llC26zppm&$%
z49dQ(ew>Rkev}Mc811ylNajlb6?y;$R)nG+ZGvsom4YC;j)~d@-?{|&Q~pgA^T31;
za?M9;)GW}Q%(_l_Qb-r*G+=pm@0hz)OOwt%%<=-Db`FyW-r*Re_9$f$t>UKfL{nME
z;*$T-GWL(0(=`7`j0ZHbomW?rY_=m}_kv_o^m(1+nH>Z}V$S(X3q8xZ>aTXA;o@!n
z&=if!7tV7%2&q|px?%k(*()~5azg77y1!i0RU;LLYOW8~^21$zP8};*8T)NxnNW7K
zEV(YexzlN9Xl&L~c}7>g+!5Y%B71o<BRC((U8yl~LH!`~6!3iWe41n&dp^>o=7866
zr*}S{B+~&tC0&gRZo&|p46r}#enQlHR!aS4yKR2->hC8Qo-{4#R2caDVdVels|0|^
z2N?IN(Dz0G^aS_0HR^`LZ(=SlgpnXBZ9h8Cv{5s;md5vi8m-iC|Grsn=i#L{-g*j;
zv6q}hDcPx{*d!|$-2c*S5soyy8JJr3I6?SP(T<4$!MC|C-NEy(gWnGV88ahjIF2@`
zd;t)|!dYGmJG`sffgZar(n-(OHK)=PC^vn8eARULtNeS_X&NxT#0-urxtxb7`bujc
zJhZP}ctcEbLSNm{BP~b00f^gmKM@(Dmd$BiQ)kC2*}fKWt7773I!xg2Z^`f{Cy)F=
zM&=v^*a{%h94JQr3bn0h!AY42FinY>&Kaf7Bu5XyQLwI$xo-X_Y{59iFe+@wT_!;8
zvyvak1^E90|8|YhbeMre07vlwwfATe{~yPEpE5~Ndbg!f-%!UN0g`_jp>?!{rR&A-
zrG~X7KP>qZJ8S(mY;M3ar`)V6WZ?S<ZQ~xV(^vx4TCnF-fYG$coY`#6BTqS6t;fZ=
zDZ1Rh$VJVqr;9ts*)#f_)PxM+B<pjCjI6@9I@oV+J^#^8LH{_+9c&0)X*G(Mn47j2
z7C<a6p}qG1pg>zP3t#~l2A@b2kJcBaw(i6$qHiL~VA_@GPXk~GbhT5VflTa{6_Ilb
zb=wv8n7n(Wv(G{&+uKwn$z)@os=yrKJ~@}wTG^`mU0qCwDSHdQa5(FfLRlU;%vw#I
z#g!rSjp#9l1-@00?F8|T(p)3j5)UJZ=#YRsJ+1p_cHZf9-mXjP)odK+RfV~i$pMz}
z-=140JI7)}W<q!{fc2E-Rtl>^1+(PKHNr|))6-~!WyF%5`w1g1^+|TiNslC*q3IIx
zXZW^{-TFpzf5Wn*3DQd#>Wksj$-KffZGrTP;wr8`6L}4zOARqnF`9P8ADp5MSEN4}
zYF%qdq_}TdE+WNIk0{lN;1@_NqX@nje|FlpZfwS}uKw-x1DKB|+qEL;WvXSrjnUb@
z7sT^2y4G6b%jVc`lZoJv%%+jLf38~gG9izXM)m?G%3Nf%Q%juv{Y=W8fBH+#4LKLO
zh$<u}gKcp8nq9f1XJZu2Zk?Ue9ze5a8_KeGeU_OI3)}^a$O_YS0n~n&m#$J7!$$0h
zucYhkE4ijX?U<#1{>1^N$E3wvlL(3p;h);v@B0#FO~b~wldsskHQ|{%ZA2%mJ*bht
zXnAUIO4qhs3_jj9P*`GU9ioVA-_!9-Zda_zpWKpH3lu__jup>(9=sSMr2UOkZ{2!9
zn%wXqq8~AXP;jE4!vuu^tcKFVbX5Uc*>kwFa&285LfovumS^Cy+J^77`<ntLSL>71
zwFc3+x~cefM5{OvdWkT61O~W%hvQl-$%iU4_KkHT2n4#g_M_Itiob#vh`T8q1=`Jm
zA_BKBSA{Y(>DQD0=N3^u%4jB6_3T6mpD(C@I^M&Ohoe=dSEuN<{@gcAHl-%Ej(f{|
zv@tMtf_g4|vkTpZo^Lz5k;8w811QJu)-dkW$yPE>@WH4%^FHFY$;*1PYlvS?e*Zq~
zE*#4_(^&=NEWchg7&g&!N^T1IZjO7FWa=RclP_NUHd`35fAi9Ms-ychR<bT+z1h5&
zlKdBeTWTaQ9HL7xOgKYJpBn}06@IBrZ_&S^a*sSK4z8Ik^GJSgpJz9lDseO1M`B=2
z`1mu&bG+j({?1d|Ld4evw0}pU5evns>|rl=uM&*=I!`EJg3>%z>G*`UcTY<q_2p$8
zdW<?xcVm2@hAsTvWL7yaTz!$eEP3tlIs!SbWJYRe2)FjyuP(Kac{Ar`bw>b?y}!~Q
z_5HM58o0Zb1!|pA(idXX%pC~5g`m*THE`K4nE}pZdi9G>X;*>^lge{0ZB~+eos1sM
z^vwJVfY{)nZcE!FV7TNxtMRv!B0rqIAzS68(dd-D7~nKLjeTA4dVhKr@*N0*5W6z2
z4xX-|{V|6?CJV<}z?Jp}UZwNklG%S3)_MCb3c0$c((}vWs&5@_;sVh-Ya%J`k!Ved
z@(I*NCx-fQP_ZqvWaGv(r@75@u<F23&J4G=hKWk0K79ALT(8`karR}3GJF7qC?H=2
zv@<AE%uzUSF&YfbHJ7iF>Tv!=PHSE8=F;LiLxFmq!B+HyVv}N+3)fHwQk4qc9HD7C
z)8;!4A3dhpc1QUtpW1j2Wi;E+jJgxI>^xnW3P1#-pL~#dL+m$XOLgb9NCUf=blD*z
z9%wq3xdBTpr81X<cMn!Z+4s-(l0d<lo-#32W?UAxP^N#=r;}`e0OtWxQ{YQ{$Sxsw
zR2aEcOXl2}-s_p?S*f4ge4TsT32L`qr+LA!>7AxP(xtg8u~+YY_e&9BKfUHIL_uB(
znVbZ?PbVtFi+~<ROp$i)1#P1#BD&DPm5vjbw7BrAwddQzGeTi<J(nvtEn`Y8n_3Eh
z<0pgC8bmK^8{2%{olaIx_>-;K(<a#f|LAuo=t-RL%vS|TFK?Q?>V+bsw12vxX0%xP
z^GP)T|I^LZfpP-E32Y<_Ui7o$2Sd5<5z3Eg)`UNw+m^_@+bc`{AURO~@mpM+2FG%l
zdsJ`Gb$rEk{(exea;C}k!P%6})Tu5!Ji~ak3V^m{8-h3qn}008)`gYhS|NO+DTUep
zg!SVX_h|0-8Ozi~Gn#Frr)1-(FDmYX(6tvu@u@Mo-V)wP66F%IODZ3nq+YexVu%P4
zvQg)uve6H;Y6VKaTW!k7WWx6dCJ3%j(~=ZW8yg!cQCoZSn!C8BGqI`4Qxm3zoFW{|
zeEst!sa)=YFK);+$a(5t;Z%VMuuFWf3Q%d@{NMcOZpU1&e53j&@!#n+(4YPJgKG{X
zDu$H^$QJ3`fbeD{?N99gZ|+n+<TREEVVxQQrq=&)Og96TYwkbHc++7+nrrmfj`Y})
z@peIchPR8m(ZgT9azs)?F6k8Ae*^>LerJVJb!?hY*q?0v(h7+^BayH!tFWEd6jiRR
z9oHhqJ(yke=E{4cIuw?DTNMa%!R%jk4EFi=54-13)tFch7=lEgJ2m>jG%$-7OAL`r
z?$Lg!ufhl|KymhI$7N!p(EQlh>AnJw+6UH^p&xLW^wZlyJ_>$+Z%PQhf1}$sTTK(8
zivU$XJX?B*60h7nr$*I1s7pK*N!S2!&CZZ!P?6x!k3{6nq%%_Q^84i!CX?={6jmG$
zJ8Me<!U_vh0)YW_eZGTKjf2#)#_XB(|2TB87)asFEI!L$-@6GYwA~o`Qww0CGRLa^
zby|J+OE%AjyE9NVW6hpQZMAl4-m(=GsOg}UG`&A@^R;#VEy+J^R}SCj0mojDBh@`o
zH()V0N+7f4$1DW84llNwU#;!hkmPmf$4-;VOfHus$!j;B3oBa&f3XBRp=a5F@TGkR
z-0S<j1Cva-!7(R2^*}`FVhGn^tXeQ|N+(9OJf$Q8E<D-^dbDQ5VjE3<+VG{?bQElB
zA*Po!$+u_s|FHI+;cWil-@k6vDpgz2nzgG|Yjzk-HPqg;cBGN26)S10R;;3EDQeG9
zBT{14Dyk}01wpLZ2}O|T|N8!({r<;sKe&(MevpUB;kaDad410Fe7|3Bsi2GQmdt1;
zuZXKo5vbYpV?oMBdPlSN8d<F?-uD3wTxPS1yh2d$*AS~AbXDp;xz!F4aM0)RI@<to
z(|ary(|G?M(_<4|hm7PE_hvJgj`?KZ=E5Pqm~%LG&3_vr(aaCBt1)y<%s@&5Vqy6v
z9xB{`x)&Zq9*hnSe1jBoGA>^waS!iau=Z;&`B5gct*W~5g7^CymkW=_mh5ZqPjm&&
z)S=dW=TOA(xt_Ol1v2Y{&VXQ4`0jv)Q%#Ct3wLe5R?H7WQP}l-old56x1}v!iH_aK
z(_Vd~b=7t^v18vxd_t`L;miHX8AmuhlYDfz9~e^4)kpWHDFTZaBF~(A_3R9%ZLfdc
znhEogb&;ogOzPOf#RR?U$qyHF{a(DRK!;da=t=3RxZmzA_Co;E(SJ<8w~T>mYe@}^
z34J!N5OXXZ3xZwhKI#HH&rDbvO%|b<pKri&SryMOJ)+iCis~uU!76=$eve{=x<HfP
z>fpYG!1ZK|zoxU5u$pxsSw<>1#D<h@hGHjErJkqziZ?hvGt7)Jy~Q5!!zcCd61v45
zxWEU+ehf2MaU%>{{yf{l+i4AI2jq!EZJsBdpf1y|40g1rj5XQTAK#*d&jHw@drdsY
z(v-B6AP9F#)sJ?|fPfGW{40AA>Bsdr_KH_m<A1JC&TzE4I7oK2Xb#gY=1`o7+BsB=
ztlzV_@fJ$eZ*#|$zDaU@nn1tZ2bRvsIPdC;nC5R^Ev3WWpa)ZJ^!)xY$=DGFx+iV0
zwVsvklklp8qM34t>OM@e(Ev@$++(LWHXn%_Q=G@vI&Br+`ZJv^R7oY*=a+AOGWOkz
zSpr>*_dB95iTcLapKO>1n$bVX)9L~m2p1d{7x#eEq;fQ#sqKk6kaWeR!ezQ&g~T5_
zQKnm5C*cY!42F|~LUqUSPn{FWsEP2|?$}v}lgp+}1V6=_Z(#RzljrCY3m<W}M5H<%
zwmmao^4CnGD=>2Y!r!)DKE8&?2RDu^jcAK`z3^)M6bNV!PJbcldF8Q}6q@(2B=c5J
zfxh#eYRrpW8yFiqaL^f0_!=h1K-p%?kez<#b;IL?u2HMrHU&{n&9xNHpEytD!bKH+
z3DJ6K{X{>dmusVNFjeh6w~}~6%twotpeF`36Snd>Zmdl(83PtsFW02PmrQL_KMWOj
zWkFgXiNd_-6(I}UE=@kx?U#7@QV5{l84e5nq|h}8?8A$DjsT>p5U@Q`h_CefLzDqw
z8E3~$lSg^q^b3FmxK6)%$a@-1WdQI8Hj3nZngc*i3~;>k<x4FsF-&D+aWOs%6Mvk+
zZ@q-R0Gf^Azah62c}FB})52}}g_zZ_xp_$;u9!4TCj?G~4iFjqsDRiVO@p@9FUL7~
zp{~E0fM->Zc0>-0(Uf%2&Y3%CGL*=<8Z2Ue!!8P~Az)|`<fdl<k>F6}d|GJ~G!yAW
zdAxOzt~C@YK6kVw5PFvy_`2zQa7J4AoR&LS?MVLH(jESXVlFTb)~=r9A2!@%h`H*R
z^pCQR6&C4XNKqp)(EGTwet24yC_z-2K^fYT(g>5vp&MjiYbq%eTLEolmjJ4Gr%p`v
zsi9+OqkW{*ufG@KHP+R$I+K_^vTT=rhQtO*#7Q^cGBh_%KWo4M+yxd&OJ>NN-QbBe
zk_^qHl%{jf_=1fi!r2fc1QTcWTwhK&Cap?YT!mY??pXZSDr!XTvq+np+L!llf(n{B
zVB$64!hBD-Rp2tMZgLkULE0!Fl?n;_A2A_>blx2EQIP5WWG$Ap_QNW=7{77M^DR?w
z0IS7EV#t1mYm#IJO7+=|47CKkkME17bKQTnK4SwkT;HzDPfK=L0YLSLFsiy3j;e~S
z8e|?(;dL?na=&Qoh6pZ!9TfjG;b!FzI$kNqEAJC_$#?@!3nPlv{Yn0F9_ulAeBoeq
za=aWKfSCD~_?yt*CVctt3^yXGM@W<Qu?m3#!z3T%bSYWa{CNR-tr#IE2OBC%wcuL*
z0Fp8%UOoF_YAXt`>SP{s{t_qnwbC9n`G){eM~C0X{RWw)rfqOh>y?)J8P`}QFZ5nR
zyYHBi?9wA_%od2z<$qPU><2#@0&7H#nX$u}khKQQvY#>@$CgK!!utBmGeI8R@CksT
zj_VAQ?9Q-4(;a}z+MNN8YkV@+bbHJlis$3iupQ)D#11qi#c;WrI+NlqjXn7(F!HAa
z3!oD*7+TTrW~SY(M!Ul;nsUZEAtYN^XZ^%%1WhuJrrx*Jnc=n^g-s#@X)pJJtEwbw
z9I_oi%SnRb*)C#v_heyLD&iuwKA5<4w0@}yAMS9}tfBfZHB)7t&@w%hXE?k_Vrgvk
zGZT5Y^t|2>WDuCSIE|W$%RNy6DdN3eduXX<Z~WH2`1X)^v2I!~E2t<VxUxAA9<~oV
ztl#&DrOPnT6`|*-r*x@m(V_m-Q)Kt@IlFViP1+>s>~7s(^Zw^$ljJZ!I%<$8OT6as
z^TK;4+5)G;|6Be`03#6P^L|+h#~f9Hj&ya(agEBfQk$BZC2a0UCN-%j`egmL?S~>C
zn?`VHi*uId2da6}3|2iWr6tqV)}Q;kEv1{;_>{g1a{WK1*U(@)Ll{g|bN>k=v(CX~
z@6#|+#>olFld%-@c>riUyCEX#0hw2K#A>H>vmL2El4;RD?c>p$H+m&{dIl%{G3hh%
znzV9P8mGsKq35FL4~l4M(-p3|feqCShS4Vd`QdziCtjV1{>f*oGHqfe9GEuaHXWqx
z4Fzr-+r#*^5JsWLinmk$gA3%Sjy0WFCsxe|a}JLTOMv$S2L#9OFp~D8T-nF?ivHq-
zvnSqEUrQCeJ^Qz!S!dQb>KW|}ltMTh#a6LA_}nwsi`j~HZ?3gI(_q6AA@K2>`2Fpd
zirpIg()MPiV2F&<&vESW{(j=eVm`U~kRZo#diqq5TAR~^BkENRWUrbIrhOzQvi(Wx
z9tI7m^q2F=`Te0{&t<Y!SXl{(9`J0K4ZM!L<8LKYtH)JPK&o;YTsmx3)pbsbJ^Z_|
zt&IXy?SNzdD~<I?5AmS$Frb{$+D3FNC3mI+Ffl^Yo#K0#F4_2oP0<EVzPDX58sEi|
zK?7j20!<SB<{H&1LS>7I<TZ14ckmo!TwNu8<_*km?IEd~Y^-hvk@J@Gz`8<OLvqA!
zrpWTTE|W@1ZDr(i<}&D+j`5g}ru!{&sDgh?$~k2XJ0Je%EU7v(m-nYWTb$aJ6D`~g
znm@|nksBx=j&9by-DrGg_<ZjJv#zsvy>+VjnY%%i{d2hWBo_*CtBXjW;kyod66p}A
zVCsI{uEG~k`Gbqn{qU=o3(IWuuIf#Xa!<NwC_SuE6gwQ{l)GYhETAW-0pYBxkC6+<
z0F=mV%-W142{(#sSOm2FC^x*q3EKWK$3{q(qdYBso*A=HT|1^}C|Ajl9|K1|gkjca
zaoDI3{lW!n-I`|)zV}6!F9GhD|0;_xrC9qqq95=?&?czi#$%dcWhf}XVr`%6U)lP^
zTHWdXmEii}9!F?Wr`UP^lsYM~oT3{=nP5-=uD6a@Ps9dJuYHB{@YIek)gLtmXd06f
z*B=zq_Q`;z2$W0PAq#ilxA?8Qo{`-s1EcRv)_OVJZ!Dy2aM#u;Rp@q0U_IS{<lw&R
zHcfU%tTdw|BZ>%3A4vG5xs}pYYEuj;d&P5U^*r1Gw?qo+6VhKy-BVUr?Cu0#si%#0
zobA;f&=b$AImXddy#71pJX>PuC~Vsv$bYAd0skW;Lc;hBPUv#-QRlXomF+66(urGT
z74_{dkz7;bg?y3Nw=?clR-C#JJ)*Z5<b<zGnax>mE~a0j*5k?jz~h0)@5xrCa^9S9
zK!kT1dwI{-MoGv#biuwMk$5d8fOzvq4h!xtdrk-Ya}L+fP>ABiFb-Qk(DMpbCloCV
zUKM5+ybIeZ0T9ElWPsoE6rOl+54elTY^*eZ|9Ke@+hwyQ8w_cJ=Z>OtN1k&ywD{f5
zxbrlF@BR%$F<STbX{NTDyDU<+dtum1X`3%mtVrHz1kblXTklfx78ioBeQ1yzW@ej4
z)F?W0|BPO3B#AlIoJq4JMN&5Kj_eB^SDgu`j+ttYHbI`b!3enj^n(Y#Yy)sP)_5K@
zZ}*Q&u%BhIuL$fXOPE|rd$rT`EH(lfiT{}7T2%$*b~IzjTWt<d2S%|rAN>)fxjPja
zG>2^-(llV5)P$9Jj+<=Vh$}fr6DYwf>cPtHz4vyQ+BQSAtI(zWHtagmj^$~uT__!n
zBY*&mEoy8(0Qz}Kb8u;pd*?YkAD0FrXf*{wukZ;5Fi*c@aOvGxf%-MKcy9#zLf1-w
zXN%?_x#j`g`$b#r*s}u0CB~Ee^Vm*pSy~EZ=38)m%-kfe8-<Y?0jTg|pf8iV(|Ih-
z)IYqwkZB|8x}zRRG^nE0?(tCkfv5!fIgdFzOvqe!E~R^-B2=*);f;t``snqiRIZxG
zWRSJfR9a&3YXUHfq|B;>sBp^h{5%fCLmmF&anP1^^_f1BWsOsODuc%rXfNV)TyM8X
zg^FV-Iq{ld^Ete7InmEG^|*_JGaN9h{cgUjKW;h``gk8}yNU)llOB8_X`AAOWEkn8
zI`eFChgAucRVvZDFqdx}G<i?wG)3?FmqzZlq(AhZ$8ntEmPwo&R9WFPeQ%yFGwIZ=
znYfh@=LOcNQut=yznNA-*_y!Z$+s{*)G1u}^Pf5cZHs#wD(acW?I=7dS9i89#4j#S
zf4if|!0$fg-j%cB`XIhD@PABC;pbL$YMtU+xIv|e4+vCGW7jdZ#9ppb_<1C>f3W^h
zwOUH`6VSIv{p$#^Z0OXD^7o$#7UhVLmdXt^lx4~Ri<I6CObR%-fIt^8NTi!G66ydb
zfE|{)_Zm3)@rT}_7T8)3$?rN{0=f2B)>tWARlDgpX+PP!h}RH3xUWZQ(<bPFsXcpU
zDf8*=I<&jXv?S_<`$JpGlkqavImR&6kOAcRdBr|?F??;#v!_4r;n+7w_vh|M?3T&g
z(R-ws=uN`G7bantOjxr45awp2u5xGtjD*DYK{7&@E0FEMPI0a7T{Jf`3OEjT@%zVj
zrIHfMrt34IWu6>1yu?uqY3wI&ObprbtY@Jth_%6p_={$B#0?BeE@|tib#55+2(yR6
z=B1RSG_~Z$nnS!`q>18$XEj73iTApjVhN*9pV#e^M)L0ZU&~K}IYj^QEof@1WgR>K
zCz`C;l%;%>(&!kon%27>B-{?9Qhd`nseOkwPd=OIgR%D_sizjC5w|@TY6++MhJU7c
zRhR46{#=5bQc8Pq=`Pd7e)#YFWA=YcJZl+=uaS~Kn7MBeEyXm&y7kxJX9W(Bst~DZ
zO)7>F@#Eb`yCpxgZd|o2r;?)fjNaogl7(<hMYHlSVMPPxm%V6cC2>5A-z6T`6Bu>B
zci7OvwcWV+8FmLpz_P=Gltgfo4#f>K1vyvLxVOJLM4BIk0l!-P<Z}hv)gXtXQ?+;>
z9MB7cXHG(pTr_AgO~I6E&=IormOui{P21gTcmw^dM^-0^&3H#HNp&vnH>9b;Rx9|7
zeE+g?%5kOdwmNK-TM`E_Z}w*n8*z){zRNlnQSC~aJaf%n;77(+Lhp{L$m9q>NIDJp
zk==)tMU5jBn25%+?orY9tOFb{3(4n>=3dp6s=2`XeuRSR5I*;N)s_nw{j-|2jkU-(
z5#$y#&g)GbuHvT((C^NMRosofZmO>6>ts4)Gg>@oWImP-h7hPG|Ck8Q>3RC^m-|gs
zgfPm-OEb$-Ve1Dxd#4yN^3Q>RF8md-r_-1t^!_+j;S|l+sEI(AA~VZYRD{Zvghf0P
zy9bAy-jZeB?tHTe%Fz0O8Vj9o0uT)>j-g=MN<rwolzD@$cu8Bz@0LW}$nMFG88^c9
zrpqyN@ot0y2xoLY(+|S!$qv`#utW3;#)@d+9{|JcZ>??=lIn+Dvg5TM-UtANrY~T<
z`wj8g22_PT-8w3+O8|BC4^oAS0~WjdD7T_mR5>lIf)AUi>nr9n)gA=(dA_9P;hOZ!
zhUbU>MK1K%c(gV%lz*#ZLlR_+7G|$w_=4PZD9J=tIsXg4CZ;4_S7fxepFVMnX4yFN
zsM<M<1>IlR2&c^$^&QsL!SEUWtq!dhpfkG3aPxZ2qrEW3CqLB0Jb1jNt7Ogg7)u^7
z*~Ns|jfux>VMFS5qaTua$!~5}>v4L$>*7BX7uq0etmJ#7wn{{8_><ZAA%V8fwJ!t4
zdEKE<6SwAkJao;&$0LY&dxH0aWQOEa-`xZuVP2s@U}j?of<f&H8-ifoz0VtM>|D)V
z=gUa@t#;Fo_P6}2!r%?$L#K6xIXTJM;%`nTdP-<9b*S**gv`=EwaOGm(W>ET*SGe#
zRBURvU_00O+wHaqM|-mTI*CnsRX|>ZM<*&0N?se>&~keG3svJ?cZ4UaHvdk1Qr&p7
zU*s*@LXGJAi{{nt+7o(qDKC9P>L+)+$6G_Td%$(Zxfy7X-t%O`UKt|k6XA%sipbdj
z9r37b*g=Y|S93VEMG+{2VQ*RZf9$iNG(NcOCO7#)QAoTtBrxXkd6R3=>!;i=oT>)a
zde6tS#pyhW?YJCnqzLig%OJFLjeD$-cSNN`!b%_g^w8HXFCz5RX+^cZTb&Cz=6SX6
z%|EX+XW|{<sAjR8WJA|@&Wz-YX&HsJrJ4U)NvBAlpbuOEu(DriAhH4vZL*tm#m>-9
zP7!PMrM~%B@`&U_#u!w<&YeS-+9T2{vCqb<5&d0V=prNb@3c(!xDenYjMIcrl{&%s
z1D|c2Xh{|9E0$*OyhYy#2-ta^dSs#Yo!azPzr5*&bXYRFET;)J=m?!zsyK$JW=<Eo
zgLQnwSvdo?M|B#MGwdW%>$UAEiF6K~xt#FOGnC?c;g-~aZ=s^&m+-};sa2oepz_vC
z&Tpgx`ez9o8{F%@bkR)By*H{>2J<>J$*3s0RS5aW(1}0vK4mLh`?_N<ii~20Sf%+u
z)JJNcI$RN*)LQ)7aEb$i`Eeb0XD%x??1Y|q!6bg?fHV&FH%?QB<qh9W#8Xxdy{5-K
zg0w6fTb46dT5Fag>zs)4J!H2`FYb)`%(;8BlTc<`<>B0Fo(t;ao0%PvPd-NxdEy(E
z>RL4D*P8)AZ>h3|lK`T;jWQLLuo-q%P#sit9WlYra|A2wD|<K5C*5-Qp!!{im&~0m
zBhBPdD6M{mGzoA1CbZCyn?FneDKv<s=guMlzQ&s{Pj%z<{2+>lJvAqR?lOxThACrI
z{0)XTwv>5c_Zgoi!5$EAk}K@0QI%T8WS&`06YETr@RyeOSrqY{5v{lk(evNwla!M`
z^+(clTppu3=%Lg}Ryu>NyV<i?XJf{qZ{2@A<%ctGNElcCr%#M>8vd{-a~H_D+&oO-
zEj)9k1|X^*Z*XVIh<<N{z+W|vcP0vjDpJ$mZYr1SaE5A*clE0r)%naotQ0?}Tmb(`
z=ySZ4d~GsZyvasd`&l2Y>iGO%9<AJwdaQjd6f~?ULp3y0FGe@XxcC(76|HVk9>A5|
zecj>Y1kcZU{*f!UWjRY+oE{9Bai-7jYui;Bc4@#unkPbkuI%ARRUQkBrK;vSO%HP5
zx?wJDvPWGZMpKIn=b@{NDLb5?->5~H+CAi62FWMX$E9=ch<U}mDtH&Y_&BTbc9-yp
z<94EP`{2Yhl8?sL<HWAXlN)bzWCAS*`7!PvTj0}d-0C3;8}g_0`OP9_mP5-w@@~p)
zzBheu78^T3It~nk4&m$T@$m8np1$FPG;C8vMGM3;$2DCK&PzLUBy4~D)9D0&?Q{I&
z#HB4d1yNOHhct?huJenfXA4GN#_BaV+;MrA+9t6m`A0E484B>5s&5_t<e!Ny1{R8)
zfF7Ymc0@rX%nmgEbjbGS_TCyi>jk(z=XBY_yC-GeD5h*%eKoOA8<f1Wx=^t-s<pLB
zfa5{UrXq?aX!L|el|-H8Un|32>}ZZ6@Rp`LnmMyF=6HU16A=GPnggSm4neOOTZ(sl
zU<r|t*a16z>~&A5-z^!jN51Br9pn<tmGE%?4%~`SaePW)L-9xhQQi*q7s^4E+oTb;
zrqxjHPMx~->398qm=(Z#bmW5NI17Uel5lurV89sTukDt<??XJ;h~#Jq#@j)?{!Us3
zp<cIo9LQ@+BLLqjx{?nmVokdfs!(dTGA;tXmYyaPL(-xYRD}MaR0Oa_y+2nBY!E2M
z!sjMwLV^n5aZQJOFCsinp~<HJ5&3iJw^xQlevopFeUSL9CqIwP;@d7|(|mo}(;uhU
zg7Y$iry(sw+wJ85z&VNC6_M^6bO6e~=Qea^dU(J)$e_b`LKs8~gwJ1SXadc%vD0dM
zAe^>?=&CJ|aI25kEe-wRh<c~l#jZ~}cd*FYd<?Huycv3%kp!cQQ<396*<#ee_+v3d
zvEgtLp)Ru(IA?j>ZPaS|QT5_WS25AHb3iIVZczGrn{Mu-H|@>A=sOh$>Cj*qJ0qfM
z7S2|2v*K{=KnuBmSZJ*t;WzHt2qB+~poh)RoS8;6LS=H;SNNX|dk}UTU{7?DAEu}I
z_FhqzPP&6j7U@GHo;5Z)5mROzS~uj5v}m<$`&TfTh&SzXSiIEN-wyI(xCRr(pQ48g
zg4=KKtJ2~E9TR`)R#2_c#(+QO?jww12QB5zR&9pyg=R*IKRmhy*zjlc#O@9PlR=)k
zK{kUtXz=)(<+`uoW{ELkuT!4Xrb#`!vX!jr$*n8jcJpF;!B?Ofp%9#OP6AyJ>PrS|
zZ|RNYba5jkaU(k9Fz&j|E%_o3f7hS|h#RR&;C}!0#J+7x_|y%IxC|bn(vo542-655
z?WK)7>?*}QPo6P^V*W0Ux8gU~2x~Alap2DaRFceehuNHHAuTGdbKpWZcaC$GKaiJj
z=XuIGiF3mhm`C;G3cmeR&ymVIKY3p1JcaRma}sD$q6*spUr@M88~&CN_A|w;1UjDf
zR^U$3leS-zb`O||_h5fwMQf3}3m15e1M`Zj)OJUa;Hu0`)yfKB1evpxg7eG%LuF$^
zcAcBuEMG)Ok`p_tm}z?ck|X())XxO@znQ*b*{;8I#{;f7be&Fch=aVy)$G1};KJlV
zn>jvzP=sjh$<`XhXo~<SK2kdMzO@_GD57An*ubr9y*^<y{b%yP)-{fM{Q11{F3*z9
zbC;Tr(e`Cy01Ru*zbLVB$aAw!;bXBsLwl`u2iQLV$~=C`a*PW6oR=flc#{bQXGxKd
zRg0`EA7oL<P!2ZFlN$pIPB(XITi?{}`=%(udB)y#dAW+{u_tc~gzBYtfJNs9aGiXb
zip6x3ly0EDDE}6xs>L+Pdy9Nh=_-)8Q_#pNmTmU&GyZ9cMosmJ;mt!SoV=UHn&0t?
z)bTB=UD)RIQh$1SVa5@8j;1#e1T3K9TP}NMYcmSzFaZ75I3C?1i%6ffifQ6JR3^^E
zH%UR~!d|kP&h}pIbzvV~FF+vsZ%BYP98O2)3by!HmACLCSO({uIuhAvPR7YgFrAKI
zSbaK7yhG+O^&UrOL|?=ibcxujv%as?EvLDxYHGGyvp!|C7AqM7q)uDx^h|%>s?_9o
zs@ig3QBT5ZPW2Q!@)!S1r}0JFQBU@{ktTCl)ZF#qx|E_R2yxz4>R~~eM!!Z>{0}kR
z0dFd|t}*$^s9Lwq?|xvlCjhLr*&=l~RbUS~(~hsvp6n+>xc98S$;gEJ3a0@xmbhH^
zwyV!w2lb~~<$@Qv6!(K{k2He(==B@FUIsQF6KZ$tgg{i(-u+>uRHzM>TAxE6<VOg1
zK6nH>2Y5Oc2kM+AZG+MWxOWaHV4Mq&l&p|>?^4UeS$$OiiJCLf-_cqFZ*SIULtZ%w
z20-Zz%?)*iy-h35M-~g?a3T81zA6pr&3>50)Q<_5Kb$>BqvpxB3Tu}Cm{ft&Te(zk
zGrjeU8x8U&dE)y2_L1NJ|NG1vMH|I_<)NkT-pE5U4N&3q*R31mnSV?M;t$LaxZ}Gs
zdsLve&ri-Rl#6+1<xlAcR`aOwb|6*C@~iD;3m@wHS@<DM=a6OW<!=!`a}#i~N`|U|
zh1;`8(_74cRnA-`y{4A8x5!Xo-LDI2xDNHSW>0(LBI4>haNwnmsA-OBe<I?}RiV1A
z%XBviD!j=IlDi5lElKH^)iY-*bAn1c&W!%tBW8-YU!2T*{puy+>Ub25ET}dwxp93~
z0Z4oVV{wFI_SJC9v0a(lmI7KgqO-1mqn@^>-EV7@KlyoC^7XP1Cw8Pof-XdxC>$sx
z{+1iVV+`lnE(3kEgy`$c^}Tv3ZYBvvxFrUkZo7Ib>ZN&bb=$Cyg#g5ML&I?#q$4&;
zw8iCFEj>OsSW0ckx*;~BCLK(qW4<2Ljb=6)T5j|W?M-vFANL1W7FHq$kSChPgdi$*
zRcyce{dQ0lK^K_~)f!fPr^bWqdC^9xHh?><zGc~Eyq#<*%69R-<q|qz!#@PDhg)Y|
z*W-M0E|dP43dTk4;#a&e%EPP`_ia2rsrBWa5X)+N%J$1ji848FnL`bq9gLt`6#sD^
zHyRhs2zgkQHz}FA#GcHQeDi|Ht9e<YG5c39&jBem?fU+i@s6ayHhx%V+F?&;Kdnv~
z@u}jSZ4lCJq3soNqw%43CAO8i+>-%cpFEP2$H2XkhzMV!3_<Om;%&)yEj19FY+HBq
zcz3JL7D;tmtm;Jadt%{%Yx(gQJj^>m%2@|F@0ZU@0&kQLJElD{ax{|NLb(sdXE=4W
zUPg@d7!KP`Yl@c`6i!W-oq4l5YtT$kT2fL=|0?5Vb@3rzdryVc+v7H;^9wWuir0)D
z{++$o20v+aoNsE}YPczR>Y>psU(qk8cj`_Mn_JCCFn?jH<n2{A92Of>lwo<>dgz{P
z&u=Dh@CV54XTuevg#8>t%*JBKWWTTd#WM3kKCn%{oj(X)Kqu6M5he3lE{wORIkv_i
zxd4NYU`~%AOt_1rT0LAePS+#fDE<`+dKRd3f6=eI)y4bjGqUIUXCl+>Coe+Sh>lxb
zI?PCAT1R&dyPUR+m(#^rbYB>oEkz-w5EuJRv4}gMnJ}NNP#5v8Za`Eopv9WyJJ+M}
zt4g|agSWQ}CAp^wmT?{-*u1*bPwy>;t!&kR@j6Ve^tM696h<ZBliL8qL4R*waLPQt
zEOfx3XZ_J26&|fKcZE_}SQZxbWTdqg=GJ&5_*UD0bgWBmvGb!q!SiQUqGGQtmE(<O
zYzZ*9oI4LU&PVK5pZdeN6PEOQXB%{g7ur=@?$C@Y?)e8*Su+xdcHi9zD)<4BIoF3%
zRa+Q0^!<j_2z2(XOJ@Syxui`xMm`~L6mR4Di{VL|X3d5n8X6mw2}fR4#Tmv+o}p^A
zB;ih-NOd?`e29K;t^_M!T(6x41RtiDR9{U_=}7xMf3*?}qRf-!!>PEru}rct8wmxW
zp&aXXHsm!+ukVnb$8GpqInvo#5rgY<pIducX_7jx>^g}!bXAo?lL9QrCk#fuuqJqa
z6)vffy+m^TxPN8m>`Q^KD&fGqri><&2ZSgZ(BNcf$QBQ%)c#MVc;s?daN$_?Tm0Dz
zZgL%V`uBJboCS=05<F8MC0>!fB$FgQ?%-XIZ4BJm*0h(`xoq;xp2Mr)YNq$kwTbm)
z=tkh^UVZC>PzBnvTsj|xJ993P)f%YAe}W(JZpbyQNNm5aeyR5T$MTYMkR%3f;v_^n
zH}|vp=;860aGiEa1^qrP@mW3s`s53CNO?oDGcXv|@=^KF@41H=T<m52*us6+ZIHWr
z{D;UZ(VdS{%vU--))B1?p^%;C^sFkk0DLu9nvgO8m*RZSF`*D(dLWj!2i`MwS(lcX
zH%4oVQHL1$nv#@a8>g5VcIAIetTYiV7qgu93`|udJoG{6Fe7I}>CyOJve-ke#MFzO
zJny+r-zXyj%ywz<oNrr^LaJY>fp6F8PV=m${Tt)_P3Jn*f&~l9r)}Hi7C#Z5XFO&m
zSugFNJB=7Wtmm)x8iDW2k3&>5z-8!6Jk&VE!rPr(u;JfFbNjRn{${>dm@*8xT`KOs
zIY}~URqJ9*f*7TGz&6yND<kJy;#uVQp;H9iV_pqQam*}GO%WeN@3NY%8Dtwe?=V-&
zOD22%uI@e2eY+|UV9YU$2KPp3mvcKXP7gfF|JaTW9A~E|RFmH0UiFAoher{+>T6HE
zF_JD>x}25TnhsDneVvY6cES8+17^nAs*r;9&C1mft@Xw=T+(VIyqj%9A^tG^4Qh^u
z8sEC-ohekvXjRR`J!m9NA_uvCZe{qd_SQZ1%~+QKc2p5Wa}v;%y@^NUchuW1$9mTZ
zRGn(C5Y#cJ3LcljxkfVHMiX??%^r&My~4W?KVM`z<I{42=39Xz=wPEZ*b3Hk*jq$@
zdy@D^Waa$88X&45DHC1<*3J^(8=36AiorIpf7DF2`Izs1J<_jw)PYw;2x3Tt__eSk
z$5(CFIi&tw!cJQ3_PtAao4T-iL(b2tXel$GIobBl^mKB7)e#GtHcSRMPJSrQ!Si&f
zF)MOlC#y~ek~z_OWSQb#4xP)KVV?nR36G=41T3Q<hU1LO;seDqi)UW5$bg%KssEVl
z7_qx@LIO^giL^{ZsuZ_nMq)Gu=Ffn4RR5@y%QUG^c8#QxB@{Ft2`^5$UNp=|a2Xg_
zpC#Il1q6iF?!k*g>hga~xky4Qt#bBim)~o>ui`2L;Re1J_ZQ=97mYJ*R%%UA_9l)3
zM|`2Wzx>x)`4Aq)SXyo_RGX(c!e8sue*(R%%};J|9~L85L7PC#MKwD0YtlXaw#Pf0
z7SoUNN|{Fz1|%6M&_3u-;G7~$v$#o6aZ9{v#;By<SZTrVuNzfyp~984*jeH3qdVHS
z45+q(#+^cn$^H6NWGWc~ZxRi<xWGvM8K(T0V_3TXtm7c#DM|A5mLR~bP_PZRWMDGZ
zI{EYLXpVZv{kLXrgT+wJJ=eEi{(c+uwzWU;!*Z3%Qom~43qt23or`V~jg{8j_LVEP
zmdV4*Wss(u2X9JkOp+J9L+b;ZGcrvfh4~8sUeqwL^^IK>F3MI%Jyoqo7@bqQ6}77%
z1T2&ujA>t%$5u|R5J&cEp(*7y&kDclUlC1v`M6sBk^bTg_QO>N-yWnYo@VSer=><d
z7pJ^SK&lsq%ZA<)q<$SKB7B#1PKE@Aea=nFpO&Y87^$~`dVO7HY3Wa~lH@8I8_m~i
z6(3L@Pfp!%8(21o7Wvckpy<HV*gs&J%W(`S5Tlch+YW-`Gw-dwwF<S!AZqtCsqn5r
zHiS%PwkUuIb~+DH$5tF3m-|%q&fzCB=RL%}LF-e$@wSF7e(%0H#K9@`%rTyvc+pF^
zW^hB0;y&Dgl%<X}L+AU~Fg#AfyEE+5P*7-$hj?3yUPDp@zMJ}H#^Z9g1-16XUGv&Y
zfdU5l2X-xl<y0*mivdBq`gjd3)0Lq7xWe-ftnD%#QUWXkMt7m$3{o!xWWO=f1v}Y6
zPECKa)H+Fq85pHo;%c|WwB0I9#o&@3aZfwGheMwB++lhJ4vjq$4&|eIY=|Fet!7I$
z(C}1=o^Ezpm3fqIbC~-QR8U05!SrdhR<hw$tLVPMhmAYTrd*H8A~1<DI<<jOyR9^-
z*2wEXC_xB6RET*LUKj$u3bn*6%WYIzawlxq@_y<3;4C9Nt#SLbo1vg%g{KiG!9r#9
zuiw;I?^<DYydRjf3U#+mEN}b^sY0Iz+(jm4Arf1d@f7gtC$?(obO0^xGRJmlW|f!<
zNEHLp;o{RHTUlSa_|pPzFQ2%l8Ei^JJ&5X17tGG_-cPps-T9?^Kk()B&%S)7CPFPp
zG#HQqYbJw(j5j7{rwzMuYR|<Ne4%<oYu;=`MeRxzCq9ns)*DG#uR$)s>n4BPzv>^|
zP0z_JQX8m#`E7QU3@QJrhuyXsw<r$Ln1mU-tJO5(*K=kwYmU~RhcYqp-59ybYcR{6
zHl*sWP?b{K3mZzdV>-2D+z8oOvp#`$bD;se8d#Ni5v5?yapG^;fzr2Z0jlJ;L7IeR
zVU=X36TjE^xw*2b6{>w@&hthYOyn*UA}9Cs1J~>+v4p!%d_SdB9jS+&re2`~L7Y?$
zg&4rJs=$tNZ7)Ma3R;<eZLOtVHM2Phizxn3Kh|ZR3v!P7aiHzIzTUm;XkPX+JQg{a
z+KYE2yeBj!#8>LiD1fWvgd@_Hc+u}Yeed=8yZqQigX9f~<7+zpY9US;4-a3WY0_Jr
zLN^+KQXT|4dLS%F>(v%76AZZRGVZNY{Vujj%CB{OV9mX^c3-zn0)BIIruA%t0yko?
z$5D!r>#amR*OQ@FSxrsWVP@4Hx6Zy%$IuSDX6VCmEi5zkG8VnW4IX;$?i?iKIjX1E
zK?<!Lx7=T5*59I=)nP(xuzth7cG~gkKIPwusTrf8@=96LdjUm%SBX}R`wA;uFJ|f_
zl4fzVQ2#BV9$@V+d}^wP?5n*3G*X3i66QJ2B}3NRHEy;ya%su@1XL3rv(-lFAxGCe
zalxd*5-87DV_K=R{8puFV?){v{|nLiJK{+n7oMWa8)C!&8BY!XC6S}~xXsV}?jT>?
zH-ioh<kJG5G}ePPY?{A-?C(y21)EB6=X(wt!i$~KQ>+rYZ_kRy6><{M8B5#ty(^=h
zqm7uc<zge;*o#lAQac87AsXe%e*=wSSO+#!>R{KjWE<+7im~8h`6^{C1yGn<%K+~V
zV1SKl6=`t#P<6K}NRx~W<s##O-KZL9T$bRup^|w6{u%VjhD%(}|Kf>jH!mu^(GSTu
zsO=U$TjvxdOfkyg_fogmM{kLZwg~nSSk1a@v#XiTcGf#5tdgzCYyX&JM-gp*m@19u
z0>aBfnWzfu9pc4tnr@iE`8AL-1F2<fogE_ZwL96{WxE0wmhrojDw6v~S>xr^26va{
z$9j*f8|%Cb9v-RWH-B2R)Jomz7eW*N>>&g93K89JSMP;Ty)A>~AO)kNTU%Ok@GZ}(
zy;QD)tvSGh?8x}6&FMwbri@1-l}Mp_nT}0i+?(TF!LZ^8m`Hsyf}<OJXII%qWSi`k
zv{<L4RD08#J@J>}9kDcmM23#E`(1|<Kf8NGwY#&=@$F_Hhf}-vyjC#$jni_$8V-`R
zkfMO6zFaZy-#;bT77c^Sv7_?ighQ3Fm6zHww3z~$&b-3gCN_U~38);=N7`HJv(A42
z=OE^3zR{QE<+utXVp2Yl@zS)`W0q%Br_Pzvt)B3RYzYb~a*3+nT=d6L6d`AJ=Bbm&
zOjt)z;P)hX`yO8Tqkz{xA0WjMlcqF-BVL5aQQNUPFdM^f#X5=(KZl2!oGnRqoHjtL
zyQ^NFew;QY{_18AKW`dGhh*@krq6(!bduNRtvIA_x-17sbvOhcBvVIN#$@Wp2ahae
znh$5^^z*++!R<WSa;w29#m^4_S94o95`z>A)oP%nidRJ)OCzl2rm~swO*l9oqH@x<
z<;$3eCCgZCQEt%7q$UF&wrduM*G~!);K&}Q6QQ7a_^X+-$JaqrJ2F=fy13@csDG&n
z*p__QV^bIMRICQ7peUDe{eA3fzRZ`K9s$nA`oe<h!;5kJIGI2~pV=n`4@`59T*`}4
zd8poq@1x}RkTT<sJ9v#k&zFu<y=o}W<RN+2VXtxRN+1DCZ$Gx8)j5Yh)HV~aqRCWo
z12DkxB+t)l<BGq36T2#dgx!-T>>v2W6}GEMU1zZ{FUx!VNBD9mj9dl8XJef@w^#?~
zw&IBOv9lqD7vv<^PSSv-ksYWK_G2qZLp$F?b`xZw>mw#D^1RY|IsM3G|3!LjDB%%E
z&hLFt>Uwsw9Cl;NcEj+eod5StqG4c21187}BCr3~*bovxIMmonq#Xc~su{}WPM4bY
z6{-PRIbQy}_paoSV-GUxG^DxEzp>%fm$uuN;ojOC0ggP>)7r9>v8=Mmic)x~ok1YS
zcP4)u&YKrch~Czm%{ai3r+X5-QL`z?Tfiwe)oTo?me_6^XIrNHPNTNsWf`8AFOT%+
z@(2B{2a4V5Y(X?7kuHkMx40i%R(iE!DX-4GOZ{U~GVL`4e^>_d!>QF7|6_V+>|oZK
zw~`y3_2^4*;cchXa%IM}u=#E+xY=YF;IuJQkHZ1V2z8YtFjkkt4l%`dr#HeD0s}U`
zcRA=LB^Q*RWF9=t4z+De0Xqm%lareqegV=ZPEHd&rvF!;plMDM2PTg-;qA)=)Y?kx
zUtKJA_8-%M@CM*?7xn?BU2<zYK<oD|0mvbA0{>&m6US7Y`^WVCAJcy_m!m`mA6&Qo
z^63AvsRRf~0p9@hZWLh#v(>3*<ajlUF)XX<xJh-xh+mGZlWmuJ(-_iuGx5jWK#9f0
zz!OQ|zgPOCmz41!r3verdT#lHrPdG1y`J>@K-|Q?$#sqRaB?*Hq%@>nOp3h5-r~G0
z5NXU#D>kI0Rw%7Drbd2b9sObX0$@$PtElZG-_A4bJh{1ER(8kz8WSjg_diL}U$$Ee
zE-SmSb-GHv!>W4fVr5S8@B8~aR#vwvo=ob#s>S2kxh(F9B{MN)r1c#N8ubap2IYOl
zebq~ra(UV-a`|1K!D;rF%xea_jIcICy(a(>wyu?TWgw`)%aXsaz<0oFcw$P7TJh`q
zkRhL&7#wtYD7~!a%k67uI|WWiMm9dIaMDXvjlU?ZT5ID|AoC7UHaAXR_uR{KEM0~t
z@R05oo@^q!T>AT6{O(y*zgMjI<KtUOOABfyCVF4Q`UE7wcKDSgeczHY(c!q4%Y2;K
z*QrM7b28Q*qy93iw*<;RRLmuB&Rw_hNbU5|EsQ=hJz-(~^2c4Kl)FLcf65Lk%Yksu
zbe{2X?!ABjALV_XE8j)Y%p=?$?zdS!p9E<#N%;*JP1+8_wq!T2;cM|R?r#vT90tnI
zPgq%Az4h+i=@<9%506`BCG$!UAzijku^5jW&`5>KLzuUFO@^W2+mFuKJc|8SxWvw1
z9!-6}T~WZ!+{K+OMcAV21?9JwT7%0W)p}af?*o~~xvTr^b+`2|Em|q|*1bFR{JF>3
zR|-SsK+!FN5E%)nJ|({=S2HpU<+47dGvjz5+%t;#_XBT(SH6~L1j_p)0b6)32$H=z
zVa;-+LKzRKyk47NhkyI#j%0=&`bM}S6aM=uIzP>w>EuJs6G-%p&nN%qBcqHMHqci5
z$MiPv$PT!d-@dW|2H06j8=$>*SZn_dy<%&7pN^;E0{I36p9{IC0*uQ4IF)C(x>`4`
zQ#N&CV=0WLkXbBs-j6adwh>v0@?S>vR05iBhSiq#*3?0xubnWvwgdt`rv|KxuuT?Z
zR<;gxt1Lm>q`%#t3JiTh;JMF1@~z4xXD0iF>@$K_ws0S`l##8XFVQk;hSZ|ON<@@7
zLDnCpx?}l^o?B{j&o9{?a_p5J`!kMXXzPhh;EAsn<Iqe5fPKo8_l2%U)#yO7Q!S%%
zy-3%8{cZN`9Fz^#&Iv?us@az7<`!~OmCn7-duM%3<KAg9?#9ZC|Fcg{uFjQm&dfYi
zksPnoO%kdd{p+CLV@2@iO$#xclzICV*BBpZF`sna()7-04pt_|yb@266oGC4M7$TT
zTJr2b)O1{05=e96P^mq!Z1Y^ujUzFA;%^NHqnmmPba8$-U99zYD^XQvQrPVX{#$eR
z$T$h_k+rxSn2ukZj`N6HN+6*YQT<MLk6Q(h!NEW|;2#8@u}cn+UtavF5pRiIgTE_8
zzkYp~u@{yonab{bp||FafY-u?{_Qp~g_tJeBAP<Senx$DiS>%QW6tI5)$Kih9Iig@
zrNe?VmwBMrs~f-*#`$_Q<%OuX(kCjqaIT6I(xUte<_{KrQaxISU)Yh`l3ljh*yK6-
zzWV6PK5$o>m@A`zd+mD52*!``=-c74!B_4;s@;@WjrC6#kgjQ2vI|Q7;SBWYhX3vM
z)8&Z#$HrGA(8T!YF)=K3<cr$*y&{|y^Dy(y*KWR4Ll>qme7&3~rwBmw8FmWxkEt@}
zV=y`&1AL7#HKw?#9-ojSQTkH0B5i3-1lrJ7%bb5v|9~a`U3v2T>YlTSR}eX1ic{2<
z3e4q6HNmf0TU2XwaeWOAhw(1pzjsQPY=W4c2<fffu)LJ}e$n_^!mdGw<Bj1^kGy-O
zo`>-Xn4)RdjzACf!P8%zi=m~`FWSPx+fP3^vnm~#O2#NSjH<{82m%2b`+6T?yB84h
z9H8f}o?{jua}F05f&5o(9F@hnXJbOm3fsw^$~G!8r^n<m1x=CdmFy0NCvS=NRWJMK
zK`tAfc;#^Kj!5DfrFF6D^MBPxeH^Vk$U5L6lwb0DW!o!Vq_5Z8n?nNssr)ATW+(hz
z*&UV!F`26`ymtSez1jY+-jF><BZn@G)y9xlsX64<11_w>;Vv**yQ`9Gb1d_ZDap?C
zA5)bL>hCGL9>24I=hXBBu$njvk3}u80xv@De@usWr1>-d7m8Tw`QtbEsz|5p6Pd>?
zY{ze~-^Tyf#;7)}{YqZZAj?!6wSJ>U$_$IHXUn~sShAD_PU_SD!S$)+yGb1G%b;-9
zgGtlWt=z@q(~S70^OSDhTngP$c4*_-S2btiWH<jeJLN*0lCqQ6@5$%`oD}PfN-n^C
zbZTq4LzUYrFZJB#FfIdKY>aQR&6;jbD50{uKr^iut>u~9_)-O~-@U`c(msOn+~Pn8
zcV}OzrJ?|tz7}9nNg_O#m%|Q)1wmf4)yeoWMYw?H9!f|Ru^@VdRlwv#B61DT%Lz5f
z%<fVmOBw;x=7lUp|ICSqyt*%T%Ii;Gm1|bV;|+0X1@Fv$*e3zaU45UI{RUnQ3H^f!
zgD=$0045Cunqe`heHe}QT1&z>5CRr=f{BxB4QtZ5oYJq#@|iA;)R{Ow+XSxo{}f`O
zE7Vha&qqSRN9JmsQbk98>d06|N})~k{R^U^GE<N3zXvL<$0Nxb%t0DoqvoU5he|`;
za5NOxk8H<}a}Lk2nFBh#m;BGWT!f9ZP%fL^ueprHahh}m&Codqk6HLWBL`p7G}?lN
zySAcQPEpg*O%BDLjf>NJ<xh!;Z~aR1(}J*Uwf2g-8X~$Nc~Q^TSs>Ont(MnEZuA?B
zZ0(B(Ut6lq#tGq0Fk3f2rYka*oQWH*GBasN;1h%1E+EK>)VrTNe_wu3aY5v!qrR@@
z&9<RWSJS^0{$on<l>#mi9HbJakVow1`r^k}^>ymBO3$cGXtDoN>(t*^s}(qx7*(Y#
z*?eTr%9e4(`{AAL^}pKW#@KS}ElfeA=X?g=`+}s#NGsEu_s+dxo<G}!?Ac?`%mOLl
z-K0C|omNEeaLQB?`R%AOtAWu-oz8SY{@|CdujNOSy(@})JHk`HpW_IXVKldJ(!FR=
z#Wa@=q{P>j5o~!#W-~v;4|?RF(Rp(+^-6EC;{c28Oc~r1Tv0P;wAFaNvSb((q9a4k
zXlBS&6&2CPtafk%8euDS7DGC-*-p%L7n(V&HI+g{Xf96@&4;cvjPDAR!!G%y44nPR
zC(p0prZ9Hf;_|B#?@O5Ah@-vx6yeT|;LRi3;ob7+T`6umhN=Slswz>xpg+O;xkwgF
zavJ*}s9KfsS#_4Fl5Ot=?XZ=%6*?0W5P;%n(kq1oyQdd}&%FY8B33N|UnyfdvhGyx
zt!t5X-#3N$6knMHT;%}dGYLAgMLDN|82gmYL!(0STCYOW<$y7yxFH*xSMVF!^D_M<
zyJZ~CuMQ`3O~yy@q1|)5{edYAFcDnJ<?TK%8D!hvC%3mEXz{nkd$m91NaKQ#XUL67
zUB)PMqAoj2emy7CR--ilhf5%kZs!5XMJmkEu~-uWrW3!}9xZE2(?y4ll@LCDS>7<D
z#<ip05cS=?M6r*ig^q@I@&fPkF7lzXFWov5dT`_jEG|Loz*Ji&q4j*IT+s?rWVAxl
ztx7=4eRI5xxLJN>LN(LZUtndN`<=3y8J}pZ)cLG5rRz6x4dur-JpM~Fpct(099>6*
zlSS4tyu&f|v84_)Cp~I&b5A53JK1mD%U+mzI62+>@uG{@XIa63oR44#I!;{Qv|Pw@
zHN$Hkn^m#@k4dRsIjkW6en08abj4<?K11dAF8p<CZB9h1hw!EP#JStMYcQGq1m21*
z`h$|yFSZ7}*G*63vrSlD8Ta!(d7<>_qB+gxNCu$*h*#W4H07X`f7X;!`Wacm(O4dW
z2;@^!q?T5(YEp7%PO^BrB=0~FoPMQ>oSN7*ct*aWwXU$LM=tP4q|YJ5=t~2Io~A9_
z_))F?``<Os&FiN9B4twp*NJakzsT7+RqJ$DaU(~8j)L~lCyX_xL(q2PZ|f;fs$FhK
zxuH!V8te!`A4F6Zoa>KfkGW`~df|H~R8#D_g<hAho))Zz*n6<zinCqMv{!!d)yYlR
z!$?{Ynrb7Xh9RuD1(33E5S`FUX!{JarpBx=A1%LA-6(4h?9y!o41#%tLTkcm9y(vv
zpR_?2v7dO$!e*8-;3LGsXlUW1>(PL-A@dmE-Q<tx@VWv~T=k*B&G=cn7VO@p4XqYU
zS%ai&)SrX;dGzmIIEh`z7^icIf+_nO6DSICzT;Rs<r@+8Hq$&A>J)J-**G$3;&6Ae
zz7svv)UPA!YLvwLks6b5pYZ6`Cyl;6<Ri^N#{q>*oS(n>o7(s3ZR2II?a-X2@ep6X
zhAkjc0_9=MOn*M|xA}qNmlg**U6QN{Siu5MP?52C=lqbcO0X`v{Pk#P>v!kLd)J)P
zqfu^7X8<J2X69U$?Mx?sRzhsBik$Z5T4&=YA}0R3Sd8-s|Lk-=>yHyQk({YVO&0JN
zp!D;+I%ZdknjM2{-jl$PW6i>Vy6P0E0x(3<rp_oRt&F8@Pj~TqTLdPHn+KRXSKiOz
zW1w~5Az<UZD+HuC-I}Uf?t?*;+YVLOI$S4@_;Z7u_eekcShbmTx2Fzn=0&@_{SjI(
zTNuv&)7n-c!}QJ0kk_zfYt~r$Dn6h8gY7LO;R(2Z+Pk;@lihezkX0e(*GkJ-WDhsM
z9&4cD!6TY7UfO~*@{A#_4o#l(j;tt$icHr{W)(sB4a65Rmjj%SJ|vG$g=#Qjko<Hx
z>d%klc*%QBK#Uy)1o0^MQXf4o4!g+4-~Du_(mm<Nb#qu;a<m~Ai%m?S+YvHU5>Erq
z8}s*)?Jzoew3lj#JV6895#U;%=DJigZ=8L)DKVJ6_XE;@G4K);Lmk|>JSQ9_bn92B
zM%gNlVI?BpxOG%HQ@}xWbvuM6o1b8q9DC8*P`Y18^k~!iwB;SHEKM$ckQ!HrC()|D
z#&!=>-&A?@VW|JbkO}%t!23^rMuQ*K`is(1>nDhZzZd_`{D#gQr%=U1oh~2%FPolu
z9I1Dnfz(eHPZ_Xwu>D*9?P|*6O~q}bJ^yB?ASJw`<pebct@)r}WyW<()6Iu<tlDR}
zUvg3`@;WCB`=RU^6Yt&6yLU9l2XboJ=v<P<v|%8*A~4b)&PLlNjd!%j;(pO}#EU!F
zu9Rm6$zsH(OYpY0h~FhLjCaXQBFu{cNupsswnN_th0KjlOu!B{;#6_T`auhn*1)rf
zj&Cm)-kO=hCgeuvQH?9w1Ajf(s2)IOY-0C-vEhiy+J(i@IxxAzoUm)xENY6iIV%<~
zj}b>d6G&_pV#M7Q<2cJbzZXQA-s;FiU6@jfsjNG)i63bGaV#;iI4ZX&-h$XY`&G^J
zx4V5s2TK=nMFbzb-8#uVL-z0aCgV>7`Rt(pkuhwg1sW8Pn0d;dw~4&GA9~kSGxQ&m
zJkOFyZK-}Te!)1S_YW3tw{IA@;#<y^K2#MA+U_<T>a&%BmDdK;M}a7rvj!2z=k-ca
z-*jC3(rr8YwR2IZlBw0;h$HC@WA)WlkmNfNO4-l*aS=@X>uf4Jf`CgHi0}}u>G`%5
zn|+Ix1pUW!UM00SA+Mei@!@M7wma6}7Xmvscv?3;Q8PZ~{rAu>=lNJ2GpQ+i?|@Mj
zh*~>m9Nt>pTBidb`qdgy#N+WrlshA1U=z3go8-Nb>C>S2Y2k12BaHUL0!)Dg2I?#B
zi5)6080$S0EEg{Yy?kQgW5015+rMd$4TIGLPFm&R1tCYmh_mC}s<y+B#;&Qx|Btvg
zkB0gU|Npgzq*N3!Wql(gYnD;TI!OpIm^LvcCfS#nsf4l?F(JvGJ&b*s?Afz3gE1py
z8D=bFnC1O_y+7xC|NWldcFymQIsP=f?$>=^*L6RikEiS0=#}RxdN;q%EQ_Lk4s<^p
zSx7Ir{B+v<JQ;T7OX<kHP%};xU~6-t13}S&VQmR8r`3-}CyTu5bN>j7*1kJ^x*iv2
zTT}Z~V6(BjQd#7%r<0~2(TAKq7(Y*&MqjE!6zmvgc3?R1C{C>AH?=hN(Z-B&ji0Vh
zH{W*b7TiG|LBuctqu=0#(5syC<`W%x%vBf63HGfC74?2dTjCVF<k8s|%l2mqqHcO9
zkHwTLCQO{Teu<~?1i0*Nx^~O0YhiHrM0<bxy}asWuZVl(b@<(MM-RbdTcv-h`nxZf
z5oZGYtt<WQ>+97T5v;R@W!zDK^^#NdgMJcATWy&=T>twrKrORaPt-5Y3PDO9lBwzo
zuvSSDLs5Fn-*ovaY)}nYpf-w1c*coPkvY^+go+^3r?cKa7bTol(46j#c=i?kb<XKZ
z!S&CT>+sWk1AS1L_ZkQ;pCJWv9w^Gb`l*Nq8g%LGh9lYP<D|cK$-#d8Uvrn7TTX9v
z^cPnM6jI|AOu4()e|D7sagn{`ve#TeXP*v7V84t>G(iZi&%!snq_yLYUygNjSoCS_
z5UMQyo0s+Axn5$d5pI;|zng($L~Rtl93F(ioAVFXK8yKY|0yeD{A{LsS+IgS*)l1l
z;pHX{d##CcBI78x4}6rS6`^-C2kMR?2sbMp@vGBF>y3T9YH$7Z0VF!QPA2s!Z<1|*
z!nY4RM+@0kIEi}vG@tf+EBl)1MV19q1dQ9%^r|Q$v&1Zq=>6F<_Rl8gt6KPxN0a9j
z!aih+!j9qHGmf+Uv36l?_2EPh(GvwH^Yc7(T*ng&;C+83)HHIZy)8xS(|`57c6wT%
ztuYix?9>Tp!yjFly)-U|aF#QyOyx3M!xvQzg+%<1zfS*Acz5jZmxl)fOUvAD@!D0G
zDM_Rn$xURL;T1LER|>Bdhze!Hjg}>xZ9MhQm8SUzd#&|tgoA(so@Uq@n+a$!xxK@)
zn-osw)<T-vwE2iRE9V(9)#ORcoEy)9*A6fdyqn;0w$JD`pp_KXiDcwQrrM48DXG{u
z4y&xS7gZZU(##%zk}5qUOU*xYY0egq`Msdkylv)p3cWq5VH?>pUT@Esu8$)2UJ^#b
z(iY#1-HH5jiOL5h>e<TyA+98*8?6D_II`pEb1z{DQWeFzuj3#7-NW1co@v7{WKZea
z$16#ROZ~kjn+Hk0XN)|2r9e+?6^(la#_gsYs0cWL@Z8tB$AfZttzhV7baRwa{<E^&
z`s>D=H0Pn^ub|&#+CZdRKC$UfGDG!>YSYYgjZek*pDOCb!=|&vYkii|iB`;-)@lhI
zK!KIzQT;EE$M8<H!}C(|?9kqiU%BD|@+Yq4#JoAaW)uV<DK?0JL!||<rdEq?M3n%%
zo$$mJQGurP+|EqdI-&EgSqj9i%U=zbjP0~{b>Em59eFH0#FbhGRRy&6uErl=&bPaW
zBOuFHN|DcfCrkXCH7Q5ilSdp^{1eW@^6VZQ@_g9)%J9r->rZ6ufnmGQUX#3mWzGOM
zVsw+Rz1*7fjchR`uU#ckT?y%?qSC8%LdxDsh&M5fXAfg7XUO)$|MHYu#Ap1|pP#f4
zgnqW6w(i~FzrHu9QAAeZn*?mX^<M9Dp&Tq^i2Aq!7a3x<U?}?5Xu7?;_0=^qxjKz`
z{Ezr9eFz1#CO=1#V6t4QQ}^dh6aM9SFt$F<uWkDzNULAA!!+CWcK0QPSG<%uZQua;
z#r=mnWpJFWF$chAy2zHNmmO!;^E5!bFnIEQS>m}O$6lm&kSFL%SZHiofP!Jc^EXM>
zWk;+xDCuQ0YztVC`R0Ef+3|}8jv5};`A0ky;J6Hhd-iZ$_Y8%K;eD5`97C26TRp6U
zMCAWA3#edLVN;O~&7NmrZUF@2)Mu<ySj=FfA#gN+1475pOAIq+NC3sV*o@2}Brrb(
zHd-)NKLW|dH+fz;d2VU`%Tsi~|4Hvgjow7|#4micAa#k{#Lsv`1GPDW<^x`HLC_Tu
z(L^TRG1_kU&#1aeh0%qm-zAgD{6Vq_x75_{Oum2f>ZOUkDf!2WVv>?=g4uJ*di7MN
z3U?;9%5<?e5cOoGCyCDtA8fHX1HYg-lNbQ+RuT*C_j4O2@p4ZG2FwM7NdbP0@NM8i
zqDkVyQauC%cA!fS<0>?lFQhF7{P*@9I&`qQszh|KJy?G{<GW)^$P*Mlahllodj6}{
z5r+$wM@*$p1&6s9_^=*^YA{7I0|8-@VEb~T?f1Y+%VgHAQSh(&a8lG`lbADJ^_~@N
zdXWP$S6-MjO(Yo;+C3f6Q-Fd*1$}llaD*#l<(UQF4_g+I4|wE<_-=$Qsa!MeG#y{1
z-kIb-mbBQsKq#qob5pn&mspih>F6M{PMAp^-xD*D@34tMrOUspajz0i3?^cYn$nZ^
z_0=EEZA`BIL?59^l#mhpFd;K?6XLGU?S1Ess46H+yM!-E_2$`K<?2;jl7#84qdWjr
zPqFMZ_*_#x&1o18&0z+c(O9UwM+`s_?8C-1a)uOH{j*I$rGSj=4-@8178F7RNJ!QX
zdxnb3)Fb=}&9SIF577s;t`8&-y6>LUnf_7M{PkpV^063SyBpJn%O_65baK^(8};*;
z)n+@fPwwg1HZ}a+rLEOX4t(qxJpMp$)WrQx?%|b~$I53vUfr)x$Ug~fhRS$8C&qoX
zPFz?cRu{MG={ue!#9jE_y1Of$ot4;}?C5COGgw~b1Hk>xH9kR=IuM!JH=D*(3~)%v
z-;K~B_i_6G?Rz6;2)NHhK`Bq?wV?#&UXA^CE7&!FwZM1TZ4N^;v|xtFMpO10!J!7<
zT}T#4U|ql(nzgET?dWn-?4oC92uTUIMvN|gT;KecCs2!L4D{&M=)C)u3sEM^lgqzp
z*jo|&`F;P~vh!4rQ<43uYth(xNM{2r{{~&9UH@1|z_^4zp8UD=;fPn`p2%AFi^58Q
z*KaiE3c;?@Ph#xlp0GsO8Y4iQ9Fo6_9Ec%{(f#IEMB}hBGwsQb$!S5!v$7vbijaFP
zHK)lxA4TxQUt^B3Jlbg4j0&c`8>V>05%!u5D4gu?={TjHpcbrX6==Mxiqo~cL<%Cy
zrtKboO|Pv8O@Z0};1q*F9-t#$&6fpF8zRZN7hJ3B>KdxPjt44BeQIS4dP-hd^<Ip>
za^uOCL(lhHeFp}y0=hlsTDyr&rC5zzj4UN>W1R#Qdwfll9;;KC+gIq2-!ntJtJ%~n
zn`me6KjO(7D#ua}gthD&mp>Bdit$ra3LYv(ULJ3JRJ3~h_YZ}ZBQt%?R+rx?NsR9<
zI~xGAz5{Rrem#L4Ch}$#>tuAMqsfye$i>Fy+p6CIW;sNY=MX?|>h~c5=k~^NwqMiO
z8rvYGKso;#&d_Q^!&ze2c=UODQN3IU^jFqr<2mt)=aU@|4x0ZE@AtLIzpJo4Y?fQ&
z>fdZugS4Od8v5fj;6bVnO^DsDN?oi3m@WjR-3nB^K9*rmyGS~|qjFF)EQ4=Vq+&(O
z-@vn$v%TrWDIoQ2>9wRZKR?Rj%X3m5e;V%^e}sLH9)p$~y|Pnc(0-c039r)UZx@XS
z5AyLk?ivMu?iRji^eD-J|A_Sbh3oyJ7|+3oVEg#Aw#vXaWUuTo5yNDTZ^+Wnx6zY4
zm5J65EE1f&F6-re)_!?L?44sIMUFa1>mmolY77djq%txA_Kn8b0MWdZ+`l>zML|yv
zbu30lMve1cgud-uE?>yJ>=1TJ@Jg~k%k`I=Yt_}!x0@unW(*zt55-Y*?@IrcH1*fa
z*tUOlQOaLN!+JmRJ*J}OEm(zlbg-3s87boO*WbV7spm+?ep7=>YtOml71L7N^@^js
z={b5CHtA&%_#^6|x7-tHZTpsth0esQ3XjHih}1_(e1|v3))$k8^}q2%wU}sMOzo%F
zP>tq5ktBg_n6QV0bXB4uUF}Aybn<D)cgs?}x$_AFvokITtgG&u_86j}=GC0{R~l^*
zEaOnMdJG>kvBTvIAg|Z|6RiDXY<ucd(Wej#>#-Qu4+ZVxd-9SMw4SlbY@@rLM%SBU
zvKltAq=~v%y<Fpa9Xg>!WE*dP=PNmh!BE%Iv@`6ZoUd##mTD+CzP0(t&}AAo>|A>d
z1aWb=pEU*bDG$2v<<I_Cp8ulVD$9Uj`x|tq%LH1E`-@=tUJqU>4!s|@VH2@oQx`Ei
z(HA$nPmu{YmE)}}75mcm{tFA=uZKB5LJ!eJC;|X~&`-c)(0Np8p<#qt6@PNYQF|;a
z8u^)#;M^kQtPo)*dlZuth8jsN^ppSIstQ+BR00Sv%H1jnE+)4tf@|UT+lKPjfx2nI
zGU;V?+LVK{pXv6B;=pqZ!XT1>U1J5%%|WM%0)<=U7ivc>(pz!2E;wGe|MSV2plHc!
zK_Obn=Xnwo@Estc;7`yoWC>NH1o9wZ-&1>4&@Go4Vl}p2T#R2@Tof~vNgznRJT&k<
zC;OF|@xffjFMcnbb#|MYS-QdC4nw7m0rbGxoCW{ltc^foiX*XeW!29QHF!6xQH_zn
z+(pd^93z*tX9zIg46w*JLI+MlO0)M!N7H%=`m06Lie<NL1O*ZxbN-N6-E|)OY_=<N
zl?<9%Z5d*Qb=FfeB7Lu`Tq<XwX35BlmD;9lwTC5>rIaUaS4=Mgl~7$BZoxlb1gf$H
z8DI4USrw0gjrx{Cq|*W{^2MO2^rY>Cb-z#c>1+i~z8;9aWHk;%&a60o3Z6~$6z^j=
zmc9?kaWOeTe5=KO<d3S}hjQbCM%Hf&#425`vy_+dxKS4+rj1;ClgYqvWTfAd`3LMK
zd7lE#chp-<b^&td1ZGroFmb63wan=5HkQZjm(=g<LC1lFI_JA)^~15(Z_TciUC{05
zcF-t|nyrX8@mUF0T<R^0N6RrUvwR*f`8(~0R%ZE`btfiVj^l;tZOYN#9dE??<XHST
zAZaFA)pxBLCK)*Sp*(dP6GOsHyvDdSAzSK^F^xuu%vtu0@oXC7_1SXB<xynL;halZ
zKkm$nWq2ICafO$MDt_OQ<*2;dRI-ZF+xA$_V^6sgP#SxVyW7<pxvBo}+*v@r!Sny(
zb70BW%E<RX#{UsYTI~FUdrQZXgVN%@ORjDN{mUc8!E?ga4YpmIgeFal=82f<K;3(h
z-4XNs(QZkq?Jxhlu8I@v36>BPk41-ad;as4{>$?Y#B1Q*Zvdl<u%%M-!pO_i*@6BY
z3m1sKu8!}Iy?T#9)C=d5l>S<ga?s4Ley{O&Cj|DzDH(e_gTPS%NcqCOcLqWJPOBIu
zW^2b;>HETlNfMQVan68doL~b?zc-<wx0ul^D`#eyWqd1@Ebi*3m==3($Js?mVJ!tW
z{s8&LrNF-FRNnxAi4J%FSsS(WLJr4i0>V)7;-R5*Ze&TI=Dg+a@hM!iZbOmSD$`Hw
z^Ze+Yf#KqS<R3sv6~B2}fU|Jwqr=t3T4p;*XS2_pABi+opXkLWCE=>m99Hh<kknSC
zCuTP=_je{rcfn?yOoPXR=L35g@-*z5P>uXR6C=7@*f#6qBD_91@4Ug}Qglznr|Dbk
z6L(h|NxkY)J{PhZI`7uB!6r%VvllrZLZ8e*R}GHM2F7=YbO+Wajb|3A*84;5)da*S
zyDTV|G=BSDUE`7Q_s8e2V-Kzv+_SPQCbInTBur-yH){Op+BfWEQ!{2^WGq7#nD`rD
zo{&V@2kFP&`^AgOVvA=Ghpelr>zhVZo{f5Dd)h6!#$3T_*#X9kI+M7U-3tTf4;T=n
z``&kP`(ZRo{5udoVBSM%wd-s$Jy>ncAcVY<?*`Svd7GohNu{dg^Oogb8IQ1iZ}jH~
zpQ#0Y@~5i(^nF_&uq(KTO=Lq!=z=_=&p-M7iyKVnIt1e9s9Pckun^$!Ou4~!P}ILX
zxYFD*xHl8VJ?$Lm((9dVR=7f2#&-2oz*O#?CS5je+|0Gpv}?V33YDw!non1dIKj}N
zPjulW{ss?*xsBjts&w>|X8OZ-*gCO&-Yc?ha68@J2Ler5!bzIz^|J7{LWCbPa^s)w
z8_WNrvH&kjN^Z6@3-)|sX4dSrX@S;ajo3TS?t*QZQ!G(tSqH2<J}gv_%rR&cRe9HV
z*;6WrfX*#Mlg9@rl2>wBx7GBpN|)@lD$UNHF?|LtKD8Mt!if#F0`yK({GDI<#;$})
zVJMcuIGfm8tb1b@)~AV3;|kc-+64EdD%IyV-Clk?jXWK>_WDiNj>g%4d6odX(!xR+
zP-=pk)a}X@??O<~#3f`8AsDY13fvwa{+EXn*NCJY>T+DHnl~QtOYusxtH3okj;iF1
zmOMt;IechOaGo(_gw*!=sLJXl`5L9Kr!C#pVxWPyBZPgE>Bq8MZoWJ&NoyJm-#(o;
z4TbX-0x%Q!A0?*h@~X^Q?$_Rd7-MB>V}f*l#e)yMFdwV?IU|;Z|9Ky0XEvI4>^!S;
z&jLcZMj}Q7Sx-Qq)B{Y~Ft{%EnI(!~2Zms8J%Oubs{q##rHv}CwL>{$eu2Kd^9v3t
z*zd<TK4iNDSr>^ZK01FKJdFJrE}qXmdyH{|-bFn?K?<&X6~I~!Id*IpK^meJS10|%
z-i_RkaGNckArR9-?%SsX@GA4Gy%U|HZR~`fI~`@tzvqbfQ&N_M8zy)@UXUfCV0(GZ
zi;3*@H2?~&)uvb$20Iw4MGhe<3Ab(;S6{uGYSGchNa$`#$+NG2_9eyaT21PvcF=kC
zgpZ3_pD-;@JtT^@$`GJGD|uA5f)+_2-5Yv>y+5*Z-Io~sKzeL#{&V!Zbcsuk1MFN~
z_a1D)Oea#f6B(5?Yz^2?lt~L9M42=|Hjk8{i44oCAk5R|ng-&+#+{8#O}7`s25s#Y
zKb7n928+??FWpW0D*3-s?ZOkLKsxNh^t=pjRv_T&V4kDPwHpXEpPLB`-iJv9ah2=o
zaq-#HnXolR<h}Y-a%Mx)*L#ei!LYL))Khy-{qvU0f5tOu4UE?`bfh<3k%6JN190TG
z;4`D4;^d+%Ju`A%`mB0V9%30h@~5Y;qM)M2K-J)~nB`<W<0I&uuWmmWE*quzS7K&X
zWb==apMrS}?Z@D;^0JS5BEXVsqhlht=h;d$@xhKJCAJ_fvRwyVlRfz$P)SL-N*z}V
zPuATdtlyN*xft|ArdD}iJ;95wG_A?p11ej}>gcb74eKb0Rln~f^c%72YS|XLK^kHv
z8^KN1>*)iiP<eVPhN);7B{jkhp><AJBO`>ZyY#zWmF2&F9#<B$@bj_rqw{?w2_w7*
ze_T4ActHn$#)fhqPqRZQTGE`m!aR4PGu|p_I3pd(YildZjm9ea&%L$jlJ1xOY-{Lu
zKGxxLWB5U{HOzSf*ME7=Az-+;bh;&ZHx>t^pC%Xx8boO5dLrB6OP2SO@(JJ}{^wEa
z!w(kX3}w%o_t@Ri+%4&sWBAn7aEdQ8OM=R7dIMvq<JN)ZD6qI*+r<Qae3eE|T~buR
zb*s}SZY%|TZ|lNN7ND@!0PlOVsCReEnCrDsq<CttsVJUsp9*BN)!XltI%xb!aE`*4
zAEO>CL=TgA<|cMl^}&OH=ffFtW9-PA`l)`OM<E(Hi8o67Rxie$+_8V=DuAne;+@8r
zX4X+QUcoAlMKvPlN&rfOMm%quM3H7j$eCX?{#NGkfd%Ei-y8i%`S2%prOxi6ZN`)?
z!v~Nn0zAI&fdQ;1EFbEu<k-#z4wbmp04AX{NJ%vzOTAmwUcY8)w4LUH!I}9jMGq_y
zekbgOYpifKMhX#TRuLB-NF2ZP;pXbyGPPK;7ea2K|LF{Mn3X&7II|~jv?`WVrZiKv
z(d!w2PoeC>aNO*9141@=;tg9k^=>w~AJMuC26Du*)vuW|7=jf_*B`omw3P@-wd*Z<
zlRV5*r;F`E%VS!McLc*Q5_&2*PNC+^1M~m*kwghh6Kfhc%omX33Rd0qOt!h+jM4x0
zsna!P>V|*v1?xI+2J0NRg~t5_K=3uvyP`@Pt^7(%kU5hsVuo&-AF~L?^hx+iXg7Zl
z|CO%(o@6*Lq4r?oL@R~{K?(=@kdL(uMheh<EMPor6*@SBA}-l8*aAnQzUStBQxO)w
zwNU!S;_@M6`eFY+b;_%<=62<O7{5u$E4y5KT^vihb!bSpp%%9j)SEU1*(=E}jEi5=
zZSuFX(8!!ZPi1Td!zv;<vGo(&&ng85bKkj_>Bn9*AMB!-`T`F{LYCH?RJd%l0+s;W
zgMY@sGt&D>RX88Re;T5+MOCzGl@8~>j5${XoQo!Fxpc_9Ru}$AV6Pc7X-@p;AbB9)
zyWp=5iu7uI;}1zcCi$h(Xm8OiS+QpyvAuCu#OtOH%pe*4oMf~ldJMSZ`9|~1ZwDP=
zA|bU<{#ZMQMiC#3w@(l};N0(oqoQ9RCzPcBIdQk*hjm+@^cyv6CI~LeQ7&W3ZB;cC
zCfr3k0n^#;+^sQ#zF7`%9=HpHkmKKRL4hhQ)%AB~)tTu<y?M*Kj<}bQ{N<}qVpD(r
zbh$CTktJnO#MgZx;3L}aKy2W~S_D^x7Egt<>@6r3Pg-@B-mhiRfJxl*n)0-p!%n4G
zHIqf@#F=hB9-e?%_Q4jDnX<dg5|(n{1ZDQWuq>wr`a}c{xW9s()OcTIq2*LTEAGu6
zNHmgZ93O#ipf_>I!{KJos)sA3$2;3vJq&1f#NtH*kIi>tDP`}2t7{6_LAW2zCikK(
zAg;sfN{^pP+y*}>sOmO?`b)q2klm}OX6}>Vq2@g{mAga(uwEvmaa=o(q;yl5r^-Tc
zDG7Dm*WSgxX%j4fX}O_+6hn`uTDI{UM8OVl6)~-@WRCH_Ja@+%1rHq{H}u|!blv$r
zx*qfUS4DxH!?(weKZdM3fhH|mN$2t8Jm8=BMlXOi(o@Zh^w8)4A8wlYUc)f{@_-1U
zVz%!+CVVqhzB<=zDyh2a!pDi#16(flZKQW!)tM<-t3cZ6@Q%1-m(h^kC3R2rj)1eL
z_oC}pD6XH*qo4m8s(9CG#A^@Nz#*sHIx#2kaKQ`Ak)N}AG)4*;D8*|SI(hhSt1iM=
zYj2;!yq?m@*sHU|An^0kw~r@Z2L{y_4(IyX;1pnuu3~#EqkpO!UY7WxRQyYyZ7A4<
z%;;i>rAl(M>l_`zMCBsJ9e*k?tQA&+`C02{VL-;bW9w7W-K<7%*hbo?Sc=LC_2AnR
z*LsoPtB9AbHPzbjdV<z}SwD#F%4A~cTV3F5oI+*rX|_gUYpTp{B-;Q<aSnmeg|R+`
z#1`?s5kn;WNRF0p?jN7Sal=(V@7wZ7CCdO22JZ1w5DK;v8IR_pCnwSsf9e3DjP$$n
zHotvY_yaSf?&gpSSN=c?uy$|nX!c8~U@tz<^{GA7fauDo*p1F-_CBI3wzy~lt12SY
z&-<GZnRHs*uuW(s7~F99?r_JYD#)a41d#RP8Oy-7-ucx+D^`mwIm@t^3GN`SC#6lm
zG<=;+Ho&ljD9hZ@9oF3T2+BA3t119CX)$h=5sU<1C?94k&h^H>_hv(ZfwLt=(P4eb
zLS_-_kf$}ip3{BStLSj+^}}(6E^2k<G9e;sgLGo&K9DiXPgf&j;-Aq<OMvcw!fedb
zFa6M+4D*_%YP=c!458oWWw-Q8$6oB2YxVV^g*OKzQh<}1S~H@jHK!dP4e%*RC)q~8
zZ^Tjr9Oo_V65H#eJG?LcI_+#XYd|XOJeIQ1b@1}+%cY@4UX~7~^&HCvs0~v%<%}}s
z-R*P`gxk-O9sI!wqhbuw8uz}s5$c~iH|SIc76u!VnDq?iW&Z{_4c+H!J9g#g{E&$V
z_`f`1u6X}~+V$BY<EiDOO_j9?mM=4H9^XZUwGkqt!DpD3_lH9vA=wtRUb`O+mGn1+
zo9Wp1-ZH-(+CNb1VG12ts<oEd=itXCY`4nVHzpf8G9=hRbIYMY^Me8i7ZIAsdnL9-
zj!Z^aa~A~!o{DZw@Q__My_HOm*}Ou&R+uDqKtp}I@Jsd7o=4SIMRW2*qjQR_M$Tx!
z@~%FZg%~Dk_(Hy+$6chxG++cr-YYm;SeVZ{ob`|1v`kLC!0x`~1{gW}tL@L!<|`fc
z*cP?}$y7Yn5r2fK2|5LDzDQFV&&UZ?qv6|?T%Xm{Z7IX78xTQjfaG@g7`8!SsE5_=
zViV~QP)Z797O)O6vpdk&n3Zzjz`@okM$U-!HU#!ynTo(5qy`iYfY}=+XVq6P@?Vh`
zs_#asowy!5|IF^LRws#Oy1~4IK97(9Kq=v23=9<+=^{=$MlkqMvj>~fvhZd!;oUE6
z1$b_5YCh2=<ywf%T>qEH+rXB03tTu5`nAcn6mHeIAH*5(U2DF#MD&WIUc3*ZSzE@!
zXw^h=!7y4BGJk~L(G{N89M`$U(jf>kO-Ag_94GuWle%>$igYb#RrJ**l}{wjJIq{;
zfe_vuFB<r4qP-sUYRxm$hc>X(C2G`E<OJyI5zyM=KajNiAd^J(nBmwD>*2?(pFMoQ
z7zaB3J4h+U_j)F<GI^WPBa~&fEhmi=yBj*g^OtLqw!|1r$GaK$xU+UT0GT4qh^Wbg
z<^<Z@V@9JizNXOt2|W2r<<zp|IJ{$QJKzoNj9NI~ljDyrhZS9{9gxp=4S~%#2C?L2
z@iaH(nwgpqCAAnEe`G1wWel@!u<6(!MmmI_%M1X**h|?`v{}pdq(f*`I9Ge5ivL|%
zGbp3dDKMDQFYJu962G<E7v(<nMqBmN&?(#3^9FMURC|^=dI)v|pfyQ|(RN!KicrVe
zCkT2HqNZNqK)f!Ms$r&->)VjLuC2azn0GT0k`xeAt{Qo|>|3BBLxJAKR*8?0(57SC
zX9OR>!pH3iei8381A+ZQ=Rv8G9jR}xv{c3{;;6UWCtEA)^S|8Cy9_N(3Wl7}e6pWx
zK*cjn^{77g$D79(1{L$vnu-}<+J~Rs@?W3X@*EJ+7G)Jepi>5EOBOKhO#S!@kp=MH
zQ`%-{sxWu$Lk#FpM3AC{FR2DxKx^wTz}aEx2YVsa$hVsJm{>!EV$dU<foN}!!J~7V
z;Jxvc3)HC(g~`0(PFqw^<v<mHgB1!Dpnc7qUv-vk>r9Qn9vLr(=NU=+S7U`P`M(!7
z2@q4mtv^Y~VcB<+szly|>ask5J?|!0)V-N^qQviAqcGMx)K=#{ecG`jzs2v!*jH?b
z<R7Ir56!~cV#!9aUJ#yQLsXZ;FjpvXW-2t>H>Y7MuZ;7z!F?##Lg8geGG5CQ<Ykuz
z*>jc1|I8iFII01Q2k}4pjdM^>(>L?eMbuV_EpKE3!obI!fdZcxTPgHU_i9ed3u!L8
z_8}>-a^xCf9`u$}u@t3lAmaY@+_;_*g~aCw-;gLNaDiMINVdM^+shDgx?Me_d)2-|
z{({3F$(f77*wuQ4Cug&@x0C<nc?kf6_y5)l7pl*zEL1gH;K#VBE1`a@bLcj%J}~;b
zjQ}W&ezR#5MX`{yBB)r=jEPMG<#5742YBLHB55YmK~yB1I|`l@*5l-vMzvqxU<TB*
zALSHc$dbt*zUe@HKj{gPo1XUe&Sy^-RShP^S0}T~ONl@5uB-!TiVW985sh7qb2(4P
z%>9J7$FMV=q5J#Pya=c01mAtL8FngMMNu(0XeAWM@<g}cPl2y<e~VhaYm^Vl{af!m
zHf=Z2kNEEKp<h8c4JATUu@k>FrWu*6_=sU7f_6%4{w;M>beL0R@Fe~`8_G#*RLKI2
zrL@7woeVyv%c|umxK1p=@^na`l&EWTis!cwH`RsIy{GXU(G$dENz>-)tUP&Ry`m=W
zDz^lm_LmS~wbgC0j#cUYm&a~TIlu1*xAUt^G{ZQ93`{dxL7;aF^wVRQnz+o;^2c87
zOV-LN##t)<?1rP6uWm?Su&ly1P9*+G+4)dWCWz7iIuDl+8}}O&4)iCq1EK&AE$it%
zYsI%Zej6LgO5;<aw|W@2)Fl_4h>=Il(A8O=vIBcmsEP)4Di+V1S3SSY%L(UBk(NS8
z8yl<5`JD#9dXS$7Mj!^bXPFeF@bohH(nv8<=1nW21Y(;2aYZS2o(_6kNt%hU9)dh?
zrHOruGM^5DK6;MAaCtZAhio}TBJD1g;W@ORQQ7ghw|>sfzHS300$mAnF6$!7-@V>J
zVLyU?7D3f0bDVx7m@eZ((Kui4dUZ1j6^gsYKuq;u&7icZguVZHVkp)NZhJGBxj`qH
z&_&*E;AZ$OQz1~rWlxnI?NYb<Z??sXa1q>b17)=<-YQd{T&N$TW{h98!&r~d9o%co
z43<iu$qkx+JQ*X1a5+WG9Z31(PDrBkpV4S)G_)x9PbP>|f6VUH09xE_ceB@D-b?Q9
zN4=9dU#pb1xHrWWt=U4UtADA>$=O$iVR!Po{YLi+yBOE$;x%jGA+%j&7@jOyKLNBI
z`07-k=63xUyE2V|H*hLhw_OTj-U7u;bJXEgiE}UTkC2nQouI>9@xX%6CwWYa;~3j2
z%jB_`&8XL6qprjn#%+2Ln&yh*?0znDmpn!lLcY$iOSUZjp8L<1yb+LWuq(4X<hfk+
z0Z<Gz=(0CL_Et#~C`(`z_#}Q3;5M{a5)|g!B^1((CUEI;_Y58)Vl8byI2J7n|3H<t
zD66dZp7l-s9X+PD_YmjPbwQY#How7?t7!)bamO&UkA{Nb#FkwVETJ*=G%$(UhWC0T
z2OPZ6IvXJ(!haEaSE@=A?CzR88=&|Cy_i+ah$k4AJ;=lMdyvw1b~b@dTE{EH1lhJZ
zVri0_Lf@sfv4of`psGQE+Fi~xkN7Hq;Y!cTa&h=kN?p1&|8K9-VKLSNc5PpIJN}tf
zNVTz|pXi~}`^dSjw_@boRuKQ+Yw%$3d)eq5!en(uPQUcHrm=R?iF<lcr9;YBi&xIS
z;^kSa_fXV9|G6mKPukxc!>1|a<7Kq!?e<{%FzNqW9+dyDT%G^_d0DR3y#DjBue{*#
zIf!c4w~L8u*YmCJ*%xePyy0FNq|Y<L%IR)#>Y#TzN8`yM)sd|(;@Fn@y7u)GZq|({
zo-sFj%8%#vwC5z;?AFEL^5d+x7|Bel0ME=o3S+P(xH(g~%m+>ux1)&pCUjGbO&~8T
z53U`3tg<?ix^En{-Q09UySBAQKBtTnP`yrVAi-pwv;|q%8~ZL;UAM?v=-J37Ql=ba
z5YmZ5H7^BJtl}SxD6NyBZ=+UZQiKB~cx@jXJY+nlqor5G^OJT%>YV;r`_$dvjQJ2m
zEpTUZ;y)<dUKf{-cMgT<{Hn@HcOBYB+1SM!GOO}E9HXZQW;&COB@y3Z^*U~DQcnEM
zCGzoqA22PI<MPE*IBGu)F5+D+5DzNHkT{MO<<6F#j#sQ-v2(JhZ1#^X1mbMvuO1?F
z*Sp-wYwn=QWYSMIjFYZz8S4UO22hl&S8Z#WnQkTBWpFrL8gX{3=?f#=?L>@&UPI)i
z%Z9b`0|yT0uREwL*#HIZ8TMt2-F=b<@n4>dmyx7_iFw`7_y~*#@-0`DlZifpCIHZC
zV6-r-q(yOi>x)0hv^Q?}U0UK-;<vqBcg9%&d>i^btf>nt3K9CXdX&>}ftNJ`umA;d
z4s4aV8N>U(fjo31-|}DI<@GDVkP;cfw2{gObL{(+YcXdI$A4PN^*?Jfr6JLX-&4_S
z(pvPSE<C-BRsWQ`#Qa_q`pJ50W+l{w2AOY)%LSYXcbH)m4D)vLRYzt(r^{*DM&x#h
zIqSdVEvjo{P5r3j(*(0(+lRNI@63`Pe<W8nM07r2DpA}4Hw28hKNBibT3R%ZLcmZb
zRdah8v1mEkLeAB+M>T$}xUAb2X|G@OT>n+p_)l@6jZLlsl6vdjp1D;L$Hs0OgC1R}
z9k<1r8QX2eI0@~Qb*;mMxkFzC=ptd<v)o_YYcM`$kz*ATDA8+NWJYkYvLPJnR)VK6
zrDajrThUT3QK{W^K1%C@@_Y@SH-M3?ZpO<|<$>m|pZRlEa46In6;KwaYhN+4-8(4Y
zA?j7+r&^P&5&PULGj7R8i|+&meADR-@4j->$OZ0@Xn6+lB`|81ZDiE%pp64fc7m)w
z`7t~c$Be3*1A_OUhOd9?T}G9ld&eCQ?xlL=2aunRbbToiBlL~GG5CyHQ0V$N`nVC#
z<&~o#oZYy*Q?yD*lt%SvqexZ<*}|h&s()lhNgI{0a^Wm$La4p#*x?8plE$`Q5UDL=
zDzXj3i`D`t!7d<Ah($f~ZT0YKu#-*vT0``&fHLB^cpaob>S>&b-9e*>YdsDSaSuD6
zB5S0Pb^o4royO*FPDX|bB*i8#)A$s$&1f+_agSB7FI(fjCrBQMr2yyxP@~j0_K{j9
z89{Ec>3nH9uM*j;2F!%nQeaR;?KI#^)*0)lPzbV)NRq6^H$=f@Wu@JFMRx?_M5{K|
zIKV<t`OTH_Xg*JGE}u&eA@^~GQ6_C@Q9S(+yk^Kl-uJzJQ;dz1LbsUalwMQXhc`b{
z_gkY{wc@3qos8`lFKR;msU9Q3o1l)O7V<v%xRTw1Ez%gS>}ew8>H1)NqX~s-I2X@8
zYvRbnqUHwQeU$-vM`Wa^T?%=58^#awI766qoSA{hgtsFksQP&#AGAZt4`1q%`~3IG
z^FX&XGA+7`beww<h+sR-hSGLBPj%6VUCkP`bd!i;-_=;d`@>RWWq#+sjY?L%KT-3s
z-PPq`>`Z3ewXBLmu)I&U9h)68Lk+>#uWRJiG^MR2+66o>*kC(*h6EW-E#oboua^OX
z9F+k}0&-3(2AII1#2Cf&iLg)*C0anMGeh7CaDUJ%@Wc#jG}>qr1eY0WujC|9C2QZ?
z4?K`k%erv<@zMSm)X_GIauv%IsQ-=7Jb}@MOe9?wLW6~cUZ?0fLtN;B;T!6vkDKbM
z%Zbk))yG|*aF6C7j4yxuT#N*`dSF7<yO73ef>uqDO#`~rlbBtF`>o)DOxf6X<RkeC
z;nP;1HQ!|NQX1l?A{i6Roor@NEB;h?e)}N6YraHVtjrBGv>8_~`s+HPbY(`muJVmL
z)lt60$$;Q^>0A<*Jmd13<$xyc!T`t;FHN_lY|h!RUDTk{0*yS`TM8u=L%vPF8zax~
z8mk?Xcw}(x`GfR|u7xsmsptm7i{_P2A0DCDt|w{c&WmdfLzHyZS@-JdBTeIO6v^YN
z6O3!B5{!%-q~E9qoqd!Nc{Yo>Hd-C8fcB2DhK%JT2G}u+sXg7RgEEb!6Q6SZNwXV>
zAkV^ecVOeEftd27S5-h?S|0gsTOVXGwiB{SH8JU^PPtg-J5*ZazIiPO*63Vbr0Uvo
zFSkPV<01)|2s{Nb4KawasSR6N4(5!8F4O}0K(vIBOF<#q?FhHPi8>~Vs0vCTbxZ2V
zNzG(wWy^!jU0Jm&56RcB>k};pA#jW?TCVENp!fOb24e+y|1leTfAlcl$yK*rMA43c
z4)*|hFwul21?<j8x&H(<Fk*+xd@YO#{7qt(v@0UPhj&l8$n<HQ_NXRY$zI#I6lWtf
zd(7!a(uasc6Zq#DQOV0d{Uek>YQqTa=)xjrrJ5TjytYX^tEu57#cFV^tDVd0!tod9
zy03VICcosp-Z|biK57#u0YJ2a^U~LLs!Aq$UD6YD6}=B59?Q6tXu%cU=ggl?e^A?9
zWLP=O9$0p{OJLUkZ?8UmGcbc;G}fq<&BS!=FIG{~Ld5#PL<r5LEYw`)kI;{l%xc$~
z50d4oeOAoQX}UFfh|ownt&#Bte-39U$eegUBeju)rU#3bJ;_bRgLYB!Yl}FM_xXc-
zPW^uxUr|j{qD<FbSARf%%lh(T^W{tY{qgk2BlZ(61LLSv?Z1nkmaW47X<4Q!@735!
zW=dm~<C7G18+2#%u>-J!xL899p4v1o7{v%yd8aOT9RIdhPYDRVP6Q_glsa|zc>7%W
zm&dg(PWNrxWrg+<1?5er?+S-N!Su4oY<fVLpQo&?N&Nka)S<CX+qdt2-DE7{0O~@c
zvtUtEY7#IcTqLreax}H+50-69i#ni5M#|Oq%oR3@D(r(5*AgmViTl8fWHefmd4P<9
z+RzN*ZLH}4qayV3*!I%MGiV98b*#9@!{*l2$2Dh+3P9RR@_whaT@+VT4z1c_D$sa(
zS6k}RYapHwvLVWhT5Z=k(iux8&NvRXUv(yQoV6SDIg30}{87*NsEDP|+v9ti111xr
zcGp^9DO(6>3P*Z0*R^VTBx%R2yU4MtE{cLI4ylq?hE^wd`Z?9FtYx3$_k(0t!cK7q
zL6suW&3vH&oMhjoCy?f5*dey&xNkqq>dj1E`H0saO__&kg=;qL?@}(+cbX1r>{!NX
zWbm^O{PwdzvW{{=)LxPfo9WXg5}doh88JRHkg9lICWZLaBhSv7$M#6%!3IY~xD{tQ
zQ(UDVFve;UNP~DIpWe=A6&+)-cWzBN<WMm|y_FFAsq8sW_}4S^V;z=EDbz+QN4K?E
zvw}VzN!}K51Xq&N4NX{ZXr-EChtjmFk(!z4wMXKS1BV`pZimyGOXw`dU#22O9P|^c
zHyjEg$DVO|vt>Ju<1dkUR9_cC6z=4IH+=uN<e@&-({-rw%1<af)XMtD>}FyJbi*E&
zNUXQ4M<rGM9k7)ySe3IXY9JCij6-BlO|#v&^|c`vetKKWesc*cn9Vn?<lAJvYC5cr
z7wW>G&Q&&5B|^@9c<=f_;JZ`ykrT$${0l8*!CBP>mMQsD({$SB{99gd7y2g*?Vnn%
zNZnRhN7+FSAWHFU@7%__%R^O)>4Ii7?7NcnDrsCmRYj`9l~7#JjmbDN%w1ZTZ*oAu
zo>PuK33T$R^T-IysYV0xbw2@vR<I^ml5P<fmLG)Of0f#bP^sBd6}-0MuGQXQ>tYvs
z{GNHZfti&<v3}Mkmx3+1rT)QPmx(C`e8s;_yWql2qG`*B2dmTEY+u)GYTMs!2~SO@
z5!*pkwi6we7nz8buU7%42HNr%+~rJFHJ-LG7MDqZye>8hP*aMb%S<F5Hu2h%y4UfC
zm}G4s?lWf}-PJW?w+TAROk7Jq57lb|K<Y%TWP-1wc5G?e;g%Yco(o_~&4pu89O0}V
z5eHSjJp0;jkb$!Wk)$UQ-104>6j~DjPB>J(D!{Du)Lz3)&FzL@>Ee$t4fK!@DO842
z&lP8z)&n;NQC0E0m{$2B=Cl2!o4?n03UI^}H(XtKP7N;3fn9UTv|;>OA<^)3t^F|0
z-f4~)leIP<5;_vi7Sp?UQvP1r%lK;v-X08p4}z|)M*UFf-@U>1eQ{De04MvFajenR
zEpzo{V6fmJL><0<SXn8#)nRcY#;Q*?)^XPDrmWNlMY5CU+-pE+ath-%D1iX+hdKiw
zgjvlIKts&j@tc?bHjMiVyN@3p^5^9B@Ym)<Eq|y@66y86{PwLKDhq$}pVFX*6at(Y
z5?ufBdv*1IJls<!FZeV1Qh^CJnfH56)%daxyUGTow-!3jQecYR0tjx-Pr8cc1!Dn7
zx`MlvyLI<G=BQT09K=#T@8&6P_Ya3JX7~?J6)rA`g`-60Uw-`Z)NeaCt6qM@Dz9LB
zg6@gehaypfD&kT59d7onSr7{$Gw4i=y~P#m3febRmXp4&PI?o7IRYFzZH%~K-f^#o
zjU(HZ2LaMVaB6R;S5{-RP0f%OUrz3@30yhZloW_cdjSq-!f3?%!v-FB0>m!Oa5TGS
zLY*o^yo*onAM;ZcPFJYtxa<U}A|964e%5t(V)(v2h!M;{_ctfwp)WUgkb@O#AJ?8}
z$K?hMgckVB;EJ(oUt|g9iUEh4mgKxjyISx^^#mw`uQLQNPw`?1my>k=%xtDe%Y=^L
zJ6walBxTi>w$m}KStLI7<F=NNr>dUy@p(6+PwBPOCgUHtL&0in&9sh$zs=y9q2WK!
z4zWOk`zZ6JZ(AakrlLFdR9*W%$W1H7hC4T`C{`w$b>}xAJxka3SI1|{rlf1>bxC^A
zm{r63vjY>+pK=lEYa5C%1S)MNLyX&oKdomwN1D`X7gdR1i%`axDP$rFX*1#*FBAy1
z87e`_C2y`E?r)W5M#yVz#C$T-;+fP9k_w|4;p4#y++lpBS3?0TG=Lt-km1Y>zAFW!
zOS(uwI2u%kHL0_^ZTq9T?!t$+Cmr3vD|@*;OWQ(GtzXY|bkxDH*t=g>{YM5NdpToO
zmgV%rXUorop9`KHv41vE6&;hbhji_m_Uvr}h~UkaCx9g?q(YS|3KfrRBj7Ul8g1uw
zVehdzsZ*w@PQpE+A?a!ZR+arI>)Bc4l@E6UPQJKNWN=E4pJMqIR*i4pIPLLOfjLFa
zILYLa?$i!z2p$Rq6Wf2ADtRXJdMclV2kZ*3$ETc8ym+@#^~e`6cq}V>MfILl^wb_<
zx=`MIq$0`;QIEHKqh|*8U%9E>bFsovx7odWaMs#s*xTMqdD+(=(ZM~(?R7bcnS4Vc
zI~OsdtpWCHmJ@tspOb<c?bFhoOnKz~=<2V$JB6R`<&Ev#JU8c}G|Dz(-9op|9-?s=
zDHw{%g-|dvEfatly?_#$h!@mn?4-X^N9Dng)`AyKF^93zJ7skUEfbpmM=}+5e^i~L
zVo}~aAp?muUYwnhOywFG#k#oNI}!7}@LRdG!t39Be|_z7HqemL*%t|)&@dr%&EJ>g
zt@k(U`h6f7=~^>+K)3tao#_0yUP2|0X<#4E<wF)DsJSbUObBhbr$yt;bD&}j2_Idb
z$rPG@^g&AT?7)qO-ft9Vzh@Q38n{{5IA6@*9+8It!j$qQO8MQ!Q9@Prd0-DxwPHUH
ztzr4;2F^3eIG^=Ext$}c)nC<X>EYcmvEz=;ap^uMHu2Z_hG&TF`i?iQFWckifNz6a
zjAqFOLdo$_8l-S5wnbGfeK9T9=(?#RlCS@Ti~8t8!HY4^to<ds%0G9<tEvqaF~u1F
zxh`HeYXvq?<kAW}W|in~Zo-w;v#<5|_MX3gd`*eR_7ss<tIs|;$kqQD^3#=BT}~QX
zjBY@IMY0_zO3I!HJ6cik{vEB<@V<J#*w*za-(*?K3QmF64`|rwltZUVkDbdk@VjZS
zXpJR_0pHTALvcGGA>?9}{*oML0{DCX^lSZx%D}59Abjfn2ZZz=4C(*b=g`34tf;?-
z3?BTS8D|gbyV!4iGxqn9oYP94fd*U?7KU|f8uPa|SmsAu7zJF1AZHw0Nln^rwn)x6
zP*<A>M=GoDrTjP`$8+WtZ&@1p4A65KHlJa;)3qXe(?y&nJlEL>kKM20C`4<0bEGHb
zc#`m~=Sxl15sHZm_05y%pEIWq@O)f1s5-_@i;u&v9Rb8lS&n!m{Id{CA%Ziy^&{JU
zOdYxrQ2~tIS6gh{>!HhegY5=W=GDpdX%-qSwf&Wr3wlQ<^?t6$yefL|+iB;bYsCu~
zQ$(MOrdZjHTP82#beh-BCNt9h<@p)pxw+f4G=xCNqO+`EpPNBU!TAm14Yq$haHxxr
z!DV!vuFllbkGX+u&h!#$#yj?5PvGIahfPxA&C{uuV-MROFL%0>(I0@^iFF|ZZCszk
z6=oV;tre`$ID|gU_Nu4ZhdEBPgHAR+3i#tt)z|RFBl!-^@`O#VQbTK*_w&LhCRSH4
znyQS9`dA0|RLdcAWk^5q_I7o_Oi`6}Y@vDTSl&dxnaK#Wx~e(Wkzu)3sJJ!JX~R@u
zOg3}gFVqa}l&Jh{mQI9{GN(PRsp&WBI7N-y{7L}fpu*9QtUIq~{d{N@HF24)(#wS8
zh6d8`uf5V*L5G#l3W1i!V<5vMfCy^<e^K3A+VY%Mfl9tc<?CPYJe~GFz9+zQB8g>h
zQZfv?eoM>0DQT(5p4fk()2zcXw{&|MuB%k05^$S}-UsEY+qZ+&nU-YOR2zd1T+yIU
z{S8)m>sxjzREK_KDRx^$kl6JkUjqj=U#=N}-p(@68<c4`Q#~*f+R@GXdLG7uKFV|>
zYpn(RH@v<*Vn^z#UwY5haK%vUePqi5-24#NAWwIt_hQ|ph@!;A1xd*xRyeD>BbCtW
zw+yZiynsoQ16Hek-}gH8G9>qUXy*Ary7h>qe#(BN5uok{t_e;|%pL16h%%69w4BR`
zG!SPWLHguR_Xc?v@*A9IYYR7Au8q8ta69nVJIaDoRLJ$lWv7FEwnc{XrLiUGVGzw)
z<rLHA0W*j;NC}AC&Nv89&5sDxo!>Y$m^UTqWbvY=hUOTnvm;w;|KJhaJo{(vSrF-J
zLF~f$s>XW%U8kmCea{{sH7g~DlC^+Js@mB22Vd9itc6~7M^TM}1lLq)X`Q4)m}mWB
zt<B(3bt=ShXdRfaA(YHf=DLVOK2i=uu@p*_LyRW%B6L<mu2(#GqRe(cURPyxi#_!P
zih!+hk9i8GpRzJKC-Xo2w*Sp>`@i_}BBm1*mkRpXq&&XmR7H0kYa(8g|J|rqh@eUg
zB|L@l2c^n%(M``vyh?NeT!}lZ$H2CjR}-<+qC{Dxf>-)rL=UZ5fpOn-@TSlW0fDiZ
z;(I-Jjn9dHj`?tvSK>8gWAB`X<^DGIKf=@&i7iBIBVeNObIBxL^>oM1L4abQa@-IR
z<QBl!j|||?R_v0zs_?hRRN?0v-lI_gp}Q<SK;2bSS3@es2<4u0Z{EfC%%%@IF*W7~
zMFS_S=)P!Wnh5){=03PiKO$0#F)fN^OKbARD+6<*8)6u>jOlKy(@R9{f2_`jgNNKR
z1k{m)uA8*k_*{U+Jc7QwqUx|r@XYZ~t}fub&lfN6IDb4$`U}rdv$6qbMp&vq<XT&h
zHzNpuyG~)u>F?oBm6kl{D`#4eA#%HmHE--9jz0hVgs<RL(HkZ8jJu|g!P$JB_$7CJ
zoaf)HYA=Br&%FgP-{G7~jntsh^<KLvR)-P#`4n4+u0>5`LD<iS*;cf9GOWGd&@l4O
z$hHO@8@-MLW~lI8Q70j#+4RG~uB3z!C%u6QZ?lWBS8m?q^rW(i7%sH<n8pJ@7?+A6
zGrZUl@UsxWACYdwEB;%0L!@cr*N#?FS-Q!ckZbaf&7@?@rf{Wfyck!ZXWxA$(Z3D|
zqk!%c7u*6o{mdEmy3s}7*F2x5!iCO1vfk89FN`{BCimlD<2=KOlO@K;qG{|#Klc?&
zmut0meETubV}J2^KSl8{-_dWE2`5y|xo)3|A$lGOry5%06uEo_MIMfF>@)fEM>>;a
z+O?$G0(hlA2+kULF(DD>|2!7{@W;0k0rV4Zvf#oxDr_Nqdn)?190Q#Kf07Mdu5i!>
zJqt$`k4v3-3AW|Czo~sL0SP2i*I4h>_;deYEnNM4Q|laF=I8E}vXg+t@w1fW5a2d`
z*8Y#(M_Q#J6UuUE^UIuyzR;+~x(jzXKYaXg+ntf6p;YMiN5|f>ZYPMOV+GU{M6OtQ
zQ^At769yH>Izuwvf4xdGXv4=yhy!HY+PE~jl*K4JLo5(prYy`KVtn%LAQE{kHy`Wi
zANK1+iI;t!VeUEVS<se4=z{1=$YP;iMWg4~5lBam{^PVg`TNlrIm=vP{fIFthz??4
zBgr7@5i;l)GukAf?FOA9rgWw~11{hxTiQTkX+9<BVH3`h_>(2=9M16dWLe%T`wWyi
zKkhlkPl|P56RzbI<N!%}1jTitq=)K?T_^F;YGd~+p4Hl@eGj32zP&KSoY$f94I5CT
z^9W)g8>ZopZv!llo(W9cR9S~R*V1IQf4E!cf72oBV4`eKT2~t$7}>S%cjhzn1G=yx
z!l~zKrg9Uh!^EExXOwrWKT_X2R9?R4{W`J3&vvtn3Wz=BSggzc@=SJ6KpfTSdo_@L
z^dqIq^8PUyGs6G!7_Jm5F2b1dRok0Pd$L#LcbESBz+)X>!6P`B=$*u-Mjv>kbc^S+
zj~C2ayk9EKd8ZdwtRa(rfge#U`ODU-SgxTre{&DI>)efW6>Q-c!p0gkvWU6WNuH(B
zExrZZZlOK6x6YNn{@>w3=akZ;zog&Kly6D|u7Q8bvrKkNL^3|+S9+N%`ey;E9eI|<
zu0HJJuEn{{8uppCIc!S~^8l@qVi$=3@R90t%_M=2u2|(<A!b;+=-ctN-S<9$eQxRO
z7Vv6-|ARj5<5}l;H{+>;bci7{{eLm{=Fw39@&Bk&AtbUB6|z(IEm|zuk|ktfDp@Bc
zWf_c_BKsCX5wd3)lV!*@lRYF^Cu12iD7zV1h8fd+f9|>WocquH-E;0A-+TX<<G-0P
z@7L?OJ{F1)S+!S{gP~6IBZUv2q4hK*OOjR4<jH#K_nf@s^?)y!IOlI9PU+e{Uwp+o
ze&)v6*EKnBXB5NPTEZA5MH}JZAPC_QUi<njFoRs*!=^eAS|$l5b9hYt9)2gJN3!8m
zGRcU*+KJ@eR1VU{8@L0!Wz<`0Z_KD%b<%NLDWNmMM}=C^rfl5lUqnV|c=GT$m>9_o
zQw7ro@WOep{9Yb)o1aFQOQS%gyEwy^z4!h`iVBDRJKkP>{I`OJg7qp&1{k<<1@LpZ
z0AG$N4mMjDV(Tuys}~zvT`Ia)Ec$Cu%t}K2k5z5_)cx(R99P2dACVn4MqW0t^*}kN
zg^+UYpSL;Hp8bk(zG9d(7(C*a<Z>d>m+m$a{CGCz6j%7|uQe`zpLNom+DpSjEi5fj
zqZW9V&5akuJSQF79-S{8gdCJk|Jbh|b4V?1Q%8nZ!k{*QJFijQE@z_mQcK<6No4K7
z0B6r{)d9M5=8TTcw>77#MagNfLrc`&ZJKQ9jIWTMO=O!T8GOcjPNM~2_C3^yFH)fN
zD?LSt+gtC!#3PU0PbkPteufi9h{D1Fx7o@zKN2`v&oGSy<@7B$xjSpw>n8d0W6Gc<
zrr9pO+)cCE;!?`*d-Mn4U%90NUZe@5YSZ`Zsyrwy@u6RC5e)aNy_-Ua%`pPux5rv(
zZzY**hBnIf6U%@vDXj>njX1~PrVMxR97A*gX=w99BSMYpR$T79hP~va=6g7c>WvE0
z$ih3B?PpvU)rmA-x6_P~F}Y{Lx|7g|GE28lW{T+G9EzB0<_Kx~ieX{PgQAjlv2^;;
zB(P3@?EOEsQ~&>LkKQkwrDfmBb>*2w!PgWs(w(wlksLOYv|>*?)*5ZuFW;o3W_a)J
zDf`1Q3&>bE0YDfGO!?D=<Jw6K=MnO58mgk9ZR_m3td-N6N{{+w{)8^dV?4Z`n=(&v
zglv$2?ychx5x;kh$0T8GK|2K_oZID8>!0n^)SSHFZV<xNv#~)kp1E1qU2MRWv%~Wm
zSNoHu7yvtz?1oCB_eu}OgU-E>NDELYm)CXI7<%maFf4-NAo&&rES2g`IR0Z1(cC(}
z!Zf4;R!2N%FLh|d<+zR#rYi=fJN6RgUF2T<@%=n=UHMBAzE%95&P2JYH}O*Y(OOgB
z`p&5KM#Q<Pc0-Gr;~1-J&h!&`rkU-7rdp8qic>#kH>yCNrVckMzh#Y7S4*ckusyu`
zWg)}PLDaP*2k{;X)tu<r`P^OG{+%QUieWjv&U=ql+a7c8IgBO19v`bbTv=XX$Jjpr
zv?OnT{NJ0!q>+}Fr{#Wl{~zkW|EEgu|NsB;=ocj@e&jm(zvp>A{$B}tFK2b?*@!#e
zsHELFoLm+5_p5Q=E{k#C5&zVE%F({#1RuKruiK+=ihIXlcGM2?%nZz?%Sl3#vYxfQ
z;_@Wt0k>D#HLT%}pT<s4tOZYXzU2QpoiKjXXlT$uS4H$=jcCyUUY83cUu%S7WH7g)
zo-eDV{rT)g;8^F--1h1L`VIG^H-N>VEIB*TP|AFPeODP`ImU1&nFr?Sjolt2kJl8v
zY<#bD7d0w&|MGR5PxBYPUUVzhE%dc(UIVQ?@M&M87i)Xa5J-xP=~hEtTlyVvluOWG
z!<V#T`bGF<8i^b<$?&1zNW>(~l4!q4!19MOn_n1MD=%}`T;u8V4bKZ+EVa8;L_wS<
z65umR8Uewaq(?)}7l<OCRH0J$_M#yb5lM!#WK~_UhkjLgUw(`%D=rqiCN`RNrxKjH
znL0FUV3^B)6KgPrxU`lPRvstVJ9%T?h?_usH-A}*Hvt4lm0yvr?7@bDpZEQZ7%X!!
ze^fTzp*+4n+Qrwqf9?d|o$D;EC+=Afjc?q0kk2A+7u#;34l<WlrH2AykBU<VWtdv~
zHs1jrSd-9paMKUGn`4-(1P|ST*-e0Ms8d7chbB>lFjWvmwQIWF)X&Ly5)cjMeD}Nd
z3aHv~<6QT&G~ri7;mt_3>jG<sY@GmU-<~u|GqMCa(j6j)azhrR$YtecSGf|OKk;nS
zJ>GS{q0H&1FN@D1AB%D)G!9o8hrSjgWi5)TDlOvBPU6%wz(n{uD|UAber_Ioie_Xp
zksGmF6JIp#Lzz2Y`r^{fgqq-V!-p^(6uTi0&0@MM>`ba;G=M5gCEYLlGV;{P`ZdUh
z?<RZnM)7o`U=kny$CEd7dH|cm5L`K_X?E;0$TEzne{>Z7K{ejUV=D&0W9LE^{M<>z
zS3zJA=QcYK1fRoQeVEs3!mLPNDpsqo;x5r1Ou6c0sDc=tJ5Kw@^2iIaFnj`L);rk}
zn5<l)$4rG*nE9?>`JSkD#qK&wTIBVbmIOz~r4`)p7cgj74bC~Q%t=DNUT=`(T5hq4
z4ZNnw6`T|N-s^m6X=Rp@ae(P@IVJP2tm!sklSK)Bjhh|PnQ#8z^0%i7L2)^{0#8z|
z-^+}-#X8RWfJQSRY0|vsIDrWZxC=*#)hrzQ5q*@)v-hY`>J(4?#&%mBhnUtzpYQUg
zBD~{y!i0o75We?hY3h{RZb&uYA0gQ#$+fz||3-N)lLQgd&rC6qzr-OG4}!=mm_EC4
zf$FkFSBGn7SU^tEBIaXiBSheOlYeevwsWnV<{D*!-Pb#qkIrbZ{+Pi-O(gMun9!|=
zo<`y%aS^-pYaT1l93XNsb%)CPfjtuQIQ4ao)#bS!%rFnZm)k?6*G@{qul5cb=c}(Z
zeb*^Rv9EU&uc=zr){g}a>78h7Xuw22iky_bTOscKQK9k^iyR9Ji@@^))zZjW3qu*o
zQfd-h|C5hiX|*=NzXB>#I@>VVq90dcmy)C(SrU0|tq&kJgQub#Xg(Az;DRE%IrDhP
zvQdE`Vjaz6SH}<^q?M8@jfuKzZa)~h@hcQ^X;JUixi{!9JpM&-%hRrYH2v~b3?P?8
zQns@xZaJtj${1ZkWh|#Sf?pZ36*xdv48%xI*bFC|vzlE#TE88~(~Xo>6Q2$f9F5*s
z=aFD+;*JsJ>#dX@UF1R7Ax|vgWNe?cl+~P6>UE6k{k%85-~C@B{1-&z?yP4@2a;PW
z<y`!Zyt5b6cWz6x0#WB5OD=tC0VfI|l~9lcVqXF4EW{-yPqNGC_>cUH)(Xl)At*>d
zeWK@=fprk*q4BrMp8SaD$T%P-JuXU+DhYK8W<t?3={x3u91s<+Db;kKSe@Q|`X3VQ
zzn5Yft(k5F<6Jn3&O@gf0E&@fE-RxNjc?WtuVG8iSAFhMQ~K6n&T`z8<9N&J0e&xz
z*0sPR%$#)NrAf_4gtm#OlzyCnHFYDTA_q8I>5A<Bmm=kqMwcXJEH$b-O0wi{UJ}3j
z+wuOKg<xwqJR<`sox4?*9eis__i6U(C^*~)zWZ}m^)%u;k{ixO0X8d$Sjzs_L)F)q
z(LZ)0N`ZhNg#KNXgcQ#vW8VH|0f$ZdHy<TfP(0C+C*VR9vFo|!6z$grs`KqCzvpMI
zy$XHq`b=(rzvu96q_Yw*fKTrBI?eXTmZ3>WX{Ri7hByK~%$n#pA>P}6L2j##S&oFL
zvY+sBy3$=xEteQX$(CdhGjk&tkT+CK2y5Da(AAvR^7Uv?6kNBRs-zv9lNybwbNfA~
zs&@MsJzZ;B+Wpx~!m}gx4oz7_^Df8q?H#9Gw_tiSf5Yz)Fn(fsY?LlGCvf!MPz)wS
zzPF#WV-t&I8(}=E)If*U{91NwJj|TRY_fRr#h6bwc&X{?OsH;USkrnurNE6ETubKM
zivGuPW=nJHtm&f(O?if{m(1^ySRX|Llt`$<TdP=Uc;d3+5N<wSLNTL5^0a{^rQ9Xo
zY|`+g?{io{$y-UaH4Dx^KG{0b=@R`#H)j`P?&>*Z`$!67H5g7uiJGZ|TV~Xq9Pvc=
zaB?2&SFhV+i$6Ct5<SyMjcxCXAd}7cbJvEIv~8uITYNObu!nvio%~VoB|T(AM6s$g
zxTc2S6sFmH_x0}szb##t*~NyDR@s{PR{zH4U0jb*B!Y{!Li!R27K52}Nn9P-_yhV>
z9W<oEeUqSj@4ll+iigJ;fp@1^FI+u8^pMuNXGF84vUauzMx)`%v>?<nLMZ;@NCO?v
z&6=7atnfDe?1!G~wG+@6y2!%jy(2)*=K+p#0&H+0wwv3&tAN{(cbXQnU`gpsB$wkR
z+8kTlK0F+MN+2n>bz|~v8a9vJGxif>S>Nu7cA6VS&KHg_>?qou?*YYD>$V#UJc)pt
zbw&9yp|SiZ+ph%V!Vj8Kt+A6QXeO9Bn`LvAE_$$>oLMWW_|o5jvafeTY#&T#IRT<2
z{=I>#@+KClmabtM1q1tzpw{KwYcD$fvDDji6~q?s1lh3DkU-vx3^Y0oiMdtb-GYdP
zK+0E70q6P8^*E`F=L!`w<q97qPMTA;_JV0hN^GZIYAi$czYGb!G0BNx=9YLjPHKge
z{xt1%E;2Ejc_}}0#=*T5rk#wNFUtV@Lobr^!X0TLp8$E-V>J97iX)EXr+&{eOWkew
z>6>AX=hWUN4rw7<OX0K&O6F$UaZ1|jNC;6_QWOU0hAC0}bLVlw-c0t4UKf+zOf=Hp
zWyr6^IY7}I0$mywuY7+!-L&IN+UFYsDC3HO;t9}}#pz(zqsdZ2Z^Qh-0yhSHd8r?%
z*bf@t+oIib6QZ-lZU9T^pNK({ta+dgvYx!X<8_-L4e^+cv*`W)vajiMkJ*WYIW(YQ
zJP(W+8YXk8Kwa>Ug>%<0e6JoV2){`cOcU5FpEto#azdM|{oT9`hoBF$2bV~>-fz_o
zkXJ8U(a#1`98~$uD1*Jkvr@F1RX|oF;Sy>X+Gy|$?4wD<^Q^;{4dE!mUoLes3RQ|N
zL&{iT1Mer(Uv?bI<;DXScPFp}O~EZp&1n1gi_-IDjU%c#eu~gK|4GB{qBa|{(}pFP
zl?p)Tf!N`nw_tQ`CCou|uK7hZWT?nTPZ`x^k+u5Q%r6K~as1irJjq=s@IDW5cV?Ku
z??l2TQgfLcvsAIW)IYBn`avjf1n0!AqGg1|91*C#u$COS2tRdMu4=XPPiDQNH^o0K
zqMW8iG9f-<*lD14%Q(o>kf&RW6i0YKuWdj(%9kT#OhU^$+Cg?BMo*w8XT1S&rr#Bk
z(K}mpzm7_k9YeVru0u2Hcuzh5&U)o;kL@)3oL>MPLR;%ZT%qD38RnEG%T%&ZEJH*)
zx#7IgEvj)&RxTL?%PR^G2$D(SyYWnhz16z4f=`|+l(kr3(6nTwpP@}J%0)){4{Uz>
z)73vwemWlRc%XY<wWl=1<Hd@FVuuROf5_-Q1sHO>cOJ^&H?ewP7nAZS%>LAm0`I-l
zkdPNr>@!VMMai$MtC|OD7JrxlSQ45XqPc_y?vpS89#~gy1d=4%<$C9jH9n}1$}<%N
zDX1M>@)Z&kl=OscUTnH}kiL5AO_!XB&dtT51z8U7F`ok$d@Et_J)|i=WkP63KyEEC
z=WqKus-37f7NKQWRD?C7>|p?<%lxA%L(SzJw%$}Bm{b>&2lJEI_1T+X7$4x5yK$}D
z$CK{ydhB*-XXA*%v)d=0nIK;Q<1ITIUdDBrCFz=q4f{&iR&R1h_u=qska=T!hUG|3
z#3fJ5>HWNg98ma;v&mn1tuG%eB(bKGoxF<YX8i)u+kRlo?&w~KwY;+Z=#i=?P~PXY
z`20riofO#iN<_|=g_XZlDjNxc##9seG>GCpO!jdDqenGIW%%#o4@1|X%4pG9uFn>g
z9}nJijudD=JAMV6OLGE{Z;4UeIh%>HNd_nKxhdER53*B+v*`YGTPunc0<OHZ=RG*>
zrzG`0NB8`~vxoP7Z5fQzhm5!$jo2dtpA-x!@5q}p%PG&zh4?FO1q5$qg!@LIP2hti
zh&e;0kqjU>#layItRyExpH^4_@(EKZXNx~oSmiT1SFppgp?L9W8YsT5(n`q5@Im^e
z50TE+l%?XM4?qlcQ=;UmrU7q|JSj<ex59S9G-s%&6kEz7y%6{&BK_IN;}$={JsXzb
zGidrCb1uQoXK&wsciRzfb&##9wvCiGbihXh?zCcaj^s^X;66#hA7=`9LzP5)jo_vb
zV|Ixm5W@MsxNIh$(YeM~PbNn!E?xafCCm;61mtbHJKrn`$np|rouw7`V)ar<KQcl;
z!o+OasBRynghbs?<ddIkM}LfthT@-fJzGC^(xK->^!tow$(Cw2GZ%g|0>-yv^c<f<
zfre&1AOP8H`=ITci?HT+<a~KfY7~RFN(DvvvA{ex%+0t_OAD{0A-Y`X)~z;SiOQ&<
z(&_6l-X#gnxqP=c<-NH0<va&y%D}UF2za9dKG>UyRd98n%EQ;RnHMXsBQDV&>ea;m
z*8FZOJ9W3cs**eVjC%zA?bqWmPyPr98ODQ`21UTbvv1w<MrVK3IDIdiXoYXdF$1#u
zwHwQ)0-e6$*a5ErH(BadS8BA;S>O}0nY^m8k^-9CMrIgXcK2XV<uBK{vR~5SnvJ}<
zx++)sEcaf?JDGW(3;y|!B~_BcK%OK?QwUk#C%eja8A<@YJ7i<3_8zv%r~DT8X4TS4
zS{&mb^VVR)GwqC5qYZCmM4k_}+Vq!(M@-@%#j4&pZDA$&;$Yl7b73t^u?J948)HhR
zE}#J9XAG8m6z)Mz<}r(P#mh_@TtB>=TiRieZsy06cOEsK`r>MWqch{<D=AMO{!B+Q
z+#2|u)JFlV0&qu;(Z;MOt2IpkU5g(b>9>;?;*@GpKdKp+1*>_~-p(PHqBA!c<dmZ8
z;<(*;k(l{zHN(}#a;Rwl1#IwrA~G=hrYXw$MqrzeT(`MRY<7gm?n!~gITaeD8Zm*Z
zhb9^D02XO3$mkmQEl5DARg2^2AjnO$uy+mWkGJ2FjL56*H{FBM)-MMeO)Kc98PCQI
zwV2-tCYx<lLP>C~zpxiQf;7UTiKh=bUUW!D2j5Wmlb&9<WnpJ)_na<ol+_d#Jj#4-
z84ze41Q7OA3jlSgmpG{@IrJOmF<?+;hP?z2rzw*p;~R~R1+g>O$jYYNT8q=L#Erv6
z{Y~roInb{z??KHE(8z5|13o~?pr4R18dz}F2nyzNzC{)4mf)sAp=2VEEjgf<YpIv3
zwBvy4Vppuf?|Q_Iz-gO$^Yi$r1s%hnp2h>)1#pXab9j^8D8BvB1rM!zFz8g)sF?1w
z<Yqb1I;FB@R)n`)kGN_A_oAYir#B?Kc+Nuv3EEx2C<EqxOF}e1;xW-taQi_=jesTi
z5?d^f);@T)Ev}TcHjUjOBJ~8a!+KXzY#K!KB$75NXsr<o%Jv;uOwrWt@P_g1J1M%G
zXqj=*DOW%D7zgRnhIFWhNpk&{(;JuxSHnY{@_j%l7#)#xQ2b;IK!R!z=;I*Q^#~sm
z_@5HyWWE8l9)6QzWq6G8JA>-}^%-Gy&L<n8oEHdbH{7^<Wscy>QQlDZf-BB;LrU?|
z6<IOYW+Y9fyq6~-U->B6P<*Z6KPzv}K~fW?1#Cl(XLyBIK%AnTLUIG3nvn|Wtb$O?
zHz(FDuUDEr=F3GHI7>}g+VizPK`lN$13Q+%geJFwyfHV&aE)P<96H+opjn?hi&t&a
zoJUHm63;vuVe&AHCr}zFF;~M2YHL?e>-pBnvvYZS9w~~Ui&y9SLKKUJ&#CczkR1<t
zfKtRv&Lv9|AjRfY<uxU)ZbYL@Ld#}N{wKK_N%DRI_Ja5Gsg8N0Q?!uovD?6}cDNM}
zHm+~7eaY)0X4&lKD64Z-;iR3_`_6)N<Wrt$_r3yQ<b1Z_1zIfS?~T;X5Z<1EN9cBZ
zg4b9Ok_${AmR66r<U;NXE{0YpZ2f&W@Nhm$t~Nr<)d<}>?B^5|zBB<WZ-J~Efi62V
z{7!F4pjM@dGW-G3xpnodD~yMf+}O%xz9)Qv7KM~)8{vPUlzu1B1GZ>&@t*UH;T>14
z<T-%$54gpnso*|v?N*m7sLur&qheqbKzg^iNY$9rXak&HezRV(Obo5&<xl%kAAuT}
zk65Sd>~EDTqyO3=qjA<_m-Kqozz`<eL4mU^SjihlvCVtD-@z21C5KWr#Uvy1)hAJb
zdD`7<-6wZHky~@u_p<-4;5>OttLqyc^0$UM>K4B^doZDQ?Zw`As&<@_4^9-WNnry>
z$z;%0tX7tG7<qM0h1oZ*;`rN07t!%l+3Vb=n~A?|l-m%H*K;ghXMU^%O~6O3%L)Be
zbCX}_2Z)-1+1>RB4ih+V$4;`*s;E&NU<t#M_i0Avl$|gY)B+6kW^loBR?XG#M{d}b
zS2&jzUlHhdYgfGNU~fT-$PAXoRH40xQ0nw6+IUF1i~!A!=)fu)L5o9U`HXlEY<jP5
z<c4_MhV;YlALU(tRI28ji6~jvm%|;kZaPid_PbbI8%2f#z4<iKdgt2lgoD38PTc@6
z5aR)u5-(hmr;Et7g5$@E&rB(Az7HZ#^~Q$#gz{#I<wo4l*n5w?_sn+VZ0t?-NYO7i
znsjQ9WFnCd0D>W7nwV;%4DC<L*#zTsT)Zr`bhEUEsFQWQ4C3=t;Q8$iBgk_Ww)~f=
z?cssuM=Q9ot+BwLjSL)m%`Z5_u&D?O00JU_6GE{^irpfs#$Y8W``z*kPM=@{%Mu!P
z-_hFATzk9gWLsms%XH6)LXwIF+v=%3R4Ol%fKa7s$0IJ9QMyQ|)D#V)=<L)oNE3eU
zGP6IQc_?QWx)JzGkPr|ceS5iNSf)<oPS0ajoqX7~{J!;}Tz^j!;Ya`6q(5PK_Bl4>
z%#f-hxg<N+XVzuk;?OsHB+zLPNZ%CO!Qli+UI1tWB|%?G_HqOA9+H&Ym6n)_YJg8V
z<@1vxT`Og$`dmM+*j^O>i>q%d*Ew1oh5)+QtmPi_C|VQB=N-nnEXijmvG$j^l7l25
zel=n*{M-Uv=}~*FeoOr(^^{z6@rNaTiUNZCJS*PqXf&z$$p$`iHndf7^<7bOPEts)
zC1y#&yX?>vvRJcGnhHdYw@81<q#T<K4&b`@(b5)@&)ht8O2D3X^?k;=Pv&#Uy88M2
zdEvK@#?{gY7%U(2*PJwEKZPksGwUnhc|<{^QMGy@$kVG=*NFaYkVHs;P7|(Ca5<~a
z(!cI@k?tmooNYpF)t=uShdHWG1Y<Ust``z^NjJM5km0X6;#-=WK0<}dge>j!2>dlL
zqSzYg@5zlKt|B`nQ#Wk*ZjrXuQ#YWyZl0K<>_4GQ8y#TK)HEnUZ;hR+1Y?4Wp==u{
ziV%};D<)qOuk?f}GnD!oZpo9l^>928gdg+D_mLjUns}IY8r0w()V0fvxnp8{?T^^g
z#q32U-P~pG&R&cBiilx9uH_#~We8>#Q*T&WgavYb<WIOXr92rxj1a|PQ7)9eSWHBC
zmzMnH)C#wipEIs2O8br^!km*GRgmTQ-K2TX_NcwYqhhB$IHe$(R5wyW)lM|<sk{YT
zjx*jX&y^hyspQZXN<E<drWBo$bn~0K4!1Dp6Dm|kwgR#H9)F)o9Qt`4DOVkUDpnnw
zdVs8ni`hjd88wA$Xntf^0|n;JB;brg%2WHtVm-23feF_|$+)^`Nx&N$(ao9f1hzlx
zU)@**Q|_dm2fM<#S|~zsDxyGxDn9;);#MVH44F0YORaT%W3Kb14&w7Xtlm)1ezU;1
zU|<hAFa!)AkFPv3pPB}|a}v_&c<mWnt_`9Hdk<)Wm_YHuE`#eiNeh39I57k9DM82E
z#ND2>Zk<Wg9PfR<=PpvOE&VVNr_l)~Dl+enBY>|M8Alr!wxj)=6Qfx|tG#i@(VmH}
z;}{<P<ZD5~?sW-NY<D6=K7G-2t3}?*HpwLZT`T*-d(iv!3~0X!h=^$}#vw0*rJgT=
zW>s_B(>HgJV`dZMee?+uR_CZ*1r0Zw2XirWC~p9)Oj~GS0sk#%g>RJE*iM98=&cQ*
zY)*mhxcf`DM|D1CzTfxqtq52%JU*d0<lgBRA|XAh)Sw&?r97LN|1pRY=IUJI{-KXI
zO_*iCMQ55z`_hM34Ufk{{(?2unZI*(t^Jc0q(>o@HjBI9F#Je)y=jjZ4b3$1vt+h=
z0K%W#-i}Cs5x(d+j$4}qAF)i1%<_8!SgZ^Gt!_POP0Z`WJt`EimQ63LXak0%7oc=l
z(?6Dx{=1`D-QN^jXuz9X5W%eh8<u6o2g)H}F5Duk_7Pn2=p;n<DX*Tw({%P?PyNru
zvMjX>mPIE2>eIia)jZNkwS9o6ynFOrUFn?IT1&^!Wb}rOJ6mGId39$BI;l+^Lar*S
z8`)KMoMcCBm9u0f6@AB_t^XurOf|i8<r%C3n0Jp_QXm^4E&GuScPJ^BV<F*BH*Z8_
zxSZ{j{g11qBQ4wGpMPAKVUhKN`6ttF!_@b_92Es#vsmlR=N&QNnZIV$U-)Zwb&}%i
zc6s8;<NJ*4XDj}>!&$AjZg)$(V=X#rGPqB|3DH1qqfZesw?3`yS@QKzn3Lg_9o4fv
z7lImd2>e1DzptEL&X7B;X8Ln#Z}OxmO2;AU!8AH_$~BnoxKh{Ba%TlzKlFjJTWMQa
zpxEF#k5;^<IhGEnz-RbiJelwR^L~tR6gd$BXkSWv`O^AR$+Hau5^MHb2;Jy9CAjGz
zXq9qiEG=!tNwN2B=o4~;rtXUymMwrYXvt?_G0NHtXf;9OfC$Zrg5N;<YNtZVmK&|Z
z^+R*78z%<z>Gb!qRcJ;5D)DodsoCrM^X-ssYEL;Nr>8nQTWfMn+Vbi7eKWCB!G5dJ
z_u>scKV}g>!?U;d0d5VrlBh-puu8khx4Jq#uuaXjsOOMQ_!_l6cr`|~Si2p<oGRc$
z8;T%?905R0rC4_u1NCt^AVu44_V%T?qjNGpV4b1|gm>|>E|n9i!HR8YRO?^!Pb#B{
zt~PpQ7Zv`#%`3D}9-JsuMt1QR<P@Y$GP{6%GzOYt2U~N@^aF-WqV<y?tDhdmNVRRn
zh>;<E-RIS)D{oXLz?r)J2I1Xf%5B#Fog-nT?|sLvubQJ}kKQoFe=#o70Oom~Ci3Tw
zzGC?8U$0uM3!C)aY47X0_m!-J!D4Ny5eunNhRP#>%?5dvP9rtzC~?D~^nT7F@x6n%
z-|Z*$-d?$5>o#he2w=8yz_IEpqkkO1qA4FDaNWBIr;xhs<n^|+F2G#s^9Dl2tt*I>
zdK}OiZW9ZDJta|}YBl<l&OD0LsO^y%nCoYM(KKY~c?<K7?<FSK@XApk;~3>{Z?Kyf
zl`RD>SqOmPx0!vVtD-{~)CT@t&$+?q8U4+N4iClCUJb!g*Olq_7)C%-={3v(H=4k-
z%L3fNvvB=#0_-`^@$A>dX?{|Dlzhnpq;{fC5n0W5iC=EI=^>wi&EC(W@=XJ;c_Klq
zBijYtWyIQ3&Y5=&uKJ1Qzve(SN<2PQoNS>Pv&vUn_j*b$(j)%D+@`=4U3D&ku$6k%
z9beSj(g?ov1nZK`^!72!xy<}ga|~%@sB~BEv8>FnRz@PG@bZTbZnc<de7p3R>xR${
zeq)dt)rYL#>N2LLMnl_Vjta_WT|i(Tz*syWNRwC)!mnSHum8pIeAPuA?~;Dj(lE*1
zwE}*i)IEdY9A;n5Ig?SjLTw+(b{h2<M=d7vzRws;_&pmX&ZV`@W+Xo>DbJkw$0Ej%
zC*f$aX3;yY;XO==F@|~NO1?NY2Dl0LViecDO_E1S-n$2%S=DOxWO;>&HxNA(A{T7v
zQYKZW{;}9m)q%!GkM_c`vAM2x;!dlt64YyZQNqd|`fJ<6+0V{q07h>3u6Q$haz&w_
z3)?oW`L|^sRfZp{z`yMMiB7<n-?zxq)f~bcY)w3;w>A0B%Ct6@(l0Zd$FX|MA&FDe
ztXgis44UjGO1#^WG9;orYJOJzgrn!fW`pD1^qehCv8?*B&C3r26SSW3SiQ<Q*k^JC
zP@OuNhDQlliIo<fc#ZQAJD_`red@Oh0&(9|eBUr-1(#k<a=EMzie+Jx|HR|g<VJmj
zEGqBk2(cXN*S8M)5|8$hw~siFqB#>Uc1O6MyjflPea1bceKwOB(mu?8lxE~-&ANc@
z;yDR0%}mJ96Dves1KTJ2UR{lZq-V1&@iNDXFzJr(YQ7D6<tM#()mH@26JmiGd0&sC
zi%`753n0MrKyu#L`;_~J4Pi<retP~Y(<ynjl_h3+tbYN8Krj>l^7;Y~O?Imb9K$@-
zHUh<}xWelC?6a*$HXmm@j{1|vn}(6F1gkgfs0D>l%O=j+V@r;$$Z58{j|Dwh1r2Pk
zwlr;G5NxqF4Ot!VYgI7+HNYz(sqa@vL<@h+D(jNp>55BTI?0c`f=|Db)CU;^KJ#yF
z_+TG)P5Q0W<qSVasLSfcW^qeuTJ+GWk^%qXhYyduaP2bsy-ooZ=C|I@_RjR*Z+#Jg
zqq32`Vwij|e`~KEw+lZR>czcl=ZL=ek^3O2+Rln}(|afKS%x)#1Mvt@$T>#(f;dN{
zY5ncOUi!(rNUOsehttaF9&K55ed-!n+a?!ob`-N{-4COL!&IUdl%+`c9;2!0UNGM#
zYMpUTsLKH}iW#~exzci{Svq)qNNF4XW=OfNrMUUQM$n0@9zVofOSO>@5EvrYNKSDL
zu7-bHX^CumPI1cXJ+s+_9L`d@-OGFar<fsCYPBMR$D)?q174J0F5J?YcpZALIp<#S
zsl3_j2A8U-=L33cWkkX#I<`v3McMwh<wp4U_;^N(qxJSii~s7R;inO%EDYN1rZ!=q
zUrvj?g{7W~`E;0)4Mp-dWu2bqSHD^9cI9g%=dlk|Q08AJ#yLn2U^Rr0@CBc_JnGa*
zJO{rRxV6Bo_IqtZsHJq~wcrHfch>`xpf_vs;!n)Jnh5Mv=m;!7T2*-KZmY404hn~(
zYjS-vT0+d1+aKTrluQI1Ery79YVjoG9LPxh8$y^7kxee&kRmHf-J+s9CHY|LW@Gk(
zE-Ig)2Id|JnJHC5v6*-Jv4IrU&3U{nd5d6A8t$SG*RRbPQtreD>~)nNI2|sb>W@kk
zbfeD9AG~^!+!(R0_u*l}!El!(#;Nn@7V~s;<uH^g_0_&3Vjg5IF?XAB!+Y@B)?QM<
z@+aeWKFyM?lG;)UJ);Jk#SZ{RJE1$rH3={~+YeTM(0|rP`jy7*yvNc&8R_NOXZ2xE
z04RzfcZ7MWZ&YmeHsrU`^^&EVn$$2gL<Jvu|9#3>@11++Mb(o^RzHCQGs^zdMTq-B
zs#@E%+$I3&Gol;oQI6pym{C_)UmRRYqL8fYqJQ30ahMl0W&Ls5Ky5(va&jHK&elQj
zSIIX+|Cfh`8PtWZhx=WLslvZ#gPqw}-ug3RYj1q_wtYUo)_IOU{acd&)AiTK4;Bap
zeS%BTwGab_S0`oZs<8~!s^yTdAH^#0JUx-XsSD@6AMst4{v`4%+O_L)3z&c-JH2Kg
z(TsD{9mK_-fX+v3*PLRGU&y`MwwQk`7Ik0f8nyRl9^8&Db|yD_oHD&&{JkV?JY>Av
zq0p{fFC+0;#Xv)ol1tg!{FWYFLwv}Ce(&ZA&k2{Hl8HQ>A+yTg?b9JspgDMpOnAtl
zDrvX}%*l8}IhbgZB3rZdxY!N+6q}X0n{YUD`-@Wk6RW{5Po8*5UBX}@-0;^&YoKW0
z0zG|7_SsZXk>>3=;mfJsdi9tCi@EgtF|ZcmM@wTi)n<=Ei(Nn;n{!?TY#Aw&c>wMd
z`+@9dbbq2a%kh-_n|Hrqe!ryZGMd6FbWiY<t)Y1w?>$>B8fiU1Ns|jos!K357ktI~
z!+<jlpy1%(76Qn(Y0Ims-rBXm5Dr}b$Sk-bU^>au<0fgSMMIVi7Oe#=AL<tfObyIQ
zJH^P}M~x|d5s|+7GJ5-4=<xC3Xrv#C$CTDX)xQDk+T!87^GDj9VH-6WMb@8Ic>zCd
z36CW0Ga_Z#Pt#AmnZF?X;K{lEMMD<&BT7LB4`FN}Hk#p1w&v+1{7Epd_o!TMY{9Gt
zt5$bhOFG*-iS+>+0Onn<&A!C21YK%Q<)Lw!w9_)_-Vl2q$8)};ojEUD`%kx(P1E_b
zw?ic7mH!He^PPI}DpfEvISl3z_uDSub*V~Dk4eJ>u|2#TgGRXOg5R5B6-tWD9TKyf
z-fCfreJ5Lf`&F4LE0&EqWy~CQk!5?3obU^j)intvsw{A%N*bz8&#fN5*3$ZIdZLm;
z#>2In_0@+DqN5aid;?KrSum_I^^@}|!L5*Q7~n<d4MSguaaENhSk$F`yYL1w&#m3v
zvh@n?O4p}#Ia0Hu+5|`=lp?~QHI*$X&<Ar~0dEhR_bFCGEmhtKP&%#EmJVM{N#MAQ
z%|D7V;3$Wwk~~`jifQyt@Y#l8URcWh{g}U9f`iZ!=Y}4u#>wR-?TZc;=fC~68B%<v
zf7lS9p07}Psv%WxCA=4&u)0AX*tRZ7Z)EhRW&gQ%_1+@^PI<ZZiKA8DkXfw^c$O^@
zw3!XyY2mKp*yD)rb2`+r)RW0SDoCiy5V|v(H-FCT#v5@(MS;UBhPy~oD$skf!|#rZ
znT;~;lU(h4L?bG#D}A&?OVsCl)^EoAedMHO%Bp4f?8@!)kZ9mIz5SH2$3|;FjkIY8
z@*MqjgDl`!2{hIP<a%E*?B>Am4QIF!`q!@>h;WR~tFgyHZfvuEk2n8#-WAaQySeJ|
z>L}WFI!E4q1RAPWbtg}1j_Dd60840~Ubzd&B<%nF;C|SIR0M(0#cUfV=cTCH%(G~k
zHA4y*X=eok;{bqE0(5acf4ttO)<gdy{tWFSwywzm)(+QcJo8MH`y=uefFkI`6Fv@Q
zV$s#0UqiuaLRYJ6N|}$@26&`T)2txObCbyV+(V;IZWVH`P09$dLxe)!khsu5J?$3n
ziAz7({jJhCLoDkUyjqLQK3s~J%)eN7l!sNL4fjc$r<GFvSW+7?q-hAZeTRg0Em0^z
zkj3g!cXjQ9rAc%5Zb*RGH@XGXKFQZ}wA_+_b>g2`#5gWJ2bg3zmX?h<=_%9)SAX~p
zye;Q%unn*3%CXkz*EP{KCDeGY1wl$m*O3_24dOg<%H55E&8UXV@w?i)P5LRRRBsvF
zfVu~iP7UL<H<Por?Y*R<?F+DqV@z?zJqoT@k|z(;X(;^@ey>ysb*z0<lO2ufPK@mT
zZT!78#?<t=n&Kbuv{Vllu0Fd1DdyX9zVG!8j)&INMc8cekTzq=w>}kkV{tq={#fR{
z_<N`M7r7o|6KF4h((WINFx)T*%1+C;L3Mmv*Klh8_V^`i6Q2sF?E7<Sn<642-@etX
zD_i8xwJX$F_xi~|G$kzjuFc}r)7vqbyLGm%fmbsX+;v0o(iNQ+T0X0PA_x%zJ0l?D
z&ADBETi3qN|6@Sw|BLWh=q&KjEMEUB^y-?>{{vOixRKXsuYo30#vDb~+a$NKR+}q{
zLKAo1H&m3xd0Ga@5oBz~o?qos?{#n*1m+I)$X;-&n+V0`6;pl&el51skaxUV)7t6&
z&t1jVJj-4+pTB0xmF*>2wI&bi21PBkrZxjU_qJ)j!$Dx>%<JmF@)5an(M=uTDu77C
zsR*f63GScR3ouz1YVaEmA;S5XX2^?*`@-*}i$H-dE<JrL&?HB=bB6mxm-#HTxaouI
z*nu`;_zt8bR@vRF5g?QtH`n}Y9$J$%eo%e~xZOdtg|Ci>f07L(YhYkA8qQ;3Hl(|S
zd#!D#Y_-L-7$zGbWj`(argK#w<?C;eH0hh&=ZTM&N9Syc3H_gL_(47y$l<R{|G=N^
zlDBQQGc{HztYhWBdHqD?AJ*gag^<V{92>;#QVTUCdV^s^YK`~P^t<Egc%pvvcl@3u
z|8~~Yx#Bm~H8<=#Sn#*Xe1i#-xzJFrfRnR%07&dy*M)T5;)kbOK9k-?vP(sB^B)m>
zKLjTvw`EpichFO<n5v8?yPsCCO=mJ@r;#uGLNFO4iZ&+vcaQx~yxiF6Cd?r>72HvA
zn-n#JRQe}&ILSb_beJ@2X@al0j2VO9Djn8%{*Lflcqu%zD2=n1X;o>i;K2GNeCZLx
z7+~n*UQ6&bQ`r&?ZU6?LH|iBsG?m>B6~%6IUb#n9s{YjcnE%Q4?eo@_BNgkD#A`<U
zgov?PP&xM&GlU^(9a?NeLg7<1!5p*J3!FTsmt7V|bs8H+f;fOK%;EI$>@Qhjp6?U=
zAD_4yeL{68dE*uRBF&u~8--<AZbA0i@Oitb&|+C_j!G-N_d4fB=S4nr3m6A*Rh#gq
ziEi_-ZAsLV%6p)k3@=KF%YGEY{3ERXR^FV>?s>7h3CvNmTQRmuR^Kf0+1a98a+s9_
ziRf^6W46<V7wZpY)IFE*^h(fR($#w^zrLP$m9A#yQel3>!fxa~LUcBa2!a+~z2lg$
z1)RseD7Y=<P6cIfZ<PW~(TF%_JI*koN?B%fAg<B{itl8l9v=)UBi`XPcb>>uoh^B)
zkod0YEK3cm@lgsw4UpJ{OyInZBpoOsGzcu)MXP{(u*+FWJ(XGXAWPX-gXH@#i!8U8
z&i+R`uGILshDT;Gw3K<0;W6^xAS!B3jEap^8M{rr_Bv#5WVTo8%S)Z#x_9{mjh|M@
z$#RuEAy=*$HK4l+&cN+46qQ0?6@B6tjX?X@MA_|ah6q+Yd*Go3QjZ5cTYMCHUM|xR
zJTn9i@;_|8zdtd!NFeM7d?Ic=rt9zd+&5BIs@`d_2?s3_V_Jl|d18o7UVTt5VD7#3
zYD@XQ?Ig|8D&<c%;zG-3=796M|KnHb!cWWTx9_TbdlIF8o%^r9D-TfMbzFWLXv6^*
zVfK$8&NJ-C4f$7`T9h}_7U*Ylz;O%hX|nlC4{ikQnU9iOZd17i1kF;Dwj>{~%yEwF
zAkX=_Oq6Amxvc38m`D^NxhrKRw!7KmEH8+au!}^-$a=dcc{VIhU_+>G`)hkRa}7EX
zH02^CAl9qzGI=0#(4$EpfIy5~^42eRTWZMq1h8J=VQAAdDd7%avE_WJmd}*ZY4bAI
z>0jXK2W_dBd?u^?MRoE7tfZg4e{(!|AIu8~9TCq0svgx;$rKb+1GbarPD<{JB*ol+
zBE%UgGi@d9!JBz@<ANX;$fzp?GN&L$r)gA))YO#45C{aVET7V6Y268G-@n6HSj=T#
zD){!Q#VR%K1L6fdp8r_3!Ob~08YY_dk=ytGq8YhcW<Lr(_jRQvgX_yXQe%<a3>%VB
z^r*KR&&bA3cstaR+J4kCGsp!puJF2?!N>Rgl*0_y@jDAi5}^A>uiD%{F*_s$v4Un5
zFmG5?A69l!6J<!Mk)?}Yne#2%mdR|(TO}I`D_r6JD*eK3Y~E-(aUR`cBzS*WLYUS;
zY3&Z%Eb39#*ih|p6v_^<;;-f4e_mgEy5!BV`E!JJ)5Z$jJI||>7jvNPgpBPuMR&d6
z*Y|Wb1asWtOKDngDq!$|<TDgTj2||2Z^fk1RJ+f@#%|V)FwB6Sj@LI^Pp^8?6kP8H
zn(crDKDP@=Cc{i`7PARYyWlY8FPVz)hew$~xRc&`MqSez;k|Q`xDiZv@~v*69FP1r
zc&&}I;m@+1RG**y_5$~9_OoPm@c6#MUmPK1?=^HPmE>Qzz|kf`9v1cyRYvtND~=)$
zVcFK0$jezka#2C;f4XO+WHM7gs&QF8laUOL1s&=W-3aY&gT|xg%AXk{RU&q@Ow{jD
zbDvr1_OP<41tWf(r)nZt9H{HmDSdX}6Eyp7m%uQ;bdz#e%HBT~OX~SdbjBZ-+2K7!
z9~8O8AzjvaA)Ec^0bgbTU6I+5gYOugR)EGAPyh%Hz+<PQ*{w-?l>L|UY4`m_w?$r$
z+3bOyG|!|p4J~%Nf3v#H_6|`-(N0ADmod%o)eHIh*Zh0MXnY==m&}wPmtt7n2%i$^
zkh(VH>*Q)CH~Dsn>gKc?u#`<2d$Mb;^~2eeuUOcORM%AGYe}_qC5$wtW&z97;a_HM
zG;aDWU&0S`g*P6-Mrm`&%kIiEob-9}Wz-L2xz*&B7#(=JIwkFvU?1E#R@#g8B`_dk
zoI5TVEpdfvB?!blq-Q~5jzl|p4$=r9kH3!X4obJaFHau@(=y#qo!y(Ax(45v)|Get
zW{3eJ_swRPzyr+@_8}pE{ao9(BAyboGW_~+4F~P#bH@5FPc*JUR^hEsitK`H#}>hc
z+!xQ3SjL@(YJlS=4~_NUEq!sS)r&t}2EI*uRFgiZshm~!=S6+j&pf_qJ)J%LpF_Zj
zsQRCV;*2X=!H8qDDslnKYFJ}Az;oWRblxctv8=i+jZL?%eGrj;?~U}E&k4^Wue?6n
z(>Er`iv!R)QA9R4NIRC{N_8ipql4Ch%(AT~7&ad6A!nb7aGEGp&a1sKHM{V;T}Jx8
z?R{sp&)+UA@>(dYm`5=4jE1q<?U|{uGb_{nS-6OTfkT%+{gRZ<u$a=1Fp)qo(1o19
zo|%O~$toFSl*L%bezJ07g_mb~<oz+L2IXg5)dC`?7i7PS^n?z_BIna2E>CJ~u`Xj3
zCJnR*XMhKG_R-{zf{<taqQq`1qNf(U@b0i^;}b52<A!!*EVJlsQI6007Lp!zHHvYm
zUGI!qz+12L3!d0J)(CavtL+5DV1W=q&0CTiE<nA)&~2h1yON!3CRKJ_&)K%Nj2nPd
zat5AGR4-u?^iPI3<hV8o>BukD+#5s#I{^SQ5P<>|(b;!!;;>s5Et3X8lx(Nio*d=8
z4{jclMQJe!djnS^zxyjKeMwT-{^9;r`t*JR86m(39YrY7#`+8;>+2^PHb5k1HDI4}
zk|8hhu8nubB;X9*@29zV6y$ul!u%&i7mJcoMdBRJs2VL9ifXd8R#Xg}iR-=U*wpH8
zi3}bc!~Sq-Z4deN7fjfnuc@Hlq1p9zGZbiMRDg~g{VH8wRl?2H8{eYb9XH?+pVhfB
zLD0U}iE8`Y;P<!rnbh`{1dw<17%xI7M)RsM{+dRo;cg8y$9>jrLs4q!(nMJzxmKpN
zw6$M06ZU=bse^GwmqOiQdNn_upyBYmG(5=X2;Y>IJ%^t{*(q#U?pQ~x$gYG3{-kM>
zh8cW+dh^d%g9e%acxA4uCAlxQE#g!fDLiytV@RvFm)$Phd13pR=S*_UF-Q0J?5~@X
zB>}jatYnIzkS~@8kKwlOtiMlF?9Ml&%4~yXW;D{L*UWV>x1(+zOVduha`m40h8MbZ
zRX^8z%daHHdm%^UZE^7@k07ZNXJHpoCh~m!9hTTv0`Wv)v+Z)pzUES089Vi?MxUb}
zz#b8rP5MRS+2f;0QqS$>9s&3&&t%o^EJIE}FA&K_@J7g4CL4iT0N*2orHuL0d6>ix
z_UiEgL30t$56orLQ{pX$|5*CAUK7O)0_ZLbLn<Bsa8t@6gh<7!{azA<3%PU<>aqT`
z$4iZb9OEkg{-)rG&{sdS&tP^^qYY$BY3I5e^;BZZd=9lz0Z8g(u$I;e)X#@6NhzTB
zrGlLJ$-69Qtw|$@FkGE(LklM%Q1hvxK1~uTLb1m9Qa>$gSv$IN%di$v1sLg^?l8;s
zfA9YRK7o&`taN;y@?rFCJIGv%abV}@=;HSxE6>ov$Fe91VX^0y?Kevt`bFI$oMUoq
z1JtQc{!9fE%J6)4k9nK*M;9Nx-d76~zj8c!s&2ct)V0%3PIXD6#M3Y>P~OgIyw9y=
zLiX2)TUJN!fXas58_8~Xvdc@oX|L&}XI?R-?c1n&8vjbU`^7zrkY8tq(zZXCyRDeG
zdkoAs;?{!Ob|d@`FQ=R0;WJyvZFAYhQCFqbd{!V10Iqi#nnqLlof0YyZK=0@t{d2r
zIWQ>wP8aUop1nkp@T`L-rev(ds$Z(=PRGM&-rpX#J3o2GcI0zU8lFbX<*PJ(9@&*Q
z;HJi!fzO(ULcNE*O4lYI>))SrGPxub<m>m|^3C}T>0akFw^}NmyixE~H3}<Dttl*9
z6U7#g!bLR2T3r=R<ZRz|7c041tanP`W3AY$&JR!KC1P*jmEqQfQ>%{ZGCe7U#~(}&
z#40NJ7iPxRo)A?){57k4fC|<5QZjdR&ME9m*_Nl6qEW;2L0N7S(Q8RD$RL%;u|n5d
zL)Lk%L+6pPKrJ=86@=yn4RenlK20}=Tnv9-Dkf@dD)saw01KBy!5jdbi`6&AF)FAp
zCp!Bp;53L^IF-6!jacaZ42JzedO`FYnylQyO#@27oN>nQVbg&o#!1m<e*W1QP$*UL
zO{tnCZu)6qcN+1QZbP%g*~OJWrjO=<_7XZ=QUHzw`a?fj6B(S)h72Md07}0rh|A+}
z&KIS>;>!~B*)<f?WV-e3xGPVye2x~@Io4KthXR=Y5y?WG#Dv50ZZr=Orbh1-MDp%#
z0T}t9-QDk^h|=QKpP*aUO1szmxBQ;ryi!a8V?0h>X^WLXj1`p`u7Akd{Ks;j9?fLl
zMqAdDd?|l&2%^|oLgm}rS^@tJw!P<6f$Ux*N%$QakQdl@B$TPM$@wukZm~g{ODV}^
zgwS4{=<(VcGTrIs26g)H9&<L|mFH-0CjJ7rZNaoO3TWOM-H|HdgJqp)V=Y?A&N*Km
z7dRWd5~NSp3Kg8OEH{60DV`B~ddYuL?Cl$N9m(6Svwe?zl>Tb{D!e7ts2<HKJ;~E)
zlPDocTcO}hsIk#OJR3G=XbBTgz-s8yZNrgs5tCDws%j!cZtPXOb(b694sSHC$=XLD
z+Mn!CG|mp%rNi-)`!+*>2|#A6%#@@wa}Y<d&OFMu?=+Mg$Fd^6BNQ-{q>&p!sqk8N
zvi`eA$eFoog`*yle)rg&6W0wA9_aZKa8K`=lA^v{Gl6v%Q0_=h{q_;bo!9P&@znJ+
z<QU_S9cTV-$TS}$<53J^7BPS~$+2pa&h*Md;K8*{@mMY9xSmZijwC_@QSCb$u_D>V
ziJio=Dwi#}Pwmz?+E+|>H)h+~NcEoZuSwH!eyj9V|5!F<jLFfC_Aa1Up+(^w6G6z+
zD?njUgQ-|Y2P(>68m&f*A(dxq20gpXL_M!O;_6^gIRBLk@rlCLh2vq!Q8M#ik^DH#
zD3ej;F(6lMi@KB_qrcPzAEudBCT2ap!_qIkUx^gLs?b8_wYwsmdgheIjq2d~MW*#`
zvj=>`ixolFgH5Y9{;H*B+PLJ(b&RF_SQ~a4I{3$u)$ejpDqqn)X7f8+fuZfXJKIRX
zo*t%3J)od^Qo8{O2}zR{OYeDe18uTC%29vxZgutGwd9JIUMC$i%DJ9*`GdaW9s~GX
zBp>!TLwF2(7S?J_kwDLbd7NFn_uMXyVWtZ!hy)RFP<+FR(ra6z^o|FpnW*RK$Jkhx
z<G09-pTjG}p7Qp3cy^Gk_v@^UerEE)oq?jS&nBitHOWBn6VewJ((PCkUJm>#H}>Lk
zHyir}Twg2?@L<ka_=mV?yv@GTh=XGMbC<34JFhN=>zA)g9pMioFEYRXch7<I>*d|1
zPHG)~NvxMl*4W~lH50(4_@8yArH6aZ2yc2|^sEN(aUVURm-+PkXC>BEAJM}Rz4<an
z=yP^Jw@W%k)2<Ntcso$?{Hk8wQfz#i@N{N(V?XzYRK+f}gTcDJDGzDW)k+cK>Z)7;
z&OZW)R=f}J8n2|bOs5o3_7BjqL5nce4RgTRy_Kx}5+OK4vv(W~k`#l>QUwdp(?)SJ
zS#x-|?T_h`zje#vWneDOUYV~Wb%Vcv-$vdBmXi>hsV*{j!-LZFwW`Xy;LPOTE`)5V
z6CTbJN>*$g=7!acY6hjuk+;@4E)q7xJ0yPG9_%j6j1dm+OJ!b#K}o?)qzHYtaYR?>
z!nM2JEgDF#EO4XiyC=DW1M(d7FHih_+(SI@l4c#V4N)AV&&;JiK#zHx*J`r9MY1rO
zU0S1HJr0^7?T5>79GwHveTZKlq-K!I<Dm_b(FooV=7n3OoIE@<!AVQVHR)-yXLZF<
zT$YOG6qrYLMpq)OY@cB;bS}6ct&pw+<1_~p^L?1dCk(hrFG5ab0}3-?8=ChwlD5sC
zrmt*yEGb4mOBsZ9Eq!CtK^MAqUi4fpzTAw9`o|)~(5L<-m8CB5aI8ua=EU)ZbdzLa
znvz7AzhYi`Wy^NSqqh=rSX50vBKYqZ2s|8NGU&0obrgtaiuMf?*g8{Fej;Y}!2+rV
z7b#iFl6I7y^4FdXv3)tOv#;FXX5f{Bn@2KT2fkl_ohbs|{h})<v=>Tir&x9q`2zui
zGk4POQW7#jv|;XI%zn3M>1^qKG<37bxn^Lx2lBu1_Fh3vw_W=v_JV+jbRjArN>yn}
zi;XVQLAp{65h6$l5R%72Zvp}W0xC^Ph}2L*kS@}@1d>1yke*ONAR+GGbFgRj`~GLX
zZ}vXe2b?iXCfxVE*1FbJZaQ}~sATgO*4_?^s~s%Y$~9z69+c7mt^$>Zby-`jmi=?s
zWvqEtBG+hgmf5#awK_=j*;^OfP!81<{5SzKFYXvIt4&MZF;D%C_p=!usHzQbNF>}2
zz&Yoc8On#~Oxc&h&;yxZPuMRR)FfsuvW<9OZ&c0)Co$t3apL=AMs@&aV^uI$OWlp|
z8*jrBx)y(UemB2ePNvHr<nH87_RKCuS7-aJJZz{R$GMloBaT-j{no)Y;nOHmE`Q$Y
z^L~GFh-2|gTPFQ91*rkF(J0Sc?mzqZde4%+g5`$!h;XUCj|P$<P|~AXn#l{>iRXuH
z;%z5<kL&E|cZ<BlN)bt5hS;N^-2tB|;mrbp28bf-@CATcBgLHD(&}36po9g@?5^El
zsxQ%%med8K&>Jd>hgSsCD$7$Ys8^e7*6Lc`E2W3hUKn!qSD5ggyd%7!DbLhE7%<SZ
z^x51fywnt2x=kJ2dUc_GSQ*0&4N{+i0**Ks2t78ssIvNO{&ifI#DjNLy^kB-o@RG2
z?;@TLH+yWn7MG#X>tSCVpRv!5Tp5F1s)(1YPrLfQ>g3qu`HCa|^yW?57=Q7qSRtqs
zY|E^0{l2DtLg-1^=Lp}Vk085iB-uwXvg^h=`-J^QB6Er`W<jz$D3S*37X7v`fJyL!
zwF)W;1GHEy#-#M>S`kZZWXCx|70*T8jib;cMS8J8mCJVXB`eTkPFs0=zeH7lHR5NL
z!-;1}fx42OCT0g{BoFHuql&gNTV6j4&;=E<?lPPy(i3R6F@$HBXHeNGWoE2yG~no$
zAy2PqyZ%(No;Tq<wr6|I7jzD<ifY9&qGvGN0N+DmE-aMIXH<^{S8sbOuGs~K&v$})
zo6}!xN+8y(+uZ9Yg}IGACwGm5dx!=A8L+f+qfvAs17A$;*1*D=_UM!LKf$ovx6T61
z5X|HobLxrkZJtO|A{_fLLEdh|lIA{-3o&l(IUj!U@%E(gXt1v6^!E_4>^FEd78fI%
zR@DmTVi_M~%xImU=mFc1^My^W`H5$V<Yx^ZkDv0s5@AIC)}bs%b<qFWI({c1>iYL&
z4HLoy9UV!(M?I4xGp5N0$O0KYok|KtsL!gIHU`FjV%&{N>m<W^=MJBL$11utr;R@I
z1#Yd=KXE7`?2mJAV<9dx$XOwis4{Jm@9fcJVU0qiW-hrd4otqG2LNA8E+LPS-o63y
zayp-ZzYMXHFDT6T(hb=0h)Tf4$-T)}d;bW)e|&rk5z9XqHROdLOlHs)vwCX>1q?u;
z79fAW6(zWRWe{OXPm9+SLFPRX2UvUbYriU6r1~25e=C?14f+Q|9q-dihR}Ekgdr7O
z8%r@Zv1dH}M1a3$a~i=PFW+#K8tLFFU%DHdIO*nysqpLGx{$0+ew%w<IX6C+6Q?o9
zb=)RPho+r<yvS|+aDB|Pwy#f49s1`vZ_4YFUw%3&$5c6)o7?R+<&>{4udf}g_F?`c
zBP>O>nQArV*|nZss6&A8Gd+!5wHhcclrkf|+C}5LH>`363Km>BEr-w@H&**l2<J}m
zt8!=+`sC~X+FAY-@3}iWSHZ4{d>zzX`ln%I`Wt#;d}jCoDT3tRC~qDnPU<+;y}9|;
zh>veRTHE|&_s_(FtHmFKmwtZ4k2*N#`N9_0(Lw7DUbjZABpSS&RZv?Y-oN&cut|W|
z-ii@L+@MYTvq<$pQ(&A78O0;;#0TS;ayjJ#r?JEODR+bUahp1F7M}?s#Ia$|6HhrN
z26GPQwhKC)t4isxZqQ0-y6DkZJ6xXMP=%F>wlv63kWTUPKGy5Iela`dq*?t#RFk9l
z&`)Fh+Wt#5>D^iqmTati^X++av(<ETveCMMV%nGgqP&LxCnFXjHlzy}&zS$a^*9cT
zMg8Ui##R7g+P^I;*r}~LtS!z6nX{fyk=2rZSnasw=x8Vrb7}c8RTkROym=hp4921k
zE~GMm#qhCHgLny4iz#@f0DqC8^l3R0nU&81R|U(LVb=3whCT1$pQ9^;(lq8cTrY@2
z`}($I;AfQDttLUXEg!GR{pGl^pI1_R@5alI^VP0mllwJPEIkj{C}J%#ds@X+spM!y
z`H|jaG41`^M8QIRiw&nWY7emGLQS*))L!f6V}Cik$qdQPVxY>3QZXGSk(qN4{1s|J
zL3P7MddLgxD@)C9H%{9rT|wSEL_nQBcn6Fq?kpeNL0+><?oq~sY21Aj#x6LWLv{5>
zZllKlQ|A;5+C9sb{G4U+z8EGpU=dd*&GX*0AhCyby6JR$Cw)HoeUNc5+G05|<V(!+
z7$;TJ-tdScXWYX&;jEQEJOf>3&MK@2-|858%=;|)Ax%XJSqSPRJrQutV`6nj%!k63
zjhA)JD0i>*U~1KIpVuAiIy-InRpR1HaBX4-iVr?uj!SRVzBsPT!-cp#uFRA-+;~(U
z`m$`<M$lBk4tDQU%t?m~K~3D(lY7P?mVS%Y1-EqVOpI!3aoBA?h%{Nx+eDD}W6AlF
z{ujH&+r}Eqa%+6|*P<&8QvRgK2}?6T{agKiZ&Ts@r8BV8&|HBXn6R9BoZUe$_*Yf`
z<hzsJ^8vqN+<uj~otd;cR!97JMy&%NF>1=rWo>Yhyv&vb1#@`oGB=Fh&07n*>&AcV
zlswtX`{8g)MP1UHKEy7COgKVO>i`i}I)S}BTVP;jfJ^P4Cyt)&fakk*d=Oesa$*Ae
zh0sar=PcEJ5V#@RKXFvS^)8=)Le5>FrnERO3?fg#4arVfv(0S-(IMo78t2H6K0sc&
z^8znG-65qeh_2mf>^{=RDf8ed_GX8K%Cx?lkSBPcZe50QlCu1iy3D2PGc<2w&|Px{
zM_7P`Ruk(}*%7vnj!6%QspHe<7qD6LHrDuY;^Tv(Lp2PXu=fiB!rY5*`n;%uko~74
zn(L;En%f<~emA_a6g9{LY(HD_{&LV__C)DN4jTFBUl@@zi54|+d4?yA(~JT4XBN<G
z{_!M!S*E9V--ru#hBT<|@@nCJ&<?(s-idE<WC|`7i@H50y-}H65Wnnug*&gn{7Zat
zpsBrbel8AE0@d@Vg(#IrIKE9DR;#Mr*bdy@1VlTtKFj3oBO}e!X8<DXlE|=cz#edH
zZ?Htbz}g)%0FaZn=-2~bTtH36es>n~#wk&g=L{xlgwPm-R8d=CL+U{k9%`R`Pj+v8
zm{T|YzM;GbXL8S>!(m%TV>#zgEdE`lbXTq*Ut2C<3+xF#PGEsX3y0>Y1MxeifbJr}
z2YuPrXZ*O}Aj<P|AoN)_dcCJxwBEGt{t{k}(%}RTa8fY!HXMqb_w|i!FoOk4W*Wm-
zmGjzpZ)^6{D(xCoH@*a6Ct=p9HIMq7w}aRM>uA7hR7(R$2}%6R(Rua%_=Xua^aS9d
zrjg)Jk;jP;k;T_|K8Dhqz?&<8BJvbDaXU8q{)3Turn1G<l6kP2b<+I+Wj~|K-CDy}
z<Q@6lf*kSDG(~y|O|Pv~agz8n>pS}*EQT%j=I)q^mSSJ7Nkes*I(^A!RX^qTmi7SO
zSC0%UH+SNdqeZ8D(*<<y=af7$&aaoiIiyUa5pLB$$>_3?;4ZFL$v!tm(sP5Tn_JGI
zP1-gMA%%$r2xq1)(175nwV%tObhg;ww(%9>`bG`ceMhDW`u$Zk&E%id@CT-+<k~q-
zsH9NS>D_~PZHDOz>F6kqXU>t!6YBc)kM`9>^XhY7kL7JWjZS%SCcoTIjmK`&`7PjR
zpjtE6Jf%hf6z+{ZjtW|Wv+S%-B*;kHh1dWka+m+ssmJx!r=J)%TIu(=VTHC}3~5b~
z@QFwi<mz^8sfL)HNu2f-d)cfW>jo_LLzj2O?{K&He4Xd#VlNAD{ImRM_9Gm)R95Oa
z!%YQ3okqlPw6xfSBE%V)R`K%tQyU3W5&~lz@U|fAFGnLRH;Hb;k|)};{|O0VbAkSH
z#F+tG$RO*#9G}Fq0Zd=-FUK7J-XzcyE>P1uD}W(@9uvrTMXmltU^z&%Ur&tOrFffl
zCgx{w<>yY_s^&WN!0a->5%rX6J2|o871!0yeX+IwdV-7+&Q<<mYJHw?K+Hx_7{TQ3
zNDsBr?@@NWyHq3drtii)+j!jv_}YnM&3{f5p=O5uaxgkTRBQlj|IiYdp^ReRaOOa@
z7y*NmE|Xq=kl_Xl)^VCg3YM^-v+jvH*inR7P?%Qu;GoKVN$k18qSMpuKO{NN=^eS|
ze?|AC6}y%3v<O~mK=sCnD~|(wCB`e;zK-?SJmY-Zp9Rr(YB!0F>hJ1~W@Pyu{pZu#
zaS7mq7eo|A?T^}LACPncJjPkIp+VdDIrcy+)5LRiUpf>R&)Cl68^8hnujd5(pZ6Q5
zNMB*Blp=e<73m$Is0J>4b}$;~|JC-#;sj{`CAaS=*JZhqggDbw;nP2T2V-WDXIUl(
zpD~(uXB2ti%{mN7&<v08W0L^%<g;tO{JXF8Ch<ewN~CFrwb4AkLg~k4Gj7320E;x^
zOJdXoBlEWvpvQ48<u!5q1cz~_4a@8XXCq?%bR|pDT_{uo8!FW|Jh8G+P27IC-}t{@
zUDo$O)J&cAJ~;vbrd<XB@OKq)A{=p-BI|t{DPr#xE1iI@p3185<e&ZE%nwb%YZO&6
zPp?MdJiNOXK=zC&CIX(@np<1mMD1epDZT}tx;QMayvG8A+U3<ZQ0>tQ#{tXZp&;+0
zm!#ZkFG=9u>)ZA|;D}!`im7Ymvs|>2-f*5yNYKRnoKE+Csmm%c>}w?4gesQI*rk{e
z27;h!?&#I>345drkkX3!&ja+*nZNnDnCOh&TjzH1TX?F;8-JmBeUSMC;!$Qm<`33o
zVUK82r9k0s%;n~T&ow<JQ(JlrE4r~P^N1<+7&)dO*DZqP^JP?iEtP-w?PjfE`x|k}
zcd_qoBF>fIHD183I`=ptxD;C3;0V}G0$2JR+=KXBB3U^U%DJ@mIf#4xVO-Md_Ok`i
ztzRj)Zg_b6VBSu~*dx`2;p>m4`@ug~Hw1@v)e;=vyg$gjg8Qk_G|wF{u@}TlL;y|)
z(xCR-Q%n21kuFqH^XKJ3bYDVV5tQszjf=*wCiPs95;O5Izl#R{SN(_u&wSVqim8Dy
zBo$lWn!;ra)E(LpxcQGM(u$ojq3NR`w}TeW#=87>`JKz|1bxZtq9%&K4L77NcF3ZB
zb<GkNisuwLNN|wIR}o{(oAR|9Q!+u#73|~vNWWsiy@GDiaBoo}c-!}*cdi*c%Z1Vu
z|LDO-iC{!vh)zCP3eT)gZdL)(k<B94H+nI7A>PD2GHY^|{J%al;ZAyU8w9;hAXOur
zo>7DZDxsjJt-HtU<*{nCUMp>q6nCUSrD6QyM-BrJE}Hx9oRD-^9!2k*Rk|FsYf%JB
zgD57A$YD>WPJ@L}85`jLct32B(gy_+R1-RiK8h3>2G?x3jyy+BVZw6Pu;!jU*jR)F
z0`sOuQ0~PGE*JQHhX$Hrc=f@(Exl13I4JnAv1-Owtw!SG8^SjX$2WUU1^jvFr~dmz
z`%7n8RLc_;F_a+{{GFM|2?;?~QLX}DRS;9XpS@Ft_WV#ii<nH6d^RWC!>{-JNVw}O
zM<LMJx)}V;9R3NTOhdK#qOqw^`^8W`3x(DarIOFoPV=#D#0|d*N7YfL>;Ha585W%&
zswto|LH<-icn#sD34mRO`fi&u&mZKaVQFf4`peJuE7I2WIh~|Veb2fkc)s8Z4i6jm
z&4m*^$4>gxgP);d$yJM8m~f;hqXyiDI{T+ta6@`X-Up{x;J9SYfLbN=+qb_qsdk(W
zYY;X+mB%MDb+h5pjif6Q%Lqt^eF+UhPTlMxRa+9A)|cfqG<=d9A;Je1M^k)6eag4(
zG@1gdOq$B~HNrywkNR@{zb-985y1ElXnLK^gsOIJu4Y<#%f>OUkQ1>mWnOBd;|NBM
z<&JvFA*CXu@Vn6}!{eW@+8bPNlZ2w;dbyWU(ix4j;CMl2D$wSgEKi)<2&b#@v6N}&
z2}UIN@%=TqYCt^gEvvd!vcfC8e$z!eMEUCBTbqxl7IqHq?f6MEOmv*$DPyNoe?BdG
zUqTNvQs<hoyxNLix9Tc+3Hm~O_WSNP>#{@qgPgzoXMOsAbG}^R)?~{nYJV<weQ?pT
zNN*qwy)zb{HA$F$bRGu(9PIw=U9G-u+PzQzI98-=7O@15m`!YBj<9&@sI}=uE83S6
z=L92BRb?9+c0b31V;>3jWti(G-1t~w8TkE{^)3FES2Ug|U!k9HSedM$q1x|A8|Vr@
zW2(0yBTzuu(<0?DaKf6a1ZA}lHQE5I{67~k{N>T+nNQ+Z57HIb8cWSW`BY4Fxi&XL
zwXN&Amy^J-kMd&`StzEav(_8t8xYuiJ*V%zzLZSQO?S)U0Yxeg`*gZ51xyeGoDg>s
zqsdjx?ct1X69S%wjDX@(JBr7g3O=SsrSs5NlEQqfg`cQ#a+OQ+V$-8f7x}{*V?7FF
z0^TRvG`xL2p{Sa(u~}X_-V>Pe^RdHut9ecY*+_MFO_DjemWQ3pIeLJ{3DS%x;+R>`
z8AjGDCJG=p|K(6(TIdY3T#qf}74G?+{Jk}kpd=aUc1biO?gqyU@asHNb1gaN7*$Va
z#BAEhT-5_&UY|vJ+R~9XUW?gLwF8CL>~6@e6MhkjG#;so?5#Nd<#^u<hp~Sw6#V5V
z%94Sx&SThmpvgpb&m$m;t#Iv8jAmGlWocw2cDM{iZPV)m8saOZ#3uCk#Ikw@QY<v|
zE^<w^Cat!x#CBy7%32!)HpKt?HQ!5|L#=Vm#oN<Mhmo8tK=k|8#(;K+I>KnPrvVzQ
zsciFshn38`HQ3j(x1?*8`jmU5uPod+cdzSt`0GR&25|L`U7}?oVAS1L2+u->nn}|T
zBB+GH)0s|>y;WNWuf8(w&tzU7uBc6bTW&<SUei7ETKA&H%b_`>OsNsz=!F#2@M~p7
z*Yr`>ddt#wA%wo0B~M<wNSBSY#E-9QF2PtiJ9Mo5pD=(V_g`J)f8TN>5<bV~yj?&5
zXpgkTNWiLbnjrv-bdsW#7XW%KL>hrYgkb3*VNFr85*?h~zM4O#(jFc)Kgsci<P1=6
zg_}JSqd})ovrtrP)fnyuE!5uRj7oFF_DY}jR;&6)`lf?j=g73<!-n^APt%SkJ+1cc
zynPhzDza@9Ti0+Z)UZUsp<7z$%Ctk?)q<V|UsQ+<F8QUL!ZF9MBtoOw7c+BMSaLF~
zoc^ev?E2r0=?nJ71H7j2tYWOH_@Oa`F?H%8ZM=lH40k(dPUzAY=E&mHgt5GH_%(EV
z$;;}w&zJ-tPiWk^dUuU)CNaiInrafs<~87Ha~6RjFAQ&U#)fvQ@LbS)3LlC}n=PMx
z^YDH9=cB`%`N2Z<3Fl4GfP}C`uP}M8y}5EVxpjQgfR?528U5i#T(*YA&*Yoj>TbR|
z3aXT=lxu^SsKlm%FP{Osei(6eWTa0u6T*M}mXl%m_3_iNHQNRV5k|E8%b^mgwEACt
zLs|0~<Zu#$%)HMO0CNF^l}W)$2$t+JfghsFex)tg_f+y#T2416eQT4r=z&Kad;+X^
z`%u6Ldx`~kEC8=<e-<Sy^g$C%x1gL6(Hdshr8lxx5OK_^Dk9XgE)!B@B~%yhY8j}J
zFbX>iSoA7;HCHyTdNb|e%=Qro{^B@}lg8OW=$Km?Klj+qc>v~pG`I29LIy?G{RkxE
z$B7M*&PXv|`G=aNp#h=NLSOG~?v5%_CuNCVBMnVuBMP=ie#`J%Z8j=`rIk1-m5ESE
zrtL2Hj`9HE7SwLNxL~qncB;wb{*CfH2zTRxNl^wL!o}_EdSVEor|wLGu8#Ow07II6
z!tm&^8}w#rls_Z9zZYtB0Cr>=qengSx-Q?d8r^@b1Bb2hQcwQdn^Zk|14Du7MR5q@
zbBx%I{hsU*XlCE&vt1kRu4FZrTP?GfV<d$vIfA=Z_X@k20F%2#k9`p#KWzJy%G1un
zg=vomJ+xq=`OE}S?qlcpmoBLBNHuk~Y(_f;atL}!b?t4HT8C>I`kboXy9DuL1&-9r
ziyowwqlLRpy!E$28jCtQ4MTJ`nx-ur6?R6PE1Umw@Mu)zTJFOz0$ca;&ep6|zx>eV
zv$=cqx#y8v{YtNL4fnj59nFFg2i3|4+~iigSjr3{hc9h?qun?--dz5<LrIrcMR3Lq
zAvIOR7o}X%wL_pKOl0on#b+ow&%b(lsB`e_0G~&2fmc$mOmP9flsiAP8y#$3HB1i^
z340_r!KoXE3J}%UTk+3HM+PE;9JykyerbNJdHw%mmeT)}!E|J?`3OUNqJ!YRv$L}s
zm0y=)Gy3IVyeaIoj9!@Lvyy0;l7C`8ahx#xx7z9C|K%7U$AGB?qbSA!=w$P6%f`PP
z-^KwDqewJ!Syo@?R^gCwV@}xTC8ODa*a;DYpk4kr)Z6t%63L5?^gO9Ezs$0C)#kGD
z(ZeTx$_}%D!CB&<`QXhuc-y@xc<V1mHynUjz9E4Ty54RZbmA|^4*-w_IFHQ417VmY
z9@M;ZMeieU9;`I2FboOysV-WcH5E6Z+OUv2Yt)S{!U|`SPi_6ki7T#uwH8OmWHx(a
zB9VfOASM?=5EdC&tBMupr`fzs|6aAkG{57~gpGcyQ2HZh+yK{mSW?gLd)x$>ee2sB
zD{A%*di47Altb6N@tLpUx6Pu?loh=`DR~xt86Uv#WS#*0G<7I_ijRks#dJKVd+-0$
zrjss?28gM(EjS7NvUM<#LMIUnkHF5mn`H=|?0BSnK!`E%d1myNgCixiSqx;<BxJe!
z*}bW-nX1Ciu(z6M&;}i3tk2SH)=Y}wCY0yCzgV)3j1Ec<`AkVSzN;NC9c$(pF=8rx
zSn1pmm1@bGCNcsF;*!zLrm{T&0Q6M_#DyWx!}GrHCx$=4QM=-HV&hTPRmtl!)w^50
z(#i8uTbe)Iw(bPnxcU6z^C_p4Jc!vdbuDxp*Goy&7x}z39qs8#H%r2g%_n92e$MUq
ztLj3sf#i@8@$+dD_*abemlW85ku<AB*65f`pHqPKupcr#1rlOQEKl}>>J?;O{Q|hQ
z|Nro_r$+fxLrVl&J0Q1%;+`<4H>7#21pcN?b>dXRDV3z4qc{6My)Jy_o%j>(cCP+J
z=Kjw*SOT~z=rurFUsHRCr3EHT4F3s&h82+QNYfBPTFR}i4R4Hmjz(<YMUIE&3iCfd
zzSfZnFjrb7&k2g|mu@L4r;h(g`}SU=fT6thXYD5|YiM=9b8rnkVVXRCt4tw4F^94s
zl;oCtS18`iH8CUA>W+L4uio95P0TOpmSH##{V|o4A>Gl9zx}~(J~HligHc{dMBTd?
z{mP$0dbzS07ZMePg$Np`h}>fcFg2?cAmgVB6u*RoNf-qwRFsmSYUy!5&+cK>l6y2i
z=vW?_4!1georB*VNR7xrh%#kaG9x(N88L1UH^bQg;xyiQyWoSaTT;HCleMRd<FEM-
zJ6(5<Sw8=W8)hj2W=K$E)1l?$tphN~IB5=4IW^55AXl4oY`j_i*5#@kPvdNPF>56<
zVw!AHJ9YWZu-IKUms_nQ-CIH!K8Dc@P`DVS?2}TIKKph~&!8}h;+d74t2EWTTX+50
z7kPY@CvM*2i2dL*XJxUQcU?Dc{gAU0%kCg&iUR5!h+u1u1QZVLBytcP^V?SOh>*_g
zphF3iZt5SKn^L%vzZ}<XULkb{gn*ZlY65g>`{{8TD#Zwu;J+Mv@}|)A%zMzxw@6S^
zv#1H7VA$ICsbt5Hqykj{a$euSx1lmsP3BQnAkNYUYpBqTVFr{EiT$VO&}XA&rEBu2
z&`hFe(1OWgU|Ct7YRwqvCcBSxiiTR#qAhlb*t9D~gU%~AskPw`Q^Thlv=b?@O=3^R
z6so(8JEly0XuU!=D{dTr?AX5~@vek_9&w3j1+1p$XA~#XTN}{1?HGQ0Mi-D#10?WK
zJur~ZQ1L73VeP8pU2Dlswn8pXFHh@xFY2ZE9coazsJ*MUDkj*0nev=djM4OUr9`nn
zlz7GamBT=NM7W{~2+I`F(6@~-3xuD`;M>Qy9kEv}BcIeCt6D?xf!$3wShiGb<aU@v
z8;wAK>x^v+D?{tI?VC<`1wXN!p2S($UrYQg%lFl7PhYmf``XLCQLpZw^d;Q>RMAa{
zy_1z_0n~3e_HD3YsE#DtteNbQg^$O2Y@p(_uR}qicv0jJ<du;PMZ6?JHJmL25A10X
z$*C!~^~#Z~9xmSz<xdlho~dsz3QvG2@aps?D<|>W2E{E7!m1lLUW02)+H)ftP|++%
z8N<esaT^>pUqb_2es*dTO^u4ty+Z~8l8GnbQ(WiWU49mytiybkJV?^y38Rt}Pc56m
zv)V=EL^{fwL{@-(Z~*i@t~T@bjIVFNOUYSt{iL^{tjfDT-}Pnpy_^BPWf{=~m>ua2
zCfO7&qdO?hX<}H3`<C+JyPt#4xzD<HYqUnLHD0h*`Lt*-VvmQCOZ+V*!q)dDlpC8v
zL#2iu87f(<^<Z^N>Kg-hK{9JpmU`|jpuR}r^k{~#UsW^l*}HELhhQ^Fvl@Vj5swhD
zujE7cx6SEawI7mBco2k<qxW9xdwxIB8j!UiY>#Xsi)!C620|6xND5TNb}@+N^=OLG
zSO0^{gek|(@v$|tcD1DIqynE|(~55oewE0sf!~0>6}4?l(&u!5)BeaL$}S)`()BEa
z;6^^nx*J?DrF-^Er(97}sE3Y4Yqh%#$3G{JLW#&9AZ`qj8=f-D$`K>Zf&{$;?F!LP
z>C7a0V^&sTbuZg9W8umY{<(xq!as*P0wzj|qEZ9K42h#3=OmfWGl!=L<IflKxb1G_
z@82R<8QwHTOg$RF24LPn?=k5`2RNML4CpL8uY+*nEmDl(tPdFU!MIm;L(UM0V@$_r
zg@yX6WZATsOQ$<4<i2RlXN)DZYM`cG0&e*L(Ajc}tq5^pnvbS+&9ZAwJCFw!iTYn!
zpWxlzdgvZG66&5M?9yu_o=4eTjh_L>vw=?FE_$f}jftwZx2dQe_ty$F9Sl&e^%F)D
zmOJ4da3c<qeZ4VRRjCi4UDLIxik+YcYi+J^H0vQ=xS}TQ$1ez8cC0$TDZ+A6#!=M%
z1L4oD{*7v3H32_A+h|I=MZopVJh2Pqc;@mx@k+X*vaw{+NO<uo?JQa=IM{hQ&mWg%
zyiHnD3w*(rWpn_u@2h{G9}p*0Tyj*?z}4M%b`4}4uBi^D_<nV8&^c;mX9t?i^n5Dv
z&FvcQTk=i33&XPw3KNFr)_5jp^Gu>zsSF??K@_3TFzS7YhKfsf7*j?YD}<Lg|8nXm
zCYzk(yx!~KFZ#v&tXs-93-xWIEr=l&Mx|^$oT$N^AmeU|YI$~ul$Xlq-LL9aoe)&J
zY2rQqVJPKClIqQM2XQZ0IH<z84fVR2uYgwj=F2kR6g$1tmp{FdnNyD{^-`-vUpAQU
z)0*DwRvmwE+D-0939lih$MIHzUCpAo&3w8FlVAo>w2}@bqWKJzUz)`gn}*+Fnau-1
zj%u5})-?^)QxEr=XExT30q88DglDp=g{#bK9~`3$Q4GLD7Y=Vi?Ozl4veoTvGfsM^
z+r{R6_(jpDyzr|((f^zkM$4jSQk~n$B5>!{Tyc!H1cWU!R!u%mdPcf2T)lDnPurs=
zxHnpQq+sl+(R){3L7tbM63ri(++$G~BCuZtd!UZ6BpILQctqeq_Yxn`6cY<#y#1&S
zebQ4RT2q0Y>*klzJuXY#>Fvmpd+D$ng?dVk3;`TjRZPyc0luC*UWBz)l9y+jlhQas
z3s&sFAvlmj>Rc9b|M2xtzQ01t9hW=j>p$if$%`5{`e*qD#jL&$wk8IeKO6petyA{F
zu+7T(g8atX`JjfOK;z)Z)!b(!>4O>+qz82tLeKH|44Hkrqal2_@3^zUJ0so`GTlAb
z`tOR@Y<jM)&{8@E5mF2tYI9pAs$CvBI}pu+&gqU=v=I7gGfI~2xYGmeI{OLxp*<cE
zWdFBmF|$(Fr;gq;`(Q(MKHK~R76Cr58A{<f=S2vL2KHV!`!fRjtAS3}0gyq==c>!5
zxkjl`Xg)Su6ZhFx;>pimp|f3DfGTd%Xm+C=6WIU)Xtif1C;#9DGp}u5-41piS{Rg!
za#5?y>HCs4_Ih54v*<@}(Yy;cl(GQ*V(dRu6oyJ8DD)dNs<vvco>#1D+9#)C<TpaM
zA<7tRJ6<bgPVY^16JP6YI*1>C0j|*w7To4iYf}>eOb^y-z`W%d!LVDSa`TO~O%1^=
z25*#&eU%!b`O<i=ih}|B^?XJK)x4)wTd9_o8;^4g^DSfnc&N0^c=<*diHj%u_8Em$
z$y5<lkGgl7>r(EJ(?_ii<VFCi!GXh*fA)3aN3~@pE)51SG>wb!O_Vif+stA1G1>F6
z^2FXsZ&Q<XY_MCh;klPqEKw#mLXLX8YPRXVA+;=U*Xdl{xI%SdD6=??U~G%^I$D-o
z`QwV#$Lo)x&Rf>?q#0;At2PA`oz!UxGLOsN-OaM={_<I}<es;qv}pN~VSaw2?bdz3
zOLx;|uesAsFAD4liU1!*UU`<wt9=n(+QC+)X}>CDM9Ay4r>m!>Q@#dx-u1uqEm*q?
zI=`Xx;5j9-M?dhOb#lif{waXEObyKLwx47*qPP*3wZJrmqUg4MDcDAOk0-rYES8EN
z!;UXp%Hb#<nay1lqhe<TW0jj+9}EWYXSFR@d?7f)-<Xa1lX)`Wu20>4HPdSKAXm9?
zW~sVv4ifwt<Ql#2LSV?oKlqDOhs^BG@RudJ$xHiXyn87S!EZmR>>V%92Ps?ViLOo8
zPsPRk_BYHAuBYIq0@noII|v#JDkXFq+SI1sC^FvMG_>!yLflFAF*FHkmf!W(ozQfq
zFH(!z^%x_wWL~{bEJNBrtC-T=Mq`URj4;Zcrbano`4X<ZX^Ow^WBSmZ!Mq&j%Xh;9
zyc#Ygj1hV^FtmdwS7r_(Qogd>X>ABYZe=mqw#=j<oKbl}{zD(GF><!YIEDDnO)TN5
z+;Yjo&y&ssyac;PTa?jDSHnx^wnvxWbxBhT0yL)z=-HI7SG%XKRy0I)3k4-5NkKH5
zRp`0du@<z%RRd~UCyASi3|EXmRjeXGjRv#zn&7X*KWZVDo@Gi4?5di#X?p!x6}!KN
zn16HjWQXq1i?ER$o0O26g?gXz<eFjqk<3ktDZR}=19|ZYlgt4dbk=i*75h3u9}x9t
zegDQtp+vrR8A58ngW4LNOsG_kYU<=KWyYNyQ2Ds~jp)Fc&!rrpB)4@oE~b6;bUmud
zrXx}O8Cei7X6#Gj=^}LCYbYjBZ2nL!qjtfdK-$v&<Lt8cWyzqMaAHtcq2pFk_)UJR
zBkLQdQ7u|*9)@^7G)%T-XtK+fqM;~gf;Go^)QzF}twp<q3#8`v?%#HKP;UF1d$rfr
z7w}nD1E6sj;MZ;6J?<|W|I&Jh%rsoW#U5CJ)+(RQ%a9;1H}Pgln{UfXU&`<i@iw(<
zOm#DprVWuC<j!tN?dbEBj@9xeZJBsh(;p4*^}ieepvwq>dRk%|=GO$>fl;s4PL6hx
zq3y;4Bj=f=hWwDCC?6j=6{y&KZ(MC*ThL_2mv9`pI#_o$M<8k5<?+N2xq5<??@539
zm*ZuJ^S*aN6_Bg}rkeB#&X{~xe7l=-eJEg3`!d6*jcVTwD}$FX?W+c1XJk@DHG+LS
zs%jC(@6f;2>AIWqegKqI6vfpe)Hw>Ky$<mdt=4{9QwJh9JV~@;>C*V4Mjrk=X9m3>
z*ezDs@K4#dl50nf+8||9t&`(37qhJYWSSWS**vltvDH$Ty7f$_!54;njLGz_Wvvcx
z8#r}Kv^75iMT^TYs+ghhDxj|tV)RiIPr^a14ekfExm0FHV2(&8v~fux$jM<^wdkp4
zOsvo41j(Q%waor3T$TBX)0u;OmLroBex=J4@G4V`tp=a}%h6$+*G7qT6m8Furmm_f
zmGPDrK(0k_cEzqH8@krT_HNEQ-&T8vj0RG&E;9gEttjPe&&L%L@-+tn-PKc$P+gjM
z!Ix#SyGz;lrjzaTeP3mrRA;w@9-L3-x)-ULc@u8a4pdD4W=;||R;qI7LboddFE{2o
zj{dbity_q_%veA3bMoW*{pxvmxx487)F2b5+LYwx9wUvVbyBx|iMbDg<Q&xSWo>yw
zwp4j_x4wnlM&?CaquI=E#A#|35?F>+DQ)V#``Xyq=BOZZFZJ?Ri3e|i;7#Kf69Sug
z!9Nxj0%W!MTaU%xM9pOH$4|5Ym{QM7XYmbhlbP}|f@)5GTW{UqLYxD{;z^*u1|9L2
zBV>sAo5uwROcHEu=1>;x1Gf^MkH;1}YV8~li94NnU%i63S~3^b=YQALr989Zl8dwA
zwLDw$$;As?)dnKqyC@OaXq8v#ZGH@>!*Dz%L%iZ_wrBNweKAD+#lSj_)UcixZS$QF
z>qn4Iu$L;VPj_htb<WqW@mlRhJ=k;D#wngKz$ONTK(FS_15Re3@6IB~A<(zoR-mW}
z=89^|@I+aVq!^=$J5!~7;8j!SAIXmmilXys>usOvS!lKPs8_#w`&LgxQL6+#Md@18
z_=<QwUJY<}k$`1Ggr-d~<7JCrjsPtpJ)aSJC+zm?Db85o0Q&&k%^v1tAF-@u?!)DC
zF<<bTjB8YzHgFZT^+37>$u)wiV5xl0>vHv^NBd}o2aD*6&U*y*G=ee`9sIwSYjoyT
z2m(U};?9_+={QMtFre>ck9t8@gr;j5!#hAP-Y_4_yR>U6IUK%+=;qITW<?C=fS7Gr
z`Kaq`**AE14m&|~FxJGK)Qv2oruD4V;e}nhwZQD!N<)GyLYQgGvS!r7Xc}Fa`D{%Z
z>h(@D*EB-)m4BG5b;_!UBfa?MeH61MFv6|tLymo9bS&)B2MNXdR0)br9Ltkd-ZSGq
zk)Y`-_<CJi2HtGkFy`ED<6Z9X3ldnHE<kWuezdTp*)1L9kzkqC6Q1g5a~c1O*0pK{
zBv$K|qRG&l3t{)R+S5gJNCmRXK`|5N0H-PKOyJM!E=V{)pPM6_Lc!m<T8S_3jVtfr
z)Rbk*;TbGft-eA`C^YPN`Rsi_&8>5D0D8%alNlN3EmzleU5QKj%5arm;8JPf1S&Eu
z(8&wT8Q9T5xTd!Lb!9?-)T9>uQ(<3Abf^Gzj;i>|r^cBeItObJ9XN-0Fo8QZd%&kh
zQ%Jl<Lw;>2j}P!y6tEW<ovXK>%!6IJ@^~SGDk=N(`Qb#?xvp93L~0THRQC)hD${|a
zIu<a6I@;7dvX1a9B|$2GR8$Ggeal=zU)D%@HhFIK_7P!~9qASfzz}LharkH78)*~q
z?r4MxUfDHo!Z+8C?ueO(eSVOx7G!SVt8w&njC)e;my$S{f373B*<DVD8HXrF@kT9l
z<i)|c`m_bu>Ia-ziFV|XX+w_>ZG~EGw)Y!!J;WVkt1G7BGBb2GA6*ahi*X=Y7#f5u
zNn*xy996d`4K;t7+ZftljUXspLKE8UHvomlfjt0qJnK25n2H5}o^~<-D9sfX%)$7a
zmog`!cH(V1?aZji;sRnr)~`GOtEkDArzDW>{}w9CtK&NA&h~hx_U9lN1Ym7XHzIS-
zuq?RIv!yUWcz`!1*DTgx7zZhveCFG`DGc&S7bE<78|2}U*!`>HL+Wi6a}z>r*C~ms
z2OqVS>MZ_gv!JGlPJ7x9EZQ69+sy+Zq*I|+k}E@=p=;96_(H>*%}PN_VVKe&Y!Gt&
zXOCNg9v#bw1xB~?Ku)!`m|i~1i-wJnuZE~BZ7W8St^m{Zi^q0=p_L<%c+hMzZQGXr
z;^6aE&D77m`-$(7(p@FUAr$oik02b7gLEa7v-D;(vYmBeAS}HAPt8HwmE)7B>b%N2
z0c?uo^{>H_=gQ|j&lo5mr)h$#Z8Ob;Or{=fAP&JtA)jP4XsJ71n{(#vEAWE44R5HX
z`#}T?ML!6?zZE^7dVK4<9Hjwt1PNf<Tx?O+nNhs(A3X2yD(g^b*f+;#4}if}ehQcJ
zNzb)b6(V}F&hqH7(;P?m1x5T~#~-oN7XpKT_db4^32}q=ew>r4gpN<64G{AscCu1o
z0f_D9ijDB+cwVT87QU2b2n{noUl*7{agLU5;1SVoIlqSRi09sFxJ5KKNq^y8nkWSD
z3m+oHhqT2|E!u2R_^wGEt+oKL`fdd+G{pljGPFr$T2>%IL%7_o|H^ch?vM1R{Wnsa
z4H0J#vNcthnh-t+TO_L^-c{N6!8fS3>{!6BwPY!o=#%)m5BEM@@Q!_UQQ<D(Mk@6s
zU4sf*J)qbFCwClqX>hLY-;?|Ge>k}%(QMk?sSH`|;sPn`0KOYhmABq{+KYwpiHC$C
z?LwMNqMJQof`}K45h`>xvBQKLZZlW-na0_kS(uAnCZKoYstc%&^bE}wpEU~u^$Ptb
zMmA6Rq>>%>-sM%nJc&!F+Vi9vjJq^)m$)|LO%cm&9M3bkRIBvIuDLB&pvMhyR^pIP
z0e(2I?jO=236(a(A=1~F>*%vOFOaXO*wx$AjqgZBN6$7oTY<Ww@QLtgL^)9eYKM$c
z5N373R)6@6_dxNsBi#T7`%Nmr6VN~Lv$Po96j9>+b`eyR0-x37K|$dZJkP3PXeaEG
z;=WVvv7dI1K30|}b?Gf$evsc+Qv;U5>2dFZrgGr)Ysfm<r;;|-lr6o32GFayM$1!y
zV~%T>n>A_OAWc-uJtS~rDa`;!d9t*Fvy?GzWWo>M9R4-^n9=rl1pSaFpR8$e^twZr
zSoJ{o!RoaOWt`VsgkSBL5VQf@hFoRS%5#Qs#RwBiXeZsAuz5JN9mdyTgLRUeSQpa7
z9A36bhidX(E;ZZ~{c%{*{(iU=AiKQ5?k90EcB%Ult?a8q=39Cr>u5}w`8dT}J4}@_
z+18>`P2adMzNu^J4bK)j6F2kjUoe;5f#PAosEc}3d<~QmX4liU|88u%afK}CwY8$|
z{fij=bd>O$)cIXWvFEzz<8sxHX3q+)>UnCzm;sxPTJorXrp(5zr@dskoaGD6^vy-c
zMrdd^EL2{+YXDq%EDZ=$pkTWa!;v!1aZVs=Zp7~)6-QB{2^{PN>GCjg3?^#?qL=4>
z?emp9Lyfcy#a`67cIZW(3HxLR^~gQyA}~u}JKi}n2*xhnm!B2ZHqg>A0fo9G#MfE>
zJs-Pa)nmS!t*77VxAcV_qpHyj87QXOzX9FYH~s>{JI(@}sI}6`0M62>c&iz1iL_wp
zB!WRRe7?ZN?HwSz`^O90n)qwwyYmsvrvYfV;Xu2HsFTS{|9$u77!{M%2WhiCy-S6n
zZ`?(ds#MMSTO{N79{8s~ON<uJ5AQSt`s@xp+sL=qL+<VY>`yUstRr*Jrqxj#6+xz2
zVg%vNCKD`3(CpMeq(BH0(g6HTd6#j~$pHI0(qr@W;0L$$hXOllI2?}g_b~L@fKa~B
z5*CtnA{rMqM?Ou2^K_`Og{ghmNR~-Zo*l!7Q$yd)sQAgNxrAi{w|D*I=X{s$#gy<}
zYC;(TuSW<=We6!#6hDKC22oRG^iGXRF;Xc8IgcgY_ol65kXCE$aecq9-$3+j&b;%-
zOS9X+XV}-_Q<k*j*e}buFxt_xQ&6)d(xuVrM#ZywCuK#*1j4i)EadQw#DmMXmBb}(
z-w~*!`_T;rC(^tQJ{I)}D`4Yb{D5cG)O}B>HHUpQL7ycZox<Ac%!Sb9vT<~-G;#o`
zP3v02((-29fVi&o_-Za`piMr8nw6q)r+o6N`ctuz{(4_%u5L>{TMA3W8Hy0+Jj~Bx
z-#e-9pe7YtCO|cqRWTah>_)swwuKYGetH|(PCA1f4Y-!Mxvyaa-J7WizVZ@p`^73Q
z`a-%#{NoBA=$}%>S4h4QZD|PmX3fy28X9-{=Ugs=$(dw5F?^1@0kZ#F>B-lT4=%1w
zAD%gTs~FGE5~Gq^wD^GZ)*FR@L4xgaW&x?@C5RxE)z{dNQJC}aN3ZUlaMrU+x-U2`
zSnu3+D-g9cupEMvm2BxOd4HOQjkp&Un)=1(=M=YK^hf5QPFq!5l`tz;fJqWZ77lQZ
z2T=hGBW4Sp(qkeD_iR;fjzCzPeL`|7bxDN1Xy<-?@3lK<IwRyY7sT$F-QsEsQy1Cy
zZb@97RunDG_%yNa98-M&bF9PFG)F6s;{?;_2@9m2A8C?z<dan<Ra=EVPGCX5dUQt-
z!8D|?-BJMT2<urTHr9dK{!P;tJ!~&(uzt?}9skza_^~G?Wg;B2n=e$gd68Z0BMb>j
z8|K-#`uuub?fpk@Oea_d#f;a>of8^y0-Mg$kH%>gr)@7?EjLp;{;TfmDDEJC7lEE?
zFki4{Ta$8$tAj;CC0_4U6K~qADL4Uu9sb{Z4RGQdCRQHMLM3VQ(<DhZY3Gqrct$v+
z2(b6nMqkI*MdR#$f6$~bCyncFyzf4K-9{9S@i@RJ$0i;^PNJ&D>+=|II@9>zZJibn
z^^Q2?)zRik7&=84pXBPT+3$T~<8u72+}&6O18J3CUd_~p8?WsaN~OjY-?%m02i8|U
z_LD~FWv(Jf`og?|-E#ln06p|}rrWU`(yg9|q{pdAV>L(xb_<!CeVcWshNc${p4F@a
zkiDc(7kchll>=?Dn<&Y)g{ix+&<ob<t{&z?m(#fS`WO2B!^T9{3wjUaj}Gt5hheAu
z=1V??s7T^{tYJ0fjcfQW3E+4G59@mv%M#e3`-Atbju|oi7>f?obqu8$N9o6-tlO?M
zqYm01yZ++Be(#Mhl}4PU^_O0|x80TOB)V?7x+n2}_-sSyA+VqaF}P#Q2k@I+ZFogz
z;pI%R_{?8nF<?<>ps!PVfj-mp^_uqho{qMA*M~h}VzO5ll&($%#b}?qJCkiU(VjUT
z>-klugkW3@FSWvr$@x%T&<2j@$@e(j`_ndmqqp&{yO8x0BL!%a6=jWh&9P{?!K*>*
z7-m-L&+oF#?U3y-f55i6Q~S^$TNu>>JTlMFJoiTfnhZ%jZ8_(dcgI+Ip%}+DSuW$B
zn!72+*Y|9NE+IH({yFk;9NEFwO$AXRJ7BMaPM1Pwjqfn9t)|76Tgt}fwuNUqn~7MQ
zeO(Bvbe{W=-Oj(AY9;C)uqWmmRDIyBKVRXB_~lw`?HHz@xgJ+Pc9ch{OLEg#qPohb
z?n8C|!%D%u$!~SB6v0(GTkarF^B4_eJe~zmT_wE33YG!sn7fi*Ib>J=?NkLf-d>V+
zUq<@^S3)Ba@!H1Qc0(X*ZA=-LpS&5HynM~JULzpZ`Rdok{c@;(vur336(>yF?cyN-
z$Venxj^W$_yzCq7t57?_@*r6)Zo3q9OjN4rdQV~P`~AvKSbH5fuCr25+i$P&4Qp(S
z(WpmLYuA#c|DYM~wqv5x(9|yLW^LYzVU}@FA>q%<`(Nyc!C6oInfH{#QNF$lcN!l@
zwItsoTP*>{h1}M}*(InBBr{VsxE)AddXMWW2XPQIME&8eduoo&$XfYawMWu><&3Ck
z1DDy@8(M&4D*I&O1IDW&g;;hZ%@9(qX$G2-2FB-)DfUujks4b9PvZG_&mR#Maxv)7
zw=cNbrq?Y6TJPSp8>pNQA?zZ?8v{w_5^F7TN;A|J`TGK3+U^Bw-l}%2B~Zc+uyx3t
z8)yYb?(fFnbY{ss%b+tUT_M#-(3sQ^Ow$ChY2SL8X;mfFZrawA@Ag`Mx4I%iF2?e}
zW=8SYUFu4!b%;EgUh&ob@o|06v4B%GoUP%pGEMEh!#&k!Kj(Y+o%iv$EgjDYXI=mj
z`m%w!0icW*MhEk-E+$1Gv`~dm!3L+|eBH~NhWEpu%0Y(l;`|eRZ8JV+?nqQp1^?M5
zM`)j`8r)885)inAs|pU&+G!8}(1=Uv-;gWs?d{#vP&#KIIpL}7kSkMLi7f7}LFw1<
z<74#(=Zl1|b{G%~`2P$WOzt!Sh?I>_)Gwgn<_G95=wj4FS@ZrOG~mGC%!(nTAB6M(
zq7sp>>+xLwCP5sIx%%l088~M@MA;<ZncMcWnFq7@G3-;>G{cEGdL9ik^N~=UF4FNe
z(Y|6BmNR9_&HXSb^+`YI;(3RImJVbY{QsHsQLc&PPLoNjC@as{zM$A4H2vm!!qb1C
z8CNpBmWmpnC7u+4DrzXb5-9VjkKy215_Z-&w1vb^T`OqH-l3OB)e4@D`8sh^I0{lA
zA$<gVqyH9W+WA-WOn(+r6X**;RO@8$AVTA0b=>dl-!kbwC|pP4oYl&IrinNqEs|#a
z2tGN&c8kRwxPbV9gKU|>cy-J5xs$Szq_tgG{g8#Ht;h-9%KUJBUH9pd&~rDHwto~^
zxTQXg&z`ihbpP;?L(4cM(Umg3FV07W(j5Sd+C*?gWSgW;&5a7coO6^Tloz9BWfRvp
zqwb1&&m{$%P122RmFcR1OR8SemIT^gZI%ROAadlHI$+fe<LXfTEdJ>pBhs>=hFjsm
zCS|hx?cHpw*o?a^mitaQxy`vo?G?+G60f0OHCEoyUpcIhq0*lk4D~Geu=mvarJT{R
zt_z9Rre6GZduiNoP>j2DBD%&~oR5-i$h_ac<YJ6yUMpGVwKu78?twh1h3|R?+~OJv
z4<V63Yv+@_4EyX<hvlWd7$|3_l@Qf)!8;D0O<!cizVX(Eyo5?l8Fbg?k4;q>Zw#)n
zG(NS=hMk)-sZFLEg<Aef3<_5Hy$YU6^MG7nR`G4vK=`p=H8+)hbjSz$rTA=4@8$`0
z%G{Xx1cbjx9XoG!2gJv^bC8O&Ke2X+q8Lr)MEHJUD7A}ACV2C;2LfBQ2=|HVK06KQ
zN_utO<IhdN=J&(f5xwR<clh+-44tQaiYz`u9!|t{>O&`fTIc6NmLXL!dIRSPqZ}AL
zN;n7zvoPK2%!fT6`(i7<eva~B^GmXHoScTFg}BK$s+ynF2xyX82EDY8G3*Ojy5s9L
z_HZBnkz%{0<Fdi-e>wCUl^zy6?#!<@!7cvd=QYta0QeTu{TNb|0T6Uw^V~B$_i(vN
z>}XA8f&uBO1Vq^E(IFQ>j&sLNB)OrRnQXqr54d}!5$!EZuXx>SI(>~x!jjW_&R`h}
zhssGuoq`QL)x2wdw^Ub~R32%kS3>uagNBTpkH%7V238wqifdqm6O_ePF7<IbP2PXa
zz<+LL<zk00E={c=bui7M=7YEYo+Yd3=!oVepaOF;4$-9B>FOsU@wXA;69IiL?ll!7
z+Z)156E;D~Sk4P(k{!h88JX9{A-k)SrSJ(##4B#}+(0<~5LGLo!1dUA?(uAj-Z<v{
zkH$C~v)XL$3koroAO+i3-rp~9bd5C6ase8zKm0(qI3t4!4-SreeJhi{=)R~EH&n0t
zYTepMlA&V%FiXcoyXfjQvqz*LWSHIH9*iz<kPe=W1-pYzu&)0buJIO#y43fKWE!nH
zyE1JuUdrul;<{Dm`lfdK0~h0F{8Y)6Hto)D!F(+5GK3@}X%@uw2Ygn=nV}z`#n<7)
zncIE}Qlc&w#78iOef@>=?X76<JCFB~v<4!mO+(pvv^<^0gHky>KLgb=-mtcokQtE3
z?{(KTVxmo8__#m}`O;Rof~4-$xzwo(Fp2Aj_zz6jXNe&8D?1qba1p}>%(~Y*Y*pe?
z5c4M0e#=Sl(Prb&5>0`qtQ_1SD)WekShYQ3k}J#1&De78G~qxzq&a41GQgdr(?fB!
z5fj$cG|(HV31w#QoAj8gm^G=W+Q&D$m48@XJ$=#xc44G>CY=uCT>NXP8IC+gHHnLe
zr0~4e2I|+_<_BXN{tp^QNOZjh=m)nEN*ae85$0ol%Oz7a9Pvp~gZp3c+JF8ZK-7po
zz-xSZ1V!Zsx5j7-EWCI5Y{Y-G{ym<H(1a<hT?o-A)v#+#^VW4fFWv_mDg`$Mkb4>F
zGpJSjx#rhoUbX^!k1hL{k<|rM0<?dPntD-q)Uf~U)ii&r*Zrb(zg4rY9J&NeR526?
zp7)fuKz4#EgW3ls6FZPMv)VztEKW)vPnY<mW}4MbVfG9ZeR*A$*)01aCTPsZ^bX#c
zxBB5Cc;yzR2K+yL^75kaz5Kns3e(->*aHH?CD{N{P;Wg>V8$}d-x%C#0;wK6AKP6e
zta%K?BjlM^7<02gnC%=)2#8`AjHuo?$ub;&zO%s#e`!yB-|&7Zh#zN-<#7+@I{5bH
z|03=^gPQExwo$AIh#*QYQ2|kDiXbW_D$+#+l@=f>A|-@K2}J@?klqvo6qG1Mq=ZNb
zokY5TfDno#Ku9P`Pe4K-A@{!SJ@f5(-gjod`_KO7`;lSz!?3PgYpwG<&Z7*}M)KYK
z>b(E85Vs}4E_sc6e2fJrAx_uU0i5VVkO@eAibDZ&G!rMgFS6|L_Wq-hA{Kw4Q5bn7
zLLy=eP#0Uzh{O;C8N1Y2E*M6K7?_%lLG4p^$n?dqKu0l%(A~pP-_>rsJMPPOVacT(
z@Zpm6<5)R!&${d((oW$SKU~j+MY-|+N-oQ?g`7J$N$jJ_id}+}P5W{W!dg-HkydoS
zqnVk>S*q2?>>`#B8P~B$I}OK<%U8(i+N7-ep^imFa=`7SFw7OMKie&zM+F^;00HSq
zh<4(Uwl5(n?St$b00JSo#kM;cwErw)Wr<q68j#ABOn}8X8|(XGBjv=;g@@5%KG3l$
zEj5e~k|Tphq#y9mm2A*RzVzDTT&D6~N-r{S@y4{+6L`DW-l*y@d+x~w@b2DfD))dj
zqYN5<VZoJ;jl?YtveDMVN`u-<iJN$bqr%+@r(c=KdUdYU^&h$T^KaP&!{cs>*IVe1
ziaY96J6ALa>*jyQ9ib4H4C_nL7O%G;nTfUb?!=%ieHB(SdmjKr+H=&o*V(XL>~0iL
z3{AZV{REWVyICvHhn$;Mpqx2`^+n(1m8tqpt*c`Xr-_1^FPj7k{`i~K#(#D&dNd@(
zif{LOsp5P4V$zI?^djuz?wg1cUg+wv<-TdnxU`VFmOmj~GQzpFyYCA%2<;lD9B)P-
zGILll`+_<K3ZL=+=Q2x5r>7nsYEolfsC-s#-#|hyNVgf}8#+}aQcP!;|KYody2}Cc
zx-rLy?jJ6iF%VG^Dj}B;(J}{q$@r$?LKNs*kV;Zg4!Hv<g}i(U{=C6hm3;BkGWEB(
z+9=ouJTBV>!e_li-JOP{DzGn6Y3O9Eac*(p;?x1&$Ou+6`iM_Ck8=Fz)n&(rp(`3P
zXDhdn0y5zMEBTObDj?X#>H@5QyIj>yo*Hi)yq_SzZoEIJv(%xRE1z(7b6k5s2<knW
zE1Po75oA+eU6Uzv;Ed4x0$uhXKx^Kx8)6VIA~QlC6>qEsTe&pLPi6Nka{E`ef=4ps
z=-HzeV1p|QltD<*;}A^yz%N|8BE2Y*3ug>;jk=03C0}w?bR!?b!`fEpLSd6vrUb-U
z$|I%9L*{$GzH0n5(URwT!G79f`Tk7mcreRn1PDLF!~^*Z<=#_gMvxqgD7&q7prpCo
ze(RXElK*wD&?ldt4r#7sWE>f7KPPoyYb^o5^f4`KQ4#8lsi<P?d~q3I=aud_xT3E!
zJ!#oqNp&>2W6+v>brd}rrG~!nO|SD}_L`y8lA$EKmL?P)VDS@y^(mJgR2*%(5S-__
zx9r|(O>?C5@Z+bBd=DeF4(Zr3YIQznx~tujLpIaU)f6jy@S1MmBrfn~fRDb6Ulc?K
z=eZ7a>(4zgFl|&9XAkd(tM+axVc#F(5w7_RT8K?CVtoF9`0SbPMG(grH>6zNTGLfm
z-W|Ht_olP`rN-!YcpDr%uFA3jW=oj>k1G*qa76WWu_%@5VI84KU6TgJ`--JZ0i=Gd
z5Mnnki+(WWtUJ8E^6*{3+a`-U)Q(;nD3&KVtkV|?IH>(;xFv!NLr0vf#aBfibTwB(
zojdp3{K<(ut}sS0tBS419P2#KMql^BZkG1$EBQ6Plq)u@Ev*B)o;)V;Xon2Kx7XVa
z@V_mQ7dWAnuG6IXV{y3j>f0~6cOAnLCZRgm$2^rEX=sVYSXSYo77dd$Z!#Afwo*d!
zC>-rf4h5wWABa2$t_1EwfN6W2dyH*Lw-)tIQEndIgz_(pWo7yD-5Ih}Qd<pruGRjY
zPj!gGs$r`|91GFw9E6TfhM?)fJ6;iTVNj7tXO|^OjmLX0V-=rIi0Kzgr)EXpd-CY`
zlR_q@bC;i%wW3EO#`2UH$tf8H?8TqB7?dfeUL7fa8+_q6N!jXoi*8z}+RZ9~=Wm6v
z3ZU%Rm(tN^r&837C%cT5vFYAhQ=>r}E>1eRNXv|3WAfMnekClZd2`_j>-JB!QOk~L
z+nSKqj>3z=g$9Mhf^V5MS0gY!nWHsNKel!qH`|+ch7Yjh6#vE}5vzi^+QD2^D*FT4
z4c*E=<D%OMVlJ>!Yr~ViM+|I{da1-UF2!%_Hf#aMHVQ=V9PlEt1u-<!|2#yBtXtJu
zKiqe{{AEKWY`qq{79KoSuhoC1?yB#RzRUR8k!;Qfq9UCLAY`{EC1-wjfD;;i$LTD!
zd`8`2#Jr{jczF1nY#5v)mE$x%5n^cXUSzn}C;ycCn(SMUCHw*mAP0}3av?c%Y9tE6
z45MF)nyHVFDI<jh4Hz+U*bx&{E8o!}=#+q_?~jc*SK}n(S(98;d%jpMbe#BK%7xVb
zT!V`ZgQ#<7)}f9(>N?*u(O@t#np~>u9yWeVpZqe%SHxwL>W<4uBf&Y1TriW!k_Y(9
z7iKhtDC~`{spBI}!qWrd;~}-?wKWXuajunc-}}}u<ke5jA)=CdlswfQ1;4C*_^R>B
z0@0H=Zr=`2ne;;x>9NoCVTB=@orEJKyzmk0l~fVK`ocvrav^#)#zC>6I>Y63P2|nj
zDtzz<_oMta$Nuv<=l^HfW}6yaUl4l5?~aAssB?DM;9SN?*>--u@5;+6Z!LJ80X#g+
z(0#$9r1tI{_!y6Z5#a5abYgqZV>_u)1Q4?$`Mq!n#C3`FOjbYX`8(Tw`odg{F6TQ=
z@l}EF+E%LijEf~Li+enrD@Q!S(+oM*p3J~?W?Ls|cE#%GSp^$j&*`nr`i|LBKn&EF
z4D8gj)*LY$0ctv3Q=p5s%K?s+Vjdu=lg$TQb5yN>j0gZL6THV&!daCJFBRHolm27}
z6E!ua?18MyOg{l*(i{qV89(y5Y-DXjw;a$!&Oj5O4C@u48IKNhB6%zx4@(3L8lep3
z*cZ6JIbrD2u*=v2V!+cZS&9Y~zI{E(=fb|s$rnFSLTq<tK5ezIa2)UejD3Luf(y0A
zmdj2t<U4c9p>V5;ULEpc8YJ}Ho`MVGdG(X{Q~UR9{+G-Dzdq=!=+O7YoU@NU&O9!o
zg*iejmsds{8&#V{=W+(q=lz1IXeHtq>?P7L+ujyPOVox&{K~{gO47Sp+4B{HzWNuB
zWJbtPwE)n$FI0R`Sd%r~_kBI%=BFF}))_yAK|oZS1-p=Afihya=6?b@I+5sVFmO0j
zGhJW1p{Mnl?H1M^)aJ@pO`OL10w|K_s}(c1htabAM<Rfs_W%66hYY2jyw14NC4T$w
zNInOj=evs^sSOS;T~*1k@r8GA7Kg@=zR;}3&zV2jzv(K=MKj3(bdTr=<q(gqDM`j!
zhn4DegfNhMtRR-nxy}?%zntUdAjB?;&Z|3U=HPnax?0K90~GEZ*BO8<%+akBwgMTj
zSQ67*Mga~I(;-Xkt{PFMsXvA_l&Zsoa$uhN)V~f^Nik%(Zq?S3Bqzt?^}AyKUyCR)
zl%D_V?4sr@sWC<8`NH63q4>FoRkCNKBVIDBV-ZW-a@Gu6>zTMass4_k3Us(C+>2P0
zJ$s}W=6a%m$bfeA?f(-rB^TMD4r!&sabY^mKc77DDoQ!~?aY4vlMfsH%2Qj36-6mc
z_h$xT8!#QX_#Nw1ZEAF|%H5wn)i}XRF<a!gnlOho<XMIFS!YW*+n%1U%GHm|9eZ9K
zy}N?`&r{{UoQ(OrlevhVJm%{`rRKggJCc=rt#@DJC5n04hQ0x1_SqC`Xv<uW5;$az
z#kh>GQ<u>k4RqTXKrSx>FacRxTxB3nT;FAWH*uNh&ih$^aTlZDwzj@e8)35AXkX|D
ztr1zyU|O=?uw$p2O^w(Y(;y*FVA^NyMQ=XU32eIHXIRoy3qoJdqt41{QYo4+c#{08
zvrSO<z1(iqf2*?2{I@ScJQ*ywaru#9b;X_Eb|bAErOcEi_g{m*k2||7*n0&)UAD{T
zwkCI3zu05+qGiksQG$Dmq1z6`P~2b)#73N9dt7f|Oku<QXwta92LAnXpE8Xl6z`;X
zN^6`*G0Ry&e3ce|`Jz&b2f%SHm$d=Ed0sDA%1{E9dw#UZ%Z(XzcN8gabZ_|MO@dJ|
zq`-FV!mE_Uo_;|!Gu;FCjPIzfto^?}cVIja=aS9Qd{pt&hGOPe*f;QasKJ?B7^acE
zxBpCWXOU`?6U?<lznH*E$)+03VAv{IUGg4u(-tuMCKus$DV1qTb4+YA)U0}KmI8U3
z2R*lQ@S7N9vaK>?+@J6DEAID^9$vR=@QM+~nN6AD`b`>7zpeIc5}4M_G>CGnObGA`
zFZl@8O*a_GI<7Q>3d()Z(-T7g;Fte-!#3oK1F#kTlhe@*WB7-BbV@IWT!35cs3Ukh
zsY>y((9RH-?8)Zjt%<LDYjA3s$Y3xEUW5WN3;;yLharKTo<z_OzGD=9BghX2{==u>
zwUZp(5gUt_EjC%wtPJgynVOJ<59ptApqcGOn7qml-)3y^ZVHR=T7V{fN8KCopU>1D
z3wNumNs)3(k$QONb!URO&9!fQNBH*P!?O-O&G5;!FTLFDe@0bRcg+Icy&0TtS#9e?
zUQ3lvP7az)Z}i%BR2FBeL+yiS3-S_F*F?0><R$R^|NUWtUqaW<xd6I6nB6~oq~t!N
zcrW+VKYXuk*LZDCwY>MfurJtR?iv3HI*4c4F}54^cWt+4>?0e@Gv%N;{1fOuz0Wp&
z|HGHYL<0K9T|L001^>qoz$;$!sJxaf(2mwrG-LN4zAptvoO@g^z^hYpoYd*6Kh{KD
zP8IM<Tg*}wom5H`ovbk3diy+oB4OLK9a9aMOrf9WiZiU+MdD@9&mS}F6Y((Ni}!zO
z!wuKf-CC&Riv^d;$I_hjgL(JTy5w5m@OZWU_Zpo$Zmb#h5h9*{IriU~C`Hmby<<md
z$4B>;0L07r(G{s97NsjnM?M~fs<DB6gOMQmAYv5+*svLJOt33|EeQ#~2oQARe39_0
zOP0fux9bxEB;LtMia8U>?(u>-Z{gg!#LV7klg=#W{eSqfWmkHCYy+7jE<4yONS|{k
znIH^yMZvn0XT9R}NaP5*<r>P5c|~X7AlurU0iZD*kW|o8gzV6XG=Ute!N2gUe~nIK
zzkGRXcK`0&9(nzR$)kIdJ0hA$iuH+BwUF+QbxjU$tko_^xux9_{_({zq4>&4%M1IG
za`8YeV(PCddhGHXT~iL_%utC{x2Nm;ZZ~+wxx-k_PHs96+=z31%*;bm59TlX=G$pe
zdNrg4LZ||Yd$xR&!!?TY$&=O|0iXN)1TB>d+e}DKRcB7?Ua0!yuChPBa#rqwl(G$P
zzZ^lsVdL34mgw3v(fudyHH5uk!wxO%UHAdudXOSbRi}Ch&%A^O|I455f9FqepbZ1B
z$kIRP&aA!UiE?#ofCGVhI`=fGT!*s)agKpu!EFuBVqLPgSU<auXNmPH<vRPte{zm_
z#CE~1W^5o<q#5Wg1%chKToAMETZ2%@lpaWABE+aYSEjbPwrW_zr?5UHq}*p}ZstWn
zg7KrlUbX8#8Jy>L!Rzbipu&?tlP1}_?muT;39rc@KU+8N3R4YV1myOz)j;i;Gsw|x
zyU$E{LDTy*(+toRMhjtz4X$joMIDJ&AM5#$7q7N;ByC^))6?k@Kij<Ei9Ng@(CXA!
zFhX-Yt*c8xDz-yLBZ^+<yYf(S5bd#O$5Bd~{3SJ6bN;cii`-1qtLytpfHxH_8nV<H
z?37YG-F&wtIM=Q4b5<GD$tq~^_`~^2{sV^}VxI0%ezmeEWynGU*a!5~1ceLieSr2x
zT3`25h$&re1<cCK%AZI~w0wHn@2H)ah1THyNBfhz^-~+p+1$OG#Hw7M+S*)*C=IU5
z*SJ?Gzqb1fHs%{QOPt04v^As^dfI&}n(I<x{RLp!Un&lufkdZVZVmN4W7VB^{l2`%
z&Cipyk!djJJ3aQUi{s9H#3U|{U{Mi_n)GQCHte(V6t*bDmetBwBJ&bGR~43_@uRX{
zMG3muXN2E>+$U3A@83O&x=|CwiU10uD9>j<5@*?Ntmgoak0w3>$w)EqZM{-d;XmG5
z&B7u@N_Cn}1h@kK#Y?D+p)9YXp=g=n!C+Z#r*&?$KGRK&DJ{aqlFZ*<?FjV~x~<vq
z<Gh8<Crdli?33~P5zUVZN^T$VV=rUF>q*|ulj2mhG~XUA_;U8pd#_GZ`j8|cXWig_
z1Ht7H+1@{)Cb?(<!`QGE4vFgAnv!OuJ|~<B;kc5j)%Ds*PM+EDye}jiHo5(7=$P*L
zRw+KoZjWOZbytV3mG=%&c~b=8CU!7m%Z1UL8rOsjW7;09XAolZC^s823y*s$1S9a4
zhtI1Cw*By$OHzHfN23S3(bWRm4P!mrt>Wo~n0~_uqimQ$98jx*=ula1E61`DUww%s
zdDMvYxv?>N1jLuVKR{GGWhf}7G#v1J8fTietR3MV02FTRx!@dHe^l`wSLGqD^o$Tj
zXz`-qCqH?Lv%`c?=>;Xf+bJ<;ixN>jWx-buU_E-~w+$8GAc$+w(AelttLE~#FqHn^
z_x13*beoY-vij0osCMRpGHh}8H{echOXOoKPTN(?V8g7KF{z+vt`&l&Df%aEq5D$B
zM{1wn@pF}Jhf^v)kJI1iRQ*s&Zb|*2r0)3#T{B6H-vr5oJVP90H-6)3GX`Qn9d_A>
z_-TA+;bYXW<x805yD`tq^EkOwxzc+7s4EJ(%zZ39OgpA3yxnjgK>J)1WT!i`lW9az
zm>uB)(+6M;d@*)IKVEmilNN(Z?yJ*IsN~9RI|zKJ|C^dX1Qe-sC<WZ%s#ZCKS`%4>
z9`Z$L!jY^m_CJPQH|HEKNgmO9DL;23Xfjvzu&HhZig;|^DG)ENG`e#&D+$4qcds=z
zbVX7oso2H3Y8F{x179;gbX9vd#!!*#y_?57jM8JjrlTcL8mTvcXMrel`I8Ne)LdDm
zIp$5Avh3FJx+DHbt8-#@@1>+!n=GCnZkoCb7K6QFYtr4jUZRfD&o*78qmQ1>@otEC
z5g<NY?eTO=Rj1wY@hg16-8acCPm?ng{{3>tcHae3pDXaQp#@9SN;g1^FBuycSB3}6
zV`E=ZdmAAB>DH{Auq^`OqFUoi<D4Jc&kw}utc~xZtFLj7L1qwbY_48o$CL&$q7ldk
z1tDrcu$uZ&s~?*4p}9`JvGZ+}U;kXwxA#?iZJ(v`?M?PZH9d{6%7kNcv&JvxCQnLj
zpsYH;N;9V?YwWy&ohT)SaqL<S#0#K(MyNQlK}HN*5+IovT5R_wdGcfvei~vPIS%^z
zYG`VxV;|WEJ~qA>nsWVIl6c%K8e!?qj^Z3-|L&-84&k)yjKy$ON?;A1U&rtwB2=%f
z*NzrFDiQ&mr++PN$rr>Y%=+3&&A|x#fMwzG2FHV)L%;N5+Q5=-9ZfjJ4!A|q5weoJ
zLt4SZ#kQ<<_g<oe`ymcz4s|^ZsDyuKrhko5hY)K3KZq2<iHJ_#8OCTLkmN<)iU&+_
zp|(TDDLExx*R`*dtGiw%jHr)HHoShv=Z5(GpmgRbx$ieUUnLrIy0WS^Y?4g%4<2*z
z#kr3~rS1HX`<vPrF<R}6+kiu?w5ujo36deJGbX#4`YLpx-f%>_J(ZE-;A}2j@C4AT
z*t}brnf6r-Xsp#(F41xvzjyJ-adgY|zz?UPa$ZxX82s%BL3Y(Qf^>SP7~7X8e|6^0
z$lvxU1(+_rDVuC7FL>N*q)oi%`M2DQT|3ZDj2yZ}AI{YU_|S&{ldP?jzm{-Si~6ei
zk-w$kmiH=OUaQTwZmem{l~PVSdCpi3cT6>aL(J%u1h`b%Ayvk^&5xOL1J6-N8gy?T
zz$q3GNg|vyr(<o(vv&k8nWec-2_YYwo;#U))18mdrKege9!mE<2UnU{-cdENO<eKN
za9EvM>>hvbfCvz_>bo=)Jr>q;A#KxQt;jT}JT;ifzmiNd0JT7ckQ6h#i$8Tn;*;A$
z+V?;<J@hl@exq~zgnoj=nUAJvCi^o4uN^ky&tOuy$04m#`~;>Boo(OsY%CHb^aX&k
z*qBZyWMSzavT$od!P2SbR+k?&b8q^T@lD-QlbJvK_iv;EGN7wWT$^<&E67lFs2zNS
zC(u&*@0;oSxG^$lcxHH&JMt#)LP&Q1pj{uT<3_8wU~*F~VA=E4hbnxM31DRp8Mqmb
zb|AALz5VLvd<2@NnUL;9*4d5u6reOOguM#)?r_V{A2r`=bjpG+eECPusYP4cgdy{8
z6_Uf3PV4;Ii(xuQTmy+bdRyyR$CsLh1(ma=y)?^+1{iWV!eAE%^vl*1|D|bSWRp3A
z`mHt_5xau?jzHOe9w?m%sh-$QI%b8BVGRV{G2Nf6M(~MM`)KmXaR3kCGIq_3B^v7;
zGI)B|tz+tR!`c1W*3qbU`+BRZld4?J5r_Tw%EogYHd-~d&S7Ukcw(D82-q5E+5x8S
za(6NJ5u-UdH9g;X-1SdVjo{C?gzc=Yn%YZQe8mdx#CPkVzRFXM$9kXaz6X1PVyRU{
z-_VDbvN6E>@QWR^&Smr3TBbC3-D7Kcf$#qQ$r~=$P*(z?D9;`zE*v%2I7)aR?HxGh
zZLk%77x5YE=&0vnuv#uNY0jeH^Kj)^jg9tIR^zABYfHUBjC-1U|3n;2zXwD@&LrzP
zR56nx_6?(Sbdnnvcb;I?;7UiYcIg?N`jP9HVy2t{?Y||rCS*i|a>Y}>fg}K_<w7PP
zwqs?IGg2!2ggZaEd&!9)3!>pSS{yYTnwYA^no_VJ<%}n4DWx>1FrdCoa6%`q;;%Fv
zEm@GzMa!b}X3m@#=6dQIhaY(j|6F#_%3$)xns!=#GFCcNu*U9mrjDbm<~L%6CXmh-
zggLSa4`>5FBynY^#}UYQbTwRwBX_m<^|GwMS<QLe<!c?_q_bt-_xuXar6Q%lCdD@_
z3Gdg_CYO%m@(FLI3tf+o_7$!Nd?6m{ls6n%DXAra4*`XAk>OD`5%e6Xiay9S8$^Ma
zSLw1MN7(uHB=wbQ3T6C(R$=k=r(<UAWv|Pye37O}+x`ue7u~tmgTL7UK<jGA*4<6V
zv4`|D<-J@_*Ns+pb8U)UyzI3gM((p(j+S~5qpBbN`d@y!$6wKz#Z+d!)JJgaBEF+5
zF)^mkkpui}({H0ZIl$S8?(*m#J}XbW!?M~Smi{$nbTKqO`>w1+eTwjFRfh9Rg$&L$
z7p~a|Kp@1#7-|hg@N<nvn{*jdq;?tP<YY}T?K>a^PF{2>(4r`j3lMWWT5o9YvFG-4
zDkp;MJ{QwNCC#m#b)|I^`ugx5@XQZTb-|Rt8I`Ie2rxUCnp{o`UY#N<F9FVwM3^cl
zhAKv9*d@|HQmC8ERF(&8Wb`$yx>9UmRQZRO{?OC}<yzyc-Mu6;_wbbaf~Ds>hW~FL
zp8c38f&eop){Sm0ZpoCi<#jN4(M3+C5~ZOL1O&!=DM0DMbtMJkuAJY!GPtxEKRu&R
zl`h=4sY}&v)h0E*7dS%`05|is6x5X>uPq6~L+ohX=uH<1R`=(w_ld<0Edl#q5444@
z4tC4JZzy||Cjy+^N=(#)-E<U~_Lk`J51%wFTMVWJ8=#Hr-}gn?e_B+3x&`u0;JH{L
za-XQJs69)lb2O9Px_VfV0jPmoC+o9=Hd9^hZ#LZS{Y1$fBvU!w&vq;=y^zR;#=p3@
zL3S#ua5sbduy8?waG7m6quOhkXbGz6lmDDw2t6SN`F^@O+u?D1POnm%cHH*?S<#k3
z7ltYe7?H*#?<SX_f_+mzFUq9E`>`m2k3d$#C&Y}92SZNg)ur4V00rp80`<f$+YjiO
zF@UMG6ML1@q2;xed#a(4QI4U1c%lx24h9w-vLmzBbzeX6(|zB~S?IaR{FISE3kC80
z(*3qZ?xnA_es`l3a_vYe>=(2^@F|^*)GF`Mk{^DJeH@*Be(vt~+k9meuOs>kPBwi)
z!nfZ*yb#zNguTc9^swxQPWMk<flH6G=KL*q&%RKs3QsTl0S(t}4Ev1!GwO0JLt>z#
zL9@Lym3^zsrwI&7LB7p{gY8Bmdin=1_WH5LJVFYLKVZ4<l%yOXCos<Jcfig##8_)<
z_UNEKVZ^33-3P`-0qVp=u2tSRx%YF3w^hl8TB&+_u<pS_j_z5@udL@vA8=`}LjMgU
zd`yj#30}U-IUQmG-{%n*A<a%~v*#&SbC4ChzL+6t30iIZCG)RerQ+Y$L;!{_i7Z6|
z+ieDs-~^5%NO566_%B92B<l|Izz4t$`)ptS!aBwKuq#Zj&k+8kRVPELA=7Nm(JfG|
zrS{Bnhk5T&`%JP$(DKUiM9`n@B7Aj%eFJKu4%urVXwQBavB+J7Y&w6PG<ZB&Hqxxf
z6Lggz(Sl#_PK9`MC}@z7nrut1rW@QZkBzgbA_3GseAwex=CH#{u&0&Asu~N5{`a5v
z^L1f)<cNc{%&cV!eJNf?^SGC;(~;L<CF9P2Tu%*aTgI)P!oT_Cr8XZwdna^#qEc+n
zIWsBd0EI$ZOT?$XAPBJ$3@WfUlJF~f02@CBZ|1A6<D#Hysb_VSH|0^S9{R;p@Ag;9
zw0u&MV}Qz(B8lh;mS_Jf^Qc_K9?W2*c8!s@601vBG&x5R)o0eUW7DJ+%{5#$flzDn
zyPWvK2U70WzsrRHhe*XpvMMzj)x4Q>#R*6-NDp>$UERH1rbZ;6wZIajHiC%S<wS-=
z^)qts_W?GDW9)?yAWnb49Ems)!f_ft4LI=0%fOb#?O>dh8;c<)jPI1lIR4J`62G?R
z-MihTi|t^BtqVVG<a1N5E<2p5`YpRZl@>;na`KYF6F#VqHb3-iEGK+t)uvy25+|;H
zxU%EK5p1pRyaIr83G&lHz?#@9nlHG=z|WD^hu9mmvy9Pv_o9%*J0#cM_TXohkRLw_
zM(uS^o_y0f82d(X@1n)D44I8#-0h^+taZwRoSFR3H*qn!@(gJ7=H%5Wit}*bQnHaF
zaReUG9c?L_^VW`hCMs>{dwKt#y>Q!+k+;JUL)8ngGO~+$&xBL>M0Kru<-C>u9Md90
zYJ_A)ZC*{cuC#<~Q(f&am0X+M3Vm@#70m=sFUHB*T@{XwDGbf`s%+7~9=7kVAg{hC
zaQSSfq`|sF0qv*Pi^v0T*v%%r>G3A}P>*S1T<#eFV&W84GVK$p!(`31oA)~8NLuu&
z{|L4RKY?budF-e0Jxp8dA)aJIc>-(9MhHWt&A_N#;b>KCyX*O3Am^EWKM`h^PRJ<m
zvUh@vPY48y=Lmehb?Z)=k+;uN3&NVu;J*o4Y+(irnD&SWbG7T3HzO{M>huC(UU+1<
zA=MNg>yYhe>20pG5Q6jB_$~#ZSj{VWRY$g~(NE3vowI`nI0k!lW$5Nr*#>))KLeNS
z+wgn$U38MEk4f{e@O$}rW0PL^l3Fb427n|)vZ1YDX>AbSpIm8XS89_L9Vcu`Z<Y}e
zc7zNZ{Pc))sCGBciykAoM}$D5Cq<T&4_!4GL76fY+t4+&%c*pDP^+~<$P<Jxq3A$I
zA)z*uwhJ*GQIqg2tj)DDoC{ulC0Ej`q`6+(7p<7Vmgay$5~qV#@~2&Hkf-2A-+038
zi-_rmWxW9s+iMS-;v?VIZr6MMB&-ygT8-12b65pqn=6{rJS<?zvX7nB<rGuz<yWL$
zlN?Y4X)aFVzn^JBXs7|;K)z*<2-6-Dvo?A0%}|bB&GyRFqW_%;`vmLxf^17jOJBnv
zD_glcg50VBn>#($T@>_p15jFduwGXDTQBTy2Lcd4bO~a(ax?Dv-w)RIBM2D?rLov`
zNUnl2)Tf<xo=>=cb^36+^X(TLV|E+e9<V^A5z@nHfc4Z7eQ@ZsdeG+I4-vd?Mx_?D
zSD&T?97tYijX!0N{6UjP4e`xY^m`Gjw%Un6j<1Ea2v-9`V^z>VAe8P9>JnTX*=&6a
z1{QVovW46pG}8Gn()oQBc2_F&<xS~3ub=-~;c5c4Hdq2Ej6S&vvEO02di4x&q_)Vx
z#T^-=V(%JVnX=$uNeSC0f%sg{m%b-YfzO#AQ4CPYbQEhATovo;hk9feHu^UNRBd;Y
zC)KJ)<f@N3T<+l7rDBIaA?JWOUJyiY6Z93GtOGx*AI>Q4kRcRe0Yll_MCCl_qP?w)
ztM@ajUmVvD0ZO<Hv(~dR2OpVJy|;B{0KySa`82LY5swkQ%r*x^xVG#Ug>2m}N!?m|
z8C&CE7|lRAkaBR}?rFMOIW0hC9J{~rdHMVar5n6=9E&D&Ro6-~qnBQps$#-?3Ycpk
z=<hCYsv+_EE9d6=uR%4I^`#AP%wP5xbZZk3=ry&(N@LW-GH`dtPP2*huu^~u$WC#A
zSfsYGo=z?V1x3K=&0~~n@$`%jiq)^a-jUR+yzF-FeYxMLYrjp^c%Q|G^k=F)mvSiP
zI>`F5GaY><x4Zkb{wBR4c?Bimj^oEK<#r7cM0ZP2sx#DN8FXY|aMQ2`9&xB+24Y}w
z+=R3mxa}d@h2L76YLDscYrGxokub9fC1(!Iq%JqoQ;&w&w*nJOyrm7gl>KPl;NXna
z*U>VWAy}gM+KIHq)id`L+xuh%4!{4jzVS-G>)P&nlpjYH<;@N&W1F@-%jysoX`>2!
zWCz+?4f_Og62lrHaRmvXnd>3nYBP-X4r*7Pgl-~U+oRoadjZq@Z15ukh!In=&BeYw
z_tIFCC0#WqS+kY=IY;S^^5*6Qb3$#b*6#a*Q^wy^`uB_ldK(?MV3SyQcYLW}<+pdT
z(OPs)ZTU-@Y(P|T;e_Vw2fcyS4@1PX(VZRKa%O`_C*oJYH(;aejI~=q+XzaGVUdGH
zxFszkIxJ2(^^|2|ucP?rZ~k|uUWtYZPt{S`r^}1N5Yq#R*}k93*|83l3}X8v!kjce
zhAhQ8(T93KioJ;|lD6imr}p~Q57>rfTmL!;RX`otjX|BIfsdh-n1l~>>sVL03X-g~
zOiJuU7|B%1lq2_gQCL*a{z`p_)}hYZ*M1WpQ4fTykKJOo(V$W&RVFU7jHeV*>cTt#
zNXox>X4#F7ZWYUz9#4dQu{w{5QBs3Tby2ZQ|G5skK%{ee?UU{4news9tn9J+WbwWm
z3B^T3*=-H;q9Rz`&cd(xfB3x6lyqBmRX$g7SbraFE&eJra&s+yNBoVUwq>H8u&Qgd
zE?n+)!3_qq>Da^P8|rpf#DgE_tLm0}60}AlL;*b~-dbpJr?V)W24r4~Eg8xttgf2p
zk#y8AAHrcz*!6VD)vQBqA2pNBuk#7WX2@$!+jm*PSYf-l5t0LpP6G{4l;LT{20O~J
zZcI(7c2qrZJX5)jWP62tBUx;FNa#(Zv8;_^#@n~NNZ=q(WXs+ej@W;F1}8G!9ZIK0
z?YwurG;}gvs5h8(-w)~iQPe!QZ}rhWPJfZ~-lB<uocXQ$=H7ps<j$5qsWsQ0bBEPY
zN>wwFD!p)L#mD&SH}l(f$7>59W9HC`F_hQt7hnMOlAt$;QY>O4Iu!Jo<<0O*pAa8I
zLe&op+u4X#y7a2gvRH#R<<l+@9`vv7Ree~)XaI&0$4P)dBNjk?G&{t+a<%J#KSOFy
z3%RO(iekP2jFy~|J*W?nzM!+`diUM1khJ=d+}LC2xdBZ<@B7T|=9mD5{aEy0Ap6u9
zVEXC{BMJ;Kk@{gk>j87$aAl3II3kum)xQ`GGEFYuWAdvfHS-j0_qB%l-Rbb(FL-k7
z#@0*Ez#RhIhxA0vV<Bnk_V=QGkk-^^o3d%RRqp(2GAQ%Ptj{Hj)EvS0%1FTm!^apT
zr$eFnistFfs;WVkb8qrU83y*Mu&P~3*6k)%0(o)Cj%1KXTU)`?FvlHGHxXi9t|!@u
zFQ{`ddPG1_tqg(cSy!h`Oqd2LRprtJ9(j)53iYo#nEd9;Wq!+P#L5*vX6NdZF&oZQ
zX(cNZ?Q>pm>TmS$5Uwebx?+1WVcxPdd|~5DW8_}b{ro3Y+YNOi0MY|{ZN{36vmQs}
zEf6L2HS@e8<VSo@o1e&BBu`C)-^pBf?dIrog7V7O?($(RRWjOREfFKig&o0s26l)-
z{WPRe@8oVF8d<gw{LF{+MbNHyc}#5JRF(USTp-F4nlpP&V})AzcPW^CI%5Pkx=2zj
zNLvLEIfewmsav<4QVN@g3IvAoWYI0QO)j)>FqBzHjYSyBIWDbyUgVt_#wR);+(&$8
zLLXYz&xy_{8dD^O_dGprU%>kb#V7IxzAlcDP&$AI4?-j)=m!;cbt)O|#<J2<c3Gup
zXnd-x8wd4M-4lHLo9fQ!$F^kwM<|9Ts2R=_L%%?asc}_HLbQ5Y_s+Z6xB0L(x{94|
zZ)wVSmr*^A0*+Y1XWK+HFAvCatWbRHZstWgv=ioH`R_5T@8v;PHO4azbVf5TaMfua
zPW>FO>=xd{H!oi_zw-XOWA5m}V_`9gl=GCQZ;Ir!o$ZRPC`6*hefXx8PRXDz)-69%
ztli4|&xH6GTk*$Q&BEmPA}hH5@7N184B$+guxTFCE^3R%T)n46Yng=fFK=H5?n14y
zp{jwx#2*?-ZW?8YFSI>WROFU1j62o`Qe(+uai2&in^57bBn^Fm0w)T&O?fO)$HBS%
z(N`OdQKNGfxsUq<aj#YD&Bnq*B~yt{hzVd3^b?Wst@f#XjG;xSRD|fC^MA5rR2L<_
z7LGLczg5@x82X|8rt#BE((D!f<t|_PHBI&cP}Zys2V%xkr(I)dVc~b%gQ*9QW=N|W
zZC1>~Jo#ai)x4ASfxoX@+tf^C>y_$4TfE%t^<Ebk`@_o1+@yOhJTq~wU46gyqb&Dz
zk$af-EX900KQpQDjESwCf2vNy>5pTo6i4g(<*$d90{&>eKv(l}n79sCB}QLYEZ1@x
zBOPM7yuKI#V(xWH{El5cUM+c6xom^dcNn;v25(VZRqO=Y#1{aLNd-`88;G>J>M~Ul
z@&UG$+c%!#u-Zy>_Zl~N<~kjMwIJ)J-AquCsrfWl;Ja#e+VJsA@a3(YcTT;{cwVy_
z_rutY{Kl2th}znWhJRz>?${U~=lfruyP&nZ3#nTr3#)to=TJF>{7)HRTx<5PvPPN!
zXtZAG?lu7^%%9mW-v5Tn{XfdBd)kE+T7s(tY4rDlh#fX~M{rEYWvoqeo3HO5J}Cb`
zeAk`&A^UG9L_R(9c|g#)mH9nU$^WdKowOZ)<e|S`REM|6Y)7fAuHBFNR{(69>rEBm
zNqYabZ5(^{xvID`DINwJ&yTC{QkLHTJbxHdt@~mP49IErqOJix8BhhlAcFVlnNGKM
z;!>FGhl{pN?KbKJlCK8(Sw-0c)AJ7?in)ZGhnzEj@iy*L1D*|=7J`*}NjN-7Y#WVN
zx?Oaxr&T}l(Eg*}PvPCz;?r>`1W?6kh3K}H(yg@zc1yH#{KDstM)HFCIB`lIS8#Wi
z0zcA=sTt~b&8hb$SIHygWTlLE8*A$A_g>C9s@ODsE>!L<$iqIyG~^8NHs?wjboJGX
zotF%yNeE3fs&!KXKEZ3nc@A6f_&~nlqB$tqH7{YqU1^qVXRzq!myj4->&km*eEi;<
ze~0BL0HHbXiVdcL#CZJ;(8NuUP)P6{rbjGr?u2M#y?<N9xR~Bbu@-eui$BnIHck0y
z`*{<-$bk2wSzL)Q+QD?D5Kmx+33C|M;MyRNG$OzEn8fRaT;<`wM#s05^u(MnubG&Y
zi0kXlN(p-&CSBaO0+IyK4bV$s_336r37bPhw-M#MGhYcgXzE|5H5%NeOGQbnkIW~(
zyBlzUd_>E9&4~>92HG3qLDSFOM?xK=$%DU<uB%t)%GV68(1so-*mgSfm3)jV&3x2j
zf7s#o6`dUk`;OtS+WzBri*1HmM>9;SEi)tf8A<gNzzfn{rGGV}d3hL&UXii$QkfjD
zrSwz&ZmWUDqoyy#GAzFZ_2olDhW;*&+ErTb5@&=V?R&K<m~%p$cia~na&a~LqQC3e
zE4;f^Tbt59b@^fPsRZRiafx^vQ$D_{dlsy5ab0e(M@+GHy3*WP1Lqt#tMS>NY84S<
z+d>&wo}mj+Kfq@0Faa_^F_a5n=WKil#asCwzR?2F>u~XeqvHqOM!yL>*}V$u<Q)Xm
zE5iTq!N3$tR(mR4C1yn*aya5_1*r_XsXyto@B}W{8{UU+%K4PAw)(=qc>a09r^s2*
z=aakd@N0Y#WD@EY5Gz?k2|;vSQgxr{JGc=7DNPJX827e|z877;Pt*b=qy#x)bn{cQ
zTN`iBPm~IFNhUKRZ{ezMA^q&o(*4HjsubzXD``5(k3S3_%ox?VcX;+y3IDYNes>dW
zVs$ON6@r}sD!h)+jyd#Rf4tR(WmefX&-xvOH|bxy+Zdh=21jV16vw!h9F!;ekPbqC
ztvC}LjXK6?v&OV#Lp#vo-Eal$Q;pM+8}~f3ZZ##awvV1LebpW#{x(Cg|DlU(J&@FR
zdl>y7^)UDBSd$fF9W3S*p%rdv%;?9Kxh_tDm`7e8COK0=f>!BfpX%!(^-z0n0VK>@
zoqr1K$EZ?h4=Nw;C)uDJ19VUO*hXDf!;?DcWJ<e?4xvc6sX%-xUhBLa+3Y*tG`+-{
zqshJ4z}ClzC;<uKj{19~59n)=g-bmbZ{~WQBK5ADC~foBrhemeoazX0_b_VX?||DB
z7oYMEBclnol@|I||C9lV>qjhAnsaw_JUmLxG5fhb%+XjC?lDEySB3(Hk#EGlQijs`
z07o|Sw>7*8<|zoDqgcz2q<6`kl`%iq?RpWhuk?aO&iGr7eS2yg`3Mo%pvYZJpsc*x
z?WWN{Djz##XSH8o)ExWqy%$|tZr^%YE@VYz?SPUW)S4|hjfskoL>U+!WemJTU7%3~
zwR&QWN!oR4f7dH#d-UUmO=Bl0G1MHDD}C-L?cGeC6jzc1;+~`)LGjbT%UijY&}I1E
zp|<6|tDRMqp*H2DQyrrI7wSx&|Mu*FQf-&B`qnKpn=>YNC@{De%u-`*_I<wc5}pv;
zSVOotjoZGJ1!zB()Bj+00*6(5kg312rk@l7YltHZZW3Rj1y;+Nj2U$>QHQAzh;^F!
zja{8k<B^}qc_)95t3hU4{G}ehy1WCq32c)PE+1ncenqEQcN)<$33mEgZ%Ki05C^>m
zT_CrU<dw}OM0-ztJuD@9UAiAu&hFw|M(OS5`7FbECqjf;BCghw<O`}2+pj9ue927u
zcF?o^Pm2KGUVG_pWeZ&ywqbPv+--n6rJ}dJj>Ub>Q0`yUNSodE_m4nfG(4K|OWMh&
z#;y%veSFm6%RWAN4(cl_Ge<l2d+#kd^<~dJK0dw&djR5WCmq8m<hsmT!Qdd4`usw<
zhuO)vP>~J&lpCi~3g13IXnw-}dV!Zj!@&%g+d~+_&COk`1%W_FrJPZ`BW@#pP4FWh
z-#$J;Uwqy;JKeN_gqO8+F|sB`udKp-A2~j(i*K<vHQBFKnRe(zq=5M4l8Djw3skxl
zFo6$YY_I~7uvONphJL$Q`d6?aV4i>#W5ArTJKy{TmJNMTonxkf5)R9Ao$6J4dZWze
zcXKdF`43gE(ZpWaT+hm8HwR6Fqg$u{Wwx9Fp!(0ej&=f?dm7BZ0to0od?PhfJq~DB
zZ_N#n(Yew{a2feq6vdS<Kp8NaV`4vg0aN<Cg*)o_OiU3)8IOH$alWEUjPJ|Gr{dT4
zR+pCGeNi`oQOZT%0XTx^VQ>{y?Pgi&w7I~$4wdG8bJb-GwBaJr)i)ymThuZn;xOtu
zQ|BMPWQuJL%m}WH(<viKf)_E?oXaMh!ejeZvpHIIU=XhtbT~pSgkuFDg9Nz{k@l%G
zgYA#n97a%Juh1_J+rE!edveXlH-F7mt~`uUN|KrTVCd`49rXL#m`KF5;YZfO7H~Jx
zD%aDpCJL|-7>OM+#XG|LU#n=s=@0~9wj7r4`K%@iz?sF37#^-U!SPK70j0)>CtECA
z<9!g*Ft1Z)r$S6_)wvY-{E^&Lp#c+$aLty{uOV&rKao_?lj!QHKjfPYR_{MnoUNRK
z<Ye8__!)5Vaiq!5pd^tbbY(42E0a&NI)Bso+t7PL7H4jmB=kc?*%73BVK*NMsXYn#
z^-*c>jhV~h{foJROzUOlCodp4OPY~S+plmu`f;YEG}lP?<#g4%_Z92#<-et0eqFM>
zC>HDY=h@iJlFwzF?k#rF*|nh_yA9Zn-VAC^cPLz3zG0DI`EvuqR<j6&R)kSq1#((<
zOcS^UU)aTN6Gon27e{enO`7UbaS~6#FCh9)s))Y5Ip8>G_3!1<BDVkhD5u?ycOKJT
zfiK-oGs-h9oHRxHTgW8_Uxakjam&^_uPnHd0006ki87~4!}ZbApcp5S*x8z=q(8Zr
zo5wViUQHkBYa$!x`JAYM^eH_ME>cPcM-eN5q)PDkl$9|7#MJ}5<sc4+GzVg<WnIos
zy`21NIcw6$T0{Bv>t4E=-Fa`fi=R8OG&*P(VIPUU5^Qy^FmR<YG3swHzzMQmP4z(c
zL)nU~dXd&JAYHN{w&QbcU2LbTT#gCbs{HtRVBaYtq@L@78uqn9;nVv{j*0*96_|qF
zBuXczS(k#REACJ_IP#E1!JY<I>WuZ_sgUp}_$%*y4%KF@!4o#K&cO#tCpR_6XK1`C
z#?Tl*emlTGQlrWqo5TN}t%i7M_XeA898H@jdQ%9U->+fhf2CZJUb{R~j`G_rLP?f~
z#NHv@1@dV>G>oR_L$Y8W>|IYejMCTqUpl}aJ@}a?=HzHuLp{3>))(4Vq(&k>E*t<X
zwp|y3gAn$o#ijyQYgWl~wQSd{<$7$M87q3B@3_sKe?yu7Pk;F1|2t{797>bqCS;*m
zG9$#lGXXBfaBG@T=5JAetLmyjTm}`PSM8elTYz7|6oCC}2wcu4kTDFHo0W*;@Gnp~
z8Mx~VG&dFCHM2wj9AhvOaHm__HCFu0%oq-Gm2S-TQjC$hr`P!PzVUuBbA3MkXX^%%
ztQQPu955hRrT|rfzl*tYnO#TWxWvb;ODo8|6pLS$X$-~h`vHx^xeJ$DaL&v;bIs^A
z35k>|@Aymtr%J}9l>N0XQWOpI2$H*RiPLX`K~+U70GU{z+Vuouh2-?TF^Fw{D|W@N
z*SkCDWCFm}uacS&?SU6OR11r49XKggeqq!uESLj8$1qaWA4{`I#4g%yY0{S$H%9ct
z>|?t*N?eVN|C{3|F~ytrnu7kd)UNQfT^j&acy~{H`Kbf$NS|6hT16Nz-jPOKn1=jW
z0W7J=dgCfzYdLBs%QcST%7vTr^=)DTQyen}A3r#DX8VD791z`Q$`#w$pyO5?43$*k
znskJLiLh4#qB_L-R<<52ZuTo|kCL!&A4**PvzV1ZYk%}Bib36XdD9gV(75t)Se;Ch
zsA9`9uS<+SYi_>k7?aA4mwPv#GzSFh;M>y<#@|sc7V=q6QgO`qmXti<RqsolcgfiN
zhfkvzQF6{)BP{Utl<$t$0?u;VKqOyZhn}q4`AkVBGxf`_MKXN!mTpi$8N)K>Tu?(=
z(cwdv^+k<c%c0Y_wr$>Vlrm#2##iGn=Qm?F$?4gETcL3w<@;-m_Hp>p^-tS-lPjXH
zT_=C3v!R0+ww4Yn%50HxtGR+_A|1_Qj><?SlXUftVx<?~cG;^3{oemo%D$U~$baL8
zW}2J)!>3B!JP94|K@_;FqGQx4zhNNDL8!n22)~-nap4W3_aPUwGa0RHaC^k*hPp@=
z&Ha_5X`Zw?;+e*9T{WTh?E|sM8wKx=xq><Jyb*xD6SzjE(x@FmU=aJFEmLzvx)k=z
zG(kJZz;|lKhLq_g=Ca45#$Kyyw!>4s+kKBKBPwaoD&XEdPU-e!X$u4$=1y+0S#RmB
zs?E%r4_-N*zR^&VjVXR(KSNy+qEUsR6y8t2K1QV;REC{3W6ctYjnK3@kkO=Yn3z#!
zRh<UCu~JMqRN&H*CZg0-5@S5|i`BP9<p)ofVI&L{t-^Iih>?NT{9X~K(;xQrXN4V@
zxHuth%eP*xh_8QiT}V!AMmjHb?JTLd7OdIbBWSlBphT&xvb9=F$F5$%%@O;~u0wxg
zGs_o>-~)pRsv9I45RZ6>>j0Evwx~zx9j+3L-|?91V}z5?h2)ZjuT%0@=a9mtK0n`y
zH`VidIG^7vLy&Q-PzK;EJ)ML;@;6zs)linPo0_!76*yg!ZI>gQ$|^{ASy)i3lFC4J
zOFPU_)B;A|AXIv4cY!jb1zWh~xU*1eQS516RLLT4Ta0m5n{}wT1!eK=QYLX`E8b8R
zh!cT@UVyvNRa&42xke<-TZ8YZlfM=kP@`jNW&W-7No=_Yc>ULlG}Ur8nnsL9S7m(z
zh9*b<B~`V9MVstr+JEA7G!wjbKOjpX-sD7xv2@xxtZr>4sr%ds%X^+_a-a9E8r@s5
zwaoH>g>G0_0Dy#8)H8f(f_?LF4>Qt#YA9%>ySERQrL|Cru!L>RiO+*XxvETv?e1qD
z$U9e-X&U<%7_ej`%RlC743@+7dw1<Tl7ucrTE%*rcKclQdmpd0cPCsUeupQF>l|~n
z;)kH2LxQUF7&44!dy#V<5JA&%yO+9LMK}<y8x#6XBn8kM12Li^;jqtaAZj@E1-NQe
z13nsJGfN=E#hUCFcMrPz;+4ROs7Pgt1;Z^ad3RraIF?<9Yu(xgeHym^VJOTTXxEGa
z)q-R6_t7zN_O4e4QSj+L>vqW-9E*ytsW+P|>#J?m`kHL&@W_UTa}!PLXW~WPcljZd
znJO!N#UWwz)VA<|7NU3)k|}G%Oicm8!;8mVxq4~6E$bBLKIKNs&)%g)CQ@zZqNHJ*
zj903MiBmEr`uzgoweCy(G~8}eZX?95`%S&u70cyP;_dt3?v>`h6|Af_YLcrgySOwY
zuj~471Qj_w=~!*>&~QKv>el4&=xs;VeUZ5N_}Y{1+ZFF4`N7O3RyhN@+_#&{yI99O
znB!4wE@zI0(>_?=`TAn^-N|H+`kLA_S^ssjgglR1nNoeIa0XClV8j6CZVi7tN|JdR
zv9FD0E$e+XIwOOS;TD*U<vugSoaF>&*_auZx5w{=ynTFN&h2c^{#CRuDDf@|aCnKl
z@rQ7^u7cNF$3#Vlj=EQMgWbcD?XBK)r4RH#<aX|nwq|a-jA#Jx5meH;9^agSE4Cf-
zRS2-;O=RFXBdo?>oT~}jIG&&g$JQI@M}Yynq3F*wok_7J`t2$|SSZ$WN~Vq}kzeTO
zMA2#Q9PO9V(C>{srESaTl~FZYP7*5wh`!qFfvyMxc08^5nKcODg(%3wWN}B>xDJ9~
z9Rtt%l66)S15>hfB%7*Ix+QnMKe%S=*>d2;le3($T5C4w_h_%_=-9ci8U&UoF*e@-
z4O<B!q?Qecgp8RmkyFKpf<^L^V#C-VA04R`jWiF^>J8PmPXx_VuB9YbeEo&I+#(K+
z3+%>Y_wMvl?lcW)XnYKLM5uPiruV%w6YEqqSJWt2-Fp-HUD{5XpAM+AYQGH}7fHr|
ze8IE;l==BTMDfR#y@-ksbkA7NLIbSI1+?6^=wg;k`0<mkL@*jvAK1K;B2wUt1K3nI
zz`@N+_=aD_t1afp4C1;Yn6$BONY5kO7(|6J-B|e*K={{yFv_%v9qPeYYj-M&Y0}9f
zdy>N^GYe1Wv{x-!`yD2IProf41TpuqRhCljX97@rrAXHmv=?q11`JHvRTITYz9_ek
zWbZ2S=atO$Ua_i@)!8qPg3`OCw2L{6-!6H)yH;Im<~v9MPUT$qEa9n_IV#7sS;Qo-
z3B;OYH`8(B8@2%bMqT$F1ig<EQcf{t7N%3$mvl0=IZBcWZYM*yiNz<}D&B|(O}^s8
zsRFsxfEz3ANh}~8wIEF*H4kzxKr{tIAm(ApnNu5(9`(rytXTMGv!SrY5DUc@iJ@P0
z<y%A3t;(~wSJ1kb3+Hzn$@NIfW-P$<9XV4o=3Y3N&e2L>|7Jz7w`Z21WN3>a2r7zt
z01$yvkN<M%qN@_cx#yY~&BPeQ$=JS_Fjx#pjr9H9%h#b7wTJf29X%b4_>Fek4PYhj
z789RXTE|PEC718E+k_;rNY+1n17&65k~Wpqqbia2hLs^+zDWazeM?xly<Z$ElcpZ0
z7HJd*FHs;7wL?3he>{HFJ2wq&!gY6au=w@ioi;jX<>WLm8Z54VZ2AM*k;5NPP_#ty
z$NCVu^@(H=xJ>u?jiWM`S@~ywBz^q7PbJ|eyNihd8l@^=*HYHRf!-?0_-FNQ9wh$g
ztjGUF+?$6({l@>lDw0w{$X=FI)?_K$Bq2#c*#?s&%QPnYV3<<&ErcS35R!F_WsHwK
zgzTANn33HugT^ppKEL<p_dS1{bN)Nmb*^*%@UQn=@44r`@7L?~d_JDRPg1)je52DG
zoMRs)YkCAdDgW|L5xDVqf<zEgBo9hE_4b?vZ7=p2u-zy5KOEDv<Q;Y^(aPryI?x>K
zIPWeTNwXh3*`)lkQ|{GKR#7zY%dTbklh2g2oqRTmw3yEU@%7QPJIy@YQ6z8<;j1cc
z{GO%U`qw*Yw<{xE&lXAeUj55owK?T*@7nHC8aQ~WHD{yBJGTgMC1sv*X#ggge*(vf
zy!Y-NWRXm}DGCb)ueFMc@QA`8B5|Ie4#kO$2Z%?uKd!BwGvxjD!F8uRL*ar%*|D!x
zA5h-XaVTNXbI=K-CanZRrf}Ph>{f|_?GcMWv`~^t&w?oq<ZkveSa5b&9PDJq8CBHy
zaG=d^{%P~@^bR>C!9YD?93-MLRF)ErJJW=wmLxrC_(f?RFGv|0SHaHWyzpbjKIa<#
zaecRNQ`4$Gzh!i9|8m2jDzK!Om%0_Z!-$ZCG)!gTpDFk7*%ZIR)VZhEQ320!PY#m-
zDT)HUo@$aqi`*mI7Lg96ArmSJqe$`66?~Z2%T-@zJ^t=sx$4%9EK7+On>446IN9>p
z8ga$1Ym`IPbx2dv%J;CT$cSq|nXQn(di;6iAcdd_=OlKQu0IUVvuAhfRm*o=T6$RZ
z;fqPX@Ub8s&a*n+EN1mDoQyW*2q3e6(}5CD!E(EipzGoH@XFezwb;gS)dlL|w*-0?
zHvSp&YWd}D(%r?U8^}eDV=W7OguO0l0W28M5?!f45dP63Dlz=wG;YW^OK83#|J+)V
ze0%a`CCbPPxLfquC66?RCr@v8#Q(5Q*H|1pPYC*q2OLN8pypp0Xk466|JNqDDf0n{
znF;6<xuF3w?ZnKhW-B1gMk3B2b*J<k$mVk!b9@Y+9%oal=Iv)W8+6*m5b0;$L%$zB
z5Hiz$U6r!CMNlPow{3Kmu5P!ZTo(X<x>*9LHwJ4%&Ob5h`7g(dx{q&qD=kWXW>S_;
z`Ci!W=oOza;dpGj-Rs4K0!u=n6V6bu?EMiq9GfS@cyoF<Qd1$?*{|~frn%nNOYLQ)
z8w@6H(&=?_M8sNr`N{2XPcM;f2Nuz7v$pz+q44^QEf}RaXzcU@O~sBx+*lpP$3uJ$
z=9p0#UR7sz5O!x0hBYp7SQGXOnGF6_+$8{0#A!e5e|bw5xK<pgcnnD51-BN46WU%t
z1p6xO8ENb7D82|WBkmaPHv~(J1r&@0BL;}xP+vg{FCW9>#LJ1+cbifPoTd)ISj}5i
z*i*Xx4<6LR7b|sx;r89zKs(=<Iv1mgm4yPc8Ou1O6Utta4do5rwgNR9XQRhu1DoXa
zq91RA8!FFLgk277v7-cJ5*o78%)u_J8Y8{;iZZ03DmjGKoQOD$F}OLwHrs>n$ZimK
zhQTDy+L3`YZmZ%MZ=!ojr>`sUgbj%MTa-sgvs|#{kNbTeKeTO~a=UTfMe&biJPMc?
zCTD}%l@+@k;mH@#>~6+sQd^u@nxs^Bj@^VpE8@AyPfoe(SN6NY?(IVt_n*~#w;#xP
zj8|Q}`~bT7Fn9-DHC8&^s`oF){$*2|KO~6-RCS(JA5l+K6Ag4}G2NC)I9}RRTpLNH
zk$R@7q}$`GW>jnHot9C`=Cjw<oQ8{Xg9@1t<ZFBG)E_euuNkl1$dcwA+V6mLxRH8T
zNXKF3&g0QP;~OO1*DyM52Hdh3d?YTN^UV)&i#`X1S%tkXzyq)P*-X6f)v=_+&8zaW
zz&PrI^bqoCfAHvEzKxvy`YK-U?C7jg=M6h(Ski6r;JRpIJL>_tew&x4BYj=+AwY%R
zex)8B=g9X;&#P=rN{K2t97TzcLDX8<S)!@o<6?l+YHo%*O|fL0c;nrVV^{SAgbb@&
zq=~%Yrht|GpSfzieDs|N{cJ9K5b2U-%-poF^lt@IfeqnG?X;<-)z62^pHw14dZivF
zz9>F*!w^^VHfN=26gu3pUN|{y`lUeC>#{NIim^&%H+nT3`+X1kcn>YKeLQC&B_4=h
zq$~pi%TUwq(?<Wea8rY#NQbr~8iU-H`HuyOgqgGi%|C)B)tM;)3393zufCSLAORW$
z9Z^EUijh*(!>TUmET1(EUHLV}7CSOAIkf#)j>pR3QCZ;0p9Qz0pP$rvefz;+D~N<Y
z1fBEvnNuG)0&2a4+nplYGjeG$o%zQp8eS~3uK*3An|#`3%CH(<H=vy#=0~`gu;)z(
z))vn>shjGoi7W*g-f+xhl>t9XC8iVO7?|9m+6_5f95r~@;sgf&^s!g$6KmFpFHI{L
zZ@AXzq4|?hMX#n+ZMc!!Qp7CduvQhwM|FT#Z)vzU+j*$M)!hrBA_x89GJ)%abHa}4
zV_%#v+2!5$INxPbNcVe>u}*XG)>zQqG3#4*hsu{#)un$elB!AA^~;IecOiyh3g{Uj
zy-_IO&dG)7T&P^`1VdBK;u-z@qYDqU9J8VW^|cgpJTE2lJjXOPVv<kAcBS=bcgj}y
za0=Y4`iSF-7?T!A0h$s~-pza6Rk4#1TAAjM^S{?YJXI|HA_VkjgVzGK8XK<u`y2ny
z$kSQcBFZxNOA+o$#1!B+xPPDTHEJUrntu>Drid7em{iLg&IQ?bSnooO(PNeYW9A}O
zVG1|4HqonBz8;iT5C_4JpQqR`(wTM$Rgy>-u&0`K*-2d-`wKtk0$x3M252P`*ZjS*
zw6ACK8`2pR{D?a&X<M)0mFR_|r$aT7Kv#oH2FN+fe+8o32k<TW+Of5OJf^HJOM-$S
zLz@H<bV2Z0q;#Y+I-REKnTqDE4<3t{LE&C6R2H&{YED14b=xmqw6b%RkJcz26c1c}
zZ}-JjbnZ{i-`d)yK>g``zaGfV2M;lW#XeIL1e=vm#ratg`UE46I<>HrH9seUXr6mG
z!s4T;!@1X+JH0ZgW@Kf9_0FBOAb|%0YN<2bGFO`#_>1NxU#Z!oEDSRg;qfZiD@BZT
zbL!uz7}sAcF7g~dBc?;!&oCf@;2!7>b(Pq8;lOW}KiK8Y<M7gu(3!Br&>TGo`m_8m
z$0$lT%la_K+A1?E$ZqowX}_wucjd9rHYfoL%=hV!Xxi<q!Cm<Rs>pCxns`?O5V&$F
zDx}cf5${z8G1)qI0CoH)i~rm8OC4F)oi^i=!H7Ahwto)c^tXp)yYQsuk~muQT<1Z|
zYutr(q9ipUQxEi{LEGHxrQTPxSsu~r*&DCB?dY@jD_XP79J1WOL|;Gx$#(iK;)0TJ
zL{H@H*{WMVxC$8@fE)OPfm9>yS{rus$GYYOBLvw)bM-${%D{*iQ(A9#Nd4f&zp5LO
zPZ#b_TryM&3IYy9d&izDx71mAPql8kCW_Jf_hZ;6&-*0hZ*0*QG2kr*I6{hf>s9*M
z^cTzqVGhcWZ|W!8Ey^jHb~jG(@S7eVHMj#O*G$#ZnTq)<EwrxlHz~Jrvao?(2L^Y;
zyj2RbXGIsAc(;_)k*OIEzY!*Eu<6NLc~)ak6aE~O+@HCCdb^RdpbWZGYG%u9Kk%J@
z$%3v?%GOb5aB9G%ad0knp2{vdEKq&>HzYvPAp$5_pS8wW5mj^TB82bgru%)OJ~*Sv
zvLQpIxe#vFlYuvJ10}0kwZz%Mn*9D~4HXL7&@IaP<q-vmV-R&zyNZTl6|WhMX^ERe
ztMWVJk@gd^SvKPWMBR!>;Rc9a0{q;=XwdGE2E^56mT3*7LDwRIR#y$g23QDY(0rlC
zV;xMy+TkaU#b7Q~u=DC<&u`DG8Hev1mfs^cN*4B}L!DNUM;2NY0lrQ>N?^qf;xmFY
zbU#z%>c6Pxf)x0irj4IhU$mD{<MeoU8af3muno+DW!zldatCNyc+ZycS|K(79+&zX
z;kVa$<%<KsE7ZNhvvvk-2D=<f451xn>r<3FdoPA)^`5;fcyECo&FEf0{YG^|>U**l
zRy7`v04ANkgR=jWnpUS9<=?Ar%Dx5<R=mA8?5m-st5M_Bl^~Z8+fc?wh)=xoDBE&2
zF&nmv&THNETFD1P3x=bXD^7;HYh;^OZr0=aX;5$gZh3Yhi##muNjy5{);bjkQ#G#3
zUJ}2t+}3RFNeua9dd~3EE9XD%##RH@IgZGk+?S?*JuJn#ky7F!Bqz~H!Q^0|)_A>_
zcT#K}QPhqTY@l(z^Onc<JsoEe6sMJ+#Lo>pb8j$yp5{EtdMzTtJ_!R1?LbrLSxPkf
z%4mer+Mc8HUL5v9q$MBT3pK5SO<SYq1fFNDhs9;IKUqn*84G*3dSOP)?ST{R4R}Zm
zT8^Cw*YOJ9%$tImmx{>kF8Vp=77ZR$5MZ_k(*9OXRUPn{W?)nxOrEl*O~qrw^~OTV
zLaM;4)q_4Qx3<Ua@n93X3!eZRR?1-F5k3kJ?K$XG+YzkSLR_UhE}{KEa;bK5Bqe(u
z{Ll7=)JH-heF%DWLiWKKziGv`=0)q$tLYDuDbtcsLR9!a!+?7xsFGauR%bkP83<xC
zTNq%#Sgxe?;kV7vDF9U(>~d%HRI9<^?hj`-bo#*knOP^Er@=3x@nld!KH9E_FAC^Q
zaqVp^Ko^t^nB6FT^j%HW6O5%z<!j;{&36h-8_|t*M}(n2y6Zc}&&M{N`PsWCaB`&M
zo_D@2-lcrXxgof%^V#3#ntVMcr^&u6$lTHJJzI1W+R<T#iH~PgEtpcQ$fw%yRb7x%
zPl1gBbz&8ChNWLJU{D88=+qfSkEhV$^{H=WKGe4i*k8E2U{iB3>Pwm_zQ2Z2g*=Rn
zP(-vWSZ?$IHf_X?(SInHgiB20%EMM-hHtT%uA#5eDL-W&j!dpxS%(Y>_dB2cZKOk0
z08{YV)avB0Go~(m(F?S;3hLW!9-YFoYaRzu1g5(1l1n+^BDwBgZ_%gtHx-vm)*feF
zh*akh<rG63-!J^q<X&Ty{$Smok5t;3D*{XuJ6riWA|&eAL%;`!{&sOpg8<Q7VrpV9
z%O+|6_(?%O;;j?#?Yo4zTv-49Q_lNb!li3gPBp&)>`E%2w7T`5R_gz?ziaHj1|NWk
zvF~~F@*a#TwlU0{-3oNBex3IGzbUt9vquU5!O$x}<8=h!xa}W95xU#h$@ij5XmHl+
zHVS#}Uk+1wqkCY%3*XlP?%1p6|8i6T!lKWWFVV9|bwJw1JNK80+7<e?Sbb-utoHb|
zhK};z`(~mX%w$lmPR`BLC;kEzX7wAqghzSPH*QEVH2I!RF27;`z!DcNhBOUI%KgOF
zX{0?P-kAI|2H*AC9nggayy^FnB99xN&(n<Y{E_MP+O|_-eoFUi!~~5o)$5|3$?TPq
zp=w7VCCmGY<g)o<Q1!uBFegT2%FofM9WJ%qes2HHWtE?X=O-EZR0ugMiml=esN#Z>
z=A{J~MYgV<&502TE%Ex|4`x$gUOoZa=gyd2y8mO={@KL9*7S0(i|}Z~MFhBGizGrF
z?oz(J#PSx|yWSmEDBjHzQ1RkjeelJXE_#D}%IHQ>gEjg!FUw5Jtib*Zg5!(HR9vlN
z3&AsAUiI6M%A@@S5&i5Ougm?z0f(#Ly8{-gMX6gs+P;wAo%-038AElY)c!<KcWd?Y
z{Oz3nsomxd2FIvTZJk@kJe#?4%;ZaA+>YlTyX&`+YEn}MM_wL;+9lXzn0<wX>+^jr
zTw3iOx6R0yq=!E~09MgM&;Kp_>IAMxHq9^_l4@t$i9U8}3Gy~01L%gG@jgI21)=Nr
zeeP%3ek(Ub5HEv&x)|M&<2{*KRmc*ZuM{WsM!nFGKC`Ox{7u2?!^+mo+)~Hl%F0jX
zBeL;o{O5vBatQ61vd)#>uVcW=SqhAd;%<-6jKV1Z5P$@gA<|A~Vv-7Hh#!_}^5$Lh
z2LEK3z3xl-d6^kpUVTs=4{A^Um!mX|b@9Q#82F$`G0?k;R@l}g-Q(Z#ca#_xDg&_H
z0sY$l??cc3Cqvi&4+o^>G)vYi4}jnYNGWeO9<1qw`O`t%-hv^&2>Vv>o#&#-N@s)B
ze(amt{8(tL8qS}FuupO?Y$fK`KhGx}LfQP`*KbdjVv<zlYbM<4+j?@9h_+eF_Tbt+
zzuPlM!Y><GgQh1b*VPxKL!A;(4Agc6y!bCqSj|!x3NqzB*-ID)a{7P_%K3r_5F?Cf
z<;-w1Pw#+|W|adkOWWu5K88t6y})~iOf4!o)j5P08v8>7>3;6gUYWxuxxJWS?CA)N
z!+bqd!3s|Bjpbzbf|rP$aD!IXsJGU@r9xNtjH23>HyeANl>%JTL1Lnb{Il8vVhPqs
zH+OT)kW3bO^Z@2pEF$%c-4A2sw&{a(r5)@t*}oyRkeGitV3uzL0041zX>0&kxD7o{
z#*L`RVsH(4_{W)ACTTa%A_v~Q*OO9vX|lXQqMh6!_x@9Lijn>h_e)cp;@z(D{nChR
zp6(G@4?hzXjt`tSjh4y{{^+J%fA56C>(b-X>8QyFaX`fS^m`>=7oP~8VQrSQJPmX)
zd8xxP!zs#d^EEDN34B!N%c=2;!4}9@X#n>(5q0wcGJs>u4%DBr)^%u0vuNvB&Se4r
zCeoR~P44YVGU}QmxLl{sP8QEk>j}{Dnu}Pi8b_?jF<&vWWAB@{PsIG>78f$KspntG
z7e_rCKFRWB@VHSoX=r5;<59V>rP1ZlFL!-*%aq*X!5&e$l8*}FOs|^EB>#0IPxWFL
zuCy!?>TT9tFpVZ|-C7N;3;qL?xCv0v?|W~56TRS<FU|HP5o&$wsnVQn@H>o7<|D=%
z(mDgeR5ixH?x~((yj^qg1DrwX(6Df0P6O*$?8omyrd!g8WTPm;1Lgiwr3i%()Vy;4
z-sYzqmu7*{L?5~>gdx%b4f*P@uh@FJ6-?))YRBRLLmt)kE54_+5czCE<!?C5=TgE?
zpd^jI+}EIZo_|BFXT|=eooL@YH-ejfo?7)rb69*$8($iy=MYE}>~!>q3S6ihgsb5i
zYB1Te&s-(0FsH3Uc)u(<#9sZX&i5W^3cS?}#_&JDunE0z9w)S-Q`*_~#y~#n_LRy3
z?S1Nc*4a+Fzy3sPf*0F}k{nLf#@;5J_u)*W8vw15$QXM@K7DIEf)_~4ReIqzvY~kz
z)TIugq5Okk$}>UFr;BWpunA!?++l)$s;^$XD5L|;BBjMcNPm0`;yUQ9RSlK)O=j&4
z?1A(MEDdNB_w9ozxK0*;O6L4C%Hm^QY3q>WCVO;I6mGTVTW38Q7q+;%{%F$na4{@)
zIg{LRhogST=uT?m!m?)20-J|fygpa={Uf!v%LT-UB8ML{8V|@hR1e$Q`0BGEVv#8d
ztDLC(_S7UH;KcbKDHpkLFJGEyNMlqJu+Ge@0F)IK1)#b8_VuL88Ii*_V`zx5#S@E$
z3}4?<7Q8jTEpcWM!;N?P<6CG;63-Tq_kcI>im^`O-p~gKe~t_YsU>IYtdnP1p{JN#
zVo4*@DfH7jQ~qqSvySQ|W3L`7x6}u7ZNowo{bd782^+@VqP4a_!@RH9F!|Vdsx5#W
zHEh)<rWlb=zd#L6KtV0E7lg(ShUxVDBBzzA5*}9_i(UWE$!5=^id05FbeJ~Y;F7&%
zcv3M@ntDHl&+xM+P6We<qUrEOvn3{9pewJpKVN^4Z(bW_{=O-aGY_mi&ed!#mMV>>
zR%~B+bi`y9=m*kBzxBY>yc?BnfIS94sz#&Xg19>0(2HWqtx>JmO}P}e<2Q2OAlIwA
z5I!R;!Nal$Ib_6WK>m486weD-gy{P4Iea*=j9gXANZ#(b)dCl>5KcN;<U=fz-@fZ6
z9$%5lA3$EvD8NGcG_|3-Z93^mOtVTs9`o#6;wTfpSXVpuJRK7l?x+KR4pFti(QJA4
z7>W<4I5&rgl;%fjqsNss2B6S6m5zYcMAIvI%3qo|kd5x5J@dbvLc?FORS&-aV-(e-
zJVAzk1tSta(35vFa&5tAOzev2)<T2D&RNnum5IJ1)8<boLuYj3&F5_i;Ba8-wXeCg
z{4%R+3zwgnAKjY+xJBwNr7~~LFre01wo_PTa>{X+R`wgRB>%j#k$H&hwfp5NGTA(`
znd(*xnF`iwFGU~62!2Dg>tf}}ZBY?7sGDtMX;H+R$Ba~84_~shAaTa=dsR5yjGt0;
zR5t(}eYwlk_Qq%9PTjN4)59J#ZF(%wLh@&tAORHgVG4bi;c%)PLtsxW{>$MJ9z6{l
zTXxm^IeReX07i7b*-n{UMd$@$&~U0O>tEPs)eMhL)Tw|ZzQ?UJ&N1vrzvfLJna7^i
zGH&)nF0MT_nftk~&8{lT2TtvxmW9@zWMR>(@b2l*b=8cafgWHN2E{~NMEZ?j!^`^0
z%*#A+(&I?2OsLE$#RTy3>!lr$=i9)cxpJ=J>yexbX(zTV0f3&e-u2HbQe3~57;!YW
zN7UX<WtU+)z!T|THeH;Y26Nw$c@+zjO<TL5^_giiD04L_`E8wcDNE+CCPE77M;m90
zQ;Fy>tvbmV`nR(#D^qyywICOdEc(Dr71tzHWsHziV4a!tP)v}dS!r>^4Cr(qDozX%
zWoJK8sVNz>x)G2Am@dz(+3MJ$bt<mK4?oPFRoeVeUSq{O<a9-`@z`VW?%u2k<d<0%
z<<iE17NzAJJ}pbTXxH~1(JtO@Gwr6T5YW-RxeF135<$HH&rk;-#9s0Ccto>{df}t7
zQa|fVJONuu9C|UxvKl;h;(PV10#{@PFVusca~S&q<(0xQ%`n6UF2FevT0`PDqN7M(
zHDW6z@RkyEO7l`rh|K_^@Q7Qg&5I{O7e4KyI{6q^gx^q^<g8w0X)-Dvj;-QmOoqX3
zD(mU{hi0Ei%+yl4)Dor`EKFx3>&WDd^0ZoxKX=+gQH(35$t-7T8$B$A40^?uf#ykv
zUjkxHUfKV~dj)6v)Cet=dihYUG@>&he{BrLcx#dkm)-|PDM%J?Y%rZw?f~Ug7}&)&
zx1q_pO|Poi&!sAd2xS56c-7*e<z7_n>8h@OIXD<_OBy$jzFUSUZ9n)psR0r#@}h?>
z<@gyDxC_%$@#^QlARMnKXW!(H4fKzejOnn9J{ax{H`tbRBXcL<E|>+%VExx851iB;
zIn=DUqH@bK^dJ0n%X@p~s%4_I80){RX7fr!g$;YKHhW1?@mVqvTv4(9@r*16gNbs1
z#(i3TVI`~kWL`q7f@(*9OU<Wn7q8j5h>WXzmmBdJj4pN$FPZfUjs9rxi>#Yq{*~Mq
z6|deLC+pnb-+9%rP-W8zS2f^{Qi*3rW@aw!N2m~?L74-#&AG*h#nO#HI4M8HaW6$r
zbzw^iVTg4O^ZLq&F&Z1n@hyhh39r=fNcwCnWecaByE{V|5MDHv<<+*UV8l4Zbc%7&
zi~S}4WF8>-{I5DXnuomXkGGE{#W|Wez3wpi_VXo&+-t}+0P{+<9*|B33?mmkbsF9*
zKm$kgJdyeZW?s~}F3&c1t%l?zl%ivOP+dr!S<A2*EKydy{N2Xty7ezcT3bKOcBjRQ
zP+9d$;ftzr4rXX@uD?$|)MfTTXD_N+C51dJi0D{0r%iQP9$!K6%L_6pI`KlY??WS+
zt|S_3L@l8+m!_BEY;TH<B2IDfo<KIyQ+N<I7F30(`dL2Hx){sRfH3=wZ<VgjH3TEE
zw|A^o$~mO(?MTOiFz}A8H+hN^8ZiGZkvVVbfw2lkCAYv^tT;c$*6=;-_Sz)Rg&Hms
z)(jS5`H5uU{Wtu&O~Yh8A#6Z5R%K(8?C?2Hlrwcuoa6CC3@>2UkT~mQG+!SyMs3Y1
zv|9wrhuO>1!U*dO{MK^uoU@AmoEV!Q80kp^c%Afi$L$$O>25J3K5+VVhlSYP;^3aH
zv)`L|zr2a&n4gj*ss0{oH;_F1pkg2ZA<QAtJMizduaujW4H?W<4EQPz>UWKH$R0BL
zH`vcyPd1#S{L|~O08hf5XZSA+^B_DN$Jw2gh&6JU#Tj8tM%sa=>vc2f59Mwq{1s|v
z`oUg=v=il+wtCCR-8N}NR;RY(-^#p-`B^d5v(Prr<h!td9MStNm$Db%-}-p=9>IL`
zl=!tHA!Qj&&h$`F8tky2!qye4oM`sO!4z4uX*(n5+m3@ghR-5p$15Fo7Wlg6!~r{a
z{<DPpG+sx=&R6G@k~DGor^nMSL$EtqWHVTAb}JJ|K-H1nD56GAwYx|*Prx-=bP0q%
zSyq`hRZh*$4g_Afq+yJg`xwb;I>{mTDLn^>!X0D;)8@Jp3J_to6Lz+Z)ne$}hDy?*
zsWHrY_(FKe80Fm^l>)9T^;^!j0_0w;=UEy7SCr4J)3ob^hWrJysuy3z1@Gls#~6<1
z-yc(zB2}gl=~VDxUcc@8C-Og2Yxu-DZ0|fD*|{mV7Zw~!SpJ^ZEV@$2R6xlWVbVt0
zGQZ4;x49DXlcmoG@QKa<YKr2|M1%?5*{GB5=p@EHt>NX4hC1AT8m{gjclul!uch1v
zmAgG6l9=w{=>c;FkeR`~in}m@9*Cj(w3H&^PyNU~QHpD+g{^p;63Idn<R>*!ss^f`
z*m2R`EEEE?O5`;vETs!jgR7giw8k?#cUT74#xd4Qi!8iswB*yfTv+9!rgEiy83__a
z9CkwesCIJ{98kVOsmbZ2a1pY{E3D+gupkuglCGDXSNwbmCpq?gdD@_q?vTT2d_KrF
z<Gx|Fy?SJctfGnV`sM9|G8H=%Sa+_N*!?JJrl~D;j-{HtM$AHIplc`UgCW$1d;*=I
zjRi7_vzNqojzMr>#1s)%LS3?oJ*Vt!cPup`?j4p;&Jw2YR9<b$B;Wn#kzY&v(`LTk
zz4Q=JZ7<Mrljd}SXjN8tX&L@avY5`Zu(Nvq(PuN4pfo7ACF}FlK2ja}k)g^oWpH;K
z1V;r-GD!Y3Z_C*1?x9=~#mB1D#n3nKbX$&m+RUofJG|^wlTG0lce|>2f1lL9Zq6W(
z!l4V7Dyi%#n;jOoz^mZ^SMW4*n>>jR4v5Nj#@Q}=&hfNGi0Jyhu{+;5tLy|=8`4TP
zS_NTyBOC9ERe()DX^zb~4&U)L3z_xVXfCJmMFUZPoB33Dx1Bn|w0DkQ@8<k^tLxuB
zJrS?KXZWj5cgYU63TYEnuF+<7ibg`CCJr-PCpKcH16y5`kD0XK8o^~3YonG^VU=H+
zK4us`6}UX{CAIp-9qa$uLsi&=0Ea~xv>?)B3CI~IG^8aA{}UpeYcE_;cVubOWSSz)
zbsd5sb&j?8AD6N%|90@2@b^<L;=Py?%95l1ZK4=(L;ZGmjQ$lO*kw*v8>OhYK1yE$
z&M_ctDA>G}fz}Id9@Fk|(3|zt7<oE=_*w}y(iXhUUeg2t5yl_V#}>Z_G3lqMhb2kW
zJvM)v5QESjA<KXklt$OL@vrPmHx&4nd@~n!oHg}_X?|JhmQ7#6^xu8`uEbspCBfGD
zp3k&Ls#2r!yDZNlq`*lJJgYQ9aMDB<FQV40=a~GL(E4|$Jf$>~&G<5|xYbv1m?#!9
z2AILfD~I_=1W}Y0lOSR`Sr|FG3HC2_9%`WP*_iQa3z$jVPwiYX=^t(3Ongu5Te`Fw
z)$}Mc#~4K@D}IhGmWL7tOTPUryR_(0nQ?eCn>F)v3r+C|EMi|^|G>k0;IAs@Arg#=
zZnjFQ%9vF>O{gm~Gy+}XVyy5H76_M5YQ<g~I2QHHRrrh=sr|{53Dh$P!y@7oVy@jl
zjgds->zRzu87&_9UWL{kgKfT0{*p8j)$Hid?o-9=F>veHeDKS@y!=gPJ_geP5n?IP
zxRaDv&gZFn(W>e9$1gRGeW#RwKMGvA7_S&2<523AiMTIw4h0&tRE;3z4o8E~s8?)d
zFBiGyG0n0K5b4YjGyxWNzvUNP1M$<vd%zbKe(t)lpvftv#MkE)U6Uu<H9pA|*V%=C
z8=YFJta=QCJxR=d?=CquHldHREHxcnlFZ)#lPb9v+F}f3Rzj;{S-NCp5fe+kHCfAS
zt_IrU_pW#N*Z8qYa-OmBa*5qCTkf;<lyfXQrhp^Th-Q$l5XZiVG@+?R1>`<I9W>k#
zyeG_kKYod5sWVf*>WSHrv*Aj$24k$PjAE=B8gS>>(|Jc2<MIa5O*Fm!X6PDyFodKG
zwsf`~3EIs5F#|SHeFRTo>tl!i0`{SB|37VYKz<eB0i%L8M)rsfROaq|xXPB8+SqM9
zZVrjglNUT+Qj5t*+Sf`{{$!!JFl29<DMWp=rDI|pD6*s27uuw3m#^Eru{nvkzIZQ(
z@&!^{>9IIav|Sr&zrj{QwS)9-(!gZy#K0<sIqm|&uam4_jLuJ}w-B@f>Y}cvC-CR-
z4r0ffqY~xa;I+di0+Ni5i(~v<fZ=eYB}<p4+9{sGGXr(eaMoES5p$`7Uy?U}-`60B
z{-oXG!6?$xdU**!{G*zBQ>94gVGZjTQ-99ch@3!)5E`T4roTF^63<U)LiJ@N1aaHs
zQKEgNou~50S%Zh*%^e4n5NQ50h?{*1I@t`5#d<-Z{vjof(1+;O+`$c1*FeSY)5|%W
z@bef|ai90qcf=j~E3Vw^=nHG5>|Ier7XGOmaT@8jYgw%-sR?F|Yp#vz@Vy1qJ&2-$
z$?z^dA%HG`?kS?lY!5MQlGp6<=cVuy%5G<)jNPqcd1ii^Ka1oRTFD?8u}?y%Iv`FL
zMA~xiq@&N9()CnC5SeLJ(^3<y*jL&8^TNkM$gDY!fGOzUqtI)+7m4&XPC$po#r`#Q
zFp(7vM_W=X&wN1D*Uy6Q;6?()H9wx}l*JP}d5KQ(;?Hulv?e*yzMQgyK8RB_c89l@
zV6(&TZ+x!Au=Mj6O25CI<7o4sh|vA14K-gpvvhK2zoV<X4KC(ZeKC{tQT;AOerz54
zX5h@9%NO1?4qRKp_DC}>%|#Xc2f+x(IxnmmoKJFESETNL|JGJ5>~^h@e@nQKxj~-a
z@0ghl(ZxAOtIkgS%F?!)2AgS&n)0fZ1qVMVk3ViEN9B-QC!zjRv=|{3Xmj)dAQ!5>
z4WG~sI*mO-3P1HA%MxhpweeYk;x!ffp6{Hs{AwI1sN8%zVewWx^ZSwK7s{h77ZTl?
z%~a(w^MkKq!1&qzGU`2l{9XjC1$3wgQOvhRDA0X>vACJH5$oi~xsw%_nrKG{ENaG|
zWZUCM&s95Q3JSbE^Q|Lzw&}No%F&(tTUGLmDyBE`CgT+OR1$ZW*iuah;1>rL<fD|k
zRC>X8vo8cU88UN2c)K$D25)=m_C#cpQ`8GxatdXbnm<2dz?beqD*<q;XDi)XsGSa-
zTA%f9r+%|&7~5D?$d`>HZ<Fu$U3)2Or)O1MkEidivn@Bn-?+enL-$v*{#0(){6YpY
zjuo+gIijK~(G|H5CP60|$(>#F=>9uK@`Io9o|#?RebHmK|EiOJB<dL=i*7<iCE*kq
zo!z11+SzrC^^R(WuHBf5^O=0jw|-6rN23I|;q^bxZ}l9VzapxO;%xJ@<YE6hxKt2M
za=yK`;<;B<vZjS;4xIdmDw+9ed(8<rR3xYkleS0i{8!Xmcw>jVj&%OTKEhI<i6rS+
z1WbnVMQzBB!;2rO44m_}kFpxL*25ubcC^G>Ey0iAfSR{jgfE{`)p%^+b??`lap|6W
z0M2@9oXkGO{waoO2YMIrbL745)2Pl+y-WD1&Vwns{$P2>xo^Jcj@9*Wh0JT{yv0u&
z;?w)X*S<%zPvPe%JaC#C3&y~}$-3f-xmQP?Hc*$RE0q))lgZ}BCZlH0=6G-E*4;ab
z`qn463py5|j(o((@%^%vcYy&eWY}~#Zou>bt!jr8Tyx<3v;zq`pjz{VKl5S1q<B;R
z^{<_;ezx9bk4o{t@j|$BDQCf`j(?obB4StAkMf?>sDD7tGLdb#Yjr^^e+*o+zG>pl
zTzA#?;p{^&dMg|jw(2k6KR?O{AiyRnN1#w}W%F+`%FFV10|f8Zoh?-yMzbMXMpKa2
z%N^IVZ9f(n6^3W_vuD(j=QW3NHHIRB<fTj!mp2#UTLF6Yt(abX%$vXM3v-g5I0Gu|
z%K=jA+F105?Bc_3BqT${HB7rEQ#&BuqRm}gO8(jJV4vb(8ng?-2l8RUPpsqf@p|Gw
zuQe%<gdh^ncSn~#`Ilq0p~Lv7>2*U5o6F(9w=cDGJgr2!9+v)v^Rax!BF+O>yGbc^
z+Qeig{_k#RW_>`Cs_|Iohcs})+sGv=x!OgUWZmG|+S@<ln{M><UooZJ)FiI0xuAHR
zneD1|Ze~aeT%6)=U7ZVf;K67s`X(G0Ftn?&rCDYSKHqr@8(SJMGx9>D>VYfPY2Md*
zzpXoFYMCi*$6~8%jhUIrmluo^{un3SI_5XP=Alv7<`%TOAfis-wa^%r@@amJ(;j!4
z8f`}f2>r>T_tnayla}tf3aI(F^xx)?)l4OU7+0iU*S8&mV&()(8yH}~Y1`$Cu<X)u
zjGDs30+{<n0{`>{d=;WRPmD<p5x!VYn$+Sl4X3`LH&Xd}MKyoa>$}j2>z!)df#r_S
zQ2ouQU=O%VUGK|Z5F_3^qw*Su+aHE{I^7>gE4{#@D=RCZH{^XLUoMXMfJ07huI;t5
zgKglGti9mbx=e;YlV>&J49)Uwprn5<<Sgz27^!ay?3G{(n&ja7%w~yb*`q&Cw|-Nf
z`B|Nr^sFT<=*V<kYr>Q}6T}{Jl-?kDkXHh9D{WVi9^@pWZcNF6{hw>j#KsV7{n!t&
zLgGd~Pju>RK^^%76e+(aU+gyn)p<Z+Wk=V*^@;DM@KOaOcqsL@-C&kwQ&Z#()uM;}
zgvva_nm5Z{r|oUqsMb}Hn1hsQ3d>cq>){&ZvkSzyU`@5uOPjn}88H|Zbb+b=DM_7V
z+?Be;o7`k-0^MuM3ULl;L8G*0(pn~F<t&N@7KK}d(lKeZezo|)S`^-fuAD{xKzklj
z=E8c!NGG*Gc-JzUmoiE`f34)Z*S2AJWgAcXms(uU&y6!pExO5UBv-Ob50goZq^}GG
zCwQ!s-Uusr9t_P9hlqG}-nY1SKwNz2WaNJ?)AHG>tf}BUSY;~i-iu|u$qJ?;>kiG7
zVz;mrZEzHz0JK8cLX_yN@USu{TeE3|Jwo5j7;%f2RNva%SK{%IG~sp%g7BjN`6@Sy
z6Ts;w(F7l%e<9t;IXo)gcAZtkXP=wzyKZM9Ua%@$mB%XXw^%)Oc;-|c%N5?#)2{<?
zNQr|W{dCKs_`1=av^HJbs{Hmyl?ui=2e)?<0#qV=5&y9fHIa(t_FmP<`x8o7Sd|mB
zE<C;S0F&S&Kp{uTdxR-E6hCC!hfi_VwfqQ{dgBH1OyOdW+6J?arC2cj>vZ!xP8!OU
z+XDhDSw=<e=lpJy`kJxT=7=00N{I<a!>=Q9$9^HebTpu7+Ir(y+I2$jv6~x7`8YHI
zX1n(|*+RKK?lVfo)2Fb>ei4%)&e3~Sku}i!^SVL@9Ipy!XX<Tp!}+4WV{J-@8V1z0
zDoII3Mori5o&d+nj>8If-bo-=l3!(<9zVJ)6|g$))ZYhYHq`Drc>ReI^+Vri(QSq7
zxNI#4SAjp2($%R=)RcCL2<2dJI)Z1`adri^+`Z)7+WNlXu8L(w%<-G{`AVic9EQiP
zhUkOYJS`-cEy3{@iljpOi|GXMdylT`WOXuBUSt_IWjk>0^kVTjE0o22bu9m^l5y_T
zlcZ^0R1GQ#>#j}VqRsuozD#StEL2EytQ}Z1q=r;Xd(rn&d;Lp{{bibJ8!$<2As5@P
z{oyzsnm&yvqLTo`OO=!{z+SYUsNa7+o^EPk4L`GH{yAq77D-^*Z2&<u0{gGJ9uB8o
zzV=Q+sAAbKJ3H9FzSZfy%dAW4{+D|xO3JnIm_nz?sgmufFzqE5MmJM;4RQ|tCEbis
zKokE*YtJ_SX-oYt@%x#?Rkd4BFq6TTL{4`3V6F+a!@3{E8>k<~vAD@|)3>GHsNvTf
zRo?_Kb)n80t5ZW+%{Jh>X#`8&tyb*s;v|XdTU=R7ygb}hRLh>NQ^3-0OTcOut>t@7
z>2U{g<+XUyw>#(p7DtCg)UU?a#l7La-5(<Q<ANU_(+{ZzH0v#Zx>VeVe5!?VsyoZt
zVa43NaBg-@Y^J8AD8c-E0kq<k9wvO`&cI?>x~_qDlJdI8LHAq)ZtHta=J(vG>9zq}
z&I|PJ__~2GQgh<JS<|}ZBsQ2lCpF-I(Y<v_X6$n#=5_(Hp2<~Q4x4XqaM<o$>frz$
z>Tdblt{qeh+MuAQZN}*Ut~4spykb44p2meIn!i-#xqjzfp=zd~?2(W@xjKPfS#mz>
z-1T-KNLjFy(c4iogXq}-!ntGGLrv0*R<Ac;lzN2fup*ah?ccw=pBE7E^zx6SzQ=H5
zhQori1jKO-LaoMLAr15NJ*&{r*3pg=w;x-Mjh<~btAxoX-yvikm&|cKk(&J1WYpUl
zYVL;{^ini9xY3q-kS;uRH6_9ww)M>hqFa@|;n&91_6%s+zt+~#&r7Aj$x+L1HO{)$
zP;p-Z5?ao~Ub#xvG(!0>Sl^=sr)EVuE_=AX3rTWg^W@B13L*_?CFvDVDYc2fEpbMg
zw6GJSfxJBfrHdssS=RJH)o;~wG?c%-Xej#V_L>p*3wi|SVMBxj>kcEujif7S<5)YT
ziBM=BEu7TTE?c3l`x@2v)347Gx`pN+2O<gBd|7T$NOogR6+;mOEL5-JK?G4R%^dN9
z$T|;bGk%VBe7vr4uc5m{t-S7MO|++#`49dh-twv;X00y66%)F1;S%uhv81ifCOVFa
z#$zRejs%C2i3YD+(<GEzEC6s2p6dyf?&6b1NcW_9o%PJdp$jE7ztAMHa`l%0KL1dd
z(benyws$`#jo)88ar<m&OyusVwo?e(UQ67Rrlo*0zPHxd(kdCRThW=m^P_=gbi!w@
zC5c;7v7ZHOv0Nt^rt=`-J`%G^&;`PX)Hfj5vinDNl}+v2!W3hPcQ?~c-IY(B$G^pv
z7t1QW?$5e4(@SZkxmizvp3L#H92qvW>$bm&M)XvJ$uQu~eWzgzt{j*Fc2m0T8Uh7v
zZXb~WDeqsvxN3Tb-M9zyl4N1pN-#m2d0AJJKu~M7gh^ZT;b*M@wYX+*!EU%vXD=<m
zjDcc;>={!%*%Nu`B?M3U9zL@mpyTp5*3;}C>5$x4kE}AEpZuK0Wy1h5A0uQJGRrDf
z52Omp0p}_2wVAoq?4=mg=QZJ9W-SAs2*8b?M;JeU?`*;4&Y(xHEAQTTl%b7<qq0`q
z9~6F)wSp<*09C9;sJzf(J`V~8$eJXO7Vu(*$D>I&Zgv^q-3*cj?+u$xunL0@liARK
z`WBLN%=BWqpKSBu;}1_+Cm0y=Wsnzu7>AtJb1g%8IeTpr82KGzXsnt>v*hRr);rl_
zAq_3@h=FP)+q>ohjs?yGS<SEzLg5a24r;t!0KWqaFt^)KxmjW85;`5PxTtJN|69v2
zWFnB(R7jHM;XP-*djRts_1QDqE@o3R+|cnc4oZlM?jeFpqwYL}r?w}{Jap%MrCo<8
zrDGUjB)%x31TCpIHgm^_7L$JXDxgI->A{xMb%hTJUQn1smdNSF#r|G#_3}EkBld3s
ze>OBjwD9H=^^_UO@g|+E?OGTs-EJdPUuZev93#KrKd<&lO~sU>hylkDOZ>C3=i^Gd
zyXc8s^RG@J?*_cS5<ux{D{hULp(#$)s}sQa)qVp=(y3VB+n5duBX9A$AQBwMST<EF
zZyx1MP7=wUFiqVYPlq((WfD;~$<J1eN3`3(uDqe2U15RS6>~5jA|?;AQ<lR13hkga
zau)c+93m$F<q*S3GtzsrfuN6F6u0Aww$7u2?#vu`ppOr!G2}fusj^l*EiUQD-D6b>
z`W^{w@VU1{E}Bolmo*oK#zfCO+Nxto#hE0OZ^6n`@{dU3j!p9MTJ(F3)M&F36B`+y
zV=wz>zg80GvX(yw1EWhtwrQ=E({Lw1$j%dI6jvgO9{dWt7#=o1Ysr+hPxz5}sjhkZ
z=_iGua*6XxNpDL2=r+nla!Zr>2yjwXbbxuwdOp8}!gL@r<&<*n_w=yfuXEln&t7T(
zXyC$)&CiCG)J$cfY+q1pFW?56Ekbo24h-BqCfA$!b})l3>k|&Ef0)-NzE;Tr+Qv18
zopie-iY(t7AC(e?R0yO?27zaFHb-~vH161{UfmqJo4Gc-rz2V0RSK;*><}wvI554C
z+KlCe$3O@V)+kJ+GQ?e_pcLJc6y|ok1}c74e=^_K|EOX3$t<HKutr&oNuMoeHgO<g
zPLb_+0Id#a!PDDvDf_GI1#9DWgMh^oo~Y;L4w$FC87Q))6qKzy!jgo3o>{e77j}fT
zPBgVdla{O}wHki(-@BxJ@xmGGr=2#c6^e2Bc{<gI9?B?&&%@x(>12_&yOTU2Ul_J~
z4r9CK9YUG96<-=Mdx*EbTuUa6mp2P@sHX*)mpx2)--H|m%#Qu>)V5dvlxjvT0`5~D
z$IHs$j1ZclMSkb151m^08%ir{!K4rV^X{;4R>keN{a1wSKU_n;fI4XopS@0h#u%jP
ze@FlQ#S$kg`&*-F=d}`EPNkX_&zN)GJ*rn?(qw;I4unmemOYXXrEq61s8uXzYRUv?
zy1eiZ^*8;9Qq?X;@3P$3a#J67-G%-HNn<QK03=1U<8neymv*KOC_2zQT*Mx*liz8p
z8P}-j`xAY`HLu@OU`>YN%VSOBu)Q@+$o!7qTab<hJnRXRF2{1L2;@N{vwUYvjqo<+
zqX%zIryTAHMCqwnk+}JB-P$7@?@*8!ZFc%rD73~|oWc%b?fxC}FDb-w)7=?=46d<9
zf%dk*7+E1!GfDA5!|0y|>VrBed#BURKv2N+>PIZI(KVam<02{{@a59Xu|yATGAcpO
zi#o<W$xqEP#Q<hbIO`%!Oy9Q(do$RrBs~7d^t7oQ#3NJpPK&gzu)(wKXP;i)DEelz
zR<&A80j{}$O9CV4>Eb=YHV(7zY=3Y&erGOG8m$n?=0?O=j-XoxpRT)1C=)m5?*6Km
zG;$fwo;|PVq*<9Lc>i6ryN%)ni=QGvcZGHUKrmneBr5}WRlzaRUeEg6StsZALPjBZ
zxyQG!7)-zwd_HZmHe~T*q~LXBk=oF`w@9#hL$D_Q<RpF-QrOZ^RS3rQ8MG^F&pGR~
zijPfBy1=AgS~(b8r7b1Q!;eD{DGn3$v#Om3unL!1Z*99%LY3H)Es2#Eb#HSm%Pk0X
zu;dSGfLiy(<W_yFi1noMU-0Rhfx*?2SpBan!Tt`{uBsG7ADnPO1oMi@*gd=#Y53&C
zY*j>doAMqrf2OlAoX!FbhOhiRso2Su0Cu{&2D~iCaqM+CX-mZ7E11y}P&e}TVxc$x
zsx}5Depjh`=bwg(V6?c_;N=f$S08E%{X*V5tc{RjU1dZP&yAxk90AYtOK|1lQa&)3
zvzmH7I{);jd63eRoQ+hBykq$5$QsV5r`$z#>w!Ct=xxX9t;PSn9`tX=@0YSqS}s(H
zAXN_Yf#Pf)nDQ*g%$bjCB>1|ydleJCn!D_>bBkN*OURP|iT*zGzIxA1?(Dt)c-$J6
zZ}P;P?VK`MMsfpiE?j=e%v$hN+B?fEuF85p%j;2gel<PaR+2wXelw&y<z>Q<qn3Yf
zWw0efbLE8==yRB=j*o1SHQcrIt|?(hsn-?l1%MsOXQXOlD*!sZn0&slr9M-rsbOZj
zJ33R-`FmAvX<)FFB4d!$#>q0JV%`QS8x{clDTDEVFb#C}^JcJTS9**3Mf(w<EY*vT
z<tGf4{t@vw3{}|II1~$0W8>CK8KryIzZPO+Ob%Oc!iYCy`O;{Zo>`zgv7ihW=l)eI
zAtGD;@Zh+z$MLVf5=6frF%#)e4hp9=yZP0|OYsBewDie{nY_!4Ffz=BlC2uAp^Fk=
zC?WxcTHvdMaFZYE9HZxg8a|245Pa-CPH<T5Wn;jEq5cEp_d}85KCiG{H0wLCBmT?5
zOQF=;9iwH@a{#r!v$^>g%Mj4ORIEQWtr@L{2{WC>H{BAC$qjh9^N#Ib$vCYt81H=K
ziGyJ$O`0-IP49r5!YV9S81>-Y+oD*${&Z!*huce@TRwVC&$iXRI$Y{fSI8tmenJ$b
zTu+!+KuYGc3t6TfVMw;QEt_KLScu&tnNlq0A&Cc&IF)+XQ}Pu1>^^5Gr2$joyb_$P
z<tkX=1cn&%j>z5#u4v|T=Zt*mYcoGZc|9+ka?p%N*gc%AN+WA$_a7{DHfJQ~RG7r@
z((SU&n!*unU8k{WNAqv=v&J2WvoKWp1jyW5@xRY-eay2eCqj_X(vx=%X!j>D>PVZF
z3tMLqogHn|NWhIfO0caNlL^;Zg56s>e)ms({cHS1iMt%{TLR_dmRjZ#Aq{{w@Ky8R
zM1H)cvd^f#h6z5o07|N~d^oxr&QPQetcQgtSDu+Pl?gdpuA}QJYX7zGh6!pA)!x|F
zeXU>l!9zAU;)+>>0Ob0F=XX<MAf-X|EX%2hs+?IP*&7cFu-CgY3FU18!U9ss$>f{&
z_N}i3xa&&B)81+G?(EGqn0AJ1w?|x}@e<|icT-NRr!k-pb2hZ)^KFtc#D=Ch!#0;x
z*2Rizf4JN)Tx@>`h;G?@8Hb}I`>Ty@^AU<4!)X&C(3;h8J3cCyo=8oh9FwZXiMHX=
zb~^WXpygipyo}&4-i|L)&ZmJ4hPE$%mpzjxDq3`MLEemG%GWr1?x4|y$tAStB6f(z
zNicfJa(SYFtKacpP2a>qV(l6t%o@f^EVxSVe6(%QF~)sdA0VSVxwe2HIAMCFlM`H-
z4oJ2CV@4=r_V)@IJ5s_xg@lwM2!TcSGi$uJZz+F9Ox~0;cvPG``t8X1LW7+o+(hNh
z`qH<p;@O7#QlF-nS1{Xcv*is9cC$ruWhr|VZy94u3x@VQ7dyp`tV^*#L(Yn#>gro%
zjd7EI6}#ht&1D=Nj5L-sIDOKecPo9aR{Bg}@YB{i+Un;zTCex8dB(p?u&#g8SoaE)
ze@};9j1Ey=Jbq<F-nzD1hSh%^BYPpz`%`+TQ2*q&^>t7;YFp78@^@X8{R(=!j%D{R
zhfG89zZ@>LfK=>wvuv~6ufq7NxBd&p9sIwzA#4yB_N_TO4gN1jQCdN<a@;$+K<WVd
z)^*fWJ7BV~ZFKxUBW)-Be#-<rva(3i%+@k}?Cu(Et$t!xlS_j5npV+{Q>4Lq0M0+A
zQzx_4)5)>~zxK`|_)KTatUyg59&uAb3Y}igo&cTNRenJ3XOc}{ZEPvad3r>m&N`YZ
zsg&}5E4lUfHRsuo<JkP(v#V{QATPcn2<?BGVU@TnYRn_C227blNA>jTojWVpFLaOd
z)(UftycFWTsdpxY{?GWPf$SW^pL8Z&Bh>}5ZJXtgEgMra;(GCWKB&We-_>U32Xr)9
zASXj(YfEu6BWp)rD${}xrdTp&M_qfanW0mc)Y|)O6sEQN$FXAI<5wcRrOvDr?mha~
z+}Zy=rnR;)a(if7K96Vqo!L2BHShOt>Y{fqMBcbC{`XA2>zNE!V0$+^-C7SlXZ5+G
zCti(1>J`UT@0~>`vqftBW|N)4Aq?FSf4S`P|9l5AZ|YNGU4+Lq^ilW50tZEGUsuBG
z4{uMaz~C~j(aCo|2?fYTemfzP-kx`I1ON!yb{bMQ(@Q*cq%uwtroHe$hZaBG)hckK
z=m@{*lg~#S1OCTp;9^SKqqmK+xq*=Pwn!zUDjASBuXj_O=Ijxu&ba3)wnM*F^MjQz
zS;CVecfQd|ht-~koV$v-@wcC$K>n{QL>@F}pE^x4w~x5NvL0I+HxOONP@M_C5xym3
z7ul0zF~180yevfDEZa0cN_)|j-`f7N%O=C#W@W!^+x{NpQ{Z+hx_WVQ>^;+ut)7T-
z)}xFr&*1ncH?d}<u+z79OvjO+z>uQ@Dmf8U{fPwr^m9pYx#}#Jx4p98L$66pCLuj&
zs{a7|^d_K?zCFU0@`eZ+$OA!%77R<Ns<PE)gC><Eg;-S^8#TG@VfR0M$97r=3tlxn
zzK#4mqWu<;LSF7l;b#v*c#x{DG^1Wei|#gxf<Kk0D(o;9r|E2G92tJ^1Z&mZE_pRl
zrXVEq*6`7m=$95}BgV3_LRyq5aPKk~;5B#^S75TwWyz#xjyUeM)ds=<vqDME7BnQH
zV2Yb6xPW1)<|=lHK&a7-o&Uw$dxa(4|MCAe&CJZ5lggF5%yH*{%G{~tOi`)S6iLlo
zs0d~5S(<w1EN2e16vRz#&CJ{hDsFRw15uIt_xT?F&i)6#ga3gC9LRNX!RP&cjpy_6
zY|W!4uVpxZQs;7HkF=ajd#;34PXrM@!e#u#n!MSl3W*H&BN0>TaEG&MjYUizPXLAu
zNiZeglJAY`JSwAjYUz`L<8?=CtJKNUoy!J;$;z5{MejSEQ$)l8cf!+EkrX7~ymD%A
zB_qqJmP+VU3N;v791m!0ezrOGi-#=^gmW^M`dOZu_$wsO>XH2WWbF+O)Bo5`eE6T+
z61SOK>)Dnz^6aSBa4Vtc(Eb3coHOucEdwN?qe>Bh&Mwn4n6{kxz+UK{KcGMD12VnA
zm<i_AEuRb)VUgU339DNoYOv0DqBW@*>zqewOpg{uDNU~f45n!&p&*4YvoDOyO*4(<
z2hAh>3F(%9g7e(6F7;TDq+>T9yoO|Le}O$7hq!EUtWl_sv&f=Y=-h`Jo_XgNM)%36
z2Q=xzE<fzkA-QKQ_Pl2<-t-YYcPZ`Kjh6^#!wr{<*~9UBkq~%EFTf^KQo1^Zla!sf
zTV-rb#}puXi}%cB$3VF8ja$GhZo+DIiWsB576!FUwH(3XoMcUguw!9*4kOAiSHZ6e
zs<QuX<huInv!%PSWs(?nG*K%WFguhP!4I4Ua!uBM{~XNXzT~)4J*g`HcG>$|V?)H%
zUa=n0#oG^WSoC11*2!-gh7oye&<DVW=hGhs%_T>xmFsFq4^>?ocCrkBj^u9sK$KP*
zOs4wj^mN9$x;T|E`J+^LQ5S(P@fm~F&El)#N9Ng#q?7gYI<zVRH4Y;LNs-6R*}uT;
zUS1~;9!?tBMBGXI^i3!8hw7`6+lJ_%a}<4?2#M}B;4}m{oON|8t}10)=isNUEJ8i%
z{U@f66+=tbH;(lGLh$V2RXS#~NOc41LP%OyUdd|ELq*%e)qAZXo4+?@Ol`wfQ*Jo1
z?A^|sZwwm!I74J#A#&@0iabQr3pGRxV%-HI({QG>+Q?^jV&b&f%GhTe0xAxCJiHDL
z4q&1F*Tnjrq4bT#Wv{9c;0#L%2MkUp|9|$!&BxFOZoVSQF(8*e{%3Ohkt4B9<v>6g
z@CK`wV^+GB8sbQKZP7}<t^)9zCMV1vi1~kPlh_dMx4>%*0T5J$b+Zx(Rbb44iV%#>
zJxttJaQ+`;^#BBPYwIAO{Vh=X3*)97#u?ho<sGmA=*ttpJsJ5@LqcfSAB%W6g7se$
z^)j^G?%x}+T}^ckM$|%XexE$Di<~rPKXtNk3n=n>&SDtctO$iSUugzeWor&mS%@!x
zCRepA(p9j}a-0#6n?Z(4R{&4;cH`@w1y|cE(v(PC<9}>C_6WX}T0T$G3so}7xz{_<
z7a>-3p;Row+s04K?e!JS^!i_eZ#%$(Lrf^*f=Ff7)6#Z?pTNS+DRN;SKkc6sIqMr&
zw6w|<F50}l5`MjrW}ESJPC-c`%%n{mY8eHMH<eT7@m4N~`II)Fkn{74Yr;*o$Q_}7
zCRLHqom#L6>{H;kTcOtDUHPmg%Cs>e(k<7Hr;|7RicpZ74Y2)YJ88yQ)VQ*S&JALs
zS~se88(3!!4^mm@zX`?o6JO`@(KI8Oa#f7s$5cqtF65F-M*bh&y@kPczgQD}ky~GR
z8r?l+UKt6i?@kG*CQicKg@7{`_aEE6R9kp?aV9!Z4Z!s7fQ$jPr5+v3m@1w~KFgqV
z+p;cDS&g)d-B#5@$^hMdOkGL!pGyDT6!oXe;KB^c7>jG#_$yBl1*1gQ<Rn=2eyhrx
z7DXpSdyCo#_##5%Fp?fWOF8W<(~LP=xFqf*;)~Im6ep<uAS*p=yjQ8=B5<gn4;O;V
zRVHcq<Dk`q=b7=VLk^qI=aJhjP2*wE6ywJIX43isGr6BTj`(#yj)|ZGM9??1;*8IX
zuC-1FP-kqDeG$^mvcARZRCi`rwS$Ql%rq^rsO^{FU9mon)czzLNMGF63otJ*-E-fN
z1kR<dOh^>UY__rAs*QD?CKSFIkSHGp(JIOoN{zR4y&GlgMyN|T*;CW-RrD)*JHIBv
zQO+P6{Ufm{`&j|Tu1{!TbZoue!SX{<)vcf%a}<5op>ji8H?4(@AvdRF)e51SKtK~~
z(`OkufH~(<0Jn&^iXQBYCm}OmeQ#>Fb`Ghuv4A{PQ5yY0UMxAY0tI)nnh#>~t^x6Y
zDD7ELj1_{#Kc>S2FI^!_bC3Fy>qN%3TPvNO)e{nn;-n3g6rUEHc)a;teZN_t(6s;@
zFr5V$cQwW-L6{7$=kQ*{I0>`p#9C889jzRYkMvl*63R5n#%EA_s4l33V@B7d9juY}
zfOa}iHAm$>YqFYPSd-%K6tfm4F!`CIH))oQ{j?Rzt`bSGV{lO2+XB%-jAP(IO_Vq@
z!c?D~G8r}|(D)@lDMQoSW7;dZtHUg*eT^ZgRDx8d!IMPX`jdy~xJOpe$HR&EMPCf#
zbdfZ}xC^?Yv?pJ%9Peyt%Ay#X(o9Ti3=^2PG+cwlMjExm0QPnqESGHkZ8V#4?B(K5
zwe7L~_d%3~2W#|o1c&6*n>RA&V9)d8gxWHy=EzJHpU%}kx%<1!3e?1rJKTW?oHB5q
zHyFPB-vJw;Z7lZ2F~z;veE9HcW@H>}BIaow)YLzCDbe*#)uLo|G#A0+IV_jx35#G|
zKh6ilJLbqWL#jo5(V$M~(^)h2yTbuoCzr@JV|M1v?hScI;KyT2|6qpBzfm*#c{Paq
zwH!1UcRh~KI~4}>)_IhL3R4@mq76)H!|td`V?SkSAi<f7b{V*u-k~&Uf{C+7Ya80Y
zvo&XGf#(c@o~vA_8+PCfmObU_C7b@|bojlSY#Zv^wb(CA*zsqzyl^3BMUcc^p73Lo
z;UFF($Oyzlk2Sy|o36PuhfSNcKQ8L;xG5)JqZjlli@&Mj^EjmBgH`c?llEHA@IhHh
zDWl$gZ_pm=U8aoeSGt`FlRd-Ts!*BPSW?u&Q9Gut60w6G%N0nSC3J9wcINRl*&tb>
zwK!^0flO9qyI;Ws^bXAWF}nT2HJF;V*~{F=_8hG<q~jWtW*F6n#qn`wE4;jbvDG<!
zYjBsydB-BU>1sI;(-Y6RCRpd^=jBP0<M2_4e4qB`L}VWudV;#2=<g%sw3>csjxF{~
z{TuYW{ZZ1;icA=I;aYvvlfr)&&iy5eaz$Gu@HhgIZ6wI-a%*C!=};2@$2!BXupYmt
zwx;V2t^Ha@JP2nkN(aEf&x97)Q`oIcgyJFq;X|WyS?0ddS|A0TE>^Lyba<O+sF7W@
zkZJ7Yjm=YMO*)|QG}7`6rjz@eF%9~FI`D>R7^+-zoIER=+>z<;M>6%u7=$|%C8Yeg
z_P+Kj)IH-z&b0aq*C2qYq1hgGk~;<{#y0*3RzudnXx0t^QKf$K6b{X(Nu~V$h2Tr#
zDi++^KU=dUk4H`?JUQmm|L2HcT6G|O=wCA)dfs`jYGq$z{MXj7e*UBaV5^*H@6-g<
z1Z|kn8rz+(Q@fKTVKEX~Z#$eNMt6awg{MPtT9{A3Q}-8oQ>43!8vXoZzd#$@5~K3V
z=U;)p=6}$g*a<RM8LaEuYO-xu31e4s>01t1O@##%0z*%WSf+TTC#?Ec2JPtk;Xbel
zh;f!5Zwi>hx^zf@GK{FBo24blTrM-VaQ3Do&03sC%#lv`rcs)pI%e+$R~XL`A5(0U
z=w3C!JzMn#PcCX2(~+HR6j!EOd-X1Lo-dcrT`lxtuY2VDS)c#7=auqrm^}OobA9S)
z#WlR78SHbLm`!?h-~<>v1~`D<e=JIR6fDUa;KCxG{XlGqGBrmwblhfpK1KJ})iqSV
zGolZ^>D9ax{QF73PJ=|+4C@vEviCYNVST5F<NKUIwu3B5)T<HmDjy(awwjo1hD*P`
z?!RKWc<=re+&f6>)Ai62?l;+CQ~DN4A5zvBnti~xmZG<bC|AgO+;@Nxb?zJVGbT3@
z@1sJGbdeVNj6vG|cW3!grti@M1Xzk{Rx~x8Rg5Ihl8`|bUo|z_IAe<HqxEW{49|Z*
z4NbS~IlpyE9nf{1CNc!*7Jtrnx1qsQpA0${<5br)*mSpWW5)(xUjI4x%E#MhP^Fiu
zw>568BUUpN3>6y5ht2=7nG^PIEjl)}z>j;Y%&T0Rxq-2}mqq;8AZr44(p!nCLNf(G
zPrh?zCOaKMnXvX|%tIV5E=*+gT<-0e8sz4QbdT|UE}0>7U;H;RYx?kPDb4CTgx$Ld
zQh><JHv|N%4o$Sq;$N~gIQ#vk;f@}u$VWyhOY-Y~$wt?jyE|ZfO`5aZ0v;iP*g0`-
z({Y^#+ua2#`@lUPP=+%RdE~=)BiKalO!z6>C3E@Zcpaxg24}k_X{@mfeyE&W)Hbe3
z*x#4)Lcn<wa4AL$^4G=EpRtvi|KP(sf0U6nH%ypmK3^)NG1oF8hPL<!`;ScqUF+-~
zhiNrt2|A(f9jEP?A&j=iJ7E_#pU^1Lh0jTXM`kj!F0xlnC?XW4ay5SX*~6%2NGZm9
z>Ual4q-xz;Q5}*LQo@vaclQ-$NJ;HO;*;Sk0F@@*)&88N!3yQ{US)DuCg=@h<}=`o
zV*%sYc-1xMQ}zqPdq);$5FugxNlk?YTP{Jb-uJ0_TAfIl_7G1AykPV+*=-0{?!;+Y
z`>mP~HT3J3bojZeciy*)ye^9?cnzd5h_PKS5xR)jn+PF){Ev-1`ITUue-vp@)a#wm
zcywTw-$aHwn+D>(!DIn{$$g-mbKiJR>ocYqMxjEK(2~d!^YJF#@|9e^5qy|3UCw_E
zYG|zdVkTYtc^tx>n;w;L#tqXDWH-kDh&vE9HEc0hM{J=v9RB4U6KjE2S!Xh{z}m-6
zU`1#i>FtaIi2<97!g9A0h5O3Z#vSb1r$Q}pxY|^srbt)gjrD1{|JZ_cOztZ#2;M%0
zaOuX(6vEhb%xHv8h!`F~xr%l+j8?_A2q2&JnFLTbC^^8=n4B`8Ufo6GI9(1(-@a$9
z#a1-(jCg<7LgeqX^q9IA#B3DTulMlxbEua&iL@e}WuErl_3@IvR9C;KLgW(;TlUXq
zaet$-tJf!+eI#HFV+a;UVe#e$NdYL;^R$@W&ARH$ZU**94P`I_zQMGhJ<lsb-5c_+
z;$nIXHrZ}_gxtU7sd@Oq8I&}!xyw+VNf+%Vd~AR5c;T7L%eWzVZ0LR~<t>2ji^np}
zXn{o)s8B}H7ewwQ*!eXPOhVITlyU%<8oncZdg5Y6QN<8Q)lE_S<Neoyj@YmOYm@~*
z9S1B_Eo16fgKncC{~n2@Z8|-GK)}VGa8EH7i`0L}q1eH8#{7K=kgE#=IF{Qr2?69F
zY{dryW^dO%(SlZAm6<v`2oGc3Jx)|^@|q!%`1Gh5ZvkC{Ul-)mI!ar|u3!%G*4y87
z;KG#Ql_Rmhj11fKAfeuCx2_r*|1|Y3DiR$<1kD=8xgTd@yta}ATV$vM$)aYAv<i>I
z@o0RaY+FcrO^K7-@N9Lu-1C|!*IHyTLA&L*i>Q?0QQ`YNo3vf6oDZ6UJNmvpFXN>w
zyINE3OJ4nubneOm&sY&w-O_BD4yObK`)RlA8_R6v*VM~TVh!D&W2>uc<MCDbwfkV9
z<1(EvntLZkkaYuT_o$9B`swe@m50Ef$A}6FSKNbw1UuCWvSPjW6#7K}y_)e$ML2dD
zM;7z23pKjTT%?)OpU~*#M{*RBA$6-uNUM$2*CI?^xKa7`)xPAz<VPyH;Z+%p8|OdU
z&w~D8<E`sNHw->9*D2p*UbO^;(i2-U9HemS^yH7GK-(v64m(OzrU!X7TlB$_orRhh
zW<aECMu&tnwL8X(c{_kM|D8~KA@j^Ah5q58$B{kuYMg9nN{Y<X*YbC3uT^it9MA&|
z=px!%`U;KM+33XH;S8ce84xpSdhX$7s$ao0BIu@*<CNJyxO$^a$+)Xp_eDHL8hzwG
zoX8q)(O{k&Wa$tiL?73WY$S&_8N1KLgTD2|E=`hswuj7mCK9%8bK;XPKXvNV(o6{3
z7!KU^|7^ZBYG5*@f*xyan_eZS%Q4GLFj+~>f#(mFXS&1jIV!C4#<V`ChM@rMFm79F
zcO-T_fWym4$;UNf744}nCn{dB!}rqCWXo~>TC=tdKm-@{fC)UIO7C~5oSI<Ft-QZV
z-96l>2&t%8t3OG~;7#f4IT0)tw|PDO$kfX;{hL1pismv7ql52KVR1l<?NXHt0YPT3
zQ(+w{yeb`Lfhv5A5Ww!rx=b8@GCJ#}#R*&A5A`TAwSSgAm2oVcpHSG-S{p@PCbB_X
zw?t8VjDjQnm5}K-7;U8FeVQL4l?**D?rX1c*5iLi>eYGD(HQjaqv})tCQZg2v*pL3
zw-i{`89#1*5c)MVx(9b4O=dL99M!VCrkGXLJ8MNXY8GbzP&II7=$Q@q_d_0z7ejN*
zmq?@6vL2;9a<P{QVC(4<DLebj$mZ0ilT8Jz^U_pyhvO0ej6sQ!I7cNzRbte`bX|u9
zXX$$CKUE89_cxgG8<*})5!~^iHUhVj)q(?$wV}hGALc23XmL+uo;=3RGH?yb@xe2&
zSe7u&`rU`o3cL^ds-UgIgKwq0z(%sosPn^0bKqw}uGN(Qw=+Qko=B3_QCROMOj~aK
z<L+?VEtX)=gv&Ph_+~U6lC`)w!#Z-$8d>h^{uP#4qa!!(1nSOwk&!8ZEk@YBoa}d(
zqH7xaiutuI-F~JR@%r!Tj~~Idmgi1C!!0$9Y)r3sl_AVa6)LN0ytIY8bZ`fPB<XGV
z+F)%eG`J|huM0Di597vj1<k0TRjJ2~7W3Q@4Id=b2OnJ=uh;m9$a?tFTv<tEj+fo)
z`hdyKAMiDm_5l)|G9OkMJD1FlQeyPZh|7<0LEAIMr|W%-9LdJMer)MOzvR48rL&Fy
zq`Al^3yv!^`|XjH7h8qd!?{EHshGF^nCKRfnn8aqS+n1}VY)iyP%iMOk{32rYQyOF
znMWz+Y~r3zk+tKYRdzzcu+dlKn#8?E{U1ZNVHL;x9|~5U=Ny&l;@p>oHUwtlr>>EX
z=DFi_bgSSZb{%<1xtB)#k9p@!>gq?&etdc%@OQs-gy)Xp&gF%7(3qdC4?KISKEU)D
z^MG-VLIA~~wUAk@A&^)d^<qRG2j#nn*dgnq@24q5!`puKzB$t7KbzOyoT>o34t{Y_
z%i^$6L{~GGshoz#pI)GD`BY4<2A0mkc>XYQe@__2xYpxd(F(H$YlLN&PF*lG5SX;}
zEdjZ%v?P)ThaweP5+_Xa?Z(JgkBsHZ5ICPTk(4hf>#2*YyTf4?F%b9UXdrAXS)3^g
z<41PWvr{`j7nenn@_^YUA4)sgcyPC|XMM3YMRr8V{~x7kz_rE`=&be%)o8z6zfi?G
z!>CqaNL6)mUu>VD@TkP9`^0Efeir;U^FiC;wk*vsGqvKbW&`eo<3Fb_e}59V1N;2J
z?ta;A<KE3ZbkiW3=%xhSyJ<ZX9<7fEk(SEv!A-{kfp$CJ8zd5eQM@8!unGx;uO1;j
zuQ{khU;DiWIz>WuX+!s;MBl%xQjXB*aZ$P4(XpWzIIrYfQ_0}<;XzMhYACU4IozE>
z&H{rdAVQ!az0@US7`}C5ID#`kdgy@W*!1j<ek-4b)KrQ{OMZS$$)-J>SX^cbgM?ys
z)c*HC7cpJ|v$xlIc`Y{??DPFrGnB4)ETr{tsnoZK8S=J^=3#lqYXO*L!8P*K;(eAj
z?B6Py56)}^MO>GnqMI3BM`j)r{@p~Yhr>(=O|Yxm0C!|Fye4sBRPAF;`1Avf{Tqh5
zKmTQqM=l7rE&E;9wd;VyqQw~cvkF*DXYLh1h4*PfKu9DV8zzueDEhDbR=R<;<2N?f
zZ6k3r?e72z1446YvjyZ+k@zXmj)se$E(2m$oAsddjH{2!U!-fezEFMl()^qxUOp&M
z+C*DlA2lM$Nwhh=QQZ7uowp`W`^em4VPV<r@51Qb@WMbE(FGGfHjb%X?uPcFRA`1~
zUm5WgaK67n4JGaUp=P*7Q?F~6pSuGfd&$>|?;DbDr~01qesybSYr`HG(;R;$0)Ps@
zGa*A@Z28U`>sWu$;rz@vJI>;P>S|D|W5~Z6KGbq4&HY=DWa(Aq;35?fWBU)qeN~!&
z-lGn(XpEWBsYSPJ<dx&YgFZNh{>PRI!ya2U)4?joO)LpuJ5200-Qs25_`R2CvJb@M
zfo55y;H;-oEBT(B*G16SSA%b>uRpD8=8~M@R=%2hrwjs&@YZ`vnHL$YRFDHTXTPJ0
zo2kX{1;p2Fs*Vg%z1nfS*`*&!r};$XDz+qy3Za2XhEeSA&D#P$`@wu3nQ(L}J0}uT
zmj?G4%ifb?f8$b@y!y(3iLDKg%wrTb{erR82004`g0KKB(tf;JRRZR+jwVeHNDSt$
ziU)%n4Zjqwz{Pkb4U1ZfNsj9$uk)KBJU6Q^9et2&@XM<yitZSQbe3n7QO*L*ZLG+0
zo32Xhv`>UTBv$T=!+=n%i`ln7f4IzCMuaT3E!pn(FLH=Sn1jQJeuMYZnU&+oKy>?}
z-Bw>yV2x=_T@gW}HfWsb_-o2eV`wvrT(Yzk$v3Ccm7EN!k!dV<V*Li+Xc!FmsM2IP
zEyD=)nw=7D*R=dQj<{xUHqXo7uHWkovoD5?gq3?=Ftr4}e4Nn~RKmPWT`U8ffG>m|
zqRukj6dRxWtt@D?C)#{BSM*hjvwp{_=`~R9omVHS#?Q;y#%03cXdh-KZ}d!2NxoTg
zTf(GF@g6~iWeN`13Dph?G<Dgjp_?-ZC9Hl7o;yL3CKSmG4y#gW^Ev4tofHp*Z9HyF
zdW==MpT3=i2o@ZT-*9wPGqE?f=;;h%`po2n(vd*lthNf{4A|mgv_GWn$D?E`_231J
zp!SgHm@_$}WDC`aUiAb%eW7%3%PZTe2A!8n<qMPZuZ{q;;mgP0P<Ow0f_R!B#i$32
zoRSrXAf{wUI?;`*vm+4us<w+XTKlVC(&D<T^5swG&t43x#&u$Fa`j;Z1#%JDOGP)p
z`^Y10YMzrdV5tmoPb=TUT}wqf=xXhgC<3gJOpW@ZN9fjE?$lPTpbi9-63x2$Tiwjg
z4177uc&zg2SC7Iv!SsgavZ9~w!=)3{e8f`jT=MZrZ}6EInB9s-1<?kqXbaQI$Df+Q
z=FBwP2qJ8F8u1NgR;V`RM{vQ%{FvJJ#ocP1b8OEINaC^IwWCKz1@?Be+&+wJ-qQE+
z@lI5%{xQod^(f`11sfZO)NX#^NYU-SjoZctxAhHdn@2OD4s<V#t^5*;^c&$vaw;~$
zeo74`*sW&VZ^m0XK<~7my3cRDMhQ{lEg7AqDA3y@0}v0=y_<Eh;ad&WtFm31Ko2Yr
zLinh$9LY*UC)8(dYTt0P=5{VR3c8<nM#qmzo-c&dM}H6b^qcu$<^9rMt?c*Ep98N=
zm72RJyl)^m`J+p#KI`0?3)Ads5&t%(=5?>zb|}Dzcl8(jM?f8+G4i`BKpIQ)ce@g0
zd6)fK_1JzJMoi~wIebks8uj$kq;A*yQu5j8hc)ki|68f_9QKjJs$N1vnEgu9h>2B`
z4^5xq+_0K8-4C`4oXV-HHkVi4Don%eSlA3_l~tRpXnRv)nUV}l=^sGrWeC<nrp)WL
zM4OHR>h>%%ZR?c&v1wWXYw(u-g${s}makl9t|@b;rz#CC!Wy7lY5}3Rj#E+gAz&pW
z#DWTn-b)ni;FwLms8@<OJiT9SxbVw=ElZ(PLRAvEa1)CAQZ4uW-U2$)-d?YGqTR>m
zLLi;~S2FJUh`hn4C-QH;vt3}*vQwcU<|%K`C*Zb(X>D3b1XI8zOfH->?>xG(`=?Us
zl<$3bj-JMee@<s#7z@##0+$22Eam~_XWi5eYy(P7u$%pn$2`>u0W3`Cm=~yo4xd<_
zwLCG@Q_XmMD15J;X*k2V=Hvj4!OqntkXO<h%qj*z8H-UV+Rv@Nrce~-bAe~d4t2+g
zd!{>9N4JdOGpGEv{O+6&4<n+p0tvDoc1iy=Z(Elum}DAnon$N__bB3ezlzigVBM@f
z=M(2FOtpLMN^|};r^IedZMq>nlG(Yzv^@;D$C$X9^REF9L0L5L;%pL*$i=$OaGwW7
z%#1fl&M9$rItUDF>3#XTPlGu;=;?f{`0dtJ`S0N;X2KOraU>_nK5sIV7PnEHwQ4{$
zJsKy5fmUQ0x;U`y@kg+l{VIt1FgZb_9SNJmM!lauf^j=|WE>{9CtrH(Flp@N^Rnh3
zWxzGo`^&Ea|4#npaKyliT_?;eWu1?vO%G^b1kd;T&4HVJ=fq{rGgU55J9;$i(~Cws
zzIs}e9hkXYc&Z$c!m(`6^ErS7ed6;wPC?Epp`ceO6Mj%UeBk9{h+prESmf~Q_8-Y8
zGgGl~U)UNOH(YY>*qX4L3m|lDi6FI&elv|R?z7F>_ZS()2pZY+VitBS(>zT)!S<fp
z(N4dPoTNcr+b6|~>*4@1^SgvBLvN1zEk(4+a3(JX^ye^gJkeXdUtCS0uivMg4-t|%
z<uIU}bH4W_r6EG^O04+1o(lAXv}1vMJUwNZo)f^d$<6g$OwN$9&kSF%Zuvo|%)8iP
z)_bs{wwc@y#3~ldl*G5(MzJ54HwEM~R60vbn2$2r)4`zMm1?(VNAWScD_4^c%ilaY
zf8O0!Eqf3zoAE-dtXv8G#uLo{n>Aj{h<`X(QHl4tNP19fS7IR~G<LHmep%|Y+<R23
zNR-h*SlNx2X8<B^GEOCu#oq)((qiFY@!z{6yiTiHISYa5>19R_UDNOJ+?BeJa{G!k
z=>PLCLf)m&@#zpH#bKklDZSQM>HKPu3Z#pqazA5f6DVDtLlOl6w<5pf{MoP5LX7gK
zg~-G4_OVQ9RsnUsLr{>w3x!T9vRrE>u0hLgeVMwce|sjAhDmU+OKcK7VnhFio!I~j
zqx5OA9cG9Q=c^;v();c-q*{zB`uJq-sT2^mfAZCZ+uZd|(d~V&5&Yz=+p#EsH}J=B
zOv3{YE3w7!43Vkd--h!W8;qP;GX?)dUFr~)A|;XSWY2eBKAQpT{05mYaFIl6IlQ4T
zQ<n_iUxE9l;uC*FJ`aCbc<}0so3!YKQ>T*jFAYuw!VjHQnL`#ooWwsqN=--&o0new
zP;dZSYA7%0!@Ssf6GV}KxH(xF4U*S^_^i3Nj?~dU6c%1?uR7^a>zj7gs7>RxoMh4-
zP{0ef+=QY4f}Am9!ey4o=gH#1jj5=6*{fl=r`HHt3jGCBZJ#$buBM~9{ZaXCItp*H
z?f%?AjvLm~!n&j9M{&LCYo^vMd1lZ;&3EKRRjGc#po$kgtCtgaD^B#NAuU=RG+*O-
z75$ZD9}K=&tjpZkSXZ(n$!6NYr9YIhaW>XyYuY}SN-<WG*+Z0DI-6;0?o`{Y{Al`F
zU}kVWYeh)t?^s?SR%PoJAZEmzV!F}D-zm6~j(&DP+DG_COIwa0-yPhnkj9PS%bhN6
z-rlSNx2jeQHpMSVJ?tr03qN!GXF99ds?}M0v_%cmYM}-LJek~c5~(w~qO-;2#fFt@
zXtBnjG5Q9clfyxvHdn1aF}#$#)D>k}eYw3%5aK)rdd-pn4!zuXjiTA)OCD&+VeF<<
zP5PQ?OWgM5l7x*E8RWzVEeT=c9^E_nSqmw?M>+#bv+HDxOm4c}dPQ2_^jjb-#O~mq
zUTL6VAXnyw<jJvq0nRYRJ#NPJ<xVps13K579y^Z}Z4Yry`~qWY(6|yS_658CV;kT#
zR!>nppNp~&j+5<g7ZcN_=QGCLy^hc*;n4yru@iADJG(;TYH18BVQSL2_OLaM6WwAG
zj$bFV92M#${m+cJNWJL~lcna-lK>(8>bzz2_ZA(hd!qE<56<1+_(m`N3e!!Fr5LAL
z?>~&GgpC*e>Vp6S1PH(dc2*T@ndx~2e-9m%{DQ;6UZ&H>-e2!CmP)#p|EBl(l@s@I
zi#~vy4}hedVS#R?)%P_LW>SuY<|zQGw~Eg*j}79JCypFCYDMeN4Bpd(S{>90Q6+;q
zkN~vp<}bv+E%T3Q=f1(YMwF!*ZnW<AX?=Ksz_k8@=2{g3QO$EyS}~WHHv<YLSG%D#
zV`@(Kt_feOA5qaX(EBo(DE5&nLF?<&R)Jmhykwk`VF!?enSMBy3dYm<M_8@m3tj<q
z!)LL+i*Fl$Jhy$wAQ@c|i$mjqK}CDWuhbGxt=f+zt0KDtKE)1`Q&Lu*s)b$(h1WZT
zg<T9@@$(88>zwrX;BsB-m7V$8Vo<<-BSb$xsQ%}{aekoZz*2q++N4)~b<cB*Vbzg)
zmR8a|z>u*^0CTMnw9-py+%v?O7frfh{CxL(0vgS<w#PQ7MkcFLh8*E-LMI=(z+YkC
zH#Am-v(62oZ=gJeo7@8ClSz7=&WhBkXmy1!@G$Vzb3<lDtHTvKBHa^yWJ<@GDKEtH
z#AYvYUcYj)ssgul=I<dSHbBX9z<AgzAkpoa**%u1b<)zov(xvb-*F9{zR;@2hr8Kz
z%fUwd+On`*vnxI<I6K%)McHd(*!4&J0wPskD1W<o=)eozZ1Eb!LpAKwGGy{W=?|!f
z480D)hHjvqnhl+TnTc5U`V~tBUEJrL)F=4gH5Cke$@a^5sabLsl(2<ywID&}-SQGp
zp!wr_lsWb|Ng5=2@0h)9|M0k_<OSV!tZm4yCJI*F>rGWX;k)?R!1jW{JPi8Cp&@Z3
z`#-jvUZSylkm=xXyoGaF7pklmBOeE&ujR7Jywv~hg8{i%cr|j#%$*KMf6;lfn3$06
z*ns#cKC7q!18QJtMWOHAatDhWDRaL#utWEggfD+i^(AjdP1cVbR{)__7!icTSw=t^
zFsPUV|4%Y=3HfFNWnT%OKG{@H(|GG9_KM%bKdVnOi}z=&sL5DLgyH0+g&T+3EIu<3
zix0@oz~FHdh7q{?`1A2cdf}1#1mOUUNy}jYYP<}z#^(HOtbDIZ5NmpAd#Ja{)L_7Q
zf8B{Skm?+QW#$qb0{6h2#~A<+Hph_udJN-v3{Y|~yvx+BPR=lyAMH-GmN$r^Rgoq=
zixlYwBkU(aOt5>On{C|f0#dlO@rhH#$FWV^G|u_%*u7*iromvqz<EYVD~s#xY)h(4
z0bHpfWxDL6x|!vPYl*)HZs2)-e2RiTyL)Aa9>8zH1Me<~OP&%EWzNgVBAi)9k}}wZ
zt$n=8ubcR-e1a|7i}jOOQ{#x@VE9pk=Az??@EnjOHIbDg-W`oagUJ1}oz34Gl04kv
z?eM=B^gOq_Qi8EzL<EmQxzDK;BIEk6Xw3+;1Ttv;YzBW~1&U`hqa!6I)?OKx5+!a)
zd2MWq3zi~J%_I*sQ#x3{6~}ibJ97+Myu!08<O`=)h5Dzj`T5C_`Oi5f4r#yqqWTlb
zHrjV|P8}+Y_5K{SG`6G>=izpT_9NlOj~~b@;dj}?6-?4(rGK_4d;7?$1Yw{G<*T?q
zj}olw-Kcm(z+#XCB&(+Oa1&*9bRTI48zg!oU~yx)@{HyJ<f$%+(=~(Z0aej0muqQi
zwZq+hy1j9s?!#5fNx}u`n)c6Pt|I9@-w&Sr#!Tc7-2Hl-D@A<);cap&=%vN&bcuBC
z$LZWwiu&xPNY9Kn_4P&2wPDrz^mNO}Pl>PoTEF{YF@Y8#0$5#@brg3&|Ln2Mn&~hv
z0>VAfbi)|_B;sDOc=b%-`8#)P?wvfDZ1VSdw4#`!MnYxdg!M8USTOY!)vk_q%F30>
zZArV6HuI#%j~jNI_tyuaF&?0anr@IV3V!6~ad<KH3v?2>)}|$p^w!T$)L~+c&k+7f
zieUWb^p%uruS6Gjf)%pIe^Y8QHq=X)j)4A4X1o=|!&E4BSXmvXJ1j@|;Ih2L-{1RJ
z|0hklxs_|XYQpv3OPbuNOI42f#hP|bpp{T`2&Ed2Z%oI6fr&<39Olr3@N0jFBFuo!
z7bR{n1w?IVCJei|5wzGS>Qo8CnPQnWn-?=%s}=5<VX5|F>)FXG#*Y#PV!rwj-zEtG
z5xL2oTd_)jfT%5`9OXUiq7fuw7v6MpChz3Lsum<p?Lbj=Tu7^EG=at;K5c{4AFV0t
z;8hED3Szx|^!Qg?8t54vm%%zCt3U>X*WUF`*f28}n=V2vbXo;ipvA>GCrV9KY*vMO
z0AwbMR-i}DWAUH|FqeTG-~k@w+s^4z)DO-Az>cv5?q^myJ>j%67#W*?cj-CTJx<#v
zb_=%u=G3WY&}!&6X+dp16F&5?WaB29KY_@FGH;QgVFw}=v3T)ki1Kp8=io17hsjng
z$DWKJ3)%FmDHcjuefL&Bg)Qm_Sbtf(ZBd?*vW=^+w<X=ySRADUxcXTYe?B+-H-C<~
zS?|pp@pt0=JCKEOv50mCH3Q)u+%dK-HyGn{TfD0zr=-|0NHR)nTKJLA>D0b+;gUu0
zH90QD#%zvr7fwh@>JrxRNBYQ;`K2lvFQtRX$utHe#Ag|q^Lj%|quJGr^s!spl)L{9
z@B55+sme<7YW}mO4vR+%{4N@wZ=q>MuP;!G%3uftxZr}jAtAusxbp7Pg{~h-t$A#b
zF4?CZG8GuZGnAwj@zlpu!+4!r^GY(pq=_wmT}!TeQ_^gF!YP7o7f#73WWR17E7ERM
zN+IJ(K}Va!jpfm6l%Ph0Gu@Uj<-YC2oyfdZfJ~hU>JDQ!W(YyLLUlFmX*JGB!gsJd
z6}2@RraCkm@2M#m(nMc<x9+viA>PcSnJPvY@?0DpLr>)iV*g{C{nBz)sVWM5-San7
zhn7GpZVo6y>5k(SOikfx@jbTpbEo^~^7d0Z3h({8>+(*c7M#QgIx=MH0HKnJR(jOD
zWF4WoM1-D{rvv&umh3zQU%0KeY{*w*7=6Zk=Jw?^ry?_r`O5({W)M?*mCZ^gd`PpG
zYj(vVL~ZzB8W`^e@Awq=nQc)q8@@C<%OS`Nphmu^qd%+biQ%GP+VI48Ta3^O#*gh)
z(%j)lOeHQ<_-gaF^MmCT+wxH_X_`0FstO=a1}^+{zI2?9;{<Vg9!@vA)0@rb)*g=T
z+V4X9u=kt{R-yDzx%nihFTJ~tldst3Uc%RQwLAf$3mFmv5`Dr*`~>);DHoY;$H~WU
zg1;b<E8B^dJ!Z>>{J$wAC%u0clx+ri{$oRaueor7#1v=1K&`~+v0PBH{kYD(u^nK&
zSGsnqaD2SR(b3pfG3D~0q;QH|TUSg>osEqR8^4vw&5i!GibZK31>L|gl5StB86oT-
zOf4?HVJo2c5N7jjcnkvwz87pqh-+i8W45u#|2y&`z|j9LAZhu3mT^(jM!2El)%YUL
zdgB@P?O#L5)!QXju8NXgaTR|K?*4Q7C>N8aN48Ac`n<?GeVo|DLG8NynaXrl9Nc(X
zr}>OT?h<K(sudA#slhz|kYf%Aa$FSkiN{Rk-#ALFCQBu*lQ?^Aq@rMWxe>mAB6oGB
zs~bFv(d0Gn6xPWe&tL#f<_?tz2?$jRd>za+f*TM+K>lD|3MVEz1B#6P4v5Cb%DC0*
zpVP~`#*3z&+8n<HfPrdhW*<QO0cM(ys4{O6)UK`d<oq?;n!Ycdb^8AAOb9$Nf-|)}
z7(eAD%U6E5kla22`>BzZWGG=&zY@DTG_*41uLG)ha%0dpQCd_zKf%t}7#s^1)^+gg
zcc5FWc*-Y7;^FwM3oGN}8dh+EQ0+Ghr9$GGlGD4JiFF{=l)E#p<oANB;}f!-|L$K^
z|EJW@{mUbL0qOrM^5oSx@eJzL7og;1T{SD-qD5sC4197}1$lf3wzcZ#AL?9;+Wxh2
zC6*wds4;VigS|9AvS10i#wgC4&a&vmiI(dUd#BKH5NlKwEtD?T#8?DMe^7i^$O2fo
znyO1^_s#GA!oYL|u_Qk3ac|tZ`36vWY<{YHuag2@KC3v-cwOaGcbp6sF`LO_V|YV2
z{@DM8Tu?`Z1+@!myfTGf%m`(BXLy50>mVX{C`D>gJiF$sH)7~-e&#}WM2I%?ph)f5
zDz#>%#Oa>%?xH3=Ew4oWt#hK19keA=7_3Eg0*HznFpq`^623XN0F<Vf`MflsXzEiB
zq_G~Ka(m7jyz5;eEZnNTly?I1R3#cyqZx}Ahqlrfb3<#7GegT6Rm`Bu)v*i$-^Px&
zG@-F6T_~rv^0}+3?|%6okJ3dupN5(pr)Hfus}=NSR@kwH^4H@8u*gc@nI=i<Hi+v0
z%}rG<a4+`=!O$ZIkGT4azSk2{f2tlNS3ePbk?>>cGEb)&jY!v{f;PD3uzb!miM)#T
zIhBj;>a{r)9>8P)07*dGH7FV&{9}vL{e1kEF79$^?7~a+RY3N%cyjjuPa8^;x<98+
z3HQcp16O-j@mTkf$ZBY?RNTF5&;s<g;6dZd>8AS03OTLkToy71HU?>?CO{eeZdKwe
zfdQeJ+EB42Z=ja(_wjjced?oatItoANmZ|U=r?wqJU4BVD#dqlyLHF!$4%CA(%!=*
zuY<bIVAA-0!2O&L#jO6+gT6EseHmsI248UK-i2X9DbV<gsEJASB~zZi8KTy>F`Rq-
zh_`Fz^!BJptM(7q9hoP>HOsfQq|zsYOVK*a%YzsXV)(Qi6%_Lsj)MrnQ&)oGN-mbl
z3rv>ODC?d2^BNJ$$T)I=B00NAptrk}6O6U4yi4j~R|D3PIsfKO<nI`KQ(F93x!lkc
z-p`(W;jZm0$-wSrv~>{d{BZ=)%aE$V<U48yU#HD820C)(X|Tk-4R*u9Ot%sIlqGd7
zB)qkxYv5-5O+6mVEv;7mm%Ofz#{+o7v!#W~QbWUvNpJB4uOiX%#v<_{y@VW1k@th;
zD)&DWSB0h6rRCs){v4j7tKu0SKQZ|UfTX%J=EbIt%`7x}aNH4}sS({7_%-s9C)y$9
zN$|sDRoPa1%Li`f`PKw>rk0ufer;$`h8Ydo0aTa7M5aPH^YSo||Aexb^)i_5$Hyo+
z2xba@zTwyl*YT4#;+d~gXwbBk|8WP?4q{x7j%G<Rji~04zB9?OVE$p2jGmwD+r24_
z83Ff=#tH3QZh~K`L-YmRh?Tw@<iqA48<(0kRZ%1lu%RY2j;1uj)S4=$($Y3ljP2bn
zcV)l8IZOnaj5}@ck5v_A`S|@6QCJ{ez_dQq;hx)yrckpSkf-K`n7TEiUC|ZD$}pKB
zE=|3LBfrOU`k|kFb)K0e3{ABAiYUImrBD%*=V0r*pI=;yS;(8qL^Qw)3=6ZJ*O(-x
z2%H`YWas?9OJDkb^j;FO)OeP@De;KQlXB==UzuNziGXd(I{}jf1fY!_PV5g5z(XQ0
zLbLUNtO;ZT;KM-Y0MYUeyC8PJE&&8=1GJ)}<YQqUXB4pVb5<s<gGw-)w$1FVz)J`j
zcpvcme{2TO-z^~G9)D7NcP$XfM-BYUoyygnB{(4O60_KQ3Lysiu&X1XEy6rFP6J%1
zc|eZ}=0y)?qKR`V3`2D@_V!_Nb57Q3W>b1dp#RF#9skkX!<k0tt*n<S&mfKOGpDeZ
zE{pDJcS5#L<grfu$M*UB{MzNC>SZXPasedPWh-95X&LNH8Q+`OtEUch6B)AI9V#(I
zyZ|Lejloo&<{1M#0Cj^fo6)(U%HAw9w<w16YFg;vg`Z1f<2|+soH13JCqpgB6uLHT
zyn6ujH)Q;+x7sn6SC&ytW5c%=V)Uc>B;ETzH{`p65$qEimvE(ofI)ciB~#CK|2+Fg
zCO01?{^S4F4AppG4>g73bBj#OcEHtUVVnDV7EU2sezC{dV6jQmRffPUfUN_>lUV_u
z|40}9hTocWwBK?J|GR(s7x|atM|+B2?ee=t@=uHpQ2-&qInr{L0uSjbDkS&OOpS*3
z)bK5#kGD3wCF>(vZ`htR`k5&D;>q_9&g_qNrID14@gw<FP%Y>?j#`{LcYxw7cR&b=
zjHUzm0_4Psv6_nVqbd!h3377F&Fr1usUNaubvORe{9BmCRAJrkQb@5L#?MPNWyPD)
zzAeyL6Cyqv+CW1yleqk555}`{c!n5<GJRSJ?U$VB3`uuzjg;^h{Ly>rU~K==M^$0h
zL@M@;qs4kBjod*8kY6R?XaLB2eY{GC{m95uWHX}>o{{;XdL`s$Z9uBN2JP16Swxm8
zwAL%`Lb9rB%9%h2FJ$IJG7xRrL}L$UUBR^RxoC#VP_dQS4ML>O$c1!cKq3S$44+eV
zwC_BPw!bWM+H3wj6vBg<c@I0c)x!5T1eo*4&H$l%s#N^+M@#{OXimkKdj{@InDM_^
zL^4ZdcJ8~mp1s@nQ!2%Cg`{ph{iAPTOSsXi+A@h?SBq733${X(HxdvEt+2okg(I~@
zCAuddS_J}gCj1E$F|0pD6!oH-F|N`XNL_BXBaGwwe7L$_p?m1H%Fo~Xt474`lLs=8
zeQXIPr`9tuT@-PY7H~0@GPaK#Y38NAGft--P;=w4E8G|rx_Rbdq2_g!&xB`>L^pnu
z3T}{4jnRrmR?eMsRSa3djCtZ4qDT{81v1V)V~!GAiLyap&LpR5Ms0~Ju?D1IO)`ez
z2>*8)RzVLg7LP|@o_rMTBnqe}3p46<Y<y{cZ4Qtq^*266;@Yn1w&Ryf10yW1S}8aR
z3!J^6Zy?@~@OPRYUaC;{#VP2RWNBK{kdoS*Gi+Cbw>I$(yPb`laxQ}(6p24;a4_C-
zpGTh($?JkJWTHDEJct%W#%t1kM8JU96x<;(I)2Ygb#)5sQ#CdrVv2|%8Rc8w`DWyx
zexA+oeD`tTt`l^Y$mBI`)ryW{`qFNh(zuhhP$H!CI+prqRe*FTIqUM~1x+C#UgMK>
z?{~!Xt(G7v>TA;+$8VUyR0>^oq=jb%#^0nF@CBK^?2zG1J6k@}>&-Ri`D#G1#SG_=
za7|dC<i#zWIN$v<010gU>fBZgrCKwZCBP^LQpJ=r+8WZ|_!X~)SVR<m1CFbq5<=S3
zOgVLq{a)D#s+*m@)4}$y8=f~!0)0$>kHTyOj|;Z&O;b(ptW$k5wOOobb6ESa7wK4e
zKorogdLzqc2jam3YYjzvyN84~%&YUQ^ST#@HjOrbRktCo=80S4jfzT47>}E_OZ|nL
zsZK)eN|<&G7g&O+Ok3`x#8N~`7;k7IN($B@_=L;@YA1elKjqyYPE#YYVfeKnMR~%_
zgT$sD$9i6FO9oJ2p57fsUty6n07yzDew5Xkb$>*y8QNA=;*)HhyFI3GyE3sm^Sod!
zp*E%@{nb^gI<aw;VBp`@XwBp8+#JkXsdHl)VN^nE=5$&qymow=Cm3Z=+Ym5mr$P7n
zQnY=i6_u7?^n&o>RNzuyMzl|+a%E!O6y0&h4`18h>pS?j-YGYsl)rR)_-|23m}F0$
zf5p54X=6&kYn^zBX+wjW0U|~a94$&EM(=S)W+qmCVkwV#dovr4<y{j*)x&k?Uk3HO
zkfde*OXUm+3y$u9ya7wmGBz}+N8Pr78sY9|WKb);A+n`pR>8GDI@Wpa#(U%2(`TPb
zzFHJp7BxY2HiJK)&ro2nSkkcu9y`>#`mgC+7;cxmwYT%<V22(}EB=;`o(95>lHGyl
zJ;b0cS6VAELDNDU{~uf0Q&GU%dvQYJrefn8lDPpFa$rO0$QenddoU<R7RYG5_f7i$
z%NLJi3i}oO)ykRdHZ!iQQhA#9jGdFOr}1t;m&sMHR$rJQYlv8*zuyHD1O(Ioq+ANj
zM;mA_C&%YpJKQq&vam>3_!kwQ6`Ey}dG@`8&LvBa332`?$ybCd<T8t+H;m>oo7Z^`
z^=Q5^lp=w89HykM`>OA*MnhO)ZH`v2mzS68xbo`j;K+mw)mu8h$l)7_&*ex1rjTaM
zVRUkp`{FAH{UYoJLv4z_A_`~r{UXD-TfiuDYSjkj6H}cLqr>^-?z{yj44G<?+CHXf
zTkY|R<OuCn${sS)$)}l2$&e#WUp;v6Kwj+3PO=E5)d0^ONx^Zy-PKNxg#k8(q^mT;
zgsartf|)HYC!RSAF11ZsA@&x`n4TwNW0Pi<R(}wCaE=r<KL=SSfI56gh<4(orE!^>
z_<Ph!>}>QfU>ZurGSe&F?e~+F3XU|`{!FN3C)R-_XNU|LP&`wU+CA&@dK0a*;xmJZ
z00W85%@S?xt#EiiX;D%8gKv~y<F7cRugv$qQECkg@=twfGnA8E>IW}d`j3sXRAHZ#
znV6FmG-a%@ROYG9uO2weG|41*Eu(v(?m{J;)bdWsWgWhG42j~%2mrkvH>Fl3ZQ(;>
z0@f7D`*P58x{?-tZrrIl*M6Uy2N8Y2%h}vg=X%lmtn(*m-hK01Oy0P@ZV|7hu?9>6
zsLi3j>6XjSDD6a;S(?qat~)P4MgG8HzAiKm5Acc4^o|Caj^8LAT7iA4&Dch2Te3#;
z^O^}V$*~jA07dX*BvBTFYTk9Z%3ipmjy<wLcd(=xqf}8-26QIxGScFE?x|rVTn{g4
zzm1^PzbX!165i<WOEj3Wh3q2J(&hsteWy7tXNFi67SU}$Ha*Qp`wsdB<A4k&NM){G
zDZ5N_DLXZJz+Q9B>qSca5fV)bq*O<s&kW9wp@e3e5pyzFnH)p~qm~NwXb`*9Htgs$
z`TTK0qqV%$wZ{o558j3(WPU!nfF_@!r_r{6Je5gg*6eZ;o|_Gy*oMsdzT-W(hk$mZ
z6&#O~lppYQQGX<Z@~&Kw4A<On+KPizFUPm2ATi$$yNc!$xy>1+)GgZ#n?dH?B8I0C
zu6V}<DP5aqp1Ez8BCND<eb)Q^zI=m@t5=mC!?*ysV=%lW)D83p$+60X@69SQxuZ7K
zjAkFas!WAB3t!IFJ9~%yvaUx-iKa#~k*it!NY`nz!pyYA8MZPt%_^JnADlp-<2!Dw
z3Td6$4KW+dNiUVUSQ{i1hz;;L-D%#PBAue~{?wBX_Lsh%KI^!E0^Ing=~QADH^V6p
z1OwdQQIw~(jPfhv&j2#6$bSDwHoO7;jzpxlDCz0rt&K9yJQkF0JqMnv;-KcO*UUpA
zh&YvmCL4h4i9~m|5qZ?(or0XGteRPP0LKuZ8JG^NX^f*!>MiSCfUP~vLlke`m9sIN
zDqA@0tjbf9D97h-wbTyRlx|r)+K^&7R>Q(bgaKzJDi1f%xs_-*m)=b60!5QBQE0(6
zp@!2MK$v-za#a&F_{puH+BxkQ$*&2-O&33bF?)x5Y;B;I$64TiR)89d2!JDIC@~^V
zO|^kw)xizC2X^u0me;a@SVzZ86JG20tqRT-m8?#%>hA!b7(obki|k{Dc55DARq?2L
zB6z-C_R)xcUt`)ts76+x@?6qXG21_U(8<&P*1XnxAu&bGn~h4QTFoX$GeNU!KHvVL
zg@<Q`6|c(rCS87b?PO^7iPXu3k-?#~lIG6<($fCO@b4l*Io`GQd|pRWU=wStQhzmV
zYie^kVJDB&NPi35%^UOFkpuuHqA9^nQ;EAq1?n1a9@cR2F;+xdZtmr*joEmH=%ztW
znlC}PN{2xN#xECI7@B@ZcaZrzrbC-85-5S{ufy0Rhv_wk@sfwz(5!Sn{+A^r#RAzr
zX$QM!MouL_UjnasqXENpe+LA;B8Q6=lC(3adS_NUq{FmkjgZQZjD?ZKj~AQ`uiq9&
z4D53M(KKv0PTCuYV9AeF;U}7$l%_w=aiNE<x&(xNnVihZXi5|=di+uP&m)e2N4#>A
zCw_%&_qEg>Y?lWP4F`p}iF)KznR~Qk!Ui?SEr-(z=I_(iNyLwUVv70*n#_kDVsTI}
zVrdF9kWOyKV?m);fIsMBWep^%%Iovav}l?p0SMMMY_@!PMLT~<2hwXn_d5o*5^xKW
z;fyq~qaX13oZqbQ+FMJ!#o~#%+TaANFULrQwHbWf!RnJQANPE_svz3^O8m1@GoV8W
z<Dj~<LWG*+N*%iAlVhAu)1p$n;0u~`Ot`XtqQTNbe#Ig4fZMaZt%{}IpVAKkPsByj
zRgOPmX5Y22{b2|l`LK9F-#oQ|UX6_IrkepRT}$qkdqy*@W?&+RqA@w+ek#aKYTTl6
zu7Mb)jBm+0B2|QKng)2mhSR1hr}q^Gl>&$L0Ktt1kf;2%4MxCxuM04P0IN-=?p%)h
zqhVY|6ZJ#loXQ2Yko)7ReLi3C<SVMpb+#N{pv@l3$BEssK+)VV#n`bNY!UfO2lG(P
zzs-tn#Y%`gJWP&L{y&VpS5#A7`0k5}1yqnOU8xE}EcBL7kuD-Ay{SkE5u(%pAyJgx
z1Oya>D7}S9385y^MFgZv=mA7ZAfbe4LcYDe|JY;fvCp|U=OVWm87p(m`Of!!p5No=
zHRf+L2V{Pa2mSGI4*31L@7Gu38_NyX+)|mhk>A_}0bqOt)jp{n9q)GJ$5Xb%dZ<|b
ztI}Bp&lcNq_h+BC%<P@!dYMNJ5K%-UxqUkCi{vbka-69(hx{?eN0rR_gq?QqmExrt
zXOI(fb0gK0bY3@D{n9fNxN}EY)|<06`os-ldEB-cr60IG6${VjRn3PMjQiL^2|>6v
zZ4>rf{fN76@j;tZDIcwu{+{ukdbD>jq=}3@3s*G%vA=!3eGx0%S+Z^){&iFZd(6-?
zOlZ0t^7(Wjw|TAe=jltGM{l^=w{NE!$T09s8^k^8VOxHN^b4d^qNI%Oupsei+k{*q
zMZ{DZmA%|~CTrtGF22R{^EH<PmSAUZ{xN{2_XG$Ig<Ez1Ev{H6Xbo=xN?;zJ&)+ar
z(43fY;k8Gw?-_TqdHru1>7K8=cJI0l=qGr=zm9s0{*bzrMy|wCcqP`&|IR0Z5>IG0
zw@r&~%_|*UFkKPx;T96);5eFamo>22u<IueGjKK|ln+XtynpurKH{$t9%V;L_&w%1
zwoiYU;IMa0fe>(*W1!7)IIL8wbdMulLGuPl$LQpjt2r4bhn38^Zs;`R3Q|r^yZ!O!
z7l+9I+$lOb@l4=xeN({jp@gv!f=QL78`F9>$H6RF0M?aVT-s5#ACJ@37q~}lYM!Y7
z>Xl95|Jh!ah)eu>LoN4CLx5@8*L&JZ)kR2sq$?KLwl{47i}ZW!egaMP^Zq+sH|^{S
z=A_Oi8C(GnU2hL-aOhadf~2kml~4-BxVXS$zHL}%JZMb(r#`qg<&xs7&5Z^<T&G^+
z^-Jd(&Zmr$V_8D{-8gh~voMf#9SvA=VFnlA*Flo=Q1^5G<D2#Uj<=!5i!{jVKW1hu
zWc$A6aYFnzZTpW)5ewP9fWKEKwKp-9VcI&xaINDCIeaDklSore=oH-rN3yZs|K-Sv
z45812C2P|8Ck@0qsl5(Vk<=?eU~z;#HOb&q3t=3g7pxEJ(s}BGzA^y`=B)WzXAHRZ
zW|EtNA6<A9Um8>>x>;x$HhVuO+pnnnkE2FLE7mq|dFAYMb}2BCr_r-ELaHaS7Fqvk
zTJ*;de$1;Vs85!`Sz2h91zIXK#>sh2Cl}SBj`6+o&4#T#IS^dO)Yd%n;_JFBytAe&
z_R}G*ekhIvC@D&pmJPrYECI4GjMLW&61;fGzhT0MuDv65`9jXtcF5HtQ+b!I3q2Y!
z{<}+{O&l3Sy0M_2@`}6-^vjUiKX7opo1YlyPA7pi>RNboeKf_BDcL<R`7ZI`NpeY7
z+2G0SH-?BXrWS*_6uY@b69IHRK(K5-pzZVt{2hW1mwvrG>KBB|x-1LH;eu7m<=k>t
zJox?2=*WXDuOWexditiI_>#8BuUNTU^o?-240DRCi;B@1BW+@|E@5LH_Umn!&1{Rt
z_~tYBnv)buGKw^^Yu3y_0e68`_v5YN9spdmdTzQu7)4ILt98#(=!IFKa|B#GrZH1~
z*I7o5q(>TJoMr|wa+fqID%Fg;%x*LnOS;?#dAWHQwdf2D5edmxZLN9DpZ#N|FR1cr
z79YKy&!N@p`nm5sYxZqa-c2LT_EeIH6>Ty~&lUi)SFGKG5Hx=*k0jBNN?CJiDRXSS
zJLo5^wl)|AdH##{`ZIYS5UwG+3Cf2Bt<H;Z#PcQMne{myYG^zK2=wUoTiC9HCumbV
zcOM#-i{qn@Jgk&8^cHB1cq2IDaPXj9lq@(m(85~Af^;hzdkaEZotnDMdDJ9yrksJ7
z`;gv3SYKcNJxs+@Ovq;g$ta3w!GL!m2HU~sd6=>$7-fOhHMN*v-rT+VGc8X1D55n0
z>H8;^3}y+Hl6#{G!anRvqb%J8ZHym*=QmgoH>5+_SWVwr``B2EKe{Z)qw#JQ|HoOP
zF+1Sp9{4{&lXth2EC4mvw56iEwi$*&;3T`OH}IUFaKPnm`UKygk?)TV8LbLoKRK%Q
zNTrpb^ga6YQ9>kno*~D}k_R8(YP|?t4S2sY?K>=G7rjY92Q$=<dAtuznKt-w<Cixq
zqh)2|m!|njaYV#y;Xy^PKxEagwYJdps`ryyt{~#@VD{j;!RX$2A<(0K3?g{|kp`{7
zfUkt0S4SNnG*P!5Y8uScw7e3gKDCT4v^eArWErQM=9m~>`dNG2j;}WzM{z#~YBelj
z81KNi*TOaGuov8Gr`7?Hqvwa-XJ-jy-H6ybs^n{@mtSa|e73v&!o7Btb!k2cP?fd1
z9yT481HWI_`ZJNK__H;2bH4UxFQg9jZq9!jgbXRUktE^O=3AeclUzTdxnE0M3gmW~
zXgz3Q4aEY5U&i10E(_i>3^vn-3VY$FCV8K1k^n;7th!0wXi2{3QoLOACTpNXW=1B=
zx~qDUuO|7}Qyb3U0DzIQ!>A(Gen8j1)<M1K?TDLZ-ho?g0$#$!3mLch|0rxTZ_ivg
z{mfqT==`Q<$YZb?ep~ss`&201-)f5Z1u64mc|6-KwM$B2oOOFd9X-``i@jy>>WJ%h
zi}!nci1DVk@2b%9b3kFP9lT2|WD5z-^IutJ@PjN;c~j43PNM2q+j<c1`%K3;Qv6jk
zZS~i?li9yc98xUx%e&Y5xuJb(>FJS7<scg%OWbT{cPwk|8*HFdVbnGEkMBf$Aa4de
zi_uO)(fb+6)c!>#LTxxmn)CNx)z3NXrqVgzK;rbrye?_am|w>;B8*SHwLBkxFICm!
z!ZqgP7b`vnu^WA|6<h{qb~X@%Xm9BsegC@RNUk^io)uM|Up9W|fjDX1m}$>#c3~1k
z9i=~Zj|JmkUBvi)%;{oAe93PTe55-&OKq{VxWj)p6n*3S?%$`bEjkVGeP5yUS~f0(
zCFU+aL0QFWwDC`~t`XUmkpO;KS_jqs5AqTt!?cZIPhIUGjc-S9vqA7OAI+SVH&zXh
z20o{O;2^)L%qSPVXMZ3Hqo11|#c-RHu`V8>>(Nn~ntp{FZaM@!A=wTZiRundjS~sa
zmop*eKxDM!gp$X_wUtb5uA!i?smJ~FGOBR~^bl7DckY@K7=KJV8Kcg;ln$x)GZ%U!
zQF8f+S;56Ax%khLqA?E^v!MWCn;_$ptr-YE=s}9muK7&png&Uq?k~70qV4_GG6KG%
zy>J#Q_OeB(E2>yu5Zg9C5YR1uP+HR0vb9&y+&B#d0p1{D&U5>@J`BG95Y4(zyAMFu
z7|Fa{?q>i39?<Y6i!@OEdh$Y7Eh^V;3SzpJBA&i!Fg}&EFMjnHF^?shhw?^G_xGZC
z9g#yH5jOSUb9#DOe3+f<&g(xe9V_>M21W%~c9nk6&=;Vi7(#&2dJg#hawwWl@8(jX
zl^7#>KUt~Q+Oh`jHkJ0k@#b!W2dBUnqqUu_nSobKUm!h5F-Z+|0#5wW3?E}X2jWQW
zfUYu{WHW^mH@g8t`AE*np0IHARBnsfPPuL+cz<{lR{xj{Q4BqtlE3V1yi}5;Sdp{q
zhsedXdB7_-i>u3arK8<Wjf4HS1rZM?TaA`raR!pL)a`_Q-jndVy`55ut-~I}{9RYB
zyXlZxp`m(s@#XFxIqJ5_M>(GGwgc)NJho>j=`%|Jh-ZW?Sfuj7rwwVRp>r1|o>uF%
zXxAs3iv#YQ&wc0KnHR^ubh_YX`$$Pf2=<(C_(sofAyta8VZ(5zDO*wP5@|{s%=-?b
z>Q-kYy(~5F!C&8ST^qs7aB-$971j<&ehVun`k%f?Bc4Yb8Dk$u&Pdm7zhLukh)Kr)
zFTErqn5+x;XPFfaR9Ddsv3DSDri(50UO8sxTg-lWJcnhZMaMdgmV#F5Tvx>I2O#a!
zTOg$>Qpp#`#vgo$m^By<Ot9WJE3Sa39oYD7!YkR_VU-A3hB(=X_L3@vrk%dYh(n5<
zHUG7;M?9<El~(-S=`A5Bi8@_e6y<pF#tq@59(nOjZnh{;_kVDYOkC1PhAx3#%?shM
z9E=mIy-uJwJwa!t!XtiDjAz(WJYGej{JN~CKPpV3^XT>0_(FgO#<_-TWZY251=37X
zJ`(v#XuhnQu=9zhh|3S}33)Lu$|JwZ9zEjk^7+-uZYZ1HJkN(X%SfX^7gD>Vk27|A
z-A;|k(6U|y7fj9mmO9%!GHnTsdlJ8r<~6qUdI4s`cgH=5)vM=yAN}*&yfmnIzAj-D
zzpY(dJMxV_46(={0gBd>*XQlB>tU<R7L!oS++U&^V1jgHIoAS1lrQCap&kpIKiE2k
zde#szeay%_!)sCP7cn`XZbs6rf0AJ2=?v#qON@DQ(VI5(6V@{)#7G11eoMVhlN1#U
zqj{d}*768ykQ=eow|D7L;)5(*AB(ALqjrM#D!z5el*!!TfUXaC&~LIQCXmPGP#s2q
zbfF{T{mK;m3~+<n8d({op>G_3HxNUAAO|4_GuqNqtMpqyL;G5FO))%>9NIaJ=H8G}
z8besfR~Ijw?!%qx-k+Z7=V(fGNYSg_srbcnmFxaU%agS#i?;^iW*`>#*|529PE#$A
zvE@|o_>w5XZ3Ed*R=nc(s3hU<o|iXpi-YhcOKBYzv2VboztC73Kk8A@4PqgmPGGCo
zCUf56cU-1g=bu2~{vW4zFM@q`uO>$CJh|d3T8NyJQew<fcNZ+tFM`~8AxIs@)JHVG
znL@o+>nP&dBhF{~V*`Sgg4veMK?#?--fVfF8T@2wP`L=2ie>Y`lEETCz*N&J@C3#h
zMltL@x;}9V^#qqbuX}*jL>~Sm<vvdd%-KyAXLHS#!Fd-!?YdxY_@5w@G=dknKGmuX
zAeU}4?a-A@eS*(jZ-zcrH1;WWNPA)N8a^xZ>chF2v3fi7fqn>Dv+q9zZ?J)LU&CK{
zOwRn=9#dl<Hi!G$7C9|D#};v7G<S9?%=h5g663gcUJpU_7F_jA=f)In{8UL!Nc2m2
z?ms&*Kc$t4{Z=P{)qmGa4gC3T(gdwjzGI#ACtm(duQ;CGwsq{Pof6mjtq(lU!tF7J
zi=YHypl&E>kkY0;ozu!+wm2*YzgE=I<9nu8wkdMYG4@;2%t1<M9lEJOeMdUV{j*{M
zLV&5rs9P9H1a|u7gVzYNQs0nkF29lI(MIDcVr)q9`|l&}Gd&BUGfHvU9B1kRGabK;
zJewPwRoz7QyK3NA@kx(o9yI*2-|(y;E=8#3dn;2{+1$#(&jF4vm@0@CARJ{md}hQe
zeDZokl_R(n0`t8H?`A_S%>#Exbk^m^pq1%2%)4_Tr+*;lk?Qq_DG2*YHy?r|EZI$x
zmW1Z@7+#3-D0NxiaVygBm)X5Tu$Ue?-p{M4tGO6+T|<wH$q6U-_evk%w-Q3w{MfhD
zUC7XZ<QM>E%i+!KLO%`Yxsk1wyorbMXPY$~o)zD|@MdGgcmA_qekJqiO_~Rr|Cm$)
z23Fw$cX2?juR2GO$b*u12IZu$;u^2L`|hovHUCWMxZkCAGb7zz|G}BQ`DTB;VW&11
z=WzaF<v^#wzG+nWh}~}t(oEB{AjCdIZ*mC$O+H5Pu#hzS&OA+W_7_kLkS%n0eRyAa
zTY4~LgOvPT#uJZg5TRqwTq_yb75VVX^WJ-7m9H$L!_rn)<~;<MAwbgs^B`<;7gFOk
z{n6bdRHvo!3NBaW-hgC1uUr;LXzy>(9aWcH@cSrbovWnS-!LHnxdEcC_G0-Mz~-Hr
z5+uz%2cIL6KzwV2i`4Hql;q`!@|Ee?TNhjFvP5q?Chy7?R+N6ND$XsVp<WrNxIvus
z@}(Is7xFY6V#W*sKb;RlDT1Q0V?C7T#~Ge<V>;dJ_>-o*kZ6vhr!}q-mEPh)+c2dh
zLLSa;Vtp8*_}%BAmNc=uHc2>WULU7;Br~jNtL-`X&A?#tcJ#bJy(P4R{%C**q*_*4
z1^az0S=l|lS6AzL?WF@TGg#?PudiNB3=iQL(Bo>i2L#`6=cVAb*aRdG!fDJvoN-<H
z{F;Fb)#p*s%!$lT>EG6;VAYNaCYE0?UuV))ZLekRB}cHiU_32UsO#txT7B{oQ2@R*
zNj501wk)j5aUHDmr(M4tG_U6M^@@3cfOf`<9<N6^7@7r}tC&2LD&j7n4iaTK)QzcQ
z<E4(fbJl#OrcbT?RZ<ztsA{0*mS$$~ezVj|a%thR<?hO?%&MNWG$8J58|UE;f8{Dr
zLP#OE!))rd2wTCC;Py~Jcp^9Aod*J>GE15<>?^K5><d5G65RmHntU==Pq8u)7;-n}
z>jzwtOSt4P<L9WN*UPJ`d<B>*|9sSr0dTwi!05$>#l^tT-1HR}ld-SZeDG}h(Up<8
zi5)+aZeg*=-Cn)4K~-U0QM=<8LrntY)3~Pj-zej0c$NS!TR>VGp6dd1vX?gh<)Eg)
z4?3l^cEC0GLo`$DQXx}yThD*Dwd&71am~oyUIXA1We*TQhouJGKpac{r=>^%GlqRN
z;x0{3jF92E*oVS{7R0JBDve`K)Q+?}#*^LeQ7U<cCoXo|gd*B(V11|~t_S9K3mUN1
z&DU+}Wwj~rlB{jUK=D-l$L*j7dou?*h;b>TT)3$SIfVc0e{~MwNZq8RUp2>n=uG`o
zNo+Wv^h23i04W*tg2J+;u73I3n_SRJ%;<8{Z01`NQ_sU@oqvZMe(JA~x#F;tWF>WV
z%Z#h08aX~+8`>pJI_5@AU_|uJour~;5xmuFY}t`bf0jUCxyxb2kE=%ML1PQXueX?q
z{8u^79&Wgkvp3twSZT(qFG$VLw1&h_EIX<`W*~k%qch#Az&C5s&7Jfx+X`B9y=UOe
z-CWSI!jHOB7MBM#%&JogLpHuGp2D(nboN)KG(YL=Dykgj*spyr24=BbkP+tZFp<~9
zg%YvJcz~pmL{J!3LCDfT-KbMI@Me1%Tz{qI2kvK)gJ<Hs1TD8PJFQP2TB&mBwYd=6
zC)%9h2b&Pu#1cK4+E8Am*@b-#7OIc@9Oe`o<>y%|oGK$60j-39K-^k3NvF+|LTl?S
z@PWb2-mj4gR@9!qL$<Wu*TCz46~da9bT+4cXvjgBx0rY9f0&%)RjN57QQURM`g5{4
z$9^yC*kQUlC>C9>m}sC3#{;alNj*REtm>pu6O0%B?6*#YvvZvq?21)j@RdnzzY_Zo
zFU5=#5(KkGGy;5`)o{Dkla_63AuG7KY7IjaZ%f<!45^lwPGC)rdY2C&zZ{^cWvxau
zfd#*b-^4}7b)r9Y{hD+emHp8zLcfv2FXm>TU&=>k)$oKrEelq?=mcUNYIB~JOXkUj
zE!a{;qL7!MyDn=76L`&VeB7r<NY--qbxT1z1@$*okH}5CqGm9a=V%N;196F_l1g!;
z_L8k$t8G(w>j2eytLxF3qAP!mzU&q>b){5L{DS#4PPjkW^*eJ{`Q12pAs<b02ZsIt
zX+Ro)C<CyFMC^LbD!r6$hpJ;wqv%BCzFlHi-Io7cOY>s*gAqRqlKz-Pq*JB_c0Nam
zg7b%BhJnYTXrk3WtTh0(Fq@LENCg?DAASNa6k0P-^fa1cXPyYz{R{BjfpAUJdIDh#
zDKit#g9!~umb1&6AkzmjW#g@vKeWEPQ4lwH+AbULp*Vn{Lk!vZRKkUJ@8hqagd>w#
z5pY$bF}|U*ZDag@Y+i7tiON1sec5FG;S9M23vBsPSE$>)mOz|wCrH8vDKxHUUqS-b
z{^v=Sx<XUwx{43?v`g3LIVX!V-;(A0n3E<p#0#D?Fyt`m7*Y-qdYA{(<Ap6@IejJx
za>HADD86+YxW@Xra#7>!t|17=*pkNgW7njfWFOPo(_ZZw4eS^z!M)9J|7*i+*r;`K
z`}NNJ!@GoF#ezgj76z3!y4_-r!%QH*OYiu(^P)DLMu~e_I)8fUij09$_8^gJHI$IA
zH~uMq=`IzOi14eNF+6p+yupKwQ0NBA!iEKbFA8lfi=iFp1n^k`NBg435|(2go@f?D
z>NOpYjjATsMv(-QuRVtxmJO*z+Y*8r<8MCNkvKPVa`TXR5}x`+`h*^oI@wE5qoPyv
zxRzojyxVZ2EXC)A^H)fDU3Ek8^VUsPDtAUWt<OE$;a@JFolYuSwX0tP$D0og)K9KV
zTKtjtsa1Bb@NNaeQyeQVYQ#o1T*rY)u}dQDiNGjMiSd%RGZ)Lnx;yc7Pc#T4)v+~w
zkDA#7jJl-m90a;F`<}wa6`zLrb~OfbTsAaW1bV|_BL@rfF|mnP?B>Y|HH-Rz?oF;5
z1Jfq;jU#i5a`?!R_tr%kqqP?m1EvRdlMD4x!1e3#kSH{peWV6R7{A`xlh4oajNmCP
z{OJULvKC6poNYc&Q5dVXoauY^*bWr;5YKznUiNftD}ZvN8hcI>&LNDbE5xq;0q}iV
zXuN-LB<}-PZq5G^Kdl<m_e(}?WK|XHU9D`4-_{DyKkcNd7<szseS2O)3HgI47_lZg
zm#k>EEeVOweQnm!`c~3x%=X_2fc6!i$5hQy3W=6fD|$7fooP3ZddRp*kYrfdQA?wP
zEbn)VmEb<P``S%9l@ve8hI&JwlCv#_g3mvDWv*t{$zZddx$I5?d7rR2qy`n-ZpAQU
zDKAXBiy&^%Qm_k=$WHsVd<%Vr1FHmzXV&FUooY}O{5!#tCrPirKb?F0_ZN<Nkx}@C
zD1@^TMkvsFUM;kw3P9|_y;>e&7>_LjzO8L8?O^;D9kx}(L?@(YYrNAWZNP5?`@Mbx
zhv3~vPzRK1qp#RC`3-%FWrQL_o3I#R@<!KW=x3MWuJo_TVqM!R{ol+Bc{HMraY7Wi
zEOA9HS$Tc~m==?)^}e}5je`uYXR8m=QPRqj#ecvC5o-JHA{Meg2uFO;!m>1zL^V`=
z7C<bk8<lU!xJ6TV=}QW3zzL>#`OJNDu6+M6T~x5#>upuS`hzo9u|Tsu3du47l98D_
zEK^!Yg}jb;G|OYj&uQ~^%ZKh0m`G)c<lwm00k#x*@h3d>J~ea9Kwvz`QpD{s(YtlL
zzC75%l<=q}vNcqA>yOLJ_-xKsU(XxxGBwzpY$c$bl+okPi-0Vpax?nd-P9tz$XoMw
zsd+uAh&tbF{(<MrgE9YmU3!0P?|(aUV#H-(tD`VC>5p2rtl1wX2I-2|x%jn7aNmXI
z7v^Nf27p@jG|g_Sc!JJh2Fr5^x_$KLZ^9+oVMDR!;((%Y6Eh@5VFbIJpp6r0_1QAN
z9nxfBYN-A7%Xx!-!40MsP}CWdreSG|Skf_z8y7p`mS{ZhMFzD*XP-Z+-wFRI^{a*j
z{%;~rD;~sB!>xo^Zenya)xsuf<91ygb@Hc(b(F3nCU*MWtl6sT)1a>5xWapKhwaz>
zt&9(w2|Unw5dx=~=Br0BFlmP7y#|^|w4GVkY1L0Y%!#ARFDmuCoI|eMqU6>7vkV(J
zrLjoe?VAqmyVRkx@8{U3+%RLEa6iX7ySq;)GF#{EO6ilWj1ad?^m{TJWEE#WPqo_?
zo<e{dsri|~&#C<;5fu9_;rr_vbZga5Wq!BoV<JL<w#ds2J>P_?-Y`<E$pUZ(Q0{gY
zR7XdJyV7Gntu>b>vdqX}E(Sr)EKdci7Uw-jzvCj5V)p0^=gY4q(_{YnL&;z-cj*mq
zy?Spq>=>iJlfX3rxNda8yuRV?aji-~wCU>`mOAw?SlP7FSIo0-Q@i&zIVFO>q8N%g
z3~At~IrE4rl2kOJ=Sb~zAWo|6=b`SfrxKl-#`qs058jxl*LY=?hMu_Waq1rqA#tb<
zaz&jhh>-7Jls8J6!OXhbjb|lQOnfNT3bw{u3dvPX9Q-n$bduW|sToCFXRIxOlja4H
zx(pM`+)gq1)y@I0ev2Qlt)Qmu!mhuOZKL{Q%7J|EVl%(+^@)gwzcKp`tZyGi156lk
znkGU*fEV0(-F(>UlR**hSn{9p#P1T)N&AaXY~6cLWw{nj?d#X%_SLpuO4l4DgT40|
zrBx2BJ9RYPWP+k^Lv#On&UQ@ew7vnH@+r!+8`Cy+d{J5a)DQDyvA1V-g}lRv9<V7W
zS!9z4B}?ks1NWGDK_3#mvV4PWiw5Y6{biu-YRgWvI!=51qn-Cr@D=UjfuNJmt<0eR
zau|&4XE)9g)<P^vhhi03Z-eIZ*=hCJ8&VV~OwT<^dMA@N6%8C>z@^@B9NI(lcTWZY
z@L&k>X9hiEyj3%Dfyjf<pyrj}7Yku!Kwy1V4HlQ978)qG7RG7k>p3ss`(qFl`b+Bk
z1^Rq6xHh&MdlWea<bc1gK-^`7R%j+&*&EPw8U@^^ZjLdy8tAL@_%vKRqTHEs-E-E{
zP2|+o!0#;E|DGp2vDcl4po9PqBb7B{km4-sF%YhN?>9n6Vf>2fHb+>2^H6<-dd5(*
zaqL$|(~z4w<>lqV<HQzuK)4;KtT`Ld6ly>Fbl~y>Ys}E$Z!k0X*5DkXFJ!d(cMa3x
zjsd4Df}gR-{U?NQo(TZr?bbO?8jfXMYVFmMON<zXfFwl*_7y5n?WS9;)=;J~vVXNb
zt66_OUXB)1DwIvH!b-k9zGpEGS=s41a2Tu4cgno}^rw{m^yF`}1mgS%TaI;Vj4i#9
z0IHAlz8%T4E9;#r(DC@O_O}lbNfNJ8-~;g94isSf1RSU!Dz6hGE#feF2^2+&-tgsn
zowARxV8;fQnmns5>ix#wE8~LrLNGJFtu0$n^tQsnRj?_$FcjMVV0!(}Y{O{E2T!rf
z!OxyU2aL-8&e1pD+6Vqu`+Y=SWoR#MC**(tIMrE39WWcG*~KsV$ykcbEt!l4PvPPy
z$>{eI>8^dSn$kxXc~$N7uqyQ-KtAFD4YbHh(O*Evq6AeDr^&kR@lL^;Bn|8$MrqYp
zLvzBkb^xm0);&9%DJ49UaV73%^4p%!6K5Gf(~EO=lr6vEejbEHScgFY#p{D%+`x76
z;DF6i$K+p^bH%u>r{DW;a6L4;`n8br(^uWfh%cyGz=evFPI1!g0>#g13?tkzaI3qG
zqpkYTPmBOdUaQf8!QsF_xq#W(Ry<E!S`5F84D1M3z<9E@uA=@Xc6z}Hm6%Uy6X~q9
zHy&4kg|fL3lT1v3(_wXkcMkijG#(UBgzzTd#r(_3fY3#H9HS0pN*XRk&qmK?Ck6Rj
z@Z$SEY8lK<d&hcjW+50?)pdoa;GBWtMtGsw-2G%N0MRAIx`rFeUCb-0v3kCsyb;I$
zb$t@)a+ZJN)WG!yi#rm^M>*oJWo)=9A13KJ(qhT@7yIZqDP8Iyv52KM5z_)xPTp``
zrmkyPnz_u(JZ`4u-OqDg&JoVfm1P!Wk~3Rqi2z;nZWGf4f))hAF{h2F==h6NR=(&M
z21n#Ez?ZJu<-;4}{ycXjSxD4;ebUKgo_0|@Vr<kdQ`=&5S8=yw1f{KCO>&2ndfKYn
zULZ^=yDP=xb`plC6etD0+iwr?(L-O_LKkCuxtv6+^^PHPq!a!9KJ9qq8jj^$QZ4#v
z(U@{N6W4UQDWU4_^#IFYKxB0Q7@2sF0wKDA)Ppbd<}3Nv8M)6x>8>UY36Q;6F#r{u
z^K0Go@so&{&Yt*lSt<h;6pXk7f3wvXp%9wYq8q>|6qIi$_r|WJLvkv*1q_A0_4B2;
zmN~vZ()UHR8~!I=6q}EfX7@|;0sJW4Mc4Vb;5e2fEq7t&KrAE=>oRRpHML>)QQRcr
zoor)rQOwSiOlJ0A%!9Yeh?bC??US{kqn1)@eou-a>Mg%AaZXkcmCcE^kydwSd_~J}
zK)3#P*ni1>Cb*#~AVa0Qi1nb3O2Ck<qW`+R$E;0~ZWyGNGSa7Q-cvA{1^Lb~wNIK1
zC6Y$IeR_W3%QtQ`CopO(hHCZ>oNk{3_A#m^ITM?pCQh;TXG`2cZ1cD{bSdVXewR#{
z%DF6~>ha<H-QVZW4^r*h2*55DHVrVfuw5mLG;(>X5qUe|oTHOFRLme>?OhQ3sY~DE
zEa4rqXOH>r-02<2^4qBs*jW^5VR%!Q$i>Zlr9dL}<O_uN;-9^P+8jyEc1<1i{r=kM
zUAgx--MG*8AuFbW{4+wwPPl`WaZQ*~uT9GC-I>8Yjm*4U<=HmE06XLWw!^?w57`E#
zrXzJ&_Zjb*#w-!WF`BYdEA?*T0!kENP9>BBqQyz$rd&H*Lk<vFVp%TUe!9ijc2;=c
zR`$>Hl)2fHJ?;#pX-K{rqYPM<$<&h_8bt13uAnlO?vkXbYSR)B|2kpu>DcM7$gb#k
ze0<L7f*sjw_pX*!1I^@x_XH((PQ(o=z^O%A5RbDYC+iQLJ9Q$7vBz=U--QEXW9F@M
zDOXf;wEjuZmPwg?kiIQ}sq_Bmg#5-f0IXE9Jx=(Jp*S}YDm#9u?al@%C7BF6Wmzp>
zU9`?0hVjIYUCGf}d61l=tv91nV|TCHs86m~%)dX!Uvs>&!d%r=DlKn2(ywH|xOLrT
zoOF5b?nv2kwr#6lL-qud@dA)9@TQ=t*3!oq8H*^EEJ+tWx=>80IAF`+vi?dcjJO(k
zN&o&laC+v>_rCMidgh<<`Ww1a?pA&w0tBk_8zk?}NU+T?LLW+oZYN9<&mdf6V^Fo(
zIDAWH_0yXf0apsnOWuyLEHJ*``eJp2pvdl@(-|lF9BPtdU+IM|TJbWXK-|*Y>*t^b
z{Eg$ATOOLqfvdM`e1);6VVsZhZ`P+QDSiNG=}`eDg)Av*O7<dAbk>nE-C=MYCC$t4
z`}f(H$2czR`#dzF@^-pJr_zjhfmU%`4=3ECek+KSs)Q>jns#o{*>a}S{q3DJNFxWe
zb%+6CSaCI}La(`+J(@LLR7iv)LF~Dl$#%35a(LkRB2yn~#!y~N2Dy!5Fv1R7`&_CI
z8`E#++-Z*MyiL5`qoKMJ>XC$s1=m~k0C$e3Xbw0)AC_f+0kb2ct{v|NYHg&h#(+LH
z)jQ;$AGs)(^P%iwTIq4sGk(Nx!8_U8pbu;kxE2*}aGc!_uE(aTZwo`E1=P0_oQyO5
z$~!$v&R(B3N}02ZUrEvWPB}yi-hicx@M|ZC8h-y}oOYjX&ZsLws2moyN-qq(o<!G4
zcd3Z<y88fEzgnx;2Hav-@+D$Ui7vFYHR8uW7cV_gkWcZ9e_#BEtCKqc($wNh!K1I#
z@0d0A=S&><MFgs?ubtkk-rsRSAJ$rg4n(*b84&4ShZW%eWQg>LVS`JMd`X65u!lx1
zouA<}AznPD9$|{Rtm560LWdSb4UEV`IL`_JV=y^3?M{@|Zt&1)ghwOrw>7vb<Sr3o
zLPAFnH`1LQt6RAuo}bZBv=_espR`Zv)6!CS_WSiwPUR1&MPLu!sZzG606lcL_1GZ}
z=(6$BExVV29w}3LN^id2b>Mj_C}Ihgi`PvFSxs8-KtK=QA^wx@h}>j+T96ilNb%E*
z-+!8c2mF=v?i|8ENO^DT<krP5RbxEOWHYZ<%gdhmQodnjWXJEU3Ud$7O=Z6w-D$C~
zJgNIlAT<O-`c{z5PRFcggs(^NBnmA9Ax+`Q-I$4wZwh7x{Ej(ys(mu1n@-IXWc6{o
ze&swmkc7T`SOpA^p^NgXFIb>OWqnn^%PD{x{j_$&H&GVy*SEM8Z!Z!k_cZlt!g-fC
zJJat;wxJ*8UoxH8Lk8Cmi^1N~48uKef>Up&w2-Cxhg~?jv!T}TqEDXNgOrO}X|maz
ze!G1fF9t5mh`E#Q)4d3cS<eMO3nQ8iBd~|a6Z~!;BjV69imLaUvy!oZkel$1kFFc3
z-7u}<cldeD?u^C)-fJ85%Q@J|b+2~T*$h&g7p0>NS_vVVIZo+sW6-uUJ61o5mNdIe
zKoiDwSa6Y+RkwH;;Vfn!ojCiOq(-u=R7?xQ-R7Tl)q1FdR(thZ$NnZz=4}7Vkv2(B
z0mfyxa@3k+G8A$CFtybcAgw5NgCtNLUvU5;jIH3fwtk?K9s6^w*|xi2u<#o$Wle%a
z$+W$=`>HHeMXmb#3i!$Pls8#(b9ZT8)K_f23k2kXnb9WN0?DrCgT3wcPM%$%8AgKe
zn9y-W+vwX$A!>Jf6;~x5jgAy%0RBHe#LS{{<Z$=_K2RsEdGycdpG)SNOwwpgX3@VK
z-yW)OGv(~0|H50b#g)Hi#p(ALZ5~XgKAO`KIkq!wOSRrXPaP;UsXKHvKLh0^)o1CF
zo(VGo%Aj|)Z=NBlPl3%IjE=mPIdGZ$Gic-fI<43ede_3cANE#Ogi#{c%N+abak$<b
z@gfsVCjJq^f&T6TIGlgfKRL3Mfd}Ml^DhV15w&;Bxi{zpU=p=CVkCI)1S}D?d=@Cv
zfhpc!Z6&eXZsHCw{lh1s4ka?rUVeHfss$V4zH=m(P2gom;W{S&uW-n^tagEdk|9~6
zW3@dawdEHDUkpZ`FqL4wxjgnj5YbKTH>PbT80bk$A&eQ`<TZ5*ZK?jwERE)vRE_M#
zTzg$NMDD_l3*cp_dSmjY&^PL;@(18t)MfN{g=4!Q>gZz|Qdem)<z??%MadhI0TY8D
zUgsBQD~#R9x{2-zw+1f6XzYgdA(c0|l}A!MwFb<unSbk3_4EwdJE#T-qy)U*Y+Xl|
zq4|Rur3Y`Zs$TQ5Ef9>oN>1IddU0k|S{mRewi>TTAN6Ty-e1<qYVz~obc&v_Xwc1#
zPQIOf>B|={&OOO+o=mKf(CXk_n}A3wuT1s3+&NQnxbd~weeO#IML+(FbNqjO^e+{>
zFc1KaTu-7XJObz`5bCI<i|8)impiDAhry|mgM=Hk=r0Bebv~??QJ!qc<?jaqoK_0%
zpB?+MuA6^d@(Yjc<>dreyD-ZBCzdO9sPoX9Y!Zv(J!Z9VXxDptENH{k!ty;VeT%EZ
zeP-HF?(UhmX|K7W%OqpV&^f`w7Pb(4z6&Wm5=0a<3qz6fpw?9Sd$Bdm3RPIuiH$}J
zwTt)rCAI=8zDO2-hE7)MTu)4rx12SmLtQ1bpEf&Z&dNW*e#eFCT!WjBd0!%5Ag?w<
zDt882HYyP`2tE|P(^iEjC8M}l<_v45|N6X8t0uMIj+XzPru?PZKlb?};hK^u7lwyT
zZDV8BwQ#S-QxjYGDk%%YfZu-ePXkU^&YfNSmxG}Q?pB6Pi7d3{%lv?WTK%Y{WZt+|
z!zutHYoMC@PxHjnVC4ZL*Lo&1;$4!>pHOQnF$+ECH)=L|p6~3}R06@m1XbY7<76q2
z=31oM6!O!<{DbmNFdec$neSSRywB8Ld3d=$^ORN}XVTcZvEU&+{q8}e{;D#xxSCSk
zU~yk3Xx$E77ZvcfS-ujHg0@78jF8q5Fq$&`8Y~V~(@Wt4;uT)~%OTtfqA8P4zH;w;
zBQ4FKgU-2aw0nG*?iA|E8Te}`0lNV#;&i_EfnWQiy;+xs{ae+kEuG<hdq~S)=whd7
z7n4TKY?)gXofqCbyD7?<P`Nmt#FnPTwoikl0Q4RSAET~vO+CU4(Ct<xCRTdil&KHt
z6KxDpy2)4N*{3y~uY_+0r_PBSege|8eUU;fW2%080MSH=u1itawrHwvj=P+G`9gET
zW!vn4RVAHqriJ-~zc}&ga-%-CS)pIsBlMr;kCX!<9B-0TN+`uE{e>a3m*leOR)OEZ
z3&3`JwAGfW$?gd^dCh_p11NuZ)THwyOdiL)qbdHlX?$Dtq90B7)2v`k!?7p+?Hp0Z
zd8cpC8)*l?AcN_M93-5kR>v;pMF1{nq5X{k#V$S<y;A$Ss7p5PIA<BHqv!1-%(qfL
zhCz2k&LH1a>-2U2*tI=$3eZ=s&Rf`k#fMkFML%sxn440c9?+Ih`jc`ppT53ur19+;
zjtz6w(P+9QWL6$ONTS<AJq+ySt$V`)!6pj(e>8)4+`K)2oy^o4m^^k{CFqE>gJYd~
z6ZNbj58nezjCWdn<!~}XZtk|lLGBaZ!Jm7!iX^;>Y9Rra;*%S6|3c7Hj|)k!jK(R4
zKv(7ro1CY8sT^0>Y*pwxX)&^XSlv=!eyJepR>Ht!t49&TX~Xi>gK@Q4jmXEp9UV-9
z1K!~FRvf#oow(3<@qrhqNz3N>3#fVG{NoQ!b&<CcR@q7j>mLLzmd=EpBROJwbBLFL
zoWg>(THh<|$hfyo%i4wX7L*%|H$j3W_p1VLPZzvDR_Gzh`9w?=3)^sKcpn@ql^4>e
z4>jBKb6N{`b;nHxnE~6;+~vbEg!BSB@vr8~U}$o9Z<mxzqj1in?9QCH(e09}t#c1T
z=S-$VyPmfQ@h|&bcwwyMd8s5Lq6MTm6_#V&IbIoTu4-r5qOh5TX?dDH-j?=T4T#>}
zpyyCiH-`#3%Nad>;k_1Vj`{Td&YYBTs87WM;e2NYdDA1RA4ScN4c>T_vcom;i!+U9
zInD5L@4awqQKMPKhDAMnhg<53!iCCH^_vvv)IM&Ug8Q+4si3Uue|E|0lS`8n^+o9^
zv{CGR05r6pk}XrGPsxr|m$aD}eo&^O*YMf=%~98XuD?C`!TY4-vH<2gmyBeeOw9e1
zk9*}w1zQ=@fsn=Z4!&|NoT%GCsW;SZ2vd#qtB$pHnM<X?Isxfz_gPqbR!(dl*_~&K
zG{3Hayq!pgtKKOPnR_7Xf3>fpMizGAiFZ+jrF!sT5bOK;{kPIr#`9C%1{BZ(YLh{u
z+{%N<%gAv87vttqg!`Fwe9r7a+}7swJy+#hRC*!St^28jBKnHP)jKp}7mEEGV9I$!
z{;odv#G*f?@cr$C+OlVo+*dihGasHZ=sK$8q1C?_T2p*S-}iaax>2#peMr${HY!bC
zs1NXSFD=5RS{D5)m#oBm(LV{I!@?SEtxUB^Dbp}v`NJ90t*KD!o$`(R_v+B@dBGs;
zaUeO8-{ReV<*Z8jWkHCO%CE{`nZD#=Kg{Fw5b3Lmr$Ul4UT|@ZMYWMeCU*#vln5WK
zMW~sv^($Y?;==JtS5-=&a&blTR!Ty`FC;JG5iran#_GTl^)5#$6n|WAAHZ~FWjNJs
zh9tjCcw%-g*7&^V$%M5E;3;KlH(IKV)>#?n%&HH6ENB`^Knu5msrNfnuyFJ}_V*FH
zb<)?NWi!p~Y6a7at~HgK19EXqJtqQ8IdXolT~;hOdDmCTPgi$pFJykJnFv601iu1j
z=!^gPD91A>OhdQ_-JhBPol}VnpEpT<k{*H4?fe^qk^Jzy`XC)udlQs#{@&d`8rYLL
zzf+U<-u-7D;F2IkW2&RB5bNFkuCa$WHKz4CmFt!szy1^d^r5#_w@H0$Tg5@>|2ztC
z<J4m1CF8<ZD;d73g9DYWisO}))6hbjgjaXQD7ZF_xt&4s>3-eD2_MCnn{t7&XMn8C
z{~hyOYyP=saI>P~`uDpWQYF<+{*QGMc2NH*7*DsNJ~DD2jIyljEU78^>XGK_2X|XO
zM?ba7ZP-!BmlF}DEcZ3|g!W9sJ$fRQJAmsfEj6b8(5Y)iJ*5;TIo^~{vVffN|CAjR
zpwukEml=FU=iJ#l-lEFg^X#*fgQ>%zn&G$(`;UL1H@hhnP-jIy1Q3R4Q2gI(waTsh
zYMclm9{rug*34P$(%3lJ8EwTdEq3rs*H@ndUweF|;&z6R5~8f%^z_H+?0bPh#A$)W
zUzmmSt!7fVFdno<L%z6!e|^NX>p#9$GCd8+o^r|owdr3d*Ul&oK6`=lrhJ@N^8Ks-
zSMv$mZz}9}aHNTVKg?U%ZCany?Cd|$K&kF6wKfXO8S2LJFe1oyi3?1Mxvmu-JYj;o
zeWyN4(>hW@TyIe#H{{00G>4CVOf$chn=)Hik9@%ueHm<Fc!(4JcXOVk&>*~@JQ>TD
zW|Vg7sMeH4##+;&mvfM5;x}bgW;<@}szr>O%Z5E~;aCavyYPhOD#=xf-=Exfhns&W
z$VkVHPv*4PyN-{#l~=zs;-rXTFEYZIp)4f^wi<3_2^4$r%VQwD=c<J#5?-0LCBvkx
z{O}L!I)uSjXz#gW*pg#yMGxMJkMFJfS)6vOlDGLF@ir8qk(J^^$T7AWQQ3UIF=lOK
zJt$~x#PR><14sWqqi0vxe5kMGq5pC`!T`jOyPE1_c4KToZU5)IKmrkYgWdi&l)VD|
zfsp=}L-vq(_-YHh=h+sv`~QJNxy3;K%Q0r7gBAQg$+Ew;Pa=PiCc9B2VwW2qbr4;O
zk3vd*QPH!)xcG<ptA`b)_&ilP`q_H9gKRe2`LLf~X*CcuVsQCijyGq3xux{sDf^yz
zss(1k{R~?Hg70N3Spr>>czfrw-%B8%9Jpg@<U~3t6Fj4&Yp1qfHo7Lv4oyO?44~ZH
zvhU=--JUZ;@@KQBVa9)_^8AJ<lm#>c0z1nB)!=9f<>m0KUF*@u<CH3n;f2<k*uf^e
zCcloTD~D3g@l2b4hFfGSFa2PYGF_(_B4pRqR|wq&qBz2wW{^=@QeNf2@Y3ZwOoUyO
z5zxcq?SA}8rv$tyZ0)|+@TJjX7ey&#x*`;R0PU_K_qsO(MjmzNJ41un^%=@W#ceLJ
zJJa?S#pEZRNEzN>eKf1jS_pKt?<EQ`+!v%NvX$`F4x%($oT2Q-NGn)dwWbnkic<OA
z;Bkh{y5eou2Pf!rTV}J8WZPta;m7Bc{O`A@D=dnt;wOik5qS;vAselk7G`~6iZEvQ
z(68(W<vkK;)Ifzjn=ehB-xRM#1OuQ;YBof;+0a)kxbB7{Zfx%1YeUujSuV$v$uli)
zE6+T6Tm|Z$7eRiXKfVtW14>c*SHVyVxF4r5U<u5lB$Wr>h>NZTY(_b2D><fxsi%4M
z@Mm`rp0rf@rBMVIPz)PQsuJYjV3YAyRB1N~<Kza-aV_q_d`dQS)O54?Dtp+KtKfd^
zG3itPi)-BxSeD?)MUfXo&;QEt(qxf#_meCESn+!LPmM}gu}`TL?z6kWg<!~})lMm_
zrrLW}peS)=S%<>`;ye@3z+T5g+cHAT0D@novhrHMqiyqRvk{~N^NDa*!kUUJX?#j*
zfQqMg;AoRQFR2GzQpahNovFgE5I`_Bft0Z{crcEU&3ycRF{fi|U1eCeOG;Z(THqpg
zr(DEw#1W<ty!IQQ;<C+0FV4qj0Zs71yypvi#}88M)|EHVoPTU?$=0Sv*fGyr^rkp!
zobR5lzgV30>}Bj2>NN2wpiD(LA65|L5En*+{^j5YQ2NnSM;BkbeTa;{!J_{Xzww2P
zFs}=IdB5K;S5vvfv`W7fw%DL9eKV(rZ)UQ#CbDEym;;+ls2!hfw#wQH0e@p3J3Za*
z<W0G}h>8(zK+2EftOR}So7KW`#V^>sb#3)HXgOw%Y+`k7Ld_FaSJk0?qVJ4fcaSuW
zNO4_E{n@*KJ4n&9<*AAE_EQUK_=`;QRmDl(B^yS^%*lL{{CZ~Q^AYQJZ;oK!q5OwP
zLyPYJ8Eihz*WCuB6aog)KL-|we9+FW%g@QmTGO{cg;rvbRcbHVo2DLw<py*e>FYLO
zy1K(Bd*=lZflG<o(fO*h*v@%wh7^7Ji&%birO%DE41LNg@d2-!28Dvtub*B>d~)Zu
zTj0^Tkl|jp!sL@$dzSc7)A?c7HAza#FKa;A+OD(CTj3Pk^0siJz^s22s*$#z^@?c*
z2j4r)-*Zn8YpC&9ls*Y{vMs3wOh2K=Ux(bAsZhHWCdw*${KTkdNAuhfZBZI38cn?~
zeVUO!w1iK<Nrranly;(`n`g6fi`Lm<D&>;4igmbWFAKti!*bRGx#OaeC^px*u*Vn?
zG~-D_s^X>znHVo-x%v_*#&9>uCq)2%=**OAu2k`1^3!Jjk2{@uHJ##E(u6{z&y4Ou
z!8NCLMl>y|x7+;~5OF62VRPm7ka&v8d6MaqHuWtD7rhU2OF{G+Q*M`B_`S#)DPfaq
zJ+-nQJ5#>jd7wQ0I>e<fEP|TQ5`I~2+P>DT<nJ{4q@qpoWs9%?{Av;Q3C?#TIHFCs
zfjEsi3kGP~=ULwMfYK6t1P&zRB&hqTx_X=AY5b6p-b&|=^^AALpIe%f-DKq=((O#T
z68?Gg;l=`ta<LLhltMtL*j_uGkoQYqo>U4(0eU>Rmc|pUR@HD|ebUP_hhH!LM>=PM
zB+~2wsGnHVoAA^RweXQ31UTGicPHr|YjVHXOsz{@W4eSM7#!P4(tQlUxR5H`O;bX?
z#?X?Kp5zDrW72?dci4AlD4%SH@BKXR)iH_EGYiD%Tr_Y^8u@ARRI=qnqX~)Ux^>N5
zitUgk>N=WjF*s^JL60I@XgeZQ<du6+vnzY!#{Y6Cey2>Z@aw6c)UD!lcw)(ipw5Hl
zU#Z^Mjd-<Y|M&XK&*yx(PMuXY<kMX~b?VB4b03q)4a%$N6oZQl3lE^PcY+~b3eWA(
z=_#c--y6l1Qe&Eqw<dcRb-XziQg`)@s@sid1#OM=uvECpp1QZ>!{Rx1jv2;)g4lAY
z&qyt;2GqLLITPL`Y$^#1TsV^rIH~e04W$ZL+9}_YcXQ4UV?HqjPpc6EMb0$Y9SNy?
zvQN^k8V9l#Wc_HdJ#%Nrs&fsSsApp`%Y4JLO64?25KE(9DYG_q8M+5wz8NYdH6OoX
zC1t{V4$toeX0L%vUDi#SdY2C9Wh*$edW}SA3zg|C{k=2ia3!SYm)*rjW^%V)&P31I
znjL>D{SF9D6`xgHI(UJCqNRL9gxNBTK!EtsPLQab*j(OKJA4dv{&SWzeYf;!pESwC
zI9)?YI(#+Ys(^SOWNxV6S(!cu4&UOhe>_u9nuFjXLWeE3B2$M!N0C3=jx(?rXpZ}9
z7IaZsV0}(3P`J{w7%F^#7jt>}KEz7Ge?Y+B#6|0*QfHa^FH~(PrLu%&dYHl%L)>O$
zRx>o)n@dyEE+oshxf%@qqAjP{%+0u%I~G0saKX#tRl-s$WHC~+U7Gp;`>Gk4TspO8
zr$IceXY}Z7Taoga=g!@s#bNiN?{Or9qr*WDm6x#$1)h(@x}yK$W@tGU`pz8&s?;Ap
zfat7zTc!beLA*|F4w<L+)Ld@z;|Y<f_M%IVIuwK}l8e3QnS_0vn%Z5oOf9TW+al96
zk6aqL1naq$0sE#$YI#~cV*mV5j)npxmc&JR<=K=rn(P-H$^CBTnzi$~)P?$nEQ>C_
z>;~JgBR4MP@OvD4#$RIc{YE*>dkO!NedPB9DLbXrbJ6|y+CfHS&fJFEIA-sscQyp3
zBIRxCMXCyU_2FoQeJ4K){9~CR0xU`4Nolju<q7q(RxUM7t#F}|oKt$bP&sR1a7Vg@
z?2#WgGA8hB9)u~C_=T4=YWg2z`J4~o{D}JYYXiv|s#hCXybPnZ=fj#9qsTVDtB~)k
z&q_ak088U|dNqlX1IxMAQun+R#Ny%4Be*mW^C-o|wjwH|Nk=T}=(A+@+B|zU@^Buf
z=AJ+hp-Gh%|6F6s{eW$&52$VE1h+MO60Dv78TDfJRz+9ei6=>6iJ9LMhrZtsNg!N<
zn|x_b9?u6n{X9MgA$Eo~jZsXSm^o9GI|Y2t);GDkJTD$YzpXj_f##l-l~{#1-9!b&
zw`zKn!y_yh<z%7+!)kFMWza`ql%kGr$hJ(s^jYjYi9F~0Zs=>JL@tBV7M!3->g}4J
z+NI~mcH5JxF_kP8Do-MH$hK+heNkgu^DBqeFhvM=c}V{JW?;5WXxNfsz=B=%<zjCy
zQlw<=3KG)n>*TZA(6ttVrB}5cu80?pn_d2<5mFxtzK=KwWI&?@S+*D-gYz`(>sFI$
zxWAz=rW6w1-L?W4#1n+_FU_>xzFxcdMcYQ_m8%~DO~#&FbK?L8IvMQ2zizRmj%zyp
zXzFfPcrXqJtkh@Dw@D5uLfjmu^0Gf-tCXsmWaTGwsc#DzB>Kc8Zf?07k1b@5prR?G
z!xHXY09Jo-wL=<6o|I113tJ$b-Uwf`E?N5vw2wW5%lsn~m%EiK&9W~V{|JC@IP)Pa
zsk6OZ+O4wEacY`0&$c&X#lv=N*|J_==ZB3xnqg5g^Opiz%$BsVK=K6NyyYS+1zf-S
znk|QLW=K+7*uokO-((qyi}4D%U1EY+*9?8=**3ltZ!9@2R!vrl{2#yf1Vt^_WmAF|
zR6M$xz1z{z;1dXUa2(NR=omw5Rx^2z*@zL-KjnBzUh_`B4quts%Bg#G=T|OkA&jzn
z)WJa&`lLjBm8U{|Tho;$ykDTx<({7O<dTJEcl(k7`8I+svklZ=`O9Eun61eGbs30E
zst<s>*&>8t1W3J`P*>)>{@DUr)aS2xH=DmwD7rwRF@T$=v2gK!5%-=!O|D@WCUy`J
z3mpNacPumk$w8zUDbkA&l^Q}okP;vyiqcC21QY~Rx-<m>QbR{UdXpAN=slr?K+4(g
z?9A@$Y?&=HyZa-<OeQ}PzPCK(ey-cJoAV4EL8AW$8-ozg{A<=#nRXTa3f3I@c$x4L
zz9~by_v+Rb)t?Bjx8>%6qA9hPP#cST3g8C*WiclWMCDacrGPxFEATP$0cmD@&NH(e
z2IFW+4X_PQ1G(XD8owC6G0Vh8j?_2BQI^RR49$+&3gN>M^fxl360yArq8u8O!?q4j
zpv_r()jOlpwZ>--OmPQh7YvNFI(b<L$VCOL>*gq)UOp%O^(dRUu{;v$Kn%TVihnP<
zzdX?wI{c(&1plNKRZ}^0%np>-Z;*Bt62BDN0i?!ec5=jcTrKUs&{c<;QSt9Hwwx-@
z0&gvroM_;e4dbu^>iM3yh~t&`YRpAD;4I)+iAL&hPWd+}a$d4G3NF^$WA3s($XtZX
z{@%MTcId+x!KC5b*()wG2hr7-b`dV9NVQrECzm7joNiNXC1CO1c#o0#&9q>~K^*Ot
ztv0ru7t3e&6fN`F9K&}Gy0*8{;^+<_-azvovQJT;k+x}VA?aNSFS~0(eh=+CM0=}b
z3R02(NT!=NCf;^^En4+9GTV&X`SNFV7jtRmuJW7>_e$v}pVhRAP*5PCb$*!Qn=-v?
z53y-J_A1BD`r)b$a;UO%tvC+mSkN5Dfl@T&!aj{dO(*Q(ic=jqHQsD`E`PE%?AFkS
zGg<%KzT|>uxn3Bu1_;Kd3g!rywk;Vz93nRF4%k-^BWr(>_7H%){p1LEZ0k|dQ3Yq}
z_2lQzeZP07&a7o~1g~_V<AnJcnYj644YgQg7?A_G5_th*aG8Av4tKkHu#g7$uZnWk
zR$oW{bGt_-{AM+_XIqF>=y^aiUkz#B5~N%rpG^;5s5m>dj*_k&3E&VIhI>xkJqY#L
zVt3!$8f;$6onrU-$A;w-u_|9_*5ZBbGL-(!NMbM6lzwmLk4CzctiGn5!wPE+(-=n!
z#g>LaiF5pGpo?^=;BrKq_3-{Zkw<R_!ipfX5@q>cFP85b-v5fRzHWUk66CQH)vQW|
zhAkKic4uE0YZS^q%7IUKVH;oxw?}$U<n1Y5{$uq0lEcdjC)qlYvotqgoCMN=zRVoR
zxsnUO;E@(2gEpp0_DY99S60~B++5q)utbEH;<oGkp;9x)$~R&+ZSxS5KjJZ$7~fSA
zL>7e7x89IB3A4*NrO3OZ+81^6JTsQluV+4*IQZ2(-umU|{pUXs3c}KP{tDHV`i9b$
z7mZ(P!qKT;^D=i+kE}C)?u05pN6g<p&8Fit2U7D_xOYI}`_^^G?DIQQr&`dLwE{{I
zkangjDY1bFKYg`$O#t=7Cm^hlrIj=5{9Od8LuTfj_(kl5O?L=DRN4pR1z6msPyVWg
zYhqI2+VQz)FZgHdTm5$}$|Zr9<IxwFI1(4#D^w^FaC5DS^eWgk9Hlx9vB*d;P?tG0
zVyxZ#+IUDbjbzGsW-BK8oTH8qwj(~5dWctzYw-q`INb>k`u;P{vgV(>r)O>^=UoB2
zpBe;?+~9j8Iqh_njpyZc<#q^Xy@pY&T(2X@WP}hJS5orPnh*Z<AG_JvXe%o-Bk@-(
zlE6U_AtI!8mAr8O=a?4fg2;L5z@w@U(*r?YJO@2*>PVY)@)H8B;H4MY`dRO7w1MWo
zsSb4mG`Q{J3h18a90wA#P^M`?9;>t$EQ(AO_=DVtZh1aFI1`p(r$2mB-<DuG4%+Hm
z05VJFIOxZ@4j^f^I37<}*eKfaQaH%Ouz`gO4m13NpbBHLeP<8SEMSyR4v~td+n0nr
z(^8fEEW(7El;f6tj>0zJ`I!xW3q?>j9nI09p1lL$oiPP9?YC4rni1fRx$@0ZRhx}`
z7~c3SH20Oy*8V-eX|uF$@uEFz-sc}>Tf9%bGw=k^w|AK5c?syrV@Ij>=4<5i_A*_f
z!d&dW@x_&PwUFvNo@Uc{r&g{3is7=|o6;*ExsqPDU$S|#?4(S^%==75QSuo%-r6TN
zviZr}E3YlgGp%r>%^x%N)X)d%kCOQ|%QLQ6pHgV8+1*+^QRV&T>Y*`)6-%8UXhNt`
zrU3k&XOEFf49MxYchXc~?WW$cr+{K!_Vt(@?*Kj8__9MntJ9O<K2fik#)M-1gW@j8
z!0CxSDdkMa?89}3$+cy7DOw$tUJ3iXTa&^(81|joaPS8iqNGtnK<7rA)pN=<D&fC7
znH2(ikf1T`FuqlNR6(*beP3Ds@#df0rE_VgewGj8?l!_IoRFG~a$th6?@sp|7n2Q8
z2vQ?d@_5b>4I;(sOfPvrCWqR7*gI;MxSxL4E%&6P<=bYZrsn*^ugznOB&LW`8)g#S
zqAh^wOrov}ao(@4ded>4MQmKu@V$Ws(dg{Bao%%-1(91Db|Z(yp$3eJ!-A=>PhKe#
zHUX|ZJ;mFji%#eWtmA0;)ClZea5a{ugBq+C*(A(w7+cuZjs?h-*)tWS42G3Ue0_^x
zLBrd(rl!BRI&N~uxcet?+hq+|e(#}j(=4Dkfks!NDZ3-$WvBKza{AkGwgZk+9giIp
z25Yj6BG&<#OE%u)Noh>Ij03D|z18-4BZPVWbF(<fx{%~RRE*J1aW15Cc2;IVEXJOu
zg@M`!o&G+V<S-$s|5D&?_*2?asq{z9=!$m|%AXoX%HCU$*y$eNL9&t07Lx_$k<yv%
z8Bqxe<q<S$yF+$BwylEe+fs97>mQq!r-;(_z;|`<8`U?(1F+Pd@u=HJY92NFhhLN7
zcZ_t@_{tk`@kfxd+#NeuE_~`2gOln@GeBxlJBjx!3`iJ^7C*5J0+>WtYiQTP!(JA?
z>*UP3X3{6j$9?n)Fph7GqRawOT?7I`@fx`fpfvcA8jaLcsc3&k8TzfT5?#r!-<_PM
zJLSTXB#jQ)gEREhTL{r|t>m1^UgqV0SuhYjZT2}2Ts3ct!hK*QEi0j$V*0jGjF2{T
zu=B&{>7Y^Jz=f&Kj_=(f+p`4Ni(izDpE6Ebek%*0h<!9wGAEoV*z~KOTIECLG)nK9
zGHyh<<>#-T>iFIS+|4;5r_+qTNW4FBBklUf)6R&_P!C;nh}xbB)X^uuS;4V9^`I`^
zJ;X12Dr_LNA-IXV+6EWker!zErC_MRBwgzfc`fL|z!~a&n!Px5d<tI+FYH5ye?#V{
zj{c5x6_M8ZF4P&k(^WBjQsgxbi;F;t5rx2Q&B7$bLIQ_PheknF$qc*c4=_By^|bCl
zFpqdb^JvSCIoPZ9+MC^#gn*5KC^U9%i@yLtBj&V%B2{sh3aZ0f0E~G@x(tznou;8~
zEe9?f^O{fQTY{w`xE<3B+>vaSRv-5<QMjseTLv^)U{JlA8ZpmsZg0L!g?yV@6TUOC
zqp<1Ec({JozcU=+lHrE=b2IsO%(aN4*Y{vrpvJWxM<41)(I%ZZJbc`1EZ-+vZlzvk
zUt69MUcZ~{;{X-B=TkT(ti&kRIyJu&9z(ujdKFq<_-6Zpk!#WF4x=dJQ*zIZSh>eO
zjWdS3?_!hAN+jO%Txp$)1sV$M;NMuEDB!R{DNy(<I_^OI?yWvGl9u;T4BTq@mHzA~
z^2CZrmbL;lETELGl1Y>g5*8!PwT9+QT|f*ed5x82O#hSIySckQbkmV!Zxpzr{*gPd
zTWX3sJ;op(3b}%W!HKvyYrs3<><^+(eDg&>wC2<%q`kh;b*{tOJ}6qM&SM#-05-1|
zb>_&HO8)D}b%izk5H4mOhpeq?sL8?w@lQE8*r_|N{V5$D?=h0<4RCGPq5al1-uY?)
zL)rMxVvoTD%+?;zs-445#A$P^2BO4%PBaR+9H!ToOnzP6Q})xlHmIx07zSVM`8F>(
z_Edi}-a0ah<}^h;Bub3O&Erl{7rF&Z(u=c1tjLNV>cg5b1&-noQt?eoGgqGki=)V8
zqFI(pCvMAKKT@N>9d+ji=v*Q#%@>E6ob*S7aR0f8mr(EHGRkX(5q=eq#T=_T4;2~R
zsE=8Tvi5Gt_a8iBQ&|SFx>i%~(5|ndcm}n_5yUx4IcXwV(D+U3J8Hp}WX1~3c+pof
zyfQ2e%!>{Bxa~CiIwror>lJZLj;3APv_;7%mUdLwOt!JVXVc_A5@UofNUO5OJ(vfw
z{idCAyfw69Y#r#wd+cBYOgD!}Fne;^500^==2QWB9_!C4<M}VeO3m!s*jRey%ae+v
zN-mB~8#MGfP6s)E^6x`V07<$G=y?@YtQdm+Rhv(@87vqF?_JUF@+h0^KD6EiTcosH
z7aq$r?zsu^e4IdgX{5i==d?PkIP`uBC+{j3v=kS3G}T?~0Rl+D^QMz&K0NdXBl{m3
zjq_F~1iDHJJxZ6SX1XwHlexicioagncsH+kveoiZZUS&SNC76r7*dKpHJvQzM17f$
zfOKS>hYhVBd&j(lYe!uBR@J?-ZUND<U?qqfwvAtMkXJ2g9cDCXUqFC}0IIca!Gbu)
zMul~r(;ZZi+frXYcHy0yJUlu4$e1&uZ0VQg?Rkv-B6>bY<Xkf!a{%%q=QSN#K(%Q>
zo%`8L($5Sfas*BrSC0r2RjL#1BpQBNnfF{=aZCDs_jyQ0QO|CflxuIVck#<m@b&@K
zdV77sWGhJ;yZITryo?L#Asix2AC&I6RU15`Nh5=sskCp@Ju_2&AbPKOyBUz=L+H&p
zxxQ5l_JJ)$P8Ky&61@F%I^4a7Is653wtPv24<?jnZ}0sF=C}v8ZA>xwUY*$y=sOVh
z@*4iZJ3vr7AZkpj(L3{oo_DGf2|zDTGZ@7vKI$~3oAK43AxKnvbpY4x%)VJwKe$zj
zrGaCxA99D}JCYql4IllAynE{Q$rA}x357uaYCdzW%Kf$WO=dqtSQ)_3I6oSdrw5VM
zIw<x>tWSTA5-?`(9#km1x-#Z8S)ZCE+ni1@k=>RntTNxDouAm*(QNRpkqwOXKHl3s
zmg?W}p#|xoKOR6jE2c~d6D>0P)W)ENoihkoV~5~M<4_<KwBK_Z#M^$HK+X1M)pZfp
z<@!NhAgVM5s4M>6uq0(?0+~T;t}R)z_SrM-oG>C7uDxRNy)G#UE19s{#Y(wi8=?DV
zuUxJh1W&LrVq^dd9N?9yMWF5gI%_pdxfWlBJo7R&0lH#~D8SEVJ3RIvdMLixPWG7n
ztR}m;UdFS}Kg9Un2vaSjU7}y0zA2%aY_!+|Ih75;^vcHZo$2qukz~^6qI3J#7p}ZO
z{L>2$B|GjvEN4B>lP+FSsKteATk&B?sBUg!O;aba=45m0iDYARjGp%FY+A<Z!I+38
zU7p$pWaEh_LAZ0PwmfMf-amR7=GHuTpsvF1n);8ze^yg7|D)BEL76|c5BY!R^X81N
zURrwJ=q%*UinlHZq?PaIIfL9^Il)RC4bg^+FPGunVi^OMACDBu<X1K|tf9NVSUPV>
zehDbS9xK490fK~`|LQMsC@BcQq$IC|AAtDRp7kxihL%kmf3rW`g1$ZZq$e{-F-W>g
zKV%|>*_%^47lo35rt@fPk==pkbOBKhc*adcRT~Ro)d5pnTloY2vg;n7Gn~aMZ^oaM
zz6nu(Jp3I!pM|@|WP{L8QX!<BwnIGs2;G4&t0J1y`lqP=FzSHsnSXO=$)n)$-5BGx
z-&)aM@D_VlWw(#Y7g|C9|C;#}Ty<K5bN=6{4g2nnEbnc~vHJa)C%ryIg_`Yw!>UV<
zt8(5i#$Pd7ea|JQ4*4kE6gu_7#$n%k3fFBIU$<H;;kLx>Uf<}csj{9*nHYf#qT?Xd
z1MTQnK{Y%~4PbZ-b7safw$GKPseEd!0>SmF>(-s(7wpoSFB96ws~dyJnXN$9@yt%k
zl!)U%_^DNAFdQsL=c}x1qTI7?-oDA0LAiwHY*&1!6MHexom2fU%U0-1IQbCRwhaj|
z0;t^~)bzq%ecsM&-uek_MT}7Z(CC%Sf%^n|9$xNv^e%dVSJ4G}wzFTbAMFBRTWi)H
z1NLL~E-dZE`amxI-h|R-!W6&ufR^f%U#DnfKmUm%qoo(Dtt|0tPOueRij^?_NhZW$
zqZjV5wp`)!-kx?;Ta%@Tia}f@Mn$4z5Q=jh*?eRkfYNtyR<2s0ARW!U^uCp^BsD`-
zy4BA1n(+B|Ap$*ABiaKxh{_P!qh9THx=5~E^C}LRx`>4rv+H|pT?tm4W`}#7?F!6!
zNEIW3qACs`Ky8Uqfc-Iy<$$zP&_W76T1NTM@jk7IdRaw`cCJ9jtE#hceePD~j>s0B
z8Q2=`8r_ow*^;3tBmb$Qo&t)A)Z8u})cK~Wp+eFqX*NqHuT~U4^ZT-#_n-C5=YEB^
z7G+p{Kdsxxm8UZP_NJGAx7ey_ES|RE*G^Ns)MRDU5ZbS{mN$c9C{8?Bz;BErg=mII
zO==98-I4?li$mv|f;vN_J~DE@t{u-}$G<#V`k82|ar&ir=(PxV&&`fg;V{ey$b;d~
z2Ei@?;%fohHA-5uY;~AJO9nQhzPq^nq`s28_o-W*i}H^?mtQe-;X9Fwq+@8ZldBNE
zFN|y?NThq<)v;3<sb(9$XG(HPAwZSUybea(rSF`eDF(i!M#^42!=>wRo#&acWXM0v
z*$v@Bnm)7lI4mCJ9v#)e7Qk9_11kDG>R}Uayy5DHWC?L{n$stn2gSRVu}wRQ5XnsN
zM}KQ?T9fEO)y?=Lf)p&Y5f9CqQws7gs~mT5k{a=Utmo$Oe?=GZ|M)ZizbTx5^QEa;
zG+em(;$copq5;9AV1Pg4oL*9{oB647HL0J!#KdMUn^6?Jk=O-vloL1Ua0>#sa^NoP
z$Axn8ders-W>=3Z&E1U^l4|oAza>_J7iF-n?tc2rvuq1Y*;Sqp&R5zB5b8!7Ub>$8
z5gLpR`+~^e;31+b9lErp*%VZ`bvZuyDym6k^3PPdg4O!AA#7;pFC=Rsc^?#w2SK*L
zdqwM#%lAZyj(|+L3!2gKr)8fuUj&k|Uqe2lfx5}OcJHWholY|2S|D*^AZalHdNzYf
z`|<19YpJyB!MA$v<T_vE^L1L8xWUU;JS$N$k#T5hth|}Jc>pgMNM`nxm|scB`#Mve
z>#=L!FVk@E02rysN;U^O4!p_OI*dhKqS{!Dah2y6ty0o$p2k0SkKjM{J&Y+&PO=n@
zFypp-dSWWAF=WId^OIEye7ZJi|8Iz2;X~!c?cs-v&DtYCk8YQF=KsKLNEk58{yRsg
zcpI>F)nbHx=b9Sx+BjC}(pr_uQbz(TtjLGv((eCO<W4BEP`d8O>cuSrx^ktB^Bi+Z
zTZ>w^0E%@I8bpSEg9@vUB9-#jjv1dqQfnhiy*`Q>md$^-eSi3!YmlXl--39AJ?(rW
z%z+VK`k9(vfoN!LRtMAy#^BEQ6xbjlZ2zbf8~WBP&W{AKf6{$znoCYg^!7XlExOOQ
zCp^Ir%SBAF9x>RS%&$p`!}w>VWe79bl`|9ctgCa)t*fU~DwqA<JJ=+f`}x(I?Ap_f
zOMRvsh$a})oHYse2F{d3Y_!(SP3}H%Sj*-lwId3h8f)WRo<prRvF98D`bWg>=g(m9
zq@KUPpo33$#U<1b<hw~zIpV8p!}$Kegfcj8VDoS!8;Cdk2D|~Ib&V1o@i;#B=x<xk
z+dUUNHXDOzd~3}z)XV~Ew*k2jgA^o!6<86T>omj0nhZy$R+qgins0)AeA8|44~90=
zZ>tTAa3d9HoNEBJ8Fi|UL~BFcqec+Q6n89eqvaLPv)j!^6+0J`e=A=x4uksEsXctL
z7~JilASTrLqwHbhg4Mm?TygCBVx3dPkxv-5zN*@8;)1@zfrce<>#@ldc&A5l&Ta2o
z&1GHq{T&#s0m#0>z0o}&<^}ZMOhARarX27Fh$at!%swX(M6n8}V4OX_sm;plIfR_h
zX2qNYW{j?Cp#utS|F#yaPNctE-3k7zdwx^r1o%v%ZZ(T>+atvBa>eEv?Ya>_@6B--
zRnV3|>X0RBV^jpQAm$_3=xTJ8qtifbSQotXMykUipVd2kP@UtL_);9@x2F1Uf4uqI
zbf=-9Jy;mL*Qs3Ck}Rvjy(GSnhkdwn<d2`4b|0Pq=AYUjR0$&7hIu|yrBQ@WTXd~*
z7O9y=(aeM?oXM|_UjM-3AwJ@GLGDxd`iRSg9(^5}c4NbW)Ml+a*@5U5wO|bD%vK~R
z#Z?RP@BhRapV*w-R*-ZF3b(CL*uEZsk8L@6_CAsCq@Hth-jYUu3bJf9EBnX$(6UU^
z;f=B!ZPP?c3G*vZna+|PStHGY@{E+4v>|QE;5;^mhdNCh*s}PBlo>(>lp{cfB+f|x
zEeFd9FMozcnDdi{hS2DR``!vmHL=&f-}woC`e*ZGwdeU-BY+R#MwaSCpP&{RlLI=-
z^NC7POc@-h3||O`Q9KTOy?UJMZZSrK5=KG_e_c}@EQt_s(qg>7K@Ljr$8oO#JE!(-
zBh)!B;mVE^P|d4q9xAhs#9vt#j58{;jZxF6ydNKFaNf$cEC6yE#kPvB0z9;+TAH6F
zrXA#m@lR&(Cf<q%?8Tpc-}|#Gf|F0abLZNLlvmvUoEVBQ9Q6*hcMS4|c9#FvCwuk+
zUO|07ewNCUV!4KKbuM31jP;6Z<(wXxAAT+0#HFW7E#XL3_vT33==f0I2Il3=Qul%v
za+u*}U@-uGSgJ_1VY<~qC`NECTOAnHDE8DqQ>?O5%aeScaa6C$U+|5gf34IC^>)jO
zK0n>sk9tLAkZiz=TogMsrKNtU>kBN8TF_;zy$$0v+;&ble(!E$hF>zId_zevvi<*q
z#F0R8<>e|$TbwMDbGCo)SBOk*i!~%lFYUemB7eWFA+Rz&<sIUb?5Jm5Prj7fsQFgm
zz5Pi#7@Zo|x@?Phb|bQkTOy=yHS_R`@%>@!M3a!$1bEg1*$_&m5y#)q_z-ByyPxFI
zs`5N#hTmSx+$4|g17pQ?+Xb4kxx6H8OOERs(YnqRYRO!^!P<bU#%ysD2O@yR3U72C
zxiFp{KuRZMr6#;>7MQ5UuuZQYpV_SBHo{@c?Z=7W=TiRhGNF36;$wnTm-ZcbnQU8x
zGT{m1A(2j}yUo<luj>FG3eQ?sSFNG&saPhP>tanCnGpM2=tlC=!WlET?6=%J>JUv%
zt*cHYPO~C9=hA)-J2m+ftP~O07JBx_sHn^ClIiVGJMYhSVn=)q1DCE<Mg+Rw?N9Y~
z7^$ClFpYM@?=@|qCZ;Ix>L&GNeppB7x>iNTmX74tC0=gsUg^C~8ObG{jC3W{Sa2sW
zZja_X@Zm=~GI9d$fryaU>gjvV-PYfy+ViK^Zre@X9r1D4O50NTRC(w7>F0J5aj;L4
zFAPTKE;fo4A;j7NgRz`gl{r2~v8pVvO>B=`@rk?Vt%vcfFPhGZof}Q*^Mml?Tq`cp
zU8t^~sjlVN9FA^+;Kn`hKcmX9h{QeppVdU(=$>T#zxRhyQ-$mtU!S|ny~C88Wd5la
z&dH;e*i-WtdN**lT}Fu{<MAJN9orY*txmlN*K$A4&mH~y=)1AMMZ5<9kLxk_Gj5V!
zI0J(iAZlyIjrO&^9jwH+nY9lY^{{oP>f%xR`F#O`Sg2jWPC#JxiWpENu>dNl7gwm=
zwSqVTe|=Yo`^h>qD|Lm)+k%<mBzV6jVuYR`MvQ@DeAa%??1zSNepW$(ud7h?ZwjaE
zEl_HW4aW6PRow{(#N7ek1s`6j2!%)u24=Jmd2n3*4Ipl4iv8@9S%je7ApK{enpYj}
zhvDh$*p8HbE@FcZ-~?T-6w@q+;O*k&)yP<faBeA;?o*Q=@a*N!_!`{!z$M?oYU4d_
z#&-8yyu0kn_p|oqbEyjcBiYAZOo?OLscczwr2Grp`oN&lsrLbgU(Og8i~-9X4o}^#
z)>a{LZViwHi3aUC7lFdofl{pfctr*5(j%=iFj5Vp@h&4p;n&-)jC4xip07~dUSIe0
zBgqF(#s1#M1Tkt&P+H7CK(1g0OmU8A=Q@JgcmA%@MMgzyNkJVI(b@c@)FyIMR9o7@
z!}{T^cJ*L|h0siX?}gXXzJJqCJ@pgYZ85t+U7_(0kf(|IQABV>Y|a&BDN@Z>75J5Q
zaMS~uV){!;P_1G%Doei7JJIfT<!{lY-z?93mDk1+)MX^6-V5$7`TAH-2UXS7H+hu@
zjd#0_bln~FExh=!SW}Zmdhg7WYb@8DX|tmVnM+N+jhp`l+QsC=icro&7$V$uj6$X&
zBC}niwheNEs(*Zs-I|*94XA0CW!i4%4Q+01F4komI;Y&iwx71t75x=!TP60odJ_l}
zDj(!j*S3w4P(Oenrn8w}XKdpXto;90zfF14YQ5(U^%DPk1dPw*9)W)!`M#1Qn{KB1
zEX+k7YsXbkr@QK#v4pb6DhXFRl^9v@QYf$V`4T-!sNvQ}WDNrF-7Cq9zoy1FoaeS8
znNnLf5x}noT>9DRwV4K)k!2B)!ttKQYW!A#Re>+xim@q=WyI(H8Lzdr4#{0XV}K(l
z3TUEDzUfBEk-VBU>&ZgpQSO8tK6}_yTKe;h@U@YR%YWB-)I?cDYh0y;7Lr60{}GC`
zE%IEYL;ll}jcGy2=Zr|qH_pL?VlR}W;%h(J=lZZ9gUEgg5&YKZ>MijKS7m3Bo0oYw
z-#BFzGh3Ym$fmEg(D~H34yT)B)mngCi~)~p8Hf48gukT?o!u3yz2wjhKiTo8|EoHS
zV&`1w6{r@lwNBGWYT?Z?^n2uh1c0+w-F$5o{ny$T98z&M@3n;9&j$04X@m!drwz~V
z`6`_Ya28O{)R%R%Xa-aRYr#{u;)QF{l`|Vg_a!jDXYbx^y_+vyCMe1HWVKnAn{&s;
z-eXH}5)n4B#ZGpcqg=0I6mTX=K32Yoh@i7EQd}8Pj8yRwk;w;NuZB^Q*n`7;s<-ZN
z9_U<b{kzJ%N&Q0m2Q@XvgXArsKWZj{-XKK^J!)&%3Oq89$L}(>#|>Qf%D-gXy0|pc
zGo<x4f?fO}9|-mg_)YtyzSOMdw|H4Hur)4v9RPDsbasipLdvz<rE?yJ?QzdS2F0mK
zPhlySt}C{^y1uV;8a0ri^r~5%I^9hP(#Xr`#@zTG&g9S2g`J=58tPn<{-?+AWy4EV
zlUuPr3BZb|$9TJ=Bgzg#rts;r)m5EtAEdkTiu4uX;3S&*q?CDPyuIhlP<YX&(w#nU
zcb5T9MqQcKv;V%^S8^&2vt13|;nyKh7skr{Uv0R)RL{QY60cFh(tbLgh3&d;>^8^~
z7l*$=l8hk@v^8@##TiU!OKy-50V+|o;5WJL6r*joZ1p+m5!QJ*z9jpb+w5{hveR=|
z)6Hre79H-bb*Bii(Ur|h+Wz7V#|m<ADEDQ=rdglCulEOY6+gzvj5NQrqCcaFwF2$<
zNX+LArUtpIxD?@I9p^CAXf`)Fe%ze;lIK2OhicMP<)(XlY1%fw_|xg1qALQ4e#s^i
zQLg`Oh|+y;g=rs4zrhYdSOTy0<N8$V1-H>B3un%bSbN@1m};o6tQu2NV5A}ii>SQJ
z^J?VEZcDOzw3d4S-~v$?na3O&fA%AG1)B1>?Rh^QuaJ8UwG$*IPR5i-T~WR$=4y97
zE55hRk|OTn66z8L>p`7ib{})Lpkq<8WNbN>m=M}2tX5rBGogfyD=L7k)ZFpP@$wbz
zT5|hqe)ETHH=p6)sT|v~qSmhDx3v@Gl+c}tumRBBPTkA#0mYi-_Apl=XOqhz3RfB(
z8|y``AVo=-P6`mOC)4fO7ch~|Hc@T(Yibh)E$Ib<aW55^zld=(h`-5AT2|gWRU6g@
zlkEXY7vr;FJ5!1bO#jZsWor)7tq5UUPKt2^r4wo~3UCR;EI}hLt`M($|Nci-iJE7;
zef_!<bqJq%{Uib!BP>mg^6@R!#u8^$+rf>IMwh0#xj%mDa5j7WMx<Js_@{;N;@n*V
z(w)ZU(JW1kSWtLrN-peBIzL6%Gc<_V&$_~#!jIS_OCuxF`#gl#@w%5DIK#Dc-ooCY
zyvWw=<Cgcbgc#cu`ZF0DHN{N_G==rh_j_JKNc8xvz@>PZy!SUs;$^yw%8jH*y=fbj
zjgObn!p$IH^*~5q7-yoe5IL}HUg@d>RTgyhUO@`9aMsT03HY>MuwU6y_0CcW&y<+Q
z^aa1ZF75Kc?Yw5v*r(x|HMbgrz^>a5!;KL+7|>Hkr7m10Gm3<o>z=!$1)9&2(t%u@
znFbQDNx13{&!XsNWGxRcQ){_#F7*&2bZgp{erW<I^#R)Igl@7!H^3*b8#g@IgMLLr
z^)9ino&-QQjP%}x;#WASmGY@{O6rs6n_F<3pio#rLg3`VTwfQM&4TkGS0Nu(BmK}G
zS-H5h?5TaIBwt_iKD8E#IJb!*=P>yvm~0$UiOjC4Hwf^<36%#}{(o5v5fzG)W()7~
zU!A7#-}{CE3`D?0F(jDkD!PH@qKCm3_%r4@>ro}78ruCKx<;i#_3r@Zz~g{A+vlmL
zHNCwR`G>7EYh|1_f$>w&b7R0Twe23bh1W@u9F(Yax!7*txxde4gM#Wy-I~Alwn81$
zCE&|8{fAFa9Ni~kn=di@Gzwd%XH^B!v2$0j6&InmGD98D*)V_CVGZx6CaV7AkqaT-
zN+>;)U-6h3=nsDOuvXb|vrHt#X1TehIyJ42vJ`r38{e+z!!7<k|L$lq+`FJ@wBnqE
zv?`utJhclIxq%D?j0gec6y&dkDHU5vU9qnmMj8;e1c>de6jhB7sP(wBV@>3lG@F{x
z?o7`Zp|mBlUxrq!syUUYdkA-8P_&luJU>d9nxZr4-vokyF+93O_D92>8BY`5=&=2r
zc9FMS<hpnG>O3wJ1|mH&J-flYCM^7uY}0XSo~8gt>gFK=l(te#2P@9}tyeg!Kwr5}
zYe^&;CGlAQEo$WtlUkVAYy!G!Q&JuH6Jr6reIerug#PAi(GeTdMw-^k8F8=IZh|IM
z(#mUWgLmuGF5v{j&X;Iq;p0g^{7!k_G*m&TeE3tK>ziWru9Szj0_+)6mFAeAW%-Mx
zDJc!{*v8V#{aBJIRYs``K$){MKIBa_aux$^VKJXe9`#6GHEUQ93ph(3&&Ivr(^#5(
zQ}baB+f>irXFCCH%pp(}C4u&ct^v6Ko3PK%5BChzC`xX7km#d2ysY`5%kdgq=}IKu
zZ}S&Aivc$A`GN-ZyTj|iY92TzTc)3QJL}1P6Sjg88{?3B3{Ej>dO6aPk<iEs*c%9}
zB=Qp7-vIW|j_c_>8i`qO*I;;w?p{|-9Mp%8$4};ITd+jhy=dK<Cll->8_GLsj8ex=
zq<sBKr;>;RwI{HK>>Bw$FU;xx#ln1`=`Hos-N<r#CLc3_ze5U4Cv&!G6uc?3(=GNm
z9xDYNb=8G#-wUyi2M=4#4X#aO)2}l!0!-he*L$hXaW_lAoP>tOR4Mfr%NQvyJ>Nyh
zU4y@nw?61_7PQ;8>mRDi`LrNl#qC<MWW6`}`?qFuab9(b5wvI6XZ*{@XHsvAx4wvY
z9yRwEm0RYzeBP37Xu5V4{!$g;1w=~eu}EGTc!LMTg$!Cyim2H|)Z9~Q3-qI!PXT@s
zkwAZ7RBRpM7UWQzBq3iB>}`Jkvwly$!<g0?a#Tmi#MWzaPTPb%=Hq9o>4PEf{Sru3
z2hKH(D3|uJHUdwJ_js}Ns++}SYzG*8Z>sGKGXbM715yH>;`vD|ANH=6m`Z2Nh<LJ0
zn!g2T5`}lR8*{nLsPLG&Dr|Onhzz30523^XMyb~0bFq!S1Zd;qLY+Kn;(%^*Bz~@g
z=R5E2unocqVJn}Q?OOWX(CSCS^~<sO(Ux^Qhat6Pb@G{Gj55b2ON*g32kx}dp(%w{
z1+nddLN@4j*OPwP$3cE$`CHc<mUe|q0h>Z{1(P+Z0#Vg5F*g;$Y#>cPu5Yg2b&eW%
zH*K6YDez6nB=)n71<e|vYet69uS(g&M7Uvien${tsk5&Q`hC){{*yD<Yr2n;862I^
z@FCtWM7=!9mJzO8f|+zMpsM9jH@fixB&YP;zRxofuSX>6#>&JUBczg-dmQs*o(f#P
ze3WRU-W@>NnU_WA0?d{0g8?o?N_U3dQVDbk`*-tshNk}8`|#Gvni}&=ouiN7B~0Jo
zndr9u>RVjnpGdK$eJ^+5@SO?=&Hd(_DO>wH`A%_8OVEMzRQl}~l~owUp%4hT1Qr^+
zvpGhXh0RxN{>Z21Jf<d<P&39kS?y<aU5UT<%j673RHx;Z%FF!s)1+Ss+8aHZwsePG
zPU)xLWZ=Z8*o7^n_B*hgsxylkGjlEoWhLM|o0@w6ttI@s{l6@3dMkICD<A3(Dr^{8
zICnYB<jDQnp)%%m#7d{O$cR_&_Yvj3Aex5Z{x4_3N${CGn=6+-E4roWzS78s4Z9~4
zydHD$`1t<S`q@S8-0Sg}7kYu?@!w3dAgMdNZus)GhNkh%s{Z2mHhnAZhn{&k?dr9s
ztA}=r@(Xs1Az=gk=&STwRA-U}C4Pi17)HeK!T^Ut<NSz%D(=4b8J!*B1AUDnjUXR*
zp*@>;ZOug=Z(+UEG3!x7n(e~cPIykWWG>l&(m{>+I=PW{T=9Az2$ra5hru+~ueZ)N
zsudWeSvhVCJ&%6%=bz~o{=0!+fUuHE`jdTPaKB8gQ&@QrTgG!}HY(Ubxnl=tiaqam
zp5H+3Ro4uh;;&syjd;knu-gMa8J9zq%6YrLWzr8}r^a<LPgMbf<x~r^%0U&@=NQ`&
zg`nU|VDaz2wH}p-$4b_u@&CBNSiYaSP^jN1I^R&+FxGRs!RMQ~ZxwdR#Q3f!!z=Jv
zI&pr?sM%fEa>hF)e*P%g$gck~)UIh%F#dVwC=ga5kv8OW-JE|HTAF3adjEB}no8{&
zYtx+`yg2$JnWXdI5<h>gCpSM}u6nMMznPWUkJ2P3l*;)A5W-F#T84`a8{K$4t3#2`
z)gF`D+#-qSF+MQaSA|cJ7Sne<P=c?f?Xa6A@-+4;mOtM<F9hC6eB~~cv5JHd*g2!M
zImW7mtk2XBA2i%8RU~*Px65(`fUKU&<#L<keIJgH+EK60$*QKCo<zjU{mDW>W<&M2
zV4<HTu=UXVdSNNxfj%4z$oVT`L=F8m<D`X>9CpTytAMR-cN7Bz!)q-dXI-DI2uALm
zaDDdf#OVt*136U{aZG+d`1KV>=8e{J1jbxkBg@oD+l9r@UB{Z@;@O93Y8p$6HG#if
z-LKXw=6Gzs>*_td#2+6In*o9xpg4Jx%)7ZjGz~{-q;v|4G?TJ^l4fzS``-cmaGOs4
zZSLCon(PPuc7IOwehl1B{HN3Rz2{$YI{j*QOS9bgejU6#V25*+65^Jb>$GbB=(}zq
z%sRw>IaFHl)cxUaonp5b9Z5VFta_EWzUgLO7T6bk?{5V6Xjt?9R09k<ZopcFm*fL9
z<Ss{cjluhV<5jDgD#SPEc0~8>B~$ZV6+MnH7!Xv18>zu4KpFvnk#0cMWJ>rO&>&~Z
z3Koe_sL&EBpL)phIJhVi>Jm#>va=f6E>o3>F1jlp1|$SNgcIecu51M|_oumMWZw4a
zmqf-XGaXv5;PfSTYm3$OimMkRBwqM&_#mwriDk??y+v!sJDBDhPY_bJKkarJMHS`I
zRo?$3x!&TR8l5XO7LB}>KU^dt8i83XMNbE{g&cM(ajuD+^H-2EH<s!)uI)IUPgtlL
z_V;j!pJ|i0CYYJ3{lGWzeq-W`tDhuHD#m6()w5smW%m@MN+!!;B_0)kts{YKYv=qO
zTRf$e79gLDk%xyZ@GObv_wlR*4#(&Bxxy%UB)1Zp4)fRJb-YkiFFEZa+!avBTx9u^
zuOj%g_Lf2Fiq{7Z+aNpJpmI~nS4Qc<2H-(Ijv?z3(!Rj*J(=R^Iw_`U$3xztZ=E0x
zdg2!Pq0em$SR$`&xjtn*b}$86nBT+4@wcw=kV_wbUX9IVL9y5jpoAEa8GAsWl!y{R
zyfL$-pDIFhDREI<{Xf37$p{H65In>txy0mJ^2W$G=2u<&aKy?z68$DXvKY#5N2xNF
zs<qQwr|Bpb=A;t8lM|H6>}WE@b|rYlnO?`uVJJG}k+uL8*A3x7!;7?q5O2D9@ft%w
z-{Q<~;w{N91(Wth1&-~Acl8dLw$FiCg@E_ZB==k(@~DH#mv{s(MU@H=#BE4@%s9e_
z%^fX4#X@b2OjBKIY0l%6KaFC@goZy}pS15UMog)fl?=QNF+SWn<4l$)SGiFRJ-&b!
zPCOwRmQ=QsCFLduc(w`LJaO?X+mX?7!^3*zE!MpaiN5mfe&aH9d+%ZJwV#cxzbl>|
zS;Q_sKD6*uRG75$nwqwf2?~;~NJia2^`NAw|B0=fs9|K!dm^?ZbQJ2!s?D+GacY0b
z>9_?YY{fRA78`EkL5TT?H&Q(P=+9+qH5NmhgZ0q(<&@bulX19Gllay!We@eFIx}|C
z0b-d+%g!NrCjpd}|Cm$%XRmWHbWwm;Wxm5~x36V>@`e?aLkPU|*mN{SU<|jv@X}Ea
zZc5NiTe<Wv%dV3mZd0TXy=~oe4hVk$Jv5-((O&qMMc-i}2SiVgtDv1*o1>*x=#bEK
z43Mu<H~|pcP};sy)DA;W>>JsX{>uGdmRJ9>tln=9{lWNfgEX+^983ncAJ6tDB8~IQ
zbBIlR|43lTr{BG*2@00KaHp+dLH_em(s%Q-ohln5Sf!YXMsAuab<b`@lBSrSx2l$2
zlj3Ewo1e(z4=+9c>Gqp&R`o>z`T+wVgn9Y==akX~s-imyQjY*RN5vEJQuI$U5b|aS
zohKlb;FJ@}6PeZ1wh~o0XZgOc`E82~OmWpOI)mp*dW9Bz=s6$5@EZ*w3W6by-1q)E
zZUX4D<Xs%j%C#Xx<nyRaj~T$%{6||1vEoFngU>_4!9=j>oBE|~Owr5}YRP6YOrQ1H
zN9Pej;xJUA-u2xw|LMo!&)M&!KNE2$f&g?%hm$lFFhjsaW}k@aaFVPgEfvP9{6w0T
z8WE<$&f_<K)?ibU$JZe>zntG6NnZc<<1UnI%lgA__2RO;6vxex<iI)0%xkHcajR3P
z;-aR&+5EkG>#<~X<Q!J94$wpo*n{Gj!c;{L-6x|;iptZoVou|c={{c_?fc|;eV;th
z<7m$UDCWhHY--6-i~5Q<P1F>wdKO5BsZs;o0EV12MK$PxTnu1n>Q4Am130$?MYlqo
zeNR&+^rbUwUBYdrmAJgi>K?w}FD}UMotk?IbqsRa9fKBMNzLusJ=)0K+z+K_lfO1f
z0jkW@P;ze<Ua^kk^Oi8C%|q3eDVy#}S;s#Jp?qO|sjLC7Zv(Qw+L-tHhsN^IWgpv)
zW(R>i+*=Wnh0;~(A)&i1CtCaZe~f0<^ma^aMr2Oz)LbvowSLSC=#hF|xtB4`+V?4)
zFGhm)&-;?xYPJTC8#~Im6X}5R25zt-r>Tfjwlejj&nf|rF>eW2h_jHY`jCS32}_$l
z+M<kR`s1QiCrxtD>t?=bDvp3_cf7x2Iv#LW>!CaruDAK5{PPq%c^WL#)5hI)G@;sM
zlaTt4pyPM64?t8>>Hxi&W7o1MMrr~xR~<eP8Qsxzwc<&~KH|o#p!xTv#)eoq%@12&
zu&y7SdCxDo{QL*yD*b{@hPHhk1Z_pn`^=(MP!5x-WdT3Iv&+k?0K|^O!Cdi%IhGGN
zZ}iA@qG2Laz2=NhbZ62;d%aS)cO$$EX$%zV99VCRn*WANCJsA9BwM>Yy)F#d;d4zo
zbvv*0G`weR4jTo)g@rk(WdsJO1;sOh5=Y)?Ol-HVOz%=-&*xK=x89a3aabIQ@281F
zW}8ZFpQ2u{NNJ>UJ(KyDMb>A#7GOIzDFx;C$&C0F3!wXax{jHgD+OC34{bis*%_G@
z1XBzhzM$Z2pV_IcOdeYe?E{jTs&4mZ?CO;xWyF~_^`{B_CPdfNrPR6?B}*XELtG4q
z2PKC31#HRyPC=-)VExbzUBcb3SycO0<CsdHxrG3C@-iOAI%e1E=0>x8dyO;au86sf
zm8VInox!(yI+~*iwU?b`3N_ZIpreS`{if_S+po<Q)CsZ=aiV>0dSE^=E{JH%Yf3V}
z95CEX;HMsaH_9OPPd`i}%6OMA>)!bACzb&3kl~Zy8(>y8mzG-pFlRO}aU;rU$&0%<
z;>2>!DwoZ#Ig&*Mw`VpxwVifrT>v=9w5&=x$>;s6hPPG{XUp@$c+K=?<=@KthEHep
zKm7XR{NfqybdnF{6FI0;ZXhO`yPgDz^3RFM;n-IAk^+WYHTL~FS2k8T<6sE<U!U1M
zwhfMLnc~sM<eucX4DAHqwdX<Tj%xb@w$RG>&^+d$#J?;xJ2f@;>SK@IFxkd}ouM>s
z<O9ely80lUw;bB6KCz|b521pURD?9m#t50c8R%ML_=*8nrL>kqR@^TP6_&zy%~V7N
zlG8g(;{uN-qL94BPz`iP?=<`G^5*O7yjMML$*bm<l|BoT^BU~pt2~=Lb4Qb-_%Oy4
zpB%n%2BZ)S%mLO0j`(L9er&b`8ai3s118>Cj9Ki2+i)Glk?XOJ&j0GFIjOOu581h3
zlZpBTsT!c)&e_}|%&`DxGTI0Il>IeuH&imx2ll*Oa~MvC(-<`${N3s7JFnL)A2Y({
zNb~=9RZHA|=x$UH5ODx4j`IgQXQ<yg1C%(a$$gs@WxZUAKneSz)q6r}lx)l8U*#FG
zAN7p<nquQW*}o4m5F<&oXiT&Xyv-1aLh2CXDg-<;lto;_Jl7}T+dd1{qLQhW?_4i$
z+W01H0#t$T8tc+!5>irs4)4TUKF<|;_gIfx;(u356O4Haq<s4$|5dauA<ZVR#f>^;
zj+5mH1X^J2t^)l|0cvY0Tw(_AQe_fpB&F`geubq(q;GB1tUCSn9HiTT3PtsmWuE)C
z6bhw!;)KG?!!7|3Czk&=Ult-e7HgQpZ)@8pt<kanvMgGU;x@)143_Z-cWMPw4-RHF
zx&F&C$l)V2C;&Vp!~cFcf3pGrvQc9+0+^lE#UjuD@Rq*>nRwvceLqX({2#Z^Z#VO!
zf1UL?rh<;oPp~^qv@0F4^!>{MIrlG%j(xwwX_MGD!?9k;thsKQ-*cr{e$ZJKncNq0
zdjfng+Oj}wbgHf1G>$Iz<?k9^aa8ajAa9`SNPZ?g*@RvKbJe6#^(}oq^8dQ-@^tx!
z)-xJpJ;W(<LFAH0HYawhk#}CMrfMueGb=#eThU2WdyJy~=uvX?>n@ixq3!eKz8TB(
zXZgAd0}0uj6UbBfblsGWH2c3lN4*>M3fJGQ1!}<F)jpRP9n`y8PcXCl_Ivb2W=V84
z)wu|%Cagu;iPi!wDDgNIRG>rW%Tx#SGT=PR;57lm?d6|(H|5E_VluFFos(Tcyb4WC
zJqS-lS#wO2Pn1=d4S3GIX&5`3t}xd#-u;~Gla=Yq%!Maq;tL8&z3}1sr4-ZDm)b7r
z6ZorSJxl^!sbIt2rT1l_=lBo2eb3p`Nrqp>aF_HvY$Qlm37d0lC|0UL+u<Dp-<Jf2
z=!9v8A#<V8SN0af>kY<p1NOT^|8j}+NKmZzKz(!6;C!JqBIIRxnHtw(gQjQmBY+my
zvGzaH!Tu*o*nfZdYsyV^`nV<|pZR<#E|&Z{bsBj<5TVKrv_OQjRE<TtuX+lg^3lS{
zDz->aah7Bk#VG#Plp~&zvpF8bdHuxmx@0v`!{{f55%uVJNNsxC+$*Nys50mZBAlr?
zdj&7o<hsu|_jpVJsd=I9R&UYFRI9uyYY%&5JtDGGDeE&f7(%}iH_u5y)32JgGC6>8
znH-66V8FS)ageT;yLAIN9u>WxC4+-UcD#3&^j-S{Z*Ic6d{CERbF9sp%s~ycL@jrk
z0TrS{{YZpj`?S#~k=j_YQ%VK2*4nJaIoYGy`2I2*VK@71tb4SVZN|;kxW}5s>I$1v
zp^_7_k9WOygKUO1y?ZKy!j!zX<a&1ZCgq?dO~)c0$fu0*##1Eioqw?7SmTE@bMhne
zCr}NasC`Xf7~PYXr2lRBi9~tMg*`s5+uoV(X&0i|Pxf#W13gN}N&7X_nZ}eS9t3J?
zQG!_ebg8#4-YMAp&r|>1Lmko5tKN1Ut^%t1K$NI}93VGP0!W}XPIjbViopcP15nXM
z5xU=Yy(ahwAWYk8QKC&hD{qP$yMD86f99XaneKB(q3@IKAHCgKAxE2YT@~awpzm81
zwOLDMCq_jC%$fofZ1R2xF7Ek|GQZSl*QfF0h)=v*1@=dkF^*E$G#G*#FDC!y>E+7u
zKHco!YXf}1;MtQcv}CT^4oo{awk~6N31`EmoYuS>F}!DDFXwbDxgeQzu#e+XR*Dr?
zAlJ6fa&`(trY~?_m~;>_aS+s@WN|rli#ZqzK53VzPJH0q!kwz~L}Tv_kUx9}b%_9%
ztRQvPX92^#f!7e>K%$FRt?eVaQoRCXyx?1KSIe8w@gezPH=~<kQK45@PS4v2(qw=c
zXj`A@bCh&IKnR#BCJ`WKJu`wL`=fxfC$d8LUzR7eHR0Q88G_Qzp;=3bsD5YKeYqRS
z(vvm7$<ulVCDk=|m8rUxp3O_m`ZBO!8hu<C;~$J2h&tX*f(AXMjK?Nt#+4Wn5<cd>
z5K9`@t=-<0lYQtk4sKFCSUp;sHo>H4Y#4aEPy%IpXECnI)$4T<VIk$-PV1DNGN6qV
z#XO%<NQVMZi6$T<h@uDkzzB0Z4y!1U<Pkzt%vfJznsxH_sACyF+~umV)G?Xm@@c;Y
z!=&b)74J|d5#<Y%XACU!o(EGFpy}U$lJ9h8_(W^nEnRcEGz$10AM^Y7g4K)^z2-AC
ztz%&}oRqZaGp^{LK{lUJ<B%H0#AX%kKJp?7M&&glpT&?<Aerrz8)=6dS60<TRS-e<
zAIG<Le=z-%$s^_U<H&OXdOz9Ww+?!`|CTXG8&+6TKJLJ+*%cr-r3m1RYc1d)6GwCW
z>;UR(tn5Gk8w~IN9-8<6!}rLbw~$>~M<64GSp$-jguVdo-v4!KTUJb$_M0J!Fu|P@
zj5qr`jGl?lR1njEhNhjHL9h0P?5zN)0U2llKV<-0*blp^%?TvO%sFQ3p~&%Vd<2Q{
zFH2D#m}ZDj-5@HpaPm`8U0_6o%9g-}Np0}oQX}ypWl!5zhGw=duS_%rs0~0!0@(f8
zbm9f6Y=j&kTe=#lKZ&Fm1~S9gl9;&AQqPQz@xZppr+R5!LtccBcJZa+A5tF+5A)SC
z2FT!!aqaWepi-E|r#V+3{IY3k$aDs!UT_Yr89S56ZPar5(+dvd4yl%T{uHTpfitF2
zGjC0!HoA1X@!6>-tDNNsu+3l@cGU8UNTq2Q?1Bx)()SlXG;clnenv-3z~0hZqoH-W
zU(tkf5x_Fm6#tc#Yn6dRmEI?tL;Rdzxi<W?8>oJbl@?AOq+9d2Vs*&}lqlkOr_<h}
zGR?q4!4->*Fo*y8;>vL<nX7WX;!p6YKA`GGm1;z(F-ihBW353POm@00<cddHy?)^r
zx=z$D=0L{S;?3E~**Lk`hK1DJWU=$xyToVLr>hw-JyXSZ;LW`BuNYu5^0z<TD(k~h
zv(k?0TuHjxN(JG^?zwKzUrl=;fe%Mrn)X0*YG3$EMYkNM9#C+kZ{RgJU8n@xaa-Ix
z=Ih80@ppy~zE%F+bW6McqNf~@$w`$!$K^6UqCf~qO%MQ*@rldW{`hSz#5AhR?Z@DL
z(RJ`Gm4@!cY_#und`wIX-dt!|nKs@yLcuY<f(Y+%?pdMTIe;2?dhRdW3kO6QlgJ&7
zWogj3S6BmbcFuprTfJY;Ba?Z!PGp93`UIw>|4?%MPiT1#LjSl0r)Arb_9%8_gUu8o
zNC>LUQ9rmuy-eg#-7&8jRP-*0-D}NwV{ju)K|>`b7sme~YS-SdL$TkCTaz=9*#<eq
z6h)1oe~4@j<x`WpTTy~kpLv=wXD6F);YN@>U`O=ZrC8w;=c&n7?u?K3e~ZbF<jk_R
zw5LOGityZ~nq+=}LFi_lnD`}iH2#v#e7L3+;CyTfCP_t>`a5zy8rg@7fFt0gn_lo?
z{M4`npY1{di=~<R`Ohb;9-8p_*dSCk&Z%Z@k0jR?)Sgc=w}#B&7|mZZ94p+>YWbKn
z2*sG%M4AJZdj}>``^-;j2>uK;;+tpsIO_UXfME4lqk?dW*zaJz?|{gU+AUtC^=QJ(
zJwz`4hFd!28zY%1ig+_G@*2fOR~$sL0PMYc-BIOR6+lss+sSq|Dc@1|_Vf{;K`*ue
z`$N?FPV-9jYX0L>3X7(0E#Ua6r`nJI2kzcGsL3~c^TmRwhzL?dgs6ZhRi!B{qSD1E
zhzJp)QbP!l9wa0R(wl;SfPnNGf>ddVNK=Xkp-2!yXwpe2AwrVxdB4AzGqd|UyE}8{
zoY~o3W-`DGfAK!=^E~%`U)Sfd=nBCAn>zpg-A!O<NUY(GhnjNxtNhO+`Zo8=ZoK5{
zhNW%3bbpHeys`EHI37H~-rW1BfcaTUgXK;`#!}HgJW0zsf!*Vn+$7z-X~8elGi+BD
zo-WyG2Y9Wv`1>QYCkslJ8-ue5Ud6W^vn?8{qmV9$M|bdzZez{grg=PDJp?GABRH29
zt5zxqtHVlq*hqF6z$(};R{b(WDrQ8=)RWIwzq=!`zf9anu{L9_RaRP&qEOLL*7eb?
zK6O(mP9RqBIgLljTI5sbbG28?_n}ECcX0yg*m&Tsym+znF?Ub}Bo>9qKrlS$*}uRv
z)eguQfo2oVm0(rhr613s;dtR)=HzC>0z|#*y`gha%y9|dze*|B9<{~IdCs<}N``uE
z@p=I_ft}74Rlq1MLxX|b{CC4D5~ev<1s?v8oHbc{7X9FOuA!0Nv3;|Omv=ON*%*3a
z16Hw$O*<{yr0kqHeH+O(&rJN>ET(MlE=H6^V?dZiEZ7VX=mDddyOEC6BF%RDGz2B7
z<Ms%ziC^E{4o0Tmj`8T3M}2MnG9w}JZ8yRwWg}R6#NsAD!rp*p)DS-D|2bU3EN&_B
z>N!7wH>YxidE{)aN#CDI81JE>+7eDZcH8Zb)Zm9yE?t3(H|8#!j-^Ov2Fjerw{#Z2
z(TEjZOVqfewDh1coae1WtL?3+#^Hd?s=r87TZ8vVKu`f9(7u*MWvmt@a0hYK%vwgw
z3|}kk1U%L5u^8^SuC-=EiQG_pRsVs-djFiKM`I<}-+$7g<8tDCUV5|T={lX%qeOj-
zH-j06q}hApB0<06au!D$Yj$7E{}}%G{&8<g^{H1%X76WGueI`LY2)IlH2{|!7DYPR
ztiws*6adRotKD(|?6wC>;$&2H&ad~4e`@aKWV`$>qW(a)Zc&u}`mS;J0Nz`Ofoj}!
zl=F_mLv~<725=Dl!xM@V!ycGm^*|VPq4YJXF~c?5FF_1HA2Hq3cXOTsUCzFaymJy>
zx77Wz^6KA@9|R|28ICl*R@ErrL3edgBP|zR;9jy#={wU}(Gk(I4K1S;TNAL`fgi&q
zi$^9rilP@>gaEwfb(IHGJi|-iee8f4aHRC<VU=dDDKN{15?6uuadma()E~k#m(|bS
z3Y@>WziU1O@{W4d@!%jv9O$y<v3-Yh;mG`PcmEBvczb~KDU#OP+#?lF<1a}}Q&!)9
zOMVVTIDy`IC1xfisG7*3)>JG&)~?^O1}$utz1<PLb0bJ#Yh6!YeX+OdnI2&GXbrev
z9Q|*WB>!c3^1sW^KvqQX74EjZ-WRieU_>5GN#(rg`G@D@>7V7m76;VJ_!8V`Icawv
zex~uj&FG6IJh{;q4`}^Y0TC9{)V~LC;~gY!yjl3Wx(f#Xsg9;08d*SbepZ6CJOxzZ
zincvZq6Y389&~yjB4X1^R2ahR^6r_i_|55s)eJt1ls~rVWIKJ?p>3Ce^;LEur&qZ|
z$54IsLjOfOv1bQ9tQ;K4?v!I_y(S?NURU+a2)ImlwWp8d9e_XV_1Iz|^D5sCYDEdI
zQ_;s9EUA|z#jYglzkaU!yDs@%lKWCWgoKUXgM9}}2iD8F{Pvt0^oQdy6PcsduK1Ku
z#KMb<xy_ru{`=3joFvI2_S1Gkw&Q~C!^I&#R|<zz(!_m~?i&qWKhQuaicU|KIo!~H
zyA~T+Y}gHOP}ASpv{!QhLH4O;@jVTeJo7a}GlRYc4kIcz4Hg0u%G%`LFLolf@ORy&
z>Ke5(e*YC$Gjgp@G~s=BOW?dx!;SR_Mi2MsAO+UmAES*6=U%}6;POS#L}wP^IjnUn
z{&F;hc}gtkb-iMcr^mD3RM+^2A<LNP)k@x@!&W=Ul7$(p^RV~E<Z^(g8(WKNK1O-E
zUe@+t)pcN!Sv?Nb!q?c06>^!m4T58PGolHr0(ALSq8?fK4-jAr&$V6l|7nqM_0-xq
zQ)|gHPJFFh1%Y6;$Sr08qicnfgHeV>?1I8|4Jv>rRZc``UqzFb2EI6ci9dz<=e9(i
z0^{7o-1m(&$s=c@%kDl{3c92klx8%EEG`)LSFnsT2{LK9{+KYEl!WuvkNCGyTDE7)
ze#nU=im)FraGiRJt=LQS{!m|Y3y8sJ^YxQxEER}qHF~+21pPhfV9Kx5d4QSAwKe6=
z-+wg+jDW$cOV(Y{BzN$Bw$3p3BDS9jtYX@;#ht{P|L_QSZi2(s@lW?|wR#usuCJaj
zmEJagsr-W#7$dlGac^)gVVjs8x-kxWp=Ft>6j;DPZtR)&2dhdzSIuYuR>o!h&=TM+
z)t7Tvv~qX2LPp9~kt^0~`7?@rBWI6RWthWd5ka=H53CbSWQ^Y$Nxb)hX>ozqseUvX
z=LVw4*wQBprU56n{)yoloCwUV8lyD4wb!F6fzKrRI~4TRKlMCV>Cptc(3*4Qo6P2`
zhj08E0hIA{2I)9<I5qC+$0Pc@RC}n~Sp&`S+L+sQLn0H{oj(_B(;%sH?3c%nKl-B(
zt<Gs0GwAP6y}i0rn373Z7^r~*f>6Z(Il=4};C&{wu8{STrn^=(=+r5dvVvc%<!SL(
zZ1La<&(la^6W}@?T#_^^3sh7qN#cDc^>GTokpze`P;3#aX@T_)66-vtE4ua~{^^je
zMGo5MVPpK5?bCSMwH3MNuVOCW`*DLes`Dzu?qBu7>>^eb&^?DBF;*FEyMMyBT252j
zQjvJOCG9h#J9e*)dw$iC<$f!Aw9WVET7|yds5tIdB4PC|N3Pt7{P$7+(V0lE=PyhZ
zF+gO^rt9dCO%}I*m#;nZq{%z>4TkG0w#AuB15TDMn5Kglz*iRG(p`p7y1(bH)EL(z
zT>WYFKZ`#E+Q%*oG2d9NCGCBU23Q0z4zby4?*@0^bbt7^syO=`Jsh9M%H1=}pt%r=
zCT-Du9;=&G+bYgY{Lke=ohg4c1&+iUfIb|p2~A-DL51poK)&@^d8!#>=j)!%7*?Fx
z^HiDo5>@f64rr*>o$Y8YZtQh|zBEhHu5r5|^Id}1MS82GpoWZ?;{#_7Zc(9SdI~|&
z0h0o%M0ZdqPET8h&|FMN28aP*ip`982o8aIoy~^<f!c!l%)7AS!x|Qj4#O*|z#Yw{
zDzVRQp5J7R-&Eq{_n3!ik5caZE;dqioK9W6&H$MCoN(?HbpNzg1Y4U3WLS>p{#32;
z+wi5H?6l^Mn;zF_->@r5bdEQ1PJ4gK{uQMs>K)!<D86(M(VucxWwfr|F2D|7;2w**
zZ}mcRy5)LaFJTTzH6{XDJY%;kwE?z8se7HaC%$k=oFed*;{K31YO2)e+jqMAQ*Wth
zT(4)m=u0_!$V~ybO|K1BGJ|^rxL_RYWMB!j;p&lQdm4zJ$||!O(zvk+h%t=ue+9gJ
z0{y$c%Z9^S<>wEo3?Jk@h5PakPYk%mCd!rNI!!vcfIGIX%Rf`5=2royobDIc33(O-
z(Vv`K_f)wFE4wDt>}7X*AnldF`OY7^W|z$FH|`(-sM21bmbeSku1TWv@z1#1L=~4*
zsG^=tkf|FXAh%&_SoCibA6xt=|35s3#@Ki3SrL2S?=;E&6CKY;0yb8HGlheb3$`(>
zms=<*#HYR<eF;J?YMTG>Oxjdp2ea$zBZ-pOU!x=e$xhr6tiWPjqg-84o_n^CdQ$_Q
z?V}t25D}!9+*}=Ua^K}VmE|bY50_)yrO1***t%x(T3+wg#3F@LZ=sOd)Q77|!fEyV
z-S)RfAt9AznXEiU&{y1nW*PZNUBq<4aTeGh{C2d3Idmw8yfPDT&G2e(_pA5xeb+BE
zlRH2)0g=t%Jzvaqmcxj)0vrfr_xv<1aMNJE$A@?L15-%W%RJdiNZiuZ7n<QNRR0FH
zcaHmWcXU;tkZp|wVohoRuo&|bO$YSJ_<UepU6xJC#=3uRQQ&VI_pHmg)n!_zJ-xWL
z=5t3j!0Zgexnj4>f(g|RALmKDgx@cUUa<pn*mvp4@gy4F)f4~~mm2@Eb+>c=9pIk|
zPt@vCa>}bPkgzls#lwJBXsZGsPd@3MO*bLDe!~LW{Pa~lp&6~;7gP=xUK;V*=XVat
zWIP_%ne#q$;jyq_?;$c!S+t7k>M+a%$JD-Ry@-g#9PpdUDOt|709b{i&)xqOu%&){
zi=kw+i}&@+tmMBwchzK5(9q=KaI*d=`$+PP$WA~#aNqd0r_)BfGN|i730c&x$S9S%
zz}VWO!M&3>@pC+?2Qy5^&WBsxuWWn%ZT7x+>{cKfrWHYcNQODo0sU8`hUdLWLyxtE
zq#D~v8P|Bj<3@wuzMKh#U1mS~gc?iY9<`;{cbw)|&Wd3yOrp&@Mvk;=rHA3)rKbDm
zRC@g>_um|^-gcv09@`iy1B^WB53-K{$`IVlPK5s>R?pOY3BpJDYi5!4fQrhq(EDVU
zuHA3>aqXo=Ydr_=et!DHYuKQtta>8|MuzK`sy0{-bSnlq=p*XOsuNhrO#O=7=6Yra
zFwuh@#{Qsmme7scq(Q(q&1AL~2;$f-BUIb|HX0QwpL_rPME6&xC&yyC6PlmLE!L^3
zr`)UkYAn@uKJC7wcbVgx<A-kO(J$H+?&)BUa474O3o14BmUjOWZ?U?N|D^8l2FB^6
z*#}KP7j^{y4^NR~`jVnM?&z8NYZ3p$URX1rsF-cG$Nd7|{fFl_{)J#D@H-BeX;ubz
zabxRqFksx$B?(ep06Sf)ow_Hw4dPr#Bwgp8F_;nLLklv`4LAD`(6Ek4iS$3_)xgX=
zqDJ|Gg}7yPQ?`j4ttHF0qJlUfRimu+{;hH`=g<29ULnv>KM3yMxE@-|FS(2e>e2bu
z91{~bBW$SaakJ{`hj7ay2c-{dOp}h{oD#yo`*jUfK271m!GajcGROhD??E|e@BX`=
z0sM-iMB=I8XfZ=M(^dt+r;i496s{91fMV;*nGBdd;u1={bfnd0G9-Fc1E4V$m$C7s
z6sVpcFk5s1{mP(?uDUY#n0S5dpQDePP*IeMw?+1kN!judp}&4rKVDqEu(0Y`f7wyj
zP1aGwAnNc(o$0PNe9$xy7!I;#c~!7fzkp6{0o;GRL1+4WGDER_gJSG0Z9CmEEX+$r
z$uu;pp1JZ}{~P6Ox5%{rfi==G*2!CR`yVBm33+h4JCwN@ckQGxJ7Z5u7+IkVa^=Rc
z#N^w&<4QM+`}cn$s$lyk_X7plQ&+@H|3S2I=SZV(oN~T4Hvv^*?7nijH|FYP%Nsmz
zLv9qu2Exf9fK|$FffAt@j4bmWx6goBTPDw4*P9)O)Xo>68lXLN+_}jGN>?i^1a^qK
zpM8gJ6ACz>sGZtB@X`@^%lfie5CMZCO5o__uAl%fmv#S<5yCOAvaxTy48DDLuup(h
zVmbWh6DJfP{Ty5LCkl~$VMkf(cVbL{M;^XCKdcM>*rSy0Q7=}P#K{7wsMe&}&OAC{
zC}XzYNf>7igx5OK5~8?(mHx;O@eEq<9^ED3VpiLY20AC7Vjmldl~#0#?U2N7+_g6N
zJ3chr1RJB$I0@kz0%C&uS=v&PHhbXl@{@*jP$;!JAI_I?%7QQ_dtbqm?@1ibm-}%l
zzY8wx04w+7`m)>hJhE;rCEVL4))84-Z@x!SRejMtVyXx&*)U!~J$0M`NweW2`bxH4
z@~Z|pt$wI7IZBlBR<LN|{b!9ro;G*Tzf#_M$tKkh{UzNKKrB)Et*@k`;Ah#tsGSbt
zp9}#qAL<0!<=S>?TH#2o&LzijoSVxtC&a08UFvVw?@{OPTs-T#g_!1R#T{o+t%Chw
zg6J1B9n41O9~p(qHkv|u+pm3O6pf`i$+BK`GYt=>X6cA-fE$xdt+WA#&5n>)ll(x#
z@wFOlHKHA<+V&HEdOfm6`TVI04O7v3y%wX%X9n}WMR)bKKKuCgE#&wROpTm8I8Kns
zKn&XXAexr67rQm785B&zJ7FAiHCwsSP+2f7q7B6ZlnTJz2`&ieHXO;$tb(a^A#|e9
zv}9*z^%U+?pUk2Vd^6FhnjbV)7<uD?3E8u)CL#c`=g!uQ==g`{6W<rA6l?Em`k8ET
zrCP%N*1&RmcqOsqsd{>5R6~^frFo<B^$T;B`;>lrBbNJ5a(lA{no$gu{?2qj%W+_d
zdxdOwp=K22s|by|JJjwY6i@rvT_C6!E(y6~4T~mKfxjli6VE3+VgNvw2;$Y@oL4~8
zb5!@bYw>ScGxNjkNk+XQV$Z~{@g|g%<Z?0!|KUj{<5(&?h#xpaU8=WA5%CXa?mlj+
z#}<4MdY2;t0WK{eF>GxzR+&qNRqcdt7c^!V4r6S~<Ty22f=8)08|7x>P%4A`trz+d
zjj*;tX{SV=2`baUK%$Zg2?(?+XTjuOH7gdQ`P+6!k^#hsUGVuMHJJ))!AB*e%@H<M
zB1(f-P!px>-mVf^jw_Aua`F(}C5<+&3~I%m9Q0tzC{?@Nvt1OU8|HpjXzXT|79Uhv
zmVFf)WX|`*Cn+;iru79lVtW;8T{-C6BW2})o*P<MUbWPTGn_FvgH$UPIA`+3P|5Tt
z&#42VnRaIPKb&MG*=%}>;Z$JFrG97Jjq>&`!RJ3@PZywW&7oK_0bd~D+I%Z|^rTKe
zi4S?@fq~*^=0W!64rE`%BR|Eo8~o3c9_JpBYX0@@d9U~P{`17<3Q#Ml8q@}h0G}YR
z?P&nEm+vRWwluJC$BtYh3AMku+4p4QZ&L0NP!LaFL;UnrZ^Y+{((RV=2@67iXY^{5
zs%ql(Me@Cb^J9KX987;akc|nE1eOge<{l>%3+j+A@G4bqVjD4ddd67tcQ%FZ^9#M)
z**T}#!K0IG`nK}p>Agb~-kSP&xgWoV&j0y&%qAIK&E#iE%ut1?2)p%G-0R(uPo;N8
z#Zz~<LgY11&pF4GKv{H*&dKjerW%X8nsKhQKIu^ic@<f%zIWJil0uo3i<U&cy_tLd
z;y&vKJpX=)#;O;&64!TE8dYtYR9*}<ju)j+W0u&7brIhIm6jDDoB{(@c`UdZ6uzAk
zc;Rg+=4O`8H~d<D9pZg>OtIR{ehGoOZ-=_>JzwZ83O}DPCO@_Q+80MLXJ)Z%5H!^B
zHu?`q{Gn;^QI!lqrjkWK;rt(DA@$NjD-q{+DuX>AoD#7GqZrXVbdl8{p;k}Ee2Abf
z85&sl+ukmJaFP7Zt+%pzzoU<2qvvC(ineRA4<S*+LumQVI^x+-TY5m4pPQ~-WnqKV
zS`zQq<(op0hTnY8KRv~xn%3lbt;6hLY~pgzUuu#uAc;#>ec_e5kxztwpTJES{~!T2
zsc`Aj;C<Z7XfRi3LXaz@%Cd7%0_fbI^jpQ50b}}<?@V0v>INI1t<u-z&xo~=0jiNj
zfa7<33=rk4*w7N%OxUJVxM&-Bb1z!YxxkO(wFMuTBv+KGuMoR;vGV2dl_#Mv2u6wX
zhIkTljG>5dIPxzxtaZ2T>quX44$HG2(%|+!WFYNa92BmQU-8^O!K`5#H<m=JkK@XX
zvB&^GcPbdxsg1ZjlD@hYhVUw(ypMl&<+rxPgPghNZSckDM(k{!;?l>DRQv0C>o5Q#
zC|{A@0Sh+u^?5hANYH9pTt{(+3mXFfP0RU^=!+ls|DW)A{}0cL?8n&ZGIXdFD=avF
zQL9let|dMj;olcfWa_)oJoq?=r<@VSb3^CMn(naS*sGEMr1}9fA#vaZFpv*^0s@TW
zlH+EitlGI}#4fv^jt|ATmg{wVh(Z<gAkRPRo`2GsK5Z~^;<8Piv>`&my&|OR<A9;a
zmw)HPeL!F16=`*v3RJjqx2(|h+#6IT0|m5=6LSibqu$v3S3$R*?fy%-(1`c1^S%$p
z4xAc)YVCo^k9`^31^SU`aP2?jLDW~$@~mw90&)f?<_09)(l};P&nCNW|CA-$O)rTF
z97(tJtT+;P_wJBT%C(*+qUu;>Y(KyjPi8o_NnfaE6ovWzVv7fP1?E$})8K28J3rNx
zsy~w;YDe2cVnEks&O99C4#M+UGq(V-$rSYz+M?Oin`wuf&tV=}_4E`qkF2+wxbv+y
zCwkqQ4=&L!D%jpnN$ICuA3|xMj<CisYI*j?h+_0Bj~u9^eaF6}p1_oOlQ*Ax-`-q!
zK5qVGhFqj%`R;-8$jJS=I!O1rAz&KPD4E+R(y~b(eLU&|F|Q2{Y<Nic8xY)YIylo9
zai<<S_VIJ`qjwOc6YrlT-Vx|6w(Tyte$M>Lfw-=ctc)`;O77j=-EC(>-xz8)j}nU-
zByAr7kHGLhBx<5GP(8SdDuL~u6dqs)7nstZ>%5DNb(uxz1mhO+8n~w7Sqm|w&$YJM
zl>Ir@Lc1Z}9IpE%pD*?eVqziw)4V<9Z+`YH(18i{6*PVVw5b1WQ~$@O6npNc65Hk@
z4E`dnIp77h040YX5<ZqcU{YW&_{q|E#^z$ly9c>5a=zWMA7JVM`jDTvsSntTsep_H
zE6&Q8P9{VGgcq6n)lHQHHf<KDiY3hvwWt*()V7R219H&f%(>>KYfkTOy!_m=zBI#0
zY{t>Er~Bh|4d|)Us$tDq`E0|XREOa$hzMFAiIoh7d^d6aT$4h*SCuH2c0RJ%Tf%5t
zDeQnKA;+z3KA`DE)5LbbTniPt(YZq`(SJQ=_Z?oCDM~=7q%_$<jYfWSC9nugI!lor
zVV~ND)nbj)aRv;R#7`Y1zo_WkE{iOQXvH(*7SEj`FF$F0lqedZJhXum_Jsgd6WtP+
zn%EV!{lgQ@6&NiCh?IMG8GgTs(k*qPGMTH>nGb&$g<x*{xbXYT+FAME*T3yvjW+j_
zZ-iH*7pD7fL$NQJUQl)Na-M|-&X~0H955p$e324l=Ch=x!91*Z^9A1oVLMKi?MnWm
zHN35@!}VO3hxcW@&ugzed|doZ<}8hUg09+$I=tlnmbD20JpSR4SYXy+Z{b|g!hej0
zDhl`A?34ZT;B$oh!K#AB{m{8zhZKh|=4xw>!j`w$O=n+}fiy5yoQP(7Kt5tXe?UE<
ze-;gc(u>-tC&$r6M&_!#!7=Sw!PVlg<c8vA--NkPF6`;OJ7jH{*K-VUat6pW1Mp{>
zBgCs?ESu?3_BpH|YsIiDO8I1)d0;v8F(*vv!`Ni)*N$UXJ4DV6n!{oHAu5m3hVyp6
zMklz6^Fi_&vB1OGqo!z)oPQM$C1%$^7g351BdeaShyd3fTn%nTYK9O?suGVN@-Kje
zb>(SP0XXG&TE4qh0GI#s&^p2Slbghauq4Y@=N?{Gaddh&^#Od#A(bJ{^c^O-k;aTW
za01wi=uqR~3SGy-33vb{JABJl9i1C}&sthBaLu#(TN<CT;{Kiws%G2i3QJm6+1aar
z5`jvdL-?MLeh?U(^`Wl52L;RSWq^3mU3Q!|TnYSW*E-NJIXXXp%&Q@L_>};h>)Y1z
z51w>RL-A(Qmz>{SeDW#sh62m-Fh8mdM!ydp+v&uf|1_|Li_hlMKtdmUjvwsq2Clsx
zJK{+ut(F&OY-4n)PwX$2P2`avIOdl0bw4Jv)wx8Pkx*>l)0|D44)Cv_4r+~jJBZhU
zabTJ+Y@2ixqsP#zkM?z{qTBpxHvKbx1ublEGHH7FAu<<LJ$A#{T0yt6vk{z-T}6m$
zhVR`*+f4tvSOFcj03#w|3)+9&-WZSe+wN0)NM4hTMkXAy@lVWu+jq24yYD4`NWMl;
zvgnn^C2|Axn_hFCT(5y0J5gmQs?>Zo`|4g+SuZ0P%Cs8Nwc2}xQD@bbq0@g@Sbf2Y
z53#|3dO2TRY&U<j&%NJE0zUE45aAe^knVN%5F}N35DVz~c$7)*31g{U;Nxo*r@v$D
z^ZJWAeE0R`_cla7<<7nWfmTLy?^{{wZgH}D>}%@PkmK{?8;dy)W@%Ow<t?gxqB-3(
za9iJ&<wF37C9S|j^$AD{qs6%VnGR}4t(5iium&kXuo}&XQpu;1KcX7M(6Xj7pQGM>
zZT6AxJ?^z-+$MM+Ap&$vSBF;Du=o6@ZxizJ??5b!qWeBYZ_nF*ZTy4N%(d^!(4mJ(
zscK2^ppp3%3b7}*xxjgBtR9ipdGt!G*g#8jQoTc?kpkCdaOH3R6nG^Gs0r-I<!qTL
zSX7n(U_pTvED7po<{`L;Ka+-QmM_U|I#tDU1@2B>jqW=eHCyX%sBosIULM9IaMIYp
zd&X#=_Q{hq3~I;<d*6)Wfu|*lFM#F*u5Mj9w6IGv3BTHWDfY<8Rk0np3q8(B9;RzG
z4}GFP1j?6gj_g7m{^8NtS%OP^?#a>yv$V+dJ!HrEe|S!FTN?{wrUhT`?zDl<jI(Uo
z!AIC?;82f04C(O6v$aFM-*f9MFGTBP7>gfezPXm{#NQSwc}Nm626%gv8GyWuj_61i
ze2u*Xr*uVO>}MpYq7w+ND!tkr+CeGGI5|#nuq_E*e0%=tSw2+q7mckjQENS}XK-K=
zWS}RFp!gjiPA|Eh%Fh$6L89J0w!!DF5UO<LnLL~nU|~vPjt}ZfvqHP1#Ti8rY&DmZ
z7rN=VFxLTsjO4^bh1B|*<>Pf850kp7KmKUKo&pvy0&<eJB@+Yz#kKDBGR!6J=uj<G
zS$OAbVjKbj{hr^TxmaAV@pZshx5CCR4H@BrKBl)DU1HI&*|H78lCT+TniUPOAoj}W
z?AQjeE)hFQrQZh~`(D`PJITxW;MDSYNaKLC^0w+pduVW`(zN_KCvgz&VB{cX9+{+*
z{1QBsE2y=qSk7`~djEX5gy@&FA6s^~(ijE~_{egn%$h5H`!gqOZ_ZO2c3sKNwewdx
zu{gI-`=UHSv1v1aG!dkTSW|hpzJA=UK_71$s7&NQNt;9jbV45v6r=?68D&?dIz#?7
zR^m6tkj#~1)u~s}Te?D5)($f4%Rha#B{=SvJbY?DL3iV84*%*i>ZKjXYi<1&+WKqm
zDKgut*bsOdyG(2AhY7j%C4v5LO8YKKg_=l^PA?Sa>Mtd7U9x|tlh*^*i=L!3lO{+r
zNRASI++p|stsejX%isUcPI85uSvmpN7bZ3~rYi<PAF;;@l0))M^2J=_U-BGGd|}hg
z<pKWp5oko$i_y?Y$Px6;O?pB*l<<iK>7W#3mfIOe%021Z-&yi}=Xu~l?9Yrc^zE0&
z&Qu-R6=$ZiJV+8a*91wl0Z?yXtaB&ehiE>Hg8CO?(5-xNf2Tq_FqihO0w#%HDcQ#{
zY7G9VKb<{z=$Cr2*9Zc`0SWsmH2H{eD2Mk0<=4C0<D!FVMI{NnV{>7ah|_jMHFY~!
zczxfdsiJ*BKq=x`;k$Jy&U%umH#@_VX;U>&ILwi0htVIb^DR6_@9t7t!6!A42WSs#
zy>eMSb~R+AVL}9j@5bhp#5vi|366hX+sO{*9&2{9J@7)cqn|Qk%0kWr^L>2*MC#Zu
z1UvQ5S0Nvc-=+^~_Ni;~zZtFW5728VKe0}UnZJXV`FxlVK0Za1<0R>ybq7_Bu0p34
zFkn(UPPo~48VU@BDZ!1uaBgh@XAquyy%{o-4;V6+9%H`P*py?`Sg+`O%!*1DKuZAK
zV@2emlfE#ePmZeN<?ny0AFc_?xFnyh7)c!072Ej24eDH~Rt!Jf`q=eoR%KCt!Hn46
z1lb$WO*T_CFB@BS$+Wos0hbO}mAlpf{%|J0wz{fz8&b}xMA}UEub5Bw3!4Df8O4V`
zoArv9m~ZS5JCs9tg_EraO<|YH2J82-(dbRNkUNScZ_OH(aIWjp6Smw=>^_Ece&cAQ
z1|K~<E%5nS<K`g^iLAl%UP-BMCmLMNI;FTAP`XZ{6tz2CV-QvVb-5kvYqlstT9)x6
ztQa0@RynMmpmrNR_4b^W_iqOSF|6OD^5paKGm0iT_RZ^dKZ%;?7$7xMJd_Qh0mfxr
zK+HTLZZ>eoCcQ3MbiU}=k^R6X?m7Xre{6WL>UOoUNcE{Psbu0EK5NOzD#}`BQ!tQV
z$ZYl;-ZBq5GS(dvT!dr4En96VK-LmR^~7&-8n^bcMbUX}+B?8mAL(#{ks8j{P>p#?
zXBLTN>diM5wcARq%+@q#jZHZ5OT^6^2`D)6>V$`_uXarhv4rT<Y2G+uZ8;n#x~|?N
zC}=xoc%<cXI@{CGIZ#x*+d!sgGc)Gc``<VC+QBXfV?~{(L2MC03)aiYeXLL#<Us3`
zh4HPcEb_D>tH@d_(cxEj>40f4x^AIIBn%Uk`AFrl(fETgP8!h0gh{XjnIG#1{Z{49
zv5e_4RwK29eUDp)P6E^0{<2fE)*HjUZ-c{}htAqBG(cY~m{{47O+U*I+cVA761|qo
zXS!$p1XP>eA;2}rhSbSeJFNT3M*oGKf%--2N$^yTv=pGJWi_o#o?z@mH*3+?oa-65
zs2Zq_t#7}8X|02Evh(No`KeZZr7BM15q7Ny=)=`xFxJJ<1V71tU4DKjesq#08M%#$
z!it2O<1g%*<5m?VGjCp;l##ttkn>h{)~W3H;j^Rh9eYAl%oRp`hcc)gb_}Zl^w0a_
zo6U>SAwM=-VIuPbTYr(Yhg3B(=d(4dpPufHwKtdbF8|ah_GJ8B(CF$d06M%gMFMP*
z0xZav)2UJFz~z!v);21%_y)nG_$<_=T+J)rF!!#C8WdF4x?R+p#B$=BFV6XgN5xg|
zZ;2LgLon<E%T+BRHcjzn_!g5kPrInVg`v|_o2HSS+Qa~39AlFiGXSitJ*ne5Jp!(<
z(Po?CIC+4egU(C6H{$89UJk^IoiQm9@iy7$ll98YQJQ)qn1%Sa$^r4RKvSvhfC@U}
zHX|bZ0t@PgLQH21QthBbLP6mAsc?(Re%X_^7Ztt{j{PXldD&B95CgcKc{!=uq*!S^
zmh}u?+?*jEg`+*DPFCdQxJfHyw`teqxCS4+B}1|A@bWk~a8>57H$>PZ#BlP+(McZ$
zlzBa)E4xa(BL=X*U1FutvZc`!<ax=+X4K51+P+(M@juos38l<iJp3zsZRYArypq$*
zK1h!hf6e;jWO|oF>Od3sL&fYw19Ee7lCwHUK?Sej*MWa4$zxS@8q#?UBUp?Ecj+G)
z@w1Qyf{Y^CHB)|e5gr*U7|Z^QbWJg_Jyw|#zIZn6cG>&ZV`8ddfEuA7p)*_fAD#}y
zDRAVA{*a9O!IyNAqM5mF)x8ltF40;I(8VVwU1YqZ@@_TQ*8epdJVuJf?PuSbQ61m;
zqOTeO@u$b9P9br(hERj^fU+f~DdtevelcO;o?}JcCHJcnk4ONQwWo35>4=qKdd64q
zA+`aXWZ9h1`gtISkr_`YjN88liJjLejH}R}Ogcrh5+6Gy5w6=RDPd#g@2<S=T7<*i
zA6|6r&fSG&q^UgkS%jv}5z5a`q>vD4ezoOm6W_R37szZq;Gj!p3uc>+vf%=x_@s7u
zC|QnSRN$3A!O6ZG+gA70lro|mYc8lD+auK_pU%vV1xwVbhO1H9@_=|;YCC^P9(*pQ
zZSm=8iqSRRIbvg7)cdT1UQORS&Gv<0B$<f~tOPuE9CVazlgk!j0Zf?yTGFzYg9BwL
zODfX+*~Y-Rs8!2g%j-wOEulXiy+8hPE1y$Ll*U*x>R0uOmMqbzX;ifSDN@+&)1Glt
zRB6KNxxw1HY~QLS?_0qLrGZn;wGYG1!xDPlMcRH)bCmpiQ_+HJKAA}V@f|s=tm^kd
z{*rmmpHi6KI`Ml8(sjY%-$wsy7GD>gef~4qaWtRIReKD3<hD~aR(=J(GxFACW6Xi?
zIpeX5#LUssspjKaj&LMcocmjvk1iNZya3;AbFb3`AMxE&TtDI7`ODn(OsadoK)!)Q
zVan`Bqm2<2%)(2#4AD(eo8Yg6X)$2A9IUORC;tdn?~efzr+@)tobGi;PF?C4DZ;LS
zR1-Pbgk`u!wOhy*JStytqKv;BVc=FIr`Kbtm5?}fyxF9H<TRljB0>N*Be>s%Iw5;Q
zoIpq2hn<x2-dsg<H|5&{YDlL|@oS<5_Gj?9kWu3vr0Cl4{0f2I;XYSRwk!DKIer~6
zAUhahQ{Qo+CTb0Lgyg{wj>L&Pp+9Vy%02^BOGbGGnzaRwSXqi^mc=5Ml5|yF{d`WL
z(`Kk5v5CdWcYB=@V1!hhi{Pslcd{jFvPImfeAw$~NP8BD>?z#!h(T)4W|=9i^iHd1
zO&;Wqw>%l-<qLeZPsqF5zhpPMCf!tJm+MIlBTP)>C*AI-$1Ue_PzyE4rfdPW0;gq-
zc#LhqDNKd^1d<FkP3fxfDky^I*22u^Dti2zM(5Ck^rh*u_bxXituRAuMHCz20&;M<
zSXu5bZLQb3_W>2UAj_w1@**o~8YK*Ob*LT0sMlqAym&&<A6KeR6=O2m?FU5Eb0#uo
zjgHP?g8z+Umjb;4)fvTbfd0)%)o4mxtsl(|I|lS9PnxW$>p&kt1Jdf0$(@T)W<vGy
zM-6lnfI|OS|4EkBjC?32(2E9&Bwnff%<?Nh-+D9%Wa90I9b2LpuBN7)?>2K6yKE1w
zPyhDix0tcDv(51iufp-LYv%cvCjK^hH*Q<TS}h0a)cTGjnO^VKbGGdH{va;fV&;;@
z;K0MXKe*HxkQ5rq?B~R9qfRdDM#QPVS3(jh4*H)S$)WYxm<}O@-R5c=G<`ZQu$+$*
zPU;x-z9K#sEgfAkWoE~L=yyqB%F`BB4nwNC=2I5R+scN1h_Ya_c~g(vtLDtl`OvWB
zDEU6y1G9hp11nHwbT!Oz&YM~!=nI%vU!H$m!lI-n;Nt`<!D2`w2-;NeMsIFnVy&F<
zP4;>Dod8SH`aXr@Q_9$XgUq;s+;(YUIyI7el0~&($hQ%W!P9jXvni)#2bZgFdA>FA
zm`%9nb~F5@kB{uZkjrXs)DslqoB(nAWELEfK0bjE9j-;J7J8F3G)Y9FO@uPDu5Zhx
zrT!vN%4_<?G=UCc96k-z0<Rhc7p8v!k!~Hk%dGV){cSsT<Lt(?mbj(qrQ5s-y?-R+
z8_Fnve6r}PT>&A&Z>(8<hNDFz#nfJ_i4*TiP0{?c5U_b?UdMl<qm>vgQLs-Y3-M_B
z86%VCWaO#J)MEwClmXCTH@a&aKq{cNYU4TtPa<~b>OKV&y9H=6>*@!(&Uk54sC^ed
ze{p;zX>?_0ISuy`CkjX*yRv{%aXTSGOJA~{zOt*CfoJvk1sxi2CHs~YJ8!PYMAHbd
zoA`1AnRJR=Z1-OFtmJ$gCBGD>EW(8=#1Z2)EnxoRHRZzO?9{)dV8h<uN{vO>3^_zc
zO@E<25QXR<2xI~->+~QBe^zV@xLW_jtGBp3LK4<hYR03UG(O4`)_O1g9j<@VBsTm>
z^Q%@Cz)Clu^+z>og+p8Qj{vYnWKjF={ZX>P;8bP&=3O#o@oD_pJR;*WQpVKbf>06V
zSmJT(!#0YWIAD=KrN*ZG!*hbDfX+6d<1<(Pyuv_zrU_vT(=xjvwyZ@-zX&D&aozZx
z_QV^6%Li+IPy+~odurU?EN#v!41~6dFk|6L*|*5sq;LvfxJHv6a8}+4wHol#yW-p<
zSoe6mRj!!|Px6s1NS=Ot?qPQy=tcSm&Zygj=l1K2QB;)d$P&}vbJ;8<_RlFqdHJrb
zg(~OVgq{j{LOIwNur<;j2!>CJvVd!|v?+W>u}`amC@(E=+Ak$at`lFd^yRK>O+$^P
z^QN$QKy3NVn~!qtEwnBdu>eyj99EMZ$+oBev7^@~5T#k!=H#<Y#KBtgVvqIo&h=iC
zHRRe>PeZczKzBx7rnAxAn2n^(UQ#9Ca&e;L+Vsqj=SNUNOCaePR?&2({-|Z#6n*tW
z+4Exv+1Ol{aJBuUcc*H?x(_`*z314ey*e6>Q4KD(b!$wGtXMsN)vyqlI!O&L3r@vV
z$VH#%;-;I#tSRK7T;}d0f;3uMzG-<bT6~8+7=$BAuA(Rx$&^tDY5hVnvwHTv|3Hx}
zbASy9{0{zZBvwP>8kI*HrtJ|Bz$e&eY&JM<KeDzR6Qg6YikCPi{_ksHsMLPQrw3%W
ziKCF1i$nSsS*o;&oi>sn+vF1+TgJH6mhOSQUf)n%Ip~++Q`&KiVHCnZ&DN*>iBWbx
z|8Bp5+pjCjxMw&4^qvVrzEe-WgLH(AoLU8t-!Xn*AzSzQ#`p*y6da{jBP463T#=*x
z^_iomu$DpRWB-jN@YtW3<gS%kI(TZAtp>fu6=abBE27<YXTy_`#>wo$r7P1jcW-~_
z*}NGNAa2TES`sI0gG#B~@oC$$7_Dq!Hw5P;E%qQ$E#o8YLk@GE4i&X6Ahobm2gD+>
zJY^NS0@O6wpe<ZDPK<qEYJ3lQ7il%E(Xm>Wq1@~?Lf625YIxIY+jj9{zRIvi{o~_^
zKCT9KAnP)Tljp*6rE~XM9nK`RIh=usvdY?tm#VVwRg;yS6CdHH%-t%K&2`?pye$YE
zmWh|yXz;3k&B-TCWeH)7IC!iOE5jmb+WJR?V<|#B>p}x0D*ZQTEJiP>{KBxsZcAfL
zyUO_GP*nF9;|^zxHz$gqE4pX1ps!12OU<apWF5$E1ClH7G`D8cgQE#SMZeAUvx9so
z_@P_(!gT+>GOc)2o-1+8yGqe8eYh*b!X8-e;wUY+U5|N-q}hCep^8H{m35lrN1x=>
z+xTnf9|CsDhw9lUus_7~)fg#JXrr`gD(hymMLGI~pxW)hdF4|P)~Fg?pRU5+#v09~
zdrlXti=VX#YkkIOaZ1%eF(5GjCm1Z&X7{;@_2N6SjP*8AWZ>aeaX?kPm1>$SL*`JD
z&`QEtweY`)KYF*A&si;~JuOy`K{cKDo_Lv)ulv-em{n!#>9Ov+9zk*b{e1j;%Y`SZ
zMbSSF#wwW%G_UmH{6DsU!vUdKKs)LnkUe$+>=Gxo3p&i!iJyhgz^A*MQ31@p^V9d`
zM&1S@dHZVnDS;^$8tsWrmae_F#v1<Xg>?=eepk-h`Nnv|@p7e*iMe+R>7#dDf%)~O
zd2-n{T$VhnsKxM6iDCZRH;YDB&t$LK&j@I4-Wc%Up6H?-VcXL9m(fMRuF#qgx?M*7
zF)l3Wx~Wsx?WeIWn)37W{Gjo&X_qKE=nG6rV;r{cJH4qZJta*N{i1u2=9kF_87eYS
zuE@TRNaAfTb`C3eg*<;CsI(i?((g(uT4`Xkwc_gMlcvj75ws6khsl@&z!nuO-&zeH
znLoAuIusHzQ5)zKe*e_5>NgDDeY&}U6~;h|BqVqdXv1$$h_`7Qe+8XpU!?1&PMhf7
zDz1-gcB@Z!KaAr26=6Jp_v0Ve@lOW|?_>VNJC>j0V7*RuIX!zddt>z^g%TB4mDG32
zwdvKf4qGPKYRuH_hm^Gs9=SU^uEFHH%V}lm+>fl`y+<scDdSGnaQ(w0N*Dv5GK|fT
zr*GeRgrutW2*u>w=7-<<Q;wD`n&En;`>fx;@C!`nB#2_He{!#2u2j*r!gaxTwCaN)
zPe%qZCpchs!fmAN_>;s5tqLam>T$8VFOl~;M#-g)^obo@;^OZ1Uvbqaxv}6K99?~p
zbnpKj8~(5Sy~5@WpnxP#3-0Y-%-#jxt0---SL2#PBEc*Cg}4RI%@0^vb>HE3418}=
z5?Ib*{oM5Rvib^{8OS7^%6YAV+Zqjq>SvX03XT8&I0=_~<ml>eZ7ty<&m(AcH}_-S
z93e{j>HwgZB7b?2`Wh3AV%XfPVF;7hKr|UV*fodpeXoIFP<7jla?nFI6{Rru?Lg2a
z32H5PRg?x;)r3*{$F*X0)o3vO#SJ42yv)7votU>-X=`}4OI0ORMwB!AQZ&{pu?xOS
ziQX!iDQRupfF&}AQ3cs;uE=e>7AV4)X48!r3NtA!2{LM^K~2~++GGO4GNjJMGQ&&y
z&Nham>S1++IbJ^~2(Ldal0tEl6*g4A^D$3m|E)`whtE!hJ}k~{UUXjz@`}p^h$<q{
z{~Ckz0i$9_4Gb;@sx*!rx2qZ=;0qfEkyGaUpYihXYZjIR$^}4)ypVgHBCnH^r0^Ok
zJNg-;Mg~GASqeX>ou@m2`Z8LN>P{R~PxEcMPJCwN+?*<Y?Dd78rpfh}mG*~-1lF(O
z_EeT(wS}p<EQgtnbZi9uub-lxdHZRP7c!7i#G%0@#p0*o^xq0lBd2hnK3>?+xp>ZA
zEuHz|(&C}XH3&pD&vg?p8`_K=tT(SC;qLB2$@bb||DAB9|0XErf04fhK$0<BLvzxe
zfID^9tDz#d0r&rK)YpQ;jzd4(0;C}5MqtHbGymafumiZjfczVfZUM8ly#$T~$^mea
z{0~@hKZzjHwn%(g2Y6#&Huu0kJUK@h*+;m8)Z+jF8g!5D8OAu!sy!N06MB*Ob48;E
znrZf}y;V+lJTL8};|Y9&(ctsv2y^aHP{lG)obwuc+1)_`@tVP#@Y?Uv*3L^8w|S_m
z!Z&d9;cs2fwMYNp;>tCUx0oKl7|nF5Pq^y~R)~&@VXL}MLDifk5m<Rd11)@ME&&QP
z#pgG@>EJd#|7v^Z+#N_92urBm3;_<*L@&tf$avG1X=T}()t`+FKq)Mo1k+g`oPe6_
z?RCIv>f5sSV@v_6Y6a#7{chZh0JMAWctmi8-T0DC7D6<kr#?VfpUG?Ep4ools(TmE
zTj&1*<55ytYYv>j9cEn^z5h11CIdF2y!C4>)5!LIq2I9^XWv}Cq4D=S4QdaaiCB@^
zy9EzuRL+iAg|$m74H0F~ZO|Iy^y!VkT^fF+{2A8n5t3H3A2>e(kdY&DDL1&rHhT)J
z^)Bu;PN~L%ims|y1H;Oa<x1l>(ZHR6X0MQrE&7b<j*@$?O1q?Nk#?2t;C0`G1%%05
z&F|>Gw-ZnUBd9wK*DZ@xP#%+->s8{0=3f7GuAL=}C*F@iji#w5zMzOB7kB=|VpRdQ
zCiSIYjIIITrdV(gdo=xSSv$Nypdw4yGFNkR;x*d4TV$=x^VAPRomQ9_Mv)=^#S7?T
z5-$J@1X^IC>B&cAzf+#&QjSVhm$NjlyooJ8wKi44cS_?gZ0`!9akLE;4dTTpa-vEw
zke}>J(}Ix?af0}Rmnjq&m9lij0P%c-cSAWRM4a@5cIBA+v}}M-CmH+m;qJ~?+-bJ|
z0LID-;GD|f(VJgR6XJaV1m>cg`liOp8p<Q5{&Caa%C^G%u<wDrO&O?+TBMzsiq75N
z#K(j8ANOGKO-QHulxWk|?+~;Da~VNR{o_o?-l)T7Vq`cu&HMIl*ij)<;4^4&=TCUW
z+ey=p2u(^NMJ?ok$y5Ksk1n0nR100SW*-5((i%V%P0OvXlM(>L27o<hn+RvD%9xKL
zQK~Di@5;RCIq2zR5r4C8O7j!X)CZgHPYYaC!1)kF4{EpLX6CV6W;(gTqcvsyhktd5
zY``gURnYH;hg7T-y|gIKu}H}8oA!CJeVhGq|L_Q#<^j6Ze`z~>Y~=wDq^|tl<s~g~
zhx4ObEK8~dSw859@_G7pS}YR2zZ<U$e;sz-5S4vc;fm!un;>=~QY*N;Ji{J3dzU$%
z87QYhje)BZkz@Kj=>TprfWgNW;hWNWUAx?;Y7OXO67CGEk4;k6eyn$%_SF)r$`eJ;
z8oj?-Re83AC*-ikI67|z7K#y~DXYT%bth$l3`S-{q;xD>hR@d5kODiOK63UyB4cv>
zMt+Kvngg(x@CpuB5Ve-G_&J%r=25xLtTM$3Rw?>ac{(aw+1BoF)R~e7m-qp}@-^J+
zQQ+j|4QI*G>_JRuBg5&maxp`ISVGGbqcD0*Ml{XwWA$%6%gw&T`lkx<Zt8yCS=%6c
zSnV{Rm<6Y(!}*krrm9gtS>{No8zsS{esNfFrwUo-F*9fbyN^M!n*8Xnub-Aruv9y-
z>UFktlZG^a65UjG___JrCy8!zX*Qsx)fD*qH)5J)S*oml8aM)Ue1?IF)-@<#8Mh(N
zTm?FOk@BZ+KjeBIM5t0Q)h82M{Y^werGWHa-=UMQ%!{^xBJS0={nn?^-M_fjzsS)(
zt^{@rbQr6FE>TxK#I|OkrYAg2C{E-p*hyR1#MO&Em!mI9biew3?F(Kojs&W~z3iv)
zjwsjaB+WpCZCMUoD_(hjZM1aQ^+`SzGLpy5)}D5XjQ#*0(slM@5T+wK1u51~kj4gd
zY*I1W959WYoSU>86HDZ7dyTHzyonr+xS;buX5HouE2H&|JLxdVNifRcJfkS4*?fi+
z35?b?$|g;Nr!(fsp0bVM&@{1e^G$BsQKM4|f%gtQc$^}amPX#0gZy~#u0_G3czoni
z{fIK9FBhS2GPIU#{^IMAZf>GKtT%ZiVq#K_Q$Re!zRn6OWEr=EPw1Zf$RgNY5da$w
z`Skz-VpjM3wdP`}_C(ZkYyXnpUtT3aSS|mi+;g%mTbqMs`VXPc`B|N<(&pA93uC@!
z1pLMNRB)O`|IKmLGsI$8Ds9%R<vk@X`LrlA!ZDZPz{>6j014~5R*cEUJ{$=&#3#SI
z3l3C&cpsYl8TXqKDq*0WF$fN<;pA^6yv(kIwSgqj<Tk`KAr^E(S2TY?Ed93T{qGel
zBGcU3%P~=_##|PFKR>g)ym3Y1n#W&iC9^EZV7!bOefN?w_u@tovm!q^oj4e6-I77s
zv{`64ZBb9@2c}%g<&&$ydJMklt_Z9cMtPWxtXQgJ0(szDiyDZ&8!nG#YU9;pOq%wo
zXvV($m@>s<D%yiN$jL<kTC{*Y_f1-VJbPbm9}r>$51NLn7mqL{#L?$<pks59VQrT)
zWzL@QJ1F=D?3OSl(?Q(_o(kKIc<l#~UZ&{hOu-`3L)>@$-=v72#+I+dU8+ko&#-k7
zGE6$15qM6=7}gZmKVJRSuB-JQ9+o^lgO$;hr4In7>=6$1g8E40wv>(qT-i5bNI7Nc
zup_w~KWUh3>*(yIc=??1q{o)okp~~1afckGC$~O$t_E$r@P!2BU0Xh^1u(d|OEFa>
zd%ICQ9tkO7Ut##rQdeKmq<l<)k-8LL2lGnqt>V6^b+LbV3LdS?7VTQRURFOgF3D?e
zdi2+|zCdQ#-W810PyMrt*poz77~_0@hux5>Pm$Xw=nUq*bPi6~sj1_DdzMpl4pi>J
ztI(|EDUvw%ECK}FGCT!elf>94Q~_HbP%qO&7-vpLgs(h}4#LZ~`D;E~_G2@gEG~ZD
z)BpAK!YQd<ubPft{LJJ&PA*mqoxuFXI?2fEfQjgfk>Z;XWy?0&-x50PFm0_AQ^3xA
zXE5LIT{$#hZUYzSqyAa>_5No`>2rT~CW;F@cZuDDaeot=yYH%x<5VcJb34e1NtKZo
z*c5aUGm7OyAMa{}gw&EiXs{8(q4<+ZX6};RcC&US%l}H(T$^l`N5Pm`$Udbn@plpR
zgnn28_YlM8i|QDPS@aWQO>g|uc^VvlVYJzdsAU1Ou+T?b|9BP3zpm-mVv7{DJT)R2
zn0lgP?u}p%GhwBT(*#5~kJ0zI!U;NDVF=4;Ykd`_6Oh3qR2$E)PyATjtIqOCPe=YZ
z4)M*UmM0+tb{>0Bp@rqv<~QB1jBUy-ii>1(nhSgzJ=T0dC-h~|IGWaL6man4gN*1u
zLW{z*>{7~tq%t!rT@E+Ry-gNZ>dupOs+6*@WT6;@R+5D7In_wax#{&|tg;*7#?clK
z<KeT!>bRf#mz<;0_T4i$`{AV#;tz;*=|_PaA%VEBDEyZ@OynHnLu!@~eS5g7rx1{6
zTH(p|P1?a(*OX@idB6TmH2NYE?zk};VM-?fhRrhW5LYt8v~m!8-C-FE8ulacDStKm
zh|t!{f3>Qd*TNe&2!pn%d-v<!({y@}I4S$M1{gs=af@2P6YnzM2sh%=&c(5gfNGqU
zY-&o0>}1?`Wu>tl!dEaw@(ZYj7r(_lz~~BPBM+r7O3kJpsz#P5=UtP#9WMSPEF|%O
z<2C){96Z~WP6%%f%wySDGPEML{^1cphsh?H4XpW{dPW)=xol??a_FgSj)-uF$khJ3
ziqq66&>2Fr4se>CU^&iM1kl!M>3O&5gtm1N$aIuO(D;$H{6XZ%ph=H$(c{PMXX7z}
z&a=nu3-(`m32kMA_slQ~48m$MU2>)<M*kv46()hM?l_&l^Aqp@TNix?Tz*C`)e#F@
z6Z-zPCa<F2Iw0E*HGX#fPI-yAtKc2iI0?M#A|LVdzo9FMi7kUf%Vu~t#5a?8-!fps
z#=OZ>rF&I%fB@o-XY+DJ(2eVD+)Jz`I;qWW`_+A)!X@IRPu0!!N;&UzEzK$#9$H>K
zWWbk0u&8T@-<Z6f^Hwh0`gnX?gFWPI$hEWa+Z#5W2@zmnk|UgZ9pgcV#1KJC=_+-O
zjPN{KUr^iVCG`^L|BJf!4r;QE!alJ80s^8mK|rNTQ)x<lEp%y0Z&8sNLlo%*qA0xy
z2oVras?<mcp(fI$ONUTGf`F7jLJ0vv-hJNL-EVewcXoDmc6Mf&;h)UFz*Fw~KIdH5
z?|OFr_C2m5k)uL=!^&RUQ2W!(2@%Rp27tg?xf5T9B^eNqTy2Zn2{=RqoZz^&pe7_8
z0W*ORTJM7^@7wdZY^|F<F#pnX`k{p$Z={0}hhfRfpg!(QnUhMzW|!OPK>Z?-3ND-M
zog4L%8-!_Vo&4?TuULXh7vZW8!uZHZrGUV6;o?b7I6qyBQeQ+IKD7?IfRPwntR-@^
z-tUI<JRs~K-r%5(=+q!vi(Elh^lnP#MDIuS%xEMM!$apA!>~KJ-~b+1f+~mblszm5
z-WiD7ZM%9_*+6@*)=B2s4?+5{{7Ys_`$DCBqY_CJX*E>efjVkZxs`>sz1ZZf6bkB_
z8%@gDkN;a&yW<QLm5*=!9~&lzQw;W6fOZ+gK^3D&6%m|6Ey+WzqUGN@z@>J5BZH8Y
z4Sq}Yd2!$L0Gr3J`UXm_raWFKRjgEMEjmgUoS#0r5l62i4|ifkVM-_8DpuYTSv#Q@
z9D+QSNK<cL)>S^}v<<X5aCkOS)SN0il7kuDRw=VC=KgbN8542-{j3WO(M1K3AB6#u
zjbx%&Qk9PU{DWsieKhF89Ok{>lz`<=zt@Gq@vh6Cmv?w$9uh5Tf}<?#CN$01^JnL=
z2rXBc!&XV8wR@`1)RXvxlRRet1mn|Z8Az%K4|KkS{=3Wv1oU8WPdf9e^Sa<Tt{$6l
zRHBb|Xh%H|<R0qr-KmA){3q8XTMcn4CB{mC^t@fA9XZ=z`6aIe?w%Lbgl^k@D|&%E
zghhJi%1qUTDGI7;J6g16>?~O{&t?{Ry^x%~%<=S6I|*?5oDKW?=1>W{@YsZ|s1{yY
z$>v*&M$UWI;eFgBrUtbw=YZbC`TraZGWi%Uz-0+9g}I(IwFr|lHe4v8?-oZEPabsP
zK7?=~-xMr>ZF%M$aUE>UsGu$JxNCBT{k-w5nP-;uC;8@<n47T#0cn~ZeUH^mK)nV{
z90!EbD<KDM+{rlIo=%FZCl#0TgA9#T(ozbg{u<Gm&34Xp?Lp1n%31P)R0Q|MZOQFy
zFXnY=LT5nM$(>E`SlB->jzYRWr9Q2!0E|{2S-0R6@>&9y7N-n$7$|(cwi58vL}X^r
zfrdDS(_OISp>M=qetZWIE(Zo~|0pfqV63Ep(Ni-CN4>06@Ogp$So5oTcDvDBIe`DZ
zFK<?s@9Kvu{yscu`_%t3W}UAT1eOWMCuHU39s{V@wj_?N`X)bJv+u}6##NfRHQ?rv
z4IjqkMbd*Q99;rBx|E0E{1olnW<U$=J=>{vz^^=K1j{(MSf`fyK(gVJute0&q_tZ2
zi7U{}0<v7U7z*9N9pBWo+MOJS(~Yac$6&6Fwnzta$0%Yt2$A*Uf?e5nmSdF)hE7G1
z`vnuu{nl?BN=f{)L~oe_P#{j1P^8e^uJYNk0MA^v-pl_osVlTf4!Z-<R;jkeCkk)2
zIp5eO|1$zrTCo=r78E74Guf5Nx+W}ooSAIQ0|+fHh+_jf4;h(Urx|vC%77A{$x`mY
zxg!yHOYa7&<@ExMD5f30&!Jg|$u6jD>L*&y@%?*CSbkcq3E*sP+i-N2GyU(xj;DE#
zzy@WNd{j9yYI6m$2fR*4W-iE#UaE7O%L5vW5mxX%wQyGWbY?NoU5d<4ef;6ik+15S
zsyaL?E?{lLFUO=x51+-T{zGrfZ4Hyh|K_zFgp;k17lCj}{As$Fzz4cD(22E~#9X66
z4H*-o^Lm{;PV2WGNcRy6QjDtyeC5Rb+@7U4VL#{yt4F{gC*Z|DE{e4D${^uRELT2-
zdC!)iI^p9la{EZZ;FtY3?6Cok6xq%{@Y*;f?G)}Sltp$SL}}%dZFT~m!QV!|eY8oP
zRh?>BKEANz7gntOBo%G~lcMzyut_eL8z!|BO5xsK^-YNj>GF7w3{Er<&e1|4rC2BR
zy86$tj3q?eV`=iH<uTaA0Fr;8G0nD=7ON^ICSq#<$gv=g7ob-*e5Z-p4qKAD6}g+U
z#>+SDi()gUx1T$0Rfx@`Ee6Kxf)hEGR=&Y0X~g<uq$l=Li$Q+SeK6?4e2*)^lDV(W
zlxpV|3w1r;rxjnHD*2F2sQdE4<B39STFy~uyt%C^xUQw|Q?L_q)CbUiNaK5DG}n-N
zzmIV(tJK_+A{G1$m~fKRTIz|pO1b3SG?Dbqt>kb2OP{K$ZE3r!7Cur@k}Ucb_J1r+
z4F=*&Tf2(W!F==W3(f`?CB`bk?J|F!`l4ty_vJsKI5Hc%SPI%PVgL`|j6E67$XP7u
z5BX6NCV5AHqpmog1Z+4XSMbfBNM#8*E#r>1=qw#T3mLoJ;z|Jeke1{v03Ff)vD;M6
zI(5{f`Oz&VO@~1()~hVSl0JeStXDOA7H*?x{)^7wPJxj*6OXUc=78swUC1^`5U0=1
z##GJzitUVc7Yy(?GY3+TG4wOX7rnEhKhX8cY35EEj7SJeY4M}y4fPk->#OUz^_lG=
z64-x8+VM#UVx$;-4#{nK|Jlhqg*-Zuq8mbdQynKRJ@z9oqw;yMNhv;9p0duPwaZ)M
zFX~&THe$dLYkMw2m9IaxZ0UZH-CF<P!FO4ujM5O)C<z)}oMU%yBLK51r#o>ZJ=uG_
z-7XeeFD4YuO9OWcIjLtHdBoK<LmWos3axYRl*GE}eU!T$#s2exV8ZIz{i-;uM))OK
zsMARn)?;{vyIVskS<9mgNdFKjiEhy?_i{*Tel3;ueGQ$#8rC8d01(E1LJAT^B$HGT
z7phbKC@xn+g}cS6qO?Ow#u5?R*-Z(2tK~|(t0j4XA~~QDkddKLk!zZbD~Lh5W+M9J
z{AwWvc0``Y%iEpzZy_J^;JAzqeH&cn_ew=)b^7QHfwH5;3sv4~fAenVB5PXJ@%k;K
zqi6P*Ta?^n@^<?HZZ$>~qW)mS?^nV>R@67YjQaYNB&0;r{rqH`tG0Yg*hGvZ*}pgm
z2W^Ln(x%sKjNZJKiVQ5cC-ULL`OYN^EGlfCVf`$rP*g7Iqy@tt1SbY=mJ+vlXz%as
zqM)3B&ZKp85t}wBWId3<C1ft^{8jzjDZNiVFF3Czw*NYAsJ0dndQwV9)0GZLYb$=w
zT!kjCaj&44pg_anZK(S@A_q6Wrwx#Q5av<pm6gEu#w!qfdyskD>|3hgypfH~<8x09
zuSUqFj{|-g=2<TtwT2%Q{$!*xU9&!8sZ%H*9nL&K{p_0fXQwC@bjz?`7-FyXC%F{)
zd0!W|K1BsMP!Z;I;c@YaI!?gJD^Ko@22470;K0|owaJ6A>0(7ix0LjY=fv%$d^=wl
z)Vbx{Bj?SSbc(Ss_-J@)F&XqOTs%m+bGU-W-tGwQcMcid+U`QE6?@-a7kJveI{f(;
zNuo%(_LZPD6Q{D=Z|ZtBL+rLosrrGWJMh3(hCwpeT_#oBR4F^?zc^6551tTMk2sN{
zJ)o#{ESb0GaRzmmMD5@oQEU*9atA%XxY{0Giv0H)W_OD=yVGZQzAWaV+USo?s`6<@
zl(F_)j>#6*rI?p=NO^H|VNizpn8c`$PZrK3CsJ>9_5yR9p8VubAG6!%r2k-NmO3=1
zHdo2R)LT;(F#n}WR|{ICPTseT`lBQ?@RYuGRg2UbX%qc&#o^u`l?$7xG8s>PWQyM3
za$JBzw+|KaYW`(9Nk0p4Z1szrt=GEmq@N>^tc3PIK@apzTo_Sy!FMfIGq%#Q!c)?*
zf~}eXp<&8;&w$|Rz$k{G<JxXecBh6|^fN%^KPC@)f{h!2`YaD4pgbv2hagsOMf)GG
zxa3x_G?~DzWIj9kE1EhPuQ%EfR{A&m4#FBcxkz@e1Q%`yB?MgPk_bp~F%9&DjO1EM
zB=S=FdfD_O?Yn$;y;IjoH0P6k5Y5j|=70pJL7fqq`;ow5?L)W}t$^xHyGC(02N19V
zbUE@qDpVMH`d%rxJ_MhzmH5|gdF)zK#13gb>+h#1qmqmHPVmZm7h8bFtcSCCrwtaZ
z9-|{L=Y<ub3oOF<=yws;5b5r4WueI;XaFMqrB4NvFuq--&|#p)9y<o^t}5dm0NX0s
z?VBx>arr3adnr7I+BA8acp2n6I)g@f^;G}NZn(YJoc(<q6-OtWq=qX1BjIS0c|M(w
zBG7r_v)Tq{^Vt_3<nGJ}LG4!+QG#ZMu3Z@R<<t5zM(+?AElfb)E>pYAx3L#eZg6fq
zX>=mED!JcrZL~ea%xZx$a;Qx@P(7IaY6-f*m}BtLVgPRqOp_?HCl>2+m-e98Q{Ah~
zQ;fR>BpvNP>-<ptGotx<V{Ph@uB=wkJ0D-6`|Z*%ZQxz=u7H&bx%q}%-U(;k=e``&
z-@fCm7U*yi5%iV@?h+LrO@lq2EjrkGq;5ID^GEb0izW1WZ~=Vqi(3$WP|2jeie3jb
zId07vZ4RBom>$hYyRBBD>M;&^&Xz91$1HSPG9KWwHZk(P!rS}DwqVjor!}GC=%v|G
zsOm8H+;@YU+MP8+yPfMBD!#(8ZAL%sPnUInG5_EPy#Nyh-sfPL6L9DdgfdiVsiXK#
zToi)HT~{<P8F)|1v%)gfo@FDLS8BckeEM`Zlin9Sb2m2g{N&raGnL4uKur1Iyvz47
ze`%pGr^YaK+e1|_^gwy8Mg7>Aeiwl0%x*J#GIYsi<x2`Te<`U5Yx_=ynT_>dHCl0$
z%Y5?es@k%kga>cXFf{|{nXD4|vk77s=)kn)J+bvgr^<<d<&*-%pJPexGjZo@;6<a>
zHfvnTo6{_&;X$<A9_w*H$TU1N)#<`9QqjUe5IaMQZwD`SfmOoZbRiJ7YQLSFxs)Mb
zl_$>4O3L#-w~hXMl~u(uPXoaVaJM|1>wRDp<>zREzeKBAA{r#@&q}1k;f7^UH8rt4
z+fqPoy)T;kINQQiMk+1DpjiAsYs+Eh4Zi5`t}uMQDF;9vWYnY@%Y+}K^pJLDn^snV
z5mIF@L_TM>wIJ|FfbxbKK^FMQ!J&y14Z^qUu%X6ZcvebH?Z=0yX_i=KSb60<xNuJ5
z{6|g~3bZSaopy#m&y}BQF(sS`v{!ds*{;B^-<<VYyAt`($0L9z()Ta#R-1gokY0EY
zqf7UK&b6RpYQ(sB3wa>qpbPSZ;PD>vbP}d_N&^~I*SP5b-iVEQFfh6R=)Ck})2l=;
zh!6}1N`EqjH5Mw#Q(f@WT1rxhWiT`HY9!2qa(eh@z2$5N6k4{<9~jG-FfjX&pK|XC
zVhdR(FDrcLJ&@AvV>Rd9q!ik$>3Qhpj<BKD_h&Y2^AD_zuNDcFdw|Q=8w&=is3rzs
zBw@2jFR{|xQ#2F-6t}>h+=&qY+9h-&LN9DEt1A6_NAL@V{WXfp%U=N>@2y5~h1fvb
zm2m2WZPFQ$T^e^!E+?hN%Z;B>$LT%$m_Ks&htZ$rm-DFV=F7O(zo%AoN!kLjI+ti;
z)DL4V=7G?PAW)|RzJugQWX_9LDR$&g4leB#SuW&}xjpcrHf}^Rki{foHm<uy-e^yi
zn!W@~BO*S*SSk9|MP52Qd0h^o&EIrCyv&aR$8(<MaLd%KQxxy(zuE|f>GA9+%*^l<
zD~{HD2u7&)hh@d3?b~|E`L$4Od<vEW4v&iWcFl0j`*ndKVfKr7Tp$7235~I3@Q@EW
zmCkG|$dA%TLi5*fq{_)}9?Lh4V83_<Vyk0p<_f&-+)*8*z5fsLE!^&~zk(>ELudxY
z-dQiVA%Px&OPm_Q@%EN+ExzK9F5BB(uzGv%tPnXlMy`M{Dprqgheu=C_cS>`oQ%Pv
zF|dpDl;2<R`Y}K0<13ToziJq}4l{;#-H6n9oQlPaYjvm?O(wk3pMrHFgElwvolN;w
zyX;-IyPo{)dNBsO<=r<mV7P4BuM!Xw=JAFum9PHk`4Tk;ku|ok;Yl~$I(+`8Dhrcp
zeB0YmGH@B&ysA)%n)?KKgV(YK+JBg{Wb5Qu|6ze34}J2=_urMd<zZ#_pl$)~mp>RN
z|1h|Hnw=ya5Htvkl_<}*7pL9>>iSB$z!JCc1K!U~_2fDJDS?cSk@91Qw+Al`lqUqg
zVsn4~j~x!<2;8S37!SE9def9R%x{p7L&vD>{q_S3H*y&IZQQGzxy09WOO^?a7`VlJ
z`y7$WPXAr_c-cr-pSHwQuM7(AxPeCaio;PeVbsZmWC*o+q5m^QsT<Bt6CjiYb#!KJ
z<q>qx*WEHZU|dT(7S(h^c;36&v@@V+a%1zO9E+wQYuu`iaQF<K6{8$fBf<)_&iR3q
zI;2yBL8^kL0Yy7~f37UfzORe7;?Io;qcd-nUD82UU<#C?sUERJT>-e~cY+2YiXrT!
zk^CMbI?JzP3KR@)6iZ<ZLk|yL6*b*lbt`~})Rx-ZT=|6IEs~y>z={PIjTwX|G>m;p
zwVba*xX;p69>e9Ju73eh`TyOq(0H!GNuiDijg_dFy?7GZgW(u~IaVCPXO1L+kqYEH
zJ~-jA?v435BdHZ&eEsF)KfQcpcx=mMmU41D^&eU~QAsGMxf7!aG~>^7IJEvjEXZOY
zYDAOoZjC9BI;`&I&BA99CFx9VdcDu>Gts)9N~eR$sqhm7+&h_@R!)FS#qZ?_4<mz8
zU@x;U*&-h%)Bbr;??{l}2uYnOlaTo_JJ1lN@Zro()0c5qz~cK%w#28Uy7=(P?n>GU
zxTxZWTIHP^P^0gv3!~|JgFf}kamx-Hp<7{JfeR3DQkYE$oI&Z*3<Ww|yI7X`&8ttc
zNxJSc&EfwtDZ}r~prHUvc}osB5CfX=wv#tY2BcQ<uqg!rgkpZfJJQdL`M~tJlFR1S
z)Q{4CwOWjr1acIO8%w#0#}p>cFIl_a$`ps;*%-e?wI&#+gFFcRv~4GJ?G#4M8_RL2
zhi8FJHCDyZHGmS?lwx;MbB}d~dFcGRPrn3vW92~ZTcs{LJ|?}m+QPhyDov0{>)!1|
zGtVY001fxv3oCb4%11yPoN*^yjZH~?IHTg!JI^9bnwy!eEN&YC=EQ9$Tc9HyN<flM
zg@!@_?@2fd1=XDuFFEJH(h4rsF1vNj;T}h|h2hmp35!z^;dsC|!c8_{u#qUX=95~^
zl#9ddM_pfdGB6WJE&Ct@M9b?uz#8y0+xb=7_bhf1{NY1YaI{~Im{K)usuHGpQm1o;
zR!&X*y{8+Mg@|Sdt?$yp=o&V=X5$I39f!+`24?Bg5)pza1+{j|k%4y|8)v;IUw;bD
zQ$DcX-}_K_0&(+i%?cIv?d|g2TEO2yPBfE>TEqWLGUREt9WGiUbh%QXr*Q<2)4HE(
zROES}k#GyN4i;1pzjx+lszn^z^SD>1r1^f^{y|0qEGqLz7uAy*%o&&;#iNTmasx==
z2`aG4JrbiC*B$B-&i!Ud3=_>R8S0n4aO<|*V8h!f+w+Z@7Ti@jqQJPQ9z-&wWGV3m
zHTMX)CzE>|P~@%mUxNa>1e(sjmdM~oL%*9%-tLm@AK3YEPr1c2<>Li@Uq7nvh-zha
zxRGi}w$q5I%T%*@x>Kz24F_$N+O65t<JKvOV~2H;_{NQX3OdOT6qU<|nQAep@Cq0E
zy*Evt9W;2{oHRK(ahqjL^5chlsVqikvdCB*@Yp5lTnIuMjrxi4nS-GxnZg5OFdm9h
zl0@St<<j)3y;uS|_Or}@<e4+Oud2QViIF%cND#%mQ*5Sww=2ZGgd#LSe^zb+E^>hB
zj?;xy6`pfy27FHRC?D9$b!-`pkG=8`WBK|$p9f~1gs-eK37qi?^!z)GZ>9ubeGn6^
zh``E>royl;@-Pu_3abWL`{P+?1sxcL-#CL0-WqBJoF}Dz$Nejv1K9|zgg-W*b|}u4
zFx=DJdLRE2qf0hVR8;v`e5B3lgc{EsxOENI#!>w!{i(XErg>4g7h}3~i93>^byBE{
zMs7Ovbc^zl!;woHVx0DOt4C79yed}Tu_JR{k%|lBCAK1re#(o-o_%ew0lFg4Gbx5r
z-#lJ&mcBPe=Yacjp$XeuG_|3j%c|%69*$IbD8S`kAp2F+Bo&_NSU10N@%R}0hIFxn
z<T4rP{KOWU=G50WTi!=aLj5}Ya%swcbnSb;4;|@<8|n`hC&__uj)cL3u2QWt+@0KK
z2baDZ*=ya&S}yng^)TFvWn4Gwme}w?__p@l0-`xdj=Z`!9IG-f)-4MB$C0XuFV2)q
zZwM_{CJvGnegs?gt&h54K%Yc|Hb9>@aR*7di-`+ordl+M9uP#t+pyD^>$MZxkc*~)
zT?~cLh75a1denxWdQD%V<_h@Bud-6Mi-VgW_6q;JM8L*g)*>zSzGMa;^uB8f7nn$Y
zhMbY?s!IFT<;HGrKMT-XDf{X({lDVyf61{4!z;??q?!&2S1)@n7UDhnf1!`neb=*V
z%%)O}T_xpILyZdSnoW1LA20N2tEZv$hZ}X|=&#7OKOrofPkMB2lCcqc&81y+>RDUm
zEICm5B9n6yD{hawtdoAfiIhg!HPdPdK$tg@E`<=4BGYxak1wu+W^24}R%KIdEc$hE
z9Kqq1kI#k88eUz&D#M?O#bPvow;FcKs73kpl9Gs0n+U(|IT!HdWb={Dm6j%xd1E4s
z|L|K}n{ns)u{0sh?=Ld6bXlFe0V<*`LF}A&R`@rHSR1e{oe<Bd%qtm>T}7iNP!C7-
z2KdQs4fmkuLn@|{;<m)!c4WL+Mrau46cbiRCEjt_HS?`cO!PwA4@`@s-2#`x{3f$Y
zF}+?sO`%(Ty^JE5640g;OJoRY;3MeP1gyZ{a%IQtlS@ycEl?M~Gp7wiW(G3-O!<<K
z>@Y}k1ZHY?X-nna8t@2M*kYa_$a7Kn7;*`C#-(b`ri*&FZ$6Pfclh=X4-TuQ3wgH$
zjndIPDX8+#d0>u)3c=KWqo6`-jLYvBJ^8bkI{7SJl^cU^)Tz+f2XjqweWfY9hNVJB
z!`<cZ%Z|WFtrnV4mvhFP77o~DqN7@F5jad_%!*YW6waH7<2Bq|EuPlNdhyJhY70y?
zu!<J-|5c`1JQxu88V{gN6++9KaSDjO*;nS)Wf+80b#6}hWdM;q1C>*%MF16(FCG}F
z6F|u^qHH=^LwK5gcO&=&nI|{cGZT1-UuVFZ55j%EOhG^?z9vNT7%{S5n3BVY%4aQc
zSHhi2ttV1gxO-w%5VBhrV&hR~Bm7ki$GME^U$IZ36<8-!3?Jd2?r0|{-0ZA~b8;<k
z&B9sDDP8u-shjzW0%`u;uQ9L8fK7SNsvbBN?AC%bE5{`B<K%8f{I8U)|DCY5schMA
z_)tOTDxfh`1hf(b`|Pi2A4kS)c_<~@K~P4!fbJ0(Q?<~LoTwYx0jFMQ1Ue<o`!A0|
zkOKx#J>Dn(Z_)EDf_b03kQax<RZJh=yL0w97oPq==5XbJ7*I-p;>6o^E|c+H9LN}i
zEiQq&aQ(NB>zGuUL7ibQ7y;G{a+xnkd;a|SgG{xzj=bTMVwe1tK0I+UB@D+Qo&+s~
zX4{U!IJF$y+SgrP^hKOvpRHWYSb}e#?eJlnV_Nz~8E(%LrUy`@BXtQ<V=ZEY9QF3B
zaiJZjwXDkS^03$P(#w%r{f_?cocOs8Kc*iB>^3+8o!UhJcj8Nqj?of0NnVT>;{uOl
zE0;TYqXiHa_YF_})*Ros_Q~~z&gkiS;n&^VwPt?fYj<VlVJ7pq4M*JkUTwxv-6%-e
zCdcb>rC_52=*-FTm{+-DcBZ3w$hrXd;TUu>-`#V(hV=ZD+?U0%vf}qe@TY%mY_5A%
zF@IrW%5a~TXtq*Z(VkwCIGSkMk$i!36f-c-Y`Y7E+y`O}<p1a4*?$AH|Nnjee;6_4
z?;=yf82RmUb*Ho4g7=&7`-FrDo%CINhZ0R1(UJE-^v)RU-dCFAlc?SM$L3U3)MVp#
zkQYYm*x+dUhrPKbZpP<q$&rdB;qu34f~7}~<GMVz(EmkAim3*TG1%q-H$QjMKKF%n
z%%yRuhDjyJzQW^n1+WErWIy{myI@Jnm}}0<szR1K3@?H&tgctnRtSJd0ggxPIXa9Y
zS&Slbin&BP*4Ct%nwmVE+81FtGBFZVo;A@<Aot2kzJ=b<f5Dl`B$2i~Znab8;u24<
zJoH-odYA?4hp#a_-qO%iNwQJ`MldL_ZI@<ptb30f+NJn5OM9X_<;^!OV@sjYl}W=A
zG$iul=Rc48HY-04uzh880`=oTTh1E-J)Aq~pdBL}yfO(v$*zvOPfC7Sv9Iz`6j{xE
zexE@#y4>B_!C9Uho?m93o%Jsh7_Nys*seMLSWu#X8CtNx%%kC<I&hlxF)z(vak8KS
z^tZ`8rg&n1LuCx9>J0P<GHT0I%Y0-{J1;nyXj#ezJWXl({@jjpZc3UAX0U~lr>G(I
zqa+w#30<GOm0d6&RzLNqjuub6Ra}Ab_}o>=Nr}+&=ymgRgXOfnyL(g<=WVLvhCKuy
zt}9yi_m83b@EN($No!)YQPJOE?vvry9RH>v6I4$$@J6lU5{+4pCqF8;SQNfox${XS
zsi)t1&dgDor4fV^r?QhlB-<N+s^j&uB?aRN8y+f$x!{I|d+y-*+?S74D=Wt>RN|!s
z4J{gOVAcB?0JfNoLoj5ya__MI#NKI$bbuc=2{%%D7z_mKya&$Q<Qz<V5%BBu{5^bz
zdZnr>7B<vh)beXqK_xRhE^D#)@;*J!#Ow(WIe-8XF8rG9Bs$Tf)Ug+QC(29V&#k6(
zNR58q-&bar?QUvCaI5~cvQ#O~%0+L<pap{d2Ag+qzjH8e%Zn0HdatGYEm5gMN3=TG
z^hY&wks)Lxpp4&lfX-##>wZ@v)d;CX#?miw6O`Vg5=D=C+SH?<oa?vNvxJ;B91_QM
z#4;t7nSaFD<23I)`oJGC?;1(fzbpvU@x}S2y^Y8ECmRbV(9ngGZRGbxTj|<kO~;~o
zRB{&MD!fgTAxt-?OcoG1J=&W-O*xEH4;)&*2rYaAy4-31SanHK^Ukk%1#MKbY{a~f
zug?Ec_MNpG2r|RIWoW>h$FxF`o(%cqZXv~7oOM!Z0S#?8B2|ZSmmiUyuKLC<SUvYo
z|0}ku=fh<6^iqu!vxB`LIu0S8n&?10TpN10u^!~Sx|v9r2QAtl$+K3~6scB%NC+-e
zlct)-<L!_$KcM`=FlvVw*w}XVU9A2{JF!WOpMGhS9!g%>ZP&m@llGyU-uwn;jbl~B
z-EX<4n*(mXTunOhRsOQ;QlfV^w72x-!MXY@aPfjIinQT&ApSG_e0Udz2Po@J2EiRi
zI?Za0VQ&1{QYDoexTIECMoO)QBcMXrHR3%rjZPQ7!T%@XAJx$y^deWv63~LQ?Zj2Z
z1CGMQOdpRCAK04f@uj)@Pd{(koI5U%d_{P>elr;9kpHD{;m`NNij>{$7~SW(th5f|
z{h$)3QJ4{t<1h4*WmLZ{MXKbx=j4>ktt%s5X-?Xoe6Jm*q%v7z+^#huO&RSi|1#wT
z!*7s03+tT9pEu!4iMm(*WpYzG&lnXlLx71SmaY9d&57~4=6=nM9CeG)EvpNX=w?*v
zUBb(YY)N`^Y^>sOJ!JJwB_Kn6L4cy4neWLEuSRsIN;EB0X_=H6A-(0}F5W&WcM{%C
zvAS{U&N&X|pRRe|z8AenGpS;PLh)_~ifzrNd$axUU3jRL!Q$#>2?6`IW*s4VWkd<_
zWJ*YF90f7AY?|1I80w#k^=NHQb<BKx)9$)fq{S_E-b)VQ%Cu7j^!t<&V5C~%S+f8Z
zWo^zne%P>El)U-G6e?Mlh_aJgx$F#FwfT>yn35gy%QGW0$}#^kY3quwf?_~Fq9Ygz
zK}}0G6#Z->{(|Iur>!#J@{U&xO*|bKQ<@z9X-dB>-JY*rkbT=?dVbIgkenpZ<tTWE
zQGe%9{mE;Sb-by<oQ@ACp>+yoI9b;1YXSkv4|G$fne!Db(jQx;pA7}NP89_s@Q!c?
z=KaP+jQB|+V2B1qD3G^1g%puQC`ZQbX>iCOwG@^b9Ho~It&$2wrC(XOd-mH>`=%T2
zRyjGD>NCnXhjZ!4zejY;R28skXrA0ZdEngo@#;14W7EB{N7tQ)Y;F?x3R5B?HqC2B
z%roaP$A?Feh`HCGY1_QrZKY)cD&H#oxc|@=tatSea#L>j@Bpz>aLm5T2wSF?qw?SW
zzx8322l3#ii1^a*+bu0+;vm1X?Stmrg%wArhMjsZR4ed84yC4HR^D)$mDPvq-qoXd
z-r#?k98T?)g}3Q)Kj{*ieb9az=rF+BpTa^{;huo$@|WjqylWtOaF$WXyhB+IoXPc0
zLICF5zcg?`5KhDw-=6gm>}-$P2$S6()Hh|BwU7sqUay(n{gL!cTqQ#9?d@NW-bNpm
zuf@qEH~Tm%pwm;0@iJW@dWtcU+n{Wqec1;8QpkWdYv~fPo9P7IBvDl|Jf`IdA*~!N
zdb$OC!bK>_QmP(sP?M<eDZjBDB|UT1jq{?Kx{P@9|K>&d=2=nS%77xP;<q^G@g@DX
z&{k~g7u)~k!dsq10{^Ja4#OHZ^3Rq3>rZX-U_K|wbcN#w-a@Jev2|fj*K@^`IW->x
z_F$5L1<DBVVnku^)9=A$L#Fx5zKJNK$5uRB<Cf1#RjYRxCBU^ApgkyuDFHZgDf6f!
zSokGT@#L=f!Zvv-wc6V<lI@0suZ-R)-e8lMm|rsY?yl|SP51mf0wV3M1dWQZ;M8Ln
z5;ONog0hIN5+fV@<Zf5PKata2=w~-(Eudnd0nDL;ypARP+s3*_#wH_@H5bRA8@5U(
zvgq~Mxx;>f*e1uKZiJ4^n12pH;Qo^p741pY(DY_p8%KTLleu!E#pc$6lW~T3U)cx8
zil_Nyd7n->L)*<~rXJD+3fJp(_<k>slKfj;ww+teb?oUIv!&<L`ZF)bZTXr_Tr>EG
ziP#zu7YL8Un9d{h_xHyYidwdJQOFJVsRA8;Kw!lTq|vrgxHh^(uab)<R!U19+T2PD
zLvof;N$B&;1F~UWyyei4Y6K+DE6KERNl=i)5P<QH0cn{UBQR+~j+C={2ScPbslyz#
z`yzXj+^v=mP05^P@^_awP+j+XoD|m&rTw>LZE@QMV)q#ay>PN6awZv2zarYU*@NKs
zNB!ki&=h?1zNx`xR?3)<!luGDF?Gdr)m}VB<ofxaokWX&W_F*qURoU9%mbFZK#kU^
zXum|ebzt$rWt5hCPc==J!mdBAmOvm<2VaeJbG%IGtyahU=1>c3kGr<j)#VStX2qdP
znlOQEp@Zrpk_T#xW9+ZPjdtvh)%Pu|6c0;EabyuK`@y7YqQ0pM18+`ID+L$gT@2qz
zG$2fq7VVA1-*PD5H@SJ<7q9AvXNP-0E-fZvS_LBa?)o**%`4|=@lQlywPD4KwfE-g
z+n4LNu8Nd@5cy<_9C_$x<IIO~@LJ0s>kVM@-a5vwR$-c2VfZ(3|KoKaa|6t#HeF$u
zIZd0OM}|kLD)D){Tmdc$T~8<5>opkqTDvlxZhPqv;xB)5dpi15q0^W1Q<I-8%Raq8
z$0r~v98&2PK3_mqQ@zD`i^HrGgSLJ#+}L6l20=OVQ-g|d4SU19hvP2~zUVw_3VBs~
z-^GL@Q=Dj+^3&)u&s%&aY7V@>47>pa4_e0jIko1ey>Dt)4qQ}x?3rWSB=)>8xx4jr
zoTOmy9aO=*-;{Z;<ll(fuf0mj)?qW`KnB}3pd?$g!4`OjaJ?tW#bY^fs!=iiSU{4r
z7s4xFmQZhr2eJnn^{k}$?pr{H7UX_mUntR}{4r@Iw6w=G1OdqdRDNO?P*|SnHQU@9
zt<Asx#F^^bZ&sOoMwmVYc^UDxXil_OcYGJ$X1`G&RYFp#%-U-ykV9(rz}5Jja))rv
zx{k8?!+oP6A^&5&uw|p*sa7MpUP@e5X~gd^yCWz<{x%>Gk)BX7+*(Qx=)FShBZ_IW
zQ|g`jPTe^ptwYfBkSUcj;=8P}mCQq9JC^f=*BX4l{(wn>i7|dLlXn(T6IuqPU?Yz!
zUe)67Nwovd60MjnYM1|9ic5vhKsy3;Bq{Yj7-H!tv6%V`YvI?jNy>o6qkTcJFiK?>
z`!XoWp2d~DC%{PJw02osSzZfP2fc8V#{Fh-bRO7g2gqZ`*J+RbigE8@Y5L2@-0i)K
zjpP;(xZz)>*cTsXwJSU{cNM2!_;(hy4Vl@UaWOfzrfbk*DetLYXtz8H=(j1B<o~c~
zLOn!I^UhtDHOsYR$Vqk}8;=3CBWS3`>H0^=Cm2BVID3+*XREwwEm~=0GHFy22q<mJ
z4-79Fb8&bGh&>#$0fnOV-Yfyi3-wI}WcYlB4ksD1l1DfeJG&OLUlQYQ>h86Y=J1Y`
z`Pp%1Hs*t|`&n_bU3$#cS;c^qjXa<Ra~I<d|Bd5J$|DYPt?c_XcaEzZmpk?+>HtiQ
zM)PJ>)O>S~cFSi;6TR!H6@5lFSC94h*d#?kI?&uK`lsiJ{LuMY7at!0U26-)n9@n8
z)I%Hq^SnfMZzaFCAuHAv0sMmn;mN9t>qMmsLFG1+J_Q-K6NNkc{ohD-HH%-b`TWAP
zLjC+LsoIuXz#_jygA%xT){o{9(OUn&^pJmRgF-E*6k(=i^WF#bw`*z*Bsb9tuLjs<
zjLv5-S+ggU-2$0fnilSd`5mgdV@TR6)0gTOuqs=aRb*AkPyv;d7R((HE<y{zx9!+@
z<*{vDZzO-N!8Fx1j4a&2>1G5K**iO5{tz!-)1S7&inRV8Z#&7e>{B)bQ?)(Vim!?X
zU6UzHb>>5)lGe({2FS_r*c$F=j5?TSU1$OuU$I?)J{Fz>cw-YVUCHsQweoLJkpnFL
zk9YX&1JB+zLJQBzR)%*kT$sQJdxl>`lTU!)K;84-O(nJNmd^iG7xH#xe%?@%aXG~<
zY@Z7-mt62Zh`S+Q>63jj8~(Dqd5$vt9$xG7p3Ko<>tGvMXA&=?%F(FGv9{$?f@vME
zdeMEj<x?eUv?Y1<#&-HleSTFy**nKY>CGYnXy$#Jt&0d*EOLpw6(9V4&b!v3bH}*G
zX-?<xg_OSgpGD@O38ouwzn&s}dJ@u%nLP9=DULUnoVKw+=P*JxHp-_44|Kd~z(#*|
ziv}eldxU(j`9V)C(T%@X8XHG8OD6X@TBYx0ELNv)`W=>pny6{coq_U(TF=<Bck<ER
z0YA45cr|o;9Fk*H^Vrv)ID?<e&U;f|fkPsz(yB~PJ>f;*V9G^BOI4l1Ro6b&bjSIY
zeFaJ%ff?#-|8G$=)|n1acKd<ST6bwUrUD3X)Spt=FBg_o`L(aW4I1|oo>7o^ItY=V
zDtAcy;I~+?O86x#!DJ-KkUxoQ;a(Dp)L@P9(Yju*BSQZ2(d65M!a4IICr{t|x2|L$
z_>otrTf8+}u@iC4vJ%Q?wm(^<8ux=scFop~if3J3DsICOy?>_$C6dpOOE#Y@LRsk&
zQ!U(30w0Eqk1K4*bBeZZ$g^sgT+WMiYi?`|mTvg?wj5)BIo*=?0?$A31c6PXMZl1E
zH2JN}(?K^zYEsqY++Hcl)U{J11O45=Ju*`vzYzc*dOkZpu;64?-prZs*5J2_#eVBi
zIjkOCl=Ggxz3W3d!aE-5SkerDtJwhPtNA%J;Vjd1Loz8c5x@|c*V0mm4}W;|A0`Y#
zsQ)ranUeaW^|{j;E|`Y6rySq$3=!ytco6w8u^O}v&{*YO_WXU5%pwJ^Gn!rO`a`a<
z4-7Y9DCf@QnpfcI?<E6!JG1>J;XuhLLO<A@{Ff;g)0C&d7{UICeh&u=w&aO;F>a1;
z3dwv6(-`YI>PD0di6e#*3sH4VacmOyH`@*FFP6R8snUc-<*~Q|W?sWOXC=l(lkz*x
zf9zFre2yKOC6mm2fQEp(=-Wp2J4{>vF1$#D@1u!r0AR6>SfQ{a20rtL_*21uT^2w$
z45CbviX6e;&X=4ee2U<{`hM^kU53V7K<B187SNR10WvBmN<~<&y1M%OuDnGuK|x#@
z<Lf)rS^ZxZz#%{0r+Ir7jAI~x^Nql4|IvxS9ITcAr%8#mgIK{r+WW~7(DMtz<E|4b
zDvgsU;qNfr+s5u3&v<L=0$ydFQ($iD;n+;LeKYa&UhdVC7`hk`jm}2Qd1FM8j#2v7
zVyZ8!0P4)j{Z`=U^tJPiUa{#bs^zcf6@9}~`iGyQRxlCyA8@E9@a`BLG1q(+)f@&l
z`IjmCcxHFIYj_&b4i|=ndJ%KL<`lQQn2I{;XqqM9#3~O8Cy<2h$wnCbXngxCyL(aW
z6>CbuL}Dmao-7utb9$D3vx%&e4H$70z8LXUrJsfPWVi{3n4C{ZPnAvIA--_?cvn&Q
z^<d}(Z>q6YIfS$t@GlcU91rV2s)K0!^i-Fa!*x9MGT8)nlOp{drEtcMqW_-wHxh#s
ziv`GsodN={nF0)`*=s8~mTVq+2B+2C{n$6{y2vF|PO@$rR`dZeQBIG-|BWc8DPCf~
zu5*ndRZ0}jQJYC}kn<Q<lvZ1x^Wk|p$He)OMJFyl2Zy+g$M)gVz$4S@PDm(Cmf@vq
zl`KKY`^hOr6iC#PCMvk<W$fCKwdbaAl07-{@aI|JV1+_RSsUnP-$wL#md&^4&iaA?
z+|x7jvveC;qI5ipQ=n4=8e0W<+`VlHoNi+Fb-9O2|B0668?$qIKutHhAB&DW`|how
z?n6rht7FK4<IdP`T>{3o6>}2ie@9!nZO5|-(wdW-M|CtY%n-a5cQd6uj>+2M4&dH6
z^ObK9=63R>P8WBko$VW~_F=X~b=11>u}9PjShHOCbGDx?|G@<f)3d)qj4qWk84j_r
zPJ8CNP;1Vu<!cH21XUv<7*}ZAoi4)F<Z_T#_|0H35ChlLFj?h4Ch=VA*tzRZ>fr0+
z9~ao1Bl05!Etsuna>wUsa#T1)6C5rwqB^6Ry!mH@fSGIow2o+gHRIXH%38d+vSYiQ
z?5%c7yL=zk=SzPbWQ)g|7J6Z+H7>E5lGCE)>7-ElcIeT(^m=ku9nj$o?0|F9@1rP^
zc^~%AZPlIFm<IHlhk-599{w1Yz&Gu1-YQYMIrJ!1J@X1Xq0s%T@<lgVEwIuY(?TiD
z-9kx?M6vVhH6U;R83*Q>-e^k7_Cj{>!y2|pl_g0W<JRt`XxXdN##fO2AVbS1ZZDc4
z%VXvrK{iLN^nDCgJItJ!hB_9a87u)<qc;_vA(gq`2%ihlqx+n!c9`Evn@>~jx3Il=
zrlNdK@P@kr!(Qe?>5W1?_%Tlq7jR&8&nC~&H00o{f05^p!ip-!9L=9;Jr1s(>v$tv
z*%^5K5f;aPPd30^(LNS9wdkprdF@ZFwss8v3DWIIp2oLfIbhO6Z2>d#z|>^;O?ODx
zesh10?}js{K&s6ak!n=j0FnuQ_9DRA{1eliitPye5BNI<Q&6q~xTA@y;i$6ei%Ps)
zrE8~9Mx#{bi*vf}D0TFuu#8Kn+aEV=rZfM$16jZwSaHPRB`Od_*)B<KP0OLs-PY}c
zjdj@AGvGp!XwYJqUVP_onz@BzbJ(+%dtABxmG=NAh!NVSHQ7Wto3}xJfZ_d9Y``71
zEm=Md|AEw9T>$kpJIE?r&#!k>>ew+9t?>=TV3Swy3;$;w5T^eJAG(+<HE2N~lxC~s
z_IN_N{|F$Mt>^R@UOG5vRtpA^<yTL>1R@JIe!=dKmh|BH>e#NNadJGmRhVRH-_lP%
z{qy1}?Voq{v}I5@y@y0BaSuLm6JU9)cT;rf^4z3hZlDcp3oKAjY9P*sj@`_wJ6wQL
zAzR8Tu;zfRwV~JBPD*t3)kIx_AG{qn^{|I80VY!Q{v9|P;7-&6{j_5>tqR!ekt;rq
z3XdO@o2A*87%qKYn7e#YU9k*5V>@#y=Iq<hkIH{FtYy}77B+UdT$_PO;B#O$^!5CI
zGs<7Wj0J^%nf83GRMq3*e>efG2=M9A-5WxWr!$!YLFci5&ZwWj#7>yOkyRT61pO@_
z_C^9av9FaL3K7zJ_wMjoT3EJu;_J{K{PP6uJQZ{ri`KKsHSD@7g5VaTkN1DOrOGOP
zO_X?b7gu4I@bTsieAhPaKfTteG(#vq*kVoErP)#V?9G1Vxq;U^k%@LoDH&H~e)V4F
zTh^_s0lSFMddWRj6qcfbjVwXR%U50wqIvE|Ve~fxi9${-iSl@FJD!|Oo~x{yvF#)s
z>0?vcgqD9nP(in-)CkP0WWB#)?Z`a3!iO$fTIk@C&HwF;k@Ob`Jx^nKES#?wSAA7t
z8H{UN9xop+0`K$|$$9U4dF4+zHW#Ow&bM+SdRDD}jBm*LmUgKNm&^I~&g0At`bH;=
znx%PBI(zx0L4lz6T|$!e-ykBJ0S88{{98ldyW?;)Z(q$dsv9e=YAR8tZu3AV>-J+~
z%fLtfYc`Ci$??<h@yFr)3@-9q6Fk}-5JqXeCTi-k2Zb67MD%fFZ{%zihbE>5Uyyih
zyhXe#c=o5h1UpHG*Bf(tQcK>QGW4F1$F&h2DpU6xwYFalk~;$q-nGZ65d+;|73aA>
zuO_F!7t27k$<cHWP*}kx75BMC9|RJ)<BnXi{Y4N-s^!9V`HW%gVI^s?*$`5EC~)vw
z!gmL+J2aC_1@!RQu)ESpSU0igQRn~sr-68$ZSiIShU_?sW8;_O!|??}$<~Hk6GYU#
z&kJgw${&(M)vi4L7OaPE&bz)@2e_-KD@W9NgulISucMpk;NdI|fP<w<((sN-jWWo-
zJRG`RNU44MEr3|FFh57v9^0GeCPc*(!mfQA-3!XV8;_!T72MP*_s$0;3EZrV|CRDx
z_{*i;OCUEo3m`uX0r(!TiFtrDiAPJh1P@4wvh)!e-XW1WKfy@B%0IFz|1!OFGDK=0
z+Vi>TXWZ|-9>JyK@O=Ymq6aLR#y05m$&)9hicxQT6bvetfxm2rp|hX0CNXi8n@2Dg
zqv367`$Q!7dLHnWR@1o)X8@!Et@b#8Bbjvg$7z^*`crT{!)PfqRqT7!4o3YX9m7pC
zS<IvJ<t;^}FXB0Z0^2p5hu^|(g{tPp7k4~^Ds(J(&#t_PwSJUX=N8lZvzLg0Q?Q#;
zi`ZCQ4(#Gr7j=qgJQNv}+#Y^y%8g7K`fA!k7gug0Y{-3R8tb^Ip!lfya!K^d<Uj2k
zJVNh2mB~C_%^3Mme0*GMiH4$zaSGO3gG)w3=$d5vb~$t_7x-YU>Ie;yPyUUJ2QqD3
zV#&5WcrLnTnZr6-0DnofQAI?7bUiUY!ml=Wvu-)ZxCG&|$jcSTC)g(84SP*%D+Hbn
zmKJ~-9ptPQzj$(E)eht6N$<@PyzX`7dg`g?yl>ggNW6GA2opbcU<~6q!zF?c)LRr}
z5{z?E`;7%9FIMG5y%RT7oA2OcT6MWaJCGWrxSYaaCgh*|+|Ukc_460sI-dMwct+``
z4p3}IxWO!HfGX_uVx@E&gKKhIWnLNpiUJYa)#9@)$*VKdCY-H(wTi~(SK@bd#WdZk
zN7C6<o%i3THcb)Y;FSz`$j_arN<F_X&w+<Z)+juK4oe0D$#(LvN3>o-s0h3p;4jK8
zhKV_hT^+Cc`?AGRr@B<>%ePKj3shu_MN<Lig3~VN3{%Rk0G;ck<PtT4R=U)x-f?tg
zCrI<>)cc1zQmIQX9qKEEZ?>T7qkSCYpz{Uh&0ynE{W4gw_o}W3K0*z9TG#DRRg86>
zHfu4tugl){nl}U=kAhyfJ}3Fj^8*jiL;84{6!GH&=g#|&<q24tL}XPS7}y1W)8wS`
zuBJm_a$aGfvXDWAz5bO2<=p1M{sBj=twI0ivfX^^T@bVWiQc}UlgAceRdXP}L(lOy
z1#GRW$b4gkwGp%=7+s?7sJiF;3Vi(FZ{@KWx*cA#o<~kmieioD>_Lc4WBPnB{j~un
z3?NCS)@LEmBaRkGfOa&%pA9F8GEcR5Et*H+dF2^0K>&M=i|#?Dme+Re=oE@N8X}ic
z)aTlwQm@P|7zxY}??1I@&{mIwKS#c6LeTl|`n3iUl-je)mH1$a4HHYXtz=A|ghO#*
zR(p0lQX&7kNwT8#{59r2v_!&`f@UAEnYIq(rCEI;t=D04nlvlDF?QqIqK?5OmiHOS
zE=}MG`xA<b<FPP+sv=Kf&*W3`s7iEkhI@6nm#*uv2d<hbqEGA}z*p-|hUJCNV--&t
zU;5~3(eDBAblkDP6JVKqAxMr`6;DujKtObWBAWtGgk&yo{SWo%&38>Lalk6KS@Ry+
zbnaVyjG^rTPorg>;mjeHYG5kR^Dk2^XtQW>cDr_#ex8EvOcrV@_3D;Fjj5JiJg`C-
zjwxP0JcUk~`0QwiaY{Vv`Rmn%HSQ3tkqtD1g@{}^bk0DB_(VI-IqZ1@PJh{<g?JM*
z7+QTaq8DxzKC{3+7JdOZ$S#tVI)J1yX@XA*dHB(|lApHhLkF{WNaHD%7ijc9;%G1V
zQMMw(_JmIXmtj-C;i6iO1hH6MvK4d&-8Sm-H)OvfNVqFdBlqK=$S5jt9u=oQX7KCQ
zBk@n19b7y|Z@pc&Wp+*q0W+fdfsTR4q=NDMX_r5Z9;^R#${bft@=g6x>zngTfDJx>
z&pa_)lNL)L-I%gQx6(YSq~4Wj&skPH8KQo4j`~nu?MZL`aQRjAt7i#J=3$`I!0@IT
z)W!jw6`*GP$Oi6w`lQySrFo6r2OnrI9mBsNFGe<{-jSlyv;Dj>JU~jG3nI~jX&?u>
z?MbDM2%U?DTGTyFLv~K$)Z;MHPUc>Oa@nVu*t+Ep*Zg+*&cDuExC*+32)$`N7gT2R
zx(Ko?s2S)R5fVJ#ssRbO*py>7;(MGHa^x^{V$&p==wf^PoH3df-Um8YNq@o$YzqV_
zFI20#fm)sqe`xrOzsQfYV1uE_k0K4L<Nl(hdLDOrk^ZyR2O#TRhhSlX_mfDwp}M=o
z+%giVZ^J4`sbhN<Z8F{>M~Uwgy*=vKmMcnoK#b4hc3P;YT~`R>m17gQF0;th+_Eg{
zz;^ELVPb$72cUd_o`E@2I)Xe*TBhV-59P6Su4De&T;2|x6BG5MC{I@mI<i>rC5vYV
zvwUN>eh`Ru<5$3cyBXbrr=}urCWYkg+{cZ(-X<=t`zUU=u}=2_z!*bgJ4AGeK1GCN
zF;gOlbwk4^o#lNICXqk(l%2~KxZJ)<F_(CE;#rK*>h*6<!H=A3$j9El%Y_t&=MxvE
z(u=APsJSO-Ipb{?yn%_*PvWc8E(wCvx`XUO-xsgmze~t2sqH&!K2{6Kn{jfx&4h(W
z^|+T>a>v)!Z8`lG&QJ=`LZj9F<^+?|h@&@mSR*r6s^6zYJpb%#6_<NV(2d1{m6EY_
z{CQ<Ttc2u*mU~|}@}_YLt3X6iV2O7wSB=_h?N3LrTWbi;mm;5sq~q*xMuBgRf85(&
zmDzm~A83kH`4lSc5$rp&xg>{zc)c3nGtw`5kvd5=nR~PRp><8q!J%)e$xIEamiNti
zRkx0{XPagjQqr*j-OMAI)6D3$5JDo}dq<~Z_1<fxyu`#6*I(Vk2+i6CSJpR+KG8(z
zdDvxgRrZqh{V5xYe^eR-TCsquRZ$Q0x>!+j&CTY<5Zl?ZwA_D?Y{0$93DTG%@`|1D
z(_B*$ub$A6@uD8Ej4qRkJqObn%NMV4H6v~qf1H*+D+(^ZEc@iO)%*!f$!eAN7`N6M
z=&Y&*Lvk2b$<5eIs^ymVUG%E7-kc!$hnI}=+O{<fZz2fT80;0er}_KvQ`KWI^+jic
zHX$c8zlL*GTk+p;86{1};VWJ-OAQx#yyPNro$`-@ua&z}A+)sMV}D>dR*F@+X0NDo
zj%K4jQ4#Nx#4Ruvjmlzu`bu;`Gq~p5FM*h#B`r#~%T&_AVc|;QREbp1ApxzH8|fpK
z;MG^*y>QE@xqEW;gPYkAHtF$ecz@q=+3#a-jN?fucCi2`ENbBiI<j7B0MtDj2(zhd
zku9cua}%1H8Tzic%~>7&G~$8iVA3oGGW$AmX#H@N`kcl_xkOE+u@ZE}JTU;F-Ia3R
zG(g+&2`%>Z5=S>hOWo4t`A#2Ea<u<O@O2YVwQ6si%5*EQ?V81!^<}F{W*H19eauY5
zVa>B}Y}Uo`<z9;o2V45{*4%41r~$86mTME12Fb<_#y2c&y^To?C46vk00`_|bb_FZ
z6X5*dqw}Ld*N>=j=9j=X=RFuaGAkB8=KFab^}dvPkz~vK$e4J)=mBK^`yYE(8{q5m
z*((up(I+K)+T5M^T8~an-OhfW1(6o=|HR&V$2GNWYr}C{P!UkNQlfzLVxcJ|BGN=a
zkRmlIf)oLfULz{KL{LCMi1ZH9rAE4fh)9zfLhmHhKnm~l-0wZx?LK?&d(V68clkqp
zCa~6=Ypgl?Gsc)oV$PUOC=7M7JNc||;g^Z&GNF$Ef)z{!pvBK&G-&L_+N#3xZpv{(
z-eONat9t<lx?ZSBy*#Jac(-in&1ytXkHA2Jb&l8T0s{+cff>w|3eH+zm3C!LGU%r+
zb<Puh^W9vm@#^A46-rIpjOn|^NBDR8HlXP4Q;xW&T*t>Y*zwktklFORIR;j+T+yAR
zQG8?T95$fq#C`}Q>4DI&t<Bqsc;vkvW893nruP>e66gqd6gYI}FD3sl9P&Tm|9cxL
z#}FT~fEu}-2eRp!QWD(;Vm~#sEX%+pwK)YLw!~QA8+2XhO(C-<AlADDT?Bd;3c8J^
zh|G7ODC$jp<R@#(<kr471Q<nyh#*o8A!gb<SsFGe$&tg_CLPUiW>a@MEG%d}2g*NU
zebKw`L9oF?mMg-0Y0uGKsDo;oz&FYpwYHB}e@}leph>Ye=QfVd>l!@EN8|V8pEx#F
zaQKz^^@S%5U+wiSKq5D418r|@)~)3`P?$FxwFoA_RsbcWcJ6S>CG;TFmQo)}@!FC%
z>nQb=Dfcq3p`CY@zcC{y^bt{7%Z2#T4(7A+S%4wtm9U>adlxMTah581i2bx3m7hNg
zSM5g{C0EB1jmP-NM@CpcAixz)QBV2#bByWZmOO1Ub#fk_ffC>V6bx1dJmcxk-+j?0
zT4&yyS#X-tO8};iqLe>)ri57F*3A6=o5|Q)g@8IyKwWuX0sTPZ>w$@)*#<%r&WPWA
z^RVsh&GqcRe)bC%--JDTm?qEzm}9UROB|ZQ0II52Orbx0W-nS`ma_?2fiF4)q1Mj3
zgRy~!`Vm{A$e%t(7`jsL(sGxUyXW%nO#h$G<D~$%tY0w(qkgqc9j{*<u(9%4rM!G4
z1;I6UQ*r;Dria{A`;k1WmqTkFw`6LY+#{Wi3nY;c<DnErM7?1qq64(UMPv0AzD0Zv
z8HZtoyJ6GgI}mm_E`>thu1N8P;hR8IQ!ajQaq_zkg1Q9V7C_Xuu#kYhd|G@RpcRoM
zM?^i+^8Lb0{`ns-`OUrh-^yGR0+Ta-yyVB5ZQQ5bU4EDN|5J}%!D&3A5zd6Dw@#he
zmQP9RCl|FYtr$9puewmuK%XbQyU63KA9<c{sxYyEFw#+G>}`2LTxN`tXr{Lu@09i<
zRjBQZl&IEyq*16$KW$5aLDU>(<pG8Fd$mtAu)-WNe`g}hfs}kT4Hkoh(#cAVAsOAB
z6nb334b&f7Tg0{B?XPgVZ`yxK!Q3yA{E;{O1}myxA3cDwCrY3Py$iS(Id86dS1<Kf
z<qxffjm!3(`mu_rKye2WU`YUm<7KVyHi{_=K@WC}bN~nUmpz+fa{}(~%pt$sTaQhC
zS6-w#5%%&W`<dg%_aPss=5g~5m{}Qtp6*5mzn8Q8J50IfHcYweqOZ?t!F>{`sQG3s
z(}KO=vG0C&Zftr1ZxR-L02In@Kka;Zx1!5A9#r*RRuD83-<NfgogvI`);RGL?sNRu
zqImz@fKNo0rRnK2rtgcDO<B)L_U^N|`3v2hJxmj|e1xR&4$uizmL}CUF7OFSBZJVV
z6RW|zZI5(J#~3aKrx7n<+#Z|`|K-`Zjrqfb;ha~X*_#cAQxochtOeEyzZVO8GW~^g
zN!;$dde2(Fs04?`wd<9Y$VFCaW{<;=!q?GD?gh%yMm<Jx(Q7s9UgA}7<vy(scpFPr
z6LFvTK#|F|wxyhM7SXwjnKi@P#=1TnN?a5C!;imB_=WYwfswm324fBj<S|tPeY|U6
zrnM`}#fStiY`g2KYW3qe84vIDVLL95R@Ui{FVq;GRi)hDW2R@5{ena7el#X|WW;sQ
zLD#F>y7KvT;~JJ60B*_$wccI)1)}62dBHgh2h3c{UtYW~)vy%JL{L%hDLur*w6C0D
zK#3=e>5_KLod<9BBtqB?GW#?<&!y?;rd1njO(u0HCueC&a2KnQu}X~k$^r0TZ@Of{
zS07PRbCs{_*5cnm>eJOF5w345_3j#Ch3R7X4P0p7-Qoy%py3|7SVLrKAl@d7k9OG%
zz@NG-A981DdN}V%c|Jyc+vPyo{Q;NZBCgAwYU~lbaeR&Oy8C$8AJKgg*G}tN=-SFb
zL~#tG;%q0n;5pJ{p$!k*0e@VCR^W#G0h|x&(PW4!wBdnOZ|5u>dxY5)$)tU!4f|gO
z4AHB}#?3|5AIxR$x$SSK597al^kBU?o9kM$bjvl}Zf!A7((sj%Z}=SuHKI<gc8@!>
ziTUDGD45VgLFQSzQM=vCyh)JKEUzqir8yaOf&S=+xl5-2nnMDEs87bBHVlG=5m*-7
z@;7e_o?=@Ny6k_uWi;MK-@t7uI;7b_FMR**5kp3S4-f+-CANHn@~uIDrg#Fd4D%$+
zh?AKF;XLrYg5k6sPi2*`FdAD5gVos688BpJfA4D@uJqGH*%0#qf8ESMf5Ee1hx4!<
z{lxcXbbvYi#F6{lRn&2E-8U4Z0&~~A+{LrZ<9T&$^%Ra73=R63NRGdrs+{BZ93i`{
zt}jum8>f$$J=K>yGwTW(#y2q4lvWCBE79+Z;L-Ni(|!+t1MGXu1c-u^Pa`MEF}0`M
zS5>;!edLK)&Kge;DzlDqV4<9-sfaNYTj-ix8E8rs62EyW#oFTXVSk&=!~9iK)AN?K
zL|8lD%A#}o1&@nXWRSr8Wxli64_CgBhAV%MVJwh!O!k(*(IUs~6sBV48=2)fOUiph
z&F)<Lv?;(E9riS;u~1m+LJo=*bU@MyM3-oyEUW><6m&P~$&csOu%-)gHn!80F}NLI
z)$4pK>=GpM@umFM5R>dyIp#VyH_==y$((r3TapmW5@3#}YQXHBFC+*#kht42t@O(k
z6$XnP`u8Rg<z+JqCl^~{P{XXHxuiWfXb^=B<1Td_r}fl<bSkUkbo*4GW6EG#`fwZ1
z)Z|3e@U!NHuIB=lI@g{SZdK%0hCJ*s+$Iqpf9;(uk1qTE9-(xULxl5KsYk~3wM;l<
z0GK1<x~kB*mM2IpC%aX#3UfS>i;&k`j-C4W*;WV}3&s#Oj3$-H(-1(%f<tVFGTxO^
znsDT_!2YxZ`U?rNnSHjZk;?hX)WTM@mmkTr@>kVR;3vysq+y(tR?xdxUeH^itJ-)B
z8320l@`aQj_;1=8WdtsYNl=Rke2VnA@sUk6o;}7iSF(`jRv!aCeggnS0|Lky6ewZ5
zX<$7Z6X44<Tw9FI`=v{DMU+L)su5vbS!4aW?F7xIXHATIJ#KKT7hc*F<c|oK=p6Rk
zT%SWJKQ~IPH(Rk@*Y{1R5y?pF{q!&59{EHZ5#)Qky3<=Bb+&RUJhNre^qUQHmW!?P
zE2{gE?*to8vL97pY9ml>c!OeVj`KG`tgQi@4TACY?o(`IUrRoSyO$n1dN%l8)IoK-
zBaQaoCKb;f_T-!k3DkhUvRbrVmx|!cwXVFX6<PIexPQAKN*2E1N=|e^(|X^+XEcd%
zh(1b`!Kb=zTa|R)i<xUt?y__9V4jsNY+U{DX_+UAHDzB>=B1;|3-SWKpWrmU7i@aL
z{6H}24BE`n>*$k6o#3DVs+k|l#(c{=cUJEsA7q>-Zizo_!Fq+?SZQ_Dp{H!n$JimO
z=32`!!5zrWu-6uMqvQ3}c%tU-MyZ38!l^FjK_52F^5Ww1fZngY5&^8I6xbgmhY4m!
zFkON`q#^pSMx?(l3n;rz@AQUaYp9xxWK@eK0tz#leD0h2&a+PHn>O%K9Y3BoCpgJ;
z+S=yfjjW3gZ#=Qii|Zs$AMxb`kq9I~kM}w5d7b=$u8H#JpNc!HF$9&hH=p|>+l-Ah
zO4jX9$pqC2B{a}&D3aq5*m!x4IoHiTeb3ksZ__+e0;;im<1Op0s&0FXcdZWn)y60H
ztyp6QS$QVn){O+YH3U}IOJk$DlqMExC!E_j^g5%NDFRMv^BxjjrnP+z?NwF%#vSXZ
zei<x0h{6T-b34;poPa=#bvklPZw$8t=AG{LCTwgyBqybubI`~sEx&8W%KZyKb_=F3
zF<IqspZFG1YPWcI(!#=ZIM%`^avWWD?>+RGZ+GH>E^n%PIX7n#srr^B-3M-Ukkh=<
zGKYF4-v}rX759f2a`@dex|H<F&un^3<>~tTasZ2wnBTe<9RaSpLO;+teWMeuS6C8u
zTUD}f$T)WET()cvWc1m4COHkps{&1R3!B8eO%J=ArRBKiIy!S@B;dM@EPcEmU0uF$
zjvPr6BhvbQ9$;xe9E{H@NnmUj8X7)G>GYEQTGDlmVwC;M=jp@QOuB-PAWU<*+D2D3
zwc?Z=L$0=M17O;AZITkB?u-AIN$>y6wg1V};W>z)MeE0E_d&}0a`?7D&iNZs+#2tQ
z&}R;^=_~shgGiq^stP|3jZ056q4DFFs`2nT2PSJzZyFb$OlvnVXjB05kvmE6xa^Ur
z3$lmDU|2pp6`5fN!ivCnB0$_s-!VEd%~{@;{MZtoi#bty22qcgM$#X0uH#3n+d{W3
z>*ySWpl<Bu7>PO9st0ECG-7exB{bhQ*m<>}0mUr*m8*GWZ^ja6)}R2h`3NaKDq}C7
zULm%i#e!(K1kS1ffb&3u(Zy&iC*|V`X%H&YPSlF8f?5rhI~*T=y|H}tp^-8AR`497
zK0wM+PVPXG5#w~kWi1d+%>Mm$YdaCD`cgBwbObe$!VUxk>zbjPBPc*4T|~Xs7~M7>
z1t5xQ*LEP3t0@Cwv-`uhh4xbD5l0c7Fnl0+GXq56^q{!spqmwl3WmX!YhWNGn7I+U
ztzhmO@*eois7C0T772i`zRyA<MXUU7Q*z0aXE!m)Z-2KrZ4kJF1;J)ega!(+3&eE=
zkyhwb=H1=y(suVG>~h&ZFB2wzPA%R0S)!@qit7hzUtxKT7kRgv$3XMmDxz$5KAxxV
z`BlFVW|IY%&#dFU8LuuN%oJzrwDn;{qC1f3-f;>Uic2AKEmM5#VaveHKKykedL{?j
z&w^N;cie&aA_>~$ND!KkFNbb|u5SJ;ztk|9|M>Sm-Y9w0AUPLt7gVcu<h78uVOW(7
zB@AhM2!TnVFq#}*(?c$VqPNyT%@bOM#83H91>%{;Na7lzKGe@Fr0_Qj{bmafggXCt
z$D;c^1zUbt=*JBxy)RI@`Qt*r*}*%e-ACPht3Pl;@~Go>IVr|xFXeqDih}H#2cTRB
z>uOuN=I;Ps+#`?a#sJf6R~X2~DwM!#jltHIkq*|)Ca>u*XFI2BgeS>!y}s<d5}{r`
z@*7_*N>;STJnoh_^JwtgdVI?F>3GD2G&?5~uhfKEc0yr#_zCf639yGbOu~DJ`j<}Y
zMq;eim}1XW!TT<Ux1SkGki;w|UaDS+?Km1`zIsN=u0zJ@^}W~nsD*Y=u7e*%5q|-p
zrJ1z+8$ZhefS%d2M%{7Pn;DlMn|Z0Xe84x>!NHN?=(UGj`)^0q)lo&(r3skkP$}l-
zB7zVrCv8z1bbu*4?Tnd_csj}z8YfEKCUjdQGq5rE!bSe%vVYLc$jatyZo6e}c5C0p
zqsQkC60f+-Kyk=#h>ma+c?*uqivJRm@8R<sxU@0l7?ExZ59$QaLKLPuy`S0mHyRip
zWL-GL$j^t%-SQKnzj60rWbyucg69~`MHbGtOlu~mrcC=Fu=;5rOA?X@?e#v7`#g<}
zD6q|K%Chz4c^9u){;qpbuP(0BKWtUaY1%OwWkXX{bdz5ORmzJRLqx!6z147=8U&xL
zbG9Guvl#c-FR-YU>nIR4zb$c2yl9?)pOnN^49MSJd|_~}&vb0apsI{w<~EyL6Kk6Y
z-!RdMyJ6ko`oeqr;b4A#pC>Qqlua;JM$o$7)99M0jN4XcyO}pI1z(Tde^dYv-n#Jl
zlC9X-QjL^<Eu(wNjq;m!-+@SJRc4GXhV9(tg}q`fA12(GIt^Ix)1y=Y2x|w32G)T^
zCC}7K>Y8tlZN_~0fNITUB%9)SBMk<Py*Y2K?uxKY*x&F&!kCWtKK<(Yu(qb4Z+!>C
z-CMt+?Wn(LZYLY7_z^MsLY}Jd3*r`tHJF_&w{5D$m;0}^yJ-h5>WHF1nQ`{j`FnR$
zjlMNh3?3a&V)WT~9_1U6UCHckf%T#9xYl)lv4kw6=_g`mXE%PV!H%9^H=OAKlino=
zEd-*MJ=drkHrM(<U!zL2EqP1i2*0v+25bB9puzAuLK1jUcWnL{SL(mRHQtN3<+0cR
z?+Yn5%$|WkYi!gXT=EP)JszX*r(T<5*=J$scYGhG*D+%>uBw^^;0WBl$LMXTb|6eQ
z;j|QH!o5aM$s~_VkPkpt#~bx{e_RqLq($O0P4>iC@Qgw(EbO-jUQiScPChITuCLRD
zk~DNZw)Aq1OFwb!ZMp~#t(6!tnY|btkmbM;gJMv(e(;>@9i{uUnvU`Vg_d{ut(z@{
z?$phdiZuaAS?XDej@J8_6ZKbiAXP7-?mA!pr4iHgdOT#@nU31p_ZXqi!!C8U?1X7`
zjFER9Q(EQauxa9T=2MrBzuzlgUs?@{GEbj>k6zydIz2V2w`6I2*@Kd*?o<hMd%qO<
z(1-xw&baT6A#i4>iyXEYs&9ZPGveRfsRGnGhQLqfPlAnS<yzu4LsM}HsGzQTsYJ;L
zA*}^!5xtknBCq59-27xtS6wYzJlr~Hq)-|{Eah*K&dNh=@e$JFmf~!cU&@_s-2|wz
zzNt8$IP1AkIIaq0UXo;*V4JJ|pV#NA0kR=(A&BLv@1C9BDk!xs7$gEv#u0CL{=ksC
zTQlfT=gpltFbnFkU0z6rClg$k##@CLiA&6r8;3^E$sWBLc}RIfC!Yz!3UeqpLgK_r
z1uahDFkuqyRPQksz|X5{^wgD%vi4<Kt*<0!e0rxIEO~iW{PDo?FvrSbbLlkJrqn(-
zftC_6*KyC~UiN`FR|<L*eL8Cy^OyS_g|Q;OFM0}37bMaWD0_R%ho#PSquf`xuSC@j
z^imU{c~8$h<Pm$UUG&?*gx+3(elEc#<w>f(5;WAxbEJwKdoOp^z$oL}ogVoXrXdH%
z4K>3U8Kf}B$c-XtgXXV#k9eMFD9E7;Vn3E_r!Kxlz+<-xYTQ(SNBq-E%NJ`#m1_o$
z3gyg{(j6wWU9?Y2v1Z{FFTBk(QsBiAfnp)~I86;{(Ayu^#Z<KN^SJ1(#4alCKu&3K
zAo|q_7j__7F|SN-dOnzZJ;}C`(?5b?G*CvFO^fpCRG(t8zh^t!Uz?SmfXqi=ZRas-
z*Q$Zp=w}3+YQFC$2yO=ad5du*>2N3Thc8xz2*L8efkJ5$r@@P*>X}1y^!tEcO=v<X
z%(XSZp>Jz}5|~nem+k_^m98&u^O{M2Z&eQ6fjrN7myF!KdY5Xur)8H*cBR9vRNU1D
zyE=5&cG$I<c5TI78+q3^_;2n}-6CBlV11I^>8{(|cyD&*>%ubAeVU;z>nN2Yv9xcM
zZz{Pjmw$@fBbfTgDMF|x2h?8Nhi{#XMQ<>Dg{{q6n@V4Nkv(=w?Q4iml+gvafy30<
z#v3`BFR}%ZS4KK#(Df#u=qG6H7tqGxpcta}+YaR0<*psbRqg`y0?Eqo)Tr*v9f*O4
zgOHctwXhZ(ByI^HrokWl4Fl_d%gQR+s~qzAJ7gM!Aikrl(E#<K4&okv17Nd}ghcfZ
zgfoHSqC=J-Bmo0h9)v#>7h}BxS;g-_BBTh~t?xUNL6-Z6n|{Z1!@gs>n?Yjb!p#%n
z`fdOZj`)rT5C0n;93-Q^1Hv&_6`?<0oqzI{Ri`25H|zaoE9|*6CxpO2^<UTf&Eus+
z`=uz|0|@kASNvfo58sMg<u3pDw10z}|D6yKyN|y6)^`v5F0b#3x&IdlUnfjqu|ge}
zr?cgR;`hgy&6Za-=N{LhW1vx<z8{3CpYJ|KDiUf(Tfhl?_TfaB`@m-7iM$ElQ{8V8
z0wUU(yNg0g!ZLDO(p9JjpGVI7asn7Cmd&e8#!jfAyllmWrQA_Nv`}31qui%r$On;|
zzwCR&es;FE0AULzE<ED=o_qlCJ5rzl8&AO&V{aN2fMnoZb|AONGCPomr7$FHBHf*Z
zQo97YA4M5i24dSi$H(>!^k!M74G4D{4GQbK6}XgK5mR#oQ>#9{y9A+1l7KaeNL@!T
zxx;meyOt#Q*K%G>BueuH-#v_zy@fpc1^Oz`H#$wOb_de^3W}=4EVPX|&=U}isDmV>
zHw2;q9zuBH=!liZezCuW3y4n}wuKJp%s(`1p@fTk3owjj=$KaF5`OSLY*`p%?T%K&
z<$``w8BZjr(R&CWWzj52Ve7urMKX49IB!*{k)wVn=BvlP<kN}z2S1#Uyu*F}+zK7Y
zcpOSh1L=g=AlULcatFer{kv~;GC1{^1^}pVuo~?(T$@*#YNQ%lJpo$o!AbG)OSQu#
zo~?@%FOnDewYSEYEj$8xczt+p%gD(}d^+04Yg9%AcIllwQ#|o{;KlSLFV0)%`>QmF
zITa}fMUtZU&CD62ZO5k<b|7Qw9LD2dfVFwU2n?@R5U~W+#?i*6&KS_Udl}Z$6bAGy
zUMyWRPPt(%eqp7+B7o`o=|kd)H<UIvNxYu1<ilnF9f$6Pks?)o`mBB8tZolq5t4f~
zL|dIQvT0D$m8`FyrEBloX`eb#ojT|+vD8!JS%#U$G>P@MHNxp!pkWv~mv*W#sxW61
ztMQ;2f&1E*HMZaq82y~itmJ^BozaHK{E0ygoAAkzk4M;`?OfPi7~dcm&xU#=&xMBv
z__B~>aH8>9)(Co8mbCuTjK;+x;{kX1gFUBWX%#4)9;B$e4Ej5uQ`;iz(PFaD@2LL!
z_n=>HH)2dIpY_%4cI}a9&(T~o6f!*CEC{1hA1r8UYoF+{*(l8)bgKyu=Vi<B5$u(j
z#a32F@E8XtKW$+D3QEe8ECmmJJZ$)u_MB(mCum6`$}!v4Og3WRP(BYlXa_<yB|y(|
zD|n17G5i+huV)xM^GlRF(;Dn2a+-8Bm^zpd-0-NDi{zHavT7dYV?pBGrOf3Q-Ci9l
zSBoaS-&7BK#TcGebpAEymFm=-YybR(bCvp{(t1(<`R5Ev7wy|qiISA#Vv;^gN*-vE
zIL9WL0mY8MkoiC&1DK)#PXJRSJB=fWAQAUH+i{zWGN?x2q!BAh<cBD0#OOJY<NeBC
zAoUOa7K;1ghFR0}b_A)pH55fNg(zR(4th8}0Ev_*^Dl_%009uY#TogpTN&EF?$xpb
z*&7IW18R~n04E$le^?6<0yqQgn`QLOYr;5X2QmvIC8+%T9F&fn5g36TwsmrQQvNH5
zNLo--Qnk$-b|5rVJ|HkL-2w%fJ~gndIoQwl+VC+0mh*e;_ZU{6z(y=(uh@zlSI8=Y
zU?sD>%_k4iKIm;=gMQB={r+ynbDKyC6&*!YzCx=6jXREroMkkK-+?qJU=W=b@GayW
z$XCSHMda^p_IENXthf3Ax$vlsgj7wg#!ybs5-GtQ5wK;-bFigu#LstH*scK}1iuC#
zHR<wiEQ*m1z$ZMFn5IBF_@}q=yIbAsS%#8mp`>R%yKi>)&F=E-F3<k49@v$}yV7`9
z&+h8ke_-?MT2Q+d)UIv(mtKz<oCvy|e%uGpWN-5$cOV(+R}24v3o+p<?LKcvD93GR
z9B6x=C|LNeqFa0mj0X!BSEN_;+P7rfR^>{JEQ9E%HMxwQamonJ(6JW~;3X3l;#M!<
z-Curwie(Zi`MPN__+=q8Ib^j%^?OzBM|?q0I<EG~Mvj-&(h}#?NUwD2%lfb`E%uW!
zhZ`YqzQdk+utga24&)0%1DYTMe3nRl0sy>m^%Ri(*E+~z<+(@*=^jW$jE}>R)u+hu
z8*qX`ycWEaoPrqi?XkBc#w)kK9NdhTbDzDs?N>m~7{hG;;_e3ATPMWIY3P72DF1%L
z7l^>Q0q2oR-?f6M;w^`3X`+VhoimfgS)#@@R8N)Q$e+vYXtP|<GO|^cjzacz&5YAj
z90DWq<YZqcNdWKq9JpqT?(=mcY<;CGIqBAw`K5OEJThYtB3I6;&aGH{&@N#wY%yXk
zD>ty1AMECgMQiw)g1pU7>udkCzw2EHD`enyOOtKEo_@l7U7wkBk<KP3N1##JbA7+d
zfu|Q0x3YgJD!aON%k#u&Et~HM2q{nwwTvS;Y!jIX<{3lop$53cioR+E2RoX^GL}vK
zS8A3k(Q!&;)~=ANkClz>$DF5T$zq=*iHobnh^YH(9Y52X(uH>*?~#?+fjp@|Z_$_E
zFG%WMNP1TuClu=S)Q~Gi@<`OF<3~~-C{Ue@C>4=nPI$@ZqYbh{)`W7(qeKo6NgKkD
zf>kz9p@^A7SPY2+_{txmJGC#dFaP$t7l_|pV#>t0XZJq8(rlMLztUp&{Ot1A|CJ@X
zeDS}5FAO5)pg3)4KM0Yc6MN^!GwKG7a|}-iB*iv++Nd#PH3$jBpYq#x)MMXusy9Dr
zlAo22SDl%3r|)TZ{T5T)QeoQsHfI_%{$8eax#O_WFt6$`dtp?>xq}~g9F1Q5wFWB8
zvDNq7pD`eozj!}ybN?z|wE49}NZZkKwo_!|jiH`u*cb<VY+rAsPsak$oX6-^Z_Ig)
z5&XOM?0OJ;PW>i?5?)l2xpQ9G0x2Qex<QF8_}n%<upqpMn4es!+Op0Mtp1C~skn`x
z%`&IyDd`+C9#Sr9625<&NBM6mdEZebg)x<GbKKIK0a@3Fb8U8~iqu=I7Ds$C+UU<c
zZuKvGm&tQvl%eTHsOBdI4b$WBzc5I=tI`p5X3lg6Ng_SM-X7Q*btS?gmiVDW2pLd@
zLU)(uX<qmJ?7UR#lS&XR4$J0sWB03?EqHt)BTS;>X(i1xvZMy8h>z|`Zp)tCHf=K*
zFuVpvmPbAkDY?b)VTf&iz@bZW-Uj*B0~^n6vt}<|W8ThdGs-QieEq!o{>hkIS4$2a
z<l>UwbnML~#5Zn7B#eo`u62nMg$6?hZ9~&-b9&2EdwKm;_uqLIb*<qoF+BxeP714~
z1LkctYFoiWd)_Ipyh)BzdALlDP20Rwo&6B7ARqcZevz6S?{#3COY1MppX$KTzQreF
zh>%*kufANS1etnYcEb7Gf%YuEAP17g<eaBVNDFt1i<@O{sKa5&rX$Q7%3-Q$fwU~<
zSU8E1dvv)8@kk#{k0m_8(y-M#U5zPcG0Ly9u&=ahJCax05F96+E);Mqc1VG$Mk*bd
zPVN~lHI?YPPC=W>B!>TF9{y~;>S?%*FZ;=g;410ZZG0tgG4Z20nPYL#qo%gZxY>uP
zsRv)#8#XGLygjUVJDByeE%FOM4#8*$DdYYH0c%w?3^#B!n8#`ORA0f;Uaq*h(TD}(
zqJZn>{Ch+#=x^C^bIf?EM=uv(S@?WM<{ZrGy5iGOq1tAZCAIh5{$gwTvHsqMX@unl
z*NeS@S=QU1k=d8aCEa?Z4msMnF&xQ_{O~j<i#<R`fhkF&DZ}y*M%M}b7iZB~_d1o#
zUn~pSSwVJh^yf~`E{%52(Jrt3X<T5JMRr+amqq>?v4|6l0d^nt6t=%wkJo=(ECfwM
z;>%Y$(YozhJZ39IovM6X|ExOKyCWB<SS3nv&o>_7pe^&%Z3TM>gZ1)~rCk#@^V7e$
zg!){SxpzC-z{>P-A><kDA;w1)e`!x>#OOWd^*FA5l-bh!(Hl43m+W9x*>7T7Kl`I*
zH}Ihw&+w9Y<3u?YEaOG0kaXOTU5<NRJ`aFeMGUrnlB9NJ=aF(+T0I(hQYrjeNETPc
zT7e&$T^2@EBuN+JRRWgc#_A_09^XtgE$%nDGIb$u$|Rwvg{$c8N6_B(@geOVYqBUM
zwyUqlBqpL`d)~p=cB-s@VEWHDX3FH<F{VY}x5!wS2k?@{T3W)mbs9;w^K^udL0zJN
zl<>AzknpK6*|%!kdnVyc0le(qa|V`6Qg7u3iCRtQwSBl{3M~M2Ok7PF(_(c`si$zD
zyO+d8_Ajo@TZ^XNT+dQ3N{%_X*XF<j>5oiJlxB1ZUntCm?(jV4*`DeXBeXcPEZ4lz
z##&cXW8JO|M9XCNzB_w_ygSp?@1K0j&b%fT23=9}2B4N(p=dJw+M^i|JHGY36@n9*
z5iwy@3e5W2S38ijjrGw=SW_G95rDkGo3^|aK{z(3-5PYJRTFP(=YAhIQhLvstN83k
zB2h>!SttL2;u)@*`7tCZR3E*;(gj<q9jO$IH&Y8#97P=^sN5(bzw{OLW~|2Xg-g%{
zk4WQ13%xRILa|j<34A&+D_i-(5(Yi`Vnvrl?nq7qr>iAPo?<%wRDrCB{hTYm&-V+O
z383NG-KCn1HnQ*xjrvlalEvu+qh+JQZqRM5$k@2fLFCiXYW+LCR@1_<S||9QwWbEM
zBeOEIGnNLsVkegdhEbKJ1MR6%MM_#;%MZ6&7crH6S2ji#=O}v}2sfb&FsmI%;Q9Fz
zZjCu|iVbK+2hjqOjQQxz1#f{j{T`lSXW`*$dDqGxnsD<Vg{8v$^IyuIeUQS|V0NUp
z_L#T87YTwmCb;$l0hK&&CQWHj_2n2LJXh<nbC6XMo@%8WynRlQqg7>Z)0wz#JG(J`
zjSraQ65V>)l5Vk{s`cKpNaHo6afWN0^|!2#ttKO=Cm=LGIMUlMaW5+rH)VHu9J};{
zHz&33jZKtw@1jS#0@p|8gtOsp?{iT?!gkU7-A_G~&dcV{6I74WH2s9-yqURtD>+2)
z>S6xmNB?8~5n46?DC#i_iHV#8reXL{jWt)8JDNK>2%s7-%EbjOko36xCS?hA%KLnA
z1?Tej)U`p2GgBU%{JK_UN_VZisHpt$=g*%{KR$ReOoj1S=HbljGyl?vQ+G}K5>%8j
zQcKrGk?>Z)-3#<S|HdluEFlZKrI}%Cp4(hJ<7po+wX_7+)sIk8&A4JU_AS6Q+KKZR
zANP$>H^0G+a6){xdrnK@!S0e!=mELf=ii5yxjK?VmEJ|{2g7lzZ?R50oY`_54nvBZ
zWq$wFVVkz$QsLKi>iH^TA$6}jwO-?o$^JU(8M+7axc9`KV$x;)xaZQ0;IN==?CP4A
z^`t{nS)S|TjG9g3Ni+u0pqz-+tyc5$NGG^mf7f;2;6}H|BIug&>GMgJhyJIz&mFyN
ze~ZO&-;rr{y#WC~TqvUMoG-Vxd1S4WdsPc)7CsOlrH-K)x_R~Mj66-b(lg%Ri4{?i
zRKrx`U`@mRHZjN+>W=r(zG}lU1c)PSMwGCL9dWN8>(tCkHyjCV^HOV8JUGdI?zKIK
zD$QfH<8pc+c|aJXD8s2hd5f7A`DAsvtq!ZNpw-f`RG}0b9<FgG-|aTP#B)Bg6iJX*
zimd~3oCUzyRK@tafk?}<LTw!EhON1TU(4@OrHiH<OAEu4ApKpm9@nxF3P*j!8VzEl
zFh{E|6u2Acej#08r?WmqyyA$t9D|>O+7d55&p69q|7wz+pPts>J*Na7>4&gDJ*j0e
zg^sB_xs7XIABh~xv(+RxdF0O5LMsCVuJP6%65&%j^;$eKekN}z>EPtKbko_*G{%QH
z{CV`{t)FMbgy0&!i&O}YHuRPp9OafiybhB`-_zPhh#&0;^raz`H-ok&f!Xfxde7<b
z-j%NoH1Wf>D%I6JmUb}R=URn+uQrXz$s)axObVXIFZsWEK`xL#>YlUll$=6>jRDlD
zJ71&0$S);08H{ZrGrBY5D*`KCZhBWsG-gWS_~S7%QUB_?YlHiovQvx9*O)`>Nw~Pq
zy0Tgub<n$lW$1+~LywwV8k$1Yo?$<{y>y3k5uZ@d2-|DzIUF5Pm_9J4KQHbYmme<~
z?{%LJr|xhrH}dU_-V5h(?tP2eN+xl3CD-(#6#gq(mHub;*YO4!u>GKH=&_-<9QgUt
z{g>v3#u3-RF%9NR1Mr~S+xpcdVQ<e}s(Z^5-0Z6l6S^HhtFVsgPuZ}-IV=R@Y*ld3
zM{DlR2)Y^k;uUzD@he)Xj`QnL2C~JRH3uLNw-?v<n8An-rJlGT`&V^ABbPiE5hEyb
zk#(FsGVR$wOra0z9IIVqt@4A;V7gbtXw~5~^4E%jTiLM}_lHjv+h(>~SW70|iBht2
z#^q?(N7=11v4>^a1wT7TWi$OI>osGa&>()x)d!`LU&VCjVXedb^dtuD>>Y}0!=l2f
zt)-rT`GiC)1%*vu(0V*>gnxi5%~r%BnZgUV4z8p+uB@IXC->di3Sdw8BH6b+fBB2B
zw^*w2?6yU8dP2s)$p~uOoBFJ`wLA3~At~Pumn&I+!mN{>i%7X8=fmvC2vdh`%!2|X
z1?F2v;RX~8CYko-`AU4`4aFhqi`A%}%1R~ADcMVSl|6mayEJu;$(_`ERH5@GJvNYT
zV?WbrPATFED>O5S8mnPmk6_Ao24i5sgwN8FFW#p6TFW^F-U_^knHzGV`Q*(LC>`l{
zn>_WCDYD*aAcKEGQ4<S+EgS>c<YcpmN6xyyF!_FtZWAb{-+e8a`DSm>yOwr)jyB1`
z3>3m0OawpV!LTGEBHSZ30zKXU;=gZ~fXK<9_FSL)Y&UddnQ#Tz2U`FK+%iZ48vdyk
z0QI5}Bp-BhiB;y*El`%mmjMdl&=h&hxC)8O6G0;GK*kp-5-CdTpZ@&vlvjQUzug2B
z7d#7U@|JfX$Z|q&IHS{<^Jpx?_d-9+4g~6ePoW%>gHe2TAoz_P$cfJ62+IR*KddSK
z<7SM+wLiW8UK9B1j*&k;jO}X5#{M1$^j*~BZOzzBxS0t_iZE-JJ7i5GIm^&cd)iPm
z&Q@cB^bD@VrhX!k+5Mh2@&a>Z8{Gh=5nkM}z=4zOtLNm!g{PM~;EGxdV-+iK%BABp
zH?FHL+&YGiOlw7&TUVH#Sh0vYvy@`58xW+g`8<d3ZiU0dKz!8l(u#H3M4Yuvfu`7i
zavag5-IH%0s{M0Es*%kiZ{INDM@n@5mP+1{`M&)qR(Vm<l@nSG(v%Yf*QVNIvvB%e
z2L|i%%2c#fwbxtWtAj&>Na3Ixn_HhOj5lw1JZUY(8ElLaqBAkxVt6T}H~@_gxbp!S
z`&5jiZINcxyQz`werwQ3(Y;W^jVE1b6ely0R#Vn8kn+i-;%mx-u#6i@Y?#*1jwI6y
zX|s9x1;@NUA3jlGSRj+BzVaI0@o{ht^CN+Ods=EQlA{2~JsEXWUfx@k;N|Fo&AYk^
zR2+R$jFX);uBvfci*%~6w0LNsO}^9}eXE=M)?;RO^GC;dl`qfG`u1kOxCaf@>fBh|
zG(CJ?hk!^06(0@#TgNefLMf|G?N6=$fk#L=<ig9p*nrCUy)wT!wXh!#blwU6saxi=
zwZ{wJb>&T1xt(v$ZSi`j%DE2v;aE%DQ`vz$(<mT2YE1|>$^Yq@*ZCjKlK(#R{1cf3
zKkI!3zaO=L2KtWqEnYIokrRc5hnXFH*HtPoT-HRJlYB_*q$`+MqJF5rPp&D7w&z@C
z3SLIUep`rl9W;86SIyV&n(Ud)@G2=;t06PUe;?HJhZ1JI0bL>$hPK2!q8@8M568v4
z8ea~j&LQdckYFC8KDJHUO^s4VQ2m{<Crq+Vhv!N<8XL<E&GX#3a`=G4u<cmEqEogz
z+ZY(?7j6daa$fI2U=wA}kEzShT#?<tmux4doQ%*23#+^GvbAWMBYXVQ)SETWEQCv@
zriRD7ruK5i`Kz-RT#KzS*_4&(r#DtAUt6q}E+y2G|76p3FdNKZ)cA%0zG*FX+q5hN
zo4|ritQgPvFlJypJN-8CBX@w*khXU3WL@jo&tGZxP$iO|q3>%2VHhb=M(z$xMj}gD
zDYi!JmC18usKX?!Q6ijnxDjvJYQ28TyoNsYlX;vN&s6{BW!a_y#W?+PUCht~YW$Fg
zRm>vaxwxy#ZFp_Oi}B4Wv(FgK9|ihP+C|h-`@d3q{D&Xae;4(6c3teqx53#ydSMwu
zZp#}r?@mHJQNIyK#kq(Nyz`WI=oN`OsK1a^0{@}<_&=JWukZ$=n5Xg=3ECx4c6WmY
z-*aCE^j^;nOueE_vAS!rh!C{6J5(Vp{h{4kiFjmYgp-T}<5UX#IQemi1_WeQ5_Ys&
zLCW77H22%yr$3P0BD)!!(b`qdSaJt1g1ycEVBdUrm526or|UjO>g{DwaLEPwPRUAM
zOmYw9FvSb%{)dNoMY){l=&g&-2qRIMk9yJVX-FmM;76*k!_+!G3rp$D+xn>6LNp3r
zWuBfdHZ?Z6*qnZfhxhdGaq}}tcqrwt#5nTtMa%M0H2v&0XA+*PrA0E4rnt96?8sbP
zM63%_Z=A~&G^M39YHTY`$R$d$G{Q}c=XUkXxa--&23Lo5$~Cr}`z&84CoJAWOhzY^
zT02+ysyUf%6}T*V%?`sC9R66XSG#R+l9Q@U@q<_J7U(c>)5`<P4MxcW{kA&pLN{^Y
z1wnbKey0tS-}dZz7o6f6#lm?v`<g<-BO=StT$;-!-)7G9<8VCOsqim&x#H!gKQ%@F
zJ#0y;*QDE>BF@7Gby14U&31O(35|F%%4^Oir<Ecdysi}irCt-SMZYb<pKf3GUx+cF
zad_}0C<SG6_1)dJ`d5Mq&C1HQeYF6#*#cYuFckLU4rJS*rhuDJ0Se(1aVnJh%0NnF
zsWr#b&!7jaIhnCya7>KDzXL+Zxxqt6ItWS$1LT3RH**KyM`1Dob~R65zP5IUD7F;|
zyo#TH2mbPi55S&&X&Nse36^S6)Cx=rf)KZs2O2a8NURHJnu)e<D_|qEXcYFiaNNT-
z)%5vq8n!qHx2p8#Eu^5eM3@d@q_;wrdDwMZ(L$REB@PqitCUi9>vCLv7BI8>wx9}#
z1}L!P*3P=mgFYDF8#qRRk3Vmv7utXrjDv^4e<^_naWWBLcn71e)z?KVzAWl+@Qy6&
zl_w78%YWV1H_LwXjgEi58U2#3G7oK7|0WctBX*<%iw<-%(t1qca({A@5bKr={K6-<
z&8^8v);{T5k5_tU+8#c;jIY*7diLq|(9^B>tA$@vGY)hYI4|@WZ<H;UB{*X)bB*()
zmU+pe5XtEDDjOFRu4Mp5K4J!5LVb=dh@Zs4u*ed`HfuGgn)cVv0w80FI+7fCQ%MB)
z7{}6MJYnxx`tzi@5pGVJ+TL|J!QPR!OMTugPiOnoH=fH#C+IWCRo^h$ib~$vqAO3r
z(=C#*!+V<z^vCOcrE77n@nZmkl1UgD82L1F(KUTFuh6f-ByT+1<l^O3rTe%R?xSDn
zL@z(J5HOA&A^I{Cw^Hu)#YqyPhw|7~fxq{JKrE^pe%MNsu>*$fzk=qSL_?BRpZsw(
z+<PlG%x$33Lt6$cLo<D+F35LUpZjz-boxfQ49k?snU;M{CIBs4r&%p5tC)8s@c`kK
zSfIDqIK!x&TVq>>5si>)H_a#44{#~2v72UU$>fQntw*I-Wos{mxR_vs&B`5#FF43B
z52m@rfhEW5m?8v1KCyNJl`MlKm@h&p0b(2otX?)^MFaXfqOZUQ11X1Dyl|_dvCRPl
zH!O<72DqoR&Y^=|1;=MAeZrfO*hN#3YgyDSvh`j8Vb#2fG`V<{DY~;Sc&g;6$1)Z>
z)4ln7Tx{782i!MXs7J|?99m6%6pqs3sKJJ#ACE^HIXXHWd9HfL;6;Pw^G}(KFI!$6
zbz6iACajS~ytagF-O}Q`&ZTLjN0+({n%)Sp?OnOrW;`q&{@0st?n8{eNu=$R$TL<m
z6>8k9?8zHJI;2|n;s%eC445+yl~i_ZYG$3T=y$A{u=<3!`}*x31qYYxsYHtFR%*Oi
z_T0QnH_~OM3O=#n8!;e<Qv3kQa(_OBAYW4?i9GVQfW#wzQQirZnn&j7j!*JYeC2Y!
z3Dzu=yaC3n&m8#lBeAko$Y@T3-!Xm)g_Q`Lgrv|GI6=<_MS5;lp(N_zMyu-qC7s;>
zdQ6ce0*%Y=fo<{r{M4S4j81Lu9;W<*or(XR_ig+5QxZ)ZqB+58KM9|Iv<LQ;CHBk}
z*k7KK^;Z7r*awp;k^j1*52T`sY*nD3Eb`~)R{8mHYaWJNm>jyGJ%RY$(fqwUn1Ata
z61K?^{}Cj%L6R6%##lmXnJLYQlD#B`d^#FJ_6W7R^YHclCXbCn7L@_e^B<#)E}Y?k
z2_1pjmrj;L%N)YiVg2I`I}m#!%%39Q?l1-mtfm_eJ!l?b)ic#?cjpzBUg*xiQm;iE
z%lq5x^N%?+54*6>398Kv8Bq40X4~fNA?xJ}44iS{{HTT|x{AWR)CRkZt^d}P{3oUK
zd&QGUx=n;Dj?#sBIs~{BK)f$?Im?+F1vd1WiN#Pu7t}*%lQE16N}V-_mx+-ArN@p-
zV;-|^jg$j7430wvF1b*LA_LJZ&<4;^d#RerX-vq6d1S1~<)uAOSwugV`g1q_M2iUN
z$q=egZ+t3}Etu(G_lvx?yd4M;-n6RR=GM;UeRZ9GC4I6BK?3==#Uix5A>7jQcgNx9
z(|>1X2U5NqFj&WVuG?Dy>%i_VV}g^<uuj3ao9mXA#_Ly9Ro@H`)5qL>mpFnbDftlj
z;&rB7UF-fk7d!l5C8g!fsAGiChRqQsyul-qAy%&pb^S~AW#PD4yL`oXuNP6D$EHS9
zQ_o&|l$sWu^q@8MNU4AvYCVOx&{Z}oQ{-&C12Gz0stsNk2?8<LpVjK`30+{4{4X+K
zm;V4M{zLfhpAm8R4RU0OOI3szLDk!3HANnQ73`6&)BfITY|%HG?{`8;2fjtExC1e{
zOR?4$Sp7GN-?V>=Ir!g)Lc2;}SI_?4?*4C~Xa5;K-#x|utxmBPk$c9~Rf=A|X1xD|
zbekxKdCunC9$8StaAE~X?R~CC))X5qrC(Os%U#|ha;GZTg77MjN;h)vqxZ_n50oEh
z_15P0!X_AiM`!}yI<d9cfTmxAKZO<Z1%j`Rnzfjxf1A<2zcf^gI&~)KV)5D0J-u-+
z;!AfRc~q^rz~!os?ERjc(g9{`JTOM^+2fS6Gj5#62;5_NI&2;E*4xdYIsG%m^%TKc
z5XniZyea!BuX)cWH)-Od98raWE96&bn+_UEHz(V>%FY3Gxywzh!?S%yWC;f}`^E$G
zIa(B-c`$vTbVFAz`|<(Y05%0NlXo#kw>Qbc90Mv=-+srYob?8~<val=2Rft3(#CxS
z2G88rz1yWUZoHPPNTa2tBRv%%_5nnQMGJWzNjmtPWP4$0e~2J@!vrz%4z%$JhBYG>
zz<+8SL601IM7ZUj{StCB`NvyXQQDBiJ}BWBAK}aX5Fx(CxPa%Q7&^Gkc5@nMbn2|@
zis{J62>hkU;;C?T*&@|XOviNT4TB)RsO2!9>7R=^Gi)@Z=4kgIR9L6Ub(uZ0L9n&%
zt-`*eD*Lp_2>1g8yl=$pPZs>+hk$q-C?_5w@HL_e7hCFNW=q?U)EW*v+Ge4tNZq0r
zLlU3d&U^}D;tRM_z_#x_e+A74*(T6ojX|ryI@xO5HE_Hj*o>j17-xZcRI2w??0yP@
zepWw}>wT=&>743^Z{oZ)tn4PptKQ!ZvdlRANIhsjAfx9vnA8j4bSF^v*reCIw)!Os
zTER&0in!8ByUASmG%H&7)g+7#ai@dYTM~a_F6Lrj5brzq9?++dw!TAF7}dX_?8Nx)
zrXNvZ72|a8c0HEmbq5yyZMlAgp$i0uT3m8XjY+3E)4r6vsEFb-9`vx|E^#Q`!%911
za*GsyV9cG{59CsRvlUp;IAy(svQLd7k%~DN6_ag*ma`E1tb>re$C}pK*Wc-3&9tQ~
zG=V%t*h^$<AzmDrEsFyac!OC+sBznE%)wY{Vz^vM!U^6X?tly2CF=dj{v1*KOZJw!
z*IzS7NWv|%|8Pa|3sPtjG=6@rwa6F&pIi~v)&p+u|J{!`;_pY(=2D@O!LMhklN<}(
z%!lE)wD51J8TAl<OlZiz`*nMPk^T3)o1O+2>leXze?3-+CSmVt#;-fJ_PY~O@ar~H
zh@!A%6U68h)VS(@_KyG4*JGN5m+>ulV8sRzSbD<w=5w~p1I})^xnm}?210fo)ajEh
zhKI}OZ<^iYVckkjRQfO+w}$!ScPN~XvP8AZ6jUT-NtDNd;evkS@DqsJc_0TCzAVuO
zV|AZ@-;w9;BP)_WK(LwmI>O<m5uR>!`$fB*@Us$x)jMjDoH~AnGb0bGY@|pG<?p3D
zHM25COx#1ZTW%7ZEO7Nx$L+^24OnC(n!gZt%n|uWRGh4%Udcc9z-j5XeETc2h#MN_
zZ<2IlCodpIwceSg$IUu4L>G{`V1&a9?tB3ttDV5f#wk?YTWviq76fHnE~PtUO5j>>
zPoMix=a^<9D~fx0f6;E7_K3=6cCzv+o0t5zR#zAVVVS2mYVswouSqP}SGMr&TT>~`
zLOjp5mtsbv<iiuapGUw{qvp^lQ`ygu`)5QaYlMD1St>t>?wnW4WP1$8Lk;6qJ`|xx
z_B_3!AEsAUWE%NL=Tb-ekA8EBng36Cc+dar%MKLoKu*RNYy-^0hn|q^?JMU_=}R5S
zJ)@9-Q<>KMRpxa4(!>P+$FzR-PtzyYnCzwam86|9<7U*9S6iCXB))OcyE39J=Nq<v
zT2?!DXde2CbL@@(NJX=<Gx}H2=<$c*<*!~=?JaW34#d*VydM2_lOzBO@P+nOD>>$=
z@S?z|I-`VyTwkVFOY)tZX-=oCCU5V{o8lU%6ZTKKuIE%+8~ZCgevrXg3DWIG#=f@Y
z9roln3uR5QIGKX^uH~+Z6-*2Ko11oRAKJ2jmO$&{)nLX#(01}TQrR5oWyiD>e6Vw>
zwCsh*d*|0BX-tu0uh<+%{GCh_FeHZg`t8^T+i>31#u4!<yk18z7ygMmcFE45Q9Y+I
zhuy&DqkUOU(Xi6Hr^X%!I67YjSq?A3{!p={PVz~v+i%W$WjJrkq^`|9pUHcDCppUa
zv_njGM{RhXLyFJv7WxSYUoO|O5PYZlK;A7>)&t@3(B7h(bg9?Yag&KzJmNDjTEwqE
z3BsC0eQJ6YENAhLbyDiOfYl$`Ltp>+96kC&{b%(j7fGYTfsqLW4w^`dro=DXexQgV
zK7Jt```#=i37EZhW_kGJk0PaF`-@5%K`c;uE6ozRLRYh(Rv_^EEL2B2fA%s*r&F2j
zgNjjBwUY>pu7?3)bpS&lK`Ele$L~}dj2bMA=X;+e2lZj|lU&j?^7ErJzin--eCUl|
z;z@Y6beFE=kO7QWnRd^(eAA>UK!VvKh&TkHQZ@&@wdeqb(9!`MreSZ&iDwUD+9g&j
zx-zj6(n|>)Q6vQM2%+r;Ij(lEyIctdLQ*It+)EvtP2|P71+9BkL1_rD#^0*y+;d+P
zm0jj?Z;Whmw859HH1Y(q9Yk0{34G-t6e<mztf|JRu`xUV<axqeWac#vU&y=Pi!q3q
zUA$BLsO9O+UT6LAm-`N1E*@oA?~4Yh2RUG<F9YDw*vv{kFy2eiWCDz2>a3e3(CQSk
z>gJ2?>qzfC6E2<oAhpatZ$(3_eamHND*<)~#UxgzMNr;>l*qz1mI)>rcq#-+Dtcq@
z*!gS^!<FLcEh_t=`>WEJ@~M1i9RhdF7!inIuU2@7Ie@U-fpA#)p2UYy_ye2ePZ!aR
zCGZO6__@fTpE+;sZ)*~|_V%j7?SXLS>o1Y7HUj^6pGvTYLp88g>Xi%*y+ow3WMVYh
zePVK>bZf+6HA{q}x5^56k(^e0#0GU7ik<zsBu+#Su8{6!5JHw0HRq>{2ZI%Jz4VGt
zjhvzFtZO@rFJSVm=M?ROSs+5qr~-9x19Ky?gkV^x^Oo7zZ3mi^xtKn`)3=XV#J2hS
z9nP%^Vk?Z2&;F5coO&421_<P$sdgZtnf?+72Idhh{Q$40(Sl!M*v#{dAzfGm6%lQ?
z1#c&O*M=yeJ=6O%VHVf&-VJ(WupYsh@1mhIXwq9s-R7fmIsSSmnX4yvtTa+oJB_An
zbf~#gq~%Q8grGXKS&P8iW`ijy2=#Wf#UVGm2sLy_VE|7om1<NiGjn%c>Fu{uH->Gv
zOrwCEU*AlB>(sbY^%jb+-|WXtrnFY=KoWuDwmAy8$wfQl>RDqYo*H^Ju`5x7rVKSp
z!&f!Rh!wEcaW7Eqsf*?6#)^|#P~S#Q={~eo4b@owbG}DwHC|X_qnX-YI_*e<b|NK`
zK}}go&TWURc-|SFrB{whEB}_aQGDng)%?YRKV%ENPm67H6bFONswz9zfvZ#AS@ISW
zwdzWnLPE=TpL=pO8PotIWISwp0kLM>`QvROjAgPCCC?8|@eZ9mH2)Y@v#gpt$prt+
zgE{}e%iq-&<&SCL{9UpCc>mvU?{_ux|Hq4`f$3Toegk05Uy~HDG|b~#rQM~LC1=_^
zm!645yB%qNmt6d?@Ga|&j~rCot+4wA-xSRV9r(@n^0GM2tfUz?$;yo|igYQOUeNu?
zwXTAw?f!AA9`x7I$h)eWkUWm=>`#*E@~{7pS(1ffQf>0ay3DeM_tnf?jUQ0U0NIF~
zg7ae>wv<B^<A`IvU$zm!r6Md?(L#?@@2i2$XWe%oy46+Hc;{^$)2)xGN^Ap*MG*(%
zTNP;9F3;1QY3!0I@JRD*@D(m3T=2q9b<19Ku=f=&Z?tff9l74s5p*DJl40`RBB$zL
zIhzz7?a&U_{^6J)1(zvaASHnT>anRSg_v&!FSe}Jj3>=1;^)5Ulc!-)12q(z<Q>RR
z)LK`v>Xz2u>P_5iP$kCRW>MC%-0rf5+3pTzIC4bcUNh@WgNv61Br9L=o}(#QNayXJ
zI>zo_7IQrVRQa1b^w-k)<rRz|>JtbYxPW=xl~c@UI!3LHZls5plhXz@{ZK8v7|+vz
z#VM&*rE(d6c($V@KExpn5b;G0OKPrNwohy3;Te;ziz{}ulOV+L$CC7W9AoQOb@!WR
z2a$~bJ(ungBl!d4A^#jgJcmgmcPS2gcXe@-D;ioMT~|lhe4F(fX>jekkNM*{`Hf(@
zv`f^#G0*?11N6U%S^jIDb<eLT%~9W92wrcz6$u=p?_?E{X0|6Jx8+_(s$?3fI2WER
zzjQTl-`<FGLL(CUUpdEjNUCBsMZ$v&*r85v5t0b`c`Xz`!(sy^sN45`u10@d%;$T)
z*e6u05^NZ;@6nMcO~@}uPs;LodF0jJ?lp(QBxanOpNlpk*<GvQq8v_<^<ClD(ef7p
zb5dMSp3KIrpaz~$RJDMsL1Y(qATwnc0PS(a7B@)oN0Ty55%|{C9Z2{HO_wj!_Y>+^
zi4W)Cf~N~AOdKgFb~d%YLYSl0@^pk@@Wf{JW`2GQ8Mrq4^8OEd?-|r&7yXOcP!SR7
zO+e{V6+uu+UJD=~AfR-JN+*U$4-gUs=^z3E0s>0!krG0WbOjOV5=uxAke(ofK#KQy
z&;4*_&i|f!&&)k@=6~+o56>qUNcP^(+H3vFT2QXS-v#kM-xS2l9~bNgQ;2}4@n^8n
z-y>sD?V)=iT>rtSGElMrxLp2WLkv?S`T*Qs#}v>N@FjPOfM08<o~23Xlg|S1%%?H+
zLE&u;#oBTs!Sv<XTbFHJ<IZS3kcj#@(zpz|Z=)&EWzMBf@dJz1<R|l+7RkQapGV|t
zq<$N#a(3QUjT6fWnwwqJBGtcj8y1#>_=jw>%anW{^$iO3d^9CpI59(h>o8SJ${uT`
zfHzQdBi2ZMgV<CzDmH_4ftKJ;go)qVx9`m;%j1dZ3N_1BS9>S(DJ-n8D(mSRhiJ`X
z=2!0@MDtj<e49XdOC+E;aBjGS%z1graB@R_(!3BklR7jUtwA`u%3k87c2JwqHc|tv
zPPEBTTo$6J?_2ii)M}>7-U$Z-Iqgp{G5-a^<2trz_2yiTsedrM#g=lt>`<&>-`N8%
z8)E{AbUB;6a^Ix)SfksU2##7MvdxABx%Km*czdbghc){pY@B)|k^YBdetykaGQDB)
zgvMJx@a%o^%==%xyplY8Z;Z=D%I!B*UVm*}_izgf2-?qv&b5og8h>}T0sEy>|JaPE
z*JM;Xvn~NUp+>{j-1>;nCqE2LP3BqyA8B)`ar$|1RUmau1`{tFy!l6vU46abidEAu
zo)57okNg;s9vt}rQ`H(Q0dG`1%{uR?X<AU-kwq1Dxi)uKIV&lvX(zJ$9ru;Auup12
z)IQyqe*hVu4?~Q+*N7IO`P+_{Od&J_7wGHl4!t6cm0^0xe&>x`s0le)vbF}DwU7GW
z+I<V-=-3(sPsemZDc8F7t|XX`KV#e>Dqo|EbS)3twPTEwaMAP2^2@eci&lRWW~*Kb
zWjJ1y%@wzOn8*a`+D!KFfhxfwd;HXQ#AwkfZk;AbpSyvx&fCYL{xjJH5jRMvWCFhi
z0L<r*JT{M(GVZqhAd*j_t84NX?gg}8Uo>d18&xf7^n^*nMQC%5)on=~qGi_CGnDQI
zT}e|U*=*jT|HE*gwNk8D{NQMotRp~s)lU+C>_SzIlDkZZOndmIvd=FkdsDMD-FqQ8
zuj!ntr(Y{4mKe@~O(D2XnO%U%2VvMs(VvVg%Na7XNU-e~E12373eYt^)QwW92`GAR
z>u4sTmGdp*q#wngXG>oa6$`G_>_*2CcvW?r%Dr0lIsm&K3|4`1gXcdSeYW>yVOG+C
zZsHJIz5S1kYwtHd_iIb<O9bMr9oy#gLg_8*RgI}jLH6_eVkX)<dr(I1ro`5ad5HHW
z?Aq93bE@fO_f!FFR>Azp)w55Zxt2>^T%h#nBLf+F%*qZ;eY!A$ox;DLfN)zxi6Vd4
zCyE3ld|1^J$7FVs^}WJ^wo7G5ozHwqUQhGmsa{Vx+Y4SHKIMNZAcOm_Q+{N_VsY%h
z$mJdLhoOj@;{wbo#<zF+Q`G51(<Md+Y<ghppsfm#?)`^)jRp&&gFJB@!!boMok&r-
zwwJ&U@8IW7UX~6`a2afyk^Z=q)Y+<XdEZpc$0=5jd8gTcjWi#peN$!CFuQ3V(r7~D
zlp#7d+q`7hy5aso-+n*1fto|UzN*0~NGi$qD5AA8rR?H|yD~d;n#hEo*+JRbCU$b8
zznWf?PoL@MFp_CHsU_l{Hpd#mHC)Fm;_#3zJ&9V%{KrM~@ip*Sk0~3Aj*$;zH5gGE
z#<fvxSfrEV&P{{+ez$pKY&hSgG>In!)6X(MZRAIJ(FAgCKYvESVTJb<8r?a@J}f5T
zt9zQILuZ)6yNHsnvaV-hkG+ULfs|stWbwl@jmYWw3@I$$7%n~;CMFK$avBeCD1)xJ
zLSkL>M&ZSIH*)!Z8D&ixiq2l+F?&CmovA;D+nNQjYsk!%>_Yukv;g6kA#9)^pM(~i
zwv%z)-XU}YFbgf2nnIhP-&n(!#;a~>Y(l!hJk>UiW7Qjzr0J*QRUe}7r4YmXzFzQs
z*&%0zRT4_e_W{BO2oA8gT?DcjEDGd9x!z1N-{j)5oBOOGRJF+Z7Wd&F<tKEV^UE@w
z7YCP3GH#?qAK4v_0o6`*gJ1d4G}<(Y5U3bZ9PfQyTs)p5i;=6waRBUMs@l?-*1lIK
zPd#>&9qIMI>9K(!CBK-zfFT34D}fho@|h)U=hl>CN-;~Qq}5(Zp%Rq_Ap%|B=l&th
zYwWyDePksqTug6jf}utOWw6=V6W-a4<+G#vC24c0j1C;gX`kf7x&RSGk!|ufJsIJo
z8HW?JK(UdLr`R#h#FT_T+>J_;?u!E+;=YnkWOx2~V;I{%!M}V{bz=^OhIe-%H7UIl
zHPw`BUDW!YNsw-687*jFi(PvDamH7eyWK~&2M57wW*^5}qU4T`m6eJcUoB?TfD@Nw
zR_dp|Z&yk>@7X=v9;6vuWvU|a0RS8QGK$aQAGZI_bK&3nnFb790k~=~01@qDexU?G
zzkVZ61GkpV17PgSb+jYxU$ZBR1Hd!^$@yvrwJn*n!pP<7l%StklQ=Y(C<@}$dslJT
zSS+4g?Br}*HG=OM)3W$;{zF<aQlZxkzRtRv<icw6_<LjosxMS-s=w!nfAw(9K-GPe
zVV(hSvJry}&?jcHjwU7l0olA)R7|Qr`@M*HWWb5B4OrW)Md9V|oo*0F@D-M@nk+nL
z-xVrT$h9s}E4cY}VR(i>)Ln^hlYpUD)jSWY`(mnoXEWc_P3$WE7Ugl6yDi+M#pZDI
z-IGuE9uMHs53Q^8P9p)dkqqP{uSNDcihyR;NIq{(x!%m6Mn9*L6#nh4CvE9cXJ@#7
zBu2^kS0rb>)#RjbBLpdTsFKW*4n=3LmfqZzK3w9WC5>AdQ#y@F@_6|ALB>?0*G0P%
ze%iQqKTpV~_%B2GnWnL1m~`(*u8u;krqbPVgNn9AVWs=O!vs%GEQwsT&FTo05tw_c
zl$>3d^(dh1VVccbzU)xgnN%O9l%P<_#zt{)unV=2ie{F#NzeruC#G0Z@U<P%R5wc^
z&TbUXt2?pry-N$akesyhRZ2l#T3$KB?ZG!4MPe{R0QC9q5dqd&z_?<TPo|TW^J@?y
zNj?mlg?104`cZ^w$#lcX1!vK)oQBxmC8gwK&2N&|Udg=CT$+kwXqEw%|GTti5=_|h
zFuIm*f>5RrO5o^4nYz1abF;r2@2?-n8@$g|({i#iJCl5Qmhn<3{P+SYw#9rilVZa<
z!v=ujpRW*{5sDKX+}P-VYGk+`L<=+cB_Kp(anLSBT2?teDg6r@*U^k-FPiq-$7+Xl
zeK)LgZxpSS4w~fTa|n$ZUH?^i8)Gz<ukNO0a4qra+mUHQQH7uJ0huku(p4<EkO3ZN
z%U4fJCL7I$4YCeDl8-MMWYP^7XUV7@&U1tZn2|PUp*<wy3PI8^kWcVR)t9=8Yh}-C
zj-L5;^gH{yQy^S|!GmR4<j?`f^|ba6+-`)({s1eObU{o<91_=MLAyNu{?T4gVm3J9
z=BGz)He6;!*tb?Fbs)8cuRO5O=R5LWAEXK(=SL{16L?Xb28_!kjL<0*k(+jm#h!w=
zQR$s0J{dS9pzB)<yU~`bvNLKCBz5MfN6PJ2bHX+QE0%=`@lIeHXc{UEle&gCcoU-r
z-QDTfRPEXiPkqKLD8TWlgQw+gF^fSkiD?hwR1cUB-c7QJ)=+(!Ic8e!9A4jzWnHY-
z6jZZMC|hjuO1}$bmmke#*$Z4qM{|+Eu}OrD<MivR5<(hW!cNEmJyBW`Ntd_ZymTm7
z-u6k}^-*FQT~CItHUJj4`_lQdwI{G7Z)|!V->O+qSFzf-T@h?l40Tv)-ycwJ@~0Y8
zC+0?}<%+Q4iS6k_B!RX_ogkxMpq>#<AUNB`7`NmSbixXqA)(>3S8n42uFRZLQ>t;}
zQOu3;wEZcrrXR+J)Szkh5I9(3NCKf=ubC`rIHiG(zG>Kn7F`n;9y7;htXsUk5y-Cd
z?*8Z5r$)!C-2ZXK556%)0J!#viIFy5ia(V^Q!Rm;o07Mq0>DX!f(be|7IQhet@Wf#
zE^&`71=cmSPHdH$Oc#Dr!%jcqk-MDwtMFL%TS9%jk9FDJ$o#d6g6!2mv!S`^?Uoil
z<7<_2TfP0zNAE9PRzJiH1vIp*7eWrTih_O?x1WTNb6D(CMDy7E28q68c7|eGeM{RU
z?ujx-FUXa*qRQrQ7pvA;RIYSdAwKqN-l;b?E@lq`VNHf6)pfYCnL=K%hQ-_O#{lEr
z=(>080oh#&F%BV!7IU#nzJ?iqXzt%kunT#Ts&+PL<cq8)w(omucf=!!rrp$Kb9(hx
z1MB(ub-%ej6;<nv`0BC5=FE1%fhjZBnhD0%TL+V@Ij_NB`XxFK3y&0Fw(D`4E+(H^
zWnCN#$O(7eHt@v6UW#5AdPbLiTx%k^A@^}E_2x_GcJNCes0VnE(F`6K@pVcet&Y$`
zIF{U}YsZp-h{&c_IeKMSLy^v>VNk%)1e3uUzJdLuM5nv3OMx=_l9M`kX-23gxX45E
z7s$&Hy&E(eG;;Lj!<#3lA_C>aobaR4FIi*fGGIPiswWhc67MDwGu*OXy2}i7&)3Dr
z*CU4z%jHfT1AFSBr5+x&#hw*@nXq}#TirsFA-n)2FaSTxWT7RP4Jat=46BQ9ZWqK0
zZ#Ac!EPO)ZIzJ8fp4XK;?VhFLlW=;jr>^gWi`VQeC9SS(Mj)-0+}#VRbCkgDcY$7*
zkcQ+skr$c)|CCBjvA3Y0eRNK#qan^Jb-E}hC96Q|O})?6OM_2*Z8|`A=t}5~;~$Oa
z3N`hB!+!?hMD|<XhPS*h7(X^kVdc<=wG3>&akEz5PJds!Y+ou}*pRDy6JJ!2J9W2)
zR2&?lXvZ6CmiAtJ^<nTTyz?t$(m_)^!J&TNFP`NG7*|k&yC81l9GI7N(Gw{)%DRBC
zC#&}6YMNoPzYq6d#U+~?lX^gSP0ds%PT5J}2m`4o=wM5;MHE;K?7^%-a<1o{15Q;W
z!;<-W_Z>``Aw#!@uXoRDVm$@f-AXc=nkSv$pPwj~eZByF^^mx2ubw?$ShpEwmBDQG
zxUA{sV<=FwQGqG{Ugd_-2noh4=jD#Y8-bl&$Ld;{!)1YryQ9173FXJtgD4GEe25--
z>BSxN$}qK>7GB^@AX@-@Qi~iQ$r4|eIISn?c{rZ~C3~-_o?6ddE>drDReT~IO%090
zymyF~<o4w#%~IS<k>=rN?oVv`C?PM*-3jqiRrxsPB-_M&@HCkF{4iF|$IML4H?O3i
zVKWl`E(nTRxV+WS(hlSirok6nSYsP9BhyUkK`C0PrMSXD97R8moJI;VJ3t;#MUqG4
zhQ_Amtw|LX=*LLA2zeO)hb*GsAYbZ5wl^s;Ixbo|Hq}#qD(SL_Q$LWxtRc{+?LMf8
zsoxYyww2O}Q1va#bzWLbHVMDI<osQp<KXIDLYorzQGcD*xLF9~^E`JXNrJ(b*0V{m
zBDpt{`>93d34j>v^sGl`=vH;L)9R4A@60WTzd+%+ylk%*pY))Oh!?%C0go~GRXJz%
zj7+FrtAe?HTW*D%8@g4|d4M*a_R8A?>3{(=eGl#1Q<-x$yTLY?;c+I6#Q`RxZ;>_Q
zb#7_Kur6xkzhcR%c2)M6h+b35F622e5*ct5v$&m#{(I#9`i2M#r6-O0TF>zQd!&8<
zh$?ryM}Tt?h3#(L#wSoe#84x^u|sry&f6zwY~t_nMUfjGplRH6zQ?f(Ij>!L&cale
zmZ8f{PptMW(rkjvO$l3NMrAd1e&w<m*>W{8ruNp=@^S@1JK(lT(XYGl4~*IaA*SX8
z1w}HBT110V3_pV;5TZcF+{@$rhSp8}L9-*GPSUcONRMP&OnXC&MYdJbaY?Ub(|#eP
zUyq|@n+el4_h|hTj|EWQP*`VU%Pfi)<&J(e!Vn+L9<bA!#Tr#Qehs3+!PkZzPIEu_
zz||a4{{3pT#|H6cPT8MoQ1iF^!7QtPA*bFM$MTvG1MM4r4lI%%W?$8l0CV5=af1;Q
zb|hxfs3T<D#!>oB?|j}iw<qW|`*SJ&5U55+(ur%%*BtM^`S>Wq_RWj$?1QhbCFUva
z2vU#M(JVsfj~Q3<sk*QWDluH$O#Kcm3~?M)KkxFCH0{G0qt^%c+>g2|(K4{CcYG>)
zHNS2@k|F%}$jL4z1mH;-m!<S4s#XUKuCM1BlROveB74wF4tI`&()gZq8|_?ty7R?I
zyVjvEd0R4PESvq{&%?LsTlvc4t=cnpb4tb<^940p?0>9GHDubZS7Rn-_PZA|`#I$n
zPJM>)A?{8>_e66AyF%3umwpLY6wVo)y((<yV&i7HbnA$KMc!hyCN+?@Qp6eqAJdVd
zaNNR<L)F2;s}H=X4+woJbNYN=#H{rV1J51(rFdo79}LVfvCuUney^uHvL*)Ux9==&
z)9f0Nyb-DqSANzMeM-^|SdWyN!F<|Dl)*Nz;5)U{H)fkO=D!u0;ol<zS2~UXl|ga|
zYW1ddK;e+_Bh=@qOwEQC*g>YkGT3c3*q=?4-qemyKXe`tDQ0y1sRvL2MG1WyLApNj
z2a=DOj%24LkOY(VWJVFH#4xMCaNkc~KD#PN$}i>4rSltFKUQ1<b23DkAF2WHu`(MQ
zTZ1rNFc@{E1(!|_R-wD0#=6&+*(Pd!-9-2V`c;Nj^nNQb6m`8reSXp&M$@`O)Qs&=
zMRlsQc|nP}vVWZ0Mqmw_K8t3U#IMS8)tGTVvtws7&b(+A(z&EX`t%;>FOszLNBcT!
zV8z!DX{6$l6I34_uv+RgirIt&Ec+-}JLSMKS)8N0u%8~RGcgO`neJXd6EUAg#Kq<v
zrJ$mqo7-Cq-NkU>fNEot8{_IWzI}D~L<D9FgBFl(THTjHMmD6m{yqY5;bMa~Q2=-Y
zpW-3yQ@uuz?41ikFuRs9@e!DYk;<iJ2Z+VZ%aAYAF5EBJd8+PSP<LzFXR#-dB;r^+
zl*Vd__yBgqExM^KL*x^velIh23rfVK>8B0-Jz}$><3+_7o}J0H?L9mArnSDU5xL%C
zI_*8zUY)wNB;supnD{;;PHxb&F%9ZH3S3y_^V<z>ngW}JMjAnQ=HpsmgYytd<Dh4N
zMi#;K`VUb2y-Fi)M@v&|Vl^z^01V-3BjsJ&7iX~Mw?8TFNz;h-k4A$&Y>+5s256xX
z#SVg~z7ExV8Ia2hq^7QvS2q4MkOM_C#w@3hhS#>1v>q!_yJi$+{p?=Ko0Fr*8R-YD
z^fQbLw3p-+))_eAT!$>;TnCxipMX5OW{>JoOvt}ryOxO!%ES&U1I-$XGWaF!WZoa#
zo(R4d|6nQo2Jnebu*f>7hEtnM^cyrQqGrFUFat>g)AfeJt4zy>7beN`SqqiIE^gRQ
z!5LRICcb^oxzpUAQDpGZ+B7|;bm*pUMtSMCNxX5v+t#Aggrrfku>{0=y0xU^r}u?{
z&`0~U$BW`aUmJ_kpw23q39U?gLA;_`M7;cmWB<vXGl%_*2p`;f0x;&*Src%!-|K&c
z+Tid2JgPkHX}15$W~Z3Gs9%si7EsxL6(T1yUjiGwd;8HH600rd$C@HgEqZeuTmta|
zKKbV(xLxa9=L6?c^arS~?6iDf^P`i1ztyld>VUQg@aVA6=l|#5MpjR0>nt60K>f4|
zI(&{rJEJdArWkN96jf{#wM&FKx7$6O1=gzU2*4fuf8{wI`TqontmlgYJ-2|05LgEk
zQ*(YQg#m!HX&-4)e~&zIx&w3&#5cU|@)+Zfq=1NxIh3%^Eio|~aT@Oe=1d;}xs7ex
zs0z8J=9nYigpU&O@Z_}QmgT^-_2b~Of+X*^-Uii|wFZ>c$LdYJvmp=1rV|fVKIfB7
zhF=jl+GJda0O2!4fpoW=%allSD_O+}>Nr5WJhSAU`5Km=(EloT=EyRTf)EML$AQ6C
z`vCsK&|zKqdt@m$ES!J);o{lDqB-Mt_#tf2oL%G09CoPE{c87Ud|f=YK<5riY;OT{
z$b|p^_wM0EE|%SdDmU;wHCV#5{_ZKfS#=r0bwa(`a^A#bP#c%1r;<ItCCpcpaxbYo
zJ-|)I_|wIRTS90=K`bRGO!%^)s2zZVo67+wl7GXi`k~FNFQ}fdK_P;tVZ@~5NQ5A)
z%8mxRe<s5^JGwc%k{PdYH|bKm$=6~y@sU0U&y}PQe4(5!hR-G;zSpMLIzx(A^TyYC
z%QPR;_8Ff|>|DA~S&eO_G;mV=-~M}C|3@DFUx(lg@B&k!-xvN`%!Smwc7C4O{xqMI
z8CUvA4Mu2~Za--BtnYv8a&>WO1{=Q@FK@5s)}(8r`19Y1W&b-q=>N)QE}~ALekH;U
zS)UtGhnEzmHIffb%%P?PSq5#eg=9ub^1r~Kz%Ve4TIQji>iU=Pa|LZ&)DJ)x3SJ6`
z)z1kWe0{Hp?eql{<`m;iejLy;Q_GWZsAyI#)3PUM5Vpi;@$jfV--DB?|A95!kq|@m
zM`r@B$Q*DY%mnt<C(=zn1MB&}Prujyf!?%QARv%Z{%<9t%@iC9#1I4)VhTuj!#6`D
zdWR2gN<@ID{6M?Wq{@36vf)>OfYMtz-9U(PmIWrQnS>>T%dXukPKs}PcF9lp-mmip
zx5N}b)Lf&+wog3kI7KU@b9IOICtx56?8?xFTouSYpPFooB{%0S_{F2gGod@^fh4Ry
z)cW@zaX7y8lv{|t_ozeljF-$@W2!yY#a_*#T-XFs_-lK5s#8<qLIWX^z=eScG0c*?
zskk#$ZT^*}kj3h!1nbE?(_1P0%j1^6oP`Re1G<i?^=760QWR0}WXJ+3M!dJgiH;L+
z`*o62@iM05t7dH5RVXP%-eE4-VKh*&(!@!(`h+*<1Vf;TqW<h|n$!n<W$`VOyCbX{
zaP3ainLuE$j416R5fm$aoa}^))VP7(WXPdC@zr(Ru(l9IlEaP2BJ!zt3xyZxi|`rv
zw0SS8emjogy8z>)fgaMN=(kN5fW|4S!IsmVVuVPkaT$toPqGv|-r*(s8Kmr2s?o=!
zCl6nHxxU$E;``~7Qm5XM*0kKU;?;_l2@2Kb+1IJFqn4KSfieny&VNj$OMUJYu6#n`
z)jw<;G`qBf?Q|OHs#XD>w7KT&{cPPx>eq2SdDVyx9$FoYe~zJ>2(Rp#%-(*rE6lT`
z>Z7t(DPI~LuD@vH+IVmJhvC^E))S9EXJhZ)DI4FY(YXq+wL0V-JVacM&K2Jwv98(j
zI_r9Sm~U|d72Be7#f1NDDyHFF?V!B!Sx<*=PkZBJo4DfglxfwJw1xgx2wjruOPml;
zT5v*cPX%(?kLX;2oh;SM4Tl90m6Ky<zVZs4`Fo@arHVu%9&gjadO+t{(#ZLa)0Dvd
z&)ae0+~mF-qOME#e)j9ya+;rhW8T_|c~jiCpzNZZ26$Zx`(1ZVX_U&`H=LsRx$*_(
z`-%sSZ+c}vTBpBvJF$vR$SYoM|L)^8XK+}St8w91j<Jnz0mgprQCs6kSfdYKH+cLo
zHC`V5W%$8=8#Wb}a5EgNGmww0Zv?@a&q2Xp4&I*0PzA_T<svTj0sQ)Sr&6lniR*Pn
zY~7BI+IKE1a7!iK&P+F{$S+syL0)EkL#m+gCsA?WvkWM3C7z;1+K*iNp|Kv0>Q-CF
zBg@&^>P);8`Z+h>r<ii*5rf(7?A$x=SA2@|cXAls31U2Z2=xfx#m=K?;N_6-K<>__
zNIBIH67oDW?*tkHTt{9p^(W5fQv~q)4wQQ%%7qbYVX?^mORw>(QGLHp&V4L&S@wZ<
zDe7%UgJ4Xn#g1e$OX5`r`xwHMq$&cp<PveVhe!6Hel{Y-$ChQaCPRpgttl%ZllMlX
zUcNoxy>^rB0U*DK1i6O|pJR>M5O_4W_>8K+-g>9U+AjHXtgdpH$W#wabUO<e;B~tF
z4BytiXw`Cg&!t4O021RZis1%<2#VPxuaK-$ifQ#-dVC3;EyY_{qMe4WYR~nn#(%mt
zJ^1(9-VF2A8Cy*Ls+lgfHXL}{ese#}Cw*;Nxg|_-&UtEjR=pmpFAA<~xRHZ>c(4gk
z+_zSwsV-uZ8bEmS#igaa22)=m;Uvw<Dxo{OG>$b?@H_LGK4QwP25^8rx!qcvdr9f*
zNuubRGH-+u5CCd^0(8?q4hQO}lWW$Yu;hmA6Oe4|D~4y@r5_ua4_=ClQs*hq0{ZQ&
z<%s!v^IG?PHvBpbHqi+ZWHZt21QA@KM#8q3-B1m!0CdI-9YXAB{zUhQQcsI%#{8M^
zQQi{2({f~l@Ay*Mb89DEZ7Rn^oBo1%;-ubn$`USCV>pq=!Kve8sV8XqISsjnAC*^L
zYJ4?o+@r6=eLup;E>iyN=HzRLnWgt?fRp80hx*WYlkA(D?OVIwui{!UhaE|Mcz|#l
z9o-MLpIJcsTNao8#+^cIRC-k*WJ-ac>>?Mb11h8C_fkAX^h$l9o|!kJdWUA;G+`o6
zx?@EJLS%A-V#j#~hiNeC5)3~Iio|21_H=I!HQ*BJXb!#XL=<mLZ6Wx?NFe*f)3!Jl
zhd~>Hm;9W_`Gu27_IkQ!)~RROez15MS21K<Vs!v27RRy2z841Ob^48Z)-bWPEnrch
zF&96~?YV^yd0%1nI{8!Fxlz&Pn1z*OOuKfc6+EH8<>bd2ntxA>!+4ESn*^Ug<|M(r
z2`dm(Yp%01{r-NU2k+ozMTH2d%%?3T8P4?f_ZoQW^W{vMQ_;r6#No7@WtuOdV#;c)
zrZzi1{6_j>MG($)#`)+ehCo86X1<8BI$Tvxc#xQb6GTT$Nu0075mf~Zeou4cZ(L%B
z)rD6c4{7E(F#Ns~L~-sVyHN8frTu^{p`@Icf5g*|A(Lj^Hd;VYo{GP3U;PuK*0cY7
zb<lGJQ}5U_atYFqlDVH}>v-H|VP&Iy5&c3>u6Y!pOcA|}p*`{?apZ>To?Pil_N}(#
z$QqjHeSb4~=C0&ijkBfZbXy!>Rl-GuRAp35e(g#kQs`DW9Ar#OagpexukHyy`7zU7
z6Ufw4oXE<a6np3tJ1JC}m8UeF^@#ucm!Gr#38_W7Xhq%K)`n-fXb&Xx(d7QLb5YuR
zOarVK6SR-9S%-KYqOHCK;%JwZr;_$?aVSpJOJwn6(xAj~TBKbA>@?zba*s$xlt#Rg
zpTpXNei(<>zV}$6ykS<b{uLg#qY%O;V9LTa54@iGmb~=3k|gGDRhz#c_$n|<d24$q
z`?6|DQ#-E{zx&1Ei+8y$iN2Hns>SaDB>$#dyub0Vm;fe>WE11lkbjbP%9e&Iu=UJ4
z?IeC$8BJ<PbTZbPR-s4H<yGqk<Muggd+rFXwOyiXc!TRa;sDY91+VK!Nm^D&5kvb&
zhgeNyf&EXrc}EWRnhOMWRoLSfiXn_1umW$i-*c5rC56i-&f6XDUgcu2y(UopF<c8i
zJM+Ez$a*OZ8Hw5LNXbJFIXuiaq(hN2p%NQjA84-Lg5ta}_LRH=d{7$DM;sI<NuEy<
zel45rRfGOzr1Nf4<1;&7oldI3%PZeje>nr`PXs1E&iMlQA(Dd(i$Oq1$^7tT`e(uO
zzme+kf9^E2MVe(kFe$@GV<kyL1-4nUw^RGja$9-#ddz=|Ymm(oa1bDL!c&L4SSmEZ
zMO<`fDK#c$PeQ=KOJpwZL*{uSSTIbcCa2<_YZUR>b@!JOj1q%Oc4o_fVHD_#&r+tD
zlgvfn>n0OGxfI<Y-A*~tf1gYotAb62U*GCf{uozNlFFvv%p;g;H=SjRs2Gq6D6DEP
z4TPBoV-Ee5pKTFbvn-vro7;=`@z(8|Q<;wf3DwPF*H~wSD}XMXNh<4~gG?x)pbLX!
zD%Tl%T8jJFmIfO}kmOsY(Q<P-;h2i^9mw*Bvk`*f6=VpCmnCIRcS9T>)3JL3TbSOv
zr}I!lS@bqV315?5u5^7e33fT<L!;W}d=L9Y%cNG}Q@*$wpf=O30rw)6DAsX{k%hED
zOIk$!`8E*p&=9ZO5CS-Ut9P59ZC(5`J~uOX!ZKz?nv+h%q`$c_H3f1R=4CvjBu6mx
z7YPzS*FyWFHZV-Rr3Nmpj%3ar`}f?RaUNWOzA~-1Yqw@c?>oJF|KaFeqYiy}bXdCf
zv*u>004yCb=ujCvlJ2&tj0)OzZd^{!H@y*p*v46XBe2fYm;Hoq_s#RBb%D47w*}!I
zU5D5>XoKn*#JvPZTwKGnq}?vlOugYw>0J7|XOHN&uk|ay4vzY)kV+YRtzD?IRVtX?
zdMB&S7V{S$DD%aY`lt)0FtJ~Q=dzx~E*LnkzFI+~_NB!7^+d~fvA%;p$;Ih$(YA?`
zg(NO<8q9G7DM+&hG$tZ?35D>h0ouWsX1d^Z3CKGKX#e&bb>p8DJxZhem#3SwFyKbT
zkpVyq=OGcBe=d-Vd(FPMG-<`QDp06;a(=tJCA{ob(R7!ImhV$3%S48@&(la>eydRd
z`-c4Vx#h<8G_Nir=lONZ&^3dhlHFDthobhWj!iG=Idn)#W{W9Z1lTCU-F$owiCVc}
zSEDC53!&O8K*%Nw=CS8#-R5B~nrYHj_cN%QY&||BsnORB>>gGn#c%)&1qUfV5h;Rz
zFyFh7pNYIK4?)8x54*y}#q1hpOzq5~%GH#Ay|_YG_p7+SGMN7MPP0_X#6v2c4=2>Y
z0e`ywkP`R{C92AQv7up9hm)89;v6P?Yk9Y3->NV5yiIyUo~>3i^~|rKg?4{x4K1HM
z(~BoWGQ7yeEFM~PxVs|P`6NjS;~y3E!9kvsj{LIODoId7jIx}Z=Yvw2O!GjDPtL*m
z=sG4NbGv=?`=&wgy0FaJ!srZr&Z&CUohHGD>a+%;Pc-VR#$_F^0-8-H3pC2`m+L-g
zn6v4-il+rBE@2#&n!=w#;8c52Iiuhlm}XeWZ2`n_0J`Yz0ujqFu*j9}mhZ`>gjEUQ
z1u`y9uybBnWGkkk>rjR{`&99FDtDmI+GBSk$=hjn2du6}>lKqwG&$%HA->ImRL#{l
zvMR3LK}(S6G3WB;^~8BMj(CVX>d4e6B8U9;`ItR_IX(XCaV{OG!h>spdQ!{`#uLf|
z#*Ge2e{w^(l_QxeDXq89RIXdO<mYT(hUWDI4?fjkofK4m=bJ(4F`mvBk1Q)v%x1@z
zRCaTAyvF<+_l^Ek>P`-=hUL#B24U{DZB@vJdJ=2)=ka-0>GH^*NX1XITSVNM)ka>1
zAuV?in4B}aI<k&uG+GCR2IZjVdUocVg=*Yh%NK@uO5R&|n>teVFv)Igw2hOF8V;k#
z-6EqB5F&YkQ>7IB{m8&!IU9OlUV2$?38(eM$DA*T!_YvF=1C)gQ`Sz=IxE5*0O%JH
zye@G@9mGMPsggKLG8b{D*PUfLFcX1XTpC+BVJ<b^YG6lOCp(#O%X?+Z$5Lf_o=G=a
z)2k=~2tcP50i8oQGV>5lMCKjR2`Y+P2TC$Q@e^oW-G;V{nD(ekSpCMj5J$sf(_P9F
z;$A{0-93V&(}Q8!2=owtpijJ@&tbE&`lnw7Yeu_1rVc}2D+$AyJ{jwN*e)<l!8w=m
z@4%jzz!h@RWNOQB{2s8s?C7l5ImPz2rsXO%{a-~3GrrglNPWIIFS#va7KC7<`@>u9
z0IEHV1mb2~ts`%DgX6IollCVo0W^K83a^V7R&sdoiLRjUQ-4HoUocok+;%*IL(S6@
z(41|bT}3r)wJ&~E6@YQAi}Q#JC3heD>JouBj2DIE4Bv3@*J%vO2qFf(h&$SOfUiK@
zWX3XFim)$sxda(zbre|laMb=M0vu&#&MB(=bj#$C>nGMIPSelO@1pftM1q5hbnV@Z
zpqQk!+~#!Ze(*+))l5~YWz5}Q<GHCOH~wg8iis7M=Ga8F7R@B))O%m<^`4;+67w5Z
zdH}g~J^xgE1CA5hJ<PTG_XuypFo(lhM&9N0JzdkyHiwhB&re*P>8tcomnSBeH)W(=
z<Nik`JbA{2I!t>>8lEm)Ecr-Y?1FH;(%}#&Bpxsv1mkB+CrRVb{!Cwur0kh=ICS}v
zh+%8A)smS@{O#JfaAD9wUJl4jt3wC~mtYpUzZ7`)@Zf1Df0FDZYj7!Ko@JPYW47ma
z+U5&^7IO7eDE%*yvNXYN6#phd6{ta?n9H>xPgJ8i2o<YS!OvuxUe9lD`t~Txyi-r+
zol(biyi;0jKI@Z|x|A8jbSjr7WTcG*Vu!snzRjX?%*pd%Av0;n%#PBr7Ia(#z{0|B
zFWOE9a_Fj>j46xkP!Fkr5%Z&braLCmiMI<BB6{DwI3k@*0ZnhS&O9O~P?Krhq+~W4
ziX_+_e#d$=FmSBFRvpksO@kfb*{U1sVP63j*<f~1)I{C1{@W4!7n8GU==PajY8ZU+
z`)0hLUQ><7XVB?gLX5L2r3T}ov5R%qo+y}vjRsr47A~yC)IEx2J0X|pC44DC?Awag
zrQ1o(GZ~XXdo5TZiWZdJm+hTu?mviw(A)0-ODCYm!?+e>Hx(cz*e{aKoNV?lShHFU
zjp{9q`j`tXXvMnb9hKfZNsSx%=D8+x^5OxwI~hL@U}^Ww#eUB#<v*BWi88clDZoOs
zuf*@QyW7EZR7;$_CW9MO=S<XE=X&{v7BC@2@9w2ESl$Dl>jo5jUZ58unSDk&a@BB1
z&l{RaU&rwYv+{y98+#ZvH|5X8R6J>Z`KJko$=Oc>i`+xJm9alT1CQFa{vKhmZ_R6v
zffoP0^GevM1{^;;1ICZg$0i%lb&%Jat`;~<zwkiS+v@+CLBF{_EFCl=W$b@BP5zJm
z*Z!J}aIl6Z%IuL$_{3aBb-RS3kqLP&td8MBqH8NM6uwc0;}E)l4b`QVR!s4DNI`d*
zv)enEqhKDz@F|NQCD+I9Rl525QNixbnwEy2l=D{kU7L2OgBLAz{2$PUD55<b{4_yw
zf1e1rchjaPdn$6P&5C3y*M;@<?2w(vm=A+1e{90hP2UG;*)e94GOv8u>8ZVZX<lxZ
zp8V5_<dYLlo`-@+{jW5VX^$E+gY4Ddt)H<XT`K#JFl|rHl|x%t91rOryjiePnp%;&
z&8a#HYGVxezxFGy5Ks>aZ`VzmUKr=J^QvI>dn9L`IoJBl@NaRKB22Z`^g<h8XV0Z7
zZ=b7k<$v>`^_F(!4gsp_T2w$VIC$?+UuQf(zr38@;_ndttY*wB5R+zvLAvK<EF*9L
z;_$3ek#LHkOOENxKS!XA_2Bo?nf=t@#I{F)5Y?FK-GfQ|KHc)rwWCFod+tjk@tE0n
zdMr%&Y~=6cBi`AQn1%N1>ph|RHIX$#$1v1<2#QKmmSIU7F`B-W=Owz_Hc+eZJ2iYL
zw{f%zp_trtbN_`-IIM`F|KsU|<fKNf|81z18O4xV{G+1-k|6H`%@UeFsxEtZYC!nT
z@@2`62(n66<?s1(W6(gRHNkNT2=O=^wvNuH>F=@vUzlfE3Va_|Su!{pbi*aM&4;D9
zJ`+sd!&D<-q5Hp0s}&82tMhn-lPa#exO#jNnC*4uKhs<<#dV1t_7=c}r^-lz6FMah
zq{O)a1*~#DE7q85>cYCE3El&=FeyMgXMoj_cIg69+3Ep>EBhm^gu@+)J7wtO%relg
zR}AyNM{2tbfS=e0hAqJ*Hg5sHEk{BzUyEq6;>RkDeA@L#@(%R*9{npPJeshGrjbVh
z4o({orml9)w}-aH{0Ga8o7Hn*ss7WEkpFK;(Q{mjC<cnA%IXF*E+usQ4k#giCjfK;
zwV_ysS{1da`ImA^22ePFeh37JOG22lA;q6%7PFAdj0)spN_mfJv*+Kp(6^vm$8kmJ
zXqI_ra!AdrHjX+O*S>H{=c_%#eq8H<Yy7+30pqK4nL^Fll6(ArSXp$G11;vWINO9e
zDhkJoNj{IbJti~NFnk7&asfuR-6{T%$m|G)-g-ugYx{ky(($0m{So(;-LcTA&in+t
zL_aR-P&H9U(^vU>Qq9Z(S@@}^dt$^RQtI_?LnWW8*GU5{YI*vhKN&F+5v7~8>YL&o
zqI0@dslVrw`ixb*{07rIY<xoD@qx-;wgUrKOMj2;dTor1SvZ^1Z?Ptl=(;AszP{vj
zl4e|+ZXv+qdaY+~#X(%D_A;Mloek}_3YwbaV|Uc-dVMcGI_|Tq56RZt)O}Kg93dla
z0QE|6PtcCHvqWZ3i$TY>n`}z8ea~dMYN|^!B+3=?C0Z5`eLO9GaiZ*(?X-n$Y!}7%
zZHN3O-}{F4tu)Ietfp$akCSn_Z9gd-Cy=>38lGd6m!;2V^TzYPOQhNG5>=CLf)YD!
z&<2UjYCscSzYwN;^YGBi<rYK%%>M1R>^a*{bnUI#ijy{M&Hd1SLfH6hBq%0}?&;*T
z9zFK4K*jLeUW_m_7nj#2R7CC0bEt~XzOmigDx_0Yq=L|vo9J_+Qx97kI$(FjL^pB{
zWP<mlgZOMf6bF(<G62m+v7{+JrTpWEu&CYET>CZcN7i}wKExFV{`0NEw&Kmv$JY{5
zCad8bebzW`9gYH8M4xtS)!xi$4UT}^+XE>>B40kfkUn`d`X6bJ=7O7ZDjB%%RQd*M
zA=I7;gQcVQox+zf|ElTv`x%zB>0*R5g)1Up&Y18Z8zsKp-Hi`(Fi3neD{7L{KAPdC
zD3J-dI1sI!WiZR5kDC6oxSUKkVrZxJ;Kdq?Aui(8<(_@ow9y-F>l~{aCC{XqevUdc
zTfI+LxM!7q%*Mt!Kl1?HCbNZS1|7^34)1p?2mhZd?<@z97&F72EDZ`eW>?fnvnOR9
zp4NM~9kH3`0Ke-MQlzx$FO_mxQb1sP=@Z*)8^2O5smdh>{NE#r#i;h;KkQ!O!I;fI
z^{7<XuQ0d&;tsIkqHO>B`EJszj3zZ&p~h=dwo|*fbGI9>7Jk8sME$aUUVkd^m`19b
z$}MSmX~hf2lwAw3P?@#4)C26}-vrm0UE}R7LtlX1JF3tBjp0ti7BEf#APN9?$2-IZ
zfH+qFc-su0;M6IQAFqF=f1>`v<D=u*qIJy{32AjVy%moWV-mMJF483XZN}SF(eUeA
z<g4LQcB$V@W*!Jd%|qpyBA1U`nO1y!<@@A7(xG31*|+a%mNpK+0n+xT*yu-+bUL_9
zvg9atLvKx;%zN|6OIc^^w6D}rf%}m@qYL{N&v}Pnu;_)HpaWSZuj23+#Y?rfc<p<9
z{5P_Ddmt(K%ujDYylgqKb?}R|T|m2mNr+07?cQqxY=*7Lx#b&9;X;$SnuVX_0-ygE
zIRgOl_TW(wfLb0Rf|(UTW){sDg@goNgT9^@8gFeCAE;oL`(cxc;AA%L<|neW#}K+9
z3)^CFp8cNeJL@bF7_Wo<KOM543~otJuCw)w-W`ei;2ypDIM+HrR!`!IM95C{zdZe~
zoL$q6+&ItX{JlEnBf1kfAk36MWpP{lH;x0rTM19=u}?2a{_s1f4h$wZ87*}~&U)L;
zC4V?F#YXn0ej%Ip!6HHdSW!!MLgxk%basACAT(+!PD$ck>Q6gu=`o|TGp<p3mY<Ew
z7Q%m7^{Tj`Q(JdzjJKCZ9MR_6+NzrEDQj<muOZH?Yty8xFHFTUV8n32z9~E^1|wRn
zWNZ3y$g9Gex3l4?qFtkL&R`i>=dOVtkxxLd<0Ntn7~Uhqa6;2OEXm0UNC{eN_wyO&
zIZvb{ox|~~hwt)f6;kTJGSHMcmzW32a9aEE$<49cdnp*3iju9taY9?{>u#hsXG}qs
zb8)&l^Rc^l`GPlH{|WRr|G(zuf1Rf1f1>7Q2;l*!6?93%^yAK`-!U~A&3})?=bsHg
zCla`T={)O6RVrzflKuY7%*we{&HEoGsMSM7wPr8Uk49+C7N^%$4Fr82FFmV&V-l)w
zr0Et6S$D;o&bZ=nfz8D?c1+Fd0s8(kI$>Ur`A!4;vf~OZhQz7ZC4QbF_n9emw|+_^
zC%t}5d3&=*lhb>Ohnvsely7E4`0W>EuqQM|Tz3(54xZ4Je~KaKyPySh*h>iQ5m%z9
zG(){S2P^Rm(1eD=%<7%q7b9R6b-JoB#jbbUuVj?1PjC1KY9S||6QNvSx0>x<O35)F
z3!w4fCnskX1rtcoc<Be_B9d#56%<|^dvWB*Q2_Y-zmNbS2Mv?8kguiIuTV$R(w9O5
z4qQ_!g-RtL1xpnNnb($mP5sv3O$bg~%S7otV?{%#i;%(UjHy&$7~VQ`T54rG5r--5
z1as41CNy3mAwhzj#m$gQ>&iy7M5BXAqRQ994fR`-Ufo0{U8uV#4sGF9p8gUgqn{*h
z<E7jlF~6@r4hZEzr?+%&1iFL~4?6fD!zGS(X7w}X&tSW%mq{r`=c2BsKfWh*O14FU
z7CiL=Kx%a<xW7lZK#8CO4{HPm{RBdX7DDkbqVy&bcvN-F3vOu?=g!wsq<TWT`cKRt
ze%`kU9_^vj-uqej(Q>5k=WM)TTs%qT0#&EU=qc}mifZ|>OkLx*vyMwL8j4s5cF46_
zXgfSlyuNgUpxi!azp7$)+icM307-|qrc%A-3vi0M=l@%M8~QteCSQ|KLMx;$w2UE@
zXsrw2SF8)OaM>9aw~?L_?FlAH077V(ttomohfx%QZl{Y3Dw%w9QCxcaC@uJRIzLa$
zHD?<}Hq$sU+f=2IA%ZGy7d}`dW2r{u{66%|8NkWTCyS+xcoZ^DkQrd;RKu!Nq+QUs
zhK$4Nvz3rDv(JR>q?MK2jZQ!Q*4Ko4p?94u@w!8dHN2mXVOxnp>j`}&7yO`wF82Ew
zu*6%ZQoSTwG*yH8=C-4<XM_+NUmn%qud(WI56UWA84gqKGZlOG%DOdqzUE&AtsyP(
z*1rorWIJ2_ng|M-^8XV|N>0|1BX<MfhB(0#fXZVu&_~wv1ZaVU4*k`G>UzMqw3+DE
zXvOL~N18tY_;tF(8A?Q|nv^zLh79WpqUN(B)!>nzTS{MIhCmC+JpeM&a-4RmyUuf7
zEDYW-6Er?$R<EhaQ5UA!YWXCqFxyb6trk6gDBo(8eh(KiU9yL_NW}#di|)4X1sTaF
zTBl@o*PECw4s7BnV-+TDVfBAbE%qgalL*mB4q6sT*{1WRU^hA`|GWz04ypQ1U#N6T
zf6S#Zy`D+dh2)1=LF=6A`_COZWZ&Kr8>iHt)b?KmA7P2ZZ93=KX?o9CiU<(JBifzT
zuM4D{z%*U9$$a8^aJV>2b9A@CB;hCH<K^bG;Ji;#>R-;(DS2!gKO12udd@tzVKcH;
zm_6kFa`@V_)EhR7r(lahlybH`Wrko6_bmO|(o6QdZT3>LgPa80$#cJ}vPaO$Odv-6
z8bGR|er8soR{17&R9_%3z){pYv~;=_E$uUsHwEZ=gixJaqVRY%v&Ja(_|*)}2gT#1
z%KpB~5mKq9--`#z&lu;|=p3gD)9w(liB)@>+P1W6-|(j!l->%)17P~Rdr!Gl$K)F8
zp0tqM(Z$E-PIn$jwyw&(-n?|m%Sa{+>Slr19<G=%frMZFs>vn;@5TD;KSwG0c`^<i
zz+bsuATN^JS9)OF^E5$AngTF=NRJI(_+U~U7u}-squ0Y<_><@3iNKRhZ@leaarn!7
zNk`8U5i4Gj7HaXk!_nZA0e}yWq&f|@rGX3Vy!3P^``xDYgO=kXCeHA9S29B|hyZ=_
ze)es1yks<V-ae@k14obER9M$HeqY`_*J5Gnlc`}-Nbr8&f~&9IE?QeND8kf337gl;
zx5rpc)b-+O^b(;n4#|d1K)Ir6w*?KGX*kt{rznZpu4c;l@pDlXIklu?MFZIA--8&K
z(Hm~9<Rv@B^i*NA9uMMjBgML%JkyOk?SlxWT++zF#UdrbVO<`N#4ol&PT(RpGg6MZ
zI1J0IyzP-WzNGf<9@D3wv0Tq1Of{}GU_!>VMFvtG5EP34M!)RTDqXYZGf+~!2g`R}
z4Vi=6FnBXN1v-u}Gu3CrRQv5u^+<4a6ry|!z3tCs%H|h2Ot*ha%xJXu>hEV-B<FYA
z+Qa<vgG)avoh2yTEDmpQV`<NCl$RUX!TZN>NiTU)Rq!-bFJtme29)o<+4@*n_(!+v
zFC0%gJoeLxKa3>pZ!{D0lUSFq6B^a#B#rc;_NK<WKlCm_=Ebq{!a2%pQNOsaEhT>+
zaC~v{`G<3Zoq0SMvP9G~b%-#=Xk+)M_35JVK*c2E)$sr|M@OAB<9W1Hz4)*3KbjgA
zTL3&8iCV71Y;3(p2W^=vf0S3jt%NyL?6geCjrK2l^q^x|Vife|6p_H|Rm+e9{F=I;
zMVZW)?cJPkk+9*|db^_K-kR+|?&r}{=FQldrO(t+hX%{f0#A1o&_?9rEVFAwb7m$X
z4$u`^p+^;pNv0>c_~D^+la^GfBGh2s#LM~n4n+Hvp=D9Oj#6sRg1Go~8>@(-^PKvk
zqcI8-(=~%&w??W>$s7i&krDsB(!Q!VoY!l=&Uqrl3148dK3G$;-UV7H-xpVEU`FeB
zsYY(8KvfGN0^=Uo#=K?QfRABE#~t-y(*F0@^7HH@Q>0zba;FcZP$YUlQ5~FPe~&y(
z#!CV>>~=3G0x3)Gt0pqVztismtWMg8-=WZ-<0l9Eu6o<Nsb23f)*Dv2o$`<4`7+3^
z714YnhX{*wR$xt!?1AGlGxJPtEv@6Y+wP$4H=nsO^A4$=!OySIHP1aaFb#Fn>Q#Yl
zgDKWn_m*O)^vwLEf~I`grpICFl1Jd&oWl_4I|1)O^hW|_#0wpAaMZ%<NMB-zjuAOt
z*Tp)r`~1D^D8?tqWzODR2=B>E3%XeEq^xkB(RHznPOp3+Wt987j$^+$>DsE@0x>KB
z!|tBRBJz`$DK98&xM|kp53-N%3h#2hc78qv89!ovZcdY3*U?QlbZ0z}2Wh0ikDpq1
z(~$aB%HNP?{Tpq1d;R<B*ZuYuCzd0_gqB1kh$82l#VObG1-n3iGGdISW=BK*Jz|6%
zDQ%-AXk?o`6WQ9g5IhYHpjU=>IC4Q{TJ@EVx~oc79IAFD$7J{5#6L3gpGF3ykZpPn
z(LJK-O^Ko*RVv)YKQ5h0R}|Y^n*8D0uzLLUE7pq<3p1UDbiJtwFONYEEuacc{5T}G
z8O-li9w?y!IOd_^EzZH_ExtJkc&a6|erFqK__m-6>cR1`_#rj~0ll-UI8k+M3+%#g
zz?d$FrA1ZFhVaUM^r)V@Ua3@f8+*iPdC0pK7X7nF$~ul~N`h=X%=ViFU@#HB3`gu_
zL+&+OYy)|(cY_;jU)*&^$J_qKL#<0rqUle*=tL+IbRH2~Q9?Ap(Ph+@_8@x7^5tf6
znCR+;kA>~|`~II-mCPf%`_=|RPKZOIXr}bbaPR^)UetDE&pgg1)BL!@yS?q$yo*zt
zLA57RVBulvmsl1t>`iB1{3Cbs#$_3SR1*i~w2jQW4Rx)J=<xCIY5!_)K1_3BZEFL)
ziX9}=&_wix6x|D9JQjFE=PG%no25W=`EYAtQ*v@z>FJ~lrg>6t#G}-q?}NFYbn6Rd
zHk+62tnB$r;XkOKD+{M0QJ#QB161Fbxrjcu%2N12WM=J7e^06CQc;rg5A@_O!6N#l
zWQ|N0HegxLKXV_t>2qhc59>N@1G)G_{5E>qhXCL0NRy|(PZ_%hTy`CUf2b%GpT?;j
zKq`xhZR4s!Tw~@FnICI(KysbhTxTJnL8<ds)1}F?*%LJ-)W#8lQNZ%aT=n1Y95@nJ
z1ljZggmx29(F6dKjr@BAmd~~>VjhDOUJYVN(~L_$hrVhFth(lHb?f5mOD^j1;zotF
zR~25#>PLD?Tts)s*MwO4#ao8b_rt+Avs<^O^pXqWo!$CIS{yX^eG<|;SEu#NLjs|#
zyCC2t2|<d;0X<cw=TM&II+D24;DzNJfSDP9{{*n!)2)yKL%Ln&rrZV&DuDCYL5$!A
zHJzPL<>YR&Aufy}mEmL5r({B$`e3^Qai~8*Cs;1JVd&uinE(&CrS0`&kPoNc=+31&
z82{kWhw~A|&lPv;;@7G*ZWx>T{MuaC3+vcKT;5HZz>G@gU<aq}?Mw%m2ek}*Ka>Ep
z^_^<Ft>9B|MH2SaZjNmLffHbNeXvEI*#W`=hi)ZLn$F*C?(wZk`-%}f^8qLe&h#@s
zAO#sAQ>bU?n3mEQ9VarCaHk>0LBPt9adRA&Y4G}9^^4a#o_n$X2Yc@s)l?g<>te%#
ziXcTmKmn-&N|hQ#0Ra&~Izm*Wgcu^y0tBKcAYHnG5NQHZA|*sxB3(d4x)2~F2uKMe
zln_bCx97L^kG;++XRkBP8mo-4e!xh^2xZR9nfHC3=f1By)ho@HFa4@o;s);8wufM{
z^4uZ0;4_`zrZ_X)!X&{S(_mq$^mtxwDQFU`M4Yew1q?6S`~4~CRXzIMwp~XS{MGgV
zpaB%>fu1&HG`&@px$`RL&9l{@sHqO$E-O^Fp*%8(smF3fWPQ<1pB#_bPL9soM{{cl
zqf6*qxC<i#(vmYU2P?uYIIhW4jWV4fE9sdwZ}VQVxwN1tWKO;hqS`gY*1SFA?7Uj6
z^web)H%?IIM64x$r>axH%nMgXPj^emCR0*La$P*(Jhx(uUEMAuv6&hsA3CdhSf=lW
z;;BW?1Kvxf8(IA=q%j2jy3GXMSdZ(SlDmGXEsVI~oSnR3Ruu@Due8f*+(~;n>~0A5
zPqT`(FoqS%PpHf=atqP{R;?u2fqJx%(@Ww)d7~tu?Lj$YQmpe-Lf%uO3n>e@I2pB@
zMkbZg1#i#3ylQdz*inownh{AmfIJ1zEmamNhucs|B)(?j_Y)J$n5#5Gyi|?}Z6><*
zjr~+hL*}d_QH&T{1(&$Ac|bbEPc`c}Dq_&FOQ=K??qYQ5kBOox5PVSIV$*14KNDx4
zle(fU+ca~p2iX|VlH*`b0`$MF7hG-(qP#(g+1f8PNl~HWFFIpluzFrh2)XMAQhvv#
zl6|)idZe*2+Uy7}PRA?Kwc^L)`!cbe;iJZaEoPf~Z;j64IDd<cE&)><p8xDA&i_nq
z{zE52|8A2Te_$?-@f?m2L}XKDAj)gXTRCM?nOchUPf=ezq+eeXIT%oosBKdOsj5_M
z9(t#<P&obbw>%~q2n7ZooI*Ywj^ITajyAi~bwRw7Y{eS-_exDn5;i{E#bs2J`-Ve~
zwM7czVZ6uik%N6go>s3byvqs!u){HhQY1f<j||1c24!WB<;cuP(K>N)H}c_u({Qtq
zs!HVmMjc<Nwgb(%wqvlG|5nm-fx0mKqTm<D^m&T|s!$uX+Qf8Mbe*5i1_UQ+lNL8B
zC-4rfmYjQCTr?$NvIb%h>M!3D!Ef1;k-Oz!I9z~N-)q?}Pn4dWa#I<@0(2@~ymAjY
z#jn7$keTI_-0CJWLirZAoAJwxJN-v&?!m;5@=osYJ|<7CTX<Hp@&K(^WCp^eZyaf?
zNr>Z!`|M19$O|M+)P?xM;2MYrc{~cT(6FGR7YhR}=ff|@3&~_t?kREl&R#DaPWP#6
z2=I-w$-0=Hoh}Mfs60y<ty~wi5-5~-RJVgfx5#(fGMH&wt6PR~fY)*E`}=>|*eHnm
z17`rMU1aueRIPR=gC?Fk-qu0a%!|w3US_US1SC#iFImW>w4SI)z4l~W_~egX^Ora0
z?iA14EPwFO6bB}%gnaAx&?@vo*23WS1;GtBVATDeAg<r(-FAb8OzV`CxIDd0g{%>z
zknFTAOXG3|JX_1kA<TKlFslH63t))B#k^5<=<dG074Pi1cKiw2hZ5l!O{>#;ImUx3
zo^gMw`dn)?p0q^;Tj&}&rJiWhK7VI~=>!~<Yc-wo47cIUIWbbPMUsTf92wVyA7u{e
zU(cUV$=|P8Ol_eMjTuqu{fC-UnxDLx{y86+*l)7QfQExa<T1*RhS)(PdGNp<DuyiK
zwOH^Mm-3b&z5s8<oCbco)nEj#8`OT-k!fKCv@pA@xDhC8Iw+p<LnHh)WpYpj2yx75
zIPV8Nc)Z_N>*9umE|stJLKd1vqV|%oMX1AAIL~ruU=9Q&>_NlDoo?gExw@O+j}|PS
z{@5A9--XM>;D@XmHO_xIAzFvD1kGsnjAyN7DWgjWl6Yd)h2ESjV^#byOAI&=lfsA+
zTp-okH-(c?6TFnn;ty`FkjYFmS=@eMY;DXwIt*g--QJ9EB--AdEBfH6t5VJJj9Yu3
znmx*vC6DS$&#fN-YNl@b=~lwzjN}-IEX^4nQ7yvaupx6J%HNJCmjvW|J0$n{ZuIfx
zpWF{FD42tK)3zIP*zdQdXZoydcWfVVMuDUrJHTU&v2aD-wFXNu4|9&a)+EHbY0;9Z
z3)#A99c}`&%o0kqJ3w*)ynSI-t2;M7e;OHuJ!BpF0eQI3VZi9dXa9NjBmpqF%@*h`
z5W;4~)+O0`H8frT$iTE&=@gZCpLantWBzkJHhRrl6&6+ZkpF&&j7hZ9&PDL0#H1ho
zrfHMfYm+-mUj1Gu)>F68kn#rElGT|VERZGq7uSX#i=B%vF2E~~0e)LTEJ=v%#nN7>
zMQAWje?gr>`eca)F!C-!6R%qj{~E-akz;IY9i@^^E54HDGc_1eGL80lWHg0tvtlaT
z_}ePEPHqCYC^7A#F$v9HKr~Bx$u#>ay^)DB$JGpPv%U`GmRg=&%a?{C9z<Vx<i7EY
z|H|~RsZiR&;B<LlqZzf4<TeKT%|B?|Z95bS^BNfUq8Z>Ct9P~q=RwuURM#TT1o!}%
z9-Z3w7{FQ0q=ZZ4eC#fFEFP`s7l@u&yTng9JSm}LREGFvWPK(b%)3`kn8k2}_j2$`
zi0<|$J+z^D{Ml>AIp^!?yd8RAUZ`-Q4A0a1LysRtUk_LN((5OaIarsJQW1rFv*5Pc
z;IT3fTMw`NI1aOK%)h4dVQ$zemkMuYiN^ieZD(}QO##KltL*w*TH2RM;Y58svVC>D
z>sTOIpgx(kQjVzVY)LnR_%UMLv3Vkr-@^j9y?^LQs`qu%7uf>p96=QI#e3xCaiGr>
z^Q4^u^Dz+W;(<%HgW^y3<5F+JWd|d^9dp*}t__`PdiHzaawgBc%G;Mhb@XJmnubW>
zqfM1|gZh0b{f{$<8(83CYspLcw(A+kJk0Q9_RXCLoAYYzb6FQeq%y{BnHhAowhfVO
zouZ_*nIUK^^myF2>)l7}_zEAH2*3{P$9FOJSf)&AhC5AfW#$SU9)*<il4Y)vT*s8R
zzOFAiPIT}!e>-rq)vCAQ%E4JmP43OMvm28=drP2^p-br>d((q${8%~Q{3&ZUSJs7y
z@w_8@)tu8y5i&GXEK;e`)w0BCdU-b@xyofZ)mweaNQQNh%GZ0dB$PaQRGuW?dZ3MS
z>38-xm5(mXc+nzpg-(i+Wokp<B?xPc6QL`X*jhZNH~wxIF&^>gCMMpXLt)-E_QAwa
z>ocVDp&g+6zdnYi6IUMLp!muQRk)efXt!xqFGeLir@qA@FKZZzemDr0`c0zQ>^&Se
zqUB|kGKFU5x<PzMo%bsehdw3Sd!MH#;HpjFX|mj5#?_t>uRor|$2QiV(?nZYx80nX
zyo@|r0!NY_+|e&a;jW!Kao!j0Jc^BnA2chuX|I=aB-LLcS!2Vcyy6bAeCF*mSn^^*
zV{dw)-Q6swrzF<6H7jFXrN{7N*X57JW~1P~0pEI@8fz@Rxo&Ozr-nmk#N`ncLta2^
zD^GXmtmK`G!n_QGi$a3(PSZ^?=9)^`=Zo7fWF$79nqJCm{8&@b822q<=%<Ep)v2%K
zGbs*?W#---uLv7VJ1B8zeB1Ky7tRr84w(w*!lKc7?SR8UE8jo-tj$u~vIz@{aN_*X
zvCqCacjeM8Y%VB#IBv#QiLL)#$*o^UW)uerFM>EsCH!I}+-rH9Q?p%LyY1VfPF?;t
z_(}iU?6waugR55Z_?Y4O5N$&qx<Hnw8yXH#GWIJ;_e#<<vdww#_uB8ZVTSb}Y4^9o
z^&kHdk)RAXtqfo&Ze$t<TIb{fzHz&GR2{Z*hpq0Ftcs~4Rw}U^I(3aZPTey*-7}B*
zncuUKJK|9gq3v~MDZ4}o>-(!E83}A`uKs=6{)L#ne}Xfp_~;9mm2LkK=<Odv-~L-Z
z-q*^8|6i0;+XMeMi?Xxn1NEi2Igoe!w0++!Dh~9CtzCg=vj6-kb&O~>v``nlyi_b<
zZ@0D>$#qI6h@{9aB?fDa`hJgVRz|ry3pUs`I0psS*0$tk2ZiZrur%&HqWsDH%?4C*
z8mJ_<lQeK!?)5ehH%A^}MLGP8EexOSzYS%fj;>5<l|TMOT$eCsW`4iFq`!}nZvI~B
ztAy5!)?I+|%%Y&qBE;Gwct;J7aDJpAKy8h#BlS;AgJ-{PA4OXDNq?P@%AAD~MVEDC
zQoY?B?WD7vWc2>x3aaKrTZ8kvJEk5zDzV}*QPvtZFCIpcpp%<={yiqtjWSI!>4Czm
z;gUlKr-5FYUQw#Uu&Y!We#vPm0I5pn?E(XtCm^7fZqw6#-i(44K%Fl-JG^?7+?L0u
zn_l(xVbkYN>CC1cEac9-P*@l?_K)F1%H>JqB^(`CNvLVG@w@S}RvqX=2+215krB4k
zc=q>7^2FHJKCN8kCbh|B+-dy>7hQQ2Yu6AQo8q?-bp_44Q-L}|0q!sI5A|JPrM!a;
z2y;_KW6jM#fj#Ea6_WupNR@*uW10jpaSi+2wdaZju6ew`>OcFypi9P~Y9-^*jOS>I
zLpw+efokQP8>_n+a3YihrhRK<pg&%NUre1euWk?XlDT`s>$7W{y}i??yNVSCz!(tN
z$c&A#-+)aTL4zfKiU#CpUaJEkWYVNLi(-;biPem!nzo7tzf^e;Zg3v*2;0#38QS)h
zX!^$Y=0@fvVXx!<&*#y{0MYo2{9X=Qj<$zC%Qhd<AP6B$+foqPwk>09CE1c<W^|W=
z8^X1Mg2$zbP%_QTb*D0j8Xv#@u|eAnTEXf_bbmPg9iH_#qx@|XsS>l;TaY!~Cz*|3
z>_Z8GX5VR(gfvlSpu#h{wK=Zz8xaDzZkz3~{tp<_#~^aN{?NsbQ!Z2bF#-Du<PZ1B
z&Q>&r2CoX2BjUfHMJkZ6xjxh>DEf>{eN*`L+doh>WZK>+w&;#aAMEJoj8}1vQg08Y
z)^gtwAy$S<8}mCfu7_>SjAQFVmF?<pbekyz+HVq}q`(#bMKR1z#m(zXD_Ylh8%GU0
z$dO{Jj>wHtk(R;vdo{xjP0dawrQ<<L`o@J#kcFpZy1IsKGI}?Ci5vmouEoOST5*Qw
z=wneIp)+E1F=%!|y~L^LnejXIEX|Jny+cZ|i>cpI)Gnh3Qf+R;H@K%4>~;#cPU8U;
zw<avJ$GdJ~IlDHP-^`^4W4o3+LtWkuCAmy1Apu+oSOP&{yrpRa!<l8!AwwkucXwB|
z0V7`S)wT=f__WiKQ5Zz}w7z{~NA2fB(Sp)4sp@qeFPh=3qeLc)BbcC_C*O?2GQ-FQ
zciYm!Q^$KgkJ#+CiD~8O=(jV1ukk(6>gn5;l7NmVsLhqXt(K70ks1L}xWF`baY0@1
zxtp5qiEa-IaRZPCL-u<u@C}D&fS!S)I8-?NkS^Sjd}3yTi6VEE(}*`e{Xm}5aM81X
zwt5~SnlgIgZxJ5-85NOw(pP<6vFrBVI{8zz;~J#MdeNj7Mhl3n8ndns3OxK%3upuz
z`xl?kAsRl|FuVhnZ2lhfD|~rpS;?HxoKSezPMN*^4*Tc3)pw5h;F;21wWK7y5Tue7
zdp{^RhtP*VxfjU}DS?8IP}$e$q2sPJOsl06JV5LWTbTjfGe7vLu{u#x>_bzESFTj<
zWsOT;iYlTC+@;<W(8k%P(T;$77GY{b19zMNS<n|>Xb$i%3pG|1le_T4n8$(rMo?lr
zPrOD`w8;^wuZ`{JL>!U3YaB5!vSnxfG!$1!B)BxmRqYmgO}iS1Nn~38PBjZK^LOqm
zZYcI0Cm6%UM(_%36Q=TqrN-O&w9RfwkwD0OXgM{k?a6Ol!|YW38b065$>>S}`b*dM
zkNP*L->Qh!y-VoYk`55l5idmt^xxJ{8jd5BZXb-7qmkl}swZ1Q9)us?PoxSBJNuX&
zRL3?NC7hXVb3S;#`7^4pw9MJimr&w6Ml@-ZYdo3hf^yzrHDT*xqNXDHX0&LgT_}Da
z-GI~qn4>~flT|ANLHrQs?r0aslqyP`UWm#?Pm89&`jAR;tfPfs+u_7}=lYbMa3p~4
zf<H69J@3-6JC2!H)H$0dN6{ehOASlWUR%1{Y0idxNL8A?I?bp1LdP}*HkV?5C1dhx
zkz~1if#FI#*mG>7HXbZ9C#IZHQ4w{aU-)nx?#~Bwf0<s(^xC!|oC%c62mb(L`v*YT
zxq_x;g*S0d0j`GHju}&iLk44j+9QXO4t^IDA`zrbZtf=ps(1frWF$+zs?(b`^h|kx
ze@^}N=-ed-o1%nB^%qm3IOALIizUopP-H6Z*S$w`+Sb0r3^uU|6%s{jB5wobT6Bas
ztt#ij$RsK{pbsWHW&sdw08#2glc)K%)wTy;zxTRw0Ps6>fq#y7%&0MA=aek~DJ$Q3
zT0}hEsO^Mam)2=-(4?^XMe7_?9b{a|kN4+V_C$j5eA0q`H_wsh_M|OAK|4^0oNhKQ
zjO0QJtITB?9Qn}l&KB}JqY`-A2Lf@|7m{C*XjUTnkU1AH{}ShN^7XN19&R***3n)V
zl8NVzoW7cS+~mG5{%1q<Qwj006#;1V>#sz>VFdC7y#kAAb`7$f=+f<3=;M#Z-j9+@
zYiKVfSMFYDX>+~iy&H>1G-qUAX;tv7se|CYoxBw@BmZ$BxM@9Nw>~EVh7FooTMt@$
zXIJ?vGut~O)qX<hcO$$3kg*B^$qEweV7fq~RlK2$H%^kr<zD?*bW91tZgsoNeiE^E
zzc$N8J6Y_iTr5v|otdk!*PDimA%sZ~=coeBbZ#}<V+3@ZBlugl!%)74E>Th@7x`GW
zVJuZF#h|n9yP!zs;(~+c#gh~#aQ^PoxHqik%J9tWZF?+>t+>-dt?bSGXhu~k*=!7=
zHcgH#)kxRZC-qKVd60DFL6nh{RFv(VOI!z@aZzoojm4H*AqD?z0sSwwOaI6H?<avX
z(EsCOcoJBA>DUH=7{;*-1GMCysxp8axLCI`HwP9R)q{abG6aVRTh&U}EZj!{AP4u~
zTI2sAeEmzv^M5np%d}&XZ74vS$^UroVlw;#(JWB0YhRG94FFd?KI@mNxa|)X0mhxl
zh+58<arEx_Wm?_HiV^=r9i9O-QM8j59xd$A7$EMFIt;mJDrJRiWoB*#;sr(MtxC%W
zg#9o}lI1L}e9()!+2q6HC1AODRnU2{-(9UV`RUiwWBB82w;vn>w(21A0l6vGHvkqy
z8hF-s`ntv=evCj$y{L|R;G+OvyTSAgr8&}buyC^~>yi)Q0P+FQt`T*3sehhg^?cVP
z)~gDtt>pE=g+zSiD>_;wBPG9(t$-^~S9tA=|3N&dAJ)Y=OBap;+|?>`U!FiSQ9|3V
z^qnZKPbY^4vmCHY)JGp2ZYU;xUjbo{TI*ygRU2PAZ&}2X5YgiDjD~0kJFCmk&Mmaw
zyrRiklv&$K)V_V{sbwAU>B2%>a_q~lk=!e`nYaYkR8saOSQS<0N)ax|S+8~-MHFTb
zXvwR3G{c?lJax`cjwLov$?<XBPa7!J$V+bLiOKipZ>=9?)O@-4<m<0zFGtH&CrxJH
zlaPort_X0aX!!h0l=dqPs*nGpNw;!1&t$i5=lm45tw(ISqsa2${nwoqTt}Ivj6Y02
zN;zplxZCX#O*JNhZ-sC`108d~f*Gb9lb}L9nONKh=gV8u6Bzmx?GpQ>x;(ths9m)5
z=g_T3yQxEq_RYYO_8cjj<5n}gHSK8?<#rBAbm19q!Q!%5*RM~de4`r;$s33i7@6vs
zns1grNjkurX;ZPco9dY7^$jC@J45&Ny_7V+bl*Aa+YDIOq>+``ob1{h)LG02t$EXU
zVnVi3HUo##+^*R*2Y@=g1GoMuPzR7H>Y-)}8dY*A$;8MNOJ*%){dvS`roZ284xDK$
z!>lDok7+nzB8Hzfrql+FR6M}pZJ`&dRWB!CGOg_`2Nj%(XZBz<@GZs5mO6%+Y-e!g
z9^dW-;|K&0W0Z=Nqn9(<uryNV(Mpbn)9=5y_UVI!iGftzo3mrC*b`><yDmC2MmRBU
zdovyjkyN8I>X)ljXL%Ew56@v@P_=uD)N3JR=s>g@Qohbm;xm0Jg%DG<{VV%sRbt<C
zH7<<oS>Gk8rzQxkPXLHT<->HSt6<v4s@-yyvLG(i^+3i1Vcyzza^(Vd<+Mt;Teb<~
zH{rVe1^S{XJ*yief&^jfM+(P~ydEWBu;oQ>We*Fo&Z`@(eL|96;lzxqy|cJ0)bjr%
z8Drt}-PFvKB<j{qK@PMa!J~iC*RGQK&UechSK}H^EJC~V-Cpt;twfFN&T$lwkB9L5
zh?rJg-(q;FB`7(NOr{!C7Mk4jJyG00vt*%`k=%!U?QvcFTcPh!>CNu{Jk_JeP<(oW
zXT@+NwEwf4q0PPi5TZqcjBT-?u>4BVWVlAc)T5@(jgsHngL>gh#)6wDw!oy_3$pf$
z9GBE($!Pa3EfDR~<Ry+3LpTfcMy39BM2D|ouZsFc2sc>$GF<SaJtP<s>RKH93lsdy
z);)mqh*X&t<mNl(<~1bXF#i`<w|qbt?|!6b)7~3jeeDM{Ye1WJT=LWu)9~js;-Nxx
zDPW>eg&lfXeX*j^A&Y^nP1W{pQwU6x30q{J<{>Y>WUJ4iC6)=i9697^dT>;rlFN~`
z0MJX05T_Ghiz1^RPo+rYhaDzfc-58qQ2_SZr52;;Vh(+)UC&xCv2Qfq%Np;qQ8aWL
zfYpyp%1wi3T$N$2m@QNiM{h}zH$oM`+ZtTIo8DN`p`bc9TpXzZMOfw%CNFHpKIuy*
z2bDkC{<6^I{O9j@+q>_PkiA-hCzzL6Xcgo5!xxUcxf2@L-488QT)Oe+ZugGo%Xhws
zttMS(_&Sk`rHGg|@Cn1?h!^B&Y!O=tz>Qy{*SZdBl#^b)76Td$iZfz?%}FAUzoi&o
z3eF_MsK4^gr2JI-eA!gYT{J5v#>F+%-v}fZf>GA=4wKn+n@P^JVO0u8H2!|O8)6(`
z$KJ;bDMWhH)>qrfAigRzMfI2y`!1c4E1n>V+zrYIesD0fH2Q~=rA)GT(wC3*sm*ax
zJg4DTuZ<?(q9s4uZo(X7_L9s8QJ$zHY~Qg}%|tco!3dGz!f?fzbt|BYEOjJ+Tzc>3
z%GqaEWubwShPPmFR7Q}EtA=kj>n|=uMdRf7joy1z{egZ#<91ZTZ59rLPGJy|P`;?6
zhy!+X&D@1tih>LclTZgbF#QHb_DJ2a2Vhw@H|4)6F@7Vvt~|gp3TJ&8aqLea`X}U~
z@baiOY;+gz{^UtX^3TDs)?*Or$#q_GMfVg-LFe)r!c%ue_dmymAbI=aDRNXZN-5iq
z4xS}EH`H`wTc>P!Z-cq5g6TY~M<Y@pKbCN)$!fi&O{X(+N{8~FnO^vsu6}g#V?s#b
zNf^-~!tHxPUasr18L?(Vk<hTNI`15Uvx5(Y#cB`YOO~SqzjA(nHm)IIe{tRC`HO2$
zE|p*i47w$MqRF1MA*^$qfwTRx6e1wEKECGLYzI@U%jBpcF4pzHy2`}(aVy7Dg%f>m
zM5>j2k~cn}7@S_zXqxpGm+W0sjNIHW{^5+kENzZO570o3kO+-<Yk#|#V$mmg29o{A
zO>%VoB8HM}w(b20D-`N4J6+w2QTy(ED;IBTBmXlveGZgegFv^5YOnUt#>trYiU__X
z&Pgi~#L%$Wc!Z);eI*&i`{8Yc>*U1J;DkP{xO3R$raR6|MQVeBOaHKecgkUaN7k^G
zN(^U~-AEP;0;H1|C){QXJ5wWhny#F`cKq8=TbY1&{Mm$WartI4r>z0hzPRPk0xmaS
z0ZMe7BpKMVY>F0NIeHbsKCm=ZT=g(an8<FRafBDA3&f37rm41~KS{>xUk0oYcqKX`
zT?5Sry?Jy*vq=Z3>L0=gds~Y~6lRb8>_`=Iv_CR-Dek?)G`em*ra6QHj|z>#Jp*#x
zeut*Hd{;SHOYTdA`BE-@-Y7^CBbu1;2)1YXjXc)*O1kuc*1SUTdkWUzpca4al3%1&
z&E~yZR{gbxXO+y?mzNYc#Ib|-a2n|6oJ*q`2&DKNMwAe(Q8bRU@+bE}&GKn2@mUj^
z186^<uivU~QN-->!c$Jqvj^9cIY&2VNw4w_0j!bJCG2aX&7crJIJrepOi7IQ_|)$#
zXQSc*rPkoZnR_ChHi8z4t&x=*$H~Yvid;AP7$7vN15*#d=PI4Wg*GWdStULZ{LzcQ
z(4E`{S0-Ab^GY~|RjG)P@I0v@&oyb>;=#ovn?fBUbo01o)}}^oMkYQq;Pyb7qfmKi
zFEqn^e8aMw&}~sk4g9gY*&ZQXO^*RcQ(%k6Xx6P!<-+E=hA5n=-|;wcajQU&b1!~F
zdz*t<?#}GX%rdWh=8G>8hC@ieBWI5nuczmB*z@G~qn--hf2BH!pA=jOd}a>2;r8G_
z#E>Zd*m#756I-&GrX7V<RpJQl#ITjf2EvR~?-2_xfw3Q5jXqzO^_!#ZEP%YXc<vVw
zr^+O+az+Va`qC62ZG1+unpV=8s0wV-ejvfc*Cbne@_O&fMlK1tU~#yc*duvI`lc`L
zsP%hBo>xsZ&5(jC`q>q{Ul-PvG_;d>S2sfsPOJ-#4|P3bQq&Tov6Us2vFm@Oz7XTt
zvO<;AE*S+&7+wbYB?GNsLBzUqBxmI&Eh59OeCGP2S37E*2R%(4M<;9>jy(}c_xg;{
zW_Gi}egnc*i%O@G7eEkHrCuvTYZo0K7=EmGEDUti<u*_GR7DowfciznVSRhQd*&&J
z9=<?6;E3(veDVCaHp$5z&PA2@K>D8S*xj}iAHKzo6u@RFIk9MZCt`39Jul)MjN5;9
z4>!;oYZ)d<#VDiOU@jEpn3oai2(T#~+{Js+#S}%Gf}C2BP#pK=e0}^N$1K6sR7O=p
z=`37^F@DEHxp|1s#wO%m$*Q}(;+mO86HcrYkNZ6|Y9MUiq;sAssH3OUuU(&#E;zbn
z-d{(ob;b{@?P=TK#xz#K`kV?sV;d7aqaDA`r<~be!TaPI_lGK%+2H5ChQe$C8Y<ei
z>cr@HOn`;58YJF#Gw%$)*5jQX8~=4z%K-ZXcN^;$0HS=yR93<!L%!Fizc_G$cn6ry
zr~}{r%i*H;<E#JTI+ugl1unI(<A+@r{vS`B?{Z<3_Hcw><Je@@u_f@XW5#mEJgR<&
zoy`DV_`p@^FD?uII)Qov8^F5w;C~3X|2_m<t7u(^E_lptR&-$3n6TMsihBd6Z**-d
z=fj<4mi@wzW64$XXRT*_|Hfx~7yv0~l{Set#|q^{j6Y-tK`QS81ntld^&+#4yzJBd
zWK2|@g@O955so@!*B8Ct#d(s5d`L&$A>N1+l)mA5>yYsst~*>@T#6*N-pUu$mIM>v
zs>GnXB-ynXctOjAUr?A_|3#Q5X-^+OrpvgWHIS(&sQjIL3V2mGf|v7xB=#2<ZIcO1
zhcg4cz7Rf{whzRhg#yrL9sB80n;p9{r=6XqS0wrMO)D-wvBdSi><kXSXeB0)7^f?!
zd={4YwJ1zeke^bqd?!Q4T@foY>^2kxDc2a?w)7qztUSD`@E4aN3y*pO;Mr%hqyCl5
zH{dK>J*4IRl2!-%tQ1*PF6bM6<X5<<#<G0q?=Lh4P^lsjCw}692i+%cBbWnoe1CB@
z=&s^VM)c1}Fa^WI{R(^x4e@DrjFYS>l4n;Uq!Rb1nr3E4O|9@Prk$}d*(bBlbz4Ao
ztW`Pq*e{MMQe=>$&5R)38pG&2dBEXU8ccuaTbD5-W<S~A(-;#zW!@7FlD=&7#P9Wy
z75V(49Z}fhr(i(50~C=5>hy9!#?ACVYRd?ao)k<!9EY_!^}VuAg&$@_3E{hR_-lo*
z&XpdS?K*4A`W?Z_PXI*Ynf!y#?&Cvoe;>~V>R?2d1TQmuPR}5;-H}=C7w)c*c?GK)
zXDB<e`sTHX#MlC0cyhDqrPsW8k?=g(u^>*h`1$gmJn}#I*#Gvj|M&Ph6#jppBvmJy
z`v38>x)1yQX^(GIsrN4~*!mw$synBx(SehB!CT>RXfbeY{Ozqi4*q8>?q7zwzy#_9
zK<H?+;=EH{8827Nc?Mi)|0byVzsigFH$vI}qkjGg3b;e(07>+}PVR5<|9>Tw*r)uw
zwfnFE$Vzgkg%FN4Tl&E@GIxY_Ek{x;!~_vPjee=6d_9*Csq1j<o)?ub?BfKI7l7<Y
zMsFtz`-}_mI};(g_r_jNyJ{5n_O?vXuI@jqLYxO@i1{u|Rt{#hqXloD?A?ePEyB6f
z4_P$9WU#(nb&m>d)H26Sdq}mINMA!82;neZ(r4x}GgmT(8X@R}ShUX`?{@CQS5_`(
zzmQVuFD?GseA&2W>E(Wpcy+n2_8PW>OiMsgC@^Ap6nTV(9q(we=!aUS!ub#niJek+
zaE)uYqGbpB%*HV1BO_wvOl2pE_s>{a)2ngL22+`_h3u!a;7E?ZvIHMfn|{3wbxQy6
zY!iyx#~(~&TDc8kT|A;mhz*C1djG>_v%CTYcKh6}((CCp=s2LLA)RK<eVGxXMU>G@
z8835MIf6rL#kG-o1a8w(3yMpugb7^$cfjrExOI<A+I7*kva>@y=SeJV@=k>buR`a@
zlW%?k9%lV`J7=^8jM`9CRP4EIZu_fcA=~WsREp`q{k=NKwTaEA-2prEk*T3zCk1V2
zlfUM=Mi2;ld`1Pwd<&h!#7P`ren+3I&_DdZ?;~$Cfp2Y<s;^X9**}#XKV=Fnh3q(#
z2{zR0k?S&gyI6NY%Au}Nt7gDCJ4*}a#84#p-MkHTnXr$`!xKFeo|Q^j^82R2LhR@0
z?`F<3!W$pbR0X`j{eKg>o3khmaReXLSk7tqiD`r+MH3yf-OsHo)?wp}aBoxiXelk-
z9qj)=4^h|YJuIDAt|4qBD<an2=Zb6RL5YDm6QC1;SMUefW;BQAY^B*mt2X73isc#c
z+{X#EkRf8Na#gvXdKZ7^kD7AB#pHQKr>xFS>x3r|E57Sf#m@S5D<vnvUWh95w5FVF
z%ctPCMUx9=__);cxj^CI)%C!tv|=owv1oC)J`wE<+~CZ&%l~XCL1xik%&7tqeyCP+
z-)6m8*TbCC^1qnilcgHD4jn_@jTh?5Ki*1IZ)|^R++H<eSx^0}aQt_9_U=&gjOxT@
z-(Dr$Pyq!6mKf4YDH?|1H4(AU*P{Z=p|w#un_8<AM7@Si5Ba`HBkQGp=5RLnk2*Ln
zv%$gbJ2dDIY~vkpm-gIcH~##y-btW20<a#YI=Q7Q2LQY8TpP!qLm-%$7VuYj`Y+m?
zgR=JDypM<&|8-AehkN#BT#Auxg_@r3iRVm7aSkzyRHxTJ2j*UxT!_zK0oN|ZVZT;9
z-hTRH!Y2s#x^+?d3+Ha%@p#4J4zG+q>CZ-2NGE`uOKybh9=gsdW(ReWBkkP?PS6*B
zKg9&!!H+d7$d-IqnMC3&gW?z|B$pn6>RTN}@lQ-7uJ#hMye#P2jI*N=Dl0p>T@7=k
zYnq9s<h)ASE(5V;oTPJskg6cMeadn}##8^|!D>Yl4;dkkR|zGz?cFx*v?kmH-4EiK
zuDF2h2`yJ0`H|#}606b4fT<i-Nr64oaymgZMiProYPQN}qJZh)Nw!!qAO<y!W(yar
z7|Ijqs&T~tr#zKG3^>)T=ImzX7kDntOfu9YuHt2{Q(U<QkOZqJk@b<O3LYy2Zbsgp
z$b)$Gp~qD!qrO;|{9r$K!&D<_nP5IQ<AY);^Y+>|ug>M>pnd|;Mm(A<m^&HXk;vPw
zo3Rreuzr#mX%N<y3Juat`)NGy0=^~?JXQ&N!j~%+klM8@CAQC~-|8N))A00GAD|fr
z5crpaf&gRfugoo1=gvUw_y?&Jo<)mjF(GZ3$=KLxGvwKzn&L--_?zgD_G$5T9tu#H
z4YEh0zNY!n@MtlNsB?*)F5hbAQ_v!Iud<|ajVk{kHw`w^BQg%A+4jq}f5}#TB}0p-
z^n;fo<Sgk1{l%3-*!imbGO+1`2StiEQwlAV2PW_K2PfWL{pNHPK)s+C)AX#?9=62?
z_ARFW``^0Mn8<CA=x+dJTx02OHC8Yj8UAr}F}rKbB4niB*W`T4F>}Yu^7ggOfFb-~
zBcNm2hqNDjM7J-hMF8-X%PWm4`CcA^E!{81CTYt;r>><^>~Q#y#Y0_U-ybOoJj8AT
zWGi$h=?uWV23|k#O7vt4#o&7DB>IJh*_Pz7zQU#5i=vV50rgA>ys9WK*!%wCK;nL5
zteu6rg!52Nu^bTFmgeRV|HOH(w5PObMp<T!2-~(!)U;PDMB>bLRcwia5G8Z-9?hVN
zN`WU<EE@!|ivSFtJO>02X}5rJIIsa0c3ElcXf(#WD#o+yp8XhGmK~9HluGnWjF(it
zwOoAtsM<}z=4-5b$eYamQqBNg_C+gob|40Isu}L3l@$i1e8{>x60r0bUL2*V#COo_
z*tbZ98`cB<kpfpt+zfJ@_Ts6{*UQ-=**h*S@t~KxmTPGS<&N|!Q~wX~+!vY$re^mu
z+ZXko8g4&v6W)7{3?%mf4Vl};^oIsvt*C=oM4;+P$P?!MYaf?`7z~`yCl?=K45G(R
z@w%E~pMX}c6OZoY`*(fb#S8XJKEIvg+F-jbyF1gPk;&PBKJvG=lMpXs`>I>9Zwn<h
zUI_aD<Z4<4g$YwLsz?Yh;HEDwgJfkn2NjnvP3;=6P1ub5yh+>IjMN)}=QA>%oqvAt
z)Dg@{=22EC(0<3CWd^&`9a>k&xx$?iTsa++o_M5DprsKxfTb6*)|C(cr8=?bU96U@
z5|#n05E=c%8%!aIBbpfK|1GjX9l|TJ^{eS0;!%Y?6lJ%Sc88!)hg_J{Q3)l>hY(UK
zmu<qYl+^M}ekO(?ILr<VrqvsOomie}w9U3jbQJtCzQcj_RBYwU<6kh!t@fx_@3{Vu
z5)vM5_G-FQJ$PJ8H%QQ8hcKUtDLrt%^aomcnTd;>iYKl%fa;sHWYN-Gm4MzKK{Qlv
z8I6!!&QoDN@E|91vF#cx01j>tM~?GjwDLlp@aGy=^X}E^ZePzht-HTmT|=JMod4=B
z1z_8O4~z_YJ42C~Lf8Hh!ACoh7@b3&HfP;vk<ejzaNhd+Hh2drT`SQK!d2ful4=is
z24B`M6F+bmxJ8~39{$B8<^rsL7Ia)EkE$>NL{4m*W(EzB+7DZeR>?&RM*{3NdR1}K
zQht&VsiD4}-(2wLeF2?GVfN{DXF4cOKM=z<0{B;&s8fi!)-<N<2CEH!N<tjU3b9pa
zB#;6FeAf!?>|$%r`YH7m=$mbfDXIVv6xZUuLAD|FFRqsU!df#qp&Xx^mxkuwU9cy%
z?cwG6p?i7u*)2p!xzAfuBWC*?usvXbRwQ(?2igah-2~{|`It%X-Kp_O*gzKC{i1qL
z;|wwErJ5m0j!(U@{L-Hsi!UTxNnGHb`WFecF+)+O--M$adGN%~-_C8!EUM@<j+k^&
z7C)T$(fFW$bs{P-Sg*_Tl^QR)Z&ja<rHQB^88cBHlywmVyyFzp>Ly`O6S0asSFeO|
z8908Y6I<NyIr~RJ*YQXN^KVv)&+Sa*0NMsai0&ElfhpEzD8tP1qJX1F$JZ<2b>i{}
zSS7YRxmqiLi9K;+x<|atg`&<Xca$)Rl=^1+rY6w#3F56L&0m(#{%vY~jDfpQ=S<4)
zv$T9Lgp$07<3Lrw8SDMwFlgWv$&;v7Z=^5<o~U~}85T_Y4n7XeyC}h1yMaIN+ygX4
z>guQv@o(9uVxBs;^hTXvq+N=;k&%DL$zd6uj1t`fO|%1+W&IF}lWhDoT4t_RN$A6U
zMc#8Z#5<RH8a`X6a^LJZki9YRf=~n083a$j(1bqDWZnGCwDT%=gK9;H!jHkn^OHhk
z8eoRXX6u=x9@dQ{fgVV+2~q#Y)eMKu-R~tVcc!!((|r#994)LbOimU799e;k>QbLP
zvCB?MCO;oA4D1*DWLF<6@jPQ$Ja`JtnhDTx=!UEG5t_nCmDu{Y{w?ovH}Ij|(563B
z*!Vy|bMOsdof`UG%k=L~9q^(xb%+i`A$d@9Er#8#lKfP*rTB<e7;;6g#~quz8hozr
z<o+W1CpE#Kjjx7@1rd`3K25X$E;>*(T9-Fk{~AD{okp~`#{113(48*g-QNc*eOwK4
z|D53JQhkc&>-T#{#XN6k#R4u<-Z%iI>jnCo^BM)jdFhT~;`9~#$vH05l3&(~dj!%t
z=QXKA`1~t*SGkRhV1<1>89G*~6=MVsnK6z&g10LbT2akZYI8<MWp_U2K*^zxW8aw(
zcESw1cY?H#-wWaW#oi^tXIh3`gXhb<<}tPFr1EOZ;@<g|wY}3NCE2LvCDfNc-Q*p%
zpsE|wm35wdV#H9chgQ``k?XWPW^lWA6HNaVAvvf*eOOnY2_^R7K3T)`lXXk$aJYBA
zs0@ZuW1!nn;Ov#ou)S-U?q0N=FO9tM`q$|EJK&+>4fZ4S&uqJ~l-lops1tQ0@49rY
z-wR3Ns~Dk&HmlVu2x*`TK4%q;KfrX5h^Onde_{^LPUm*Vut62~5V}r}F#!tiqlIb+
zb)u1VLklxU4F`_{A4&QauiCO4wxFnqv<{$R?ZiakwdoFt7q@d!<W<pc!6^41_;zSn
z{rl=tzVmq|xFo>@#q#Fw?PBlVRZrFxDyF6f!SG|w#NM%*)ZrO|(!BYfB1%El0DWr%
z8m=7ff-6F7QhcA&;=kY|WauB7-ZQO?hX+Mj)}xwds23mi)x4k9FBaIp`jH3LbN_N$
z+y-glH0Ri1+AyQr_4Y6z`lPAkQ%-1Gj{?NVVrKUE-R3YQy+6v*gpIlL9qI+0iuFV9
z@0~mTB^v&u%7uKm%|Lq=6Ak}6vS}qgY|rcNxC|6$?`N>LI$kTU_)+U(+UGmh&KpHK
z&L>$<Z^DLmIRu+xwnkyg__P<Qi$v=w0m@nNfcWHOLcP{=+IN;4-7}UfF4yK@sEChg
zZ`@mZ5nMLiGUV)1KJC;e_$B%R>-w89V~5~`Pq1gaD$Hv@iF10ya3A|HZMwUI7)JHK
z5zPXayUCsSAb6mGgV~5mWkp3%JzwIE@EGHp&5frrpG}hQLrw?dk->YpY_mDlxIA$>
z@PUtfP|Vcsauz}d7Tns!M^4VXEnC_-Ay6q$PoJ9Xl`(rCJC`DNhtO<qdQ$5TDV8w%
zrqL=XLW1el>O3B=X)(af^zG%WuT~Q;YL9bdnljB?+_Go2NV*ELdEO5lGu*Sm>i&-t
zWS=w^rM2v>Oir?fAyrw{K8lQ;1~@`NSV@QUU5j+1AkC_0U?vE--NX8&zelJck#z0O
z^+cST2;Ctv;!+QM7Ib6@e{LL@A`v>)OZp%oVT=zUDuLGmKlD9$ZR}enj%~`!SV&1w
z3-PN7XaxNP!9nqP(zQQ0=MXDafKd#2qQDJdztSEdKN8STrGmY(RxBFzEyX-_y2kj>
zCr5w@HK+YnOr2jZ+@E30d<zF`(`{yCbbPi-%$(IJgb%SjPjy5^U(}bX8C|dTM>MhW
zQ%l06+qt|4S*a8$k$taTI)4P+SH4R&=mMII$NalrGr0k#6p!RVA3vXLzOhM4Z(qL<
z&VCgqw7~Pbv-8U)_<L+~r!tR#h?2?H;u-I?KhF4dwEa%aPKZl$#;#2IL;d~|xk0e;
zULQu;wjp)rQC(R5-T{U%v$H(n2dJ9RE-AXw&$E(ufi|DPD4<{e)verq1MmJ3b*y&n
z{$VZ&wM)>^@;s&mjbO^WKqItscxii0&c7qh49^Z<eCRpVcU+z?SevfJZMJ5n`D6UH
zly!!axtJDp*n;uf(m*O}1=Woy1q#jBYyU-CZU56+`*&#5{d=|6;uMo(u}q`_x#ha;
zXD0wQR-d|Tm#}}ewD{GXn<8K4WNf=sY^;-3KX>*_2$y2eTmK>Ixv}nFSJ;9eSZs;+
z=9QVH<#$;oTfS=6VHTP9DmR+^hdb_;`I?56V=O@?=t3*cr0lp&$pm!WFVJy)KM%6y
z>DHM`%tQ*ST>7I$0TaHepoMmC?oz3e#W!Mci4s?>PxURB+t|EXIbJEYg_*S1!%Uh>
zMmunL>7MarZr(r?N4ISg^zbl-97T1{)3`KkrrRfwm2#f{MqKB;LfvOw?y2q<%<Qf0
z{roMm74KEg+^gJl`4}`RJ38WGr<fA&<Eo5Os>>n;!fhD_Du9Aa=Epx5kbQm=p|^CJ
zGw2|BJd<R@nZeOkBV-}pAPn`#JF1UQY3*@5w`3A?g60+m1j36Ysu+J{NwYbB4h*SS
zdB8i10EF;2YH2}p$($q=MaD!*=#H>K<&G;^!r2aySV{3-#%sVwo*3Vi+ErY1cQH+h
zYP0|KN!PG%C1=X}`q`;ZQBN(|aS8Y8+$`21sx5VRuX1ZA!~OIOOo!F}-}rOYNfaf6
zptci6({gueiu_G#<nJHd_w2#zqatfi=el?IWag9y-^rE;%C7<)?lO7#Dy43e_*QZZ
zLAV)cRuaR_UGGu^vgk`gt)iOEvfoKm{y!a`J$j!s+0}&3`rk#`F^7xU=SG^(L(5#2
zPxs7OhN|*9<~%ZStdfa_WE4&Hy<&Ws&6s-XFyD34!NH=*EVMoqtTl8pkzq-=QN@`r
z8y^H(9-Z)4W1zzvVP;xq<2#4DOL*a-wLoYo)y_FYDpEFM^nhB~!;e=FJ^QX^>WrOL
z6>(<YpsB=Dc+RXz)s8<tH=;Zg$fIbg0hNm8dVPjlgexU);ay-O@b=|WcP93}Y+-k2
zNJ`+fMpnO%d<8}vLA=F;&gQyzIFFA1tb=j)!b~`GeIfd<&R>^F#_scME4y;XteY$Q
zt(mco*@RS~uw0*DP`|TMbo1W(Eirhk1UKy)q}25u+h`c0>8iLO{|tA^Mdsv!<u`E)
z<&Lnc*9U8H2Mqe}6%5yMDht^+6Ve=9E)_J0a5NxKkfB&+(AaJaV|47f_N$>Mu?%at
zc!&LJG0t~WySM1X=P#g3R}NPdVdGLKNHiFzQ*%SoLE_{1pQ7>E;XnVo=V;H{$s3z3
z*NTqOU5rOsgze>!|Kd9Fv#-oYJK|Pac=n8ps`P526Y<#5wlcX-8iHpU3?0|t)|R+j
z-}h$HdW9+16}s<)2rM7@`yV^>57P}`FOo#6SB_~#i42hUK&=rv%;y!5>}z!HS{V7&
z#a}QUtEsPP-+im@AAjV%utARL&$f~>s(y`Ka@$XzNv2=_vI~j@BHmn<8--t8%pVC@
z`FYa4372s&<!i&@@d{r3%^TtK-w2g|ap`F^)s34zbT)J#u+`bw5s3!bc&y+YL4@$w
z0`)vkuF=&CIGPS^T11us7GE|euUruwUtC8OjSfg%QoRs+y!ua?3(<n#_wnbA;*Gty
zsE-Ta@$JB6@y7xV$;*=1;%@{AP4xcXpyLtenAm1*KMz<1G!)hqFO>5^^P8F4y0G(0
zZRHv{2e``NE9C2Ek1>u3mA^%S$LD@%1^ri*vHy>J{r_)J_W!_g|69Ov=XnLKXkhYU
zContmL7xsxjscx$zD8qRYhv1|Mm3xHlUd?6VvfFZmw&bZ-NmR8%Zs<_k9!`x*KtF|
z;|gQog>FgwHes@sfof(xhl^v9syN4%hY`_dD0~;4U%39}CL8THq8QD2UlBhP3Q#Qm
ziDIGL@X%hQp#%WStu10wy5O<Gd2)m2vWLE}J2F!!1`pgLVfe?gN=-`-5kHF_TmLBY
zo_p+TEdBi(qFtuL8e-mru1&xDPNBtB&Rol<z;9v54vb&C@GW&>vbFy%!_N$<=L)-G
zxi#?=Z#VpQd5!oFq}=lcSO2NB2a^<WiSs@0=w2aV_G8v0JXv4w1GC8(%QQZasAT)<
z-qOa+$>v#enwERWsRPwNPm6deUem!;msTuVnp>wW^#j4`M%HW{%m(i5y?!HWXK)tS
z%mkdQj7LdtNZuHcp#$~H#0)477>Ak`vM&RDZd4$wc!upp+sc!o&39EFVs*|F-j+JG
z;mRMTyej$}a<*XV2<=wUPM!=cp2>SN8JP0D>;=6NVxVf};>Y^HNxjf3Sf1-)0CjH&
z^5J#Yr#FM*#jhKs@C(yvfHYPR(lDGZHo7^zM$-2&StqF04Z{Q*r=FxH%*oW<%XAf%
z$yZY8*#N)^1nJE*%dFWibZP<$E0cE^_&c|)qVvSyF?0mY1yBvW=`25Sb0WOxkKCQj
z1S!iG)cvZpv+2@j`xj%H-De3$foLVpC%kO*3gZp!0n_8@ZtC|y9!K)XHy{Q`_^#q~
z)r+vw2FRyYs!_v<&WQJeE@SCFw*IMuJvfO(i?<r%4iF8r>AFjPl&Ej+l{Qt!PMO^g
z4bIRSn>bjY^F20Z=%T&{1^$eqpFPFQ7n_yHC_+k&_|~Q9jGl<9uS<mvyPV082~IPM
zYi&0QPJVZuG+ado>~1GW{8b>&K-w853aC)MI_S*lW^Pza%;Zkr%cX}8Ae<z4TQ~u;
ze&fb^+ndc@W8(+TYURMhb~`nL^o}w@pw2*aO1EIk>;46a#<wecWLm~@n+yATvpfq0
zg?1<OlpNWt9{`aN#H|Tn_qZjwem8n%RY4^r##QGV9Br-2mo3TZJpREd+E(h9EQfA7
zz2frXI<|>=Aq+Zn0X$*J)^D^M?}jvcx&Ot*!yj-9QJ`$W(!QhJ4xYRP7(_ar^RLpr
zyt-<4W$#w$TIJZr<W0w~<%;PKlLkK>bdR<<hJJEQu*E#dG3%8@h>=;)uPklFaDn>J
z0B4AMcB0@hiB>|bJc*!T>pN~=iC8Hnh2?=+0Ntu5o$UsM!Keb(t09H*Ial@B1W@h3
ztB8Hm>~llPb$|hPg{(q=hllgB!x7mGaoOH59o1rAUk{4}wH^ge*KhBmE<jh&F+fTF
zGD3*iJK#2~nH-067`yPz&j)bnu`Mc`>VG}bqx!DTN8Ua&hlJIUqtEO&ux}_aSw>ct
zXk?5fI@#VH=(p<g#SItRB1ec0cVH8%YqQ&K_t41}&_A8D^M*WAD}Z^U3V+ftUb~AG
zZY0Ny)yg}}z7XBF>W_MiYP%_rle)0zX}=>!H4=aO1l!J*V}{WPU6T7anux>gyK=4T
zNy4X*S4Ot2n2r&rKe_aqI_B_P6yltJ8B3t}`kLknB<uA_Usr!s*_#0$bylRGVtgzh
zzO~>?FC<np8AD_;unSE-_IHhLrxz;!xfeXW(bI(AfYcF}yr4yYqX_^iDc{rzsrCe^
zJ>2DseJF@69l8w3G!%Olp2_iw?7;+y*=j9G-AowzlaSn;5)ET+4KNidCPzTk=-3?7
zG?!=+HPmON#+w4B9@)BE>XK-gzwzqzr5f#n>E|QY6t8iO*CWc?gE*IIqnxx5+58h#
z#RrJy4DI2cQw5*Sy;*!d<cK~TlQ^2baYTQdhnB;zp%Gf)0$SCD%V>U#N**`v@(PJh
z{~BhJ`tYdK48Ux?&MrK8`iThFv)jQPwhXL?b-C*dv2xwBZpW=3Y&(%BVc5kN7Yw~k
z(p$lR?~=pe96=^?l&%PxI0-u5i8SPf9=6OOv;D*`Y^#U+o?az*NsVHj@euk9JuN@K
z{)?-;JA`&p_4zodF1b|?JyFNJZRugWg1ny99%VQ+=>h>->R*vv!8z@v;jc^a{oUCr
z$2R0Ncd%Z}f9r9MwB0_Y0DZI<m_AQ{M~v0?4H&Nu`|g5kh|@3OzALFqTkv%nh^aWj
zk;m@EB2DF@*7Cah@WU?mKD#)ru@i-<KTr_8>j$eXWsHWutI61OQO~?qD$|h^MWDZA
za(MT$Ir1yuBN58TQ{&CNs4#K|Jt7A%SgTJU9E?6$4DS_&=?i7oQ5?dg4o%&$JeUae
zEv6l--aGOCjfQHN;nbzzgKe^MtH(8NkEsy7*M6;I>(X=Vi53vTN9u*}?Fk69<d5kb
z>7@j})x?W#=qx4<d=%+4OX5e2f5}W+0w2*3rmelmcTEhMmdQJMZp3#E0AgmVs`ntK
zZ)mMuRjHWvqI$5j5vr|atoul98s-^N8$vcSJhg;Z#?rQ<lO=zW#~fI0s<>;9%jb(*
zT@dP0@=qU_d?#n`T`H)1x^vGVXnXVJLkxD6QiQiC?w23AlbTUK&z3Es65qP1wh)7x
zOcxGQh23fG9bf^D*d&pOW_ZvDt7QLKGs!l71fh+#;>Mlh$a;*13$2{Y_wYDDOX$SD
zYyPZlWI!NHPjd!HwWye82bKq0dPx64xg*=Hme$?sANFB6J1IxX+2=xFY4*_i>Nx)`
z3sVs*MKcN0GyL3ro`h@i1#0u}9yOZVY$AIL9Kz?Q8sQn0mE&@?d!$;zO$_@`YYV8Q
z2a^Nu0m!Yw0ca7ZA^!%F2ZQixZye9A@WoDZhx?3lzGygjYQ|Y>BZ%BQ#Le65pE5_F
z-9mG*Z!^PK7ZHZ-6rpnR(nH)2>cg6$N~A(?!LsQ8V(&e}n%vqpVeAD3l_o_{I?^m4
zN{fng0YQq?sB~h8AV`2fRHR515ZKZpT}p`b782<K0@4M9kWi!r5`+*)aqj)jcYHI?
ze%^WCXXeMue8;zc_yhmk>t0!F-Pby=vlz>23@!g`M)koOwIAfP96A5<z*5OY=k?lg
z`%oY)7__oDH2PpytrIDVm12mqrvPQKDmbcf6cynI*dN2q?$lEjrWsK-cB$Q%x%y!;
zr;qAT^|$MFw_T9c#g>}syUONtm`n?v1Nh0N+tsc$x<$^OJYveqo2`pAsI|M4EnOAu
zi<hm}h16s|{4^ZbA`|l*R5oJSV&^d6cz+XtU6yVvEb>$;g*cQhk*ZA)8|y15ztM5G
zz5GPV2Kh9@kts=^rs`PIbxF!GgyY(R%&Qc~zIRR+sz;c{&P6NP3Xgczd>%}8Nk*L?
zex)hu+8W^r=oC(uyti)$$d4PxzB4UZCG1PK%-i$|%6;NMO#WzDK0PpmggR<cLN6!W
zg%}8R0&QgDlBrA<+WSa~=Yb{%`8NkMM$K0I`R-M_6mAEtE>1$r2aFYmOiHg!N!wpX
zR}UAYtfBnTgy*T<k_a(|3mrwQ3kT5bq#YuvJ<fETR>U41`T*1>&bO$J8<U#10)?iO
zrcm4&VNk^?+vG*lv4zJ`D%oCVV=yzk=6C#FB`~k`x(-7zdv%()?XfXqN2j#uZNStA
zpl0&^?;`U3&pgLw3^dQ<|C_@Byel-jiv5Sbj2`m+6N|gq0*j#mE)&U4W1ux4PHFkE
z^{dpb65#bt{0W+MP{)~YPk=x;gxn&+oSL0<{wdR~vbY|=BK|)^E&W$0ut$zi@oW$i
z*ocn+3y<Lta-dkpz^=O3D-exu1hf@bI<Bn-(7k|eAP{Z`^yT(o%@_$fz>}2Gq38n)
z)JS$>jpw=71BJ4={{nf^TrZ>8LS@`KZN}47<d^ySnjf!C8}k1I`;qW0dRD>6x8P-3
zO|hVDXOGgr<n@|Bm8m#6!w#?HXj8NI`u#caaR!}GTb1nQ8}D53$E0TfcV>B%=OFk3
zdlJl92#`qnWE^oBq$96GFERDf%qacu3*o_}q9}BAv&{VlM~t`*#2*5?GI_gBKnd~s
z3c7UOwX~43^J<>1547h_P)uVUk<3KAguII>1NR{esC|b}L;)l~HEt{pdZ_zVU^XwR
zH_36cGkQ~{yx;bZbYjBEd)a(eaqa`XR-5&m;{|+jcIL(MEh~8{WefahNKL_Ao#>yn
zsWEG0IawfTm%!e?hcX6QG@D260n7X^epvsjWWYC;Mm{mC$kr=q?5W2MV9ESOd+Ix&
zB(HPW8;Yh6{O@J<jg(r>#}+g?Fp$1ilMT1&LXAU2Q_Z2+=diR87T}`1TGW}9T?@MX
z5tGUm2^|Ynr)oz6;N20X2E{v#dZ0s8nBo*uM$ZNCJlw^!JGJq~Q_ycZBHf;WQXM0&
z<Rn9ug)Ua|$hloC1JVIzKL$CK&Nd_M5?c21L60bB=mUn8^-Wfdqu$}u9kF|cM`IIz
z=mzqh^43pzFn!@b{PT8Qi+8z%)_E*J`Ra4~X7QOAm=(ff#Oi_|`bJVP`bMTj(*#7a
zhII~Cl#8=$1h!eB=QYuTgNR!)VcU?H5S<ov*qe2zqIU{L(f_2;o(AX13l?|cglxS-
zhq579FO=Kko_#&5K<Qt*5sTw8BRQ&(+}pB_+!}wPDNsxw*D*QLkpvM6t>Mq)AzNcK
z$F5b{_ZLEZFQ16AuxNR6yM|A)xTD`*39?Ox_0<AEuW2eoFJm&(^@gmjMw2I7iXSt{
z>_w_JKHsy5rVj$<muAB7@j1}i1S#Q+CyG*zP$jK~1UyJHr~$~n1g}p*LeqC9UqcR>
zmkm}pFBE54etaZtxW6t61W9-!CRigjvD5wyu7wq(Y>))v))t30pa{#Mm7w@6#kj3c
zg$0k#zqw%hR#!Iq#`@FSkw<$wjILOv@YgKHf|E1fS<OsuO-~e*T!}O2$tXRCmd1`a
ze<jl)m5s1xWFz@L{1fzZM(b~mO0f<_<Ga|#;TlCyt2(+5Jza)AK^rQ_EK8CoK2cV-
z@5IsbFLdDnpUtL*+qF*uuK7)3(Kv4Ki6xvY<=~9;u<9=oPl=ZRXVJvez;jhj<b}`y
z4PCi+fzN)FLLc^{U-;4zvAbCf7SQIhkr{@^2Ud_!J>GZn*R`||5&o&w{$|DE?NLA%
z{SpL43C;jI<ZUwn#HC6~*Nf1LKMINflWrsrP#JiQB@J-?uvIE>rahReyQ(WJx2aT)
zZLmExe>o9;nSo>)(TNN`fU}nYG`H!8JKIbs>jfdXP6;9`;9_vMq0XUNJ>|o2wub%p
zTy5Ay*bn7DvMu9ZhNamRRmK)bQHqfA^3@Ej>gUq|I(gilvYm>-efCw0P-%4I;0mTn
z`)e-l{x=}$ip-V{9oXxNcdMdo1*L^+-ueikrEAxz(lVYcOnvV?vFTk`J3~B?P}kjl
zcfI7Rw%ZUzjl4|CLf)kuiLFV9NDWeMMMewIo~!eJ!bvgo>Y%i_m}8jgIj_W9B5Tgz
zX~%x*``i;@KR0($)P%|tCe6|or_7xyA$PWs(vO4^Q>1M2OqfYcj8w8mc~jnUi98Aa
zzlF8b^*&e`Mhj*pZ#Sn8hnO^gt7%{ea|)b}^cgn?^E0mk`>`LcW`n0nipn<7Arc-l
ze5j5wKn(PPd8?M1ta-_p*TVM4!H6IBGimiN^v_<=zYs8`{N>qdFLj6XGeVn(p7EzI
zkUK#2YK0bjw+DYO1MGo*xe95Z07<*2qhV2J?d?fTLy7h}qni)IzX+E&tt_UF;d{uT
zo`j0ai2lJD8iUM+IN}zA3-~CwVn(O~dzf&Nd87m$Y%%1Q(I-3?|Au(d3wZ=y$AIaM
zK7N>7*@EPK8d5l8;2x!}X&7mvcfU?%@=u?(t7Do_K(nhdIfgFw`t<<F4st?4rO3TM
zRGX{S%cyPp1tiOSJ{<pespJC(2k(7TQ^RE!LWxl_IH&}-C}$`iRIt-nO7TO@l!ffm
zMNp|4?Bn4S8zP8&B%gld0X>V-*ctd?gbU*nI495P{!IyLH*GOVl1Ahw?G8P1OpJW{
zLro(XJf%Db&<I<&zcWZO@mNh-l~?+ahz-?qO8WaBoLJ>N>kuFNGP>g2=i+AKz&V?=
z`v$GQEN9|&w2Y$Zg!{wTM+`nD3~0Q}Hs9|=@s=}Tv(0WRzjUbJ7#Qp@rqr_+qH@2@
z=c&8>;XlkYp(2+H8WaWA#~+X9Fwe8{s)2AX_eiX+JJEl<8Wmab{d<=W394a}Y%)@S
zf2*()<YF&D;JkI(peX%D(u0CjgW=v(@n!qvb9RKDzS2EM*hGg){>a@t`3{pc8Y6iM
z*A#dy!?0?}PJRJ2A)^D1d5Qpk)6|#)MX9H?OsHyTD4&FE!qYeR_5#mbQhiY7Z~sQJ
zDQTo9=4_U$LXy^(SC+C7Ai42SnN_D_bPa0b1`xf54fx0u81m2JY6bB*tg212Xes*|
zPSMkUn&KM+%iSWzrcN$yBwl#06zhKZO7ZfjG^UVd6OvorOtzV|G2X3a+YAPzCQNSz
zqdr*Ld;#2oiaPNpS3x!4cGv-g29=Gb$`iASBCE5ICL`ro{b!`$V9sSXY+X}rm}PyE
zr;>#Hp{93Nzlgu>$#XN}F29IgFIGe?O(LTq13n=|0*!T~WN?_x+7{4<%764X@#Akz
z)&DsC`M+wa>IWvpcdRPuVx)vM(8*O%rO|Q)$(q_BzXtS$#zs&5l$79x*%t@79P4`U
z7q3nC)!0|%VmQIy$HKj>l&rI|*48%M-LkU#`?UK61h3;<8$qBg6S29pFsuNj=pH4Z
z1s^TSLw`97Iy6PUdOw{_Xbqypl}ssIV{|3qq^kZ<H{*a8ocVZs^GIA>+&iWXLz|B3
z0{Y{Gux+zfplZn(Zc2HYzhdU;Y5End+u$=l3^vuG3hISuosIE^lIds1_zV_P4Y_`E
zOqU^Z-q|eqP}Kwl<%U}aV@#@tiv0*`lQeAqk4^I?M2U&smtRW@TgxrC)LfFr`j;hB
zw#E(eHyW*j9L3HdTWzV%03dJ*zz8!sPzOV=00Bi@eyhZ1C-a@Ss_I6!?f($36M9t&
zkJs^*h$MT71EJY-6y~gwa1LcBD)a)=fYppRO<LV}NjRe^L5x#t4eE*nPEP0hl=&E_
z)@VP<hvyHns^NkM)m8jV)K?(`wqw)#(EMC%P^Qabb<1GPe3r_1jYCCo|AH$y5Ej^7
zT9`6alca~Ta>&f=pV@#0+Cl8W@X{S%Z{t)}{;AXa3yyamP^Q&j=>;szZw|50Q!%ah
z36v`%Ls_!n7jv5V^XpWV`;+ybe9OF+^@SrSW42re`y>YSbVf<*9R6@Vo)^VDumA$0
zA1J1Hp3s3wnKlMK5_!7XQMpr;>zg-1`6C$O#G8D7*q^LzU)ZD@Y_NfzkA6`2*h05n
zg8RHHw705&p26Vq!VCB_vYZ{LBLPC4d6WTbdPuNlka(9!5}}(nE+|TR_smsM{{0V9
zB(5ZJs(srszv%NWP;_R8eK)^g+5ZN(j}Uz2U3!{2VH$w<9UNdY{g-R@<e@pg;_zz#
z3pqTURa-%+Bk4sFvy2#R>H(36TcXWGL)E5phHK)RXv~LbjaBQ~`lJ1EjfT$tr%%4f
zaVsiEwp>*a{7DyY1i$gu&;Y+y^ED1qLO*WI==jv_bLdw=+sPQ=+B^v4xs%FgkN135
z;Do}DXh*{v3?LEx85q4j!$vRHRM%8rjl15dnK)>lw%~$eNVzvoYoHY2!R%xHxgPBO
zbaZYv32o>Gupy$H$Nd~{_xH#LCmcc75Jwcwhe@@U!VtguIb+o_zgWt4K!AHe1t<o0
zS(gN~rQV=UshkUL4~h({0Uh>8Uee}E(;wb?pnB+*|I@KeAc9zP{aecbO6XvWS4pZH
zNZ<THPo^uk8?6Rss)<>g%S+uTeKMvhB`DYBxACi)y^7}Vbt!|#S1|;p;E^`;tE%g@
zb^OR<TN%^R!PXUX4)H%t_)i!Iq8dIQqDKCkW9Ka3Q?{SJ+LlT<zLjN6Y7g3Z#Xjam
zS#c5>B2qqwS&fj%WN*cXwIj+-)FhH+go{<GEc9I^zu)7}MWcS!Ny#btR`|dg`Q45g
z00EwYm|_}IuIur#-q|#{;Y@5xH%bgOw4O9ceAcv|!w7^9vkz0n+M3N~>pH-ZsoE-o
zu&qE%-O_2e*ZP3bFLeGbi4M;)6OGNA#}hM?u2}iDg82YM0|_)_`MXM2K~IK4Md9}M
zDQI%qcR=sxtrOyWGBXZq_{Y-<o)=;oRKOH9C^y%VC?z@G;ld<;O(V)FXE&eZ%`Xs?
zDTBe}Cjqp?h*7<Y%)}mI2+${IRzL57<8ZRJ@TL~P|HYesqpdcTeO4WiH)&qN@+Ym>
z#Q7@(n4IwCXZ6*5O1f9x#*x$i4L^$t8h^typF<;o8x!J2DLt%9^aQF!Ep3L6@`ADo
zp6bal8D%p{^8);ZO3F<Bn0w=7b(&<Bw!9)+%%|-g5{N-+yUfX~kk)3%wqRY?BVUH&
zQ){pdU=^F(pn{q`QTf?~iPDbLJ>@nAAm`|93q2p%8l=m9Q`+TBJXGNrGy{Jep@>%O
zYaa{ezvOb-$og@h<?)gmph%#&sEbk2Qu{n}nkv)Y1Ukc1qPvGcLOv|(v_YY0hmbc_
zMI9f#q}L7B&k#<drtLm&s+{J3tl5#g>?LnwVVYOMmLA?MoD3<?fNG}=b@~+XnN3I)
zr0=S_H49Zj&?z+i0m2ca>z_wWUtN`_wjh<3=tC(Pu*Qx(VXDmV5->U<n})uV2)ks0
zB0ib+Mno=Y7#>#}_~GS6Ow4wc8Lf+=*GvJFZU?lL;L2^HSBAY+R>{uyMm4WJuC$K(
z)V3Cc{z@|W{@q$&A1$?Ye*7D+wL@uIA{i3OKMg@@?C#*Oea6}98U!kCDpV{<^CZ$0
zECx`@ZeifUq@DIYv5s_6bZ(rqAXb&AM<H)L+aC^FNHy-QfxPn=9quuBe8QpH`}oDj
zfR>D=K`)@@5f|b!=3vp;$Hr9?POJ)<HW3+7I5AE2rwx^f6R3ODAx1iZixEdo8$Xdq
zQc2`+<=blJGqZi>--uM%P2M)c<W5N5Hq=jnmi*f!4NZlt?f#q6ArSJc`&kIdEUI>I
ztf3fTF~pW}a+sp~+1kHXSR+H@V$DNxdhQV1dNefSqg(9z9=gEnSbzNHaL3c#l~2O+
zOxfe?2>>ik?wA~iMhsN4P;0+ACIyllcF)c*u=uOq%((CUqy6$jfLH5A+ay8$R;VR$
zC$Om@cxo5alm(b!Z!(xE4L}x#)G$IH5I%%n$%ZV9YAU;iJo4oA&Yih~y|#FJw)k<|
zT6f(Ej$Rj$SVL+g(Jh(UO9Z{a3ScCMJa7s_>wYmr&V$L_+0t=6mybXWJ-*e_!ZB{B
zdp9>T(21~U=`P!Cq>=aYoCHmao_Mvp3_{?q&a&@p6pQ#t>3XgDQS<y*ajsNL3|U~D
ze{p+kWq0hT{vQ!X)0`ilEAI)+GGiZ$3n6m94ppFVw_&1A(IG9_3hcgyrlIXDE)%yK
z>$C9A55F26r?8(^?zNXb<6lsg=#zQRSmwi3=N7NxncC&nA;aEeE#aCCSI>k-v}i`4
zM`~8OQ8&7#rhMZUCLRy0))+i+yLTrCe-7$uABadt2rRooA5I==YwA-U;xus6tFNkm
zS@Yh`K5*9Te7?m^t8<jD^IUaALK`erl#6mLCx03~MHF}sbLK0G6fmIs1Q&i^TGW(1
zGnM5AR=;rects}#+BGAwfN{)?L~o2Edzs{k+A(x^Ql;ZHHqPJ|_Y2TIRagXDiYgPM
z`G^#Sa0X68PPp<0S!H0YS$k+`s*eF=E0-E;bQ~8fOvH9C1f+V}Keb3KDjL*PlMe@A
zDDb#<ukHr`Gko#Se9~x+{~P`fQ-=H^y~?h~Z>qM82mZG|Na`{jF$1TUYJ<X2VF+{8
zEaowvgW2BMO>_PyiViQGetWBhW3<z7--JyHdy23Lne1YP`(aoLMynvA_9%YIfU3^|
zfN=coMeGKxoEk+9SZg4KLje~r<NBd(*2N*x%v!sn!vIY7eEWJnZwe@8JR0Y6#!hrX
zm)Gh~gmqs()AV^lTWV~6sZvGZsax}6byH(zZS@E<(njPYKl<6+249y?i6?Exx6J(e
zL7OC1UtZzIK1n`Fp*3i#K3lgG%-~!`?SWzUn5Ti5#mhu7#(rRHF1;?B$H?=2i#OPo
z#p-gsCGcoksNNuFZ)(8kX}fX9uSggsRI<JeogXMJhjpd{H_01RSd01zQBCSqTY55?
z;299z{w4d4_?_>%^#>$>y@fAF1HHbNK#mV|R(WctLkJVSAw7on$8bB;qDl@<ads-9
zeU3UMRvw5$MfE>(%A?+An;HWVt{uNQwo<$<>Pq=fhk8gfd`GrkCUNh{YG3-zfdkaY
zY~4Ke>4a0r!CTZw7PSaS&ryU8+A&mFmmNO;*^X)#+q#E%^qT|W`J00oqtBEOJ^z~{
zH*AiZF$Xw2&)X4l6Ws8H0+&F<v(zIjUa_-Cf)GGR5eLx6qg_#;r4RHrHXT4?clqm<
z@+L6L;a|DwdYZR>bLbxF6x;bzUGb&*pN53qlchoS9z8qo*P)3~V&P%zXzp0hMjYrj
zM<OINS}UFX$KON!dshEmtAB5+zYnXw&(*)bR{z3>Rh|fo^*1}syh2&b2@LU3U0|m{
zeKa#_HxfzK&M#kFF}%)ke472e={E<eG=V`!cGd&U70{-hrUYP>Y7b(aN*OWd4nOdt
zf>jX!u!3yFc7Ucy+#`eqHNKcQ5aA>-qOehZ0sCoa-TQp<b8?d8-JYkuTt|-_JZ)Fg
z%k=)UP$F$G_Rk=fB6Go<hw9T8ve85||1S$XK#T6RKc{^J5a8>6;ymF|@IGNr`Q`^y
zYf;@d|K48sVkAi>#x>fCD?ZH3)nD_~(VBTNyFOMvbRNsf!iJo<jIHb?_T4&tI^b$W
z?OP6x6|;h;z||MrIv|LUrVBud=xz4`T~l7y+9AUH((g(lOWfDZ9GiKHKJt74V6uZs
zem3dx6;Nt|;o$a3q~*9G^k)tB^-S5m+(1QDKSZGUhx1X%A0?j+sM?TzGPAf_#2Cj{
z#P;+?A?;$DK8*p4RIxoX^e8w6wdn^sh+LEZh+GynKNl{s9GypkhKe1B!|shL@$1(O
zL-QL`oH?2<%01>ibNK1?ZoZ%f3}CyxsgJb<CK)ooI<*bA^YYI*_GA(qtdhqED9Ba@
z=hNNEEEq|Q11?}W$mVC7jsZ$<&bw(&!<zD*tOORCEA`b?+U|7Cp{i)<UmuR6pDk9r
zx72TNIkpNu9IEVr6lDu6;VuE(t2*^-O|YMzUEk!SUpZzIZ7_9Gq@uA>UG3shPaq$4
z<1;2^Mu7E)D)=SPbBrXNly4P1MV0x?lDJbfu9}fjHLSQnZdW_$HGbwa?=utLsX@Va
zUlhR}&`43OIV2Z6rWJLBDd01EU9}e!6VxuMKvin^&jbS?C-i5yrbBc5xnSY`!H>I{
zLabj&0YQ2hMMrN)PeL1>J=4{1Z*}%E&Ae!A->K9M>pOdG{CQ@kg?*FaxrrU_u8k>o
zLpt{yCyO6+nEtDCTvTij$fJ}<ZnI9UJ4Qs`n6Zo}`KOcQq?G3!D%-r0`>m%3(t2Ry
zlyUO?LO6;RRz*j0M>6%#tZIuOc|C9!+$uvP?5pC?{5r?tiRD%)m<wmqkG3KH&95Fc
zrxt@dQ(i|xtKFp+6);ay6adkbN|r_o_<JE|F!If$vrd3`izvkv8_)mt_NQeiG&F*A
z>!({VQklROSh0(!V1Sv2n?|u3Vy{(=QLpx@>w<V8HGZBZGcTM*PMkQJAs6dY$JZTC
z6yX;>a!lQ#smOfBVK8M>%3MROXFfmEF6`YS{=EA;sctoweHRvE!0yn1ELrwN->T=0
z3qBJlD}YO~E4TcoAnPCg`CMWK49T!^%e4g+aRopO5b-<n?(iSOYi<+kPT$W%8O**V
zLqIy*)t4<_`@f_dC@Z*Da!V1V%C`Ke+%La*v3H{1tVnt8x-R=9%Gu@})0u@~s#0{i
z>;O|P$T?rqFC&U|-duyz(AjM1iVFD9gOTcJ#HNd5$xVxWy%=QQG|#={KV6uS?r=7c
zc}WyapmeeMSfjOR!PMZkA$Uw%nozsIhCnLYEyw-%3_4m*Jc&5(8}n46<x27lJh@eQ
zR!dw<2C&a!pSPc2f6Z35R}9sVD<h34o?JWW?QB?>4p^Q!-+7*TdnuZc@!Y80(x>R+
z+ock_Rj@Cg9jx|~iJ~{^@p9+3gsG#W25qOvL?d7b>NKemnhfXcw8o#-<jkeN>ePrT
z+nzeA%ITMNyC<<v=u6HE$;101Zc4g0puL#$!>;s8n!(OuWJ8&kzd49J$;6_FDI(KJ
zlOJ#;a=Yx+W^oPdsckr-Id?SqA>(Gu8eQsW*VRDc##y>@E0_~-WKe#S)5t2+JR2(L
zfXlDSx;=K?|Egkso$g3a9puBzijv)vOTqWbb$lHEi1HmvQHPL?E|dMgCiyN+8OiIH
zZjL8&-%pQ~xxZ_P3JxwekzYwlP9F703jy8p!1S=h+d7@3f$h_c9*91T+qZ0|->Rs$
zYRHpy@4G$3P`X*Q;*EuVpvoU*A}TWQ-PUs~^$jsw=J{#r#W|WgcwYj5Fj5K;W@2$u
zpWVL0LokSX(^P4G)Y2kTW@?YUb;pz`m!Mfw(#cz3t)8DhZd@R69fw;ZrDQkO*3=NJ
zgp~Z94XevXU_aN3rD}e-OhQbO8FnF4bNKi@{We0(%mIoc8CRfGOg(N)-&%ecCp5$3
z4x_z6kQ}ZoTz4#)(0Y2K7%=<s9AcmHaynHrg5EwhPc3W~h%7Uylu)oaqodL@<n7uX
z{P3yK`VINbIZ1@o2ZZ2I=m`iwLOG$mZ_uw#*<nmms~p_x`{^UfW+bCcmVa^G!8_aS
zVMhMjs#6^O9DIwvISwm@9yh{QX3zuuN-^=n@cu3~zvR*%)H`-*H17|v2z>Q>YjDk*
z{ZbRem#1Eo_+XdoNjOYMk*RW%1xmhht!#axfJ83t)x&6?8?U8irn!1NlgF*^Db*$|
zg{C5`>2b~!BoX;W)4sUFUps>sqV&_cF@DslC`ne_)A8Qbi>Vj$IUbytlk_hIw37dd
zF!v=3VEfJYgeoJyr<Ea>c}J<`?<snK#c?}`W1W4<lYde<LDQd-2Cl>5BH7wllVGl7
zSFOynp*poI1)YK}@2Zp*@7+$S=~?w<*cv+O>XyQumo(X<ch3;au9i+r55+oWW~MfI
zESC}r8ZxH95?eu)SpPZbRX~93pKuyt1AaVMEi6|f%t%n2-#j0FB1wDXP{#3m;w>4G
z{g7XT+1m(#hH>@*M}$ZSKP-;6_u7nl2CB(TH$Iv6eUbegz#-nssY&(qe?_mGO}^H+
zLWD#D>25njWUTf9rWb`fa?31?AfhBq_bFaMQ9dzc9@YUL@oW4K6q!25c#!Qsek7>N
zi3X(VMYx}~Pq{cA{jRt*FTVV^ljmkv`YP6`_}bj_{M2HHHrbI(-tu>un(2$laoMz_
zp;dc1>8&P^zB0%|>+lpw|0VXSke7fB=v4J;pN&yN^m)a0{_X<}$<K~h^!kW?JGJ$M
z{CVIR_%u^2hKTM@VQ5S<&yC{5CQx)8tX}rH3d$BIO@r~Xx*8H!IB~L4-87@{m#tW!
z#EB{D0&-t2-R2`4GOGbUxdoH}UVr#cOVZcxOyaHyJ8+*u!l2Ugx9Z3oF?sX5DA&`^
z=8vxw18TL8itpaR7UWd@r*-A~mZ9frZg`HuxJtElUAEXOrZc8C)z)>MrON>F!nf<p
zP@(gS35R}b)E$pzD<JqN81lYCrfwt3YS_Ld8Q)&IG}rttL%H^x&DS)O4AYAxy>3wF
z8rhx?y7eL3jHeEO9)@<4o~YcmFk;{7Ll0eB)-g5N!NF1k>l|YH1$<)N)21AlgnFy&
zG@H!{4FUv$Pa&76^TO;WkZtQ@Q(Nq^0n2ikIaF7c7!5hN#YuLXvS^HKce*f)Rehq6
zr|;6xob~VxA-G)P#ODgZhwAd8@+6cX{U@OQ;9kR*_flYbbUBPJS}7(EUc0;~HZkeg
z+}HmdhA@5fwNk-1((^IaHR=AMzCvPYulO#kb;6GYA}%)Nc?fmA@<$%`L{_`MBIqLz
zd-!@}3qM$lG<rW}Rt<>>k3W+5en<DJu6$EZrlH+nf|kc{@UvSWjgcaLJVmfDdwkF<
ztD;yMuxj@gG@3>qGXxL3M`%pVJU0Pv<;|vbg-Fcx6}>4OByY>RQZP{%?A7PW5_hgR
zOkOt>)heHeP2Nn7kSK{Jm;Mx^OK&h=gkAweRSr}&_B%A<CqOSf_RSB^&;Fslm_~(k
zqV_WdXM+<C12|%<AgBX&q844)eIuRdFEd;KHSG}&-g2u}YV%tV+8=IZ*Dz<!xOin%
z_7>j8#Bl0oh`O?lH#oFpS<p~fSB;PE9U5m2&I&!uN@B`Tt7s)urAX=>d*(w&?pd2~
zqCg`pOVZry*?WI0_F(Xh_g`(oEmIQTr1L1`I2z*ukuTXd=t!zSE8(EO@?^=cRy7p&
zI*!|8$LVYXb+vs)w0SJXC_ScU2TBVVLA-Qx{<SZyH#ki2KtFmx80?r;Gt3U13bA5k
zk1>p^cw&rL@9ej|GAh^8sz+%t&&SQaArAtjh-M%)1L*Nr)s5thVmZ<g>92?NVqlk=
zqYWQ#{&B;twX>z};%s8vG^7U8w-N264!EBn`PhS}+j8LUmK5!ZBW=@s!tDbpp`wFp
z?lp-Qup^O#VA;r2m+0Fuvf?*HRRa9yaYyOT33uo^RGp4&u2D_CGEd~bQ2FIh)j?N^
zX_#~jk+9a5{~*rMZ&k0p{@B4<8=C<}akgB(^F^QY#c`QG1vO;XXHs`QWR06zsmkE`
z<g3^60uGK<dRC`7O1Yq{=h5@1t3%@~(_FlA=ykd`!wKkF;G;qnM>P)-2O{yp2-jjb
zrXyfR{hQP%Q|-i=Nl7Q+FsnKN>zD<_{7WAhcXD|fJ-RK}wqg&FEvlNQi|9PGz{a|7
z*bt&vl(qnN90pUd#~k-O<C!fs44r;glZp~{bd;-!f22fEa*GS7_Tts!Rri4!zqjp>
zFYh13g55H+83m!m$McgG7DlhFF-m*-0?g718+Whbs3<a@ClMLH2ediFxai64fPcD+
zzkS_s>Zqch#=a{pw9>TtY{f4wkN4k{en)m*n048cLYOn|hJKylp{Fr|;WK-ngK&Eb
zY6_txxIsbnm|v76&VDQ#@?gO*TJRvw_Vke>PtD$m_&5Z7=AN_xkmR$PHjK0I;MN)O
z3hH4rvH38KU|&}$ZT+oWoHBQtR`-Y4(zr(3%Y#iW;y1W{$f>@T2bCI?+I6l^4`n@A
zX7ibVk<oh|;Z6=I4Z!D0zt_}mkD(8(jw_p<*gI`L<JeU+Y3y_LNd)f|jfYt!hYd-1
zrQaOR8?OKp2sOry&^G)jO^w`%3HoY>sCcCQXw6(h%}LYFRm0J9Yd<qI=4-7Zctn)$
z`UGBHvznA21i6?U3LW^(!OxUTH)}T$CK96XUWyi4)*wO8#_3D}r;Dju9qK<iRIY5)
zt0R+N?yqNDj$E60u&6$Ky6@=d{Ak<zpdL9b0V_{=TwDRv+b>vEC^5Dc(YSlV2qd%K
zqzL=LFm4qSS__q;KWkCn30LU@x8wM!eI+aWlcOIaW@cJPXMg3S!`CIF=bn5hDe2;k
z7mV1}?d9sh1HipYhS}j|!f`+bz<@<OXLHw#Dw-A_ZsLmL!|I(2(UiaP1HICDSgHNx
zomb|Ie$$g#6brG4^vJf2S4FMl+yMp{2xdP^AG`A%ciq-{Sr5;`RA=P4(vUSD1!UIf
z4B3QaZ~2mf>t)7yM~YM|LPoO6n>t`J1<5hBjlRF|?)^JeNdIY+8`%Ymf+9^z3Y*LH
ziPKy=_ujjBJb4)WhL1zRinrnb5WW^5j#pOU4in|4AlG^Ws9wXmRj@ZgU^0*9b8Yc=
z0wW5F3)J^j=|h55IC<L(=?`g3cT9(S7L1!Nvo6zf0DJd=b};P(P`wPAI9z{Ybp6I-
ziRSEVL?Vhk4NIIbiiX$RBKJY|OwEydCOfP1_voC|1Y=gN_EEZi*Q8=It2|-OM0DJ~
zGGh0%(&Gq{R0_YYo+}sM=L@zkZnS7Y$}l~s?>aZ>H!uiMR?-vp*=`~O6W2O!l-60;
z(FTuU2rv}Gw}Ki#c*eey-fs&A*5jWrUsm7IuL|v&;T};HO8`it5+SsvEN&V=W}+F+
zzZ}!Z^I5z_{JtYnx@+gKbK>)vJBfGTo!mK5MSM|Nvdf-^%9PH&>OHhY!Y@NZPY7N+
zPH(9*zXto5P*$D<DJ*r|y>DiZ@<f=?Q8`Q@iq^&(O~VjYM(*<BWgnmUZnd;Ug9@2m
zp(>H4kFz4~GO_71m~_xAMvNPAV{YTSSZ5ME<L2P@>bZSrRezxf)H%|Fqvel(d0VR2
z_N9`q{X8pvEm_7>b<>^6o7M?F%CsT&LE2`7YFOD=jXb(Ov4~dmVjHTj$DV2!mq_tW
zzmAnVgzmsTA2?vY9$aeuel&gm;K8`FyW8>?J$vkxrppL~yvo&KN3I^fACtz^$sObM
zQOIC*cKqs=aT{1n1<A|)CaOS(!Jx&`4YMp6lQEckk_vxPTj-AG@y?dswEON#vtK?O
zzRTa;h6&YNqJgTdQIu|SjReNa35Y0DxF0pV27w-GzqTGbwX+-k^ESur`jfv7ya+u^
z<tnBKShDJ|(Bja+@lZ~bQ9a#cb{TynPUso{JUv+HlK|FwByI{NFIYc0ysP7x`bia_
z+>eD3xw)p6(4<0oG56XO2I&@3T#)Qw%^s<|B=0SL|G8q%3H~#IFZS#Fa<s}>E7>$I
zQV(hVZUu2lZ$V(b|BT%oohx8vVOT$n*mz+wlzU{Qn+krTtf?WLS{o`hx=s8D*7wwS
z(Crm=_e~g&zZy#APWvAmQP^(ZwkJ=n=(mF?cR~B;{GfPa5-5VeA9?`rGM?eN1ko0z
zJI_w|J$l-wzzqv5y*#RXZKjJc53Uw>xSl?HX2yPv2BXV@nUQ#R0z*DspPlS9(yv)r
zB)0g@dAU!O8x^9Zl-+-2G29TT;KE*dhCrEwJQ<4|9I?rOLugI(01`{*R?RS0hZd8-
z<29KbS%~?rbf2u2?)lECBQ^HW=GQCCzHlgB?n&$x5CYGZUlJ1uJ?H79K&b&35k-;P
z^;m{HM%(}~|HDQ@(#n6qpiNfO66imN5&}b@tmo<%{|}~g{`Zz9h=FHR-1sc_S~pP<
zc@NNMlzM(zq8a<{Szf+77WU<?=F9op0-7%F=cpYam;bwNG$1um6vxxg5g*9J-^j_h
zT^(;Qf3H_O!|&iJ`1$xtUU^iclg^S4s;Z8hmct%S?-;F%L}-zgplkR2JGRNyrzcy@
zrf>INJ=67xV=t2n!bt-peMvl25WDN7FaXVaj;=WYiC#HOCCZN=P~=vxql`)Tr0%Oj
zt?SOIG7T~#d;7i}rxGT^*al_*`H&%^0%P$NS@jluY`jVU`uLyzWcl3y$YJ-i#$LLM
zKpF@ShB*%4_d=SjDEco$#o=l#L3#;5=M^wuSO-;><y8Gb63?e-5)}E=pbWWApG=pz
zk+HfM<lK}A0E+g%2ck*8+2q5kI<9FSrj!?<SCUz2#)D)j95%xllzhU#amwpe*YW(>
z{ifFsj;ZG7ZPdA>F6ds{wP<or2R=j0JHI({+yM~>-P{;x<fin}ONrd=W;_T(N>LQD
z0-?;!ln?{1*ZS<~6x{I7b_oW-RrvXw7FS5=w5B2n0_c*RO~zEZal?fxV--%5CKbtj
z(RaAwYF<1_IY0YCFK|D`BGUz>PzO$zR^@RRoX9q2B~y9W;V4c3K+#nO`po8k{SO<o
zjVjfc1f+q4a(X;hPkU1X>~Te7tI9#e{7tEhuUKroF~p-ns6u!#QNU-P&GQE@j_vn_
zN^V1?7N;tm&`a2^5Mgq_rd{2pT~#!@n-2Jd-W~`Cz>VBApyMpB(P4**!wTf|eq0e1
zp{zasRPE8J=)D-AuwL=u*tz7ZXTIifh}Mw(zc2yZIq?9S6a-_ZO%3)b5ubGdgMLPj
zWQW7?iU7qg1!#Q#q;j*4Q$y|Qesjn}zNwPE32k=g77O4*iiM~HKl%sTH|y_Me7${M
zp^JlAa!iXux*i%pD+dC=F%h_v)bO1*Xho(f_3(ySC55#cZJl7A&OG4p;gCZ1Ly5HG
z0`%yyXvHR(QKgLTN%_(0p>^8fwQ?q*+l$bx8aizN`VU7_3VyRE%)AFXtT?CkMq;S5
zn)YhOqS(XrQdxuv?t!%KL*ClCny7>O^%9~q0r=EtOt8jLuj_8a%A)*rm!^6HYug1M
z5p%i6`vRU@S&0DfiR8E3NfRyFlp}Pvu-Wg2QnKe3q1Tvgx99Z~Noio}0P~CmrvjEv
zJ(K@9vYKV90l-3~_yf~A>_PHP90L)=Rr)L!EGBM%jp=<pr2<wjC+E-kE|@*`Sb$FM
zO|q^Hf``b;>FWZOO<TJw<Q<uvtEs@A7$Ax5@sXG{Ft#<oPvAtggSO;5cD)EpG{z_w
zCBH79InEXUMIo1LVm3$dyY~7_CFH5!9N#bk3#G`-+UASVH^5ID7V-bdXf4fq7~une
zZN`86z<8S<N`aVvd_)4>fqenkR8Gph*1tIxpg~r=zBuBuKIDJ+Qw@F0OWEPf26ozi
z|4w=T@Ged%x+0i*hhN~oJVER)FSAu5yAaa)6WHGWusA*b@omNn%=Q1CuRoXS-}Cif
z_sZYv>%Sf3fA7ct|D9j`JVZjQ0#ky*xIN_ka6G?$Xp0eSXs3AKp6q~#*X!a-2V#Nf
zt1UE&Zl?}o?$Kj_3Y!7&@2)!X@eWmfiVtA($7lTJ(8h@aCvWI)4j^lBOs(DQtS!BX
zNNdWUx`ojPc!)dvi7JhUKb&?lnArFDyo{j4^&`uU)4Zzw5C79omjkALJy1F_qy&zc
zJDgGCxctm^J?UtzE(GBmccFHqazm2#tz@A*@7`fU6@2yik!nyhhznunoV(Jv7RuMy
z)RaBeI$e<ZkeYvi_hpU!PHbD?y*p2?X4;_5?>M_Y(lQlb3ny3r<UlPd@G0jY0(zK~
z0fZ&1z?t4h`ORTL>2IJ!&Z#e}S1JU6CIWny)$Znu($IYcU+;gAy7@3(P0sa6>6PrX
zxkxeqnN1MdDpqEs6M!;!Vofq2L!Z)FRL<!V7tr)o0lIkUgG1KlAt!E4p`T1)h8Gh=
z?av}In(Q$=-|gw8R*|}cs0WmIOg_@{M;}b_>tnH+sXLBBXI)?_p=(f%Pg1vrxvec%
zO5RD1kmlSnOpMs%^Z--Z!fHsk>;z<yZEUln2zLJB2ejG6S|_El-xne-v(SDlHM5tB
zXebnSk)A6H&DA}gn5$I2KldYtERa{n2VtN76OtL!Vqx$UGQ1SXpWEKH;#=>Hx!SGm
z>3p&FH^=fkK!lVyODvXh<%8+6^?UG?c)AVy%?3FHs8=B!U}jyZ)1e`zFy$AiKY1=j
z>@}*o`RAK01L^9jrZLUH@>Na|9_X(}mmOCu+Nl)=-}7=T20Oq1h}IwB)9KKbuAtaN
zs4BYO&sb~pPKGFwe@qE7KRVxDpR(k?ZY9HU#^<wYiqpk@t<1dpf;K6I1wqMGG1i`p
zu__xAEukMDiH~Gl`9jncH;POdftf{2HPM3K9Cw0Ak?ehKfUSh=Z;pt$5&TjD;@)qL
z&)1Rk1^;Y8>N!-brdrX;-V=hy@V2qXhNA2D?!^xANWIC=mwMhly(v*&I!fw6$uA_0
z)YnM$3FIUY!IL`eGb-OmBYr?<C;Lj$m|G%m??=z4*Ik~+wHPX;yo<0td)^N%Mt7J2
z7^=CqNCc+vvKTYX9)AGnW8M7CQJ)PAtYC+)hiT2KWs5L{sNuA*GB45d*paO$iH6bp
zI+WT{jDD{Ed4;$T#klIhiHMsHAvt+H`+sxzxm7IMEUa`vl^lVRrf<${Pf}D7(756f
z0d<idvUQPK#5%(bv}9)q2EfxA*SAmtp6WDou_sME8x<ImhxH*$-SSN`c|3GJk>AR~
zh+ofU-;1745@A4M1p8)S5mN~!gd99ig|Sa=C9sWwDoia7wDcAZl=z4D^nY_mjhj)$
zNQ6lC8U38PD1Yv?ZK`wy^uu!3mn3kt(~mQsIyU8@KW^=29M?#6lsax$S};b?kb&8&
zu!PoyH4tpOQr0pic@2(_MS8J<Kc`)Ly8=4O^#2J~NI3Dl>buib1=j;f7wUaK2%d78
z+psqK>(3~UrvnNAsjF>x+KCb57BuCV7(Y(I19Sj)ZYA_0RrSZ1x@dfi)X29<lR)tZ
ze_c*q+07<?*L~&>l7g&)YZsl(VRxK=bF}%afVcF4IOkar5Ysn-?yY6aj@s$qW*z_<
z!SUu47%h>K))g~tH_)~t^i@4IazT}yf%Z__6U}*&6tP)wt?pZ!+B=3M=lR>Q&QH(2
zd#F)TXF8P|>JD7(PIeU|2Sxt`0AB!?C~6OgSih~jCqdu^QMkm|HylTwjf?U534^0+
zamSK=bHLtg_%--{e1d(W9c)k#FOd9oY9ZF};>m)#a}yjd3>=D^0OJ|SDMk`(@EW)7
za{${=bEQ`|+s6G1PvZ5>`A$Us<MZ|ZX-W&mn6B<0;9>g1?vYkWa}G%c=ouh}y`e6)
zGeYmzV*It}X@i6EcfSaJDltAKZygWpNAO=}%rXF6JChR#l~kl4N$F)J=F#@L!W??n
zUElF(&%ToX^bKKN2rm(SuhOj7Wf9-MXfGd8Q*W4hYz|s^XTfkv{L+PYoB0o4+7$ch
zqOB7)okz7qyZV5DD*t9~fb3PaO$NHLWJCXu#|~Zm7%C@tOkv9R$~jtHQ06DYwliv-
zQ>JGhy^t8i|KqDVj`CUKVzV8+pW*??B8_!=BU+4pgd6aB%KPWje%jnPg{$jd`Tcl(
zKUDnOizK5%iocsdWm<l7ME9O+hw_~L5HHB_D6D4aUe6Co&#fbGZ(**`A*6FWMEzJr
z|2}2l6?FZBJwzmf2HH;s+f_k(EH`SfBLy$%GKb!huS*=<59EP_^Jb0Bj*e#k%OfFz
z1hoOX!{-g3GVJMKhTenP^zuY*ZaBu0LaO&Y_DjGF|H3HLJnZ~q?400@89J0<R@aI;
zJn5khZiU6ASzpur>boj13{i_~=*`-(NxL#2qi~aOVe(SmaSqW6-Q#ldiZ4r>ssIe(
zFXyM&U*@!YCHls_2mkqUYs~%kR*(&f`I!E`2=Q$6$%ZN>LaaJGcI@(5XD~M$Z%tXd
zoBvZ;6ouSxFu|5N@!2QS$7x$v*<GMfw0S_0!cDeOZi5|tuoM)~3XT)tw+rHpHnCnY
zv7@#;CSV&H>yrXa4HxwvA3pq)L-^krbz%8>w|QmdKP_tWf8Js19}9XSo&V*z;3jt!
zp9XgC|N9k^@6nVgS<*g1t-(You!Y&9JYd@&!hewPbilxy!S4+ZHr!ULOT58I5H!tv
zD!+VD*4*%yVoPbcO~vQw(5cCSj_O2AD=7M@O0<=WvApkKk~ZbXyo>+*=`~1is1Uq-
z3aDIOVr>hY5Fl0#*06-Wxr{;RkTiPh*HqC)U`6rURm&Ss6z@Fk67i@lJzi4i)0~yD
zd|Y-uzR?@KNoI$vVJbx%AyxRVKu`t16u`d{Vs#eeGB2|Vl)aT6URwvQ*0I|Or>4Rc
zgym1Nb2L46&3~0dbm~1d&<2Xazn*>TAB!OCW{S1{`rLN2CE3G$RQr~3JJDhaY7UA{
zA?iq`Yccl}N#uuZuA^CB?-!kScaCd2KYxacy9FP^587X@JU^%{z#a_fE54|Z*RFkW
zR8#LGk7OX^BiK|Nbh$fL&iiWSiQpPuJ-H{`R&M{=aiD*ZQ$+c%hvh$)5di>T^6FpS
ztpMEkAAfsn{B=b>D*Qdd|G~HO&$IXMIsEs^*}vD}fADGldoTa{mG1v@+NgnQ7jyh!
zl2D*}i<sao?#R5+GRF?G$^Oo~IaJ*%3q|92m_c=Qb-K~Axuff+#dXgf|KKnSTpYPl
zwhr<7Dz%L_%pxgOPe4nl>~CUpb)e}zU(!M^CD|v4GNneC@*kL2>1lbrr7PBxS$*r(
zl}<+>&*MJXBP#h_!zIjj^aaoFhb))Knj2e&*)#!-qL2Ik%$UXlH<_+l09bgG1sEh5
ze?TWp_OeZ!N$#xZ^dfeW@dGFI=17yFvUMft_?a1k^>BWw?b(ZZxwQSZZ)Q0T8*0g8
zMsad*Ztzff84RmS6rK|Pp3NB(xIvzehJWXC@prqB^78zvOSd|F<~}x7yBmh&kI$rE
zYa5~YJDYELvcB#z=8D?M0Yo(>kJ#s+)bKJxVsfB6(NW%F+}siuR^({n3JZi6q@)O4
zmwfw1&?u)(R6ybtE0_6*r2O5cQ&jU49ZXUdgh$MXy`C(JUN6(sC7sjhaKDACYkVcI
zu@F4rt#sNo-njJ<_kuC)K+OS#*NpKt<SS&AO-mD64|x=>KMM<Y8&e>d;*<4<wo3VN
zH3-<N`)7*b83$x1?!Qd5#~;}Oy%MV$O9(8Y?;jxAyxd~le&pj1CDO}OzIeMF7YNS3
zpmXipVFQ^1e1mpHTDGHXcNw5a(CyHjoYZA31L1xAalS<2+Hz~gc#1A^R`J@lnXOdM
z*jVjqx^gE@5{?Ais>Rl*(m9220*R2I%ocCU_ZWLmPYYC;obDih^|Ala^33N(f=N8d
z@D-MJ`&6;a`u(8xyq`d*NVaSkaVJhwm}ESk4myYkrX!*5F1YJBY7xyKone@6k0fg>
zJ#I?gi5;kP{pzN7&*)`BwI+xHrahsgMPd!}J)L;yVuhaCmn}^~dxnjNh;`$9g70-l
zya2BB*Y;xv9#&}ec>**P{62&j@yk|-j1gV8VEMAc<V-<aR&CayN;5AjwCm}Q$0c9q
zo}CiB9a9~9+%iAMPE}n_cdF-V>{{~;J2S?lY=OH)jNi02H3@J1Lj;E2X~a9K`ohf4
z(vNAQDRZ>G`0=j2x>(h|`=rA;=pS_Bb~|u_l0P@+3e5*wuCiS1mUy9}v8L9blMbC0
z>HIpb?Gh)rXFnIoj1t@78Afj5W*R^obhBBrR*cB1s4NASK}l;1m8KqhR<g2Zg+sZA
z6sI9CGk5cjZ>}f*)adT@4P30&RzR3i2vG>BbJ-};Ij+4;sF~^JY#lz@R!ra<Pq?+@
z?0)##$vdHEyDE+MfCAkq%P6(#T~jUlH^(aUNwwV>ljA>H2fvh1zZBR$aJi&)3-i?&
z6rKjI)+(%HXiufEzp*mbG>!d>cHM4{?Ial|oTxvNSUF^PR35dBIK{=iOm_8jI`nNz
znP;VOAwHqNcGYev++UuqC=tJU@3h>5*FzjaCea3t?c{?mqle6)wOJT`95lERaA@@R
z3~+rWZ#Ov&N?|QcRj0<%b%-0}BSlOkJ!DQfmVXQ<iA|p4#}GI6!7a|oJkS<PhgD6L
zZSWAvrK+L`X2=r*qRTI$%5Kfe7A24RK{nnH4ykT%!N={!YUxMj7Q={)vs?H#L7k<v
zqeU48fzT;SXXrD(!Cs$homq(90F8Uaad!Bd7?3;QRlWi`QLf43GmAPpFgw*CWV<D(
z68wBv`gz8H8{~2JeV)r#&e%w?y|E*wLi<o$=ulB0raa-Z_VI+)pii-2kJ6keB~;)-
zzE9U;OI2^kn-dqC-Vq<)yu`b&+9k!zv!^b`xTxu(FVn$&=Et6tdtXKzac!MFgm-k7
zE&AzEzg*PT)VM&2JJ6bn7Xr-qP|-ok(O4i+oa;MNLdZ2DyvTFr>WB(Pywmt-IjE*Q
z`-VBj&KA40GhIyux@p&^>U+R#ZWLM(Wn*@r6BTV|7K8OHqKCDCgp~T<dwQZB>^<c;
zy=ZUy4${mkTl^}^lDr|W1MYp6kRAm4!Z9=_y8B%30QV0Fii^pKc7W@tMCzn6Zr0R?
z@SQ5wtyLDhRPyfj!Qh*d^-J<@b3~bNrLB`XhG}iuqRGai8(euvw>>{aSg@aq?TO98
zX^dQ=RqrRohFkqNRWqHvqH~whw-Mjc)XEwh$FpkBnFVQPDWSUc%<FO&hlg=RI)GUH
z-&}A1Z;<l;&yHahU^0VuubD*=X!0w_Jwrvr0K))oXC{m|&PwomH>#>A0*2#t;*HVT
zVCiKEb_-sqqC2+p>&xUI;_&kY*N0`=Uq}6#90TswSKw;vuvOSMAL{F}FH7F<{9Gy_
z_r>-6+gr0?wmV4fYEA}}UvNuH)B~Y*#liD(x4W=X+C{xViO)yd?^ZN@kbA}V2iGya
zQ{g2yv>J**DL0Hv5W8iT1^%wg8Ugl^v-xam?UVFm47{`jIyVrpr<{NdcFm_F=k#Bz
zgs7QkfE$}f$qK4xpU5;;t0gz}Dd-lylTFEdL6`h^Pc>8?u1~Uw2i7Jb3dDt#3JHW3
zFt1bAGua{;mh`T2dg$g?hYtDLV&xRb^Suu|Ik#a2Nm7h!1Ij<&;wJ;}N3k-+D{3}r
zq5>3h$MiM}SNcpd{fVMf$3kPt)Q={<UXwGq2j4Ed6%Uu#U!^Vo=O)8x5SDkGu2Z;Q
zVO{<65A*Xt8qd|{Nu`nsu!Zl>78(_6_$1|hvoH_syVVRUU1eTx37o#(;9VC~^wCl7
zmlVyS4yBR2S!JS_Jy}?-EzYV6RiS^OALwwB9NHHCg0Q6owC!Dmu+N8)9BE-6^h->5
zZGii{`*JE(MZKhdsN@sQAn&cFk6!!kOZ9>HIv?i4VUQQpxf7=W<e>vp2OHaKsN4sh
zIEjX#GQVE6!N(28r7<r4uc+lR>8`&yj11pKS@GRE!96;o#(Ezr%)CoQgr29$v=I)_
z!<-`es_EN`#<y#lu<;WqqaV(E32%3GdCPmmldDZ6vu_SHF+kh^ngjd~R%fIrVqpl~
z^5v((_KN!V2NlcL$>JJSBEDb32f1iH#T@I}g{c=&HAUCum0Xn#8tg4o)2tzd@qM-B
zJy&SYUe_%w;IonjXV%BZ%bU+MYU@&Y_ljPUfmF<?cDte&RpszKn{cdhQ6v0*mw=EK
zAq@7Td^Mv_{l<ludo`KH9%qey8I<JfKUrBH-En=ogQ}8ggX(vsgQCl|Md_k*9in0p
z@=)am$+v4DtZT9_PwO9C(EO5e;F6WzK3|{MaUVzjl4m^@8*-p#!rt&=e~`)#iL<!G
zXhsSi(=9~!3*`L^PnLk8L%SviI+PQ{P9hA6&CUj|r3<K>E$UUW@q47Pp@Y8^FcKPT
zn7)$Rn(vc5eoCL>=YJ+g8+iSjg9ocd+&E_F{t+IjQ-O`VKZ5w8q)dvw)3-J6YWq^~
zplI;v2SPio0~1pnV7@u(Vlff_YBDYUQM&LSOkMw?<z%mJg$velhlb_eT{(EKO!y+N
z^I5*Ol8*%}zd>~RX2_E*&#SqsDMc*A9!M+Lwh%FqhdRnUK+giw%<nW}>3PCB(kVRl
zwshR?`Yd~JSaJU!#Ky*JZ~sesXZp?7zQ*xZIZkV8YpP}yJ*Hb4xmOLH#8gs3&8bqH
zBWNRyP(!0aPSL8GjvBg3(W6pD2_;DdiK(T=gW_lm2^|z6QDt9^^zM7sx-ahSeR0;h
zZ|;lz2kgC{-`acse$Vs$JVSqjlXTQsDXw8YCQH}wI1LD}+Rq97opV`BekyE)gt7dt
zvz@s=R|Intt(VAVdvl&QayWQ_$CQh*{pGaCx2#w4i9UHD{x=htbCyaxN(MQQGN%wQ
z#6MR_TV$aZELiz(G0HOmxS`?=52v<fF5_HKklWk0UKB;Lk<fs*kr`7#Lb(8FJ^{J)
z+Gpy`N42el3=1{>yGXfm8#@QhI4({)6sKq+$X6+=Aso$TU9hCJmih~>;mu;BaI_cE
ztK*xQv;J2K#av$m*r|sHCVnYU_yrOLk|y!iCsN;>#T{)Rn_q0(XDu?wqQ%@NhP&6c
z{G7X}+`q9D(d)%8_yODFW~aQaB~~8tY!DHbKU|s%7L7NFcKM3T`X}CemQarl!{De$
zzw`sk!Lj})2oDY<_B>QsV_#iU&#47u`K8OBgw+l%79A2T;26IZY3T$HAw*Xzm=CJ5
zZwDDY%&DT4B;U-1-K$p}B?bBe=Xse?eq*M7L#bOx>Ky)N%h<{?wSigcU3@;MFJi&Y
ziEr&T=(q!WysBcQDs5@NION?*hxt00wRPsDdvmhHo9G|93U+A6Eg8+)BpOg&ISW^}
zlg+fYVIcuBU`>N5I*k&f1gj~pYme^eveO;bz-CHj3H1BBj)cfcKMB!|%o%U3eo<mN
zEDjVMvy;3UYn=96-U7FVq78I;Y40?=#DZX;(f;x}?={j~Xr3-I>R^K7;MNlmT?aL(
zTKRDmi<q2g-)VgtuC9kvmdVa`=?KFI7az`LVw;3Rg2Oc+I#u`}(1@gw9=VJs>J13P
zT|BzG0@UdDYyuVE__mI;UxB;4=o)q!9WY&rm~aj@T&z5hjCdsS>zp}0!v2d`55PWL
zJh*wgaaElZ<t9Q>&6`B7zQTc*oT{#)V|OiWM_}o<$8-uDZ)P%czLPVbt{2d%#p+)W
zV5~;uWnw##hk$E5f7#ANZF$z?{EExw493Y{f`9KIVKa1_T=Q0Cb+YmwiH`AzNr`48
z%&d**Ua}ZIH?276Ribd}!pM&t`mHk<`<Odk!5HsQH|rjGlr8?u)4Q`m*9)z5`h&7{
zfGT59&C*+qBYqeuoTatv(K<EOYE(<RXAU=u=$oBGvf^VReX2zoIj#&>I8Kj$f}^O@
z5%LS;*Zt}9e%*RAG<^6y=DmWYcOAWimS;<*x%ouIwG2|x#$D0td7f4V3<LHX6`|VQ
zwbI2n;{J<Mq@WJ`_K9$MOv=vpEFoHkyEnEt=dKPcF=MH;LA^6jd0_@N8iPn>%f1Hj
z-FK=;Eqc>$gwRx5BPNdSU|WX`!uH8!RxcR&IRG|%D@B-c1rXTDFmN9Ab7=U2ERqil
zt`B-TUN3NeCgtv!8BzXZ{>GVb>fq;b30rV>a;uUG_j?w;MOAHyi{-vswLLeJ1@A_O
z<@zFt`LapToI{B->B1Fa8fPzsFEfhV|FLkewBiEk>kfBD5r!gw^>E$rJ>hDL7$0%n
z+V0rrcdd>^__Ten3Y}F4(l<&(R-L8Nz^85`SkIdh=DH`Wa4`QG*y#PF0$Ac+GJC#Y
zaOUIc(EyEduR66)Dp~f9E_1!Tyd!~;EU-qNDE`|R8{zUaEI?7HS;2cD9Lr8!K7A;P
zk9Ra}H9_N>xi_LzuE;wLY)q<$b(NF5BWJ8XBhmtQw8)8yIvCfLGES@V5vmK<qtoG!
zi=QrRY>qQ(tK5B$QyuINJGxm*OQGz*V1+qDs2E?X3>A;$1v4j&YE#(y1%)>HEZ@Jf
z0$eH$7@HHcSCl=8M!>HU9kTK;D!s+-=>n((>}~Pqa|yNyHg75Wa0M8PB(A_jN@h51
z^iq-j`&g!8{~%h^b0hY-$lw-xH|S&RBPME-&rY<U=1UJye#E1n0EH{@a$LEbCx#sa
zjsBfwYjYvRZs(lIJvKkEg$w}8uRh-RJzuzzx`*U`x^<sNhu*=He|I><XhW=^@|;P|
z<P_RD!&9y)Y}LBo))S1C<blLP7M)C^II1tI!nO{VTPt|hb|bcHKA!)Jlm+v2;YC^@
zym_)?bFpl~O#D8VQ|)K&Qd~hekyjI*`ROXR7hX-dX*t5|qJT5dFKuJ`c!(}MB31M7
z#6&;~K&$c{dJK*WGK)8usDTqh3((&q4m!STXe!XYP^;}-Xr0=hi!<hUCce}(87AX}
zYJ&thiSmJ(#%+}Qs4<-ES#4fZjoZX*=Gt2}G6|*<QkH%2dF9?chT`}1(|%uc#YaS+
z-#10l$R<EM7!?%yTpHH{;eT=8;)v~@j!l_){m_j4Dr~2u$UDm|Mtn;|TM4XwINH*}
zb+|FXSe4OGU(ZCx<Im>(gv~PD>2A$4{CP(OYO1`lFS?8!nSrICLIu;zm}>*x35!|y
z>Rgb!m(NU(jc`IjOPl+CwO8@{U*{P9zg)iyWR?7S37Bm;>;(`(G7kr{ZT|@wwfIWg
zs;;0v33yCWM7?6UG7iXv=j3>t1%1j@tNWa}Qy`6AP}2fbvS(d^E0h$gb#EjLyc-%k
zN&ZM$=mzY-<ZDkpN20<A6kp{?Ej*HFv*jd7mo~M*&YXhmuR9+4P<S3z308m7glr%Q
zKy2+Uol2JIFsvjuegf5?v)dq8zV#o^%KpY6BcbsftAClV1Z08Lty?mw5*eM%(Qg*}
zU(BJku|R-w8<7Ose1E&g3R*q%?x8Oq`tPA#58Csg6AwD?zwtmIZwK=AAWs+a^PwmQ
zit(Tb7mDxygunu+8<4gGDO-@P2dSEnru$7i2`SqDF10~=K14JAKv59Ofk+m_@xD&}
E1NARS%K!iX

literal 0
HcmV?d00001


From 08e1ba4d0363573fb68b3090204bfd6c4c4aa0d6 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Mon, 14 Oct 2019 15:41:21 -0700
Subject: [PATCH 192/420] Address comments. VSCode is launched from Start menu
 now.

---
 CHANGELOG.md                                  |  23 +++--
 docs/GettingStartedDocs/Windows_vscode.md     |  91 ++++++++++++++----
 docs/GettingStartedDocs/Windows_windbg.md     |   3 +
 .../images/VSCodeCMakeExe.png                 | Bin 0 -> 36690 bytes
 .../images/VSCodeSelectAKit.png               | Bin 0 -> 20323 bytes
 5 files changed, 84 insertions(+), 33 deletions(-)
 create mode 100644 docs/GettingStartedDocs/images/VSCodeCMakeExe.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeSelectAKit.png

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d767ac86e9..0ed878ba82 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,11 +9,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 [Unreleased]
 ------------
-### Added
-
-- Ability to debug ELF enclaves on Windows using
-    - [Visual Studio Code CDB Extension](https://aka.ms/CDBVSCode)
-    - [WinDbg Preview](https://aka.ms/WinDbgPreview)
 
 [v0.7.0-rc1] - 2019-10-08
 -------------------------
@@ -21,12 +16,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - Support Intel DCAP attestation on Windows.
-- Support enclave debugging on Windows with WinDBG/CDB.
-    - The new oedebugrt.dll binary needs to be copied to the app folder to enable this.
 - Support `transition_using_threads` EDL attribute in oeedger8r.
     - This only applies to untrusted functions (ocalls) in this release.
     - Using this attribute allows the ocall to be invoked without incurring the
       performance cost of an enclave context switch.
+- Ability to debug ELF enclaves on Windows using Windbg/CDB
+    - [Visual Studio Code CDB Extension](https://aka.ms/CDBVSCode)
+    - [WinDbg Preview](https://aka.ms/WinDbgPreview)
+    - The new oedebugrt.dll binary needs to be copied to the app folder to enable this.
 
 ### Changed
 
@@ -235,8 +232,10 @@ as listed below.
 
 Initial private preview release, no longer supported.
 
-[Unreleased]: https://github.com/openenclave/openenclave/compare/v0.5.0...HEAD
-[v0.5.0]: https://github.com/openenclave/openenclave/compare/v0.4.1...v0.5.0
-[v0.4.1]: https://github.com/openenclave/openenclave/compare/v0.4.0...v0.4.1
-[v0.4.0]: https://github.com/openenclave/openenclave/compare/v0.1.0...v0.4.0
-[v0.1.0]: https://github.com/openenclave/openenclave/compare/beb546f...v0.1.0
+[Unreleased](https://github.com/openenclave/openenclave/compare/v0.7.x...HEAD)
+[v0.7.0-rc1](https://github.com/openenclave/openenclave/compare/v0.6.0...v0.7.x)
+[v0.6.0](https://github.com/openenclave/openenclave/compare/v0.5.0...v0.6.0)
+[v0.5.0](https://github.com/openenclave/openenclave/compare/v0.4.1...v0.5.0)
+[v0.4.1](https://github.com/openenclave/openenclave/compare/v0.4.0...v0.4.1)
+[v0.4.0](https://github.com/openenclave/openenclave/compare/v0.1.0...v0.4.0)
+[v0.1.0](https://github.com/openenclave/openenclave/compare/beb546f...v0.1.0)
\ No newline at end of file
diff --git a/docs/GettingStartedDocs/Windows_vscode.md b/docs/GettingStartedDocs/Windows_vscode.md
index 57b8648551..09329774e4 100644
--- a/docs/GettingStartedDocs/Windows_vscode.md
+++ b/docs/GettingStartedDocs/Windows_vscode.md
@@ -6,7 +6,6 @@ This document provides a brief overview of how to build and debug Open Enclave a
 
 The latest version of Visual Studio Code can be installed from [https://code.visualstudio.com/](https://code.visualstudio.com/)
 
-
 ## Install VS Code Extensions
 
 Install the following VS Code extensions. Click on an image to navigate to the Visual Studio Code Marketplace page for the extension.
@@ -17,19 +16,33 @@ Install the following VS Code extensions. Click on an image to navigate to the V
 
 [![CDB Extension](images/VSCodeCDBExtension.png)](https://marketplace.visualstudio.com/items?itemName=MicrosoftDebuggingPlatform.vscode-cdb)
 
-## Launch Visual Studio Code
-Open an instance of x64 Native Tools Command Prompt. This ensures that cmake is available in the path.
+## Launch Visual Studio Code and Configure
 
-![x64 Native Tools Command Prompt](images/VSCodeNativeToolsPrompt.png)
+Launch Visual Studio Code from the Windows Start menu.
 
-Change to the directory containing your Open Enclave Application and launch VS Code in the current folder.
+In the Command Palette, type "CMake: Select a Kit" and select the "Visual Studio Build Tools 2019 - amd64".
 
-```cmd
-cd YourApplicationFolder
-code .
-```
+Note that this example uses the tools you get when you download and install the [Visual Studio Build Tools 2019](https://aka.ms/vs/16/release/vs_buildtools.exe) and choose the "C++ build tools" workload. Visual Studio Build Tools 2019 has support for CMake Version 3.15 (CMake ver 3.12 or above is required for building Open Enclave SDK).
+
+![Select a kit](images/VSCodeSelectAKit.png)
+
+Open Workspace Settings by pressing Ctrl+Shift+P and typing "Open Workspace Settings" in the command palette.
+
+![Open Workspace Settings](images/VSCodeOpenWorkspaceSettings.png)
+
+Search for the setting "CMake Path" and change the path to point to the CMake executable you would like to use.
 
-![Launch VS Code](images/VSCodeLaunch.png)
+In this example we are using the CMake executable that comes when you install Visual Studio build tools 2019 and choose the C++ build tools workload(with the C++ CMake Tools for Windows).
+
+![Specify Path to CMake Generator Executable](images/VSCodeCMakeExe.png)
+
+After this is done, Settings.json created in the .vscode folder would contain the following:
+
+```json
+{
+    "cmake.cmakePath": "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\BuildTools\\Common7\\IDE\\CommonExtensions\\Microsoft\\CMake\\CMake\\bin\\cmake.exe"
+}
+```
 
 ## Configure Your Workspace
 
@@ -40,9 +53,20 @@ Open Workspace Settings by pressing Ctrl+Shift+P and typing "Open Workspace Sett
 Search for the setting "CMake Configure Args" and add an item `-DNUGET_PACKAGE_PATH=path-to-openenclave-nuget-packages\prereqs\nuget`.
 Add another item `-DOpenEnclave_DIR=YourOpenEnclaveInstallFolder\lib\openenclave\cmake`
 
-
 ![CMake Configure Args](images/VSCodeCMakeConfigureArgs.png)
 
+For example, if you ran install-windows-prereqs.ps1 with -InstallPath C:\openenclave_prereqs, and you installed the OE SDK nuget package to C:\openenclave, Settings.json would be as below:
+
+```json
+{
+    "cmake.cmakePath": "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\BuildTools\\Common7\\IDE\\CommonExtensions\\Microsoft\\CMake\\CMake\\bin\\cmake.exe",
+    "cmake.configureArgs": [
+        "-DNUGET_PACKAGE_PATH=C:\\openenclave_prereqs\\prereqs\\nuget",
+        "-DOpenEnclave_DIR=C:\\openenclave\\lib\\openenclave\\cmake"
+    ]
+}
+```
+
 Configure your workspace by typing "cmake configure" in the command palette
 
 ![CMake Configure](images/VSCodeCMakeConfigure.png)
@@ -53,7 +77,7 @@ Configuration should successfully complete.
 
 ## Build And Run Your Open Enclave Application
 
-Build the application by pressing Shift+F7 or typing "CMake Build a target" in the command palette, and selecting the "all META" target.
+Build the application by pressing F7 or typing "CMake Build a target" in the command palette, and selecting the "all META" target.
 
 ![Build](images/VSCodeBuild.png)
 
@@ -64,17 +88,20 @@ Run your application by pressing Shift+F7 or typing "CMake Build a target" in th
 ## Configuring Intellisense
 
 Intellisense should work out of the box for files within your workspace. However, Intellisense may not be aware of where to locate the Open Enclave SDK headers.
-Open settings.json (or create one) under the .vscode folder and add entries for "C_Cpp.default.includePath" and "C_Cpp.default.systemIncludePath".
+Open settings.json under the .vscode folder and add entries for "C_Cpp.default.includePath" and "C_Cpp.default.systemIncludePath".
+If you installed the Open Enclave SDK at `C:\openenclave`, the Settings.json would be as below:
 
 ```json
 {
+    "cmake.cmakePath": "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\BuildTools\\Common7\\IDE\\CommonExtensions\\Microsoft\\CMake\\CMake\\bin\\cmake.exe",
     "cmake.configureArgs": [
-        "-DNUGET_PACKAGE_PATH=C:\\OpenEnclaveNugetPackages"
+        "-DNUGET_PACKAGE_PATH=C:\\openenclave_prereqs\\prereqs\\nuget",
+        "-DOpenEnclave_DIR=C:\\openenclave\\lib\\openenclave\\cmake"
     ],
-    "C_Cpp.default.includePath": ["your-openenclave-sdk-install-path\\include"],
+    "C_Cpp.default.includePath": ["C:\\openenclave\\include"],
     "C_Cpp.default.systemIncludePath": [
-        "your-openenclave-sdk-install-path\\include\\openenclave\\3rdparty\\libc",
-        "your-openenclave-sdk-install-path\\include\\openenclave\\3rdparty\\libcxx"
+        "C:\\openenclave\\include\\openenclave\\3rdparty\\libc",
+        "C:\\openenclave\\include\\openenclave\\3rdparty\\libcxx"
     ]
 }
 ```
@@ -89,6 +116,28 @@ Fill in program path, parameters and other values in the configuration.
 
 ![Edit CDB Debug Configuration](images/VSCodeEditDebugConfiguration.png)
 
+Here is an example of launch.json after editing it.
+
+```json
+{
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Launch",
+            "type": "cdb",
+            "request": "launch",
+            "program": "${workspaceRoot}/build/host/helloworld_host.exe",
+            "sourcepath": "${workspaceRoot}",
+            "workingdirectory": "${workspaceRoot}/build",
+            "debugthedebugger": false,
+            "initialbreak": false,
+            "initialcommands": ".sympath \"\"",
+            "args": "enclave/enclave.signed"
+        }
+    ]
+}
+```
+
 Open host.c and add a breakpoint. Start debugging.
 
 ![Host Breakpoint](images/VSCodeHostBreakpoint.png)
@@ -97,7 +146,7 @@ Step over the line that creates the enclave. The Console pane should show that t
 
 ![Stop After Enclave Creation](images/VSCodeStopAfterEnclaveCreation.png)
 
-Note: CDB commands can be executed in the Console Prompt.
+Note: [CDB commands](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/) can be executed in the Console Prompt.
 
 ![Debug Console](images/VSCodeDebugConsole.png)
 
@@ -112,8 +161,8 @@ The VS Code Debugger extension is currently released as an early preview.
 These issues are being worked on and will be fixed in an upcoming update.
 
 - Breakpoints aren't yet completely persisted and restored correctly.
-Therefore it is recommended that you clear all breakpoints and set them again every time the program is launched for debugging.
-- Debugging session is not terminated when the program runs to completion.
-Therefore it is recommended that you stop and start a new debugging session each time.
+Therefore, it is recommended that you clear all breakpoints and set them again every time the program is launched for debugging.
+- The debugging session is not terminated when the program runs to completion.
+Therefore, it is recommended that you stop and start a new debugging session each time.
 - The debug cursor often jumps to the start of the file while debugging within an enclave.
 Stepping again should take the cursor to the correct location.
diff --git a/docs/GettingStartedDocs/Windows_windbg.md b/docs/GettingStartedDocs/Windows_windbg.md
index 7a431bc61b..cef633c884 100644
--- a/docs/GettingStartedDocs/Windows_windbg.md
+++ b/docs/GettingStartedDocs/Windows_windbg.md
@@ -41,6 +41,9 @@ Build your application by running `ninja` and run your application by executing
 
 # Debugging Your Open Enclave Application
 
+Note that to debug an Open Enclave application under windbg, `oedebugrt.dll`(found in `your-open-enclave-install-path\bin`) needs to be in the same folder as the host executable.
+In the samples, this is automatically achieved via a call to the `copy_oedebugrt_target` cmake module. Please see the Helloworld sample's [CMakeLists.txt](../../samples/helloworld/CMakeLists.txt) for an example of how to call `copy_oedebugrt_target`.
+
 Launch `DbgX.Shell` application. Click on `File-> Start debugging -> Launch executable(advanced)` and specify the program name arguments (path to the enclave) and working directory.
 
 ![Launch Executable](images/WinDbgLaunchExecutable.png)
diff --git a/docs/GettingStartedDocs/images/VSCodeCMakeExe.png b/docs/GettingStartedDocs/images/VSCodeCMakeExe.png
new file mode 100644
index 0000000000000000000000000000000000000000..86f58ab1c9ee1c7efb2980cfa058a708b7905b56
GIT binary patch
literal 36690
zcmd43eLU0q|35A{NhOtc2MMRsg^E%f<Z4u>q(bGC<YILsxtNKDjcqA$I*E#?u#rk~
zF_)W*T_`8YFfm&;w&Y@L=4uz%%zm%woX_|3`F$^LpU>~}{p0tC+itek^Z9zd9?!?~
zae2SL?w#>))n2n@jhdR8w%dtc&#9@c6sxJJuV1|i_~u97<Hf+ois*B$N7TwYw~hn<
zXapa2Kdh!!nZ9=M$`8Q*T9GGwqSe&aH>>_uv_jupRZ~mjx&3<hx3~b|fN$y5U?flB
zm(ICwK<f5u|M177IM=wXA^*C6ddmmh7oT_BJoElQQc}~`Prsn<-P!i_Wyj|Yw;@fC
zCe3w_qlPIqU8`(UY-+S>v`p7VTWawl4`@cu9{Z*6M6|WHV5E_=7_+1hSHBIN;`EYA
z`0Q@i^I=XYlG5PwQzTUFh2EvR_bteA4|ljd-r-jA!No%L*}cZH>lE<$xaRgcvFdY2
z*-tA;%a@pa{GTpC4T6;dwA1ye1@saYZMHnYj+F}IUWbdzWA7%S()mW_s_!4accHjS
z)@LnGbtRu$h|pZV&&vZ{Q)fwccB-y9r$09LhVyQD=$>`r_}`{3FAx3KDw)&U*ox($
zYyOMV&);2ZL5z(1bP8-w9Bp8FG>Da?8bkZ+@g@0`i7|Zm(V))KSDl8D_>K(h;_#pz
zdPc7?NICATC_0M^Kl#rBDAQkBK{0UxAwg%#c_z^fw|Jj2mfTr4{yHaFDMByN9-_Gm
zov{s)+Ygtfn|0EKRcUJJm!Rht+i;6*krQ7k2Rj|69JkYzlT%BRkyE6(^-TZRfe-<2
z{BP-eD}~lmzWr&ItW;2xbCJNW52#5J`DEi%Dq=IFPSzR7nAznbyLc=ey*QK-OOX#0
z-IXORFeyut=0ao18!J|O_uoSQVBt7<Bi#@r9*j?+A!pY5Uc831xQ?%DTXI(Nl#csy
zH3u<YF=&k#I-0vACA8XV%%;nje$gEv-qX<%<HbVMKtOzoOWPyz9$c)3`B80&CtB7M
zyLI&QzujOl2Q7joD=4+-c?(a}?2lPK+_lfkl18O53rP#5rl)ngeLUab2qQhNq~Ez@
zH<tmWgtElE05)f$`cUr?!bXOJcii@2|0x7>y4VvL8Yd|MlL`-{|FicEiDcN!2ff&%
z!5d!Js|OrK7_zh&UWaoUG!XAmSzZKWpjzfx(;!Dr1IanUKxh3!_Jp(Sb9#)k7v<md
zr-9H<h=7Z78VagU)|D5KmP%G2IeOoEN2H-h2sfb5^*xB@L+h2xuD!F|*&ZFV<c*ei
zx0*>Dv?c$j;{=~ufE#RFB?t{z4b6s^CKB<%@%0a|mRSPf++j48e2yzuCvx;g_Wh%s
ze?CLwCueyef}zcw3jaHY3hV|OK{yC&LuVi$iT%tH$(t3}Gc?21^q^-F5(JN&uqkh$
zC>2vvs1*T66o%aSmL3MJ=idbF7dLpf`BZ?cd(fImlCJZEP2TPJ>BJn_A5*0<u~@P#
z7qLjqS>bn>XOiyIN$3XV|LJK_K-Pk*!U8pO-#5sIMhW=Hg(#P}O8F;?rpB+g*B&QT
z?fD-MxNnYUcm?&$`y1`mKf-71>Wbb>;cTnm|8qny_PKC5-4u^2#{Uc~?cFygc=`YF
zNdA{k{QuVe{3lG*fAf;CGXI2`4=RgPleJEKDU77IyqL0;D@lw?Q^%HVrl83MSIdb1
ztg>g__6NGc$|M2HwzFpa|D7RdveBW)%W+g+j-}(mC(p?&3qv-N&F0uFe!?!g5&Ts5
z4gLGRhbzdUPKT7h*0cwl>15lR0wF#~6CoXXf=d`-%r2l-9#&l)r9W27Kv*C)L`~HV
zrOg}^04kQfp0bcbfnOp89awe&EbUc@vRcl4<D~u^C>d_q#KYe#?*~+46<R&IoNoe3
zh%3=yfMW+>fsLg&#VvNfZUubhHbL-!(HVmG9YiBWSUFG{*k}R&bPAv4m42`i+46{&
zx--_SCa}Pr1&$Zi4iSSup?#%Dl@F?se;1b1CRF^kUxF4=;p&G5^_K0DWK-4n{SEF$
zS@5g%(&)aR><8&dyzrb6X+&cF6h~hmiy@ZMo}Ou?S*BZe&2es>06V@;4U%;jZiPGp
zW_}q>{k}ooNn9yE%J4UMsrM^0^@#V;hA+p9q=t~D*UBv)O9HN!CprqQJt!OqfN%w7
z!uX-L(VwL%r#9Yi`F&HJlD=pJtA|Hy$88GNYJ@3%dpHXBPYc-a8e-A4olTv;-g;ha
zzp6`9!oE?%F4;x~c`8yHljkyP1(x2DP7Rea<0U5sgq6*`m?}Q}<l*zk{-4JfRY_nB
z;c!ElVR)cJBB<L$xO&cOMT3!Rqm!|owph4X7Jxis3Oz)Z0K*?=wSIq=J8GBi>|J4v
z4K%G`&>nePo10EwtJizEK!nS#*kKE}Zuv!y1<zz-y@CgUrimb0*qPvZ#bXz-RJDli
zD1-0&zay0wBe8ion+x0H`DSOuXiRKd{afrbd(}7|8(ye~DpGe+1g(?cr9MM6n=quT
z$XHPs@!18;eu1Jo4GAG&)nxTo@|l+eq_Ns);)*6iEqI}e>f43Df4=oAbH$xrzA)(T
zuj&v~XFhLS<@EEw-?c0NxZp7(@w;%cRl5ee{QYXxRUt-yE39humo)#gLzbh8ONUn>
zRKp%$c$m0+mzSHb=Bw_oBjg8zvHyQw((E+XZ{;}Mv~s{wwe<Lm!~jFUiYuCDhFVjC
zodiBbWx)$$p9`DGNV$hE8ss>#$J2m3`vkX+Fc8BI5ompdtmcLsuw6dLC4kC2z^_R(
zhJ5w-h#o6QNv7^^3=eaHvA$APF9&xuh;?Gt_4})20vrW(2*#(6eSEatSMr)6TAUti
z4m?8^ls9(D9wdh0NHKBK?=)L~!Um~3#dX@>R@hP&I?96ZijUjVQ;kvcgI0Xx@OBde
z>KpHsPLemY20WJThJ0B{e)JH82nxsA{>-Xky+#%u0iLS++45aAWOp=mVvfQaF&jLa
zXwgS36ige3-nD|wg4Hb=2}hi1VY^=&34J{B%e{xk?~G*byvhW5*-F?4JQ`D{fB=bu
z2x#q=dgd8Ii8uVfbI{O6)n+f<Q;F=63oV*YkL*OecPs!2;xHv*>;9=9)ol+ye@N{`
zyoYL&wdNdy{f|ULXbm=wcVfhD4wzsk*z9o^#w!%^sG0%TUz62skseNgq~Iy6*NhBc
zYO&|?x;asv7kPNZZBxjmvFJwR@Sh4xb>#a<?MC?03q8{HgqI%Li?vRHnh-=H#%xmj
zIbd@UO=>f5b1T>=&clh{Q;si#vGB!)l0bFUf;+F~Gmi`WLtIHLPI=K1dci^&v~E#o
zxS}%E1v}j-oUlGE%7tkyIFOEb!s#)G*&0i9+=!PVxZhFAN|an@s@%`>Yx&HU?Qy&|
zd#YcesULoui9{;L`_}?f<ahQ8wlLtG4O=n|(4-e0b)97*Kp~K<U_(-uzdRpBy4|T?
zMY@FZKHiv$4FVmdZHIMZfrY(XSSRkLZEO;hiL3#05#Jv_MJn=t0%ec5-wM(|)EqW~
zoG6Dy%Mp;~q2Ka7?Ic>#sd%m&FMG2BBU@-k`ex166t1sQq!J+6w!2=;y}qrQ6#aXC
zb`3<Lt)|j%UP@v>H-7mrz7)}1EJE1JZo7LS`2W&DWnOBW|90Q|{q}Un7e@S!B47nI
zTK~<^;6I-x{V#5WtCiB0`kdLb7E2!}D);xYR%J!yJmn%5x{$4$1)l`u(#=wN^<F(W
zMdqzkeesw9xDVCm|Hg(D9!*)V?V7fAJSz{Hs!dWEj}R||u~*eDA02^XoppYFo`aUy
z3vw}b`s+I@#?-&qJ|p!{fcdiCxmXCB0Be%0iX7rF5?fB(Pz74K)Wa`d^W8>V0@Pr=
z`6g6xhS{8{CuZyVt%oYkA7?kG=;)Yw<myv>Mjza2AZ9c?CHQl0etodIZG1b_<tlde
z+A-~6@r}j#87ofd)90FuS4g8UBN`nsoeRr6_+v{u{@i|GnV*3BpD>K`&Frn{U-i2>
zv`sghJtC&$HQWy;BnM}`6K&~a=XXX~oFPbV!%|<(jjFLEu-vckmXF&5Czt&Y>*^{*
zh-R9xQ^V#%zFymGw%O9cT=Hs(*9Y>#vn4eJ`viM}o#ZW`Dq}CXFZ;J@{JjSMEP)LI
zSye7P3dodoQ#Bs(&hE8(r1mSw$G?XXR>d;BI%O>HvW%Fs?B7bMi(P38-=quSIhI+z
zr9~b_+YtiQhPVT|8gnbMZ*A3yTacA#?RrPt3K(Pd1uV8|px7mSOL<t%pZ1cI4so3L
zz=AX#nD2Rq^)*APd>HUXF*~sS&^y885zMsRRP}^)e&;2QhrcnQdcY?UW0Sc}=v#`z
z4r(fDwmDZR0va!$&K%KRVXRoE3Px}4T1l!oTK}z|V~L4Uzs_JjeBe_+^asXICwvxm
zt`Qe=%fog?&f)ty&k9Q*-dv5##sUOoM5RaefMe<2p&mE2w?Xv`s<T&I5<r@IqEc>q
z3ZS?i8SG&Jw?ySHYv%O-kM0tZx$Gb22UAkm5shWO<dFIDR2}qubF&$Ep)F#eUd&>W
zW9sHO@hL@4!jOSkcqblsfRYxVu3-3e9LO@K(_)E%^Cc8n$;^~o^eV*yIew}UHuU2D
z{w)CtzPHX?e>CmO=ysEZkJFv8<mmZYu)H=xQLV}qb-?rQ^^&0pLx#;(n3>cvNw_lD
zS>89DMIZ)+4G6$W*}+W8%mZluCBmEYYsC{vz!X^iZcLVxLA7oBBaad$J&40QEeyzW
zq^Sqs<UTWQaS`BEo4o<AT2`qXHgz@t&DGPi(PCFLy-cU2>0-d*H@#RYuULqkPBL9L
zHxSEJ<+5*my_Z9m?3dPaDmSohHkON=n^x5o0>8kU4LJvh{PQ?ILv!%?v`3@Ldj{rY
zQx->>eYrBm!QB$pMDiSw=M?y5*Ujp7JX!q8;z8o{kco2sg42;nRo*{nM}v1V8jh9y
zo^SdxirAE}_*K(cKiw6#6!6GJxj;js>L#kF$!sVE8K?5~nkEU6ao=>YUm(>vRSHex
zxP0IJ%W2A~?k(FlsB%ve4p0V2_wJ8}Ay$+6lNG@2alR;pgqeOg!#B5{<vC4R7|lsh
z)lnks&|4nau3eh7P)5za0?S_Y$lSlE5{}jpz=^L{)j*P=C{a!`lPs+r1jNB-JV}_&
zjr@2qgc<N|*NII(*IS-;)*w1e)&-h%IWNtmn}8JKo;s>RM2a5q>kmT^UjH^1XVovQ
zH@bBSrd2x^m#r=cp&9N-hqni|e4W4Nnee+G%}_@Slk|G03wH;{Yecoh>Hh4E1&f|D
zQ(-;V_-`FVA3+rs=3rRw`M`W$hYrTdB2_QdijX79g%4@pGFh5VY0lw@U-yiTmw*-g
z$WJ@7bET_XM+K@X&_xd?8G14r+h~nZSvRh7X|C1sy}hV+Z3oGv<EeqeP-jg2?aui(
z%t^s!Z@+`&6-{`S*<v+Il?)XP7^$_57jniABS)9|XecSe9tb^wXyh^D3wCK7o3<^&
z!Mh5*kd21NF&jD7WUa_|Kj_^QZ1|!oVXOy?w*h8x*ff1bR@YKhHYq$}q11&|Ce`?h
zmN04+sJ|;=V^_MdlYR1u+ds*V9N4w>T#DJ8MuRVu1Y0+vLGXL$;j*)aG=0}%E8*<Q
z2~E&+;=w<v^EA$=Pn#%bOw#2KZGRjS6*()$>vY2JT=q0cS#PxE=nPPdvQFlB6TfX9
zGSn2m%h>~sXR}+D>Locb?R#MQhVrA%3CVe`N1R(rIyG4jsX1F~f|PxF<q6KBXSA)n
z%!5@JgjNNy;9>pM_SAcjsws`Wfc#*SIICR{eG{Z*#Ap_|&jkO$=3-}Dq2AatnoSpa
zfeJQm^@I;FPg#&|I!cL^F36VVx~RM83v%a$3}*w3a*>w~JwCiX(F{k7O7Pl+D@(PI
z?{e$j3sfip)z#P-g_0A{jlP_t8+K02*hvEHqJ97=K&sjoM==?jz5?}V)@SwD!d54m
z*5#z2BaVp=Z*07-byMTqkpS(WB#KH@Wg}X*6D-su`lc(=&Da_s^{a-ZTCeJl-U@0t
zs#XLk%Wlv(Cj03NdgeZO>y*YD*i)|T(TbM8ayI!X$|X%Uo1);+Nwz27Pz_hs21u;~
zf8Q#Rua2`ywAG6f6{MMp&aPCXfW!rrrO8pFf84N|BNn^ZiQW<EUB;07V9-;pD&e-<
z_mJnVOGgInM~Mqf@}%~|Pw~*zr)#H31x-1=M7JixE$t>SxYw=`pccDjCCO%sH-is(
zUlI<a14DX8X8zDM^$5?q85TXW04GawO7cjvm?UWVFo=IPozHN)%&Tp&^d8Xq6OxbJ
zi@jU&UgH9JI?d(eWhz8E$3-jk_v-$p%db0`C$;{9-=-JR+&e*$H&P6n{oCp?Zj~(5
z?{p$O*IlEPlJsj<7$vD^s5L#EK+v_RC*?HMzsQaB`wS)-Ij-)7_~XwCHni1m@oXC1
zzOjFj786B9OKXj+wqa~n*1hOl;%#3^a>0T&{n?`<0&~BN-5ovQW8@HhO23F0VGH@P
zpB=o_k>{R)Xmo~!9A(3W@qyd_>M@0GnjTey9+-bH|M=y3Ah<og{iCS<yvJ&SF2BBt
z`Ll~D(frScM^|IlaI{8Y4ql0WG-!z-1`4khDa*3VmOOx=Rp>q@h_>+VPhYo{9CwNT
z0aJ0pW%!in$357cgiPJv!qj%$+SsJUTDVR0@g9S3zkDGd&6RU(rL^EN!RD|dlh#Z>
zEByARs<bl~?}WE}%vtLvd9@$Q9-U0q2q8ORS`!$~iaRqE!egLDcmE^1!GE|aQmteE
z6?w|;9p<a=T&=eFEN-@k7o+Y3^`Jk@OFz-RMqEFl&{0n7wAQ;X5M4m9yP(+B6Fa&@
zqibVVPs;`;wK#vc0fmc_k3il==sBbFUeecJUVkDVyJmdfN)n>(y+_@yrkVOU&`Q!r
zLcgwT-qNXj(u<(Tl8fOz?zRtL@L|zNLc}v^bsOBs1DR|r##%&`Bxb6)o-rMsS@nZp
z^&cc!mu{9;UbVWDk|#2VZ7Zf3u1px;f|c+X6I;gWtK9R$or^q;IKO>$zvcIYR;RTn
zR=(3gMTWPcqMtlHc;Fg2Ax+ZncDQaakGqgpcH_8qF$~FRzighGS9!2y!b~7ooUyv~
zusvrJ@oZg&3wr2*Z5sP>r-7~L!@#<5v!Oq0gio#n{DhUQa{}LPHQXU$@nC-$u1`QM
zRi+~+E~eNb;=FDlgsndU>Av+U#5gZz3!m-c`LuI0tUO}$LI8iH4ROTLlp*2ATSU^<
zip9^Q{d;p8e%e}rY{|C&n4<{;qD)!G{Fs%X_W5dwMwGh!Hp8v#q^Ui`wAGy&Hv&u@
zXIWoi&&{S2qU{A*OB$v9FPuvf0`fHnGkt3WPv-oz%dvy2p!ypQXmu`JkS1g-5?yG9
z>Y1OjN@#whS31)pVfCBbcaMY~O3ysFYAOB91!#|QBG}mhe@bmM)V=^C3<^((c3_Wa
zuP%?N#)e~&5ZrKKGQ9x<suLuVLufZ%Q6|C+#}=X-k2tae7Z<s&)9p<}>d1jz?=Ti}
zD)Fk{4SXUdC~bQprk-l3wRP$kTZDMEUKmZBH+L3gTI@gV3;2~si2*WKElIA}9a$ZF
zKjVXjOhclft!`P+p#4P>3TMAQ=FkQYrvk@|W=Ycu5lVNLu-l{fRer53>4z%%$;(*8
zgLX5pHRKROnck=oXLTokz>Ir;wKxey-cjKVL<)NkcAZj=eNIP-^^e4C8Dn>~Z%2og
zB!^}R8jh(uy|ef3KJ3q6HenjHln}TPn{LyWU0Nc4C6O3XW(<e2xf_WkaPLW=<8!+I
z1&y{1^s^cneaq}?$+YNp<J$S?q^+kSM!21N$4)-3@dh##?5U?bM#ugA4R3slinPVn
zajr+AZr^m8@!!#9`jX}gW?s3FkAv>j7;5{nPW-&ph4O5^&LtvI)0+p^&8+Azp=1yL
zh-_(Z-GP98R~-m3FBx8wh#A3q?D&nDkF-f7laA1$8D|+;ghVpIy#)hXt`CJwS#^aK
z=D9z0)g~uhk4T@oE80>~jQvXKanX^TaP|ohTZvPzaDvCQRkhu2j>;GfS!ELXqo`@`
z9a&#b9T+tnif(k;CUf&dbk9FUXwCTS3NMOKkKItgrgaqs$Ue!6q4hZS%K(n!WqF8i
zv(xt^m-Amua(UWln^`FvI+c~DEqgf?&==z<@S$zt$T@TCDH2~w?>;W|>7Af<p<}xo
zIX7V24`ccVFOH-!_R^;ME~BUFd6>aAGu%Yh)aFKsa?I~*?M<K~l@>79z<eO0+K)bG
z>eJ$d7kc*^<wV~N%pKyG@s#Wc#c97M%4WfJAD*^oVg$Pr5E@I(ZsDiviM&!l??76$
zQ?VbzVl*%9en$0{Ul%@*?j=SSjpj{<^B2qcD2z}!6&(^<DhkLb3ANa2xMU(y!p|QO
zMy!$r4N2N^yo3ikWt^#*;;OAh(g%!V=_U$sr%5Q~ERQg^<yA*sEXPiy+&)x{JdQtw
z<qaLG5|U)qe*uX@*nY}ZfdvG$%|E)sx~P|Z?|-br?yad~d(SS7&Vl!i2hm=l+G0`T
zTR9xBq|kP@Ttc_}5FL>ZPCK@8FyP&x>>2qr!olOCPrmx5-;iH=ZSL$D{A9*aLFcu*
zVmu2v=?g27%t#FLsBD6CoNXf#%Pub@Y;7eieqTiRBd`m-c#6yfXVw%tQHWlh7CnpK
zIvZr2c9haR)CL~~f$|iNK?p5oq`&^882$B55T3eS(Vrmd@C_V(dn|9IETYwmnTU#)
zgIj&)$|CMaY690~*2*78$vQS~ZfOJI6?kFaQW=3`pH<`z<y_3>IacK&gbCBcv^zHl
zfoU<};!iS`CQE8wv@Y0+vX4a{ayMkXPGEc)trZr_yBRdC$TpVZ+B4aN?a=RXm}BO_
zEU_CLl7pzsQ|j$Gg@%<!o5w-U9+%tWC%k3C2lrvsOWa-?`X_;rkO*`{9Rz~7JD@73
z=|$So1g!=62^3u3^V&A1o&6&ayHuwkVC7a67`KQ~gv9%_o|Et^B0g8nv4R6$qgJ`s
z-f!@Puvz8C)E`A>lwbz)!ho?*K=cG!i*}PC*#~DolDlmb7fNZ;cOrV3VtBr?oLv6K
zLBKoV1fu)ypmzu7rP%MHA8g+{q`Zkg<|KQWE0e?#Sjh0t_<?l$w3x-Q+Gnqrn$%L)
z(M;j%T(YPkH2vrq${ZpX2?5I^c-tjC7+xvWa_F=PO!4y&dp}UqD68aHl>I5mWP+bA
ze)|-Kni<aCNL^HaOX&*r#qg3+M&Jt3Q?fv`hwkQ!KPxY%oQ9VUUA7An=2noUXQ|hn
zYn6Srte2@^>0;C>Nq6~^*_f@c)LL##r%$I_6P;MOU;ZJ`>EIPR_G>KS@%!!aT>N=y
zeO9lqOK-%$H;gc9tN1}!lx8a#w^Gz7Iz!n<<2^oB>(qjfjKJvL^WG0=>`Kv7J18${
zMBGXog*#0CiLhHGb|aY=QEF(23Nk({J-%&E3GOf>$ZxZN@5fkZa<?7$r5xINPEeT(
z4@BnW*mHgidS-|RD=iqzSflv7o)}*z@v*#A-M$E62|k3$taR@Pv<@p5EcRA1tBMst
z@^(0TKTOZS7m5w>mWQ`q*jN#ddxF=d!u-4x%zB`0ndxOAcc}F&_4L1*193i#mcWh;
z6l1r;Qq6(2PyUPLWlMF$QDNctvt~XvY?&>p8H%V}O87x`42^Xc9`#KR;?EqCG=#Gc
z;8VB3s;7i8)g};=Miu@btaR!2cnEs@7WkLN_d!Oqg^^~9ZEY7_6^om~(0#MS2xx$^
z7KMu_VH7~hZ(fCm`i0EBG<6!UnJEenT~{rolu-jcej8PEPd*{A|72NEz2sRpel2Sa
zlx~FiLVWm4$gfae@smIobS6Q*q0yQ$ZgH){4XWHtYw&^e{b<U`b@a%)ML<^eGeYJv
zTDK}=I=fxVGEhI-?a!QB0@Lk7T)D-}w2eRy>keJPmpqZd5;DDT_y-LZB)Fh<#10ll
zdV{1Ri$#aRJmTft7pVt(?O~0=r8`yj-j1WN{w&Gq-cR^z9X+KA;gepwi&w*i_;}>G
zV7?M^%vbiU5>#X!?TAythiJsB^=&p)euCLA#>^OVNM1N)&LQ}-U5I?*!5x@^;5UQ7
z5#<5rR{gcmr)Tv_O9tysQiQVWbKBW&VA8>T4O5>5cSh{X5&djSMlbW+F;Xfl6dV>`
z(@O00m0dPr2ZBn%ZGmb|$b*?vcfiJro1X23qVM&BFH7`-+5{E{F-$OCXwd^#5F~&u
zyF%MT<Z_Bq9@r?m=(*{lck2g4TXfWujHe%^tcB;b%IoqKf?_awhJYC9vo#i-az^64
zQG9ZNEwt7+-Mk1j@M92Zi3NKa>nIRiGK~pCc@gl%L$APTw(N1?seRa9JieG!`B_sU
z2&)JMB#&6Eroq_sPi}FIWvp0PU_h{flCQ)=STkSJHqx=IUD3yVoG|n--gB7UwGdr%
z&kjSucq7AgAmBW~Ywm|<VHn!;o~_<|I(#)Fh+I`3K}fR`Jp}m*b59GIzvZ<{O5qK|
zk5BEIBXpj^_e^q$l|k&jY|dhS=h<T<d$RphNb@{jdCy0|9O|?bgpoK6*IO?N7<QdE
zf(&6xZ*nZJ_AhpZfVpC3d<TIAf(K*^7HNB__E*>YVBsAX;Q@kkDGfr|N1Ld{GX!Ru
zGvvp<xiQJRs5EW9;C7Y0aeKTK-bhy=4#>Wq4j<sMzz!B4{TNGO@@k+6e0(U|$lG#1
zar%A4!a~&W$47%*1xJHRog=?CMFLgSD?r{CoVjmh;AL}?Wm&RR@63JhE}=y@p8*!z
z9X<(H>}(OqsCdOO2b>a*I$fqIsNcDtFm>%&Yj_F|=GS*^YWQtvt3#Obov0Ky+7XW<
zrad}%HO=6ZQFJ5pd>-KvF3%HBvxy6*9;kf)Z>^U4vOh$0Kue6EMqW^5D7Tt*&A)f@
zsO<M=5_1BCr5LU>R*K&pvdn@<_q|Y*D)oeQXXk2-0%c!gcL@1g&%;pgQpuPtZs3xI
z@PIY67UJ)Gm)zqzkZsSr-x&fe?+ODG3}M(abMYq~oSkadr$3_<!=KkuN&&kzO`Kz4
zxA+ctX2l~t9^lH@Y1X0^{O7PcEa%-t#=>#jB$bZ3CF#=<r}++WW6TZ0_*Ix2lJc%O
zX<?DD+6XNSzTm@1v`>9CX(Im+&7wDmTI^uqg|=L=PrAsl1{ZycLw@bq#*%q;r`3NH
zU|=w87#Cs?_@>o5+8!G4LO2x;G#)>%o&`#T&5>*f0b)ic6g=mt3f}9D9qVe-lwGZ9
zMh=jH7eG(QeK9JGTQF*8DqlP@nD<S#wqi;Bl`$pqjW<<vs+92q%_kf1DFn%#rG=es
z%0hgqP3j)x8N&WTBR%;e@Rw37zj0u)R6!#L?cdvWP4U8mJ>kF(Y)mbKP`AUX`zL+R
zw}J&TPa%nrGwH2(v@x6{#y`5jtZK+(LEB0Oo^vlan2K|T@)T~)&jjYQ&>Yxin80t=
zk(zmMbb|IXwt!|C80x7W#uZgSWbNb%H0&9q-9ARB9|p%kD)P2^@tKMu)V@>lt#`~t
zUvda6jHJ2?ofa~nN3VZv9Ll}`-T&}Lu!EzAe-L%4TT{*`@j45Fg2VFcvDKp?p=hh}
z%ph)eu(dV5rdWO)T|4<3J0`8z8@$r7yL=A)`&*^7jtQqlLH9SIio!4WGe+w0xDxx=
zQmibmd6s^D=&i7NU{?^V-7Dyw-&KDjFfu?;XnO$@z2u^h&i_^#Y#e6Crs-d&5r_39
zX9%4uSja%`cuFhBCiqial{U+rv_H7xV35T6sE^aA)BOphYER-Ev?P!-rq{8K@Y$N_
zQ)90=9`6Z>0gVs9`Xpb<ZmPwL%w8}?Xkk0O){Js%H!mBB8my&UKUku?gyj`yES<ys
zo|DPT4wd03{~E6zNJqRs0>|I2>9F`x>U&e!<2m|7CecHijrb`}v+bc`tb|_3757fE
z>BL@yBV(!fD7M&_(28g|PdNMe8b1yQ<Nh&!`TkBEi1Rr55x%TJCm)&TD?909WC6SA
zYA0utLA#-IxPc4tzx!9BILiB_r_e&wT-q`InNDf-eq;@<K4Fx+uY~>DWV9}VBJIl|
zypemI#gQYbEZ#&rSr^qnn7vDdjKG|}2)2cwXIFG~)dZLBc%gc<q0@v~oYMY*zI06$
zneDT*xe9un=Ht%|O}FF6j1@6aZ_&~ca<YI}ty3TPO1in`lc1Ub;aLc+(D1wpvat@s
zQ_*>)bI&RE9tidgjuI1b?a9FaM(;w$A`L+*l={kBh>EA7rwr1~y^0`uB)iLYtt*7&
zT6QVSmkyb87CoMM4W$QmMon2~pyDv7CVZ%2jU4Z#O7iiBe60rSNYNtD+Adto|9M(>
ztorl;5YV~$qhvvAL~A@n$HbU=9cV36eXtGQV5H;%81nVCKQ5K0>Q^1w)yCI<D5P7;
zUKpJ_PO5oSV<o)zE};3|$I=Y*;uK~_L|%Sqy;Mfahqd%G)%NBA)f931CcYL!&oA;Y
z!DB<HF5~b+%Hk}w)%A!iZ1p>>5l2QOn9bv(_zZmJ#`2zE{<%&|;kYRzj8cnrEP@z;
zWd;7)^A_=aRJ=M;d&Zo(v{Tp~0D89TWAqR2GTb5Ai71%<7|mn}oA13#n54?qflRuv
zRre8)JYUH+8%YWrZc9-Ag{C_hHc*2bxehHXGHE&d(c|fHT*MJaF!6n08BLTV1#Cd}
z4Q9+?MU5*|{umFn$UAM7jBuDHvMpZiStaYelJ6Wl@B9dh`^qQk9k0nzwQK=Y8&z>k
z&!1k_b8>ZgfgLSu`iFP*+V4V~H;>g@Vo-(N*)XErLl>;?P+_uk%UD<=vHoGz^_2=b
z`Gl(dGxz=Yh)%?50+y?Z8r-j&<m0*;mk57kCSD-M8@^{Z7`O_pf;Pimt2?njfqwft
zkp|E*g~DIj@3^!Fce5?Bx2r`55m#MhY)p#2zd6VUvqqd0!uX879fyB5k{Jwiw%EnM
zc$kl~!~pTV)o2UAQ$Ft}iMt20d?Wf|o@yR`8tJ>zf)%-y9tO0@6s0cM*@TS&{87W1
zvqurE*Xy+8wVrernq^Q(#!O{eOi18z-&neSdAc2L%h1)ZaE`43lt<&`rb8<*weHe;
z&N%!>!Y@6oFXZ*%i#~O!cW>mCKpjCQt<ZrR{gXsd=Yz%9)6okoVc#ib(a!ON<-#+&
z!`ZziC-LD17yY05rEPr|ZcjyoM}N*hkKVh5Z-01hrJ}xq9bJsJH0z?pKM<U5-|mc?
zukSU(b?)lw!O!swe6Y^@7*eN_QpP=c+3cl!q(4`HTQYxs9*bD0&LF<)%V{hovuv-v
z#%D02*t-NgQj39Z;3<khu+WxIK9~-(yU0_TjboR?H=qj?+@3j8=gZEuKNx-%N|4@I
zBPV{m7}IPydQO?dtV~4B9Z09H6N^thB}y2+wE6mvH@?N)=#QG1RR&$~sX*~-&#<f8
z>v*L7W6tcSZ)r<(MLuf4<D~^(l~MZ&#tEH+^cem{el&k{;a~g>^e~Ent3$A`fA(Ul
zp4U*O%@b8?<D$p>A$Z&QT<Kp`n1?ft-X|l-3!^<A_%~F0mKP^r@GV5(rVrz9eo3{U
zEY_4*3$=DDuAZ*Oe+qP3z_ANJ!fu^(@!fEO)3%o;teL0q!t_hdrbUo=elV5=FAj2y
zGPiU#(4&Q9lw3DwW()|^Oj-5qqRdwiBP&U_cl>St)=bpTu%2KRUEwO#6E~waR_qRJ
z%&b0bC@Tc>dzl-Mcx14NrMDMuA>20Tjp)5p5LO<c1LM45=A_491=4Y60h?TcPX}C?
z)FS#MoW-!i+ERr0H`&aUl8d8{?8mct?MFvbU0I9~dnIiBxeH+GM}7VmenODE=2f~(
zM%(%_!Yuj(sk9Ks(xh48eS%>AqlGU#kPm98PR|^SgL|QbJ~oc!%{VrY?!z9GJeJg4
znH;weaT)2HxVIb|0jQUG@q<0TRxqBjWceEK@A0^uGOD25sk}B-=>^*le`(S-78~mP
zD#%LJ0ikNSdYr4u&DiE~A?ll-=Oh60b#g0+XiN=Yi>XqC=}meeD*jxH454llmQzY~
zi*GbC4#`FiJ<2E#Pam-lIFm)T^7MI~DuvmZCJD*(8?`|YN^0RGjs9sYrlmQGjS1pk
z1F>YV_RLq{ECXj#aj|!+ejiQj*;rEEz)zLD8Oo<1a?b^{wgfuiQ`13M@k`S@8^U2E
z%PZ?fckqB|ThIQ$c1y{R$ULjbON3DQ50WrBp7Li^%`0?E`w&r4xIVBgs^yX0HKYTj
zdbBX@5gzd7;f0+?Sp;fGt2Clv{B;lhi6x&0d)hz>^lXfg!!aY`z8>i*v_!eaGAkG)
zdX^DnVEP3$TKc=ck+1ZblJarsbnUbAlmQyOZ0I@x+$+5wk>V;V-G*Kx2?fp_A=<Z<
zibn(n`wz6{V`ZXZDc4wZSwR<64uEJPv?<JLy$k}@?XCylDKD)V4)+FM?l3inb1=F2
zn02+nhZ(g272oV6@rvI=k*pwiXig2z^o;PH-o<P@1Rg)zI~nExt<DlWWszBybY$t!
zi=`K)g`%v3*4biqPJEk>tBLp+);#)~hr&GA!;D3*1h9e%987>ehq-aB-YJIO5yxuS
z1LeJlC=%+VS_xR7Y8?_2?sVM8n;NR%)LpB^g_7WMZ)_3KI3-3o+MyYTY1}w=2UhFP
zZY7TVX*o?aif5-u?4-4+F$V0Pqfg51Q-o2B%6*f&pYI)dG}54;ub@h-yP83CWUlSf
zC2VWE|2~@Zn&eoXti_`wBE_EW-o@)^*h(O-=wi1@Vf4_}Y~f3sbl!EK^{vzTS~P~{
z@Z(3+!7QKFJX9QqeSv?9_vf++m{N(#k@wdhJW|G^7=QljTuG+s*zjNbqpC78Y7pJ6
zGR~*-@h@y@-C3esWTCRb^DJ}b1b9!0=`{ct?iIj;Ff4~4b58O<8~o`on4eHTu6+?2
z>}Y-m6(8**cQ>#E*E)I+&VG>^kQBL>Xcw*K#GmTmnAub-sw0$#C&{P{HRBz}2Chl1
zg7PCq$pfgixIBW$#yT4)lFZmAUxJ2u2*|xi3;|sV<z>RW<hD>yRl9Pq!JReyg~7YO
zKbXR=3~S{uj*b>cebQI*zr?fbN`+o2Ji5>D8mB<O#nFAQnoD2@aqeZ@h-{n85y>yT
zdZG*IuAUC%F;46gTrYOPdRUQk=TKQIVF~=EweENSDdlO0^~OHeoT#ZJg}(;gtF<W#
zsub9>m^PmcvunZuuX!mjH;%6BP0w)gNR7kjmLM#<@$Lheyy0TKn}|@f7dy-||25t%
z9>aV2++KJO3}I&x*e{3?DH0ercwe=S5P!!KpP_r2UP<S{xEDtciW>4}fC9<>_-O2G
zX`!+A)x!!P9Q!Uf@LUEjwb8cITtwVIM@NS8)L}W|Cw4llApb^1jnKbf3S!28`kH^v
zwDpjnii|Ilj0#O?Y`eT#v}kmtqpMSvO4&+B0u16fX{4-L7D_*w?^$~<W<7gh70rj~
zFuAAD-^pfA`mvU(Jmm2*Pm;Z+5G9elKn-N?5!U@Id<3!5bc71<Lm?f{9q0fg%?ENZ
zTd7&iXWXcberhLpkjHzL(V*;Jxc2=J?kP5f=RO>^OP37a8}ZW)6Wo^A!9&^7Gg-Pr
zGRG0|S$S(Igppx}VVeEnXeq53sl+6FP8NzTVwtn{z;T2JKy}MlRp!CwfKu7)&S}`|
z0DXq<n|l-eY5P#V5w)fenPp%xBB>T-2G<{R;1{8@>h}@+RdvNi2%O*LDutY61?4<r
z5*d7(XUwe`(%LWVCAuJYM23C|m^CC*n%O&Y*@Qncd@#CVY$?c25-jAFE_~D<FDfre
zPb~mp34R2wVLZ}_uDDhoN;qtorrV8LGXg_B0=%GC^nvpiS~t=I&4pilMyb73r`a{M
zt;`u(33#rs(+!6!uKb-5^8#OlQuyTZYC-y5a`X=N^XG+^CnU9NWz@<yu+KT^9Hl2~
zRKLoZULvUO?_5DM&|!~1*mu#^`gn)|&}gV>Vd-v-tUBj;5y%JYVHJv1Q~3P?ftw#B
z$5$u1I|EkhG*UYBS1^CCvJ^5)#4Hw3#GmGSvRq{+oofo#r`MDO?ZJs`pwC=AwhE+H
z7PYDMUw^e>hqZo)lD!d8@@6Uqj*V7Dn3)#u8G<|cyz-P5<DswIWvAIONa3A>mXi&_
znA|t5Khi%v<=gYS^^lfmh)=};f@pc6hFvsC7Z4TB-EDOOK>;2o@P%RfO!!rKaCx@f
zNJn-iQxP&}0YQk~A=3P%xcxn@cwa2dw;ZR5|FqaUa|V}IA3MPYg|TD&Jx347H}}O1
zED<dkOr~d-E&B~lSc;4GZ$0HKoDc4G&BMwNe94D8FWa#kNIQGI{IC*+?gq==NJ^yo
z*K(gql$yf2IAKlnrCww>I$4TZ-zy0(A{!f+1iBldVwiT<TeB3uqeYHGkFx;Gnj8Py
z%U2kpx!2UNDEzaDLfZEGBi*+1)v5J<JBb1DS0MiFY-h&Y?crS)hn0&Fzn3p8R2sg6
z*rI<d8=}>cF59LPRKYsydbVHGr}_1hcl83k?Bnj!T)$P{BlpljkhCqhkAhaJC`2=r
z-uw5hHEreX)t{8!JA~|Le0&Gyc-Vnia1D2`3wkZz*+iLL|2U_lJ~+&_6%88wec)g=
z@g2#x)tBYI3IX}$_9B3EI?x}(hOpO2TGLIO_gxm{HlY9{U>R(2+Vl@5%mFAr)xW=Y
zGQy~opd;l^TIV(~d`)-*>Te}M`CK6C&L2_2g*Ke6WfWanuVH_83=pW##BAaN(7Y#e
z8K#~p_)6a;g74veKs1kc6t}uqDEecLDhiIK9EYg@%Y}ZQcTDU4<+E#=_ZEc#61d*x
zVy~j(wHDJYE^Pp27|C(G&aNU4fMT^@8c`+Mnksl`Ne3`ZVUkP*#`&J9(JR*97LR0u
zL7+{g#Yf}HuQaZbA*`_@vIPW-{<TA-5l#1%_t^l|`k@of#Enfh)u)|9OjT$|3D9Fi
zi^p7@5sT|)eon+(&Z|iEGw}Qa+H9RJ+>F3@T{sFC5+cmJ$JiAriwJ}Tec27U5Ec6J
z5>l0<ZW^s0Sppzwd`8H|hgv<>XLxW!R`3rpmY#qwl)MqF=AAGYvw-fV3w1{YfqXh1
z82R`@HULM4nqD#1qG=74o|*@c_Kczk?HLKYEiAt%)t-bGm3J|PMHF)aR6~`0U4j5x
zRs*yyH`FYcCn&zzZ75%;YDik71C3A~TwCZ!v#IK!mk|WP&&*~d?kmc>2+&Q-1A#?C
zYE+<_x{)kjywT{R1OCmnb(=WJi$V>VxN(fo&$M0NBrV3W1$&^a+y55I{{jck`0_yy
zZ0=@QJZE+GG2_8^AHT!<vCZMB;1@f}48ONf+{$-AZgXhAx?Qqec4VXsKR1>J348Bx
zO~kU@L73J9U|WQ<?#_^b<(x(05w$Z!SB%<qvbzCjE_ZJc<PD$f-ZiE;o%s?5WNxas
z>(i5$?p^X{yWIpTbYNI%>|-;xoc#Z=kU5%ik(QETf{LpH5}U>m0LJC*N~-!%0s=TP
zG1ML73H-ljWFBt>s=di77E9gq`?ZZD-EV<gcCHn(D{~T;W~mk?#)z?kK>$lWnRSZg
zr-H>ytMC~`SNw4i|Ex2taN{tvZZLTe&yHYUc;g&5{WX$LFYc)*_m16I;}kRTr2@(&
zN7UDN0TNhAdU;-y%X8$Vy3iT|2L5?8W((Wxjp;2DyQr7Gc->WqeW#{&*d{I&nkdGm
z=g`Wzp?e1pKX-A58+OAnx?=!V@A5o@K(3WsQ-k@q#<z{*$Y;;6&)Eu!GaxFg!FQZf
zda*CCi*LNgdH#8>|Llx7nyoFVR#zmh)Jz7>Wtz9p6EG(eTnf4*)u#RhRt-JYRZs@Y
zhsq8i#A6qlc#nb@JzN#LKn0^O^^E7!QT#909=Hl{v5!yXn>w2Q5^U$)5|$tAugxsQ
z734Jtqi)BuZ4@2@+gzOZ@pl8xd6G^#Pw^f9+2~j3%rofu>A}I<Yxj>a?iIUWE8PF^
zAZf(5tsX25ekRcx5^k2kfdd#o;Npu?$?TcyBC$tQd}2fLyyMgl;fz}Ev7Yr>GdQ$D
zK)X%_B8(qm0kOjCEGZv*;s5N)-_V3e0Ig`Tbu8L?tKSOKUvyuDb?rK%TLUi@9v;YB
zCEL=yr*I##B6mq2Afn{FihaypD^8jX$j1#DiPW70dpz@Ly)~DOki+F_jGaw}V>>&V
zpDY|J?=1XB-(>Yk@Q8ZK*o*rOu(ukcF-|K;s}x(L@gt1}V_}pNXgcptkYJrOrzrMu
zW1b6l)dXHx>cS-(ba}~vR1GLh{(Tx)acphT)6HYL-SI)S?q%`#L{N~qX9zpQ3V3pW
z>*Iqh;rm25TVWec<QJjX_@d-E;E@ODe;)*Z#gTC!z1YR`;%I1`#V=mYD=-^8ZeiDm
zA@i>T%EfcH?M7;mp7`<evW{+tPXiwLw5W(@Q%I`fw|ppjREofZDWA#sqFk7Wv-;sn
z_&+=K?@BEfp0)xIejk#=Ny0CiN{TLjOIShS{OIW;`$`qRF7MK0yD7w8gnQwhIfb#0
z<84+CB|(hiM*!%?zir6!amHwu*A;s2a*KESM<G?+R=3HRNQZ=o2XhzV+)7^lBV3?(
zF!kTIDk?YeUnTk&3Ll@^Z=fnv48C7$F_DF}P=PPk8`;-LwnFmqUT^^@ytZ5_6lAH;
z(3b!@+`sps4r?UxxhWICOIL0t$DYy_1724ST=%#p7HApFbnc?-W~zXitPV5Ia$U?#
zqz}MbR0g0)cNnOG%+Aa-C9d=h@~d}7EzU;*SXLbstllHf9>#)9YJ}gm+1>o^jwXS{
z+`w5C#ebz8t65RjzvrQZ9_$-lU6unWa&E~x_!`poCKf<fMMyG0%Ru_^MHOIYcfk_C
z+-d$n&#$Y@3n;t=k+nZ*eX;(_3u8|={mJyN9zBWZwVGs8sUVuqJflznO%pn0$7Dy0
z!djl;;krLj>Dwom<n9Z=6Ll{H<!3K_R#~Y*fFT4v)Wys{{dMHegxfah=BBF&u+TSY
zEN&@Ji|w^~M3R=sGKR4w@Gdl?7P6-VdTzOvi2jcSNiT`I!=UYzM(<Ah_tU=tM&*69
zb~l`}O0w6R5zS7BKktN0<n`Im!VIowJLs_RwWat+fM{<{s^Sg2;ppK=&$#j^NrT>4
zn0|SI{l!j0b?Xy6_>p-2uZ@_IApe5z%%^yOS7HbOye{do|4~QULO9~~jU%z|52j1@
z+9P{uEzF<%v7#@i<fSU=eg|R4N@G36IwzREE7B@|(wChj`(Dq40wjz=f5iB!=6!_z
zs<Hz*>Nk(Tj;S4g@5J4JEt%8${L>EIR4rO&ZzLAA=_UJ2he(>HrXI(r^k)=NlBC3q
zE^_;<%pxSR@WlWg@S*_KzyT1)rX5|(hXJ((msCoFr@C0|1K4jWaaRE$%Fgc`%u6=^
zzJjUx@xR2+Uj`WczbO1=i3<7LGGha1V13!Q4D3g#s2v+}Jpt8w4!<G;$Y0Gs#MTg`
zT3L-hp!c}|AnW?P1gw-q_$-b>mqw>emYUIHS&7pgE>ln30gVGLU5+wyRot>VfG?KJ
zRSa;2Spd@5(}W|!%%w^YBTv_eHKc!^D#Pqzk(59|`emCf^lzc<n=QslYMn9MxS<EW
z!qA-l0Gdn{P^uzfrjau$At6A1f(sM`1Av$@P#(h;Ka$ku0qc87`T)Qr0aU)&b>Iy4
z0DAmYHU>|&-aMu?n-tlm)uO@E_?^!*6VpSQ(QR-{1ty5T)T6@!%yZ=#!ZH8bh{n@-
zcoUWVh*!mECEAkvK+uJXmNb$cyX%7h@Azib)Rr&t?{azc5W#En6~ui<wZD<hcsR6J
zoyUOUhn9u3T(RE7#}Q}S?lwDy&QBJU?!z5+d{<B2bE~)uW2?2h1mXqY*)l~>rTLyM
z0{~*tOa4uJjm-8-n2|p~g>7!uaduS2<^!|t&8_#B0}@R9<aicsDB<Men@cL2f|2+0
z(ylD|&=400#NZ40rn`0DXmwa`AS8mk+r0uh)`)$wFLRT{0he*?9KEqZZ_kqZ4re$s
zX|d}7ZadnV?9=ROuVVVf2v&iATHt$A5bF>%3m;uUmPAqB)K-*`i7N9|hN~#g&3feN
zyMro1`gCfrV_=vQTM2;KZHOcLpnaF-WK0Tb-6Iv-g231p+N-`B>c~MW70s%*6AV6b
z1+t~sDz2AG{mKBOP0dQLL~?TYwBt6S_P8T%r1$4UG9#?nRuIO8ncrW9;9mpt5oH)X
z(%7-UhZNwY2Pu^K`xJc@!9oWb*KC;VP2!&)kp1MR%L$nqwWYwrMYGwIggAjO*WPhZ
z%X19hr%kLserU&zs=p}{ho#>s6YqKdfiiJU4GAzI4mr+$y%YGAtdO$5a}Jc?G%#+-
zL&a{n1ZaDR=IVOC%F@+;X@tBC@ZaSUeZB_8!Bnwa-&+ad6PHx*KK&{$XXM-w;7ta}
za)6;z)gO^=GaM$_@P~>kkdB5VnoW}Iosw#n*)M?d6C)NROtAB+CKWGYNbvkCTGU~y
zqZbf2*dG;epXf844G;pFEfn1rc?{_LK^5F>zX<)!fxFN--2p{K&jZXE8%Ig8=Rm__
z9gHr*z)V>8SXl-|h5-?&VT)9&1Pka!3u>7H8ry%P^@195amd6uLDqvcCM$%{^eYQ0
z26$YGnj&&%?u~BRN*%`o2?_z&Wa`{yCn5aK@IioGF`ZfD7&QNvDX0?mLmqkFY*S5P
zt`G^Z`3$LXy0>jzcgJ^x1z0iMb5iTu=AFd_I(c{y^k#)~I2J~%Kdf9-UYqROH563(
zReMECdvwc5r<QC;Kfr%!<~b`DZg2&luYa1A>vJ#WPnbF{d^&{fw{!8)7PkjG{iq7w
zQ%>!#zghwu#hS+D#9>M7sl2)FBD?;vf=XGWHaBu4<umTL*6y#%_f2V90wAe36Nbh<
z0WYA?Us^3x_25RcXlum%p`Q6m?ZF_cWcP?_(|l1fV-8@s48AQXXRRss>nK|9Jqd7<
zOx6=P2!Vc^7T0<Holc9xnoSq9-dH3Iu5E?T)nth}376Lq!c#7vcG<NX;7urJ>U7|N
zi6G!b7}zv90Q}E{_uOx4i@h;DllKp6;_w(s#mSd?UVLp7ebT6<WvNRCT0V0^jThIu
z@KyUhK!))OG%*3_I<57m4Um=G2_5RhO62UW)rlAvcS?A=?RI@<`8y*+jk$1(=wE$D
zAKLBuLpcDL(K=`XVRh>*Smw+wZTX2NUPq=qHZ_qqVJrWz2$J{FI9sX#>kDWuP)AI%
zcs~GDN};jT_|-2o4uXm}X0GK;Mch`W$s5g$T*YKrBY<+G9dV)Y#^4@xrslfew7#U?
zpLTn=!+g_zt@04hu^nBy^ST$p;Oe_$3(ln9m~Cn5!ANTk&TsN#Uv}TnX{2s$WvqS>
z5=NqrJXrA$I|Ap&v~PzhKB@)&oC~}fV7><N(=XLVN1TR6+hl<z@-LO>mWQ@Bb*H{o
zV-*wgyVN9m0&~UhEFro}^_Q?CoUOf4Edc#NF;>G|$-X-IRM2jkh_N-$H-$#l$blEg
z#9&qFr@nU}fK=t&Ro-5?iCo_%d*kZ#*4H%A$;4#vt;4o*ZL!x#b>x%mNU9!X<Al~s
zeFw%OW&1kQY17l2TzWt&o(P$|J)VZ;7o#^fpca!HwCbK?*&lTO(Cv<nj~8Y)xqloD
zT#@7#QBV|7ew9F=7CG~4SAT#Ed=0gOMjn{#pY;4AI6z;=`?D6E9^{vrE+GZsdsfNp
zU2AhCl8!{Yqv(_U5y#kTk-i{-WoHe*6>bFFx?5N(l)$r^NE%KcBR3{&G#0+*tiFx|
zg22_#gb>cpz>=wlyuWIdB!!i$S7QK%M&#`n@=s94W&~&T*xg=@E`XAT3{)m0lLOp$
z-3kD@a)AyUm&^X~cR_)}9Y27&T?PPu8$oQ`HmKYQylr9rDNR;{K46R|4X{5On0hY)
z^fC(_ipYUtWo(M?=(n^TPhaw(<hg*kahE6KyzW|f<Tf0^vgKg_d)Gw!r!Ph6r9fEl
z_u9=SlEU6^#@^>uv+pNRof1<mdWQHQ7#mveiM1WL*>f@56$D;d<T<0m0RTNCc<hly
z!uEBHl5ZNWx9tZX+wQ*TIzNd_##FR#9sx|H+H+c+mj{xg|CP#_FLm}NhUN3#S{=qK
zazU^-uSDAwQRhKJKy^qoRTD^AIPDO4xgB6+nYIFCgLmgqM-VMq>h=n&3;Y||D+84R
z%95bck!#l^loMAxE*S*4t*JRP1neUfuK+9LJ^0feo3O$Zsy5xC39bkMn!+LVD$_Fh
z4<jI{3}6KG@Ar({^@j)^ZCoFOalx2PLlHeWEfNj%ZU2bR*z+KZt~+1b_l-%~;@^jr
zuM2hpNCAAU&i=i$C*oyVfT!B)RJ>ooQVu}psnpqUU9fL1fsAo&(?1HD3V`+iTVHc3
zpZDkAoPa<_6(=AfDA>6VBxePD;;ml`pji<bSEWyo9!8TJzS=Cx2;*!u?*2J-r`WyI
zl`C3&oFmjmGl1jY^8fVqrg2H<ec$&~wpdwB9!)uJH7!n~X6mT9TTNM0X=QG?V41r>
zYPg_an%PX5R+eTeXqLN@3y=#~SyFD8A}EOFm|`GqEGmTFzrP*Fan5nRuKT{u>w0j{
zgL#1T=fD5H%jfg{9@jjY>qz~GH#Bk?`{O#^ObtYYlOV->K+;dJ#@`=8ER^ng&uUmL
z-3sg`rqj={lyLAmr9#J?j~y|?`hK0YOpG#_Y6aSJp0@UxPrulb7e#6^Z%y#ELGZO_
zaN{m~e9E7kp@ntF6z6Th$L8Q;5NG|rfS^vj4ftb0bmrVr=mn2kwhOhnk<gb-vlF~8
zZl%5`O`i2WNFR!?gpr6RETJF^^w3Ye>XjzVphp#;9$2(m#5k3Ej064Y0r)p7D_^R%
z)}g4bn=0Qs8MqGBSP`HgZx661>#x|Q7`~;gRY{Su5#~P^Y$Es7<Zz~V#0^K58k_E%
zu@%>yh=(@gatCZE@mQkyVJg$GOW+yHtihQyf`>>GD<EUbJgD0};}w!-A$e#}Kbz+{
zrR__B;#G`XifZFs%1Ox#n`;fYlpQq~!y|Fd<MDef`~6X-zC+g<sWC!vYh+IyyK|of
zhqc70%7-n+d&i7E3V4|7IKlH?;(lxfov67F{fnpZ0c0$qd-I4VaU`D$s#+O7gB2p>
zDU*8!;cXc9xguxVh#~o9>(7Yq;A<R?%<qi{HqqP!)kn^Uz?+d{zM?F$I-X}N&glS&
z{3?aRDDhEV7_<`-6I$E>UAvq+EK^QkvyOmI*TOalKL>R7FE&0^fVX3V$)=XxGO}ub
zTs9>1?GdDnN{PfC7N=k9j^E|buX>&>OZi-qhppL{TO%*Gr`_sQ0TG%~&WkO1oHF4;
zc!RWU`Ug0RDOpeXq1SQ+r%lK2^~rGu$Hu7Y_y){nie^egkxo=j<B#L6PMD4gr#yPd
zGsRMDhY4$9995mZL_h3-4PXk5Qn^ofH5kQ|wCW2bwQmhFkYQNeksCS}n)<HV5TrGx
zprCj$u|)SvdBbGApk-&L$n+UKI3SPJKc0KtPg95F<XYk8(9if&8#9Z3=HRe{qsl=4
zb)+9i;Ol#nN7?q8t1vH8Qg$co3Rc5h(dJ+Z35+t1-5YxXo?U6ZtJ25?H#bJ=1QeB4
zzQ(y*R6cdKF|{F8FqVz9+1<s8DdAM|H9FKI&YIEIPtf*edRF(Ex*q1(ouhF&<KG<$
z)}HWadF`vIiV}Q?g>z!{r|SzQ43=gM=sUE1gXhd>NrqjOsW<!>m@n`q&E07dH@^m=
z<L5rQMJgO-ZW`2PB>%8m@j_d#$5nn2$1Wmy<+6T230`t$q-PB{x%_M!r?o&@5d{ga
z4twEQ@yw5FeSdfNHqIinJLTH4kvz#zr-I@69LATD4mXg_ut#6A{65bgB-OW@b{p`c
z`y8<TJ!6m-pERbgxXvTuW$`<G9hXoOjC=%=^QB3@49<_6?XzSSi>!L7PZ2HsoLgdN
z(5*7|*K)#{W~DRQX3kJ9I^csc!+sN{8}<r=pbEv_5^~qtHYkRSUX9acbArrtU!D?u
zzVdAGO@OA3k@-2FES8_c0se>6v9sHq1n&MAhf+5OnAO;`)mF&N9+*R5^?<r>L$02a
zj(i|BV7)JB@7A{Uxm98c9T*Ew2N?tYoz<GMdVXnH3r+g@fLsMv)D#&%UWR+fthy3Q
zB;;YGw|F()o1Hm2!jf!5Kl4#xbpP>OULbF$@9$n(A(pKXvxB4xPN+OcP<`4<t0#(C
zqn)LCT6l^R0PeANUzK6h0XEegM&=&Ptu1n7vlhE?G}(`r%>8Oo>E)45g=0_Onern!
zVHZFz-u$?^Y3-#f)7p;kN7a!7aP^Fc&@QTU-u*(RF*D_PDy36Z;e@Lq%a2gR9_Mf|
zq2&9c?(%FSt^VU$?yj^hX)md$gE7DV6kac&QEzQqyC47g(u6VR1CYLuqC*8AZEbZq
zGrcn}tZoW>TsheFDC4n6ZT=yk@fgoE0$3y)(3oT`JaJANO|ixlE<NlWDd+&Ni_R+W
z96pQ4k9yNnIr26^b)CZ={-4MB5nJ!8-Y&%jDha>nVw`SaV<iFlqW9sg!7<2`iKEuL
z=!-<T#dAbMr@cp!*DVWXWGvC3HTcz?$auC802e4>y^6_>4ZdwyXH<^F+|Nlqq$_|M
zNAwGH<PS!RBivYi6B6@2@3Crl+v7e2a>$OG5)^DD#CEVVOBPCfuVm3QbTfjoF;Dd|
z&kzj*PJ%ASN#^_T7ALY3$NI}jM+@HpD|*~%Vzx=4#hkmnZQauo+QNZE8^OSZ@-o^z
zL%)=BG;X>f!$O>{D5I5f2g^qXsn5P<0dupOXhX|AlocUDgE%y3TFB1tbR;>`Jb9(e
zyB9lsxel`7QVd3ax{t%E=av^ZOrb8oR=uAo1`HKYN@bPGKTbM1=4M7}_xVd7p#T~V
zUQM<3N0smAErqIlCQj9km@A~RD_&fxX&Q(nP3>ZhjEI%EKdvU;SDk+U;mo7-&8-6E
z^TIOg{vg2_eU@sek0u+tn**OqL#2c<AEnd_OVZzlHdVICQc%o+r(B)0WL)ucY->-Y
zS*3JO*hgPint4b&QH8DA89DLZs+VQ|&Z6~v6DjK=E2G9*nvHcELhN?Uh?TpfH8Zdz
zxd{?hjIVQyN2Poz(6S}vVxFF{H0UP`#wEbdOPAI5FiBXj<@=Xg#|4WF;TfXf?p`$E
zR-UcYcx0@~)ti+-<r`i(jq)rpMuz&R_X9kQv>$<F8nG3Anw*_otdT7!521#=kW9YI
zw!ec8&5Q&Q$73EUn}Y4enF{BB9$9i(jPH#MCCtU=b$T(M$1_+yvgg(uhio4V--W_D
z<2+Y@sNv4}U`RupwXM}1Rs{Jmt~+67&@(?b%|}xk87$9Xr<#H)+XK^A4CP*ia;t;G
zmhi0)R8?iX^_$wv_phW2lo{ot=p)W;#w}8%OvBGfL~?wd{>U?gR~l#u#|P&|YVzFz
zI)n@<M-fDBj$le!oH?^Ovyn}){6hhE>qv(!lYwaEl8qf#BmLo-EQ>+&eP4|I#98S)
zQaN9!4j-3;GHSZ0carr~exB27c%CUeH<z|BK{2(<jYK3$;!>rB*$4}G7ESC-zL9dr
z&Nc*J$d<IY5rurTv}W!}5U=pEmvu5_A#VsYkQ+3y4%UG5U=8<bpt!eDFvI2w$>epr
zv0e1o2xqwve#4X!`QB#M;*%lmj;!v^ZcImZTV!0Vub$XivL;9q$!DRz;KO<sN@&R_
z%F<?3DCgtkTDH&?<&BoxxwHLF*M2ZX)5<4dt;T63u7YP?V%g^yOH=p{pwtJyK4|cD
zupXWGMwHX8_lwT2R=j6Pqtds}m|5g@U&{KoeSGCTD1ox}s5{Q$L)OK#NIff1>*>v?
zuf><ztBv?-V*D-j=4_6_<fpRroLuIzM=cx~r?~FlPUQ+th0beX-|NTKX~O8DE-J2X
z_C5AF9vx?#47B{ZOrjjv@w9v5LxP*egr{0EMgSKG6I+g!XHqY_s0sUz3yTgEaDhEw
z>5R-*aRGP%deQp)Uf=B!lXs$euDkq1yktk=lK7Z9+rRFzmzN_)b}>H%^HU$oLMScF
zIJXq<uh$=?wI9zf%N@zfK{E(+Cx>kBhCEp11k<86V32PWz-4%nM#@G4FkEsm=Gl_?
zuowF*b8>r{xoL?jXEeZ%9T0ox@e^K&q`V-7hr&BKxVOAQOUZNc%1#qW&FSn3OF>pa
ztsjTzbquct9ygj@b~8xA)bpZ@jHZ<K>RhSg5^$lvc@*KU<VBr7l8c`GH3Wzn?p5C%
z+)<1dvf#Z6U;OzZmi-IdEIRz{j_ye2NmWVp5{k3Gs2un8qpQr%S`Z%2Vh$U+dWOUY
z4S9!oeD2FnjTn6Fk>x~6hb*2xHsKoQXm?^1g-EHsf}yyKXP2cB^^IT@OdEQPl-dxS
zc2X>Tu4TZ$@M4%`+HERYZjUEwV#p%^Vri6NK|@&vIq?wu`SuXAQ(Syr)5Ri0W_^w9
z3^(Og)wIP4d3}?!WvX=PD3ba!fsp0i_Q{+E!oj%+W>qNfP`3f6^xKK`i7%8A;r6*D
zb)huZIqT6{48ShfNONtv_eo-!pXsmSw4(W8<wj#EW}|AZmV+?_%`3KS*3sDV#QOaq
zb7~KXB8K`}LF`Cq+I~)fgRET0mqmX4s&S<*^-MNo*}C|n!&&~H*|lD6aVlXyQ34P3
z%6?j>_D4q1_T;@nEpSH%?YBC~M7a6qAqg*njP*q(5UmE1Jat#LRU{_w&8_fD()Z46
zw28@;wi4CWJsBVY5)KneYT7{C0gC<qH<&h;KB&nFxCEO)KV~We@0cR|{2{#ns<bu#
zsjAb0qSW(RK{*>D8!e35gAC!~22kYtbKSinhg|j>Bf(}Zt3wAweWVqVb+1H;GVe`d
zNX5V&68RaVK(xe*;K{62@?0_Y`_)*J`4)AgMzh&r+$*ej{G)N@4^9sK7D}=bGri7j
z%e8uD7L>*u*>kDdbxq=dOIkwsc&&BZ{PeuPT_PF*qd!_y8vSuR7Wvb`Wa;E}T;rcz
zf+hr6dU&Yu@N4PMZR%Up?Ag;_L7nW7@a`?P!KgT$8dJ{6M-0xtUo^6<^~(|V1#wb$
z`4*IGZO?GJHPaQ}S|~LDa0t++0eY#7>st;9_`muowOILEC)|J4ik6+Y-YDajk>Bj|
zQ_fU=X;p+bE%!HHK{ngR?uNCFi$MR|))&KBi(zdUK;U^qdWx!*qovjton1JZm1B&G
zn0TP?ICqn;!%#{-b2O&qMD~x}LFtBt!g2*fL+dny&JIO)YTKm;SNoDV_0%=8(u}=H
zW4CSc%}~Kjfj7dhWD8|KVhfm~RZ@F*%~e2W6w~tIC0fC(>gDCZV{cN;4DuXu<&h~?
z0h$tiw(2?B00}<l2oA|&2x^pw-&{WCegwWURHeYA*6Egg<vud`o>OMod&%$N1niY;
zXHwI9H0l0T?wY}iE#WG(hrM<~QV$k!lsLq8Y;~u5`e}2@_(TI-O=Tyl^*l}{k|Lcw
zA+Bfb{eLw<pYJ_!b>dO}8uXj}2@g4Z4$A7OH=N+7{Ia%!oW`=yqZ^qp2W1urt$@|u
ztwk#_9Hj6Ltppol`*3f2fF=AalJ*!*7Cud_gL5W_O2_|G(U5Wd)yY@;{=t+;JSIcb
z=ymlu2T$gj*6O@HU*w%nI9!*EmW7gsj%s`Mc9Pu3jKxBksZ!5e`KwbgLgSIo<|CgC
z{X%sxK+@Lb2sHET%_s<j=`2Uk-iz8#TEgH%&;fxK^510@ryd-9;_*7fhiCYDE8K0*
zg>KW~2R>OgTd(dH-0T_%A4D__-X6ScJqoAPYpL0efuo8AxB+I7V~bnUC^a=39x-=V
z2A2oPpQez6^Qr?N1fR1Ym<;$1E>_$g{7=;f&r4;A?e*W3ADz01aj_`R2GA7$yLO}7
z{1N9<L|H859jpOp3;zD6|7j;UcM_uX6ua&VLP`EZMbgs0rXM2VL_-WJ+a;0hR0hbZ
zxy`m;n{89lDB&aps6K{PEA#*jOyOIkcm<$i7)b8HT$=Owo7Ur-CZ(lromfeT#0Wf^
zfz$|l(S7BDLt^yQ-IXn~5DuXheFqdXVuvDdq8wu&BS546tru865VPQWd$+JYb?j~{
zcjV^$77rN5-1WU5H@s!!r?DN+F1=o>tpT-p47;2%c_#BUxg;2WcHa>W?2*|9esqXA
z;5|+)VfB2oHv<r45GQ}JT=C!<mQf}a{Y{zh?U&Y-DVNu*#2ADYbu{XVm6uE|=sYZf
zWkA5R*6vMCz5t#)xJIl;<_zDziVxQ^W{TgLx@TO&_Wmz7Mo_L+;s9is_f`BwZRJ_`
zAC-cTK&VB_e@1wGQTrh|p=r`XW#WEJAkDok7;}=h*>!AtokiMzh=2x)FA<ZyGk{<u
zE3e(TN|qJX`h&9AicSh{g69z=F;~nn#|&PON8zAXRU+4Lw~wJX+p-t;<l1^>!9M>@
zMzSsP)2oEx`I(XCMTNX!l-CBm%6HqRUTf>zJI4F(Z+by#)B|;;-Xu;;f=zJVphKQx
z@z@;!8x`b;f2awSr6t=0?6PrZgJ~AVH=c7H2M%I)5b@u)(W&2FSOdEeAX>)*U0hfe
zjigd+KcBOm0gy#KsX~Tf3#0FcD%X|PzVCC8rGqCAuzdy&s9s$NjZx2Wcld)q56KNA
zWQcNf2Z6>V5`Nv`Q>VI$HKl4M$85v+ow5lcMwo_vSfrmOF%~l_d^2k6|LX<RM@9}o
zLcj0nHH*+HbM)6sSvxUcmFa1{e-CqDCFb2@_RJ*1d%ZY7)biE>ykoXLRc68i{msc)
zqK>J$BaYwEWu_-|o{=&6D&pF*s1;&hs|o&uJ5NhOJKN;j_zC-hJ=nd-x}vo9&1hus
ziHj=#Ql@loZQoFvbQ*vxJYEI0>C=(~N|FJKL2qk90(EZRO5YRNF|MVt2~-kt$S06?
zK~9i6W)G~kQ$)rWFpqL+CBhdfgL^IwJoHP+x>Gy60H|1D>}+i!to2I(Pzyc<(hqND
zGWI09<X<;Qkn*}eYAQE69pBO6%TzU0&Q)e9<Ch&>TMG4FKSC*&fCg!4zQu~D!N<kv
zc8>CT&$fOo-xKlhrGDv8oMRkq`LVogvL@-=(4IgZD1Xq~w?*S3t-8|^7Qc?%#v(ps
zKCAioF9n(Y;i=ZxWAFEbl3rI=>b#uoBUSh*mjE5qG*`Oe4Zr+VE2+nxU@fSDDNn%V
z<z=H*of}$-a1*2@d<dm|zS9C1P}xWJZYs|<>vU!SZOxr<^+r4_v)1FkF5k`z`%Xw1
zXP@kJUlpMuWDMWe?XA1n=$+4N4X6ChEz^eoQ4zcYLDp7&Pnm9$s@V$nw~^cm4M;<z
zKfU9f1cJ!E<N5?YP(|2ZmOuqb8$$EHztQau=4{6~;ilW+5}}3GIYI`jI_Uy?-)Az)
z&HFd?@hHK1%$`0SA6F+4*m0}#I({kek6<O_NQnpjQ-t??@6KPhzTk90Z~Bax9Nj);
zJR|6+C4GN^1LX+pXt0Vz+>eO=L3Rc_y(Cm!Mvd3x`uEYC7lRwxeY^~QB`d1h1IBsq
zB4L{BjuIMY><W0xz$0LRWwR8Ow9DK6`;I@Dc1OlIzWiLZ#yjz{%2TD|?0tu}9_(2w
zaAK}GEo&Ff38ghQoY3A+Pf%i4vPawa9UCVc=IF{WkowUp*f32&xv*=<VWl;AmEu#X
zux%8Oak{|%tu0b`sw_bP&@VtW!H!m1kcF*=;>K;DqYKZGnl7U6G=WH^_Lu+9N;cTQ
z|7_~P|7t7xAEDQhQ;`E4l$n-Au<^5>KMaG+bi*U4w!IaKV<tFc<RKsw{DbEX0g*OA
z`k_^p)gY8y7|l$h2P}UR3_*Cl_tWojDx><Xki}TIOaKN9P7s1-;kUK!&#r%jb%D6n
zdu~D%)B^joPL<CORR>~+G2cFhYUQuNI^g^!matg9{Liz2f);#6?;@|8aFTrcA+{%o
zf|cj@$pJtt=liz{8S*9R&?0Bvtx17H`*1I~XF!@zW$>kwvqgg0xzG1KcroRI5Ffnr
zKIo7x{g0w^Xg~iq0sQ~LSDx=Z^f%q*oTm>5xUbcvLJsSjkOgpzySHx1OVcp#*0<DN
zzEIsVpiVh;aNGFY)R3(P5R$x{X;F7<2u~Y)6el|b0`seXz5TNa;KGaBh)V#U3YVl;
z*8`gibckh;D(7{%o#PHi_ry4_!W^_-jZIq+=KyFcyAj^>WE>pQg<{}Z8T7k*itSZ~
zJ@X->z8i8dTxGN-Lz%B6O^Th)nYH>RND_dYN&m1)PjB@q3`TW@^2|4dkpjBrhqMzG
zK}W<xc=7KavJ!ASD~Fqrt0*p9C*17AVTh$U4QR_7H(QIlt^yc3N&v5?0bt??{oWMl
z)sJ{8AZcimo5-1f?w!7&{nck4^vI1Gg>YcG@QQ)}(GXA)#7LXt4>gXN5WX<)?+NOK
zc44O-ncSrMGE;55#*_TvkelN@oh}xN?b$RJ+hj)7qAp4ZX)A7hT8oPpWe;h9vVG<7
zUv~_&1Y2{IyGoAQ#mPBC*yH$$A79OYAsCxk-m!4<<WC#LqVLBb84$7~X3G_bK2$LZ
zVJJCRZq-oMs<8rBd%$*sbiXPy(3FjhvnFrnwty|x2CcG&+S`cLi~ActLfzrOvbzb`
zg~9n2vrW(jY36_3RU4CcpEA%)lk0lV+#ZGm6VV#cBLo(<cP6<7=(UWfHnu=Fk$bN5
z>s1u4VLQYT#h-(?R*;)>&CZFq314k>!V8@%s)(1tC*L=Xq*^8e0BO^YT5;2_&lz-y
zj(?YMKT_#!r25Qbnw9^uI)Vsr<e3Jp!{#l>m^P1k6jP00;2qHZx^VF3&Xa5_aQ)cd
zLD)~1$2yNy|Ede;lzH^p0n%oCyr5KG?vb$sDH|Hs|31G2={lHZT?Vj~ivCVXDcGk6
zrhw`7fa$r?^l(4}?6%7)g&B3`ZpHOZ-V|P1TZG~a#PD)`bCL0K&ay^lrVgBvjbbRH
z9s_rJ_mh!3KPa1ja*0O#In^sD0onopLu`s|?56k5LAcQXMm(f}`Pwn`wZm<x8IUlU
z+wV(`?8C%E+-_S=Zo}H><^(ep2nUtx66KP|i}(wmNy#KO8R=#<6+>5_Y+72JDOib8
zhoA_gv6YN?VF=6;tG7#GD4oL2H8ew40pVrS!)1<+sKl9Hsz^%;pZ1GXi>1z8H}juY
zeI%K@-5%yRb{n8MqM}y&4xciv+i=68{UZ+`R>R~@w5!ajT<5{b-LwR=c(+PCCjP@I
zZ=(Y>bjjq_vBh^_w1o@h$Ir3VO~S|?o5wdc$9-Bg5>kRlV?|66yQ%x|KzW@aiH3jF
zT2_@nbk!na`ko-5(E`8|Yakff0dZB~H`Af<DO|J@+ivO2cIs8#ILV;K`^@3JZ_nJU
zhv2ck_lnAkRK|dK30q^i;&zt{?V6y1?2v5DSN+7sJbpu3_gFbrUrJ=cn`-jj;qQku
z<y0hhLfv|g2rs{Zpmg&|_dQ)rpH>@;Bi5Gl5F2r1+Eufa3g~I=p;{S6yvO&qW$(0p
zIO<6MIL9zNE+r$#Dq<)KVhS2>ne+N0JbMZ;XTlq!xg@xn0H6pX*is<%&<9uhqVHGb
zx1N---+2*0`-7nDhv(_My*g^G2(yf@aI`B(DSP5sfnSdjx4m4H5th&|XIph?x}8bS
zqZ&svJ%;r-1z3YF)wjw)Nfq9oe)?_iKV~bYfI>)@W}1?vTSN&vldl=2+O@{>0~Vr`
zcIwPKVcSpf{XK!`;|>Iu)eznB7C-G7{D;q`m(4plCHd(MJEM)0ueO<v+X~mQ8}}c{
zhA^YPLu%S`aiJL{$TJgJ2eir>yDOuMz_083R_-F_mT}jKCw5B?)O~)?!#<C<R4bO#
z;=j^Hav%}EmJN{RAa0I<=78}CI@LVlwM~tFs||qMrpd22Ci5dh017VfGwN+vtH$TM
zI<4~uZr7F(PPRrjr}+LB@9Kr>ogOuaj|qw8P>hd1cy?_0`hWlX*4C{_v64cDRJl*$
z*iGSCPxY6cD*kE5_lQ|CzvzhO;p#R0JH^jb@)th6zA+;6&f~4ezR`6367rZw=ZBTW
z%7!}=A0{BbIQHqRV^!lW;xT(_CH#DBz+u7xx!aHiXrmm}L0T}T_WLYR=ieEm`cWG6
zyGh$$fU<#gM$$skkk4SaI+inqP(o8P^HoHjq)~&#fh_1f#g%ETW!sFX(ffY!RS&&m
zMDpTX`lXAf@{2c_5p*Lech%ta;WLo6X-{-bKB+>;t^(XV53tbHwq$%iF5rER*o&)A
ziazqatIL9wp}_y9%^Ny|sKrWi>^hyVA&vrBd7+B<tG+}jv@(eV>vBbY3D^ifQTF<t
z6jF#pT#UKnF;L<$RQ@;|i1(|sBnyj)-np_hhc#g;xhCVZ3qM!*QR;w)AJv48=ck69
z(QJ07MY_arZ*9hmA1xx5ysWvd%WdC<nHf7Vwoxd^g1^vjEr!XDASVw^);(}osuSd2
z-ZUGq<BKg>1`dPZ(Q=VPB=idxhrlEH{ql`%^3q{7!5v`pCCXEt+|gf<Dhm?nUnOVl
zzvHb(CnB$os=>2=Onvza{?qY5-kAiky2(I?(_Bbv<MhRj^;|;}f{5Mui=#U-#VG+8
z?4Fbw6NDEQeiAj?Z=9{K7}t&Rn>e0_x7bwS&5=EsSS^hK#WUd=P`s-!Of<opIP567
zg!tYmL5Iw$!EtD+g<Ge4sN4B3HF5O)HMpzCV{K~Mx6hv;mJI*Fc`O=RA&iYrCL}k+
z_^+;eyxqI(*h&GTu`|T7%*u~qc-~CN5Apf;J~U#k99Wbhmm<sbUB~ed;8xqbm~g{%
zPmK!Ssf84RABRWr57naK0eAiG1La2K4QMIQi1$u4(BAEKwJjW>=Kc1<rxNlmQQcok
zV$**}j%d2VL~0R>4%RDdB}IrCMDzCm@%xXLPwAPN&o?vR;y2vLQR6A6_)5ZMJ;pnR
z{@egAH*NcLz?W*QcVDhEuG-Y@Mm-ohP)^U>A+<?QleunXV|y|r!jRj(tyMx|HaQKH
z^IJJnX2nrCwY#$5&$v$$s8Tajn{_qe>(cP4RqhbKP`DacqpXI18LRT8eN$3A=XPV$
z&4>R2y%%=9KJ~AuRMohxpmJtCdoy^z6mPbX{T*im4?bNw@=3Z7C#8_S+}xcAvvJ~5
z&z-Yf*(E>UC@e+Z7TeUodS7&AYeL-ZYZuMs*=Fk=H^{QS#$1YWiD~6GzPpgu1o+cr
zW`vHt;_~6fVHISbth<pk6t}1)4C5gQ0h`#7B574BQITRD&$1=tn(iSJ%GjHnIA`2=
zZZEWjOLt_WkzbXYG-9E0wE;*WPW|@D9HQj|{V@V_H2j@~!yXVk#vjkBRcAMuI7DB{
z@`<5oMx_vJ6MrGUV12UD?P7JM4C1Q<tI^bhX$GCX)`xSNw$UH?P=Bt(BI-$5>+L1k
zll^$v-C585j_c?^LkQKRhQrcg2l{ZNuQ4?xW!28|!gYrgK+`Gc+Z?rOT4y5MB+Ksc
zy*?&<DO8i3!7|U?9vSecs9dG1cvlwMonA2!<8^Rf>UQ5NcqkH^nZL4$gB2xj@?(sk
z-r4{h%3WW)lW<J98}M|^X?L4?>4K4DbwnS!W-S=lfP8i~l8a*9C6t8v1~*7L)_R}P
zXc)v-6qIAbJ~h6wA$UG`#`OX9<Rs)Ug78WNlIDPyzpSEkuCDwCPn{Cr{%h9_<YmW(
zuU^v^2RDc%>rr=R_8wxHIt~9pT^FqUUcxtb&9;?RrNJLbLUjVa4_^@ZQm|(U>qTZg
zS%7~~Xdo-+JpR`a<ssN0o&Elz=vb2eqRejbD~w|x${yi7u}FOkZooEm{Sqe(Aabh{
z9*7#PBZb)q?kjSMUXyMoi>G$AlU=6(l=B${l=JjgxK^$cQ>ssBuEbJq)4}MRAhYSB
zSCvhRGQ(%R-yO{xp|^yoqZAFFlD52Ahe88MXGCsU6@{Jw)K=@@O3&gtbA=Ip51VWU
zLyUDbK5l=VZnR~MDqq>hvwzefG0EkKDfz7N+JQG*s<PpR{QI^wH0QY_l<fHui!zBS
z>h-IvlV5MxR1HrYhV<`uF<q_|Y2WTulKS{-=U^LMe1qnp15l(+GaQS4QHfcVXm((}
z?opaeyCrn6f%4J&k&O%Hx_d;0+wyJY_bu1{oK5zU$sn;?m~BMpg6$i1V`!*SXEE}h
zPhODnOQWHNt+3v%scq<!vF8-$t&WxeK|5%4FDHmNse8<u*x1#BV6+CIO>>75dh*v#
z9>cK`sA&N5xC|fudh1=#U$;%4TZ1^P(>?+M!>eQ*sK7(cjjfCqgOwnIVV?pXIqJ;h
zuEhy$GUEo`G48de%_*vSybKiUg#brftE41aPAB=`f=Hi~AWJt>ccdZ{rift31P|!z
zFaESL*2XeT7BCT<M?k60@BQKl*%Xr@<!zCocU5J(XpXhuA5E>IvK+v4pm?w#K#BSP
zud{nDK840;K;5D6e<tzV`T*Y{DyA8FyFt@x+K6PYYafp_LrUAU=)p3`MM(rF>VbxN
z_?3<QNy75oR}FSwQy+JwL(}<&L0%niX%j!9K6EG!MBh6oU(O&c3ML;e3AQ2CC9O~j
zxd@%-t3ZG_q`QHyVU51F@h^xncA#ORdS(HXKFPp`e#C-~Y@BJS+T<z^I_foT6}93l
zPRh<+Hw#f{r$Ig!JwLUiXxcm#O|wjfu<6&pAVC!X?rX9g0CjNR+@wVu<%e<Y=uZjX
z@<^cfe(r&-6cT5EOGgM)S+z=cJoQ1+=P|8324KV$bff6WZL;3ik76p{4}rli%VP?L
zd+>|mX#i>tjb``YO#d=><rBaIHgorhdp_1OVG#sf3)9aHFhR?Sr`7EH-OZ2?emK=~
za-7L6;jZg~lF&oc`N27=S*i#q&rg%Fo?-8{HM=&+dWV5=$wL6;?m=A03G=BnR#6_O
z(6gr397xc(qa>?cEhuq(Y}Q5Cw9<N)LLa1H^IySu!6l1E5Nv5-XST<Oi4(Us`pl;-
z&Df^Wf#x}CGbHAlo?7HK38cipye3Hc4`wRRnxTwn26e=4Ol7rfs&}Y_yI#E6_UrWg
z#~Y9vVMJXkCD-gQS~9{8A!u?w0+ZjrckA(bmeMTvdgG;6>T3akNrYb##cL6$K<Q2&
zx=70$?lpM3I}c*IYvN>#B1A=q{?>7zeGd3G>;Ssqn^p1iZ;e|QifKnTTmKq2n~v8Y
zTwM|u*=j<$=ge)JHjsqSlL;7MNHY}VS1mfbdYK%k(Ms~4)XOVhGtL6(d-G=O^o?O)
z6;UHp^443xsUXjE^hP=61uVIbp%x*J!2CST)<)XK-Jld#IamW*uChL+J7c7`6ql{Q
zd<E7m;JH9H8YfstmU6%=p%gS<Pjw|r>Idzb>aYq{JjTj@zy<g_<~Bnq-^)c5A(p$N
z_%(niw;1K)rcZI$+d*-EAQ5u121Wx{!H~XV-VzwmVcaMs5;Rk_ZEcd#N9G`U?chnf
zEn}iZhK^OlyCq2WvpmV8Tn;=E0eZk_Dpn<dXKE>O<8Y=o`pb^i{XA4#?uvm~7>xdL
zjV!=wM6DUhhYh=6;UD&nL~WcNdjn<uVeN4#*KO(q36Uv(3a!Diqe-TzuZz2I)A0LA
zHNaRA0{?c!Ptg6H6khp?l#g}ELmo9x8+eM$gK2+tuZK?J$oAo|25SLUWELM0S78Mi
zmuA3>nsc}6YxCj44dBjO&NO*l5jQE1?3VIDz*{@IoSSUB26Vf(t%jpZ^<9VEJGafy
z!D0pGPK>N7=bc%-GVTbPZAcPtGx;|0qDkYP?kqGVgI=6%wk5h}r|TDv$7GE0b+grO
z{y8;cU^dpba?DRjyc*HYYpT@!A*-yn{&iRloMfUt=Y*zE9~{NC2#tjaD_Ep`;NCte
zG`gf|bP<#omR_cErj}?+^V(q8$aHd5hr=ps*B<5ift5qLNHAsVwA;R4b-HY!L>?K-
z<3}Sf1TddU>bZ^gyM@3m262nfUHQ{JmWB8oPm!f+WAsW>DQ^3BWRVllK^NutkuuFT
zoCi(xphqB^`l2y>XEJ)^X4eN^y+~gK*3Pc=xSCYmZlwU~Khj<}{`0;Fc9<V+8wE=G
z1wg^aKjN(iYVoB7!@h{;4b118@aapC0|{Y_{OLuLXFks~CL<vKKz_EtJ6}D==r^jQ
z)@a`wLNK8MH6r`5529}esV@Ka?pl$#O!hpw!gl_K?T%G?u3utD-S%`vaI6kz=yG9;
zvzaurb$s#wQm4xp0Tz~=gY*F2LUrAb<0YrmIIZxx2_5=Ewe_HnkESbop**%lO<7Fo
z>X_T~LJ?9~=l`|Qmaf_-YFUkZIQ?-oAJ~FVcGrU^quX4p+cc{?0+&EF7@EiA(gb}m
z^y^=BFhws+lQN<?wSy4q)Kamqyv7?u3nau7d290*;b5l5j#6dmJSfLlF7AIRR6@&!
zjfF{<5oF#5`TS|L`gqXMKrqZCwsNAzF>aS8XY9;({C$D00Mb7ch{w!Bbb0FGd&01}
z6;Z#QJq{>6YazwK#VD{wTF_qJ#7$Z5ERWcx1?Ccbm!`{8@@rl2pM$JZ9xyOk>Q~64
z7i0~cIjiX54X{ItLG`f3QJ7Yf-DEETD~Z-MhXud4Slr0LFD>95lVcz|)UuHKL8tMe
z)Cyl>zqm;Os(D~JhRVq&bz8yz9@O?j$tNH!{$G78JPi5!p!Wl?rZ;&U0Hy11o9y1I
zX>lzO8bt?1;i;D>u4F)!gVMtX&pIHP1K^_WUS5uYY#Ux-397=yOo1WzN`U$}9?Upa
zfzJM|Az8%`KLfv+JcN})9`UF)m+vFmG>lo4@Cs_oQW{feqJNSN^5_3rdUv)Z&4ZeH
zD)Kvq-R5ON#mF{nrI?KTN1$=X265x@<+3MLK54mX#Yo&*S;`b(se`FPxzjc3hyOH(
z#v75xZq6J$F!mXGDU%J$yfkC!`;=rNg~i2W;Y3ekJvfSPBWP*cd6nL<6&Nw%K?%C&
zh!ygO_Sj}S0n*ZSJT@O}yGo=v9(3yG0IllOs_W*L5NF$Nz(s4WCk)!z5-LGvSbG|(
z;IA7?n$=Ss0MA0wJh-QDti|9MW{_yYC9i4hNeHR(tg20LgOcm%n_HPq1ZKtIOd+G}
zlXAP~3VOY#T2UHAMG$l*nqJ+FRC=bbxYD%a6myP!9BK0lv*s>nrb|*3g+j=X)(SL>
z>89lYmTGI|W+vXPZmgs7_FW^FQ~56oWkI|eggQW9droKztEq_Hg1)8lqb<Lwp{l8=
zC9J5{r)HJnEc2pGZCRWW^T4(~gm;Jp)ha4K<#h!gtc@B7jb|?H#ucTJ@R2zW_5f_+
zvNl|7@)i$zP@0^BT}TqB6eSfV-S)Qo-TlZl6}$V_jkeXUvxsrXP0IJihZ5F=WfUFR
zEC@MUim5rR?UYZM^w<pFp}sT~U5>fZVC6qyH5S8-XYcLm*>}kZ&JS;}Jtz0cvLE{y
z6(DIAl`MqHD->N+lCLImBLn_S8?b{5Hz^pHd_)F^>QU3;jAz*dbgW1trm%e3J*lWK
zzD%1AcDz)ljZq?}%Z|0|KiLf&gy5PM&msOCs<49z{Bup|2(NtPjUD*~D$YBj#c$RM
zw)$WGrMSz0^Qj79FbZ!l{mz+)AP^Wqtb|C)%rVUXu0sQrW#&7){?`b5Yk=->8wwr2
zo5>SrjrwqevXpplThzq<0vjP4E1*h9?!E9@LP7mqM$x8-ZVn=Z`O>X0W#M#u&Diy7
zjXMulk5WvnkaHy_gae~ltN2xpH7!|w|MVKK*p)-4kn^d@(UqTg5i_4+GB|cH`R`nr
z|8>(I#9H*8&o5HHd*X2;fcw+HhQRVwbPjcEXzU7|VV$-V!`J$Pr_AS#+XwiE*b)jx
zxg~RpJMFBz0Mmj4T==o|*SK@_c(}sHtARklyswW@v_ElVl7&WyR`$ZBuS7&^$<P`Z
z37$*$9_lR*JJ-28;>oCc1T=&x6i!C0O3Bwsx0sB?pZAvIoikBc0btifsm^Rr>e5_R
zZVfL?#L0zXtLk<%m4ZW7;ZZlCj`;weX7E-uLvy?+@od@lu3+2H8}KTsH2b>KQRg>~
z86gK->x)sbnCA`+n<y9p|B!p3Hli27`WV#!&k&8RMD=fibGAHL*7`Il|5+mgq;)3)
z(FfT@7b54%P@g>;Xwk*)yy}YVWvcgunwHh<pE$1=8dnx${lxcup{KjN9&VmCK`##j
zI}4bmL20M*2;_lNKmZ3Yo)6sD=}OlBB8=EZ<sR4H{fV(NB?+(BV{`bR;AushNZbLq
zV85_gG9Nu3P2W>$0={#9t)mwyUBNRPrevHWcdCxSZy+6o25sVW48E6M4&AkZPIE-B
zv6ze?7%$6SR>1+>J9%)&kJ}?2kDP~Dip@hd1-k=5DDA$XqtMCHAIGYfL_Z^>+(qxt
zHgNzorZ+$Y6Sf9@#yv7m=h_yV@Q|x21>1Jry!W^sZr$3m7IhC^T~QtoYx4Cv7GOI4
zLhnppxZz52W;vEf?%zA!VBtU-^7g8Tc%=9);&%^zH*U1HO&Z*Hs-d3hEH6UZ9QEb}
zmEvPW?($<&ylG6TlxXL!&odX)=u5K~92FMHq$%9s%N>>&{{x)SlwEvJW_4&o>V5k}
zELfEf4!X<fQuCIt$C3a9>bZAA4!U^c;hrF15bf3iUXh0YY2$ZsPhL=z;n14H%cJz3
zZ3C#H(@HUwKl3J6fW>6l@CDYV>;#Ycg}}pzk2u-*4Nyaex-=Kh#qNcc#V=n$)u;P5
z)P30l2U*abil3pCwc8(B?*DH;u2ovQSxX}oWP~j;kWb!~g8pO9p|H!)qNWyj#|kMw
zVOv{-*DI(fl7JNr>=KYg1}TrNmer@$|Ff+b#kN=}|5#w}=#kc_2C6aOrN1Yr23k7$
z?t*DJG@yKRD07qpFj5*E93q%^x)g6Kya*2aFLcw$Ug&)UeNj%*UilTkUC8Vm<7S+v
z35$Tq0)|e46`bG>t$kZwa_B9z$d#Ctah2UH$r?0>5>8$OxpxP^AZF}*-QYE}VGx8N
z^q%C|fkb59c4)b;uw6y*hkC0ovJ-5E75p-Sjc;xO7VO>M{;iMMDljKjC@T->w=<ad
zwaXS*uLH_K&lDPITeG}>LOVKKDsk+Sti;IO6}7!G=rTa*@DoU2x*TP6%fM_Fpu+s;
zbrH~)_j@_)XalXux!7i?)i85vzdII~l`SEYx_QCizL$U9)@`Z#ROO1T4AYC&7xn25
zZIbof#a?XhrP)ZUW>5@W*bm+XF}btz_tWC8%-<cFziZ5|Xpk*s@-*(0unb1qd#Y1=
z7ts2F);q>cfUWF-3!{IHEN7y6BaW4R#=#Eq4&%O8Vn@13?r}Ip-miSQh)LbU1-WxS
zh#b2fKM_Puh{26-Q2cDD<V7ZS?yo91D9~CGwVnKGbGJ=LHaBje3HH;3kSUhw)+t3D
z=Lksw+3n5^I735{OjbII(nfQhHDc~MQVNS&>|*$r`EGQhsc0vMCNKst!a?1G$ThF{
zAx2*;wdPy-x^O8e3W6;m(Y%R=i`|zNKSpIy7l*P+o4@vA(b8EB^?x6R658PcTlEKr
zKcIFhLO<fo={%(4^@zW+ReN%*D)`F#*qA2|(%*pTGG{uFcZ5}5IAiLMzq3b6agE(n
zYn%Q>Mpc16;Xao=#C^NSG|S#$OCxNbEgbs;5c2#kWjpOkg|mcCbD#|H#ihT$J=R)!
z=gE^aa+5;nF%po{=xvl4x*J~X1Utpp75I^wd!v3zGJpDRK3AI`8nwiaENtcAS1@ud
zupAQrz{3>Th%UB8=Nc0zEP3fA?Z;8l`1>QasGR7Ej?#2=&ET`awusO?mfrG19iTcM
zklV*pr4K5*OkLTp<5^yyuXDs?<LrAQcG-R(_5HjvH^um>X;;mkeXYuQpLHdGgU5~J
z7aU*-*T7?Su75Ee@yqGg;$wSbo?<J5jhH0Z!5>H;ly^%?GKFU|BE=pwuS{?TZ2Tt2
zZ}5bF>e1b4alKVHOjGX0&=;AD=Zmz~w%oUnM1xnhQ|#BGv8$yj7=P<Y;LhvGh!q`f
z>fiigY68Y*&ep^F5o5dMIMX1<T#YG<<aT@bb|U7A=NBEqiWV1|W0NGBDeS@dK9N~5
zW8kzW=oss>xcUkUBt<49*~Q4~gLn@jAOCo?RS-_<$@pj*(QMjhD&UJ4&(qqED(al%
z!D-r@-?L@)N)j;8AaXDShT@3LiBpU+Im=1j8j>urs_r-zzps1qQdG@mJr?G&Im*da
zAttruj1ie66%xMsSgI|COjAZ-i}=^!y_n8=iUkdD;{JWA&HINxm*_V)sum2^=UlBy
zRZT~qfAitA^@?D}&>&ZV2w)4^lrLHLw|>}4-(PefO-PD3;+!cs^b1qs@SVGVxtMN*
z@zWE#@(lgp+53qGSG2~{ur+D!bP+qs0W0|Pil$?02-l*pe5CZMM+SWMvEg}d*!Ffm
z>rLWj->K-{7=ofU;^m2KJ>#+3Y`zYAmee$%JBpgTfi8Dc)Sk3X+<*bjKML337{zqU
z@s{*aw8q&vJhlJ0479gaX$b^HTI9%hj<7ZmA5#ou^R~dKl%IQ}BvQ>6xe=v_VX;Cy
z;)4-<QEi*)Ymw~9DHv)ZC4!I2sw?*`p;a;AWX*Dd5J0#Fjw&p8k{w;R8Gnz59kMJp
z-cC5jkF8hFjWmbfs2-%_00+}T_7tWSqA9y<4PeWwS_K160R%8s;&10upxj}_sL<Jw
zbB&R{*CFYU^6-6><a06Z%5&@P01s_qJd?NQB`FPkq)%#stb3Y*IdO1}P8eLhr9(D|
zoynOk!61mDCzvl@h5^|rC2L-#)G<5e`QfD3AdcasO1>0%;Z5~;ZdYJEt_%w>I^$SN
zFBA4mg&suPQPO542udGy;p$`v787~>beYu-Z3QcgIdg%C0HH~%c_I7-lJ-he?>UE;
zpkQnnvC%aXM0jju#VTeM><gKUq)6cu5?+t~<0_P3siS`L!{-JJX=pmU2EmVES5;cK
zJPepn<1qx)b3cOfhmr6}68FiwC6_S`+O^L&Gl`?3jQ&iEOs6&u7Xi=qYtODJFYsb_
z&oOd7yPah&S_NPTit@$t)Lcw1xp7=0!2DkeMKGA(=aKVAtxlHYN{LFA<nwdf{4?9n
zN_S<#4;Q@bEoEh+VBk>$h9Am%Tl%y->O70|;e(51vX7=;ZJWmEZ`HrcNhyA8KaG-1
z)yDdPRDGfGnv94<Kpt~)kyq+Ghr;gS^pUp_{3>fcL*iV~9L_yn;mWD89@{UcoKSD&
zhg5T?wAj@!%A(-pucP93kE<&?9pO$q(jxvnwN_+!6Wy5F1Jm3b4d#U`lKtQqtyr2d
zyRKaBEO_B)<?n@bK+_UTg&NaVqIXy_@-opkkmg11$>>#FvRtt3wn5ScJzQxH@j}6x
zejDFX`E_=HP*>Qu6ba0&PG-IiG0t*=pvRtr9W)a1JstFsQ4M)s!ZId7fEI*sO5m&!
zV`m-qqV%u7oi%>wN=3QqW0%;UEK!N+)oe3(2?tkuCU+wk>s3&0Q&cV_SpQju>F}uh
zSs--c?9+jUsALg4+7D;+==|)fDGY?sj;XiE0B}Q;V)!hD>V_bn%j95un%21p>vKGr
zRWA<sma}K7@4C}~cdoCW5CiYqG}4YOglEJWnF6kU-qb_@qpHT%ia^^na>>iOg@~}!
zuIX|etJQS0-c&3fviyOF(VyzA;0X1}5t>450c+`}2s?FB_Gl!Cc@&3pM@Z$V<kT>J
z44jo(Q&~p1^>DZE+EElP5ML#hL9BABsBse3%h?Pjkh-%n=pG2N39*qYOpGKN@N1Wf
zE;DEF!LGb`mmwcdi3w#p?@-%+yx=YcB1NMyHXGWNPgtux#X1<d*`lf$xW?;|b(cSc
zb8K}Ep1|N7y@o^OJVVz_oa&giZGIF?Fo%(@uNAS<opS-y5YszI<<?;%<^sNHtgz%p
z?S~!b%`kx8-C0|q(+X0C#(jJn;4Lc12{WWJI$pYU28=u1l7K98CaoUpt)3xJj<L>i
zj0e5+qqhA;foaDYY~VFbR<lcg&>}<2v(bt*ikY#Knn>$PVKjfyPtV<7eZkhwOAA<$
z>Atcv?$X^DKeZHKj66R`O)h1dN%~o&18o%ZKkAXd#`?;Lll3IcJ;I5`NF{VeWe7qx
z3H#KV8G@}3djZNjqi8Ij8{g_)$tk9(GCBme;0!6zR#q&xLe`~54bDcAHn4lC#g5wU
zm4Pr`9tqxN2WvmaC6FB6?TEFN^XH2rsJxe;fU_LK71sbEc=-7@qW8+{b+mG>GtzhA
zcuFNUjxiN1-1`L8hoME*LH^m|%-KP}s+6Gy9-hlY3rReE*M|~m3B1R0q1EkGUtqJ1
zzt_~~jg03Q9B^~D!Q+EeQ5#VnDOpuTjt5!h_bb4=92RQXCeF0sEV_;Dc`O{eQeWXD
z|FDCjXqTan*p#V2z)_4!?+kgohP$Z`*~(^J&J|d=Fj;k_zRxk<r<_C|rI|KP$1Pj3
z6qO^Ft(WZii!5rf{gz9oAI|g%EG4m`W9l!2GWH!YtJ9T07}Tg0JyH}KC6jFUf=kSS
zv$x>J$+AZHEm?$)?_)Em6!k%50aLRLhSkWv8zsUyNcoRr(a*{|b%cByx<?_to_j1~
zd;bA8CRiTaE0e@nZWofaS2Tw_GCWP}*NxEl7Lj+>tXjKiBOthHgPdYWKeI3go;P&B
z;a9ZIM8jQG{EsfoZF1HcKKFuS;&yj~ci!{1FZbK7MVrP9`SwTHb?ti$MZzK9-kbW$
zD{`AmEDVa($B9lni!QS3uNevHW)9V+d#@T5QFN~bgt#;%ukL6LxxrdTc;vlM_hNg?
zRch!gl~(uoMucRa1Of19;JViC0X$1i-6nC{o0HB6zqi#xzup5?;%{;D#RsNcssoNV
zEAt!+RPZ$jIV({X1Gb(z=Q{5p;9*`V>i_~;k}MO9m;`lJ{=c>f&*PB}ys@M!i=bv$
zTX3FE<8I8BPc=C&@MbIbKuOv^lY#CBwF%f#y#xq*SLBsdlp={y{Z1*4(5?F)xk~pM
zv{v0Ocn(jn4UKqbuQCN!6uV9np(5sgB{b)e&+RGf&hXfqIFDJ?S&jt}w*QCa!ZR=m
z&`v=Lf%CRY-p$r+PWb$yGb$2c0RMULeW-T%41jVoGx7${<55YH0aN;;Iq7;Z7o<*M
z153(`6v7vvB=4U!%>M)3E2PBzKjs@kebZ;#z;yY4{m}Eh|7Ho_9|d*OyKSJy`C~4~
zNy|1a6NhnDb<Uj;%-+So2vA?GK)tR9%}!j^GL;TW%TAqNg?aN8x=^hUz_8+#!w%%C
uxRuyM3k9UC-6(-af77{UkHI!CX~%6oSwVO0c=8?i@8mIu-ztyzB>q2HE?YGK

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeSelectAKit.png b/docs/GettingStartedDocs/images/VSCodeSelectAKit.png
new file mode 100644
index 0000000000000000000000000000000000000000..8774a99b06352821089ec1240741ef189e0c689e
GIT binary patch
literal 20323
zcmZs?b9fz1_&*%mwr$%^8r!yQG-_<yP12yT(Wprp+iYwb@Amor^v8Q$o1A3#oINwM
z_uTWrJyFVv(ui<)a3CNch_W&gsvscXcEI0XVZeajcwLtGzze9Gs<aqL?Igi5@DGHQ
zsDda6NPPnQn+YWFKdiHijvELF(!jqT&|#+va}W^4Cs_$mb#KG-JZOK7{rAsH#S0n7
z2P9IHFqVEe6ws9r`yx23W;$ivs`mwh_qE=Z58HiekLLJZbpnsKlZvklk|@y(IwmkC
z(8-D2UKejclRk=ylX>kriPr(WOc{qhlZ{Kyxxh=D|L$NETL=lvzvBuw{7P691>)cF
z1Vt<JKc|a55<@8dyH27jJq9;>K<sUKCAeP+@8DXtE%86^zB5e?c)3H3y{J193nX}5
z;}f^O+FP@o%itQ}2z<_h>(pqI|6lJE>Z%dV4%rPNcu$<DO<Xx+>y)omUZrBHY5OGH
zVf&wNpP@%xBq2rJcRe6e#?N<kA2A4#q=Ju%3XL2bKKRK^@Fd~vK%5}>u>5rW7ny*k
z&U7f+X6}0*iT;r}7Lz`Y)209gx6N#+(dWyOW#jY7LREkBBn2<;vsdqH-h!=zo~x+`
z?87Pis`ba)^WkJ(Rb?e=t}kN6b6+U5mAN_0!-YJ)?~Dh2K2CxRJu~yqrY3b~GGGKc
z=+-YqHSu5bGq2|h!B6{dkl2?RmRYS{CQU696C1VMUQ<Gbm}2}r;*B4&Dk>^8sx-sH
z!dUEdbXHcI?cm|yGBI1@3JVJ}i~_TC)?gua=PT79W8_=xmTKehx#6&gypOhedpUU1
zyV0o?d7kf3ZH`Y)Plcbh!D$#hW#KUP47@g)&4%Lz{T^Tx8G~N~BqfJBJWe6}s6+Lh
zVsY7pp7+pMKhLYPxI#NRE_+^^bQv2D_V(P>A3+oa2P?TdT=Vq$Z0cAP^Y}bA*tR8d
zBFaxi#MPf3)KQi$q}>&|T1z62CZs<dK+JA;hhh{PQxZl^3O9m2-(Mfj(W%Yl`M+c^
zg^%rxrs#31d@)J#e^{}ab!5n!)_0QKM7`C~);@YAl;Ded;tA@QXs5UTz$jNppKi8W
zTGwn#Z~<eUJM+lLO<aF_zBO5HvQb-m5xERr8|vYE^E~QrJf@$Fe~;7nP9u})Pi69b
z+;Ldiu{oCKe(LFL!!t+zX<6r&rWsdG@5@P5gin6ZhYvIN*+VGk02){xW5D3`K=N9*
zpO?9LsdG)I%g38f%n+OPG)W&*3L*gy3gYA61Yx*`Q!uEjKWX&HL;@o}-0x2oJUl!q
ztae<bNzO^F`Q;5|)Z08u`lf$@i2i0V{PE+*X5gzsCjZ}yFDTu(2u;Ps#h~C&FrHZm
zYDNwY=aYH-1pyB$NU2DforT5AVc%95SXfZvr%f_FGogut18-Q(GAB@Y^WWNGFLok=
zUXIJ-^R`%mqPbl>6C&f{!nMt{)}T0Q%XN?>rTPr^$>|=B%L^Xrt$Vb1lEp1ak|6na
za4|m+H*asUU=uXL9_gcSHTf<%U-#u5we+awI8%{7kHO2z@^5M2hFj=lwAO{(3b{o-
zsupaSV|*M${2?TotR{0!;$`5KxIUk!g0AAec-P_y`L{jp)3h4D>9;utXZ5~6=vji$
z82kGRAk@Okm<FO~`cIpfrV4VB^-oVLXQB?oF!x0M$mDj)*EaATA>y*fK`?ceh#Xc6
zlT%QTJa2ZGL4u6PJpqE&IAip8EN-YQ)`g6Uex$1{In4nqI#t)_$LrNMmF)cdNxVr9
z*gx3HC>#-YJIFI)lB|uH9OHz|3=uNQe5t8rG>bJ&NSt_x-&r^!n)=J87Om}E7$xi<
zOQaL1sHk3U-p<KuOTgRXA|t=Tzs$xH@>410=N1$sboJfV8gyPwXzC4FAiGT0LxsaP
z(4B{w9_Z<3J5U=+@!@A4jRQCN*6fg%MWPE4fZ&ErWw<!SYGi`Z_=PZX#(MB^rP1m-
zE==g<h<vjhz0bbI>(bEWUcy)F#F?be<%{HkXpq;ugtR+$n_Hr57K4CQkb#J4H>p0A
z)`%FHMYD!V))vy}W@%kkR_{r@m&<BWO2Wfe@d7sKEmj-^a_RWNJP}_A=eMV8L_|bf
zT-*|=xSPjEVdrg-3;)&)&o%BX|JzCaOOlbh<GC4fJ-;iYcN{O@<9bGUl*dg!X2-*y
zy&t}gju(ur>#AB>(8#c`u(GnUz=RBqBoOds$wze=vv+X4O0ZAB=SE`vGUc>`6elM5
zxb8NbKs;<f;B}guj5g9amch);#TES=jLSXN)g`blx1vjRXR4{GDI)Sq&#9Z!d?fMg
z?2OZHk;JmTqi`H$suRc`qtpeFeMw}Ftrbn&o8I8FaQP;V1Kv^{6>y$di2MEW?t3Gs
zP1zY-e4b}G1S(}$T%KpzsTjrRmNJI&!!;8FgHh<DQ7uke7po{T`|<o2%e_IuCkoXI
zT&Xk75s_t5Cz&XypFlE<;xiv6Hu+j1mac4`rx@Wrvk1fKel$H-uGA<MK`g^$E@khf
zj_Ql&NHk)*hV)SX5w&REXJAJ(3e4@q{qyd}&Cqd4;;#e}CxL;1Bjs{srj{eVi^4;O
zVNjB?GoCaIRG@b>gIM_Z_}JKwhr*w@K2qv9JhMBauKWD8_pudMaXcI8kO}hDUCyFY
zt!wA@PwVb;3T?uq7%^eakR8NR?5&%=^tvdRkgz@WD{KNV8v&0S6?)@n_PZW8zx%<I
zF7ieAiyJ4h*sW%YC2?-7`C~Qj(xr(5Fqk5t4UpnZ-D05pV{GcbwuM!j7K<RX4N4Jo
zKoixmBJQ4uBMWkPUFfqa>ib^xL0?w{y`Hz0=#Q}AdpQTaT@PQ&heXh{nPEJsqC5@8
zMNJq)f?BS__xJZFLX;96nA=2MRWMklEwGFqRTUGv>)v@nWK1G}d~0grkeH-{W6B(0
z6=3Bp^gy|t3VdJ>7Yi0BL<)Lc+hSvX6S(>X9+_T~yn7L4GQ#!^CJD4WdnaWV1)j`O
zL?Tvgm7c|7ClEp!L4=~umFWdzEn^6z^e-OnH|X)v5q79bo@Il-68n(>Xri`ub}Fh(
z*i{@5qNipD5ug@>u}%KZuJzWY4khh6^o_m)j8p;w0+f`HNrm{4gy0z$UAKxhB{K8`
zkkE=Xzu8z!2VvY5OXH>CwT8sn$hu+}GsY}3*vuEw*m7cD!-hs*N_p(H*Ul7(`-+;4
zIhYK)o;Zm((zZ`vF1FIr((D<-1ncX|TNgw8=)S<%A`HOZAjR9$V{M?yB|R>fRO_`O
zxtMm<?`?-Tt$!dBA55m1{u0MF)!lh_mAQ2T0Km(O@3?|Jv+-Cuqq78+@aLP`WEDJ4
zJr0FTyaH|o{XEV$j&YbCzeh)kh%d@jvls!=c%(gySn#eROsx8AFvr>QRPt^k_}@V&
zCdP{+7DGlM%f5mxMABidp~{lGJ{Th+Q!D2F${mWZW)2Szr=k5WInP*ZQEAq1TICJ`
zX(B0ARn)Eh-bUu&Rp)bS>1}!N@Ylwjq;(v%kWu^ON?AjLGJEI3w+-x;yh>g^V>&w$
zQ80q>kxbEDcT=kqMVc&>@gf9En(qX$85-QqdYxB0flR;8J-X+Qrwl8IOJ_JaAG;JK
zfl9YGQW(7B$<u)sCn1ugx9cNPlaM8TDGWOmN7Ll{;}$ZuL<m!u%b=wg_44@CtQd6X
zX>BLVowJ?D=|HdHPw5X-OnjqEG^?rnZkstOENUVf?HK@Ie2=8g_ZB;QfC<4Dt_njI
zdLrTD%WiLl@y%#UijzQP%+bQ7!Pb8o_Z2`4$63xoSBF&R94n${?tNqX^E$7lRF5ZO
z-|2bY4<bQ(6*>7PBP!s1Vs_Xwnadlxh{1HV{bMcL#JJR~%gi74fvT_=h5C&gqkl4!
z72E?!dc1fXHC%Fot-v`9UZkZ+O$VX2&JULkaRXsu7;nQNSL7_kIm}w>OCNIfX65WQ
z@dn7IvgDD>Y;b~4XfxXh;_Uzc%VvU<zt|^;o#C|Y&C|@n4HGK(ULk<4pny!5ME-eH
z5xIg>t>ww<s^)MBIXg4)@j+FKhP>t`%)6_W-I?<Ht3^Ddlp|7rH6`l1l7i;Mi((E6
z3R>GLXe1(S0xS4_H)k&;GTg6hrNs~Ku1o=K((1Y|$3;{cjmxd562roh&XTi@)}!*<
zm?)OXh%G9cfteYbflWtJGQ3JVti;$>5U1FF-4qLDKNVw%%hWU`YWweSf*D;fuK1D%
z)-5E2RU_0Y5@V!})V#^8YY|#vn0ufNyZvNMZS6PQgdf%JERnpZq7H@3uvlIqQKqWs
z41@|1u}E5(Uo9==zcaw9oHs+eP_O}jkW$}TL1%i}ny^odC*&i_@DE=NPu8#Q>grg*
z_}y!e0rR8jqBi=NDK0XYi^V+9_JLKIuAyiVR*_#OJll$~&(M4%EG&r=-uZZ`h?Eb;
zAP*NCF}VX@K_Ty<qGMuMp~>hZB55HZ`?yo0GT~|syZ@9DS%Qb{7h8jgqC`DC#VL;)
z41N(+7M5=@?QnyOjEDAGB2g4!A+@yG?}Y4t5C?&xBI_n+<j>cg$sW(!skFo?rolc_
zDAY8_AS#Wo(BPWuS0Tu+<z}WeEhB|mjA!YLLkF_c9FJHZ_zj66W-$CIMeS5NB_-tu
zGM#=MKiN5sA)e%_9tfZCDF{nv_ZF(*HpZS3czXJ2v4y8z*rbr-CGp=W{|Unqo9PJR
z{A*#%-xN<afhpf>>=K1S{17@<K#tWc`IF>8@0=`;oD0ckj)!dG1;bc#B^u}Q(ge3V
zPB2@IJrj{&5u9S_`({xKVd&D}kTXV*@dp&!T2Q<C+{DDd4%o(xM$pF3K*~^lTWO!5
z6ozb|9_xRTyHas$h2g)5vP~5_1X<GRnHFgy{({+sKGNlV83w9pd4a-b;~u$f8HHzg
z{bj+>YTHkTudc|CLNPC0fl5(i)@0K;prvnPzJ?#X5i4dcLj(6XcIn3?EGsA}7^v^d
zosBiTKu<AxN1l&BaPT)3TJ80nG7|d)$qr_U5VArN7LgclRYqs&Z(2VM<3?Dk;A``P
zx%$<QJ%csn{2W!!+Vi5?v63b$R7(fu=Ax11g8ict)=~1TrQ7_X8{g~F@JbsjC-BPC
zzR=b<U=&X{!!=wse~#Ecq*gP6GuLR1TEJ@coO`{Yx1iZ%&<Dx|?aA$~Kl~JZ0V9H*
z;qAJMZ3!Ngsaj~@1<T97zljG!-Ob9$B4su;Gcz$pHorZXFuPDB5ytUWR6`r1SYsB+
z{gTdLa-p~_6dmz#cjwLpT~zCgY`tK=Ms_yie0MZM1LhZ>y4w=BP29>VV<kfm(dPhS
z`GmpL3I!2?kS83}W5+ELR$-#)#9|z8oX~r|S3gWNkQ*<pI?w37mrARq?;#L9PDg+k
z#?N%YH*15Z(|-mFUd7j917rNv%F<CdkAtt&_{6HJ%T(!tLYD#lcRv7qOhlSXTD@e%
zA7!R(NPiA79Y$4GGnC`PrhVScDV22kW>xw}AVM#i=NnIfnCf1QTjIzYO$T`^{;Crj
z#^H0Pp+avnV?*VK?Eoc`6I7sui40zB!Of5JmG?S&W{6M}alcq?hIbLOD$#3*&>MHM
zw>G1arbR(H_Dv3Gqu3<ZFQC(bZ}5PYnB1I~l2tK;2*cfXT^)KbWRJW8T32D{;=kcG
zCCKs@cIEzeaMF-x?sg;z4GF?k)Kiucv++ZylA*b4q~5IK-!qXy>m)Z#Gso*qnxm@B
ztDzd77XR&*<0!11j)o#Gr~YfL{bcm`nP=#EL`<u>FvWtkAWbp|i^EVWp>gsUALF69
z(DHKP%Q{SN%ioO{-@iJnwTPx}+rT3K0Vqn;w$fR29ce_>(PK@(Ck8tqRFs-4i~r3i
zb(Lm~=|v_Ax5Fxh&=GlLCb9O|Q-<NrQy(<(y4O|!1Iz(~Ke3QM&Zgns*3g024ao;4
zy=EOP?2yT2eGAX39^`kBz4N1)k`RNCH7>C@6BIGGI%r>+Uq?sQO7QrMAz-F>VtqPj
zAkD#SV3|X{p(ShkSVqn#q^8{BvnZ)bg7+AW(XxAohcTBoCH*?cCIL`|XduM>MH?!?
znLjf9UXLqgcETrexEqNgiB6kb7VDd|vF6!-#A}e_RZJjm;3s<WE(&LLqN_SpsH(W}
zv^O4CH5*I(Bh9;aLkAq5ve6ujGswR=DKI+s2co5U<Vjd~JkSuN+S>AtP@EqxHg*vb
zX6W><5Y-_eQmO=oQb@_dL~|{ZSksB+9dXFpngF7rY5N4~&trw6+$CM-2b%Mz@NltO
z2b@0VaHr_Uk7&t|WHHiuSt1)=M5$KJ0VY-!!$P(pT8xQ50wRj_JVW*%sd*FL8O%nO
zmE>(l=-$~jsLC(a5fvnpi4N|hOFaA#>rczac#A&E0nip<a2QI`Agys=Gqjp*O+QU<
zZ1f7KK^|jvLuSI|9LANn-!~^e>$3+X9GUTHqM0R}{KK+fL$1Kw>z??fL(q4?D_U{y
z=5`@wD1+<1iJV;xFEL4`j{TfKcf9^iB3iTRZQAd~)!yJ_D%?5oee#LzZm`@o%lT;2
zD|0#HW+#I9<;D)a#$vO}r|l6Yor);v&E;A$7zrBLwl-m?O6%uEe6dMi2;|&%1#|{9
zfOPbDoND&XW^MPqv>)c9GsNq+yACyDH-ie)i50?NNqe3xlLjO@P-li}`h2J%Zn`kq
zczQn2|Lh{u?g0P$JMI<W%uLz@qhn)!$7LB1G5j*3Xc8IWj1$pSUqkGWL(aeU)ydv8
z4u<LJDkl~iR`LtGTgY$hZ^P?pID9Y?ha3?KEZ)Ve7qW9@`+=8|zyj)#5F`EnlGH*H
z$=-^2{<qQw^Z%!`MKmZC2!$k(@PT#?6lhTc>Qm%qc<!ghU_Nw>C|Vw56Zxn#pwAU&
z%&A>|Yl4z>7f=*0la43&r`cJfmP3x@Hxbbi3;H%0cg3q~Xuwky50fs$u+U>PO)3CN
z+?}C4SB^T*0}iUJmsc^lOL9U;)ISl>msRlQKn5=P2!llogs2OG|6e2T<ecfvA0_%W
z)kq*^-EnrWjK#wvFerdaGgW;x%59W#7s=z(HKf2r7JK6>a>yxz|9Tv0h}a7?8YPpt
z;x+XZgJOnNMjEo5i1*#PRaaIN4UieT@z&vT9_k4lQ$s4(#4b(I2}5~so>;-oBT>zo
zwX2~*gWF@&;|!QGftJA(TcLU%3HHrPC@93qm8sLDicAiycfNjEDJ6-D7yUufzG0U$
z(T|RUGqNsONCK_D!Jz%$$I6{aP4cTks(<`Yy{7T@jSVR^urF5I#wO$a-@OZ4GfC(q
zoy7xMSXbW%6}92msOx|gvtr)@0SU>9{Oe^Y_`lIPLK>{DM3E0eZZin2uBcG1(x6Mz
ztyCY`U&o`+3n=B332}xpO<qdMO=|xqc1k#fcam~#VEG{dEmSOxh{O8t;V=r`YXT$u
zZ?u6&MaW1qa&>hDq!Hq45T?G+?X>^7a75U2MK!Tx6qHv`5OjB>(#K@7@I&K?iH4>P
z5LIGgVzNpSnhq7R+uGVbUw&>i7~xh|Rz9CKPGK_}HU+-FkW078Z~9#_i;0T^lm>oA
z$;4#G?q|25j?VM6IG})eC;EU(m0SbT6gDm{Y~!f;%hTV4l`?>|mIi%(s7jY(d_J`H
z0x{^Y-sVylf{4%MxYd)F<;UJ%FHMv)VcD$9_*TWy*Vi`=?(Ca#@IpKtcve45M@P3<
zqes2W9}J{oVDP%%ZpK31UqZlkU!}?vQ6!K_E~5^Xh(Wt$=jhgZWYr7}YY&XdROr&q
zmi&Ex=WzVV%*5$CLRwGca@y?jJlBnsp)MqGsRWt<kHzqG(Rq1tauUWOG`(z%CSOC%
z!oosIYBG`C8+gB<wH43`4u)OB=CIlXKxAZmF89GmRJ)~*fvG8_ySY}U{xDc{Bmy2D
zVB)W@uXlC%OZ4ykO{3TPxXHk7wO`RyRc$aIMQdWM6;pLuZ8|3Y^aix!M(eVA(jh<#
zL?!<wt|KNVmcQwHT5~v65J5gh1S&xY+oW5w4fmK;6cR;k929DNBj@UR189vxK_C9=
z_kd736NwX@AoM~r4#>=*-?85~pU>7>ous6`ZSRc$;x#@Vo`AvqWPdn3vG+FU9_Zlj
z-@ei2^A#!|A0N<21Sn^WtTwY0k&|6rU9+>QeWTFIv(Uu;C{s=h7{6)1k=jBTWKhPf
zGZ}QuR|W#{q+9A6(rdhX?NUsIV<8IuUdy{h=)7gJs*;)ja&gxAI$P_O*mnMYlhGR{
z;r;pk=(O$m@Nm9XRaG?{haZu1JySAFM^7IPFHo*jz?GE?Nv|imUS~qyD28;gT#w$D
zmF99Vj_VH%0l`wG$E4pD$?vX?(V8gh4kh18DByi%k`JuxJF*}bmW{ZCO8T&t^0_=J
zblUtV=H!Bc@8_*sQbd|R4bN9g97#|LeY-#Imy99|F>?Q#r71QUAq0ZHcV{b&355Ju
zn3(sQev@M@dC<vz*F(Ks_lr4Gf{)cR)?s7$f_?|%S%{&h-`Lzq@5+pA$oTk909jYH
zMn_Zg<nVCV)C_@000-2~&CSG9A&J!(q;(6CaI{)t?W>U4+D}CaYU+}N03c!j$z7Ki
z@qI>`nAOeGlZ)T!*Vn`4<z+xBi&?}r^1tRJvSv7-3BlNjcgma*|8HFd$ftfH?h*+=
zBjk%QF)$*1oDu1V&Nb3G+`0h442#*200##q?JTwU@hyggE7kXWwRr@yn&Hs+WWJJ=
zl=L5{peO&AQ{5TPH4*`Y)87qu005E$Z^B;_H^=3lQ%-@m+XWwYU31YTkrmIzA6ElG
zY|=*4)*L{)q<<BOM|9o%sT!Z*99nbKgAsN+oD4XvX%*ZLzCwi=jKOB^kSh}nh0<Y2
zzdf9S_mn2Vn$h0<a}5AKJD*HUla)V|5Hw-mj}U+50-9_XZP+Sc8*n+SLKIx}x*x0F
z5%d*=HCj!53lHbDnDWzZ)haq1Y#xt|jRl8BBEi?t&~SF)%R8q0Bm-OsNqay5$4yBf
zi?m&;HL$R-02X1aA@2V=M}h=5dp}{f6T&}BQEkwv>D-Nq6DLK}UZdCAC*XD<e?Vg^
zqyi~7I>iiw=)seMjfS?mybQx=&6Wk^tnS{oeMxVbFSk$GGv5&LQH2o{@hgF+Hyx}S
z0?Mb_VGkvFM3Eo?SR*mf(SYg<&OWFkAu+f!5V1n}6(-Bum9Ol_(kUQRAiA_zO%Z7q
z@y{HMBV<K7xt9ZC<BIH59>3QG5PJ!6acO__TTPzn2^@cl!IRmvq(46&7Wl1rJ){Pq
z)@a5^^RROLOVVxmJTx-voIedZp?GP?^p93W1~jy^0Ej{8bvl|tJv1}~i!E>qOnWE@
zh;<<6W@5^@{Ej_7vz!{4m@w!Kd<V2!vIPi55#nmS$4v$9ve#s?9eBMKds=$>FG@<-
zkN%`j>r8NL0B43rzKRtBIc9bc4f6$nBI#4U?@481B1)eI)fYKAI$Bzj-B?s&Vq~Z7
zU}z$dpT<8AJHbd_-)^UV8g}FHsjj;{5-lE|d<6yPz*F$?X?I?s&%a>?1MRk3Vwz7|
z+n4><og;Mu40Cz;@tG27$m<bu{Ug)ugFl`XMt<iDlwU5s+P=NrGH(a&jm!WcG!X9N
zCbpjc8#?4~^OE7^S}SuSlTO2)Q_w5_D<?6k_U+A$X0<j_BZuU1KSkI<FgSD;aj~EX
zWY5!XjIw2?*JU8!e5`b=0vfvp-NLV6qR(uuuAMBa)h3%zXykMzk>YO68eI>-gp7E`
zHY$`0hxbQ`R6Gv6t5hrBj=LU2SCX-)pr20qFVt%4e34Jx??;lzZJTvpZl&_Cl7na~
z3V<6;76=ze`~xH|c{WSDBlutvYbi<}AKbk@C<PJ3fe@?LSymsvHoZWJ1D~d}41F*)
z{k8arl)~WQ!>51*=yI<V<eRU9T7)xz@6<&rC(FuZ6Ws>qb)80tgM!SC?qIglAO5)E
zwFM;KZHoTF2SC7}(~x0V2ME;oc$@Q%n5rsTYSvv_DUhJ<%&P)W3WI}##|bm#sbqeA
zyuY%eMs3%YBN%LziWV0a0Q0k+yJzDYrb{>6J#069ZQX9Wq`s|3|Cf)v<u;eUo85ju
z@SfAs{r9jCItoH4e2Ef8cRNbZPZw)K#dN#8S=W&A*)0A5EQnhFZ}4sy8^6nL*j*b%
zF`w@p4LqmW?^r<9+yO(bbzEyf6ho0i?E{v4n%~ThO8hQI)1(y~2heCJrr1f|$fpl<
z(QenfL(oLtAWS15{4`Nc<zDsOhg-1oM7scHE>o}h0Fc4ccdvQ?!$vCh?>Nm8@VXA#
z+^#MRF;;oc&dx&keQ7#$nnf`{_w#zn0c2p5Fs~!0*`^4?du|(R#Q%eI{=<YovX5L8
z{lD<%|DK%b&*8}7a`-bg#_v176M<$RN^yOC?RGGZdd4W~G<zp-q<{x}m<R*_4@ABT
zIUE3T0!-F_CJ7mtSe;*CPtV84>t(O^b+NG%tZJfQ0vFB5>J&8`6)=v)c7;X_S}fPo
z5*xZQqP``~y&HewXh-s;@i9tot`D|A{vqrRFb)+jo;y1spbP(wzW?8L?l>dOK63vw
zGc!A!$e~`=OVF*sl9x~t6@aEC3bEgtv3|>h78$ntcR!wg_Zu3Lq$7e%@P4cBEC_X1
zP890#F#x~@Ady=u^lkdeh&~7a+yX$^AlAhf&c5LxU5<$%XFlGliO-_qnb0VYT?3U-
z>sAi`13~eC9_$>|UR)-@B~ShbqJfsyg#L%dfhN!J{dcc_&HsN-cI@YH%*@On3tWlF
z$iR$SHu?Y*2bi7dd?5`D4Xs;&{JgwAK#ZHZ0;v(uAS2+%XO-*v-2wxJF2A%`&lDfe
zm9w+Q1f4C{13teA6UcS7Q7;kH0s10<UFYZ3J=2o%^4@2^FxTid%ef2t+)%v6Bq<3!
zm*V7P232;>*LR8l0rG$Pc=ErHo;M)?{X%4^Li0QK)AiWc*%hc#w&x{$eP4jNW}vMN
z!%M@%IVz1~=(C?TCH(3CbhTq+W1~!0R#patc;(NZ5q>HvsP6dl6a>(Sc<wKE$DbdU
zpPPUu4&)oaB7?`amJ98x12Xm3uOMM!_5eSstgPHoODrobrJ$q~#U}gV1el-zctEF;
z2bS2&uG>jrz%2zpb&g{P?3Q!_k%drWL&HB~eem+|kQz#2FEQZ?q~>{1&uJ$aM=tgp
z@X5r5(9zM8>Mh37`+f<OM2H5H8l)FoKuVNWkc-9z-6n`bDth2BYIO3<jMklsPki~X
z%&VKtesJ?Q=j!bGA>xeNB9iYVXQ=nbU)NH=G3(jyDJjEpjNUb~1bsXK8=28G2FKd)
z#>?)7Svycba;R(NC0<2;mAX|2Vo6b4m#O}@vKCuV$@3()y$gA*5*Lu*`@FL%I*~wK
z$X_>J4u719Yo<8=y-?=>Re3+`(GFlNaTu+ncau0DF}^4+%5nYcRS!TeDBM;cB>mwP
z1yZOKI?h|x095I|(+}Af1>Jx)%R){b%7`2Ie!qmG2dw=TTDXvqkj@BjaA;>t0KL3F
zp8IEgg>-Y;uQtI(W9g#kYC5|@yZ>8>5@lObVQez<@({7x*pWfBNcEa^Yi6ud4?Nde
z95(Dg8}e8Pso<}!#7hHx{nlkH!|WR*so32PO}-E~>2yII!#%|R=CiFlUcyg`Hg-Z^
z%(;+`qh<Oi6nMzm9t@>p+qg%*b*MVGt@&4sGV=~Ao1fNobSW1nT8GY^jsKIx&DB-t
z<H;;f@v+M2T@E8jty~e1{62uyulH#e{(uY&)sib`Y-}v68JG$^J)6cXVG$AR*eIBo
zWvZ0`p~>Xr<h+jq3{U_vmdj`L>(}bHg9&m6zInrl9_;=BY+F>@iEK{Q3Fy)WC1+P@
zIXSquNFNXua;=dZ<3kOq1_OP4|A#Xj7>j1z0KnY?=-BOMvkfx1*f3up?_PEniCXuC
z;>4$3#fNo!b&Eusz5#<>b@M&$=v|^9*-FXu8IS!tj{~&JxAE<gmxrKCKWP)>C~SEL
z$dkFnPfHz-q?=!_b#x66Zuc!awC(LgaH`*r8P31_%K@=W*Hnn;Nz+R55@JG=S?q_?
zMdGzLNhbB$aBy%CG2{Rwof5c3aK~{c;&+Ep%oq4a4h3&U$Y;X^2ayH2?G_pOF8YC5
z2h@`&>in-==()Pc^F_w45W8qeq3^Gcy?3);oOOBw1tI9?S)#A@Qk0@iTZhdO@NE+0
zf^k#>TA{#Tm~K{8_uKQ%=xWEt8qfOz&iZmscAE@5P@AYap$g07dpAdfYT=#iMUgV9
zOVayofoSjeR6EFOuiF<Hiyij41iN8#99YH58n0wEEZ6}L#mTWl`DXW~7=NG_m>}=E
zi@f2DWtDEJjVByJQs~@=+9_p6*aHH!@bS2EAXEimE~_snnU<~fR+TrF3yet*Itn+N
z#b_t&TmjMZ7$fQEdN=3s;-SfJYOVmx+md;lWbAi?lM2{KJm00^y6>BhPJ_SnQIz(M
zI=8{RB*3J-6*KRQI_gU2{e;buz{_+KmL=%NKtkB*zm9!<wp(tX>@l&FCE-ek#%kBY
zCOHuHF1)gZAT9esBSR7`L(|gkcIcawfQgBjXhcg(J8sK?XEHG{VWC@7U40ggZTOYV
ztYI8pIVCGAOGQOxcZ^#IjgZiR1&8DwU}liiUa1)wITHu}Q;EVrLsQYw@v`3T#zM|>
zXA0<7KrjwXxXWl@5dXovXK^m{yPv)_o>f-yRunis3frAEY)L{4hSV5-uC~!FvWJ`e
zYTuw3s9bj?)9On)!r=BvbD^L&%ydgpx7Uu_@LLyxW9ycPf^aVB>DxBCmPiqpWZZ}|
zes4;NS6kTNzPNDremb@Gtm5)FW(ippn(uc1R4y1>gSxU7j=#iiW0L`65M<-j!uqz6
zL{NFqh)Y2iF`Uok+ukom^zzL^&a%1J@|#Hs+sVy;r(FILo4+VkJ|Lf@1isAq?I>Vp
zht(}1)pmCrI(blLpyHDqs-@^mG)FShxPUc6{f?{rBV_)=v-cN8$Z{g_V5kIh&~0@J
zJV3QfKdxsYs7tKt&{R93Lm=cO7U$>BwtBZx{2}}v&Vt|YcwH&hP7Lb4>cs|=2i1Gj
zp~r;`SzWXr5*>@mD~S~KgR_llqLZS(-W~tNI63{<E2Z;0fmj%*CaN$z_G~X78Z(US
z`Yyjb@=bgG2s4Ag9KE!tZs~0S{mPO%EUL=4B@jukyJa3S(c+JIK{Wo{)vu5$&$l#W
z(n1=(pC8`gb+fR9?R%FfAuW5j^0Co2E;_25p9@Z{*X+_R;`;9!pB3B!ko2|v$ZK8)
z;%+1c6R%@DPNx@ps!K;3bTZ%CB<LWsllS8YVM(H7Q3me^^|cKBU+i#5Ai!T^89$<4
zXV9uDq4<>Wa|>f|j2k&H2wpMbr+tRX7x8_rwX&L#w>%`V8SeK3r7k8NIl1=;1Cc>@
zYHIJ;`uk@XHQFQ6Y#CE&ggUN3>)@~j%xW1`Ng@lJ^U**Dpr`1C8ne17)smX0m}wNV
zgAzM088PCrV3U|iNkAp`zA$&+Eod3RdV1vo1!`$phQR>N&-eKo$K5|LuvDXW7*LXx
z7Yb3O2@8LW5ZQj&`?+b)1yIywUYTEuFe^Rm)hOXcfzOlxuedB^0OJ22ED@_Ges_Tz
ziWercJTlHx9NvwXIy<vB+P%ab86#|oH3)`wB-bOh{j!^ZFhrg#kdB+s=wP(uWwdNr
z&*m24?lH&biF@d?cnR4FO>#zZ2|;;Sei%lAyz8Em9=Z0Er~Z?A*^)!(0P}O#^FgqX
zr#@*+Lj<C=Uk+GFC{=#EzfOIyuR+G+w4gM|*Cf<spXM1_SpttV)Jc5a_z9JXV@5lP
zK64#(Bg)BI&0nI*>xUaVoRUB5-lT{4<%{<E&A(j1P{mTw+y~dZX<6%3eb=HW;Xbw%
zO3^{`(DFe<QA)Z-sHy)JTm$K9%IX+K_Q-P>zuB-ut9OGy!=71`tFHH9p7%zQO3*r~
zrDvM;Dt+{YXZ5d?SgWicjiP-WVh3aq@RkZ1z9~ZVv!KSC>2gJ8=1x;WE+s>6B2k{(
ziZU5IpOlP!mQeS;WCztoggS}5U8^X*aMSpaUiY}^+C|+1AuHsI&~>pJSBs@1ok>XI
z<geA+%JmFr7f*kyw;I(;b&{E!0f71>mJ@``M&f9`{shhJ@ETg#0rH2z<u|(yzhUA9
zZ3M*>9I?RVZhE;SDr`pKAgn#T4ur|;#E09(2RG@xu|?-7FrCw&GQLB4xg?=&W(I>g
zsgP$Fd^{+@6az`uQcx@Lnl=Wj4yLi^)vbSixa{H=E%NMMW`yR9S`c!B9Uyymqg-@n
zjT5qn;KR~8KXy^iMbuXz>=={1*m-_a$8?E_`L6r07<t-IT)droGblB}aQd`AZDmiI
zScB?H{Gox_>NGnt?>n~3IgYPZ3o~{@Vu?mvZkFo!S1b2T7f&u5g^eK~1!{kH((A=V
z){S%fKFw`JuGTuz{O#Rw$?^Cf|8OKx);)N+X@l)WJrm&cp`P#9u25Mog^R)xvPacl
zW|clDa&S%xL;e-vQ252BdR)sUbmfL(cHtWps~6PT<hS@L`W_T^OJ0ia&cRbbW*UZ1
z$~%mZIH|TlmQ)e|cIPJAub*o3;Doie(+hJjcN>1Cn2HopFK8=We?<PyRz{;3z{ose
z?zHS|1wp8G9j10-pNCwm(7c~eD;wDsx8*=XMGqMRF=OCj3f`)8jycp$*l<Dyqi_+9
zpC;wJucp37fX)D{g4~f+TfL==P>nSv5BZ$tE6+cPkuSJmnZz&jtvDC@_D_Ng<2z-&
zkyl@*1RMS)&wAD4Mux2sa4!vz@Nj}=0HD&I-Jo)DA;a(+c}U|Pn$;Vr*JsX^+xfQc
zkwHsVJaUXt_UG!Zn>*4h=IRg?-#0Em-Uq(dAmV~Yg?i(~Uvg3Cn((|9>ioacfFQ;Q
zwkt)qpxYuQtFQFGNX*Q;@=dQ&KF?odNZbOx?p+0a=>K!&tF1umM=Q1PQ`Q})?QTa=
zY*Z9#>=J5tKe6mwId#C9r$C(Z*3+`RYmS0t^J<Nz9stGl7J}6XC;ipWcjFcR`40xr
z*%kZ*9v1Q5V99;!lH%Oqi~pRO|2V3P+2)XDrF%%!5p7#nj00B|9#B8VfrohuQXS;+
zWVZEZI46ic=bxMc_m7fcU}Mj8E(7=c@32dhfS&mV7y<zEj1jj>JTKqp92tqErT55U
z)~Cfd+X&rkgQ}c9;be_EsiVni&{_YV&!Gs-MtjwVhJ;Wl=C*lX@6xJ$U-!SA5RX7o
zke9c&w`X8>x-WQ9p;>+9wgIFuRdsa+?d-2+0Ri2k<^U3>0S^&#(!t|#{2sXN{9ZWo
zLTXlX-+V9|auI-56k~E|LZ75rC0S`7C|5t_ev6&^kI^&5nEF*3ldZ}b7}T`A{G$Y-
zmeY@fWlYaS{eKH4&Xb>hkN`GqyKx_wcWp(*$e%wQuKUq)Wk6L2zL3AStE(%3Q#3Tv
zwilpRf07XUo%M!<hEC<$e600(t=B&RM2VJ>acZKQiifxOYAJlZK^+}6f~zr$H;p!f
zUfxINAX(s`$Pe}6XP~`|n5Bh7UYXtdD6KT44JD*3kc9(CAy)!VPHRTJkZ`z!xO`Og
z?TvL5)18;nk(F{=*?hK3+k#6%I2%^GF20il@Ik{qXQrp87ZmiG3_z7*4&U9~0ScXX
z%0J+Zi`(;2YV|rL3gBFq$y^=jcys^jA+0(wq3>mJ>mB!NpKn&ox7*QyBW=Ix*^MhE
z1XMka_}f*>qGFv!x+#X;f)|bLDpGV9$E{k8>r{l9h0Z1#+ncefw%x^pZOyl)<CPOE
z8&?Krrk9tk*<6U*2K~A6e5n2j0gyVa4yf`-Bbb43ln4Gf6Q(Wn9CBsjmRwQ21hiT&
zv}cx8H8ueyE1_aVs$=I^RcW0rE}Ix^oz193yp8hChl^S2wpnp*8QY69=>B4^S>t~!
z#L?PSi!?`{Ff3e~Rm<x1@Ek_Ctq!m<2FY03OzEE38rJ2=MA!W%pTq1GDo1wue%G+k
zfxn4^pQV+tm8qf&3ewh+evZ3zilOqnjP^x4B@n$v@xSuiXYBA^=C`Xa8%&9|RFeQj
zq{0?|QU@ZCg8=<2B!%3>!~`gmW5+=t1`JqF&z9|zG$fxCDU2kRRvO}&CzDpD+n95!
z%36k%7bQIfN#hrJHyxMvX9Noo=aFiQwAa?G8z%T3LY<VwAp17dZ_Gb2J_OmhrOKZ#
zlioM^a$X~L0>s}q#!<Dv7yf7sBb^bCV4jz$X|?X9I|ut5{0<l7WdQvaqv4T2z-MG}
z0W!hON@ne@{p-}q72-8cN<DEp5yu28CR{5q#6N7*lyxBQ5u`w|r0KO^f$T|%QtL<~
zS~q6G)XB%yE}Q%(x?I`p)D*I65BpqN6@o3~>I%bhPNE%{MvJZ+d;+g+nkGHF2JdU~
zYt_5P;x|0Uz{9WH!uVF0h`Ci1Hf8-vKkKfpX*}@KCf1jK`2_2f)WLjE272eZjrgQz
zou2aaCL{1*B)Vy7XA(ysG{x#ojfCoIUh+a63UrFn{M0xu|E;iL%Qn`HJ=gA-<E*E}
zrG(h$qr8&mdNH3JpXF6hiwtS*J;J3`B^NWjUf6!$K0Y!b);ILW%O0|b$J64J%%lgx
z{{k%@ai_kPpo{acG)=~Je;sta{px8IOCNWE%cPWJp=g;&F=>GA!I{ZeP0)|&`<lIT
zJk$FGdVK!Sh>3Fc5KcDxuZ6VV7Xt94XdKFF?b)Yu;u+flG(h4=OoVetRW#UGwpO8w
z3l{%v=lZE;rAdbg7jCk+U5UEX5~z#r^VrsBG3@2^cWT2!338>MiOYS5&}&^qS^4TR
z=u^+xwWzkXwzTwL`PkLloYM3H<J^aVz4N`TCs0IxcdQ1;Xk7MBzL%Te{g7TX?{D|C
zHgb7=x@syx7nvqc5buSoAN5gk0fjF8`e~De_=&caH7%)FFre9A{RbZ#1j}0w)0n<Q
z^Qr1$mfRN*VEU`IUGIn=B4cPU9^<<dwxRKX-CTR?+=D|;zN;JNU>pT?$v@%eB__~A
zOEGVGL5Z<b$^^AEw5&>sB5|D*5GJ+JkosH7k1S+=a}Jt#2RC)6+gBSv%lzU}!n<zt
z{uWuf_A14KEwkX3=CRU@=sT&m)%hwpk${{-fSanK`92n0Z`%%*fpU8ZHT<|>7lS9y
z!0?vJt-D+{83rpE$UFNR*ISx52qsJzp+C5O9$ZLF6zq*7I51l(HJ83{J~RiJF3eA&
z+t8W=FIK_Ym*d;^{LaxEIAW$1X%m4m<S~M+op^UjBm4)Rc;T$BT_e0FXj-39c|A85
z2V?{{_<>WWJco0woI+x6Z!&)tSqAOAR87ISY5k8o6FR%HG|392`IpfeDsK?BtO<&V
zayk6sByQcIrZit+gRirb7E;H=#S0_aB21Ww`LWfx#7t&^o+*i}5nmXKX2V~qrg2oK
z@ZyAI9Gt8tL)qENxCWIRZ_a|5$sG+2eA~Ikl{BsDbx<WHGD3Fr<>OS!HCD1uTVPu~
z_UlQvMJthDW^BRVn)uq&nqg{B_AQG%P)c-(!*ZGu*|5_zH|ISScwVkUUbp?xD;V4I
z;601Dl;N1z+1zTjw;X?mg?$p{AOyzBY}DEsQ0NapN}agV_<b$t)htt8_CNZ6CV_`D
zp|%B<Tq(zqJ6>QW438HqsL@&oeF;wcx?`)DFy~*4c2$SH4iqin%=nN6E_aoS<U`Yr
ziEnEk2e3>~WzD*gqTikq#(vB)FB@5HXUBdTd#W$%KvjE&i(0|#uD_FT>2Ng#f=UGi
z^);5J33|YW%V8I%i<`bYLx%ss|HB$XlZF}`04+fk8%M;$%H*T!uUf5XXyCe&I+}=w
zZD{1YPxceqcaL`jusEcoqym9TCtznlND4ooe8)-sEffuXxZFbSCTa8iE{;LbcKqGt
z`nuk_`Q!xeI7^0mJGgL*<w#O5K;eBTC9XXKgD+rXsK7Rm&zf$0QG!yP=<Pcxy_%)l
zw5Lr`u#HLZ6k+eWb)!-=!ncpLR5do95f&~1kQ>&YlNcqp_}245ZZ&t7A19x=9dHFc
z_i@Gk2<r62xU+{TW8uScRVEu+>c^TwlQGDC*YgWMYq6kzXe8;z4LK4MVnzDC{k^UZ
zmLlXJqu9QTpt2uf^0~FYXt68v&|G6=C8hpjYwYbVQ*fK+QKe)csI8x6JpG}K5O*5k
zt*A9mcF-p}VmSIIxc;Zrfq%LN#4`^c14v+46F;;&sG+E99VK7v7FB(ja-}+snjB@1
z-w3t#=@z%LQ!=e>wP*PkM`7hee+PZ)x3@O{ZUD%vhy=1cUJ4(*G=p<-iCdWXssh0!
z_~ZpDMW@bBqJ~uppJSRaUPz<wg`{L%eQ3<}3632C@(-Rdr?t2kMsBd1=1DO)2V$JR
zb~~9ewrT1DeUpi=o&w^j2VC!!Na*bPcCO$zJ`%;Miu&z`zC^os@&5Z4=Ky1#i?)Lk
zvYgCl;#T)QownFxmJFC~UEfN|)Q=>le2WU22mzjwd*pac9XUZmXqu8<+%%Hb#g(=^
zv08mTi#(iiH`X+%yi%Bnwi@~bM9`QC$J)l-5*T<S_`~-?53+^yoA0Gy9z{EJZYgOo
zatQPxYYt7TbWqm_OMFQmi6ilb?NrnBj0!87$7W#eY&{rA29ksIqubOnhDMaPP6ia&
ziNR8zzdQbz!bdx?%bd=A$#AxZN$}X;p0I;{h+P!skSd3lQaTXw4b9e5v||c)%Rsqm
zX6*9vD<9d<uKV@Nm@xxgKol6##Rh$ErtjtUZ4cZ#A@CPw+YL3fm6c3~WIMw4UCtwT
zSuyL0I2aWNeqc-7XBs|naUoV!?MX`00U06~aJ@3*RN{JdGZicgH<wd1;$UcGr-8Z!
zUdPrdiwTgxo(zMxC_S+AXE@h~vlSm7A3%4<Jj<`FsUc)F9eln$v}18-g?NcGwuOFM
z8CE%6avC2O;CEO}-QFf~BAd0;h#0o+FW$F}t9;6C{xKeV`3J3Y#oVsCbwPvsz^I;k
z5k5cXNoVV-a)xv)x%h$@1>9tqt56FuHdtgmYbp<#5El=n{BbQ;4{q2^!$TNDv*9b*
zKnOUMB-Hz@YEP9jMiv%fG8UGzo&C|<Q(g7Rx2al;O$^8CMqS|^b>o(mxq-Mty3_tQ
z4&UaR7<x$tnM5hbN5SxY@lb@Kj}s5<wv1q@a0s!P4`prCY87#>4|PL7uilCYUP=|+
zURf2<xe{@dUOCds`8cNvA1d6OeDW*e!^Nh%5m;$M5!c?>1@=hzX+(I|-7NNkwOSN{
zZnI`xZ4Z57p!_}`oK>twvub<3{^*_+9D_4seDZ}ufJLZZHQmk)i?(+8{3dcc(mSpF
zSHE;IoZ`&N7;9sdcydVd!OM#j&x<4yqAG^QQXfG@Ol;y3mK&=bnz$Lc!-AHMNO+ea
zQ6d_K={(2YLJaOr0wNb3zHQaUrro^g`~A)AZ>lL7K6L|q&19<|%-jpyTcoMqdPG-!
z)6v8E$XM2mE9tB#Q|yXE$zzKb_;U}9d!>fQM^aIXRAw6ZdL$fSSS7+oe+U}vi{c^z
zo56Db?3-(hsI-EM-6M(etS@37t~iLxD1XE24?WW_$;1SG7mpRgZGV|xSW@Sb9MK@W
z{e6beNmmyXIZ4Ux$g;+HO}c|>YVa&sR&hFZeq$^y(WQGNeB^!IAh$?LX&@QW#Q9z<
z7522Sps6*ciwpaMLs>^<Sh9F&7!ht>Y^rIUk^sNo%z)S1%@!j-&b{En+t|9Yqs`Hb
zR!C1TCO=jwl#ODvu;Ol+65{P${MA;zU*;}kAkw*y)ip4>g3rKU=um<zToAjljA>?l
z3j!K@9a|z^GhS|<LxJ;R<~KC%nZM$+$Y>E0_@Y_{h^tQ|sl1bxl&w6ryk=m%gh~kv
z!4`L)c3Qz$rOrC`Gk%#omYw{CRj+5;A_KgPpSN-3Kn_QCAo6#GOq-^BW~R&j;@LG`
znP%O0z#u2!_dLsS>OsvFC|NoUdhFZ^09=|Ld-K*$g3`Gvc17mJHc3KUY_`9OWxb2v
zsPFsrc^w}_O)&kqxDE`_{M)Y9QhEFv&EgR}m#?d;hR!lej!YDEKQ|yTXB!h@o2GyH
zy-EwaofT&^CiLPH1T~fVI;lW5o@o4mh8_}q&a14(oEQi}Y=dwaeM8_naf*lYJzQ@t
z3m}*D8dOuZ3dv%$wM^BBu%54zdv~XMize3#*z^2Zq~+ZfI{bBO>UYF#zuzV7;OU!G
z7*uX;MYsO>+tW_?pFeDU^P?10RC2_qGjM<%UQ>bMt1G?3&13tuXSaM{at$Nc>_uwv
zz>w$fDZK5~7Ih{rJ{%HOYF+rvudkrTMS)%QtgW;y%Yfkl=FP2~*WIn&Q8796*T{D#
z;zX*iPh63J3{)YCuYIYpLfwRW_?XFP^dRWCuWaNaz)}kG=KF!XZ%B;ML8=uAZBO+{
zQzFVhM7H|~5pn~DdITDzHw{(dyn`C6VEKM6X`654?cv7PCemzr2~9(ibA0{8X<eIB
z7!IvYiinFHIQ%k;g98c5tfaxO)+zE#qq1hs)(wjiWcT_8iB<78o0PdP8g6fnr#~v6
zpAdLB;ZErk^9C_9zVFEq>Sy~E%^q=4$JfB-N~e?88pIEav+CqaW}mF<u^M!SnIUys
zCERN(6!8lqUCThVEmIQk*OUei)*lyrxq6~r$8*>-wGLB-=xX3V2%_O#RVtfxPHwPX
z+aaeeB7c7o<YA+P5&glwH34ggn?2``ga(I}u|3&qHKzd-<%)}o2i;d05%RfP562UR
zq*!s_O#oFcAHZ%QVgYYu=NtJ~%)J<9q0b5KwX&a+A`(Dx-1zyL*Tw2Rao;HFNcyiC
zHN*kOWcsuabiRY;>YF^H<%x?9(K*!L(8&2?Rp^0c$=y=7LF`O@l0T?ODW$_81YD2a
zeu=!-p>&IunQMmXK3n?UbRORB96k=933a40OHqRDM>x6IumE8Ebg%8xi>b9OnE$nn
zf%atM*5`J&zt|mbW@<39P&<!UEn=LI=?gmfrjQ?EN6OIl&(vN|D(IwNQz9i7X>%)i
z?~5%JB-fDbBb74v)C4&_yf!N-dnIyAIq2A$b}dAvx5NizM;63?v^1%zDIZ~)-Y;RQ
zo|(#j$!0*|Mr`h8yh_f6stnI^n~rb)R@0-;36BaZqy_)`gZa~4z00KqPGdfoVj$}l
z`zMFq0Nffuj-D>ARr#Vh^H614l;ZD7WVgj%XiKss(0!V?Ss@T_yA%=LvbIM(-fD?7
zw<$_OKEMv;&-blQ%v=F<V&Wj6{LOy3Zf87;9e5Cc(gF?+ZV(iV77w_SiF6?wgeTM1
z8-+80D%V^w?H_N~t8T;QhVL=VrWu^sB$Q@NAG_IP^Ls{fP+hKkhcY&pYANsF9`{(M
z#PJ3_v}B32GT!J$gF@>1&x1)Z{?$k#SMPz=VkDnSpPmP41#~}AgT71q@96$i72+#Z
z>e~D{V;d@uaIN-P9E2edWTgDN->`aj@z-G57w^q9qsc|ip*og=+KTge1A7$-uD&pG
zW+I==*8E_V8r^h^s1wXHwv|>N3u~di-K^wf|2~PPIM5mH1bd!0pLTr6s4pqz<xBgm
z9$8u$4P>${hvnn&U5pgocg4$mGpj1jGf<edQ-2(IGvc2~`Jgn`lSM&s)vK1^hgFV+
zg<Rz2#QC9YT18W15oRQ9j~1J*?1TX6!bnDD<X?67vS3PjIu}q?f-L-YwaWPu{#4*x
zD^X%eVm`7fcq#Txk8^yyv+=Y$ySVtk4OK!<CMrj$W#?A}rAJ5}bUb^%MMHMXr{B(x
zTbJZTl0kCiF7m&nOBr{ok!xgag*kl2ZD)Ui4SL?ZVR!gX!u%rekUbQ~&@N!~1YEtV
zjel40U3+Da8wsK^|ESlZ83C&Kn6&Hu?K}jw2%_Y!7pYci*6LTzSa15@DpVo&@=C)s
zKo6uA4{q;HpVBg%(e>^EnwY3Nm!faI)rj<TNC<@2hKCkV%O(7Ajm!*v1yrPDWM_8-
zygmRMk6{!I0r9NSB{{m3AdiOT>Nw)@pWsI%m5`KB`0Rw`X9|3=ZSzad>jh9-hL%h5
z^!m!IT?eoOcJ?{xXPG;17O~RMFdbObBEx@@sG;~&&Zpj!pbU%0$vjZA*tjC#x+haI
zQ=v?=%-l$_4KNqS&hr+acmi;SUvFZB$)b^7BwdQ>=WeCGNUNy*ed{a&)KLkgvhqzt
zz2zZAC7{aGVHK$7L?Yzlu=s=F?fD}dsI_I(YcaR5fc4xe1PZmeQwoAKSpL5@?mQf-
z{f`59q-(~$MV3JkCVN8}yIjj)RCLV^lO=0N)`lj_WZyEh*wvtvC0VkQv1Z?{b?obe
zAthw#_jP~&-hbzL&L4B0bH3ltIp_6$bDkWx+mcQ&F*UtYhx-=IE&1vGRHro=M^8_G
zcvzJk@ujb?(f14Zj`&EY=#8==X*cO*`w{E;e+g9sj?$VCACE0{Kv`IffcK^hlBtFN
zzLsFvZFJAt_NK`nRM6!uUag0cDsN(Yj)*^mQHxUxZ7saa!PE+Vn!N9hTiuJ%Pg=zs
z{EAC+uXVZK_h$PZD<2DnN80;CHVUM(2l|B7rR!g>-Ev)94a5RSf1Wmz3uR-Az{`L)
z0K1L9WmPyC2BrWq(K;CK3u;9;_X;&te2<DVL`ij1mc7ld$D@djj#)hJG}MOLW)q~|
z_Pi?3YLW9^qsK&(_IiTbedY35#KNFiIwjln*d(<mR9dNEn0Qd$KTqe{$3h#0?n^*O
zx({+hD=ark9lHbs1dew;1mBi{?N!zR!&sb~m$$UC(g?!l*+IWtU0hayKMrTkd=hjk
zWj!UmqO4=MgCG)f?~E0=(k70`Pt&z%ADJtscpGP5eHBPeI7mOTmR`FTCW1#`1HZTT
z$U8V#blgjDbPt+qpE}gl+xUb~@C=$W2{o}Ofkud2Z5$uDqXSMv&8glMQDFb%gTBRv
zgoNzQ1kddB{o&8!%a*j-LrL^WbZ0eFAEH1Ray7VZj%lgJrd*dV+jkmamzgn^W6#mx
zWGvTU<&p@K^2^5(Qg8KAI9#s{Z8j0%I^EW|DtOS*dXu@qnJxVRPR)a^hHmH`q)KN~
z=5^nOlD3QSGgxu$G?H78(5yYAhg00thZWZw9cSga07HtFB$Qm7To$r$j`8dI`qg+m
z<#}{QU~OPq*$eNe7Y0$0OIs!G3I)^4JbA4@coEu*ub0|=n?`$uko<}Ml`;lbRPt^W
z^2%lHbrn~%IHE=}GWaOF`NhK*AtcNKo^AW*r03I^m|v?oPbctg1AMDO;sfc`=T}4-
zS<Z!QGV`gf$<wVl?}|8e?tcp@%a5^EQaaoYACeX3k7E%?v2F0K8li6P{*zVbe;n!d
z9O^Z<b0*0rvd$u3y==dyt19p~l1b;`o1dA=t@yq0A$~3ETBoQ~1>>Oj*c<$pubg+R
z3+}CL52jeSqc>*c<6w3yhF1J-YThU%1DYlm<YoC>{IwXleJ_24sQS%OU!%TPn`%Z_
zvg4q+>5YuxEd>AMOqb^G)0CWw@k6AcVPCeO{6`^+uabxA`AN@t{FK$@yq-}RE(c5t
zA!IEB8mcHq_p;#ZJEyg}5f}{Nx?CjOtF6nLG|JLuCuSXc+r1v?SCyz+xz}nk_}u+n
z9PC5Y1?G6T%=?&U7R*e79x@M$E`~9^%-mgiC5aahOhED#t@%O;t4k{D_I+6zYH&Ce
zw7FnVD9^p*=L`c@=agJHvRLYWdkp@39c{!Ur9yolcY2=ty-xzNtMg})Kr+`Y+?ZoP
z+@#!$cp>{g_q*T_rr3L`dYF=ES;tf+IgH@7>g=RhXp~4RY#@1Flj}I@ty_%8XSC^_
z4=ECBp|o#K#}|IKDmftaEb$u!uB-32T#J`rmiE3xPe_j$S1r!6b91j~H@ZgvACM=E
zW!_K+*~24pMV}g+6|1o3aQJ*K?Zu@o*8ucKMD_8>dZ59^bXi*34Y<4N>S{v0G2ole
zFgB0<K&qp7L^2z{9WMb|P4)q%!#@FwE2i&436tG4?g`d@nnSP~5_|4}D-c#C^Hxd=
z#dRQDsYwx3_<SkCF+p1(T1iqym~%N^RP_n)>)#gIH)k4ugJ?6sJaS<U%YU@KmtTN1
ztxeo85GhFhYxp0?70&o3sn|66hWxqmM{7nq#D`@LIr`gKt$b)pL6oFDgjE4D-uyP;
zbY>1IS3CbNTK{WyHF85!G`U0ZTFgSrk@W}dP%6nGufr7W$|$w|X~4J!Y)fz<o<#uf
z5D3JXt{r>83E4G%+|WLyW<ReDNT2z2jaL5|d~QR7Fo6Z!tLtR|P7?~8MfuIm%o+~2
zjTy$PeI);sv<5UuhBvm!He}Y=)YK_}nVsEv#;L5ju1+Y>t2O4VAw8W9ZthGjvotqx
z7DOy$$eNFTDO6K=aUoZ8d&S@6%R@;yA@~esH{OUV92u&iU|~z^LLWr*;4D+z<ts+N
zG9)vTr3J|C`;bh;dUzaP5XH~rs{ZyT@3jk5lY4ttZ?;^IgzI_o2*1c3BX`Nwxh&iv
zx>_D4%PeCtf!AM(MioCfu=!q{1)jWExIFf^mrO5s59Xpy+C1`%U#e~{@-m1lx&{Ru
z)23?efd76B(goawi4m4XBQ8pRFfukXg`VSSDLOS<`+vRDk!6&p>buGz#Mum%M|No;
zyR)JFVHAhKA!b7u8P*zUc{T$=6607}0G9a7+um0iTJu9!OkeOaTuhh?7SpG%gz+mk
z%4%7O4TuO|fERusLeo2bjgu!OWo?JI4;txQ*B|rA^NjqX<PoPoJykdIH?Fi_;e9aU
zVMe_8ciGPy(FO_ClRe+@n3Z1-p?~Zeqhya|ICXxQSRU7oWrqGhr-5A==>7y@jljhY
zBJgvUQ>za8L3<IHHy(mt<Qw(~0o+ue!=H(iYD7A3%{E09m6U9O@Fjqi5N2jUHGdgO
zBpWPnd-03n-8NCkJYbkVul_v-%1Lk$JIm>w!YU6$&73V1KoLntM+ay`qV5Db8KRe#
zr)p|y0Dxa)O$CuF?QT#CVo(D{x6^8fubZ1%pgSVHCqmSo3+$(1_?Dj9^73K0B!E?*
zBjxt(+wP9}AUg!ckw~tM;qVKj*auV7xjO9aVjO|q0)1O^%^*Rbs_u7`8|GlH6Vc_V
zW-y)P-d*e6w6Dj+UQ($m(aP$OeGBos^qTerLd*ai6U&<9O3IlNzH95Lp0XX3&t#Pr
zV_X-k{HV1B|1ss!fSqg7U2%#uj9d%9{6$Uf-Q$%a6JET;Bx0sMvH8QNfT)&dn0La;
z+26BWYRcD2g9{70mtaJvZa(RvyXI}(f3h4S)3?jN%%>~Syv?kv+#w=}m&OA)<U$yH
z;_r?Fc;T$gE7wj3@ZeeRx0nj1*bImA?GIBp+-SRHP|BlFC;FE@w4qybv{gRMVMRf-
zSLZK{lq+^lzEzFp1&WqC5@_prsq>O(<fbZ?5Lr-Ti`Lb1OM4<32$4O+uA7o~M)C6t
z3n0pJzij*v)Y8maFhX%ajAQm8Z%k54AIy=vySqW7lj?1-Vxgoy`K^s8!gyh@qtB<=
zKW~98PdB4F0$c9F88!>l;OGY%c4^!63BjxP!}vAju{AuLoW%5WD{E_YP|pQoTDlUn
z@v@cKrYEL~y2_<!4+lZI+jL!>ohgi?87dby(zr>CLuJSBUms*!6A!~!Pk{63>Tk7U
zaTysI;6d~pc@40{6t#!NlKW#HOR!E<q_J0W8Z6udC}#*HM9!hnqs2efE`kY!<A^jh
z13kTWw=Q`#AAx1#gc_-9tNik=xv72!J_aRC-gw-y@lk=M&VQ1uj1o4++)NCKHk2v@
zmyZqOKE!`>x`!761StI)NiP;y<76U{t{tRhN^=tXiNGuMKfCb)uzwR9GD3|G3A%9b
zViBO0Y;F+LirG1q48;R&2_hAI8R{Xv=H})^DYb-?X&(Hi*6MF7qItm4ZcJ9PlZ{Ji
zo2fE6!<RG|kzmp$5D4J5*KJ0pDM96^R4TyF(b3WK{GDLXZamuX1cg9bEN*6INxmYf
znbBc#l-h^#i&H6zcjNTM9F_p0iY>qZvKqMa6{LXp<gBCi*4Ea>*(#K@Dk>_PBUp9C
zC6b}hMm_`=qN<q#HA_8!3u#B?(hx3husvx#i=v@0NJbP#ePos&+X?1hjrV<xb^n)1
zKuA{F|7H3A6VB@Z0n)OwTvH#b;nM#Ke3nP}fKob;7fek(Ar}+jCO?1EJ&+oJ#gk{D
RpcwBIO3(Dq;%l~q{{gWwCu0Br

literal 0
HcmV?d00001


From 15122199ba2da2461e00255989039c07657f39af Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Wed, 16 Oct 2019 15:14:19 -0700
Subject: [PATCH 193/420] Add .jpg to list of files ignored in license checks

---
 scripts/.check-license.ignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/.check-license.ignore b/scripts/.check-license.ignore
index b0667ad985..a0e18cad83 100644
--- a/scripts/.check-license.ignore
+++ b/scripts/.check-license.ignore
@@ -4,6 +4,7 @@
 .*\.der$
 .*\.docx$
 .*\.html$
+.*\.jpg$
 .*\.json$
 .*\.md$
 .*\.patch$

From 365547fdcc5a4d9c258a7552e5610ff0e38349b5 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Thu, 17 Oct 2019 00:34:49 +0000
Subject: [PATCH 194/420] Add VS Code Build/Debug docs for Linux.

---
 docs/GettingStartedDocs/Linux_vscode.md       | 130 ++++++++++++++++++
 .../images/VSCodeLinuxCMakeExtension.png      | Bin 0 -> 19504 bytes
 .../images/VSCodeLinuxEnclaveBreakpoint.png   | Bin 0 -> 113286 bytes
 .../images/VSCodeLinuxHostBreakpoint.png      | Bin 0 -> 103130 bytes
 .../images/VSCodeLinuxRemoteSSHIcon.png       | Bin 0 -> 319 bytes
 .../images/VSCodeLinuxRunApplication.png      | Bin 0 -> 13777 bytes
 .../VSCodeLinuxStopAfterEnclaveCreation.png   | Bin 0 -> 102312 bytes
 .../images/VSCodeLinuxSuccessfulBuild.png     | Bin 0 -> 103583 bytes
 .../VSCodeLinuxSuccessfulCMakeConfigure.png   | Bin 0 -> 98499 bytes
 9 files changed, 130 insertions(+)
 create mode 100644 docs/GettingStartedDocs/Linux_vscode.md
 create mode 100644 docs/GettingStartedDocs/images/VSCodeLinuxCMakeExtension.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeLinuxEnclaveBreakpoint.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeLinuxHostBreakpoint.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeLinuxRemoteSSHIcon.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeLinuxRunApplication.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeLinuxStopAfterEnclaveCreation.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeLinuxSuccessfulBuild.png
 create mode 100644 docs/GettingStartedDocs/images/VSCodeLinuxSuccessfulCMakeConfigure.png

diff --git a/docs/GettingStartedDocs/Linux_vscode.md b/docs/GettingStartedDocs/Linux_vscode.md
new file mode 100644
index 0000000000..e3ae97cb5f
--- /dev/null
+++ b/docs/GettingStartedDocs/Linux_vscode.md
@@ -0,0 +1,130 @@
+# Building And Debugging Using Visual Studio Code for Linux Development
+
+This document provides a brief overview of how to build and debug Open Enclave applications using VS Code on Linux.
+
+## Where to Run VS Code?
+
+There are two ways of running VS Code for development on Linux.
+1. Run VS Code directly on your Linux system, which will give you a native Linux display of VS Code.
+2. Run VS Code from any modern Windows system and use the `Remote SSH` extension in VS Code to connect to a Linux system you wish to develop on.
+  a. For more information on how to use the `Remote SSH` extension, please follow this blog post here: [https://code.visualstudio.com/blogs/2019/07/25/remote-ssh](https://code.visualstudio.com/blogs/2019/07/25/remote-ssh)
+
+## Install VS Code
+
+The latest version of Visual Studio Code can be installed from [https://code.visualstudio.com/](https://code.visualstudio.com/)
+
+## Install VS Code Extensions
+
+Install the following VS Code extensions. If you are using the Remote SSH, ensure they are installed remotely too by clicking  Click on an image to navigate to the Visual Studio Code Marketplace page for the extension.
+
+[![C/C++ Extension](images/VSCodeCppExtension.png)](https://marketplace.visualstudio.com/items?itemName=ms-vscode.cpptools)
+
+[![CMake Extension](images/VSCodeLinuxCMakeExtension.png)](https://marketplace.visualstudio.com/items?itemName=twxs.cmake)
+
+[![CMake Tools Extension](images/VSCodeCMakeToolsExtension.png)](https://marketplace.visualstudio.com/items?itemName=vector-of-bool.cmake-tools)
+
+
+## Launch Visual Studio Code
+
+If you want to run VS Code directly on your Linux system, simply run `code MY_WORKSPACE`, replacing "MY_WORKSPACE" with the path to your development directory.
+
+If you want to run VS Code from Windows and connect to your Linux system with the `Remote SSH` extension, simply start VS Code on your Windows system, probably from the start menu. Then at the bottom left of the VS Code window, there should be a small icon that looks like a greater-then and less-than sign ![Remote SSH Icon](images/VSCodeLinuxRemoteSSHIcon.png). You should click that icon and then select in the menu bar `Remote-SSH: Connect to Host...`. You should then be able to connect using SSH to your Linux development system. You can then use VS Code from your Windows system mostly as if you were using it natively on Linux. Please refer to the blog linked above for more details!
+
+## Configure Your Workspace
+
+1. Ensure all of your dependencies for building an Open Enclave SDK application are installed on your Linux system. You can achieve that by following these instructions: [https://github.com/openenclave/openenclave#getting-started](https://github.com/openenclave/openenclave#getting-started)
+
+2. As an example, on your Linux system, copy one of the samples to your local directory. We will choose the helloworld sample for simplicity.
+
+```bash
+cp -R /opt/openenclave/share/openenclave/samples/helloworld ~/my_helloworld
+```
+
+3. In VS Code, select `File->Open Folder...` and specify the location that you copied the helloworld sample to. In this case, that would be `~/my_helloworld`
+
+4. Create a typical VSCode project Settings.json file in this path for your project: .vscode/Settings.json. Make sure the `-DOpenEnclave_Dir` option is set to /opt/openenclave/lib/openenclave/cmake under the "cmake.configureArgs" field, like below:
+
+```json
+{
+    "cmake.configureArgs": [
+        "-DOpenEnclave_DIR=/opt/openenclave/lib/openenclave/cmake"
+    ]
+}
+```
+
+5. Use the shortcut `Ctrl-Shift-P` and select `CMake: Configure` and then select the kit which you want to configure with. You should probably select Clang-7*, but other options may work too.
+
+![Successful CMake Configure](images/VSCodeLinuxSuccessfulCMakeConfigure.png)
+
+## Build And Run Your Open Enclave Application
+
+Build the application by pressing Shift+F7 or typing "CMake Build a target" in the command palette, and selecting the "all META" target.
+
+![Successful Build](images/VSCodeLinuxSuccessfulBuild.png)
+
+Run your application by pressing Shift+F7 or typing "CMake Build a target" in the command palette, and selecting the "run UTILITY" target.
+
+![Run](images/VSCodeLinuxRunApplication.png)
+
+## Configuring Intellisense
+
+Intellisense should work out of the box for files within your workspace. However, Intellisense may not be aware of where to locate the Open Enclave SDK headers.
+Open settings.json under the .vscode folder and add entries for "C_Cpp.default.includePath" and "C_Cpp.default.systemIncludePath".
+
+```json
+{
+    "C_Cpp.default.includePath": ["/opt/openenclave/include"],
+    "C_Cpp.default.systemIncludePath": [
+        "/opt/openenclave/include/openenclave/3rdparty/libc",
+        "/opt/openenclave/include/openenclave/3rdparty/libcxx"
+    ]
+}
+```
+
+## Debug Your Open Enclave Application
+
+You will want to use the oegdb script provided in /opt/openenclave/bin/oegdb for the debugger, by setting the `miDebuggerPath` field to /opt/openenclave/bin/oegdb in launch.json.
+
+The rest of the fields for this configuration can be typical gdb debugging values.
+
+Here is an example of launch.json after editing it for the helloworld enclave.
+
+```json
+{
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "(oegdb) Launch",
+            "type": "cppdbg",
+            "request": "launch",
+            "program": "${workspaceFolder}/build/host/helloworld_host",
+            "args": ["${workspaceFolder}/build/enclave/enclave.signed"],
+            "stopAtEntry": false,
+            "cwd": "${workspaceFolder}",
+            "environment": [],
+            "externalConsole": false,
+            "MIMode": "gdb",
+            "miDebuggerPath": "/opt/openenclave/bin/oegdb",
+            "setupCommands": [
+                {
+                    "description": "Enable pretty-printing for gdb",
+                    "text": "-enable-pretty-printing",
+                    "ignoreFailures": true
+                }
+            ]
+        }
+    ]
+}
+```
+
+Open host.c and add a breakpoint. Start debugging.
+
+![Host Breakpoint](images/VSCodeLinuxHostBreakpoint.png)
+
+Step over the line that creates the enclave. The Console pane should show that the enclave has been loaded.
+
+![Stop After Enclave Creation](images/VSCodeLinuxStopAfterEnclaveCreation.png)
+
+Open enc.c and put a breakpoint and continue execution.
+
+![Enclave Breakpoint](images/VSCodeLinuxEnclaveBreakpoint.png)
diff --git a/docs/GettingStartedDocs/images/VSCodeLinuxCMakeExtension.png b/docs/GettingStartedDocs/images/VSCodeLinuxCMakeExtension.png
new file mode 100644
index 0000000000000000000000000000000000000000..414ac858b3dca3994438ac5c88b02e4656a8e413
GIT binary patch
literal 19504
zcmcfohgZ|f_XP}lRRk49nslOcq=X{9Nevw-3J4_9MS2rLC^mZU9h7FF2}l4TAiax#
zln@BLNeK`Lfl!{0e((Lg>wW%!XDtY6i<vod&YXSr*%SFtA9CXw^R){XF5J-4R5QA8
z;UWTfo<VU1c+5e7lYl?}cpE`fE>!$rT?bxVc2w3=zHp%`{`!eE8Swh5ho-srg$p;^
z|NQ>b?f%j3!Udg9Ej48mf9O^&c?MnQco;*>gyzG9FML{R4=yVwaLMTWVCt2*UT}x0
zS4-<64L7H9^~)tz6FTLGT+9zeE#1#rT3WCQI<Cgza*cA=8{6mMSjP{IDyENyd{8;R
z^RD)%@YB+%8v;KmKh^9F{yd@Mert#}{`=-tYZJo%K2>2%Rruf6ZfX2~`ZcAu;o%mC
z0#UJXY;rc|XQ$F$OB88fnA@OtX>XbkOJ2wsoKD!%Z1+-kgsnY`DzJ{CxV}6pF^7Q&
z6Mhh6>b{f7F-^umrg)*#Xi0{gpRnT55-qE&PY*p$wI2>zW>I(Z4LOxYo;<vuPd8gq
z=pGdsg^*&t|Lj&d6!!J`*fkPiEBc;}a^XkxURPKL4<dyjdy=o&aNd}Xo6Zo8S3cfn
z`dK<?wgi_?#mk}uLXd&lC;rQ+re6XMp0g?jN^3W}Y);i)AN%|$`rc})f|%z*$1`8j
z0_qSO{aDz<-heZpD%{qAMd#1VWBT&QqGkjt?|1YlTl@q&J}%PE9HCc?-62bVu{G5|
z;}|v3`i6XFjosd9FiXO%BaVYHV$&7d#Kf(W7W0A<{HXMCCt(Xyn0oyYx~4aVMjTmX
zLZ`0P_i@wwsfqhMIbs+&C|_3k_@7K%3j<(}u{G$ePo|aZFE%Hs_3FD~S;9Hgqoz~R
z`)jV>7W7cpBV<<d?r9iqqH7$#Rzt(6K-+zs>7L8Pdx-b{oQsP*`+4X7^Itt#?0o+>
z4*cEEvCm_SAorFy)6cOT$RBJ!iLFbTnH-@Shp*KtEE~Sq^(OI|+j3Rf_ot0FHH+B0
zW1Ha89&;~A0mB9A+X^p{Vr19oJaFf>iW>jaxy}4;ZcetVbf0Zr8!yk65c*VD{edsa
z24X*SsW6~)VzawR-PEvo;f~ApIS)_h2em8&Zg>rvur^ieoRTBTJW&Z#a#jq<sFt$n
zpm3S49}e2WDc_J0=0wDBXftJR8ZtKE-cTt<Jkd@gR9H3M&Xx6zO3NoED+q(#C%?4n
zai&<|UnR53c+Cw;&32UNWl!5?bUz0s`t{qzP9Cv)2vOVr+qqY22XU;Yw1wUIkkEVW
zRRyyT%7k;s?Qu6$qadI^mKITuO_bD_b~!q+9vAhPdvG{UiAE}XREFFBieI-RxK7ts
z!O)1+T)%?fHOka1Vs@He#hUHnjT|+^_=8qZp@FCK;UJA-#C+8xFN|6TmT}Rz!cxXB
zhp)?S?dSW76Qejjt%3HIP2-L6^1{@4N$y0=AUcf|d#2{J0Q>wUacj7{;`pHL{@O6-
zXR8#6?ewM<Pt>VMe0NL9rWV@>s6@Oa<$xRYe|yQKrglKE9?RNbl-`&B{1_B(J_GB<
z%0AkiQnmJ1DMajs>C~4@KK$%*WYZ>qh*=T6*zJmW!|WiN-zD_q>qi*c_B2IMn}su;
zj!f}kn`Sm^`p7dZ<XN)9wW(j9jPE8YV|jZ>^u;m!uLs(X;W=3n&NiEqRfaHXTW4F{
zNwuz+%}lXw*F?@l0Yc{biSvp?aa2ZIk1O1@O;*pz7L;ia$L~txnbK4i|C;AwcT3FY
zz1pu@eOX&JD2}+Ku7ILS2dG>2WS0?eqVX42GeoK#+ytG{(#{@Tb-&sClG(S!+OiQV
zJ^Y@&q(r}B7<K2V_U(B)*M0_CC|aD;&+@bVuf74L;1l9AC(&MLzGBeB#ur=9NEBqY
z{b@pOGJWrk9z^I7_!tMegOCVX(jg9XfO?HBwsQa0LZWu{=MKxLh7hOdgfu4obqUEf
zcGsBeWX5&V#ZtJ9yIe#D=~QSxC3hz`IRus1Wi4Mus!s7;gfQ(Rdl9Vs0;eKXvBd>^
z+D01o;G}&fv8M;WPt9tNWv|2&*)N4zYM?Z{Mc<kG<!sKd35?Eu04AUCu(}&?l9wfn
znN$uv)t<W5t5i`rhm#$^&deF^)DKcvt^UX@9BU^CSs(@P<-!OqCA8OK0u^rHRt2C<
zL_K)md@AEYszTx&_HZZPjd5T5xPlJXN;}Vd)2xhi!}}UbE=CTtLNF(n@UP(*Nwh7C
zzu+s3QCgCtGdam6jk>5T(p8XN-7pD=ikogGmHM`<vU|Kdx<}NP!lAzQm7e(GwI`L=
z^>3`j>lrA-_!);e`GE8M?cJAp62}8Yt&<gue-DsL43LWx#{{MsA~r?)y7;Kmt@+(8
zUoV3LdOQbhX^jc>tO8ValiN5>Y*oZnoZpSEx284}%Uvl7<GjNn8sZJ{>ooJ?g|>l%
zXJRd;B@sPoQnAYyV>d;q>bNUS2~At8&c=iyaEd_<Tc9hg9LxXtx=j7y?{aKBJqX(U
zZa!|!kPrq{#y@ucSsefgl<>Kw_#^LH|L9v_#uOP;0wUG)*~MC|JP5UBNIYrz{S|yG
zWkdIm{LQL?m;YQUI4#No57=f`cNd#Fk*5ba|N2OsYVa<{zr|z<boDNxdWcRsQQZ8;
zvLZEqN#<Ucn9&b9@s-446SR9@8hnU-^kSj{zBY3uRl%u{KTx+O^5YGR*}bR&F8ghN
zbTZ=LCi@xfBF}k*RJf%t)7;N*r?-E7TI<2~%ul8XD2#u&F$x?tPwyLCb{NW2@IM$c
zEk8P$*C7nRdfpAxI*sy7y<tik%HP~olsCUwvNM<?Givp^+_IsXM9=?9a1l76M{u<D
zZ*{6Iv+QLtJ>g;l`$QXBro=n=d9rJ_)HN^bbZ8d+<Z;%uW!KIYoTuS$|E5kDkmUlw
zyg~6om6`F~E6A_veUU}GmA_gSjWk`W9amC))*H>Cds+X+qIY*cdtm^m0vo?v8r=Ea
z+H|*TPQb8jq5>~$!jHKMiwkDSUmA*vHTY}qomTRObUn3?F6e3?U+i!r)PhNAZ9Hwu
zC|<zgLYDPEXNJ~T?Ntc08mEuT%;rmI@slN+h7`8PZVLEbJ51F=w5d(X_b>m8r<J%g
z1@X^PFBan0l-8mI5Go(s$R8q27y^IyU@JHptk4#?cf%+mo`7*zO_RC09Df*tPV=!n
zZn$5$nMw7W0*k}rc@Z=Xctuwo;%Q)vhBoTVE}k@yA8H!{KhH-);My4->H(*%po6;J
zm<5)&%zuNz@9U<0PXaZlLh+@&KuBk{YQ@|^T}6Ex@5n^)glLK&nwA_A*O4a{YKayv
zL^w%&V{l}gUl_{CY=iLWq_AtWj+dF!9z1w^7%UM|?Wp)s*`E?FqDsM44XNiEfFa*~
z-DQ8EL9tx=P*WFp>$2eCx#6Ag8!WfE11*`cNLLG!pv~2#-sBlRu5{lcwvf>e27V;l
zKDRq|{b_^u?nk*xJNz39(^b_F<x=Cit2bFsXbX8yUIt$R%T+_%G+~E|yoS~L8<UE5
zj097mttc!{_>G&!#z0Us@0>|R#RgL4D%o%%IszZIla{+X{`lB^7?oq$liI%2hv=JX
z1PUB1IXEEy$MUXCz(Y<Xl_Nz8L+nl`Ww)lffnmzS<+wD|nDfo2y?ZdrstvihYJtF#
z{ew*sy>>cF%$R#qsOkaKQ{BKUlZP@0G`<EE;WI3_T%wz~aJCo99~?ONks)0XRY05k
zXQMKx94LT|x$ipl>-3n;i3;@2|8T}{=Hq)od_eq`0fDhsJVfh_m{Ty0z5C_5<&U(U
zyXQuGL{d{32H8>07gfL~>Ivy%?<|9!I!uPlQ8g)SBbo>+_ND|&j?no1;8VdqQ|3^(
z0%_4KT4ORrxIrKwdo<L#u>GrvHQ$Hf|6yesQNNFyp|%HEs>G-3;EG=d@WsDtY9Nt9
zqWi{pY`wx2iC=A5T=YZI1p@4%+xxy+uN``b#cuNh6NpNB*05+7ukyGhSZ7mihg>7(
z2uuBq0!^#CzJc%Z`v^tc4*R<HDjD_7+L;(+SOAff(KX1WT;A3x`EPt~zjvFWpZyrG
zr=M(U&T#JsoYDjs69q>mR%4?-&OE&vaDOez*nPjf+dzSiJHXEQ*p9dpx#WMExTJ~5
z*EswO{j~z84XYv4&OhIA6Shg0+BK}yhl0~B`2t_8H@>~1_qgEEL7cRL&n={*0TVY|
zm?_ED`*<m1*UT$rVl59?MFC%Af}Ad)t;%7`T97!GCE%xU3{@LyrfzdgRSf458ZU%)
z-jv1@C^maig|pTY<Jlg6(1|;X=Yh!nXNR78TRZRq6m@&D2Ioh~1Sgw;HLj`5Z&*|0
zn;vJ?VZ-hf%gya)7*3`t>7*=0u2DDV9r=5i)WZr9f9zPmCA@tH9bIqgepcWd_tQ$P
zPLaBrA$cD)<tEkFG<}t~JFW{`&`_wwj=tSHweL3{3&D;2H}@zx6#^gh;CJ2kZB&cx
z&mDoasnypyQVi!K6D5mx>A>SRx;5gv&Z<M*ljN%v7OjYr){nCqAI_gGG0*%hqPT}W
z!h6_pV{)$>u7{}9O$fi!!BJdHY<^*-|4y??aZ=od>n6&GCu_}c?=9QBpRH9GV#gt>
zF>$*YA@L2sx&R6&xU*y*-}b03`1<A)Uhc|GRLl>B7S&ZK^<|DAwr{y=Rq5nU7cEph
z%7PEF)#8&NioHHmNXKssHKW)!Q6Y^w|C!<1_677JDgYwlcxJFRvT;$CK)jjDI?wq^
z6ZU}}_Fip$-t1)RLf}+&BB#Hfg&Gc;o@;=OKVZUjzf3uN=JU5YOi@$T?9XEvE5%%t
z^E;1|B8RDjZ_hSVuNn}WMkYRWPw-h;%a{1BhbQMw*@ScYa=_)<aFKK<lI1YwVCfRE
zWB!zPTa_EwTJ6`PpC1Wq1OsK|@|C;72x^15A9;s`0{&Z#LE$&KF09keZ%pG^`%E*V
z63Y?u{n(k^USldX4LpaM`)V>Bs->ZzZsQYql>lCKGGkqtQr8ze;_L(FGHlh9=la#a
zmnoI28sPlIW%%1dcrextBujX&+SA8QRtiO>5$z`2{ZGqvo=qGy>5wX_lAC{^n$=U8
zafJqjZqnlKlwLR>?u%tHRJk<va|Sfl$j9WGv$sy~Q@z`}<Od9LdHDL%g}d*6bnayF
ziwv};-M08zL42QIhY61hTDw(UoqktUBe4Eh1dBL_Kz4o<>aF6RVLDq=6(PinDZp4i
z3IlSvpIH=&|G3HWdPZhc%>wD`$pu!~XZJ)WFB`f9{5GW24r<XjRJnz^z{5`S+mdxV
z2y~P1Z7A#if2gEtUPBa{T!`wd6u7|mgS%D1Tk!1>$n&xDTQ}~#_}(z=ZtITKl@h{;
zW$`9K2o8FYGv>zD(5`U9Bjwm__@~F^%s^!s`sxz-lTli^fPZx5xjGtpvN<`=+$}Tu
zYtRda`S;5O&em492=8q{vTutvwM^VsHbJbdq}%1P8n+VmW!hF#n*(B{3cNlMq@}C{
zZ#EHQK*Kt(P-vru&Hgmz?3$vsxo*(UwLJ1vg;}6hXUr6LM3(SNCEr>t@GJiHohXvN
zO>bm@zZ^AAA7Uc???(0JsU09g_E?UaJpU2GguF483*4ajceJoUzjr28H>Jfr<!`3;
zfErv_?!q|&5H%VR?A-C2Lub+iS;3x^i;qCxObZcL?jeSI6FJFw^m8IkNr#YD*X_FH
z!_KcxqaFbA<g*KmzAY3L%Oa(rLu(cW&zP7VlJwb}6n%2qwzu4W>4#&Utvl&5GS>Be
z{}t`PA@!DfpT4xL1`XHCE>-Zs8^nke*(2r}8{d>IH?E}+^K5a5>>kqDi$s%(SG#No
z=p`51!JyrvX@M%<CA)Y-)FTjk*S@(@{p*Q>8L5h$qa?*^`TRlDR9<T7&0Ru=1)B3e
zh=FbXte+lIHgc*DSt1XjuxB4e=N`m;B}yZhDfLJR8iyRB>dJG93#U8A9DKCc=+Gqw
zxCl6dL(;)2$shu!&SO^HO#$6q=(MV`&3-;nv9-Mlb2G>gnJ*D*ej2hekV!iRj=RcB
ztA7vM^wze~6@&cf6Gz?sD|_fV9>9!p&oM8C)9@<_Qc$xn`$h42vPDbE^2CehEDU!A
z&WO0lFN`3SpWobWX<EIyMTr)lE!;bc86pW!`YXjphQ3WwSRSV}`s0?aautP+Ex4ae
zTQcG9mh*V-AcvHp^nD3eUq<ll->+0{yXO1{uPLUx9y*2$(4#KVp&au((C50cf&up=
zpm3sM?6$fM2_^(X6sk?Hri#0pS90yO*=Wc4WgqGCM_u1VU6|s4TQ$CjO$%TAV%>hl
z1Sp56&K_8Y$iOoeofc3OcwbB5KCD(0h82fJA-egzbj63PEGg3brTDV0w8ZMVrQUA4
zzfzTYP~h8HQISD`+)V7?xr-e#v{AMP`%v(slRsjAWzIHwO?*9&x$mqxf8Fx<iC<KL
zBDIn>3@^$1aHlwUQqhG=(b+_<>sej|wl!znV-3AOna9Z%rm)K=Hth$bQC5Ftd|%$C
zIGD2OVVQXi&y;$Cy)In5AN|{&O%3@*IS~9ZX3}#nQ4<QVP?rC2(cd%i0KkZ(J2nQO
zrfdM_h|dDKsdqqpvp8Qmi;U#1V6cZROIIByqcTP=ahp{`pna+A3|D4?lIuM{qb~M=
z?|sQ|a))lAo4d7YXM-EjDQu!PY9`<6gd4Ue`$(TLf#<YZyn79)^3}7XeCzT44Nkm>
z>-KbmRBfy;0z=C}qfH3RrCl#QWS#7Kx!x4F8_;)(^}@;yE*^arPr1s3E_^UnK0)(`
z<=L*xg)BaH9PW74#=x*H9$Km1n9OJ5bL%lm^fK(L+ijt&I&e1iU^JbAHuUY9y+=>P
zn+7o(&$Rm=2|K6EGv0IIi6HIZxq;J@r+uONialOcNli^2#Bc9BTT&R7RGb^<I#P+2
z7XY4e5jo1z%eg5&IuQNn)kU&t&7~x6odf~Xif2cto!8t93L&S<jPTLHXpY@H7TS`|
z6a$`nu=Q!2LcHf)pcEH=vJ^^kf!nHVT)Wwtrr?%sG>0nju&Cf1=s#?LTg^M8)0{Jp
z;9?v2v+mET;WxLPajWgw1|x%uQ&X<VAY)52tc!(9!=q})IR5vRHA+~;?B#lc3eq$o
zF7uGl(sj-`#MevC1Tc=RiTm>Bc7MO)!)FUUR)wZR1yyfMi3>FA&ge6`sHPK1hr>YH
z58qyVSA=XA2w?&W;N;#Ve(Ja{obYh(&_&H{-N{68&ae*#k(7tdJ_d?KCkdIPL8|vh
z|D;@h6`0}5Kvj|rdP+Oa?L`wq<r^sc(q$H4rXJQf=s7cER<~5!!*0xo0aRctau&qO
ziSZ}OhDB-?9-d6j)nmF$exz2)nh7Ty+j3-7n@YmI@mU`^n}{)>h4F#1&P=dpR#m0_
zpw<M1qZ35uAVE<=iE|nk6q0S@ptBmBDBL#mp8shF!m>smgDj_1T6BOlkp^C5z-`*g
z6BI09WbW`4$NS0lE~nxf%gz{ypRinq=7*eIc0;kh$6O=JF%^Y6mH1~r7X+D+F?T9P
zAoH|;ta4vFCG)N47PNgL2w~mA>3f#u%BcpH*WQm?fzyQJ<wLpABk!jQsit>_6@rPx
zyD8CW->I@S!;W61P>Gy7Iy8ES<t}INFvzlaSz^fUNOr7V?9rS7IKbhSkn`-3Ngl!|
zMv^_AB=ES5(KSSOQuwPFaz&9vkU>)scbRT9c%d}^kB>-w)4yhF(#+%`r7c&jLd+s*
zjK$5ox$?yH1T=8#^<6|@%dSH2VGevN(bf1$q}sqhwNd`jS#6Mh6E3Ksq6&(3?6<uZ
zzg6FHqKk=h9dDPtctlBBeB6^)+1$qnABv6PB&`_`?6QxR1G`K<{GyF|`}R*d?fY8#
zY>5JTy5eXx9~}?C()qCcT9=U9#R3Bl&Uq9(+<snQ?MW4#Qf0*2TO>A73?r^}_jqSk
zi60s>CW;=gfo2xNe>Kfr+f%mu`pobvmFT&cQo1;bf$UQ>1KkR(d5RC%DE${3!)wu_
z&FKbOz_)#IgUOX<*04#Xvt`LcDc32wjfu)`fRwX6Jw+g|3muYq8QRKV)Tg3z#9^x=
zF9f%vaa>%NjS2cqFTmq|{uhSqP`mje%`44|`dOJ$JYOp&$Cl%t_T{<YnZFM)9Uevh
z_V1@zkqGU}-Y(T|cw9w^&&a3x<1<f#gO85(gX0DQE}fSBYa5!7pr^s!d3PL84$zgv
zjbM>3ZvLb{h}Yx;^t#It(bQ*iSLn9{Nj8aMopv|cps3QG<jn`OSCk$9{Tk01zW5Vw
z9;AkMi(oH=SFFh-`3bt;4lk4bonn#3$@%$%|4v-ob}v~k;yp)`$c}1nbaCKQZY8Bj
z>~-=D5v6G(s4(kE)-628f?oXf)>|>Rg`U(?D+&*JWxhaH+gF@aflvBfw?C}y_F5@+
zSeHWP)CW#J--Zq>h166Jz3}8>m8&U(TQ4Eu|13M>Ro0#5mvhj<pPPAJ*549DFIGOF
zEK3{7(zw!;MALBb#FwI6;Dv9e+86uy9R<D#P%{H+{bGNXAqWoZC#B;M&F6!MHRhmx
zc)u4WaPWTcxbA$S51zTVX~i+NTXYn4G~oQqvVp$Zaig>nLC~%LL*!)fI5|K=e8a@F
zpajM-i>f^l9u#7Xy0OymL+`{#%>9en`TT*+MU`3tK+RGxBV+OzNf~?3_q*R>_gqi(
z5c9Bn6!h&9+YeU;)MDHcTZkfy{!)LO!jOF@CX>Bou@G_cU5hw<l7Mg5)Y^sKso%O$
zTa%;rjHsMOC6Dj%)D%%%YNeq}cANQT4WI{UpS1*1ItCfooDi&|gj!Uocg?=AWV2B!
z*bV&=o&)OLaF#FD#|QQXha{#<Cf!<9(X!-vyV<*{j-9}6ytPa&5}d8U-gmc3a%1l&
z!4ntJilC7zpJ02M<~YY#UpPjkDJYr>IG>zazQ2GEMb=e1FyphAxnocFc@crGY2w{e
zrnyP%QCv>wLcX!mS(@y+vnaw$v+`D#BT%#s7vo$^iiYk50oW_O`JTi?fp#yUUc{aw
zj(!MK>*B0|k6R*W;Q0d31!}m_6N5$Kb(t?5tH~b|_pF1&q#~0ZzHa69Ir0@i^7^_n
zG+o$x?W!*pc{LUFbM-}@ZDk4<nF|e_={}xb7MMVP!d+H@$Ly`dUQ^44QuGexbBU<$
z0zt@PE7*vm1-AULqc}A96I*kTqnLh*0L{<pa?Lz}fVicg$8${SsH42Dk00`W@_Hxp
z{lVpH4HQ8p1RL^mZ-;1NC)sIW=uNH11U}6h%*fWR!IlEORqv13x%<zh{X=m)>(Md$
zosW;7|C)WJLMAu&l@pQwNXS_Y&%xfdQ|r?I40~g^KXT~0VzdF<<K-W(vp%r{T@xBL
z@XJVY1%~(WebA>p)%GHo()`Mwch~!%{yb%tzLd5+P>tBI4~FHzms1pNwDToK7^0W0
zuEEN~ND1H&hCo?Qj^>Z1gNgEedGYoZkt<9EhwxU4VYwq4;T*vf7V>NI(W2&JciJxj
zSq&Wdp5c4Po4n|skfGfz)ow)}&7^9G=<~@hH^$vhI!~XZeD-Z=6FAWHS-;LV!qBr<
zp}M6Jo*)(CzR4zW`$LvghhgO!({K~*Z~>eS#gYVR<~w24mn{nxmU~_tYywogG!P##
zBRciSOfG)Je4-)Ba1q>)WLm6$SyUTVMC^P4Pj55*u<N-b^b@o}9{WA>W;q8JILzL{
z{XWiaUcO>2=*S3~t_oghtuLGJ`S>5B62Zlbpf*GyiO<@>&&COY_r_#H`)WBO43C++
zSl6Q?2s45~zS+TXfuUhG*0aje6E&rraC3Jk(w7Stwx+<Mx8E$HhBHZA_58esCssdG
zEE~+eR14C1|K9*_fdOKEmz()ga&|+#F5?7DKEkijv&~26?&t3E2T8pJf7>5(JqCJY
zOmFyeNsA{erye=5LK`dO0kFO4uH0FWVNzdWQ)Se0`}zWSu19CcHt+?+2K4J+Mx&Ki
ztCwB<V{kjttntk8zT1IB-y@~aJqeD8?ERy-eRy%D+i2y(`VKk9Uj<Ualq{QyhAgG_
z7Jp&_@XSZ@Edl`_bm+eGhx;DotLJtD^xyw@fp^J8f3keJeAs*;xZpLXzkO*?WOdw5
zC+yfJ4w!NPv%1cp%7pBUhtnos;A1ZLB7mupNn&tC6B@FCd|v>UQo{}OlkNKUGI*9v
zUe6%vI@ks7{8OZrtnn{_aXFTY6G8Xx%8e<TEr?R#e5vEZl~k}*U($2xHoxS38UNz=
zKOnSpbcs?s#VVpCRc^j->8kX4L{<=5^7wE1)CN3X;B8IuwZ)kB<Ja(qQm)VcWtnJ9
zlHxW)9ozQkyG2}nk)@RGa%;Ejsi*9yN5YDBBKHl6f$GN#96{UyWe>*EG4p+2{dVjd
zY=F`_i^@8qABp^f{~JcY4LN+f96ZYdpa0#_*V;)53R0gZz6gz%HHKXg(l4}2P3C)a
zaNU&XmZWIwBz13ufoomB+?qa$!6mX^ykx%gvpuKUQ0&SPKnieyv)1UpY3(=j8((&0
zlf2y*9bh2;AHVln1Nhh2(z?J-LrSKjTuwjUU9aUKt9d+c(8_6`;RtVk<16ia&cKR&
z8Iw=G6hrikaRs5w3yp^kbGo^vHfBf^0L*WpScc`P6}0no&;>-KrD))j-`u*rscf0|
z|7D*NH242hb7Rhx@1Zrue1_}dri8Z{MPOtiPzEI`o(aKRrS_UcD94@?y7oHzcMoEm
zq%lQqU+pcVvKXQP#3FCH-^b8>bd7r_wta=;$WY0O`9GV}(V#Z%dl<Jh4z9#Y<1}Yh
z`JlVvrbHWopm9wY<%ntV4+g$RP6A#_+u`G`;S2lg;*&eW5MtnOIbw;Pcc4=QRF}${
z7_}0)7G%0>Z~4)LhPVHAyBs`EnW#$j{9n)XPyT2hUtrv#Y!O&b;Qi&c#~t;E_$yVx
zm`J02d~fWSwX?569hqY#x>N4wxjk*3BjbGqqj<(h&TG(dRKeyJk;e(I`V+xJ0s##7
zQrnLDioevFDc{%3fBdgwc4Vsw0Z}Vt;Ys%<EM!A-<^$jF9`;c1`=a<ZNS~?FD+V3G
zuF)Z6`>*wAPr{~oj$+W1J&-IXMT1#|30wARc$+GhjYwb_Rz6%fo8^&uvtr8TvK_IK
zl_1HbLPUQ$xI2*(QZOfZ$RPBDjz!ANXWrReM$C2U{^o28h)wRr*OF|J%3o}tD>qr!
z>h!c19$=LM4R)t7dmUGr{ag-uJc-S7B#(&-tA9|S#n*5_3t4NH!69RjV_}oh$2TxY
z*XZA%Zm#Bh{_)PCFJGm84%L8PAIO-dJmebggPNGQ55|8SBXU9S`LU|^<$GK;Ij-Mi
zu~-+dI-uC2&kLO%s_X1a&7OXS{bc;1K-z!pmShauoBlW0n23c=Z?vS!J_lF4<>x22
z8CVsC4JmGj%Tp%}E9kT4FrpY%0C7R1Q_dvN-&kC!(sMI{+T(t3CU`S#YUQuy;-s2!
z1E+yF!<S7Y+SeI&@uw1`ffHIDT@M&}VXmNaA2e`YW)A?BPo`KI0I^D^RODlVnBBlz
zdx5y8b6?z9Kgn(P<=wJazs@yc+Jz2oSO}KS4!L-ZVdEuR{-*cxc0af!rmM=fyUObq
zrv8}Vk;DIpPi3FASI$-q|0AFfUhT5Mn+56ROo#D@_mB0>mueS_3c=jukAAA&rJqUG
zie_-IkWG}&v2<Z@PfOi@z?1(}@8Uf~UH*d~+@q(c7Mtjk)i!}AtpPBy*Gg!7x&}@5
zW>u~vJPus97YH<XISu>%u&J}ROCO)VWWJ#UnXm3Hh)CZ*ir7!B2%u5#4|=`XKwhX_
z3zZHeN;eZ1uII?Z_jnXf_l*VFC9WyyvWAPtbsUkl<<I+(aZBcEIPKcKoAe%^0?1sz
zk1ofyjfR`}fD<AiJm53%tX!)|tf7)VqeGT%Pc@gFcBaf#%^9o@|EfF9f@n}Grx?0V
zbTZf}St{x-yr`_M^6Xf3z_!L6+G=gVrBFh_*RKtgiIZ_qn-U00sbUnh>Cm&!{6VNu
z8emvs^dCiE$#Y(@o?02qF5IJW($PKWBuFExl0?&7asHYi#bxl|C57cdRXbMu>3X5%
zh#X_wZj(QT*MGw{@4?hOTa9}3?U`Rncz@)gW)?$<R?CTX+}+(Y(fD3b2bRIb>iiW)
zz69HQ+8>iN?ZK@5X`t4ZcUM_6<-%0#<1}cSiQ4%Tu*>=HAAZv7$yt>6>LS6IA4F(q
zcT{}8IS3MGR?^FTU6ZQaX^kdm+&B1hz^X@KA3^q-D-EyCPL#bBf7EZ?b$w|5Q@ASc
zx7Az|mkio$S0n2uqa}KUdWzEq#3#ag)k40SD2E_jam=DZUL<Qaycaku3R1;KiBEXo
zB{ll)vi+Jfx>D+#C1;veNfS8(^{(vM7>8h5_a^`YH8X+rOpw%JS;}x=Z%%V{s;OhE
z7COjW9`tdmxgjYk-aq;DTa3D8{9>m?SL0yIUNBdnkQ1A%j|VIpJ`gatn{L6xH7Ez2
z=C#-3%3bZq?#AS0Ox^YEWu%GAm(f^(KQ$L0d<>2F1iIKC(4CGkiVGR^Vb69=kc8tg
z$7OteG?DrQuFrK|2UH)&=fvp*gXqAr4~ZvQfZbe*D%FY?{ohaClg})t#rk_!voy$g
zE~v!}FiG83LP=ekm9|-NM~}~{GD<-JC_r!38~skKV*GQAK_49?S(izL=UaDlrS3hX
zkBvS>lXSnD{dWBNf~!7JO!R6}x8&{@==LHE%}aD{tb8#wGB}a+W8&3*_v5<E?I1m~
zutWiinX>Mj`(#YwXaf6$<ZXu*ms8P=FR`x<8L^VYsnyQS5Wp^>%X)B;_`B;Pu(l?L
zSrptZ-<6e2yrpiiIpIatYRdAUXv8Nr><LnAB?I35n)uuF&go7nZ;5TzI&x8b#zMnz
zn~o-TbNA|Waev%gY^x(%rd-s;;<)-Y2A6e#$MYh4x1YQel$m<kCwG1N;|y>r*enru
z7c&%`ID&J;udi-Ajy6L|6u^ViU1Oi+`JoBVZ&0K9h}gs?&~ww)c;C+pWt=HE`apIA
zg%b}=wL=%$NCsRdRCv?D9Jj=2Z`a!u<FgB{LotMmw`vUwss^gVn`kNO2ED{u126^y
zNDNQG1JdFkZx187@2Uerw+PhCA=QE5g$2zio*hi+r`4vW`{0{0U3Y4SqRk<e@wTda
z=;M`{?iN-9?`hZNrY-UQ%+(ILGtpM0HcD`4agV4Q{fP}Jicd?d+8GnZiRukh)mb}(
z5?_o}SYZNm@$!4MG4HkRteP9DB&u;E=raFctIqJ*!sjSj|MyGQK&B^Z!#quo71a}~
z18>>NdaXExa_dYqTy$&{A=(fcaSKtLh*^nGEWhk6qOer8pVcC<2EMRXDqm=8g%`MR
zJ()?B;~PUy(ehw>v?8am8qZa4l`msX`g~$nZ>=P2#e@W@H@WoKwR^2Nmt-bqmn%5P
z9%d&pXstG99Jh-NIF@JyuY>Vf>#uB(%3Zo6O|A>DnsX!Qv1Su3(mXuVbR-h}!kr~>
z3*Y9$6kX5W9rmk}B!CL4J1`~mA5|}lb`N77i?{fl*tV7R!%#`HFu5W{xVs02RouI2
z@Z`iL)0Qivd#{8V7PO3PvGvL?%7)XcYuWulJZEp3U%cHG*=q^xp;t_Qs+q6)-bgM{
zVTh3~@DrP)J9@qk^IkRFrgQob+wNE6IB&DzAgYGHXoW0iy&I62#9IKV7%L5P&-scD
z-Q)C*P&@R$yHbw;kFS_kW-uVoD|WWoUz(B`>M~7#AL{F_sI}h@p^d+a;e-#$Uacz*
z!V+kadOQ!^NfaANeEPblyM$J`ylKhqJ`f!PUfRpjovkdpJ3+Bm)ZXG)5D0Qax8{`4
z(V!1TbkGMzY7()UqMlfsO!(%4v%*cnyF)R1Px|^8Jwc-x5U6-A=9L;D!vU+L?N9kB
zdKnN?9G%vxA_o<{0*i!<T4FNM`fiAgLyq+onLC0*hn%pQvP@yuq%*{*dD`CtMW8QN
zzaSCy@gw$g=|@YFbRIbP){!==SLjembG^nffD|afbhA;s-jr&c_hzaPL&2=_{<p|)
zvPMW;Um5CN&lLA)@NUdj19N2g;j7D;fb$)A5Knhi-{*r1A2`qPhAYtP6q>K--u1@i
zS;okCUK5k)v3m;rcr=xhV2-8ZNJ|YctCT_SRHmeU8|;mAa*!KX%=mIc&{;piD9n&D
z^P%h3YSqA1QyyM^ToCgFETkw{%MlS-gy^Srsw=wgQkXg9QX?ara<#@l?Dl5el4!Ty
z52}7GS<>B8UTm=c=pdd)#Hwq?r8Lq{aKVceCQ=FX--}uRLb=YtV&FcqJ%%O#(>r1G
zq3CF%CMCIAa8WNk_}H0zbkLIrdH6xb!6ki(+aW)wRo;OK0|&^PAgNLGi{^;|N%+v4
zttS4yT$O@Eh2TnTl09VS_`A6O{PLTM&8r+i;3ih4WuRM<_@}c5<hHpZ4(CKsXM_8$
zqCXRxR441)VL9gC?5@V?1(BN~{HTtrw{8rVZbxB<ZaiN|53BWPCJ1EUjb0^0Zu1Y%
zb9MCo%Gtcg%|oq8;V)SEFe78nR>u@*?Ypr>0<CS~8!X87y;M`fs&T_5p%-_q86P(p
zHa{rBb&ilHk~#s+N`u02vm%xrHPh(VsD!v}`ndc_=u9%tT=+kgygk)hwZ~&ty|lxm
zT0_^9&663^Pn21Xa51isM~nIzc7rk69al7@n+y}*{*?`LuP5-?f#pxM1g&1s1<jsZ
zJBk8*_f|h_oGb!^iVZk|L^WZrl1MwcXNQUW&N?yqJIyRzvkl&kP3DbmY?85TZ}P*a
zy2v0qHcyZ!=6-t%(|y(k+F{NKmWkHTfU(`+M25s8>ey{=d$nylcw~phzRi=fZ}cBG
z0YL>9n_J_ip&7Hp^Y~(cig$sroIS>NEzuPD2I~UzN+ao&M18wK1u}HL>nk|k^xJR~
z0IM&D-uS^)x3`r@gik-S^y&C<dvMVpPd$D`T^J*q<Oqa1jBO(388ii`WP!T7T+8ZY
z;baC@ob#`E;%bK49Yp3AyLIX&LYHaWz!qdXouGadHeH0fwRii7(O`w~)d?8cl_fzf
zCF72+CbOt>i<K%1r;a6S51XIx<C#z5^d{I_4Ee1BaaTD;I~*Oe!qktX83Zg|?xc_&
zt)B<)y!KxW{<6NjdR60q+3$POa=IaM%39vSAM7Pl4FT#_F2DB&n)$^_eUCPy2D6o3
zgcx`O$VS;7=oa|9_uR4!ahDaIs0aXJF+W_S0F2QHp=cKfs8|A697N4Aad7@=ZPc?w
zA#tN3pq2Yq*KyWRUd_OMMwce66b7vfS*MtR0{LQ68-}$ZCDeS^mfy8Az5jd!1gxnY
z0t$KyhzhwWjIU6&xqCY<YQK4+aewISR#>IIg?JWk0fSH$1Ajn@{2l~<g;=AmYUyS|
zj*o76E65K}Q~w(;xWN^WCOJ*lUs5y+U@HF1-XR`JxZ}uGmD((?{({p2OQy+!y`q4K
zZ%Z4r_#?kQl>1H-<@pBNc0h*T397k5u*W=LZ;PN)2<b<1z^Mx+dY1jdRVD5f+7ko=
zaR0wS028LMsmC|Nq>buWWS}v3kR$1(J2&N1on_fWs_)*5b$gxHkFXg(F*mCUBzs(8
znfWw^U7k@1oD&avA{CGKTZO9+A%U)RzzwTj5~9D0x@qdNY4)%7guWXIpG_>LCp<W|
z*NJzN4$+}sCa4;BBn}mR+Fdg;*^J`N1KTT5{Z*~Jm8?@IaBPolL{Ozc+xk<f=GI>~
zTB;E*rZ(q*-PF52baMm|zWF<EJ@Yv(X4sZFzh$(gA9*dh&z6X2|Kc&PB53vP{#p#H
z*k#kzp>~5@j7Ai6vsn&6z7y43vCp7B!=(AKG@z%z;nj>Jvp$XQxYh^i1k3l2j^qFC
zulAa!g<bq?X`LO~&?jW8h|{+*q5QkPT|8a$_ab*HFS^N>ykb;squ^idMQ=uTjw|0J
z%s;>R)=E3>OSClwNs{s~r=DD9LjDa>9P@Ol?33BowM&A~CTYGHR#Dd3CMA}M0AIbG
zKTP3`4Y7aXo0=!?c~!kKRMO7hn*O7EiK2Nj?e(VxTfog=STGW77i9ebQ0xtitoB$p
zKk^rBVz~DB*=r`pm3Qr6g@grd4ak0yjC276&B?&}Bm6FU-A=QXle=$7D7@8}eEw7h
zXWROk%uFQYpOv9}5U)l&bLfzxZugM;e(Y&=Id_(0RGw5;-3M22)1+hWqv?hAAXlZI
z%T|AGJzVv4YuIcsL={7RmJhAQ{oL}gHvlNVYr(Gv;I}y+9TWIwn}i%-xzPa=PZnMY
zeB$^+6)ZJsvaVm3V+ljVPru0#@OpR9SS|wp&1HJB@*|hUxhsw>I>?x3e&W45*;g0m
z*cGxbE^;3hMY!rBp8WJb6){SGW}{&G*Auvc+&%#`NkZ#sEv3dm)Z@wUfg>g5G)<eN
z=1npr=Ls6EnOMP})r6)M56OG8r!?N7kPeD5-&Z5_)ZJWdOW3p%E1Jr>w(OAF`BLkW
zh;0|;0MO=t%A=bTp=YbHSSQM<Fx<q_j|8~X#DZ0UEM6+>6DEGRB{KIHJjLoK%}Wz|
zjM-4;U#HN@wqQj^NBs8PI?d$t%AflbD3^d%ehc*V?FU=P)@uxuf5#mB3_8A}+n`8K
z7Qz?1l)fE{S_`uE7@sc{nMTa9%hyPgLvtr-7I|aa2bjb~y-PxP4Dw>=+r#G%duc5j
zYSi%y-&}NtZPkW&?01Xjei@ISs&NMXb%=mzF|>DKK&;%;`GxCzM!}T=0X)q`U_72B
zfd`M#Os|y;t6&LFoakOy$H5*{>-cpV?EjE?Na$fAha4y6YKHyVFn+)JRcuXZ#kWa(
zne7m=`oSPSnAW&Nw>9UVOFOGEpXygAtRDV3B~YlX0PdcVEjdz1N98%Ok~ER_gWC!f
z{+I4liMC+;YliiMOipji?h>AwnAXhZzt=FPNq@#uy<8cs75<@cw$lCX>DULhRvmWM
zVbavA0*F4ut8X4JGTpcVl^0hc&x&`78@7ea=lWq=8*$AnWcKb}Ex|+*sb;r^)7{ew
zDZw3oGWOZ&wS0_nE2%r=EIj}Gm};u>>_=Ak&ifmrqyK5l_`P)gs7u0PWuLZ^&(0Tn
zHB#sKW$Tn^&NrGLBk$T)6#L(|@}v9slTo}S?+u~Fr@PQpO!_s$QHQH;0dF;ASloUn
zW-W3P;L(;JpgCdE(j)1c9%4n%+-vqc>B_T-L88`eZz+be<(b?Mw?kWQ4|ap&iZcJ6
z+S~!dA$tSqYd{bW-?QGm`*4_c-`V_+c97ero*T#zc~_&;*_A)!<!eMtdxIcX0nuJw
zV6ec5k~oO!gX^2UK}@~D^f+q#Vo0Nlyr*+A>S-i4{U)8ld{MjO&F(f291^iRu<7{I
z#ZEkiQR1Sz@A_+{4=o!2^^@kx4`2E)UcR%oK`Og=+tfxN;O%UC`a@XLiDs#}-(_TT
z_GI5%8l<8C;5~KWm(%|ev6oiB$2Y-g=upZ(LhsAQ$8GtTn6GHZx%vCC!#)oT22SiH
z`%cYh{jv?FvCoG|)32%zowy+F2`&bJMY5PXp+nIqq0;&2->DwWKLm(X)<Tx??bSj@
z5NF7pM*ZqOQ_INcwX0X@XKEsq`D`{CBg=L9tT$?a`0+w$di-%<otuTW@w7erC*7L)
zj-}D2$6`y+_--+S2Yvg#KW)42=r#kv6U-O7lpf3L=320tiXsZmWK}!Tq84v<v&KoY
zzL;bQBOjj*El@RD+&Uhz_8SwEHYU+qx|*@HFc+-4qaUl`@?EnQ(b6ZEv%m|S0dJMc
z9pv(NJ9)0Wk0{6SAjRIlEgu4`(zkUN(7FKPN<v1<n*6miY@|;^U46ukx@JCJYJ$0l
z0u=St+}UOlvM9Q6%xHJ67_!gnw#XU4foP>esoo@KCCF`FRjn54y`^~S{%q{-^~a9|
z!jdIQ7m_%GTJAf)R8rd)1WKX0N>xy)4;=2l<0&t7blo}Y7HpW7W}(+IoAE8j|9hKK
z6*LYM&Ab@dzJdITw<9&t(MgKoym{uY!bcBO#{+9ck9vIePkrx<SPgDR<nDI3z5{%i
zx4=>3psB#I52{<>*VdZ8w&m?%2X?7z*AI_x-}#=@_|WG2BBQC262Y`G!ky(;n}qgk
zX>54`MB_!a3%xKHA7|BG+j35BHDUFoMC!@$jf(TdmTl9r4#>Wyis158$DLbH)-M;6
zC4<8H3MVW^X<7bGyCc1|^kyOHwZiyUi`f4x+WJ?nO30|&k%#gfT^(7OqEUal@7lF!
z0B(B|@2BzVTC50ull1J+TS`8F8^!seHz{vz%j?}{(88A)YiGu!O06(nUd5L$Tx)Fg
z291cHp*I3&%M^n{YPC|<PD@>{r$0fZKMC#cw*bMqaOW`zGTA$+dA`gH73bH_k8$Vo
zsCK296m}N&XJVZJZi{d9C^a$W`E&6hCoFq7(D@noW-jR;iEekV(OI*ATP^1Y?z%Gp
zdnMJ)A7vdb37_xz4PbnaOTHRz#LZ8E&OPEc^sZm|yV_e$cwQJZZi?5|b|d_u*BWym
ze$id}cq@L~CnUxq<RUC2WJUogl$)_g-!q9m-Yhn)gibcW#gQ)Pg=)KAnx_2`o$;oF
z-(%h(L*IZxVtjwnsQigU85G3~NS%-+-C+|@#0}?(3iZ?DgYxyO%B7FXrwLNefALKP
z$AP*%fqPEF1X6*=e4AO5zvuU(OZEV5yoRX*i#h(-97hG81{|`65a+|U8wPUaq<HkQ
z-s)vbHsJn2Hkf=edWLP1`NJ|341WKfsx6gk#x`fguq!YFst}KjFU2)%C(E4dqiJrO
zNLwaa6yop&#tfKu_DC2d6ODw%fN`P54ZoI{LaCO5j<n0k3TIb@3j?+q*&xUA76~ip
zL8-SmbgX8ouOz$w<|C75*1%DA*5ztLtDrJ0w|1wXZlaYZ0K=;I!s9L2rKTNX?eDQY
z!#4&N;*sEsXs<0@P)QCTrj9_+&J#34gqi2`!YrzFuvXalS-!!1Y4e<*ux#65{`o0r
zg&p<6IN%*uM-W0%^bQ@l_RVu6OFrM0v(x<geSCf}cL&HXX|t1jyx$i49KDFs2?4H9
zY<E2VWW=4qXV{h%-*mK+4Xlg_8hm8$9N_Za#b<jOExX%wd%X3V*#{woyYF5;9N}|b
z3BE>c{|Qiw02b#!9$gAuP4gNBZW5UOIzHG42eelOI_bjO{;1t9mhIq@bTAA{FG~ou
zsqtFwd$zi~RW}>AJB?T9_{Qgp^cjal+GM+|OG-=9JvWwLYzL$!qV8DvCE#A>)EU5M
z*Do5sS0Ov}{@xsw(kGpDM9(eE6|vb%TaUk;1363gyQBAGuwt`e>4btmFMxqcar~AZ
zIl(KxUWjCSgG5``N~3@Y3V0QTH6*WGOMIZ_9^GD|DJcsiu|Ov=JNDCCvbFFlEYH*1
zCvI#k@IsDlNT~vKDnuf^AQI04a<O^9casBA?cNq<usd{q!XRE3LairqMObO6`K;yq
zjq!?sNg#<+a3*9t_KL=4^hZdC(`+Vg7Xv%@8f6q(O8R0Bs-wy~{pZ}b>o@HD2qc+9
zytytn=#9DKJ9!oqJny)KYmxtq;`tjw2|yELtK@Qi^KmIAA9i-~q0vWR8K7iBJl7fg
zbkFcD=hnkmaW^Y$6=r`uv<LfrOKxKp{=3>D4Bq^0uhb%62D;+xRLEeFuO~h4xq#Pr
zLR3iO5Y4&3fB6Ki5_#s?2q-b!OcE-Y=(EHf<FfPHzV~Jt(v(o^Pj*H#_!Y{=aP%tn
zC8^Pvr@>Nw_=veoikLF<QP5GjiGxSY>d@H0qrC=dh<@L+B&Jh#u&Hcx+|B8Fp)rf3
zi%0R>iydNgH{8UP;)kl<vF_m7La)!<-%ekn+E`@-BCOMurG?7mn49`u6g77?$xast
zU*<7=qbeJ9ARZ?M+aqW<mV-lFYn2VHPvsp~f+IUp`Hgv|f}26QKs9uA2!yX5h@j>y
zNKM3di0=3bGl|-nBzD_}aJBKR#xHW=sDocM=LoEW`pbb!C0pT@Rqs=Tt-k$IsKl=h
z`OR9$H>+(%G#LcW2PyGuf6=`4C)Gw%6<VbiQuo)&NHxe42AJh(6tBdWl!oTvZnPC`
z;1)tb+Ee-U66ywaLv#v>3Q>9d2#x^cN2rThJeA#LRe+7Md($334k5OU%a&2LtBT_^
z(2DCjZtdv{`}k*9g##-=$h=wNQ`$=^p6}jeT)dl9b4K(VzPz~93Hw4SEj3ip$kM~C
zXtT_F@$^UR=X^U6=%a*fVDX0&EoaeaIeqm~_oLPt;@%$EEsy;=VS%&}(qP2pYk)qH
zIXj&_SHEZ2(b95`SMuL_b7}~0nml&15l{v0h!I|SSp+Z1=8)#4q$>3Y()t56D?N4F
zl82bCA1r8R32*YebrhpsNpK7(n6$xzz8SXJds!&?4$K>t%%f*%{(j99bl!Kl=W4n=
zQ)t11ukN$h+&~%6mgC>0Zu{}HB6!b+bT}W2TF2{QRgF1D`}w6jZk^kvH>I__o$5l)
z&)j6LS#M3%&P)ITYA+1ojD&0Ke~t`}c=pib56$->Klr$WTOGEQwyaA?bsA_t1w_^_
z3f(qMfeXKdOJ->da6$HbueJ%Y>$iQlU)dhCT?ap1=!kSv)c7^Yv*I-Q<vj+vl3Z-U
zFR-=bZ~U0=J}WrxLk<Y$DnW8mi7etubQsK1-*O)=2o+G4m+a0ZEy?#I+TL<>62!##
zbaF1L$Kf*5ge;Eb)8&;?jQi4$uus1xB;IdU^4IT*2jP&Bt4X#Uq97?Z%apYv7M5lJ
zM_R1rfmfER%;Ne<dr%tDuga}U@CBLGhPq|LlzJK;bTX_zqjAnc9%dtFq*Oy4zdRlB
z%b@c6n|1QLdTGpz$YA*}80d{lb6!2Yu!fg_+E9vu@xFh4o+<Fat{(qz|Aq9!{fG$m
zbazxi-H%rVyk(wd^kGZalV!Yoi4N#%FE7(Kt8pL%sB)uu7-O15ZE6>z`wb8GV=cWY
z87fZaBYuWVQ{<Yy%zz*>9mXL{MGtn(E|Ni}TG!aPwa!ErYPXh(Kl=O+nB1y~tv2XV
z2E1Bm#g;VK96(|loy@F;Tn%(5rB^I@>YlCoj3X@FSzIQMT{sRMM47vb1)>;v<utq)
znch=)a4ahdyL*bIM;fKIOW*ZYv1jJ>*mnFHO)JK0`YB(hEN9IeG|DHL^OOIUkyJXp
zc^$vCS0y8v35TwHSRF`ksHH3$&UcfJQXEuOo4w2@eR9K%kgC%2qNZtSwMzXSKg}jf
zf8U4zsq^fiaAv-W!-^w_pO@8Cqti~yWT|hQmyq3GFue^V3KOmYQ;WepC?C`XH01Q>
zZZpC7j8C;J`y%h^Yu6RTYabkTMyT7{dfbUar^O3YxMk_33nUs1?~}<Fgjz^EyBpJr
zEeP<^-z$#iW>OnA-zuxD6*dcFVr9+-cyZh?+s<cq<GXhwoaBMLbJ+^$kxd}`4T}bA
zdlOMNG&5bVo~4ygRj-sTD|(WqDlc*5*ZXpH^T3yExUO;oK=@Teo_qqe;Betm;#gwf
zn#c}qqX*dom8-K`&@TJSac#;CB4lq=+QP5-E6omtoQ$Gc3^*R@7M@JnRUX&J)(4#8
zDn4c&h=%Cyb@2fb#*@QET*&*~MvL;J%NDbGF7^~S)06EFN*)U*wI74pO+mi)?gNl+
zcbf9azC6FpCqE|H^$3i^C+mkHPk;8c5C0b3*g>|2l@IaIN$J<;%nhFA?90rH25`}e
z@H*>%%X!8fpaEZ0)WAr~M1405Gz+7Z*;wuP(VO1ZeG+p5Xz0;FgOZvvG`V7AVPZY9
zaNWoYy-PwOvUY?wNg_eVK7KY*h2qUqLa*BcGU5;L(h|<&G2@_y!&nvDI5rXii@-HJ
zj4Ki*gm>F8^--jEqa}sUwS9~@ERl*;v1RcXT`BuM%=m-t!W3?^_4o&oHY{emL*R{7
znAU1=30^*HSyyd|(dlchP8=Iq+-fq3A38lGE0Z>2N*$1Bk4(ogl=L_3OGvs-ef2!-
z57C??chj+uJ`;N^$VsiELB+Ie2R)<YCCdRY#N_2igo1(qe2Y4E0h4gAJD{jXjOws>
zJK{C{QO6eR*VBel9IqRh@xII9I@$kI%$bKJovm@a+tf9!Oi^#kkY0C45tnqdD>yoe
z3ylhTRYFbEXfbzl!9;UOLCjInQVh+aWim}_N(*b;a>1Kvrs6^YxrK=+L5Su2w14OS
z`~P{)bDrnC=Y8JudEf6BEoF0_0QbpC66qkkc)xpGGJmKRSX;0piNc+=a7_0j2Iq>C
z5w*^}wR4hrJTk<~xk(i@nwB0Mj!Tr{1AS5T4j*|hlD~@ADJJREzIbx-VngF(kDhq@
zVUaK+iq`ciF~u#aY_FQW_@vDZ((?zOr#b^rVd?uaBGS2fyqfOx6$pVBUvPh+*D7)W
zQrh1w5wc(_3FhMiJaUuXwYZ5A4OX}3WlnVUf<t_QCsjUziL-CBc4_y}HVvy>f@TjO
zmFH-amR`S*Px$9@@@68<<P}XZsEX$LKI0?atJ+Q@-KtgRv6jsjQ2Klc)U}?@VPE*)
zDumEK+ls4MZWqRZX5+^gAK%`47HxF{bBk8_iICB6mfZpQv6$niUA*6h&@5<UM$SZJ
z+9y-PuyN_Kh55&Ynl_X?F5FA^iZu@2^;`GNo+T1ur1vQ_mxuI3fKADln`)kq_dTzi
z-j3S3|D+HRi>>f+dPqVEo7w#<T}&Tcv_aB2`mnwbjbT2r1!h{ttz4HKOxQky$rhsF
zyF!`stNgSVCLAk0QORlWM4KJU;@dO}_O5K<_KT))61fj!#62!6{zTA=j_8s*I;qrm
zjM^XavfS}IAbxyuTB84G{=&B6*|i;eoNTq^%yXC3V8<e4@<hz+vBb$t2WH4pZgT;n
zhXEhl`2mR#UooNAnI3O4sOwfrA;g&sq5(0Xh5;pl-mU-|$$rSaxb2h+#)WXMq4x8s
z+4Z>f@uAkqhQ?67HB`?fh_xOi=ULsNXSb;sekm6GAsW^hu54CSc|{Ue2)`y%c|Z!r
z2|83}I`$GW))tX!`W!9ZN_Rez9UXZ%mUC+FlyYn9nb30?KQ)zWjxi$MefwbH{t%&!
zpqRg5*XiK7E5IWgn*SQo@I?}S)h+$i`~J70#bwx)uC#?P4#U;AKb>U{)$(qy-g1&#
zh`v+(v!bfZ)cDc__34A^o}v`blJoHi%&d49LMUq2ez)uU60oMzedUSMSwkJC4LH6o
zMx~~EY(2L1DF6L~8*LhbtbU-VTDp{}Mz0(li6QU896lN!PNIM(x~yr(HMMo~l}w*t
zuSinn*E%rv4)m;}-E@w8mAl%Ryn?iS2&dXBqVDacXm*F{T3olp*ej*;!p9dsol>HT
z4ovI%Rrne|byM&a?^`}d##A129sfDu-78S$DWYeGsLL!Wdz6h{0Ttb7uEd~GSDjYp
z44*iCd-;-@z>1MwNlV?Ob}hPo%x;Dsv;(XXi*zHyoy!1raKQFsmV7odry3sJp2II&
zdgA~2^}_wos}hbmP0@5@@%dU7aOZ_3UqC>?rwQo6XLS(AF^J=PB0FcENwf8dp<McS
z|DoWE8gEj>UFDrpW}oNo%~b57im%Zz4zk2@ZkMKs4Yv=c|0k;sGN@X$L5KIKUndo|
zrdoDD9G6{pORH?hG6Z((d*Fr&V?CcqHL|m`AW+Ko;hE&lm27vo->#ztq#M^v3)tdj
zO{e8G1`KJmWow3_RLJI2W)uOvwg(W(|5}yQKBs#7H$ktaM;Y_TrP!-k{84v9kzBFn
z6psd#&GnW&xkx%=eR5!pQVs;N21h9aVWl7e32{Oz$G3ANMGIf)+dgt?Lue_}xY@(=
zOFcD?jLaZ`STl`9&~8F)v9dGT&V8nI$~?uSP2>Atit*{06y&mz8q>&K*ccazu4jR9
z@Zaqi3n*S113q~}aA{U*0WsvtS)Mz+=9!?xY#v-$m=9n@jPxj1Yw)4l=M#oRRSC1#
zZqVii(XPz~_wA?L-31D>AkZ=CmvS>cj`5fgy8+xWrT>ytv`Y6gTv|Tv^lh2iA}3Fb
zk5+Z9b>7$T^M^M8n1@jSRO)T36dm!#3w=C|r%!TIM>CV)*WHSZ{QbWVrQ&_q8(fr%
z6V*;%y}NJejqeACz%3~?&F~Xx!+P4V5}2libKSYE#{Cz<Tq=T~ku!cQg7)PE0@8zD
z)I+|Lrgv+pkL#7Mqs{?W95Ig%T3EW+VUVAvz7ss-Zaom*(4kaM1QXn?%_?@0-W>{$
z<TXVtj@~n(%}tHUeh{?;Y+}$eAUGFYdB}EIeuwHPTIMgR$_;SqmPVo<cZMc*qUIuA
zPt*n)A$Ak@B^BSq8-*CogFH{=c&i^gc*J#xcm3Kg_<XyPN6Dvkdhe;j4jywIax5jN
z|7v&!<SFzx;BXl5DpIME^ad*jZX+DO*fZ#BdA2Yfn`H0I`18LT2bh*=0tcu;B6QL8
z15iCQ+1(FGamPA>z`B3Dhr_lh@NLJE_0d0Xwj4H~AkZug5o8R6rl#5hMoM!Q^Vn~+
z_mb0h1Mg!iG;SW6cu6DyP9K1?(0C_aM$63`w6ka&-v)!&pO13=j>q?ww;F8`-w@_#
z1>g!*>ixun8=#u@8t^kwZEJMpr@ZHO!t5TXe<f~i)MDeyMW0yWT!x-qbFiWJC~{5)
z1-!7tZG^%i*k4v^8Jx{z15GlDSwhTkv0Ux|^vtY^(vn&NHkTazzxz~eMlJ2{%&~CR
c{PlnQDYuRZNr4Cem#;0JZr-j9E@9b!0nn}>FaQ7m

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeLinuxEnclaveBreakpoint.png b/docs/GettingStartedDocs/images/VSCodeLinuxEnclaveBreakpoint.png
new file mode 100644
index 0000000000000000000000000000000000000000..79474a78bb05c30660fa07563fe3473de8772291
GIT binary patch
literal 113286
zcma&O2Ut^Gw=GQXNEZ+xf)G?nC<@Y%BA_5(p-2fu6kh2afrMT}=~bE(MWq+%5CTY5
zsz?hR>7hdcA<4h-eZTLV^Pl_O=RS`TV|MmlYp%KG9CM7hh&Fhj#YlIFj)a7SQAb<j
zAqfeEE(r;_Dh(CzKa$U|`oIgR$3rbOlCpuz>%bd|7kBjTkdRcy(VtmU0`F;EwM{)p
zNG^1o|0V5q`Sgs0g!n;6<IZDW%Pl<Z&&y9z=VEM{l;Y}Us+*|3Fc(k>-h8irAQ~L@
zJU)JifhH_WkV@x@sv1q_V^v9ZvM{dKrjPlbJTiDZ{6zDKq^BWzyLQ{D+#3qT9Bnw`
zjt&l9PWShZV_JMH3HmDoC^wt#<cx%jxiom`kr}t!u`-T9GN6Gd&*Im$+?!+}Yg+Y8
zXVB^>j#-U{KkWPmo|=*^d`#tEZ^I5j?7Hkm#D6{wV;+GUNEn*nul~6h_@Pa_gVeD8
zzuv%!MOQq>KLfYl<v(-Ml;g_w;`^<@#EP&O=l}6Nt^SbSFiH^=cU|CIb|o%Z0rwMr
zl;zQX;Cy!W`y)I`$lQ~@82+#4(yXgIW!3GnY;3%d8k7m|W>h$V&Q$o^c&rTZ-SDV>
z@V_sAcTu-X^y$vP1SVL)b_eq%w@JUjdX7-eQu2yF)ioh)?j(C|&k8qY3@vq$jTu82
z`R*dAXL^%_@yF=8xoz0#XzuCYP`R1oWYstPZlsFi%UlUdZV$*oJ3XYHNg3N#YEs!=
zlVmfWZu>yYOl2f?ljLAhWSn)IrQUcx$9j_X+`v8as|SNBgWo>tWqv=MS)8b}b)IST
z`p771Qqk73*Tv(!jj}0cBK;iF+w(1RhC7Z>zKs%bc29bI^6A5Pz4UQ2XhB58#rs9z
zCPK!yNhzck7%p1*Y`3F_v|YLHE3}A$E$T`mgv3s#)u=sGkhk~M!<Ogq=_A5X(x$z7
z3KU6}y2(k2O;Rf@+3yjzolj94kJ}xy$2BQFSSm8Lzf_av>df}01M6S}Y7$<EUrUeA
zBO9<ralX##Z+swqG)-ED^qC7BZx$9l(wQUwy~9`L)4<dY-aDKl!Q+vQK5Y?IH3%lZ
z9d3uEd*tZ;^eN4ez=x_(75w2N6)kLMYtB+W+}MEAR_n4wS)B0cqnpkbbv%l?N51=t
zGOI7vNL~Dy0$V?jf#`VX(L{%CI-VY`f7J8cEUkO>Kq6RXH!1h5v(&U2{5(?y-s->8
zf<dV>DX~}o=6@n_@--XMDBbEkb&xro<IVQ*huf;y?8ZR-iG@#>*v=TY*ZPxLVhI~j
zNR4Z-omKoM*BPc2qvQkJ<DGY2Qi#qJ=&@d6`I+Hg;~@X&A|f-dyyvw8CUOE7lO|Ho
z0VX-{yfxj6?2r-K=9xRJpEaJnR_;}{Sl^eXX5l;>vl>ig%jHO`vLe0H0*)#4XPN5p
zKv6B7vDoA#8TLEpZQgu@;4Q@C?`^OJcqK;RNX`T!0`zIhUA8*FUhV$WX9mAw5qf`&
zwuwkXUs+ea9)RD3#(hu7scy!MFc(`IsXP^O*fuD`xgV|>!p+|)-F-jl$0C7X-t}Y%
zgso5pj*pY^3uYj1q?54d8I?YL0_k|oYEJy|TIk9X3GQ^MG5p3`NWC=Qsc{Ze{wzbm
zcKo_eSFP*}w`}VYVV1GHkyaY=83#Z5L1ewteec{t4k5G@tb)lC7bw}V{X~khtrsdD
zO+Gti(}@+QoQcPgy3SknY`Iw5tF8OpNAt+ggeMfI{r9VvPt=28+L`;2)OgL@!kle*
z`n3Ya!zVV)$5Ss80)MLGcbUX%ziD+R*Gg)+XC<zD<sNe8(#MF^6hKFqxas>2(<m<c
zSN6gbPDMTPR;Sf4ENgzwDTS3`2VsE@&@@|~@%LG53zc^pzGq@LA&wJi^|yu9h(>py
zhiPUOe0)C1wpq82*Qop4X7ZK0uHiL^!Lw=gTyd8{8S2~xIXrtQT=x0{b*|fH{Albw
zl{+H=YbQxgmxb4Tnof1JC+9DVzk&~Yz56_O!F6UGq4lm%Ied<>ebYj_QAKca=t5sf
zE4z@Bxx@Rwz(FT!hXZET0lyK{bL+Q=H<b=0*oB6Chhwhb=c}6bUt8m4l-0D^1Il?y
zLTD!%y^3*b1#!*xWR=Sbb0@L>Tb13qbIs3MJDypMuwyo56*mWb=b^XikNmgmQfC&a
z!1~cx*wI^HIRJx)(d$Wv&~_$(h}iBUd40vbuoEu*s4+x*p~|Ov?xnb*GnRIcq2T4k
zn9Lf%%XuyeZ6NmS`7oLFNN1kbHMY}>$GscnXTxgTgd)o6sA6LJdSK_hdyOQHQ8C!6
zxiYz7Cu>lyl+o6v9IewD`Dr-)17fgd$S1r3f)}51EWwn@8+O3PS8jCYat71eobHO;
zQxjV=deYq#TP6dhTvp@3Y~_nKqpNxfLrd{ej%MAwOX|65!_<L^uy$j5%2&-3S`FVB
zl^2S;MbK@;6l2T1-|o6zN=lH@pxROsd-bXNnM_LXi7u3ObH&^<SAo@=L#x8IUvGm~
z-5&DtJ{sVd$ZYu7am-@7I*{F}TgPoFavCtUrz&lmD3AR)y*qCEvvLSDc>xzn_zO{?
z^f?rvLbBAArj%VH5b;yNZBe68pDf^LPGY^752C76V{Or~%ece4tHr%|U*!W-%_R2r
z2sF@zLxrW_D<ghbtvLszgqTP@p!eRRZrqu;t5_2}F~w<D;Xu6EzQ><)3vT+pRrxMg
zsB-G7tf=yCj$dQASB}3F!&XUD&vxZCMZdr8OgOkRK92ho!?pWOct9_M6P@-;h5vFc
zkXS3N&H7lhx<`)MCD}&AVY{KA<^1t5YIDv|Qwh@PTBn2j-p`MUP)YjA4yWw=k0df~
z`n|@z{ax1}?M%#5Sn2_do&0#2yDMT)vtta!L0D?UXz$k#sV>vZSqrplCtBs#ky5aC
z_B^$-If7`+1qGw*4P!G^oOh>;2{iL7qR{kZrtsFvI`Z|*){~`2!go{&6)(*u;P^;7
zE3-JgHtcd--mLzmf-_{zDM!~|91ir;3)rCxTMII(bMrC!>uej=W&~`%azLSF^?Mg<
z+$lZvafkBLqo@4WQ@?)`t3$CW<TPGT9@eT{UxG*;nj@i(3w~B7b##mUN5Xav-7{6|
zu;=K_6B=97K$iK;$K@On<EO13bpB$(C!Guh)}F>;cT+ZF7{m|1GAt{0N_Ht}JD%Py
z%I+rlefrKmq9X8+R_B7v#~Ir~qI@cI*H7Dfnbgtcb;C@ZiIVxcT_w06{p734QwfMt
zdl5(dW9x1cL#^ZAI}&}%E}=h1aUst4`{v1^8CvKVw}qT5PGpXe7=|kzA8|rns!!q8
zNgmYGYcV+@8RUQu^T=SW%y2ProvbR8-L;2i#~qDTxpyZxgJe9LG>5!c9$`qQuXUK`
z=>@(SW(o}GzzeEGe-5Nb-du{2`Z?Nty99!(D9CxEIdE%If1fRLmikxvtu@ZY{`z_0
zaj3m|le;*n65qs7Yo}15g{WooZCN9{bFhD#6{qgX_l%`kI580N&fM)A$47mZ5z3^`
zqp0$71OSZCVm@8B${P{kK4~aiq!(eESH*kjx#d#~v9B1;%g-u83i!j#>UN6hQznJB
zw<E9fDuHnAY5TR$i`#i<pYjgDq^%4;O}W?yqB;rX7@$7=K&*fNV2#|MteYjoeKU@)
z%O1ZF!MIkdo_Xv-d1yvhD}YXL@=PU2S}R<x`=0xTcbfVBVG$v8nyxXo@v?^?^kPYa
zgAeGL^34${qv`jM1;zCfMx3xmS$9JB^OUc2UHs#@$sc%qCJqDM=O{y~kB<UODi5*k
zFu}2x;e|^vGM@g8AXPXr`DApOmD&z1&#ALo8LKpqwrf6yJ4ID$%dg(tO*m$jMe|)F
z$b)MQKi08yoK9a2lRSdu_zg|lL$b&-I2*w8kz6LjA?}miN>6O=TktA0e>_xP?5Xc~
z^^j_0h0IPqkDZzPH!CQ2?ZsMX)vm9@$SJ)6$Zl%z3w2@atX3c@(sQl^w(dIu?z4jq
zX7Gt9|GqpFsH*sKw!M`u>bjfj8_&70LS?eaNX8>ChJgH>Lm||-6L~aGt#xpvwpk;*
zLg;At9b5_G0JG*HnSQ0nAH^}yP{TRpDLQf3O!DSQH-BL+@|I*eWs={)il5&6$4uw_
zxZhSBgBxSTdUMT%bYMgk;pO%l-W^}qL7)2eqC+*xG;MBcpnjD}z`Vk>09ayKqWnJq
z<_8`4p(RBzoWFi}@vcisB%Hym`XUrnDAXIo6kw<oF#YyySk>SDKKwef0a(X!q(11D
z45`;4NN7_3($%eNqfRk;rzLo^J5%w5O*vHsso5HDLu#)*JL6L^9D1Yp7Ux58{4YGm
zP;NzuX`)RYgVQF2Cok?eDG*)Worg~vAa^X##nrv$V8iRlM=S(H;=fOgA6S38Cto(9
z|7Dy`r(4!hzgGS5%+zCYz$3vkr_i>1aLg6d&C{(^a<wp9-;Z{hX;6BGIxFqz&x^V7
z5+7#=rI}vwI7Jdz)whFpk+wd&TJXKw#S@ir?!~-s$d4ANGiRArEyt6j-tTlYn#Z?B
z{C<^lR2$@N01m7k!fWz0B2>HLWd<tXuRup`p!WI?Wn<-qe$^}AFBOBgfIlx;n3>!@
z1oA>L-0zu~tG+QE8GKx_0(l*x)^1zt(({U3_A!ATtE({cNn`DJg|8>c>m0l`$<v!+
zD>RRzK4LZ=zZ!Ov>w5?-Or8r7L0+lRcjevu&bO(rFR!+0YIEq`6{{b~cI&8{X^1KJ
zN-DZJYwUhp#k>8ciD(xFv8<fSKG}zA4ORXtn+NRWkC$)=@f#7<5}j+X<nM{bcaOhu
z$~x#sxh{2qr1qRRI+HP1NTMNd(V@sf<pTXRvkBr5lT36ZUU5ePDZGIM;a*(`suA;A
zD7XDeen^cDThdZ^7@_<=w-FL@mM|9hEp4x2r!<7nLtMGfy`tSZly})%P8qEn$t;|8
zb!!u1zE&{H6nIqmtJNC17oAzTRZ!-v@Mi3S1l)aly{d4jY>+AF)oJ<*bb+{y)%5G|
zleVJcB)@yW^8VVR{5x$Y_nukvtmgkz=icbu6AWd#tg!iRboH<L+{e_b+>Q>bk1X4d
zI}S{y+GWZ>TT28{yNlMkEx9+r=z_WqAY#u^FJDR}guxZ8Mwf=i6$3oUK4Vyz0-1R>
zOz{yGi5gq#YiUkFwFaDfhgs{e_vRRu_q@scunB$st@3S<<0&lh=7U3WZQYi*V-`-F
z6er1aW9%El@k+;soOU)$EO!Q~_+y>xu6>G;qqPkSq)L~Sqdwvql9dA)f^CCAeL}Gu
zY)jo3`+$4Aa>hrJ!D82Izvp#c%skYe;!sgCQo6u6^=mGWq&Aoj($}HfF9-HoRxmP&
zV`jChpaZ8_zWR))+nTHve%_(axP<?>IbI$&xgURWAxUtcY3r#^S1^2XzBac(8hW-#
zW7NWY9+<DDlQge!P@50c3YHMU=RX!Nku~%#t;Fz1^|?xSrLmn9*vvF9M3RfZ!=91`
zR-95S$0bcH$3+m9$W&(F?{Q!_wljjTDPMsUJ}W4~2`RJc*NL?@IxEEcr4s1uwPN2M
zv(+%Rz7n4=?j8|uKcQ}%%Tv1iNF;2D`d4LJvpr~?yl>C$;Xr~b%rgK>_L(Oqx8Av8
zZs6n_YJF3mrdzCANl~T!;MPl!mmQ(RL`wOJM}%z*<b%%9Q_`gxn><DbCcz((IVzJ~
zdlyxBLm3{pG8|QQH@qKwf(^qpUg&cZTgpm!X_l-110~&Y+<stEM>zyqk4z2^lkC8k
z_|f2xxV}NBM#kS_HwfVvWheC+L4HykSJTgqub*&&ZJb^PoVbd9JXMeR$0PE<UmoIa
z22{Bf07xra<-o|VKUyoo7*Yf4T^^^@C-{7Xt3zHDm#^Ha6=BOU1X9up*$&-)X*lF_
zsJWsUuN=9Q=)C}$qjxRKi(62fXZ!t7IE$Lpjul#$*Bx6`GtsD0v4E<HHJx&!(>c)F
zkXCJa80$gTa~5&*RL(n$;g+jjGf<O%o`1J>3rT^WLckFY<eR@r4=}xx)h{xSZvvD;
z+euo9&kNKM?#VIXXW&UVqRiu0i;DDSm`S^4UB#&u&AKR7tpK5#G)va4B^(@fNLLCj
zRcA!0dnHcjoT8NnJmQ$89#2$QtBdd2JSm3N^#DQUYHCm_1)IcQ1MWUugxn@+Z}?j4
z*%@)#<JSP^jHbsvEpw{tuviI!MNK~PO#dRn_gI`=R~r&?z_R)wihO~1k9-R=>c>;Y
zP!Z6V52c_`>OO1Iq~TXjN~L6z@a`hR#K|hH4osdF@~8yntS5#2L#@QSBln+X|11>y
zAv6;iLc4w|{*$*l`xUok!$=rg5kLVkSWF3|*M$5pCgxiDwe!LJLlPAd-&^IMPyKI3
zDJ-548WP>U0s7}Hv)U;W9hmNaP&xnY22$ziHyv2{3n@xA-!eG;w+}`(!=h)}+DP~d
z--eB+d+{dbb#rrCcqZ^TGVplI@P{3;U%mV0N+3nt$q-dHCI)&Yz@5M5k1<#*sg4+{
zY*k@Xd#VL}@ykm)f{$I7hQE-}M2C~RaW|dG$u*!<Ba?ygu*Lt=6<U-r;#DfH&$#t3
z7#ti{bD<1k{(@cal$s6<kY7|Kg)s~kzTYEdZnqlc>qStV&ML9fd`pxbR2)4c=+Zdw
znnQt$>Hp)!6SUtFA@Gy$eO!oV|Bv^dNO-1alzJrthn^#ZoZvH<N95~UU9)@dvC)Cm
zLI3$lck+!aEcQ7tA0UB~feZ9dSHzJS!tTEwT0iSL(|dz$^Hfls{6F7?1-blP8u5^O
zIt_)uaw5>MC0SU<zouG0@TFMyTKXaRe>7-CsD|FG#eO&>V3@drDaTKhXUyf&@|T8g
z7B}`S#~k@&7)WqW8A$Ml#miU;Sv*^7w^gn|?tNu-lDavB*+w!X))+{f{Fpn_!-ydE
zi&ro&)U-F}PusmN(t+9aA^^Al4=X7FSjU(9x62t7MG{mJp~99)n^e?fng(4`5%X7Q
zIBkH|7w6(pH7P%q<zi58g^9U*j%Lb&Jm%2)0oN8oiFKxH=>WUQQ;{ex<+&gUnwrNx
zjh5lQ1bCDc_(pm_133LG0=G(RmZeDI@Q-UWgN=`2(zXI7EN*%`b{4U{$&{!ZIaYV>
zt|J!g495BpK+bquP-DYOmqUE8Nr-#E)1zsfI*O#=4El{FjEBMG-HhMU;=g8Ee*HkW
z=gj5!d^4{*iY}hXR;m9nLyU}^QOf0W&5SMaAs?l-Ihy(gZ*no_FX6g)?g~#R*_yE_
zA-x8`rsWT-Ar)B{Q0L@3$YYExPq9zR3vTscdR}7{0^PEw0TWSYgsd(l3~EVd$|b@;
z0(txuLMV6M5E2o9*-2sgc$!t+510rD=g~(h9>o^|MoSxrg-zQjDsHlHEYU-@`Q(N3
z!dL2u8Y?pEXSiwjf_K2CO1+cInL-`<h}bcM9e|!xNolgtT;<s@+wn$t7tFOD__+AU
zD*Cic`#x)F+6(7FwWuJbXAaiy$hwS~SHp@`DJB)+&&6NUf{D%I>5t*pi*O;mztf-#
zeDE_j%-O+U6K)4FR|-YU9=;T=L%A2@CI?}uJXkX~s(*W)F-xr@_a>jeW7~{tNByhG
z2u98ZEfDXn4ElbfzCx_ry2XF(atUcJN;cO64AI5s1l^6Q-{aIeoBnaw|EoR|zDwLI
zzW!W%nyU`-6dfL#*-BKo&!Ou%&4PTkWl{}AKU+L(u;gmk`$_EAdsqEwmXLgMKX9^E
zmZ-mDJLbd@C5VB+>J;{=G4&h@Y290oR`tDbtsXH7hrOh-cE`)<El)HgDjnbDT}d~0
zMY`5Gj6TPFmmc&TUT#>;@o4f!O9f6-YQ%ddGf_RgsC!Y=WS+1OA&%JLLzx0fxil-O
zfFL{5d9QKbeY13FMmSg3N9A<5rVmsfVO8aKV1nrYJ;2Cd*W~#{j7nUgxT*0QUNV`-
zQVr<ZY1BeTq+TXf;5qZuIMVGsx*=IE?OxdA+k44pJt1u-v0%>Qe(p(|nBS?AEU|5L
zJKv!iEl>AdVP&o=VdZ>JqT2)3?>jG}J~$&=Aa`STw($D(9^#D?W$HGf7L7j{LCUC_
zA6asvwv&nHdskP1GD)g}B54fMyzpxl-sj@tzch&YZpS0wHPxG1klT>iicvxRybp<+
zd@gFSLz(#7zjXokFx5)RY4|S)vo&gBJf!y>uJyOm?lAC;P6rRvSU15g@JXCA$ZlMb
z7&)so?!d{c+g4`mjn(o1KZvG(_GndaFTd|dAIekx^_~hXxV^1S&<9{lA@72C6};17
z=%5fCQo`9F5rtpmMC?)v)1Hir4|iVD7Wtkf*WYq5ps<abBeqgc7aK#@X9EuOh}U5l
zl*dGz@FDzniZN=Ua;bT696>nJ<|W|?=p@eg%)P~4`Dj;t8ZLFH-q*$`i!zAQq*=dU
zG?J309x3h(f-BC<cs?>`zr*dgOY8Iwc_p1e=&905PQulh!%gR6;gOi!SK}7P6LqLX
z;Rh#p9b?DJ&FfQQ>EClz=9IAWq0YEt^v4!x+qwPK&h2k?@FQWVX>GV}#x5@R5N9iH
zW;=eB1+1GsZy9*>1T%6U@=YV@cYj*b4h++@-IH)NVP6zTZGW6T*_ua0#MyUq4%cl{
z){JqIg<0L3Dd#m;^h$Mc8Jj83IOch9=4Ww@)YtsOo0N;T-EVz1LHJe|+u!K!jgW5~
zJ}t}rR_ZxcV`8B_bZLpmtG5N-k@)56^rS}0HsD~y_)H0h5C@l37`rZs2HSFhT@09A
zmo5mdjTOrbf+G$T5KDxOa>5s}{ODWpMnN>el2L2?s!`066arm)OWk<yHHaErtvZrI
zIf@i?JroaUR9-3;T6GyeA)TxV6h~LK+Kh3`YVt8Dp1&z=dUo)$3_h3{H^XN;vwPd4
z`Y#M5)+GVsTA@(=sKxH$#U4~(T%#f97+=dJxskWfil2I)n19jcSv|aPp1&=^4upSv
z0nKI9DK58~pGcvdpr?sVRvYF%$Yi-n`OfE4H4fWvWoM(Jzyhg?hePVyz*c=TrlUUB
zL@kYG*Ofogj->&U#4THeQ}ab53nU3bCAZ9qbz7c&;G|CE^Go0Ww|8=TOU+&EiuE#9
zI<!!MmH0NShZ6f;3Q9&HNOYl<l*5W3B$4J99b3g#gpj2{MoU2Lx&1hFpMOtZ&v~`M
zbJXpjakF8+?=EcWLZevvn@e7KMHyB3p1KmjOsS6vM^K_y{~v2=vw}(b_#gBX{bm{_
z%clmcs6l__A^3Mxu#*LK<wD$GA<O|uAwwhAsHdjATA5hZ+;def^;$^PpmL_6&THXL
z$9F(FSY^{!G(0IdN!DVuN?wB7CUDt;asm3bv;OFp*`}8|KZTnhn6LZ}FN?0~L=KhH
z73B>pC~mV5ns%S(+TbYS!SIG8^=RGpLGPg*lvvASc2ebh@+^37&THJla=9(Q%5wQK
z$%5beRnuvSLD{*0Y9c$dGx<P+`Odf3vdMqET!6u`u@^L_85h`}E$!WQ*xQkN)|-pn
zF~nj<a|u7w(5Qw{d=c?5_w2?f@kE7KREN|b_s1WN2g(ufb;RSj0A45RC}HC6jN{ms
zCz83AcVfV6FRE>5&x6u;fM46?^<LlBY7VN{oI!Zg%gjElW0V6{=;e;e`YMUJAGS0$
zM(91D30bB(7t?_~j0_|kQr1Ub)C=bZ^u-8{n|r+VUrx~4$p6FYo0fAoUQai7?-e4r
zkhFOxR6Soyw-Sg$pKb3LZL_Ap;d`8L>(dn^5Mor*wO@5osZsDHvAC(9eT@%xGQGn}
z2fj95e4hf_^E$;fJh~?3XF2fFnJ^I+KVU0l;a9)c<+k0yRCMB#Qexq6_&ru?VxD|%
zNIWY2O0Sd#<z$2}e>-{K2n8EfCtnmN09(5~G1uZ>H+OgB&9doPg^SR%y*luriH(*C
zr(_2~@Tfeg#{GM^9}a|}JrcsS&Wm486OR%Kmis9{du(Ufae~aU-mYNEREAQZ3;Mt6
zX|Q&-$uXZYQl6*JCK_o>zz@*e2}W_J)qTM4qy9zan;JC1+9ZbLfI`g_bw$9vN7-@r
zThT?GiZ8d=b(zg#1hF~8{UNmJx83sn(O<_=TA;w?!Gq_WtnYVbLNfrZ(JmgGuA5Wc
zV}WZ&?A!6=Vk<Lmm$vk}m%C3gV*EtSgxerwV$H|mqefIq;5YpNKkxGOHu$>xL&;G3
zA-(l(OEW+TzG>6@?$*mdIle)^)Agc2?(Gat%iHosb*8}D=w{uX|K<_obiHFvdAXlC
zHu3CTo^43<(cu1%P#_9vKkX$=q+k<!W^V>)EE{H(iKpSdi!P;>{9&GaBI|t}UgK{)
zRItdKn3f&AVif0M2yLGgZa&l|M8{q|KSqC|+9-XE3rj9SD^**nA<wR201ab77xlAf
zg)vo{p*h!~!VbUF>CvpZhuEX$h;GfTYoRl&cN6<aS1fWB)VVK1MTW)IiUGClLWw}|
znvfl{T##L81zDzJjIRx;_3|KLYf#{bntY#Y;9RmKQr=$ItS~*tq0bHIz_=W@G$+KI
z%Dbuq1>&UGM2+mjBHfkJX>=JJJ@=}@=_LMG(rrV-XPgPsq{k$PnDE&!Z$13_<jQL+
zAzF6>nybc^4IiC(q*nxp9v#@Gxd)XLo{uEfZ#GaS)j&J$Jaie;AtPX4OzvAT7IGwp
z(Qc{7$3Fp8eYvV<MN7%nVxv*e|KY;o2Ir5DwBS$WxFYmFeyihODbfcc94rD%m2x7#
zpC{S$HTopWfRD7S+Ks`-Y?;Ty(Q=DXss(rhV+yvd0=`o)E$pFE=UuY6{X&8R@xc%f
zN6@bXwc<b?SG&jG@i=t{^vMa3(e@=#uqCfADJK6xBmy<3+OZ{<Xo+_ibl4v4NAZ7(
z+wsKKY_&v13Eid^*3a28es@#k-MO_sW{2n$@%2vP3Gkh%FRW+H5>r$YwE=w;i_9?Y
zwMJt?=Z}_ss?j3d#$f{Epyg`pS-(H(9ljX<7n@Ttv1GT~XYWOLrbZ{L-||W;Zad~g
z_ub9O@1|zqA<=h6$`|HA%BAu;+DiSY)Gx1;#tZ7&8<Gn|G@E~ovJ%LTu(TudAGr_R
z%Q$p5y+gs~*g?Iw_c@S;Kl>Yi<w7`{)FdVmDy@C*Gtyck+R2VJqlRdu9kJg<(glS^
zDmFEq))nEIjp@N5KkKFjr&T6**h~3547%<^C1syV40ltS<VWU=*DSpOf&<%B#HGKJ
zn-TQ%9r&+jz`CT>ws(G+>o<Y;ezl~?<P6;5`_6C|SvXpJ?<Q6#tI_J=Bw&YUt2<|2
zErBKOl>vQ)JZOEc^!Zv9cne&s7nzG%H%@d^teTy{wli+e=FXwFPY#1J5sg`#+pnz>
zBazqA!)$0x8r(mun^CdrGVC(-`p@p)oR5R2iZT6CeM)K*3hShbn@7QLgo*M&)laH(
zNns2@?$P9j_n5CI<x;20=k?@I)8Z&q#L`I|ueNTnsmaIv$?@6>a3d~zYqDr@)~j2Q
z`Q(Xz`BC4sXKNB%#wOpM7~hc?*16rM0sQoyfZV}diG9%bmGNlgbX?~gW3j@FxIC_g
z(AK&+N=8=XF?d|Zg@`i+9xAVZx}j4Y%5&C<YCOO-#X8Hp;CDBX8nvZ9>0xnbh6tZ@
zt6RNw2)xq)Wx2q+dH-bbLA8Ife%}>#-9~&Ft71g;dBrpOR?FSH1qV&G+CyY2+l~A<
zhFHL(r%!&Mx643i%pz@A;#*9q2T-=@61_=S3TccOVl0_;8^uyd=)hFiNI_*6ze~H_
zDu4V2pcwQ@3Pm7I-fs``wXrtij6CA|JL18N%8d`SuYs?8PU&`w-z8(YQNxI+c=(J`
zi;I)?R^Mwnuzc)AYZ9AqCv6nJP<jx6Ex+CWRewLO`La&Q>I}il$55zJV)Gi1CML%b
ziJ?ou?%#!0Ec(0{ustZ3i3%hfJeIVdM-}Um{!I2;TI=%N0gH``D4fkQc3|q@md}7D
z=d>4l)l&_^0;ih<(KIA_t6zoXE>HtjK!~E&AC0+88y+ND?!MY?SbZgG#tN_^>FZv|
zFb&fRH+_6Ux?FKx24EWWaU|W$McrM?MCTZxppa-%f+0}&GxGpJw*QmiRg_rW8=vx4
zc{zb}QB$eLL}ut#t>b5<FOog9Nhe6%;_j@&|3<r{=UD+TX1&(R{djV<p2vA&_DLlL
z%DunTlA@RXtn_v$>Ay)04de}~7FIinj{hIGKnZx6ejOznX}(TfXCf^0-_`SzE6MYF
zZ+C|?kqm#>r15(-y+f+!>kse^>xwM`>G1=1kU%@nR8Wd%LLUA9=^}RBbDHZva7KR*
zKF{jBo9aJOALqkkqD&$b*ddo8ghdDn0^6f^>8C#<F2T>@Doy<UT@CgOg?9(ohc3Mo
zntEn`o>#enCwubIf$`@}Rqf&QEm*_lIXH2LI8*xc>y3*dkYB0*Z<6_cV8A5Qkw64j
zM-~$8O(k^5&qM!H<RyU0^JM!!(+c~)Auo~3#@}}a!{UD-kAy;K%M|{v#8i4T9r(pB
ziljMD#J&h(k+80UFWLqXI^b)B?KynYwhIxBKofq=otkaC5Pl$ZXs(l#@tCXB$GR#l
zG`1gwZ<gFh&(c8_GQGC~ieaa=dyW5V`T(hP($3ks20M`DPe1#DdqLdFZGa!f5fX4X
zzzR)>10O=H{wZud4c03h6c+F3+A`mWJPO^U8D}dK`G28+gxPgrn{}{$fY8Ff!~KR5
z>@fO-UX?wfNbEBvqIzs+9CISbT(%zO%DeEY-79>Pe%$n0y2-dO_od~Fy6^C}vJhwe
zh?`4a+rM!_0S-$k{OCg#(0_M52@<eCzg-8%)y)8W8?l{OE}JOVoXkpOBg7H+RF0!(
zRj|~=HsL_{&JJElO`FtpX8siE6}Cw`&T&pvp0j!jryXAQ7P-&t<IN--R>ob=ORhe#
zr!_rq#_5cz{xArQNLJw04nUs>!X{!Hc4Q16BkJEyR5&ZY&8npMfFvHvqE?mgl4_i(
z?5eqbeVJ?Ef_#D1hzc<JSF|FgfYUnL%vb?*Q@qrjd~iN3AKOqqEkW2kj4g=Mh*fR>
z>iC88FFqAT9)WFWDU<RT0e7ZxApgafdOl4a7TsOM%+s4lTXOB)-C{lxS`fdWiaUB<
zzWu218*7>PI_Mw%&AH;d%W$%X=o*<%i+wwXWz1b>QF}){o?!kc&qNLRYz^?(^PT7w
zDg?aB2Vd0FxXrQ$Y&>~)z1~}QD+}TOI7%bZJ5!6#uXDz4HTz@fOqTz4!#1G7x<m0B
z#(MsitpUFzWZm!&>UI<AW=38p?~20Ck~0H-Sh`ei99}}dqX&i^BIx?`HbAj)24<U%
z^K-v4koa8bx&9D?qz2Uwst{2J>qWVZfw<!gnV`Vr4(iq^Zz3Ku-d}qAp>bWDynMt@
z|J7_Cf!`#p)=B|<Dlo+rdS>$0JYF2Du%i}6p(avBjfRq~!g)r%?!{ov$MBHyEdSt4
z|9N|hYYkg_NzTIsE=}L`TQ)B$xwkX&-1=2A9#bRF2~1T~KJRK+4QR9Rs(KnffBI!P
z_s*96J`v}EEIG-{ikIW!xra;l9qp^b7_hG;n5PV>cqph_N^S4SQBbjnmUvT$1+2OM
z#P{mM7G<1KYZ%SL_~VjSM%-s#hxnCQwd&Z8rAz#G=aHu}{DrT*LeVnWfbj9<NpZ7*
z>q^FpcgHuyEqw|&@1-i@b9kC;l5mSa3h752rj$2Irdg~HG+I3_c>o#hGe2)I4U6BF
z7Nkf@5ixGu30PIwJ{pJ0YO)1b<M-m=TYNC=LOP=f8F?5v4GlA^8tI+sDvBf!VK?$<
z!um4W<%l#aM2D;63uo#&;Wg7xWrw#~=0#xpxRvlY8a^M)L0kGRP-41xT<VRXfn%kn
z)m>>z2LQ8nfRUO|y%uH#b<|hE*YL<Xn`=niVd!Mf-7H7UrbXt{od%s^*_(d$inNMC
zTTwFs2S38YLZl<JmsV!*S)97hci`=T>)*@MVWu|~BGVyn6r4)@0@U7R08Rm9un``H
z3@vw!n{q&}k;ctCiA11Iy=f>)ntJ7Zcyuw4(gYsbCur328<0d71Zo5TU7uQlvD=|h
zm(>#ENj**ZkQ&G8hFay9hb2jY?uJeB;vFECQnKlEY4*fZfXITPc$p!cREDaZB!b%l
ziB_O|)obbRb<c*WHm=IldRc7USNJ3{ZB48)Y4)vzPQI8F-K}TjYYGO~h5k~YM*A_4
z_cN&>gt$G^wCQ$-FIVvO03|SLHJWuspg&4iZJ0t$HPwVn)UcgZSK}s$0NCDIV<X~s
z6@I&E=a(&*7A)XSV>IWP@dP4T9RNJKO^YT_QzKY!!(M?OAL|t=rgqJI{$Q^gC@EVW
zoP7hg2OW>@1zps=85Md8^k+S!cB_n&@iOnMS~OJ^Y>Uws%hUuqQJ=3e%V2esVic8i
z*t7p_$A+}l*Y^AP9rzp`XgKU=zfTetY9PoQOd=ze6Q-uchor!bP}yrr(Bf>y==%#H
z0{b)*X}24BS@hdmNuqgU)8b*>jmV3n(M^gQc?n^b!Z=lWo~OG*_DBkEzsHn4bZmR{
z;h{s&pmOJqe6zS^U^%b6H1`V-#cE$Tw@J^uT@NjoB)_+=^+*geAIkLZn3+YZCO(fc
z%%E_{>wpf-N^TR%A<QmEF~c-D4l`0JW;hxG9ro`Jqk95+2(pNiAFpsmj%wQe6iJ0)
ziuWaGjYI4~G~hg@<F7pePMaKpdHR-(CnMv){MS;hUj*C;J7WB2V<3OTv+KUQLw`v%
zhTV^X?KAb2L=&~w$scIJmy)AZ1?-2_$4AK`o=^>O^4_0Tx4s)-$ahSNdl<+3@Y|m$
zD;jxTkz{gm=xue}e5M=_sbc~<I;3L@$cJI=nKsBL2lJ;@L{M9o?<t90T)+!9K1ht~
zr0Z4Sj0%+*x){qH8>(D3!uPjhDE=d?$WG*6arlLJc2z+8X;nGqLr&CX`Gu~cSo(I~
zk(^{5GRV<k`9RotC?zQI0?nrFX@i$mz-4pm7nS$DEp8)^+g37Letao#@V;Pp;f}^e
zo??mZiMFU-LW8RAIXVL7-2&8+|CJel$4mJF(C$35|DB|Oi>M&~8ji`I{RXU3_}^e{
zlj{E8G9!2MKS=6NQaZnHDCa-$i%0a&ocN#ZN?oH&vhElFhsEbCrom6r{<LJ%tlxf-
zeZaxQdKU9B&UH0bemYy_^s>)(l=XJj!i$E38#vB4O5<-cZ}q*+kVoMd6^O;#S+99>
zClLE(l(S5BpF+7h25?`9S@l+)EjgW$aV`b5fyb0D{6L+mlYX2zXgsohvH(TNnZ1N;
z9TTn*k~y5Nv)GJD)=T%XR(h_Ge(Pl_kED&pjlbu3c3Mu9zaBhid03O_)*s{i^Vzg`
zR>QHTto3lf=r2=oH>T!SZ7mxOV`#+B{dFo^6ye2%dg`)DN53Af@eeOim5q3LpRcuE
z8O5Mv7_V!$GsyPzXTyp-W<&ZVimbo(q{4rpx5YU}JQFb<cvbYgkzbynla7RiB%~{=
zm<qL_u+l_n_7S^J>jCl11X(VEA$(?>Vs~|K57Kj7?aE!nyf9Zr;_?{0m~HzKD+z4*
zuYV?Cckl32wK!rNcS5<Yshhok{qAoaIMaJ15E6Yp<J$Y>85@|r^}tn&wK_<{tG|G0
z_f+4@`m=_?bEl<q8@FRFin*WjftgZvuN{c{X^1Tum)R}n=DoYJ&%bkx7LA|mZ}^}-
zXeoa>GyIBfpB#tJe=N6jo@(s4=X0ioY0`q!InG$+`yc*f+s2lrmeO!9HJ-_1w&RW)
z%tX!78h(chqne<Z_EQ_E#zFkrPcLUplh#F240<PUTB$<dT6x9h<W9qmQj>_$gLAk`
z*V4X>O6b@S(X6;ZE~518YedOV5J`ypR{xC)$?BrW*G$RQpyCG=^3SXm(!WnsFv<J@
zERk41rbWl@jg`a3040j?yuE)r)y&yV`o+Lad@2OGjrZP0tpjwu)hPqV0Ad}3%3?Hr
zSG(<+;*Vp>aUCqJ2Bz`Ff4hKlW|~^ej76&Jt8*Q05_H+!$Fx@5W4zANQ^o)J7l&ex
z-FRGRoOjdLg#EGY&pYr97$$n`i>Nc)31N4>s(sYO5+s0Auf~;?vm?JSl+4GET{6id
z&7FK%ETUQgDZXtGo5FWZi~G28gCZnau{P;qQ?`hTJmvXzTxW)2+d1XC02OZgyd6=z
zexA%{+NtgYJ@jI+GkW`Y+65yMbz_1l@ZRq#mnIG^1X^5MBy+bp6M)$_>~0<N*<)b~
zL77kM0=K#z#JextkUfSyscSzIGp1C&epz{uaD;%Bc1dr4c*{6_%9-Pqi;(ExJ>{)L
zth9QVjFq0;+~`IFL!iQBUnyfQEe;6CjjdOoQZb6Cf9pLw*ywUY8g)N6FSijkWK=fM
zyR`3!T2hYtma>0$3yxRd8No|#4<6SaeGLp0ZC|3~IsLMF3#NDpX6@%I>eZA(KIabK
z9rkc86{qiAQU_K$IV@!@$?;mcXY|n~#1qiXD16Xg3pVXu{(9riq@swNu7U7Bv$vYD
z>VJ;iUGOs0NMquW`Hr6Y+HV1LXwI(wGIQ}FCnsmg-EWxI^FOZ1tgSbc+1k*b=?nA`
zo+!p0lv^54kN?hXbmQEt>YKo18&!V6?KRRmPHn=7`Z*qRsK?WY9a4-id_PFRyxPTg
zy`hi5vyFki8=fGZSl02|xL~IpJ?F-pXi{nsW-;{nm4>T~m>Jw9!YpC7Yl^^t`H?Go
zYIh?1s1zrBq#Rzk-}QhiZGKfID^tSA3o&J+rg%ANs`=Ru;sQpZjP9!+9i9?<tIPQ6
z?c+v^Jvra~IF#_9#n>lX_o0>pt=#(6aWepm0!<YH764NJhL2U)cGZgG^Kxn4i|{`e
z!hnv4B|hJIQX(SXC_CSz_g;C0KZXm_D?B<A2fO*hX>OKTx2*B6WZcYL_R6_{rv~``
z0&r4Az0S7#!l)%!D^7XoLDp^Sshexl04Mx2MVWOZ#zc0aDwwMZPK3$&Y@@X0j(v7!
zE!M{+cB%n9EKUQ4dUlkZDEXW?MgE1`oT-n5m5T@XPOC#2t^0^E_gmQ@xJ7<hbi-Yx
z!Eca8%E7>HMq^lq3vLb-^75B#z{3gbz9fbkGWgg|dPW4{JKEw?XiXf&$llt@#5Aa2
zN2zC8VDKdW9etkG-nN}|f4geCM;bPfP6f~#Q~~hHL8p?FF8pXzEQ`j*N^G`dnU!K&
zH?0kPuP5}Y)UCTu>V|7?%?($gaD>cZ>|IbN1YPgHflsXR+QxPl&Gf4GbqkiCcfpLn
zoS(M#zXeGS=y6HTzHP92lj*q-#N)TE?Q`;mV>`c3IUpiey5ymEt=VnAW-}%Ks!WM}
zGFjO2$!u*vmxjxzBrZ6X9_(vG01hS{t4cKBwwq>VTl{A_m{hjTML;Owa8$qPTMTFB
z(SePSNK1P#`4Xxdr0*j;%f+c_K*bZFmib(Q28{1KKR$GUx3Rm1Mc~}_l@v(^SJppT
zv9icily=5{N`F|O9ulozA)@0OB{(3Nrz$)TQ;1|vye9fM>Ck@qMg!CINUuWTiFV5+
zG_$UIxAQ{@+NEpOWZmTWDeQjeb_)h{SZP>v!`TG=jWX#Iv(0Fhm3y6npL{N}JLdD~
zcD1dXvD|s%kkhmADxR6w>-{qkew(O}=z|ukD*uxQKC3BpP2?}Pca^KV;=GL^S?l09
z?)3{!CM#v>w|dbQEkoHyDbh2k_fEdMq4B-5NL4M$B!!*kQF;M=<&#3F9qUwgEbnHm
z)AY)@n2Q1S>51UY!`_&bl0!OXb=VH(`Qw$V;;&Hw2bzEDhuqHq9N|~tTw!NR3!YF8
zz*hABDmA-$)K6V}k02}Sr1Rv;a7e`0_D*xJhly5+sa8dFVAGI0ywig*w>}s1U(yLs
zzxip>rZ<4aod(=sBYQoaqSDLMD=YH`zW8VHPk6c1a~8udXv+M%21aF8?HuPAsK?-g
zZ3r!^f0PiQ^&YfG{l5A=Q+BZBaOD0he0}5tfZ&a)MnwKgty^$zxfRHeXB9FCOtLeO
zaI%^cO3n1EUq4&^_ql9{*^3TLzW=71&%eY{mR*fm%Vu%!(oYs7MHt#)h-$Im!tqxX
zo2XpzG#P`OB6tfKC0io(CY6~?suk<V7zdc+i&`(g>~`L#HbV}jFE;nSGPFm{j{gp}
zV#U77`%sl@EU~BKc5ej4!m4_OtW$$2i5*$U*YvJJ%P9SE6b;Q6^RN)bMb#_@q@a(Z
zzquC!vheB0=~z0xvAu1Nos-tbjwx=4B0f#J)oF|wS{9N{(OvLsaCc(GOfDqlT5iJ<
zk0{SMV0)DSh^vo2>h2Zat*8>bFUqnj&PD?U4%)qU7;L|1^eT9>9E1iAP<$p>2&F-l
zrJid63VX1NJ*S2)Gm;`d#8JJOd4d1FMDQGNQf#N+4%*4YOO3<K!4Y#26Qp};XB801
z3Wz;$y6efkf3z{kTRD%FMt~#u3D9JXmQ;7h+q+8Zwm;YS|GX;D-5E`u;(^Y4C3j{J
ztAE{p<8#r*UX4nh3nCD%A%U#@sqX*q!6^@5$cs9~+M)}E(;?AOJeA!ps(LqrCs^1N
zcYR~4o*1@A*BaYIikL|4<<oZ3<s~e?par)HPkn(|FhqT$yk`|(*xcn0;UQDkGl)9m
zuUY4M6|Ny*8bYfboh>O25_xXCMAya3BK}w9htdty#~(hZRMGU#Zi-8UDa+^>ScJ_)
zUefmAdeXMD#YM8*xVR>-)VBZ{zMfG%aPpdZ8p}O@Ag(x_Ep3xd%&<BW+zs>NZ1fPp
zRV)bycmKG=F{$zbYdY&P;Rij!RpiCS86Rkhx^91}#t$+tu^ky)JZ%?uYS*fx=czUH
zwiKe8>O7{j9XukeHT`6RZr$fW7XoZMtc(@nlda@m>!7d3x4^9eYj)7@IA1U^v%5_@
zaQHiaBL1`U$$q_6h}1+YrsZ5n3+)LS6h#WYAvIJtf?G|q3ajm@(_fv^PkYI)v1NqQ
zJWZnvqhk@d@?Leme&b8=nK00{L=kH+5oEHDU5XnI<WE%%Ln@!CS85*bT@Rsm#LV~z
z3ZUW%Kw-qH7C|=F?UZPovFmmj2sJa5?PP5-6iK}?-LLXUZMwF;l5Zy#7d4(^RP?n_
zi=6`TvyY<On;2_#-idFVzpVzIkUO8~RpW&>@<b0UYW=-i^wv4gtRfkwuVqSL)aJmo
zvMSA;xcdzM%?5-tUPO@X<cLX)eFCTMMR9ZcsnLqW6ia^ex3X)vlff872L;X~kVScl
z%pcg8HWWiJn^EPb5_c}M*w=tIUR#9#N9E=YU$YeF(A>JFzma>aPbNUwNf&jos!F4i
zF~|uUozD9D+AimUdJtC#Vg3=Wg9+$sHA<tgzC4m^B5R`7!))E*hB0lwD(m}f_3(3-
zzBvHv__ObpOCawtlw3s8F_z4?y=E+#4bn66v-(DL+&#$sJ8*&8TCIGM%j9+!ZsW-n
zHqJL?xO;D&8%4jj_#BraA<!IDqFk2*>`Uz+7X;pWG_|Y7VYJz*%DRJUG$-ObsQOll
zP$aeZcfYI6hXgW)Q;KQ4FEK?@NbZ+N45J-XI>$nyuN;*g9~|o+kH(Mj0^PK6rTc9%
zd>?{)^1?YRRCFX7PF6B)$zm?**5`)_S_9?WI{U&^HN$o-nD!%+xEWRLg@W5acxYsx
zpf>FdPT?{U3km$!R2W0TfPWHDUP;Z6Gb{BOX+TkS35_R%w$OE|%sx6u;rda+dZ&rL
zR(EfjS)-Hs*-=AwvUvLUcenau_^|6%{W(-QMOqeT?3H$ZT$VD5AAM%JV2~cv!!H65
zC8Rdwmhazb#kUo8B3ogRI>31=Pzx<i$R5<0fF6o?<$$lIp`@qbo<MAtkxN2NO{;9a
z-6NVFCS2Z2dm?nLLs{7_llkr6OeH|TI|9{t$#L7gSfKLU#lgI~KUFI+gA7(MS`5YI
zr|~KLCM;4*`?N=xSZoT2gGbr!cVzRbhRx;}s7h>6YYO*Z!)g5VS*hjq%n?d97A1f^
zvmVW%g7E|AIA&@4|6Y*ky13&%QqrxLcTarM+NeMl!h-B<R|I;NZZlsFqT!f21`aT@
zKSi>1g~tb1<%dMa7HDz>nOO6%);&Q|EK+GOnO+ybEfh%U{ASiH)I}UV!9_v>IY>1(
z9EQUWW&b900a~vr_!?=&+c7?qUdg4`v@j4E#jGruMpm1Qkz>ynCR6SZuIh2!lJ53C
zritC_A}Y&D!mMWHgm|aq`%S-a4=P@3PNkYGY;c&aKLqpo39b%nfxOC__g_2QUuxVe
zI|%8uOS5?X_a<7%@)+<|@QMBWy|*yR3h2D(m_ddvp-zuD@19YMFv}k<sfHaY{MW!5
z98Sb#VV$>Stvh{XS3)G6N5aXSmm99m{FXMVkGX-{&A0`tF;lk9=TSIQl=b_rJ%~+M
zZ5m$9-Bjr|cP)dQBQOjUfMP@q-k&M85v)M-%d&8Ytkcx9DY2o-)g1qU^JJ~QVeEby
z?J7j~hZH*}qtBPvTdZlgG`$t&lwLO=mVSGV9^90+<LP7R*Q8Lf65BYJ8ZJH4l9@VA
znbcCu*;wRLa+J%N1CNC$)L5I&z<wDI9C~@0sYjnT8tow3^yvpPq`PY(FW+`;ixC~S
z^e_FB47Fdxce}J}xzMcpl>CeCD3o1Kx03Q$(S-yxpY8WM|L#lq$OQCOC&HPi0+>L`
zTV1idFHh~Pg+u^Es`o#?=HAWg<IA#~Id}Gv*t}WRbk=WPx%dny{0NlgzAtF`kimF>
zIsfaaDCxiTgv3kO^|8^Snf1~06waXVhjVebgcp$`r|-r>i;<9lc}^#Tk98f;T4ed?
ze0VXIGRxzJT}1~7;TS4qK@D-%!-r=*Ragx5-LEpf61YpK)*8bPfC6KQ9K0t&e9158
zs@9^cs+^`}AR${o4^Yh2bGU@N*c}Jbw+K$;{I@F6{~YN1fqk7tHF#Y8jir=UJf+F3
z@Y?(prN3&j8Ve7Y3iNi&w*LE97?hG3s=+3y7O7#SREXQ5(3(3Lvk|U&@JT8{_4oy>
z6b;9}2Z%@wbrQKyYp6whePL0Dmn8G-l#zmM&n&PzU=9upa4)=6_a3KiS@ZrqNEiwb
z84~t^gI*^bV3Q|g{FL**D@sdl44d@Qooi|5D4`>Q@%%uwcc!e1Hx9ESOPPe8uJc#1
znC0E}7H+8e+kb8XA%f+>Ir~yhXuHQaZ~W?wQeCTnhLMLAPkV%=Sctx<8`&P2S0$Oo
z*3#<Zz)E?_;(Ik>=1&CB@0~txE<HIDf2W*3#b@*}YtAGiL_gWON%tOy?yg6hOY6x;
zf8bXfOoPLgzuhzXqXz;dKwBSclwe0BQ_(pG2YAM+Y7ogp*Xs)b;xo7U|BNAM{|6J~
zb2&}I*yV|ciag_(c{W_tB88Xm_ofQx+$QJ5xrm<NCqnjSjtgH{9jKk|TTCp-0wJN5
zL9(Kck}%ON+*e@%23SpB*<O+I=EWS}MOs<wb_$^NqU2dP5ZR*vN}1;$c2J{SBA7Yh
z$eAUekM6=Ip8pyrDfs0FI-?9M2RP+)Hw8OF-Eyiih3?!)P)rs`*UganrbIkD*akRu
zg0YKeZdGL>2S8_le=*iN0`fQh0vi@+A@pP*wvPiCssHZz9MztlXT=SMmZucc3r(7b
ze?Mrj=^<sYt^sIoUS#hBQ$=)n4gInOc%~2?LTi+yc(R;C7<UHHw)Lqe*?)N+SVw{u
zc~vo+Q?H_GxkdrM=T<jRbDns^;=Nse?Z%)c3&8c&kmiZEIf$;bw;*^P4_AH9TOQdy
zy-b<ex7^b0Z+R6)(mG(@I1cbKj`NE#TK=Gbb|yPxi?2Nvz6;@eGqVPHr6IJlkM`Th
znd*TE@Z$&2DSEih{_mZbs%MF$5P5LCH94C71Z-~oXB{8jVAcVbPVb0k`FzNHg=T>s
ze=SFQj$71?h*>I*#(*Hru0@=x2C;z?&v;N?<73+&(zf?=3$&Opc1%j11(|XlAEBZw
zwQ}tC#a8Fhp`K0nLA}uZ)b!&A=M`p`9OoO?M>2C;7nM%M>JBrQ6k|Xtzdu^|G}W1U
zg=N@^dlFYZzC@jVPSRE2FT|YJS4mnD3DBSGvx9U8yni#nc2a<TQk_*eYJ`0D<J~Pn
zQHYpXQ6+$y7Ml$@8%}&w%sB6f`=1q>9j;9~?>*XS)Qrn=<$QCWQ>~9#mziFYWx9&f
zdgsiPum5h3)zX*i<l8M`#WVV4W~;Mv?jNRaJGCA5w>KhFDJfX}RHE;Ou_=ZW^jCtq
z)-In@uYe!)Jv&(W@mx-)C^@b5m<%Yo?(5EaCjBjJHTjO+a-Nu6#qL)RHnqKl*3M?D
zyb36Z{g_LUq?IbReDBi86B)hC<%_YPP4UKgGEC=d&F$>BX-%|OM~s6_0Z2x6P7ngm
z@nppp%N@u(5I-_@t%%d_R4&?&=4=v(Ab4GNon({_U?AR?`}+T}_LpH%Zf*ZKZh(L&
zT}s0MB1owy0z*i*C?#Dg2uL@BjHJZK(5-;dF?1t1Fd!vJNeV-Ecl_3{pXa{!bA10V
z|8KYZV6Jtob*(c#aRP3P?_yl^m&OG|KR?iC82%lb${0I&im5XZ+V9R9`!k>V?&vEk
zyq&#+w&uLfxAvHsz_muA&LK*D0X_fY?ckB)#=KWyC?RW4!As4`rguFjdb>WCY7eew
zBOXtGc=81y+2nsiOIST=Wn#SU=gqK8lRoHRHI_Nem5WsGqW44AXU8HL%;GqeNqpj}
z*9iaM<88)lMqm>xXgU$lU;w*0kNhcY_MLARLUQueSTpb}UE&T8kiHmRLX7@J(Szcx
zsJ?5bT^dbHu4rK_bAyoSrKD8#%CarvecJ#<I_8E)ovF9CDOq9}bRQ2f>er*|8!gMv
z8C;CC=$f;luM)Cpi;TQi-821dOV(#4m*SghZ0fl4v19CT{)J8ebyH0f^7dIvQP#Ls
z;e(4{!_8RVjMt2>?P{VGlt294noMt%6{_3InkQYXDT5}}y9pN}<hn!Ya5YaIL=`m~
zeBz&`1lakot@O|`>eifn#R2(AjX>La<kxY)BfbI%d(HBW#hQ51A(kH=Z!K2rHr&u{
zR?rlAuK_<W^`IbAQL{6cr3q)&p_L{xuGn3o3}zb+GDK6})QSIO=QMRVU#m07x4$mn
zv6@RA^VXtlF)rXgncr{8PnU)pW|o$IlH@OaqNdkvV$Bmr6YxCIAb_#Oz6T9>cjoAJ
zC9)g>R*PN6Z6EP^IR5M<sMC<DW9g9a$aSnjnzPT&P0L}qgnR|7M}UzeDazd5D}4n`
zL9S8^hfqOhdg*Pjl!$=^c^7c+g)qi)UA`<6%2pyFU|mHkX;Dt}K6|VGXUEu2KO!TG
z-rY<1lzqg>UV9>Eg2~4;J#LfZB|p0u7#r0}z_)r4iu|2#*Ege!e$i<iHh3DD#}EL%
z;v9$;D_jLfZ7-#eyRfJYaZV8I(G%+Fm8jdY+Et$=jNEgEtC}-eaNkn&W}nWzcz@yg
zW|^PwVPag$0^Bvtnb{_6mK#yvMXNXY?@;{aW0>_7Bv=<htyqDE6zmmne0U}D&-T&=
z-@G(hl8DD6!V>uT29FqMUvmtrzub+ifXl2Dvo`F)C_!eqF6bv=b94&vq|bY15kP$O
zA%?ryAwW?o-{NcB9qj9X-MeJL^or{O<i4L}ks1O-w(iyW`5H~IK~WV@fUZU|{2>TN
zIHJsrM?vAi-Xq>)C~E#O>9J!~BdoZ2roJn0ybfiqa{d4y&Jq{Q0}wbx7pOTsTL|{H
z^KbhV`#E~V5uFr&#IxK8$tTN+Ufln}BJ59rjuRT@fDJQyE9sNzXWHoj?j6{*wtwB5
z1vU2YRqmmcP2s$VPaN@=f;qQBg}=D7&5}tu-^ls!_zo#P)uC)^u~9G~WDu&IP*-ke
zd1_h67RHhq-9#c`*d5n^v=f*f+a5FLp{ZfEHC%?)tliyT1$WRu6lY=sxPyjafjG<s
z5Gvf>FI*}v(D62r=*cC|Uy&3+-yHrMqy@S20bxW97dnMfp<9>8{`1gF6&gA)Q-VFA
z3uulJ+@gCpE)?!h)qF5Ay)q@;$S<Sq({`66m<lGV*urT!jZhyhw#GC08f+wj+$Eu0
zF@E6VKN*;29IpA6vcm4-)jjbCWP;b8$^y6MUWpg?-2>iAcU9=-2N_eATJ<ZCbd7Fb
zYtI(0JbDYa<q~h5&WXVWm<vCS7(LXdsaoFGZtNuC3#_&L@FtZ&B7S`$dER^8e%0H<
zBw2K_jIys0Y>F=G%OowE8UBiHiyt+s?z1aN(IFC0(+{NImB<eiZUl1=t9u3!?Y%Y-
zY<l-Y{pS?>`ol$_SO8o46xR;bE4Pjj1ueiNQMW>?Nnqhp35+42mc7s6M9A@I{(dt4
zLEHAj<a}Bk$d^21ZDG1c6XfX$D~E>aPfxq<=l%^%Jn@9}Np1S*qWS3|t1rhIQb_Yk
z)71NGMLA{OB+ms{AtB-Pw6*O~m>R$ds0pFORQdUZjv+Zpy$=IujTYo07#8_zSA;5G
zb=}6LNXCIaITCMA-nebg##Nzy^f*Of!gj)#JsK**q2~sT;&X5(pTng;Q9g$w9?yMl
z+1$ry`TD$`n%T5F3=4sh>}`5%W)qLemRAJ_Jh{W{a3=6bz^>{Y{i(=ue(vAr|5`bn
zuuc3Z;E|8kd6bSe`ueH}kb7mxQmFD1aVpRtDQUf@_=;=LzD+|!a=XM{dLe2I*Et!p
zh<QFaN;PG^-hiX868HN6tqot`j);na+bwa=Dp8NE%jeautI}@cE<EF9R@l?C&V>7?
zZfNf3->N_dyJsAB4BX5{?Y56I<ic|?!_{UDwQj$+YD`MpcBMf}JE9zR+`QehIU6L*
zyFHuHEsBY2+MBug*8A3qK27(I1Bj(7{K;b7qYWsZ0$KwNsOL=e+DLh6{bbm!`(yEf
z<|nRz7zQ#i63|uXxWc2%g1iAFOH?Ywld34ZoiGz*<O<E1CKIKKwIIYayHe*kt!Kkm
zqP||6X_*$ui`I6DAw@Fj4WzfHS!hL7d5(`MsudXPTO+={m{UGVr<9f;r4SVs7XNnL
zbTm@lXxjW^D+y&Ci)$yBHGgvSQG?#R20OPM13h+3!**z%Sa3fgj}f7i(o(+7HYA8@
zCBALj;Ze|&@MeoCnHZn)_l$W8jAV58p6TV?3@1H~Lxw%U4~L;KvfcN2U`{XaLmXnD
z9lG@MfqSSClKFJCnfM28B(E`rU8TvsEZC8J1h*sqZ`~m!h2?pB3!Aw^`m)I75jOuF
z`u`qpMG6&`*tR7~4+z%|cajmgN^XdXrekDu^w&?y0!_5en>jEm1c$$iscf9G&>di4
z)O&`ZMAaoXTIMcQQj3PXY!ql6InYq2xV=spd_7Vm=U1OYc3HK`K)Kn_@v~)Pb6B$j
zCj;pR1?g`&T(8SLa-tPa6pW?6w5$)c>M2Y2BCMqe8{zXA9wb_k4a$w0^ZCE3HCT6b
zJCY%3KL#59oZ6Z6$S#Sj%(K7ba-0a*+c+qDU-ki|)l*<SIU`0qKbiPJ!I<6ODgK;+
z25GKi{_u#RwQyyqC+hlO@)wox0<wF_KgcD<F}K^z0px$}skT6ZfGH@ycBpXG0B@5F
z6Gln|u<=j7`(3p&G5NfvBV5lKKdh*e@~UAWNHK0whe)o<xanltj`Mmigcu#=SEXJG
z;kfPaA}M#W2HHxu`rLWVR6TXs8W}5E9nxtS{};cV!~28lHlkL}%*@c1hawNAhJTv<
zOoFz*dg!r)Q1=koHbX82y}3;{+!MbrV8@(MLL$S52%$r9ILF5D+MEx?%*f@PfnlE*
zdX-bDFEQzC^R{!dBEv_gY>GiG%(m01gkK;+`TqX1FN;o(TZ*o=_BuBb-nz12+}>2w
z-xm6E*0KPX(pb)i(ao*i`B60USI1_9=h49ceRM#hJGPQX_{1~fM6=uEA`mze;`;tp
za7AssKRa*}Wa^6t3A~5=s|U<~u0_&u6G`Iz=I8lS=HqC-BW~RHb>zjV-A;iu0=>I{
zzPm)Z?3?*+ukOLLby}io>l8NIwSJg<Q0vTNLonYwca9^gAT`YOxj;x~Ih&576(cdr
zX#@h)HX8>JqyVk<<nCjatq5DoZ6asgO1RI-$1k#hn_j)|#7PHrr?)fBW#0S{Nv0DG
zGNDMTG~xB^4((eJ$q$}n4_K%kiNLC~nOrd=1Z`aM6U_)3mAS&CnGP0DuvU#g+?yEw
zPSEK2LC9v=xUNaq=3tj0<ROl7OUR0gT(PPn>>}<xAuIb?CKT!lY?<EA)H!&jI_QUX
zIuwK{y|?_(cM=IXxNfuNst&Bnox**#1d*pc1`i)WO@9;V3AmX`(<<K3SDeF3D}IT2
zU^}Lz|3Fd8GS@g9uRIDKV#uGAZ_ZdLe~fesi#1Mls(MDcoqOCHKQE_O8;ov671XDF
z8-bNi_KJkYaqJb{oVVW^#%|~P{CL~D^)AP^EA_|60}+$I%Ym5ppT4x{v>M+w9S)1J
z8{VOY9p_thobKs8kF6>F#^?09r@A?%);^`OeSTw+XFT{;T<vxipBt@;{*+u#b>B^c
zit5{Mr!CK%mP&5g_2*Mlr+u~So6cLZWPe>~Z$4)<<>zy-1O6EuHrrs+`coCk`AHWC
z2I0_u+y{aLx{M&i%)+VKFPA0=R@wV^d(`=K3UXssRZg`r-=g&TQECDUnvkOG<&{YO
zh^4rt$~Ap4l+q6+7V5{YceS1C1{(TT6SfU)^K#7Z;hkE2;$uS3$zYz%zs4FoK=!^s
z&I`Iu$js#k2L<$exx0vYa?G%YxqrW@VvddOU9(8oK?jYF_YdKdlh<8E$;PsPpA<MO
zABJz2k{D#)2~&fg=~-&!V(n%b)DVn}c}&W>JqY$>dS8Z*T{<8B#@}t;=3IP<I81<4
zK5f%rrMe<#H@3((=9xz;&w?~LhHL5ji2Qu85ftyxQgPL8A~D6TJ=Vua;Bv8Hoqfi6
za^>9Z%9TV$yR(tE%RqHfIOgEw!@PIT>)n1Dc*AoY+V2|M!&7`?YTrz}<nL5q_WFl!
z&I<BEJ;_Uvan;sk_Hb%W%?T@@sL>Y);S^xqgs?u+YnN({^KA01mPgXECboU!NYctR
zKKlxrkhwdu_u>(cPWt5+jr|AB4K1zO>SgJt_>s_K8ST*m|9n&93XUh30SKRxv)c43
ztx|F#m5QXZT7MPrWOxzWX_#TRQWugE$9CgEn-`NGh#u<<BnZ8630J=NCI-7({!Ue{
z4e{8J7E(lBr!oplHt{Yq&66qJTn(DG1dVhkcPHU$jYxCqMahg7oKa|a+cje;nDwu#
zru^949-_RZ)2}^q!fA0w05no7JqN*I1a0FTksTnw8UrHJQz%UOprnIu+ci4HMSFLX
z@dUk5P&x5(66(J3c^`A8;g3r^arez=kF%CQ2uIMfe7uMon)&9d9UnRBKpxqqVb-!U
zi|fmt?t#Q$e4#gE{B(bEoq4nYsF&+Zu9!&7Cp(RC#2HLivLbCJ8^%Xv1QG<z<;2%C
zKEM^FDs28($6g(N)zg43(=!nBh)pV8<*PhcUa$Jv<Na4}3+*;GmJ$TWXio`m)!|a%
zZ?r~7N=KK@8-G7*$~<Zu$3Krt0tNalX&@Nu<>h*IC!T5sBXQOyezL)ia*S@OaGLKD
zOlm<}ZI6EqGR`LE2u(YP&_CIISIaSZP^f=0Tsi)IrR7!qm(FIZ`{T7k`P*r+DWB{d
zx=xhGYKID)nBPsVz^ZIBYHi!i+)z`vYH;;6u-H^1hfYYLa7lS%smJ!K(qtJRQ2nI;
zZk(1<RfgA3_4u3M@sVgAk5VeEr)$hPD#?DcKiAeIFv(%S^^pL!PdDWY@M!GI6RYt2
zT07OJJf6N-da}1})Yxk%=vBCw6!_2YT=X7xuF*f@bB*FcxR_%ioGG~?9Ijrat>#dE
zb-4BABm&8MC;kB-P$!ZrbE+k*(oF0lX;t{Dk3}AtPCNhR5B+-oRc+&#+lPx@186z~
zsV`_m^!R!$yR0pi>$uY&%mwnWyP)_he%BT`lydb11M{Y>%p*(CYS_6OCG#u47`EoU
zf4V$)tiBorAm`B@Ts{UKZ1JWXf@w`H)%&||p<(SWL$`4y&|P<LM7SmEx*UNoOBF8v
z4tlh}u0DaW#}l*rfU#qV@2uZs`prd5{$S0hp?^J8;R-qaD47Oyq$0=en6%P1kN7T`
zM47@BQ(0n83VonsJQ>NIb*XLXio56NTeW<fR0fd{^=%0M(+{4w0o#qJCq;G!&-vxO
z@5R4Qn<y4}b>8GcKi=v=%qB=ix%#E>VA++>imQ^Zq0`5G{92)a)rIu{cz93B6Cn~9
z$7@{2YRC!FQ{f#X1ZbRiJjyuBSkE1-h{u~ClPh0j0K#-~(t6K`s&_hMSjM0i_9XS1
z@PWb#FN>OF)hC}|dNzB>9Wwe885KXnq027?6z|3j*Lct7i>&D<4GjiRaSsU+S`j48
zb-78@!7@Z04}}_jWZwMWH>kStRs@K-aEbJ}CkafJAnf+TpF7OC(VX!HKDz^JfS&7C
z)Oc3o1?U2&JvX~j#YcDUUFFdO3VH?DP6qRF49BHWS(zwTG33?Fr%Z9Zp8*H-l6KPf
zK%ro+5t=I!dMQW(Lb{R?063-xkQ{IjF-R{IVb8#dCYV3-$<PuCZ1^=Ag|nSK5oRqY
zF`ts&&#<K*f2zal7R4pZ)XNS3_c7$e@j2pDQ~t`O`4%RLy~-q*CFVl7VdYcTE8}|N
z7b@jby(;+QN<fX1H{{1CxFIqJx6U6Z<?@;=-~Q$~>K{pa;Mo6RwUghseRK*Tgl2Y`
z5SbuYO$Kz3Q?8$XgVa|-Cxf?xs{I^(oYI-R3(&-)<Q?@mUahRxfKR@H;jDd=-ZkJ9
z*4&R=fwO~JEod~ln$(w~J;`lo3L17Es`j^0sF*10n_iKq_v9e1UwTS;ou#DFZlX@1
zdKTecas_`nn2@)`=aeIEu)|rL5%I~@Z~LYhkxb1i?N~w(K+`TV4$wlcl@vH^-79z5
zylQzcR_pm?a-zik+hjw{7B}<`uEIHjuBfl;E=%x>HQx1P7%A=?3aauu(CJK^>3Bw3
zu^pH)yNWZbT-PfvW^!u!uFK!~`3CHMtKq`_)FYpjJCFXS&dIYat77{`)ii^`Fgfwp
z?`X;}{3)>vrF{mNS4^Ath{0YHNSsWOcG1?Q->3j81q@i|S-yZjY260(wA>qIN)-!z
zVm9}ncI3w*u?lw7cEb-mMToY0CK1aN6#c18-q9pVnDyg{&GD=A5T7yv)Xbqv-bq7U
zBcuS~|DdBk<oDQe(qL8AkiisR!jn>xpZET0ll<0)w+lR4_KUImW7eT<+Wfe(a4{{t
zD|oz!H+8Ad7u4&<afcp8i-nV-VoRf{nd;&PPUxd~<dE$xn&F^Y%Uu}1eJSS~{mb^r
zBjj9i1-?@vzxb3E_CXt9XRtaUE)4iHD6epY7kL&|Y@cw)NqOZHS+Td}Y_3t%b>IQL
z8^&ovjk3e-&U1jP4?x_;9ON@?fVSUA;7^6Eer6pn=nXM;rX<w~U9AYgM`nj|^*B0J
zjL*{eo~8uaYyL?s#o7T8$Qzchzq5r~k0XLva0)nOahr@(LeApQH*C;Yfeb(0FU%o+
z*<bL<4i<dKMbON<<&4vWOnH7c`8{Q;!T<O4vlM+_L$spUL1;MeK6t#<G`PF=n=y%f
z#h~ifj`|Ofn05h81<s~}XFscY7l7)4)#J5p$BtcoR|&?xf0xXJCG13-m~pIM_x^+6
z%JjIU1XrZT^gV|wMmUs15@VE)4v9?D|HzczwT^aLt6+(@U<!3S8h4}^Uv;{ZaVjJW
z|Arr>InR4og9CS94_}x0x)DuSIs#s&M-$!#Bd5c4Von_9>UA&`#BQk^$F~b_e>h}7
z$xTrDs%wi!!*ykNs<3A1?jw(_nRxYQ|3zzv$z^eD-M#fmW^xr?lc33ssgz^*uri#e
zp_7YCN1@^6VY6Bj8uB!AiI+-6#nYuz@APiYB(80l<0RMQ|LFl=gL@gh#F=!Xxa*2S
zqqucH{@LrmELHmTSl)zL+dDsmy^AUEtE<X|@JIjVm*yfyZ_p@_tE|;+tGP|1i7Fki
ztw(s`8{e-QU8Dr){gJmtyR(V3#@@YM3HQ0Cb*TP}(cmh7xa6gF_V~ZPq#Br#7}*{|
z&aV*i@^f*W1^!v+EBHM-(qrvYWSWioHHS!Do%6~{rLxt}lS;pSxjc~7p76)2ePj;R
zlaR~x^&3V)UsJOo-aHs-6X#nN+Z1$){)%)JyQ&ZW{vy!?`G6)`r;tc|K61}g-uN_m
z;Ha?hOB?E=q5i_Vud0TX(6s{>Ee<;4Df3UHlj};ptIJ%e-l4v0u-8+Vfox{+IVpOS
zN5QY1dcNQkd#1z%EZy7MU312I*me(avPy&HOWE5dZp*d(ohz&@bOpRsHU0=mNYh@0
zt<DR_(>$Mq_d=TqB2KTSe^M=6GU<#LeC1WI#0@8kb;iyIl@Y?VxZ;dq9%xcZ0@K-c
zt~BTE`JVk_GCd8~g<oHS-~DTYlf>XeYk$1<Ru&hQD1Pz46_2C3mS`8{I$0vGM~O5R
zjS#M!h1M!*Afpm(yvGH&voRINjJ7;<%H;VD^dWH`VoO9ZozEX8C?)>3?>2K{V8>K-
zTHIfd$4@hvg+d1z9zFK$crh@)aq!^Hz6kHU;te3AQZHYh=M)QimL+Wbr9RMyPdS~}
zi80OmSa)W@EmYy;$Uwfk_CSP+-dMWPDbj%iF`0+G?Q~6Oq!J-Nco;)jx;lq=xN&-O
zJv?CU(P0fK!ev-{=ZSiQFwvsr7UAVgNR!MbjC}-y$TX)~GF@p$sL6a+5-m3dE2e9i
z-tiHjTL0kUHh*TwRccT*csqe6aQ+4Eb_kM+Jx85GTi%zuvQc;0A8)jmf1?*lqkjGN
zL5(7j0p#%hO6m+AJ7b1X^H^eg!n%AJ>`bI1s&j@;M|zqj<#*UNH#%{f$_!H!DDv9n
z`krD`e`CK>-77?yRZo$4s=Kc_R#`D!9Dn{H|K?eGkx=0Q-SeVK=^2rr42ZFO`)XE-
zalrZq)>oqi3~$Bvr6ZOfOPBZ_p`MOPrI`)kvDWwC+~pl9zP@O}lO+37{x;6)N1WyG
zQ$c+GFdtx(!EP!0FHp1uk20UHNxU+O-;3H)N<dMGESKtZ%aHwHLYcWR(mz*xs}Y;(
zuE|=#ruf2|!o+6^!NH^29iqk0+H@y%!LlnMMmGQ~Oq01;L`5uZ`T!dlYjHT-R7F8C
zGP4aj({tCbsMcirh@s<8_BKyfmWyH_HFBDb`j81@p9yr&m;U7fGLddmiMfSp&6Oug
zPncLd!@n9U6UEzBI_4K_Kf$;#u>O(Q9X?!LFz|9r-Ui@#;T@}p!t0#CZgJl=|3ReC
z36&rWd61Kp`tg9~Ur2U4g-US^o^D0SVuJ~CbM^^)wE~1SA;04Jcm$_V4R40JU~b3@
zUO^?6heXB5PF=m;Ga|YAVKFT$Z2`r#=c&;74aJqG8GJ{n6Kayp3@<{MM>G8^bnv2%
zhM!{wzB8%wC_0B{!YUQ&8f%I+o$l;<^2oFvE@I_YTZ%Gfwt3*a+I*cA`XYk^%j_eh
zdA#8>9;)K5x3(1&ikhi8x_SY*hDSNoXHReaLs}VH*)-Mn%%ic<bJx05%}781<is4H
zl>C!P#5rzYc%_Cf-U8yXsQBjkS%)(_ktD+@@QMwsIxAs>xCwgQ9pFFlI8I3Yt`!w7
z$17UFtgfwTNtQD|T7E7+n7ki`$MLp%tJ7+(s_*D;&sTgqLy|}qrN{FQ`r-*uBKMEp
zbn7vqxpf2tdlrT8qwMXZkw^F3y*9TWuM|xdA?{ZhbqWg|rAUKLT+hviugfcvY9fT@
zGus8h7P;o1KBP|#!Y^vdT!sqMMxN;)T=ope0p-r4;YS>2{Ci+#?I~)sbA98CqV5>I
zbx%4z8x%T~C;$Lo_QR8Q4kqN<D*ZA35-jmvd~~dZb~fju82<k9Onlo#{*w{A`Zhu9
zA~J|2xxOF&>Z0PMY)-C4R0g!&i7tIvYeZ&r*8zWZFdNgYup_yZ{AbU-an+$^+A|+r
z)MoIe8TH6ael&IIm28A@YqDZ9)0e*@DG)KV83DAIi?gs*<OUn|r&2nP%n?}_PtK%^
zwUdrOb@vlY?!46xVW?xBb>^<<hcc&Ot~0Z|GI8ZDy(5w2d3PCG+3xL~3Vn&eNQW$@
zZAdycv@-$fit^I%p7_{F3}i;1=0&}8fag2PJZOKk!Kc>hU7)}-(08^oA2&Hp04Mhr
zk^4%A5Ni&avXNCamqm!~@Ab=|Id#~!&Dd}c-VR)k#<g?|XIscuKIq$3xA<V`CpVx6
zGOzRLx;{ryfun(sL!W*V^ZRgQG9H}Iu4T=5kr8w5Qj=2Q<WMs#J#GiF_)!GR-oMUO
z1S%f7;}J-=t3Dc^!KcoHmHLO^C@6radQpCTNIAk@`ruhEOL^nyf{m;I-SQ542i(Ye
z#J0nHBbWV&C{-F=DLL<g>(CbWyZ?iF`R@pUJ$}RyFG;6Y`YN1O8ON}G1o%e3i+G!5
za6Aq`bi)<67lr31BTn#8&G2?OKJgeaf1QT0;gtwR(ZN{b#&+fS?6RK?KF4EOX|N^e
z`H9nhx9EC*hu}9H+1CgLB((D0I9)1iD=N*s_}(twCMHYk8<sfu-l+)e#Ql{RS*w&G
z`j-nNc1Q2{`>O%+on(Ju7F5(x_>pOf{SEkzI%Z(^2TWN+QYDX6@wBAad%H7;3BmUp
zBZom(gmKtBU&>%wS{Au{<Q-LGcC}Ap`2;Eam6_F4EQG`7XYORrzkoAB5Inqt_<7^S
zjutY`P9X}z-&7K&aTv`$j*n3};n@Ka4ov=UyJneL&=*<5x!tb@318+<m))uaYM^*k
zt`NocJ4;Ge?kZ-eh5d;CUa~9{!WDu#P^dM9ziTNq`&`r~A41L9@Px!hXstLr^T<qH
z`2?TQc!@=BfdIId^Fa4VnZy<<3t%7btvuCi<drtgV;qi}W9N;+emJ!!u`sAnz14W|
zv!RS@6P-FZnd!v7QY1G=HX5Ac^DM%(MJ@gRT@NHa3~WZx9S>aQH>=R90ULK2lKt7i
zrt(6&&|tA)J7v9U$k=zBN)^ybu&@&>^D!()m_>1()c4?r0zBBCoG3kp<wu}UN?2fU
zk(!!ILd-9?08z!#x0pqUsLfLZ(WqIaHwV+nUj!^*b@4P4#$EwA7*@9?P?+R^E-8(U
zklOlVuW2(o>%AQH@G*^oE^dYz#wmtvi1i6NCr!DRr=f?=JVnd&PD%0OA2g#_g_o8Z
zK3)4)nI-L+AT~Kg3}{7eME;SYYgO!;P}`9Q#tpWk6$&1D;M9}#;^i5ay@AiHWl5Y`
zrR!dSw4?9dQsm_L({H(PlhQ=-#XZPW*{}98zDnd@fmBE_i%PLn{GA^Jr!76uj1}PZ
zRxpZ6mmER5{;+siNxvs$rk}@%w;H8=O}a^D<f;%;w6gx4AqQs<!XxVL@G_nSL8=5&
z;$dem-4u@5V8k$ROeSwqn^Rv3+=e*$!xqn)zhPejV|L#B3UbQhgBzznCr|c2yr;~#
zc5oSNu!{g$dENOfQ^N|&4jTS=piUOkG@>z0XY)@dqNwFX;Voo7r|^K3A3f*lLPC};
z`lL@btYSDgifSY@X$E72l-&ujO7-Bws)2H%TZMl@n!0}%+7NphA(!-h%6?wj`-(8V
zH4@d3ZqUl@BgJ^}ef(-r+|57ybvj^qq-(-(fYxO}x9esyMq{5x=({s;G;|WoX)OI@
zcw?N`!1qHP)=@Y8JR$%cccxf7ELY9Pe)HmT`hRM^wS^atCQ4f9)?yhA|GrW!ws{&7
zCi0di{`ZLb!AqxQ1Y&rbDJy*en(w?^apS&sBKG7Sv3IBAT#09L=H$>iquoK~`!urH
z8gXAEx2@zAhzN#bNUGO7IY`rNzoQ;WCKQi*W5p(pz-7wQ0k63oH?@b!dqWD)X(kU^
zADys^YNz1tvD@UT4d<upwP`?MoM1-uDU&h;1*tulgh66-V_4gB4wn73Fhtx)6=i8+
zXWvZTd>+dUqK-^oP2*`(6(pWAZ*&u_OQz8<Gn$-voZwHahr*KEod`%cy#n)&JDwGP
z82_sEWvOGxZin<SO$sS$xx_x7g4xyE%(#+hhfa`lGwNU(aZpoe19}Ui**xY-PuyDg
zu)l@T^3`j^Ru>{Oz+YV3nEC;x0aXi*0{uz7Dsb}61jBtG0i<D0^ZFInvHLWNpE}g9
zeB90At%*#2)oIIWnnxGEtx3^)y^EOh59T{YO{DU7&PN$>E=dT}JQxfk)ACr=1(aU^
z-PWHuBr(<%xUBmO9z&$tetB~yge%ql{;N&_pAHt47t$<=-pl%vTV@fKq`it+kOXAe
zOQKiWecV*4-&*AN<$pHUXma}W3jX3x*;o<`N$Y=_z(g?8Z|m<vbo?GnN$6iMmZ*u?
zyV}Q(^4U(B%pdw~i#>@#8&<yEm5Sr&s{TCs9lEq|Dgawxj@4ULR6$FLF+Oi)9+{yF
z*la#iu<;ITDB(waZM@yDT#|9aM>%(N9S6t%KcMstzfV_ycHR_MZ_YyeY3d>IEVtCu
z<Tk!GC{P%|C?uQEC0ch>1r`Tn#A=Q2rSNcE*SIG*gBNwJ;`_q`j3q9T^&NwEF&S;r
zXWK0ERVzR9IZ{s1q&(XsMsG&-8;alL9C$r#uP!_8C@xv&KVC=*z5x%WGMx?=x>ZS5
zk+E8HJ{(v5G|62)XyBcd{-^4g_}dBkA<Tm@XY7T17+ryH8@g8vIk7apo4w|PE>HE}
zkj}I7mX1UTB?J}sXd15warHGsP!CcYM^A~ti~6q)R(~Oyr*9knMYDvxpD+J}Cti}w
zkMPQ6G!Co%F26@`?b=C4(XpmLyTWy!E6*2vwcaXzpB_1HgR@*lQseiY%XU`;&AMFQ
z;lKTqi$~#SG2$##Jek%uPm?!<cu9Vaqd37lx69VFDKpW2(43a$a;{G(;^Euw+aZO<
zU#7uwYK$Hi?hJ>!KTDrhC_nv%PkH`0LQrSdL)(YAd-KhC|1g=;dez8gc65ge@-1~(
zDsebE?ojOs(<WVHb-Q5U!mfFzYUsfMs=AFSF7@5AJJ<O0txwdVN5k5Y+c&Y#<}VRq
zQV$h$ciiQcb>_P&21c|u1=Pm(cSMNI;!wFkWPOxiKX6<iD$qXj1h&hIxUC0Jbum9;
zs?D0JemawK=c5S)OfiDuTr(xy+b_=lTaEE~2_xqhm~nX|>)-b~&@7FRdR`U6B}IS8
zrM|c&SO%k)gzvOgN>C;Yl!+LIPQ6UAS$9Zh3iIpxMB#`mWcrgnxyP@|XG$hwhv~5q
zBlvF(OjqpB=q>lev_`{`LT(=gp5?Qj7WRaqLz#*eJUBM3owSwTPc6?k$Gv74`h<Q9
zdE4E5`lhk8mD;Fw>hY)_<Ndb=H#@zaPJ2`TXjrEbb0yE+rZ-aG74~k_TG^P;%X`;#
z^`hwIUmlh}X1oP5RM{fz3|5Np*2%>i$W-+|zh9(t`P0e50M(QdX`gtr7JsaIBS<1U
z0L`>ln2^h}Trq3mCcx%8pbejC)q?vPf=7+>vBv!ckSf2Fss~aK?(99)%H^m>ir3AY
z$oJJV-Z)wz1hMWM5Rpj#dhXm1J@5Qh1^~fXBM2dLB9`GiSa-;QOwLFWRL6|S`X-ja
zmVy6m;R}g@gA5nVh_?!6LP>(JvuQhhI#VAPF1b1z;2)=4J$};e#P>q5h~C_w%cQjs
z%&+iZn%>UBAXeXuEr<;}#i%%UPut43#yxqRO`q&L=b}n@>-s;t{Eu<Vy`(Z~P685!
z4a9UXsdj=%dB`456fns`A|vi@LO7VMjM1y{C>b<Y?m^nn_0~9hQHS=Y<)@xD2=C1v
zg`Z|bQm8|zw5a(SIFnQO0Ug$fo>efiusn_K5pmhu@PYWN5)m^Z<*3#e2Qdoo^cSmL
zDLm9{=Fc)ao#u4=J^CLb?&Fqre9P%ovN;nfD<bc<s8OS2qtoAG`r5hstzQ-D9xb3A
zB@A=57KRWH94KzTHf7lVd-A5!>1qPOJN4QunIo-?HRgAs!VQ@srPF~>|4*z>Q`a{x
z?%JEU^NYfx^uUuZx~r%kqDeDOt1_*q;NL&P9bU#iJs_N+7^F4$oeRH-c5|5aI2mmw
z+ZrDkog?$jx+lKzeI{Pdb7e_qUazoQAufgHfpoI-MK8Ia+U6u|+tF?j`3{y02)wjA
zT3+|(KVrDTTD`w@mp;_V<y8pI^C@jjlg6!!Ml|TECMITIw<2);T|UC2JK(Oz+D+84
zq}mpG@APNgwSWVMA?#0Uek+pP7d;||5=&q)1@&#ovo$?r(t+1Oq7TSQIFD}J;ZqeL
z^5u}%PFB$S<7@~nqSP%2f$*X++MGyMQ}gAIV}jGNpId($cZMhfttkfIh_Z8UD@vOi
zKx4VtAb*#+4hT?rPG()ca%L$!kvS2i!>9sI<IRR3CmK$x&HvdZYZ-)<!hLfsNJ`SJ
z?Um!q?w+>8+``&cmq-T#^BHlbspJ3*7Yq2C+JlE$qCH8~P$`STr5RCLNprP~+1s_@
zHe2ZKnlxD=gqOX6Pk#RL_!Ck|GUW(md%oa$Pn#$VZA$6Vrb5FSaK#S+X(RVPX5YA~
z^fKN$ClUFSj6W6kdYLY+EY0*iByDV?Wi@(aquh|J6LKU6T&JMc#=|XK>$Gl)x2<_c
z(<#v_nJW7?u}xJg794(`eNxI;WBJm)&gXM}ma*#8_wJT-HXzrZlHpQlSVEi2_v9QT
z%PBDG>}_Uit|kFjKSV4w3-{qJMo^qPf<b*XG`<`=QN@>7HNobjW6_<yjlXmz(n>8l
zBt0e7y;&^A1%>6?4OUH?UvV5W_vxlHkKP&HbgF7|P!XY#=7s&*kM>e>9(z8X-<GWP
z3&k^g1WgftJz$>hli1J=+@@6jeK=v?^5BYcW>l(jgo<pbZ8&2niv>`_o_wZK3A`x^
zFj3FzxMFdqS=pG#>gGj)+NSXz{>VR7<b@GEz;OTXf5u^Zto1kk!zuV*NJQEb=TJu0
zheON%RZsqhn)JUkMNn<siJzG{S}t<qZ#V$@9M@#4bxWL*e8Owp=iCYmRZIay;Qw$D
z75JYvLAc12A{f0U>d%grKd3zbQAFV#IJU<ZzX%>DGY-J3@0;!dw_DcCM}XaWs`8GA
z^OgjusA;mkn{zJxyFVXG+;eNs{2bQ2I|k*tCriE?`Z`;N3-2->RA-~dM8_&B72cjQ
zt;G&37ygs1)=0KH#RhhA`5sm2WKX<Zns?XlCQ9BX9?K_+EvUTJSSd&=?o>}99SjFR
zbt1JYPNgdwdLi1y_0-jXaMu<mh{qMbJt34_OVEwDEd=x^o6qyjIZot@K|Z-8h&~%O
zN5}#<*K{?yC^Ahx97zL=`kN&IVxGC~6#7!z@tT3r@4)7V$7f|FZXlIHMM&m`cMkua
zB~<qPqQA*B<qnb}TN`<vkE$Ggm*(vv72PH#aVH*q2d3&m=$k)sN8s84ws&SXP3-jt
z9RYIBJ#QBO9dUqWO3Fmx9F@YE#9Mbz@7un#kgZ$|W+QvRlKjRu`mGf9?09{D)KmoT
z6RE^WaRYP32ir}84QfA*99wCH<BMj`=2f<~xvr$~v(sZBcJ`;bhm;h%Jd$POsVLAC
zw>#rc(XP;om)ikX4AMqXapoD{+Z8pB(FhUv!=u)CowFcJw3-ihjJN^8TvfmftpHrT
zdz;}QM$fJkhnHw<kg+&R{`zH^O<VZl@-+Q*wo8^J%@C^RWvV|3S!Z##))hFR3=&`~
z7(B{68xxc7tA9!{qnY_Oo^s#@`*d<nNUMA6J^$J6?A}LDAq`6W);xLjW|=SL7)|6k
zE&c2p<^5;GU>d=~-qYG>43a)9Pe{GSZd_hl7abgNFK6;F8yZ0g?se&p@3LSjZ{hK4
z=J})p!@IDd70-O~{zK%G*VN5);jr{c1-Q$oY&X7PkJ`7W(QcMi-JxJ3g7CfVPQAMc
zwmJwmal08^;qCyr^UQZmf`!jzf{S~i0_#T_T$nN=#b3Xv?CWW1pSOP?*9*RIgUGY_
z$FwE$UmezaEt$|dF7)$n9=_U1zS#kHVqF&j>Xz%*Iq}I+GhL4+^C5ImDrpdah&wzb
zrX3zaw7r?kq^mK|&eOdT%=ZBymdmb-*Z~0<0pvGH5Fq^nFRZMjWRbcFvKd;F6&p--
zmNqJ9MpLSIg~fQ{v_T1oRMUd#hyrCFDB7}MqcXoiCq5T=p1zz!jtI~5zBSN{B~w4j
zRfO_=R1xHa@t#yIwMRjmrkObn2TscxGSi-FA?H=PA}8avRgv`zutJfLPxd60B}g``
zZqU5yZe3_a%<FEI=8DtDx3QuCA9y%u-)*5rZ+SMBmqtvTm>TC_;cX*=k^VTYkDTYl
zGIT$NF8X6j%ydT79@C;H*W9jp*~HWw4dbCoBMkeQB0i8wZvlGhrGj7%I3fMu68U?f
zVER1mg1xja>i2n6itq90X8IV$k@ejI*U}$dI1wRpQ_~&*-;RJWcHCifCcg16CoY=A
zrMPXGCJ4p-5d!aa#9+rlhLol>74>z=x>bdG|CwGDJE2y~V;Sz)wt&y#Z@aM=wkM>U
zu%*q}#V8Tx%MQ$<es2#fcSZS$<`EJVMDuTGaxf!LNH$S33HPIPN4bYy1}r3N`LH|D
zwZ7FBkV-B#;*Is`+(wGMUYr-G$k>juSJO4Q(R9e1@VnoMb#nLWRtl+9<A+08{cyUC
zn-TK)MgC;SoA^=54|rnVprrR$-A!VGqd5+r4i`_DQp5(?N{aR7=@j2P+h`Gnwx|&<
z-uNG~7k6A-1D}3HXX9_Y*^wd@92lT3`I{2uthw}!ldjyK<lLN|^|j-3c5cNG1g-6(
zql8Bx4^M?CxJJ2@CT4zeK8d}yX-=LJ<Sy~U;{G8+4)XQHG;~j-Z=++$%_t1Z^4Gmh
zMB8HGIih^P$eY(=t`joo`p{KeTb1ymfyAyz>AaXU0G1vHiL=JP7!B(T;+je(?41vm
zn|rWpkiEy=Ba-w$*jS>kVyzOII;<_cEOtq@+ew-*M-p85k0z>q*8`PffKIHxSzta{
zFZ`NzAVi$$s)LM8cF>V&HI4fFGS<Bf9Y<#`$^8H_O{RYq9YvPU`=`Oj>uXw<PvpD6
zHDb<N?axa?qPRF*t>KZqS;<tCD(UU2sTSRU8<=d9cBdZ1BXaJoPW`d0k)oNBeAs-;
zW0GqN#%tB;;)8<@!Ev(}yXcvkySh*XD1JRwVcK|<Z)Kk%2sv}i)!4C#suHwYX{Ce1
z-s5d2Ef_rn0{iW_x9=2$+1vkRCvzf9z@Sjzy0Wl<ef)VD#Ami&&eA$pce`X*)#1I<
zv_8x~==9_34xo1%>&%5ug<5Af6;(98fmQ_cS85F1HO0F}dYf-MpVp;CZXQCjxRO1N
zY`gSUbdMX_VPd^E5ysFktck{(wfhk+?nZhj;_@t_k%(?ndy@VLL-X#fU;@SYXEXzz
z;pR3W?Am%T@O{C;b`NP%GSdCA*V}5=oD3vbHjgw=rykU)9l^$%P0D2%wlC&u4t7C^
z1=K0f<PXBBye|96Fje*j+ry1}BZUa>rg&4yFI1SA`AEGZQ<wbsT=jtkw|jj-K3<0O
z!zQc#@~BJ;Bt>3+)gPzyrNKKwd}OOnAA~4_MdhB}r@XJ2EXC1q9*|xKSJZ8!VIRS~
zbmZJqu+cJliizkBT9X&6-f!@rlw=?sctr<zZ&ZreP7KS|j!874R^39u;T?~IqHVP;
zx~HA2DXiFGBwUmX>%;N6t6awBdYLKU^Ri!Yr>*Ipo_Fve**4e@8B!PHd$S{IZCq(-
zAm$pdR2_?D*cMDo@d8Y(zGoL2wKae`ITqFLC0>}~0Pp;%SUyARql%9)`QQya0+H`j
zMF-T-_)rlk-spG|w!oz-1!i*PUpVK?E#MUIxZU-rwsI0SDh~R|cIzN(@qN&^8UF5|
z<eq*-yvxg`|0pvr_-Z5Xz!~`foLxa?^+Z7)FDkFF<|i>bZt_?(0(5YFO<R@a`KxD;
z!3A3Xf#-2ec$^!o#jlIjy#j$%p2?NV7DI)Gc3U&;kz2smz7IF=So0fdg_xGlnO@i?
zIGXxjzkHF@fmCkMa^!A2K#_kmCSA-c!MSr-l0BR7T)qeVl7?DO0syO|Izt{YxX+L4
zh=aV%i`8<h%7J{c?mxoUi+u5)#873Fxjg}la;8-UP{7<b^|UpeBwYmdP4QiPm*Via
z?+sx3*4kU+<HV%L4rZN?`2Qnu{8z&F{HG`|E%ejqy8+Mwlixhbc>h8A|CRD_uYN5u
zK0g{dE&6M+t3ZykiF5-h#(2R{lmFnn|4Kx^5^@4NC)iho5ie!raOrCVttziR`Tu#L
z|AT7a_%>S|{QL0sWD%z&OXXNzLFUq?4pV?7>rBSgZ1oMl`Y+g;ws^0}B0g#NyHceM
z$}&&jKM7||vwh{t!p|@J+qtk*9_+L_^FGPJEn^1C9-R1P>i2yM1I)c?-`HCDqUuer
zS-OIYv=jJ;`%`66HCg=rrfReU7-Y=uk;{?n@@(luMuf*;R)q|V^>q^*zhNz1Hgw6d
z3oNz39st0#I9deInRb_Pp}Y^T?@t9W*Wjk3>^;!f&p<#O2}qfCj=9v5vpWaw3rbv?
z+@J88^nK|nt+0>F<VswYwcQRjOnWZ!%wSlEQMt9&cmvL}$=m&PR6oc%KT&;yNGr&B
z@(?Lfs{B;FtsDSX^s>@h$V+`K?#9Ovk>`s~`DK4i3wZriamxyT3%J$`oF6tz9Rr5|
z^@Gh824E;VigWTG$N4F?DMefT{^oJ<!9^Yc@H$5Oy@un;@b=k!L})N)0U;+Vs2pyM
z;R@||Al0E&DZcpySemVb8iqoO_0p9Rc914;2)jtTbl<RYo^lBt8ct-zUvQoC9x)$>
zR1<{!q8Kq!qErEDYblv1U}uOC-|c@ch{6M7VSW!8*1Fne*4+Ujw!2-y7b+PXnT<+U
zl?@(Dc;^nKsEkdWJ$+h@QNo3agz5;Av+*%#<T@E^KC?&X7hO2^IEqY%zhh`7oWDKR
zjy=&^4nrMEAGYlIun6UGW6p42oThRuZ-kU$sI3ki@%mw;T16IRc)>g*^|L%ik8;%e
z{Oztwqo6UhF{8wjy}x1~!>W5-&DUlk6FwWIz!CiiSgTI02rRictyV3p6Kjph&}^s@
zepKxrobS+{{HC$^yqC_S=;mKU)KXTMpcpfx!lz->DR3AJyRBR(kE77{JCbdcA!LQ5
zR1k5JiAZy*CQ@zJ0wa!PS8qMiRd6YUp)Ua^rO-p1U%=|;>^E%ic5{UI9Q1I8a{q8X
z&CArhH7sF*gmtz*=lL#9C_4LP7`O`$%Zt4~0GqRjLk_ck0qJziU;I(F2ovT!)#58;
zJnGFgmc1bAd&2!@zL_BPOizqbGPNi(<+gqsbbfkcRv5yy>5;?rw!Eqr4|TgzP^YQN
zTROW{OPwt57<G2dwMmR=g4QSMKx$OVjG42d-6`gSKTJEM$EB>mT7uq(cuoV4a}&{N
z`gn5SRBmMi_O;>Q02^l>QMzHiaY_=rLut9UDKKw*^o;(#ciuexPhum=5G+zeG3`ey
z%$~{eGiLU<u$3@<o4E|6qIZv{nY&G`ZSYU>9YK`q>J@IX0RBuah1GMn`JMB1QEby6
zs5#%&@5UM%ZY==^591#RP#;h9YoID_SOZgDmp2nV(n4bL%ZSNU1p<3BF!9hUcsJ^T
zWI`ciPcBs?0bM?~AUe<$gwMWOaGKRFna%)hii@BO9_5%XYkIH-9OJl?8&$Fhnttrh
zo;uP(WV^^z&2mFD^Ay9?vz;9cvJzEhRj)imK{U9&4U^1C@3Y2c<15<cHxelpC2R~J
zRmC}1gH{*ZGce_eVK0eXNx~}V(eqE9bRQg2qcGk4)cj<AVv!<wM<DGAixa?9qmC|V
zBII8XW>bXa4PxG;L@x_K91Lz@uI_4fPx02h`+AnI)R=*}X>vm<ZD&&<<$eZpq~I&G
z_Ch?k<6mY)%R9CrnAdUGuv^Ey%KnZShvXvP(`7rHiy)X)v<v@H+5=rSKD!G8y0Ez4
z{C>7HI8rK@<+tMl<{$Wj={oe5#Shuzbp@Zb0)To)7?-(O>;}_FgXyVT@oJ3)AWw~*
zZr8E%P7gU(wIfqBvu=Mr@QMTW2eMy(2+QKsZ;cl#hoYCRDcX8U4}V{I3V#=qXiv7R
z|KPH`0g77f&h9X~qO}}66%wxyrrW0<K7ah010Ctn=8*h+{vH8rOzyP5D)!*ZQEuzN
z<3UC+$ityOe&`tkbDlN^D*vHMGQzYKrBDwoG2_uJ!pZFez@>H>=QIU|Cjb_}awBqk
z;|FOi5hZ88511L-8;gs$$5IM@%uJ)bs6-HHNBn|0$o#Ke<4k}i@;YSbH9@H4^Myd?
z0w-0I@h3km(J`t2A)}qLGbE}aMA03F#})a~F$4RJLvR3+?=FhM%TtSxdE(b^(V_I0
z8dcMD@|Dy7dMRlRCVjy@GWk*3i*(;`k2Zy0V0s1$GxwsU6#Y>_FT&xG7YVU8v!wOd
z(uv&h*Ps3I^q3kzrvE9D9DoQoYB)6s({oBORsTP0Qx(u_@UHePdxdQchcP1t7t*L`
zHmbUCjD^Zgd?v(-O3IUmb2!GGRZO}W5uq$8P};u2r{v-M`M(FdM1evXFPOt!MIMjh
zG$QI(CGQ2nMO~GP30nQEJx%?|b2AQ(ueZ<?yaDP<lr~nG2ob|K*<4Yu#-%(=j3sR+
zbVgCwsmJtTj@{C*c5noHu$Jgxcr~g2B?*$4Hw5!0&J4Jj#NDj%{brfRnV+2PUNMmR
zo&{i$J`d+wQ6zKRQJD^wgq$dmdvZ1mkx-pcwYs&f<R3M5XbJWTw!_<nEq5ODfD;U2
z!ut~nl7>(Et~X)#2&B<~r=a2mm~mgJ0ZaZ8_<Hs6%n0^agH1Ss>p~%5`b$LI4=@X*
z<es2q+B)bk{X=!RjE5NWUy!#eQ_pIl_+{G!(PwxAMQsq7a|lLRZoAJ*)!$RhU8b^<
zN2b2lWz$l<(UST|N+pewES&gud(N7^rOMfmx-&ff6#|35+h74n`g~V7`)JpHJie46
zB#SJRelLR)?ymo}Yf}zhxGax68LlRa5X@#?baOFCFjL43htHQ4z3ub@F{1if8NXQt
zZ~O}Z40T#mJXxfRie@k&XNhsnWYw$b`Ii$;j|Y3=eU(=7m$@_>|B6vcE2KS7G=axe
zu!UgmMiu$2zMWg5xQv*V412%+TU{bW*`yu#vAvvXrFW|Vbi(RSx>sa&z7yNc(%P2&
zy37I(z6sOARoBg-{n(-z0Jwph?V{({I}<>~C9f&I(@u6J+TCOXr%dkC0<_MJ<;MzZ
zk?0~Y@vrFTcQ2)lsHRwcm@u6g-dW`~FwEcKdCrpV-ymE3A8(Je#Q>mwrU0EizYBr0
zP`p*G3EVB_Z%YB0G8uy<F%7RhLgK8-SnA3Y9%6jV0mBGpRitiPs*7#<CkdJd?zd!!
z;Ha<raYwj32|S4EKfOtdU@#2fLKVeoA@JL^Y36U!2Xd6m2jdnTv#u88M&s-Vv1wmL
z0{(!T%tL<Puk_+K4u1x8!hipji+mR_W^8FySYTyGk8gf2nqNp`;rmyeaM2~jy@8H0
zLxDx=|6j@G|DT$x-vEg%oS)gr_bBV#p!=`!w+9be=6u#j$+k~bE9$i(#IlckI_pbB
z)=JlgU$5=t)PnJErYWLln^taHpDdRJX$l=0&xd!{{x}#rzkOt2{Kp8pR&tW~`S!ba
zG2>BYd$q1ZHq@{ZQ}@n^Jd1Fi<|_O(uCC4;2|gi-0j&AaE+I^<WG<a{6C*!Y?K2PK
zt0;8xJsFg)oG7sr8WZ<Y=x$V8llgi+_0V}gN6L|u&Hu*B{}z=0H~pl0b%e7*x_RRU
z+Q#xXB|L=op$+Pb<x6rEmcSFUw9z+z#FECmVusflQ8o`rQk=8Y)12M(E2uub_XZw7
zR-t`%O_?&6IiCsSa9Z?2I`4LH@+1V>3&rD6vc@U=iZ;<yeXq`2W@8Ak<o%#6K%Pil
z@zTuSYqNlHt>rNGUZ_peOelRsZI7DoT*NyKOR#xz|9w(Hw>1O)KofdtA~1G^09fj{
z0hb>)9YdFxT5N>qk&Zw+6=#i%c4Hk~RK@K%JGU)or|BQS0o*yAaC7F@mCC`<JMk9J
z5>5JIX2c1oR7SdwK8TJnONh6WS@u@h<qm!2E|y|AJE+p9jRoH*{l%06oW9ZZqgI}_
ztagIUMBSfI$mg^R2$w@eve@1C`HVw~guBP9{s_;Kj}To&$Mxg#lH$~U)sF>OSwb{9
zT7g`pkEvy|;&;|^uq1ixPzXBby5LA5enjT5OH#z_`Rl5hE7#b<3%O<}?Ow8`fsXQQ
znEdTTYL#@<c43u*64PemM!3Abrg^CSOw>XmqW2u_Aj_0>8K2U@cry1loj%s#+XD7U
z2v)jtoY>pP__e96jf)>|_|o-jjFn0PX))Drc6h|D_0q}Wmn>B6jG3tYB4w0-y5(T#
zA=fzvM2d#Awr9<+ZPW6ECKLCXYgv9g?j{(#OBr3{wBKpG06S}9Tti4bN33Ut6qI{u
zTOl}s{ofNRm20fbMx}$|mDV9vU{FGuRfc@E6>Wr&tt{wKq_9z`_=AaiWuL#~5Yrlc
z%8m{pq=442yOQ6N_PSYS4yNl=aKJuyk~yZY>p#1L;(X|#!6w_O&F&GP_|WbLO&KNh
z%FI5!^6YQCC~LhC9u<m^P<B)a3#yW$&C}x<2<10V8e;5QQTTKm@fIz6#|rjuq0oeg
zO4|sYoqNTOO_)5cp^u*Q;WLJ<^Z3_MS>buY-vWoPG-d}!EB@5YT<<Gds3uEQ)^cFy
zd<h{B>-aeS7`C}xF;W?3{z;&soPIF-kjRXFUUp`Tcy($s$D!x9TU8n}135RCUPq=h
zSnbt+=2l^y=8azCcflRcmmlEmEI2)0is@c_?^>+K{qY9;QgPrVGMj``Wf8Fi{uKwo
z8B+p`Gn%hQDIBWo|K#r%eOlM{1t0m{i2a#B2)gxH;R=dFN+4vIQYW58O2PfxWGK~Q
zx=gwWh5jBmFd8a3>E^p7CYoTBI+Bb{B&>)nnCmap^d2N09c47yb8S`YG}pnKd6~!|
zV)*5o4OeRU0aPpXviZlhPYTjzh7z1Lst2B%0ONB35^iB)&Klzp+EKqxu`X(FeofA7
z^TKS>QBEK4iy)p4uP<!M;kuvUOr*zRN9o40Y|X)B#vW$GJR*P1Mf^V@Kbs(%`o4CI
z1(UO@($fJH={!xpLz@N^CfsQu>_I~TNV4JlCpd$Ql1LCVpq78Q<3Z<-jYp#oFZ?#J
zK&~T;+@g?a+{)M+4vjP^V*~T9Fec<G`Tj*OwZ|if@2*m+G^2&q;x3^tm+2_N)mMzL
zYM<4_t$N7yLx@MX(6@E+5h9eEgty=!DJQSP@{-^o%m|0V%w)=&CEcY5RqQ^Sr)`3*
znW)39&$i?5d<sqU{|NL%dOn=S{C||ac{o(>{|8*MD~7Qo*#?8`D%l#cgp94S?^{u}
zvhNwPW-lhiL`p@Wgsj;^*~`8w*_W&{W<2-NXY2cWuIss;f4WlUoO|wbpZEHDzg`Ry
zp~s99OTeCw>VfXnd3{MO+xm#OgYl&VuJboyk)W>$`dx&N=St{Kw^;ln1$BBahn^gm
zBmE*Rxe@!cYEI$~*p~oRPyh$@UD#sW5`+853}7k3MB8AFM+>6@e{`;Y&whbHJwc(G
z#Jz=TU`$l~X##17K19X=nU{8;dPaQP53p%s1(I`yb^L(8=MZ_k{u$?S+Ek}O8&>q<
z%=t_2Fj_vQWSX}{v=%KN_~?li^bK2TIW4rhBn-&Y=w`D~q&D7qDdnv$*(!yTaki(t
z6<8u6*W#4$x<X#P(|HejZpz-uTWM<6o3<Et{0A+tX)B<c7akU-_1p<z*9xRMmdm_3
zkCD?;vmhLzH38>HBYiZR9U-o||7)rgH9Mq?QGe+#WsC^+#^%yDaly`1-i`{3+`PGM
z-yUA!L&Q+Z<m<A63_^508c0xSp}^$lGE6}Kz8IFj3jR#@l}(DZ-zwr_l7oq3md*EA
zHuJve^EFwl%6pg6nnTXKsZx}|E7hZ}wN+Bq%a{xD9WGoX%t%EYx1pgsAyRy=Ntc=N
z=nYKkyUKi$?^4ZJ=8L3(6-l2C^6?Yt68ZhFks}`nV*CkbEfqC6(@$KnuL0ex_iH9g
zEk6(l<;J^Fh{k3XKw0}T;oL93=hVo}fw4R$5!oNnp?0=S=Uf^(L&tWHQKW3qAf+yp
z>MmKSO5KI^@H3-t!(x&CO-wLaww*n%;Q)!-hZyx5kyCg7lHmwoi5W|ikB$p2c{z<p
zV@XU3q3n+a4|k#Bb2#Yr&?#a(0jv4(buM^&!uDgY%d&HT$7J2^tMX$_7BtVDpB08F
z+_O^TskDa47w0*a1Zk12IU0t2FJkEp3j`Jo>z*w?O@Uc*i)irJIISU0C|P{ZnKp8X
zDiGK}<X(+=?e+4!uEU!<&ap0a<X2M%o2Mz`8%yRnio*iln(ACs4ZOWL6%$-7hATgz
z<$c*jK)kPg-XUIln2{}5>(UmyOGP8%#v*7(@h9YqVYKcJSwya>CL_d^8xwtpz~Dp2
zyEAp<e%)$c+4fB=^q!6z5Ke3tFq%g&UxCGbHa_E{xgi)iEP&08X}mq&S~i~mQ&9mW
zd^I&VwE!Rv>;&5o&Ak3Ij`Dl94OvN1HU&dGE7~T#CHPK(B%_iu)fAl?_CPHpJSpV*
zi>ij)^f`(;{^Y9{93=HwxQ5D@o@%V-TSQKjQ_pcsA+*{Z6ceV6pWnJm!<(xG28eC&
z8|;vTtVdxD{)TulxpI*v6CaSY@eqjK0))zV8|ygHo>Hp|On8_|$_Ix<_2slSZ+;b;
zQYsKCZvaV%OGrQdYaYEOnJQpH__CniRY?_B^%G4@Dw-ntlEUoNaFg!CYlsrSruX*P
zEmf{rnsHmEZyM(T6Bh0TH)<#xue?RWJBQ{t-)27;`&S$Md+MHr5^u!Okop!fuuh2W
z>JUt1Lt-$RIz<5cDP(8hD9W*k8s$CWu}K~D{wL_LO25nt{SfuLZGxL~2Dmwp<{q?$
zfk}e6a{lPp|5f}a{u|Q%)7kh>P4-|s@((H@sC^Hv{F@dC@>Jj+Nml>wQEw`yzzjfV
z1tXF~L7@K71+>07Q9%Rm0=JhhaYuf21>S66GJnB`?4VZuSKA*#*Ct(qs+b@+8>yg1
zOhvP*dq^A^;6eqJLp(RZwO62}LU#tRg;Wgm!<jg!*jMg*Hy?clc16Cr?O>E0{0an4
zV1|CkHHE5M2LTxPsHW5q@}Nq7erv#fIa!0tnL{Jt<gHXeJ(=NlkSPs;Xh=o#9aP_u
zl$4yHKPfxG-CMjU6vY{mRt+Yw|N7d`T`{ddG<S9^gy6ajNRA&(X&At$)?ocNBo0P7
z5!lB{J~@xde*~PnwfP>Rrfb}TsNE+x-oaJy^boO!>55=0)0O|McL;FZf`VoV8^x^v
zQ^|+bD^d_w-$+W{xF@`S4923vlXkVu255~hl#1U5b9JD}e){=qAqAgB5ANWN<o%Mx
zh$LBHJ<)2SS^<3*8&mkDo&ni}zgA3%Y0VB?)&+u?Afi$`^Uz~At%9LcU9?pM!Y$X+
z!Em9Z4^)6PS<3!7;N;#uKcM?6U4z>BqNE%k2`Ici`1THV9TcPSC^Mh9s$dtS4DV=j
z1x>noAtV<FWru(5IRHa`oDvLe0W5qS;jXUj02_G;jJ@UEzX1EFV9S&8Sl+uW4lyLI
zY@uukp7;jpn@+i?N1=Ssj>l2|4N8?uP751>=zrE7nK;7?tZ3RvVwU;(2Ep*wjMI1c
zld8*<=4m#V2<{jq@<Z+7m{u^g0E3I`vx(>dj{W!1pAIRRzRWRx?j(g^cJ3m9lFn4S
zgLmAHDMm}k<flw`WMjW$8m=+*!5KSMZnv7<v}pYZnc{s=^ZH7xmj$^X*vCKcFcbj(
z4KW&~$}HY1I8`UpW&?dOO8)b1N7N(-D}4+1`|4>U$QUoEow;-8*51xqfMp}=qn+4Q
zo??~mi`&A9HVC5Tuey*F+(o<)p+aJawHfIk`G24<Fm1^XHY2(CK<$}eq)@vEFpbm*
ztTIm*M%CnvI%Rxmwz$#LpN1S$PYH(@0qHdA7d6tXPjel*Fs18V`wQ$w12$Ec(=jyc
z_x^nG0|3De;FkrbW#9=&;@f3s6WLeld>HHab=11*HB*wZ)forNxJ<*8wp0)EZ&3Lu
zQn~(MM0*`Q&#K*5w0Fiy8!y6>V8zJi$PD;hz(DMO+B_h)Yu%XZ9c_;1Ag0d(NWWpq
z#P^z@`Un~@knJzEuLvY46f~L9WVKa*N<W03WOfwNd?LW$4)5=Z!;=r=%qF^I?mrc8
zq!p$MR#~S-l1)X2X1vHIo)MxWV5E}-nqfT)e|{fOlUf`u>+BC)YhoJ(jgk4RpmnX<
zeW0xnc&q+ZDit(Py~K(>L{4Vf&FeVutu}>ECaB&xj_QR3BAoT4P5)H%0FSgyQ{;WV
zYvmYKp;OqOET^?lL+)Q+eI>yOLjA=4kmzh;j~yUy_@6tU!Yb~qHY^Wb$9d-)7be^X
z)c#*<XPDQD*42jB!D!-=GI{F5%4P33uHa!Y*}WWv{hT=a5TWp6sMTXjyfCs2J}HDe
zFim$}@YEl^^N|M;9?ctl*p|Y(>3I`%W4L8wQV}ut_MPKqMIUPhx=LB4U>fr#A&7Y=
zUUDLa2<BE8d8u##)-7pUz{>qDgd7+}aBMB%=%Tmeb~KHQ?euQtla$<^KxOXv`D4&-
zAb=^*H29z22S=fUX(v)dJA#6awH)fLxKB%QMvG)0=o-*NuVDt@Y5(uTW~n1j9Gu7$
zcpEzCnEs*Iz6I}EHN#T+OgkM<1bS*i`(_C{KftKpzos<gc^P@Ct=qRFBBO7c(q7j`
z+;SW3e(6@_c=KG%>j%pLdR1S3m5II>JhjNlRqQyqz*>;{sOicV601tHl@a%_ZnJ+c
zlVdZ~R@LMJR?@=ztD)7RCRxo+%Do4Cm$w1F$rqX%Ki@H(sI&|Y;p}$0nE8+CSa&OE
zc>HfSA(r~uysQGG`hh->a7jZ^g)4yYdvn|=d^1cFa7psQ+x?HSzBQor7qW7x%uU;#
zv<_pG$zWuXR?E27n8+)JbvW6Org`uDCyG?**?Yj=v6GePNY+iCg~_~yB((SEZ1zqh
z^l<`G{qdIc>x<T)Z$_f4YJ}!G7i#<=4g)~80R#b|5SJ%9nwktW!n9I^5I!U0qJgHM
z4@P!@Urvg1IgN#x3?^}k>#7|y%VE5Mq%#FAvgyDhN96X%)R9{R%su<@is`U*Gn<&%
z3_#p1H^KcU7h+jN_UvWx-`@alwuReye{wG);r{F&PeL~=(73!!?TFMfcZyUWIyh<!
z>S5Z#tIB!u^_Wtom?%<TJ+XgpsnfF%d^*LMTXnG_ga;dKJ@!DZLa$gp+H$VUt#X+!
z|FYfB58*$bx%jJNJ`W&n{M?z8iYv_weRervz;?g>7q4t*>=$;(CxD)`gOqa*Kh$5?
zSpuUjLvg$V%{Q2;ei{<UsD*as2Cjve`PD}VKf4oAf9kJ*Ax{&Ij%46ohQ^sFDJktr
zr6HUX@fHVvKKqo$9liN0@bydR%mGRj)l3ktU9z*_c1O=(Up1TQ3~Y{ET@c*RYPz)9
z{!x)DWvAWmwVbMH+o`0BpEHE6IxI`uSz9Y<ES8=i7_RY+ze+9`uq~Jm>B~|rZx`W$
z)J}pmUjpLRL`9}R{@M5aR=?_LYO3tHl{j6#-ZjCrc&&!O+q3S1HWA=`{T;4k9#Z)P
za7cUh@)akyPuDc?^SyLIWPfHwt1#j9fo#W1IC9h=hcs7%u={-Dg6QEGjFy9LyqvbY
z(fbf}e5zEL6jNvTtLW@me(CE@f-lnd%b&Gu4cp=n!~(9u0gD?<E$SfDg6Y4q!93ut
z^jV6%)hdwQw*=E!B{SJOL2tDh>ziitoyI6lSrkyHsffC9{c-9!3b+PqLu+e&O??h;
zm1y|1Jz*nH-IzI>RrI3{?QmpcTF|gU084Ja;Yt|{4|Q*crPs^r=mQXcn(rmaZqJ<7
zvr2O0sgk+_ouAguG(VCRhXTJl38)nNum}7Q$+r^c(KT`jza|Ck4F97V_Q3u@@xVdY
z^)T8b<@zSIQT9af$-d%6$F5+&!3Y!1xJrl8(q&~0%HfE)$-mF@H2Ab_2alCT8K-qJ
zY*X)N-b710sd<_?n@<E?@b*lK-7F(IgOwkMwp?(@7qxr$BYTbnJt|e)8#?4c)AOG@
znlgjJ|DHV2L>G{@-*f0jk9ZpBcs(r^p$SpRF}HN>;jH5yN`KX5px5Q-jalCg*2y?6
zrqVZ$j5QEGBZl3P5xXGB?D484ud7(+UM4TLaY$U{;^M$bsul?~Zf@RN7LcVq%#5a0
z`R7gcC`{Q-b(%Sk%&z7JqSfL6b?47}BS%XhEMAG;K*y!2)UCZ-(;Oviv~}vT(miv&
zJP)Qg&S-9fz@=dR3yZHl_CCpa5=HZ2yl`h`-rP$!0>1|653W)ZaA#)yXSMBHI+)PP
zK`t>l7b8v<-^__=jDOrIz3;vFOU@s_g~592a(U8hZm-Rlx^<LRj!YHSPN$)Mg<Wrj
zkKgk2<=QIk!oeWfiG#X+jNX~l)CRwv-^zS=02qcMo0#4omD&uo`fQh2mDV@`FVnb>
zcFme)*-o*0W!PXGA1NZKuI216iCZgHl^wxV!S4u@rSZ$90&$~Fk=9Vgeo*3vz{vpK
zMh-&r2u$nZ!b-s#A%Fb&bDq6AZuL!9@=L?m-I@)DM?c=v{(VLJeB%lZ@#;RY3{<=O
z{_-ZrD9gLqjG6;-*?(azAdXj~L&Ebu`_Qcfw$dTfM~FZ;>sCPHISK9SpM63<tWa(%
z(Jy-K`|s1^u-TxVvh{6Yr1xgws?6$_W5yTf?W|q$e66Ri>18n%+jD={+N9wfL^JW0
z)Z;(=8r?25Ur~Cm$MvUQ1P?fe0{$<TQC76Im0DMM;O^yG2?UKAvx}<ouG8@IiY29y
z(%0fIl=r$2G!ZOfSWOp3E!eM{`Dy)25lK@c6+6<~linPFWcP0>px>EGiMeE$evUdr
zP)Nu$t3<5RnwksZjgu0m-Vu%<exT!eR_4p2l@LGTMc<iqN1zqS;kPp>GP?fV`ZpK1
zfPF9<-yldaH7mJW!*+NR+nw|Qgy>Mdj*TjNBixlP3|F8FlyI99?$V7Wmb!W|SQd}y
zWDWSK<^92Z!(Omr#}CNdDV(>pt$WqtMeE2*!LY|_Z@w|;px*-IIRV8pKiXN(zJIF*
zYO%z7)W~!zJO}g&@aC%h{b6u^j6#i$*Hc;T(B9%Z$aY^-Fjh4<Xf+vg4JQu-MbYqn
zIqf}lW*h(f?DE`M<8tli9R=aH+m(*}mu2ecH(x0T8VSx0O}XE?=(+2|mTqhP<IdEA
z50>N<mccnzBCn^mT0WIH{W}+~>1&XgkFg=Ej7Cn`)0~b-a^Oh_D)O!-c(weXR$vo9
zL+k~sPM6p@yB!+5e(o`0?;iC&sj_y)NPNfpU59=cMoUgqaW|oI@!hF7tE_AI4UV$f
z&6f(nc&`Tx%hJIW^`6_6O2h{9(af~h`DpJv(yGq((^*k-dis%h(pOx~9I4N<Hc+N$
ze7D2%todE;!nlEocKPk60kt^KJbDvU?EUH4&JPn7s)L>571Eah;y1G%FMjbY=!Ahl
zAEeKU;H}(WYaREXDkDl*$#yH&Y~#xJw|Z;mexOM@@2t2W!LV(>4iyNY&>>fd5(-~}
zU_gLd-u1H;fV;F&)W-;86}Qg%4l=mMrO(=BnC~=P8fg(VU$GY`&QeJDfWw8foM%Z(
z*BJyI81X5Lx{MetQspASN_I}TPVJ6I55{Ia-gm_LS5QTJum`?`Fu`F9Se@@DZd%@R
z0R1%{P>JRJ0xFHg8RTR!j)6o{=nQGTq4v8t*Dv$u=i`UnYe(sj1FQyWTW28{SM^f$
z_SjP!>Bc8EOi>suD?nQ&fpv&RjLP=|@A`kP3JUWQp@2J8Vid^A4uYq1(Q<Y8xt^8U
z@$P&yPtx85mD1|eC2LwF!Ob)7M&cVkUAKEfyrO+e5+Cjo?u$K$e9`5nh<t%#A$(82
zZ%M}-X>)kIXoUp`7s-yvTYJ(OR`YK>MP-a65+_1Ol@xxsZPPs6^h2NRzOQlJE>V1E
z|9#n#6fZxoa6BEdTZSWOUU!7?wK?tk2!iQmbX#q}^;hfNiP2Z11!lFjo>b}5Gk)X)
zGAwXv?w^51BcO9`t!HNp<1TTgMt93PdwzpqvWUeyCczp<1JTJXF?MTL)a073a37y7
zdpnqa1-v(B|9)?vfX<n9fij;WHN19LZxpxR#tuZ*+s0Rig$VP;H4`B#-)k3iYd3vI
ziV8z`FPBkg+aU6F^=mvP>ru>TnSiw?yo!BW0=wH&7$)hekI8x_Fay;%8Y>r=0iQ@|
znc(}c7#oDw&AVEbt1kq?t@>cLQ<r?FPG_n`?rSF!9T=bb*X3R;BlTOWQHfFaQAFOj
zJr1G_f|-qS4>yYmnVE%c4-Af}*(tvS)UM3CLBowj@kGA)D?-gugkQX@sV8#!#*W`)
z<6<~3He$LlL{0K#R?EZ0k!U}s0Vr{3`{%I#9V(eghM6Fg&oJVCb&y=QYjODDWs>E7
zft3+CHLsrrjZumwd#SqeoOT^KLRIL56K}R%V(c;X2uy}ej`}@B@lBBni=~v6;0J~W
z7Ai&5OrKtq8?fl7kc?{rF`yapAi_cRqUfYiOaS(AxU%GGYfbS~j&2+#CWK!jj$<H!
z_Ux@tJ<x}gpli8`6a1_vmX%Ri;c;K?diI^m7n)wCKg7gHHJglj*%s=Sk;|)STK{cl
zf$;b5qEHp4wU%V$iJ@tPDf)y1wiGlSe=q>TAi|lLn7EaMd9eJuKVsu+qQwwyM{n2h
zYiUw*mA!<+FEq01$WU#9c1=AeHPRNr4d*!_f>buBLp=1V%UzSzz7Mcn7fkKNy9(#`
z6baLW(Zo|cGWhA?j>o4}Hzb`eORmitWVL*_O$&9uFG5G?5w8gLD2I=au(D)v8x1c%
z9VjaO;FCk7MMwlT%`@$8K87tc6*+c$ilDEW<_si(erT?yi$qZ$K|X>awJKlwl;5N(
z&B@?*^^K?CRgy6N4FOtYHw%*Hj0l!ICrUg&mhXXoeTX9}WWz#Ltu^ai3I+TPFj^au
ze;ew5603!0g<5to>eg>0W6p0eRrNL&t_rQ^80$p7&_Cm&HuAEGl~>IuhnW#w@B4ze
zkxuqv;KSTlgyAIbT=JviA?lZSuzmJ%(FV$rFTc+1bXGSrxn;hvS0JGh9I|ufxmk`B
zyj9GlLmDz7n3<1ez|d3mdR|AZB>iW<(LV6MBVm-$H~cB%oe^m84R4aZ;n~lJECJ$h
zV;nRt@xL|<SR11dqvMGaCL)>}f#`@Dz|*O7=A{x7JeCe|u}^rbr@znexN|XY693?x
z<!uIcPdX5UzN*(NsgWwx<nV71P#cz1XOH`A$iMdW#AahJ9sdw3^8Qz~_iltp5_gd6
zm56$++<1C{0vHz)1$@vrv0AP1?nk3K<||znM+KukO}4_&%KYL^)O=&-?0UCuEMhHN
zSfz3zxs1=2-h0X_A`=x~(Jj{wL)+PtX|+6+=Gr*j<0CXSm`l8rP-rbj<rx<RVl4PV
z<?+@?Ft7A?f=;r=?H%*=7~Y>!hkuz4+>ar+D-j>Lb<B*PSvW=kiX|X-9&R;xeScFn
zfo-|G9-N|(|20IF*SZTo>=WMAP8w%8k%+#bt*<Rs7p`SyLkNpcNnp4(O(+HV{1dH6
ztUyH4?V_5vWKduHx5%n=+61(-=@~XPFWt{cEZd;ndaCH1;eVZG&UCL*7Ll0glrk=-
zvTk23LFE|K7YXYT`+EgI+VU<P+lRo!leZWYH=fYAtkNtns^Gzq9`1~WsDVMq(bn{@
z>ohG330GKqT{fzar<?JS5?92<n_CM-D1Q~TlR9jm2nh^84u0^=3k1x9a6m><{s<LZ
zVS4VM7!t$}rkSBc99Ksi2YKf~NW=E?mCf4_Vt_>K;?R2$P#pGeg!F2z5zjywl?kS`
zl%uo~7rb6fSp0?S_n)70Z`?~UsR_DE`1v$(WEK~?3_&g-4OQ!ePB3iM1r?dcC=<AX
zk(b#Bc2HS$6wsaX`EYVPmc50r6O8ZzrQrW!t^pjK8UaI#K1yn7fvVAA0uc8{2OV5Q
zqBf_a!1SGc2rEpM$Lpk`Ul(B2#P|(F-a#M$#3>~D30W}&RWvHGK@`9LgfYqf2@0~%
z_{g7iOi=H2vI*BSVNe$8&Y?m<vXttKVp-8TjVw!f)6Vq+he$8-+Cil9=ja|J`vM?k
zRuh_bKysKd^!_o5y2b#04G^%_2OP?YR1|-D!Cwe_r~npr%n_zqB1RrE$tUYS&#2ON
za3L@^VzGfGkgAn#D^-Rhy6#W0EVl-;C<I+5rkMIJp7zD}jXr-p?IOF3QV1T(+<FX<
zAgI^3e>(UV2c}exw$_}G0EeJQ2`ad-SyOX3M@V>Zp2BE}nB+tPJ%*1E`tT?e#Q)!B
z0|1LJLqJW1JGF1DWx_8=ng)OO9qrsY|HFu*)MDe6-^5*brL`|kehH;eDsGhZ=xy`j
zbnJlVP^RL2mtR3aBd>cmdo^R?ce^m@Y#$HMBu+a!ZxKsS3hJQW1qw1bl#R#Qkr60W
zbxAF}>16+yU&9w`53SGEM<$P~2!xe04gr~u!EYGqG26E{zTU7#=Fr+f!a5reM~WyI
z4>V^}=DDvd*^QwlPhA==UVqJ-<CRgjs@dV%zyB$CzfA;fE@R>k<KL>Tw*lR3Y>0IX
z>wvpa(Whu2ceYoh-o%vs-5(Oo((D97R3IIE>oJM&T>%s~VNqQ7Jbq?1xb@5kOYOs`
z`TRcQD<%NR_%s^?;WESU3qcIcA|fN20ko|uqJB41<_tk#`N}R@@rHdI;%mz-03l)G
zZh9HVVtAp+?3jUNlm5G=#wbWR*N$!}nqBAT7d4<Loa1^b7Ny%4>t}nJ(_KhWz4@!x
zqrqYhOw5wGpn3!XEbh}p1Ta}cL`{0$+)(hkW`c=J=`}<Cz!8!4juh%~Z#^sK*N@Pb
zZZE-aMl&K@$VCh=EDV#=Trn#5^8D-6B#Ci%23%RtV6ryZ-`PyEH9-tR)7CR9psEj9
zh)++R=3{8A$Ouz$68QBqZ>P+lx--=Ifx@g|nwemLn-COD-A-Q|uN^<ejZ(Z^=n?=%
zDa}l6?F6T?K$HPr@K9GhGndf3-WoJ@DRPVjUA4-SZ#2*UIT`t~(2Rc#aRsK(*@it?
zya4cvpGp*cA<Ho*TyYAL1QF7<188E#eK1e)?|sc>U>5*pW6W`oVn9JG<EV38qu>-^
zbx)ZvuzUv7CLLo`bLl3p_N7Sup=C;e$kAjMLEk7QS{Rr9`mCL+2VI|i16VTQgT~U|
zu{h}ZrzqBjgtG_&-oI=crtHrw$T^G_sYSjkL3bulSyJmG9fS8_O-<}m>aE9W_`wpJ
z6wcx8;W(bJA9NLD9KUcvJ63VzKW#LzID{R|m^~9IR#))&5JoF@H5nA|&fkV#cFjx9
z)kwwP5ao-}n+q@Ot*1@C@yI_SX|M4|qY?(bcy4gEVBlC??%S1FF=rR`rh^jEhCFyu
zT>dkR64Ct0EmVm=P1fR|;`qO%nh7g`6~XRLfoK(lt%l={y_R*2A;mYZo^%Gx_$FFG
zkv3$nw5rTv3=*&CwDFa$GQx1H=Uf85s*1i5T-5HmSf_!0<yvAadAPfVD)^f{D=oE<
zb1{g`*W+pU<Pt=n??=f7)-Y7JHr+A``V(JdVgc^&-vuc3iin`w_y~;j(q0qOkZ$Ft
zuBWqHt*z6)+XsK|HQ`~l1gOVwbMmS()z0VMZNWkgspk<$!2byhL!L{39z5!y_>Kvk
zGuu}~RD6po+0bo^E=qMN$V>=9RhoY<7{Um0D(Hp>Z^YkD{6AIp|K?qPv}K{p(X`wn
zxpMmx<Mu~YhTrb*zzG2u^C+0rK?j}y^C3VH90ea<rgY*6E^;}v<+hcWWcBfnLOyg0
zU?|*(l)h8u?v=i}nP<X|p={49*X6bWFEt7&^U`xEIt|gV)Bf230WDNTNXHF$$Td3+
zCYb8_j>|}Sx64y%Foi)6z26k6pgpds^k;v|`O$&o;Wl_Z1L~f#@MQdTB0e&qOGk@F
ziHoU;qt|i!RUKFKLiv7N2l`omOfgIzBE#$`M=Q&9<){M4tLw|~a>S>PdTKO`!ns^q
zz>yhl>%{T~hfLmOn-3-fsYW3eL(sEKSR>?}=Uwkkmj!v5M;v8^Dm}fYK|3_{J?`Om
zy@rFbRT8Bu935~F8l>4s`z*@hx(ciIV&wt1YQnB*G>iukwix#!`z|%3Y~yovrs`t~
zc08<GyjIE+A5kt$420-yFjMfA$b)^7S#tc4jF{Qakoq^qU!wg|__239T+(#<`=<pQ
zilAX<2cWA85eQ`g{#awYr07?w;p}R3fU4w&;Y>x~`xG4p56*@rn0d<O@uz?vgTkRO
zeTzc~N)ws;ar#fxj|}QEaoK1*WJMJ*6qA$Q;sgO}qYXpZd(NNII$&?42PXI&oy;3K
zm$Wq{AWjlHsMB$n96~#aMVmNgJ{KfUJ=QXM-NN*DaCH>Kar`TMawi5R;NOlo=TN(t
zwDKlqM<hO-xS~cq7<uOjcRr2%4Fv!-ia8Dwd}{}2H}4Fjw4HG}ts|K{K!)d0NfZ~%
zO$XikOtNk9>NYjHQ=^#wX$zYH^o$mq0!SBV`@y8hhgTaE)DP`Ba-*C?L@r*&*)o(-
zEIzeJcLuDN2kU<%^1IXM6RQvM#<zfey)1N}gy)lk8Po?jLIqf8@f(29o7Rp7sih>c
zH^kvyzDp+_vwIWxTNhO)>L#iSaj*amoYo3=9g3WKV6#%&CY@MtTq`&&B<G}eQ$lCX
ziexvziDAtv_`H=0B^~g`@S{hMmLH*_@1tP!KS^cR3LX_u>sbved}EFTVa&wcLT+x~
zh2J{Z)N?n%&ViOUP!XP4K7YIM{AyP?BmJo7fKG;@z>h*LCT_K(ut{aE7Mjqti+d`E
z4-a3~pyO61kJf+OwRz$4y<AkB4H?XQ9^nHfR;e#jk-*3^C~6mJ;RLQ3iK+xJLQnyi
z8elgb6L3U;9;E<K0|6ZUYa-gZmA!e(rAr69kh=nEN=ZISDXP?S+)xx0ZDLoQPwr@n
zxHRYi@Gj6V{e_6oy7|*kgv=;q)sjD#8#rOdWMtYQYQ9N6xqw<Y;2HjXJ&1?lUqD7!
z;Df5qhEI)?oN&7T)9(KVV)35|z5kZSadR{PhwEFJny2L1a?a#0@jAdQ|6kjA4%kk=
zHIWdhC=s25vwy(F@UK}s&j<1s=s)a$ar)Pc{=pjY&uWQipw>CpoA>DZ?*l^p$8vtR
z(Ex1*_%OxaC7Az&;1I9`MEclU@R85j;+{a&;0=e=yozsYtjI`tSnKlQyUzGsCKWu}
zAAvjcDNyrnx{_Dv>U(nCqWHUf*^dfNH$qt8==0IQ5emMG>Oo=<HwJ2NRTat*db64V
zm&8c-)6T}y%ELn!xkWkdRHqVEts$C;-iw-Lztfr2hszJFtL8`>dN-?TTUVV^z7R&Z
zOB9~lO}Dq4Ad-5iMysW8P$ZT&+Nuhb?I5253Y!;H>KqoE;G^Gyef^Ww-hKZuJc3<g
zt4wA~(6V#}zKCceE|rHhZ`VDz(f`a19{<q}RO*XqsOV36fatkc*0Fm9)DAgAiaTA;
zxQO*)YydXdy#j!hpF98B8E6?1d34M?zEUsKCr@wGb?D#;QqqBK2ZLxkT31Hi2d;Sa
zuhb6H@t+&<Pc*NcMgruCY#3*a?MbjyLY+kxz=V9kO7#L|Ffnj?O+RNU^g|`ZFtshQ
ziQ0qd#T}1cD@r0@TBU_sBHmeRaG}`({=tkNoT{V?Q0D=N&^j#PqlKjXe>{c&E}Dna
z-`uO+R)hVfUdIKk$AsRS0Ts$begX`kPhavg35m5apXYf)ExoD$pf2MVIh?fTZMjv#
zcaTj<sM^(fx=qw!G3-a<M5>w|-Do$BM9V}1sKLG}JbuCD;pt*+mwP&GcS<g3N&xGw
zK(TBY@IZ^Yk$DG@+x~P15JuSq0W|2(weebfvX@xlbRJOe>Pl>i@DXO1&TC3QT?1b8
zWp3fU-^$t4?DF8%03#o4N4X6`t!c(AbGR!ZxQV&n?tH)p3bjMghY`%5YNAh=MZ>~W
zUCj8qhl|X~j%?Yc`VDAQ0UnUo%Yq`Od+ZJk@Y8n@BRFeb@OkrQY3`p9>IIDpm`l|6
zpNWgwip~s#pNVdXB4|wsP}x;b2Tr5K15zdJ{wnZ9i6T{J`Mmah{lxNU4+A!Zq8!y~
z!CY~lzKDDLhgBn3ELodN=gl^AtGdT28OIO&h$ZxTCh?LTJOMJENCz;gXvp&>T8y8W
z?M^gz+Oh8l#c14Eq~;TKmcu^xdDB?+0A-r>)~`m*dA7yL($XWAkv<!-taY)4!JEe$
zpA+a5fNVw_h&yx-T_9f(tg}CtR?U&GeaIL)P#?i2g~*rZd3%POMZ&@<xuNz7KWXZ#
zTAf;p%si3?sgj~RT{kWJua*A918I<`N!Hl|Q>y$82n+>jxbSLC9l3K%L~w%-soY2%
z6idxJtc8eZ?DL5hz{90@<Q<wm@nH`Y3q0UWh(7Dz_AJ!Nm<~A<={g{cO|ohPgz(3V
z;wMJ=wJ_9;_W_~h)2D!=8TbN5^ohg{2bvQqz@~Y(pq?I7FOqnnKpWtB**@GbXbhMW
z3AwRTG0cF+anVmxYvOx>N0f!Bfkz3W=`o73;Rx}|qrOwS*g)m#*rYjs8tl)V;QI^G
zBD$A9u-*b{kkZE?m>j}RYpC7IR{LE#Xu%*bT3&ax3Tgk+lugS1{W9F{kejVwe0q_9
zqi@!uj`KiR_zoXF=Vo)eAVf1|hi8f`;*Ne0tb{tdZ0+F&iE&ZY<c?)+CArUFXKZrc
z^*O<|2H)79zSsz2q%7Z5WK{#ds0Pl_dYeKf2A}~q<e~HxfOR1jWB}ZRqXEb?EXSpe
z-w^gP>Bg+WL69pQ@dWr1Msx(-#e26O`K+uVS}T?+M_=81vkfMXD)?O;W0Lq$(NFH=
za;t<XCOi#&jb!F>Ft^j>6bm}!@)S)@>8#pMr6rYuzlZvSveUL~1YjQc77Jl2-~Q)q
zu`E!A3}*pulC|6zfDC0Lt6KOw^^T>3RuXfaTCK@hm>>{fCp>#Qg#)6tHD4Drj4B;y
zPJOj*-CZ1zZ#WPcmM#ZNOaeqAbXJ1sta&51s^)mEb9I@4W4mr+Dc?UBrNjQJMs1YY
zq@dA#$6Y{2`;GL0xrIHsS~ruTEq)7d^1GhsE1UWO%?ut?<}|IKU{kfO@md!hl4Tj?
zJ(P*^E(22zP*Nufseb?{%QE1?bbH7mVuW3LSM*<u2q@gxon{8)WM^h)cz>%QOUnYr
z#1GJ1leR>)!<&<>4S>RSjv^Ict{(p1PydeX0v`5|ry5)NH^m_btV*1c19!itk3y;i
zVEWO%h83C$V?zTXS?8hubNjz9a2WuaPG7%h6lDP*Et?uHZk0==*xDu_2UE4*7z5V{
zWQ79%fBiM_6js0BAn0H}351_N5y0rZ>C|=$faY-dO@viAy#-tZCYebP2{PyTfWDIN
z(3brJz5EYe6%3qhEe+4=K9-%l%OuPJpf!;G!9q?eesh7(Tg57H>8$T;rf){+0mkf~
zT>o$F8s2KOFs3zC4>bpbtYb`e0blY61Qr8jwo_Uwg5XOfY(qL6&Yj`^g>?K~NBlkS
z6(&Shd?X(&s&FD`Yw&t?Cx?60Bp?=M`ZZW&8(!9lQ&PIt9``>VPpzX5l|KktR3DXs
zp0%aVLpFs~uGFqb4KE1RvNQoCBqb@}(PDo5f-4g9CV!L+kmhA>-cbzPTZ?1Wl|50m
zF+P$25*u9&%B>s7zbaK7CF;LpnWSu;VTx2B1m6+IyYuX%WkN7u3$klfWjH?rjf$@^
zPDE{Inv@<CC17<9ZFgrYi0Smc1o00aGdXt--LIqM-iZVR0{aKbi&IqOj4rA|VW2v6
zXj{6PVV_9Yt_0Lf{q1d_-t7KY)SY_?+)_1){sTBy0+&kxG5P_YMD`4jm0Hh<ExkFD
zob|}9qP64zeiTNH93S$_CTtVLZ|}RUs4u^{+rXDYQ)&PqVns@&>jG^-jkLMsS(rS8
zLOrOHg7ZD2bRAG}K^$BMK@(s@cn9jd$AQhcGBNhd_@T1sg@*$W=O(Q(E%JM>Yn{Vr
zapwq#{1&1oz<89LciF4ZG6nVlJ}B2~+j^)_!&?*#%6Y>cBf&`2=D@Kv3QW8yXcK_0
zTmzWvlk-``LNkLznZ`uW)U2*~H3O#SeZheJ#tPE3!s{hf;_6QgcYR9hXwl2xjzUKs
za0{!YKAN@G->xf-7BB_eSv1tlh|3W^(JTOyYaq^>%U(ym#v7}AlExKe|IQN7;z7u4
zbpMmR>^Iu`x*(pV^DCaptsH*)RnyA$GRxT$r8akC5?`y)OJuz$owvL6T6D@fo}#jG
zyIxD}_d7Kw3aT2bD5hx6;ZoOMgdI~GM(yRw71TMP&|L<|7y=%8tWMMg+yjdB1nGrQ
zBpAg6>NzyXiSdzu<YB2<GKSLkV%m~&-t+g_)Fm0REsa9&3uBcFiq#;lg%T*Tr6~%4
zhTDsM@7tWE;c5u;$T5E81?Z|QpOjYcElFhnUuzWI*Pa8u$qTgw3QQ~;dgB$NYatEN
zj3?&31{4AIm;&tA1l_qt`U0jp5-=4bK+}iapPWibprDD#1DZEq0?_L<iSP%+YY;XL
z1n{AyY$E999oK?W$qxjC!o>=0FjA_kT{4WP4^X`@GNovt_2cmc=x)$~V;fM92-{f$
z(il6^(Wj$dw;!4(o6``&PQbk<;{uAFK8B?*K-m)_HUju)c(f4gN@Gialnc-qonzX3
zz{PU(LXIhDz6t5vkG4q>x<ft%sMkRSm7&WBV*ls4V-d3ZeN)3Nb{%kt5cZc!rr7>6
z?0emBx|g$>8u;=r0rdR<z^eja`zFpT0=A|SarFL$5?R1}UM&u$xnm^kln0VbUOeTl
z42wpn(76QMjVXz7-HEe7xH=z>%-5q91`1$ea7LAS4c8gQlVUm1?&Y-40Q}jDTjDl3
z;-Uy9##HY&cs=RDMRN-H%}q^%qykmh;@_(Q4FWVrup6;jU>ya&&jLm(m7R(aqHG5I
zYQy?$`3ChZfnF9*K*53&f5Sj6PPAx_q-CL^dEmHH8kvBml3Jl`cMZs<a|t_a)s%=x
z!yhzb1_+T$2ocR5tG*%1I{t6SgMEo9AwDZiw+e7}`KrmtDr#cWECwcIOTxkUNA11S
zlIs=>rH>fVC4Ps)R3hlaVn5X=UgS&cd2*680I;^-8D^3*K#X$yh?8w3EF}RNZ5hcg
zG6TZINzqRb-!oaY4^gCc!1o1CE>IL1uH`I09TUk}us=&felOZ@QXOu1E@<v%J}8Z@
zT`_)pkPMc@0K;01`Mm`Gjhh!GL5fdT)yXdkH&CNHk$vp@3%bK<Z7R4Va9^QDm`W@#
za8NBRS5nT(>;M4OBMu_ATrm2AGa+VkhjwGA)aV8yE#vs?!as(!+|E5IwW*+U29#i8
zT3G}l&H(bY15voWGe*_=q6eD-1`D9r#>zsWhuFO=wfuBJqq6mBN6c>aQJEcR=nG7)
z@R&H+k|83axe*o<w~kYbybzHQdmg=tn9|tMjK4q2g7!kkWUF(kXhQ4>e|Bpa>%fVO
z1rhrH)Byi(sQ<@N{gF}sfu8#ROws?pbK<{sC&B7^jv+t56PLV|1|>&=Z;g;`1JfFF
zH_iI=Rr~##*?{fE@{d+G3vXCYFZYzb!Gv%Sm*g8p-$j|pp~5%)g1SfFo8t`?jE~{u
zLryjkYJD0uH)UcIYKLk8=ce6q7IQJnwaF9PgecbX_i3(@21EWv)u<qgvwEcCCGy)+
zn81h=SElzweX4VCF|%9Wyq6Ql&3=9}FGb(@H8ra|x}swZFv3tE@|)r6e+H6`K3T~C
zU868OnI)lzn}A7Fd!2R^8{>myCsRwMaqHcbZvE-renupy<P?@#fHRT)kZlfgU1Ps9
z2`dQl3iFh$Yy_4%rsZYpuPT(%s}SMY+h=P~3=6Z*ZWQiF6^_L%-AeS3sCnN|Ej#|!
z(O^jeG){-8z#qR=JE2a`0tIld)L}fpy(Y5VNG6wYT_J~-q^mm><Fy(3$=kFk)VDkL
zbuM}JeFtiXjWWlL$86by0ld(1^fPQOzde4Tu90U=_N;%FeaPNPZK98*gu!0%(S#!%
z+T#iLUJl+AdN%ggG_rtER#db1m5#@-9*CRjx4N>zT~^HlbnVLciaJX%1E_YL58U#5
z^u`!;eFEa=_b)yV{qP3gXZ!@KWm^f~c=AQQTjtgNg8OjK%S~TiykWjOzh-N3zLr+Q
z*m3g`tMH)xX_3|hu25O`?hnP&GJ%R1|8zO6bq1!r61mifH>bJ`gA0D??$zHOH##pP
zbQ?9O<&nwblWQHaIOvL`MJ5ld+2_nQz!&V7u*@v>GXp<K8g}Hf9-<-j9}Z!FzD*7L
ztd7DP2J5^Yl4Y@6VjM+Gi$HQov8J_P)6mNl>FcqLo_lduMto64Mh~9^WmaA%scipZ
zSoR1#nh_Ed1xo=u)xaG=bf$TrULVZ|(`s~k@BrioTn&Prb1}1)mG7%FU;{BKr)dHx
zg*WTT%QO6bxT-R7tR*Ihi1_$0vFeSi^U`F0cJ!`Iwzx}JQsnY6|9T7AcqPX3+vBhB
z??Y90NtlOdJn7XI-DAB$ngB-^yb010&hDBqs|IEaOW$)pN}ZPyPunnFEtdLbw)aFL
z#A;ru!5-&vGQva&-jUcSmtShUhwpmwMbbynZR`CB8?Nv}JIAH2%%W3!n$PQvPlkke
zsOi(!k*l=I`z8+UcNi_H0?9+Dqi`_drF)1Ga@ff%0-)_W5XnH1y3YO?qZOUW%+HTj
z2_rwJVpn~GiCw2Wmfv=bB-8wWQ-S%&)R{-HYy3gjM4s-q@OorIl(%>vv8&Kb(Xg!B
zXY27UIp98;959<TE)dOjJ5f_;8dD@_yDU9al5nIg$G+Rs?lGT#%4XHh^vjm);fCYk
z#pJFn3F*jhojIP@?o~(PG$c0EXo6q=YK*<fnSSOiF}3h@pImQlrgjKR3^kuh(DxWI
zz{EC0L6MsBP!7=HxVu#}zsAY8mcUg4{u~2$<Vzd}VUeM@M6hM4%R}q1dX3v{*Y)X;
zV}cn~jqnFE{Pn$Rm<6qZ>+jPaM>NIsyYt)Z+7V`iZlPi~)KimJ*<0%2+N&9|T*dt5
znDqv~?m{q{T@J78-x)Y|fhVwIk^Ef3cQ%omQ$g#$ut}fi?M<7omG@*`t0{1mUGmnw
z=h-Mv`6Y$5J+bMhd1LL6Qt`9x)008kkKbJ@OgzzpLfs_hXK}Ol>(TE?X|JVw7T<E&
zEWh$YRAp#0CcQQ?AA}{a9%mu!eKb3U#*P<hXAT1HK<xQzC6$h2=rZ>@7lu-UYr8){
zuRJX#8sTsCBldy7aG87I#yij2`=Afd@<Kp2#(MEsCI3;z+G|W3iu~VH18r+xzvZ7I
zy57roT6`rYFZcx+!A@hn93hXYq5f8dpE>=Z;8eoI=&=XHOGNnl+~T4BMY(sKk7U!V
z3kqU>32RBNeNQ%_@l5Z2{s5boI4G-en|u6ZZqq6G&@t=Hv#gar9}8G>f1U1zaZXKz
zmprq3!a0t+w;)LMk|gbRR($7Ci|pffSTRSEy^<8VE+R=6ng|ACARid{E@sF`f+oto
zQdt^=e0A`UzBRL2q0dD2$WRahDzU0Jr5qGZ5~mN*BCDxVDxB&~wB%=uZ||`MKA_$u
zAG$;aXF~FdT+rmt@VW_T*?WG#GjqwME>_jbe-LA>%*eg#Ic3kR+4sspAn5C^rf&V+
zYY7_173AOCuq%JERg)OIl6{utgsa1shgsuiL~ET2ZYZ5LzDU8(shW>lGPAv0ZIzO!
zI&*Su?Ww29GnuiR*~`GTDwOWp8xi!CB#7k>;x~$EJ4_uGDV!d2&zrqWJR8u_Mtr5O
z5c4Zi?nS&oe7n3g2Z;uwHD7!<Te*k6&fzx+2Y%!F@(yLYE@^*}xYGH|)O(y}pTR#_
z(|=9V-}d93(AC~Z%tSMNbC+vToQ-1XFcu-xl$doq{n!Au%LW_r(T6>L`u6Zkw|iIO
z>s*yyhDZxfkqb{5*yta3ZoVOqES-FfDSjQ<BjlcwygsE!l>4&1yi$F`QmG^OjpwrG
zJgIb}`@<G+!0)$)2o}|ahO;Ar<bo8bj5RBSn$XSf5~2Q^pdD7K4v!T$=Z-4<cA>28
z0>~cISFDNS+{BOb`@1{imPGe`Vx^HpV0WCZR}KD`QuT7w{(`Ep9*YX8PGKwnp}L~#
zzE_tj!;|htZ7U~)_Gx00y?MB#vTm7{_5;2m{%NiK6o9G`_D&^e*3C%zZ}A#D4q25G
z2>g+>A4R(Jgev8V;<*qa%s)No9o1+r>Z0B7r#I*Kf+`D9J4c7V9m(lNB?S{MY!7cR
z7_tOX@A-_6GEC(y)z484_P+h{?dgC|?Rcq}b?1*+ua1^)Pk(Hm@$IC^>fL^PntS7%
z=}ILXU#CI;oJN*&=NHp=Y)@K;J&%4TJPhG#T!~#9mVczUaU?{8yKN<b_#tS#n#+4B
z=rxXLn5VPF-dEM>7uqLh>ZUh#<dkCF=?dTdln&<3W<xqo?|sy{&@VUTucLf!)Z~TQ
z`90LbD*F9;ln;hl0=x;S)rt|TCxx--)p=v<8*#`}X?v}>y;l5Ci!8H}5axwuj?7(#
z8D_<*J1Vt9Axkp9Xi{N5oq<;S=lYwH=^aL~!WA5g>PR3mqe30^+2fY$;fpA5&y31A
ze)C_g!@Ch$)Tg!T94OyANtc<B;Ui-9<Idoiv-Nvgg%b8UR|tdN<NCJz;L|<~EAQTz
zkdd-RBbF%xleOyjBVhHmzZUb{uLT2jalBsPVwPTkn^I=sbVL!2F!r;WI-FJj(C_RN
z*wJ{YGsX&>!miS!nC)~KyO)16_Snmp7sf^u1tt*Pu_up!zs8~W4JmHnMO1hre$8z3
z-%Go*y}z!Gh1H8|);SyrnV?!W51!MuHaox82!9tVAZaN1QhGlk2LG`(D;1+fO_<b?
z2pybH$N8_k)UV%^B3|mqhW;Ijrez&2OAboe1DxURnbxjx$z+sYGW4Cc+83<W&)<|E
zM0%YYh(psJ<RjFRNnk@-&@AYWp#piVdVQS|i{;1SZz=FbG(4}YvjW%p-S>(*_&|~1
zzx&G@;qfWg2K0RcbN+w+;s=|mUu$2_fhWGXkujXF=OquVo0_U|42W|EeHSsVB`ws}
z1hkuvy$#rHw;r1py|7&bZZxaq8$QZX7_ymf%)P(UVvNK0<$ViU4d)I*My|*{`<38Z
zHLXVKP7LwdoMNlpxgXS@YjgX8DVuHurZqgjrIxfYza@Ax6xyZw-J)#_4b_Yi;hmB>
zaY}+THGe&H>$-WSz)vnC73xXFIkzIh)cF<v&J*v)S0m3oK9$0=5PPZ;Y$V;K-&-fk
zv}Gpg-y~vHT;aX&t-@wKj3LOz8$eewgWGZgO~AJO$_4K-9ZClz_~1zJZD@4}Uf$W@
zE}S1eD~x@71XooZfL}-~<k~1~QQV~I^)Gc=TkOB~>L{wXLX6!;TY3=njPT{_^vYGj
z@EM9!Jw->Ec=xfO)s2CJ%<cT!eoX5F5#w)7On&=>@!F8!S%vYzc{lBU_loLN(&|g5
zp`ceYs@(W4ty>W?IGM?Oxt>8P=>E)Szcod>vx$Cdikpo+u~6Tnl{_;z6~iW$#K0<5
zDuh+kM%f;;^&9NmDc~r}_1(@;Qm)N<&33gru`Lgs<ZWM?{qGlLisc?1mo%u0pz_5V
z3QfX=NH0?@Q!%Y_MdDaL#)dd%X4y-;Pnj=#qj+#dossY09pxRdUwmz|zU*5|$c0`=
zn!S-uqJ_dWj*6%U;3VsT(^j)uYuXc>lN&<o$PFGR{fJ?o<lasB4q;-i^`M;Lh$i%I
zs!(qq4;04s>7^eEZBXlnUc@P!^xVIXvc5L5mv{`GPAIob0ZWoJm7JqxKN3{=@%H73
z|Gh$O%Jh<N^@8Qnz`LIF1){BV)}&Wo^F!vV^Noo!5(PEW{++evvky@YKc57qD@J%s
z{sd<Q17>Z-qGXg53dpn`tb{Y8JHm=FF{tym`?&)+F&Is-;mj%<TK9Emk(=%>j(%DY
zG(V^d`!sgYAxHDHCyYZkjg77Mrr7j`v_qi-WSYW_|1@i)v_%zK9I&u5ZdyH`Hy&Ey
zqylKPp?fdbcgBH{?AyQ-g?6>ce9w;JG6T$I*5<W7>#+J!@RD0jhSuhij=?V^JD_WB
zUY3-jx=4rgz>Az)9pUy5E>-Sn&r+v2R!(f~#Yy_F{y3)>ADm_;E4MWLMoF?#yzSoJ
z<lw<cqZkAjcY+tqUbFjNGoGO)fV(0y{#_T?n;2T;sf?iU;qhR^v{_Ti2a448^zl-0
zWk_4etl@0%_UJbLYo>y=X~Sk$x!m2Pcg$$6ke$iRa$OmUru)#Fyl`B>zh&fjr=3E?
zufGir$CX-2paIAmQKaf)CdrNmciwW}-<tOg-S*YnToX<;u33NZ`n3*tzG;ng$knvk
z{Y2x!y)~+SkEORjmQbB0mcQy%BIe^PYWstC@(f@wHe*w_5El}clmW+%9`~0`|2+Fa
zuO`>z;EV?s_hMSdcNIcsuU=@J<eR|le!jj8{5WoZ_uIGUUJN4IIha;+Zem`38Hr?^
zC6=Iw|11Ku2f3jeGVCetTsib}1{Cc5UfrbwxVKcntevTsh$8{`+}Kd*rZ~p;n&JEI
zLDL)y06nW7U|E;TDmo&Fau_GbpC9ZMbmr%ayxAYJdo`OHS5murSK{$cLj~TG(xb<=
z5dYeBA0x@hUV$LHTvoM-UL0w|tRvjx!J1@MV;&m3F9HU2GhqvQZ^WyAtz_Y^()4fe
zK01X>3ePSazC(-TCap&G7h0KQ>pww6$5Jv&eyVJ?GnbxwwaR1u-f3Fu)_FrogOm31
zB~cqEn_iT*OufCK5Mlr156k|!gBGcZ6W@JijeiE`45@$H`ypU+UfBFPumYw`64<Jr
zEa|!=w-{0uO|T~&(q5gM1uX>gtIOUBOs>1dZohjbHuQ$7Jl7F*>R9Hg4q>dHfxTwb
zR#H}Yp*$OYC*s(zuLI2Jda0gK8wqLPBo7Xs>NP=Ne0b{x)vKuMRaX?in9!8~#f^%D
zov8g)?l(|GwsL>@;0ax(L+(j;&{^Z#&RV!%mSh(}_}MzVNSah<d|z2u@I=piI&ved
zaCX8I2sOLzSXAU(%$uFiUZY*y5wz<|2cs@Be|opYT$}oF-ZipMAOyh`gzUA1?ul0y
z*WOwuZP)IL6Lo;ANSk?s(Ms+V!>)ep46kK7a#8}@^&AUs<%f$sS``r1;J9%*&F(J#
zm9C>(otljX-d_D!zvs{V;x4KyO;{Lx=0D*DIPWK=<Ji#idD`WqWbWN$qwTzq`8-_~
zt&=Fn^;gE#uQ<;|E!#S3r2&*A1zB*8YOn>Na7MFPq{2$krYiQRm51_j6Jx88^lHqp
zP5XBt7|_?2T+{n}bgq0%VQejR!FXsRaPLjjv3`zsob}oNv&m~1n$S=+^+XNsV6RQc
zlWj(Y?nLEpSFZ%;_gDQmo97j}*b=gMH95ClwRpi@WxMDtf8l<UULn^`Ch(x2@<>jb
z_36R;mbdXq+2L*vjD^T|jP0&^y`X?UdGVzFu)d9c@`Wati@u3%frHh(k6gD|RA239
zhkT4=6Lr##beFKR(Xf|4&*EJLQ?dBO?LU)z<?czV>ZQ`}5)rC@8-{~0A?h<2DkLp`
z0(0o!ni9rIOXF6=w!*!(mt>#PYxll?6;#@7O)Z>VZH1>BL;b3+AemZTKMnRyAOhBr
z`qzewHa|!#AocGP+w=E>zg#!QEql>tQ5h$O66d}y>G`}R{+jsW{w6B~KX=`K9{#%H
zIL_~ei#X0?Gz7l|einrSt&^<axeGJVa@MYK)E46#1yQ$N?HKG*?N4wQC<U*#*Y36F
zE0Ly^+`K=A8eWJ0>(k!&ZRT57<9Aw=YCs5sdjBJwdvD^jR8Wg$0EjpOzXkj>9()6W
zPSK7Ej~+HOiugdHkkqdfLbN1m7e%<z9=$G%Ud-^G%#B;fOf0OCGukj|ul*3Pml?mv
z{>`VBv@>6Kkrg^nv~eux9WR<t-w3i6cj7nq_f3iPC~uXp?`)xKZ2h6{p0?F)Jd=2B
zMHuQYMYa4V^ug3qzaWAj%5U=^oI0)a>vX>L{-(8FokL=-&0E!k_crUT!})m(8*sMk
z;@CsKP6)^9^W%Sfp)xlGhTDT$6xb>@_c6lQ_8TR+%W+(ulkS;8KUKNSh(m?Mp^BZH
z5YjdES<id_Je5j`v9$!>$EUCsA8tEZ@`o{_x7z*L(0=8iTlpd$p56<w?bfvwo3+?I
zkrnAda>1rp-`C4dd;9CjUppUmbQ0IT%({#l4iw$;UgX1xm3F-@R#LqpDYw)+VB_|+
zIa32qg6p~{J<{92wFkxr?&Qm!658pv*Iiiqn&uwr`h$J>6smwus(SB@$|vQ+Gs~D(
zXIy7@aE8Ow&5QQx>F-4;KtMu0+inL$XSw`rHk%|u)~+6&DfoFsFvu~=7<FlE_vF)m
zgP|ieu?@i+$K3rIEZ>4}(&>-4QkpQIoE)Sg&C(uSh{CTIDG^fPf}t8}6k*rtcut8I
z#Bu$|Z<fXj$AiJbsn0kv_F~~kS0&>+DSKWCINMyOB2otZLA<6L8vlLJuF;d??sYo$
zP8LBYy&!=fXo^(#(?*Mulr4qq!Y>Zu^2tLc1vcxk##MHkP=GZfBG+GNjU%t_4Ek|;
z!CEz2vR>j@(4sxJIdQ&_G>=b3?gghpanI{o;eU^+c($_i<~cM-DU@bsE14y~DQ?q5
zU;qA0(!)60F2bD+JyOHQRE}CAcy-%bY93$rUZzMrL2!<A4Xw19qDYZXPcD32K!+6n
zg`ntn9GRPHd`EFV8`Drji`+HS1t-P+TDKBDKodAvaB8wZ&=P!MEuz-6eq4Nw1Z~_d
zEBZ!q9W8QP{ODu+4H}oLARgdv_QaLQ#<zHy&0Y<gQlvxP32hpgv43SFZRBFg#($9(
z8Qv7J?)?b9d<vuKQ&C=AhG~r$dqM;caPrVWw6~=OG6^>3OFJ`GV)wv#4y9j!Bfp(9
zTgBGh!?c=APB4#)k3Ig0^Q~+As4JG?az*kXKBCpB&S55%<AJwrJuO?H2taB;DO3WM
z8LdKXs|PK;jyrg%CJn^ABssnDP22sAamL*(K}DGz`xkjwq4K`kbZK4T<pQP2>|#8B
z+ck<*{JAR~m#$wQ*aCOeoV2aNN|GKtsx%2jJYz=d(z4@K-*7Oam+_B;&o@ll;@z<`
zy@KGD9jX7^@*u<`a3GoWE$E?~XxmIyt8OO9giUAXMr($dg}&63+_lhC_Bl3Wovb>a
zNm|L1gJd!7ul^tM-aD+xZQC2QVGuNNEkKYKv4NlzT~r|vvar&W5|k1U+#sR%mPCq1
zk!A(y*ysdQIwaCUlcqrE9TIv8fe;9MZ*Z-(_daKT=bZ08=RWt|bN}!kp7@qI=R4;3
zl`$qNYNO>u8r<4FW<Zh8BmTBfX`i=pokZUSp3^?;r7mjh*2+U3u~xTRfyFa27a5SR
zu$i^rSFg$S7k^8yeQF3hvh^zA*>TPU=E?0qM2+@8Htj{H#x(f+(L$D5OVLv$4&;^y
z_2A%7t!}<Q)0tMyrQsxLa5h}y{L*Lg-rAQ1*&Dxew4^+{Tk^LbY%Jic7*kioZ(}Bv
z;eEje6P;%#nq15<K+v?%SZPD#1cv{a__|UUeh*yk(rh1Ws*mxG90pQx!8iOmk&j)r
zf9d*x()EixwG}&E;%Y#TW3n2bY3{c7l?@y?jVb`(nJW{R`CX8$*^5a1t@Y%bt#-pA
zv*^?x5xM}Rc#7}|srZR+fe{A-*K7g)X%(ydJMg@FaBT~cy)~gsB(f%pwmJ`x);5&y
z421EVPTuIJns5$gH5p=c6`A<V2j24<!Vuu?sfRV;zU|i8R#gRLD<s#^m7Szm5w`fj
z?Mt%%bOzsmgh<#rJ$ZZcn$9p6pC<-JYt#p^m|f-Qv*0b#Y5^g!W)h1~vE}3|lfVbC
zvoT8OJPU5vQ@%MtFooA_&lPRg9Dp-J;2qN@D~p8VPkN;td?mEFzzyYBM=ACBLFan;
z#iU%@E}stglD}5Nhf;4hY`^<$|1rAO!@4K^aK&nw+801EV`EU?atYqG{@=fMY4DQ}
zU~U}G$v)uOl^Bi{0F@i0%-k{hrGBdVwV=M#>lDJOs0hMMf<Tc4EqLT9rdb8!?!FN3
z$d?e6{&OjCo}9y2+<q`GqY9J|l;+!L|6&{X9D&lvKxvK`Yjayb1cYsWOz_{>6cFJ*
z`O)#)nb-%m2n@Ke95{V=?@~k5F>wJ*IXo2c?w^uXfUlr_Gpe-BJ}eK!j15n23T;VQ
zdl#mly^``WA~p6I1+5v6UGPvk!}*X$OaZ_z_=YYUyZAXxAI?6gk9qqFzmtGI1t1%*
z{L1Gl)aLgX6PL|r$^|wxrj?;+o<jx9W98f<lyWee{R=Rf(Hldunz^f-s|!f7!(Sy(
zGDz09oZe=^f1BYFUCEm(44mId>b;TWtWJU@1~_CIg_$-?zC*8sU>DyA5yyUSQN%na
zQ8gA+6|qoJvZRi<xyBYF4Os;5Y1qMwRUCGUt9W}0WRi>>f7WS-rGHLij=Kapcugr1
zoa!E@j)w5;l0HJ4QQ1N(B7ow_HX*sd2Vr2=z9)f9U!hM5{GWMFKX8huUF{%@KiEK^
zlI4Ni&p!-RYUqtn;pZUklw+gX&j2n(3|)*}dWtG%(XPP#zYhxHmtQ4-T(BOD=6Fcq
zPx;u@ZHF8CBc3A2Fzs8s(i_Kqg8QEY(P|hj?Dxf~XPfM2uD@`g@+B0>uUcfVtx*Cn
zmjSU8SOQf*Z7%Rda)OA@0j}q%z_2lx0g{^oFZ75q;15>I+pO`q&L1dTAj3+McW1Q=
zzWyr+Vl;1tk_@YcWR|dOx9)uX<k_&0GqJn0U!*0sNb3H)0YK6Lw@KQ8>RJtW*h;El
z^6{JbwnMmCW6|$O_vIf|JC{v;&Y{s}pUm$slamT#Qruh0O!usd{GBWV*oK|A71&z4
zQA)C|g8F)?&TcHk?rgchB{-qtkNx1ENVY%zUq!v><;wBO&M_2@!*?cf5=m|e^PfE1
z&mc;*kYBGc)F<GMO2W^G?mWKQU&AAJo-+$O3-j<l{`D`o#91D`TTh8-Mz0LT1hUzZ
zOu)`Uw(d5YZPlfj5Xx9+^ljzK<y#+y%2+<66?#@OJ3i))ANR;$YFXu@pBDxL^HMl|
zkwm?hrHmbg=<}R{v*3f48jBZkh5k(oZ2c@yF1*CQU53mnQ6?2@#T(x}KQ0m4%zQ&3
z`g>6a;3ceW3ydq{mCv?MR&u~VmRSWr%sO&r8rXv60mku$B|R5)NAUU}Ys1H6Xge|)
zg{h+_k>+uOK16#)BXql`lNYtzSVmR>Ud)wQKI0W*vPN2-$cm|;X=e>#`u1kwRy<r#
zm?57CoPRd(>Hp)S4|B<FC3T9x{X8t>{i^G*E{t-)^1MzF#J}d~yC8r2zCPW$y;2I@
zB0wxOjJelA3%)Z?4pu-amO%Qw56nx0m%5*UZ8G(^Q>l$JmY-S4x#c#D=>@%?<dZ~b
z05I!?4+wpW1wbbd99<Aw(D_EImRI0fhsiG?!FWLf8nTZtFxf4slZo*h+D72$vK0VH
z6WGd2@?al$aRoPe1t}M}^*Q-;ABS;n=g=|qAH<&nb_^IWUI6w1AME0_UwBR>hL6^7
zZxWL&)(#0=e#8pWI<N|`n%1!km=RuN5tg+KWD0>xc7v<m0%lI-4Dt^g`VRum)+6Qe
zk>B@oaED&RkaDu`^i(IHX>>R4EIch02$1>(p8`0sf5U1|z9MuokzQn;)1NFh5Zq(s
z!+xzO+#xE?w@C!KJwC8tTCsJ?heZ0g^T`F*8{7=l;^BJ52`f2)a)HaM(^F}%_NG7X
z0s`*x++wpG3Dk(a!Bzc^8Ai3fk={wM5)vtxg|%#)0-kj5dqdsM<?hyZr(KQyz+s<(
zA*%8KHu6(t%-h!6{M@w>K=e3{Sv-F2T&&SioViJ|L24q&`qwJ?A$IVBIlBr&u&9_W
zLzQEPmJYnQh{U=xs^xI^v*2WatrGnCIK_B?g%75ZXk{jZ3U?>Q*M-gXYa^jEl&wvC
z*C*%jSO9`+^ReIRo=ZwkKK{6`O=#A)a^IV<(*wmoC?n2r4VAF^`{q&Xr)!%l(`Y2_
zZ;b8rk|F|j`Fqx#fitCHo_~A_zB|$L2tc#^v3w(AcB04bzke<NPyFN_Gk1ZN+ljWM
z$8|!s7a@ds()O03`44=y2;jotjCkQrxZ`abu&VY}-(GJ;4fqUUvN*_y-?MGbaVMyS
zx|-~SEiPcnMrIcqet}*4E^t+?tvPKcCcDbf%c&YJ46-tD38?q>us&#WG2S}iulH9G
z3A_`!UE=fbnS#&@{kWabVfnDC&QM>YfMvHmo9wjDMyRhx-NX_gO@SC!hs}Pq`@AQh
zZ@jlUU&&sB=do5!L}kP1@ySk_kMxvRmnVvHh`_#^EACHAH4)b;_TfC3<F|F;mc!w5
zjz4E$VCj1d(NkBlj|(_#Yj|1)wca>w1KsGhI1lg|hWFwD_ITgFNErvTEBBdo*LX`p
zBoZLN_a-v9@=-YlpdVXvocoLOCocee;&cIUvc#R$27T=E`)v-FiG;I%z%^7N(X5Y-
zSRfaG-va^r5+sqf$EnA+HDJ)=I+BHO^WPQ<%=su2`jZ1C0h~qYcii>}d=qa1@n&=;
zWb~g$C7)1z8-<L>u)%jdH}{Xs-<Z<J`7?l|!Zq<m5f|--&lwmaLqBJ047VATwY`$O
z_2U3=_A2d30xrk>=p2gq5M|2Vz-=$+v$mGyw%r+H0Bs@3f+cOaU}ntFaD)<Ri$O@P
zPmq9rEnqzvnzJGFo;<zjZZVgM@}CA3g+$?&<hE+BiDaJ3wIJ^ESUZx^v~@Q*10vQl
z+S?bb(A_b(5}>WTAMOSB_V<bc@~YTL1JZMk_2mh#pgqO&p5B#ZL+tsoFhKA-<}vUY
z7-TT#%itv81CLm{TB;w4t84~61c3!k2vvtfz(ZYgK<N%I&{JRmo$0-Ylos*CHJcaM
z+NxsKgWo{d^^Y<@U)y!cHVaksiAPDTuP^Vu^QkpaPqic;OWaHm7M+9iXcgi)O}t!&
z9nRL?C9uor_jInqQwCQJo`s^PjM#VNr^1ek(fII!T9;~nm2)?;02|PJMa|LSbu(>v
zvB@-8l;DO%<-QX4{2L!vU#H}($(EL*3h=bFh;z_t82xTiAG-jxQDCU_08LJh&{$Pm
z7{SaB9o8xqRIMS58ys7g+#XNPUSND>_zCE~mVFJFZ~4j>*ich;lS?3m(d@#`;=?Yi
zxqK-V5YSOEz>SFvnL-aP^aIP0xM7KVOCNuspSv*v939u2p;iAbYO501uJBMS^ZlXv
z4>D5e^^|BmZfidvom1)n9mBOPfsU-KL|5;93{T-@RXTNnT#Kg0I78=qHIqeam)t<)
z>r}RK`DjN2>25d8(WUxy$*b@LW~^Qv{VLo&=L40PD`=GXVJd9b3OgQ0cj>BqaA((U
zxnDbiuXg&Vx@x2q%bRp8>VNSi@rZn*Hlenb8$?e^Dv>+y@`N)2HtS5}ch8}6{ZRA+
zrwcT_H4FP?Dd9I$qhPD=`waRpyD4S;Bp|SOM}?gtt;dr}SR%MFm+TS$A#FaQKb=EY
zp<gqFBLQr^4`_5G)1@6wVy`BvjDT>9_&WnUV}BQiFZ?ME*TJlB&0RPm;($NwedXsu
zswogx+F3`o->1Ycy${jlDQ2k<;pLtXWc>%;?wjUN=2wv3=CtNEhkNZJd<oKugawUw
z*A3gev-o9Pe`{RdWP6UpE@DvJd_N3K?dGhlujL=zvr3R}dK2|5Zn!@xhv|Ix0W4DD
zTW9v9TaBV_rlwqiC)XH2)r2nsr=3ogBCL`}ABKswL?4nP%R|=<f6?aRn_5;BZ?O6%
z=^wt}ZtM|sC`RsDQIY*jMV9{KT>)Uf0mBtEWLhIjV{+q5*=79zF-)&{8F*M<VcviH
z(c!9!`VOS~N~cKJes$#wlakm`NfQ?=J$~U+!MOs{w_9|nxW$I&xUJUhb>VIQmS2JR
zsEL$!<3L?)6Vmf)No}c@p67W)MSE!?(&6C(I(bhq3-3&CZD?^f{TQ$+3IZLGb7qDV
z!MQuP=68p}Y#FIxpd%XHOhhzI+}^etb+nG@0F7SCn}itHEW$T(xknAouFGvtkh0-k
z-y8DVdj|JU7F=_-_~@O6Fhft(euxVoi{7n#kDU(2j<bxo)TA#Pu~UN&u=xdzY@^Q!
z$ygR20&NsnjS?%Yj@!>HB!{m9#GtRNH!vurYhMPVW|g<&B4*GiYasLVHXA5d&?ir`
z=iNFr%4gUjfEak(5Y?c$x>`iSFlzYpvxyu<Wz)K&6}$R5r{eQ@qqDzkoQ<QQRlXV1
zEk4<EV)_8mUDTH5X;b!=Tl)||nyy?q7f8!eHm5fRwU9C|7|ZWoKqM<i0tc(UPAjW)
zMy%~Rxe^@=hCW;a9o9%!nI<S5O~WlQ@W-G?sD1yVS$}nlZ(nArw+<sv4Q|ZoUAPsm
zbgNHUgz>KiaE~?I8<6`ISjYVGj|s6%k}SU7XZ>rBz;2r1QqXo0AjW6Ht`;3RCnR}W
ztS`dNg67x(9Ntm<nhj^YgR2R|L~oveu3w$`VH0F?Cbq3raieZ6Z6&CJoL2t@G|<)N
zr5uSA*!Qq$XY(CcETvR9Gtz*QaAv4ix1gN@iiJT`qZSPt?`Hr{FNq4CcX{oJ<MtK-
zGB624pyZscADa&8wq^OZ7*(E3mOn5O2yBym@<xFV<|Vi^$ctyVaNHwzlFieV{H)rm
zpZ4(&?2YIfj@$mFbX)dsy$oyI<5W0ndXe3+y_vjC2MFwj*0Ct!`77?JfthnG3v6k5
zNS}#F0L+^LNhsjH6t8cQe)W8s)u{Hbo@_|k_b$n+572Vv!%@M%pHnfqSie05XQ$0n
zUAEh6VR=8Ga$g&}XnS=iN%%xRj&b0d;X@(Ms2r<3;qBt?m|S+$7n9pQhi0#lm#&{>
zVDuAaZ7h8%a0u=ZOWS#*J9b$T=gyu2ZvjLZZnJL2j@B}$P`z!p&|mUnD+tMoUf(Wi
z1=M}MgY4`@L4X<W6v2(_&Iu_1Ty~t+qwU0B<-)H*%dY}DlQ9_@SPMQsJMIG5I-r~=
z>j}B^HsGpe44S-@l7nkz;Aa(%j&(xR>#ZmoZ5eLsh^VG%(_Wg60>C8jUt58~<<wWE
ze(k2T@=*3%ennBG^lMt&sPmxJ^2IEaT8+YG%yDmHj)&M@a(fVRja?>YDZi*tuq#NM
z^&E)<bA{^>dedPJmA|uU6eor-!GgEj=;qc`pqGH^E8g+%s5obr_O7jVtSup*8khk4
zFd2|PUE)X+UTodaA{yzu5`COiMr!k}0PvX41*(iH{|(=kad9?_Lc+3*Cx_M(hwjgb
zT?h=GC?jo@nH@c5Hu?haEa<pyvmx0q_P12(1=4ztVc@bdte|uyj#6k-V^q1X``ae(
zk&e+PtTVxYhon*ud1(pNa4r92D4UZf_7pD=H+r?|MS-O4AP3kKOD&$^6X4xcbJXKF
zD)M#>98yY%pu)G;XQEzta{*~zb$83(erC!*-UYz&vzL5A4%y)eosPGD)AT{2YJYlD
z1b_0OoTRxM3_Ew8I-^P(e{qU)4{qz9%mOC|wLZ!m=OzVKw{p?1{W=^+49whd4oJ*~
z{gre6H>Kru2T3sg*B_cZIM)OJ*HU_6%Z&;-Q_M=UoF!&lSMH7m;n@%TK{3xPz+te&
zl)+69ekRq2=Ou2*-)GX3HwHU#oApg5+jV$UAuC{w#58ITMRU}*+^7KoeV~cbbo-U<
zlvfdzv79U}>!J_w6RS#)n1`)cAW{gNB)AhvVs&-`+$y^6;bEmQ!d55AzY4X1#-00l
zFW2$+R^L;CpM;&J3^L#H9i>RW27;56jzNmSv$u_BOacMBLA)`yD$r_fgI`-J(&#oY
zk!PDw+cP+gKdu0I7JMy4P-hru$=758Vdn_ujP%|E!c1C{zk>z8A5ez2@O<V6wCpTU
z>oyg396<YdX9s-55kF_5?gr24L(;LE$<Rr@({dIldd9DqPrwEQsLKF3N~Lf?VlrX@
zixf)Tm|HXIco^~WJN=Kom7$}&?gG|QSU_(dGF`iwP+7RP+eXu^BlrLzTsy|CehMP-
z?eCNU2XhG<$pcQKz=mn%!R1lIWa*K(otyljnui)JX+1p1lDeb5#T=6ag6`GR7LEqp
z(dWoainG+)^tRw{aO>mA=I;o>PXhgRpH7Ayu)YASMin?G`DgtA@_ZBTtLCMiQ*SmF
z5<BZ)tNA9x1Dt4HO7tNC8mrU9hHZnN*!l5<ZOP9=^%u8?4X9_umNhNSmB^xfH-a#$
zVAw^~g;S$6+xSndeqzVJnQg~vi>p)phpt*KST`n)d+B=Lk5_yit~fJ)VIy#;Nszv%
z(K+QU?`)r2wjXx~I@-N5=xS2fe4AVF74W*{R?DR^<-_9(uW1W!+KR4KhVBU!lyM-1
z9T$jEc&-1=)q_r0E4ElX{se`zkPGvD#`UI7vP>e>ZRf32_H}`R5#wheLNsrXBlzo?
z*jYgwO~{`a)6$0c#m3KGL|FN60cY}XQe1p<VjAC^SuhjWZa6IMOkbGpvYOrK%WqHj
z$Kh??=BoO4Q;K=E9<3fYykG$HzHjFDrWe=f(pjDBJ_>UfoGzALV@~h}5YqxTMTKy$
z-TEHDM^8C#QoJ;CRd2M`Mde2&JalcpTKPWphz|2!0ur~z+vSRR4b<7oNg1TOa-@H+
z7keAp(&lQP=|PKcnk0W0la4hK8GiWYaFq%t;6O$9u&uD^v|Se&$3|1kAl+Ygt8l$w
zkJ9^p+ZGN0x{Rz^dy4eM2M=HbbUsc#l&kQ0=CW*n*TsFU0TUN9R->J2KPV}<C4Db#
zyNt?zOC?Ir->_;L%SeI$hHN#H9QrVq!IsDrD?p2%ECcE_ufdKYh@Iq^g+o2ds`h$@
zOHm51V=P9{4_#UzpYk=-$wc=fRoZ|%>d_tfjOEY#I`)Qn!wYXZU;^6ZDK|N8f<2Ep
zZUVp+a;_%yuoAG0#rKGYuUy&>h<hl(-)DB~KD-6b``#M#8X>?ApXh|R(7vZFISU?L
zdjs^@&&8aen1a1m)~$19L=Yg@`rop_Z-6%X<IY8q3{~q8C01N~Q{^0w*!3)@)&urQ
zFz=QGbne5+L*r&Mq2I>D%^>Sm;LcoIFH5i4+f=Rr)5%NUmY<%Rus9#FR$R$;kW0@|
zm$Lh$@ujP8*sT-u;2<e(qu;#w!{irMU9#=)j0HvbG38!3^iI_0;6tP7=q$y`<hm!~
z#P*x!VV`^BKQ#yTD-G-W(a}O?%C@r#Yh3fK8>vr+j?zJ8Uj`;F+h;Eb^o(?RC|!;S
z>Yu_$i#Z-@9?3q~a}wN~RyMTDW+tI16&UlP6t=9Yg1yt~tIvmJh0nzPHk)ZxC8Mmi
z&3Y=RE_H_{Tq1bo<h!qx5jWZ0@6SP7`h%Z1PV$|SNZ{BpxLplKi5_#k1q{uD#a*e5
z5F45Y?Z?Os&}B<6sWEFa$R1i-TFBd8wS+0xwCcZg)}3~>z+|~_i=D-kBM#Q&n)+&^
zAbk7+zft|K8YhH(AkVpZyD`f%=TZwDTX$QK<-0c0Mw9M9k_G2<-3#Z+)$PIzZSFNu
zelXDeUlgzOhCc)PSF#DB_JN6Yw>pGGYvq-Z9wmPC$!mI<5cf-Fs>=y&tDBh?6mNTt
z!XRc|1f*cekOD$^<wVa6zE>Lagv5WcpgdM`Cz}%k{n(8{wie(7ho@*y8Jb^0<f^=@
z#Y9*@OyR4Lut^ijC8vo48UnM5CZEFY=BVz^omyLC+&cVjRFHY>$a+<gyOx<>yNabi
znqvajY}A}JOC6$^i<vkZ`V<gZ58+mR3{|k2AVg0_!5Yz)5x3yC^{4;i=^gpqJVz{J
zQvg8%&m-6`R8py6a$fFZ`r_NsE9~nLEb0-R{*R8nHzh;mbpdb&!lt-;T8$p73o-zm
z0UL-Wt+<Ao<6*8E(PCoK>`N4}Uoi*O`jNC3{g5>AE3b5ebm3Aac_A7FS%k2e4bf9;
z-NoL0E9jQ+iC(s^-lp(T!WWGzhDIWHrROsk!@c(sHR?PHo68rg?_5XP2*mUzd942k
z$@YBM+BCLrh<8BLB6)^27_3TncQ~k*xShM0z*Gb-Qz~+?P`tjd;mxc;$34PxLAmd5
z-zf&n=GW;3`jf({movK49N&e=`iH-gU6w)SX7_!<i((>{RHeW}hI=qkJvS}eGtPgV
z?}qh!aAG}shuj!Q+iWACp;zD~3+@Q<GUk&vfj(O?mo}<5>;sZpZ@8m;aII1?HM5=`
zS@PbFkQ-5G49ieKwf<;X*3Uo(q%0h|P<)SC_j*t(#HW7KK(cMG*s`b9kDwN)e1CG3
z8$9=f`f1N%Zws<Vv55|rSzWYwbtogh(=^j58m1Qaj*Q+ir)Qe}25L|%OEJ}e(*nTb
z=r9L_POXK<uvDaQ5xn2i!?5M!WM>cId`}f*{nd~|)6wUhjOR{^>Yl0yXneQHP$94~
z?^+QDHVbzLB)J&qsl$g=m(UFsI7f{_ZH0}1il-orq4*T_^OpI3*@lI0pzf#ua+`^D
ziwC!2)TKVBZ?DdDIq2JC<IL{G6i%&``;j(YLRsuPEDPviWPzMTg-hE~fkl|}p{Z)5
zHnAOP-Zt0%ImOErW#hLZRJvvH#~S>ZHhM#uyPHPZYDTVsF2X(6N5Ho=&hmKPyW$^i
zeOAf-My|r3GWBo<bMXUWP*lB8Pqxe<;B4bjwM1g;P50(xbf8bkWhF(burlGx6rmJx
zuo)vgpWpp)G`6v)kX{u@?O=!ZJkS1tOs+fNCD)Nq0;7n>#9oxUY2*5`PuD53GEhpY
zSa(xK5_=9a@xD(o7hX`<H-2zvyowUy#;hiIK8_+hPR&v&s~DcScrPAZ1nT}?x|E5g
zEr0FKFQ`dst(_Y6Y5CzDBf==tUw@WZ+L|dEO&JyRgw;*@nmB|5TIcy8-rg5AndV(=
zxTNz$9mYmKz!bymlFT;uL8<bNyakf1pV_g-KF>UQNG5dN-Un}d>0`)ia5UC;FHY)*
z=1r%yF>kS+EKt>%@g~UA$jO|-y6?3O>hB4$>f+5qbg4HdN;bUnp1AZ}CIrNaPU9UA
z;kC_*?8cyRuz&a5xS?v6LPRa<O&D65s_48@9$~&=N{<#*w~M1B6e|Y_z03-`tM*jC
zHf!AvuB0gE_*uM{*HCrIw~di+IFo<qQ%-kBF0u1;S`w1gfS=SY>lOZ#<JV-_9O6!M
zng~}ahBH)cmWA~{kPUl2%sJ;8tlh>8QQQi2)rpqiQrRD(j|Q)Z311lBn}?*|!XVq$
zRN6$!@J?FI2b@sIRtdGF?NjbYw2I^ZOyy@KQbH2JdZOvmBatw0i56ag<z?_A^*KOb
z7}~TyTbQ=vcH9VZmF+&&C9HhD*{oFY$T%z#t|P@(yVAB<lDobq3RU7=LaoKf=s8{o
zFOQ6g7Nz>>*J{{l^veR#T)*}9E02L@G`FW>m(wvrSe;|Z0xM-~CMaD0v=n4GfP0dx
zu3ZGVr20b`sk9^qC9XZB@{4UvYBrxa?;fn*`)MTK8t)dLU8mGhZcO^Bh{?XNB$GBA
zQ0X;rx!~M1Hr->Tydy#8b$<CUfqatREaI9}p~Obn7hPOY-LCk?1C;ECeQqUv(fSRc
zt(A4b1iHCxwT<v{M6PF>&zrhjzw16N6<&OSgGrFuaSsVFiF)qY=RalE9WW#=O505F
zucw(H3UYVtDs{N_yQWcPH6+^*a>CBKrJ7O!So}1h5GjA|ZUJVt_D7qLwJ5mJ!^24-
z0qKH(JJ;IqFLK{n82oul&Ib>6`;{PgUgfczalgURhb@`W3Y{X56l~50CF)TbTAr_e
z>+FFMXHSA2015NX?Fh1a09%24xcF-1l6+Qo;?rCG-2#EvtLP<!<Gl)kJKAtwz+d;-
z0dx|fW2ZRsvgw2Q{Q%X&`J0O6f8i&xww2=#<#3(T#&E_UVCP;IG#Oedrw--Nb)e@x
z+bV8|YjHpPhf8vPkB2RnbVji&QQ12>C4n`ymMj}*aMtf5<fs~r)lDA->gLTgSTyLD
zPr81zRD2id(pNN~0XXUbK=tS2ipmL=TD^VSuvWnykUXDjeD;l*d`aNC)6AaGZPDX^
z=JX#pr1`N9&;IU@MgYXqBRbGOR%9kQbIulD0~i~V)^Rn7+Su33XzX#HKM+I|2SLDJ
zSo|jlB7jEy%pg81AFO_Pv0)}|_PY}LWKUab<pLcehx%5%W|Y=fS)5ujFT8ml^VsG`
zK=th&B|8aoBiX>peS^zu+e_20;9JAOxfV*s@~Kjl&99M+n}?bGR9KPhb9F|C;f%=h
zCazj8@<*#*tCj#7v3k8yA`f<0^theh*Gokgtvq(=Roar6h`P3FlIJ7wFrlW~R`&g|
zb05BLrSj{1@mY~Co7ym4-?zz3_~<C3)G(9q#PGbFu)X;6C#91#Yt)!DQ>0h&QaNJ1
z`-9WOJ%{ZxBx6Wf<CBeazpOEG7lN2a4QQ-u4O+50T6Bnc!g7?1vk)AQ`@9mkDWsU@
z9FW1;P>Z`!4Sp-hxxoCQ{0dc;X%`5Wwl84nKk}SbU-bBzva7AZSblwz3dbQwg7X8H
z$Dc?NeKYGH40<S+P+@OIYaicvUrBO~?B6tcECeXD!4EfT@UsD^G|2$g$q3sT*STIf
z0!rg@FN#?usJD`tcsTM6u*g~<;2^9#+~|?GJo!?QcwW$6SD-b2Ew$wSmf~txj@isM
zyvy9lCcrT7DLWPP`4m(-?I-kj5nn>ge?puL5(^wLoRjDayWw<q)bWE?Y6S7Fb}PoX
zKj!P}IzvsIeQr{b9`Qz>;ReF!q60<!syA@R%!|PDj{>uD@)0w;<9--z+JsNsLmrk~
z`c;{z0k0>oE((P&tr<2;oCP9<tT3=@m%lP3kuihoKKhtU4zr*OVE_FGF$4Pnu)K(e
zmtz@KJP-E>Xd3;N@?Z%#zb`qww$S#w@rY)jLp#|f&hXzG$^(LS5^VYJdykp}1uGWW
z*`VJ96xd&{!$Ehz#sIiM!po-)XK~=l0#N1i6Rv1vGygx2R#NG=DOLyaC=*=Uar!=_
z-Q+G+7X&avE}9z_?spB6fYg0**%>Plx^B)4Zg^_xHuVQIS1tlvjlUZJ_&i8Z)PW>;
zRP-l4H>@Gd_#Wh!kh-;~#vxB5B*c0V{$S#?Ic<zj=^N6<Q2xN$almDDcsQkI_e^gA
zdL~53H3#tuN^V<2WP-!Xrwz!}N;d6R@Gvp{&aM$1{6#UPESOTz%(NK>L9?0~6T5rN
zyS7S(<sS<;xK$~L%u%DWiq27=pH@?iogfAG0>HHMkMalM0&5-q%yN5|=bxRZ6RL&@
z!ZK#Wq+Hb4#~jt~e+%~v!p`9)E{)BozkW*|mU>iD64%rmudMHW3lqJ!xA7S@w2+FN
zD=kC-NkR?YDKI@ExfI6CL_aiNJ6&)zEuj15T<PU6&n`?ZPc+RS$;W2ghmFk4-<fH)
zj(L8;2hB($`^&!Mh#LJ?RJz|mMxT~pMaX|{%%3%`h!5l1xKn-VD}GdP{GqAu2VI@U
z15UMX-O6Qu5nQcXmB*AjupP`BNq5~W*13U@&2ySi{AKH2f*^6_6}os3P)SUFU#zM(
zkf?ro++hYMee5Xf3wrna>AlKV0)gU%;zP+dkR7xY(ZDm7L1NC6<^HGwv8sF^(yawS
z(?!K%RqEZ2b!dj|<;P17hJ<V9BA~_M^^xFL*pwOY6WD&S`70~e=JAG6?;1aT{Rrik
z>8?!b?L^ixFp<v#9L>v|Sc-OJ_c^S(BsL-(*_-t4Oy(g4&R7FQE-gu8s(pX6WLls5
zkd+U_fYy@DDNU2oD(Zw=@WMmq$lO*hj7w#LpQ_^iv=$ta1Bigj3`B^TL2UcRb-bmf
zKOq~Q3f^yTkK=S#mxNWIYOU9eW(^D5H3c=u*9F%(g=J1Xh)5!tDawyuI1@yyo0THa
zjE-9QI3@#o1-rgIi#>0MrBMo^-X-_@lt@H5-zd4KV-Y1>r!@R-@?qiHdilvUueG&s
z_iNuGTb;PcckS%|0nqg2+~&6SxFrv?$Q%dgJRsWI(C<DN<KpY(=UchYyI}Y%2r1`U
z9F8U5$~HiCW_&vr%RPG)mz_T155_1SVOeDg@$HN@WVhJt=2t5IqAfO^j}`>>Q_GvW
zM1=^=x7HOyDZhyGshO9_j;Wf<oQ7|Xm|@>9baXqM?Nqu76>GjZrijb+Gd>#^Vw-4T
zkeviw(Eu$gY8Oa+9L-gA<-Zcq2X!tjIb&x?pPog&aU8*KHo6o{9Bi2OZ&30TFHJ~|
z(sj&oF>^QwR*)ZZ#`ZnXXjPVyOo9UFv0ywGUMSx8HkMs6SR0bGplcw0l+dl-b*Aqd
zq=cYhW1l5YRSk{1k}{_>*~pJBko*naob%~M-%7w>`4FZN!p5Fs=RzK5^`^PlYjju!
zbAXVKw%fa?$dxh;|07?(^XRit;s^>sv<v9Ypac*`fNlIz(1Y#!S-bZ9Zwf<PFBrp>
z?w8^6f$rIGg$wV;{1<%d^m9@7e=IDOi7T1AeDmh6yS@X)zq)&-cT~1OEU?806Ufs&
z7Cq0zZG@g4>V1w5Uu#zVT^bfR6|D@4%6ZY0+bjOm{gGbUg2zj9I#qbcBKMhYa|yXw
z#)*|Re;DDB92Ri4Fhk`dhwI22Q}u$|6rP+}>7=@84e%=3<+c{ootkX90l>)#Z^L*S
zd1#A>Gv9XO6Vwfq>eT9!8U36&CDm%>l0}A<=+>f)*yxzdU7B=@vmBG9*E88Wx4ZC*
zbNRGzsXBm{&*f7++)9~=bPiX<S)I0N^Pi<b;{{BvM14=pq1P#7l@4l$$`{Ee#wFPs
zID4lA=fu1;jci!p44+Bv#h0H|i3sj$^ZMY18Qjv3ED)C3Y64%*fZwTDyf=i4N#NAo
znN0}r>`rqDYds?7P`OV^I^A^_zmSowfx<qK&DN0o=Y9%%0_u$qW^CbEyG1PXQqCPE
zRy+<8i<nw5>R8g^c9X!3KfBUJh`UG_^zK_0tWp3X#?Bf}nZ{r29k3RNo=W+!_dRs*
zK|U>&01!>{b#rQ;B;ynH@PX^r?d|2AtEQzYZ}2MuFY4Z{2Z*2YIO#J4R$4mOM{|?Q
zUVX$$?LBPc=Alb+KUNYV?tO9HsKr6YW(oOmG_KJvLPW#m1O?WmeiGFBW>QgdUiaAk
ziOjdLEu)4@4%opc-DcjtZ2W4Kk)FD^CuX+8-!TNpy$Z5i3K}w~udvIhem`;xA3352
zKOyNUqW)&8?+(rDV_IU%$%YwAM&9?!;$=E8CPQmp=1zQ3gqU}+kGgEYacj|#uh?c@
z7@3^1umP^f59mJK0gzZ;4AHmM1)k{sI8vRkR(AsLZH@`_1K`BPKLC5Hsko(N;xDpP
z#(BiZG>WD!{yM7+q!Xcig_xBrkv9jbDzS<&MfcbL<}%e~8oi;iC7-%7BdSTKmQM1j
zV<&nik_6XsRPxWL*5ji*`X5bd2&^SAT+4>(nJ^7I;}$Pvf<#-VX;F~Qy6EQ#;!H>+
z0dyYrCPn?hf<&wcoqqtfYeENY-cv&gWDW`@8G16~L5gYh^#@@0n;z9Y5+gf(67Msh
zo3Qs#R`OeF2noRpTof;n&cgJK)RuPoEstDN@^Uaq_=SO^;_1}xN3#n+)Ep4s>nJU0
z{`rV=-Gnm&c8U*%&%E%uPhxzi4!pj)nX+&`%7XrKJ|SS{v~P<#G^~NDC5mmO=MTF*
zI@|(qZhy#R-$M2#LX99tHGG*tUeng&XTSL|OOZ5jCED0-ZOHDjJ;??2o{o!KOZZH{
z9p?&R1OrIPai?&3M`qKhw(i=Vm~WHN8)azi2Q7UF6Okr%;IzwQrdD^=reS8E+Q`O6
zE3aM)J0;N{G2eOSb?D*3zr(Ia?bU+{;(rq;^SBu%QWmU#%@?+2{QJeppB3od`hPv=
zA0klsUv9B~&~^TJmH(cfBtVs&`%SlvoFp%vl(i`RQtCl%IS#)OcoqJvY`h$N)V)Rj
z*#Et-=r0I5vN?R%6v_>L_F3I3rB5tRbyu3zC)8%D4Q&LahJa{?Poz5ix8a=3{;?Rj
z+4ZF5B@e63+hnJ`TaROkmrxY0lF73gP&gUJQ4_|h1a$xhUr=Wn)X$djW@yuqmt(Y#
zks~=_zWM^N_0GD`pL*eN?hJj`P)%FIuJytt4d8@cNm#w0-wB+tT&T?l4*m>5q(Hwx
z1jMY;#D5p{oY^g+vh#j{N%4~?8yDb=a#*<YzW^@(LNi$!&iFsUEfI1<BA+Ha+7dpF
zLT%2<l~qxAhLWJRHUYljJB&2>p<Jvw^Yena#yS;O$hx9G;LNf80TsXN!19~-0z`U=
zua#FJwytazgF#a3+#9#0*a*p9@kp64(1zRiF{(vMSMHbhX_Euk)16u9p?byFAz~P;
z=?sh97Nk!+nuYiXPCZuAmt%v`>rROvPENYJmTBR?JM?+%iA#%0yg-dZr~2((?^2VX
z7uR(mV6lh-ncIm-v4Ac=P370Bhd*!Lz2O(5Gp6C}O6uixkbyM5afIYBlzh#-pvS5S
zlQ4kk&rr?TT9Q1<^rsZ;AN4vqhVL57whB?1?sd>zq`JMuyLj@)jApNXbi4osV6EZc
zrZBnd(9wWzn4k?hmNx1`-mH{$@+tX6cqTyG+n13Lant6QkAL!YkQu^5MFs)1oTX3A
zD}U`)qdL*L8rII)lWyo8yc7SE)F(dw%ms9_09u{65_YyF@O9BVpzB~E?D1}jn$f!T
zK@1q97C7~_J_~$L-SNT^j3<plEsC{x7XPsRJZ-~Q43K=vq2SlBL5cl$k!Q=_67UDY
zc;Y-X-b?G%-Wpp~DN_lw>|8Z4E2KV<wGo<O8@lP|;9H-ro>uMiwoJNEo00!%VrGh^
z=-eB3!ijuUkVe@;f`22n*qm`V7<o4~KC7g^+>d@zvJ<45k|XM;XCHv=%tc@PBHni?
zu$zqUWoFET5K2wzy<Bd^yOrW~dvejgi>TVjqKM_#dj~(sg7gY%6-xzH)b*|e2o>kL
z*H+x<Yt+>C$U>(SE{7)ZtP0EA*3Rz|-Ah^7*ziB|_~sIC;Nho%BW9|pIpy}EgfK&;
zmOVT0Aqg)`*-`5_-`9Uw1f;ix2jUUZghTf5iG}TBC5H-%0nTZ2^g(aqXw9gqy%grx
z7;-yyIwMWb6YnTB33OVZODY6~9et473bI(wIM@t<mp0I^M~(xTo~s;Cy!&4T8K?ed
zfeeey8Xe-r?HeiV5zLp0R_dt|LK(^K<&C@Er6tBf7Yp$p>Iz`&j9Ag}@B!l%tzvr)
zo(9~AVT_QCA?${J!eR)ViO6x**51uA=ijX6{YBdK>SYqoL2QJmi1cY+w@Ua2O_2b7
z^`%-q4W84?qn~%z+k({f#%bp-+pH(Y3nFUTHmA+A^rNm6YN>d0q6)w?Lz$bd_-_!e
zJsNEi`XD7S+UD+R_PWs8m|B&M79LHxr@jWQt-<{69@rGMk|=Bz@u7GB)Vp`84&{@r
zii9w2kLc{rykVX65F+&w@ngDDjZwcMC~`F2ZKGOOS$V?I!7`C8{o>qaG-^GkFhSzB
zg<Q}6Rz%E&mHa1845u3rl@j|W`<h)u@~G?kCu-<>llVxl`x$jzHfH>vNt80*HhRT@
z#uH-#@pWqV;@2hC3hWL#2~4Wv4d~oo2FT`b?&hq9PNtO@1117&Yy29ZL!=H7J`6E-
zyBTkM@7&lghU)u3>xza28jp)$YPkl)HF)oU))Ze~iAtRr+8JlSDZ;O_W1&O4?Uv#(
zxJt8K$yz+7LCSr&KPUkv_gmXX(_mt+hvUK8hvk-KqUA1*SSAo7o`u7D7=Bm9|3uDt
zqF`OoBtXSL#6ahxJFDMbLVCZi6C&RYDI6Cb!+3z7g+Wki<IR;eGvlAK3hUk`r2d!!
z1VGAW3E3wGZENU}>qfsGzm<8hrma71RQ#!vbYw<?(?z*iU%i3W*mDhP7=~Yh!J1a{
zn;DNew<jg^UlsRXDH-UP6#9k_4(_WVxsOu5BlSu#qbx&onQqIXu56%&5FWmH9nWNj
z36+L@?&BpA4GT-W10I~q5h0X5l7)nencbLOH&2koQq_Urdy^w(^<->hH}3X3ht;Hd
zI7Zri;6RUK^okUXYuSzW2DUv$O|bpSt6%V)co$4nqu1JwR=s{*kN!#&bX0AiJOAzO
zPxFs5-tHzyYtiENgy3>M_Ij$;{)(&Jul?kVhzHN<V?72#-J9hq$AR2qO^w6#v;mMU
z6I=XlK+I(K8}J>qORSMYo2fb=?Sg@*J}+B+rHhH+_2uff@BFgn@;%+oL#AX-M_r+>
zsb8PGI!_dH95pL!9~-<qcZh)~kRXpv#$hKexq~!jy_Yi*I%CPB1f5#NS9D=z|G~?-
zm~6kR;G_%9XubaUO9vZ`wG|R;(?&Zt%c1dcf`zvsa}P5TeANM#JcH4_zsJPU0XgLG
z!mw3_J&vG%v~W7q(^Y<tFsZ4!Qs{nJq(7OJpx_sgc55tS_Pe(-GJPYPxG+=Pds-YN
z2eOE{4@NA!14kTP-rb$$mqC=F1&Goj2C9`(CqoMfS=7T~t=qq<@=EmUZqa6r02ZZ{
zDG2n0lz2LK>P&_{-ZerTXSlBoDIylA+anZq)UV>mm#H;k{`yE7wyI_hAgJfH|M-so
zg<^yyPhTR-fPVX*20TDeUSf;KvqMq$>y=BtYYyELFPl6wpt{zjyXY4H<A2fmP-Qcz
z==T;a?zECct{17v0$Zao#4rA1QRNw8Cmw}Cq-70`rPqQ+w7E%>ui`(29VjTiq_C%C
zd+yh92Yq0id!8NzY9Nu$H5S?C=!6i6W4isj!i`1MhpuuQKcKow+qxzrx;+FBHBA%0
z+)|Z*Cj>m4w+?}Aky7ywEQ0g{7kXP|N7!Q!V~J4eu=q6BL!gNGB`-?8<UcNd<Y9fm
zXO{QpeK6yNl)gR`u~Y@>xEuOs^`jsxFDJiy71gk0S~poI<FwvN7!M5qoF5_|N93C{
z?q=ZL^eNU{E4Qp4K1MWhL(~e+Ckm#T?imnIVSb6ixP9Z|TV9>rPBT1vAoXp47l4pL
zof?qtfFi~*APQZE1l0M)8qc<9pK+e$ft?yz???VJ7yGkDw_D>c)$3=aUDeXxjg5cm
zMgPq|amDr*yV<Y}3le9ei#?~lPq!pqe7bpdNrL_R{BydRZM`Zy=o|LL!lsUQ;%Co#
zke^$RkcXoj*J{s2=InTR%;R@2oEl+NugCHWsmZNf8<&^;A%^oO321<=%6?{xfP+Y_
zYZZYCkRiiFXVBQA$x`%U8bcydcj1uTy*@x>x%u}ZCjdQIVUDT%-m?54$l2%X<gSF^
z2J8|(G8K=TI;g>~@ETv3>Sj|Ivu6W;OTK-uy?XZJg3Scq;+RJqARwP4c%0U2D7R1X
zyLx&$?j0Tzku~gMpS)`cJYfSET4FNTX`3b*v(l3D?<R91MF6i-Rno#4C>%siz6aQf
zqI{o-Y<pQmqg%eymuxx`O6NZO;kEihP5e()8Bk1ImXo6kkN29f{F^v{Cmz%$HXy{5
z*t_{IGON;h5ru%Wq-MMpFw)DItn?#mF$Wy|)CE@Xlhb}P<7Hno3gEvNyz_1ju`O~L
zf;C9mlyiUhuc<MAtqH_~kZ0oc!$9Ny8Jt%p=r=a{CDe3^dZ{Tj3`<^~#w&~6RUDi<
zKDOx1nC>ia85hpN3&69zFgCQWl0)I05{7t#=>EB`e3+yo;8*kTP%XAdMcgl#Q{CPC
zqpszRM{_}2c~BraG1{-+W<~<~Ew%Smc1u>I#!PvNNR#N}+t~aM<u^Vqi7OYQ=C}%8
zfhKec@m>BR>ba$m=n<qxGLWBlB$#Y7UmOgqn7OlesWf~EG2>>Erzz^?RB)O}S81<S
zRtvk~W)c9HLZbTiZ=P|%9<rHv^bHF1g#F(E7+PSLqUoMlFTYCC<c|TD2l-wteQh}}
z7R=hPF$qF1CC5vPO3LF=+}1F`Pgcvl3z*93cP`ka=@Tyg?bCh{f6#Ukp#~gkX&2}e
z*p!lMVFs;vfELT#lz&8o-tw{<H^!eAFJv5h0011R%$({sU>`L{6O7{?N@o%4QCsEr
zx{EcJX2TvLR~Yh|H#I$S@kX^7rVjn$c7piUtX^@4rd83ldk1YQa2&_cqF?*qNxQz5
zCXbIQiYA4D8Wtq7u9?UCW}&G)Y)g6TY%;~~tae1@&4V5uiZSuZE=l9>S;s(MUY%$?
z;M7X!^>V^@*@!%b^f3)Y;9i(TV+v2nyspCqy|uhEeO?jvC+xmWG{sN|;hJ3&Uo#4e
zFBb(T)lJz$_EL;<i+%2!sixaIdmZX9Noq5!w6r;uC1uip1`F`67CgG~08%Sg&zrw^
zJwEm&UvHT9n6Jfg*&TD2Zzrp>_$97(v~>BGpL871gW&(bW^A_&T7K0j2vl1zW-x0N
zSVkKHlH*be@C-R(f?B4pftqT_=A{YR*BZ^py{X_^qA4osQzP6ZV9c=pv5RU(tf1VB
zCs{(CD%tIlB~U$$Na^@J@mPawD^P#~5+y)cQ@uW)?>1LBMM*f?RIsrGc(l#~H35-7
z^JT-C%7P}ffJmxiyx$1E;AJjZTDCxgx|{~OJ;jq8Q+I$USgKkIqcAGCJSHbPgc8)Y
zEk*#(5<u2_DSJC=L_58>(36_pWO+)?^1b#IG@y$_B{EmA0{98TeEpuwAd3|t8H;gb
zuKDevdk|HY@R)~zC^2mxOZ@Y@^0$Wf9t`ATI0XKQD}+@}{*0o)BDYdOzRR@2muBP+
zM!K8hUYLXBKl{9x{g159dOuptTPf~JgA2R}Nys0F1H9N&EkPZl-%3`=f{FFTCi%9R
zR$A7<dme`I8|&o<$9E=Z)dN=RZYue@+xtc!`?DqiJ_^Jo!2PrcxS!rYr}z1%Ad<k2
zYHjO#A8pVT=Igvd>q5bl+$LWzC9DC0W4?w?T~sU-zEN=K`;{vm9ln4K%2MFz<gwd!
zg8W%j5T-RKQ1_<O<BVc7ShV)$*eX8W*}1W&qg-vn__P^Qg0yVrq>A`dYWe9<5?<Dh
zX2aJv-S=8J1aa_NQT&jSRV)2a;}a?f5S`AI%tYnX6-xaLNAOunp$721yh4^yit=hy
zq9f+ftwO!h-~7O-lfT%PMU<Scy)$>9S>GdzBQPZ?FZd)cBS@$lq?x^=nX6MGcOV5Z
zDP{=PqQ%XA+Pf2M=cpvEoRAISrgwF13>m!Q5Kw|%yvW7J^dT*O>O|mXw9&=hJ;1p#
zoCa`1{hTHnW#g=sI$7S+{OHoRR{@%GHfCp0KA4~xWB@3x6hLv=;zzhjKb_DZ%O4T>
za*86f5byEWD3JMG!UZgDCK+Q<pmAj4V4~g-RjLHQZp1S46Y+5#5%EBGE#!d2qe+;+
znyI6qo6dw|pPzM|$26Agc&%$Ht92~2RM4TtJQ*Ez<6B}(x`ImM+()H4D;Ph2|LLt)
z09+%wf1l%{B;V<Ca)0FFJ~C6OvN?iOtEofQv>7K1SS~UWKQ$Nh?RC6A;M=L_>1Q?D
zedlf~b<}g|BK3Y*Qv?gJ7S`(x*cpTC(M!B)$uySmS<MKy^wtbFd;MRt+;6XKxAm$F
zs9FErIwoc30cb~$O4_(yY}2a)tHwXfpkc;u^<TH)9i1!3IsHdUheyr}Tmaf=Jx$}0
zplSHf1Lt3yv6N3`2AgXOg+W<J4d>AARhZRTsmMF>BgV?EWQjC*Xx_p99T*XMD$WAJ
z>m0T}_e8*_o+;1z80ZnPW;3U#4^LnCT}3JQsmGD1H-T!QwK*%kp-&OwYZDGG=}<uW
zJfcilkpVrwNV6__p+AvL{_P0vo^)<T0;RZ}uH-&v(~NLmOt^39F*>;Ku0gJJ*wk5=
z0AZ5K?(QhhYxcL7)0wCl)1=ht<<u$F7v422W0}M!_*+g%LgSR@9MJWJlji~yA&sd;
zuP*csZ*@?^8_?>ng!KV;Vp)mSfE@#as_Rr*V*0Cw-M816O!0%P@0z8Q58F5%WDyts
z*^6d=qllcd9sry((##oK(q?T;Hg@cs98iP%Ywi?6smN-11cLKrPiu1v$QjkAM7^yY
zi-Kd%1GaVB@3s4t;XQW`Dq9zv`G>-SRu$Xj2`-@qd;H--zy`#ze@+e81Z9fP)5fA@
zJcZt&K#F40Q+C;4+j93yKTJKx%UDPE^kI)B@OnQfAV=uXUpq%|l|+p}_^y*$e)$cT
ziza>@L*`n{`?(E;@x?z631q6&IoS^yy0zYh6!F3c(?2{+Cd_^4!h0+tyhQ3>wknv-
zm%(UE|6^k>4m9p%iU*e{=(o@9HE8)lex<wFga^70sA}U$eg+<4;R(Yp3LSkNyRG|A
z1G2uNOQ)QxE_6m`v+)em($%8qrqk0>=(MPYoFX;s-dQ<jmcoHr6PsVdoa(n^oqi0>
zDSZ9tUZsd0@iw1V8aF&Y;*qXqQzE9dg_(^8Z1OBwdbgtfR7**bb1?NAJvBB^wq|5a
z9m*?i$35c6;d_8ax4|z+W^YM$T0^I~_;?OmW~Z~I!;H+yrm%>rLp`LyG4IN!C$Sb@
z6;h+xM{LEDXCECd<Wz+Cxu(!VrX}8iAn-grjqrqrsu0u~&p`El%;vVij<CWUEJ(Jf
z+NgtOYH_z#YIN`d=bhx8ITKqx&NYJ~`!Re-R);8dKySk(AYStbTJqoQlOa7%)$e<H
zA`#{~Mu2^|Xe6JZ^p*F5MCcr+D(PRD=N<;EXiL4m^dGwCfE)TWv;qRUZe=jZ?$(A8
z|5EVfSM9B)JjbT9)LsE)yak8(c6MEn|6H%(J)+|~vABT3Ed_(Lc`Z(?jXt*JS5cA5
zgvNiFs0J)+&zb|@o(vrT8npZ=;WRxw8@t)Ak6W9TgEPN(QU*7kccO{Zb)SYQ#3OL2
zu`EX&HTAU)KK>{SDs8?<u;Vuol6fO&Xykiy=^ggNWi}xDI~yvMr}JrbCjs#5Pct9j
zyaQa$uYsn2|4mI1{*7l2XvEZid))2`WJ=OKCV?V>Xj!+JpH*INfg%YWufglb<YYx`
zA^{&7EC7_8n6UP%o98Fp9%?!Gm&qLXSN;F%RX2Y?L>2h|`|4-@u$BMU<()D@a6?D=
z;)gZaWnJ;<yeUX*ccmb#Q~Xm-amVS?;_3ymU)qt`v=Tzt#;@JWzS1;Eb0@v4!RLN}
z1MacImAN=jgYys(^IV@C?NYEb5r8NR1pj49W8N9*qlY*;LZb2s|Hk(ISE<W(mZ3(<
z6zbjPKbgl;ZzPk;ENn#wb1f@MS0l`ARJ+@$_<~%QgJR6__<S|n>BBtF%LdfCsG)~?
zX=rCzP?3zMR8FCWWQrfFTh$}C<Vc)yv`Y@(`KSO#jqwmwqq66nex3PtiGrRsZ}uuQ
z$rZlzY4~k$Z2wwT1t1utBs8qH-Ej%2GhW+$e$!!|lg-Edn1<q>2N8TM(8nxe6tMOh
zEj&t(-{t0X?Zb&n`ZF(IaXZuE-~uE-oN}g#W`ecjK=gV@mMd-$VzJp03-A6gC#$Sw
zgCW#|2}z$791f1_Ef`K&q3ywT_v%l(*~13d`-RM?<%b5;)`?tmJ`GPa(Vzd_K)qD4
zvMBR*!W`b4>y^G-EyNOKc{0BTJwu8$`gV7P>{45qN=YvS+o|<W<=tlFA23G_O^axO
zZa^0f@6DGvV%biq-lxsgTq1r;Ank63TR?(^D2(6`kbbVu<5G-5IAbfLIIXLisvYox
z!>+cz8SOCbS!Q^$g_WI}pDEeA=UqW>%YcMY)O>z`U{(0m+-dGSSnl`y#dL^hn@Oa)
z<QEN+1EoOhPL$IznBy42X|sb-iL{UzFICQHRvD=N=txm~8<C(8BZsmio!@^uW^Y>W
zsPF)fzj)d^jf3XMlF>oH_nGpxq*Kwr%uh?7D<I-k_FGeQWDuIg##Hdvq%*l-kF|-5
zISFkhmcK<JYtM+-?cT5nh=sKxBGCWroByxXpNMw-PpLoIZriKwH#;i%x8;F#)SfxW
z!n-*POs)Ylz}9$Y{_E!-%{f)w`5I?6av4+lwd2R^W^@0bO6+`hIy6<qkQ@$C5`hMQ
z;lP&gKiq;9lRKzPWA@5w7d=`T$vQqnlaZyZ(r&k@6%+E+{SR7f?+nfu0NIFC5Z0GL
z*54eNK8M?e5(Zb`fz~^nx4JO(r3w<EZNO*&%H99JMGnD2t7Wze>68Dk&sHFV4PQ^{
z^if~nYHdhb+w5#wz|~DRCzlkkwvw6aUVU{B-8jIl6F7ddr%|go<_~ue)__qhHaDNg
zQ}5aKefM{W%P{2LU%-NKN#)^x=9Th-yg;xGoF3;FmwZI2M)zw%$`S*m?G!)eGi40j
z{#SeN9oN*_t_klgDk?%$HXz*!3J9XoA%KWjD6*wPKnRF*LJts7Q6f?m=}meE={<-*
zLhlfICjmkz2{jOyrJn76=RMz<IWym!Z_dnzf8-}&k*ue#`?>Dxx^9&@pm=F~*#|3b
zE3S_|cx7@l;}*{u9|ui!W%IR6Hxbzt3?K%z`CdMTkCzKn36!&tDU~l}iW%-N8=mbW
zKa$<)s<zP9S11*+8_I@1VW`QC?LNMh4mMXdoXPBS;{)W3?M#c{?3G=~yiz|5wpAW$
z7G2-9o1p;p_55wq(lBe~6ore{9lG^JB|{>SNLZA(hauN~hvQuxFVgV{!Rz(4?I_+8
zdWcR?HEe9ZV+B66h?L#*$i~(jO!bouSHC$=xYkgdv&CdcnCytX)!;Zb!l>&6A)(?d
z!i*|Q3)mmd{@{RIc7)&Hkp_%42{G(%kFTttlaOBhtb9*2Mye}iGQ7$F;*Y)hKe4j*
zP@n71QzbJNo;>v4dYM@;-{iV+`)DauPMl?lg7_15xwkr1A1c2*vt9qDC*SdCdjcU^
zXmvZxD#F8Xv~0Q|ZT12;xC6!>y`?egI8aY~-I+~UkJXgGj#c~0X+y`3-<or53*X(O
zJ-)gjhvsGcM7t_;)Daq=G(!71)*_HUW;+5jvHQ*OJ%cy-Gwu&oi8@}Jq1C}J_2nu6
zaArB4Wi%NL9*Eiwd%9XPS!tU*%<L@NC*f{r*}>GRW4NjfoHlX+UCl@c6*8PwI|6;F
zGWW)6;2W`g)TSxj^c#K>T8D)T7ETG%@7&jxoUdwwVx?21@Z*&y!FHWU6H>()<ODgq
zN%zFm9hSUjq&*e{b`g0no($9o=<`sc7?OPK3~T0G6ZE{VA^}GPqqXn@+YMi%gI$8~
zqT{uI?*fVR_vinh<3g;12C#qJx%PRL4}J_WMIF;&k{bn!y;wbeRJ20Z9VmUR8x5GE
zD}E>6{M)A!>Cf{QpJ`7rPE>6cJ$5_TR?s{#B~gxamj{vxqI2JvfSt+N&Vc2<;d%>J
z8hcQU&o|u5;?}8Iy_zqby8C*CGVWaWMtEEZ@bqLk4Tv8;dQZ}T#!|)ZFdK0!&qs7H
zs(G%Zyqk7!I1VVRzW7mp@Duti(67oMMw;%1vVhSQ;Kn9+1yEG~KXS|L)oM;Oo}2%-
z$z|W~(U4R&UPze&{8I@gCx|Sb*vDG3tEk$t%7e1nYTyM`4Ok8e#`PQ|0$K2li92gx
zbvho(`=C>&_+G3o&b(o{>9&!C>C)M{7?(GB$)lQ&YfJ2?=r(u2`uX}-Z6i(H1RMdX
zQ2yZG&>RJuoCI`AKqP$kL=_&ObiBOOOoL4@cuL3PO}JcJ<lY!8<CdkC@$54V7p?a}
zvEQi^UMDnQiOlQ(wY(NRaOvHXvklJk1k|Z35DI)lM`PQ5q*y}Qk_$>?yWIuY%a^|c
zzW7(#Cx2GD{s|ySn%FG_oC;x%R58^){F7^|YLUQ;$?uJC6O(A6*Q6h4+0X|%%U}~#
zWF1cN^2PVPZq^W{(FaB$tLCq1@$)l-BItIMj3%~Mx#KCx`GE7Mm-{wSc7M0%VBSjG
z01&4<=~`9uIKjm3i~cj@GxvlhvS5$?!*E&aYd@22Hw66y;u*nH!1(<|$TKK^eX@E<
z#m?v;XVtY9N2}d=(7}=~NFAlsw%cDy$T{$Bwwj>w6Tn_t+wBQ(6Y67$IC{YD{XGAR
zcR&%(;svGgz{XN<V*28Rtt2|YwN;~5;n>GvTy*|M6KWVpX!t+)N0C(Fvv2v+)i_9P
zv0z9J-K9>CSIvfBmcO4Q)6r~@x;J28wa{zGt*V7w*v*}w5I3^DZ`ET+*8>v^04_bn
zt$&+M?M7s|%vTl)aQg1Tg<WDOeJ2LgxE2JwX8&$f+w0~s_(E{C%?3_sA9zaF?)Fhu
zqQC0z?;p5s;3oD$&AnO8f7FEdCkfZ3?Z()M>Z#mp?dpwmEg{dLt@J17?hZx*2iJ~Z
zb}`!=@2t{L&T|oh5WTSqNAnK}SHUR>O%Mk|<Y@_fZ`k+qC9fbMHdO)K<ll;pgaY;m
zo#S=py!e`X9C6l9Hzo2F-oOb@QL}Z9d0T<A8(e9l4-K)V5v979n{|qo!9|Bjw!<Xb
ze~u*EKPDs3(dJlT^KwBZUrQJ?z0NC4fHEa-lCl(7K_l*G<o@HeMM9A`wf>LL7X73<
z14{K*E#0sDd^l+Da;AvO!Q6W4&pL2YzHZ35IAyHUKwKZJ3(wo@B&#{d#=3K8iXIcC
ze%7gD*aXDWe0hMxViY<vY}1=BaXZ{<YX-<(nO65~a{SEHq!0L5ML2JAbPkD<zk#f-
zLjpAoEIm5r)IfzjOkkm4Mo%FpM<+xc!GjLh)|x3S?z~_1&2btF2=@uLOM~tgMtIB%
z71SeY9vN0Y@DCaQY!0}j))uII46W%V359_SmGi<{l}-5u6@|8~Tn_6ZX#8h!PqmZl
zGS8LZis>!CRY7-w{c1re$dLFWbCZYQpele?XS;2#mjz@J)Mo~dd-hd#ZGsabW>L%g
z@#=zpLu(cEbvjF@iN*`CTs3b#9$E=#l?dGrHP+7_`$=l@1av4kq~t5E`H*y)7zU^P
zms9(m0lP5HDdEKW62h(c`VtdTJvVAjiJ}^qi~iHbXT7_dL&T7bkJfHXl6WvMbgXf4
zM}ETbg3(V?h-exmSYJ7HDlI0)K~yBa!z-+r*{dmkPfNceBquMz+6SN5%1Rk*D5aF9
zq9@PLkcqf5`a!a%kHhrN@11};Wtjpc6x?_}G(mt!&+m*Mo%^u%z8wnWX!b&Ohj06q
zo^p&=$bcUmwuR;?7if9hCHIa3LBC2ZzWs*@#0s`&h4QjI3qkQ6P#|9Y!L8H&LyR*2
zpmrqLT%ItALX+l&ov1Cw?XD+`Z~tPK?|ud802(sD{UNaxaDP}dR{zW|)dM{ZEs)oD
z2wX!+ARja$g*ZvL$pUAGA<Yq}dPmp7Iv^<nOdn>dT15&oC9vi2R2A=jPLmhQPhr80
zqD&Z#j?y?57wPn6^R{r)I21)%HNztj*S1lyS>7-T_ha)(9<{Y}JdIP3ud|sp0%qL;
zKkpbAM$If4<1ydnVL@>P)N^~KDtLM-o`y6I5sw*7Tpuy0lKC1w5U34Nh@eFW<zC(N
z6jWuYb&M~q8qEL{PQgonP-O09HFND}vR__)-MPN=NJ=ala`Q?7Uxf1kC^xV-m+^0U
z9MVA)19ZgCVhaG#<|pe?gKDo-1(e*n#aZn1a=o5?TOo?!y=4`58KKEg=8Wn^BQG7N
zJ9Z^9;ex8Ti-^YAwHN#GO3fV2V`V-no~@$pWA(F7WC4>90o%L<ZH6nZUG=uS2`##T
z76SV%8U{}#@?pt%o7rJZG;(%QqPH5?P;;{3vw`Lxy}F)!hV7lZ1(|T;n2j#O$QC~g
zV7nCuU|E14P@2m|uBgODb&neOj@@woK!{Dd{-!0@Cj~ox^Wr*cW+!VX){Rdjz6Bs^
zJHD;#T--$kW!p@zZ8-eV+vVOSPv!!6Zu#&!%;5QT#6+T)3uxp`G~+NTFJ8f^9LVG7
zlecsfPQ?5u4E5a-?YrqiZ=D~Frp#zJ=A!oe&HJ?smXaDh6Ee>%1tduj>giWDvS&Ju
zRW<0%+)sl8*{Ro~m^I|dR3rR}Xj!a?(c~IGR&cAj+^*42rCA>A89O6-XC<>7pMxAZ
zmY}_{Ad&5mR|Thkm4~jRH*LX3-q?b0J9)~4tTi8<``r^%HyW8fzxn$$bG?}sp8dJ{
zE!1jkQvHN<hJ@mM)zydkqSB&EH*G^V27RN;7Fo*Ef}MH1=Kk;$D$g6qC{-K-IS0i@
zL_0R#3TN5tk9=eDJsTuy>J989E1Tz^J(ZY>F0q#qbY&-9k6M+`h$|RnxOf0|X(|J<
z)DiHd=yWIisJ>X8BW~x3GMHt0)gwOmSn%yP_M*SmjPYMy2md$w8~keRPa4^O(<NbQ
zuN*dmrlea+4PAsS^rQkM+FY4;bf*<4exq0M&P^eXUPq#+_s4glmL$y=LO`VHLSfvX
z;i;t}*VUnBxX@W8-jPp;4#FAZaRu3g+<y*NeZ3gG5>`BROt?_#l4A^L`gUjRq#8ki
zBW9evqowq_VaeaDH#{x!D@D%!UF_WNG-Jyz+kd)mfjAXF2R*Fr*GvRJHVQN7?|d{+
z>a(PpWaN;_1g3>|5`({EreE;T5U(8j5#B9F4pHtCQ3CC<Y1d73fq$RoY{3ZH@C!ZN
zRolsRAJkMGRchDg)Slz2^)&9>`V^c%Gt+s?mVH&Jx*_nOQm{$Hd|_u>c=Lzy{a1Kn
z?`3~t-Df8;iDs$K=bewO%rhF=NuVf=f2U*bp4AdifNB`o{om(<HTa|tycMOqXOh{{
zgc%*t=TbXHO{{Pqm)sGwQ6qxXi5U>`g(2cdnHs72JSkTc<!RRx-YM@G{oXsEpnB<)
z5x=L0S4bdnO8757E5LyJyK%;UmkZ{!(Cb#_A5cHipRJ8WeXtUsm7?r@8Q2I+q)G6+
zt%X$PyescerjMb-evxNKw71Vqy1Zpb?Jvb2y`#o0W!@ozy-Pk$%5}brg9YazJ#Qi{
zwF@QlB{y@(uWbb!FFfCA3?~Ujp*=<?y-Ha6w75Rq9^%p?*sPW>g5`XT+7Y&SxIZ2B
zs55G}RyXpj=o<*P(4bt5ZryQMUrB%TWarF1(8T;T!A4!8%FuH#FdXUCJ0bzO?6<t_
znf{j;fBoH2{~V_#C?qf#{eK#%{_jx1TeS<@tJK!!N4!4IRQr{-pos+)#yH&Kk6z0X
zH=7Z7=4}n?#ltgTM1H{8<Ib-w1PC%Tf*6!JX2s7eUTFONeSIibPza%mHjlP2Ss|5s
zzEUA6SRPr=hWNNU)i;w-c>T))ZR07IFX=8DnlMB{@+=oS);7kgJ*vQ<iW>-)F3*IO
z;$Qr*n35^sGN{Ta!n<{pMzMJ5JYKNOnf`OcQPA5xBrI<g4v(GmNQ_A)I6@}$Z<-sb
z2G(VgCzt>=!*SqaT%ni&njuk%P|o+2OPZu<MLnnD=fQx0-A`>r8>Rzh+WlnX)TJ0)
z(4*)z*AnKezZsI8FASz_obq_|c|};Ng<n$h_#o#9FA#^xI;>m%u$*!x&dhVWzvK=6
zA6Az95;Y#CKYm&k{-n_Y9KV-y_AjPaQ~vKFR6!l3`9;u)VA`maW5kChnu3J=1jaJb
z465LlfV}FTldwRTF5eGwEv~BPyU;8DnD&8e^()y=-}A1!u&SV?ewwL2NOMR<C9>8C
zbYa?*t4CXzD;T!||J3$j6d^U(P-dNsl~HE+KUIzKmk#**8BUd!mqBC0UWprNkoa$A
z4$fHxvPa==jIq%<aAUZ6K6%Amez9+W^?ZfNH>esVPotQ4MX%ECtipmux~c&e#Ud_S
z7C=szj?ZbSSjLGQtz;vJhFnj8mX5k2y4L=)Ck}oE8aF`<PF_!BOxGu;Xa_QpABt|`
zrwE3L9)q8QY5$Npx^&8O;8Jfv-M=Os{mb+1COuO3AfieEDei}*W94Xw;Iqxx{_}uo
z%`k0*=8uHU0->OaXLrX3c>x`_y;!AoI#Ba=@Mry`L(RgWX5mn?@V`~F@M{|Y;`x6L
zQxD<Pf5WQj5KcXWQxD<PLpb#iPCbNE|0C>Te_<hqaOxqP`Y+PjLpb#p?)=Yj>LHwZ
z2&W#xssAoR&wn4A9I$yhgi{aU)c?xd<`7Q(Z}PBz;V6f2>UTykhtRJMIkbQ|w1D~l
zjRnlFS$_zp{`;Np58>29IQ0-tJ%m#a;nYJo^$<=yWTzgoQxDmx|KT;74%w-P?9~6)
z^^p$Y)E{<#hwRk<VXyE*IQ0-t{Z*v(7i#p&py98Q%K!S3Lpb#iPCbNE55@lfb|KM2
zIQ0-tJ%m#a;nYJo^$<=ygi{aU)I&J+5KcXWQxC=d|M|<!AHu1JaO(eD>BU1h^$<?|
z*I4Pl15Q1><hzO6|C+9=!R~Z(Q@i`IsLhgo40y9Z3w4wP!*|5>r#_C*i(BRJrlfmU
zQU=OUB{*~-du|6@PM~3+8Fy1uh<Mg?VjC@{wSrjjP;2gFG|?P=O6Fb8_u9xN>^PBx
z-9Q6dCpNzq?NF<=D{UT1<LChs2BZKB3fl+YU6YwVSJf@k$ToB$Zt9=f0Ru+Gy4-wS
z=CLIB3(%C~GtlVcV~oP0LYt>Royc-6N1XQn(i^?TwSWukyh<|c_ArfDp-Kc0kr3GU
z?$Q&7+M}}}yV=Vn3XVzM2?us`7mor}$^Vi>Sav6sx;BFmamS`5AJ?V4=EPMj_$<L4
zxIiDFDbEUHUi)#yBOMB}kpu;|7rbf>Uskr};48QH#_19`E_vY+r3)h}r;AB}w%<1`
z@`b-YSX_A^>8-2=#fP3c#>*43V6>g3JaZMVN4v2Y0}F@<@;v8{#?neP9_=p+&ZeCc
z9(k`ooz77NE!j{mNcob|%B6W79kejJ(I<vh!K)?5b0Lt{y!_?2l|0Zhbd)EEdV>)K
z@{wsy_YmjWVRO;~Os-_c>i4`(5mBJZx=SIxa!}-8xYMnyW`Qg0pmM*1BkmCd#Jy7C
z<U3%deR{4B+e&`8C+!pps`0M$49*ohO)M&iH7?4NCz5NPth{A#e4ev)HWYVM5R->?
zBH4NdI-e?|7ct*naUfpvwauBv_nQIOB<PpAarZOVEsI^_anPFN6~b>VBJKeZV3)mT
z9#qOkm34E_?tP>Jirb|Ey%Hj{v|Sfly30H!Uoo5q%eL$F@m9hg<OIxxZ1z>B<gY2*
zL@nOj#I?up5-nqd!D<7|bc%xc<j5m36F$|H;kJ^%ju5r!B`(u!q2Xv(^G;$PNB1UD
zH#fp*9$)D%PiEAN(C*ygK$9+dg5#>8ONbRjn-OBy^o6Q(%{yJI{79?1Hhg1A@XC3T
zO!#dI0kv9^O_Bt?s$TxENXH5-5gkq*_U<oTmjT7x<Tc-p@5zMuVBRNCxPbahh>*XM
zIb*bvrVbaFy;l2;he6RCcY#txw&^QKEet4^L<I`|jcE$}zNIi?<BFWQIPtxyXhX!i
zOv#u@IOi^QT%}HxDqhoRXK6U!5yiOa36aXOF{By?tQE?0dtLQWArTypZk6~E3*f@2
z<=-jj%_!VF;ytk?jGus7?1aiqY#~S1gy(nn5<60H-tR9Og;lsi`?e##RM2lX%EH`a
zh251=yp@p%!!g5!`AuD=_NaU@(RYegDz&CJKTTLNzJqdaeG00Oh@n|?=MbSC8&x=A
z%>B!UYD-?`%VJ2TkC}{<Ru|dCKLm`l<T?T286l}~=S%L<Sv%1_V?b?mEtA-+T%Y8X
zN_lAFbNV>!XhfwW?vjD3&F&&Bobw@Nc@tCynI%V}x6w;%CFq&07lF+r7%p6^Vhw7i
ztCZ>5*pdD{rU~Akel&6ys6wf>eur7wx6)9-$)mjESZ#|Rf&SI_C_)#ZA}^q@;<3s>
zDM#F#)u(dZei7_C;|b}ym{9#_yqkDEvL$MTDG!1!31;LXgcvzh78I^{NlDGa1!7(X
zN=U@KcFs5eWv)aGGXO*Q;qM_FQwZe_sX`t_(#&`He6p?@1?4WsfMq`^$Ygj3Kt=&?
zO4>Qgn1T)Cq($p`op@1WzO+oZbH)7pbgGJ1!NaQ7sHI-~fu#yNByj8#TiM7+!{(r*
z6FJe&I>92|^U-2&!v1<QzgMJ`)zrS_#HfrG9^@<-gVQP49+ku`o}9x#v)Ak_9UuCV
z?l3*&-GUqEFDC@4+NpMUa!|RH#^^Zb8D+_ly|P#G*RbMZ#<m^kueI;>7JK!a-+s;l
z%3M|P{Jr5gJ;6@t)2eWy`Zwz<6b`z6FCGReO?rO~G4R@(RH^0e^E-(^ci%5-sku=}
zgD4r}9IZf4lp+ZoLAa`gDTqWbMI#N@$PX^zQ3%OjOvbUqvB_fjE|i1X%kt_C7TKne
zKL*Z~d~S^EH}rP33@Ca9FfJUJfv4W!uBOCa<t-tWA~VR^31|~gm8}N@bmz?A$ZVok
z!3!!Ye#Jw+YO`I@3cSAmp;NF7>X=8EYf4`sR0<lX<(fxysyLw2Bi)?21K3-RITg_D
zaJ8I-da8<eH4YCk_ps^(X9C69bLoVG+eb33nC_m~z4Q+a*V*)bMOK&_l-IvNUi11g
z7qUo|e$s;SY%LvTlYOrJEIX9nmK#J0Bo-ilQ=iG-m+F$&p7CW^FO&%%39_89X^V>B
zGQ6WjiGy6|=n%3RnhW4?tymnmSDG%@xpfu1c7q#QnvT=lV(k-QA2u%}?w;Z_db)Rd
zD3>tj<alJqLBho>8;3ZJcCwlaXcT|b$-29bVsVBPb2)a6BFFXDFJ{ALibjfpFbstk
z6P#@b)t>n;*WnvptK0ZlW%8nfCULj&R>y=;SS9l$%!8|ngHJG!dQj$y>nzpKjL)x4
z@=o_!<GtK+?Xt$*)5zaUpRm*O-sQN&*6?S>%ZzZ}f%)V5tVciaWeMDmGW;EM?ei18
zYadvTwH7=vy^q7Jt_lZ-Im<posO40Rw@AZ%JvwW)5VxlpqdfFHh$XJeZ8fUT<E>p&
z@owE_MUh-1G+`ZGno9lJ=<`KvgT^KS!j7M#pSe1b0x9=>HXDzH3TM;fnejR$zXdPA
zf3GqeQfFx|uE-7!6h`L=xI~_ZwsB<e406T=F5c`GN_Gj4Ecp!@vZfQL$UIDFtXnND
ztFfs{rw_<nt+oo#Rav?zjE<CeqVh#blAU^zk<24tI6bq+dT<Lx(!jG(&&iHj1prqx
z7t}YLhvMW!>e!&b&*z~7LVtag&d)d6D2)t^(10kK{-fXj;yg4!x3;a_*kL{qDH>tm
z(0uD%HmT!Li4O2#ihrtn`F;WL-;LHjhEUhq-Lckh7*1CM!WD_N21b2x9zk5QSz4-I
z4$zuQnLNL~!i*2ud=bgf6YIUd(~jC*mU=IRk9CZGswU(72bfsgJ1qXT`7vt?pRHb2
z<9lJWz(>p1B0s+=$B4%zlEbM>zSXcwg4A?52I4yA?3ClF#ObWTUN&M|RkBua`c_ig
z!%Sv=pyMB8og9eVxVPsq$!=SoxU-6sHNcI0_<DTsNX#>KYmGU5o9*mp`}ZSj8S{Er
znsdB)J0_kGgffLH=abAVtV(1*tF0&-9XO|6biA=yCXBXr;&F)dTzG6`$;o9N4}V^S
zkM{^Nte<K=yP1NoW-+jruaX6d)W!e?h{-o%$f|$$Q?{bP{9UYy$eMyJu04o;W+B=t
z?>Z+>04KArgx86HT3zNI|D*cPLM>mR-nnetD91MzBV>d;p15KS`mx;pX=--eSnp4{
zExlT?idF^fK+`_3F5QG<tHwnf0_+q2+%uQm9eUoIrqceF#c*(`1Z$YQ4MNN-*o?yQ
zaoDA@39n?gmP<6cO&WVwH2j%>QN7ZCw2IAs2C*|25p0`O@q4}(y#I(#^~{g^gJKv$
z=hkm@v2^F5j%`&(mgeKlf;qd5@0PDD<S7P-Km&%lqvlVBb|RJ?bBktTCiZZJ+Ypzb
zR41=9*bSHt#|>exbHBz8a&+{CV||=mL&YoXkr$)w)vO@VK1P`#`P9ac9^QhoSSIPW
znc5)I5kK&!rRwrO5BO!m+x>I%6w{sFIY8q+T(nUz^gQxt{l@9bg}jv3<sn?kL)*EV
zZ4|;@hP52$tads7L=G|f*wCBcrR-YA8r|Aa?e6EFMLT=2pJ8amM!py#D`CEn1zx$B
zLs57UAjd(cS&J@EEbn}tqHaD>aT4O5T-0*1pH4U8JxaPqrmP#7uhz<Y^o$bHK!s4X
zumyxC?skGjD^MDy+l=z$9~xG9Jy@)d!%DrU?1XUrS6^7-J#j(GmwfA-V;x<J0n9Rb
z^K<(Fh=<~YyEPDJby1w+{gU~<Z%>@>QD%cLV`cvs3OSax7$kb%$U4czlzpQly->a%
zEvR2t{JlB%X6_j;1fpQ0*Eo8shA*cPtrk=A`(!I*9U>+9cFzj2MhQ}j1iocuf8?!7
zWQ0?!??VvywE1kMLX(;npSC<0Tjs3K`cqC|>EP<`F@%=YQi;TDQ5GXl*e*z1YNeW7
z=)|)l<hADC{yQy47tY^8+TvTblrqU<rDm(J`0q93a`q+$eM|u*yiz$NTA#uE5Z>Jg
zGgv>vy_*8M;hyA4dF+272+Fq6@D{p!@L=F_1QUX;ETc6=*#!A+i5+9}=`C2DcP=81
zFXnyAaZUCr>tns8{*u$Z$CG+)hmM?R3JnzRkW`ehP;)x2p*(^e;u>;k3UqfJ5-sI@
z8m1nTwDf{EM7rcg3#<8U(t2D>Qjb*2MUIWdmfprL&mWDufNcJLzQU!1s<I)zGTBF0
z<7HM@=XTIyDB(wpdryOUn%R4|eNWy3$?mPH$0z>11cvRCJ6^w1lnd||Tj>X8rfSI(
ze}C>9S)@yD^GA@RreMT14YhC;L=P{1K|e&(<`tMT>)7;@G{}6WO2Lh@PVYD8Evu$6
zL!T|75xLKXUE1%Og}T{l<KY9Lr7v=DaGEqC!9cAzZe7dhow%=J|8eyVB_<Z)J?RPi
z=_>aonVEpw!?#k3xXo|3Tu!JKR(t-Am~7ahP!XB#pXd&3u2CQ#4ju=GSTD)~aqBSy
zczg1B0%DUj)qB;4+q$<Cyt}kHraBoZzOSXT0~{`cOUypJ5@^=^$4RPEKGfmQF!l-G
z_z-)fF#xIfXrD<6-Ch~Fz;AS;kRr!S&DmR;c^x20I`VX`(kasAEPcg(Vu00FisT0)
zcMZ{uS?8fsX*Mj*8u;hhQkTP2Lek$#Vsz8_1k=pYn~M=~#IrWq3uB7bYH5q0X-bDm
zP-e^u>H<6R<eIp8S9YOV06|LVQrP$qPZ*~|yr3`cHv0T+?&DI*L9+YXx9Hb}2e-BB
zjP^+pBjwv5i6}-@@jBoU)aDC3F16`wyO5G{Suyb2tb;;=I@3vy=n^e#q;1vjL*T|E
ziUtDbp63_#6tRgRBpXU`#jpzz6l6f}JEuVZ))Q-?;=e)J3j-h2ThxKWFB%zs_O}=j
zp$k*#(w$*|Bozsi-BzeZ`%VMv%Cyk|m~!pTnhl$#m6YU_(Uj8|&wy};kFtHwQ?|a(
zxR^p%KuCNXw5W-8!6=m#7?}79ab+-dL9GlPnZv}3d^mwICIU}k>p!wix`=eCAokv}
zRWeH={LkFxxZ!p|X#b1UW-#^D7<5O_S0Fls$qaMMn2WArJVUIu82{E<fNo}3bV296
zv*{2dqocgMErh2+*Tq&lPb@rD=0cTO#S;nhGz+YNhNwJpkXujgu~5lLhpH@5l@V;y
zK;)Hx8-<RSxBN(W$+wGKJ>0XJdP{W8T987u;>QW?4+xTCm<9TRc8*ZyUA0>#ajbKG
zb4T5~$NSHF15c96!V%gI+n))*NpS>gzdg^d7QL!INGDWnKQuw_y`Idy!7qW1q<{D`
zXi%s-+k;<i>d1H(dtHH3A6S0A!ezmzX}LO!B&XP`-I?F+bzI4FLacARyBu_Wj`i<n
zAaH5h75jVx2^qI<$IKsjM&F-bV3K+qApCs)v_s^HeXaBPVjUkHJ7rv}YMF2k8Byln
zTp!zqG!$>u9#C@?-Zo1g%&n$WljBzIpd&>Tf!kqh4&F7Va5WmWTKBm`5n)F8(vbWy
z`vZfT_dr<k+$^fe_{jHoWcN)Iuk23qt(ssOko1=u{sDZ5YyBpT=b_C1(kS58280+T
zl)(o(on;Ill>E6Fc;OYV?0aXF^a5rsJ2uVlZpFfW?Ha!#qth;tlY5g@m&K)~`9;LR
zqBg^QUPY$B?#b2YsQmrWTh=B)`Vj1y5+)zzT0O&=y!|laXJ9hEh1vpU(f0^T^bDhn
z@weKE$)!ozrLAGB{LOsdlLY9OYKKrVA2AXdWU)Ew*on(2>aeU&Q5p(;azhJf+y@OV
zi@!oPvuV2@K~ZkK0tbBdLwjD;vZSOIDmh3pD{#c7Y;1U2=Qyi6E(K`7+AEOf=KwKu
zWLQe{Ga%Od9={PH{5W~+n=T@Y^YKenE2!jh#}0{fiMdZt?@#rrO65{{IscBwPOWBj
zF=-og$J&28X;ujYtAG4Mq^LZ1^VOcPHr0cH+qoYJ`R)X526q`Ui!htA03x#KFZB#o
zdA0i#zc`-Vr6M)QjehOmeYO=Kc+qv-o<a&erU~-994I|;u)n20J+bK5Dp-|M@;he9
z5%MuzT5Q}6N`5Qknb=+*fAiLfqTs^o{BU$+<J12-3~ft9a#b#sut#EguQ2tSTz!3e
zCN0L6ZRt)X$0hM=vv)FklI!m|@Zp=TFffKxw-}$}<U>c60MqIIIDo>Ha@UU|w#H)O
zT!u5-e)eyGt`raf7e;INhqawm;^-drB)9v-@`OFTEGeMXYV1HP!3M?N0pjQ)6cDkW
zU|<BlMi6q#N+;a1NI$}3U~)0A4;UX&h~p8zJe%>vz{zr{_F%u2gCiyXP5o@u1a<k^
z{-h6Ryu<h|SE3uVZ5Y`4ZhuGpV)*l`3oGWr^`rAW=lIRI{$;?2pD9QwZ*Rpv7OE+x
zYL-1>>F;Itw~zdST~lO%%<?J+=qhP2S~v27*ZejuZcUcA{M8U?;5J?t%})CZ*&c}C
zXSfgCqLe1rn^fs*&MD}**oSb%aq!)~lh<i{*WEL^0oa8HX#0<j9Lt|wwe0x5J!m^;
zN&lEKK(`lO<m3qze=OJWVg5`r!zm8lwUW4&SLzZ<S>-SW#sw(SPndwTd`+CbVF!P_
zJNtbe4xl7;=6=pOv_LpL{$`!-x4WhpMfaNgUWFdv!yi?pOU2v8%gu498_dpzsx3Q5
zHaK(}pELWMKw^V3tBKUPB=RapX79c6`}rwWq4aY%qXu+=(^V008e#HW3JXS&*0jM#
z^nZO%JaEYnuoPpy<EAd*=b>70map6Aee$so*Erd2%O7j7jm^B?YrP-%WvJ!rz|}>1
zZup!ghhcN(-y`_fK?xY)(3-9Bs-b^9O@1Bo{#sZpQp&(mWzb;E`FX$3sU|?Tpxa*k
z!+~ahsg|?E2r4Rg;PTbzUyfzKAKhKLIW(yeXZz#!fR{+G|A{xAyF~8o2=9tvAX}a7
z=0eg1%3}Vhi|b%7k3p{XWLfcC`0}!mh!EIGo4kiO829ydUKKRkhue2<?We&vgGPoC
zVc&1ST7wHUn}T~wyJDSR5xm!W{l`pvo@>8*u;WIa2dQ!AvLx(mY_xNWan>Xe6xY61
z9OT0{JB*60`fkWpeC|(e5mS5a5IHGOv0Wx6Ry#p@MxN;0*NVajglF|uxxFB}Mr$X)
zli&;89x=RmHDBP9OP6DK?J9HNW`vpcY;X5MnX_3AMWpnJ@xki-9&&q;>!@Cu(CgjK
zJ$Le`Os!#Io%;99==|*)qmwpORNQ7|<py3`WW>vx5VN<O-VWhKq{0`|Wp%=0<bcKS
z{9Ngt+f(weV`p*DxdDHW4LEU#;?FIXZ|hMBhqwB)Bg{Q(1jP6a7!zu@%526u_ei|$
z^%3!-(!0n6v3!{-=SFYq$YJAKenqpb5mYF7lwU|>Sd>btR3E0_8rwH2P$AF%=_Bjj
z(R~ACJ=POzUvJhr8zL5-d!aK<P1+z$v58hwkENJ~b4Yuk_m(QlaI(#VkxQEC+R`p_
ztVB8Q*+TC@L3+EXP%+4O+QC}2olS(GeesLkV634{f^sHFarGQ(Z??Yua)fvO7-JsE
z%zpMo@;G0oz-KAmNrI5IRebeYkDpB1{MO=a{b;FL$7fMswT#E2a&}9RgsTDI*}%0+
zEjl*#pXi;#bBiGb@)3cR@66J!%kqnFeL1-s>l=3-6hP;se=_|Fu|JJ$IFoCoe0Cy?
zhcYa3vgfL;0_F*Jr}*4GsY3dG*a>ps+?lMkFM1nKS)6gXgjfzShKIePo#f~k6bpBy
z;{qGmiHvR)x|1(cn+xAtbksNWUaQ#D+wDo-5)qQ#MyjTt#5;`o&La`!-6`AvNNX9y
za$9D7ryO1!?3Rbx@1ZmEzTLqSB{Z`mW~v-iwSSp$Y!K)-IjIksHu3n)M=yyBK5$5F
zHaSMpDL(|yY}0@dt{)H+O%WUE5~(}GN4-dpX|4F+XJZ@_v6SZ+Sq|UWs)jFy^Xutr
z$R-63`0q817a7Ke%TjTafrpM5;RGY*gUMqPwir93IG9)Tb7@szn`zK}O{U@X;oy9e
zUrCN23d0;eo&j$RaF?il)aBq&&=q1}T&!H*ObGfWuFTV2wYVO@(}Ky9F5+CO4rlDO
zJD`AxUWCqkTiUE|AH;`n#ey0BN)_V2pD5y$?vRk@tX$~5BDzAy<y^grk<t^oKHkH^
zT~S8u&u@u|LNgbg;Wb!Hv2|+Nq4ZSp5c^;He+!|jw;W_*SC$MniLz+ve1vVMxfioB
z7sEX4uN-)NGZvFomIZ<sdhDwacbH~wlY7e8!~)9lj@?aJiH#E5;h1$Z6jKJqPP`Ib
zZ`q%)uqbQY?u+Wiowd#{c4^zkityrNe5(#NKjY?jxh%aotMDrzNMSd<&1f8k`%B8m
z9C3fmTP8o3Tt^P(H*0`9vQdGtOQN(Y-;ck|qv$AtX?l+r>^f)*l|Us$KTX~foE8sy
z66DT`U1H6b=)ChFFR%Aa_ieoX;}@u`r91TfJAs@e=fW1T=12vjxm+~1Si@Z&s}s#+
z{q2Z8^myssb^`7e4{rfp@1+>X(2Mk;z>Y(jTEsu%QEgcxexuSB?6zNECTYjNzH!i7
z1`%Pqy*`$LZIfpRoyo5)-Wi(#i6-o)+m%hx9PDsME0xNOc@ne8rL8dwj<=j7PA%PB
zc>ZTiwrc09I1{e`&2Bfps_v#Z(~6d(!>ISb0mAW%ASYvl+0B!epdah7?nfhzAJnAp
z=i|n`_Y#OG8P@RW?7d5B@A-wN>~C4fBWV_*j0}6@4Wxa;$<IxO`Y)6wR94x(&ZbM!
znN5*dzf{KN(s+C=N&Jn@^Jr30k2CqVicWmyL`cE$3cHiCuAO$wi#K0goXN`%B=aQr
zNJ!I>3(dF@rFwxBestiLAiFm7c|4xMx&pVSl@@=YVs~Y~GF8T~a)87qkU!UO>w~yg
z721v4s-U*bw9PRn1MP!b%!6He&MGv6o3cQ=a1(5-d%Y-;1ha%Vp2R|VGd$nK6{uiG
zR9KG1!bcHX0hPzrnCd9JL^a!L+&K<Lj)}Eg>V2%hv)l%~AQ`ontDj6u3}cxo?E22_
zioyG<0h^g^d^c{lyK(HjX+BnqDnL}qtA^HA?a;PU^~>&fJ1=YjJ)LOa`SIT58TiHq
zw$$<UX;|ciB8T{U$RiFJ+WMYxZ>7s*oUqqq7L~y9ue+`8@v(67$W`|AG28U0n0b-s
zsWy^38sUL577B3}AjIXQ#r4xH_r?>oB4diR<K0sbD!!O3H;9sj^00JJ>X&C-jY=FC
z6+LN1(jK+eDnZYWCgSEALM>{xIeP_drxy~%;^d~WgKl+nrJ7V>>Mp^1?h6g4-%t&b
zP$9lwb1PlA97cE?dgEO$vrWIV{6chbbGAw?m%4ZL7u-#U?Z*2v7hA3dbNPizFUlE}
z_{rSTyl*<@C{rv?S%gVVCrK~XuU&=Q4qeQ<RS1&~qBij8b`P{9-|9<*u@In7xfWAT
z?>z9vX=6)`7ZkuY>yMXWbhdJ4_usuxe)f2?dw>3sXXz`^Mt&iWuee9ql)KJZxk>!-
z_I>n2!+nBtnH}lYtsDb7rpftz;d$VuHI8h-w<Ql{hZOafg0uE9`v+Sih)<7Ej}jir
ztLDhQj<@vI_NKu=@Z6GC$!b~Pz$Ywo{k2RG#Muo^1EXD@sj0^YC`5m#s6(zoZSKKl
zK9L~tRT!4?0f}|K7CLtiVIoB;51Pt@Hus8}R!28J-3UYr;y;Lz8l{<Z!_l<0DHzzF
z!lnTsdGyrja)MNTlM;3QX{s7c<vq@$?hPJiA^H!J1Bacw6CH$A9ONAa`)D-{*VWzc
zZ?c-FKg__DwRC8L*Ez7*BZx59j}9{#>#yO%51jf%gesTLVUA+@orOE6gq695UT;54
zNXvKzL1(9k^PH&NUL7Oy11I$T+L6^zF@r)UhwAR-lVqC@-*<$0wW_}H)5Jb1S-g<w
zd$XHgqDWlD{=}E&x(l<?A-7+ZFU`Ljd4lvay{B~4?2qU9l3`*k_jx7m$9qi;eMt84
zG^(}iE!<1_U_`;+O3570(N<mYp<Ls~bezdj?QCFV6u)k7P`$Ru-wu_P^w1r@$au~t
zno+8yt)Y&M_sTbTPlqWYoppO=UUJRt1~T26Vtr;qfp?ghY;~#CCeY;q=pO5-t<;PD
z{uPUtId~tf|2h6Z+w*8t*tkRh$JmRP9Dl5dxAxP&8-5zdIg8%b0hvLohC<_=*|8mh
zV;6%8t|4pIdkTgxB0k+0Z<!WH#ow(YeWvx8F5-L`YW<B(tb(JmAx3JmfV1e#NSvQb
z@Xlben8);POD4oqSs=)7^my}ovno^c_BGzc^JE3=&Zm(x^&D0lXVa>`Rm5HZ+r9}K
zNKNRG-~5wPVR7Z72)#N+x$g!VPx)|B=3=~e13&jh0}LV`({Bg4r+<$Rfox(wB55^x
z7Kar#bk>xT7_cfpP<;f4DIII)mnFF*4cms37TGBQsHf8K^Q~+krcZv@=OoL~M%c$z
zKN$Xa<vp3^?A7u@^$0$MUPkB*0#j#dhWVA@xavxtYcd37HpI*NN=v%J5Z0NOo`qC#
zDV5jj3%wQm-0tYyLbW$er7)=dIldY>M3xQL=6l4G)XqoF3<|);<qBa*wiOm&haG&{
zb=C{n?SXEIfns;tMcZU&rD4>o$=v1eus@K%X3jC-i<fx*O4Qgt5A``vfrIB0Mzmi7
zi)om+S!Y2)@^W$A80LjV|JLzt>CUTpC%H`lZp1N;vwe(lbWI9^u$G8cm~w?q@HdAy
zpUsu=;w?v-lTWKMY&K}SUl)SS_J=$F_7?f4v-|O2_w^&BZjN|?scs&_4^wNCdDW2h
zxNFsvdZTMV4aY_s9bQq7Z%w>4gt0R54|4H$aPrR63nv-((OD}eLo<w=Uq3byj8}dQ
zn=zsGsd<-=9Zi2&689y1vrtpnzYvO0Ply!jVN#P(S0Y`IT8yYKK%HOCx*QyqSI~Pk
zVn*861fp&j{$U}DhIAjX2ny?l8P&=<b^BfRNQ{Uty&wb)ax*n$&)}@c6^?D4Lw#US
z&$svh*3`>kiR(jgr0>0%xgWV{5B<7*c{D6S1(7KI!J0<?yho_&PPMw4nb3yttmw5^
zo6y~yOA%ODf>%qnir8+$bxsrNTDj#!@vNwlN!*+68@4@~rJ53N<u_mEfddz2wGj~0
zic17K1Tp4KHzUvEt#h3dyD?hW&FclJR)Y3z8*h1)$8{>PlPuLRwa6C%UGbyo!lTXs
zu`jl=sLzS&ffJ*yGn8|zdI8r}@thdAw5EppiIzD>;l(@4)k)GD$x2~h{&}9UB0+Vv
z^+_FejHGMf{%rm-@db^unTK{m<w@-g<;UUlVR6}>nnva$Axbb9hZ&{^h(YS4ZLU-<
zMzcWh46s6obkLNiE$$|K5N8$&JnCw>*QUZFk#-Iih&wC1%5F9IR1Eiv{Z-<DdRiGC
z3*9QqKc%@K$JHUbsp-yrTT1!afxnvVrua;g*-m8>!<z?A968R&hXPW5^;Z@{$b7NQ
z6y>}93#{N<m<#ptb+iaW-5#}r)Ad!BDN}bWCLZcb;uM_2VjoO2G-8&{uS;f5d)U1h
zaS!ilW@+^ksIvMNbxf5<Lb=P|F48_!YL=Y`<^cV8HRt5%JDCe>+tO#X8H<MpBhUq=
z7)lZtQkpfLd3k>^MY<`7Wq>1SqtPB4*|Y}Psho9)C0>Grp@rjJHoHZm@+6b0l?9Ta
z{kj`cFw4u{5EVmo^x}oM8EcxbW}86cIrXSfF?HIxC}yXW@kd%Y+8A+PC)Lbc$smU$
z;P~xl^WF@3#@TPJNzPVVQe*R@mu~QREw0o#aQ3^oWK{$u(OdJm0rk^mh{s&av00};
zq>gt7i*vg>e?a`_ZE(zQYiw4C3;LV>8l)oIq9pHg<txSYBldf~C$V26%JyLE$#)e?
z{l3iyEEn3HcICvE&aIgY@bquDBe2*AO*s0P|8Dih4bt`AlJf)G?=95RrGsvN>cme=
zFZ3!}>}aA<j=bSe?ir}$<`vMbEa`c5n~K`B#6k-u?UH1++f3c}-)CEk&_gyk#lq8m
zr$Q$>V+1|!>zh?wkF_y)D-nUWU>tZu@jdDN>R^vr7Chjvm$BFKG`KVY7HL`|{zqPv
zko0QREqXVRcVfS-zkia(78-i9mtR8RtGYeG$2IVq_-T8|Go7w?lb#+O5@+xgSFVgb
z;Q+osqon9`?}1laMC)~<Pq|-Wx!tcS?Q}m?!<^wU@(M)CSoAz5`K@?drDgS;NqNK$
z%$g_<)RtIo=uz5Z+@JluiT=HBLSG_w`)A^LWsipH7`#y8Ge02~(6E3$JHB^@h?q0t
zyQIy64~uTg@L^x3?Eq&XT6|Ah&ezU1Jk+N&o}|-#lU*E(gw9>IHDGgBTCpf*GH%h_
z&<u4EeC(d8kQZ8<*DQl$)J+%Ubo9)j<t*@VY9}TN!6makvPWrbMe=fOZAf97jHl7Y
zcO!3AM>F<95yg-38n#xaL%DWOS5V9z8?R5gX^{qL7E@JHy21UAs|HQeGiWU&)1-+!
z5MmF%1f=wAMF+}lQGv(e6vpM90gK0w7*{B>*=O%h!OKk-?X<aPx367p2|A-al$!4~
z7pC0Ue#%+hypM6n;nYVoD!cY1WB$zfj#3`MAi`<qCc)RY)XVq;eUsxW_I0O_Cud=C
zGtuv$Z!l33xX1ejuI1gc`X&Ym{Hz6mg))@n%Y|m_q!$8b(%I2&$`yHQe-5?h&}X3%
zJDu`0jpdD=iek*C#WQ=36;7Ww=@il4xF<7H!GwVwo6CkH^j_rWRlPKb8(A~BsN(){
zz*)7M7G`^F`XTqQ;G&#rnA(MGweb`U#JLfMV!!gi(nRv_X49kbHsW+)hBxilPY#FV
zi|ze(C%DvU=ys5w8%O<6S^>x`8IJl$lLM*{ED$tB`1Z~QMi^Nq_|9@^$?}09LJV(3
zu62Awai2xc8FSwB=S<t5CtR64-Njt1dCB~h=q#fw2ze3%AvvNrItrPBIzSTOm(ZS>
zG*UspY_}ld0yC8YrbN#bW_Iv-r!B6Zl71~Mzcv`$!Pi?+FoXS)cToQP4BF`GbTg+s
z1DD+RtC=^;uboIAYCqODe73pD^I*6aEJ~erOis7S@??S^Ns%!SFWyLPY*t+x3}XiY
z;k1IC=}kXA2;;qKxoodj9WVv(#szJ5Oaa%1n6rBN?8o%zQAe4q%SN*fI;K_kE1KkK
zH#H5vWvRiK6r9aNgM`%v9#R{aHxh-q#Bl9mj1{Ozu~HFa_hWV{=dN^_9oL1YG1jpd
zHrVXt_?wbVTq(_}OJ)&+f<tuT9i@rw6{?AaFn@&loVrwqqNg)h-dYNyZmT?VH;}^=
zU8>|z?eynJ<vKwMRMJQ(vhEiXGO6id)R5Jn<`znJOrc<L%?=kv%HI1=y&#XS6uowQ
z1H!G*jb@L;+Y-N)1S!SAHSxfB=vYo%CO+kno;GNHxB1K;p*!?`v&(le@>a3_NXVKc
zGYG*bhVBl1?0;;76FyzR(uyWO(HH3;M;co<tUuszRo9Y^7!)5UPgdrrVkN124_Gl*
zu3w3-yp#T1rsM-}yp*ttSs}s??>zc~wj_q^kD4u~Bk>(b%V9F;Dz%_*q=mgc?)+BO
z5^g;+EdI%I>5|8|==<5yw(R&tjx+>Jd3Nn={d}Uz%%3yLk{`<!CoC)u&YKcua-p*6
z1zMH~@dlN7&bch<uYg>Tah%In_Iy-zA9sE+w&lQWW@Er2`A)2Eg(ug_a1sO~++_Um
zK+Ek$DCb2fNzHWEHC+2}X=>;iY7?3tYv8u%*6`lWby7X2MdgU068+-EklK$$J*zC3
z5!+g`^{tlBuYS!bA}e%zIgEEG4gP!XQ0A&z*BNS>>@>s^$nC+poCCuZW#=6GEDO(~
zZ>fb^QyYUvVpP3SM>coGYRwyjVV&c!k-`-uYtf7HAl1UJI(BU{;MPdaSKm=bh|sj$
z9Ib17w5jd0niIV_aXhcM&u`bg;?;ATR^*O`JUlL;yuTMojj7#UHj1#Y^2_6W>SCG&
z1o=ui@#QX#9_Lm|yukL9!7%e6l#q#UT|*r`Rhs#Mz$sEMZRl&R`J!<<m$U+_ewSEY
zxc*8hE3M6D`=p7ERcQi#ulU55x%&<;Ny1WGM!4wRrrOv)al+5L?TyL}<8l<f)Hg&<
z&2CIPx*lY~0rZo{{gSs{1{6StED2uQA8T)r+hY7=DV17NC9I{}!+}ww#wG*D4T@(<
zyIIKm$6TOfl@MJO9gPNzE4F3YutOn!TwhJi{4>9#m40Uj7mz{t4&E!Xu%nGlEVER_
seq#3Lp~|u@k=FMA_y)K4&>pX0Yu`$xtHiC}fPW7aRqy59efIjl0HU(!Jpcdz

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeLinuxHostBreakpoint.png b/docs/GettingStartedDocs/images/VSCodeLinuxHostBreakpoint.png
new file mode 100644
index 0000000000000000000000000000000000000000..a916434b84e1b341e7c3d5a6688edd054c1e81ff
GIT binary patch
literal 103130
zcmaI82{@Gf`#wxUSu0Aiwj$f0$T}6JLWm;!k}U?2C1VU(3#sgh5m_qxGJ|2p60#22
zXD~`qW+5_zF*E<$_j$g*_xCQxdml$f%rW=<S+47IE$4aOo>|;B7UVm@$HBoNc=LwQ
z9S)BDRva8$`UiM`Pb^@17lHpcgYOt$<)|8#{0;oF-|LFm6%LNtH2z&zZs7NWfj904
zb8rZC?fv8I4Jd!W!ND%MX>`Rp+=<LQnBy=3liN+t9ek5p;pEoK!-b!?^T~cr`NIT0
z?49FP{?~T8uMh1zvwvTM$$>MWgKqo1T@N3T6?mOG<feO^>w2x3q_H^e%x%wgPtSr@
z4fb}L#!b)Hed|yX^rQJ^b6FI9vht(-T@)G<QGl}w!D-WH?NJ{C=-Vr^_SqqiA0IgU
z@73J}ick9IDnB4#_3w{K&)fgMKYkgWqaL&(x&8GG^uY+S*JC{H!$XNv|6D}{=SM*v
zpHr>{%{Z?1dk|D_VEN%bf3cLf1~cb!q};z>Tk$!<Z)I0?KTGhAOYc<4>NYk56Y$`H
zG%tADFhuHqo^|dOsN@Old^34C>_?sM{IG#PRu<;W9^inqoyiBo=i4`|%5E<elyx)d
zL<FJC5gppcD--D=%?xd<i(*D>Q-~~z5xoy){#5{x9X9{O_?WWY`$?-uYXyrr4?{NP
zpCMu|<c|fuXm8%PEKpgnx9|w$pT*t*Vfa>;?Y%084>U_f9GKmz<cx8sjP<Q*zU~yY
z?U8%I=e3=4%Cu|$NHgh2oiXb&k5cp9>$*#+8`aqZp_rqA6OFp>aW?Eaf^T1(!f~?O
z2nq89FWY3tCA|L(6~ocriGRp=;A}M=QL>gM@-*)%7vfB(Xe*{cu&9eCD)SQcW+&@A
zEEsG*al+IW;Y(RoGCcw2W#QsJ$?XT<EEww?zBYaRt$PQkgx<M)s&e`Bt*&M9<s>(Q
zDXLCM1!DiM9%lPz-paN%*=tT;rYIF2^%%!RUFD(&9Hd0Xz_i1t4uyka^xeaoEk)Mf
zH6%kNl_|%YdoK(>nTQYhgMTD28${PgU@9Pq^8Q4-d<Ol-k=`lhZpMaPP1T$#8D5LX
zu5mXrngK2Gg12JqmLr&(Q&wW7e)xu)7<$`k-`5h8jTO(q9M@s7Fd{6>$x*>AQ327s
zq}@z@XVSBb)H{2+$Lv*1uvVXk?tI38Kg09(;>DTRndMnF-x@>l+HAV??S4z_*6TaJ
z#3~dkDw*+lpH<~*n9bN6At@c}wVZF+9svSYoi9|KycFQ&ce!Yk#Wb)GS%bDwlI`@d
zpY;%Nx3zk@>=GjFLX?n0xS+nWz>W2{$3j&)HNUq8=>OTW)Z216vx$}`2WQ>e(pwC>
zriSnh%fB;eesz4cu7=J5nZuTh^e|_@q2wH&MRtX|INW@pITUjl_6~Hms(k9`**;v&
z-Cy;7X<`M%$_Bil+SDf#WtBF4hz~V5RVUtlidwh2lWIYBJ-9?#jGyr=x|h<$jO>Y@
z67h1lVx1Ndl(X-E^*o#nYo_6SgFVK|%(DZcHu8dge0g=55cFBd3g4TOX-<s1r2<``
zr#kCJTB;C2uc#2#pF4zZNUW;{MBcn^`Zm`WzNyGoY^Qv(wv^MSr*Z1F$b~obUOv><
z$N(!YJ>R+JX8t!cZ)?e&;09mg?T_K&-RFa4@HbgMic)g{lQk)7U91+@=V&%d_5`6F
zgEts{t1V)S?45?0bKoEnD04JK@-)LBUTW&j7J@gBK2+TswT%$VXogRJYeR*EYCnS^
zdpq^#PlU;I=npUPL6upLI_u^z_AizXM3KEZ;nkM@X?c(|NXr1yIr7{tZK)H}#I+wa
z3nyB>n0iK+X2b;T&bq-`ucHyu@W5;cHe8>^tnD4aT&GV@Bay;>xTyJEcjp)7^eL)b
zoRlzqYi2ndL5`AZL|DVZS7&kl+MNboKJmEV+T|1fvEaTao;jjfRSmtJsoMdgqLL$o
znH$`NX%PZe4y-8OUIih_rp@=p`>qILIW9!4x7%jrQEk5?@%hfK$OO7Ty0kq@+5QKb
z$gDbOedztdGBbu(+Jcbvu^d|3kS2W^(e_8YnT#Q>hB652+uW#|(B7QOgip>aXHI{|
z4@I{lF1;g&C`wZfN@F=@I}~oSwz@6Is@`VPsz?5&LZ+P~rg;Uf``MF|rBb#a>CscG
zLQ%UqXc;PUZt=%zIuc8>EhY~*v+ABuF}y7G9X^SdoGT-$JE(!1QX*mYwmrqLO54!1
zXU>VR_NbF{kHOI6dM%Wis3QztRN`XcL@YdVm;TA&SFf~iHdK<yd`$G!3p3o;(73Aa
zqOXUKnsZ;qh#`lWvu8SBQb++@BVDRmnDK-6>a-jh;Y~_7KqYmn_fu*+PUBmur~G*-
z<_H5wKLxr{wJe<-<U+7>o=%u^8vhfRCR4CDJ<Zx>mKJcYo*ss5?e28sz^WnMp5QK;
ze%L^V3L30y=UlQI=?;6F1}S_-AqEX7KVeYVvo88<FXC14oky`(7$-VlW;Cyks#s%s
zGjU#;t74HQeMN#GmUY-@T8E6n>Sruoe3!4!JL4V`aoHYiCMiSTv}Z*Xnp0ry>ivxf
zuZ-=bU$_K?a0nhb$84nRF8)B)uh!ZpQd(l#ppi9Ze|->ysU>NNK)N7qR0bJ?S(G+T
zWw$ggiYBt9w-Ks-T!eM!Y~|pokZdL`)S1b0^p4f3@EzEt3$h0!kY-B7&Ww#`#*w$l
zk7}#Aaih}A84RR(VAXzc6+xJ+Gz9xQQ)!KegGF~_GqxsCn4>0du0ESTRLa3JxLmlt
zSq*oThW)i{G}C_0XLUU+<rUE(Jlg?DLM_#u2KQ~x_Vf-79z{_myjV8T_BQ9)*&Nf(
z`@<XLJoWHFbZsMMr+gOlDi8GgwPsp!FO~Q9Bu!X{@x~&6aIS-z#~9#9qXJb%WP9ZX
zoyhFw4yR%?2VlapOEptT5g9&=CHh?zw6Y%ESq2#!!Pa&mjvPx1Mbt<a5WqZSb^P?^
zt$5f5YL&(L)B`TlxY>VrGF$%`YA)1%p79$n3Awm3m<T5%LMuk*C$|w?m9XX!EOWcw
z!*UgUZ<*@#&VwGl1@mFJy@O0gEVb8$;_RzxD6VYspFsM30{m|plD3>2A=J7|)8nEA
z3&{7L#y5vhaTvvlS;wjBWPXxcyF0krm65tk-R7cDbPO7<$b=&1aJ6hZKd?WW8r*<l
z#L}k47{O1YEYgB@g+^&dA-j|r4?Q{qiA|r|BtMy=^j^)^jowcd8Rn#2L_;hSbkM|T
zW*|-~Ypwu3s1yb-ej!qTUaf@-kU3_kh&io>j$l+9#GO$`A*&alt0e|lEuq?cGy>bt
zU4j~#{H=;4W3FeM>nt?wMQ3hiH-=7!wcchpZPmz78T?daG4k0m^-r(n8iwG(up2qH
zgcPQP<JZe!*PJa8ieVDozF?DRSPu)Y!=65px$oWQ+2&yPv7Pex`6H#Kd749SH4c?e
zBUaCJ3tRQPNXJ#_oX>_l0j$J2yIs~~)31-s-cY4Q+StiCrTfAsOyGwP{rY6Y>chv2
z6zHohjuvoGR5`NsAGMIOPmzs2WuiT%k@~d+XZ7+hf*dy!Kb1`RmYoFGt8p%`$2Qcw
zAo5sHF+wuH30_c1Yzrvo3L`}26EKp~0g_&1ej5J(QixDneGtc-f}|l}l<*her*p=1
zu|Vxv=Hr1!DP$R8eC^E$8Ni}55SJ_=S~vJM_0J|9Cml==`TSw5zdwG;70&XzKhAie
zLl1Y+r*GJK&*)3rIa5g+^wWNAL2+%^=>)WX7`UAoJ0=aLH&b{$Zo-azXjyA+U+!||
zVa(K!m$_H93?!mp)5}T~v+<g=U@x4ae;Zr8p7C^9-cSnfGK1m4&Mvc+S_Xa*nD;sU
zl8}E0?s<TR)Haa5AFh|SNMLrZijd1HQKTIhVTzAtyU<Fm_Ck4NSC+fSU}}}2e#(E7
zu`*=RI-QH`8#oXd3LgbeqL}xmouPVux)A*^0#$voSGx~3Hyx&guI{7Y{6&^RwaJ&h
zk4Ev#!Y)gMaRh8L9=>a%80*d-LZ-Q7kM^*)4WSi@I*^$;O&4(n1niEK5k&f?aZlFc
zijg0r;Pj^HseP>4Ai{kXGSWK@Gh0^!X@b2Q)>nyk|4uWsHjgmOd73vAwJ1RZ)myDm
z404$D;eXs3As_b2CA-a+4xwWbJ<C<PXHNH;y*5Y=`{EJCzT~o2aj}$nSCw@wn&_-h
zbi449C0^vrUc$l6iFmyZ{N70TGr)9yK{aq?Q#kfRMvjrDkvHpmWmmG#_LDh4<d7H|
zUWu+BnBC=cdd2dmKVfnP7D~wO^6#Qzp#n8hjEG`na!8FzX$*mh9JopO6sqLcJQolK
zS0<-9-}_jDu}FXzGbLLn<T}DUOv;~8gX1hH9)vinRGO0mrlG%N0^neNWpuA0Ns$ce
z4gx~M0VteFnOQcVZ~649_u)?66`R*;g|pOwnu4wIbUD-|VW|cegLP6^YwptSW=RJz
z{^HETA9n>15^>D?f3v%2Gmu48Sla1ncOSwx?WnM6W*y0eJ$j7NK-prrrN!r~{i+h9
zNgL&N6|c+!Nh$hj?{PBAO&16Wo3u;Kl!nb&2ztO)X8DXHKU(F*!G4N*6LSX08IRJ6
zkKSEf^;N40m^LP0(QK*#7ZUJjazuElKiKwq8`RGaj3-StQOHs6^d9C>Ymv;YRq>sD
zY};mvgRQY5Z$_~yYS6!H6$jR&Z631330tjg_6A^?$b)zM#P=QDePN6AyI%;=25g$D
zQI$U6AL+<5I43XV-m;qZHK4;RXr_ZG*c934-@G1=JrKw^p9!xEZI-*IhZi}8Z?W2W
zEgJg0TUDG64<y&2%|kh!PQ^K!vYuhBe~rzDar&`o(=IZdG;u~849Ecii8=(Cti@Rk
z?lfCrN-bHMtA>Ci6}1s;j?{psU$A#-rR)=c%AtkfHiJW;tGBvFiS!^>I9Z9qKEeF~
zJNk<D3WbsW*XsattM|abG!HV~gItUzqe6(js7h>g_+wrd+o?Gu(dJ0tF4+sG%nv2b
z;dp^_udmvW5;DqL;0yZ}zAy^$N&~u^rIC5(c1<#^=ml>-`A=6c9e&L+VUx_bsn2g9
zMumE1GjXwOanvj>iy?{d3UfJ1n|aPpYKhgL*OUAQRNTRVRWEiNTENLH^~o*+f(|6V
zd@mbl#Cias>)=u-d=64PEUnw_TR%Yc<)+&fra~o0$_Qyo(x>%$$;b7IgcvSF`&J=(
z&NT|Ji<CsEi#~)vWnGt&L*-)&u#hluf)UoXhhz+G4-S)}+s=eE=%A};c7FORWZ$)S
zGGXZM&X!B(qGVVGvCzS}sc3gE_)iN@f(yd(#pc>9Q^3wPlwJCmcsdMv2x$ftps?^1
zJknM;gsOwgXDYeP#H-U+W!r=KnbT8Gk<{gW0~Bc*i)x=Uuxumsx%QK1>X+uih?({Q
zZ5OMn>g&fG*6ZE6pSQN$5e>m*fVh_ZG6raDe-zpvLlMD92HIY?Z*hKXjy2M3dJ|({
zUtnE>6|KEeF_Ea+guM~?^t$-%;Vl_?wBz`;TyR4@b_>ET=``?W?5AbFsjSBu)u>Wc
zmBZK_KoacstqYlkhe<I^24UvybE<T)d@O`8>8N#(c8S1jtjTXeh&6<yaRXK0Sq0V~
z-Y_gPf_*Ww3(hQT6T771FM$@8@0A&+X?&NFLBSii(N*m2&p5%XbUn<aP$~|wg!N}&
z7zklDkPpO3_{FkK4`-Qa_XPT}<(8Vw{+Ou`oAHoo%9UxLl0?8>&<V(3Mj=p1*6tm5
zz%A}k5mU7(xH@=ne@)2ut6=J70+U=c$kycyp+2#Xg$3d+0@ZO1Lm*txKd+p2iHFK^
zaSVfxOfqx-;$oxhYany(F%b0f%NmKYBFHp@(-ukjPUS7cx^;>w6$=xv(6_sx)H=Wi
zW|)ITgS6j!72=R1?{{fqY~>P02=1I5A2oud;OZCxp=fU}Fx)$hd0BgSG<<b;G1@qz
zSU6*`*^wB}L=gg=^C$yZ@emQnoK8h7?isD1xtiCnxd*1afH8Jukf*+B9Nnz97={{;
zkDWB_z;z6$VkLif34=`?bJi!Sqwa=MXFp7Kyt(N6LzlSy!u0JW%SzSjr(F32-ZbA*
zA<%D5O38f5zRkRL8v!-2o;rEz`BQM<EVx|3ag8<Ya_y7cEiQqiOY$oT8y|F|D@r4D
z%Qotbjr1p`Yu!CIS0-vr3-s<&itl|Vo8Mu)wawX=YIUsN0}YqWhOm*5zdz$r4N!V=
zU1ft-1d+q>9WsP1gfi>o8z%uPdCJ<%XRmP{UKZPvD~t47!w**(PO)TfI3L_RqSDlx
zgY5zUlWL<bQSV%kA&Y|dDq)w(y@%{xXcRpBif8Qc+?CtY;}37~CMaZh9{)Uf3RD<L
zTYnb8UzL<p9%iCvdh)+;(9rSHL;r$NM`K+1{{7MN@c-|}M}7YO8a1-!#N#9mTb@w+
z&(ofF$oy?Yp+qd7?jqDE%P*7Ul~p7RBAfm`fH7#NPu<EqX_#>6XeuKAv9GuH7jeDt
znjNi!hcm0q5g2XOs?DjQ3$8g=jWR$G+3VH^z`DPe668VNBeI(TM^2q5-nDU5wsD?I
zjNv<6BHbl=swmDUR;}pj*33;gts7U8)B_hTi-TOE|MSGve#Pnsg;$OA_x<xlF7<!E
zXnN)4S1g=82%WHD=EWuThixy}e96Xqz8s(QH4Rw0WoHAYxaG-R^80jMMQ)8dhu%Ac
zOx#@|o-wk<s78KEK4(#@VGZnyrQP0&Z{=vpo<1Lk$p8DttK=_f%Df7*^RW5*bH#D&
z&7|^31bcURDcO0~?dLMt<Xlrjz11$U(a5N=2SE1ZUGaq}<%gm|zxF05P%A`t1GIS}
z@c$WyxI0A5AnsJEJ|4Qgw;#W|K_!W!7~-4q6Aif2zZ<UnGr=_IGhu4x*D`Y%4MlEt
za23<+s?ic-(92-#qVCfAY@5~IGy%i>c0I3FzH~X4@0-{AOaC*duvOqQ+)}o)3W71a
z{O@#k#><9qIWnani<3nSt~p=3K&J2P7XJ5LZO(k1qO(}e?5zd${gi+sUsHb_S4}_W
z93b7ea|RMlGp_rVEAufVb5hL%IUC7hdo46iCh#%F%M3EN#Tjp#4=V%qxTTSxpfAuR
z`jI>8`txGJ{v=>#a<Ewtw-%z&wciWOxW5_j`l0>fUbSY5?rZykuz^_h){?U$r6=r+
zQ~LcFoXx*C*;8bkS-`H={mow}kCo?nLoC@FSG1)YH`A>@fl6TCQ)Wq8y|NpU9(IKH
zkEI<>j#cM*7MR<s-__K|T%kpgRJ3=XiA&Tp`T+j)r}wZ(=zPS@?N3nD(Q72b4GC-v
zXh{nVtTZkQ@QD(Ut_<k}SH6j>&4^co0HT6S)YiM0WxKrh(-ct?(kJWxZmL`#Xo-qm
z)$GhN`Ie{<j``CJep#y_#*M%Gb)4jX;alH}0A_3jY~ApF3;WvrsK2d#2F%2|MFLx1
z3$tFP?z_lxk}8$GFtdY)XXascmg|<5*k|mAS;o!VscirL^Wx>Q7w!kIo}Y>O>A4ZP
z8W!4@ikp}9eNpi`&wNgvzPnI3%lyNci+udCC93(*%ZfY$wXE-*8N@H~3NrzJ0ap^8
z`rd8wqqbK%T}1Bom(gNlkBN_WAEM99g%T($#7Wl?CsLW58(?@N!H3HMd5SO%IN2w}
z@_4Dm$&$$H{;hwm2dfA8NuDz|*naN-rMTU%d+<!}&u5WRfe`QFN_(NV?;F?UODaUJ
zNn~`7UWj;`a=-CzPsQvh!vvwBfOG|*mneid>2G>3MTS;vlI(ws8WS|Y_La?b6Q2?X
zPNy~G>7bO4PKtDiPXD12`@TE&mNY^h6vDpt;O?vFVm9fX$9g_<`>vC`R5jjpR<5#$
z&w;ap<Z``blHB5a^Tfrdj|a{CF>CDXQ7g}7B-nE&(h9kh$?k0!om3XvmjR6mw|KF;
z<$wS2KxgYt?O1PrzBAfP2nNTd<j%gbaaNHi^$t-<P%xU%2oH>{a75oOh}!WHDc56=
z>+2u{%|^(bPSy(*WUJh*3#Q`WsMfc7PwqHDDUCP0W07_;-Cv!o1CCuR?^c~4U|JmQ
z<QhJ1x_&)YIvcq$v~CRlYy9)@03vezSu2BzenN>j(wfEoi(sYet+mHKgyD}e#IM{~
zZ>)w54PMoTv!1pxX@sxi<4QwAT}%04^J*TtVblu{P5;?)n&rm=$x>4SGiMOKBb7@Z
z*YY60v40wK>!)_VMWUuRsmfk4QCKDmO>Hr$RGe%HApsjLb1}^h7GN{%#p{o4GsCc%
zf7a)ri|X)8A&Cm4$;K}MY+ATgq9#=bb1nH;pP{h6bvm5`aXPY~K}QTf2WK<YVLOi-
z4Q}dF)MfOXL+Jx`-+ys$L=FtV&x?pv2vwxN-|SWCuMA+PrnGrJa+-_V{$v_n7r1OQ
zh_OCzDy{|1J(#xEQcF%y7+7U~{9q^%mVYMogw{1pN%q{VpKKUI9?kl^nhQ+eW(N^g
zL-}j=GYDbnzTQ<|JJyrazLZd=`Ew#O*_F>Sq7jvr<=*=u_cFJC%kOiIjz^A{p4lHT
z4y1IyuhpQNyyx-B=X*atOaGCoH4lmnBT>=9%PZN+=-cyvAsps@kCl~_luSh0Lc~`_
zg($UE4D70R@{~WR(V!MaPOJ<&%4fAOZ!XkV*Jkpb-Ol+?*Vz^^tr~Y?TCNgv=lMY^
z3tl^^E!e~@d}jt~KEghVwSnL*H1*~0PEerFLyc(EIj;g-fxcXz4^Ap<*0q045<+cW
zE^u%>0(6{iT$wMH@`6Ib{bMtlT={r<4#<Ht4y;Lf9FKDYozRqRBy}IWdF!AR(tqxR
z??^?5tV}G7Tzs$k89J@xZ~prr1Kq%1BR95x75@n$Rc^-|+_QL8K7X}7#r4+3&Ceii
zkMI}b;#!y;ub+4FNYp20czo{<{8`r@(>Fb#Cc*`lqyPYr3OdQRa3tr};E1;mB>iq$
zt1t2qrE0Mm<lcu_HWOc2LuDiV&+hl^u|BRss)aLR+ThQD(B(TsOgMc#&4Ogo4T_ha
zJ5(OIJ>XmwUf2mbd-A}|Lpk0d$MBMu0xuUpsm(_Fj#92=a-HOPdU*GHx4QJ<oI-(t
z1IO3iJ)Yvsn2Fy1?HR;b-t>y2b@+Eh(b5W?x;vBlbv=4mQl;*LzZZ)qkX1DX2q<;?
zOJUL8o(D>@7lc`|7v8(%6xlb|X{efB$(=m*T+j;Cy|y{!oP9I>+^5ZG-0t?qvYCA)
z#+rI?=Ubx8t6U8)o|TI}0#+_m5$EhtlS%P#>Lg&_L$<P)JBpRNIJRko04>h`SEr3l
zUA|A+A0KyfOi-A(3mlU}8N0))rY~c8H@MPusov>n;DUBg$qoHK>M|0g94Z?fgNGbE
zV+SCEg0AS5{)?eM8_!)jfKKTdHm$vGHp08}%-iQxrf_6eYt&#y^JYHwBF^$2MPmJ)
zhN-yzqlSYPN)S&zrKU#(+vvdc&c27R4?wyuA;cXN(SYM%XT$o^1g)#kRSfWEx&;Zu
zjS`N&)8BtL9mEYOHO+Oq`aFnhZ-2Xlt^8&bt6SZ8sE;~D_sfTBnpo$2=T&?p%4d~D
zw(~0p8<bW?&ttkAjL|=1?y7tLT4<$ZP0G;@p4`9hsC|O$0+vl@7f3`hIC--m`7)hN
zAw(vX@r3gLp0L9&rt%|R!Isyfyw{+KRJ2+%B6r^O5&buoHN}488;hxh(_kINXe^7>
zMA`>H5VTbHB=tA|3#J`+W4g^V-Z$4<6?v9iR&(X^eAD{(tI2xXDoj=565gXf5SwA+
z44Y^V&Y;Y<5gN3Ef0}wmhlLfU1vSb2nyL31&|Piym7deYG{h@xyl7M2;OywDMb!;%
zpz1@oJ2S3wxk;3g2`JTowdWyf?n?_Du`wL`C}aV#u<OYZ)?1uHNcPrZTAsSDVh?hR
zXDBM?o4*L5hKcsD(<LDCW86tK!n&d4193N|&t*LlmLUwUmf7`hlcU=PjrmP2LjQb^
z8zh~0WwX2v*1aS|{ZqdxxbjE54#CC9z1mFS>d1$&nREh76@r~UhHqXigCQJ{`Hn(R
z_FNF0NMZSqnj<1|o?<nA2EeD|_zCm7{JFJ1X%3FnV_#1xz9`V@<*3r#eK-*-TJD*1
zWNKG=2ISFy3dlQ~Zo69t*FTGxzu{QgAysSHq)lJu)`Z~SSJ^zbOHkM{9}9?Flt^F-
zk2iVTEWerKrpnz}$UhKn*ob`Ot@=^YE@z*n5-0t&q%IeC8gkHSCw9FY#Jx64ytfx?
z7Ss{lVJfeo@W(f3Sd{%amE7ar0Y0!(m)aMI3Hvo=YrgT(q+FvNdx|B5WCPo4M^-GT
zJg00!yAJ7vaq%gkDWlHTTi>oq_z{qeBgbNr(AZF!UDn#KL<K6~0Xw}1A(-{dvY;i}
zr7g<Cj{N*17Zthpj_y+jY*g&_{gtU|tb$=uoJTwCj>ROF%~79{{^YgXU2OHGm|L$2
zybz0HiGo%?_152{*kezFB)D;w2`yKF5LxJ&y%sIC^?jPaSyNfhbypA1d5-5DlujM0
zOvXU+A;|_HmqyqOXQN{%{UC0xqsD``ncA-NQ823u-%K{ZdxSa9>R?wNDlXRtZwytg
zQv%X7=-2Ppx`jLG|C2DM?5T`|#n^ViwDPXny519;macpT{Iuf)4~dk8Q9&(a0MWl-
z5q7!8mEd}xA&FjXX3PdGR*^8v)5dXnRNqHnbX7rQu6b|9Ox>UH)x5fkX>gnCsV1Sa
z`S*hTTc<`=K5`NrF8D4QG*%t4Gj2H68rkdgQ={(mjKmQQ)04LllardcdQXB>ZrsO2
z#w+xm1)J+{W+-&6VqLr5tWPT6ohFWUXJxyMmxn%KZ7&Pzp**~B1sC0e;%>Q8UR$Jt
zt`#??8bU3Xl0-^H-{d|umUt~HQd+3|l$&0lh;i%8h+;AZo>Df3Y!;<<0}-Z_w@17K
z;^P(k3m15$qh&cfycc;C<5w&^yAH<jv6fWjgSig<b&nNCV+du$`J;E2>ln$)EZ;D?
z*Z>P?^!>Ofvr!Jy7`6^G>LI7b9loJkF>YNMf)Z82aSBb}Dg>>7d^W*n<uZ_^yj~dq
zQ`7+U3)#YM`pfKc-gofN`8un1G7KRKWs7EX3tBaBmM#fJ&UKVK3$a=jCS4r|-5&7{
zAXCx8$Ccbc$-Onqu24wMH=(F5yo+{4K0iPh@%JARZHkE|hBanx%*?blU)&Ivkqf};
zs|2g`3tL$vw1mw+lPTQ_0j#=H4(eX*f(Zk7QH3qb>l~RGNbp(3B4J_d-6+dMg9g~j
zE7$&f^MSXO#zRXgs7MODKcz8j|Kx}FKKX>D1P!>`UJvtH;~`mohE70xP+;G*#HDpJ
zwF=LE6gyxF^5I;(6L)UP5v6C7s2bC*<gm*!RlgBagDp;0UVV0p&#DO1SZ0y)9RRD#
zCc59Xl?Qpd^7X&;`*xV?=T+C|5;?N6oP^=ZV8+A>Bv%pGobh=jQ~|m>V{VOnPFy|G
z+X-qy8WTKFlX3+MUPHa>VljD5?R5t_u8ObB%I+H}lPKMCO>{1e7m`=hGVR!*vhasK
zV^kRUIc9eq7VHnDT;fEoCMvi>J{|nmRGp%9bp#;S$gAs47RxhP;=oyYs%~7dHw^*G
zutfON9%}>1<!i}Rf*I(qCrTG2BHvsOIUeq0nsekRXp76ap}SbuwkLW*P<CzB>Bu*y
zV=*+_P~HwZXuBVW-`L!X0hu3ogW0L?sDr-Cok%jv?pH4&wQ$qX3@H0$SI*VTGdhHy
zW4-w173um7s}d{8K#bV!fOwH+HL1({nA12<Yh5MuDttP^mbaRhKqGqDFC!BR!gFyn
z6f11Vvv@)AbuFYlxYF$G$xEGD$00x$rM}rBF`=1holGHa4SH&?qr(Q)=LQCqj-piP
z6JKN~i#Df4HiI+)oM0bNqXjtSjTY<fbDw<=GF3P-FH5n9M!4rZ^_Z2N<T-U5B&MO!
zjqOm%Vh%*ldgx^xEhRfC1*3*vb%8I*@)}Glj@>i6OK52@U|!~owUp4b4L!z#Z*q<0
z4>_RWx5nvTQy4E0{z6?Mdh1&}R=+_})AUc*DTdveB(tS@j_C9b1h6>KlrlBbXP<IF
z+<{gzSGDf-4Ec<fzSb&i%-$Nz*Hs<q$;N}aKcxYf>C0cjo{p^OW3iUHCSA&0j9Hmh
zyiSI@qkt16m)Mhd<r4u>A{fNUoTj-#c0*M%wi!>=1G#d_F`wSO#R)B(t3O~Bx;l(i
zy``X4*v<GMEklPH!alh2?TkO=XEP1KcJfDP28198gUX6w8@RUtM42^I^Ep3pI-TE2
z9oMLt`FLQ8eF_B|d@+i*zN3r;7s2BE^dH4;ORTliX>Y{k|7}3MJ<k!Df1+|R73x~-
zM%P=CfR^ceukf7(yl)p<L=7myo{JuP^EV5`&84S1!cA9~63A(+RtsIt{q9`qu1b7F
zAn0JFXLFS>S6%zR5w#EbYCcy~GJV7)sI+KsQd6{p6l{2ejFPzBw5y|(I2Zg`g+Vuc
zl+9$#g1Ts~u2Kz+B)eZ-#8SuW_F7vbG%=4*$1p}XRa#Do04*K2%6ZLv_@nJ-GkfC8
zUMB^V$<^0;TskMucIaOLuYV~H8oF4&Z}ZLku~H76tk82w$^c+ai1d?^9-WlB<PK{O
z7PvqO);&%mfk54+!uBr=x~PVhemUQTR=V&_lzY`q5NXQ7^c)-|wG&9Vw&^Gccss|H
zo3EWyQ`~=I%)|Y&=R$3-+cTbQko?+!c$9=o&>yDiTg_754PwlxUhM&1%@B(K1S15`
zNTJb!7gl_-x5szp<(nG324>ja<KNX0kN}pd+~AgbquJSsAjVY18wFHr(_LB{im)q{
zbjV|<E&r<l#u0+pzyD14$j%7J^yKsE$t!$-livvtvie$Ok#i(W^SKF0q$65ag3Hgs
zMK!rLCMN!6N1I<yWf*BUV50+hD117CLWneAZMln-7tRabYZt!m;O#Y4KZ1h$9GMJb
zTt*;=iOvoD{8r>T{o9&xA5b7}&NKcOk{9;VZ#-Gf4;yTJV`er4G^5m}MWL}CLB({7
z{)0NouKgKO#va4P&Y8YcnA014@6U;105^z5MzsmY8q$vl>gMd%GUbGWehWpZ{rbEh
z26Jgo34urfeBP+c3gz+?G0IlEP&n*mvWNY$P%A}~qGPAqYS4O*5dn}xQEV3T=O`vr
zuVuiW7z&-Z1C;Pci0{RiXYlkH0A9$0mJ|v>W<w$`MQI+W?H!eNmXu&fKZTO#a?Si@
z{O##EEhIedZ2v54RCr}AiGIg-nI=NheuRn%BHIKUw37Gkd6VBf;8&_dC_;XCZx?_?
zxd4EQFbi1~@^T;G+n+%tp+!86-GkR3#cw_Xol$x(&-;`cg1n*7Fp~J%#t%>&-3%;N
zj6~@2Xl&j3QDTzaCt|MW+HaBl_~kx*ZPRx<_o!ZFwU3f!L+$fg|K2f{HO<wkz9}Rl
ztw5SW?Z?xt4_I9OWOAZQv}nbBZ)D7`Z#@#I$qP4P2>$4~U1cdTyf5>wk$_c1&K;h{
z__$3Uuaq<T&`t#Rofl^qMS)9E)WF;{{g{^QUF)aNI+cV;n-BkDiK0JoIv+3W0Uy1f
z`0`5!tREhIKduX)bfy=(GTt|34|41~0lg`(DUiuZ`K$Ra+|}8fE!mvC@9uwRWTejx
z;AEw82@2yIe>Cn$LM;9PaRGT_`OY2|X$~mn5&;ydu^o5g(SK1);eXfj&)qz+c13n0
z25Ildcsz{a*Xq*^fFSa5518E)eU_lmlnlZY91MB%jv0*8&z`bzz$c$N_3`Zgd!$$1
zIqHwT8;PV88dTML;rdg=HP&~Yn?NlA^!5FJ5l3K7cVz%Paz){YpjA<!{^Zz7|GPH%
zQ$==P|M%#tT2YHu&7dU{XSaXA*#8@ND`>StUq$d+fkqgc&g_tF6q`ou$L`p$Z?U$)
z?B(@j>{jx+Ijaw>fLGn^RJBkoX(NjMHD~_@XToVXR_<;x{EzC7?5N+_KWw6wY<^fF
zuI8*aSAmvp0p`fC+tY&{DgEz^{c_X+I9#OE0k%02w7rx)0C2k6!3v$K>~+<Fy|xT5
zu>Wwmi$#*fSrvgZ&sL5`@vLdYBBbJ8vwsqICAKG=nRmAVFcuQkgW2jH5C@F%@n0NU
z{$CusE5iV`^W~_G!^!`k*JB7)!!Ev>`6f62>1FQN4*0ezyX4@#?{%C4o43Q^3MZn3
z*6L&LD;$thTO?^9wo|snH@ZaGVakUsD>Fq)Gj=NV<;)AL8H&AMUY&lHbO!*c&5YW(
zR7l&MVi;NMrajh!g_7jbAH3DUE<AmsLv}>aDoNg8cXnZ!7i_%sq!V{E3bPiRfY92V
z{kAL&PQ>Hn4qGbkJ$k)T-y7`n^-Lo+$eT-i&uX`kM&laWu6+Im$@dkuWF8Cbu3>*4
z-~asxcYEQ>B))pE#@2QR?r>DWT5vo<b@wf>^r8ku1=E`%5LrVbYZH85R#L<{f$x5W
zPfdhpFLSeF{SA+{4{1D;H(=DqB2Mq>HDBS2n)iFz2>|$Clm4L#(v=TyI%t}9uwSEN
z_*Aa7F9;J2_8k{EVi`&E`p*)AVnv5<0RsVt7N9mL4@`{ovzdrTU<=MjGj*P5BWs;q
z$r*$K_{JXA?*kw!d)&a@Of<DDYTrE<yazA|G_QVEirS6;^%VP*zI3^PdYpmcK(?w4
zNztP{niD{TQ2i4&&XtqBn<WM?kMWQ84<@^+`*zESYCjD^ujo`^yT*M;wv7>#M`uDJ
z%a`k7b+xQd7CmSNd*N{>4_n%SO#ifQ4D0SS>gJOb_tO=ji>X>a0Ci^;(2$QQEh-iO
z(p;I36bt`mlB9mbc*eI;WN*tauBBgNS?*F5Bw9RXP6wsGMd%^rfZ<Ut68_C-mBVLE
zbZ3qgABowwa~1K+{u4?^SJz{CIR7j!kB#7QB`dnjK)iggw61Es%oDSp2HT~BQCn~S
zLi{YJ>K|_77v<?&7OM+Fv?Tc_c%0N>OZ?v!&=TNHK|6naa@9R<IpsG3*sO@bLYf<P
znCGnK-x}9A!IOY~^3u12)4#@elz`UUoZre%yy;}3OwPh6kA|h|a~bLuBf74vAmTjz
zZPIzez4=YXbOOp*Gnc@nOq-9Jme)h){jO#_F^5^%9jnY7sBY@aaDFr~@l|hG=eI_a
zT7Z-dzDrbod25e3vs@h^b!PZhx81|g8ms#N0Au1ZH=F}bM-wvvNi?Wh$j|n$rpRX%
z?9R%kbFDR$cHs-N9?GV*o4*DU&dSqKziEq8+puO=J^)4m4nX;OLpnswuP}OJ!bG+0
zj4F1w?%-8>d;4IBbkvrsl~CF3e7^nMdmZq^yE#Fv*_ZY_;{>GZF%<`S0M?K{4{E9l
zfaiv;-4`h}oo6;VJX!)!e)-05ioXOF3o4P6*<=1z^dpu$3^XnF^vJRnR}TH@;FXEv
zQE>4Jo_6WXKl(HxO#8fE?G>JWi{(TG|2CPI(;m9M-Hx~b-*+;owz(>MYPF$J=DU2q
z<d_aUo=r`ont|hgi=|_tB|wF<DrnrCfk|$@8t`z9bn{PR3rD0K`eQ*Je|HEIn(@|*
zMt3Q#%QF}ll<aOz{<B9#7R?t=&1-ZETOYbA%6CUeA_ssHWdn0l1nmH=+{yPfR}y8s
zo9ZogLEVnXj^~sqVbfV8U`Yvb6M4r4^$m5h=!dr)!OaDf)&af>=qc_WJ8+~yCyqBw
zpO&M*&o5N8FCKJ&Kd|d=<?VFqoI68P{$ABvOOHgMk$cMXa{8|cp!|;MN3UWO0fNW1
zLYCXl<<HN&0G_A(_WrR42lBbyxCA9CWWQX_mq?mM`pZOPY6Za{paRuVJa1Y%(&KOV
zNv`O@-W<H&adz&PkawZQ%Lp{R<B(>W+$-A0ZC0te@u9~zEcQ4`Psr(~p^=f1H8CP&
zPl}A$nW*juWc1aOzGMMWt%b|l`vk&fkilG{49PWMGhLro8bZ-#_SM|ys4d+9#>V=d
zta=>@EZGMbPLxk{x248{qvL5C`K*$~$a@M;LuLe}+)zT|^XG1fkt2I9S}kmKE52qQ
zXF{7&507lraaY30Uu#`__K87ShiaGnW!)IPG-?~&NhGH*)q?<ZAJtu&v+952J9wq%
zg8Yd7>Hi#))8{SPg9ks?T;a@`TWCk}Y8f5i7mf7UefZ<OGa4<lqx`c#;Za%|+N`Gf
zAmKAISuk*KcjX;{WPA9mDR9oZq#_CGS{58}d^8E~-N25lMMB`L0a?c%T*b-7lLL*;
zIPu=rd1cJzdS%NsPyJmx73+=-T8OS`KJvxg)F~=2NPcW*<7jYX4Ft%Lz||)9563HK
z{~tbkMgPA;?JXNPnjQZWQTJvNA-s3j!7(6L>|NtfphyOI+|atSdv_Pj$No=L-@AKL
zTHnC*HvuJc*z)7<PBmLc``qof<ykg{*r-S_@U(LJPNOs9;y;OX$(iM`UE;iR_V*b3
zJXb99+hXFE=$<I`@();n<6mudwEn(|$zAGD=6WA;r}#n|1Vq^pYO&k#TKSW-M4}CW
zC>9AJBgVuSo4j62jW<E08P;fzUoq(kwgYA=@i(R}rfVmcHlovP$s@cP;BucJ=Ql9v
ziXB3tY28_=IhsmSUPsQEy*Xo;AfUkapDlsW>Jevqi>@V)uRlDl>6c@7`;lq7Zo$^`
zSvAK`r-9X8*aGO{(+Gg~H7y6y`xPEp*~`;v9v)~Vf`+4Kg^YW@v8mKKlJr|SsbKq{
zn4Xu1xy+K(-a`uS7u1Bu`6Q}W#2WMr`l_WJa3Dt@;SC*{<PC0uT%P7HE|2NSOdD8V
zg$9h0b2+DoB7*cFRW(Od-0vy&(S_tZF$nIOc0k;e_XySgXRZK?BG-#=^qp9L*sglL
zvbE*d7ufQA7K%t+A4K|X7cqW>*wbiZb;<#4c3n|e6}s}*l|2hg8qk|@;s@>?D&Os|
z-o54G*&qE57OY_k%Hz^7A}a~&)^mM3&|mB41uvAm!sq!MpdoT9pWZ)9sei*yOWi2|
zh~2}Me39Syoy!l#9Rp(O#q5b`bwGj|4{%Wvfn9=H<x3MIqoeP#Y{u$(v8QFQjQ2`b
zD=ACn{b2?Mr_l{9Z|u&QV;E9Tf|~Eyyl@QqxtO-(P9j%Pb%K@N>YQfP&V)=l)7`g+
z7YFJ#(YXED8iUY9e<DE(Re2x00*kAH?BBWI(eE2LPyfPH`J!6@=rza1!euCrY@D4x
zGwxcjF!?i5PRo;CY0oxvT4<w^Vw9W+kL^{60dy8kKlqm!M98E^9X@<^85KoBnU=5T
zVYl<vf1AVc4%FBgiRcd2m)~a1;^%UPVsd3dvv@s23x|Fjoyk3Ii>wD*ybwPnZ!Dgr
zX3y>VyiHX8<LVi&6l?xHn}}|G7sJ|ySe2T-0y>PLJ-`KF0Q-?;@Ba$GjXrH=2923%
zeOQ_R`OjWzY<)v(W4Ujy{XY6Ie{{Pda%-`=-=MOp^xl{HRk%DZ^kGN|Ue1~MCvE8y
zBX*#9(duVylHMc(dmcR8S|Ch>-@ErXvod_gaQhF5QMc(y=-9N;V@^<~0w!0TY+@<!
z5U^7^<HYXN+a-VWg4dZNJ82OJz6me-Qdb#$2}|r(>v**0oGgSuT&gzFHJHK8Cl0f6
zU`FCQUC?jv+pTr&&`&E7h#IFGx?_p!1=;`EuU?+>Ir&cqV1XafG=G(K?!}Fg=+L^#
z_X!C+GmXC44#7hg_jq5CQg4dOVoz$_gT5n;Rd@U`+n$ZBCk~Z*FHO|nxgEJCvdyYj
z%xqElbo&b(zMdfY<<meFBOUR0dm*mkF=;5`cH8J2uHOqQQx07$toK)%X3>{EpRcUC
z;E5QPIglk2S<GmRmrf2BdYg7>(vhJ3%Evt|9u2nD3LrXAqdp3KkpTBetNvY*Ufspi
zuU0}tnu**Y0jP!@Dy#$0dKWLKJ#(8MxP*`)BiP&I9kM>-`V{Ly77p=}i^lBy&-&Fj
z>wosQA*L~`Tn(7~>XWzhfeH!IrpV#U;s0!c2`tdiu2Sk~Rttz5KC(JfZ~Q_^_uO9L
z@zwxlw?~6FuVNU3?39NjQ4@(ThYnA?-rFd%JWX*x+LK8kpa#Z2SWSc;a0KL33KR<E
zA*{qjGv%I>;9_r@&4A)+;alwEn<`7q@^Us%hz%kmIeU2E3QDPXW9vy7r0nhPuh$NG
z^B+`YbY#fD%Uj=FB>Gud-xj#(7ayxJ@QwNEbbAW1Q*Gzh`^Rn)VnT1~h8M+_UOy>-
zVTWbzOxBZk?4&Mj&M|dDsHAl#uOCrjaj-oH8AmgYgr};#xcQ#!Wz8Jq^(NFJ+Dsj%
zprHoAkwLu^;DUwBr8eFIs(ZnlIVI$cK?YrKnBg(0yoG<3)L$I0fKr(~2Qjqs`214S
zM|xJNII(eHgwxRDPuw+iz50~R6Fc-w<h$7SFx%LM3j!IhQe%VDx-`<Hh73!5MxqCI
zxJ<VfOd0Va*K<P>gnr4@>)=hn@?C(CRR8YB&J2lwR!cxWaFNTkzay4+>4h%!B~UF|
zI7R$EYsDJ3GVcS#>l2%cUwPCgqJ2n2HjA!NP4Q{ONQ#^@%>dq4Qhox^P#)hpuK_Or
z-cqGJuva*6{m@HU`GfpcSt^d_0S$oWp_ZnQ2@8bl^QCy{H#wYFT>`x)AMrk%j~*Y-
z);PqYZ`vnxg!xi_7}?2FIqZV<#d5)nxsOW=1aXl(e;~8@`C6Q9=xV8lCHFr~h>YP3
zorj(vgV&rqji_N)W-weNUfP&8CT6qlDdRg*kXnyU`$JdWdNK+ZdP?}MGC=L^;1^rk
zjrXg`AxzbEWh|&2^!4pG>=b3Zsc?I7@UZ2b29O8gX`aXER(xHAUD@FAi*s=b1hM&3
z&}zb2M)s;2$?T!;Yu&7&*V&;}+0aRqjLrIUKc&4w8s31G6zy%k)b&Y~N_OzA)C?yK
zo?c-%gp?@cO}`=Ah)&&l2<Ufy9CG~+%HmnJwW+MET<0-x><Lib{{Wh#OhF0FAC1od
zXa1}PXYCVLe^746tE^n<$x$@H34}ks;(R~F4q<b?Aydw`QzJZ(#+_R(Id|N0in#e>
zu2hc&{935<Z9BE^nLmKHytusJ(p(KD+kSpe3utz|@lzWgB3#tS+1Bd_HV+J};x_i=
z@JE(RU5mPYYMVg2HepOj4mDjT^m>AEPu|5NrMwVr^r4D0<IRnE$7AB9TdN*lmQ~K1
zDlnO+PTjh#tzktL5ZQn3bb^p({cVe>JkLDQ)BZW@mF94rWp(93dETo$`xSs!EXxj>
zHE2#Y_>BG7UPfq9mT`z`q=J#e7g2S$&o@MVxb&nPE0?{Y9kmN+=a5nQaq$WVz=xjh
zt|fvm4Cm{L*@Z2%b9Sk4?EpPIT6ui&@BmfwnY?3zNWfW_d;KgXBe?#ygKNw)-SqD2
zPofD5+&oSzmsNDzA5ZZM3Dq-Ou9%E-ObPrjjEx3OUuVhAk`wFaE)h`UoK?CtmG^So
zUaUUR&LtqK7R5EUc;Fn=DTUrMBM6`LCy;*Miu-^zLJ09BAFtMz1@!k1etk2d)fdQ=
z$^*2kv^PRzm1zm~bsPjV%WpPlC;i}i=tV>Z0M!qJv>PH~lyWcN2X%f!>dl^8Zh$-n
zbJWg7x2I%Wz4AOBS|)4S%w{nrcCI$Wm`YM8#S@pic@*|2G~8T>gI&&%V^0fH1@Bm-
zh59=mdn(q@3-j~?OKACjS2|iGeO>p@J;S%T3N+SvJI4|LO9c*%AeCG=B_veLLwjCx
z#r1-|se;KA>6diF!)hyWqh3+4X`gg@a_*GarPBFmoj~H7B=;(zSu;4*w+}Pfu8AI3
zG97hFe<Iw1UzSP_>J(Le%ekuYQZe~})%s)~Tbp0l>hF}xzGKxeZP(}bwN^ub+@7pe
zXm)$3OEmJVoc{&gC+iOy4N}^a$}20)D$|MtAADcu%51vA=k5AjxxU`guW4U+Y7`W%
zue<SC(CScOAs9d)R<r>-UIe}Y#fmQITYXf9zx0~vxMxA<P`6zjF8W2)YVxPID`Qvh
z?Bnx0{SCzJ2O2*Mn*O`;d@f8wmNto#f`TvA5Q2C|9KT(eZ@HE4x--VRY<I(jjth_g
zGSaoUv&|7$wjWeqbj_f?ANrbYcNG7JFYYKlDr6Ia6hB%ztvTFccj)^hLDLcjT`Em`
z2~cyotC#Ros}!-rmahRBPuWjbzN-f#t<vs^dC<r+=S*`i`exb5Tmw9~i|70S%i9Hd
z;)*x+$VMPg%7=-kL4-p!`6jRBA1f`CTB*TI@*XZp4*g!~wJB9<oupg-c;FVFS*NwU
z>B*10j;`hv3(u0ujqGy1ma*^htk}zG^|!k+-?Lw0)WgH!zjc2-6jy`f2z*g0#ys(h
zZMgk#P`Ox|VmXg}mv*13yY{d?MbmcbFQHLrCyq0f`JT97@bfU~-C#g+1RB!t2$iOz
zXFStxDl>hqK-gd01@Ddkielv~isoyJ4G?!ndzB-4yhR?UBQ#w5S0+A9?8xIUm)b7&
znu9bRt|=QndMY~7DXOIhydaetnwv(P=TQVa6KQtpmJH>yJr39%bB0Xt26m~RU6lO-
z5JLT_(}02$<FD`?zWe4_sjMHz_-WJMIRv*(-u;s4HVp%Vg6>OiNWE_&GTzOr6iW}t
z8_U>AYp9}uRfti@I`WAMiUf~umFYvLCk=Cnp&hioW(a|4s5@RPgtOFiTLIOZ={eIE
z^v33CF`It&N(9K6ccrfV?{B7?%08_IPp%X%BqZ62IhR#T7>@!u$|Y7%*Z%YH@!EIK
z04KC=2npP{U*VpOWl{o`;}vKH3dmGJr&-v^qQ|4RTQ^f&Z=HQCJRNjI@Q$pb>+?{b
zYp63`Ki($=Jxf(&m0a%oG(e9{lJ@|@Z^xkEph`!I(BM|Pfbbygay|e~h)di0=Y7q|
z&wcHaSksxmIco4}rXj>DHRa7{hOaL}-s9dur0-O(zzK<-%kN;f@63X_Gi`wY^J*`_
zR;E1-Snp_2w5hTt75@)*2+U|t`fR!WKSQc}M!F>MdO{0@T;ucq#4LTtFE+DpFqE2X
zTmPt<s}rZ>O&UINB^UDVc)IS);~SE$&mdg!H0_%g1+5ld8B4zc-YxzVVyPK0@7I|D
z=v>M-EgND400<Lk+#~jcz(8~SB;K>sCF_7^w15owvr^vulc`LB{UY)j1BN?4J(H)!
z&*t1zcm0zz%QPEId1WdkO-VTn1s^4#bbUV?pgL}h!|nzVsCYTZq)Ewyo@uRfaBC>V
zuF)wrKZ-WvwFG2>>K)Yfp~H8d0wtSQ<3E35AmY<i4J(kzevQlLl*C=L4&PqDoO6lg
z*XuPE-ZP^76`AzxwEoR_@zdp9#rbM(t7UGCP_NYKWqA}~g8J#{jA|$WsS2M=&Od2&
z^P;fT!mrWdpPp4fvtUVrG3cvWoP#~7690*~|IgLh<phyBAzwA$-@Pv2lm4?~NIk+9
zEg%K5K4xxvrb}bMHsFqZy3$+FExQvuw~RL|iXp#beNJ3x*V7c1cInSDqk<?Byq<<a
z6|o@{8Z_NHP61G}UikKfU$s?s$_ZMD=eeFH4e@V(j@(m0W@Q~~bUcZ_oRCzW1)ysB
zdoZk#QHGwf=?rqg^ZtdXcNGPb3L4kVv|RgX@u)BJq|iRr5;TZZg}7)*y^jWomCn}s
zW$A^C@oil4vw&NLdT;LAXbS$V^gDPW(^D#p(RTBEr)Z>z;J(*l&XJ>fR00Y&YkN%N
z?)B6Y9{!ri(Dw^<(&NMkQsr4*g+jpxNl6cH>ds68BIrE;qHnBI6sWuJ0VxYmOPrJK
zkQqL3o7%c@yS_pji1I%MGn@V|f4N5jouwbG5)=Bkxp%Mr;jWAy;}=YusVyYa8+Bo;
z^Ov`Q+&?%dI(WT9W;|MAB1=P}yX3z^-s>tg%Nz7a2mWfq&?gcBRqaQ_%*~eZIeV;5
z+1%0bEPdSHm!{IUZD=R8cMfns`P)^hk{OkHI)zhtCa(jD)a-wKcC4flXx}k`-$bqE
zr!U!FPkorBV0GQZ$|^QRV(Q$`kl};*)|;iu_!P;RGg4B@rGC>ju3rPDZ~UIRa4R7t
z@3ik^g&KrM3w6_Q;DC=f_-;bO3w4i?up1_!&gztE>1prD+NIQVF%v|G+1E1HCcLmT
z!*i0`Z;Ezb;Ud4)T4qmm>-zIqK#=+@{>&qv{{sJ+2^@Qna>B7vCC8TWIEC_R9B3)%
zw_cQ`iu9^A2{>g*5hs*Q#oHpPQ>e3$X^;nX_F3JNjmGs6LsZW4|6%L8<Ed=_e`O}C
zXvnU_$vRPFlS(+s%HEuVtRj15M5*YJb+VI#>~-v&<e14mW*o{MacsZq*3<aDo?rjf
z>(zbk`?|0Dx;~%xx=Kc?airY(SiXNw@}iobF;pNIM`$o}-5FI=$L*F&9Y)E4Bv*Qs
zg{Z&^Xh&;w$>$&5jVHBZ_FUsUl*vVlapzC(8+>dty!7(rOH8Hd5KAGu)u_0yhP|(9
zXhE|?!d1VJ-i{xUvB*ywWgmgY58=(#a{*CTrFth(nm<ftuk^*4%h&BR6n{@suB%tB
zd|DW;Kmrv0B7C`lF_617F_OmM4CdR<SO4r3X3T|IPd`L!?V#9k{QBW2sOw5MUD&c!
zQvZxgV2fw15pE&~hNTwPpf86bAeI4uW&x)#S^6b+?36#hKZ`Lrg@d@r>PU(&_C+E+
zzbB~{mH%<l3zSMl@B=ZH2c3q1%p)TK??>w5#o`cL#&)rt#wuDx?_4$wf7cZr&(Y)i
z)!aOVa@PS+&^j@N@107(mjlyBjKa|9yNrzH7mZD!tTy(m<Jd;0^pD<m!ZnNGWE6AN
z+Y7ISE!#i+`2M9wqz9BUKfe(zfA)lp79TftqA3-JYT2V_!kQ4`)ASq&&cSkFZ&<2w
zmIAeC{&kc{3Vl7oVc;TH!YDP~#Kw|1zvjLx5>{H%EZiY!ek77O>T8VZNMN;k-qN0Y
zmMEsE-c!$L;OV<CB!(7sNYFD@0h_T=8@r5gwbK&o=28N2axU~VvVZJiG3)VrQDEgH
z4LrBu!sZnaMwd+G!+GENaf^SEG%u%0^ybp+KhMB@l>qhC65FL^O@0KBag}YBn`h??
zf`YS3-?dHeDuQWPQqQPn^&UfcDIrySeXwC=irdo3g=OeXCbLAoyph|sPR_!&FBFK)
zxtqd-A&Rskvxm2+^iS_@Ay45{E&I5XNI;86Gl-NH7!iI#gbX)tN6z1gsrO9(z#xj)
z>`jx2*XX6O`XbBxsk`F-6PN%gn|+?&(g$*$S%-xyhpE_xo%u*%KK*9VDM>Gx>*-UU
zfJ%ux2=*BQK8~w7oZv<*7t>f@C92gq4fVatf0)-AE2^lc7o=oklY&4C>4}T$A%@4M
zM69itIQb{i-ZX&~fkAxi^SWq8HjL=??Xi!L**6n(|C{fwCcfXT*e<CAkblYw6|uHH
zV>LMFnbGf=IVL8+`+iMI>kQ^ytA>6;1pf5mD~Gu<6M?F_^G9e(*a&+_F}Du|*-m}<
z60<Pfj`eXtFjGtMU0cPo$t+=5zMOQEhW1MjEpv1zb=rNVbs658Fxh=2y<io#R)6Fy
zL;^yk#m|i#$f!@fG`3nu@t-dB#YOQeTMU(oSl_?@s?3QS2R?Gb&gM2^I8?)-c?_fF
zKKV7V1$?5yYff$6YD@k7F;x`DuKZZEv5mQ^7KJ#=e|M<Vz(pV)Ss#&WYiP>0s9Vul
zR7_N_BYazs(!1{+b}|SC3pmt3!<YABiKJuMDsj7oQh4X_hwIEG?Z!dsmKa86OlkBS
zAfV1k1KOahP<?J?!g8Tw%@ct6_f6_`flX`hSxG`FsNy1Cvm1u51{WQCWC>{z@Fzso
z&zBL3OrnwxH-+!=F^BXsH*X0mB!!zQiNRBD9MiNNJ7K9s#li7#ds&eENcTf6s#G*o
z2p7|8&>EFmRM!O?KSw|xz9P(&YBBk(c}%#Fnkg<rKlC*9ReB#l0OgtCF;@|C{SQ}W
z!zhk~rgJnJZB4W*9rnd2>5TokJAx3z9=#oT7Xfc9LA4n;g)t5ZBfHa4)(-6U3(5YD
zLroUnI+KMg+gVn*uAIO10*=(d&Q3`41o!b>A>L*hxYl3mt+8|sBjzdgkKxDF^zHXa
zm3H5f4D^fYRzN#HmB1@cz81OO8#Gj<Jtw6dUJK_!*4H!Yr;)LpEh>&4Ns_5Zh_5>V
zv~EJU27w7V_sh|nr8{UCrQCyOp{L$G9v$H)I#|q-bALNM`+FFE7Cqt7H)8xfQ^(j~
zZU*^gQMMyqb_;BmN*!=uW3&JrqvK)~5eLfj$()J>p%x&{u{U;nS*C#7(q*6-5+w^8
zt)50{I7BZ?&QxFGsWI2ZvKQTC=402ZsvUAlwf=T!pwz4&qd`gwtUqn57eMP}K&^3!
z2arQ`L7wO^=9p4~y^fh>W)e$SX<c@9iRsf8x_d(+d&nDr(sAik?AK;Ie<<JCCpJ$P
zHdwA#6Bl{iIxXIImI=TSV8|!Aj$_8~o`ZuyXoWLk1<kGMa!e@S)<hX#rQf<yEMFCW
zv+HuQR2~~PAJuji%yXfM?R@hl6m~Q`lj4V;i(4qxt<u9J<p;Bf`WCHSixsrBzjL3u
z^d)EU)hX+^N}Vl>k9FQ>gJPXkX-x}tf8(K+e~q5QqWiaG{nqn9eJ!Vz6K98m3ljjE
z@^UR(T5Voc#-^8V_1g9zliyn2OWvH)>j~~tObqFjp!pW^T({K_wfIE8`c!(ZWH*VQ
zO@G=U-1JM1aB_303bFZH`>^9$k}0Mp=%Ld)<j5^_<%BLnx(RC*`_<Sd2N*qI)_zya
zih(dwVfi@({q2>J3qMJ7vcIak$_w=od1%g<Mn5#?tH~<Gu8{v+;n~n*mrgj7bg3>X
z^bMyx#aOI!Q1esH0nazoOrlLgPNdNtW7QX`+=C9d6voaw*q+A~+3eC@I+#20Z+LAS
z9HMu(iLs8y=7-iUz5I8@38&OJOCf>-^`pg)JePs$rBj8K0N2W3?iA`Ba(Y+g6kR5$
z=#Y>M2?%(g8&2hv9Vl~319ma}lCQkDZSp~FV1GJz+mR<Q5hu=elR$MMED3;78Oh0V
zE{h{}3*pt?+b%!LN9UvnIC6fl_`ZA9fxh6#U^6!S!2m4>{O3Ne$^JDE7WeD~kl6r0
zA3Q{)e;#S{x`~UDPR!R4VKQNz&ffWyu7e%mIF}&UP0&2c2b9=hu-P2-aeMm&Rt>aD
zT2iV%FBnmI%~YwoWbI0a0n#4+oVm?NDlfm!*ZeMkgZ{nGx<p_ZPJe4SIMHsgJbMXx
zc~DygZbWUgHy~Fs0eZ8TqW015*_wRrKf|kPg$l`@20~4Uc=OT&8{4~xpX>~H^Y=k-
zY|uN=u2WY~apx*@hX5E$I0ZIbSSoa95zvz-Kw=i~??!PgUOa3;u&PhhCp{-K`0u`V
zPVImAAhU9_Syzl$2SZm`VFrVqh6D2Y_s0cRSK5XMqYJ>p2R7l!CnaIc3)`;Xhu$9n
zBLUiPi0J16LV~RyH8@%C?JSgad^ZmXv#@UpZRKD@Sx0P>NX*t@`2u4-`2Ab2f3Q9(
zre^8AyJd+}4O=G>Qk}~A;_!fd)nJw)3>#M0upNutW!{>c$$#OaM!_SmA5np{(<s2p
z4KFRrBba*SNBb|XA44vzsza-OAZLl-2<K?Olbm$rwAAXga`#6`Y=j3cP0xjFAG~h;
zS+v9(ls$RSm=o+`<<OT;cw*uLM)oZZ5S_pGLr}(zlO(a#-EJB>#dO&@<^{UX3^z1Q
z$*=0$wr1`$&z)-}ilpQL_p70WY8i4qWt$jxOlrqx>D#&=_B@8BrAM&xYGK^>)6Q7B
zqGIpC0;nNont>WfTprujE#|q?;Bu*EU~8dN9y&zU0z{iB%&)9kOobscYHBRhfBw6c
zXj`FhNtiv<t)~*PBm@y#CLyyVG`~Okk_jrPi273-M+P^whWbaEy9OfE%a)0y<BEW@
zzXax3&)+ZY<QsH>ZO5b4q4+jG$JX`Qi5<Jwt+vNoH4jJRdOk>iRe(mFfYqS8e*)@5
z<k&ptE{l1tXT@E6c%7Ez8V4v5weVX0BCiymr^5-|{7r3KQa<rOf|EWC#6-Wxts4!a
zX-GAmp!_as`|gU0vHc*wu8`raP}}g2AM1o1M&23d>f_-|qB(7{-cGCZtNmR<-4WRa
zV){We%&1cQ{LA-j7%0OI!ulEB&J7kTFVyV&901YH+=;D~hxup36~B-RSsy=z=`T-j
zdDLrIC{i@iZaa>YzVZFtUz60@l<G*t=Xel1Q#5Na_whVtc&e=rSMAMg(GtZ~wnU1g
zlX|3V&$QMdQ_~?Sa`kFV0R>yBF5s+r0A=tA@8Y1b1}6YBU>nQQG)Z0a*4nH}ZNY=_
zdRe>@Kya*&1B_1gLscuqVI`d^{M~#2#xZ*F7aSX15Oy&O9!vm~$p737E?q698_SqI
z0~|idAWnf>75EdcF<@*53b<5_V86Q=Ddn3nLOW{ir^kQLNUUwOM1Nv%bqU6g&(}M%
z)$l|MuxQS9WoX>-0Spo7)@CkQttpmmd{+G44KchtBA}iwv5y~&dV5a_A?CeRB)Ksb
z;8y^wUa@e<CPNp|05GZ6*2q}<azzju2xDbsb+-%o-@bQpX}m$md8WHlyw<6vI^5%W
zOu<~a!>3?Z=}RpU<vO(S(aI1bl`T+w=_CdbvAZZ%$Z4$qx^HUiiLw-*8?>sh^COn=
zS-Qfa!VC77iE>O=-|G(IgJZWbNi4+cOyZByThYQzL-pn#o*u_gx47&o+Nn6s77JTg
zOqei@z*WWH1S@?>I@~4c_PEF*>N7b3Wa}h(4NTH%h=QuQZ~-cmnZ-Xv@W;V%lI-G1
zi7*AU{-|_T-H*i_PeODK+*#sO$CX{Y-GDP~wvkDKxm1Mt_BY>8N!48=gC<54M*4};
z1F@@HV6x2(S7-w~Kid6#@28l{=B;uyfV@M*_|Lu{!U9<P3L$4Y!SfC<lAW;9=KH06
z!*<ap%?*`(dC(96_7~jxJU){xsnnw$DeXGElu+q847ks{0LQ&9E-~NRnaYK@K$u3T
z)OpKLl{r15^I_hOy}H-}{DOPa3-HdQz-nK*-@Lg>L^pw!8V!mrA0C~LyQ)i~=RU3g
z34U%F-Hf5@Ffxjnnb`@Lza2ud0N#QE#7@#zK<vcieN8AnrXqz?Ly^!%oF9@M4p&TR
zD+fi_0G~z>QgXEOUZ_yXUTXX-vOj6h&zWMqEr_Fp?~VPI0=j}08#b*&N9gyd$;=JM
zB$HT7gv^zk=1j4&w-@Q~zDK7qh{w0dxsse{)zYnWdzi#JLLDe@S8_QJktjXPcmA>5
zK(c)B5xeJqW{|qPe8AjDl|HKN4bmSpTXm~?<S@vWC-<z%OMwni5WNv`7IVXB#2l4n
zfIAvUk={TMD4lD>9{ur}#(HQ?(6Ag3pRPnx?0om>(|0tvJNq}@NK0@Lw{{)D)C#$I
zOhf4?Svt9C2vTrf%yIH*+4xIi2L~kyyTKw^F@fXtbBrZfI={asE>6C~632jdMm5yN
z@;J7?#cOEm{_U35h@Am$2|`hof>N#M<g@WQ=Z2ePCnyM&%%L06M+p8=IYJEY9|d#y
zDVvrbIqfPjz>!+1{5<dFn<ub~d{jY@Ac-*%-~xsfS^yWg50vor;dXdzhVzE}*)^X|
z|Jc3+DNhkqtv^#n9WGA~RTClXn0_QFEM0+VW_@wgq1S0U<K2%Sm=++eLXMJFVlN^d
z_BjWj=dvOek{W6*H027uJc}t6MjE6JO<3%!xv##qwD3(+Z&LOKA3W~Fv=Dm;H^>5b
ze=idug-Y)i@`@L#*4hM%C3O*hl*lViAo_*M6Vq|Uen%bM)U_FSW30+o;X>sj$$_Ua
zfkso|G-v&VHR7C)*^1_bv?IO`!7Qc4c*EwkXUa{s@9m2~&9jlesgk2Quvpx}K^VcH
zNr;&JeJ6mU6js^}2sy|90p65q=T5W=<wq};(#LRIt3ygFM+>xNH^5Upgf&(K8`Myk
z8$-e$=*;|+<u_bfqCT`n<Zy89e=HPehw70_!KW|>HTTt*;hYl%qo0J4I4f&=w(#wX
zfck$qihAG_d!^{btEgoS<n7sXgMIJdqT4kek7MS0NSK`f|8UJc{|D311*kILPTtxb
z%XdH-){59AT1O7T$vy%=W#-`*-P&FC2e~J+?Joa@3-5ROpO7R9u0D*;Om+>1jr%=5
zsu7oWfjRU8wFV;TxVH@B7h_$~2W>`|G`k2AYG!0G)jC-SV4<}F`?+<WVoT*qp(JFM
zH5e0nG3WaZ3$b2HG}1n?tZ5_Rbt>5_pBiPNA38-(RX3*r$ct&X3}0jyUjyr7Bk;r?
zRPP24Z}#<_lGsHUm+1z*NVFN#f25j-%AnO4!^GMP%>$3~``+m5zvTo$dAi&&Xfw+!
zO^MrngF&z@6;wc-;*rs*l%TVQrZ=OXH{Ff8D$IpfSPDN=qw=s&@)83khPmD6tHwgC
z`WO&199O%-kEpxH31G3P5O``ziagj3to<4I8th7jFB)&+v=PjbW(vj9O3A-4rryG$
zRzyaeEzdvS2$u$1BLWv*htpPm2nNFdh(UjchuwqfMQ?&(06(hPd~Yu4I$ppQ$OC-e
znMd`D)|7uQ5xs>Y>=+A^sGDeG4VI)I(I2!q)1IK!UjHE61fP{Ngp+M!MU)fA2Rx$;
zhP$m2jIUbc84UMx?26y|G-h)#R($*EWfvQpOlnr~?x9(z8--eEU{=4I(=n0`crnS{
zA77?01)!r=#dE3r9yCkm;~0yWyz_OBIrfDTM~=UXVG^mVgzn$=VSNM^FQT}e%zE)!
zS^2}K?juF^Xt1jsn~#0-W)cGIm8q8+FH>qHm6eI*E{?pr2sZrJgqG-74nUF{T^23+
zJa{hzR7YJvV`_rJ7Zrg-gB}sz9k0#yI@i{#`<AYiJPqWc8S_umU7+qOGx~tgNPh!X
z|2<Kn3H3`fcZ{7sQextr`E}3SMDG)+Gp3Lje-emA%5-55b~cu8RHt$a*m1nR5XjRM
zmiP*&^)VM!{ha%<RJ>yx=Zb@!MA<($Wxt#PMY-c_)zbQ9CIFV%DMV=fPrVOs+@E5T
zSS2k~$&&<T;)5Qv%4c0M;(ahIOmgLE89P<A_Mnln^QbqmIWxEV5=2z=DZT*@r+1bl
zvM3lvc>`3e9cok9&vVyGuhJ)N?9#81{{0*IL`0qW=yCq3&j#zlwzn6gFQqqmYrwHh
zPOV0Dq9nydMKSr(*U!ADQM2EgdDAGgjA^o%?9xwN>=a2!Yq!t1ALAbog65%<-Y`jG
zDO6Xjc3+*6bx*Y-K`ZfasY2*rb^i4Ah0JTj?Ecr8p7&c`J6g1jcPhKkNA<5AYQeVm
zZqIJu8=NANY4IfZQ?sVtc!%z4|6z7tnJa~-+ad}_-L-m0htT@cpu=GZ&l>cKcVD33
zPuF)FW?6kIOGcp7%zLr^tpUreB=J{AliTl!iP=ugGQ1Rkx+Bsu!6v~YAKlv4(*QgG
zro9bwk+ZoqMgTdrtB<fuaQ`?oLPAI{5!U-?SAJK#ckVTYiT7oKctz@aQ>ukX|4s`K
zeBih8aN;9+g<l^_isJ>;t!4;~CZuTrh=dkihm!Zsu;b9s#0~vhd43#ZEk1dE3i_7Y
ztH~<K0K>Uq%i~`SP|_ZQ(ys!i2eo-FBIKU>1A`G|!g*@34MK$@Qp7;c>TCNAxiT74
zTjq)c8q`ydzdJP0!(Lz3+!aa$q)<$3VL5WPFBecd^-qqG5F!Dzd<psKRkGt;f4+_>
zl|QA#><456C77*<lNED))<y8fAfbizp#dH@`;tWpezk2qK4uIDWqzU3(Bnp|nD269
zZ59JFrhm;g9rW-XXa5?=FtD3|+RJvR^fM_p<vo}AL9T;E<5ps>7lC(5h{G=aoi%vb
zd2&=n#-5%oE((mKj4{K<MV#K9Fs15!*pdgrF?1+e(p@bR7zg{zI1kC4F|&+IYOOgP
zLZfYK<u5c}z=m%ZVE8#LQ!gUK9#y+~H^M<*+EaYZ6xS0FL{|NoBKj+Jd}(d>fWyZ3
zxw+Qi(@5~FLXW<wYS=IO`seS>mq1?TWhmqpz`J(`2L~;dzcv;)&-NPZf|}8Zz${`5
zM?zYX4BwSzZshj*JVw%vsFmRnb0p^33XmnCnLnS?ao<^PLe>W!y^mMwBo|WT6}f%b
zlP)|@^};2D+_&+O#T$S<`qmJ{?XvB{)Oo5!hxpGdJ1!Eu(OU7wR;`B)*KFiZRLr%D
zz#cW|O1efrJ9vjQu_AWi4Z(DfmaNTjwA#B(kT0SPR1}F~(Z$o*#<1^{8nn1g<><*B
z&g@WVtD1fWkObESDz6ma;HBv*A0uBK@@eSEGi`7r-h|{)AWDg+gm_af#=n--Zpm%(
z({Tn&mQMb4kYsJKkZLwt7sY<<K`q~Tgq+mYXoYJo>@L3Q9%vW4p`}3`CKp05mYyKL
zVDI*pA0&=-&|J1nA1_D_sgRQVN?u|gW43)WK0eay<~%Pzcl!@D`ZVS<zcZP7W=I~$
zwP4H0hhIDMPW3Km;dp5dQ|)mdvW<BwHw<{4RDk7V=LQ1qGV?C(X8Y}fdgKB??}LkQ
z1&Ye8PJtJ*vmwFZBWs%$Y2(rdAsIHdEPN@quC_$LQc^QA<UYQ%c|A473EIyKUryOU
z&1h)oDUG1&C4%s}z7ITwOgpWAzMSB8!!vKq8k8zWfNb%U`}mX7A++jG(|rK_taKgj
z|JVW$OsI=Wnlb+S);i^nGW4`z|90r7xe*XMO3nJJ%GUDhhi5{r3pWNTH}wwizg4`0
zG1C7vzkbxGkduXzAD#^Z`jK42Wv1I`^(oeEsKg;4PR2LUJ+#`$d+nYup0w^Ls%R|M
z_bfAW8+ORC)u672cWgob&2Oklk@9w}Q7;2vwYu0^4Kk*(7=gVG?3@tZ1httfI3CEW
z^%KMTN`B!<eS}`Ck{=kr(#<&q?o<s((0p#j59~a%z1c0iDPGWHsLM(WKrGS?AapVW
zf)aDK-EyT&>licCJA-iL)3h@`$u!M4c;o5yHmQxUvUk;0mH<yfF&V1{)Tr1=;qr|J
ztD7kx_~$?yN=kZu1I4zF_c&BjN}tn@U03ID-Mv5F`Wv$g^mgiqfN7lAUT5=~5Ugj|
zkqU8G%wOvl=~c#yZXWve3_bKB!l_Y(>W>eI90;<4r$)R=Vmq*7LD(COUW{4GeGs7l
z{WL(Hz`EwIY_lVT0~WoX*x@fKyHZ_Xm6P??h1d8_n&Jo)gq_sqj*i7z3SbPoSK$!2
z_3!Ad@v)jJk=tK??yx>ieG(cpGB9Y6$Z_Bu*OZw3q2~_Eb=S_0PJZd?GQ%yulwN0c
zLAA!34Gyf$lKr{J)t|7QAYhIDohG|m6VDj9-#9GGB>{Z}TFMg(TO6(N1y!S#LCuYe
zh?rOUHAcT*_%B2aJeSb@?)1vPA1o6YBjmH=RvZU?;%R{H15~9z?u!+Gg=M5+C1LC%
zs|kM7Jb+gltQ0yo!}>S!t8On_0ceTu->m+Lib@u`uUS}BLKp46dJ(<iQK=o$2<Li2
z|0ZsD`7Jf`(7WD6{e12oQ(XTu)|GmE(`4J-cHHMQx^%mzJh%Vi=y|yi5N)(Ny(k>U
ztJNCb7MmOSaAL4kXd&Zmwgw#_vs9DwF0_G2$)C)f1#wpb0b+5U@UZ>0LF59)Bp3{g
zuw^KO2I&Dm&xEbMOh&e%z0oy8NFNIEWieC9U0rb1oSm+d7#}T#*bK1ahk;KYl9i%e
ztVRKR08`j~njC;Mo6VDz;c;N^HNkcE)gK-3tSq8svS8!4ZO9qDmgk$}n`OS8KTE^Z
ztv#sE+**xascW<A>J+-J_wnx4FgrWDf=z7k)Nx@)aQl?kPk1tgt;Gi{e%e`HT^$4_
zy1}Gu!;ZuO|8>*da%WTg7hFpJ0JJoG{d|Co;ckfSrf5%E%FM3x>ZPhY>m7#4+$q1?
z^yYM^>mspZA=-0g@Ry#zM+{8hdwM5K|A%J*@ndbGyRzoy<~eOS1SgAztY<5c*}Ri@
z;t(G(%aDg;8&#vkG)^(I#6p-A?tnC(c_j1EK>k6{F%q&al6*L^0-oR3dfG!HXj+He
zyN&G&ij8@Tcr}lvVy`{5&~bO-_%3*g+<%!FU2Lv-Q$~r!1C2~c$K?*>7OoAfX$B0K
zvE!pgAHci_k3su;7zhMTTRAkGtaZ{4emn^<L3u&g5r8{J0wyN&a1AvbyEGqAP~2<b
zuc_{ukwRSd`w+GeaaGB107t2@;68hDbNSfuFYYR%O@trfsW~lm$D${@o&?;7G!^%>
zV5YclrYWh#$u|M(V9KTz!~}~;_LDtasJZo{nVf4a&{T;E0RJ!S+4uq6%L(5mowxOr
zLF7BTRGBq|Uk7W!Nd>T^ojnpBFX4LDUZ>#EcXb9#={(>C_-SZp$_kV+iSSetE4A}v
z#Mw`~pE)~|R~^51xr?RufZtbZ1lO)C+omaV9v5Mf${Ln@OD(Lvlr001=Y^Vpwp#6-
zork6~APJ*}g(OS-j$S_z$R%R&c?-*VY-T<y(h+>XmqG!Mdx7*k<!yk6aN$cFK<o#l
zItbP#tgpK;l)@1iQFC0<dRBf+ygUl&rh=)PQ~xY@FuRmS4{oeshZbetFOH>3&^ov%
z|9ElMXawL6nl_+UQNQl*0lfy0>a;U(QA9Go#fn*!qfXpKs^mrVCj9{ke}VL3XNkjT
zB@iUcr%GW*;xp7~)|fC^kq-C$o;VG>pt<TOM~U*kM&xQH<22+{&?z;QKV8zgsIRZB
z-x1}y=ujey@8Kq#vrGkxY7bcV0eONO(gs{yO!#$5L4c4GTwI>Xw2+!U<8MGpgc<Cs
z3NS8PVgj=%)*U%2R6sqN&q-B%YM^*xOsiPxI1<`NA6mWvnI8RUUdnqzx|e$D(J&7y
z(<7m^w)CX%VbkYFuMQphFw}5i|6*RUX$Zcgz#b^ko;(pH7g*i|diMLyV2Rc|sW|jF
zs^AQ!`!FfDh|b}_bE88}$?52eH#BuY6LMl_>4Gf^QsAn5Gm}4AB&UzZ0MZ78ygV`v
z)!>=SyMG+>h^^)m)PALZ1X96ZQzgM^<0GUoFZ~C2OE<IdQBUtf6X(d06Qo=VqH8*o
z2y!|$Tejf=9ud`L%UsP94G|zGW~?=$C<qpZ20O2&CwL{&ySYM3UK<;nT|fhQU}B<K
zINxT@-0IXl?mqkO<B$*=1??>Nu5egDFi~`Vz8t$a0;VwQlHe-P%W~h)bO$$owjT9<
zV|2>g@_m1Sl6lMtklj@}9&|dAR^wbl_=`^-K+OQ|dJ1eplyZkU0LQs`wJ$6Z@)5lv
z?NAGzhP+2DZXblMpXyHDeQMp{xK^cdzdi!*P-D2);JZP$(&xL|x3ZeJZy;b;egTxP
z;Jk=G9tCm`SV#1Msm^nNo%BW^Y(d4SYV4di;<Lj88+_AIjk#(<FI{Umj1g;5(>DEe
z`A#ZSSiYA#rjc{M;$o8NPO*?hy&2OLmt<<TlG|@E2Hf*bz3B4ll&P4ekBZMNzJ0hk
zwfXAkF&aM67sebZ(>bj@FAehsB^?sVKh%0y1t??%6ddi#xoY>>zTd)DLO;|6Ydl9W
z_zsB1A^`tDwdW10?3FHM!R9ijX++)%-To4tBXQU@b2dW$Pm>Sytbr}ZBt6a=%rp!@
z!m+Ci+z7b``4%lcXzb1@bjjWw2F&B5^r-C1VaIZ66mu%9gO5rLPG_}d71r|Q;>%hh
z2Fk5layz6bvP$+s4S{eq$#$Su-)S~UYO6tL>w2gEO4N5=lI<9BAm)RD8yMb=`N|Ei
z0QsC4IE7_rcXYqXz;)Q!uiWvsxCjs=AvsOKFeVDYgKFyi!A#ao1<dLnNUP0UUqAK{
z!b&s@+Xkrh)}D)Qp-qCmn=PPnmHdMG)q6-)d$<E_5Nf@UU!J)&>K5x(!LEyo3l6~7
zKsclbP%d8iVA{4GmCEmznaX}>eU~U|%Ok`(%<k!1@9k`M4GvyPx%E<rDPaCs*&$po
z4f93sEek>GOIkqYGq>^Ot_(lu2dN|Wf27Go0`!Jgb!sa>W`hKrh*3g<<kiZ0Rpm(}
z$A$dCg@8V<92_Lk-{RfQ{?lm|4)i20f9bt2xkG$T)9sN1eeLitNccr_gr4*wCGWpo
zhRK}Iw@yx=1ai+|J52tOAdG7L6q!u(aU)&c7;DUzvWK=z_y=@|qeFciy)W^P5+7v^
zaH|MwoyD@4hIsGIWai?)76}m?(ZEnVy;Z-L<OLe8uAw2@!Bd&{O>tNI49@#5pZ4YS
z-AeO?0FBGY+x~kCi+guK2x)cYdM`*i=JVZY@{Q9ss`4n_S=`^PA&l-;_*(Y5;y?aD
zu6`*IL7i1ZV;zZn9ThVzvQgX5TzK8K^fCaUG{S@=3LE0%{ii8tS>W^eL(KQqgc5<>
zxtH|PKA~pkG+Nrb9G&X#>$yIsh9?nNs}pythE9M2Ml|NlIyxVY14afivOxI@e^E${
z2MQe?c?t``w7MA9=th%M6sRXd&V7a#5r?~pi=)P<_BiW=ib4(B7=JW7c60<YLqz2J
zDP`<SZ+$z@blEI$(AD5KE-sbX2Y(_*3+=S(ad0x?>E#w4V-<T@V8+_{;H6K8if5eY
z*x%_OfXG1YZN8x2Nb+CBXo3B3IVeW8fvj$*^x;a_{ze$;%_}W-LgQ)UD}Etb+SI=Z
zlizeRh}JPIMCCksRCHUpMfG1|sHM{VHNxGYnp=qzP!3R3rBfMg_1jNToSXI97t7{N
zRwkPZtUkXTDlqIDsl{skd5V7}s+H>X5g5!*<zcB=BOla!K_nyJM8c&(@wFrXr2*Se
zTPtJ5i`q$$-|0XA$L83N;oTpkyxHGi-%r_TPTWz<0c0HVB0{&!5t)<4`1g-=eOXJ&
zl}RWzkaqt;?v7b=)Xm=tYF#B1+_mX@K8N>Fm~!@C)qBW7+xF_@or)_nBSeWw&rIfS
zk>ZHqnz?Dk%v@fiFXrqdT7Gzu$c<OvwY#4tw76y^W@+p|x6Oj=NHpADs9B5^C#2=J
zhu^c;JwD`AD7GLqW^l4)=C$K;7gt$#YUwDNg5cF%{%t$ub=UVOXBZb^d7Rm6$xeF1
z!_<{Jw|Kq{fGU#f{pKs$zH8ck1+fm*x_f(z`$pAk*$!w?lISD5pV@c++3DEdltI?{
zla;xA!KeU*JwSX<>C`}+Nk}2ss{zGO__2)cPBSRcdt7cXhJg}>d?<4FCoQO1%mOmr
z5(b*8{kFgs6@CX=(VjO+^pq!!9LK~U7sFh#vlOi3IY*tyxdvp9kd!7|eK0%XT2-wz
zBZz1wXPZXBoR2<%-5-Ui4iL+`6Pp=Xgx9>;&vjIJyp|Ll=6{|G5cp|Al2-I(Lceg?
za&K%ROXN$X*!0nojd<_x^>vji;0&^z_@_V&2iUQ;d5I-Ena=+HbnId_^!y-X*AESg
zqR|}j*|ysx?(dCGlfmFXQp11&oSm?$5yZ(Xb6#^FpEoZ%MCiAnWA>3a7jpNYR%DF3
zTSo&~!p>5vE*)dA^#=M0#WW)(%(ZcU8Om=UtEq1fFMBS#?nXpHX-AdDZV)W82VWo2
zg6#2&olLuntWhelx|2A?5?7$B#Pys?W1XFbl!w_^g4dzCL<3W5_X0eIhasr%-(fET
z4)Zn;ZoeUnqnoDcNLn2M=P8t#!mnNOpq^*7GQ~aJZ>^I&48%&dTy%}WT8S1s%==D9
zu(I5?W9c6)T~XGK!D1mTA%<l>e^^@E&>B?9E<h7#Cu*T;Z0%qN&po_GNLPw^yW7D2
z!lwf4p)NfkAd`?kmo1vOvA;LhvB#GSDZVfAuV?q42fd;ZZIs<`xlJz)C=RdKg3Lcr
zpqc<Jpqa@q7;cV~ScTZF&57w2SK8{=nNHiqAk7lLQVLfl8;2Uh`%-`w|0BQQFGRHo
z)jgxpuq|WGDJm(6ttE5DW`Sa?`_}aG^D<b&LXl~WB=?exQ5~#_euHG8(>-nBZJfb;
zkEwWp1VOCNmB=12<vUQc#(UvTj9HY^mz7;Pgo_D-_}Vb37_f>;34f&Ka3l=YQjz2!
z4F4f{KDVFlYR79a#;{vX^|asNhYd+wC$QelCM#OSe9exX#YadqY4OjBCm4oM*&JC+
zEr_2NE|)%rp17Qune92$uwL=pvodR8cU9W*rWYGk4f}Yasa+yRiLsjsdVM>tLtU+@
z2vaA!R7mfZi}T1`l|Qjt7&qEZwP)*60^9JB9dp7Ejj=hzVVN`opUpFygA#*tj1o3v
zYo3#7x6+1Ktuz!ZE&4k4)DntE#J?DpEReX5S^Dxg4U5QZ$qvS?O;;1L@C3ipw2Js+
zG95Ot+NaJQFzoS>!cB3W|2$fV5Kfdlzb!HBqB<rcIJc;s)*1xEC%Eh1i5KT9RHD=v
z3q=-A0y?<j`U@>4k@OnfJzVceOlxm;;?>JUmb?)S(QG(0p@OvpKV=83f1_*pc1-RV
zj=PBV^)mlUp*#onLhp(y8uYqEbUSWMCZ(#8^cs)6L{>1es9{S*p5oKTldn|_%Y?1p
zpTHRS?yiZ&kO%sT4n2@hqCsJHhDUefH*u3SJ1sR=MhAtxw|>aRf>H$Se7vZCPb*vR
zq!mLjzzWZka#CKi<?tUPm3vB~x@1K{&s@;Ib|CmoG8rI;xkwp<d=FGAi}%)JJ%t;~
zK+~jDP^bdm{y?WeAIBk^Z&wUe$Lb_x7-sp6)`&TFr(x$2c2|r8_o2&mA%)onon7}%
zStZUNTf^?>Wwa;?2b^+HrRQ<7EauV5GFqV4Dj;cC@OxQeOD@(v_VLF&U#y3(e(Dq0
za2_4*@%!4@5KWVsdD+hDg-Y`|_F(#C5>=uODK=h8YoT_?R-$jj*BAH^-?B;+vJX@j
zkQjAW1Q619*P{!!zgJIVIy(D~xB1HK*eUo1RkU<Zbgz{=ZBNzY_@CR#f$y#oU~5(D
z(xb_V$oXlG!ZxQn_{zk@baSmSOX17kv}rU1qAL;y&&yncf8bS!@jui^&Obodaf!T4
z<PYR>5o3NcC*D<T3j%B}$V9)Kjo3Qx8<SBu%O3tx23J&U`a-uaC;G`4ncQ<j+Wo4E
zTWrTjxpmr&7FPRxN>~{wHClZik?xb6dj=;nzdw{fLcCK~vN;ycJ|utB1|NG5Fac^Q
zx6sV(()&BBWkR0MI_~<cFns^^4K7+Bm$Z@wil?cCTI?{8lMtZI-l-)O)G5}cBn-zm
zpVHhMTKZrN4wZrPHU@FWJTaRM52AlksQwfO&;Z`Xc<ZmhurcG_fN9`(v5ZkCE2h(U
zyT<|f`1YoGH=0;cSkk`Ly$xa0knN@f{n3+{((z|2GIo)#WK@@Ntz#GVOa$R>L<$kq
zQupxb!H;Z3Q9OAvIp>U{Gdq2z?Y`Ky(0(hhJ4S0JY)0c!b=dj=zCX%oC!c-LGn+M$
z$FJ{8Ba?y4qU$G<0m@#qTv;JIs>X3U1UrsziG1?O_odo)YH`?x!PLCMqtVUq{njRA
zsC%-xPM2rAFZGWO$5!*m61wpw>P5o`5+}v0)e>vI7fw>R7v3otZ|)Ouj*fIzR7D^0
zQ_zkHKX$j$LzuS_-Tbvf@@Nn@rP<Kf#T1j6@c3jic}9a7hL~&+LZY!U`?|E1f~Zh;
z;pomww?0ExG@Q(>BcdKhrEzF<D8TbAM_YX#%Xxz`x8=8+^21m#{0FTY2$|B<)6;8>
zT^03R6`fM&D9Kd^wAhs;d3xU<p!@n73|~M>Mp9{<c}LF$b+G`^1wO{A?xvB)r--@N
znT@72+=1VULsb5P{83&d8jW(nj-yn8u;lUE$uf+*+}EsVU=6j0_qS>H4%JgXDxb+3
zl4T6wvZP0DeP?4t*TvP?-!da%m!NbaerCO(P?baZWL?4m&US_x6{Z;1mrf^JJTF0_
z?yB#`wk}<Mq)v|d_t-zkV<{e;iXm*Z(mr;|9roTgxI9`|No???E7~KO|8f>%(dSH*
z=)5~JyD}o|;O)$=1XkEEzdc=A39Zds-qOYKCcb^)sC$FUFJBR>D^>zt1F{+AqDbTt
zUl(H4h^}aD(ocJS^ll{@=7;9~h7aO(TQIs#`j2Ud3<DQ)7Nd+X*S@PO*m^(xqtewY
z(kkg-&2&FORD@Q<IPyg<B0<z4JVTx-A%zB&XTq1$W>x3(?F+Z((YtrmK$i5;Q+vR<
z-@)eqv~jmyocX7ZHhO6YMEFf@f?z2d0g~$*UrTs_-a?Ti@FKt?I8P^VkUkR@CTmHv
z7fZ02Ufo_Z-8B<jtxJ`nR(~1}8Kw^>Uqzw&lRiAD{V?*V*VqzZ@%JIqY=#uWW4FT!
zz|UHq5ZML4$;>!OCtZQAQ_7Jdm#>pke=z*5E<w6hNs0KF_uAMhMTBl$-^uJw9|fRW
zAdySN#+!UQwD-8E!ncSfi(Tvx-}R#;bN<^e*Wx=AO=ODaPjW8qQra?i1T=}&cz^JW
zaz*SCQ(kQ(28Ya08Lh0RkOMsPR?Yr+6JqoZ8RM2NZu`yTS>RtrB|y{G|I8vAY+!(A
zK-s%9w}SQj6@=OXI^6Yp*u8JA7Czo!aDl>ZGCA1(a^2A*jFO`T$Y(%dRTrVlQ)u^~
zQL+C;)KP|uXWH7@X4bpj0}j34VXm%^!)7f9FudpiUd#44wOL3^)OAGo_T1bF(hK&t
z)qzRtfo0l_HUpRlLf6+REv{zct)jAF>GAB|gr`(Mwb_%@hIq(%8?=6R?+Gp+4uTb1
z+KbPUvFM>q_c-RN5l!tkns=8`s7lh@0ovOfh-N(MM5}BgYo`T8v}u5ZaAzycxk{`d
zNx_h8QRm|Z>ZD^dl7)CmTKi*86d%eCM~T4aPIwuTG4?N3)|HkRYOtSY=_C)@^LgW!
zRw8J%TGf*xOmfGUdB9wE-9$qol#IOp^R^+6>Zjh*+e~>o#0Fc55<xN$f+;?@zA8O2
zoGX@_eTmC7#Fr)O#E4Bz?%cHD_R#mHOKw>eAa9lZ+-TU_P~T@OBd&?Q=Laq7Bf@<s
zHi%chQz?7}hf|<=+z&tFW_}y@kD<Gq@-3?vvzk+75|Wo&Zu-X3F_v56wBI>djDzr~
zyw6>Oo#%uV+TdY44b-n8{|S$Yi{jnbd*Oj^0%4FWW2Zr8CjcG462QJwTX|ehqE<?C
zZ}RTmhoapSnXMF^ab-{$Vz>)UDUUGd2Td;kW29O+0P!GwvDejt_-v2|^4{G&44k>L
zwNjI>uuUSkt)QRt(utkH)w}h29XP{MW&x4(6=a<yLOP$l^Om&{_0+O(lV(Q>DHo1z
z{%h$+dj+E{kC13f&{I)S_gC6Y2U8FDp~W9iP0$^hKP1*rjlG_mne=pbonmqDardYX
z@$#ZaRYKm@Vs=6@_3e~UU7!7j6f2ue)a6Fe!lf_Hn&8(~)+H9*P^9FUn~7XRr?XrR
zHC1vC@<#Tl_4oE%?eOly!}B3bt$mje&HF5+O<(~k&wObp=)_lncXt+RFK_SQ1(Im3
zl_T+aM3R*)VxNla$aaF@nWzg_gi}9^9-gY^Zf^~LNoYlUpE*ze=24r^QG-46n}M)b
zG@9jm6M8i2Nwtf&3B*hqjZ-Y%hM+LxD#<-_+(2P@YC&|e_X!@7yRSYKYK22eO+I~W
zYpcL_>q4b)RnSJSPPI*;3Tw72YHapy??Zv}IQE@7c0e5Rt_*%<_T5|c-RoG9*=yQ|
z`|9jN0gA0JPF3pqfE+CnbV6%QAC<|J;^pXhdNsR$O|v1WJs$oQUoIO(<_9r;cgV;^
zy92EKu4DP&w*~$=N*;1_;{AIqQ>sX=TQMj0t~Mjnw-yiCp+X!17Yx$l-QLzSRtdO*
zIN>yTOQ5ko(Vg-hWJ`)t3G~Um67u+Ar4e*tmgu`rY-?p0vRwy<<V5uu`wn}(rrYDR
zLSHryvX=1O^V;0(@U<VruPFn_$U}Tzhz+vX>;B6`EjxEaeZMTH6vXtwgM?OCs%DHM
za7NiBN{&PI+ne}TH$H*Gy-%FxMJTFg`%t(Uzos@URHZW9daW@IZ#3AN^kFcH7W8?T
z7`M4$4iKt7Lg@D`DUIG7!&vQGo4~K<wL5D}M+y`0^6Y?+t<g<zLbrm<)<2NXV(Q|v
zQrZ@~;3dNTPU8M~!RigOq{=gY_x;zaj9rq>#5i_va7F%T5zjIc(1-nl&SxC5&w5-}
zap6NSnqP_&(LC>TpZJ<%$w^&sT8JQ&*e^%*s14I>w54ZzCeSnaM%MFcd4WWgujEA$
z_j&-<a;r{CwW!=I%b-kX=_;=AzgQ0-@9y+0qQlAm=UxDmd0;6>+|y=qllI!7|1Me@
zM$I-dDmzdMva=rO$XK)CIY@*+82ohh>$Aw(SJfz{Fsm;zt54TD750Oq%eF=y|2B7M
z<^E(Pxd5<4?{z5QJVH0m+mQnSsofv7+FfqZ(89)oaHj!)Fkk(JDTf{Z5=5Bs{B5-O
zZ3zGufulb1iwDuNUTO%U5gx@zKxkNB+FcO~Ya8Z^^Yd1Hz|UW-2t?o3VA}<UW&^^0
zmBktEXz|)QK%q!}02f)Pvftke2y7t&KT2OkMWxJJwrUtP`2X>s{_qJP$||t_a<ObS
zrvg!XI6YR(3FGbs3^x|5Q#O!g_2L;I#LGRZpc;zo9+=Jp##9gp?>&{Dkx>^RwN%>%
zrJfdM|B~!rS6hWUVg%FWHi75#9T0it`C1>uq5Y3n1{gZ<ue5YUte?4uqB+mV2e)a;
zq2t90Z2APsz#%kF9ds<$K$=0BD3pKt%V+UDUOdd0Z+w;=I3IanfGW5-aT*7raoU_(
zS)RSgfDYLjvOP)4qhDfw)fvQNww}N{I6x=e|Fpea`Dt$@0Qf}=5J(+!3dG@_XaU1F
znezHs6YFZ$)EY{zeKd>B6@AEkQJCGih6wp-LKh(VzX*b3?B9O)07Ap}Pt-u1FvxF%
z2y-a>CLxgQ0wCuAI<a9)DPx;)B?y+P>=bk288j`_8o>+g&DM_wAJG|%W-So4adb!#
z;|^qPjCM_R*^na>tn_i=1J6+(-|PRoEoU^GkDBOy8Q;$-Sn18zw+IO0$(b<#u}se_
zN!qijT?QY0Dx@$#s0O29*sQ9mpHhQiY@}v~DXw6)niB#cI%y=F)+m+B!C&uEgYzNd
zoCVqU(kq#@v{euCkI=ei2G{xxgE=n1C*Eb+39yLqOwW5n3*ef2u!bK2V0Kx1T3nFA
zjyY|(aUy;g39&{I*Gxkk+TN6Peg14#{lpTu@K*VySEp2j2vwU2JWoK~b?CROZhcUe
z>rx!$1UaWb1YU$v0dh|k*QARxKP~lc%peKmHkG67tt<bQ5>w98&t~M>U+xx98M5P1
zkw6HR?k<Fgu4hyls#pMd8$9qwdMeVRvNq;<Q|%iV8C)JwTmTxwRW;q-dk#k!d^Z!O
zCv$R;6`|6?$h5fXX(=%&{!$j#QxF>(cZiEQs<iIb`iTVFLuLt?g$VlhZl)pktWb~@
z=-k@^z)_CjUE33Zg&{}ha*LM+UG+<fmeRBk>>VkPz{6Q3rn)RoBWX4e&vhdBROpSh
zllRirPNvb)zY8Q|;GsLF_jaZ}scIOQgG`tRRujGEqj!CFmxqLm7-ovi<)mH%<d0F5
z!w<N(DC!vi>BLB1+D}gwy;WLx?^3o=1EUOInb)Ax9i6YioOw4AN`-Y!ox)76(R>>f
z)ZiptMuqT<QyhV`s6iAL34st7qls0oXJoIgqZpkE$QArpveW+%+lv(i&AePH>7{M0
zx$g-+@qS4Cl7%<LE8S7tH2Pse-89TY7l3~9j1H06Q{YqF<-)cUJBrn&j_AHcuY0#d
z!)UXPx!L2NEX$Mf;h8R)B&N^?c()eFGUG=KJJtj8YTF+@Ojgm1pC8SYuTgXEzsR;L
z?)m+dw~BxS3HST<YLOBL{ws3qrUae7#I>*NO?hh>kf)``Kkozir9lLv=XW|wjHcf~
zV^OC3kRJ1>4|x&<4@Iv5+hV;yWAibYg6P%24z>f^m!>i>+-=+y@iOnIB97Qp6DUU4
zNdV<>e|sdvRO!ipEFm@82<KJ%rbon--i2c<FPY-VaZzx@4vnnsC$m0z9sf?!7D@}-
zc&q^c^6RQuyC=$!E%c=Qs`dP?$#-J;{Rs)u!ej({-@O9<)dqUv8c-mNiQ(uw1Lqmm
z3;>C!H>B)Y<cTR=Tkwd~9F5+56#TVL*{ui-+e9|DBGfE1tq?I^+YrsKtA0%HB-<vv
z_1(REFrD<2&LPm<y%!po$q(!opC!A`Tz-`I0!S*%g*rZe6zG_-dJQtX5W31J)(BI>
ztbnyx3OYC;-T0bmguDIr2Z+N1D>;-jH6LPauEL59aLfuW=dF44B%@@PmbLTlS&DU0
zyF5YfoboO}sLwAwMdIy$*)q=0q=2t54|w2lz>5h^p%sDW1BZFM0ngVU?mZ8mn6K@(
z9?COidCo*llu0Z5`Rz1xu!@j)GN0J+BTZ1C*;32xS^EKRq>(i6k;s}2;&S_dlyqTF
zL1FssO4qtqq0)7^CYwSo1iaCx;jR1WeQ>TFAMW8b`wcZs*{+k_k0=E7fG1}*s9-_G
zQp#`p9mg59hUlm8Mp6;eXbNQiz~$rHvS1c}2IfT*Erm=k<ZOt+Qoco(m9C7<Td(be
zSd}WnTf?j^D0Bfx;JSj;IZe=EKMXPzUx;rH<q*47cv~m(<OXCXJ7>r+f~4#^?07k`
zUisnLYHx(pV2Z6grXyb2lCTx`dBp5Gb42oRV6Q2PY5rr$6{RnohYKDyPR@x?wSof&
z)#XHPL#`;HfbhAwa2`F%ukCQK<m}LYtdgXpFG`}>x*l`Fl3eKw^|#~n{mSlhV<Q4!
zC4(0omN`N~N}^ZlSCGJlDNVk8CTo_BnMFe8alUHW6JE94XC9Ca2Ucp(G$KewkJ+%J
zPwL;gPXVh%!*X_*TZ4L#NWtCa;%6HoiKU{6Z8KDwK)=vVkQ|8ZD3^O`hd-Gf^MI?=
zexzh;aw~t$=gjN)<+s6Cz?d;A0O{t(?ow^4g?N9Ep3fyy8XWTT)8_;UQ;(A-Vm$>W
z>lsMTJw#zXpzZw26>@w({jhF0du%pkG%xAnbnw|T-|#ISa|Ns$HgaUR`Xf{|i>1zL
z<JUD=t+uVK{S=eMBdj^YkImjHUT$F6KQmDrNT%K`d{79ZVRZ#xtLsZkE=fuR0n+*{
zWDwrt0e7<}zW`a7O{ta=U{5Y1U`Y`ijrG(gwq=4SZx6kC7lVe4wcmM0g#c2ELjj%=
zPW5!^L$Ud9S=K}z@h~1qs!RiVXj%HejY4G*%qnK(y<tkVF*_)o;R+n2Ygy6_5pyrX
z0sK?Nm{!Vkq3W*vN2-8>rTfBh43zs}XV=iW3e;Cq?&cFFb=q7LysxL*Vl8G=gQl$l
znE1{-w-E-%VF1O8(c3Q?;PZG4NS&KTZsSkh21KY2z(2%41de?R%4n)GyJtM{P)$97
zlpdauI*>_Df**n0$7~+oPB8%Bv~CqrA&yirBhXKT@F<{EOcvGyYBQ57qN162WnN$d
zee9civNkKi4E5&U9zv_+XPrm}X>Hg<^z@kZET+<#rj8?HOuKq}QAf!B?O(u=U(rC!
zFrLNuHsR*~D#F~Ih|Exs4U}HveuD`W1LbK%@#~{d(LaiGxfCJ&;?HWSN9e$oI+G0~
z4yl2pYX`~URDau<LH$&0(>E2VCjHAr`@0C`dPt&&`@8Z2QqgltY#{mNPYHP+gy2;^
zP!ur4l|E3-2KCXonP=d)&InK7J(l>Tbg-k{g+T1(yqPU!`di5u0i|44d6uw9dtI{x
zDqr;OH)g96P<#&5_|^bog94Yy$ttWNPMB2qU%l;>t5?wuvvnmuOx&kh(No7wm85)Z
z?w<K|=e%U5RP_v!K|SYf0qK|uY=LQ^4G}G=s~b1V+$uG)4|JN=Zs@x}c=oTTG6J0V
z0gfp|JO&3T9LOD^)Lt&Jdq*|Ed*ld{-b$C;S!#F&8KWLOdX$dm1(A0DMo@zP3N(E`
zJ;rMSz_GENQdC@wesGAWShj-W?Qw>sUoyo_wZ#&O`;1;Uv3VkBZiRreh1s`yu-Z?5
z6Tq-_AvVvNh`jB$a76R9|IIkLbxh-dFJmjh2y2TjyNj#!BZ02^-W2!Y8AH#OSu#6#
z^6ps3ql^}Jet$L{j`;2`OX%WiSA|r)Y=Z4b5UFpB9NPreUW=urJt33Z#s^&vOVn;f
z@nTXYQdPruwen}=*cH3H7YaqQiS8fDb#i^>6AgBuHV7Ds-9yFoL)WpaxX*$KVIb`n
z?|_o}VT11j$1nU;#r6R6EI8T3BIa!^QhLY30-6Q<kf=roWTD460*5aWM0|B!E@_Oo
zYxG&5WgQ{fp%&&?R42ri{{l|xtV8GbG@BhXN=MC?yg)3N6TvEMe$Z}UzJ2Ibc49$+
zR9?K^Z;!d&(#cPQ+UJE4<5ECo3(gaUblAVd15mF-)MUDPKLV82F)fdmdYaE@r?9N;
zZLRtLYSonLkW%YDu*dMmY~%7r)=6yj3z_QwksialC7b%0iJE15TeCj{;oPUtmKK{U
z1PqI@$V9HO;O{x~%UBF#%gZkh)}R3<9;g)V(ANvX0nzlo85IH`qR7$NDp(<+1mqc&
zKD5KI%_d2<+eS-!7eq6qLRkw3BI5&@>_K53C-V*x&mCWrObvu>uiL!}W&;`A=N?b1
zsL+7e9eZ$+m=?;wCp%8OSXA4RT}>JYr3+tdMe<t4u3RfL1gg3oZ^hSaOkkyv(hFsm
zX$M`92Mr_){rTNCdj-(doI-<P^mq*l$*xrCgTqC$bPGT3m{x(vO5M^2$uM@HbwI?5
z@aKB7{Ar+-TYy6t{HZz$)`NHAh%yk~-{t`|HIgfz&O;~3#SlQqJ#L6YO`n_gzrqC|
zI=22Df?#TY<2m8D{2+q$<CoIh<~T7Yj}P7|mteq%7eFU%l@qInwbf1X0(Jt&CRW#&
zJ-B&e_VYhNtG`}=HA_DaNbmgTbHgBVyI#L_WyX4dd1c~OerfK}1*a~C1siq63~CMd
zc``XFe}-%}=w#V1(?B)d4Q1l}H>nH8#h3*01xgjD2DgOOvzUZYpTNQGb_o+*?4*J|
zu^`p)zZqi%PzD<RO=UwMn|6H=21F7z`AfrJ+(Mb#-`WGk5Xv1)(<yy#Tl^oN-|u*d
z%ENY!0A~SUMi(ikY3C_lS@Vz23{Ur&&jXWlUx#^^6w2N$fIxQaRE&?^|91gujc|=f
zI9c=@#}6Kh?sT=O*|6noDVJe@SQfsJ$;z*MIB`qNYvV!AC@?%t4gOK%Xes@)n&RV>
zvjH}5xt@}n(R3d0*C3)~Wh)&tw9xx*1{#I9_kpknZCCr!3)T3%dX~XD3!-43T-3=I
zO*AaB`lqa@sp_+>f<mzShmx%^eP3JmKRTII4uqVJzd|<Kw0W%)b7eo_{=eZ4l0mTM
z480ijPXLD?VDa|C9f=+@FouXRu{~`@(RgS4k@`qT^7Lcv)9?3`3Ltc^7_|EQfjk(@
z;_xQ0c7v=ga8|*1Ws6sPoS6CblRI=gQOj#hgXNU!55Chaq`mDq{U_(?pz%BRb_=LK
zq5lX^vA|>P+=285ovD!IAN%>MzUPBN-J$bj!dlRr!96{Ger4<BA9)<;W<smDA$epf
zXuj<vfY1BWmeOC(q}Ya(KHDmL@OkvHpVz5tLp=<OP#2j0lOWb};#3Ui7t>u^GJl?d
zuC@Ynlt3J=1T0$r9xw9m5=$Kj6S<wS{?d~F&)Z=6wf$w15#=A&oGm*zcj>=-HLTPY
zDnfT+Tg(QsgYS=u{))#q5N$$H<bT%%U>XI$37x|f&kqtqOb3sa{}LVjRRNG1{?ac&
z9waw3-G8t08+rL<8i3yPe{wVay5^tA3+S5vS!JPD{L5hRJIW4B%HP8<t6N?lQ7!bn
z+6Gx?kS$<-Bl8g(Gq0T<E3%E1S9GZFQb198giXbSUfH;g*7R02h%i3)HUV<v{{F51
z7AT)+8Po2>pH0UXS!)=vM@GGer^?blu5-x`n3J2eoFxAys(JM(jGj7@>+K>N3q~ik
zvIBf9!2R;)X0^Zp=7HR9-7|)iI-M@xyHY_=^*b1%jze71%jy-`%^=PJH0^>oT6%$J
z$LK<UsS<Q9D+tE|DMY^?SWD@$DU}IIX&5j_0^^s35g|vfBYcG|x+qfxw8Q2(-+g~m
z_Vo$<=R&;#zgsyYx}wZqC!I+A)h$~Y=PGy+)=pc*fM*4$*`)oU^16xVKKcBv?5jr-
zYqvbCPMpG!67d7r?_WGw-I49vECq&OTrL3Y^tXQ_QXM$?MZiuU0o2yT)#_a*FgH4G
z)yiHwcSbG7&$XMH1_;6fR_073L^p`!6F$BHy<yJl+{{^|#G2Z<f1Xw!<L!2xavm6K
zraOrnz_P1adyC24G#bTtj}z5)`7E$iwXkFV$J~2IHQ9CFq9Prnhy|4r5CIYCFCe|z
z=!$?y6KN{F*CZkcN|%mw5KwxN-a$Y*C_RK~0BNCx(78M4i~4=PJH{R7j&sKO&ywWX
z&)#dVz4lsj&AGW$?OY;BTeFQ;g}H+fy#H$iFJFAFHp6YV^#+;_c@P4Sd9z;dradS0
znS`{W;jFXt66MsY_>G~Uv6hJmh6eoLC%au*OiH9x%a6xV7Ib-h*Ld5+h{}hhke2JR
zG_NkDZ=HmiPrg}y*E6tt{d=te&cgu~kz-@ZA{376KY5P4-p}1@<oO-BXc~$9KoZK!
z(URmo99;o{FBXNCSecPkcohZ^PNg@!&N8Q4uJ9{ySR+V8)&>JXi?`HNb+8+dA*ftG
zC`YU{o)KVaHW0>XJ)G8{{xg*3dc}>B5t*OXJs%!E;>&Tm{)D^_<7qOz`!vJWp3r$R
zqES3JjOpya?c|#2*K;hlqVLa_kau2qL#aMxt%C?6wHqCbz#ceagZD|Y6P=ZSH@x=O
z{yDGPd`57c0MlR72e@t(JUy+F@jS{FCq#K3=6mg*WDX=Hl3l3QKA)bq7emQ*Ld{f4
z9?PKmaJ<)0AqK%st#;FwW3`mwQu_CuWjE{UnjZM<j*n7&ZQ$ODKZwG<{^>-1Mp#!z
zB<_vwrai^<1G)lM(d(o{cuhrKR_zy!X-U+X#I~FVoMrtUBOk_mCnmk+L~V^I&lAW*
zyU6ZvQ>RO7BZNHtigN8wDc6E1KR2)ll&VN;5~|$j9y)60>$@LT?DWX8r5)Zkn*(tA
zCS1&Z>=cULf!%R3u&N%{{Be)!@BjM;fZcInBMx?dyvoN{o<D8vn1to0GbTHThAkBj
z%Eklb_2ytmUM?MIF#UBE_%{H-`KFH)>HwN!axx6?7rb)Yn)F41V10h)5AM~?39rG{
zhF1n4Oun4ref{AIYmC$(S&YD}U5w;DIlt4QwSxLL>kn}Mdxqf0s3Vz_dgrrmSpIW-
z?)~dYuLDo|`+hdei+X1c3j;6rnugcj6mW4TMv$J7<YKvfQ1Q<{dxblt7tU!G^O|(N
z6J*;X5wM;5EbSf+a@Z+ufAHEEgBj4&06NFQp@fH~g<wuUB!FX~NkEbXzPoQgy*+7y
z2j2`d2sbzL(A3K){V>jJl2~Q`BUG1PGSc4tlTe>PKm>U$)~^bitx0=3qY7IDT6LO>
z><r=gFf?7aQ@@Evseqc6PVa8~>~QK@(Riia=5t4l%?{@!SncK7!{&#@$|ybdS#JGM
z=b97{{YHR>f<gd~Vp@@2N$%H%(ShUcf$FEQrE!l#+V6Fd1_H@`3k6~@?SpwQ_+@ob
z$&6gBFCc>bt~0(9>9Ns!TZEQdH)L~jQ(EkL>K;(Ki3+3>CYrw%2uLY2y}daMT;;g+
z#JMZ??5<rT>TRV;Xs1xW?tNx5*_%}3{<-vrV4z_syiJ)Mv&;$X<K<VP#)dNnz_9$m
zu>L(Tnyv%S{s=jodU)$#xAgF1fW<-8BM7*S%F>8G#|%W(?wNdBjve1)YYfi>xmjhv
z&E{#S(7RFu{XyY+AM_6@oM;ROQ~$G`KzA<P<A-8YyO_bY)>?-3LCQar2QNq1lmM=H
zlGHR0u=r#FzNqDAn=|k?#fnxPN$h)eae8^M#lA}Q&Gn3x*b>*nGdbQI?m_KTagvo9
z<|`=unzwI-Pf!lfN?d44dZbq?7Cu*Vs*&zJ@jxe}j+pz6?YtL?QaJ8vkMoVn@nu_)
zYuyARpG8c2ljWaA7alroLo?92bn46K+eG>q>j_Q}a}uj@AByGGcB;SztQfkC_FTF*
zL}0_;#Cd#ulRQtr7|QvN((1s{vRI{Rz2&ya<ZgUZyE{;q0(*(G80e(k*&Vg-j#<0<
zYN!7=#<7aFo3O9Fe27wyYK8Cg@kGyFt=!4vX+u}7@O=N8b*Q_ezu#0>agPj8I<GNy
zD9OaSf$i~NZ=!!eN&E49HK|}+Qsd#cu{z|uP59~bhk`LNp%g?F#4m<X%Q964c@*3%
z(K62;KJF>zGCT2{sNK`1PJ3_z<xLo~gN^gdy7<N23)@p~pIpN-ykD}g(2~ExC+9j;
z05lCYJUyIrnD-@OT`l!mnxt+GucYoe&NlevE<JDg$4+dS&!L3wX@;Mq>G1wyZa0Fb
zXlcdh*^fluj*`*o#p<9sGn$jh8Ua|*wJI6;@Ka#dDp=yQm(<RiA}bs{H-CqMR?#n+
znq-rnAWkh}3Ad-o50!$fcKda;nL+Z*J$(x+UvF_1+^aR_MS(ggC3~IpmZ9AFQYbgm
zk9RUDhg9|yjevZP%N3#Nf`7Y_;rdj$Fq07eaFt9=Gvw(!#<M10N)OTK^m4%z;Y%dq
zDPyJiF#5j3INr7;e#@0jK5|mlil+<F{8C9@7z7rzwBTI@bIZ3c&bj9`5fED)w(<32
zbwprY?!!oKc~7HA=j$hTBalv8v)MXBv&>)Ip<{e?HQ#rx=8xY}mc4&DQy9dM5%auh
z_m3}0Wrl6FhtF*d{ir72P(0XMd7l8r`(qOsbwEHk5<7fN&(Ra_K2>~73WW=@o@Jg-
zy?&Nr&2eM`nRcp<!SpfOTDZr+Y5y_QW&$GQ!aeF7zPC?#D#-{^MALY-7BVaGd7%Ne
z1fBj+g+->OqnGR9lhp6u=hv%^DVo(*AYMr$UK>SXEAa7dCwFU?ZY2_9G39v_-SHJC
zcPVDXL1Fy$HNXviysLBiOe7_Rd1dmaVC}&Rpv-W8FwYzCHPpv&^eSzI(p|x%#Bf+$
zOlV=Cp1nsjbhD54(oig3ex>!;sgnpcixu4)|B!^$j=LHvWE*KdiJrnNMNV#`YkOmc
zYddVe&{OFWy&8On)Z%g=iEI+%K1Zg0d1Qvczs_B6&VE4I9h#1=n`Jx1ph|+5Dt0f<
z3fh?hx^+C@Cp5T}T*0}b{E&uCg-&-f6=U!REsk&!hWScC6lTjYE+&PyNJaJ~<;@j%
zToH7(;ewb~S~M@nAFP%p1}r|VaDNfQ5beaXi)m_we5fEh^^#95kc5txcbW0A+3s4Y
zNl6}s6Zr-M7rfTXYrm{TiJY~9aCh;EEP*p(*mBq;dwth>bj*<|L<xyz=$sq#5i#vr
zT?tnGVd#g2IV_pgCo!|{M57q|rK7)UKz2kH0QlCWg$Z5MdoD#h>>1r&)h%>sy*toS
zI0r!Cpj#&VO5Crr)hhKjYygn2b!oBe7OAF~#_=kV8p?&lEz5+Es>;rva`ySsG`;p-
zOn^1d;0u+?OT>qP6W7I<`nd0@EeOcsQ{Qw-LR14~0fFX#mu9Ek$`DRO9Zq#)sA}Pt
z_>0%+3LR_>bRLYq1^$HEwqvb?+-YTbDKCQdio+lw(V89<VQJ#!IkC_dslDx(Trd3{
z=C%7yVBd+5dbQy!iIgem1J|W9LoN@#9k+f^O`6)!a2X>&v#L+0-=iS^01p^{e=7I-
zn{RB#*^f=@+Cy@?$L)DB(oL8l2GAmdsh4`o!H}pvxIpoo4n+I?fG9^q4A>#=(EImv
z(UaU2SaYU@*LSGd?hgyY?&Zd>YCFb{;WAqNsda<-XHK*JWw#(4aicmc^h?@nzvAXM
zVZtl9#82gyZeSV~=B%x4eQugx?s5tZIO)$Hr<?%p8HB#_;Q@r?HCNVW4Vdj`bh*D}
zz-5|)_LZMK-=V-*^MTFrAGbtp@RA?}`l~6t5*4Wf^uFp!o1dX@KPG{st=+nLB)55_
z=vkDwpN*3;s~8C)J5J~Qd8vHBsw84N<&Dd@vXPK_C0$X86*M3CfVleK?J`G{7c}Wg
zaX0QIxG#&G@d?KVMAz_wV^?#WPys^(`4CpiKmRA~))DI(w<Aszh|{tmTatrTQ7`Jl
z;Ek)Z_EN-A-$65;I&4K2b`hgn>?S1^Y|vqe#kJDL`qhgZfOe6O{r7?!{)jpM&7J5_
zLL|Xn+uiJdZ3tq37*Qeo@IZS1D1-9xiVuh2OJ3HsV3gq65W5+w6YJD=wwRGOT1ixi
zlu`}f>$UW2qxdK<PfTOE*JaKdC!7ovf29GxZzfYE1iow$Xe4^LY|alfyLj^ibr_4s
zdkgdG4F+=)8M0B<2#fBj^XTdq1mjeVo09-eZJlh=o5zV5GgqIh=I|6zIqjv}*W#Xd
z|M7Qw{^?;jyFXgAPfrMKUby8s``&uSb$kKNjvXB!Zr8lKfPbjc+_{iTC3<B#VV~g{
z!^i#z>$U>3@5*s`0jY)eo~hGdXGgYU9w0PdZ;xt;DYahR*iKIXQH|ZdW}AaMsZ>`!
z^s^`pS2&uR))r1GaDkG`+Yj}J2dSpgg%JF3fPNaTcXxjAR<DcVPCI>vJcX4q@;2={
z(R4ZV$EA(R1!qR7@%<4aZ;qknZ8;a^W%CsS`$(}D3dU-=K0?ETpn_GUvYW88J8({I
z2v75*mts|ye+!lA4h1YI1;j{&E_v+;w7g3q)y>Ojo#JR-l(TU&zCjp~&VYJDc<y=x
zg_=-}=2e0q9%^F(m{2BrK9z>XmVnBSKeG&)WR2lZL2qKvUb6UZ5xisA@pIO0FY(tB
z&~8vy;<^w}bZ~JPl^u(*A1+(Ad*(hlJM3t08By3%e|X6?+nnjiL20R<p`Yke8*I^6
z!?x8hm7de|cakLSq(KGhhot6QJ44cUY<%q!;I-RE)kE*SWGsaa8!BKIKD(o9ZgJh{
zZR;CMtEMF-kdkpDnIVIYcSxEA+0)iitux-h^dMC?qa6oXH{K~luL(Y@J^*is$tpCF
z0LAC4yW?V<IGQ}}1sn~T>#a@aiY0|`a<xLV^MOd6yVOa{L-zH9XvvEC^{&&e#=BQ|
z)65gIbz?0O>$~+~F+YT#RQhZd^|4mMFpaF&K-BrW^aC>HDg8o9A}p1oHlGPNLDvO-
zJIS4jHl+`t6pCt6*c_#Jy;@G2)>nM`I*0>L+BlBA)9@=g{gmo`^=4MQMu}09E&*h$
z77Ror!}XR<D{rCtE)%*dE}|G$FBX9^C;cd_XzHez5S&h=i>X~=AYH{3X(eS+1M$RE
zPn!k3brvt?Uvfk-7_c<EU+^6^GdmF*2B+V^auq@Dp`nk<&6Acs4I1d21j!&GZ$=@e
zAEyn;xNkdnh2^%N5nx21OE?+EZdbL8n6>nw#;Bz7zrbcH##Ijmq7M(AH;k=&(T;ZO
z=A-u#&-IB(A;xA^_J{eaF!ZMJ1l@-ZE&``=oYzWYlD9?2fa(wEq`(|VsP_n6clmf$
zf5yl#{mq#d;J~Gjr)+J84A)%|<4kjBQ!MGCP<%N_IwB@R;o_yG?AUl#xXMNZ(L+>7
zsPENI>8I=DUhc_LVz}dgWxt_z@7#?9PftgElGBUh5b>K!&K3tr$o^ufS$urC6$57{
zkuA|GDCg8ZNsY=Zw8T;0VE%=wtDdJ({F%+|YZ{Z?-ZhY#i3K5a@jByH-tcwb>R{BD
zR~#|pbk2^iE=vH^W|tahE9b_Lc4%_Eb(NBA+q3vCOLJH?QBCW)F1=D+ypNJRb5ANP
zXrlXW*~DxoLZ}24ul_O-xd-i3*qQao4E%G;M}Ab#m?6BD`;)i#<1BAe2Y0Jp3ch~y
zlwRgHF1iE)vvdNp6oP@4^*UDBi=I+Djz3~zz6wr!A!qhW-OTG_sCqFNZX7)Y$=Jgq
zD@kNnoO3kXWzg~Tj2(vQLpL2O4FT%9%}pxBzziU|CAX9|i!RLyoZhT42`<iZuYGBF
zck{wFv}_@2zdRpMtBAJ*K6MB1jBfc>B2JTTrB*TQ1k_IQc6tXCQVGcD`nro`55>)*
zyJ0qn<=J}V`2=UUW>F$19GS1pW+nAEeM$ez5M!Y9kZefScCVW^ZLLE>>15H(@EDF{
zLj@T1nKJK|xn(L#e5{cts2I#A)g!yFz2Y#9rBxC2+Rv@`6-p{d3CiG~;~PCtitR90
z*EhQCbrDgk8I?@6NJc<}s)D>CN@-g?wePXDo0P4yY{qWz%+Sx3!gGHG=F_ooFUa>=
zCDof#4oHBXV5w!v83cWOR{2i``3x175%BvC-QiV=aE0&iphb71b~0G{T6eJPY|Iy|
zu;Tux^Zs60Vr^BoPA+`Ww=!{C#<c9o$o)%yraSsy=1Dl!UK)PI-?y6eHmk9g*+Pi^
z&BgTSn5$zZVty8{?QS_e+yA^JR|D>$@FAm#dwq~eSA6fq$9$!_GcRsj3nv*cJYjo}
zyTa>ru4nkJ+Y~HTwTe2){BhiH?zqtNTBCM^zFL3d*(H~lg9=I2WqWl<A<z86ylA8+
zR$au$6xlJ`2e*F0VPnDn3EL^vHJo^6SJa=OjBTspq@hA{RbFcVaa;_0`WS^Abr4|X
z1^@U4?JJ@xGWo`BY+khVtmrJEL(aE-nDO}fvSeY4ln1<5^0HFvZrprB<Jk;!t`Y4b
z`Mw!U2#~SP@(y%c9hm1ALeH+drac0Hg5z8eCt(z3XgB!<BpisRlrpwkK?VCT6i@L5
z6eX{kn<|u0Svx5V20mLi%Q2n^wsw5n3q^aL5PU#-D5rBcElDIc_k(6j4w=>NCl%dI
zsq3|Pu#IovnDm&~eXQb9ykU^_&<PQ-5WDuJgKbNkdn<xZwzNUMo1xG~(ihRb@T#IJ
z8>V>|o#Z^uO7z=>5uv72`SuM#$~KkT2rQO-oGC);D&-0>+A3Z&glE!m+fYI4Aq|de
zf#d2z=<Wc71yKECdKhvYFtiiCoN2X?VQJQRU6WwFz4cd<)sW#lA!jV#p#*8oAW$&2
zoX)kzs=DUYyVl~*zUnxLdjLx>oGqB+{k+72E}O>qRzo(2&R&GwbNtg%Fag3zT%JM#
zH!H0b!aqob8nr{NfB(Lp$9-?af#RXMz=e)w)fF=~opfIr!>^kaQ<;mf*p=i(dwq#s
z$zaNaX?KGEr~q)_ndZ0{DjY~WB>V6%`l}$*6l6I3N%>)fs>Vb}d>ZvuIfq@{yRJcv
zhc~f^uB68y_s^b@{D>y*UX{RAAAh3}E~JOE0V=}FFVE)VpJFj~x*J`GVz`;B!|cg{
zcJ+%J8CU-hHSEA?B_vlkzqWrzc4C&_A73+5G*0J&B!=uyr~Yq>P5eKG`rl=h?&m-b
z4p*bq{9pV&E?xpGOMfM6%|4Q-`$%0w1GXU#mqwN9gEiK*&+##CpWax|=HlQC4wFfb
zv>ZM2`f_>(``+cb<YeU4NnD-Xj;IAe{N+DKlJ?(#*Kz4eAfJhvUmeZK`jkMOe!X&;
zZf!C?xQ#!JJMt3|IopF?>;hmPwp(>E(|5IqaO+Grpd-M^LNqJ{1gj`yRKmhv*Vu}W
z@^*L|9l=DAmP*=u2!OB1WcqW$?o+2TiPxuU2CETb`YF|PB_{b3E3I5q$EvN~Jkq*g
zdfmnA;L{xNa^o4=PA4g@M_n>KJ10h+9zA{j)cx$jU^<Y$1<W&mQ{>mhLxJOLx>CGo
zak>mypQw_I+7q7fUi>fsnM(8FNRGmOe;Hsgl+u~<r3*Hf*-p-eLy(ko<=sxKudfmP
zq6Jt+gczFiQy!?~C%4t;ONEnF<%X7Om!X$=Z(7HmIjsiPLF3Gy7RB)jv<Bj6y~uUR
zykFcj*Wq{ul1fs$#u;%X*gK?KKH_}hWmaXcJxeb-uzbi*_7(POishIzkfpiw^+K92
zN90J&g*mZaUe-fFnTfJ+`t-BQ2p^8C{*v5;4d+4j_u8LXXih?AKf3V6@md4G6096w
z{h1geWFZqWRr1ki<0qr-hD=2-=;ZUVg0sonNHZ?BpW2W!lYTF(#Fy+HzZ81LE<o3C
zcb@1f+l#fGAc0i2TjS;XL8k}8p^Lbr@Lz=_f4aya-lq6BDG?fv@+j3im_RH*N-kGe
zM7Q=5kCmywvA*8jtug%T%?`!_&%3NZq6uRe<T&FRH%&8ygF#>VbL3fs0%|~gH73^e
zWxEIH_I{TIS`wE)n#53HPw{3xgL6nCxcGRJvf53CoU;o!xnV>z)E(Lw-T;l=7s9){
z`S5nNaD=E6xHC5W>58*JzO#YGo9*GPr&9(q)7)BeXu#Ye`}PZOT91i%&7xBU@k%`&
zyoAT(1*8B_EbyB~8kb&Vzw(9$9Ua~7R)wO$maB~;4HZm>=}YqmH7%%b0m$rs1aI^O
zSVg?0Sa)85rU9-0WPhbtAqSl(3=?7kH|+L}i5ERZ4-09|5IGE%7qPDG2<|~wOYVI)
z;T*QSLYFRWGhPjKGAPoJFQe&qW>T^pnR&&=H>L$9>p6I<IKXubM1sOWw`bI;1@ryp
z--I7OiC`O|Ua6t$6@e!FRW4xj8El4aZ4sO}@DL{gr=)#A4v5l!u~=xMsnq%R+V6eP
z;xE!@EBnU}eCaOO_3B}~C~zNsJDUjCkGG|10dy8-4dH+f^TYn{qW3^i1&KO;hjir^
zMU$(b`%DHIwc<kKYLHJsWD2|o<FDTVl1OZ7_3NMwtR3i^J+6r?N=swS%fa!cuql;q
zj+p-?v8Ks`D`}m+CkRdomHx(Xz{f^p8UZLN`J9Kl0Nr-Ppnee$H2wwykc8*Z|3MWE
z_zghx_yiq=V`nKE1*|H7ipGFj4R?1O6Rp`r*BSs};Pio}-}Ck_eaI0c!S_goG)~O9
z%lm3cHc+Qz^jN9aO)7lepIIkbgVT5#t9I|NxbbHm;HL&2?tK9{{Tud#kQNABJkJBr
zr~?d3a5OKWq2kcK8el7bGLmgjtDh76yYT;K$wvdEp`)2d>KD)E047*m<AV@RzZkI1
zvgLIGy+!4HFqiA|Q~z^kibf+&oiCb+0IR&ZU^Cnes4$f!;zS)mGb#1w3I4>g@x9bP
zRvz#V$<0>QT#GWWR>UP)Ai!Te5L6njaxEfNSP7K05{b0k4yL%z=rVzKQNqn3De#q3
zS*@QYZPahb8Q|+GbjMoZU?5$9ZCzlucd*XBlyU`wOIbXJM}!3NqK;&fe-Y5Ub_0?Y
zt$;_?4)DqV9()JD;8SQ~x48&Jkg9g(v)F8G7xXsylXa}CHFAP~19Na0040zC*agBR
z&l{r3mcl~(cufGs{+ElmbW@){Nc^dQ_XkSN?Go5gqXd=<K>b?FN(g8qvE%q5XY{YG
z&vpyjXot9qP_^}(#|z-%eD(W1ntV8Lyq(~-k?9zL!zqAm;EG#LpzVc~lA*?_?iK~)
z36;pS0q{5{py>(4fgRhj@rfzF?+jHqW^sI5PP_k`SLMDRXzqAMwQQ!*sm*~)2><be
zhgol!2#OT*tAH8fu)-&!FcS+QNG3w7%B2$B{kJT)I|83A*?l}VFa;T2Aauey54&0%
z9dQzz=r-%axYP3|Ga~-cMrk<PaYyDxq08#jsEK%!8z9N-fE+wJYy!-tKesvnb;$Rg
zJa-)kV`pRvClo)wlpcMN<A~VJO#-*!r~t2^hz7a(CvEm7QRn42QjJds{>OVnliW0O
z;y$C)KlRyXZQ3(m3E(huKXEb|)p$#Q$R|t~@%{o}2vXbqgWsHsL}^ir1yT42s4yLo
zWc`}geqL6tm6SKHzsiGNXfo~vobQBhlFFX*<}7{}0Wg%uzn->7(T&Rt8va3Kj01Uu
zuL+CevX0(395JBEMy=t9{cnntKl(|d>56lG;kA>vpo&!q;9iRyyg4qGk#f}x`~DPR
zqs2MX`v*Q|IFu_d4$KC4=#C;VT->AHHok%z1`Qz2__M65!U1m-z!lh{aZ(^aiV|1D
zjXV;3aX9{(xOLU4j|bqFwVRE1euqlE9o$9*-;x7;$<D?AxJ8tJF!=<u5#K*suSP>v
zfqfc*P66E#1B9=R@6uyL36(Q^kN>iQFm6zPgmntrbTxyoIBo~g<1{$|jjH<Ed^RW#
z$AqL56$#{Z5wVa6=La}F-1MRePaUJWwdiIQ53o@fBtOA*z<UJXynTxQfz83aW;OSb
z8%CKM?7oYWaMz@GfKxyp-(Pk{)e}QHvhWG$qGevHHTf{t?jvgBV>O;ESU!CcWdOzW
zOMf{D0IM)dgOVf7kt1;RzuINL7Qh{4A}ORM0%!_>Lf4B`@QdC=9FNU{m_FyrkeXIZ
zoR)bF@hNMEtpEifCz0#)^*c^J{{BE5wmao$=EL9E?cC1$(hVCx<rFK#(&SXC!{Qtg
zg9Lf#(PQXDBoFp`@xN+gdpIeAOn@+J<v>|)>AQEIl~Q|i=KVvVv##?WGdiY~g^|Xx
z)Zt!`Ai(v{Ng}nFeXe%QfD(~Q7x&aeKHLh}*!@eFE*WE&k#<`vlW_pPrU*EE?Jb2Y
zN6vmo6m@)_6pW)MY$BkMs!$)e>S)5rqEtScqxHRoN9n=Bsc%?Yk!qEX3wA3FtVf|W
zj=MAhx3Pd3k7rp+o8w0~k3+R2L1y})4B5~y8wsDqil<s*<fO>Ra17^x5{*vYEA|qI
zSW#0NA^W3?r;ik8{!M@a4Te4-vvpC1tRX6YGeQk*s8HXNa*GU<4t7)Jl5p*1Y3p`s
zxDAlvhda!Gb))-n%7feUTD8}3T+Wa3Y~^SOIIlKZoB@Gb4Eq7A6rd@b1pNL(HAwyq
zVqo%a#K7!+2CO6x7VX^KE6bhFHikcM)t^dzbw0Y_rJeVs&HL}H8Gq!K8v43_1Tqip
z`v<8zl=>CZE2gFL-5(}V65zdyn}5CcLSy)SrZVXllSJ%71O=0CET@SXmeV93MNeVT
zMF0Hx#18p_sLhG55TJvb`9Kcp!(on!ee`%zSI9^%P?!2;3{w~MuAR&stuLp~TMhLz
zajowT4D=5ap^&=>t{x}cd7zCu4+MYB__5=-Pn}YRRl=ddW1utx&GBjXxj<FR_dMGK
zNe7Y4iEj)g(Q1tp(jXDDW_^+l=sG|-7kplEXg+i?nxIKM_O%)~2*{rf=@Bn}6UBp3
z6S~YT;SV{$?tls!GHUuPnOOECZ;tpDo+H?NCf`qkbivg|NO6tvfXNvvFXQrrXTjDi
zbx4|!*}qbs6*M`pDUo(5-8BaiR=C$F#wCycdYp~aS+RBb%G-WY_Gy<cq<<z?r?x7a
zyqVS*{w4nkOJTwh6K|%-e>^VYrOoG`fW7AO423j4r8gw%qp?+P^*0@&Q^qF-N`lX%
z4?){=AknPqS1np$vE86MPvMB|6aPOwt>(C)LRnQ^YDRsUWL!LsWKrPQ>-~0?dch#9
z1fqRcj)ZZ5FaH3FP)F|A-6Q&IskPMQlm|aaSp9N^y*W1R64!q!1!jWU#{Uwi4|6G<
z_X`fJuJ9-7>QBdgj6VAlk8^w>{Ikpx20(cr?gM1YEI6bnPJUOJ=J+%QpG?b`9)tjw
zpN3PfeSb}<9@3pxz4;C>I4J|jPFl%bpvUw};Dh78LnPrrQ^4<)?AQ<PQSrD*q78P=
zbd)(d^S-_YSx|5ceJUww1HuW)(SX%l6NsX^G?```;~OGyZ1SXx#XBHgAv$@MfODcW
z3(VV(&$u|_gBfn)12+LKn*uUqqb}2dGq#xd{^y9_tcMXaKqX0=6Q`mZQCwQu4kAUl
z#wZ2QnMen0whjEOoyCQzs9D_`bJ=jUE_aM4Kyd!c0fm!J)k+NaFHz1#FFz(S462X>
z;X@OyiUmRwUQQHF7~x0?c;<AGx>`n#`f=T|<US~olBiH8$wz2hY7D=`E7Odlb#)|7
z1ON;1iUq(B@;`9}!Ovt8yrc)7-4B2n?e3pW2QjoH?fVz;F(-i(@4Z0|Kwk9kbd%f$
z_y%zGm7)#@jery7<2aJhKIy^ikPnLXvW;iOimqs#2e|Db*0KcJ5|C7nx11Vqe#K$s
z5?U(p?<1Zwrf(J9KLKd^x>XazW40F09^=j*+1w4Li`+77e@RGw8C`In^pyJZEB{T}
z@|v~^L=yK}aaKPAh)y^O0Ug}(+DNf^zvFMk4Nb-5b{Dmvkji)CbAaD`Q|ZJMAw6iw
zoOi<&R4=Dw9$oi*I7YJ1mVtKa??9cY9QEGpw<YwyY<C&8M*q(w8<WU0O<nS&9pY~)
zo>_n-=a>+#(U}UEED&7oHBGC-0nn`^7b25$25xg4+xHRZj)rlicJqQkpv8hsxvC%!
zx&U+=8ypC4J{3;wB%&)9>VhhbV))1jCvPzg@!|k>aQqQFGjO+uh~R@ht`A+fptKVx
z7;1B@^vF@QP6tadUTs_q2jKDIyeEIsZ<3wkYNl`iBb#TyjqJM8aK51&({<ZPxEvbC
z0l9|j1YgSftsI2QsNu*73`2nTIg6_rJf}&2tVw42Zp)AqfPo~^4?us5t7Es+p~vMS
z_2c*YbBBZLEvtoQTTbcNJ997V$et04u_}=st>2UI*M~8@gaV4Zjh`v*fQ`bQrIknd
zsq#m9>`BXPpq70Pu+E%*s`DE;@mC>QLa83AI%@MBK-&u+*T1ZCx(7NzR-5V8M`-_F
zuYh~n94?YZ&8Lc&)==&Ecz)zX>OhA(EtmGUng1CS0+9a%j9rKt$8l<btkA&eRf0>E
zKWH-|80iAinm`D|=3)q<<~J1L&!i;4%D>!=i<5+o5HM3oY=n%$c9%SDz60@;w}2uH
z#l2l0aISO=i(_{Mi2C&s98=h@&Gy$QK&vu{-$THX=}<C?Um&^V(Ji@~9aC(Fuq<r_
z_x_|3JS+nKH#=!D@1rgWH(w8HM=#wmQMsBZSD01gK+x2)5HrdM`%^{e7WQU}H6`<W
zSkpXR#XNsWFlArA<_2sw1~5K~{3ECN)KR0vx)O=bO~g-AM*T>nThz(hbzKzgHV)pl
z8_p=^09BlKu=wuC?U=iJW`v2(v-ZnX>C4?}wzDS}&E{sU)id@s`n3V&H0OtfvS_1;
zICOtWUo6geHNcHZp&qJ24Z~@*J?BlSw>am`13>*@w;|Af@(ysE8hl309}oe*n*c_>
zrYYk10GfZ^g|%`JpgHZIe;#0|xB>Z%TCE`&QD!UEwKf0@w9cRT*l~i7^bb@Z<C(dq
z=#1@{09$eQ%j+Ybc+);7CXbr6X-hfKp}uUQVVZV{3})_4hXJPDO*;#WznB^IvN*jB
z$xMEY*+ZcFNa-eS%kz$IS!o-vSd+nAJ+|lqRNAQ6Z=~saT;i7S>Hu)o_;?Br5TMoI
zKKXJT>x^_+6gUTfTl4cVIxRS%I$59~&)RTyUBGZqb>58c%if|ZnpjfIRBTf);?k6S
zcIkYb^4hnI=I;?Lz5Bzt9el}0#d`p>>`0K%0i6?PNNy{bm}O1yGl@@8d058&2CynT
zv$htVRpX+Ux!9EjRFm3!U_g6irq@yjq@ccD-Ia>j<bS;<qnBT^RsZziArih}#1xW)
zCHi4Xed&IbA(4avG=KCo3A+MR&#4xP*{{DBSJRvB&D(UUxnj4gn3V3lD?Vn~h@yT8
zffwVxw?>SE4?2(flaX8w(jH_QS&~9W6G?LJ@Sz!Ph}!oZD-G<O5?{8|@wCGj?G|RM
z&1{KE?^#v^`EP2!elqTiU8k8#?ST=G2iLj(fTkB(Ms$0x#hij2RD47$GMXg{AjYGx
z0-<nvIe3ul&Fb@&d8u+^d9RITNcQRVC2!Si1__A~qT=na8`^7L&YNFUlfNsz`~Z6F
zkNRM8a&ih``#Ym1l2lTAHZo7aH38cSasf(D?I!B*hJmgJj#Jjuhio|m*B9jI{_2l-
zAc+7#M9;W$1XHN;(h<%+q>FoevFJe$k$~nX?AjYcg%M+72ogTzOrdE98nq<F9=>M0
zP*J#q@sz{XeHn=Lj6{}Pth(WKNnpZ}$TVihUZvKw=R1Xd12Gq>io0^$X?(9{YBSJI
zBK!oDdJc<X91l5&^UQ+>6i&)x`8p{aDoe5$zI|CLL#vLx5L56pGTm{Kq#G%@9F&#@
zXXHoN1s4rEPY96eOH*fK4Q|7Bd3SaxhK-U3Z|1jjSRr;@uYDTdDVTp*gO9fSVs?3>
z*sPTHP&}nxXuoECmqIF+c}*X9+i*#i;26#)bk0)6w_!GqUuy;N5;7}fj4oY=TZSQg
zK;#sf>4ZP>&vA|mRN$6yp#W|4#OZbtMbNe{Q%#|x7UVcOd@TZ8PE0ypw9|!@;WLS2
z59WAGZBnS3a~A8^d!hus)K%1b-u1+b=C>hd7!Ah&P}|TGECc_ErIZ|_w!P^XG1H;E
z+=DoyUZkp%8lyO@e((v=&@W`8tMz4~09P`GqN<uv=oc%oE+(O|$Ad?xMwlbkvt(>_
z6)U)Gdv(U8$@AbOI&7Em+!(s5`z5EfL2<Xd&(1a;YW-_d6`GBJYz;AwHi6Z8cHcYo
z3gKHd5b(ulhD?I{qUq)v3gzs*i=1wAvY4Ph3+HFKE)<v?lOyP7Hl95UhGVIq0!;0Y
zq0bC)(e*c<B3AIuMLR}VI+u3mLb9nS)i&_7ZfWOb)xF?y8lUvy?;&!Wm+p3@T6HTh
z;MC-avPVS4))c60UU-TiuZirLKBra&k=wO+#o^Ggwqu9I>#nx+C2@ytCkp<;L5i*y
zP36T-E@ruQPtp5+z;ogN%vk~ZC3%Q}o3*9PiKw2z_a6FwhNWl^t3tFntaiRziC|s(
z^;2spIb>qYUbmlH$4S|sC{McHog$SB>1yKOj<J4Nj79fuT53SqALUpTI~|rgA}q^=
zXPVzX3eQMMN^j%u-FiWw^q@ndFNq}W$|Xv_@XuuT`dpF-#9!Yre6@ALgF#-N<>8Cq
z7k*5kkDq8?7!O{%IDR(({eD0q(Q#{eeIH{0vF|D#&^1R_Z#tK5J~Qv)+nGznN;cEG
z2h<FXaJGh1%a)yV@LwumdM3N}xjkIz$AOu`{#-Z59e$KwfkZ%fV^9>*>FG$|53i05
z&*u&+=MaqnhynUhA5qFR^O?GmhuA*P%wRodUMznudLK@S{XCiAvch-uiA`RP-q*>2
z!t&^GMKfoC$jZ+yDw`#4rG{>dBJps<7LwoE3X6VnJ=(~sg;)FW^}t5%)kmN^iPcF=
z$JKxJyUT?}ShJB6+GR8<q)dV@8IY?rm34^6l1GO}jnB}oEeWU_Iq4wf_pAYJ+!gf(
z{!k_D;4A8~B$H%4TqP|p-@iVT8+KE@+$2TxS%NguBer|Bys$NVss1xnG?ww!a%CPy
zjNdUST8zNn<_G0dv~jFb`HhXytSmO465`ZNY1h{V_QWM=6^>UI=ZSnP5L2$!1{Jl~
z$Jo-bZ7J#HkM0B0%ab*dC45CLeOrr(N*vRxDq_1s&K;jEW>#u2MlyDfqm?-L$}Gnw
zyCwMd8o%kxE{M(QF|eC0Pwc6Ttd7}PTd?iUMJuFVFW5c5Ts+x;T`J;8+*lN}cWuDx
z%(PRE3j1u*>u<SP4>w(~UK%Y(G#s_)iZMXORj3{eI8ME6E%1CNuFVp&=G_T$O$@Ql
zRnwNSQBVafNSEgo^#PXS#pRo15!;z9O1N?QirNGCygb>J7`t<>vxdr}PAgY2*d9je
zTXT=OxG7INUC6Zbrj(-{s?VN-_GdT{3o~qtwQ|)gEetL>jl-xDdZ4kYNnTG2w91yJ
zuw2CD&hwfEST-W7z}9M$sm+Rm$1YT1PF}kn!TO7F;=G!sPn`U@jjbiB#$(mW^Om5n
z(Ol<DSZu&^8hpL$Xw)WOrJxUXfNHt|wJG8VL4UH2@;)(ozNjr6S=y34f?l5+vo5LN
zF?GDYoYtJ%4810ae!pXEzjoQ_z+;rfeOLIP!!}RP@%ns`ZQ|jYxuofsQ`fjoEt_k+
zbGrB>t2Lr(ngKmjwWAG%mK|J)DP+8x?oHirE=kA2njiN^D|&<+JnFS8d(oR<8-@AG
z2u+jN#h7Sv+R+4Qk!Z7OQM8hX{a<D!9D}nk;kQd-7b~3aSWpd?)}CS0Wm6ne{zSE3
zsUOrWAe;xgEjeX><_^D!M5q!evp1)7>Cl*QsFDa|r*zGK!TrWYFwbaLXzf*Bo$~!@
zs?z+07Oh;a{oAh5))`W|zOK=w3%N$wF$?TZWy^p)|FMk9Y`7IAVfMz{{m&l<&!Lum
znD~GA<8;j#RTk?d&Q(V1L0oyDG!=#$M??KzQytuC1lb+xqy?n-)~+Mp5}bk=sH)Nq
z?y9<do$;@k^B00_c|u$iw{afFr%*Z5p*5V{LVwfiXyJ;*!F!QZh8VZGU5TNQCDD3e
zRUpB3MWKR#tP1O1i=A1QI$ReHhVM-a8>|o-fX|WM<!3#brpf5Phe6o-HbWf6f!%O-
zzf5?r3@G<?E`mpX(tXa4(#{*JnkF_VaeWE@J|o!uPmKGSOIX<1jDdQvo|+6vijH5Q
zfP7tuXZI|!HVlXsbqq$UOk47}Hsn~!fd%1J4CPpOYpg)RtczFCwE1vll`)i~O5i4B
zJvqCLHO9`3TOy`V`9YOHOo6h+Xw=FOn;<vMRV<sPc(TksZ@sNFKT3bC3%9t26o1)U
zOUePyS^aW&Un--cziuc;#_U=cN5aGk0a0sk==ZCnp_YZHNbfgCkM_1<{mbYW$wN6X
z@mKY<abNoy#*u3L8otp|e)C`;7!Mh`b%&o7%xxLXf6UU|GokGIk;ZM%D=}aDD8lIR
z$6`Fn@4${`pIMjmKSsxP_txF8dq-<W13cNB9((Ejx8c)Q6czYUm+z)H=P!mTeLO5O
zQ8O4neFkT`I)4xG%z>2O!FKlH;n@j>YngPd^s!gexjkEr$wqhh7|YO*uCZA09}CMj
zTPa;IMOIL=wln%`B|0NxiprUzBQ2JPi%zlmF<b0qIP(X;eDkjzM=GW+_2?|_sffRx
zirbB(?d50&fxGW<=JoBbDfsCcz_+qh|5{YGFx>hA^WOQt<l_$mYj?|IA=@!pRxs1{
zb)oKM<6Lpop{hmV@d8&&QANeKb?>Mu%k>~|F6is8cW9dWnbnxKMVVRY?+0mFCkzj~
zqL#f8{+G`va9uQlRBli4987Vkx{rKYE|~U2*y)#RA;S_j-XlgB!TL1JTZCPM@}q{w
zx7#{{JsMf8I1Ri69l|_@*q_;2l-!Nz%2jn8p0QLXeQUXo+cV+m%Zw#%@D-C-_J16~
z3{rxV33FtAxhIfM+?DQxxSVWaZat}6d%UH2mQ`<tau_=1n*Z9Iel_YwXk)U8LHP!6
zg0BeuHSZE`uoi!K^@&L;xC?H9Km-r~oPamAW_r7>FZe6?w=Q3t-!?R<XcEGGfZ5wd
z^2nk&zj2iueTCV3of+pg9>!P|Q2hLtII5%LqRqkI^4HIL91U7CUB?2q>A~;J%7t<;
zd*|~bpU@pWM)n5e$O0pNoJah8aKm;8&TO)kN{4*@Ybe=`a*&;#PJ>-@xaImJ<X|#3
zc;`d#NQ0nBpQGi^AAATV{MW$gn*n?3L}w%9V5Kt^vOjk>M5g51>7$P|JUV_GL%2%|
zDO&nRC_BTK8NF+`Vcsxf+(;s}JeV2Zi={>P>5*AJMf^BbdE_*X2DU$;$F?_x4rNpC
zVMD7O`S5bt``-ogTsvpnYi8Y@UJ89$a?sZr+pQjVU+06Y^I0;e`6_8SlN`^`P%tZG
z>7oom#q4NiZZN{Pc@9xrdPqK(hBFEI+g<3ru1;FmB<+~y?Te0I`YPmpEs>4|)g+7L
z6pIj#$0WHh4{X)H6n86(r8=0P8XJ&U(C)6ddgzz8<=4p$Ut_02*eValb@A+^@KoHS
z65s!!S{p*RoHmU+O}Gj}A;UjV>MQr+x$my|X;nR0$MJ~M!CX)^VO~biQ8Vt6tp!OM
zmNplS*b%3HB0qmM3K%n!+8vI~kXU+#cv!(LtzT%q+GMcT6l<`PW-zihlD9uXXs{h&
z;Cipypu8$*7sr!&Fk=SaG~;Q5ZQO=CtQSCb3uxEI64pv<_m>c`TcYq4V)#l**F_Az
zZWjHnp43jJibaY+ZkB$8q6%ulZEkwE2EEI@oIF1@vM~7g$LLAp7=sRh2xb;N-QDUW
z3Q<8}XwKY7k7|5yyl(t7SihO_Ovt)xhY@3uvi^y|_zu1;cQ_i2j8waK`ITstp8vlF
zvPnHZ8Rz9o$pVX><V}$$w7jvgh4;#wAvaScmsLz5y|0l{bdJiE=Qca4@Rbv0<r6_o
za)x5ajq!ctc=dM9_)bozK*DN32_r-NvfPkhNhbD!13#m)KCVH<8ufhfnH+yp%iNG}
z?>i<nJ84p%cl2*h-6djGD~nW$$ZHMf?(OvycXA0O2*0yRa3{jV{#5{?zIddpn$l#h
zUMixzdJY}R(Z_kd#n{S<bQ!aFxqUrTL|z0tw<gpfpt@16pCB`cr~B;|cFss2J{$!d
zzB_A8!W_q<wQ3}JMO7bLF=#pHHnCGkbFD??z4X8P&Yc8f^WB$8s)H#5pW63~R26w!
zz2iV*`ND=1Cf|#aQcZ(Vr0qT2xSieuWgEq0dnbMGOYq(u9pbq;2S@{Vfd&KLs!)7D
z%Uip7!AQnkQGGR&fpkS`wasa%gK31kjB?NmcIxMa@7vrZY^txU@<yzzI5)VIhca%h
zw`tX^H4yh3(JehsAxv*W9xOyE;dL71y5_phhAqpu$yDg_41T&t6T(09exautOQ;L6
zKLAePhNQxKj~`L6A2UG209k4So%be#%o@T;TDG1BA00BdP01)LL2sMm^%`P&BS4Kk
zX4&TQMTa#Nvg)RBDj{UOzgz1`H{(I|gtc&gSOkH~=rrhyKr!A~n~SH*btW708)3aO
zfeX1xA?uUHS+uyfJqhb<(ySR2MLP34UVn2DgGstOtZ^qj<N}jSlCd9r@s%+?s>(~w
z<jaSp2mHXY7(8J#bPC=#SQrvM)I%^C1pc8Mp{P`uOs|iUZ&RVPS(nHiT=w5N*!#On
zRJxgw^3Hz9v-h*>l#wWUXC$dwY5x76!MC#s=23V%VSz0PwZQ2HbwE3ALuQ$i>&jz<
z;Irtx_|Ds~@3+U&7u23#zKM!@t2W8Nak!UwxXyL(Hqq$Vbuymxy{PK3l{`vyx423y
zPVJVSgpF-<Z*mLOofNUfJHEAFgElp!)LLY^sI=7cPtVa@=^AbE=;{3-Nw7D<TB4t^
ztK#Dxn8uy}tl0is7zYM<DO^3z*~sN(YFlt9M|hZv+DX}p$JYubMd>#Njs37ot!L}2
z560UbB-*#04Q}H5F{6o9T5vV4*}m<ptG`aBHz!}ZFrN#Bebwx)L}<*e6#O(+dl2z0
zpOKtABZL#v5;i!*7{FImA0=X|W{Y<=O~UV-&QSU=mnyM!4IUh$_S*#}i_w!ZJPw&$
z!oY6yGB@9I?Y}FwpEg8wXDpY|N!NFyLL$C%bWpzTH7i(8I8TTYSX8Nj7LUgdg3t%F
zP$s9(a#%f&iZZ#SJbz|Pi+F$&>B+Y6=*NvhQA!`zn1<i=B*o7^N8|>!%VwlTa>g_i
zZ@`g*P$ZWVX+L~<7G{OWK%5+8jgb`@?0_UDh7!+QLQ8(5chE~+$Ysb=I8T<Rh&xe(
z8hv4NzE(9Tof?z%bm8h}yJDG&F7yrY&ST|BtkRD(Aaz-}BRF?(TLG*3Z1BpzC#r<^
zy(cFt@K4!&nnY5-q$eMtT|S74bj&@T7QN{_WXqttuK0BqZ81~BcJh|)AY9r%__OS4
zUv<0l>W?YPTpjG(dP$39zyJXrwn|5iG@P~dtZEX|!r|u#_v&?mvd#BI`){*9w7$;t
z-9hi<qDR;yL>a!UwN<mLpBPTudXrd|7PxX?p7<hB;VY9nGL%D_u9G=xcI42|B4;7j
zQ{=9genFZfcBoZ+1~arS45Ed%X^{2p&#HT$mnvnq_O~d;S11qy4jE|CM)dGt?Ez*<
zDmE=Z^su`6{J#g_60?IZOD|YL)H^5o28`BYsTZpKz51v+X5wmnAEn}UDtUb^kTvX}
zPtChE1L>Nd#T{@yXa!GosGyy)Ro~9MeIP?$frGeD!o$@aBX;$@thWn;r@~&SF@)TB
z{O$gs>TC8hRm#dLOukj~=5Wf^K$YD2570hizwZU+xp4FuaXhcM7BY!$=(4@_8$wK|
zL9CUPZQge3_7`2FE?2SY%Ffv*5$hGbf<02*uXgUIXkcFGA$J<8+d&jq77y%-`R!V!
zR`v7BTT)Y}gNLf7&gBhxY)8Rev%qVM88B|<`xZM&BS+9*Kyu+%NV3?1i$;X*77~m&
zi5|s7R%BITH{TG{Qu-cyGM{~y6)#8?H0ycP^_Zhb;%6jebM@cJvmAm*W)>;R5)K<d
ztJseMG=k$$tI=?UJB$^wEyISsb9BumX*s$FA4O^lbz&-8K8!VM(auRH2E$Rvt4DF!
z<b&gQ=;-hNzoWYbM<46EWD8%LL~x@U{Qn+JO0An6DBWO&U_1}UJK3eyx=S5fd|*Fn
zv&gmlr4DBgI%d8}&GT4Dt|X)FbcQb(MVH&a#1}o`PV3)m_i2UDo3w}HmQWB=#VY?i
z^3ZGCXuJBvU3)mUw+#^T*gf3tj6$xy=)CPQVNi8-Hwo)H*r_Fs8YrZmKpw<OmAcMk
zjKSAGLRO<jc5o5s&pqi39dxFc{2-3~1}SsxEE>x~EqA+rnSqY2*FHla9V8F(Y7v&J
zDcNBZ!ePW?XdVmwJ*k=&C##h>M}9D+Cx6W^G@buwx&9Bt)ArxZ4>GVLquZac77H_5
zb5zxbGsWGop_y8EqO<ja7~|SR?WgSlF-XZ$X%?-9FxJ|2a@PvB)r2l}ZH%h1MzEXo
zB`3nF==J7owoj{iY~Wjevkl^1{(R=vbaGjD;9&Xv*@n>QyFMkwdk<}^6zn%EB&3Gg
z=?y9*b%lJJom=V0qKxKq>1lj-c3Hh`ijJMPY7++)i-pVZ31>(9#Ukb=c8^%Z)8NH-
zU_%@GEgGGw*rD9G){BoE+GaKyEO6XUm4mFNz-TK8O9Gqapy0tG{DQRUPtpr=m(oYB
z8@4gFImK(WOkEpJ5tQj>G*UCk$6jbX+lgPGsWjk+PF}b5Gnzl|``NQV1-N9U<NJoX
zZCfJ=-PrPr0&l3$`z>#4b!ZAzj0##3db#qSn3o;MZkM^KAuVJ){IkpWs;*s+91-1%
z1r<|2b$X9n7Ik~W#At>~W}P`!0jlMu9kv=4_o_Co^CyTa3c^N%$CgTXT6#FZ^Z62Y
z)w4Ok<ID3G&~K?5wnP8D-z4~zE2mHr?)aM_KYblLyxdkj?@+hm#vt^f6V+#6m$hs}
ze<59HDpi@+(pcTn|GH(uK^eB}HR5W`C&$Ed<~(w@V9uLml=IGayKa0+<`S)NOER$7
z?g)188DNJjqy<bV$2^%oz{fskzlg~ZnJICBypz*_{lmsEmX|~|m0VL<kUokQ6t1}N
z?KVcIOiI>BCUHa0F*6Xc%=b9EJc<%tA_|w;Y|X1&E<=mhAW-BV^r2n|eZ<Ma%q+`#
zOar%(w&P$863d;-(zC!v&@_$;s(&Em=ST~0TRFU`TJ0Q&H^Ai)C25@Ad?_T}|DvTR
z-Gc6r$@Qi?!cKGL-q+M;U$&6+EMPF&PL<|LnO4S7E0AL3{@2MZee5wUN7M}jmMs_C
zem}?+W3*!qj<dcrT(v_KX<nQL`u+6AXz3<}B@b%?Me@uK9jWwE8@W0#Z<ZXrxTVhe
z&SzZs(F|v}^ISYlaT-<F_l?-sc>Z?m-swVLuZWRMNb6H^6W`|Nv=z}JlD7%4%j9{5
zIYnuk_0>~zmKsv8f<1Rat=c@Y9eH$IFf||0Gl-|$ujhjWzTTw^)}Hn4X4r6t=;;!g
z%tcl$%p}<5VWSoE7E=OS0(L(Nrd47usLI50Yc?$PRbvGS3mK)BE6wIEP~!(Xzp~3)
zzwm^8eWD=Pt!_Yb;?a7+JeyMuH&38;U~p1E#iJVXc&nWj%0;X@rU_KPPL(<7jcEm*
z&QtGpCYdxnzJ(@`jb9lM74k2(Qb_1bq2xpoeHHHN8+5+6m0o657+k;{zeYH-<KX_P
zr4IF6N>3+G{k}Zi#-nb$7UA6&l2T0TZP1L=m#0K~J0(iK)>>>l{9yHFtSx+8I^Kf1
zxHFDR4>B5dHPc9dcuAMGLNF5fkcD%%;BMil^IFgFf>J+E|C=~U5511eocNAAB_q<c
z`l=$BFSZhxQ7v6(GxcH<vL@;2Z~f)VxwWU)@U&U)iF5Q8Yo8e&&mm`oFBhoug&>!+
z+6T83f}G~<?{@SBN8y>|!Xcu_aE<DIT4IC9uA*|04o+-l)+!bAsKxJX%U4{#DD+Vy
z!A)pI)_2<q|3|FShKrbOCdIQ-!`u$ca8rvg>RJ}xf-(KDrsJU94!h}Ea<j#QfqRx4
zg;?PF5H*>J+)mfl3pU((n>v0h=2&{@it1EIhA=R^f9qJO=VQ*G(jPTnY3s0iPO9ls
z7`pA+T-L$sd%Gje(|t_==2G6y{M=%wsFoyIo#0{{o$^i591fOBWTZ%sm*hr8tsZ^G
z6SaB+hYGIBk&^SDyTdY<iD7nJwSua;K2D!c#&i(}qPh99*6-cXH_}6JC4WOkXc&CZ
zs?B#uuw7d6-kFX#=pUH=SV-N_d6byNo!b)U9KC+zGiN*MH)H0czgjXu!$kUd=-uTi
z<j3PqZ9c>25+`CQXRTS6A`4l)(9<<d(YNdJ!2LP>ZHJn+E>)NBIfw3bF>9%*MZLHe
z9@X4wCbD2?RrEO|mf6#FqBOpJ;AFJ4$q7?m(?~bEW*V>Z!BRKZU%NOp>|(1Xoj6g1
z2>hAwBlXCkYVtAKzVhCPK<VZspO3a;Z1Kp#SNx@SQH(lIlskGGt6K(9PH%=oANKGp
zC|Qc#&WJ4(<*5oVhw$h}bqUmJR(o;H4OX{&LxHM5*uQbn<^v_mQwuXCR^bai5z6lm
zDh6BaF7&ghV`_dl=$0Bo*WIr=HX`^+Nz<Xo&n#KW<;xP3TV4hgd1~BJy_1R687iwN
z{R(5bh&-(Nov0`G(PG1Isni|#>?>?PTCUulzQ6RDZ6>B&-S<=>qd|Xg^m<W{VA=jy
zl!N26Fm20x?YH3*#epqJoBouG;mDVpdbOXzxR<ji7`@s)@Ju?{1#<_-AmlGPa!YCG
zudYrqR*$8RoMb_+DVF?zSy{xVId#h<G79uus9qK+?K<c2*>oq>VB~(@Y*r9Pl25%H
z=$<7;%Vg*jgy&{fj@)$*zKH$Gp%)s(?Vx60iwwm?<AMB+Eg5s1)Nj}K*!~CHm3Z9v
zIm<`Uap~u&A1ZdFICO>S)JIf`i7lOqhu<s3K3Rs!Rq)KsQ6`<FL$dXl4lUVzT1{9Z
zol_@17eU(8j#^-=9Z841a;VFt!#uAHj!3;w7O%c|MnLVbsv=R)XVg6CD;0YFt+=HG
zW#P?fj(8UFgqNFh$<X-Q8w<A6`b#cm0qt5+aplpDPRgBUhQ+@w3Hgh1hbCJOYE7#d
zseN>lvHv*GFW9u;nx?mZc<u`gdFkor9Tl^UE#&(fvltennq`!#V$4^GljWk3@dhuf
zHH4?-%QqeiSPJr(cT_|NJQ)}!`l4<yO{l)!9P^FBFJoTUdC7gybznGm)d?||Xt#Wh
zHtJ%a2FawyarDr*+Jl#pB_^~{xlu>WP0QfoaA&Phuz96$Ms`-~2E1?+WI0j4V`=b_
zeavte<&HVlQAHlq@zx(_$Fv_TzXqXQ2K&GFEeb>Bt*lSAtjJbo^HaV(m+}@8yg{vF
zCTTl1I1Kz?KhyCif5ylE+jE_p^pgv&XpbrP5=Z-$;)FctW~0*%nE{mW`o0t92?S|g
zuNC!#rNj=zW#_6`Dhs0WL~}42gY=bc23mXO$+y>4ZEHUo(CQ|3LXDilYMor~b~J3)
zp~-7B4=MsM$=&IDCa}DH4Ma<yp2!9ks>dle6!CjI#;r+1zpxo6QiKQvZy@^p+ehe?
zEv*X7jIozm!=XY0L+=}>=IUN6XD0f)--Pv+Ak^Atpu!0C>FeX05>Iu_(i3v@j7qwz
zM1|9zoX@2VKs~L#ck=O4!RF_e52sxpEewB_9Poz@Oo#-1)KSWDR{XNgK>3HWv&fEQ
ztfNAOD1VWpW3pt-*pY|u?^<P3;w3J_n&l8fMgpsuDD_4DNOh?51LP<8^#8-#dxtfZ
zuxr06Dpqht9n=7k!3HP@4!x-;SP;a3s1O+GQbI|g22@ZK39%qWKtQBRB4{WH1QiLr
z69Rz{A=CsCS||yDvv6jd+539;_wH|>ea`<}K-OAW>wfP0_uOlir|WdAi$p)(Y8Zb=
z?#Nsr&qX)so2-LcR0B@6Lr-h&6Dp-nkF+u+yc<D*`j?NM;MgAhFk(xag-0)a==$)O
zc`<8fNkaJJx_KQHbOHB%x|OskO*Zb1p<w$f4R1SM(k?G!l1>is8N*-fxBCY9=7e`J
za-Kab-up(|8PTzeCkYCii4Efs%64;2>wiBa@6L=OP|QQu(WtV^{44lnE0J<q>Q^%<
z`7<(+2LwI-AE4;Xso@MQIThw!NOcZnUAZI<4LfK8rat@$mh==8rAf3L4RZd#z0)Cc
zPzNl%U{VTIcX_309@ZCZTN|*$J-AgGQXxF_KBM`f(_=CIffw3`B&jHYRo@{9KPWh-
z@Sd{E)!s{*cy(jKJIcEb!)nXM$LkBPri|?5>&4$PKW6RuUNU7YunodHVH6XL<ycm_
zW0m<lJ{%aD5wv|V%eOWdw8<LR#X6p(fmwErZ;K>_cZFW|Cam;;EBZ;bP1QS=U`+`i
z?BQrc_=xPHbU0m;CM!RZz)qtZ?=V4HX-){1AAI{UTxQ?DV$2BGqOr&G_|xfNuS2Dk
zoR~=4TKQ4XPhMoJ76RQpe2`eKqH&3wJ4DdkA-jP{#DFx)7zExe-Xi5PnX2_E*${$W
zhiq5*c-vA}Fs3n*L2k>QX3<ACd3Apxn%lMLCk4<ws&WgHjpoO8t;6+>*1I*vwN{%(
z&;5$kcdyC!<j@1aMM-K4XNush5~bId_jc%X^$9<i80JBQZ3!gX2gGMhDXTLblDcD4
z23d%9%INW;D9wer$EhD_eC63jq`xW%Lm1-7;WB2i2F4!FqvDf$Kj`?Q_%<`tBls7}
z@m7^n-6s0q2AAT!o)5p8{~BYxWIx$ev3xD~8<DOSIWfl0Q)V>8Wp--AJ@;g^>E+J{
zL=Ut20-|3xWvXU`e7qh*aa4d13uV9vtXD1E{C>`ptqZZijRAbZt}v+eWP{_|;BkrD
ze@7>f&&FRgCCnI>pJL0sBiIi&h3r0y7A0&&(m!_YyqwLuYD_Mbxhl-+*R+=)wvJDd
zLfyeH%LE6&IilJ)Ma|44zvl-InBZR+7=8^dtJ!E1C#|>srs3C1sREzMR%TCegtCjn
z+Y(Cs=vi9Uyxe}#%Y9%=%}tY!j*{W{gbV&M9QTG;hT;n|ep{hOqfUygu<!Kfv0vtf
zk%SYqQX{!SEpZ|v-koFFct|(u!KuBcEF4GC9r2ZrC$wCGpM+C91@uVVnYU`dL;VEC
zJ`kY5otyP%!rUj0<*VL3T)4Z|N@S-wlmDb@i>I!$+WFss7kc2Id~y6O%2iX=)<Z9|
zp~me_Bhgokjs=ce3aq}BgYqY9b>C;&(zJ(FAr%~7P~N*CsQnhwKV~o3heIJozvk)j
z>2voaTH#5%01=tK!hV?9;lBlvRLEYamFk&5HG9o`()57pBMSZ9L()JEikdV{zNc+I
zY-qoY;3<}_<!_+!IDBm4`hIVyf3U95If>%<F`egd#Mn2Nbz0xA*5AvR)qXf`k9^P0
zsCag#rWc2#sOLhBQy^J&RaX>wG&+?m-=+KWd!5VXZ?shk<=)?+g@c0hx(KUfg*b8I
zPZ<f+6^1$QiHG^?*6fnqP+Og+pt|d+_g40$sy|myd;z1eCav(r#8k1s>Z;x=OT+Vx
z_q^htnf^4_pyzAfC%GKUgtI;a30c{S4lXZT*@aR1xGms#<{z?imbw0*{ZJ*H*wW6L
zJl&GjkcXy9eZl?xg?-a|e5=L|LUThY@Twf|pb-r@i0Dh_=Gx(T=SyIbyZmNIQS47*
zJ$X%u-ZzxsWFta)yVqD=e{)<e`7pkvGgwyu4?d&>%F~B3<%x^+%|{JK&Xjl|sx3ow
zhzVQQWa#vajs(nO?ZOJI?nEbxLAiKN0qcfWVv&tAWO^4wEoGHaYHcG!_w#vH&K-tJ
zof_}uGYsG>X4RhYOMUz*kz2t~KVP0RnLSt%!L}~QCt9JR{j&mYV%8%HfzqDV{NkDP
zS&w)vhhFC+kTiNh>2#Y?nD~pD4<JdLLWUU;3R}B;@;j$*T*|f~_Q6y*g27vGa<c-W
zLwu5$prxE&gdTO<^6Ot3Kz}beF%Ri^XgLj{sqT5K{6x|Y(fRBbe6ial>-_+|`dL#w
z@+3iyp6TsHd3$*wqp8QX;&iG;xJ-&@ES5p^CyfeFl^!+%;MK@5%cUU02NQX!?^f0e
zMl@#RvnU~Nr2@g?Y(m-Q5X&7;`Pz1((^$@{FT!#5ct=eJ-8?lfKE*&5E~v(-zG#W6
z>%4K_^To1d*tZ!tQR!owpp%;6`db%}Ma7JTeCw~-p6I?^?a-r~S%V=swQP@I$`zT1
zd!j;<-9GUYb0ExVD0LZ+qD{}t7iCk-ys{`e^SBC?<uan_#xB2muhB0Q;KcZYm94|W
zi;tlpomZUUEIDYAD>DJfx}HmnS8K;e&O`>!vB`7=!#y9&ekr|P!PK?VEFx33vlZ~H
zJ!egR1W$?|xB7&1yumzXhwM(rJY=(1={^j4>lHxH-uk#d!xW^)CGBj%r8&Bvx*;5a
zZmR8Q=0td>S*jQ+&M80%xQ<ByDd3*Nt(qd(u55v^I9c&X(Rm%6-aPEsKEA#QziIU1
z%cKLOOH>;^E#Y3xdTlWCfRQ&gd8BM`lWqP9B9ytOwha0WMdBWi0^@ZebMc|tkzd~>
z9d*}ipX5h9qj@Oj7WAI5v8~xdMU7|SC~sp3PURJX$>mphycHFTQTqZoWAWOsac3!N
z_8PM2rsG9J+3nSjJ(li9Bd%%A^rC0y6=#bNf_|%XFPpp0I62dhz7we)SDTlTqtU3^
zuD_{>z+_9+YSQ#IWucAkrdfde%}O}FAFGgsxNJPVab(X*UUSV8oz<{Qup|eHC`bPo
zs<X^1${Ca7gqqgwv;8px`{;FVfp%q?Bo*Sg-L@{w+nQSE#-`ZL9w9?%x?k<~616Y&
zIP2r(Y|j(<K#HXQ!y7i*qA9h~-Xr1@;!<`Cwig|ROzlm5v2n+M9dYzfgb(`fAJh^@
z?Ca`%s}xxCd7lHTP-pa9)HfCGimKQRKezJS+30S>%2`puxzhf{8ml7MLm%`Hf&RY}
z_5XX9RNrJ#r{=Idoc`H5ggoCP**l(pn{V|TZZBVk<q`r0Gr*;UpKQt&@H#R*1$gWa
zb^PdsgU+k4C|%WYc1w!DlM6bf52wk+0Jjoe{qyP4yyMVF{Lfzl?1M!fMC>%bGyB!{
zNP~v%K*ossmh2yMfd1ZWy{q7&G94GS;UWz*B#D~awESHh*LT0Yvg{_0{UMHZBLJUR
z^4K5ZSnF?bOgx^oOwKdK)HvUVW{h5gJJ9&QOPJq!L>Q4#HR!aPa15RNaQ(zUH+-Pg
zbt$izx=Z;7+c0nW-ol~kD<wDI{)Lf-wNN_b<Njp!Zgj0J<=(bGMKbS0BGdVJwt$;M
zyt7IfW%>tPd$*u}H!V#0;#t!%N2b^%jRpO$PJ7~^j#+{4dFv-)PeuaN-3|wnvn-r$
z|7;xpQ(N+l4zA-EqLswEb>tCXs9U?@9{O1QxJt~c`_?C8()v%VLxx`zw%Knc?4J!{
z+TM}xr=Fo=Cg|d+unyY>c6z>G7`3!{k4z`_`9?@mQ?v3@v$4VROlePJwKwwxH$0Yy
z#C@QXx#F9a@&(Y-hL2Nnjl_}CU1P3IPEjqNVaZS9c~Q9zmX7QC#c2kbPcyLYRa;7~
z)EZZVpn33$qMHjJr?rp&H}$a!s_=@)ANi3bEBgAjtHlCogwaK?3L_3cu<;|A?2!J(
z={MPATCslgbA_7UafZtU)7Cx0$`+Cr4OH-Aal5RPQ$-)=Zs@23C3&B|4TM#=M{v&E
zTDc-)6v9_GMy`bSQV8{<2qRbfEt)BRk5uoq^FWH}n3oz5B5m_yA&DDM`#{eRNH1M1
z`Q)VzN&_;`-m^XAL!*cPKD~_yWD?ZVkL1B5^iS{149WMss~wglSjT>A@0O8|nroBM
zGDc^ZvuX$}+v)EEQK{vxgC(wiq#56G)Q+4;ub>lQsY)5DHfN<yskT4So6nH}yiE@l
zfTGv;iPtrs(fxL7+S-(J1I}xa73G*snmBU(_OgvN{8t*x4c*eKgb9GlnfjqtvA?h5
zXlT0~jnw!dSG^h;tb6AE1usrOUIFEI+O*w)jNEQaPN+_ijcW3f&yNoDI(9Uj%BHhe
z=^g<S8L~cwxO<el9${S3(yarh>N&IP`v8R|MJ)TIA3Bi1b=F*fzylB}h90K+NBSJG
zgV{oN`#<xRlr_)G^HIp`a3^Lz(7QEK*n3hi5+x9*?q+}7pARZDW2Q%k`0A$3U#al^
zRR)pX(d#ejG*E=|)eWu+pPjIRUD6yrr2bos-BEPtqXj?g*5YUhoxM(?Z@;41Rid+D
zuDw4K6COY7KcJMl9hyXsbXrs@4Y|tL^HKiwVsnMVuMFh7{1XsVzNrq?qz0$TLHI!d
zd-+CdJdIj>&^{rX%aW$XA9z7ukd|dB|6*r&UQ>hGRW_s0%6qJpJ-fdQI=F7mx85o0
zQ)rijy<tR6y<@cfVq~ga%sWa0{$7wiw)4c}o0>=O3flrE&ZcaKWz_dsztrZs^3#jY
zcL`^Muo>)pv|L2+kK3yGdB$mNa@)^<@#*DqMtrQSX>U+@%GEHWeAl>c1knPK$CS5s
z`p~PLX`Pnc>!b^vNI3u=qZHLQ@vrEEX7WIRGV6viB+61+E)O2mAz97e2K!XnOiWJ1
zdmX?AE&c*+{CZ3oDV<{?u>`ze-FD74pv>VA>CE)C6hW4kDE~dc7ppm!)DugsQJBPu
zIPg^=E|hefCaWayH{7U!p#+}eXVTT#mk;u0cN}6?-zSd@Zl_A*6gR(YIb-Ymp*I4@
zo_!u@@j0^LLe>@xMmQMyEqgF)$)uvD-_e3K=oLqKm$ZAs5=;-Z9yGKYAu40^DVecB
zLzmZ%NOSL2wth_QrT)q7a(w_h`UgW6tjOM6e_P&?1Ne)Et&1)&7+jsI(uui|&D)hV
z*M`?fIC=PT;!!Yr^GC;K{~QfVBF3HC+oMJ;8RD-h10ttP|M|<E)YmxPPtXwO(HG#^
zG?bVmWO{te;m8;W^uD@*qg7h4c6AKxg)I0=Aj&FnB{7Z!=X%)7E7eA(b%+&zmYo;U
ztzp1yh8W)hZG7uZ^A|=_j0GNz(oW0T;_*BO)y$S$)Td+Ij2Y<Z$iauW164RriICDp
zr)`!b^&=s%HLFK=^J`VHdh;J?0ZRnV*-$`?YPSur+NjtZ_`MZ2anhMMufffJt<*E%
zJ4l`%4Uo3dI1K*s2i^RqJ1jQ*{>)6c8RK1{#Z0m1>!;b!qa5)sFvrnSSlxZ^E{WUj
z89<Ez-RDv~ci7(<XP0K4)ECnnil~P%NDMfd#3Y;$m2q`6^Fk_8&!VXNuCJ~`UzRu~
z193EHe^QPW<Lmsk&OmW<tw0(dnpT6nG9W_m=f+tUliB9f1~V{LTjW4XsB^7$azB2i
z_+n_Dq0f>w<K<!1Y3)f%-NX6QZ~GlpGxM(@9bK=yew@2_)r3@Lpf5pfc7Kx4fmxH8
z03YH|Ci!Z+l{nc!3cNMHXzocxki=7~;L0u$PBkCy5W(THO@0S^c_ecD7*w+*Im5CA
z)wg{$$<{-<VR<mY<j6^WWDIf(?H~7CH#lq2#T2AWT^hLnI!2|g5(bEb=_GeadUTs1
z>S`87Y2l-V5Phbm^GL~j6KUJWfq9()kP)>3yA9Y1DBvJSE6R3h30;Nfx`c^rkPO)(
z?nHZA&vo><njD^Xp0|N{USDUoRbGEyC1r=6MD5aI*S?_Oq2F5es(icU)ix=}I^8_E
zp`;f{D_snrYMY|@4cdoX7<v|@XE3~Vbh#b;q89_!GpJ+SnQ-i3)Yi@weac+A-^A2v
zPy5n?(D9Ti$0)O><|(iogN}zYbbRlcMVj9NJs!{A+_Wh^=`2|(?($T?V_ZcDoTM&!
zEW@s46ZwJ(zhU$q$Eu>{-G?T}Ye?F3f<v8c>y0ziNi@WImG_hezmige6O0HdVo)Fb
zNwyT>j)ANnvC>0U`V|Ljf6tF~6YQ8K=Xn`am1Lk@F~vlob^LLB{y9w(1=71wq=HAy
zZ!K&cM2iK$a3A^0xc1sIF!IIThg7LZD}tZp?VCEZfjl^CWquqmUio7q5a4Gu{{Gp~
zyAoAFLjU2sO4c_uIStu-xY^q+&wpB(-g?7tA9*5B<E826mF6S+(1!qkL1gjsgGCqg
zRykYsA3FFCK=l8JjQ)Ea`QM;dTb>z_xi9dN!}%uuOYS$&=STWzj@KD0{C64n461eE
z8z3eJeArx>zf$r=T2%}Mc!5%`z3Z(XA$c<EQ5bDJ|BWQNdH?06O(8s|`QZej(j37X
ztm#~^LoQkKuR}ALt2Mlt{}eN)`T|InvIMsBiN6ZjX9BhzmPRa&QzY!O*x5d!a#ZNp
z6yXVDLoX1>lSe5W>BLvtA*vlWXefvmP7DrD5I7!!{8mzZOV!pRrCK(G$Cd#8V6`0j
z-QFsIVKM!29Dyi&CtD75M}jUq0?Ar)TT}Ycf^(=lYMT;Csnf01g?OUw>Z55gtIl@c
z;j0_fy4TtIt3iHO(m)|K6LZVnn>XU%$?=W1mwWwRW3?Wd6?W-d_I&>#UpICwdIuha
zOe<gxIsW$_R4q9({B)ETkt6;aU1;wox{EPG1Xp;!y(lq78^%fGaUGWrzXA-_4NQ{L
zwzc>>Kcc1sydW#(3#u-WJ-+9!^gAY3Y)SfmDg1_RF!ky~VShTN;m{dYV`)>e6ZM!c
z2VdMZCaG(p`iV(g3D`erH`f`QYV~cY#vcPJ8UyT0VOI>=LF3iY$mq;{<5`W!4q6Vm
z`Fu6CHyBLi(ZeQ#<I4b~-ul_!O3>{E)9WgsjXH93fj;FIMw5{&dukFBR9{BBZN?|x
z#7D-{r9d-(#@bK^)~;4{oxU%&somU_d&^g)^HLq&f>x0SbEjjKG4T!8%)!#<a=|iY
z#<j8%5gFl6C=is}J5>6UL>By<505;h*sEjX4(?Nm>A%j0Ebhxu0shOHTMI=Gta(oa
zFfwN3e$I-Pe9Fh^gfcLZ_x$ALef+Ia&jbakN#Q7A^MFyVDtxM^=9j69p=}QX4CXB)
zyXg|P9=3NPVRgH83%p5Rql?^`oq&qT4u<tlT^hVF^RWii6o?>#`%U;HN-3uo8M*5V
z@^7|nF9g&{1o}_{nVsPhKj$rAe&h31T08HsCX1fq1rp9MxB)G@S4nTPvbAuW9+V;x
z+ucotpPUWfoQ9W0l=2XkPp88V{f{&2yr{&9zP;mYdPZgQWw1*8<fjqz=+uE6!`GX@
zx>E^VrTNXH8A9mjee7pt)eP(be<x#B;dZM9x7P@bEhVJc&%M_S1v1}!Euom(!2QhR
z9~U*@43*N=0C<YhdJz(5;h;O;Jw@AJbkLElUR_FXG-~=xoW@71o0ywNS+&J^q__@4
z)fbZLE*V8J?iukFtHSc$c`Fg35R!<^q&-n~F?03yVzJtL+WGe;#y&lM*E^|Z%Sp>8
zTQV^jz4%3itdtPz>u2owCed`7hU`)LH;AUe<#fZtGI~E<MaR9PTy~b%3xzn>7*G2#
z0V{BBQL$fkRMDRGYbB7;9{VL@y8A(1FM5C7MM^4|&s_TE)yA3Js0L+1lYylG;*V#-
z>!{qFib?&qMxAYiloV@?7SA{Fo^P`?C`d;`9ovb9pV4r&?#L9o5!HQlC#F+Y3+_hO
z+(q%z&Q)Md2-y_hbEEka%Mm91{#Wx&m)hET#t`#e8ZafaqgZjw(BZ0@pB|+)G~b)3
zWy0PuLaV(mk?Rqr)$cmC5-<%&Ro#t(_VRPCDH+h7N6psQaRs^SD;7prkVfFLQ%OUs
z*=%eu*fl;pQ`P3@?O-e}^c?jBD7)T`6<XF3S}@;lf_coEw&;ls0nU}we>hjpryAve
zSLSL|d$uE6vbuYVEV^_dIyWUU=oj+s7WUFk^q?iS$j3=vB39is3Z4ttU!?Pq-Op;3
z`B}Pt_^8hENt2Yph6+U8Lq&UD_EY8RxBdP_^5Cp7hY<wpTJJY3C6oU6%0Z-y+`4to
z$rsO^v1~jQpA7(?`s6&Y>Zq%XhmWvAWt>g%R*s>DWq(-j4#M8!jt;g~7gdQi;`WLy
z<pg_oj8m}a(f6n0v`Cf0*6J;!Lf5()$a^E;LzlRwCagyzhGW)*5rSCe54F<t`t4y6
zNpK!CP9OHa%aO&5-*S`za?XD^m!628Z#raEs*4qpJWX}Ef#io>D}{M=X4Atp`soP}
z<JDNWIf%fNLLkJi-owClkKO%-(x%UuFKwL56^pBn7#yA%s}AeA<prrctMduq7wBBa
z;bWU&qkDv3cXS%!xvm(wg;yDKRivOp<~G=H&$fU|qg$}qY5GBK_M<<Eg8E9Wb^G_T
zW~h>`$}TBT$m}_dV6YWsax;IRaKX=F^rlP;UDlXbf$ON)ICO`$r1yrtgCYIQ7PEI@
z@r`elIAH62$Ro}3d~=a!H5xHBd*H--9xtsKQ3Q72e25vzYcWEZ#^9SL-KtR<R)0)r
zxdGgMoPRj~4_TjG$hu!sHpm<!5`73$;l3wq9Cw_O!hxlyJT{yF^umoxe+?L*v!%9k
z@xJC+V=4o7zrZ98eNtBX3D{g25Wpv2D1;5;mtO+U(Q9i9FCJgkw=ysBo}O$4Ud&eT
z^tasUOTP|}q>mm29|a&xpT8GBzOQ=#f%Xp*<$v2RySA8sT}o*34_ol}?q8WNv7b6@
zKXbT*iWZiH3BA1Tdc0f%n7JcsWU_`za8HABy<(~$H<h?_57;bxLT;UwT={HRnrWK0
zJw;x3qjP`E%Je;trL#Rb=q&>$fo(k?nLht#G95A(39yoMS3}Qi{M4|L>5?KuFv+eq
zAkyyRd-!;p!v=zF{m&TP!Z;~1&+D&zdX7+h5^&&zS44Eyp9Y+!dW`jcN-Q#*pOIgg
zcd`Z7K`Q|haqP1DL<+cG6=}_WRkS^RNmo0<5q`ZccGO^@ED7it37)MrF_?+-8~tD?
z{7|wr;;7!h))J~h;lRb8o=f@n2aZ;&Z{7KPSFN1+61grG$1oISug(nynel2RR9O6m
z%H;;{i&;5nD#$GS=bL9|jb>YFusYzQBe<V`fBhTl)?{}5>8<M7^%sq2jnS8I&Ew5S
zn@m(p>|I@{@}hRR{dS3@mcV8>tnJGF*#rA~fCk;L_5vXt`}#3{g^edy7w0)D01I1+
zW`Su2{E<uIq_Qh4Ih4$o&d<ApjZye#ritv}2=A}yPxfm}l5WP^f1H#+7X>oK20FDG
zN}z+j%BK1@B#LKh;9fH^$3$Sq&}}6u(_>Vc^sWl>I}_(IcI|t9E(13$xF~1q->jH8
zGYwvyPU0=b0NbDdknFZw(L7Ahp~+koF)IUCW>dp#WPIMw81>}5j@TJ_Tt*A|ZPrL-
z>~5Br&H2cBx>@vG%tWi)wS^e=g?DM*sbUT{#3|;}uC~jsRA*Grb=9OgZ8%xtHVU_z
ztsAvD(a|@JdgXfQhFiZwxaYMboa8sVP#+B0T=>zPbRO>s9)Bt`cQlou(euTFaFfVD
z)#pP)G0F@Yst;0=KhgVO&ExU#T8{H!H@%cVea9~wx<3wd0OX|`NQl-Tk)nq!nKD+I
zlg!0sp@d5mpA16G0pQ)Et>}}ISwqIsYOBrr{|fnk*CPpbq0YC6+6nGk8(SPJdY$8u
z0o#`Q{q<8=YqFPff)o5)VZc_Kgk3t8zQ%5|<07_2zR|2)YN|T7%}1+aAg^nDYI7?8
zW-8%j$C+kM>2;7yD?7dIjCiEZJ{e^wFIJ|U-O33%E#Afx_46vUo?cJ%Ik0@SMQiNU
zH2e^Ug(t#b>0(fbbIK0lv5xXK=?w5h2AGX*4h;VG+Hau>c$Jc?Sgk~VO10900aGDE
zzX*p7wp*VP3sFhA^t=>f+n_=(OYZ%mv_NV<QJn1nW7T9C^M1KYT%S>~ifoaz(76#<
z;f?D)R+v7?PGcK%*&qE5Axx}62<-PV|Jh;nXZSMhZA}Co{{#`<KKv($PzMs+Je4>I
ze-Ao3G)!{H+eh7Zci}UkW#`aX2L0q0uiZr!)5h^^TfAqNz8A6T;%GQ)WlKpu#dLOL
z92<<?z8`zWOY)Uto`32_RHydi<GyKjj%u6K`io~7LfNGeja=B)BC7z~Y(&19qgjO~
z1e$%>8TdYubbfh5>0^zfXbFuLqC64F>%E8R!h=v_^qtV49p%wCD#mgb40=D=`u9Hj
zJerHV!P=6M(4O_dqBut%{nMzTX7z=IzJNvBbyy4FL0Xy5P(K31P6pOzwWOM7!m>Ie
zwu!$fJGX7DH7h(Jqw1H)lQKhyle1!}C43EB{+IP;Tldo1##4&IjnZ*Y!yL)O5X6?9
z*^z}E0b-6B8;$(O7N)J+Pt#H)UbbC#29~Vg#tWx=b-X(zk(bmCW}J&G5$94>W*Q;<
z;rWBTJqj|l!CxrI3o1ocB@+va0rpT^t7fIpI&*rP<S^UY8n|g%y0K_p6n56N1^Pzc
zKQ(`|=4sEbA*Uz=de_dd$tPD*DrfJ}xF-X)jIkx2cMqXxWRD6K=+e@4);jo#DSv(E
z#mZI}%gM1S$7BC+f9t-xzcMF3?(e$MEEnvCFaCc6Jv{ms&_jFRLtE<b{A~T_8#8kQ
zGu#>+tEaj?vArNTHB#ArQX0Ti-6R(KeBD?qi_sqGvAC4Ih{eTmI|JF>g1OP`!Rbv4
zAYlR%i|!OF_7%tN?ad=m-pA06tz>jtpxmN$7(hTRLav~}U#tc^SJxN(tjL_zXMPB5
zu<2Jzy0Bj2cIfYLt&s6=BR-4mp8;e8G?#`g#(A8ZtnAQrj$|VaB91|1MA1WErrXZ+
zzmPfrj#P6(FMAYy8hy0lTiBv`c(>(9-KIJpMw6~!TBnE6bcdRrs$uJBo}En}LK9c}
zI2mX0=t++f{M~oGV<;b${apTz_R8Kd+Q)%ge(olT4n<09xAE@AMN0E+7KD>E)U)We
zo9Xp11b+Sx&LX<(-4Lzc7W0QCjV@W*^nbLZ`Mch%S<;L5g0?w{(vJO?mNenJB|Tg9
z@V{k9!&UPG8t)dvOsD{yF_rOTI2rbhj^+o^%fOvTU*9mxBP2Ig(S~4#OOM)fd~0z`
zDy>fZWtqKl@Qxu}j~2I>+{RQfyRwBFr6K$?ejg#JvWBz_wX249n`31TWSD6>Tk$#r
zzC9U%YL@7^blT7Jgu8ItT$4=K11D_Wi&-29ykdaXWsR7csoEEr53Hc#ONS4R7D<0a
zyq^t<&lNZSe1;3EoCc|IkvSR3!n_hr&19<_6?wJAo-u7Cjv)A!`RFVk#H*Qaa7$Kj
zEZ?U@F=ge8RdS3%FREp7dWEdl<fj8vVZ8Kgt#BPJUqf)TaExz|cZK~zW2T@(Za>{B
z$t39Md5OT1HoP<Twd8nuv^A|VcI`O>Ny>y(Sq<m9o>D~IecfxDUeo&+a7o^S4cVK2
z`G<8bjvkw2r$4EHu*4WQu9uaOb6r2!Bjxe_#<eCgr*%@}zn(#$@+YbczJ-=__x7mt
z{wB-+{SXi(SlF_)u41KUph<0|h{uPkFQCE)Gj;e^dIb{eu{Xba#z<fM#DP;iCk)f(
zp(4~xoc{GWUg#Fj1DM%IWeHZK)98aNxM^c`i?0k!m<;O~_RU+=@@3Suo2Q7yE|uq{
z<<mDoiY;v;TQYS_(qr0kKS`we%fbh%34=#SP>N&k(p|mD9Q&EZ(^BB4%La~eI*iMd
z@F4#7s6-*Yc;@E!xIlS(3VB!agAZm|6XD=@8@KMa6Mf67k}eW#FE1H*9ez+;S7kxW
zi54#b?~jxS@02@LB!(vXr_ALRht>|gMz!xX3kMIC(e$RuKJUBy&;yf6vAZbt@)Qnf
zpeo6xc?MUSdF2OwQ4$@?O$!_<zCZHfn;qOjBi~Czk#-`FCy{|g?;&P`{mP6D;@B^j
zeDeA%48Q5<b3+SshK3ikk3!s2;(aG0H!zPW_t;_t4;;O5-<|wGz{%gQ`m_L`ej%Vf
zZDu<CYVP#Cypj*jdERxLRcOG!;!GxwNM{Xpv{jq7YHIxcB%bE$V?)v)NY*K3aaq!1
zeqm5=nVRq9Qc_f8!t?QE9;JfLZjBR5973w3k`gX5alHA&C;Q1k6*Z0cOx~_Xxgkj%
zjOvfSGG(WMCOa~UNDM8V-)9-u_$;$E9{;jDsNBRk`*d+&bm68|1r{MrSQ_A|{>#kg
zVPYt8?R#`R-99Wdu6>;Az;m|sXuejHKVqg?(rOOEd6+8xd1n6hiA=rx*v17g0ej@h
z&SxvvsC9ySSNY_7YlI0}-v1bKc4VSmQ?2%grH_Z9QvQvl4~eW)_?s}P6aOC&CKfw7
zuXFbD4Gi+|GnZ?;W18ch!Kg~cGGk{RzGWPf%}~v@r?+F{#n3^~I!?@M+C7o)@N(V5
z@Y`G4Rg1zDQc}B(%Iy}CZAP``cb@`FvG>|=8M0jUu0C2o2L6M+DBz~^8Z8|R)5}Zw
zXx*sOLkMF+B28toci}*P`=h_lW>jw2&OCW1JX43c<4#8gQBbJ?@X;#Y`Dn^V-#2SK
z2^vmN8Ow=0oju>Q{yfMTzniRJRk57YnvI|m%}O}D!A((jWEzP3Q`Wrwi!cAb@%FQ(
z5)_X_-JDGFCkHf+ge1M8m`-04#looRMl&+C))k8W6=^^fNV7UGpKjM%Pd;ow)wXsd
z|MvRq<ap$YPU0n3Ybni7{dpjeLcHvtkxkRfvVe=;*36#GQ6RtCU`BgF)A+;O=^S*b
zV4=dv*m3U{<loH<HAYDT03+h|qK7Jz)G(nt@etfx?#W)YIld_+bPMqk0v=n`5M)=?
zbi~7D%Wbb8{s^#q@Sw7>tI`dglkYqlu`)9eX&q8MD(zO4JO29fA2k?%^+Ui<N8S$e
zD0$&89ld7aC;7Z*G1S&bk>?l68UdDj;?Pfsiq;yd8Q<r-zNr2;=3X37mT^xq<SO9U
zDEw~~P_+C+evM$_w+<^Q+6yNlC+Dc|B?G7I=^>mH$t2OOPBa3)$-e3_rn_E$y3IN-
zW}?fwuuG8V5d$5@D}BAg^>E+o@6b+7)#dl}X}ScBnC-1eQj3f~eH@rnmx}s}xLgnX
z2spZ{9^H1}3D+^~@Dku0cedDU8SwdWP}erjF6h6X{9>?G((AWT4SHlZatj1>dt!f2
zg|V7*>XlNkT^cY8=7uVB_ZogeM4s&_=iT#lPaf{Qq8IzuENGQjlwH)2T*+<J2Y+>7
zx;k#de7K?1A9)0_aek86b=*0=tW+hkaX|fb$*wPVE~*Vb4_K@M7Y2$rmGJFA9m1aP
z^G#qCsQ*1sl3>7%o6+T!!)ND9D$zpr@PJ+bHQ$b~RF7ZIE9NGgY#AdZ<;PlBj}BUe
zyKc}W5edK@eC>nOc7FDZL2D4`Zf5+)22L?$H)Zdc`x~;-y(Sj45B^6syHue|DC^#8
z=)ddG8k@a-;^~rq^R5>bwm_6T@>woYm!eS@YjblZ<lu*S(y^FyNZP5o*s77K18c|c
zBaj_klzwhH&?*2nsB^C*OuR6CcH-ivciUO#zC8JAZCxpuZI<PRtC)JA(pNs=tkOG=
zkBAs)qJ>V<?B09(O<5)@hOWuC5e+}jBYfJ`oTTeO=5PWH$;P~<2|q{gR0Q$AM-HBB
z5+>k8K8VeZ?;TFEL0mP|*=S*p{v`!^Fr~Hn37JP^kt+{j=V;`;9+=eSb+~-}MUJ@K
zU(kxO@qL}=nsXm`>)#1>7>JX6&)SidvZ5?7>jS`RNNkKj-cI>G4LQ(WZ$xf0zutw>
zk)^u_WuV2y`jFfkfAjvn-v{jPbk3(~UvD@+S%uzAu+}e}7PuSosYk?@^59$LD=h((
zSnrjX47{bL@b_i3to95|G^O?lHu!0u+R*_1v<o-4{K<Z_k{wcZ%OJf+OH=l8S|ztE
z-B!bB63ny`N50D*If?Jf$FXstXQ<$_r9|NP?z|~Ho#0gOs}<=KmBzGqE)kqV+Cf4M
z?{jQ#1Ln~CSAaXnILNV*HW2X_xzg#usyouEdEYj_KqDI0AawY^=7sF@a+h2WWt=I3
zHGfA}Fz^3~uI$ofhIB;MT#XhOr&6#UsZt*YroI^j>My7Su`BArp_+?Dk@M~xA{rM>
z@!Sdk2^Ummx-(Ga^~E^Mf*eT!4nCwSK6%%p+FrH5v8lo^crHVS0LGLxSml6v`j%7-
zMc<xC@Ek84jrM%NKDux~l7W?AykY13p2V@OkF`%>z){<(9p^%%cTda(Ue9&pgyx;V
z*Ir#2lPsf2g`9n;R!4Jv8zZ(LYjh^i73`b=@SvJf&YGc16@tM~_JV^yFEq&1!_;`8
z2-s&`>l8EB(jqSpGe3&*D^_%P;+G^mywMz+66bGWg*1}M>9Aqm+_e@Z@zYeSL4QWX
z7Oydy<dfQKk#>9~-9W3voJkYYr3(xXyV+MyO799b$}~S%7$@K5=x@a89#cI@W%dPF
zrpy!y#0iso`ulq=xbvk2wK?U*Ng(V`?c+RCi`1y3{+Ap2NB7hu=*ET*IoV%Xm)<ZO
zbEc&GbrkU#y!$<ss1T?TNk8VFbd}k6&EC-EY>LJ+q<r7FZtOD^n0O~Sm#4wMtBeQ|
z;!^1*&Nwnf+}*G!v;N9>R<cnNrH%6zFN?FZliYF{_`lykQ2!MW-hblIzX!rCkL%dn
zerrRtG%T{V3|9P@TIBt;7XJ(iDMY^aXD?}Ke0>~n+X!PLqqI<0V?11Yr+JYuCufwj
zwsF8vTRjsRoJdC$rkRRp#7qRBDT#IqR?c5U6CqQ@wSJSLK=fpGht%0pI?y(CRJvB{
ztM66Ty1D^R_EY1f=SDKl(z^~TRpe!dbc*{tEeH#w-Mb-vovkN#N(aG>66RDDc`g_z
zyf{JdW|%LPN{%f=V6KMAIts3@LRe>PBt%x(V-$z2bLoo+<V*$ycR!_Q?^0VpK+;dO
zZT_yiojXrZsb_>nqh|a&Lo6JbXY~CPXv2wD++SwDzEa$}p4c1VZgfJw-z>*4{(%`&
z&eZE{{vW_jnG^hptQU?HH0HqTTs*BAX9dG~v$elkGHOp1&&h$2@7W=CKa02Z6sSp9
z!Mt57Jv#zA#Zm!A<-cUiMNnh)f618Z2DXi(z)$hwKIuAG!Y32Koc2)kGCq2lJ@GKN
zTZhZC>{0mSlG?xpsgB%YjcC+cvww44z9pb$87vS~UY<$eoSi}Hq3*44Y$pV8`?731
z(S3(5AUAq8K9bJ%Fa&0cFH|6`*B`i=Ep|x!l!TjN#%sTy_pL}FWF+!qa*McRwr}5S
zi<=dxy0O@V8DI9NC{z7iDtG+1e0~1}Bx<c(Fp+iw0~~TV2j;mx1$lfV!2=?i3a)Oi
zF)Ef-!U^xoc(llTvTt&%uP{q1iCLlpU7Wc&Nv9&OI2O#R;Y8oqNi5jzyq)Sai0D30
z-th+s<Q<poq#(b!2w69R`c47?Fh6_JGm&jGBM6fM9PU2Zy84Ii=Cp-J%H*QiI&5I8
zm-u$oy{R$EF89fW>ut)*W5Rpsgk1CmJ5?lj^mM$C6U5QFZj&`}y~k4TYpm&Lm?oEc
zJ+fF@7E1oGcLd?jm+3UeY+8w#fJO-qlk{SM^h#NlThbs4^33rNGdO8}Y*u?z!(DbM
zd76`#&&gJr)v&uhJv|0wIfdDk2ZB|AotAiEuCKqYo*6VOrooRnzFp21P-s27CGJS~
zX+0gE%2#6tQVCqn=jLG(X9k+eD%H;@3c?$W<LdTI`1O{?c|pV-*a4$w^r!M+o!ni0
z8j+#w&q47{QSsLH?#b~dX<34Sg>rxaYIyBfjkJH?;5Zy=+H;BF#$D%VvR`#yg~yf(
zP4&cUnrX;WHkvOz-JX5tiq29w<U!(L4ye<pZG@cP3vli(nQNT;B*3{dJJ+Xw0H+k$
zEWj3QnOuLb%V9WDGv<3n233DZH9T#vfA@s5d!tFvvjxB`jFkCgQoZhGDvK&PSBg_8
zPsP19K<nj+=5m92##z8L0gTK`?-EQghif(Ju=No&PeT*KWyJ-)hPth~hgpUBNNB1I
zHPYSMwd#UD=5~eseYzW(>lAmFVI^*GQu6z#v7u<@{OpCI+9kqVK%*P0a35y-@T=YO
zdECt3ZO~@N<TtllA+2=_n;a<>6EBtP#AxziPZ#`i<Z52ALNC^&0~wl@#Ko+M#}av=
zi&i&9Ps$|j67f1&_3R3XCq(?(Q8(M1LM1DVgbalu4rbvk2D8|cX(z<Tp%a-q0mxy#
zbA_#shp+~|oe~c~_^3eT?M>3cI>m>%CCp&m<*)V(b4*QcuBx2}cOCI?)oR?h6I)9r
z{5u2rWiH-(0CdJ{-f|Qa;PtDO^(yTl$ECxhH+MemO1efw>>XBpg}3{{CK;G(=68rG
zeGOu=rwT{9(p!kyQYkPRvwHiU4xPB#AYgYYqe_$czsSvh5l&4{&6od56Y&lc9^|D0
z>GpBO+F(x^%<TgEK|n_tJbnht5#)2Ve^Z85%6A&0V<t9_TqE?3=Dgm%+^RR}V4Rd^
zjWlpc@k-OKaMH_~D*U;>l5z=&Bh5p@RD$&JNC|&(S!fByBV@ibSERglGGxA=465{E
zY{J$3e4Qz=$XgO9o#QikI_W4}1_><l8!`ZuB7OClKj<)L;S*tH5Rb|OsSe9enut5_
zE|+4dQWE{4Q&z#=A0iI;%hY>>L8cdkblejgjD-|7>iJHnuHbq!r=sSi^~$|`&y)k$
zhHp3E;;kK+2Q-?72hf2x5a1?8r^<k26p2Jfcp^HI@om>oo#aa-v-zXa*jyEKOXPC`
zPyiJ7%&A`et!xe+L=Baw0O-m{<|VYNQK`1Hj{k+$&U1sRV?guWm!{0%g^iKaTfcm9
z?r5R{Sd;$6EL$V3U4C~vb(L_tp}%f4TxLi?T4Vg>4?Xjn)k1JT<^KE(Xwmzk{b~JW
z?>oHGcm7+T;*T&jisD^9FAqNcQr=i|5g5?4f!_mJY!DQ#@~R3yp;mJ!ohE8$eIycf
z581_trey(j_rFv4^6%^XUdxA2IVt8LEyXYia?tEr6^WVsPT^DW)yyWKBKUm|p2;v-
zxHZLp)BUKRZ#Njdms<;)80K8?KvUIga5J>Mt5E}O%aFdu7p=p%ovv_Z!gwMn*SFmC
z(GpVd%Aw1qi-De`E{C_>DpR@T*oL0KA2M{3X`cP%3;%ny?;ogSq~{PSQ??s*J2fIw
z;}sk<X*8h|k&8JwA3b3wpIFp#q)$?%wR%UArJ>Y96!>?dQMzaU!Y3{D=9$SOvX}l^
zY$ckRR<nxaMuY|+h+A@XySht^(F=tQLKM^^PL1#RZWF86+q6X#xP3tSZ-Td44pau!
z9y(aml64)_lxxry*{G`7AU`$Eb=CWb5gCX_Kq-ECyqLVCdGC-Fw76z<5YuR<U{vD%
z*9e1o{kzcN@G0lBrpCTKz!IqVXizDs9{wl+FH(+j9NRNy3gEd&k{=hCnMN=Cm0<rh
z^}yEu$EoK`#Q$OHx%BhZ|NE)OMXh@DcTKa}2LEbH)jZX8yl{_HP;HwD;dVst5vPnn
zj54*%uIF7a9TEAZS-eK{6U-VI{+hl+U23x7blKl(EO`c7CvxCF-yA$$L2=sVRPM!x
z^1r7Bp}F>KouqO*LDurCv*cVa%zlmfBU7Q+t)ghb^GexZ6|vVI%U@6<8}U(32Jth>
zE^{YR0ZDQvg){hcde<DVaRX=F<K>BAf9hNsDyEiQMOs&;u_fhfp??qOpN{~{;~b`t
z$?>TcLH+fH&dO@D3DZuy$3SOr)axK)+AzBCCg0y6T7wXI7sow#Q*-qDUaIkpf9|C|
zO7SL-|A&OeC%^~b^Mz9S{QjZOI8aEBQ7{3?Ft9du{A00FDsaL=*Us67MiD+`#Fj}u
zPYFkTA`IdI?sTL-RbOC{0xUN64J&qHJh{v9si9NnBNtRNUuYP(KC>z>%QjzrTY&?*
z6^8PZOYBvxr1MXlbQW4Nq(9E?)25nZ&%A_!s-2ub!*-G7gW1L9zZxxN7!LIZUN9Yw
z9O9h%l8=>Icy1M@$eYNRXx(?)6%BJ*aMLSI6;yOHNU5?N2VS&QcmmWV`tKuUq3I_9
zD!!$8xMk!jXc)Geon*u2)R^XU94UfD=%ORlW~wLe(lz;vEZNovX5LIbM3~b^r7fPG
zG%2<$Q((lt=xo&rN|~cpy{zY~zdaW}w5@0?Hl;n=pigDazxV{euI(EyD4Z#4T@zdn
z{kPYNQ?H!S9em8|Q##TPtpS#30TTT!1dW(D@WJdTuoBX$9kmG^2=&@N^B|CI(5xzT
z3dmehWYcQLdc1b4_AQ9JX_~;#^!?Uey|%YR9lV|a0Nm@3gq}dp@Yk&TUb5aiBOvFB
zrliDvNefXpw5IA`4HiJ5@>&6E_8VApGVH}IAWe920<mvg18}1+V@r0kTb$FsZ;!VA
zxjm}f)Az<CiG!0RcI&Dev|^lJCUKI2Bvh?5XM$WKLOMU^%?4hSKId9euVq<Qks>O(
z!m^MIc>{d>>dY81eytpnupe_d{>HUvC(UDac@XADzW>F}1gkaKc~fek9@qe6%!s)&
zsowF!bjS0n+{jN^ZCcobCq3!Y2{RsB$FAG(GGY!NFXZq0Jrauzp~w!_5h!21Ec^6E
z)K~id6!lVIErj0P6*TwD^Xar7f_|D{nnRxN_)~NO49i+aE5t(6RU(P<9R#~a(X3${
zu>`r}vIU#|m}$l{?3u^S>#mK|MIKJ-{cpPTB{Ijq{!g|+17iQV4XT<{1OZAKEh|y$
zNg-DT2z2Vplnp&2p|`jDrZ<iz*Fbz{6KIPh94-~t*b8{f%;_{J8b<66-cK_CW<K^a
z_<z>f|M<vejJsV;o(#*P^z*M#Deu5rtnk7pPTV{1tCHuFgg96{nUMHWnSs?Pf%7+@
zA>tAL#)jvwD~`=o1&^Qauelc_gIWjPE9Qibu{LaF5woU3i9v$7>74nFY_@YYwkA0g
z*r^`+;Gm`+cd+-6Ar)M@oXp+kwMUFV4ay9vepkF#mWH#ltlYSwYT{l7Ea#GQkpWv%
zDut(0t;FYl2;iuf6szw7xU=kAp=|YQKc|X!Mdpp`dfD)^J)HrT|4IGgS0OpgN5{1g
z?~Jz8{IHXOm7Fi#(c0vnI$g|>^l#xB&+_tDJ*to&#xo`@gIlw%g3i`|^d0WkBna<I
zlzh0hw#G@n8k{nP!L!kDPOB>;`N<F8{jyU<YA(5LAj!MuSD6$qstF=m@H#^<GW)jv
z3I>|VE&!G&KC$j5W4$ryB_?LGw$mGM)L$4l?`=bU%048hKjsP6I;E=9x-!|wp{r>(
z0W>}zR9(wakMHc7j5~pI+=k6{c#}X)Kv}LjH6+`g6?Med6BDR~xxP2q_^aRpfNR*^
zqwbEaP)Es{vkMco6h@$pddltjI!$8ry1l1;ZFFSipYn^piOex3lcW{9xgfjgp4G4$
zqe&e9-crga%wSTjOD>}02PX-z^E=%Db{>&4_9r_ZZuIo1p=B3Zw*!~fA?a`Z7#4F4
zb+g6ehH+OMK$;o<^_&Jsv$Cmpm(|N!J~s;14EHzONI%hDLveooWld`U5u5w5k}a1k
zrn5t6)0I-r`h7>?^bJOYm=Z5;8f*UP`MFCYJ>znZ&w9=RR{Pl-W`F<o@6_4<UD@*g
zfSjMy{z7}9y!5K$zYuum3y31lO%r>Qe7wVXLs5V>F)q~Vn7zs^WU_p;u#eWM$kpU~
zcyerS{CujewK$I1sU`a&)1%&M@M&2ZGDaH}jXzCMZt|U&aOyhEx}N$Xvo98@6X6r`
z_p`~j{>rbQQM6{G`aoesrg$pgFQIYIOnY3z@e$z?2N~T14VI!kxG+RO`+B$3@Vd^=
zX8*ZTF5=FkUN^2sa#u{j(Gy<{TC8ghz;DMRy}<7!0smXQ+qD4cR>HY;;OrJ)4gtzx
zfWqrFVE@SU)19Z17J*%sA4PIpzp>LJfVe~WPULf&4IRpP0cujlkr(dm(D-B^{z6>>
zHCo$g+kMpK@ho>L<XLMeCuX6qe0r&)E;d))**Ye@<EEqXL=kRMY+j}z>}vGF%@5yV
zD~}p&8U3@|@DE%2vFB^P*`}N%KRR~hRo>2bG~vUWk@0|~4RgA~Qj1hWwtn)L*hMg>
z*JjbLN5*6ua`lx5HKM%rPao^Ddl<dUo$!_E<ULRJbu+R-Ao!;%yJr%?3uzUSM=}B+
zSqa3|PZjiw#%Pb2vJ?H0BUfL7F&85jl*YmXa(J+J3Jbwa7-h<wh3FS9w)IA<Yy3J0
zsD$A-G<lvHE`eW|kIG=90yR9Cr07kiJ;+B~KnGP6uT&jN^xH8asA94s>-$&H{a(Vp
z=j*-zZ(pf)hAFq=NAQRovt6{dK4A9BY&{x8^cydj{m}gRKn5&^<Yk*5GPfhJ7dmon
zi(K@NK*@X)sJ`upMUsWrX(axN%7Q;*`swz-p`7gGV6SghJdlf51T=o3n$jh?uN?Il
zV|1D}c6S{d?LZQW&lvgUghoAsEz>Au3WWHZo$_UUw9orDcH(#Gye&Od_xun6tpW8C
z7^*VRDisp5h0Blv6r1bi$?)Lnw%)wZZD29}VMgrI4US#$6dP^9Y$|E9-9-hvzI~w~
zduky(c<$m+uS65|hswN8t%+@uPBffp^(EBB1v09=M&X4*(FfgDBSMX+Q(bS3uxF=9
z4{6de%GMdUB2{jlSu%k8D=?D3$yQETEEpWUc*9>ckr<z<p2c4p<1&C7Nq77|W8<GW
zF27_Ap{p2PMd&J1G+JsCQfFOf6A~x_8PTYPqlpz?9KZPyQgH<|1%>+<sD7k8b3#n8
ze465+e+YY;B5B)wX|<@$F`algNC^@uhAcYMsR1uWpnc5W<is>de}qHFx^AExG4CdT
zYEeICosld4lvSnWQNKnh&lwN)9-|&8M=6$8R<gZ&*tciXvUJmUv+|I-wJmBJJy|XB
z*GGmeX@-$sMqdhtW|<A>Wzm5g+Tu0qn)@@ijFVumeJc@|#4jST5({T;e!cX<2f@|e
zUpauoOEafRo!uh*!SVuJ`jt1{X6IjK+ljAhz1^<~qz53Ee?s>O-=X_)2^n>llxX?h
zJnk*C)vu-ooe7wFoji;k#bj%Ml_7M(a>Q|*59qFr9-H39QUvf(4>k<Ed$OqrR?^^8
zAVw5iLu<ysDhIO@P&3e*o6uCSs=Iw}Kr*5rh~DLY@5<rbt&^dXQG(Q0M<ECC0D*(i
z{1!eERX>t2yV?yjq2*vxg~rS3HG3|z8P?#{+_I~jv?r`iz4K%c7W!%P(ne?)OmiXX
zg<$j2HFS>Gvsu)AfnqP9y(0eJt2eLiJo2o`>$}UT@|nDT9#cUVJPd@vZ)ws}$VNAS
z1F>27F;Gf2{8``6%q8#^pdiR?bb2!zaMSeFW8`)0okx%A&CDA;N%$8<aM(?qm8h0~
z#o%9gnb9nI-jw3${J80II@YMa=PtNtlMHa_)sKA2YB0@O$7*YmF{o#)_C5+4ntGw;
z^proH`f57?Tt`#$&M1;tgYq{{j#)3vS*Kd5bP!5>4WIb}YO9a7lB~Gh3RwA__{U0T
zmd0bxWD(G;QHtzn+PpWAjw}jw<7iaHaN>^pFzR^qoi4W)2j1pqS7`7y0Pn@CMOCNw
z=IF*Ym?IX`V|1$HgU6rmv?BML%R!?qR`8rm3{2N*{wSHnpTU^RgxyIAuFB>zYPCTj
zR)!AEEjnG_=7a6qsTiiMbpEQDt5~OotQa=6#Mez}>6VG^^7GWlgHZL&b1hoRk1-SP
zPzq#fvo_<aE7NJ44rjS{Zx0mtO&m4tOHjOAX@INEtFY(Tsb(~F9#A>P8@XAH^ykaJ
z#}*SBk!4)>?B%DaeZqa$xQ@;FhEMhmL8XeQDhO#EKtm+`vnN9i5z>)^dCLx|%HLT4
z^klsCVR&lY(WT0M?8yw9NHa}BbMIu#3)TEjeljlE`u+t97N4<`A8UR(H6#4p8lTU<
z5=JP14P}aDNo<#)qQFWfsy@2ez;h;TB@k)ov7?M8oeA!z$_LVeq@93;Asv$dy-kyC
zMnWCz7>xx`Fw@QZ;_;zca8=I4t5-*hZVDL611NtrgMMUV9OXlCI9(-&r&E(>PhjTR
zPy5BOA3{^*Fqdh(N3i3h`R;rAu#%Cj&IYMd=XLVzk;)eU^{1!Pn>EtY9=MKSyN+k?
zxXG$y;fhRUm>$foMI9+iVy{W6fb+#GSQP?~q8PEu_=nyBtTsmmV6_SORX|v|c!m&H
zp!zUgU23^?(pg9b$tORA^#Sgat;!D(02IKzsWb~#dm!e8_Wy(w>lNXrPG8H8dyrrC
z>S8(IuEqa2+MqA5rj)mYT_(LSn%h_Ll3CXLc#p+s)dBeFx}!9XZ5Qb??$o6>he82_
zU-rj;^#7w{Mi~9WF^j>jv<kiLzLN|50>Q1eGW?$JZkamiyIYppAW*z1fB;oLmW~vW
zja>kbHW)*8v9?d)tmOUC;4A!UI!_hkaft8Z7-JR_k6PMQOY3*-c7U@-UG1Gz9NVZZ
z>7(p@jsd2Omqx5l0X!j4+q=sQc&*4^+ty}*33^T+8jh^osEci&N0`gVz8@`;2){h2
z`aJQ#QJF?|NJhvVHD_i*x=`^5WPUR2|6%Su!<tOne&4ZTO`NfyQX+$*SYQAFX+cFn
zr5h2E5~Wxup@yD-BBHb)f`F8ONN<AD5=a!JNbdnch!_YEAk+|&5VCKWd7OFHyVkq*
z@vgPkUSIqW50blG*L{}%`TOt1D~em5l@+Ov-m>~ADfX9|HC57iojx@BfGkU+#Mv~H
zz9cifAUXpG{KK?pA8aYRB%U?@gjECCh6Pw7=G<6RE3-!e^-O7eBe1euD%=L8@WVsO
ziW}&q;2_-uk*u8f83ltz8I9}$v5&AeK_rR?uVtd@8U5eEXh29j+biW;!QQ%yW=T6H
z#w%151JJzh@m$;)yt)qFO^@=U<AUhIe|xrckey=+CycQ6n>je|6NH~}JJF_y-6|vE
zA<%WE>@cNJ;A!CC4G5gLY964!hV1CL#Gja%hb0QyWB?|bH2Ih6TylfV;eqXnw`+I>
zPOmclEO!AjccU>*lK4|FYH0yoVCgmV5Zml>t~!?_3YYKuWTNJ5-eA1qJ<n(lX|R1s
z5f4LHbQI4jTs3Ez^HNIuKuf9Sst06^s;XsIeQApr-u(XfDWSw%>}fv%+o#-Vvyn|*
z#UsLZ?5g$J83fW|!i!NUG^(=`>}YI0S0Qu%M!EkJRl!&y!y%kuv8lXurcf>i_hnog
zSVMpM0c~XZU+PN{F2PE;!6Al~$ZaN|eUK1dXyiOM4cXr7UQjl;11~chwzm>u<vjzM
zT(5@(2I?ccX7GJ#gfDT<il9Hn4M{o?ub90UuK0j9R<z&45RaICESnr_-11cd{g~NP
zDY4u+<AMHFxBdp8X&x6_fWCn?jMw9!;2~12lpW=8&*6z-WcxsYYVR4(g`6J?uvDA#
zLiA~?U8sF(t4s2;rt<wvw}y-8p85STKC2oa-17z~W0Sd9j02!4jydx{@es~5{AvW|
zJDO2xR&xyy0jfbKhR4;X^o3vN_;J4FP359|!aZayfz@sDcbRsZ$Zcw>DspibY=JPs
zRGK3UWDw96L8?xXQ}q?yUZ*7CL!fLFY&Owf$Z}$7*;2C<bHmgSNTOXdO7d(DbRYG5
zXuo<Nk)%qD%Gm2<iHL|-Nrv}AtSaLydMC?n^i5@8yd*2cjhznHeH78f%oKWh(Yjd0
zz_61kDo6!y>A8#b1S+cq-nrA?<hKkFlFcQ}8_-@T1;jS92`aFPJnK|tg;S4g<lM<4
zype`3rOAI!xe_r&jRh3C$Z%D-D5nLv0Zm|4>=oDP#kz?DNebcT?gdn@9*I#`LQfl3
zgM?Fwg>6oroiu<un<qls=u30|>PrJ4iIud}ybzgX%LI%NE4_H@0DZnt2%cRmtm~gB
zlGPRh^fO7<GP@={Rf+bRCWVZzAhBavKjd=rlsx#DCXF&nehh_Dk(w?dIFX8ZSlyPU
zf;UkTDq*D-%5!gVPPH{?ula>jynYlFyNGBUI-1@VVqk#$j>_3%HrUZ;x5-Civ6S+g
zD#g-_6|CC2Ujm*B9==T)2EAEB1GSmFpHo_Xr*Zm~_iXNNU?8q>=)Q=LYU>yX*T0&-
z5Ub3M=C4V}FJe-vbpH_hpr*`vo9lYj=uy*%>O1n=-Q|<vja|>nBr8!ibPu#ib(LGu
ze4Z+$@AOo58*i#f8*R*NzkM!mCih$~6JddaE<Yg*6-wi)DF+(6wAU^QYmPF8R1Wr!
z*c>zW9^W&Id#w*uf`X2ws{(~w4-z`{jQP>s+<d3;2@lxqhQ?-(8QKYKr6;6vJl3y?
zf7eM2lMX=ZP{I3ZO#U$@i`1I>aDPnp32-r5-6<U(6MEqwHM6yn>{dj1r{@M|tR3Kt
z%?|_pSHK6Jov!tHoihd!vqq?UXfEtVbxEtK619sHLK7xHDhA`iC1|5OwAgP7SwMew
zA`?vU(_44C(R?WEWNF&FcV&og1FO5ZoGVL_EjDL$nec$TFnc^9IaInroTXSoChJYU
z5g)A*)wpZpG3$C~Gpft0w|e(N-XKOJ{3KQTmfd7K7Hs=?mL*dZ-}!)1DI7z3rqckG
z6Pc_>lg4m)$qQO?wBd2In6SrVE7w^--@u&}zQm7K5&icO#X(0^f=b`^J4k|A@AKP8
z(PRF#Gq{14F3((zNACGsw%Ms(bD=urdu<bgg+vZ23$7Ro9RsAD#-=}|onF0~isD8#
zjF4A@Z=8i+ohwa_LNl_gpIbQP5yn>;+~pOq-#)4k{Ue_??9PQRUBwQwALV}`@8`*&
zWoUd;GD^H<V8%7ay&u`*8OfbPS6kd7W=<c{Mec4oL7QKgzq1Q<JK5dC6N#QY;!c4Y
z`peLSRQ>a}B9n&;2_IV<z5+yB8>@Aq?a5n|VP)iM<XnZ12C2tqI(G&-j1ZZL+E$7@
zGOO@xpUh7NvXUs+X%LUIN!JfB^@^>`k;Cf|Ygx6gPgwrb&0yU)t75&}q1&mZS7=jm
z9$4Cse`dg1JK_Kjw)-GKya9dPdrkW9kmyg_tN+Yg>%UO%`HwzdfXq@Urs(Yq<G*7#
zuoRo&4mZ7vbQi2o11{$oQ0Fpc$;;P|ASbdQvO2=57U-}0A^gu|51<;PHlM`h-l^kf
zqN^Q~ck5b99U1IfaF3K+i%4nBYfNibvB{|noK0>ah{C*r3ClCI%=}ouwc;PaL)K8L
zc*!g119>}J(k-mRahNS!V~1fHPzBQbR}~0LY6FWAJd4fmksqn|0P{r2>s<fS4~|X^
zB63@i_YfdhK)7uvz3k4J=MDuQ`-5gJDQTjx@(b@VrPhamIP&^Gf}_ey8n%+Hm;9)<
zfD6uqR%SQe5ZfrDpLxuktssuOux#Qr4v`!7Qcu{OzBTmXpI!pH9P8=}nNkXh!pkoQ
zkdcegD&YaVw#8r9tpn~pe7V=t6B)7|pF}|oICvl`j{HY7Mpw!fU06-t#|qT;6X+H~
zK6JiB6amBZ-!`q`h5-H+Dx7$w`yuQ4cfUBjv<Sysr`S1fE^V0hJ0g9hFDTf0#;&n(
zwoRNQhdhQ2Qu=gN#}vF2b`HyN1rKsZZK`98tE6Filz{J6Gsn{jiVZ`DX0_b2n=tk7
zYk3EkE~)o;Dfh+js_ELoHr#CVZnn;&vlAb619KwCg@@;w?%0SpDVln{+^PCrc*qkV
zDRlZZibA(?Yuh>xe|NSFs0#O77yY%L-Ust1RY-)b0VV^^GeCxt?jx@#u6yMFCz68d
zaSZ6Bq%Byert=Fx#8x|h8{bjaGOzM`g%{jA)+za1DVTXs$2pHH?Z2ld&I3lbDexPp
z$zxwdDO0uGFWm}AdSx)^-7*9&%%L5uj?v_5F-y}Jlm7`(;o<y-4S?tOyR_VR-IV^v
zDDsI1F(y3V1tqLXfjWE4I)I9fM;<ryb0j6{WbsB&w}=kmc!H%D5U%|@d!RrB@DXS0
zYfKzV^QB&c!3CT3la+>L&Tw+q>ptWER`;2__!6l52q|bj`i0B56v8vm*>*(pn)Mle
zvo<D}@n)hxkF&Su+je7e3&0-uqVe*bs*-z08#2w@W*|bbqy&<9ycu;8oLt>@i+?k@
zaWa+R`EB@B3TQGK3&KrRT{(%XcHFu=trkMM$e%yE(*LC4Q@t({3ZXb-R2HJsDKc{1
z-abd<|KtxiB}KarG24Wkb@>xsfepq;#pggkCiZtgR@bxLM8sS+Z=uJ1ZlCIoR;TwH
z0gJoY#FE(Ma<ig!=)VvUGu*cO?^k)2*Jc+HWK&jmoq-+njg>55_>f#(8iCP$s7n$m
zN#Anv&oWO?;s2=2GbA&B{|XXP`HQP?7I#7+xWPGhy8o0FGm-ZMD-N$C(=5guEJjH(
zaw2us=f&|xNW841%D0up^ffg|)j8kl<cpb8_^@>Xj`Gi4875bH$*$XcJ#e8`EH=>-
z^p~O|mU`+d5Ysv#VJNeWlFo<j=D*<n#DnW_|3dMYY&Osz>bU?AK4X)ybB#QZeXO*m
zs;WqG+wfq$Q--tS=e}1}wksDl&$|z(M2T_85v2evLjRj-LS#-nQZ=p2Rb>{o9JzG%
z$@1H{i9+{JXGA(V3^|PxUu!h&vwfav_J7T@wFBS^k@2Txplvcjx;ACU4?)E(`7d(K
zl?-A#>-lb2{@s~s%+dV~wDb~b4lo8U^LK=44MbQE;<Y|0eR2#Pct4e*UtDgNp6`|E
zQ6j2c`s#Ky^Gu<62~TvN_F0t}kC06v%M<hRwtS=0<bxs1sP7w4{}2_%0XQ>5S7`%~
z>LD$~BD@yk{Bc!SAxk7~aC^XcnO*}&>y%1$WaF`^c@zE%70szTLF8G~byH=uyKDZM
zTJl~aGLS*sUH0^i$}66B(R|`icM-}MCVSu}1E?xzqfWFf6u&mxtVF7OO6mVNN|WwS
z^J%Ike>7~lNHb{`BT;%W6CUofxLm~Gqdj(BtT3gn(&pJ;NE%1GOY2qtJvHv1DEWf)
zx5;hIW%$$bT0i_*wHeGd1n8z!rE*!}YtrK>O7_IRas8XV0J#21>;|s?>;|sCGfYrY
zx&iDDEH}SgN@-{^-ZRuDz5Mb>c7PS7{iqgGQD-v5i*+rfOk8N--F!^jui}Q6{FXWh
zZIWD8g=>*#l|ubk9;D5pMHQb(f9ZJJoYFkpCd^8MI#gya?y-cXlxl=~_*rK8?F8Ve
zsFd^#utE|>&IKcTRN4PCD8f0ytk;squIN#f5TV!GgsM<Jmp0`g>h7}C{h(PCCI8ED
zQ%r7_egQ3Z;qBMKhd_65ME>VOt)0K8Ko$F8@C0<g(z4?2%9o1uQcc2c5*W0iIJs^t
zd-f;feXoRt47a)BBy1_pMRvEc&~NwRVqX9#CKvwCuhY7-9~8KD+c)Idli@cIMDY9T
z5vIRMD}yyOITx-2(T&zW;+~C?%>Sah=>I$b0+6G=ood*X6eo%(grCNyR&8)c&-in8
z!3a$;XuPlS&*;WT2QH#_1j)*~DZLTeY=wXH+fP8mx{^$HV*oZ3R;0*1qb>M^+-p5P
z?m<(#O5}=HGNFstF`iW1WAT}7@Bki}gTD;tExW?{n)cQB{DVyoLl}Vvu0a$M<VzfK
z+W`!8Ns;)oETfuBAy~xpoE^}PAhkP;hk)St{&OFk&Wkhr5LIojaw`8gs1Sj4QtqXz
z0&v<X%qzXlp+gRJ`!qdKhtxg@QSmq}l}v=|HHbsqAO8$Zmv1Gx1^G5=zYSUjC<^Pk
zCA};!EcBJ-TfIyFvAwnP0MOoA_uV|u9~xmv(SKksGrj-g6kwG!xzYOh7TqaYOGJ%x
zUI3~kAgT(<Pjmkt#8m%nh=cC<SBL}BvlP2UX;{%ckBS5(uMD4nJ(5hcH$S2N(<6y>
zFYS)s5%~rD#|EUHSmSu=UZ>8^-YtCV=7;E^pfV`uj;!4Q=cWTNHUt2Ye9Lxjl`F5~
zb%^FJq{~gtp|_#-fmxIY#W8eIWoKPHG?!Y#{}o8$rhmI<Pb(uG&aUc{-DKuGRR#>M
z>*jX`Atw9lGPR8Kv~2>#d_j2mLFr9f)deesu3Crq>r?oH#fB}~i(C2j=15t)_lfc(
z%Z9I0fQp*_mTk;0<dX<q3A(`3fAHtiZy2n^p=>V|f8<fL_uqP1V)R?Hi7a3598|Hy
zy7K`!esS=G5@^%E%#WCmMsQskS6Ul44;P9)YB<^DU3r$Zbm{UlZs&;Yv+0qG7gQ_$
z>()mJyb-tD#G|j9vJH*Gdz>Q%ZUXb@KD+E&lG?=mqv4-M%=`iL=LeQ>MPEf1h!TC$
z^Dfo%<q^AHLJmM1GVn@P9^$>NJ@ZoXTemn_alCU9?G1pkj?xO9NdT&b^bby!o|Dm3
z{b8Vy1p}*I%N|zlS~oW`%8Dp&zCmE9#Z<O(EU<{8xx*C}Gg%H($Qz;eY)sp~w1AHW
z5_~&G2;Ih)>cP?f)lQb;kyJOw(cWeN?8BK%{gV`xd>J*Z&;Z(G?(@L=kpJ{&n^2Uv
zS1-rkgE(aoB{~C~C90?5%xwz5!s?w-GWe!~@EQ*)&p<D!eWqpOj;=G;BLD3rnHy0M
zXX3+9@!lauA6M#{nD@NQuRQC)1*MVmP3hd}A3<lG9_5t)BB%OSP9|RGvI4B7AoeZV
zc4EESvKz&|nLO^Kb(TCtw@BC$xC6lJzaise#?+R9&L{iL%E@*WeV0s8IRp`%a`-$<
zPmNQU|CGSM94;+#!d=)TPr1-~Dd2{x_wT9Pvt|)-P4tV0s(Jlo+e71cbo9Nr2GjZF
z3#Oc-!lRGNbz6GsoA3Q!AJ`mWX>{RtFJ<_=Y*W?2m#9Pm9M`_*cQ`tGQH8%Mm+Q}a
z9vOU`;x<d0cKdMt!BQGWv8EwC4`PgLuFsJltbj8=!t<)x#x_5^{ciz~P2hnH{%2>^
zXkd@~i@xV?^ot=b{RjNam707X-Z<HO|CY$(KQ;0A_D%P{Mr&R7I_&ZYBQC4e2QDbF
zbe#b01dT217emLV|8H?B3iQLI*`BsMt2Si#{jOXT2FC`d!Wj=`l*CrFlPFZwXS%BC
zhmeQ%04hqoeh9BIG<#Gb6;n9mN&zA`17&t$9wRfN-pJFG_(;+czY21pq{~@4tiR0v
z_JPcL8X+TM(V(0;n4jCGOc>mgSGZ=li&PN71(ZJZ<|6J*>;63JeW<6A%wJA_=ycjF
zwr@yACvi<08wk}2xdRvw{cn$GtlpVtV~l}dCO`6_6L`HIV~N=1_(h8C6KSvD;eN#p
zTA!+t+izWjac1Q)3i*B(_Q_FuO}xY~(sYlY_KaNf;@cYSDeaHT_hLK7aQHRFKCAzP
z67~ImkrMUumHqsKl;|(~f+f(-E!F2Vhjv|meYEKKO@z2FdVMJN@{W+7&b@zHeg0qS
zzy3dukp5r5H2-(=uKp5b{-0{f{f8U0Jj9v6tWC5g4liYHIJTFu98#fH0xroJIuQiT
zj;(y@-(2qBOfLY21L@xk(Qf7er@r#{I(yf4E`>~OYF{Q(*Ot#w{Qc&`;Qq$#?oCz3
zV(n+z3m6F>hi|u+F*?UsFcc)0C;xfPl*sLUSRMJ;VoB{u1*y35?1$?_of1OuKG5G9
zy=|<H4zaV5!CXS_w*yplFBVKsY_xE5gI?yuMUR7^R9y-2qeZBORa}~DG!?JT7ME?n
zj#Z8)R_Xv07x{q9`pqKRO6@Gv3#Q6k$U}!*4P?5v^cxG<ZSsr*>A>6F>E6k^xNKJy
zPx;{D-=%NTEOO>At@VF9uu2G5yyXrHM;l&amW=ED^HqMJM@y$#Qz~oP0rJ6t@mX;*
z@lnGWw&M$YP-msQmr=F-A8o21CObS@whWnUf{bOQ)S<x6qGgX}LkcT{7(<J}PLh6%
zkurG_TLPEWF*GiAJYD6PmE#sxCu@=>2`Y99wV9+GTt$k!7(W&1@Q1SDR=2gnW22A9
z7g0`ge$?^#eT>6^+1j|v#z4ehk}c^Di6-SMgqMr@N@EmwZng;jpzaLdLF9a`+Ig_k
zN}jRbyoZ30vD@E6s1|b@M%*Z$HmdAbmUs$87em61RXirXocn#7toN5bC3btmmIH7X
zYObb*L;eXGt#qqLIOqt>{Sxx1Fk{M_duKNm-0NIK-ZnVHU>|@1ek>?d+qi$*)fUuQ
zR=Bs{D0Fra>P&7!-P#kkLTSCuHdkuCJ$bu&(A&IR<dOM!yu!h875D*ROol=)a1DBI
z+l)Z>>!#=zN*B%lGKpUPh^_8Thn^~G*B6GRww^-3QrpL)xbMKRYUwMYyQd|#Lmz}b
zAy3fWdFK|^+uedUU$u1K%J)-0Z<SB<ML1B!owFAouYas8tbH~@H|uqYeO`JQ5)`uU
z&Cfk7WwTTGCy6d8W04z5_Z;K<qaG`Kd!U>6$LJ$jpCuQJICH@9wq+L$C0U!<qx`^v
zCsnc>EKWV{HjCQbG?iJ*DD=$BM_gv74Wf3eTu!>+ZzJMTptYlF^n`3>)a>eJ#~dNy
z!dJ0X%+3*~toYD@9*YkCqm)WWG)pc6?Xhq0AQ!^<a0bv(ix1I0HZd&b4;#_jua&-D
zUYiCIPG|F()IEG0HuU<8u$hO+s8Erm#!SamY^i}w-r*kK@{fI+P~y4fWzFDLE$-;B
zYh|H@lj56P7`&uzY8y+p!R%P`Vir#|C0QeDyTIYBV#;YRyu&JT)^*lH^=n39P^`go
zhx!||48J;zDOP#NAtl1&Hr){-VV*g7qu%Dksl>NJJ+&tB3KABke^+->^<yF8{`>o!
zj0V&nYlS(U)EvAgamJFt%aBDq_H&s-S9nqEr<}A=e%N;mZMa72tprq*eyITUN|rg*
zQ(v{X8>f_f7R6a<>#XyA*6iuJumWQuKba&CMoxdlGNXnDqz6<(`rg&YqgSKGXrcM-
z^NfdC&8QzZZayLEYTWRzTAE%%t~zRKRpfVX)BrRGc!?|O?!U)@G8Es}e=CzaY^pr=
z$vrvLhV{g|Cw`yik86GdMm)ea=G)ZQ>=~Jgb3;XGi~ByLC)ywpm6ZOw4Hew0WQ6~f
z*x3oX*F#zP#?x<*=$sUX!PWu=8RG6w2@5_TE=#f2Y0lenIcevJ>OY<yrK@O{j_ubI
z8!Gq0DBe52Ido4Ty9x->Qy}QXoPL_)eRq=61D&$pi=bC~DU*5fyo<yThRbLek0D}V
z%ZT?7`Z%~9cR00Kx!e61*iy__$Nm0!&&?v|b&j9G1GAJ>vRxm;h`RAdF*zzyng=BZ
z?@=H5S6Ch0GWwwotG49nZVhM>inCf+rX4EdJSe~B7L~_f(q%oMe;hihY=rGHo9)%c
zozh`9YD3s3vNg-ewC(}-8*_Cu#nWt+(1K7?({>aK&n30`ge>5sBAXPY((m-ibsyGZ
zrN4&nno)lc5{PYi-B$DpEAh<d9}humwDXIKJ~{$Xd%kpJF(SUHqEEY>mzj?^MF9cg
zy*6gyo+?9QWOo@NGOwku<K%KGK94HI`B6N#WfN=o;kdB3NG!5sX^f_<BkXWd*|Sn6
z4jFK3)~GN@N5j9Rv<}PMH|^O(Xj|3-GzXO`&ovP4V!KNNR%s9-3edKh8~rZyp&6K&
zcvrD7zt0xGV%^?|9;L9GZke+z`3H{{wMoS@{NR+Yxljek7uD@220h*PeFzpj(ZV9t
zRUx*5MmETC{*EbpxwG;R45gs07+Hc3Yd`fMRc;P#FM7JscWCRvn&=i!>!Q_pPH(IV
z5{R6mvG3}qjch}HD8H>$)RuTA_fse<eGfJv6oQ-Vu6DjC)`Yy6hcqcyvKgH4spih>
z9~&cFua%;nk~E*<TX`fl=i<qt?)m}A&h8yp^4(X&^!|t_S$hoR6X{86{VxNBU_f3b
zv;C7!7IQq?_25Lx+uck|d1BuF{tE|ZrEL=(C!_ZA!bv^e;Xk%f4x41BYwW~W)?Z)C
zcBbG#<zi|M{s+qeSd&xIQIV{V4Jz+vQOG<>kNU5TXA=w=TJ1sX>pU4~zbUp`Wk{T5
zNmF>Zc%Vzg7di?b2SdHaJ|C{sU(<V(bUw1=KENz$dbWf_eoDN1#)q}?F1?<7iBO+<
z#(e^FMZ46nm^poD0jR-r${p>_S$VcE^Y1MGiIT~hsTB3zxq&~7$7fL8jn6xpIfC6?
zMT87<w!LPC=_4((DZBD=Ayx!}n%z~XmU@flAP^gD@g*857j|hJB=2(SpwTV|umaPd
zQv$q8z_V3`^+ounPQECExR_JlHC{8Mo<8KX9io{{I9G}f+j-0UxN=Fc4MM%cgzxeK
zGZ@McW~XmyKM?AZRnCaXr|+`sSF%$hRQd-)wP$+aEEBy}g?I*UAH|*=5i;l__9)WJ
z7ceTUrkql0j9_U05lN7m56J!W;9BOOW~gDv>XBA07Ii?QwBCq0uZ1C7I(ZHt)NyEa
zCL&;_In5DKFp2|e-oL0hXolw4GSq*hEFe<4;xJwjcxxE44=@|uIY44TF311u<yB8k
zyFaQh_)eXeb4?ye{XnlkCVIvqL(*+r8T0S3zVYedTiPmH6F!8yt9|x#U(GdoEeU9r
z4*h)S^v5k;OLM2FDpEJ^&0GojF(!2FhxV$0Yj#!sd`&qw?!NWi=9<<gThJ)wFD7GO
z!05R;HPIT*B6^mMo>AW+G4xYO@7JwDvTf22tVN?lRwe!rX3+TuUdA+QJC6xpe?Mg5
z{l<#VFny@8N8*{o&%XhHvFpL<|L5v^076?!$|JA}oLfoLDVsvj$dxeo>W{D@3;LOO
zhw6ZH3MHj$CH+Vct-<62M6FmDUmQ?Sw3ixNN-R?cf+ED<wTT+A$<v^_vFYJB=J$hz
z!lLgl81)975^@JkP*y_thwHdTApOi8DT17b+}z`mr*&z*z0<@N+vh2>c^6WEG8XJ-
zX%-M=PgS;-f_^DNv+`c+scZo(h5*^TXvlGxXUK(oxre~TnFgBH|I(QC-)k3Bx)3#C
zB#)fiwK%bFRRz1KA`CGFAWCUzUORie-4Ay+Z2Jt>VFhZaRv?9pxvvbyZwVPY-c(QJ
zMu_E-$0ctJi^u$N^DMK178zF2w`Kem6{&9PbxxQiDbC|&6r(3~;l7=O$ll*5jXihN
zdQ7Un<1Wolk1A$q(9?^p<i%x7Q8(dTdz1N+L$a77zSpH_LDLLt)zGku1V5=f3R6MV
zVUPV0ezp@^?wv6axU~lVkgxW~XqgJBs((15gJ66=NbgM3ksEWVEd{B3HI?hz)ZCDz
zmcPq`x5>dH5I~9?y9*9%*sk{C3AeX;bxEaBV~pjZvTb2_SmKZ<6!}X*SqqCF9alB_
zuCOfFIDcdx@lmsSmqiZl4I|T^k-(&zlj44mCKr9KieLbtRl|_?3uB8(GH-SoV$6S+
z4AhEj<CvDpq+vo3j+x;9Ww(`!@ogk5(#n~J?&Si)`_Zr_;PNM>{9WSsAVGqk=eukl
z?3p?ilurtwNW4*va-Ef<&(*SeBwnmwKvzvXJzQw$8QWc+9QDm?_g!=o);H9pa`O3w
zye(#+H<H+nC&^ZZ0jk-|!SeFI4qI8VPZ!y)(cKGa{Z-aog&PBn^`Q<KMkva|XcAF*
z!0w4FlZ+Cp(?k1d_>P?^fi3D)v=v%aAY3#%o}62F?Z$R(>-#t1rr(iA`wR8GD1i^P
z&=*8qJY4dTs@MA7KWlafzcntDnd|4_G6hOLMsXLaDV?Op`U9vVarZEy_2YNj6S$`Q
zyVSbP_W5{1@y9;i7ti+rFPQ)r%~zP>-hLj*1W1V2Kzx5u`aC9JwM=hzC~a>M%qD_q
zTy;9x!u0kGL{9i)n=^Y`LXMBr2YuS;*id&Id&YI)u<H!c!cT3a?01?Ia9u3`X24&$
zhF#j0nhBRpx?uki&sC#aQ!gf?gWh*+(hC6&l<~cf)h%{7u1jp<P1}CDMa0Xd7`=f8
zsl#;_!>u>D&!-kNKwbnvhB3c7q$W4C@Q1FJpWLdNtJ$S-x)xN(>EFdZ4*L+ab+=ng
zCFQ#v02u(Rip)v_p7|fH%g@s(vL2r|Md_T>Ir8#wc{fs5d*+mv+MAU-tYDxT2~d^(
znsRFnjPTVERUL?efQk!3uBUAwcO9PEmpT6f5GZBj={|CSgOi^U3^nSJ!zRRduZ3pv
zxorX3a@f#qdMtf&pj9`0;^n9inGxpx0zTo6?HCDJ%D}x!JnGCCf@I^0ud)LzS8XgD
zU!hr-272zm0C~>4*Lk=Jd?aADC#%!`+9SxnTZ5GDBh@iOdtY*Ni}fh(iC^@sDqqN_
zsT6mi1QjxHK}E4YAJhXAfghHVx3cE;c|K$s!5Y4TgH%0`$fxthVnRi}pO?#wz?f1@
zuHeqZFDi`kLBiCR4%%k4OR`#(A#280dR*)<V3QlIhpJy@<+Vvp7lkan0$7<-7u!9R
z+duQ&D9qO$d9o3C<tAoXaX0|327S_gAEUT-Y?eEo4a}vTcRrpM|FTov9sjJMl~;!a
zP}Dpnisjj>y_&v-lr`W<{fD<SutW4cJsuvdwV~vp{S1lMD+vy1UL=oMV7~U5%h8`V
zV_(hrbWHjSuH4J1no2G*VWr{G={46x_mD~xP0%3#Kko5!r~W@y_2{1Og!l?t9kBcl
ztpR{j>u{giPktI%eZCXyI8{5gs3_?6b7F3|R>y5BTb&D|&c1hlUb*^Q7DaWUw#=4S
z&7l+?7X6BExnFSo)4c1fEg+rv1M`HSTA8?c?aU#EhPUG}<FVt1DB<JLRDIH>f~&kX
zNb9Uk-P)adCzq|_6ju&7G(D2ZPVz>&!;7C;j=yS$XxJo+`ere}KYNQB2Uoi~WTjk9
zluoVwZvJ-k!ZS-Qz(HfwCJ}BVPB-^o<88l_*xfQPRV(AZazF^O)G35QvXo<O@)fUV
zhNn>oPO|&!U9r?naivtis40|WIMe*$A+<8lz@uBo6f=ArCN%+)2X0xy`sCO5xcWij
zagsGNZu0JQ7w{@G#pbDJ83wm^S4Pl~bc+TYw~iHqjn?er#yrd&KkPbB)d`oReXH;+
zQGS`Yf@jO4pv!ON8-@sb$RCRH5@{s?C#4epHEL{auh1xKC~ycx=Wyu;@*Q>y)#5#-
z>}I_(qpWgkRTIsUTr#W3tG93v{oY(|L*P@RT{Mmyjic(8&sAJ2av?fYPhEXZfbb>Q
z#Hjh=yH9z0kMeR<9p7PrcAOQFiK7h@t(y^}>(<(`O)tcX5az6A<?Bnk#g)r-ZQiNQ
zRR9{cSy6^5J5)}!65BO{L^5lV;3n*A?Q+>DKlS1`)w*B&KIqCL)z#6P&3c1))mvGe
z5hrjK<zy&B7~X-*SJCrhRtEsk==?riFX3hzN%D}mP@=7SGIn8rKWvv@P3cM6!gWjN
z^!^UE`F1$Z0@|oFkndLHp6w;FwZz`k#?7%W+>BMw26I*mX((YN`#~?3A!$Z4%j0gK
zB?$rGwtP<nGH4S9m?K#Uh2}9Xxw_(UK7SlE#Kh5D6W%^_2V{>Qr2#iMDNRLBrg`ka
zl^;ZhGoSKoiVt}7p^mQH;of;sYW>C*5Y6T5t+Sh$!dR_jbdJjmQGKOu5pYjr?@ofp
ztnGfmLu}bZk^N}D8<`HzEG@DpALwNcw#Oixb`8l+_sOzUh!*7@IR&;z42YYymmM7^
z<B_V%ijH$CMT3@bRD+0}>{7^dW|IE)q6PdL3Ei3on#Z~WOo!!+w$RL&auKvoT!Ern
zhNo^DtVB$+Dod^?mmm#(nR&y#YL4CAV2eoMR27tb_w-^}@GJ%o4x~dx9eb*#8CCE&
zWO7WAMo6!flKX6#QK2fuujOL#*1~G$;YOipPjy27#Bxt@9hi-8GBmciMZPI(o_jXD
zzLu69B!&Aj^A%y$YuXE@T)5xfGh1hKlUGxgAqTS<#Wb``9ZW|}T5Cg~hC@n@bq`uK
z)42BRLeE_1+4csoMi*fE#-3Oh*GlzTQoGk=FiARmq1OPDz#L!ArG40*Y$&Oj>G;_|
zU}>HZMmdl^zb~CY3LPjl%v_BnE|>zl*^Ldv92`Wr^n@ua9#C9B^k2#NLA<jn{D5M6
z3kQF|67KDhh1pWtD&diB7Md^|UVjs5@Pmh^cYs9@<CG4>_i>o`WTD)ZlL5vVLu6eD
z%W-r_Y1S`vuw3D&?xZL7v24ICYAn)~;o;tThMk)p0eJA?%W$TG)8<XLs6(=y8Vkr9
z%6hHAHc!Q1i+e_24}Xy`YpNVKDS@u_7Fm8#5<@#sZiQ<jSFR+iUJ}UBKa`ITlb_aC
zJD8^#OzE2vmD2k=1H^Q{<?b=3%(jt!{e+~5E5zP^JuEj`A{LrMo>(>t*;9hvYe_wp
zY*k+!*BdYTTFd%*OOHEd`siX|*by8m#lsWUS0I*b2`!W%U-B~yT=DKqaUjvky6X2I
zkQ9-grGs7LLnnKN(h3@in-)|T!u;wlp|3R@O@+H_+h{Bh6L)VO$dP-W%pHh*rD5H}
zzAL9I4-9bJ&NO!fM#p3ozQ`UxkC>_q_FV~&ma|WX55+R$050*;ZvDikgU)Q>w8$JZ
z-Gj9Ex|8O(aM7Up^*DwHrfR8=sBVJ)Jcjo^m$p3S0S#Jp!@dGcY;tFt?2}Zf2ZXK0
zBrCA!0$)~|-+*j&FJNZNrK4Xm8F}$tz(hk9;yjcWC{F)0y}TEteCT`GjY6oqNm0iN
zgdrrSg~b$oUh90D?%k)_dJrOMYg@#?m#7vt-Xhv%{dI*0GyFnu#(N^4Sex?l*6{g1
z)W;eQbirt5<B6ja4dmKK>O<NX4P+OMbP=Uot|~Z{$G_}^m+h7H|B|I;(^t1!U5e36
zp1C2c!1bh1hK@#Da@xIqg*!`yClc<q+rD1C6jzk-Zc%5&KgTr<%*}<?4yh+D?0%0g
zQ#;^)T$=p?TtV&AuGR`C*jwN#kJ0O+JU`7c=<!FvhgsFPTYkQ@VREeIJxk460?Drd
zK6<6egIh1MoAVioyx_7~*^>233#?d}HYEw($PkvxPHy(CCQtISTaMH@>`bOyhT_jz
z(VZyT97?Q@$i3Roq$R-beas5U%z}G4ow0<&^jI@)xqu^Gkrgy65!Y#PK?-VRsnK}5
zV0VenY3LuJbuy_zPz}#im4S$Yc2Z%>jGI6)4kz!t1?FB+|Ea7%Zn5n0GA;#{iq6wG
zD#We?3U_BOp>Ryl(iFvbxV^`_0s&k{KuksYPRo#=Se<Gz_>v}<E@qcrsc1@!k%5|c
z3C|)3o7jZy5lz~9oL-H@NNeVlM=4k};PgVfjU+$0t<pzn%yb*xlT&?R8@fZ5DDnYg
zyUTY9pK`A$q_V#|a@mq1>Q0j*DU1I0@n<M^tA&3#(|{Po$ruqiz~tD;bAzvtJD)$7
zXDo&781TK9FW(l!R2e$S8o_0HkXj>{c3!0kZX6TxZ94jiZaFvi?7%O2Uo4C)>@6d9
zLMOyO$)#DSo-bcNb&8tH=*c3&V>iwF2b{mDnE+dGqh~4W!Uai6OtYyhcA>ebx>Y&~
zl784;JWm`l8p0SV+Jy{#Y)ah9g0b#(Kk~O1qrLa*IBYCa-G2iQkRv|#h%PS=`I#4@
zhC4Fb?sL=*lB9dk_SNEPWe7~R&C77=ncKq;q(6y7oY*G|AWuks5HLsU2+OxE8|KeH
znv1ov;%m)9U9Ez&thJ9IfjLs(+8Vd06P7Z@wd5HPvsj->4}1T(K{KA``{wbd3cY=k
zt2yD*nX`of+?2Nub)ABY9od^Kmvn1D<hh5VTkO(Z-xZ{^7Fzk@aVmghtI+wv@drQi
z4j?%BHBnE8IONTO_i^poW%u!;M}%LNvs5SNd<AurPORp>sXRT(g<BL|Wzd3_>SPd4
z8lOQXhe{{r!4<8(dm2UvO$b+z(qH3Fhy<$G3%d4-?}zN>cGq7i{t8)tSQ7_jOI8o+
zq8D#ePiF&s%nY~_-WxD|fDW&;z{x%ABt*Hc_Yi$`A^wG>qvo?V<yB+#^C^wi%II&x
zn1pOkQ)<TyOSjY8?+Ck)JXOt%aqlOS)@~J*brqEv&9a{?Pf!*6j<y>Mm|m8Gv9RXZ
zr;dk0(|(K*I^r;skJLxOPOo|ubi|x8xf!4Vu45o?lD1P(reQQH9to7N3g8TqMax8b
zeLogV8d>g9o$S3JleTQx=|4HmWL#8QxI1-Vw$SOJ7t3i9SoV30tt7u43%V%U8K`am
zshr*JQ1BX_?ky`en=_w^&Ye}X`57cUU(^!W<n*a39Nx5gnN)AZis8V)wXMh8CGz)9
zMM6Yt4)@V4L8BuNx=x%u)xBxRPHW%4?u*j}&84`#hM6uOMgq0W%6Hnpun_~TlE7aE
z_az^{x!!ZRvw88o6f9o3^z7F0Q{Q5;G-e(rI`jLStG6|&4ron+<U{5vvAoJe2saHf
zSjC@lCVnRq`Q(RFP`VBD!6Jpqr#OlEGqTVOx)A!iP}$g@PCpqiJHQMGUJ`qW<esva
zMCLA*74EOd3|Af4Vxe2qoUP%ROL({3n7t?QgSqFkeTWQm$6B8ni2<tAt`v*=l60hs
zI@LlRz-+Fkj=CLcx~OD>-%qp@-;f_G;+GOVn*nkXrBpw)3TTY=*C^V_z{u0O8ei4f
zmF<)v6q}L=*!8?B?|s?6Hr+lfC6qGv?BvjG)7K(Zr+xmo;XilxwQym#oyMh0l~cFe
zw02^o&DDRsoXj;P+hf?WC=;Dh9lK#b47G0TgWNIV`42d>Xp)|U+`K+@Nk7q$``!?D
zipMPya9d4Ly{48!0W8x1R+%1qea7cBInMV5X9XizY4!4N@N%@84>kR?Gd4?;Kbbfy
zSevD)3pnk>0+7A@lPk5SDo5CgJ|n7@?LY&!d?-5JMXWKLQNbSFYbRqqrt>Xk!v^M2
z`T2yKGrJ`805;IS60(t0+a_4bLX0`IsaEaKwR;nH-P-->3gvbf-=6fcvEl7vh3=-f
zpzz;L7y0()A+Bdf?eShrq^j$^4~*XFD;yFnY?XB-=;ZmBsyWZ-#rIcx)BK`Ehaco>
zLf5q5Hx{l9^NyT=5mo^Uqj#$xp;I3Zoq+WmdT)r7ct!>|JwRp&97ql4gO~hRq#Cnd
zO3RAd6^DTSkc9sDk*-liduGbWJ3D)5B(|1A<(daLkjt8wH@u>ryfu=z{zu%kCvWwP
zet%-xi+maUw#p^BP-`dn+x3%nRldAIEP!db3(%NNNL9KIuFKaUyCZ!^tDw(ZAnUU!
ze^ok{Z)C3a61k?b(NYk8Cj@2OCO9@Ci1lAo4p^j1YA#61HbM9kI?m06c@d)P;!1<&
z+PkE(iHpLjCWPITOWJ@vj|SiYl2~3fcJAZL1KHoU5@!oz^ADf65NI15Epd70PSVaE
zBnl6mi~+@7C+Jpq%U_+bYmT-JjY=^F=4HOc{CNf1lB=l+3!1B7L9NoS3w7|-y7HKS
zIiUcT#KUQhOBnm>HQpQ<51}I=&zj0n<Z`DJcGY+(EB3A4-0>>~G?SOX#`1O4bMNF0
zuT>a)b2H@JverU&ne&R+OreD}gV&X|yRQE+T3P6Oc}Mxb-Frd8JKIJZ2%x1xhZ?Sp
z8V;9@2?9J=y6fvU)pqmFEoomb>!0^t&=NF!CA+rc5f&lk=~nQ7eBTpiPWgS)wQ|$7
ztlR%P!|-Ji@Eh5VG6|Qfx!DVU-dq=1|Enk9$`f#iKWMHr(b;E&hk$amW~qJfhb!D+
z5|np83`I6s8@j-<=pgx|FcNAsQ)q>SPxVQxysJlu>yDoO=j?%7CE<4xwuToliDa~Y
zh~RpSGRyxvuv?sC`9B+<74V5f&XS>EsUV3o4>|}1eHBcvWMjD5<_ymawMO9avRn5k
zvW=^4%TWOs(y@G1l5Hr6f&a=cc`dypSkL)q)VI`Uo)OZVu#vTyVDVbYZCZnktuNce
z*fw#$=g|#;V=x*}Nm$@u1)M}-!d$ShK=07CZ2!g(|Hj~!k14GDFx4;0+-z~PA{s?x
zV$|~2Xfxn31<EDO?}4!Pn@mXZ)K{QH5-Tx`7k@6Rknrx=i}wA%fUIq3H0Z|VM$JLO
zJcoVa5`%B2a6_*V%t1OLZpx4K6t63dtNT?F-fe9p`L~iB1@K+)qUMHcw*<-pI(4Wo
zfI>o1md$+w9hz3`ZNF*I<uC(fSA}rzO*d}hU%9{Z_dr^JiLkDqq$%x{)*Qf9TN4iW
z!VZc89g?j6R1`3v0}i<pVETEYXt@_HcJIwfaDEdofj1$}%NDZeA9u=wmzc3&744;B
zzMS}9_|0rfk7h(2)>HAiTxh~*uk2ZkU&0DCCqUhy68t>M1}d-ERrB-Aa=hqK1;@O_
zo2SGr!%x*38m3ejMq{n*WdfIwXu}a-vC=rJANpol=IGoR8TYh7OS0jll;@{vz^$~N
zJXN_oUt>y-bS%O>x$`Le(Jb;iw~A1IWwGB5SNsP2HLY*GG&nFFtH<e*<#&~VmN1X`
zQ<0i91*nZVojM8|N%UNgdXu&Q^qCtT*CrU59clU@2gPhXK3^;XomRb<gY`8O(OlZ$
z;VI<7<nQa1TL>#d@5pr4yx=+;l5-kkz$ukY=7+xgVPtb&N8@X6KN1x>C@c?sqnphS
zld)o8lo-16g{Z|`)k&CU7of+d`%g10HTk_>nJul~B8~Af2z($V^mSZ&UH));UCz^1
zgfdANx!CkEYgw^gQA*Jhn7LayMKKX}1A;p3MZE=td4cdJ_P7kthS`^Q5(b^$ujzVb
zarC4n=bav)Xb!lQ2&Dca766MARx@%jB+)WE<Y1Hx=z!>Xk3TkzdaPs%iHzd5kSFeS
zu`G{pt|r7y1)j95Vx$iAcK3lTd4Wvdz(W2nsL44cp&4Lo!C^YnTHBI8o`7H4E9t|9
zRRYYlsrox^IL}1OwW#>ChH+7+RWYGbt45_dm{U)iU0h&_s&F6_l<=_s$Ks`yx;=i&
z$-9$fL*p1(9;S(Qd4r~ERYX-QOLJ00QiE`{`2Hr8)y>%%HTWeyt`OMjHr*D)g9R4L
zu|@u4%jp`cTka00)o5n(>CS6(bAmj_MswL_Q4YJW#%z7beg!y2f2itZ7mA<16!NQ>
ze~+_9{|nz#*GDjxFTYW?i6WI&3oc5AHX!p4;+gxNBe-3Bpv)oTnI7*``SFwU#j@8~
z0iX`dN+8c^YJD)=oIC-H(ix1-S<2;jN)I5fwE(1Z>UVA?V=`zB|Ll9=;*;g{@g16@
zi-o?$BIb(q)-n%b{POFf<2?zF&Q_*$QwFAIC<b$Dqj8L>l~nTU_l?(YJLOrLpeGMc
z|GsXxNOy?|xTxzE{4A7l{k?b1SP&qsDx;33`|`I8w)3jm@lpS_FAzimG#jUH3Q<Pt
zz+O+6Cpw=z*b3DXt4UG`z;B`Km<HO91@YdZ9bwft?7Kk?VKvNv3>0&CAXIFE9^i3I
zOFnpQ2^8FB0N`NvXXU|<DwHD4NLj^5N`K>~M1V5=0fY~aOXc@`++4DaZ;298`mr18
z!?9@5o_W*3c~?B@Yv5H-RMxlBx0b!ASVs%aKk5B4YY-`yQvrdU?K}va(1Q|p`Kxoi
zjsASOmod&O&z&n~@?QCb>=I}O3tnGd_&Oy%|3b&{^||A>7$m9LrY(?_RA5yCR+BT*
zBY}S)KOd1p?&x_^1BSK@rQJxyi+@s6g=nKY%LR3nB|S<}SY42rfw0=-g4SVQ9l87t
z1EDLEZx_00T8XIW%WbC+6PZZ?r$f&zTt_2qriDxa6QHU5Ull-o_Osjr`+Fy?aK&EV
zbb9Hj{0WucN*v<mbCzFL#(%?Da(`3YJ~8*cJ_#{+KaswV-FQan6Rg?;aIA=gW~pW`
z5>C6%Y@3P8Hv_^CggEee`Cf=;4iY|&&aNgCyZa31-=EZYOg<!L$-jvU(gS)VQX88{
zMHk#LPW;L^NY<nXl8aOAkO(K;9e=rL$s3q+dkci+>}A%)aSu<~2;p1!ODNrP>th_t
zCCM|@Rr|k!k?wM|xAJkW=5!<8pf*}Mv%mI^y$moX1)bMo89BujDq2hVS!i-`-WB?m
zYDL&|?pCCXH$?`zb2gok5^6Ti>#7V)8hj+GAp^rzpKE+j%BtAs*XsJM0}Hg>DG{c<
zv-6u<6(&73wZ8|I15BQMUx&ZN7;<6^2c)!CuqUnB)NZZ@r0;0TUMvv?0$+167<EBG
z=jUsxJ(>CWl9|TPv#D(%t)j<k?JkzQm-3SC#=GNeci4Tm10n)Uv=;ESPd}Q<2Y=lm
z7=L!<MSxz&`$mcvwVDr+hOmqwNaHp|JL*aV)m!(+sIy>(SlxRm5xf!zt~f;vW**yr
zdB+d_@T{z}_}W~E^BNZ}5b*;%YdyGXQDESkfw(M5){m$V>^v#)>q1u?!DI0ig!77A
zq)WFF#J|DJ-!kjfSdY>Dzv}pZr8^Lp9m?4~c&6n>o%`6G3Eb9ig{fKH)K0rX@CbQr
zpd2yD_%qnsku{zwNLYx;QnyRo^XqzOPJe~*AFV4LP2sdWL^O-DvUQxAtM{r}j2C(c
zC6sbn+Wnj8Y6O~^Qjt%qgVd$%0|q)fM%*TTljH%e2EZ2l=UmVFx98Pe`gUMt8b}sq
zbkNYr*U-s#(^JH?DP=e(7VhIJ=!Nrp$<C{t8YQ373YwOIs3d>y^=JsM7(!lMb`~rj
zZ#-sB)}+fp$~WvzIQi||d@^v{4H>$j)4Ey2baO}W&seeWkkCn3>Y9xisu?V}cUxe)
ztV<ZxMZDsC2d{lMXR_D7y)_TcXSA;8VWq2y0gKK`*!d&aV$Qnh=8Q&3DPJyHdgAg)
z9G;8v8I^>T0)}V=58hyJhzliq=PMu|aqj;!Rcj_pZ!7OvEUsPmo-B{m`VWVacN})w
z&~LCC!8rxapO=Y=WFCY0tnjH$i^R1$0g0|d9U~5|PGkA9%J2nYK?@xvJ{NeqjAjC4
z6LeGbm??q=c)X4)VOPIlt2iP7G-pS_ue0l+D8kNxm-trCXWB;7bunpN-D}ZQzz`~9
zNhCdeyKh9&$MW5kQv+@-woO_PZpVx!eQgdbm}>>xhgX#;8*L}xajNP40pz5xE-~9A
zaFu|sG`sRqP~KX!8n6~-zVgb8Q=|m(Ftj9PE-b_m{Sz;^qL&{AcrNy2L6M6ubkwbz
z0V^R>$L3cBGqHL;BfH@hK2zpYoJMx_8jD)#1DMsgN@)G29UvXhojB~F8$Ei4xR58q
zh@uJFCd9Mj@&PB|<64QQ*RhKil<hA+8)a&)H3(M9+`d~%A2(kY-a<5hkarYKCJ&eK
zu{V>$H(GA%tH3nuqhV&%YP&!aq5J-Yvo}eAbAlPm2V)lI!0vw~2FAaSK~{qTTwd7%
z8P+w&Q%~Ocow#uAxwl)e8--Uol>{jMdok0RTphuLQYGjF4EXK&kL3dPcIZqubmm=(
zL#*I+z=C1f&ewMhcqgIrvxq4Zy6WW%CsOus-W&Q3(ftVHelpSF#|^5iX73)U_R9d4
z)w!}*Fz*AHT*X8dkqb{^ISJT-rWflqvh~$laW@IDM9LCO2MkEv{GP?knHs!xEoyZ=
zIA0eOFI?SxRefz9Lq%6Tlu5X$Nv~DYyY|ildEDSai?Py;x8Y4sj^ALrrk{w?^XUw;
z`sCC1acz7?<NCg6$twIa2gXw2!QZ3-9c!F3lu3i4d7uL)ZeJNr_^oiWqQvhpcSdY9
zhR(dKVM#|z&+Wv{?Mz%xdMP!?lUvs78S6*rQhI@B+tjXi9ENslux-*@4H3+}xw1=e
zax5fZB}Dc&Y5Z~6wfCnIYSawvZ(f0nkGwTq3uQtC2{$sYd7T5uobec{pf+G-i9CG&
za#ygtl}6`g;JfoK>c6;fBXzDA0v*(P8oU5I0Sm-%=3KF+goRi#M&Kd;_W@LFf-G{1
z$X9mx^CKaPBZBw-Bf{trrB@3i0T)j7CwZYr=U&DDaK_R$YQj7DIm~Ly2^h%dVH5P*
zfp5`9ooZ%4Ol$h&?LOBSy-ld4hEDwLD;uj)M}6fBcz8_^6EH8kR!3h1l)85l{_VyD
z2gvgR&I<zHlz@j8Asx_hmG*(Er3~5X487^MdLwVYHcSL$UK3Y;aufLV$N-N#uQC_n
zlt6DXS~?xWnGnC0G$E<Ee!77twM0=ZS$;xIc2x?&&u##>VB`MRu)a^fmY%!M4q&&E
zs;2^~`FBTW1?~cNYx6KmP|5l32h@Zjow=FLgHk7Pqc4N@09%oT{I+Y^6GbD6#qZpf
z@SxI5n3J$<*yRid<=~TsIKScKcLAsKfS9Ue>ycQ=p!_(J*QaMLr`3<tl(VWht<D7R
zOop1_*PLkSRhrq_rgMT9Zvw87zg=8c>a5>$i*tx8@?%D8!&KfUr|4&1$$C%rlq5$2
z=q;oDzlU^eY~-P9oM|?S%GO_7G}{mat)EREfH2tY{dtRcMJ1KbB<`?P69cljkr8l!
zcjDoJgX^y>TwUJ?O?|c23_4uf;IDe*<iFDS!VO7R+gr9Dk?8MoIe2+ua>>ghtUybC
zEFH>7SAwjKKnOl;!20@j{f5NuUqASlx@g0Nd;K$)(w_pQf4%_LAEynRr^G*YI-+;n
zLnwMbV!N|oNuc!S0}osQp=jHtz3&o#`SWrBANNNbhavV+wr;H0^?%j{Rc=8OQWt-I
z;t6o*MXo4sT0ex1h4VoqPYT9l4;hk&SSY|ivqqViS^$pIRo;}j(wQYFXf0ZEhF5c{
zv1_D6&6N!7;A#Vwr&-1pa6dvTV&OqppZRgewOWiIY{tP9m{!{O+K~kxpq{eQT0~fO
zkZB7e@+7H5j^-@7&A2`6hcICzV0bkIyE-y+ghc`{Kn3TLhvdx8C0zb}%tVv>rj^KH
z!G~4_1m-}2UWEm2=N~`ftT=Xwnj8wXe|4m2ZJMr3U?(aQ=a60q^kOTOz@bq&<-q@Y
z5i3#GaGoIxv*;xuCBY<EK%;A}u8;@0&ELo2+--?eUIL`@<o0&QslP@*Mx^Ga1gp$e
z?Aq`w;`ON{;eg55cIs*ySg_cNUFA`SS38RYKj`CD3)`IVS`v>JAOXud<tU(D;Y*{(
z2?k7oQ#V{~2L3*TI<VU0Kqzr?KYJVShKRn#33nD`0l!Go9GVzs2Cz`VNM~-PSJg+4
zkDOk=r}M>dLDD(moEnkfvzAEUAJS;_C4+3y3(Dxq0{5t(Lc~_|J;@?VKA~mcsV3L#
zM`E{rU?kiRXv~7Y6#4TsD+?me(wqsLUNTp(D1t?qYef047zV8HW<R-o)UWYyJ6IAH
zu#`xw;>4N~y?ITjlctx5=xb{p@*$t`uHF{}-LnE-tMl4tO|nXNC@Nq9Pb6@@$@<+i
zCrT}49KNUQn$LH`Xr#Nkie)`NKG=0-u$XpZkG9;=5vS$H0jJdczCI(})k%s6x9oOQ
z)2{g~fVCLFpTs)yy8K02rJHn+)=fp0QRmh^dVnHQvTVM)jy}wZ(7ki!jqU`!Hiw%f
z%gxtJf9Qq~znO)FX_6#bz9c1?>ttoO>t=;fkKps;3Z1_xD6n~u<mq!hz|6uE<RdJf
zVV6d|@4#PU_StYdte&88kfxWh0=?F~1Faaeu!kF7o{PFU105a6u8>{L&+uE?11szE
zE&}4E?_Q2Jo%|>KA61Qz??U5sS}R@x9@}~U1<kb~!^(_RVfcL2%xW^Do0O$Ur+xVr
zWBHr(aqVjtPwlMXd+|q!gI2K2t-IK8*8fw~nZG5SMs2*N%x0`8v$RE-%Cd6dtwtL)
z#j@1Q+|6+TDmBY}#|>yROH<P{EqAFXO|aZIs2oGIM9UoocN7FvWRdOrGS~aV`}_;f
zbKTE5pX)y7Zs3g{b5{DQ4CY#N-4@uT?K9PyO8-;b$JW9PdkiZ`!j}9n@McTajDRP;
zpEXKU^pa#;j_y#q^)>aTTlaH}Kd8Y{i1A5UAXQOY6g0mnLhd~|qzJGBlK_lDY|?7~
zLI6U~1)hZpzEVR1^wXH-AeL+LskhYrsqo6My0X&W&^HX$-$bT0sXu@*a~el+^75x9
zdnZp7=Fl`{mvHkMgmYw8BOBzSSc58BIsCb~y!s{1{C0lEkF_H1`@mbFtTSB#@51->
zH%-a6EsH9F?%T4*#?TS=DdgjJRzq~$7hc^?$IGxYaRGP>esS#2(#2g9uPPZTMxN!c
z#@_x+bOJYCAdv2S?McEl59_Q|RtQ)HB+z4Pxy2}jbDEjF{f&0Z{CtPHS?l$`@^_>Z
zM2Lrq?jZms1QFoKRi{>MDE&u_WytbIoleSxp!Tp<GP^fjy7~*~aWlcJ9U#@McZN%H
z8cLi@9WsD$Af4Aza3)yh$WVg1Hw=Jk0u_d1BKc1s7`jk#nIUvCA+7Q-N&Iz&Afu6T
z?XCJwtnP)J6Mk{^|6K~bqO;@sYhaKk?)ITq2znTjubc;bK0<m)<T#szKT%~?6z0Mm
zxuwoa_#d>eO3^<b2rL41s0qvCqFm%^g;4?dpQkmjREwM|Bq@PjgIbOc_Q|V`r@2ik
zeu);A&l(%$H<v-=D)GuI*#x9CZw{|@l3MQzH7Ltme<d`08SG4cAysM*AXomsHU9Lg
z>rEzteIG=rHP;N3gC>I~B)oz`9##t(ed|Y{-b3TRV=|PT{r-3LiDBE%&90aDq}sAY
zMBgFrI*6F6#g|5LMT4#_S}~E_*|?X{#9MJK!hqMoVMd&uQ^N}D(kZtN;L@QxUj$iD
z=}KWKy59}L`ddHp#Y`SD^FRF@UrLD7)C#|8?46Dl)I&yP3W(yOkEfS1iBZs->nZC3
zg)sJ%KkQDYuaZL13M3lEpT!8LY5w|kd}P_yoTHf4QpH-sW=f8718M8OX?h3xtVxoU
ztgb)#5cDF>h&5q38!vil`Ra9CiNi*ghaO_>2yI{<0}PfjhK}HrrY!r3pPMONyj>HU
z-!1p7A{BE;*f=ocqpaY;zz`t>n%Ln}FW&l$^-o_ydOp|u#X+lh5d|Y#2h)hOPCa8$
zu2Z}D8>5gb655`ap$?sw|0r<ZdGY}eL%8=0&S+sI1tVEWsU4y~AbLl7wcby-7vDVp
z5`FF(7GZ)_(e{!r5FFQdq!_kEqWDS{-G-f*-A`M3on=|$X}OZ-SifsfI0mxpg14t+
zogTKu=yv)C2YAv3ZB7Y;!FuS|J${D!>dQet%z0U0N*^Tj8CHP=1fnor04Pdw!#6pk
zjc5ISX6m-%&MR;W#fW`E#yzyVkr(`4K^6Xhn&1SY^IcI=<Ms(jHX>)S1h>B@k<i=)
z@;i#K@pJBJzJ_QS&RTNwU7MNd7XZOZgex2r93CF6)n8aqXfNdg*p)4KTPoOuoqB5V
z+dw&FEI8TR#&1ek8PZMKY4jjW5yV|RxJWKVrmlYg1I1gsrDC-<!gFmbv#T5q9nnKY
zQ};wgQziK8>9jv<Iz)$cb|Wx#BxiHNbNDkI^j}+w4TSHA72@xmcQjiB)#=fCsm0NL
zhBcm_TI&k2wQ568v$X{Ed$CR8qRAF%`@2AQ{s=GI#o#z%rZ}&tM=_a?jw-C1RDjUy
zxU<Sn7#+@!M)03<<jPbMA6~-W3cfHeNs&((SH8j;Fljbi1<Gy?y_hj!xg<YTYOQ`!
zS554)dj9ywvWuGnjDMeoUU`1v=hWpt#uiFE1t+|QGp^ddk_mZ0YP#;$D8w=h$vEt!
zz50pNQ0^$d)*2+&ShMvxih9v^^==xp?(-&V*BK~40f(bG<|OXk(f6HcQRp?bis!p5
zvr!+XiAD=~LA?E-O95-nt1e)A@tOMTt*DWQ;YNf@cnK@gYKw0w7su-Bgd_^c?T`v=
zN|HObthTn5j<qe^>Ad=tPz4WloXyH2SP}A*pmnjNgg3-76DG4OZrOA`F+LC0@&f$H
zHg>$#2roYZ8Mv~=JpN7Fw`{Y;c{u-VL&si*c!h;NcwY)zX=*)482O<;=f;`U1cTR1
zT~N=A!p(m!&f&?SF$r20PJ^l>rZ@j_(iofAusc@@5>*};#U(no4Ulsbwk^Uhp&yz;
z;c%&K>e6P6;&}c+xwwt{IWU8^H7n)UXzNA9R^01C(s!?tJ$XkueCNHQoBxRRiBkCf
zHtfb>mTV7+G|wKC`_fu$KB%Bp-8ieUot&6++%6XKKC9}7x0Bs1B(Y4b7`~<JgfKdC
zEF}!Zo*t*%zyUEU${l@yl!LzZftt4+1hqD8$=g~a){7-KmQBA17DN@ac~ROfDb7q8
zokxet>Ps22uV<52geBpt>lr*?C>@FhX7kaKc_dw7QCKSP#)b2Si)!yW{d@DTz2YX_
zmlu+5{<4T}jpzd$4wbL&Cav^ns!Cw$C#@<fj=6u{t-fG63-0^v@*k3we>X|`uDqNL
zGRNOx$`|05)tA;1@i0w0aH!qgW&4D{eE$>H*Pw%2`jqVNcjrU9d85{fdmx_O6vs7r
z=~0&GslRzaA91C6IkJKQbe6U;4<!!@;UEjbIJQ*MAIM40-iWaB<?d`rb>%rsRW-e(
zznm7vf=Ekqn);EeV05-p#1KieX`BkOwP1o@`A<SITc}L-%a660TbnUC{2;86Ku^M;
zp)9OX6ILbubw1lHwGA@t8S8F?vXYlWmD4Q?i9zF-MIU&?F38f)*1w(w^txnb?%%ZT
zf)Xh6!7?*KB3gx)gfX#nhzW({eJp`1Pfe2D`1M&fgVycI`gY;8W5&J7l6W^Ksl*xz
zYy0b)GpY}jaaFrEa|}N0CcJzNYPQw+ZQ`;*-og(@R8liV6pM!StPqcoK}S(p{O8*a
z?K%m9vlXm8gYbe?$itqpLQ*U@F1op6Zf)F!=%1lwVcTbsP9GkRHWqyV|It7Z2Bp)U
zX#28LgS*Y7**syK*a|UlXeRU|{j3NEmAb}SYcd`22iW@$_`A>Z-yJI!zWIL@2~0iR
z*-MZUEei!Y`_Myamr;S;z)AwRy)ytkk3o%fuHWV$-!5mDLuHMmn)N44d3ys|nk*lq
zhC|T<gPTsD!?eW-T5Ez%t5|Y85FgilAkF-}&AW`7C*xhGD)rpjI7SqW#`10!(Umir
z684+BnA+oDm7^((E{77ymZ%5YOEa*U54(kDB1FD?5BFl7z#tcCBZHqoQ@sEx!t`cJ
zL!qL9BTUZ4K@0DvJMO7orD({h8pP2+3gEDklBH6RWEfVa;uPLYNRMfZ?;*c8!@r?P
zqmyhtvbq<o_eJENZv=i;i|D0{toe(EU`obX6l~_Oj|bU!Un1PXB+mtmCrpRNR9m)2
z;v6hj1+=cy!vm@UU*(FItAat^QLIU9$oLk@lA6iSa9odc(D?EZ3%6B|VLaLIoqw8i
zHZ*^-A>P!i&%83#2>yvMHYLh&foa$72<Mqx9Zi+P3Y!&oY}?^Sky{t`{ZQqRx|^#9
z!zTRn-X)(rX4O1Drm=8MR^*7OH+<OhwvZ(7B8ZOYlF2rv;^ETwn>SD?3uWJHA7;RD
z#Q17zTmaV#ntQ^>-4m+w#BfBH!D^W_YaeGn(L24c;9rB4E)G?}7H^K_#iE}MeNQ9X
z1;9QCZ)h-@o9jR$JU^vPF+TA_(0B~OZ+wDpK-jmt_o1Zp1fU?(Th_CnKxTUFK}>{V
zh9Mc`kRFZ9wKZw<R+0cU=+Mwc@Y(6-n<OJHZwjBM){K#pUs$P6g_6W>%IbT!ot<+p
zaCGJ2?=6>48Ymsq>f7uc${y%G(mU~*F&AV`X%3svKUI;nZl_}|!0+c~SAn-r=b4Qj
zmFGI4zN>1>obvEtzbmT|+4pp4V4>BagfGZ=>G1C7&QlwwVx^3isywZ!==xV>1`+73
z$d-!~<s2q6tS8=Mv>nh8F&l*M9LhXNO<DDQ{i=m42yshb7^Apjx_*t8oP0hXMJy;!
zm*Vl=5r(GS^Q;<LEnY{TduLcMY`9QwC@9`u@5HiEBlSE9`qlN#n=8M5B=TAHAoyDj
z(jzvp7#51$M=IHm#P@epIG#>P8e5J86GV#TD^z#o<9IJRWlc~Vew(y3DRE|vZ<2KC
zv6h|W)0)t<=d|<1_&ZsQfgT9zd!WVv7irN+95luimn5<tAjW$n%U_ud-;?9PwEhQ6
zx3>i~vm+*U1i*aXO7cI%R4zF$q+3on#^~R$(<We7=1ZbrQdEX<fF(hHt-NXLSW_tM
zC8M>t9@vThZK6mRSltSq;!oV*LQL=W4GkZJuNU{|$Kq*HR*6TdaH53>`S&~t`K2^;
zDFW=T7u(gfCEssba;QqTGFD9!Rfc=Md*Rj3M*WF`Cf;4A+~)9!B6e8@fn)qAwQp1<
zm~1y`Ek|{LQ-_uVG@MFzqd6kux0a96`d@+h8+%h_PFH(Vil}z)WK5{!!4C|Pd9X+4
z8YZH|48q+M=&XK1a?zSxw2gVUetJWdY||L*PnR+<z&LKNyPzu1C1g8HCB7zg4@xV2
zL?v1-uA7y*jv1iS?7-;7(!raI0ccru;<`&|aq^qO4ch+dO6v~+#T;%B=$?H`JX@qn
z!^plM`>f}mQO8$mvdVN!XU#1P_Df8^O;a{0*&Wk9F<%)Gc8^E=dm2P?UpwQ$R4ecH
z`gb(<-GsY#9QJ|AHG%gzS$?BLGgj8;1YH;e4bwp_>*WwhF5Ev^CZ|hXzyi(d?V84T
zyr#v-=U}~_c8Qx8*_F1Qonhn_`t$FV8R7rz9btcp#kxqNy+rkNzkIY-IGE33>@RbJ
zrbQM9=N_^(6^)d|JLCRdscdROq-jRL{2oy2oyr>&Gk*P)E>MgM-NI>-7|ls+&qPcw
zoX1JI15u;83>)E9i&V*qqAE<#xR*{?+AIJ~#8*}0+46xlyt{?-3@vZHo!pk0wAFLt
zd=;>KPCjp;`a5PwK3c_j$(EddWQqtV5S<Gii2UL08t@Q`jpdaGJ^}O6P2AW!qui(x
z%co1Pi->h^ubB(50$i2b0R&TAUX&$HJUEMNgnK;8lkLBbrB&3A1++B(s>U99Ty>K|
zEy}v`{^OkLL@>GQJ@Lb!lW5yaDfNjNRHkFThD}gTMIFfId_y7{5U#7{K%A63?@ji4
zf_x^UkO0n9LL^vx8-$4=gTz$Ks;%fL862+QgXM~OKtcuX6!y7jKf#X?dy(>ZUt|E&
z-(DUxTjg*yXFNs;qwZ6`WLr&YA5ua|opYy?+d|WUJr|CB3T{;M*EgQZznhF>jw~Dh
z02JEL_?12Vt)H!X?l%Y_fVF1$(#rPFu`|z_K3zAO*ifW@jvDKy;n?AkB+UG1Q=IdC
zZl@!NWD7D)_Kh7H2~3IDEf$<5-b{k)Hg|(()-`v1*j}W0qqO#yQ3$ksIT%Vp>22fX
z_Cwn(j+*QJAHr+n<wNVMTkW6H`=g#O9{a4(7Rpw#vOJpVEJ)dzH2@)kVYujLIuNM-
z;!DNXTbPWF-Kviy_!QWe9ZSvJ1Ldgcv319rZxp_wk?;4YqsQSpJPn1xc&Gf0AKMlw
z{W~4EOTV&T-GwQe>q7>(5={&b2MFf>!*k~C&oPLFng4pZP^n@rT#oR5=@;DxEo-k_
zb~%WaVb9$V`P(<`UsjvI^vcUH29FOwNB>N5`+Bc~p`PrqLt$^QiYKwx@H>?Lez`C6
mqVv|Np#Nf4ZtMd%^8kn>tOgyK2DfZbp39dUFXAs;zyH5c*9>|9

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeLinuxRemoteSSHIcon.png b/docs/GettingStartedDocs/images/VSCodeLinuxRemoteSSHIcon.png
new file mode 100644
index 0000000000000000000000000000000000000000..06f3daf1897481dab7e9039e28cbcccdcd97cc33
GIT binary patch
literal 319
zcmeAS@N?(olHy`uVBq!ia0vp^3P3Ez!3HE3M$U5qQjEnx?oJHr&dIz4a#+$GeH|GX
zHuiJ>Nn{1`ISV`@iy0XB4ude`@%$AjK*1}XE{-7{-pK;lU4QK-R9s<P%(q|`^AxL~
z|K+j~-|h2K?ZYZ#W@zy-MDBZb>Ei$EadyAtH*DZtEfq5(i9I06k|X#DgO@IQ;v|_1
z#RY%=uhy6Q+aGg{_gVUy+28)ZJih&ZcA4J60B;>NOO~)0i$DLLtyV8^_p#gc^#9*-
z{r~A}=l3m~CgBq%5^z~CWjW&n<va#i!7VFf&!}G)3@K*dSiWxNr~Acu%3W4YGqeI7
zIG0%n26cHBF;tl?VN*NFxS;8Hf|FgCWs%{{&IwUK*E7FqxbdH1$=&I4j~<>X2l|h}
M)78&qol`;+09)XBN&o-=

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeLinuxRunApplication.png b/docs/GettingStartedDocs/images/VSCodeLinuxRunApplication.png
new file mode 100644
index 0000000000000000000000000000000000000000..145269f5ae9e539801f37725982ef9fded9f3c16
GIT binary patch
literal 13777
zcmc(`XF!u((=Mv=AOZ@C^e%{iG(mb56p$i_D7{FN4$^y25RnohUFjW>5<)KlL?CoR
zXrV_4J%kzvEpUR*`+aBcefIbJ{7CNPE^Dn>Yi8CpbIl#~Qb+w31vAB!D_3r5Jb(7;
z%9U$C;_s3h*NNXc)MU?yhpS$%)K#uj46&{g|NLXG{6hK46$ps(%!-uwpZxuEW3MY$
zs5&k`SG(PR*j~9J@lNBJ@@sz!Y-VpMkJiC9$};au&JBy1j|zFnkCSg>kcW9cCO>d-
zN#Ab%Sxh2Fi;H@$mq&fa$8%$MlTxnXRnFbUoV&cT@BegOyuH|Ci5Kwdil%$9l_{s2
z<<%NaUF#<<V8C#v)HAypei8WlZq|FwPq$TW+$*>qqeeV@x;^qqm791_x#9RbFaEYC
zcff9prFKu@!t(ulL6O8uOKOYeOP^dKQWHOIve5%SePxOAi@#e%XQ5-kU~%-D;X1U{
zYp;M;VST5QR}q2b#{Bx*%&xGfO5N}N-qN9N#Y0Gk2w*p+gX4TB@`^?NAWO3(A0uk#
zvlOev=``{)QaAKulo}2=tR~S7+0dVpv6T^ICch^|v(3e8D*(+f`>mg~m((F(dED3G
zY_XrF`j%=XP)v8>DaXl6J{qOnDBVwaxBf^>53ddylgJwfujNLncpROrDqZXx*0(9p
z#=(Q;_kUyj+D_*p{aW`kBUcsija$K0H~%+jgs*m?T7vLYZRZDIhL1AeFun3AtMaQd
zksO3I^~lR18gon!M~c>MzuvhcP4QcuBLufo;nyO-3C=z!vyV{Ob9E0g<x4^B#`&4e
z{Jx|6W;baZL$cPv2zKZHFL_WjW<?jokx`@059{a7%RjJRoa5W5mCkoT9jBK)N1}))
zrlfZks6&r-@NE}_5ua8nf0=+c%6gxzaX#Q6^NC1FoK-AVE}~cg>lj(zdQcu|2wkMp
zpNX-+<-L5Q$r7y=+ujBa94}S58if=)H_LgVs2*>2EkZ174Y2Y!yZ2=HvtleHr2D-$
z;>(p_Gz;oRB-znOYOA+@ua*VPi5sd_p*D0s9d+~KF5h5>b4{%+V9P68Yw3e7U@vjh
z=mVY$9nNv~R?GmFiW|c^?|-BY{<8xLJ>zB_xB^Bz2mvV^PA&l5gVEyWa;Re+hmJO}
z?jhB-8Un`hLN<7T((;BEL`GECR(UI%I29dp&3+wrId)fLQz6bDrSEOYO3Jd=HfW^B
zk)0d_*Mweb<6e8;GnYbLeG{@jwKX%)2zi0KvR3BMI?qCLn1<Z2XXSNI(|HmBO0bWT
zG1)d3L&4XR?a&LBU(PkT)THB~=lj{WS>&kSW?N<F{n|T;kcd`WyH?ivB>GojrGwd!
zd+6y*C;p1-yit39FVE&W+Oemlq2b1b@VXpnKs28!ry^D8L8)bk|ItEZwWvQ=6cQXt
zz&yPZ6{Zg>8%&?a6}>FD3O$5ngyUPbLyQ;rNV!jNllsyn4xP)zBEF3`eLhA~>I=Uk
z{<!)9>F_i=nYb)<uf?5=uZUG<wR|b$yKVkR*K&SUg+k4|XQ7rhv^Gy~KF9`uZ$`a{
z;5sMFpw8)G$<b;|l$+mbArW6Y%_&M=&1ypG(V}V$K*pK7TCtJrlA!xi&y?IZixm$_
z9;snIBE{4(rON3`^)-$m_fP`N2$5FK)%NC|tI<NH-nq|DmPJCDEb?<yAd!ojCkN8B
zNv5>GrVrtQW&9CB)10RBA|F-Jo{A?3&^uM`X(%KtHBoD_zk8JL32HwJ|4$>I&P!IO
zOGPrSHVWBG%ntS^Y7A?ZZ60T5H~4UU{&Dv4z)SIIP(|Ue84GQc(&-eO%95~QNa7!2
z9D$ahP^&aS{18zx|6|1}Y<d<$X&|h1Yx-k~BPEHDKD?Si!uC%XQ9LSFuC{{y>9^Hu
z*Iw3#6W6UKKNPH*Ut@JwgWcalpld!3Nx0NG0uLvuf^zu5#rH~V0(a#qn&aZgHXQd<
zYM`2w=SQtGp&VQz;w@*)u+6p2zx47YfhfI3wD?t0WcE3(_@$8s;)XHb{lafwt;Z@N
z8c(8%vWjO&d*Xl7g_v*%u*hOmZe#QE*_>n4p!9QHl1y6faHFsZeYHQ!OK(UbrY{{!
zhdW@OrT)qI+W~wlzGWOxNA+iwUQfDj^qIWsv)nZxDIfhZ+6jC?Tk!U*&#+aDz;)Zg
z-CR2F(fK$SKxc&Eb{uq4<+eay>vA@)T#sS6n5KLU`lv0R-2U;OXY9jbq_}>gD>8XV
zb;Z4SNAtBW$RlN=vl#pphNcjT8cDtt=(QIV9mENW?N$bzx6lJ=NRFCl>tAi|nylWk
z)j&ijD%Ab6)E{c$VySU`NlW?Raim9r;jqR^E;Wav7RQhBD35R3$9*T)#Jn%)|8QOD
zt}&;B#;`^hVfb@t--gw28}PMqK4k#<t3)Y6)v{?nG#Q1nwp0i$$+uLlB81UCh%dhU
zd>@OQbrB9o)gWyCae6FZdNQ!@2GM=1V9<`ojLZ??XV-eTLGm<;ziX@FNHI774r;q8
zilhCs`jFYRoe!I;C%s6{P2ruR^wT0{98jcZnc{EmgiLMwAc<3caNflO^bPr*8m%Uv
zYr7V@Y+bka(d@8lXgZ_Rp)<%#@k*pDEQj!u7FgI2aA_JaqRz)%qYQ`)^~tyw3e3|3
z-^$#Sho)vnmX(v6igKW#d5D$u2^{?wi<vh>!*GQx-y>z*yV;dO>(pe<0Ax0w)qs31
z_B+(zT5?dp$wTX%bJ)ZR93T;yYY(;$f)P()T8J--M0??X!m{ExWqVzhF(^yynh0;|
z@QFWjh<iZ4DV5UM0yXueOMkli1tidRwk*=T7xz)srtvLpognKnw_~TtVvFxW!*rq=
z(5#X%9JIf~j4kXpo-WrOs7|fRG!#&LRx!~%%Cud0dl>8d0Z6Hd<vV=;Tnj-K7_CMq
z(6d3#Xd!;sOhu<lvG*9UiS)F~uUC7u$OH=R*iQOphH`P}R@YjD;n1N6^JyjwZ$sYn
z=~oHQtGZ>E1*~1W8N}e_t%rQLR`6sD+w>?=!WNoCsa#Gnj6t^u9c>=X=OKvG!}7iT
zE-b4!_E&$e*A8)`!0jYvpWP3hlH9rqu9Tst2kJ@(6MZZ-HJKAYl>_#+4B2*l9{y+}
z+hfc|ccF}^*8QZ>9^b-?6Pw=taz6et**De|mcpN-+kegEx&`;kzz|(~C|(#Z@uWSn
z!<50%A1H~-{n2qxC?X4rM5odMP3oYL@(O;KygS>wxEI#r(dn`AlNi=`{1*Y(HE0Ut
z$!bPTue=Z$;po_q)-UU3Y;s2BaU{f&2rd$2!Yoh~<ZpSuLIjybh?_$_X;P%{uY#lB
zqbf5ibhb?miHgC&z(qZ939`~ZB0WXG)#P)s;iw)1@M{UBiChXRi0Jv&2>#4U+mXd)
zJ=Gj%f5=J!hW92K*HzK%zd|ndvoB@|g$y;hx=vyGGC_zN?;(9WQ2`ClJl3u>o|%Sx
z6Tx0d6<ykpjD-YR-GoI4U#?GosL*Xe*475b4?>GBZGcyNgceoqU%~ODjgrQ7e9U_H
zqurO$ChH<y<+MR^-Sk$Bk-H=A$WcxPsE5I4^Ny98*hq`=gM+jutIRM*OXZ;;)aiUD
z!&>UDtpd?(bKX{QY%kWHV;%W_6;zI(cfqu_{y;9RXc^kKld1k-%11S(OpLtS5{xmA
zpVceV<G%X1v`2>SvSUYhw`<uM1ui|2B@^#<xqFX?zf9w&EKsrDBci8Ny0wbzw>;n5
z;hC|#I6;~RbpOip;P|7l@;GbvW<7O|dpYlbIs@?2ZO>#P{=2H0a_%rmuk-44uaS9Y
zZcaj;9?V(h7d<dALl|ev{#9ZJ9D9e8QniR3?31K&2g`Tz@=AS{c%K=R;rkhO{b0v)
zkM)mZKJCqu1LmA7&pe`wjs49@Y#z~r6^x6+R9=Si=98T~x(-%gD!4@ivpvAh<{o^U
z(DUB$E+X!{PBDB5DHky2(Be$y*!D?@7=v4_l`L&X+^AloYc@m2%k#+p2DIC3@>j=n
zuU<Z?p>jy|U(JzEQHb!8Ps#lke*23@@7r!yI^6#>`y3jR@wI%%GvRAX2NCmLqG@p}
z#Pdr~t&(<m$K|OPM&eoDQ(HFen!88SFHb!CAMb5!mp|L-h>T<p{6YRNIRDBrKxwga
zt$ywjniHR0y8hn}Pn9`9eYSTy&>)b!FMelj%n$Q^_b9w$&aW7qdX>q*?HTy=&rrUG
zC9HXyon0Q_(NH)|)3QCM*=_0Arzpqa+-YK+&>w&s3MYjG;@;yS-P8>AEsB>y7)c5-
z6Y{W7)%=$hmJ75%6~5<0BiFctUiUj)3|2MOKRgg%j%YQ4{1q|f{flUrWI6+oZ<?a&
zfpDz@^k!X@#NYATh8*gP&#Ses$jA3bXV>gJ&supy5wUoZ+rY9)Ho?!_F<Lot^fF^Z
zg0#g~(5a}klgz9A?gY7wTDEsj#p%s+Hkgx4(UJBFrFpB2&_s#rau}3VpeOP84iUKD
zR(Z}L$It9@=Qd@Yqf6;mMn^iIt&`jv5Y;HlSV1A?V(S`7-fGtsgd9Vk8v5>=mzt&q
z1qQa1tuG|mcL}e}n6e{$STF-+cQGazAKX*7pZ=%K<}-g;vy)fy84!no=?Ot*l2`ZF
zRWuNKljQ3sHi#bwkSd*r%=#BjN<5IOM#Zmw6%t#>kA`VW{wp#0>DhO+kaj<M8o*U?
zFBw(z&51rh0C)9^JKphOUbZG}`F~1!*>_!kG60n;HmH4lPVF*{s{c-8oqd}w^YX~H
z;Qd1jakZ8g@d;B8Iw2<Y-UKZ{=4$IYJU_P)FL6ZV_db2aPFW!sDT~&{y6u$cZtUiX
z0MsoDf9y|Cdljj0RhT{uGucc3M=o|g_sAof3q!&`R&*dok(IZ}gero*9BmcohD7>U
zhrC8OoL!ZBiL3hC|H&jm<oCd2jG6G!WHBW*zu-;%_OJcdtJwn;ZLQCkRr8Be_0Mkp
z(>VGqz;y;7W!#qUz`A3HKN1|5h{~j`BwxNJyqsiY8uZDcdE~f~%=usSIGI#N_)FX%
zRrf>qhwLsgQYf5!CaQAdM5V(fG4lMPyFVfgD~>djsrws)Ry!i3Lu@CHNP!CRYlFp(
zTiv6AjF%E);6xz$H%@JA`d@5|=2Bt5KKMH;M3uPvcNK}z?SBmD_K0nDo(I^nG4U)p
zUI6#zN%7-zpA;6m{lJWaAoc3D#1^&^^AnMyqfo?Ju%M|NvROg>@Vq3HZmq2G>+O)L
z?l$Wh7=Dr-9UnYscna3dqy^b-9}t$yU4N|6oS$vbDCkxTbUK#qm+bP|)XxO*uBdQF
zCd%3xT4GbPJI3?$u-R{-VXk38_tnkDDjg|sJ#H>8(~lo?7^GjMd9((%cE<ele}bp8
zTFte=YHurs81gf-q)s<=Dg^O2BL0-A<`1u9(D<UcpwtEiq1yekB6?u@R!g#HZtgzw
z>6-k2{lgfwg`PZ*dPz1b>h)C@NO!KMhDXQ8<(Zo8JW*tjTu8s792v6N!NqecPjn{e
zl%LsZG%(N%l;<(i(w*m_uF9Rnl);!GqX-!#mywZS|7P6g20!7tciSnJ<tRBu4aWn@
zRX@cYy%yn(&lw#9uMS;Jf+Px0gUGATZ07`(S#}vK&vDC1C0+Tm3<phehe{1z0xpZ|
z`C3OC^K*^Z!ylnShDk$44CgT(F$DoM)Ii6rC-gzQFs)v%pES-)`U8m&YQ^DQZ<}QB
z=x8xv84znWT22G<*47aDa{zKpAj$bg*0|{_e1m7srJ`rP<4BV#$cwFo*Zh7_p!TA>
zZvFo4L+ouOlzn6N2x~>R4c8<lBT*r!I^4zbMMT&HybO$|`{v2$MP|AcyZf>g(U_Fw
zm*q;5HTTZ)YI?pby+s@yHf&SbvON7z%fV14b*6Bc>b{Jivok?^;PH%n+mZ|&9y{lO
zwTkN@7mdOM?qd6sKf|BE=LJ^YKReW$Fzl;NkY5u!CUp91i&-}dF^{rlEoV16bXr?C
zkS{F>ir$X{kvoO6qnwM?!~2xeo@dOePd&)-fdo>0`X~LMibeF0fd)SH=({l6;SsqL
zI+vhudr=h3M&tSs^>g=;qDIK04bqUOrx|PQZlm<e1%M_WU2ys|Pn3va&F&4cWUyFh
zxTs<Ep~Wl-XYJJj=T!oEzU70qv?FqW@Qrik33X$a#G~c0MN$2FI8v@J&Bx;qC0_B?
zkcT0`V`}=CN&N9fgrZ1fq$r3=6;=isH$8S3sO_|rth2h6uDjZPB4{p$uWk;d*!}h%
zubxy$!1lZS>0`H%S$`cB8OU+k-Pn^ZYT%&j3F|CQvUd$CV{a^D<S;I^LVinE2)vHs
zl{Mu6I=|SBuU!?@ICG(5u+BQttB+_zGbe7NgE5IN<qz}x+U*St9JlE<@5ncA1bjxu
z-7->|bi$c2gQ5a53mj^Ebud{i4%$E+R)&lWw=Wtg4BzhaO-#`xLEPG&zTe`sOstTY
z{(RxeJoOC|cR(Y?jW=FFQ3dspo1|pA%8OiAb=uu=%|aRk^3N0jz=M#kRP2$;YJ4@~
zV76BJ0sG=;p71@zKmg8*nFRa-eJomGnljqAz=|raWlX^ht=a~dGD-o3mVZC9!fpUw
zVj7Q~x=qd1vQfS8XH4mRj$J+qd$Vjlx13i27VMa-B2)s{L9@`Wr@A0Yu&d4sk2hY)
zae<0BZ5#9yYDeSA>2wfvjgU{Xw;SyIH5ue|E2qslR6@-I+lj1gseHRVD0$TChaC=l
zU2=L8+<chj4390=ci2B;ovs{mNKCcoh1odix2DIab*oAEo#yE!Rme;|)&Wt2^`}(L
z)W_FlGgOAlsBCgR12ehM&==s|kd*ZiD^P0Aizyg8Zdr`tHG09lD!{ccwaRq^KV2rI
zj2~OIHe87j1dXt22Uk%vqO`D6)5=Pa-p%AVc?Zz0_x`l^O@w9t!beT{cbWhuz76bv
zNB2opX(K1?gw9aK&DyNA?9Rtg%RL2JI7b($lbcU;#M}#*Nr1peNJk$M(g&wWr!2`P
z5YXK=zhgQc236O%0UkKYd8LyTHT-PU><-Y`M4rbM1U5L^c0#`$;5HF;W7s|~xnu@d
z+{rt@;h`!`ez5BcdO4Amd1jJ{`UyPa<Noe%niY0qA@A^?zfP@B<?k$FYaKb>x|W6O
z@(XWu={|hKI~iat|89kK(jCF4^HYY2B9L67HXyzD!|LpHyL7c@cx|{rjtQaB{L=Os
zdM6XuTt-;(Z?mMD$mb1~DEXwPmAa%8g~w&+xnuQR4Ob{L{dB0_ohv3=LuIYYZ}>Wx
z%kAa3#xO|LOtFr;0$JTUZD6KyuO{TON7FGmX_VYuwWa3<7`lCl<n#@i(}l+a5KI!m
z1K@e#gjxX{`V4mSNP8IBxzpREtX9@NhDz?QNJ<#4OT*naK~La}k5(ft=Ih3>eS~<J
zT@_-g!>R(PH)2rFA2Szr)YMwL-z8a-J~>`;S|+#38YHg4>Ya{wQ@`MIcD$y%#d%>p
zOmgy%xo&LtKnBUF0CTv0GS?g4Zs4PSpxT;GWra^ejMxO$?+35uPp#pnJWp=~3Is6w
z#()-$^0jtMm#?tj*w+qwx63%}JK^f4AEW-xD`8esgsxPB1N;IGIlob5Zz^VaKLEL~
z?KmWQUgA1CR2$K0k3KcAFvO>RUHzvLa<gd)&oc$|A2@PG9@Kfg;z;RM-Dvy+)&1gp
zysJl?mN)B66NuH%TOgUlHKyRTBPWtF_=wqaY;*vGb0Q3bx0vE_3KH4Y+GIsP#;@*@
zgOle20b{jE>LleYa`7iu#_;btDqQBog`>&@SM!9cFVH53Ef%JU8%%aQia$47rmmy#
z9<x8-Hq_CwN8U$e_S<i8WKr6=Y4#pEN2EEA+}Bv5yJOb*Hyn4reazs~ztFbnd5rKI
z(_gG_Ct{)d*Tpk32J5LfZhS5gtq5<DT8mAl%ma$vj*|EIF(PvROP2dYJt68sB_S>(
zTpQlD9=yBoV`fZIY+ZskvPZ)<hK;=TXlZOQe#3=2f43!iydWL<&P8K_4Yp|S*;!Fp
zF~pYc2SYKs6NFlOr%h`-q4dsk49{(f31YSUV$BlYH_ZUd{j;CNvr62Zb{)#i$D4hM
z1e0AC^(|Q@5A58yBO{R|Z7@_#)<m?Yy{T=cO4fAiV{3HAa>j&nWpP%=uTE}^$fSG^
z%s<oq&CejP9^VHKc>l?MlT(FB#}N2fXjhLeogsd2-et1T^YLLRG#T>K(&d{^GL#i@
z?m3}@z~7ztRA%glQ5u|GJym2fj17n)?tOOKQJ^z`Yqd(h@XFM$hKe<MbOl!K9{bQd
zH1y&^xAAKq`^2X#8#kAeU0mT;SK7seF46mrR@{k_%Pk&mzEya7ukV4DZ?f-z`e%Y}
zWmp#vyy)%q*({^WDtNIsGfHP9p78OgEkQi)3rdIDf(RB@Sn*4npJ}2!&WpEciP1^1
zdPcH3$}~}4@*QFlCjWr!5+mBmC7dRyzGU%n58&u3I<KkZM7kJ={|gXHDgVNAsW|r#
zjOma*kIHl4DSo>dON?v&Mrl%vijMysul*mGGI1~(whvg=IjeZGE#QS~8U%m#XniSx
z2wG<dO9L1412BPP!!{R|uKBG~7F}VMMbj$<@}|G}QR+^I-C2t!^Bm}@$|vx|O^Q%u
zt5WdV+L1FAO9*h%vGEa%@6Rl0uS^pdtR!;)(0IOBJ7kDZC3wp88V=SjPK?OeH2W8w
z0@$+4Rl4jEcrBcKm+*FTvTnYK_)k`gLI**PjpFNp+9Q2ejV&w@6u6P65S!{`NgoxB
zIG5IZDoh$2)*3(HzF?gMC_GJiv>}GsY4;W1bb7V-{b348fPCW9z?_;x$5eMRURoMo
z>P&N_#ZMVYn9Ij3-YL36n8C4y05c2ea$i{@<(D_hg0ths37#8-gznOX7#$P5mf<Y@
ziTNp4YWDQhay`v=3(S$rEhk^nY{8Lz+UC4A5Rvzh;Afuk=CQZ)V)fxOkYd?nmxQy$
zmdt=^%eR!X?@1p8wZt4Si`4D-xl)o2*H~04v%Om&l)2Ad$p?OA@s1B~XaAI{(NRJF
zCY#A+AxH9+zkBcxnTPO{w?6CFkJDE6rhKrSGaSY56U-$K?F*~gzS^jF9ZOI2M!?K(
z9}XI{n!`%)TI^ugt*(j&p}nBAL}fsi@DX+r+KVShDmo`-Cl`A}o3G59ek9NW>*K%e
z@@ps9PVuD5KDu8xP<r3egYdowv`+%41j*70q+=&q5T73vrQFu}{dVX_|K1C!9u~rP
z_qD65Bcsks7-c1y`_^ICm8d-3+0fM=8Aq#h!>F{R>^drBZ)F>6&+gB9Sj&38&T?#%
zlVK&4oS2@-`3Gv4#;V^JdTZ_GkFnkgUr^G9gbo`X=2~!1r56V81UpWUW^Mhn#F*Dp
zw!#7fZ!Nng+E>LX2Gy83Gn_m!z!)AlPH^0j(PzOmNuBXNUh1tZ%BW9<9!_hHg<OBt
zQtGE{g-V6%qZ2h&Yd&an!!a53Any!UT`xxelc0TdHV~8{AH3mwEy{EPSyJDfB$a;?
z1OBsZHMlma2`%++9NC%r5NGp~WhIW9^z$K^pW9%Nok>SVbr$NneD<`DS2Lt_18;3w
zNm&&yCkwJ~&KvS_>y>?&rBQLyVXjy~3gdTiLCF58t6Kk<0cfNh`$(-$vil1IAFvtl
z{!79e`K0MR^M`v6%BViGH`8MzXl#ShHG3(yi=S0S?m(mVCb@KO%}{nq^eaZC+kD?_
zGCw||v9hp<GZ%pQAL<RaadM~6*v2Y5>PR;vgR2N*Pwn9R&96|C9S_GJ4@C?>*!FP%
z$m#EC(GfJ*1>~=&=X@|J0h024IHjla)9axC$6c?PqmqTuvM;+snK_26a@!nq$W7KN
z=kX}tu@K4rXnR1B-#z#P`DO~mI~VN}v!4SpM;ArW6*eIo8<tKW#WWvLU#_euc2ZRG
z1S|RBBw@7F?@np+y&jemHl@SGjm&Zulx~2*93E}fBOat0%<gGrQeC4&;W2D<A?ev*
zXE-nw07%O>@y$rx$mr{XJugej2E4xj%oU@j(*g3CjO9su!0Z)U4RLgNcI_KUb*)w{
z_`80Z=XXgI$;5eIEZG(G7EW`z&r0WpR@qGOmdQOxT}}6dibOV<pR-cK?c*D!!d#@X
z(8?dqHKFpB29R{g_TFq4C7+ky64!qc*4GP9RvR_dN3&Nz^$gIu3~x}UOl@_JQ)=})
zF+h!+BIMB_Naj`by|teqt|4ii?e$8d96uVX%h!$5Hm5pQB;RB&)b?^1cK@DITv#8A
zw?{l!E-ks}^yi~NB~Md$1%=#!MF|@V(*_$F>F-QzjnD9&;M!YatcHGovN$ZL&)H6j
z8|><8cJ}A@+g-FW^yA{wOlJjPWLfh>%7TMWLA1M1C)lF8KgvqXa5FA@!{{_IgQn&d
zjmR<vet|m8XXT}G+Nx6;{gFHr_9vEOM`}K{9x#z2Emz2cD&%tKitWXc+t#iA`rH)=
z^e4YN{rSGeG_Qhn!gC0pmzYwY{~4vRPL<n>xe9NWTX1`s9=+P{2|!*&GhX<{$(WRn
zY~3eroBN}0R-5bNHnLYA9{*HYI`}4+X5*rP|KbiBTKH)`bY=_fJAS72ORo7<z?8*^
z?O|Zu(Q1B{9M}r>Q?$~tH_LS;EP6rgf-gZj)>e_J(%B|6_f|w7sf$YJH!o{>+WCgE
z!O=E{>d^|<!A;>F4`fE~qU3OKJt&32;;DLJX$la@h*^Kx6%)XTZ--hqqe>gITHDDU
zgevDnwyCLoEyUqAHHdRm3c;&o=CuX@8d{Mj(va-XA_T;6aPC|qpD{sZ48>aBxjzA)
zW+fw!xy$l;>BT3}MunWsYNlA@GUW5h-Uk9_uHF-MtC*?I_@f`blMcwKw9n=(4T@gF
z5P{=?7_4<>6(P68eZ$-3BTtYD$mgtlW~K3gF6?}M)*X1Y<U#>e?E0peHTwaYmjyz-
zDGL#bigYZUPU><~4t{eA{j8vMFn<6qpcyn<>ys%3wfA@Rq9P;*m?mIw!$`}4W~sH0
z=Q)_D-IxC8s=9>p3U^OS+klh-fukW){rE1|9IfqZzQXhQZ=+l#Ezv=^V$mPyW7&k$
zx9luP&DC`xa6a};L!rYhlp;Jdbu+;#BL>x_+tA;WkA}+bPHUg@xW>I8CUSQz_!Fdc
z69j!YcM>d#HYF=qkxuGfKvWhvglACG3e~TQznb#+*eYSYE1#AFYoGk`VSL_ztg;B4
zm%Dw13RNJ!Ns+X#wG;C0k?5_H4Vhe21)Fh}J%TFK{reds(wrtnCM&?Q$T^|f0DQco
zx%yKcvH#Q}8U3~54exIIlK~M4<kI^&;X<&KML#p4ynEX0hS&IMT3fz+qG8mTSv`3z
z*{a0t{IPDmY_d_2>4R5zV+D14&k&l~Z^(VY0jAB?Ad#UC5l)Mn&o4ACr|Xrm9vnCO
zvr}MSHA4yb!c(%(10RE_{x0Y?VldvU{jIe7x`I8b;e5ik_Q$kMND8bA`C`7bam#`!
z#B7S8rIE(9$3_k=Av0@Z=&@Z`Rd#_k!e0F7$Ib87pJUfKbtl;EqRwss?!1FNc=^(0
zW0Wds(E1zexBlyr(hxQ=(Rtk-!AA<xR1CJ&1p`rfmhk#g-L^2eHy6|K)Ms|;urF1*
zu99*Ur!N`5v}#C2Jy;3fM#|o5et?>+HC3$Mb%2W;qkqWvPas<nAy4Hz#iD#}4G4AL
z8<pty%THyNg9BU1&nx#6<w?9yG)g>VGtUP^<I|^&>b2G}Kx$bzNxpy+`RV{OMP6<b
z_t=gjjnuw?eEbUZ^Ia5YenvLWh9Zfi`Z%+3Mthkdvp_DFT-3p2YA0{)_L2XR<j1Yk
zLV9pon_A8MdduXV@q&E%*~D<O@(LWWiV%5+y~o>8?{X6y<SE=={b`Ks7fj?JhP`y9
zDTvg@vu!Zscv@9u7Hc$MSXIp`Jo5$>q(_V`dE96B8()m1!W0R8Y~}bzRA_ZnCd2{C
zJeFAd0llM0f1k6_fHm3P-deY*KyZe`kg&OKM<)kTtnPW`rfE^p4cP8dwO^(~*^F;H
zzOHnbt#P<7l}w;_GEAx@JI%7befm1=c9rChhy>lG3dVGL;AlQlV5#!iHZc($peQ2z
zYOz3`n|}qZL$53}*6pUV6>-tS7h1G)_m0ZOB&ZgA7+x?K{crV;r_Uv0(d&P4iUOb8
zYu~sB;$RP0x`T&KhFun=ROr~6ZlT(?>r9RQMbfixj|%=rszXwMx!<y}8phxohtk{%
zP6k=jACI#P;U8K|80Ox$^jauu?x|q&aFTC&-s)+0VM*?3*Oo4NtjQ1H;J^3D%<qzS
z;9B^XchKX1m14d*pSr}3?`kafY2KW^R}9P79*CF=;azcRtbH0Mv_;GdoAFm@ASOSn
zqFbd+5e>*|pD&ZdUj>E$(Xg2Ye;B9<clYT*cSqu`O+1sZ*>^u}54-cgXX`d~UbMid
zE%gf1DoSki=6s&~#y6$H(xYHbCXro=h)!u3;$qC7mVCcOrrNdI{Z$)n$o22|t<T4~
z=AN~Cwm}aRk297jVA<gy+==7OS4<VChe`W46+g0@v>uq_(v?CBjKtF#`z)1t(QRcy
zy%FLD#4w}Io>!Gyn6%M*QS~t}nd?4Nwk4<M?uH~03N>sdm5pazXJUa$>d*S8u8p-0
z3kwK9MJDZb(FMV7F;zPj$M2igx<x0txr<>PG_Fb4o{Ap33BR>9U*jaa$p%UelJZUy
z<ON6igbEFR#tarVSnmC9eIfzx<h718ciwbg4r#Ab-!|jBV4TvixG!UM>N<Z%<;GNo
zIT2%+xikol*|okye5<V$KAc#VxtHn@R~A{jU##IgxlBi=mz||Tf>8}{8d_rT+6CR0
z{nT$hvj7fpl8>g1i4lD;ovQC95nSZ?egXk9jOS@A>|XRqxajx1b5i8%*s?!)zbd9x
z+#A-rkqKi7928rTPdWy$U-ljsa;}}<RFH@)+$AZG88cOKHuZ!UMlodgt#{QO$%;Hg
zR`&11!zdZfVS(Wy!dvF7!kj@5&4Oj3sEnb(IzaV!>s<YP<qrG4B4c$W>KMUZAqB}v
z^pd8baNV9DK5Bvoy7k2lQ8(;1F%gI{Yj++eQ{vrMYx4YdTcyW%aywD2@d>W$6=U|G
zhji_8$6np2RF9@Cw|)@}O+Pj)w9ExuekJ(P(dk6xRu@(o9u&S^Oxa?G+)<24g_rE|
zg&oYvNMuU|7rCVQ;Pxwf5@tti<Ou7debvymRy;*Ro$AH9|4O6$>21Jxp#QNlk-+mL
z5;s4DouRtXAN+gE_n*0CJT{N^m>cQ#5IW{B`sz6y2K{Z4X0xf1-nywT#}ccGo(s~e
zH^qNm^vL;9FEk=c3DigHb#6S?6Uq6hs4qDfI0JRH+B1polIH)tD32+%sPg9#kA}_H
z3aFy*%f&JUyLd94LmL!gYh~^(HgvWT^>An~?$VW8lr5-apFFY<zRS;bYh|RG@GsK?
z4Q+qN5R_c=M6kAt(tKUgJfnCz`NYL|L833E_V+TDmOjzN3t|`pJ6P0P>dCu98&ao<
zkbZRHStn9w-<V8i)rfNPH8KfE>5}aAYCbG8d{93f>d}zi%gz|n>kW>*f39hFm$>#>
zY_veb@G~)<%K*Gl=3hGKlHhR@yYy(?+Fc+Kyn3G0zf9=tOQLfj+B<RG#v}gMg2hYz
z=l{yO{wIo0rvom7XJr;eoNZ%6Ykwa<<Y;l*58}#HimXF|XN_%<$;uZ8cX)Z1bP=RF
z1Pmv(?RKL6P_<V634{OhTgNdH{hn{(V|d*?hQNvuWTen6UYce9vFORlNoU&Eeyh<u
zgos<^cetTA#qt524uVhc+;e*=2cxu;GGd2J&X2#FEPYVzfoO;xqFNPZ)*TCi9|ve6
z{OOy2XTK0{J)BM(!^1a1f8->EJ6L*U4w>O>?&5`sGV7qzXo0RxRL6a}-ew5@GrO7o
zERkjOlrzHr+G-yeJuvmR@n%yWk(J{n-d({)BzD}<PZ+a%*0mlr(~gqpWzqlhknA-v
ze*FX7Cppip@kQJS7$ytsou2ym&U+sxGL?L!YRNf&HM_Qpq^`~_(;L99G`@Nw4)jn%
z)I)9y_Decb<1Dxi<ilr`vvZKr@2X@hA16!~@Bbn=w01Tqx$zTRpc_>{_=C2?b#tyk
zrHI4K!&GePwanbe3BA>hGmfw+-}3sb)EWJmbaUSq=#yXx$n<>Yx4mg)DLAqlmS4${
z=;KsXeB4*JG*F4w4od0BvfNO-_X!6{%)7&4P8IHdMcbxZ3-Vf=qAUD;r@0cVil)Kt
zOQ(MLkDhD0ufF?GY}aNkR5@^X@-z#-Hhm~}V#=UZ;tIPMI+FDWE*kAA51QuXnF7S}
zQncPm4MtF1gtVF8QKHUctNWvATkomWr3eKt>8SMFwX5eBGpPy*q6NykA*S)wpvBWy
z^97xg>x6|ai*0a?<<7p~i9?oi$c;W<)x6ll^A|l7&t~3vP4-rov_R`P_U|s{di`?}
zR|V0@Kz(If!T3+_a+{yF(y|=6S;^nH$8^am%M^Ir;34x>1f(UheR@29Vr+`B2KT_f
zQK>|<Kx?74u0b+M{HJfMHZ_rwk^HbUO3x^)RoQpT4kQY+`-z2jK-5*%uSz~zaY$rV
zwpGM4<kXAOtDK$EyL1awxA_)SihQoOt*CjtzM}C?i@aN@cXl$nvo|@j`<AV!Z}4#K
zcFHxjg8)&{in$i4kmi5fhloi}WVq!s%bri5w5ssXQU9j%15b#YWKUF;?u~mPoBQ_6
z2OksI%rePZ+KH}tpQ<oE<t#Q@@N2IYtOM4XmmB<qUYI=x`P&(b8tEE$l*5(8`7EuT
zAVn0A^|?aHEPN~R`u^U3R+TH<L)`-Egon$Ulum3TzX8wtto6p4sg;x{0Rt}l3rD<5
z$!k*>B_;Sq(BoHCnENy=8Ff1*%XP!?AZ9qexa;Wz%NaoA{Kr4R)Eo<_qRn~MeV9-8
zbs4=w@_Pj!f}&&6(+6@5vebd$#L&+`25PeRn3>G#fd~^SXgwLL8Jw~%)*s2<d$twx
zyLh8GN8Kqko8dqUe&E`HYBVP(P8=OBpB%2zub3!6>#mIxAg_HlF>`knj&|7y4toR6
z`ySS*N4ZjU(}s_YW7#;8Hf6~t--eXWR2il2U}>PNiVEx<f%V-SF(2EmAMf0;9!{D|
zx0!D!w|;tqe6!L)Jk`YWE3E(5sqwvS&M|*Xaip=Clw6Jae?|$9r6wdFhuJesznfaD
zeoenbWKf;gs-2%Hv4*T&m!n|tUDJn9LJlT=S_ZbdtIKJLiaC>UB;(5dPAoe^A~HHB
zrs;JDvw7;l6NBdkO@fJRA(N$k)LjQv^2Sv<W1~Zv2XzFVSC-_)v6;cnU3@sC=Onib
z1}f=nPmU74S4~}Z8$|YWfw9|Wt82l!r)8&=XJ!{1BPX0pN7y=Y7|X@V5fi3t1g?RB
z;D%>QVW1F35wb-iz8{Sr*Pjg7kpwk%`u24CU+j2NPcx(MC08i)4=u@%<*|PFUFO#z
zTz%M;xo3r$N$Rf`EwOerOf8M$ncm)jGRE{I9q(12e{pEu3m%p!Ud?A~!cC1Q+OP9q
zSAwi96#-lOUc-fY;$c-T-NGUq4+HB(oo!{5@OI}9UxBJ|3^p@~_P`e7T4&CcX%$P-
zmH}B~Q#*G9tf%!Y17LTV{eX;J=!-fG>ibG7(wF-1ZE(?P1EB52r`w>vd(S2p5kJxZ
z^S)k!fwzds%bJ11YnS^?<IT$?GwAk1CCVBpnigYmnkte@0Ni6&Y5bo8p9<msx#r-1
ztEm6GK@qEU1Vfi~&KU$#9-k-wvsxNV%p-3{d7q25F9Vi`G<_FD9<c68sIOaEKPPa7
zsE1&q&V0T^oSWgB#o#-&Ld}&J#=d|$7Uoci%PsJDs>T5qlfF+6R0#-CUA8s}gcOr9
zNW);so3cd?H(U8I19^ztcgX0*TE%4f(zO<TXH5KAZ;L*hgD4!6Sz;b!u#gtGK~uMl
zTy#-I$LsRKd$(d>%+12g0%qNLqCIKwj6W9&lf+^sIeR5lv@7cp`r^z7l0YZo7|%p~
z=3%kCC{&Rx?{Q_7pIES%+Pi<ETPg6Jnx6i{_w&1G{gNjZn>OsYj}}#R!UNtxy7D;2
zU1N<p+OW~H0e2Jpb6v#RskD%6zwffMnl_ao*6Hh!cDF4qa!ywhkiZ+&HXZ1v7iB*X
zz%v6YZIUvD2;V*1oNVe@C03S^Olc4+hd=o<Y1?>sypC2=7Pgox@<2-Ivbro3Iri3n
z+SPQIQ%W>6I^}ErZC7e*rzn_D$?$@`S(BA$dt~i!GRvaj1UB#NV7t8^JFUepcWnN^
z@mOYuWrIk#nG4m-B<NJ2FAl7b9>PNQFi?uTDQVHs2N6iMU2d)h3M_M;Z0N!R;)oCi
zvAKs{UmB6O`4=}w2Wv4ZnLT@4GOKN2g<bZQ=^6;j)4PE&SoMbGzD>=hE_(lH%+995
zSbZk*_?O6u*&{zQzloW8RK4?C4YxNilSlPT7kcyN&2e0#%0@X_nq&FQTIrS#)ec&w
zzW5|hDH%PD?#d$&*Z;xc@nhh4|9o4SX=H0XfMBg@99UwT%C-42(0-4?S)?BGkO4?y
zb#^DhS4>xLAfHr~+cvT>d=M{uJtthh;U<w<?GCrd4tU!#uyWPe&?ukl@!uXP&h!t#
z%~{cUKJG*ker`ON&U#kVqF)3CB<frzAX~gI!qYrjO~1hQ-(I2_fYF><gXMh{ox<-m
z5qzYJoFuX+W{Pf8BlxZ^q9Pj5qPV}dn?DICr5V*Gv-&8^?{o3_AXd1kyh#c)!GCS4
zq+HAMBN6fm|4q!W{b|@KqU2)Vnulx9iL~5tC*T&NF)3NFnkCaJEm25*DAs0EQ@HDW
zJJt3e=^WRnQU^>ZVcoRhPycbwPOw3e!irk2q19%Y`%e5&^}|X!j%})&`?+LU(t*y&
zSh0ZewS(_kJ9_MqOf7D>_+rbVj%UW(^vdsg<3vU58`ov6+&n_Xt>?Iow98%hVsEQ_
zf&UAXUwXE8E5@d3y^4O`;r)H7s=X{Si~2j`wk7+r);O=lw?OkCNP2CDJ1AXC^t;lq
zYw8w<?P8cksROIXY|>QSfUd^Xv0=Hy%#$)<mL<TbOtDRv@6sDfQSm;y&{$H?_BK<C
zFDC?yv}dygJU*YO>W1jm8)OxFaY=$O4%y+Iy!jk+ip@$@Eyf_9#Lgnp)(6D5a0aNN
zVWrBx5TYX9`!vgGB<}m4B0;I|FJfTp=$r_SWQzw;^Z&Xj&!<Ee^e@9@$nf7qQp6zn
z;?&^3il(F(|NDYc)&ruR{jFa7KiIJUy7~XDu=@XcyZ>7e<o|!otP3z_zdz!b=5*zn
VFq9M|zJ_&0LsjQlh05Eo{|8HV%vJyZ

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeLinuxStopAfterEnclaveCreation.png b/docs/GettingStartedDocs/images/VSCodeLinuxStopAfterEnclaveCreation.png
new file mode 100644
index 0000000000000000000000000000000000000000..db2bd2cdf06e8b5515bfa23fe8e67a9a2d380e82
GIT binary patch
literal 102312
zcmagGXH=8j7A*|Yq@$pSNK+{)ML|Jo1fr;jfDNUEB1Iuo=_a9r4J<SZ-GWLl0Sp8X
zAqq%9DItZR7^9?76CfnH5AS);x%d0^J!3E!$#`~Kd+)X9nse>kaXIfGE45onNJvQb
z%xUliAt6y$At4dlt>VBpdcj(az(3*W3l4TdwZnV<0v|+!Y@KX{gc@?CH+;o_&yo?R
zuSE+9$@Omj31h;mt_ukXUY!BkUW)go^CXM*oP_JbXZ@X7>o0msM8rpG3fxI^VP|S4
zVA91~Z)v`b*(a%W!cH@txpPZoZ-h*toLq{~k&$P<ZGrtJGKW8#qy=FXhik3bwGb9_
zHjYDz!-OOW*z2o2n(DZ#n##&xb@jXIfw@{E>{7xz<Gselhu&LUUeGqCRpjKzY3=>@
zAyGksgtd>#XiXW{?0=uVnqc8fJ@CKJHXBYm_6YdDB@T*eNge**r@Ql(T}zh#x2V*a
z{a_W#=#<+xNX5pXm`dZYfpaag+y3*oLfC{Z9zo~y0dug53H4z6A2#P#MKSgINPCyD
zI62A=A86!CQ2h7pm6HJ(dIoOQpT+g+X*A<{Zr$}6Rh6fhAGrb-udIK&T4i+59DJjs
z>y#mWsn+ur!Ey=%)Hg#z>?o@#e92^niC~?JE%KAR4>3DA(?lBv3FT(9IwP|5r`2(=
z|A8tc4#A02B<XUj-v+F9ba0udsPW5gZ&xnu>7X8e?e1lL_9v^XVED#yhZ)b5=*%n5
zn?`{VetmgD$pUTo>c4lZyTUy^7>%{oJ>*t<i8gchQ0>D)2>jY>r{}LHln)t$RoWxc
zJeNl_1|9~O4aUFeh+Jri8fCVM7@`sjWme}PD~SeA6~xj!WnxKYPO2MMLb_9YK9Q79
zT)XN4Ev1J@dDJQKBkg=H26sOJXQxiOg``pIg(2EGNssHh;>kqpl@{?)Jk_0RDSh!?
zsfZx_<GAvc(*4*QzSO;;`-U5QvcDmIM7zGHemdJrRiS44*-SDmUR9ThZdjw&em|dE
zGpC1>tTiegAmF#KBFrucW}GDBb_&cqi5*%tq|Djaw(_Ck(od5;v3m>{yV@~FhZDv#
zVixd`GQ=p3Nha?AlB^d-b}#0__TQPM!Qlf523IGU%Iq#2))CjBQxTfIn5MCDq9(eN
zzfL=*ToF3ecoNO&WPMqr3@*+69(w9OtQ<#-bny0iyVpJsOI)t@T<#W|jYC>%`Rjar
zST5cA`6OyO?_OBKp*IV6>9%_!*a(SLUjAO@7dhS8D#ZNb3x71OxLx(&%0ssc^imjD
zp2XkJkM@b>s_-AtbG6Rm7W!!V6lwQkK4csI>TI`-KL~Prq3<2Nj(x3<dlz<hX|1Xc
zn<8CTUY8+srsVs_;gh&iFE}+u>Y%$4rT1R)4Wzg)#t+^uSqMLQq%<V1_`-y<-B?$E
zFH0Ezf&6NupGQC}e$jPO6@;q|uG*wf@oQUFGVJo&D!kqD_Jew_lw%vMz2kF`t9x*i
zHtOY4q_?)<^+%hocs0FNjM89yXT0|?KQGZ!pRSv#)+*0gQc?DHei13=YCSioC8c>f
zLBQis=HAy0=YK7+_Lxqj8JNe?ua-gE0ei6}6)E4%N*>>1az$nfb4v>E#lCoQ581g_
znY5a@F-U{t9l1#Tjfe0D1acAFgO|s?4D+@pJ8(Ybuy+aVeH$xqKHFZw7jDpvM>%a&
z`V;&R^L@YOfApr@BJ;9ZFGccgyWuz}-anHUW3Ln^;PsdwQ(!Hyj^%HTDFI3MNgUC6
zA~KTOOz1z-$hwG&G{_Jn2*r^%66uA41ly<F3^`V3P1E2RdXx1|=E6i9cPlf}&<z)|
zkgHh0V3VS(9A^AMiu|MpQAxzmq|onPNZwDAAFW2p>^`+!Z4^E?C#vIo2L~sgH_O^d
zn>~i-ed4E~Lb-jk23D?hCi~b2Oh2*(=99!;`mMo@0(W-Bg0$%IZ5XT#hI^f3`Ih%`
zt~ZGaj~(2`Hh+J4)k-<3HgfVn0B`?H_z17{%MP}B8(EP^g`=uCBOr*-dKE^YkHTt=
zeerX|8=>v}d<T2&!Mdk%wCC+t>dNnlD>YSEkZUK6rX>|hKsuqhB-S%cF<~kGGz-PD
zX@QzcO)I{FZHTVXSDXh=ayD%1Jjjo*UJ3V_<IZhu?%bdV)Mh5~56)fBQf#*_|2bNM
zi~JcU@#^^BS&ei*f$u~*Pb3xHAj{2FV+*G#5O#9?B(&g!{WB}5H1)1wW)=#{Iljhy
z$*8lQ(Bm!^c7>LpSSeli(I3VAk}a0+@flGUFrP>}3l@SQhYCpkKPP=P>LI61NLY38
z2Vs`grJwkC#*gE{D>E7z0^UL8^#)8YMcn}bB5`(ONfAO&Mw0wh`CKG~gKKAH)I@{K
z&O|`640@v(Fbu8NX3bWC{e`KE|L`M)o7iwaDk*e68_A@#5Nx^M-#9;y;+A}%wPRlG
z!67G<k-n|UF;>LcEb4JnBnZ*<HoS+M9j$891=kEDho}}zVe4U7QdIpQlbkc*b^t-X
zszLQvz3#^~Bi*_<4d)`vu3`m*R+mgT@x%!FR0QM+&!e6;GYVt2wqk^6ZGxP#2Mp=K
zt(u`~Yyw$*VBy)wa7h}y;e>Tr4M`^_m%DC&0FAt1+xVzZ@MM#Lji}`yd!-IjD1phx
z$MPei2vZzfO>ZozY}(oer?cLSWzeE>W!t!!)Iais6XeL;%6<e1A9=SIk-LFaMy5d5
z>IMtiX&(mRNvJxwz_8g?ZK5TB&&?FPS4BGMS3<a)I}W$c(<2+|#IU34yeTxaeURlb
z%PJ*I)YyZ<AWU{kmt@5S&HJmr&AL<^4KlXzw7|l*K_?zAuGAsC)ZweXEl%xHnR>I9
zI-kRh+Pw_%TvXI(L+P)L;olBl&+TYsP>gsiq1M_<{4W}GkWhTH?sY4C6vrIQvv<|!
zfMwX}_o5gYdr%t3&k&5F*vHDJkxr>3GmeI^)d!J%-3!94!(;?UL%%zk({hcOG-H_6
zd1|ck9KoooE@}$;qg}9GuQtZT3Uf1&@y*=ym3bmuvVJhwfAY`{_E$2R+b1%}x4B8n
z-&bvvq#xE!Dd^yQ_marPIe1Xf0;D|WYI$eP5=g?G8&!_ra)JgcrsHacNm#o<=E6Mp
z8@tbrP`@&e;?F2)_4Fn5@~38hFq@EqKN?U5S$Rb*9?M7&r&D*i<Tx}((}-O#x2x@_
zT8OgpMBfPv+`E^piX|;c;0ZCegVSv2HmFj6K?@E}<ddku;T#D@gAto0$}3Z+teSxd
zZp{m=L4^xM7J>hqUK@l(g@Ja?5mWa0lt#$a*G)n18IMiz#OYZ{%z8R|!#}W{s~YoS
zo(Rk3`TI!p#|r4^a@i6T1FA|Wgl^UYBVA=rwhX$~lleiagosuTnK&;&{7-XWS#{f>
zSan_1ExqX37(C}=7B7MfiD*@8ak7fb1tC*7BtybvDpIc%7L55`;J`Sves|roop8c~
zdu<EdggrU2hAF60+PZJ2q35pW6AruA9kY!?CiJ6+PdxM!pr7nit2p;!f2mh=t7kLg
za{C{=GNmxWD9=*hHQa?0c-<&YJXy;NFyaTCD68APrh7yA{4I9+eTSr<O}g+xYu^vF
z!o76S_xY#*9MZa+fbeu-A)TexTk4bvy&!e|LN~m8nD3tvvtgPX#fe#U2_uWdnbTqR
zYHb8IjmV~S!)K5CL+T+{kukU&m{UBnD=cY)9)gL!y%wWELc|aLV7~Fl@xR`6G#I1v
z7gmqy4QNfdW{y)99B;==l0ivBq{(e>&L29Y?48BqHU+q{Ea!-`DJw*5NO=G!J{Z<s
zhb89%t703Q@2ARS6L~_Md#|nG%xHrAz~goO3o$>UQ?OZGGVCVbDXjE#_-)gT^?K~J
ztL@TII(4|jjhHAf3FL@jT{A73dm3S~@OG@g<5uBlE4NkX&m?rV6=O=`ll*T?_U#Ka
zFO%VBAe`$<k<+y_4is_-=by6F*i}L*@IqGPh^_Y{=?yI-MraUjlERX}P0kdo(fJjK
z>TqsTeHS|(7mH71B1r+&xzUfg9~xL!V<Arnr6ipJMiegcQzcKPjhk%B>?SR8#_f^_
zxv?Eup&C7gl@A1*EcR9T7<?lN+HK4x!23f%yF(|{rK^KV9iSI2`OHm^vEffaHf=!H
zM$}>L0ltI?u3d4Grx4~7Bde-pIZHvz>=Ccu4DB0OIWw7fm=N^$+pC*|C~&4;sryp0
z=dE7VewJr6xc~e!9gzYifCg40yXO;V=eUF3tAj#aT^GQ`$0Jjlbx&F06)j6px<mVa
zq=&T57IFo8AGqnfRuTDTTaRjgg3ed<v?|1Y*FXulZ=H1WWMDfh1+|C0+cnoXj({9y
zHWAQ!VpU@WB>!XvZc??yt2!;_2#LUK^*VnO(&Fzs$bh4`A-;%>#tRuM8OEWObF2|y
z|B%>BS_B~rCO5w)AdDMz1LlY5owgUmbGg@or>xc8A-=3b1-%o89B^D(I2H&uFwT|*
zXW%>Eewau9;4KyQ2&`61w^_A{80!O-Y^<D3!Kw`(V3W04odp}|4ra?p*ebE>B*Hwj
zlw=A|;v7%4E<mc4%#!6$kXSW32wzc*R6{`M4fQ6Xq?M1;X;snjmx>9cT^cTbcBPRZ
zp%`>v>$JLVYca9}1&vdo&Av$Y_nquJV%zQ|-U>oF5loqp%@uPzn1MK3mK)5C<B&-~
z-KKPMsh51+C_`efDlYc{!y$>ZyS12Pl;;5bZasn25LnwoW;7197E9BDDaldGl!7Vf
zDsK(bk5=D1$JLU8_pcVmO&<}yYheE{6|wJ1_0?^`9<`qpUPTTciyB?28+@4Y{FT2Q
zi{~uvm5}B+w!#%wHX`U2+6W4T!yvB~oxd4!((gJX?FD<p&3Qlmc)o2F)5imu#!iuR
zE$6#KK7vm3CA%*D`9AF?94cVrd^A3?Rk-P}B@Q_}%YvX$FiTVv%e^YkXrQZ$)Dw`j
zicW&t_IeO5N3h<Y=8*~OhJWDtO<_w>b*mr$u#(#AL2SV~!FbO;Zl4&Xs+HyZtyF7y
zR%4&OzbbBLK|?OHkvsvbBO&?dpQCE=zFu(zIOI(CLQ|=At3DkT2hvDhA#yrKj3-WN
z#MiE5%%(WB7F(b9rRCcvA%qF_gnJh1dQBL4EJ+}J*SI=}>^$c&-yT7>M9~rI8`w4q
z97&|ETA@VV)nl)CUY%6SYcKVR^N3a9rbNe#QNQs#mJ1uy*;5lYXy6tM8rP+w5BM%;
zy;d$QOf`m$6ZU@Y6$?4khS>ro&L-QC;QE|hKg<JrXST)QB)HQ*W7;tKH$g%)oPrqb
z1|gPXHg~+8v9YoNMGXP~q0iVGgcm76(b_NrwUy&jF)fpRG}j<Vnmn(KV6bzd@5lmo
zo})taXQIXTSaQv>j0xi0`%%?dRA$h~$3|}PH&`x_VT&_m9BJl;w1yD;tjF4ExL9^m
zc7XB#k!71q-MJ2U0w@Wa4-1=YAh&jtYyhY^s5P*$wnPD<*C)@z(dKovO-<iD@l7|!
z-*tSr@b!iH#ofDie`MX+9{4BqYt(2tnH9s$iu&7xP${c%(|?i80ByjFlNMtIkAz<A
zXN*}z&<1{Rq?sVi<3}oGbOSatbWvVoYr2umO@bK$-!TI=!j`0i0+GY~*%Vl$pdpH*
zL4?_Rbm(|w@!}>M1o7=G$u=&9FG39`AY&$-Qmuz$5eA{UOe)ZG{}d!M<jh^fMh_{x
zYZ~E1nTLRaSz<Z&2>ncvfrXQJ_^FNAS#~bcXL1Epx{B(FdW=!V3<D>_#w3&+Cs_J{
z@Rm04_e$DmM$>5`Nkj9~KRuO^-sbZbE$Dh#l=W6ib>>17b^%U^4bvEFov}tD?(rK1
z2_pl%C5wWEYwU0f736u(KNvM1RH;|q8d=eWTGDz9C&BTYHL8?HVUs6kkauq8`p+=s
zCt^4fP*T?!fz_W@F~WrPP8>2xP7<Yc5TDtpksLrUWWt5k59xq=jMwXVD9o2|sv(yU
zTS&s{4}_L78-(M?#28Ix<TAmXNt@@iT>T@#Bk=W6SfAE=vFxQR_GZws=K*IJBo_}h
zUq4}9LRj&_AyBfMmML`THJs__L`|>7>Wg63Q*L5+K?rej3o}UxiG{1#Ty#Z9Q##_n
zFf}`+4YiJq#lc558}q%-q+QYL<8=c}5^CJyYHL{WZ7zXa@b==HcPo7#*Z%aYhU?pa
zQ+%T*KcAEUefhu;S^M_3Ye*%6nl)zu2D{Gp_4D>RwTQ8DWiK@+R=6jpC`j0MM%cti
z<cwbmr{03Iv#aW!9gnQ2_ClE!{QdssJ?y3SFn@nLRt!=6=3&2z<F5)B=;6IsxFh=3
zPilYi^OF2glbvrFcd|duIGXaEcXlOD7-s5SqRmfz3K|m^=L<T;^(Vgv;YvIf@RfXL
zg!Y(Y)r`77U-cAttSeuw;>2K{`C|AaXkS{Zl@9bt&|7GB_R*ponq1h&*De>KKG}9H
zGHH`XQ@0ER89k|L?Y^6xz1{`3Q~H;>s^I5nN&S~vlKH<Jlpj#=U+zjt#QuM8@7h(N
z0KDCI7`_p|_ni=f^&q?I%71t*sUPxeJb`dW&z4UvV#l2ZUviAn8u&9>`KoT$@d$-&
zu1+dP{6t+xSEt@WWo2c}d$Z)-x}GSwu8GU+Dw-8=&w?+7Y}T%QLN$5Yj*r;$jHq74
zU8bQ$>&5BW194LUg@cqrd7p=NVAvL*LlvUIX@@K9fZCkGl2hle{~0MazW!NZ#Zq!x
zKI@yKQNZSl;{SP3<jB7-W~T}T%+K^Z<=ia$Ppu1mg`W%2pENVF*Tpy4I>`}nKXAr;
z)5Yh+YkEZ~sX~;-LBosxbQ3+FVf0M1Z}_w?V40TtfYn^LG^gxx)!LwssUvm{l-Z{J
zS{yVgbTn)S^Um9WDO@7eMi;X2Q`rO&1Tju|Rs7(mz{3%IN&4SW-v7@i8?^3PN{b2N
z_J~+9Hajmb@)(QYOItU&0`Iv({j<MG1a~<(U6RF9AKk+H+^<rA$KK3MIv~%?F!t#d
zG6BlI@#Ox~;82jwcN100Ph#gkWo!I^vX}f04+<Lt_B<Wg-1Bd5LExTOR?3ju4Qq`r
zVY*rsi?F$irKSjfc=kuY5;wQm=h-A{Nxe!bee^Rp?LW4&X7XGVDrWdHZFv%qqGs0q
zm#W{7TzhTMIbn5k<qUp#DEIpJ@1RSxgEjvBx7!=If}ol9iA*W(*c+StHC3)!blNq*
zzL#jbDwc(1T=ir(?khQ{{%e6qdnMwf2>^%j=t1MG{o}FYQ0D;yashF%;yJT$)W9Ic
zbbQ1j&@+(0`662<Kz!vB=lc<b$K(-?fwdn->GE5Y@@8E<Kxb}b=rJx*e|dMAi$A66
zeaGv(Y6{68LI)Nk*n~`-n_B#%V?O_tKw%={E-_bEA6A2qr|`P1)SAM)E_8^4YqQPK
zt`(21u5gqtxaVtt3SfT5rU?&&%a7)9RoYi3NQ*zRG<L_=ww$?3I^WQYKKn|xKU?ZY
z&>QxCl?q}cM(q?X>cEDA7}gBL%`%Q;UQUV4Kf3gc<`mpWdoIwUX$V{jG!kvEOp^>e
zoCS~Q>l2_aD|H)BhX}W;AX$1_9g$sZ@~_M~enx208fXw{A~+LvdlpgDcvk$tR>uia
z%c)rOt;z)W3?YfK9#s1z1~c*b!JFDbOT>tF-0j;}0}V>w)<O(L_o)UtKX}!qKxvKA
zI?Gm01XfaC%dNl03BMjW{Q7i9F$!S12cI1a8H+vhfl}Zx&YJKY@ut10+Z-)eHc**$
zRZqkOve^7VPsX+C;RTz0lMqCw`5iOUoW~dqgl8=}@vXiG@|=1S{m4ZiXc(O^kT^f=
zo{)E8;!cHZ|IgsvpfftvQ-+FH!k=v0=kUArOJ2Dgbi}l-WW71c#&V+nfx+T@FXL%f
z&4lL^zNL~<o`rWRCKO1~?rBNU6IrZ)ztgkd@TR6CHaDIqSLb<=HzZ7GeslS>MH;p4
zu<ysOEFSr8rXCY1qIK5s-UrB;-DU}|B^|@8ID*0jliyS%$d~PR5y{9G<ld;P@h}wC
zjpNrl=I~bK+UH(tC#)z2Ip<kJP$zS43m%>;nttR4F;uMxjsYAmc--W6d|EZ6%eEwO
z?ttP;tEC~6Mt_W43-rQAw1cw8v>V`a&y`qRJ6~dTpsthcz8^sSHMxE_j9!B7?H>B6
z@!bRc;iCJS=65T;Hx0n;3;n8;T)}GY*L?+`wO@(}tWM4%enmUpK(Gc91huo!-0^jH
zH+qohkI$26_AwLMOBDA-$I`Inx3Mw(uU{)Eq&V`i08|{y6lxkiUCnlVhu%{$gy&@I
z!{@xNEr0SbjwCttXlgI*38=DHZ3e)^;Ao`-g-r-|qup)s?G;a0{gL&x@(P)pzciKN
z5e|LALLeG%Q!SquLy8jZ^JG=sf5jo<8sFNh#;K7nyLoBLTg{(1$P%`3ShczlW7v%1
zOeY1f=~FjhkJs@Ot9bO!oWg){5_M<^Y9x4it}_biQ@kH~d$EJKF-#u#bg1C>xYM<c
z{&XG3SVSM)@s(ZPnI*TPk*#&AgJIc?i?wynESe)H&wOh;V{-lb0vY?2AK9AQ7~;HP
z`Muvu_rU73gyng%k0DLPObc}M`SFlcN%z_$zi4l-c3=^Y*Rt6Qi@%;Y1B78%+Yj*;
zukE`k@>D8jWE1CmB%JU&bpC3dOwythS;Rc+08Ae^5=M%|jC%6!?wI@xAit;YEn(};
z!1GN0t%1EYzTA2uMi6d^|Jg!FtZ@$2;QG?MGVGMvXixSv{_HkZvAUIwA6A~wWlQ^t
zv(LP*%k#5S8cVq%0f*dp+oC{Ww2~i{3O1<1fUmJ@&>HZHQ+pyJA@_{BL^ay#`7xRR
zZGCEN<?!5+)nVdRn9f(Iz-hknrxbXql@Nrq!?II_kJw2LiEgoSP!TWPm7XaJW+X;_
ze00Gsk3nd~?A8xC+=kKA;8u-?{ABtcfa$({ftA~1ZhXaNJ-Cs0I~wkiYCKl{07Cs3
zQn#Y;>e;$qcB-)zM&>>Z!i$bR^YvI9S_jHdjAA@K9Q*TVQzymC=<Uj6DX*@5UNqvZ
zqjuo+=4RxVXIaxGgtkQ1f@gLEeJ1*~Ow20tRgH&a%G1L;G6&=6aiDsR!veGe(YY3O
zJaA)I3;GfO6K<-e<{2T@26xC`_-6(*_t?5rj9&|mUY++%U{3`pN?vGIz95&bycIkz
zZ&<L9T_zfE^;CVbd?iY*Y)E|HR;N&|otD&Gg`Fa#Tp{3V!+7J5@|fRijBv8fY~8Lp
zWK71&8odd7Qd}wj!ny3!+0`t>YF7CVQF|rQ+<0+<mefEq(j_!I^=*1x7yrY#=cZmY
z61RV&P$(yl8uTURowXhbjmPcLRPniEExRhZKVr~^vxU&Z^Te7%N)?(_Cn8cEJTg-j
zYFejnratk<<UB3=RMUF6sPBV}>$~@Woi#PrI?2!XdU>tceu1{Oe8Ffq`(|HwiH<kV
zm30*=T=LP`YWSun;Mng|b=EPIXU91=6?dh38TtoRT%CRWM`Q!s-28cti}v*f1@;p+
zm}KBUde43k`(CBueyPQ@sBVF&qF8MQ{Lz~CaoCqz{~DE$ci^H4nTmdlYQ~5knDqS4
z1uZ>!7@M6+5Iu1q;7pZ!cB-jK;Lzb8;C9=)Y`cLUS$ar%zMJ<E5%zH{sZ>SFB<+LX
z1(E#YQW<)KY{O$%%ip<$oh)Kt?Gvv!@@^H=sCe%rN17rxeO}lW2$_ZEL41thv+M_+
zkH{c$SRO+Bz=Csl9Wx>fC=W2+qMcH8n(>&w1~Fzd?kY}kM@1WVnan3323u^&I1m>-
zGfILW5X2Z^tZN{*{|H#c4xopVWE$W{Sg>!zDLvOFm$D)SF%w7c+Y2Yxra9<B6(z>8
zfHsYR_jTx-Gv)(q1|bN)DTO>uA*rR<4E!i5qGC&p0KZt0aEq`CxX^3MzbqSfDHK_)
z#TF#+&m(J3WM2r@47JZolaT){>)v1(SamBVMl4mLxyi(xsG=Ws;)jG8j$fH;b8~>M
zzl(5QRiCSsiE;|<WwQ!yFhUWr{SRt-ZRq%xLkjA?&#(4dCx%*fmEJr+Z4zNesT=6o
zPOU9nG_DId=UqG~pwAo!gb=h@6(;C2T#g<jMM27o#<F=p_|NHV=J|O9Q_-btSkzQ(
ztT~+*H^_sva^KWY=Kyg79i%_KRwlV4wqvc(IEYl!{sI2x)yXR)5;RBHGkSUaorIpt
zR|W0bK0>3`!2S1|?(N=}CvQIc=URuQJ_)JoobWX8OH;x%2HgALec+pn>paM@YvDoo
zE;iytzk%b~aXY1?FY@9ZSNm1pwmh&0+}?<tQoWXBTj4ZLMK``VfW2KK&mluEnaW32
zeEMh6>XV}Li7S=+qW)NNug^8UO<@;I=xz~_S%)6?NfTCm=R@AM1s7oTp<F0ce2;XE
z93@O4HNZ@?C)%v2yOE&IJDH(w*xZAJdPqaJrMGcII6W-+TzK|RW-h80@nYonAxOer
zx3JtavY{+9G_UHKo(r&b6=(Y&JRc%|0|2s<%Ex{BBFwbZ#-6mSqJS5lo>)CyhxJKb
zcucejPHQ+Gn%y{4K6(9HzgNnXZhVgM*bXVz!}BtzOA_>CWz4kPZD_Gt+0Riq{UfVZ
z5i=*kyq2M~P><!5ly{6lxtEMalyf{&F4e%YEk<I@6<WV%VmN>^YKY?goLGaod6<_L
ztA>Z>hr>c1w{yO{yIi?6w@G>0dUQ=kk<IpKh(hDRYB~AV6IHoVuJhOGF*rlQ3DMlJ
zs)lIl`K3K9ku9<Wxj{S?2Z%0IxN4ji#~Nd^mlz4T$DN8<p$sNi1P&E`eZ%k0t4Uf$
z8HZhH6#3)cGP917sj1yP?+9Kp)c^o;dCa+xp21smij}|R<Id5;_DU7_?|8fpp#EUR
z^Z)_en9|lvy`x)lIAE0%K34U*BgSzD+xi1;@xp!8NkgnP=S2z?NgsM@5_m4>@PTTt
z3-5MT1UDligN<J9iL}eJGjW{{?tKKDRLv*LW~MLpxt+^44xaaEkD~f5DaLtesOLQ`
zHrc|csaNQe-M&#Kq99Zz10|k#<)Stas+V%Or)x+oAZ$Jb9;)d-8OL2Fpep7(V-X8P
z1cS-<n<8se--DJF6LO^q9LO88^X|hUuSWEh^i081&42MHvQt&R-~j;adZk7|3<)LZ
zkT-stnTS--PmCA-V)tld_fazSzN%e};@CED9Bi)<6;7&Nb!R3|s->?}X6mHF)F%3>
zcf>smB>+sYt+9ARybJ*pI+?kPS!Px(ThNPduQw31l*tIEsEV%sXHIK8JWNU#&MXcC
zn1)&bpznaHBo1j+>n?<f4&R*04I3gy2us4=r62-7PRq9zv-u%}I1ZMj9P`JX@Ww`^
zf}U`8XJ{9}b0X^dB)@Rz8p6Y;`0TUs_KUSif1PEmCh;y&{Z4yyB@l6?)m^$9zk3ve
z7W*5)D_d+Obq@J>-mU-jEab}Xx%pYSqL_OK&=VOKO?uL;1`6ylT|s-!Ego>kHqDqs
zcdtEo=>u6iE6QZf>{LJEVyINnW-FPxt)4-&Xob{F7qtJ()N^8djar&|er_rT8~SKl
zrNi%*)@B=$kI>*QI#&d)YP!eb7OuIaX}5k}`LL{}5bT52U5%*K0C!w+W0bv8HH%p%
z3!>8+>qsPsK9@U-oXk=5;li`GPavQDJ5@U1NF(YLDz5Z^$A?>Q+xKr$%7Eu<?#qj9
z&5c^s4Lmp18;PEK_g;ij>n`g$f6vNk)<VY0NC$jJYUhTq5guSB_xqR4iOa`_8Nniq
z5GRuKQE8AG>lp#x|2Z?(lRq=T{(;`v<#g3j85zKtv;*<!A~md=2LTuBYL<I)N*?aA
zVeLBa-Oeh9kzF90=evBEr3V!m2~z%pftyz1eWzf8-icm|cxxO|U_-EIwO;NUOo&DE
z5Eq`qQcErRk;2#()BN=AtzD;^SC%!t429IX5iVWWP3YqPt%;&@SP%2LSBkD32=ij<
z=720dmmb%dqlN-Zfhh9>t+vB-7857h-*(0~d%Fp^N41hC<&2PVt-r6@h1V1nq4)(>
zteWNYH6q$`QTH*8c6l(zfFEqJsAY*P%DjZc^@(RsZ+a9?ywTY2qj1w+d~o=~301S}
z5#@4PnX*>hvP#Vnn<rwLJg9lTH7m9+QxAUnIz+mp62fWW5&!_Qijl16xy!izJg5T}
zCh8+cWS>NSzt;Tr*Mk7YD=TSbL#gJ4@zCs_;}}`j!^f8;8VnJd_iU?*^M4eiz?kyx
zP_=;uL-88qQ21=G&o~47O}sT39?GpZg<C2QY`|<)+Ik!>k;h$zgCruBuBPj8*%UJ8
zWuEHbPgqoLE*D*n9#as5-Au_4@XIv}WF(VHq3uXmoS+*~+Te|lbbV*d{geTj`I4dc
zl<NNc?1#TJ#8ZMzU~e$=;DHB>+#4GE2+p2CXc2Y(w6MwSbyCBzsM)u)ujhVQ+Su%G
za=Y~VHQE$>CrwMrm9i=<<q3;f6<D3yZJ$@9b@uAjZxA~r89H4^nK&4E*kuBqgX`42
zi!jgWJcogX(>4+#f@)WR9pivtMO07e)^7SK<NEvDWZYrVI;^ZiJvmJ8$0DtMPptDc
z6rHTt=f&nm+shELGGaz1YD3E95zk{)prmel0wixLhQyd{PkK=w%DQvG8Hj~-bL5Mt
zeCIu^=}to44|Dj>U1?iA3Pm}eHb(5_2Y0v)NsooBdt`6f<$`~zft10LAk>DKct9NJ
zzP}=jJ<<(G+?u$$-ee^c%TV)m859=0$=?*ohs+{9P_Z=$&1rsd0#fXsUa0bT+_Ai+
zDPht5XZW9v<UHlt{Al-zCHSg98Pu<JO)G5c?tM0@?Bgg7II=a%m}}EsD%@2}LE3i0
zn3FeHCU^oi<$ayk@Dp~YbA%)o-~zs!o{cI|3+IRHep*#*angR(&O0<Ql>gitXDHFt
zguN{fj&Eevp1)B_tVKF+NqyuO3=7_j{0n1~x5xmD&{&6^)>-0|u3?R{=oThjx?VV?
zbE8jOZ0AQY&f>1t>6#@(u>`?x#Fy3rp{}jY<~lu0O*C^61}Q|A7kgpt$b9Y7SIG<!
z7~TSb7&X)fHw?0mPtCuYwo?+#ZA;PLqDU0^CtjWOGd*_fIaLqEKoZWWn!P+{cR=^I
zyQFI%{e#C&tBuR;KWnKk-@^R7tp{APOoM5Y+{1dejQZ-+PDj`)%}YFDmMNz>$s~?S
zh!0$yoba{g?%|bB%SG@QS@|OC5fZI{lFCdbgnh5AZ0V)-hP2dSn96hVY8Kbk86lWT
z6rBxibu*ycj`hLhTv5zhHOuuv#WuGqOU;e+dttI>gG3aP_AnOu8X8zyZJ6oeFTdD7
zkTJP$QMEkJiXnyuuS_mC-l!!u4CGs?7^kX-fv*%QWTgJCCKRJy1oq#B-h6)cY!a6z
z1{~e-^CSy~kl3z@!{E0Gu4z+#fu(I9*TGx2?>wI;l9Fm_`BKRpXaD7pDOfmtUt7u!
zc&=L7u8rn}MarRH4H$KkfGS6e6DdGU?*co-Y5I;kZWq@6%E|k7!#;%yefP2b4!Jq`
z4^%z2Ft`Urb<4)J9{^iw1t47SN`Ph}cq@d9vMw_P9%0AGuV(F%YD&>}wa#j|4EP`)
z*4r>-9=!~5Ty3%$cyt}2R7=FF8B!Z`&vU+&oQ-h));F?#FyD07zJuwd#UD4WoyzZ5
z$f#Nemdg$a+q3S%Qb)jl72l~;?C<M5Dy}eubA(idS1kv<>>3sK-y}#ChdY};cm8_w
z4JdJ01E5*w95<;w*b#6!I`{wO4S`tkT`oYDu4v1+t_x-A<%z>j-L3pDZ3ZMkzOw;X
zm$Aab;J+e=i?q+Cu@m+e|JyHo@4tO=g<JrFAk>!GpaK_VWju&WZ%Tmmz3NohTXFQp
ze;LaE+fqQ5-o-cPkELv#o3)7keII~Ix^;DJ&B}J*JRRuaQ<t`aEL*bvHDm?)C2&Sd
z;r*>^YJt;PYwy`7|DV?3v{svZKr~p^-sCR{z;HJi>i;p9c|B<oR6C{HzUyDf8%}Gj
z0ycS|Yu!z7mJjed)WyNBjlsoxU90y_ax);SVsmerInPt!e+%Jf_){Qm(4rB)uj?UX
zEg$j-!fk;(afV504X~Ee^$Lx_S{2WLDaqCo{vYQn>zXO68fcd{Xw>Cth+g$u3Xm+^
zvoTl4f44zH@anz_DcDMhr)|CX^P|w?D(@fRLI{&pg6*!gaQ@e>M-agZq|g~Q_x*P`
z{T`&F2$+&_D_}^Ql=nX~dNFB3A)q^1IO>ab;b*E1$9!%14alHtLA47|%r#H<XwF0U
zgNPej^4mh^?RbjQkh_^(A{z{!ol<sZhUV7+?%AK;zoF14Xf4RD+WAS&^(=2k$rD}Y
zcf5RmI<5f>J_Zog&$8DgJkd)TMz?Kk1Z&vmMrU@-`0kYA=bCR(lHn79@&4>3%kts#
zap?fg^7_G&Mg*-U^^(>2{Q0;l9&G!zR|c`!7Y6F)%XrN<zK`(-%4L1Bv%kG8_PJ9P
zzPL#w?`(3JM+_aA=@nRGX5<U^3W=wIFBS2g_mJiJIrE(Ku0tEJAFNIOenqUoKF_`4
z|Eb{P%vbRPZJ)YjF920Qi?*~K(Am}(B#8Z|J7y<($j@b6fEC~hFzdit5@Lutf?<UK
zLPGSBG{p+{_>5#h6oqBB+|je)wx)IM+pumImI^9YaD{aLXC@^Jveyl{h>tu?v3ZK5
z2x#xYVzu;OVJTq$ybIVAU$&S1Gmz*sCDqrs6B*e9L4wzG@-7izfBh>PSoZAnUtj*a
zIAntTJdl5AeEqD7@%3!t?WM0#Ym~zGE0M4p-6vF9f9pKu%!D+qzKwg3k^ACFPDr>(
z4Bq03d!2R8%N+R?uUHpq<^gb?K8JOVYq@{#J79MjPs2D~n=!gBZK7r{zZ2lk78fuY
zgC*8UL&orTYe24UIbM!ZfEorkN$9|QFu~tzIVEcO#$bcoL=4xC99B$F-+<1>=zDh@
zua|8ldKG3repT#q&-IR`Fs$5pxn|s>xVX46iNk!HmO7XzQ}{HiWGF*dTK#XqntZ2@
zv<BkhZ&3UdaZ_X!?b;1A`}lyh%^0XH&1&!25_X&e_|m=gli5*p+!1qt#2YF)vafC!
z-{7AmsWu;gt7{UzBWoGD)wfroJ6iQ@Tlv=Y=AOIIpvmucN*>|>S16$!-<)#pQufa*
z3%*Sm9f+?!TkBQ~jGV9UJ8gOTD*AT2q?BRj@`V<g0o<^vQ+(r}JFPD%?^dD~v<r(C
z9Su>Q&y+p)iDa7nu9<zeq98V4ZnLS6jUkrrDQsqz7SzEQAyL1FRF0kQQ6>W{3MvZ7
zIi-%L$R79@2***}Ah7ZDok+D++e}n-h8|KKHuX@H!Z#(sH!Ql0%)mX-dF{ZOyj&8S
zYLF?rJp!G$(5FnH6hcgegF`|>YQLt*+XN5%7<+p$C3&VhMWo%L83iEOsKMk!g6Ys>
zZO7}AwO%L1#0us1=r?^RIifYN49gwRF7$qly!W_2B#yAk%Q!$;-Bj;f1>eGfqri4x
zswqgsR%%POyv?fS(G$X!NxkCRnfeN2s6p5AJF<seGA%&hNE*-QlOf^SL1rS{Lz>sd
zV8oK55Ndnh$uLAcWMqCGDQf+Z;??h?v9fgw(MOmPI|XC1uMLFW&yZGr_B6@8SiEp<
z=CNA3-mKa5JLG|v_&POOThEu_VoQIGO21tBP3>{Th&NZF2Y;A4U+$9ZH&yme_Uxc<
zXt!VCsN9cq+2b3Uy~Qy<v-FsavX?@;;4VLr52Rd)Coln%5-8a&*=^bmz_t)ci<enH
zvf3I@bU8)H_Pu@Z{O5hSMUC~{ng>sBO?xP0c42((=$Q<?@!O18<XwomLj&fY4EXgz
zc%1(=)t4Or)4i$h^h>#Pi|+_WuLWw>*HcU%))TL3n0~HLk=i0N)^3{(rLl$os1oMW
zw#QA?HC5Ot0a;Y0&53)@W^T^h&YhazdfP359;+$Is^T-FT}QPKo*sD#Gj~4bjZ*Dy
zqeRX}sc&kpb8(w_$!l|NT?c`7>)h)aOwJR1L?~Mgi2;OR+4J=1?r0P}Qx7S}V3<NX
zcjmRxb}ClPtVtVnC`@H$KYp{hvGh*Q(>{I_5|v^v7SwCnUJNlSs2K}!P{ZSdbPT7j
z7HlT?mq9Z1UfG>anfd6=_X8r5^m>Lu#Hv<CjeWanIxfm=YXi?eDUK9VD0z0IzYz+}
z1`=LX!&KHkmWkwsnIpqn&w%sGfyTD&*gs<)=#5Jj8VvLCA*89Qr;ACV-8b&czJ#Dq
za_a`aOY|ahb5Tz9b&`Zn$a}J3o2^%|H}5%|P2RMP<sW1~*h8VMigcra)$&vWOdX*O
zhKnJ>J?%4Pj&N4>j-6;gAN47_?-BiEC~3aMvnZ9yP>p?R0abgyyN)F9?ecnsdg%A6
z4`I_)0y?(Yf6lM-_5Uc<V_pAkN_*4575offKLHx8qW<O@0~Xo;9PB?GLu~4}|MB6Q
z#d*?z69z<O-K(30_s&7quV))a%xLbdc((YwYwh_jKvQ_<?k$@pzQEJmtes{CpEdh6
ziQr9A+z=~n6gN1<?Rxjjpp4ACgR{Dp{cedb^{;!3uYWqBLOgsTGq515Rp!yejR)VX
z8hV;lkJF=6UcANZE2uL+j%l`6nXuIm$?^_U$9%mpP!q&;P;GipLQTt*KMWm_7|6`o
zeI0L4TRx>?lUSb;04=RI05VBT3Ct;F57WSjD$mk0MW)ba_jets2>xe~^HW%O!5%lS
zn0%nem8TwD7(9@3EsEd|c|-^di2+7?N!n)VDfaUlo0S8KuQgBGCJS#BSBM(AN-{je
z#uk{X>J}{?F>&~k$yGjs`B>oj@QB}#i=y}aVAY!iZ}ipt@#QkKvRuh~?nC=hccMxd
z8qj)K?#4jzcPG{56ys3Zw?XvviKm@#J5BH?TawTi<K}5Osy{p0TzqW6suXp@uNJ#M
z&*J%ue<o=2YRn^l-ulYTgkv)r;F^vPwRuUy=zXk?@3Vi^rWW5bA5B81ES<mPbgX>K
z<iWj|?PuTb1E!$acV2GmMTM6e_&T1ukIuluM<UTCXAdWdnAp*)<t(3wly4nq2n|Xq
z+aoL$m{}$>SX7*PZ9ik_nKb*sIy!T+@w=O<{>v@CeJLUmLlhGr;ByTue}FoF%oErV
zK!0xCx>ZFPZ~i$NK8Rsi8y?ED@Tbf!GIAl0JKeqBUHLrAf_bPz-j3({*L5r}U=|x<
z0>i_L&3B$J-X_4&t!L}F4Y#?YJEqoQMq-5~LrJq?WP(|1%{9;*EWHFOx_&fZAS7a%
z^O<M(*|H=PWj&@Gufd3PgFrrUFT3#3oy|ra!!=lSMQY44z0%wee`IA~kxaPFZsRZ&
z|8ObDLoD9jy=R9v?;k0?_R$plbw=PlC(@>NCkyj&Q%>zF+C`lyPt{|uNCZZeeO<mh
z^>pu5WRtZ^j*6C^gG#{>OEImxoxgP7vGxaLU;1YUD8Ux)L8?Efm;`<{XeIgqDt_Q5
zDE#hZ_T}3vM*wcL|HxDwTfA9x^u}X%Zzl<epyBrF*uj?JKetcWY%I7@%B~c?ySzBW
z)fg}-cK3QKH{gcY@L!uNpNV3w<|XLw&0Q(48^|@OqxN!2A6>Q%cwe&a0^eBg3GJMU
zjo@8&hP7~3p06ZLj{9&S*6EYK(Bgt)LG1*?Rh2vG{L1M!b}Lh`wfVPcYpm9&a}j$s
zCM$ZWy2G?@InL}RPI(h3P{TEoKkvO-s#vE#Km9IoTDMyH+wgLE2bIzZ0fWCZ03dmx
zty-dRIamaC@Si-6yUmKB+Q*I_{XE^7MA^K2q-Gggq;N7s;<;IPLBL?a+nD^Q*#~Ct
zDC5ZrClA$?j7R-UEB(wVy;d`}ay8lxEqG$~E5h3=mQ=d&5+k8|y~QJZB6{w@H2ex^
ziFbme>NWhK!G}vOR19hU@T~|oXR}A2l~~DX$xy!+FBj*qhgQOP@wvGH^O2-c{k%2Y
zFb;G%i}IlKdam+%RBjxcJjIzn-XXG56I(spVJ!4ad>hwwz6gAT74QNp&&CRFvv0FY
z5-Nib#)Bl?U-huA{|x^euev>orHiaX{642KkfcuK8Poa`d0_CXCR-^W3-+-(G5AV|
zL&iA3zZorZIjln6(%Toj;cEe#0LyA+>|zwaHWvvL-_=~yhYHyP(GzgypYcG39ub$@
zqh}e%%zJ7Q^p2r`q)&Hx0J%TF>gb^>*L3XGaW1JYaPuy_1!>b%UVKsbB%~7=;ykb>
zP5MSD2)L!rip9qce91NZyf$0BzW9jgL)L=rlpwgUTV=ec#L1CfdI&alfEeC_kjDI}
zeDduM^aag0pcsQ46kD?5!ecaCCz|N%?rO(ZI(Zf`OxmJ%&@Z@hIxIJ_RB8;x-5&qo
zNY0s;^q@<;A&Fo@LuuzZFKp68vAIqA?3{-4{J`S0h%@U5midNl;q+h2?7YnYgDInS
zdCv>!50Tqyj03^XkIIJ^EL7qHem#8Dcx&LYu|?DUmEGd<dB{h-FJYI`nvcrlH$3Q#
z&aE`bRr|W{)eYRkp>_LnYxC#0+86tu#+;H<*}r6gKL^t51*8esWv6t#%|wb0Ha<k$
zF0Z!MupJ;se(|}iLLeDuG!L}!NwG2Fhg}S>ty%coF`vYBPM3f;6q0nd#s~u_gA_ol
zEZ~q4kOKYovrv0*i=$=F6{#)TME7ky{n0LuGFZ5&{mZ5sgn1ns3(EFO@XgW*j8NF6
z^el!b{LD<@*a}4^*;d}QG0h&d=WbI?ea}0S&#Wod39@TXhC~{n`-4h5gR&)cdU8DJ
zoWH1eO0pKj$ETQ6BF>fXC{%gG^>RV7y4O>9w{pULI;&^UZO}9>o$0>;lZJaQccsn5
zCJr`oM`M^Bw@L@a@3zAXEWwiMPwJ7ct@eW(>b@NOT?7QrC#79uJrgQDk0soxE*?J+
z-T&28YhYO0>`O`rd!Rg@`!(@9{@E|&j-_9HBvs1risSX!j<@ZY1hpC+@Y(?Ta-&~j
z)&YmIREz4S154TK!i8Qp2VNs}xEFhGoUsP-cBHpGwqoP_15NKj$lt#0B_N?s+`JP`
zdc#&OPc`4T=>2@txO?s?Lk{dab^j8r?A5Dr8LMWC&3rfCO+T<&ey04XUh>jzd|AyE
zh@_0`SsB;n6IzFHG3&Bwm)O;AV1-dfdDnq$TX*YoR<hLY6^-!?%tXIfIiRL{noJ*Z
z+Gtcsxq+7M&oUifk;@-GV^8l#5YScYRj|>VGjJ}BPBk~G9zo91n>gsFD+^Wd>7>EE
z_DX_InKk0c482!fn_lWbkj~v=*VMA>L!W;H7D&#mf2Tk814KOZ+Fxgh{o5-vJx?Sz
z1_38SK`^xXT2tT`;Pzw?-pIS-D)eHuY4U;VLq!cb-90iY2EgGSwXrJsT^!0w+$!y=
zkf^z_`a>QO{K7iPw3!LqQ_J)cU#4d1#d=f$aD)Wi?g||}-<F?zO)pDMZQ!eMWQLeF
zb7)6bEg<wO?TUCS(njz8=4EtTZ-`A3*LM~1FiDn|75eC-x|SB+q%j;j8%n+)fn+8l
z-L>wTqe)T5tsrZRN$7|yznf5ZG3QJf=)2AmK5w$fJ=-r$wltv_f8<L+zEZ{YKjmO{
zQ;9}}Ua1IIJ-Aen#d8IPSPzlY1kaY(TA_%4^0D;(u}jo-Mt)-`KHg;TW!G231E=0<
zN%5)LXgA2qj2)5ZiVpXP$`_?v&^yr(5w4W3_Yb~?09LtE*$L~|{Sqfc0Vtv0?Wi0_
zY1fY*<(nIXrRGM58H08+sqD7g`;4Ha-v%%8?Zz;{y2P8=CW?L2pp)<4D*-q<ORwFw
zSdEUi^&Lz0-e$V%{_8BgfWHZ9ooSaDF$dGAML>`;<sW6Uw7vy1rg~a}>8KbvG%k$#
zi-j3XP4318=8o9`0{Bx-*&EpOkpsHmQ9G4+8<F<LYz6J`;*GARd4-b*S)Hp3_(H{s
zqL?Lb<!!Ew@%~f4@^)8*65B>^3(%*f5B=<R4*4nG2q=bbv|ijG0*}X!t?S_d%nv$!
zN3|?@X9dpKlKUz1VDjXjR?cLTi4##ltVeQvR$r+CZEyMGO4`nfHjce8aL*3EC=pkn
zc3o^mZco|@v--|7JdMVd!!2?RwTrq<x68S9i`!XmNjq0pi-Vbo_=fX{4IB{>ltJ7K
zQE~ULn)hQWuR$=E+6<9c!3J{ELx4{|e$U}zk(0ebER**gx@&cp%hl>moGxd$Ig<mQ
zyK3Eq&Q`w{(+ul`Dvr0hg{^OublpHN<y69W)9`KEwC`x0jk<t(A>k_uPjGmD&lthK
ztynSi+|0Qq7hr1c`lczR>*_j}+}}}l0?4@GaX=4Io*1NrC0CSIabDVWL@wqkgqD_l
z^Iq)7nxGZ6ic8s+MYjgeN;!VKqz90V64qMI)!lcptHAEr#y;}_;&UEv%mzkW)2`2F
zrx@Q}_EFhH<|ZL|GGFv7(FuNO&F4dg3@X(bt~PDH$=B46FGn@qH@!N!OlXo@PuF^o
zc70@C`1dwi`B3=1L=?0cNM^FIa+n%9r-9Qckq=k#!~2)g6Ojf54AaLCf%J_NK7jIY
z(<|@H6P>3D0StW0O_&l?=wdY>{1>SlT^%nwE-V$SbyxM-OgrHe>IEh|Tx5p<SdyT#
zZCss^?t$G^vEP{s`t@6ob4W1RaSK5EcMFTZq+QdKamlXw)~q0=B~qrYbr$n+r=o=>
zt_c0k>vz~Qy-oN%Rw=U*tFm(Sl=*u1V*1IcfaabL!9kO@=9{SBF{~s^y+M6o1L?+m
zQ9?kHK+X2nbAT@BADClI__QR;F*0UAHLhZjeT}43+t13n+K@-IAiK=pHY)_+n{ViB
z?ZNH}S#gc1w6DHbdU9f}GFYVOW_?O#v6^2{Hm?3t!PK<_c#F2T`V$R<<n@VGAhRUN
zS&7guZpcIfS+0P`S-G!uR(n})ENZ)~OBoW_CEM?MpBe6ct2OZIXzgm@#{N1(vi#nP
z-4}y(qylgHm`Vml_+&~1-tvi+n4{|}4E^bjBHZt%pUXREnXbgt&t)fkeO+Vec%As-
zwWkNc;Xu>rdM}hs;1EthT#6C>7*JZ#jdn_^=|qHp2Ta0-vHXNrXJU)H#!1y~g>A3S
zSoTbqY{r*>Gd^@wQOxAn;pd`*ML$wh)QU(c7U@c{nGyv-u{mbYQDDh&HY1)nh1xQp
zMbQ9c4Wlye+I}4K#RJ8m==A+aStUGmfBx=@JeWDwUfz2D8|Tt1w2DyDhw*eh>7Dv6
zG{9WDHo0tFT;e9_o1LwfkP%qnb7gDb?fWHGAN8MK(|nL7Bf4GBWN@GO@4zga%KjpA
z<AA?KM4sc2%%gK^>I|7}NnJ{WR!hfEHmxbA$6yzufcQ`sTHyHV72pp_4|#XNJKgJg
zhHZe1#zkT@_A+lWAv^n^Eilfeqd@Gt8PmQSIj1xv)pI}hz+it-K>GH!a7kSE7VMFx
z-eI{0lhY%Z<^0(wm~ZCRx%psVTDh-qXwtR4Z1Vv|Yzz0b5Aq%f$rvo9_yv8sbm69!
z6cNTD{nn`gGL~FuFyJ&X?iu|3_4)X^U9+&vHrHpsX>08d9J^p}o)wTPneavKhU(}+
z|5MFpmgWOhK<~T&{B*$aji+{{$>7y+caJCfPmRyJ@6J5yuync-`s?tG-KL+cOyxEF
z2CkfA9cHLz1@_7Um#G+R?vqRQc|cD8GnZd$)Y3vA)yN$xGK<MIGrMw<Q0b6+*3t1E
zzE<IXkQUfgo4lB|^ZyStiKd0UFuTn3?AotfK}7nMSVi_8TsnRe=W{U@IFNovauySe
zXBr*9S}_0Vg3?B#OzI<L@Aw`ob*uOh;^Cbp7lEHk2nySKFR5&1QEiM2u(sL~dS(A*
zplK@qnTKCDwC+yiNI4pSr;yO+lBeb~R8qcd(y)!cfgeqHWODiEH}S(@@QrWh>sRy{
z3fi2D)zlATiJMc1&ffH&lCHJwzjrI<>^UBx>0$$1g)~tVYjU1HxjRAx9|b5>|Fi!w
z;HL!oJk`yke-Cwh0Ak<)fS3CUtD1kZ42Nlt_n*r<Z@xAv_SdFj{2vO%8gQC7e@Cf|
z9q-@u?Q!Q9fS9b*_b~Oq<4--MIu;BaraXAi8$fIee0s#c<LI$tpI@GVej{4h?KF56
zh_CpHYjFBDI_fuY>cMX9v{MiAZJlPXe|jm_7)G-A9vC0}{Alz2M+IL@0>HH67sW*!
zny+)Tzw;N%9|Wp-Odp56mDx4DUu5^G_q>@%pFpqfSZHbf1%QbK{U5fzJCMru|G%>L
zDI(bkM`n~gGD_KpgzPx>A!LV)j8ckYrEIeIo*{cCdyi0#m6>t)UALZkKHuNx^T+d7
zk8|#G-`9Oz@AqrHRgOBi^4oy9Cr(G?LbTAcq>jt|eOF&m=Dqn+ocA_LG+X1j*QYw;
zgc2`6FS+>T-oWL61hru2+TUDYmzVMK3WU=rE&bebJa+r|PywvRfniIQj$fq&W>1%-
zngZb@G^&xgdihZVj1}z?^*cj1+4;ePiOqR<Q%&{#2nPYVtpM_)Dg%F*<;zxo0^xhE
zdy<QyYd&Jcrk`%dsZ2-fJBIx58O|(6x@l%hJUQkw>u+4>9~rUipkwFZKlI(reOdl(
zmtX-NSBIgcOtr*z8P;muQ8u(xjumJg(ALlbv<Bwe_K&Zd-&4XmVy>GG2t}rn8D}`c
z9t_C3%{56~znk<BKy+N0Nl7w5P{*;g*exg%!j#N>qXC;`+t&!YozDSbT1w!2C?D(_
z(<sS$4yR;SenZKj+V*q4wL5<m5c?{0pVSwOhk~dd4V+tvE9;dXOb4Gy6#esAtr?IZ
z*wUIOGuxU3H=gcK2Lxbo7MS>tMI~#o$v5Ogv@&{j9d(eW4_l(LWS~zPnB%4*IZR&_
zM3jPUO;Lu~&lvY?2z4?L{i$oOvvf2oR4p_raHMHMSk9GY)42&9m*x^=|5)D@m8PP-
zi$B+G`~>KjNiXq#lCY~qdaYIF(p`TP;Qkq_^zPleE}f@ypF<X1813{Vf~+T6uim>z
zfq0y_R=LFJ{v$2g3{ot|S%1Ojzc2dG4WU%x#hxVunpYxk%Q?Qoq<fP=@Mp{mjd(qG
zK_pAE6rXCafMeU;(=CYpU9DP(j}aw0SEsO10=y5y5?AD{?Ci(~R1%~nCFYLV)TFT`
zL>f~*Ctk7AKHiBuynO#&0SXI1b>x@i+tyw;t#D#IO5HXe?Yj(DZ_a+0ek)jQ_y*Aw
zQLhk8tv_%9l@OAp0y?;Jjj*FJa__gTLHu|pFl*;$ojxT}TuD*9OS8T7Ajk#bbDl$f
zR#Iaw(=E8jaY1pbxcQ+$DfHpxvoCh6g9Yl`YijD2v?$9e7MdU9yws~+i(dD6YUur|
ziRm(jp&OgF>u{6WVh0bp5)<T(wXt6q+Mgm|Qe4`tO{d4E^q}^7gzI^>h9}-|ecg@C
z7z5k#P0Q%53O6;XDN5)pItT;e()G6&)FxmHaS6vyZhZkTGv3&l^eHV?d6@#=XHEF5
z#{!JlXRPG7Y-=8CMRdslJNdsK{Die}@C86xLjWv?gDjQNc<=+K1S*MEFQv<LL7mCB
zzow=kQ%lN(IznmZ(^68J2gvO0A_AkX_Y1hEyW85>2%6w9qI^J0=-8_O+G*1}<k6YA
zvED)CQLh)@_TR7#?!s6`L<J_L=hkY!sC6ZdpWjR>Sx;(&rQMMzTy>~){=vK7a_qEt
zfllH|+hYu3&B)tdfqPucwbnm-H*Uw4=~w{NTh%<dM%5qy!LswIP|k+M^Iyoc065_z
zz~ZdO(egfwU1b8mphZT-?{#!qhn=1n`DoZeR=ZM{m&OMDo&vNfD8CzES5YAYef)h<
zherudT&GQ!T|Ri|1qzpT$Ss}7n&(fw%QUiF^Ym+NX<3nckZ7`T%k*naCe+TjuN*`c
zdG1S4CO<_UUfXh8I$(o-7BR25>v}`@uH=27;UL7Nu~YX&1~9t4Rydq6x)VH0z)C$<
z;e0HB7Nbl9T3Zu*Su){IkNqhnT=^ExqAORu9*X$Y^>GX}@75g;RR_|Q{QE1cS>=DA
zBbW@{tg$|10FMYUt*IE?=$ZN*`Xb>Q4*P;C+;o8>be|6dZzqPcDAEh%1XCtciBqzv
z2K({j@0kD$y;NCzcBr^S4xQ&j)5W*BvGghg!2Z&lY|xqo1**0D{b0xC^m)7{(f~$6
z4OqrVS?Pu35ha_6Gfg~PZ1N$Vq7(-%_9B@6-;2*qGCQ&pR3>2EMQF%UO;<USbW5r~
zRzo|?ze}t2DydW;?r=y5f6J=S;fF`k71kL_E7*cI8O;kjd{1vs{&@liX*>TIXYY2y
ze8A!gQqG08H)So(ZxdiPj;JsAom}azF`ikWmxR>E^ynP-9u)4~zjsa!efd17lEiqv
z_a)}me#Xa+?yQ7HR<IC9AsAgM$vfr^d;HaLWPrHqXaQW*t-Eu9f?%EZ19-Il_fGlv
z@8QjMK6%CvUO_<2sGa+cL$BQML$w0&+RGwjCv_~piQk0tutAaQx?v@Dcf7mEQw^;b
zZD6wITjVfx|Ma5E*J{2Dj3Xt&s_cn7?DgKR5<pk2Fl1=8mf3&9G1%7d=H$RE<F)SY
z?nU<tpo|6j38I(82;0P2!=8D3HoHo?@R3nYcq^-&z6}ONIJenERsPDSQvEt0oZv*&
zOCd%}!$F17>wtMl{G5RGTRIM<`e!ftTk$Ggk#ETVSyK8+AdKI|HX=6CPoQg8r^d}8
z$LL3hb&!X+O{%G)r?I51>135Nu&S7~?18hS%eJ0Po8mjp>IOaPr`vwt9oie#Ii&QX
zQD3h4Uv9m-HE}b2^3!>qe&{T33-u?s5h{d9q;E9O2M((jg(kOi|5*Zm%fgzgz`S|6
z7l&fPjB$3RL8ZuJ=c#63EIhyN!20)<9Jp^S#<uQj_Y&m<q4a@vVRQSdS{(BN5NJp5
zZ!N`DooBrhqp)q_Q%ivQIa1~JGW4DED<UO!RHZ_T>smx-&?^D#P34EoJTHYhw+(t@
znDH>i*o;vw;Cp&>$3iLt93CVE_G40%T5+Iqu=q_pg-6Q=Ul5}F+;jBo>bj%`kZ!9t
z-%zcPCF7rKWD{9qlj7CSOUb3A*;N_0NVfh8sx$~@2Cvs<I3c3Z+|PIj-`ww3_#R`X
zR$3q&m?7Dp06{@g;EfxD-)yN?DF6HKE>sq-6d(jV+={yxgca_PH}EZlhF@nb+T*6Z
zZsl9~k&ri{!As#_D-^9EM|EVj4bY%g*z;tToKHDn4+%93C`M@T;rErGt$k+ghe8-*
zBtUK#I{;?8(3d2aJ|QdaTC4a^Ee>uvx+UqAqve7(RD`?mR<?8Je;Bk{4lGf=u}5XK
zK4G&a-k)HR3Ne|<RM6or_ZYDHc1;wBGW+TH(R^Ru-NDcQv@u{GO$)@sGC=Iw>HphU
z8gsb2D(EUXUFpQ}yWSO3R}3!l#(I?2OhH~!#kb&AU)7JtAyoWbm=6Yl1IQx&GmrxX
z!*7ofm1)4jXD%>y-60}DOn4?6w-Aq2dELMKPx0JLgb>-f$_VvtoS;IEoC#uo7(Ay}
z_tbsRA7D7A9o<XHWO?j?Dp-+=Erk`nD+_XThgiN1`BP5t3REZ@b5qhZf+m#Fb@7Ff
zHs?PNo`yp{<Y0&4=*drLvB1)te@1zqkVrsw%kyb>!C@{3u*0%=X$NJfirljT=ccd5
z<v*7)nD`uC@wD|rk{{Cb12`D}v_7+v>WY7VTl{Z3t)k)kPIox?71&P=T89fEsIYA3
zw2{G5gQ=r$q3^LX=&pL}yfHuogTn9c)^lC{9=ROao4Fmfu=bI>b8B6K^Kfml8K|g;
z|8KKJ%l}INX9rMWY0eK*NKsu+6&O4!Ih_)O)ol59<nEaHgc?u0XFtV4#H`<t_Mnp(
zSA)zFy9_KKxTA82f)T~kq(C8rA`m8R8#JZGCX=fNmcd;+$IQ*j{j0u2D8vZl1l1L)
ztN>g7Qre?n4OW=nMAeh%r=};O`x`y$F|9wl=W%x6LBDIFIJ2MMnm1STT%8uEWiM7U
zjwRI^v_{eRjRFH=@HMsn=*5AaBY^yw2ksRH5<Ro7E`)#y;w89n)|^||i^Hm2r3rOe
zlW3NhTashFIv;qPhJoyTTYqGB&tIXOqJ%-v=6;@cdw1-Da(zazS7Pq!*Qo9ldixG_
zVdUr~&A^>L;W6WS^+hSZi{M1?ee;=2wZOIsCQ;Q8Tt+WM2?%8b>OWs+;%<4`p&KJz
zXB;f-6DI<>SzAbN7R&Jq;&my%iDIdwW!(v2QGE4Sjxw4|=4h1N&ho;=Wb_O0DbAMv
zx6{uVksg<D1s_6REWT0U)_Oxw99K~D%mUq-ky!_C?TS+6>VSV%AUsY86|TVOF5mNB
zl$AsE{TpDS?gWj&U|A$+BCT)#K4};G8R~n$hBDy#pLoKuGCJ^!K!!so>E)Xb-kIm$
zSdHR|<1uX&x@S87ShvLTVO~xy3JuB^^TfJJ_W*ZWD_X0L2l?@QfIk+PSlw07B0)UJ
z(}zrt?}*fP*Cx3jT(xGigKHB=MJ>pmzN}L12he&h0GVwK1{Or<@^qLU+FKNXZ6bLL
z2(<pLQt(#zMg075Xf}{zV>Y*Fnm##{tKHe)A7?gRhOF$vMN&vS*0iJD>6LWtlK@K6
zm?97<h)7rca7{B^xqaNlM-zDOfKa1{{`=B7-*(Vas}vNOwTIstR|Exr>6L5pg)+gQ
zs_=^_@F-7sBnJ?~U+$(f-nkZY1LUQW=Ocky<nKxMRTdN$Etx3JhrmzMB{o{`<CAFH
zpL&lS>b><6Yc&4$%97b3FywaACZp^Rj0<LmhA*OZcRO%wcD2!&QJRmY$2rrvG*eU6
z`-w~s)B648YnH3`L{Gll`!TQ#;W<M8_DekS5WfcDPQFFWFKOan3u89<WauU!XzNmr
zq_eA#d5~|&!@$7cj(U;y2OG#X>5SrW-2RS;6?HPVWSFTmGP>u*BCqSvE&Q!XlA@D1
zjW>#Q(s5R{{E3zG&1?;pj{Bn93>LfdHki$^Cm*W&TF-$VFnKKHIovzW8AEN}GRd<j
z#WCM<Q_1tt(#Z%|s0}$-6<(w9NT_4<oc|P6(z&_!?CLyThob0tQ|L~i7XZ7+zYC&x
z8`UK+mI!R8IOzPCDU;=vP<p$e55r&BQLI6+MG*hB#2Q2@umE?$j4RxXIi7Up!}hbK
z+YR?uru$U$RQJ3s)qc06L$NR-b-;ApHnF5!C}!AqSjhO+ZhCbcXiy2r>E9Gv^qNmS
za~3dZ#C0lI2hAOjz*KRTuL2lJr4lo0kq`-pYTU7lN`ElB2bcXKCaYcP>>%;Rt<g#+
zi$Q-%ZKI0!OS>2#DKIEj&gIHcs^Zg!N?rq=Y~YQVZ~wTE#_@5NJ3m4}N_3uEZxppx
zYkCKWB*f<e;1%_!?YzTamir>8>ZXaJ9O@~bDty*C&Z}M%*b}XV$~Z?;Q`5XK40ZRL
zS6k^FH9&Q&4ps1!8WWY?A(;xI9kvC&jscf5^n_3~x-<*rxiJ<U1))oE9vz6qq52BX
zl+epUA_Z%GzM~uS>DlIS$B4x||J8ZXAvw`9>F=AJsaD@$qcztKZRFeF@8aURos0%$
z(Yw1YP6d<3xW$@LyatyogM`nTbOP@fJGf^;orH$!F5lYT-Wq>o^#@s0w6?T-<8`>(
zUgN%{YzzuVw|Mhs=d6J3{O$@;%tJlA7X5Jm#<nTIC@8les|plh47@fC3p`~ii3zqM
z^LakAjqakAW#tsbsE>6O>d9g<EsMk3qwvb%^=PO~<$f5fVSPz`9oUg{b}z(3o=UpW
zUpu?z#l_~`#OQeq=B_&qo&T<AE+Q795nT>ogLTxWd-<jrRIfwYa=Bgd?FpzNJ=Jl~
zMBJxxjC2h8!ut1NU)Uz?;B!Ws5hOYu9m+BNbm6$X?mvhgPOO^Ypf`D08ih1S5XyI{
zNKe62DPS7}a3=&#NCM&YRdJUUb<76d<sI)&esTTrqE77U5B_DeIb+TTE4lI0HB%r~
z1kO<bpxhY(D>0SW`x>i(@CTxTh!;fXYRZ6bX4n}gc7+=~^{lCWyCt9R)#c<0K~w#-
ziKcITlbeeiYMn`{X|JQVL2nqz*0Uf%rPlo%ZZni~eJAGaqt1=uwqNewfPr43uS{p`
zOkglv1=KPZ8f7C277B_KF~ck`ggrl7m`C6?67tCt)xKw=<Hxl~7Qs-D*y&&V5Yk_%
zXL#@}RKoFYCdPMF8$0X^HAzH)@b=6~;IUMX_dc-tim%!3Q2Y)Q<1q^txgKO-KL6c8
zxXu>e<InzVm_9G7?)M2ddW+krPNE#t3(MW|?e!CPVnZ%CsKKP45e1UXj`QeU5JY&K
zLm$y~REa<+Kn6X){wxP{Xa{bn-cjy2ZtQ^?_DXm8wP^PZlAGRfv)!ovK7l(A*?ZCF
zbLSng6!c%NfT};HESdt<RjS}Vznvyv>=r?4c?q@Vy1eJ#>Kp5PcD%%EC<|n=7y~dT
zol!UfZ-N4EPvgrNwH$zuJU~HwZ$5y_Y&*v$71@*JO^{ELPm!<biIoR3*=!k-yBibr
z?^_M>0*@Jz0|?H7=OY_#3kQat>oRw?v8u{G$jO+Sp7+%6MgNcw0fZ5rKcw6e165cG
zKe=9sE>zH>AOsJ9cWqb!3V^}b7h?v-1!^+27{yL#1gvH^C-}B*fc{`!d@r^P!s*6R
z=#gJtB~AU%O1wYz_f0+~jAoa21h<or9bF?|w$W7ygg<T~6OM5iF9#NUB_L0RGZ0cA
z*Z`akWA;WCqL^<6bPF^nQ;Ex^jh!V<rAz)U97cxEPIM#|cG-M8fJ(B5Nm_SE84Z%p
zl#Gsqn!A@Xl!G7HT|Ep@tK?Jk9fsm_zW^jp+t(7DT3IZL3JO6vhP7k3>^gyZc9pm5
zHY4+6gxo%pTYI5p!EF@dmy;u*Kj5k{Tor*q6~O~8LBur<x;s}rbYBQjvLziR4&WPh
z$bk)ymj|?c0@mPTtyww%plah?bg9>%;wiywd$;hktt>SPs{!^CMTOcf*}@Hv()nA^
zxvqOcfe_%&PVP#eBUe9An&Wt7^E_52VjBsS+Rp4fuaE>~LY>dPjCzLaPYqbc8wowC
z(4QJ%_7`hu+u%x%6FUsP?qXw;9ZE0SKhbH{7(i5H+;EPT-}qKu?=id-h6hD4I2Dgv
zH*LvS4Nr&e=)=CgX{%OWP;n0xR}mrvl-u4K^S|*CRXZV6?+U$a*aH2UG7%O<u#i)+
zZM>8*`coo}682*Sjp&rF=esH@Do_SS923VUibiI6-^Innn!3XXP+<`&fg;E192#f_
znkO>u*l2SCUiIFvf$N7@gRlMlSwq_6bL}q|#tqir*&Ot)c*xu#%l~lbXvrey^O1o7
zY8`r)*-oRKv(iOaUYsaNT#_?QCo+#V9_``(5z{}lZV@M+3Em}(9(qyd<@<Kj#PrhM
z5^s$rL%<<+m1ws8=RC(Zz)#<#O#KwdH8lJ*c(ZFbp=0tstQUL0?=)=p_Up7%tlr)(
zACuPjeqT@C)|f(X=O&#?#%iO);{y|CPei_)IJrF7TK;V%fGnSlQT!`zu~LDA>ze+S
z$jP!O*1PN;8l1BflG|@8r-{62#tgZff#9bN@FmwE&Sv=DJE3Ry9`fLGmNF(Yzj=&9
zAfXUDe#d_X=j`40WxP2-GtKxMBk@db@-mM%I}Up<+XZWUceecfSpITnyYX;0dXe;I
ziFcizcV4wka^US$@DaD{y1gE~_A4zRDvDZgNa2^?PvH&~Bgx_i=~ElQp$6W?05&k+
z9vtP?B0@aozrF>jWGK+4)WjX-c9WOk`4DMJl!nVWAJ^I`yqnO8O<e?Sl9RKVt*8F$
zT=B~uR^+l5su_((hekbo7<@b-GqH)MF$fF;QG~C?v<nXB*MmCoNeBgCcl3SCeC%i&
z2xVXM5bVV)dGq^<b={JAcAnaM#CxtwNJhF$jr$N&B@;Y39k;$J0J6=Rqiph<cC-I^
z-oKkvw)_##<e0;x93$SQMOER>2*w}bZ#$_MmuJJ3c&}qj$~sDi4Y{_KdWBg!zN$&1
z?B;zP2gYf+Bg!UN88GCEU*8YjG5XN05edWFla<ja@;N!awV!$~LU|w9XwNM~0`~h_
zGd?F@-LGW8tYo9O1E@aQiP^20B=fNL-FoJSl<xbKl3R@3?@I?P9xjUzsf<zny8BI<
ztcuR(yBA*&Az)(6Pj7vHwnWIdCg$#w*A;l4kn5-b=WGY1{Zlp?w<jl4FDqe9LCjZe
zTV9Bp;(AFR_6SybA0fx77fzpS;wu;W;Q#0&Yd}}ttXbOWuKHfY#I9;N3I!Aj0dS=#
zZX&ey3!!J3XaK%+M5sy8a>>h_F|mlPuqE_`H7CSAipGk)0&p9D%Vazt?t52vvCr77
zjpk)DW&$Y)>0uHhutqYbg3xE5hsK@HTUH?L+8)V~i^t)X=yDOtPZ+n@bsA9E2Adv&
zRwLOk=>J|7FtxOU_p8W#%bYTXSsD0T^CvvlYZqxePB+F*uM%fy54qNW4|nrgT^${z
zN5GVgg%n1V-zo;cby|6v0Df)Ez@0Mn!Aiptx~MaRmtbNQGJ$k~6=(6rfQxVVgUno+
zT!Oa<xasmg$Il#m>Y^+sEeI|1t~duTk7lgI?*DxSfw;~wwb}=JpC14~gQX%Y9Sco&
z@Vt`<q9;P%d!%I+*N=Q19gVGCZwI+NNKmq+PfShYnqu|rYX>D-=cDV7kf1qxTT)sI
z=`WE0I;lJW1@2OZFlx-K1JE3%%S=8;4xrNg$eCa2`SCuF{MjxE_qh;`E;94;84?HI
zQv{G5RHZ03z{saw1nQ95*1I~FKqJb$@_5}M`HL*owuu~NwO2K%<x6DFVP7f5w+@n3
zF5?ff#hMe(8p-5rbxfkq2Qy!ishADAa9l)(p7|nGF7t{mc?LwwBFD#8g9;C=ERxS0
zka{vC{(dFMeo3AHp0xvPW8Is;tk5leAMV5;_5|+4YtyS&uL0rC;cFx`sfWQ2PWiUI
z&qRnZ@jZO+q>so3cB|S=v8{>YN4*({6vsVDD7?GdRS`XY7|$#(qwXi<CgHLYLj)}5
z57`u6(_i0HEZi~fq+pV=jXIy4$cSYUdHe}IJXWijbvZc|uv%9$(Px@B`63+r&kNu9
z67_Q;Zz+&QsO#}4fAb_Gqr?0|VfjLAa!-$JVKR760Mj*NY~fOI_63tA$O)lcUMUi1
z{Tz6O&|n2A>h|<oq=FO63%#Wx-(aJ4yWW0TbiuI6@1qFx9+X#4jOD1vmLV1n;Cj|x
zYy<MaMZ2l*mq;OoeOckrq>hVxc1}!LmxO{&|JWG3GpakPtZZeAP02i_s-<OCz)rsy
zcv}qLy}NAIpDJW!$H?-MT161`#e8Li{l|C9>&WjU($`FVN(lsY9^ZU1nWqP$ehKu9
zY=ANZimwY_O7N-sekP5va#pss?={XTmWF$U@D6C1EX?EOpTmDilXOP&X=AQI`gjPG
z1YM4{is2R3ATz$+SfFy}))&z#v#Wi`=r+T?bu^?m9P<h4%!{lCB_K+JUZkKM{Xxw6
zlSDEPBL(Bc)yYY)YktQJY8%}wR)WPC<CA!|e=IEgV%y2ns(evD_uN|D;056Pd+{ZP
zJsp<}d(kle_bbcBa_Ow+zN${JA1J>y)7}-UgV?b@mjqHHI=NDwg0QfQfXY>G3Opvx
z*ZzI3X-pWWst1R+a8qT3fLPZ^?Dy0s){v}S-b?*G4A~S&=8i-I(_z}9yK<V7U3VHV
zpD}~KZw0ROjSyl4P^?bZPfHv)M@Cr(KQd3$e?ziVwS7vUOI=e9o+CMAV?3g$O!a<c
z0d(m=iy+~@o?gbdpp!r39ZLY<UTYY)ao`;vGR=*uje|>x>QoS92%>J3#E<jW&m1?%
zW;_}nQ}UkJ$$l<)>QxBWRt&zdt0V!=)w?UhZW|<Zgen_eRP`;Um_k&JwoQE(4g@i3
zfO;yM#g<(Wx)*z=Wdr~MVQB-86Q@qy4bbDn=aDZ&T6N3*Ghd<|fSEHFF4u={{sm9}
z;MCe33lgaitcyM^OsucSS5|=L7ZT)_ik->@f`D8AI=>+Ba;SI=lv0nKbdNMBEK)%a
zgOG-C$U~Y8u5=#3UI$a{qiYl`Uw$Fu!J)1B+UR>>eT<;R7t*gic}9Hye#kqb-|mdJ
zV6W4Ph;D0R8BMqz57yPb79%bv_-hE4--LXV-mw;grJZISXwJ$V3~<x_Mu`6^U_h7!
zfMymV5s*Xl6wBS=?uH>ZzqMP7LaW3Gps|31mNTSXFb&o)jUU;qc<Q#~N(%H>pm17>
z1V$&&C;Ww-A{|Xf0q_CJ<(DNTp?~Nk?uR$J(Zln#>fC|wo46+Ju?Bo?8M7+ZSWr&b
zh{?x_l*+~XEZuY8iV$?%(+nCElBfDlEGzN?bQ<4<7=H*ND00RO3Rr2x>9$B}mN+k;
z1t_8h{A%U`40){Ow6H?((QLZ5TKNs&(BX_wsraXKK*O4Yj23kZjD2(TD>WYK={e2Y
z>YZXQ`T}~8j98^9uq^-(p8fpyc_A3Z+fX4cv&jh^2H`S5eH`mzIW6%tm{S28^R@|T
zjmfwr4Yy|+H16md4(A;8tSEVX$()hLwkdB~<jLbapB&S}Ld>h*99UP~_~yUO+l??3
z3RScdwX=9$@G+nP&jhgUIx=8Dz1som-mS5H7GfZbHRw%f_uDnWRymuDf9*&aImKz`
zzML{00C>WtXn(Vi#{As%NK*+BT6xRFG5OJSa;w#I@6cke<AXa&Y~h;%wEG*Wf|oWj
z3ha^p!H%6)=0<D2EiEnjakX4DZRzfs3tZ#c?SL9X0QHT0AbHpERRLLwfmzWGVe|N2
zjO9%hf-wk%>L{%Fhe!4GRzIFwdzDVwTPSt#PCBVuLWq>n(wNQ#JK4FkaL~$nAfs1p
z__d9t$bIlhv8_>So~C{0M*0Ky??*;$D}#E-*~aG}x0KcU6;RZW-Fw7NyzHP0i%+Q~
z(>l|OV(@#bDa=4o`-BiYLCCY0i+{xG_8Xl`e`vSA6Zv4B<pt3d?-GR}PG=++t9<3w
zs`j_mUIpdxn_f)OU+K_Qj0Q`*ZO@$ytRd!A>j5WFoFL}YN|SCczK%0xL<G{pW8V5Q
zpDotFCvC&O3L(j4fK;WOmN2X<Jkd8UBN`js^$vc7S@CENy!ssM4%c3T>$ri-3W-}L
z-k6<=TO7tgl$aWbw{=89m!#NGaD@$T4>MBxWw!UNUFG8>y{ZyuC&;SMkVOmc)v^fl
zjk3%ul*TEbP4J1mn=P7OTr_{6=;Y)y<pD?>u$&cx{gCCPy(o3R$G9vZWZETls0u$1
zaiuhRuz|fufg~fognn-UF9(_Ya9D`XQQ>mBRMyr`;_`rOEjCZiFzN@!fy5o>%}12X
zr^JTz?B&S!!Y|iPMIB-lb{J~pTW7n?L*iwcI^6)i(NE1G&v}zRLl`j0cR|*IboJ*z
zc98EdkI$;pnzt176QIi-5X}>ihznc^F*KkosSRiysutADN|KU8?`%d<-xrB)9pPuC
zd1kyA<TU+O|4cunUBL6pLbeW_M|Gvnr8~Cn>&LsqB?g`vJx<i%1VUtiGZ8bay;x_3
zB?CX&uTPc)p>Agp@vB%77Cs`NAHN0FNsTZccEu47W4^<}@c<CGLl-}@^va;Rsw{go
z1P+PwUx*jWlOR6z+?R=&>ru?4?vek}L`-RmYwpAB_Jd4UIc650X_1j_U)Yt53^7p`
z>D(ks#l>B6{V`|nA7xB(*4??5B6Kq>jY-b<5zfV1mo|rvoo;t?v;6+qfZZ|?M395<
zgGOq)^hC0;F(F{(2SR|fy`nf-mY~Qx!Ts(>5)e0*jQ)oo>Zl(e;6KDI)_Sa|Th4Pn
z4dCGq&iS3ky}HJ?u0yC8NWo;sI62B8boZx4_WcWTAoUJCql^YoFsDcm+zV{XXZ`sE
zH=b^PJ1+oav81%u)$z%gn7b+Ix|{}P-7zIC69SAuuP<Nq7Yu`FqSe)^vh`!If~6OY
zdNfzCD#00>zkv|tpFSU2dz1^2;G)?KgZ<Q-$at<XB+Cb0rG2|o!vQ^uW$-KrrO)&N
zT74f-JZLUgRpD8}_!RP9aq6;fAX*L?z?C6)c)j?}!t!C<fE*f>&RWOwK1X4j!aiHV
zn_CGd`n>uT%z!)57?1iFDfV{}4fB+y$~aBOxFSonx0q{ae4YWoF?pq{^8s*|X-5o!
zc{3HUZc%-Y6Oe{!K&9#+I1(FTDoabX?!2bwgt!rDlNtb5XbKzO64Iv?FS~athRe-;
z)!#4B&n+w*_U87>^o3<WwxHtG0J~x=S<=8dBs01^xTT_3Vq@Q0MyDb=HtJo-WT~m7
zL56^WC4a4huIVi>g&=z3C2h_{`W&_TpvBiJ<P1L2{{;@?2VH|N@bZ2CZu9sag+&TD
zuhZC7g8><T)pgpdJT~^};c9st3{PDcYWUqYX4u_leB+cy3Lno7bcvCf?+;|+q<0OW
zCOw?jM2%~g;>9f)3&}gys@Gd4#4N*(3qtE)1&L3W2O0%Y**t)8DI2#F1XEh_Kk7{Z
zUxk{~e(F(^^pU^5Q}<2ZD#yPtGdR9)4=>4~LxCRTTVo|}>1*&7U&{vBGvxnQ*%R@a
zb9M1c8PuRvR^j&k{I$U6qf5>6&}@v`pz1!vBxkp(!Pm!1JG)%Uke2?VUozy3%BFjI
zR4HeeM`A(9ax8->=0EX*k<HxlZEx*|HExBmT7q^HA`#a|>fVqf(hKUZth{@qB_ZEH
zE)8r=>@tp>J_lbDI>znm8Q@OXS*GJ8D09=dNGtn6JCH%1LpJyQRal0yyvUOdfbSN?
z|D%%8(g1t)|2QrL0I0H92nyd4nGN4WToydWFa~jRS*p;<FnZA|Ala*HkhS7d#Zy4u
zRSJMGUMA=7ox3)C93BThK0<;8;bK$U$yA=byRB9J{WmO1O*+pfk1PSLLsqPo(`xB3
zlwt1VW#XeQ1sXb_NE1T6)cOfKHLQV{iF&m3VX<@s;6q{ru1foy?D_ERO*p9;dSZZy
z9E6WXNVoIk8&p3y?mgL;-dsPy)(c~*QS<*QN&jdRN?;2`WnAa(sOnscFt-=#4N|L8
zyv%OI!<x<=X+jwtvye_ZeD~0gES(XF)5^o&OM{wVB^g@pku)lDPp}GGIL^2hy`}H9
zGsu2-KmTN>zGG#yxI2gHsNCnoyHpam&T{;h=!EUiV2W9NB-7Ch0nmiL9TwvKFF7ux
z$}<^arxo%Jai0?KEG3eSLWy53elTU$cs>CB>_BFf1i4b<yePW7m@{RyY#S`#F_fiW
zk5w653wh*^);Ku?dP!h}xo$n}@bB_`kk3MlLk}H!sUp!^Gsi66v<unGuaG{Q5eYFy
z(+%7akB*v+j-J<mSzFc#|7RWi?M>)}Y}-I@0vJ(tm3LQ9w$)C|?B<dO72Ic^(<r}5
z9=r(P>;GRvzR*&H8R9{|eobv<Ma%gQ?*>}?cbu)Sj7puCWdNlExW5MdDF1}ZMaa8V
z8($Ud#ABqqs`Q-)wJMR-d9~M3ng6npf7BY_+)hu&|FKrrDv<{SsZis_u3|0NS<#zW
zrYZ>{Bl`yjk><%GNL)5Brp<?A8oTC-Q(p$Y<UsA@hje?w@sEVX4lp>uL>4`mt-aKt
z_%~7ml+Nh7JPK^+&zi{1_NL+XuemgxS*63s_<Xeg!)otuGd<%1`IPU6U(7!?d!6Gr
zHkdr+Rj*Q4UM7QzNMAWdN~=BeGT=NE9As8w`r%bCJt}Hw6%pT2Gd#bL<5lam;)Is;
z*<GnVsk8rqPN)-88>&Fwe%#x=Sh45pq{V&e7^L|o8#Z^`y%N5b;rwL}oQhw0FbKuq
zIXY3tRBoMuPe;lH;(^0syB6SKFuH#`zmKUu#@rfxB|HT`*`PRKhVtjS<DMybAO8wF
z(K#MIIWTfuh}2#j>wb5$GXP#b;izPcg-Eh%J$ZSnfWxr}EoOQjzOUV_HGUo;0Z`P-
z8+wQTC}y%23Y?aDx}?ZS2ed(&)!2aZn%{frsmvj~oiJE4x2MriX^~W#^XsR*w4rAH
zgrpM(L(g(ur*{rY28@Ek$;5hkG?y<BBL?bhZXu^J8Yk>FGclR#hlK9CgLL0UN9}Z<
zV#VcuMDgbGnzlr!Ew$*`dpnlfJ{Xh7dcO22=6jFn;8Fw1EP$3!vbPzyP9p8TegWdE
z8$v=^tB2VD%MFv<)iGv&f%HeaPPr=_H~IXca6e1jl^{JG00(6uIhqEXf9g*Ol|fI_
zuK#%Rn+?TfZ}BTHfWiVoFW##)kRhV@j2H=3Hz?Rf4uD2QBklkhJQqNG9DU+Vm%P1F
zPj<!n=9}Ptn!QS&tZ7(U5lG8&EX)yo>VLEyLgZUC@?NT2w4%kFEt311yyz2GW|7gO
zF<SR6@oHq?cuVlX-h+G~E{h!+x(ayWdrD2}#S&s$BcOHBwFA8JqH_s2DwSz1;$3fq
z-6&ujn>mk3v~Aud|4O~uB1A5XO`>15t$!s)Ko{-(<HFaWs4#kgHgt+)nK-1oXYJ@C
z57Q}Iy+cX|U(F?3yqQ=>e~}DPa<Xyzi@hu88{;3o1=ikggYyE6C-u@NThhHY+Q1i<
zd67VSHJW1mNR>PaH3@phPRemcVOx++C2Z{$@qTni)_Br>MVbSE&2b0K5j36U)l=Pr
zmDn+mdx~<`kBRhCM?%tq_+Vn74v8G->thBuT?8ae`}7$^I82af0i~5npP!iC11nNQ
z{}=b8r*_r_;*ukLy+lV$c{2l#2%kEL_pc6ofUL4&%Hl2`g_aK1uoo<k^WT+uKL_Yo
zm!sW5t+ZP^xuxvKinueanZh0xjWND*dHQtfCW(=mT#mQiVx_-JjuX>v$k*qcyRu7%
z9h+e<0ftQvoeP(f-7t#>LJK{GTAd!REy9vz-+l7Tw6$1zAKxpx=+=d?!Z7X?VAp0D
z`LbP4YI=3gCj>RFEBvz18RuwQr7_e@$I2`f-ygWHauY`AO?_@%OLyJbTO`>hYHM7#
zp}u=c2ydE#@M+KXap%xh-Qg1YC0{(Vk*9Xtt49`@iQe@`1K-i&=TO&vu#FxT`-EHM
zlp8JQj&Jx*>=jFgKevlx@?u8y9FR=A46Qm$Zz-g%?k6mjc5{)CA<{dN*5AL4j(@Ut
z^Edx#B|7k<%>UfU*T&<+W%MWv+4^<8EmKngX-EVdC%}~fIQM&MZeOmY1d<7L8jaR<
zphv3!Ex#C#GvqlJs0GYgi7RbmTuzuo$%7_=1KCf0o1D2RW{yfJqzodTY^Uw)!LMCg
z*mA`7TG?N3AOnjEV?w)H;QddtsHwfy6${eGhYdYZ<mrbq^_aYB-adRm#PRX^$<)#I
zPb2K0QLNEytfZ$)VmHvKc2yDT*!ln(n5ZNK91H_jaG42(Y+-<dJsV7>x?$;0L6<kO
zV>rE)MFiwVI8@c~`M|GNtiI;GTmb9{KY><Av8Y&yfBZ8A0v5w8Qiv)o0%E;zzjI$-
zusmf~+*Q)I|FD<Vv%QMT#IEj87720W=T?iolBRZ<gl>yknHS8F;h#gUaZ@*Em2!QM
zQFOUABA)m&s(Yq|b|9wi15$I{KDz{#MzbqJd-tN7!CT^$a)vWw!yjBjvGcGiPiB5F
zzWh{H+}gqLCJwbUcDSzQeW+7nYO%{YuI-Ze(!=!)ed+YEqYD^;H?d87AeOwp9#p^j
zz4x(wtjBu~Lsz@$qhT#|`RR-4K6Mglb;DCj;@ibJSO&8)_aUpey**0jF5)8;J3clG
z*a93|DGwJ2f)v~q2obRNBhT2X-%sZWP}jYB^O@J8DZIATBT6OM&-mL?k-NW!&q|np
zvkR8BXkQ_=Oeo+wW^AVjR>5ps*g1Q$mKULL&X*{vIC@9Iu?<ClCrh;@E#h}F&jLV0
zQ|pO9oV_~@`CBvnj1#Q4ZN?L{RvqI3-V{sME(HpwN&!#KUN!Gc${*jq^9yIlyxFwy
z*|k`-t1mNfbuB+?PdK_~S9u?Z;2(@6ewO`Z(gYK}@pE`fjtVfNNkrx!MygU-BxZr(
zauX6rI#@*gVj=z&y*{&_Bo}lk`M%5ni{b!HA+UX}pFF{<A24B8dMvrFlt6@-;B&Y0
zQVX67WbZi9%?>y^`$F3spY11syRS^ObmDdY^r^Z&p<Uxrd0(u<#r-P%=ey$eaprn1
z%+V;l#~bg?+q}V$$@`DDl)ax1!}d+ttp1WGs)=XpNi1@$m&0$rQ_w@&@&U_#7zqZv
zkxd)samydugpTp$dVO9Ju$N9g?1?_Ikm7afB4KC>pTZoOCi+B~GG^C!5lWl8t^18<
z_WgWyaMT^oA>9^-3@1~mD@!ZS$x-s@pdu9WkVWfT&JD)t!h5<d`lR3EzaevG9$$zS
zPY%5j3U$Zf@t;<xQUG*ol<;{$qT+;zU13Ii4#cS2$x_WoBIY>7<j)>mpjdPF+a{LQ
z4pm<O74ITR70RD^!TxyB{@X`sY$ix=j}cz5KiReKW&;xe(?FqK`iVmNh?Wg_OPT5_
zqA~Zc$(uZrMbkr=thZ(IbNFsJqo=9vL;^9&O;l|m?Q-%hyE}ISFK7T$?Y3bcB^4n;
zR_?8=5sZsNM2C#C>Dk$na)u*cf7+St0o}^8aQu5cGws`7#V-l?i}*~2e#Vz@*;rUh
z5f^#wVQ`*!)pd$lf}gO9F+wCC!Q^H=?uwthR<<Fr;`IdYod2bB`5%J>Ggc<oXP8B;
z>$|Ua?!+?uS~RRaJg$6HXW_mcbi!zfB^VpF4h}aMo?O2r?VjK1*;}(S=mq~#+aryC
zU?IAqvrwNmQy0WkeAKJ+z^YYPcIt4ggF;z@0?}m~KBeTavLKSq>na*nu1Z1q&P@<;
zPEe(<oJ?zDqV_%^aF+Wl-V;*i^k!E)uAjUY0EZ-hdgJh|8eqI|pBfRFIQn+o`@ro>
zvQ;`c((ScSOrc+4g^)j9ugRxpD`{e0w}JoY>VseFGY$Uc?qAbY1kAf)YFsMrTlB_D
zF76BVN|^HQ$$XzH=ZXR+DITHH)R+%1%{%5JV4TM51Qcbw&C=H4jtTY=-%<mc1n{Yb
zLm<&vlbhy|BhNlRPy9TkJY-}64oqu<G=BMe2}Dvg#wqV%w+(u;zJPRK(r*-Ep0P5D
zd6M`t4GoCLliy|Hr3w@k*Kcu&^lcG@>oyEu%<c152!hYz+)60>U_5f>_*O}|PYGEL
zljsJQED;XI@9@>mhu(X}(xs~xS=O<HwsgJzt)lf_pFN{om9cv%Z+;~Ny;vsF-`r(=
z4#PvGOrLC+rrUo!M~vlJz)m=TOhw;Vb}){%=1fa9fuhUqJ+Pp*F?OwlWC*lp@;8Gy
z(~Aef0`*cMumvDe-~5Cl9Qz5kfhZnKcTy&&A2I9TMvn?rG+wpE?*uUpp^J;=&Yq=N
zSuDgOMl%h)v^G0=w_j4nj$Y%d-41_f1cXVNT>Pe=d)Q_8=K@)qyX4Qh3MmdKM?R86
zzY=y)+}o#77F%v4GcVl*!FCYzh+=<1a<=0bdzkIPNdeu$%GewlTT5i%{*@6=(bpf`
z!w>t-%`0&8+sW@T%eRl4U+6m1%+O{=5NYBsCitm~jIpLn5~pzDOiACZCersLWFp1m
zgyhyFP6UmWzL7%AE9ajY;8BgN*T__q8)!1IQuW~n9DBbz`>~wQa;vs<UJyschi=qV
zcb8dH{52l_(3e94_}#W4nnT)xqrE0u@p3*qsirltvE41H`PzKZ{M@WNvQ#G`I&3w=
z-bSOn)w`8n!?ZSZ_CNxclzbi2ZHAKz3$^P~C-}wf0dO`f-OO}(DhE{vO|qFq{5L$-
zcw4v4@Re>79RXQ6s>7|8+N2O&-h*NH#6C$x-IWifBth_bg;&u-fz+|$cCX##Y0c4q
zK8*!X>b-+8?(nPkZ^~DKvCRuiCqJ3GZP8E*x=7YHc6ROU=0~4{kLjz>KeQ4X5Cb)-
zS1g$f3_T(s;p+1tDA*b@0RZ}?L5+TVl(Qn|<GbjeIsnw<JE3ta;d2?~v#Av7@lu@F
zxsJg#vcxf3R(>;=gV{~^tc;F7X0@n6H<C*5tG7E6h`XE_;1Y=;8p=n1#KCzWeukKs
zbf5;c6htz5Hdf4-c%I^D<&#KLU72itc49Dgmtb}5*1)v)`t^19+W3Nl_1q6Br1B}R
zb-hm<2sZXxNj(gs1v5e~>x}Pg?uxIwnd9PT?kBMAIbCM6udi*eFPJ(Z)jK}kvmJMz
ztX+LU`}yO=<ZnLY6Z5)Lo|9i&@}fnfYFBHj=q(JE)-U#$OL4i&sE!<-b;llJ*qPV8
zdTB`SU3eFwF;{<fv5vh*IlOzJOa8|XR#?<_mkW{pqUr4b_!}|}kK>@y%ZayqeOM!X
zj8MUj3zPYsz=iv5NXyg@1D~4M3!JDi3kqc#w1d!XHqb=B0TQ*C(W_o4>U$S}Y!EU;
zPss1?0q~+bdh6uS=Oq6K!e(+FmR`%}@oreEKZ-uNa<b)fthV+1p#Eg<#Lm26MrCsx
zl8bF4k8AIr5mb3mDG?Oh4{`?~;^*4CeSwGHPM#}A2=(#fyeB5L&Y<|}7htPv{8;}A
zB_S1Mqn6e~7UD>@JHZ!@om!C@2lZ#il&Kc#;0WRX_)ox=dKj!Z#(z+I-t!xUhU6&g
zl%PjHgFO26Go7@3km;y_DJGV^B4h>Ra&kk%DE5(zM?ue!0Om<woojx%0MeN%t?Y;S
zo(nzufjR1Q79n|_VgH*eA#NTP7f<iSh0~gEER)^nx^d*^Pm#qps*C5#oMa&+dtvsR
z9F?Me4vg)d6?hM@6W6!9#5kXXsHr}eqjCy~IP7$htozmMzu6Ch8o`(m-tz9D^$_5t
zIH(cm(2j&HV2n;Ym~T1E4!c1js{P&adLHS6FJa#xxJg+0v-1Nx@c`bF-jl79HYiyR
z&KD^349Y+S>l~1X87H0OFdR(`ZQ{UH>?T=uOsA%znK>M<oQ_LpgBQC2sum+cgyW%p
z@!>t#FY(N1r&vc(wUsk?9_GDfd=5N9xQ(@{SB7p+vqZPEJDBQrWC8ZTGhv32<DtQI
zAaZ8-CHn1Of$Cr4j}#HES?ZZQaPEIXLQrZ$d|14MECe}2=(4&{iNhOGhMRZaaR{}&
z>2g9t2=pCVfk%nDEv#dtJra*3x35>2+{&wyhCCO)xzOdCzeQT9K*Vy6;*%5Lz}Mb0
z5+Yi<=-Gg^pldU9a21e82$$wk%5DM1!qCTf&fiVDauAgV#}G@6fI_4G*w-N?OiNeA
z#a1vh9XXJJSR8hs;np!;2Fy($7Ydb<TFbC{8Tk*L&%?v2BDx$6;lU~7Ew51msEuG3
zxL&PC-4CYm%ffd0={3!^*_oM~<rEp^<2g6~@WOwIOki+<J%YUT5NQV4$W#i>X2glR
z=D9xw2(KAtC>xMhnd~qiFMCFGTm3b1V07s*g#WHp`Y#q{W;UQffafa#AU-S31!E>2
zEcPbYmu*45DW-UteQ-jhR#u7@_>}tnkDsXs{F}PhQL*l?W0^0>1$8US#D3sBwX^LE
z={fa6B8)N9O6k*l)KktGqynpf;HKye!PfviN2C9e!mQm+T~s0OVg&#+J+VTC%K-$F
z!p=hS4ayhB?S1~*VKe}DWj0;s1*Gp^-hU8xHQ!Cyv-<%A484O%JVOqL88<*IOEtD?
zz0Gsj>|`C08$ybB{iO4Gn5yE(Q+6>V1kmHhR{_fRmk8%1l!v_wz+)A(=pn`B_*GBt
z-KGKhaz*V<7R9Tl4xx+xNiBybf(}nL-fLIa%F0R$!#Vc<0Y$I0%73<~{*XHH%WPte
znjcVkKgQBqzh#y;U7aBIKHHze$dg|?XvqN+`~q@mgApx2#3I%ONc`2+RiN|o-uhma
zo9aQ1c%Z*U2AN}U4a&u}!``HpuhDIed=K9Fq`Nowg`(5b#2L>Sip`3Nz1mWlHzkJ4
z>`TioiE>K18~tQ_hZmytQPrWP91BnLdIot6%3gh4JNnr(B>=$AYl`n-%|JRQ3rR@o
zvjl<4WM3;DFcYzx$4`4BWPy5w@UQd`D|9!6n60tmY%s|}8JX-`!D;V1t9)5K_$+ot
z4$Ehf?&+NIb1vXLfT!~kmjw+ol<^vJoV!v#m1nVULa~E_3|b%;6TLcBD^3$*JZgC0
zPkYV#P%(2H)*L`z+Yn5oyeq-Y<*}@yKF2q`pEEI4Y&-nLB6%h1tE;zyYA-Qw>xa^Q
z0IgBJH<P;{+}CE96+tG|<>dT;sF8|Kz7V)>AfFZxcmgZt(L2>Y<ojZ@>jp*)40QR2
zdJouHVs54o+z3XxKDbN&5Po4$`~HU^?e}80o?W26n<&9;9Fj%izw6=&a#@h*lvjFT
zUefzJ3QnDFDjCDC@pd3}HjtX&0&<OtPz9FEeD_x0qb5rI{`nr&%n}bW#L=5?bGp4^
zEFnyOp9I`()e5+|<=ZiIef37^vcG1#NfELXxI9Z?38WN?9jBs*3|nA_lRCOW;r)R?
zS}xRRwQ$}x7v%%^x^s#|8svFn)8gG?U=ojA(?twq`JyXhL}t+4thv{-;=xj|2850g
zc$ABA3ghI|YKGiE-KW(e97d5t;$}Dg{AUvm_c$$^aY72Y|I@ClTXf@72EDufZ$9<d
zIwYyw|FAlpFISIn9${z1ig|{-@lxRxpJ&hNsS_%<=i!!NGFi|WPFR>@YAx8wTnBvW
zpx>L%_?%;1l%63J7RmR0iBxK0;gw2uu;lF_<VD(K(9422szzWAB#|tNUJdA_K7A(W
zbjY&Vd-LdAFN9BemlD)Z;k<hF%KGpal+n*em=~I9jJlo{yc-lUfjKgd6qpeB!GuK`
zQpluiD;^EY-SsQL?Ie6;`=LzVHrP+5j-hM564?nmGs54<<C>%z$Kbb6Cq;?3VCQpO
z#Iq#_+uH$x1Q00z>k3$<+%W)8?BRrxTZw0K#m<^X<o)UBt?j_s1|{c`Sol5?l+p-`
zkCw{8b3pMPQTzGh;a#D-Uwm3(Ak`7#9WZC6m)>mu9+(9A%AWuL5_np8O@U24pv$SG
zuoFbNrGnTI&7p8z0;CQNFp4hD$|-}b9KtKdr3xXma#g(y<da!dTMx-=2CXL2W0KbT
z`3xQ{qw0YfCcGudUxjX^^I0eF%`mu}xWuE;GP*z3m*4~7b-QNvIruF!;H-rlVXOYg
zs~R(@e+fVV#~xtHPLGsB)1@3w;H9pVQt~}}<loD96UT#&{Fe-FyaL%SB7bma2h2(k
z)Att7!317)`@A6L!juA_e^kW|@FH@ISpW3#A~^d3JkhAh1M7@o7~7FId+m<hcf@`E
ze#*XWeBOs}%Jii>g=^hrlD>zD%rJypbTF(L_ohkoS>(tl|M|mPU=#lWZj`a1LN>6t
zWa-Zo0>Q<oh<(;m42VsxHMld0;#!O?5+CNf4(`!{4pRd`M`5Vg;Y8lvXR_?B`3#d$
z=5GLgQ!yfxD3B`icgzW@O2Q$C@hDLkO;=8+j_&Q;5&c-(9B>mZR}FAEU@}s%vqGo8
zl{4GQ`Z0>4iqUNXuZ!(7U_8q=!)F~Gy^1K=X!?KvipF2FFFk2t%*HZw+s|QaJ)sf&
zm)ck_6-2L$$kZB?p<wzT@evn~5Vu4f2k9j#@6hyyUuRfSNW{f^<57|-iB_^9<&Gru
z(m&RHUCTtw478m9ZQB_nSAQmm(BBt+O_tr+VK^6IL-`XU;b4C)Zjdr{M9KYqr%RD=
zq%#g|yo}@S^(4i|lQl*^+ILJbSQxu_(`^b1$p7^kyceOF4t!J-ba?eW{z{&Y!>CSQ
zeKwP3eE73x^SRh1$0Q=ZHzI<Fxh`IrNx5Mu<AV~GSI>98*z4Sy-)aKEva1W?E~DhX
zN}ruWnluDVyG~SPsIz2|mw1(wB&LG-JtZ4$&z)1oekFzYg#LWk=m%epgQ}EyWwf!b
zgY@kQql@umKpB7f1RtMJPJr2=tZQIapfC&ZMm+o{zdQncAyFsh`lAyH7Qget^ql7G
z#1+MeWWVr7a#WuZr+UyEI8=M=*>HtgGCE?iW5m?392G7T;jN?5t1b-X^d(YY{LYax
zDq%nxGB`d+U{Q3zzsE1%Zs@2v5&HI+Ls;(lS?FEU1xpB&KH+6$h(&j$&bwPRg$@-n
z9AQ7dwnA!0XLyrSNkizx(B@KFZZ~oqd^5i0A6);R!tuTku7gF)j3_TzBb$t!-jyt9
zzmEUu7;m`4m<XxY9Kn~61AQW}6Gjjz!`{yTC3WYwPrfSYU9zz#LFeUxK3Z;IDZCCW
zRfDU8*8<^QF+O}3KXIcUnMc78RnV==9zXRlXZR@+AzH#N^W~E92)ItrZv_i<!L2|#
z1&Df%*e=z*de1nxzjZ%)>oGMkVmkRhRc9BHYbw{tplA``rk<2YCKXf^vK?XOdXU5a
zPe1xs*k@sNT71Z3wf=v}-ycCAC`*8`$?H_{_NS8lM?=OJLf5H5{a+$FP)q-<rQ*{V
zl7SVFnTFTwJw^iqavFjUl21$5U%=D6Odhq$w{8ofRt%1b)h_+f+(q{PLuUX%@8Zft
zrC>1=4siI>9RrV4`0noRE%%!P{~Z(rBqHhQ>{}S|UxN(Xy}v_LGFy#iiT+-U1~^b}
zG??m0%0>a&u@j&d7!mnO9kH;4=&e@q!Qb-4!04^3U{b^HYCDYzjOB_uAyftR_o>%=
zSsE;fkI5`RK&bf*7($~6n4a=qZ+*=W@%lBnv*+`_p<0TZRLP)EKfP0k6MzU-oZQpX
zizC8&%!F3rtG#a!?RO0X>`hi_8G5eXgr=kp+)9OpQ70Lp{_|rBqcJ0gNdc34K+4hr
z<Wn1e?47{}mjEh&RpY002ZE_ZDY#q^xz=!6Vpae&i9!qW^0_zoa)b|98QI9iu2^dz
z0Zb$CLzB>mu%1S&)BrA;^wQH<-=!3eus5?Q1f6fr;~;_ATHwk3T~Ev>lju&6CcWss
z^%>vl!;s~eF>RQou*g=hbK%rX;MvN9B#=Z09NSy;&SmtgC~<U(kpvSkJC{v&d3+x(
zQ=|K{F0326(391!g7SzNN5<o>>p*(8Lj!VIa4$Vu5|Xc+8w+t<==srKSkR1CGa7`_
zpoMx7VU8sYPzwaZb=IMf3C?8_bV3uEY&>o6{_3<~8MZox8eQ#~MCT?HR!J6oDETWx
zr9MIz?ozgrB0!W3s6m&FfRYEr`Va|XeirwEw!2Fb%ERK|;o(_yWIDnXXc+_>3-Imz
z?b0}bTYicH4+c(iQ1Md?$c=bu{<my7^hWRXT~PJqfpM%Lk*AIb0XgAxD;?7~Tf^FZ
zVTMWmtmVHs4B$fQ3Qglub9uz)%>eRwx(Pv{Rba##_v&g2WNgbLU)>1a92&Y4dn2=Z
zz?1>q8apWf+^LSq4^IbkKtTlYgFs%z$st|EJgIQ1qf4&)2qIzrpn&|i8#S4kGLXeA
z`$2bSXlH(u=11~x%PXuMG`#PvqY(8_par9ai;|O5aTQ-_s@iin$SI2k{|SNtAl`D2
zDEEIwtFRb!2g1Q{jVNc#P%Pg76mrU@6a_-NO<USP9O&j)>%SzvZmxb0wCN8d0BBGZ
z_|rUhSFU3u!3>p6F!QJ#SVqmG65Qs9oaW_FA4L9JU;tcHU;k!Lv`!dPcY=tvSh3KL
z4%6XyB-Gm>hf()6fX@*m)7Dq=T7&iPyBR{s(Sa(TG(Tt}y;#osKcyZ0A|(j&+zCD)
zHtYoPudxfI#YMtntz^ay(-$UMQ~4&!Q^T#V$v2Qv;lc@(OFSxo9z!MJG)wM(q~-nN
zJ+%gsO-c2>p#<MY-LZlSYZde4TlCStm>>Tfr}{hS<8LEv#nN%GgBdKN$^|MN{bYa7
z#1W*v&GYHkElv}6shwZa@CkJS)tEqizv+0(UmxY)KmXZM)Sd~FD?E0rDW3(%=sk64
zA*HP5%_|=RCi1)l;M4y+(T3j%oMdS~hRa_4Ri6Fzo&yf=Js=V*ZV;F#umHWgptNbI
z(QF~644{?Br%5fFK(oI9Ca70>_r4d6u%QFlX8&L_=)gey(Q^9)(ddUDhPi8{^_FHB
zNHwbB(JTA5g8;oO*xG}`TVZUXfd8HWk=E)K2|B;p=YaIO6U>TGPJCp4&2vyoJ66eU
zg09Ww$&(m`BSi}D=GLgzzrT|UkA+zF0vPWt!h{n){;8Q)8wv;qGQw{_MyT2>hn8&#
zW8wn>ikI%kpDER1o&gP)kBoyLkQ6fC7xmn=y(jIIL-x;f7OpgPFxo{KZQXn4v`+w$
ze~?edBY1PhpJLIVXA6vMj|KTxt(2X=XiZTDxbTY41ba$fmPr5z`#b6`@^|uBh7|Pm
zgMesb9xXIghzDaz7njec&afB%y2v;oPrY}mf%GEe-#X<fyyyQ4xgsC&eJR|N5PkCf
zO-XrqHp-&sJ*}=0=YQO*OrxHZhR_H}&)t}W>vt0U;@ajI;c5Df|B9prFHrwK;@&(Q
z>h}K|u4E}?FJz}OQkGoV8EXp_Qc2NNL}lNJvF`~Lq3n`m3)z>kT$T{ZGWM|##?BaK
z4A1$|rtj~2JjZiC$9*67_19I+eCGU|%lmvUulMT}agTlCgHv;c7Zfyr?g{7$I;k1~
zQ4jnWXP0-35QMexg-I%<uN{7P=EtS}1*|sbFGJMjO^Pdq+r;i*4}Y)KuS}0HWfT_N
zGoBtDw@#PgwdY7cT?+7&@oR9aMvVXQ7IuyN*EfIf%^jrYe*)_N@&$g<jQk&ZB(Iu`
z?FGGW(2aXSNlqO7s~vFHB(&f&3soY#&d$YWOf>o3Hmr}nIqhbf{Q0p%M1gg(fs<Co
zp^lj+2K^R#%??^74wjrB3c)1IKyF|_)XGo36%AEYpILx#4&_#OlMi8Y+>NONp}bC~
zMQ`4ToG^`ybcR%=J)X*rxjwl29N2NHN%W0#o<a;XktdQD6giV`rIxn=<5=Los}bVn
zK|nHc(z$cSkmhE)BfwEVL8f+I3-qqGbDnDF)jP`WZEPx8j58({XDzzEI0O<<P`*oz
z4B-BMmIu;`uDTpidRXV6!AB#L2o`3~=&i}d&*B<}+1&lA(j5}Ib+kOmrn$yGAqExs
zmXhUPuv8SOt>HpFPFjKACs!A!nI3*^Ro*Uf@M&NLO0)BdlavZxc>Jg1r_~P37v)=Y
zq!DD7n_>wv#%16QE<M<_zjic}CBZIy4OjvSDz7~OJX`Td&%M@ayvbq|^B>sRL9;aV
zSg*39W&6V68uFIEMeNk9mZbK9c@M8%enuqg%?}GLxIC{{JSQXaE#T4LiMIQK%PX&t
zY8Fz6`i<r!jkMD}MTDVVqQTT83cfK1oXM8}!YlJ@Ckj(m2Lf^{;0I0k9glXYaZP5S
zxg@qOa>_W6kq#(a%`5eBm5;ethjUegRV&N+QghX<#pNgkGC2=cS2p)b-Zi?e9pQAy
zHXr%4f6`Cj;5oG=N@BMPGxl6k7D2z!0|gnlx?Mk*K`HgJ%bSJPE7*0c_sItk06taX
zU}RGhLmoY(6U%;VZ?8q4Cj6-jg&j)qW*}3_f;WHYCF8(rLxqf%<2f8afyez{R~|fr
zdcPBvY*#b^xYMaZP?l7X&HKm;jMZ;$pfi3Vy~;8(V+LEVB34x+0+sgg*M`#giEstY
z7F8+YfwrC!98Pl(m!gfaQCnpcP!n?K_cIAp3xF*ZWmz=rm!8Kpxo$rtHMsBZZj(C+
z)-DpV)W2pfgE9)I_VpiSWP#{3U^EvJt2*<KHGLG<bu8sU$8ZF1thkrbqY9~vn$<{n
ze)XZv$X>c{$Oh(aC;Px_lZCYVb-(dxY+3~P!%8Y$hwkKvu3}1Z`E;>X0`OH}Lq39h
z>7Q5Gaj+KD04W$iLT6PT`%b5mtoria9&LHKp2FB_2QLQ7JRf&cq+l#f_mzmp?w<FI
zsTT_4NU|x!P{DT#`}ht<6j(67lg7z5w6Ah7CXe??;|ScZhH+mqij;4J2}?a$KxpyY
zE`GO)m<a)(%VcTj^!{?_6*SMO2{9OtA8y(SMQC=9tnJANP*?^3K>++er|MTAw0pvK
z8$HOsS!W^xLKQz*m*sbt<K^`Yr9dz0pPI&RYkQ708MsRI`%eIN2pT-NhMIua(uw~s
z&IMGDu!Al`U)b%qBWcgi{||KMF0=NB><hXXM){gb9dMVY7)@q6f!s0-%0c5*cJa^r
z^a0k-hI|qT_IPy*+z{8bb|OyzuG=9hp{)nB8#m2Vk+nY>YqE@hjx25>E1`lPE)m*1
zeYl$F(8jZn-t6p(OcXKvMvBAsR4nK7%)M~9Z5TPYQ8>5&b)IP5=)Zn9Ep~It+n(ne
zprmQ~=^ZfG^Def}oJJi68~vjol>PW08F!<5iCnLB+^5?49$Q(_ciuQ=n#_Coz=2(P
z_7k<kG8@WvC49kt+Whh%V)r$!_`z<jx??-F10UR&Tw%~cm(bdd7(@X)Q^fvV>umOX
zdlWm~j9Rgpz#xfH<E9BjN*Q85>Xd5bI%R<cC%^!O4(ntT0Z^i4A4n*_<<saAS4%(X
z4~wi~NPV>4U)g@f5O5djKpE^`8|(CEH$dh((t$d@jn`$R+;o4Rc}_PiOZQ?d17*?|
z5NSdom;<OxTuqbO*1J{qx&Dx2jcD1ly!%kPQ`#g}t4qpaWveZpDLGR?2pgy9dc&-J
z;_mwwFQgU^ce5(c)ZM#nh>{AKsu-x@h^6lS%2P}&g0z|OnV^%3fVDeGmtp2@O7!Lr
zeGal~Nv;iS2Q7)*8@U}$+0TUt1c6#wiKk)b_7_>HQW4fC0@O!HaZUq(z^^8ZomiJw
zw%|fKLX^QBfgpQpYjJ~V!-bo9i{#ePhw^IIxqfa%%YT6T-u7l0=11)M73JP?9?9R9
z6;;Z;`f%p6!$A=8_B1<-F;iNAQkSxl4QOBxqP?6eb>E-adVQPF(-}a?@z57`^OS^6
zo|n=>m1x<3oHGGep!{&Zg!EzBgHH=54#|Jzm0>t2jeAoW8_uh{{aWJQISOa1c5c~6
zBArgh%P@{eGTTu_6Bxam<bA$iMb9=%;dk)z!uYXKo)q(`Z=_N?KJ_-o0;6LkTm&}R
z{==Vj)p_z~-PgLYb5XsH>$#s-+f+^N%-gKpy)Z0s!0XegdRH!&AzpqBz)CXSX%M)N
z=9>0V6VT7;we}mqeQSM8YdiT^VinKMYXXeK5OW<0d%z?CGzUjt10*UO=F-)aDgabh
zJZD#Zu`Ps=ybViZOZNS0{H4FJhG*Sd?&808R=nm^pIm%gpTny<aTG`y3M+HLV#`A0
zBTr_w0TVwzm^y(g93yFc`2kOUxL9&PVW`lGPtbsPtvh}d%lT}`Jz{Sq;r8Ww!)rO5
zx=2*y7`8mBVorrc+Qg-S{}ZCuBEX~dsUMQtyBv+>qL|gp4%<hvc*hjVq@w^X>ex3R
z*ZZ4jyoSePhP87K<(5$pUobt8Uc0v0{w`iM;?rY%Mb!F!%D%U~LJAIEUOGH+LCJ^h
z2bEI}=sz_PEH1CExXSUlEW)d(_Rti0j*8fv&67z_w_Z#2)sGbV5{2>dvYR!!`5<tV
zFjgMmY}k|I(1sDVszByUmpQc~q&Hzg#$pkKJkTsuCEn~h=yflp9h<4Q+2%tc4xs(9
zR}Di5eX*e5l|knSh#l#ECJ}B0md0X@gQ8Z}2NL&t1(PxqvO(PO0jH;u6#%P_fqlC?
z^^$`VpArMJ)EB21k#DLh4J4{iJe62<Abfo*ey`v6@Eh6y%KOU%IZ?GBhZZ2PQC>NC
zR(^YF1t&p@lA((k^J<P;yq!<_=y$j}&$%HL=+>(Bmm4uU=g=ZspFYlMTjg3G7)MnO
ztmPUy!N<zaw}NQ-)O{$N3V;DMyTk*RYW{uf)9m_r>)G#kX0KEjnF65jVYOFG3mk&|
ztpB}RIfk}58C=tH_P_yYmg?==*f}}YnjUuHI$zkyLqRCAu`%_x3X0}g&(A>XP4w#4
zo~|4B7N6~XqSolS*Jhzgwm%AWCLd`LekXC^(FTc&bG$*p<Tl$k;T}_ZX71wtR?B7)
zqc|QoDh<oc6I04F`1V`bVY`;tu@Rnx@2V^d<f+~^@4c#5SH+v<j(RbqrYWx4bqoKa
zwiK#7WSSx<Un0>Vx$g3O$jS$_0{?!$OVU3tw!!n_zoPZbuC2PZFJCZQM^;wqF&i!L
zsIeHV1!6t6Pm<1~@KWa?W`7u;`TC0vxpncROBdrtT4^>w({zc1&N9(&v+8*9^CySP
z^C*<(uI(>S6!>Rd+nBnz0ti7!8@2F?-47_UFikY4o>3Tjswn-bHE%?No=~8U=StTO
z+{f5(+N$gx_1w_bZI`_&R)+WXU^<EhZ%Q)IRA!sUL?T#^(WuQ!73auwSZOUXh^l!l
z8r_7ceJQZ%o<nkNkk5C$WjJ;E_%*ly<3hm*Wu}_iks9C&AxCZFr7cE($8Px3gAn&4
z<w>;(b8t<8Ufn-F4Aexcqi}FDR+dqRa@RJ6sPt2}7ey0jnoyj{IW%|YM>|BYiI0dA
z|H!yRh2izYMFfxYpQ89*aW8%yfu5(YO#;0UUL8L?7uo+D4~Ps;gn@_xWEEqjZB)43
z7L}nCff7^NSKtnGTCn`j29ckR07w@`nkFE-eR(I8!jth38tkX=(ywOWpU>?)w)<b+
zjbAJ>D7H>&fP96=%qD<)4lz@zMm`^9kKLl%5n6g*jx%s)#~VJbNB{+SY@sW-j{Dv}
zunyhcX`k;*+dX$0kAISd0YxD@$N7Pn-Y~ECl@%3+P%-oaChwu<U3lcb3@1*|=<uVC
z?=YtcSh<@P0jB@GK8^2GBZjN~5p$;TmAYAEPuWe6rSs1mu0kWv#Mv&V(0)h$JEzL?
z4+mwKssG{Z0W|0UN8h_^Rw(}jmGThbgUU99%Ux{76!yluoEdW6d!UlXf38-}(FCK?
zoQ%*btU$kSch%iz7t2po^dXF(*yWkq))Z^HRdKq4e9@{mIp@oFQhcOW43;8?TrpsG
zhv)Pifh+>qHRkh&BE_k|%TFf>?;J93>Q%C9DW0(!b$d8)=53_p37hTgIMk&A3%}?#
zWC7@3Q%SIz;n?L>n5TjZ=8^Y>EN;Fg!0#YIiadPddli@h9iJ^#r?*~>e1|Rr#tCEU
zxr%CaM;R%GGj<Hj=RTZs;E8MF@WrmBntocy#<-N15egb;bUr<w7jV8ZZ?=fAdo5?J
zVJw#If36qJHq~E#l@w1Tbu(Y?@w&0kN29!TrJ?LBnF@XZxb;^0<>-kyC;sxb0R9(*
ztlO6ZmtD_dD|0USoWTk6X|!!LQ3<|92(xU}v(kv|^Wf-W?g{vKYLh*!Z@0fJ?8m3^
z8T3gSc^q%soK3J@<6fC@U-kNIv92_qZ!zTlMSuH5FD~;f-mbTN<iTUtEo`rYoke6`
zyYjZI%RAFO54IL8kEpUZd>WoNO;wE;6O8i|koHtUjw`(fRS?(A_9!{AFAH)W{gDTB
zmYaP@$@}FkNqMRfL+BvF5c2u$d&!aMIhwAbOf+uZtBcJ?h?OzOR!%IpJI|zo^-NMx
z0!UA0X-=JsVVE%c{&a5PORO2%xS6OHc=iSz5*t#!I^H>y*E+cTeTQ$Y$S}yZ`qCP?
z6;AEEa3PT!XFSByaX||?B$K>IV&?`eE3YEWUd>6Y_cn`4kk6Z=+qYgnHAd&Se^9Ff
zH^%Rj3`j4XxLwNEq?w04tbRFh`9hx9r;vN^(pr3lfKn@-7Sr0<i+A;YZ9p?tP%yXP
zIu!GfXKAA6qhnw)ovfV?8>xI%+2}gkeVmwBBi)mHpU~Nr8j4BphK}?$4we|@f|b&8
zG<yLiccZ`2hDvWfSJI&g=SUJ-A=6|oaKY_D%E!_pALj@!tRE8}s+De0l%qh$ZjL3Q
ztYXN4PZubf6)4QpDz^HV+L@F8;hp_deKCPX$GSI(BYM@qKYFQ=ugGwEQE^nETT$-4
z2*G__S$$0cO>!qDRBsaWnAhT+;_Tpd)s-vTH?<cwEnE}i@Sxqj+b-IHNq$@R;a^8z
z*%`Q0lmxi4^#dH)H967Z*6=l<^4Nx&7AC=UG2mbMa=!Qq&r`nScvNGdCDJ?&knyQ9
ze|Fk;Y>_JK&5S?H^3jNGAxJ>emQzJ>9V(e!v!%FeUb{LyuVw9-e9Bs$f?}q8k*@~@
ze-zxe(6d=xnqlfuN<pErh;VY0S(hzG3XhU$Dz9RZg${QSGfG-6hF(T-%xfE`Zj7|~
zR`OI1<0KafR=C%5dQS&bgiSR1!D2k5EEf)_60ZlojC-+z(O`~_yT-rb?iK;&+fQK2
zrP@_=AJ%Kw)r{1PJej<8lB*i^%DTGkZIOj}vs~JKc-aQ&P2?)(@C}aL_rYt3CYe$w
z8)&QPDO^m)GSs!4{9+hPaW`<(@MVWE#~Z-Ux8F2=e|N)5RjLxZmnf;UFDB@_M0+DG
zPjJdwPNzd$t(nGIwWToKt*ZU~ZFIJ)rJu;5Syi52&EYwUq|(9g<DYmQR`7hw$p?^U
z9{ZCd{pTw&G_IJuhQ6*cM0NOa*N{!c0eth8!L6%-58}tD@{uRimQ3S~DI)VslgHy+
z7Zqg^1av1W!xSF)!)CDhNgnYMEvE2d3&P5<C2gB4JfpWQ5@p$w$yCHM<GS0P74UNQ
zR=7Gn0tAem5^Cx4c4058W*Huy)OZy5lBa6FNSF9il4^ey`DP+Wg6y33NEMd+uXciQ
z%I<B6svM2CbQ*NoXW1-0-d~w45XupMp&T-Y$Y^e-wx{&=wjBynq0pXi_IFp@L~3`R
zA>_Zx`OHvP?qB8Z?4de|hc&214hE=E6<Y>A*!KeSs@u#}l|@QB7Z(i#P0SR}*=t3V
zYr1KSdxXxq8Z{quf4|%o=7NoBBuHtJ2MC+w;sjKA+nsEW*?_WyjlCwt5Bjd1*_{IG
z@=g$S^cd~&JKMP=7@ARw`er7{62zVy9V0k2ArriVA?_juEm2m2s1PwFJ`9^_b{eYU
zmAlw-CQ61O^q_#Z1DkYg)XMyDlIfm_%J^bbE3?%iMuNB19Bst`PV$6>=!Y4;V8`;y
z9tsJ9gpzdnURJyVp0l}%l+LM|Z#ii<gObW+k(OldBTe#PXE8y@xH`I9%x;EW3@41f
zp^aOSt(Tc~7yNl?)Cby+0|)S5LTzkXY`dC*6+ZUP!MK%uPrIj)@Vo^VE1uplo=Vgs
z9*|-|UUeAZ3+`}g%cWiO+mi6$h>^wHvEi(ww$I(_RSe!Jzjkc*DyIUa8CMkZA_bE{
z<yf~-Z&r?fX=SeYy^~+49|9Q6+Q`@Q(<LM3Tc;xrxlP}sW~m??rO~d9SQPCcMiJR&
z@1<QBrY+TrI^w~Q!1al$m%Kt<KC`EqZn@l{K(>|>^U2G`anHo-e)3BH`8g+ZlkJ+Y
zNO*Bu6Q;rQ>=6C7v#CpxQs+{k3PR5jBY-Zj2xh;9_2qgy?6^|2u)ylhc*;YJbC|ww
zP}X4&q6W9D8WA6U9O5R>(e4%?2rHhK1PatiQrD-aMXTs<Xm|j#qtRK?#9g+IrLA>^
z=fQR6=Z&^pncQ+xRDhh6A!a^d`L553J9R5<3|S_9^UA|Eqi=kH{TGI88gTTk@Y!6U
zv#ZH7yEh6xMC$b!FG*(gGEt3)526jZ6ZA~B%Uhx%I$6`~AG(19Tn4X3#hAx%@AFG9
zKp)Y2Na**adzi2?6SU@HzsQLZ+-*G}r*nUF>Zl)VgK$eI@d3D%l>!mj>HZU2qHb3x
z5BKUH@It-ir~X*5QF<_A%DtbR`H*(-0~J9$d03`WboY$}s+Ag#mqoEc{6L%glbDLh
zE8hbK^*ZCFN0_4f;?o+1Hj#c$Wv=9mnus3H5W$2U-@hf2FRh*Wv9`o7Nf!lNlixYT
z-6^s^KI|{4slVz1gC5)G0Go0YlqZAn>D}Epp<lkvr2lF7L5u>4_N>jQm8NcoRXV2b
zgV?WX#;>w!9@ux!ekb?x`I?UCZAt=HnDNBD`2mn?Qxw*H?{>RBlzip!qxBp3GPWas
z3aLNK5l2-cjDOXS4P~(s%TAbW$`?F$Sr)OF^@k--TTQzhh|k{8=)6{dVM<rzmPfM6
zR*Ax|8||ni@Q;{#MFxiS;IC;HxUb_rT5j8HD9;OC$AmW&NKO!&I3jUnC%Gb=a5H!&
zMx8Uj;RbQU4`Lw?5*ZO*+wWfME0le~l5}GONAIp<V!s($dY2EV>AbRXUwOOy?E=q4
zten$T(920Nch_yH&Ojl)%ptOyRVCt15lV=M+fCc@#>|8CE~RQ;A)>p&);#4#bq0Do
zvf*Yr+MHOhx1G|3AUxtwzcH4FHiT=aVWhb&X-rgdX?dD^$rTot^~L*v7S2Zo5Ka67
z&_2@_q`C6BRKjVSV}l1nJi*?-DN~^Mt3JW_KC!Z|Iw(Wbpmn7x3-iLt0+HN(#Gn1(
z&^^@6)dGgPg^ts5%2cm44~rjM<)YDPv7x1c-Ry064wiN=SarY*zeA`mc}i{Ldz47)
zp{ni3&EB`D)6Z*BiG>GrVQPS#!RjMmDdkG$<;{(no>IQFb}jyzYD9apv+dsVlE&Xm
zt{9ujt#(dOGNBuLR|;EmE+kYdSIQRa0nQLfuDZLy*RLifHC5h)ha4==ep#enyfDO|
zZuOR#@iN#KH)wY)H;{B6UT&_0p$MC(aN3+LJ9g&{)-K66DgdAz0m33mkqzZf$pu*v
zw_}1{!uyS*+`5J+P7GghvDCL7v}UBRl;}CHbibC)sy<jsq6T&S_&>4Y8uU7+3y|XN
zPRV>4TV~!>HbOFLLIXvIb+nHn4G#LA2KnV1;GF3H%DvP2!Nly_S;w_n$r2^54LKS3
zW4?lxO3Q$K5|S>v5?2vHjh8f5_8cut_wPHblWA*`Jmq7TA_%G}{aY;o!%Ff!QS8G3
zt<E0?0oaw%(NXhiqqwc#Tn0yM^zav)T<f7XY)I^y-1&>TYq?;tPciSF0gmL&fSjYO
z$?F5*pl^7-g*hwpJJBKV0Tot<PvaKN%eb%MtTeFdz${w2J~JsbA;W*o895@ZKRBtO
zg_*o%8s8uz;)R3?g`g7k`xs?)PRJ{^NW0*&ifkpWSj)5lPQeKS1yxXsRSTli8AUL8
z&lUTSj)5+?Xfb})gZg|8FeUg&FY@V~x$3oI4lxdM=ycUhHv$AGEUbS$`uRg7fX2S$
zJzagahH2ZD+o|Lj5zvw_`m6cF{6x@84~shFtm)}i^N~Unq(Gz?E<*g(@v^VdBNyFV
z8vX@0(wV5@Hb3J0VV$$hlf`}&g%2piewLVjW0^iMq{b#lpNBnI2-w#rx&->$vvNS;
zblM+A{A%Rmb!i`}HRbRuE$Bhv>XDO>v?Uu;&v?mhFEcXlTkS5%7g#2q+e9uE>Woha
z^;#U~NLI4OR3IG@`8U))Fm*Zcs@e2S`kfFT(gVM%0gOWC#{d|pBt`;i_NYTRGjjcJ
zD8=?X3B?;wMD{;$%^+-GEn^wYvzgp7wa(>Gv6Xn!B>DQ)k!JXZ?cr2;08XX_#xMgk
zw9a&8OhC+^{WtUsQ`aCF(jT=5Lz!)fWdhcty5*t`c|*!wKRbR!-yv=*c{>2czV%SB
zQ#7Vm=%K+rb%2@&vK3!GJ_)qN#yK?sX^*s4v7oUxX4&F=O@JG;bL&ry9G@wo5^+eP
zN@V#Zn}&v?r1nCpY`oeKtGSOdJD{JW`uQB<>SN}2!yBNxasm>_14X(^nwpw-?|cOm
zlUD+5@m+cu_&?~WrzTJh4D71<NImyUM@1{uj-D>QWzx3geK~f$|9j`^of#+bQ<;D=
zxHDasBLCvzt2b-Qv4C4eA*aFwpt0VQi*3d_|BLD$l*ai8WMCHp@*aKT&mZXPI|Wge
zh+OQgM7j>iRsz~iy?D3fO9diye{vm`rPC)1VxikfgHR{xt^+B!H)0hDG8?m|aADNO
zTU2^sN)6~H0<<F+Ao`pd<~!Zp-6sJ&#Y5yGkjlMsj|&4pU&jHzyf$uEis={s30Su@
z@GcOQdYB^d(cO(`aij610PeG(0`&S5DGm^d)PC+Qwn@3o6Yy&>e=Ea4aW?1?Vu;|~
zQ*F+Y#Vxl4^;JlUqBiq@E-hcq*S-R?D`YUVm6=^4e!GAA6d$B(ba{_ADS6$YxZIR5
zKlq;eYMd-kilMn@Eu%GnSpN1a<qsg15`0ZB=HnB}=KyO&JeZUZ^iUcU;Lh$8S)SW_
zz&)wqOv71`mE65epkYK10E_59=eE-kw7%{7{r?8>J1p;n+XGj{3=L(k=^ZFwOt!y7
z@B^6}wI6bAP#}>8h6>u-A!RzRJkZJ22!f@{&dW0yId2l{vYdLGy(}v?ObQhLz<-25
zIVS>?a|mB!WjcICZ2AS0PO3zJh6Q=k9mFOa%Kd@q3*~`}00N6Nmrx~RpqE<GD+q~Q
zKzs_Wai{N=_f$>5=O4<!RPXE;EzD&3&4_djkarfE_wxTuZwZZbl<(lYmG>S%V`%}{
z9CgeoBFg4VH6idB4xQ5$sUJYk(~8eUk{os44+^KU?Rp~U_c}m7uXp3CKCEg73JP<9
zYA{O-l-sP#dudEw-E#q390DWn7r|7w9V^>=aKN_tObKy^|Gu?v0wT=*A?*n?@IYXF
zV#ZzYaf^x<@L{ZVd!aU!9~7w6KTtI+0J;Lpv!DJxFd<v_bZZ0q6$n>sKlr`kPpTEP
zKJ!vG1G)B`nZpmWuB)<0P)v9mNTXBHfQ6qCuk&Mg>Te%j%LGyYZ^YDbs6Q`s8;Fxc
z&92`+V3Oo{=jNH%pdT7E;2@?qJ%5-}JQ`fyd!i1|I)?UH<^IYpn-}oHa^W`S&EI4F
z_U({z{lvYT;?u~gdUk^U;|Zv4XuScUrq}bYFudoze#z|U!Ck182qITJ<QeXRN}E5a
zYaj%W5MB=ACQIJGgBNB7{r`sFkt5}?1{psUC!x2QadL(nwFB*dUocY=7`Oq0qo~eW
zb|G+mcR~%XSJN>gKpq-`ngGDuF9J%&|9t)~fA_Cv{>>^09pO~>0Mo#iOMp+c5%Be&
zh7fbj5UbYaVgNh>{EyyI(YxluC5GqU0ubICNepR-U<{P7sNz#v9+C=>#ST4mg%%`h
zLW8J4avzXU-0gougC(g4+RpZf%K#k^U`_;bTKjU10uBhu%E_(FnDcsTQ#3yccnIeO
zC<C(6zuDOC60c{5m@}%MY}Xg>gQ+0<{^-wxtl$pH3ygPxm9Gg<u%1DX`p^)6_>*u*
zlWAk#2_+1fzPnt!?NuR+zCx1wHwH1}!GY6EcdTle$~M7qrK&m74rqYQNO^ORM@)u9
zGItl+p{Gklt$^kYV7R<^DXZ%M(3as?qGz0t_hJpz@#tRf3;TK9X+}jzUI9GGJrkd_
z_v8B6&xnABA)ozt*!!kw9#F6*>4z1eg)KBb-w)fAo>t_-#lwfnFz_<KsbSXf6G*vf
z`wOQ4c843PR4|z5-M<I4ffAkk(!b1;Oa2^|Vk6W|)%5B>uHlF;x8v(z#DZvm1^V#i
z&u95R?(`r1M-96PkPzEh0NcRyApz*8Bm!Iz0rWL6!utep5v6&NjL8EVYr@N8*tCxh
z{?nx5*rCKu{FJPdvIqo}hRiAy+oW|aERyHz^CU02EL0H2Yw6)YhT1dE5Sj#T8VPgu
z_>{P~^wBoXT>R}v4@kKZ`UX(4lW|8hDAF4gpAT>s5J4{KEkm7%fRgeQQ+FlP41jpB
z-F)|M*qy6PN_JD``x#add(EgFqj2QsUR-bj+HDs%X7o^}cErqcY-$<zpMurSG6Ai(
zn3G$n3X=ciCItXWZBR#Br3T(Cks7cc2>AhEFO25etgWkSS&0-2aQVL6ZA$Sw5}o92
z>&w3OGNvdL-`yWxTk)<wr)a``TL(!k`pw2UUq2b>Je}nR4iNzJ?wl^t!@z3?_aCJZ
z832qnJmA+XHa)@DF3{?1ZVle^2a-k**D8ea^NtZ*W8yX#^(mZhiFop%jp1QMc`D_R
z)(LURmPSh6=#7y9r{k=itG*ofll%|g890lwvM{tzxHD9Ss@P|Nj*nQ0^#evJ0>JVA
zvJM(MX-P<~%%t$rEe@xf8U@xTgSl@;-xClcQB-SMH9n|0B(*L^fPF!gm^}&{UCYYk
z08%9Plb(BNx+uyD#qCHO-T-72<GZa<!M*w*j(5e)l9!jP<nI9JBw$K^Dq1GQVtebc
zFAP*l01_AYK7b1A@2~N~fF)*l)6?uU08u3>7msG^UE2A!w}j4<b7~`(fzy<{`g8t%
zS*M${^G**;-#j8HEt!724r))%z^gbc_4$K+AQSsbW3}#;cu1iv9jXRhL)AjRt>Fny
z5Q{JWnmcS5^N(b!g6^s3pdK1HI#k|8dpcQ_g<M}yhy?9@^LH%CRhiK$e41-$mmLiv
zXyZc3AZX)4Ar2G7hpUeSR0+%8p_NootJacGH^!6y{0QirHcSAb4yCPz5HoV;4nrv9
ztw9Ge;gAj>+5{f1?hjj@jHBlZuE<RL$>j}Ih5rBK9lFc{YxV?y5ubu2;344P4kz({
z0S^9!u=$1g`0G|l4`N8o%DS?)fDxr-6^Q_J#RXTGe&1%`{`rnxG7SNsqbH1DSph}2
zx9C?$*J`#WSG7A+Kc(=J_ixYc7u1$h;pso7*w(lhGF!A+{=??i?WH^PSkN3n4GX0J
zBL-HkU`K$NUI%daP5{RU$VgQp%Yec|`Gb6&-y?u3Nn)Uq<PNZfUc>vn4zABZZ*8#y
zBkU}K_RI`llmB6k%bxqt2#*REgEGggzCwdPehKKWl+%P@EG2mW;kT2<ow|152e(u?
zC<O8~`188Ew3djNl0~N1W+;HCW|=k*?p0hD(*Bw(bj%8`WG@UUQSpVADgwWu4syNH
z{bA95wg9PQ5SVAtFS!!f3;WQ~E%e9Djevr2=KX>?JA9p#C#$A_+nIe~9jKMGf4hVI
zswR$<s}4ADJ=S7k-|P51C6YPfLlOC{*a?PVs3QkZ#J+s>Brp%q>==0Nb3A!4^G?y#
z-JF)!7=nulfHrJOo0oS<6jN=7x{?ZJL%HpA_y<jE6;&3wSI6}Lo=@!6iQ;%x09>ex
zGaT(E_=1wd%OVAEZ3O#(%>$%>HuYhiu7EvJP%Hkjo8%t=*inPhG5_Q4jSvUi`61O*
zCbr~v$E5_0s~!*nqV`WkYY%|F|D>cq)?#S9U%<f-1Zk86zkTZt+)gfl41A_E^*3c=
z*R?5It_XpF>`Bp8;DzjBF4<Yg>qns1)d)=fs^SHrA;Y^*r&9-Pzwg=y1;e&n1hlgO
zjW*b-h%QYRPd*J|%U9!yd#b_`<*xBPF@k`3L`TZ!3Pjs+5-igM<lSFaVX-)RaKNU4
zYw~@bC41iwp_d<ogEtR~U~;2oJhxZs)`N`h1T;VW=)xWb=wpe?9$pv9zL-n4Hx}5;
z>yBoJfz;BueO@4#jddV%G{2T(PEFfxWETaS*dY|m;zw=(nNjhg=5|)%My`HSVmC<v
zG#cs1KVn-Dkp22+HmUj(AZz6Wd1`ouhkzjl2<Q22lU#t7$ao~eb*|tEqVD&cLAgSR
z^uT{FWO*PkV)~OnZ+%#_{%F8)YY^bRAp%i5Y?lIv1cO@6|3+2+$}uiOwhD;e^qh`(
zYgH+Orb4kK74()mm?h?1`|TuyB<zk3)Q+nT1Y{&GiKYB|_&kUPh0V~}hd-B%_;c*D
z$OO{t%Jm`a%#ZH;_bNLGB8MwaTEc86Ti8p0i@(yRJ}5Ck#O1V^ArAeCNFiJGv)=!a
zDS16#dl91ee9|8&tViX|%xaPn!Xb6lP;^%e`}a47-A_u=xGaAWgw!1%{nBO-)xS$g
z5omW@8m;ph{x_f*Ik5I$m?)vCfFc_sTPUFSlwYi(umxEjDwP+Y=RiG_Q|4vaXKIP-
z15Yu}L@S}jlD7V<yZB>wA;7N#YE*M(Umm9cn*e(U2g-en7>L-%Bpr%nmN!@0GAydd
z=Mw&eAz+4293GpPtu6XO=$34(%d#7Hjlr5?AJ4(!sa%K`Wg5gt?rskZ1htB&aC%u4
z*=Zt1*mWht(qw{M8^k90LMBfmBO}j8ZqA*s$py1GrL{e94?`Tp7`3^abZyaVQqH<^
zDG#7Zac+ezn9HLc!t3R733k|Xcz6F`Io5k{Rk+6;*@?8A)>r3l8!9U_)NxW^-Es<3
zw?Nh$!d=`u3MR(8eGH`T^e7k)o22pDgMNVk`OU>z7yQq7TzSw02+91!S3Cw`V-#p|
zJNC1qqQDZ+4t#Id9u&O|?5Z}3?;zEOFZ3sy4(pt@3ZG1GsS-N?u$H>2e8D$j+EnFF
zHhvq@T9INOb6!)QEO^YP5#*s-(iV~LJ|)@oVh%&j99NWUT?^jk_!|EVk5*8LN8+hm
z91Cyi(WtUCL69)e39_CV2dD;GTf~-p!i%jJpiZskp$gY4yhhEMCA(m(@1Q;pO2Ka6
z=2KK(y56q=tOAu&6_eeb0WC4LbO5kaugwiSHiaI})lfSDc+aHnqqSzN#2Yu~To$Mm
z<xJ$(&P5&@Qp+rwTs*woA$StxsK1eVvs=WID!qP8AK;8cKn6<*cI}j$9Ay+~m=Q5s
zVDaZbMt&a}vTRMd4f8%5t0&G}_d1CTkd<Fk`U_tI+W6$z?UK(?a^v)q-uOCtm0IEg
zIWKIlQsEFs?AvP7i-!K}voL(M?FHTl7~Y|m?1&~%tJ@IIzhzQkk)XlN$)Qi0TLV%a
z*BziF^@I7PW}Xng1*ah!(Nk=J(k2Q%rbXN3M#t7Ory9zg64_4^&~wPIy~u;y6sXfA
zm&U9FLVO*2=lOzZ8Ie9yzF;I~uuU^DOohbd2H&@kN{DGHyrIb4WO{ae1D9GU>Jp1=
zHQ&BBgt@q7bBHW=@Cg3)Y-K3D3yME9Mqt&>d1?PfUs<0yON3JsS3dR&{m`H&-0!6*
zIcaNl`{4q{=fq&^@>T2PG=a&4CA9#f5Tn4*XsVEy>Ag<<J{B#?g(u#YRZ%o}7GI>I
zW8?A~KOb9o`q0@6c_J4BRV@1aJWqMG@8t{9yd>$zkQdItR8v#GelL69X-lg8(WDBy
zR#DBi?6e`WdsNHjS*Q8TG=BFNn4<2oq5j(&UAGrn2jtWvCVI>mCvvvBP^HAoHezOe
z&Wb^a?L(&V`0Y(>PCTI;oAvAjz{L&Eu(vta&(NY4Y0(K6M+m8Ilcw$_W>&%Tdze*d
zST7Mg2U%Gz!jiR5f75fk{?AB<puEuyv5|PKRNh*_>jrI#ml!8{iXEnkE0R12d=s<n
zIwUJDrh0nc)-xMhRn{b>cU$<qnuX|qqjD{o^reoxuJ5*Qymvz0Iu-DGq_#=K=8M(F
zO^2^tS6mSxo?DB04leH0tG!-DlT$Z!MjfxV(G@Qg_D|S%hPJhp_^h!p%iICIP~Uow
zeMy}{*9sKMw*gS58I#8S;nuBV4K5pe#0~#DB~zsH+O5WA<q7XM=k4&8?Z}1!y3C;J
z9;@EB+nm!?CSAz83)Xk3rCIM#oPFN<4JfBdZf)oxmu4`E>w8n<_z%{-63pBx8AMG6
zi7=}K!!+{<h|{i@?Wv;~REjT_QqKasfed2#1j6<vY$Vb(`1q-0>u9|fevb9)X}W7y
zf?*fxiHSGp_}v#rO3l}#WFl4rtZi^rb^#)C24ZWi6kq<W&XD<ZnEQ!iu-Ry$<Q+m)
z^~#{VQMbjp1XG#X94B19!9ceiPR!kOYd+*5@{=R^%2ij?+Y)veSiI3GQ>=XneUW*a
zOnIx^`0I5Ix<y<eow26-#~izrPnRkuJuBrVzhEErE!de=%V5olPI4z1!rL>Wobuxd
z4oldpAI;%WSo~0KsEODaI0H@~1l(mU%>tQli{uAE(%T0jD|?vc9j~eBhqCCX(2VSx
z=Ke%V77qN7MH&yP9DSvgJe!arlH7R(WwnT=&RwB?QxfnJpY%Z6aUDoy=RTk7UoNW0
z^m<^c-@zX#)LgZ>!r5tp<5mn&c8WHmca{wJ_ZcE#Z91X!X_qeCA?vMpk!^c#nZ)aA
zx54Vq@#hBnjy?GCiUzFx6o=}Z+_PNVxH-_>MeaGBxncJzv$5t^x$Eh=`^8>wv%3ph
z;-9z8Ro&(eN!J&B%S$S>wET*5shD#$@x|X}dx1VyT4B<f6DeuxBo>}?ZqvJ$DD;X&
zr$+wo*YkdGK%Lo2mob$T2g3_12Jos!2pA!0gaSCN<eYBxg)C9DtSdj6suJ!FU?XIK
zrJLyy$`11BGaodfPFHjq^cv_duEdj$aet{5*cirL9Up$3W0*VAT9_V-NnR<7X})4B
zf5J5zgJeToxXOx=^>E63yRsDbmC~$*%yycI?Z?82y|)U*wB8=Fm6zqIPmCLpDLcng
zM9YY!Wy*Uf+dBDhv_i&5$ED7~h7VI|`lPiL|9pIVAVKab<B1jlaNsX8p73Q537_9v
zCJOUk7Y)uLuxM}M6bE!~eL-M*;TP_x>GNFNyyt>ruq9QlSvB@3KbTo;_DYqDu6XOf
zI5GRlPE+p;O%}b{oU(0H@q4-_b`ChP9{gd>$<~RL*JlPXvhB$6GLMD^0c0Do^FpzO
zQJh5cg|BUE>Jevo7S{6HkPT|BC+X&J(k3jFRL@{1sIlE#OY;1+qGv1YDk@zEyIgGF
z)3q$Tk6Sng>P}Bmj4}hyHY~^$Pt@wq;t1~_e0R;!Zx+bK<ldDWUgPW|EuQYaV_|An
zzGkN?=i`!p&eX=iY^HECt}RI7JeKOoH{&4wCgz)>F3q(W0X**gGba*;@BzAD?RHIt
z*7}oB_w-EG%lrM9@jRuT`-GA?1r`+F1=&%De&42<tG-9W^`WkJq?%6IA*7ve>X2Oc
zk%}DR>U`CEilMR+fkKNh*#*J|#bV&RowyfWVjW_nRCB<Ib9gB0PNC(I{qrqfvLtOP
zbKne$H6Jj;;_zfv_yzjl$e`H4B-&m%`njTmLPZTjp=0Gkxmym5ABAY_OUmmuWXdE0
ziip%JrIVX)O23wo``<C_!P?$rUm>}*e%!7MwIrv0?3c-~vw8NW><uAzv;6I`S6N^3
z2R2A!jJ+!!)uzFB+`CFXEIjXD63(8E-RMboUf8s2Xm(?oIDj51e7ZgopeGgIMF?ot
z3Whbm;MbtxGvFPhShGB-9>Gv!*g*V*IdX64t8uje=S$-BJ9T|lm-F2<>{wbsxs^<g
zjpI#0ulSp6-vu&(JK!S0v*PU~u(_<I^0vlR2tk4PB;uwZqDK8JwnMeQ-J|K@w!EFg
z*oa#s*7C2}ca;K9nQr$mMi>mKCV5;Lk+*aA=A0kjM03vH>&QtrxJ}HN{WL`9@qw=6
zlVub#bg9LlQjEFA;;+-`Bq5aS%b-HTcly7)3;1i_iA#(RWv;0m;Pa(@=UO%Nb!XUo
zzMtfUl22a<hVl7Yd)d?Xl*K^ijL(<hwczd@0*w*OjxR&a^1Hx1PUxp<D8DP*TQJ#q
zB7@4Ucov=4;CunouLMm0;N@VL6MMqe%dUQIcW3<K8;%T9$Ft!3Dm~x_c73qYWnhfE
z=;>O1Ld9gd7IH?wy?lX-tmQTe#D~Gvkw+Y+-x`+dqgMvc6T&^v&{K1%nK@zQ;_NV{
zU!VZJ@Z0d+YcMFta<R1LK>0QawLSB!a_ZU5FpteKJp`bpkL7RL3l<0(BhCGUzg~kt
zss2I`zVRijM**Sa1yr-G&QO3O@S65avOKPSW~8Xx7{7n}$=8g8$7hQUvKLj_>XL?I
zGB{=^?9;VM7s8RyvC1Ynb+G8fZ#?OETt3&wJkQAiP2{D&R*B@Dv!tyy@(M<jrMI{t
zq8?FeH=-Wl;59m^9^#-p=9pw;*di?)J8<fQGoQ~^bxl2;dc>XaS73D*YMA~WvO3vN
zu-tb0KF`{Hr^eJkTW68Vz)`=$q6XTlu)62h*z{TT=V1|SKX%0hFn@nGxFbSaEj>Yg
zy6>8rj6CaIHTF~9>w0dna^nk|rEOf4VL!G&%3r$_n9JAN|11@<=vacS&>?kefNgkC
zJt{wWXYVl7=={A5tOe3%ub*ar0^cu`Y_P{jodwx6J|Oyv%bWj_P;%^%3#&nqzyrWL
z<sDi@YgIw(I70XLO!;Cwk`bqHC?3jnwP2#ZG2}6@Ry|^*oZl>^8`x6MD+)e|#GJW4
z?#a<sy7CI9RlHUxS3i_|RCoTf&3sf(Htjh9)PN-PXt2XC{<Xtv>N|57{GcBNTlqhB
ze~p`^hssIHom~?9*ItD-HME6kn*YnO2Y-Fv<*zsRzjz{_*<d>K;H$bhx5%AuSTo~0
zzHlmN-KrQrL!V<QpMjH;hbF5F<l)_(>A~|O*~emXxSvgc4NZ@^rI0^I3(SJ>UlW5|
zDQ-}(#Dhw)>sQ?baIbATV;tmi1~L|cz*#NHB>{{1NgA9_gqlmMQ{@A^DrPa-Zcg))
zuVpY@Ka23%*V5?k8~ABa{R)drhP-)?oqK3iq2~6&ox6EYRXSL~^hy0SeI(zSK-R0A
z!NOH|aF$6q;4D{8&2DJ}yLA+scT^|d!3e+j!u_lfj{hJ7`eKrA&A0w+g`}OqEBqO}
zJYa34+gUZfSm_<Rwa@;>3|KAbNIl-M`KOf#o`-*a<mk_j(D(db{7CcSUY^Ch8T1?B
z^!mv40FU*V+%V+qvFyhwIUFF~fJUyk<HsCLbgl9qbVd<eQC%rK<f*O(x0Z$w??ZWU
zp+AQI`Z#3nZh6k{<tPl$ie3zQmHp_um$_mjxU%?sbtgr)>QKeRz_9hee67h=Kk<+`
zd;hP{Eyl3(=(%Ct6Pp2;BbxR1E-SwH@g2VhjTs2?Oc(Ahq4fE^Lq>9OQIQbyC;~aq
zfHdf*Ughh+&uKs><<p))3Q6;Z*qp^f)jd~Dp>eD9@OVt*Y(}0l#3(w~Fat`~)`iX1
zE{XW15If}OZvmI*?s!Ai=l))BiHNv$UO;xvsEa=RHUrQgW;;O{H~zzgEK)o^(=@KY
zV?xh;Vx~iJu7j$<=1PA=tLVl{(Gpd9`MJkha<3@oQ^%m)$(8q#XSt)lVOUtk&}JNn
z<!sD^ZLf#vZH`5fuF|dH3*yrUm~t8}hCUj*VKmc|RB}8j-e^@3E7PX0fKS&l#C~_!
zyZq8H*c49c%}5}XB-|l?7bSmZ7j<8H)<)b&e@(F2mPuHV$#5zk<1)2?19hKrA`s13
zmvG_HBK2do)(YbI;;dYn@3azQ`Q)k!`j#;Gl$@D=1!rvy@gEIspHQQHo-b^~FUXVy
ze0*lMfbcFcqYZzE%x&%T53#qIBY2BXb@r{As!LJHIVd>VIy?_xP>G(r1=N*5IW7Cy
z(JBYQe0oJ(z9P<mPo0v5Xy6EL9dOZ8PH}%K)25%`l(wf?Qau#Fa0JFyd%uDHqybL*
zhJ)>y-Xwkvh4DlR*G5-4*~d|$AsGShWfobTN^1gF3^91a45td5VTK3LJ9*q67J8K+
zV*ch1-jz<4y-hAh)NO<oZF`Ook`y><_jy6}(V0UZV2L#<XM!*Kk9r>zG|+tCgyz@K
z8=g|)hL=n4JC*1>lG2oyu2N4PzHKys2#{Q5Na!0ttU9T)5F?)<&lVK!Cp=x?ZzkO^
z3v`_SHeqzj^zN`-MLD%0we?rF!IUru@&saQg4z%TT$NzXF|-Tpja!40TLV#_-T-l(
zZ-Rl6<@ceOS5aWu7-^svZ=4>kP5PI9&fC#C4zE2gi!=Z)?Bk;wc_CDCnrHdp!7Y0m
zJvJLy@@6|dS-YQlYRZ10=48nY9+@TaxDf0MN8-7tc#<qa`{C>N!iU<|QsBfC+&<+q
z!Je#iPhPxha)nzfqz#MRoLbbXbS?|#`gbK*uYB}06@H9k?1>j;ec#}A^G&tAS%_>G
z#L6YXL7!D``;xoa>?xx>7MYjONv=hd1`Bp%e{eG3rxM+IqmaEb6+^g+ZfoR}%0Wc`
zeGeKE@nG1F_XXLhLBFT4(c9Dv@PDmolC;haCaImB8h^!1grRsIl~S;hUsA3%=0L8D
zsiVXCcBdA(6E93qvbm7ZX<cEo_@X0QY~O+#Rt}B8juhZnp|{;<b7kUYE?RNW>8yju
z7j`n<^HRS!iw=xNn@yXs4mG6m!pl)HH%Zd?AIHo<m4s$GFZYATPI*eJ%9bms%IBrk
z1P8-jP6#W__=vx46t8T)@s(1x+~ZPdL0!dA8S(gmPm@zQX2FhG$`z&s^=@&F=*Guc
z0&NOt5sIEyVWhh|t9cn2cLC9#6kb&lBc8B&Dd975Dr{@YuGBI0sCK72qaTZ+*D_Rm
zH`~lmAo2e)X=SvW56Xu}0&L)%U2F5&DjZ0BVjbW404_LN(0sT6*H)8sy&hSKhguqb
z{dqN2qHu_`E&{83A<dOF(CpQ~(}a0B_W5&Bcdb8`n6`)?)tO0?c$9`ns9dZ$AIWnn
zx&3OjvLE%dcdoZT&bl4(3})H?4Cd`hR*V#XtE<k^R;M`KeUlL1O?rW!M0~Sx$r83t
zVjj%SC|kpSxmAG~%qjIJRJg0sjIhK2Zx5NU9+Xf_thd^%@6tpNzvm+=iQcT`iCsl!
zR4G|(8dZWTYg99XoiKh8e+-~~0DqDX?OC^wA^H=t<<d`bWZBaa4w0%G8@g0Oap89f
zX)7_L+k4m^w4z<s2M@C7IL{FYcn5B_CxVXK2Nc8QmXk;#aKoXbKAi2vZAJPd!~33+
zM~?S=xN=12qx{9fqi5ODDrE~f#`4;yKg@yr%o#Fb8;|e^K&X(lfYR5UxAU|HulWzo
z8RWaWAvL&fnYr~{Hfwh{Z0I!ReB*_-Gh)Zi^K5lvh<7sdfKYUXRK@fa+;&Q-N`r{}
z`mhfU*%p157_MB1LwL_SCEBCR9UuR(O=8!>J?DqLIgQr;@!`2#+%3rY@hY9TY<uz5
zZ(Ozp)aXs@)S6sENe-nap9oI$^@;PgNp3Sk6J?wBF4X8O*VT<4B#(;OeNR`#xTKmd
zvHZcTSHtm$)}{)@$NLOi#VK4_gq|=a&m?UZ<RIrtd%jI8z1Ewr2;A4W)e}bU;WF~=
z&yn<!z7eaumUl$QQ~b87NL#@+e@`FUkizVxP5G!M5;G=<i$)`JFbpcv>XYtq*jGRi
z44trVWV^v?-QVg~LXsRZihV1g0?1~QG>sppv~6SVzWi$izi}CaPrR|=ti<ag;Lc%q
z@w;<XBUBYb{+IF1^eRJo4Ypw|EUF%((TL+29?(@TwJyXW-I*Yrt^T|ZVU%6sBO4Wp
zZKpjogj(Pa-VPcgV!egrKhVS2KIx~UsQ-ONqxk;liE!1s<gR#Cos?G@vLBz{R(m1u
zex=vx?XVx~xV+w!%g{=^(*=>KsLk*8X3t!+c(N{ZA2VxhnC>vIJem<pIBZC<=7MN^
zeK2!|dUGaTbfC-tT-Pft8?yA25qcFfH*lt_M%*jWUCoHC<t{z9I=#<C5ec{N6Qbl)
zROi}Wq^8Hd3p)`dZM(v~T1Uw1vV10Bch5XcV#m3+^wLWC;5m%G&;EP$@5>D>kcX_u
zFFLa?o~1Hk>z_Wf<AmKm@aH40>l&>m{aB0%_;c|;JQ}s%p2aLx!l{^*E^g!H1CX;0
zZUve@Uu0kRJ>X#z05@zAyy|Jzw><so$44&y{>Tr9&$r{ZIoS!<z%rltU;2oF$$G|x
z`}(Ew;7+C)vHkz-P*x?7^F4N=6EN`6A5*u;y|Bb>y14=0#;WdkOEiKzam%MYkaxho
z<N2vb+x#3~rRcA}`F|U+<<hX}7D^B9j2F#OTrnCdnnPu}&21C6^^uroTiC9Ktt`T0
zlBk5ooX69gE|hyK;tf~-`{lIyBy`R8y8CupSCRaB6x~`pzv57XA%Zet@i0%>mXZI4
z>r{e!Rq85;!D~i--@Du|uh7W^m_+e6i8nZWRA=F8m-<3dXVv+%O%x?1pmB$y-)3`d
zdWNA|k_cA$Lu&;`{SPv|NdaM2z^wvz=mmGusXOi;U+;LhU5s>BaVYz8#WdeK|1;Pr
z-*wp$UiwqXA9@l;eMXIDQ7$8Mqk#MF5qM0ns?FTnvh+aPsR3}E7Q6l4j`Vw}IktsL
zqe-u>(>>#Khfi8nw)JYwlJ~r$s0+Vak4_j*38>BRICyU=ZMDmT%V6?fzs$Z2cdl`6
z!hMgC7C6tHv6pQ#JhevIW9`l8y`OS=q`sX&MS9eCjsC0MdR(+jj4&)L>)Oth9H}~M
zHqfDn-*$M-5k@g!)%GP@rnab5#BcfAM4;s8YI0D+@eT3%?tK>#tOT}f^f%|}6PV8q
zrAN~0E%T0k#5in5TiQ1CU@;!9l@$qQ38D`k&NUJ~ay0r)1}+UzXSb2eu6_<ReE-(0
zPKo;o0!&vpl$L=U1BK(Voc2hgsZZ}!gXzR%Zzbwcvv6e^rwvKe)64CP8?26Xh08k}
zs;j#N-+a(de|dn!_pvEO*TzB<i?U6Y@8rCqLvMA?Dej7n1>cyROu!R_{l-g$`o`DG
zh88Oy6{lZuP4}KO)fIOnXY;t?U%_<E@{ArCL=|1BvYPnPpJsb=A#M43wJG5(uB6mu
zq9SeST*EoRb553T6(2;*f25UZqqkMXU0$BQGshZ2AQ*z75C2)90|EQEo=7HfUsEcT
zzGz+5?zKO>BPoUZQ8<q7i7NHWR>y}hk-l<6YPspr8`Le?3Aye)eN^^nAG-pIp6^K(
z2kV7U1L%S06CssEO>wE*!>Y?Yx@D99B5{+qY)c&z4Bew*lN!*RMw`r31&Bte30<Rq
zS|4IP<4ce3;V8?La9hIjzPI&<_h<Ww9G%c48<l3XE#DZ+;IYhU)syOW5WsGz=U{yu
z5mBq8b&;FlhUg<;s|NnI@_b9GttSt0@ptOcM<=QV(#hxDq5mhD+nBTddc_c&g>`QJ
zReMqZ`f9?M?CT~&r*##nLVNgmd|C6Lc5C@yj2TDx+<0zV^@g|yxdKgYLv4E)ko=K%
z<=`&_94FopQ~A*%GPT(}rPcW7cq0muA)j>zzG^**z-R-Tyn-K<s(cb!cfIuy!Qh#U
z%-n--2DS>RWh=c6WeLM;EKx+<W@7)dl*UUpjWQ57+~+yX`GKVyng4C~TrU<5E|T_|
zyi%N^JLCR=IpjhZ-C0$J+Mbc-nBXG0#=~A7nq0Aw%xx4;m-Glm*HLM<SegFglYIVe
zb@cWta?;^Rf!+#8{-hOMyUvM!r-|6f%SMLX_{WxpQi`^p-aj{kzpFjDa)J%Mc6aZF
z_f|HFf+xr?x*U1RRCR2!y)L<A{Hcc1Tux>8=1p*=OVq9SWwJVcNvn5|Nq6QnYWW5x
zdt`nmZwCdkt{0`*Lb%NR+2l5-c}J+ZO=rYTv>Vd*a2Xy_wYlH#QDYE;<AAlw1PG@!
z$JuX;&{n9*WQtv-R-HcftYf7%+9FuFRePxYiX7@R3xeg<=*(mfeP%h)3$4#@%K72k
z5MD@drlZ1sY#}!1-IZ!E%P+zaZ(FqRT9+p-+n7Jl?Bq<Wea5a^${t{KTXjGnXF%*K
z`FrYCx;*jCOk$hGjraAm^=&RDAiGp7_dAm2X5#v|%G_5%-JY(h*@X*8&!)FuA1zpO
zQQo64gywRuAN@!~x+yfu#9{1KD7&n}Ev9eM9Y+PZ8>dETxv$^1JY{OoF?n{rndKOw
z0VXoR;t{QxMOojaDrob8=i|cn0=3rhFx&-16g?rG154KJj84p^T<AZ3azygud~U2m
zZkr)(<KvLYZ!2ft_cwUEb>C{EEkPfPI<)2{-{>fXxPijber|o&KgQ<G<_2B;e-5Ws
z+<c<)9feNcX3BsTPTpE|r5EpxIy~-3vnl1Lu^6@}OXLp=R)KEQKT9-YA7DWzA>)a#
zv=5A3VJ0!WekWX$NB5Z24|aH4mge}>9osAs!w3+gT0i}52DG@i3Ih~nc|=4xuj0^l
zD$@H|#5Q9_)g$L|@|s7r+Y#Gtc3^1Qzh@PgdGKe3tIvL&M04nmV7Gk!eIfnt`A9r}
zj@yK=o?gyfLxjg{gZu0ZKF5PRb4lyzcbO8S$#~a!{lRh<JA8<#e9Bycw=;&=U6ehv
zwN{ifwEA8uYo+~*1x0Clkfr&oMA4MVRv{jPt}&2T?6Kd>&21~#d5f{%nHtw%&b+{D
z^aGzPMrwNt0{I=!sD$J$4AiKz=&(^3Vjh|#nC-k}gZeL5XpKeYI-|N@DAMg3AIKMT
zmImfs9}0T`%?h7yS-`K^nN1oVo=oT&PHggW_<-VeE7416PouP7#8=){E3utu>eV~;
z(PA32njzFUYA1DG(S>u!A7KDrZC5o*$VQ+lE2HRN)>%#X>B091q(vu^R`;JBtS*_%
zoQe0b?XL?H{cgC@B%Oepk)k|=SH^!utITECc(qltEN2NPUq|KoC=iXKY=V&;_<vYf
zbG~P7IQEN~Dq^!Kr*D$lkKOF=aobtD2fx>j+xzL_cjOuG4+*N#JjODcHaQeRW8tQ;
z^JLyuhpyCGLnoU3^HK_{8t8Uu`_csNfXy1cBZuwxm>Q(@k7deyM?Qa+J6O#wGu?O8
z-cdc`{~_<a<C;qMb#awZY$Q6MAXRLLD2PfTEr3yRM2bd0r9_Pd=@0?}Nf1#Ok!C@Z
z7RpGK1dv{Wh=eAD9$M%jkkBE71Oj)Vv)#_w`*Ygw{_Z{J-2VwI-n?tA=lir*63VUB
z;nIj!n#FJW;Aks>egnqTB6dHW7VUOZf8$pDyi;<`@4Y*lwNVEUxIL(&%8UzwBJ+kc
z6?m)V)~%RYkKh(Te{2?viJ05DwzAKG#r{sNd2eRvZClo@;si@UCr>|gk!Xp}l>KUn
z^f-Pe8swX^6c2s_8;v&(aO`|)8wINz#(mlEGptF=8H?L4>mlyPzHAX8cM}`)$}n{%
zRit#%L;U&B9D`;eNbchlfUQ25_KC%;e!|s9bR&W~=2S5-e~IUHBr9td3>o9b8`C8X
zrsQQYR6}?fd24$~8qi|?q|oF?L9g&}iO6%C^#j!S0k9WMGTX;m)_>G&#jG4%51B@g
zeX-@cpYG!g;0tw>jiqozWENk~+|7k25wVe?M60D8ax0wZvOQYD*DA(UlCmbt=3BFF
zNPWAeAekcxL5#d8QsJe_Hb(2vU@pJCiJ?EiL7XP%_3Wkvy3{%agMq#JdEmz_E4u+?
z#Zh4Nw#%5rcvYjV=;e)ITn<g>Fb;pg@}*atsXZ95W62QmT*|cYJfhGMT=Rr$8_3PU
z3V&q&1%l!sfV&ljD|5TM!|p1VmdQ5L!Q8UCXDyXCIEGC;aL-avx&wk7tg5zKphlGy
zA7YhwxbZHR#O^0Hk-WzMDM+pi-?nIVdyNwQjQ{&(J@ztb88G0|^&0kQZnpaXa;?5>
z<3h);%b4B3v+{XNELdKb2EjT<O-6uHtB<sM>1L>-qQ&?753)cF;c4E=YWa^P#K7Fq
zHtp=iRMkcH93wk$%dn0BKXt)cUAG-Wjc27yG@GK6mNXod5iV_7OWp~5$l3her_AvC
zD~e{-g0^SP6eH4tRm;|(zq8Aary}?%$c}&NnOt)bK1En_YR*r})s{ApEqfei@6mV;
z-?A^TdzYH>C@9jBs+dsVSb4zKx`bdSw{14Qh0fDHEACM*!*4Z5abe5-q8hVw96Z@|
zXvoff{$vP@Ygjm6a>-X_`5e`Rz&0l=Pg3duq%|J0>v9}_M4jYS#ecw5Iqzxza*vnK
zcAgbuZPz=W{xKg#_<G&EYN0(UqqK;>j{Q!dM-YB&zN|#TwD-<)IvCQ^aMTk*&yXEg
zbou)udjZg+z7xa?Cv?|;F3a0cWv%N%@ZbgN1AhYenW&e41GfLAnE7wlCLjG@LM8Yw
zeJ#!|mZe@8POUjPdqVTjWFa%Qtv(8B4!EdJcC8pLuF)@Tz!_WowpX$9f8?!(9o<7y
zg*WuAy)9`{o<3}gJ}>2aHDTb{K^%YpOT|X-Pu%>-W|lsYv+7HdK0!o1DFBG|e3Cpk
z7G3JpiX_~sjp4JSgT`bZtHP<Zsa#dQ3hUkezG*t`szP^pLA=(a)c6DZG^*u(Mc#Pi
z#~o|(`JWW|z@UVtgtRCk;5Fz@u_5=Itj&?`FPJ?ue$^&=x+mbm2Pv*$Qj*XlZ^cHR
zqvymjWMrJ7I5{Q4Bbm?#7xS?QpWr<@Z2^5=Bt;PCnFg~u9yxTRL+XaYqcS+}ZL>&F
zr3w`a32-}tgtJ4ihT3TNci?$1Yi+1xodgmA!-InQ?)50&G%oyvkD1Ggu0LnjhAz6=
zuqImq&!~NXDDUi&sXAXjl$BsO(J233sIzEn6QmN*r+0^<TbAv{;b83?*w<Fei3D#%
zqj$=_+N+iw&E63!h9IxedANdC=2JsDc<c?bs7gU)+BviYd#=I3wC9a(#1cXef7py_
zLDP93g?AMp3VF8~tKR(>r4!)N-Jsug45_74OM6W~UC^iHt4t$2Q+R~hPU+Xhz$x@S
z@ltQ9uW$bT27Cgb^6i<|o8?7_fPHQ<8DXC=k5E}1J2GMaxx=QZ;hHrL9`IrHk48>&
z)%i)lSc>dULZWhSEr?jsApQ{F?D}gCTDhtlImNvi?Wi-t+-fDrlrT*xXD6vhTOsZ=
zZan&}9r5Ylrr8Y71gbzb3f#HZKg}GcM$~ZcE{Kyd*uHqQc=SqdTk;H0nP!!-k*)-;
zedh+Q=O`B-F*1z-R+TWQIXYE6V<9UUHq9fVMHbn(Ai2m;2R&hYYhhdTO{(B5sJpsa
zg?F7}ICe;uCenfEU6!Pb1jE|jc5ldMPBikSf;#<F>5@y)Os)IJhBPFSJ5JG95yn~w
z31b5Df{QyfS~=Em#LvCdxGgjk&g*<5A2Y1W8;ylFGVH}ihA*+L1dILX1W09NdKY~2
zcQyXo<i4rnY}S}pzprq6)XDxEQHZ`cdFpu+sS^(SJloC(3l)Hbs~eN*6DM=aTl|fs
z8jp~IWod1BUH*;t&^CU*gBO*N58Fnfy&;0YLPtwRGBy=oOo)+_HE+{)Q=y}E->3$0
z78J{pM=FK}@vovMBqNxY@U|b^c-SH=C(66B8o)c-a_j_3!jj0LYk@4k{c<BCw#sWj
zsqVL2Jy3yph?YW+Hy(pzy4%3q*RM7Pi_lTY4d6VMWfSTCtI0jd_d8xsYUua0P~QU4
zV-G>C1iwi7w5d3)+AIvMBa?Bfzi6RuN|o*?H=IAXu2RvHZ%Y;k4p>>%agUG+fZJj0
z<#xej)s-F3nOie`<+2&-1LTn)^U%8%Nv`LknDPAg_}qbrkt0tskN%Kn;r&rZ^`$f%
z5_074`c;k?2p{6-?))V}Xsqe{E7h)H7bG+UwrLN<J14ad`e9OkB5FenW^OdD3L4sG
zR>{x?rf(<9V#lssCsBp&nz5o~NulPG+WLsAGPi4|QhEJdOB%QkrhP;~W`*TNGZZ6Y
zQk$8bT#<3-X%z$inDkWnd<3(IoPX2E(uh-@Iy1G6`V8sE{6Z?uLe1&*DXYJd-CFv=
zbawEm#hp|4X(Xi1$FYec5_L&fLUZu;>}plB?D;+*56Si(OO*2ro{<<1ASwEmER7!~
zRky-)r#dwDG*8SaN)Zz&{q7o`#4&y1b5nfSNq$}om{xVI^Xk%-YB{H&-fmmj(Ya{P
zkZ>KWy9AP%lz;^>F1cE=5ec(fl9sp2fA==539$<jjfZNX=H!7ylH)>-i;%-|&a;+7
zU>W+R`l<q%h@F$7CoGGP4s}}ADfFF1S-2mVy4shfVhX(=yQeZ`CXirf&3Jy>1eq*8
zoX!;Xr25($UdH^cSY`*3=3N#X+C9d;jc7<3WX;oHW1m61aC%zZ9#;C?L3+REsH?x0
zMpH(fRVwWCqHc*5w)hc@3O%e4D>ogzn9H}q+r!+?!Ir#B=Y-XfQE^%)tjUEWMA5TQ
zJi(jdOu8Mz++i#0>rGS5Hzu3m&dez0T}-ynD8??HMn);O)Oa^MvLguJ*#qBsH-Z=T
z0b5~A%N3(bH~VJ<+S8&7`)s>6Q9^-5QG+J%O{e~H<NZP&bM3g9)zl2E%<XS0vv*^5
z^L}-TP0QC(z8a-_#QrElE)UW<Ug%_1HqYwCU2X^)8wNIy5}uevXGD@y-=_DKxEgzh
z%iKN;++$VPs9C^zT1<H=OHJ+G)AF8dWbH7i(3)$49+|Z)M&5R`OyKt)&W~bA`#n5-
zqQGceNdbS%lktazg0hZUe(~`3?%~f&KbMXQ;+<*ZvSc{k-L9PJaS=)*f*ap^4w=##
z8NOL4^fOp!<=C=EUX$SmtIOgC*s712AD+Lk3&vdM7$C(%>nb2~@%Y?{t>mImxI@V8
zR&CWC;^Yl@Fr%AuHOVyzV$Xhc?PXhst+;Ku>XS^(A2$_BH%i+fv*Rt_KXfTx<c*U}
zZtA><%%YxQls>&!hQ_{tq#rPnw;*@AiRDkyBN~hc!%DEOK4N9e%eW9eJ<rd`-T>-q
z@0w1IcTdsy^0v>ig(#iUrw1yvTD{tkW{g@fPg;(w_2fvYmn9?F*8uWD>wchJNMF<=
zaINV%m;(y2as=k2pFDU5Iv1aNJY1A3d|ggcO|Ez^eb$iMmN!|G$_#g(jV~w!)HOFH
z$FX!z6Oh1KeMq(^wktYog=PGnk9e0Yl0BdyVU9kmZA#|<ZoIOR3fq@IfsL!EO7j`T
zwZ^LwlOMx6#oF9~UKydntot2@f*3*G*p?!=Kf4g`zvH_<?Hk#&-A43%{Q;@WqJhNV
z3g5;}!R`*dIZc0*YP#7TJ&|oSvEA3P??A)G(#0EsB$A_Sy2||0>6OPXhV6pl77K~I
z4P0d50-pN3`we0As!p|kDB3b$Fm~3v0b5`_U65u-y*|M#dTzJ*j#@jWF&P^&=Gx7f
z9-7mWBiuBR{Y2aGmE#%cDD%iQNu6ka8wtTqY@;fkSOz_fMDVM(Knf#3ToLV{?mIB|
z_>qjRjl>72*cqhyM&veSwnm!cWg0xVY3>SI8A+LaT*`VC=G3Mj-{(IcI<^~FA1!3R
z#(^opB(h%o>Z+v=hr}XfnfGC1nfqiW&6&^w+;AzCDW%T6+wc)1s^v(1hn>APod}yd
z%Q^WZ^Sc9Z1AtAAgCU+|Pwjg-V_d@zU2lSJHTaHS9R=;paj_W#Z8CUVf8$}1{q#y|
zK+BHL#~%8Fb^)TrEsG!6>y{*>U`3RS64sfaJ(sd?h&b|a(fHn!|Awt@c8?yn%C}eE
zRZa-Y=f7eBAD{nVwEp0eOz_`7Eg`c`WoVN*S<}Oy9EF^Iu$9V;-)a|8xMs=xc|iY<
zXgkVxcQX87qkaI7lmZwizQgSQm`>y!IGt=mvMwzmldE;W&mC5_EBk=*mrmC7wBW0C
zBBVwt2v5jBEdvW+jvg$<pcYSlS$tN;7yViS)+ns|+`6Q&HUm}sm;sGnz{M|L-M&Y|
z*_fxRDTvyA+0AAovyUUERLn2^%>^Z{Y_apHn$Pbg(vhfYhqWQC^9PF(yDvaF;U*h6
zuq7S9Z8?Bty%6wrFZhv`5Z@@^&9~4$)-&L-Ul=SB%yGW4#J&~g&Dnyp(hG2%N<a5n
z$($IC!z5`+>@TY~-*hKR2&$3RcO0|1C+YVy<FX{@C6qczy?dU0_Dgz}$<PS7MZ0QB
zzWUWjql*BgN-Y-<hwK`1R@N1x*dKP^IWT3HP*)#a@(3&S(u0nPX{kCLD&vD&mVh-d
zHxLdVO)x+Y3g{10@`^3>V!%`t4FTD1POYTgTL)N{(}3mF^GWDZL8t|e=7FPi`YcYr
zNAlk@`D8(NnE<dQ-k4a^uFd;a1$|{+H3rtM?Pk0n>S9nE7eB>~?L1Q@jx87OX*$&S
zv_W3y7Y7(<>C30w+wl%ISipk@_>SZoZw0`E`q(>eEUBMz>1e(cSRumI7(U(rhW8jm
zOr|T#^rjsv7eIs+hfUX&Be@3KWi~uzkMaXdj&d5e1Qt^iZMe}6pRZ~yCSuW{$EbC0
z`_K}#ALozUqf>)F@~tKoHPZ85PsL-*Fm2LB6NbxgtX9i*VUN+4(NiwB15~rk8C5Cj
zb6J6K@~E}?i;~c(IFf~v*oRg#OiPHh92^T5sIB?C2C~s(&ks|*d*{r++VhPpxXwI$
z%Ekk>I;Z1fb$ZQS<xDi*D5BzTlJju7T$oB!ypy@*49K%9|5$?C5Sf)uW{rDYoC=fc
zrLfl|-JZ*5n-<fcJvf{Cj}VsEm3Tw8Iop6MSr?h+Wz!Nl2N@HC+cj2&@czgRDhcJD
z*+**=&n?y&^_)Z#iWh3SGY5*8fcgv8^UxibPWZf@w)~|F>>%y#55f?s9GeevZ)`}y
znQ2bqJ=BKwYsI6t-}-?<h7%VID=)0(1)QfGH&Z8u0R%QhXM`&)L8}~LpK(B=yLrRz
z64YFFssIy$1Eo<-W1}C)v}M^!38@dWqi+U8KeT*lD&<aZKg4#iC#K7M(y8p^wO>Z7
zJz;MmhJ)SupWjZPquY3rz!Smpo-%GHLlib3YDV&`w=)C0V0GPRYFlC#a@wT&7AbAp
zkc*$uxKF;e<Bfmdx2j2Jx;eK1T+3$6rxssQf*-R{&-DVZU>b+ph2C>7o9GebE>+N<
zx9_#P$gU?{KY7EacM5ggBIh@wq6efYh2flqQ)Ikk+V1n%?X<-|mX4&)%okf-7P!%S
zl+N?M*m0ad05IF(e0&Bjxu_S6pEYmt{T;trqcOo^gRq?GtKge4I^B&jB|UkgSmz>%
zk>l>ubJ8MuWv*7Z*bRhtq7<)zGqB%C(>$p;ZxDQrmP@U7V7_9{J(S@XXMAK?ge$Dp
zCSp7982MA&@V}X5x!bveni1$LI-Y~-l_Bj1Pkb2%7(~@|T#OO6p0?~wAmOTTYlMsP
zNrf4V?5-=;oHTR#<qHG4oDpc5XXc{~(y`0Bj8W%}#-6o^c2^BcPlDV&%%`Eaq`a*f
zIjJeGF}<of4>JPH;`h}`^-lY9(&aRO1=_mjgLcL-qUrDbuP&FkP6=Rda?e^=dFRj|
z!xD+yYo+E<Bu`4Z$v(}XTczFvO1jAP+-GUUUFJb6vCW)Az*`3Xsr(DLE4Lo32{US~
zc*#y6$-WerbjW;K-kZOTE)TLj8Ur>GuaGW+r*#}SKmM}C0o45IbbZZR<J%!$CE)C*
z3t5<v?C=JK{F7?>IibMXpu>}W>_rUaSJ~3H0~WQ3T_aNwhNG^Kwkh>7*Y>6w#ZBC9
zjKTRK8xNhlV0GZRQ*bo;>(trQr(z&e#743H>0#lcRp5IXHe=K8mo(hRk29UuwfZ+;
z+`Oum`!mhKf1H6_J=-~QQ^E+`zSS;?sIyDzYRViZiSr@r!!cT-+9*3xt*-0t2Y!=p
zP#^r5Wr0jE?R22l=!o@fvwU}Na=|=)(Asr$h`Y0C%3-qGa_za4A{^`0&jy`s=<wA?
zVRX-gNEbTlJTmq4Ex|vYoIu4T%DV3fUGeId(mdL1q~mI}Dltp}hir)Xf*2Z?(0D}M
zDD~y&YSR!`29Br3*Qwe#?y5?1DKxGnjF=bsV~Oaa$k#s97j6$q$M6l7BC5NUU`n9L
z7c<^~qL=cyAii*N@JuiI8jhV(Xd1;dpEG3!c;h{`k{tb9qR4$~v}N6w-vqa>1KWmM
zM9UygEs>qFfh|+w){&0GcetL88*?5DIQiD%?9MiPvd332r%mW!V-if}xMrcVNBoAT
zq{|ta8OQopKI$xeq>)~72K_1g$mCKo!G`<!7cQCX%NcWMeg=~Zm8P*;9;(i-q;e-i
zDRCBFdGX$#WVgzAo$}yhB9`K1!%C=N$Lds>Qt4K=!_qD6y=7zZ7xPLCh4s7WDg%(P
zRDmo_+7>%$TptBWpS?U`!bAm0nn&bIT4)~*<!KAkrqt8DpwH^6W-mss6nhnw)J)lm
zvotEiIWC#p&${_$whfdpC%C6ucdQD>A=0Oc`C0JBI9B)$JG#JWFHczkJ|%a1F#U^Z
zey@-f*3_roVC|j!PCa$sR+9_7b|*o5+cxXz$9ZK56_Ik;r=xLeM%KcLw|CU-$NCup
z<qADR2as@nMCth5`&<pNcA=PgclRDJMYR{xNHu0Z^Q+%Rk{og!m^^Dop{2A3Y!wBD
z5KZ<acIZNpf6n<P=1}X@x#ta#t4s5B_n_A7F3e^*O}8o4>eV{Svz<>T!}Kk*k3V(Z
zGZrX<IQQZkC97&g{5@L)e_T}T_Ct<eILM;9owRNpclkXS<k#B}@9_1F+@`xi1xes{
z@;Z&l-n3_i!5lwDZqO^DGdCXC&DpzmUu}&mC3Y6Y<|Ku+M2c1yM0eex&16k(o8`#v
z;jN!FA1VcVmJ+ZfCgt;vM-$uveiO9n2!D0nYNHLX#Duu%Z{o$1!XKzdMM%TM>z3li
z*UlH+kXF9|&=0uM?*C)Nu#4jJ!@w5yQGK!_BoHuAuOZ6+usvw)lI8!s;8AFHRA1*F
zW^RP=vYESXU1-p6XZ5an5C@80?HN)8p19vt$6oK%6`6@|sniK4pCx`<cg2J0H1kqh
z&Y-vt1~}8}+Wn5n_9G7SZMhHar(-`+iB1oSgnyDo8IQ)VoE^yICqYY7kG-}>oPD99
zSaNjR+}Zf&kIiXiA^={r$tWE?r*flo_@K)5ZgcrF>=8D3lHJgeclhC9P<Yv2R-^F1
zQQVG8JMZd5pV@itrbo)@0G)ZOC&;MmQ1!9D;%AZmPm95Qi-v4MGdp<(A2uAe(4J4m
z&^N7!df{&TGLH}#sR&A3rxB}-w1-zW-`egj2>bmgZZzDASCig#Rz~N`wV?S@ej5o^
zx2^insEKk<Qq=~chq%^M+~ZGgOH+9%8oN-zU{;4Jwj?x>E^tA<xa=(hRg;5XNcQ>l
z93&iy+q$u5L}KZhW{%(RF!I=PTpeRU?=S9u`*p&qASda@)2CezOKC<o!I;POrG()%
z7fJjFa@p&pZ?cWMFgx1y!eJ_3w#z`Em8e$v>*Qj?u3>}RjHN7z{PhCsl%3g3bxPiN
zXuU8>ecU`IA?msMO*n6iFQ#8_wNZzmGz*^_K>6!}x?_xUnxN+9!b2Wbnrcb$63}3r
z)L*`<yF#bGj`dgj2Kl|~8cmM*{B-q;Wx(e&)Q5~>l9x31eo98Ku?!_Z;<?LsT;L_`
z&D1^l+lDjiq}(&77OMT0QC~Z-&h+|YaUUBh#Skc4X*|i2kFBQR7#NFb)L5?2mvqdf
zV(ymtc6DUrU%u7Ob)fsw9jAXEYfOjmJ==08*}e^ofUcsYv?>=L|1MT3C=nP#rt5G+
zH^{*<PsWB`ZQ{g{$nh@4{bcoyRACkn*XgxJrFzCzw7!)L=$kuIhEefZ2&Xxet5CzM
zR7aF>a693*nqAf9jmb|MqrS(>fZ5Re%Gu6!GA4q?^gO<(tIV<+5)+i$<}LFp2D$c!
zHTJlfty10wzF3O)JD%si6=LcHEV8cCpbBbn7|u!VO6Qh@)Ca)7O7}FCm%52mYW%_v
zuy34nSt<?PZ#38@=)g)xMh?Ai2gO;OSe|@ql+@4y`xo1^@m8c??ABjx6OqEW{^NDN
zMgeE7+Z0X#FLy3n_>xSdm4Yy0n66*L*LKbzOxs2C0X_D`3|#nD{y{B@<ThbPooU;W
z(0B0qV$e`q@3j>HIfOlH2AE?K6ZXNOpzd0iQf|p?t;)S{5^Bz6=eXU(I<KO_=@pH8
z|Kdh{X##GJ2xjR7Sb>`10lgOm2jB(X9heD|x2YSy-~g=sr%f;!umVK<0(vYh&G{{`
z?yUJbdC+Q3r9{wBi?Cu`4{p53z29VG^<Tc<!n4z_=5edm0XW~OmGGb}lJ%4R@oe|Q
z1>;M0S_wd`<lBSmU-wo#9|B?--)z4QeX1@%ZOI46-jYHu%E{QK1*gw|O`?kEvr7Go
z!o%~DX9t(e{Z=UX@lLg{=L}hOWYl`={73i9PR^Y5=TM>(0t84wXL|T|4th>UvvG+l
z{OyRzRwVNdq3GRyj_Q3ndL(ShyK^51iHNZm9`e6Uhjz3q_g5uR{T({h?#n;v{_z5-
zs4S;s%KjSi!T}^x?H=X$T{O}8efzFo4xDr|xqVc)Fx~}K6tO{2b>(bRSJQfr7H-z;
zmX4XXNp5ve4(;s>0%v`}M4BavX?OuIqnKtwbBxyc1k7d`(`)Nm`3U?$Chu`tAM;{C
za27A@m>WOx%BrPAS$%=kC)t%j=mNXsq4fdgP*sXu6GkQc;|?Gt52&7-fmn>CwEcFr
zzd#~2AVhty1(g0N=`;`q9CUGv^a;j|#s{<qyo*e?a&y}11vWkVE^wQL*Hm*^jUG4#
zKYA9NmzlaGPoFj5E)H*$oqQ2NsxHh3?EZDs)#pexxRT|`=5tfMZE?S=YO~OC1+lZg
z2{15SRYRT*<(l=vQ|hifTudW0&%f$sP#K{pTII!07q%dA^Wz_I$+Z>)K}%}UgBIhA
z<>d67z5*9iX;VT>RtewVNXjDEqqOT`pU<kmu6rI3%a4<N*<F;zLne89(u0#BNpX0Z
zMU~g3(SBLa$`L`o*HcKEX+HB8vE<MgQFMK-NslgB&3L}B4>cz*^~HpfMxvNjIZBDU
zp`NWL+!eQ~E#{x<6>Q2+&yDkD=&8S&j4$ln$W12-@iWsqn1D2)mfQwgXcdO_VTkK}
zN<(Mhb6LkmKZR=KM~aRY5~^=W?cp8NNhd4PzYG<v_pXgXR&<m!F$1m-ER@J-tj4H%
zXByM39G_75H}*8cS9*kr0a%uOyZW`qtXH4NgJZGKPaUamq47})$ox1C5sx*A9i@G&
zUn*Wav$^<(!B=}zht^NBjnpwfwwaPL{|C|L)_2h+)TqCx%dC4xmp%WXu-vp2c{;EJ
zBq1g#hNc(P8uP9Q+;uc{w1{cmqt->tM@LZ-><I+kxIUn&QgBGUTTPkzZn^c^*euVD
z$AWSLUwBh4?6%?V+lo>nQ?kU`g!N%x>)R}eR>kgbUfKFdJCme6jS9HSEONs{BX)el
zO1zX*QI%1QoPAqi0+M=&e$t4VsYu6!6eJT=foi-dez@v9M%_70nfM}OFB7kEqv8{0
zBBF1pHADKUm_>{bUC9{4$KoHkNLs|>Y+$DX3?2ougkUd)co(&5w{U0A4L!8_Op4r3
z&|$nbuSaqWco8bfN>cJq?*1U6WH<EPQSUmNRfu|(Qok$e2;{29@g`F6-U8_hp^!*&
z4IA=Jv2p%Mu_1eYh!e&Yk@AixPpPK$;fA^}EyTBb>T<hhq8HV0z$mF6nZVkywot;f
zUfLL1>wfW<r!pf~vL%(u+@{ncv}GI*DrqTmMX|@+RExA|oYIZxLDw{}QLqp4q0zFW
zmI9t0EE5IhyVty%HyOQ~@lsr+XJ4XvF<!ubXXs>JehtD{dhK{8>|99J%lE6~rAdoE
z135vpT~O6t9jxJ&VfuZ2&vQu&>%FSlYhaibVCu@HJJg1-%ahu5>%+Nic)tHgB0p<e
zM~deFpw?K<8VXioFDq*+^ZM$8E3VCN&$w0Nl41PJi&#p?qDMd7@#gQQqU|;xnNhlZ
z(@jh%ZC`1dp=85oh$nv3*&9ZgC<t;Ugbj4v-9x>l599go=+55nnanrCr55SURv$he
zY`$zccLXWs$JZ#`i`3Ss_6FUt3rvGw;#r~lt3z4PEWm*r<qFwlo?N!@o49*5Y23`J
z!2}tjGPa2dk2pEp^vp4L;v%QKTzGI|uzTaYCs|K@X894IaJ5a%qUN%cW;^@XF*?<}
zu3s20W@hVgG0le9`K6wd{@%OTS^*|=n|q2w3URZ!EYU#YEYpS5D0kq@kYdBm&Px4K
z<1m@XP{-vwH}nOmJf*;Gp1dt|NkEA5>t?y$K&!P9r9t)jn{RplotOLswF-emc8&AS
ze}!V_+eH4*HS;=9B|!nsp61vE<=1y!tJSf8Fa#CmX0Riy>BTCwdrriZRHfi6scHa=
z*aF>!=0urKJ|Jbow^za#+_z2${3V7xt)Ov89ixdVYNger*9)E$?Y3>OjJ4w$d<{0Z
zDksfwN5r6ZfX{8BJ;O1+kPecf-Pm6k$s_I&(YK;37qQ1d-W}oFS7taT?lA7>@5bVj
z-Ov;Kbyks3Yak*cE1?OA7@fNo-QdIAhw&)9T-^OSMqWFzI8FZ{Su?7)Ol&mWbF3?x
z6;SowvYn%I3Tgy39&M2{lgi`#b~Hi;klMTDpVa^T{t*KH|B-emwueR--OA75H77Mg
z-TH;q9Aq(5?v|weILxclPwjb|nlJYhc_1}(p225lYXp~<WA!=eERSxGM%FQUHAeXB
z|4nVCGkH?kEQM{)!XcS;dI4qJ;g&}1S3Q@d$dtIUk&RL)R2cVkn3T7_!-k@O_TyZb
zc=f}T^u9o!!%X=n6My$>0c-K#WaXiB$3+{|kW!9bqE!^s;nagEP>kgBAbWF7cw9I1
z8Cp+;Y*sdg=y{nzZk!rg+;;vYN%ip{vuI>nj}N13Nn6Fy0-t~o?3IEwxX1*0*G{R=
z4S1Cgr9rgs=Mvb;MES6`YcxH=ta?(N1Fa&IDvZNE*7ID4gde9d6^k(IYTu0%WIw}o
zPUos<C09>tirE^C?N{g+w$|u@&L4Mt#p`$)nQtpzkQD4m@nMKzj}?4irxcyD0;`>;
z8q^nJ_tb4$NHab|HYGg4N;Q`m({nuRwl}6mJJ(xY2<7@x5i!sC<fo~;w|>~^EK}0-
z^4=+&Y}w%J@#y>PLl1kgMvPZgkL6;Ev!Vlj60M|0$`4VYq^cmu3i(-#Mx1>`v`}Yi
zql~W2P-B8$Ir-DQV_H^_hpUTvN>7}nV&koR4?Wr8{^PkLm2}Hbb6&Io^~=wi%>93<
z$w1qG+j>|&TA#`iGdZ()2`CHrGidDJw0`=8qcfuzoiC=fu#u27jg?Kybbt38z&-$t
zCh_C0{?8~Y|EVc_V6ec8!{Sp%+;LT3fP%b_MS%9Q&u1U+?TY2pOBb1w!_hibU%mEE
zE!Rx`TeuYNQ)@9L#i8AQ>zcfxp|I3iFP-W%YTP0>i&L@qGGLeXYT{;($%my)-jQ<4
z9rK-;$BIXeK5>rvn=8(~;B<#XJN&b1c7421r(;X~ci<=dBL4BCJN}@HL5#i7Q;wIo
zSK?N$1s=YksnPGqhnd0FYs$8~cH||kNS?%}QMYXggyRw#)Llnu1zQ*V+qd*jnZOoO
zEj-`d@TnyYYavZIOO{*mFVC@7>UL}33?GdDGgNx|?7uV_eUMr}osH^Bt$5~VPj?fF
z8Wg(>dR|rdU`1^KC~~(2rxcI&ip|TW{eEJXc;0;Pd!JW+vKoTMXR`LU5L|c>;F6fB
z*{0RAUj_LBZLur=U?XGYYM5ML+gv+m3c+pV??8FAGGWfz!=iau2e+YJEw5KmL5#b|
zMax^=v@JN4-NPU_<LIBEmNP)8WmCt|v9L|%M9b@|ZfTBP^9ZFiR}o-8y5^K)bN?tX
zZ^GMsSPZY+8S?7N5-o3xb`7w6@HP?cq~KAyo%cRKV!Pfx=36<*uvO#zyoYy1asAl4
zx>C&Ov7#o?Fn6P`YP2&hLcDgZCMG_#KEQqlye*w9X)aUjVA&Xaa1-{8m7C%eKsIuv
zdWh|hC&Psqmx=;Lyu^D*MWE3N;%!1ydSPp{*-{5WZV^i>+_cPrQNZ<8d2vEItR7pV
zOeTI`fWw{Ph~*FbBsbAe_NH+~C%g!1?mR*6-qY?m_t9k!%6K^pcs=ZtWZT`n0OkRR
zU3T_a&loN(PXoWj-|bhwe}YIGd!&y5qt3TYwG*I*RX>e9Go%TDwK997*VDRec$-8#
z`;OX))}%vhr9WX#>-s~0w**Nf3WDu=WajC%;ZFlmOO@v0qp8`a=EImzagA|r*%VWJ
zZ3HWSsgpP0VoHZ|o3#OJMa4BI!mPI~OiOtZTGL5%@oX4Qrd*7mCfAvl6`BY2oIIbc
zTijme8aJaB@;(K2diItham00^EB9mcRjJ`e-i&JW=TfFQ7vmT(f)bww(>ofq-C4^w
z(;IdPydYz-E?)kIV?^{9Z9z~W07hw~pm<W9F9PEdY`;;R+tMTne4k~@y~&P@xP%Ut
z^r*F`Ya??`D5#|)&}}_!be_w(vcrJ0UTRo3FEb<BnN(sUO`1h$<i(FvGmX_bT35?J
zKM!9EI~EVsH6049mx(&-K<v1h72oXp4DawuIYZYgr)l2MI^ShpwK~%`(NI9Xh0(F?
z6C0hcM{U#|ZNcT5x_E|O7EDUfh*9p9U#}7AApj&A8w&TPHi?-Ayj@$Rf(0^=^il6V
zs62i=;$_=4-g|Fq;rN)d()9tCLPEb?{PQM8A#v*1ThRyv&e?W(=`(te)~`Opb{y}(
zHs%{N{1I?Q#V)+$;lS=a^_?6xjcV^zyp@uz*q7|K-|whvQ20>+m+sNWx8{%PTcfl#
z@doTJ?wx{Z)+(LI1vhHu8Lgo${)_YpM})g27?QimmRLe!d%SB{`Ss?<k*D5H=`Kx7
zGT-}r;e5eO8%JqM$j=~jsrE0nzW=cpl%<WrIYuNz!Mid|UpNdi#NF)Nq)vey)9W78
z*PASnU3Z`P4!zd2g$;df>h^zhm^}E%lu`u{xj8g!!}YNj(kO}Npvg9pYA@tIN^v#w
zeQ=+2Pd*Xpg_$BBzF+M&E1SsQr9<nObT#a|`nAo;x-hx47Njb+^tum4Hsq;>f3zAp
z6UuCz2pYSBR3JgPqO2P!>S#|QT}2hDd>QBby4w&FqNgRc$5LS-T(s;>iEDF)Xapg$
z+sf77!F6D+{Pg%O^An3zw7Rfx0{zA`FQ&OZmo4P>p!Z>$nw#g%@ea!bD#`^IdY`w_
z8Ryq_g#WzFWSZ;%Z_+-bvfvmwuc}L$E2^c;$R@6;<2~k{z%p*--m)NkaqavUkK&xp
zx%v#J#R8H})2{gkbMFn`JB@w<+jeQOdM663_4%wrE?YZiMgB-E0RDS7{I3DSj8{vE
zi`t<qbn8@}jN5ICq8Dt?Tlj<t=6BVy!XztolQKVPui}-|Xj1}ZnRJP#7Cy&<y5fz?
z+Oq~tbRIT{(WJ|u>*Zdj2V%P@Nz10#-Vme8r;a0VyIV&TCc)V-cUzddUJ)Z|GTnjx
z3PDwx7>2u`kr<INvz})2xj1QlsVhahKs#3*C1@jD<RoVUbN>euT4(DLxgo+2<TEwH
zLZ?djQ#@>f*r{=(k@sE1y;JzT(1q>Yzqo-jZcXBp!)BJ(2$Hofyg%*2RgWOvU6-<I
z(xhNr9gABX8f|DJhEj%I#qeaxzWv>84Le2`3<oV6pOf00_+t5Y{#$s0rV!8xx}=cX
z5e3VW;>|<2{<*8n1hP{yg?dgyD^G*E;d;$quxAe}dA0^s4yMw7Ro^CmY0g(}(Ko$p
zfwpqv8^yH^pt!#J8OAzUhwgD$#))cTbUXdkg|iXynvWVO@#lp7aK3*!gJ%59HV;6w
z;KdsZH_MNofjtAPJKsX&r|g{r@Si<{`W05ZT>R>JS2luI$HwU<y1tGgCSe+1iVD7-
z6Pu-ItO-MNqt|0LT-<z1?(f{+agBA>6cHlUWAe@8Dsq2|SS%I3t6dqrR&E3IwZXq#
z=UPL}cZtUN#*dHwM5_K-V)MV}M=Yh+0%WV5J;bTE1<Y7)GpJLq<*@MqxfTN33b3^M
zN6#_eUUwRf(do28z1hy&tI`XlNYf2`@$Dc;F}~Mev5DhQD?g-h{&(+DW6yu!Mnwb<
z_;B*n-RGyVhL~)bAgMr1-%aB=Ke;HFRNh@0KrT4`=n)YS7nZ8<x^Vh@p1RxKZik{y
zvE<)fuPyIAadk)7*G9c(S<=J)l;AOdnw2xydCpE>xW}-ss#f7<6)Lj%SYIm=MKR`h
z%ImqL7`LkHg9MW1<-Ls>>z8F}t6&%<6$IOu7aq;rmWC%N4L~R(@Vv$`yNd$!t!2oN
z`+D!i=Y1Wdxk1kt(V=pQ#B;RLe{j360ntBXHAWu&6Bv3!?w&2ty{S}jRQu}AyGNAm
z$4U)W4+(3#@#96cJ3c2(2DsI!(1%`$KP=F<ChueB9dR^>s}rQ|)e%c)X0ZE`CsR4{
zl=&1YuHUOxfkWf1t31V6l|XrRio?u17BFY}IwWQNR9EmUSMpyFGU`$NOV9&nMr}C9
zIGL4XsFOQOAU5NND8Zcb&)q4rEWnOz4+KbUhj6O`F3F*Vl%?@$@xMJ5P5pSCd2>se
z@rI?qWbfW}sN~zdPaI>h^vCVR{24t@fKG%=O$~07A3y)MTM8hN=e{JdfeQ3%PJlbt
zAqVT{U*cq$`)t@$N)6PnA-xwK1qm&p`5Q{X9CXvQG<?~%77lQmk7GkJ*iRn3&q}iz
zH%)9zzG8-s=r9a8-GcFDz%4l$?>!bPlpS>IL%uOjTTM<@oEtR^a5!4`XA!9Pb<7q<
zdLLk{ncTDgdK~@v;h?rf$*L;=jl(+*nEwmiC%Ud1rHQzHDs>%JALyM+U((12h~sUG
z0gm>gvYHrtrYSQJuN~z^J*{1l<VI5;jKx!W06#n1oYF{Rd`c}UIG^`8dTGo?M2MD)
z#7`meT}>|AV?b^sE%nhk-g?Rd`=<->yhdr|^^i31;swyK(#&Cno;va1A<ULC+Ys!^
zYlO9$Pn!w@NiO(c4^%Av7`eSSV_z|BL@P%^3=<&c_Guj^W1r5JK_2(J?$z$H;U6M(
zpXN*4>G;%?gzw8NlFN14>c$_*dMrCXM(#>0SmU|4!FDvm;@kI*(j2P*I5|I4TgtTg
zM)&~>W$BGfrp`o9{3`DL)}Y4r!*X*e({jPBApFC0L67ltZe!)>tR;=R`|Gnhz@x3U
zf*Vkuu>;K67^u5FY_$8}{bqQ4MD9iF66fbZBjbRR@IIu}Y9p%i^%SD$h2Cy;%EdP;
zYo&=e72N!OlB%rV^0eB)Fb{$ZW7oSb;ZYe2U`#gD6jZml=PPOwg`;i=shRhhFO5k>
zhO(-ZZzg`nq%}~^(l<;x>;r{@P)#Ru{0~;;!Va<k2Q9@Nz5C2H|Gy2<<EnA>u}&Ls
z75W6H`CnY)f(a0pu3=t$#RN|xf9S+#+!=qnh`U+=GQ44_Gxl{M!!axi&U@CTn*E6q
zYSuI8`gH8&?JV~EV=M=tRMf*V6w^Se43B!>{W@uVU-sdw>}xx(TE?t&DOh#Lmt|XE
z)ZsV``41^AuvJ5tzCux3o>H5zu-xzY&z-~@nY>MmFLOdbhQO?>F0{UiSbg7z<gv1s
zX(#$xpHc_qVlF~wnx@cHiAmEBbJAz(_d8E%j4ag9(u@zoD$P2R9lNxhdM6=w?~BWE
zV0u8tqG+bOxnAC(gLqhZn4$0!E^RX@c0GMc?k`N(8Z_;)vHhO}OubgGtbs8*bef!O
zgzI(MYGco7x>mfg-8F}fc7-fU_rv$m_5nK}-}*-Xv}prWxkcZ!3(_Y+X|!d;AnIaY
zqpw_Rj%RCWw@Ycre4F8*ST;lIg1!s87dN(i08~?_z}27emThCE^f_pbe#vv&Pm?(w
z&=t?xfx@E=i(TXJ!s_$x0)%=xESQIUH*0r<+2%C79E;CDRmS6|qZNtjc&81p!{)nq
zIl+d!^u-dHn80oHuL13!uNw8p-NB8wV#gl?IwIY?yGS89*1W4GU~q)Yl5EZ>cuyM9
zQ=j(+Oy|ztwrC1JT_>Dne3wvEd@Y{%F_nvpQ4y9|>3wAkpHmgCoUluHyb>vH9~7+D
zJEZG4z9(<XsO*i3o+Zn@Lp%~*X(b+D|MGyk)<3hzfNYRlFBbJ-&9WX$`qwS%#x4eV
z{4-^tLn;!#ktv%43G7G}=hbk#DQ-!D1Mis;$IpK8bQR|Cq+%KKYXEy=XnNOtbQ_*n
zT;Q*3hO!dI)iU2I=UahwU~=;_TQ)J)V@1j>3CW}F>kr?L9I8FEaJPa+o{rvEF=djX
z{ysGN<}2?p=f1{@0z-fZu<cE=>W_qs>{$&*Oy~Az6BAjxG1{#X+A3<y*}F$oI?`cV
zcxJd?XB~j<DojgnhN^C|>t{8zymqfJ%owB0TH2j7f&$H!SDBT5p7Sf=dM*bdveB^_
zQT?8C>fy$++wc!3DXy|-uKg&Lv41NZrPWs=d$MbB>5x0?QML#gbSL?Y$GZ4n_;b*v
zr43QJ({7#pf+67yAR+kB-+f~w(9HJqZ_ge3xBeoNjmD=#cP@WHsyJq<Bh&f^bYe=S
zwjOTGSikj3z%_Bedw!<(nu2276K7fNbcF5}`EkD=AD1{U{Hd;>JbbEwer38t92@z0
z&NJn67hrK;Lzn}9kG}tV)OX+$0E7Dfwfx|lhR@cC>gLFZ0!N2XS-^3v&zGMKqxk4j
z0}AGA7<xte<eFr!P;B@0rM%p5<r3v>A`pe7c9q|wQN6e56p;<p?^srCb^!|%oqoz<
zjw7JxKgjVqhCbEYQv00&q*S9kKNon`zZS&2iMj^fQdJEJSW99;zw?iBXZ^Qsc)3U8
zu<9GXp2h-I01&UB6ccPFMjsWAEnVaNGXC%q0vH1Mc3&4$VJZg>|6>ZX1E7xX+6olQ
zUe00l+NRJ4d(PLVFR56J&a1u8`e&$gXa_LWd>aU!uk~52`3M|4LU%gYCW90}*_aj)
z`#{85^`o-PBp$6JK-McoJ8tqnoxTKke*_yIG<KP=^obK@+%cQm6l{J8u@b8KCIUBr
ze(Hc!m=DevQ2i^3^=}LHpzEut5$ra~(%%x7o#Ra-QUyeZ?G796MrCz9v_)-Yd6Z&4
zR6PM~p62$wV4}HA;th<qk**8BLtT|-xvf%U*kbN1VM!Yzm#w$ml*G5S#Ej>;=t18|
zOka0zdS8-mJVbYLF1`UAbuRn*<d|$E+se6&r4a`%4#WW@;1%?Z36wD~O<FM}r)f(P
zI;Z5iAA^=t(CO;su}jaS^Ip6_&VFP?H5+OXr81LCcxplQQaJqEU5?c5__@A4ABC6J
zcng~kq;Prd;Wflwt>Bu>P3>YW9+YVQZTmk%q-b;sFzS38*UtgQo~m_G3J|NcRsk>c
zCQG|ShSaHH+{X`w2S{BhF6(Fm>-Kc5y(J*_UDFSQZZMj*Sekd+N}Y)^l$+`oBG-vq
zzo4!6JL7koC}qx5M5gsk-e(3>nPR|n1Fm$~-R-DS+*)98x}c!%01*6QsJ|jeDp|n@
z%1FV8wW=#sqGrRyjn!IT3hne8Ap2DvP*@mQmup9BaJ}LXCNvqopSpz`i=@*E0ZG*A
zla3n-&h1E@^UKgMpJ#Xe;Y}Ia19@NEu#-D~as-g+t;$aLla+;y+A7tucMbO#>)S~b
z5CyZ|grac2z}x9)z%WsxN1%d_8=;h%H(DmP^wA9Tj<yNghY59l&U5`-I-B59QfoZc
z;r~slZ=Ev{X#8dP`WCB<It=l!|24PpHlou1;!nZK7N{qk(p0s#Vp9l&v*h0<NWmfE
zTA-o3=HraH|2<-rYiJ7yQ|19mw2O8}t7J;yEScDMS7XWGQGKNNWN8NF9ASwywTIC>
z^f<oIMM5+0ClETR^cT+ke=G(~<pyyItpXiE4=T*g<-LeNHfA(AG-?%OC?~5y;S+yl
zh&N+f7@03_!`}ml{0p{1A4%8Udgr~qYtXHuz-i`Xl!x8X!S9zV-aznZ=e{ERSX=2*
zLbN=P+YDj>CIwV+of;0IYF_5ah+R0M`Nd=$fe+<D7*$sr+=I7i$0G7iCK=#jO1gTC
zQ|#hLzA_5k%f9p!oaK~Xc7(R6Z<;Z=;~djrZnS)3w)VGtBTKxkqeso2yqc#};i1d`
ztD1f}qzc^ZUyo5LU-5{L$^~}Bp60~Dbgw7O;*aXPhw>J?WbM$vcvSGZu4sk1NUs;=
z=lHkzJK%n;y9@q{o*>b9j|$Bv4-Ao4&YCwS*GE9Y$?-xuDG%mSyz_^=WX95?z9`<Q
zgNB6+wwEq7^L~?l8DTsbI>^;Zqh2oSc5i&<Fm|4(c@vZiZ<D7ik3_mNbOj*S(Fs1#
ztA>-DD?7oUU2RD3tLAA7Zd3)r1^wy>OZ0N@FIW@ek=X}QQM2YVo|+oF#Eag6GoGeK
z7wA;;J5qTa8^_)_0p=Nuv5__@=M}iJ9@nP!hlPs)vfj^ilv}%p+rQ8{62vk0InqX`
z1vIFvGgkKzQ$X7-NMpIQDxLcNwuEHgx3nZVGQzg_amkWzPsd4n(MIhY|3Yq|E@iH4
zjUbu(i$&r86<Iz;Qb&Ajx`U;)?asl!U{9B&=vsx)jXGK$2E#|690z=`f3k@GIYRWu
z$1hcE@)%W!uG)+rB#A>iqE$?%rwI+cA{)g<+t+POg@1SsnEU0OKD+|-_|u`WZ2$z_
z@%Nq;$o52`{<}T>wH{1I#fRhDV1@%ct*f^tPKbYNiE>u`|DFE)2NJcS(uKon;}Gg6
z_#w}{CkyWb&iDFrD`#g_1%<r_hcxb0tNVn!<DBp1y`roA8)YB?E3fl=p)3;hIKxPQ
zSyRB&uk<w%l5~cbtn+@a__GA$8dqfDl+I$-*vDHI?)BFJ-uXxLd97pPL%<W%ohZ0)
zHa#iI&?WG2KqYt|eB=6>?J}<=>hv6KdfraH*ImsLyPV_h_K7}^`+(ixu9c(+M3V(-
z_m-~`#D5hF;Gc~_4>yurc8!Z<h<@se$BrZNXHVp=yhhe|lH*w1!e1Rx_OLtKV#rCY
zI^q<klaAt<0cDH90u7Z|@fzNuD(i+D-QZ^t{2NtUbW7(vD;@=^Za0KxDjMx%WIl|J
z8bPAuyhh_Ww~|I|#pzLxd*Qn-Ck=jn(_1|6<k|>NmeXkRJ7&+qU&vo>)`ofd26zuM
zlw2Lt2lIX@>LF~Mg=cy77Omh|u{Y#yUkc>|M#yCB6`vTe$v**~5<^qT%FMML{k?MX
z->1&EP|Sv`NRVFOB<0mEh(I!3D9EY5C{HzK%WDUU?NDm4VoD#UJxf+p1K?`2Jar1J
z<AZJ6Ce+tgj-i-eEYZirpkYq+qPR(J2ex{X>eW(Kx=UMDH)SLJ+U-yGJI_VT5@Ep}
zW#tpL#{gB>q~Q;58=^<KAdUS9HhyFQfLaFi4{}4bIlfen7`so%Db#W!)_$ADbYers
z$S>ZL3a%aJ&*N*TX-)t|Q{eb1c6Nkz9O5+3yJc3O?G(`9bN{RCI0AS(#AlJs{O7}T
zxV~(8f<_bu^d^pfAd~d4h$(X1{m6*n=tvFim`!QAoZM>#KF5A;MVY+gv*V9jDs(->
z*uF^iVZSeDWP3sT`8udg^%BK2>VkFd<)L-NiuEUQ*4`Bk9XSInn{sLsMGJ^|ZICCB
zC|GZ~Fg8M^WFJXr)6-3rmQdm>f_$}%PHg~(rn6*=A|}=M)=5yj06`HkH{jw@_8aip
ztV18tQ8O#T!mP;r`qJCOv8pdOc9s7A`C2f^<>)z1`3o=_trh_s=orKJqie5lkCJ|@
z=%jX85ecn%O0M{k&nU%zG7G^Jw!jbp-|KJOpq7*N7d>M3PmbOHTFUJ$#^2qJvjRl}
zRrPn2stXAr?Z=(1mKa=s_!r()X~xv$*1qzC5#(-0Q_O7SBEj_ozurvbKMEbzCI1=<
zKu~PcY3qpT^l#cc!*tGEaAk$@ysq~A=AXKO13p2ohd?gdPj(!zMOP*TiiCqM&D-tY
ztSsD|7@XuZTNIoas^>2v?ZD!Sq%U1wO43bsl2sbjBTS}e1l9r2!lSRiot~p~kK#Jv
z4wyU*<w!l=AxS_d!P-KV=W;Q8X=<mk%dLRI*B>agDs=CLyT$<)HCsdL1iv7+Sp_Lm
zF*v94=z?gLA7ZFa93b~L0SzA>sHzb^vX$#0Z85Lw>BE)V@~dqcfNDJay_Rm%<8KUk
zu=i4X?z}*KxHDEZMP6#>HtXxmN)D-3gOP|0p4`sM)-O_Vk9xB(fDoC}5^Cw-5tTjU
zm6@t$f@a`y3FLTQ3VwV8#MZiin<p88MU<7@e{B$Iu;PIpI=)*QZg=flwMVSo)O~v>
z07ZZD)~<O24>bbbNZxtly~16K4@8p<W92k@VnbatmG}23+$nIsPC<9PFeb}?$s51W
zn@ToCra6Xbod~=<1Sr%cwc?d=WFwVob1HZ?R;cs4tCl8xdNz@7c(j>TnG|hU*)~SP
zH9wV^RVp@(IN55>G$<;cYh-NqbW5;sD87Pop7woMyy(6j7wcqVq@@Em8tgd5%N^M9
zK<on7iwSlmL-aiFlwi@wWH(Vc0gM|oU|p#}m2cJBz$Ky_3D^w&lR<=iIF6M>pBq_|
zs@-QUPl?_M7)g{WJGR#7F%dX;#u|Sn|9rmQTz_6sbi1WUu2KLTXyfbnsq${xFap>k
z5O4C%IT1M=Mo2L%T((BlKWnt#S|B;(fQG!81zU72)|cbh{P*VE$>*;AmlObdF>(eS
zJfTdRH>|W2jD&l4rH}7`X8}UPNcU?w#F_<r{-F`Q;jJ<UGi!_1i6=gdJQ>0468wrD
z`W5hB7t*gXCBDF4lw)oqf&aWlNrA56!b>fr9|Y<p#9?wl6|(LJ{d};c+pqIFGd2?X
z6zP`5Fx`leU~?;YgfJzf{vcm#ck*0c;RV2(-nvEyUkDu`vUbK!H6(FWHu7z)iy+DT
z0T;yxi~w98-10LV4RD22xo^I8@-G@SxsW3w$K@y#J%%}ubN+dehwr~y<UwDLPLTna
z@ewF3M@g9F5e9dn>4bk|wY*&oS1e0%wHBOjm>Q#Lm`SsQsqY3Ohq#CO{aj677<YHP
zE(@e~H>DOd)?;msU1EF@=(SfF)mJHB$j1UMnhbAOmgoBz>|w{rbfP>x(1LF(`x;(m
z-cTT%pA5PGp^T46UAelDTKs$$OC!pwkH&Lt9GKGPojN6lHt8WBIx<S~ET?ox3~Pgi
zDY3Vr9!<upeJ!PKJQ2If${&=g_59g9{Qr_(f6Ep&vR4jk-=?Gmc)kf$q|*mAnVm&j
zVxa^CZ#b(zfa!P?Fw%ZM`t92hFP@n-bM<W1#NaZg+sUBA-N%`_?nm5&cXXZ38NHdQ
zl6ifbafC>(4!&`#e2@Qq8}m581!46A@cTdL=m!a&%t@3RFLMSrMa{k6D!bCsSsedp
z16?w1FXnfQ3*h@44#vC$)OlvpM~#iZ!D>I9U31HAT}hCXC2z9l*v3#?d9tDwA>had
ztC8<%Fy$YD&rj*aznx9<zlZ+(hu>0gnh5lEtb8oA`YF;>O}GF{(xDXtH0O48CRO!g
zZ?&dRb}{AXo>@KX5~m>bwG7b*8GCm@NyKy_yZbeqf(hEeZ6wULFP#@~_9XSBmNfwR
zfRp+xDSpd*0Jg7gx65KA>yD-bRE$k7j~x-#f#4wabwq%6>{&Z~?)#ZN${>h8C(Jp>
z9zCj?*X{Q48}M7yyOXka@4I-vUs3ASBEeEEKs%n!n|*=pA)taNa%i~mr;w^s?=8rw
zWt1QSYwpbBK@&m>Iz*bUMtocvkJ+%O`8pKGGP6!<C(J6TQ^l_eVCJ74T1$#nv!5Cv
z5t5q!43&a@4hj88FEu5(vz!P2S$?TYh^1Tv-B=oMB;iu!(_^I`WB;qY^A2k&ZP&dW
zN0jI%h>8%!Q9x8i5s;P$h>XKPKtx1JRCG`=AkrbpvZElPqM}klQHnq!U0R|dgd$B!
zkQRCi5E2s7v(Ab$dp^H%%C*nl=j;N1<hr;ZYb9&F>v^B|dGF``(T9`5ZIS*daxR^1
zl84@qDh|tD0^`-xI}P`osKWf<UxHK`4nNB+50Hr3ObZd8o~v<7V6HI1tvzU!-r#?-
zM?YlueUTQ*v8;_=eSqN69ms??ar%<BI-v9y5#-3)p|YoIQ+<}t_(Lusw8R}#&ZL0S
zLX1%FS%VtpKY#0zdQd3gP0j=Kjco~^lKx3XdcYw3ZzX+iL(W3};Y(rJ2A=N=^-qz_
zEcy)UyAHG8L~WM4qN?yPS!Va-RhhPipr7QZmhe8HFsEo+!B-AT0nuNE9Z(8U{YmqH
z=4h$!Qv&<7a2g+o4|a9rHCOmIEq1Q{siQkxocIzJ9VxQ8TIA)Ls4K|K{W3B)!EX1N
zQQFSC|7dqJkxSZg0UPC^^#=9;`y5ixx|Rh_@78EvVc73($d13l6tv?Kx|5*-hS<VD
z-#<FR2-*3@&ytd8Q|cL?c*dcWvBejK^q7H?QLeVfIOA&naW~iPE@q7q|AISEE1C|4
zm+4}dp;=@kSL&3wg(DCz8ahy<?)F~KNP??S{B#WWeud$~J(smLdbD*mQ?tZR9$+#I
z*#ZY!Q&>CcZ)I=G$hB7s?w$3c?zE57)_1&|;eR>>tzve?@Sz&!04|1x*@9cW|8oBY
z2a3<h-smoa<wm%<lV&iXKN{oc+6TF%i>eD5X>R*;pLrDzL5YDdc%;wofMxr(G}%=m
zR*+i9f*S+x$s2!ueNOKLexlEBZ<tZfFDHUsXEgYy#?ShP5E)_eqn}2O!{axD&|Vr}
z4{BU0RWa6wbEY5bP9!(ipW310{?77<U!X+D)s5>T-pIXN$J6Sq*&4aUV}~_}<MkGk
zV-dnfw2jebc>c@3)RZ+nU`PBqy_EAHCkD#467a*9pxzW!+D)6B>o2vL453?EK4n>F
z_U|oAoD$OSElV3;s)Xlye3yhy{jEsyzibW~6WVl=(EWOR^r8M`$8#zng5}?}E9th8
zN#E}`KuZ@l1r;s*<Nu|)l|1%&N0O#<^{J9&(bgr|4B!F%`yKiDzYE2fd8{8p1u?@w
z`7g(HVJ|vNs2I)Od<ltuf{cl@N959@@#aO?r4yRoP_I@3;nTJd!LU>l-;^rc!Y#wd
zC3HUX9xh!vYG(}jF@E+TUUX7uV{Q%aBLcfT+tc@f+75V|k#b>FJiV0^kbSTXmZ)2$
zM`hZ)mm7JbPAJON0+a~F5Zod;PSAYndEGtH&Fts|XnzHocG5(bTzJE6bH5l1?0R~j
z+`Ck%nA2{e8IC8#`@+0Yn8uR;H~p9-6I%BxYqtgHbIGK+k)%p`Sh>)3*PUdR>gJ))
zT~Oy%W|4MH8N4RSv{HX@uZ7q1FoOI!6YyKf?;Ak#8^c7VQ_*+0oHuzVT3?@Ru5zHO
zFr@WJ%=}DqW^PSQV4?1^Qe4bIWzL`%7xD$)^L0{Qf_OkV{i9&>c1=9di~L^VM696C
z4Hk`P7`4Ol28OoKlHWn`RToZFHX&YW^*bSgTv;|RagGX5<!BK+N_zrL#e8ftRb%55
zxmmqsez?RG7rCVPix0HpI%C(MA+34DYKlej=o7@%8#XhqD{&UEA^jK8ZW$q2f!Dpd
zo_mU&Y(LO$)R#VZ<I={p^Wc=X#n;E?mY*gGe;jt<9<3?f22Ia4Va3&p66$`SeZI{J
zhVxBiklpS~mfs_V=$yv<LnrospL?nmH)YDa<0}1%W!2)=KdT~@CY{5AQSS4WYPvzL
zgWMC$bHA;|N~KFzVz!*}|EW{CGy8UW{R$==c>z)`R_YdLH$#57d;j|O1%c>-Ky*PM
z`v1RKX+a>mAP`*;h%N|3|KD{kEeJ#x1fmN9(SHN==RcG`Ws*`ziTWKtYe68oAP`*;
zh%N|3|6tK92t*eIqKE~7=z>6WK_L3S@oicVh_00RlKx+`&@Tu?|Jhdjf<SaZAi5wB
zT@Z*a2t*eIq6-4if4xBT?>JuzGSUBDGSQRSciC;}hyd;$I(tvhAs3A@?cT+|DJM!f
z=_E2JqJR&W9)PGA5S^n_aXr)=GNX)~HGLD}h&7$WF(H&#sbq&vNUd|3|C?!R3dfqZ
ze>@ZdVTCm&Mh7Ik*TZmX;r*vV-Hr^g93)CnR!1=WTXgpJTURu`vz)r@c3AKbCU|H(
zLjc8NBzX;)(`BU|X0HSFvbAZs2{WY01tNP{WWglOFjJbw?`SW@-_c&A4SK<jEvGa3
zKX~mq_0Bey`*GPc(ZO<!l2J95wPYnOkCfXEFV?|1T5+u~-mxM%ICgf*=+>3Q?>GQO
zyHe~P^3!~TY3=FQy7c(M3eIaCHyqRw$o(pzK}@LZZvSY=j6ACdlNlb1;@?7@tQgfJ
zIai2BbbREsP+?uICw#C&Do#4s0r@7b*&cPf(;IhP;^SnWh*pVKoxO33ap<><=rEnG
z=FvPye8ye&9fR_L%RN2nzi_p0{bc(cd_zUqK2bcZL1#TxMI;{@FsD5Z8`UM0c#Gb`
zL~jGiqRqk?Jx^v9rJC1eL0l^1Ra%OR`^2LLunl&HESKRfSy;+59j<?n-?Zx#|6pxM
zZpvh{Y1JCI?r+f~!D;I%)!MQIh)N{`oy8X-N3>8c91pjge2C!QUfb9z>+zR0qXjH3
zWBe6Ytt?nyOXZA(#@=T<-!>*T{H;SJWDFHZd%nX0Q4`6F+GhpXv=Rz$HV_HCzu^6G
zaaU{JJy<u`A$=qL*Eu2R?@H-`T=g01HIVJ26P#-g513a{L!9}jEpdE?3ZJb@7H>zg
zx6?ebrqcZ7HfG#bj93c6s4^^<DXk55B&Zd*+hthF(<Y3Lk3Wp}|5BY5O`3n@QPUBx
zzKT>j`oS>$?qKOAE9BKaxcNI9=*mMTU>1o%kkUE#e`ZDte*K=1uuY?@n9tXG^6w@w
z{<y;O358`Kt#;16Wsuk<P~9#@Job@}`ncmbRshFYM8$rlW_P>K=f&ozfqW{VP<Mms
zxOsY)L9+4tm464GD!kjz>n)5>w79({>E~p*=XTpZ1}woPU}zc%Uy}7}gKlroNx4vt
zec^C;-51?9IAr%Y(g_(*7)(*`>K8hMua}d7wxxj0pUrk(Edu1){%xQPYV03e$oi$M
zh>LaLzG`-!4wm?KnsJMqt7lT33|UWh&c<kh{c!QkfW^aKoAC3h)6t=Asa-c#Vk{`v
zo()D8`<Mq^^VNKXWfbEXlgo92&AQQ<mdkVyZ3uTqyN$b2_~{mHqqkSmw47%y!nH4C
zphB}Gp-kVcOv3IL&_gdaPh`B&_!bQQKzH-2=;Z`PT9p3m-<z79lcc*7om6}fA$R|q
ziKfp)((k3H*9@ug-W37&QKABrOY{gY%wOU+q3}~#lKKs`TS+&}_xu#xVnIp&MD=Y-
zzw8<wor(skPfB(jYlbYx3XO%k+*dv_Rl1TEp_x<!0l*}A_9GT6$0q(mI#bAte)xCq
z34A60?npX?6no?38(8O7xxCw$ky~LS5J2K7;Y;osJu3uImkBYy17t29`nyxG{c`wz
zp_h@kah;UiC<n~S(Oa70_<o2nzZ2jrTv}Ne&tu(F#BZ*voXm~JO{wDIzNnst_Au3<
zOZ;aaVerg9_7U#%DEJQrofrz5s!c1-I=wrNjr+x5e~mizWbGG#j^pJpUq|DI^{PD{
z!pUjN*faU5<?0TiMHL<l2#Rwt9bVD}wTn@?ryabKM(aeS_}GaloyGcI-?|8uaWh%p
zx(Ma(j8>nS>fHQn3r+YWW2{TGsZ6F@{%wOjc|4MQft#XSF+LUhY02#;6oCOa`r>nb
zA~!o9@c}(<kId_%rt3A=rf>aGH+E*xddNQWsLY%ja)h->^5KuqMI|0mC}6ejw2d=C
z`oA-U4+Xj&d55aGGM#sS?Co{}*5WSa>!Wf9To(Cw@79oWimBBQKs)5APJ|gQ!TljA
z5k71xm#6nl6i+m~GHk_-JNb$fX=4}{k=2S8y^=Q`b_&ee>zP4njP<`cmR!GyJ$|^j
zEAX|jzkew!kTtzTXhKhl55~WTtnVg+1i6AvCBYPv+Xx@VVs5Z&f(4^w+lieBA#P?<
zWkp0lqD4l?vKcpO4?=K?`$JWF=PpRnS~k|u-J3QwHJI9`!A;CX6kE5*JlNjU=(E}K
zrFx}nUdk1>j}(mlmVrY<eJ7uHr)12s3eloM20i>Ep>~9!J_+89=HCqfX@G=A$`V33
zp!l9gEsL<$qviVE2}jVibm^}UgY-uk^OK)ee`Y)6t`cWTzbm*CO)kBzSo2Ht@W#rM
z{#Qu&C{~f7inSno4@NxNPY#fL$qM6H8d{{q@HV!S_$AeWv0lQovqbz{o$0h=;N9fT
zbg|kTrY<@&etNTVs7boF=dZCsqmaT9f*sAg;YGdQH2z+R@4d;JsXg9r{8kSp*Yq3Z
zk|6r}@Y5LYgm>b$o|(tGmt*7!u<A3gvd15gWcNGS;;D`sP0T0WL^pVn^;~rpF}Z#z
z)c^VyoLXe7fa&^bX0O2|sDD-Wm6e|pcV$zMr{C^s46D$zWAq)N|67}46RRvvgL83B
z)|zhNkI(AWWR~S?A~ezS=g}SW*YN|ptJW9dX2$R{r48VI)NM+<%${^WQD)i$dF=kz
z>tA%o?NzF5<|{<`nksSH%a3;}4fn$SzJYNEH2XiNLTF}`bQtAcKbz(l7oq7vxuy?w
zg?-F~+^C`#W9AE9oQ<i<?=rv^<g%2yl3Iujar!R{g2HX1ERPgrC2VV+j{8)Sq>Rp@
zbF{o`PoT$nzQP2zFAymHKO6nx|8y6nK^;9d5L-<iR3e=OZil0H*J~W(SLM^i4RkD(
zfROT|K|VGC%6J}s4=rc$Y^K^4pH~^(Qe%62W|6r{_y*P0^UL+U1}5@8h^Vkr5Ke4%
z_4KL(&@P62B*Zq2*rj-^4YjyRevf#p5#UVHbe>5*>WDw;z9{jRdk*0(eunUU|HLIO
z`Npr3i$hwi{|lEmXG_HogoC5WhZm2ikOx#6CHFiKk3KT326#!c@KT=X=)P!YWoOM-
zZAhS8>w7Te-vKwmmi{dS{Y<L*Dicu9ga#fD#~>zRx}^IO`JXh1)Ra^P!8+&~)X*9E
z>O0_DRD>o$Izb@sy)kQSQ=WiI;xiHJ3R=c6Vsiuk`;zuVtv}<~pWexz_ompb9pF8;
zTf`y_*{vQh;LI7@sfjwNiG_YP-StquZoFzIz+_4)3KgowT#A&|^ett-we|+T9uSbS
z)g<FqBxxgEQ07t@%<&f*KZN~`2Z`5L!TsenrPN~aunb`yEgg?`2fupEaOFJ(rM6EU
z>2ry^@^&j+n^g`(s3d#iP!vYrt#6amjc^yIjb9aIM=RaM-3z74xcZkwoj-g?_FWbm
ze_L;oBDW5Hkb}G8#>4UBUkis51)n{M-H545#O2-@kLCd*gV)CIcQ=gT`eK~EQKLzC
zZkCnVim$d-kY(TaD)sI!6HF*(m3=eDkR6>$t+rI;i<>|(*C`A!;(!>*o_?)^o0zQ9
z!L$BYSA#dAXC6WJVeLhGpt8e7%?IL|XmQOX4L?mg0v+2(D#LsV4WzP_sv%9;yi><*
z-#Hf}iE8iCK;>_J-ZGsQzw^!AC0ym|Nz(jmqzAX&11dyNI0`SUOegJwdVHX}>--X;
zzGwGwi9v<pbdW<hK@gP?%7iU&NekCBFF=fl&>T0{C@qs>1kEtXTN#)3JcC9=-l{*c
z=T<rAHT?>efReCvC|9kJXdUca934wk{l||{diPk!qyr(8>J)hT9xA~fdKl_b>0`i2
z2@{k6#lis|-^Yo`_X8Uytw9m8Oh}M^L|-^>ECWpE;0KiP16z=iR%C^+0Lrr4>5?)a
zNFpByh^YW}j|-KaWBG(?Iuqm6gqxW=0Sx(IuXMvdZp*m6mK;h``uSGGZV{9yzL&$k
z7b<%L{BVFjS<%O+IJN1UE2d1-_8__n@^g7*{Qe+Zj9^xT@|z?CC(0}UB6~l;DyTqN
z>DVK(_pc)=6qX8Y`T8+cW-xUUE=dInLO*+`<&SDp*xIz|nhw^kl=5$6RBn!s8@$=O
zPu$p^3YR?B-4vlCtmVh`ang(<wnMksiNM`PWj<{&ZPs!A5X|}c&OXO9$glLur8e`G
zmc77ylk{szV84T=qO**d2$9?<7epAJux??{k%0ZSvTakDHg5}D!}+kF8l-|;*Tt6D
z$}s7Rz+Wvb70G#(Iv;WME`51>?`B+MFGtTV_pExFtiEdb8YNqQ610q7tMjIr7)A+9
z@E{z{6h4w@fWw6N7>3=t5kP=O0Fp3FzYMe7BrG{0qKIR`t8SW^)Azy8P31nlBz@Yt
zkK0)4HL{uzQ3i8PP*T=<9!x>J-p{%C)E2PfUCR+qQzXSsbe1YT7oUjj8^gJ4Z~yDK
zJXot<hmw|nX?v31qfEZgqB89^3Tg@B+IATZGXLYfVDS)~BHi3{eBEn&LOAM)oymky
z^ZAv#shEtD``Z*0QKclMhU@Be6uvTemYeM<nd6#P!6MYLFK>AXIa*4qG@Xdps!3>c
zp-uvWhnFioLZ#gDNZMe2Yt=3+E<8*L^$u}(-EstLJ<^v8m7LD3p(U*T);k1U*^eyW
z$CghBo3&EJ{5zIU0C6<PQeCcyht<KP{jfwOJIEKv?vVYu+o+dqXYZ1WD)mTEjzk&N
zJ#qNaOcx?t7@$Uh?g{_m7{cB>_qM)!#rq|YlaTE6Ta;}1p)mA7@>_FJa)jo4S_uDC
zleRl6f=k01y^uM9%I@qzge`|*0?4k8wSm|OMv)uY)D&D@dW{_f1wrSE`9e}f>a{$~
zy4Ujp4g0ng()Pqm^}4-;!(Y?xsynaJ5)S_op*a8*fYw@BDmFV|x8Q!Ul!ZCDskO4w
zWU*ADiJV=Ed@GdAO((uJl>hz|#OzL)t@i*u<|5Bu6!q@`a;N+VqMmlB+{C=F9s;_)
zOY7gqF}D8^=6*2K@<|s}=WV-&^E)~xD8=9MNiu0}Tut-&c$TT`%f64?`heWniW?kO
zN8B^twu2x8B*=mi`^sY|{B<+u+_OkP6Ea^qSM4L717q8*`{ux+(6;TEgv(R|T&qD&
z<X_xcKFOjT9tvZM$2hIbQ+D>oLbvehBx<B4C-dQ#D3!{{oxP@nBP}|S?K;n1|9s<q
z*CVrzZidE5^Mi`+%LYiyazTR+A`I1zdU+S}KjPoc6Q6a)f7ngAP!x0hyX#$aH&2_u
zbtY8oeK4yPv+to<QR_O0Ms;c1IpuHRtSAM&OJqu)Gfkx&-|*Lg{PVi=*C?~feL>tl
zh+Ch3==XQYrmN!Rk8I3P>6Fy4_eNMuIQqwWS}@-Tr7`r^Q6_^$4h(;r;ig=FK4TL4
z?MxlXciEj(L?CwnE*;3?g_3xe&d2}tlm2Pq@!f=C^)EV#?_>X;E(|l@xT3$u3s1`@
zyx`FxrvXl|2q^~tFp`D1x{Hq;HuNn$`p2{iJp-e!?p_`Ak5T)5L_))(;pn=NPZK*$
zzeOI|OI(b4-Mv<u&~HOl_M-1Ord}6@Wac|Hfr&nDrUP-L0?EMHiJiFnaD0~)5zj*7
z8YYVYHl2iLj^WR8jgb;KjR#7#qA!ia_NNmOZ-qH<$#t$54gSYz2L?m<1l-3-Wsplt
zOi%`f!u#F{n_#9vq%liYK7F>yiNYO1zC)x+*_04LSFEi!ed_q(<ZJ9Va4ESR5RL>9
zr2ra?Ke5wwcke40%a6oox5FjXq-;E>OwScQHNehIdQzkx+DT+Vw-dl;fakeZAlHfJ
z^T4}@D5k-seeDFXl$niZSkXJ?(aVs2l1L|t!~x0qSt0T3e7NkoLYJ%elMcYM$U;h|
z=_i#@2X&-9+V1a!T)21!I^8HKN7^4tFA+|7p?e;5D@E*}%sqg+cT1xHp3ey+h(VV?
zUtClSy*&qwmVC^D{_CrTi?Y4GRuXom7-*j?24{IrLS8dPl$cL8kZ>xQ-flT~)}tS>
zVrxR#s3#zag^KL0#q?x3XL$GZ&(UCAQ!!5AYBP6@*%p3{7mc#VfxI?a+HkL7VrRur
zEP1Falm&h)2J8KB$CUtXgF%M`6r67|q`?$brNcac*XvH~sEV~En(MJ(c<z`J<;u{c
z@Ttg_cmpp<9dE6jT0$TX*a$QzqPQ%yq|c}OU0wtLa8xMeLY5A2wwv-}=P`xZIFl1)
zJwr{+<?kL?Sg<a8FUHVAcF0*6ZvIHUtc!OFW<FZ)?gbAyYx;KYECzo2m%(-lI1~+D
zz*sXd7i?M(Z5q{sUCRW6;3zRUnb(S#HDUV@qy0|qiuD`ss7#*nkdNcio5QYNQvH$+
zgyYfSKP~sVI%#Nh1V=gU7Doi%_%uGx1i_ZtzQ;5opc1Tr$wyaca)8cbAQ05#arpx2
zTEYx`dbkdZk|1|b1nHo>QHjkaA^1vIQ6H8%m^<sE)oZ~#)Aj5n^K}T##XY~#l6RAv
zKc|iih9A_K`3Oj0KCa5%cuoibZzVEDOK)(6s`(R5>90G6PFOy%S*59XSkokf|3Tsf
zi0L_`iw*;~L?nE75K&&EOwoSys&j;9r?4oT9vX;RcYZyk>?mn`KwwSx#YtB5Yn%3g
zv&uk^kV^xngL0HfGpcVMzSonF*>wi@-tlb}^?k6zl_qVT!*Y2VNv`_~_`}(uAaE|4
zn3Z|l5nw9!<qGd9Lo=_7Jt8*vX5$C=$IdNAoG9)Z(;C=f(EhWaX>cucJK~5t;Q0-F
zw@qDk*TydY>g{q@IpLH;IUDh;w^5BOW--MyuBg6S+gi|_qtc-gH?Gy|!F=&LlW9hb
z?K-^YX}#7R*}ZVOGaBtW2LnvU6iS@vp$(0E<epm=#|WF^_Uk9k+aw};bsa(Fcdoa6
z6I82NpZjstEF>k!ER+itB-%U9Ja3-66eHM}8m1N#E(FhM6xY72MAz<DaC2asQAj}l
zRPZeDcKns`j+fWb(itDub2i?On>?=hXo^3Oq#uV3*5ju|6psojqcO6Z9Rqg9I03WT
z$l}m31Kh>#rsB=jqaY36U+C%eTPE1*sbo){ilP?@AA#(~b`4-izJrGncK{{A+jMbZ
zyK=?+`LT1_9=F4j2hAchD=$w58B8c4BC6t^S4ksDAuLsRl~CXl(jr_lr;Fz8DBdu;
zomSweYRmg+=A@GXJj9}WC=0BeR7G<sL^RFkp;ec0h&}v?D0t;SnL>!-Q~VIU0x!8U
zwEePU(Vz$HIyHJa*@E6#?mB!EI|E?DYqSk#LCvv#kD^T!Z3~rE8GhtffM3VvwvrKP
zF))dAy|8ZiXm(ld#@IBn97D2q_tW}))mH;nic}pKI8AErOJ{b)`j3B^65c<J<*n}F
zloZ#C!X^z(IO4u%k)azf@+@7d7%=35?XIO;{6l7j^_~5spQrpW^$&@eg#~*=*m<T<
z4RJu+w?0D26&&|dqX=sOR&=BAptkR`p{J+_u~bLO84mGX|J>)Q9>-N!1>i8;GNw4U
zh?LhB8ZSBeBo=Ju5s}N2&7mZX3=|4qpuv&$81nR_;n!6|;`JIg)NA3AS~x-b{%5U}
zq<rm+;75y1JKK@quGRaIvwle54yJS)HT^tC>Bp!!^;OLzL{$pFw(*cw>PSDA!VRNF
z;3Q7Np8Kn-Ob<hMN8tcP>Vpmo1c}Actadn=q1=Ja9oX)Sg;swiH3H4p8RJp0+~;%~
z{Fo>HoMd7H`g2b!V*cV2;h}C0Qf!!%ug1<OXB&IqMH=|o9;@1T;Z~~7U@H<h-GQhY
znLhsh#r7x_hQr<qt;nYKW?;Vs?CLo#3VHq`8T52vwp5}5Ilj)c$omLe4P57Ybk!$q
zBfTTX=~=30A5w%FY8WCcOtEs<>%0S9?}*{N7ePaMG<NLN{>?Yn<QNxIk+r8|_tmt3
zDxh=?BTR5JUb;^QVc;F+G>JWUYW?tIrzRx%i@RSEa4B{-=}==kt>O0NT_^UnHCBl3
zcuO2yA5Zk5^kTX0UXOs!PtR_8d9$mr@bZK^l-9FT00cZif-V(2=4LT0iF2L~%|r95
z;^ShAxizk^3UJmLd>-R%t9p5#`&{?F1Ija`uIfSg0rl|?QpaBAcF7#CtTMC%2_n~o
zByI|YhoY&?qMBqhIE!M|XY$&c=fad{t8i=i17VL|u9vh*&4<cSp=P1{bi?s;EGvo9
zi03X;T$0|PU)M-UOl4DM$p*gmSDR{^7Qu4s(Vtg;Jr$8$&VSioDgx|9>vKFPR!2&b
zaQ9GdSN4i32qIQM?hO%LBp|p-YMGMxNr*^HATj~24V_&RH-w^*dgjW0No$OZy9R!G
z9jyH+Q!=Nh7u22CLJJAhdS&-xKOsWFeED*vjTf@2V4y+qU3FFW_|x}iLY~^xmU?54
z<qp&EyyC_Pcnyx_1uwNoL=2ArsuqN)6O>Ef#!ipy2vfiDofU&VC;Fqz_YI-IahMZ@
zlYj=or#dYn0;LnkJGMvoOXkBBd0aF1OzB?kZ&&X0-N(KTM-AOK&FDp9)%9a(l{wXu
zA%|ADhR;xi%~il`9<>5#60X*1F|A-^OktRY76=w8?Gcwwwx=Ct@x`k+p=I4?vZ)Q)
zlJ?@vgW*^?v<ETVN$}dMY8%i-tzZmxQM$}2=Vos@b$O{x#CXpXdQTq2vev*!YSg{K
zJxWbw^{fbb`4@z~tuIT@482}&#RNOo!l<H``!0Gf%z~M|`6k^jC*YImPym|xLze{3
zn^a+=BuUuX>MbIR(xMNz>~}tW?$fCj_!|`PLhP16tXt69{87xxrrWIoV=MH^@K-LB
zZ0A1hOICLZKZiAp?8?T}`c5--X3BW?o`?GU)IlvHXXaWXQny@YlZ1L2-c81NLZq3b
z-P07Mc{V6FNj{-(Ma?#n;imf5o&HV5dz%ur;DwaENCk;FE`P<?7s2wE4iXo2G(ye|
zB>FSY%<6sMHiMBfadd5~DZ*sAw|po7#^QhDLV4g6*A#d$=G4dE<B8-*SvsQdEHofu
zoL~mCT03~wMCYwLuR=rn)4}w+AA_&9R*dPNAEHCck`XF?WUNVn9jAEg+7in>udXSp
zH&@i_JX;>IzLRxhsj%5PZg}z_ano3!KWT6!J`_nK%D;-<r-%rCT`^~!SFkM$XqRi2
zxRxFz*@f^fZKFI7M<vbXYLeY6X~B2S8K0~n59G`iCev|a(Ma}aSi8{OC(ymb3MsLm
zzn%-1=ijUx2}};tos7{GAI-@{rMv@r<J_fe_^uE(AeNIt!HnStGc~<HgXLPeKh<XX
z^?El+e4RZrRE=l0?;j5YCo8(=MB7xjX2zU;)i3n{ZWiA4Tu0TX+f?kpGpM=beWhw~
zJVMyW(|qheEaK_)-Chp@{oA%^KG>W^r}+kW58o6O?qR1h{L1*R_?O~_OL#!fdRW}@
z4mi&uPu%MIb9JWS+MXC6;U+YACcQp(bmOJfrKFNfzYcpUBlI(}c9Nj5s2~&GLq-R&
zFxF9DedBtD;=mYET~76c+7sBumkvxT_xU>+p_Wi3>i4+f<5t#tYUYYzM+qY#)OK}6
zbW)hk2^SA$RwhqK?2p5e$nOaJ4~0@+8<#O8ySMMb#<!O6{fM-|q7vrRW$X4eZi&Vv
z-b63&hxRJ8nxx_laYe7^<ez<hv@x$x(SoVk^~9JmFA|coc{Q^>nelC?6fspt+^M&B
z&H)rTG&NdT1An<qS|O1Fg0Jn-75({LQm%*r4JC<QDiQv0KthEQW-Vi7`~G}1_i0vi
z`Fy|XRg1Qi8$(sMJakg{osetujK$M-+-qU}552FP_%?OBO(Hgkza$~CpO6yE&1BIL
z`0Xd$pdPi7QPeL1q4BxlUxAR``VOCE6)oa0{~pq`$(QK(==G2>mc<3-;G3CuQ|R|T
zq9<R>8QY7mQ*XwGnYJB*8Q}`Zi1@PbqO)5VL#Il66GggDvWTiGZ-UEKmr9V`q0D(P
z{(?>0{I-&96|S`M8Yix=jb)-!lg;^>JB%#;Mz{Lk444I4N2K@l^Ro56CP4s~rBRu=
z!isYT(i)>gTVG&4SWN|%_7I6$8zxL&pA47|HGw?Yf`3H>D$GO{r!K9qkTj22OC6D7
z_x+PuejNity^z7qEJa24Ji(X4aJ*V}EiswfKc5vZIwk2a#oy?nUR_e)l@oQ{d!%WC
z<3u-qccGN)LT7OCD`T@lL*TRc@xJa!xY1VK6>fcFMU!D=`?>D)r~A-tPLvfBg7HLo
zVrzE=0i-?LRHuda2Pd&U7O}0woXAucKh?zTg#jg9cap`nIj=GA0fOlDrn>a8H={N@
zJ!-FMRoM=|k1y;f>qiWL;hZeG;6->-<5h8z07mCVGSG{2YeRhZ#ybK$PvF(`Qu2vU
z2Fp3zlwXQ>2AxkQ&3(Q;_@TQ`u-=oWxK8tMb0brgW&T5{)=nrnS*^6;_`^eTRq{Hv
zKU3=4eINVvmO7aoMvpx*!B09I=-KW>S@KC6$F>$;go}(|M*IXVH~JPRB#7JE<vMP!
zhepO4Z&0^V@mR3OY^fAezm%|cz`)V#4Eyw4WpS(0&v>C%BH4S$5mSu+I*lSp?BfoR
zq?LWNr3xySKLYa%LW%T%0xYKlNT9-p*-h}X<AY>I)_zy(2Su3(@%*l=v52thfca9n
z5LIhn%%bopy?H4mYmpP-4mNw*TMk}(6Pv^ODHa>?rWInVm(}yRo#lQ}YHFj3_U}Ab
zqZurGv6X8ms{N!S5l_(N2&pk8R2VVnHPQ6_-hC}r*gR`ju|r}HWLwq{JeY>|onV+)
zl&otXJ!w4Oe3UR_s$h>{y%7ubaKxpc8<LzV_chrtW13hQU|bLovMFE3dE$6C@w9y0
zj7F)W=BsF0vS2hZ&`pGE(8G|4+MRap%RC@1Y6G*k=@Jqulex4?-5E3C8BFVrvOaVH
z4O-u90!C-+z>?m%dW^4WS{$p_59e~%24vo#6tgNl9uoB6d#PLa`AQek0dLpNLnsZ6
zX1z2Yhf+gU=k@0o<~mFDXdgBLMYJt5=3~mc6SkYJ=7K7C&4R<bEd(6B0U93dH|dwL
zWse|0tsh&%{5<ShBe-u~N05GC=14h@{C0<(lq7{rmA_jPZ>E(ruCiLyVSoJ6XLUC_
zh068bOO`K@%+YZvOKwP$3G+K5G+kj6q^n%=WJiVa;p3|p6DN4UW~Rrh=yx3J3oM^0
z<@ys9;+O_o@)w&>xu+J0i!5upAOM53jLM~m8dSPKfl8kl?5R1~ff|QhDSTu>Zmp~|
z2j^MM!%;^N{MSc?$89xeW>ZqTAJwF~EtFgYu;@)fxIx@HC_}CE@t-~INKxA?B@|6X
z8Uf=}g-~v^SMg16=^6RBFOm0~DD*PbuNfe#Jq$vChql~=l?Uea)F*ZsjS3r)g7N+B
z8V&2g9{A`Iz^%ypr#Ggt+>;Db`~-Y%+RuH+Wr_bJ;i@ZbGp44c(G;Nx=V+nIcj>6b
zvX{Hkde-_CY8~hR1+M=4BbK@q1Ti&cJ4*s9`lvwPxLG=NrY%tLs`HLmB@8}E=q8n(
z_tAoiEX%%zdz1A}(75=^ZccC1G6d6I;yyq3G1FTf*SM2lFj6wPU2Y{n5`~c-c;+zR
z`?Ev1f_zKn4_(2}eoh-?+5=5(W3k<5KX>}AEXm~w^;Zjy8W$-BaUDR8ctUufn&2l+
zO(3yD)f5c`IZaus@*bm?VExgY?7$b^)Ba5@+pud`KD(+*+IrX!xMi#+Gk5p-^f1_Z
z0_k2ULac`5pcuy(zarGT8<<7eAistL#&TgVyx^WY5c}9x6oJ>xu_{czwu$&{!ohx7
zhN$);8tE#TfT}-}AiovqtbDc2>U!1#62lENA$9+hb@v$fiM7uma(j?5RF(R`>(SgY
z`@>p%@@}7lyF#%hk@V%}Be^QYKOEO6Y#zIYP4}eFjy(hB28!b)nPWEn4Rtp!Pk@{t
z+y$ssLIu8d?jV_Hj!CJ&n^`<jCFRP-2h$bB(VlJFYELN)%+7-2#PA0mzum)~SQ)gG
zBKC17BXo`(9|@lo?^>C-CSLhWTz>1$Y)a0oHB^lqmM7eA(aASGplH`OXG-@gzsm-F
z#va(Oz4PIx)%4U<joD+3?v+PBEe*bQBddRS@s^%|?5zjitt37r*=db9#T@H?MZWI&
zruo1JeF49_<?`cbWrw+wKleGl73+F^LE49O1jKFt?pp=!Mx=y(&3312Usvh<wV=kw
zqxDskdBrauVui`lPvk|H_7gh_we2#CJE@~8Zo2ZH@VE5mF?|GKQm&Y1r#Swy<96-}
z(%zN!i-Ne4L5Y7&zW<D43H?c<Z?{jRAAx2)XW({amHpWyC-1g5q^bAF!)6;fTS-O9
zKC^)3P+IlJm2O{-q@EJ0)ZL-1R&*Ruc2EizzCpz98C|sU&~xap{EfffT@t4^u}Jpw
y9=@&ay>pDhw_n8TQdY<R%O40!p8R-}t+6J>MCG%h`3l)T9JRDPOf)}z<9`4udcR8m

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeLinuxSuccessfulBuild.png b/docs/GettingStartedDocs/images/VSCodeLinuxSuccessfulBuild.png
new file mode 100644
index 0000000000000000000000000000000000000000..316ff6d126b6193dd1093128e17b7b0d1c7ef806
GIT binary patch
literal 103583
zcmdRVcT|(<+h!ccaTFC56_pYlM^I^E0cnXk2r>$hA|0Y40zzQuHHi%oDNzv+A&COg
zdr1r}3Q7i|L^>ou#1I37P?G?u`{Mk*-}mkA**&}G>_5vnoV<C{p7(z5=ee%?y6z|O
zijC#g&HFclK%lKw7tQTJpr2tN(E6HRe*w<i+a&e`9@d50S)K<~bg51OPk#0}XMGL?
zs>Uctu5SRIZ~E(^ODG7mt!?dp9VMvfCI}>dV`YBMA<A<`>R;u~#?D0>-_W@6{c}@x
z77nL;wJ>$ZFNbt%b|?q$aJu{U&udl3Ek+(Zd4J_V^2ZC;Jf0|o>R(e)*?04<zViBt
z8gtTLq)v+WOihYnc+7Xz_R(%7HT^;uzj(4}@{v6!jGu&B`Xn>Ul7EuN44}*1Ny}Z$
z#0b>xg+%PCDJ^E8RyVdX4&|D)T78mcdU72wU=ZklMbu9}4!+!*|M|zks}19uejJ=t
zXjS@gaA(g0%^wFKonL`~to^xua*GO~H)!>c->#NUr7fehu&CLFs;xg>eE0O0XKR}M
zAX)=C^O|f0W}wcfAy>#Z@o(j^Q_qtsw=vfLc%SOg@2a?*xT)~wujVcMOuvt><<A@?
zQSF~-tQP6@w_E=8WjAcbI|_Bl`pB90_%|4{`N3v9L$Po-dI5ecm;Jr>^&bf*%uuWB
z%#E1L$C~)KkmCgjVAL6@Xpr0mrA8!qQ!{j?l*ua}n^HT#X>Trbs5F$YmY+q7(<q}v
zg?*}r<u&-70+TmhnhJU;vzQEum)$ZK0Ka`^5xFv+fE@{;>WnWYvESWY@3-{*^L1<)
zoD7l9CqOTA2R_RVSy(*O)O3&b7Y)_Q@nN5Q<}UfXT~sm*v<5R4dLN^sKWFyXqGj-h
zs8i7KL=EE03DN!C)-lSrb6=nRfVto>&}Xne4PoCKQfoV_x#4u4hVjx4oUb^8o=@`2
zHB6L3@TWZ04AFr)eG^8;m3hosjY|urN6?y0hYn6=(a3(*=%l(-UGcs7iN9ZY1#sR<
zW%Rjoy`=m_TTWK09EMs<>q0B`+3=|T3LIP5Ak%~fzCWxD1&85Ic|fz<Zw~G;0aLj-
z0v}Fsx*Ob@^K3f1{YKxdK9UZC(QnRpz0k!WjntLn+HZ^hCRp>(%Z*HL1l2+k&8F5v
z`^eKAaU{VHdxMh{7OiIT7-|zbyho>0>hGnp9Jhl}XscHBd{Pz4$q8*WUJ^2b^hom)
z1V-Q`vZ%kZM=%J7mo~0^OX`iCYtF>QOc%S3o&lmMUyk*(0*ghK!)PQ&VXCiQxxlM(
zBm*LRgU`o|%E#U%W{y2!fCXLXiX-Ce6kTPdshFoZrNOe5)AjuZQ<&8N*@{IORNm@6
zH`aV;IZO9I!;|FOgBA?VVB@Y+JUGIqcSCITaQraFg%u|i3@YDj>L!)2=z@<!cBYD^
zh_<H&e%b#HEroY+1l?;+xuCQatsVX;OzjI(Q97EW5fkCgjOJkfjJD#nuQL3&eId5U
zwBSsxu`X7;6yA(g^gz#<lFMsdP>?zvr9gj`Y_`9VY`|TWNySTE^$XNecfn4q(rpts
zCCq@6fXd8e7L$DGj(OoomI`yP>9RPWug3aiM)qgOR41P5O(J(ql4K9376K?I!4xa;
z+btn85<btOd!=4&EzGLL<B869YW#W&&SlM>>SpGUe$hN}!qg>nV0cO{EYvH+m<i@;
z<g6CO9?Gm)4kUu(HsysDvG{1&H||v5lJ34b`HGvI)Vh4y4Waxqdi)DaZfV8SIgG>b
z>2=bDUgH_G1K%F)US968D`IZU%=eHe4>Ak>YR7<_*q>0|E6i#y)gKN)N!a-=+%L}M
z7{jrsyu}e=HB=*)GSI&4#~pywu=?uYK6$3#518_@!MB}D7rbRZReA-53*#W|0pixV
zxkuo<6{)F{HN$RJ(~Kw(hnP8j@#2_Amr<4VZdZnjI0Kbki8WGpKW*8CEImC;V`n|q
zShzo-QxIFqu1_(rNr6j3xlRl(3Pt!Dk;gO~7!Z9C&BSRfOWo_#;3|cuc#35COm%8n
zN^DDe;_y*Sp3mUMql`&XmtSjIe1AmK%M}Fn^WxHL1k@m<L(c1FVkU!P8Nop%y$#>F
zFS@=<eCZjay~~niaomV^^Wu>84TdRNR~&+_cz#Q4VmgS(q9MBp$ai+RgW;C9qkdx$
z5SQl2a@4jfyK<VuvyD?E4o-oQTH5P_D>Gu1@!`mYkNj#)+31%{xv>;l*#Ip!S}OaK
zfsxNcomLu#Z#N#8#5|F{AB2hX@}VK96D3e*5z9&T8kbT4MNPYLtDv*{?`wbu9KEVL
zEQcc?zGCUk!m`@nm2k1tA@%6~N}hlEupG7Gbp_%Cw^llCixpj!3*%aZiSSGuw-8Z^
z6C>>g{I=}RM6F6lg&ny;g=~&j69K|YDDv!-+N)QR?4SgwDH%)+7I~FZAiJ)(nFw>)
z{9chj+yz!BUE+L>n`d12j!{*MMBv*UemT28EyW&z^!-Y7qFoIXTR{5<f-1``dGJ_X
zy?Y>~Pmi-qb@v^$g}Ww{S0d0W(n1Q|Z~$%;sIASD6RgtuxpSHLs!8YRx5Xo=Z#u)&
z-HzO%I3O7{5t8yQl=6qJOkh5tI@$bXM`-zFuSM1Z88eXCS=KzpouR=~V8}=H)eA0Q
zk0LO53zr0LRL>-v<O=AJW9djy@KhmFaT?A>G5w;Mk##98&GpsZr##J^JV=mqG3vC9
z$yiJvYk^_`-TiJ=e_y?xn9uO9E0e3-?$b5S>>F$UM!8C;)=#0^NY#ggVa2^?`tc}w
zOO<g-KRz3U_uI$QGQnT<;niWg2?pJwvbh3jUwp;_=dp;-xDigk?k@$C>vb{(ypO3D
zNDwbxIo1|EkRW8TFi=mImKhk;EtcnRV$&VrYQj)=D?CcnvrDCk24QAInV@k(yhu%F
zB(ukZ<ia2mm)i#)bafmuGJR??*K~5@kpxAs4Gk)f8@gp+9Ixq<6YVHMyGyT#hT6y%
z!LbtNHpw6nt;Njx#z09@<nH6#TU7aizK~)G<te73TuEr{i1$4(t!y1R#gU)jDJ>b1
zch?aNwn=RX9SMlE>2h9NRrT--hXOo1$(RRT2xqSd?3MTRTZO$=LT`~Q6(Ag%J9C56
zk)PAcFJY*>-WUfsWKW7ULeSfu&*l$#9-xQTSF>+j^3oa%(mONboZ*$6k)2e~5&$1T
z%cb?KsmyLzO82y6fe4Yb*u|D=(e4*X-HXv;X>ARGrQW|9oEkH`Y&q<7YEK@)n)*3j
zSTAp6pDu^7YNg{8)fBk2v|Nh1KEA@*)z5t~#0*h`t7)Zk3sXrb3r^OY6SV{rJ4-4I
z!DUiQpbOkO<7!mrHTrX^3%Vu6M>-ts!#YZpMqn;+iHYgLc$o&npcG~@Cv~<|Q(_io
zTy+y%4Mc}+=?wSNX6t_mC6}2I*a+xwL%AN8wp<=lU&}GDA?Jt&Q47+&Zkc-aCQ{x}
zYQG~Jg(c|94XH)V^r5$L@La*gOkSOT`ExWi&)CcnFT#F-xsj*)#=w7&lbJAYH$nHQ
zM7?4J2`?d?Obu}%L$B_^Mq2RtTBb<V(l_`PS`D_duL}(K+i$<>j+lumwqezC5IhGb
z&%uDzkZiLQYEUJe9t!tiu(<)T4u!#fTVhh#tWK@U8Esco_2ly0MMaoy(|jwx7cV=t
z@d#cz<I`qPt8Z*-6pIj521;B-L)f4~3<7B;1@m1r;Zn4s1h2m8?TQ?Gb6+T56rd}L
z_@^%+06d^jWJRk`=a?D2svg0;Q;%gs!!Z`=;uG?OVc8=(xNEflMOBVv%f7sI@KFxe
zu_x?E7xRu3kHDR0qI-kwu`A)3;Vn{k-x1-r^Q@lG(%zVWZ2sGkKn9w?iz)m1L0*?s
zB`|VB<+QkqFS14Zc-gD!_j!u60b5yR)q<F)isyxr)jXziYe+p2&-Ie&sg2VT*_RMm
zoSI-{4pXE@MzYTUAevObDh*!|tOh^gDOO84U^nQo?8?v`tZoQKHeex$P&fA;7{hO5
zFDxrH*OVU>6A8JT2wV{s-*l0b(_R1(^wOhRpj!51gFyHm!D}|Z(bo$@UtvBCi9<<c
z!6ewF7MR>!oZI9n_PQo@i!~dFkwE&q#Nrza9U*z_*kH}ET7zjy#xl2>UEYPWqz=EB
zA=$>(>rgMSf%UlCpa{Jn9w9DxB@Ml})re(#$=#9kxd)YltPto*@CsS#?M5z-83_x#
zz2ydt>P-dc-P=<s-E*2cZo=0Tlr}q5;Kxnv^7eP?5lLI>r4<zRqKq`ap>T+W<v^78
zn&~aq+d@lfk%tKoX@b3r57N&Fefcse@LKg`oawW+v?SezBT_b8=G`#YB3^Wh42z_N
z4|*sQ)CT{apOD9}274*9vS1+`9T;Sc;H^#-`IDbRghTSuZ*QrAT|7BkQAWz02{PbY
zTA*k6mX&3_;Dge2eO}T!=wC4b?4|N4#o|r@<qE6*1XLr1si7)N2z`b=f&dSJL*yGr
ziY|Ng480^=%0--%?OowmGm2u;SHs<~DZ@m(f?Glgb8dY(g+N3!yIN4E2_7m$Gkj&W
zg}Aj7F@kEc0Oswj(qg@IzflA^p#^KU%#%i}2(3AH)k{AS@ufwu6ynt03~{3>r-*|>
zn<G!FIhh5y2I{^{4I)8e-514r^vtDb-5YWAWot^8T$k=8mD>GU7K5JYOE42s6E#k-
z&8w$!{6w*@Imeuuaa>h9ya;*4r8i{1{k}&Rhw;9q9&Ks55`zqu)*$?snE}h<ks#rS
z95K)PSV^UGs|lZp%gCYX{)K@>SBoH0y|+0=DqG?nUCuUJMwE56-=w9ayw+BRI>IYZ
z2&kCSk}`05`UU;pxiCHVstZmYEzw%O4^CiuY7rx>8Pn-3eUA);m-r7(0yvEcb1cvw
zntRcn%W>r3OTn=-6lKA_1>{sAB9hdEo@FF5IW5@s?+hzanQzu&j86cvrE8#&W~D_#
zFw}K?#I4hJ-b`HF2IGf+5IL%C&~z*ST_98NatTKZ;p25PD&(7p_6CDo(Cg868pCy&
z`md~NSi-|2MMF4w!8Z(~@uak)6hIa6%W?wrgy_&s^n?`bSKq$@u@n7b1_O7gfIgAM
zzcE|(s)4?vYe;Q%<QHifqB@%Ob}mzx(*EVttrROSEef2lq_>^lMD@W<7G~JTnk|dZ
z28<HQ=;D^|_uKOX&l!~h=dAWu!J_KDCUS|hp!Kb)*xk>Rt$^YkLU%hgtKnB634JgU
zhVRb((!h83;?t-EnX{O{b{6!?^^!6KTwU=?MLIfScD1H}HA_?M4w1dU#8i0qC#YK@
z{m_$zK|bPQKN9ItYNf9lp@krQeS(3GDGTk+u+Pe<WhKV@P(Fayo9)3m$@Z79zN6**
z-ma}^NC`mtb0Pda8_;C}ds_ImNz&0lzcO&YB_caR$;3$-MU|CRXgg)4M7t9_&2%Zs
z<?z9c<+RS<)|L+H3V9t4o(cEl)<_Q?BXW#&T`jzNLZ<&9Q(`JazDU=BWgd_$M0Q!1
z?3Wc(GJR!XW$>7Rx>T=uHrbXu&?Uo_e3}c*3m+B%EY08qgBMWRySKlv89@>CoZ&57
z(4>T+6CytZZ>|Ja%3KV;Qy5|r@dh9#={iAP^&w`2r7j{7SsFv$N{8OS<Vkz_3JJ_P
ze;uy4#+VE%#|leD_A0Rf;X=dCN++I#soTHGo39IG7NY2@CB`aw&%FpdCpW=3R}%8h
zE+qe<W~OJ1pUjL=?PXbR1BXkfaM_8`C{{{+LvWbrQ<?_FGdNZ>R3X1L`I-zvFLpwm
z%&94t(0{$u{Z*!zCcl4J)K+vq=sOqVFkCsb_mqXlibDakQ^Ztv3tCMW7A>HkaL#)@
zYX4nm$(Ww`=I(h%vhopQji|SFEL;$K&-^xlNn8nDRk%tD^yg+`6$yAmlLdDwrlqKy
zseGGD^lo`BhD+X3MIqVWb4O5#sqw<3ATO^gB+tHKBfD8JlT3fC<A%eFn!A@)N67TZ
zZiT#%M&8>@j%9R9Dv&G)`32;#Fp+ms%}rYF53D71*dKfr_EMO@L<^lM4Eidh>WqXm
zfx)84lG6@62aX)K$_hYxg(ZjMN-hWVT<2DMhs_|cxw1~CpREbEFizza6kP@t%!wUi
z1zZYuFfZs%@7n;A{&xCsGy*x)(C}q%K%DEq+$A!cKO#&S@S$49;n_=zXXr1a4RLF8
zrDnu}foUlR!+WE>s3L-l)b7Q3oH58;?}jN9w!rGE!~LQenYVq|H@Mv|q>yE)b9P8h
zOG=6#fidh*D67*G^a@LPvHg~eZ<*CH07@e)7`Ho79|wl(@a?awozad3GD);kg%hF<
zR_2cRn4u<E{xEPTroy1xIDk>EO%Ljh3iG_ZkGB-k+@grqwRlM<q_}YFLT#ukipe^e
z_9kdgP?8mALJ_^v=4kAb=^B+A%o`z{EKB>GZO9>CP<H?8oHO%dPOH-D#9_k%43f>{
zo6d9jdY&@Q-Mkjj^7skRmx8JI-5I~Affej>W3IVQMYd|(ww0dh$sg26R<Ks`Oq|Y8
z@z4t&4Nw4qUL|D*HWVu%kNDR~ZcOcb{ORzSr$z~yA>ZPi3Nbv%;FK2wjgx&`mf1)2
znN{Y);BOBGD1xkK&|U@X4RcQ)&HwypYA!=@vqbKg?I&h9j_Gf&&wAjuS*b3iq4s*;
zs1oQ7DJyf{+y)Yf6p=?3?L;34oZh1x_g#c_cOH>HI_}}3k9Kbz-*n{-bHiwB)0cJY
zZbVp*yZ!`v0bAOG`=N1xv@QQ<g>C!4UaLD``j1rSd+vXd>ON8+(kWQsq3*}KE!Ts-
zbbzJZ;B{U}U57!S<JdK=j_P?z{}+qI|G!TB71kh^=@pXYV)EQ&ULGp-cOW`<y!Br0
zjSTMFg#WV?8tdkY{9HbTk*#33h+CZwg$B3XN+~;Zj59%?cil$YvoMQ?I+`A6atAA6
z@)eByg@x2!r9MTp*Qrh)1TxP}3|8jwR$}NYqxd&l^_ntmNP%vr&t^rJo#-!4p^Lng
zsc1P<zC1NZmW4YTR&a2!y3$HHSN;-hA-L4hnXc8_o}$ubY>TCvhg;`{0($9o+$Xx6
z50%2Ez_M|04<PcW43k$kU&&3$N?PhNfl5~>P#g4;Av$epA$$<2+bkGxTP>`QovB7f
z$94)Un}x2%s}udC&xS1vDV-;Bjq9t0(A5suF+`t_gL29x@BIns9cwD)IXLJ}iSLb(
z_;}4dui``{DjUON0^VB<&QIWCXFIMxkoJ0|Bj|NU;ou9H><liD@EWGkOP>vwLTpEm
zY<84o%Gu}+ujJ`N9+WdS%xuFT8z_)My?GdjYpH$KbYDT4zY_Km2y|!u<^Ug-CNJum
zWWr@^cmY~eh<=#~I!u2-x^mz(q6+lk$n&ae=6BoQ-`}{zs%eft7UTX<b5BlDN_w&E
z%j-YxN1*nRy9$Df^%O4G<(yZq7a%|&v+fUX6~MT^cQa!Q%NryOmodoEqIvUm@v^DH
z^rNa*Ko##Mm~t^1zkVk?XxFJp@VHf@jvJxxr(Fs*4je|rj<um(TWCvDf|(x8wjK`9
z@r}wgXg~<@@>M)X^_98GNoDJU@kQ?E;-$%St#?;IxfJiHZ*AMPYC{A7QQjvg7m9{Y
z>4I@ZHm_6RnxJb(fULSc-tkb1#u_xu_l~iY$5cjwb5HcAY=)g$b^7(y@dG8q`H40~
zXj%MTSI5Cm=;b+?$Kk)On20%Z&I|9&_YL_<<zl&v%sJ7>{YbwsZne*ICH%J909jfq
z$l#Sh8{67tep{d`?-h@|emYRh0VDag<g0V|xxy61E8lnKTny7)2fFidD@>O(@r>_;
z7C2?8W9$u-753wX++t<@WRcVADq4b(>jy9{)ai%5ev&(dIJ5aM-*LZ!aaptCY5vfx
z_R%(_baA6iGJOcE&BkgHDhh(rBXQ2q0mFY^BAeEfW+Rm-Yei;HR(CoW9y7H){&juo
zvv|#o+f@ICBLB|)^6sY{3fp(xl5o+|%8k^Lpwe2xp7YLd?>j6?-(l10;JW(mrGf}t
zN;ghiz0y!KSHTzNtd)<$Z-e?5e#`^yz^D+>lz-1MSuVYdDZgB)c?u2z^j{Um=a2Uu
zYIc*05X#-{pDy&OsrT%{tz2mv{H$Txy=V)!X4#<!APuD(K*x7kCpXTIcRW^tsmFCC
zB4vr44G%RDckjh(ZdQm}xsoA%_kJnd)iJVorO~J?1$_UfO&j)zh7X%Ath2ONF$=oQ
z@$+C4iY`Zv`NkrKhaYM-uqM{@l9Td1xZn$%ogk3&$o$Rf<lVSBWNE6#O7{utK2LdW
zgYMc~EqHRCw%cZC^gsmB(rsvGGr|&q%&r;9uqDg>xXox)(wU=hxa&ZF0C}8r!nE6P
zMzwzN!(|L*6O8`T2Jo{}@%teMsyQ-ze{r)c{rbgWPdR^&dU@@osBhwV#?B3@wk9xc
z&BA^GYwme<O>mo1Y-#H389(v%VcmZ%BguXIa$`{;9vD>ssi-2!*Xw)k(fs*!2|sNW
zUmFN+RZ=)38PzNa61{Vl28gb?dW|Qlm!<#$5%U+&7bPHaMe&*!kc0E)Y3O(mWbb@j
zR4!-po*CUO@LPB9qeNA0gT?ODV{fZ!YOIU>qi*zJ>Vp){#F@an+0G6cdH1pmx_xq1
zXlEA?jgQt)<80K4XEMLvnDtF5bS~Us@J9lEeNWzM8PprSGLEees<!ogU2Pb@KR1MH
zDN*~)@fO@DfNCBjs1`hD*_nWGkJL-ivD-j<A8WLGd~%BVZL`9RjiOesmlUDbrX+Q6
z1OM(Dt)LpW@+t=W+!_1R#?g-J?CIL3+O}jB+=_|cOZrMg?DFhqsKA|#lC)q&^E|pp
zcN8V&O*Jo%DL_>ny-Vz~YbvbQW)Y}0?I|CoB&uK|{^ORe10C22M8!FFc`R(T7W$_$
zG~&2gxTM6j`5)LA$lSGg1-<9&^YO$Z*Q&Ok+hySV_1gPKvZFV<YaBWEHwg-36f8Og
zhUr|qXns5%$AFeIHtwIcl=o@e_F0Efyl_glUoL>l!w>g$!{j5&2yT+3123^M9)F<J
z`rji&az1(u$PQWm8<YP*I?maAt$K{e=-C?NXEgiX*pj^S$2w=c<Nv{l&zGVW!EzS*
zvV2}q{)F3LCzh|GWq5yN_-+JXu|54SKL@-uWY{~Cec)yeTF#IQ$#1N)4f;jX$LM=O
zpx?Sb?A?3#2f~KE%$(2vkq?HzWCp-5QKS9ck!})TAQmVA?%}oJr2m@}z0Ttu0pzP3
zuzUgBCj0)auGeNg=v5jpFn}F}opy{mksZ{(S_lA87+~`yNIzfTf7=VXb1`h)nq%3p
zU(3|x&s=578n7!I0M2~b{m&S5?*LEEI{iZ)8bE74r^i1Lo&4#HvL$xDxK30{eA7QT
z@=`X5k-r_gRd6}{b{?TV26(5c?LYh}Y+X*$Qbe2?LNZJ1d8j;gsnDHRzW>!HQ%3+S
zEfCV0BzBe$&I$t&`2tLVTS<mAOBSiCJ`Rc?P}RtG+!+<az{^naFs%o0C0|HqBgvN(
zAuHFMHDfA5>TTWN%k`B=#1(Y`z}5x+`<Mwj%Pg?`t)1>|H{C+~Mn(0q`rU%p1n*{?
z8<ZWhR<P7;17*~#UBDik^PR=1(m>U|sp<`yfc~JM`}RP>4ya^Y@uZpK@N|D^uYz9F
zld0g|5RdauhaYH0js#nJ>XxWnc;9(RulYG;Z@*<jYOnzkaAQAxtl0!pM@ts?bpOgX
zz{jc_eP)6Ar3wldYa%%+$M3)GfAE}3<%#~Iaq}1?-m#+UeQT1hS$o2P7I&&_+KK$9
zAu}!%6}awExt^=;G5c6>jI#=tQdy|#Lz<Z#ZQO`icda-{_fF_|n-b}p+g!obOnBy0
zb*0K~+>uvTuI1t#3;w!BNmVmCzWUveob?a<`?{<-(04jq4aPf854xv~A(uz_-?M`r
zu6ykHK(?4kz6^s(!^&-PtIi#~*ZOn(X73kYxfb!708P^S1(_*b5q9s*-vaA|<gz<Y
zKt25rwakT>d1Dn}psyEqdVn~st!Z1ua$`i)cwsX|ugUN&%iOyJ7?JN{<@U4J&pHH+
zcX(mU92NBI%4RQiGo!(0im;>azx^BbE6K7L-P%UaGLK!j=i~A4!h!2jaZM3c;1fCI
zjBWpmszY=*f2iD^h6l{ebB#4%;9{&?9D^9uAT~B~toY|6FX!cePaU|$=J(AT<1Pj>
z5X7rLDS%%LdByL(Azd-pV?F|0aym+~S9|`r_3MW#H7AZNAYHP|^wz7REfeSL`Oe;`
z=*0GIpi3@5qADoBbkX0jVbdJ4Gl^l2xmwU*JDzy&ZUJ%P5dfY$`Mn9+o40CjuLhmF
z-aghG`+orOL2E;Hi@-<Q{c>dU28#`vJ2&jIjk>Y!o^#dLKX$qiw2728n)(aU0N|rh
zFMI=9v|TH-ljs-s;fhj@GF)Hf8oRX*u778@doA7xnp!rd(ep-{!d1;<-2J$^4V(Ai
zj%d%1|KT#bej{zr&qeC792x4Y0{vyf&du8VHQZdET3`?}*4NeB(220knr-S9(rebL
zrE9NssEWz;Aa;=Kdr%KkE@fi2*q9$Yzi+Rz^DAR;{`1$CKv_mZsGR^7E7ePN?k=~y
zs^3v2NdnfO*SSB9_Efh}c^mG$Io1H`y08y7sS=Uu8hxXH!g{dAH59F0p5F?7GPE>_
z(79d7@!o4kP;QR5<j(BGtw1D%=ZKf|XxGe?!6GoaFgbl~Rk;&ir`@JxduNe@mT{&!
zH1S)wm-ajd7*4__?`z|ky!|+5@MiT~ROh?4mEfUJrY<l|0R0ftzPo;bTP?j#L(ks_
zZy5j!w*GT7lU$?h`XaafAfaFHucIXZE5^0=v#s;qd(KQ2Dw@P$JL}8tDQIaio&)sA
zLJBBcciM<c4vwi8yiXi^0f6C)d~X%pr-zD$A2#msXjO8v+4aKw_2cyVcuicVwzfV5
zv_M@we(0D|%Ex6km-?igUecs`AIAs*RrOs^en)yyId8se&k$DKv4A3DM3mV8Hr~cf
zu46xK1Vf6(HXe2?e0MG~#F-@0o|`$&dZ;P0d0Al4GAa^qmtba2BrrLs5E9o&XaPo|
zaTjPVshU~)*8e>a6F)nHY#(ao-g$riXWOA`ckgdFH2ufHq>OrF@Z}<CzuR%U3UaY~
zUxK0@e`LBY5bRq7cKc5pW=1lR=~pbF(oiO`99Vy^+5N{F{sSm}0}5&F*zOJ6f#rSj
z@xMlN7I^YX3s`5~)hK&_fU(}G_+Ni$`q5UHjhR3j1Ts$4z0*5GlYg@u)~BcfD`>%&
zc*C-e%1sbt*TU2bC5#Q;U62^|X+f(;(@{M=6&sBj>7eBIbMP-9;lj?5z>k_x97Nx~
z5+5TYRhH3s4h7zQl*e9B92(bx>c3{hg(DV?MHmcZwrIoxSu``0mfFSh7HrTgU_qpb
zmuY$Wejbj6!JP1A$_?*A&#<0XGz|_OjWU+4uuKmAbEO|cUan>4@loBkGQQ;H+3|<>
zo^#bnXUdr&j@wS#ctqMY2&T49ebR!d|Gbxij|teOlL}=INhBlwu+RUD$VJ7b3%a{%
zC}e<4_f-?Fl<<@%45t6^b{)h^sOYDeq?L@?W8+q*G|H*dx}z}>s0uuZcR`a)$sCCg
z0z+bryuJ*`7S6(4g|DY-=YKB&LPf>@q#!l@{$O{<?1Apl{SE6s%zmpfG2HdA$eqTU
z-IlI(rW<?USa0ZPN^YaYfV;5xDY6uGbWH|%w-)te;LhEdx)q7biC8Fkul9R`+aHk;
zLmsLPp@)dlxVf(FX2eDlhYFLk4izWN27#g%HdAhfKw=sW-F&^qu)dlrzw;wV+S1ae
zN~DANCOBs-WZwV<Lh?p7u<nk<)@fd1x#7E@r%U|*nx3wU{>0mtBpQUcJ>lVfoN(CL
zFGIEZ%UaW^??MmCXX!>)R3hbb?|-LZTzIv+rzDycR!$!K`mdv^F#7w)JAQKweb1hf
zFj{iD$bw5#eZ5^3#H^$CSb7nnTpe_L4hYMQSfB}|S3F0?2a=`2D%3M=QzQ1eSX-l{
zjyU-RzoiG>`qsLp-4I5Tw=Pj-S;z<weQBUDX;Rk2@&#x>(d8qlL-YBOWvq^FcTF2q
zkJ%urB`n!AA#;Xw4ITPY?pQD1M*BYJZmFaI`yR6mW+DVzxbf#FS{3vzV@ww>(#dGF
zXj~Ef!V|FP`J;0vL$iesN>cz4*qXV|iT^DM5-?n&qpjTU@z?vq*Rd}0$;h7eIhi&9
zo6TXefsG~W9^XsL`nPg|LB}0YGhO);U_%?#qs~YHZqNnIivc-r>E7^HwR^;{_taW7
zwshJKs%&Ulo%ldww@;z{JwmlCzX!JKmd1poNTDzOSJ<NQE#$_I0F9rTH?h8JKBPEN
zkV_$1S0=3ddr2k<iT3CdGZ=v;@l#W3_J<F#cR!nf+<!OLI7v1s{3O|SItAU`n&xuQ
zG|N;7&)!YJ=cJnP?uGRQm-cMp1YXv%amG@wM)0i)-{d)Aap>t)3N+eIRxHYML>UvM
z9|~!m?Au=6rMfK;Y*>%gR7K<LpKyS1^a3tDE|A2|$XRD9nQxm?VXj!rvX=1jI9c>q
zG{@W3f~MS-`%n`u`KH{9LGkl0>up({89sUPDe8ckl;69G9(IrcanIMPY&zlIQabr@
zA#R1O$HedBo~#c^FP_E4wm6h7X`2EBp(%S#?LU}Zb|C#(+apD&<oKGpGxV3WXqbk|
z_)lgB7t`&dNkxIXHfRCdhsoBr5In8$%CTmGGRTuZy><2k`r}kz{Cy)q^M0d6j&52>
z_qwxCcl~sN^i{j8kYLA*eeI_9hiyTlM&Fp;oW`Z-fOFB#@VeSWr<S%nxQ|{#8#_NZ
zch5fk=+Y)>{<!myFq54UBNj`t7M2O#-=ong<!EyA!or-|{qZ4pXZ>$cb$Eq5u5_r?
zWZNR7G(oeU{qP&Flu9M4xsjW{F}@q8bRe=By4Xwm6Tn{KA%itA3qC@sm=P{6qZ*k`
zyB`tnO?Bfu8emgAp}L_@2g|E(gZsMja;>inGAdaKnsiONGKwKx*dK}aj!rhH#w=&e
z4VISWQJKk4${Ce~Lx$-sTygoT`;%`$7VH;w<&8wW5@fnJ0;$MQoc3`L-*+JiABVk1
zGOd;4rrw0n3&cHi1T5dn24a$l4eRFgbf^T<pn|y1-xHQ#{aOLG3;{e^GqW@$9g7sR
zjJA+uB5vrN#jp1j3jlp;ORG}+QCDJTs_}FYAGkFJCd(tC{w%j6NqcanqRBiX)o9r&
zXK7T^TM7_^oY|(OF8+X9&>JEXWilGUK-3#}T+mD9v}KYd*L2QSe>D$pL3{v2YW5P;
ziZk|?QvszV&><@K&iT8EK>udz-MKhUBfyk9V6tNye{UH(;`?Qd5>=gI5^8s~roA84
z@Us3pR?j^fo}Vd@DmUC$ek*Jp(Ad;3T-^|jsG0P9tLXV<Ia7}-ZnbjgHX#2M$*t))
z%W}Tun>DNS{5%8I#kk5$HRh3ZdC7Fzj25C%Ncj{K&|?>9*@R#(Xw|7>Y&qw}GVNvb
z+zNldi&9c>qH9dljz5#0R&VFRjD-xPHYuJ`XDIdy+0g@xgoU|35crfyH-QsLYQzXV
z6JWou(5zCOySQ2;2;*Sh5QYcr(}~0>cZ5qtiZC8Z%thYj-DbG0A}5zmI}@moC5Fe#
zQ6Yb*A%RQvD$Vh!m|Gm;#4I;mnJOiC@VFJaCV9?InJrY#f^2=vp2MajpwTMyuiP-J
zgI0a*?qS^*ro>D+Dv%t^YOnfyq&tbV`fdI5;Co8d^EcaMWE+(W=Q?C~;RFReTB-u{
zU;Zcm_pfaB{D=QXi+Pd9?%t;lt7*$pcY`lKznd~3Z)8e!GlxC&26Q*WI_Fy}?YUJl
zq)T6ysMaK)%*HE<-#wcC<s!FlX%LR~`cg5o@m&~D1SKJk#%uDFQtej1)m>@%JEJp+
zDN>M4i%JFc)mJqFc9PGe5{eC`j<&nHX}mZv86V3cV78|e`+R_u?+rb1eCQXQ$cTpN
zyJJFg#*RR@Fw<rNOMlUQ687L;qVJsP5#q@q;lM%)sq&ZHaK-+vL)~Y}w1d3Dqsc*B
z&Rr9ZC9ie|a&VW}&6Tm-&)^HaNh4JrNVp+>u6BElVYfkDWvz@@s8C)S(sUoV4W0V^
zUFn?*yc!z4YkVwvKQEy>M(Q}g?z*0mM-S3Z{c5V(^Y*cng@#&`HI9(`tCJ@iYt;Q1
z=(DtY37S6GaL1Nx^T?d!%{Iw_qqb3t6KSxAf;@8|-P6W!d5Vi^wt#l1ZAw}skuNI8
zUH4%JDw%b8pA64yRobxLI;dlZ0xV(<r7h<lOgg__!Cd?7l@|;5!A%fnN2D9JzJ7bF
z=-7HyXo2o{VoF|l3eK>8DIi%mg84X@j$D5SfclRFU`j~H#k&QY&Uwsz^kpds=}Ck8
z(v{l;n=Tu@FS7ajafeMG`W0kT)@$$4hNb+!>x*@iE<byzf$(_FRhhQF*U<6~?7t;Y
zMIyYa`Ma4dnO$A%XQF<HwqXjEFXDXt3*1Lb`|G#o7{A_V6Go!Fc){0{7~pn)sl8Nh
zZou$1kob)w`0lyz%%#FHjj_zO2!ZG?=x4j~%7;r8NNl&!Y1cs}vC0Di&6a%+8}>QW
zH691~Kp}a=lB09dLyHP~AVF^AE^t!ki=1=WI~WedgI<xJECe1VdKTsW4ajfyJ`=QK
zMxqb)y%dbuLG-Oe$VT=`z0(BkfRX(9)u~H^p3iJNqXUeW>@{x|=FE3A&5UJNbYh_4
zBl;vsgF@FQwqZF`vs^TxKh@N)`R24{`KNGKPh_#|xxGz?(H)4`eD3^k3o;f}K@lbI
zLP8$X5kpni=a&@VE9VW0X%}4P=O<+1IU0CN?E4MM4+PdT2napV7MZ;UZ#`<7WSO9H
zO?<VDi>mp4PirGS^adWCTT?M^<@V~@cw*~MV90Ye<gfWSY(~GwF<Ia?e-`D{+4Fbf
zQ4yP9aqqhOENIz4wdF+8Io69cq<gw$%>R7$_XdzI;qVR|AAU0etNKFH+OYUje}`UC
zlJY`&jp*ls;2ZhMo$Q#~dZ}LHzn2JG8;!f@CrHv2C7Q-(rN&^-uNb3!kA&mNzS`r2
z6gm?jNN0`N-4am>i3r;}JD%4I47rK+L8KLD!Lmp7=k%JdO$*cFF)5(1`y3KgNCUeT
zRV#>7ytMB%qLx4ilhO}Wzt42DS3FN2B>g&WCC^b$9R?@qip$0dtUL+qk)qpkM6Q8K
z{alPJa=73<>I(c&7iY7y!U1L2I7jx&r)hWlq~}ye`xsAs<1YDROom?JlQcvlJL^fD
zlgfpaV<CbArqN#;s3EJ7v!XauT#qL7DRp;2ktE|%*XM8=dO^e&rRtDus0?Glx#~5^
z6pyR{9&$ELlGM2;?f5Q7ZgT*afSM0c_I}@{ggjo>Vx?K)9|~w{oOyGm>GpnNqNgfN
zIsPzuIg<P-GUt(c<kl;lz)MxN-<vMgNTQPG^L4JwAGESB8ehLNR=v6W0#DGi<&REb
zE^*!$3zV451ZKvOuaEwR()b8a_kAS%-kK&$3TvKM<9_r;pT80vY_^nJKWG_r&!mjo
z9Hj=)(>N||DdEoPEj>W~U2Gp4teT`@o2T(}z4txkX_9q<Ai=eL4EgQk_n)hB;`rfA
zD0@NsA0R3o97~P%K5uYnWZ4x>MNyHv7{gYx#2C+QEr`O1E=P(Q*3gqQSIRKDu{IYQ
znw!0;(q6V|YF9kn$aQ$RIsEFflT@`<YCNXj4LM3%U2)$$XtZ5$(zQ<SH`_*`cO$QM
zS|6eRE%J3q%k1M3r)A_-vqBNagZ09)%uR$Q@<0FCA8|<3MFzJ8bC6CFbz-`gu})Of
zVwcI>1dNt4O)v9kG)T}i91XK~W@^L)n}Ty`XA&Xi1S=iWqtlHKHD5}!ex84S2e?0G
zPF2?;udkd?PzBT)wH6z;tK<9l^mN3Z9&Ji_s4}G6yKzSJF)d2&iG902fzF1lbJuRT
zDljCkTE~z5*6`%upQlZy=Fc1S;Li$WhV^m!jBHRuN%oHNMg!ZEF}BPz3tV!Qt_WO4
zRt+_9w?ur~Y2%O-?m$31A0rs@xMK#2;%%B9<qWW|FLY!;v`|#p7{C&C{JoGIscW7_
zyN+yI-JY)KFxYMSbn8TmN`_9?n;4I!7o9A3CR#@vV9sQ}t)QRiGIEEie<PL~M?gsx
za<yV9B$3x!(`3ys%As0H#*``5g|WxKsNYE*^7*(hS<UJW#-GNv)${gi?k%ZoEEtf_
zo0eeP^17<`wIPSDkDiPni@Ql<1CikY$DE+-hF@V{0pBkKpi~@?IowjUpXgG1%i7Zs
z9t0e&<#56p0Uu9jE4du52zguU$oc$Vj0ZWw#IX>6n|uFfouIq-6~PX3_ji`se|=?Q
zROXJ%h>Umv*fMBMYkL*uEP>JT1U*gal&&C61mlc)!PaXrKr;K?8n<#VjDGoRGU_Q9
z_S<)jmp`+WyO)}925p<*?#v2C{`yOd-@6dn)|bYEwtbnf&m4J?3Yn@4<CpaImLyfu
zyjMf7q`IX;#S;%g4Zl-jR4@?53wWbk6^*VltmL{F!E~5ts*poF+6_a_7DG0M_m^Ca
zuBeC+6cR^$_em+;scI&_;Dd6Fo5L-srDG8Bhfe<CQ)!~)v>w1@+jGYhs5P!5Rgk@@
z8O`GlRa!*`Ym}!daP-Y}Qqe5Gckp5O_it)&m=lVn*W-;LXAI<^UCKQHCq<=RhkI%B
z1_|Sq_MIbuob~S7!Fxvns@}c7w?pvy$pxw_R#Br5KdrO(=pfTUce*V>IVLdNm8f{C
z52K@0Uwem=@Z0{(X?*l|(w{|nco}JqF|hGk!&=M;6Kwzt*Rv#gx0Rc}zBYb3CB+09
zk+RBsRY#9cxvKvPEBI))n!Wx5MAnhkW2KDL#Wsx#!-PBx=ZQJ~e#rYw&rUot1Yqim
ztQ4Be7_I&ovhl(>3L}VYcG6PpN^c1Fmuc^m_ECb5m_{#rRPF^fnBckf+Z15C9v6A8
zON21Z!#7{7Yl8e_jz{JiYxUBsknL7}@0o<9nOa)Gpl7U3nSUPa^VO)3kGq{72oV3_
zDSSQURx_U1_!0SAq|?vDFM3_S7cfQ*ckdUM%{jlfJ0Er8LdGYiD#&_|sj2Os`P<Fm
zI=lKUPyG!vKpjQO#Z34!CSg6u8S;+;GV#JI6;PS%kHjF4rvRVWG5RvEQmbXYRiRDP
zQ{mAV@-<iS@1$u<AdS}p#>&6-4&j0q>=WKQL_*hE<Rne%7`((Y-2C~&hhjdz3TgH-
z=erwTeng+Dz0BXEVm9Cw%6CTa_kdlBXgXO*7dFA_LhEYbNI`$t=hK4^5a!_HdG}uv
z#6lhwtgBS7ayTY<3up~e0gvQzX}=1QO*_%;gZ0&|d}0nBX^5N~GldWOU?xNVbf};R
z<A5DiM!RfH6fX0fp*p6kGd|F4ojy*+r;oW0G}jb`ZRRLI%bdW&S38{+H@=^?*@gV6
z5~Awpmp)dICjzK>(7^jdfB~)pJu+8b6W}frHz>l^sv^}#BcU`iqa(K8@;OiMZ&W0V
zW%XSBFK*AfFt;!B6QOvq`?d>w!TA<RZjx?iByKWLDgIdQ^7+pId4#EK0-aU<q4HgG
zRSO>}shj@BJ!v-R^J=0}&y#pGQw`bUH&v95@4_e5d|OFd^2t+0ek;CzqB-10Fx|iU
zebeU!K?d$>sUw@z(203KGkF^9so8bZwA*P58R*(rlXi26SMp02<AGihYrt~Su!d7&
zts7VuWig{#G|##P{NlTvtAF-h7}<E~Zfctv3srs!q`FRbrRUPr3<FH#lQczJo}bPJ
z+xU#|eRWNya%t>47l6@(@OG0v@5_$-UQ<hyxyW*MA^koLl)Lq^GvT<lG-Y_4z6V+=
zAW1H+G%4-lgnugoP&}gpC{Z$61m!_*>|ti715R486}&*8mut+o=EldzlDmLh6gEsi
zxD5p!^t}<)pB_{8$}4Bnx5r^JB|?BwYZ}QJkdN3=HX-1mxvbEeZ^y>Y1R(JvHIPB4
zA!iYF0E@M$mbrx+C2WF$wBbv^oJ2_KA1?1UY34i$Dm!C0Yp~EBjXhI3Z(iK9+_Kyp
z_VwLe3D3wj+e!<*7idaaBWf9dkLVrK6vFPT3*~gZUy6_DTyJpH;Y)XT&(Tp0oTX`N
zTH@^b_(R$F7uOll)6-*1H;_i=eyV>2&9LT5j~XScd-XnUBs#azMjf>>E&-qG{5AD?
zqjeK-V^Y;{M_gjos%zqRUyeCq&-v9>z#P;7#HQje3aJ~&;`{|PuhHf_Llc*7@{78&
zQN!otKjG;MSLK6H*ju0Wp~gc8oC#3E_~L~leLckItZ8-CzPYi5b$_q0bTJp?HfyaS
ze~j4-7O>t*qnggirSlWJi0~5Dv1OO#?G;3rV_~VtOFEHJ+q>#SCpa(w;D5I4CpJju
zblL$U2aTpI83&imo8$c#KPbWSfo)NTJmMBUUeAuVYdQW4=#>?K;m3fQwPR#dL%J!1
z_~fj`WmECu#ED;FF=<^7ts-!B4V$jxj%;JlAM|TbS4k?dy~aQZmq0U_%j_PvV!T~4
zr>8LV+!TL}IoNScuBZX@{pF(aGgw*6i7JdoNXI}Y6<}waVD`?-eQoPcQn%iFb-VF9
zgo^CFN(_zKd-*CgmQw49)A??+1+<rXrc#Nr8KxdR@stnHm;9|N1`h-Z#c|hx1tJa5
zl6IB35p{X=daZJoT8%P%+4ZO%V;6<+?5K7r0X9>AIs7+w52te4jgV}vibfg_xsj2d
zI2HF$)0(wSV={f-T=4PCF)5o}>Q(trFRxCOMu!vy77o~ZRJ4F!ZfQSLoBCNX2V2p@
zx(1&>c-W11*qH%0zfmD*vRQa$>2X@GKBe*^1s4`3TTM*2e3OSUIfk5`Nna(=<3u^E
zC9l|)oaBFnJEyb~oI1V7b+t9BLOpK&J%6oOU)$0-MS;o|Ud6H6Q>J_XXZDplUUh~s
z61Vhu%84wxT0kM>R0~D>(pP0EBEo{IY1Cgg(RRW-pgkDgE~?QN8<Zqv=%et@!*3uB
zQ{1ST)aQ(A0dXyGa-3117SMB@^4ib+X%Qk*I!>fyu6nV=eO`==5G<i7qjwR7e*|R)
zxRffXz{60(#t79nHBc_K{nYK~Yeydg!hrSN#Cu8`j@U|n_v@iIvdOz(L(>h`L$}k+
zJCr_t?+EW5YOpb-LL}z3&2!hXGyaTvHmCb*yXPiYgL>md>O#O)SPZqFVsI<UZpt20
z%6PUsYPT5{GHhr1BZw7HGkMeG_mjPE+-NpFp3xz);;$2cqMyHJDM;KAUDBE2)di7`
z&sCB0wjYyPG1+5tr*b<6DvOc{!AONGE<bEx(;XvC(V^vCu)WzD1+D`cc?Ng+X%jWD
z#A#%fz$fjdzZX|WQ*4X21@A9S=@uQ+eBT1@ACAc6`nrxyGtPrpVxo7S<*<$Rkw>Dz
zrP0Pn4yF4{d4=j9y>EZ>X84+w1ku6XS!!Tl*TP*yCcF?quCM11AY9rsqn!~J_?#sO
z08dwo_=u|&0#~!Y@*e@A>$sQpQS@r)ll5aQC4o(YwQ1Y@@4xPAvh|uev7p-1@K9R6
ztQOD<goEDR-JsauYlKs4O&hiusZSAjbH%|O@tT)}s=wTs?F?dc8%|F$BKYMd!q3JO
zT*UiVUAUwSvzY#=XcuH#D&&+S^Y<vg+npFR6gpGs%AY0$FHjY(^~caBX@Kj#Q4kXc
ztVfEtQrg;1<JCWW>vJHG-*20MfsnopXjMX5_cYG6WRC$Ecl_)y&>$^h>!Gu7DAANF
zcIan5(B*f*yQZikPa~=Orc3y-C8geH^#Y}<@IBUnZ*sO<QVHp+n<7cu$ks6d0$VpO
zjMwMMIyT6`1KEgV+=SDz2M!rTaN$&X1Ja~CZzM3W{VSC|Fj`+e9dH>XE+5Nu0kfkg
z#PeKj;vlhBhK!ZJElX;LKh#HbBJ7#21DFkGcK(2m-|s1P=f8#CP13AJ00Cvq=M!7n
zJF43IPw1-!eRH{7X357=ypbG~Tf0kd_5>Z$!3s+o69yCY+-zR?yDpzIOh+ucwkfG_
zX9m>pk^Qp6m0ngroR?K+r*wJ++YW$wizNg#WL|0u!jjqG#ViX26j`;t;iZ6E!)b;i
zxXgayEI{V?-Ik$~)hMaxy;nJhM`U*0?Ev<sWHLJzza{B?zhb_Wl$UCJY>>MEv|VoG
zfnz3LOP(IQUC7oYOBSnmaeD!%1lk)u{Im<Ho1}Q<RJT}Ai5}gX^T_&4_}PFPeo8QS
z0fBvUNTYm5cASNS4{~+U_q@BX5bx+{LwJ*Osx+lNc6l_CQ-haGXx@(*^}EKc5o9R&
zlgC1~3`B-0KUhG}JApof0OSouUWi*}ClcDylpmZfZXfWM7$nz1e=Awy#tMghHnOMT
zNPjhgy24z5e7J^<szK%luP&5yEvq2>9rh#+ltTpWP^$2q-5w8+auP%}g4u%HowPvG
zY}@2cvAP*=-Bl8U{1DFmU<!kHAibs0_a?asN>pK@Pu1*+?Y>it^N-JwM6;^6PxDAx
znG<73$Fx|lRM>y^9j4r;isq`x^tdXnygcC6s?@>wp26F5<}^04P3A9sh+GzBA)@Sr
zL99)K9y6>r(c6*)K)>;|Iu>p8#r>z3BIFk$zQqp~EX~SpxrVm=LGol0{3GLXfTW#z
zpk(v+u7DyLz@pXr{BRY<@rMV<8BR}f8?E_qBPO;JfI%Yp%2}^y`UHKu;)Wnpzl;09
zdpGXlzE{4_43C}J0bN&b)vWPWR){~#crXmpJ~Uth&8sO$ECXZG)2Xg5yUstC(nIus
zEo;}Z`-s4v9u0=afIlXMsb@{K^h)joT>fP5tN|adt0Y8W$_1*qm+yY34@88kE**?&
zYWW0KKqR1UyY1>6CJe<mRNx~<I$6F_hU^QZ&Km(<A#^Xc%(RGSRc4%|bzaw{jFo`q
zn6eP~FRGh<G!(t7tDT>yvu4!R5==7&0%LD%$4yr3Y-D+H2g>gUZK|7}kS;U9eMf(_
z#m?$>Ai?N3PtV9_&ar~iUDzYjUI1HOtwsUemg@8IdT|FcKlcL=o9Pkt+n!gF&rFH6
zNDOp3KYgD#^s__SO*L(6jd0~V8ZR2$+B8ZA#$cXE=wa?9ARN9SS}0RTM_qsK+x8j5
zD*@457~`hW4ellH+oj$Cq!80-3VlU?$cv$9&C<R9tbn&i<vvs0i>oCj3Pi`>6aCgg
zq85pEZr0Nx_KTdFQPU)N;R>S9z{P~iq?e-C_A`d3a|db&*4CVgeui+>SWp=P-ShS0
z_8-Q0!KnM3Y4=D|6T`f+xz7>f6Iz(qITH%&G;#X9A^RiU-`&-TZ*=sw7xD$b%XFzg
z_rNR3DqbEPv)G~8CVGayLx0e#QPq7jwD0G>WRq%w!N0D@U=K5)ovlemWtU-f3Qv&L
zTnpirMj0VnTnBK5DUGTacso%^C9_}pbt81IHfONh<W|7Wxj~hb_nD`8p{&8z9M^WJ
zo>-5O=?!eSg$eRxad?8%8>^OALk=+=Afhr5Jdyyx64bfdH+P;Q6nNiV>-t!$bs9-y
z(K|;Gxs8AJInw^i1-+cTHMMAT6lnYo44hlzZ$KL<>#@cwgS&MdWr}-qYaVTL$V{xq
zshG)Yq2k&m6ud%zxW=;&(++f5R=>;5c~JU^z<ADG5TGP6fnpnOpHGZAix95DAPyAz
zhzCS^ne_{$aCilx+aR4{7ng+~))Ng-+0q(s4;T0>rbgQppFWH_LJ6R{HS?6*$aAIc
z1N4&1oTqep$WE+^CyD%#V9o7W6uIbb)b{?Tr=b^-Gnn{5(>bJb{^v^@$2X-q{CDS<
ziX`AzbR?)@DbnS6<eh5^&m-H+5kDGWew2Lx$3jw>FR769RI`Q2u(fstFPO1$rdp`v
zv1CQ*Borg&YxZ<g)Y2i<i$(6U;vXF0;=kPe13>3}UBg$AY-59`Y$|NJA+4tz7Ie|a
zb6EVO{}K_01)~9;W@JjbE#5HImt@n)Zo#mx{TT3CZ~wna&pbdCarB5o7I3sup+-na
zn&uk}IQE7yinn`eQVC}LKceyd6v(@9pp2c$a0|3*jNt7z9r$m&y?H#8-~T^6B`HKj
zmaJ_?*-B+M5+#M9WM30yo$TvSNg`3%lObfuE@td|gd+Pgm}EDW31b<C-?^0c`}6($
ze!u&1Kkh&7|0<ffu5+F1oY(8Qoq`n+dCCeGIwlh#r?cc4nQK&1P-N0VjPqGGm<LN#
z>zsBDGv@9Pv@M+c520Y^%u^tWYptaIo{b4_(-7)4dDCO(E0sN5ETYgWNiupwaHn%!
zk&Dw`89RiVv;@U>IrkrO?}mPrFZE}BPcm+c80Wq`CrPieY%fc%pq-PLl5IkWN=7ZV
z<0i|uw>C=Ro5>$J##g@efF%I5Q^23GBVvqkqX^fD`K`CChaRDBHb_>!X(=6)7XM`8
z9%bbG{qlPL%vjeQ<ahh!J9FAr?r+nXBQvWYyG+5wRw;|~+r3B;Zva^^_T+lWBepk}
zmX;jBoPD#ax%pDyFjQKIB2@07hTZI90=k$E)`&r{gF@ftv-!Kxxj#z8&<Tx?Kao6h
z%%yMWBpYT*G!nuuwt=JD1s*gnuElq*SKMu~8K5ok`005Ta^_Z12&GH>Q|~BsW0e_e
z%{^MKA$PAX{FqQE=xP3R3VQh`tHeAyQ`ODo!R$EA<2T>18TJ1Eu$Q<$?Hl4*i9Mz6
z{%%J+n`*gSzFB^h%pMsuK%BhBZX6M+u(jqh*;3SN5?A*g?@%T}IA-BqH`|wgsyE)L
z`D}?1(T*#+$C{{B;mhmZ@MYcE5K{3x0+`F~53)$;&(-(x{<l?J<8WD7-TX=G($29y
zi?Hv7A(-d{-K4D~@qjZnxsCL<M2mku^_gq}Qn@AL^JVS}t?pma)rhPCaL5+vT+-7o
zA?kfAtS8w^zDL5BvS<iBQWEr?iK}~we#o9IeU=^|crkO@y_kC)@d7>*z%Nq$3sNIN
zdX`%OPg&9PL5S_spXh*Q3#Gz?JC|L$Mp0|i<@R%;tih2t`4m>_T>$XY(GJJFgM<u5
zX_Gd7UCqeJTu~Fp+8Lu%T)T3D`Mm^{lU|5u)N;FVsXf`ClH0$T9L2NoqhA8j%Sr8Y
z#D;FmJv<dsFJ=G+HG!u!^*Rgj*|B@yMB3)wu$54FuY($lN+3FGiWV=Ft>>p#?2Xs~
z+e}_GgKn^#bWv?t{|rU$X!}x$PjcAPw^%RqsD||ZNFtX{tNiL<&58ujTm;C@7oVzF
zY!;dx3)c-KtLIcwE>2G>Y<rdh?5B<*VW2~&$M-mSa-n=lW1wogtjH}1yHK&(xp@%`
z!6iVD-U<+1D|ZFMVK#CE^X=)?a2mSGXsBM!-y2c#41Na4wPHdbVZ-KRJSi639PDKv
z>3)<IOCk{XRCoLla;0{+!{eh6u1&Aj^ATLitz{c=>vJ*`decZEF&J6pt0F^PVoqTZ
zE0^dcmY`qdqkV&hgOl5ix9hTIs<~3+SkNm?kcMNk-+{8pB9C(_>Mo!coBga>=umOy
zYlC*^WbsAOR-*3u*@O}yo{E`eBOs5>jBoI4ny<Q%W?w3nEj1FcIoRB-(_(|Sk2{E*
zFdKw@sSV$86RqH?)cJhZ%$cOYu$3F-YL1ge>ij1u8I$M4{G)-hz?lr6NdRxK75wkg
z7%oaN+Ip-f-}4~)#Zv}aMxC73$|t_S5ojGIKJDB|Hca1S^wg4y18^2`zerb0xRum)
zQR_z1&#`tDzVCo<YrCptW<C-WbvNc-f_jpxA)(#Fj!Ma3F1;(5<P|x6QBR}t7gnyd
zQ^FqkV0bgK(1v<wI!h#Md|X7Xy}&?&2v}6<0@yeJRgsxG=yP@!tX5Obw|vZ!ekd(_
zU`K#3flnum42}QV->NAt7d6z*ZLBcI<sQoV4DRf*`5T@BRtt9~WHWAV$Ac0_Iz4m8
za?o=x>@&;XBEttw46Qsi`5}<^xX)<on|q42;n4ezUWy}pL!s7(S1Y5dE=)XS5Ium`
zxC*J0^d2ojT8hiItq1TP$xlPUR&A+yG;$BD6uezvYD~53(h-+#y3Gw-UK3`CoVLIG
zscPb#Z3k%8mJFSC7FHmuu<^|iuRu2reA)!%><wKb$7`aU7PQA6B%oK`mdaZG8VPa>
zMyy@?5Hy^*3@Gf0yb(NM%MEz8!s{$248e8eG#t`MVZ2gLC-C_YG6``P3f3A0a~Zk<
zEzP7hp`Bggvzm5lo2XXByx{skZ>7WmWCTt5a>uRpw5zO<)cypj{#FL|T(2bkOi5Jl
zC^4r@)Q|Pc?LXg-C|`y|3}*z}HSQ)lk-K$u2Q+SiFBY|8dH<r8F&?(EewtpzCGf@7
z!<nm!FPh0U1@<FB@*u}WI^o{|{^7h?!nI`RvaEhNiCM2(va^q_xRu<>g1!@4$)iHd
z-)bv$ZTlJL)LOMF>+d>~Hhk2DGCAModfY#9I?hQa$0)WjNmegH_2JO*mkl2lwa7D_
z^Uq>EfH-C3jS6o@MD`BT<v#5B;G@rNfS^17PV@6ZdV$Mrq}Qn5`#Rdx*OT;J3bA~c
z_M}dlTk^bIy9I-}ophx=9n9)a8IafrdgMDmE@H!~qvs*sD~p^pbSUH{nvMj4t3=%T
zviE4Wbp?fF(5>&0lrW=2?9?m7w1`#7<&J(~H~lv9s#&F*&$Ua-U)EfJ7gN46U^_jX
zmXH%+KUjPr5Pm#SEPAO;L4gpP^!n#>E{7WrFrHS~--~zAetxKs>5v?s(m0H637wx<
z>pCMj;e@sbjhKth3<`u(Fjhln9D$>5l2rxwOAbioq~+S(&un0Un8#am)x>i=(q$xo
zU1#8x&@QTe@3w<lW&%aYpsHx~q@Clex~(ZisdObnw<9>Oa;Q1bDhfTlYE8Cwq+T+}
zC$C=I7-P1cdtU78yWAS@!Q<WWAq;VY4i!9;rzyd=#*cnv=B!8e^J|i<oW}4Y@2#l#
zou$F+UL-Nj`BIt~UQCyT8QOcoQBA*}yqLdU0!Bb+jx|g0KBPkG1Y`6*LFkcIKiJlU
z>>H0&NbLt68PIUzgO3Sytjyt;(guj7$BU%Jk6?sVUUFgVH0b=6-ozC~w*{_nV;4>0
z!VsTi3ULItg%3$Nj8?2YYhE}zP2KDStz`v}JH&I-J8Mp==7&06CtVI9%-8w6eds{Z
zOjwn*zG35tJh^nMAkv=p@u|N0Iu;8QSfqc?)af;Q0S^?&ph&-+gWH^%XEBw?nfe0o
z^*3OZ?~||}h^Pzak#z&Bi#|6%`vaYl_#*Ery)e1aF4d%4JQCGLJ+$}L#G}+tCvJSL
z31U!LT$(9HtbM0*D7jD@{<JnpYV6?;K77ri?L(`?8mzB#@vk~Qn3R)<9`GZnKt_i=
zAibM!B3tGqF~_07!xgd|4c=v7UaFc0<ph9c&k*>=>dMv~_F6m%oEO)tB1aAnafwyL
z=@^s+u1JW=z9&Ti=3n$MFmo_9dzI3O7|ah9min>RQ?k96N;i#9x&<mvGzuMGQj101
z(O<RBO(A3LEX%R8LUm;ODICw>P*VQg1)X*t;fgJlu(F}^+EYWvScDCwdC9&)8`orB
z;b-DDz7y}7`V#K0c%x?h$x)3d9e&8ma@Ggf7WY*O=I%Q=8UT;1J~bl?ij?18EwcBR
zcw+P$&8VN5kxqT>(sHr-NWXaVwUoK})ywB1I318i%x2TFGsSn;mo${y$Rk-^#8#jp
zxxiBe<Z;VEX{i>-GXCD_k^#P=#m;paBeLh&bDa;8`*1x|&KhK+1&MY#>`b!!Y@B^m
z!5J3JAaMAXn7AkE#a5oXVd}g&hw>}ya5HLu2`Gt^kp8m|@9HucRCyBx<e75)q40%@
zAnXi<g-|orw>Kd6AWGy$e(A7y-H*frg2!tkDTbF%QiHHPL(B}qn&~;oRfoovhxYCl
z$_>G1*x8!qR}KRK{hZQvaoTZ=3zvJAAGcN1=M_&zERSco!_c_fwKmy6c<Qhy5!IHs
zeNQ;ju_qM0S?(knaiZ}Gb^i6tGv9L3=|Ecl$qGv%YWytlZgM|ktP36~2J_qvEaTVh
zEMA_Ma|D)>?~Sz8Z>|y?lG|jD(4PFS=3oJ84wfvmHlX%J0<l5dghpu+8l_o6m4f{8
z4<&yT7I3+r)eGl8-fwyaEQ!jp8us8_i*}!YNRv$?St)~5pa=as<@H=}K|oU|_>vtH
z5#IC3ob*%RvsU8ypYWa@P=!Vg$aJ-t{TgQ3&vOFD%MMcxr#6sM3g(|*Njxi;k=-U{
zx*%jHd2cX(7?EukMpVHY%r)}hnnx>}eIIhI=4CmWX5`*1F-?fF9uDhvyn)WLch}LT
zc`W`In0lSb>l!S&>{+K)3Atel1qW)wQ*niiwfosU(uH%~zme+0&{2CD-q*1Vm(mDx
zK~^RTFyg#d@K;x;`uz$uR$%B*a;Dc5>ROnN2Apu3$w-@!y|sL2$tiML=y7&-v#VtA
zyqs3-P^=R`#3p^Jd&;zhV@b+|;o7;(LC4U;K?tEUHnO4r3<XDX-u>UTEb2Bd4;FQv
zk!#;q=HB=u|DX#h)+RO_j`uA=)P}Pu!hUsyT|?%g^Xx1Y3SW8a^%UpYY;-kkT;PZ+
z$`vu>vn8G$uBu3NgV(<(6ZhHRzFxR*kEeXQ)KgN*i36O^ulO2yWsyTUF&@bc!)C1`
zO-2ojW~y46PQAwNAIU@ju2SUgL{1N#`a}RUbESWMZ8#J%S+ToyPq*A(z5~$cGOcB!
z7JU3!DDW+3m1sgArR{MNxDwnQ()^Efw_V?*GL0BZiOTNxz~4_AScwn7N0V#AjZ6=+
zZ`POMLIen8w~GS;_*1UTCsIY^tmol+*aE(R26<uILER$sjPgc%Cb%Wyc^8hTL*%Ci
zhK?mQ`I6^fU#Mm2MfSN}=ax_&Q7s=HS^GquS@ox(n>?)iO|(A7*`qcdUR~h$Xa5)N
zr?U44v75v}b+PsLL(Jn8fQ2{>a<ZpElIUIwYJw{f<3b_JI#JhGeIMj$P`eDDYHSZu
zOEfI<3X+jBBHL-<4WJfScH}p}H6%Hv`)F4HFUT|f2-4WMi*0I>gO8M$ZY~?mS8Z=C
z$1nK6aqY-M!ZQ{UyF2aA+j$=D809@Tw15}cG2BEQ+aim!TZ|{3W4W(hTlRea$N3ZW
zzn;PCg8We1`{%BQ$oBAJ#t_MKQ!S0vE7yi4{M5jp%qBaUcCTdga=Fh*#mGgOCwRVh
z5Z0dyef!De0I7z=6rngI1y*HG3yvSeOnf|?dSSit96EaR-SjDLKS{>}9ek);3C>K&
z>)h-x6(APSz!%EP+O}9oXXTOZ=eT3ibCIULwkBcZT+&!X+aRbRk1^cPP9x9M+1`Bs
z%HB`R*+`3aF9>TcXF{vJsO5?b`=l_Fo^0b@D-1M1P_dZH+hc)5b!t6yBA{2tADuDq
z#s0@2#Eb;>Dfjn1^W>1L9|=+~4s4lTQnx#5bO^bhWvaQpthD^newt&+R}UEK)(9*V
z1^He+EV!zI^oy$_AA53@=>nzYd)7re_LWZ4$~Ur1=2XTi2Zi}>3k$J}P70SoWoLAQ
z?Q>>3Z&PE|>{m97#tqzEWk(<1s~*1H$-%FEh?1ecWqjprUFg03o3DRx-RW-#%V$s2
zi)XfMCZ+IcyBtC`=LhV$e#hhJLby5KZ?|hFZc;VC<|z(%&XWXSXmoyRfm={B*qz$@
zQhUBuTUc|tM(<<eK=tp*3lYBIk@Q*_S0yOrNzBGA_Of1^699?>Id;g9Sm`~n(<Cye
zy3fuMwukbVVCO5R_8w5nJ_Tg(vI51O=4Uw^;fG<|P%$?Z?qLeF>@~)4CqOfMuCvAG
zKsDxvA7j-|7Cu52#C951s5>+T(AO>GCYEz__*_BO8m?>KJA~MM(a>U&@+Iqpp~<Ia
zTT`O^SA}6MP4#u*pvsp(l2DcF6PqW5DW`|v7>|<`)D`?R(CRZr$D)9Gro`af9(n*5
zeai(G2V6qa673{q)AeLob%?mRSu!u9wa#8i3b?tR0%=?8?Dj@v=5DEN6%IqPeJbep
zz7wQUoT!`YZGIR~Ym^wlEd@bV)9SFdf;wmkP0q+^@y&D&%nnz`Mn~^?*^oF+?wqmb
ze98gq6y0e7%}UiT$pKY{;Az0ks+=3Q?alc<{%@hZ^kr`ZP#Mc-8;~>dUTO7x_)&ZH
z5Q7@)Jw4I~{<;~~f~ho&P*+~Ha@(;2V0H#+i9H|2yK%f5mgK>nWXm~6X#_0h`YvMl
z3x(flwG@oHqwV_(&IH1BP0_A@O8TYowNd1ajn#z(V0%3A+?N;OBSpu1PcgV#|Mdud
zeG4epF;!*t3RugoT#Rjer78IsnGV)@a`!Ie<VwKUI%_5!9v=zh(?BBD?{77L1!7Wm
z-Cn+3d`Scn$O%ieuVm>vU+-(UV`h#D`>k#A9R5p*iO<&qA*WSQapuNsD~s&|qSoQ$
zE2(y<uAW>PSSn!BfzhklB@WC?0O<s<n|uv-qCHEX^x&)n7ABwD!%u*Z)*amsPa-9q
zjo~<kiEw|hCIO_|5?=E(?1s3i&nb2^u${n_D??A8!Cyj`!v6Un@D&EkFKfQm>H+4t
z6+Okkit)6~Z{bd!B9j0TM~awMQdL@B%F{iz{sTRnA3A`v8bNL^W0q$!b3>24=b&ZZ
z;&K!|%y|scx3rjjnPTn!b}DTFSDvYCkA|J{$`Uth^`kiqQ%i<W4XAbp?P?^b4<z&K
z@z^{O&_oIZ0yF>y&;U`k0J!^*Ywx#Woo7%^u^z`Ryps>vn_$9+{;z+JNboEG0*pc+
z#Q3kzJQgQmfAR_dh4l9A{_l(*@q)5$vpb`qXSVyVXMap$><E?dx#vJC_P@WJKV>ho
z;t5Zh)RG04pvDH?6qv@}$8qW}(gl7H<M8)$AP-*WtG{;y;AgW^0QA)IxDUSBX`mLH
zGV3S;x~A0FWk4Ru4FMM{z!1%TU;85$k_6r!&4*wKSnY^IRZ8nT77rpRqcf0Xo^Bdg
z!yhDJ=NVW_?7XzX=)d#&73n@x!y!#!InVi$$qtm?27Vb#!PM2^4QrXz!KMB7z{L}9
zBnoZcXIT3IH03W-gs<>k{aKPeJg|2cjM=%^H?)F~|JR^s=8id6GQaYZ7qkK^Mkij(
z9P?c}e{FnaP+<k_H2EJ3#&r*Il}0|ltB~Jnl9b|u51r@NdU&+^te~{d+9Oe0dR2fD
zn)!lT6n@6lIg_^aItM)yS$HxlA+I8^L#0YOMuNFnCzX8_@p|j~%0(;Qgg3*U^G}vD
z<8+wtZSA_)wq^Owv@VKq1%mp?bQOguL!iI(ida`rySP?)roVJ+aZMHwJFEJ^zau^w
z-fkGoshvcXT0G)ja#T2p<z#W}tXWnZUtoNE>flHd_y2%Zw5}xmtgmGm(!c$je`SSR
z9*dh^!!1Ez&n6^W0CUvd8gP}dyejsgJ}mS|iE`Oer20byg`cOqDH<05ub5mgn!u}A
zCR>XSaWsz|w&bk~Pu<c+<g$3py*&5~9;s>Vrr0p(0<LMWHe7yMb8b+0Y-u(5<mN_l
z;Uq~--?IPv^iLGxX5b1Fo-t}}<7f4RNl9&e7}H1jo}41U7uR_|x1>3~k%uCrN@73N
zlz!yUb(Jkm&nfFzy-`8Eq=$P|rjTl5T0u^?TYADgGx}{K%^(UVKWGYzk^$4{xTMq@
ztr1my@IvQ{|3-}f3+3Z=U|MEx`P&soJDL^1Ks<Ft(Ctel$M<tp@LO_(a5s&po?llu
z36unLg!Rj1q<Yi?rrS>Z?1c=kn2?vOw|`b+VwZ{$s@rC%b{-DwBdQ8(B=hD8nm{kK
z3nQ{HRLT2tLy|q~rEkJ0VzUK<@1&R46Xi2woGN+qHE!!}AAF~N)g6+YA4YJ@Pl_LC
zYNI=$)9JSF1l!|Ndq<jtzX?da!IG52T%%P%oUoqv?<WWUZc$(n$u`98d&)9&WO1XA
zQdnU<cgycauhl|oWF$o)rHE@wFx%(rOt)`eV{mrWLiB2SwrNjqw?9+WutEyi5ar@}
zd!?NZ54ETcB?cAk_aDyUr^=qesj|9O%>~a7F3r}450~yohaJ1JFMRuC{a1GtM#}13
z;E9erbyk5(fs7Sp=Z&_F8*?s%9(el+T}HO;pCfKGTBL3kZ1D*DyV{mtL~qC%);eCc
z*Tq@L%YyoMM7f+jiIK+N<ci}DS}xy?VeaEriki2@xI(kRzvH7mT+NWgUg(j3u0?bR
zU*P5Zy=wNuPpZ}2tV1SLpE|TBukXJW-LD{7XcIRVp%@I15icJ;Y{&u~?7S@0h6+lR
z04ZN*YrHHS3a^!Tv?!jN0sj2S4JK9I0mCk4|5rCF<~K=CuKAiA(p6*92M*WV1@J`-
zw{1pR%!HpDamN&D{5npqeTfDABZI%H3(AQn;50C%S(;LVyweVr#cghssXG<_FhtND
z7L_8Qq<^1yl3i6ApL*iHAkFKOh1R|Js#klOzpa#yu2@*gE_$J-k`bF6EtPShy5+{k
zVdU8mV1YDdqaO6Ra02IS_~bFO+Tv)r(XA@2^O{j5<nbTohgmNTIbP`6^6oYCb=%WC
z<toW_L@;(MUPK*5*SvAE7Z+f1Dpct4nV{W$W50Jx=+p2>A#auov~WO{-L&n=$|y>B
zZ*t`Vqp+3s-XQ*Jj;`ntl`znF^PE=nNGeka{&@;#O>cEFdn9N(0oc~>m*ucy(ko-e
zB=^x;fV+jAF#mdVT7C9%gNa}V^WLrpn9Wse=5c!99DN2y2p_}=(R2DJpbu@NsEciq
zHcFom;12S2)VW4IKGd*6{M8eYuChI!I}uGefoyeH|HoIusoYMNz;dzJ{H#jJ<MzQT
zJ}>U<<FM%^%8CjR)d~k6GJvG5saM%&2d7_spw374Z_Vw=i}{CM$s^ShtdB;jn<#mR
z9}sy;c~YF??D4j@vn=yt5+9~(LHl6gbNJ`@ht{=58pFo=m||x5I?WQO1E}9l%B?rA
z#I9UKTMyCG&pf$`jy(@M_-ZB%C3?a?D!xCh4&6(vDs7wOz;rdR+4XWXdbxdia^o&~
z?>x<`84GedD~1D?^JYX<T2vuwYW0(hjso`0qE{I<VQ!&txk1WFp8ET~;+2le%bd1+
zFukK}B65(2uoG8Bom+0;LZv|ZV>Ho_a1#WEFydSPQN0=od*NGC)#LWJMQekbI(;3u
zDHBhhBOa^^$3D8RT~Ub5KqAW8PnR+tG18wrZvh~v=z{$Q1lj2CA>H$rVq?erJ|4vs
z+VukIlhs4R+4<L-eXHZELv|pr)EyJznDrp-jGQBiFJr1IGF4o<_t`e7#-Lg&zP!x!
z?)>TLJA5lxem;H=X|*Y;$zA^d>1XhZPW<g&@W7y+A!Cy;Z{nSJJc^3eT;F)p;<a&p
zwcEqJ*=~CUrl<DuD8^^{mg!9eN_$wx=QczfugA|PKDQR#E0^Mpu;5&VN3kU@{sGyp
zolsrJ@@)H<M~vK9a8`LfqGIUL!K`eP;CZyFJJlDiT9VU|PT^elw-{~Hd*cXqlt*a3
zXr{O;b_oz%!Ca)08KbAOGxNi)nh;DFZWYe*Ovlfyl=EKIUZ{?_<<YT#Ur`;#o+NSH
za#hf#V5tgtQi=kW0`d*Jsd{Z1AZenGadciV1A~8;<@Xx#h-GE?f%94=wbbiG%_Ap5
z+^nHrH;#ck{xgw}t?Ow3prJ(b4iFg>)7#haZj>k5mc|#UcUSw*AI^9#V)>|3Vm@k=
z-mJ+0c%uNw{PjfBE6HKKvkHJO=mb1jxWeZ0+gqX;UElwG&T6Gg^$20N5r3BHfKyxc
z7u(}ctB(XN?`1Wtl>YjH@ca%H%af6lnUza-v75|J_O0#JNBtV+#=KDf8TfpUN^W-U
z5?MMgy?f*EM?K$=Aa5p4BbXU+5#M2JvFQZ@2G^N5s<PJdYQnrzO#@hY>cSr;Fs@EA
zGFVWCOPXkr@wMSLgh+et5@UN1IqJnis)^^(XAO-p|Ekr4r;DX%);xV)uwbM++%JBB
z_LJgQ%_GJ8+#B?anRtR_xH4Z|{6x&^%gK*I4b1aLaB?TaN>td>&-Y}Abc&%W>S(KP
zU&<#bn|}pRYh0_`(zl!I0E16hnIAGdyOcy}5iJuQa_Ll$EO6YFg;!5Y$Z*GsNsm3;
zn0OzQz7-~u`iA-TV^v%F1emZZu(CsR<EFlVSjF;f8DiFFr`WxbJ9b)-3{|u;QA5Y4
z209czxvF2mLQs(ys}$Lt2`Cdc*O`n5dtg66ukhZ1;TXongP}F07$@_LtT%B0nfGXs
z=iIm<2F85^sA%I~id9O{34(aE8z90=qmto_S4(JG+1<hrULwtX5Mardn(Id;PA_*N
zbBpHA?ZW*UxP#B(>q|EV4IS7vb65iLQ)wI{2iaacHP~u}sbmHDO$5;j(yLpILP~Nn
z4;&bR{!!nXm5O|&Yw!g}Kzt>nCYRl8_`TR7mZrk%d3x5FdlyFCDW2_rjWoTxY`e&F
z+CIU#<35y~b0uh|;m9tW4{G`IL!f0g0<L}_y8s3QI!i7Iy90#aWag-fsic?t+wAo>
zs{8u^&K+j)oi;jc3AN!Qv)v;Ggygbi{}F~%edN@Cv~J^3hEA}1ZO5KXDVgzs#Gspx
zlbFMyTqDEv)OZLgvlIhRh+@ATc#@6zTkQ)euLxBA0aC5^^kz1*HVrE+{Nj$$gxn$;
z#kaktDdRzk%yTeemLoj^$Ab9AgN#L3-uqo+0AO4|v!m-Z`bzSgC6qPS325kW2sx!;
zttgrVJ>HF-Xg&AzKOQU40;4V09f6&?5wM-Kf|El&3yB(GB2v@GF@r9hQQX&kfCM;}
zH`A`}xorm|&{X>;ClOF`nC6yiuE~OW>tDpSM8ht83UlEZwWI8R+z-m!o&JRZ1i;85
zLuduV<X7}4pshD%&=>>Gg_aiIt)+zAh%mtV$T5M4!^pPn)A8PQ#<9E`PzujpdRhUB
zwIw|rSo{_ys>k38>zUlI*SwMw6<dyiI(qD%8-50-m%I7kz2o)lq3FuxkBU^V_}h@9
zjotJ=GD|=Dc_n)YGB7*pc@&s$o2I==O1!^~^j;jTn(uyf;6Eb^fmR|HiY#<bDW|T;
zMpi4%%`&n1H3l;aG*@3IZiAqQ=$6?Wc3buUxTVKPZ-%ShcBQZl$ie54&`G-hZ0qwk
zAEvm@tb<Ie3lDWyXkg($2gY8vOA;Bs8wPfjMV`2JacE#dfbt0JT-<#CA7zq9EXB5I
z4@|X&L$4&kb&*2MokVp@gSY6MJ;YF#&jR_0<P=IG!S85=6mMVvTo<v*KK)c|Hfzv6
zsj<W^74o~AB~FV--y3O~9|{{!K-|}QXa<_B1N0YxyQKI3Rd!KK3TUUbcNFU&Viuf;
zB%TFC1=aV}Htl88-aFm&0(evh5br4ne#XuEfS2w@T7s`vDL{3Bw;$4$GKUtqK`xea
zeEhP8(5SDG?tiD%WkO8WBes<-LFg9tN(}(&X%RkxE$E*=*JVU9%d|I#xO*DH6rVf;
zIVVtH(BtHc9b<A~j+3Ewsw}Fo0xLXn@NodEF)TV5^iJclmy>0{AgZ+jN(|zKqZB&F
z0B*?ZgKzCbD#$OLBzGxt(Fy{9$_lbNILii{vq{6PtW{c_0<$f2Cx|dhdf~0G0`Dm~
zYX(-I8y&1RYme(ODkxhmZ+Wr0*98?*B60=~qDl3uBe*m4Qb}%@9?Q|oGmV6^7M7qV
zXS)ep2=vQ3@qlG})C&nzPU^iTjREwc6;)NTJ`uO%TtRK{Q_n8}>1LgWBnMyf5z)h5
zhHd>15{zvn0a^E3%4S4Wi*Q-4ea!U4W9I#Ge3+?{r?h1Zb<z4i6B7`#Bv%lFPcNF4
zWp`)hIEI64F^AvFL}<OEFU=O&ly0^kCU6FT8?=M201n9WU^^{$WaByywM}1pVcO7r
zSto&x&*yv=9~4N!4Jx)5wR_7t>zbGQ{P3aO(`f?~e#I8UpFiv9x;GN*XIQ1CG?;{R
z6UO6ttOh|%sM^`pfGeBBij5_J+%*MXf(Clc%^pot?E~5I)q7jP3j2&X7#!lIcN)Cm
zQ#7VzPI&3Y7}0dw%cD1_9q+m<4Y%0<aG(pl;dS863LE|Z&p-F)#fzJld6N#rTd;7+
z-@ubwko<EDoFsD#*hwrZlYzM;DfdL^z)a=~$mQi@y9g3S-Y)2ACEmvJsO&<sMrwZs
zcTM0pX6m#0@`qe{jlz?W+2BB{9eIU&l%R4uu#P2>J_56yC4`%GfbWRI&&<g}3AGNW
zmj9qIgoSjnz9#HxFy7JM*d{^mX_-(>P#UVY1fZIoz)aD-42Xc!=u=?`O{~wYuv#|S
z^OWa%OcDREJO3c5ieHTgPNyhryxT<$|1z&TD=y0+WK{4j9klZwAZf+pU6d#Fq?~^K
zuZMpknRfoe{{zIdlm2rB{Fa&|K#5`R|6;kjAJ~o?8FB%Q^3(>}0R1jgb}q8eWSn^}
zTl8XTBs29yHo?n650|)zt&G#T?#f_;lv!@4oBpY;HMCf;UQIU*LUd=O%i(r3-{O7K
z05D<B1G{uej<eG;+89$wSsR@WO2aT_XxJxN=Khx=>K`Rk<4Z+i4@Z)W7S*T`2i)5=
zGKE!zgu?A+H`sXs6c#i9oLmDq6rsA*m00T*j+4wrPeW>fbcg*TP5XAJdMye7NAi3Q
zU)r278!*a9h`3jQ4qUlz|3EBI@Rq3DS!{)PWz=Z?s;1~tV_qrx-Pbb9&m;AfM+IYl
zdFbL@m<MLix-<dufoNkS*+{qn(U&?^PPY8*dCAU{0FSJ6kcmME&IDR8uRI`ayuqPs
zd{HoA_GfU50iRLz>3D^0Ez0i^r4!v5>V?81s_xL@atpF41B9^|=uvbZ?Lv?@%V^)!
zy=e*r@Q>2(eYx*rR^UktM<tefE)&dE&!Se}(jzG>P70|Nfs_sN`rn!!i*d{ybn{X=
zI3zlZN$#D%M#ba0K;DZ)g+UQk!Byw^mTaXqp%2%tp%NmVs4RGvAX98(SvOMnq8MAt
zHp{15-waDVpM1FOacQ=UQo1LRbEIkSNxA7z(!T0@Kq~a|T20ViR_{uy@9zpN8biMv
zL>koYqvc(3!x)f0jPnk}>DW=xN^uZ0_q-(#eTlPwmGAD14eIjSa^srPmvcqFKHGEX
z)%h;Yo@o0|WU{?OjP_)c$Au$VY63-r-z>JPmMk~6h7QYjyFR>{eeh!yG4cHiiRbVc
zcPnuWe4J`I8uUAF;o)sVjhVn;OQAi=(m4fL3PCv{vIch^y?G_WOQrZ<+~{n$J%o7W
z47xm%wkgZFh>a2>6~p4gq3{IVf%zOoRc(QB#M#hsy%E(r{UJTRu*6W(eKmLA-#N>x
zRaAA#&pJPO(j0pw3sywmV-c7wKN7Z9aMN|n3Tlu7&jrAuhXw@CYnH6Rl7R5b!tgrP
zKq}dd{=~8#I8DJ$T3*3tjg)AAhfiVxQu3S^$Tw5!>OqAK40zpC$ET5ZRIWw}MPYV4
z(1X7XJ^0ej`r%KXffun5y|L09FUauW_+hCUymM{Yb>a7UE7t_y__O!+>bYYg(352r
zMprH@`Pg&1$&qgwwEGPkA`WQpcdc+-Sy4Q~4cz+$##G#;LxjaHhLGoY&hj(o-bJ(t
z!pr4-o%+1x%DFzoBu25!*F3|m%B?DVE-%W}c<YVs7Wg2rI{q{$3B_fIE-*TVN)}im
zSK0|n&;D*<Wf`?Wcc#d947-i}&Kphty^Oybt%dIofNS+jeHxvzPa{MDkSB}ly<t0o
zXdv(f(KPwSd-%AQcH2u#DtWn?tL*_y@GvF>(mGD6ZeH&7b^E!wBz6EFCCr~!U5^2V
zeWim8vRNAAY!YjYpLF@ygx3;l2o)bDXBNo41dhTx9!cav@`+EMee1*SkRdU@KJ8fq
z#|3q~u7hofh5|2<;m_76Fl3p8n-Nt0?fyZy_~i17OV8nmyswIi3V8>H=`Xnf&sQ1y
z%|buXm)W_D=jo|)#^4l>H#Z3&yD;mPz0l}<pqQv~FnnB{#X#X;7P0|t>cy>YX1`b8
z5M`M(U@KefeM(56B(llJRk&n<DV&;WFLrn3+Jz4}4rvWqYFJwf`;JS$=Q%y)_7k=A
zQKs6sT*?02*-kT~_R7qN@i~+U;%&4$Q3R)ipCEp8$6T5X_dJB$^m=JAiR)&>mf-9-
zU(`2dlyJjNg0&*JmIdi*!y;n1|4`E7D<7_Er#Ug4$cpzfdd_s6d~WH3KSoGO%iDYS
zV;D#fuk@KEeu*x!Pv}X$@K9JMO`O<^3hbt-PJvuXNwOLcS3=0KI1xOLXg3zr+6a<)
z3gE=WipfY>tK&4GSBHnU#6`O}Y=~v1y)G&t3wUQ@6H71um2{2rSIlQOM|l;RLIvu@
zH9T%>sL@@223N;x2jd*CSJHftnIEa|4O0&rLc9>bcbvWd@ZHbV5IJ7o1d#u#&}})>
zDD*4L+)$s&acODv1;vJm&1)kCJG2CnyAkc9zusrQ5C52mZn==f%K&?*;vt?oWiN}F
z=@Kx&id@l*pU39m3ON`KFL&-e=$(~UQ$<dl?d%nj`mN9%xHnh}?E*YYGw+%Qux)f_
zp6@PFHN&Z+3ljM-ORY-B$piFA;lo;{k(6f2CwtrdcszrC^M#_-p<MTx8<y(>#l+)q
z*Y>eu@z|ZmoxGJ+fgSc_M3!o3*SS$)^|@t(Q8i9B#Kv}+eqND4g!+^E^ii#h-YuyJ
zCLL_9Z}~}2d^0(H!KweD+@Vh!CA>0)@j|b_F<sr!uUg|pM^y82dPemLp;Lnwl70DL
z)u-h2uYlN|GNF1g3)a(m{N`aQLzj~pZPMEKj}+l1ZIWGI%_LiY`y|H41p*?)Z1ITf
zwDP6;)my-5bOH(qIgD-ys$%(qGd>)C02y4SFuQcuiVG8wp#GL7q-KcQE$wR_VpEu9
z6eme{syp#x(E>l~r(l}c;0D!4C?~1+q)3(@_ry&!xRVd!?!;@hrK@QJU2LKHy@~;j
z(_%zQGhR#0r`yVk>TMO3o0BX#Z;)V2ZZy{K{YLR7ayZHbqm%46eo9(CZ1<5<<Iw4I
zTVEWw@K9%d(upU#=IWfD&Z?4q`MO8s6BW<-cTNe*6y7YM+%j8_4sTw*jU$s6VXOy`
z4PDE3zo0frfz!Xp(a&09Qu%A2?hl}~JZ$d6Kf*_R&^Z|i%Ho6F8*MUL74qP8n9dk<
z-UrKU69wu6OvEU5TrOJ)t@qfXjViM#v8VbpG%UXq7L?gUq}~9L5Bt8gGU0Q3Zh$Y%
z#f|gMpq*RwMuH3<*!xg_)XnrdWCtE+>x*eFMjIOHj%Q1KM@PG3Zn&1sY-D?}t4SZs
z>g~rPKZUp1#CK7q=$Mu2f*wkL$kEW=2q!le<ZKVr8(W-x`eZA`J8v@)J&5DGRY_Cd
z{2;1RvM+*V!6feCJ>!L{3mh*ZMsw5}3`12)kXZ>ei!}(R#ov$64<gY<v(br_s&jg)
zxVi>YVsE$Q7f)6`hEd!FL{Hr~aU%uCM`<jQV~gckn#q6dWJD9`%must-xX3;-$q}h
zOGE5~fSu8+1uaDVaK~+5XARaHdH}>{R!m_Ou;cOdw1y@VVxJZPn?+e6U`HDVuxN@k
zp)Z-dWG}l@bkrZc%U~7t0`#Fq6IYX&Y_`1#svGyYV@xafQ!XUx)w0fW2aWE}^Z1J&
z^GBtBJPtVF>~9azFEx|<)zl6m^Qwbo6+@q0x#w1M`mwdj-^w%pKrrr0#G;{Dl#PdY
z@)kDU(Vyj_1IJa5y@j0%2T;9x&LjR$_2mvGv-@SB3Qgtu|H700iLm@q2s%f|)nNzx
zFBdJ0j)0H}03)cKmXikIbDbbYAsXX35$n0MHX4=&9r$ZR0Jy=f4$p3&Fym;9;Egv0
zJm5M6Y)_6fLF$F&WIn1O)C(~Bzjn;vBd7T$lV3p{dZRv^C)~}XR9xPp$#HrraW^Yu
z4@@N#^w=DbFxYK=Fcz>*l7faHjb#A%T631{p*z+G6+C1f$n!Otd2pdFT%l?`Wtoq6
z(}l7vPnuqiY|+u#%PPN{ryUNZ<^Y*^6<1GDyEvqg_gbh(NL}#T-dLXm-AMF2u<Grw
z!p3OwgW7SJnE|v7BtBMF4B8uxg}?|k-Vs&0op|hzFT=QYLKMNW6u?R^B%CKmJZ1zH
zDe*gz*fXYkf}XxD03{&I3#zWq0?@4yP$Q5z0|t@aJZmK7tt!(km(q>eQE~Yd5K9(b
z7sx#M`2OnrP?1-e(EYa{VL48aAL0u!5P3ffY{O6Tb&Xx`ZZWbBLk}e{?*LK;m`?}_
ziLyvUBp=a%r3^}%1_8+BpqrN7B)PKLm2XkFA~lugSkwCq?Po#297gbkRt2p%{Z-!$
zJYhnd_VNrqIw<NGmkP)#h7KbXN%M-NsdfT_gJ}98M@XplJtQ182wnFLaNT+yi>L+T
zNZv9hODItdj4ntC1{m9wt!bKr4C2CFnz4IBK*9!7)LoBzu01+v!Lhu`!Vo{((7neP
zjI|*e)O99*z|i9!anYR7{Ua=f4G?E%H6Ja0JrzcZ0<-4vwJRPSPk_=mN5<-Jq%#*>
zPK#s2|7F48-nVaaI}1v0ee_{?y`bx3_KPpt9)0B(4SV<cZ~ZD*o)NUJCFP#O;%2Aj
zWXp{quZJV|k&!0O2k+l7aZBah2O99Y)^{wSP0Jn<BSFmKKnwl?ik)&m73Jgb=|*$p
zLAo<q-ubwp5Ef85zF@Y7nU(CKbfC?Fz^0Dxl7#o5q{X;Q#=EzwP2{$Yr(wKoN&)(5
zGgk(<hp=Q24^HWS2C|h&R}=hhN9kYrRrjg@N?kI40i`a1G-yjfnt#PBA{nGHfGvM(
z*|E0(@IxIsanlzH^&B&dPPQzCKGfni(1p$99NuQ*<ntA*&TIU%su<LLcJ_y%JBS#f
zfYTMgv*>}lzxxltP17?t6lU%P1=j#<O!ut9#_Z=Mx~xwMLvMZ&OCgYUG_oz>_14@9
z^5g1)USzA>Z<ZpjNYGApVY4JHfsk3u=f;OCbx#j7Tv(3c3=lTxneoZHcOr!L#5mp|
ztK1eGK~aeCsiuLofUNKxos8kpk)U}gtw%|Tr$0rD`Tl-c(gvd6&u5`n{s)N6CJ$ss
z@6+u)8-sv{0qr%L-?(T|5vihhtKTZ(e>CRUsgWHIja2?5<e-4u5la^6D_JuV4udfX
z1dw#O4u-&9cXu8717ri_00NZ!!vt(HfgYUa40g7+a;0b)Of*KyP8_^Wu1S1?scZM$
z5>s3JKa9yAtq%~F;eHB^ae(t^k!_|bS*Y%OOQiI8#HP`QU<?7U0gy1k-<JT~LyCAv
zE%whj0jYT9T9y(3_SKcChg5p40i+!XshpT@&(_^j00`z7Zf1@7x%|?%i%Uqzl@i(5
zT=tJDT#w(I`QsmT`^@8Og;4+RPZL)s1N28Rz_ri}O=L*=xVZ-DkZNA=5=B|iH?mMd
z^mmqvN<Xic{@NWnDQgNdt?@QkI(zltvhMS0Lb^FwMf!^x-e<D?riTi}KV6jMQRDMj
zR+RC$Q=!4q3l1AdU(g)r6eBnnQ_6cARlb~dca~Y>DiWgPWTTKWDO=17j%2LHXis-Q
zZDLJ9oojc4d@}CUMavP1<%S;5MH8;FZ2ZbK<1};+ftMf=CcE%Cec_?s<z*fbRO7wt
zWbP^H!d@}LwQUYbS{E!~&?^uSA5|K#YNvd&ktVR2-0{Y@a-quKD6v+Y?{Y@-I2L9-
zWdTznA@FE-7}ziVI11pFUxJTWL-tHy(D_~iGU2C6nANcM_$a)sG{K>Xixaaf(5fY+
z$$Z>OAm6`<0)~)N;$WLQUHZ4x<b%Jz-S-TeX<iinK?<KRQn1qdwJflK;E&;4Fpn!-
z_1|k~dLarp0K~C6Jn(f-o<sQF!nVbD#ev2;(g#MQ&xYV>o7u9e%}0aX)q=T=fxJ}y
zH0PLh!mz)k0=j3r28)(&blwYlbl)(Kr0gCt2u>lt9Bt&(lxVUi7+6OMpOTpayC1xt
z3S}K~1U4#Qz|1D&|2cZ%Ju7wc$=;&@rz}10)dUad^+Q}t;3r~Qq)5oFdZ#Hu@#}D*
zo91d@p)c{3`TCEA&Y8}^MbF#3gNHPq(;urKjs1M0L_O#x_Wno8AkvpEd}AvGoyP>u
zCEk)&kC5HR;ZN>WqT}2rKvngdbab&NbmTZDkXOU^?#E+6Q+m#Jwu}v<9bNROjxRY~
zSi)J3GFNMPDXRQXvj4g6=tg?jc^<Yod)XsH=1@}YMD8h_*GW4!^=%?s#$*>3d|xOi
zr_~QdiYW#aS$lc6ozCu~Y`DxRdDqD>=rmW~pWEMSRUZ#mXX#jJ$`|OR=cBNU#vUYn
zh(+uVUsB|XdoA?ik>WT0a!t>}C&wuI&*3~YA;a;UHA9?ldkL9*sDfbzhwC|2jv*o&
zS$vp>riOjz2MOJIb=q|=qAG=4FH-QRwmRnzqrNKxZ5iz&O=f(`uD}#*53(Y{!DPa`
zOb(M5MK6wZUX%|VfWbo5z)sXLP#f;tDh($*xd%L1rK1bi^$$qPS<@@9hCs-{NVARk
zEnAP<YVYD#g61EAUXVmL{bNLF-SLdv*}boC-WaV7dN@?+n@CJ4A*NJTg{D4AVb2L+
zXNoaD-<gM2x3I%M@c((GF$=e#5&(}6Q}J6L*;=W&Sy!UD+<R?9x|@Kq2Lha)gD^di
zT-NaDmo)pwm#gJ5IX+urooD=3sI$!|-d0Nx6|)D%tq)3zl*<9|@pyq19ZW#wlClos
zk`MknNi>|3YnUfO*M$k`<$m+q8M%zXLy3*lCY0qb2iG1^<kJUH1pIkUOv~w#voYx;
zbH&SoU!C}<6l~L`Al27qk9r-4;i~>`Jv0-(5$utt3^wM)2(rvG=zz(qbrOXKHynXr
zsYuoeXzhT|J-IWd;<EA9Y(iRR4n9hU8~rVBehQfqE{2Z~MgJ;t8F+x3nDmt{1cEpB
zEwwlRHnS-KmK4m6AjDGr{B`}cHo4zks20wBAX7b97HMPUIjM?r8oZ>{eOe+$idkR`
z@t#DX>U)SUNxj!>1Bpg05_We?O&-iwDYQ0Iyr0}=VqQc%T(FHefB1lZ;E@fxJXALp
zx4lG{2VgJ<+3Vz?Tt2%87b>SX#^=t3;ST^+_JorOc;F8~L6c>GJ7K(7)Y}m>Y4kpU
z&-+(e=e00j*=*{sd6(r23EwOmbM@myJvX}xXOdn;T2_DpSPZbu$WBP8p9qd^rFQH3
z2~>d6FOnjzR}7q}osj;ITV`$Xp?=YwjRN&MdRi;l36%<Gdu5?RW1`-HQ&z0Cz{Uyz
z43`hwTK4%}We?v932z<}yj(MxDD^Hc%3XN*(mn=HCs~m1faWYOK3K_s)Ygr=)aLm1
z{YIv+!sq!K+}xU``Gn^YETezq@KXP?eM(<S)i^L9`!JG}BB_Bc)8fWNG&(2~sEu{6
z(+5mBy_Q$B`Uwxg-3Oxqv&Q=je#+-p@o48Y)BXgFs;yAP{!dF{>bkzfN51&br>sJz
z=<&&pQWZ>Fi(YKn>oH&?jl7~%Q?o@Sd=ES3AgI=k%oNM0_&wfU!1jD?%MZ|$4}2M~
zqbZN?pLlu*v?;gL!Bb`pIOAog(G)01ua@QG_%wVm&Mg=>cAt#u&Y(RLiCf)Az;<$I
zFT+RtWsgzj-qjw88<bFUq6?oqDVP7+JWoyGNBZ!Y_Dc<VVplF;bHuf$IG^pweP|lt
z{%*OkM<Qc^2#($0+6O;6x1_a^m4!o()rL2hQax12#tcZSu?s6JhUl^eX||fa`{yxR
zTOza@hK-j76Tm7EM!NrurPt)W(pz9OcGmL+83fHBx-Y@V_2$R93yld8bu1#IE$ZMf
zF_M|K$2~G&i`}!0I|~e=YmY`6#zDc$htt>Gj>myAF&#<X2D`lOyvCa;hhs%J+55{&
zpgIHs)jWVDT~RYYIklv)-ZHpjMhA<b2jiYqN@{j#*M;_P44?DnCzsZEQ`KlRHQS}X
z6ZLUaCqc{FuO=Eq$vyeiqQ;5o!+QuD<vmhTpgJ`Ka#E&gUZ+}8WwO*+EA{*+)}z0P
zwn>Oh!zYCyPmgRHk!{%RQF#0dnArvJ-NKIt;`ys@ca+I~^inwtGkXUhMNM!LM)la@
zgW;xT5Z6zapq?q|kQ2elz&slolG=7U-zz`y10(P9owmCUEm2Qi<X@@BY3VP!ov_Vx
zqApwHAFf}`p4_s(V&B$s;bk*uJB7~x87xD}NH)(cb@H6lN7dojAEcF|og?=0F+3Ia
zFJzN<bhsghE9}$G%B_#7CTOrPNWWHK`O+*Guz#zSC15{7O7q7L*2fPyy*FNAqS2Q{
zi1>90K&f>LDd+QlWJF%4<(jd5PfD2$1Ax`-U5@4e^7@a!DwFb!FU@of;G`Ie%;-zE
ziXZDV7RiYp&dO;Ok1XuHz$SM|B=gZ#;7{lWXFOk2X)aKG4wqmv93DP*zip3M{=eE^
zCIq^vXgxC+DYdk@9Au%JdeLDR12%~7o3Zc*_Ulffow~<NDfPs4F83q^2<Ax<89Z;v
zZ@z3a{wXZ#E@3NM(UPls19rXi8GPI;uJ-LB2*}M==&6#2gNYFFmxu=%W6{tpWtpX@
z4JW;~b#Icx99<j7c8)pFiE>RMDO=KCV&&J1`MDshHPngpliyx;w_CGxUA^8};LBO0
z73({&IPTF52v@j4^gtUp<<6O^otRvC$plzk|8r;>NEze=)o8?)zsop|X|hf6jZlK0
zq%ox{t^(C(eNY1iQ+fUmPbJPknTWqjlt}63%0VV<E?YknfaQh!bIJb)P77`i0vMng
z*m|hc)tm~dFDPcR1C%SZ&^cHCNVVTb923$>nZx7K3{e%A!I7+=*)UmvF^?uZsyj3d
zyuF~qh3L`0?AoK-E{#EZSr}A7K=6m)y)1uzD!2R7j(4>zN&qZ@<rVLW^HQL*NMOSD
z|NIK{16Y*AU!X+F8u|h3)-ELS{u1<q#~*h^;u^uVZvlVMt@k1cHF}l^mgH+MpwF-V
zzv3x|AU+P#S^*C~-({dOF_Qr;VXY;8S7LMpe4QHZuWM17A0jQepkja8o3LS0>;vMf
z|G4pXI7cjKNCQsMBa>u0KdPVpABr95zQCa(e?BfK01nwum}K9*2i}axm2;5#T^PG-
z8hJyy-$hq-bA2Qi-0kC!{JX-M({ftX9}-V}x@gG-ZoB&SpU53Z!@iSZ!QbF$VL<KT
z>liqsH5AfmqDnLc2WW=OO!NcwF0vO<D4F##%V&z&n%cu9WLXjxZGe5Cj}K=;@AM4X
zlG{7RVUVLGAGrF=USJ~Cf7+kGtriE#4y+*80CXsdD!$PA4&W9|4R8*|AASDT?j;&v
z%IIX6zB_=N`10Jnvj|!7R!7;D;U4HX;=(%U=p^V|!y}a<0+^6iv(n`UJ{*Gme31{e
z?~i9861oK+G9&qKOYo)k&A;<YQ2U6yNr{uCgGF0(&iFBm@VjeFNT<j7H{9<D>v-II
z(*B`Biw9;lAOZ}6tcmGaK_*6&73ipho#fDJRjtEG)%8!`h|8UwZVmrZvXR36Vu~pw
zOCp01*JEI83M@5;H8c3&a%U+k#2i{in+-?`J?so6!uBn8Yo_((aMqFPbKUzUA7{%3
zDpK7d6H}*T4>-=|u!T2HY-Ex)vMdvdNjAkp5?dz5m-&O62ZnQ!OScSdt+eOW`n?4M
zdAH^y$+EhiT2%I^JA2#~mVMYMl>405QeTWCL(K4p1Zjl_cE#*(A^W#0vd;kLU|}nX
zwf;^8JPLfzSfv>sjnu^eP4V!djx%zeO(F?O??+0Vi+^5y<zd{7pxggMv#RQzY$m#w
zCV05dU`5FuuU1~w;<`S!V$nn-Q==MHj?+9_%$B=$<-@qo`8NrCH@)|_tPX^E32EN(
zD42XyA!g`4Cn8B<WWmkbpz(%pyB2EEtqicAU!gOFAu1i7eaj=M)VRzI<S6ujz{jTf
zsjqFe;hQ!dw;4`b9l_L}s0{%T`wS|xp|3`Gc)J}#_%LfuRYL};eGSceLsC9mxo72?
zh$566yIY*8-_o<o?D>iY*N^z5+kCVaamm<!q{Ke3Oy=E!T*hsF@dH<a^OVurO1ymK
z-#CsO{@nux$@<<-XBl4iM!<Mr%3e-u`(GVExCAJ#%#wcI?}|Um5)PlNDC6AECMfsY
z{q~JBkJ7Wfwa@=-kN{`JvO3%-tg0WFq$DD9Gq%&q3q-o9e4Gwx13iuHYc&~e4^%TO
zJUYlU`doG4X4JaJ^?|%zv-7-7H8)*LvQB)>cm~kJWp!b>SY~kYo*Jb2D-Qivk*I3R
zfE1R}FJ}&(8#*(h6cA9pl#;}Elkw@3{5lq0z7PvvAP2Iyo9YC=*IX%NnOqmHNI3o=
zFSLi0G}rp($cSpM?9Ez;cp)6Q{hZr>yjk{saM|qvN8l3S$EJV+>!UjRE;RB8tf1jv
zm^D(^F^mGERG7u#n`4u8{8#n>UG!->4*!E*xw$=Ul!tdi&Kx+jX=vR{I(__><@<|m
zli;A%eC?-kpUM-CM<-~__I?;H4ji4$&h!}uw3IlKig4)Vcq_<gT_R+m>~WNq|IGxc
zp4?r<@KHR<_hG>UtMwTfuO~O6f2K-+zJc=3>MbbT50-{k0fLlAeFY8|5Ucf112FEL
zGlCIQy|zbl&CI0E;xv_5_di?&8lY)f+B(<Xx<d@M_vfD5{LtcA4H3`!I&!PZ!OFYK
z_eWJO*CX@mwjL*a%e)5~L@i%y&99CigjQ~yNtr&1(IcogeqeuFe?ld<wTf!_14zM6
zQel=5C86+><oauG*d~@wC_#VTjI{F3ByLJH+-uwXKo<x19#|^RE}$M2$Bii*<P2Zf
ziYYz(1UCyJad+2gGkt5HTd#W=jvgl@eP(o}UNHoi&2Ah|%rlCi(>a6r;A-Li$?k6)
zWGn`Ama-YPHTjX`2Bs;?-|gyu7orFNx$}ZI;Z~d6k{T1@ogl|_#{@X6kg4~=f5~0m
zkRZX}t=#g(n@kE5SNGiP+Wyb<2^fS+g@62?s?gnQhqkO;>B<Yo!5F|oF5WF(Cpr<-
zg_27>vG<4zjg;omUA4+b;nnu_OmuYIVrDS=dgjY@8FQfQ+P&9staWE9L?IM{fT)`#
zn9M;tJU07w)g|D?dU<Fe)i%NFO!kWzw)zPdk|f_pW+po~%W!7o3b$yle(v@Z2?NZU
zk5&KqG$?KuqWE2asxCEN*1e~erETEc!=Rby(A~9tXB*NkYq9uU$HL&sH1}!-G&tP5
z6~I~gtE@4g=5V?X{Ci9H9c#l)_>*MM7YwBMq6}<Z(I7rn@ybVEP+m^qbIaJyr_Vuv
zidUP6oR;9d7G0(Idu3LPbu3lG<_R>|dG7sW{N1PTk{0;u^UDm>c;gmwYZpF8p?}q8
zj=161yj{B=3!Ve6E6TVxb1E}}B8WbHt@^DJduE*0b8dCA<@yzu=%!&M#XK6I82mf_
z)vCm!nDp-eE7>WaD5@Z@!<d~nB7AOboj>KP`C|sY2CyoS9bSu$G~IGo=l;dm8(&Au
zZc|VEv?6`}z%vT<7+!y_j8_xja0Prec&lGj<D3>0VA@P_7jSZj4h{_f#-uw6&N;Tx
z?FowF>gso9ubsMh%Li??91j;?mo<aI1pm1ju+q#fX-0KC!1VF(tb5wOH9ds1c~UQ2
z8!n|B(++g~BQJ*XFO=6M%Y=dvH=V~Bwy@&$I5W8dQKJBm@T|B7B;RN2A~=g&adXLA
z#{46b!Cgu(&HIj^uirfKe2kPr6_FgOh0OjiJ&%7Xw^ESTsThn{RR;3SZloIK{p!3G
zhh8Eiv^x=5{Q*0#Rr8n&@AC|<ReYj->!@u4(H~Kfx|O`xjMZNCyI&k{W5^e{Hv~%R
zNz`IcS{xFj;>Py5<6Ib!r8pXxS>-<^3E)VkL}a~)p#v)9@b<D>wSn{u0Cl*g5W%sJ
z2B`jX5FCx0;B;tw-;cCjHoybuHUoo%f92&?GoB^)NmU=o;PwK`#~mW9BdwsWs@?S>
zhW7xWBHoQ{D_gdLbpJf(0$5TtPb%>3-$Tz2PBE6Q=1}|LjV|)-`CqiXcU+R||3B{O
zR9042RyG_>HM7ht_h^`ArfB9KI5Sf;_XOLfIVv@`<VY<CPH<vsNltR2ppttaE(8@s
ze;0M?yx*Vi_wjrD=J}%&54hvzy6@|Czs7TD<k(1Dz5j!JOCPvb8;g%5`Kd?(tC<h`
z`tOdhyUNzWY-)DX8<YhcTrI|EJ@a4Q`AsjoRrcUPD+)4m9oh{30y+l$SYyatL!1N1
zv<?dW6QVdJH^WaP<+<28O~<Yfv{?TC45(L!)I1$D0sya>>%#^*DGgStlV<h7$EflB
zuAlPsCw^y|1^wWvkF~|Q_&k!>I#>j*yTCu!eUGu>5%Rv#(jd!5n?_{RJ_JBDa7Eqt
zCxejMPRESiE$Kh-*rW)b6E8IlQ&!fRDZa5}fa8pJ3U2=X0uaLfU(7v!X4$_Z;C}_-
z|551tgH!JOUF^t!@BNQZb1<|Ypnn}F+LFV81<ip{QlTx7OyuBRe;W-(rRl0YZfuG<
zd$gYK`Du=>eLm;z`FA}yk7&M1=^Mvi5q}YHcmED#j)1t4a#l(2B^U^Ez^s2Bq8xYl
zcfUR?^ykBRzG*n-)|77`&lYb6^FphlgTN1I^sQD$L-<h#AaTm}{)6flJ+}jLi=&tI
z3nE(%+#NbNB4zTd76%nRhAI$*`elur6rEYAmA2<Ohx}!=04Vs209${V<43?dCpI<w
zQ$qiz<bJ`1-hU580PmRt_S~(z^m8Htpo$NOrA|hiVU82*B%mq5c0=;Z#}f(=|2_PX
zS@`)}%jv)D&Z1&?2Vc;>U+3*6{*>40UkB3}Udq3&2AqrG0%VG2XgV^^y|0ld%W4IV
z?ch_cF<`d$>6|`CG_(`w`PKtp_WzpM0J=U030zHUQ<T3{SfsBbf0|>h2Mz=*s$2<u
z4pX25ATf{hc>P&5aMgZtA(VhP;*=SgX_&VL+WFde6_)dE$o~9G@RUX{q=_Q|qr=m=
zb0_|*x&x$p4*T`G4^oY8x(XN}aU_85P`%A@w#sYOmK}(uNMcupO)dV{sn!7_^EXd<
z;j@}1S(t^NT7}I(rb^(2=nl&zbaFnqh3}8c!>{$&1pza7$x$mca@j~T-Q0De@W<%K
ztdyT@fDhq%ig1-%cM1Pv{&nBC2>3H_e47oLz|vK443fvck8)&^|9XX5o`I<X?P91g
z`QO9F2~D2e>rNd8M(SSR<~Wl8yi|ai!V>2OQ8nDNIA71pJ1g^({(ru5rU;O10I<Jh
zNk({sArSL1ZxjF7#PHv>v794-b>0Fa9xb4cloO2tqVODXctSh?Cm0YVqV<Ie8nGhl
zl+M+x9?~Vs^DRDc+=g3W@80VhWwo;KI$3I79-K|``OQ6>p%9fCwOU-V&tN=~lJnx6
z9Pn#r6?2?WvVf?Jz3x5lxk2U05%43M?Asku!vOaE7jH(V>Gx*O!we<>7{cKfq7?@}
zB}+ngW+_=c4iQ<m-MmBoQJDyAa2P$*R2&)h;}K_Ha8mvDjkGf>-v>_mBLMy}6Eo<a
zvnV47S1#n$;dojJcLCkWk=3Vm)K%wy%g*-FJ3j+Mtc$PvSYN%O`i__@8INa;9cw!6
zZYXSQC%Arqsb)`cUnpM>>7I&0tTwHLD%#x5Vjxy;ZG5fZhV%P0?Yzs{7=1_2cS(Bv
zVH?Cb(1mn_)kZSQJu40(0PO)-3^18J<W4Om>>hk4oe$=cm&s`Ybk#q(q@1Ic!cWhD
zgEzZ~YU*Tby<JBB)(sb;3-{DNc`WAn@Ui;g6QdI@t7&XeOcJ&3wfjI1_IR{dPfUG8
z-%Kpx;hjE>JUC%_YVy$zU;y3?ByA@1-@5(WS85?l;XkPHq!RS}7r<E}X6LyUU$|sF
zr#((n12c?jg?4<@n!r8dz5;UX#h8cc^zKUKuHY>KN3`g(v6fsHw;gofHWVv4%~J|<
z+77uC@j#VcC_|ZxJ$LotMccdNZnubHORzD`_}HI&fgyQ`w``+a4+<*GPy}>>U#%B8
z5J@#PU1=thTwl3`4BWDHyLq>ZUwy=Lf$3w>#hg8qaw!~EfW5Vc?`049jM5bBx_!BG
z70@Za-4_&$WtWwNa}e*Jzkp3_BK|v${K)Xy1@RPZ0$JR_^;tgtYb*0MC5Sz`@%^#D
zl5Cr_f|8>km>qTSTv%Him{W2i>E=*u4vCL(WnXMK4-6#lul7ZPi{$zH$;YXkZOARf
zVo-ybS(ifrMfvuut5;Di!GBldT77g%f<>#bX0wdRJt;dI?0r)2Hry$3bN}9PWUXX@
z-Lrf(3rj=iK@v%`xgbo@0MPHJ$^&S3?PDqN;jitl*2cwB{Q7X$4h_C(AIpFFXbWFk
zK_tTW$Mg%Ir+_7#A>6jJ{CnzU(1*7v>t7v97QHi7qwsEeQCflfu)SDkz${LsVs7wa
zp3flYr}=TZa-53)@rNuSiNAomI;V5T5hDG3Crb6~hXpEVI9g$U*Be$Jzolxf$OwV!
zr1?7y0I}+SN;mx50Q=uQnt#UM|K0Qdi`+lTc$LRLCAtyMI<mC@LtRfW;sPKc{%SCB
zT0plFc>`aoFkiAS`=z%vD^GoIar<7lGMUcXQJa`16BNx5a6xewDE&!`|Fe;0TmwRp
zxum~9sfj{F?!4XD^`M&+%;2FO>*#UYWYO5*<*uf4r?RzmmW2}h5MtB?s)dP{{Ddrb
z=XgAG(5}Y=-dZ?Udyx<D7e_g5Gj~#!DM1%<9Eia@694@SKLfZBH%S;*2nZlf#BvXZ
zb4rEG55jREW$sKLGS;yE8YZx(>`EH{p(RrIHo2|#Y{kEu8eI?fv^bD8F4aZVt%1eO
z<olBuf{F8IyRoJiYu~g9t&?(7+HX<tk8>Qsz+3FWlAdX%IN$WHIm79EL21B#pfAUa
zal>=SO~#iZ$XVT4eYA1==EcXsj0kfyhEt;h>HNF^7Avb_Rxg1y_gtY~fq+7<rW(DV
zkltT-FzyzlnvJKML8pWx<Jr!vL70)B(wcujGuhar1|{s5dsH;5-L9)N8K_otxYPl>
zQvxUj^ZVHsXKc&D>-}ql{VBPzyp&HPXPW)lB>&){Xkf;gUq9<Rby(C+Z$p~uAqTXH
zs`N$YY$>EXqp@IK22NQYiy><e6yb}D0phlVbqv#d7XSR#BRgFE9P)mp0aPgRFd`t4
zVPs#KW9!t35YlwZeN`|I<g8evOVa0$ULW(>^x6E+6?fVJ*`L&FafX3TE^57I%&E$D
zEIo-H8aT2*t9_<Gb{rPjupRX4;5l@J7`X$Ykejp67A0_@%%0{!sT4jY_Ii?gFLBUq
z*2a;PZ$5#}=|CGpQGsOx)oA~I-l{H$y=qHI-j*}<ZcFckT{OHTPDYeo8kqX7tFldb
z(GHaz*;IGM8dO-?ce$fRZ;|V_qq+$=@ddl;9&~SHBCmjZ^HPsNe6Fk@?-|C`!H70j
zgK27xyCOHGjdE@ipHrgnGQ&esOxLf9ow~mGlzk^Rhr>rsa*M!S=|r^JQpyCMGiccY
z4qida@4Ee2q^yx%@0q_^ID$kRnHA2Awh%LuZB7^0XaAG%ZlxZ)o}x?IY#udt>yciv
zE@9L2LQqiO)Qe9FDD~19(rjLo9{!xZb9)ooMcHNN0O(y&L#O*yb`fL+@bkT8_NL2z
zUPyz8ycK&50m^MY?EOuHx+-y#2l>9%UMy{d3OtPF`?1#FBa6doeAMna%Qv@f*Fy+q
zrCAqQ-hNb?e@pI8cK8STO?mLU13h~mU%gSC2las`RkL3cCeTpZ$<m{?1EuT<W{Te+
zmiH5^xWOaUUTFwHr4M)q61y5K4nGy*r+Bce%W_EoOKCOu@1^E}sK=apiP&cC+WGC^
z38hAu#i2V#4x|_#J?ilR1~K!!v+Kfe!HM0{pPIW%T#O2K(F9WNmp2u9QWBkf--^1G
zT3M;rtGQh8ix4RYk0QEvka@K{WuGkA#@Uk7zeHJ5MB{RU*VOuG%@ntGkvW15>FCqH
zQ3O}}@?6_Td&3CAEaJjsGigYKO*@=od|yvdC<eYqAo8Jb_#w#1MT-cpT)I+dMDfyc
z{X-KBJRB$V+4<jd4<JRT@PAE_)bULV@w>d=xK|O9aP0-B{Knu@uYQ1Ez~*9hb-P2y
zd!!TRGrYiZS?qE#?-Qs8@^F0{-Gwcel|Dk8wJ#kOlxpW;g^FhT6<NmnDtOEUMEiC)
zk&fK%x!%4$b$AIy%?>M<wG7I-9`Nvom!MG;)0bTloca=)>3VG_1g6DO*@muMFu#8o
zQU;wsL(K5$4I{nM<~`xoUoLVr{D!%T<^kI)+9FJGeYH+ZgywgV9XzyIQB_z6>v3g>
zIMKLbRX0G%nJQK}q4z`TedF4D)Sw!6ap=?YY2$?Etz(F!7_air)`mlxEbkbv7^yZ5
z-(hAO1+f3Z<a$h+pPl0taCw^`8VK|kk6Fnr%xG_-@XZ%lK%9Ipf}84$XmvMrMj_Rk
zZ>&g%<(Ua=-Y6d#`eCwjETC)VsxP#h-B?PO7dM~89L?2utk%hB0UdZ34NuEml;)9k
z@AD;LSwl*5B@i0+BNAoNmY(Sm2yQ0q3#m<U%6|g)j_Wf|t(1k+CfoSVLRWrdWbvO`
z5^378XA#p<wjGTk*jYwR4?QDZ+tvQXj1SI#%hM{#b3~Mab)jzMf6&rpfIA25a98eK
zayGgg9S_QD3rx<z;g;h{hqoFlSG$g%VVLNHq4ZPxX4`YxQSB*8$6KOIRHbH$Ln^k5
zhPoa4E|k&|cb%NRB+`;U*W?`&MSr55adtY2F^F(V$R)W4chuT!N-^lsqgKLaq@8PG
z#-8fhWTV4NVU$SnbK&CMkTe80^Xm2d#3|{Z#K_VGFXb2yuP+PPR8%eyTGgid)b{8J
zWWB+q+0Xd(^&=I@+aQnpeqZ0e!j40BXE}7pB$YMLn>!C#;{rW~w2XtECA87D$rb(6
zg}K5ta@bGw+r?|XMVw)q#J+zP@1<ro7M{^i<2CxS$Q<KjesVCsC~QxP#0BvFt7re@
zF`!cA$R+)+34&Z}8-QpQ2!Qv&tozpl%8^6F<0|+z)OaQ<>8%jZIrAKgG0KdBsK`4@
z3;)UA0I7~shmX#W0wFccpYjqMT>+P>1>o)+_(xKrGwf&aySF|HF#oeS`WnBu<O&ae
zeEu@4@~8F!pR;S~_q+g~Z`YVgpV1}qmDUy&O%z1XPr#`cxCE|pv^s!XjK{+h9A8Nq
zKGCJ(jI-jOdhcNeN1&ENN&kg@F0{Ep1a`USmpQx?pyj1+f_OVFs#GqOhnVJ_BE~X>
zh$QpnuCtEMyJ5bvv3Uc!B~*;b>g#uYvUw$ptm?Nt_!4Lhy#Wz`Y0;{I<UopxtVvDA
zCD?u+smzu<ha;n)thc)=v4~9pK*Q$~x~|aOg2ba39;)(P6GnP{K&VV&XD#_sS8VfE
zn7A#gwYH@1-InitX+U?BG78M(0HTDW8@K+k5^|USob<mlhdUC-+JnSq!0dNlirQV2
zHvl5;q=;J24mA#z$ZR_U#sZQVhh7M>zo(JCzxI%`=#bU||1CoPD%<4z=?6o*h`jIo
zPUqdVFj;>~tklie20(bGy2brKM>uJ$0+q!UXd<bSbU*P&2R^i-y_X0UetN+UkSO&^
zv7d}BhnlSV5Zm;59Js=Y#D*GyCBar;ijpkq4&-=)n_K<^c?YtiD{9s^W9RLF?v!7A
zw#%LIBPn9vv-`D&ch&7MdUrkC^5&cR*LkRnQnn13v?Ut47BDS+i~KWl`Q2NTg0lJF
zuDlmPLGi5PO;#3cdM+dNmX_}wUVrr|ZI|JVDT9HQjEj)`G^Q#i@w{M;zW7)77Y)9P
z<RJO0Ftg>b;h>N8+j}KMvE6RV<(kA9OpfeO=f)`S26wfB)H#9$8@jRntbKZd9yF*S
zNST(qygsNR`R?eX!jMoQek<;KH>+@!hEnQT6*z2Q7*-S4%iF}g=6wKXn-mhLx@{g;
zsT6z^UtBd)yI$eYP>iYJ9j6CgAo5y7+7HYt#rp|umhwBA*q}VTjPWwz;+RODnN!#c
z9}iJh@tyxsMTY-7ZRJe$Fw>y*V0(2=;Y~Sk9e-SZtT#J)dG>C5@)>|XY$#bgK48(o
zqhYwS?f^Y+F`ltQ>0T3|tt5}pXBISfo}W$`tdO3}s;O!+t&dtC5G`F$_vfo0dX}%M
zm#cjq=B{5NDe|#9BtlyOcETV(C(g6mGwFM)h|(DmU-{8_z7ly@Y&UPS`vw}Kp>vS8
z9F{*<+~;)2Va(WQ*@wE)au4c&1~4bfK2a>zXRv$l*1r6jK^b9Gt+%5EBL4l{JL;z}
zkN%N2_;h#00TmZTJhOTCb-7Z?ilWr{Jg1(&Zb)SoNs_qFu`sY8Afr%R{9{Pdj}QXv
zyVhtNC0cXuf0Z^fytYFQj^y*j+xezlNVAmPskD`TbWocj>@OR9GUj`_@Cz|>6GeR#
zE@s~DyNoe1N8fL^F`$FF_40{{xSH6XFhS<7hI|xJ>E532N>03whCFZ(F$m{NA3WtV
zs#a=0Ov;csewI<+kIvb7`rgWRdm-1ppkjAqD^ViC3udGE3O=Auc1UMv%6)V(4uWqO
zVbZ(cl_ii+chy<F2e2GgDqYE=c{k2XRlOK^6M7W1vjZ>rA(vx!;pyvAuw8KVWJs;w
zU+)vQ0D<{Rozc`_p<AvX=KWX={LgC+1Ih`&C=mqDE$sKk#d1C=#$Y<atW;krJCbsD
za6KKzR&ippyj6_bZA&?B_e#n2QSK*<<G*)_D%S&N*3~0L4ElBt<!y(g9v{8^Im7zx
z<p-M%wtH7nJ4Q<sR)r!Qvnk%)6sJWdi~WK{M)|1QBTJh}!|w#2Z7!DU8MyvJ?+N_v
z^3@ttK3k@gHs){cl0_zuAqwq}u=38w#;|2SQfY&T$-ICse&g?wEqw3H)vP8hjf75<
zc5R5XC<)IvVN{PYT<OdC8L(t_+#^TK`yowFLWmNh*LJnu1|CmThqwIE(oHG>@){g+
zyi3P8GhS5wVZrCL(fXZ0`D~cNof`67>;`=Aqq{Xy8qCL9WBL0_lh2Te2UG6DTd(Rq
zM}B@`ziUV{Wqvc?aHv0AS;>vb*PXe(SQO6J|Gr8ac4sCQN%0Oh#fn3Yar4bEpA~u`
z!)*`Z{D(mj<wHOmCGBDn);~p-SIoANE>oyf8Yym-ePLM1t-0;I(qVj3n{*9wal|I9
zlzrjk1KIB^<+xayP~07!gDIB=yiPzjn1oIYFz>t-KdS;T>-u%rhCh1jqIu_(Oj;^+
z?0`|aWQN$a;9U%uqWv+wUFXIDw?z>;#{?LX>aitlWjDY;v*htV0<wp}XD%yMak*pL
z@ek_=hwj_a8?9NJ^JL%kG>$51KXi(ksOv{NeaR?$9eb`Ws<w#DR#uJrb{^+n1|;Uh
zmOEeCc4haAel@NTs(<HwWR9Dg(UO~$jc+dVkV9&K)JAsp4XcLikY};?Nc4okYE|7i
z#npK`G_F)*<Sc$;$UAnzq$G@Rw0SLw_Ib$^a9+?Pmz-xO2eEKg2OmU9?<_|?xtH)~
z-1#FzOrrgAf!*;?c+7$gSP=kv%n*LRb9Ozuiv9t}&{`Ze1~k{$14F@u^LBgE?ow!G
zejF)KncZM6-f-4pFkinNnH$%X@gX}=Pp827t+MXzgg{om_xGUcxu(s{A{l>oYudu9
zO@g<V8H=?S&46HSIoFLFKo4G@vidMr{y?!udQAoSk>`45liQTSn>k1}ck=;u#5PEU
zAZ1(==>L-3rEv>Cj7gVmW)OX7c6>Lca6zfFh>fEGMKO$H(vJ+8aiR)}Av}ljRUEce
z9$ev)(B*7FPf^Xo5#Km62<A0_%5OTbT(iOUD`)*d59t*9ZHMT_p&E%D`<`!V-QbHT
zcjAqHcaHxN5ca%q90*Z>n}j17yo)$V;ZK)=uGI01!(0Eo^Y1+qjVb`O0m!<Kq%6&v
zX0v(a$F~n@8uN1TT?8r-J`t0<_X)oQ(`Ln~%tV(@C6%n%%CoQ*UZ9}j36!}Fi4lKH
z3Us9FqBM<DfFQFg>9}0{sk*2FAubU+aHFeWz62lVXpdA(f6944C93d^y@IaU<gw-c
zM@AO+(D%-uR~n8&K=G0+fmLnH=P#WDq8v??GV_14jGu#euG?}-?GrJ^Ttz_}>z*8$
zZH~X~0Fd9D0-6!IB?Dz{wx=(gnSv=}|JU!a@=e2^@dLe4_xT0j<);i^ZHDGQJMLOd
zHzWd^o*(CwDo%bS#Bxr-v*EBqS5N1^*#lTJ(7@u`3Gws^xfY2N3Xq`o6=&^x7H#Q2
z^&!xx3CO`9ErEtcLHLU6#NmItp#L1V0|Ek(N|u^64k)t-ZauztAUv&LY%pL>8?U@<
zp0^&Xx@OJMqpI^l|7U{9nZkg=3oAbnp*Z`^Cp!ACn?_9MXrQ)|!NDhUOBt#p;{QiV
zdKc@m!bwKuZKlqqIiQ`kBU-8Be+!SoRlJ~zRbBI!zwtOP5nyxjO3WO504yRG6-1a*
zf{r0Z<8S)9ua3oL0dbJ@eJ@(xfpf&rCnrFPTK^xX^<U$E(*ZDka!(E+-tGXsDA~+z
z2>ZAN>kj#PKq4gtzyJy=cFm0!l^zX6gOp0R<05F&^{kf|bui-@pqtj~I`_`+r-y~1
zjI-I{S3R+;^9|AE^xIDb(m+KJ4N!5-i*h>O!SJTtx;D)u`bRcvUH3{+QXL;FK+VeE
z4xDijustsUs&KU=Zw_(sP1kIQXv$5F_2_O*(D_dmf-kiLC4Js8McpMoF-*U^RvGrs
z=;}vCE^wRL$ol-x1i*wxeg7xW6q)#BR2g&D$dIVr(O(}`?Fid*XKB+L%bQX=6`83w
zYN#Ce90i$RP2Zuk6u9T%()79gA4`QLXtzv1RurwBF7-*hxi@8nQTqN~xot<a(nA5<
zbzgV27or*x2-QeAKGx^n5C3lG&^q7^u;V(whSr7<duaekHM*fI_qL92%aNE$&8n-$
zLrw14?L24P4;9g4O3>tcUwc4vZkHjM2V#hireBMQpWvlm+b7&LN~id#svXYFsY&Tp
zx$C$cGJO><#;z2&ZGR`NBA&lx^|{Ag)hfPJTuoVz-Sv(7X_h235R(`1LPRrPCFym`
z_zkwzVa$3DRa{iNI;878LP*p-hAuRy-xaAM)T%BRIW+okh4J@>>L{XoF{lkdA>eo4
zU8YKtQAQRTG(VY8rf?x%d?MZq)x;}20|es&U27u!6b6YR$({9V3o;ae9EV#?sHtA*
z9bss#vW8fBvv>wJr+HVa*|8sy&sS(w2g4>;=s3&svfmd1zu`O}W9EybyL~kmR}@nx
z(D=30BPiLO5OG`AL#|^=0=7Ysz2_Ia5NvTEm|D9o(;7`Ww1$}E!SHDPRuWDs$(&ci
zQ}YzOV?%5B?2oqqVSHYJt+nbOs(i9SXKzmd+$9icnVNlTDOY5(CqLUY247<ILrNd(
zoe3+&4>ALM%Cn)%J;_&9*<%JhAY9I=d<2ui#63HqdzMAZp7OWJ=w<61+e)SJP^Wno
zhQ4Hx30573`A%K0++-bhP*~!8NfBH54pV9{$xj<cU#iFo%iT?U*|waKCiAAbX+$rq
z(!fuN88up~kc%ig*X_?I9BWFl5sv70fU&CRN=HBRJAAF6`42Ewyy&8Di8X#KchK)E
zw&o+&8jF+qjygE`rcsL~zIsQqvN8D)aM_Z0;W2qqfMp*y7$?Vc6Fs}^k(X2ItJ&>q
zEa{BJrgG}#<Ox6LVkMNivk?kWrW53{)W%avbwxIj8srk$5jXxt_nlE%@Y<obW+BF7
z{}#-<U-}PRm_O9z>MNTUG&vv;arasz;!xT{d+P0KA)~set0XIUzRsAu)nS1AvxdC)
z)k`+8lp~0qM?6W@yyoRTMv6>%Kh~%*@@m26PIt!Cb3|g*Z7=5-@H8W5%1kA21D4WA
zyMkWMHj(<6M%|#rQNm%JcTXB~_v5aPxE?ivu}mXuS$;CNe)R-hRLiNtvlDJT1Nn$B
zIQb+Z=m9R1fRJl&N3O1`FIhOL1}*wGc{I6d!787y1yf=LFU?4k8h~|lQdI4_Zcwc}
ziK%!vWuh8OLO@N!d-Ks`<d96IeFB2t453lD^t-*F=~PLxBjj5E8?YXAALQiu{bZN7
z2PfM2cy2hG1QA{e8P!KMk%E@WK!y`UZsR`dpX+_HjxRh5^p$k3iA%nw@Wl>|W-Z$&
zZbUlVz%@b*sp-s3LFz)Ux@D{GBU^cx=bJ}E^nwP4REpf_2Iw4ZcuhAtKphU%Wc#+r
zD;=H*ey_6s_C4vEDj|NDI<>gL_6`}U+<xc;Y~rEoMmKBLHJHVY<M^=7MH;XV<+#@H
z=HSvhR8|IH!nS^arp)|OVSTDGZ={p2B@6ZuW>j#l7VUG#EFTl@efxnekejGozc1%t
z79?74zvhN~-b0;MW=vQ?T#>smeK6?A+_3M2%0d4B>Kae2RB97vb>pMU5#yS>1pq^O
z^+LUx&$AWg)%!NbZ|OldAM18)d4u?Ir~K><m_ri={an-(>api;D*wRPtI=B~?62-C
zHl%lX*@R#|(N5&U%k<dTaLezq*zc}V;}`ulDa9o%i6~H`ew4og^smUC5YrnEtHh)7
z^>Ce+An&)@_N?dK9#@zFi_zg_u1#zk+RMUIkqj#v?`d4`GN^L1tn2!n$Ru(%e7sqG
zDY@0F2Dj)hK61Y40qMZZoM~c&>9R=yulR&rf$EV4DFkR9!UrlWsBm6PU#Sz*!g)>b
z>m9X!re2(+`b-TBH>*}yqzU@L9Xw}3zgs_rlXMQ>ynFo>sE~Ww2$kz+hcsQ~;rbAP
zl%*8HlN9yp?cMXw5p!FX=KZAH8YNSLCBM*k<{J1r>HO5vM$H?ShCD7^jYIJ-*`C*r
z?~fUonTr~yCM5epyG7pu>z!d+a@hv=G_at+#`Qs%dpaMeS};u78yr>f%v?Ot4t>bA
zX242$wdz5ykn9<Ym-A|rLlHGA7A+&5tlXpv{58Ve*d`BOH8Q+Bk|-~yF}5xl8DOvI
zKawkm?8iw&TrI>m(LPl~`j3d?E(-V*@+S9?8<iN$^8P6SS2>+zbWZA=c`VC=M7Yr4
zu53*FgGUkD+3pY@EumJZ`?ZN*LGF!wuxJOb?pB|myMxRQ9^Kshof1dtqnbnK>p`b!
zo8Bk-YMzp~Bye;N=7DS-i8=2|_*kHM4LbJRPfylX&Tn$6`hpKEbbErUYG7*q1RZ;p
zZ+D{D&by*orSy9zMT9dQ-M<^nRT9yrL1Kcr&II#byF%SQhi>+F5G%5mEiCd8RpJkD
z*Qfb<m4<dRU|DcO6Wq%Y3!PzR)FN}#Wl7$gj9y<EuyZRzQgBvi1y}u=^FhTC)Z$Dj
z#cJDjU2@Oz6)&=vB3@yhvYSaCnT1zs!-HZc^vkKKZ&)oG5iPmWL6vVy57Sxts`$V}
zVqx1SiX^FvfeEjnFRM?p(x=Ru$I4ZgS>*ZULKgXm#Fl@io(~gRwS1q{t!eKs>{Wku
zvbm>2IXIY)P$oocd2VgZe)HfsI_J1<ZO8ASa28OPIt5Z6VbDKd4<A=D0b&BhU6nca
znCspGeZMaN=w!xku8SIbI)5r3s`N~h2ecv$JyRCFlTY&g-le}1PtIxF1t9%jEz&FC
zcD`~041WH<dh@@q|9LK;uLf}cu4EPIh6ANCQJmew_2)bHZ#lk0jicgN0=xuFebaQm
za*OP^^92+Cld-|Y=?;r?7>{BCdR9fiYQWTYUrZhc7{YPuH0k@r1L4GE-Mt*(IpF{3
zrhU%HbMD}*3K!>(Y+&df1#AxPV6`<OeE`$rXIuC;)8i+X($GctP(ZhV(HQ=UUb(C6
z&*3!J??nPCv5;F8BclK+l5lvU4nDG*vzT0*KMruXqk#Cc<5!0SSiEu0gzL}g+^`O*
zK8-8hbA#MqYrn(j;38Gw=SZFd7<m*57=f+-b(X(+%>Pf`1Yi1p>W1(?JLZ7T$j>?E
zGFacwMf~hJ&;sZBegOO?D`1@V2)ww$VJ-gl(&e(?G~I#FE61(m7goWT@za>`|KdTN
z)1VI9d{Em{XOqUJU*8EF8m&xk@R?ers!g1Fc!~p*lL+8AD`Xm6O5Fk^Bz4a715NS9
zv<gjTl<I2K5-w;BXDv9+xs`vN<b}Mn?dJ+~(>xY$`ha>V1G&DGH3cdz{F1S~9%(i6
zhuug+_!OY%;UkTJqKILhX$*Xr54kP2c7}6>e*K(I@r3W2cup&b;@kkEC5t1{YvJ8z
zZ`*#+RA$=a{7(o~!KfCLd1tqzTBJc{#r^oz_lnva3t54;N!~=qsh{XKT^(h5*V+oG
zi*Ir4TxtFCra~h>**gFIn<B0s|29+~+(`y*-C;MH@AqZn`<Pu>Dlr^GQjSPL*Yw>?
zh0-&W@msFD?p!GHqm6sk?~=7+tYk##G(BztY7Vj2(}9Yr3Lcq`i14gvR`(fD^GZ`F
z4Vk|86x>z?GaPDLoMHPj@8gblR#n#{H*A@0K3KjU$^GFY!W#?1oq#eEgWMnmv0OVj
zHo>Nf<s%V_9YM=vw$Ce-@v&nHqLFuZi0*GP2kwKV3LH_0riyYo&@Kbquf&cm{N@+L
z6i33O-5=W6?|^ivt4acRp+LrDVJUL|mK#yqUL}ZK=nzx^x&rs}bbvT-Vv!4)bDMMQ
ziIaG$_i)@Y7GK@>8x9feFmXtZp#b4#MX`+@3^r!NA=^=2*|0BL1?*FUDGl$LUa9+M
z{axT3D0xQ@Q8v6Y7LNh8!OCpjjrxt(qGD+{@!|^d+PLi0r=0vFC1hZSalR8`mT7KC
zH)IH}*9YAMaI)s+=^LNk6=S>RKzSUuTSzHR^afT^FThC=>Y3!(&n{fRrBlmH;#Gw{
zEjQ<^<v`gF#sbAyU4^9zC`aWqoS|h3W*Rl4Z`<KdFPkAW<t4|wn$w_sFNfhj%xFcz
zmB%$MrCvTLwwATAguKX+N7*m2)~U+YSCJWWPa{jSQ^fDToNf(#CVJ#m^vD68>kT)2
zFJd|4pBT8L_$y+<WRd{xjz1}asq8tayDqOYVBTwS`rwO6*frpr?5F^MhE6cg;7}pg
z-h$)7XLeZTwgy%*r*k}vj{_u1{Ihdr=&nusd35ehklOz2VUN`9DI$*%Pn@Ez347ij
zzR!0zaX&MpKnU2;+9Um)VTpBo<k)Q9JXF$a;%IL}+SuAD?>iE53y)t2nQiL;4zRTB
zRx*2lylWF5d(Cx&v>}55fiO2O8a8frcw4U<=1S^R*=0diQ8f|B+Q2FWv`PtbO|)-q
zyN*J;7{Can4Ynq?)cbB>gnswl1SV#6;nM~{qgPXTZmVBPJ@9<D{mT1-AE*r`ie|fo
zXNU6si^kQiSyuMP>-dE2vL*96HwndjbPZ71T^F^$v1};?BuPCpzT~J8V{u@!u*ZYr
znu)lqX>@b=<87}8(#X_Soa*|*QanCTgxr^ArRJ)2W{x2TV4xu3#(uzUie1et7)7m5
zqdGvdC3$MWW{X(V4js;Dk+Ww$my3z|BKA!_-Cf$5p|5(my+kuT%Y6a<j?a#q1<g+?
z_{6L2+01wV^x|q9C1~1`N8o#go9zLbASMU#@r5YxQi<{wQp4p<^~O@+)xeN87aPKq
zB%Bp5*3FZ^c&L$z0h^&##<;p6bF9hg2C<2~(hMJ4elCey3l%A`*tBa4&&E9OhVJ&W
zVNZfNI*RgEKuQ9BMz>J2^!dfHijv%#`md4`&Ed>KE)6e)l0ErIF|XQP7h4I^yP*&v
zQZI~@d+x>BfM_~sUr#0}b%+)Ca`a!w>s0cKtKnHP93|~41mlGYLG7>50SjPLzdue5
z225zH!$m(Kd3bbE{HH(Ga*t0hT;mqo@e+txBkgIchJt{6`|k?*=Z0hmv3}G+uF#8<
zZZc)2^*6Lo{Npz4khxCaY7@#VbOUZe7EkF9!u)f2!#W|#{MydVm7B&BuZ4?c7d)~9
z3sy>ara{*N5Hs8N@Bz>MgotV(7EK*)vhrSmj1FO9_Mmc|rmwTjF4#^WiG6+_r25=H
zb(+C*b%;G5y-ih!Mq^lAVJzbK{cER+&nVte<1^i|FMak%;jud7@`#vg+vr2}d;^7P
z3d)AbTaK%g=&B;B?ceVW*Q%k3V;I2jseH@Xec`2GMwf3i26Ht@xVJtVrRS4;(^DtH
zwu|IFLzPds;xw3TufpoXk7Ll$@YZ)do%D0^BPGe<=WD-Z)J0vCD_s1#O&5?>pNIo{
zmw3qUXJy+B`C3|(y0VM-a+Fm%;P*n<U3Lazh&v?UZpAhcUeD6jZC?K>QjJbomH7yI
z5SO>}X}ff(k7?ZU?eOeRvxTCK62UGhf3h{%hdC8l%tS^4PNA8tcx<N!t124p^}wvO
ziU^S3ektcmI0~KK881aj>?ijW9=kRXe~p_*BCwnnq9p8Yd_T2PzDZH5D^fTZs)KL#
z$~K4hj#lrKb9QF*OS+B}Fb<|<>rhG_so%{U3nU-v5EQledE*G+vN6=`SpWgn=2#Lj
z*OzOMK$#_+BQU>{mAI=eYW&9+3A;x&KwYO0J)#`K#es$Y+CujefAp#8!<J;Yl@0wm
zPjxpntCX6{`<;t*N_=KkgHURZqxXw^!3L^KZppnAb9U*w-Pbx^K+*yt=vD4;t<y>i
zIQK5MSHxGPbetCZzI@Kv*zk7?u+!7&63Y`vItn<Ul!bLug8b6Gn1wgXQ3-AOEvWm~
z%my9zE?j+v@F@-Bl?9~ngV8JQ!n(Z*xz)h3R`}@(Xn-9KjHXup@^ZGm>67GHPEkwq
zaNpOHZ;?0%WPO$ZJa>X}<x(vYOfpn&aopLD`;ia^$;52fT~*;Uyxam{<^N}NZI`Ki
zC6e$U%ia?cij<=iR(k=xMMwf1sqTf9T!2p&S{AI(HEerm_uncC?+?7cZ=`<5&nJV+
z{UV#k!OF{2+;&JHnPJXewdYp=eC~m8Yutk_w_+LZ8MeF)-pjn(aH*FVsydO|@{Y#N
zwnRpzzdkvA9Y#$O!>g9EnS>fklZF*~EM-3|%h(Li`}S(zZ$5T>_~|yD<DSbmO%871
zQyDE#sLs<k9tzEZYMj||A+W}9oF&F`I-1T4>B{2uZbHXZgGY}B0T^i0u6PojwiR=r
z!T96p>-Vlx;u-UHXTH<d0UClwRlv~xQ!!yP?eTwJ>l=L9i4qUwwMFQ|X3qPRKIt@@
zmEXVf2?1tm(Ia<`mX@yP<(tbSY{v6f-)}#q#&_yWeOS>TS>A?jQP0=D*b~b<2fcJo
z%{Q&!3nQ;O{OfdLgjr{yWbB#xZKe7FIg*5lDf5@a7<e>A4DaZKatk-Dfo83EXj9j)
zcT_pxNP8%VIkxK{0_Z)|#ZqrXvN2TSJ=T9cbwwc$-kvP1+sbo!zuM&T9Xxzb>S7UZ
zY4Jn~aoY8zq(1aWa9-9<m7j74UX1?8>oAT$ExW{<QPnRSm&{p}SPT`I3<9mMMKTJ^
zJS3}uaQPGv>Du*k6MVSpgHD>?aGfI~VF7RJR0=j8uij7%J1MXzxo#~Wq#-9FAVez|
zJJkHx@>sx?9%HMr2hHkR9lvZ23*Y>t7LIze`ET`<A*lyt@V&f$Z)#7He5Y~q!Lvs$
zOrmjvGSuYSLEeRZH($nX-ge3l-}K4A$^M?bL0;)HaU#WoF`*tfJX>vOU}$)+=Toi{
zD~T<+(LAJlbyjdS<YXwQ?dC^AWUg>MGCQsC{a{A#`yl%U{yn$cQcJqO?mQzAJ*?@7
z8rz2TO(RV`(U=mAmKxpY$UIh*(VIqc64a_y%hy`CzT;{-BqbWVi2XK7@{Twe+URr)
zsd9$ffz8~OvFF5%BdeZIt7ebGGV-b->?}g}t2JR}zfrc8i^4{|PW_F(x&THLDN5~I
zw{bnpQR5~CM@Y7O9yuM_h<mZ$MrDqsA_+g|vNXjXUh)R5anSYB#&FGwWTxtCmL_sZ
z(;_3hB;4+^j2Ot#KSzlYx&GpEiJ82@`u+y;Y!dRE^Y3Ur!f|~Cm7(vV+R<ZNpY!$!
z-v4X%m6*t1LVxcEndXm1J{YKBFt<G4Zz+>Zi`(qGQx}vMk3=CQe{JIG7jJ)j@CWv#
z&AuN}SN=UwP}me4_;>NZ%SU<taTIv%{CpVHd`f<4yY}ScYv`_QGv1V&uHX$W-hWR9
zy!veTAEyppqp$t?mYN~iwHG<_Qb=Zb7JlsuFV8HzWlCRV*#m-Pl_TAmaZBs<I{0<{
zZbm&aSw(taqouQ$7fK3hn%hZin^RrZSG|YWII1Je2tj_d^I1s-hxBhO^-a~M1?(bv
z>?=8MiQj%0G8MDbHIl`$ZxbqfTx~Q}WUb<O+de03IT*dHwun<ehgITSEP~_`jgPkY
zhhV4tdmQ62mG8!k72z#e({9wNBFmgz)v9m7F-?PY0y*9Eyo~ih8SmXs1S_$wanz#T
z?p4$t+_mFE^`z{@yalK>Uid6~^{c;wNzVCNrWx__cz4K_&io^lh^=`o{*BdQFS2Af
zr<}I5;D7dLYvH|_F?eFb{DP-oRqIS|X>vWia~^lCOr=NyHfPLuq|2CTzL6E7+QkYC
znmy|#&AOGJ80WU`__fbh#WK>=kO4XDbO9wVgPDwXcJ*Y)B;ZWf^cyTmhc;FZxvcc}
z>Or;O6H*6B6YGN_-NqK7gS!&_O!7(zaggH)MyhS2UKh9ztG0Gel@o+{C~_NhHS>~5
z>wQ5CWNTncP#_b(Uc9lgB*kQBvAMG%lgRo%?;E@-4ZkLBG_=evL;)W>hxMKxgL8`T
zb)%rKQ-D8AC%Up*P;zj(FblrQc4eK+Laj`L53UE53_|VL8pt5#G-`dVb1o5uqBdWC
z17peTHGwiTbZRbF5Uwn(Olx8rA}-^p(oTIHvd)P!^Jb8s(PmS|z6Xg0jDZWnwiC~>
zGhG_Z;ep>XCL(>?D808NFJs0Kp6BAUBoqstN1Wu-_adju;e@|tYFoSw^4xHCpgf&S
z5Gk@1!kly1Uw^q!J3z&G%3}HBFuL8vkrev;c|-32{e1(^NH=D=qD5w-g&A*5G?hPD
zBcvf%S)A`ULu_NgmG`a=y)QMPNOmzgsU1$j`mdk{&=2XelK!S-HJWhmsZ^L?HUE-1
zlh#ofKW8S`RJHLfBS>x|KXS3Rp{KgEz?Pcl@e(H7cAe7x!ByH1_{Ke_nS^-WBAign
za=O^2lqJ@7ehKHU-8Tzm#;$)@HNBugi2b$6-XX;VTC#%1e3AxPTZH-hSxcRjH6zto
zl55L7PQuGu=9J+$OyJPe$SAvJ`FYkd0#^w^VoQty8!8FjTLx6B(M5@BMO#ZIGWL|m
z>=yQ6*14`mOjTr+@FfP~rUsCytovYfE1csXMKmKsMWxDX>iEg!2Zwi6tbdbP@UX-g
z`hP4xx18>TIIrpBM7xM;I%pu!cj%Ig{4?Tg9;Lfiv*w~G#!%)<ZJBn4nWr{OcXrvv
zH*F*`=ADH|f<HIB4qZ6oBC-F7ZK8wG^CJ+t?D{2al8I-dOe-N-h3^DzDRGK<WrRI6
zJ~ZY8?Z)pD=ILo$V1}>@_pA=RF6}#lL5NKG^?0NhuYF>Q3ldaTv1o^e>AewpZ$@mo
zr4u4kw1O<XoXz|`QgdDHC+=Gu67IHj5+~nKiEN0QN7K=<GC6^cogt;6*w!_o*j-xK
zc>2pVL5ohA*M;^;k*p^^$U%0@oQ}s^6~`2QrmcPW<DfC<s?oU9Rj91cuXwiBKwdeD
zsuN~6@TOpCTB<5#z$utKUpuD+Ukxg-WUWZD+d8>x79z)&H-K;vmiCnVkeRL(@O2`v
ze(LFZO1WXP%L(@Sa4b?qrGoHYIV(Ob;KKwCiCvRK%rEUirW22-FH`(DS0S>HR(Hia
zp_4mnb^j6U_NmpA_&%aOR3F~me{dkpsREyiL4Qm!vgZ->xw_MkfsM|rky$Z)GoI=-
zu!no3Tn!QBq@qqQy}FZkt#Ds>vLnS}x$g+&n(V=Q3AR4eyauO+oERss#^tZ~I&hJl
zXdL|`H3w!!lJ6;XaoD!@@Eg&YnHyoPj9((s%}^h)w{WE!R`65klD$1;FUc$?wqG}+
z0AVtID0irf!1`uR!GByF*uC)rO=mavk5<qukl0okocRUe@P((?anEkTDBTA!C7isJ
zII6Q)W8HCmNwdOoGBW1!*7edLDl`$b1^x;?vHa^{MZ>c_Hu?=#s+QM3PqF9Lzx)`S
zNXF8+2ZNZO9B3>DsF(i+@7m`nvkedSx)}uNz}%mKddCXMLNQ$wBf?mJli3DY5Oe0G
z6?~1Cnc|HAohRL=rxphBX0t)VmE<7i<MAr>Wm?s%aCfsTt)j#trz_K0o=tK=w<rA=
z6H1vAkq_F2qsFQ`v{oOqi&kW^d;?DPQOw27;>t)?b06^XK&Y?iOO^FV?-twQRk&n+
zB_&4}_v{Be-jg<GR>Zw-9D<vrP+7)D(Ik6j;hrkl(L$Sz?1hAdPfNE)CMRBCk+uyW
zTp#M47MhnSF0`768L<gQ@uUu5nq1n=0_e)p_&!w%o2WWf+F`bguRssqw<+=F&)xNG
zohZ<fbA-VB`t6g=c}fvcHFAthDZFfmmuT+IE@t$|e?jA^_uyC-TU*dZrq{WdNSTy8
z6#v{MX-s7<XxS(kdzqd%3tz_Q?6&|06`|i6FRHH9s|J>*4ChWNQa;)S|MN(%i9>9j
zt6+VfVqvGFo&?M(z)8U>p3K+7q?8<1&9ZXV9P2wKdC;DD-+ZIe#{gzGletz$b5(>-
z29Q0Nr-G`V#-1IOM|4anlNGB8iycatPPb|x%ujR0?17baY$0;eY*zc?NfvSa>x*KS
zW_tV$$-;@{<Uv}1k-WNhd~oUnG9g7Zx6PFIL+oOAnwe*7>(?;FQg~#7(GeqDM5LmF
ztK%Hi!dc%!SSoZO1x2rZMo&gJyKC#Un&~&@kC{PxJPOuJ&{M0nm%NSU+NJGL&J)P>
z-Y3E}OM+kKmxx3PNoP*V*1nu#-Xs?;2jFlompu-6n4%n2*oO`#seWRG%R`DjR7Vt_
zA1IAQ#&pv@hK3uUKpA2bKEzs{x#!&V6?Y@ET85i;2L$_^vU9L*_QhZW!oFB(qGfIG
z!D`jUxD!s@10+cC;47Fb@iKhS#!5Q1m=PL2%<^yBajx>P10SvI24==bxrS$LZ*FVN
zQtW!->4Uj5j<?(Ozi#~%bK=5jS5j)|j467vLv8g$RwV|Cw5;xg);L)9Cl9WF&gm?k
z6p~OwL_4|G(EH7wQcDO8rGCepTxDJF%;6qLzx4HRa{a6bO}4Co`}hkD<dnt4DcwuK
zTVn6kR6L4Yc^SD4WprC=Eh78E!l9RMZ9$s%@*$rRSEwlDu|t-T@H}GwhVu8nw{d;u
z6Fu;^48N&M(%tB^6~FC?uSEI&B$pbmRgy0V7V%}?T)6j2RDL0B>B;NpKyj#!uH0W-
zWvVTRTT)hGM9i#Z*K(e+^8U<AoFlpRa}r|kA7&Tlw{qR!WTRY4r?E55Sc#SBzqpos
z$*e(s%gFbf2?ZoYtPy0<T#raEARrUw5(8-`_#c<cQBIP|6?*^gf8OQX!H-UG(qxeN
zqEk7?zJDq6`DEFw(ScVxC1ulbf`|_;Ooi*L(r4;(m=qG@WIuta4t-O0pnar0==A)n
z%FhQ~89ASXw}?a(bl(aXfJSmwqRi^tQD_hJ@dK;^e2zB$sRga${PL;^WqCN3huuDQ
zr|<8?T{c6l3%YQ)MF&wapjFurI){I=-p|5%7q8E~+`$+5SWF%mJHO<d&3)nZ(^F+j
zSL8&`CvSGqUpRhR&dtWd(5Cy1(LUPS5>I=~X!J9QNvGY`MmKvx*Cws@M&|84A>N0$
zc_X#iIWua)O6SwVyP^a$+o6`yJHvM4sl5R=ec0PZyn>Xt1$($X6e)fllFnhZ)!fsm
zC^Lc4$k*w1yw2W?epG8rAlv|%jF)nnEoAx!M5uAn@hf{_k2D?*3^&FF8!GMf%Tcj;
zibkNR{@VL`j5@2tt2?g31&ziL{eMY|Vo^}+Ed`_P4?UcxWLf2>NR?5uXWielhHBpv
zK3#K`l(Fm-CQANTh{n|&b~@eK%$(|LuFOGUu21G7WpP)zYij%Ngy|~veZI^)tkEdc
zJ9D+6{NZURwA*3Aqa`6A7dx18QV-;rT)JvUf9x%h9hdL(J+ArH)9Qfd3B%L(WaJyU
z+smP%3yu-0!sm^Kzl`U8d7zONy_=G{cI+@;xd*8NsrW6HVfOaNu9t%D9cTSlH~U^d
z7tse^U47ekytUkskV{a3THG(bB$*S*(4wY)^FCW?ld5$A721C<BuF{G#mOH<h>NxF
zfm;3Th$8jM<FVorwv`kfN`GrvOkT!DhSuUxe}mv`?x1vPt8$;EJVFb~|7twGW8SDE
z??8R>M0iS+F0o`Z<a~2~vPHOdQ&kgl--&@6>PlHnnQh}zw$SCiACbj<CrH!6s8V$6
zzH?-YQ75WKZG@_2;x)55S|HWSbV@Z{;2xYhLrTq+&$BJ5IcFP;e<cm45^6y=#G;2v
zaH~@FWWlhOq*cn`;9UC8G2T9K6~Fh##b%_Q+AnWnOssfT5R(-BMFZOTY$Qufz43vF
zjP2@iLBEvff-QiB(>%D$Fo`M>vsOS#5Ssc`&@E>pf~6eWv@6?eXBWG@t4~%%b_7fz
zhkHb8oHh+61f4zjK$&}GWp{z?7AFYlVzrUC&s=9!dOfMX28)8n!CYplt=YaLhtQ2%
zP*GCf=_$t)DP`~?$U)lG!?n21%B9*bPo`;(*1M=MPhVW~^nd3kN2Zj8jTA^nq~I^+
zKj^f5in86hUiR{h^Tr@6>wAI8@ubSw81h7+f=V20mSF0SYB-eFdfOpMD^Qt~hwj|k
z(JN?Xc?I1*4RMW{Ep{Igfa2T?8s54A9r$%!1!tO<t-yv-;vlW@pCBW2HHmARSCO^M
zvbfZ%sHm>2TT4c13pq~7n-Ql}Gfv{a-`<APymu=s%<`*>$0ixkA21g3RoI9ZNseJy
z*?%;)&p9M~6!)>_3*{oNJGjxP6aJ<zEbE>GkT#RmRETC!`VCi4;8(ArFtx;})i3MN
zxy1FqYmj`Rg@R6sj(r~^d(QR+Iw|F^OAtzSFA^JW52#4RnO#ENa<yJ~6DEx}X|x<w
z^SGqYvXF|)U6WLkI@BUHL$U_T!dx#4d+gla*D58XSQLLEj&%d8GqM_2?9qpoL5)&w
zHi)>_oWqZLWCuDppFlrk^i`?sf0KM8qGo(8VIp@1-5&`{L;9E@>$_>P6*BY>e`4cH
znep4NohLIgZs`t>p3*TjLW^wGyK_8jG}v?WT!u`zn)~%T;vNP5A@EEm_3`q?2a!q<
zG3E9%iz*vPUfSPBEs~p^-`QMeIzi82%_ctDo-^mIHop0#kbJ6<MvV#ctD5=yYi4N{
zJIe&;gjzlPW{&A<5&7KLqR0DUMTT2m3W?w?$Zr~as<~A&J5YhM7!UKCG%ljUP6l<3
z&*rW9z%n2SK4Z<>)9ZVDBW*5B9t|gO?vtMjGII>U*WLTn>u3x61k`o@jR~)I{?Elw
zLwYb_=|$xXEq}q4iiBkZl$Vg%&tIMCG)z%kNbHBeZOk5QxX`@%^DAV+wf=;`?}MKy
zcImftwQcr_idq+a>`gdSvTx<h+UtlaI->c!a$?@iqd7)8na(v=ulXF*JE15PP-y#b
zk1?xXmY;Zge0VK)<iprW>4~cnb_}KzD_b6=7w8RCR!f{J78LPD%P3;xQsPU3Jxugu
zfKY()W;(8*i^jmtvL4>MfVpoum7r)h1qcB2=7}goRKF%xphyjw;j|~6LF`4wi*0?1
zHJI7i`-2jPRXuNeEPy6(GV#ola_A`KQp)m&YV<iBa4WPHj>}`nGM~!Y5q$zkP`a8Y
zb~qHx(KKt8t_Nd8%$nI5PUsLi_&7a&e`!v>c7^l#l-n@!-UA{+f9tvL1Vj71E>F0@
zO2CVT_Nhi0k7gWWmc9^Qa8ny0ZN407c3MjM<m&P2XJ-c}r!H4xcf`jM&Q5)Dwwv(V
z-v*H$D5NL7dlnFMEor>Jq;&?Dj3wF?_c@fFW5?<3#Mt=T?C0S*fr(%XAuJ6Ws!~kR
zrh#|!`xc64yu;9hHMNA|4kz>**xbya*PhvcZkgdVHGMfF!YKWELa?BsT>-Y<uhp$6
z0!BRv@4#4nKy+45S;37E)wV8`Z6u+BG{3K1=mRYt+2uO^z2#jkg{I-k^BUF>C<R0R
zFuQ<6^h+3e&)2#e*c5i^406eE4wLuTc&-^vwcDJ*y0;#GDYC6XGii)+%q0vuzH+ol
zsh&{mn&_m@yv=}L-U!d0aIH>RvsAI)-+QVx2wu}la8o=gYl3eLy5QZx64bLEmfCX~
z2eOa7Ln6Lh)Llxh-_G>KFKpM>%ve-TPKtg;EIcJw>TKP8eVISLV^CBkUc8WaEl$jS
zDao)WBS+OzNpe6%^e&B_90H4d8>jH;Z}oCa7?t-#6Jz4k;I7K^=srqLNNVd_RWqh3
za^(=(ySO6K#`;FX<f-v<;z-BC^dqJ{!AsH}c{o`azPl_&0(6doSS%$O1f&NX4rs2x
z_#d$d72cKSySO5^yXS%ZoPoE!q({&t)b^~(LV}V@d!D7Jj5_tm#|iuF@l*GYI`wtN
zr8$)8C_KZS-%t7iAY3<FnA8r(SI!QdAs^VE@3D>J%Dxd?;9HgxoM<Y6)R}RwGZh*O
zlT<_ehyauutIZ&I=MW|?GCp7#Zu`F)myZWZ8n1eXd%~%>WD^oa{#E}(7HW*(4HnHX
zZP)xZ=Fye<tXsKg-P2IBH_sYGu5f+%Dy4=`^E4(^Vu$uh32$0h*!2j7YSak)qVbGy
z@=t>?^3m}2&mVM^%98>MituS`odn!k;1ii<$e8?XRlj*U{oj1>rfQ$IFgvN2y_YN-
z+|J4!ZX~KQw_W_ahfiZa<a|S(*5kUym~GB^wX=|r6{9N$#qKL@zqRmXRQ<qeu==me
zcSQCUIAbm@6^>>QNHVW*UX;N&XY+qIKm8wv&Tk_^4J4qhzEcEL8}!Ygz%4~WJ}aeh
zQ%;v@Ml&%^{BVN>zVW_hLZb-pDkb)-4`$IIo0ljoIoor2X%F^+$&#NMG<IF=0#wr(
znaVZq`7?+9nFrq&wnLdIopDyU$^A9znnKd-`IHv_147yhV|`QI+)Qq_P|@W^TZV?^
z-^(Z?+&#kilsKFA`h}1)oAClz6$Siv*%xPKw%OOX;T=-NXPh?1;?m}~Vs`#c;e~3w
zUWwYyR{LHQow?UCrAwdRjoCX=&$RvVE>x8Fove2p;`-O9yK;Io?K$DkSul}Vdu64v
zVNH~;tawB(%aQl}!%ecg|NYkrd>5~=J#|I1yRYI7nl(ZC`I3j#J=Q$S;#r~*XHvfT
zrZd!ir1MWLT*M_+;ryopyxxfP-QM`pJ$X@hUz4&uIm4$s-*}ATM!BBaqDg!pKmH@l
z%d{8K`+#)&A?^R*?Y+aAO5c889Y-0)f&z+2Q>3Ug0SVGaX@V3RU5Iow2}rLAW2J+D
z)IcJFpi*Kep(dzwDWN8T&_P=0B%y@BUN|#9oxR_EuJ=9Xy3T(D7Atw4^{m|A=W~DW
zd!=3U<&PRn9(2@rhgrqputf#NT^jQuK6~($TGapotz_8GRXp#hvA@0;+i~C_LV&AK
z8`(x1uUH93lLN3H8y*v6H+eUbH?*PhGjHZ`of1z-SuT;#8p1DC?<h)S<8%}0)vpQ#
zc8t>1E&0yK8Y@Xi2;3O&)_!mV_tQ0zTo8XR8~*-!`t>uPN@BUfdq0~Vi$QZci037o
zj-9Z1lRYpR4{WPbT~)Gq2e<6M)cB2y_kGQA12%F)=UKfRiJk>{Aw;fjimu%yjB|dr
zt4x*w*=04;YNKg0_#*QUU$nFhkvcu*#KLx4s^UIeu1*5RmmYmeq3lLOfn~!AM63qf
zU;=un=^Q+a&}npO-Zo6`(3+~d+Q{J*vdE=HqKG&obRp2jbAd}yPDJ^_@k?)(55c#S
z2rkZKW+Llrj4MlfY4yXR73%>qndLcO?Xzd8=U*d~y@|Tmj1_Cg*9A&2X2h7C>%FB?
z$4$E)pA!dqO&a$zs%M{~`N4GWP!2CGAy7&5!+^9vH#Rdh8qonV#`uUpa*x>}_Y)Mi
zg`x)68pEJ+ii_fIt9ZLPA6Qa(yw)udzC{<jvp~S0-{=v-^X%kEdqv-_?)JWQuWOAi
zE-_C^2m64&-S@6WTVRxAf+Dr@g@d4?uokZ-t=Jbu0*L(keV^<ZzK$)HU-f{&WKOwF
z-ED08U_+3D;~IrNb-(y$XBqoRq9yJ0F%riCFaM)sbrqVgEWhi=x)8BpZt-uM7nMbD
zQ+2^_Tk|y6Q<uB1NK9iE1&}I}PajZ}J=$t3ivrRbU+lATxL5qik5q%l>TjRyEVc+X
zrIE@~ABl(Pc$}W5$ir}(hMh|u<tXog1KR`ojV`^L9k?p76Aha0rZUDAW>o0<GBxbG
z1v6#yEhd3$sPoU0hHnW{0v_1XEmr~=RPpWKQW#B+=c#hA6@MlICh(`t_k7Ln);RWc
zMmahBy~;grE>)>fd!u8~U|X6XMQ=sM>x+9otu`GYbaQx-TGxq3bNw1P#2C=q<P>1v
zgQ`-+g%ApC`AhpUei^pfVKxjY3=8A8H&D?UK|ueaQaHFqajP?YEldoe&(cxNC&A;T
z`LZVaO$HyTf@qqzag<8k0gFcaZ(JJ8NA0DtRAO%$g8F!_Q!)2w+Zo$p-}l~D6OqD|
zJL216aoA!mCuvFQ^oIrIv6CaDe=Q}=2Y#Fd2G(ApLhK&w_vxSCD;rBSe5t=86+fgZ
zUl#hO7$!A}%yB>sK`IS6IxFm*4xg%hf~E$3vcy<b4=W^Q(Ct6uky8k5bJd>I`Oq4|
z+%fh(J8^0qJviiOsKv6rm8osT@40Id*6<Jee0Y=98a*$;%<F+gB#!;qOg7BT9)Hu)
zBvKliHDw)%pvKM3p+_y_hP#x+)%xmMxHoRs%%DWZxkGxU1189t2P{}rmO<<^zXH*9
zRrMGDy4_UT-y2+>H5Gfab?y7A_oUad;Rbb6wJ&CokD4(xHM5zlNTUZLk~7;K#o-%&
zzH20TwS@lSGc5Gx1I}eDX7EF8W_?VMU*Pffwy$8Q`H|mWFz(%%d2r-5wx+r!s00Se
z^g(*R#9=WOxD7|0dAZm`7}t9<!5nwgiiiK<kl#ve`-|{H0@oByae&J-&B2L5(Fo)W
zrFGrBzpo-g<RAf)QETbeDDoH;6e(%FfaoKk%x*Rf6tA^Wy3@h?16}z&qB3Z)*W}cu
zNO;C}WnrZI-MdLXw=}f(qJ;lJJpR81#czdPGyGx@BbTLG(oUAu6muUjjyZg>*6Y_j
z!iqnR<260q*Kzz}mua^0Htz=a&;(`Ae$?4LODR8s_L2w{A<bc)r5uVn_&!8@blYJR
zIMd7B17i9ATOjCv3$*_;hIBu~Y<abNkcu(I3_YMOYCF||HS!wa?3L6Ci{*Bp4}$w}
z1}YB{YzB1L+VednyGOfZukd5uGh<`*KwNyzT#tC|f6Je_!dMtHn7#eG+&=d1k-`c;
zW`Qh&imF%}YmThyrXIH1{cG&ue@3SM#D00=Ij`&!)BD$sy;+55PIe1@4~KUqQvMEy
zcxGbtyGP^RtD7uS+yMUm;Hp=kZy@7wDHtBIEoS=Iv=unxfclU3V~>Svewup9?()5%
zem*KfV08Wcy-X*e?dF6BcF~%(z{eck)-jQdsjHkM(C|IxeM{0dz}o#}3_Mr(Z*J5f
zhoXo+R+$51{cqW-75T?^phrG>N(Hz;E&lk><jIgUzN8=*MC_N29=uR(bS*>^2I!?d
zr+$n|qn_vX#ekmrgv2{9m-a`wEN6oSn_&<Er!C9`FO-#Un!}7t?Cb#=gY9uU@b7=K
z^cSt?0Uw>=Gxc14V_Omid&$pWIN=?Jjl}ThUhj@o^~YGLk&?KkdpijI4V^mq`h*_W
z^Q{veHZ|>@9?N2Fj=e#bd@F}LbYE^z-gJF^hY_ciSg9{>rx=Xiz5|T7oc|wT2ME;q
zgy5s@?6hkt@1}yf2)t+JFv-%=x-r(ckAK~?Av()qT`hdU1C$x+i#bZgZ$)31nBBg|
zN(O_6OFOuyT_(+_(klYHI_FR7lmA4P*S6{bf^$;40&<VK%#Zi`{?i_HyC1)4#iU%?
zHgD9fn>OCP4tv~q|CyKFR{$mb=bXSN|A~YC0lfNuDNzAv`M)oJ{|bJM1zIw(6(8Y8
zP{kvFhX>xZt(wk@NT@E|8H{}0rl%8|xy_Zq=l579W@(3~vF;eo`T>STTb`rO?&HgM
z9>31YKZe2wYYZd(Z-ApUsjApB2b>FrBf+wC{p9P;Tu@NhbLB>D2E)eyvN)%-W(mh@
z>2G>1vijRLYtCLUQa|u!;^dw^r@u!v_<C~oc-Ows^m1?Ra^w2YS0i=dZC2rC`a^~$
z9aRPoubUV&{eo{jGdJSY#{23QWTRu=(=bDv$gP{x3dorWm6U`Fg1Q9ZzDr({*5^GG
zR&UH{IF%zBXh4;uYChMbZ{L-LG-%Y72+4@YZ7)2wbNufU2(pd&6^*mBc@^&eXx1x1
zjzcN0ZJS7SuM;WhiI%WyuZjk$3J+&TlQkGf0H}ISGXvi~-Bbmh_AQb)5HaUmU9pta
z=pG{jn^H+~Vx18m<m;2B+ArT+sZ#ZRyOtM{u-Ic+pX{7}$@e70H9zr^T+p6i=E?%_
zwnstvXx7y0eT;i<8x<c{0p_b-vX60de@s}GlNM<oLwl9sqvEp5qTPvcKUPn_z-l_Q
z`en9*>ZMJzm_>N1vB}C6?*+0!aN0OAv?cK}Rz(VXO5AXU(E2v{(f+mU;r#3H4quLq
zF2ea8g}Kim{{pHOaWt61*j41)04sP2_@Rii&}ybp4a&e#f0YU;zGrv5qK$jU+BB6+
zx5LQGwdB`)I?!cThUMt&vv}?d^@H1IRPmE3I6B(fz&D**UYpSyloQVrH=j6OM)x5o
z5MRBhNz-f>V~fJ+>Cd`y#7(`eCKu)&LT^o)k&=(j$SRDfn1Osi?hf9({f<4*rN%yJ
z91L~}Q~EjBno!k5?vH&U6jBX(jvI1islK%G#?GszFiMNvLyIO$2J?+oiC>=sV0G+%
z=~SgGjY+#aBvQ!+f&I2d=GdCw?<%Rz1OC6x|N36+uy|%u^Or7PM+aMO5x6lApwaoo
z^HM2M-vCn97l7j_lvyoW!{<8;U$(D&l|4L$o_D-nb6L0{TSa+ZHMXL~BDt@Xbq=4r
z-7KrQVav0GTg-ysX@`S@IVkI#Boxj$5Hq(hM72DJux63hO1X;LqVZKU$#EF^{I(Q4
z1L~Tbog2_VKesK#&S<M{!?*qZw1P2N+JCNQQByl<D!041wRQs$eO*N0dHdx+&6e^H
z#*rUjj!`ckYsor@QES$=&mWrPX?XITsGeGRCB(MAzSw&*t2A{c%Bv8wFZE4}OUPTS
z8m{_JXqFkDJ5QCcwFe1+uyh|m3+H@_=EL+R5yMaz!7XYW?b;pm&(;_Ca*(|CUqRJ<
zZPyUj^idfWQlnoD?qoz^vg?|r&79geDd~Tf&4=uLfYAIre9@OE>;9|-imTHzw9efg
zBRj|BaV21KSfaNZ6V~kA`0BN#Oiqaj8M1ub@}O~3Td&7GKQeWQy=%+x?vN3`2Q|tj
zV?I_?gBBBbiCwe1&A11{wIavoB^l&0%MAZK@Fu`4@L*)DQ+hzVAyZT`EvwT$hD*cc
zTgaJ+&-Y^NhYy%h??;`0hum%W14khOd^PAI`t%9e6`xbY#`KI9Txr05Fo!~(&#+i5
zzF;14VVEBoHq@?(B!`L?6*n!D)4{9hiSx-UtZ|8P*@h}p+XpuL6HqjH`NT<EQrzqb
zx1^*;S7nisd|3SN_5f`@Pb6l>J%U{`bUtD(7pG*a*zEOk$<9c)vERFe@(sSNB{J!V
z92QCLldgY3CljoL%i3>Kzcvi1B1l(;+{2N3&u<3@iJu(=H`-E4m?b-xX#Vp`T4z^m
zcM53OqnMU{6TRe1g}q*^{=)IAw3kj5Dx7A5hbK?8Nu}ql#6`)BHw~9m1WE1K3d|%-
z+HQD$nf|CWly&mZrrvnzyZ(jn)$fc^t^Vf7;={Sm!A~p!&La@)MAA->T33BpVa#`B
zvl7dd{WD_?1<WxMglQ#P9`JB@!31KKXWj8C)jJQK<=b2O;O;+BO8p7*fSsg(*^`Id
zk(X6C6O8MDuS-Lyi{6U1^@@|pO;L$=^8Fy2IFLCe-KY=o^qHHoN_fFMaAmMrD|xM>
z)||^A*%GUjTt;zBa#C!XmmRlbh&x847@f8{TNm`Eig~~*WxB!r6qWgJ-fHW|mX~H!
z<1t7t(xKg%u=VoD#5B{$a%j^{V^7Hq&n9koeBqU-eu!g;%Nt-W%(2~>0<LHOg3WDS
zf~}Ha&m)5~8deD<WL*8s@nE5*foc~}<8;6sk1V!=B}R$`hmq|c8Ser^&6#Ax^b*Ml
zQi1kv17VrPWL&@ULknA^ci&z0)PBOxF>K&huGjd-ET>wD01&px;0j&pu-VvnSVI}-
zL*X(*huyi6H7Ex$69WS9@r8z{jH$P+z7HvH)NrWo_(zMTVcqFS+zgHEkkA&toiO(`
z3DLSW)bL0uN9aM6Dnao|`k|%OB85ptPf_n!mS<ZG+PTcJ1V1UcrS2-w$83+;YY=L<
z({Ey(Txh2~>#wAm9YDcqAE2qFlLbR)6q07w6yy5FObH#iV9Y_QTA>MfQGJG(e;#j>
z%E1-fLut49bbZPXRguV(-y|cq&$TX_H5$goLEXDgVB1c-*<CxuTCdm%L$hq0(j(x8
zT75@mtG`ICaT~T%4lfR#hpX9dDKrk>nB*s*U|oM9>%0wj9gPqgV`6RPeAXuk7Y!K0
zXP~{onB=u85|u$m=-)~4Kcv$P2<|_0$~lGq2--&!@HF&w3I1}2`+cyfq@;MJuQaEL
zjEyCugRPrWvKDTf1CYg|5{AbDO;Wf0m#e*5={MTQ%91$8sJqXZR_ZvduyfSK9=S&C
zmcn8fbMv9Y{o)B?5`iSC`6Bt5roB%YXukfskR<Y=<3VdZ{EH;U8FuSk0gn%xv&^h)
zTMT4I5?p0ls$7|jEz1we%k6x--uclv<9E#%SAl8&ygB^W!a3)K*h!^PZ)Ij$qfBKl
zt*+sn?O8_kq2BagVU99Er*6{^kqx3^_OqhoegM~w2S@<8X72>M-z!E)8{M6Nlo6f;
zwUq`qg9SDcWX{?~EZkHNtm<98+(>@xp1>|0oMlu*!QW%xg1YkNg(|}b%?Y+=ZNVJN
zQu*_Yblrv3Zt@C54bX$%!yEhX*63|<bDMYZn1X9p9eGag85=v97Fvp@2?!rsJ#$oK
zc+dJ~8o*nFb^JBHE7o1>=hAP0sJQ!keL_n!hZIZts}>yIN|d}`ymbdvOHbecgGGMa
z@brX1dM7bFLnIfTa1u|vfXZiQ#h%`GNZvzddBS0!lJ{Kt-SAJOQ*+y|!b0{tJ$}-V
z@S4}u$n8#C$o=n0YLq%6YggUw8A<r><oy5GJ@mheV`E>l&FWVeFOm`L*{$Q@pDj+)
zJVL>dsRVPykb1ic-%g9;TK0fa&48}FtU*`>`$>VHZ@y+PkGa`ubB*RD>7w=NJ~Oeu
ztR~hm`G4PI%JE~|%qz^w`h+hzPrZR1R(9>o!dP>@#b_rl7?oiMe;sl(*WVMZ?h-Pg
z^k^s02kJXN7JmMOh9ElS>Qd_{Eo=1<+%e@#%nhc%TJVVvUkFTa%=zElAGQ1-2zSf;
z6()xwCB445HKZRg<63+qAg`IPb-?Yt|H{1p$Iuz&JL(3{d6b6f+k1oiUB>K4wNIr`
z^a#JKu`oQEx#xGuN8>-vb|_L(uE&(a=ZUqDHx&DJt4^cyyxXNl(@<nZ$XLo)c$D%(
zcW>o!LvA^**5;u6WP%0XgZMVO>D_4A)iap`x0%L)$+QSFf^eB8@7MI~f+WWyvevoJ
z=R*r{ZNDmGI31HeQ{a6XBtZYVLj<I#{bGaN+c!Bn@>sRh*2a7rkp`5_HMRhbzWp2Q
z^<>%dh-wLt$3#h?*8?*64nhQ{X>Uy9LQ=KrP9(_oy9vNV?`u57H8E*YA0s1dy$0)M
z>J%{2-Lqz3HKGU)ejVvk#3Yk@Xp_}@+z$S@Cca~K@w4$Mm30-ozZkLBUs?)n@s6&a
zKVx2`%DHllAa3|oNcO$yN^(Gwwqa+Rh{RTqvR!-ubarxM?psC?7=GhCxpH%D>teL+
zgzl<!gJB>^A<Y{G5=l#p%_nj=ayhLv7cr`%WleA*YSC{U^CD^?8^HMb-ktF}=sXbN
zEM23w!g8K-+Bb8%VQpUD8=5qS@#bWEnMivFUtC+;UUH0Pp8=hpU+b$Y<RD&S3XZFq
zoIOSCm~x+inES%O6_`1HoYt>em`zkE8W&I@M{c*_*kk$=DexUz;Qq#$Ab5Rj;CjC6
zEwqV)2!Q#jZY_%mh28qa9n+U>OZ*Nfbxr;JFRpdlYg6AP<-VUHxug50Ibhv%>ou(J
zsm@ZX5w-DQ;F5(zH8B-d?Z!aEw0b+TOSsg=S%$~58_5P2M~3q)jM!WYtT+jBl+>6{
zkJbwHhPq6iv!rGS9lUZ#qQ{?M-Cb0+UOS6zl<2~#hi<LjKUX!{7?E^X(A-@a7xfnE
zjnm={T<~r8iOR41#_Dnn8rZA;pG3;iZ_uKAPHubny^En7XH3#*+Tr4-YAQ(vTly<9
zH*Xbkd9B(9nY3Db{Z5dzgq)siZxXPnj+!Yi;5=mYd?{pZ0QB-p@dKcP!LDqoK+r_&
zF^!=5wGuZtlG9>EpO@oFj8L~r9)|a@NGQ#q5jH}Edqd3&xL{S+9qi|x1`esnCZM!K
zdRG1-mV~)%zs1yB_cvtfA7><!bYsOa7B#kGv42{{swWk(yCh;=7s<H2<z_!^xWa=n
zQquP6t-UVh7H;6(W#8?OVPeAyl3O`=&DI(6F$SApEI7#8_~Z4IEfJQD{@BUYkW*~i
zH7eOHqOI6*ekp_D?mj28I^Rh{FZNN2$(tY>>Ka3>RwTne_F9o|iD`E2!$HYrPx*(1
z^F0MQj>QX#&XEN+b#Na+^X(2tuBp4M^6$V{s7YAE>-SE<E+t5^VX`h^I+Fz+i#^G&
z#`>edvnaZ77I8LauiL+uQi5-CM_RU$WLKxD(D&&d79LqCFZeY;tVVREfX6H7w`(hD
z&HnIvAIDv7ksO%|R~q~LG^N)o3OJ$|Y4t3b+kFNiIhBFYGt}00sj@-DI;};xQ)|Sm
z$k>Ru#^K?AJmeLlCo%6)p!=KNT-6);9u;2F`rR&O(w0<P?t{qS0&hcA*~+M`o2<)$
zg{9MFLe1^l{4vKjWNdF2B^Xyr$7uo1#tnJdW&LQBK4RYSQE3exO%FqzSq%nZ&i<+Y
zBSCdV%>&J2{#@%>&b|gu)Ba?gU`^;d0%!8pCM!?4vZm=3(<6R?O9Pq06&489C<{J!
zV{P!vhlh}cMM{CHp!Hn2U#`XIK>k*}%eU9}EV=X&QIi*svszeH`cxMl>oNn52Lh}>
zXQY;1&-RLCAM>Skz5V9od67`^Qs@opTNx@1|5z-`W66i+$S|uQPnV^}v_-kU&B&l`
zU`JT}DpB8jw~kF$l=;8;wvY^)w>tj3RU>FPN~3MV?6qIgu|`V8b{M_L%WcqR5ksq7
zZ>V>+lI&IF9hv!FW%Av}^-;1pBrIDjePUhVgElRAeoTAiz%ETyRM+1#BL9Qi0p%X?
zhi&(sW$Ofvo5soQqSPBBDnFxC^<Q?d^NpVOlmfk`D_(9|a4*Q6*gexOYyH7x|3`uL
zf5M}HO#%>hwFdF*P5NvGj;*Pqx7Ax5H~?t%)S%;w!9Ia(=HN_4WrM}>T{ieVh+W)u
zja@q?Dr*PC#as7dF~3DfK6jM^FUq2_HQz2NbZ`Mjj-2^13*TLDL2{_-ay9(m%l*J#
zmnc874JS{S+FctJU4Qn1_l#=Iq@(8GU*S+U=I?MwhJc$Re^)k9#?<UMwG2j*G_-Pe
z{eqUP-nA*y72fqaz)kU~?Z^88v~+r3uqH(g1|(p=yekJ1eZQYDB#olgQzv_;6{S(x
z+w-Oq6Jyu%Aq!PQ*I|i=iABeOPc`r#*QEci0JN3iPO05K9x2&ddNxv$lg)WVsx02M
z!FPXlgtSFSm(E#$L*%!0Q3}4aJflx_O8_T${ez=ZZmY}hPtdnjw=&qz3I25dgz08|
z+yD-DrD4a=<TH-A>GZJ1lHXWkcdA@|OvdiNJqKDxs4wr2LoAE&$@S|-QVyiv1e=ni
zm~A>;k-q?syZBV_W2_(X{tl6cn2Ua|Omzfrs~f<Rz8DFYF=*0!e5PIM=6HR_T-IUR
zUsGdcE)+y<S{E53>v<MqQ!i=i0wewt`S>4*8T%Tn-psK~!i2wi8c2|wzkck?c3|_D
zTNCe`5B`1A0$F=eeDLSS=nMj^DJCQGblxF%Eg0VwYTKIaL7B&HE_S7DqBY-*h2=ky
z)&BZ~#?OS^_u2EQ`v-^xd<46{8UK+p`?M8dFz)W7t`jx%9Vn0J{WG0^07w3}b>{!K
z<^LiX**Q)?Y_tyK`A_9_)5;c2h`ptegb$aSZCJzj-}<3C^pmqY9RVJEl(FA-v^<Oi
z2Wtud*(%hC>1-)PhFyFS8I`-DG{QYDP!pj+Wq=$)$X@Fo)Yb5tpPY$fZP`<U{<e3&
z+=Q%(`qpi|eYGJWyrOuvuLc)n$B|sP5fn8FSc8G#0)AWI<{aJmE^NoN&yF6u)#Yox
zoQ*D@)z-a@07&c0rwEB=b%g*~#}fc)Jx7I<?Ai0`se#UwJC1qJOvS0lEl<<CF2yPb
zTwBxiK(}?@>L|7|F~@npK+VUExh^A;a$UvI%}SnHvUuaTLvmI_NOyfgG{OIN^)f?v
zGZ*VSMd{g`WR!Fg9@wH6BLnA2kfnE}0h;cUr-24)i^M3PkrfIaIGQ%R9941PM-E^<
zdm{|6xf&Y;Np`ABS<xg4S4Uw_jrgfF6g`#uoke_90Ke=5Q%-7Pe1Vuv?69ECq#EFI
z4ROEBdFifG@!a*0>4!q+E+F~SrE62`d6djU<`nz<|46`wLYC}OxLRc0xK#EKW>SWx
zBbDosF?;!k*8}YGtaDxE7JIxN1~O$m6zZd^haZC1jQU#6;3|F9!?u)<F2<Jnd;V&6
zX!xgm*u2go&7*`S1L!6v(xl--ZJ5R%Ibt8^G_l)l%eSAXt(n$w5=ZNK`27;9M?Oh=
zP7xI3q$Do~OKLEMD$5+^6;9gpZ7%3u#6$z|k>~c`jCOx$cE6ldmgT9!L?KWf{UYr=
z(MEF2ysR%NyuG~bGI51m>O7Umwgj8D(zG$|R6UwG#RVz0`eq+mK+WGy!+pA7Dq&ew
z4Y}WA%-Ly2mwA*~7nx{3r$N^r)GG2&#C4ytW);e(I``MUsR7}vM8mp=RNK4|O3f&i
z(IRas30a(!I9U>70VT(TT9<X0b80N?g>+LtZDhUG&v!J%O>4{~(9;$zJjT!hrQ6MJ
znZwrGO$r5tj8c@=i_6H=?Lflg0SA2zLi9#zl2#i<RoE$J#g6*cp7;&nIG0-KKL#z_
z+W5)O{#(^~VSTk@(gN;%9ky4`8ay^A%!X%3;}YH*T}Bw{yvlcZqmm@j6_?BiaE^~T
zXWs|ps)nhq#?U~{&HyKHfoEB)%xc8Ay-}K1ZDC7FRj^NL+jm>6h@db88Bi^2vsk~r
z{*m^YBpy@txjg#vVl0emMsBfxO*dU6%SX*!+6IBmh{-_V!v?;$n@0L*`-s?|Pf}_$
zmtsn)64Nyi`PBzbAdhU_?2ny0)%dB$FLhOiNPdDGZ*qAa2vydPotAGtj=YYXa&J!Y
zm6?FNHFYWu)}kYkt`D<N{MZ6@b998BIvoajX?59#=^ZjN1qGEUZyyOm--d_yv&>fo
z*RvwQEd@T5;#7(=>NaHVqQn-(MYvcanZ?+==BQf<`dFU;9XC(^7moUF6!@+3SC=nh
zN8*2@bE8swauXiuj$4qeIf-=u*1c_KaK8utYH2;-n{V3$LR8#V595GV&|4VB?eL4)
z7SB<XpJLT~5sJWlE)I&Yt&>2+7$eW~e?us?k5Lxm#<H3U8VbjyVpczw$7wx<$OOG0
zSJCY3Aox{vT>Tmfx3@VqqryDUui-ko#Mar)1Q$0oC3JMd;b0fB{%!d4Laj+$VMrZL
z$=R8u(rlR*71#E=$)slijOe_ru<d=0xF2<`JtB2jPzs}CGQ#r!(ugbiMzE?HEr-L$
z{9kHnAf2nCwt5ieQBF4Sv&aCOfH5otT3vy4mKJxMh!yrt4=1TY@0t=w@>IG_L98v;
z6GUMwYFV@xe?ZiGS*&?BpXI0XJiPIbSAu~4(AiZUcbe<3zC1eZ)FNhgRqgS#`0dVh
zBo8XQpgAq`JjUey7f9~_<W`q6{cH0}F=}4^{pzO|n-`L>Ev&5&P2M_Cjh1Y&Rm9;L
z47_(W18Zfhb|%`fCNwrSAHrXSaul3;>XCJstFRQcca*VEiFVALPHpIam^`42H~~Ao
zl81sks!>`rT%>C@W@a`~6-*0Sgl`!gaO4y4V;|E9bqJKd*GO9J@wfmymKmBOM4ne7
zFlVAfD6mvC!6G`tc^1JB>GnuRRe_#jOWTZ)=TN7{k2sUrbag6G^ZFby9Hk}k-Cn|`
zh-h2@>-sL<9Uh~R(%-rll*L#GjO&?nxl#oWR{F;`#B5z${pltQ+l?2#o;M_KyLgF+
z&D*2@yuUSTEj5~YvYBh9DUb0!AsyFdo*msQ)q-Uo;AHCF?;FSRsa>e~DoC$hL?47D
zar@Gy5Y>mAl*e6aL}=^p*u6&iwVHe52%k&M)kDb~G|jf_LcF3CGPi~gbCkUNM4q&M
z>jxWu?sV3f+`cMW{CP*4|L_I8(7q5TTvLx=0*`KIsPk<oXcaW(Y~X@lV#?@A^0e|>
zMO_s0!qj1IJ_Ql2MU%U&&uDKPj`GC8eH*ULqr=Us4>^-J%|W#KQKOUYXG4CA4DQsX
zsWA0pAEqY>ogz09+-T%Qo3&z`KpoH&q&cCzGUR7O3Ah2S1U+3tmQ`CI+3|mVWu^b7
zqjmTcY^-zrJu&{>H;+6q4;LUYkbEsIVE<yM!F|2SZw$lA3j%!s!jZ{?LN>$)1`cbI
z1%OAN+KL#M$ukCB-!v_fve}fkJ*0NEFQO@zKhCBR!6nxclL4#AkK}#YNqOo~Ygr0v
zVn(C)cJ|*L&$@dXSk(f?E?Q~wxy!ivdnj_h^2bb)T3<;fq)VIXgCO`gC~p+=s0}Sp
zmsdUMTW1zskueR?!SiJ8w5(X=IIYq+tvX2KNoqc6aL_9-*`0a}|1jv?RN~sObW7dU
zW%xaGwM4&%U}5C%QyiwJ$g$YZE~hkNpA|iJ%Uvi1Ca^!?$k-!^zV=x875%Fdre3MQ
z)=dwvl_KcNPL7v}XI>rO1pM93vV$kx>i?LRa<3{GvMzF6No)0N9aiTYv;MD^7I*aV
znq$e)YQx>l<n(v%3E|@M|ER-s9w{Z?Ge#u6OWbd-nvlM(<7`8!{p~98aT?d6eB~vx
zHTsq*n&G!`!|%Z{p-Hx`)Hz0PU586_or)ve!NLEYq5ubvZB1GH#7VrbLc5!@$(L-4
z&7>3s0$B|k1D?savEs91kW&IC+X>dTz-J(HPE&S7$fNb8>41Y(WA!tIEOQV9vy=aH
z&6RDmy1L?pIU=hUs<C{F<rD{alfO{CA80L=R-t!Z`WE;F4X(i?*p=APVDtV4_MBJi
zx<eW!*k`LtviUISX+-kF!{-J37{02m=E%cj7otnzToW;)d|@*y1{sLbwEJpVI`FK>
zl`Nvz2l5FnSj#`e&bM<I04rC9LsM%XX2oe$5>O`xF>n`H4*Hk@-&(bzFLH_a$`f2j
z)jFxxdH1h6%mWvZV~-Ch?{JvBdUS|iB2{MgSDru1Q^HARmCPon7jtzl=xH?96n61j
zYz)VVTC?TseY+X(-5vxZ$AFz!IbcZO+~Hw|ZzT*imXf+mz4Fla_U%!>`vZ!6ZPa8p
zs*0%UEfz-rzQ~=MmVX+jTz=y(n&Ok{f9N^S4upf(eD8?Ie|EOJLi-W*A69vK_vHZS
zA8Gf0){^b{1pCicWcS$r>%RiYUCadpQ1-k|v(WuXV_ySvLTWVWnZah*Y5AU=%+)d3
zkM+m4L&mB{f#aDgK7uuRm}T<93;DZFbG9~I$HSMS!S$&5KmlwGO(ocDg{(W=LT<>N
z8uY1&*#y+-F*S$nTVI2DxHeMb=D<`9%+u@S>d4W9^TS}Ims?^};BJBa-@Y)e9l#32
z+dnRKiZk|QJPw#5cAc4|tnr47iujcyo2g=}hRt4`gOUr&lnbM`n};N726&SDj3iUt
zOzKVd^W^r)w&0)NH=YAaNf5YMj+vCV0V4xPr>;)ZOb&thT-W{|6tx0rKj9tOjb#-y
z)31&WlGZ!lRlUeg#Xfy8SZpeHcUAL+pSo8dojh5&_Rq!mUa7_A_~JD!c|b8kXEooc
z09oE1T6S2$8Hx$&ay3k`Gf<dxF3;8whjNHnym<9-Fk>NjY~XKs9mF9H4}BEZRwTzK
z(iU1sdMw(!urWAO<ms}k6Rjl35(Ei%IL(cos^*)lEyC40t!f|n(_J-3d2`HoImhvj
z24w__{DA~inyE3;(@^;9=|&!B7t8v~Dq_k!!U_t7xI}jj*RdRBP=Z&E*K%lhZ7%EW
z+Gb9R?TQ?{JQ2APnO>KJ{y3xa+VIfaUIp=+Z^4qO4}tvtKt+hCiT@EfR8u)}qHjY&
zXJNo%()nBY)8Gd+s~v;--toV-@AP>5Wr(<ECt%>^CXoX?oQhD{;qt)F9Q|*#-OM7=
zKvacJ{xbe4tL;kMTy>EMjTRmNpJu?Q_XmHcLKB?qyeW?yIf!{vhw+SH1v^*Q;?pM8
zQFAp-!e3DSScNEj==M97KFF=X*IFAgtRzuv<Yk#(7!6DMZLFlsWHlXZTr{QG&DyN^
zHkt4IR;6J4IJI;<lO$7Ob~QHWQ$HQ_X#4)mF&ZU7CeU<K3_r;-OJASTD+npFnJ!Dx
zDl*E0zze2g&$PSb)S%o?mr-uUx;r8yR&t}L0h5Q|8j3Mxg02Mrc+!nHe4T^v>dzGq
z!1|46Hr$QRh(B8X%*EsoY2x8vU1_?nLLz6QX?R$CuhFH(6>Zg(B2A3Z8$R*tHj~ba
zL9F~{r<ACS&#ErW-V1&#iUP*>4M{S3_#;hWQWk9MqPUnvx7*|hZR~f6F=_1yj9Ffe
z8!x2b|I*usGgyvP-(H62(evzXmd~NHYSA@q7QL&^%7hSvJA+=S1mznj2Icv*VS6KD
z!`-&%OOD@^K2p3#V!IGd<jV(g2rcQ7frJwSg8Cq-9>*$`K%H2FLdxBK^^ofgC6F^<
zDYz)|8!K~oK>fA=qcsfn4ZC^g(paW@@#EGneMPyf>sqeG75HVpKep0mfh0y*+SDfz
z+bwIif?8Bto$PA5wPUD!9Niq`wK~mm6n};P*l);ZT8)}vtK*u2ei8?Dl~%&ngB*Q1
zTc7p46hAgCuCDmrRB|+;0aIAYjS2?}kaDV3uJo+k`Z7M1NL5N;ai%`)&7<T-#j(of
zYj_kTF~bc%<hCKV)bi|<<w7FsLrspBiy%wmR`4s2JS=TJVm$bw+XQjM8sfIAB9qD1
zi|Vm5gnlyU^afUuY`EC&{~nFYYi(%;t!!2A69q%BY*v(C!geqk2S|)q3N9xfswK$}
zNt7?L`rLfCuynqn72JS6@~z?%PqUT$D$?;=ViRYuC~Tf$jvG*hC<~ThOa-~Ra$Sp|
z$#Lj@VniG?&)rGUUCLD5H#%B*Hv!-jwbfZ0qu6O38ck~^tGXZ&2kG+6<KAikgR6~(
zN*uKpykt;KO76uzrpH9^KPAl_27irxi<jr%d^|Kz75@3_xzvb;;q)aVs4?k~aR4Jz
zshV`n^V0blg}`sm^y25u%r6b8_^WKQ|1XkzAaXK&O#E65AFw|e9Y0I6ZYZ2O*|>3U
z;9UDtNP+7g{`jheDa!f4Bl9`U@Nw791EMvv6$jRARtxDSi(Z1KBC2Ipdn)J7)H_}D
z#d?rMI=#;2@a^-3YM2V;t^|g*x%7Js+Kofd?dy*RlQw38dMQ>p3&~iJP~%JmMDe5z
zwY4OC?7jTL4c|diqGI2`hO8)aN(abf1xg3tHxYBO!igBsD!)SaWgoxxg3^k5vLal_
zJQe3ZHlIcMnoU-F^QF%5v|$VoMMO!)OP2itUiiI8vCQO?(qz@}dZSC*lh0focIzB5
zBz?*00+3Qy!))R=3If~a+ih6)Y$9u!5-F4jc0N+Dua*5Mv+dRwH}*hmvZe3*bs|EG
zq)-~AI_ZGt7}xU<z6+`M@`rz1=&ruArR!;vP53-&&+{15R%*D|-*B*5?`vVkl&;Iu
zolu2ScLLQ8Y*RLaqk=OwPi4>oWLKOK*0IK`u#MAT_Zb;SlE+)8x7dQaiZ$Z0PMV0J
zjPevtvTprp2~pNuR9wFnPk}%G*Fr`CloVN;dT~f^`{;>{H=!giU_N>;%cxx{jD-(&
zV#+{%>y?<=3&lIlJU*~f|Ek5JN%%|8M_a+@EkUJc<T&3|qZ0;CTOCR`uX_nGTP!9N
zFmS;jogdhYh|9XzeP%@)#J0B35)%e{^?XtKw<Nv)Drs{M=}P;lq%C_#tg7g(NO%3m
zESahpNMw^xDHcEhj;>TWnrQt!r>f88_W9NVPOJvvpG$oo>+~yfyeZ|Nv{u9=N0V__
z<Y#qEsrx<c0>7dM+T^cOtE&Y(Rn2I#tq1voW#d!drZ=>Qh#;Y8fsKAlXf?sMI(+MW
z^wv!ywFZhy>B0i4yDFF(Gi^rI*1%NnxL8S?h*;dmno#PD8GmGZ=dzZ6S2-f;FsOSv
zK<w3FZ#5r`OcjaT?sYU&vDp_96{p258j{xHP2APs4$Q1rNrBpcBboUfA_BoOUNiL{
zD{^7ggXG=Swdsz^F8$B|@=clC{CQ93Q>>l@eA@%U8~y6-;lK($u>&969SnFM_I>#f
zx*(_U7M`yDytzM2@6Da2W^4Xo94(fQc)d)y$i{$NUuWR0j&sk0*4(ZU<dUgs|GTQ~
zRJd2eW*x=JWQ<zmYIDdZNxo<F-oC(jr}V+E=`Q##We~4M^-#D^ut3dzaqt@23Gjr?
z*UMKAEDHbjCgAW95n&B?dyDGJgFeGwUFI2RpQY^{Vs;cd86D&krldL-p4=}PIrmtL
zdno5R>oI1Ky%kyl!Bc4jcf}cU^x>)EF3^H2(4d2_JNR4Pc(SH}+ehI$)psD*`pWal
zx>bt%q2-_;P@a=MVxi85EaEfJvr1pS)$rk)#4C-e?UZKR`*8@~)j7r0C)^`sa9X0s
z`AA;0-uConpu@?7dLr)Qaawa4URq(rYxqT?*|yCht=!*aSBjuCowe1|Zh9_t7&H?L
z_mS!@HbZYprT~?1MkR$^rTQ+&Vl>xBerWLJSh!q>xBADEB(ysJe_D(A{|e|}+2>;h
zqU=jOg?ayoZs`9Zx?A<tL^>aTo`#z*JI#aP)x!4<O2nK){pMmTA*?-G7ZQy6a$%3U
z>^~~~e`1jTV^?JVj|>+?Q$M~C_J^h=PsM+-Ix|xC^W;#?SC|VYG+u0KdD{)_$6fxi
zW16nKWmXULt%w;XPb+Qr5AKp|JcO1hDo<F>qZHeU7|v<E_Bp8@iqT#9oLHl}^N!(l
zOhR_m!Uc^NIZT&bHCBJ;qcO!9ei%z|lv#YpdQm}F8IVDpR8!C0Erd2jKhjqJ^9RzF
z1Q_tBRei!WI}^L)U%fKzLzB`?zBqDIw0XQT{%pTo1-OTw*@|0oy+7xj+LmuSm)-#4
zsXNiazDNQv_E|-&)`<w)w9ta~%Fbtmg}Nml4}ecE`w6}&vgMMsgwl1}wkiFM%zZ&y
zM)&hEDhO|u;3^gRGWcUB_!wjJ!<2u|rizF=Yo0Kz(4p4G8X_}JfEqTRUO)*>6o+3&
z*8(;Xa@=l~Vqg#Bh5sRstI~JX9uP|!ExhAD7ju8sFu;m|GqCst@tF|u<|=YavmxiU
zeR#%to?`AKCEl_PAsar~%hN6dFzxh9vYKf;H#2m6VW2gUM)G!P{AA|D=33}S`F7{;
zqPs4p{Yb)2?Bx_`tk7T;7gOEq5E*gAU1MuM#M#bN)fa`YzD<mu*(hK4oRwQt?tiVW
zPh^nK$is0&kmyRAVA-a_r$5{yB=tRC5+!7#`v8Z3gyL=@;nBW30%KQ7l;>390^)ck
z=-q1gy%q-H#=*Cqm~Z-UmrkyW*3eDsnn$d{M`E)5?~7zihYwis&A2i=0W<RU$ER`A
z-D%zTpw6@^J^>!epO>a`j);<}PIb>g*H?=+Eo<md&>6P!Ox3W9S#S#Dj^qTW-PJ}y
zbsRLV-U22km3lB8;TrN(ou5(n)0n?eHw<OLi776&I?89K#{@fZ*+Z&ZvAuyuOzXyD
z79m=Y3ur!mw|28bkXz~1X;4t(Fr9$FU8bJ1dZ4aEd_z+$BWPvAFU3X)myL%`ZejyN
zA=!Q*IV5a;kj!wjyOXlF`)o#daOyR7#9TPwYj(H0-KXE4ETKo9>O18Xw;*~Jl@M!R
zb0Do%6-UB<oE2MNW*2*wKAkV?icyPAhOr)QB(~N|<_!+7&4Y#evt$0A(&@IPYqQa%
zH$dOwr6-~h4<OvRT?CWhG~fY50P#NbD&Iumay&r1UCZwcyjo9T4QWEU#<|p{&a7B_
z_5a-jLZy#3GXhg^s2Vypq(6hFD|3dZ9r1(`tQ(-QG=|{#cx~ZR#>blrjmw~uWyfmR
zSXk9;ph|V(_6%F~MO;S1@TuX2jUs{J5Y3d68hE$E)crs@@}aF4wAAtan)J+V2Lioq
zkq@cLnp!hl8!h+A@73{`q%VaDC*bR3yCyem-aJiAz$9v#+Z9b!n<UH++6PR;Ui6iE
z6L9`2kSVVgI-qb+s4s74z*18dzj$yTx(qFj5O$txNO#(r;B!w15N_8h+BOuR)m(KI
z)IdAm?ak4h%>(=m-sv)nY__4PG0MhE$a@KNzaHwZv0(|do?~p$OBaK{1^Oos?lOgu
z0~ZCx9+xDvs>aEO>j9733MZc12m{2pPyA;OPo9g{WDmlqQ9Kee5XJ?j6_3Hpu&|??
zs8&nceK1roD9d&s_Pe3k;I+72n_v(~%JD*wm`bH_=JX7v%mC=^0D`=a!CY<!q}2AI
z!qPc@yTw8llxPNMao93G7xt$buQ>g#6kcuoEuz0rK~9p|w7PmEEEpT!-<Ss;Q#o1l
z)+4C07i)gA&t#ey5N^T0Q&81y8!;Ftd#b>1Rx3Ic!Il@Snu?Wf$;UhzAZTV1C(^nb
z3)`T{7Ylip0}J7q)MkiO*=W_3d|k&}$WVKvv2%K#3E+>`@7MLUE_BvtOKD44+5T<v
zBolU{wAaxIY{lwZ?h;hPK{xN|jAShZP%BZJRF7eX&thJ`E+Hx4=ZcIkZivRt{*Sdf
zdXl1p*-qj^)qi!_aC)?>KHblhzMo2<ysT~(%(qjynV^F(_HQ?;#+_EJ6vJxy2B3F{
z95Iih3)`JRE#ZqjVAh8zHOJ!n=_HEB+}hHzeF8l&-JE+sNI7D4#G1x`ba(Ppd?QeJ
zr8{we+In+X2hr<wc%f|4b|zzJ>hdMt0GrA8K7G3L<7SJOh4TX5miwy8l{i#(RHDf)
zdBdkLl{MAoUY&t$y!d3GAA(F2P_0WZ7>#1^Os981x~KUzs+HVe5d4C(NpCq%BG&=z
z361MtrXsBs|J|jc$m1g}|47zJDIH(Vzf9D#^0?^SdAr6QQiaMdBBc(XYGFENXVO5b
zeK*8@I($#LX8b;k(%Asv&Ud?2#4X_*v5Uqf`30M~_{EZ+On1anaean^T9Q^cuoQ3(
znILthL*r?CyZ`i?7>MPQs$zOc-5gqMRMmVKGUM@=LPtF4(zINAU^jb@uNfA%>88OO
z@Cz6TNgR>^n}`XVuR4O}6WFR5P35`WV#nq#h@I{?gpJ1tJ<A!Y07GO9s!6Kvu<>`*
z3S-K67vH#cxJAm8=7U`G(HCMivjd<>H(6IPESOi?Ns44(k~GupZUPwt)<l1A^0p|U
z0W__k-Jg$kfSy^=@9>M|`hW{O6fn<-DC`R&ao9{v{ubP`;_k084L)v~=KE$h1S|hJ
zxD}I?@p40_LHzg?PhR*XRl}Z3o$J6epvKLc`&zFdnod`=t_c`0-YrJ8N*UcqysJiZ
zG#Hoa`%9feLT;rrK>J;o<0fEOkyY1lyYhIWxBMK?WldhV8ho@O+W*1Gcx}5B6=B8q
zV4%tOA22=`S0cB3v+%qSs4!ZhSfnkb+n?%ikqDU=pnRONG5&{%mqld!4q2P;(Ig?7
zx2fD&srT9ImOanpZ(MWiQ%Q8E#(B&lW>d#t>MaVZ7XovFSnST8piEprW-+3n$n`?V
zIe}^4=%D5!&ZtD8Q-?^IaaJkhAyr&7d5&m7!+_!Utdm=E!>Wx})VEmv?P(Md2~AfG
z7R2}rND(%F(g0WKK34dJDAjGFb+ytRD%HarWC$J!hDJ(iAip=}6nH(fC-%%h3QvGn
z@?rdl@>o3YM3CzFW`VK=q$PKhHEtxKAlMdA%$NBO@q9iuIN>Q=b*A`x!wG_zL3jb@
z$cf2X{Yx%qgsGBNUzuu*mgSBj8Wf2qq@C=~N8YeOr<@#u6fX?SX4iz;sb$V7NZO}a
zY~sS+pm#aAyN~R-jmjOd+x-}bT+HaV?WEdkd5b6L)z590$GpjKDP(D|N}Tu7c0T$6
z!Va;}`?(${H?W(f#Cy;wq+uLP=wN4c!5~!n5Z&8X29A&6XXVQ?(;N)92?jt;*xbW>
z68m+IbyheeCt|;ShAT`FFn84V)s4{%amB+g@cNC$UCxezYmCDA#EzoDenlp-v6Mig
z)a6qH?Or_A`rcVhF_^>=HrKvtc+unjBrioeSh%l(RW7xXw?PXq^{fwp468Og`-V8G
zpX1*Z{dYX=5g3v8PH5HtBk`_VCeo7rjz@0Kn1h71#Z3R%;<i3wXl}g~(R_M^vS#C7
zK0Vfa?yp;Ww^{E$4Jiz=(b@ezi6N)9%SqOo2FoNg6ky?dX0=ZKRjK!vm%8gpX0SB<
zn9#|nA=l%kr0up?o_+L-fIV90B28iW<nNN(;~M}G7uH<H;G_pAxjFy;sPq-3Kfl|e
z&7OR>MT2XCT^7u;G0#fDBAYjW$4md)ax%08c(#HzRAazd<aLN&?MYb$)K@axFv@-F
z0uxFO<z{i+7dk*3g~SCv`i5!OddR-}EWBkavCnl;e;>XDfa4EsX&Awwqck<rN+HfY
z1rWP~W8v6ZuU)~oMCVkl+Xu8y``*Ojf~I#o^VLz5nR@udw+SDEi+rbi?>EngsY^V@
zUv+SsQ2Vz^_jV8_zIRo`)_S^&YEl3)ZnvO<y+L;q#;MZuc)puW>I*(+H4J-%ef8BS
zzlZJQQ_@!t4T5TYY$QHw*i0MOFC)s=v>j;X5MUp_iNOTM=og?@mvO@jk+S>n-PMb5
zTX%cMe64q5%~v#$<-i6*7UeH={`(jG4fn9dqmp%BN)wnyLBYC`{OVH21`>F$uk-@m
z6TA3ri}>mwe0u(?5s?&%&o`yUq`HSpFM~@M)T4zF06=DYEO(}d&FYj%Vj^U6TfPF`
z6LD&d*0X32Sw}AN2>zl-T}In~q0qyHO?Cn_W+(y76%&o?IaA|fE$?fphwndK5!4`q
zL+j{$n$)l+WiR#V)0!Que2rB*%1K%fX{DFU-W|dv7i4|Hg}-Cf4OkdQ=g`L~ok?Aj
zm))j|^aFRr#X-vkoYpgBgPyeU$gM7|W0Fr@#h<9fk7dHW-$;78+GeABTZAUAv$Brp
znLWwok1Bw|*Bl&w5qJrJl)NSeh~Fc#t*bg;vq5gRyMyU&(V%<r1<lsL4?La%Q^hho
z86L<@mknBf(P}FqA0w$lG~mJ$U;+g;_DEQKYm8PyIkq&vk3bX%L{6D~q0K>0)M1n3
z*nEB3lv8qm;6&B(ESHb7`iW^@r*vN+y^hzW@k(MOkZsG#cnn&m9b{;J%CxO`y0X1s
zk?Vm-+u5wf`Sr}IAu_gBsjEusHqDZRPg-nHE)u9zX0+=NjIt5BOq~ba@yeL@b7!Zn
z^JLLhq0trB{Nj!gn;SoZ_Zhng+0g7PeYm&Qx2-DrKQnC}G-fom;NYcOhLd9ny$g#h
zrW_aSRwMsz#;klV-Nj#w(O`WJ>1l9cMX#nrDg5>Wu%u?24opH&OZ<SL`FAle)1-L!
zqMKoGE8HEeG_xF<;nlR+WG~)Q!bxUgbxj1h96gK3MKtxFm^smdTGm$=e52X1E!^#0
z4cRLymaFOrsaCIIaVnlaiW)Y&O~Kjv;01>acjySA+9s26_h|RE;J)a^#jS4)lb_jn
zK#n&`9B$Z}OxR#M+;-jBvYXKqEQ={kJJ+5rEZpf>luXgxMdscgJy%M*8oyp=rjs8O
z;nk#Lw~jTq>0Xl4y|1Q~R95?kOXk@i23nw{@$DMieq@zdTu01`8ca!uLT`=16o|DO
z`dZ+Eo!>J&=)p-IX2=uoF{fIZyF75!Yim*(N&#+dJ{_N_ua6gxGA10c53ppQjD@fW
zFBP_z-pxh*Dewsz#?fV>K+|auJ7x9@kECYS#M$p|@dJ&`#-C1CNSDAAO;WNk06KRy
z7JC~K6a~*-E@4kiT%eVE%tiZF02YisZUOPfN&aSDbJYCPsuNhMV*_^hY;3{B|4Osx
z?P~V#{QQ$p1b1Lz;!wu&EiITuYH|W>Vk3Y<hd|MpAMcf07K|G1D%TjCwaj}5m84Hq
z*X2d+kOpUD>)kZ?qDg8Dbc0dN_Q{yRRsAGqlEq~=FuKFlvu(za?1H;~(jvlNgG}g{
zpD0bFE)AY0y}@=Xxlh&SD6~T*#e?F`&Wozakc&_*tu96ZA-{SZVu9ZE&&n5J^4W9#
z4`PIDK=6yAOE=f6VYa61`SQih$~CijQE*H3&pp5F|I(uNqFFp~yIRzJNNU%q{`YpV
z>}7w?ssZ%ckkb*MDDRztXpMxrtAyQNxSAV(RW)&EYG30gJ&P#?<hMG%Sq%JbuyT~f
z0~+@{W${0nJ*GgcT+NMl>T_w+kv7_(k5;2eXK~q!3!cN*VvThmw}?vR!)bnR{Q}YB
z9XBRmsktO)zS39={CMe&HmQ1ScYu8f%6e@z@IJ$4+-xnG{7}{!llo?@2q-Ol9;YRd
zMo>z}B7Vu>351<ui=xXK3Sb3feCzvDes5Mj15@T|upWF9qSuh*G2z}nfKS{hjHVla
zj*yai?Rg!aH_2WZzF&R9%toUDw_GwvOX*it)*s0-Z+$_2y3H6?e^CGT{W>@4Cs=S;
zt>54HNw2Y?`Iqd!I;e;}1zMs#ow#*W$l8+%vU$&%5^G^X#Fbg$b023_go9>8#9AR}
z*5p-W^WAiGX-0dol~V#6kw328@{VWa`%ci~AIZLY<*X*O!~k9<9HIU%q+UB!e_+Sm
zf3mKp$f8C^{*<lFd)NT>X-ALRTAriA*=1|m>jp#5`Eu2vTh)=MD^)VMo}zwWQa)Us
zO_;=5>CGR+FO;=CaJYw_wko1jc^KQ(AU1-#+~d`nYmoG#K;>grsd5DNd6USMVGYgQ
zB{We=ma24Fv=V`4AkQw{Y^fP#ybdu_f6yQP7k%<wRg3YxI?2PIeCOBZoAl1<b2qzz
zE^#`tK$kez-7axYClrR=#d@;{iVB#ESIj);)#d7Fb3=YWI}>Z}Lbic@npZcd80bm<
z@IQ5nMtrrl$Ts-`hOs=RUoLE5I#57F#Mdrh&e=BG<1F=XLodSiBj9KOgu4Z2Mb{ZY
zcaDF{_8YVeXn#j<qb~2km<i&A?MtKu>U(%TJD#08*@-0UlpunoAAUJ`E*m?S{<Unr
z>9UU&!)O_Va!w66uF;KWZ{MHA-=LB@th5~a6ce=oeqPmpcM4S?em!#d0Ij1*x)tIs
zL~VdDr}7wNjON9HmT$Lph9m-nx8drp#&cXe=wcMRH0LNX73UizW;3YlVKF+DI8z{U
zW>6V-{2^;0@Cb({u08?vzj%AkxTd;p-CJ+HMMXgcL8Ylwr3pyrU_lTNq9VNnsbVP7
zYru|l0V&d=f}m0&E!2QWlP)!c06|)S00BY>BqY2GycM74J$s+M&+qK>5lynznscqW
z#vJ1s|Ev91aPY9{h)Y{&Re9@k%SA3Xt%Cq7?$t!38AVs@fQGo)VzXhj#8yK6(DTsI
z7cTA!(Zeq>e3I#jE|A#F`u@ESL`k~^^o8F7GM47s|1M)0emY3a)E24)kr=to6-elC
zco$T7e9mx6;08$>$8pQa!BZl4oGU>5e;2-wd7hmarJJbrY*cLwQ5sCc6_K{wDoApv
zvsu%Xi>^>PF6KQdX%;#VgiWI=Gy;{C6kFqZ8>lfGq{jQ@O4ArGn&2O;FB{`cus6PY
zd$@rL)+%D>=SuGqyWHYDF(;Z}C}@CSu~X@41bxaakEjTeA|TTf?~byHZZ}23$-B>1
zlB$l~;7(Tf8^jFP^j=V12-~>N@E?gYU&0NRMoHZ*=c|u7m+m<p@lS4apYNez0n*W%
zf{A9+LL4fy_00dGV)^0d)?akILV1<W!7EYWEB!Mqx#bx0g&z>UKRCw@J~ku#(c5AY
z{#-4;Bq8W_6<HVycw9WBvNrz23xm_Q#BH88MfjLu>P-7GC_vV@B$zZ_zf0u?_buh4
zZ520^pMMSA^i_Rk@Gu0tkt5D5xBBtiFCF#&D6gX+@bKt+NR47}yw&3IZ~xmIdrq){
zTL67!3sCc172o_kqZtx66tHjJ-%$1RZSD^L8Vn+m2fHRe<rP1=et^QX!@Qs^2G{@a
z3%rEA6S&oI@#+m6h{-1pWL=Qyx=~@~-tt!Qdn>nyqT*Zw!Tfv07J1_t`z?Ej^Kz?-
zTS2=b<NLD=>gPD;q9NBti~`h72M)mhudn)lX^4a7J(6oJXIh!3^L8f>U0tT6h^2qP
zoBD2^PbJ;hCI3f*srQv2wPsw_o>~<S@Oi(P2g5D|FEBk@ogU9FQ)Q`Vc;44s^ds2g
z4g(q`9#UFvp<r7TQ>XES*}0z_QgrKnPGcdXz2W(Ie+#+a=r!rdBAkD{GdH`L#dX;V
zc7h#jn&}((M3tj*p3?e$sFQKv=1yb8J>dzDWr{W9BWm-Um)93$v$g7r4!UBf2SBR3
zmrfI2c?6xzt*_Eo{<z|ZJRED|s6;sHo@=@O@=j~@*lz!m|L`<Oag2-j=N3h%DqRip
zdqw$b@1Q14{g*{!V-%X~>8itIenxWs3}{eerouD@BT1;LD2%g=V~tD0gYu8qP&uzu
z%Co%iQ9_25m_VFE&hxg*2zJ{<b$yj4R(y$BNy3}Y5v1G*=?*!$XU(E{5NA#{eG@x`
z@2l%5?=EL^xE0JN`WPACK(-j1Ab9gop%@o0h-O&$mvo+#&}wP$yitx0YTpJu*L98=
zYgD48s9-@a2@gCB{!Ly|er$iGS^z2N=D}p5HKqvg1(n=7o{rP58j9{t-&T5xHaqG)
z$M02nSz~9pT3re*aDC+q(Z1M^EU>e5Q;uj3iF|IcrLiutARaAI+j!)w5>YY*X%+ER
zDgB%WKH)IA%OJmUkKwEgqCL~&!5fP~1JXH=#PTw&LC?i`bt0hHvWtEu%`czgFl>$m
zaxuhCQUr`>BUorLY;PBvhfOZf8B$0w3~EM)bhg~LR9PO#xq&AL=*$$h+KalSHV57}
zv72kzxA5ATNb}20wJFL(Bqv4}1qR#NypBGVaUl|xy;4w^MsKA{cWzxe&#$Lg`SFGF
z8@<hNtrY<`8K$@LCKsC_mo5f*wF`D6Z=+*x=viZ#W=1Zbvxy6MJCMzt;J%5ZcV;7-
z8w*0b%Uz?2Oy;BeLS{zh2=>bFpJ?;oUdyl2oCs{QGR6TPJ3ZCtpJE*yLh+`A_wyFE
zlF~lhqo1mkj;hQh1IiYU<f(=JZ1Ykn8}tK+9M<sLc>PkbCG;(sg(~ZGs)2sb(!v&1
zsgUC598nab1~qF)S}%8qNz0!8F{eLszIW+Ngp=V6)br?TvpKG4i=%BGJZ39}tEyP^
z;>52emoNM;jxFDKxiPcX>!mU0C-vT+(70L6EjiC}?fW)<;TD72yh5`afG7o;V0VlN
zAO-!nMLo7T7LdW}b@+W=hoV6~g0ffcGs2k$9oHLO9(9+Sx26^Mq$H8r<{gek-Z#oi
zGnKSqD^fjMiPRcD+^@^UlX%Ltt~{;h+>8m?0yYTO<nbt(r@EO$Lso#xO9wZy&L+pF
zI5vGcyDmKqnUZ}`RNZbkCZDpu5rWU2KZ}Tm<H^%B>cIU-r9zWFFpVFzD#h7liu1Gd
zcAA8$B_#J;t9~xL?OC+Npy$2(>ZQZ%M5jRflX}HDwj)5(Y|nxBHbBz)oTM<)kneS(
z?oA-N(+bV+$`K6EIa{4(8$J6_@fVk(U1+Kale?;k)wJ(8XQ;tY)y#H=eO=?tMG5Y+
zA2w5sK<nithEhzX{C&gGcGnffh!hK<McqsNWWVEb_AI*##1E1OylBXvk9h@gNVo5Z
zWmlo(I$#1%jTaM{-1>_#+5-|Vbk!2y!;Aa;GpjSopfnpFv7{wr9@bFlBzB-Ux%E@&
z^jmV(w||+vd&0J=>v5FxCv}<L#;#00l~g<td2H_9Mz4d`1yWhw)j>edFSDMGe>=Ip
z2bWb3(~C{B)G`um?I7(>jb`7@ukO*OEq0v+0O~22XeC%lv%S`)mUmM^j9Q_qnUsoD
zD-WOXhAHMNQq{3KX2d?<FrgqO8gflU>AMc1>mJI*!4hIgiIj@50Zb5zH)Dyt%8K6C
z+kkqm3IWxo)ck4uTtvYEz9PRgc8d)~4;!G&6Ft>;EpT`#``bdj3C>>hZt63JTgCMh
z#|^xGuu>zpCaUbCrw>IDXk*c>$ahQJK*yqPBKT_?zbUhF_DBaw?5Z%X0Y;&B=N{hA
zwyds~i-uo7Yq_iLeHEZ+BBu4$M(Y&xw_+ji-a$6fQHhgC-(jah0H_K?Sa510p>A&=
zUq+@XuM&2UZ=|D3vZ?M%egI5Xsu&aaB8M1Bzs2HwGN&?%7(cyuc6?5ySG~g7T&=J6
zdlY=`{Q@U#l3ZfvJXoIOpk7e&c9OJTjgek0!SPhO6BA8684tvy)`8+>1@xifNHS`s
z0_br!MyguC9T-$myYWH3RX^^AP^e6@QKBisy6$qSU^0lS;k6k=Uu~UB#d`teppA18
zvgcO>=}2Y4Ql{>CU8n$`Ncl)OX(!`=s659pi@LX}bsWORxqd4B57Jzn0O^swV1?QK
z*dNY&Lzo_Ng@sT1#jwN%pih4(k*BS*Ec)(@+;%KfdRw_!ZN9WKd_#Y^Y2(oDUA}WW
z`p=|jzLe;DYEJ*;E*a>UU7)*T(;BKV6a7(_e(c>f+P>}lwbi1!B^3A%)wusxg}f{^
zvln41vs+!FtJ}Fs-xWw7^_Py<oSqYgC1f`hB_iZj6u=<v_M)B~))n~W%Jle3-|Nt!
z!7~kuBlwDUu0;x~Y^;QniBlGyT<vNDoY;u*L%edow8wyexNh@kD0%H6^5fcftz(_q
zg-lx6dR3JntqG~_A6QnTo0q2QeYk+ueYCGr{2iU6cIm_|!7e8@cRc#aQn{LWlJWip
zhYk}!$sd6Rs~4g_cls4Zk0wJ$+uas^cm~vrqbC&HDx=#Ka~z_pz*6p)momTeZBj{U
ziMk}dIhzCmCpan^Jg_ao{<)4R{V0dmyX$}L+dd!7<vYhDsU;ISW{7~9&GWN~sy_;%
zQf&FWe7!=Vl{F`809C-9&iSxIk_27%x9t@Sk<9gxw1uG`@3zy83eZV^LTl6F)wAoJ
z0}l%8M#!|&Z+(vy7&thhEdm_6`8I=A%RB}y28Rj1`7<t3_OM>Ra_pkQV%b$F5EzBt
z(`IPb=p7s2R^z#YXN1aYDT_9{2&G9gC0co7E9%V#J1V|a0VP2{Sr78xQOqCa-;lYs
zQ-)`g&>G#TDb0b%`EB=xe6@oOcrtKy?H5-YjZbtFdo0w(5Hrax8RQ%2zQML26MR2F
z`AnWlno=xvdv>Cy=Ez`wL6gtnxq%kWqUu2w1Lb4~?aU_bjAwQuUQPlkQwp3k{~L2<
zc+B~nZ~Zn+&<|lvUmsYCPn~d585gcXv=<e4s6`w-6BcJ>ah!G^J6KROT;VR94ALn^
zzacw1>Nj0(Y?&Fn5hw`iCy0JWwc#KXx89%;e^CAFeyzpv%7SnUpY>Du+s-ck%uu<Q
zmZ8>G!mL<a>kW|ed)F@TK!_X1SNM3M;sQ{jf5qAUW5W+av(y6ur3iR!>Kcbx))MEY
z6Q9}C@us?@z|nhxB+^z-T59|K;59;R?LAeo2`K5VcrT7n{tS5Y$cu&~xvQWc^Xb&K
z>QXnWP@A%WvTv<K&dRb9OdPSx{~9I4bE<p<?&aZ};}BM()+rN3R|MV1{=HOmp}F6=
zeZa%q?~j0KU-fEXcYv%RNulD{?A(h%0owUsUx*o(9hb)VN>k$cr}ehAf<g(u^a5o;
z2iu|*OUw|>H7g2n0O$RLZWNg6m!g2{B+k=K!R;K7I`Y5VDqe-QvD#XHwO<y|%l|5H
zb34Ki2n8|-Jbu#1gv1de(k#y_Y0HlL@Ywn(M%PBCLp-d1pfYxeHY%Ue$4I&W=n3z5
zezPfUim<8aM5^8mWbL;!$(}KazoDd4<$WJjj0&H-mZc`<{eilmzVeyz@n`51cn+Pn
znOj2xs_8LJT}WsH_-Vh=H2Sk6J0-)9JhQIYx-@>0ryDS!JwD^~(d)>0T5`#GSSsw3
zY|KnFU!*vCBh@e^f7Q_2(i3Y{G-0M<KZj7Peq281Z;2kCmg<JOs@e27B_hR3*G}ah
z*x55F{Wx$;C+&to^Zi#Z8nxaCoeBoWZV5AV6+L2;4jwrdnn1xG^NMV%oh@mxU>lHk
zQw_hEeO9#9g4N2bQG%!g8Q#=&+nV^|DaZ&o=}AYf&a_XtQBx57pOB;10cl3Oz=i-q
zsv_P<-T!q+MIQ!2Dz1|G$7{EG$2n0?f+B$i&nFf3llG?m#{Sh&c>S4|V|RJw7M(MT
zgraIkE0E0_xjiHm*NuCJHPElbZL8m*GwX)Ue6p2d#HpDDas#=hl~OSlpUN+e31s!_
zMjxft67J7ci>v-%{Ofcdb3B%N{y;=*hsN!!7mc_$fvAa)IW5J+dS4V$Q0vte`m1UX
zP^NagRU7f0Ylvz=ob|w-nKR{fC~8riIz4)w<QmC?ncz-Ck};kiLIclH@CwMl6I++d
zMvNau@{S0p6J-Jun;9n>Y=8i3Qb{J{A;Tk+x6%dIFIgh%-3?-)8Zg?`Jx;XefIHE*
zHZ;+OnFw?x0{6wf&p*xi1B7)tnlJBi`IOgfwC$W@RHrcg_S^M5$LcXeCShNSY#<?Y
ztRT6SMM)jmZ<C4ELrf=^;~N*Sr}BS$8u4CM`mq%HUgvzz<qra21*vcrja$b)gf^CH
znemo-UFT|M#Uy)XdAsOw(ORmiEERs3Ph$KmHBNzBwf*xMvr&2YVgZU*p~~5r@4u}S
z{PI=IG#H=P);px~Xqia}n<`6Dvw?o$b~M3)=S!}bO-5G7Vay{-|HxT1?X~l)7w!a`
z0*4|LtQNO1I6rXaM}N5BKS9^W<2I`HB*k+T^=_OP`Qoju0<}7SE^nS|6pyJuo?bph
z0dm<o^oX#2`zJwFjnE70nlpA&r~PjrAgFjRKSn>{To4+Pc4{zJ#z9wh)7^PSv_glw
zgnoC)ZL0CZm|ANzx=#HFv!Pm<>#u4hK(}wU)9Nq`JR2X|Hkq!cj-N0j>xwm7{ibw9
z$JL88b6X#C(}^vezEe8$Q#ZQIs(TTd5)j;AL(4R6#%%R!8A_{R?GXr}=b#j}P3p)1
zpXdn7V<Jv5Q@gSs#S!Deg$8@=DjF9K_(*FA@`D|=W%7{fd|?f}+KN9Kw4nmC5ZiB;
zK6Al=o;ZH1-Oi<GtZ@}cM)p&(2+Pe+6r*y%X#DFMhBl^bH3Y`1={7bPG1X@~N;m*@
z#Uhul$>*oQ3t#i;#Mwe=hMjZi!}~xvbAr9z#>5#n2aLbC9?@%v?36H=Qj&8rPZtK6
z2$L{_rO^!i4MCPo^G!)9M(^gKWvV+-1ZwZ9)J?&MW*?3%<@JUferWbHBunOgWyR{C
z_GI_ze<2inc|WARB(Q0VQI%W<kMWUYfEcUbcgK^am1_FXhWt`p-A}EjYp}r{D}JFU
zmkBm4m-+qddb>u%?A3Bdnf@;Qi7NhS!1Z5ln)>gAX+U>S&8M|>0DXmk96xF4q7kjM
z@u_Ep{9%>A!Pf#9bMZzqa!et=q@HFQpT=~H(e$grYDSBbDO*Md!+8G+NWW!{g$X=>
z!t_vc|IRWBq@ISywC(~XS|aJ}8d}}}Zqn+Y3~G;+j-IfioK~=Ah{uWMD5BaH<G}o4
z%-I%YT*w{vif{IxF0k{2RaS#w!pUylKasEZ!X7*!UtJQgx+nA936}4J^-8b%7p&6i
znV<N8kd=;F8)&TaiDvzfYR{zm-x86Ql<rM~UP+!tv|HR<21}A260RBGbS}LuC;{Z2
zw*jG6Ye^KouK!#V>JPV-RBgGI=`A)%3&{g`uC$L^e1QDw5tc_+z65>7NOYSHFPh^9
zSw=tZ%;$Fr%QmL3oFp)D100*P2dQ#t>dEX7B5nxO1ZPbYU8)_=ohbKv8KY1J8J|IV
zG1&uIrdXDB4aDeTnk`Y;Gen&!AP@IbD_L6wik%u#K5dU(AobOPxK?xvde5~TLbuqb
z`9Dj#;!;#!gT$JzbV1u%r3szunQd1~3u-Drv`?QS=JO?UJ><p>s}mS;63wh0Tn?@|
zl(wv-qXD73rkb+Ei&<4h6!L(nFkhV`EFwS6wJ0B<X?}#+olb5wDhlc$FLMvb1jRj4
zi?x_b?jnfJD9^;e&z<DTc-`FrLDR>)rkob&SoM|kL2qkgHE<r>17`$?RB8fM30CvF
z9<b~@E%ZHa1-u16wlz<68y>6I0|H`g7v>*pjF*+%fp=0~Z#T@`W5IW}j!@jgVB=S7
zRSR8nxna&*Ek*#7bz+YW;fVAWl$8k}kHzz^Z{eORoKTz>zF+;k#Fne#+zNy*!zc==
z<qsOG(iT`VdaR}!-R$kH<qx9&I2UpkT{HdCmO!hmO7ISH@iJ4Z(Q)c0llSv6cRUA-
zkP!M<jJG=~1FyP|aUFEqzk||RRpg>N1x1a?n{`PW*$*qy2W@fr74pGe^J<iMH-{Rn
zh<e4p=ALZjuzwNz`<nCgs`Qr~SU_I1_njRRNC1E}4WwT{e6~}RzAE>x<~&vGTfve0
z2YHYisQMfcF9nK*4b;wvL=|JiGLDNnE|h@7dDz<J!)<Cp6|C|+ikJfMOsJ84Q1F}$
z{uWM-&J?63{0~WWRmzDqoxhN$y{aVbug&Lfy-6u)(Ghm|9~hUSM+nV3&UrlQ(S~BV
z9=BnjHE%AUtvd8?Hnr}N&iBV1MBhgHG{k53n-NYU=6wfQJ|POPec=D1_s0t$)GSRP
zd7@N%@X0D0UZ4~xGG0*wLLZgW69OpiBod-vPHpHL_qz$TRx$MBJ&hP!lWW9{n8mSZ
zahpVnX~)r!4?6N4_RV~{@JTlfrX+Ug+e0&url2_X;A&KC%mOE$2q;g5i%Il91fsHx
zoo!Ab554ht*QW<bM60rNl$cbw&;*kUW<OY;!Jdg8j(*ms+2Sp(;v=)zbedy!?ZCvd
zd9ho$rRXJ&`>2vC_M&)H_{b;3vRNkomp{ndgP~^pT4JI1<BQSrIjXz23#ePyR)~Li
z+S%eAN)Qtdy0z>|YXB+ji?NuJ-^v{6%+l{p1}QY!H*@L+hbt3v_O+K`a`btN{_&0q
z{MPF^E*I%cGn$vng>M^Y72*rfR~>>6>0EGi&OWRtoIG#1E?qjv>oDk)V=4a0_`COX
z)7M%4zJ=Q`j(v<1^;dY*yl7=<f)V5v`+yJR?}|^y#XnSQhXnCGbl%y-7qiL11zG~)
z59utI3Sbm&<p-lCt0q8XDJ^f>X<6VR$PZr*mMb{ViISH61uf#0l{)#|s*|U;!xS?8
ziIMuh74yC%XwI^)U*vb61sbaGc6M!qkME7V){4d*F!LuO`-dJ!uNQZ~XilY;P69mV
z>3~C;MTP(2rKMyq^9g73QlQ;Bdm~iBXY*{z;XsQdJHvT%F<%_T`Yt)9(Bi^o)$>&q
z=I4wDtKa<dDMrJ+bSoImJ6%4jO5$h{#Jp;%de*csG1*}`j;MbV7LSt%4|w=5Ah6a0
z_Sypufy?Hxvj8hJUU11%Ov~kW6vD@|Yc@c4A5*45c7^U%!+77BH|DG?dmQvxj6&u8
zqMKGjxb0|Z)JfkL^A!XCgdwaK`cUq}G6X9aYK+yB8R!~kxxo|BxmP^H@@gyf0n^mI
z4Q-#kAW!2Sf+@8b?P4@v=Zh^|$V=Bq{0;#;nLOtNJ^QPUG(C33Mg1T-3mpQKbMyg&
zL$c{6746*2GybuOO<*@Zj3aMG_s7;K0G-RL$l<?KDc&(l^A5x{V)G*Ij?2c*QyP%q
zI~zJFetH??{h$Bd$x}C_m*p`%TnqX(db&?Tu;vG>O!q}N|BLi%A4LirVL5+Y^4$!5
z$MWL`oj)nul;%XcL$5Ur3EA1U>~3ItsPp5Jm%{pI9+;vPmJ~Xs<-2*dC0nwiKos~t
z+SA{w)@izJX<*gbpjxf+k)LI;&32x$(Gxeg-QHB3D3y3N|I8vx_y=7M*c1Qpz5fm)
z>AzDw+jdn7tT&Pdk{sJUpgfM$gFTf!9$xeBfPU_;%7AJO^ArIY>BuO09jKCL#(KeO
z+=x1bZ|Q<uQ&MAM1Fu0{e1e>p^HoOgE7v3LxDZo}uB~EdylgBxOZBB=z)lV20=$iQ
zAxGK42WLhrD}CRw%CJRetx4;x;MC8&i6|d~P0p#@nn^tPR}V^VG&~2B%T~&{^e|jF
z>%+;x-p0q4v})J8@iF7U<)y-gEF$Sn{)S!(W3Q<XF(%6A%w5nVEk^#>^kaFYr%Tm-
z;?@CQY_^G2zupxi;CD6W+*AQ82HSF}?95Ho@WXi0kzj38+G)X2oiVr<@47K{2=y{4
zAnDqpqO#ht&@=52wX5bpS-aq5XMRmR=9K38Lxn(Z_73F%C`cuz;-+$F*-*Yix3MN?
z111B1cR}jHZ;OE~KbekDMtI;CEwx8Ip>FXa*e93Q9U0TYJ^-o68Xy$`?5~(5jrqt0
zdvh%@yC{XXQRHsQ&`?<W)K#1NHlEF)(3zb1lobi|an<HdG+~da!jXFlLYMm$#hsMi
z1n^~2u2E)p@f0*hO_!>;@vYma?9V0jSFAWC5KSyLWQT*T3m#QgTQ%Kl!tC;y7IpW`
zm9^7kYMdTC^Ma>0^@*E5p{prA8(nH`8PFMT(KdK-$<?bEdB=$-pcYeSZseYWpUsT!
z?;LWSF1;)_L!nOQ_{}*+Oz>gRfPkauR6tjr>eFoGBg-+(@$k@3&dD{a;Q@w<@W_v3
zXn|5k7IIL+-o=9(xw^{+EHkx{8&FRDpxkqwE0Gbe3mVLwJ~8}+iFqepeN|?!eFbtX
zH`Q0%IcKk^D&Q_Sbw$2f?SWA!sRdw<c79B`kiDl~(J+?CvX^jX0F&uYY}6@?*Bw@d
z>xM4fSCfRI`oU{TK}n4g%kTWeZ3I=IC&hDF3v*{-;PkNfFh;H&_K9A3O^3MZ{svIa
zV1;}jBO$8!G*ZzG8(p;f6X0&kl_6T$FN18}EmG4GK*Z+KE_%xo2ZWO?{Do6KtTImO
zPp{o*EF!o`cBKvt=JbPC(X(K@nq0JPT%_Bpc}W;v>ODNYCOiXBf$<GP8at%DQvEhL
z&sG{br$I~$K|M=F`0w(fl-2<T<A#bFF~dowr(>OeSij)&u>E)m6D#Y^dbIlJjozCZ
z()PzD%jn(Nai6yULyDmbt50u!W{Q5ro~_<**>j*K4Ly44wEwA;GTOQFKG3I0$Juf+
z)&WGlj4jq4%}dh|z!dR36G`_>$*)nW&Ob1Bcg$V&!L*-|n`k|VQ~^X1<;Pd+oz*(_
zwS{CFHD{G<#5i#=D>V++JCQJG(`dV)%uP?o#`n)LeNt~sb@rUEaZnKrW(n*kZ6<x`
zFOqEc)d;DG?&rs7b&AHKtx5_^HCqP?VEqLKaCh85Sv79i(H8wFkEByk<CcELK>6bJ
z)hgu<4y8NGe<|tpB5%*X68EgsB?QH_Tc?fQ{UfGVJ#z6FJ@$m5mUZC%oVZImK*=!A
z<ITzD(ic&x=Xyh}gDhBrMC~lSZaX%DL*2eZa74j5$MneRP;sq!4Yd;~_LX8FFliv@
zLRVoALEOXKbBVg3HS`3jLCGt$PQfsi2TKlYpu}B@%yB-XGrG~xv8w~8%?N^p=TB<J
zc%1`j6`ZM<UVFKe;~U!l(K_m_vy?Pj1e+=?S(Tt7T6(PB<YI8f)#0Y;80)(zNeYtc
zVNrU%Be9@Qw$Fh_smyiiHV%<~StiCJ2l)unZH`|XAte6r(3ThIm^-zf&T|uce)-mX
zofnF8cHkVv9~2(=7wd1sW&j8jdq;R)=xt8ym$hA{!jBTR8XsQDb8Z<?J;rEjw-a7a
zgK$Do3-my%UQ#|D)D0e(X0qwQNa%c3IaOzEhxc2dX0JA|ShLA4JbvvH{)M-((QHnz
z9>kVV9*Qa^K7P`-S~mR2=!vZi0L5toVW3=H>rN^lD{GssN;e1uniq#zV7!*fGz~bc
zBn#^gFmw@oQS?P<)fBj5DXfi!Qo+K}ocVb1gmpah7EmpGM30Ch&|(nJzU3QWqaZCZ
z4vDUxd>@#Lc4&-u0MqRLO8g3+1k8WM32DTky!VfIm+3EfF&>~oJ<^d*iOZW7#^*gP
z|9&Giaj#4?R*^ko!bkw+WqpsW0r0KLL~Fh034U4c!{*?Ca~E;<U<)AQ3G{@IbD6CC
zTx?VhOK*SNE4ikYq3Uj(3k7|30Cb>c)#!#((bECP<nWERxA=uIVDjtn7V60QotP<<
zW7O_JRgctZDNwVXYOn=8`86Pt!KrR+kZ1<>ws2&7i+KtmM>83boP&I;fne5D%P&3c
zL2^sL6KuR;5K32P+bSubtzxxT@fHa&_6^gf9Bz-xU3DW(*Y~^+xa3@P*mEP$HuV{3
z=*ZO^*Oro~=qc|$V+&xu$JlxQ@ZXuAs1(Q*Wn7Aj#RF-dGI#4Nnoxr6=LGRw|7pfq
z{lO-!yJ@yAZv?0ZRZ3Hzexfa0x>+JS?lT9vo;qJf!WDm*vY(U$iH5M%CGRrwPp-Q<
zCrKo7h;s=HpG74gOH{lzm)1%~KnZ5c4*Ni&6Y_|0a8u11*`PR~?S!GXQpY}l*V=ID
z=gYOm$mN)F7ouzbxm&c1No+sewx=<vafG>~=E`}9S+L>i!NEJE93bO$H`OGi7uwu$
zYwq)!xNpL>f>Q<gW+i%U9<|s8tSLc-98*2$V_G`nPtD4(b8+dAfhylO1CM99!bJW1
z+>jVfW)lteO>{(&XH9w5W4{ADe0i#E(u0JckoF42uUG%TOA3rdAAu`>J*nR8uDG|X
zezW#13;Pe)J$=3wanjxJ67rkSbll8hG_KKn{3K<XnN?YzPjqK1yzQMOxG}S9b(D3t
z02SY@WF@JFvbRuq;J$&y`!Lj-Y=W|I!Xcc=ynahhzheIYTb>rwnY5{j7MYRpkDIgj
zwsG!>b*Cm9&;qwwn46**_+`(vMW_<H-s*!znF%RQ@CL%7Hsg01>VGs;+t~1=tP*;1
zd<Iu(NB+qg-EUv<O7+Rc&z^!90AST!0K*pOqB;WjUZ1}9qRiI~$OOGrsXhy2f&l8}
zKh{VbJ1-jo2e@&2xAQN;p`Wf=Q;_H`_-Q{kG+h>cr*~ixD%-wvEocV*#y7SZK2;uY
zbU5X@cet~lK!B{;fr~E>14n0N+4<?9C3Q~mEu{OU5*{Gz%NWy;529v<#x@9p*|#Uk
zYG<~s)|%N24oNW)MLEEqpzQyP4}h2I*>8xX4~bf{(V#c}F3^$ie@bZpH3!wA4itDm
zymPlOw#tWgR+v=)mH+nfSTomIPVKdcEqdwxo!bL2zFM$yW|>(hzO91YT&m|?1Zw_|
zzmx;?NF!B?qnrl^Nm{SK?!{q8nn6AEn+RsRZ4l9}zjvaR8sD=a8^?n`Nc{aG5TGVM
zzI5)0e1i3r-<zdu-`JDv^4sS#^z(Yzw_S6_n#V_nwsr)&zUc47sQ-Vy>ZQ$DT^d?}
zmsbPm69zv0Ami7r^fd6-{~gZLzojgBFVk|u;P8c!AecW{4;#dHwyw2(+U;k5OBJba
zhK&7xeWw9kaEk(30YO!r%#H}xpfK{5DXXH|i<94i4*nXC(W5Kj!WH*^#Kr+N;0xzn
z0Bd(}vWQ9GGVmmf&RkiV0PcQZ#6-5-8J@$HZ#5i=t1{oRX503NU-W$I>kjNofKO~s
zP(YY)meqD)epiRa@;*AD{2&J1Gr~8N@{;?^{AMkxR9`~+CC@DB4>7<t2l(L6Y1$jO
z{O19YoZw}!+k#~qQCB*aEpekKy<62oZ>e5LYcgB2i34nFzJ8!rn(u0WYUpy$XT!6J
zPBO!+<ch30X1td!W<abg7*jQps<zLjMl0B=Xp~VG`GYaw`kjw;z}~fk?@58=t2Cm%
zvI6Jt=k719=K#YuRpj_Tjvt(6+JE7VW3zr+v4NKa+_c=4PSKJJ3rrqt7W$zSf)6zY
z#WB9v*V03{>gWZyH)_0}+qaJj5mCYcehd;j;}d&GmMuzi>rnwl>|yrrR5>rO58nEh
zravP4^%E}d)?)@jLb_76@Ax5+U%&Hjcixu&-G3EM_Md-M^E>0y7(TnQ6au$I^&oK}
zf3g&I2-&OlHJ{2<5Fxc&`i3f41+bU}u)RR#ZUQGVdSd5($=rXGQ!*d$2L?a_djUK(
zAdG<D0G6VsLLK5k0t%0GWAixHmBLR-F5H1|a!!q?L+6;xoPf*mt=hRgw+$)WIKT^!
zF5+e8;0I4W${QlzvBH?PJ*b#Cdn0EpR*igY-7^jWygjTqe+`lE-ny}7W(E09xXAYq
zXN8EAx>9ju5?H}AjH`W#o_#V(Ed2zAc94DCuN|&^E|u;W?h$5`2SFb=c&g&GG}dN5
z5z9HO|F)q`wzGiToRkGtx^@A$I{81g8o&~LaM$E#0?X(VpkQ!kXnzw0UNOyG;REoP
z=I+Q31ix{O#3J!}=V>l)9EFJ~W7v{ivEf(BUHwrJ^UTs7ckO1eQ7MWn(v}>+F9WtG
zTX(>=W~|27nzeT7Cahsh%WMA2SZHzSc$yFJYoZlI34gKNX9s9nFC#B9OEk#k1jfwI
zr{ZedgUsjSra+v!8yh_|6C#SS54f2~JA#{geD+VQU#O<4b&qMC+vOW|KHc1Wm&rHx
zRrXV{dhG!G!9hH1&D*=pOO@)6*x%i6Q&R(+%$pq@TW$JSsKT1+*q9dKdrgS$xDcvS
z^39yY#fxfw$BtW9)o4oza^5WNu$IZuyyJVzbHnQu9hi^Pf9_4%sC6YucUmvQ6iz3C
zg?|FP&tBrCd<HfiEBWN1R-_x@O1*c-w9<L$kA7xcm6XQPNmwgI)~n$C1(6Eie7?Bs
z+*{O!xDCRozk{cBLnbEEizP!yw{N(KG0pydQiE?UsV9Z+7M;KH&~CE|8Qk(N0af$u
zrCo7j+uyHDswGpC9^dYIFY(4U7ZqXtb~0MejR`nJ$4=^H+deVXK-sV5km~VeA-}l-
zU{Dv2><sD~-{qC-@csT)Ag!Q-o4m}x*UkU>J&TVReJM?zWwHRp%xwZv=_em-mPv;i
z0UvsB^4DGZpFfSjNB>WCO<NDL^}0U>ooz%co~N9Vt{RHqrI1@4rYswjAZeDBhzeK{
z#9$~L%~80JIJjEyvIgWgZ37%oe#h73FNJSSOjsbuIXJ&`9C$k{&P@`S43(Q39#?WQ
zs4W1{RX{1;TK_9X24jpvkVXH_85z32JwxVfzgN`9TS1a?$Cy^M+tP&Y==`gLXLOc?
zIRV2Kos?!K$p!Dh?bYpz?9RAuQSv{41*XBK-_8sME`Q}PYZK;C44MCl@8G_v?0Ed{
zig^o^u60PTMh<c3r3i(+b)zj?sfzcu?Gf7K6^(%`s^|6ZS&vHf{SkQO*rI`Z67STV
zuLLe-wt-u}d*ovW-|2Y*A=jw)&QYg1!7FFbJdeF<?>a()Z`*A>(BNx-3Fa8ABn<!^
zD$~Zt!7EiL37L5}xxi(CRPaJ6qas35aqnvMRQH!zrRb6>N_D;oz4&g>zC0h^CMvd5
zru5vh{$*{fLVIN%5QTin`^}!z+;Tas^CLSx15B$wK|_v%C*G(MKG>c*X>jYT1V?ex
z@J;h+cCe?KjD|sd!L{c{wG7X{v^@*YzS0ngYbmK7cJ(+(H0Ulp1<(V>M3O1@bG)m7
zb#qAQ*PR6z<!-%-mqo&XPJi}&08&M180D3?a{OegZ(o)5;JD>SUujOAi1foL>i0}$
zyj-KSkX$;Y#I+2ePEk&~*)<Ux12Iy+_fak<xD0UW;@hF|PeX`oUuzbULCg;~c5o&g
zFzn3Uvo7Eo8z2{{fAIWAU0FoZY8m=``t(`#ET!jlEiKQIEQ1TQ9O0HZZj?wknIl+;
zXQN7PAfU@)@Hq&0=E^K~p6YjF*BUvm4n0zWS-;_a+FHv<0xV;TxIX{^CfFomA|Mk+
zJs#WZ5KDhldEh;zp@GfJcfUfmZ{aNjhb6#EIVXu#roHdiInm*E7a+XRdOIU>n!4#1
zyX}`#R=1W{ft^E98`#d7=00Vbp0rdQovL#_mnEN2=lweZRm<{?4Ob<YFLS?|bBVFO
zh<Ka^d2Q5fV9`17*PSBY?h{yA<~8T++>B|CnUb}4<d1y%%7hqlJ}ig%jF<A$0`JR9
zz|%eY@wZA*^Sea4GK)7Sm{;`HEeDU?<4dH0adzM%raSMtn}A_!reDQab9>;a@#kUc
zz!?YZ+@aT*7MBUfqNh*0tW-Y(r>oZ>NxjU%AMc&@m~>48K3e=s5OWFm<G+kf`tNMI
zepzT(Y#c8*%g@lZ_|FYn&rBdVtJ61VcS}l^9|cA(>TiCUU<O);$;WI4v~Ts}*r;Jk
z7M(@VW6Gk4=YCNmJxNTr`|(^bRTB5JC%-P{3;)YZHNDlX4(%--5zF3lyH#_1yTPlZ
zyCTWK5-(mox$QHjVIBBlZXasTBZW325*#L5w5E=^PwqQf;Kt55(8kRWIuG%(4R`gz
zeTZ}kXx!aQCA=L7XnUZ`SqVRiV@=cTED~MTXv8fl!(QA}ew4lU_bPr_2~!Q<vz%pH
z6PL;d*hXA?TAA3Lm0mMl8I_1dt|THsQfhkMx~kJP>9*NY8;?%&tfCdN3lcI>D``#1
ztfgAdtJ1N@A@Q4$8*=q_pdw=v1*D+~Kc?e(vJA_0El#$KxQ$ZYrZa$sy$MFL$4f|2
z_l2E^F7{nM4GaL&9}9-ws^C#L%bMi!WkvdmnXsQhw_GWl`LC($scq9{&jC11cx++=
zAO?_1rxY?l`CpEj>x^qQyIyF#Tev6FSt4oTYPER!UZwz*bkW@XGmENNS(JpTyb`9<
zUlta>g7I6d`fi_oOUyClj)28j(je^8!6}2g{hH2u3dUzk<#`hr_Im5-#Sog3#n7Nw
zVH~}e3_#Nech*fO^qfn$aT*lY5=Zx#cA=rF47c~eAHa3?>lNWCvx8OM_NFA~1_U`g
zQ3(Y{TUJ0CK8DAOG^P{~spm0T!g2{U{rv&V{r28sFiA^?d3iwhrk8ra+wyYoLz$i1
z;GPgo=dnqwq0g?wy#?CWxk9Z8Ulfi;5m}?#Cj!N`Ffg@*(`yQnTJGXG&gf8PJ4$m<
z5tG_h;5F2NeW10FlWA%FW_1ZPC1qBv4VoDc8@rHl0NQoBT8;0+DXI^Bp3MDn4hJQU
z3%3WPc`QM?np%rU4+y3_zOAy@pydqYBd*F~zI7=l{SBju0L&CU*P)K@IOm{PDPL2N
zG9|rzx#GK9Vx#3?z-I3}n(!#7OF7Zc&cxXQG$@bp=E(rwpK0Aq?fky`PGP;syhVch
zN-=F%E32Z*sn3W$ZOm`}*dQx4=d$U<eKFL6q`nw@a!Ge9lN*!Dye(g3zU*GprZ6me
z!1E$;fP<N{nfDBA<Hx6OuUY>h(XH_f&(9UW7bN|Sxzg+iQ1_?pEvc<l8K5io(J#3M
zT5hgHEc~71g=}-~11|vFPr7NK<$Ck9@TyzIDf;6*9!8skBW5i5cT?_j1M1;>sED+E
z0C0cE`=apO)**V;+<<gKA<*hEWju5KVxR!EzVok5MVl4Q*Qhdyh_T>Cg0r(=MXof}
zKRSjnKJdaWtGZpDfW0wjx=D~Pl1iM;7k@avv)&EtHDnV=Q0(I3_B?p^9pWbsi3CV3
z#G8Zev$X{)WD>j$`)_75+eRN%Q)gn0$wMGQ1G|kDpuzr|92VW1CjBmzeC>BZDO$^q
zt4XPOx<(s!bG~BTFD-|-B5X64!dTg_)tqM(>jG}3t-iIpJ8wnfRBs^nWAAtucD~}y
zZcsDn?2>;L?!=M*F{yuOtEsUIWNbZjcPwwRC=j&(Y0QUXOgAsE@JHlrc*!CA&1hzp
zk`xVp*V>jBFr!Y$bQ91_K$mCUxYMBg#c$`zieu>_S{IojYA*}_Z2N!;;@N)A-p9xk
zuxDQ3)t9FOIucNSFFoPI@$J&C^iw|BgsB_!O6!^Bno;}wqeP+2{@Lm0Jty*HZ!c7;
zrlS-EgNyNfmPN1c>k9BVKxWWq=xe%#x|@Uc{Pd@vb?t<Ol`z+Mw0#Cv&Zan<^vHC{
z+oa?zzt5Yg5%f-0<(W}g98M^B_8<^&Grol}j+7kF_jf6!2*n1)RQWSPT~f);{n3EG
zvYGRt3p=TmH)(V00#d?tI%A2)ZUmIQ2$D7yZUa*5K&OWYsf_W!b<lev<PhsiwvUnU
zPUX&Pr5hvDHS3=}p3mvZtF;R#eU!S&CFxx(T^z|7>|F4+Hu^^rt2}M0vdez*!o?SC
z(74dUilHjcmr7|5C-Aaw?K0PUp?Np+4vgoRc<bW>YgF&qS4DPjq)Ei{?D>k<vl9+|
zeYO&Tei`lr!r_h($ARWg`z=n;)O6D~f<60_JQ@sD0+TW9_nlK;6Z;0^3~q-uH>E}R
zP^|A0#_Zxy;cb_54JwidszMrWh7>6fSG~zH3?RzWcmGV~-P|IM7qbylAI!qPtUr|&
zeB7#%cBg~sVxL@rKu3ww-M*_7&ez?ldYSsM!^-<X`{U?0^ak@RK_`(OBqS6|a>rQQ
z?#`dIFYatxGx+KPvu0IkF%<j(A9xRm!7cZR`M_`7ebOH0yfH9h-yx(}ZS<;UAJhB4
z9eo;ie>??g{jh<eelTS-s6rDwO3bR!YRa=g%Y6eQ`}7$7UJ#7dU_d}6BVf)yrhS%N
zIp}l&p$kgEJ|$!%)KHr+B5(W`#6UT;{!U3XWYOz#bY-xQ|D>~+XFtr0_<C9Fll2>9
zVhmqH*VNB7)?_$~ARVG2b?EyaGww4Gd?<6TlJW!3{VW<G55&tC%VO%-nKGF}!xYyC
zZGwU<T1-0CrZ1(|j_(xbf$x8b2XaBX)`eH6ZYl*YzoDNy`4Dx)VNrf3fVog}YVie&
z?>~h0SnINVQ)r+ZZLYUSV9&LX=N>!6d*)XF`#-uh`VVs)Gda(GnINrcEpGeD2R_RR
z<iU?6@(04$=lv!TjNuHt9Z7q97;SWjE4cT16)U>=47XKLN5xRd0+EeGo&@-9U6hdU
zACFw+Zmr}vDXQ79ac%VXO@4J~(c`@#wwKo0H*nH{HL|c8H*F-xSCF25`qxzhtshsv
z9A%nSD5zPvIiTgDFI`&c8_Rk?(5(hN)_OM-C&<KuqwI(9sW++0nJJfd)(u}SxL}%?
z(oavZ%E+sv20(ZVrdr=tI`%{c5oX+<raLTV+5Cu%2u47uKtA<PVE$m}IGy{0oM3(k
zkVvy!I3g`*LrFNqo3LhaQ~7AXDV~KUwAo8v`3}y+cEVeBuzEC2X^4l7xzt?wqxG64
zO8^(WziV=!q%;j^)V3~_yIJp>*$~H6i^|Pz`lFRs$t^8zi8FSh9sd3M0iF0S0~4r?
zr}tNyqyE{==_{Y)ebHKV+Z|Z+sJ&qWXUY(hCs(SxThit6pY^eUfIM~_ER(;2QbHvY
zx99@tPgK7}PRX)yi)@sUg~6%1?~>*k7Bj<nuVNdT!Ul8)#XKmgeI(PVcPm^2y|~Uc
zj|<4uk(yL=)5WYl(P)S9vlac;Rx-7@y2R)k$!4vcY<XTp=fY`o71uj7J8nDZ<x<=z
zE4IUeBBgv(we%gMXrZ%jsK44Ie>JkyV#(E`t$waFL2`-_szO>=Go1)iHLW?{cw^Ie
z)4AYHqn`90t`sPU!_=FE1fdfdmJ2JY7-%&F)6=AFh0b%!vK3AnGG>^X5yd_GqsuuP
zUK5~$&Yw+$JN7Ce-l%QAK)!D;LC4UtC(j=+)|*X0#?IYoHsGJZ1iaAJO8ALA7k6Pf
zs&h;(8t<va^vtfxbc9q|oQ`=ub?Fwy`Mso4P|f_M-2Kiou=$l$rnnVL;l`qoqWMht
zDgkf-y1;Q!RpJ!Lq-juEvTvkapYKLD_a|TUYA2D?A~s(dS)z~5x@_LNq|$k7u*2qC
zQbk$`<tblI>lgbGro$MAJlZ!QyW9&dWceq?C)P8*pJ>7sAJ3Wh^Ro!!H38>owtDAD
z$w>1}CSI}aIo)vuvj-xqlI<5CG=oaWqZ{S_UEEl$kItPN^y#-(<v3M6a<Ay#9JxAi
zek}hQf5#U4lUnBI8+_x$R*cjWjkw|@GXotr!`l9elL&@?#Du~(ykc!*3(h|ZjXR&x
z+pi9k`%i^tU5IsE((<~b-MgZ^@<U^4dgX+Gd!KpoJX2v#kSSume)SWqbe0F}ghEiy
z^UTx50igSb6M`6>6!$zi#0>0xh%;o2-q+hifc9Ux+?vC3q(nE8cqK($)ezll9tj!t
zm-684E`1$gW7ptzq6wp&*OMThg3oj+8RBcWg61R0x>oj=e0CLmE{dBi?_Y&tBzTLC
zMDnZ&MHCqmV-TV$k!jY!8Y_6&@j$Dlgo0O$?*4YEV#j;oxzUjh&hSA)jZG02{&(`s
zi~eS2p%OU})gv~U!M3bA0{Zzg1t=m7L}+>)S*~8^TFUZ!tMW*<@#5v!%(w(#FxW~i
zI2vpXhGOW{^=iATS8zIQvAoM{7eid&u?~O(BsvyQ%#xX7Th0_jQ=6TYJNzMJ14Ri+
z>41}U9ABK+dk0$`Hc^zHE-{CJgmpXiqt`wU5qKISc+(@99#1DP<TQS!-dmT>PT)NX
zOKFCVH=X3;;}1TiCZORaL@Badp2@FVXR~xyBcI$Fk+2UI5AynJWbl{dlq8ji390wm
z;s;&d>h7`dA14P|kY&7&!R`lZ)RS5&um$m~Rj%Yz+o&vD#A_RF*QK&61<t`Rfs{K?
z(CM(E$qFtrLLOZhkr=>_Dz&n!uZA{Z-svPiaq(!D5nR+iQnypZJ0hHaC2cXuwp`ol
zUFN5>B+hqBInX?H4{HHj+_4hNu|AzPMgLri^E;#V_kzI!m9v}z@%+gi1i?~2ZUR3{
zmu#?{$jI;$1a$~D-}Z0uwM3Tpg9o7j1FNl<MHZo+*QL=Fq!I7aAFPGnQa?#;C>oE1
z5AhIeY>SMuPa&eS6J)}QhVTmwnQ)+%jvi(%M_3~`nN!9doW0L!4xQm^d@yM?j9fq$
zTHsboa97eQDvUL%^H(l<&kocbjpRp1q{p)w0&MabNW0XVldSwGimLvpr{m#H&~QbL
z{w2F1gU<QY5%q4#SU^WLhxiDqr53r$*wln=g>iv4e}toKobbhodKWEgfk$qk?koEF
z^pFqbow3}2N6?clfQ8tQ$`1JVlqdPgvK9HI=PkuL**&r4mrHOh`V98gGAtEtMNL$|
zhlIGGG%j3Db&EH2v$pDKe*5wGd3UGW)pnaaB8~K^sbpT4J4->-#DhC;wXH&o*h81M
ze>PEL9cPlz^&SIRzg6-PeL1}qN+%pj8L*P^QL`?Vh-`Zulsc*EBZ;qhcE%$S{6>sY
zL{BNWu-J5Epo0n`%&ZU_KG!%*O|IOajFFFFoZhddTmV|nM|dDcs@}+)4b17}#I8!^
ztEpl!@XbqJa|mP}6*)&xG3MiH)N^`K)Bus-u&sLk;zPb`p%43>GkTmJ!wu^4oVvqJ
z15QUAgg8Ki;DA5ID(+jV@_Y55M&aA%KAJ4d?ENTE86|ii_qREuo4cXlqM676<I5Bx
zkI*slP%*t&S3PP2b;uQ$I+5V*ZwbRxz|9j2W+#xB<!X5ZO4$q@h7HLE$Rc_ZsE3%6
zsbH*<V=P^8A<1YGidAhl8I}YYQ!C}AJ*EfEzWamcGf{k^5d^2!2_IRFUdyS$=*bt4
z+Mjw3nBY;359aap?-EIU5edUlMeYdml%`J`r7g0nC)Vns%x(f+?84>UmW1KRA6Y1S
zPi|e37OthJ&pzJiGB%ITp{@kog$gVG(m0Y&Fn;3am~!KKSMDlK>?&cD=y<ZV==K6;
zVEN9{=YiY>Gwk>1c_;e?@<J!hdI~Rx6<Rg}f=FwlV3p5_F#vOXCD)CThhPE`@{i_W
zJ%<}E*zP3Po;Q>B2n&YaT|Sh|M8J=J>9Yl6HFaSF@*z#tNWR0-vJ$TLDkcLmEJ9%!
zp7YBNC!9il>pX!_Qkg@*kN|j=U#Ds<%=1L-9!)=xF1yZlK{<HgkIb^?X>q<#0Ft7g
zA=eNm9JVQYBzEacYZER5PVMJwm-`&GYxGcCQ0k}&4EJkxPj6+${&4yE{7h{Vzgb25
z2>i#;K|bpDkgtU3*F<VQ@gSwr?01R%zmp^THx21eEBKPEE_B+$UB><1QPG#=GGNCd
zLpeXPKD#mqBmYRDe;Ru-B?u7>XhdHHV2A!`l|?$`K9sMk81+JufJe4UPg2PG>0p&5
z6KbjN5t3qvcdE*X$0a}+oU&6de8jyvewE=BF8pkDEv#d=GjTVXgZHV&l<)Vdj&tb(
zX2o7vzQ?|&pdS@@DW}O3reO%~ypY@juRX@P@vK1oa3{gL?O`i-TlrSVtxbkVzM--L
zspmX;qLvfvuRJ}b6_RbNtX0_WpjWtgHHm-MmpwaEXJxGHcZMl>UAUI|-I8a_xj>LF
za4INm&pnSo65G8WiVbYRYdI6wD3VEuGm>*+Pw!AA+u*ma_g<5n5vIPdv~#j}^BrBf
zcD3{z2-+<1cg*`>JGs07dz~c#WPx~fG2S5hwVTvX8hV$F%zPY%H%R5&x{zK3s?p!|
z-FPQANgGKq@^Ov|92UYTBoQQ1_Usz^BeGuFeMcmu*!@CF$h-G>+;6skA_@;@p~(*d
zDQx#3U%mtB<=X-8ONo$XXauaks{5^e^CzbP4Zcy?5~5<z&3P2hK{w@kX=XsSM`<vW
zh&n|q<xaBUtEZ3q=|)&XpR`{IJQRTIB#5?lATku10EyJJioi_wayI%JK>_IdaQ9z<
z4cF1cYocwqckTMaf4BXr-2*F7NYl1_BV&(?X0>n$oW)iY(2pUcRvCVOhfsNdlRZ_6
zb;#g51-M7n^1R`JVY<<g8F&lKX^Ehx*KvMB21H-RQkBqZy<v8qCY6P*)*3L`bnA{H
zyZ5wpv%e>7W?X0eLk)<jdZBPovr*()+|<VIT~>dX;`)7vV0k-y)iv-Q4^Pm$B^uMk
z){!~`FZow~A}CS6$O1|y0Z{A+-KNPL)XRduJE^G@CVW<joHn)5Km2t12=}NkmGlYA
zZ05{yX57FdeUYSX<7sQSef*=e;(4y9?7&`&lo_uJM3*X#Lfm^)0&azC*DkTDg0W_Y
zz($8u#vGhpw6C0_1ocWp0jRaTcmZIO?(yl(UM&L_%=ocTrCg)sQ#M36nqM+qBv!1i
zRJ3xuvR<$u?zYHl+ZP?3xMa&#-$$@y((H6;pZ!s@IpZlt)p(C~$X6B%F&HgtDOG}M
z>f@ZAr>|j)Enf)zd)Gtk<VcwCW@F8gYZ3*r_6(AAPzbUt2#I}(cGoRkf^`V~bU)cr
zKMaN_2k%d$%%0|Fs+oNAidCTtck3Q6!~WgU{BDV8EOln%dUduUce0-oA1&4Ib=_UX
zdwRs-%U<g5gP&2%vbsy%zB@NPIa_F=zsk)eZuTCTQ{Akg2z02MPogb_vKa3|0{;>`
zm7^lbi4MyHF>8T7(LcXyY6pd_<aiq2BdDBhc51hYYBk8`5hgq5M+0p$0x2I0EK+yx
zy3~eZ2dmP1)aWaRaf^qu!D~;!#`&;zbYT0;FfoX-%n+?v7VRlnwj9*vn=#8z)7i0@
zj9`gx)g+SN+GlZll2jZaEaC5y#*A4Eb}}8R>Lsj+QtP81n#fG%a^6(r86WwJbYW1Z
z4i0YHa+wU^Ndp&)b3JnAY!B|<gA&E`+ruzdoaJ~t28G=%#_pTlvPv+Ulj7U32|!F2
zu-ONhIU^snxO9w|t`30+pfDM%@c4LHG_u^vNg69vg-2_afN0gc)>FlG{Q$<ftuI_S
zc$$@dhLoc~^ha0f@sV%wl~hU0r>h00=hG8#%VynP!<x4DUI&E60u{`MKiwghCfsiF
zJlI;eU0&pHfK|!*YO=@GMo8(D)SxEf8c!=?_M5QwL~uC~8#FE#WJBF#t{!F9tD%=}
zuJ)o!hyNI&?Ux6jNifgzJ^NTEW&*eF!$_N?7CCh4K{m;dU}}~tHLFK6ctukZ9gHV#
zq|FSXVZ-P&)tNX|$8rhSwddcCy`H4<zMD7!l*G>h9A7}5)IL&Evm_+-)1&Pn*W@R-
z@;a)9Ldp8tgb!xmQwTLPa`ddvN6w;6gN+TtB&dIU|L5zd{Qi=<NJBJ^6c7aVt!WYt
z8WYZ{4&I2~Tv}up{yx_4&rU$-Mw@*r1bN)DI4-tY3(v2%%-;@Mk5Ap4P+JG<)ofBW
z8NGVAIPjZq2udJHE|@f9qdH~NhC-<~O99$A_2S(>l_vZRah#hCBwZ(o^uP{$V8=`i
z6~V}vjIKF&`_j7HW_z%QBWbK5eA4oAwOjU3B9fZE(asjLZUQHp=%nQR`Z1HAKjsk+
zC=z@F`;1@))Bs`lsw3Q+IuK1Cm}I!poNL5~H+zDq;B42fqZ1|OaftI0^Fe4L)#4-K
z+Yys%F6A}xzgCL>ud*+XYvS(u#afC>U!sEYxIhp@h!~=%sB9^lpi~36U_nS#To5S=
z6eS^<N~;KweMuE0%3`z%QDhNWrizq6R3Io}lOQCL$PySrLbjQA=yspay?@>LZ!($r
zEocAEnR9&SE&H>`awx(nU}&z0pe~v!^n)`V!Rn91IRoVT=l8(ymYHU<ws{_F8T!q0
zEo$=TeSxTw%g{6ynSSsFJGT({zV=9pbpvs;?|dd;`Tl>F98)!%+@Y>ARh@hcd}`O;
zls|NY3{HxTY#@VEpftY`hdb0q8)%`e1FO;At;&7>-j_Svnn(PPZL=}%PL3vESEqg+
zpd%xKuALJ(8ZqV%y5bC=;Geejk4DoEm;GDI<XGwDfDF#2JdS1F%T@t>LU4q9cr)vp
zOc1aDMm<xk)Pqs*8*ul^z>=Sa!9Ok&u<%E$p`PC3<g*L^az8%()@<}~DLA#X%i0^(
z0f-PIQ_kg(R5|Yg!#tHWE38`3wJ-1d>MxY-&0&VMEMe5?;Is#PI=Rt~wW|~8FEJO0
z3L6zxs5;!cM;3f}&p(9wn+xW*WKkY?(Bdja7qK(oOO={~sO38kpe*Bhy4H>({!<8U
zy0?NF8C<vbnq2i5qj~(_V(>R>ezqowf@4djrVEwzqw-Fyu2VY35Ytp16;Q<P#>iTw
zHT;UTOP3~`b~-@Ty(ixu<k9d{%>TV*RhKQacZu?(fa&6?@=Fb4a(`4&@W%L)s+mz~
zUz7?DT7?K`p4akfnKrxawEc(zGz~RCEdbiJ@9&vVrakB6Bt$N^b!JU1W<5Tpxy4c4
z>SC!60_Wn9T(T-xx;DOz8g5G~iK>mW^N-%l<rvX4HGoFS0OuG@8Z=*n`Y&TC1Duy@
zv59!$OG{u`wbs9fFqcT!5=rlhQt$tytMzQX_z{DABqpeB0WoLX?oPsZ3w>Nl&|U>E
zs9_lbzcL`sz34ha>ppXnnpmF~5l!l=r_65hSBE!F^f%&rzX|0b^hXw)N>!muRoDg0
zVc{gSqZ2{qb*-L>RGpUwi%`>$|1V3RhOV%E?ne6-@RsGeX<YVoo88?$$4983lDgBx
zuW0zXvF*MER?j&MYp(-`Y<dqmFHfnzf4PWZi!xT~zfVbBNt(>I*{w*J=Uk~y1|avo
z*mr2CqnV-ERHzk$S|&4bzFfgiC$BqvGcRHDEqrXMSNWA}@lRPLzGZhI0kQ@vaB*B6
znyLzmSlVpfEJ;&IdYEF(zvoxJQ12VoKZ9KxPIhn9mo&&|QR?R+34Oi#Pz#!M!bQZh
zsCL>p(~1tW@V|z6?ekF-+$av_*T}S!LS0>xgFf!3xi7p`RjX@98K%)>6X$)bG6AL8
zsFp)KHUDOQ$iC=*{%uNRL|tO-j?0k@Und;#S?-0LBOQ8ueTh|PmH%{!WImH=DEgm&
z=jRg&eLkXnCeB2BEb&{iCgAb1BKNDtTiR&I&VXO;`vsJTH_Cm%%3$YCUF@_cZ<%gi
zu%6yoqsX7;x8y?qK<u<=;3ew7JBR$AN22Of<V_bzw-INy;R?{C3-^E2NR#mIPM+rT
zxBplCGJjh0Z*_>jH0r-OSMwMDpSnnOsJqiY%8E^7zj1QaXy!Q|J%)}IH90ur-CI!Y
zHGll>@c)0V2!&O|=~gyDTOQ@&qPa&{ENjZQicLro&go+vU68jdM_PM2{Bsu~zeE?y
zUtl#!QXTRs1UcCQFLG6k!QE0CQSK{6B(7-7DEJa0?q?$k17N+22RtlPH+Lb^JcQC?
zSk43FWkd=E5yA#+nffEyk;dPN`1GJ2qu$UOt%3uS50GbtNJAGgl?@i4o*e!hbwhNa
z?xhTtZoenG%bFggYkz%uKDKA@XX68nVh<Tn*G`-{$wp>a@X6zAFF*YyEz11LY&JMI
z#s(GJK#H0#)6}tr$}_-reO0>dCFeH%Gg`!6{@@beG=2$(yb;b_?IOU%K(yKy7-PQF
z=uPdKs|V%TY@$Zd&Y}whNQabzd?35frj@W<iuU^w@Lz;DJRxdF0gG{imKhc(V;=y<
zWJqz>nF9{YFXn`ERCL^&sJge?&}c#L&J>7bN3n~Vg-9-tpni*0m!hhng;d~*5RlvQ
zrULTZdmw9aZ~lE*DOYv)?Neap4ALpJ4Mje5nP_vt7&VJsa0t4?Sh}<GIMo*AbYQ9<
zCbEI42#~S~X@og+LA0z6n43_24tKnR3`j>BKc!pK<)idZ@@Anfa!*?2dzxj*8w~t`
zwMZ6Ta(mf_i1jneOvQ)<uDubPsmcL@Kixw=Nibia>q3SEB-V@xQ1RS4_c>FDDEYcj
z2!AyXA}!hCzqZ{PRC<$$+pXqUPN}vCPjmnFXu*?eC?EW6Kq79%KZiJ6=E5Pujuhw8
z_WODpl<77rR))yIvbbIQlJMMJYGGz$)_->ODVLXB&RF>1)uRC=E$vmmADk>JCauVM
zwyb}SnkdmmAR=JDeb@o-&vxw@ESAG7mMRI^6?x+X8-t{Pg$@r{np_|&1qY1Ilkx<A
z{b$)p%0v1I*07NZ+@Xwk)sU9j{VXvpx5#_?syU~aPE}bRjJ9B{(h_N6Okv|l6g(_t
zG>)>F)U0oO?gp($!p=P)?`^$0xm53Qu4N&+Sl3p}s)3?-FtLxV{QOv-Guo+n>woNE
z`&okBR!c!Kz;78{P^|M;=K$U+zj2GLBQ3L(s5k!AMWX>>CREQx9K2Q)S@~7@6=N^>
zGYN*Iv*}1vj)7Vey&olY@lqR$;FOJI<w8K1!1oO0?NDuK^E$aFX#zivEAUzGxx}zk
zvR(#`7$D~;c)`9Go`axfmPOLf_D!)4j^B*t>yI@=0YWG=#hNNNG?m$4QizHWz*?V~
z@NTb=nLflrgz~#AUu+XWwxePfGDtv1Dm!?IW-i>Y&8pcuHL#jcqJ+SD!3(pCZ;u8q
z?}Z+BL$F8#Yz$#ehdq+4-!K8h@x$fIZ1cTiqcC13D)3mg0q59S7xQ%f@uieU#Wbtv
zu(zEJ#ggWqF9_FWbwI2hcZc4*RI4LlAFdCU>M}2y=ko!?2rMYXk`*sNsu}=<?ImMS
zxH0Zm?&;Z|0a;)d$y~c_&(v008lBHxNygWOB+j|+t8jKaQfU^fk$rrKB(e6hR^=q-
zCP1Ery{Ii6&P_=1qc1U<)z|BJS=!#!Nf&3H35y_fPdKZ4$7B=lkK58^Sp$m3nP2eN
zBVS#Eg5*wo!_Lt0lN<YxqJiqGXn_t3@35R0w|8-v%+SOe)-!xT+BdNZ{jA~q6X`bB
zyjb{A!_4<V3kB}<Av<D;bR|wySeaSfsf$q=9i&^*Q{Mg-a5U5TohHtt^SIM618$>|
zfC)A*E}uqbk!=k~PLvMnBB6?pNPBxJA>@5`m+h{~l&_3QedF()V(UHVUhFS#CA`xB
zs$L*g{fao#Bt^}KCJC6t-X2upiCOd$IF9%h^CLDT*vy`#m>}k@P$RsZT0ix#AnGKD
zDeoFD%+qYQ1>t$1*@@1tEOWnA^?y;E^s7L3EX9sqERmAu<!$as+B%I7SR?60J$@fN
z7!l-1rJ9z3=YN5o_^1xwhG1pF2!@c)HV#C!1yH8S+)J#9(e}>>GM@x4>-XB5=Z${b
z^rQ+ggE>*Uqw4UqgbL5|4>C!HbO{>}Z)l&nPtf~)RT`yGQP_K{Y{EHMQ5$p0``E}$
zI(c1ql22axP41BjQfhQTV&0{a55W~-uJ#1l#G?9;?agM1HKW}zEqOaGY=Cx7zB&L!
zI6`nSB1cZZlebZq2@2}->9<7e3VR-$F;XoU^txzfS{;l|H-V&n=YhMU1%-&PfG(O>
zat4E%m4}1V<z1{TIG>9m0n$n=UxLb)wZ*ngC6eJpZstWEQD;lwe*!hrVC{fFz1K+<
z`>pD5F`r~Y`m&ZhnOmC!c-8Pn0rdmyUS(;B)E3o1wKY}d{9Bh89n*&2B?#y4vVsQ@
zG+=rvl^Jt6d@czm9+?vtZa$)FJsnS;!nAds$R#ngmxwT?i~XIvDPWK{JIE#}(yDSh
zJ?aLSEDMRj+0|s?D^Cz20pote4Pt;s3d;k6(##%q@DJCRP<`?tPS3YtjB;_|p?b!;
zs9;?vx(j^o6K-Ku4r|;dnYD9q5cnG8+B*7ZAQD+HlS#KvDq<ZYz)XeOXw|4iw8dHz
zPkORb_`&m*NLzvL+RnppI8gJcxMhlaj4{4yFiC%6>GAEL3-^{TmyDn_(KIkmrjyEB
zSmG{>emp@ShKbrL;8q`Xbr2S7Ymbdws|#)SZ4c3eMbuAP@t<nD8uJj}M`vm2?@FiG
za2<F_jle^MYsz1U%ANF&9n*S4ijMXt?(uKEG$D*`dTDP(U}U^P?RpjOIPNxH6vIrc
zN!KzIwkmd{tuE{UMB=S%;DP*59xkru#LvabBJMrc(?wgokh1vXd0{=nTUW!cxcaA{
z+MNnho=8Upbb_i1ERX2tMkF($NuLhED}(d4zV)JCumtbv{AH?q6iB&;JplfJCsyK=
zVl@7w^7r(asUlw4TbrISs~tTVg9>k5i<Q1H&X5ZRoVUqwcgJn!?jXxMkm^;Wl&?c_
zGF-(CTJj&8BdgALJ}}-3!vusMAkT<nX-vsceLNI!kt=DU(A9!5u}qmUT@r<Z&aaQH
zZz76HF0A*uLDsb(mFmkiUxpaxgkB4M^gJY%Ox)~^S#ex;G<bC@jzU+nG#86ces>+;
z&uxG@Y$HXt=zh}O;cF$0Ya+MN8Y-1>?<P(q+&;$D*k9}R08Qfg;A@hI>k%}ld9pnk
z)Q(wgFN@!Y*xwr<M5eexgXzMoDih8~x2CU~zbEPt1ay||U|F<`jP|;RoyD%I#Os%_
zf4F2w|5nu_Lgo&F1!xokH4a3m*sl($*!^>^>W0F=&f=b@#|RZ--4UlB?pphf-9PCy
zMlG?^UmbXTa<P4!%vJCAMY?si+?YpI!YZ5gaY?8fkyxzZlM7|12-ym8;I2Kic}jbU
zT8X_$Z9RjoL8K3XgUp8SuG9Zh@?*Eghexnndw%-8nMFS3L*=0O*6YC01$~_57E!)+
zE}oRd&1|u7xnjj_YW&e!P&sf{yb57_ZR*P>x8JpjAXt#;hmX=-f?eY`6E83c8~!FP
zKA7zO#5b0dL3MSwwA{4X+h>6|O8bFz)NqQr#3s>rW5NQj4*f-$v{vkml_fUoM<nh)
zbB$`F%PMDdqAGdUNRG19#)9%$0|oI`q&Q10^)V`Pxi=-ZI(mO!9uR79w_dnUayjXc
z-7I^rsQ3evY^0LZXxF5|zcxe#qq1Ldv^c3sOUYPwUxfKj8x@&ariv!2X*-U$AEi!F
z<de*#Z)5lOrPxI`XtPm#a*`*r$y56GL!6ptv(MC&__N#}8y2*J0rede%6Eg+V%qjX
zrqSL0>yMzIFg4J;G4ztuS|A2o8o3z}ox3Q8qbuHgH!^bI4+4@>M$3m_1QzzC`gP1C
zXH-MdWJ%$@9YCbzpK@-!S7c;GgqMPOuE#CFa!ZalP)`iRBQ4;VtRz)~)r}xKbdkn{
zrZLMHo2?%si-q2eCaa<6Js)bEmSl2tHZreKh$G>Qd^7e@Lw<P%xytfs&m+ULz%4k1
z_HIuG=PJ_yx?uu(M(XKNJlhZI3K)all?vN8XE`fe>Tg&mZA{;K#WECEqRHv_NFJEw
z!F35g*te8VmTeQWDp$5ed|-QJifQq<%>Adnc1gQ2p#<|dym}G&3Hye>Xs_lzH`Wlf
z)RH0EMO@jFC4FYi^v)`NXebkK#N-Zq1D$h8`ym)M-AdH88pWeNH3;8QMSc;FXE|mf
zoaxr=Iz%<vg?*il@^4hQ(T9G|*dDWw4C|NH0FPNn*YGagjKe2vbt`5p!Zchi(oEtC
z&zdImLxUr;y&fpdwNK0zhvJU-=<$w^+Om^=`La5}>F0s$FH*F3P2)r8>H9}aF38qf
z0!D6)SBkazrym?>6FTDn&wz5C4yrM7rvB0A(d(&Q2;RXS6;~zXluH8SP_*dyVTW&P
z379Rqu4|o5+uX+j%B2^JHCKzy#B=&nOlP$`s!LLIJ1@B-QohS#8+3Dkv1#OaRQSVF
z+#lodxj(ANX!q>C!cLk@P{gPw!16d-S!qT`KIxYmoqR7#`=YqeM!`gY=UXAHBKx8k
zluRdd&IHRgH1||Yx(v3c8w4SsVC#`jW^eYRgr10qFB|b1yF-p}i3RY=74YvLgswD%
z^s4#HlLq5*x)RWNym!(2sSG7BGB7K%4ASK8Q7aWEI-7)J6Z(aC#{vfZ5AWwWPfi&^
zeahtVN3yZ8HJOJE+dFB;83i%Pa)qF1nr7C4zCKTlH^kRnXQia4d4^TXyJt3YietRv
zO`9{!M-AOtYA2~1)Q@Z^Tui5^0C#4eTPPFz+IMYuf7?=}1tdO5$coyd)K|Sft#T`=
zOr69e8}_?sITPpIQoiB<<5709(#z)hi)!tFKu;4N&uZi4)o8_j{i^}jm#q${?C?sq
zAlJ<3_Br9}>IqjfP{^^gLGqpJ4og|-?brT;OjigTu%)b2MK>rToGd)xjr(GwmfjsP
zg_Mg*zPD&zvRfkIEX^BIzr(F&B4Uhdwd-;V##7@j!=6++Jioui!eDdlJz&YED+C~+
zVqN|A;1)-N%#oez;{95wx@Fm8^q5T;i(1Z7z3Bbw<nq$g8<rS*ye-AXw@&h0P}<{0
z+$C<fQL0%S#DW^-T^z5t_#TQAlgbaBtaA9imLO4Dko)!lLhr$`msyo~H5c*9V{yze
z9y$%nyMtli_6h&|><1C$X8sQcC%tGzs<R@r)@$tkWviP>>V}>}Ev072q7ptq&0WLf
zyv~j4%^XA0r2y^^c!n%Td|k81i{&)^PSSb51cD=T*UH<$7uUzw%-F=>6`SKS=)uE3
z5`yw-I5$dXnQ>6ipLQYMm1liL)Ze9bi7%%M(`S);#(!A|$>=e;YmxKQV(Oaku0Dpi
z&{@cX%>`}rizSA^85cKTa3fNhTSt6)_rX{j#k+|FR$`@zd<SVdQ=WR>JVxQ_oWixH
zn-!%Ck&=eD3xj;f;em33EPd)^3Ddm7+kt4X+WSQCm>owy3bUH%cqxY}t{M<*-7u4h
zwQH-gPt$T}u^XVZUk1F&*jA9RAUUBaRU6{$hK5?T){#ZR)4NPmo($s%5h7`PT)Lkr
zdHi9x;N@PoB@4wYxPN2m1vDm2sHLMV_d;t#nmD+D88SHL?t@EQ1O-iw0j1#NK~Zac
z8<x3JM*+5U^KyYxukSZl$0q!w^*^dQ=c}t(yge(H*HSMIq!eiqH}^rD&EKbUGo!{;
zI$0UG*xeF!Gapi(oq805!&IPQvq^*8<J&$dxi}-Pw5*$C7IbQaA1Qiag@_Pnh=8;$
z+&}4si9qKr2Q6ye?-7}pda~?WqCY4z5pigI$GJML%gs9OxybE_g&aQ-<F!2kaVoP_
zc>whMHF<0!#V4^S(h?FiR@w^E?yST_H_RQb$qe%u-zbP(D?GCun_9W@Cglfw9plFE
zHYBvaen<Ci?r|-n(He0(s=~ReZXLsw)a$l^(dy>#LgH>I0c(mUUYWA5bP=(XrIKK{
zb*u<X+v*ZHVU$^A6{;LQm8^wG<tF3^Fk;?UG$+1Uesg%K?#(F(A3kiNI`?}qy=|dh
zO)|Y3^%Pi*pE&S1RFLhUt{v5w$hQS&jK+?|+X#vqj&`Vh@-0Tznc8{Do<bzq-V@fX
z%S9}~)7Se)mxYG*nw)aw-_zO(s!Y+vMfCoz@q=?|vy18zqE2>t%Qwv!hZz>t3~GXX
z*52MGx%}+Qs9=?Kg%@HuQ9K=k8@WuqUKTW(cI4}Dgn2PVo0<OBYl&r6M8Z7WwMCc_
z0eKX53RcTXwd#u3{&TafW>7?1V!fT9G_^7{>}yo{EQcSaVC@@iqQ_9^X^N~Bv-Y)C
zB@BDOevdZWtLipDvqjNUnWQ_OI)yna6!)S|KOEb7WoLWm;+E25F(>OV@{MyxGdYex
zyAm0fD(SrRlBn^l(d&oi#JZhY5`f50Vb23O(AE`J0QFfV=q+kx&%K(2>hr$HOZd$%
zV+`stQ#tI|+nDz4Q9V67uR^l=;9AoE(5|OWE_Alq&@#s(YJJ%(<UNXTDL{CsG@I}z
zBrWTU=Z;~Kq;OOwyd&d`Osg&b0s)aGmKMCKG+R+ddNg2vcf`rZoVUO`D?+vFy#cTp
z(AH^PR_M89{RCa?lE5^}*6W9Qu>o7pU`}{H8TC(+>`c{u<^r0Z!HmN7P>XN6)(}bZ
zOs<QepRjDqW37;~T+Lo^yP*eI_|sxN=k221_krKwcNr>w=PSV;@b*_Va21QBx?|1}
z2fb6A6=gpY>MW5V`E3+mWDC`skOln=bl1~Ys@|_rv4I^13KNoE5SQ)P1{PxynC3}G
zRLUOLs*7dmz9^>pdlOor;&&r+$Ma2H7O~Fr_$YduAJUKz;3tE_FOMl9xA|Z8dL8gA
JcmF=|e*s1$I=%n^

literal 0
HcmV?d00001

diff --git a/docs/GettingStartedDocs/images/VSCodeLinuxSuccessfulCMakeConfigure.png b/docs/GettingStartedDocs/images/VSCodeLinuxSuccessfulCMakeConfigure.png
new file mode 100644
index 0000000000000000000000000000000000000000..44365bdd68de3beb41d327a4e65680ed33aa90ca
GIT binary patch
literal 98499
zcmcG$2{@E*_&-|KBvdM7O+{r_+07&*B~sb4Hx!An?_+F*EK`jvStb-^H)LNUgDHC>
z#@L1iV;kGZn3?~p@AtQy-?^@H&UOChyw~Moc;}h>y`Ove+@Je?#N9PE;5mHy@PPvd
zcnojq-8*oA&FH`ZR`ekb;5V+IYqr3*gFg2Rt{*7v6<GjYuszYaqjTUu1%i9eksWx=
z<$2S}=fDBp_WiGe80aUb0|%HN4fS*$1lldpU8`(<rb~yS&8ZIwt1*mzC?C`U?wNwM
z>6E$lUWV)7@#EKThF^Ph0?BsskW#nA5tcKKJY8|@f{G4jU)9D29d*5p=1*AmJ&ku5
zRoiecc=Nq*>HAX)^T+09=A~$#!eWu90ejRqQb#2<sQ2hlVl8#=3l2(%ZK94oK}}Ea
z)5`dd8Ds_hPEU&c_j)LpcJ$akm;V3lkM)O*9xK#$(aFNiQ^vJq*MQwU{l~(R|6IA<
z`NUQy+#Bq;X-4yM(wJwzsLvX-5waT8_QNLh^Jw<JpXh>~zo3}z)n;aB$%3N25LRDP
z^_V5|B%-9l<{&;o|G8T3a_j8y$D(mlYRhU;{i=0$9}g#?YlI=?AUATGlUHPIZReYS
zy^%Oyyn$HIIng0jKCP*+op$kElvjg}RpsME+61+EWJqZNqWs;nxsl1Bt)Q{;m&u>C
z)qejfFt-)mnxQ(RG4iLOYz*@$=nFFwJ>Wu4V#MJ#-HECbF7n_DA=DK=8H>^@WQXoI
z=U0BHPWr~5@?%iWJa+IN{8mITHQ8&{T<K{b2o>(l&bbjxg(tc9GO%D$5+kw2HK;%}
zf=j9@?bjl!(;Z*wr`{1q^$_fLQ$}#7k<ac=cxS~@`M;*4yYDEl@IRX@zmvQn6+r*B
z+7wNhsa^1K%a!_$3v#Dt&k1#INHDVcrF3hDu)wPD`0}Jnw8)6=*>H#~sdkUiv#K*u
z7rl<&ID%njOzu6NYvFW>*`|DXPBP71T+PZy=tyI!EWOA^@{@_Q*)d5HBs2@jnALjg
zy&$t{a~(Ee$u^dpg}+;68&obT2vz8tYjppqXg+Fyc6VVC#hJfk9^!KQWNee@5e(Bw
z^5kfvUu34j-8sK!La@yG(NnVVbQy>nHT2+Ufw|~_Vw-x{_UMxgznSHlNwNCY+58L-
zZ}3hV-}u!L8{}u}#=wdYDj|T7hXB3%>=q-Gwg+AvCnfC;9$U31Y!_!-U9}0=`$ir&
zMbYv#7qbKIOWS*9LE)Q>7TylJUv3XOTcMp`!_Qvv#>VPjQhNtiXZcF?cZU?r{g-~3
z*7tc1w0_GgwmtR?Ww)x>g>U)Q+Zez3zWbXcLWmf;{AEPSsS#KAlK60o{g+}k=jm!k
z^qt}0KdN%8&|^5$x!OCObPH)U`81n(NF3w^`2ZtqYBl?69g<iNXENSvz3^Y&TTb?S
zq+SFvX~3F^3iQ(LY@s1J`)aQFf}9J<aRL8MG-NKf{o48>)EBTiu`HgKXeT!JiIbdp
z4R0qpWZcWQCvVkqpU{OjkMM*2!P*<6$T0KjXW5N&8l%!?3qI=dBO^jum`O#g6<@6;
zHRE3xufVgU0uKugBF5j+Pp{nx%^@X`)BW<K%%JkPX=IB!;l+6e4k@4BcVvb*3N|3R
zHNP6f#AL+~OanxH4G7yQnv0e80ZbC!-ly_ZCaRkG-5M_15A!RWmwc~qYUeZaXin3I
zwx*k(^#{bYigg(zHZX<LY^>+G1HRhbRk&4r-Jdz%`EvVptC~|5x=+zA!7ycrh>-5F
z<m|izYh>(_+k8ebyJ-i+ZVM9%iiK%6lkQK1E$fAX!o{p@5MJL%+&!E6q8Piy*&u~Z
zS=#kgXuR0jdHQ%sqk9~cKO4L2r!IDO{I!oH2uI;QRfW;m@>vid>5VsA3&w|?$;T3j
zN#4(-le9Y{y!R#^1wG44;3sm@ZFawHcTrx$F5o{=6RX~W%0cRrGqB0TT%rsyx{;nk
zMQL?<z44+x%^XhOQG4nQ3$NwLCT2c%P_B5HWFgj6k|jIItxr>e8tp>)7-5!he0)-f
zoha^S5oE0U&+8gFf(vzTgw{xK{<8CH3xdA_lP7z_N;@>@qAUK^!F38Rs}U|~Q+@;|
z9wP@rz28a{A80Ly>+2ic7~VQ*ROsL{eCc?fV!BVK)e5|U9uzQKI_XwNwO(Puy0txe
z)1R=rgExNLbNbpAyp(6zX+H~}rQBy6o#xBP4xd4sU`&03XKKEta`M3-qU)TZkk)A3
zu}8AX)3Nw%mTG$w&lwG&7`vJY6G~b!rKkBu`kq1zh=by@`Brs-WjM!vQ=u>9i^*pF
znh4n0nqsqxtmTEY)~<0E^l2L%_0yD{jHmSMmWvk$$5Kr~8|$BkIl*0m!JWim%xQ$*
z(eP^TrGwb%g3Tgo7U<Nyg1!v9e*78dz-OWX&%`@V#DD~m3H<JUci-0t^qI=jIKTtu
z(6VCAWqa6`nY}#bfkFZGwraUYkwUR9&Y}vu$!Lcx2`?y!sos%YV&=xZ878i#W`CHn
zoT<&RNjl%-DR%p)6y^jBi}v38XdEVRtv9t%X(4Q8ZjE{h{P756kT}qS7!>IFpgqx0
z+-IM_2Me!yO)(TVdoM1^L97$g6vMP=hHv$NUVeiudQBHh@Xd?Q1y4E#5o*39);CqX
zc2>00GO%p~C6mLHjMXOs<%t6r4)C%11tqR31Z@~EQ(nvvzSQ5Vk=k$9nTt7D^IGYx
zyL1?zQ%K>kW9B>`*xCN3XlG&Hou<C>BinB?`#vH4e;K=3Z#cjP117=>S+Mgy?65`m
z*BYb731$fUu}<vbwgg7f4)tn#(D*%gft9v89V5=0f}pjp4~o$qCLzCM4H{P);4aQA
zS9TDQ3<`hWNBExnLi46KMP+DsEo(Kj;Ef}<n5VJv?^ZUChGiA;cOqJW{n{JfFF(#O
zp5>5wk{OgjgWJ}3i*B`2$4&W|T3clvVPlgKx%jZ(TP?iv^~MWewd;(jse--NZ6+5-
z5IXYrb}l++4Z<A`!p8>`dbY%Gxyle*#UG`6cB$mpjcrFJ-06%~-b=9Wa%6^=#$ynu
z+Vc0j#qq-PkoPE(``Ja)$B8m4Mb>C}t)v=0vJPxdP*J7on~4yAN;@RT^g`djjTG{U
z&QoRfc1~Rt2^bf-k;KMkC;M@qKJ9ek=hQZn1k=S$N-Aix`FhCb_&(MmSWSP+9>dUT
zz^i6)Qw^I<rXQm^C+fd<pYSHMHsjzmRgGJYp=j`CS_vf&UiEfT;hoy9n$?z?)Ow8w
zMgVhoZYK_sgu(^o)4rkSiM^VuM|w8`tu{G>v+i*Ynuy$p4^&?;sTueHR$q0}@~WFy
z@pq&vr+;m3opc&~ym^t-B<41%Gyr>KRi$rF*|x?=*a>tV7iZNP!S+C`?6#4`*1K;Q
zzLTE}G=t=c!`K}7k^lkm%5Oors(muMR>a-3bmSs=5MIePmY0}to62s<_h8hx4tIU8
zX1uT+vKcqYwU@k=$Gg0xG>o06pQzCn58|f^j&;%uQJTxKsXuA_&bT1ye%|GcZ0=F}
zozJuce9n>OP0I5|rEh>blLQtO?SkxvdHpDUcTx~FR_(Q$+qorLBYtSxdgE$NKS6=c
zaMBe&n^4NPw^mrb!(mLR5C`v-I#NA#BBU=y%EB(_<7hs=zk_l>Hf_=z$Pa#a{K}^<
zWpzweP{S-Y6E)0q#Zn2sBDn{*nZLi-vqv^-JlKq3gL}^Mr8CYx$L!`FHdDCnyvAva
zyKi2K-4uuXX}<`U4dJ18Dy+@WBfN5q<!3FWJXkM`;E(CnHK%oLG!kEE^plgwzBCVq
z@%2a+;#Z%~?ZHkNYibi7qj2<cU_!YbGnu<=bM&INv27A8+Iz2R`%W1~f~Je~>tNDk
zHW`T+X_^hx;H^ecvGuQ{oo{ysybQ7?#4U|cWzKzDjPl(<ya3`Xw9aEz)V^4^%ml&e
z1P@;V(=B&(tjc=zpYm<jZPnlkQ#V>KA-8w6Vi7Ib<KNu%$6Kn{wNf|OmN%o>XXX@D
zHser(H-_kjLc4Fh$jU{0vN4nTLJdD}Fq1lnL*x+z5q5eAwn+LVK-qdI&bnYfMpVM(
zQO}5BCj~}5UNH$b)Km1+t8~EVMmvP8g5Uc1L*veKee7d-?l!y^Y8LzXst?kmCP?*(
zVj23K!wdeMh%KMZi!J>1VhAGrJtl{_jd9<qp7ENfi&F~MLZl{QvAteh!g&)WmMSZ(
zh%L(*()@j#dlq(3{>2s<CPNcN5a+ghicJtEP!m(le)7>ku~oN-u)ET<!%narll)ra
z-LKxeX|aI>y{O0yFJ(?CQWmiDovO{#E6p?yX0^!pH=mzo7U}MIXAUVQ)y&@8poCdZ
zEi0Xve%z;t5rust0l|d68o{s7*jB?-E!(?vlsdw-=h!B$wwDu6UW?&`Z>|Y~=MbmG
zZU>dk(J6ZBj02Av@8x5nDcEzm49o2eMBWnXA7Tm9g*(~NNYHx1KjMq~b#Yd@7F5_2
zq1@#08L33xCcN_N+SvlN20Mks<KmsmWj(szdSN&05`T^f+><Bbh$jV2Y;d0&oA18x
z6QGMN`mfv6jNo(dq%6+B1Z6_AwK+-<I-!(64bbXElY-%vusKl+tv>5g;UJ8v9ZD-{
zf&OF}YnL5A3|gW!LJHslb4rY`GducCApdz?G4k92WNM&yT0rkCy{XkFIZv$5i#Nw)
z5A<FZs-AF>S4U!nPcgeN!ti9UFp=_&jL`L4ID2YUHK>%SGQa(P<oq&45TB1HgJyrt
z1VVyjqiTkFl*2K>%!REE+MR5&$~|ew8`Aa8qp4A1Me+tMXw(*jz(KyGnXjC0Tyr_B
z7?o$TC))9+s7Bb264p=b$IHwO%0sQc1Zw5>p!J>LQ+xf8L7HKYBF7)mcFQ%J#Z8~h
zvxu#oVvt<D!d~)nQtC*bpJqSJrl$RuuV!p2yDY!`YIL#5NcZkq-4jZk96oB!2}oN5
zis|1YxSBNtCtpOB>-8LcH$~kUb1UN+^Z$Cp$k@*Ni{|2XSshWnc{D4?oV;->sm`fM
z^C@kW1LQaNn7WV(Klv9d@^LfPy2SnIF+%QM$H*A*vwxxlQi+J%Fr|xqTWPZh`D!ls
zO(OVv)^*gn`XLEAwz*Aky)!|{@fl@@=)bFfFx%qK5&pdnZx;k9SUkMgIz>N(V4>ik
zWogn#w?rg69uX`Mi+{CYf;g%0f>;s2O^majg@`Y3YcJ02Z0?F&2U9>_eTrGhUwslx
z!3g{!qy*my`DQ|IxoBx#rnyoiP|lnkA94=D*rLS4=QfoTLXw;ZIK`}Cj_|1h4{6#(
zAXr#p1j>1>><1Xv(wD$mopl$mIY+SFln-&z7(F29b7WfVo_<Nphcnmi_wv9%xlNgT
z;h?o`R#-8RpS^ge>S9MOeh?qFcHc;0Rkzp*Br-n8%NwL8)Y+o#w30ASO2kJvi%oiD
z>rLn)*!h-&@9a|T#K>>x2QQ?O)Z{HWAYZ-bSz9oHNx^O~OLJ-oHA5?P?t?LdV?K;+
zY@RYda!FZi5302iuG2DT%*f6)TJ?$W>)s`LEvob{_@Daem@t2T;>}r@W9E8D6e-x+
zNoX&*dOhG|-vD$^<C<=rNP{JSMsB5~R@_n-!v+=LvCaBT6C6w8uQ0f<ZZbc<jCwWY
zC(JNwqF|7hc9NcxsFkAeNBHANy#Fp#U~$vm#j<9FA3PVTpOtWIMhUx}C%4=07p$J^
zsBFcG<d&~(WoEmN*DBqQDLc(z0HwKk$-}pw-3(Tqq|K@`ax(~~*6<qVA;fqAm3|4R
z)aCbHcQ+iG2jAF5oR~tK;jNwjDV|?z|4PXrq4rnK5qK=6MFTytgQ(cdV;%}%g_L))
zt;alEoQ)K*_ubslLGZX&+_@J+Av@20%|md_do9G@Z}f02N?m3j?Nhdk*m|IC-*3Lk
zUG)<`C_`azYOmCSCh|Qx@O-$6*02G0rz00I-0JEEGxR)~f%PkA;s$?<YTyKx9uIrc
zB>1w%Iw>SHtb^n>>LV*d>s!2C&F6%g{xt)&-A5n(4`Gg?XiyhkJeb)H5rMiE(B8N8
zliq;*cj$v7cdK->7$NzH%Du!krOu$2%CF*H6dR<pRiyf{?8d_j4laK{?Z}1g?!9L8
zx2y;+50r_O+3_{k@etoE>j}F`lfG=8As4bhUQryaniRIefEr5G5+w^AfOYl}i5DO^
z^58N6+p&Sd&fvxB;LspaqHGa<ktB%7l(7_p^Eqjs9wUPWZs4BJIos!EB}Wx=LU1%2
z>RI<0z*zo<m@;0vqy0?5lEo<XQ%$wL!ddzPJz}}4+N^^fS$r7^{=y1*&G>MHzOW&0
zr!eM#x~VP}C2PG+)x)s{CaK^wobVsNk3n&Po_3FfmNo*L>iJ;u57);|B?^&~eR#3+
ze6Yk+T}_zXQJ&+y-KvwJl}CF=9l4DZOMhgjX84tR&)s6yxJ-Y2{up-Bom0y5>mPv4
zK{2yBU|?V7?l=37NsO<E@6NHYFK3(5a;L+IXQ$)LOdeS5WWDN6H?ucLo9{X2mFxJ1
z+nn$qihRB_LmwF?nR}_Ug|T~Ut*sEZ9(C{hp#>?~h$I$%wLjyx38oqF#iX${TWXp8
z&c}ewEZVp$N&YgP|JdAXrr&35{CIb41lMaGc#W^xd#1(1;bo|G=#%iD`QnQwBpigj
zICV#DkL&3TXC<-nrzyeXXf5Nl7}16mA=QngjqfUYdZ%DC*&~bav!73MNa>x~lb_n2
zjpJqSk{UT-cRM!rQ!2oZ{Rgj>FA3c8?{)0|-H)&Hj5U|9s9Gf?i0JC+J?Jg~ZC%W*
zwjvz|=(?Z$to)La@7@%5E1C+CZ2;0NH~5jmbv?cNZ>|bSU4mrY20r_N$q_&vms@D5
zc0K1}pEy9a#kdHrW5@0o;+)bxCHTn$E17C5DV~wcz1aQk2>;uP-t)jxh0^;1Upa4u
zbj(%8)$KpUR!3`eY;68HH)W#-of@gYN}sa#>B50zr#mm=dMy99gi7+Fj{B6+1`uHn
zgvPAtMpFMNwwVZQ@UzEKPsaGKxgtVA*zyS4{j~EZUE!)9!$Th)|9wi|1U{W$Q&76E
zNSdq_x`Y1Be($*qEk?z~ZEHZ@jTI187Uxv^l3loEHU&&=w%%T9@c3;;{@VY6BKUWy
zpIF|W7Fqzam%bJQzCs?`nnjw_x6tt|Ti}viM`aC-#S{g558T1U{?0<|Kbq}m{U8V5
zeggj;wq1#;BQyk%-oTp<-znyq?~G(8)t15O<Q4oRqdEp-Ve9uLgj`ayXW~lj*VUwN
zcl<4pRUw^e(2Y3-xVk0B-58ZY#y)Y^&jEYrhpWB&!t18cco=Qj)m~5U1h9E#HytE%
zx?NL?Z;{t5zrHDq=*|k5SYSQ$CkAuDy5iCE77&XVNzMZBg>#BQ#6;CSZ*yCr=!@_z
z3-}zy<)?LFQbks?MXAlgM98W(bt;PQ@#5VV8dY)Rm;daWlA<d&!|^NhC)eIzn8;XH
zV4|gS;=UXtTssuu{;FSBBKDOc+nLUtom#j^O{xStg4n9}^?225<zaC(PYL&e)B*B$
zVS(K@uh_6>e(6{fUc|;82b6wTG_6(NMBIBQ)oyOOqEv?4=;*B}@vvJ$EC-_}4jG0~
z;_Y|t>Wy$mbMIhUKm2-k)lE4kF8chZA@`#4zm|A9)WLhbyC5(t*{^Ulf@^Fl<(EBu
z(ZV)H3diAlRw3;`^4ZK+DD#l$Q-`$I)Od}24@f%SO9HJ~DnvC8h=DgcKeF-<pXnMP
zpOefz<)&=&oJ|Vr568-dY&XqPDp&IZQr;i&a|T%2y|kUP2g(=EEB@IbA}+VFr+mA*
zK@D4_M!q_@Jd0|+tRHjC>t@szlL%(yDIgoHKV+Ru>xg)6CyhHp$AYb(<Hoy4P1jlR
z&b1zyGB%xKxHytQl89^dEyhCF%lZBf8RcyMI3R~`S|*(FXGImhp{lLr0kCB-KBHN8
z&6X|emN^vj4~khgT7B4!wLZc@a#c>{kmQ<*5SQwQCSK(=%N2<@R{msi!)>;)E>RhZ
zs1&-i(d%14+D-7F>ak;AERoZf&M8{$?u4n5$M8`Nx7Gmr-q$(D{N1xs5#19_A#@Yb
zVu=f{j_O@!WfKI`7fgnn2Wo~5t+~WLl&Mt>Knjnib*a4^n+meiywiE1Z_Coxc09l=
zko<$T+OqnErXup=ukX8*M|3X~^m!>XZN7=Y+<P&?pQeC<ZSRfy6Xru49?>hu%pKjY
zsjjcghBvnAaSGL!B3s$8*08xmZn|LzdF7;}<kJekuIF2wW@m*KNGV;U^!LS29qyfw
zyy*}bevOmYtBzObifxRum+H%AH{G#$C5h;3HzQDHEc~KRXTP*<H2R;$orH4tc*gKl
zTcj*sQEbaPKl!IOK#RVe>HklN<WW%+N*-+eFpu|C{9KdL9kspl<fqwRxgxo=3?$A3
zz`ATj^$*5xrHEAhbf59I;-D|`y^}j^RNg3tDwY1nV)RAQrZT*e#I#4-iT*6e+@m_2
zXM=QJ@aoUjF{J%m5OA*p$7?X)Mr}@V@$s~I&}Ow|&WoSM?e$KLEcAKJM<0p_t$GtL
zqBL*61RbhA{5MnssUg1++TI4<t4irUi?#AIvlQ-6Y;?FDbNZ0dY`Ynr%jn#2e?a<s
z(5kLI<??E~GhnxY2`cmAU_YSSa%+F1l_Lxv*k4s_ix%gHi*mSVD7N`Tb9vW1mq)%j
z2=;5uA>U1MK4yN?YFx_vs^YPEgE4{Ur|Yv`paW$uM4=V)W4F@J?_R#+i@)@bSqi45
zt??nLg>(A-V$9<DOF$&!_{u>)CEUnPir`dv(hTF!VeiZqa5~WQQM^AO@@9IdcDXF1
zDbWDOkKkVRbzlihV9criYlXol(+;q()aB{+tO>&L#8x(d9gN|$w7bqBs`lP4=Ip(g
zR|f;0-BjOASe-h$%ptX#l-{UPPe>Bg+%wTKs1s}PhynRF<TgY0F~xqj;0IrzzR+U7
zRH@9PzcIg~wIdpy)?p#15c%(}9yoUF^|yCNER>*h-kQz0fbp4_PQt)Y{*y&hAk^vL
zYe6q0t}&7QXLyYc<V3P@hKK81=it&^<7+#d@>WCi#(VJaZNcMZ;4%?re+;kenhnE|
zpwV#+yc45huF2)+do<E3hhaUrYkqWgsvxYCma=690{o`|X{^y*%sQNtXqJlk>l?8V
zaa_#5snH4YU#U@)2oN%M;*k%YZ<~XWT>pP2?}8*&B$&AY4gk|e`$BEaT$m{42E2FE
z?CqC>Kqd#m;D4oX4PGPp#<lC>VO1Net4zi!0ca{H!_1uB|5fLIB7*%zB>`(Uw^c3X
zk&u)`TmFB54KDE*Y0y<NTXy1G6lvtnrO`?NqFe$3!#?8BGkeP+l@%)7YtNXoum5;E
z^&Q=>Jy^#`PtU1BKKMWHXz%zRzxx->)X)EIYMOof2e*)O4ffyi;N-uWkGE4z0xdjH
z^`E=rv9$hk<$lYy+o(#S@^B8%*yF{0q~vnX@gF?pH$d);OtkmLqCzHt#9^ztQRwIB
zG6*mb`!_E-bIwsP;sJc1o%dEFrEaBlolQG4@r;7M?ZhiThe3)~&7pN6OgfbSbQYKB
zI~cG(brRlU#Tl67U8Q4fOZ}!0rX*Lh``USHw<2LhH-)x4(ju133NXmiq@A6>e7X00
zRf%MZ&2HRC9!7Ko<EN+B{=I(QPnU(C>yB}Qli9-<%<+^5JVvMFZRS~H0iPLaha@K^
zCe}Sc!Eo)w#<@baGg)j>H50)__PvENQHsue+1g<V=1m_L1vM8k_Q9MmQbRFlXF7&Z
zRMx!Mt4$p@%Bm%oHtc<X&-J`b*O2MDX3fPh6P%pG8xa*&OiT7=J96C8l6*{Kr+?0J
zn-jbf(J=i&c+ZDR+X;sAHWwNrzt<hR2@ck#s1coO-0>+ODaq6RIQ=qV4aJD~Y|w1J
zLQ_vW#Ma_ennd!on~|t{FRnQdI}<_Yf)+m)gkH!cvwvlm#qMuj?57qfKL_tWbEysc
zjTP02!1g0|*1m4gCYjA4OBEPpKL_?Bhj@=lNZgENW!qmdbTwr1HZ6%Zuw0^aO(d-Y
zW{Lgg9Naj_;X6qQp3x8maO)kZeOZpD$>Qm9HA|z^H<-TWj0vkq<>9yNQfX_D8N`9s
z!qnE;oEWhlHUZ010ohZljl4qr#w!m70`lh-C3#)T86$QfKT^91a)Z5xjb>V}m+_Nd
zG5peh{)GY`cp<fvPT{EchsYfp2I8<Q?gCT*#p?|#AQ^J%$KNeYwtx@aQS4?;^TE@E
zQ^HRkns=B1TBV1t9~OPn1z|fOL7!JS4l1^90nHmAbguKh7H|rek8eLlNKNkEP#Ycy
zNSX&7M40BMa=I=3r$Hb;B31(`OPjQ7i`WpRFY3{)Y>w9^@b1@G_@g;@K1ZEoV?Q2w
z(<S@>1d}AXfS$Kr{7}NiH)tUOWLPsUBPS7k_cg7uEGbAbDOk2%e&w%iOy+kyN$ber
ziVQ~sDCX|h!$#+>9N^;jRg}bb&aLn4BiFGfb`FwfV#+)7vBh&U%0)aK09cEyEs4JH
z3F+*seQcl{EgwwikLd2|zC73`_qy-0j@8fB4;S=awXz+I;1!wi7FBks=f%#f*8e|9
z_s;u{smJf$6FOfMEj7v5t|1`8HuDC{*^Y{IoQYs#`!qCdDB}Bo%V^C8caXp)MX}tM
zN+>>Bi>2?Qc#{~H$xKD~rYKb5U%_Ho`9m-F4&+IP1dbc;qmX%ra|&JkIk8$b6X?k8
zKrv1UuaH)}PkHa9h`1G9=<RW-vaA<=-GS`80|6a3h4zDr<hz^qr4$cFOSMphTc*W=
zW{*{Zq^4tem3_mH#+(QqEsTiUj3{qgl;%~B7K_muSuUO{R+f#SIM|pAH;IjkukXFJ
zurnNiZr#zl^1T>{Pyc%v9zfu+pHTS^90s{WUBY=U7P3j9MI_EuM4q@PbJ*xgvf(vJ
z-}#)>p@T2XI0WNYZjWHv5~}orv^W4dDmL~-77+Drl(Fz%yCxCfds9e^4DEicv8QJ(
zD&`QxCFDC59xR%4Q}jB=c*U8y`OD2wx>dqy^O}#>$L9TSr^r&k6p^{$y?W8z{^ggu
zQh;(6W5zi5Ys#xu0!<#@ty|jVU^AjMJ2_qfn^g<x`*Fp+U!@dr=1@O0?)Cpn(*2x~
zCuL>)G!m}CKcy<3vxD2IzvmORoT?lCCr6_bei~mF6^(YV`P4#NX^4{G1aJ8eYKjs2
zI<Wt@OtswvUd6^1{#zyc4V(qUk}Q1rZ#}HPe{<}oOaE5B0^0k3%`N=De)H3N>{6AF
zv-E+)66ZHiR7p(I+#jrYx-?Gyy)(jAkfr@YG+<q6C3*o<Ps~rOg%}|GF{;@pHKLlT
ze{c87a9v(Ap^FRUg;7}q=*2R|-tkFZXG;!Pf(TQHxv_bEXlU*Oyoy400fByZ<iUhD
zBhW+>_0F1@is#Y|{3e>Xb{{t*%hX}V@i4-VikqXw8^(sT?>@ciq*~XZe6z3rCO;Od
zCxJQp`ETpX+PfjT8w=a%LnftT=wEVHJ}G?4kL5JJm4rP@*W8#9a&=L1$5B9^(o{AA
znW2o6m7$u+jzXJWIJ6K$`ua&L<6Q&cVqGzNv||o53Iq`Iu-(Z$x0dfS!hMHX`2PxH
zTkc;9PeL^>2NmpKNRwAomoJ-W21s81hi0gs|C!!siCzTs<g%y>V0ui}m6=)NW8-fl
zG__|vc<OXn4<72F*sRQ4Q~!E=oD!j|g|U^c)pY88UXZe#xa-)u|4>i+fOY=*U2ZT^
z6PQZM&Yrj!*`Vyn88coIp?M_~?}pU8w)S_GmCbAFJ!>KXSrUq`YnD%J+4_?(dViDq
zmnXKHi_aE0rSewZ5K<eg0}|`_zX#*F+)`?-S8q@F5bOmfj|cS17Rh6Zm1@vGmR-4b
zF`$fB%c~Xfq<U*5|FR$STUN+5o3)k(Z(gTP!d^&!-$q^@Ol78b)UU2#_EAw%a1<@A
zM@cc=!RM5`A8FjTO!LVWX}oyUr}96U4E|%LeSlx+gaGp?<DBB5Qy$HK9#=M_&MBq`
zp&DN;Ij~HIo_Pm06#Bqmm-_WYX2jP=#tS{EvA|09fP+;L$O(ZT;b+qHjK*5espGbz
zKjFLIWV-}}jK>%(sB2Y`BKLlDGp)_`G{?Iq>t61jO7jij9TBC9zZJguPoq%Iy1Eu1
zF&g%vL(}eJ5r9>*eH#3iy)A6Kp4S;Q6bp1Tl|TNWQ7Lk_#&i15<1EYdDGS0nX(9ld
z4I9a-+-_F9qGLIDL05F_eTkj_-DbuXt4C-k3IIg3m5^5Y6eoBSToNpqt5Yr?9OXUz
zT%dk6l%&Zx9fykIF>+cDkL$2e9ddDVGd{O9`(B9)wWM%MT2hfhp5HNkZEUwEjqG^a
z@DOPB!sZ^N>+Qrnov6cqbNZ})5Qo`~zM44VMNfNXQof?wa<EOwb#LYSvpwFqM7TqQ
zp@Cr9ra0C9^=sG5<CIE)`aF}&72|g;<B6G9eq&AjzhA5*C=HoV!IZtr(wQ^xT*mys
zP$(W^qKQq-OH96FADXB+mwbO*G+=ysrHN`sU2ErS5Qa7mJUPIpwH8iWPi<ME)ozcu
z(fioBPX$_X^l>_VWkuqlErh0xUQIE(BOa5@O-ez{ecIc<APo4>UB*&nUwynn^Dmp`
zOJsI0g-|9<{7UC;V7`d+r-qH*KIg?NK=F6Q%Cp_pRaES@<-Mzlb&TDspzs}lm(bR_
zF^YChZ2;io<bT0B`@NaGF!iF+BVUtOVXHNC!II$HKb8CeO5hF*rw_er7fR6=f79B^
zg2W1ZV7iGFDZjpi+Eisdd92F)#pQJ{S_ig1qavdF;6=mPemjLSsheTXZq!+ce?fMq
zv>@}Wq!p@u%t-`zKfah=&JLC9RzHQNdj*v`!BInkaI{<^>4$qVV{3a116JoKsrVe8
zI~#Zc#XYwb{OorYdl<@@73o=bDujmKTi3^!Llx$$n|UGk@cGr;q~o1A7(wIt!`p_2
zlY{X3;;|=Yz0+u)Gb?#lJu=T)riz7Z*ZQ`X2}8btx-tz+h4bV`%a%E%eo6ll2*z(w
zo(7<T!V;9zYpCff7Tmz}7W9Q7u4IINIph86QWzF2AhDZqOaz(hCry)Fl988LZ1@Q(
zfgYlrRnl0MtXW$jjeqT1_NufPU;bT!pG(S68cEIap7`m}iO!&#XrU_C4>I|;4q5j5
zcax|z@2c16I#uuz>#Kc;A0xF7;jJql-#MKoajmW1)PHlpph2draWDf64|^QS?|hvV
z33zfpr(~bjMnVhrTq#Nk@}gn68b59gZJL`1qqzqR-BEQOd*Iw8vGP1*wF%7s?xtm=
z1_77L%3r&a4z2$)LYV#!(oEtUFutKHvG%hJMACf&4ckzK{Wpm0qBi;Fa(`>bq@!{k
zB^Ui?rm@5@aQ)F$=JOz%$xyG1=1*@0DwUNE;b{WX>0G(N71_<PP<inY)pY)XPbKh*
zQrvm|@bQW(4(W@?H#Y~uw()NXNwP~VmzLSaRJTu7i_-Ec#L_=?;2i<Jd{6Q@CU42+
z!UT%KFiA2&i>aFnwW%SuzJRS>O1o6lf`YO=VkS8S5lb=Uu+Z%Dw0;JxYpL>0vnf1o
z43(AL{y4)Sb6radN7+DcJt#n&ueQSRuj4ZUN>9mJu+grgtZ|^X{^`p+VdC##AF<}6
zPl6jDS?(s+afF8`acj@)&&@>0D*5Ne&3=o=4KGJT<?%;Lif&C(d_tJV&P&NETD62V
z@!ftUc}B2eEEe#>zNXE=+s*X#IqVM==lw{QtBdsidi+(Z)94DcZZ6!@i5kMi+_5&a
zHFSvN0!uLt9ViawGO~kheKGQkaP}f~<Dsj3*Ey<?nr53>7c~-Mbx#*FF<?f;|0Du|
z@qw&O>3~6CP-tx`3Lp6w`vXOS_FwG3_1Jck!##}!Ib(Q3HcaPqoV}&)TBIsX5^Mvv
zL<w0d8nV*ZE56)Gk2Ai4`>x#i;eZ0pr=}_TYQA1Kh^I>Z;LVzY*dKnW<EhUOUqpXb
zTVd|YXo!6zUH4gs7=e%*5);M{JU3?Kck?YPvPXBOLAck=^vO=opeAS~DMEvU-L^8E
z6dGW>__}>(RHeH)A=T{*c7?pR(Zt#r1aa4;XjH;O3R~+ViSA4HT?G&qeM;FdH9a61
zjTq#{@EG6Ro3JRq&pv|0L$t(B$IKWxL5nK*=Bhz=J&`V)^zp;0gZAAjX6$kP<7t_G
zI4ef!v2m+=r&11$r$n{RzBUk3B4aHTVneu~O>Hq0ol(3e5b5N@*4;d&<udlk%3rBh
z7khv@<zNuB<{+0*wR=bxbGYqrBny|$xhvPgDFCth5t|GBjI2Jcb<^I<B@gr9yy9!G
z6MxyjcL}E1<cj(FTBxMtevVP;YMm{<lPFM>D9~UvYIx0jo#hHuKlnGho9-Hmnx<=<
z^vUUSvhSuW>B4A!1cz)9Zdv+z;ho1qkVna?rbUu=_P3QOpLcVcOO!sj_u~bOuOByW
zp;UBV*w;AA6={<nKILEd(4;u^KNQTB)y8FC^n*|>?>@Ovb7JEF8e6pWb{VjFBHfj4
zXQ2*9yDz~;pQe_mQt!to!{#yrzLBeXKYN?OC%^kM_P*0H?mMI2X0|gz%Mm^mGhuYK
zD4z?*s;GEe@eoE*5c#J1;%NSRF~m<L8M3C2U2;j$M3VN_5$5PwOr{nV_In4p_vF=-
z&z<}q4PEg3F7?X=4Slv=%^6C;jhY+7$i{T(tf^Fj7yUeg@>yDpge`j*n6J<h);;R6
z%Y~_9hZNMR7bNUz$Re8Wf_;7)p;)IXjn+JnJi;nFq`-tetu|8Ddji@SJBX?o_l_Sa
z>r+pE)jFFUvO*DGsrQ_|UI{`pKIhczEmU{}M6>hbR_pEJjQ$~L-^Dyuq&l~PF}Ow#
z)W_y*#=1|SvhcI9X?VtB{kq;SXvoGlm~Pq%58gl=Ji~VV@ZLU&diQJ@Pd4exP<d&f
z_1zbm&&r$7vOtN2wgfPe@Q$d|jtKHMH@1+UW!m0|Q{mQ0rldyjv{<sUv|JtXOru)T
z2r@|L*=1?tbOHRd+GXs{_Ogk}#;nQju^`jQ-)ya8F+4cS@9r}AN&T%hFNF*IKZwX@
z87ChKI_uN@w5)EWR3glLCiU?m$wH*W6asZIAom&S?Pk^=!qS>ZZ?)mJVVIS_JqfkC
z{8S9FNi}zBN6h%~N+`N!50xm9A*RkKXZ$P$dn!{nXC|!3qw*T9kOY70ev8Vwdr2L|
zx?{@~rdqVxqVW~jvr2<r%ev7l^v-Ff(77EO{!n8sPz;;<O5?K%+SkO?{D^Lth3!1H
zB^dLCLAfX`LdG6@|9-D?gG8%;;?dICRPB{m*1nE54*f;mXHTD`Kf_o5ARP=$!t8wK
z53S}JTWDpQ>;GrN*u+;}LR%{qU&`9n4|7WGbRH;bj@^o^wK)1}ZyO4qoU~#Iw7Gf(
z=rI7ra3(t`gyAI|VQ3orKI(O&gl>%F`gkz*@E9>jB)nt!AhfSdqlitap07#H{F5WF
zSMow-*TB0;f)^n`b*@CtRdvxlmUhKHjrh&OTH!(lGJJ~NkNEuQpn>vd_n+q#EUo+U
z3~yJKdD4G4`*(A`y_7D{q2f04K!vMI7SgCjb-z?R`9N`d5t*eT4WmToecolnA)b6#
z3rx=9uK3U-vf*$X=dcn|+~Uyk2b8;9+(8x2PF<*(b?P1U9LELaeWQWKd*8s!2Lo!G
zy3rKIXK!9>()HgWJlimIsVCgIPYJ*hqWnw9oy?lP^FCP@i%{OU=5ovBm#HPyeP1CD
z-_Hh|Nwy7WrJBL)pOYSJG-5@4y6bcP1aMEro~V{tz%#?DI+v-on;|w2jJK|wiRfm~
zY4n1Lhkp9Me`JtYk>s+LiQ>Nw!A`z>yO=NX2a?Mucen7LZWCGY+E4^n_F1D>4RXHe
z(MNVZv+~-;c+19@U+<YwsQ}o5Yv94=3&Z`(SCYR$bcB+hE9vR&!#Pjk#TfB0!B#w2
zT3JoU!Fx<j;EKJkc_8JftMO?h^J=1fs}!>NmLCtU{xb4%gur?ovgvpH!Y8ILos!ms
z(@;j9^zlAja`soXa(6Xpne3Ed4a?v!`MRt+TLpD@+YWRZ5v?($eel&<&f>;JSDK-G
zK$df#Jw^W@EuvO6pN!7i^x)<Y7eT$Fbc^!7Tf0dZzwUSbz0*sS15NJJzqX<^XaVOo
zXl!T`;<}_hsa!$fPZJ^uk{c{|S0p%jsd7H>+-%^3@h3qf&&Lg8Tv2FpZ`bCe211$S
zIjWB9AB#DOBfQ#Mu_gtZPEP;2n-n(V2XMM2s}bGmq)ehNU#MTXnY~kQrh1rF=*bE*
zdw>8Q=bi)(dwl=fBv@&I`{Wyw%^X+`9hyzzz1R++%c<XsLAeyQv&t%*iQ*NxTh@N;
zvu;<orpgBqSZ9D|tUoJ13}a*`OjrR3xc|Xj<n98@m0wEeJlX59Epz%C{110X$V|Ve
z+YHfOjT)$}{}8Fw&}{i7j)SKrEE9hv^Tjlj*EIWnpZ#2tx^uPW<J|?1-5IygbfyiG
zzkt@KtnSM2W(q<F+DI8wm-Rf69YRksr#m}4#}^7vE8qZN^j<xG$7X0@sDM_du{a<;
zaWBew4W%!v>R|*fWAh8N=1nnZ3QdVio{o3g1-dvD&74xlgSCMA;xX)4s4j0x(@H)0
z`>rI8d&bVPYMuqC*#dSKHoj|A1QJunzu7b1HLOir5Hfw_zYpgf@pFl)_JSSJ2@kuS
z5Y6iaDDC7qwF3aTt9(;15_GiK!RqsnBipWSQ}h|i?nci+*nBHMq4AP&XE*@Dy4e5t
z;=BYK@j9J|01L6H?|ep)o1I~L51;_M+WP{eNMXw0dzmTbucLXUXV3pZ;RCM^+2hm-
zr}f;PIyl@DXkS;2>Do@`H})#X4ET~!vGiD#`a1@u7}<B#YNt+{QEBwJtQHTpV|4J*
z0e$)0IqK0!-^M4Zj|mXQzPQn!#7{|sp0Y-CZ}fpzOY450wnz8@9YhJXtwZ{2LFYf|
zUWlBdP{ej*`G*aK!nOfFe8j(=k|~`X_;tU|eQbLybWDx~882Vo_19Gas%k&WXb6wB
z>JgeJQX4KL;E9}<y*~S=-Z=nS-RV7X8W>J^>g2-sebh9Yi_7R0$C;hhkpos+r;a=W
zNcEMEsdlG(pxwYg#pm{Yrh{#N2;_kYjvS@&4&XXH@jT5BcYtB&t7M3EjmOp*ZqO`{
zH6cwB|MAI{c53@W8L&_wsneezjWPmWGaHXK!Z<d3g78N`x7o^s?j{AiIFL=0;<~08
zs=_q^ioyiqdBpN~CYo9Kx75!O(#l)eG}$zF=2GqbQ|-g*Mmg5bD5)KAY49N#GY=}6
zHz?z{9|7!E{68F6VNt~#dG85ws`9pCs)1r8pFN=h5`!uuR_d+QoxOm81T{bYaauh3
zeOC0jzy#FsG@GEgw-b6WUPDy?Z36{qJfDtT(A-Jp#s-Sn$W*i#_lh*>{l?iS`Sz=|
z=Uq6^z6%gZ3EzrLi;eAi^bZa9X+r9pVjWNog&y(-rc-x4*}9KsTX$kG+^g3<_xv9^
zIuD>ggS@nP_o;aFR8hF^pCD2eX;rb!_WYrH2Ugt|f0rKT5xxQF`1yZ4&3=uauh87t
z?h~3H$1I%ImkAwJD){bifXMz0COJ8c9bsBY1Gq^>t{v|UINlx)e;SdvtT9wzLiO=W
zHhIyf5aDkpT`ih6MGl_~Cd*N~&LTEt4}HEArUZ1Kk}>u3rY+M&J_-Rf#=pzHHU+M<
zc7ivW&-~dPIJgq!7*6zbYp_2Eu(({Zd*fpJ_N*P6#0461>h0ki7a9T2V~y2UpNbbw
z`550I+0NoKE4(WeG8(o==%nnaczax_EjdNrc99iHLcu3&eSTbR4pj~f<Eq-ws3>V=
zL)}?lEGnxnK!uI{cy|^1Y{-NX?+7rJTKl=-#*G_$F@@7neU89!l*bKm;oVc`1&B&t
z6aA&0pIyncML!eckRqi0YW*-3xa}kUezjA5@F7&0*J=`=ymofO6F$~G!`Z0b-&J@p
zC-NA`<M%BTRutO|+$Ffx7Cs>New;wgl^!q28i{+$%KyPYp>Zt|-w;s7#0eMOY5At`
z0_dBq?}IceU??R9lb4t0vGM!I!bY6R1}OcI<oG9zf#|2mABKnsLwo8$me+3^PCIEn
zNj%?|xAkZ0T)>g;U-(IjtLiavvEG|Ay!_*~>#eMOJIp<u8;Vvdmj=dyvMetu>O^jS
zzudP2ZD`}I7&D6A`KAcCix_}6WY;7iUssj8>63p7`TJ(NAA3G&h2_n;pN?#fq&#Of
ztV)k2DoHUnpt5)oYqvia4qciTp7Ao{<3<N8%=hQfy)c;EAWV{3%=<QI!PEO*<H1@F
z$KaP0(?4(DRx1renek1$fhqr%cTL)gzUo6z7r<6WFH31DQfO6y88bf4mc76}6qW+Y
z`53_kDsUPpwO!d7u@8tBP*A}eCI2@;IgY0VE|$Le{h{`u;(_zXA5!3)D=bK--1N&8
z+x%u%xi*pQ=GN&Sde}z67LY#c0*k?#KaJ~Q7x|1{b}mczJsl4oeRkm$+t~$%i8K|>
z_|*KMjj~D8ODu6heZ!lv0TYwmS;mP<<0F>xJn*mne_)-o{KBUsPnm?nSR^rBj>-|l
z3viCs`wBgs_G}dWZF#a~5+DJ;7o%?empKW_KCJ3;C)EG^k$xFdyjo`Na8FI=vRTHn
zG5RT!-xWq`e|SdTE?j=szq^~s<>WQlsp6<ShHX6u9q;_0b;#(hc;ealJ_Ye4?ISil
zCq(+bgAUd3leto{D=}INg2H6Wph=qmE-_)+S19=|yHtBHAd^|ZieI-I;<CcK>7)#m
znI!O>Aamo_KpsI!T5Q=kOLGyG_rvvx$p&KX&x65Ua>pRx5P|V!hpQK*9_~G=wcclC
zXcPo|3B=feP`Aq9+H&^)c3+3QLubl7eA;<bYsL4bIK{-U-q**71!nm)fqCoB%OH^5
zn0N=>!D=%n^>wq;_j;biV&~`yX)n>6lR?DJb&4`Y<&Y3+#X><GVGZQLhmbDe)NfC%
zo#FG#1J1j@=0Oz8>hpF5vWU6z#tG^7eX3UGi`P1zWZ9#Qg$!g@Om^QWy_GY$l29B!
z@&3#?9m~l6j>1)GqX$U*AISDOxuUUia+j6Z!0O*ocS(sQi%yqUbWP;rX)4vOmMr{m
zfe58-3B}LBOS0^kN<~G(6l_w-kJfYZ{D^jU3e6*ph2LH!fuwlM)Q`JNoxs#ueQ}w<
z?nbJ=tdKnomz1q@YQG*Z<BHiOxm;%USTQJXu0COh8L=-n8W->7l(kEQDeVE=CJnmW
zRzvOZn<;HrSx2_Km9codxOq+qs{GQ~ndK7lhPF}?jjhNo)ex?%l%j&32#kboJ=uz=
z=n?!_7C2Kx)5&@k(3sRX_p#Y!M!}bfKC&B&kBDY9X9hOA<5ifyP8SS++t=H954RG|
ztsvT2c_cB4L;<~89wa9(r&h1q;H2q>uz|ph-o(JhcT2ijH&FF*Jr#DJrQgW{ijy$3
zRQ|*lvNf!ymX>L8&mHZ`A$6nt{oBNkJx-PE<fmH}<24m`+E1jNNX+vTe_-mVCBr6_
zWsIvx9CfawdCjvRbF_izQW)QIo^vuf3fkRPGuNd$BLWU_d??*_5G!_>?%N{UEW|0k
z_Y!)b5$N9nN1cNboab&oS_?h`E-*o@w3t45_Dr?}Lj;;E(y$~@S>yUGrViSYSDfe3
zm*wX`;xJxpWwUqno$o(G?G%Ql<#cx@3KOU;Oc?bS1mV1RO)6_2tVVK4N+qO8Jmhy8
z&M`8%0U0zmG4@Npn)5vH_%k`{2l>*Y6pc-l=?Y-d{3EzZHzYyE4i%QI>ai)u9||0C
z;OqMJ5iTo3#x0j81va#uj*^#o81S?D6H;kmIW^c;3f4h-y`o!odBTohygRbIMXc>T
z4Hs!W5m&<lgIH;w%I$8gpXceh8+|@J&eLb`v58Im1HiE(4AITwT#B7$ibC#Cw9uXW
z+q>JuH_fmXcH;M&Qq^daJ++^DHG$*bu${=?314A%@02e;baaq}EI%V`2MKKRg^B8(
zOgplwo_RCnb8rFQv7h(%<kWYhL_%-#Hp>|_AA2%Q==%s9l5vyOgpB?G5WF=n%RfY^
zD9|@F6o+U-Tj<q%hNbn3mzYU!_fsI}nKXM5*ycd97y>v?n^iqo<%(pg9j$8jzMU$6
z6~BF5vy5Nb&w=ImyD1-YUzf;k0v~**eY~8_=}lae1ky15*`jh)qI9dW>6fnPp-7E|
z+o{&bsao(}GCDAlhoUFst~jwp9-*NDS~bH}d*#9_zwTgSca<Gfi(>&_kJp)3(RV(|
zDTM~iRHv?(d#+yGR;;~t26mPV91Iy76+bn+u%%7u;CEHuHJG%FDK=oy1dcd8YeYGT
zJK6*{ej1`b#6Nv&RqU5%qJ`<J)gDl+1Q@DFzCc2q&l88ED9GTuDzi*A4yWs<Zta$n
zXS!=qo`t&(^ssxM$kxd2neP0G6*aaC^VX4ZRU$A8UZc~#lZji8gp1gvMx6&hM-FcO
zI=%ps$@H{1xh-zg&&|TWhR;taIi)<86;Q&sOn(QHru&{w>!4!;zxx@`0@eB)Ux9$e
zrfHq)Mk-BlcF)~@!x%(8T;o8$@6qd*5vtvM-eP4*jlMZVFqF=kJ@fq<eZ0<RNaOpE
zX-v4@E@u6ZiKhiuc1;L|%LeFKE%X6R*FI*4js9Z801%W7#nY~dymNSDaVjM|+qXwg
z4Ed0L-{hV1n__9?Dc2a3xz)t18N#4v#`)v-!(uaG&iivJDg>#`M9c*wm;c+X9!L)L
z_QX0)utd4lM+jo`VyoNIR33j3(x!|9PLwzg0EaIsw`0W0<cBaU_z2XmQ*2&nIkZ?Z
zu|T9|N9`694KC+%wi@NEFZt3a-vCHAM1P6$mi+)1LKO=jOiQt`Qmp?>1U(2ip7!0Y
zqD|B7hpxv&y{)T5WP`zMZ_*dHk^IRO>4<KC#D9f5vv*B&MUnzD$@ra$5j{I72K(ZJ
z;o7wX{>cD50d>ge73a7&R<60&8i=Qv$0N9Ix~wll;duJI0r(QnZNTHx1c?V6S>l+>
zm=DJToV#WpjFGvDR-~n1(*<Ua@3`pvqm3i(z>oq;R)OxA;dERUmUG0tB0*LF!AZX<
ztj!T5OFIJ{_fmUPLy&;<<Ig(5yqIV^QHgn#AR>CcdU=KK^N2I0`WEvO#zbp`%+{3n
zOUhN6emi8dEcGo0T^dNRG_St6I{r3z6l5F2FfGMgzanJ$x6hqhPu}L`|Nesru&`s?
z?vz@j=B>L@D9G{292T6d%%B+YYkhH_wvO<EE`UP4df24G`)5_dh^pgf5n7LMn9UFO
zrP7sMzeuGyBaH`EoE`!PS#DZ27AJRG`icvtX0I)}zwt+l^lbV&WCe>-EN7G)tb(#t
zR|2(yg$TS(HutCixBCIR;79BgOs^$xJ%sc-2hnWi{if7Y2KtB$;<i`%7tjJf{XLja
z@C<Gvjk&O*08np<C@<?Ec^EeEs%)wSLODSWYL)Bg{7;3kSc=y)DsH&tNj)?+6C@pw
z{N4zJIoGUvezo-NB~*wqoDn){=SK3INj_{e=6pxPdGG?irRXI~=Tjn?myoVn0)Y&2
z3xga+uNQ&5alTq4o^a<n$C)$wT9g~<&uU^v^2l2|6q{{PTwLFLd8Zut6dL-`<j!`<
zrnrI((V(SX1Rv@C5^;WBdDO#I!F^MO>`bf&j;4t3KgmTT{V2jJB{g_d8XZQkXe_SM
z7wSD*^>(gRL$xXp9`#HZIMYG7Y?tJcX7$e?LSYS%Sa2GOIn&2DrLJfRru94h`<$O9
z02J5N`r$T(`JLQw;FAVSRX?<VlgBu8B>v|M7t4PZ$gS6)*3aVq{I&@!)MU&;#^Ww0
z`Cw4q2@0AXW3lkiXGBt5fhajio#GO(G(XU6LsdEnZ1wB^J{<9>^pxGu-d)_sf;y{s
zW3M7{>)*YNYJc7jbK`oq5GDXPV@2Lpk@c<Y)%=!92IWTrA}jw#&wqay@8{0}Y2$z)
z0ej-~pROvQmHn10$Y-zHW2`ZLTuHjm8`Ec(hU@leMPrP>1ci8Lc3Vuj$FK4>LLf2G
zgN!R#fXK>BmPSEK+BnfOtPV;jgFo~0E{@tM7}d3@FXKRrf@vlb+aabS+<+rG{m1y;
z{-8%;(Q_1@_<LfnJYYPb&ck;?-($ZV`?c=JP;XZMA6aP>Xy)#;&bD!iZ%zaM_v7{;
z#*%LWhk$->tHDVeZL67;SOaDgUgrjfVtJY)I46TQfLnL`FJJ_$JMcrF|4+{?3d&gf
zU$lL9R8!m6twN~Mu^}Ku3>JidC>=zifCdx`f=H7hs1SN+0Ru=;I!KWcK(C;H6p_%o
z6j1?DT0#dYp+jh)ynV3U@Atj&+8FPjJMQ(~n{)O)yR0?WoO1!{Jq6=GFcw?6VPUL0
z$`+CDPEv(PZPbPgU*J}<c6K$$<ye%$#a4!oZT%mgoy2wnU?}3t_B?m9kyG1+iFKW@
zhOtD)Q18CC|9$}L$FvJiNner_uCL;`Gx;Ixpi+ph7%)*bl7v>*pr9`Q%!7{A^)!WZ
zA166&8x4iH;s$J^l{}VL@fqqoGY6}CMaF4I^)Aj_b)!xbunHs#AFno*7*)I;J;k*Q
zIG{Ks^z0n#`{I5nQ2^J4m;T6+BU{*tle$?5GDMeLx9-^(-I_i-hNeEpEEL}=q9fxS
z9N!X0$o35Zqz^)Pp-7B+Q@YBgHGA`b+r}D54NlM&G_*hkI<17WpZf<LKJ2@-x@!zT
za0{5qMnegJcr7`fzV~HmRPSC}QLeT=`{ev$-Rb?*7SliE4S%{B#Lhn;eFbq%Q~P+!
z-gPLBfO0P2jus88%?yQ?URanpCbzXZtRw~^&9Sf)l}wi1OhCj-6Zv@0fprBGunifU
zb?Gj&NvNdKS?GxhB8ovlA1l|PFD>p?%GTlQu2_FIxzOp%4#^ATnJjaCMjH}MiE@sg
z+`-Bco)myMLpMA?0v>Ls&ZJTcaTcv|A?A?IG@x~u;^ts@GoO~zc{{vP_vvx&^wNo^
zIrDR#0E<|Gz%RVqmbr{g--VgDsC&i3_av5_T|<{4yrR<5b>yX_u|J_v53ebVm!NU&
z`z$j*U`tAK7ZV8EJ?g3u>S_0IM_;t_0(t|}vH&48;?Sc&bf5CVIY$o?DM4VF!zcJl
zY2#=8wMV=L6<<^u#-59nQRTJ|wjNGxS`hUbSJ|eu*t1^@p%MkdEBUk>*sVDGBf*s;
zbno}!1cxEX6u$nl)81PfP9BR0#Ov`61GF=BdD`)`WpF&jO}u<bYNdD9t25geLcDz}
z?61xXopr77-u5DRtT@KIJSv>6peAoye+NmYGL)&?MT`+0z$^vA57S0H;fS8<rTTaP
z;Yts)RtXd8E+qe12k;r|6F`Xa@&|$?&b9#r!dgu<6=F`O4FcK@^nXuI#$C58g`ie}
z;dja=)$8dS2KIB#rN<g>?ZJC}zKB_Wzfv64QeM+JT<kfT>v@=|&(gPrt-6y50H3R#
zT%Iva3bSRyDw(YKdp={=LJRfw;~sl<Fm{9xsEu($^NFtYcPqW3Tgs-`FrSv%u}UAW
zhPfOZTO(HdfM7{LB57BNbtw3d-{sP6Ne{QVFC!gMHPR%CcM`xZMNk1_1Dh-9y+vaj
zCOA4!?K|PPQRf)lV0sxy3gp&lms$XkDdTj<4)ZMIEd&Z}3*~@voA7SGeT@5F@>MhX
z1VL032DXd_M<&$BqQ;z?aOSO?Wg*6ob8<((0ANQLFCX@tQ{8rhuRi4V+shSaq7OT^
zpnpV<uw(<M`C<6g+}kiAu+5dPThw2WS+oBFVx1(n+OgiHqn*XjUWttb%8a{mS=<NX
zoX(w(f+($8c&|6z7X_=T#=^(LVX6!R_USk#uS){g0w@S@p5Mp+LfT4=um)^D##fK`
zN1xV5ASS8`tVJO$6o^oV2qOcMAFp<5n%t!XN%fhYM}Fh^9dMPe7xH-~e14^s@D=?r
zUJTHYNKWlqGq2N=7tn@ofE%<SQ!aL=sP!SxZ~_cFJa;6U(C6UzBhj?5?PE=dHf@wF
zU*1Q+)jRZy)Xn7iSwh*{9J(OxMWwKy<5f2S^f?1Tdqf+Pjx2p;z@GTjqT^5ap<xh>
zclxS1llD}6!NN7z?(Ph!Sk3vsC1V=yDMnA%Jw9AzE90P6J-@s5R>i_TpweP-j5m5`
z#DU4|&4mrM(mH8;wcZ&MwCATm91m@?=yS3@Edu)a=9=r>BFAd)MWh_Ygn9yT6N;95
zWS7VC)VvC3V#-vf_h#qjm4XX$6-*p0d5VXPoxk7QGK2e1h(}kz;H$g7#u~XFXH?HU
z!kKo*ec~TgqE{Yx@QWxwYc&~2X&ws!cTbWaqw-6m0D)r-0k!+-;0t=|(PJAdU{8Gc
z8OjM?LM2p^DmUr-5wxq}H#}bidon&CVB!XNZRfJj>V++NcT7%C$dD2pJ8!i+4~h28
zIIe$RS(Oh~{W!-e0}wkev7+mA@vx4NJQKcS5}E3Fhla~wcKnzP3Li3k{8`x|+LoR=
zHhTc@mt>Tw-3q<U5|t!fJsK|eGQfPFkm(suq2=(=;O}|XYwFX$Ro3XR5yJ=G@K-Ez
z2>|ryxZR$mEHunasFLzpWJMA^Ibw@5u2F_G@J>f$uPT4XQ}&b#fU>?C1YCWB>B#ye
zPOps{AdsJyH#+t^*j{ZD{1Vt5mc~seucotTj+I!!G133iJecVCWge3vc(4c*LP+uV
zlH;x0#mRJ%kU-?8D&YIRia~me=K#^(uCxC2SkA)e>MPzr;+31=2j`SN7V!@GgXywn
zwSCw9{y{7|YR<5}WEz-%O*OyAQkRQ?m5Gd1=ii^ysmyXP3-cO^$<i`%WvyqELAQv`
zJW*dM=6qMtHU6qT-@|LD-jYahmd;-m4Z$u1B@jNnoedcw<#p!u^2<7Og&3p1w;}b5
zS8^4~F#qVQBct}rjKqOr$o8}>R2SJkVH!Qmi$<h}{d~tCpW=tngf=0@8TsO&CntSe
z7_W0=DFRy<+xejnTXN_3M^AU<9kC+*eMQ!u#>PNmuBq>~wELY~*=M7;X`^04Dy~a1
zTZ5cubi(k2hbqTLH4~1gpJ#B9CeFxmeE(p|LUYJ4C+5s#&ANZawr)}|`4LgvhREdm
zRsa)lvr=7|4|6ix<?-|376aW5dpnQ9x5W>0vw?-09#}9!K;I-fK16$S$bC()3*7P&
z#~O%kcCkU?4`Tn60_bf%JlUs==q|E90?zdoHk92hHN|4W$C?2lCb)y>GNbgjg^Eh)
zx<+>M^KyeY_RBW}hwuTz@*9Ju@9%)xG;DVS|HBchP#Y4-J9|^!=vxl^4W|J$q_i95
z3}QD-7}M(<tB-*S4C}I}YKHm>fas{|Lv%*4YxjejNP|(s?$n(Et2PtbD2sp%L)!D_
z*+^Qs=F=4;;vq@_q>KV$!4XV%hlmUt>N&<EML_@TsmnLmZ{?DNWID=-rcFKkUWV(o
z9L3x<?Zb4z#X7HuFmiG^V7OcO&VS6O-X<G#JWS~O;FI?l^Ur|xvzOZo_6Hu&F*Wr{
z)aO^vH!kx|9mtTjecdwKnR5U;fjuy_Vm>wDK5WLdglD9UN<>s&>3Ojr2(y+zFr8=1
zL`Ut5>mrBDddlSz@<N?9lNjL20~vgA(jD!0(s^V}OB1lq=p?hJ^T<I~tNhp@r|q?)
zkH%IX-7GsbcDeyS1@S}p9T&tf8&i)f*jm~ky5mMb?$F|utNtzW5$J^Kv6vybzMDSm
zh94SS8fCt+yu;DMGj+2UC`Ikak8|&pS1%3ac#fV_CA#QK1cJCv3@ST}WXl%S!i+s+
za;xgD<W4hrNEKf+bj(lC4m^sqLOGls4ElDoxxmNgSac)PjeK-%uC!>U9_F-QIET<3
zbw}QzreZ(lYlnjkm<rz?ziph)SAT?hRYltmr}^HV_`D%CFR@_7EPQ%y_$E1&(Cls`
zhv4jXF>>_yy7eLtHvEatgX(4{URQnbgvS95*&wt8Vt%*kx}yGB>e-|?Fkge}CsV9K
z9#B=SJFQKw<%iIHszM&$gIWmN!>P4@Rre66tq8(+k}weofbl0&=$YglivFbUy5hJc
znX(CGEY0}U)a?!K=)pzp5u&9F@N_$C(-ZA=gw<<^*E-9YJqpZG(L0#J9vhb#(gbE;
zk3`u3-YorgGsNxtRo7F63RWnNL>6&Gkm#FK-L4dPu5MuX*C^`=g<`d%@7R{2v^%&h
zi%hSPb)vi;_~3ctVB{}MyBBDpKCLe;bXR<GIXYZ;lq%hI_&a;ynJIOC!hrqtT!AO`
zy(gM`Z;hWk)=93FTBAzxF_<^pc4D|7I}xVFz@#L7b9VNaj&r@d=k{lJsx9*oM3YD9
zr9+5}a9RtmavOTM`xL+benSR00OH!B?SV?E6mStcy<Z*j@&ev;%N9Ux^CG8mW1)F7
zNtp2*benFmac$I<@mZ{v7+F7cAUXRepsvC(DW8%QI>%`9`%EQUt6;fiSHsxd>A=(~
zQ|s;%+5Q~AtmpZ{!5ma0&pt<<1Zqyyn<#}neyHbB7Bx~IuH;f2v{+Eg2U7zgmG%d{
zEYExRXN2+CH>;ag!CF1{Vm^nyw;OufFCSGroH{bIr?-!RgD%Ru^6&$`izboWUIjh^
zO5%$3?nD+;L4MxYxIALQ@)J_}21h8#zJcEsBy?M%%J{t&uCa`hphiQU-3x*?9K&I|
z-xoEDF{3ZuYG-I;dPXzn)_`K#v)pI}anRL-hTNI6GHtgjYh4?V*?w&R4m%9fOi{rA
z-Q)Kt@4Z*5ngJRw0AqHSN)q#B!W0^+wZTenPzF+MahhH#VBdQkJA}y;!x&pEzrH)I
ze(K#rm#plR)SDfVe(Xh5TJDWG@$j=W+~32x3#-`<W>wW0p&xjfDy=J(ValG)rM??T
zBUkxh;yAQ;+J8u_peyCPiJfIon0rcZJ37I!7jE1?%?}q%&g<fb@a)4A+gaa<y%U`e
zmjLmc^4%$EHHbh>^r9#MB5ruTnRfj2_6sJn>ZB8^8SGiSX4SG+jda75hZT%Kc~=hH
zD!tB~hGVsyiUA%o#SK_WrZL54j@vhHecbQQLGE8YFoVcDAC~b}457nqh{_#SK$+J}
zlYKNL;e9uKee@^;rU;zogM9py@e9MIBAXAmpxO4GP`EdXx$&w^d&5gBQns?g%1ulB
z{idSR4XUeo1?x-0H_YaxFrj{tLED2JNpNdJ1)S!ho9(XfrJK`iQ9t6Gj8*&Riw<Gq
zhI8uKl%Efu8h=NwdO1?W(KZ6;IKQ(&+MiJd44YKw^ximZDXhx;hXv*(K14W`aWdD)
zbJwX!5pd2f;V7nJdM#i7xx6Vq$0^A85X^!%VD;XcafQfkP*7;h9o%rJ&&M}qWTtd>
z8TaJ9XZqi(goU0b?hz{VF)Gr))R#Z5QKa-epK=ZoUSVnysr}ry$)!kf#D6y~e?YZk
zUj&nfrGtR~uK6tuX+rlM<GsSG18K!~%#th>-r;{N6o0cvka?F%C`C%;mAs?#UXA>O
z?-EEN-&DKaa@@F02bFJB4^x!nax5Z}&^+Q#pIU(b<Y)X?Sa~2YhPB4m9A(d|R4*bO
zA<th|htoWrm;umVv(su%%c|=7M6;Errt^KGrudb>Ro(6fgU<mz!rIG=wx1_t{_IoE
z@4D8Fl6OAN_@^+{6NWk3_I@Q)!KxW;ZB+FZK>D|qvp2to@)WSgcp+I~<z-7?^z+V3
zc<@VNZz=vX8HDG6d>)oj2-i0e#$22W^*6oh(7?{wCejWP4txrA=&8gjOl%d<q<bt(
z%iILFNhvPHe75fZ3GnMB=UV*$^rV9ZA>$$CWrMqZ?!1lBY5n46jns`WTU1FE452eS
z<*1y2u_Lhio)mt5X`L%h5n%9M*StZ6Z<YO8wdlZ1&-><bz!sT-_!hAfXF$A4@INXI
z;RW9eex_Z4li6dy87Y|o6AdwFROM#GRo6}tNL<k?(AW;hGigED?e_6f0q>1G>iCPW
z4H>#rK9x#p?`#QV@z|-#=Ld91<v`|OyR|{5YT~2ZnqB~*2@+vy`+|2j52t@?mSQmu
z%$Uh~dKe_KoZk&v0Kv|M$tMC7Tw$Z2K)yIi=yfr;+9v^}I}xoT?>mhg+tcy)3pp8O
zIc{i#3kfm#>|s*iFw)@n*#}Zc7!OzEfSk`WS%hjl@XE|pT(37P7fWt-&&>i3MC!;J
z>VF0&fo|H#s2E;O?w~+bBVR8|uzsX|0Gz3l?XQwXz-?xD91-NZXG76-E`?q0Tn+c@
zsJZim_DvicN*a40$V;p_#aOXH-nnwTc`__8L;TM$jA^10&=uVQM;NsayAJGzSQ4w~
zk86{+DkuB%%}%vH_?f-IhycUkvE*eHdR#`ipytLG_lWJR(?BX9CQ=q$1i}?iFO#wu
z2KStgD=I%{P|hZtCjU#{3z#2Fs9oU8P^ZAk3Y{AP3@KYw*I0rLwHmyCwo5J7Ig^M3
z7o+Lm^GSjwtTa);-;*4Ep(A@%Fo+0Tjdu_m;g6FBCQ?@5Wo(_eVs`m3k=k%`!f$~H
zZbY(%)lK2b1`m9GK~KBi)CaGp?Dc>>hQUo6c?0u%4nuI77x0@?Ni!g)v^^=t$#`-}
zrdxyY+J4}2w`y~G^*APYAbm!r!UJaGJPuUwQu^B7j_jN|{E(t2{`9?2Vu^Dm5mb8a
zL!1nQ|3Hkca>PNmQiy#>+zw(RE%^sGQvC^RN%Q@${v=4H)*LJ$TPLS)4<XAJ<Yw(}
zc@*o@eJ6Dh(n8>ghj#sesPqOxqe6IPAYc|q7EK_iC1V+sRuNTWaSyw4amFVB#|0_9
z>(9SP88{`o0ELmd3OnyE@%yKC1ap%i5Jdbv`6nch<_?iRk&vtk!e=u2e!u#Tn(mDZ
zJ$zrUJ2@MOVz9Q*d7<0__)<SApv?p-a0y@rq+S0#?~Iq0XRy`fAZoXH4Buo#wH{bU
z_UkGEmjOV+fi{y)Iq)v|Pgn?gY{Bc^RwPXnv_(O#s6GSuX)X{51>_m3J(k;Bn-zS@
zs{_7*jNRqb;sUnmLP(;_@a;1AK9j+J2lI6|la`Uk^cflK`fE#G+#Ib?pr6PBUp2!d
zr|bAGy3vI@DjnDbHjsb!0h%B*|2NPqD0zfUkEZR)Oz$(=sMS+)Mb}}fK{o^JMgRs>
zAtrI~&jAFlIU%z={wG&#apAMuNvhiObyhY)sifJ5vM=UWSqR%rR1*7J0h{-;U&mym
z*KL=W;=LMTiUg#|USmxUNMp{uS1&JLmzpu?T{P3>9j$plnw`=cdi#FT|55^RU-9y~
zLHqD{81-eB<>XUxL+{|gEDI1ov!HrJOq(Dz%8yTSwGUtDr!v-XF`?`jH2FLm4bXFX
zeLgSx-$2VLg8-2hvJD7drb)#>Tb}uOq%$4JCsG%bC4=Ok{57ZfDNWSK+SVRtkIXDS
zcx$n0FuS(<!MG7hz(TV2P@cp(M;uJ`+P%RGm=m_QUY1swmnwwI$sF0*P~rj_AqOJ+
z*^fRJw@T*O!-{AXZrgmdNMM^ajE_EYPSK&tCf4P#MTiBvE&AC%h-KaW5-q91t0lI9
z_4{nq_YIc#R$M+xJ#I({E|q(gn`5qY%%FJ1&Lz=n+t0#__<8dJvNjZ_$=kzvIYkT+
zL|)>DU!z~2mV?%}doxr6|Ct%r?q$=2pR+cJM1^KC-8}h8qb5rCpj139w^@zKahj+v
z%V@Oo{<!h!rNJQf!C;qH3so>~O05S$=F9L@-G<$ZEN5GFaMez=?*90(oFP&f2ubxC
zaQp|&zI8AkIMm!+ve6aXUyS5B53ANz2zE{<{zHs^uKJWs`dd*Hwza3lesvI^UVXFA
z<zV$bPAz5@)QL$EF<e>|EX-a;v+rJ<hDWQ=4)_TzG~axywlpEe%XVW8S4dq`{I-3`
zS4jK%gk%nV^B($fiW<$^D?+jApENU{zVdvOso;C_WXZ##)J|%ULB7kgH@-z-Ke{Yu
z9WQ@#h<C>^T_qA4Z!v-VHbeSjS)!)HJ-`BZTQFOAp24g}fbPJScwm8dZ^b^o_dR;M
z&wJ&DlWbDgbL3ru^F$Pxsk-EbeBK!8F!dK3H9wM0Oq59WUF=_H+wXYCjd*if5A#Y4
zVXajWHSlsDmq=<|5%cLKq>{?9rC>V|gN{Q6T!{re^{VH^cno;SwrbraPghHkm$nYS
z+)NmL_*mre@c8&F8z<`_022QjXaa^k<LIWKTJGZwGE?Kq<~+UZoSe?};A1k^M1Ie_
zRSN9K($P(-fq;=Az$9{8D3JZ)+3CPZ1JjFF!xR*qGzRejxF>VfmpI}?u!QrGB8p8g
z@d-VaqnNn8+9ZdgxC=TaL$r^bh7wU3*(NVHt3+lp<@9r;HE(fyVQ&So?~NSAj;GYn
zY`Spqvox;PPVbegKF{ZlRMpBe-~Qnb51H=HSvJe%_bQhkR~2v%w(oaqXzqLarlI8Y
zQCv`ELYka)7<|yd_6V$1D9C#%_T+dcGwqPndu0LXmxJf}lJ=eYP>E?;NO}w(C4afa
zB^>mFU(5|nnWxrt9-uQk+VCvUp9{L%-Y5YGgK@!y&+q7q7fmC3Oq)8g4SGRgLTZ{S
z%5?O$&;>P)^9NHe+!kOs%mh2pt#Bc@3Wf<nng*bw4%F*0({gXB%uI(fx#)7mr6@n|
z8uOzCHf{FfyDW3>YQh%}nsNC_i*Ap%Us;WsX7)|#kg_&Oqvdie%`#D4X^(z)<%tL`
zps!PINm++%J&jhXpK{&Ydc7Bxn$?pxgPO0C=e<$T^C}gfc*<Rkdr*-JCXvQM0LNhG
zCm~bmdX8d=7WPTGF(+kq<22Qz3d_!k@~F)liYIMN3#F;<$h4u0gdXTcu<AiKJG|v^
znul&2q#Q4O>tHg}8AU4RvZ9A~D_moFjMGeyI*E!LW-2|g7)9x*Q~sU_zF9iZ9WC-6
zn&!ot_A)Z$3!Qi2IlY8<Mrr@1mHWtoms;?CHgc;L+h<`C$&-+0Xv0VT;wPkWOktu!
z=;G=@><AtFe0HWZBB<e?hP#_akIlZDogD2nc#lo5Y!464b5i;|?|SjrwKL<^4+J>c
zuEw=ijesJb^Y(K8mca_fdj&HCYJLA~zi<FLzj&L{e`5g#4!T)-5y}E@szg|YKGH@Z
z0HDof35*8<qra<}CQSLgJA_Ic9ys^xCL2PY1@$I+v}%3Xxa%OW&-)tJ<*m$!VlI3D
zlw|Y|pOWZ?1jrRj6=Z3|Yli?$Ua-dKa6#@5G*Z^i#+#fE)!eF{M`dtocYQDMQMmZL
zHK1%%J%Ii>J4a-HCIU4sjIf>)LJsot*4)N8dnrxYXzAatJhP%Yw^ADmq<bsRJPuq+
z_x1?13J1v`kAMJXbw#0aQDFwesEhb&+}sG{&O%aSS27oGXZ@2surm8ZfQxT^tuBx@
zV#E=78>g;g@|8tZ3U7M1G6e3?pi%Z#Pao^MJ$H+G`g%%lkiq!?MqT|y+kj7g3YpVY
zFN>2qq?$?`sDZ1L>F`Ie=Dx{gbof~JfKXX`T0+&!Zo(9IrHxKwTa29w4BNalD~+%Y
zJyn|2;c`=@Bk4FJ%IT5Nx1=M3#UV`VrWie~uTd>Mtyr@2(du&#&f`&Y|5VOppVLwn
zv!aK^BT^HpkdOCTV(S>CPIzC|KJCZc@qJu^bT6Ajghg*C_mvfi4%%@YAX5TVW<2}l
zIiD-BEpd{yg9-PxfL~X)A(rx8)sXNv71SuIMJmrZ57lyM&~R?X93+QElvTkZTahs>
z>=ILiF2DXr+QE{c^@j(!->SUnj4JyW+2rnJLL+63wtjp_)4(vDjMa#E-C3<!;K>{1
zEFhMlS($YiefjIfaY_sfzNLMjTx|T2YFKHTgip{DT+sU~x2f+`Y2sdOc4p?jzGlL;
z%>U4A!et*n+4gAE%n}=03o{aVvMZ20TC3q4E;x9eM96tMYoh7<2(e)mbbkLZ+rih1
zs%kex&7Rrcc7Aq&_`PGnjc5atoS3&R&@5~!Iw|@N^{#AAd%y6Zi%P60jz@~Xu+O&I
zhfZ}(V53@~2pCOE9BcR5Uh(e7k`4NqKfWzrz6}}8(OXRC8gX!Qa_R#|i}Gg-!sSE0
zA!+EciKlbkUtWhgxt{-qcEfRVvX&;(!w=lC!%@HIc#T57a76%R?~H{^Y`oXgy&ZrU
z{bRuabj8{$DzIQ1URndp+S#qG+3h~;LX)VMTW{f;?a{JQ5OkgZ*#qUQ4o>qip>ye}
zJFl<)mFs-8+|OmVw4+z2QAp|IOMsFF@#5LFwx(LPKAkcu>*}}h@dgDBNg{1u43Jy6
z0&4Y)z}BDu>5BLIb<B_WdzL-Ae>bo@+00}}#TZ$hWLYySuH*XDGei;r{88*;yzd3V
zvnxFPgZ$u0TU1bd@6FPG_o*T?|Mw*PN&)+o0T!dOUA(=YkEHZ9bbATE6-Djotgu|}
z{)?6U3~(t&5%DtUWGZChR3ZVU#u6I=EWJMjz;z83{;atjcOyziY?b-uI%O;S45)@&
zY1Yj#nzsCs$W!18O5G*R;-z9(@#c>K^)7&6PYT_pL~70WDO5~_R&HvpREqV5+qCZ}
z_-$T+RxNPWU)8mp9|gtUEjDhq(5oZf8)4gn72BJ$fc5|?!k#O$+nbdb?*&os$QVOV
z&{9SegR;xld<Y&R+INKhv<Wz%LQPh%-@N``eUqY$H$+zqDyg%dN?fpm-_gaDTU774
z9ixEPb-x3AFn-7qh}6F|-A``;GO>HTD!|>U6fzJ{maZncY>kI)HEt5Xxl1}4dnd9G
zlynz?ZD5Pi3alBx#i}GWNKr4h+#&i^UNI*3<$aTU_s&e^N8#SC!TCpdD~GnGD!0D=
z)zc5pZgxrB`~FNdZo$}_Lim?YQpWY)$w{^ZuIY4(A~(rYSVVfQgHSQLHOIb<;Et&R
z_z^ZG*M7J@rOXiIoG#;4uo$mVLm7ufv%`nUkReYhY-=z*T8Lxyhq}6_2AH@l<6mO#
z4Jdp1rt;?@_i#a!Szs9OrGQsJ0No*v=`_SxOwQ{juJ+@%Ch(R$&p?5YphgpAkxMmb
z8m?~{uphps|8Ehq^7^JXo=H4cY({adS7p6j(EOajTKX)i%@oP^)ns#f7{As1pAJT&
z_$(P)(aokL=>>MPuEo#nKRt}LH-S|_LUyEgiGXmL7o@R8NJ$Nyeb_YsP;Z_tkmM$S
zWVe_FTD27Q7MduCLN_-pyNUtsm-IGv0Zl5K?J8?IyjuyCYrNYwvVa%Q)-%<WS1a)p
zabexy{r#J*ub2TwqX3j41I+=Xg3<~u(oLU+V`_$AObEf*>9c_2(QZtw*#4K1(J*M6
z5h?z(;vemvOLKzQ52+!CuRp6o*6VzuZ&~cImb&Qnwjqr?R1p-o-UI@~rx%{?F9zXZ
zX<M7lyPb|i>n{LEA_usRn*n7NKq+n=U&cQM?M(#;`UE{|hSk729XbFVch;q}3~WW<
z{87=yW1vmM#vixQFYYF|N#a^l<c_|{ih6P$#)RVF7_Sl%?-cTVMFvxUu?=GbG5GvA
z7?01ryJV847E*TBHMtX*1P<A#^33E`FMrGj`G}P;#1_f3?Ug6o{lNTgr$y6xx&)4C
zfY*MG=jiIATb>sXG|{yI>{Np%|FE8qs-%`yI(pABcn?^9iW~eQPZnEY-)@bY3JYVv
zI@dsZTozF+GrVCO+dDgG55UuZX*us~N68m7RLbrOA`T1mCHp$-GNGIV+zqm>*4|Gy
zH3ZhmUQ7Iv*Xlv~2Y&+beTpoHPM5o4cE}iYWCIhQZO+=t7VoXatu-x~-Vw{s&!1Tb
z5Qrr2?ai(EWF?Oc0~e0my6GNpY}%^B5kZrg^gG5{IkmgA7~rm<2-TUwRtqkvfpj)m
zC;pFlVl~XipAzfd(8FmqHK=J<)d=lZ_k+6b)&2DxoD`r{;-xPu-J#al0m{H5Pj0q~
z^IdN`V@?_Tm_6^dN$LE&4%MWHZJAXt4vt2C{%igX>jn-l+5XSG2eB>ubN}I5G<gPu
z*H%TP=FKsuHgazP^doKegn@|zhyqHz*J8crG4UHq=_(ZT=e(ZX%Izapwnnaa5>?h;
zsJz*m8x3tuv*nlry>wTwwMo=Qg&A+disRSAc3k7?DUz_=>-hhsxbtSz&CU8YfuPw;
zHL3}B-E<pW1x|=2xUmKH9m!p_N<m(aX2uI&j^I6%0OgHx!N%$<n|D@Dk&g&ZGW>j9
zSeE<_P*Vv=1&~~O`%!2AW^X?QKeZjUy&5*N;=R4n3*xr~>!;|iYhl~-DkYWcnUxNh
zKDTtL#P(?As>1a-H@H2~<!^-}{MUycpeQ1$?>!sHKErtVi|jCqu?uJ<P~1-~?_b31
z8K5=l_gvIkd7p#*?5)POC4>T$h#+*S=bFPxv+>qfLhPu5>EDVN4-bz$@7ad~y+<M3
zgtlX`YJ|6c^&&@%)v9jdShB~L%?|Wt4Dc}Y`T?LCT7olKSH|(jrxbpgnC-3p?NX1?
zXSaM7{=Vc-JPN{dl`~;@&AZ><50{YNE)s+dfWPMNTFtNj2raNK4<Nz2V4{Ah;QkwQ
z_3ELCl#~NF&UB9cK9K(}v96z_u>XL`Uc9mhAno%|wq6h7O~{^vvhb@F*6Ky5go`p*
zKp`-+=+HV=nGH(MH)T=_OKH{FO6SShC9f?;`)X$zBaQ_55<j0s_SVjR+fC@rIwJfL
z80Y%zk+?HiF*jFh+xa3a4%i8I<O3>6Jaq<BN$$uoMt2<OuJo=X0;KEHuxeF_Bz-2^
z)&A*K2=jVNOWi|drApYUBfmX>7;GSe90Lb>{Otm(i0-%BE=6u0%Jz#f`p&E@sCAQn
zc(>;QcSs7!{(A&MOP{G?E0JUy`P|z3L^**(7DE#*8xKT<&v4%GBZ>9~1W6gy_dVa}
zfs}xshOm5}X~N{-?ZR0Evdimg=g}HR$wM9`S{-hg%~OjR-<3<R_*6jDf*0!@T_Ky+
z8(yn6_}qS8;pZm~#@)zu_)f9iMwbm&c+EXxa<(!%)m-&b9$=Bu$Dk54$fpKrL4cC`
z3k{XFk`eM0{JOmhhtqtj^!lmji_cACelV7%5_kUax(yfhn<ifq{m7EjvaKZcqYXeo
z8W7NH>daR=t=2y(q}~TpVLIc~+NQT%eP8ul86InVpWpQ`Y#+`XUniu#px7sR^*u`(
z_A86V*TpX?Ev0HAJnCdVo5Nv=*jPguz;dI9W9$F@ejG7^(h*}|`Pu_oBOl7-8n7!I
z2`5aN*RY8ZtOI!UsZoh%Gf7=9vPVBFFGMeIzD^NeJS#j$w8&EEF`7_cF(zRg)U`8}
zZMi${5#;U(Pm2z;jY!0uyIWjuwplr6PyJ!Y9%RQKhcx4QJu4n4iZ8}7t=pigHj!n;
zSxP*%6dNt`;ULe;1rIso>xQ2+Kj$9%ls~#q!<;kaDot+SrCzV+vK6TBHU+8m^@@kd
zt||@WW6XO$&95#p6AjOR1XZw4v@P%9Nkr4h2gjxY0*^h#Y0?pTy#lCh>H;OT0^8D*
zXZI@a7lvq>EI<a@Van@`*p2yynO;o4<Kmcv22oJtoZNV8>M=yM8L-;DB<SnHczEt0
zxvIomPEo~m&ZOsT4m-~xFh`0DWfJ+c3t0O57Un1G^(~t!33$%oBpR+v9noh1z{hh9
z=#$&22bHnjGdHiZ>B<!<8a5a9OMP^=j8b2wfTUrv7NFx)eyD?e?;M~>B2@0V_?RnX
zY;ow(a2wY4<(i^?AEVCK67$3+<-nS>$O_--`xS<-DK4)>MDE+9&%1~|5boo+;=t{G
zK2FiL*O^1>(y*qBe3Mo(b&I$8GS%*G;?lEtSLXg$<|Anp77x3b92)yBq6Xe!oAf-Z
zUc?5$YfZ6z$lhzD!X?*6`#RU>(=`^Yh3~5BPCQVT4K-Jw6z-*iTN=9C>Ql4s^B}2p
zc=bs)(^k&p13_gJk<sF@)0{eh{y+!#m1{xN(OY-o<;M~qTN2~^Xt*L99l_G%5ZWE^
zE%go!{pLZ+xLOU2Uwph&dX8_ie7T2gtpJ1TUC|MEBtOBhB&!ovsCO~uf@@kWM+5;o
zUszB6HXKm_2$p~h#mY4UuO`}YB#xJA!SC#K(sQ8Y=D)UTm%?-HAbQbS0l~Dc?GrfE
zq8~x|kb2=|ak-hU-d(2kP}*=SLo43kQl6rWfyU&(F|E6lIthi{o!G&=GuF>E%`D5S
zN2IM2`u-Wbz)duv5eWUTVhGABgy}pJV`S90oq}Yjl}{4SgXFR%m$W6<mt<A_e2JRr
z%kb4|<ummb)1@h&(B4}M`zy<Cqs#ca&Kj~exkbLa;(jP@oN}>28=a{^kkdcQraCno
zZLEznH#ND2+ZSgAY~det%ih`LN5jaKB_DlxPH=i@Sk{UoLp`4D&>WvBQ&02a3G7J7
z9?HC#A$v)d6*c#8@NTmR`Do2bcZHY9z$*~Kxd*;P0;qePFr;DUQ;M=91bwf_fdlyB
zwzAt{5>FKGedNaS*;pObi<fo!KbMp#7(4Ypza56pI+Us^+r3{tt~HF?{jQCcPij(?
zNOJJ2OEghsHcz^VT?4byj19fdrzZ0T^LiLMV7w>j_P9l@BPZrtslbYU)34b)EcSvx
zZCd`6WMg`RDdm{}T!bp}t`}t7=J)}7r!RD4=AW#L?O1BfRFOA=!TRVhaF7Pp!|xyJ
zSUr*_-4sIK;^aCsknYE^aB#P;mw^^3{jIuQns*wzAD0Cd*kPWVT=@8;@JhfDA5gVn
zg~B?R+n&&hOyv0}oagl~BEZ=brfRH;&8^6_xmZ%JnadUSx@gw2oLS9h^z`tTk4cUC
z+(RZb@kx)!6(6_MmEQFMJ@HM^bjwo9@zhR!^yL!1o=N+?+PTeZDWVd7#}p2$DlIqc
zmO1>;c-d8dqwoV66zuamTpj$Va=g-elTH>7TgO<$zW<U0d^Pjl)(pq@vXM!g7M1Ks
zBmjMtfqD7J410O-Iafg;KSl9U1z1=c8~!+rl|)M$Xrx0vg8q~dCa?!sMvI^9QO**r
zs70<op0V&qXlOv~zr-(EGVM36Zo<_&Duj;(+)Xa;jzIQPUrW!9gof*uuXT%@N9VAs
z)!6-$i$220+%1F>#0({%7!9JzT)*;YRSh?#ooUjo(R5Nn$W4nQjz2HDA20dHSeG(N
zIP!cdP0MVP$lDx1)~HXKc=zT<k+1Wa4t&;&5mzJ?Ms!)NmCa~WIb6eX%)Hde?Z?59
zrz?(Sp*090N3q(?aGo3$Bl|{9e5r7ssAm5}$wmo?keeK-U9pKRNF?BN?;F8p&ymp;
z6Z<9P`tMvEdCblwE+`mS%aE$ZxOq@zQP~^T!g(>p$lHZ!a@0*<z|E|~ls@K}`^GoC
zDOZ?5OnWZdk`U<c(n)S50^`{$(4o0B7F$(S!_~-&ifpQ^NDyXJVy2C<EEgjjU#m|j
zq~U)5<<shO)qrm;1_`WEA}=|si<}MgZ_S-e*r))M4nfk}DX%@VE<vJR-STb^G-U@_
z$b#+aryp8bYbg(FI?2k}Xt(-W+}w_DlCS4_y!&&IONnPs-;6=nhyDqn(U8%(&!^|j
z6|Bv)UcK8K^WPogN~(sH4Y<}(k?WeVGRqM|VF8oGJ<Ik5#=+}~@n*dwHXiR+#y7_<
zj74C@{Q53Z^$0O7Gg0O$(qRug#T4a!4CXy@z4Lm21Q$N>pMem}MX{hg$^M7_4=G^@
z&+v1qGt1$G%({M8v&S4?1H@kVvIo{O>IWDdURZDBeaEKUN)UTmK_QHc=k2!<@cJk-
zZL$gRRuAn3K#1B2?s^s`G8?z?E1xuGsqM?gn)9&43_|4G5t-<NcNv}F!$m<>c7Mv9
zhpyEE$^|A}dT+(1=q=GG9eTKQb((@QT#d0!|DYz)x#4$}wrv*@?H05~Ah0|z`5KPB
ztX*mvWF@l;)Cg~|R37m>$;SCU?EkLB`acajAq~ub3vvIvE|f1o)!E-NhF?M81h`pK
zCF?ogL9!A~$`z2*uPu(1LPb?2NKvr}0IpI1gS6i<=J|{Legq!kKH;!Irn>2!B5<WU
zV0Z(0+ze=1VSh!563ydPum?!FmL6p11Ot)<|GgxKM51SPM(Oqjcdz6{z_JI;J9s;}
zIon1|0se0aYTGt_W!<N47aThUVGP6~`xiOwHjwHhqtg9woS0s2RTlcdI*+-@0<TQs
z(ALscJ865iqMbA*!N+=@Tk#^Wj;FVw<ZtHxk|Y4%53xny+Fgq2$L`p}ZH;ZL?IEpG
z$i0|Ksv&0LpV;_jP}T;X61*@!VMcY1$i2^?InddbL^KKE0KA7c@VvX@yA9X}jBt*t
z8XBCPN3uXknf(MEWVSsn0LrNmMWGOlr3T!zmp1nEDfX2(pWGoOq%qZ3i3G5r2Et~P
zK4+_}Albv50m|VpH=ru;1Xwtox-Nn7UOJ6X)iZl643#Rmpv^mCBe#&66MM%YXdA^{
zaWnu-fYsfd7iyB2spW^KuQwEBB4@-@c_u*`Em5(W#;)j;<j0d!zU<E7m%@L3uN!X&
zDIORM`blKOa?lSp0AuQrW{xi@XhV9v{pNi3CV&I6-zJZ5Qb!vp{e4HgqHuYpXgIW9
zc1=qT%G0=maGC&6^YZF+T50|80?-;EBXj_K07{hd_VoY`E+dU_oRr`G;o;$ld`8qu
z?VdDt81L5uF>UBl)j(m@J(HjWo3E{S(F6ER8_GW#>=i}cH~@xsP*4n*iR|eQg>14R
z0)hi*57D<Y{M#>D0mnqc$gf*B%Jrnqi9hB;@3DEJhf`&W8rP<*ZKfJ0e}0N~*p>C8
z!q4CAT;mTOj{-5w1GfGrJ3n|(4RqeHujjFy?JHN~hMGG3NOVdJXaL_zzU<sNq3Xv_
zPlvLQi+z`T9SRy8`9t-lRr{{BYnyPb?3Rxc+WFa^@GbEw3=Sl#g^=Yr32MaxnsXM`
z!?vy&D?jKE19|kAMb9me>DsCT^KlAzfNN+K4gMZitmd&a+K?i)QN8`U1EW9K+?|HO
z?K#wThW|57v>CuPZLajs#u5o=yvI<GC<$z@VY~`pz-$$oKZrj80N?5HTi`PlQPnCp
zFEAWtJT)RY=`1Vk%qTlo$ah>F54t)OKwi^L3YP*iLVvS$i05dd8V-AWQrg~FoOzS^
zmign@mn5=^$iB_NFWiQ=o<aMN`c|oF)3f&VjITj@>FF!VXa9f|!k}pa?lBvj<F3Z4
zP&Hj2o39C7^Q9!V>msfZb4R=`heY3EMLFTW2CzAUCP7lak>j(#hz1iQD5ffV_j@hq
z20cTC>IR=7Z=$>4#QBqX0~=bO7BN-g>KCp&^Cm9PCx?Bl!8L)c=2?-}--Bgm|CO@>
zt{(B>T>R064ItuhIBof9E^J;XC&K{PJa~J7QrjB3Iie8all>%T{y_zrc36y|idIhn
zGd<}@{?viW)e8iR=9mI}db0aRP-$2jgSOV}t$#uNKY1&JWIDL32dhtr6tG<>*`74<
z<P8;507iM+e5%aJ0Q2~43ue>05?wZbv8NFDx=Q}l8t9Z$#1J^BZ(3O<a^QhaEU<O~
zl(K6A$&CyZMlRhJTQ;)mwT8eY6t&IWALEN|k63u~7uM%CZ`h3)skJA3eRJec$}<o4
z(pryO&p`)(8|)w~{0J@R8OVn(476X-7w{jD1OYum`DEdvU3A7cV$-cX2EQjFr+*I5
zShNM5q6D_H=)S3o>guO${QIV`woS=uw%^`xcZQYL?!XQ2oa3?%%Q?K9ctq?I>-R!<
zCNJ5GJnwqzG%S#2_zh!;CHC%K^0q5|6YI?U{_P2lUH>!}c0A+3sO5)*NICLG=G{!r
zy;m<zj=@IUw8ozys1qo|%hXSk#2#ZgtU+^go)u#Yt`5iVzINhygRDe!)aI)WVx$;x
zOFk&j>dp8AlLa81y4M%ExK7TY4!|Vn=lP8JAD()e3q!X9+blf_Wa9}A3Bcg*lmI$J
z+gg8CTgv2jWftIFr`RdfRN_qb^bkuYvX+0X5{VZxz@0mL#|m|)9jXQvslxlV#CJtc
zcp;c<QQ?Fa;^JXyEJ`}d6dQVxOH$RHsprhf7%bBISQyN)ZF-R=X(kUJpU|G#ly@kU
zK;zdG9_5A^;MDly#+P*w(L{{nT1QcBcw>$_1OMl_R}PQbNPY7~c=&{OnUyidO&hex
z8tLc+`@o+B79bBWH1N6|)(R8Y1ua8{vZ2#}#K8oPY(1$59a*T#zerV%@tgoX;{}eu
zI&j?_w>n}0z=L^#;86Uvvy!^SdFm?mx28DlSMzE=UnVQtU+#D-)ocLiOfp9|k)&1Q
zZCMRQ5nR)1AMIyNXD-k{>aA$mgkOc6&XvwoYGFtJ_mQIWRuOMic%{!Bij)>zf7YP$
z9;;eP!gi3ZFzz!aKB3{x6eG-{Ot{2P;{25_>c(f=D?Xq8WP#XU$vQf?cXHSa*q&1m
zspzJ>0qsc8AE@8k8BxRSS#?tR-ODJ#;9q!+EOQc}+6`PV+U<}%BjwKN_=_D|b%uG?
z0s5k*m-r$-8NBL=CYeUcFr7-~FgqVol`6+$i*jd|Ue^#EvF45UJ5qOb@bV$O6cQtw
zCpG}5`Jq*~n6|cP5ADW!)cP`fTvP9Q$red+|I|B66CdoU-D(fK19k^6(gyle_?Gzp
zSZ;P)ypvIce?R2-MiHU8g1ZT-W!HPEXrp!nR>N__SDZvY$@T(b6D#PArrmKNr~e5}
z)VmgCV!ySpDpOy~i&^=2MrB0P9z_m+#gdkgjC@qpwS#d;Zi|0h9f;5E&?>H7{Iaf9
zD!|O**b<`;&pr)3atG!08}89J+-pDN7ic0xu3AfQaAYIk_oxf?dIc?Cb9Xg}b+1_9
zG)ITq?o_<5bdHO36i05})bZ3lvtj`9&1z^jKrU%RBkx)qpAuAN#l3#;&TJTaH<f}`
z4izlU9a7+;ECz;4Ud?+@LkgEhY~;DI0ZhTR_sjoz<t(FFo3Cc=mf~O%N#bnNGU3|D
zQ8_FlT2^gtIQcROzj`*NKjQT68Oytg2QI>#&T;tDCeOamH<rdpv`>k0e;f(Uv%_Bq
zYrB_O&L20vD=l~S$3l}^_;j=40f)lW!0xbXhvLj<f`QXn33x}7<$amGUq!uYKUdsO
z;+6YRq}wamP{MQIt=)ks_wS!89J0ON#=f`<`pGZib<DnVa<ck>4g+9e<SEx8XXN8o
zTM%uL1k%e?CYq>mwy0pXS%fCM&MoRX>P|?LgFI6w&aY$Y3QbhKnIl)PmdQ};=k8bV
zO6`7c$HeOOD2^rudM|;!D>v&|c7MuEHOK!$-ER}MIje#^BZJT(>U3b<DffP{^6ZdY
zAnp?&Z~?tTZ{h(kd9OkAB#CX4!fYKdb{55#cd4jsjkJ^8*u6e{F2yD&{3zn~>@JX7
zB(1SmPQAht6!mlggAfN=60MLxH<!d3&^2}oP--0kK&5(BAb<(T12B;Ill_oW@q4kJ
zR4fTDkrGI)ztSsEN1omfg1<v&q4kvoiWD&qdrQu+YRq}g^+%d{TWZ>MYWmL?!<pf)
z=aZO%AnlJ8P!fD=Fn#*`8z^cx#|JsYa+~!V=X#p;0;kJy!PI$0X1&{{mln#ROj3^C
zjz!Q$MPm2E;7zjg*+>@?E`id>ii9wO>Z@JGd`=?NV>3B-I&qo>>>zFi{vQWJmF%A@
z%r2G!X#nYYjF!q64Q9TbVbj2YBUxju>%*<m3kJ#a%^LCkCJ=K`H4v9;vNAKaVFsE9
zT%Ef<X=Wt>#+U^YEZLs*S}9FF?0XI`zc)S*;R}HaywKUqs4*9l5XYv?5vj3eQWLq#
z>ySnux^|;$oBWPc8(@ObO--z#&$(xpLj5dD%g(963*@+oPBnaVa4xZz&C+VYbGCtH
zl0ASq(O5DhC=@}zi<&C|7W#9ulg}Gvj&6=q4w*9PQOh3UKTz_+ZkTXo8H5qCz@hbZ
zpdoIGFy->zQ7kx5RX+L0RtOK3x8WNJ4?g;+BtkM#5uL|=Q9IGiGIJx&tap6kUMcsh
z7M7mFGShnn;!Jo9#j`-;GI|SK(6@g3hILeFnMIyBOypSXStyu3ls4{ikhg$4F6GM7
zHej;TV^SYE-(v1*PC~4%0q_&BYtvGJ)m=t^B-1I;G@xQT4{9=R=;(pibIfS!3w7h2
zGE4R1@GC9Mz5Zo4%wTMv!vW>x7zO*O;FQf84}nFzby_o$FRszRN#ttyIa(Ep!+C~-
ztFP6<$}A}IFGKbfX?U+5A8sQz`zkLHJ#$%VI5znxR`+bsZ3du5Mqgbr-Ue$V&8teI
zB1^B<D0qWUt_?o<5LkARVpz}01E4E(-?kqRgG(Lb<~rDzbifTSDNF&}5WcemqRB7r
z#Du7E2nhw+`bv?r&wbrLy8607xH@2lw}oQh`6Ri)j6NEea;BMrL0b8Yl-Zbd`Jvwj
zQ5M<!5(%M!%;@gaF9WAk%V?kMkbn<n5k>%=N;J{oxj`8=XFHhtcss}5aRn6kOYW}0
z^G4%1i;?Uzu7_8i5wdL4i34&Ub;1UaHBqvN<9klG-U6jdlEAOM^ShoBv|C`H#Fe;M
z9Z>Ou4!$}$xLBxcu%>35Z6_pwP)$jlUFP6AJ96sjIU1mqAkjAuokkAjd(p$C_Ujw<
z(TlVM1=4^1%`pI{fPK%}t<{`;$`hX)NqG%nC8uq>2E<)QShsoL_p*ySV+S8Rmgu59
z-+slH$qw4Z9AlP7@||Z?RF|8~1}*fwh*wDT6nQ7y37lqGU)duOuh0fpgRmuu7M?hc
zHpCx7I}2)o&oN73vAz_0ZiqI*EcCi_!`e<okiPkZu8EJ7-$6!Jk#nt>@RXUnhKdpI
zNrlr(`9+tHp!LgHdQw<aEY@5V?M>3Cv{`$m6@XfmPla<RMIt!1KT-`@3mA|;gJem>
zar?>0W)dBH<&e17ddl`4$WmTy#z(zhqk<=0Pz;>fO<;}u{;yv%_Q#zD$DmB%)FDib
z^*f$u&>>0ae^>Teht!);<ZIiOcENHJ1YM+G{KH?y2!E*JImW=5kmS$GOPc(i*$YI(
zr*Tc=;~5f_kU|$!a3LT9TnUU&ZVZtcJ0*agPACX=1SF(_bV5v!>>RMz`F<l5IsFSX
z+|>|-@^7OBuO0F^QkwJ|*C_vg{1er4`Ho{>SeUfuPRZN%f-&(VLhq-A`2GCfYw*8N
z-+5h4ATP@jkpGExf=-zVAZhz-@$^4Rk2Wc|rZ+b;J&!p6G6(39GvCk)^nxbhkd5uX
zdYj!q(*mAVpdcb|68Y@x{{KiRc6yxk{8FFaK!Z%cwrG%Ez-~l8*F?4Tumyw|ShfDn
z{R{wZlh2NRyh?iqtVYf@1R!sK=owJel|XaI`+}t0NhHZ10-0EUxgsGcP~Cs0$%>A`
z&tP+>1o&>H_^1b4u}<dOhCd<PJ)Yhrh*o^_>JMty^<1UvJuaAmMpGHD@|&F=Csz);
zfIgU-d?ee#i3Esy&fd^_DHBi|GH}oXA>ja-0CWmPNeY+}z|Ei={T0twuz`6$@Qod`
zqE*V93NIZ3g`2uJ2^=STR|C{ZgXJefO12iNn~)4}Rw6r_U<O#xnr11W_6u_X>Vk?g
z4gJc$vqpIegNzeg5@gU{U~pg@8m6wUj^%YzE_<bGB88x3LwQ<BrYMNh?~BvWa54#i
z0z_vSpkw5Co+8F>bait1Z$g=4%;6;{5`hq5L)|T^HAi6LMSu{yU`~pAjo&u;+Zj6G
z@4T&w1xMC5f)NIO;~WuRl-Jz^3>-N88W&8%xovK#okX;eZ7A`P&eUBQ-QtY*(kem*
zF3uQndOa+ueAIW3j*6ty&7O{#7j-s0X8vqn`922c&xFs?Figsn?0_%ZX2<g>{u6@>
zy2qjf;*ia+Y$6vB<AKeQ2$9l<Fk%(q2M1?_=>Sf%^3U4K>GxMc@aTJJ(9zGsh+fI`
z+{(MI;?xoV;kl2Za}?42B4(vp>p`#b)vK!h<!^IaZXBXHLw#C!dP;%!l8D*KF7|jE
z?&Yn}&VL91%gwp90tiWstgJ(X31liPrrp%f+pEgvO6--M*z(V!5{Pau1ThvIb1sKG
z;X$`Cdd5pGN0t=q@kAgFiGnJ4KX*AA2tdF6F_^?_IE?vwC&zbz2p{e@4wk;JuRo{@
zFe6941a~Cy4a)YgqnwKSY{j^3%n-U~*m^I5uy@1#MTM_T5N)*or;?}3I@SD#>lt3q
z+niRtd{B9{aNkT{V`Z&~ABPC5QraUJ)~`C0&EU|b^FkG;0D5*8Y@Ea18}<T$Bd@>G
zqucV<(SNn+>)B!mRSloqms4!f74zH+BX1vngVBLjl}wE1!LyoccAY6Sg28oDc6V&i
zSkIC}l;4+aWiOZ*)NG=yZA5!48zQKK=?)B<S$9pYQPgfa0x7{}_EjVUziZYE*SzVa
zqQqG4KA0-RFt~n&Hp=KAVAn#ZQgP^CP6L#Pa5G(|Uop*T>gABvh-*|p(R>yZW~J?6
zL)|Es4DF+bUm(V{r|a$oZSEK>Msb=wGWFJ3FA%xMO4MG80LRF&!0xv^?&At7LncQI
z#VfesCDfM(XQ2a?*jj!x{ZayiDg8>O0T;7r0Aj61Inng7ocbzQqk`7j;*=j(Q1!Hm
z(Eb=z!K_mH;;QuiBgb0NQ6SlVAXY8Q+u{Mb#_IXx!beuF&n&REdD&>z_a3^J|8~_4
zSOYdIu5*_f+9G^*y&RZ%8d+7xtR%LE19Tuaf+ixy@@js0o@Y_02<$az7+eodz;8R9
zrlI~$lsz<&;8?H(bvSm{5HkI|9GnX-!d5JKGSI5SY$z0wa)vWjkd|YYNe$?Ps#$~U
zD0zqThe;#Q`Uh?OhHV3BnFWfZ$%lx(%huZ^;{VVD*HpolTtuJLv)Q|H&aQMQKV81e
z@d?z$UIG^w;HT=68}V&|Q225hw4t!_hfge6Q!O)6$>$#PZJkoO)~9DnawVg_)|VuR
z5G#2$M*N|^Ul{1Dg%nhW+incgM)@e1Y#1JXzlUwrg-;kFXZ$)wIkk=#qgUD@=LA=#
zWv*ZS&i>EQ-yORll6!_gKAOO^m$Z3~Ke7dHeaxd-JMAKVtZie1yJ8<$sSD5znD+O?
z|MO7j1_z2lny3RtuGJ7IuRPW0i+Fh{f!DUE`i}a4BZ$7MG6y_1NPwk0H%@<^J9GQ5
zkpCA{b`RH-3&=}9NxMG*Pu|~K7MzP9>Hm+*VNXS2hxhwwA({K%DP4^{_yP*0?nS~5
zCc*sCQ{Y*pKjuwPrLJq0@##-FTVUL~|B(CtO9-JV2jb2w1A=&lfHn)t{cg7q=EDmr
zDe$I@knWB$2tZ$N^0ye^MD}{}rw#$RB8UJZJh{`Y9I`+9pM)7fa2w9IdX!qT`*d*H
z(*srJ5RFFThizyza7`cK>oNtYC?|#e_xM1{qQVgw92y!!4}YY9qUVnL|9!ZR(jED{
z0J_7@MI4!7M5aDrzy0#95Zl>>$>D`)XPKr@+KX`jzW!$X`->Y@f<BF{mY`LpEwI41
z#Hxg3DZQleb@j1Px#G(tuq&e~^|Jzsd3HU6D{e}snL6<5y{*8p48dBXTV3}~u;QL?
zULf);C$S!l%-c5=@Tri=!@Gg}m6+Wy)R{>Q31c6j=K?+j=6rU<?~BrVs~xP96mM1U
zQT9c4@_w8};I{fFz!|>xkIZj9`xqjkMTX~93nD^6W@GVFoiYnbN(jk-3*zUK23zZf
zpfJX=U}l7|q0P%At(oFt7H`GtoA<_k{OoNbz%}8e@ISoFmm+Q6VOS6bEH>is+>xv&
zZto7D#Ea_e8lsIFBDCMwgIX;F+v&OMzh(h@nGK*#z*xHl_~`Pg2wj=Et)X?*ByBeC
zk)U~FR;d`vRWtGhle=_>Or|Bmmn-_luQ!wXPp}srC2hxaxTM**@G+i}XGINh9N~Vn
zTB`jVO^}?q`+9%e4K!Hg-%kGPQLLyr7rwGn4Aa@`TN*R|t*SN1K2sn*;j}*3>SB^M
z8DhV57ID0%K2iC78ql3696QO5`dT5WZN^_-T3c5^Mw)cXO26LkHwT1*|8)@Hmtzux
zybZLu;$CvkSz1NVb8fjkSO{xX?PnTNd+Ky8dFkeAH~-_byo0JZuLKldoSqp|eYb00
z6ri|r`JEA}#5=^I1D79MmYV61jdK3bvWJ#i|3@3XYnoZ5Rzw03!EPG@{$~61WlyS=
zlCJ*#9eXlhyY>4H208l3qNX&HHdGl-0bopxU!9PQB^~EycNB?}z5qVNWxk7M7itw0
zr!{3;Z)483hCibJacWO(h#iU5{@ft#|6uK{!=miE_F)td5CvsGPzgmC6cG>w$w5Lw
z22hbsrBphHMnXbL7&;{smG17627v*Fl#m#@!+~!P2KW8E&+k3H-|>C^ao@)<*X*nI
z-fOLMt#zIe2AaB#U9d&%{tr)IKc<O%J-Q^`J#dwbV*)#hHtcpGagPF4d?OA)drnFP
zVNOW|edh^nFB%p%spHSC4V_vF&Ocj)OJ;cy{JAR0yL~%=qns@A6~f`n$)k*r$C0~_
zGYh}B(zn8{dXIk2#78D%ff;$cK<GEcwibEZ+{+j~iLLG4Ije6rD1Bzo@Xff9@2(P<
zM3>I}uU`D$nSGSI{GSc1zfz?CH30ZO{ItSF9nhhJ4&YREP*bNW{JUzp&~#)T5c%j9
z;zFCG16)(+QRD311NV2od)Q`9L5ZJsnS!;Bn~Wf=fBn~IrY5*bEDaER;8hSXfzE|h
zo8O1vz?a`{HIQCkx-XLL&hy{C0;L0yS9p)kDt?#uc(SXyNz=ajpYayJtAbYB`NC~5
zD8g1?8qPm<1r$4cAe%G-gtY{`rZZg9jypZ7z$pHJp#mItR&MMh5-16G-~{nB%NBB5
z+YWF#P`|P>S=wt$j5+QQ+$#|m_vk6Ao+8!Wad!j>*fs&lFU3Hk!CA+0$fPI=8}T1D
zNga%<tnJ+A4Yez`o_n&r*2+-^>UK&m-Z9Wat7R5XoMwpBaM_(UaQ@E}66h$v#YyIf
zuYl7jwz9#X=c8=YR(RP`X={-%C<Jfc`?o+sk^@FYhcQ7r*LaZY(8<`iZ4q5?^Q<f`
zE!xJFBS~*xzc^Ykl%57EuKyLmf$sICD!_pUlFkgFQiE+#cSdxBgu=aWggU3geJc+3
zFiU_q@-F7f-zWFGJp{DY8^+r=3W1A>S_9;eB{;zfA}|@&U<p%z&0y06@UZBja5=_b
z{4#&?RN$Bg=WNH>A!+nCoep+qoMUj3j&VSaD~hLI+qEJ~yWGy=W9I)zQ3-OE%qICc
z4Y+mQ_QkARhyxwsdk%K14b<&GK$vtiL}Bx?4cmWY?J)K_Agf=r!$~j}n%ufdYt|Q>
zJq2n3Z46^AB)TNt)4`VOzoh-An1c}c5#u6ISL=Jf01}awAZg}B{tzdK$M9v=L3Z?;
z6{xR{**p%of<6^Vj4+pRAR;u3an`z<bKYJj7qP6h{f5J-Mp$BJ6{rNHAi~O5YDt%B
zNjWwWWOG5uF}d0IZnFxJi)co@;G=Go-!pCuS1O7l>bY=BjWV<oP}}1okbYm>%r=3x
zwC(G;2Q?o6)z5U}7$@ob=4r)dy)W)~8U&PtmCck!DQPMnp%t<`Ab41@XCf8=$zPsB
zT5VFcXU$oMds$^Y^1>rH#?qHj1BE8)=q8+aWNUgS&r9#WbSZoKzseSCGPEktxY~v@
zaPwQ@0-7-5JIly-1V}88C;<b%#*$Lz<013a;pX!fj#gyS$M{pwoiQ#?x?&lE&gD`J
z`!=BBAT+C~Q6|A;6W~-k^AEmzGi))Oy4fjk+^^(PQ$TSQ04}pDpvkJ!WaJ_RiRe4p
z;yWL90z=LtI@tTnx(Y9L+!dqNt}<$idmlmGNIkOa&Y$1kN`#ff$n6I%`AEOPCS)7<
zelcQE@jVH-n1C)EuEcIhU~&NwpU<aMP?<O0K|yc@=!HJm3y-m_0E9sYTe`rzJYMQ!
zUi_S^y_(DvqIzhRmgN*;{4l2K7lgMdG^A*B2+y+C`*`3VYTRNd5PsIKLG`*G6TZbK
zBA(CAU~ZkO9sNu?JLvR&$5PMQqqpFcrF}is^`(v}n)}<!+cmy@uE(Bkzu5yf--9y{
zpshY)@LVS(9zKqps#u#6j2+(htsv)2N$)c&g`fNS9#)=)?=1DnEyoj4!jvd^3A!^b
z!okod$u*>OE>ef~nebrF52K|BZV8odk5CBS4qFtCVIgjQ*Sk{7yoNBUOahHdSLcl#
zyU;jb3Q03sd#5|mmyA!;_T9Nxr|@g0wBKB4FT2U*tPJqK#_&uIV(l}iy_<y4W*&l8
z`$h17E{j8|J=A0^&)O0Num+W2ZE>;vBQ8_KhYVZfg03Rps#bAAa{lb={jooZAbS8G
zJ*@>ANNaN_fq8zB7?I`T?Thw;Yf@!gY4(QI(4=jQyz-b9U?2huN3r2gG_t7<T4X98
z8(z`AnZES=g`<0*e$4m#Pd?(iO<5e!Q8c(oe?!!0(oumpP{R@zrhN*Ss0*vjPW4&3
zS4PgdxmaZ4tFCHI1kz>aH_!aB+Bm%bmoKq$fmSnc#)1KoXfyL5tc>9dg~as?ShSnl
z7o(BQ#}twG@4S2YSVRm&hc)6xB~}xlvTRnER;JiVY<h)}?0LwH!@{&PODpB*GhFG0
z&|gZ6^Jf!`BXO4EnB@Xw8V(0pO3d_eR#fZQ1be+9f7n(u3rx^s;s1ck{usOeJ+=Y2
zc0@1nzr<a~VbP+>bR#{szFpm*kGpMjCVYW!N+N?lTJLS(<`Kgl0*5K(;L`WkB#W!|
zvKGpRm&oo0;s-VaU-KT>*;I;=FIgn=!}z{<_1|NoBY4$GXgsISzz&{St!LfCV%m&W
zG@uJ>7Dl;<+M7Fm)Npre^R#YqYh1@SEi=t(shti5U|WlXGnZT6Q*F(yIQAY%XHqz>
z!hX^utKf?W{gK_JJU-!n>`Hu)NGa@!HxsDD-22LhQo7$gE_Q-Sl<BHSo~HDt;Bf9`
zJRg>Fi~BvTl`Pz+puwX+?C7cdpQo!;1$G2aCO|0(lCpq4Dx3*2d2{Qo5J;aAYzhnu
zel|J{?QSI_v{BB#80nvmmCklT-`hLe=x*_|KA=5(W*3Odf0h+^7$J+Y`WnEEiAW#m
z9v1#y+B&tJK){#5-^WpC-&2X&3%~mMm7wVo(MAbi?fbF%V!?25`&HS*WMY2|TNSHH
zRVIfJss!@H=;Rml7B43WdXtY+gxAV$xn-O^LWv>6#JCTGeV2Ymee?@y6C{Ee+v=e1
z77Fxa`>!Gjnb0IkU9QO$<a*JqO^B%-XEx`w&7_~>c2>gyYjo|fFQeU)5o7fJbo<)#
z&LuEv_b#bG?@?itZ88i-f7ZcqeM>oe<om!|$^^-CbeQW`1ObCriEMyHGmZNg3FAC2
z9rzmwvv(t@r6}1K9}R&NMG;>!BL95l3W>ZLLVuvMM>@YMSzLB!sJxDegvt^fK?tQn
zg*kfrl2i5O9+Yg1oH=_=^llxIv6%oOjnX6{OJRsAKL8aGT2v_T(yyug9VwPzKe3w!
z5})4~%r=G&G-qROy0o_R;_D504>I8zzxfQVJK{7>I_}Lc`EQf$naWyzfC(sNv&=>n
zcDrblY`<26sw#7ebPCX)Tg0!T3mfwaT}ZPN=&{+~l(_1fzZrzY#(LskFDe@A)qss~
zbe96HdH(8`Gj=I!TYx3JVbKTN|0-`CHjd42lc$KhDQ9*7@)$@n|0YOw$vX+L7a#*E
zAFf`rUve`nCijS4C~hH5;l&<ZjIrW|qMn5(kxY@q&?z;85g<g9?c_mcSzmL1SSdp?
zAkjhRNxr6196I&Kp4#L~y2}Od?=bRhRdZtz4t2|PA^2LlG(ygvza#+aJ;xPAl0f&W
z9;tPxf$G;E)8~S0=;V&XR?j<FX-~nslBGFNR0NE{Z7Qds?E{kE3&TAL+>F&LfF1%8
zJKmpK$e=5QF34GGJ5X@G7f-$Hk)09Y$WH0sG@K<p_Mj<M%3!#LW`$QR0ZpEv-?s&}
zo_W4M0mo5UL2fQd_Zj-BTQsBM1klQi)Ayf)Bx8Q?Z6XuM12<_JwSg0F=yW_=^(jpw
za?T2o!Lv2Y+4}ZM&%%G!--4XFI|U#8Mv}+<vOVr=BLr)3-@S~?lU^*sIU<Lp^jpwv
zk$ZE^IUggMCO-v?Wpx+McoC|7Gs})uzMaq6m=@&x!|v|x;v)!F>lBpYsa~LDHo5=g
zv!&#a)hTv`X_cYVo!2nDVphWW;fg~Mjtjn@6pmLjRRuFqf)!&Y5hPNFi~iIJh@-c(
zR(97rRfL5j10}&?z^Z*SkLPqLJR=oZonju_d_Y!rNfD*5GlB8IG6a4Ys%8?1qCyem
z>scCZ>B~RF5(q^avubW>Hpb7k6kdW@BMV$9ULFnv>a;c6ZPJ}>c;=>LqhX&r*@rPD
zyy_735k?5jz16T^JplN;5_JTBxGb6`T!@z}X}aC5rWBB<caiZGE=PF0pyHd%n!7t$
zB<{LxLuTdGkgpEQxxa5EdcIm_8J}Ykn7g^0C%~rkHMo`lws<qDoQUDwC6cBP?eK7n
z#VO2_t73r9W!1L9riRAxeB`G}Y$>RzWNt#=j7-^mBqj^TGI2P^!w=Mv?Rpatan?<X
z6mQ(5!F%v!DgAD%6eph6Y@y-pjGi@f)D?Or+---g4B8eu;Mui^kp1+bGxvVtAiE~H
zs89LgoP`dBnYWEr!TjXpV{0&#SY`yX^5wCW&GA`^9m(ZZ<pt^J%Glc!k7tgTj0heh
z!;dd>;{=FEsoi>SW?v>jDQFY%*`GyqpQH;in+WJ3b0{V?_cPUcmywQC;!m$YtP)vf
zOHD_)sPyj6*IIZKXbDw%#R6WB$R&Kpr&7(R@sEDhDO76AA!fb4TdG<*jGJ@0t2tif
zBrj^^Phts_<WI%uS+ch^C(_}882+s0h9)$MDGl__yk(g^A0<eX3)$4GnwIU-FTpnz
zjJ9^H;jgXqYZ|?>e~Vq-!za9r$DlBS&xOj)8h{wskI~=Vvy3+8s@_PVXG_J+Gs9_v
z+78xgH=9hjsz`GKXL-Zu{oHf*^_^Ykoq$#EwfZv?>CYF`$P;7kJT{V5THO2mIpB42
z|I_j3DETLwf<Zn|>OYGu$Oo<9(9}d(Tdn7gOI4rv8)1K9s4eo+n=N_+XH~E%Lo2Q+
zh2HRVYbL-s5BRlze5C)?{%gg>Id2Ub@Zo%fxWCw}%@Hu_^8(MU85it<#O81Vwe|vN
z&V5!mNBB2~*LM*&O#uu_0LArOI)bF(uqI+;S}8+K|GynaLI%g_L#Aa_0)+*ErQ*89
zk+LE)MAWfs-9Z!C+qU@&MD#&an-rnDLUXZK0yke*GDiBmpor?K*2C4uvAN--=?}|6
z<k?<0@|ToAt13e!rxwTUbW~$~`B!7+$~5|SI@f)A|MNY!=HFyhLb5ToQ~fwQE;W)X
zR%tw%`^hA)eHO|F%=E+k!TsS7iG5}xW$vLg{jDQYo~tyZ!={q3EN}^#ic%ng0n~x(
z>Z$Uq{R@%3E3^-{^jqENYz2A(@oRD=$xMUL>7dT=M{iT>B@_1?XWk{HmR#|tgPw%Y
z;<735IN|t6z(3u7Sg#5FlovkdbsSVZ5Iz5sr50qDJ*w;79r7>J(Q#w;6Zfn2ykiUr
zAkxGk1dxo^$rqpA9STgx`l_$J@aVlZRlR<<S8AS_xH(@wVsJ*{F?GbUh$EG!xSOwO
z0*T>A&|wHM{IY~8O%QY07dV>~Vm`Gp8ul`ZT<{wn;IJ}hN+*BNdhL;Pgvlw6sQX?%
zEpQc`T+j=Bm+eGJ9RV&YYZYaB{GznY4M{}L5nNF`i3IWHu6}x{%N!4<h|l?9?xYVV
z-mtEVNKn9c@bng8_p$~J^Z=$_2%kq*>!m*qC%7Ci6BD8%?tRAvYd3mE?wbvF|DBH>
zq3+d8mzP4Np?9|qXOl8-2X8=F(+(6&0nVMF?;*_s6^QhlJD8My*<E@$=`etYMUzg>
zw$9?-XJ6Hsp)mN`ittv(;SF+@<kix;!x1w%iVu~khjm)E>2(&*e>TH{!etcW^dc7W
zHfX*$2=O={G&G?TuIcM{?<6-nsl|UAqM{43g)X-@SHVVC`C=X8clDcMFsA;7l2!~G
z8&2m2$Q6V1l`w)Y1@F~TR|VKlvhQMVX@vV&%1Y@_jA@?SIRmj5guzDF%i#YEcTPe;
zYahV9APxu;YwAc!?=vqW&xf)g045m9#Hl(haql~O2-CTX()d&x0c#SDp0ojL_5p>@
z5}NmrWvX3S4(f7fc`N%+s#DPRGC0>{0TZ$Y#gxg%*9O0?FA6CLf`0ryB>|1*vVYr8
zC7aL1DmTFo#CfIT$aywW($f}0_LQQQwYOf*5v;yO|5$)wG&*=abm^9s+g9iFv>kKh
zlbq=nAesrWh^QjpNK9wpX4B0P_H-Ez-3`rb%^KbzA^HQsw?ztzlS%98CB`@H#LC`Q
zK^ALE`N^1*ZZ|kL!>$ihJ=jOOkvuj8N|?UO>?fRL0$p5y210Zzj-KN;kc3rY=Db)x
z!rawaO>jcIFq6tMWwVv6ggJ(6_dXLbfAk6BlVSD&4uYWWFh3&)rs!?S@FkQ0YFn-A
z12xv-v~QE^+R&p!#+g4!8)8AWPWT$@GKL9Ud<ZT4fb4N^HjQs%VndUUm?+bV-<_3C
zVK5tZt+Y$9N%zo=i)ypY&Vmd&D;3JO`C51E<?Ra(2dZo?*1~*SHj7*J&|dqAD}oBG
zg^e*n5^+ZHsj#+BF0j*8oiVM^GY;#K7fuQ3&mb+d&OPP^0-ot*GCBZe!wDkFCv5Mr
zL;miDo9ckwp-iR_fNO~iTdb$7ynP9-=B8JIUaz`pCOac?`g{9r8(BkhoP<H$nV|aH
zj+F?y3R++5^;q~bvaiOP7f9_dF!2fOazy2SK(c?0QVEkSWg9Rp(2RWN1zAExs(mq4
zE`-%(RSjm99Bw*Xc6U~4GxJm9IeUtq7uDzShN}^_y8nJqxzA-CJ!dHxSfsGLY*+P_
zs|4%SYHx99&$TZ&NZwp3({ZQ37;vK%9{#j?64d&I1GN{^Wf#9>R3L1%Wwzr;T~}xe
zg90rjN1f**nkUJHHr^dpD{FccDlx?U1^Be8!f+cI0a*B$tvhh1uUD=<fD_TwmadES
zr;7Lzusn9AbnqOr#&3VeT)a<Ua(UXw?<6FhL-;4jtaO@cI3#jMI`B3LnI0z3&G%bu
z?2pZvi1xVNOVbayAkQkCiiQ*moxaLn>XEjw4N)oXM0eNZEIH~h4rvyQ4clfM<W%MA
zlJ#ram+_B|LMsB|N6DFIeAPf_YKo9%oS}p8Zc{hSo&Cg`R}l|g$Q>+4As}+ZN0yh#
zjLT^6g*fibrFw7;>vMt9_q?osq8^}JR%BH3<Ol#EIL{NFZJkoLoH)mLhP9LwuzO}I
zV~GHz9Bt*ZCNg-)Oq4l`vY?1O)FNZ1o1k6ZQVm%?e6Frlj@XYyzggup%R8ayUIS=b
z@KRx#9wY5)tAv|$sj-#ow!wtTv`P^wZo$J&IE*$~V-@Dx_+*pjLVlec`SQr9iu}{%
zh{rS8!a?A5b1i+tjxF5jVLyF(Vx856{!#0eFz4JxF_g1%=ckzo!YN+0^+mIagH;El
zPZ``{jA`i&V)1-j5sGG+t$qvOg*MviJLb;^sb~rfd|iszul;1?^Gg(fRNBqpMaby%
z`SJ{A64?}XvKyB8NYdnLF)5vpQ!LLaTw};uCP9uS5kM&AkESzt-F^@}Ab^B@%Dfu?
zw7H(2N;cHmag1kCcnHDyIYjyeYwUFc6h<-9+JoRcVXJMW=AgqZfu*EPdh<z<u@P2&
z)LDmwd-H8NH+b0<S(e+StxGj}&7^gnEUL`N=VPZd!i{K~Rtv!sTW}am!p`Xz-QE_g
z%WZF}AcyA;^~$M)T(mMs@Wu}9w~ms5Cc1kt#(7=bvNLazqV=h!u3RD1t}+=agpbH@
zRP-YMu^B5H3X#CCe@i1lo9DQ{{&~3iaf!-XN+JBT5Ge9Wf&o5^5Cozb^mxY=)+jTp
znV6PLhriD{CdbYKzR5=2(=(vo(2*vR3BjUwz!K}=>E^2{FW$=nAaZkW;w8%Nt6zb7
z`Uuz^81mJtT%5Zk%GX+MngWzt<R47)zsBk<ud8>EA*%~<d9L#u1v$Sd4de!#$b8A}
zkJ?S1MKm)<=%J~c8=FDHN&L&PV>+cjZWoLIx;nyaSB``376HEt#FOdL5*LmErhWPt
ziPwt5p++FPECza07=pWW0iEYkpum!Or|@ApX!jYyDN9_;*Q|81KNnKJ5>7W#N%t2Z
zPrLIgp#j1-AfcR9x%Y)!pmO5_M~UNd#XaKtqd-)+NVh3)W09|TUA(^u$1sX$ylAM0
zQh4*%otgK?Wpd6x4g%2M1NZlniQe><peu;HHfR9Ht}?;`T4{nDfq+yy&-*IH)c<mF
z04gI$U<iT}O(5-H;KgtOaJ9dl2GX9E@~~aKj|U+8VQm;^6JFAB+>rD4%Fn=80`47A
zJ6kc434N(Gj58iC?iO09#)mltugSq$kL%Td+nZwGo^=W~UZ`#Yz2y{VrCa8;a`UC~
zlF-7o{bD7f-N4FCKNgi;WnD92l>=@dGts=MxVRHH)1N6112t$kxnnI??B*4`xlnM8
zMGNCIpjNQW=EC2U&%ZrXg(AR_qs@}egYAu})(gArxB)>l#DA0(Si{hd%t)k|4qnyf
zF;nd=95k?ogaat<0~U0-NGD@M3eut%`?!wuIAm1QOgJy3cW%=KG%H{}<1@r^az<ST
z0NKYWi-qJ$BIxvqn(8x5Y+ovc&%K3zs1`q<zs(e<0h$^80Vx@f)Jg%|%AkBtCUGQF
zvuwDITzJ7F7%ZU@pcvR?g3fOqd+FYJuLN+{wr}Eintqd@Rr&k-?;H}VR5%n2mD^iE
z&xpKpuNIF_re6fvJP%uJud_~WUHct(UnT-+cVDII?lY{>CX%3E;+B2B$ozTBar;ZJ
zm^LXq_0XxU3s%XW{93o)SDY42sunNm^t_`$$AVVC57Gro4c=0%_ibW%CZ(r`+?fvg
zcWz>+2^fh*&b?N_Ax`;6oD{2vzMN4&<AtV1^P1YFN1wPD^q6Wq$?v0<tk$DVBvAC0
zx~(ZN5_sb!ed+9OyUH6R64tzv{XsMB<4l^$RzkY`Qh;+W_q$xwkC8JV;CP?8$~ai1
zQaG=Upk>-1eFf)S5&m3yxI>5lPAKQ?C!0T*QjpYZb6l^mZ-%JkLqnPs)W+(X)w4%E
zhLZQzCW8SdMLyIsqv*oyAxVF0!=YGw@0<PW?5#tFrP{YNBoFMBPGNyhIxeVyd9Yiv
z`lI;rv_Q1;#;l!gjJaIV7Q)tb&Ut>@Ef&(=rBjCHSY7sBx;LEA;OyO6u)#*q)pT;h
zKAuF({AaXoP=t)4Aj8kqVft7ZhZuJ(>D(BJV1)C>PG!dm104!~A;a<-`+>#-_CfY8
z8wc!l;a>=z<wcKCa@ilY-Cf7%=`9Y<8Y}zDfx`hw%e+y<BZSa~t74Z72&S9qZWQA)
zlfacqx@C*~m`KDWzTGEuPA>1JzbcvRq?K$kV3>O_WqM&FZ8RLY)uTbL50Hd)c4V8~
zt!Ae8n~cSLpJlb#TBokW-c4D=`e9ZY5JtH@3pe9FHDFjBPh>(L8aOL(e*Sztu3YM{
z+4dvkYX}Uiy?0SgTMmrDQRVilt3HjI*J1SSz80lqpUq5UR5%tULtb89to!Dyl;26(
zna8yX^FuB6rxi+OrSaL<A8ZcIv@R|#d%~ah<PZ!+`2)$}8r$ae7XlN`q3LPQ$M{Sf
zuE7kEGc_<k?3u#W^D&8apKY5~ZcFlDS)R1T!%DqXpc6a5FPQbP@aAW;426Wt&Gv4E
z?Tcde-82G&%XiQH3Foz{rU{{?WHr8(LwZTLj#s?k45K%+FR{5|rp+J4VCP8O0}b%p
z@9S$N(+7D}Gnp8r%l9P?d$Tfw3X>I@B<gQkE6@1^RJ)O<;b&?|!c4VcH`XD6!_?#5
z;;izce*26rQRc=qOiiCSLZV)5z8*2$vZIviIN3<R8;Qrw0(Xe}LC_poEox26d5~nG
zUzjz{dm+J4Ki6clG;i|hzO;#}k#JGo((^&x^nDP!G}FeUI2-w|!g{b_8*wkk1YCqx
z`92ge=V>+`@N~AGw%m#`)-_-tm`TYI?n<!exNsmBJ!Ah3(Y-8_7_!K^hka?1rv_a{
z<cuRiy^hO{%pM>jK{rTW6_q3!WN(K}l7=>Wbe1@SuZV~DA-u;eXd(%KHuI!GLeznc
z0Nuy&+vqR?D2@CypqQ{D;CP#d3`2Rc*t;zr8s2$iQ9JX-*^^`b@=ui%*vuOT7LJKD
zwn-MTcAJ=esm4A^W98rlmsVqhn60+RmYp?SWXgWcr+XJ6D)JmbO^;)8ox>gBx%)St
z1=KvTCS%#>06lI3y~~oRpa{PTrZlMQU%3f86C~L+x-)W%Uf0R#^j=54nZgg1qQEqJ
zEsROCaYW9o#zN%~RrWy%K4?@9A?{&Vb_~{zNn2fX9u|01tl6yVOa={cMxzZ1oJ*?w
z7UTBssvOS<RX5*qLdh}3C)O+vtE~4gLScIE-Z6f}Kl5y4HxbkGUfdn|33ghj)~wXc
z;48(jvwLB{TEPQ15>y1k0l|u>fXg%5P<`zyF&x?YgZB$ZW7&LvFx|`&u1eozgl#uC
zyYWP<B1f%7L*S-wSt>{J_S@)#YMWK7d9`Z9(-!RB{*+eWH&__cIjQ_CVVWNKWwJ%V
znk-^LxWM&ooll2eP|i}>)HaJ@NNm3R7NWS*T2*>Xt7w1ZM?b`0fVCCeebpTkR@Py|
zMi_C2w65!ve=@c@rPW!pShK;os8F?_bzid$OZVZ~aiJq<_o8r>0s172`dE~S4ge}1
zcV)vXnOVrL*1k_Fs}@JkIrO;#w&K?Bmu(lSnZWLauw+JlLiz1aJ+Q*q-&I}Zh*amO
z#QH4`Q+Ewg&qt9+S4U6Xh@{+@f8Z3;N&qRfi*0ufsnU$g*;ce&8?e`T&agj>O=t<c
z`o_6?Kz`@Sx9kM4gkL37CK$?oGc-7PIiLstltIE-mW7hC;w+4uHT-ImK`zu--aeQg
zOLO<K<bbjhS;WT3)c)6456!pRu1>=qi&BkIe6Y$OvOtmiPT+VCOEwoz<m5NfEsA|u
zL3|4ma%5NLZ?Xzh_^{YAH`Kp-(7QG5e_M<E>|gEyP+k3cJWu*LMXc02#%Ty$`2Bu2
zlDlHa4fddMlUvd+7;P-1f-gsE&=As#o<!c|CBa~atRK-6LAl7NB2y;cu$ncHe64?f
z!|pbHA9p_VjPF!K@hgaIi}gOr&q}a!iw@4EXZh|li&WI612cpy_}<kQEn9SjXEEf(
zt2$++S0VLM*`2l6N4$Kbdi!J%t@K&<f7so({Wi}s*jSm7-|21>O1o?~fr|ApWU-!}
zF}EFxo>Yd^qg*=ZJ>(QeKN`dxO3)4(+UqKX=mslj_aaz_5q%wbr#DIiTsDi5W*?fD
zmUo=q7L7bD?c7+F(v3S%4^ELCT$bMw>@neLLX-A06g4lHU3C4vd{%E;a<t?}D?mWE
zg=dy^H><esp81Oa^JAoSM1x0V$zFCnJQ;k$$gcA{O0O?7m0saQq^hv0Y`yKY=k>eg
z$H(jHd?P;t|44QUYKsM8icx_2pFeb1NTI5V4*55cscZ;XzTDiJduyueGZ{d?1q9H{
zNSep5W$+^Z?pC;iaOFt2vCl_QSMVQYUB!>4^Vjm(-+ngZkqi9e0nTa16#^Z((_9=5
zzd=$ToOc^+-~GqoJQ}ji?~mJkWLEXGHvUy08U<QRP`msC+0Vpu{jWvwV2@7e^Jgdw
zwI>6y2#)j=v^U3sdixY0U-+G5mIwO_mpwiXctE(~sXK1IiadrLv_%$^651^K|9Myu
zAnpB5EE<xO`@4_i&mC^YP(|MVAAAnKD}6WB0dzin%+nBxvHj2M1Oqd9{oz$$S&Fgz
z_Y=Z_J|Zf)pf#PuS%B<UE!N-XL3qNqd_)2{PB4~qO`rHF6ucQ6nGg7P1S+p5{r~!Q
z{%>eQ{#g?@`g3<3$Is!zfAr`-GGSava36iX9NmaQ$S;Wn#xHMi*DfplyVd9uD{j)<
zW&W)cnDhnrV7f!~e#uGvU;G&89Rv1G-&2kJEWS|u<3W>3bD=rnkcR)`pHtuRS^X$h
zkQeGp$D{)C-=3v@m&N`z{&~9pHV8`@Ae-%}0QAR89^|l<6&ih|AuTZ#T=`KEs7X7t
z1Jot539u0Xpe@s`|LG2HlD~L(q!eMJFZ<jVFl)*cPDbhmS^zRsTTsINOg;Ndc){L6
zBha9kzz@L*E)iW=Dd}|Xh)C>E`$%mr*_{8f$BC26amyI7*{8hUrH51GTE(#;<2aXv
z5ryHYxTGUv(hWd&3Mv7^xP6(UucP<|$p{#T$my-e4z`Mh-1W25`wUZ8wqihp*DAEp
zB^FgmL~mDJ0rVS}Qjl^jy*8v~SP`0B%jt(eL$BX{Z6{PgZuM%5qO#_+N0L!yNn>Y1
zh6_|+Sk|M=D4qX49a_aEP6t=Q`0LevxoJcp5DYNAiGw=V9rC3#ZR{6S;m4eTRXcuF
zD-bQg!`)8TB^-^gA-V?0d(PwNbIr$f<4>nsS>}pfal7&Zv{mw8_P+xr00a;jHYcTK
zhqvM=CmF(}E}n$s*K`6k$T4pgJGRAr!V}-bUA#y|8HbzK0RfA_{39>^d|wRzQN0V8
zdrAFg%XjPmPc)X)Z~!Pe3SiRnoJIoa1iq~SLI?CA`J+)wzy+KO199c04Sc}R2Ol~a
zFT(&7MM=>Q_scEj*R;xZf5eP19Ii6#OOpU;)08C;@L2=C2x+tnKn5y7XI_+@YOl;7
zj+nO;;7EJ=t4UO?(%Q4zIO!2UhT_7QvVSr^qOih!(sMF1C;&$Pph>o6WA%Q87X7sL
zPA#?j`qd>!lhS;C`6eE{jJ?xnQdP0MKMAH`vRL~@gzXcuQigQ=nL<JDVh%ynX76Pb
zlaiFr3XWK_PB%1>>{%_2ihWNP!a=knRJVMimM~3g1DI`<EA$*vc;DDhK^ON&w=1a^
z9PdZ<DXGlp33$!j;+x&BcEdkNRU9L?-1Z^3Vn^CVNUbs6!8a2NzdY>g-UO&m*H4_T
zz3{Tf2vACXCclmsl);0|1{n_c3&v+8^VUPAe`lKwK9V2)b0b9w>drr0t@jxEf$MxP
zQX5CVGXYywL4!8UQjYr!D%yf1VI(>JgspSFMpaTONn&RN!^e|B9r=t>436blPK@H`
zPY>Z8{4sV=z+8B)Xs&>l;N2wqRnbw4R)H-G$NX+L60{Ou_=_Nm`kCO^%UrOuTc$T9
zFAI?ghU;(GafdeV-qLp{pB+05f5frxzE>Arf70EH*Zltdl?*fIR$+<A*YELb+<P%V
zI1|dq+5Mexua=*=SLEVe_{^e?&bLY+Mq_vq5~^zQ2CPqAmC+E7m1&$LDE9gD%({yi
z{UYs#u=R_GLH&r`GPQGF<F{B=HR%8?QZ6}AzQss={bocg<+6UywMPgne0q9v*1L1c
zDkuN0{t+J*8;6P1y0iIp;t=86C854aUY1?XjmYOCsaovuDM{pT)5)zD-duCSW^5H+
z)WQ5eyQaJRstKk)F`%k}4&%uu9r&2yX}bO5icBIwiKyNgk;7Go6Z#Y>4bzr^I*x#q
z`JJgpudcBQJDI}!PZ~kOqsk82vzGI>j40HZ>+eUd<RxI)h_4gWdf{jqy-x%E2SC@x
z6&!vAsznVVj@;R4>yrDz6lg%H!?JW)7X>7T_5Ce|0H3h##WLfV{0|qLBcumMn04Zi
z$g`qv0j<TT^NhgQ?YfI+O;%K)6+hX|I?0iULQ4Dy5J6X%a?mH;DeV0M701q!$j}2t
zo((axRl6iHh^Ods)nR3SE8vUx*W<DCZ@xy4$rhF8U%eAAIL|W+IlLT1J$VJ|wxsZ0
z3w?4g*kT0eCe1nAmJn?8uKdmtj}OgTJv`XH<bLL6?7K%P)L@F}hIs5fI}4wp(b1lv
zD=OCwYT7Fo(Wc;iFIUv=all;chgsXZe@M~zb=TY0QtKH!mv(-IhyJril1&m_c+r+(
zIY*awW&$x#u3^zfzTx(LK>XMi;p0gz+G3G@PVhZB9VmLF?EQXwp6O?o2;p8gCP3_r
zk;YD(WJx~oT3eXmCydfTrq8b8I){V6leoDuc*_#|2~4c9<e<9cR3MNPy=_*{1<2e#
zxDGuWR!+^1|6<ngGS!6Ti|1ABY4}98cni__Xj~bU!uzrK9+`hVA%`TNCi`iJiJM@v
z+we_@e4nHtueS~~u!QHt4nw714hw%3S4Q<1fq_<NAsp47r%WEfQ~?>`qyd;WLTG^h
zw47%jFRzn#j_r2kI0>mR^}nG-);YZ{{}$zI(y;cz5a?>z^LKyox~4R!_e}Qr<og=N
z@Aw^e2+mSGnYE;ge8E5P?)^!GNj>ORW)LE)pp9?B+~?bSN8(8P>g&K%iI!I5)kWaS
z(4lT5o_T+!b*}O=AtL-~3CMm}<<jW`ftC>}WsUDR^m7|<DC~|Cn04C$p}n>P{+eng
zVYc&-i_u?)%+1rM?Y6HS$+jI?7mP%AiX1fJg+~!5*ofDmAD_@~`%X`g7?o>u*Q@XK
zP3AQE&v22TrYl}kXS`Dme2)*IBoTZMc(<21yC*i!%IG8o=?_}up*`~Znn<xae4qUy
z3c|ZhYUZ!8_s=A31eHZ@6npkgx>{w}%;(%M&sytHz%881V~?M8f5&%0<oJ`_ZK*v&
zB57Sh#;iy8O>6d?c+iQBy;VUnfr%}}U;5Oaj&GF#r<#l_aNY*h-aDAr+@F^z@saW+
z04&_qDSuIwL}t>3`m#)j<0~|bo-G{t>m%WAwIf;s%*Gnc8xFbtO>2db#qvUrQO>7(
z=PK`SyEWMbC-s{JT<py7HQ~6jP+k9kh!V%gbrtlkJ`g3d&m1a(M9x-D^X>Jt%2|Ut
zykd-KpyHqflE-pklaH~}LZkb_iVE5tHj@Gm@4>#OPe6F+)Xn3YOvn0k3g=_LMO0F<
zUEA23v^iM_Nx6lOtjUJvSlH=wfA=6DFP33q&#NV-GnS$o&Gi@;&r-;`X7J`hsrHQ?
z=Xxwvz+)oltb#Y6h5CFf*hZ7*)h$<c>5I!w%nSm-=!KbgO0IF$4)gSpXYe(a$DFq{
z*YUL;d-2=Lc99-W^y|^Rsz{lrE6@4hS61CG>rJRDc~5_!<vjnOs`QM>ghk?6^uxm^
z)Eq{#PL6~ePdQhsQ-~+<u4VQke59QFfDmc<#v7MO>W2`}?QkX7`KH<9;Jxz6aKyr-
z{si91#V)P+$<3F%)akYs46FPTR%&Qn4Sh^MhQK*9F>X|O)(})p)KuQD$WI;3f#$r<
zzTzT7N{=yX4qg!vB^;p_X7;bvB{)N&cg3lCnK>S_a$?$o;RQ=4cYedzIZdxhPBK+_
zTH7N&h54xxdLr~g9rvc48;eu+<z_(noo_IZ6|4dk94+19wh?H|TMD>0YA!Fh>N%**
zLKAt0Xt>7mn>0(5&FfOFQPrdH1Lw{Fi9cmv{jcbBnR)w);ge9NWRP*5g94JDMH}IB
zM9|VWGCn=NcQ)gx`R8XzPxzT;HC?|7R=eGmpEt_t#KRk`=8$6{Jp$kY$ctOWp{;us
z99Mqc=kzF}St%w)zrRI)csR7*Z-}YPdJkz8es{0ZM=`u|^#Pl%BCGzz2b4EoiA*J(
zx|RH7Z6}iQG>w$Vm%ERw&vf?iMBMjySsGCL9ZwX0O^jDtt!H55<Vj&Z9@(3_H{30Q
z_pxh}E;$HPq*Z%CBaKyC2@37FXr-QzI<L?<Xf)brlEK%+>zF{-Zgb-a!Hu!-Yr>LJ
zF&n`N$$UC=lyE$}@dp$p4tRKy%nzR@@K@5{cSc-?CR~2vw0qfg(kvw_J79D=DH!$*
z(di!W198wX7IpA-(c5*$8v*`!FB%^uQbT};r^VF$kqFQHX%f@c=WEM9yOs}L&&W_B
z@j6eOhT`F^F#7Tc;k{0#V9voKfAIh5&v<xvuL~Y=p1^xeEuBAi0(`_vf8$PqhgU9@
zBukF_sB`P@U70%{tS}tZ$;V5X;=Um#gy7-X1&hbf<33fZU5^C+^<zSB;6CD^M1S2#
z)!aQSxMuLLZh42UYH~x}rPWN8@YipD{uuiib9B}-RTu;|bH#z+_n=kGxSzb%T`zOp
zUM9<u{B@1ZX4s4>D%>~KD~_(q%V&?j*f*&<`|AtX@;dDMCh_klb?}W3_h;IevBP~=
zS34p1KX+$FK3cvW-{UxXXKiVyC+&UbK{?;ZS<Fa902=jd%4J4&VCKQv-j=oN-8hCQ
zTBGgMq5kg8Hf;ONo~>{8HdYB6ux)zw$vcSDdm;&v(~BecF!B?4>>jw`Y2#n?4B<=f
z(ZdGI%5|Pd`S#CG)TH$+md!A259=*P^Qgz}cb|rK*y>{+)8Dk(%F<}{&AG`V#dV4D
zN<3?ZyRWJ1j^n4Vier+~d;Wo|v-AV(hYtvmly~HZ55e0Qzj!oB$mH|q0Nl#t7^KeG
zz4v3vQoVaBn#YmWl`R;nzaYpIiagXf!8G`EQ#LDg%1U@ln2Ns1@Ojf!(}pef1F?PO
zZ7F9CL7L7)8r*2{=Z{|Vig?T@JsY#*R>nGWcbJ}$)H^e##~sZo4_n}j3ob~L5b}t-
z5eV5?*bNen$)T!%%6uIP%{>0j21+wOlDq>I4Vup;MnirbMnBkjE_|_Xs#oot+@D>|
zfSrHY@n*{6VGDB1>BOt8?cUCOj`KstpJk^it4ipGnkL+TYM``pRef8zDm4&3a*1?~
zx7kb>)3kK`G+TC3s=_jIS9=jlRxUN-LqlT`lUCmgmK26EsO8brwPF`gKha8!A82Sd
zdMh{fHlLrs8y7vAjNg5EDuiA@9r5|xd?*@nXc(nyBALF@em;!+R8d-@AnhjKVYwC@
zl4wyb?f;EC>}iVLH93{d=+=7aBx%kOwU;gtKl4pc-3k?fO$H7J*FBvdilVyeD(SIB
zEv7l`tWR@kHsg@p8O_f-4YYXDl(iI4m$T$o`O!5)ZB3dYK_tZ39LhTVMazr=TMzs8
z^q5N56xn^Az|UbWCX6ntYk{`$nM2$m8q$WXOkyvRH+f2YUM$X4ZWmtKj5UtcwWeQQ
z+W(+}hgW<KH<!)rl4Q-uC-fegd%K9q(L9NH2z6{A9pdS5zNU-ePRR<B&Pd%Oso*wp
znm~42`3NoW+dLo0j~b|@Qr;MzGwfe_xvvXd(4`QpX}P7FABXxH;%jmt81(|`J~)GM
z4x4Ma$Q=JnuyIvwDE+*l1N{CJx$2OXl@-gNjRrT0ET=MVvn?x+fie+`+UNdQ$-zih
zZroGw@S{pRCknxmT@e`YhF9G|g01l+UiF)!)mjHJad7N{OFa=Cha|c4uXvNZDp{f^
zx?yn%IU^qDqeL<$6{;gnq8elSBz)%U;wE}g@9R5?G@YN<$I1gQr@rXOAl`r4?E3Dh
zd|}|?xxCyglu+00Iar~YG-Vl2nl(M~<n6$I2PZLQA?TGgZ<O+#Ir`?x3&N=88509%
z?Ewn>^Zhp>cLscnhf*AV<U1RXpin$oK6xM9o1e4c;b{=#b{by6?vF)8i=IpmeNMC1
zJo2rJrJZ*7iSLKXm1s7m>eVt|Qx8eGe$@!V?5l?2eYt*jT3yP$|7)qlcD8&$;d(-T
zkgr<OwN#e1;0J@|8mSLqlB(Y{(jbF`F(2$lH0IHQJc0ea{j+^5RX3&V7+u-+a?~7!
z2EDi+EcKci|9F1&{0OP~i_XuB)Vmy-Y1TngB~Kd*2weIPRDJTkUO*rE<$(8o^>}4&
zkgeZXJ&oiK)3H7cRX7>4H_IefG*be95*Bhk!N0*8GJiVZb%4=Lx*n&vDHR_G>?)=Y
z9w;FYS>M(j?+D#c4SS7YVwWN=;%qTN(V}jy+s6zRuO4V-2d5g{5suhgroH^ol`3o0
zKz0ms`-H6P#`EH}ezoV?(3l_|lrX6UTvgpfvPn5H++@qG?82<ppzvU}$+pmKp3AzX
z;W-S3!MEUWwuXPtfOAmCx1mx}Yn&m-MBWp9&5z|=T8hhhGNfZIPjay+?b^h#wPOk?
zQo&P3PV=mv(#=@F574_4pFGQ@8!{B)Po>nU*$E1o+uEi>id*9GMZTfyTQ#RH&2aNy
zQ1yoKxx_Bl-li+%v9f(!8L4{>(0|aRO;m5Fu6TFFXrl`Us@_lcrxdK&xOS>lxI5~+
z-#)|nl%IsTBQ&n*pc@;N$!%T4<NB4+V{1l-BWJyZx78%h-8cK35guN|eVhsVwaq@M
znfeT2)*Jr}8MIvF+dp{TaZ3%D6~U{=8_jziOM*4CCfOQ2r~bxygnhaA(RZY;k4?h*
z7S=FS@KVW*NH&O5=tNfoh1-!i!uvCd5YATd^89(@N0ycL@}K2@WRL^T{+YN$xPzO#
z{tS-~KE2iz`*Y1Wvs#^#sB;nz&zl9ku{CZ{skGBRw^W-|Ahghbx~fuWgh6&j6552u
z&TZLP3t73Yx8yH+?efp6odQ4ob51jIrnxe;-2SOGcj@na?O3lrmh7Gt!U3{nVkH}M
zs{{Lj5Mo%CdvHA{jBj5#llgE*T$t)ay!_f2E1;mn)YrLe`_5P_IfA|H)Sr7Br5BW&
z*eE81WSGf$6;a7%zRXLF`fA{MQJ|_K20L^5O7q7rW)4CXj&lwVUN=p=g2^;|S|qIC
z7HsFm$9rw{{_l<H+^}d_KKCw36v|Ti#EynyDrR-^q?l!F$a5rd8G<P?Xumk6q})h!
zTXpxbrwl2yn>%eiHrqiR9=X{xQ7dJlKBQ%>bqA4?^Qisi)}_69dnX2=%03px_L3Eg
zjJri&qksND{u~@r5bmiIH_rRO6TE-$!`7HVkM*|VzfG2MqdBrGyfj0oC?K_DL`xYC
zJMW0z^><M?FF81}Q#Z05mgQJU@ULrsAGL6HYKryYKx2wj2;F9|f3GY2oz}?k=ag1z
zX3KA(r=gQOC0$Q4Kc{3MdFQz!d{0B!eGx_<b~T^$7ph9iZ}QW}%<U$h+qywwEk?fY
zurbD3*1(hYsNv10<=9VVw`ezvf9U5qOmpj3tnN`}CDWC+I}KB9M857~xcq$J&QMEt
zNKdCw{@4xs!iMaDA$0YItdXDKhoAt9Ie{icI)OzSU`#ds%+3m-Sr)m>cejHfi6!H~
z$b!&F?htdF1wtY@s=PJ|xIS+_6;3QNkd3P*aUjd_)-=58*6VXi<N22vIpH$f&S+1r
zg=^AzQA7W>Ko<yeJNx%pd&2Ipih8cnG#Q!XNyN_GJ`pUeXX2PaS0{VvL3q0r(OS`@
z@zv2D4ciQ`H}l)a1t|EZzZJm4Qz8AcAc~0E>u)ei@K{9qLb~`wZuK*}DZ!i9A_ZCI
zJvo^b9fqYs&qZ@nH(NS7_c*ZTWcF*Ra!Qk!a=L_?X*C5X+?`SKbpA3m2CZzCLuTj-
z)Tb|`*^pbqOM@2G-=5NpQRF8-x;&xE#58)yxm__#+F+7n;T+$#BxRFryws1jXm{zl
z3*AB-1U&2}F$-V?{$uYpmX0-;Ah4EuWF;crX+(M%XJDo}nJY}9Ua@mTzEBO*GKl?f
zLp!wkChD(!(SBGtBVNGr$G$WTaB8;Zrj+nE5Xtu&ywtiEQOXk(Fv-2i?ZExh)u2YN
zIml0Z?<`xp=I+gRRYKl=F(-P84E+cN6jKgbw=d)2Z5(e0?<1TPef#T6-J3&+1AMz<
zcjmVQBc$Idx(jI<nXA_5X{gUd{!o|Ndy>$_{>A)J!P#`Fb3<00p0KnK*SH;?(<h8B
zPV*R%VZwIH+l`0q4%r93_7p@VwC*7S&wi+St8A9{ad|WH^+#bPuqy6KW-rwaHy<D?
zB=^hg!=DfADb4j4yxHEQu)PKLJM!brrdCfrI3(-p=NnT~P`Udv1U7Q{T!>WlJ|&ii
zy9LtoPoD5*U4{nYJGARRT>C`as5VISrT$yH?vLxGZIPblY<Td+w3*BqD(G0rl<>B)
zw2gkJ8|O3A@o9F;fOT{VBGhIUIoY(!PTP}cbjOf-+K-QC!cOyT4l5ZvfzXwhbe$ul
z@m}M`58JI4*PCBEdwib>ZO_)(5JD0wn+#%lc`!m?5BnYH{qmKm;PL!Jr=gM$sLl)*
zh_R$Up&58`7woxq?#E8h{hBG_sj&sgWouO|dr-uY=V5o^_<J3g<+^`}<h6T*Nc}HC
z=CtK1jKAU?ygxJh|7xoTyEoqWz~A9<AI**btl|H#Fklz%0LFlCM02O0&>O4vy}u}R
zKY8xw*C~}U;gQO~Ov5EJt*F8gPHiI1Ry@OyrR1`nm``W%#-om75H}`gWtpvL4K2<a
z<)tNKj|A;(N}ac3rwj^NWc%|6Cx(NRI4ufqVuIFGqVim))z*UKHx$l~?=l_YLY*o(
z!39Ku9sNwDt0=hU*VIQL;4jB42+1pCS|g5$L4G&!?cp}rx(gXx;Lx2ZLgXFCHV6*Q
zEaDXvjdnw2_<Vvvtk4x;V#W!Nudn9GMCjPnD-Yhl<*Yxfa58<pH`zq!HO0%^06lNJ
zEXB#NZ6R%C-|xAUx0XyCaRHuWq%_0#8NgVan4pF?!RW%mirI35rRTbd(aH<l8-43L
zFbAhJdGTng?~`gTO@q02+gXzGs#0A(I{OY7$e1v0W7`)8U|*j;|B_y%mq!ty?^LpM
zE>2V+)Big(@s^Fcqv>UNtFnsBNGHav{Pm02kD?yAWvkw0%Qv;Ro$U4f+X;-+9bJKV
zO=nrZn(Z=mT7UHZX*?Z{Kkx8&P*d`jqVV>O5IsXUtA5~b!%^ZXmW4$6J>|UE)cGdd
zQkI!5uKsaW30#x*Je*<~^>Do`CDSA?Fn-=fkf&!|^6G*@NR1c$*5+)LqOG5aQsP_E
z$76hti<)=1gktOm)3xknRn5v_4VV{1W_K76guvC_X!4@jYAdwNpW3h@Uqn2NH@VHW
zRmj8X+=FJ6pVQUV*z2%RY?5;vxjAVPuGPu2&eH<BzNq^XJ~>$&qrJaRk2hZWcWyd%
z$;YaBAH-fs;R&-#VM-4694fR}iivgF{Z~Zu{C7k{N|GXB{GCEU2(dR<;D}-hea0Xi
z-9D^jdNFx1Um_fCoad7-k$3%_bLFUVRA%hs^NjvYyjn&v+!Jlg{qbKJatkX^f#0D4
zjIBRP@OOtS3ePRSWG_Pvv+Kr{cQoFRP-+;de7bijW@;dRtA{6JQJ@L6qV~g*Kgt&G
z_07MY)uPB9i-#m{WMd7Uo=l_&V)cDTpn8Y-obFoeCrEAR(>aT4Jc-T5GVt7Ct+9Nq
z=xas&Mp<l;DFpXugj?=qO*Y<$wz^phQ(QBHjOnE|qjKn;D{b|a67fSvnzp_M-75WW
z!A;(SZQ~xRrJ(D9i-N&zQQU+`uUkouTExa0Xr94qT}F#L54DpeGxB^du3I$<BCHpT
zE-cyLy{`C&n<O)FH<^Ms%&tvZoZV;E-sIV}qSl?zpCu_pw-f^65WZ|haq6vVEE4Bs
zcasRTawJgPrQXh83gQl(p7aOzKz6?-8S`f98b@a8gBT~nQ{cT(-rcMi8O@lc#?|P(
zOBI(6mZ?ZiF}kL&PBI3&;LBJkADo^t>-;`pP`$A@_`F7r>hs|mwvZ^SQUbMWe>bSR
zf4-R0Lbc&MUUl6OSajrRi*W3Ip~&*(JrRc_j(F{lvrMRFAL+LWNdv4X6%^%FgEh6h
z%1QLYrn_UJ-y-%rZJQkm7D}KZ#+^ctz4V7@@$lz${NIP_uNSFWsbsZ*U~sZ=A5kL_
zpV<yDhAJ!L>sZBdhZt_>tR{lH*c>jem=r#D8|oi&TL}w7=&|-Z$~sih!>Y_%<yjHg
zMw*Z`Gp!=JyvnM#3?nY4aD2RlGk-SaBBE!xsZze;581i+Uiv^D#fgWC-?T!Mo~7{T
zJMkG38B5uL@$#K~EvpfJy*ZhY#z>#x6NSvZpeS5uLs6T9$61gSUly+%=`<5^IIPXw
z7bZmXr9i;0#7|?gT%w5))5X#hw64kfQLNvfgS~~?%D8^Dlu}obHWEg9aPGnnZKeP-
z|GD<Xg|I`VcL}MGI)|lhZ_H_^sB=&|&u0^q<JN*-xXco1aKrqw1e;RXhEBT-m!;m)
zj6gHI*QCd;fX-)~wcbG`PCizfTIEb3!!d1t%2S1u0l;p=<MvX#@gr0Bh?DQ+Zqe9B
z9j;2!?_E`dsW=au;~#-S+fY}+<Fyx4A9Zr!o9D@3Tu1Sf*2zCZ{Qnru;B4AIOq}Bi
zulCKKKdceo`_ZuWEGn&3<#6nQ^*+C86}xKV^RoRIWs!u`y0n=6)XA}1+G1_W7x3|_
z@sCY}8`Cm*!d-1(!HnfUX~&t4Rdk}c<*Rf;P%d1AA4P{)aQA?>cf4=iuhEm=>cQ}9
zC~V6dtub@<Keq`0G%EO$+P(PQYqWfy!w9wytR3$#y|Hwbda+&xwf+`^9DkWEO|SXv
z`{v@@=ytGYp8sO`<;hEg$RwF^+i>SsV@b;Pam4}^QH><Yvf7wkO@=#_-KjFE?<Z$a
zJhCRafgvU~x8G+)6l}tMn<unK<Xg2Tl$$>H$!A@zFZIns^S}<2F+vyMqn}pEwIe~m
zaqT#e6_MsmE{tW9AlX$p6Fg-B&reOUf#++3h(lCtNjNK+VjF;APkXo(KS@cOXwY;S
zWhQHLO0R!T89-NKZlj;6xr$`fK7HNQ-&6vvm@N3%-wdsc?9mBrU^?(+^axR}h(|>?
zMr=AA(rabqNIiE7-xpuk-|x(|JA}Upy|H9nR`l$BYIt3f>V{gz2y=j<!(It^u(n62
z>=A70VOx_DL77IN%zSu5mD_j4-{kU4rLW)VZ~ZO#?;hPl`M>O>!lds>N@v}0+1PyB
zMER=3-}I$F`@4;wJ&g27)an~NO<EdKsDnmUmjTIwCKWx;PX8b~6?{XZRMW-QVRQ1q
zf-b3&bBVxH=gnbo?)~FgAaZ9lgTgxCAym;_jb&%j?2uF;DH^ivG(t_*TXu>zjbi=*
zy4gOq_shZK+H}YUVa3GlH)`x@>hX?iVPC(gUt{Y0ZbNSJ$>!{|rcCmR&JUygl#ur3
zZ?}e1Y>dw^_d406KgL1rGe_w6ALuDBV*In-6Xt9yOH7Dk4>W70UWhrJon#SO6UaHZ
z{7tT-K;wG>Yxj2lo`Y<xB4_g=e@T$d?D@HSnUi|l{h5zBZ(|CapX?%xYEq^>-0l{2
z%PbsOs(9+-3AsVhVf!sBq*<;;?;(#u!n4fxI$TsIt)IlcJ%<TtWlhvdiHjxGGF0HD
znT}r!n~B!um{sIW)yZX6HJkYPga&&@JLqSTa!vgZCvt&);LBPT@`F0(%XG!;N;>^V
z7KR`cUT}W*ocmoI4vP>x_m2}pIzq%drs|cMYgpa-noaiXFCh@6+`d`z!|O)tLkA%~
zU-*(dD;|ELzDRn}!1R`1|6rE79^GxD?af@C8=<?@r=d5ev>IDeuM@hRhd=}<;rVSA
z<*H@jurSwqRB(csEH|{Ue*4h(0`^z4ThC-wV~(!i_OYj=BFCG+GeipQ3}rpRkQJx-
z)$aPd=sED-7l@AcaY}eRk+i%rr}VPt>Vr_0qi<dt9UCRL-JNEne5IlPu%w;0^hR*3
z;dc&P%!1eN`Tq`m0f+u`zrua|Kf2`qu}zwh)6W>a8H-)=+GOATGMKtsP>b1U$sJ2D
z)oxnsXKqz7M!2rC&aPYA*;pM~|J>g)#R}zqSnjiP(w0dV-lW0Dvs*gew^n#b+NTMT
zwOgKheREqQ`{|nN8>G;ei!2H{tohEOHB(OU?pZfLCP#zeI4HXwxzOz5py_Qi??OTe
z-<o;36Af;=dh;J9<VK=2$^XOLdxtf(uUn(2pbJq^KtKVJF1;wdDJl}Gi1ZSWriRdK
zXo@J(CG@T+MJb^edO$jn-V%E6p-3;G+!@x|3)VV&pKqV<?(^LHrw<R9nfaUJ9q$<9
zeJ9R+x@cpDSQ(y&?^<m6K=pHj>61!ji%6YMLavIb%IfTSGK7uVRz)alg1Obq5H0pr
z43*(HvS2|2PmTJCs~wtaxuZ%8-PLPb-i=uamNAqdVUR5<eDN~eDZ(l<@RTPiE89|0
znfh?vOYeZ9QbIM`3pR8Uqms~5xUy2Ix149ZDj)3KTYawq+sf{AVIYQIL>2K6QN`HL
zr^W9wqP<8&lq-6CHe<{h!@^T;F)@ZSgTB{4(4W4AhTd>bhvy7>8$Dukm~aj6O@(m1
zQ2GN0S(+#~;1eEPufL1@f(1FpV8HE}0#|RYZ`kF4mR+;wobvrutm1?6XIVuw%zmMr
zyri>*gZXhg2h!z6reU?)JX`+LO`FN)D+jUXIW-37oNa3Es`2`T7R(|!`5YBYBa^&x
zAbGPmu^g)l1I6FYvkQUm^Dhq!uaOWDZ63*lf8e8BmlDvXXTlF7vgV1OnheyJ*x1|8
zU_Vr7rM>kn&9hK;&(X2$kyV7Ltb9gjOQk(-GIvxmbz~k`Qwwxe)@z_S{QzqZRj%GB
z-tf0Iwvl$pY*Uy5Tb4z9#FaRf?Jca&Hw5;k_qqlTGJLCmE%|-C!kGEY^^<XDXVXsF
zbuuC%?GvBILM|MhtmTsq2Su{>kXGzj=nJxa6OS#Z+(`m~a&L&{{|+vX&?$3_Y|Wba
zx|7+zgLam+n{{~cCgwM^gX_?Jx|fFc-LRdvq+)jZWxkp@<U3NXeh&%$<Qs<wL5?53
z8zk2h__~zr>A^7nxGp!ctG75^`!a{&As}(`9Uty?)#otMBmlmFm&E`t-|SkGM^^@^
zk!C857P9J^<d38#CO}H6A)KdN{4+~1SO~KM4@*gwb%`OzR^BCP=KXr7gsf@3Tg!SF
zsvE$^*u$C4)hj-wfBdB+*yvd@#}k2)m|m=i(Ps!Up}t-kMF1J8^T!8jog(f}l*K$b
zfwC0EPH6MU$NT`8lOPH>>4WUsHh(&_AZXUPd`aHx@qN~h%t(5(rew0-<{`bB9PPqu
z#BWohobPU&`Lj|r%1iDB;=e#GN?WIWKS#a>8>s>ll<HU5TAoJ=P!kd5oIZxNecuAs
zu-oF-o`7-{jh*cE;i=6-b6Uuq+Hd6|l{<X?8F4I%!21GlwEr3G#rM%DPZy@R+$wu{
zTg0fdDfsH)#y+4*M;`-em3{Tj_da0gJMF3eyzAnET>X7@8Xo`+jb)D^`=jxylme{O
z2L$5?;!lwhC;WuSfbtlRo^%=x%N<UJFJEKXx&mxD^<<sV-3}xm@ekoYF^Pb&CnzG}
zpZ_l8{`Wfjz?+60y)n`BG82?i#mmhXUfI7SQ27f4gV+x5gchP67#b-*zbnN6=(w^B
zhZQJyEiel3rW;Ne0ia<<nHLp+H{6@_xKd)M!aW%YN%E><&E7XVul%-9?N&?zX&nR6
ztD0lxc8Vlix=#&(vsD@5f9-=l!gR3<$EWX~kxui!k<MX*KS?Lz|AKT14P%@7VQIBy
zD~P4^DgKqriSGGy?8Rq8wYpF`#zWi&^`P`ePtEh!`<K{5hIAMwcuQ(%uQ(>~Gy|94
zcK-MVDpp@ZPMHZRHa7Swv3Y28O0a_w)=N)6F>NJd)&22e!>r%t;<%oEnG}GV9{Pad
z)Y$4UXN`dOs&?&?!LB}u$66*pIwg%DutclzK=F(6x>l!osjfu~&To9j+^NW#!EgP7
z1wW*iC>Z33;~(&js>54yeNnbcA3$9^BaNh&X-&btT$K4doZYMJ5V$b0$2XlFd|Dc2
z9}T&vi+2E81BYWD|1X3T%KE+#nt*5L827q32Qhzw`|2fU(-O03kk|UnJ0d1-{1F)8
zs{ARcX?B`ozQS9t*0fVXrUXOkqBjr%X$a=Xb%|`Y`GqJjR6N)?=A#-`<?>6H)U%#H
zDcejpQk%3jErUQx9>wh!wE|z98pH7y7w2yi`4RHeKAoalqAGgiBX`;ZVUDF~(S?8r
zVw@ez9}G3db^bv8+1I}^R87TVNr>;Hc=^(&i^!Z$<q&`zqlY&^Z1Dh@D+b|uX%#be
z=5+?rjp36^8;dPhha`RGN21)n2p<NN04{*r37#xD78G!fBvSbsv9qeRp}kH2<VHeq
zdTkpUWQeu*3On8qpveZ0A7j5g7y;vO!dIwozWg0$OO9}Md~(=;Y|5}HuKNA}N2GTm
z&yddCRkpL8gYx`&Z89X`brq;h68EjC8!uYC!}x*!oAVe!?(vUVaqM%&J|*o<7%Z)o
z+PF3i94rl{yBu}!1>r#9sDH58nLCH;5>3(r+-<^@M(vrG*|U)b@<qI880AcK^=$GE
zY_ifJ+zJt0WWwGjovS$o=1?j!?$pUN_LThjal92!?_81OyO6E@KL5nmY$cSS;n^GW
zZG?k-LayE=wFK2$*pFwzjU#`|Pm1hI1(!(<#noatmUfUk*=}5M&A9%NjJBtw8_cHF
z&!;i@u8I4l4>4B?oWcB%aJkqK8tQWECVT#gDGgvt%6orO?JvFZye{-Mn4DBK;4?Kn
z+0#0>p0TfiDQ7UkF~6~9#6%!PuV(M{|9lrnlAAOXHQBoDZo4_6mkgkv!!g9XnettG
zQGhaDRraS?c=}YL=)=n6?zcAq6zo0m`ESKYk;9X6jN!wi1#=AKp{EGN<6kr1UxEQM
zV+a}@0Xs(U>aP``+_)<I1GoPsEdPzg{`Zjj?^&1DI?HfGoM#-EyId8)gD2RQgI<RD
zL3Pe*``orb4||NZSC()kj4Xwn*e4^2!w;ZDM3%=u`j=kcq56Bn-#h)*$y90=zHaWi
zF4F-*80w_r1JGYHSyWDquu~=RdG@mVRjiYCNiLUwCp7o=2`py2%xMx?loLAnMT=ta
zhz*xF0&KWtIj$XKqw15M$Bwpp`!?cku?(CxGB44^)Znx66Gwk+Yrfi|{yG<eQpV)^
zzaqlnm<l5d<~AF9ptqAOueU##Aze!rWqldP-uiN2dmD@>8eKZIm<iv8l*NlVn|cNn
zO<pp6&~BG6u+?)Je8K+twM6NOnU)`1sHjF*QIg9dUM93F&m>v03FhVv4W}dec$Dn=
zy+36e3+lIDrC?b26REENNd3*%)QE#4kMq>EhWH1<h8m<wiX!90HSBzljBrL30Inr}
zhii7b`B_Z`s8RAUM^>Ge2+HsERk<Z}tE30_BKw7hZrj%K*v55AjgxS#XrEr(wK)9l
zb&}pCM#~OJ@^7NoHmvI`;`GfJXIunrpj5LR;bjI8V3j{U&I~U)!IxhYx)Ndp{aKpi
zwj{iT3Tf+>>9f7ZKQpj>aE?gqL^sn<Lg_Lqnn5hbZ~&z+@uvtXi%)ouC+N*zRdvpz
zgiZS$>LfA&0DTEht}t4Osg`>(9iEf(2bh!g_`f&?^L6Y037DfekO>a-=KG$?ns&}%
zSu59d`53+X8J&1~#pdU(&W=8#B^rJ5kLL*`opEXHtz(7@sMlBVX7^a7>aPtOhjYq4
z>N!~dH;rcX!M(ohU23mb<|i%FR6UdrZ|UAfs}ahNiOQ2S54QaEzi?}c-ZD69F<eoE
zL+Q5H+rMyY?(hv(7le&X&g}4&r-y}uEZIBS%_v`R*^9$~-GjJ&nufbmBNt^d(2(v`
zzQL{6RvW0kPVV-x6g(->$3No-18?R9WUsJYA&I=3QFEB^V6xVrO`n6-tvqX)@?)X0
zu%;YJAtA=x;tv8IazwzDW1`^sgE^EvI(|38ye1@6wHy{xi1~psxn2l}8d!8^aOB%b
zi5BQO1wJAM%;Msg`j^_kpBm+`2`((!Ft>#Ul5?d9`_5LhW9M~p?fSa7-*-IPI7ReF
z4C5#ZHp`aKNzK8*_4={jp}4;-slxp2W^;-Q@j)?Pbl@o#dG$}&x&yn>q4l_g>0~3z
z5=-|TVyk-yxfp>S`)fmdid1B+{BJvC*ESlxXV_i;Leh=)3Nc(dBOyW=#kYkbX^j@&
z9Q1p7J3q5D1}!~+i<bKBI)G{NKxMff);sN@lFslg#lf<fa5r{X`yTgo_xA=X*}tI6
zX@|sdH#|(GA^Jgb+}3;~-@GDzEgtQUQ1sC}9Z&H_(7zF_b`20xG@)!Set{f+PtaUI
zO-t1Kb~I<3uSnpX0<%~w76G7Oe=Ag(KPQ&l1JzwJFZT#|a+y|8@RNsCeO5}8WQZt4
zJKX9eouqEmc+o2M?qYKO^x`i)j*3!G9Sw{%wK(%XsWS_~jYE7qziCYu3v^;2{#h<c
z*d<TIa%h!}jj{pXT<Rk4{+B~)fHItrOLG%!WuV`DcT*|YdOK`Jlj+5E2eo<ugZz*5
z=}}e;uu0uMtUHo~uhXrlEW5g1_%FntpfG!^N}Eo~R7)!RgsMxCd!v5%_~W<XGvYKi
z0iv+;CrSBR{DnaO|1;e{(YeqyWVMZ|OARdAqi3OOPjAc#W)4ip79l1!ad2~<Lic&_
zYyAB5!QA%N;!wfv{2~Otm(Pr03`t+#=;8mB`Tf)==-5p9OF2TsHcRdMfb{Tas+jZ8
zWI%Ec=Wg14P7<DG1XP#N;^RZ{4*^=L=RpY24U~7g)DV7{al-KVYW&12+@KNkij^2>
zPU4x|!f^NH;zxu(h5IJlQ8rb9Py8v!$p6m;8I#WI9sgE4K;aE_p=_|u3SEgBGzt1m
zLX~=YDP?hPIrysJ;C;vIW*s8Qd&mrJ%-j;xbn&X7mFMD=vj`C3s*g2(hTh5CY9=A-
zJ%8NP9#y2%SJ<RXS3gozaK2y&M`(+>aK--IpK-Fc52FYG1Z+Ma%^8$x#sW80&Dh@%
zVap5XuitqpWCk7Gpj{NmuKcKNqBwj~xlz-h1C$$IUJbLy_L<l&y{_&2q~(zsoG>*g
zsLek4d4<)XF7<Nq*AGH<iPl>p7uLJ&x5WaDwEgV^)t9xb(n=m~+Ii8eVdP)mkS=LL
zzRTJ#!7>-FuZYe|8IFj#<blFk`po7j=aIRaPcBH(VcK2~ukm<6mpN>>iC*m=-?NW~
z0(PWt@39ecUP1fID+*mFO(E#tXiyON{;poE$7!K1{o85M+F1qjjBII&hitz~(13s-
zwfTqs4a!heZZOjb{iEIZCl$(+a;ajFAw{R-i}RuyDyea--WiLr550r8Ni2JqJN@JW
zzdAav?i?9}zczQz3PZXPFX+Jklh+{|1tuaYJU+RAT&_YY&u#LU^tIyS&%|tp)ShOF
zK&sEgt0qT*ApSg~jB8Hw<+;LYLP-WPj>zKNk6s59duj@qWJiA<l(5_?z0p?tJ3Z{<
zVI=Wpj+xExdU+6-DcjWa)~D%A)9md^CYP8jENh9or@O<$t&oqqMTEAX^4XFT&mi{%
zQf14M%^|66yXZyHTV$DFLW7n_$L>RCZU@mxkv!A-WOtx_s6Bpa+Ev9q`(}KkI34-E
znKVFYNhQ8KiE=AqyM#C+o>)?Z&CLI1Z0!5<=jY>C<z@N=37WevdO)t4hSlkWLL}N}
zz?{1kN9^#0poG(Lw@gZePm93(JvV`1-{vBczqgEkO965a=<$^lV-Pe(!WCPzZEUib
zGrYLnG>K2!k<w==O4(#2`eA<JqbZ3EfGQP#d&(@tafMG%&GTJJS}o`(-N{C(P@rSl
z7x95@7afEZZ;?f9`fDUXyigytnUsfLmh6K1#KkJ9<PV#%EQg8lqi(43i?`8Bud}%h
zC3H(k!t3=&a0BXRue!*mQPgC5wu8%-+f)}W@SqbFR^_)IdoOLg_rmhVe94npqF#TQ
zgSuQZrbpSaKWbW27re9#YAbSB<{)}?{kRR?C7touE?R#1811k4z|jXz`9WxD$uTpW
zCiztmLWLp>9^f{l<zoU*(F`K}96P`+s%2Se9p+S<H3T5Wm&em!MUm*KBUv9b`rhCF
ztyzKEzwCL;42sAhKl?Mu*nPnIeYSZ-n1TWL;5BdZ)&qT9_^bH}s-OKzg5^J=+$-h_
zayJ8L3)e0^t&4Y4!Alh^K2!2<0!1kzGDgo3*~*+C=o|@Zbm3GevlL=UwrBgSzgE6d
z>c0ALtNs*`@s;E2{JlNmi&b9sbz3E6C!y3K1%T*P!SMrolWk}!d%W$IuAn{R7z2A%
z!>uI0N+aW{T2Bx3S_0XJPy%wD_=W#m9r{}&=>M!rNpB#2cpiBKP1s>o*2=8+8-5d<
zo}L?Idt8f3AMh5iX{mY#a_=8ae*Z8vfFXtxLKS%J*WO>v0_7YY+~=#xaWHj(lJf*@
zf4M{w<=?NBH&SrmaVzF8f9X8C`zjUu%?&kSyXQ?0t0t9`!n5=NsV~<+PoSiDH2)lb
zBO}qpWA>}V6%#SSO0)V&<I=~!mM`+uoevVh!k`dto-g;2I2M2PYXfeg^}^@bA4a<_
z^5DBG9wJsH#=_rsq#-u;azd|-%yy+}w68co;?qQQAEBw)v#<R3UV@QL)zF!KZMGGx
zv#8xd{VuHynxX#v#|bl&CBFWogJGR3HPR2#?@>e7(BMFrdE(Nr2*&724F+puZCSu|
z$tr=AJu0CR);1`8CDAM!v)@&*4Dl2io*`pJ(FwL2NV?{z9fV^c<5pFSMEn<y&)bnM
zM$9a+5Q2WAxNUaHvk|yq>6b7ihvlj=&1q*A#42QJGvBz)v>P&H(Qx`}c8j#8!<isw
z5Dm}IMVsB(;EJj7Hu+N<%NKIHX5N9mpVs(sQVWreOj|LR9;x)hLU`b`$x|{N9(@M|
zJj1dY%wqrPs+Q^Z$@@@@E(j4^2_G`B%Kn(8FIZ>jy?Do{p*YO63LAJp<mz?;`}ktE
z&t%Ip-0itnC^5-pH6XU7qWWy_I$-*C%lz8J1kEudu_S69-Vzi(w?pX3<anbyc!N7Y
z+HJDD<AN_3l6~iE?_@(8kQ4Qky=96pQG(~ob_nAe;**s`?XECy=7Ds;|3YIMV%Bls
zd>5TD**pH`Et2M$j+Y3|cef>`gk~zL1T)N!?=16v5?_>xtsAn558LrsQG#qu8m(`n
z$PyXdIL4Galp~IJp==lCiRQ^i`R>i_I}3sl<XxPkm<jomGd51SMqgZ9jTBC2zS({y
z-nd1uL8#$G$&SJlVKQ!)5bn?KXF~w*;k3JUev#)B^t9QFdc+4zo?yh|wVph!y^#+C
z_{w|mGHj9PA#bN3K%LV;5AHqHc3l4Lo45W_7-o-q+Nhx#C1f<<=&dC*vlHYU@2sy=
zMpxrzWlot5HY*Zxxo=G=X|Y%D4w}Z|tbb`PACP)ZIL-A#NkE&hz0Q8=5*klb{a=q{
zKdEKJ<*VJN?nu2Vn;ia*#);dh`6nw8m4b3vq+DHq8}r%6r<9uEpaofBL}@~i|A9DY
zQNk|Z*rMiBj63aaqwxHw809_5HU&A*p=xFDRLa!&&3>ANp=g4}_^_gz7{XWo>vUwZ
zzDI7Zv-Yy{p82Y0mq$`|n7%rG8TNEj+gSnH8r6eTns{hM83fiV<Jd|;i0+;lWjhvk
zewPQ2ZoyppJjGhKWeh}u2nS?a#p%=UJ7?;ce!YYVTqkccvh;k9piGy-?!gERo^QAP
zM))fSTQAO_gIL6)14+>rt1ve@3;56(ea!=>d`B|&VB~pB(dP?XOF_zP@3iqBE1gG@
z6ML`ez$L>bgO@%X4C1cr=jaQ7Og#sAXL}6XncmeP*;DXU4etW!hDO4ZY-Wbl1~L{9
zivsgw%PQP1j?go_hBO#ed$qg|1JiDpZP**&KoK1us790gMB7$B6@1QFCu7ZXww}*h
zNEHZepYS;s@87o0jlXtmPr^dkXf@?>8)F3GN)}D}=NGWN`5`e#JWMy9>gS#kdOClw
z$#sXy^t8sb@X5Xp+nElK7jsT8ZtsiT2b_@MO9&^SoB=;!^Ti$#$|^**RWEPMZ_;JF
z=){$+(S=H+3~9!a(x)sGRSlU{$xNmU83gg(L~{AAW_c|3d)w^+zQTy&1hcQ}-#ndo
zgDw)=_^rdDc!SQc9Lo1~^}ZV_gWzZxFdmsxMj-_`z;&Jo7V!YZIG&5i^{c}880CVI
z(5hKRINiT4##AHH`^4csq*(;-{fF)`ihO`Ctz<W~asE+@r+MdD+N#0)xyIu%ilc6=
zB#n;<YTk+8AQa>Oj3@Lr0TUR@^T_@c-!+sw%mx<5-vM4MnP{ZD2?&9>;{8&yYk`YN
zyV|1_r6t}H2U8Fm4men=cDH6FqM~A##4A#SNb1FL9sDr4KNddSM8^Jhk#s{iJT@K3
z<3MC%PiuTy1S~O2dvjgJY~#*ug8fAg#3g_$IvN!Fhi9K2*QhSgml(ZkO-uOU)#Kv@
z7)C#B;AG;YAACoTB1-)KaEss{!ruWACHp_!qS}oAv0KEetjDqo)75W_h~YWt+5f)B
z=H-;2x4&L`FDqUw6FM>BjT-hTJNF%-IF4Af9`6m_5FCa}23@(=fUX`i{4TwZ%42@#
z{$BMBPycjyCH2Nni6Im;3&s2{8-W^Zwa}#R6{D=iUmzMie|!KQQ?zFAa$HugzRga~
zH5L!Y2=2gu`U(FEIQkqMG@PGk8{#LK4K;vy#!D>X)4u&+8x4xg3}}KH+x-*%Qre^n
zm~kd<Jp>zP#1X&ki>$g8s5&k5@GM&q?B6!^og!})(f$j?(w+C25~KI$)~=0U2by@Q
zz66ytnNLPQzg3r8V6sm?E8RAZ#VwH&y=wZ?&D;b!!xeO@{J-i9`$-i5AIeCGat_Ew
z`G4*72L0hfX|aV$AAWz|@Wsi4;u~d`U|;t{zug4j{jj0v_Hb6waBt~o>*(Y}qkY#a
z_+DS&6=r_7wC;R0#A_fp?2Ge;kjO!nmIM76>nm9$R5eOZ?X6a-s{6?Vd1T|A<n}F^
z2O*PZiHezzj}=e`BaFXOoQ=GkK`gBJc-5xk5zxoL!|YM2TpAQv4Z#mc8-b><L&<^~
z{^ORe#xDQd)lg0zR*#9naKwYC;p<HQRxy-R#z5eMs0vg`iu<F-`vdl&->1QXTN2bu
zkt_Xa_yV|io8{iX_krsEA=*|`?)c~X%w>@!boP%{E)dzCpqbA(64d3M5?a^?)5LXb
zTWKmrZT{|xdj_YwReTuYDe@oi$NK-#5Y7qxw+-Pt;)4JCeo&O?$JG;eJKDA|+za>$
zADF2!8$3(ez2KnYA8y^|5c@@u;sYR5=5sPBt%qMjIK+9w7LUtVc@I#=@=umA^yYuE
zj4=|8{ycu(+SSBnYAQXo-zcg+Wlo`tNO%=t2MlW@mTwcAc|a+mp5BQC%F}IjPQ5xp
zd4k%TI&I>pbsshN1N2+vy!k<@nZxg@B%C-TCPqg=1mA7nuwt>OxBC>Rxjc0?Q-9{W
zRO_AaxoKIbQe)<AWaLE}GUNYYZ5nj8IZc#s!rEveo$0D)eaIhst4fvBLYCCSWBvj4
zO|!iBz|h}`Y3RoSZZ}w^4TWNdN!KPRmCv*1QV@XD@=v94@t$I7lYUFGdj7M2u1hjr
z{p&CM|3aFKMxYWEymYVN$Qv|vcjp^E)Ojv$n-1O{WF!hbd#tv>%Vj+}J>06k<Vt_4
zun_uNSnSXKkD<&MzPHkw2dW|-?Ktj^U-_Vu7Sgd!u8N@4cSkDaWTX$MaYCwruq)xl
z#p7}nb*X<!6#X`VSV7L#yA*ZpQsZBXk+?!xbv16F3$@JRw=7h+W*r2fQV!r->DS%-
z>KSM><utyuZgHI>NW?RH#>KOFTRxdD(I+HXf8Y)hEumQ0<F5|*t+-f<@Vd&<<fzJ8
zM2JRavXSU}CrV2s)MF2U)wkVxwW$f>Lk_9Xm*vUS>)ZPYGS7<X#*_sXrdNt;)!LGG
zy!h~Nz+)AgVx*g1RuqiXuFc&*Mi2C51)QO?lyglse9NPc6Cd_U@^8lYO?fFI+z)6=
z77qTB!v8`4fni60{&)3KCYEJ`@kqX$zqv%dE?%NQS_fnwXy)Q18q*2chX^~3YVF@E
z6vJ-z#qt}U8PYa@)Q~bdzCxx|c#Z)fj8YZJ1IE?Vsl$6&11>09Z@}~**TI;zeRo$>
zJ#p*F*crU)F9BSblbqQ6P(TYX;waO){A{@YR{LiTmlDher0kYnZIsM`d}2C|ZiY{U
zGhaMj*;5WhjWG%^v8>q@Z+B0sLtuv(qdzz`+I@+IYT=l+G&%}4KlPE9%O(U@V>6e@
ziF!{2cA8K1jZ&O{qxjnsW;l7voInnx_}i1Z=E>@XC%*Ui_nOcRcrM>2^JbE%S7N@0
zs5v^W-e!-78Aw`7y+&o$zI@}IxcFohG1IxYTF{lr$p4Hn-gawh>2h5FI}+kOzwzLb
zXkl3)5Mb!@#triN2uDA2^;ZnxmC?}wsQHv-fojG`P^^3Kpf(#qdn7dFP4xXHE!^`Z
zoFe~_cc2Z?X#WYIQ})pC=}@HYHqm9vQ1^M}wI<G{x^pubfd!c>`fL=3-8w~3=U`~%
z2-dF$>T(~~!JXVUG%}|0OQ%Xy0L}I<(O{N5p*0|~`?n6SP)#o8zXmU`dA5iktjJJu
zWV4&h#7No@HD;;a_J)4n0~}3XcJt5&$$*&;FPE~n^o-MM;i2=+4zilCxr5gsDkDTc
zkS7XCqOH8&qK^bmCQwlxn`I^bG2&j^#*jZC)MKUCNP#l5h~h41Cw;AE(R|d)t!g!y
zJ2fpzm;@d-bEW8M3J67Jq1x}=T>gh2sYl_sM2hOaI&;ERae;#6ciGmc8F{jXdde8Q
zV?9RhBwIozE4bWHyE5;WTs*TkKb0hNp&So+D^9(FoDi0eG9L4}SrlP_OLuOA(8MVw
zIJze_v1;1?%7N#_sF3QWBsaSzcI|cHc($zglQVc`HGc~)(#!FB;(Y0ZN!Ry3HR%wK
z*4NhfYkyI+vcJd*Eh9n20W!F4G3J4z>~^oM-Df;FG0U9_0;0C*nnU(*58Q3hsLR;c
zG2c2zv_KFC|5zztKMUnZSQ{Iu$h^nK!F8pBR8ic+a!Ix5TejledMvvM=wUb@kqUjr
z8Z`W$O5?Afn3%^hBBomEO$-h3NXVQ9;EU!{RYq2xeR&umY~zQOxQ1P<iOb(i^KA$E
zwqhM3Tptv)6jXW6@-TY?bk_-d-h45Y*2uU?8oZ&a<Nol%fZMqU@4dK9H;aL~D2nKT
zr52^e(jt#u&!iXe<hwEWuL0`*WzvL)nCt{ZQ?{lDg940%)O`}+iCz@j+ui;=cNM56
zfLQH`WeUG%siT$CM(AaC{%N0PJe;#11iyNe-4mj|!Je2LOpr`jJ<Dr$<W~Ma6ipuj
zO<NN9^KL{1JQCpt<ZfLBPV`~bHTx}@xr?xW%sJ`^pdo5?Q9x{2rFZM6)h!-YY3`D9
zKet(^mCX_x*~4Wa;I_Pjc}Ki8BYsKmjw~U3<NE9vRBW4l(1Z+2_vViTO`YexOYcd-
z{WG?i#K45ve6>P-U4c(`fe{-u`V;ryJo`c7MTdNG))dhRo6!-s+nx_BR3{x)#e;?Y
z)0K7`9$?l5D~D`o#0Y}{j9Y@91*)YwCfMkbWmTI186TzMOqT#F)kZu?xado-2`qdM
z(ib$eT0Yh*WQ4?T;9(^??}s~X|Lh5@6Uk{89P`YE(gfQ9L2V#hbo)fO$f$~yqpG7p
zvz}OoZB)pQ?*=gVnR))=ngo{}a7Kxx3^n|%6)_W`ExkT<*F7kpzyt|vU;j<qCvzk&
zI_3Txf^z*7qCuCmB);JBd0@QzIWKQ~o?V0N6td7x%tareDFb`&1A-T%I@q=l))M`q
zIss*d0xwvnNj1e3{H;}^-2LsI>J*oe2C$iq+zJae(~S(GTkT&fV>p}kMXXa7Vc4XO
zGY=Fj@I1rNs@O>9^>x}lKjzu%QIFZl*#XTqRF-y}63tU*j;6;Ac7;6)5Z?QD>J61d
zx+czv)LjRz`b5b6qprZp@~S|wnIu<C&@%1&aFxVHjQ{t2g=S?<R$4IxkdWqn*+p_{
z-(gz!s<IyB;oDR9`jDHTSocIDm<O#5O_+JcOpnMf=fL`6h~*9-;E$S|xGY@(QuyJu
zNLD|R@PveUH(a&cjbw_sn<XLU-})+z#{;kI>KW3z3X+6}(1RXn^maPf^l&#-Vk&XA
zZ$n5SZ@&1!Ged5tH|ZV#-<PY-@xh(F%8~L+UY;!~5t#LMjdF=6CJ7gc=7cGv^z*#b
z+2oDsmKb0iV4DW1BBB%Z2Si&8cd6rnGm;1;)3jeUEBW~T%GK-Ny$k1hZdnIS=n1XA
zXx81S>2JkF?teXh-;l7sN$NyH)lTa9KsChDF^pxOo?5v+Ii1iF^h{G?S4$PO(pPd+
zK4A^~)KVZ>t=2<NE?<6UCgI5)+>vQ05W7J?6Imj{F*)qaLIccp@am^+s!bnEV_JuL
zAUyBCu6(Mz@x}Pbxc%nW4P;;-*V%I-cp!~_a+);vses$O6+a;_OjJ&P{1qHAQleiT
z$KUo357seY&-;%?6~ev@qDy}o%zv|0{wD1Fzo71aPFnx5W6G`^m{YSX&=%c7vq$%C
zdH^{#{w-02k4)~n@dhK0B9Fuz#+}T<k>Qp?_cj7fw9kAi2cp9Gyrp|YVka7Ig|V?Q
z$^n8vlpaNIq?SYwh#qF$XPd{W1-Y+uuWo3RaomX7PvV^+RM;ET$7lj*L`@r$Zs+}t
zLs{7Ufi+Su>}Gw?0L$KYUsAP6DLh9=!AkKQ_x6O0@v1QE{4q}-*_C0noMI7j_+2yF
zDGpUS(11_uW_jrEJ8;KPN!G#4%aj-6t<oAWn-nFrZ7|R9_Q;(J`V?(O_tMj`2?nkC
z&^_9>{#O~=P$drW!Jh8fmbY;Y*QCK7%T_EQ>E>XZdnbYy`%slPIkII(2_bux^=a~W
z+vGW#+Z{*<@PyBV{%lSA#capqjB#Fph{az_m;mM*Pb>)e$f~BUuPTr-$-)uEseYYu
zk@FN?cnBdh5VnSXq009}PB26i{jfBRqAHa&L-7`4Xp+=dm8)b~o~U4XU{ag6*Gg_z
z7(Uyf)`bI67dhv<NIz->Bq6HXkd5nLa#O|Rh*`wO3vJB7AmElQmAA}`HLv-3{qij8
zeHv!=y#HAu0>z`jlxpH9y8N6$a}bR~kC+<{E$yb2OgrU(I!aQqP@}*_fZ94MYt`qH
z!T6X>!~~v_$k_Y%2tTJ$27+FI{==0w%jWWX2pN17LVn3{6D7>}rcf$OI?_ny6Qyz|
zrl>Dy9m3j??JKaK)v)d{k|JoKj<7nz5+Bs@Hi+HLioVjp-Q60(ZS%Q5dblvVIB4qS
z2n4#jg6hP!ihg~sel;K=luCZ78#|vhu-KpHq0JUhboC&^in=xf)3=ToM_#1?W}i-u
zflz3(bzBGZirQ+{E2ht`9u&GLkFIV=s4I~s-Vmi=yXj<K9F#mVpX}7Ns85kxD5bud
zu|Rv3^ysrHCw$qYtd`m`^AngeU~W_Id#R34f;ZL2Q8qcWt?+wh54{BMZs@HwVB@#+
z{JcC6>&S3R^^i$#cXH+Z;N{bfWzAg?(rMl{IX8ob%)Qr_Lt*7};5t`sK42W;%rPfh
zoa9uk7vf@i>|aNSr#)$dP{PGmlu6-A88nm<4-@HS_@Hhc`HMLZ{gX<LzQX}M0rWw)
z|F=koi@-#4Aj}YMz!z*N=mK)CyV074<VQjE*Jf}c?><AC)+gLk5r&mZ`;p_-^Jcs8
z#r`o+=84k6%CqX_*}od%@b_`gcB5&p52PHN92*;WW3<|>+N>$}ks=V_y6CkS-xgAT
zg3x2e#wMNpEI2j!v5b_oTe-Bx$edFldVwsyowwhrn!VwzB46TVV2PHvSaKN-ih9Zu
zYll;S2~%zhJA|&5<16N8pwvU;b9$qGia7#d;I!3vlSD)pgw16+sm<=ww6cBXLE4A*
zn{{2Dny+A&uR9y9`XSXr`btnCET*QG1yqz{C_qbQI6i^1>}qGGe%Xw;eFUb+@6NF@
zbKEi?1m;ONXf^E@DI;DBs&_dkL(hj7OP$IZW>J)Zs3A1+YTkE1sw^T=zT*Cw3uY7}
z3u>}n`qeX2nFDD+-v9}??pfYaL~XjdEm6S*en&!-8D9~-uw9zl!M@pGRwP`3f!+(V
z+>n+HLiOxpsg&j8*D=M{gMIwlxBLos+BXX;WF6^KOP<o>N*>zejj;({B+4Z@2Dm7A
zdU}YO!RQ56^m^SZ)$yIq=XIC!ocNvy^gX$Gn&{Q<qq|4zkpObTN_Tcy?)`}RO0_Lx
zdi!PlnXqT)%1#kU(H;Zfm&vqpmHlgMjq=v;0y0vW)2p3<Y+oP4ouHnMK0auXH22lt
z-ii>t;`nok#s7XiajIx_y4ZjRVrU{t;J5CdpluvYI(znnp+E;iR=)L8300A%&lRw3
zX@WaHx3MC)y}8s2MsV+{6%uxQT-r6b#t0Nr{v(;{clY21$Jb)Q=0Xx5j;8`8Nm7JS
z=m5&lg+MJSFxAZ0TXI!q()gi~qYYUhCnk=7c=S{r8GC30VcTJ{HQWQ~0}5oJQEtt{
zUL_RaM<*~N^-D^*>8B5r&p;tScusU;U}?lHd^&I0s*!a44u&<9Z->7!73-;0k$PBi
zRXHH>87ki}ZBs?0%M{}7Z!m6&s^GMa04fQ5_^6T?JdZUWSiN$I#_|j>EY?w&HGPAO
z-KKlrbT`5$ps>t8zIFdL`t!p4_>bLBGx6LXmWJdPw#B+6v>&pExre;1qcyrl_!3TN
zQZRorzNiQOZ80$!zG~C$bv}fWG1mg*%$}YW4H5NMD@}t>tDY`=`qA|{Y!%pGaaj)!
zqYD;En%2wh^HmWdbIW$~;ttf8>~lBosOI=V`DeMfj9CA=JP<Hrl)w*nw4x$9TU`=<
zG1AIJIdFKQJO|}|s4T+2554y#A3Sr=7fxY%HJnGQbrsgBGzsitYV=603?AD6R>S@3
zJeJx%CO+Msln<vY7I$j{{0(Erl(byv#Gt77${Iug%pI<$wm}Jl$ee|`F}ri2QodkV
z=RM<FdRYq|qf=*q9SS2`yw^>sH?EVh>lJd@SsPEIzmM;vOp5C~qHHys8x6RD=Iftc
zq@@Wugi947!m7~jVM{ZYcRX&+jqZP2eA?GsziNL05lBMxD*A+c*z$!L!2a<>b#$WQ
z)08hcTk+E#DAlY7?6<9171=XcUy^uvWgf=-$lTPTpzDa@;4-@<sf8YY1v-rviTB6o
zDu^_ca7f;v7?yDh`Kc8M+aMz`Y?g`zPGN-9Io$K=k~1ik%0|Ap?`gsJ-EB7ZK0~>@
z`evIZy^+>xt?%Xce7D{e-Z!VDYZ{^*zWle_+Yfq};A$BKY}7g>3SEV%=9uqWKP$N#
z<15V!b+bsUfvCe@<ZM7iSoRC4mHD_S%$fJkQg28oR@KhwA|d&_@mp;^Qq|pHjN2@p
zWp(E+96e{1qbZV?HyAv2@$Yvh`l*6`LU%TIj568;2ptQvNtSvlW1N^HC~~w2v19d6
zWwjeNYQTL4*%vnL!Ky4MMbJEs;Vssy71T2hE~xD20JhuK7oA(aeAb0b12;yYUU+P9
zIIZG+JF=u8wbGk<5<Mwa94*^gJ}%RL6#+5nHr+&abp_FxdO)kp?gJ|i%kLb6xsD>M
z2Am(=ub`^%6rKsEPHd0xWdn9s2%|%kBI>c4a^k@*&;TxfnAtzUawOUUq{_Rd2l=(y
z1MM1=M<|_VKcly7V$|UfVp+7**v~4lK4n($wj_F7yI=AlS6N}1x7JnVdY!W3%g$#(
zTkkwfJHE_LdwyCDEh~C9ffST#4<;O(6N|i*NW#-qBOg>br%a-v*Q*OgOGX9&oq;fD
z@u$IgH~$lNj8uOar7`0z*Hc9FXODllu0NWr;bR4?qOfPGdSrhqN=hv)G*zm4gb$d%
zKL(-y9J~M9xXX#5?WJLPC~g$;7JMG}j0um=tKbrC(ivYonAU7RhxxdyzpzbIPU!dZ
z++AQ@xQXP?t5<vc4qz({mCI9JV=}LWj}?PoV(0P+JRj&8aAfRoq6eV+inR5(uWcR*
zs>+}m0_GaV8x62>T(cQqUG82YBiek$*DP`#BeIBPMR+D6k46kt)UCA@h#6`3gUAMa
zXk}fiCOHSU203z1GzK?j?rtgoxxrG45Nr4-**Uigv=`^fV-U(c5u@%fGY$ehTOEXg
z4GNy;)lSeT-w18^j&FMV;MeOppzozGHD0~5<i13Caxt6IIU#(=d;3=rHIqOuW8ooM
zFKN>$waGxf^8=7B&e=q>MvvIe%S<QUSahMb;*K%%gnGLO3_le>BjQOYyTFc{u#C-@
zSq+H&4?GCNJw`k?-u>kW1=*BSHHQatbXMv=RDV^O;AH&<&7+y|mg0a$5gYWva?=An
zZ+e<RC7fx)Zj%(FS&j(<%4=g!V9R>X<AsdNV6X0UBl$sGLEpO>x%zpAx)<H-g~f!$
zwC7~6GO&AJ5bXEV;>(t7{%Q)<pbu7Fd5*y0Mb;;BG4WA|hD~if5mSd5auyeBO1fsD
zh?#d=5M00TTo$%$IZ!3-K&Wj`syT1<XYWwXn3c%oVGf|%{PPsY`8VBF4Vb^b>6oG6
zXHM_~$U_nDh)q=E91h(WoM-_x<-RFUXO<#fJ+KcFio3si+AHUK6wHvpRd|gF2!iIj
zmuw7rC5AcLs;)-A$-i!63z5CGj|?Y|AgpB@35BW3=)Zp}_gvPdfH0)K>e*BgqE4My
zY!+}q=F`tVLt$#7IbDMVH#pyYW6f^NhYt0>v-Zdz%QXsX8Bybg(#yKMLw;|yUfMCb
zHejgS>x^ii=(nig4av;c3UTRhE0>X`c_`w|+jbjYB<m8E$>73mSGekX@T<bvP81pK
zX6WusPP;+B$b|iV$OXoWl~I2V%{PjR+BY10pU{KKfHLO^ZK)wNy%8?6G_Ovql<7a0
zKU^in=&TVh@qP;~b+l`cJpJVCC2gj*u$SU#Dh<3xV_R{pfS8q<koLK`Ah0azMuWUa
zy8}Y?fIkg-D5m=K@K%SqU;!1`QG6`V^7?0Jci`NSx3HDIxk5_@8;qLdXn2j)M$RE6
zMJjqWb>0Lyz^=t>+3{?0inJc+e4dcdpDj6OaN)hd8ht0W@1tGYL*D})p4wklj8{W7
z+#OYd0lz4}>W41qdqE;cLP37=nho5rNoyqZI^`o%Fl9VUnqyg40$dxr<!OE!CkuIV
zD%*1Ovmcf&iTjvj-XS-e`(;5sf13>SY8`|%^pRztS~Ix=gvnNz!>@@_Fw|zAnLXdR
z_d?nB2jWus^&#0qD=Y0j9$f4$v7gB&n?vSw12Quw*RnphHP@lx_@++%GSyk-!^Wg~
z>V2K}gq0~)Qn&C;kg(Jud4;4J+>QD~403Fl_qq3VFuSxxeA|jt=v8=-zPW-!8%{N1
zhuiz*VMAfS^Ey=Mn6n(8Y-XW-rEA<)eyVxRgVeQGtIPCciWOg_OVjFknxTvFFZyx<
zV++_5ZhvT54>ZGm5l)n4r^9aLJS+;l*q`tB-U>DpX(!+??FsIy-9=nS>{D#d@_=iY
zj@6luo;Nd(uK$N?Z}(dNn{f}?$c-|;Rg&s63lwt#(v9?NSB6-BFswF7rAoJ0LM@=<
zi+yU>J9|M<sl*d;>zE|ZYes7#6wOF49_0rW=O^=5J`6aGQ{mcKI@|E<#neCD`E=jS
zB`G*SP(DueVyfQWDdt`8t@p^EE;8%;<2D4Z4^5!G<Y}af=2;G|(mfaF`(6}G*C2PH
z%{1~LT&hD@*urF~@vMGQC?(k@=}eZ#;+{SdV$gg^hmOA?AWywXRGXz~c}hu0Jh27&
zlO5xYIeVs`|8;2VsxbYLef&GkhMg075lCJO+-F&<G?^NMu6yc0;JcYgi0wi}@nsE$
zyV`;`rbifp7THf7d`JeXZ7RWDmSi)OOMkA}3MvW&<C*3VLs-c74Jy-C3#Girzrp<#
z_$bK@!8vuiw$Fm*c1m$Hz@=g=nm|vXU0&Y7ThXQ}a>a7X3g^6KzZ9>woyx<tKRSO8
z!;#pldw)tTxX2$lNAJLOgX8cKc0C5rGb*a{56@7K3np~oC8VQ!=!fv!IN?5r@5>8}
z<}|le!=0jM*5gpd;Do)mT&f1Lrk}GuhnTE+Py~S&40enpYOuC{4v3<pbtF7yzL>K!
zPDjCC?c_$Ucq>&g%CF((1!M?hW1grKo`U76Q9v&Jh@c|&+w1n0x*YxG?iduZpv%Vc
zO+^3}SyPk>Kjh*;KqqSP-?m+9XL~|P=pMZl@?IpTBX{p@Zc4X35UCLHZ`V3qf^6{-
zi-!vJt8FowLOjQ(_JjrI_#I+db$9!HF?cJZqNE~hQl(p(YLr9P!@}&vLZg{eHdsZq
zp0owYhJ=6y^kIiEWBOtV3qIfgvN1m*OLmZv1Zthu<k4B^_acAnY&UTSjZGBJc~sak
zjrY1MOSU|$cc@z#T@qo4Z1MBz^wzjgb3))XZW_aLK4G|f>b$yKGzCTUw)E{3cM-N1
zgXex#yDs4=f80Ng6aaI$uE5SETaxgnI<65TI?E3aTFOzDYc@3?p0S53rvu`F_4~)l
z2Ip%Yn^Ru${$Ij?{Wredj2*7Sb?_^P9bvDX>fqZfw3PhoGKy~t6h<EGhcUXE0aR#|
z?!@F3K`#B@%fZ<mz`Dwc)CVNC^~R#BOLZC#ys{A2kl=>0C2kM!`JK#I{t|7*^J^Pb
z`pKlznQ?$qks`x(>D$Z~1KCyWQJI5%rZzv*p=hGN5R{K4d?2Iyif|13Bb()Mvs-LR
z6M#=Bv&WG}%*hd&rh<UNbApPpLG#~Oo7ituTYWYL9sre`*gJ^8w++BHJ|ww*ggY>6
zUY%y?^GKGAs~#Wj<3GkZ$VjC;I(tmHY%_d7riQousFdTDzptQ8lWg+AiiJ<dCymmb
zx(7>KpTG;GTn1=DV~b_HswP)ly-418x_Rw_0W)B{5#X>_{`U8B9ow5ho?fCgdm(4V
zS;<MOTehu(n8ZPq=6C#UWE9j)RjyRCp{EkBm4>>dKa#xG7e~(~uHx-7I`R)HB&+!C
zsk<;{0_&v^h2=X4-H+UtM%wtl1rqO+x?xI~&b2Zb3y;rgG#ttGZP^oCNBIW}gNJ7E
zMP{2@=FHi$A!JLb8+j9Zn!$_c>3%LSxhHZ+q>r^-lGYngR&<Nv^w+PC|AO8})alIj
z@f7**&$wp|f=gOtDnCQ8tT?KMs6dv_*yp!5658FvdiA|9ZINCVWWKZ#shyZCUuWtG
z5BHUDi@B6(Pjn-kG4?(O7ce>8ZPLp)-oxZhZ*!>zh&d>y`|`slf+ic=rhr$skWliM
zMeDaMVy}TnU#mJAQV339ydLjDI2dmc_LNsJZX|dVUM73n?lo+&qSu9+#7B8DeCCm0
zYNER4krD$|gQ!e2!799ytqsykETx}Z&_q8EGao4BrE8sd6fbI~?=VtiYI@3hS!AiF
zrHxpH*7EksAQ_CeR&K=NGs^E^s(-JUcB(_fHqTC&JyD8xBm|~hNJ*z7zF`!R%(R5;
z)EM{?N^(+r|4tr<dce)-r4g?v0P_zx$~5>{pWKBUq^32v9T71{e3!9#W|D1!BK)R*
zjG0mFU@CT^xA81&sRw;n_kEGE!GC@^+~8ha^Anz0)ALA!`lJ^@h3foi`h*n{!^!;(
zraZHD`tVZvb4K8vH0)CEw$^~@Ma={Wx<?QvfdhrY?}Cs4cVa;ubeyiN<=vx8yNGHH
zA}N!{3}n4nFNA=<;C1gTeN|PSh9FzMt8huL_x^bF*VEoE^*rtVSLycFjLC-#MlDRD
zhAyNBjzq0~3m!uZ-_8-*_Ae3<<O$(7zwC6yY=Cs+x7uXs1~f&QU}-W{OyJpp%0^D?
zX<de4Yv*ApqoS>8U<x^hlCeuRKRxfEEKo;)eQ9*$KMz(V6vwFvn}2GGyGlj&P$Y|L
z6HQ+ltk%SnX7c3Vc9|C<E3<;T5?b)4A8WJgw`=Nuj(bqvyC9z@e0kS`m&_}0=F-w@
z-n@3C?(%R`bKB)P+;Sbs6P~Y5+B<TTBaEMHf*4-L&smz7TS|-Mrr#j5{e2nx?{9=)
zyz_?DSdL-5XUs`va{B)FB<zh>GxwbpHwUX=O=DYGlegGN-!xZMl|}lR8>~K==3IPH
zag!;*ia;{n5lF^V?Huf1kPJE6e?>C9C>#4y1H3IKz8OwT(&rw0*u?A$f&)pP<uWzx
zil3q0qizERx?Eb>;y0F1fb^(q8HjLUY67D<gxmlY(QmO^0`Ait5Xha0k_IyGCstxC
zf9z8=?qM=wFq*laBl#emz$8xT6orDaW$4r2Ao=-fYe}0aOyR3b##St(P1}=fl}QWH
zzzn0lq^mo79}OmMY7HXGx(}qrgA0?MHTPL@QlGyEr$U>Lf5J5(br@BH1f{_)`*Ln=
zb^TW2;#tuCWrVF@f(PB~wKkf*yLgTMo_+PcTs2_9kmmHIJ>Z=xCT3MOD}$<t_Dk8~
z(N<awt}U|@V{V0*DE!!@3wB0q#qN0nTiLgR$i(1_c+*oMCjtaYXl+o;`JE5nF0IT1
zG_Yjqa{Lif$OksY(V+>M!i(O4GLIRuw4ZSJu=JFk(Rf15%3oTn0cUtyl%1EZx|!k>
zY~%(VN&k1K0_pJIsRC5)E0oW)wn)o+MlE$F4)0|x+eTx)B$^UkCb}_5N(q5tYIS=m
zv=DD~W(TrDR^CfJau3FZIfYI+IImQ+x0QcV8PBSH-uY;2OT^JM^{{{YtgHWVMfphn
zwJmJk_~K&$Qe^4oE&nO62U}KLI?_A%yA;p&RfEX<_uL=5UOIie_TPpa7^PBTt9z%E
zp<yzn%h9*PaBefHr4sGEy9L<6nIDEd^FAA%8tpsg5BC&rHtEL$+c-@C3FI^&fp8kh
z`7n5}S{mlndOoOj*uZBP3V`ae71ADjrnO!7@eg<dWrUtSq22v2>((;}QPgCnK=Lm3
z`~U)kl0=d28obHp1K&OmP?4j-?;l6c>W7o5i!Z0E-ud|Rn*DaPYiXpw&C|WKvc8<#
zb=wEDnTmX2A$o0i*zj?)!|I$4$m<Ez|6*PC%e{rQIx)&bW&A5_$2#W(VYz2^{jHy#
z1_-E=P+ff(vh9_WR*Pu=&CpPDNR#lB^$@G^{V^*ev|)cRZ(Cm9U7JfoB0sauL2FRX
z$#)e-_Z<&k#DnnF9_EXWhXGCbaa|{MV*HkxQJ0MDI`Zz!TYPB%B@G0YJ-lB)TT|7)
zwtd%{(v;}PeEs8P5=><5n)wB6_jF%3yZv}$Yd(My8%UCAUBz(@YuHavtoE#%x(c>Z
zJO1>K4QXOB@ov~qbHJ?P-I>{tFSFN{-8iogCNG@}FvyQ8FI<}%mvaw(i?95oU9l8C
zAnCBo?q)sADqiDWD!ipIRpg7c<Vm8U;{XRROxq2glYTP71{S@dFXCv}lQc25l)diY
zd@bC2qTwF)*<r61WUlURcN${Hc_x&#2qV6gy#7n@gHhW)YI$!z{6*u4XWE@fnSpmi
zf7x}Swj&@*KQF&(qIL;ZbIL(Mt8-(_Huh3vhe>Xbu%DcZEl*`+muDwaVUP{ub`dME
zpSH2h{w1AG;^J6QuhQ0v-!v>Z_E~yRPo`**L0M&qinEf?RlIVkWxV`a>jXG<BY3dx
z+&fH_Y+80v;M<>Iz0KD`k8XwMs^+kUf|V95rbp5yeAP<nk-P>8FT}a7qhr#U-e3os
zo{VRGM_5)YuWgTQeCVzGx?nJ(5k;~uhl-k}vS*CdcD#hQ-W<3)$;}{XieEI=_N>I%
z-N@_2s+f7;cZyRD$K{&BlCG*SV75Qs$C8JstRp`fwnclGIwkE(G&J6EzB@uW>|&zq
zD|E>*nNtaN>SVYWHOa|9RZ|0&aZI~E8Polfe)r=G?=>7bcK(A{i0C<a@6kp2oc%Fp
z|J`3WGY81d0jEFhWa37`K)Q&Z`1{O~P6$%VW@%8{Y8<+}$Xu9B`9-RNP08#HEQD<#
z;Wh|?ek4P^D;RUx&BrbJx0#;2tNk{-;_u4rUYK378tnW^x%^JP@_S)HQN<(b#i0k&
z6ayDa0~g-xFTHbHfTe<Mg5R<Vb~edUGJluV-!#mHQq>^6d^$g6vEf4Z#|2N3t@2Qg
zEN2cxCT2C0$y`_1@40PG=XRj8^&INS`yA_h;hFhnW>EH`V3E6I_m&zv-0p6J@xwb7
zb4I6hPOQ~jocwBcQ+e{f(MyeU58T_o_X4}U>8|M`m^`zUUrP6=&1PQ<+s*X7h0;1_
z0K6@t;YMz%VQA>3Mz3IHe6B&x#&ps~5LCA9#T4&T=T6hEHkfkT7PKEGc})|}j^IW~
z=NwAt34UG(Uyu5tl4qC5iWk#DOhLnpAd+8*)v~#%4reD3k3NHqAW7Jf5xwbZ32<AX
z`&#S%+)|<eRrWK;cTY)DgZBspe#*~o2RwNCBCShPmeOrLP}B%<o_2O%0DtW5;4p|=
zOF#QX%x)>DFm)w8tkT5q%IA2uBppWN_~77ux@88YB+&qJ&z7PYtQL9d+AY(08^@>0
zG6ogiLSaE?`ft2N^R2{)RS*@PfakT`Y4XIgkvth^GC&k5Z$5)8es1jk`bORnH*YJE
zD<ODo#m}UyLbdiz0Rx8Ky6d{;>P-oEcP>d_OwgeXR$rKmm&Xx13z-(krXkyu$K_C;
z#V#w$LbiUkam5N^X?|P$x^ZdIg&l3N2HO{-!xuT~K@R0*7jcaokY{4@bx~1ZFOe<d
zO-uJ+dYg{@g!k);6{~jHrbEL@av3u|P!{(W?ycXUOptoh)6|o?@&h+huuB8qFQ&HO
zGYa!;B=w`s{KgT4!*H0j%s(+R8hg8K%Bl6~mh#L2`oYoj&=HgBPIB^13E#uhw~b@f
z&sjR%O(2ikG0vDllGb|IMr`ndW*5qvzLWou<7aBj3gb0mk>DACpa24II?(263M{4<
zGF8f_WTVBAZY;51KJ~RyAI$NEF2j*}-9X=5|7P84u@U{5fF#whi_F*2g*{~<WxQL_
z52w#BXwKzF5X*1*Fn4o@<~e-RVT7icij6@Bb9I^4^$CxCn)JY|NC4_RvcfvWDi<l;
z$DFGRclThYWuQ(91w|+EcuwOv^d8}uWRtlcWxc83h+0Zsa$=ylS``zxPyXSAU==Nu
zdL~PaiekR~>!tT=_qrG^G~74w`0e7Q>A9PgOQTToq9$L`FlM9+#W!KJ1>~ZQ+6Y2)
zE6dUfUxMf@EF6;ZDo<;WCmp+13p;nP*r~|Xs!&^B96u8<p1+8LPL`;2_7u$dv}k0}
z_MMeX+Tj&9iV_y2XOTF&`OOh6V}rP|t<%-jRQtO5c16g-wK^5kCAt5nx%ZB0YJ0nd
ztp|}KD56+^C{;v2P<n|9h)7dZIs^qog@}N3k{nT_O0ObBx*kfT1f+zBNbf}gM2Jc#
zF@!(}frONAbI$o4eed_)G436Ad}aR!BiY$yt!K?OpXZr#QG<-X3h1Zyo+OCXsL$Cj
z8=|XP+5<px{7@vlnsH;Sakg#|Sqt5?Jua7h-c@rQ+CK1cH9vWz?O9!{Q{!M_-lo}#
zD~*iy*)jNw99|Jo9yI3x1bgvUpSNEJonOtXiCe|`K*hvL4Hlaol7UM0I@3>)kk~ZX
zg*8Zu7h~)lqelDhxeURZW~MyvwwQB4&eLZ+cx46UfqJ|$j}_Rcx+_e$<I<I3zg+wR
zak91-I@@)x9$$MTnmx<H+wu!v$XGaZ8j_%{L}P~9-)qZh`4o4Fc%`bt=jH%~%1b)?
zd@AG?(ko+Q8t{7|>t$yJ^TmO^URnG7XqKr^*UdN#n=&N+SVK`!y4aBTU7Qkfi(WE5
zKNvTq^KqDS1ALDD#p1GMa=o`fV{=+4i93WleY9a9b@Hx%?~Yf$gfxsaN9!8s;q7z!
z-xP4_(iZ^cWLfhkxC0tdllK(_YHUaXIA+`5(v^P$nX}%z5tsR^0D`6~Vi%}LGpO>@
zC!00_*u43MPxw)N{deM<LqY=|jlFZr!TAZ~Q$fx<7X|;r@ccgx#&ViMkE6?H-XhB1
zakPgbH;+wLEy>gZ6|jHI|589>74#k(e5lqbVJiuB^8{cqQW^34w=JFZrBL;)_J3Sv
z;BFzv*{<dq^}a>fR(zvCOt6K%xI&lZpNf@v?{B?8!kUkG<fq&REo;BjcV};9tUezx
zs!t%J%Poq>HLDm$6FdH7UOrA-sq})@UyhkhG6y;e`V{I-8!KnE)Q>Op<>4>aqtD!L
zR*d*Ei1UnE0z=Q;hh(D4#JlnJh~NISoy_-J<#u^a&PO&MUTAs*vGMtS#~k&!5pmd6
z(>7EB)Cs+_I5|oNf6?EL`$fCT;IP@BZXTxLRXeg)FA9CMeA-<b>Qk!+do_!@(Nscg
zmm!vtI+pLeQd~$qcuqXS;3GGljGQZ*U0*l6`rxzuJYm)9{Cn_}kVw6oVlZ^Rr!9hU
zOkf>hfC4<+L;d|cmZqc!`m&`xf-LLiB;K;qmsxRbDR*Xwrj@O_{hP0ie>4)wvUhr(
zSCmfr>3+ea!TXh5Y2Iwj1^Y!1{(&OqNYo@<jj+T{B93X#b5kVre;X#(W7l)A2-SVe
z#(~u5Up(-S1oWSOEBd+0v{=zng;rbh9!i54#AP+HvypBxP9VVy(zT=FzxCMqoqEjI
zL37ZWk`uqvv%z?RFufx=8p&pzxbI&ZNw}jt)d6}*R=XRMqiT(s{^AQ{EY&9zyKXL?
zBjrMm_30!a+{ZM0ML|dG`FNSN(@KX=BkoV|b&KVheblZ`)`crpW@jO?;}7bSd`D{^
z`4rE-xhL(K`}}ujZ)MZy>fz>GX7j*IB+lRtueiz&W@&erF0f|*@<u1j&3Q;`v2ntC
zXA<i1VjQLJsnZ(Az9ab4RftB?3T1vKJs?^@(Ky8Vyua;Cf}j)FP<;p&9-s%Iz4#o=
zAd5+jjBkfo1`#4u4s>e{!ivw3{Ec>G+ZqbuoxyTdl$QhFh)?UM;`>6{p{B0Jpf`+C
zJo)G^n`!0X?#R@IWetf}#Qj-<cY+0BgEd&@TBN7{6|s)&or&Nt{(?B}qees6hJRH(
zI*gZU*qH|%_Irq&6mx$Fwh1X8`_Y%P8Dri=!8rYRN<D9LBfaxCOsjufj-M<^joI08
z3H;kZNz1cT;crdawU;)_i=?;Zyg#qXr~Z&M8Xag*0I|nUI1r>_84o4>qA9;k88KSm
zfvvg$m|;}i^9Ei4<BBrRENYPJH4)fSd;NDDi~nk5ReBki5!<orOlP%O7#8)=CZI}H
zdE?%RHJgD{D3R$pRe)Xt;45AwDs2L#T3g%kWr=c)0M5G7zFqw3p{>Q*UHP)!%gSr`
zHhnq!fFmXh?>>q@Js=9EI)s)N`B^w{PtNki&fAipKdiE~d&i#^x7EJzBXo|3{33@M
zH42e2B%!tAq5%_1##uQ^NZ8}dRZlm`P<u?s-|%HVP6(NnLm#JCON^|-vTLU;E~gcC
zk*|6ukg@UBy{9&%F*4EDyd34a^y5E!20IkuCI#hNu95e)fwh_Bp@j_G%lWnSy7c;Y
z{kUq%bdw*VAyiJ(sC4`o6a=<;7O@dSS5<jAKTtK`<2ic`KDK&hd~DNvf9U6iHyg=X
zBS-4fab?h9mvU6Lo5L~0G3N1rBPtD9^U-V975e-1YF4HXd=D<z7{rBz!l7%|v=dZ|
zxtERGh^@1matFIKUsJAUE(#|^&ycn6O)b8Z%zklD%0|ONbSbbhI`#$2+35&qeBUo+
zv*(38Nr}VS_e$L^ieKnEc}iQeVW(BIGw37zr2RqhOlvt=DehS>94<QZZf)z!R;Yc!
zRf!)v-&W2nH~fPUylX66<j#$W+y4I-?6pa%l&{(AROFA}iy4|!VsY=|FWwu^Kg+7U
zL;$sWJmJvA%(Z@+7Xq%EM0tJNyQ3|3;``^H-qpWA3SK*T6ZCF)`=IzAld7M`gEL4V
zb_oB)yDz*}jt%7vJCpnL$Vc(;rQ@6BRVhaul5?_h_t`%SiBt_ZBGi8urgaACbEV?H
zLxont*L%FzDrO$`aNLvXcZA+*I3x392=jW+TDR-stJ7n~*`y;DLB}<`toLvZGp}~U
z-ycwKcyUMh4lq7W9ruD-*6#62CrTjsFGohqyABu0nIf6o=&_-Y&Vl*v1LW7#=%US%
zP^S(fqqB2&c*uko{!l_(u!Z6JhfkLrA9svN*K4oei%HqHD*j7tVo2AGO_zMZD?k3w
z1f8F1d88}S9ytieRAiPsWj8#n(*sP2grZ+CB3kWr4)oTHEi>qxe<si77#~Du3oky@
z9juL76J+Cy(r%W;^0gibTy?zeSPPUb>(-exgs3~c3ywJ?g?H&Vhn4B*sgix}YS{6?
zIZbI|o}#t`<QWo@rI{Gqj!V)jcz?gwDT;F!=0KVsOV=W1KOJjlpN42$S05i=nvu?<
zq`=4E-63`Cbk0aE6y!PMmU8#^`R2Y2yCCPAz73hn0hOMj$5erBFx(7|QMX{oZ2CIm
zyVIeCuKIO#OQi1N=iKp_>ZR*H>(yN3fjG;|3VUs}wIdki>+}8Ey+L@dE*Q^BJTEb}
zCN{MFDysguTBM@F<{v+>vJ;Etw<-7ifBZEDnrk!8%I!<b>1~1Q>Nc)aBgTft8gmh2
z)f@T`vMcqYT~A7rv<9G$eW4C>wKTVyFHna#L#{6eTDFVdMXK^m7)AIn!cw68{khD{
z>rrAR49)l-^&AdZxc!|2>PHGin4n`P;fL`!caHkUO5}@?2NqLxpFTgIAI?W*M>%4+
zYn-%sn}MX)yvKU)jeQ-?QyW5!Z5t3jJf7#`yB17T*P-`tb-v0|V3xg%!FrYzKod?V
z9GG&@*Y`)}l{c3(v7b!c3`LYxInCrg>}!<ikN>w`w2sdwe<kdVP~E$u$mKLoF*Bg$
zAXoQialo~+PuyA;ruH>Q0j)vXEPp8_>2+v9UjMh|NnX(TjLOQbl}m)+gYZ`_b6TR-
zpjg(-u9p!B)4C3bQ4sd*a?@|)|7uJBp9u5<7xF(BSH$QAy+R%8hv)>at3Pn)xWTi(
zz3HDXw60d;K4t0!)Z}d&;QLt*Q@H#HC|vbwl*kY@+xzyyyF8aW0!Ke?wLg4W_i`rW
zE}>MYdnKA(l419uFDJ~O*9D4-tiB4<woXRgbhu;SQ+f=%8K%;2C^w@2)&D%Kd&8y#
zA6Tjq;|s!hI^>vD`nXZfok+N~`a->P#&u%S_k{>XDmw_FnQh~n5#ZY6=cPWFZBX~Z
z*VAq|%wcbR9%^T(kel7?<PrScoa_B*p2n4D33b60T$tmcFqm5A<b>?!RGV?W$om$n
zO<@XAc3Ha`A3_g`KE-%kJp>ps&3d?RPRHFD@7Znq6K(F)dVR~J<8v2Zho10{#~V|L
znKvUzk3UTLUV}X8B?&GXpSXH6;G0({OS1=65@gAbuQxFUKNp?xx>)jRl=NOqxH!;}
zciux0i<PqyE*{h7<z^I8xR1fth{<RoI!9S9kfL^YiTB)@*&x3DW3K;8qe*VIhDrZ2
zFxd30n2O)lj;7##1)q32+CibM?1#=_@fh<vOg!E7Bx;JDa)K;G#+U@utrCe4ygk{!
zOCoXhL6`W%1xV@S4YOW#b6*95J5NOKaIU=k;kkOsc-EE6d6WeE`N`%-Za*Qz0w}ZR
ziKXD(tgvgTt@uYD#FEn<!!#Y|TC?@9%<Y^$KPDzPl~>I!uGIdNzVd?TaiXhERpr2s
zrw?HJ(c1W(_bW4&W`sCv$Ii7`94)o+epnxX@XKCIcRS6<dOV>1VlJlxt4cmzA1m}b
zUT_AAaXNF8J6t7{s&y&rnZK`0Fxy@`&tw&u^+<ZNu44><qI1Fuv6kJ(&buv#gxXzw
zmBv`>U5814n<Ru?Ow!A9$f4a;uOV-6!>=waNv+28-zN0Ik4J?Sxq5hE#TWmi;<Wpv
ztT(jFW!4{iJvEtoi#*nN0etvwXglSqrJV!*o=N&{@MF779a>(qb)7?Fu}9&`)M9}N
z;Vtw+M`S|U^W3DkOL$NcbtdQ!*I#fa^}{Pc|8IHfpwZzc%HqzeVyv@&F@^!BO#s;v
zgL?4(KtbHM?X?E5Yk%X;$C(oUFowoi_<=O%Qgn#le6!zhYK5FmaAOpd>?WDu-6cHn
zI%V<vJHLKuj4X(0yU^kCQSPJy|NlN^xX+(wOi6O)X6?`8OjJ?Bp#?`O)()l$x+~ft
z7DW^IZ4*n*>K*^sEOWRVi5pCaSnMc9nl*Nw-IS{;DC%q~3++2H@*?OS>rs<+9X`ms
zRz2Vq46|Y8<C6g}HG@@_c+iU8t)9JqY4mLS+v<d|-CSnZt!(X6rP4CuJB~+c{OWcN
z>Q%(3NwF`gVXPwqw%9}29iO+`%H5X&*h4o<V4N)34U98ZUs+FIa+lLn|GN<eV31RM
z+^tl;u}}qv&UNdXP;W!~+WnIkXKXR)bw(lOltf{7bj3AxwQBUkwI0vD)#oPZ4@Ae9
zA+=N4flHQwRAT<ULk<O$nfaJ^`yolrvX@ucb_}hD<zn3fA-TKpAz1!9D0|UE5LJ(3
zQaIX6wE3~JwY4LqirIIOd@QAF9pSkJ{z5MnJUaiVO{pws9@v3TN8{SQnvH2Cd=7{X
zdxK&!bQ3-sY${<aI1Y?!mFa9P@@UKxU}7<h?UYdz4sy=!pvUs}pWM?0kncX(iz{!Q
z7HFT(2IiEsXz^1gi%g*V#x6?m#ihrur$bzNBVF}S&S0`TK4L=9JXHRB>!Z{U6FY<c
zen@@<&Ff{0ZtZswW}YbX?_zn=*Twb}BhjI=^YSPCf6|Gr`8UVN9TVf&q7nN|4c2{#
zvA*5GRuv_cGppSLa}vE=FI3WuVgvGEl5>}heuaM-KGbB-n&UgDn=*7Dt5(siFUage
zxb9IHVsyQ>zQbPS^J|a*+FUIyzFRO!{6&s#m!L<x`w;fvD$AZ#Kdx|_qO7h$c~H^j
z5i?dfgCEr22}OKbznScB{;DPRr%2&bV4TQFN%$vPN47oQV-{KWYCkD>UOiY(&W!Y7
zUN9bT*xe!+1^>)~ho9IY7+uHe{mcJ@tQYILE$({d-jL(hJ6^MAP0)QYk=3{s8f_hU
z)#Ks-`c^HFR!$(dsk~kwiA<cxPfE1Ikl*8d5q54BTUg4+SL5K6K+H9iZhQaRJFuFp
z_;1hZd|K~D40><vUo#nA1^818Ng!Z!rH&n=j(ixqU+z<(*i7jN4;ec@c{-FVnT!xL
z3b?tj>7mf>-J;FP-2*FI=*pYV8YE|-@#_~&pVxx(0hOB_@&7g{*70F>`e|!E=Q9Ov
zI=VG1^D+N*le@)Fiywl7rdj)siPs)~#y2i#8aX>UZSp3BahfjJ%4(qEvO~wt)p7vE
zgQOp<zZgd)X;shYEd<%t7N6+mBr5b=WofQH|GgK`$Pm2r9c%r&*_m<OwwNU7yO}IP
z@{Ie|`_6ZDL0!#QTxA@4lAxxCF%#?5ogsJTUjK4_PU#c8x*5nRdG?6W`Yw990=kEF
zwF#ucfil<H>keQ`@ZqZ5N@Oaf#B)-K>EYVbX?$?H-QfuCG^2u@JFgV-Nk7+wdyn~$
zl=a=;>yyLQt=B;3ae8`RZGVz%?^1PVTiIs%N9J1XS#~lxr2U!_=T}=WTQsD9WbX=E
z%eMIGT+>4Ze!#x&HtF3N+X=p#Jeg2_j9Qsqxy9eiGL9kaC|N`)>_~5|I}YCT5Qk#O
zOb@+SYC-K$a*F2ROYOT#;?%V3YZd(*f>rI8Y85X_BI>#7)?vQdgQo4hdPz`6;_7<M
zV2sYw=%W#xNp1-<Z*uVjp49E%8`u8SpHN!Cq|B<|Le<Z$3LZg>YnIQA!b}~ZK}v1S
z5){&R$sTPwlin2nSw~_df4!HaFWS^ErN2~admJwrS~vU1(C0gp!dj@u#N|r+4Fm#k
z!aZZ?`NQV)-_tO^RV_YIR{td01ZZpmEy{mOn}afu`lPR2Ei0<|L^&BTa?BQKxE%EJ
zu>ss<J|Uo(@HhZ2um!s;cm9N3y$*l;#Ey83&@b50@c!S}@n+obURnJ5chOP<YR`p&
zsoNd@&DsAyOiu#t#Q*fnu8d->$Kg2(t*}FP?be0y00jQ9`m?2Ir@ZbLz<LK?(E(VT
zT{^uVFg+f>^c>KWfr+o{Wp6nfd-gVlM=EE!LF}{d2BdtWOzm#dl|#m-5#>Iok6-)p
zXZwIYB<|c$SB+4RxH(dlyXBGgATIw)$J(T|+zl@=yUpJ_T|b8v?4xbi*48>o8BsfB
zr$PO5X<v$_#%W^N`{;9n(1I`a>E{XQmmV&VKTPkmv#wWfueI|?^_!i%ex`RFnp=th
zi8g*3(DAgvmH6?_+yDp0yt;25s7&&-mTjqUz<+9Up=MdNy~_<{+D$ZT6dYmrI%RY}
z>~CLw|MP90;Hx=Jdaup=`ri0bj-bzR;gla|a|GWz2>wt=)DjBHEc0p<^}vsG*unMM
zLa&bZn`^UFnvQq~XwMQ2J7yElVrEz+TAoafUQ+T|^cZu!NgBFdviSrkrI$fb!nEo=
zQI(H)8uV@)<vq~$G&gNd`_g3M`+WVe=TcI)H$Q41v+3}!S><BXl)e1jTZGDmYhJ=V
zgkq3DFr^r|%MM{nHLq&Sk(1+1j@hG38GoFyF$F4TS@xfE@7$@qpX|U?+ALY9TsAYQ
zJUamG=r>f|3q_1-;}{r8f%Sd5zi9T-g?eW{$njO1>7VNU2Gw*C?7G^ZFQ&Bm%^W1X
zy50Mjr(opLpdEa~c8kuuOgooIbjZrwvvv`!A7!6IIa&Evs+s%0l4^$X5&t_vGiR`n
zIbgQquyEAmVWs{Wu|xXuo`Z=kWQx1IkM$((9AQ0}y&Q7o4;j1KfC{R7PdGf!+0<`u
zeL}B-b|g$=6MBM{7N1ke33yl93?XYK*nT6|q<<Ny+$Wn=0)Mc$gJYXXIa;Tn=MIGy
z$k-ib54r<2#*r-hsfU!8xk>GT)d{k&lG^R!Absm&A(ywFlVNkh%(r8s>O-SG!V~gN
zrUTTt7p1z!<fGmlA)$<pyP#f*&~4N&##2wHpJ;)s@(n0K7m{{Dw43I%=qJ0lb2!lA
z&E&K38j*5{6H8(h1yAh~MzMaj3?MH}`g)2FWin6?d*GK^&v7K7?MpQRmvrRJNg-7!
zb+O~M7P7RB^fO8Ow7V>J>deRKd2Mci%u7W6IVZ_iHXYXYuxR3urS_sEt#>}AB^FJ`
zk8y@4`=?nFb~S+qvrN4-7L=-l7>&p0D#>YZjM^v%gf<RgdR%(O@aSn4sC{wg{g~x7
z?NqcIrxKzo>vA#oBi(DyX1Z+++}QwFPC(gkRf=TmBC<0+U2?T*NzK(v<9i;dbp?2A
zGino)<35bF@8{auoL(xtGw9L(3qUB6)2{eT+Ly+s6e53QJ8Qu7Sk*<5jmAwBw*BGb
z8Ole02F6Lg8fKzx-P@hXSFJ+$M1KLGZ}k%ou_B9JjuJq%qqof#Z{sTYDt>G$OQ|`4
zy)0W*0#q~nmEQ~Q-}u9J!X&{QOjgk&)ZHgj+#IuRn!V?e@3qBMSq_KVI#mCc+;!?M
z!yD`w;b*ch;6MZ6^w};e%72r&W;-4@{9R$V=hMAhaF2dRd71&!ZlK!5fvRzF@fJD%
zyXl;nE79J$y4K_=x>>>%?LM-&dV#R}hwY$W%~IY0&hJMD15^V>*X>;JRg8usue!A7
zD<_qbgx1suKnY&RJwg%gEuu%_^jI?3BgbB4f7hu|?kVyt8p9jW1%!)5X|U|sVHF2_
zTep8Zr(%EhcqL<+!L25u9oG9yf7-e3)QWo+$)EB%Xmq=Y_{+YNCZJ@2rERxBO{znA
z*P{d-9fabTkBa8Yh2XVLnUukr49W8A;?F53m0f|#%70S81^zp9vMQIZ)vHJQJqt1R
zIgtq;TS`NgJR5a_oTw=o)2Sh3#YJ1$p+Fw4ymSjs3SprHCeCy-|GneQ_%N;K|7B>(
zuWcc0>VuQTzkyL@I5CdjFghbuMwdI9+xtskhc`=Vkf_xg|9A9y!78$inV5P|QV*qd
z;q5bd@yB0ozx~UZJ4-FH+WLQrTw$ju6R(Zl1fFt@TzTX<MwPJ_Kb^B%4`)4b_)4X2
zg=ohg`6V~po<?21boakdpv0gDs005;$W;^}t<yMv&CNKX8Bu$OeYmWE8a>z%lPeaI
z%a6&mYlMMn-0p2ky;NwBlh_Lr!ui~x6fTY2Z^}O|ia8RufS2z2T+c)PQc6S@>?M6Y
zBH=cA^0JKJDlk@xuYzEE%7q-}_Mhf^GrisPfP{+<fa8lXey@K_ln&ar;z!p1WraZ&
z^D8rIdbOc0PL^dr!L*W6z%yxbL(thcAB}-SZL`ji^SXg65QX1l4}0a_Y3o!UU+MMk
zTB$0F{&r+Y<(*BDDI+-a#fOfUxz4hJZn-P|ZUd(t9`h5ugS8`Av+B|Ag3P(sXcfXb
z+5zA3c-Ui11^=cTSppIO_L-L5j1e_x2D`e_omjx{J);=sc_`EdKHw*+cLy{eji?E$
zqnoX0tA8(-F~EZ+Ygfs+5;kq0a#9r0cE@G2b4i;}6$*uTZ)4_HEo0sXU5UrU<#WkG
z&zaYf;npS|+T(GNg<+lYGi-0isgr(TP(jt%!J@e+L9LKJHQ>n{`-?1fQ_ib<jxPE9
z_U{NZ=^SoaSOa8Rd^ZCAyQF((=GWB9%W}9{_lF9WmwTpa+pZ9mafJ35OAEeZk-To4
z(#e(oPk}DZ-O%T2uJNSoQ|C1ekIxMgn*{1khD7;y_o}IIr$24^a|@IKH?IG5hO+qP
zN-VXn=#96mL<q}(Nw1GecWhzd!k_Fj(Cu%CrI=y&{SM!`m8rM<Mdzv)@AeB8e)->F
z;U5LNo|ECaU+deKPg3=M@lpp)^*?7q|4$s!ev$Y8tCu48ufoZLXh=ksJ9fz?rZ%V-
zEg-oQavebS?}UER#kv-NjCD(4;@*SV0<tKJI;v7z+!Ks|(pI)UCm&#)w;tQJ&|i|q
zD|=;wq37l(Q%Y54zpv_jY4pzpdKiEYG5$*t$Y*#>p@<ey{MeQ@e`6RYM`K1u^zngD
znAld4{f;ft7^&8^q<jNFncw)+Sh&d#?6uxg4Wph3Ay|o6CH_sH<9YR$hpJT`o}N3>
z%^JQ-aS6+qOV|1=X8(L?QuXfp;!RB^OibDuKh^f}k7z9^{2woE#?qQ6<!ayi&jt!?
zX%6}PviUh==9?@g!*ESLZL*fR*e&*!m-!BmSN4ne4P#;P<HmQu>B!_!LvhT`w?V>P
zD&6l@e7s2th0L3kA0}T*&l{=hAQfwRZ<1v=4`9O^`KIm}YP%2GS&G_*`Q*`8Ju@Ut
z>zCTK5z<-(;n#K+;5M}5cCR(mcx*P}9zb>0s}R8DI3N4@(8r0lMy|X+sHI{KJ-wZJ
zNO?=o{)O`1-ha#9?5b0*8Ecc#o?7{9BWUM~c{ge@=NVO3H+@?Sdk(W|>jOfUt|BeA
zmrB~Abn0H~58s@?^~(9`Xl-bUY}+RGi(|mc-6^S=lhPrV4+-Af;hBto>@<yj4YUmb
zUG_~zK)Jr5=+3>jE={?cw|pYAukB9JtwSTzfxilC-Hpb*Z!g_Ek%dn|j7{p=S`LV_
zyrC`994}YtzlXywISE-6b;Gu&AFW!XMGfgq>MMN|Rec$PQVX=_=0RD&OJ?ov-TLpI
zxHFk?RVE+7cc9lcTgTt3cmO}q_r<>U5LqOAjs7L6oR02p4rxYf1AW&`E<a!2*=V1^
z!*X0Q;Ny5ZPx{NnmckH^h_BN_g9TULWE^o<(H0^fvcvSN=V9-(xT!Gf)XhEb=^gG!
zc*bGvPH~PqQ+@d%bmTP_kR<>|i32q&Pk$NCR;sV|?lIWm&>6jG)#7FmcMedaO4*n!
zeBY!_b-c2r!Z+4<?9XQ*`&^Ut`zY-WIcp6Whs?^%e=srSyJwC=Q*N8jG``!fIs$2g
zoPE3K-d^#cOR?$*<_o)_yvn<1-uC?cIAH%9MEbcka}l2LxRQ1aY?B{u+)%reqmGk~
zNxJzZm_K0agL6MW2pC>PCr(G)7La8+ojg9><#ULpqv;h#4BWM1Aqd<@$1f;>Zt;ZX
z^L&~x6?ErFJ)~1dJkBDzLn%FO7pN=G7T5<bpZ_<y{jUTeA^Wq;jRfAthz)$!<`~g_
zbloa{CtxaY!LVjaZ*AL$%K8T_L?Lbq_?|O@Re}gPog6mi0kggYPxov{0Qo5mJvp*%
z+X=}@`rp6iSnfje0j>L#D07CD^<d+Xu<^%~*ye>;3&c8=J4ITXhcC?+d(NWiX)3C<
zjyf3&7k=NiZT|si$kz8Cc~w}QWo9NYkE~W^TXKn(`WW6OmPhv^t<UvkKc?)||GIP7
zU+?nVpx;9o?ft;;F*MBn9|g5mgaMg#A;5H3F5B@AJ~lXXy{tJOkZ}8|RUO(wEYSZ^
zVAV3S3g)d^g6J1P=V8AaPisl?OdF}2?huAMiD$W4W2poC$_IBjM&A7OX8?gMpj&@D
zKu<|IQ^e|ti(iX0ipSoov=vU5@Gk(3EZ}jCqg^CZ(mr+~Hx451G;n`>E*;4T>&kf5
z%<jRm=`A33%g7p-+rbNJV6;KlZ6!jyWg%omk8PI0T(VZrnxY}!9pH^e-5bF_Z9QbR
zmFbE^zvwpz=e^ne{PP)6v)o;O1!0M}DZ*`<DDOMOtSuhP)Zi7@bK%r=`0W*g3N%-<
zOvIl4U(Qt&ZW7#a>7*Pv`90tm@BRFfZ3TAqE-R|{70`_YKjtZX&*tpW*dxUW(o^n>
zq0iCI2{>^F0a=s&2(I;f<4E>f=;$UI9vSmcbg|JU?6xe)mVPMi3^e=DX2=|KtpSZO
zlp~eSt3-$@jy%Jazeq^wBv5LB?)v8YROXhtLV$ASo}#ZS^V}~;0emPs0=q0aJZ{NM
z1(I4gVeu$ns7dCVdkcjCns;w5^Z&>kFC{|eu5dbbd??M<NvoOX>epNHZ)!GMOy3$t
z#>n~Pm*E^QmmjYcdXFAv-`D{G!~@k)HpZ60dWW90GjnnQO%q%Ltwe1mJi5$jE|&gs
z?5gjW-}x1860W?y16Msz^<r)%sm~q|VcPb`lz=RDex035zn&e4Av=+dKbl^L5pXp<
z9Z+sJgsD)1WoPhwf0W>fIkL2&9Mnb(N)y%@85VUPfA#T+-?nXwic-hu0m@t<ZM)On
zmlT5KYB1mb61M$Iju0IYKK)Y7x@2MMuy0?5l&jYh!@BIXw!=zU8kAcn^UE`?k;kaW
zAzJ@UKY8q}-G5e4^`4kD07`%I;m$gVHXUvR5O9_699oDe`lJ*K1lgNYP7->**Xlge
z0I?us4x4U<>7Wl0vwg2N(mz9K8fI?&mK)D3Gg)Q7Op^0Jvw?8=b(5;A@Y3%swt$$Z
zFymF?JXtAAVld)&^VAPGqX>!XfPXHVIUho~6WO47P1G=ar2(_P6jjmp?6v0g1EL}g
zyHkdgZipEg#mhc1Yj*kWUorOZkXbr=D^xTdGP{~Iv#L*B9VRF<#}hc?Ba!fhNDB&L
zF@aM#%8h_*M3C^_yO?$rUAVm&a0JVeM>=mkmssE3R0LD}H;^y@eZ~9I(|;)-9?bY7
zTRk`j?;dtK{{6EC#T$LK;a!=3XvFTnNb`P!FAX<Aofw8fs<PfmBlmBXzw8lFyxeHE
zJGw~i{9o4>t2}3~h*Hih%K&N^zXmM=(JpRaBkrB~Da7yAh+E4LPANjoX@rnC!|WYk
z1EStQ47&B#Kx~VClbLiq+N;DxRi@!>g3`?ehKe1oE9~kU946Mqp~dY)UwO)-?9>uw
zSUC8)+;RY?Vd3^*#IqQgZ1-f#2G-c_J$VjiN!{qUq_>@Vee=*{s3x{z_Or?apb!h7
z7TXr$0FMbqvcl-b2>Ro45wj44So&5Bam?PD{LU?gSGwLwe~@bEOo9sv$jS^U&H%cx
z7jNHI(k0?#RU`zChs2+{U$J+)=P46R{^{@qhCCB;I&+UvM%G*2rQ7-5)!{h^nv=Wo
zZ6(8-zCXgd-eiDKYl{W$$L3P&U*z`7reOdF)I7>o!awL;0<jbHn6ruCQA-lOb%J1N
zfiF8j5geK_k0xzMS});_BEL&%0n5wlt$+*Y|K)1?x9m_qc*xgkyR4EG@cuuH+^!4n
zdI@Ho-Yp{kGBrRxeIdUaw6PO$0%l-wUl~DPI|yDmSfcM4E%*ue$pb^hb$lXbCng3D
znGNg22FU?W<wJ@`UAW1`W^3DKZQB?b1eMCc{P2vJ1!mp48IhWP1(-OTBrwg`>Y`DM
zELS12js}c2ec)`RTNCgss6O~-Y3)DD;hAxai)7f=$`umXiR4rx)V-)HNg!s@{j%Nz
zXw<(G<Zt1YY#<b%AXtmtLd@gRtcIp)Ltc4uxMPYsj8d&nt{xV{cn{b~{%7U+=Q~aU
zvZ`6^sRQx>3kjoFzRj366HSK+XPAjX%tTTH`wXsmBNjU@V$3BX*(vu0kFIXQ3DoQg
z@00(-d4Py6Nq|eW#Sie<17O%PAL0?~&)dOH+#_XS#P)SXD3bLS8Nzxk#Ckm<8rC9O
zh#Rh$pT6{;2=vdkqEXcBSpu+zn(R*aD2JfQA*Xp90)kaf4_%!zZ(wW(EpI0^NJ#lD
zXw?CMR{%jz;0`To186ek-pJoNIDTp2(aT$lIB7-;#JCMociPNXX626%m^uiL5KcXE
zv!0awxZ9JY;Ogd89{@lATfpB8)`tu0Bb@`Uo@)&N)Q=^Ginqr3wvM?6fQ<}K1xKT3
z(TtsXKmnW@%gys6^PFiar<d#pjD`p-7sq3fjyHcht}be>Pd5P5=?T0Qus)1j2lxE$
z&^+s4fn4TCx=e1x4wGzpJqBZ*>hluC{eiMjPejflu+~{9I<wuI-97?gnIh!Zl6bS|
z-jk?VgkD{o;_CKo7l1kS&&_=fkDi|ab7%TG9zN5XHWxl19;Ig0yHV`TD*kMg^5%r(
z?ij1{(Ublyg}nz48P|#ceLawyXNPtl+P2Ns_&=a1DZC5M+vq#3q?D;EJ@jOJH5$1Q
zUE<B1^LD;<K04-DgUbp4vQe82sO*^YTMIVh<Rsury0s|;WN{?R6klFZ$rm}@t>!ek
z5tXp9=f>AW1|VdwzgZ0qZQxddHY;zn7_vmV{kLsfI0#MLdXSI2B<NCFLMD$-#3y=F
znSY{Kf6_m<Uk^PQvfl10Vn*cAR&B!CY?cK9pE>a;^?yb~q*CUUN}>}r#D+EY3cTvU
zH5)HEVI%|@Jq3zRQips^3~(ZzavgIfA2KU+!e;+vrQ>dx{m;m5J#1DhV*1QVY-slZ
z$m_(9(cE#1n;)WLq=wJ{ph((+r5|Sh{WMTJU1%!_YO!-TBcCeyTtxoa8_knOvBOKe
zx#<0ejJwtP=EM5u0SBd!S4x=+T87QTfO_QQzh4L7PQPM05CwW<{(~mPDqLvI)XnA+
zECa_q)+W4dTjtL@;})QR$8zaEujJoE_}0Vv-?MnlHs77XYs(e_xAe>)7}10+CSdEB
z7nZ><v-xuXv-iIaa#S)ji2JM`Sn;=xKl}~5)O8V;Jhny_aD33tcRQX7&a2*f(ZJy%
ze!U9woWOkx@?p_YJiZbe2-ohmj;>N(wGMmCa+5KVji9xbc(a?4U``K+Su|1?##1iD
z0mzgKYUPG5=Rw$13*J;9Rs$fzcYav?j$k62=jjQ}s~#igh*)MIIFLo)iV_Ymo|0(@
zE*~L~HHYA>mY{gK>$&=Dg=US#txJ2fPk&i}OChatH<6kgAuv6bADBl*uysS)ge9*8
z{BkVSZ=r+N3L2Noc#%wzDYT_kc=P5)u-r;2m;-8F2J>%zm=V@)e6njqi1P)N!~LAV
zp^^N!6A4JJC4>o+e~0CHAlB%uR1SK?c#5<6=t~jXhBxP730_yg`mnrtQ=vdm2$EpG
z;4vaCAk18(7KfzFTp9^vZzv=6SF_=CItI)smAA`yK}PX#;3M%*IZOmM5FEw|1g`-A
zOnuxjW|}uA2WQfgAg~+{P2j#Rd_$~FP)#CYkgOsIn3F<<Q%MJ#8GM#NgB@I&vt!-^
z!PKzIrbo9s#}HA;18|%rx0~cm;BAmbn!g!a@Io|Gy0sR7zJOG(^>M2+%u)!4r^R8T
zxU{$I&1COQ)>{e^J`mboT5?jJM;bx0@-0om2$sBY(m5W<COfzgC2{;Dta-Hqan@_(
z3i#v$&yyihaWupzT*<U5N`IDcZ0dYo^-k$11brSsp_}mfgl<8tk{X#~$SV}g&N>mB
zZm@iVAxsyvatnBOOW&^XK>NtuJeu~8c`c7}G&^ZvvwuWLP{W>SGnY|F#k}}vakTm-
zJ&B>W*TCp7$Gcpdk$ih!RXn$@1SS0&g8?&CkdWq2%S;OZ-?ePoH;dfR59zoNEl~Nw
z`=H?*g!6(Y-*-}*BHyTM0KYrF3#iwD>p`F2DOqRY2}$a2klZ4|mEEbJU@9tST2R$+
z24;pzvs}CpCdsRNjJ^DYJbtfSVZm13R|K+$=6C*~0&o4>1xe~&HUYL2nA^-~gfG#L
z5;h8MWQ!du)KrX&K&-T4Qw2pr&TRW&&j`v@qS#1qn$i%S3|<i|r1W>sW#1(Xb+Jut
zHjeRK_?)jEOU{+8<#Hd9sxnJ())#5K(!1f0`QkZn%5$h8wLVr)k|4rUWI{<2?|-w}
z!>k3d+D14+>`U5wtblr1=&%PhKe|^jB3YR$3U;5qE(z{Y3-0JL^1R#?5UbcGEDyhu
zlqaH1T*JZV>xz)G_VUS{WNau8QX<(UvpWT?n*nSV)^1Um9wVOenO;dck82Bb#keUb
zUXsW)n!4<ik~b=Yhh^gt+L*THrm@a_%!AksGHFgpV`aG2bSyc6+q5bU&UWtM(d_wx
zK52QD8_lKj)#OsEvCNKPe>=;u7zy2Bo*Z9Rx`d;9Yt&@zHMb-laFOHP=%UE)&Z=b>
zQRq69o5YaT1AMHr?j9iwKffXm=yZ04PT1ZtS~{N8NGF^VbdzFH5zC?@t21C;Ita}1
z;4K2D55`4{n7BP<^&>ZC>Dj;W;tqtFA*GOU_uFiG9%h_qP7t(~5Ld8|N6*wP@8-2y
z76<OWnsjygw&Z}<MR<C6T9d;yI9?bK;InNl8W<_!bW06%jyacY2Ggr?b<niiig0Rj
zHN^mVaO_0wf#cl+l7!rVD8?PoxgoA-4%DHOJ!~_Vq;=JK|Ju|g>5LQPXlK@>L{x9{
zDXXv>iwD}?bymw#6YK5QKcEvKRXxggLn8R^r|1uBJOF1{iuY@LFF9qCb|>bQ0mfV7
zfDArjVB<MTn^Owna7U0lWgdjIX3Txc`wpOk^&2IYtV!hxR!E4^bL+f6!cDTveIxq=
zIy=0tKI+21=TWxixiXtWHG$FsmZ(e;L<<AQtrru_x(9sw2EKuwc}koCZK@HFf-AfZ
zWzG`)Fq{c-?pb?-`1T4tCb`-fcHJTPkx_Qc%`>y!yU*yoZ(5wUa$CtZu;hLO-ckz+
zJwF-B!Wa$YCRFmH*%kM@7AfdDb``VBL1NZbb9N26Sw+oKH<N!8Mi^i}SfwO7*ZHyW
ztGL`soBenrK81u@bh;~LLy--cW^(Bc$AkHz$E~EO``HW-rzk~tpa9T~^c*J#Pln$0
z9Am7OP0aV_=zKpmK##m*sblEJ%#8Mu*&H1{TJm}xKeAL_ZwMMPh2VF3i<(zPex=l_
zQ*Hf(7NgmH+Lb9`yNsQI!NPS|4O}F8)XRcRL8QicLj6IVH7`kQP2;Kl0yl?Mci#8o
zBaO$e4iUkdbG#p0(b%;lf%_-cX>F}jlVgz_E@B9$XuvV2!^`9|J6~O2F%%VXld!8}
zkAOUq^m%N)X3qyWnh7{q)QoxL`q2`=rne@eHs6$K<EG%sofSfOKgfW)m$6fLMNsI0
z!lJ;~!3n|oZ_SH%0GV?l2#gdGRj{+ejaZjNv)&w*)p*1Ht-48RBXVYV-)X8Oa~`}b
zKyp%GZI?&QhESbk9dPzN!%rJ(db|bb2GwOKkfS7oSwgUS1B#<zAEs#afb|lbO9zv0
zt&4_ULDEp;W^;$_OtWv+_UKO6ve5LTX7{*H;k}<H9e3SVZrFg+unUkm1=TA&nk59s
z>eL*{>y*RA@`|u<xwiUF-J}-+s)%SE(hV;uUQB;cLg#5-4c39Rpr)JenbjDve*5C)
zCEH<d0p9`cFp3jNuf*`^+3@q6?H<7y1{a-s{O|K3ARM8$SfoMEjH?lSsCEd2cD4_s
zq@Y(C(ysK=EH~}B%9Z)EQ#aB-5`eq)Ve#Pe0};@VV73OhksPw^kuKe@>{_nh5FD3}
zhTI=pyycmTft%fa@w>zR#)WFr7Q8XnXfusHQk&+JpTZtljrlSQA))5w18iNNV%GCJ
zi}mm3s~K_8^TJsWR=2L_V@J~-pbTpPkgM)ao{H5QBZ^P1(@>7M+9afm($(yRo7_VV
z>1zE(a62hb3!FE=s~CxdG1m(d?)4}?xY`J8Yzoa;R|tAw$urs{&DAT}34P{<UA6Pc
z`OzY~h!FX+B3D;liyS1rRDQgG@Dz}B7j%kBRGCGyA!BD?YhNU9$j7lqm74=kKfZ$H
zEqG!-(KFOZ5aPOPVR;#OmPXNY(>v<0SI2Wt4rN(LUEcc2x9=GU4)~_`RQiS39YX_o
z-q)s-AK-*Kiy|Z6`In>5^xYt`-y=45UT*hYMSDp>XD`~YI@LIjhPCe>U#L6=JqN?k
z*8@g5?l9QvM4bCR#Yni~YS#wfAR{GoH<*GOz7opB>3pi8r>?l0-&cmk=+Y)pgqNNQ
z&h2Q*<k+yWw*?K6R9<A6)iJZ?b<*!1=x~kVZpD(NKtZ^9uqlzZ(TdH4r}Jk0?|U*!
zKHX%NY;LHq&|{^Y*B9+7GU{iy`eO1lGSaVi#H0sW+U>2X*pKF~3P6c(bK&QRDRlak
zp$X_y1B-9UUn7y%8{;zOLnnF)5zL_WVcV@2ox~&}7Y*E@-XO&i2?bQo^ch3!wqaE=
ztZ+6%=6Ko4=fjfOArm!UW?wFp4s4%99Z)5_ggZnLg<~vxuzHI!s_Xr?i(sD9dGm_g
z46Vm!x`N6LJS)mO*)$aw<^sB@)fV2R1UYRrIST{|sG<YpQl;sr>_0Cy;F*Xyw=aSB
zHMPcD{^cI4xMib*7e&S0mQ1+|r6(fx*cpq8y6I=xRHVV-uh?g1=-RXX^3S4PH8{b?
z{P^AVk4hN{G9eYlzG=<A=B#vt^KW@g&ZY}qkvC7RHC`q{@w9&7V28Re!^_x+>2<}8
zNZ0y{1$;FCKazZkDfNst2|nuvzn`FwkoB_j6mX7r4h?>1h$}>OO5%FJTN}g1u(@|l
z@xYle$L&$2s0_XcM_hJ1TVc0=VhOSbU)vNvwz_J#ps#Afw40;zfX=){Rf~!qUI;A9
zpu&iJPrP4d*luRVVoaGAQw~GYSUg6;;+)()m}DWU$yD;eNDUpQE}Txshc~$zPHWM2
zf;US^InuQ2VoW>zX*pgG*^<cunPjh_*eqTucPtv&+9Rc%nz;<jbtwW+3F%kaNUal9
z#WD(-4rldXC9&~46(d0ie&j|1;;fznd<DlfV3Aj^gDy6IbYgX$b7l*#ZQr(VK+kf`
zPboxvXcBeaG&HUA+x)53C7IUxD6b*?Ym;k}!*y&0k3GOzT7*3@v!;K8YXZq*mvz*f
z@(YGIUv;}-XMmFO+~lBU$@v*<1xBh`ci1ra^qCw3V3k%4f;e9FEDx_Wu7o@;r)MC0
zz%aqI>L;&C*R&hFnRStHmbfg9h2ZeGHgh+2(yE&p4Y}BM9kV6w+CU*V1cc_#ucHH2
z-@uZ6pc!CVJ~isk)1PP{y;$hw-Md~WiRrF|M@uvox#YVq!+JauGCTzGs>Nx1fzmET
z7fxPO;P0Oo6#9+-F4KDV{gnJ@cBL4zK1|7c#(Q%5sS&sRNtoYdW>1$@L@M^S6?cE3
zV+Mm(w_n#`Z1U2CCflI-HOOk#BRJbJsi<>yK8f$<gmjUUggvWnuc=V)9!1moV%&>K
z0i%AJ{rVxD2b><ya)bMSje!vHtaG%i8lyvx^lIs!{W|@bcBdC;*z{G$8oh!5Do!%C
zNr_7jP(T$04UWiN8oSq(pQM!!hr^ZeMV-1lt_NHVR{pMufoL`4S|^LR^uVYq`eP`}
zA`2Z~nIBr1y;LVUiKA7=iz+_l+V$jhkb{-K6;Qbxk^|zbl4dNW$ac+x+e59G+_r5@
zSkIE<hr`C-qu3lfO2Ee&2@=Ne0=k}VnxdSz1UGrlSV3Af=-`B19hrPAt5mx8dgHsh
zxqi_^1}=Y%qxIToRM~!2%s$`%_z;K^-8+%&K(>R&)8c7<A_n0^@$h&*y#UL{6{mbV
zmHVX!QeRmmB72l)iW2D19DzE?)t*KNV$)Hy0IkxUIa@$~F)13I3{Bu&=|5I@?GZp8
zsbSK?pNNPP8`wGfokWuAiyplzb{Re`nfm={@5zY0PEn_T{TAGjR5GuGGF>SMlP;l)
zYV|a_64CU7;<NrorFf<eNu|BYxKL16k`~eXl_7L1rYB;RPZ$ZyU%TR4fSt72@uT4R
z&i8C(L`~&dzfk>2(*qYCCXUS=K4c*MHrbO^mm|DL<C8Y6Dza-F)9TcPrzAzDG>r)<
z)h}rj(w36~a_Bv3N9C&0^{e7_o9K>1Pi<L7ILw(gLDp?~l)Ivy#UL#e=l+UoH>V_I
z>ped#%PA^Hldd+thV%fywS7~CW-ppj=$&NDRrU*p?GE1dW593eqO!!UAqTgis;;&C
z?4=u%`6@~J$L_DI$5-&H8n2|l71clcyu}fAzFmmb^-bu(;k)Z*I@fp|%UBT?#HI(E
zmz+SHfy2vA(4zOnP>tq<OC<dilnf*Djfc?V)#Df2%cF7S3-wJfcSS`kJq3ww3hlN^
zoUd-0F>YS#t?TkzL&6X|Z^P}|&g3CocXM9FIvb~Y1dJ9Z>6c?{Cy7jF24B53BUaDd
z_Gy{ad}3AZwCFC_(vWY=?`^paNYIT$Zg}&Yynb?J(mq2EYAYrx?EBjOU^Z8dv!?Yr
zA}$SX#HED@fiL^=tF9;a4O|>c8Xv3b83?b7ECbDo7nQTmP_&;Lf|wEcjtb;X-lTD;
zBvK^tV+8RLO-7Q|cb*ow^baQ&t&e`BMC(5!KiJ6whG(&5#;J+1S2xbcUr~9@9zm2A
ziU@Rrvmh1J>t~aY4gdwpMI#%V#@Z6BHue)e?&EmfL3+i#av^Ep{R*@-U`0XNaMRQZ
zxVeK9+i8(bv!18c2*(CHFFH(rR0QFoCwJFh@4@<xgt$pCi*vB-TWcDc_X?d@=s%x%
zj%jDmmQVA#*^(LXM<!s-0e+GV>j9H^@s_&6l(B?0&62Auv`IthekxQ9xnP=2AL4a4
zmFue_k}eYEwbRM)IJPo$_S>HnNoaoKUkI@rb!{#~E0zlYDmh?%q4^C#dSrb&^9=Eq
z=TZVlHWieM3KGPSmC_|Cz7v(%jw3L3rVQ*nupt_4Krbr!i6EJ{$+>cL|3%^DfsJ;y
zvD0kb?pXzBQ4lQ`v{^JVurGu=cmms`Si>%E8OWoY<TWW9P17vlN;LA3k%kAzPDju0
z{t9rVEG#>P+=iQ^+E44b%XfN1-7Hojxa}&;fO9LcVJ`^I*uL$5xaK4MX_kx<WmYZn
zRj%K#F?gN55e~mAKzsF2PiQuzMpVFFf^=g})A+gR&}JEXBs6*4q<;@>pvUg<h{ql<
zWJ1&kM7qIEBTotrD{<`Am-SN-?vSaSU~FAwr<Cs@z1>3>iDRJ%0aC%h@7fYdEqH5g
z*B41%E@LRjsatzm;!dgc^ia%63a`o{3(;jfFWI(V%QI|dof8%`o#;u6%_%}jOkZW*
zt6Dh4o^%mn?x{Kf&L9sPvo8Cc0XVnaJoHD)qmVsX+IiK-*&UGeR?-DU>S7|8aatpt
zopXSB`kF}qkc%67uh`jm^Xi9+i!9^S4>Q&4CugiG>a+BAh0KIjbmEc`+&V6iq})sn
z9npYx`5B&O(paXvS<4*ms`q`YIZaDge53XeDJY>=jyiU*v1ipj#+tTt@nS`fw?ENg
zkoW;Te{%P>uU1565g}(~cre;?RB$;t@mxC&HV|qFUhM(6t(Vk|3A&&tu!Hs-4xspT
zZt)TJmWjv${p{#u%13YBXo4okTYr;xtX5CPo@%D03b21ymake#@jVDG9jyyPz&!(*
zo08kYz1Xwmh1WL?r1<u~Ee03u=s)}^{>}hKc)sJZ{$bkRq@N*o8!4Ai$xA)u6WH&4
z_Y;nWKf!Tm*R!ocH#J6LZ|~S<xi47o2O$@G-VnT3_R)FbfIj;vV(lDB_Y@$urTC*!
zgBFiRurOc*OOC*q9^rA-c?TwAflHl#7Up%COG=pfzzFBRAP~HMnOPT@9LS&irW-rY
zSc>z+90K^)ZMla5I@@{M^{RaX$iWHVA6v(}_)~yny5)k`-+ux`d8$|Is@!AsfBr7}
c>R`!3jQAN}kVq?jwe?REBMZZdOD^I67b8&8^#A|>

literal 0
HcmV?d00001


From 7e1072825796e112efd5bfe38db3f20d8390cd82 Mon Sep 17 00:00:00 2001
From: Xuejun Yang <xuejya@microsoft.com>
Date: Fri, 11 Oct 2019 22:45:46 +0000
Subject: [PATCH 195/420] Clean up the installation/build/runtime work flows
 for SGX1, SGX1FLC, and non-SGX platforms

* Introduce flag HAS_QUOTE_PROVIDER to indicate SGXFLC capability at build/installation time
* Eliminate the outdated AESM flow from both Linux and Windows
* Take dependency on enclave_common_api library for enclave creation/initialization/deletion
* Take dependency on dcap library with SGXFLC flow (HAS_QUOTE_PROVIDER=ON) for quotes
* Return OE_UNSUPPORTED for quoting functions when HAS_QUOTE_PROVIDER=OFF
* Avoid calling quoting functions when HAS_QUOTE_PROVIDER=OFF
* Remove the ambiguous flag USE_LIBSGX, and replace it with HAS_QUOTE_PROVIDER when quoting is concerned
* Replace OE_USE_LIBSGX with OE_LINK_SGX_DCAP_QL at runtime when quoting is concerned
* Install dcap library on Windows only when SGXFLC is specified to the installation script
* Remove build dependency on enclave common api library and dcap library on non-SGX platforms (flag OE_SGX=OFF)
* Update documents that are referring to USE_LIBSGX
* Update cmake files that are referring to USE_LIBSGX
* Update jenkins files that are referring to USE_LIBSGX
* Ensure samples work on their supported platforms (SGX1 and SGX1FLC)

Fixes #2258
---
 .jenkins/Jenkinsfile                          |  34 +-
 .jenkins/custom_label.Jenkinsfile             |  12 +-
 .jenkins/libcxx_tests.Jenkinsfile             |   2 +-
 CHANGELOG.md                                  |   1 +
 CMakeLists.txt                                |   9 +-
 CMakeSettings.json                            |   6 +-
 cmake/openenclave-config.cmake.in             |  81 +-
 .../Contributors/SGX1GettingStarted.md        |   2 +-
 .../Contributors/SimulatorGettingStarted.md   |   2 +-
 .../Contributors/WindowsInstallInfo.md        |   4 +-
 .../Contributors/WindowsManualSGX1Prereqs.md  |  46 +-
 .../WindowsSGX1FLCGettingStarted.md           |   4 +-
 .../Contributors/building_oe_sdk.md           |   2 +-
 enclave/core/CMakeLists.txt                   |   4 +-
 host/CMakeLists.txt                           |  74 +-
 host/sgx/linux/aesm.c                         | 706 ------------------
 host/sgx/ocalls.c                             |   6 +-
 host/sgx/quote.c                              | 153 +---
 host/sgx/report.c                             |  11 +-
 host/sgx/sgxload.c                            | 259 +------
 host/sgx/sgxquote.c                           |   2 +-
 host/sgx/sgxsign.c                            |   1 -
 host/sgx/windows/aesm.c                       | 414 ----------
 include/openenclave/internal/aesm.h           |  47 --
 pkgconfig/CMakeLists.txt                      |   4 +-
 samples/CMakeLists.txt                        |  14 +-
 samples/test-samples.cmake                    |  10 +-
 scripts/install-windows-prereqs.ps1           | 135 ++--
 scripts/test-build-config                     |   2 +-
 tests/CMakeLists.txt                          |   1 -
 tests/aesm/CMakeLists.txt                     |  12 -
 tests/aesm/main.cpp                           |  47 --
 tests/attestation_cert_apis/host/host.cpp     |   6 +-
 tests/bigmalloc/host/host.c                   |   3 -
 tests/debug-mode/host/host.c                  |   8 +-
 tests/qeidentity/enc/CMakeLists.txt           |   4 +-
 tests/qeidentity/enc/enc.cpp                  |   2 +-
 tests/qeidentity/host/CMakeLists.txt          |   4 +-
 tests/qeidentity/host/host.cpp                |   3 +-
 tests/qeidentity/host/qeidentifyinfo.cpp      |   3 +-
 tests/report/common/tests.cpp                 |  12 +-
 tests/report/enc/enc.cpp                      |   4 +-
 tests/report/host/CMakeLists.txt              |   4 +-
 tests/report/host/host.cpp                    |  20 +-
 tests/report/host/tcbinfo.cpp                 |   1 -
 tests/tls_e2e/client_enc/CMakeLists.txt       |   4 +-
 tests/tls_e2e/host/host.cpp                   |   9 +-
 tests/tls_e2e/server_enc/CMakeLists.txt       |   4 +-
 tests/tools/oecert/host/host.cpp              |   8 +-
 49 files changed, 328 insertions(+), 1878 deletions(-)
 delete mode 100644 host/sgx/linux/aesm.c
 delete mode 100644 host/sgx/windows/aesm.c
 delete mode 100644 include/openenclave/internal/aesm.h
 delete mode 100644 tests/aesm/CMakeLists.txt
 delete mode 100644 tests/aesm/main.cpp

diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
index f63a28d279..08102f9fe1 100644
--- a/.jenkins/Jenkinsfile
+++ b/.jenkins/Jenkinsfile
@@ -28,7 +28,7 @@ def ACCGNUTest() {
                 cleanWs()
                 checkout scm
                 def task = """
-                           cmake ${WORKSPACE} -DUSE_LIBSGX=ON
+                           cmake ${WORKSPACE} -DHAS_QUOTE_PROVIDER=ON
                            make
                            ctest --output-on-failure --timeout ${CTEST_TIMEOUT_SECONDS}
                            """
@@ -39,9 +39,9 @@ def ACCGNUTest() {
 }
 
 def simulationTest(String version, String platform_mode, String build_type) {
-    def use_libsgx = "OFF"
+    def has_quote_provider = "OFF"
     if (platform_mode == "SGX1FLC") {
-        use_libsgx = "ON"
+        has_quote_provider = "ON"
     }
     stage("Sim clang-7 Ubuntu${version} ${platform_mode} ${build_type}") {
         node("nonSGX") {
@@ -50,7 +50,7 @@ def simulationTest(String version, String platform_mode, String build_type) {
                 checkout scm
                 withEnv(["OE_SIMULATION=1"]) {
                     def task = """
-                               cmake ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DUSE_LIBSGX=${use_libsgx} -Wdev
+                               cmake ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DHAS_QUOTE_PROVIDER=${has_quote_provider} -Wdev
                                ninja -v
                                ctest --output-on-failure --timeout ${CTEST_TIMEOUT_SECONDS}
                                """
@@ -73,7 +73,7 @@ def AArch64GNUTest(String version, String build_type) {
                                 -DCMAKE_BUILD_TYPE=${build_type}                                   \
                                 -DCMAKE_TOOLCHAIN_FILE=${WORKSPACE}/cmake/arm-cross.cmake          \
                                 -DOE_TA_DEV_KIT_DIR=/devkits/vexpress-qemu_armv8a/export-ta_arm64  \
-                                -DUSE_LIBSGX=OFF                                                   \
+                                -DHAS_QUOTE_PROVIDER=OFF                                           \
                                 -Wdev
                             ninja -v
                             """
@@ -139,10 +139,10 @@ def checkDevFlows(String version) {
                 cleanWs()
                 checkout scm
                 def task = """
-                           cmake ${WORKSPACE} -G Ninja -DUSE_LIBSGX=OFF -Wdev --warn-uninitialized -Werror=dev
+                           cmake ${WORKSPACE} -G Ninja -DHAS_QUOTE_PROVIDER=OFF -Wdev --warn-uninitialized -Werror=dev
                            ninja -v
                            """
-                oe.ContainerRun("oetools-minimal-${version}", "clang-7", task, "--cap-add=SYS_PTRACE")
+                oe.ContainerRun("oetools-full-${version}", "clang-7", task, "--cap-add=SYS_PTRACE")
             }
         }
     }
@@ -169,7 +169,7 @@ def win2016LinuxElfBuild(String version, String compiler, String build_type) {
                 cleanWs()
                 checkout scm
                 def task = """
-                           cmake ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DUSE_LIBSGX=ON -Wdev
+                           cmake ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DHAS_QUOTE_PROVIDER=ON -Wdev
                            ninja -v
                            """
                 oe.ContainerRun("oetools-full-${version}", compiler, task, "--cap-add=SYS_PTRACE")
@@ -187,7 +187,7 @@ def win2016LinuxElfBuild(String version, String compiler, String build_type) {
                 dir('build') {
                   bat """
                       vcvars64.bat x64 && \
-                      cmake.exe ${WORKSPACE} -G Ninja -DADD_WINDOWS_ENCLAVE_TESTS=ON -DBUILD_ENCLAVES=OFF -DUSE_LIBSGX=ON -DCMAKE_BUILD_TYPE=${build_type} -DLINUX_BIN_DIR=${WORKSPACE}\\linuxbin\\tests -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -Wdev && \
+                      cmake.exe ${WORKSPACE} -G Ninja -DADD_WINDOWS_ENCLAVE_TESTS=ON -DBUILD_ENCLAVES=OFF -DHAS_QUOTE_PROVIDER=ON -DCMAKE_BUILD_TYPE=${build_type} -DLINUX_BIN_DIR=${WORKSPACE}\\linuxbin\\tests -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -Wdev && \
                       ninja -v && \
                       ctest.exe -V -C ${build_type} --timeout ${CTEST_TIMEOUT_SECONDS}
                       """
@@ -197,12 +197,12 @@ def win2016LinuxElfBuild(String version, String compiler, String build_type) {
     }
 }
 
-def win2016CrossCompile(String build_type, String use_libsgx = 'OFF') {
+def win2016CrossCompile(String build_type, String has_quote_provider = 'OFF') {
     def node_label = 'SGXFLC-Windows'
-    if (use_libsgx == "ON") {
+    if (has_quote_provider == "ON") {
         node_label = 'SGXFLC-Windows-DCAP'
     }
-    stage("Windows ${build_type} with SGX ${use_libsgx}") {
+    stage("Windows ${build_type} with SGX ${has_quote_provider}") {
         node(node_label) {
             timeout(GLOBAL_TIMEOUT_MINUTES) {
                 cleanWs()
@@ -214,7 +214,7 @@ def win2016CrossCompile(String build_type, String use_libsgx = 'OFF') {
 
                   bat """
                       vcvars64.bat x64 && \
-                      cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DUSE_LIBSGX=${use_libsgx} -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -Wdev && \
+                      cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DHAS_QUOTE_PROVIDER=${has_quote_provider} -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -Wdev && \
                       ninja.exe && \
                       ctest.exe -V -C ${build_type} --timeout ${CTEST_TIMEOUT_SECONDS}
                       """
@@ -237,7 +237,7 @@ def ACCHostVerificationTest(String version, String build_type) {
 
                     println("Generating certificates and reports ...")
                     def task = """
-                            cmake ${WORKSPACE} -G Ninja -DUSE_LIBSGX=ON -DCMAKE_BUILD_TYPE=${build_type} -Wdev
+                            cmake ${WORKSPACE} -G Ninja -DHAS_QUOTE_PROVIDER=ON -DCMAKE_BUILD_TYPE=${build_type} -Wdev
                             ninja -v
                             pushd tests/host_verify/host
                             openssl ecparam -name prime256v1 -genkey -noout -out keyec.pem
@@ -275,7 +275,7 @@ def ACCHostVerificationTest(String version, String build_type) {
             }
         }
 
-        /* Compile the tests with USE_LIBSGX=OFF and unstash the certs over for verification.  */
+        /* Compile the tests with HAS_QUOTE_PROVIDER=OFF and unstash the certs over for verification.  */
         stage("Linux nonSGX Verify Quote") {
             node("nonSGX") {
                 timeout(GLOBAL_TIMEOUT_MINUTES) {
@@ -283,7 +283,7 @@ def ACCHostVerificationTest(String version, String build_type) {
                     checkout scm
                     unstash "linux_host_verify-${build_type}-${BUILD_NUMBER}"
                     def task = """
-                            cmake ${WORKSPACE} -G Ninja -DBUILD_ENCLAVES=OFF -DUSE_LIBSGX=OFF -DCMAKE_BUILD_TYPE=${build_type} -Wdev
+                            cmake ${WORKSPACE} -G Ninja -DBUILD_ENCLAVES=OFF -DHAS_QUOTE_PROVIDER=OFF -DCMAKE_BUILD_TYPE=${build_type} -Wdev
                             ninja -v
                             ctest -R host_verify --output-on-failure --timeout ${CTEST_TIMEOUT_SECONDS}
                             """
@@ -303,7 +303,7 @@ def ACCHostVerificationTest(String version, String build_type) {
                     dir('build') {
                         bat """
                             vcvars64.bat x64 && \
-                            cmake.exe ${WORKSPACE} -G Ninja -DBUILD_ENCLAVES=OFF -DUSE_LIBSGX=OFF -DCMAKE_BUILD_TYPE=${build_type} -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -Wdev && \
+                            cmake.exe ${WORKSPACE} -G Ninja -DBUILD_ENCLAVES=OFF -DHAS_QUOTE_PROVIDER=OFF -DCMAKE_BUILD_TYPE=${build_type} -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -Wdev && \
                             ninja -v && \
                             ctest.exe -V -C ${build_type} -R host_verify --output-on-failure --timeout ${CTEST_TIMEOUT_SECONDS}
                             """
diff --git a/.jenkins/custom_label.Jenkinsfile b/.jenkins/custom_label.Jenkinsfile
index cb24bdadb4..8492eb33b9 100644
--- a/.jenkins/custom_label.Jenkinsfile
+++ b/.jenkins/custom_label.Jenkinsfile
@@ -38,12 +38,12 @@ def ACCContainerTest(String label, String version) {
     }
 }
 
-def win2016CrossCompile(String build_type, String use_libsgx = 'OFF') {
+def win2016CrossCompile(String build_type, String has_quote_provider = 'OFF') {
     def node_label = WINDOWS_2016_CUSTOM_LABEL
-    if (use_libsgx == "ON") {
+    if (has_quote_provider == "ON") {
         node_label = WINDOWS_DCAP_CUSTOM_LABEL
     }
-    stage("Windows ${build_type} with SGX ${use_libsgx}") {
+    stage("Windows ${build_type} with SGX ${has_quote_provider}") {
         node(node_label) {
             timeout(GLOBAL_TIMEOUT_MINUTES) {
                 cleanWs()
@@ -55,7 +55,7 @@ def win2016CrossCompile(String build_type, String use_libsgx = 'OFF') {
 
                   bat """
                       vcvars64.bat x64 && \
-                      cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DUSE_LIBSGX=${use_libsgx} -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -Wdev && \
+                      cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DHAS_QUOTE_PROVIDER=${has_quote_provider} -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -Wdev && \
                       ninja.exe && \
                       ctest.exe -V -C ${build_type} --timeout ${CTEST_TIMEOUT_SECONDS}
                       """
@@ -76,7 +76,7 @@ def win2016LinuxElfBuild(String version, String compiler, String build_type) {
                 cleanWs()
                 checkout scm
                 def task = """
-                           cmake ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DUSE_LIBSGX=ON -Wdev
+                           cmake ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DHAS_QUOTE_PROVIDER=ON -Wdev
                            ninja -v
                            """
                 oe.ContainerRun("oetools-full-${version}:${DOCKER_TAG}", compiler, task, "--cap-add=SYS_PTRACE")
@@ -95,7 +95,7 @@ def win2016LinuxElfBuild(String version, String compiler, String build_type) {
                 dir('build') {
                   bat """
                       vcvars64.bat x64 && \
-                      cmake.exe ${WORKSPACE} -G Ninja -DADD_WINDOWS_ENCLAVE_TESTS=ON -DBUILD_ENCLAVES=OFF -DUSE_LIBSGX=ON -DCMAKE_BUILD_TYPE=${build_type} -DLINUX_BIN_DIR=${WORKSPACE}\\linuxbin\\tests -Wdev && \
+                      cmake.exe ${WORKSPACE} -G Ninja -DADD_WINDOWS_ENCLAVE_TESTS=ON -DBUILD_ENCLAVES=OFF -DHAS_QUOTE_PROVIDER=ON -DCMAKE_BUILD_TYPE=${build_type} -DLINUX_BIN_DIR=${WORKSPACE}\\linuxbin\\tests -Wdev && \
                       ninja -v && \
                       ctest.exe -V -C ${build_type} --timeout ${CTEST_TIMEOUT_SECONDS}
                       """
diff --git a/.jenkins/libcxx_tests.Jenkinsfile b/.jenkins/libcxx_tests.Jenkinsfile
index 75823cdef9..45746e5a79 100644
--- a/.jenkins/libcxx_tests.Jenkinsfile
+++ b/.jenkins/libcxx_tests.Jenkinsfile
@@ -87,7 +87,7 @@ def ACClibcxxTest(String label, String compiler, String build_type) {
                 cleanWs()
                 checkout scm
                 def task = """
-                           cmake .. -DCMAKE_BUILD_TYPE=${build_type} -DUSE_LIBSGX=ON -DENABLE_FULL_LIBCXX_TESTS=ON
+                           cmake .. -DCMAKE_BUILD_TYPE=${build_type} -DHAS_QUOTE_PROVIDER=ON -DENABLE_FULL_LIBCXX_TESTS=ON
                            make
                            ctest -VV -debug --timeout ${CTEST_TIMEOUT_SECONDS}
                            """
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0ed878ba82..c1792e7ee4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   release cannot be debugged with this version of oegdb and vice versa.
 - Update Intel DCAP library dependencies to 1.2.
 - Update Intel PSW dependencies to 2.6 on Linux and 2.4 on Windows.
+- SGX1 configurations always take build dependency on Intel SGX enclave common library.
 - Update LLVM libcxx to version 8.0.0.
 - Update mbedTLS to version 2.16.2.
 
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 28f232d7c0..219dd051b7 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -164,13 +164,8 @@ include(package_settings)
 # See `cmake/add_enclave.cmake` for enclave creation logic
 include(add_enclave)
 
-# User configurable options
-# DCAP library support on Windows is experimental and is disabled by default
-if (UNIX)
-  option(USE_LIBSGX "Build oehost using SGX library requiring FLC" ON)
-elseif (WIN32)
-  option(USE_LIBSGX "Build oehost using SGX library requiring FLC" OFF)
-endif ()
+# User configurable options.
+option(HAS_QUOTE_PROVIDER "Take a build dependency on SGX DCAP, which requires FLC on target device to run." ON)
 
 # TODO: See #756: Fix this because it is incompatible with
 # multi-configuration generators
diff --git a/CMakeSettings.json b/CMakeSettings.json
index 537fee3d4f..f1c906b4fb 100644
--- a/CMakeSettings.json
+++ b/CMakeSettings.json
@@ -31,7 +31,7 @@
       "inheritEnvironments": [ "msvc_x64_x64" ],
       "buildRoot": "${workspaceRoot}\\build\\x64-Debug",
       "installRoot": "${env.USERPROFILE}\\CMakeBuilds\\${workspaceHash}\\install\\${name}",
-      "cmakeCommandArgs": "-DBUILD_ENCLAVES=ON -DUSE_LIBSGX=ON -DNUGET_PACKAGE_PATH=${workspaceRoot}\\prereqs\\nuget",
+      "cmakeCommandArgs": "-DBUILD_ENCLAVES=ON -DHAS_QUOTE_PROVIDER=ON -DNUGET_PACKAGE_PATH=${workspaceRoot}\\prereqs\\nuget",
       "buildCommandArgs": "-v",
       "ctestCommandArgs": ""
     },
@@ -42,7 +42,7 @@
       "inheritEnvironments": [ "msvc_x64_x64" ],
       "buildRoot": "${workspaceRoot}\\build\\x64-RelWithDebInfo",
       "installRoot": "${env.USERPROFILE}\\CMakeBuilds\\${workspaceHash}\\install\\${name}",
-      "cmakeCommandArgs": "-DBUILD_ENCLAVES=ON -DUSE_LIBSGX=ON -DNUGET_PACKAGE_PATH=${workspaceRoot}\\prereqs\\nuget",
+      "cmakeCommandArgs": "-DBUILD_ENCLAVES=ON -DHAS_QUOTE_PROVIDER=ON -DNUGET_PACKAGE_PATH=${workspaceRoot}\\prereqs\\nuget",
       "buildCommandArgs": "-v",
       "ctestCommandArgs": ""
     },
@@ -53,7 +53,7 @@
       "inheritEnvironments": [ "msvc_x64_x64" ],
       "buildRoot": "${workspaceRoot}\\build\\x64-Release",
       "installRoot": "${env.USERPROFILE}\\CMakeBuilds\\${workspaceHash}\\install\\${name}",
-      "cmakeCommandArgs": "-DBUILD_ENCLAVES=ON -DUSE_LIBSGX=ON -DNUGET_PACKAGE_PATH=${workspaceRoot}\\prereqs\\nuget",
+      "cmakeCommandArgs": "-DBUILD_ENCLAVES=ON -DHAS_QUOTE_PROVIDER=ON -DNUGET_PACKAGE_PATH=${workspaceRoot}\\prereqs\\nuget",
       "buildCommandArgs": "-v",
       "ctestCommandArgs": ""
     }
diff --git a/cmake/openenclave-config.cmake.in b/cmake/openenclave-config.cmake.in
index 44ef796003..5709981bf8 100644
--- a/cmake/openenclave-config.cmake.in
+++ b/cmake/openenclave-config.cmake.in
@@ -13,9 +13,9 @@ set_and_check(OE_BINDIR "@PACKAGE_CMAKE_INSTALL_BINDIR@")
 set_and_check(OE_DATADIR "@PACKAGE_CMAKE_INSTALL_DATADIR@")
 set_and_check(OE_INCLUDEDIR "@PACKAGE_CMAKE_INSTALL_INCLUDEDIR@")
 set(OE_SCRIPTSDIR "@PACKAGE_CMAKE_INSTALL_BINDIR@/scripts")
+set (OE_SGX "@OE_SGX@")
 
 if (WIN32)
-  set(OE_SGX ON)
   set(USE_CLANGW ON)
 
   # NOTE: On Windows we have found that we must use Git Bash, not the
@@ -72,38 +72,58 @@ elseif (WIN32)
   endif()
 endif ()
 
-if (NOT TARGET openenclave::sgx_enclave_common)
-  find_library(SGX_ENCLAVE_COMMON_LIB NAMES sgx_enclave_common
-	       HINTS ${NUGET_PACKAGE_PATH}/EnclaveCommonAPI/lib/native/x64-Release)
-  if (NOT SGX_ENCLAVE_COMMON_LIB)
-    message(FATAL_ERROR "-- Looking for sgx_enclave_common library - not found")
-  else ()
-    message(VERBOSE "-- Looking for sgx_enclave_common library - found")
-    add_library(openenclave::sgx_enclave_common SHARED IMPORTED)
+# Include the automatically exported targets.
+include("${CMAKE_CURRENT_LIST_DIR}/openenclave-targets.cmake")
+if (WIN32)
+  include("${CMAKE_CURRENT_LIST_DIR}/add_dcap_client_target.cmake")
+  include("${CMAKE_CURRENT_LIST_DIR}/copy_oedebugrt_target.cmake")
+  include("${CMAKE_CURRENT_LIST_DIR}/maybe_build_using_clangw.cmake")
+endif ()
+
+if (OE_SGX)
+  if (NOT TARGET openenclave::sgx_enclave_common)
     if (UNIX)
-      set_target_properties(openenclave::sgx_enclave_common PROPERTIES IMPORTED_LOCATION ${SGX_ENCLAVE_COMMON_LIB})
+      find_library(SGX_ENCLAVE_COMMON_LIB NAMES sgx_enclave_common HINTS "/usr")
     elseif (WIN32)
-      set_target_properties(openenclave::sgx_enclave_common PROPERTIES
-                            IMPORTED_LOCATION $ENV{WINDIR}/System32
-                            IMPORTED_IMPLIB ${SGX_ENCLAVE_COMMON_LIB})
+      find_library(SGX_ENCLAVE_COMMON_LIB NAMES sgx_enclave_common
+           HINTS ${NUGET_PACKAGE_PATH}/EnclaveCommonAPI/lib/native/x64-Release)
+    endif ()
+    if (NOT SGX_ENCLAVE_COMMON_LIB)
+      message(FATAL_ERROR "-- Looking for sgx_enclave_common library - not found")
+    else ()
+      message(VERBOSE "-- Looking for sgx_enclave_common library - found")
+      add_library(openenclave::sgx_enclave_common SHARED IMPORTED)
+      if (UNIX)
+        set_target_properties(openenclave::sgx_enclave_common PROPERTIES IMPORTED_LOCATION ${SGX_ENCLAVE_COMMON_LIB})
+      elseif (WIN32)
+        set_target_properties(openenclave::sgx_enclave_common PROPERTIES
+                              IMPORTED_LOCATION $ENV{WINDIR}/System32
+                              IMPORTED_IMPLIB ${SGX_ENCLAVE_COMMON_LIB})
+      endif ()
+      target_link_libraries(openenclave::oehost INTERFACE openenclave::sgx_enclave_common)
     endif ()
   endif ()
-endif ()
 
-if (NOT TARGET openenclave::sgx_dcap_ql)
-  find_library(SGX_DCAP_QL_LIB NAMES sgx_dcap_ql
-               HINTS ${NUGET_PACKAGE_PATH}/DCAP_Components/build/lib/native/Libraries)
-  if (NOT SGX_DCAP_QL_LIB)
-    message(FATAL_ERROR "-- Looking for sgx_dcap_ql library - not found")
-  else ()
-    message(VERBOSE "-- Looking for sgx_dcap_ql library - found")
-    add_library(openenclave::sgx_dcap_ql SHARED IMPORTED)
+  if (NOT TARGET openenclave::sgx_dcap_ql)
     if (UNIX)
-      set_target_properties(openenclave::sgx_dcap_ql PROPERTIES IMPORTED_LOCATION ${SGX_DCAP_QL_LIB})
+      find_library(SGX_DCAP_QL_LIB NAMES sgx_dcap_ql HINTS "/usr")
     elseif (WIN32)
-      set_target_properties(openenclave::sgx_dcap_ql PROPERTIES
-                            IMPORTED_LOCATION $ENV{WINDIR}/System32
-                            IMPORTED_IMPLIB ${SGX_DCAP_QL_LIB})
+      find_library(SGX_DCAP_QL_LIB NAMES sgx_dcap_ql
+                 HINTS ${NUGET_PACKAGE_PATH}/DCAP_Components/build/lib/native/Libraries)
+    endif ()
+    if (NOT SGX_DCAP_QL_LIB)
+      message(WARNING "-- Looking for sgx_dcap_ql library - not found. Attestations based on quotes would not function without the quote provider.")
+    else ()
+      message(VERBOSE "-- Looking for sgx_dcap_ql library - found")
+      add_library(openenclave::sgx_dcap_ql SHARED IMPORTED)
+      if (UNIX)
+        set_target_properties(openenclave::sgx_dcap_ql PROPERTIES IMPORTED_LOCATION ${SGX_DCAP_QL_LIB})
+      elseif (WIN32)
+        set_target_properties(openenclave::sgx_dcap_ql PROPERTIES
+                              IMPORTED_LOCATION $ENV{WINDIR}/System32
+                              IMPORTED_IMPLIB ${SGX_DCAP_QL_LIB})
+      endif ()
+      target_link_libraries(openenclave::oehost INTERFACE openenclave::sgx_dcap_ql)
     endif ()
   endif ()
 endif ()
@@ -121,15 +141,6 @@ if(NOT TARGET openenclave::oegdb)
   set_target_properties(openenclave::oegdb PROPERTIES IMPORTED_LOCATION ${OE_BINDIR}/oegdb)
 endif ()
 
-# Include the automatically exported targets.
-include("${CMAKE_CURRENT_LIST_DIR}/openenclave-targets.cmake")
-if (WIN32)
-  include("${CMAKE_CURRENT_LIST_DIR}/add_dcap_client_target.cmake")
-  include("${CMAKE_CURRENT_LIST_DIR}/copy_oedebugrt_target.cmake")
-  include("${CMAKE_CURRENT_LIST_DIR}/maybe_build_using_clangw.cmake")
-endif ()
-target_link_libraries(openenclave::oehost INTERFACE openenclave::sgx_enclave_common openenclave::sgx_dcap_ql)
-
 # Apply Spectre mitigations if available.
 set(OE_SPECTRE_MITIGATION_FLAGS "@SPECTRE_MITIGATION_FLAGS@")
 
diff --git a/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
index 9772683a6f..fe7ab198cd 100644
--- a/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/SGX1GettingStarted.md
@@ -44,7 +44,7 @@ cd build/
 Then run `cmake` to configure the build and generate the make files and build:
 
 ```bash
-cmake -DUSE_LIBSGX=OFF ..
+cmake -DHAS_QUOTE_PROVIDER=OFF ..
 make
 ```
 
diff --git a/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md b/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md
index 4e1223ffbb..12d6cd23ff 100644
--- a/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md
@@ -41,7 +41,7 @@ cd build/
 Then run `cmake` to configure the build and generate the make files and build:
 
 ```bash
-cmake -DUSE_LIBSGX=OFF ..
+cmake -DHAS_QUOTE_PROVIDER=OFF ..
 make
 ```
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
index 9b0bf20966..95ed3119a8 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
@@ -6,7 +6,7 @@ the install-prefix to the cmake call before calling `ninja install`.
 From the build subfolder in your source tree:
 
 ```cmd
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DUSE_LIBSGX=ON
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=ON
 ninja install
 ```
 
@@ -18,7 +18,7 @@ Please note that NUGET_PACKAGE_PATH in the above command points to the directory
 To create a redistributable NuGet package use the following command from your build subfolder:
 
 ```cmd
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages -DCPACK_GENERATOR=NuGet -DUSE_LIBSGX=ON
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages -DCPACK_GENERATOR=NuGet -DHAS_QUOTE_PROVIDER=ON
 ninja package
 ```
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
index e1ae13f007..8019372ea2 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
@@ -1,25 +1,49 @@
 # SGX1 Prerequisites on Windows
 
-## Intel SGX Platform Software for Windows (PSW) v2.2
+## Intel SGX Platform Software for Windows (PSW) v2.4 or above
 
-The PSW should be installed automatically on a Windows Server 2016 image for an Azure Confidential Compute VM. You can verify that is the case on the command line as follows:
+The latest PSW should be installed automatically on a Windows machine with Windows
+version no lower than 1709. To check your Windows version, run `winver` on the
+command line.
+
+Windows Server 2016 image for an Azure Confidential Compute VM has a Windows version
+lower than 1709, therefore you need to install PSW v2.4 or above manually.
+You can download [PSW v2.4](http://registrationcenter-download.intel.com/akdlm/irc_nas/15654/Intel%20SGX%20PSW%20for%20Windows%20v2.4.100.51291.exe),
+extract the zipped files, and run the executable under folder **PSW_EXE_RS2_and_before**
+to install PSW 2.4.
+
+You can verify that the correct version of Intel SGX PSW is installed by using
+Windows Explorer to open `C:\Windows\System32`. You should be able to find
+file `sgx_urts.dll` if PSW is installed. Right click on `sgx_urts.dll`,
+choose `Properties` and then find `Product version` on the `Details` tab.
+The version should be "2.4.xxx.xxx" or above.
+
+To verify that Intel SGX PSW is running, use the following command:
 
 ```cmd
 sc query aesmservice
 ```
 
-The state of the service should be "running" (4). Follow Intel's documentation for troubleshooting.
+The state of the service should be "running" (4). Follow Intel's documentation for
+troubleshooting. In case the AESM service was stopped for some reasons, restart it
+using the following command from Powershell.
 
-If you have a Windows Server 2016 image that does not have Intel PSW 2.2, please get the PSW 2.2 [zipped executable](https://oejenkins.blob.core.windows.net/oejenkins/intel_sgx_win_2.2.100.47975_PV.zip).
+```powershell
+Start-Service "AESMService"
+```
 
-After downloading and extracting the zipped executable, run the executable to install PSW 2.2.
+## Intel Enclave Common API library
 
+The Intel Enclave Common API library is necessary for creating, initializing, and deleting enclaves.
+It does not supporting quoting, and consequentially, attestation which is based on quoting. The lack
+of quoting capability is a limitation of SGX1 machines which don't have FLC support.
+
+Firstly we download Intel SGX and DCAP library from [here](http://registrationcenter-download.intel.com/akdlm/irc_nas/15650/Intel%20SGX%20DCAP%20for%20Windows%20v1.2.100.49925.exe). Run the executable to unzip files to a specified location.
+
+Make sure you have [nuget cli tool](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) installed,
+run the following command from a Windows prompt:
 ```cmd
-C:\Intel SGX PSW for Windows v2.2.100.48339.exe\PSW_EXE_RS2_and_before\Intel(R)Intel(R)_SGX_Windows_x64_PSW_2.2.100.48339.exe
+nuget install EnclaveCommonAPI -Source C:\path\to\the\unzipped\sgx\and\dcap\files\nuget -OutputDirectory C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages  -ExcludeVersion
 ```
 
-Start the AESM service by running the following command from Powershell.
-
-```powershell
-Start-Service "AESMService"
-```
\ No newline at end of file
+You can verify that the library is installed properly by checking whether `sgx_enclave_coomon.lib` exists in the folder `C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages\nuget\EnclaveCommonAPI\lib\native\x64-Release`.
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index 0e8e756167..361d0d7864 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -69,7 +69,7 @@ To build debug enclaves:
 cd C:\openenclave
 mkdir build\x64-Debug
 cd build\x64-Debug
-cmake -G Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DUSE_LIBSGX=ON ..\..
+cmake -G Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=ON ..\..
 ninja
 ```
 
@@ -80,7 +80,7 @@ Similarly, to build release enclaves:
 cd C:\openenclave
 mkdir build\x64-Release
 cd build\x64-Release
-cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DUSE_LIBSGX=ON ..\..
+cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=ON ..\..
 ninja
 ```
 
diff --git a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
index 1a73857618..898c77b49e 100644
--- a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
+++ b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
@@ -69,7 +69,7 @@ See [Open Enclave samples](/samples/README_Linux.md) for details.
 Assuming you install the SDK as below (also described in the [basic install section](WindowsInstallInfo.md#basic-install-on-windows))
 
 ```bash
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\path\to\intel_and_dcap_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave" -DUSE_LIBSGX=ON
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\path\to\intel_and_dcap_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave" -DHAS_QUOTE_PROVIDER=ON
 ninja install
 ```
 Open Enclave samples can be found in c:\openenclave\share\openenclave\samples
diff --git a/enclave/core/CMakeLists.txt b/enclave/core/CMakeLists.txt
index 4afb255ffd..67d7ec21bc 100644
--- a/enclave/core/CMakeLists.txt
+++ b/enclave/core/CMakeLists.txt
@@ -243,8 +243,8 @@ target_compile_definitions(oecore
     # package.
     $<BUILD_INTERFACE:OE_API_VERSION=2>)
 
-if(USE_LIBSGX)
-    target_compile_definitions(oecore PUBLIC OE_USE_LIBSGX)
+if(HAS_QUOTE_PROVIDER)
+    target_compile_definitions(oecore PUBLIC OE_LINK_SGX_DCAP_QL)
 endif()
 
 if(USE_DEBUG_MALLOC)
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index a240e19001..1769b8137f 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -160,7 +160,6 @@ if (OE_SGX)
 
     list(APPEND PLATFORM_SDK_ONLY_SRC
       sgx/linux/aep.S
-      sgx/linux/aesm.c
       sgx/linux/enter.S
       sgx/linux/entersim.S
       sgx/linux/exception.c
@@ -173,7 +172,6 @@ if (OE_SGX)
 
     list(APPEND PLATFORM_SDK_ONLY_SRC
       sgx/windows/aep.asm
-      sgx/windows/aesm.c
       sgx/windows/enter.asm
       sgx/windows/entersim.asm
       sgx/windows/host_context.asm
@@ -309,41 +307,55 @@ endif ()
 # For including edge routines.
 target_include_directories(oehost PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
 
-if (USE_LIBSGX)
+if (OE_SGX)
+  # Always link with the EnclaveCommonAPI
   if (WIN32)
-    set(LIBPATHS
-      ${NUGET_PACKAGE_PATH}/EnclaveCommonAPI/lib/native/x64-Release
-      ${NUGET_PACKAGE_PATH}/DCAP_Components/build/lib/native/Libraries)
-    set(INCPATHS
-      "${NUGET_PACKAGE_PATH}/EnclaveCommonAPI/Header Files"
-      "${NUGET_PACKAGE_PATH}/DCAP_Components/build/Header Files")
-    set(WINSYSLOCATION
-       $ENV{WINDIR}/System32)
+    set(LIBPATHS ${NUGET_PACKAGE_PATH}/EnclaveCommonAPI/lib/native/x64-Release)
+    set(INCPATHS "${NUGET_PACKAGE_PATH}/EnclaveCommonAPI/Header Files")
   endif ()
-
-  find_library(LIBSGX_COMMON NAMES sgx_enclave_common PATHS ${LIBPATHS})
-  find_library(LIBSGX_QE NAMES sgx_dcap_ql PATHS ${LIBPATHS})
-  if (NOT LIBSGX_COMMON OR NOT LIBSGX_QE)
-    message(FATAL_ERROR "No SGX libraries found, aborting! Set -DUSE_LIBSGX=OFF to ignore.")
+  if (NOT LIBPATHS)
+    set(LIBPATHS "/usr")
+  endif ()
+  find_library(LIBSGX_COMMON NAMES sgx_enclave_common HINTS ${LIBPATHS})
+  if (NOT LIBSGX_COMMON)
+    message(FATAL_ERROR "Intel SGX EnclaveCommonAPI library not found, aborting!")
   endif ()
   add_library(sgx_enclave_common SHARED IMPORTED)
-  add_library(sgx_dcap_ql SHARED IMPORTED)
-
-  if (UNIX)
+  if (WIN32)
+     set_target_properties(sgx_enclave_common PROPERTIES
+        INTERFACE_INCLUDE_DIRECTORIES "${INCPATHS}"
+        IMPORTED_LOCATION $ENV{WINDIR}/System32
+        IMPORTED_IMPLIB ${LIBSGX_COMMON})
+  elseif (UNIX)
     set_target_properties(sgx_enclave_common PROPERTIES IMPORTED_LOCATION ${LIBSGX_COMMON})
-    set_target_properties(sgx_dcap_ql PROPERTIES IMPORTED_LOCATION ${LIBSGX_QE})
-  elseif (WIN32)
-    set_target_properties(sgx_enclave_common PROPERTIES
-      INTERFACE_INCLUDE_DIRECTORIES "${INCPATHS}"
-      IMPORTED_LOCATION ${WINSYSLOCATION}
-      IMPORTED_IMPLIB ${LIBSGX_COMMON})
-    set_target_properties(sgx_dcap_ql PROPERTIES
-      INTERFACE_INCLUDE_DIRECTORIES "${INCPATHS}"
-      IMPORTED_LOCATION ${WINSYSLOCATION}
-      IMPORTED_IMPLIB ${LIBSGX_QE})
   endif ()
-  target_link_libraries(oehost PUBLIC $<BUILD_INTERFACE:sgx_dcap_ql> $<BUILD_INTERFACE:sgx_enclave_common>)
-  target_compile_definitions(oehost PUBLIC OE_USE_LIBSGX)
+  target_link_libraries(oehost PUBLIC $<BUILD_INTERFACE:sgx_enclave_common>)
+
+  # Optionally link in DCAP library
+  if (HAS_QUOTE_PROVIDER)
+    if (WIN32)
+      list(APPEND LIBPATHS
+          ${NUGET_PACKAGE_PATH}/DCAP_Components/build/lib/native/Libraries)
+      list(APPEND INCPATHS
+          "${NUGET_PACKAGE_PATH}/DCAP_Components/build/Header Files")
+    endif ()
+    find_library(LIBSGX_QE NAMES sgx_dcap_ql HINTS ${LIBPATHS})
+    if (NOT LIBSGX_QE)
+      message(FATAL_ERROR "No quote provider library found, aborting! Set -DHAS_QUOTE_PROVIDER=OFF to ignore.")
+    endif ()
+    add_library(sgx_dcap_ql SHARED IMPORTED)
+    if (WIN32)
+      set_target_properties(sgx_dcap_ql PROPERTIES
+          INTERFACE_INCLUDE_DIRECTORIES "${INCPATHS}"
+          IMPORTED_LOCATION $ENV{WINDIR}/System32
+          IMPORTED_IMPLIB ${LIBSGX_QE})
+    elseif (UNIX)
+      set_target_properties(sgx_dcap_ql PROPERTIES IMPORTED_LOCATION ${LIBSGX_QE})
+    endif ()
+    target_link_libraries(oehost PUBLIC $<BUILD_INTERFACE:sgx_dcap_ql>)
+    # turn on 'OE_LINK_SGX_DCAP_QL' for the preprocessor
+    target_compile_definitions(oehost PUBLIC OE_LINK_SGX_DCAP_QL)
+  endif ()
 endif ()
 
 # Compile definitions and options
diff --git a/host/sgx/linux/aesm.c b/host/sgx/linux/aesm.c
deleted file mode 100644
index 9c558cc8fd..0000000000
--- a/host/sgx/linux/aesm.c
+++ /dev/null
@@ -1,706 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-#include <openenclave/bits/safecrt.h>
-#include <openenclave/host.h>
-#include <openenclave/internal/aesm.h>
-#include <openenclave/internal/hexdump.h>
-#include <openenclave/internal/mem.h>
-#include <openenclave/internal/raise.h>
-#include <openenclave/internal/trace.h>
-#include <openenclave/internal/utils.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <sys/un.h>
-#include <unistd.h>
-
-/*
-**==============================================================================
-**
-** This module implements a socket client to AESM (SGX Application Enclave
-** Services Manager). On linux, this service is called 'aesmd'. See if it
-** is running with this command:
-**
-**     $ services aesmd status
-**
-** References:
-**
-**     See messages.proto from the Intel SGX SDK for the interface.
-**
-**==============================================================================
-*/
-
-#define OE_ERROR_UNPACK ((size_t)-1)
-
-#define AESM_SOCKET "/var/run/aesmd/aesm.socket"
-
-typedef enum _wire_type
-{
-    WIRE_TYPE_VARINT = 0,
-    WIRE_TYPE_LENGTH_DELIMITED = 2
-} wire_type_t;
-
-#define AESM_MAGIC 0x4efaa2a3
-
-typedef enum _message_type
-{
-    MESSAGE_TYPE_INIT_QUOTE = 1,
-    MESSAGE_TYPE_GET_QUOTE = 2,
-    MESSAGE_TYPE_GET_LAUNCH_TOKEN = 3
-} message_type_t;
-
-struct _aesm
-{
-    uint32_t magic;
-    int sock;
-};
-
-static int _aesm_valid(const aesm_t* aesm)
-{
-    return aesm != NULL && aesm->magic == AESM_MAGIC;
-}
-
-static int _make_tag(uint8_t field_num, wire_type_t wire_type, uint8_t* tag)
-{
-    int ret = -1;
-
-    /* Initialize the tag in case of failure */
-    if (tag)
-        *tag = 0;
-
-    /* Check parameter */
-    if (!tag)
-        goto done;
-
-    /* Check for overflow (field_num will occupy the upper 5 bits) */
-    if (field_num & 0xE0)
-        goto done;
-
-    /* Check for overflow (wire_type will occupy the lower 3 bits) */
-    if ((uint8_t)wire_type & 0xF8)
-        goto done;
-
-    /* Form the tag */
-    *tag = (uint8_t)((field_num << 3) | (uint8_t)wire_type);
-
-    ret = 0;
-
-done:
-    return ret;
-}
-
-static int _pack_variant_uint32(mem_t* buf, uint32_t x)
-{
-    uint8_t data[8];
-    uint8_t* p = data;
-    const uint8_t* end = data + sizeof(data);
-
-    while (x >= 0x80)
-    {
-        if (p == end)
-            return -1;
-
-        *p++ = (uint8_t)(x | 0x80);
-        x >>= 7;
-    }
-
-    if (p == end)
-        return -1;
-
-    *p++ = (uint8_t)(x);
-
-    return mem_cat(buf, data, (size_t)(p - data));
-}
-
-static int _pack_tag(mem_t* buf, uint8_t field_num, wire_type_t wire_type)
-{
-    uint8_t tag;
-
-    if (_make_tag(field_num, wire_type, &tag) != 0)
-        return -1;
-
-    return mem_cat(buf, &tag, sizeof(uint8_t));
-}
-
-static ssize_t _unpack_tag(const mem_t* buf, size_t pos, uint8_t* tag)
-{
-    size_t size = sizeof(uint8_t);
-
-    if (pos + size > mem_size(buf))
-        return -1;
-
-    if (oe_memcpy_s(tag, sizeof(*tag), mem_ptr_at(buf, pos), size) != OE_OK)
-        return -1;
-
-    if (pos + size > OE_SSIZE_MAX)
-        return -1;
-
-    return (ssize_t)(pos + size);
-}
-
-static ssize_t _unpack_variant_uint32(mem_t* buf, size_t pos, uint32_t* value)
-{
-    const uint8_t* p;
-    uint32_t result = 0;
-    size_t count = 0;
-    uint32_t b;
-
-    if (value)
-        *value = 0;
-
-    p = (const uint8_t*)mem_ptr_at(buf, pos);
-
-    do
-    {
-        /* Check for overflow */
-        if (count == sizeof(uint32_t))
-            return -1;
-
-        /* If buffer is exhausted */
-        if (p == mem_end(buf))
-            return -1;
-
-        b = *p;
-        result |= (uint32_t)(b & 0x7F) << (7 * count);
-        p++;
-        count++;
-    } while (b & 0x80);
-
-    *value = result;
-
-    if (pos + count > OE_SSIZE_MAX)
-        return -1;
-
-    return (ssize_t)(pos + count);
-}
-
-static oe_result_t _pack_bytes(
-    mem_t* buf,
-    uint8_t field_num,
-    const void* data,
-    uint32_t size)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    uint8_t tag;
-
-    if (_make_tag(field_num, WIRE_TYPE_LENGTH_DELIMITED, &tag) != 0)
-        OE_RAISE(OE_FAILURE);
-
-    if (mem_cat(buf, &tag, sizeof(tag)) != 0)
-        OE_RAISE(OE_FAILURE);
-
-    if (_pack_variant_uint32(buf, size) != 0)
-        OE_RAISE(OE_FAILURE);
-
-    if (mem_cat(buf, data, size) != 0)
-        OE_RAISE(OE_FAILURE);
-
-    result = OE_OK;
-
-done:
-    return result;
-}
-
-static oe_result_t _pack_var_int(mem_t* buf, uint8_t field_num, uint64_t value)
-{
-    oe_result_t result = OE_UNEXPECTED;
-
-    if (_pack_tag(buf, field_num, WIRE_TYPE_VARINT) != 0)
-        OE_RAISE(OE_FAILURE);
-
-    if (value > OE_UINT_MAX)
-        OE_RAISE(OE_INVALID_PARAMETER);
-
-    if (_pack_variant_uint32(buf, (uint32_t)value) != 0)
-        OE_RAISE(OE_FAILURE);
-
-    result = OE_OK;
-
-done:
-    return result;
-}
-
-static oe_result_t _unpack_var_int(
-    mem_t* buf,
-    size_t* pos,
-    uint8_t field_num,
-    uint32_t* value)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    uint8_t tag;
-    uint8_t tmp_tag;
-
-    if ((*pos = (size_t)_unpack_tag(buf, *pos, &tag)) == OE_ERROR_UNPACK)
-        OE_RAISE(OE_FAILURE);
-
-    if (_make_tag(field_num, WIRE_TYPE_VARINT, &tmp_tag) != 0)
-        OE_RAISE(OE_FAILURE);
-
-    if (tag != tmp_tag)
-        OE_RAISE(OE_FAILURE);
-
-    if ((*pos = (size_t)_unpack_variant_uint32(buf, *pos, value)) ==
-        OE_ERROR_UNPACK)
-        OE_RAISE(OE_FAILURE);
-
-    result = OE_OK;
-
-done:
-    return result;
-}
-
-static oe_result_t _unpack_length_delimited(
-    mem_t* buf,
-    size_t* pos,
-    uint8_t field_num,
-    void* data,
-    size_t data_size)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    uint8_t tag = 0;
-    uint8_t tmp_tag = 0;
-    uint32_t size;
-
-    if ((*pos = (size_t)_unpack_tag(buf, *pos, &tag)) == OE_ERROR_UNPACK)
-        OE_RAISE(OE_FAILURE);
-
-    if (_make_tag(field_num, WIRE_TYPE_LENGTH_DELIMITED, &tmp_tag) != 0)
-        OE_RAISE(OE_FAILURE);
-
-    if (tag != tmp_tag)
-        OE_RAISE(OE_FAILURE);
-
-    if ((*pos = (size_t)_unpack_variant_uint32(buf, *pos, &size)) ==
-        OE_ERROR_UNPACK)
-        OE_RAISE(OE_FAILURE);
-
-    if (size > data_size)
-        OE_RAISE(OE_FAILURE);
-
-    OE_CHECK(oe_memcpy_s(data, data_size, mem_ptr_at(buf, *pos), size));
-
-    *pos += size;
-
-    result = OE_OK;
-
-done:
-    return result;
-}
-
-static int _read(int sock, void* data, size_t size)
-{
-    ssize_t n;
-
-    if ((n = read(sock, data, size)) != (ssize_t)size)
-        return -1;
-
-    return 0;
-}
-
-static int _write(int sock, const void* data, size_t size)
-{
-    ssize_t n;
-
-    if ((n = write(sock, data, size)) != (ssize_t)size)
-        return -1;
-
-    return 0;
-}
-
-static oe_result_t _write_request(
-    aesm_t* aesm,
-    message_type_t message_type,
-    const mem_t* message)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    mem_t envelope = MEM_DYNAMIC_INIT;
-
-    OE_TRACE_INFO("=== _write_request:\n");
-    if (oe_get_current_logging_level() >= OE_LOG_LEVEL_INFO)
-    {
-        oe_hex_dump(mem_ptr(message), mem_size(message));
-    }
-
-    /* Wrap message in envelope */
-    OE_CHECK(_pack_bytes(
-        &envelope,
-        (uint8_t)message_type,
-        mem_ptr(message),
-        (uint32_t)mem_size(message)));
-
-    /* Send the envelope to the AESM service */
-    {
-        uint32_t size = (uint32_t)mem_size(&envelope);
-
-        /* Send message size */
-        if (_write(aesm->sock, &size, sizeof(uint32_t)) != 0)
-            OE_RAISE(OE_FAILURE);
-
-        /* Send message data */
-        if (_write(aesm->sock, mem_ptr(&envelope), mem_size(&envelope)) != 0)
-            OE_RAISE(OE_FAILURE);
-    }
-
-    result = OE_OK;
-
-done:
-
-    mem_free(&envelope);
-
-    return result;
-}
-
-static oe_result_t _read_response(
-    aesm_t* aesm,
-    message_type_t message_type,
-    mem_t* message)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    uint32_t size;
-    mem_t envelope = MEM_DYNAMIC_INIT;
-
-    mem_clear(message);
-
-    /* Read the ENVELOPE from the AESM service */
-    {
-        /* Read the envelope size */
-        if (_read(aesm->sock, &size, sizeof(uint32_t)) != 0)
-            OE_RAISE(OE_FAILURE);
-
-        /* Expand the buffer */
-        if (mem_resize(&envelope, size) != 0)
-            OE_RAISE(OE_FAILURE);
-
-        /* Read the message */
-        if (_read(aesm->sock, mem_mutable_ptr(&envelope), size) != 0)
-            OE_RAISE(OE_FAILURE);
-    }
-
-    /* Copy envelope contents into MESSAGE */
-    {
-        uint8_t tag;
-        uint8_t tmp_tag;
-        size_t pos = 0;
-        uint32_t size;
-
-        /* Get the tag of this payload */
-        if ((pos = (size_t)_unpack_tag(&envelope, pos, &tag)) ==
-            OE_ERROR_UNPACK)
-            OE_RAISE(OE_FAILURE);
-
-        if (_make_tag(
-                (uint8_t)message_type, WIRE_TYPE_LENGTH_DELIMITED, &tmp_tag) !=
-            0)
-            OE_RAISE(OE_FAILURE);
-
-        if (tag != tmp_tag)
-            OE_RAISE(OE_FAILURE);
-
-        /* Get the size of this payload */
-        if ((pos = (size_t)_unpack_variant_uint32(&envelope, pos, &size)) ==
-            OE_ERROR_UNPACK)
-            OE_RAISE(OE_FAILURE);
-
-        /* Check the size (must equal unread bytes in envelope) */
-        if (size != mem_size(&envelope) - (size_t)pos)
-            OE_RAISE(OE_FAILURE);
-
-        uint8_t* temp = (uint8_t*)mem_ptr(&envelope) + pos;
-
-        /* Read the message from the envelope */
-        mem_cat(message, (const void*)temp, (size_t)size);
-    }
-
-    OE_TRACE_INFO("=== _read_response():\n");
-    if (oe_get_current_logging_level() >= OE_LOG_LEVEL_INFO)
-    {
-        oe_hex_dump(mem_ptr(message), mem_size(message));
-    }
-
-    result = OE_OK;
-
-done:
-
-    mem_free(&envelope);
-
-    return result;
-}
-
-aesm_t* aesm_connect()
-{
-    int sock = -1;
-    struct sockaddr_un addr;
-    aesm_t* aesm = NULL;
-
-    /* Create a socket for connecting to the AESM service */
-    if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
-        goto done;
-
-    /* Initialize the address */
-    memset(&addr, 0, sizeof(struct sockaddr_un));
-    addr.sun_family = AF_UNIX;
-    oe_strncpy_s(
-        addr.sun_path, sizeof(addr.sun_path), AESM_SOCKET, strlen(AESM_SOCKET));
-
-    /* Connect to the AESM service */
-    if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) != 0)
-    {
-        close(sock);
-        goto done;
-    }
-
-    /* Allocate and initialize the AESM struct */
-    {
-        if (!(aesm = (aesm_t*)malloc(sizeof(aesm_t))))
-        {
-            close(sock);
-            goto done;
-        }
-
-        aesm->magic = AESM_MAGIC;
-        aesm->sock = sock;
-    }
-
-done:
-
-    if (aesm == NULL)
-        OE_TRACE_ERROR("aesm_connect failed");
-
-    return aesm;
-}
-
-void aesm_disconnect(aesm_t* aesm)
-{
-    if (_aesm_valid(aesm))
-    {
-        close(aesm->sock);
-        memset(aesm, 0xDD, sizeof(aesm_t));
-        free(aesm);
-    }
-}
-
-oe_result_t aesm_get_launch_token(
-    aesm_t* aesm,
-    uint8_t mrenclave[OE_SHA256_SIZE],
-    uint8_t modulus[OE_KEY_SIZE],
-    const sgx_attributes_t* attributes,
-    sgx_launch_token_t* launch_token)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    uint64_t timeout = 15000;
-    mem_t request = MEM_DYNAMIC_INIT;
-    mem_t response = MEM_DYNAMIC_INIT;
-
-    if (launch_token)
-        memset(launch_token, 0, sizeof(sgx_launch_token_t));
-
-    /* Reject invalid parameters */
-    if (!_aesm_valid(aesm) || !mrenclave || !modulus || !attributes)
-        OE_RAISE(OE_INVALID_PARAMETER);
-
-    /* Build the PAYLOAD */
-    {
-        /* Pack MRENCLAVE */
-        OE_CHECK(_pack_bytes(&request, 1, mrenclave, OE_SHA256_SIZE));
-
-        /* Pack MODULUS */
-        OE_CHECK(_pack_bytes(&request, 2, modulus, OE_KEY_SIZE));
-
-        /* Pack ATTRIBUTES */
-        OE_CHECK(
-            _pack_bytes(&request, 3, attributes, sizeof(sgx_attributes_t)));
-
-        /* Pack TIMEOUT */
-        OE_CHECK(_pack_var_int(&request, 9, timeout));
-    }
-
-    /* Send the request to the AESM service */
-    OE_CHECK(_write_request(aesm, MESSAGE_TYPE_GET_LAUNCH_TOKEN, &request));
-
-    /* Receive the response from AESM service */
-    OE_CHECK(_read_response(aesm, MESSAGE_TYPE_GET_LAUNCH_TOKEN, &response));
-
-    /* Unpack the response */
-    {
-        size_t pos = 0;
-
-        /* Unpack the error code */
-        {
-            uint32_t errcode;
-            OE_CHECK(_unpack_var_int(&response, &pos, 1, &errcode));
-
-            if (errcode != 0)
-                OE_RAISE_MSG(OE_FAILURE, "errcode=0x%x", errcode);
-        }
-
-        /* Unpack the launch token */
-        OE_CHECK(_unpack_length_delimited(
-            &response, &pos, 2, launch_token, sizeof(sgx_launch_token_t)));
-    }
-
-    result = OE_OK;
-
-done:
-    mem_free(&request);
-    mem_free(&response);
-
-    return result;
-}
-
-oe_result_t aesm_init_quote(
-    aesm_t* aesm,
-    sgx_target_info_t* target_info,
-    sgx_epid_group_id_t* epid_group_id)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    uint64_t timeout = 15000;
-    mem_t request = MEM_DYNAMIC_INIT;
-    mem_t response = MEM_DYNAMIC_INIT;
-
-    if (target_info)
-        memset(target_info, 0, sizeof(sgx_target_info_t));
-
-    /* Reject invalid parameters */
-    if (!_aesm_valid(aesm) || !target_info || !epid_group_id)
-        OE_RAISE(OE_INVALID_PARAMETER);
-
-    /* Build the PAYLOAD */
-    {
-        /* Pack TIMEOUT */
-        OE_CHECK(_pack_var_int(&request, 9, timeout));
-    }
-
-    /* Send the request to the AESM service */
-    OE_CHECK(_write_request(aesm, MESSAGE_TYPE_INIT_QUOTE, &request));
-
-    /* Receive the response from AESM service */
-    OE_CHECK(_read_response(aesm, MESSAGE_TYPE_INIT_QUOTE, &response));
-
-    /* Unpack the response */
-    {
-        size_t pos = 0;
-
-        /* Unpack the error code */
-        {
-            uint32_t errcode;
-            OE_CHECK(_unpack_var_int(&response, &pos, 1, &errcode));
-
-            if (errcode != 0)
-                OE_RAISE_MSG(OE_FAILURE, "errcode=0x%x", errcode);
-        }
-
-        /* Unpack target_info */
-        OE_CHECK(_unpack_length_delimited(
-            &response, &pos, 2, target_info, sizeof(sgx_target_info_t)));
-
-        /* Unpack epid_group_id */
-        OE_CHECK(_unpack_length_delimited(
-            &response, &pos, 3, epid_group_id, sizeof(sgx_epid_group_id_t)));
-    }
-
-    result = OE_OK;
-
-done:
-    mem_free(&request);
-    mem_free(&response);
-
-    return result;
-}
-
-oe_result_t aesm_get_quote(
-    aesm_t* aesm,
-    const sgx_report_t* report,
-    sgx_quote_type_t quote_type,
-    const sgx_spid_t* spid,
-    const sgx_nonce_t* nonce,
-    const uint8_t* signature_revocation_list,
-    uint32_t signature_revocation_list_size,
-    sgx_report_t* report_out, /* ATTN: support this! */
-    sgx_quote_t* quote,
-    size_t quote_size)
-{
-    uint64_t timeout = 15000;
-    mem_t request = MEM_DYNAMIC_INIT;
-    mem_t response = MEM_DYNAMIC_INIT;
-    oe_result_t result = OE_UNEXPECTED;
-
-    /* Zero initialize the quote */
-    if (quote)
-        memset(quote, 0, quote_size);
-
-    /* Check for invalid parameters */
-    if (!_aesm_valid(aesm) || !report || !spid || !quote || !quote_size)
-        OE_RAISE(OE_INVALID_PARAMETER);
-
-    /* Build the PAYLOAD */
-    {
-        /* Pack REPORT */
-        OE_CHECK(_pack_bytes(&request, 1, report, sizeof(sgx_report_t)));
-
-        /* Pack QUOTE-TYPE */
-        OE_CHECK(_pack_var_int(&request, 2, quote_type));
-
-        /* Pack SPID */
-        OE_CHECK(_pack_bytes(&request, 3, spid, sizeof(sgx_spid_t)));
-
-        /* Pack NONCE */
-        if (nonce)
-            OE_CHECK(_pack_bytes(&request, 4, nonce, sizeof(sgx_nonce_t)));
-
-        /* Pack SIGNATURE-REVOCATION-LIST */
-        if (signature_revocation_list_size)
-        {
-            OE_CHECK(_pack_bytes(
-                &request,
-                5,
-                signature_revocation_list,
-                signature_revocation_list_size));
-        }
-
-        /* Pack QUOTE-SIZE */
-        OE_CHECK(_pack_var_int(&request, 6, quote_size));
-
-        /* Pack boolean indicating whether REPORT-OUT is present */
-        if (report_out)
-            OE_CHECK(_pack_var_int(&request, 7, 1));
-
-        /* Pack TIMEOUT */
-        OE_CHECK(_pack_var_int(&request, 9, timeout));
-    }
-
-    /* Send the request to the AESM service */
-    OE_CHECK(_write_request(aesm, MESSAGE_TYPE_GET_QUOTE, &request));
-
-    /* Receive the response from AESM service */
-    OE_CHECK(_read_response(aesm, MESSAGE_TYPE_GET_QUOTE, &response));
-
-    /* Unpack the response */
-    {
-        size_t pos = 0;
-
-        /* Unpack the error code */
-        {
-            uint32_t errcode;
-            OE_CHECK(_unpack_var_int(&response, &pos, 1, &errcode));
-
-            if (errcode != 0)
-                OE_RAISE_MSG(OE_FAILURE, "errcode=0x%x", errcode);
-        }
-
-        /* Unpack quote */
-        OE_CHECK(
-            _unpack_length_delimited(&response, &pos, 2, quote, quote_size));
-
-        /* Unpack optional report_out */
-        if (report_out)
-        {
-            OE_CHECK(_unpack_length_delimited(
-                &response, &pos, 3, report_out, sizeof(sgx_report_t)));
-        }
-    }
-
-    result = OE_OK;
-
-done:
-    return result;
-}
diff --git a/host/sgx/ocalls.c b/host/sgx/ocalls.c
index 594a7efd59..aba1c091e2 100644
--- a/host/sgx/ocalls.c
+++ b/host/sgx/ocalls.c
@@ -119,7 +119,7 @@ oe_result_t oe_get_quote_ocall(
     return result;
 }
 
-#if defined(OE_USE_LIBSGX)
+#if defined(OE_LINK_SGX_DCAP_QL)
 
 /* Copy the source array to an output buffer. */
 static oe_result_t _copy_output_buffer(
@@ -318,7 +318,7 @@ oe_result_t oe_get_qe_identity_info_ocall(
     return result;
 }
 
-#else /* !defined(OE_USE_LIBSGX) */
+#else /* !defined(OE_LINK_SGX_DCAP_QL) */
 
 oe_result_t oe_get_revocation_info_ocall(
     uint8_t fmspc[6],
@@ -402,7 +402,7 @@ oe_result_t oe_get_qe_identity_info_ocall(
     return OE_UNSUPPORTED;
 }
 
-#endif /* !defined(OE_USE_LIBSGX) */
+#endif /* !defined(OE_LINK_SGX_DCAP_QL) */
 
 oe_result_t oe_get_qetarget_info_ocall(sgx_target_info_t* target_info)
 {
diff --git a/host/sgx/quote.c b/host/sgx/quote.c
index 37c9b0d5fd..514cce2fd5 100644
--- a/host/sgx/quote.c
+++ b/host/sgx/quote.c
@@ -10,135 +10,9 @@
 #include <openenclave/internal/sgxtypes.h>
 #include <openenclave/internal/utils.h>
 
-#if defined(OE_USE_LIBSGX)
+#if defined(OE_LINK_SGX_DCAP_QL)
 #include "sgxquote.h"
 #include "sgxquoteprovider.h"
-#else
-#include <openenclave/internal/aesm.h>
-#endif
-
-#if !defined(OE_USE_LIBSGX)
-
-static oe_result_t _sgx_init_quote_with_aesm(sgx_target_info_t* target_info)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    sgx_epid_group_id_t epid_group_id = {{0}};
-
-    aesm_t* aesm = NULL;
-
-    if (!(aesm = aesm_connect()))
-        OE_RAISE(OE_FAILURE);
-
-    OE_CHECK(aesm_init_quote(aesm, target_info, &epid_group_id));
-
-    result = OE_OK;
-
-done:
-
-    if (aesm)
-        aesm_disconnect(aesm);
-
-    return result;
-}
-
-static oe_result_t _sgx_get_quote_size_from_aesm(
-    const uint8_t* signature_revocation_list,
-    size_t* quote_size)
-{
-    oe_result_t result = OE_FAILURE;
-    size_t signature_size = 0;
-    uint32_t n = 0;
-    const sgx_sig_rl_t* sig_rl = (const sgx_sig_rl_t*)signature_revocation_list;
-
-    if (quote_size)
-        *quote_size = 0;
-
-    if (!quote_size)
-        goto done;
-
-    if (sig_rl)
-    {
-        if (sig_rl->protocol_version != SGX_SE_EPID_SIG_RL_VERSION ||
-            sig_rl->epid_identifier != SGX_SE_EPID_SIG_RL_ID)
-        {
-            goto done;
-        }
-
-        assert(sizeof(sig_rl->sig_rl.n2) == sizeof(uint32_t));
-        const void* tmp = &sig_rl->sig_rl.n2;
-        n = oe_byte_swap32(*(uint32_t*)tmp);
-    }
-
-    /* Calculate variable size of EPID_Signature with N entries */
-    signature_size =
-        sizeof(sgx_epid_signature_t) + (n * sizeof(sgx_epid_nr_proof_t));
-
-    *quote_size = sizeof(sgx_quote_t) + sizeof(sgx_wrap_key_t) +
-                  SGX_QUOTE_IV_SIZE + sizeof(uint32_t) + signature_size +
-                  SGX_MAC_SIZE;
-
-    result = OE_OK;
-
-done:
-    return result;
-}
-
-static oe_result_t _sgx_get_quote_from_aesm(
-    const sgx_report_t* report,
-    sgx_quote_type_t quote_type,
-    sgx_quote_t* quote,
-    size_t quote_size)
-{
-    static const sgx_spid_t spid = {{
-        0x21,
-        0x68,
-        0x79,
-        0xB4,
-        0x42,
-        0xA0,
-        0x4A,
-        0x07,
-        0x60,
-        0xF6,
-        0x39,
-        0x91,
-        0x7F,
-        0x4E,
-        0x8B,
-        0x04,
-    }};
-
-    oe_result_t result = OE_UNEXPECTED;
-    aesm_t* aesm = NULL;
-
-    if (!report || !quote || !quote_size)
-        OE_RAISE(OE_INVALID_PARAMETER);
-
-    if (!(aesm = aesm_connect()))
-        OE_RAISE(OE_SERVICE_UNAVAILABLE);
-
-    OE_CHECK(aesm_get_quote(
-        aesm,
-        report,
-        quote_type,
-        &spid,
-        NULL, /* nonce */
-        NULL, /* signature_revocation_list */
-        0,    /* signature_revocation_list_size */
-        NULL, /* report_out */
-        quote,
-        quote_size));
-
-    result = OE_OK;
-
-done:
-
-    if (aesm)
-        aesm_disconnect(aesm);
-
-    return result;
-}
-
 #endif
 
 oe_result_t sgx_get_qetarget_info(sgx_target_info_t* target_info)
@@ -146,7 +20,7 @@ oe_result_t sgx_get_qetarget_info(sgx_target_info_t* target_info)
     oe_result_t result = OE_UNEXPECTED;
     memset(target_info, 0, sizeof(sgx_target_info_t));
 
-#if defined(OE_USE_LIBSGX)
+#if defined(OE_LINK_SGX_DCAP_QL)
     // Quote workflow always begins with obtaining the target info. Therefore
     // initializing the quote provider here ensures that that we can control its
     // life time rather than Intel's attestation libraries.
@@ -155,13 +29,13 @@ oe_result_t sgx_get_qetarget_info(sgx_target_info_t* target_info)
 
     OE_CHECK(oe_initialize_quote_provider());
     OE_CHECK(oe_sgx_qe_get_target_info((uint8_t*)target_info));
-#else
-    OE_CHECK(_sgx_init_quote_with_aesm(target_info));
-#endif
-
     result = OE_OK;
 done:
     return result;
+#else
+    result = OE_UNSUPPORTED;
+    return result;
+#endif
 }
 
 oe_result_t sgx_get_quote_size(size_t* quote_size)
@@ -174,10 +48,10 @@ oe_result_t sgx_get_quote_size(size_t* quote_size)
     if (!quote_size)
         OE_RAISE(OE_INVALID_PARAMETER);
 
-#if defined(OE_USE_LIBSGX)
+#if defined(OE_LINK_SGX_DCAP_QL)
     result = oe_sgx_qe_get_quote_size(quote_size);
 #else
-    result = _sgx_get_quote_size_from_aesm(NULL, quote_size);
+    result = OE_UNSUPPORTED;
 #endif
 
 done:
@@ -217,17 +91,10 @@ oe_result_t sgx_get_quote(
 
     /* Get the quote from the AESM service */
 
-#if defined(OE_USE_LIBSGX)
-
+#if defined(OE_LINK_SGX_DCAP_QL)
     result = oe_sgx_qe_get_quote((uint8_t*)report, *quote_size, quote);
-
 #else
-
-    result = _sgx_get_quote_from_aesm(
-        report,
-        SGX_QUOTE_TYPE_UNLINKABLE_SIGNATURE,
-        (sgx_quote_t*)quote,
-        *quote_size);
+    result = OE_UNSUPPORTED;
 #endif
 
 done:
diff --git a/host/sgx/report.c b/host/sgx/report.c
index 1fcb9dedd4..daa6f5409b 100644
--- a/host/sgx/report.c
+++ b/host/sgx/report.c
@@ -145,10 +145,13 @@ static oe_result_t _oe_get_report_internal(
     oe_result_t result = OE_FAILURE;
     oe_report_header_t* header = (oe_report_header_t*)report_buffer;
 
-#if defined(OE_USE_LIBSGX)
+#if defined(OE_LINK_SGX_DCAP_QL)
     // The two host side attestation API's are oe_get_report and
     // oe_verify_report. Initialize the quote provider in both these APIs.
     OE_CHECK(oe_initialize_quote_provider());
+#else
+    if (flags & OE_REPORT_FLAGS_REMOTE_ATTESTATION)
+        return OE_UNSUPPORTED;
 #endif
 
     // Reserve space in the buffer for header.
@@ -288,9 +291,9 @@ oe_result_t oe_verify_report(
     if (header->report_type == OE_REPORT_TYPE_SGX_REMOTE)
     {
         // Intialize the quote provider if we want to verify a remote quote.
-        // Note that we don't have the OE_USE_LIBSGX guard here since we don't
-        // need the sgx libraries to verify the quote. All we need is the quote
-        // provider.
+        // Note that we don't have the OE_LINK_SGX_DCAP_QL guard here since we
+        // don't need the sgx libraries to verify the quote. All we need is the
+        // quote provider.
         OE_CHECK(oe_initialize_quote_provider());
 
         // Quote attestation can be done entirely on the host side.
diff --git a/host/sgx/sgxload.c b/host/sgx/sgxload.c
index 8122d4a70c..f639b086f2 100644
--- a/host/sgx/sgxload.c
+++ b/host/sgx/sgxload.c
@@ -2,24 +2,18 @@
 // Licensed under the MIT License.
 
 #include "sgxload.h"
-#if defined(OE_USE_LIBSGX)
 #include <sgx_enclave_common.h>
-#endif
 
 #if defined(__linux__)
-#include <fcntl.h>
 #include <sys/mman.h>
 #include <unistd.h>
-#include "linux/sgxioctl.h"
 #elif defined(_WIN32)
 #include <Windows.h>
-#define MAX_EINIT_RETRY_COUNT 50
 #endif
 
 #include <assert.h>
 #include <openenclave/bits/safecrt.h>
 #include <openenclave/bits/safemath.h>
-#include <openenclave/internal/aesm.h>
 #include <openenclave/internal/raise.h>
 #include <openenclave/internal/sgxcreate.h>
 #include <openenclave/internal/sgxsign.h>
@@ -49,23 +43,14 @@ static int _make_memory_protect_param(uint64_t inflags, bool simulate)
         }
         else
         {
-#if defined(OE_USE_LIBSGX)
-            /* libsgx is only used when not in simulation mode */
             outflags = ENCLAVE_PAGE_THREAD_CONTROL | ENCLAVE_PAGE_READ |
                        ENCLAVE_PAGE_WRITE;
-#elif defined(__linux__)
-            outflags = PROT_NONE;
-#elif defined(_WIN32)
-            outflags = PAGE_ENCLAVE_THREAD_CONTROL | PAGE_READWRITE;
-#endif
         }
     }
     else if (inflags & SGX_SECINFO_REG)
     {
-#if defined(OE_USE_LIBSGX)
         if (!simulate)
         {
-            /* libsgx is only used when not in simulation mode */
             if (inflags & SGX_SECINFO_R)
                 outflags |= ENCLAVE_PAGE_READ;
 
@@ -76,9 +61,8 @@ static int _make_memory_protect_param(uint64_t inflags, bool simulate)
                 outflags |= ENCLAVE_PAGE_EXECUTE;
         }
         else
+        /* simulation mode falls back to OS memory protection settings */
         {
-/* simulation mode falls back to OS memory protection settings */
-#endif
 #if defined(__linux__)
             if (inflags & SGX_SECINFO_R)
                 outflags |= PROT_READ;
@@ -89,25 +73,23 @@ static int _make_memory_protect_param(uint64_t inflags, bool simulate)
             if (inflags & SGX_SECINFO_X)
                 outflags |= PROT_EXEC;
 #elif defined(_WIN32)
-        if ((inflags & SGX_SECINFO_X) && (inflags & SGX_SECINFO_R) &&
-            (inflags & SGX_SECINFO_W))
-        {
-            outflags = PAGE_EXECUTE_READWRITE;
-        }
-        else if ((inflags & SGX_SECINFO_X) && (inflags & SGX_SECINFO_R))
-            outflags = PAGE_EXECUTE_READ;
-        else if ((inflags & SGX_SECINFO_X))
-            outflags = PAGE_EXECUTE;
-        else if ((inflags & SGX_SECINFO_R) && (inflags & SGX_SECINFO_W))
-            outflags = PAGE_READWRITE;
-        else if ((inflags & SGX_SECINFO_R))
-            outflags = PAGE_READONLY;
-        else
-            outflags = PAGE_NOACCESS;
+            if ((inflags & SGX_SECINFO_X) && (inflags & SGX_SECINFO_R) &&
+                (inflags & SGX_SECINFO_W))
+            {
+                outflags = PAGE_EXECUTE_READWRITE;
+            }
+            else if ((inflags & SGX_SECINFO_X) && (inflags & SGX_SECINFO_R))
+                outflags = PAGE_EXECUTE_READ;
+            else if ((inflags & SGX_SECINFO_X))
+                outflags = PAGE_EXECUTE;
+            else if ((inflags & SGX_SECINFO_R) && (inflags & SGX_SECINFO_W))
+                outflags = PAGE_READWRITE;
+            else if ((inflags & SGX_SECINFO_R))
+                outflags = PAGE_READONLY;
+            else
+                outflags = PAGE_NOACCESS;
 #endif
-#if defined(OE_USE_LIBSGX)
         }
-#endif
     }
 
 #if defined(__linux__)
@@ -299,7 +281,6 @@ static oe_result_t _sgx_free_enclave_memory(
     size_t size,
     bool is_simulation)
 {
-#if defined(OE_USE_LIBSGX)
     if (!is_simulation)
     {
         uint32_t enclave_error = 0;
@@ -311,7 +292,6 @@ static oe_result_t _sgx_free_enclave_memory(
         }
     }
     else /* Fallthrough to simulation mode cleanup based on OS. */
-#endif
     {
         OE_UNUSED(is_simulation);
 #if defined(__linux__)
@@ -376,45 +356,6 @@ static oe_result_t _get_sig_struct(
     return result;
 }
 
-/* obtaining a launch token is only necessary when not using libsgx */
-#if !defined(OE_USE_LIBSGX)
-static oe_result_t _get_launch_token(
-    const oe_sgx_enclave_properties_t* properties,
-    sgx_sigstruct_t* sigstruct,
-    sgx_launch_token_t* launch_token)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    aesm_t* aesm = NULL;
-
-    /* Initialize the SGX attributes */
-    sgx_attributes_t attributes = {0};
-    attributes.flags = properties->config.attributes;
-    attributes.xfrm = properties->config.xfrm;
-
-    memset(launch_token, 0, sizeof(sgx_launch_token_t));
-
-    /* Obtain a launch token from the AESM service */
-    if (!(aesm = aesm_connect()))
-        OE_RAISE(OE_FAILURE);
-
-    OE_CHECK(aesm_get_launch_token(
-        aesm,
-        sigstruct->enclavehash,
-        sigstruct->modulus,
-        &attributes,
-        launch_token));
-
-    result = OE_OK;
-
-done:
-
-    if (aesm)
-        aesm_disconnect(aesm);
-
-    return result;
-}
-#endif
-
 oe_result_t oe_sgx_initialize_load_context(
     oe_sgx_load_context_t* context,
     oe_sgx_load_type_t type,
@@ -433,15 +374,6 @@ oe_result_t oe_sgx_initialize_load_context(
     context->attributes.xfrm = _detect_xfrm();
 
     context->dev = OE_SGX_NO_DEVICE_HANDLE;
-#if !defined(OE_USE_LIBSGX) && defined(__linux__)
-    if (type != OE_SGX_LOAD_TYPE_MEASURE &&
-        !oe_sgx_is_simulation_load_context(context))
-    {
-        context->dev = open("/dev/isgx", O_RDWR);
-        if (context->dev == OE_SGX_NO_DEVICE_HANDLE)
-            OE_RAISE_MSG(OE_FAILURE, "open /dev/isgx device file failed");
-    }
-#endif
 
     context->state = OE_SGX_LOAD_STATE_INITIALIZED;
     result = OE_OK;
@@ -452,10 +384,6 @@ oe_result_t oe_sgx_initialize_load_context(
 
 void oe_sgx_cleanup_load_context(oe_sgx_load_context_t* context)
 {
-#if !defined(OE_USE_LIBSGX) && defined(__linux__)
-    if (context && context->dev != OE_SGX_NO_DEVICE_HANDLE)
-        close(context->dev);
-#endif
     /* Clear all fields, this also sets state to undefined */
     memset(context, 0, sizeof(oe_sgx_load_context_t));
 }
@@ -486,9 +414,7 @@ oe_result_t oe_sgx_create_enclave(
      * mode or on Linux Kabylake machines. */
     if (context->type == OE_SGX_LOAD_TYPE_CREATE)
     {
-#if defined(OE_USE_LIBSGX) || defined(_WIN32)
         if (oe_sgx_is_simulation_load_context(context))
-#endif
         {
             /* Allocation memory-mapped region */
             if (!(base = _allocate_enclave_memory(enclave_size, context->dev)))
@@ -516,8 +442,6 @@ oe_result_t oe_sgx_create_enclave(
     }
     else
     {
-#if defined(OE_USE_LIBSGX)
-
         uint32_t enclave_error;
         void* base = enclave_create(
             NULL, /* Let OS choose the enclave base address */
@@ -535,37 +459,6 @@ oe_result_t oe_sgx_create_enclave(
                 enclave_error);
 
         secs->base = (uint64_t)base;
-
-#elif defined(__linux__)
-
-        /* Ask the Linux SGX driver to create the enclave
-           sgxioctl internally traces any driver returned error */
-        if (sgx_ioctl_enclave_create(context->dev, secs) != 0)
-            OE_RAISE(OE_IOCTL_FAILED);
-
-#elif defined(_WIN32)
-
-        /* Ask OS to create the enclave */
-        DWORD enclave_error;
-        void* base = CreateEnclave(
-            GetCurrentProcess(),
-            NULL, /* Let OS choose the enclave base address */
-            secs->size,
-            secs->size,
-            ENCLAVE_TYPE_SGX,
-            (const void*)secs,
-            sizeof(ENCLAVE_CREATE_INFO_SGX),
-            &enclave_error);
-
-        if (!base)
-            OE_RAISE_MSG(
-                OE_PLATFORM_ERROR,
-                "CreateEnclave failed (err=%#x)",
-                enclave_error);
-
-        secs->base = (uint64_t)base;
-
-#endif
     }
 
     *enclave_addr = base ? (uint64_t)base : secs->base;
@@ -770,8 +663,6 @@ oe_result_t oe_sgx_load_enclave_data(
     }
     else
     {
-#if defined(OE_USE_LIBSGX)
-
         int protect = _make_memory_protect_param(flags, false /*not simulate*/);
         if (!extend)
             protect |= ENCLAVE_PAGE_UNVALIDATED;
@@ -789,46 +680,6 @@ oe_result_t oe_sgx_load_enclave_data(
                 addr,
                 protect,
                 enclave_error);
-
-#elif defined(__linux__)
-
-        /* Ask the Linux SGX driver to add a page to the enclave
-           sgxioctl internally traces any driver returned error */
-        if (sgx_ioctl_enclave_add_page(
-                context->dev, addr, src, flags, extend) != 0)
-            OE_RAISE(OE_IOCTL_FAILED);
-
-#elif defined(_WIN32)
-
-        /* Ask the OS to add a page to the enclave */
-        SIZE_T num_bytes = 0;
-        DWORD enclave_error;
-
-        DWORD protect =
-            _make_memory_protect_param(flags, false /*not simulate*/);
-        if (!extend)
-            protect |= PAGE_ENCLAVE_UNVALIDATED;
-
-        if (!LoadEnclaveData(
-                GetCurrentProcess(),
-                (LPVOID)addr,
-                (LPCVOID)src,
-                OE_PAGE_SIZE,
-                protect,
-                NULL,
-                0,
-                &num_bytes,
-                &enclave_error))
-        {
-            OE_RAISE_MSG(
-                OE_PLATFORM_ERROR,
-                "LoadEnclaveData failed (addr=%#x, prot=%#x, err=%#x)",
-                addr,
-                protect,
-                enclave_error);
-        }
-
-#endif
     }
 
     result = OE_OK;
@@ -866,8 +717,6 @@ oe_result_t oe_sgx_initialize_enclave(
         sgx_sigstruct_t sigstruct;
         OE_CHECK(_get_sig_struct(properties, mrenclave, &sigstruct));
 
-#if defined(OE_USE_LIBSGX)
-
         uint32_t enclave_error = 0;
         if (!enclave_initialize(
                 (void*)addr,
@@ -878,82 +727,6 @@ oe_result_t oe_sgx_initialize_enclave(
                 OE_PLATFORM_ERROR,
                 "enclave_initialize failed (err=%#x)",
                 enclave_error);
-
-#else
-        /* If not using libsgx, get a launch token from the AESM service */
-        sgx_launch_token_t launch_token;
-        OE_CHECK(_get_launch_token(properties, &sigstruct, &launch_token));
-
-#if defined(__linux__)
-
-        /* Ask the Linux SGX driver to initialize the enclave
-           sgxioctl internally traces any driver returned error */
-        if (sgx_ioctl_enclave_init(
-                context->dev,
-                addr,
-                (uint64_t)&sigstruct,
-                (uint64_t)&launch_token) != 0)
-            OE_RAISE(OE_IOCTL_FAILED);
-
-#elif defined(_WIN32)
-
-        OE_STATIC_ASSERT(
-            OE_FIELD_SIZE(ENCLAVE_INIT_INFO_SGX, SigStruct) ==
-            sizeof(sigstruct));
-        OE_STATIC_ASSERT(
-            OE_FIELD_SIZE(ENCLAVE_INIT_INFO_SGX, EInitToken) <=
-            sizeof(launch_token));
-
-        /* Ask the OS to initialize the enclave */
-        DWORD enclave_error;
-        ENCLAVE_INIT_INFO_SGX info = {{0}};
-
-        OE_CHECK(oe_memcpy_s(
-            &info.SigStruct,
-            sizeof(info.SigStruct),
-            (void*)&sigstruct,
-            sizeof(sigstruct)));
-        OE_CHECK(oe_memcpy_s(
-            &info.EInitToken,
-            sizeof(info.EInitToken),
-            (void*)&launch_token,
-            sizeof(info.EInitToken)));
-
-        BOOL success = FALSE;
-        /*
-         * Adding retry count to prevent the failures seen with Windows CI with
-         * EINIT SGX_UNMASKED_EVENT, presumably due to large number of external
-         * interrupts fired in succession. Mitigating this with retry logic at
-         * the OE SDK level as inhibiting the unmasked events requires Windows
-         * kernel support. Thus far, we have not seen the same issue on Linux,
-         * which has more retries and also does a 20ms sleep between each EINIT
-         * attempt. Did not add any delay or sleep as the context switch to
-         * Windows kernel mode should suffice for the delay.
-         *
-         */
-        for (DWORD i = 0; i < MAX_EINIT_RETRY_COUNT; i++)
-        {
-            enclave_error = 0;
-            success = InitializeEnclave(
-                GetCurrentProcess(),
-                (LPVOID)addr,
-                &info,
-                sizeof(info),
-                &enclave_error);
-
-            if (enclave_error != SGX_UNMASKED_EVENT)
-                break;
-        }
-
-        if (!success)
-        {
-            OE_RAISE_MSG(
-                OE_PLATFORM_ERROR,
-                "InitializeEnclave failed (err=%#x)",
-                enclave_error);
-        }
-#endif
-#endif
     }
 
     context->state = OE_SGX_LOAD_STATE_ENCLAVE_INITIALIZED;
diff --git a/host/sgx/sgxquote.c b/host/sgx/sgxquote.c
index ed95852952..32fee66107 100644
--- a/host/sgx/sgxquote.c
+++ b/host/sgx/sgxquote.c
@@ -1,6 +1,6 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
-#if defined(OE_USE_LIBSGX)
+#if defined(OE_LINK_SGX_DCAP_QL)
 
 #include "sgxquote.h"
 #include <openenclave/internal/defs.h>
diff --git a/host/sgx/sgxsign.c b/host/sgx/sgxsign.c
index 09f746bb79..82f3604603 100644
--- a/host/sgx/sgxsign.c
+++ b/host/sgx/sgxsign.c
@@ -3,7 +3,6 @@
 
 #include <openenclave/bits/safecrt.h>
 #include <openenclave/host.h>
-#include <openenclave/internal/aesm.h>
 #include <openenclave/internal/elf.h>
 #include <openenclave/internal/error.h>
 #include <openenclave/internal/mem.h>
diff --git a/host/sgx/windows/aesm.c b/host/sgx/windows/aesm.c
deleted file mode 100644
index 3daff07708..0000000000
--- a/host/sgx/windows/aesm.c
+++ /dev/null
@@ -1,414 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-#include <Windows.h>
-#include <limits.h>
-#include <openenclave/host.h>
-#include <openenclave/internal/aesm.h>
-
-static const uint32_t AESM_MAGIC = 0x4efaa2a3;
-
-typedef UINT32 aesm_error_t;
-
-typedef struct _aesm_interface aesm_interface_t;
-
-/* Copied from MSR-SDK. This is the COM interface for calling into Intel's
- * AESM interface. This will eventually be replaced by a different interface
- * that Intel will be providing.
- */
-typedef struct aesm_interface_vtbl
-{
-    BEGIN_INTERFACE
-
-    HRESULT(STDMETHODCALLTYPE* query_interface)
-    (aesm_interface_t* this,
-     /* [in] */ REFIID riid,
-     /* [annotation][iid_is][out] */
-     _COM_Outptr_ void** object);
-
-    ULONG(STDMETHODCALLTYPE* add_ref)(aesm_interface_t* this);
-
-    ULONG(STDMETHODCALLTYPE* release)(aesm_interface_t* this);
-
-    HRESULT(STDMETHODCALLTYPE* get_license_token)
-    (aesm_interface_t* this,
-     /* [size_is][ref][in] */ uint8_t* mrenclave,
-     uint32_t mrenclave_size,
-     /* [size_is][ref][in] */ uint8_t* public_key,
-     uint32_t public_key_size,
-     /* [size_is][ref][in] */ uint8_t* se_attributes,
-     uint32_t se_attributes_size,
-     /* [size_is][ref][out] */ uint8_t* lictoken,
-     uint32_t lictoken_size,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* init_quote)
-    (aesm_interface_t* this,
-     /* [size_is][out] */ uint8_t* target_info,
-     uint32_t target_info_size,
-     /* [size_is][ref][out] */ uint8_t* gid,
-     uint32_t gid_size,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* get_quote)
-    (aesm_interface_t* this,
-     /* [size_is][ref][in] */ uint8_t* report,
-     uint32_t report_size,
-     uint32_t type,
-     /* [size_is][ref][in] */ uint8_t* spid,
-     uint32_t spid_size,
-     /* [size_is][unique][in] */ uint8_t* nonce,
-     uint32_t nonce_size,
-     /* [size_is][unique][in] */ uint8_t* sig_rl,
-     uint32_t sig_rl_size,
-     /* [size_is][unique][out][in] */ uint8_t* qe_report,
-     uint32_t qe_report_size,
-     /* [size_is][ref][out][in] */ uint8_t* quote,
-     /* [in] */ uint32_t buf_size,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* create_session)
-    (aesm_interface_t* this,
-     /* [ref][out] */ uint32_t* session_id,
-     /* [size_is][ref][out] */ uint8_t* se_dh_msg1,
-     uint32_t se_dh_msg1_size,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* exchange_report)
-    (aesm_interface_t* this,
-     uint32_t session_id,
-     /* [size_is][ref][in] */ uint8_t* se_dh_msg2,
-     uint32_t se_dh_msg2_size,
-     /* [size_is][ref][out] */ uint8_t* se_dh_msg3,
-     uint32_t se_dh_msg3_size,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* close_session)
-    (aesm_interface_t* this,
-     uint32_t session_id,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* invoke_service)
-    (aesm_interface_t* this,
-     /* [size_is][ref][in] */ uint8_t* pse_message_req,
-     uint32_t pse_message_req_size,
-     /* [size_is][ref][out] */ uint8_t* pse_message_resp,
-     uint32_t pse_message_resp_size,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* report_attestation_status)
-    (aesm_interface_t* this,
-     /* [size_is][ref][in] */ uint8_t* platform_info,
-     uint32_t platform_info_size,
-     uint32_t attestation_status,
-     /* [size_is][ref][out] */ uint8_t* update_info,
-     uint32_t update_info_size,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* get_ps_cap)
-    (aesm_interface_t* this,
-     /* [out] */ uint64_t* ps_cap,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* sgx_register)
-    (aesm_interface_t* this,
-     /* [size_is][ref][in] */ uint8_t* white_list_cert,
-     uint32_t white_list_cert_size,
-     uint32_t registration_data_type,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* proxy_setting_assist)
-    (aesm_interface_t* this,
-     /* [size_is][unique][in] */ uint8_t* proxy_info,
-     uint32_t proxy_size,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* query_sgx_status)
-    (aesm_interface_t* this,
-     /* [ref][out] */ uint32_t* sgx_status,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* get_whitelist_size)
-    (aesm_interface_t* this,
-     /* [ref][out] */ uint32_t* white_list_size,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* get_white_list)
-    (aesm_interface_t* this,
-     /* [size_is][ref][out] */ uint8_t* white_list,
-     uint32_t buf_size,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* get_sec_domain_id)
-    (aesm_interface_t* this,
-     /* [ref][out] */ uint32_t* sec_domain_id,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* switch_sec_domain)
-    (aesm_interface_t* this,
-     uint32_t sec_domain_id,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* get_epid_provision_status)
-    (aesm_interface_t* this,
-     /* [ref][out] */ uint32_t* epid_pr_status,
-     /* [ref][out] */ aesm_error_t* result);
-
-    HRESULT(STDMETHODCALLTYPE* get_platform_service_status)
-    (aesm_interface_t* this,
-     /* [ref][out] */ uint32_t* pse_status,
-     /* [ref][out] */ aesm_error_t* result);
-
-    END_INTERFACE
-} aesm_interface_vtbl;
-
-struct _aesm_interface
-{
-    CONST_VTBL struct aesm_interface_vtbl* vtbl;
-};
-
-static aesm_interface_t* _create_instance()
-{
-    aesm_interface_t* instance = NULL;
-    static const CLSID CLSID_AESMInterface = {
-        0x82367CAB,
-        0xF2B9,
-        0x461A,
-        {0xB6, 0xC6, 0x88, 0x9D, 0x13, 0xEF, 0xC6, 0xCA}};
-    static const IID IID_IAESMInterface = {
-        0x50AFD900,
-        0xF309,
-        0x4557,
-        {0x8F, 0xCB, 0x10, 0xCF, 0xAB, 0x80, 0x2C, 0xDD}};
-
-    /* Initialize COM library */
-    {
-        HRESULT hr = CoInitializeEx(
-            NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE);
-
-        /* If COM initialization failed */
-        if (hr != S_OK && hr != S_FALSE)
-            goto done;
-    }
-
-    /* Create AESM interface object */
-    if (!SUCCEEDED(CoCreateInstance(
-            &CLSID_AESMInterface,
-            NULL,
-            CLSCTX_ALL,
-            &IID_IAESMInterface,
-            &instance)))
-    {
-        CoUninitialize();
-        goto done;
-    }
-
-done:
-
-    return instance;
-}
-
-static void _release_instance(aesm_interface_t* instance)
-{
-    instance->vtbl->release(instance);
-    CoUninitialize();
-}
-
-struct _aesm
-{
-    uint32_t magic;
-};
-
-static int _aesm_valid(const aesm_t* aesm)
-{
-    return aesm != NULL && aesm->magic == AESM_MAGIC;
-}
-
-aesm_t* aesm_connect()
-{
-    aesm_t* aesm = NULL;
-    aesm_interface_t* instance = NULL;
-
-    /* Obtain AESM COM object (as a test only) */
-    if (!(instance = _create_instance()))
-        goto done;
-
-    /* Allocate and initialize AESM struct */
-    {
-        if (!(aesm = (aesm_t*)calloc(1, sizeof(aesm_t))))
-            goto done;
-
-        aesm->magic = AESM_MAGIC;
-    }
-
-done:
-
-    if (instance)
-        _release_instance(instance);
-
-    return aesm;
-}
-
-void aesm_disconnect(aesm_t* aesm)
-{
-    if (_aesm_valid(aesm))
-    {
-        aesm->magic = 0xDDDDDDDD;
-        free(aesm);
-    }
-}
-
-oe_result_t aesm_get_launch_token(
-    aesm_t* aesm,
-    uint8_t mrenclave[OE_SHA256_SIZE],
-    uint8_t modulus[OE_KEY_SIZE],
-    const sgx_attributes_t* attributes,
-    sgx_launch_token_t* launch_token)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    aesm_error_t error;
-    aesm_interface_t* instance = NULL;
-
-    if (!_aesm_valid(aesm))
-        goto done;
-
-    /* Obtain AESM COM instance */
-    if (!(instance = _create_instance()))
-        goto done;
-
-    /* Obtain a launch token */
-    HRESULT hr = instance->vtbl->get_license_token(
-        instance,                 /* this */
-        mrenclave,                /* mrenclave */
-        OE_SHA256_SIZE,           /* mrenclave_size */
-        modulus,                  /* public_key */
-        OE_KEY_SIZE,              /* public_key_size */
-        (PUINT8)attributes,       /* se_attributes */
-        sizeof(sgx_attributes_t), /* se_attributes_size */
-        (PUINT8)launch_token,     /* lictoken */
-        /* MSR-SDK passes sizeof(sgx_einittoken_t) */
-        sizeof(sgx_einittoken_t), /* lictoken_size */
-        &error);                  /* result */
-
-    if (!SUCCEEDED(hr) || error != 0)
-    {
-        result = OE_FAILURE;
-        goto done;
-    }
-
-    result = OE_OK;
-
-done:
-
-    if (instance)
-        _release_instance(instance);
-
-    return result;
-}
-
-oe_result_t aesm_init_quote(
-    aesm_t* aesm,
-    sgx_target_info_t* target_info,
-    sgx_epid_group_id_t* epid_group_id)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    aesm_error_t error;
-    aesm_interface_t* instance = NULL;
-
-    if (!_aesm_valid(aesm))
-        goto done;
-
-    /* Obtain AESM COM instance */
-    if (!(instance = _create_instance()))
-        goto done;
-
-    // Get quote for a given report.
-    HRESULT hr = instance->vtbl->init_quote(
-        instance,
-        (uint8_t*)target_info,
-        sizeof(sgx_target_info_t),
-        (uint8_t*)epid_group_id,
-        sizeof(sgx_epid_group_id_t),
-        &error);
-
-    if (!SUCCEEDED(hr) || error != 0)
-    {
-        result = OE_FAILURE;
-        goto done;
-    }
-
-    result = OE_OK;
-
-done:
-
-    if (instance)
-        _release_instance(instance);
-
-    return result;
-}
-
-oe_result_t aesm_get_quote(
-    aesm_t* aesm,
-    const sgx_report_t* report,
-    sgx_quote_type_t quote_type,
-    const sgx_spid_t* spid,
-    const sgx_nonce_t* nonce,
-    const uint8_t* signature_revocation_list,
-    uint32_t signature_revocation_list_size,
-    sgx_report_t* report_out, /* ATTN: support this! */
-    sgx_quote_t* quote,
-    size_t quote_size)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    aesm_error_t error;
-    aesm_interface_t* instance = NULL;
-
-    if (quote_size > UINT_MAX)
-    {
-        result = OE_INVALID_PARAMETER;
-        goto done;
-    }
-
-    if (!_aesm_valid(aesm))
-    {
-        result = OE_INVALID_PARAMETER;
-        goto done;
-    }
-
-    /* Obtain AESM COM instance */
-    if (!(instance = _create_instance()))
-        goto done;
-
-    // Get quote for a given report.
-    HRESULT hr = instance->vtbl->get_quote(
-        instance,                            /* this */
-        (uint8_t*)report,                    /* report */
-        sizeof(sgx_report_t),                /* report_size */
-        (uint32_t)quote_type,                /* type */
-        (uint8_t*)spid,                      /* spid */
-        sizeof(sgx_spid_t),                  /* spid_size */
-        (uint8_t*)nonce,                     /* nonce */
-        sizeof(sgx_nonce_t),                 /* nonce_size */
-        (uint8_t*)signature_revocation_list, /* sig_rl */
-        signature_revocation_list_size,      /* sigrl_size */
-        (uint8_t*)report_out,                /* qe_report */
-        sizeof(sgx_report_t),                /* qe_report_size */
-        (uint8_t*)quote,                     /* quote */
-        (uint32_t)quote_size,                /* buffer_size */
-        &error);
-
-    if (!SUCCEEDED(hr) || error != 0)
-    {
-        result = OE_FAILURE;
-        goto done;
-    }
-
-    result = OE_OK;
-
-done:
-
-    if (instance)
-        _release_instance(instance);
-
-    return result;
-}
diff --git a/include/openenclave/internal/aesm.h b/include/openenclave/internal/aesm.h
deleted file mode 100644
index 29a9b14aa5..0000000000
--- a/include/openenclave/internal/aesm.h
+++ /dev/null
@@ -1,47 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-#ifndef _OE_AESM_H
-#define _OE_AESM_H
-
-#include <openenclave/bits/defs.h>
-#include <openenclave/bits/result.h>
-#include "sgxtypes.h"
-
-OE_EXTERNC_BEGIN
-
-typedef struct _aesm aesm_t;
-typedef struct _sgx_target_info sgx_target_info_t;
-typedef struct _sgx_epid_group_id sgx_epid_group_id_t;
-
-aesm_t* aesm_connect(void);
-
-void aesm_disconnect(aesm_t* aesm);
-
-oe_result_t aesm_get_launch_token(
-    aesm_t* aesm,
-    uint8_t mrenclave[OE_SHA256_SIZE],
-    uint8_t modulus[OE_KEY_SIZE],
-    const sgx_attributes_t* attributes,
-    sgx_launch_token_t* launch_token);
-
-oe_result_t aesm_init_quote(
-    aesm_t* aesm,
-    sgx_target_info_t* target_info,
-    sgx_epid_group_id_t* epid_group_id);
-
-oe_result_t aesm_get_quote(
-    aesm_t* aesm,
-    const sgx_report_t* report,
-    sgx_quote_type_t quote_type,
-    const sgx_spid_t* spid,
-    const sgx_nonce_t* nonce,
-    const uint8_t* signature_revocation_list,
-    uint32_t signature_revocation_list_size,
-    sgx_report_t* report_out,
-    sgx_quote_t* quote,
-    size_t quote_size);
-
-OE_EXTERNC_END
-
-#endif /* _OE_AESM_H */
diff --git a/pkgconfig/CMakeLists.txt b/pkgconfig/CMakeLists.txt
index a0af26df0b..6a21ef6462 100644
--- a/pkgconfig/CMakeLists.txt
+++ b/pkgconfig/CMakeLists.txt
@@ -90,10 +90,10 @@ set(HOST_CXXFLAGS_GCC ${HOST_CFLAGS_GCC})
 ##
 ##==============================================================================
 
-if(USE_LIBSGX)
+if(HAS_QUOTE_PROVIDER)
     set(SGX_LIBS "-lsgx_enclave_common -lsgx_dcap_ql -lsgx_urts")
 else()
-    set(SGX_LIBS "")
+    set(SGX_LIBS "-lsgx_enclave_common -lsgx_urts")
 endif()
 
 set(HOSTVERIFY_CLIBS "-rdynamic -Wl,-z,noexecstack -L\${libdir}/openenclave/host -loehostverify -ldl -lpthread")
diff --git a/samples/CMakeLists.txt b/samples/CMakeLists.txt
index ce3555197e..158397db48 100644
--- a/samples/CMakeLists.txt
+++ b/samples/CMakeLists.txt
@@ -1,8 +1,8 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
-if (USE_LIBSGX)
-  install(DIRECTORY remote_attestation local_attestation
+if (HAS_QUOTE_PROVIDER)
+  install(DIRECTORY remote_attestation
           DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples
           PATTERN "gen_pubkey_header.sh"
           PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ
@@ -16,6 +16,12 @@ if (USE_LIBSGX)
   endif()
 endif ()
 
+install(DIRECTORY local_attestation
+          DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples
+          PATTERN "gen_pubkey_header.sh"
+          PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ
+          GROUP_EXECUTE GROUP_READ WORLD_EXECUTE WORLD_READ)
+
 install(DIRECTORY helloworld file-encryptor data-sealing switchless
         DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples)
 
@@ -31,8 +37,8 @@ endif ()
 
 if (WIN32)
   add_test(NAME samples
-           COMMAND ${CMAKE_COMMAND} -DUSE_LIBSGX=${USE_LIBSGX} -DSOURCE_DIR=${CMAKE_CURRENT_SOURCE_DIR} -DBUILD_DIR=${PROJECT_BINARY_DIR} -DPREFIX_DIR=${CMAKE_INSTALL_PREFIX} -DNUGET_PACKAGE_PATH=${NUGET_PACKAGE_PATH} -P ${CMAKE_CURRENT_SOURCE_DIR}/test-samples.cmake)
+           COMMAND ${CMAKE_COMMAND} -DHAS_QUOTE_PROVIDER=${HAS_QUOTE_PROVIDER} -DSOURCE_DIR=${CMAKE_CURRENT_SOURCE_DIR} -DBUILD_DIR=${PROJECT_BINARY_DIR} -DPREFIX_DIR=${CMAKE_INSTALL_PREFIX} -DNUGET_PACKAGE_PATH=${NUGET_PACKAGE_PATH} -P ${CMAKE_CURRENT_SOURCE_DIR}/test-samples.cmake)
 else ()
   add_test(NAME samples
-           COMMAND ${CMAKE_COMMAND} -DUSE_LIBSGX=${USE_LIBSGX} -DSOURCE_DIR=${CMAKE_CURRENT_SOURCE_DIR} -DBUILD_DIR=${PROJECT_BINARY_DIR} -DPREFIX_DIR=${CMAKE_INSTALL_PREFIX} -P ${CMAKE_CURRENT_SOURCE_DIR}/test-samples.cmake)
+           COMMAND ${CMAKE_COMMAND} -DHAS_QUOTE_PROVIDER=${HAS_QUOTE_PROVIDER} -DSOURCE_DIR=${CMAKE_CURRENT_SOURCE_DIR} -DBUILD_DIR=${PROJECT_BINARY_DIR} -DPREFIX_DIR=${CMAKE_INSTALL_PREFIX} -P ${CMAKE_CURRENT_SOURCE_DIR}/test-samples.cmake)
 endif ()
diff --git a/samples/test-samples.cmake b/samples/test-samples.cmake
index 7baf4becec..fc50943052 100644
--- a/samples/test-samples.cmake
+++ b/samples/test-samples.cmake
@@ -4,7 +4,7 @@
 # This script requires the variables SOURCE_DIR, BUILD_DIR, and
 # PREFIX_DIR to be defined:
 #
-#     cmake -DUSE_LIBSGX=ON -DSOURCE_DIR=~/openenclave -DBUILD_DIR=~/openenclave/build -DPREFIX_DIR=/opt/openenclave -P ~/openenclave/samples/test-samples.cmake
+#     cmake -DHAS_QUOTE_PROVIDER=ON -DSOURCE_DIR=~/openenclave -DBUILD_DIR=~/openenclave/build -DPREFIX_DIR=/opt/openenclave -P ~/openenclave/samples/test-samples.cmake
 
 # These three samples can run in simulation, and therefore run in every configuration.
 set(SAMPLES_LIST helloworld file-encryptor switchless)
@@ -19,12 +19,12 @@ else ()
   # This sample can run on SGX, both with and without FLC, meaning
   # they can run even if they weren't built against SGX, because in
   # that cause they directly interface with the AESM service.
-  list(APPEND SAMPLES_LIST data-sealing)
+  list(APPEND SAMPLES_LIST data-sealing local_attestation)
 
   # These tests can only run with SGX-FLC, meaning they were built
   # against SGX.
-  if (USE_LIBSGX)
-    list(APPEND SAMPLES_LIST local_attestation remote_attestation)
+  if (HAS_QUOTE_PROVIDER)
+    list(APPEND SAMPLES_LIST remote_attestation)
     # The attested_tls test is not supported on Windows at this time.
     if (UNIX)
 	    list(APPEND SAMPLES_LIST attested_tls)
@@ -54,7 +54,7 @@ foreach (SAMPLE ${SAMPLES_LIST})
   # Configure, build, and run the installed sample with CMake.
   if (WIN32)
     execute_process(
-      COMMAND ${CMAKE_COMMAND} -DCMAKE_PREFIX_PATH=${INSTALL_DIR}/lib/openenclave/cmake -G Ninja -DNUGET_PACKAGE_PATH=${NUGET_PACKAGE_PATH} ${SAMPLE_SOURCE_DIR}
+      COMMAND ${CMAKE_COMMAND} -DCMAKE_PREFIX_PATH=${INSTALL_DIR}/lib/openenclave/cmake -G Ninja -DNUGET_PACKAGE_PATH=${NUGET_PACKAGE_PATH} -DHAS_QUOTE_PROVIDER=${HAS_QUOTE_PROVIDER} ${SAMPLE_SOURCE_DIR}
       WORKING_DIRECTORY ${SAMPLE_BUILD_DIR})
   else ()
     execute_process(
diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index 308d653e3a..6549dd1794 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -37,18 +37,6 @@ Param(
     [Parameter(mandatory=$true)][ValidateSet("None", "Azure")][string]$DCAPClientType
 )
 
-if ($LaunchConfiguration -eq "SGX1")
-{
-    Write-Host "**** Installing PSW 2.2 ****"
-
-    $IntelPSWURL = "https://oejenkins.blob.core.windows.net/oejenkins/intel_sgx_win_2.2.100.47975_PV.zip"
-    $IntelPSWHash = 'EB479D1E029D51E48E534C284FCF5CCA3A937DA43052DCB2F4C71E5F354CA623'
-}
-else
-{
-    Write-Host "**** Installing PSW 2.4 ****"
-}
-
 $ErrorActionPreference = "Stop"
 
 $PACKAGES_DIRECTORY = Join-Path $env:TEMP "packages"
@@ -520,64 +508,68 @@ function Install-DCAP-Dependencies {
     Install-Tool -InstallerPath $PACKAGES["dcap"]["local_file"] `
                  -ArgumentList @('/auto', "$PACKAGES_DIRECTORY\Intel_SGX_DCAP")
 
-    $drivers = @{
-        'sgx_base_dev' = @{
-            'zip_path'    = "$PACKAGES_DIRECTORY\Intel_SGX_DCAP\Intel SGX DCAP for Windows *\LC_driver_WinServer2016\Signed_*.zip"
-            'location'    = 'root\SgxLCDevice'
-            'description' = 'Intel(R) Software Guard Extensions Launch Configuration Service'
-        }
-        'sgx_dcap_dev' = @{
-            'zip_path'    = "$PACKAGES_DIRECTORY\Intel_SGX_DCAP\Intel SGX DCAP for Windows *\DCAP_INF\WinServer2016\Signed_*.zip"
-            'location'    = 'root\SgxLCDevice_DCAP'
-            'description' = 'Intel(R) Software Guard Extensions DCAP Components Device'
-        }
-    }
-    $devConBinaryPath = Get-DevconBinary
-    foreach($driver in $drivers.Keys) {
-        $zip = Get-Item $drivers[$driver]['zip_path']
-        if(!$zip) {
-            Throw "Cannot find the zile file with $driver"
-        }
-        if($zip.Count -gt 1) {
-            $zip
-            Throw "Multiple driver zip files found"
-        }
-        New-Item -ItemType Directory -Force -Path "$PACKAGES_DIRECTORY\Intel_SGX_DCAP\$driver"
-        Expand-Archive -Path $zip -DestinationPath "$PACKAGES_DIRECTORY\Intel_SGX_DCAP\$driver" -Force
-        $inf = Get-Item "$PACKAGES_DIRECTORY\Intel_SGX_DCAP\$driver\drivers\*\$driver.inf"
-        if(!$inf) {
-            Throw "Cannot find $driver.inf file"
-        }
-        if($inf.Count -gt 1) {
-            $inf
-            Throw "Multiple $driver.inf files found"
-        }
-        # Check if the driver is already installed and delete it
-        $output = & $devConBinaryPath find "$($drivers[$driver]['location'])"
-        if($LASTEXITCODE) {
-            Throw "Failed searching for $driver driver"
-        }
-        $output | ForEach-Object {
-            if($_.Contains($drivers[$driver]['description'])) {
-                Write-Output "Removing driver $($drivers[$driver]['location'])"
-                Remove-DCAPDriver -Name $drivers[$driver]['location']
+    if (($LaunchConfiguration -eq "SGX1FLC") -or ($LaunchConfiguration -eq "SGX1FLC-NoDriver") -or ($DCAPClientType -eq "Azure"))
+    {
+        $drivers = @{
+            'sgx_base_dev' = @{
+                'zip_path'    = "$PACKAGES_DIRECTORY\Intel_SGX_DCAP\Intel SGX DCAP for Windows *\LC_driver_WinServer2016\Signed_*.zip"
+                'location'    = 'root\SgxLCDevice'
+                'description' = 'Intel(R) Software Guard Extensions Launch Configuration Service'
+            }
+            'sgx_dcap_dev' = @{
+                'zip_path'    = "$PACKAGES_DIRECTORY\Intel_SGX_DCAP\Intel SGX DCAP for Windows *\DCAP_INF\WinServer2016\Signed_*.zip"
+                'location'    = 'root\SgxLCDevice_DCAP'
+                'description' = 'Intel(R) Software Guard Extensions DCAP Components Device'
             }
         }
-        if ($LaunchConfiguration -eq "SGX1FLC")
-        {
-            Write-Output "Installing driver $($drivers[$driver]['location'])"
-            $install = & $devConBinaryPath install "$($inf.FullName)" $drivers[$driver]['location']
+        $devConBinaryPath = Get-DevconBinary
+        foreach($driver in $drivers.Keys) {
+            $zip = Get-Item $drivers[$driver]['zip_path']
+            if(!$zip) {
+                Throw "Cannot find the zile file with $driver"
+            }
+            if($zip.Count -gt 1) {
+                $zip
+                Throw "Multiple driver zip files found"
+            }
+            New-Item -ItemType Directory -Force -Path "$PACKAGES_DIRECTORY\Intel_SGX_DCAP\$driver"
+            Expand-Archive -Path $zip -DestinationPath "$PACKAGES_DIRECTORY\Intel_SGX_DCAP\$driver" -Force
+            $inf = Get-Item "$PACKAGES_DIRECTORY\Intel_SGX_DCAP\$driver\drivers\*\$driver.inf"
+            if(!$inf) {
+                Throw "Cannot find $driver.inf file"
+            }
+            if($inf.Count -gt 1) {
+                $inf
+                Throw "Multiple $driver.inf files found"
+            }
+            # Check if the driver is already installed and delete it
+            $output = & $devConBinaryPath find "$($drivers[$driver]['location'])"
             if($LASTEXITCODE) {
-                Throw "Failed to install $driver driver"
+                Throw "Failed searching for $driver driver"
+            }
+            $output | ForEach-Object {
+                if($_.Contains($drivers[$driver]['description'])) {
+                    Write-Output "Removing driver $($drivers[$driver]['location'])"
+                    Remove-DCAPDriver -Name $drivers[$driver]['location']
+                }
+            }
+            if ($LaunchConfiguration -eq "SGX1FLC")
+            {
+                Write-Output "Installing driver $($drivers[$driver]['location'])"
+                $install = & $devConBinaryPath install "$($inf.FullName)" $drivers[$driver]['location']
+                if($LASTEXITCODE) {
+                    Throw "Failed to install $driver driver"
+                }
+                Write-Output $install
+            }
+            elseif ($LaunchConfiguration -eq "SGX1FLC-NoDriver")
+            {
+                Write-Output "Copying Intel_SGX_DCAP dll files into $($env:SystemRoot)\system32"
+                Copy-item -Path $PACKAGES_DIRECTORY\Intel_SGX_DCAP\$driver\drivers\*\*.dll $env:SystemRoot\system32\
             }
-            Write-Output $install
-        }
-        elseif ($LaunchConfiguration -eq "SGX1FLC-NoDriver")
-        {
-            Write-Output "Copying Intel_SGX_DCAP dll files into $($env:SystemRoot)\system32"
-            Copy-item -Path $PACKAGES_DIRECTORY\Intel_SGX_DCAP\$driver\drivers\*\*.dll $env:SystemRoot\system32\
         }
     }
+
     $TEMP_NUGET_DIR = "$PACKAGES_DIRECTORY\Azure_DCAP_Client_nupkg"
     New-Directory -Path $OE_NUGET_DIR -RemoveExisting
     New-Directory -Path $TEMP_NUGET_DIR -RemoveExisting
@@ -598,9 +590,12 @@ function Install-DCAP-Dependencies {
             Throw "Failed to install nuget EnclaveCommonAPI"
         }
     }
-    & nuget.exe install 'DCAP_Components' -Source "$TEMP_NUGET_DIR;nuget.org" -OutputDirectory "$OE_NUGET_DIR" -ExcludeVersion
-    if($LASTEXITCODE -ne 0) {
-        Throw "Failed to install nuget DCAP_Components"
+    if (($LaunchConfiguration -eq "SGX1FLC") -or ($LaunchConfiguration -eq "SGX1FLC-NoDriver") -or ($DCAPClientType -eq "Azure"))
+    {
+        & "$PACKAGES_DIRECTORY\nuget.exe" install 'DCAP_Components' -Source "$TEMP_NUGET_DIR;nuget.org" -OutputDirectory "$OE_NUGET_DIR" -ExcludeVersion
+        if($LASTEXITCODE -ne 0) {
+            Throw "Failed to install nuget DCAP_Components"
+        }
     }
     & nuget.exe install 'EnclaveCommonAPI' -Source "$TEMP_NUGET_DIR;nuget.org" -OutputDirectory "$OE_NUGET_DIR" -ExcludeVersion
     if($LASTEXITCODE -ne 0) {
@@ -668,11 +663,7 @@ try {
         Write-Host "*** Not installing a DCAP Client ***"
     }
 
-    if ( ($LaunchConfiguration -eq "SGX1FLC") -or ($LaunchConfiguration -eq "SGX1FLC-NoDriver") -or ($DCAPClientType -eq "Azure") )
-    {
-        Install-DCAP-Dependencies
-    }
-
+    Install-DCAP-Dependencies
     Install-VCRuntime
 
     Write-Output 'Please reboot your computer for the configuration to complete.'
diff --git a/scripts/test-build-config b/scripts/test-build-config
index 263143a823..a5bcc49a47 100755
--- a/scripts/test-build-config
+++ b/scripts/test-build-config
@@ -123,7 +123,7 @@ mkdir build && cd build || exit 1
 
 CMAKE="cmake .. -DCMAKE_BUILD_TYPE=${BUILD_TYPE}"
 if [[ ${PLATFORM_MODE} == "SGX1FLC" ]]; then
-    CMAKE+=" -DUSE_LIBSGX=1"
+    CMAKE+=" -DHAS_QUOTE_PROVIDER=1"
 fi
 if [[ ${BUILD_PACKAGE} -eq 1 ]]; then
     CMAKE+=" -DCMAKE_INSTALL_PREFIX=${OE_INSTALL_DIR} -DCPACK_GENERATOR=DEB"
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 1d99e8c258..946f7c333f 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -24,7 +24,6 @@ add_subdirectory(logging)
 add_subdirectory(tools)
 
 if (OE_SGX)
-    add_subdirectory(aesm)
     add_subdirectory(debugger)
     add_subdirectory(host_verify)
     add_subdirectory(switchless)
diff --git a/tests/aesm/CMakeLists.txt b/tests/aesm/CMakeLists.txt
deleted file mode 100644
index 87642a897a..0000000000
--- a/tests/aesm/CMakeLists.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License.
-
-add_executable(aesm main.cpp)
-target_link_libraries(aesm oehost)
-
-# Additional compilation options when using libsgx instead of AESM
-if(USE_LIBSGX)
-target_compile_definitions(aesm PRIVATE OE_USE_LIBSGX)
-endif()
-add_test(NAME tests/aesm COMMAND aesm)
-set_tests_properties(tests/aesm PROPERTIES SKIP_RETURN_CODE 2)
diff --git a/tests/aesm/main.cpp b/tests/aesm/main.cpp
deleted file mode 100644
index 6e0c3b684d..0000000000
--- a/tests/aesm/main.cpp
+++ /dev/null
@@ -1,47 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-#include <openenclave/host.h>
-#include <openenclave/internal/tests.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-#if defined(OE_USE_LIBSGX)
-#include <sgx_dcap_ql_wrapper.h>
-#else
-#include <openenclave/internal/aesm.h>
-#endif
-
-#define SKIP_RETURN_CODE 2
-
-int main()
-{
-    const uint32_t flags = oe_get_create_flags();
-    if ((flags & OE_ENCLAVE_FLAG_SIMULATE) != 0)
-    {
-        printf("=== Skipped unsupported test in simulation mode "
-               "(aesm)\n");
-        return SKIP_RETURN_CODE;
-    }
-
-#if defined(OE_USE_LIBSGX)
-    quote3_error_t err;
-    sgx_target_info_t target_info = {};
-    if (SGX_QL_SUCCESS != (err = sgx_qe_get_target_info(&target_info)))
-    {
-        printf("FAILED: Call returned %x\n", err);
-        return -1;
-    }
-#else
-    aesm_t* aesm;
-    if (!(aesm = aesm_connect()))
-    {
-        fprintf(stderr, "aesm: failed to connect\n");
-        exit(1);
-    }
-    aesm_disconnect(aesm);
-#endif
-
-    printf("=== passed all tests (aesm)\n");
-    return 0;
-}
diff --git a/tests/attestation_cert_apis/host/host.cpp b/tests/attestation_cert_apis/host/host.cpp
index 34a227b9a8..e000d56fb4 100644
--- a/tests/attestation_cert_apis/host/host.cpp
+++ b/tests/attestation_cert_apis/host/host.cpp
@@ -123,7 +123,7 @@ void run_test(oe_enclave_t* enclave, int test_type)
 
 int main(int argc, const char* argv[])
 {
-#ifdef OE_USE_LIBSGX
+#ifdef OE_LINK_SGX_DCAP_QL
 
 #ifdef _WIN32
     /* This is a workaround for running in Visual Studio 2017 Test Explorer
@@ -189,11 +189,11 @@ int main(int argc, const char* argv[])
     OE_TRACE_INFO("=== passed all tests (tls)\n");
     return 0;
 #else
-    // this test should not run on any platforms where OE_USE_LIBSGX is not
+    // this test should not run on any platforms where HAS_QUOTE_PROVIDER is not
     // defined
     OE_UNUSED(argc);
     OE_UNUSED(argv);
-    OE_TRACE_INFO("=== tests skipped when built with OE_USE_LIBSGX=OFF\n");
+    OE_TRACE_INFO("=== tests skipped when built with HAS_QUOTE_PROVIDER=OFF\n");
     return SKIP_RETURN_CODE;
 #endif
 }
diff --git a/tests/bigmalloc/host/host.c b/tests/bigmalloc/host/host.c
index 30d03e9ca0..43bd894028 100644
--- a/tests/bigmalloc/host/host.c
+++ b/tests/bigmalloc/host/host.c
@@ -30,7 +30,6 @@ int main(int argc, const char* argv[])
 {
     OE_UNUSED(argc);
     OE_UNUSED(argv);
-#if !defined(OE_USE_LIBSGX)
 
     oe_result_t result;
     const oe_enclave_type_t type = OE_ENCLAVE_TYPE_SGX;
@@ -75,7 +74,5 @@ int main(int argc, const char* argv[])
 
     printf("=== passed all tests (%s)\n", argv[0]);
 
-#endif /* defined(OE_USE_LIBSGX) */
-
     return 0;
 }
diff --git a/tests/debug-mode/host/host.c b/tests/debug-mode/host/host.c
index 2558193098..3593b65cee 100644
--- a/tests/debug-mode/host/host.c
+++ b/tests/debug-mode/host/host.c
@@ -68,8 +68,8 @@ static void _test_debug_signed(const char* path)
 {
     /* Signed debug mode should always pass. */
     _launch_enclave_success(path, _create_flags(true));
-#ifdef OE_USE_LIBSGX
-    /* Only works with the NGSA SDK. */
+#ifdef OE_LINK_SGX_DCAP_QL
+    /* Only works with FLC */
     _launch_enclave_success(path, _create_flags(false));
 #endif
 }
@@ -85,8 +85,8 @@ static void _test_non_debug_signed(const char* path)
 {
     /* Debug mode should fail. Non-debug mode should pass. */
     _launch_enclave_fail(path, _create_flags(true), OE_DEBUG_DOWNGRADE);
-#ifdef OE_USE_LIBSGX
-    /* Only works with the NGSA SDK. */
+#ifdef OE_LINK_SGX_DCAP_QL
+    /* Only works with FLC */
     _launch_enclave_success(path, _create_flags(false));
 #endif
 }
diff --git a/tests/qeidentity/enc/CMakeLists.txt b/tests/qeidentity/enc/CMakeLists.txt
index 21aa379c05..effe27241c 100644
--- a/tests/qeidentity/enc/CMakeLists.txt
+++ b/tests/qeidentity/enc/CMakeLists.txt
@@ -6,8 +6,8 @@ oeedl_file(../tests.edl enclave gen)
 # TODO: Does this need CXX?
 add_enclave(TARGET qeidentity_enc UUID a656f3b1-d319-4692-bcd6-a2f50d9fb1e5 SOURCES enc.cpp ${gen})
 
-if(USE_LIBSGX)
-    target_compile_definitions(qeidentity_enc PRIVATE OE_USE_LIBSGX)
+if(HAS_QUOTE_PROVIDER)
+    target_compile_definitions(qeidentity_enc PRIVATE HAS_QUOTE_PROVIDER)
 endif()
 
 target_include_directories(qeidentity_enc PRIVATE ${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CURRENT_SOURCE_DIR}/../common)
diff --git a/tests/qeidentity/enc/enc.cpp b/tests/qeidentity/enc/enc.cpp
index aaa95865c7..78db622aee 100644
--- a/tests/qeidentity/enc/enc.cpp
+++ b/tests/qeidentity/enc/enc.cpp
@@ -16,7 +16,7 @@ oe_result_t test_verify_qe_identity_info(
     const char* info_json,
     oe_parsed_qe_identity_info_t* parsed_info)
 {
-#ifdef OE_USE_LIBSGX
+#ifdef OE_LINK_SGX_DCAP_QL
     return oe_parse_qe_identity_info_json(
         (const uint8_t*)info_json, strlen(info_json) + 1, parsed_info);
 #else
diff --git a/tests/qeidentity/host/CMakeLists.txt b/tests/qeidentity/host/CMakeLists.txt
index 483585a5d3..76389b5284 100644
--- a/tests/qeidentity/host/CMakeLists.txt
+++ b/tests/qeidentity/host/CMakeLists.txt
@@ -5,8 +5,8 @@
 oeedl_file(../tests.edl host gen)
 add_executable(qeidentity_host host.cpp qeidentifyinfo.cpp ${gen})
 
-if(USE_LIBSGX)
-    target_compile_definitions(qeidentity_host PRIVATE OE_USE_LIBSGX)
+if(HAS_QUOTE_PROVIDER)
+    target_compile_definitions(qeidentity_host PRIVATE OE_LINK_SGX_DCAP_QL)
 endif()
 
 add_custom_command(TARGET qeidentity_host
diff --git a/tests/qeidentity/host/host.cpp b/tests/qeidentity/host/host.cpp
index b21e036346..45adec07e2 100644
--- a/tests/qeidentity/host/host.cpp
+++ b/tests/qeidentity/host/host.cpp
@@ -2,7 +2,6 @@
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
-#include <openenclave/internal/aesm.h>
 #include <openenclave/internal/error.h>
 #include <openenclave/internal/hexdump.h>
 #include <openenclave/internal/tests.h>
@@ -46,7 +45,7 @@ int main(int argc, const char* argv[])
         oe_put_err("oe_create_enclave(): result=%u", result);
     }
 
-#ifdef OE_USE_LIBSGX
+#ifdef OE_LINK_SGX_DCAP_QL
 
     run_qe_identity_test_cases(enclave);
 
diff --git a/tests/qeidentity/host/qeidentifyinfo.cpp b/tests/qeidentity/host/qeidentifyinfo.cpp
index f183f01b5e..5ea345dbc3 100644
--- a/tests/qeidentity/host/qeidentifyinfo.cpp
+++ b/tests/qeidentity/host/qeidentifyinfo.cpp
@@ -1,9 +1,8 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
-#ifdef OE_USE_LIBSGX
+#ifdef OE_LINK_SGX_DCAP_QL
 
 #include <openenclave/host.h>
-#include <openenclave/internal/aesm.h>
 #include <openenclave/internal/error.h>
 #include <openenclave/internal/hexdump.h>
 #include <openenclave/internal/tests.h>
diff --git a/tests/report/common/tests.cpp b/tests/report/common/tests.cpp
index b1c0c13b72..5af8db3ac8 100644
--- a/tests/report/common/tests.cpp
+++ b/tests/report/common/tests.cpp
@@ -171,9 +171,9 @@ static oe_result_t oe_verify_report_with_collaterals(
     {
 #ifndef OE_BUILD_ENCLAVE
         // Intialize the quote provider if we want to verify a remote quote.
-        // Note that we don't have the OE_USE_LIBSGX guard here since we don't
-        // need the sgx libraries to verify the quote. All we need is the quote
-        // provider.
+        // Note that we don't have the OE_LINK_SGX_DCAP_QL guard here since we
+        // don't need the sgx libraries to verify the quote. All we need is the
+        // quote provider.
         OE_CHECK(oe_initialize_quote_provider());
 #endif
 
@@ -280,9 +280,9 @@ static oe_result_t oe_get_quote_validity_with_collaterals(
     {
 #ifndef OE_BUILD_ENCLAVE
         // Intialize the quote provider if we want to verify a remote quote.
-        // Note that we don't have the OE_USE_LIBSGX guard here since we don't
-        // need the sgx libraries to verify the quote. All we need is the quote
-        // provider.
+        // Note that we don't have the OE_LINK_SGX_DCAP_QL guard here since we
+        // don't need the sgx libraries to verify the quote. All we need is the
+        // quote provider.
         OE_CHECK(oe_initialize_quote_provider());
 #endif
 
diff --git a/tests/report/enc/enc.cpp b/tests/report/enc/enc.cpp
index 34581752b1..6c9a4ab212 100644
--- a/tests/report/enc/enc.cpp
+++ b/tests/report/enc/enc.cpp
@@ -17,7 +17,7 @@ oe_result_t test_verify_tcb_info(
     oe_tcb_level_t* platform_tcb_level,
     oe_parsed_tcb_info_t* parsed_tcb_info)
 {
-#ifdef OE_USE_LIBSGX
+#ifdef OE_LINK_SGX_DCAP_QL
     return oe_parse_tcb_info_json(
         (const uint8_t*)tcb_info,
         strlen(tcb_info) + 1,
@@ -33,7 +33,7 @@ oe_result_t test_verify_tcb_info(
 
 void test_minimum_issue_date(oe_datetime_t now)
 {
-#ifdef OE_USE_LIBSGX
+#ifdef OE_LINK_SGX_DCAP_QL
     static uint8_t* report;
     size_t report_size = 0;
     static uint8_t* report_v2;
diff --git a/tests/report/host/CMakeLists.txt b/tests/report/host/CMakeLists.txt
index aa39a12873..057a1ceee9 100644
--- a/tests/report/host/CMakeLists.txt
+++ b/tests/report/host/CMakeLists.txt
@@ -6,8 +6,8 @@ include(add_dcap_client_target)
 oeedl_file(../tests.edl host gen)
 add_executable(report_host host.cpp tcbinfo.cpp ../common/tests.cpp ${gen})
 
-if(USE_LIBSGX)
-    target_compile_definitions(report_host PRIVATE OE_USE_LIBSGX)
+if(HAS_QUOTE_PROVIDER)
+    target_compile_definitions(report_host PRIVATE OE_LINK_SGX_DCAP_QL)
 endif()
 
 add_custom_command(TARGET report_host
diff --git a/tests/report/host/host.cpp b/tests/report/host/host.cpp
index 538cb8e176..51cd1cf791 100644
--- a/tests/report/host/host.cpp
+++ b/tests/report/host/host.cpp
@@ -2,7 +2,6 @@
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
-#include <openenclave/internal/aesm.h>
 #include <openenclave/internal/error.h>
 #include <openenclave/internal/hexdump.h>
 #include <openenclave/internal/tests.h>
@@ -28,7 +27,7 @@ extern int FileToBytes(const char* path, std::vector<uint8_t>* output);
 
 void generate_and_save_report(oe_enclave_t* enclave)
 {
-#ifdef OE_USE_LIBSGX
+#ifdef OE_LINK_SGX_DCAP_QL
     static uint8_t* report;
     size_t report_size;
     OE_TEST(
@@ -69,10 +68,11 @@ int load_and_verify_report()
 
 int main(int argc, const char* argv[])
 {
-    sgx_target_info_t target_info;
     oe_result_t result;
     oe_enclave_t* enclave = NULL;
 
+    sgx_target_info_t target_info = {{0}};
+
 #ifdef _WIN32
     /* This is a workaround for running in Visual Studio 2017 Test Explorer
      * where the environment variables are not correctly propagated to the
@@ -140,6 +140,13 @@ int main(int argc, const char* argv[])
         oe_put_err("oe_create_tests_enclave(): result=%u", result);
     }
 
+    /*
+     * Host API tests.
+     */
+    g_enclave = enclave;
+
+#ifdef OE_LINK_SGX_DCAP_QL
+
     /* Initialize the target info */
     {
         if ((result = sgx_get_qetarget_info(&target_info)) != OE_OK)
@@ -148,12 +155,6 @@ int main(int argc, const char* argv[])
         }
     }
 
-    /*
-     * Host API tests.
-     */
-    g_enclave = enclave;
-
-#ifdef OE_USE_LIBSGX
     test_local_report(&target_info);
     test_remote_report();
     test_parse_report_negative();
@@ -198,7 +199,6 @@ int main(int argc, const char* argv[])
     test_minimum_issue_date(enclave, now);
 
     generate_and_save_report(enclave);
-
 #else
     test_local_report(&target_info);
     test_parse_report_negative();
diff --git a/tests/report/host/tcbinfo.cpp b/tests/report/host/tcbinfo.cpp
index 1725bd9153..9ba0eb225b 100644
--- a/tests/report/host/tcbinfo.cpp
+++ b/tests/report/host/tcbinfo.cpp
@@ -2,7 +2,6 @@
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
-#include <openenclave/internal/aesm.h>
 #include <openenclave/internal/datetime.h>
 #include <openenclave/internal/error.h>
 #include <openenclave/internal/hexdump.h>
diff --git a/tests/tls_e2e/client_enc/CMakeLists.txt b/tests/tls_e2e/client_enc/CMakeLists.txt
index deabcfddad..5377307ccf 100644
--- a/tests/tls_e2e/client_enc/CMakeLists.txt
+++ b/tests/tls_e2e/client_enc/CMakeLists.txt
@@ -7,8 +7,8 @@ oeedl_file(../tls_e2e.edl enclave gen)
 
 add_enclave(TARGET tls_client_enc SOURCES client.cpp tls_e2e_t.c ../common/utility.cpp ${gen})
 
-if(USE_LIBSGX)
-    target_compile_definitions(tls_client_enc PRIVATE OE_USE_LIBSGX)
+if(HAS_QUOTE_PROVIDER)
+    target_compile_definitions(tls_client_enc PRIVATE OE_LINK_SGX_DCAP_QL)
 endif()
 
 set_source_files_properties(
diff --git a/tests/tls_e2e/host/host.cpp b/tests/tls_e2e/host/host.cpp
index 3d3849db9e..dcd3eac8cc 100644
--- a/tests/tls_e2e/host/host.cpp
+++ b/tests/tls_e2e/host/host.cpp
@@ -335,7 +335,7 @@ int run_scenarios_tests()
 
 int main(int argc, const char* argv[])
 {
-#ifdef OE_USE_LIBSGX
+#ifdef OE_LINK_SGX_DCAP_QL
     oe_result_t result = OE_FAILURE;
     uint32_t flags = OE_ENCLAVE_FLAG_DEBUG;
     int ret = 0;
@@ -391,11 +391,12 @@ int main(int argc, const char* argv[])
 
     return 0;
 #else
-    // this test should not run on any platforms where OE_USE_LIBSGX is not
-    // defined
+    // this test should not run on any platforms where OE_LINK_SGX_DCAP_QL is
+    // not defined
     OE_UNUSED(argc);
     OE_UNUSED(argv);
-    OE_TRACE_INFO("=== tests skipped when built with OE_USE_LIBSGX=OFF\n");
+    OE_TRACE_INFO(
+        "=== tests skipped when built with OE_LINK_SGX_DCAP_QL=OFF\n");
     return SKIP_RETURN_CODE;
 #endif
 }
diff --git a/tests/tls_e2e/server_enc/CMakeLists.txt b/tests/tls_e2e/server_enc/CMakeLists.txt
index 89baaf8283..7a0e99bdc9 100644
--- a/tests/tls_e2e/server_enc/CMakeLists.txt
+++ b/tests/tls_e2e/server_enc/CMakeLists.txt
@@ -6,8 +6,8 @@ include(oeedl_file)
 oeedl_file(../tls_e2e.edl enclave gen)
 
 add_enclave(TARGET tls_server_enc SOURCES server.cpp tls_e2e_t.c ../common/utility.cpp ${gen})
-if(USE_LIBSGX)
-    target_compile_definitions(tls_server_enc PRIVATE OE_USE_LIBSGX)
+if(HAS_QUOTE_PROVIDER)
+    target_compile_definitions(tls_server_enc PRIVATE OE_LINK_SGX_DCAP_QL)
 endif()
 
 set_source_files_properties(
diff --git a/tests/tools/oecert/host/host.cpp b/tests/tools/oecert/host/host.cpp
index a76a1a0cf5..31f2ff7f18 100644
--- a/tests/tools/oecert/host/host.cpp
+++ b/tests/tools/oecert/host/host.cpp
@@ -12,7 +12,7 @@
 
 #include "../../../../common/sgx/collaterals.h"
 
-#ifdef OE_USE_LIBSGX
+#ifdef OE_LINK_SGX_DCAP_QL
 
 #define INPUT_PARAM_OPTION_CERT "--cert"
 #define INPUT_PARAM_OPTION_REPORT "--report"
@@ -463,13 +463,13 @@ static oe_result_t _process_params(oe_enclave_t* enclave)
     return result;
 }
 
-#endif // OE_USE_LIBSGX
+#endif // OE_LINK_SGX_DCAP_QL
 
 int main(int argc, const char* argv[])
 {
     int ret = 0;
 
-#ifdef OE_USE_LIBSGX
+#ifdef OE_LINK_SGX_DCAP_QL
     oe_result_t result;
     oe_enclave_t* enclave = NULL;
 
@@ -506,7 +506,7 @@ int main(int argc, const char* argv[])
 exit:
 #else
 #pragma message \
-    "OE_USE_LIBSGX is not set to ON.  This tool requires SGX libraries."
+    "OE_LINK_SGX_DCAP_QL is not set to ON.  This tool requires DCAP libraries."
     OE_UNUSED(argc);
     OE_UNUSED(argv);
 #endif

From 0c983c17cfd7d03f42bb35350e1b13c0a014c1dc Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Thu, 17 Oct 2019 18:33:30 +0000
Subject: [PATCH 196/420] Update packaging build for HAS_QUOTE_PROVIDER

---
 .jenkins/Packaging.Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.jenkins/Packaging.Jenkinsfile b/.jenkins/Packaging.Jenkinsfile
index 3f900f080f..e1ee3f5056 100644
--- a/.jenkins/Packaging.Jenkinsfile
+++ b/.jenkins/Packaging.Jenkinsfile
@@ -34,7 +34,7 @@ def WindowsPackaging(String build_type) {
                 dir('build') {
                     bat """
                         vcvars64.bat x64 && \
-                        cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DUSE_LIBSGX=ON -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -DCPACK_GENERATOR=NuGet -Wdev && \
+                        cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DHAS_QUOTE_PROVIDER=ON -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -DCPACK_GENERATOR=NuGet -Wdev && \
                         ninja.exe && \
                         ctest.exe -V -C RELEASE --timeout ${CTEST_TIMEOUT_SECONDS} && \
                         cpack && \

From 880a48af484e6b4c98dcef8b86df07c0b8fe22e7 Mon Sep 17 00:00:00 2001
From: Sergio Wong <sergio.wong@gmail.com>
Date: Sat, 12 Oct 2019 22:46:57 +0000
Subject: [PATCH 197/420] Exposing remote attestation collaterals API.

---
 .../RemoteAttestationCollaterals.md           | 292 ++++++++++++++++++
 1 file changed, 292 insertions(+)
 create mode 100644 docs/DesignDocs/RemoteAttestationCollaterals.md

diff --git a/docs/DesignDocs/RemoteAttestationCollaterals.md b/docs/DesignDocs/RemoteAttestationCollaterals.md
new file mode 100644
index 0000000000..491cab2aaa
--- /dev/null
+++ b/docs/DesignDocs/RemoteAttestationCollaterals.md
@@ -0,0 +1,292 @@
+Remote Attestation Collaterals
+=====
+
+Adding attestation APIs to support collaterals for remote attestation.  Collaterals are information from a second source that the user/challenger can provide for attestation verification.
+
+Motivation
+----------
+
+Currently, the existing collaterals used for Intel SGX quote verification are not exposed to the user.  This makes it difficult for the user/challenger to specify his/her own set of policies.  Adding these new APIs allows the user to specify a validation policy of his/her choosing.  Possible policies:
+1. The user/challenger has the option to specify its set of collaterals during verification.
+2. The user/challenger has the option to provide a datetime to use during verification.  This datetime specified the date and time at which the user wants to do the verification.  If no datetime is provided, it uses the datetime when the collaterals were created.  The user can provide a datetime in the past, enabling auditing of the evidence and collaterals.
+
+
+User Experience
+---------------
+
+There are 3 scenarios.
+
+### 1. Challenger does not specify the collaterals:
+In this scenario the challenger does not receive any collaterals from the attester(where the TEE resides).  The challenger also does not pass any collaterals to the verification function, instead the collaterals are fetched during verification by the OE SDK.
+
+##### Attester generates the evidence (inside an enclave/TEE)
+```C
+// Get OE report
+result = oe_get_report(
+    OE_REPORT_FLAGS_REMOTE_ATTESTATION,
+    NULL, // report_data
+    0,
+    NULL, // opt_params
+    0,
+    &report,
+    report_size);
+```
+
+##### Challenger verifies the evidence (in the untrusted host)
+```C
+...
+
+// Verify report without collaterals
+result = oe_verify_remote_report_with_collaterals(
+            report,
+            report_size,
+            NULL, // collaterals
+            0,    // collaterals_size
+            NULL, // input_validation_time
+            parsed_report);
+...
+```
+
+### 2. Challenger is provided with collaterals:
+In this scenario the attester provides the evidence and collaterals to the challenger.  The challenger then uses these to verify the TEE.
+
+##### Attester generates the evidence and collaterals (inside an enclave/TEE)
+```C
+...
+result = oe_get_report(
+    OE_REPORT_FLAGS_REMOTE_ATTESTATION,
+    NULL, // report_data
+    0,
+    NULL, // opt_params
+    0,
+    &report,
+    report_size);
+
+result = oe_get_collaterals(
+    &collaterals,
+    &collaterals_size);
+...
+```
+
+##### Challenger verifies the evidence and collaterals (in the untrusted host)
+```C
+...
+
+// Verify report with collaterals
+result = oe_verify_remote_report_with_collaterals(
+            report,
+            report_size,
+            collaterals,
+            collaterals_size,
+            NULL, // input_validation_time
+            NULL, // parsed_report);
+...
+```
+
+### 3. Challenger specifies collaterals:
+In this scenario the attester only provides the evidence to the challenger.  The challenger then fetches the collaterals from a second source different than the OE SDK, and uses the evidence and collaterals to verify the TEE.
+
+##### Attester generates the evidence and collaterals (inside an enclave/TEE)
+```C
+...
+result = oe_get_report(
+    OE_REPORT_FLAGS_REMOTE_ATTESTATION,
+    NULL, // report_data
+    0,
+    NULL, // opt_params
+    0,
+    &report,
+    report_size);
+...
+```
+
+##### Challenger verifies the evidence with custom collaterals (in the untrusted host)
+```C
+...
+//
+// Challenger gets collaterals not using OE SDK
+//
+
+//
+// Challenger builds **collaterals** structure
+//
+
+// Verify report with collaterals
+result = oe_verify_remote_report_with_collaterals(
+            report,
+            report_size,
+            collaterals,
+            collaterals_size,
+            NULL, // input_validation_time
+            NULL, // parsed_report);
+...
+```
+
+Specification
+-------------
+
+### Collateral structure
+Generic serializable structure that stores the collaterals in raw binary format.
+
+`report.h`
+```C
+/*! \struct oe_collaterals_t
+ *
+ * \brief OE collaterals
+ *
+ * Raw generic serializable structure that contains the collaterals.
+ *
+ */
+typedef struct _oe_collaterals_t
+{
+    uint32_t version;
+    uint8_t enclave_type;         ///< The type of enclave
+    uint8_t reserved;
+    uint16_t reserved2;
+    uint32_t num_elements;
+    size_t buffer_size;           ///< Size of the buffer
+
+    ///< Data buffer is made of an offset array of type uint32_t, followed by
+    ///< the actual data.
+    ///< This array has the size of **num_elements** and stores the offset
+    ///< into the data section.
+    ///<  _________________________
+    ///<  |  version              |
+    ///<  |-----------------------|
+    ///<  |  reserved    | type   |
+    ///<  |-----------------------|
+    ///<  |  num_elements         |
+    ///<  |-----------------------|
+    ///<  |  buffer_size          |
+    ///<  |-----------------------|
+    ///<  |                       |
+    ///<  |  array(uint32_t)      |
+    ///<  |  size of num_elements |
+    ///<  |-----------------------|
+    ///<  |  Data                 |
+    ///<  |_______________________|
+    ///<
+    uint8_t buffer[];              ///< Buffer of offsets + data
+
+} oe_collaterals_t;
+```
+
+### New Collateral functions
+
+`collaterals.c`
+```C
+/*! \struct sgx_collaterals
+ *
+ * \brief SGX collateral structure
+ *
+ * The generic oe_collaterals_t structure is parsed and converted into this
+ * internal structure.  The order of the generic data elements should
+ * coincide with the order of the fields in this structure.
+ */
+typedef struct _sgx_collaterals_t
+{
+    uint8_t* tcb_info;                      ///< TCB info
+    size_t tcb_info_size;                   ///< TCB Info size
+    uint8_t* tcb_issuer_chain;              ///< PEM format
+    size_t tcb_issuer_chain_size;           ///< Size of the tcb_issuer_chain
+    uint8_t* crl[3];                        ///< CRLs
+    size_t crl_size[3];                     ///< CRLs sizes
+    uint8_t* crl_issuer_chain[3];           ///< PEM format
+    size_t crl_issuer_chain_size[3];        ///< Size of each crl_issuer_chain
+
+    uint8_t* qe_id_info;                    ///< QE Identity info
+    size_t qe_id_info_size;                 ///< QE Identity size
+    uint8_t* qe_id_issuer_chain;            ///< PEM format
+    size_t qe_id_issuer_chain_size;         ///< Size of qe_id_issuer_chain
+
+    uint8_t* creation_datetime;             ///< Time the collaterals were generated
+    size_t create_datetime_size;            ///< The size of creation_datetime.  Should be 24.
+
+} sgx_collaterals_t;
+
+/**
+ * Returns the collaterals needed for verification of a remote OE report.
+ *
+ * This function is only available inside an enclave.
+ *
+ * @param[in] enclave The instance of the enclave that will be used.
+ * @param[in] collaterals_buffer The buffer containing the collaterals to parse.
+ * @param[in] collaterals_buffer_size The size of the **collaterals_buffer**.
+ *
+ * @retval OE_OK The collaterals were successfully retrieved.
+ */
+oe_result_t oe_get_collaterals(
+    uint8_t** collaterals_buffer,
+    size_t* collaterals_buffer_size);
+
+/**
+ * Free up any resources allocated by oe_get_collateras()
+ *
+ * @param[in] collaterals_buffer The buffer containing the collaterals.
+ */
+void oe_free_collaterals(uint8_t* collaterals_buffer);
+
+/**
+ * Verify the integrity of the report and its signature,
+ * with optional collaterals that is associated with the report. If
+ * the collaterals are not specified, this function will fetch
+ * the collaterals.  This only applies to remote reports.  For
+ * local reports please use oe_verify_report().
+ *
+ * This function is similar to oe_verify_report() but it supports
+ * collaterals.
+ *
+ * This function is available in the enclave as well as in the host.
+ *
+ * @param[in] enclave The instance of the enclave that will be used.
+ * @param[in] report The buffer containing the report to verify.
+ * @param[in] report_size The size of the **report** buffer.
+ * @param[in] collaterals Optional The collateral data that is associated with
+ * the report (for remote reports only).
+ * @param[in] collaterals_size The size of the **collaterals** buffer.
+ * @param[in] input_validation_time Optional datetime to use when validating
+ * collaterals. If not specified, it will used the creation_datetime of the
+ * collaterals (if any collaterals are provided).
+ * @param[out] parsed_report Optional **oe_report_t** structure to populate with
+ * the report properties in a standard format.
+ *
+ * @retval OE_OK The report was successfully created.
+ * @retval OE_INVALID_PARAMETER At least one parameter is invalid.
+ *
+ */
+oe_result_t oe_verify_remote_report_with_collaterals(
+#ifndef OE_BUILD_ENCLAVE
+    oe_enclave_t* enclave,
+#endif
+    const uint8_t* report,
+    size_t report_size,
+    const uint8_t* collaterals,
+    size_t collaterals_size,
+    oe_datetime_t* input_validation_time,
+    oe_report_t* parsed_report);
+
+```
+
+Alternates
+----------
+
+### Collateral structure:
+- Multiple serializable structures were considered.  At the end the final design
+made sense given that it is generic and support serialization.  We considered
+supporting multiple flavors of the structure, a binary format and another for supporting
+user defined collaterals.  But we ended up deciding to have the user build the binary
+structure instead, to avoid complexity.
+
+### APIs:
+- To reduce complexity, `oe_get_collaterals()` is only available in the enclave.
+- To reduce complexity, `oe_verify_remote_report_with_collaterals()` only supports
+remote reports.  For local reports use `oe_verify_report()`
+
+Authors
+-------
+
+Name: Sergio Wong
+
+email: sewong@microsoft.com
+
+github username: jazzybluesea
\ No newline at end of file

From 9082e7c15639b4039704dd9c7488e5d522c9c5c7 Mon Sep 17 00:00:00 2001
From: Sergio Wong <sergio.wong@gmail.com>
Date: Tue, 15 Oct 2019 01:36:27 +0000
Subject: [PATCH 198/420] Review updates.

---
 .../RemoteAttestationCollaterals.md           | 284 ++++++++++++------
 1 file changed, 199 insertions(+), 85 deletions(-)

diff --git a/docs/DesignDocs/RemoteAttestationCollaterals.md b/docs/DesignDocs/RemoteAttestationCollaterals.md
index 491cab2aaa..3d1a2bed5c 100644
--- a/docs/DesignDocs/RemoteAttestationCollaterals.md
+++ b/docs/DesignDocs/RemoteAttestationCollaterals.md
@@ -1,14 +1,99 @@
-Remote Attestation Collaterals
+Remote Attestation Endorsements
 =====
 
-Adding attestation APIs to support collaterals for remote attestation.  Collaterals are information from a second source that the user/challenger can provide for attestation verification.
+Attestation is the process of proving the authenticity of a
+Trusted Execution Environment (TEE) platform (HW + software).
+
+In the current API, OE SDK has functions to get the evidence and to verify
+the evidence.  This document describes additional changes to the API to
+support the concept of endorsements. Endorsements are additional information
+from a second source that the verifier can use for attestation verification.
+
+Terminology
+----------
+From Remote Attestation Procedures Architecture
+(https://www.ietf.org/id/draft-birkholz-rats-architecture-02.txt).
+
+- Evidence is provable Claims about a specific Computing Environment
+      made by an Attester.
+
+- Known-Good-Values are reference Claims used to appraise Evidence.
+
+- Endorsements are reference Claims about the environment protecting
+      the Attesters capabilities to create believable Evidence (e.g. the
+      type of protection for an attestation key).  It answers the
+      question "why Evidence is believable".
+
+- Attestation Results are the output from the appraisal of Evidence,
+      Known-Good-Values and Endorsements.
+
+       +----------------+                     +-----------------+
+       |                |  Known-Good-Values  |                 |
+       |   Asserter(s)  |-------------------->|    Verifier     |
+       |                |  Endorsements   /-->|                 |
+       +----------------+                 |   +-----------------+
+                                          |            |
+                                          |            |
+                                          |            |
+                                          |            |Attestation
+                                          |            |Results
+                                          |            |
+                                          |            |
+                                          |            v
+       +----------------+                 |   +-----------------+
+       |                |    Evidence     |   |                 |
+       |    Attester    |-----------------/   |  Relying Party  |
+       |                |                     |                 |
+       +----------------+                     +-----------------+
+
+                           Figure 1: RATS Roles
+
+### Roles
+
+RATS roles are implemented by principals that possess cryptographic
+keys used to protect and authenticate Claims or Results.
+
+#### Attester:
+An Attestation Function that creates Evidence by
+collecting, formatting and protecting (e.g., signing) Claims.  It
+presents Evidence to a Verifier using a conveyance mechanism or
+protocol.
+
+#### Verifier:
+An Attestation Function that accepts Evidence from an Attester using
+a conveyance mechanism or protocol.  It also accepts Known-Good-Values
+and Endorsments from an Asserter using a conveyance mechanism or protocol.
+It verifies the protection mechanisms, parses and appraises Evidence
+according to good-known valid (or known-invalid) Claims and Endorsments.
+It produces Attestation Results that are formatted and protected (e.g.,
+signed).  It presents Attestation Results to a Relying Party using
+a conveyance mechanism or protocol.
+
+#### Asserter:
+An Attestation Function that generates reference Claims
+about both the Attesting Computing Environment and the Attested
+Computing Environment.  The manufacturing and development
+processes are presumed to be trustworthy processes.  In other
+words the Asserter is presumed, by a Verifier, to produce valid
+Claims.  The function collects, formats and protects (e.g. signs)
+valid Claims known as Endorsements and Known-Good-Values.  It
+presents provable Claims to a Verifier using a conveyance
+mechanism or protocol.
+
+#### Relying Party:
+An Attestation Function that accepts Attestation
+Results from a Verifier using a conveyance mechanism or protocol.
+It assesses Attestation Results protections, parses and assesses
+Attestation Results according to an assessent context (Note:
+definition of the assessment context is out-of-scope).
+
 
 Motivation
 ----------
 
-Currently, the existing collaterals used for Intel SGX quote verification are not exposed to the user.  This makes it difficult for the user/challenger to specify his/her own set of policies.  Adding these new APIs allows the user to specify a validation policy of his/her choosing.  Possible policies:
-1. The user/challenger has the option to specify its set of collaterals during verification.
-2. The user/challenger has the option to provide a datetime to use during verification.  This datetime specified the date and time at which the user wants to do the verification.  If no datetime is provided, it uses the datetime when the collaterals were created.  The user can provide a datetime in the past, enabling auditing of the evidence and collaterals.
+Currently, the existing endorsements used for Intel SGX quote verification are not exposed to the user.  This makes it difficult for the verifier to specify his/her own set of policies.  Adding these new APIs allows the verifier to specify a validation policy of his/her choosing.  Possible policies:
+1. The verifier has the option to specify its set of endorsements during verification.
+2. The verifier has the option to provide a datetime to use during verification.  This datetime specifies the date and time at which the verifier wants to do the verification.  If no datetime is provided, the datetime when the endorsements were created is used during verification.  The verifier can provide a datetime in the past, enabling auditing of the evidence and endorsements.
 
 
 User Experience
@@ -16,8 +101,8 @@ User Experience
 
 There are 3 scenarios.
 
-### 1. Challenger does not specify the collaterals:
-In this scenario the challenger does not receive any collaterals from the attester(where the TEE resides).  The challenger also does not pass any collaterals to the verification function, instead the collaterals are fetched during verification by the OE SDK.
+### 1. Verifier does not specify the endorsements:
+In this scenario the verifier does not receive any endorsements from the attester (where the TEE resides).  The verifier also does not pass any endorsements to the verification function, instead the endorsements are fetched during verification by the OE SDK.
 
 ##### Attester generates the evidence (inside an enclave/TEE)
 ```C
@@ -32,25 +117,25 @@ result = oe_get_report(
     report_size);
 ```
 
-##### Challenger verifies the evidence (in the untrusted host)
+##### Verifier verifies the evidence (in the untrusted host or inside an enclave/TEE)
 ```C
 ...
 
-// Verify report without collaterals
-result = oe_verify_remote_report_with_collaterals(
+// Verify report without endorsements
+result = oe_verify_remote_report_with_endorsements(
             report,
             report_size,
-            NULL, // collaterals
-            0,    // collaterals_size
+            NULL, // endorsements
+            0,    // endorsements_size
             NULL, // input_validation_time
             parsed_report);
 ...
 ```
 
-### 2. Challenger is provided with collaterals:
-In this scenario the attester provides the evidence and collaterals to the challenger.  The challenger then uses these to verify the TEE.
+### 2. Verifier is provided with endorsements:
+In this scenario the attester/asserter provides the evidence and endorsements to the verifier.  The verifier is then free to use these to verify the TEE.
 
-##### Attester generates the evidence and collaterals (inside an enclave/TEE)
+##### Attester generates the evidence and endorsements (inside an enclave/TEE)
 ```C
 ...
 result = oe_get_report(
@@ -62,31 +147,31 @@ result = oe_get_report(
     &report,
     report_size);
 
-result = oe_get_collaterals(
-    &collaterals,
-    &collaterals_size);
+result = oe_get_endorsements(
+    &endorsements,
+    &endorsements_size);
 ...
 ```
 
-##### Challenger verifies the evidence and collaterals (in the untrusted host)
+##### Verifier verifies the evidence and endorsements (in the untrusted host or inside an enclave/TEE)
 ```C
 ...
 
-// Verify report with collaterals
-result = oe_verify_remote_report_with_collaterals(
+// Verify report with endorsements
+result = oe_verify_remote_report_with_endorsements(
             report,
             report_size,
-            collaterals,
-            collaterals_size,
+            endorsements,
+            endorsements_size,
             NULL, // input_validation_time
             NULL, // parsed_report);
 ...
 ```
 
-### 3. Challenger specifies collaterals:
-In this scenario the attester only provides the evidence to the challenger.  The challenger then fetches the collaterals from a second source different than the OE SDK, and uses the evidence and collaterals to verify the TEE.
+### 3. Verifier specifies endorsements:
+In this scenario the attester only provides the evidence to the verifier.  The verifier then fetches the endorsements from a second source different than the OE SDK, and uses the evidence and endorsements to verify the TEE.
 
-##### Attester generates the evidence and collaterals (inside an enclave/TEE)
+##### Attester generates the evidence (inside an enclave/TEE)
 ```C
 ...
 result = oe_get_report(
@@ -100,23 +185,23 @@ result = oe_get_report(
 ...
 ```
 
-##### Challenger verifies the evidence with custom collaterals (in the untrusted host)
+##### Verifier verifies the evidence with custom endorsements (in the untrusted host or inside an enclave/TEE)
 ```C
 ...
 //
-// Challenger gets collaterals not using OE SDK
+// Verifier gets endorsements not using OE SDK
 //
 
 //
-// Challenger builds **collaterals** structure
+// Verifier builds **endorsements** structure
 //
 
-// Verify report with collaterals
-result = oe_verify_remote_report_with_collaterals(
+// Verify report with endorsements
+result = oe_verify_remote_report_with_endorsements(
             report,
             report_size,
-            collaterals,
-            collaterals_size,
+            endorsements,
+            endorsements_size,
             NULL, // input_validation_time
             NULL, // parsed_report);
 ...
@@ -125,26 +210,24 @@ result = oe_verify_remote_report_with_collaterals(
 Specification
 -------------
 
-### Collateral structure
-Generic serializable structure that stores the collaterals in raw binary format.
+### Endorsement structure
+Generic serializable structure that stores the endorsements in raw binary format.
 
 `report.h`
 ```C
-/*! \struct oe_collaterals_t
+/*! \struct oe_endorsements_t
  *
- * \brief OE collaterals
+ * \brief OE endorsements
  *
- * Raw generic serializable structure that contains the collaterals.
+ * Raw generic serializable structure that contains the endorsements.
  *
  */
-typedef struct _oe_collaterals_t
+typedef struct _oe_endorsements_t
 {
     uint32_t version;
-    uint8_t enclave_type;         ///< The type of enclave
-    uint8_t reserved;
-    uint16_t reserved2;
+    uint32_t enclave_type;        ///< The type of enclave
+    uint64_t buffer_size;         ///< Size of the buffer
     uint32_t num_elements;
-    size_t buffer_size;           ///< Size of the buffer
 
     ///< Data buffer is made of an offset array of type uint32_t, followed by
     ///< the actual data.
@@ -153,37 +236,37 @@ typedef struct _oe_collaterals_t
     ///<  _________________________
     ///<  |  version              |
     ///<  |-----------------------|
-    ///<  |  reserved    | type   |
+    ///<  |  enclave_type         |
     ///<  |-----------------------|
     ///<  |  num_elements         |
     ///<  |-----------------------|
     ///<  |  buffer_size          |
     ///<  |-----------------------|
     ///<  |                       |
-    ///<  |  array(uint32_t)      |
-    ///<  |  size of num_elements |
+    ///<  | array of uint32_t     |
+    ///<  | of length num_elements|
     ///<  |-----------------------|
     ///<  |  Data                 |
     ///<  |_______________________|
     ///<
     uint8_t buffer[];              ///< Buffer of offsets + data
 
-} oe_collaterals_t;
+} oe_endorsements_t;
 ```
 
-### New Collateral functions
+### New Endorsement functions
 
-`collaterals.c`
+`endorsements.c`
 ```C
-/*! \struct sgx_collaterals
+/*! \struct tee_endorsements
  *
- * \brief SGX collateral structure
+ * \brief SGX endorsements structure
  *
- * The generic oe_collaterals_t structure is parsed and converted into this
+ * The generic oe_endorsements_t structure is parsed and converted into this
  * internal structure.  The order of the generic data elements should
  * coincide with the order of the fields in this structure.
  */
-typedef struct _sgx_collaterals_t
+typedef struct _tee_endorsements_t
 {
     uint8_t* tcb_info;                      ///< TCB info
     size_t tcb_info_size;                   ///< TCB Info size
@@ -199,54 +282,53 @@ typedef struct _sgx_collaterals_t
     uint8_t* qe_id_issuer_chain;            ///< PEM format
     size_t qe_id_issuer_chain_size;         ///< Size of qe_id_issuer_chain
 
-    uint8_t* creation_datetime;             ///< Time the collaterals were generated
+    uint8_t* creation_datetime;             ///< Time the endorsements were generated
     size_t create_datetime_size;            ///< The size of creation_datetime.  Should be 24.
 
-} sgx_collaterals_t;
+} tee_endorsements_t;
 
 /**
- * Returns the collaterals needed for verification of a remote OE report.
+ * Returns the endorsements needed for verification of a remote OE report.
  *
  * This function is only available inside an enclave.
  *
  * @param[in] enclave The instance of the enclave that will be used.
- * @param[in] collaterals_buffer The buffer containing the collaterals to parse.
- * @param[in] collaterals_buffer_size The size of the **collaterals_buffer**.
+ * @param[in] endorsements_buffer The buffer containing the endorsements to parse.
+ * @param[in] endorsements_buffer_size The size of the **endorsements_buffer**.
  *
- * @retval OE_OK The collaterals were successfully retrieved.
+ * @retval OE_OK The endorsements were successfully retrieved.
  */
-oe_result_t oe_get_collaterals(
-    uint8_t** collaterals_buffer,
-    size_t* collaterals_buffer_size);
+oe_result_t oe_get_endorsements(
+    uint8_t** endorsements_buffer,
+    size_t* endorsements_buffer_size);
 
 /**
- * Free up any resources allocated by oe_get_collateras()
+ * Free up any resources allocated by oe_get_endorsements()
  *
- * @param[in] collaterals_buffer The buffer containing the collaterals.
+ * @param[in] endorsements_buffer The buffer containing the endorsements.
  */
-void oe_free_collaterals(uint8_t* collaterals_buffer);
+void oe_free_endorsements(uint8_t* endorsements_buffer);
 
 /**
  * Verify the integrity of the report and its signature,
- * with optional collaterals that is associated with the report. If
- * the collaterals are not specified, this function will fetch
- * the collaterals.  This only applies to remote reports.  For
+ * with optional endorsements that are associated with the report. If
+ * the endorsements are not specified, this function will fetch
+ * the endorsements.  This only applies to remote reports.  For
  * local reports please use oe_verify_report().
  *
  * This function is similar to oe_verify_report() but it supports
- * collaterals.
+ * endorsements.
  *
  * This function is available in the enclave as well as in the host.
  *
- * @param[in] enclave The instance of the enclave that will be used.
  * @param[in] report The buffer containing the report to verify.
  * @param[in] report_size The size of the **report** buffer.
- * @param[in] collaterals Optional The collateral data that is associated with
+ * @param[in] endorsements Optional The endorsement data that is associated with
  * the report (for remote reports only).
- * @param[in] collaterals_size The size of the **collaterals** buffer.
+ * @param[in] endorsements_size The size of the **endorsements** buffer.
  * @param[in] input_validation_time Optional datetime to use when validating
- * collaterals. If not specified, it will used the creation_datetime of the
- * collaterals (if any collaterals are provided).
+ * endorsements. If not specified, it will use the creation_datetime of the
+ * endorsements (if any endorsements are provided).
  * @param[out] parsed_report Optional **oe_report_t** structure to populate with
  * the report properties in a standard format.
  *
@@ -254,33 +336,65 @@ void oe_free_collaterals(uint8_t* collaterals_buffer);
  * @retval OE_INVALID_PARAMETER At least one parameter is invalid.
  *
  */
-oe_result_t oe_verify_remote_report_with_collaterals(
-#ifndef OE_BUILD_ENCLAVE
-    oe_enclave_t* enclave,
-#endif
+oe_result_t oe_verify_report_with_endorsements(
     const uint8_t* report,
     size_t report_size,
-    const uint8_t* collaterals,
-    size_t collaterals_size,
+    const uint8_t* endorsements,
+    size_t endorsements_size,
     oe_datetime_t* input_validation_time,
     oe_report_t* parsed_report);
+```
 
+### Update existing functions
+
+In the host_verify library, this is the standalone library used for verifying remote reports outside
+the TEE/enclave. Update oe_verfiy_remote_report() to take endorsements as an input parameter.
+
+`host/sgx/hostverify_report.c`
+```C
+/**
+ * Verify the integrity of the report and its signature,
+ * with optional endorsements that are associated with the report. If
+ * the endorsements are not specified, this function will fetch
+ * the endorsements.
+ *
+ * @param[in] report The buffer containing the report to verify.
+ * @param[in] report_size The size of the **report** buffer.
+ * @param[in] endorsements Optional The endorsement data that is associated with
+ * the report (for remote reports only).
+ * @param[in] endorsements_size The size of the **endorsements** buffer.
+ * @param[in] input_validation_time Optional datetime to use when validating
+ * endorsements. If not specified, it will use the creation_datetime of the
+ * endorsements (if any endorsements are provided).
+ * @param[out] parsed_report Optional **oe_report_t** structure to populate with
+ * the report properties in a standard format.
+ *
+ * @retval OE_OK The report was successfully created.
+ * @retval OE_INVALID_PARAMETER At least one parameter is invalid.
+ *
+ */
+oe_result_t oe_verify_remote_report(
+    const uint8_t* report,
+    size_t report_size,
+    const uint8_t* endorsements,
+    size_t endorsements_size,
+    oe_report_t* parsed_report);
 ```
 
 Alternates
 ----------
 
-### Collateral structure:
+### Endorsement structure:
 - Multiple serializable structures were considered.  At the end the final design
 made sense given that it is generic and support serialization.  We considered
 supporting multiple flavors of the structure, a binary format and another for supporting
-user defined collaterals.  But we ended up deciding to have the user build the binary
+user defined endorsements.  But we ended up deciding to have the user build the binary
 structure instead, to avoid complexity.
 
 ### APIs:
-- To reduce complexity, `oe_get_collaterals()` is only available in the enclave.
-- To reduce complexity, `oe_verify_remote_report_with_collaterals()` only supports
-remote reports.  For local reports use `oe_verify_report()`
+- To reduce complexity, `oe_get_endorsements()` is only available in the enclave.
+- To reduce complexity and break existing API users, `oe_verify_remote_report_with_endorsements()`
+only supports remote reports.  For local reports use `oe_verify_report()`
 
 Authors
 -------

From 23fbadca4d2192a5d40f8dff6302f97c7d0665a3 Mon Sep 17 00:00:00 2001
From: Sergio Wong <sergio.wong@gmail.com>
Date: Wed, 16 Oct 2019 17:50:30 +0000
Subject: [PATCH 199/420] Public API is now oe_get_evidence() and
 oe_verify_evidence()

---
 .../RemoteAttestationCollaterals.md           | 351 ++++++++++--------
 1 file changed, 200 insertions(+), 151 deletions(-)

diff --git a/docs/DesignDocs/RemoteAttestationCollaterals.md b/docs/DesignDocs/RemoteAttestationCollaterals.md
index 3d1a2bed5c..0c3f60ce9b 100644
--- a/docs/DesignDocs/RemoteAttestationCollaterals.md
+++ b/docs/DesignDocs/RemoteAttestationCollaterals.md
@@ -99,55 +99,22 @@ Currently, the existing endorsements used for Intel SGX quote verification are n
 User Experience
 ---------------
 
-There are 3 scenarios.
+There are 2 scenarios.
 
-### 1. Verifier does not specify the endorsements:
-In this scenario the verifier does not receive any endorsements from the attester (where the TEE resides).  The verifier also does not pass any endorsements to the verification function, instead the endorsements are fetched during verification by the OE SDK.
-
-##### Attester generates the evidence (inside an enclave/TEE)
-```C
-// Get OE report
-result = oe_get_report(
-    OE_REPORT_FLAGS_REMOTE_ATTESTATION,
-    NULL, // report_data
-    0,
-    NULL, // opt_params
-    0,
-    &report,
-    report_size);
-```
-
-##### Verifier verifies the evidence (in the untrusted host or inside an enclave/TEE)
-```C
-...
-
-// Verify report without endorsements
-result = oe_verify_remote_report_with_endorsements(
-            report,
-            report_size,
-            NULL, // endorsements
-            0,    // endorsements_size
-            NULL, // input_validation_time
-            parsed_report);
-...
-```
-
-### 2. Verifier is provided with endorsements:
+### 1. Verifier is provided with endorsements:
 In this scenario the attester/asserter provides the evidence and endorsements to the verifier.  The verifier is then free to use these to verify the TEE.
 
 ##### Attester generates the evidence and endorsements (inside an enclave/TEE)
 ```C
 ...
-result = oe_get_report(
-    OE_REPORT_FLAGS_REMOTE_ATTESTATION,
-    NULL, // report_data
+result = oe_get_evidence(
+    OE_EVIDENCE_FLAGS_REMOTE_ATTESTATION,
+    NULL, // custom_claims
     0,
     NULL, // opt_params
     0,
-    &report,
-    report_size);
-
-result = oe_get_endorsements(
+    &evidence,
+    &evidence_size,
     &endorsements,
     &endorsements_size);
 ...
@@ -158,30 +125,34 @@ result = oe_get_endorsements(
 ...
 
 // Verify report with endorsements
-result = oe_verify_remote_report_with_endorsements(
-            report,
-            report_size,
+result = oe_verify_evidence(
+            evidence,
+            evidence_size,
             endorsements,
             endorsements_size,
-            NULL, // input_validation_time
-            NULL, // parsed_report);
+            NULL,  // opt_params
+            0,
+            &claims,
+            &claims_size);
 ...
 ```
 
-### 3. Verifier specifies endorsements:
+### 2. Verifier specifies endorsements:
 In this scenario the attester only provides the evidence to the verifier.  The verifier then fetches the endorsements from a second source different than the OE SDK, and uses the evidence and endorsements to verify the TEE.
 
 ##### Attester generates the evidence (inside an enclave/TEE)
 ```C
 ...
-result = oe_get_report(
-    OE_REPORT_FLAGS_REMOTE_ATTESTATION,
-    NULL, // report_data
+result = oe_get_evidence(
+    OE_EVIDENCE_FLAGS_REMOTE_ATTESTATION,
+    NULL, // custom_claims
     0,
     NULL, // opt_params
     0,
-    &report,
-    report_size);
+    &evidence,
+    &evidence_size,
+    &endorsements,
+    &endorsements_size);
 ...
 ```
 
@@ -195,38 +166,49 @@ result = oe_get_report(
 //
 // Verifier builds **endorsements** structure
 //
+endorsements_external = ...
+endorsements_external_size = ...
 
-// Verify report with endorsements
-result = oe_verify_remote_report_with_endorsements(
+// Verify evidence with external endorsements
+result = oe_verify_evidence(
             report,
             report_size,
-            endorsements,
-            endorsements_size,
-            NULL, // input_validation_time
-            NULL, // parsed_report);
+            endorsements_external,
+            endorsements_external_size,
+            NULL,  // opt_params
+            0,
+            &claims,
+            &claims_size);
 ...
 ```
 
 Specification
 -------------
 
-### Endorsement structure
-Generic serializable structure that stores the endorsements in raw binary format.
+### <B>Public</B> type definitions
+Generic serializable public structure that stores the endorsements in raw binary format.
 
-`report.h`
+`attestation.h`
 ```C
+/**
+ * Flags passed to oe_get_evidence() function.
+ */
+#define OE_EVIDENCE_FLAGS_LOCAL_ATTESTATION  0x00000000
+#define OE_EVIDENCE_FLAGS_REMOTE_ATTESTATION 0x00000001
+
 /*! \struct oe_endorsements_t
  *
  * \brief OE endorsements
  *
- * Raw generic serializable structure that contains the endorsements.
+ * Raw generic serializable structure that contains the endorsements. All
+ * data should be in little endian format.
  *
  */
 typedef struct _oe_endorsements_t
 {
     uint32_t version;
     uint32_t enclave_type;        ///< The type of enclave
-    uint64_t buffer_size;         ///< Size of the buffer
+    uint64_t buffer_size;         ///< Size of the buffer  (oe_enclave_type_t)
     uint32_t num_elements;
 
     ///< Data buffer is made of an offset array of type uint32_t, followed by
@@ -238,13 +220,14 @@ typedef struct _oe_endorsements_t
     ///<  |-----------------------|
     ///<  |  enclave_type         |
     ///<  |-----------------------|
-    ///<  |  num_elements         |
-    ///<  |-----------------------|
     ///<  |  buffer_size          |
     ///<  |-----------------------|
-    ///<  |                       |
-    ///<  | array of uint32_t     |
-    ///<  | of length num_elements|
+    ///<  |  num_elements         |
+    ///<  |-----------------------|
+    ///<  |  offsets              |
+    ///<  |  (array of uint32_t   |
+    ///<  |  with length of       |
+    ///<  |  num_elements)        |
     ///<  |-----------------------|
     ///<  |  Data                 |
     ///<  |_______________________|
@@ -252,134 +235,202 @@ typedef struct _oe_endorsements_t
     uint8_t buffer[];              ///< Buffer of offsets + data
 
 } oe_endorsements_t;
+
+
+///< Number of CRLs in the SGX endorsements
+#define OE_SGX_ENDORSEMENTS_CRL_COUNT     (2)
+
+/*! \enum oe_sgx_endorsements_fields
+ *
+ * Specifies the order of the SGX endorsements fields stored in
+ * the oe_endorsements_t strcuture
+ */
+typedef enum _oe_sgx_endorsements_fields
+{
+    OE_SGX_ENDORSEMENT_FIELD_TCB_INFO = 0,
+    OE_SGX_ENDORSEMENT_FIELD_TCB_ISSUER_CHAIN = 1,
+    OE_SGX_ENDORSEMENT_FIELD_CRL_START_INDEX = 2,
+    OE_SGX_ENDORSEMENT_FIELD_CRL_END_INDEX =
+        OE_SGX_ENDORSEMENT_FIELD_CRL_START_INDEX + OE_SGX_ENDORSEMENTS_CRL_COUNT - 1,
+
+    OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_START_INDEX =
+        OE_SGX_ENDORSEMENT_FIELD_CRL_END_INDEX + 1,
+
+    OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_END_INDEX =
+        OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_START_INDEX +
+        OE_SGX_ENDORSEMENTS_CRL_COUNT - 1,
+
+    OE_SGX_ENDORSEMENT_FIELD_QE_ID_INFO =
+        OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_END_INDEX + 1,
+
+    OE_SGX_ENDORSEMENT_FIELD_QE_ID_ISSUER_CHAIN,
+    OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME
+
+} oe_sgx_endorsements_fields;
 ```
 
-### New Endorsement functions
+### <B>Private</B> SGX endorsement definitions
 
-`endorsements.c`
+`common/sgx/evidence.h`
 ```C
-/*! \struct tee_endorsements
+/*! \struct oe_sgx_endorsements
  *
  * \brief SGX endorsements structure
  *
  * The generic oe_endorsements_t structure is parsed and converted into this
  * internal structure.  The order of the generic data elements should
  * coincide with the order of the fields in this structure.
+ *
+ * Data format: All data comes from the Data Center Attestation Primitives(DCAP)
+ * Client.
+ *
+ * For Azure DCAP Client
+ * (https://github.com/microsoft/Azure-DCAP-Client/blob/master/src/dcap_provider.h)
+ * see **sgx_ql_revocation_info_t** and sgx_qe_identity_info_t.
+ *
+ * For Intel DCAP Client
+ * (https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/README.md)
+ * see TBD.
+ *
  */
-typedef struct _tee_endorsements_t
+typedef struct _oe_sgx_endorsements_t
 {
-    uint8_t* tcb_info;                      ///< TCB info
-    size_t tcb_info_size;                   ///< TCB Info size
-    uint8_t* tcb_issuer_chain;              ///< PEM format
-    size_t tcb_issuer_chain_size;           ///< Size of the tcb_issuer_chain
-    uint8_t* crl[3];                        ///< CRLs
-    size_t crl_size[3];                     ///< CRLs sizes
-    uint8_t* crl_issuer_chain[3];           ///< PEM format
-    size_t crl_issuer_chain_size[3];        ///< Size of each crl_issuer_chain
+    uint8_t* tcb_info;                      ///< TCB info, null-terminated JSON string
+    uint32_t tcb_info_size;                 ///< TCB Info size
+    uint8_t* tcb_issuer_chain;              ///< PEM format, null-terminated string
+    uint32_t tcb_issuer_chain_size;         ///< Size of the tcb_issuer_chain
+
+    ///< CRLs in DER format, null-terminated
+    ///<     crl[0] = CRL for the SGX PCK Certificate
+    ///<     crl[1] = CRL for the SGX PCK Processor CA
+    uint8_t* crl[OE_SGX_ENDORSEMENTS_CRL_COUNT];
+
+    ///< CRLs sizes
+    uint32_t crl_size[OE_SGX_ENDORSEMENTS_CRL_COUNT];
+
+    ///< PEM format, null-terminated string
+    uint8_t* crl_issuer_chain[OE_SGX_ENDORSEMENTS_CRL_COUNT];
+
+    ///< Size of each crl_issuer_chain
+    uint32_t crl_issuer_chain_size[OE_SGX_ENDORSEMENTS_CRL_COUNT];
+
+    uint8_t* qe_id_info;                    ///< QE Identity info, null-terminated JSON string
+    uint32_t qe_id_info_size;               ///< QE Identity size
+    uint8_t* qe_id_issuer_chain;            ///< PEM format, null-terminated string
+    uint32_t qe_id_issuer_chain_size;       ///< Size of qe_id_issuer_chain
+
+    uint8_t* creation_datetime;             ///< Time the endorsements were generated,
+                                            ///< null-terminated string
+    uint32_t create_datetime_size;          ///< The size of creation_datetime.
+
+} oe_sgx_endorsements_t;
+```
+
+### New <B>Public</B> Attestation functions
 
-    uint8_t* qe_id_info;                    ///< QE Identity info
-    size_t qe_id_info_size;                 ///< QE Identity size
-    uint8_t* qe_id_issuer_chain;            ///< PEM format
-    size_t qe_id_issuer_chain_size;         ///< Size of qe_id_issuer_chain
+These functions supersede the existing functions:
+1. `oe_get_evidence()` supersedes `oe_verify_report()`
+2. `oe_verify_evidence()` supersedes `oe_verify_report()`
 
-    uint8_t* creation_datetime;             ///< Time the endorsements were generated
-    size_t create_datetime_size;            ///< The size of creation_datetime.  Should be 24.
+These functions will use plug-in attestation framework.  For more information please
+see the design document `CustomAttestation.md`.  In short, the actual implementation
+of these functions will depend on which plug-in is registered.  By default there will
+be a built-in SGX plug-in.
 
-} tee_endorsements_t;
+For more information on the parameters `custom_claims`, `claims` or `opt_params`
+please see design document `CustomAttestation.md`.
 
+`common/sgx/attestation.c`
+```C
 /**
- * Returns the endorsements needed for verification of a remote OE report.
+ * Get evidence signed by the enclave platform along with the corresponding
+ * endorsements for use in attestation.
+ *
+ * This function returns the evidence and endorsements used in **local** or
+ * **remote** attestation.
  *
- * This function is only available inside an enclave.
+ * This function can only be called from a TEE/enclave.
  *
- * @param[in] enclave The instance of the enclave that will be used.
- * @param[in] endorsements_buffer The buffer containing the endorsements to parse.
- * @param[in] endorsements_buffer_size The size of the **endorsements_buffer**.
+ * @param[in] flags Specifying default value (0) generates evidence for local
+ * attestation. Specifying OE_EVIDENCE_FLAGS_REMOTE_ATTESTATION generates
+ * evidence for remote attestation.
+ * @param[in] custom_claims A buffer to the optional custom claims.
+ * @param[in] custom_claims_size The size in bytes of custom_claims.
+ * @param[in] opt_params Optional additional parameters needed for the current
+ * enclave type.
+ *     For SGX:
+ *        This can be sgx_target_info_t for local attestation.
+ * @param[in] opt_params_size The size of the **opt_params** buffer.
+ * @param[out] evidence_buffer This points to the resulting evidence upon success.
+ * @param[out] evidence_buffer_size This is set to the size of the evidence buffer
+ * on success.
+ * @param[out] endorsements_buffer The buffer containing the endorsements to parse.
+ * @param[out] endorsements_buffer_size The size of the **endorsements_buffer**.
+ *
+ * @retval OE_OK The evidence and endorsements were successfully created.
+ * @retval OE_INVALID_PARAMETER At least one parameter is invalid.
+ * @retval OE_OUT_OF_MEMORY Failed to allocate memory.
  *
- * @retval OE_OK The endorsements were successfully retrieved.
  */
-oe_result_t oe_get_endorsements(
+oe_result_t oe_get_evidence(
+    uint32_t flags,
+    const uint8_t* custom_claims,
+    size_t custom_claims_size,
+    const void* opt_params,
+    size_t opt_params_size,
+    uint8_t** evidence_buffer,
+    size_t* evidence_buffer_size,
     uint8_t** endorsements_buffer,
     size_t* endorsements_buffer_size);
 
 /**
- * Free up any resources allocated by oe_get_endorsements()
+ * Free up any resources allocated by oe_get_evidence()
  *
+ * @param[in] evidence_buffer THe buffer containing the evidence.
  * @param[in] endorsements_buffer The buffer containing the endorsements.
  */
-void oe_free_endorsements(uint8_t* endorsements_buffer);
+void oe_free_evidence(
+    uint8_t* endorsements_buffer,
+    uint8_t* evidence_buffer);
 
 /**
- * Verify the integrity of the report and its signature,
- * with optional endorsements that are associated with the report. If
- * the endorsements are not specified, this function will fetch
- * the endorsements.  This only applies to remote reports.  For
- * local reports please use oe_verify_report().
- *
- * This function is similar to oe_verify_report() but it supports
- * endorsements.
+ * Verify the integrity of the evidence and its signature,
+ * with endorsements that are associated with the evidence.
+ * This function works for both local and remote attestation.
  *
  * This function is available in the enclave as well as in the host.
  *
- * @param[in] report The buffer containing the report to verify.
- * @param[in] report_size The size of the **report** buffer.
+ * @param[in] evidence_buffer The buffer containing the evidence to verify.
+ * @param[in] evidence_buffer_size The size of the **evidence** buffer.
  * @param[in] endorsements Optional The endorsement data that is associated with
- * the report (for remote reports only).
+ * the evidence.
  * @param[in] endorsements_size The size of the **endorsements** buffer.
- * @param[in] input_validation_time Optional datetime to use when validating
- * endorsements. If not specified, it will use the creation_datetime of the
+ * @param[in] input_validation_time Optional datetime to use when verifying
+ * evidence. If not specified, it will use the creation_datetime of the
  * endorsements (if any endorsements are provided).
- * @param[out] parsed_report Optional **oe_report_t** structure to populate with
- * the report properties in a standard format.
+ * @param[out] claims The list of claims.
+ * @param[out] claims_size The size of claims.
  *
- * @retval OE_OK The report was successfully created.
+ * @retval OE_OK The verification was successful.
  * @retval OE_INVALID_PARAMETER At least one parameter is invalid.
  *
  */
-oe_result_t oe_verify_report_with_endorsements(
-    const uint8_t* report,
-    size_t report_size,
+oe_result_t oe_verify_evidence(
+    const uint8_t* evidence_buffer,
+    size_t evidence_buffer_size,
     const uint8_t* endorsements,
     size_t endorsements_size,
     oe_datetime_t* input_validation_time,
-    oe_report_t* parsed_report);
+    uint8_t** claims,
+    size_t* claims_size);
 ```
 
-### Update existing functions
+### OE Host Verify Library
 
-In the host_verify library, this is the standalone library used for verifying remote reports outside
-the TEE/enclave. Update oe_verfiy_remote_report() to take endorsements as an input parameter.
+The OE Host Verify library is a standalone library used for verifying remote reports outside
+the TEE/enclave. The function `oe_verfiy_remote_report()` will be deprecated and should use the
+upcoming plug-in mode to do verification.
 
-`host/sgx/hostverify_report.c`
-```C
-/**
- * Verify the integrity of the report and its signature,
- * with optional endorsements that are associated with the report. If
- * the endorsements are not specified, this function will fetch
- * the endorsements.
- *
- * @param[in] report The buffer containing the report to verify.
- * @param[in] report_size The size of the **report** buffer.
- * @param[in] endorsements Optional The endorsement data that is associated with
- * the report (for remote reports only).
- * @param[in] endorsements_size The size of the **endorsements** buffer.
- * @param[in] input_validation_time Optional datetime to use when validating
- * endorsements. If not specified, it will use the creation_datetime of the
- * endorsements (if any endorsements are provided).
- * @param[out] parsed_report Optional **oe_report_t** structure to populate with
- * the report properties in a standard format.
- *
- * @retval OE_OK The report was successfully created.
- * @retval OE_INVALID_PARAMETER At least one parameter is invalid.
- *
- */
-oe_result_t oe_verify_remote_report(
-    const uint8_t* report,
-    size_t report_size,
-    const uint8_t* endorsements,
-    size_t endorsements_size,
-    oe_report_t* parsed_report);
-```
 
 Alternates
 ----------
@@ -392,9 +443,7 @@ user defined endorsements.  But we ended up deciding to have the user build the
 structure instead, to avoid complexity.
 
 ### APIs:
-- To reduce complexity, `oe_get_endorsements()` is only available in the enclave.
-- To reduce complexity and break existing API users, `oe_verify_remote_report_with_endorsements()`
-only supports remote reports.  For local reports use `oe_verify_report()`
+- To reduce complexity, `oe_get_evidence()` is only available in the enclave.
 
 Authors
 -------

From bd76920fbca851d546e8f5dc625ce397cc1020d9 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Fri, 18 Oct 2019 04:36:39 +0000
Subject: [PATCH 200/420] Update Linux/Windows VS Code docs according to
 comments.

---
 docs/GettingStartedDocs/Linux_vscode.md   | 32 +++++++----------------
 docs/GettingStartedDocs/Windows_vscode.md |  4 +--
 2 files changed, 12 insertions(+), 24 deletions(-)

diff --git a/docs/GettingStartedDocs/Linux_vscode.md b/docs/GettingStartedDocs/Linux_vscode.md
index e3ae97cb5f..b7462be434 100644
--- a/docs/GettingStartedDocs/Linux_vscode.md
+++ b/docs/GettingStartedDocs/Linux_vscode.md
@@ -2,20 +2,13 @@
 
 This document provides a brief overview of how to build and debug Open Enclave applications using VS Code on Linux.
 
-## Where to Run VS Code?
-
-There are two ways of running VS Code for development on Linux.
-1. Run VS Code directly on your Linux system, which will give you a native Linux display of VS Code.
-2. Run VS Code from any modern Windows system and use the `Remote SSH` extension in VS Code to connect to a Linux system you wish to develop on.
-  a. For more information on how to use the `Remote SSH` extension, please follow this blog post here: [https://code.visualstudio.com/blogs/2019/07/25/remote-ssh](https://code.visualstudio.com/blogs/2019/07/25/remote-ssh)
-
 ## Install VS Code
 
 The latest version of Visual Studio Code can be installed from [https://code.visualstudio.com/](https://code.visualstudio.com/)
 
 ## Install VS Code Extensions
 
-Install the following VS Code extensions. If you are using the Remote SSH, ensure they are installed remotely too by clicking  Click on an image to navigate to the Visual Studio Code Marketplace page for the extension.
+Install the following VS Code extensions. Click on an image to navigate to the Visual Studio Code Marketplace page for the extension.
 
 [![C/C++ Extension](images/VSCodeCppExtension.png)](https://marketplace.visualstudio.com/items?itemName=ms-vscode.cpptools)
 
@@ -23,12 +16,9 @@ Install the following VS Code extensions. If you are using the Remote SSH, ensur
 
 [![CMake Tools Extension](images/VSCodeCMakeToolsExtension.png)](https://marketplace.visualstudio.com/items?itemName=vector-of-bool.cmake-tools)
 
-
 ## Launch Visual Studio Code
 
-If you want to run VS Code directly on your Linux system, simply run `code MY_WORKSPACE`, replacing "MY_WORKSPACE" with the path to your development directory.
-
-If you want to run VS Code from Windows and connect to your Linux system with the `Remote SSH` extension, simply start VS Code on your Windows system, probably from the start menu. Then at the bottom left of the VS Code window, there should be a small icon that looks like a greater-then and less-than sign ![Remote SSH Icon](images/VSCodeLinuxRemoteSSHIcon.png). You should click that icon and then select in the menu bar `Remote-SSH: Connect to Host...`. You should then be able to connect using SSH to your Linux development system. You can then use VS Code from your Windows system mostly as if you were using it natively on Linux. Please refer to the blog linked above for more details!
+Launch VS Code either directly on your Linux system, or use the Remote SSH extension to connect your local VS Code instance to another system.
 
 ## Configure Your Workspace
 
@@ -52,17 +42,17 @@ cp -R /opt/openenclave/share/openenclave/samples/helloworld ~/my_helloworld
 }
 ```
 
-5. Use the shortcut `Ctrl-Shift-P` and select `CMake: Configure` and then select the kit which you want to configure with. You should probably select Clang-7*, but other options may work too.
+5. Use the shortcut `Ctrl-Shift-P` and select `CMake: Configure` and choose the kit from the drop down to use, for example, the Clang-7 kit.
 
 ![Successful CMake Configure](images/VSCodeLinuxSuccessfulCMakeConfigure.png)
 
-## Build And Run Your Open Enclave Application
+## Building and Running an Open Enclave Application
 
-Build the application by pressing Shift+F7 or typing "CMake Build a target" in the command palette, and selecting the "all META" target.
+Build the application by pressing F7 or typing "CMake Build a target" in the command palette, and selecting the "all META" target.
 
 ![Successful Build](images/VSCodeLinuxSuccessfulBuild.png)
 
-Run your application by pressing Shift+F7 or typing "CMake Build a target" in the command palette, and selecting the "run UTILITY" target.
+Run the application by pressing Shift+F7 or typing "CMake Build a target" in the command palette, and selecting the "run UTILITY" target.
 
 ![Run](images/VSCodeLinuxRunApplication.png)
 
@@ -81,13 +71,9 @@ Open settings.json under the .vscode folder and add entries for "C_Cpp.default.i
 }
 ```
 
-## Debug Your Open Enclave Application
+## Debugging an Open Enclave Application
 
-You will want to use the oegdb script provided in /opt/openenclave/bin/oegdb for the debugger, by setting the `miDebuggerPath` field to /opt/openenclave/bin/oegdb in launch.json.
-
-The rest of the fields for this configuration can be typical gdb debugging values.
-
-Here is an example of launch.json after editing it for the helloworld enclave.
+To configure VS Code for debugging an enclave app with GDB, go to the Debug tab in the side bar and select the settings cog to open this project's launch.json. Add the `miDebuggerPath` property to indicate where the `oegdb` script is installed. By default, this should be `/opt/openenclave/bin/oegdb`. The `program` and `args` properties should also be set to the location of the sample to debug, for example:
 
 ```json
 {
@@ -128,3 +114,5 @@ Step over the line that creates the enclave. The Console pane should show that t
 Open enc.c and put a breakpoint and continue execution.
 
 ![Enclave Breakpoint](images/VSCodeLinuxEnclaveBreakpoint.png)
+
+To use `oegdb` at the command line, one can select the "Debug Console" tab near the terminal pane. Then the standard gdb commands can be used, as long as they are prefixed with `-exec` first, like `-exec bt`. Please read documentation for `gdb` for further information on how to use `oegdb`: [https://sourceware.org/gdb/current/onlinedocs/gdb/](https://sourceware.org/gdb/current/onlinedocs/gdb/)
diff --git a/docs/GettingStartedDocs/Windows_vscode.md b/docs/GettingStartedDocs/Windows_vscode.md
index 09329774e4..7aaf8ecb7d 100644
--- a/docs/GettingStartedDocs/Windows_vscode.md
+++ b/docs/GettingStartedDocs/Windows_vscode.md
@@ -1,6 +1,6 @@
-# Building And Debugging Using Visual Studio Code
+# Building And Debugging Using Visual Studio Code on Windows
 
-This document provides a brief overview of how to build and debug Open Enclave applications using VS Code.
+This document provides a brief overview of how to build and debug Open Enclave applications using VS Code on Windows.
 
 ## Install VS Code
 

From 942935f1c23f705e031e8ecf50ac3cd57a191934 Mon Sep 17 00:00:00 2001
From: Xuejun Yang <xuejya@microsoft.com>
Date: Fri, 18 Oct 2019 12:41:40 -0700
Subject: [PATCH 201/420] Fix errors in Windows documentations

---
 .../Contributors/WindowsInstallInfo.md              | 13 +++++++++++--
 .../Contributors/WindowsManualInstallPrereqs.md     |  5 +++--
 .../Contributors/WindowsManualSGX1Prereqs.md        | 11 ++++++-----
 .../Contributors/WindowsSGX1FLCGettingStarted.md    |  7 ++++---
 .../Contributors/WindowsSGX1GettingStarted.md       |  5 +++--
 .../Contributors/building_oe_sdk.md                 |  2 +-
 docs/GettingStartedDocs/Windows_using_oe_sdk.md     |  2 +-
 7 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
index 95ed3119a8..15c1cc2119 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
@@ -5,8 +5,17 @@ You can locally install the SDK from the compiled Open Enclave tree by specifyin
 the install-prefix to the cmake call before calling `ninja install`.
 From the build subfolder in your source tree:
 
+For SGX1 + FLC targets:
+
+```cmd
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave
+ninja install
+```
+
+For SGX1 targets:
+
 ```cmd
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=ON
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=OFF
 ninja install
 ```
 
@@ -18,7 +27,7 @@ Please note that NUGET_PACKAGE_PATH in the above command points to the directory
 To create a redistributable NuGet package use the following command from your build subfolder:
 
 ```cmd
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages -DCPACK_GENERATOR=NuGet -DHAS_QUOTE_PROVIDER=ON
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages -DCPACK_GENERATOR=NuGet
 ninja package
 ```
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
index d67bc24a9c..2f070cc9c7 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
@@ -6,7 +6,8 @@
  Note: To check if your system has support for SGX1 with or without FLC, please look [here](../SGXSupportLevel.md).
  
 - A version of Windows OS with native support for SGX features:
-   - Windows Server 2016
+   - For server: Windows Server 2016
+   - For client: Windows 10 64-bit version 1709 or newer
    - To check your Windows version, run `winver` on the command line.
 
 ## Software prerequisites
@@ -18,7 +19,7 @@
 
 ## Prerequisites specific to SGX support on your system
 
-For systems with support for SGX1  - [Intel's PSW 2.2](WindowsManualSGX1Prereqs.md)
+For systems with support for SGX1  - [Intel's PSW 2.4, Intel Enclave Common API library](WindowsManualSGX1Prereqs.md)
 
 For systems with support for SGX1 + FLC - [Intel's PSW 2.4, Intel's Data Center Attestation Primitives and related dependencies](WindowsManualSGX1FLCDCAPPrereqs.md)
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
index 8019372ea2..8e265601e8 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
@@ -7,7 +7,7 @@ version no lower than 1709. To check your Windows version, run `winver` on the
 command line.
 
 Windows Server 2016 image for an Azure Confidential Compute VM has a Windows version
-lower than 1709, therefore you need to install PSW v2.4 or above manually.
+lower than 1709, and therefore you need to install PSW v2.4 or above manually.
 You can download [PSW v2.4](http://registrationcenter-download.intel.com/akdlm/irc_nas/15654/Intel%20SGX%20PSW%20for%20Windows%20v2.4.100.51291.exe),
 extract the zipped files, and run the executable under folder **PSW_EXE_RS2_and_before**
 to install PSW 2.4.
@@ -39,11 +39,12 @@ It does not supporting quoting, and consequentially, attestation which is based
 of quoting capability is a limitation of SGX1 machines which don't have FLC support.
 
 Firstly we download Intel SGX and DCAP library from [here](http://registrationcenter-download.intel.com/akdlm/irc_nas/15650/Intel%20SGX%20DCAP%20for%20Windows%20v1.2.100.49925.exe). Run the executable to unzip files to a specified location.
+The following summary will assume that the contents were extracted to `C:\Intel SGX DCAP for Windows v1.2.100.49925`:
 
-Make sure you have [nuget cli tool](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) installed,
-run the following command from a Windows prompt:
+Make sure you have [nuget cli tool](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) installed and in your path,
+run the following command from a command prompt:
 ```cmd
-nuget install EnclaveCommonAPI -Source C:\path\to\the\unzipped\sgx\and\dcap\files\nuget -OutputDirectory C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages  -ExcludeVersion
+nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory C:\path\to\where\you\would\like\to\install\intel_nuget_packages
 ```
 
-You can verify that the library is installed properly by checking whether `sgx_enclave_coomon.lib` exists in the folder `C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages\nuget\EnclaveCommonAPI\lib\native\x64-Release`.
+You can verify that the library is installed properly by checking whether `sgx_enclave_common.lib` exists in the folder `C:\path\to\where\you\would\like\to\install\intel_nuget_packages\nuget\EnclaveCommonAPI\lib\native\x64-Release`.
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index 361d0d7864..0288c4689b 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -7,7 +7,8 @@ Intel® X86-64bit architecture with SGX1 and Flexible Launch Control (FLC) suppo
 Note: To check if your system has support for SGX1 with FLC, please look [here](../SGXSupportLevel.md).
 
 A version of Windows OS with native support for SGX features:
-- Windows Server 2016
+- For server: Windows Server 2016
+- For client: Windows 10 64-bit version 1709 or newer
 - To check your Windows version, run `winver` on the command line.
 
 ## Install Git and Clone the Open Enclave SDK repo
@@ -69,7 +70,7 @@ To build debug enclaves:
 cd C:\openenclave
 mkdir build\x64-Debug
 cd build\x64-Debug
-cmake -G Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=ON ..\..
+cmake -G Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
 ninja
 ```
 
@@ -80,7 +81,7 @@ Similarly, to build release enclaves:
 cd C:\openenclave
 mkdir build\x64-Release
 cd build\x64-Release
-cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=ON ..\..
+cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
 ninja
 ```
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
index 43aa9bc380..698c1ba2f5 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -8,6 +8,7 @@ Note: To check if your system has support for SGX1, please look [here](../SGXSup
 
 A version of Windows OS with native support for SGX features:
 - For server: Windows Server 2016
+- For client: Windows 10 64-bit version 1709 or newer
 
 ## Install Git and Clone the Open Enclave SDK repo
 
@@ -57,7 +58,7 @@ Normally this is accessible under the `Visual Studio 2017` folder in the Start M
 cd C:\openenclave
 mkdir build\x64-Debug
 cd build\x64-Debug
-cmake -G Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
+cmake -G Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=OFF ..\..
 ninja
 ```
 
@@ -69,7 +70,7 @@ Similarly, to build release enclaves:
 cd C:\openenclave
 mkdir build\x64-Release
 cd build\x64-Release
-cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
+cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=OFF ..\..
 ninja
 ```
 
diff --git a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
index 898c77b49e..34919b8d58 100644
--- a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
+++ b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
@@ -69,7 +69,7 @@ See [Open Enclave samples](/samples/README_Linux.md) for details.
 Assuming you install the SDK as below (also described in the [basic install section](WindowsInstallInfo.md#basic-install-on-windows))
 
 ```bash
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\path\to\intel_and_dcap_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave" -DHAS_QUOTE_PROVIDER=ON
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\path\to\intel_and_dcap_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave"
 ninja install
 ```
 Open Enclave samples can be found in c:\openenclave\share\openenclave\samples
diff --git a/docs/GettingStartedDocs/Windows_using_oe_sdk.md b/docs/GettingStartedDocs/Windows_using_oe_sdk.md
index 5b250dcad0..57937032d2 100644
--- a/docs/GettingStartedDocs/Windows_using_oe_sdk.md
+++ b/docs/GettingStartedDocs/Windows_using_oe_sdk.md
@@ -40,7 +40,7 @@ what each one illustrates, and how to build and run them  can be found in
 
 Additional documentation is also available for:
 - [Building and signing enclaves](/docs/GettingStartedDocs/buildandsign.md)
-- [Debugging enclave memory](/docs/GettingStartedDocs/Debugging.md)
+- [Debugging enclave applications](/docs/GettingStartedDocs/Debugging.md)
 
 ## APIs and supported libraries
 

From f56da260cc2d344095b1604783a5ec4c2b2a08ab Mon Sep 17 00:00:00 2001
From: Xuejun Yang <xuejya@microsoft.com>
Date: Fri, 18 Oct 2019 17:13:52 -0700
Subject: [PATCH 202/420] Fix a nuget path error

---
 scripts/install-windows-prereqs.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index 6549dd1794..4893d7408a 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -592,7 +592,7 @@ function Install-DCAP-Dependencies {
     }
     if (($LaunchConfiguration -eq "SGX1FLC") -or ($LaunchConfiguration -eq "SGX1FLC-NoDriver") -or ($DCAPClientType -eq "Azure"))
     {
-        & "$PACKAGES_DIRECTORY\nuget.exe" install 'DCAP_Components' -Source "$TEMP_NUGET_DIR;nuget.org" -OutputDirectory "$OE_NUGET_DIR" -ExcludeVersion
+        & nuget.exe install 'DCAP_Components' -Source "$TEMP_NUGET_DIR;nuget.org" -OutputDirectory "$OE_NUGET_DIR" -ExcludeVersion
         if($LASTEXITCODE -ne 0) {
             Throw "Failed to install nuget DCAP_Components"
         }

From 8e09d4ab2c448deee2cb9d031ffd769c9d6db61d Mon Sep 17 00:00:00 2001
From: Sergio Wong <sergio.wong@gmail.com>
Date: Fri, 18 Oct 2019 18:23:21 +0000
Subject: [PATCH 203/420] More review updates.

---
 .../RemoteAttestationCollaterals.md           | 247 ++++++++++--------
 1 file changed, 140 insertions(+), 107 deletions(-)

diff --git a/docs/DesignDocs/RemoteAttestationCollaterals.md b/docs/DesignDocs/RemoteAttestationCollaterals.md
index 0c3f60ce9b..b83fca5386 100644
--- a/docs/DesignDocs/RemoteAttestationCollaterals.md
+++ b/docs/DesignDocs/RemoteAttestationCollaterals.md
@@ -11,8 +11,9 @@ from a second source that the verifier can use for attestation verification.
 
 Terminology
 ----------
-From Remote Attestation Procedures Architecture
-(https://www.ietf.org/id/draft-birkholz-rats-architecture-02.txt).
+From Remote Attestation Procedures Architecture (RATS)
+(https://www.ietf.org/id/draft-birkholz-rats-architecture-02.txt).  This
+a draft that is Work in Progress and subject to change.
 
 - Evidence is provable Claims about a specific Computing Environment
       made by an Attester.
@@ -69,6 +70,11 @@ It produces Attestation Results that are formatted and protected (e.g.,
 signed).  It presents Attestation Results to a Relying Party using
 a conveyance mechanism or protocol.
 
+Claims are statements about a particular subject. They consist of
+name-value pairs containing the claim name, which is a string, and
+claim value, which is arbitrary data. Example of claims could be
+[name="version", value=1] or [name="enclave_id", value=1111].
+
 #### Asserter:
 An Attestation Function that generates reference Claims
 about both the Attesting Computing Environment and the Attested
@@ -91,18 +97,27 @@ definition of the assessment context is out-of-scope).
 Motivation
 ----------
 
-Currently, the existing endorsements used for Intel SGX quote verification are not exposed to the user.  This makes it difficult for the verifier to specify his/her own set of policies.  Adding these new APIs allows the verifier to specify a validation policy of his/her choosing.  Possible policies:
+Currently, the existing endorsements used for Intel SGX quote verification are not exposed to the user.
+This makes it difficult for the verifier to specify his/her own set of policies.
+Adding these new APIs allows the verifier to specify a validation policy of his/her choosing.
+Possible policies:
 1. The verifier has the option to specify its set of endorsements during verification.
-2. The verifier has the option to provide a datetime to use during verification.  This datetime specifies the date and time at which the verifier wants to do the verification.  If no datetime is provided, the datetime when the endorsements were created is used during verification.  The verifier can provide a datetime in the past, enabling auditing of the evidence and endorsements.
+2. The verifier has the option to provide a datetime to use during verification.
+This datetime specifies the date and time at which the verifier wants to do the verification.
+If no datetime is provided, the datetime when the endorsements were created is used during verification.
+The verifier can provide a datetime in the past, enabling auditing of the evidence and endorsements.
 
 
 User Experience
 ---------------
 
-There are 2 scenarios.
+There are 2 scenarios. Note that to get the endorsements,
+currently requires a Data Center Attestation Primitives(DCAP)
+client that runs outside the enclave.
 
 ### 1. Verifier is provided with endorsements:
-In this scenario the attester/asserter provides the evidence and endorsements to the verifier.  The verifier is then free to use these to verify the TEE.
+In this scenario the attester/asserter provides the evidence and endorsements to the verifier.
+The verifier is then free to use these to verify the TEE.
 
 ##### Attester generates the evidence and endorsements (inside an enclave/TEE)
 ```C
@@ -185,7 +200,7 @@ result = oe_verify_evidence(
 Specification
 -------------
 
-### <B>Public</B> type definitions
+### Public type definitions
 Generic serializable public structure that stores the endorsements in raw binary format.
 
 `attestation.h`
@@ -193,8 +208,14 @@ Generic serializable public structure that stores the endorsements in raw binary
 /**
  * Flags passed to oe_get_evidence() function.
  */
-#define OE_EVIDENCE_FLAGS_LOCAL_ATTESTATION  0x00000000
-#define OE_EVIDENCE_FLAGS_REMOTE_ATTESTATION 0x00000001
+#define OE_EVIDENCE_FLAGS_LOCAL_ATTESTATION     0x00000000
+#define OE_EVIDENCE_FLAGS_REMOTE_ATTESTATION    0x00000001
+
+/*! Limit the size of the endorsements */
+#define OE_ATTESTATION_ENDORSEMENT_MAX_SIZE     (20 * 1024)
+
+/*! Endorsement structure version */
+#define OE_ATTESTATION_ENDORSEMENT_VERSION      (1)
 
 /*! \struct oe_endorsements_t
  *
@@ -206,70 +227,65 @@ Generic serializable public structure that stores the endorsements in raw binary
  */
 typedef struct _oe_endorsements_t
 {
-    uint32_t version;
-    uint32_t enclave_type;        ///< The type of enclave
-    uint64_t buffer_size;         ///< Size of the buffer  (oe_enclave_type_t)
-    uint32_t num_elements;
-
-    ///< Data buffer is made of an offset array of type uint32_t, followed by
-    ///< the actual data.
-    ///< This array has the size of **num_elements** and stores the offset
-    ///< into the data section.
-    ///<  _________________________
-    ///<  |  version              |
-    ///<  |-----------------------|
-    ///<  |  enclave_type         |
-    ///<  |-----------------------|
-    ///<  |  buffer_size          |
-    ///<  |-----------------------|
-    ///<  |  num_elements         |
-    ///<  |-----------------------|
-    ///<  |  offsets              |
-    ///<  |  (array of uint32_t   |
-    ///<  |  with length of       |
-    ///<  |  num_elements)        |
-    ///<  |-----------------------|
-    ///<  |  Data                 |
-    ///<  |_______________________|
-    ///<
+    uint32_t version;       ///< Version of this structure
+    uint32_t enclave_type;  ///< The type of enclave (oe_enclave_type_t)
+    uint32_t buffer_size;   ///< Size of the buffer
+    uint32_t num_elements;  ///< Number of elements stored in the data buffer
+
+    /*! Data buffer is made of an offset array of type uint32_t, followed by
+     * the actual data.
+     * This array has the size of **num_elements** and stores the offset
+     * into the data section.
+     * _________________________
+     * |  version              |
+     * |-----------------------|
+     * |  enclave_type         |
+     * |-----------------------|
+     * |  buffer_size          |
+     * |-----------------------|
+     * |  num_elements         |
+     * |-----------------------|
+     * |  offsets              |
+     * |  (array of uint32_t   |
+     * |  with length of       |
+     * |  num_elements)        |
+     * |-----------------------|
+     * |  buffer (data)        |
+     * |_______________________|
+     */
     uint8_t buffer[];              ///< Buffer of offsets + data
 
 } oe_endorsements_t;
 
+/*! Version of the supported SGX endorsement structures */
+#define OE_SGX_ENDORSEMENTS_VERSION     (1)
 
-///< Number of CRLs in the SGX endorsements
-#define OE_SGX_ENDORSEMENTS_CRL_COUNT     (2)
+/*! Number of CRLs in the SGX endorsements */
+#define OE_SGX_ENDORSEMENTS_CRL_COUNT   (2)
 
 /*! \enum oe_sgx_endorsements_fields
  *
  * Specifies the order of the SGX endorsements fields stored in
- * the oe_endorsements_t strcuture
+ * the oe_endorsements_t structure
  */
 typedef enum _oe_sgx_endorsements_fields
 {
-    OE_SGX_ENDORSEMENT_FIELD_TCB_INFO = 0,
-    OE_SGX_ENDORSEMENT_FIELD_TCB_ISSUER_CHAIN = 1,
-    OE_SGX_ENDORSEMENT_FIELD_CRL_START_INDEX = 2,
-    OE_SGX_ENDORSEMENT_FIELD_CRL_END_INDEX =
-        OE_SGX_ENDORSEMENT_FIELD_CRL_START_INDEX + OE_SGX_ENDORSEMENTS_CRL_COUNT - 1,
-
-    OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_START_INDEX =
-        OE_SGX_ENDORSEMENT_FIELD_CRL_END_INDEX + 1,
-
-    OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_END_INDEX =
-        OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_START_INDEX +
-        OE_SGX_ENDORSEMENTS_CRL_COUNT - 1,
-
-    OE_SGX_ENDORSEMENT_FIELD_QE_ID_INFO =
-        OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_END_INDEX + 1,
-
+    OE_SGX_ENDORSEMENT_FIELD_VERSION,
+    OE_SGX_ENDORSEMENT_FIELD_TCB_INFO,
+    OE_SGX_ENDORSEMENT_FIELD_TCB_ISSUER_CHAIN,
+    OE_SGX_ENDORSEMENT_FIELD_CRL_PCK_CERT,
+    OE_SGX_ENDORSEMENT_FIELD_CRL_PCK_PROC_CA,
+    OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_PCK_CERT,
+    OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_PCK_PROC_CA,
+    OE_SGX_ENDORSEMENT_FIELD_QE_ID_INFO,
     OE_SGX_ENDORSEMENT_FIELD_QE_ID_ISSUER_CHAIN,
-    OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME
+    OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME,
+    OE_SGX_ENDORSEMENT_COUNT
 
-} oe_sgx_endorsements_fields;
+} oe_sgx_endorsements_fields;;
 ```
 
-### <B>Private</B> SGX endorsement definitions
+### Private SGX endorsement definitions
 
 `common/sgx/evidence.h`
 ```C
@@ -286,60 +302,69 @@ typedef enum _oe_sgx_endorsements_fields
  *
  * For Azure DCAP Client
  * (https://github.com/microsoft/Azure-DCAP-Client/blob/master/src/dcap_provider.h)
- * see **sgx_ql_revocation_info_t** and sgx_qe_identity_info_t.
+ * see **sgx_ql_revocation_info_t** and **sgx_qe_identity_info_t**.
  *
  * For Intel DCAP Client
  * (https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/README.md)
- * see TBD.
+ * see **sgx_ql_qv_collateral_t**.
  *
  */
 typedef struct _oe_sgx_endorsements_t
 {
-    uint8_t* tcb_info;                      ///< TCB info, null-terminated JSON string
-    uint32_t tcb_info_size;                 ///< TCB Info size
-    uint8_t* tcb_issuer_chain;              ///< PEM format, null-terminated string
-    uint32_t tcb_issuer_chain_size;         ///< Size of the tcb_issuer_chain
-
-    ///< CRLs in DER format, null-terminated
-    ///<     crl[0] = CRL for the SGX PCK Certificate
-    ///<     crl[1] = CRL for the SGX PCK Processor CA
-    uint8_t* crl[OE_SGX_ENDORSEMENTS_CRL_COUNT];
-
-    ///< CRLs sizes
-    uint32_t crl_size[OE_SGX_ENDORSEMENTS_CRL_COUNT];
-
-    ///< PEM format, null-terminated string
-    uint8_t* crl_issuer_chain[OE_SGX_ENDORSEMENTS_CRL_COUNT];
-
-    ///< Size of each crl_issuer_chain
-    uint32_t crl_issuer_chain_size[OE_SGX_ENDORSEMENTS_CRL_COUNT];
+    /*!
+     *  OE_SGX_ENDORSEMENT_FIELD_VERSION
+     *     Version of this SGX endorsement structure
+     *  OE_SGX_ENDORSEMENT_FIELD_TCB_INFO
+     *     TCB info, null-terminated JSON string
+     *     TCB Info size
+     *  OE_SGX_ENDORSEMENT_FIELD_TCB_ISSUER_CHAIN
+     *     PEM format, null-terminated string
+     *     Size of the tcb_issuer_chain
+     *
+     *  OE_SGX_ENDORSEMENT_FIELD_CRL_PCK_CERT to
+     *     OE_SGX_ENDORSEMENT_FIELD_CRL_PCK_PROC_CA
+     *  CRLs in DER format, null-terminated
+     *      crl[0] = CRL for the SGX PCK Certificate
+     *      crl[1] = CRL for the SGX PCK Processor CA
+     *
+     *  OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_PCK_CERT to
+     *     OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_PCK_PROC_CA
+     *  CRLs issuer chains in PEM format, null-terminated string
+     *      crl[0] = Issuer Chain for the SGX PCK Certificate
+     *      crl[1] = CRL for the SGX PCK Processor CA
+     *
+     *  OE_SGX_ENDORSEMENT_FIELD_QE_ID_INFO
+     *     QE Identity info, null-terminated JSON string
+     *     QE Identity size
+     *  OE_SGX_ENDORSEMENT_FIELD_QE_ID_ISSUER_CHAIN
+     *     PEM format, null-terminated string
+     *     Size of qe_id_issuer_chain
+     *
+     *  OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME
+     *     Time the endorsements were generated, null-terminated string
+     *     The size of creation_datetime.
+     */
+    oe_sgx_endorsement_item items[OE_SGX_ENDORSEMENT_COUNT];
 
-    uint8_t* qe_id_info;                    ///< QE Identity info, null-terminated JSON string
-    uint32_t qe_id_info_size;               ///< QE Identity size
-    uint8_t* qe_id_issuer_chain;            ///< PEM format, null-terminated string
-    uint32_t qe_id_issuer_chain_size;       ///< Size of qe_id_issuer_chain
+} oe_sgx_endorsements_t;
 
-    uint8_t* creation_datetime;             ///< Time the endorsements were generated,
-                                            ///< null-terminated string
-    uint32_t create_datetime_size;          ///< The size of creation_datetime.
 
-} oe_sgx_endorsements_t;
 ```
 
-### New <B>Public</B> Attestation functions
+### New Public Attestation functions
 
 These functions supersede the existing functions:
-1. `oe_get_evidence()` supersedes `oe_verify_report()`
+1. `oe_get_evidence()` supersedes `oe_get_report()`
 2. `oe_verify_evidence()` supersedes `oe_verify_report()`
 
-These functions will use plug-in attestation framework.  For more information please
-see the design document `CustomAttestation.md`.  In short, the actual implementation
+Users should start using these new functions.  `oe_get_report()` and `oe_verify_report()`
+are deprecated and will be removed in future releases.
+
+These functions will sit on top of the plug-in attestation framework.  For more information please
+see the [attestation plug-in design doc](CustomAttestation.md).  In short, the actual implementation
 of these functions will depend on which plug-in is registered.  By default there will
 be a built-in SGX plug-in.
 
-For more information on the parameters `custom_claims`, `claims` or `opt_params`
-please see design document `CustomAttestation.md`.
-
 `common/sgx/attestation.c`
 ```C
 /**
@@ -349,7 +374,11 @@ please see design document `CustomAttestation.md`.
  * This function returns the evidence and endorsements used in **local** or
  * **remote** attestation.
  *
- * This function can only be called from a TEE/enclave.
+ * For remote attesattion:
+ *  - This function can only be called from a TEE/enclave.
+ *
+ * For local attestation:
+ *  - This function can be called from the TEE/enclave or the untrusted host.
  *
  * @param[in] flags Specifying default value (0) generates evidence for local
  * attestation. Specifying OE_EVIDENCE_FLAGS_REMOTE_ATTESTATION generates
@@ -425,25 +454,29 @@ oe_result_t oe_verify_evidence(
     size_t* claims_size);
 ```
 
-### OE Host Verify Library
+### Claims
+As part of the claims form `oe_verify_evidence()`, there will be a validity
+datetime range, `validity_from` and `validity_until` claims that applies to the evidence and endorsements.
 
-The OE Host Verify library is a standalone library used for verifying remote reports outside
-the TEE/enclave. The function `oe_verfiy_remote_report()` will be deprecated and should use the
-upcoming plug-in mode to do verification.
+Current set of claims definitions:
 
+| Claim Name       | Claim Value Type   | Description                                                          |
+|:-----------------|:-------------------|:---------------------------------------------------------------------|
+| id_version       | uint32_t           | Claims version. Must be 0                                            |
+| security_version | uint32_t           | Security version of the enclave. (ISVN for SGX).                     |
+| attributes       | uint64_t           | Attributes flags for the evidence: <br/> `OE_REPORT_ATTRIBUTES_DEBUG`: The evidence is for a debug enclave.<br/> `OE_REPORT_ATTRIBUTES_REMOTE`: The evidence can be used for remote attestation.   |
+| unique_id        | uint8_t[32]        | The unique ID for the enclave (MRENCLAVE for SGX).                   |
+| signer_id        | uint8_t[32]        | The signer ID for the enclave (MRSIGNER for SGX).                    |
+| product_id       | uint8_t[32]        | The product ID for the enclave (ISVPRODID for SGX).                  |
+| validity_from    | oe_datetime_t      | Overall datetime from which the evidence and endorsements are valid. |
+| validity_until   | oe_datetime_t      | Overall datetime at which the evidence and endorsements expire.      |
 
-Alternates
-----------
 
-### Endorsement structure:
-- Multiple serializable structures were considered.  At the end the final design
-made sense given that it is generic and support serialization.  We considered
-supporting multiple flavors of the structure, a binary format and another for supporting
-user defined endorsements.  But we ended up deciding to have the user build the binary
-structure instead, to avoid complexity.
+### OE Host Verify Library
 
-### APIs:
-- To reduce complexity, `oe_get_evidence()` is only available in the enclave.
+The OE Host Verify library is a standalone library used for verifying remote reports outside
+the TEE/enclave. The function `oe_verfiy_remote_report()` will be updated to support
+endorsements.
 
 Authors
 -------

From a3847a48895baa9e584702eda02e6cd8498c696c Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Mon, 21 Oct 2019 12:24:49 -0700
Subject: [PATCH 204/420] Add playbook for OP-TEE.

---
 scripts/ansible/oe-contributors-setup-cross-arm.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 scripts/ansible/oe-contributors-setup-cross-arm.yml

diff --git a/scripts/ansible/oe-contributors-setup-cross-arm.yml b/scripts/ansible/oe-contributors-setup-cross-arm.yml
new file mode 100644
index 0000000000..dd3967ae41
--- /dev/null
+++ b/scripts/ansible/oe-contributors-setup-cross-arm.yml
@@ -0,0 +1,11 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+---
+- hosts: localhost
+  any_errors_fatal: true
+  become: yes
+  tasks:
+    - import_role:
+        name: linux/openenclave
+        tasks_from: environment-setup-cross-arm.yml

From dc3291bef2bcde81563d3f71908da3051de00b9e Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Mon, 21 Oct 2019 12:49:09 -0700
Subject: [PATCH 205/420] Initial pass at doc updates for OP-TEE OS.

* Includes overview of OP-TEE OS support;
* Steps for building the SDK;
* Steps for debugging emulated.
---
 README.md                                     |  23 +-
 .../Contributors/OPTEEGettingStarted.md       |  69 +++
 .../OP-TEE/Debugging/QEMU.md                  | 412 ++++++++++++++++++
 .../OP-TEE/Hardware/ScalysTrustBox.md         |   1 +
 .../GettingStartedDocs/OP-TEE/Introduction.md | 115 +++++
 5 files changed, 616 insertions(+), 4 deletions(-)
 create mode 100644 docs/GettingStartedDocs/Contributors/OPTEEGettingStarted.md
 create mode 100644 docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
 create mode 100644 docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
 create mode 100644 docs/GettingStartedDocs/OP-TEE/Introduction.md

diff --git a/README.md b/README.md
index c78d6c5cd5..31e13f8398 100644
--- a/README.md
+++ b/README.md
@@ -17,14 +17,17 @@ which is usually secured by hardware, for example,
 [Intel Software Guard Extensions (SGX)](https://software.intel.com/en-us/sgx).
 
 This SDK aims to generalize the development of enclave applications across TEEs
-from different hardware vendors. While the current implementation is focused on
-Intel SGX, support for ARM TrustZone is already under development. As an open
-source project, this SDK also strives to provide a transparent solution that is
-agnostic to specific vendors, service providers and choice of operating systems.
+from different hardware vendors. The current implementation provides support for
+Intel SGX as well as preview support for OP-TEE OS on ARM TrustZone. As an
+open source project, this SDK also strives to provide a transparent solution
+that is agnostic to specific vendors, service providers and choice of operating
+systems.
 
 Getting Started
 ---------------
 
+### Intel SGX
+
 If you would like to start developing apps with the preview Open Enclave SDK
 release, start here for instructions to install and use the SDK package:
 
@@ -40,6 +43,18 @@ capable hardware, see
 If you would like to modify and build the Open Enclave SDK from sources, refer
 to the documents for [getting started](docs/GettingStartedDocs/Contributors/building_oe_sdk.md).
 
+### OP-TEE OS (ARM TrustZone)
+
+The Open Enclave SDK provides preview support for the Open Portable TEE OS (OP-
+TEE). OP-TEE is an operating system for TEE's that implement a traditional
+kernel-mode and user-mode execution environment. It runs on A-profile ARM
+systems that support ARM TrustZone. As a result, the Open Enclave SDK can be
+leveraged to target these systems as well.
+
+For an overview of the SDK's support for OP-TEE OS as well as links to getting
+started guides, see
+[Open Enclave SDK for OP-TEE OS](docs/GettingStartedDocs/OP-TEE/Introduction.md).
+
 Contributing
 ------------
 
diff --git a/docs/GettingStartedDocs/Contributors/OPTEEGettingStarted.md b/docs/GettingStartedDocs/Contributors/OPTEEGettingStarted.md
new file mode 100644
index 0000000000..b67f586c83
--- /dev/null
+++ b/docs/GettingStartedDocs/Contributors/OPTEEGettingStarted.md
@@ -0,0 +1,69 @@
+# Getting Started with Open Enclave for OP-TEE OS
+
+The Open Enclave SDK as well as hosts and enclaves build via cross-compilation.
+Therefore, an ARM system, physical or emulated, is necessary only for execution,
+but not for development and building.
+
+## Platform Requirements
+
+- Ubuntu 16.04 LTS (64-bit) or 18.04 LTS (64-bit)
+
+## Clone the Open Enclave SDK
+
+```bash
+git clone --recursive https://github.com/openenclave/openenclave.git
+```
+
+## Install Build Requirements
+
+Installing the build-time requirements is done via Ansible. The following
+command listing shows how to install Ansible, then how to run the Ansible
+Playbook that installs the requirements.
+
+```bash
+cd openenclave
+
+sudo scripts/ansible/install-ansible.sh
+sudo ansible-playbook scripts/ansible/oe-contributors-setup-cross-arm.yml
+```
+
+## Build the Open Enclave SDK
+
+Given that each ARM board is different, OP-TEE OS may be configured and built
+accordingly. This means that a build of OP-TEE OS for one board is most likely
+not compatible with a build of the exact same code for a different board. During
+OP-TEE OS' build process, a so-called "Dev Kit" is generated. This kit contains
+a number of headers, libraries and configuration files that describe the
+settings that were used to build OP-TEE OS for a given board. The Open Enclave
+SDK's build process consumes this Dev Kit to in turn configure and link the
+components that it leverages to support OP-TEE OS. As a result, it is highly
+recommended that you build the SDK from source for each target board so as to
+minimize the chance of a configuration mismatch, which, while minimal at the
+level of abstraction that the SDK operates at, may nevertheless occur.
+
+Assuming that you have a Dev Kit from an OP-TEE OS build, compiling the SDK is
+simple:
+
+```bash
+mkdir build
+cd build
+
+cmake ../sdk \
+    -G Ninja \
+	-DHAS_QUOTE_PROVIDER=OFF \
+	-DCMAKE_TOOLCHAIN_FILE=../sdk/cmake/arm-cross.cmake \
+	-DOE_TA_DEV_KIT_DIR=/path/to/dev/kit/export-ta_arm64 \
+	-DCMAKE_BUILD_TYPE=Debug
+ninja
+```
+
+The build results in ARM64 binaries.
+
+Refer to the list of
+[supported platforms](../OP-TEE/Introduction.md#supported-platforms)
+for details on building the SDK for a specific target.
+
+## Remarks
+
+Automatically running unit tests or installing the SDK's build output is not yet
+supported when compiling it for OP-TEE OS.
diff --git a/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
new file mode 100644
index 0000000000..e20fee488f
--- /dev/null
+++ b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
@@ -0,0 +1,412 @@
+# Debugging Enclaves on OP-TEE OS with QEMU
+
+[QEMU](https://www.qemu.org/) is a system emulator that can run ARM TrustZone
+enclaves on an x86/64 machine as though they were running on TrustZone-capable
+hardware. QEMU provides an emulated environment whose behavior matches real ARM
+TrustZone-capable hardware without requiring any: secure memory access
+violations, alignment errors, and the like, can be caught using QEMU.
+
+In this guide, you will learn how to retrieve and build a QEMU environment for
+debugging enclaves on ARM TrustZone. Then, you will see how to build the Open
+Enclave SDK samples and run them in the emulated environment. Lastly, you will
+learn how to set up and use GDB for source-level debugging of the sample
+enclaves that ship with this SDK.
+
+This guide is loosely based on [OP-TEE's own Build and Debug
+Guide](https://github.com/OP-TEE/build#op-tee-buildgit) with some modifications
+to render it more pertinent to this SDK.
+
+## Prerequisites
+
+This guide presumes you have a Ubuntu 18.04 LTS environment available. You may
+install Ubuntu on bare metal or in a virtual machine using your preferred
+hypervisor. Some commands launch GUIs, so a graphical environment is necessary.
+
+**Note:** To use this guide with the Windows Subsystem for Linux (WSL), read
+through [Debugging Enclaves on OP-TEE OS with QEMU ON WSL](ta_debugging_wsl.md)
+first.
+
+## Required Packages
+
+The following command installs all the packages necessary on Ubuntu 18.04 LTS:
+
+```
+sudo apt update && sudo apt install -y android-tools-adb android-tools-fastboot
+    autoconf automake bc bison build-essential ccache cgdb cscope curl
+    device-tree-compiler expect flex ftp-upload gdb-multiarch gdisk iasl
+    libattr1-dev libc6 libcap-dev libfdt-dev libftdi-dev libglib2.0-dev
+    libhidapi-dev libncurses5-dev libpixman-1-dev libssl-dev libstdc++6 libtool
+    libz1 make mtools netcat python-crypto python-pyelftools python-serial
+    python-wand python3-pyelftools repo unzip uuid-dev xdg-utils xterm xz-utils
+    zlib1g-dev
+```
+
+## Directory Structure
+
+The instructions in this guide assume that:
+
+* You have three terminals open;
+* The current working directory on all three is your home directory to start
+  with.
+
+The terminals are referred to as `TERM 1`, `TERM 2` and `TERM 3`, respectively.
+At the top of each command, the terminal to run them in is listed, unless
+otherwise specified.
+
+All work will be done in:
+
+```
+[ TERMS 1 & 2 & 3 ]
+
+mkdir openenclave_qemu
+cd openenclave_qemu
+```
+
+This is so that you may be able to easily run the commands listed here,
+especially the ones that must be run inside the emulator.
+
+# Getting Started
+
+The runtime environment inside a QEMU virtual machine has the same software
+requirements as real hardware. As such, firmware and a filesystem from which to
+boot must be generated. This section shows you how to retrieve all the software
+components required, how to build them, and how to run them in QEMU.
+
+## Sources
+
+The `repo` utility can manipulate multiple Git repositories as though they were
+one. The following commands instruct `repo` to clone all the repositories that
+are required to build a QEMU-based debugging environment:
+
+```
+[ TERM 1 ]
+
+mkdir emulation
+cd emulation
+
+repo init -u https://github.com/ms-iot/optee_manifest -m oe_qemu_v8.xml -b oe-3.6.0
+repo sync
+```
+
+`repo sync` takes some time, seeing as it clones the Linux kernel, among other
+things. To clone multiple repositories in parallel, add the `-j` switch to the
+`repo sync` command in the same way you would an invocation of `make`.
+
+## Building
+
+To create and launch a debugging environment all you need is `make`. Depending
+on your machine, this may take upward of an hour the first time; subsequent runs
+only take a few seconds, plus compiling anything that you may have changed:
+
+```
+[ TERM 1 ]
+
+cd build
+
+make toolchains -j2
+make run -j$(nproc)
+```
+
+**Note**: `make toolchains` need only be called once, and since it downloads two
+files, the `-j2` is already included.
+
+Once this command is complete, it launches QEMU inside the same terminal as
+where you executed `make run` along with two XTerm windows. In the terminal, you
+can control QEMU via its monitor interface. For example, typing `c <Enter>`
+resumes execution and `q <Enter>` quits QEMU.
+
+The two XTerm windows are connected to one emulated serial port each: one shows
+output from the Normal World (the REE, or untrusted side) and the other shows
+output from the Secure World (the TEE, or trusted side). The Normal World XTerm
+window allows you to interact with the emulated Linux environment through a
+BusyBox shell.
+
+By default, the emulated processor is halted when QEMU starts. To ensure that
+the build is sane, resume execution by issuing the `c <Enter>` command in the
+QEMU monitor (`c` is short for "continue").
+
+In the Secure World XTerm window you should see OP-TEE's initialization output.
+In the Normal World XTerm window you should see Linux boot. Try logging into
+Linux in the Normal World XTerm window once it is done booting (see the output
+in XTerm on how to log in).
+
+## Emulator Setup
+
+To debug enclaves on ARM TrustZone, you must build host applications and
+enclaves. Then, you must copy your enclaves into it.
+
+### Building Hosts & Enclaves
+
+```
+[ TERM 2 ]
+
+git clone --recursive https://github.com/openenclave/openenclave.git sdk
+
+cd sdk
+
+sudo scripts/ansible/install-ansible.sh
+sudo ansible-playbook scripts/ansible/oe-contributors-setup-cross-arm.yml
+
+cd ..
+
+mkdir build
+cd build
+
+cmake ../sdk \
+    -G Ninja \
+	-DHAS_QUOTE_PROVIDER=OFF \
+	-DCMAKE_TOOLCHAIN_FILE=../sdk/cmake/arm-cross.cmake \
+	-DOE_TA_DEV_KIT_DIR=$PWD/../emulation/optee_os/out/arm/export-ta_arm64 \
+	-DCMAKE_BUILD_TYPE=Debug
+ninja
+
+cd ..
+```
+
+For more information regarding these steps, see the [Getting Started with Open
+Enclave for OP-TEE OS](../../../GettingStartedDocs/Contributors/OPTEEGettingStarted.md).
+
+### Copying Enclaves
+
+To debug enclaves on OP-TEE OS, the enclave binaries must be present inside the
+emulator. A simple way to achieve this is using QEMU's built-in host-guest file
+sharing capabilities.
+
+By default, `make run` instructs QEMU to share your home directory read-only
+into the emulated guest. Once the guest boots and you have logged in via the
+Normal World XTerm window, type:
+
+```
+mkdir /mnt/home
+mount -t 9p -o trans=virtio sh0 /mnt/home -oversion=9p2000.L
+
+cd /mnt/home
+```
+
+`sh0` is the name of the share as specified in QEMU's command line by `make
+run`.
+
+For example, if you were trying to debug the SDK's test suite, you would do the
+following on the Normal World XTerm window:
+
+```
+export OE_SIMULATION=1
+
+cp openenclave_qemu/build/tests/hexdump/enc/126830b9-eb9f-412a-89a7-bcc8a517c12e.ta /lib/optee_armtz
+openenclave_qemu/build/tests/hexdump/host/hexdump_host 126830b9-eb9f-412a-89a7-bcc8a517c12e
+```
+
+Notice how it is not necessary to copy the host application into the emulator,
+it can run directly from the share. The enclave, however, must be inside.
+
+**Note**: QEMU environments built with this tooling automatically start
+`tee-supplicant` on boot, unlike on some platforms where it might be necessary
+to start it manually.
+
+# Debugging
+
+QEMU exposes a GDB server on `localhost:1234` with system-wide visibility into
+the emulated environment. After starting QEMU with `make run`, start the
+architecture-aware version of GDB.
+
+```
+[ TERM 2 ]
+
+gdb-multiarch
+
+target remote localhost:1234
+symbol-file ./build/tests/hexdump/host/hexdump_host
+
+b main
+c
+```
+
+This command sequence connects GDB to QEMU, loads the symbols from
+`oetests_host`, sets a breakpoint on the `main` function and resumes execution.
+If you then run `oetests_host` inside the emulator, it will break on `main`.
+
+**Note:** Breakpoints on the host will not be hit if the latter is built as a
+position-independent executable, which hosts are by default. This is because GDB
+places breakpoints at virtual address offsets from the load address of the
+executable. However, a position-independent executable may be loaded anywhere
+within its virtual address space. It is possible to modify the host to print its
+load address on each start, then line up the symbols with GDB correctly. For
+debugging purposes, consider turning position-independent code generation off
+temporarily.
+
+## Loading Enclave Symbols
+
+Instructing GDB to load symbols for an enclave requires some work the first
+time.
+
+After launching QEMU, copying the sample enclave into it and launching the
+corresponding host application, OP-TEE prints lines similar to the following in
+the Secure World XTerm window:
+
+```
+D/TC:? 0 system_open_ta_binary:286 Lookup user TA ELF 126830b9-eb9f-412a-89a7-bcc8a517c12e (Secure Storage TA)
+D/TC:? 0 system_open_ta_binary:289 res=0xffff0008
+D/TC:? 0 system_open_ta_binary:286 Lookup user TA ELF 126830b9-eb9f-412a-89a7-bcc8a517c12e (REE [buffered])
+D/TC:? 0 system_open_ta_binary:289 res=0x0
+D/LD:  ldelf:150 ELF (126830b9-eb9f-412a-89a7-bcc8a517c12e) at 0x40010000
+```
+
+The fifth line indicates where in secure virtual memory OP-TEE has loaded the
+TA. In this case it's `0x40010000`. This value should remain the same throughout
+repeated runs as well as across reboots of the emulator. Note this value.
+
+Due to how OP-TEE loads enclaves, you must manually line up the symbols in the
+ELF file produced for enclaves with how the code is laid out in memory:
+
+```
+[ TERM 3 ]
+
+cd $HOME/openenclave_qemu
+
+./emulation/toolchains/aarch64/bin/aarch64-linux-gnu-objdump -x \
+    ./build/tests/hexdump/enc/126830b9-eb9f-412a-89a7-bcc8a517c12e.elf | less
+```
+
+In the `Sections` table, you will see output like this:
+
+```
+Sections:
+Idx Name          Size      VMA               LMA               File off  Algn
+  0 .ta_head      00000020  0000000000000000  0000000000000000  00001000  2**12
+                  CONTENTS, ALLOC, LOAD, READONLY, DATA
+  1 .text         0007d9a8  0000000000000020  0000000000000020  00001020  2**3
+                  CONTENTS, ALLOC, LOAD, READONLY, CODE
+  2 .eh_frame     0000bcd0  000000000007d9c8  000000000007d9c8  0007e9c8  2**3
+                  CONTENTS, ALLOC, LOAD, READONLY, DATA
+  3 .rodata       00009cb5  00000000000896a0  00000000000896a0  0008a6a0  2**4
+                  CONTENTS, ALLOC, LOAD, READONLY, DATA
+```
+
+Take note of the `LMA` (Load Memory Address) of the `.text` section.
+
+Add the value you noted before from OP-TEE's output to the value of `LMA` for
+the `.text` section. In this case:
+
+```
+0x40010000 + 0x20 = 0x40010020
+```
+
+Switch back to `TERM 2` where GDB is running and type:
+
+```
+<CTRL-c>
+add-symbol-file ./build/tests/hexdump/enc/126830b9-eb9f-412a-89a7-bcc8a517c12e.elf 0x40010020
+```
+
+From this point forward, even if you rebuild enclaves, the load address for the
+symbols should remain the same, so you do not need to go through of all this
+every time you want to debug. Just execute the `add-symbol-file` command in GDB.
+However, should your breakpoints stop being hit, do verify that these addresses
+have not changed, especially after a `git pull` and a rebuild.
+
+There is a known issue, either in GDB or QEMU, where once OP-TEE and Linux have
+fully booted up, it is not possible to place breakpoints inside enclaves. To
+work around this, switch to `TERM 1` where QEMU is running and type:
+
+```
+system_reset
+```
+
+On `TERM 2` where GDB is running:
+
+```
+b test
+c
+```
+
+When you run the `hexdump_host` host application and the ECALL is performed,
+there will be two breaks (assuming the host was built with position-independent
+code off):
+
+* One in the host application just prior to the transition into the enclave,
+and;
+* One in the enclave at the ECALL.
+
+This duplication is due to the fact that there exist functions with the same
+name in the host application and in the enclave.
+
+**Note**: Resetting QEMU means that emulator state is cleared, hence you must
+repeat the steps of mounting your home directory inside the emulator and copying
+the TA to `/lib/optee_armtz`. Any breakpoints you set in GDB, however, persist
+across `system_reset`.
+
+## Source-Level Debugging
+
+GDB by default offers a command-line interface. To see source code, registers,
+and more, you can use any GUI that can use GDB as a back-end. Some of these are:
+
+* GDB in TUI mode
+* CGDB
+* Visual Studio
+* Eclipse
+* DDD
+
+This guide shows you how to use the first two. Instructions on how to set up
+Visual Studio are coming soon.
+
+### GDB TUI
+
+GDB's Text User Interface, or TUI, can be accessed from within the GDB
+command-line interface. Once GDB is started and you are at the GDB command
+prompt:
+
+```
+[ TERM 2 ]
+
+<CTRL-x> a
+```
+
+This splits the GDB window in two horizontal panes: the top one shows source
+code and the bottom one hosts the usual GDB command-line interface.
+
+You can switch between different layouts using the `layout <name>` command,
+where `<name>` can be any of:
+
+* `asm`
+* `regs`
+* `src`
+* `split`
+
+You can also use `layout next` to cycle through all available layouts.
+
+GDB is a powerful debugger with great documentation available
+[here](https://sourceware.org/gdb/current/onlinedocs/gdb/).
+
+### CGDB
+
+CGDB is a terminal utility that wraps GDB and provides syntax highlighting as
+well as a simpler way to browse through source code.
+
+When started without arguments, CGDB uses the default GDB debugger on the
+system. However, to debug an ARM or AARCH64 target from an x86/64 host, CGDB
+must be told to use the same version of GDB used above. To start CGDB specifying
+a particular version of GDB, issue the following command from a terminal:
+
+```
+cgdb -d gdb-multiarch
+```
+
+CGDB looks like the first layout in the GDB TUI, but with colors by default.
+Unlike the GDB TUI, however, you may switch focus from the bottom pane to the
+top pane with the `ESC` key. To move back, press the `i` key. When the top pane
+is in focus, you can navigate through source code using Vim-style commands. The
+GDB command-line pane behaves in the same way as the regular GDB command-line
+interface.
+
+CGDB sports a wide array of commands, be sure to read through its
+[documentation](https://cgdb.github.io/docs/cgdb.html).
+
+**Note:** CGDB does not currently support multiple layouts and issuing the
+`layout` command corrupts the screen. The only split available is source + GDB
+command-line.
+
+Finally, to exit GDB, or CGDB:
+
+```
+q <Enter>
+```
diff --git a/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md b/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
new file mode 100644
index 0000000000..a0990367ef
--- /dev/null
+++ b/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
@@ -0,0 +1 @@
+TBD
diff --git a/docs/GettingStartedDocs/OP-TEE/Introduction.md b/docs/GettingStartedDocs/OP-TEE/Introduction.md
new file mode 100644
index 0000000000..198fa608e4
--- /dev/null
+++ b/docs/GettingStartedDocs/OP-TEE/Introduction.md
@@ -0,0 +1,115 @@
+# Open Enclave SDK for OP-TEE OS
+
+Each Trusted Execution Environment (TEE) implementation provides a different
+model with respect to the interaction between hosts and enclaves, as well as
+regarding the runtime behavior of the two. The TEE implemented by ARM TrustZone
+splits the system into a secure and a non-secure mode, where each keep their
+user-mode/kernel-mode partition. Hence, an enclave that leverages ARM TrustZone
+executes in secure user-mode whereas its host executes in non-secure user-mode:
+
+```
+            |=============================================|
+            |   Non-Secure Mode    |     Secure Mode      |
+            |=============================================|
+            |                      |                      |
+            |      Host #1         |  Enclave #1          |
+            |                      |                      |
+   User     |         Host #2      |          Enclave #2  |
+   Mode     |                      |                      |
+            |---------------------------------------------|
+  Kernel    |                      |                      |
+   Mode     |         Linux        |      OP-TEE OS       |
+            |                      |                      |
+            |=============================================|
+```
+
+While Linux operates in the usual way in non-secure kernel-mode, OP-TEE OS
+fulfills the role of kernel in secure mode.
+
+OP-TEE OS provides a low-level communication mechanism to Linux based on the ARM
+Secure Monitor Call (`smc`) instruction. In turn, Linux incorporates an OP-TEE
+driver that enables Linux to talk to OP-TEE. This driver plugs into a generic
+TEE driver, which exposes its capabilities to user-mode. There, a library known
+as the OP-TEE Client (`libteec`) may be leveraged by non-secure user-mode hosts
+to load, communicate with, and terminate enclaves.
+
+Likewise, OP-TEE OS provides a number of system calls to secure user-mode. A
+library is in turn provided (`libutee`) that enclaves can use to call into these
+system services.
+
+The Open Enclave SDK for OP-TEE OS effectively implements the SDK's API's and
+behaviors atop those exposed by OP-TEE OS both to non-secure user-mode as well
+as atop those exposed to secure user-mode.
+
+## Supported Features
+
+The SDK currently provides preview support for the following features on OP-TEE
+OS:
+
+1. Building Hosts & Enclaves
+   1. Linux Hosts
+   2. ARM64 Enclaves
+2. Loading Enclaves
+3. C/C++
+4. Enclave Calls (ECALLs)
+5. Out Calls (OCALLs)
+6. Terminating Enclaves
+
+**Note:** C++ exceptions are not yet fully supported.
+
+## Note on Forks
+
+While the SDK's support for Intel SGX is fairly self-contained, support for
+OP-TEE OS mandates interactions among several components that exist outside the
+purview of Open Enclave.
+
+Currently, the SDK works atop forks of the following projects:
+
+1. Linux
+   1. The TEE and OP-TEE drivers have been modified.
+   2. [Fork](https://github.com/ms-iot/linux/tree/ms-iot-openenclave-3.6.0)
+2. OP-TEE OS
+   1. The OS was augmented to support OCALLs.
+   2. [Fork](https://github.com/ms-iot/optee_os/tree/ms-iot-openenclave-3.6.0)
+3. OP-TEE Client
+   1. The library was provided with the ability to handle OCALL requests.
+   2. [Fork](https://github.com/ms-iot/optee_client/tree/ms-iot-openenclave-3.6.0)
+
+The changes to these are in the process of being upstreamed. For the moment, to
+leverage the SDK's support for OP-TEE OS, be it on hardware or on an emulator,
+Open Enclave's forks of these projects must be used.
+
+See the list of supported platforms below for instructions on how to use these
+forks.
+
+## Binary Packages
+
+The Open Enclave SDK for Intel SGX may be installed on Linux and Windows systems
+via binary packages. For the moment, there is no support for these for OP-TEE
+OS. As a result, building hosts and enclaves for OP-TEE OS with the SDK requires
+building the SDK from source.
+
+To do so, follow the instructions
+[here](../Contributors/OPTEEGettingStarted.md).
+
+## Debugging
+
+OP-TEE OS does not provide any debugging facilities. Hence, it is not possible
+to debug enclaves using a software debugger once these have been deployed to
+hardware. However, it is possible to debug enclaves prior to deployment using
+hardware emulation; for details, see the next section. Additionally, for boards
+that support it, it is possible to debug enclaves with a JTAG debugger.
+
+## Supported Platforms
+
+The Open Enclave SDK currently provides preview support for the following
+platforms:
+
+- Hardware
+   1. Scalys TrustBox
+      - [Website](https://scalys.com/trustbox-industrial)
+      - [Getting Started Guide](Hardware/ScalysTrustBox.md)
+- Emulation
+   1. The Quick EMUlator (QEMU)
+      - [Website](https://www.qemu.org)
+      - [Getting Started Guide](Debugging/QEMU.md)

From 31e9614efccc7cbb20ada8d126db4cee9436e294 Mon Sep 17 00:00:00 2001
From: brmclare <brmclare@microsoft.com>
Date: Mon, 21 Oct 2019 22:07:40 +0000
Subject: [PATCH 206/420] Remove FOOBARBAZ comment

---
 cmake/copy_oedebugrt_target.cmake | 1 -
 1 file changed, 1 deletion(-)

diff --git a/cmake/copy_oedebugrt_target.cmake b/cmake/copy_oedebugrt_target.cmake
index 109f46b151..de83bc13b2 100644
--- a/cmake/copy_oedebugrt_target.cmake
+++ b/cmake/copy_oedebugrt_target.cmake
@@ -20,7 +20,6 @@ function(copy_oedebugrt_target TARGET_NAME)
     add_custom_command(
         OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/oedebugrt.dll
         DEPENDS ${OEDEBUGRTLOCATION}
-        COMMENT FOOBARBAZ
         COMMAND ${CMAKE_COMMAND} -E copy ${OEDEBUGRTLOCATION} ${CMAKE_CURRENT_BINARY_DIR})
 
 

From 67a5e4d025cf88d61a87812ac7d649bfb1e2338c Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Mon, 21 Oct 2019 22:15:58 -0700
Subject: [PATCH 207/420] Add instructions for using Nuget package

Add instructions for installing OE nuget package

Fix up assumptions around DCAP Package paths

Fix up some typos

Fix punctuation
---
 .../Contributors/WindowsInstallInfo.md        |  6 +-
 .../WindowsManualSGX1FLCDCAPPrereqs.md        | 12 +--
 .../Contributors/WindowsManualSGX1Prereqs.md  |  6 +-
 .../WindowsSGX1FLCGettingStarted.md           | 12 +--
 .../install_oe_sdk-Windows.md                 | 73 +++++++++++++++++++
 samples/README_Windows.md                     |  2 +-
 6 files changed, 93 insertions(+), 18 deletions(-)
 create mode 100644 docs/GettingStartedDocs/install_oe_sdk-Windows.md

diff --git a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
index 15c1cc2119..4862893827 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
@@ -8,14 +8,14 @@ From the build subfolder in your source tree:
 For SGX1 + FLC targets:
 
 ```cmd
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=C:\oe_prereqs -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave
 ninja install
 ```
 
 For SGX1 targets:
 
 ```cmd
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=OFF
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=C:\oe_prereqs -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=OFF
 ninja install
 ```
 
@@ -27,7 +27,7 @@ Please note that NUGET_PACKAGE_PATH in the above command points to the directory
 To create a redistributable NuGet package use the following command from your build subfolder:
 
 ```cmd
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\your\path\to\intel_and_dcap_nuget_packages -DCPACK_GENERATOR=NuGet
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=C:\oe_prereqs -DCPACK_GENERATOR=NuGet
 ninja package
 ```
 
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
index 6034ae1234..4d6e1ad2fa 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
@@ -10,11 +10,13 @@ C:\Intel SGX PSW for Windows v2.4.100.51291\PSW_EXE_RS2_and_before\Intel(R)_SGX_
 ## [Azure DCAP client for Windows](https://github.com/Microsoft/Azure-DCAP-Client/tree/master/src/Windows) [optional]
 
 Note that this is optional since you can choose an alternate implementation of the DCAP client or create your own.
-The Azure DCAP client for Windows is necessary if you would like to perform enclave attestation on a Azure Confidential Computing VM. It is available from [nuget.org](https://www.nuget.org/packages/Azure.DCAP.Windows/) and can be installed directly via:
+The Azure DCAP client for Windows is necessary if you would like to perform enclave attestation on a Azure Confidential Computing VM. It is available from [nuget.org](https://www.nuget.org/packages/Azure.DCAP.Windows/) and can be installed directly via command below.
+This example assumes that `C:\oe_prereqs` is where you would like the prerequisites to be installed.
 
 ```cmd
-nuget.exe install Azure.DCAP.Windows -ExcludeVersion -Version 0.0.2 -OutputDirectory C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages
+nuget.exe install Azure.DCAP.Windows -ExcludeVersion -Version 0.0.2 -OutputDirectory C:\oe_prereqs
 ```
+This example assumes you would like to install the package to `C:\oe_prereqs`.
 
 ##### [Intel Data Center Attestation Primitives (DCAP) Libraries v1.2](http://registrationcenter-download.intel.com/akdlm/irc_nas/15650/Intel%20SGX%20DCAP%20for%20Windows%20v1.2.100.49925.exe)
 After unpacking the self-extracting ZIP executable, you can refer to the *Intel SGX DCAP Windows SW Installation Guide.pdf*
@@ -45,9 +47,9 @@ The following summary will assume that the contents were extracted to `C:\Intel
       ```
     - Note that `devcon.exe` is usually installed to `C:\Program Files (x86)\Windows Kits\10\tools\x64` which is not in the PATH environment variable by default.
 4. Install the DCAP nuget packages:
-    - The standalone `nuget.exe` [CLI tool](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) can be used to do this from the command prompt:
+    - The standalone `nuget.exe` [CLI tool](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) can be used to do this from the command prompt(assuming you would like to install the NuGet packages to `C:\oe_prereqs`):
       ```cmd
-      nuget.exe install DCAP_Components -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages
-      nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages
+      nuget.exe install DCAP_Components -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory c:\oe_prereqs
+      nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory c:\oe_prereqs
       ```
     - *Note:* EnclaveCommonAPI should be installed as the *very last* nuget package as a temporary workaround for a dependency issue. Please see issue #2170, for more details.
\ No newline at end of file
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
index 8e265601e8..1edaff48eb 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
@@ -42,9 +42,9 @@ Firstly we download Intel SGX and DCAP library from [here](http://registrationce
 The following summary will assume that the contents were extracted to `C:\Intel SGX DCAP for Windows v1.2.100.49925`:
 
 Make sure you have [nuget cli tool](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) installed and in your path,
-run the following command from a command prompt:
+run the following command from a command prompt (assuming you would like the package to be installed to `C:\oe_prereqs`):
 ```cmd
-nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory C:\path\to\where\you\would\like\to\install\intel_nuget_packages
+nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory C:\oe_prereqs
 ```
 
-You can verify that the library is installed properly by checking whether `sgx_enclave_common.lib` exists in the folder `C:\path\to\where\you\would\like\to\install\intel_nuget_packages\nuget\EnclaveCommonAPI\lib\native\x64-Release`.
+You can verify that the library is installed properly by checking whether `sgx_enclave_common.lib` exists in the folder `C:\oe_prereqs`.
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index 0288c4689b..8d6d6ed244 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -35,25 +35,25 @@ Run the following from Powershell to deploy all the prerequisites for building O
 
 ```scripts/install-windows-prereqs.ps1```
 
-To install the prerequisites along with the Azure DCAP Client, use the below command. The Azure DCAP Client is necessary to perform attestation on an Azure Confidential Computing VM.
+To install the prerequisites along with the Azure DCAP Client, use the below command. The Azure DCAP Client is necessary to perform attestation on an Azure Confidential Computing VM. This command assumes that you would like the prerequisites to be installed to `C:\oe_prereqs`.
 
 ```powershell
 cd scripts
-.\install-windows-prereqs.ps1 -InstallPath C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages -LaunchConfiguration SGX1FLC -DCAPClientType Azure
+.\install-windows-prereqs.ps1 -InstallPath C:\oe_prereqs -LaunchConfiguration SGX1FLC -DCAPClientType Azure
 ```
 
 If you would like to skip the installation of the Azure DCAP Client, use the command below.
 
 ```powershell
 cd scripts
-.\install-windows-prereqs.ps1 -InstallPath C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages -LaunchConfiguration SGX1FLC -DCAPClientType None
+.\install-windows-prereqs.ps1 -InstallPath C:\oe_prereqs -LaunchConfiguration SGX1FLC -DCAPClientType None
 ```
 
 As an example, if you cloned the Open Enclave SDK repo into C:\openenclave and want to install the Azure DCAP Client, you would run the following command.
 
 ```powershell
 cd scripts
-.\install-windows-prereqs.ps1 -InstallPath C:\path\to\where\you\would\like\to\install\intel_and_dcap_nuget_packages -LaunchConfiguration SGX1FLC -DCAPClientType Azure
+.\install-windows-prereqs.ps1 -InstallPath C:\oe_prereqs -LaunchConfiguration SGX1FLC -DCAPClientType Azure
 ```
 
 If you prefer to manually install prerequisites, please refer to this [document](WindowsManualInstallPrereqs.md).
@@ -70,7 +70,7 @@ To build debug enclaves:
 cd C:\openenclave
 mkdir build\x64-Debug
 cd build\x64-Debug
-cmake -G Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
+cmake -G Ninja -DNUGET_PACKAGE_PATH=C:\oe_prereqs -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
 ninja
 ```
 
@@ -81,7 +81,7 @@ Similarly, to build release enclaves:
 cd C:\openenclave
 mkdir build\x64-Release
 cd build\x64-Release
-cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
+cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\oe_prereqs -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
 ninja
 ```
 
diff --git a/docs/GettingStartedDocs/install_oe_sdk-Windows.md b/docs/GettingStartedDocs/install_oe_sdk-Windows.md
new file mode 100644
index 0000000000..61372d76ae
--- /dev/null
+++ b/docs/GettingStartedDocs/install_oe_sdk-Windows.md
@@ -0,0 +1,73 @@
+# Install the Open Enclave SDK (On Windows Server 2016)
+
+## Platform requirements
+
+- A system with support for SGX1 with Flexible Launch Control (FLC).
+Note: To check if your system has support for SGX1 with or without FLC, please look [here](./SGXSupportLevel.md).
+
+- Windows Server 2016
+
+## Microsoft Visual Studio Build Tools 2019
+
+Install [Visual Studio Build Tools 2019](https://aka.ms/vs/16/release/vs_buildtools.exe). Choose the "C++ build tools" workload. Visual Studio Build Tools 2019 has support for CMake Version 3.15 (CMake ver 3.12 or above is required for building Open Enclave SDK). For more information about CMake support, look [here](https://blogs.msdn.microsoft.com/vcblog/2016/10/05/cmake-support-in-visual-studio/).
+
+## Git for Windows 64-bit
+
+Download [Git for Windows 64-bit](https://git-scm.com/download/win).
+
+Install Git and add Git Bash to the PATH environment variable.
+Typically, Git Bash is located in `C:\Program Files\Git\bin`.
+Currently the Open Enclave SDK build system uses bash scripts to configure
+and build Linux-based 3rd-party libraries.
+
+Open a command prompt and ensure that Git Bash is added to PATH.
+
+```cmd
+C:\>where bash
+C:\Program Files\Git\bin\bash.exe
+```
+
+Tools available in the Git bash environment are also used for test and sample
+builds. For example, OpenSSL is used to generate test certificates, so it is
+also useful to have the `Git\mingw64\bin` folder added to PATH. This can be checked
+from the command prompt as well:
+
+```cmd
+C:\>where openssl
+C:\Program Files\Git\mingw64\bin\openssl.exe
+```
+
+## Clang
+
+Download [Clang/LLVM for Windows 64-bit](http://releases.llvm.org/7.0.1/LLVM-7.0.1-win64.exe).
+Install Clang 7.0.1 and add the LLVM folder (typically C:\Program Files\LLVM\bin)
+to PATH. Open Enclave SDK uses clang to build the enclave binaries.
+
+Open up a command prompt and ensure that clang is added to PATH.
+
+```cmd
+C:\> where clang
+C:\Program Files\LLVM\bin\clang.exe
+C:\> where llvm-ar
+C:\Program Files\LLVM\bin\llvm-ar.exe
+C:\> where ld.lld
+C:\Program Files\LLVM\bin\ld.lld.exe
+```
+
+## SGX1 with Flexible Launch Control (FLC) Prerequisites on Windows
+
+Instructions to install Intel's PSW 2.4, Intel's Data Center Attestation Primitives and related dependencies can be found [here](Contributors/WindowsManualSGX1FLCDCAPPrereqs.md).
+
+## Download and install the Open Enclave SDK NuGet Package
+
+Download the required Windows NuGet Package from [here](https://github.com/openenclave/openenclave/releases) and place it in a directory of your choice. Use the command below to install the NuGet package. In this example, we are placing the NuGet Package in `C:\openenclave_nuget` and installing it to `C:\oe`.
+
+```cmd
+ nuget.exe install open-enclave -Source C:\openenclave_nuget -OutputDirectory C:\oe -ExcludeVersion
+```
+
+Note: If it is an RC package, append `-pre` to the command above.
+
+## Verify the Open Enclave SDK install
+
+See [Using the Open Enclave SDK](Windows_using_oe_sdk.md) for verifying and using the installed SDK.
diff --git a/samples/README_Windows.md b/samples/README_Windows.md
index 5beef12171..7236485217 100644
--- a/samples/README_Windows.md
+++ b/samples/README_Windows.md
@@ -47,7 +47,7 @@ set OpenEnclave_DIR=C:\openenclave\lib\openenclave\cmake
 ```cmd
 mkdir build
 cd build
-cmake .. -G Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages
+cmake .. -G Ninja -DNUGET_PACKAGE_PATH=C:\oe_prereqs
 ninja
 ```
 

From 35afb1689ceac1646ef16dee90204d8f8d1f59ec Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Mon, 21 Oct 2019 22:49:43 -0700
Subject: [PATCH 208/420] Address John's comments

---
 .../Contributors/WindowsManualSGX1FLCDCAPPrereqs.md             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
index 4d6e1ad2fa..558442cc05 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
@@ -47,7 +47,7 @@ The following summary will assume that the contents were extracted to `C:\Intel
       ```
     - Note that `devcon.exe` is usually installed to `C:\Program Files (x86)\Windows Kits\10\tools\x64` which is not in the PATH environment variable by default.
 4. Install the DCAP nuget packages:
-    - The standalone `nuget.exe` [CLI tool](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) can be used to do this from the command prompt(assuming you would like to install the NuGet packages to `C:\oe_prereqs`):
+    - The standalone `nuget.exe` [CLI tool](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) can be used to do this from the command prompt:
       ```cmd
       nuget.exe install DCAP_Components -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory c:\oe_prereqs
       nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory c:\oe_prereqs

From f7d66408a3e9171c7d29f4afc37ee9c498880920 Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Tue, 22 Oct 2019 01:07:50 -0700
Subject: [PATCH 209/420] Change title and formatting

---
 docs/GettingStartedDocs/install_oe_sdk-Windows.md | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/docs/GettingStartedDocs/install_oe_sdk-Windows.md b/docs/GettingStartedDocs/install_oe_sdk-Windows.md
index 61372d76ae..6888b12933 100644
--- a/docs/GettingStartedDocs/install_oe_sdk-Windows.md
+++ b/docs/GettingStartedDocs/install_oe_sdk-Windows.md
@@ -1,4 +1,4 @@
-# Install the Open Enclave SDK (On Windows Server 2016)
+# Install the Open Enclave SDK NuGet Package
 
 ## Platform requirements
 
@@ -7,11 +7,13 @@ Note: To check if your system has support for SGX1 with or without FLC, please l
 
 - Windows Server 2016
 
-## Microsoft Visual Studio Build Tools 2019
+## Software Prerequisites
+
+### Microsoft Visual Studio Build Tools 2019
 
 Install [Visual Studio Build Tools 2019](https://aka.ms/vs/16/release/vs_buildtools.exe). Choose the "C++ build tools" workload. Visual Studio Build Tools 2019 has support for CMake Version 3.15 (CMake ver 3.12 or above is required for building Open Enclave SDK). For more information about CMake support, look [here](https://blogs.msdn.microsoft.com/vcblog/2016/10/05/cmake-support-in-visual-studio/).
 
-## Git for Windows 64-bit
+### Git for Windows 64-bit
 
 Download [Git for Windows 64-bit](https://git-scm.com/download/win).
 
@@ -37,7 +39,7 @@ C:\>where openssl
 C:\Program Files\Git\mingw64\bin\openssl.exe
 ```
 
-## Clang
+### Clang
 
 Download [Clang/LLVM for Windows 64-bit](http://releases.llvm.org/7.0.1/LLVM-7.0.1-win64.exe).
 Install Clang 7.0.1 and add the LLVM folder (typically C:\Program Files\LLVM\bin)
@@ -54,7 +56,7 @@ C:\> where ld.lld
 C:\Program Files\LLVM\bin\ld.lld.exe
 ```
 
-## SGX1 with Flexible Launch Control (FLC) Prerequisites on Windows
+### SGX1 with Flexible Launch Control (FLC) Prerequisites
 
 Instructions to install Intel's PSW 2.4, Intel's Data Center Attestation Primitives and related dependencies can be found [here](Contributors/WindowsManualSGX1FLCDCAPPrereqs.md).
 

From 9155a74880a0a5b6a52c13393cf254e07b7fac2a Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <radhikaj@microsoft.com>
Date: Tue, 22 Oct 2019 12:06:53 -0700
Subject: [PATCH 210/420] Fix all prereq paths to c:\oe_prereqs

---
 .../Contributors/WindowsInstallInfo.md                 |  2 +-
 .../Contributors/WindowsSGX1GettingStarted.md          | 10 +++++-----
 .../GettingStartedDocs/Contributors/building_oe_sdk.md |  2 +-
 docs/GettingStartedDocs/install_oe_sdk-Windows.md      |  2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
index 4862893827..b90c695b88 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsInstallInfo.md
@@ -5,7 +5,7 @@ You can locally install the SDK from the compiled Open Enclave tree by specifyin
 the install-prefix to the cmake call before calling `ninja install`.
 From the build subfolder in your source tree:
 
-For SGX1 + FLC targets:
+For SGX1 + FLC targets, assuming that the Intel and Azure DCAP NuGet packages are installed to `C:\oe_prereqs` and the Open Enclave SDK is installed to `C:\openenclave`:
 
 ```cmd
 cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=C:\oe_prereqs -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
index 698c1ba2f5..8a0d124338 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -30,18 +30,18 @@ First, change directory into the openenclave repository:
 cd openenclave
 ```
 
-To deploy all the prerequisities for building Open Enclave, you can run the following from Powershell. Note that the Data Center Attestation Primitives (DCAP) Client is not used for attestation on systems which have support for SGX1 without support for Flexible Launch Control (FLC).
+To deploy all the prerequisities for building Open Enclave, you can run the following from Powershell. Note that the Data Center Attestation Primitives (DCAP) Client is not used for attestation on systems which have support for SGX1 without support for Flexible Launch Control (FLC). The below example assumes you would like to install the packages to `C:\oe_prereqs`.
 
 ```powershell
 cd scripts
-.\install-windows-prereqs.ps1 -InstallPath C:\path\to\where\you\would\like\to\install\intel_nuget_packages -LaunchConfiguration SGX1 -DCAPClientType None
+.\install-windows-prereqs.ps1 -InstallPath C:\oe_prereqs -LaunchConfiguration SGX1 -DCAPClientType None
 ```
 
 As an example, if you cloned Open Enclave SDK repo into `C:\openenclave`, you would run the following:
 
 ```powershell
 cd scripts
-.\install-windows-prereqs.ps1 -InstallPath C:\path\to\where\you\would\like\to\install\intel_nuget_packages -LaunchConfiguration SGX1 -DCAPClientType None
+.\install-windows-prereqs.ps1 -InstallPath C:\oe_prereqs -LaunchConfiguration SGX1 -DCAPClientType None
 ```
 
 If you prefer to manually install prerequisites, please refer to this [document](WindowsManualInstallPrereqs.md).
@@ -58,7 +58,7 @@ Normally this is accessible under the `Visual Studio 2017` folder in the Start M
 cd C:\openenclave
 mkdir build\x64-Debug
 cd build\x64-Debug
-cmake -G Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=OFF ..\..
+cmake -G Ninja -DNUGET_PACKAGE_PATH=C:\oe_prereqs -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=OFF ..\..
 ninja
 ```
 
@@ -70,7 +70,7 @@ Similarly, to build release enclaves:
 cd C:\openenclave
 mkdir build\x64-Release
 cd build\x64-Release
-cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_nuget_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=OFF ..\..
+cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\oe_prereqs -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=OFF ..\..
 ninja
 ```
 
diff --git a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
index 34919b8d58..6f5ac3ca0a 100644
--- a/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
+++ b/docs/GettingStartedDocs/Contributors/building_oe_sdk.md
@@ -69,7 +69,7 @@ See [Open Enclave samples](/samples/README_Linux.md) for details.
 Assuming you install the SDK as below (also described in the [basic install section](WindowsInstallInfo.md#basic-install-on-windows))
 
 ```bash
-cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=c:\path\to\intel_and_dcap_packages -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave"
+cmake .. -G  Ninja -DNUGET_PACKAGE_PATH=C:\oe_prereqs -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave"
 ninja install
 ```
 Open Enclave samples can be found in c:\openenclave\share\openenclave\samples
diff --git a/docs/GettingStartedDocs/install_oe_sdk-Windows.md b/docs/GettingStartedDocs/install_oe_sdk-Windows.md
index 6888b12933..10bbaf8d2f 100644
--- a/docs/GettingStartedDocs/install_oe_sdk-Windows.md
+++ b/docs/GettingStartedDocs/install_oe_sdk-Windows.md
@@ -70,6 +70,6 @@ Download the required Windows NuGet Package from [here](https://github.com/opene
 
 Note: If it is an RC package, append `-pre` to the command above.
 
-## Verify the Open Enclave SDK install
+## Verify the Open Enclave SDK installation
 
 See [Using the Open Enclave SDK](Windows_using_oe_sdk.md) for verifying and using the installed SDK.

From 8ea1cbffd901aead3d50ed2ac048e2d0afa9ae78 Mon Sep 17 00:00:00 2001
From: Akash Gupta <akagup@microsoft.com>
Date: Tue, 22 Oct 2019 13:25:19 -0700
Subject: [PATCH 211/420] Fix typos in document.

---
 docs/DesignDocs/RemoteAttestationCollaterals.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/DesignDocs/RemoteAttestationCollaterals.md b/docs/DesignDocs/RemoteAttestationCollaterals.md
index b83fca5386..7029628992 100644
--- a/docs/DesignDocs/RemoteAttestationCollaterals.md
+++ b/docs/DesignDocs/RemoteAttestationCollaterals.md
@@ -112,7 +112,7 @@ User Experience
 ---------------
 
 There are 2 scenarios. Note that to get the endorsements,
-currently requires a Data Center Attestation Primitives(DCAP)
+currently requires a Data Center Attestation Primitives (DCAP)
 client that runs outside the enclave.
 
 ### 1. Verifier is provided with endorsements:
@@ -282,7 +282,7 @@ typedef enum _oe_sgx_endorsements_fields
     OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME,
     OE_SGX_ENDORSEMENT_COUNT
 
-} oe_sgx_endorsements_fields;;
+} oe_sgx_endorsements_fields;
 ```
 
 ### Private SGX endorsement definitions

From b8dd1a07c4458da8f787f8dfec6eb47c5ef34f76 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Tue, 22 Oct 2019 15:16:11 -0700
Subject: [PATCH 212/420] Do not OE_ENCLAVE_FLAG_DEBUG on TrustZone.

---
 host/tests.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/host/tests.c b/host/tests.c
index 4337df7699..3deeef5de6 100644
--- a/host/tests.c
+++ b/host/tests.c
@@ -9,7 +9,13 @@
 
 uint32_t oe_get_create_flags(void)
 {
+#if __aarch64__
+    /* OE_ENCLAVE_FLAG_DEBUG is not available on ARM TrustZone. */
+    uint32_t result = 0;
+#else
     uint32_t result = OE_ENCLAVE_FLAG_DEBUG;
+#endif
+
     char* env = NULL;
 
     if (!(env = oe_dupenv("OE_SIMULATION")))

From 4cc21f25076a0cea4923f880c32d3ff4705a6c23 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Tue, 22 Oct 2019 15:17:05 -0700
Subject: [PATCH 213/420] Add guide for Scalys TrustBox.

---
 .../OP-TEE/Hardware/ScalysTrustBox.md         | 393 +++++++++++++++++-
 1 file changed, 392 insertions(+), 1 deletion(-)

diff --git a/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md b/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
index a0990367ef..1679694a10 100644
--- a/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
+++ b/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
@@ -1 +1,392 @@
-TBD
+# Getting Started with Open Enclave for the Scalys TrustBox
+
+The [TrustBox](https://scalys.com/trustbox-industrial) is an industrial router
+manufactured by Scalys and serves as Open Enclave's reference hardware
+implementation for ARM TrustZone. The TrustBox incorporates a
+[Grapeboard](https://www.grapeboard.com), also produced by Scalys, which is in
+turn based on the NXP Layerscape LS1012A SoC. The latter provides a hardware
+root of trust as well as cryptographic and network acceleration.
+
+In this guide, you will learn how to retrieve, build and flash the firmware for
+the TrustBox. Further, you will see how to build and flash a root filesystem
+containing an Ubuntu 18.04 user-mode installation onto an SD card. Lastly, you
+will learn how to run OP-TEE's test suite as well as some of Open Enclave's
+own tests on the TrustBox.
+
+## Overview
+
+The TrustBox internally contains a Grapeboard. The latter has a MicroSD card
+reader from which the board can boot as well as a serial port offered over a
+Micro-USB Type B connector (effectively, serial-over-USB). Flashing the firmware
+requires connecting to the board over the serial connection while flashing the
+MicroSD card requires opening the TrustBox, retrieving the Grapeboard inside and
+either overwriting the MicroSD card it ships with with the root filesystem that
+you will build in this guide, or replacing the MicroSD card with your own card
+after you flash the latter with the required root filesystem.
+
+### Caution
+
+The Linux-based system that you will install to the TrustBox is configured to
+ease testing. Additionally, the secure firmware, such as OP-TEE OS, is currently
+meant for preview purposes only.
+
+**The resulting setup is not suitable for use in production and/or hostile
+environments!**
+
+### Prerequisites
+
+- Ubuntu 18.04 LTS (64-bit)
+- 1 TrustBox
+- 1 Power supply
+- 1 MicroSD card
+  - Optional if the TrustBox you are using ships with one
+- 1 T8 Torx screwdriver
+- 1 Micro-USB Type B to USB Type A cable
+- Ethernet network
+
+**Note:** The procedure below has not been validated on Ubuntu 16.04 LTS.
+
+### Required Packages
+
+The following command installs all the packages necessary on Ubuntu 18.04 LTS:
+
+```bash
+sudo apt install -y git flex bison python-pip libssl-dev build-essential \
+    gcc-aarch64-linux-gnu g++-aarch64-linux-gnu minicom u-boot-tools     \
+    device-tree-compiler qemu-user-static udisks2
+```
+
+## Serial Communication
+
+Connect the TrustBox to your computer via its serial-over-USB port. On a
+computer running Ubuntu 18.04 LTS the TrustBox appears as a `ttyUSB#` device
+node under `/dev`.
+
+For example:
+
+```bash
+$ ll /dev/ttyUSB*
+
+crw-rw---- 1 root dialout 188, 0 Oct 21 18:14 /dev/ttyUSB0
+```
+
+To establish a duplex serial connection, replace the device node with the one on
+your system in the command below to invoke `minicom`:
+
+```bash
+sudo minicom -D /dev/ttyUSB0
+```
+
+Before the connection is usable, `minicom` must be configured to disable
+hardware flow control.
+
+Inside the `minicom` window, type:
+
+```
+<Ctrl-a> o
+```
+
+From the pop-up list, select "Serial port setup". In the new dialog, press `f`
+to switch off Hardware Flow Control. Press `<Enter>` to confirm, then `<Esc>` to
+dismiss the parent dialog. `minicom` should now be able to communicate with the
+board.
+
+Once you have finished this guide and are ready to exit `minicom`:
+
+```
+<Ctrl-a> q
+```
+
+When prompted if you would like to leave without reset, select `Yes`.
+
+**Note:** You must turn off hardware flow control every time you connect anew.
+
+## Source Code
+
+All the code necessary to build the TrustBox' firmware and software, as well as
+the requisite build scripts may be obtained from Open Enclave's fork of NXP's
+Layerscape SDK (LSDK):
+
+```bash
+git clone --recursive https://github.com/ms-iot/lsdk -b ms-iot-openenclave-3.6.0 --depth=1
+```
+
+This operation will take some time as multiple submodules will be cloned, too.
+
+## Firmware
+
+In this subsection, you will build the firmware that contains the Secondary
+Program Loader (SPL), U-Boot, OP-TEE OS, and the NXP Primary Protected
+Application (PPA). You will then flash this firmware to your board.
+
+### Building Firmware
+
+To build the firmware, in the same folder where you cloned the LSDK repository,
+type:
+
+```bash
+make firmware
+```
+
+If the board has HAB enabled, do instead:
+
+```bash
+make firmware HAB=1
+```
+
+**Note:** Do not attempt to use `-j`. The steps that are parallelizable will be
+parallelized automatically.
+
+The build will generate the following files:
+
+- U-Boot
+    - `build/u-boot-with-spl-pbl.bin`
+- OP-TEE OS and NXP PPA
+    - `build/ppa.itb`
+- HAB Signature Data (if enabled)
+  - build/hdr_spl.out
+
+### Flashing Firmware
+
+To flash the newly built firmware, place the files listed above in the root
+directory of a FAT-formatted MicroSD card. Then, boot into recovery U-Boot as
+follows:
+
+1. Connect the Grapeboard to your computer;
+2. Establish a `minicom` connection as outlined above;
+3. Press and hold the push-button labelled `S2` on the board;
+4. Power up the board, or, if already powered up, reset it by pressing and
+releasing the push-button labelled `S1`.
+5. Release the `S2` button when U-Boot prompts you to.
+
+This should leave you at the recovery U-Boot prompt.
+
+Flash the firmware by issuing the following commands:
+
+```
+# Update U-Boot
+mmc rescan
+fatload mmc 0:1 $load_addr u-boot-with-spl-pbl.bin
+sf probe 0:0
+sf erase u-boot 200000
+sf write $load_addr u-boot $filesize
+
+# Update OPTEE-OS + PPA
+mmc rescan
+fatload mmc 0:1 $load_addr ppa.itb
+sf probe 0:0
+sf erase ppa 100000
+sf write $load_addr ppa $filesize
+
+# Update CSF Header (only if HAB is enabled)
+mmc rescan
+fatload mmc 0:1 $load_addr hdr_spl.out
+sf probe 0:0
+sf erase u-boot_hdr 40000
+sf write $load_addr u-boot_hdr $filesize
+```
+
+**Note:** Do not copy-paste more than one command at a time to the serial
+console.
+
+To reboot, type:
+
+```
+reset
+```
+
+Upon reboot, you should see messages similar to the following with HAB disabled:
+
+```
+U-Boot SPL 2018.09-g8947717e16 (Oct 21 2019 - 17:01:00 -0700)
+PPA Firmware: Version LSDK-18.09
+SEC Firmware: 'loadables' present in config
+loadables: 'trustedOS@1'
+can't get CSF - HAB disabled
+SSM not in secure/trusted state: 0x9
+Security state failure
+Continuing with non-secret testing identity
+I/TC:
+I/TC: OP-TEE version: v0.4.0-1123-gd1634ce8 #1 Tue Oct 22 00:01:37 UTC 2019 aarch64
+I/TC: Successfully captured Cyres certificate chain
+I/TC: Successfully captured Cyres private key
+I/TC: Initialized
+Trying to boot from RAM
+```
+
+If HAB is enabled, the messages will instead look as follows:
+
+```
+U-Boot SPL 2018.09-00480-gdc28a9fa63-dirty (Jan 17 2019 - 11:17:15 -0800)
+PPA Firmware: Version LSDK-18.09
+SEC Firmware: 'loadables' present in config
+loadables: 'trustedOS@1'
+I/TC:
+I/TC: OP-TEE version: v0.4.0-443-g9cdcf55b-dev #6 Sat Jan 26 05:59:52 UTC 2019 aarch64
+I/TC: Successfully captured Cyres certificate chain
+I/TC: Successfully captured Cyres private key
+I/TC: Initialized
+Trying to boot from RAM
+```
+
+### Recovery
+
+If upon reset the board fails to boot, you can repeat the procedure to re-enter
+recovery U-Boot to flash the firmware again. Flashing the firmware does not
+overwrite copy of U-Boot, which is part of the recovery ROM.
+
+## Root File System
+
+In this subsection, you will build a root filesystem comprised of Linux, Ubuntu
+18.04 user-mode as well as the necessary libraries and supporting binaries to
+communicate with OP-TEE OS. You will then flash the resulting filesystem onto
+a MicroSD card.
+
+### Building the Filesystem
+
+In the same folder where you cloned the LSDK repository, do:
+
+```bash
+make os
+```
+
+**Note:** Do not attempt to use `-j` here either. The steps that are
+parallelizable will be parallelized automatically.
+
+### Flashing the Filesystem
+
+Plug in the MicroSD card into your system, determine which block device node
+corresponds to the MicroSD card, then issue the following command from within
+the directory where you cloned the LSDK repository:
+
+```bash
+make sdcard DEV=/dev/sdX
+```
+
+When the script finishes, it is safe to remove the MicroSD card.
+
+**Note:** You might observe an error related to copying an `Image` file. This is
+expected if the MicroSD card is empty; copying this file is part of a backup
+step. `make` is configured to ignore the error and continue.
+
+### Booting the Filesystem
+
+Insert the MicroSD card you just flashed into the TrustBox and power it up.
+In the `minicom` window you should see Linux booting up.
+
+The default login credentials are:
+
+```
+Username: root
+Password: root
+```
+
+To log in over SSH, issue the `ifconfig` command to see your board's IP address,
+if it is connected to a network.
+
+## OP-TEE OS Test Suite
+
+To ensure that the build of OP-TEE OS is sane, first start the TEE supplicant on
+the board:
+
+```bash
+tee-supplicant &
+```
+
+You need only do this once per boot. Then, issue:
+
+```
+xtest
+```
+
+**Note:** `xtest` causes failures on purpose; do not be alarmed by the numerous
+stack traces scrolling by.
+
+Once `xtest` finishes, you should see the following output:
+
+```
+24078 subtests of which 1 failed
+95 test cases of which 1 failed
+0 test cases were skipped
+TEE test application done!
+```
+
+The single failed test is a known issue.
+
+## Open Enclave SDK
+
+In this subsection, you will retrieve the Open Enclave SDK from source, set up
+your build environment, then build the SDK to target the TrustBox. Additionally,
+you will copy a test host and enclave to the TrustBox. Lastly, you will execute
+these on the TrustBox.
+
+### Building
+
+To build the Open Enclave SDK for the TrustBox, issue the commands below, taking
+care to replace the path indicated for `OE_TA_DEV_KIT_DIR` to point to the
+output of the LSDK build as generated in the previous steps:
+
+```bash
+git clone --recursive https://github.com/openenclave/openenclave.git sdk
+
+cd sdk
+
+# Set up the build environment (only once).
+sudo scripts/ansible/install-ansible.sh
+sudo ansible-playbook scripts/ansible/oe-contributors-setup-cross-arm.yml
+
+cd ..
+
+mkdir build
+cd build
+
+# Configure the SDK
+cmake ../sdk \
+    -G Ninja \
+	-DHAS_QUOTE_PROVIDER=OFF \
+	-DCMAKE_TOOLCHAIN_FILE=../sdk/cmake/arm-cross.cmake \
+	-DOE_TA_DEV_KIT_DIR=$PWD/../lsdk/build/optee/export-ta_arm64 \
+	-DCMAKE_BUILD_TYPE=Debug
+
+# Build the SDK
+ninja
+```
+
+### Copy Hosts & Enclaves
+
+All OP-TEE OS enclaves are named `UUID.ta`, where `UUID` is a random UUID. These
+must be placed on the board's filesystem under the `/lib/optee_armtz` folder.
+Otherwise, enclaves will not load. The hosts may be located anywhere on the
+filesystem.
+
+For the purposes of this guide, the test host and enclave are the following two
+binaries located in the SDK's `build` folder as created above:
+
+```
+tests/hexdump/host/hexdump_host
+tests/hexdump/enc/126830b9-eb9f-412a-89a7-bcc8a517c12e.ta
+```
+
+To copy these, you can either:
+
+1. Mount the MicroSD card on your Ubuntu 18.04 LTS machine and copy the files,
+or;
+2. Copy the files via SCP over the network.
+
+An example for using SCP:
+
+```bash
+scp tests/hexdump/host/hexdump_host root@192.168.0.10:
+scp tests/hexdump/enc/126830b9-eb9f-412a-89a7-bcc8a517c12e.ta root@192.168.0.10:/lib/optee_armtz
+```
+
+### Execution
+
+To run the test, log into the TrustBox as `root`, either over serial or SSH, and
+do:
+
+```bash
+cd ~
+
+./hexdump_host 126830b9-eb9f-412a-89a7-bcc8a517c12e
+```

From 953985297b728c1df148d6c89d1f3c9f25c02e13 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Tue, 22 Oct 2019 15:17:16 -0700
Subject: [PATCH 214/420] Expand on known issues.

---
 docs/GettingStartedDocs/OP-TEE/Introduction.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/docs/GettingStartedDocs/OP-TEE/Introduction.md b/docs/GettingStartedDocs/OP-TEE/Introduction.md
index 198fa608e4..fd0437180d 100644
--- a/docs/GettingStartedDocs/OP-TEE/Introduction.md
+++ b/docs/GettingStartedDocs/OP-TEE/Introduction.md
@@ -55,7 +55,13 @@ OS:
 5. Out Calls (OCALLs)
 6. Terminating Enclaves
 
-**Note:** C++ exceptions are not yet fully supported.
+### Known Issues
+
+#### C++ exceptions are not fully supported
+
+Even though it is possible to write enclaves that use C++ exceptions and run
+them on OP-TEE OS, the stack unwinder may fail to find an exception handler on
+`throw`.
 
 ## Note on Forks
 

From 4010c01c8f2379f21a14a152f4feef360f718839 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Tue, 22 Oct 2019 15:17:35 -0700
Subject: [PATCH 215/420] Fix apt command line endings.

---
 .../OP-TEE/Debugging/QEMU.md                   | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
index e20fee488f..8cb25f4ff9 100644
--- a/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
+++ b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
@@ -30,15 +30,15 @@ first.
 
 The following command installs all the packages necessary on Ubuntu 18.04 LTS:
 
-```
-sudo apt update && sudo apt install -y android-tools-adb android-tools-fastboot
-    autoconf automake bc bison build-essential ccache cgdb cscope curl
-    device-tree-compiler expect flex ftp-upload gdb-multiarch gdisk iasl
-    libattr1-dev libc6 libcap-dev libfdt-dev libftdi-dev libglib2.0-dev
-    libhidapi-dev libncurses5-dev libpixman-1-dev libssl-dev libstdc++6 libtool
-    libz1 make mtools netcat python-crypto python-pyelftools python-serial
-    python-wand python3-pyelftools repo unzip uuid-dev xdg-utils xterm xz-utils
-    zlib1g-dev
+```bash
+sudo apt update && sudo apt install -y android-tools-adb                       \
+    android-tools-fastboot autoconf automake bc bison build-essential ccache   \
+    cgdb cscope curl device-tree-compiler expect flex ftp-upload gdb-multiarch \
+    gdisk iasl libattr1-dev libc6 libcap-dev libfdt-dev libftdi-dev            \
+    libglib2.0-dev libhidapi-dev libncurses5-dev libpixman-1-dev libssl-dev    \
+    libstdc++6 libtool libz1 make mtools netcat python-crypto                  \
+    python-pyelftools python-serial python-wand python3-pyelftools repo unzip  \
+    uuid-dev xdg-utils xterm xz-utils zlib1g-dev
 ```
 
 ## Directory Structure

From ea5df077957ad8f09cba5aa8d5e4afefee834ad8 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Tue, 22 Oct 2019 15:17:52 -0700
Subject: [PATCH 216/420] Annotate command listings with bash and replace TA
 with enclave.

---
 .../OP-TEE/Debugging/QEMU.md                  | 48 +++++++++++--------
 1 file changed, 27 insertions(+), 21 deletions(-)

diff --git a/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
index 8cb25f4ff9..1294dd4fcd 100644
--- a/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
+++ b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
@@ -55,10 +55,13 @@ otherwise specified.
 
 All work will be done in:
 
-```
-[ TERMS 1 & 2 & 3 ]
+```bash
+# [ TERMS 1 & 2 & 3 ]
 
+# Once
 mkdir openenclave_qemu
+
+# All terms
 cd openenclave_qemu
 ```
 
@@ -78,8 +81,8 @@ The `repo` utility can manipulate multiple Git repositories as though they were
 one. The following commands instruct `repo` to clone all the repositories that
 are required to build a QEMU-based debugging environment:
 
-```
-[ TERM 1 ]
+```bash
+# [ TERM 1 ]
 
 mkdir emulation
 cd emulation
@@ -98,8 +101,8 @@ To create and launch a debugging environment all you need is `make`. Depending
 on your machine, this may take upward of an hour the first time; subsequent runs
 only take a few seconds, plus compiling anything that you may have changed:
 
-```
-[ TERM 1 ]
+```bash
+# [ TERM 1 ]
 
 cd build
 
@@ -137,13 +140,14 @@ enclaves. Then, you must copy your enclaves into it.
 
 ### Building Hosts & Enclaves
 
-```
-[ TERM 2 ]
+```bash
+# [ TERM 2 ]
 
 git clone --recursive https://github.com/openenclave/openenclave.git sdk
 
 cd sdk
 
+# Set up the build environment (only once).
 sudo scripts/ansible/install-ansible.sh
 sudo ansible-playbook scripts/ansible/oe-contributors-setup-cross-arm.yml
 
@@ -152,12 +156,15 @@ cd ..
 mkdir build
 cd build
 
+# Configure the SDK
 cmake ../sdk \
     -G Ninja \
 	-DHAS_QUOTE_PROVIDER=OFF \
 	-DCMAKE_TOOLCHAIN_FILE=../sdk/cmake/arm-cross.cmake \
 	-DOE_TA_DEV_KIT_DIR=$PWD/../emulation/optee_os/out/arm/export-ta_arm64 \
 	-DCMAKE_BUILD_TYPE=Debug
+
+# Build the SDK
 ninja
 
 cd ..
@@ -176,7 +183,7 @@ By default, `make run` instructs QEMU to share your home directory read-only
 into the emulated guest. Once the guest boots and you have logged in via the
 Normal World XTerm window, type:
 
-```
+```bash
 mkdir /mnt/home
 mount -t 9p -o trans=virtio sh0 /mnt/home -oversion=9p2000.L
 
@@ -189,9 +196,7 @@ run`.
 For example, if you were trying to debug the SDK's test suite, you would do the
 following on the Normal World XTerm window:
 
-```
-export OE_SIMULATION=1
-
+```bash
 cp openenclave_qemu/build/tests/hexdump/enc/126830b9-eb9f-412a-89a7-bcc8a517c12e.ta /lib/optee_armtz
 openenclave_qemu/build/tests/hexdump/host/hexdump_host 126830b9-eb9f-412a-89a7-bcc8a517c12e
 ```
@@ -209,8 +214,8 @@ QEMU exposes a GDB server on `localhost:1234` with system-wide visibility into
 the emulated environment. After starting QEMU with `make run`, start the
 architecture-aware version of GDB.
 
-```
-[ TERM 2 ]
+```bash
+# [ TERM 2 ]
 
 gdb-multiarch
 
@@ -252,14 +257,15 @@ D/LD:  ldelf:150 ELF (126830b9-eb9f-412a-89a7-bcc8a517c12e) at 0x40010000
 ```
 
 The fifth line indicates where in secure virtual memory OP-TEE has loaded the
-TA. In this case it's `0x40010000`. This value should remain the same throughout
-repeated runs as well as across reboots of the emulator. Note this value.
+enclave. In this case it's `0x40010000`. This value should remain the same
+throughout repeated runs as well as across reboots of the emulator. Note this
+value.
 
 Due to how OP-TEE loads enclaves, you must manually line up the symbols in the
 ELF file produced for enclaves with how the code is laid out in memory:
 
-```
-[ TERM 3 ]
+```bash
+#[ TERM 3 ]
 
 cd $HOME/openenclave_qemu
 
@@ -332,8 +338,8 @@ name in the host application and in the enclave.
 
 **Note**: Resetting QEMU means that emulator state is cleared, hence you must
 repeat the steps of mounting your home directory inside the emulator and copying
-the TA to `/lib/optee_armtz`. Any breakpoints you set in GDB, however, persist
-across `system_reset`.
+the enclave to `/lib/optee_armtz`. Any breakpoints you set in GDB, however,
+persist across `system_reset`.
 
 ## Source-Level Debugging
 
@@ -387,7 +393,7 @@ system. However, to debug an ARM or AARCH64 target from an x86/64 host, CGDB
 must be told to use the same version of GDB used above. To start CGDB specifying
 a particular version of GDB, issue the following command from a terminal:
 
-```
+```bash
 cgdb -d gdb-multiarch
 ```
 

From 751fa9a1da443267f15759454213d467696051ed Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Tue, 22 Oct 2019 15:19:49 -0700
Subject: [PATCH 217/420] Address PR feedback.

---
 docs/GettingStartedDocs/Contributors/OPTEEGettingStarted.md | 6 +++---
 docs/GettingStartedDocs/OP-TEE/Introduction.md              | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/OPTEEGettingStarted.md b/docs/GettingStartedDocs/Contributors/OPTEEGettingStarted.md
index b67f586c83..f2b71be1c5 100644
--- a/docs/GettingStartedDocs/Contributors/OPTEEGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/OPTEEGettingStarted.md
@@ -41,8 +41,8 @@ recommended that you build the SDK from source for each target board so as to
 minimize the chance of a configuration mismatch, which, while minimal at the
 level of abstraction that the SDK operates at, may nevertheless occur.
 
-Assuming that you have a Dev Kit from an OP-TEE OS build, compiling the SDK is
-simple:
+Assuming that you have a Dev Kit from an OP-TEE OS build and its location is
+stored in the `DEV_KIT` variable, compiling the SDK is simple:
 
 ```bash
 mkdir build
@@ -52,7 +52,7 @@ cmake ../sdk \
     -G Ninja \
 	-DHAS_QUOTE_PROVIDER=OFF \
 	-DCMAKE_TOOLCHAIN_FILE=../sdk/cmake/arm-cross.cmake \
-	-DOE_TA_DEV_KIT_DIR=/path/to/dev/kit/export-ta_arm64 \
+	-DOE_TA_DEV_KIT_DIR=$DEV_KIT/export-ta_arm64 \
 	-DCMAKE_BUILD_TYPE=Debug
 ninja
 ```
diff --git a/docs/GettingStartedDocs/OP-TEE/Introduction.md b/docs/GettingStartedDocs/OP-TEE/Introduction.md
index fd0437180d..ef62fb635e 100644
--- a/docs/GettingStartedDocs/OP-TEE/Introduction.md
+++ b/docs/GettingStartedDocs/OP-TEE/Introduction.md
@@ -24,7 +24,7 @@ executes in secure user-mode whereas its host executes in non-secure user-mode:
 ```
 
 While Linux operates in the usual way in non-secure kernel-mode, OP-TEE OS
-fulfills the role of kernel in secure mode.
+fulfills the role of the kernel in secure mode.
 
 OP-TEE OS provides a low-level communication mechanism to Linux based on the ARM
 Secure Monitor Call (`smc`) instruction. In turn, Linux incorporates an OP-TEE

From d7a153ea19d958074e200c30e47f71f56d0b24aa Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Tue, 22 Oct 2019 15:38:32 -0700
Subject: [PATCH 218/420] Add QEMU on WSL guide.

---
 .../OP-TEE/Debugging/QEMU.md                  |   2 +-
 .../OP-TEE/Debugging/QEMUOnWSL.md             | 139 ++++++++++++++++++
 2 files changed, 140 insertions(+), 1 deletion(-)
 create mode 100644 docs/GettingStartedDocs/OP-TEE/Debugging/QEMUOnWSL.md

diff --git a/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
index 1294dd4fcd..3584ad2bda 100644
--- a/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
+++ b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
@@ -23,7 +23,7 @@ install Ubuntu on bare metal or in a virtual machine using your preferred
 hypervisor. Some commands launch GUIs, so a graphical environment is necessary.
 
 **Note:** To use this guide with the Windows Subsystem for Linux (WSL), read
-through [Debugging Enclaves on OP-TEE OS with QEMU ON WSL](ta_debugging_wsl.md)
+through [Debugging Enclaves on OP-TEE OS with QEMU on WSL](QEMUOnWSL.md)
 first.
 
 ## Required Packages
diff --git a/docs/GettingStartedDocs/OP-TEE/Debugging/QEMUOnWSL.md b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMUOnWSL.md
new file mode 100644
index 0000000000..0bc1e9baf8
--- /dev/null
+++ b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMUOnWSL.md
@@ -0,0 +1,139 @@
+# Debugging Enclaves on OP-TEE OS with QEMU on WSL
+
+This document is a complement to
+[Debugging Enclaves on OP-TEE OS with QEMU](QEMU.md). That guide assumes it is
+being followed on a native Linux system. This guide shows you how to configure
+the Windows Subsystem for Linux (WSL) to use the guide on WSL.
+
+In this guide, you will learn how to:
+
+1. Install and configure a native X Server;
+2. Work around a UNIX feature used by `fakeroot`
+[not yet implemented in WSL](https://github.com/Microsoft/WSL/issues/1443).
+
+# Prerequisites
+
+This guide presumes you have a Windows 10 installation, version 1803 or later.
+
+## Required Features and Apps
+
+WSL is not installed by default. To install it, launch PowerShell as
+Administrator and run:
+
+```powershell
+Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
+```
+
+Restart your computer when prompted.
+
+You are now ready to install [Ubuntu
+18.04](https://www.microsoft.com/en-us/p/ubuntu-1804-lts/9n9tngvndl3q) on WSL.
+
+For a visual guide to this process, see [Install the Windows Subsystem for
+Linux](https://docs.microsoft.com/en-us/windows/wsl/install-win10#install-the-windows-subsystem-for-linux).
+
+After Ubuntu 18.04 is installed, launch it from the Start Menu. The first launch
+takes some time while the root filesystem is decompressed. Follow the
+instructions on screen to set up an account inside the Ubuntu 18.04 environment.
+Once that is complete, update the environment as follows:
+
+```bash
+sudo apt update && sudo apt upgrade -y
+```
+
+## X Server
+
+The build system for the QEMU debugging environment launches two instances of
+XTerm. XTerm is a graphical application for X11, or simply X. X is a
+client-server windowing system where a graphical application runs on a remote
+machine and is rendered on a thin terminal. This is not too dissimilar in
+practice to Windows Server with Terminal Services. In X terminology, the server
+is the thin terminal where output is rendered and the client is an application
+running on a remote machine. In typical Linux distributions, the client and
+server both run on the same computer.
+
+For the purposes of this guide, you will install an X Server that runs outside
+of WSL. Then, you will let the build system launch XTerm inside WSL normally.
+XTerm will connect to the X server outside of WSL over a local network
+connection and render as a normal window on your Windows desktop.
+
+WSL does not ship with an X Server so you must install one yourself.
+[XMing](http://www.straightrunning.com/XmingNotes) is a cross-compiled version
+of X for Windows and is known to work well. The public domain releases are free
+to use.
+
+**Note:** The author of XMing does not provide signed binaries. You may choose a
+different X Server implementation if you prefer; the configuration steps below
+should be the same if the alternative implementation that you choose is
+compliant with the X protocol.
+
+Launch the installer and follow the instructions on screen.
+
+Once XMing is installed, a folder of the same name is added to the Start Menu.
+Be sure to use the "XMing" shortcut, not "XLaunch". If you are prompted by the
+Windows Defender Firewall after launching XMing to allow it to communicate over
+the network, click "Cancel". This configures the firewall to deny all incoming
+connections to XMing, local connections are not affected.
+
+The only indication that XMing has successfully started is an icon in the
+notification area.
+
+# Building & Debugging in WSL
+
+Before you are able to follow the steps in the debugging guide, execute the
+following command inside the Ubuntu 18.04 environment:
+
+```bash
+echo "export DISPLAY=:0" >> ~/.bashrc
+exit
+```
+
+**Note:** You need only do this once.
+
+X applications read the `DISPLAY` environment variable to determine what X
+Server to connect to. The value `:0` is shorthand for `localhost:0`, where
+`localhost` is the network address of the machine where the X Server is running
+on and `0` indicates the display number. You must exit and re-enter the Ubuntu
+18.04 environment for Bash to pick up the changes to `.bashrc`. Afterward, the
+`DISPLAY` variable will always be set.
+
+You may now follow the [Debugging Enclaves on OP-TEE OS with QEMU](QEMU.md)
+guide on WSL.
+
+After some time into the build process of the QEMU debugging environment, it
+will stop suggesting that `fakeroot` failed.
+
+## Fakeroot
+
+The build environment uses its own version of `fakeroot`. This version attempts
+to make use of SYS-V IPC, but this feature is not available on WSL. You will see
+an error that reads:
+
+```
+fakeroot, while creating message channels: Function not implemented
+This may be due to a lack of SYSV IPC support.
+fakeroot: error while starting the `faked' daemon.
+```
+
+To work around this issue, replace the `fakeroot` binary that the build system
+uses with the version of `fakeroot` that uses sockets for IPC instead. Ubuntu
+18.04 ships with both versions.
+
+Run the following commands to replace `fakeroot` with its socket-based
+counterpart:
+
+```bash
+mv $HOME/openenclave_qemu/emulation/out-br/host/bin/fakeroot $HOME/openenclave_qemu/emulation/out-br/host/bin/fakeroot.bak
+ln -s /usr/bin/fakeroot-tcp $HOME/openenclave_qemu/emulation/out-br/host/bin/fakeroot
+```
+
+Resume the build with `make run` (and `-j`, as appropriate). If you ever clean
+and rebuild the Buildroot output, you will run into this issue again. However,
+that is never required for the purposes of debugging TAs. In general, therefore,
+this is a one-time fix.
+
+The Windows Defender Firewall might prompt for permission to allow incoming
+connections to various Linux programs as the build proceeds. None of these
+programs require accepting remote requests, so you can safely click "Cancel" to
+block all incoming connections. Just as with XMing, local connections are not
+affected.

From 30c0583805c5bd512935dd8fe08a82fee94aa6cb Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Tue, 22 Oct 2019 15:41:08 -0700
Subject: [PATCH 219/420] Fix hard-break spacing.

---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 31e13f8398..ef6b665d1f 100644
--- a/README.md
+++ b/README.md
@@ -45,11 +45,11 @@ to the documents for [getting started](docs/GettingStartedDocs/Contributors/buil
 
 ### OP-TEE OS (ARM TrustZone)
 
-The Open Enclave SDK provides preview support for the Open Portable TEE OS (OP-
-TEE). OP-TEE is an operating system for TEE's that implement a traditional
-kernel-mode and user-mode execution environment. It runs on A-profile ARM
-systems that support ARM TrustZone. As a result, the Open Enclave SDK can be
-leveraged to target these systems as well.
+The Open Enclave SDK provides preview support for the Open Portable TEE OS
+(OP-TEE OS). OP-TEE is an operating system for TEE's that implement a
+traditional kernel-mode and user-mode execution environment. It runs on
+A-profile ARM systems that support ARM TrustZone. As a result, the Open Enclave
+SDK can be leveraged to target these systems as well.
 
 For an overview of the SDK's support for OP-TEE OS as well as links to getting
 started guides, see

From b86978b2abebe05f840fbfb8560b6396c23717bf Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Tue, 22 Oct 2019 15:45:07 -0700
Subject: [PATCH 220/420] Add spacing in large paragraphs.

---
 .../Contributors/OPTEEGettingStarted.md             | 13 +++++++------
 docs/GettingStartedDocs/OP-TEE/Introduction.md      | 10 ++++++----
 2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/OPTEEGettingStarted.md b/docs/GettingStartedDocs/Contributors/OPTEEGettingStarted.md
index f2b71be1c5..459eeca8c9 100644
--- a/docs/GettingStartedDocs/Contributors/OPTEEGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/OPTEEGettingStarted.md
@@ -31,12 +31,13 @@ sudo ansible-playbook scripts/ansible/oe-contributors-setup-cross-arm.yml
 
 Given that each ARM board is different, OP-TEE OS may be configured and built
 accordingly. This means that a build of OP-TEE OS for one board is most likely
-not compatible with a build of the exact same code for a different board. During
-OP-TEE OS' build process, a so-called "Dev Kit" is generated. This kit contains
-a number of headers, libraries and configuration files that describe the
-settings that were used to build OP-TEE OS for a given board. The Open Enclave
-SDK's build process consumes this Dev Kit to in turn configure and link the
-components that it leverages to support OP-TEE OS. As a result, it is highly
+not compatible with a build of the exact same code for a different board.
+
+During OP-TEE OS' build process, a so-called "Dev Kit" is generated. This kit
+contains a number of headers, libraries and configuration files that describe
+the settings that were used to build OP-TEE OS for a given board. The Open
+Enclave SDK's build process consumes this Dev Kit to in turn configure and link
+the components that it leverages to support OP-TEE OS. As a result, it is highly
 recommended that you build the SDK from source for each target board so as to
 minimize the chance of a configuration mismatch, which, while minimal at the
 level of abstraction that the SDK operates at, may nevertheless occur.
diff --git a/docs/GettingStartedDocs/OP-TEE/Introduction.md b/docs/GettingStartedDocs/OP-TEE/Introduction.md
index ef62fb635e..40517a4733 100644
--- a/docs/GettingStartedDocs/OP-TEE/Introduction.md
+++ b/docs/GettingStartedDocs/OP-TEE/Introduction.md
@@ -2,10 +2,12 @@
 
 Each Trusted Execution Environment (TEE) implementation provides a different
 model with respect to the interaction between hosts and enclaves, as well as
-regarding the runtime behavior of the two. The TEE implemented by ARM TrustZone
-splits the system into a secure and a non-secure mode, where each keep their
-user-mode/kernel-mode partition. Hence, an enclave that leverages ARM TrustZone
-executes in secure user-mode whereas its host executes in non-secure user-mode:
+regarding the runtime behavior of the two.
+
+The TEE implemented by ARM TrustZone splits the system into a secure and a
+non-secure mode, where each keep their user-mode/kernel-mode partition. Hence,
+an enclave that leverages ARM TrustZone executes in secure user-mode whereas its
+host executes in non-secure user-mode:
 
 ```
             |=============================================|

From 2726c26d1276bbb0af37f05b5f039aa2d1f8c245 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Tue, 22 Oct 2019 15:45:15 -0700
Subject: [PATCH 221/420] Make caution message clearer.

---
 docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md b/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
index 1679694a10..f44bf1be67 100644
--- a/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
+++ b/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
@@ -30,7 +30,7 @@ The Linux-based system that you will install to the TrustBox is configured to
 ease testing. Additionally, the secure firmware, such as OP-TEE OS, is currently
 meant for preview purposes only.
 
-**The resulting setup is not suitable for use in production and/or hostile
+> **The resulting setup is not suitable for use in production and/or hostile
 environments!**
 
 ### Prerequisites

From 8b5f0b7c4d650d1cd574b25f8dfeacfb70024e31 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Tue, 22 Oct 2019 15:46:34 -0700
Subject: [PATCH 222/420] Mark Ethernet network as optional.

---
 docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md b/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
index f44bf1be67..e28e814fc0 100644
--- a/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
+++ b/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
@@ -42,7 +42,8 @@ environments!**
   - Optional if the TrustBox you are using ships with one
 - 1 T8 Torx screwdriver
 - 1 Micro-USB Type B to USB Type A cable
-- Ethernet network
+- Wired network (Ethernet)
+  - Optional
 
 **Note:** The procedure below has not been validated on Ubuntu 16.04 LTS.
 

From e38e0f8e455cf6718275c95ce6dae56f43bf3c5a Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Tue, 22 Oct 2019 15:48:43 -0700
Subject: [PATCH 223/420] Add test case failure to known issues.

---
 docs/GettingStartedDocs/OP-TEE/Introduction.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/GettingStartedDocs/OP-TEE/Introduction.md b/docs/GettingStartedDocs/OP-TEE/Introduction.md
index 40517a4733..e45e66ab99 100644
--- a/docs/GettingStartedDocs/OP-TEE/Introduction.md
+++ b/docs/GettingStartedDocs/OP-TEE/Introduction.md
@@ -65,6 +65,10 @@ Even though it is possible to write enclaves that use C++ exceptions and run
 them on OP-TEE OS, the stack unwinder may fail to find an exception handler on
 `throw`.
 
+#### OP-TEE test suite failure
+
+One of OP-TEE's test cases is known to fail on the TrustBox.
+
 ## Note on Forks
 
 While the SDK's support for Intel SGX is fairly self-contained, support for

From 145208017f6969cdbb616578cdbe87c1f64f6dde Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Tue, 22 Oct 2019 15:51:27 -0700
Subject: [PATCH 224/420] Update link to OP-TEE's build & run docs.

* They've moved.
---
 docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
index 3584ad2bda..2cde36a8d9 100644
--- a/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
+++ b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
@@ -13,8 +13,8 @@ learn how to set up and use GDB for source-level debugging of the sample
 enclaves that ship with this SDK.
 
 This guide is loosely based on [OP-TEE's own Build and Debug
-Guide](https://github.com/OP-TEE/build#op-tee-buildgit) with some modifications
-to render it more pertinent to this SDK.
+Guide](https://optee.readthedocs.io/en/latest/building/index.html) with some
+modifications to render it more pertinent to this SDK.
 
 ## Prerequisites
 

From c9ee0a9cbfb87b596d10020ec7113df250748532 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Tue, 22 Oct 2019 20:52:02 -0700
Subject: [PATCH 225/420] Address PR comments.

* Grammar;
* Added links to GitHub issues to track known problems.
---
 docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md      |  8 +++++---
 docs/GettingStartedDocs/OP-TEE/Debugging/QEMUOnWSL.md |  2 +-
 .../OP-TEE/Hardware/ScalysTrustBox.md                 | 11 ++++++-----
 docs/GettingStartedDocs/OP-TEE/Introduction.md        |  6 +++++-
 4 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
index 2cde36a8d9..bdadc7cf19 100644
--- a/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
+++ b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMU.md
@@ -310,9 +310,11 @@ every time you want to debug. Just execute the `add-symbol-file` command in GDB.
 However, should your breakpoints stop being hit, do verify that these addresses
 have not changed, especially after a `git pull` and a rebuild.
 
-There is a known issue, either in GDB or QEMU, where once OP-TEE and Linux have
-fully booted up, it is not possible to place breakpoints inside enclaves. To
-work around this, switch to `TERM 1` where QEMU is running and type:
+There is a [known
+issue](https://github.com/openenclave/openenclave/issues/2276), either in GDB or
+QEMU, where once OP-TEE and Linux have fully booted up, it is not possible to
+place breakpoints inside enclaves. To work around this, switch to `TERM 1` where
+QEMU is running and type:
 
 ```
 system_reset
diff --git a/docs/GettingStartedDocs/OP-TEE/Debugging/QEMUOnWSL.md b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMUOnWSL.md
index 0bc1e9baf8..040bd396cf 100644
--- a/docs/GettingStartedDocs/OP-TEE/Debugging/QEMUOnWSL.md
+++ b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMUOnWSL.md
@@ -73,7 +73,7 @@ Once XMing is installed, a folder of the same name is added to the Start Menu.
 Be sure to use the "XMing" shortcut, not "XLaunch". If you are prompted by the
 Windows Defender Firewall after launching XMing to allow it to communicate over
 the network, click "Cancel". This configures the firewall to deny all incoming
-connections to XMing, local connections are not affected.
+connections to XMing, but local connections are not affected.
 
 The only indication that XMing has successfully started is an icon in the
 notification area.
diff --git a/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md b/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
index e28e814fc0..1589ff88e0 100644
--- a/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
+++ b/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
@@ -104,9 +104,9 @@ When prompted if you would like to leave without reset, select `Yes`.
 
 ## Source Code
 
-All the code necessary to build the TrustBox' firmware and software, as well as
-the requisite build scripts may be obtained from Open Enclave's fork of NXP's
-Layerscape SDK (LSDK):
+All the code necessary to build the TrustBox's firmware and software, as well
+as the requisite build scripts may be obtained from Open Enclave's fork of
+NXP's Layerscape SDK (LSDK):
 
 ```bash
 git clone --recursive https://github.com/ms-iot/lsdk -b ms-iot-openenclave-3.6.0 --depth=1
@@ -234,7 +234,7 @@ Trying to boot from RAM
 
 If upon reset the board fails to boot, you can repeat the procedure to re-enter
 recovery U-Boot to flash the firmware again. Flashing the firmware does not
-overwrite copy of U-Boot, which is part of the recovery ROM.
+overwrite the copy of U-Boot, which is part of the recovery ROM.
 
 ## Root File System
 
@@ -312,7 +312,8 @@ Once `xtest` finishes, you should see the following output:
 TEE test application done!
 ```
 
-The single failed test is a known issue.
+The single failed test is a
+[known issue](https://github.com/openenclave/openenclave/issues/2275).
 
 ## Open Enclave SDK
 
diff --git a/docs/GettingStartedDocs/OP-TEE/Introduction.md b/docs/GettingStartedDocs/OP-TEE/Introduction.md
index e45e66ab99..881edc5879 100644
--- a/docs/GettingStartedDocs/OP-TEE/Introduction.md
+++ b/docs/GettingStartedDocs/OP-TEE/Introduction.md
@@ -39,7 +39,7 @@ Likewise, OP-TEE OS provides a number of system calls to secure user-mode. A
 library is in turn provided (`libutee`) that enclaves can use to call into these
 system services.
 
-The Open Enclave SDK for OP-TEE OS effectively implements the SDK's API's and
+The Open Enclave SDK for OP-TEE OS effectively implements the SDK's APIs and
 behaviors atop those exposed by OP-TEE OS both to non-secure user-mode as well
 as atop those exposed to secure user-mode.
 
@@ -65,10 +65,14 @@ Even though it is possible to write enclaves that use C++ exceptions and run
 them on OP-TEE OS, the stack unwinder may fail to find an exception handler on
 `throw`.
 
+[Tracking issue](https://github.com/openenclave/openenclave/issues/2274).
+
 #### OP-TEE test suite failure
 
 One of OP-TEE's test cases is known to fail on the TrustBox.
 
+[Tracking issue](https://github.com/openenclave/openenclave/issues/2275).
+
 ## Note on Forks
 
 While the SDK's support for Intel SGX is fairly self-contained, support for

From 09101966685217119a451e530dee399746fac1b0 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Wed, 23 Oct 2019 00:08:32 -0700
Subject: [PATCH 226/420] Clear up usage of "TA".

---
 docs/GettingStartedDocs/OP-TEE/Debugging/QEMUOnWSL.md | 4 ++--
 docs/GettingStartedDocs/OP-TEE/Introduction.md        | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/docs/GettingStartedDocs/OP-TEE/Debugging/QEMUOnWSL.md b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMUOnWSL.md
index 040bd396cf..215e64f23e 100644
--- a/docs/GettingStartedDocs/OP-TEE/Debugging/QEMUOnWSL.md
+++ b/docs/GettingStartedDocs/OP-TEE/Debugging/QEMUOnWSL.md
@@ -129,8 +129,8 @@ ln -s /usr/bin/fakeroot-tcp $HOME/openenclave_qemu/emulation/out-br/host/bin/fak
 
 Resume the build with `make run` (and `-j`, as appropriate). If you ever clean
 and rebuild the Buildroot output, you will run into this issue again. However,
-that is never required for the purposes of debugging TAs. In general, therefore,
-this is a one-time fix.
+that is never required for the purposes of debugging enclaves. In general,
+therefore, this is a one-time fix.
 
 The Windows Defender Firewall might prompt for permission to allow incoming
 connections to various Linux programs as the build proceeds. None of these
diff --git a/docs/GettingStartedDocs/OP-TEE/Introduction.md b/docs/GettingStartedDocs/OP-TEE/Introduction.md
index 881edc5879..c763122978 100644
--- a/docs/GettingStartedDocs/OP-TEE/Introduction.md
+++ b/docs/GettingStartedDocs/OP-TEE/Introduction.md
@@ -43,6 +43,11 @@ The Open Enclave SDK for OP-TEE OS effectively implements the SDK's APIs and
 behaviors atop those exposed by OP-TEE OS both to non-secure user-mode as well
 as atop those exposed to secure user-mode.
 
+**Note:** OP-TEE OS refers to enclaves as "Trusted Applications" (TAs). This
+guide, as well as those linked at the bottom, use the term "enclave" to remain
+in line with the SDK's nomenclature. However, when working with OP-TEE OS, such
+as reading its debug output, you will come across "TA" frequently.
+
 ## Supported Features
 
 The SDK currently provides preview support for the following features on OP-TEE

From 0a9835c01bbeb79d584fbc929c6c87ea2ecb8f72 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Wed, 23 Oct 2019 00:30:38 -0700
Subject: [PATCH 227/420] Fix TrustBox prerequisites.

---
 .../OP-TEE/Hardware/ScalysTrustBox.md              | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md b/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
index 1589ff88e0..9f6c08ea91 100644
--- a/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
+++ b/docs/GettingStartedDocs/OP-TEE/Hardware/ScalysTrustBox.md
@@ -52,9 +52,17 @@ environments!**
 The following command installs all the packages necessary on Ubuntu 18.04 LTS:
 
 ```bash
-sudo apt install -y git flex bison python-pip libssl-dev build-essential \
-    gcc-aarch64-linux-gnu g++-aarch64-linux-gnu minicom u-boot-tools     \
-    device-tree-compiler qemu-user-static udisks2
+sudo apt update && sudo apt install -y android-tools-adb                       \
+    android-tools-fastboot autoconf automake bc bison build-essential ccache   \
+    cgdb cscope curl device-tree-compiler expect flex                          \
+    ftp-upload gdb-multiarch gdisk iasl libattr1-dev libc6 libcap-dev          \
+    libfdt-dev libftdi-dev libglib2.0-dev libhidapi-dev libncurses5-dev        \
+    libpixman-1-dev libssl-dev libstdc++6 libtool libz1 make mtools netcat     \
+    python-crypto python-pyelftools python-serial python-wand                  \
+    python3-pyelftools repo unzip uuid-dev xdg-utils xterm xz-utils zlib1g-dev \
+    flex bison python-pip libssl-dev build-essential gcc-aarch64-linux-gnu     \
+    g++-aarch64-linux-gnu minicom u-boot-tools device-tree-compiler            \
+    qemu-user-static udisks2
 ```
 
 ## Serial Communication

From 60e04eba7fe94c5a4c2edd1c755008a8ed89f811 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@microsoft.com>
Date: Wed, 23 Oct 2019 11:49:26 -0700
Subject: [PATCH 228/420] Update changelog.

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c1792e7ee4..73e49cffeb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
     - [Visual Studio Code CDB Extension](https://aka.ms/CDBVSCode)
     - [WinDbg Preview](https://aka.ms/WinDbgPreview)
     - The new oedebugrt.dll binary needs to be copied to the app folder to enable this.
+- Preview support for 64-bit ARM TrustZone-capable boards with OP-TEE OS
+  - See the [documentation](docs/GettingStartedDocs/OP-TEE/Introduction.md)
+    for the list of supported platforms, features, and known issues.
 
 ### Changed
 

From 32e8839d13086c4c97d9ea449309fda33ad6a25c Mon Sep 17 00:00:00 2001
From: Akash Gupta <akagup@microsoft.com>
Date: Thu, 24 Oct 2019 15:12:42 -0700
Subject: [PATCH 229/420] Responded to review feedback.

---
 .../RemoteAttestationCollaterals.md           | 37 +++++++++----------
 1 file changed, 17 insertions(+), 20 deletions(-)

diff --git a/docs/DesignDocs/RemoteAttestationCollaterals.md b/docs/DesignDocs/RemoteAttestationCollaterals.md
index 7029628992..86574d0fb8 100644
--- a/docs/DesignDocs/RemoteAttestationCollaterals.md
+++ b/docs/DesignDocs/RemoteAttestationCollaterals.md
@@ -56,18 +56,18 @@ keys used to protect and authenticate Claims or Results.
 
 #### Attester:
 An Attestation Function that creates Evidence by
-collecting, formatting and protecting (e.g., signing) Claims.  It
+collecting, formatting and protecting (e.g., signing) Claims. It
 presents Evidence to a Verifier using a conveyance mechanism or
 protocol.
 
 #### Verifier:
 An Attestation Function that accepts Evidence from an Attester using
-a conveyance mechanism or protocol.  It also accepts Known-Good-Values
-and Endorsments from an Asserter using a conveyance mechanism or protocol.
+a conveyance mechanism or protocol. It also accepts Known-Good-Values
+and Endorsements from an Asserter using a conveyance mechanism or protocol.
 It verifies the protection mechanisms, parses and appraises Evidence
-according to good-known valid (or known-invalid) Claims and Endorsments.
+according to good-known valid (or known-invalid) Claims and Endorsements.
 It produces Attestation Results that are formatted and protected (e.g.,
-signed).  It presents Attestation Results to a Relying Party using
+signed). It presents Attestation Results to a Relying Party using
 a conveyance mechanism or protocol.
 
 Claims are statements about a particular subject. They consist of
@@ -78,11 +78,11 @@ claim value, which is arbitrary data. Example of claims could be
 #### Asserter:
 An Attestation Function that generates reference Claims
 about both the Attesting Computing Environment and the Attested
-Computing Environment.  The manufacturing and development
+Computing Environment. The manufacturing and development
 processes are presumed to be trustworthy processes.  In other
 words the Asserter is presumed, by a Verifier, to produce valid
-Claims.  The function collects, formats and protects (e.g. signs)
-valid Claims known as Endorsements and Known-Good-Values.  It
+Claims. The function collects, formats and protects (e.g. signs)
+valid Claims known as Endorsements and Known-Good-Values. It
 presents provable Claims to a Verifier using a conveyance
 mechanism or protocol.
 
@@ -90,7 +90,7 @@ mechanism or protocol.
 An Attestation Function that accepts Attestation
 Results from a Verifier using a conveyance mechanism or protocol.
 It assesses Attestation Results protections, parses and assesses
-Attestation Results according to an assessent context (Note:
+Attestation Results according to an assessment context (Note:
 definition of the assessment context is out-of-scope).
 
 
@@ -135,7 +135,7 @@ result = oe_get_evidence(
 ...
 ```
 
-##### Verifier verifies the evidence and endorsements (in the untrusted host or inside an enclave/TEE)
+##### Verifier verifies the evidence and endorsements (in an untrusted host or inside an enclave/TEE)
 ```C
 ...
 
@@ -256,7 +256,13 @@ typedef struct _oe_endorsements_t
     uint8_t buffer[];              ///< Buffer of offsets + data
 
 } oe_endorsements_t;
+```
+
+### Private SGX endorsement definitions
+
+`common/sgx/evidence.h`
 
+```C
 /*! Version of the supported SGX endorsement structures */
 #define OE_SGX_ENDORSEMENTS_VERSION     (1)
 
@@ -281,14 +287,8 @@ typedef enum _oe_sgx_endorsements_fields
     OE_SGX_ENDORSEMENT_FIELD_QE_ID_ISSUER_CHAIN,
     OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME,
     OE_SGX_ENDORSEMENT_COUNT
-
 } oe_sgx_endorsements_fields;
-```
 
-### Private SGX endorsement definitions
-
-`common/sgx/evidence.h`
-```C
 /*! \struct oe_sgx_endorsements
  *
  * \brief SGX endorsements structure
@@ -345,10 +345,7 @@ typedef struct _oe_sgx_endorsements_t
      *     The size of creation_datetime.
      */
     oe_sgx_endorsement_item items[OE_SGX_ENDORSEMENT_COUNT];
-
 } oe_sgx_endorsements_t;
-
-
 ```
 
 ### New Public Attestation functions
@@ -475,7 +472,7 @@ Current set of claims definitions:
 ### OE Host Verify Library
 
 The OE Host Verify library is a standalone library used for verifying remote reports outside
-the TEE/enclave. The function `oe_verfiy_remote_report()` will be updated to support
+the TEE/enclave. The function `oe_verify_remote_report()` will be updated to support
 endorsements.
 
 Authors

From 8a0b2a78ebe837ff1155f22f64fb76dfe87bd057 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Mon, 21 Oct 2019 20:58:26 +0000
Subject: [PATCH 230/420] Update install-windows-prereqs.ps1 to use DCAP 1.3

This also updates install-windows-prereqs.ps1 to use
the Intel SGX PSW 2.5.

It also removes the "prereqs\nuget" subdirectories inserted
after InstallPath.
---
 docs/GettingStartedDocs/Windows_vscode.md |  6 +++---
 docs/GettingStartedDocs/Windows_windbg.md |  2 +-
 scripts/install-windows-prereqs.ps1       | 10 +++++-----
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/docs/GettingStartedDocs/Windows_vscode.md b/docs/GettingStartedDocs/Windows_vscode.md
index 7aaf8ecb7d..8e89820e5b 100644
--- a/docs/GettingStartedDocs/Windows_vscode.md
+++ b/docs/GettingStartedDocs/Windows_vscode.md
@@ -50,7 +50,7 @@ Open Workspace Settings by pressing Ctrl+Shift+P and typing "Open Workspace Sett
 
 ![Open Workspace Settings](images/VSCodeOpenWorkspaceSettings.png)
 
-Search for the setting "CMake Configure Args" and add an item `-DNUGET_PACKAGE_PATH=path-to-openenclave-nuget-packages\prereqs\nuget`.
+Search for the setting "CMake Configure Args" and add an item `-DNUGET_PACKAGE_PATH=path-to-openenclave-nuget-packages`.
 Add another item `-DOpenEnclave_DIR=YourOpenEnclaveInstallFolder\lib\openenclave\cmake`
 
 ![CMake Configure Args](images/VSCodeCMakeConfigureArgs.png)
@@ -61,7 +61,7 @@ For example, if you ran install-windows-prereqs.ps1 with -InstallPath C:\openenc
 {
     "cmake.cmakePath": "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\BuildTools\\Common7\\IDE\\CommonExtensions\\Microsoft\\CMake\\CMake\\bin\\cmake.exe",
     "cmake.configureArgs": [
-        "-DNUGET_PACKAGE_PATH=C:\\openenclave_prereqs\\prereqs\\nuget",
+        "-DNUGET_PACKAGE_PATH=C:\\openenclave_prereqs",
         "-DOpenEnclave_DIR=C:\\openenclave\\lib\\openenclave\\cmake"
     ]
 }
@@ -95,7 +95,7 @@ If you installed the Open Enclave SDK at `C:\openenclave`, the Settings.json wou
 {
     "cmake.cmakePath": "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\BuildTools\\Common7\\IDE\\CommonExtensions\\Microsoft\\CMake\\CMake\\bin\\cmake.exe",
     "cmake.configureArgs": [
-        "-DNUGET_PACKAGE_PATH=C:\\openenclave_prereqs\\prereqs\\nuget",
+        "-DNUGET_PACKAGE_PATH=C:\\openenclave_prereqs",
         "-DOpenEnclave_DIR=C:\\openenclave\\lib\\openenclave\\cmake"
     ],
     "C_Cpp.default.includePath": ["C:\\openenclave\\include"],
diff --git a/docs/GettingStartedDocs/Windows_windbg.md b/docs/GettingStartedDocs/Windows_windbg.md
index cef633c884..49ed04ba05 100644
--- a/docs/GettingStartedDocs/Windows_windbg.md
+++ b/docs/GettingStartedDocs/Windows_windbg.md
@@ -29,7 +29,7 @@ Change to the directory containing your Open Enclave Application. Make a build f
 cd YourApplicationFolder
 mkdir build
 cd build
-cmake -G Ninja -DOpenEnclave_DIR=your-open-enclave-install-path\lib\openenclave\cmake -DNUGET_PACKAGE_PATH=your-openenclave-nuget-packages-path\prereqs\nuget ..
+cmake -G Ninja -DOpenEnclave_DIR=your-open-enclave-install-path\lib\openenclave\cmake -DNUGET_PACKAGE_PATH=your-openenclave-nuget-packages-path ..
 ```
 
 ![Configure](images/WinDbgConfigure.png)
diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index 4893d7408a..3864e24d8d 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -16,16 +16,16 @@ Param(
     [string]$OCamlHash = '369F900F7CDA543ABF674520ED6004CC75008E10BEED0D34845E8A42866D0F3A',
     [string]$Clang7URL = 'http://releases.llvm.org/7.0.1/LLVM-7.0.1-win64.exe',
     [string]$Clang7Hash = '672E4C420D6543A8A9F8EC5F1E5F283D88AC2155EF4C57232A399160A02BFF57',
-    [string]$IntelPSWURL = 'http://registrationcenter-download.intel.com/akdlm/irc_nas/15654/Intel%20SGX%20PSW%20for%20Windows%20v2.4.100.51291.exe',
-    [string]$IntelPSWHash = '79AE32E984B5511CE4BF7568403333F837FBCE7E8D5730271C5D68F55BBF251D',
+    [string]$IntelPSWURL = 'http://registrationcenter-download.intel.com/akdlm/irc_nas/15929/Intel%20SGX%20PSW%20for%20Windows%20v2.5.100.2.exe',
+    [string]$IntelPSWHash = '744B52C2DEDA3EC2AAC495A4F671FE574C506C35523028584A74469911FB0707',
     [string]$ShellCheckURL = 'https://shellcheck.storage.googleapis.com/shellcheck-v0.7.0.zip',
     [string]$ShellCheckHash = '02CFA14220C8154BB7C97909E80E74D3A7FE2CBB7D80AC32ADCAC7988A95E387',
     [string]$NugetURL = 'https://www.nuget.org/api/v2/package/NuGet.exe/3.4.3',
     [string]$NugetHash = '2D4D38666E5C7D27EE487C60C9637BD9DD63795A117F0E0EDC68C55EE6DFB71F',
     [string]$DevconURL = 'https://download.microsoft.com/download/7/D/D/7DD48DE6-8BDA-47C0-854A-539A800FAA90/wdk/Installers/787bee96dbd26371076b37b13c405890.cab',
     [string]$DevconHash = 'A38E409617FC89D0BA1224C31E42AF4344013FEA046D2248E4B9E03F67D5908A',
-    [string]$IntelDCAPURL = 'http://registrationcenter-download.intel.com/akdlm/irc_nas/15650/Intel%20SGX%20DCAP%20for%20Windows%20v1.2.100.49925.exe',
-    [string]$IntelDCAPHash = 'F31E4451CA32E19CA3DCB0AFC49AFE9F4963C47BF62AAF24A8AE436BDA14FD8B',
+    [string]$IntelDCAPURL = 'http://registrationcenter-download.intel.com/akdlm/irc_nas/16014/Intel%20SGX%20DCAP%20for%20Windows%20v1.3.100.4.exe',
+    [string]$IntelDCAPHash = 'B74C12B68BBDB942A6FB74A14BBCEDE05E37B3388693CB3EEA2D7DB520E83572',
     [string]$VCRuntime2012URL = 'https://download.microsoft.com/download/1/6/B/16B06F60-3B20-4FF2-B699-5E9B7962F9AE/VSU_4/vcredist_x64.exe',
     [string]$VCRuntime2012Hash = '681BE3E5BA9FD3DA02C09D7E565ADFA078640ED66A0D58583EFAD2C1E3CC4064',
     [string]$AzureDCAPNupkgURL = 'https://www.nuget.org/api/v2/package/Azure.DCAP.Windows/0.0.3',
@@ -40,7 +40,7 @@ Param(
 $ErrorActionPreference = "Stop"
 
 $PACKAGES_DIRECTORY = Join-Path $env:TEMP "packages"
-$OE_NUGET_DIR = Join-Path $InstallPath "prereqs\nuget"
+$OE_NUGET_DIR = $InstallPath
 
 $PACKAGES = @{
     "git" = @{

From 150f9d72d028d67848d889a812a41c84a0214692 Mon Sep 17 00:00:00 2001
From: John Kordich <johnkord@microsoft.com>
Date: Fri, 25 Oct 2019 18:29:24 +0000
Subject: [PATCH 231/420] Update all docs and ansible to use latest Intel SGX
 versions

---
 CHANGELOG.md                                  |  6 +++---
 .../BuildingInADockerContainer.md             |  8 ++++----
 .../WindowsManualInstallPrereqs.md            |  4 ++--
 .../WindowsManualSGX1FLCDCAPPrereqs.md        | 20 +++++++++----------
 .../Contributors/WindowsManualSGX1Prereqs.md  | 14 ++++++++-----
 .../install_oe_sdk-Ubuntu_16.04.md            |  2 +-
 .../install_oe_sdk-Ubuntu_18.04.md            |  2 +-
 scripts/ansible/oe-windows-acc-setup.yml      | 14 ++++++-------
 .../ansible/roles/linux/intel/vars/bionic.yml |  4 ++--
 .../ansible/roles/linux/intel/vars/xenial.yml |  4 ++--
 10 files changed, 40 insertions(+), 38 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 73e49cffeb..2c5a1d70cc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,8 +34,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   to [openenclave/openenclave](https://github.com/openenclave/openenclave).
 - Change debugging contract for oegdb. Enclaves and hosts built prior to this
   release cannot be debugged with this version of oegdb and vice versa.
-- Update Intel DCAP library dependencies to 1.2.
-- Update Intel PSW dependencies to 2.6 on Linux and 2.4 on Windows.
+- Update Intel DCAP library dependencies to 1.3.
+- Update Intel PSW dependencies to 2.7 on Linux and 2.5 on Windows.
 - SGX1 configurations always take build dependency on Intel SGX enclave common library.
 - Update LLVM libcxx to version 8.0.0.
 - Update mbedTLS to version 2.16.2.
@@ -242,4 +242,4 @@ Initial private preview release, no longer supported.
 [v0.5.0](https://github.com/openenclave/openenclave/compare/v0.4.1...v0.5.0)
 [v0.4.1](https://github.com/openenclave/openenclave/compare/v0.4.0...v0.4.1)
 [v0.4.0](https://github.com/openenclave/openenclave/compare/v0.1.0...v0.4.0)
-[v0.1.0](https://github.com/openenclave/openenclave/compare/beb546f...v0.1.0)
\ No newline at end of file
+[v0.1.0](https://github.com/openenclave/openenclave/compare/beb546f...v0.1.0)
diff --git a/docs/GettingStartedDocs/Contributors/BuildingInADockerContainer.md b/docs/GettingStartedDocs/Contributors/BuildingInADockerContainer.md
index d43075a2f9..63ee25fe67 100644
--- a/docs/GettingStartedDocs/Contributors/BuildingInADockerContainer.md
+++ b/docs/GettingStartedDocs/Contributors/BuildingInADockerContainer.md
@@ -9,11 +9,11 @@
 1. Install Docker CE by following these instructions: https://docs.docker.com/install/linux/docker-ce/ubuntu/#install-docker-ce
 
 2. Install the appropriate Intel SGX Driver for your platform. For example, if you're running on an SGX1 with FLC system, you'll probably want to install the Intel SGX DCAP Driver for your platfrom: https://01.org/intel-software-guard-extensions/downloads
-    - If you're running on an SGX with FLC system, you'll probably want to install the Intel SGX DCAP Driver for your platfrom: https://01.org/intel-softwareguard-extensions/downloads/intel-sgx-dcap-linux-1.2-release
-    - If you're running on an SGX without FLC system, you'll want to install the Intel SGX Driver for your platform: https://01.org/intel-softwareguard-extensions/downloads/intel-sgx-linux-2.6-release
-    - The driver you're looking for is a ".bin" file, for either Ubuntu 16.04 or 18.04 releases. It will be named something like: `sgx_linux_x64_driver_1.12_c110012.bin`
+    - If you're running on an SGX with FLC system, you'll probably want to install the Intel SGX DCAP Driver for your platfrom: https://01.org/intel-softwareguard-extensions/downloads/intel-sgx-dcap-linux-1.3-release
+    - If you're running on an SGX without FLC system, you'll want to install the Intel SGX Driver for your platform: https://01.org/intel-softwareguard-extensions/downloads/intel-sgx-linux-2.7-release
+    - The driver you're looking for is a ".bin" file, for either Ubuntu 16.04 or 18.04 releases. It will be named something like: `sgx_linux_x64_driver_1.13.bin`
     - To install this driver, simply run it as root like this:
-        - `sudo bash ./sgx_linux_x64_driver_1.12_c110012.bin`
+        - `sudo bash ./sgx_linux_x64_driver_1.13.bin`
 
 3. Pull the latest oetools-full image for Open Enclave from *either* of these two distributions:
     - https://hub.docker.com/r/oeciteam/oetools-full-16.04
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
index 2f070cc9c7..30ff49e746 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
@@ -19,9 +19,9 @@
 
 ## Prerequisites specific to SGX support on your system
 
-For systems with support for SGX1  - [Intel's PSW 2.4, Intel Enclave Common API library](WindowsManualSGX1Prereqs.md)
+For systems with support for SGX1  - [Intel's PSW 2.5, Intel Enclave Common API library](WindowsManualSGX1Prereqs.md)
 
-For systems with support for SGX1 + FLC - [Intel's PSW 2.4, Intel's Data Center Attestation Primitives and related dependencies](WindowsManualSGX1FLCDCAPPrereqs.md)
+For systems with support for SGX1 + FLC - [Intel's PSW 2.5, Intel's Data Center Attestation Primitives and related dependencies](WindowsManualSGX1FLCDCAPPrereqs.md)
 
 ## Microsoft Visual Studio Build Tools 2019
 Install [Visual Studio Build Tools 2019](https://aka.ms/vs/16/release/vs_buildtools.exe). Choose the "C++ build tools" workload. Visual Studio Build Tools 2019 has support for CMake Version 3.15 (CMake ver 3.12 or above is required for building Open Enclave SDK). For more information about CMake support, look [here](https://blogs.msdn.microsoft.com/vcblog/2016/10/05/cmake-support-in-visual-studio/).
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
index 558442cc05..cf59092463 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
@@ -1,10 +1,10 @@
 # SGX1 with Flexible Launch Control (FLC) Prerequisites on Windows
 
-## [Intel Platform Software for Windows (PSW) v2.4](http://registrationcenter-download.intel.com/akdlm/irc_nas/15654/Intel%20SGX%20PSW%20for%20Windows%20v2.4.100.51291.exe)
+## [Intel Platform Software for Windows (PSW) v2.5](http://registrationcenter-download.intel.com/akdlm/irc_nas/15929/Intel%20SGX%20PSW%20for%20Windows%20v2.5.100.2.exe)
 
 After unpacking the self-extracting ZIP executable, install the *PSW_EXE_RS2_and_before* version:
 ```cmd
-C:\Intel SGX PSW for Windows v2.4.100.51291\PSW_EXE_RS2_and_before\Intel(R)_SGX_Windows_x64_PSW_2.4.100.51291.exe"
+C:\Intel SGX PSW for Windows v2.5.100.2\PSW_EXE_RS2_and_before\Intel(R)_SGX_Windows_x64_PSW_2.5.100.2.exe"
 ```
 
 ## [Azure DCAP client for Windows](https://github.com/Microsoft/Azure-DCAP-Client/tree/master/src/Windows) [optional]
@@ -14,19 +14,19 @@ The Azure DCAP client for Windows is necessary if you would like to perform encl
 This example assumes that `C:\oe_prereqs` is where you would like the prerequisites to be installed.
 
 ```cmd
-nuget.exe install Azure.DCAP.Windows -ExcludeVersion -Version 0.0.2 -OutputDirectory C:\oe_prereqs
+nuget.exe install Azure.DCAP.Windows -ExcludeVersion -Version 0.0.3 -OutputDirectory C:\oe_prereqs
 ```
 This example assumes you would like to install the package to `C:\oe_prereqs`.
 
-##### [Intel Data Center Attestation Primitives (DCAP) Libraries v1.2](http://registrationcenter-download.intel.com/akdlm/irc_nas/15650/Intel%20SGX%20DCAP%20for%20Windows%20v1.2.100.49925.exe)
+##### [Intel Data Center Attestation Primitives (DCAP) Libraries v1.3](http://registrationcenter-download.intel.com/akdlm/irc_nas/16014/Intel%20SGX%20DCAP%20for%20Windows%20v1.3.100.4.exe)
 After unpacking the self-extracting ZIP executable, you can refer to the *Intel SGX DCAP Windows SW Installation Guide.pdf*
 for more details on how to install the contents of the package.
 
-The following summary will assume that the contents were extracted to `C:\Intel SGX DCAP for Windows v1.2.100.49925`:
+The following summary will assume that the contents were extracted to `C:\Intel SGX DCAP for Windows v1.3.100.4`:
 
 1. Unzip the required drivers from the extracted subfolders:
-    - `LC_driver_WinServer2016\Signed_1152921504628095185.zip`
-    - `DCAP_INF\WinServer2016\Signed_1152921504628099289.zip`
+    - `LC_driver_WinServer2016\Signed_*.zip`
+    - `DCAP_INF\WinServer2016\Signed_*.zip`
 
    The following instructions will assume that these have been unzipped into the `LC_driver` and `DCAP_INF` folders respectively.
 
@@ -49,7 +49,7 @@ The following summary will assume that the contents were extracted to `C:\Intel
 4. Install the DCAP nuget packages:
     - The standalone `nuget.exe` [CLI tool](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) can be used to do this from the command prompt:
       ```cmd
-      nuget.exe install DCAP_Components -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory c:\oe_prereqs
-      nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory c:\oe_prereqs
+      nuget.exe install DCAP_Components -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.3.100.4\nuget" -OutputDirectory c:\oe_prereqs
+      nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.3.100.4\nuget" -OutputDirectory c:\oe_prereqs
       ```
-    - *Note:* EnclaveCommonAPI should be installed as the *very last* nuget package as a temporary workaround for a dependency issue. Please see issue #2170, for more details.
\ No newline at end of file
+    - *Note:* EnclaveCommonAPI should be installed as the *very last* nuget package as a temporary workaround for a dependency issue. Please see issue #2170, for more details.
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
index 1edaff48eb..8c6be18182 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
@@ -8,15 +8,15 @@ command line.
 
 Windows Server 2016 image for an Azure Confidential Compute VM has a Windows version
 lower than 1709, and therefore you need to install PSW v2.4 or above manually.
-You can download [PSW v2.4](http://registrationcenter-download.intel.com/akdlm/irc_nas/15654/Intel%20SGX%20PSW%20for%20Windows%20v2.4.100.51291.exe),
+You can download [PSW v2.5](http://registrationcenter-download.intel.com/akdlm/irc_nas/15929/Intel%20SGX%20PSW%20for%20Windows%20v2.5.100.2.exe),
 extract the zipped files, and run the executable under folder **PSW_EXE_RS2_and_before**
-to install PSW 2.4.
+to install PSW 2.5.
 
 You can verify that the correct version of Intel SGX PSW is installed by using
 Windows Explorer to open `C:\Windows\System32`. You should be able to find
 file `sgx_urts.dll` if PSW is installed. Right click on `sgx_urts.dll`,
 choose `Properties` and then find `Product version` on the `Details` tab.
-The version should be "2.4.xxx.xxx" or above.
+The version should be "2.5.xxx.xxx" or above.
 
 To verify that Intel SGX PSW is running, use the following command:
 
@@ -38,13 +38,17 @@ The Intel Enclave Common API library is necessary for creating, initializing, an
 It does not supporting quoting, and consequentially, attestation which is based on quoting. The lack
 of quoting capability is a limitation of SGX1 machines which don't have FLC support.
 
-Firstly we download Intel SGX and DCAP library from [here](http://registrationcenter-download.intel.com/akdlm/irc_nas/15650/Intel%20SGX%20DCAP%20for%20Windows%20v1.2.100.49925.exe). Run the executable to unzip files to a specified location.
-The following summary will assume that the contents were extracted to `C:\Intel SGX DCAP for Windows v1.2.100.49925`:
+Firstly we download the Intel SGX DCAP self-extracting executable from [here](http://registrationcenter-download.intel.com/akdlm/irc_nas/16014/Intel%20SGX%20DCAP%20for%20Windows%20v1.3.100.4.exe). Run the executable to unzip files to a specified location.
+The following summary will assume that the contents were extracted to `C:\Intel SGX DCAP for Windows v1.3.100.4`:
 
 Make sure you have [nuget cli tool](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) installed and in your path,
 run the following command from a command prompt (assuming you would like the package to be installed to `C:\oe_prereqs`):
 ```cmd
+<<<<<<< HEAD
 nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory C:\oe_prereqs
+=======
+nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.3.100.4\nuget" -OutputDirectory C:\path\to\where\you\would\like\to\install\intel_nuget_packages
+>>>>>>> Update all docs and ansible to use latest Intel SGX versions
 ```
 
 You can verify that the library is installed properly by checking whether `sgx_enclave_common.lib` exists in the folder `C:\oe_prereqs`.
diff --git a/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_16.04.md b/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_16.04.md
index 2c98286465..f663adf86f 100644
--- a/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_16.04.md
+++ b/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_16.04.md
@@ -26,7 +26,7 @@ wget -qO - https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add
 ```bash
 sudo apt update
 sudo apt -y install dkms
-wget https://download.01.org/intel-sgx/dcap-1.2/linux/dcap_installers/ubuntuServer16.04/sgx_linux_x64_driver_1.12_c110012.bin -O sgx_linux_x64_driver.bin
+wget https://download.01.org/intel-sgx/sgx-dcap/1.3/linux/distro/ubuntuServer16.04/sgx_linux_x64_driver_1.13.bin -O sgx_linux_x64_driver.bin
 chmod +x sgx_linux_x64_driver.bin
 sudo ./sgx_linux_x64_driver.bin
 ```
diff --git a/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_18.04.md b/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_18.04.md
index f0c9a373dc..11b11f46a0 100644
--- a/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_18.04.md
+++ b/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_18.04.md
@@ -26,7 +26,7 @@ wget -qO - https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add
 ```bash
 sudo apt update
 sudo apt -y install dkms
-wget https://download.01.org/intel-sgx/dcap-1.2/linux/dcap_installers/ubuntuServer18.04/sgx_linux_x64_driver_1.12_c110012.bin -O sgx_linux_x64_driver.bin
+wget https://download.01.org/intel-sgx/sgx-dcap/1.3/linux/distro/ubuntuServer18.04/sgx_linux_x64_driver_1.13.bin -O sgx_linux_x64_driver.bin
 chmod +x sgx_linux_x64_driver.bin
 sudo ./sgx_linux_x64_driver.bin
 ```
diff --git a/scripts/ansible/oe-windows-acc-setup.yml b/scripts/ansible/oe-windows-acc-setup.yml
index 27f5b8675c..05008bcd50 100644
--- a/scripts/ansible/oe-windows-acc-setup.yml
+++ b/scripts/ansible/oe-windows-acc-setup.yml
@@ -8,12 +8,10 @@
   tasks:
     - name: OE setup | Set installer URLs from the OE storage account
       set_fact:
-        intel_psw_2_2_url:   "https://oejenkins.blob.core.windows.net/oejenkins/intel_sgx_win_2.2.100.47975_PV.zip"
-        intel_psw_2_2_hash:  "EB479D1E029D51E48E534C284FCF5CCA3A937DA43052DCB2F4C71E5F354CA623"
-        intel_psw_2_4_url:   "https://oejenkins.blob.core.windows.net/oejenkins/Intel%20SGX%20PSW%20for%20Windows%20v2.4.100.51291.exe"
-        intel_psw_2_4_hash:  "79AE32E984B5511CE4BF7568403333F837FBCE7E8D5730271C5D68F55BBF251D"
-        intel_dcap_url:      "https://oejenkins.blob.core.windows.net/oejenkins/Intel%20SGX%20DCAP%20for%20Windows%20v1.2.100.49925.exe"
-        intel_dcap_hash:     "F31E4451CA32E19CA3DCB0AFC49AFE9F4963C47BF62AAF24A8AE436BDA14FD8B"
+        intel_psw_url:       "https://oejenkins.blob.core.windows.net/oejenkins/Intel%20SGX%20PSW%20for%20Windows%20v2.5.100.2.exe"
+        intel_psw_hash:      "744B52C2DEDA3EC2AAC495A4F671FE574C506C35523028584A74469911FB0707"
+        intel_dcap_url:      "https://oejenkins.blob.core.windows.net/oejenkins/Intel%20SGX%20DCAP%20for%20Windows%20v1.3.100.4.exe"
+        intel_dcap_hash:     "B74C12B68BBDB942A6FB74A14BBCEDE05E37B3388693CB3EEA2D7DB520E83572"
         git_url:             "https://oejenkins.blob.core.windows.net/oejenkins/Git-2.19.1-64-bit.exe"
         git_hash:            "5E11205840937DD4DFA4A2A7943D08DA7443FAA41D92CCC5DAFBB4F82E724793"
         seven_zip_url:       "https://oejenkins.blob.core.windows.net/oejenkins/7z1806-x64.msi"
@@ -38,8 +36,8 @@
         -InstallPath         "C:\openenclave"
         -LaunchConfiguration "{{ 'SGX1FLC' if dcap_testing_node is defined and dcap_testing_node == 'true' else 'SGX1' }}"
         -DCAPClientType      "{{ 'Azure' }}"
-        -IntelPSWURL         "{{ intel_psw_2_4_url if dcap_testing_node is defined and dcap_testing_node == 'true' else intel_psw_2_2_url }}"
-        -IntelPSWHash        "{{ intel_psw_2_4_hash if dcap_testing_node is defined and dcap_testing_node == 'true' else intel_psw_2_2_hash }}"
+        -IntelPSWURL         "{{ intel_psw_url }}"
+        -IntelPSWHash        "{{ intel_psw_hash }}"
         -IntelDCAPURL        "{{ intel_dcap_url }}"
         -IntelDCAPHash       "{{ intel_dcap_hash }}"
         -GitURL              "{{ git_url }}"
diff --git a/scripts/ansible/roles/linux/intel/vars/bionic.yml b/scripts/ansible/roles/linux/intel/vars/bionic.yml
index 6eef9fb8dc..37885e985f 100644
--- a/scripts/ansible/roles/linux/intel/vars/bionic.yml
+++ b/scripts/ansible/roles/linux/intel/vars/bionic.yml
@@ -2,7 +2,7 @@
 # Licensed under the MIT License.
 
 ---
-intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/dcap-1.2/linux/dcap_installers/ubuntuServer18.04/sgx_linux_x64_driver_1.12_c110012.bin"
-intel_sgx1_driver_url: "https://download.01.org/intel-sgx/linux-2.6/ubuntu18.04-server/sgx_linux_x64_driver_2.5.0_2605efa.bin"
+intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/sgx-dcap/1.3/linux/distro/ubuntuServer18.04/sgx_linux_x64_driver_1.13.bin"
+intel_sgx1_driver_url: "https://download.01.org/intel-sgx/sgx-linux/2.7/distro/ubuntu18.04-server/sgx_linux_x64_driver_2.6.0_4f5bb63.bin"
 intel_sgx_package_dependencies:
   - "libprotobuf10"
diff --git a/scripts/ansible/roles/linux/intel/vars/xenial.yml b/scripts/ansible/roles/linux/intel/vars/xenial.yml
index 8bce765113..0f8656b6aa 100644
--- a/scripts/ansible/roles/linux/intel/vars/xenial.yml
+++ b/scripts/ansible/roles/linux/intel/vars/xenial.yml
@@ -2,7 +2,7 @@
 # Licensed under the MIT License.
 
 ---
-intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/dcap-1.2/linux/dcap_installers/ubuntuServer16.04/sgx_linux_x64_driver_1.12_c110012.bin"
-intel_sgx1_driver_url: "https://download.01.org/intel-sgx/linux-2.6/ubuntu16.04-server/sgx_linux_x64_driver_2.5.0_2605efa.bin"
+intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/sgx-dcap/1.3/linux/distro/ubuntuServer16.04/sgx_linux_x64_driver_1.13.bin"
+intel_sgx1_driver_url: "https://download.01.org/intel-sgx/sgx-linux/2.7/distro/ubuntu16.04-server/sgx_linux_x64_driver_2.6.0_4f5bb63.bin"
 intel_sgx_package_dependencies:
   - "libprotobuf9v5"

From cf891b1a3a79f563c976a8b4512eba35a829f28c Mon Sep 17 00:00:00 2001
From: Sergio Wong <sergio.wong@gmail.com>
Date: Thu, 31 Oct 2019 17:20:42 +0000
Subject: [PATCH 232/420] Fixed report test case to update oe_datetime_t
 correctly.

---
 tests/report/common/tests.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/report/common/tests.cpp b/tests/report/common/tests.cpp
index 5af8db3ac8..7827b65adb 100644
--- a/tests/report/common/tests.cpp
+++ b/tests/report/common/tests.cpp
@@ -1352,7 +1352,7 @@ void test_verify_report_with_collaterals()
                 &valid_until,
                 NULL) == OE_OK);
 
-        valid_from.seconds -= 1;
+        valid_from.year -= 1;
         OE_TEST(
             VerifyReportWithCollaterals(
                 report_buffer_ptr,
@@ -1362,7 +1362,7 @@ void test_verify_report_with_collaterals()
                 &valid_from,
                 NULL) == OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD);
 
-        valid_until.seconds += 1;
+        valid_until.year += 1;
         OE_TEST(
             VerifyReportWithCollaterals(
                 report_buffer_ptr,

From 2d6ef56c808b74dc900d4afba08aa446439fe2c1 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Thu, 31 Oct 2019 10:54:09 -0700
Subject: [PATCH 233/420] Add links to the project readme for how to build and
 install the project.

---
 README.md | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index ef6b665d1f..4e7725f5b2 100644
--- a/README.md
+++ b/README.md
@@ -40,9 +40,6 @@ If you would like to run Ubuntu 16.04 or Ubuntu 18.04 in a Hyper-V VM on SGX
 capable hardware, see
 [Setting up a Linux Hyper-V VM on Windows with SGX Support](docs/GettingStartedDocs/HyperVLinuxVMSetup.md).
 
-If you would like to modify and build the Open Enclave SDK from sources, refer
-to the documents for [getting started](docs/GettingStartedDocs/Contributors/building_oe_sdk.md).
-
 ### OP-TEE OS (ARM TrustZone)
 
 The Open Enclave SDK provides preview support for the Open Portable TEE OS
@@ -70,10 +67,11 @@ For more information see the
 or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any
 additional questions or comments.
 
-See the [Development Guide](docs/DevelopmentGuide.md) for details about
-contributing code to this project, such as coding style and development
-processes. Also see our [Governance Model](docs/Governance.md) for how we
-maintain the project.
+If you are interested in contributing directly to the codebase, please see the following
+documentation:
+- [Development Guide](docs/DevelopmentGuide.md)
+- [Governance Model](docs/Governance.md)
+- [Build SDK and run tests](docs/GettingStartedDocs/Contributors/building_oe_sdk.md)
 
 Licensing
 =========

From 61f3946423935207dbe901bbc0dcf8bcb58b2582 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Fri, 27 Sep 2019 22:11:44 +0000
Subject: [PATCH 234/420] Move main.ml and Emitter.ml to src subdirectory

---
 tools/oeedger8r/{ => src}/Emitter.ml | 0
 tools/oeedger8r/{ => src}/main.ml    | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename tools/oeedger8r/{ => src}/Emitter.ml (100%)
 rename tools/oeedger8r/{ => src}/main.ml (100%)

diff --git a/tools/oeedger8r/Emitter.ml b/tools/oeedger8r/src/Emitter.ml
similarity index 100%
rename from tools/oeedger8r/Emitter.ml
rename to tools/oeedger8r/src/Emitter.ml
diff --git a/tools/oeedger8r/main.ml b/tools/oeedger8r/src/main.ml
similarity index 100%
rename from tools/oeedger8r/main.ml
rename to tools/oeedger8r/src/main.ml

From 394dd53b00e1564499ae0a176b5bb9b65f9fe31a Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Fri, 27 Sep 2019 22:12:18 +0000
Subject: [PATCH 235/420] Rename main.ml to Oeedgr8r.ml for dune

---
 tools/oeedger8r/src/{main.ml => Oeedger8r.ml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename tools/oeedger8r/src/{main.ml => Oeedger8r.ml} (100%)

diff --git a/tools/oeedger8r/src/main.ml b/tools/oeedger8r/src/Oeedger8r.ml
similarity index 100%
rename from tools/oeedger8r/src/main.ml
rename to tools/oeedger8r/src/Oeedger8r.ml

From 560feca1d034fd1d4b4354304ad2489f179071c5 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Fri, 27 Sep 2019 22:19:12 +0000
Subject: [PATCH 236/420] Add Dune build system to oeedger8r

---
 scripts/.check-license.ignore  |  3 ++-
 tools/oeedger8r/dune-project   |  4 ++++
 tools/oeedger8r/intel/dune     | 12 ++++++++++++
 tools/oeedger8r/oeedger8r.opam |  0
 tools/oeedger8r/src/dune       |  7 +++++++
 5 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 tools/oeedger8r/dune-project
 create mode 100644 tools/oeedger8r/intel/dune
 create mode 100644 tools/oeedger8r/oeedger8r.opam
 create mode 100644 tools/oeedger8r/src/dune

diff --git a/scripts/.check-license.ignore b/scripts/.check-license.ignore
index a0e18cad83..9688f56960 100644
--- a/scripts/.check-license.ignore
+++ b/scripts/.check-license.ignore
@@ -64,7 +64,8 @@ tests/print/printhost\.stderr
 tests/print/printhost\.stdout
 tests/str/test1\.txt
 tools/oeedger8r/\.merlin
-tools/oeedger8r/main\.ml
+tools/oeedger8r/oeedger8r.opam
+tools/oeedger8r/src/Oeedger8r\.ml
 tools/oesign/getopt\.h
 tools/oesign/getopt_long\.c
 tests/host_verify/data/.*
diff --git a/tools/oeedger8r/dune-project b/tools/oeedger8r/dune-project
new file mode 100644
index 0000000000..7f91886730
--- /dev/null
+++ b/tools/oeedger8r/dune-project
@@ -0,0 +1,4 @@
+(lang dune 1.2)
+
+; Copyright (c) Microsoft Corporation. All rights reserved.
+; Licensed under the MIT License.
diff --git a/tools/oeedger8r/intel/dune b/tools/oeedger8r/intel/dune
new file mode 100644
index 0000000000..1978258575
--- /dev/null
+++ b/tools/oeedger8r/intel/dune
@@ -0,0 +1,12 @@
+(library
+  (name intel)
+  (synopsis "Upstream Intel edger8r")
+  (wrapped false) ; TODO: We need to transition this to true.
+  (libraries str unix))
+
+(ocamllex Lexer)
+
+(ocamlyacc Parser)
+
+; TODO: Upstream code has a lot of warnings still.
+(env (dev (flags (:standard -warn-error -A))))
diff --git a/tools/oeedger8r/oeedger8r.opam b/tools/oeedger8r/oeedger8r.opam
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/tools/oeedger8r/src/dune b/tools/oeedger8r/src/dune
new file mode 100644
index 0000000000..22805fda6f
--- /dev/null
+++ b/tools/oeedger8r/src/dune
@@ -0,0 +1,7 @@
+; Copyright (c) Microsoft Corporation. All rights reserved.
+; Licensed under the MIT License.
+
+(executable
+  (name oeedger8r)
+  (public_name oeedger8r)
+  (libraries intel))

From 7fb4910b58a6605def49dd3a95987e3058b71c66 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Fri, 27 Sep 2019 22:19:36 +0000
Subject: [PATCH 237/420] Fix warnings in Emitter

---
 tools/oeedger8r/src/Emitter.ml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/oeedger8r/src/Emitter.ml b/tools/oeedger8r/src/Emitter.ml
index dfdc46c9b3..ee016ad0e8 100644
--- a/tools/oeedger8r/src/Emitter.ml
+++ b/tools/oeedger8r/src/Emitter.ml
@@ -619,7 +619,7 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
     in
     let with_errno = List.exists (fun uf -> uf.uf_propagate_errno) ufs in
     let guard_macro =
-      "EDGER8R_" ^ String.uppercase ec.enclave_name ^ "_ARGS_H"
+      "EDGER8R_" ^ String.uppercase_ascii ec.enclave_name ^ "_ARGS_H"
     in
     [ "#ifndef " ^ guard_macro
     ; "#define " ^ guard_macro
@@ -1271,7 +1271,7 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
           ufs
       else ["/* There were no ocalls. */"]
     in
-    let guard = "EDGER8R_" ^ String.uppercase ec.file_shortnm ^ "_T_H" in
+    let guard = "EDGER8R_" ^ String.uppercase_ascii ec.file_shortnm ^ "_T_H" in
     [ "#ifndef " ^ guard
     ; "#define " ^ guard
     ; ""
@@ -1349,7 +1349,7 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
         List.map (fun f -> oe_gen_prototype f.uf_fdecl ^ ";") ufs
       else ["/* There were no ocalls. */"]
     in
-    let guard = "EDGER8R_" ^ String.uppercase ec.file_shortnm ^ "_U_H" in
+    let guard = "EDGER8R_" ^ String.uppercase_ascii ec.file_shortnm ^ "_U_H" in
     [ "#ifndef " ^ guard
     ; "#define " ^ guard
     ; ""

From 932e366e4e6ec0682e261dd02554994656557aef Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Fri, 27 Sep 2019 22:20:39 +0000
Subject: [PATCH 238/420] Add Esy build wrapper for oeedger8r

---
 tools/oeedger8r/package.json | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 tools/oeedger8r/package.json

diff --git a/tools/oeedger8r/package.json b/tools/oeedger8r/package.json
new file mode 100644
index 0000000000..f3a69f88f6
--- /dev/null
+++ b/tools/oeedger8r/package.json
@@ -0,0 +1,26 @@
+{
+  "name": "oeedger8r",
+  "version": "0.6.0",
+  "description": "The Open Enclave SDK's oeedger8r",
+  "license": "MIT",
+
+  "esy": {
+    "build": "dune build -p #{self.name}",
+    "release": {
+      "bin": "oeedger8r",
+      "includePackages": [
+        "root"
+      ]
+    }
+  },
+
+  "dependencies": {
+    "@opam/dune": "~1.2",
+    "ocaml": "~4.6.0"
+  },
+
+  "devDependencies": {
+    "@opam/merlin": "^3.0.3",
+    "ocaml": "~4.6.0"
+  }
+}

From 892c1de7a94b6a1da286b2a7899fdf17a383c132 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Fri, 27 Sep 2019 22:20:49 +0000
Subject: [PATCH 239/420] Add probably wrong gitignore for oeedger8r

---
 tools/oeedger8r/.gitignore | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 tools/oeedger8r/.gitignore

diff --git a/tools/oeedger8r/.gitignore b/tools/oeedger8r/.gitignore
new file mode 100644
index 0000000000..ce05bd9c2d
--- /dev/null
+++ b/tools/oeedger8r/.gitignore
@@ -0,0 +1,9 @@
+.merlin
+node_modules/
+_build
+_esy
+_release
+*.byte
+*.native
+*.install
+esy.lock
\ No newline at end of file

From 5cb4d352144095af33e7b13e13628b331548a40b Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Mon, 30 Sep 2019 19:02:08 +0000
Subject: [PATCH 240/420] Upgrade to Dune 1.11

This upgrade allows us to generate the `oeedger8r.opam` file within Dune
itself, consequently also providing more metadata in the build.

We can also revert to the conventional `main.ml` naming style as the
package has a `public_name` instead.
---
 scripts/.check-license.ignore                 |  3 +--
 tools/oeedger8r/dune-project                  | 16 +++++++++++++++-
 tools/oeedger8r/oeedger8r.opam                |  0
 tools/oeedger8r/package.json                  |  2 +-
 tools/oeedger8r/src/dune                      |  2 +-
 tools/oeedger8r/src/{Oeedger8r.ml => main.ml} |  0
 6 files changed, 18 insertions(+), 5 deletions(-)
 delete mode 100644 tools/oeedger8r/oeedger8r.opam
 rename tools/oeedger8r/src/{Oeedger8r.ml => main.ml} (100%)

diff --git a/scripts/.check-license.ignore b/scripts/.check-license.ignore
index 9688f56960..2edca38b50 100644
--- a/scripts/.check-license.ignore
+++ b/scripts/.check-license.ignore
@@ -64,8 +64,7 @@ tests/print/printhost\.stderr
 tests/print/printhost\.stdout
 tests/str/test1\.txt
 tools/oeedger8r/\.merlin
-tools/oeedger8r/oeedger8r.opam
-tools/oeedger8r/src/Oeedger8r\.ml
+tools/oeedger8r/src/main\.ml
 tools/oesign/getopt\.h
 tools/oesign/getopt_long\.c
 tests/host_verify/data/.*
diff --git a/tools/oeedger8r/dune-project b/tools/oeedger8r/dune-project
index 7f91886730..ce5fc89758 100644
--- a/tools/oeedger8r/dune-project
+++ b/tools/oeedger8r/dune-project
@@ -1,4 +1,18 @@
-(lang dune 1.2)
+(lang dune 1.11)
 
 ; Copyright (c) Microsoft Corporation. All rights reserved.
 ; Licensed under the MIT License.
+
+(name oeedger8r)
+(license MIT)
+(version 0.7.0)
+(authors "Open Enclave SDK")
+(maintainers "Open Enclave SDK")
+(source (github openenclave/openenclave))
+
+(package
+  (name oeedger8r)
+  (synopsis "An OCaml tool for processing Enclave Definition Language files")
+  (description "Generates edge routines from EDL files for the Open Enclave SDK")
+  (depends
+    (dune (>= 1.11))))
diff --git a/tools/oeedger8r/oeedger8r.opam b/tools/oeedger8r/oeedger8r.opam
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/tools/oeedger8r/package.json b/tools/oeedger8r/package.json
index f3a69f88f6..1a3ea0eded 100644
--- a/tools/oeedger8r/package.json
+++ b/tools/oeedger8r/package.json
@@ -15,7 +15,7 @@
   },
 
   "dependencies": {
-    "@opam/dune": "~1.2",
+    "@opam/dune": "~1.11.3",
     "ocaml": "~4.6.0"
   },
 
diff --git a/tools/oeedger8r/src/dune b/tools/oeedger8r/src/dune
index 22805fda6f..28671cc78b 100644
--- a/tools/oeedger8r/src/dune
+++ b/tools/oeedger8r/src/dune
@@ -2,6 +2,6 @@
 ; Licensed under the MIT License.
 
 (executable
-  (name oeedger8r)
+  (name main)
   (public_name oeedger8r)
   (libraries intel))
diff --git a/tools/oeedger8r/src/Oeedger8r.ml b/tools/oeedger8r/src/main.ml
similarity index 100%
rename from tools/oeedger8r/src/Oeedger8r.ml
rename to tools/oeedger8r/src/main.ml

From 59306e9f53e52525a1f8bed6a472d1f12f6be36a Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 1 Oct 2019 21:58:48 +0000
Subject: [PATCH 241/420] Make CMake drive esy instead of ocamlopt

---
 tools/oeedger8r/CMakeLists.txt | 76 ++++++++++------------------------
 1 file changed, 23 insertions(+), 53 deletions(-)

diff --git a/tools/oeedger8r/CMakeLists.txt b/tools/oeedger8r/CMakeLists.txt
index 7189b9c0a6..863ea28fce 100644
--- a/tools/oeedger8r/CMakeLists.txt
+++ b/tools/oeedger8r/CMakeLists.txt
@@ -6,69 +6,39 @@
 # do not emit to the current working directory, they always emit to
 # the location of the input file.
 
-# Check prerequisites
-find_program(OCAMLLEX ocamllex)
-find_program(OCAMLYACC ocamlyacc)
-find_program(OCAMLOPT ocamlopt)
-if ((NOT OCAMLLEX) OR (NOT OCAMLYACC) OR (NOT OCAMLOPT))
-  message(FATAL_ERROR "Please check your OCAML installation and make sure you installed 'ocaml-native-compilers'")
+find_program(ESY esy)
+if (NOT ESY)
+  message(FATAL_ERROR "Please check your esy installation")
 endif ()
 
-# Generate Lexer.
+# TODO: Figure out how to produce artifacts in the build directory.
+message("oeedger8r is built in its source directory")
+set(BINARY ${CMAKE_CURRENT_SOURCE_DIR}/_release/bin/oeedger8r${CMAKE_EXECUTABLE_SUFFIX})
 add_custom_command(
-  OUTPUT Lexer.ml
-  COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/intel/Lexer.mll ${CMAKE_CURRENT_BINARY_DIR}
-  COMMAND ocamllex Lexer.mll
-  DEPENDS intel/Lexer.mll)
-
-# Generate Parser.
-add_custom_command(
-  OUTPUT Parser.ml Parser.mli
-  COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/intel/Parser.mly ${CMAKE_CURRENT_BINARY_DIR}
-  COMMAND ocamlyacc Parser.mly
-  DEPENDS intel/Parser.mly)
-
-# Compile
-set(BINARY oeedger8r${CMAKE_EXECUTABLE_SUFFIX})
-add_custom_command(
-    OUTPUT ${BINARY}
-    COMMAND ocamlopt -c -bin-annot -I . -o Ast.cmx          ${CMAKE_CURRENT_SOURCE_DIR}/intel/Ast.ml
-    COMMAND ocamlopt -c -bin-annot -I . -o Util.cmx         ${CMAKE_CURRENT_SOURCE_DIR}/intel/Util.ml
-    COMMAND ocamlopt -c -bin-annot -I . -o SimpleStack.cmx  ${CMAKE_CURRENT_SOURCE_DIR}/intel/SimpleStack.ml
-    COMMAND ocamlopt -c -bin-annot -I . -o Plugin.cmx       ${CMAKE_CURRENT_SOURCE_DIR}/intel/Plugin.ml
-    COMMAND ocamlopt -c -bin-annot -I . -o Preprocessor.cmx ${CMAKE_CURRENT_SOURCE_DIR}/intel/Preprocessor.ml
-    COMMAND ocamlopt -c -bin-annot -I . -o Parser.cmi       ${CMAKE_CURRENT_BINARY_DIR}/Parser.mli
-    COMMAND ocamlopt -c -bin-annot -I . -o Parser.cmx       ${CMAKE_CURRENT_BINARY_DIR}/Parser.ml
-    COMMAND ocamlopt -c -bin-annot -I . -o Lexer.cmx        ${CMAKE_CURRENT_BINARY_DIR}/Lexer.ml
-    COMMAND ocamlopt -c -bin-annot -I . -o CodeGen.cmx      ${CMAKE_CURRENT_SOURCE_DIR}/intel/CodeGen.ml
-    COMMAND ocamlopt -c -bin-annot -I . -o Emitter.cmx      ${CMAKE_CURRENT_SOURCE_DIR}/Emitter.ml
-    COMMAND ocamlopt -c -bin-annot -I . -o main.cmx         ${CMAKE_CURRENT_SOURCE_DIR}/main.ml
-    COMMAND ocamlopt str.cmxa unix.cmxa Ast.cmx Util.cmx SimpleStack.cmx Plugin.cmx
-                     Preprocessor.cmx Parser.cmx Lexer.cmx CodeGen.cmx Emitter.cmx main.cmx
-                     -o ${BINARY}
-
-    # Add dependency to generated Lexer and Parser, and all of the sources.
-    DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/Lexer.ml
-            ${CMAKE_CURRENT_BINARY_DIR}/Parser.ml
-            ${CMAKE_CURRENT_BINARY_DIR}/Parser.mli
-            Emitter.ml
-            main.ml
-            intel/Ast.ml
-            intel/CodeGen.ml
-            intel/Edger8r.ml
-            intel/Plugin.ml
-            intel/Preprocessor.ml
-            intel/SimpleStack.ml
-            intel/Util.ml)
+  OUTPUT ${BINARY}
+  COMMAND esy --project=${CMAKE_CURRENT_SOURCE_DIR}
+  # NOTE: This works around a bug: https://github.com/esy/esy/issues/979
+  COMMAND cmake -E env ESY__PROJECT=${CMAKE_CURRENT_SOURCE_DIR} esy npm-release
+  DEPENDS src/Emitter.ml
+          src/main.ml
+          intel/Ast.ml
+          intel/CodeGen.ml
+          intel/Edger8r.ml
+          intel/Lexer.mll
+          intel/Parser.mly
+          intel/Plugin.ml
+          intel/Preprocessor.ml
+          intel/SimpleStack.ml
+          intel/Util.ml)
 
 # The names here are important because the output file must be named
 # `oeedger8r`, and our targets must not clash with that.
 add_executable(edger8r IMPORTED GLOBAL)
-set_target_properties(edger8r PROPERTIES IMPORTED_LOCATION ${CMAKE_CURRENT_BINARY_DIR}/${BINARY})
+set_target_properties(edger8r PROPERTIES IMPORTED_LOCATION ${BINARY})
 add_custom_target(oeedger8r_target DEPENDS ${BINARY})
 add_dependencies(edger8r oeedger8r_target)
 
 # Can't use `install(TARGETS)` on an imported executable, because it
 # causes CMake to crash. Instead, see `openenclave-config.cmake.in`
 # for the manual "export" of this target.
-install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/${BINARY} DESTINATION ${CMAKE_INSTALL_BINDIR})
+install(PROGRAMS ${BINARY} DESTINATION ${CMAKE_INSTALL_BINDIR})

From 1c58f0cb6068186618cb325d1c0d6a8ed05d412d Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 1 Oct 2019 22:12:50 +0000
Subject: [PATCH 242/420] Use `buildsinSource` instead of `npm-release` for esy

---
 tools/oeedger8r/CMakeLists.txt | 4 +---
 tools/oeedger8r/package.json   | 1 +
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/tools/oeedger8r/CMakeLists.txt b/tools/oeedger8r/CMakeLists.txt
index 863ea28fce..ee766e6dd4 100644
--- a/tools/oeedger8r/CMakeLists.txt
+++ b/tools/oeedger8r/CMakeLists.txt
@@ -13,12 +13,10 @@ endif ()
 
 # TODO: Figure out how to produce artifacts in the build directory.
 message("oeedger8r is built in its source directory")
-set(BINARY ${CMAKE_CURRENT_SOURCE_DIR}/_release/bin/oeedger8r${CMAKE_EXECUTABLE_SUFFIX})
+set(BINARY ${CMAKE_CURRENT_SOURCE_DIR}/_build/install/default/bin/oeedger8r${CMAKE_EXECUTABLE_SUFFIX})
 add_custom_command(
   OUTPUT ${BINARY}
   COMMAND esy --project=${CMAKE_CURRENT_SOURCE_DIR}
-  # NOTE: This works around a bug: https://github.com/esy/esy/issues/979
-  COMMAND cmake -E env ESY__PROJECT=${CMAKE_CURRENT_SOURCE_DIR} esy npm-release
   DEPENDS src/Emitter.ml
           src/main.ml
           intel/Ast.ml
diff --git a/tools/oeedger8r/package.json b/tools/oeedger8r/package.json
index 1a3ea0eded..29df79c33a 100644
--- a/tools/oeedger8r/package.json
+++ b/tools/oeedger8r/package.json
@@ -6,6 +6,7 @@
 
   "esy": {
     "build": "dune build -p #{self.name}",
+    "buildsInSource": "_build",
     "release": {
       "bin": "oeedger8r",
       "includePackages": [

From ad4c4253fc4ea2fc7ce2d948f71bc0d9aeb41d49 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Wed, 2 Oct 2019 20:31:08 +0000
Subject: [PATCH 243/420] Copy oeedger8r sources to build before calling esy

---
 tools/oeedger8r/CMakeLists.txt | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/tools/oeedger8r/CMakeLists.txt b/tools/oeedger8r/CMakeLists.txt
index ee766e6dd4..ab62106114 100644
--- a/tools/oeedger8r/CMakeLists.txt
+++ b/tools/oeedger8r/CMakeLists.txt
@@ -11,12 +11,14 @@ if (NOT ESY)
   message(FATAL_ERROR "Please check your esy installation")
 endif ()
 
-# TODO: Figure out how to produce artifacts in the build directory.
-message("oeedger8r is built in its source directory")
-set(BINARY ${CMAKE_CURRENT_SOURCE_DIR}/_build/install/default/bin/oeedger8r${CMAKE_EXECUTABLE_SUFFIX})
+set(BINARY ${CMAKE_CURRENT_BINARY_DIR}/_build/install/default/bin/oeedger8r${CMAKE_EXECUTABLE_SUFFIX})
 add_custom_command(
   OUTPUT ${BINARY}
-  COMMAND esy --project=${CMAKE_CURRENT_SOURCE_DIR}
+  # TODO: This copy command will fail if `esy` is used to build
+  # locally (e.g., for development) as the folder gets too big with
+  # the Node modules etc. We should be more explicit.
+  COMMAND cmake -E copy_directory ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}
+  COMMAND esy
   DEPENDS src/Emitter.ml
           src/main.ml
           intel/Ast.ml

From 1d405b5f425c327fea20a597c8d0dba0a08f1120 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Thu, 3 Oct 2019 23:49:23 +0000
Subject: [PATCH 244/420] Use actual oeedger8r binary instead of symlink

The prior path was actually a symlink made by `esy`, instead we need the
real executable (and we have to rename it upon installation).
---
 tools/oeedger8r/CMakeLists.txt | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/tools/oeedger8r/CMakeLists.txt b/tools/oeedger8r/CMakeLists.txt
index ab62106114..8f77237570 100644
--- a/tools/oeedger8r/CMakeLists.txt
+++ b/tools/oeedger8r/CMakeLists.txt
@@ -11,7 +11,10 @@ if (NOT ESY)
   message(FATAL_ERROR "Please check your esy installation")
 endif ()
 
-set(BINARY ${CMAKE_CURRENT_BINARY_DIR}/_build/install/default/bin/oeedger8r${CMAKE_EXECUTABLE_SUFFIX})
+# An artifact of using `esy` is that the generated binary is always
+# `main.exe` regardless of platform. We rename it for installation in
+# the package.
+set(BINARY ${CMAKE_CURRENT_BINARY_DIR}/_build/default/src/main.exe)
 add_custom_command(
   OUTPUT ${BINARY}
   # TODO: This copy command will fail if `esy` is used to build
@@ -41,4 +44,6 @@ add_dependencies(edger8r oeedger8r_target)
 # Can't use `install(TARGETS)` on an imported executable, because it
 # causes CMake to crash. Instead, see `openenclave-config.cmake.in`
 # for the manual "export" of this target.
-install(PROGRAMS ${BINARY} DESTINATION ${CMAKE_INSTALL_BINDIR})
+install(PROGRAMS ${BINARY}
+  RENAME oeedger8r${CMAKE_EXECUTABLE_SUFFIX}
+  DESTINATION ${CMAKE_INSTALL_BINDIR})

From 753807ac8b3a59d4188a1c9908c92696b89228da Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Fri, 4 Oct 2019 00:15:04 +0000
Subject: [PATCH 245/420] Add dune and esy dependencies to CMake

---
 tools/oeedger8r/CMakeLists.txt | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tools/oeedger8r/CMakeLists.txt b/tools/oeedger8r/CMakeLists.txt
index 8f77237570..9d44577cb9 100644
--- a/tools/oeedger8r/CMakeLists.txt
+++ b/tools/oeedger8r/CMakeLists.txt
@@ -22,8 +22,12 @@ add_custom_command(
   # the Node modules etc. We should be more explicit.
   COMMAND cmake -E copy_directory ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}
   COMMAND esy
-  DEPENDS src/Emitter.ml
+  DEPENDS package.json
+          dune-project
+          src/dune
+          src/Emitter.ml
           src/main.ml
+          intel/dune
           intel/Ast.ml
           intel/CodeGen.ml
           intel/Edger8r.ml

From e129746f97cab31e42b051dc17cba39085d38cae Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Wed, 9 Oct 2019 18:01:35 +0000
Subject: [PATCH 246/420] Be explicit in the files copied to the build tree

---
 tools/oeedger8r/CMakeLists.txt | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/tools/oeedger8r/CMakeLists.txt b/tools/oeedger8r/CMakeLists.txt
index 9d44577cb9..8eca7d3149 100644
--- a/tools/oeedger8r/CMakeLists.txt
+++ b/tools/oeedger8r/CMakeLists.txt
@@ -17,13 +17,18 @@ endif ()
 set(BINARY ${CMAKE_CURRENT_BINARY_DIR}/_build/default/src/main.exe)
 add_custom_command(
   OUTPUT ${BINARY}
-  # TODO: This copy command will fail if `esy` is used to build
-  # locally (e.g., for development) as the folder gets too big with
-  # the Node modules etc. We should be more explicit.
-  COMMAND cmake -E copy_directory ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}
+  # NOTE: We copy only the files we need to build in order to allow
+  # for developers to build in the source tree (as this is easier for
+  # testing changes and new packages and formatting etc.). We cannot
+  # just copy the entire folder as CMake crashes with the
+  # `node_modules`.
+  COMMAND cmake -E copy_directory ${CMAKE_CURRENT_SOURCE_DIR}/esy.lock ${CMAKE_CURRENT_BINARY_DIR}/esy.lock
+  COMMAND cmake -E copy_directory ${CMAKE_CURRENT_SOURCE_DIR}/intel ${CMAKE_CURRENT_BINARY_DIR}/intel
+  COMMAND cmake -E copy_directory ${CMAKE_CURRENT_SOURCE_DIR}/src ${CMAKE_CURRENT_BINARY_DIR}/src
+  COMMAND cmake -E copy_if_different ${CMAKE_CURRENT_SOURCE_DIR}/dune-project ${CMAKE_CURRENT_SOURCE_DIR}/package.json ${CMAKE_CURRENT_BINARY_DIR}
   COMMAND esy
-  DEPENDS package.json
-          dune-project
+  DEPENDS dune-project
+          package.json
           src/dune
           src/Emitter.ml
           src/main.ml

From 528fac45fc6822c098e4916f1a88af69c670e9b1 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Fri, 4 Oct 2019 20:07:52 +0000
Subject: [PATCH 247/420] Add ocamlformat esy/dune support

This adds automatic formatting to the build instead of just an editor
hook.
---
 scripts/.check-license.ignore    | 1 +
 tools/oeedger8r/dune-project     | 2 ++
 tools/oeedger8r/package.json     | 1 +
 tools/oeedger8r/src/.ocamlformat | 0
 4 files changed, 4 insertions(+)
 create mode 100644 tools/oeedger8r/src/.ocamlformat

diff --git a/scripts/.check-license.ignore b/scripts/.check-license.ignore
index 2edca38b50..4b90594367 100644
--- a/scripts/.check-license.ignore
+++ b/scripts/.check-license.ignore
@@ -64,6 +64,7 @@ tests/print/printhost\.stderr
 tests/print/printhost\.stdout
 tests/str/test1\.txt
 tools/oeedger8r/\.merlin
+tools/oeedger8r/src/\.ocamlformat
 tools/oeedger8r/src/main\.ml
 tools/oesign/getopt\.h
 tools/oesign/getopt_long\.c
diff --git a/tools/oeedger8r/dune-project b/tools/oeedger8r/dune-project
index ce5fc89758..dbb3737c98 100644
--- a/tools/oeedger8r/dune-project
+++ b/tools/oeedger8r/dune-project
@@ -10,6 +10,8 @@
 (maintainers "Open Enclave SDK")
 (source (github openenclave/openenclave))
 
+(using fmt 1.2) ; NOTE: Dune 2.0 will make this automatic.
+
 (package
   (name oeedger8r)
   (synopsis "An OCaml tool for processing Enclave Definition Language files")
diff --git a/tools/oeedger8r/package.json b/tools/oeedger8r/package.json
index 29df79c33a..0899fe1bfd 100644
--- a/tools/oeedger8r/package.json
+++ b/tools/oeedger8r/package.json
@@ -22,6 +22,7 @@
 
   "devDependencies": {
     "@opam/merlin": "^3.0.3",
+    "@opam/ocamlformat": "~0.11.0",
     "ocaml": "~4.6.0"
   }
 }
diff --git a/tools/oeedger8r/src/.ocamlformat b/tools/oeedger8r/src/.ocamlformat
new file mode 100644
index 0000000000..e69de29bb2

From 4deac89ac85ff6402210fde3ff2c6d44a50fa632 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Fri, 4 Oct 2019 20:08:26 +0000
Subject: [PATCH 248/420] Use esy/dune generated .merlin files

We no longer need to create these ourselves.
---
 scripts/.check-license.ignore | 1 -
 tools/oeedger8r/.merlin       | 4 ----
 tools/oeedger8r/package.json  | 2 +-
 3 files changed, 1 insertion(+), 6 deletions(-)
 delete mode 100644 tools/oeedger8r/.merlin

diff --git a/scripts/.check-license.ignore b/scripts/.check-license.ignore
index 4b90594367..8d0c8848ee 100644
--- a/scripts/.check-license.ignore
+++ b/scripts/.check-license.ignore
@@ -63,7 +63,6 @@ tests/ocall/debugging\.txt
 tests/print/printhost\.stderr
 tests/print/printhost\.stdout
 tests/str/test1\.txt
-tools/oeedger8r/\.merlin
 tools/oeedger8r/src/\.ocamlformat
 tools/oeedger8r/src/main\.ml
 tools/oesign/getopt\.h
diff --git a/tools/oeedger8r/.merlin b/tools/oeedger8r/.merlin
deleted file mode 100644
index f8064b3f07..0000000000
--- a/tools/oeedger8r/.merlin
+++ /dev/null
@@ -1,4 +0,0 @@
-S intel
-S ../../build/tools/oeedger8r
-
-B ../../build/tools/oeedger8r
diff --git a/tools/oeedger8r/package.json b/tools/oeedger8r/package.json
index 0899fe1bfd..19fa19aa39 100644
--- a/tools/oeedger8r/package.json
+++ b/tools/oeedger8r/package.json
@@ -21,7 +21,7 @@
   },
 
   "devDependencies": {
-    "@opam/merlin": "^3.0.3",
+    "@opam/merlin": "~3.3.2",
     "@opam/ocamlformat": "~0.11.0",
     "ocaml": "~4.6.0"
   }

From ef08e698c206b82579efaeb740379f1e079829f5 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Fri, 4 Oct 2019 20:16:58 +0000
Subject: [PATCH 249/420] Run ocamlformat 0.11 on edger8r

With esy we have access to an up-to-date (and pinned) version of
`ocamlformat`, which also formats our `dune` files. This newer version
also allows us to include only our code, excluding the Intel code (and
the copy of `main.ml`).

Manually, this can be run via `esy dune build @fmt --auto-promote`, but
this will also be integrated into the build system.
---
 scripts/.check-license.ignore           |   1 +
 tools/oeedger8r/intel/dune              |  14 +-
 tools/oeedger8r/src/.ocamlformat-ignore |   1 +
 tools/oeedger8r/src/Emitter.ml          | 221 +++++++++++++++---------
 tools/oeedger8r/src/dune                |   6 +-
 5 files changed, 158 insertions(+), 85 deletions(-)
 create mode 100644 tools/oeedger8r/src/.ocamlformat-ignore

diff --git a/scripts/.check-license.ignore b/scripts/.check-license.ignore
index 8d0c8848ee..3b388968d6 100644
--- a/scripts/.check-license.ignore
+++ b/scripts/.check-license.ignore
@@ -64,6 +64,7 @@ tests/print/printhost\.stderr
 tests/print/printhost\.stdout
 tests/str/test1\.txt
 tools/oeedger8r/src/\.ocamlformat
+tools/oeedger8r/src/\.ocamlformat-ignore
 tools/oeedger8r/src/main\.ml
 tools/oesign/getopt\.h
 tools/oesign/getopt_long\.c
diff --git a/tools/oeedger8r/intel/dune b/tools/oeedger8r/intel/dune
index 1978258575..3bca1f4859 100644
--- a/tools/oeedger8r/intel/dune
+++ b/tools/oeedger8r/intel/dune
@@ -1,12 +1,16 @@
 (library
-  (name intel)
-  (synopsis "Upstream Intel edger8r")
-  (wrapped false) ; TODO: We need to transition this to true.
-  (libraries str unix))
+ (name intel)
+ (synopsis "Upstream Intel edger8r")
+ (wrapped false) ; TODO: We need to transition this to true.
+ (libraries str unix))
 
 (ocamllex Lexer)
 
 (ocamlyacc Parser)
 
 ; TODO: Upstream code has a lot of warnings still.
-(env (dev (flags (:standard -warn-error -A))))
+
+(env
+ (dev
+  (flags
+   (:standard -warn-error -A))))
diff --git a/tools/oeedger8r/src/.ocamlformat-ignore b/tools/oeedger8r/src/.ocamlformat-ignore
new file mode 100644
index 0000000000..d389d15661
--- /dev/null
+++ b/tools/oeedger8r/src/.ocamlformat-ignore
@@ -0,0 +1 @@
+main.ml
diff --git a/tools/oeedger8r/src/Emitter.ml b/tools/oeedger8r/src/Emitter.ml
index ee016ad0e8..f216af89e9 100644
--- a/tools/oeedger8r/src/Emitter.ml
+++ b/tools/oeedger8r/src/Emitter.ml
@@ -13,8 +13,10 @@ open Util
 (** ----- Begin code borrowed and tweaked from {!CodeGen.ml}. ----- *)
 let is_foreign_array (pt : parameter_type) =
   match pt with
-  | PTVal _ -> false
-  | PTPtr (t, a) -> ( match t with Foreign _ -> a.pa_isary | _ -> false )
+  | PTVal _ ->
+      false
+  | PTPtr (t, a) -> (
+    match t with Foreign _ -> a.pa_isary | _ -> false )
 
 (** Get the array declaration from a list of array dimensions. Empty
     [ns] indicates the corresponding declarator is a simple identifier.
@@ -33,7 +35,8 @@ let get_typed_declr_str (ty : atype) (declr : declarator) =
 let is_const_ptr (pt : parameter_type) =
   let aty = get_param_atype pt in
   match pt with
-  | PTVal _ -> false
+  | PTVal _ ->
+      false
   | PTPtr (_, pa) -> (
       if not pa.pa_rdonly then false
       else match aty with Foreign _ -> false | _ -> true )
@@ -59,7 +62,8 @@ let conv_array_to_ptr (pd : pdecl) : pdecl =
     ANumber (List.fold_left (fun acc i -> acc * i) 1 ilist)
   in
   match pt with
-  | PTVal _ -> (pt, declr)
+  | PTVal _ ->
+      (pt, declr)
   | PTPtr (aty, pa) ->
       if is_array declr then
         let tmp_declr = {declr with array_dims= []} in
@@ -85,16 +89,22 @@ let filter_map f l =
 let flatten_map f l = List.flatten (List.map f l)
 
 let is_in_ptr = function
-  | PTVal _ -> false
-  | PTPtr (_, a) -> a.pa_chkptr && a.pa_direction = PtrIn
+  | PTVal _ ->
+      false
+  | PTPtr (_, a) ->
+      a.pa_chkptr && a.pa_direction = PtrIn
 
 let is_out_ptr = function
-  | PTVal _ -> false
-  | PTPtr (_, a) -> a.pa_chkptr && a.pa_direction = PtrOut
+  | PTVal _ ->
+      false
+  | PTPtr (_, a) ->
+      a.pa_chkptr && a.pa_direction = PtrOut
 
 let is_inout_ptr = function
-  | PTVal _ -> false
-  | PTPtr (_, a) -> a.pa_chkptr && a.pa_direction = PtrInOut
+  | PTVal _ ->
+      false
+  | PTPtr (_, a) ->
+      a.pa_chkptr && a.pa_direction = PtrInOut
 
 let is_in_or_inout_ptr (p, _) = is_in_ptr p || is_inout_ptr p
 
@@ -109,8 +119,10 @@ let is_str_or_wstr_ptr (p, _) = is_str_ptr p || is_wstr_ptr p
 (* This tests if the member has a non-empty size attribute,
    implying that it should be marshalled. *)
 let is_marshalled_ptr = function
-  | PTPtr (_, attr) -> attr.pa_size <> empty_ptr_size
-  | PTVal _ -> false
+  | PTPtr (_, attr) ->
+      attr.pa_size <> empty_ptr_size
+  | PTVal _ ->
+      false
 
 let gen_c_for level count body =
   if count = "1" then body
@@ -150,21 +162,28 @@ let get_type_expr ptype =
   in
   let tystr = get_tystr param_atype in
   match ptype with
-  | PTPtr (_, ptr_attr) when ptr_attr.pa_isptr -> sprintf "*(%s)0" tystr
-  | _ -> tystr
+  | PTPtr (_, ptr_attr) when ptr_attr.pa_isptr ->
+      sprintf "*(%s)0" tystr
+  | _ ->
+      tystr
 
 (** For a list of args and current count, get the corresponding
    argstruct variable name. The prefix is usually, but not always,
    ["_args."].*)
 let oe_get_argstruct prefix args count =
   match args with
-  | [] -> prefix
-  | hd :: _ -> prefix ^ hd ^ gen_c_deref (List.length args) count
+  | [] ->
+      prefix
+  | hd :: _ ->
+      prefix ^ hd ^ gen_c_deref (List.length args) count
 
 let attr_value_to_string argstruct = function
-  | None -> None
-  | Some (ANumber n) -> Some (string_of_int n)
-  | Some (AString s) -> Some (argstruct ^ s)
+  | None ->
+      None
+  | Some (ANumber n) ->
+      Some (string_of_int n)
+  | Some (AString s) ->
+      Some (argstruct ^ s)
 
 (** For a parameter, get its size expression. *)
 let get_param_size (ptype, decl, argstruct) =
@@ -173,10 +192,13 @@ let get_param_size (ptype, decl, argstruct) =
     let size = attr_value_to_string argstruct p.ps_size
     and count = attr_value_to_string argstruct p.ps_count in
     match (size, count) with
-    | Some s, None -> s
-    | None, Some c -> sprintf "(%s * sizeof(%s))" c type_expr
+    | Some s, None ->
+        s
+    | None, Some c ->
+        sprintf "(%s * sizeof(%s))" c type_expr
     (* TODO: Check that this is an even multiple of the size of type. *)
-    | Some s, Some c -> sprintf "(%s * %s)" s c
+    | Some s, Some c ->
+        sprintf "(%s * %s)" s c
     | None, None ->
         sprintf "sizeof(%s%s)" type_expr (get_array_dims decl.array_dims)
   in
@@ -190,12 +212,15 @@ let get_param_size (ptype, decl, argstruct) =
         Some (get_ptr_or_decl_size ptr_attr.pa_size)
       else None
   (* Values have no marshalling size. *)
-  | _ -> None
+  | _ ->
+      None
 
 let oe_get_param_size (ptype, decl, argstruct) =
   match get_param_size (ptype, decl, argstruct) with
-  | Some size -> size
-  | None -> failwithf "Error: No size for " ^ decl.identifier
+  | Some size ->
+      size
+  | None ->
+      failwithf "Error: No size for " ^ decl.identifier
 
 (** For a parameter, get its count expression. *)
 let get_param_count (ptype, decl, argstruct) =
@@ -205,9 +230,12 @@ let get_param_count (ptype, decl, argstruct) =
     and count = attr_value_to_string argstruct p.ps_count in
     match (size, count) with
     (* TODO: Check that these are even multiples of the size of type. *)
-    | Some s, None -> sprintf "(%s / sizeof(%s))" s type_expr
-    | None, Some c -> c
-    | Some s, Some c -> sprintf "((%s * %s) / sizeof(%s))" s c type_expr
+    | Some s, None ->
+        sprintf "(%s / sizeof(%s))" s type_expr
+    | None, Some c ->
+        c
+    | Some s, Some c ->
+        sprintf "((%s * %s) / sizeof(%s))" s c type_expr
     | None, None ->
         let dims = List.map string_of_int decl.array_dims in
         String.concat " * " dims
@@ -224,21 +252,27 @@ let get_param_count (ptype, decl, argstruct) =
         (* TODO: Should be able to return [Some "1"] for plain
            pointers and values. *)
       else None
-  | PTVal _ -> None
+  | PTVal _ ->
+      None
 
 let oe_get_param_count (ptype, decl, argstruct) =
   match get_param_count (ptype, decl, argstruct) with
-  | Some count -> count
-  | None -> failwithf "Error: No count for " ^ decl.identifier
+  | Some count ->
+      count
+  | None ->
+      failwithf "Error: No count for " ^ decl.identifier
 
 (** Generate the prototype for a given function. *)
 let oe_gen_prototype (fd : func_decl) =
   let plist_str =
     let args = List.map gen_parm_str fd.plist in
     match args with
-    | [] -> "void"
-    | [arg] -> arg
-    | _ -> "\n    " ^ String.concat ",\n    " args
+    | [] ->
+        "void"
+    | [arg] ->
+        arg
+    | _ ->
+        "\n    " ^ String.concat ",\n    " args
   in
   sprintf "%s %s(%s)" (get_tystr fd.rtype) fd.fname plist_str
 
@@ -249,14 +283,18 @@ let oe_gen_wrapper_prototype (fd : func_decl) (is_ecall : bool) =
     let args =
       [ (if is_ecall then ["oe_enclave_t* enclave"] else [])
       ; ( match fd.rtype with
-        | Void -> []
-        | _ -> [get_tystr fd.rtype ^ "* _retval"] )
+        | Void ->
+            []
+        | _ ->
+            [get_tystr fd.rtype ^ "* _retval"] )
       ; List.map gen_parm_str fd.plist ]
       |> List.flatten
     in
     match args with
-    | [arg] -> arg
-    | _ -> "\n    " ^ String.concat ",\n    " args
+    | [arg] ->
+        arg
+    | _ ->
+        "\n    " ^ String.concat ",\n    " args
   in
   sprintf "oe_result_t %s(%s)" fd.fname plist_str
 
@@ -271,7 +309,7 @@ let emit_composite_type =
              sprintf "    %s %s%s;"
                (get_tystr (get_param_atype ptype))
                decl.identifier
-               (get_array_dims decl.array_dims) )
+               (get_array_dims decl.array_dims))
            s.smlist)
     ; "} " ^ s.sname ^ ";"
     ; "" ]
@@ -283,7 +321,7 @@ let emit_composite_type =
         (List.map
            (fun (atype, decl) ->
              sprintf "    %s %s%s;" (get_tystr atype) decl.identifier
-               (get_array_dims decl.array_dims) )
+               (get_array_dims decl.array_dims))
            u.umlist)
     ; "} " ^ u.uname ^ ";"
     ; "" ]
@@ -296,17 +334,23 @@ let emit_composite_type =
            (fun (name, value) ->
              sprintf "    %s%s" name
                ( match value with
-               | EnumVal (AString s) -> " = " ^ s
-               | EnumVal (ANumber n) -> " = " ^ string_of_int n
-               | EnumValNone -> "" ) )
+               | EnumVal (AString s) ->
+                   " = " ^ s
+               | EnumVal (ANumber n) ->
+                   " = " ^ string_of_int n
+               | EnumValNone ->
+                   "" ))
            e.enbody)
     ; "} " ^ e.enname ^ ";"
     ; "" ]
   in
   function
-  | StructDef s -> emit_struct s
-  | UnionDef u -> emit_union u
-  | EnumDef e -> emit_enum e
+  | StructDef s ->
+      emit_struct s
+  | UnionDef u ->
+      emit_union u
+  | EnumDef e ->
+      emit_enum e
 
 (** Generate a cast expression for a pointer argument. Pointer
     arguments need to be cast to their root type, since the marshalling
@@ -320,7 +364,8 @@ let emit_composite_type =
     are marshalled as-is. *)
 let get_cast_to_mem_expr (ptype, decl) (parens : bool) =
   match ptype with
-  | PTVal _ -> ""
+  | PTVal _ ->
+      ""
   | PTPtr (t, _) ->
       let tystr = get_tystr t in
       if is_array decl then
@@ -339,7 +384,8 @@ let get_cast_to_mem_expr (ptype, decl) (parens : bool) =
     ]}. *)
 let get_cast_from_mem_expr (ptype, decl) =
   match ptype with
-  | PTVal _ -> ""
+  | PTVal _ ->
+      ""
   | PTPtr (t, attr) ->
       if is_array decl then
         sprintf "*(%s(*)%s)" (get_tystr t) (get_array_dims decl.array_dims)
@@ -358,7 +404,7 @@ let oe_gen_call_user_function (fd : func_decl) =
       (List.map
          (fun (ptype, decl) ->
            let cast_expr = get_cast_from_mem_expr (ptype, decl) in
-           sprintf "    %spargs_in->%s" cast_expr decl.identifier )
+           sprintf "    %spargs_in->%s" cast_expr decl.identifier)
          fd.plist)
     ^ ");" ]
 
@@ -413,15 +459,19 @@ let warn_signed_size_or_count_types (fd : func_decl) =
         let param_name {ps_size; ps_count} =
           match (ps_size, ps_count) with
           (* [s] is the name of the parameter as a string. *)
-          | None, Some (AString s) | Some (AString s), None -> Some s
+          | None, Some (AString s) | Some (AString s), None ->
+              Some s
           (* TODO: Check for [Some (ANumber n)] that [n < 1] *)
-          | _ -> None
+          | _ ->
+              None
         in
         (* Only variables that are pointers where [chkptr] is true may
            have size parameters. *)
         match ptype with
-        | PTPtr (_, a) when a.pa_chkptr -> param_name a.pa_size
-        | _ -> None )
+        | PTPtr (_, a) when a.pa_chkptr ->
+            param_name a.pa_size
+        | _ ->
+            None)
       fd.plist
   in
   (* Print warnings for size parameters that are [Signed]. *)
@@ -434,7 +484,8 @@ let warn_signed_size_or_count_types (fd : func_decl) =
             print_signedness_warning id
         | PTVal (Int i) when i.ia_signedness = Signed ->
             print_signedness_warning id
-        | _ -> () )
+        | _ ->
+            ())
     fd.plist
 
 let warn_size_and_count_params (fd : func_decl) =
@@ -445,14 +496,16 @@ let warn_size_and_count_params (fd : func_decl) =
           "Function '%s': simultaneous 'size' and 'count' parameters '%s' and \
            '%s' are not supported by oeedger8r.\n"
           fd.fname p q
-    | _ -> ()
+    | _ ->
+        ()
   in
   List.iter
     (fun (ptype, _) ->
       match ptype with
       | PTPtr (_, ptr_attr) when ptr_attr.pa_chkptr ->
           print_size_and_count_warning ptr_attr.pa_size
-      | _ -> () )
+      | _ ->
+          ())
     fd.plist
 
 (** Generate the Enclave code. *)
@@ -474,9 +527,9 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
           f.tf_fdecl.fname ;
       if f.tf_is_switchless then
         failwithf
-          "Function '%s': trusted switchless ecalls are not yet supported \
-           by Open Enclave SDK."
-          f.tf_fdecl.fname )
+          "Function '%s': trusted switchless ecalls are not yet supported by \
+           Open Enclave SDK."
+          f.tf_fdecl.fname)
     tfs ;
   List.iter
     (fun f ->
@@ -504,7 +557,7 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
     (fun f ->
       warn_non_portable_types f ;
       warn_signed_size_or_count_types f ;
-      warn_size_and_count_params f )
+      warn_size_and_count_params f)
     funcs ;
   (* End EDL validation. *)
   (* Given [name], return the corresponding [StructDef], or [None]. *)
@@ -527,14 +580,18 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
      return an empty list. *)
   let get_deepcopy_members (a : atype) =
     let should_deepcopy_a = function
-      | Ptr (Struct n) | Ptr (Foreign n) -> get_struct_by_name n
-      | _ -> None
+      | Ptr (Struct n) | Ptr (Foreign n) ->
+          get_struct_by_name n
+      | _ ->
+          None
     in
     (* Only enabled with --experimental! *)
     if ep.experimental then
       match should_deepcopy_a a with
-      | Some s -> List.filter (fun (p, _) -> is_marshalled_ptr p) s.smlist
-      | None -> []
+      | Some s ->
+          List.filter (fun (p, _) -> is_marshalled_ptr p) s.smlist
+      | None ->
+          []
     else []
   in
   let get_function_id (f : func_decl) =
@@ -660,7 +717,8 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
         let size = oe_get_param_size (ptype, decl, argstruct) in
         let arg =
           match args with
-          | [] -> decl.identifier
+          | [] ->
+              decl.identifier
           | hd :: _ ->
               hd ^ gen_c_deref (List.length args) count ^ decl.identifier
         in
@@ -694,7 +752,8 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
         let size = oe_get_param_size (ptype, decl, argstruct) in
         let arg =
           match args with
-          | [] -> decl.identifier
+          | [] ->
+              decl.identifier
           | hd :: _ ->
               hd ^ gen_c_deref (List.length args) count ^ decl.identifier
         in
@@ -767,8 +826,10 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
     let argstruct = oe_get_argstruct "" args count in
     let arg =
       match args with
-      | [] -> id
-      | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ id
+      | [] ->
+          id
+      | hd :: _ ->
+          hd ^ gen_c_deref (List.length args) count ^ id
     in
     let param_count = oe_get_param_count (ptype, decl, argstruct) in
     let members = get_deepcopy_members (get_param_atype ptype) in
@@ -829,7 +890,8 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
         let size = oe_get_param_size (ptype, decl, argstruct) in
         let arg =
           match args with
-          | [] -> decl.identifier
+          | [] ->
+              decl.identifier
           | hd :: _ ->
               hd ^ gen_c_deref (List.length args) count ^ decl.identifier
         in
@@ -847,7 +909,8 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
                    arg size
                in
                match args with
-               | [] -> [s]
+               | [] ->
+                   [s]
                | _ ->
                    let tystr = get_cast_to_mem_expr (ptype, decl) true in
                    [ sprintf "if (%s)" (String.concat " && " (List.rev args))
@@ -896,8 +959,10 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
     let size = oe_get_param_size (ptype, decl, argstruct) in
     let arg =
       match args with
-      | [] -> decl.identifier
-      | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ decl.identifier
+      | [] ->
+          decl.identifier
+      | hd :: _ ->
+          hd ^ gen_c_deref (List.length args) count ^ decl.identifier
     in
     let tystr = get_cast_to_mem_expr (ptype, decl) false in
     gen_c_for (List.length args) count
@@ -920,7 +985,7 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
                 be [SET_IN_OUT], since nested pointers don't actually
                 satisfy either [is_in_ptr] or [is_inout_ptr]
                 predicates. *)
-             if is_in_ptr p then "SET_IN" else "SET_IN_OUT" ))
+             if is_in_ptr p then "SET_IN" else "SET_IN_OUT"))
         (List.filter is_in_or_inout_ptr plist)
     in
     "    "
@@ -937,7 +1002,7 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
                 be [COPY_AND_SET_IN_OUT], since nested pointers don't
                 actually satisfy either [is_out_ptr] or [is_inout_ptr]
                 predicates. *)
-             if is_out_ptr p then "SET_OUT" else "COPY_AND_SET_IN_OUT" ))
+             if is_out_ptr p then "SET_OUT" else "COPY_AND_SET_IN_OUT"))
         (List.filter is_out_or_inout_ptr plist)
     in
     "    "
@@ -997,7 +1062,7 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
              sprintf
                "    OE_CHECK_NULL_TERMINATOR%s(pargs_in->%s, pargs_in->%s_len);"
                (if is_wstr_ptr ptype then "_WIDE" else "")
-               decl.identifier decl.identifier )
+               decl.identifier decl.identifier)
            (List.filter
               (fun p -> is_str_or_wstr_ptr p && is_in_or_inout_ptr p)
               fd.plist)
@@ -1046,8 +1111,10 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
       let argstruct = oe_get_argstruct "_args." args count in
       let arg =
         match args with
-        | [] -> id
-        | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ id
+        | [] ->
+            id
+        | hd :: _ ->
+            hd ^ gen_c_deref (List.length args) count ^ id
       in
       gen_c_for (List.length args) count
         ( [ ( if args <> [] then
diff --git a/tools/oeedger8r/src/dune b/tools/oeedger8r/src/dune
index 28671cc78b..4c3c0d9349 100644
--- a/tools/oeedger8r/src/dune
+++ b/tools/oeedger8r/src/dune
@@ -2,6 +2,6 @@
 ; Licensed under the MIT License.
 
 (executable
-  (name main)
-  (public_name oeedger8r)
-  (libraries intel))
+ (name main)
+ (public_name oeedger8r)
+ (libraries intel))

From bf8e25f53f7890357299fddfadcef611d534b662 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Fri, 4 Oct 2019 23:51:12 +0000
Subject: [PATCH 250/420] Commit esy.lock to lock dependencies

---
 scripts/.check-license.ignore                 |   1 +
 tools/oeedger8r/.gitignore                    |   1 -
 tools/oeedger8r/esy.lock/.gitattributes       |   3 +
 tools/oeedger8r/esy.lock/.gitignore           |   3 +
 tools/oeedger8r/esy.lock/index.json           | 954 ++++++++++++++++++
 .../esy.lock/opam/astring.0.8.3/opam          |  38 +
 .../esy.lock/opam/base-bytes.base/opam        |   9 +
 .../esy.lock/opam/base-threads.base/opam      |   6 +
 .../esy.lock/opam/base-unix.base/opam         |   6 +
 .../oeedger8r/esy.lock/opam/base.v0.12.2/opam |  39 +
 .../oeedger8r/esy.lock/opam/biniou.1.2.1/opam |  45 +
 .../esy.lock/opam/bisect_ppx.1.4.1/opam       |  49 +
 .../esy.lock/opam/cmdliner.1.0.4/opam         |  36 +
 tools/oeedger8r/esy.lock/opam/conf-m4.1/opam  |  22 +
 tools/oeedger8r/esy.lock/opam/cppo.1.6.6/opam |  37 +
 .../opam/dune-configurator.1.0.0/opam         |   9 +
 .../oeedger8r/esy.lock/opam/dune.1.11.3/opam  |  53 +
 .../esy.lock/opam/easy-format.1.3.2/opam      |  46 +
 .../oeedger8r/esy.lock/opam/fpath.0.7.2/opam  |  34 +
 .../oeedger8r/esy.lock/opam/merlin.3.3.2/opam |  70 ++
 .../opam/ocaml-migrate-parsetree.1.4.0/opam   |  37 +
 .../esy.lock/opam/ocamlbuild.0.14.0/opam      |  36 +
 .../opam/ocamlfind.1.8.1/files/ocaml-stub     |   4 +
 .../ocamlfind.1.8.1/files/ocamlfind.install   |   6 +
 .../esy.lock/opam/ocamlfind.1.8.1/opam        |  50 +
 .../esy.lock/opam/ocamlformat.0.11.0/opam     |  35 +
 tools/oeedger8r/esy.lock/opam/odoc.1.4.2/opam |  45 +
 .../esy.lock/opam/ppx_derivers.1.2.1/opam     |  23 +
 .../opam/ppx_tools_versioned.5.2.3/opam       |  30 +
 tools/oeedger8r/esy.lock/opam/re.1.9.0/opam   |  42 +
 tools/oeedger8r/esy.lock/opam/result.1.4/opam |  22 +
 tools/oeedger8r/esy.lock/opam/seq.0.2/opam    |  22 +
 .../esy.lock/opam/sexplib0.v0.12.0/opam       |  26 +
 .../esy.lock/opam/stdio.v0.12.0/opam          |  27 +
 .../oeedger8r/esy.lock/opam/topkg.1.0.1/opam  |  48 +
 .../oeedger8r/esy.lock/opam/tyxml.4.3.0/opam  |  45 +
 .../oeedger8r/esy.lock/opam/uchar.0.0.2/opam  |  36 +
 .../oeedger8r/esy.lock/opam/uucp.12.0.0/opam  |  47 +
 .../oeedger8r/esy.lock/opam/uuseg.12.0.0/opam |  50 +
 tools/oeedger8r/esy.lock/opam/uutf.1.0.2/opam |  40 +
 .../oeedger8r/esy.lock/opam/yojson.1.7.0/opam |  38 +
 .../package.json                              |  14 +
 .../files/ocamlbuild-0.14.0.patch             | 463 +++++++++
 .../package.json                              |  27 +
 .../files/findlib-1.8.1.patch                 | 471 +++++++++
 .../package.json                              |  61 ++
 46 files changed, 3205 insertions(+), 1 deletion(-)
 create mode 100644 tools/oeedger8r/esy.lock/.gitattributes
 create mode 100644 tools/oeedger8r/esy.lock/.gitignore
 create mode 100644 tools/oeedger8r/esy.lock/index.json
 create mode 100644 tools/oeedger8r/esy.lock/opam/astring.0.8.3/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/base-bytes.base/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/base-threads.base/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/base-unix.base/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/base.v0.12.2/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/biniou.1.2.1/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/bisect_ppx.1.4.1/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/cmdliner.1.0.4/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/conf-m4.1/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/cppo.1.6.6/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/dune-configurator.1.0.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/dune.1.11.3/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/easy-format.1.3.2/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/fpath.0.7.2/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/merlin.3.3.2/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/ocaml-migrate-parsetree.1.4.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/ocamlbuild.0.14.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/ocamlfind.1.8.1/files/ocaml-stub
 create mode 100644 tools/oeedger8r/esy.lock/opam/ocamlfind.1.8.1/files/ocamlfind.install
 create mode 100644 tools/oeedger8r/esy.lock/opam/ocamlfind.1.8.1/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/ocamlformat.0.11.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/odoc.1.4.2/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/ppx_derivers.1.2.1/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/ppx_tools_versioned.5.2.3/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/re.1.9.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/result.1.4/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/seq.0.2/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/sexplib0.v0.12.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/stdio.v0.12.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/topkg.1.0.1/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/tyxml.4.3.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/uchar.0.0.2/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/uucp.12.0.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/uuseg.12.0.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/uutf.1.0.2/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/yojson.1.7.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/overrides/opam__s__dune_opam__c__1.11.3_opam_override/package.json
 create mode 100644 tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/files/ocamlbuild-0.14.0.patch
 create mode 100644 tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/package.json
 create mode 100644 tools/oeedger8r/esy.lock/overrides/opam__s__ocamlfind_opam__c__1.8.1_opam_override/files/findlib-1.8.1.patch
 create mode 100644 tools/oeedger8r/esy.lock/overrides/opam__s__ocamlfind_opam__c__1.8.1_opam_override/package.json

diff --git a/scripts/.check-license.ignore b/scripts/.check-license.ignore
index 3b388968d6..d3c87d2fef 100644
--- a/scripts/.check-license.ignore
+++ b/scripts/.check-license.ignore
@@ -33,6 +33,7 @@ tests/mbed/tests\..*$
 3rdparty/optee/patches/.*
 3rdparty/optee/optee_client/.*
 3rdparty/optee/optee_os/.*
+tools/oeedger8r/esy\.lock/.*
 tools/oeedger8r/intel/.*
 
 # Files
diff --git a/tools/oeedger8r/.gitignore b/tools/oeedger8r/.gitignore
index ce05bd9c2d..c1eda1a597 100644
--- a/tools/oeedger8r/.gitignore
+++ b/tools/oeedger8r/.gitignore
@@ -6,4 +6,3 @@ _release
 *.byte
 *.native
 *.install
-esy.lock
\ No newline at end of file
diff --git a/tools/oeedger8r/esy.lock/.gitattributes b/tools/oeedger8r/esy.lock/.gitattributes
new file mode 100644
index 0000000000..25366aee7a
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/.gitattributes
@@ -0,0 +1,3 @@
+
+# Set eol to LF so files aren't converted to CRLF-eol on Windows.
+* text eol=lf
diff --git a/tools/oeedger8r/esy.lock/.gitignore b/tools/oeedger8r/esy.lock/.gitignore
new file mode 100644
index 0000000000..a221be227e
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/.gitignore
@@ -0,0 +1,3 @@
+
+# Reset any possible .gitignore, we want all esy.lock to be un-ignored.
+!*
diff --git a/tools/oeedger8r/esy.lock/index.json b/tools/oeedger8r/esy.lock/index.json
new file mode 100644
index 0000000000..fd00bed78d
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/index.json
@@ -0,0 +1,954 @@
+{
+  "checksum": "cb1294e574fb741d496c675c4b390f6f",
+  "root": "oeedger8r@link-dev:./package.json",
+  "node": {
+    "oeedger8r@link-dev:./package.json": {
+      "id": "oeedger8r@link-dev:./package.json",
+      "name": "oeedger8r",
+      "version": "link-dev:./package.json",
+      "source": {
+        "type": "link-dev",
+        "path": ".",
+        "manifest": "package.json"
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlformat@opam:0.11.0@ec74e6e8",
+        "@opam/merlin@opam:3.3.2@7a364181"
+      ]
+    },
+    "ocaml@4.6.1000@d41d8cd9": {
+      "id": "ocaml@4.6.1000@d41d8cd9",
+      "name": "ocaml",
+      "version": "4.6.1000",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://registry.npmjs.org/ocaml/-/ocaml-4.6.1000.tgz#sha1:99525ef559353481396454f9a072dedc96b52f44"
+        ]
+      },
+      "overrides": [],
+      "dependencies": [],
+      "devDependencies": []
+    },
+    "@opam/yojson@opam:1.7.0@7056d985": {
+      "id": "@opam/yojson@opam:1.7.0@7056d985",
+      "name": "@opam/yojson",
+      "version": "opam:1.7.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/b8/b89d39ca3f8c532abe5f547ad3b8f84d#md5:b89d39ca3f8c532abe5f547ad3b8f84d",
+          "archive:https://github.com/ocaml-community/yojson/releases/download/1.7.0/yojson-1.7.0.tbz#md5:b89d39ca3f8c532abe5f547ad3b8f84d"
+        ],
+        "opam": {
+          "name": "yojson",
+          "version": "1.7.0",
+          "path": "esy.lock/opam/yojson.1.7.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/easy-format@opam:1.3.2@0484b3c4",
+        "@opam/dune@opam:1.11.3@9894df55", "@opam/cppo@opam:1.6.6@f4f83858",
+        "@opam/biniou@opam:1.2.1@d7570399",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/easy-format@opam:1.3.2@0484b3c4",
+        "@opam/dune@opam:1.11.3@9894df55", "@opam/biniou@opam:1.2.1@d7570399"
+      ]
+    },
+    "@opam/uutf@opam:1.0.2@4440868f": {
+      "id": "@opam/uutf@opam:1.0.2@4440868f",
+      "name": "@opam/uutf",
+      "version": "opam:1.0.2",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/a7/a7c542405a39630c689a82bd7ef2292c#md5:a7c542405a39630c689a82bd7ef2292c",
+          "archive:http://erratique.ch/software/uutf/releases/uutf-1.0.2.tbz#md5:a7c542405a39630c689a82bd7ef2292c"
+        ],
+        "opam": {
+          "name": "uutf",
+          "version": "1.0.2",
+          "path": "esy.lock/opam/uutf.1.0.2"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uchar@opam:0.0.2@c8218eea",
+        "@opam/topkg@opam:1.0.1@a42c631e",
+        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+        "@opam/cmdliner@opam:1.0.4@93208aac",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uchar@opam:0.0.2@c8218eea"
+      ]
+    },
+    "@opam/uuseg@opam:12.0.0@bf82c4c7": {
+      "id": "@opam/uuseg@opam:12.0.0@bf82c4c7",
+      "name": "@opam/uuseg",
+      "version": "opam:12.0.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/1d/1d4487ddf5154e3477e55021b978d58a#md5:1d4487ddf5154e3477e55021b978d58a",
+          "archive:https://erratique.ch/software/uuseg/releases/uuseg-12.0.0.tbz#md5:1d4487ddf5154e3477e55021b978d58a"
+        ],
+        "opam": {
+          "name": "uuseg",
+          "version": "12.0.0",
+          "path": "esy.lock/opam/uuseg.12.0.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "@opam/uucp@opam:12.0.0@b7d4c3df", "@opam/uchar@opam:0.0.2@c8218eea",
+        "@opam/topkg@opam:1.0.1@a42c631e",
+        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+        "@opam/cmdliner@opam:1.0.4@93208aac",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uucp@opam:12.0.0@b7d4c3df",
+        "@opam/uchar@opam:0.0.2@c8218eea"
+      ]
+    },
+    "@opam/uucp@opam:12.0.0@b7d4c3df": {
+      "id": "@opam/uucp@opam:12.0.0@b7d4c3df",
+      "name": "@opam/uucp",
+      "version": "opam:12.0.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/cf/cf210ed43375b7f882c0540874e2cb81#md5:cf210ed43375b7f882c0540874e2cb81",
+          "archive:https://erratique.ch/software/uucp/releases/uucp-12.0.0.tbz#md5:cf210ed43375b7f882c0540874e2cb81"
+        ],
+        "opam": {
+          "name": "uucp",
+          "version": "12.0.0",
+          "path": "esy.lock/opam/uucp.12.0.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "@opam/uchar@opam:0.0.2@c8218eea", "@opam/topkg@opam:1.0.1@a42c631e",
+        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+        "@opam/cmdliner@opam:1.0.4@93208aac",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uchar@opam:0.0.2@c8218eea"
+      ]
+    },
+    "@opam/uchar@opam:0.0.2@c8218eea": {
+      "id": "@opam/uchar@opam:0.0.2@c8218eea",
+      "name": "@opam/uchar",
+      "version": "opam:0.0.2",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/c9/c9ba2c738d264c420c642f7bb1cf4a36#md5:c9ba2c738d264c420c642f7bb1cf4a36",
+          "archive:https://github.com/ocaml/uchar/releases/download/v0.0.2/uchar-0.0.2.tbz#md5:c9ba2c738d264c420c642f7bb1cf4a36"
+        ],
+        "opam": {
+          "name": "uchar",
+          "version": "0.0.2",
+          "path": "esy.lock/opam/uchar.0.0.2"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [ "ocaml@4.6.1000@d41d8cd9" ]
+    },
+    "@opam/tyxml@opam:4.3.0@c1da25f1": {
+      "id": "@opam/tyxml@opam:4.3.0@c1da25f1",
+      "name": "@opam/tyxml",
+      "version": "opam:4.3.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/fd/fd834a567f813bf447cab5f4c3a723e2#md5:fd834a567f813bf447cab5f4c3a723e2",
+          "archive:https://github.com/ocsigen/tyxml/releases/download/4.3.0/tyxml-4.3.0.tbz#md5:fd834a567f813bf447cab5f4c3a723e2"
+        ],
+        "opam": {
+          "name": "tyxml",
+          "version": "4.3.0",
+          "path": "esy.lock/opam/tyxml.4.3.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "@opam/seq@opam:0.2@35c16df8", "@opam/re@opam:1.9.0@d4d5e13d",
+        "@opam/dune@opam:1.11.3@9894df55", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "@opam/seq@opam:0.2@35c16df8", "@opam/re@opam:1.9.0@d4d5e13d",
+        "@opam/dune@opam:1.11.3@9894df55"
+      ]
+    },
+    "@opam/topkg@opam:1.0.1@a42c631e": {
+      "id": "@opam/topkg@opam:1.0.1@a42c631e",
+      "name": "@opam/topkg",
+      "version": "opam:1.0.1",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/16/16b90e066d8972a5ef59655e7c28b3e9#md5:16b90e066d8972a5ef59655e7c28b3e9",
+          "archive:http://erratique.ch/software/topkg/releases/topkg-1.0.1.tbz#md5:16b90e066d8972a5ef59655e7c28b3e9"
+        ],
+        "opam": {
+          "name": "topkg",
+          "version": "1.0.1",
+          "path": "esy.lock/opam/topkg.1.0.1"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlbuild@opam:0.14.0@6ac75d03"
+      ]
+    },
+    "@opam/stdio@opam:v0.12.0@04b3b004": {
+      "id": "@opam/stdio@opam:v0.12.0@04b3b004",
+      "name": "@opam/stdio",
+      "version": "opam:v0.12.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/b2/b261ff2d5667fde960c95e50cff668da#md5:b261ff2d5667fde960c95e50cff668da",
+          "archive:https://ocaml.janestreet.com/ocaml-core/v0.12/files/stdio-v0.12.0.tar.gz#md5:b261ff2d5667fde960c95e50cff668da"
+        ],
+        "opam": {
+          "name": "stdio",
+          "version": "v0.12.0",
+          "path": "esy.lock/opam/stdio.v0.12.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
+        "@opam/base@opam:v0.12.2@d687150c",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
+        "@opam/base@opam:v0.12.2@d687150c"
+      ]
+    },
+    "@opam/sexplib0@opam:v0.12.0@e432406d": {
+      "id": "@opam/sexplib0@opam:v0.12.0@e432406d",
+      "name": "@opam/sexplib0",
+      "version": "opam:v0.12.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/24/2486a25d3a94da9a94acc018b5f09061#md5:2486a25d3a94da9a94acc018b5f09061",
+          "archive:https://ocaml.janestreet.com/ocaml-core/v0.12/files/sexplib0-v0.12.0.tar.gz#md5:2486a25d3a94da9a94acc018b5f09061"
+        ],
+        "opam": {
+          "name": "sexplib0",
+          "version": "v0.12.0",
+          "path": "esy.lock/opam/sexplib0.v0.12.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55"
+      ]
+    },
+    "@opam/seq@opam:0.2@35c16df8": {
+      "id": "@opam/seq@opam:0.2@35c16df8",
+      "name": "@opam/seq",
+      "version": "opam:0.2",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/1d/1d5a9d0aba27b22433f518cdc495d0fd#md5:1d5a9d0aba27b22433f518cdc495d0fd",
+          "archive:https://github.com/c-cube/seq/archive/0.2.tar.gz#md5:1d5a9d0aba27b22433f518cdc495d0fd"
+        ],
+        "opam": {
+          "name": "seq",
+          "version": "0.2",
+          "path": "esy.lock/opam/seq.0.2"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55"
+      ]
+    },
+    "@opam/result@opam:1.4@dc720aef": {
+      "id": "@opam/result@opam:1.4@dc720aef",
+      "name": "@opam/result",
+      "version": "opam:1.4",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/d3/d3162dbc501a2af65c8c71e0866541da#md5:d3162dbc501a2af65c8c71e0866541da",
+          "archive:https://github.com/janestreet/result/archive/1.4.tar.gz#md5:d3162dbc501a2af65c8c71e0866541da"
+        ],
+        "opam": {
+          "name": "result",
+          "version": "1.4",
+          "path": "esy.lock/opam/result.1.4"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55"
+      ]
+    },
+    "@opam/re@opam:1.9.0@d4d5e13d": {
+      "id": "@opam/re@opam:1.9.0@d4d5e13d",
+      "name": "@opam/re",
+      "version": "opam:1.9.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/bd/bddaed4f386a22cace7850c9c7dac296#md5:bddaed4f386a22cace7850c9c7dac296",
+          "archive:https://github.com/ocaml/ocaml-re/releases/download/1.9.0/re-1.9.0.tbz#md5:bddaed4f386a22cace7850c9c7dac296"
+        ],
+        "opam": {
+          "name": "re",
+          "version": "1.9.0",
+          "path": "esy.lock/opam/re.1.9.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/seq@opam:0.2@35c16df8",
+        "@opam/dune@opam:1.11.3@9894df55", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/seq@opam:0.2@35c16df8",
+        "@opam/dune@opam:1.11.3@9894df55"
+      ]
+    },
+    "@opam/ppx_tools_versioned@opam:5.2.3@4994ec80": {
+      "id": "@opam/ppx_tools_versioned@opam:5.2.3@4994ec80",
+      "name": "@opam/ppx_tools_versioned",
+      "version": "opam:5.2.3",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/b1/b1455e5a4a1bcd9ddbfcf712ccbd4262#md5:b1455e5a4a1bcd9ddbfcf712ccbd4262",
+          "archive:https://github.com/ocaml-ppx/ppx_tools_versioned/archive/5.2.3.tar.gz#md5:b1455e5a4a1bcd9ddbfcf712ccbd4262"
+        ],
+        "opam": {
+          "name": "ppx_tools_versioned",
+          "version": "5.2.3",
+          "path": "esy.lock/opam/ppx_tools_versioned.5.2.3"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9",
+        "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
+        "@opam/dune@opam:1.11.3@9894df55", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9",
+        "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
+        "@opam/dune@opam:1.11.3@9894df55"
+      ]
+    },
+    "@opam/ppx_derivers@opam:1.2.1@ecf0aa45": {
+      "id": "@opam/ppx_derivers@opam:1.2.1@ecf0aa45",
+      "name": "@opam/ppx_derivers",
+      "version": "opam:1.2.1",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/5d/5dc2bf130c1db3c731fe0fffc5648b41#md5:5dc2bf130c1db3c731fe0fffc5648b41",
+          "archive:https://github.com/ocaml-ppx/ppx_derivers/archive/1.2.1.tar.gz#md5:5dc2bf130c1db3c731fe0fffc5648b41"
+        ],
+        "opam": {
+          "name": "ppx_derivers",
+          "version": "1.2.1",
+          "path": "esy.lock/opam/ppx_derivers.1.2.1"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55"
+      ]
+    },
+    "@opam/odoc@opam:1.4.2@187ed639": {
+      "id": "@opam/odoc@opam:1.4.2@187ed639",
+      "name": "@opam/odoc",
+      "version": "opam:1.4.2",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/d7/d75ce63539040cd199d22203d46fc5f3#md5:d75ce63539040cd199d22203d46fc5f3",
+          "archive:https://github.com/ocaml/odoc/archive/1.4.2.tar.gz#md5:d75ce63539040cd199d22203d46fc5f3"
+        ],
+        "opam": {
+          "name": "odoc",
+          "version": "1.4.2",
+          "path": "esy.lock/opam/odoc.1.4.2"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/tyxml@opam:4.3.0@c1da25f1",
+        "@opam/result@opam:1.4@dc720aef", "@opam/fpath@opam:0.7.2@45477b93",
+        "@opam/dune@opam:1.11.3@9894df55", "@opam/cppo@opam:1.6.6@f4f83858",
+        "@opam/cmdliner@opam:1.0.4@93208aac",
+        "@opam/astring@opam:0.8.3@4e5e17d5",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55"
+      ]
+    },
+    "@opam/ocamlformat@opam:0.11.0@ec74e6e8": {
+      "id": "@opam/ocamlformat@opam:0.11.0@ec74e6e8",
+      "name": "@opam/ocamlformat",
+      "version": "opam:0.11.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/e4/e45a7f2090ad609b9ec1d4391922365e#md5:e45a7f2090ad609b9ec1d4391922365e",
+          "archive:https://github.com/ocaml-ppx/ocamlformat/archive/0.11.0.tar.gz#md5:e45a7f2090ad609b9ec1d4391922365e"
+        ],
+        "opam": {
+          "name": "ocamlformat",
+          "version": "0.11.0",
+          "path": "esy.lock/opam/ocamlformat.0.11.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "@opam/uuseg@opam:12.0.0@bf82c4c7",
+        "@opam/stdio@opam:v0.12.0@04b3b004", "@opam/re@opam:1.9.0@d4d5e13d",
+        "@opam/odoc@opam:1.4.2@187ed639",
+        "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
+        "@opam/fpath@opam:0.7.2@45477b93", "@opam/dune@opam:1.11.3@9894df55",
+        "@opam/cmdliner@opam:1.0.4@93208aac",
+        "@opam/bisect_ppx@opam:1.4.1@e75b441f",
+        "@opam/base-unix@opam:base@87d0b2eb",
+        "@opam/base@opam:v0.12.2@d687150c",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "@opam/uuseg@opam:12.0.0@bf82c4c7",
+        "@opam/stdio@opam:v0.12.0@04b3b004", "@opam/re@opam:1.9.0@d4d5e13d",
+        "@opam/odoc@opam:1.4.2@187ed639",
+        "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
+        "@opam/fpath@opam:0.7.2@45477b93", "@opam/dune@opam:1.11.3@9894df55",
+        "@opam/cmdliner@opam:1.0.4@93208aac",
+        "@opam/bisect_ppx@opam:1.4.1@e75b441f",
+        "@opam/base-unix@opam:base@87d0b2eb",
+        "@opam/base@opam:v0.12.2@d687150c"
+      ]
+    },
+    "@opam/ocamlfind@opam:1.8.1@ff07b0f9": {
+      "id": "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+      "name": "@opam/ocamlfind",
+      "version": "opam:1.8.1",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/18/18ca650982c15536616dea0e422cbd8c#md5:18ca650982c15536616dea0e422cbd8c",
+          "archive:http://download2.camlcity.org/download/findlib-1.8.1.tar.gz#md5:18ca650982c15536616dea0e422cbd8c",
+          "archive:http://download.camlcity.org/download/findlib-1.8.1.tar.gz#md5:18ca650982c15536616dea0e422cbd8c"
+        ],
+        "opam": {
+          "name": "ocamlfind",
+          "version": "1.8.1",
+          "path": "esy.lock/opam/ocamlfind.1.8.1"
+        }
+      },
+      "overrides": [
+        {
+          "opamoverride":
+            "esy.lock/overrides/opam__s__ocamlfind_opam__c__1.8.1_opam_override"
+        }
+      ],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/conf-m4@opam:1@3b2b148a",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [ "ocaml@4.6.1000@d41d8cd9" ]
+    },
+    "@opam/ocamlbuild@opam:0.14.0@6ac75d03": {
+      "id": "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+      "name": "@opam/ocamlbuild",
+      "version": "opam:0.14.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/sha256/87/87b29ce96958096c0a1a8eeafeb6268077b2d11e1bf2b3de0f5ebc9cf8d42e78#sha256:87b29ce96958096c0a1a8eeafeb6268077b2d11e1bf2b3de0f5ebc9cf8d42e78",
+          "archive:https://github.com/ocaml/ocamlbuild/archive/0.14.0.tar.gz#sha256:87b29ce96958096c0a1a8eeafeb6268077b2d11e1bf2b3de0f5ebc9cf8d42e78"
+        ],
+        "opam": {
+          "name": "ocamlbuild",
+          "version": "0.14.0",
+          "path": "esy.lock/opam/ocamlbuild.0.14.0"
+        }
+      },
+      "overrides": [
+        {
+          "opamoverride":
+            "esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override"
+        }
+      ],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [ "ocaml@4.6.1000@d41d8cd9" ]
+    },
+    "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d": {
+      "id": "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
+      "name": "@opam/ocaml-migrate-parsetree",
+      "version": "opam:1.4.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/sha256/23/231fbdc205187b3ee266b535d9cfe44b599067b2f6e97883c782ea7bb577d3b8#sha256:231fbdc205187b3ee266b535d9cfe44b599067b2f6e97883c782ea7bb577d3b8",
+          "archive:https://github.com/ocaml-ppx/ocaml-migrate-parsetree/releases/download/v1.4.0/ocaml-migrate-parsetree-v1.4.0.tbz#sha256:231fbdc205187b3ee266b535d9cfe44b599067b2f6e97883c782ea7bb577d3b8"
+        ],
+        "opam": {
+          "name": "ocaml-migrate-parsetree",
+          "version": "1.4.0",
+          "path": "esy.lock/opam/ocaml-migrate-parsetree.1.4.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/result@opam:1.4@dc720aef",
+        "@opam/ppx_derivers@opam:1.2.1@ecf0aa45",
+        "@opam/dune@opam:1.11.3@9894df55", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/result@opam:1.4@dc720aef",
+        "@opam/ppx_derivers@opam:1.2.1@ecf0aa45",
+        "@opam/dune@opam:1.11.3@9894df55"
+      ]
+    },
+    "@opam/merlin@opam:3.3.2@7a364181": {
+      "id": "@opam/merlin@opam:3.3.2@7a364181",
+      "name": "@opam/merlin",
+      "version": "opam:3.3.2",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/sha256/1d/1d1c71e663b1e58acf19069cebd1e8d18f7dbe513c6065347d162cdd2c2de801#sha256:1d1c71e663b1e58acf19069cebd1e8d18f7dbe513c6065347d162cdd2c2de801",
+          "archive:https://github.com/ocaml/merlin/releases/download/v3.3.2/merlin-v3.3.2.tbz#sha256:1d1c71e663b1e58acf19069cebd1e8d18f7dbe513c6065347d162cdd2c2de801"
+        ],
+        "opam": {
+          "name": "merlin",
+          "version": "3.3.2",
+          "path": "esy.lock/opam/merlin.3.3.2"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/yojson@opam:1.7.0@7056d985",
+        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "@opam/dune@opam:1.11.3@9894df55", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/yojson@opam:1.7.0@7056d985",
+        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "@opam/dune@opam:1.11.3@9894df55"
+      ]
+    },
+    "@opam/fpath@opam:0.7.2@45477b93": {
+      "id": "@opam/fpath@opam:0.7.2@45477b93",
+      "name": "@opam/fpath",
+      "version": "opam:0.7.2",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/52/52c7ecb0bf180088336f3c645875fa41#md5:52c7ecb0bf180088336f3c645875fa41",
+          "archive:http://erratique.ch/software/fpath/releases/fpath-0.7.2.tbz#md5:52c7ecb0bf180088336f3c645875fa41"
+        ],
+        "opam": {
+          "name": "fpath",
+          "version": "0.7.2",
+          "path": "esy.lock/opam/fpath.0.7.2"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/topkg@opam:1.0.1@a42c631e",
+        "@opam/result@opam:1.4@dc720aef",
+        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+        "@opam/astring@opam:0.8.3@4e5e17d5",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/result@opam:1.4@dc720aef",
+        "@opam/astring@opam:0.8.3@4e5e17d5"
+      ]
+    },
+    "@opam/easy-format@opam:1.3.2@0484b3c4": {
+      "id": "@opam/easy-format@opam:1.3.2@0484b3c4",
+      "name": "@opam/easy-format",
+      "version": "opam:1.3.2",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/sha256/34/3440c2b882d537ae5e9011eb06abb53f5667e651ea4bb3b460ea8230fa8c1926#sha256:3440c2b882d537ae5e9011eb06abb53f5667e651ea4bb3b460ea8230fa8c1926",
+          "archive:https://github.com/mjambon/easy-format/releases/download/1.3.2/easy-format-1.3.2.tbz#sha256:3440c2b882d537ae5e9011eb06abb53f5667e651ea4bb3b460ea8230fa8c1926"
+        ],
+        "opam": {
+          "name": "easy-format",
+          "version": "1.3.2",
+          "path": "esy.lock/opam/easy-format.1.3.2"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55"
+      ]
+    },
+    "@opam/dune-configurator@opam:1.0.0@4873acd8": {
+      "id": "@opam/dune-configurator@opam:1.0.0@4873acd8",
+      "name": "@opam/dune-configurator",
+      "version": "opam:1.0.0",
+      "source": {
+        "type": "install",
+        "source": [ "no-source:" ],
+        "opam": {
+          "name": "dune-configurator",
+          "version": "1.0.0",
+          "path": "esy.lock/opam/dune-configurator.1.0.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "@opam/dune@opam:1.11.3@9894df55", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [ "@opam/dune@opam:1.11.3@9894df55" ]
+    },
+    "@opam/dune@opam:1.11.3@9894df55": {
+      "id": "@opam/dune@opam:1.11.3@9894df55",
+      "name": "@opam/dune",
+      "version": "opam:1.11.3",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/sha256/c8/c83a63e7e8245611b0e11d6adea07c6484dc1b4efffacb176315cd6674d4bbd2#sha256:c83a63e7e8245611b0e11d6adea07c6484dc1b4efffacb176315cd6674d4bbd2",
+          "archive:https://github.com/ocaml/dune/releases/download/1.11.3/dune-build-info-1.11.3.tbz#sha256:c83a63e7e8245611b0e11d6adea07c6484dc1b4efffacb176315cd6674d4bbd2"
+        ],
+        "opam": {
+          "name": "dune",
+          "version": "1.11.3",
+          "path": "esy.lock/opam/dune.1.11.3"
+        }
+      },
+      "overrides": [
+        {
+          "opamoverride":
+            "esy.lock/overrides/opam__s__dune_opam__c__1.11.3_opam_override"
+        }
+      ],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/base-unix@opam:base@87d0b2eb",
+        "@opam/base-threads@opam:base@36803084",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/base-unix@opam:base@87d0b2eb",
+        "@opam/base-threads@opam:base@36803084"
+      ]
+    },
+    "@opam/cppo@opam:1.6.6@f4f83858": {
+      "id": "@opam/cppo@opam:1.6.6@f4f83858",
+      "name": "@opam/cppo",
+      "version": "opam:1.6.6",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/sha256/e7/e7272996a7789175b87bb998efd079794a8db6625aae990d73f7b4484a07b8a0#sha256:e7272996a7789175b87bb998efd079794a8db6625aae990d73f7b4484a07b8a0",
+          "archive:https://github.com/ocaml-community/cppo/releases/download/v1.6.6/cppo-v1.6.6.tbz#sha256:e7272996a7789175b87bb998efd079794a8db6625aae990d73f7b4484a07b8a0"
+        ],
+        "opam": {
+          "name": "cppo",
+          "version": "1.6.6",
+          "path": "esy.lock/opam/cppo.1.6.6"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
+        "@opam/base-unix@opam:base@87d0b2eb",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
+        "@opam/base-unix@opam:base@87d0b2eb"
+      ]
+    },
+    "@opam/conf-m4@opam:1@3b2b148a": {
+      "id": "@opam/conf-m4@opam:1@3b2b148a",
+      "name": "@opam/conf-m4",
+      "version": "opam:1",
+      "source": {
+        "type": "install",
+        "source": [ "no-source:" ],
+        "opam": {
+          "name": "conf-m4",
+          "version": "1",
+          "path": "esy.lock/opam/conf-m4.1"
+        }
+      },
+      "overrides": [],
+      "dependencies": [ "@esy-ocaml/substs@0.0.1@d41d8cd9" ],
+      "devDependencies": []
+    },
+    "@opam/cmdliner@opam:1.0.4@93208aac": {
+      "id": "@opam/cmdliner@opam:1.0.4@93208aac",
+      "name": "@opam/cmdliner",
+      "version": "opam:1.0.4",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/fe/fe2213d0bc63b1e10a2d0aa66d2fc8d9#md5:fe2213d0bc63b1e10a2d0aa66d2fc8d9",
+          "archive:http://erratique.ch/software/cmdliner/releases/cmdliner-1.0.4.tbz#md5:fe2213d0bc63b1e10a2d0aa66d2fc8d9"
+        ],
+        "opam": {
+          "name": "cmdliner",
+          "version": "1.0.4",
+          "path": "esy.lock/opam/cmdliner.1.0.4"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [ "ocaml@4.6.1000@d41d8cd9" ]
+    },
+    "@opam/bisect_ppx@opam:1.4.1@e75b441f": {
+      "id": "@opam/bisect_ppx@opam:1.4.1@e75b441f",
+      "name": "@opam/bisect_ppx",
+      "version": "opam:1.4.1",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/05/05d514706646adc947ed21e7e69a1cf1#md5:05d514706646adc947ed21e7e69a1cf1",
+          "archive:https://github.com/aantron/bisect_ppx/archive/1.4.1.tar.gz#md5:05d514706646adc947ed21e7e69a1cf1"
+        ],
+        "opam": {
+          "name": "bisect_ppx",
+          "version": "1.4.1",
+          "path": "esy.lock/opam/bisect_ppx.1.4.1"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9",
+        "@opam/ppx_tools_versioned@opam:5.2.3@4994ec80",
+        "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
+        "@opam/dune@opam:1.11.3@9894df55",
+        "@opam/base-unix@opam:base@87d0b2eb",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9",
+        "@opam/ppx_tools_versioned@opam:5.2.3@4994ec80",
+        "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
+        "@opam/dune@opam:1.11.3@9894df55",
+        "@opam/base-unix@opam:base@87d0b2eb"
+      ]
+    },
+    "@opam/biniou@opam:1.2.1@d7570399": {
+      "id": "@opam/biniou@opam:1.2.1@d7570399",
+      "name": "@opam/biniou",
+      "version": "opam:1.2.1",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/sha256/35/35546c68b1929a8e6d27a3b39ecd17b38303a0d47e65eb9d1480c2061ea84335#sha256:35546c68b1929a8e6d27a3b39ecd17b38303a0d47e65eb9d1480c2061ea84335",
+          "archive:https://github.com/mjambon/biniou/releases/download/1.2.1/biniou-1.2.1.tbz#sha256:35546c68b1929a8e6d27a3b39ecd17b38303a0d47e65eb9d1480c2061ea84335"
+        ],
+        "opam": {
+          "name": "biniou",
+          "version": "1.2.1",
+          "path": "esy.lock/opam/biniou.1.2.1"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/easy-format@opam:1.3.2@0484b3c4",
+        "@opam/dune@opam:1.11.3@9894df55", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/easy-format@opam:1.3.2@0484b3c4",
+        "@opam/dune@opam:1.11.3@9894df55"
+      ]
+    },
+    "@opam/base-unix@opam:base@87d0b2eb": {
+      "id": "@opam/base-unix@opam:base@87d0b2eb",
+      "name": "@opam/base-unix",
+      "version": "opam:base",
+      "source": {
+        "type": "install",
+        "source": [ "no-source:" ],
+        "opam": {
+          "name": "base-unix",
+          "version": "base",
+          "path": "esy.lock/opam/base-unix.base"
+        }
+      },
+      "overrides": [],
+      "dependencies": [ "@esy-ocaml/substs@0.0.1@d41d8cd9" ],
+      "devDependencies": []
+    },
+    "@opam/base-threads@opam:base@36803084": {
+      "id": "@opam/base-threads@opam:base@36803084",
+      "name": "@opam/base-threads",
+      "version": "opam:base",
+      "source": {
+        "type": "install",
+        "source": [ "no-source:" ],
+        "opam": {
+          "name": "base-threads",
+          "version": "base",
+          "path": "esy.lock/opam/base-threads.base"
+        }
+      },
+      "overrides": [],
+      "dependencies": [ "@esy-ocaml/substs@0.0.1@d41d8cd9" ],
+      "devDependencies": []
+    },
+    "@opam/base-bytes@opam:base@19d0c2ff": {
+      "id": "@opam/base-bytes@opam:base@19d0c2ff",
+      "name": "@opam/base-bytes",
+      "version": "opam:base",
+      "source": {
+        "type": "install",
+        "source": [ "no-source:" ],
+        "opam": {
+          "name": "base-bytes",
+          "version": "base",
+          "path": "esy.lock/opam/base-bytes.base"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlfind@opam:1.8.1@ff07b0f9"
+      ]
+    },
+    "@opam/base@opam:v0.12.2@d687150c": {
+      "id": "@opam/base@opam:v0.12.2@d687150c",
+      "name": "@opam/base",
+      "version": "opam:v0.12.2",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/71/7150e848a730369a2549d01645fb6c72#md5:7150e848a730369a2549d01645fb6c72",
+          "archive:https://github.com/janestreet/base/archive/v0.12.2.tar.gz#md5:7150e848a730369a2549d01645fb6c72"
+        ],
+        "opam": {
+          "name": "base",
+          "version": "v0.12.2",
+          "path": "esy.lock/opam/base.v0.12.2"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/sexplib0@opam:v0.12.0@e432406d",
+        "@opam/dune-configurator@opam:1.0.0@4873acd8",
+        "@opam/dune@opam:1.11.3@9894df55", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/sexplib0@opam:v0.12.0@e432406d",
+        "@opam/dune-configurator@opam:1.0.0@4873acd8",
+        "@opam/dune@opam:1.11.3@9894df55"
+      ]
+    },
+    "@opam/astring@opam:0.8.3@4e5e17d5": {
+      "id": "@opam/astring@opam:0.8.3@4e5e17d5",
+      "name": "@opam/astring",
+      "version": "opam:0.8.3",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/c5/c5bf6352b9ac27fbeab342740f4fa870#md5:c5bf6352b9ac27fbeab342740f4fa870",
+          "archive:http://erratique.ch/software/astring/releases/astring-0.8.3.tbz#md5:c5bf6352b9ac27fbeab342740f4fa870"
+        ],
+        "opam": {
+          "name": "astring",
+          "version": "0.8.3",
+          "path": "esy.lock/opam/astring.0.8.3"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/topkg@opam:1.0.1@a42c631e",
+        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+        "@opam/base-bytes@opam:base@19d0c2ff",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/base-bytes@opam:base@19d0c2ff"
+      ]
+    },
+    "@esy-ocaml/substs@0.0.1@d41d8cd9": {
+      "id": "@esy-ocaml/substs@0.0.1@d41d8cd9",
+      "name": "@esy-ocaml/substs",
+      "version": "0.0.1",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://registry.npmjs.org/@esy-ocaml/substs/-/substs-0.0.1.tgz#sha1:59ebdbbaedcda123fc7ed8fb2b302b7d819e9a46"
+        ]
+      },
+      "overrides": [],
+      "dependencies": [],
+      "devDependencies": []
+    }
+  }
+}
\ No newline at end of file
diff --git a/tools/oeedger8r/esy.lock/opam/astring.0.8.3/opam b/tools/oeedger8r/esy.lock/opam/astring.0.8.3/opam
new file mode 100644
index 0000000000..578ba1fae2
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/astring.0.8.3/opam
@@ -0,0 +1,38 @@
+opam-version: "2.0"
+maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
+homepage: "http://erratique.ch/software/astring"
+doc: "http://erratique.ch/software/astring/doc"
+dev-repo: "git+http://erratique.ch/repos/astring.git"
+bug-reports: "https://github.com/dbuenzli/astring/issues"
+tags: [ "string" "org:erratique" ]
+license: "ISC"
+depends: [
+  "ocaml" {>= "4.01.0"}
+  "ocamlfind" {build}
+  "ocamlbuild" {build}
+  "topkg" {build}
+  "base-bytes"
+]
+build: [[
+  "ocaml" "pkg/pkg.ml" "build"
+          "--pinned" "%{pinned}%" ]]
+synopsis: "Alternative String module for OCaml"
+description: """
+Astring exposes an alternative `String` module for OCaml. This module
+tries to balance minimality and expressiveness for basic, index-free,
+string processing and provides types and functions for substrings,
+string sets and string maps.
+
+Remaining compatible with the OCaml `String` module is a non-goal. The
+`String` module exposed by Astring has exception safe functions,
+removes deprecated and rarely used functions, alters some signatures
+and names, adds a few missing functions and fully exploits OCaml's
+newfound string immutability.
+
+Astring depends only on the OCaml standard library. It is distributed
+under the ISC license."""
+url {
+  src: "http://erratique.ch/software/astring/releases/astring-0.8.3.tbz"
+  checksum: "md5=c5bf6352b9ac27fbeab342740f4fa870"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/base-bytes.base/opam b/tools/oeedger8r/esy.lock/opam/base-bytes.base/opam
new file mode 100644
index 0000000000..f1cae506c6
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/base-bytes.base/opam
@@ -0,0 +1,9 @@
+opam-version: "2.0"
+maintainer: " "
+authors: " "
+homepage: " "
+depends: [
+  "ocaml" {>= "4.02.0"}
+  "ocamlfind" {>= "1.5.3"}
+]
+synopsis: "Bytes library distributed with the OCaml compiler"
diff --git a/tools/oeedger8r/esy.lock/opam/base-threads.base/opam b/tools/oeedger8r/esy.lock/opam/base-threads.base/opam
new file mode 100644
index 0000000000..914ff50ceb
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/base-threads.base/opam
@@ -0,0 +1,6 @@
+opam-version: "2.0"
+maintainer: "https://github.com/ocaml/opam-repository/issues"
+description: """
+Threads library distributed with the OCaml compiler
+"""
+
diff --git a/tools/oeedger8r/esy.lock/opam/base-unix.base/opam b/tools/oeedger8r/esy.lock/opam/base-unix.base/opam
new file mode 100644
index 0000000000..b973540bcb
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/base-unix.base/opam
@@ -0,0 +1,6 @@
+opam-version: "2.0"
+maintainer: "https://github.com/ocaml/opam-repository/issues"
+description: """
+Unix library distributed with the OCaml compiler
+"""
+
diff --git a/tools/oeedger8r/esy.lock/opam/base.v0.12.2/opam b/tools/oeedger8r/esy.lock/opam/base.v0.12.2/opam
new file mode 100644
index 0000000000..861024cf57
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/base.v0.12.2/opam
@@ -0,0 +1,39 @@
+opam-version: "2.0"
+maintainer: "opensource@janestreet.com"
+authors: ["Jane Street Group, LLC <opensource@janestreet.com>"]
+homepage: "https://github.com/janestreet/base"
+bug-reports: "https://github.com/janestreet/base/issues"
+dev-repo: "git+https://github.com/janestreet/base.git"
+doc: "https://ocaml.janestreet.com/ocaml-core/latest/doc/base/index.html"
+license: "MIT"
+build: [
+  ["dune" "build" "-p" name "-j" jobs]
+]
+depends: [
+  "ocaml"             {>= "4.04.2" & < "4.10.0"}
+  "sexplib0"          {>= "v0.12" & < "v0.13"}
+  "dune"              {>= "1.5.1"}
+  "dune-configurator"
+]
+depopts: [
+  "base-native-int63"
+]
+synopsis: "Full standard library replacement for OCaml"
+description: "
+Full standard library replacement for OCaml
+
+Base is a complete and portable alternative to the OCaml standard
+library. It provides all standard functionalities one would expect
+from a language standard library. It uses consistent conventions
+across all of its module.
+
+Base aims to be usable in any context. As a result system dependent
+features such as I/O are not offered by Base. They are instead
+provided by companion libraries such as stdio:
+
+  https://github.com/janestreet/stdio
+"
+url {
+  src: "https://github.com/janestreet/base/archive/v0.12.2.tar.gz"
+  checksum: "md5=7150e848a730369a2549d01645fb6c72"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/biniou.1.2.1/opam b/tools/oeedger8r/esy.lock/opam/biniou.1.2.1/opam
new file mode 100644
index 0000000000..b706b4251a
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/biniou.1.2.1/opam
@@ -0,0 +1,45 @@
+opam-version: "2.0"
+build: [
+  ["dune" "subst"] {pinned}
+  ["dune" "build" "-p" name "-j" jobs]
+  ["dune" "runtest" "-p" name "-j" jobs] {with-test}
+  ["dune" "build" "-p" name "@doc"] {with-doc}
+]
+maintainer: ["martin@mjambon.com"]
+authors: ["Martin Jambon"]
+bug-reports: "https://github.com/mjambon/biniou/issues"
+homepage: "https://github.com/mjambon/biniou"
+doc: "https://mjambon.github.io/biniou/"
+license: "BSD-3-Clause"
+dev-repo: "git+https://github.com/mjambon/biniou.git"
+synopsis:
+  "Binary data format designed for speed, safety, ease of use and backward compatibility as protocols evolve"
+description: """
+
+Biniou (pronounced "be new") is a binary data format designed for speed, safety,
+ease of use and backward compatibility as protocols evolve. Biniou is vastly
+equivalent to JSON in terms of functionality but allows implementations several
+times faster (4 times faster than yojson), with 25-35% space savings.
+
+Biniou data can be decoded into human-readable form without knowledge of type
+definitions except for field and variant names which are represented by 31-bit
+hashes. A program named bdump is provided for routine visualization of biniou
+data files.
+
+The program atdgen is used to derive OCaml-Biniou serializers and deserializers
+from type definitions.
+
+Biniou format specification: mjambon.github.io/atdgen-doc/biniou-format.txt"""
+depends: [
+  "easy-format"
+  "dune" {>= "1.10"}
+  "ocaml" {>= "4.02.3"}
+]
+url {
+  src:
+    "https://github.com/mjambon/biniou/releases/download/1.2.1/biniou-1.2.1.tbz"
+  checksum: [
+    "sha256=35546c68b1929a8e6d27a3b39ecd17b38303a0d47e65eb9d1480c2061ea84335"
+    "sha512=82670cc77bf3e869ee26e5fbe5a5affa45a22bc8b6c4bd7e85473912780e0111baca59b34a2c14feae3543ce6e239d7fddaeab24b686a65bfe642cdb91d27ebf"
+  ]
+}
diff --git a/tools/oeedger8r/esy.lock/opam/bisect_ppx.1.4.1/opam b/tools/oeedger8r/esy.lock/opam/bisect_ppx.1.4.1/opam
new file mode 100644
index 0000000000..f97b5f2768
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/bisect_ppx.1.4.1/opam
@@ -0,0 +1,49 @@
+opam-version: "2.0"
+
+synopsis: "Code coverage for OCaml"
+license: "MPL-2.0"
+homepage: "https://github.com/aantron/bisect_ppx"
+doc: "https://github.com/aantron/bisect_ppx"
+bug-reports: "https://github.com/aantron/bisect_ppx/issues"
+
+dev-repo: "git+https://github.com/aantron/bisect_ppx.git"
+authors: [
+  "Xavier Clerc <bisect@x9c.fr>"
+  "Leonid Rozenberg <leonidr@gmail.com>"
+  "Anton Bachin <antonbachin@yahoo.com>"
+]
+maintainer: [
+  "Anton Bachin <antonbachin@yahoo.com>"
+  "Leonid Rozenberg <leonidr@gmail.com>"
+]
+
+depends: [
+  "base-unix"
+  "dune"
+  "ocaml" {>= "4.02.0"}
+  "ocaml-migrate-parsetree" {>= "1.1.0"}
+  "ppx_tools_versioned"
+
+  "ocamlfind" {dev}
+  "ounit" {dev}
+]
+conflicts: [
+  "ocveralls" {<= "0.3.2"}
+]
+
+build: [
+  ["dune" "build" "-p" name "-j" jobs]
+]
+
+description: "Bisect_ppx helps you test thoroughly. It is a small preprocessor
+that inserts instrumentation at places in your code, such as if-then-else and
+match expressions. After you run tests, Bisect_ppx gives a nice HTML report
+showing which places were visited and which were missed.
+
+Usage is simple - add package bisect_ppx when building tests, run your tests,
+then run the Bisect_ppx report tool on the generated visitation files."
+
+url {
+  src: "https://github.com/aantron/bisect_ppx/archive/1.4.1.tar.gz"
+  checksum: "md5=05d514706646adc947ed21e7e69a1cf1"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/cmdliner.1.0.4/opam b/tools/oeedger8r/esy.lock/opam/cmdliner.1.0.4/opam
new file mode 100644
index 0000000000..b2187dc5b6
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/cmdliner.1.0.4/opam
@@ -0,0 +1,36 @@
+opam-version: "2.0"
+maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
+homepage: "http://erratique.ch/software/cmdliner"
+doc: "http://erratique.ch/software/cmdliner/doc/Cmdliner"
+dev-repo: "git+http://erratique.ch/repos/cmdliner.git"
+bug-reports: "https://github.com/dbuenzli/cmdliner/issues"
+tags: [ "cli" "system" "declarative" "org:erratique" ]
+license: "ISC"
+depends:[ "ocaml" {>= "4.03.0"} ]
+build: [[ make "all" "PREFIX=%{prefix}%" ]]
+install:
+[[make "install" "LIBDIR=%{_:lib}%" "DOCDIR=%{_:doc}%" ]
+ [make "install-doc" "LIBDIR=%{_:lib}%" "DOCDIR=%{_:doc}%"  ]]
+
+synopsis: """Declarative definition of command line interfaces for OCaml"""
+description: """\
+
+Cmdliner allows the declarative definition of command line interfaces
+for OCaml.
+
+It provides a simple and compositional mechanism to convert command
+line arguments to OCaml values and pass them to your functions. The
+module automatically handles syntax errors, help messages and UNIX man
+page generation. It supports programs with single or multiple commands
+and respects most of the [POSIX][1] and [GNU][2] conventions.
+
+Cmdliner has no dependencies and is distributed under the ISC license.
+
+[1]: http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap12.html
+[2]: http://www.gnu.org/software/libc/manual/html_node/Argument-Syntax.html
+"""
+url {
+archive: "http://erratique.ch/software/cmdliner/releases/cmdliner-1.0.4.tbz"
+checksum: "fe2213d0bc63b1e10a2d0aa66d2fc8d9"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/conf-m4.1/opam b/tools/oeedger8r/esy.lock/opam/conf-m4.1/opam
new file mode 100644
index 0000000000..c6feb2a746
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/conf-m4.1/opam
@@ -0,0 +1,22 @@
+opam-version: "2.0"
+maintainer: "tim@gfxmonk.net"
+homepage: "http://www.gnu.org/software/m4/m4.html"
+bug-reports: "https://github.com/ocaml/opam-repository/issues"
+authors: "GNU Project"
+license: "GPL-3.0-only"
+build: [["sh" "-exc" "echo | m4"]]
+depexts: [
+  ["m4"] {os-family = "debian"}
+  ["m4"] {os-distribution = "fedora"}
+  ["m4"] {os-distribution = "rhel"}
+  ["m4"] {os-distribution = "centos"}
+  ["m4"] {os-distribution = "alpine"}
+  ["m4"] {os-distribution = "nixos"}
+  ["m4"] {os-family = "suse"}
+  ["m4"] {os-distribution = "ol"}
+  ["m4"] {os-distribution = "arch"}
+]
+synopsis: "Virtual package relying on m4"
+description:
+  "This package can only install if the m4 binary is installed on the system."
+flags: conf
diff --git a/tools/oeedger8r/esy.lock/opam/cppo.1.6.6/opam b/tools/oeedger8r/esy.lock/opam/cppo.1.6.6/opam
new file mode 100644
index 0000000000..f683f8b416
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/cppo.1.6.6/opam
@@ -0,0 +1,37 @@
+opam-version: "2.0"
+maintainer: "martin@mjambon.com"
+authors: "Martin Jambon"
+license: "BSD-3-Clause"
+homepage: "http://mjambon.com/cppo.html"
+doc: "https://ocaml-community.github.io/cppo/"
+bug-reports: "https://github.com/ocaml-community/cppo/issues"
+depends: [
+  "ocaml" {>= "4.03"}
+  "dune" {>= "1.0"}
+  "base-unix"
+]
+build: [
+  ["dune" "subst"] {pinned}
+  ["dune" "build" "-p" name "-j" jobs]
+  ["dune" "runtest" "-p" name "-j" jobs] {with-test}
+]
+dev-repo: "git+https://github.com/ocaml-community/cppo.git"
+synopsis: "Code preprocessor like cpp for OCaml"
+description: """
+Cppo is an equivalent of the C preprocessor for OCaml programs.
+It allows the definition of simple macros and file inclusion.
+
+Cppo is:
+
+* more OCaml-friendly than cpp
+* easy to learn without consulting a manual
+* reasonably fast
+* simple to install and to maintain
+"""
+url {
+  src: "https://github.com/ocaml-community/cppo/releases/download/v1.6.6/cppo-v1.6.6.tbz"
+  checksum: [
+    "sha256=e7272996a7789175b87bb998efd079794a8db6625aae990d73f7b4484a07b8a0"
+    "sha512=44ecf9d225d9e45490a2feac0bde04865ca398dba6c3579e3370fcd1ea255707b8883590852af8b2df87123801062b9f3acce2455c092deabf431f9c4fb8d8eb"
+  ]
+}
diff --git a/tools/oeedger8r/esy.lock/opam/dune-configurator.1.0.0/opam b/tools/oeedger8r/esy.lock/opam/dune-configurator.1.0.0/opam
new file mode 100644
index 0000000000..6e2b712edc
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/dune-configurator.1.0.0/opam
@@ -0,0 +1,9 @@
+opam-version: "2.0"
+authors: ["Jérémie Dimino"]
+homepage: "https://github.com/ocaml/dune"
+bug-reports: "https://github.com/ocaml/dune/issues"
+maintainer: "Jérémie Dimino"
+description: """
+dune.configurator library distributed with Dune 1.x
+"""
+depends: ["dune" {<"2.0.0"}]
diff --git a/tools/oeedger8r/esy.lock/opam/dune.1.11.3/opam b/tools/oeedger8r/esy.lock/opam/dune.1.11.3/opam
new file mode 100644
index 0000000000..af3286b5eb
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/dune.1.11.3/opam
@@ -0,0 +1,53 @@
+opam-version: "2.0"
+synopsis: "Fast, portable and opinionated build system"
+description: """
+
+dune is a build system that was designed to simplify the release of
+Jane Street packages. It reads metadata from "dune" files following a
+very simple s-expression syntax.
+
+dune is fast, it has very low-overhead and support parallel builds on
+all platforms. It has no system dependencies, all you need to build
+dune and packages using dune is OCaml. You don't need or make or bash
+as long as the packages themselves don't use bash explicitly.
+
+dune supports multi-package development by simply dropping multiple
+repositories into the same directory.
+
+It also supports multi-context builds, such as building against
+several opam roots/switches simultaneously. This helps maintaining
+packages across several versions of OCaml and gives cross-compilation
+for free.
+"""
+maintainer: ["Jane Street Group, LLC <opensource@janestreet.com>"]
+authors: ["Jane Street Group, LLC <opensource@janestreet.com>"]
+license: "MIT"
+homepage: "https://github.com/ocaml/dune"
+doc: "https://dune.readthedocs.io/"
+bug-reports: "https://github.com/ocaml/dune/issues"
+depends: [
+  "ocaml" {>= "4.02"}
+  "base-unix"
+  "base-threads"
+]
+conflicts: [
+  "jbuilder" {!= "transition"}
+  "odoc" {< "1.3.0"}
+  "dune-release" {< "1.3.0"}
+]
+dev-repo: "git+https://github.com/ocaml/dune.git"
+build: [
+  # opam 2 sets OPAM_SWITCH_PREFIX, so we don't need a hardcoded path
+  ["ocaml" "configure.ml" "--libdir" lib] {opam-version < "2"}
+  ["ocaml" "bootstrap.ml"]
+  ["./boot.exe" "--release" "--subst"] {pinned}
+  ["./boot.exe" "--release" "-j" jobs]
+]
+url {
+  src:
+    "https://github.com/ocaml/dune/releases/download/1.11.3/dune-build-info-1.11.3.tbz"
+  checksum: [
+    "sha256=c83a63e7e8245611b0e11d6adea07c6484dc1b4efffacb176315cd6674d4bbd2"
+    "sha512=2c1532b91d223e6ea0628c5f5174792c1bb4113a464f6d8b878b3c58be1136beb84ba2d9883a330fa20e550367588aa923ba06ffb9b615a098a21374a9377e81"
+  ]
+}
diff --git a/tools/oeedger8r/esy.lock/opam/easy-format.1.3.2/opam b/tools/oeedger8r/esy.lock/opam/easy-format.1.3.2/opam
new file mode 100644
index 0000000000..138d0fb23e
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/easy-format.1.3.2/opam
@@ -0,0 +1,46 @@
+opam-version: "2.0"
+build: [
+  ["dune" "subst"] {pinned}
+  ["dune" "build" "-p" name "-j" jobs]
+  ["dune" "runtest" "-p" name "-j" jobs] {with-test}
+  ["dune" "build" "-p" name "@doc"] {with-doc}
+]
+maintainer: ["martin@mjambon.com" "rudi.grinberg@gmail.com"]
+authors: ["Martin Jambon"]
+bug-reports: "https://github.com/mjambon/easy-format/issues"
+homepage: "https://github.com/mjambon/easy-format"
+doc: "https://mjambon.github.io/easy-format/"
+license: "BSD-3-Clause"
+dev-repo: "git+https://github.com/mjambon/easy-format.git"
+synopsis:
+  "High-level and functional interface to the Format module of the OCaml standard library"
+description: """
+
+This module offers a high-level and functional interface to the Format module of
+the OCaml standard library. It is a pretty-printing facility, i.e. it takes as
+input some code represented as a tree and formats this code into the most
+visually satisfying result, breaking and indenting lines of code where
+appropriate.
+
+Input data must be first modelled and converted into a tree using 3 kinds of
+nodes:
+
+* atoms
+* lists
+* labelled nodes
+
+Atoms represent any text that is guaranteed to be printed as-is. Lists can model
+any sequence of items such as arrays of data or lists of definitions that are
+labelled with something like "int main", "let x =" or "x:"."""
+depends: [
+  "dune" {>= "1.10"}
+  "ocaml" {>= "4.02.3"}
+]
+url {
+  src:
+    "https://github.com/mjambon/easy-format/releases/download/1.3.2/easy-format-1.3.2.tbz"
+  checksum: [
+    "sha256=3440c2b882d537ae5e9011eb06abb53f5667e651ea4bb3b460ea8230fa8c1926"
+    "sha512=e39377a2ff020ceb9ac29e8515a89d9bdbc91dfcfa871c4e3baafa56753fac2896768e5d9822a050dc1e2ade43c8967afb69391a386c0a8ecd4e1f774e236135"
+  ]
+}
diff --git a/tools/oeedger8r/esy.lock/opam/fpath.0.7.2/opam b/tools/oeedger8r/esy.lock/opam/fpath.0.7.2/opam
new file mode 100644
index 0000000000..2613a6accb
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/fpath.0.7.2/opam
@@ -0,0 +1,34 @@
+opam-version: "2.0"
+maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
+homepage: "http://erratique.ch/software/fpath"
+doc: "http://erratique.ch/software/fpath/doc"
+dev-repo: "git+http://erratique.ch/repos/fpath.git"
+bug-reports: "https://github.com/dbuenzli/fpath/issues"
+tags: [ "file" "system" "path" "org:erratique" ]
+license: "ISC"
+depends: [
+  "ocaml" {>= "4.01.0"}
+  "ocamlfind" {build}
+  "ocamlbuild" {build}
+  "topkg" {build & >= "0.9.0"}
+  "result"
+  "astring"
+]
+build: [[
+  "ocaml" "pkg/pkg.ml" "build"
+          "--dev-pkg" "%{pinned}%" ]]
+synopsis: "File system paths for OCaml"
+description: """
+Fpath is an OCaml module for handling file system paths with POSIX or
+Windows conventions. Fpath processes paths without accessing the file
+system and is independent from any system library.
+
+Fpath depends on [Astring][astring] and is distributed under the ISC
+license.
+
+[astring]: http://erratique.ch/software/astring"""
+url {
+  src: "http://erratique.ch/software/fpath/releases/fpath-0.7.2.tbz"
+  checksum: "md5=52c7ecb0bf180088336f3c645875fa41"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/merlin.3.3.2/opam b/tools/oeedger8r/esy.lock/opam/merlin.3.3.2/opam
new file mode 100644
index 0000000000..47fb8f5e00
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/merlin.3.3.2/opam
@@ -0,0 +1,70 @@
+opam-version: "2.0"
+name:         "merlin"
+maintainer:   "defree@gmail.com"
+authors:      "The Merlin team"
+homepage:     "https://github.com/ocaml/merlin"
+bug-reports:  "https://github.com/ocaml/merlin/issues"
+dev-repo: "git+https://github.com/ocaml/merlin.git"
+build: [
+  ["dune" "subst"] {pinned}
+  ["dune" "build" "-p" name "-j" jobs]
+]
+depends: [
+  "ocaml" {>= "4.02.1" & < "4.09"}
+  "dune" {>= "1.8.0"}
+  "ocamlfind" {>= "1.5.2"}
+  "yojson"
+  "mdx" {with-test & >= "1.3.0"}
+]
+synopsis:
+  "Editor helper, provides completion, typing and source browsing in Vim and Emacs"
+description:
+  "Merlin is an assistant for editing OCaml code. It aims to provide the features available in modern IDEs: error reporting, auto completion, source browsing and much more."
+post-messages: [
+  "merlin installed.
+
+Quick setup for VIM
+-------------------
+Append this to your .vimrc to add merlin to vim's runtime-path:
+  let g:opamshare = substitute(system('opam config var share'),'\\n$','','''')
+  execute \"set rtp+=\" . g:opamshare . \"/merlin/vim\"
+
+Also run the following line in vim to index the documentation:
+  :execute \"helptags \" . g:opamshare . \"/merlin/vim/doc\"
+
+Quick setup for EMACS
+-------------------
+Add opam emacs directory to your load-path by appending this to your .emacs:
+  (let ((opam-share (ignore-errors (car (process-lines \"opam\" \"config\" \"var\" \"share\")))))
+   (when (and opam-share (file-directory-p opam-share))
+    ;; Register Merlin
+    (add-to-list 'load-path (expand-file-name \"emacs/site-lisp\" opam-share))
+    (autoload 'merlin-mode \"merlin\" nil t nil)
+    ;; Automatically start it in OCaml buffers
+    (add-hook 'tuareg-mode-hook 'merlin-mode t)
+    (add-hook 'caml-mode-hook 'merlin-mode t)
+    ;; Use opam switch to lookup ocamlmerlin binary
+    (setq merlin-command 'opam)))
+
+Take a look at https://github.com/ocaml/merlin for more information
+
+Quick setup with opam-user-setup
+--------------------------------
+
+Opam-user-setup support Merlin.
+
+  $ opam user-setup install
+
+should take care of basic setup.
+See https://github.com/OCamlPro/opam-user-setup
+"
+  {success & !user-setup:installed}
+]
+url {
+  src:
+    "https://github.com/ocaml/merlin/releases/download/v3.3.2/merlin-v3.3.2.tbz"
+  checksum: [
+    "sha256=1d1c71e663b1e58acf19069cebd1e8d18f7dbe513c6065347d162cdd2c2de801"
+    "sha512=3ae021669808a40b4449f1cbdaca40b605ea5779a6204addd8b0ee4af9f14f528d55ca43a8dd3c7d547fb8e4cb256c09a9151d5559ef24dad83b5ab05aa146a2"
+  ]
+}
diff --git a/tools/oeedger8r/esy.lock/opam/ocaml-migrate-parsetree.1.4.0/opam b/tools/oeedger8r/esy.lock/opam/ocaml-migrate-parsetree.1.4.0/opam
new file mode 100644
index 0000000000..66d40bacda
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/ocaml-migrate-parsetree.1.4.0/opam
@@ -0,0 +1,37 @@
+opam-version: "2.0"
+maintainer: "frederic.bour@lakaban.net"
+authors: [
+  "Frédéric Bour <frederic.bour@lakaban.net>"
+  "Jérémie Dimino <jeremie@dimino.org>"
+]
+license: "LGPL-2.1-only with OCaml-LGPL-linking-exception"
+homepage: "https://github.com/ocaml-ppx/ocaml-migrate-parsetree"
+bug-reports: "https://github.com/ocaml-ppx/ocaml-migrate-parsetree/issues"
+dev-repo: "git+https://github.com/ocaml-ppx/ocaml-migrate-parsetree.git"
+doc: "https://ocaml-ppx.github.io/ocaml-migrate-parsetree/"
+tags: [ "syntax" "org:ocamllabs" ]
+build: [
+  ["dune" "build" "-p" name "-j" jobs]
+]
+depends: [
+  "result"
+  "ppx_derivers"
+  "dune" {>= "1.9.0"}
+  "ocaml" {>= "4.02.3"}
+]
+synopsis: "Convert OCaml parsetrees between different versions"
+description: """
+Convert OCaml parsetrees between different versions
+
+This library converts parsetrees, outcometree and ast mappers between
+different OCaml versions.  High-level functions help making PPX
+rewriters independent of a compiler version.
+"""
+url {
+  src:
+    "https://github.com/ocaml-ppx/ocaml-migrate-parsetree/releases/download/v1.4.0/ocaml-migrate-parsetree-v1.4.0.tbz"
+  checksum: [
+    "sha256=231fbdc205187b3ee266b535d9cfe44b599067b2f6e97883c782ea7bb577d3b8"
+    "sha512=61ee91d2d146cc2d2ff2d5dc4ef5dea4dc4d3c8dbd8b4c9586d64b6ad7302327ab35547aa0a5b0103c3f07b66b13d416a1bee6d4d117293cd3cabe44113ec6d4"
+  ]
+}
diff --git a/tools/oeedger8r/esy.lock/opam/ocamlbuild.0.14.0/opam b/tools/oeedger8r/esy.lock/opam/ocamlbuild.0.14.0/opam
new file mode 100644
index 0000000000..8deabeedfb
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/ocamlbuild.0.14.0/opam
@@ -0,0 +1,36 @@
+opam-version: "2.0"
+maintainer: "Gabriel Scherer <gabriel.scherer@gmail.com>"
+authors: ["Nicolas Pouillard" "Berke Durak"]
+homepage: "https://github.com/ocaml/ocamlbuild/"
+bug-reports: "https://github.com/ocaml/ocamlbuild/issues"
+license: "LGPL-2.1-only with OCaml-LGPL-linking-exception"
+doc: "https://github.com/ocaml/ocamlbuild/blob/master/manual/manual.adoc"
+dev-repo: "git+https://github.com/ocaml/ocamlbuild.git"
+build: [
+  [
+    make
+    "-f"
+    "configure.make"
+    "all"
+    "OCAMLBUILD_PREFIX=%{prefix}%"
+    "OCAMLBUILD_BINDIR=%{bin}%"
+    "OCAMLBUILD_LIBDIR=%{lib}%"
+    "OCAMLBUILD_MANDIR=%{man}%"
+    "OCAML_NATIVE=%{ocaml:native}%"
+    "OCAML_NATIVE_TOOLS=%{ocaml:native}%"
+  ]
+  [make "check-if-preinstalled" "all" "opam-install"]
+]
+conflicts: [
+  "base-ocamlbuild"
+  "ocamlfind" {< "1.6.2"}
+]
+synopsis:
+  "OCamlbuild is a build system with builtin rules to easily build most OCaml projects."
+depends: [
+  "ocaml" {>= "4.03"}
+]
+url {
+  src: "https://github.com/ocaml/ocamlbuild/archive/0.14.0.tar.gz"
+  checksum: "sha256=87b29ce96958096c0a1a8eeafeb6268077b2d11e1bf2b3de0f5ebc9cf8d42e78"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/ocamlfind.1.8.1/files/ocaml-stub b/tools/oeedger8r/esy.lock/opam/ocamlfind.1.8.1/files/ocaml-stub
new file mode 100644
index 0000000000..e5ad9907e8
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/ocamlfind.1.8.1/files/ocaml-stub
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+BINDIR=$(dirname "$(command -v ocamlc)")
+"$BINDIR/ocaml" -I "$OCAML_TOPLEVEL_PATH" "$@"
diff --git a/tools/oeedger8r/esy.lock/opam/ocamlfind.1.8.1/files/ocamlfind.install b/tools/oeedger8r/esy.lock/opam/ocamlfind.1.8.1/files/ocamlfind.install
new file mode 100644
index 0000000000..295c62545f
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/ocamlfind.1.8.1/files/ocamlfind.install
@@ -0,0 +1,6 @@
+bin: [
+  "src/findlib/ocamlfind" {"ocamlfind"}
+  "?src/findlib/ocamlfind_opt" {"ocamlfind"}
+  "?tools/safe_camlp4"
+]
+toplevel: ["src/findlib/topfind"]
diff --git a/tools/oeedger8r/esy.lock/opam/ocamlfind.1.8.1/opam b/tools/oeedger8r/esy.lock/opam/ocamlfind.1.8.1/opam
new file mode 100644
index 0000000000..d757d669ca
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/ocamlfind.1.8.1/opam
@@ -0,0 +1,50 @@
+opam-version: "2.0"
+synopsis: "A library manager for OCaml"
+maintainer: "Thomas Gazagnaire <thomas@gazagnaire.org>"
+authors: "Gerd Stolpmann <gerd@gerd-stolpmann.de>"
+homepage: "http://projects.camlcity.org/projects/findlib.html"
+bug-reports: "https://gitlab.camlcity.org/gerd/lib-findlib/issues"
+dev-repo: "git+https://gitlab.camlcity.org/gerd/lib-findlib.git"
+description: """
+Findlib is a library manager for OCaml. It provides a convention how
+to store libraries, and a file format ("META") to describe the
+properties of libraries. There is also a tool (ocamlfind) for
+interpreting the META files, so that it is very easy to use libraries
+in programs and scripts.
+"""
+build: [
+  [
+    "./configure"
+    "-bindir"
+    bin
+    "-sitelib"
+    lib
+    "-mandir"
+    man
+    "-config"
+    "%{lib}%/findlib.conf"
+    "-no-custom"
+    "-no-camlp4" {!ocaml:preinstalled & ocaml:version >= "4.02.0"}
+    "-no-topfind" {ocaml:preinstalled}
+  ]
+  [make "all"]
+  [make "opt"] {ocaml:native}
+]
+install: [
+  [make "install"]
+  ["install" "-m" "0755" "ocaml-stub" "%{bin}%/ocaml"] {ocaml:preinstalled}
+]
+depends: [
+  "ocaml" {>= "4.00.0"}
+  "conf-m4" {build}
+]
+extra-files: [
+  ["ocamlfind.install" "md5=06f2c282ab52d93aa6adeeadd82a2543"]
+  ["ocaml-stub" "md5=181f259c9e0bad9ef523e7d4abfdf87a"]
+]
+url {
+  src: "http://download.camlcity.org/download/findlib-1.8.1.tar.gz"
+  checksum: "md5=18ca650982c15536616dea0e422cbd8c"
+  mirrors: "http://download2.camlcity.org/download/findlib-1.8.1.tar.gz"
+}
+depopts: ["graphics"]
diff --git a/tools/oeedger8r/esy.lock/opam/ocamlformat.0.11.0/opam b/tools/oeedger8r/esy.lock/opam/ocamlformat.0.11.0/opam
new file mode 100644
index 0000000000..abaa584a40
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/ocamlformat.0.11.0/opam
@@ -0,0 +1,35 @@
+opam-version: "2.0"
+maintainer: "OCamlFormat Team <ocamlformat-team@fb.com>"
+authors: "Josh Berdine <jjb@fb.com>"
+homepage: "https://github.com/ocaml-ppx/ocamlformat"
+bug-reports: "https://github.com/ocaml-ppx/ocamlformat/issues"
+dev-repo: "git+https://github.com/ocaml-ppx/ocamlformat.git"
+url {
+  src: "https://github.com/ocaml-ppx/ocamlformat/archive/0.11.0.tar.gz"
+  checksum: [
+    "md5=e45a7f2090ad609b9ec1d4391922365e"
+    "sha512=5db2601b0c2a47c1f597519d21ba8a0ad07d2b7426b8a6996491c5301290a445cbe92be24d85bc9e4bc9f3a4bdd4ebe79f398863f9da29b3ba8dc2456f764210"
+  ]
+}
+license: "MIT"
+build: [
+  ["ocaml" "tools/gen_version.mlt" "src/Version.ml" version] {pinned}
+  ["dune" "build" "-p" name "-j" jobs]
+]
+depends: [
+  "ocaml" {>= "4.06"}
+  "base" {>= "v0.11.0"}
+  "base-unix"
+  "bisect_ppx"
+  "cmdliner"
+  "dune" {>= "1.1.1"}
+  "fpath"
+  "ocaml-migrate-parsetree" {>= "1.3.1"}
+  "odoc" {>= "1.4.1"}
+  "re"
+  "stdio"
+  "uuseg" {>= "10.0.0"}
+  "uutf" {>= "1.0.1"}
+]
+synopsis: "Auto-formatter for OCaml code"
+description: "OCamlFormat is a tool to automatically format OCaml code in a uniform style."
diff --git a/tools/oeedger8r/esy.lock/opam/odoc.1.4.2/opam b/tools/oeedger8r/esy.lock/opam/odoc.1.4.2/opam
new file mode 100644
index 0000000000..162971c621
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/odoc.1.4.2/opam
@@ -0,0 +1,45 @@
+opam-version: "2.0"
+
+version: "1.4.2"
+homepage: "http://github.com/ocaml/odoc"
+doc: "https://github.com/ocaml/odoc#readme"
+bug-reports: "https://github.com/ocaml/odoc/issues"
+license: "ISC"
+
+authors: [
+  "Thomas Refis <trefis@janestreet.com>"
+  "David Sheets <sheets@alum.mit.edu>"
+  "Leo White <leo@lpw25.net>"
+]
+maintainer: "Anton Bachin <antonbachin@yahoo.com>"
+dev-repo: "git+https://github.com/ocaml/odoc.git"
+
+synopsis: "OCaml documentation generator"
+
+depends: [
+  "astring" {build}
+  "cmdliner" {build & >= "1.0.0"}
+  "cppo" {build}
+  "dune"
+  "fpath" {build}
+  "ocaml" {>= "4.02.0"}
+  "result" {build}
+  "tyxml" {build & >= "4.3.0"}
+
+  "alcotest" {dev & >= "0.8.3"}
+  "markup" {dev & >= "0.8.0"}
+  "ocamlfind" {dev}
+  "sexplib" {dev & >= "113.33.00"}
+
+  "bisect_ppx" {with-test & >= "1.3.0"}
+]
+
+build: [
+  ["dune" "subst"] {pinned}
+  ["dune" "build" "-p" name "-j" jobs]
+]
+
+url {
+  src: "https://github.com/ocaml/odoc/archive/1.4.2.tar.gz"
+  checksum: "md5=d75ce63539040cd199d22203d46fc5f3"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/ppx_derivers.1.2.1/opam b/tools/oeedger8r/esy.lock/opam/ppx_derivers.1.2.1/opam
new file mode 100644
index 0000000000..3d10814e04
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/ppx_derivers.1.2.1/opam
@@ -0,0 +1,23 @@
+opam-version: "2.0"
+maintainer: "jeremie@dimino.org"
+authors: ["Jérémie Dimino"]
+license: "BSD-3-Clause"
+homepage: "https://github.com/ocaml-ppx/ppx_derivers"
+bug-reports: "https://github.com/ocaml-ppx/ppx_derivers/issues"
+dev-repo: "git://github.com/ocaml-ppx/ppx_derivers.git"
+build: [
+  ["dune" "build" "-p" name "-j" jobs]
+]
+depends: [
+  "ocaml"
+  "dune"
+]
+synopsis: "Shared [@@deriving] plugin registry"
+description: """
+Ppx_derivers is a tiny package whose sole purpose is to allow
+ppx_deriving and ppx_type_conv to inter-operate gracefully when linked
+as part of the same ocaml-migrate-parsetree driver."""
+url {
+  src: "https://github.com/ocaml-ppx/ppx_derivers/archive/1.2.1.tar.gz"
+  checksum: "md5=5dc2bf130c1db3c731fe0fffc5648b41"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/ppx_tools_versioned.5.2.3/opam b/tools/oeedger8r/esy.lock/opam/ppx_tools_versioned.5.2.3/opam
new file mode 100644
index 0000000000..dbf79a1b01
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/ppx_tools_versioned.5.2.3/opam
@@ -0,0 +1,30 @@
+opam-version: "2.0"
+maintainer: "frederic.bour@lakaban.net"
+authors: [
+  "Frédéric Bour <frederic.bour@lakaban.net>"
+  "Alain Frisch <alain.frisch@lexifi.com>"
+]
+license: "MIT"
+homepage: "https://github.com/ocaml-ppx/ppx_tools_versioned"
+bug-reports: "https://github.com/ocaml-ppx/ppx_tools_versioned/issues"
+dev-repo: "git://github.com/ocaml-ppx/ppx_tools_versioned.git"
+tags: [ "syntax" ]
+build: [
+  ["dune" "subst"] {pinned}
+  ["dune" "build" "-p" name "-j" jobs]
+  ["dune" "runtest" "-p" name "-j" jobs] {with-test}
+]
+depends: [
+  "ocaml" {>= "4.02.0"}
+  "dune" {>= "1.0"}
+  "ocaml-migrate-parsetree" {>= "1.4.0"}
+]
+synopsis: "A variant of ppx_tools based on ocaml-migrate-parsetree"
+url {
+  src:
+    "https://github.com/ocaml-ppx/ppx_tools_versioned/archive/5.2.3.tar.gz"
+  checksum: [
+    "md5=b1455e5a4a1bcd9ddbfcf712ccbd4262"
+    "sha512=af20aa0031b9c638537bcdb52c75de95f316ae8fd455a38672a60da5c7c6895cca9dbecd5d56a88c3c40979c6a673a047d986b5b41e1e84b528b7df5d905b9b1"
+  ]
+}
diff --git a/tools/oeedger8r/esy.lock/opam/re.1.9.0/opam b/tools/oeedger8r/esy.lock/opam/re.1.9.0/opam
new file mode 100644
index 0000000000..f7987544d1
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/re.1.9.0/opam
@@ -0,0 +1,42 @@
+opam-version: "2.0"
+
+maintainer: "rudi.grinberg@gmail.com"
+authors: [
+  "Jerome Vouillon"
+  "Thomas Gazagnaire"
+  "Anil Madhavapeddy"
+  "Rudi Grinberg"
+  "Gabriel Radanne"
+]
+license: "LGPL-2.0-only with OCaml-LGPL-linking-exception"
+homepage: "https://github.com/ocaml/ocaml-re"
+bug-reports: "https://github.com/ocaml/ocaml-re/issues"
+dev-repo: "git+https://github.com/ocaml/ocaml-re.git"
+
+build: [
+  ["dune" "subst"] {pinned}
+  ["dune" "build" "-p" name "-j" jobs]
+  ["dune" "runtest" "-p" name "-j" jobs] {with-test}
+]
+
+depends: [
+  "ocaml" {>= "4.02"}
+  "dune"
+  "ounit" {with-test}
+  "seq"
+]
+
+synopsis: "RE is a regular expression library for OCaml"
+description: """
+Pure OCaml regular expressions with:
+* Perl-style regular expressions (module Re.Perl)
+* Posix extended regular expressions (module Re.Posix)
+* Emacs-style regular expressions (module Re.Emacs)
+* Shell-style file globbing (module Re.Glob)
+* Compatibility layer for OCaml's built-in Str module (module Re.Str)
+"""
+url {
+  src:
+    "https://github.com/ocaml/ocaml-re/releases/download/1.9.0/re-1.9.0.tbz"
+  checksum: "md5=bddaed4f386a22cace7850c9c7dac296"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/result.1.4/opam b/tools/oeedger8r/esy.lock/opam/result.1.4/opam
new file mode 100644
index 0000000000..b44aeead8b
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/result.1.4/opam
@@ -0,0 +1,22 @@
+opam-version: "2.0"
+maintainer: "opensource@janestreet.com"
+authors: ["Jane Street Group, LLC <opensource@janestreet.com>"]
+homepage: "https://github.com/janestreet/result"
+dev-repo: "git+https://github.com/janestreet/result.git"
+bug-reports: "https://github.com/janestreet/result/issues"
+license: "BSD-3-Clause"
+build: [["dune" "build" "-p" name "-j" jobs]]
+depends: [
+  "ocaml"
+  "dune" {>= "1.0"}
+]
+synopsis: "Compatibility Result module"
+description: """
+Projects that want to use the new result type defined in OCaml >= 4.03
+while staying compatible with older version of OCaml should use the
+Result module defined in this library."""
+url {
+  src:
+    "https://github.com/janestreet/result/archive/1.4.tar.gz"
+  checksum: "md5=d3162dbc501a2af65c8c71e0866541da"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/seq.0.2/opam b/tools/oeedger8r/esy.lock/opam/seq.0.2/opam
new file mode 100644
index 0000000000..55c46960c6
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/seq.0.2/opam
@@ -0,0 +1,22 @@
+opam-version: "2.0"
+synopsis:
+  "Compatibility package for OCaml's standard iterator type starting from 4.07"
+maintainer: "simon.cruanes.2007@m4x.org"
+authors: "Simon Cruanes"
+license: "LGPL2.1"
+tags: ["iterator" "seq" "pure" "list" "compatibility" "cascade"]
+homepage: "https://github.com/c-cube/seq/"
+bug-reports: "https://github.com/c-cube/seq/issues"
+depends: [
+  "dune" {>= "1.1.0"}
+  "ocaml" {< "4.07.0"}
+]
+build: ["dune" "build" "-p" name "-j" jobs]
+dev-repo: "git+https://github.com/c-cube/seq.git"
+url {
+  src: "https://github.com/c-cube/seq/archive/0.2.tar.gz"
+  checksum: [
+    "md5=1d5a9d0aba27b22433f518cdc495d0fd"
+    "sha512=b2571225a18e624b79dad5e1aab91b22e2fda17702f2e23c438b75d2a71e24c55ee8672005f5cc4b17ae79e3b277b1918b71b5d0d674b8b12ea19b3fb2d747cb"
+  ]
+}
\ No newline at end of file
diff --git a/tools/oeedger8r/esy.lock/opam/sexplib0.v0.12.0/opam b/tools/oeedger8r/esy.lock/opam/sexplib0.v0.12.0/opam
new file mode 100644
index 0000000000..9b45864bd4
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/sexplib0.v0.12.0/opam
@@ -0,0 +1,26 @@
+opam-version: "2.0"
+maintainer: "opensource@janestreet.com"
+authors: ["Jane Street Group, LLC <opensource@janestreet.com>"]
+homepage: "https://github.com/janestreet/sexplib0"
+bug-reports: "https://github.com/janestreet/sexplib0/issues"
+dev-repo: "git+https://github.com/janestreet/sexplib0.git"
+doc: "https://ocaml.janestreet.com/ocaml-core/latest/doc/sexplib0/index.html"
+license: "MIT"
+build: [
+  ["dune" "build" "-p" name "-j" jobs]
+]
+depends: [
+  "ocaml" {>= "4.04.2"}
+  "dune"  {>= "1.5.1"}
+]
+synopsis: "Library containing the definition of S-expressions and some base converters"
+description: "
+Part of Jane Street's Core library
+The Core suite of libraries is an industrial strength alternative to
+OCaml's standard library that was developed by Jane Street, the
+largest industrial user of OCaml.
+"
+url {
+  src: "https://ocaml.janestreet.com/ocaml-core/v0.12/files/sexplib0-v0.12.0.tar.gz"
+  checksum: "md5=2486a25d3a94da9a94acc018b5f09061"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/stdio.v0.12.0/opam b/tools/oeedger8r/esy.lock/opam/stdio.v0.12.0/opam
new file mode 100644
index 0000000000..477c74579e
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/stdio.v0.12.0/opam
@@ -0,0 +1,27 @@
+opam-version: "2.0"
+maintainer: "opensource@janestreet.com"
+authors: ["Jane Street Group, LLC <opensource@janestreet.com>"]
+homepage: "https://github.com/janestreet/stdio"
+bug-reports: "https://github.com/janestreet/stdio/issues"
+dev-repo: "git+https://github.com/janestreet/stdio.git"
+doc: "https://ocaml.janestreet.com/ocaml-core/latest/doc/stdio/index.html"
+license: "MIT"
+build: [
+  ["dune" "build" "-p" name "-j" jobs]
+]
+depends: [
+  "ocaml" {>= "4.04.2"}
+  "base"  {>= "v0.12" & < "v0.13"}
+  "dune"  {>= "1.5.1"}
+]
+synopsis: "Standard IO library for OCaml"
+description: "
+Stdio implements simple input/output functionalities for OCaml.
+
+It re-exports the input/output functions of the OCaml standard
+libraries using a more consistent API.
+"
+url {
+  src: "https://ocaml.janestreet.com/ocaml-core/v0.12/files/stdio-v0.12.0.tar.gz"
+  checksum: "md5=b261ff2d5667fde960c95e50cff668da"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/topkg.1.0.1/opam b/tools/oeedger8r/esy.lock/opam/topkg.1.0.1/opam
new file mode 100644
index 0000000000..77ae1f42d5
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/topkg.1.0.1/opam
@@ -0,0 +1,48 @@
+opam-version: "2.0"
+maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
+homepage: "http://erratique.ch/software/topkg"
+doc: "http://erratique.ch/software/topkg/doc"
+license: "ISC"
+dev-repo: "git+http://erratique.ch/repos/topkg.git"
+bug-reports: "https://github.com/dbuenzli/topkg/issues"
+tags: ["packaging" "ocamlbuild" "org:erratique"]
+depends: [
+  "ocaml" {>= "4.03.0"}
+  "ocamlfind" {build & >= "1.6.1"}
+  "ocamlbuild" ]
+build: [[
+  "ocaml" "pkg/pkg.ml" "build"
+          "--pkg-name" name
+          "--dev-pkg" "%{pinned}%" ]]
+synopsis: """The transitory OCaml software packager"""
+description: """\
+
+Topkg is a packager for distributing OCaml software. It provides an
+API to describe the files a package installs in a given build
+configuration and to specify information about the package's
+distribution, creation and publication procedures.
+
+The optional topkg-care package provides the `topkg` command line tool
+which helps with various aspects of a package's life cycle: creating
+and linting a distribution, releasing it on the WWW, publish its
+documentation, add it to the OCaml opam repository, etc.
+
+Topkg is distributed under the ISC license and has **no**
+dependencies. This is what your packages will need as a *build*
+dependency.
+
+Topkg-care is distributed under the ISC license it depends on
+[fmt][fmt], [logs][logs], [bos][bos], [cmdliner][cmdliner],
+[webbrowser][webbrowser] and `opam-format`.
+
+[fmt]: http://erratique.ch/software/fmt
+[logs]: http://erratique.ch/software/logs
+[bos]: http://erratique.ch/software/bos
+[cmdliner]: http://erratique.ch/software/cmdliner
+[webbrowser]: http://erratique.ch/software/webbrowser
+"""
+url {
+archive: "http://erratique.ch/software/topkg/releases/topkg-1.0.1.tbz"
+checksum: "16b90e066d8972a5ef59655e7c28b3e9"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/tyxml.4.3.0/opam b/tools/oeedger8r/esy.lock/opam/tyxml.4.3.0/opam
new file mode 100644
index 0000000000..93872f8b3c
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/tyxml.4.3.0/opam
@@ -0,0 +1,45 @@
+opam-version: "2.0"
+maintainer: "dev@ocsigen.org"
+homepage: "https://github.com/ocsigen/tyxml/"
+bug-reports: "https://github.com/ocsigen/tyxml/issues"
+doc: "https://ocsigen.org/tyxml/manual/"
+dev-repo: "git+https://github.com/ocsigen/tyxml.git"
+license: "LGPL-2.1-only with OCaml-LGPL-linking-exception"
+
+build: [
+  ["dune" "subst"] {pinned}
+  ["dune" "build" "-p" name "-j" jobs]
+  ["dune" "runtest" "-p" name "-j" jobs] {with-test}
+]
+
+depends: [
+  "ocaml" {>= "4.02"}
+  "re" {>= "1.5.0"}
+  ("ocaml" {>= "4.07"} | "re" {>= "1.8.0"})
+  "dune"
+  "alcotest" {with-test}
+  "seq"
+  "uutf" {>= "1.0.0"}
+]
+
+synopsis:"TyXML is a library for building correct HTML and SVG documents"
+description:"""
+TyXML provides a set of convenient combinators that uses the OCaml
+type system to ensure the validity of the generated documents. TyXML
+can be used with any representation of HTML and SVG: the textual one,
+provided directly by this package, or DOM trees (`js_of_ocaml-tyxml`)
+virtual DOM (`virtual-dom`) and reactive or replicated trees
+(`eliom`). You can also create your own representation and use it to
+instantiate a new set of combinators.
+
+```ocaml
+open Tyxml
+let to_ocaml = Html.(a ~a:[a_href "ocaml.org"] [txt "OCaml!"])
+```
+"""
+authors: "The ocsigen team"
+url {
+  src:
+    "https://github.com/ocsigen/tyxml/releases/download/4.3.0/tyxml-4.3.0.tbz"
+  checksum: "md5=fd834a567f813bf447cab5f4c3a723e2"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/uchar.0.0.2/opam b/tools/oeedger8r/esy.lock/opam/uchar.0.0.2/opam
new file mode 100644
index 0000000000..428d7aa6f8
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/uchar.0.0.2/opam
@@ -0,0 +1,36 @@
+opam-version: "2.0"
+maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
+homepage: "http://ocaml.org"
+doc: "https://ocaml.github.io/uchar/"
+dev-repo: "git+https://github.com/ocaml/uchar.git"
+bug-reports: "https://github.com/ocaml/uchar/issues"
+tags: [ "text" "character" "unicode" "compatibility" "org:ocaml.org" ]
+license: "typeof OCaml system"
+depends: [
+  "ocaml" {>= "3.12.0"}
+  "ocamlbuild" {build}
+]
+build: [
+  ["ocaml" "pkg/git.ml"]
+  [
+    "ocaml"
+    "pkg/build.ml"
+    "native=%{ocaml:native}%"
+    "native-dynlink=%{ocaml:native-dynlink}%"
+  ]
+]
+synopsis: "Compatibility library for OCaml's Uchar module"
+description: """
+The `uchar` package provides a compatibility library for the
+[`Uchar`][1] module introduced in OCaml 4.03.
+
+The `uchar` package is distributed under the license of the OCaml
+compiler. See [LICENSE](LICENSE) for details.
+
+[1]: http://caml.inria.fr/pub/docs/manual-ocaml/libref/Uchar.html"""
+url {
+  src:
+    "https://github.com/ocaml/uchar/releases/download/v0.0.2/uchar-0.0.2.tbz"
+  checksum: "md5=c9ba2c738d264c420c642f7bb1cf4a36"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/uucp.12.0.0/opam b/tools/oeedger8r/esy.lock/opam/uucp.12.0.0/opam
new file mode 100644
index 0000000000..18bf0a8410
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/uucp.12.0.0/opam
@@ -0,0 +1,47 @@
+opam-version: "2.0"
+maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+authors: [
+  "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+  "David Kaloper Meršinjak <david@numm.org>"
+]
+homepage: "https://erratique.ch/software/uucp"
+doc: "https://erratique.ch/software/uucp/doc/Uucp"
+dev-repo: "git+https://erratique.ch/repos/uucp.git"
+bug-reports: "https://github.com/dbuenzli/uucp/issues"
+tags: [ "unicode" "text" "character" "org:erratique" ]
+license: "ISC"
+depends: [
+ "ocaml" {>= "4.01.0"}
+ "ocamlfind" {build}
+ "ocamlbuild" {build}
+ "topkg" {build}
+ "uchar"
+ "uucd" {with-test} # dev really
+ "uunf" {with-test}
+ "uutf" {with-test}
+ ]
+depopts: [ "uunf" "uutf" "cmdliner" ]
+conflicts: [ "uutf" {< "1.0.1"}
+             "cmdliner" {< "1.0.0"} ]
+build: [[
+  "ocaml" "pkg/pkg.ml" "build"
+          "--dev-pkg" "%{pinned}%"
+          "--with-uutf" "%{uutf:installed}%"
+          "--with-uunf" "%{uunf:installed}%"
+          "--with-cmdliner" "%{cmdliner:installed}%"
+]]
+synopsis: """Unicode character properties for OCaml"""
+description: """\
+
+Uucp is an OCaml library providing efficient access to a selection of
+character properties of the [Unicode character database][1].
+
+Uucp is independent from any Unicode text data structure and has no
+dependencies. It is distributed under the ISC license.
+
+[1]: http://www.unicode.org/reports/tr44/
+"""
+url {
+archive: "https://erratique.ch/software/uucp/releases/uucp-12.0.0.tbz"
+checksum: "cf210ed43375b7f882c0540874e2cb81"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/uuseg.12.0.0/opam b/tools/oeedger8r/esy.lock/opam/uuseg.12.0.0/opam
new file mode 100644
index 0000000000..57dbdc65b1
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/uuseg.12.0.0/opam
@@ -0,0 +1,50 @@
+opam-version: "2.0"
+maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
+homepage: "https://erratique.ch/software/uuseg"
+doc: "https://erratique.ch/software/uuseg"
+dev-repo: "git+https://erratique.ch/repos/uuseg.git"
+bug-reports: "https://github.com/dbuenzli/uuseg/issues"
+tags: [ "segmentation" "text" "unicode" "org:erratique" ]
+license: "ISC"
+depends: [ "ocaml" {>= "4.01.0"}
+           "ocamlfind" {build}
+           "ocamlbuild" {build}
+           "topkg" {build}
+           "uchar"
+           "uucp" {>= "12.0.0" & < "13.0.0"} ]
+depopts: [ "uutf"
+           "cmdliner"
+           "uutf" {with-test}
+           "cmdliner" {with-test} ]
+conflicts: [ "uutf" {< "1.0.0"} ]
+build: [[
+  "ocaml" "pkg/pkg.ml" "build"
+  "--pinned" "%{pinned}%"
+  "--with-uutf" "%{uutf:installed}%"
+  "--with-cmdliner" "%{cmdliner:installed}%" ]]
+
+synopsis: """Unicode text segmentation for OCaml"""
+description: """\
+
+Uuseg is an OCaml library for segmenting Unicode text. It implements
+the locale independent [Unicode text segmentation algorithms][1] to
+detect grapheme cluster, word and sentence boundaries and the
+[Unicode line breaking algorithm][2] to detect line break
+opportunities.
+
+The library is independent from any IO mechanism or Unicode text data
+structure and it can process text without a complete in-memory
+representation.
+
+Uuseg depends on [Uucp](http://erratique.ch/software/uucp) and
+optionally on [Uutf](http://erratique.ch/software/uutf) for support on
+OCaml UTF-X encoded strings. It is distributed under the ISC license.
+
+[1]: http://www.unicode.org/reports/tr29/
+[2]: http://www.unicode.org/reports/tr14/
+"""
+url {
+archive: "https://erratique.ch/software/uuseg/releases/uuseg-12.0.0.tbz"
+checksum: "1d4487ddf5154e3477e55021b978d58a"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/uutf.1.0.2/opam b/tools/oeedger8r/esy.lock/opam/uutf.1.0.2/opam
new file mode 100644
index 0000000000..3a9f5678d2
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/uutf.1.0.2/opam
@@ -0,0 +1,40 @@
+opam-version: "2.0"
+maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
+homepage: "http://erratique.ch/software/uutf"
+doc: "http://erratique.ch/software/uutf/doc/Uutf"
+dev-repo: "git+http://erratique.ch/repos/uutf.git"
+bug-reports: "https://github.com/dbuenzli/uutf/issues"
+tags: [ "unicode" "text" "utf-8" "utf-16" "codec" "org:erratique" ]
+license: "ISC"
+depends: [
+  "ocaml" {>= "4.01.0"}
+  "ocamlfind" {build}
+  "ocamlbuild" {build}
+  "topkg" {build}
+  "uchar"
+]
+depopts: ["cmdliner"]
+conflicts: ["cmdliner" { < "0.9.6"} ]
+build: [[
+  "ocaml" "pkg/pkg.ml" "build"
+          "--pinned" "%{pinned}%"
+          "--with-cmdliner" "%{cmdliner:installed}%" ]]
+synopsis: """Non-blocking streaming Unicode codec for OCaml"""
+description: """\
+
+Uutf is a non-blocking streaming codec to decode and encode the UTF-8,
+UTF-16, UTF-16LE and UTF-16BE encoding schemes. It can efficiently
+work character by character without blocking on IO. Decoders perform
+character position tracking and support newline normalization.
+
+Functions are also provided to fold over the characters of UTF encoded
+OCaml string values and to directly encode characters in OCaml
+Buffer.t values.
+
+Uutf has no dependency and is distributed under the ISC license.
+"""
+url {
+archive: "http://erratique.ch/software/uutf/releases/uutf-1.0.2.tbz"
+checksum: "a7c542405a39630c689a82bd7ef2292c"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/yojson.1.7.0/opam b/tools/oeedger8r/esy.lock/opam/yojson.1.7.0/opam
new file mode 100644
index 0000000000..ffef0682a7
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/yojson.1.7.0/opam
@@ -0,0 +1,38 @@
+opam-version: "2.0"
+maintainer: "martin@mjambon.com"
+authors: ["Martin Jambon"]
+homepage: "https://github.com/ocaml-community/yojson"
+bug-reports: "https://github.com/ocaml-community/yojson/issues"
+dev-repo: "git+https://github.com/ocaml-community/yojson.git"
+doc: "https://ocaml-community.github.io/yojson/"
+build: [
+  ["dune" "subst"] {pinned}
+  ["dune" "build" "-p" name "-j" jobs]
+]
+run-test: [["dune" "runtest" "-p" name "-j" jobs]]
+depends: [
+  "ocaml" {>= "4.02.3"}
+  "dune"
+  "cppo" {build}
+  "easy-format"
+  "biniou" {>= "1.2.0"}
+  "alcotest" {with-test & >= "0.8.5"}
+]
+synopsis:
+  "Yojson is an optimized parsing and printing library for the JSON format"
+description: """
+Yojson is an optimized parsing and printing library for the JSON format.
+
+It addresses a few shortcomings of json-wheel including 2x speedup,
+polymorphic variants and optional syntax for tuples and variants.
+
+ydump is a pretty-printing command-line program provided with the
+yojson package.
+
+The program atdgen can be used to derive OCaml-JSON serializers and
+deserializers from type definitions."""
+url {
+  src:
+    "https://github.com/ocaml-community/yojson/releases/download/1.7.0/yojson-1.7.0.tbz"
+  checksum: "md5=b89d39ca3f8c532abe5f547ad3b8f84d"
+}
diff --git a/tools/oeedger8r/esy.lock/overrides/opam__s__dune_opam__c__1.11.3_opam_override/package.json b/tools/oeedger8r/esy.lock/overrides/opam__s__dune_opam__c__1.11.3_opam_override/package.json
new file mode 100644
index 0000000000..064c7e390d
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/overrides/opam__s__dune_opam__c__1.11.3_opam_override/package.json
@@ -0,0 +1,14 @@
+{
+  "build": [
+    [
+      "ocaml",
+      "bootstrap.ml"
+    ],
+    [
+      "./boot.exe",
+      "--release",
+      "-j",
+      "4"
+    ]
+  ]
+}
diff --git a/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/files/ocamlbuild-0.14.0.patch b/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/files/ocamlbuild-0.14.0.patch
new file mode 100644
index 0000000000..4d5bea0e09
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/files/ocamlbuild-0.14.0.patch
@@ -0,0 +1,463 @@
+--- ./Makefile
++++ ./Makefile
+@@ -213,7 +213,7 @@
+ 	rm -f man/ocamlbuild.1
+ 
+ man/options_man.byte: src/ocamlbuild_pack.cmo
+-	$(OCAMLC) $^ -I src man/options_man.ml -o man/options_man.byte
++	$(OCAMLC) -I +unix unix.cma $^ -I src man/options_man.ml -o man/options_man.byte
+ 
+ clean::
+ 	rm -f man/options_man.cm*
+--- ./src/command.ml
++++ ./src/command.ml
+@@ -148,9 +148,10 @@
+   let self = string_of_command_spec_with_calls call_with_tags call_with_target resolve_virtuals in
+   let b = Buffer.create 256 in
+   (* The best way to prevent bash from switching to its windows-style
+-   * quote-handling is to prepend an empty string before the command name. *)
++   * quote-handling is to prepend an empty string before the command name.
++   * space seems to work, too - and the ouput is nicer *)
+   if Sys.os_type = "Win32" then
+-    Buffer.add_string b "''";
++    Buffer.add_char b ' ';
+   let first = ref true in
+   let put_space () =
+     if !first then
+@@ -260,7 +261,7 @@
+ 
+ let execute_many ?(quiet=false) ?(pretend=false) cmds =
+   add_parallel_stat (List.length cmds);
+-  let degraded = !*My_unix.is_degraded || Sys.os_type = "Win32" in
++  let degraded = !*My_unix.is_degraded in
+   let jobs = !jobs in
+   if jobs < 0 then invalid_arg "jobs < 0";
+   let max_jobs = if jobs = 0 then None else Some jobs in
+--- ./src/findlib.ml
++++ ./src/findlib.ml
+@@ -66,9 +66,6 @@
+     (fun command -> lexer & Lexing.from_string & run_and_read command)
+     command
+ 
+-let run_and_read command =
+-  Printf.ksprintf run_and_read command
+-
+ let rec query name =
+   try
+     Hashtbl.find packages name
+@@ -135,7 +132,8 @@
+   with Not_found -> s
+ 
+ let list () =
+-  List.map before_space (split_nl & run_and_read "%s list" ocamlfind)
++  let cmd = Shell.quote_filename_if_needed ocamlfind ^ " list" in
++  List.map before_space (split_nl & run_and_read cmd)
+ 
+ (* The closure algorithm is easy because the dependencies are already closed
+ and sorted for each package. We only have to make the union. We could also
+--- ./src/main.ml
++++ ./src/main.ml
+@@ -162,6 +162,9 @@
+               Tags.mem "traverse" tags
+               || List.exists (Pathname.is_prefix path_name) !Options.include_dirs
+               || List.exists (Pathname.is_prefix path_name) target_dirs)
++            && ((* beware: !Options.build_dir is an absolute directory *)
++              Pathname.normalize !Options.build_dir
++              <> Pathname.normalize (Pathname.pwd/path_name))
+           end
+         end
+       end
+--- ./src/my_std.ml
++++ ./src/my_std.ml
+@@ -271,13 +271,107 @@
+       try Array.iter (fun x -> if x = basename then raise Exit) a; false
+       with Exit -> true
+ 
++let command_plain = function
++| [| |] -> 0
++| margv ->
++  let rec waitpid a b =
++    match Unix.waitpid a b with
++    | exception (Unix.Unix_error(Unix.EINTR,_,_)) -> waitpid a b
++    | x -> x
++  in
++  let pid = Unix.(create_process margv.(0) margv stdin stdout stderr) in
++  let pid', process_status = waitpid [] pid in
++  assert (pid = pid');
++  match process_status with
++  | Unix.WEXITED n -> n
++  | Unix.WSIGNALED _ -> 2 (* like OCaml's uncaught exceptions *)
++  | Unix.WSTOPPED _ -> 127
++
++(* can't use Lexers because of circular dependency *)
++let split_path_win str =
++  let rec aux pos =
++    try
++      let i = String.index_from str pos ';' in
++      let len = i - pos in
++      if len = 0 then
++        aux (succ i)
++      else
++        String.sub str pos (i - pos) :: aux (succ i)
++    with Not_found | Invalid_argument _ ->
++      let len = String.length str - pos in
++      if len = 0 then [] else [String.sub str pos len]
++  in
++  aux 0
++
++let windows_shell = lazy begin
++  let rec iter = function
++  | [] -> [| "bash.exe" ; "--norc" ; "--noprofile" |]
++  | hd::tl ->
++    let dash = Filename.concat hd "dash.exe" in
++    if Sys.file_exists dash then [|dash|] else
++    let bash = Filename.concat hd "bash.exe" in
++    if Sys.file_exists bash = false then iter tl else
++    (* if sh.exe and bash.exe exist in the same dir, choose sh.exe *)
++    let sh = Filename.concat hd "sh.exe" in
++    if Sys.file_exists sh then [|sh|] else [|bash ; "--norc" ; "--noprofile"|]
++  in
++  split_path_win (try Sys.getenv "PATH" with Not_found -> "") |> iter
++end
++
++let prep_windows_cmd cmd =
++  (* workaround known ocaml bug, remove later *)
++  if String.contains cmd '\t' && String.contains cmd ' ' = false then
++    " " ^ cmd
++  else
++    cmd
++
++let run_with_shell = function
++| "" -> 0
++| cmd ->
++  let cmd = prep_windows_cmd cmd in
++  let shell = Lazy.force windows_shell in
++  let qlen = Filename.quote cmd |> String.length in
++  (* old versions of dash had problems with bs *)
++  try
++    if qlen < 7_900 then
++      command_plain (Array.append shell [| "-ec" ; cmd |])
++    else begin
++      (* it can still work, if the called command is a cygwin tool *)
++      let ch_closed = ref false in
++      let file_deleted = ref false in
++      let fln,ch =
++        Filename.open_temp_file
++          ~mode:[Open_binary]
++          "ocamlbuildtmp"
++          ".sh"
++      in
++      try
++        let f_slash = String.map ( fun x -> if x = '\\' then '/' else x ) fln in
++        output_string ch cmd;
++        ch_closed:= true;
++        close_out ch;
++        let ret = command_plain (Array.append shell [| "-e" ; f_slash |]) in
++        file_deleted:= true;
++        Sys.remove fln;
++        ret
++      with
++      | x ->
++        if !ch_closed = false then
++          close_out_noerr ch;
++        if !file_deleted = false then
++          (try Sys.remove fln with _ -> ());
++        raise x
++    end
++  with
++  | (Unix.Unix_error _) as x ->
++    (* Sys.command doesn't raise an exception, so run_with_shell also won't
++       raise *)
++    Printexc.to_string x ^ ":" ^ cmd |> prerr_endline;
++    1
++
+ let sys_command =
+-  match Sys.os_type with
+-  | "Win32" -> fun cmd ->
+-      if cmd = "" then 0 else
+-      let cmd = "bash --norc -c " ^ Filename.quote cmd in
+-      Sys.command cmd
+-  | _ -> fun cmd -> if cmd = "" then 0 else Sys.command cmd
++  if Sys.win32 then run_with_shell
++  else fun cmd -> if cmd = "" then 0 else Sys.command cmd
+ 
+ (* FIXME warning fix and use Filename.concat *)
+ let filename_concat x y =
+--- ./src/my_std.mli
++++ ./src/my_std.mli
+@@ -69,3 +69,6 @@
+ 
+ val split_ocaml_version : (int * int * int * string) option
+ (** (major, minor, patchlevel, rest) *)
++
++val windows_shell : string array Lazy.t
++val prep_windows_cmd : string -> string
+--- ./src/ocamlbuild_executor.ml
++++ ./src/ocamlbuild_executor.ml
+@@ -34,6 +34,8 @@
+   job_stdin   : out_channel;
+   job_stderr  : in_channel;
+   job_buffer  : Buffer.t;
++  job_pid     : int;
++  job_tmp_file: string option;
+   mutable job_dying : bool;
+ };;
+ 
+@@ -76,6 +78,61 @@
+   in
+   loop 0
+ ;;
++
++let open_process_full_win cmd env =
++  let (in_read, in_write) = Unix.pipe () in
++  let (out_read, out_write) = Unix.pipe () in
++  let (err_read, err_write) = Unix.pipe () in
++  Unix.set_close_on_exec in_read;
++  Unix.set_close_on_exec out_write;
++  Unix.set_close_on_exec err_read;
++  let inchan = Unix.in_channel_of_descr in_read in
++  let outchan = Unix.out_channel_of_descr out_write in
++  let errchan = Unix.in_channel_of_descr err_read in
++  let shell = Lazy.force Ocamlbuild_pack.My_std.windows_shell in
++  let test_cmd =
++    String.concat " " (List.map Filename.quote (Array.to_list shell)) ^
++    "-ec " ^
++    Filename.quote (Ocamlbuild_pack.My_std.prep_windows_cmd cmd) in
++  let argv,tmp_file =
++    if String.length test_cmd < 7_900 then
++      Array.append
++        shell
++        [| "-ec" ; Ocamlbuild_pack.My_std.prep_windows_cmd cmd |],None
++    else
++    let fln,ch = Filename.open_temp_file ~mode:[Open_binary] "ocamlbuild" ".sh" in
++    output_string ch (Ocamlbuild_pack.My_std.prep_windows_cmd cmd);
++    close_out ch;
++    let fln' = String.map (function '\\' -> '/' | c -> c) fln in
++    Array.append
++      shell
++      [| "-c" ; fln' |], Some fln in
++  let pid =
++    Unix.create_process_env argv.(0) argv env out_read in_write err_write in
++  Unix.close out_read;
++  Unix.close in_write;
++  Unix.close err_write;
++  (pid, inchan, outchan, errchan,tmp_file)
++
++let close_process_full_win (pid,inchan, outchan, errchan, tmp_file) =
++  let delete tmp_file =
++    match tmp_file with
++    | None -> ()
++    | Some x -> try Sys.remove x with Sys_error _ -> () in
++  let tmp_file_deleted = ref false in
++  try
++    close_in inchan;
++    close_out outchan;
++    close_in errchan;
++    let res = snd(Unix.waitpid [] pid) in
++    tmp_file_deleted := true;
++    delete tmp_file;
++    res
++  with
++  | x when tmp_file <> None && !tmp_file_deleted = false ->
++    delete tmp_file;
++    raise x
++
+ (* ***)
+ (*** execute *)
+ (* XXX: Add test for non reentrancy *)
+@@ -130,10 +187,16 @@
+   (*** add_job *)
+   let add_job cmd rest result id =
+     (*display begin fun oc -> fp oc "Job %a is %s\n%!" print_job_id id cmd; end;*)
+-    let (stdout', stdin', stderr') = open_process_full cmd env in
++    let (pid,stdout', stdin', stderr', tmp_file) =
++      if Sys.win32 then open_process_full_win cmd env else
++      let a,b,c = open_process_full cmd env in
++      -1,a,b,c,None
++    in
+     incr jobs_active;
+-    set_nonblock (doi stdout');
+-    set_nonblock (doi stderr');
++    if not Sys.win32 then (
++      set_nonblock (doi stdout');
++      set_nonblock (doi stderr');
++    );
+     let job =
+       { job_id          = id;
+         job_command     = cmd;
+@@ -143,7 +206,9 @@
+         job_stdin       = stdin';
+         job_stderr      = stderr';
+         job_buffer      = Buffer.create 1024;
+-        job_dying       = false }
++        job_dying       = false;
++        job_tmp_file    = tmp_file;
++        job_pid         = pid }
+     in
+     outputs := FDM.add (doi stdout') job (FDM.add (doi stderr') job !outputs);
+     jobs := JS.add job !jobs;
+@@ -199,6 +264,7 @@
+               try
+                 read fd u 0 (Bytes.length u)
+               with
++              | Unix.Unix_error(Unix.EPIPE,_,_) when Sys.win32 -> 0
+               | Unix.Unix_error(e,_,_)  ->
+                 let msg = error_message e in
+                 display (fun oc -> fp oc
+@@ -241,14 +307,19 @@
+       decr jobs_active;
+ 
+       (* PR#5371: we would get EAGAIN below otherwise *)
+-      clear_nonblock (doi job.job_stdout);
+-      clear_nonblock (doi job.job_stderr);
+-
++      if not Sys.win32 then (
++        clear_nonblock (doi job.job_stdout);
++        clear_nonblock (doi job.job_stderr);
++      );
+       do_read ~loop:true (doi job.job_stdout) job;
+       do_read ~loop:true (doi job.job_stderr) job;
+       outputs := FDM.remove (doi job.job_stdout) (FDM.remove (doi job.job_stderr) !outputs);
+       jobs := JS.remove job !jobs;
+-      let status = close_process_full (job.job_stdout, job.job_stdin, job.job_stderr) in
++      let status =
++        if Sys.win32 then
++          close_process_full_win (job.job_pid, job.job_stdout, job.job_stdin, job.job_stderr, job.job_tmp_file)
++        else
++          close_process_full (job.job_stdout, job.job_stdin, job.job_stderr) in
+ 
+       let shown = ref false in
+ 
+--- ./src/ocamlbuild_unix_plugin.ml
++++ ./src/ocamlbuild_unix_plugin.ml
+@@ -48,12 +48,22 @@
+   end
+ 
+ let run_and_open s kont =
++  let s_orig = s in
++  let s =
++    (* Be consistent! My_unix.run_and_open uses My_std.sys_command and
++       sys_command uses bash. *)
++    if Sys.win32 = false then s else
++    let l = match Lazy.force My_std.windows_shell |> Array.to_list with
++    | hd::tl -> (Filename.quote hd)::tl
++    | _ -> assert false in
++    "\"" ^ (String.concat " " l) ^ " -ec " ^ Filename.quote (" " ^ s) ^ "\""
++  in
+   let ic = Unix.open_process_in s in
+   let close () =
+     match Unix.close_process_in ic with
+     | Unix.WEXITED 0 -> ()
+     | Unix.WEXITED _ | Unix.WSIGNALED _ | Unix.WSTOPPED _ ->
+-        failwith (Printf.sprintf "Error while running: %s" s) in
++        failwith (Printf.sprintf "Error while running: %s" s_orig) in
+   let res = try
+       kont ic
+     with e -> (close (); raise e)
+--- ./src/options.ml
++++ ./src/options.ml
+@@ -174,11 +174,24 @@
+     build_dir := Filename.concat (Sys.getcwd ()) s
+   else
+     build_dir := s
++
++let slashify =
++  if Sys.win32 then fun p -> String.map (function '\\' -> '/' | x -> x) p
++  else fun p ->p
++
++let sb () =
++  match Sys.os_type with
++  | "Win32" ->
++    (try set_binary_mode_out stdout true with _ -> ());
++  | _ -> ()
++
++
+ let spec = ref (
+     let print_version () =
++      sb ();
+       Printf.printf "ocamlbuild %s\n%!" Ocamlbuild_config.version; raise Exit_OK
+     in
+-    let print_vnum () = print_endline Ocamlbuild_config.version; raise Exit_OK in
++    let print_vnum () = sb (); print_endline Ocamlbuild_config.version; raise Exit_OK in
+   Arg.align
+   [
+    "-version", Unit print_version , " Display the version";
+@@ -257,8 +270,8 @@
+    "-build-dir", String set_build_dir, "<path> Set build directory (implies no-links)";
+    "-install-lib-dir", Set_string Ocamlbuild_where.libdir, "<path> Set the install library directory";
+    "-install-bin-dir", Set_string Ocamlbuild_where.bindir, "<path> Set the install binary directory";
+-   "-where", Unit (fun () -> print_endline !Ocamlbuild_where.libdir; raise Exit_OK), " Display the install library directory";
+-   "-which", String (fun cmd -> print_endline (find_tool cmd); raise Exit_OK), "<command> Display path to the tool command";
++   "-where", Unit (fun () -> sb (); print_endline (slashify !Ocamlbuild_where.libdir); raise Exit_OK), " Display the install library directory";
++   "-which", String (fun cmd -> sb (); print_endline (slashify (find_tool cmd)); raise Exit_OK), "<command> Display path to the tool command";
+    "-ocamlc", set_cmd ocamlc, "<command> Set the OCaml bytecode compiler";
+    "-plugin-ocamlc", set_cmd plugin_ocamlc, "<command> Set the OCaml bytecode compiler \
+      used when building myocamlbuild.ml (only)";
+--- ./src/pathname.ml
++++ ./src/pathname.ml
+@@ -84,6 +84,26 @@
+   | x :: xs -> x :: normalize_list xs
+ 
+ let normalize x =
++  let x =
++    if Sys.win32 = false then
++      x
++    else
++      let len = String.length x in
++      let b = Bytes.create len in
++      for i = 0 to pred len do
++        match x.[i] with
++        | '\\' -> Bytes.set b i '/'
++        | c -> Bytes.set b i c
++      done;
++      if len > 1 then (
++        let c1 = Bytes.get b 0 in
++        let c2 = Bytes.get b 1 in
++        if c2 = ':' && c1 >= 'a' && c1 <= 'z' &&
++           ( len = 2 || Bytes.get b 2 = '/') then
++          Bytes.set b 0 (Char.uppercase_ascii c1)
++      );
++      Bytes.unsafe_to_string b
++  in
+   if Glob.eval not_normal_form_re x then
+     let root, paths = split x in
+     join root (normalize_list paths)
+--- ./src/shell.ml
++++ ./src/shell.ml
+@@ -24,12 +24,26 @@
+     | 'a'..'z' | 'A'..'Z' | '0'..'9' | '.' | '-' | '/' | '_' | ':' | '@' | '+' | ',' -> loop (pos + 1)
+     | _ -> false in
+   loop 0
++
++let generic_quote quotequote s =
++  let l = String.length s in
++  let b = Buffer.create (l + 20) in
++  Buffer.add_char b '\'';
++  for i = 0 to l - 1 do
++    if s.[i] = '\''
++    then Buffer.add_string b quotequote
++    else Buffer.add_char b  s.[i]
++  done;
++  Buffer.add_char b '\'';
++  Buffer.contents b
++let unix_quote = generic_quote "'\\''"
++
+ let quote_filename_if_needed s =
+   if is_simple_filename s then s
+   (* We should probably be using [Filename.unix_quote] except that function
+    * isn't exported. Users on Windows will have to live with not being able to
+    * install OCaml into c:\o'caml. Too bad. *)
+-  else if Sys.os_type = "Win32" then Printf.sprintf "'%s'" s
++  else if Sys.os_type = "Win32" then unix_quote s
+   else Filename.quote s
+ let chdir dir =
+   reset_filesys_cache ();
+@@ -37,7 +51,7 @@
+ let run args target =
+   reset_readdir_cache ();
+   let cmd = String.concat " " (List.map quote_filename_if_needed args) in
+-  if !*My_unix.is_degraded || Sys.os_type = "Win32" then
++  if !*My_unix.is_degraded then
+     begin
+       Log.event cmd target Tags.empty;
+       let st = sys_command cmd in
diff --git a/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/package.json b/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/package.json
new file mode 100644
index 0000000000..b24be7b5bc
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/package.json
@@ -0,0 +1,27 @@
+{
+  "build": [
+    [
+      "bash",
+      "-c",
+      "#{os == 'windows' ? 'patch -p1 < ocamlbuild-0.14.0.patch' : 'true'}"
+    ],
+    [
+      "make",
+      "-f",
+      "configure.make",
+      "all",
+      "OCAMLBUILD_PREFIX=#{self.install}",
+      "OCAMLBUILD_BINDIR=#{self.bin}",
+      "OCAMLBUILD_LIBDIR=#{self.lib}",
+      "OCAMLBUILD_MANDIR=#{self.man}",
+      "OCAMLBUILD_NATIVE=true",
+      "OCAMLBUILD_NATIVE_TOOLS=true"
+    ],
+    [
+      "make",
+      "check-if-preinstalled",
+      "all",
+      "#{os == 'windows' ? 'install' : 'opam-install'}"
+    ]
+  ]
+}
diff --git a/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlfind_opam__c__1.8.1_opam_override/files/findlib-1.8.1.patch b/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlfind_opam__c__1.8.1_opam_override/files/findlib-1.8.1.patch
new file mode 100644
index 0000000000..3e3ee5a24f
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlfind_opam__c__1.8.1_opam_override/files/findlib-1.8.1.patch
@@ -0,0 +1,471 @@
+--- ./Makefile
++++ ./Makefile
+@@ -57,16 +57,16 @@
+ 	cat findlib.conf.in | \
+ 	    $(SH) tools/patch '@SITELIB@' '$(OCAML_SITELIB)' >findlib.conf
+ 	if ./tools/cmd_from_same_dir ocamlc; then \
+-		echo 'ocamlc="ocamlc.opt"' >>findlib.conf; \
++		echo 'ocamlc="ocamlc.opt$(EXEC_SUFFIX)"' >>findlib.conf; \
+ 	fi
+ 	if ./tools/cmd_from_same_dir ocamlopt; then \
+-		echo 'ocamlopt="ocamlopt.opt"' >>findlib.conf; \
++		echo 'ocamlopt="ocamlopt.opt$(EXEC_SUFFIX)"' >>findlib.conf; \
+ 	fi
+ 	if ./tools/cmd_from_same_dir ocamldep; then \
+-		echo 'ocamldep="ocamldep.opt"' >>findlib.conf; \
++		echo 'ocamldep="ocamldep.opt$(EXEC_SUFFIX)"' >>findlib.conf; \
+ 	fi
+ 	if ./tools/cmd_from_same_dir ocamldoc; then \
+-		echo 'ocamldoc="ocamldoc.opt"' >>findlib.conf; \
++		echo 'ocamldoc="ocamldoc.opt$(EXEC_SUFFIX)"' >>findlib.conf; \
+ 	fi
+ 
+ .PHONY: install-doc
+--- ./src/findlib/findlib_config.mlp
++++ ./src/findlib/findlib_config.mlp
+@@ -24,3 +24,5 @@
+     | "MacOS" -> ""        (* don't know *)
+     | _ -> failwith "Unknown Sys.os_type"
+ ;;
++
++let exec_suffix = "@EXEC_SUFFIX@";;
+--- ./src/findlib/findlib.ml
++++ ./src/findlib/findlib.ml
+@@ -28,15 +28,20 @@
+ let conf_ldconf = ref "";;
+ let conf_ignore_dups_in = ref ([] : string list);;
+ 
+-let ocamlc_default = "ocamlc";;
+-let ocamlopt_default = "ocamlopt";;
+-let ocamlcp_default = "ocamlcp";;
+-let ocamloptp_default = "ocamloptp";;
+-let ocamlmklib_default = "ocamlmklib";;
+-let ocamlmktop_default = "ocamlmktop";;
+-let ocamldep_default = "ocamldep";;
+-let ocamlbrowser_default = "ocamlbrowser";;
+-let ocamldoc_default = "ocamldoc";;
++let add_exec str =
++  match Findlib_config.exec_suffix with
++  | "" -> str
++  | a  -> str ^ a ;;
++let ocamlc_default = add_exec "ocamlc";;
++let ocamlopt_default = add_exec "ocamlopt";;
++let ocamlcp_default = add_exec "ocamlcp";;
++let ocamloptp_default = add_exec "ocamloptp";;
++let ocamlmklib_default = add_exec "ocamlmklib";;
++let ocamlmktop_default = add_exec "ocamlmktop";;
++let ocamldep_default = add_exec "ocamldep";;
++let ocamlbrowser_default = add_exec "ocamlbrowser";;
++let ocamldoc_default = add_exec "ocamldoc";;
++
+ 
+ 
+ let init_manually 
+--- ./src/findlib/fl_package_base.ml
++++ ./src/findlib/fl_package_base.ml
+@@ -133,7 +133,15 @@
+ 	  List.find (fun def -> def.def_var = "exists_if") p.package_defs  in
+ 	let files = Fl_split.in_words def.def_value in
+ 	List.exists 
+-	  (fun file -> Sys.file_exists (Filename.concat d' file))
++	  (fun file ->
++            let fln = Filename.concat d' file in
++            let e = Sys.file_exists fln in
++            (* necessary for ppx executables *)
++            if e || Sys.os_type <> "Win32" || Filename.check_suffix fln ".exe" then
++              e
++            else
++              Sys.file_exists (fln ^ ".exe")
++          )
+ 	  files
+       with Not_found -> true in
+ 
+--- ./src/findlib/fl_split.ml
++++ ./src/findlib/fl_split.ml
+@@ -126,10 +126,17 @@
+     | '/' | '\\' -> true
+     | _ -> false in
+   let norm_dir_win() =
+-    if l >= 1 && s.[0] = '/' then
+-      Buffer.add_char b '\\' else Buffer.add_char b s.[0];
+-    if l >= 2 && s.[1] = '/' then
+-      Buffer.add_char b '\\' else Buffer.add_char b s.[1];
++    if l >= 1 then (
++      if s.[0] = '/' then
++        Buffer.add_char b '\\'
++      else
++        Buffer.add_char b s.[0] ;
++      if l >= 2 then
++        if s.[1] = '/' then
++          Buffer.add_char b '\\'
++        else
++          Buffer.add_char b s.[1];
++    );
+     for k = 2 to l - 1 do
+       let c = s.[k] in
+       if is_slash c then (
+--- ./src/findlib/frontend.ml
++++ ./src/findlib/frontend.ml
+@@ -31,10 +31,18 @@
+   else
+     Sys_error (arg ^ ": " ^ Unix.error_message code)
+ 
++let is_win = Sys.os_type = "Win32"
++
++let () =
++  match Findlib_config.system with
++    | "win32" | "win64" | "mingw" | "cygwin" | "mingw64" | "cygwin64" ->
++      (try set_binary_mode_out stdout true with _ -> ());
++      (try set_binary_mode_out stderr true with _ -> ());
++    | _ -> ()
+ 
+ let slashify s =
+   match Findlib_config.system with
+-    | "mingw" | "mingw64" | "cygwin" ->
++    | "win32" | "win64" | "mingw" | "cygwin" | "mingw64" | "cygwin64" ->
+         let b = Buffer.create 80 in
+         String.iter
+           (function
+@@ -49,7 +57,7 @@
+ 
+ let out_path ?(prefix="") s =
+   match Findlib_config.system with
+-    | "mingw" | "mingw64" | "cygwin" ->
++   | "win32" | "win64" | "mingw" | "mingw64" | "cygwin" ->
+ 	let u = slashify s in
+ 	prefix ^ 
+ 	  (if String.contains u ' ' then
+@@ -273,11 +281,9 @@
+ 
+ 
+ let identify_dir d =
+-  match Sys.os_type with
+-    | "Win32" ->
+-	failwith "identify_dir"   (* not available *)
+-    | _ ->
+-	let s = Unix.stat d in
++  if is_win then
++    failwith "identify_dir";   (* not available *)
++  let s = Unix.stat d in
+ 	(s.Unix.st_dev, s.Unix.st_ino)
+ ;;
+ 
+@@ -459,6 +465,96 @@
+       )
+       packages
+ 
++let rewrite_cmd s =
++  if s = "" || not is_win then
++    s
++  else
++    let s =
++      let l = String.length s in
++      let b = Buffer.create l in
++      for i = 0 to pred l do
++        match s.[i] with
++        | '/' -> Buffer.add_char b '\\'
++        | x -> Buffer.add_char b x
++      done;
++      Buffer.contents b
++    in
++    if (Filename.is_implicit s && String.contains s '\\' = false) ||
++      Filename.check_suffix (String.lowercase s) ".exe" then
++      s
++    else
++      let s' = s ^ ".exe" in
++      if Sys.file_exists s' then
++        s'
++      else
++        s
++
++let rewrite_cmd s =
++  if s = "" || not is_win then s else
++  let s =
++    let l = String.length s in
++    let b = Buffer.create l in
++    for i = 0 to pred l do
++      match s.[i] with
++      | '/' -> Buffer.add_char b '\\'
++      | x -> Buffer.add_char b x
++    done;
++    Buffer.contents b
++  in
++  if (Filename.is_implicit s && String.contains s '\\' = false) ||
++     Filename.check_suffix (String.lowercase s) ".exe" then
++    s
++  else
++    let s' = s ^ ".exe" in
++    if Sys.file_exists s' then
++      s'
++    else
++      s
++
++let rewrite_pp cmd =
++  if not is_win then cmd else
++  let module T = struct exception Keep end in
++  let is_whitespace = function
++  | ' ' | '\011' | '\012' | '\n' | '\r' | '\t' -> true
++  | _ -> false in
++  (* characters that triggers special behaviour (cmd.exe, not unix shell) *)
++  let is_unsafe_char = function
++  | '(' | ')' | '%' | '!' | '^' | '<' | '>' | '&' -> true
++  | _ -> false in
++  let len = String.length cmd in
++  let buf = Buffer.create (len + 4) in
++  let buf_cmd = Buffer.create len in
++  let rec iter_ws i =
++    if i >= len then () else
++    let cur = cmd.[i] in
++    if is_whitespace cur then (
++      Buffer.add_char buf cur;
++      iter_ws (succ i)
++    )
++    else
++      iter_cmd i
++  and iter_cmd i =
++    if i >= len then add_buf_cmd () else
++    let cur = cmd.[i] in
++    if is_unsafe_char cur || cur = '"' || cur = '\'' then
++      raise T.Keep;
++    if is_whitespace cur then (
++      add_buf_cmd ();
++      Buffer.add_substring buf cmd i (len - i)
++    )
++    else (
++      Buffer.add_char buf_cmd cur;
++      iter_cmd (succ i)
++    )
++  and add_buf_cmd () =
++    if Buffer.length buf_cmd > 0 then
++      Buffer.add_string buf (rewrite_cmd (Buffer.contents buf_cmd))
++  in
++  try
++    iter_ws 0;
++    Buffer.contents buf
++  with
++  | T.Keep -> cmd
+ 
+ let process_pp_spec syntax_preds packages pp_opts =
+   (* Returns: pp_command *)
+@@ -549,7 +645,7 @@
+       None -> []
+     | Some cmd ->
+ 	["-pp";
+-	 cmd ^ " " ^
++	 (rewrite_cmd cmd) ^ " " ^
+ 	 String.concat " " (List.map Filename.quote pp_i_options) ^ " " ^
+ 	 String.concat " " (List.map Filename.quote pp_archives) ^ " " ^
+ 	 String.concat " " (List.map Filename.quote pp_opts)]
+@@ -625,9 +721,11 @@
+           in
+           try
+             let preprocessor =
++              rewrite_cmd (
+               resolve_path
+                 ~base ~explicit:true
+-                (package_property predicates pname "ppx") in
++                  (package_property predicates pname "ppx") )
++            in
+             ["-ppx"; String.concat " " (preprocessor :: options)]
+           with Not_found -> []
+        )
+@@ -895,6 +993,14 @@
+        switch (e.g. -L<path> instead of -L <path>)
+      *)
+ 
++(* We may need to remove files on which we do not have complete control.
++   On Windows, removing a read-only file fails so try to change the
++   mode of the file first. *)
++let remove_file fname =
++  try Sys.remove fname
++  with Sys_error _ when is_win ->
++    (try Unix.chmod fname 0o666 with Unix.Unix_error _ -> ());
++    Sys.remove fname
+ 
+ let ocamlc which () =
+ 
+@@ -1022,9 +1128,12 @@
+               
+ 	      "-intf", 
+ 	      Arg.String (fun s -> pass_files := !pass_files @ [ Intf(slashify s) ]);
+-              
++
+ 	      "-pp", 
+-	      Arg.String (fun s -> pp_specified := true; add_spec_fn "-pp" s);
++	      Arg.String (fun s -> pp_specified := true; add_spec_fn "-pp" (rewrite_pp s));
++
++              "-ppx",
++              Arg.String (fun s -> add_spec_fn "-ppx" (rewrite_pp s));
+ 	      
+ 	      "-thread", 
+ 	      Arg.Unit (fun _ -> threads := threads_default);
+@@ -1237,7 +1346,7 @@
+     with
+       any ->
+ 	close_out initl;
+-	Sys.remove initl_file_name;
++	remove_file initl_file_name;
+ 	raise any
+   end;
+ 
+@@ -1245,9 +1354,9 @@
+     at_exit
+       (fun () ->
+ 	let tr f x = try f x with _ -> () in
+-	tr Sys.remove initl_file_name;
+-	tr Sys.remove (Filename.chop_extension initl_file_name ^ ".cmi");
+-	tr Sys.remove (Filename.chop_extension initl_file_name ^ ".cmo");
++	tr remove_file initl_file_name;
++	tr remove_file (Filename.chop_extension initl_file_name ^ ".cmi");
++	tr remove_file (Filename.chop_extension initl_file_name ^ ".cmo");
+       );
+ 
+   let exclude_list = [ stdlibdir; threads_dir; vmthreads_dir ] in
+@@ -1493,7 +1602,9 @@
+ 	  [ "-v", Arg.Unit (fun () -> verbose := Verbose);
+ 	    "-pp", Arg.String (fun s ->
+ 				 pp_specified := true;
+-				 options := !options @ ["-pp"; s]);
++				 options := !options @ ["-pp"; rewrite_pp s]);
++            "-ppx", Arg.String (fun s ->
++				 options := !options @ ["-ppx"; rewrite_pp s]);
+ 	  ]
+       )
+     )
+@@ -1672,7 +1783,9 @@
+ 	      Arg.String (fun s -> add_spec_fn "-I" (slashify (resolve_path s)));
+ 
+ 	      "-pp", Arg.String (fun s -> pp_specified := true;
+-		 	           add_spec_fn "-pp" s);
++                           add_spec_fn "-pp" (rewrite_pp s));
++              "-ppx", Arg.String (fun s -> add_spec_fn "-ppx" (rewrite_pp s));
++
+ 	    ]
+ 	)
+     )
+@@ -1830,7 +1943,10 @@
+       output_string ch_out append;
+       close_out ch_out;
+       close_in ch_in;
+-      Unix.utimes outpath s.Unix.st_mtime s.Unix.st_mtime;
++      (try Unix.utimes outpath s.Unix.st_mtime s.Unix.st_mtime
++       with Unix.Unix_error(e,_,_) ->
++         prerr_endline("Warning: setting utimes for " ^ outpath
++                       ^ ": " ^ Unix.error_message e));
+ 
+       prerr_endline("Installed " ^ outpath);
+     with
+@@ -1882,6 +1998,8 @@
+              Unix.openfile (Filename.concat dir owner_file) [Unix.O_RDONLY] 0 in
+            let f =
+              Unix.in_channel_of_descr fd in
++           if is_win then
++             set_binary_mode_in f false;
+            try
+              let line = input_line f in
+              let is_my_file = (line = pkg) in
+@@ -2208,7 +2326,7 @@
+     let lines = read_ldconf !ldconf in
+     let dlldir_norm = Fl_split.norm_dir dlldir in
+     let dlldir_norm_lc = string_lowercase_ascii dlldir_norm in
+-    let ci_filesys = (Sys.os_type = "Win32") in
++    let ci_filesys = is_win in
+     let check_dir d =
+       let d' = Fl_split.norm_dir d in
+       (d' = dlldir_norm) || 
+@@ -2356,7 +2474,7 @@
+       List.iter
+         (fun file ->
+            let absfile = Filename.concat dlldir file in
+-           Sys.remove absfile;
++           remove_file absfile;
+            prerr_endline ("Removed " ^ absfile)
+         )
+         dll_files
+@@ -2365,7 +2483,7 @@
+     (* Remove the files from the package directory: *)
+     if Sys.file_exists pkgdir then begin
+       let files = Sys.readdir pkgdir in
+-      Array.iter (fun f -> Sys.remove (Filename.concat pkgdir f)) files;
++      Array.iter (fun f -> remove_file (Filename.concat pkgdir f)) files;
+       Unix.rmdir pkgdir;
+       prerr_endline ("Removed " ^ pkgdir)
+     end
+@@ -2415,7 +2533,9 @@
+ 
+ 
+ let print_configuration() =
++  let sl = slashify in
+   let dir s =
++    let s = sl s in
+     if Sys.file_exists s then
+       s
+     else
+@@ -2453,27 +2573,27 @@
+ 	   if md = "" then "the corresponding package directories" else dir md
+ 	  );
+ 	Printf.printf "The standard library is assumed to reside in:\n    %s\n"
+-	  (Findlib.ocaml_stdlib());
++    (sl (Findlib.ocaml_stdlib()));
+ 	Printf.printf "The ld.conf file can be found here:\n    %s\n"
+-	  (Findlib.ocaml_ldconf());
++    (sl (Findlib.ocaml_ldconf()));
+ 	flush stdout
+     | Some "conf" ->
+-	print_endline (Findlib.config_file())
++  print_endline (sl (Findlib.config_file()))
+     | Some "path" ->
+-	List.iter print_endline (Findlib.search_path())
++  List.iter ( fun x -> print_endline (sl x)) (Findlib.search_path())
+     | Some "destdir" ->
+-	print_endline (Findlib.default_location())
++  print_endline ( sl (Findlib.default_location()))
+     | Some "metadir" ->
+-	print_endline (Findlib.meta_directory())
++  print_endline ( sl (Findlib.meta_directory()))
+     | Some "metapath" ->
+         let mdir = Findlib.meta_directory() in
+         let ddir = Findlib.default_location() in
+-	print_endline 
+-          (if mdir <> "" then mdir ^ "/META.%s" else ddir ^ "/%s/META")
++  print_endline ( sl
++          (if mdir <> "" then mdir ^ "/META.%s" else ddir ^ "/%s/META"))
+     | Some "stdlib" ->
+-	print_endline (Findlib.ocaml_stdlib())
++  print_endline ( sl (Findlib.ocaml_stdlib()))
+     | Some "ldconf" ->
+-	print_endline (Findlib.ocaml_ldconf())
++  print_endline ( sl (Findlib.ocaml_ldconf()))
+     | _ ->
+ 	assert false
+ ;;
+@@ -2481,7 +2601,7 @@
+ 
+ let ocamlcall pkg cmd =
+   let dir = package_directory pkg in
+-  let path = Filename.concat dir cmd in
++  let path = rewrite_cmd (Filename.concat dir cmd) in
+   begin
+     try Unix.access path [ Unix.X_OK ]
+     with
+@@ -2647,6 +2767,10 @@
+   | Sys_error f ->
+       prerr_endline ("ocamlfind: " ^ f);
+       exit 2
++  | Unix.Unix_error (e, fn, f) ->
++      prerr_endline ("ocamlfind: " ^ fn ^ " " ^ f
++                     ^ ": " ^ Unix.error_message e);
++      exit 2
+   | Findlib.No_such_package(pkg,info) ->
+       prerr_endline ("ocamlfind: Package `" ^ pkg ^ "' not found" ^
+ 		     (if info <> "" then " - " ^ info else ""));
+--- ./src/findlib/Makefile
++++ ./src/findlib/Makefile
+@@ -90,6 +90,7 @@
+ 	cat findlib_config.mlp | \
+ 	        $(SH) $(TOP)/tools/patch '@CONFIGFILE@' '$(OCAMLFIND_CONF)' | \
+ 	        $(SH) $(TOP)/tools/patch '@STDLIB@' '$(OCAML_CORE_STDLIB)' | \
++			$(SH) $(TOP)/tools/patch '@EXEC_SUFFIX@' '$(EXEC_SUFFIX)' | \
+ 		sed -e 's;@AUTOLINK@;$(OCAML_AUTOLINK);g' \
+ 		    -e 's;@SYSTEM@;$(SYSTEM);g' \
+ 		     >findlib_config.ml
diff --git a/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlfind_opam__c__1.8.1_opam_override/package.json b/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlfind_opam__c__1.8.1_opam_override/package.json
new file mode 100644
index 0000000000..9314f87088
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlfind_opam__c__1.8.1_opam_override/package.json
@@ -0,0 +1,61 @@
+{
+  "build": [
+    [
+      "bash",
+      "-c",
+      "#{os == 'windows' ? 'patch -p1 < findlib-1.8.1.patch' : 'true'}"
+    ],
+    [
+      "./configure",
+      "-bindir",
+      "#{self.bin}",
+      "-sitelib",
+      "#{self.lib}",
+      "-mandir",
+      "#{self.man}",
+      "-config",
+      "#{self.lib}/findlib.conf",
+      "-no-custom",
+      "-no-topfind"
+    ],
+    [
+      "make",
+      "all"
+    ],
+    [
+      "make",
+      "opt"
+    ]
+  ],
+  "install": [
+    [
+      "make",
+      "install"
+    ],
+    [
+      "install",
+      "-m",
+      "0755",
+      "ocaml-stub",
+      "#{self.bin}/ocaml"
+    ],
+    [
+      "mkdir",
+      "-p",
+      "#{self.toplevel}"
+    ],
+    [
+      "install",
+      "-m",
+      "0644",
+      "src/findlib/topfind",
+      "#{self.toplevel}/topfind"
+    ]
+  ],
+  "exportedEnv": {
+    "OCAML_TOPLEVEL_PATH": {
+      "val": "#{self.toplevel}",
+      "scope": "global"
+    }
+  }
+}

From 1394c4231033b8718597875b37d522457c7cff66 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Mon, 30 Sep 2019 20:05:18 +0000
Subject: [PATCH 251/420] Install esy with Ansible (instead of OCaml etc.)

Notably Windows does not get setup via Ansible, only validated. So we'll
have to manually install it.
---
 .../openenclave/tasks/environment-setup.yml   | 31 +-----
 .../linux/openenclave/tasks/esy-setup.yml     | 98 +++++++++++++++++++
 .../linux/openenclave/tasks/opam-setup.yml    | 81 ---------------
 .../linux/openenclave/tasks/validation.yml    |  8 +-
 .../roles/linux/openenclave/vars/ubuntu.yml   | 28 +-----
 .../windows/openenclave/tasks/validation.yml  |  5 -
 .../windows/openenclave/vars/windows.yml      |  7 +-
 7 files changed, 110 insertions(+), 148 deletions(-)
 create mode 100644 scripts/ansible/roles/linux/openenclave/tasks/esy-setup.yml
 delete mode 100644 scripts/ansible/roles/linux/openenclave/tasks/opam-setup.yml

diff --git a/scripts/ansible/roles/linux/openenclave/tasks/environment-setup.yml b/scripts/ansible/roles/linux/openenclave/tasks/environment-setup.yml
index 26d9f75da7..7a09abde3d 100644
--- a/scripts/ansible/roles/linux/openenclave/tasks/environment-setup.yml
+++ b/scripts/ansible/roles/linux/openenclave/tasks/environment-setup.yml
@@ -30,35 +30,8 @@
     update_cache: yes
     install_recommends: no
 
-- name: Download the OCaml deb packages
-  get_url:
-    url: "{{ item.value.url }}"
-    dest: "{{ item.value.local_path }}"
-    timeout: 10
-  retries: 5
-  with_dict: "{{ ocaml_packages }}"
-
-- name: Install the OCaml deb packages
-  shell: |
-    set -o errexit
-    dpkg --install {{ ocaml_packages.ocaml_base_nox.local_path }}
-    dpkg --install {{ ocaml_packages.ocaml_base.local_path }}
-    dpkg --install --force-depends {{ ocaml_packages.ocaml_compiler_libs.local_path }}
-    dpkg --install {{ ocaml_packages.ocaml_interp.local_path }}
-    dpkg --install {{ ocaml_packages.ocaml_nox.local_path }}
-    dpkg --install {{ ocaml_packages.ocaml.local_path }}
-  args:
-    executable: /bin/bash
-
-- name: Clean OCaml downloaded deb packages
-  file:
-    state: absent
-    path: "{{ item.value.local_path }}"
-  with_dict: "{{ ocaml_packages }}"
-
-- import_role:
-    name: linux/openenclave
-    tasks_from: opam-setup.yml
+- name: Install esy
+  include_tasks: esy-setup.yml
 
 - name: Install CMake 3.13.1
   unarchive:
diff --git a/scripts/ansible/roles/linux/openenclave/tasks/esy-setup.yml b/scripts/ansible/roles/linux/openenclave/tasks/esy-setup.yml
new file mode 100644
index 0000000000..aa5c16bcd4
--- /dev/null
+++ b/scripts/ansible/roles/linux/openenclave/tasks/esy-setup.yml
@@ -0,0 +1,98 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+#
+# See https://github.com/esy/esy/pull/957, specifically:
+# https://github.com/esy/esy/blob/15f593510ea078b4b392b931c9572bc07a306119/scripts/install-esy.sh
+
+---
+- name: Prepare esy installation
+  file:
+    path: "{{ item }}"
+    state: directory
+  with_items:
+    - "/tmp/esy-release"
+    - "/tmp/esy-solve-cudf-release"
+    - "{{ esy_prefix }}/bin"
+    - "{{ esy_prefix }}/lib/node_modules/esy-solve-cudf/"
+
+- name: Download esy
+  get_url:
+    url: "https://registry.npmjs.org/esy/-/esy-{{ esy_target_version }}.tgz"
+    dest: "/tmp/esy-release/esy-{{ esy_target_version }}.tgz"
+    checksum: "sha256:f2cec5e6556172141bb399d1dcef7db4b9d881b0bed9c9749c0eebd95584b739"
+    timeout: 120
+  retries: 3
+
+- name: Download esy_solve_cudf
+  get_url:
+    url: "https://registry.npmjs.org/esy-solve-cudf/-/esy-solve-cudf-0.1.10.tgz"
+    dest: "/tmp/esy-solve-cudf-release/esy-solve-cudf-0.1.10.tgz"
+    checksum: "sha256:3cfb233e5536fe555ff1318bcff241481c8dcbe1edc30b5f97e2366134d3f234"
+    timeout: 120
+  retries: 3
+
+- name: Unarchive esy
+  unarchive:
+    src: "/tmp/esy-release/esy-{{ esy_target_version }}.tgz"
+    dest: "/tmp/esy-release/"
+    remote_src: yes
+
+- name: Unarchive esy_solve_cudf
+  unarchive:
+    src: "/tmp/esy-solve-cudf-release/esy-solve-cudf-0.1.10.tgz"
+    dest: "/tmp/esy-solve-cudf-release/"
+    remote_src: yes
+
+- name: Copy esy package.json
+  copy:
+    src: "/tmp/esy-release/package/package.json"
+    dest: "{{ esy_prefix }}/"
+    remote_src: yes
+
+- name: Copy esy esyInstallRelease.js
+  copy:
+    src: "/tmp/esy-release/package/platform-linux/_build/default/bin/esyInstallRelease.js"
+    dest: "{{ esy_prefix }}/bin/"
+    remote_src: yes
+
+- name: Copy esy default
+  copy:
+    src: "/tmp/esy-release/package/platform-linux/_build/default"
+    dest: "{{ esy_prefix }}/lib/"
+    remote_src: yes
+
+- name: Copy esy_solve_cudfy package.json
+  copy:
+    src: "/tmp/esy-solve-cudf-release/package/package.json"
+    dest: "{{ esy_prefix }}/lib/node_modules/esy-solve-cudf/"
+    remote_src: yes
+
+- name: Copy esy_solve_cudf exe
+  copy:
+    src: "/tmp/esy-solve-cudf-release/package/platform-linux/esySolveCudfCommand.exe"
+    dest: "{{ esy_prefix }}/lib/node_modules/esy-solve-cudf/"
+    remote_src: yes
+
+- name: Apply esy permissions
+  file:
+    mode: 0555
+    path: "{{ item }}"
+  with_items:
+    - "{{ esy_prefix }}/lib/default/bin/esy.exe"
+    - "{{ esy_prefix }}/lib/default/esy-build-package/bin/esyBuildPackageCommand.exe"
+    - "{{ esy_prefix }}/lib/default/esy-build-package/bin/esyRewritePrefixCommand.exe"
+
+- name: Create esy symbolic links
+  file:
+    src: "{{ esy_prefix }}/lib/default/bin/esy.exe"
+    dest: "/usr/local/bin/esy"
+    force: yes
+    state: link
+
+- name: Cleanup esy installation
+  file:
+    path: "/tmp/{{ item }}"
+    state: absent
+  with_items:
+    - esy-release
+    - esy-solve-cudf-release
diff --git a/scripts/ansible/roles/linux/openenclave/tasks/opam-setup.yml b/scripts/ansible/roles/linux/openenclave/tasks/opam-setup.yml
deleted file mode 100644
index 33bff9bd55..0000000000
--- a/scripts/ansible/roles/linux/openenclave/tasks/opam-setup.yml
+++ /dev/null
@@ -1,81 +0,0 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License.
-
----
-- name: Gather Ansible facts
-  setup:
-
-- name: Include distribution vars
-  include_vars:
-    file: "{{ ansible_distribution | lower }}.yml"
-
-- name: Add extra bubblewrap APT repository for Ubuntu Xenial
-  block:
-    - apt_key:
-        keyserver: keyserver.ubuntu.com
-        id: 6125E2A8C77F2818FB7BD15B93C4A3FD7BB9C367
-
-    - apt_repository:
-        repo: deb http://ppa.launchpad.net/ansible/bubblewrap/ubuntu xenial main
-        state: present
-        update_cache: yes
-  when: ansible_distribution_release == "xenial"
-
-- name: Install OPAM dependencies
-  apt:
-    name:
-      - "unzip"
-      - "bubblewrap"
-    state: present
-    update_cache: yes
-
-- name: Download OPAM bin
-  get_url:
-    url: "{{ opam_bin_url }}"
-    dest: /usr/local/bin/opam
-    mode: "u=rwx,g=rx,o=rx"
-    timeout: 10
-  retries: 5
-
-- name: Init OPAM
-  shell: |
-    if [[ -f /.dockerenv ]]; then
-        # Disable sandboxing inside Docker environment, otherwise opam will
-        # error out when installing ocamlformat package.
-        DISABLE_SANDBOXING="--disable-sandboxing"
-    fi
-    opam init --no-setup --root={{ opam_root }} $DISABLE_SANDBOXING
-  args:
-    executable: /bin/bash
-  retries: 10
-  delay: 5
-  register: result
-  until: result.rc == 0
-
-- name: Create OPAM profile file with the environment variables
-  blockinfile:
-    dest: /etc/profile.d/opam-env.sh
-    create: yes
-    block: |
-      export PATH="{{ opam_root }}/default/bin:{{ ansible_env.PATH }}"
-      export OPAMROOT="{{ opam_root }}"
-      export OPAM_SWITCH_PREFIX="{{ opam_root }}/default"
-      export CAML_LD_LIBRARY_PATH="{{ opam_root }}/default/lib/stublibs"
-      export OCAML_TOPLEVEL_PATH="{{ opam_root }}/default/lib/toplevel"
-      export MANPATH="{{ opam_root }}/default/man"
-
-- name: Install ocamlformat via OPAM
-  shell: "source /etc/profile && opam install ocamlformat -y"
-  args:
-    executable: /bin/bash
-  retries: 10
-  delay: 5
-  register: result
-  until: result.rc == 0
-
-- name: Create symbolic link for ocamlformat into /usr/local/bin
-  file:
-    src: "{{ opam_root }}/default/bin/ocamlformat"
-    dest: "/usr/local/bin/ocamlformat"
-    force: yes
-    state: link
diff --git a/scripts/ansible/roles/linux/openenclave/tasks/validation.yml b/scripts/ansible/roles/linux/openenclave/tasks/validation.yml
index c3f425d889..af21deceb6 100644
--- a/scripts/ansible/roles/linux/openenclave/tasks/validation.yml
+++ b/scripts/ansible/roles/linux/openenclave/tasks/validation.yml
@@ -37,9 +37,9 @@
   register: clang_check_version
   failed_when: clang_check_version.stdout.find(clang_target_version) == -1
 
-- name: Ocaml version check
-  shell: "ocaml -version"
+- name: Esy version check
+  shell: "esy --version"
   args:
     executable: /bin/bash
-  register: ocaml_check_version
-  failed_when: ocaml_check_version.stdout.find(ocaml_version) == -1
+  register: esy_check_version
+  failed_when: esy_check_version.stdout.find(esy_target_version) == -1
diff --git a/scripts/ansible/roles/linux/openenclave/vars/ubuntu.yml b/scripts/ansible/roles/linux/openenclave/vars/ubuntu.yml
index 9110aca36c..d29823f9a5 100644
--- a/scripts/ansible/roles/linux/openenclave/vars/ubuntu.yml
+++ b/scripts/ansible/roles/linux/openenclave/vars/ubuntu.yml
@@ -2,31 +2,10 @@
 # Licensed under the MIT License.
 
 ---
-opam_bin_url: "https://github.com/ocaml/opam/releases/download/2.0.4/opam-2.0.4-x86_64-linux"
-opam_root: "/usr/local/opam"
-ocaml_version: "4.05.0"
 cmake_target_version: "3.13.1"
 clang_target_version: "7.1.0"
-
-ocaml_packages:
-  ocaml_base_nox:
-    url: "https://oejenkins.blob.core.windows.net/oejenkins/ocaml/ocaml-base-nox_amd64.deb"
-    local_path: "/tmp/ocaml-base-nox_amd64.deb"
-  ocaml_base:
-    url: "https://oejenkins.blob.core.windows.net/oejenkins/ocaml/ocaml-base_amd64.deb"
-    local_path: "/tmp/ocaml-base_amd64.deb"
-  ocaml_compiler_libs:
-    url: "https://oejenkins.blob.core.windows.net/oejenkins/ocaml/ocaml-compiler-libs_amd64.deb"
-    local_path: "/tmp/ocaml-compiler-libs_amd64.deb"
-  ocaml_interp:
-    url: "https://oejenkins.blob.core.windows.net/oejenkins/ocaml/ocaml-interp_amd64.deb"
-    local_path: "/tmp/ocaml-interp_amd64.deb"
-  ocaml_nox:
-    url: "https://oejenkins.blob.core.windows.net/oejenkins/ocaml/ocaml-nox_amd64.deb"
-    local_path: "/tmp/ocaml-nox_amd64.deb"
-  ocaml:
-    url: "https://oejenkins.blob.core.windows.net/oejenkins/ocaml/ocaml_amd64.deb"
-    local_path: "/tmp/ocaml_amd64.deb"
+esy_target_version: "0.5.8"
+esy_prefix: "/usr/local/lib/esy"
 
 apt_packages:
   - "curl"
@@ -65,7 +44,6 @@ apt_arm_packages:
   - "sshpass"
 
 validation_directories:
-  - "/usr/local/opam"
   - "/usr/share/libtool"
 
 validation_files:
@@ -77,6 +55,7 @@ validation_binaries:
   - "/usr/local/bin/ccmake"
   - "/usr/local/bin/cpack"
   - "/usr/local/bin/ctest"
+  - "/usr/local/bin/esy"
   - "/usr/bin/dot"
   - "/usr/bin/gcc"
   - "/usr/bin/g++"
@@ -84,7 +63,6 @@ validation_binaries:
   - "/usr/bin/autoconf"
   - "/usr/bin/libtoolize"
   - "/usr/bin/doxygen"
-  - "/usr/bin/ocaml"
   - "/usr/bin/openssl"
   - "/usr/bin/pkg-config"
   - "/usr/bin/clang-7"
diff --git a/scripts/ansible/roles/windows/openenclave/tasks/validation.yml b/scripts/ansible/roles/windows/openenclave/tasks/validation.yml
index 15b5c572cf..6331cf7a94 100644
--- a/scripts/ansible/roles/windows/openenclave/tasks/validation.yml
+++ b/scripts/ansible/roles/windows/openenclave/tasks/validation.yml
@@ -33,8 +33,3 @@
   raw: "clang --version"
   register: clang_check_version
   failed_when: clang_check_version.stdout.find(clang_target_version) == -1
-
-- name: Ocaml version check
-  raw: "ocaml -version"
-  register: ocaml_check_version
-  failed_when: ocaml_check_version.stdout.find(ocaml_target_version) == -1
diff --git a/scripts/ansible/roles/windows/openenclave/vars/windows.yml b/scripts/ansible/roles/windows/openenclave/vars/windows.yml
index 86b3fc355a..772b9df88a 100644
--- a/scripts/ansible/roles/windows/openenclave/vars/windows.yml
+++ b/scripts/ansible/roles/windows/openenclave/vars/windows.yml
@@ -5,11 +5,10 @@
 cmake_target_version: 3.12.18081601
 ninja_target_version: 1.8.2
 clang_target_version: 7.0.1
-ocaml_target_version: 4.02.1
 
 validation_directories:
   - "C:\\Program Files\\7-Zip"
-  - "C:\\Program Files\\OCaml\\bin"
+  - "C:\\Program Files\\nodejs"
   - "C:\\Program Files\\LLVM\\bin"
   - "C:\\Program Files\\Git\\bin"
   - "C:\\Program Files\\Git\\mingw64\\bin"
@@ -19,13 +18,13 @@ validation_directories:
 
 validation_files:
   - "C:\\Program Files\\LLVM\\lib\\libclang.lib"
-  - "C:\\Program Files\\OCaml\\lib\\arg.cmi"
+  - "C:\\Program Files\\nodejs\\npm.cmd"
   - "C:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\BuildTools\\VC\\Tools\\MSVC\\14.16.27023\\lib\\x64\\vcomp.lib"
 
 validation_binaries:
   - "C:\\Program Files\\LLVM\\bin\\clang.exe"
   - "C:\\Program Files\\LLVM\\bin\\llvm-ar.exe"
-  - "C:\\Program Files\\OCaml\\bin\\ocaml.exe"
+  - "C:\\Program Files\\nodejs\\node.exe"
   - "C:\\Program Files\\shellcheck\\shellcheck.exe"
   - "C:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\BuildTools\\VC\\Tools\\MSVC\\14.16.27023\\bin\\Hostx64\\x64\\cl.exe"
   - "C:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\BuildTools\\VC\\Tools\\MSVC\\14.16.27023\\bin\\Hostx64\\x64\\link.exe"

From 3cfaeff5a4adfbfbe268014921ee450d29893252 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Fri, 4 Oct 2019 23:04:09 +0000
Subject: [PATCH 252/420] Update Windows prereqs script to install esy via npm

---
 scripts/ansible/oe-windows-acc-setup.yml |  8 ++---
 scripts/install-windows-prereqs.ps1      | 37 ++++++++++++------------
 2 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/scripts/ansible/oe-windows-acc-setup.yml b/scripts/ansible/oe-windows-acc-setup.yml
index 05008bcd50..58f4b92539 100644
--- a/scripts/ansible/oe-windows-acc-setup.yml
+++ b/scripts/ansible/oe-windows-acc-setup.yml
@@ -18,8 +18,8 @@
         seven_zip_hash:      "F00E1588ED54DDF633D8652EB89D0A8F95BD80CCCFC3EED362D81927BEC05AA5"
         vs_buildtools:       "https://oejenkins.blob.core.windows.net/oejenkins/vs_buildtools_2017.exe"
         vs_buildtools_hash:  "6F49872B04A0EAEDF5ED96AB25F7697062D81A419D45D9970E41784F31165BF2"
-        ocaml_url:           "https://oejenkins.blob.core.windows.net/oejenkins/ocpwin64-20160113-4.02.1+ocp1-mingw64.zip"
-        ocaml_hash:          "369F900F7CDA543ABF674520ED6004CC75008E10BEED0D34845E8A42866D0F3A"
+        node_url:            "https://nodejs.org/dist/v10.16.3/node-v10.16.3-x64.msi"
+        node_hash:           "f68b75eea46232adb8fd38126c977dc244166d29e7c6cd2df930b460c38590a9"
         clang7_url:          "https://oejenkins.blob.core.windows.net/oejenkins/LLVM-7.0.1-win64.exe"
         clang7_hash:         "672E4C420D6543A8A9F8EC5F1E5F283D88AC2155EF4C57232A399160A02BFF57"
         shellcheck_url:      "https://oejenkins.blob.core.windows.net/oejenkins/shellcheck-v0.7.0.zip"
@@ -46,8 +46,8 @@
         -SevenZipHash        "{{ seven_zip_hash }}"
         -VSBuildToolsURL     "{{ vs_buildtools }}"
         -VSBuildToolsHash    "{{ vs_buildtools_hash }}"
-        -OCamlURL            "{{ ocaml_url }}"
-        -OCamlHash           "{{ ocaml_hash }}"
+        -NodeURL             "{{ node_url }}"
+        -NodeHash            "{{ node_hash }}"
         -Clang7URL           "{{ clang7_url }}"
         -Clang7Hash          "{{ clang7_hash }}"
         -ShellCheckURL       "{{ shellcheck_url }}"
diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index 3864e24d8d..08443d8555 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -12,8 +12,8 @@ Param(
     # We skip the hash check for the vs_buildtools.exe file because it is regularly updated without a change to the URL, unfortunately.
     [string]$VSBuildToolsURL = 'https://aka.ms/vs/15/release/vs_buildtools.exe',
     [string]$VSBuildToolsHash = '',
-    [string]$OCamlURL = 'https://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/20160113/ocpwin64-20160113-4.02.1+ocp1-mingw64.zip',
-    [string]$OCamlHash = '369F900F7CDA543ABF674520ED6004CC75008E10BEED0D34845E8A42866D0F3A',
+    [string]$NodeURL = 'https://nodejs.org/dist/v10.16.3/node-v10.16.3-x64.msi',
+    [string]$NodeHash = 'F68B75EEA46232ADB8FD38126C977DC244166D29E7C6CD2DF930B460C38590A9',
     [string]$Clang7URL = 'http://releases.llvm.org/7.0.1/LLVM-7.0.1-win64.exe',
     [string]$Clang7Hash = '672E4C420D6543A8A9F8EC5F1E5F283D88AC2155EF4C57232A399160A02BFF57',
     [string]$IntelPSWURL = 'http://registrationcenter-download.intel.com/akdlm/irc_nas/15929/Intel%20SGX%20PSW%20for%20Windows%20v2.5.100.2.exe',
@@ -58,10 +58,10 @@ $PACKAGES = @{
         "hash" = $VSBuildToolsHash
         "local_file" = Join-Path $PACKAGES_DIRECTORY "vs_buildtools.exe"
     }
-    "ocaml" = @{
-        "url" = $OCamlURL
-        "hash" = $OCamlHash
-        "local_file" = Join-Path $PACKAGES_DIRECTORY "ocpwin64.zip"
+    "node" = @{
+        "url" = $NodeURL
+        "hash" = $NodeHash
+        "local_file" = Join-Path $PACKAGES_DIRECTORY "node-x64.msi"
     }
     "clang7" = @{
         "url" = $Clang7URL
@@ -417,17 +417,18 @@ function Install-VisualStudio {
                                    "${env:ProgramFiles(x86)}\Microsoft Visual Studio\2017\BuildTools\Common7\Tools")
 }
 
-function Install-OCaml {
-    $installDir = Join-Path $env:ProgramFiles "OCaml"
-    $tmpDir = Join-Path $PACKAGES_DIRECTORY "ocpwin64"
-    if(Test-Path -Path $tmpDir) {
-        Remove-Item -Recurse -Force -Path $tmpDir
-    }
-    Install-ZipTool -ZipPath $PACKAGES["ocaml"]["local_file"] `
-                    -InstallDirectory $tmpDir `
-                    -EnvironmentPath @("$installDir\bin")
-    New-Directory -Path $installDir -RemoveExisting
-    Move-Item -Path "$tmpDir\*\*" -Destination $installDir
+function Install-Node {
+    $installDir = Join-Path $env:ProgramFiles "nodejs"
+    Install-Tool -InstallerPath $PACKAGES["node"]["local_file"] `
+                 -InstallDirectory $installDir `
+                 -ArgumentList @("/quiet", "/passive") `
+                 -EnvironmentPath @($installDir)
+
+    Add-ToSystemPath -Path "${env:APPDATA}\npm"
+
+    Start-ExecuteWithRetry -ScriptBlock {
+        npm install -g esy@0.5.8
+    } -RetryMessage "Failed to install esy. Retrying"
 }
 
 function Install-LLVM {
@@ -645,7 +646,7 @@ try {
     Install-OpenSSL
     Install-LLVM
     Install-Git
-    Install-OCaml
+    Install-Node
     Install-Shellcheck
 
     if ($LaunchConfiguration -ne "SGX1FLC-NoDriver")

From 21a06fe66c5ddd938587e72783ef57ed9ba430bc Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Fri, 1 Nov 2019 18:59:38 +0000
Subject: [PATCH 253/420] Remove ocamlformat

This is temporary until the package is fixed not to contain broken
symlinks, which causes the installation to crash on Windows.
---
 tools/oeedger8r/esy.lock/index.json           | 701 +-----------------
 .../esy.lock/opam/astring.0.8.3/opam          |  38 -
 .../esy.lock/opam/base-bytes.base/opam        |   9 -
 .../oeedger8r/esy.lock/opam/base.v0.12.2/opam |  39 -
 .../esy.lock/opam/bisect_ppx.1.4.1/opam       |  49 --
 .../esy.lock/opam/cmdliner.1.0.4/opam         |  36 -
 .../opam/dune-configurator.1.0.0/opam         |   9 -
 .../opam/{dune.1.11.3 => dune.1.11.4}/opam    |   6 +-
 .../oeedger8r/esy.lock/opam/fpath.0.7.2/opam  |  34 -
 .../opam/ocaml-migrate-parsetree.1.4.0/opam   |  37 -
 .../esy.lock/opam/ocamlbuild.0.14.0/opam      |  36 -
 .../esy.lock/opam/ocamlformat.0.11.0/opam     |  35 -
 tools/oeedger8r/esy.lock/opam/odoc.1.4.2/opam |  45 --
 .../esy.lock/opam/ppx_derivers.1.2.1/opam     |  23 -
 .../opam/ppx_tools_versioned.5.2.3/opam       |  30 -
 tools/oeedger8r/esy.lock/opam/re.1.9.0/opam   |  42 --
 tools/oeedger8r/esy.lock/opam/result.1.4/opam |  22 -
 tools/oeedger8r/esy.lock/opam/seq.0.2/opam    |  22 -
 .../esy.lock/opam/sexplib0.v0.12.0/opam       |  26 -
 .../esy.lock/opam/stdio.v0.12.0/opam          |  27 -
 .../oeedger8r/esy.lock/opam/topkg.1.0.1/opam  |  48 --
 .../oeedger8r/esy.lock/opam/tyxml.4.3.0/opam  |  45 --
 .../oeedger8r/esy.lock/opam/uchar.0.0.2/opam  |  36 -
 .../oeedger8r/esy.lock/opam/uucp.12.0.0/opam  |  47 --
 .../oeedger8r/esy.lock/opam/uuseg.12.0.0/opam |  50 --
 tools/oeedger8r/esy.lock/opam/uutf.1.0.2/opam |  40 -
 .../package.json                              |   0
 .../files/ocamlbuild-0.14.0.patch             | 463 ------------
 .../package.json                              |  27 -
 tools/oeedger8r/package.json                  |   1 -
 30 files changed, 24 insertions(+), 1999 deletions(-)
 delete mode 100644 tools/oeedger8r/esy.lock/opam/astring.0.8.3/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/base-bytes.base/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/base.v0.12.2/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/bisect_ppx.1.4.1/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/cmdliner.1.0.4/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/dune-configurator.1.0.0/opam
 rename tools/oeedger8r/esy.lock/opam/{dune.1.11.3 => dune.1.11.4}/opam (84%)
 delete mode 100644 tools/oeedger8r/esy.lock/opam/fpath.0.7.2/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/ocaml-migrate-parsetree.1.4.0/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/ocamlbuild.0.14.0/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/ocamlformat.0.11.0/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/odoc.1.4.2/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/ppx_derivers.1.2.1/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/ppx_tools_versioned.5.2.3/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/re.1.9.0/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/result.1.4/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/seq.0.2/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/sexplib0.v0.12.0/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/stdio.v0.12.0/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/topkg.1.0.1/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/tyxml.4.3.0/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/uchar.0.0.2/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/uucp.12.0.0/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/uuseg.12.0.0/opam
 delete mode 100644 tools/oeedger8r/esy.lock/opam/uutf.1.0.2/opam
 rename tools/oeedger8r/esy.lock/overrides/{opam__s__dune_opam__c__1.11.3_opam_override => opam__s__dune_opam__c__1.11.4_opam_override}/package.json (100%)
 delete mode 100644 tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/files/ocamlbuild-0.14.0.patch
 delete mode 100644 tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/package.json

diff --git a/tools/oeedger8r/esy.lock/index.json b/tools/oeedger8r/esy.lock/index.json
index fd00bed78d..5d68bd3049 100644
--- a/tools/oeedger8r/esy.lock/index.json
+++ b/tools/oeedger8r/esy.lock/index.json
@@ -1,5 +1,5 @@
 {
-  "checksum": "cb1294e574fb741d496c675c4b390f6f",
+  "checksum": "0a2a797cb1224fa13b432553c91f6ab5",
   "root": "oeedger8r@link-dev:./package.json",
   "node": {
     "oeedger8r@link-dev:./package.json": {
@@ -13,12 +13,9 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55"
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
       ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlformat@opam:0.11.0@ec74e6e8",
-        "@opam/merlin@opam:3.3.2@7a364181"
-      ]
+      "devDependencies": [ "@opam/merlin@opam:3.3.2@7a364181" ]
     },
     "ocaml@4.6.1000@d41d8cd9": {
       "id": "ocaml@4.6.1000@d41d8cd9",
@@ -53,432 +50,13 @@
       "overrides": [],
       "dependencies": [
         "ocaml@4.6.1000@d41d8cd9", "@opam/easy-format@opam:1.3.2@0484b3c4",
-        "@opam/dune@opam:1.11.3@9894df55", "@opam/cppo@opam:1.6.6@f4f83858",
+        "@opam/dune@opam:1.11.4@21d66ccd", "@opam/cppo@opam:1.6.6@f4f83858",
         "@opam/biniou@opam:1.2.1@d7570399",
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
         "ocaml@4.6.1000@d41d8cd9", "@opam/easy-format@opam:1.3.2@0484b3c4",
-        "@opam/dune@opam:1.11.3@9894df55", "@opam/biniou@opam:1.2.1@d7570399"
-      ]
-    },
-    "@opam/uutf@opam:1.0.2@4440868f": {
-      "id": "@opam/uutf@opam:1.0.2@4440868f",
-      "name": "@opam/uutf",
-      "version": "opam:1.0.2",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/a7/a7c542405a39630c689a82bd7ef2292c#md5:a7c542405a39630c689a82bd7ef2292c",
-          "archive:http://erratique.ch/software/uutf/releases/uutf-1.0.2.tbz#md5:a7c542405a39630c689a82bd7ef2292c"
-        ],
-        "opam": {
-          "name": "uutf",
-          "version": "1.0.2",
-          "path": "esy.lock/opam/uutf.1.0.2"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uchar@opam:0.0.2@c8218eea",
-        "@opam/topkg@opam:1.0.1@a42c631e",
-        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
-        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
-        "@opam/cmdliner@opam:1.0.4@93208aac",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uchar@opam:0.0.2@c8218eea"
-      ]
-    },
-    "@opam/uuseg@opam:12.0.0@bf82c4c7": {
-      "id": "@opam/uuseg@opam:12.0.0@bf82c4c7",
-      "name": "@opam/uuseg",
-      "version": "opam:12.0.0",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/1d/1d4487ddf5154e3477e55021b978d58a#md5:1d4487ddf5154e3477e55021b978d58a",
-          "archive:https://erratique.ch/software/uuseg/releases/uuseg-12.0.0.tbz#md5:1d4487ddf5154e3477e55021b978d58a"
-        ],
-        "opam": {
-          "name": "uuseg",
-          "version": "12.0.0",
-          "path": "esy.lock/opam/uuseg.12.0.0"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
-        "@opam/uucp@opam:12.0.0@b7d4c3df", "@opam/uchar@opam:0.0.2@c8218eea",
-        "@opam/topkg@opam:1.0.1@a42c631e",
-        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
-        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
-        "@opam/cmdliner@opam:1.0.4@93208aac",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uucp@opam:12.0.0@b7d4c3df",
-        "@opam/uchar@opam:0.0.2@c8218eea"
-      ]
-    },
-    "@opam/uucp@opam:12.0.0@b7d4c3df": {
-      "id": "@opam/uucp@opam:12.0.0@b7d4c3df",
-      "name": "@opam/uucp",
-      "version": "opam:12.0.0",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/cf/cf210ed43375b7f882c0540874e2cb81#md5:cf210ed43375b7f882c0540874e2cb81",
-          "archive:https://erratique.ch/software/uucp/releases/uucp-12.0.0.tbz#md5:cf210ed43375b7f882c0540874e2cb81"
-        ],
-        "opam": {
-          "name": "uucp",
-          "version": "12.0.0",
-          "path": "esy.lock/opam/uucp.12.0.0"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
-        "@opam/uchar@opam:0.0.2@c8218eea", "@opam/topkg@opam:1.0.1@a42c631e",
-        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
-        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
-        "@opam/cmdliner@opam:1.0.4@93208aac",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uchar@opam:0.0.2@c8218eea"
-      ]
-    },
-    "@opam/uchar@opam:0.0.2@c8218eea": {
-      "id": "@opam/uchar@opam:0.0.2@c8218eea",
-      "name": "@opam/uchar",
-      "version": "opam:0.0.2",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/c9/c9ba2c738d264c420c642f7bb1cf4a36#md5:c9ba2c738d264c420c642f7bb1cf4a36",
-          "archive:https://github.com/ocaml/uchar/releases/download/v0.0.2/uchar-0.0.2.tbz#md5:c9ba2c738d264c420c642f7bb1cf4a36"
-        ],
-        "opam": {
-          "name": "uchar",
-          "version": "0.0.2",
-          "path": "esy.lock/opam/uchar.0.0.2"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [ "ocaml@4.6.1000@d41d8cd9" ]
-    },
-    "@opam/tyxml@opam:4.3.0@c1da25f1": {
-      "id": "@opam/tyxml@opam:4.3.0@c1da25f1",
-      "name": "@opam/tyxml",
-      "version": "opam:4.3.0",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/fd/fd834a567f813bf447cab5f4c3a723e2#md5:fd834a567f813bf447cab5f4c3a723e2",
-          "archive:https://github.com/ocsigen/tyxml/releases/download/4.3.0/tyxml-4.3.0.tbz#md5:fd834a567f813bf447cab5f4c3a723e2"
-        ],
-        "opam": {
-          "name": "tyxml",
-          "version": "4.3.0",
-          "path": "esy.lock/opam/tyxml.4.3.0"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
-        "@opam/seq@opam:0.2@35c16df8", "@opam/re@opam:1.9.0@d4d5e13d",
-        "@opam/dune@opam:1.11.3@9894df55", "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
-        "@opam/seq@opam:0.2@35c16df8", "@opam/re@opam:1.9.0@d4d5e13d",
-        "@opam/dune@opam:1.11.3@9894df55"
-      ]
-    },
-    "@opam/topkg@opam:1.0.1@a42c631e": {
-      "id": "@opam/topkg@opam:1.0.1@a42c631e",
-      "name": "@opam/topkg",
-      "version": "opam:1.0.1",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/16/16b90e066d8972a5ef59655e7c28b3e9#md5:16b90e066d8972a5ef59655e7c28b3e9",
-          "archive:http://erratique.ch/software/topkg/releases/topkg-1.0.1.tbz#md5:16b90e066d8972a5ef59655e7c28b3e9"
-        ],
-        "opam": {
-          "name": "topkg",
-          "version": "1.0.1",
-          "path": "esy.lock/opam/topkg.1.0.1"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
-        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlbuild@opam:0.14.0@6ac75d03"
-      ]
-    },
-    "@opam/stdio@opam:v0.12.0@04b3b004": {
-      "id": "@opam/stdio@opam:v0.12.0@04b3b004",
-      "name": "@opam/stdio",
-      "version": "opam:v0.12.0",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/b2/b261ff2d5667fde960c95e50cff668da#md5:b261ff2d5667fde960c95e50cff668da",
-          "archive:https://ocaml.janestreet.com/ocaml-core/v0.12/files/stdio-v0.12.0.tar.gz#md5:b261ff2d5667fde960c95e50cff668da"
-        ],
-        "opam": {
-          "name": "stdio",
-          "version": "v0.12.0",
-          "path": "esy.lock/opam/stdio.v0.12.0"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
-        "@opam/base@opam:v0.12.2@d687150c",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
-        "@opam/base@opam:v0.12.2@d687150c"
-      ]
-    },
-    "@opam/sexplib0@opam:v0.12.0@e432406d": {
-      "id": "@opam/sexplib0@opam:v0.12.0@e432406d",
-      "name": "@opam/sexplib0",
-      "version": "opam:v0.12.0",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/24/2486a25d3a94da9a94acc018b5f09061#md5:2486a25d3a94da9a94acc018b5f09061",
-          "archive:https://ocaml.janestreet.com/ocaml-core/v0.12/files/sexplib0-v0.12.0.tar.gz#md5:2486a25d3a94da9a94acc018b5f09061"
-        ],
-        "opam": {
-          "name": "sexplib0",
-          "version": "v0.12.0",
-          "path": "esy.lock/opam/sexplib0.v0.12.0"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55"
-      ]
-    },
-    "@opam/seq@opam:0.2@35c16df8": {
-      "id": "@opam/seq@opam:0.2@35c16df8",
-      "name": "@opam/seq",
-      "version": "opam:0.2",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/1d/1d5a9d0aba27b22433f518cdc495d0fd#md5:1d5a9d0aba27b22433f518cdc495d0fd",
-          "archive:https://github.com/c-cube/seq/archive/0.2.tar.gz#md5:1d5a9d0aba27b22433f518cdc495d0fd"
-        ],
-        "opam": {
-          "name": "seq",
-          "version": "0.2",
-          "path": "esy.lock/opam/seq.0.2"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55"
-      ]
-    },
-    "@opam/result@opam:1.4@dc720aef": {
-      "id": "@opam/result@opam:1.4@dc720aef",
-      "name": "@opam/result",
-      "version": "opam:1.4",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/d3/d3162dbc501a2af65c8c71e0866541da#md5:d3162dbc501a2af65c8c71e0866541da",
-          "archive:https://github.com/janestreet/result/archive/1.4.tar.gz#md5:d3162dbc501a2af65c8c71e0866541da"
-        ],
-        "opam": {
-          "name": "result",
-          "version": "1.4",
-          "path": "esy.lock/opam/result.1.4"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55"
-      ]
-    },
-    "@opam/re@opam:1.9.0@d4d5e13d": {
-      "id": "@opam/re@opam:1.9.0@d4d5e13d",
-      "name": "@opam/re",
-      "version": "opam:1.9.0",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/bd/bddaed4f386a22cace7850c9c7dac296#md5:bddaed4f386a22cace7850c9c7dac296",
-          "archive:https://github.com/ocaml/ocaml-re/releases/download/1.9.0/re-1.9.0.tbz#md5:bddaed4f386a22cace7850c9c7dac296"
-        ],
-        "opam": {
-          "name": "re",
-          "version": "1.9.0",
-          "path": "esy.lock/opam/re.1.9.0"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/seq@opam:0.2@35c16df8",
-        "@opam/dune@opam:1.11.3@9894df55", "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/seq@opam:0.2@35c16df8",
-        "@opam/dune@opam:1.11.3@9894df55"
-      ]
-    },
-    "@opam/ppx_tools_versioned@opam:5.2.3@4994ec80": {
-      "id": "@opam/ppx_tools_versioned@opam:5.2.3@4994ec80",
-      "name": "@opam/ppx_tools_versioned",
-      "version": "opam:5.2.3",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/b1/b1455e5a4a1bcd9ddbfcf712ccbd4262#md5:b1455e5a4a1bcd9ddbfcf712ccbd4262",
-          "archive:https://github.com/ocaml-ppx/ppx_tools_versioned/archive/5.2.3.tar.gz#md5:b1455e5a4a1bcd9ddbfcf712ccbd4262"
-        ],
-        "opam": {
-          "name": "ppx_tools_versioned",
-          "version": "5.2.3",
-          "path": "esy.lock/opam/ppx_tools_versioned.5.2.3"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9",
-        "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
-        "@opam/dune@opam:1.11.3@9894df55", "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9",
-        "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
-        "@opam/dune@opam:1.11.3@9894df55"
-      ]
-    },
-    "@opam/ppx_derivers@opam:1.2.1@ecf0aa45": {
-      "id": "@opam/ppx_derivers@opam:1.2.1@ecf0aa45",
-      "name": "@opam/ppx_derivers",
-      "version": "opam:1.2.1",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/5d/5dc2bf130c1db3c731fe0fffc5648b41#md5:5dc2bf130c1db3c731fe0fffc5648b41",
-          "archive:https://github.com/ocaml-ppx/ppx_derivers/archive/1.2.1.tar.gz#md5:5dc2bf130c1db3c731fe0fffc5648b41"
-        ],
-        "opam": {
-          "name": "ppx_derivers",
-          "version": "1.2.1",
-          "path": "esy.lock/opam/ppx_derivers.1.2.1"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55"
-      ]
-    },
-    "@opam/odoc@opam:1.4.2@187ed639": {
-      "id": "@opam/odoc@opam:1.4.2@187ed639",
-      "name": "@opam/odoc",
-      "version": "opam:1.4.2",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/d7/d75ce63539040cd199d22203d46fc5f3#md5:d75ce63539040cd199d22203d46fc5f3",
-          "archive:https://github.com/ocaml/odoc/archive/1.4.2.tar.gz#md5:d75ce63539040cd199d22203d46fc5f3"
-        ],
-        "opam": {
-          "name": "odoc",
-          "version": "1.4.2",
-          "path": "esy.lock/opam/odoc.1.4.2"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/tyxml@opam:4.3.0@c1da25f1",
-        "@opam/result@opam:1.4@dc720aef", "@opam/fpath@opam:0.7.2@45477b93",
-        "@opam/dune@opam:1.11.3@9894df55", "@opam/cppo@opam:1.6.6@f4f83858",
-        "@opam/cmdliner@opam:1.0.4@93208aac",
-        "@opam/astring@opam:0.8.3@4e5e17d5",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55"
-      ]
-    },
-    "@opam/ocamlformat@opam:0.11.0@ec74e6e8": {
-      "id": "@opam/ocamlformat@opam:0.11.0@ec74e6e8",
-      "name": "@opam/ocamlformat",
-      "version": "opam:0.11.0",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/e4/e45a7f2090ad609b9ec1d4391922365e#md5:e45a7f2090ad609b9ec1d4391922365e",
-          "archive:https://github.com/ocaml-ppx/ocamlformat/archive/0.11.0.tar.gz#md5:e45a7f2090ad609b9ec1d4391922365e"
-        ],
-        "opam": {
-          "name": "ocamlformat",
-          "version": "0.11.0",
-          "path": "esy.lock/opam/ocamlformat.0.11.0"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
-        "@opam/uuseg@opam:12.0.0@bf82c4c7",
-        "@opam/stdio@opam:v0.12.0@04b3b004", "@opam/re@opam:1.9.0@d4d5e13d",
-        "@opam/odoc@opam:1.4.2@187ed639",
-        "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
-        "@opam/fpath@opam:0.7.2@45477b93", "@opam/dune@opam:1.11.3@9894df55",
-        "@opam/cmdliner@opam:1.0.4@93208aac",
-        "@opam/bisect_ppx@opam:1.4.1@e75b441f",
-        "@opam/base-unix@opam:base@87d0b2eb",
-        "@opam/base@opam:v0.12.2@d687150c",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
-        "@opam/uuseg@opam:12.0.0@bf82c4c7",
-        "@opam/stdio@opam:v0.12.0@04b3b004", "@opam/re@opam:1.9.0@d4d5e13d",
-        "@opam/odoc@opam:1.4.2@187ed639",
-        "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
-        "@opam/fpath@opam:0.7.2@45477b93", "@opam/dune@opam:1.11.3@9894df55",
-        "@opam/cmdliner@opam:1.0.4@93208aac",
-        "@opam/bisect_ppx@opam:1.4.1@e75b441f",
-        "@opam/base-unix@opam:base@87d0b2eb",
-        "@opam/base@opam:v0.12.2@d687150c"
+        "@opam/dune@opam:1.11.4@21d66ccd", "@opam/biniou@opam:1.2.1@d7570399"
       ]
     },
     "@opam/ocamlfind@opam:1.8.1@ff07b0f9": {
@@ -510,61 +88,6 @@
       ],
       "devDependencies": [ "ocaml@4.6.1000@d41d8cd9" ]
     },
-    "@opam/ocamlbuild@opam:0.14.0@6ac75d03": {
-      "id": "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
-      "name": "@opam/ocamlbuild",
-      "version": "opam:0.14.0",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/sha256/87/87b29ce96958096c0a1a8eeafeb6268077b2d11e1bf2b3de0f5ebc9cf8d42e78#sha256:87b29ce96958096c0a1a8eeafeb6268077b2d11e1bf2b3de0f5ebc9cf8d42e78",
-          "archive:https://github.com/ocaml/ocamlbuild/archive/0.14.0.tar.gz#sha256:87b29ce96958096c0a1a8eeafeb6268077b2d11e1bf2b3de0f5ebc9cf8d42e78"
-        ],
-        "opam": {
-          "name": "ocamlbuild",
-          "version": "0.14.0",
-          "path": "esy.lock/opam/ocamlbuild.0.14.0"
-        }
-      },
-      "overrides": [
-        {
-          "opamoverride":
-            "esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override"
-        }
-      ],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [ "ocaml@4.6.1000@d41d8cd9" ]
-    },
-    "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d": {
-      "id": "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
-      "name": "@opam/ocaml-migrate-parsetree",
-      "version": "opam:1.4.0",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/sha256/23/231fbdc205187b3ee266b535d9cfe44b599067b2f6e97883c782ea7bb577d3b8#sha256:231fbdc205187b3ee266b535d9cfe44b599067b2f6e97883c782ea7bb577d3b8",
-          "archive:https://github.com/ocaml-ppx/ocaml-migrate-parsetree/releases/download/v1.4.0/ocaml-migrate-parsetree-v1.4.0.tbz#sha256:231fbdc205187b3ee266b535d9cfe44b599067b2f6e97883c782ea7bb577d3b8"
-        ],
-        "opam": {
-          "name": "ocaml-migrate-parsetree",
-          "version": "1.4.0",
-          "path": "esy.lock/opam/ocaml-migrate-parsetree.1.4.0"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/result@opam:1.4@dc720aef",
-        "@opam/ppx_derivers@opam:1.2.1@ecf0aa45",
-        "@opam/dune@opam:1.11.3@9894df55", "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/result@opam:1.4@dc720aef",
-        "@opam/ppx_derivers@opam:1.2.1@ecf0aa45",
-        "@opam/dune@opam:1.11.3@9894df55"
-      ]
-    },
     "@opam/merlin@opam:3.3.2@7a364181": {
       "id": "@opam/merlin@opam:3.3.2@7a364181",
       "name": "@opam/merlin",
@@ -585,42 +108,12 @@
       "dependencies": [
         "ocaml@4.6.1000@d41d8cd9", "@opam/yojson@opam:1.7.0@7056d985",
         "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
-        "@opam/dune@opam:1.11.3@9894df55", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+        "@opam/dune@opam:1.11.4@21d66ccd", "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
         "ocaml@4.6.1000@d41d8cd9", "@opam/yojson@opam:1.7.0@7056d985",
         "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
-        "@opam/dune@opam:1.11.3@9894df55"
-      ]
-    },
-    "@opam/fpath@opam:0.7.2@45477b93": {
-      "id": "@opam/fpath@opam:0.7.2@45477b93",
-      "name": "@opam/fpath",
-      "version": "opam:0.7.2",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/52/52c7ecb0bf180088336f3c645875fa41#md5:52c7ecb0bf180088336f3c645875fa41",
-          "archive:http://erratique.ch/software/fpath/releases/fpath-0.7.2.tbz#md5:52c7ecb0bf180088336f3c645875fa41"
-        ],
-        "opam": {
-          "name": "fpath",
-          "version": "0.7.2",
-          "path": "esy.lock/opam/fpath.0.7.2"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/topkg@opam:1.0.1@a42c631e",
-        "@opam/result@opam:1.4@dc720aef",
-        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
-        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
-        "@opam/astring@opam:0.8.3@4e5e17d5",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/result@opam:1.4@dc720aef",
-        "@opam/astring@opam:0.8.3@4e5e17d5"
+        "@opam/dune@opam:1.11.4@21d66ccd"
       ]
     },
     "@opam/easy-format@opam:1.3.2@0484b3c4": {
@@ -641,52 +134,33 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55"
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
       ]
     },
-    "@opam/dune-configurator@opam:1.0.0@4873acd8": {
-      "id": "@opam/dune-configurator@opam:1.0.0@4873acd8",
-      "name": "@opam/dune-configurator",
-      "version": "opam:1.0.0",
-      "source": {
-        "type": "install",
-        "source": [ "no-source:" ],
-        "opam": {
-          "name": "dune-configurator",
-          "version": "1.0.0",
-          "path": "esy.lock/opam/dune-configurator.1.0.0"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "@opam/dune@opam:1.11.3@9894df55", "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [ "@opam/dune@opam:1.11.3@9894df55" ]
-    },
-    "@opam/dune@opam:1.11.3@9894df55": {
-      "id": "@opam/dune@opam:1.11.3@9894df55",
+    "@opam/dune@opam:1.11.4@21d66ccd": {
+      "id": "@opam/dune@opam:1.11.4@21d66ccd",
       "name": "@opam/dune",
-      "version": "opam:1.11.3",
+      "version": "opam:1.11.4",
       "source": {
         "type": "install",
         "source": [
-          "archive:https://opam.ocaml.org/cache/sha256/c8/c83a63e7e8245611b0e11d6adea07c6484dc1b4efffacb176315cd6674d4bbd2#sha256:c83a63e7e8245611b0e11d6adea07c6484dc1b4efffacb176315cd6674d4bbd2",
-          "archive:https://github.com/ocaml/dune/releases/download/1.11.3/dune-build-info-1.11.3.tbz#sha256:c83a63e7e8245611b0e11d6adea07c6484dc1b4efffacb176315cd6674d4bbd2"
+          "archive:https://opam.ocaml.org/cache/sha256/77/77cb5f483221b266ded2b85fc84173ae0089a25134a086be922e82c131456ce6#sha256:77cb5f483221b266ded2b85fc84173ae0089a25134a086be922e82c131456ce6",
+          "archive:https://github.com/ocaml/dune/releases/download/1.11.4/dune-build-info-1.11.4.tbz#sha256:77cb5f483221b266ded2b85fc84173ae0089a25134a086be922e82c131456ce6"
         ],
         "opam": {
           "name": "dune",
-          "version": "1.11.3",
-          "path": "esy.lock/opam/dune.1.11.3"
+          "version": "1.11.4",
+          "path": "esy.lock/opam/dune.1.11.4"
         }
       },
       "overrides": [
         {
           "opamoverride":
-            "esy.lock/overrides/opam__s__dune_opam__c__1.11.3_opam_override"
+            "esy.lock/overrides/opam__s__dune_opam__c__1.11.4_opam_override"
         }
       ],
       "dependencies": [
@@ -717,12 +191,12 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
         "@opam/base-unix@opam:base@87d0b2eb",
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.3@9894df55",
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
         "@opam/base-unix@opam:base@87d0b2eb"
       ]
     },
@@ -743,61 +217,6 @@
       "dependencies": [ "@esy-ocaml/substs@0.0.1@d41d8cd9" ],
       "devDependencies": []
     },
-    "@opam/cmdliner@opam:1.0.4@93208aac": {
-      "id": "@opam/cmdliner@opam:1.0.4@93208aac",
-      "name": "@opam/cmdliner",
-      "version": "opam:1.0.4",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/fe/fe2213d0bc63b1e10a2d0aa66d2fc8d9#md5:fe2213d0bc63b1e10a2d0aa66d2fc8d9",
-          "archive:http://erratique.ch/software/cmdliner/releases/cmdliner-1.0.4.tbz#md5:fe2213d0bc63b1e10a2d0aa66d2fc8d9"
-        ],
-        "opam": {
-          "name": "cmdliner",
-          "version": "1.0.4",
-          "path": "esy.lock/opam/cmdliner.1.0.4"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [ "ocaml@4.6.1000@d41d8cd9" ]
-    },
-    "@opam/bisect_ppx@opam:1.4.1@e75b441f": {
-      "id": "@opam/bisect_ppx@opam:1.4.1@e75b441f",
-      "name": "@opam/bisect_ppx",
-      "version": "opam:1.4.1",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/05/05d514706646adc947ed21e7e69a1cf1#md5:05d514706646adc947ed21e7e69a1cf1",
-          "archive:https://github.com/aantron/bisect_ppx/archive/1.4.1.tar.gz#md5:05d514706646adc947ed21e7e69a1cf1"
-        ],
-        "opam": {
-          "name": "bisect_ppx",
-          "version": "1.4.1",
-          "path": "esy.lock/opam/bisect_ppx.1.4.1"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9",
-        "@opam/ppx_tools_versioned@opam:5.2.3@4994ec80",
-        "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
-        "@opam/dune@opam:1.11.3@9894df55",
-        "@opam/base-unix@opam:base@87d0b2eb",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9",
-        "@opam/ppx_tools_versioned@opam:5.2.3@4994ec80",
-        "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
-        "@opam/dune@opam:1.11.3@9894df55",
-        "@opam/base-unix@opam:base@87d0b2eb"
-      ]
-    },
     "@opam/biniou@opam:1.2.1@d7570399": {
       "id": "@opam/biniou@opam:1.2.1@d7570399",
       "name": "@opam/biniou",
@@ -817,11 +236,11 @@
       "overrides": [],
       "dependencies": [
         "ocaml@4.6.1000@d41d8cd9", "@opam/easy-format@opam:1.3.2@0484b3c4",
-        "@opam/dune@opam:1.11.3@9894df55", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+        "@opam/dune@opam:1.11.4@21d66ccd", "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
         "ocaml@4.6.1000@d41d8cd9", "@opam/easy-format@opam:1.3.2@0484b3c4",
-        "@opam/dune@opam:1.11.3@9894df55"
+        "@opam/dune@opam:1.11.4@21d66ccd"
       ]
     },
     "@opam/base-unix@opam:base@87d0b2eb": {
@@ -858,84 +277,6 @@
       "dependencies": [ "@esy-ocaml/substs@0.0.1@d41d8cd9" ],
       "devDependencies": []
     },
-    "@opam/base-bytes@opam:base@19d0c2ff": {
-      "id": "@opam/base-bytes@opam:base@19d0c2ff",
-      "name": "@opam/base-bytes",
-      "version": "opam:base",
-      "source": {
-        "type": "install",
-        "source": [ "no-source:" ],
-        "opam": {
-          "name": "base-bytes",
-          "version": "base",
-          "path": "esy.lock/opam/base-bytes.base"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlfind@opam:1.8.1@ff07b0f9"
-      ]
-    },
-    "@opam/base@opam:v0.12.2@d687150c": {
-      "id": "@opam/base@opam:v0.12.2@d687150c",
-      "name": "@opam/base",
-      "version": "opam:v0.12.2",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/71/7150e848a730369a2549d01645fb6c72#md5:7150e848a730369a2549d01645fb6c72",
-          "archive:https://github.com/janestreet/base/archive/v0.12.2.tar.gz#md5:7150e848a730369a2549d01645fb6c72"
-        ],
-        "opam": {
-          "name": "base",
-          "version": "v0.12.2",
-          "path": "esy.lock/opam/base.v0.12.2"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/sexplib0@opam:v0.12.0@e432406d",
-        "@opam/dune-configurator@opam:1.0.0@4873acd8",
-        "@opam/dune@opam:1.11.3@9894df55", "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/sexplib0@opam:v0.12.0@e432406d",
-        "@opam/dune-configurator@opam:1.0.0@4873acd8",
-        "@opam/dune@opam:1.11.3@9894df55"
-      ]
-    },
-    "@opam/astring@opam:0.8.3@4e5e17d5": {
-      "id": "@opam/astring@opam:0.8.3@4e5e17d5",
-      "name": "@opam/astring",
-      "version": "opam:0.8.3",
-      "source": {
-        "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/c5/c5bf6352b9ac27fbeab342740f4fa870#md5:c5bf6352b9ac27fbeab342740f4fa870",
-          "archive:http://erratique.ch/software/astring/releases/astring-0.8.3.tbz#md5:c5bf6352b9ac27fbeab342740f4fa870"
-        ],
-        "opam": {
-          "name": "astring",
-          "version": "0.8.3",
-          "path": "esy.lock/opam/astring.0.8.3"
-        }
-      },
-      "overrides": [],
-      "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/topkg@opam:1.0.1@a42c631e",
-        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
-        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
-        "@opam/base-bytes@opam:base@19d0c2ff",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
-      ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/base-bytes@opam:base@19d0c2ff"
-      ]
-    },
     "@esy-ocaml/substs@0.0.1@d41d8cd9": {
       "id": "@esy-ocaml/substs@0.0.1@d41d8cd9",
       "name": "@esy-ocaml/substs",
diff --git a/tools/oeedger8r/esy.lock/opam/astring.0.8.3/opam b/tools/oeedger8r/esy.lock/opam/astring.0.8.3/opam
deleted file mode 100644
index 578ba1fae2..0000000000
--- a/tools/oeedger8r/esy.lock/opam/astring.0.8.3/opam
+++ /dev/null
@@ -1,38 +0,0 @@
-opam-version: "2.0"
-maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
-authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
-homepage: "http://erratique.ch/software/astring"
-doc: "http://erratique.ch/software/astring/doc"
-dev-repo: "git+http://erratique.ch/repos/astring.git"
-bug-reports: "https://github.com/dbuenzli/astring/issues"
-tags: [ "string" "org:erratique" ]
-license: "ISC"
-depends: [
-  "ocaml" {>= "4.01.0"}
-  "ocamlfind" {build}
-  "ocamlbuild" {build}
-  "topkg" {build}
-  "base-bytes"
-]
-build: [[
-  "ocaml" "pkg/pkg.ml" "build"
-          "--pinned" "%{pinned}%" ]]
-synopsis: "Alternative String module for OCaml"
-description: """
-Astring exposes an alternative `String` module for OCaml. This module
-tries to balance minimality and expressiveness for basic, index-free,
-string processing and provides types and functions for substrings,
-string sets and string maps.
-
-Remaining compatible with the OCaml `String` module is a non-goal. The
-`String` module exposed by Astring has exception safe functions,
-removes deprecated and rarely used functions, alters some signatures
-and names, adds a few missing functions and fully exploits OCaml's
-newfound string immutability.
-
-Astring depends only on the OCaml standard library. It is distributed
-under the ISC license."""
-url {
-  src: "http://erratique.ch/software/astring/releases/astring-0.8.3.tbz"
-  checksum: "md5=c5bf6352b9ac27fbeab342740f4fa870"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/base-bytes.base/opam b/tools/oeedger8r/esy.lock/opam/base-bytes.base/opam
deleted file mode 100644
index f1cae506c6..0000000000
--- a/tools/oeedger8r/esy.lock/opam/base-bytes.base/opam
+++ /dev/null
@@ -1,9 +0,0 @@
-opam-version: "2.0"
-maintainer: " "
-authors: " "
-homepage: " "
-depends: [
-  "ocaml" {>= "4.02.0"}
-  "ocamlfind" {>= "1.5.3"}
-]
-synopsis: "Bytes library distributed with the OCaml compiler"
diff --git a/tools/oeedger8r/esy.lock/opam/base.v0.12.2/opam b/tools/oeedger8r/esy.lock/opam/base.v0.12.2/opam
deleted file mode 100644
index 861024cf57..0000000000
--- a/tools/oeedger8r/esy.lock/opam/base.v0.12.2/opam
+++ /dev/null
@@ -1,39 +0,0 @@
-opam-version: "2.0"
-maintainer: "opensource@janestreet.com"
-authors: ["Jane Street Group, LLC <opensource@janestreet.com>"]
-homepage: "https://github.com/janestreet/base"
-bug-reports: "https://github.com/janestreet/base/issues"
-dev-repo: "git+https://github.com/janestreet/base.git"
-doc: "https://ocaml.janestreet.com/ocaml-core/latest/doc/base/index.html"
-license: "MIT"
-build: [
-  ["dune" "build" "-p" name "-j" jobs]
-]
-depends: [
-  "ocaml"             {>= "4.04.2" & < "4.10.0"}
-  "sexplib0"          {>= "v0.12" & < "v0.13"}
-  "dune"              {>= "1.5.1"}
-  "dune-configurator"
-]
-depopts: [
-  "base-native-int63"
-]
-synopsis: "Full standard library replacement for OCaml"
-description: "
-Full standard library replacement for OCaml
-
-Base is a complete and portable alternative to the OCaml standard
-library. It provides all standard functionalities one would expect
-from a language standard library. It uses consistent conventions
-across all of its module.
-
-Base aims to be usable in any context. As a result system dependent
-features such as I/O are not offered by Base. They are instead
-provided by companion libraries such as stdio:
-
-  https://github.com/janestreet/stdio
-"
-url {
-  src: "https://github.com/janestreet/base/archive/v0.12.2.tar.gz"
-  checksum: "md5=7150e848a730369a2549d01645fb6c72"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/bisect_ppx.1.4.1/opam b/tools/oeedger8r/esy.lock/opam/bisect_ppx.1.4.1/opam
deleted file mode 100644
index f97b5f2768..0000000000
--- a/tools/oeedger8r/esy.lock/opam/bisect_ppx.1.4.1/opam
+++ /dev/null
@@ -1,49 +0,0 @@
-opam-version: "2.0"
-
-synopsis: "Code coverage for OCaml"
-license: "MPL-2.0"
-homepage: "https://github.com/aantron/bisect_ppx"
-doc: "https://github.com/aantron/bisect_ppx"
-bug-reports: "https://github.com/aantron/bisect_ppx/issues"
-
-dev-repo: "git+https://github.com/aantron/bisect_ppx.git"
-authors: [
-  "Xavier Clerc <bisect@x9c.fr>"
-  "Leonid Rozenberg <leonidr@gmail.com>"
-  "Anton Bachin <antonbachin@yahoo.com>"
-]
-maintainer: [
-  "Anton Bachin <antonbachin@yahoo.com>"
-  "Leonid Rozenberg <leonidr@gmail.com>"
-]
-
-depends: [
-  "base-unix"
-  "dune"
-  "ocaml" {>= "4.02.0"}
-  "ocaml-migrate-parsetree" {>= "1.1.0"}
-  "ppx_tools_versioned"
-
-  "ocamlfind" {dev}
-  "ounit" {dev}
-]
-conflicts: [
-  "ocveralls" {<= "0.3.2"}
-]
-
-build: [
-  ["dune" "build" "-p" name "-j" jobs]
-]
-
-description: "Bisect_ppx helps you test thoroughly. It is a small preprocessor
-that inserts instrumentation at places in your code, such as if-then-else and
-match expressions. After you run tests, Bisect_ppx gives a nice HTML report
-showing which places were visited and which were missed.
-
-Usage is simple - add package bisect_ppx when building tests, run your tests,
-then run the Bisect_ppx report tool on the generated visitation files."
-
-url {
-  src: "https://github.com/aantron/bisect_ppx/archive/1.4.1.tar.gz"
-  checksum: "md5=05d514706646adc947ed21e7e69a1cf1"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/cmdliner.1.0.4/opam b/tools/oeedger8r/esy.lock/opam/cmdliner.1.0.4/opam
deleted file mode 100644
index b2187dc5b6..0000000000
--- a/tools/oeedger8r/esy.lock/opam/cmdliner.1.0.4/opam
+++ /dev/null
@@ -1,36 +0,0 @@
-opam-version: "2.0"
-maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
-authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
-homepage: "http://erratique.ch/software/cmdliner"
-doc: "http://erratique.ch/software/cmdliner/doc/Cmdliner"
-dev-repo: "git+http://erratique.ch/repos/cmdliner.git"
-bug-reports: "https://github.com/dbuenzli/cmdliner/issues"
-tags: [ "cli" "system" "declarative" "org:erratique" ]
-license: "ISC"
-depends:[ "ocaml" {>= "4.03.0"} ]
-build: [[ make "all" "PREFIX=%{prefix}%" ]]
-install:
-[[make "install" "LIBDIR=%{_:lib}%" "DOCDIR=%{_:doc}%" ]
- [make "install-doc" "LIBDIR=%{_:lib}%" "DOCDIR=%{_:doc}%"  ]]
-
-synopsis: """Declarative definition of command line interfaces for OCaml"""
-description: """\
-
-Cmdliner allows the declarative definition of command line interfaces
-for OCaml.
-
-It provides a simple and compositional mechanism to convert command
-line arguments to OCaml values and pass them to your functions. The
-module automatically handles syntax errors, help messages and UNIX man
-page generation. It supports programs with single or multiple commands
-and respects most of the [POSIX][1] and [GNU][2] conventions.
-
-Cmdliner has no dependencies and is distributed under the ISC license.
-
-[1]: http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap12.html
-[2]: http://www.gnu.org/software/libc/manual/html_node/Argument-Syntax.html
-"""
-url {
-archive: "http://erratique.ch/software/cmdliner/releases/cmdliner-1.0.4.tbz"
-checksum: "fe2213d0bc63b1e10a2d0aa66d2fc8d9"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/dune-configurator.1.0.0/opam b/tools/oeedger8r/esy.lock/opam/dune-configurator.1.0.0/opam
deleted file mode 100644
index 6e2b712edc..0000000000
--- a/tools/oeedger8r/esy.lock/opam/dune-configurator.1.0.0/opam
+++ /dev/null
@@ -1,9 +0,0 @@
-opam-version: "2.0"
-authors: ["Jérémie Dimino"]
-homepage: "https://github.com/ocaml/dune"
-bug-reports: "https://github.com/ocaml/dune/issues"
-maintainer: "Jérémie Dimino"
-description: """
-dune.configurator library distributed with Dune 1.x
-"""
-depends: ["dune" {<"2.0.0"}]
diff --git a/tools/oeedger8r/esy.lock/opam/dune.1.11.3/opam b/tools/oeedger8r/esy.lock/opam/dune.1.11.4/opam
similarity index 84%
rename from tools/oeedger8r/esy.lock/opam/dune.1.11.3/opam
rename to tools/oeedger8r/esy.lock/opam/dune.1.11.4/opam
index af3286b5eb..19e25117e2 100644
--- a/tools/oeedger8r/esy.lock/opam/dune.1.11.3/opam
+++ b/tools/oeedger8r/esy.lock/opam/dune.1.11.4/opam
@@ -45,9 +45,9 @@ build: [
 ]
 url {
   src:
-    "https://github.com/ocaml/dune/releases/download/1.11.3/dune-build-info-1.11.3.tbz"
+    "https://github.com/ocaml/dune/releases/download/1.11.4/dune-build-info-1.11.4.tbz"
   checksum: [
-    "sha256=c83a63e7e8245611b0e11d6adea07c6484dc1b4efffacb176315cd6674d4bbd2"
-    "sha512=2c1532b91d223e6ea0628c5f5174792c1bb4113a464f6d8b878b3c58be1136beb84ba2d9883a330fa20e550367588aa923ba06ffb9b615a098a21374a9377e81"
+    "sha256=77cb5f483221b266ded2b85fc84173ae0089a25134a086be922e82c131456ce6"
+    "sha512=02f00fd872aa49b832fc8c1e928409f23c79ddf84a53009a58875f222cca36fbb92c905e12c539caec9cbad723f195a8aa24218382dca35a903b3f52b11f06f2"
   ]
 }
diff --git a/tools/oeedger8r/esy.lock/opam/fpath.0.7.2/opam b/tools/oeedger8r/esy.lock/opam/fpath.0.7.2/opam
deleted file mode 100644
index 2613a6accb..0000000000
--- a/tools/oeedger8r/esy.lock/opam/fpath.0.7.2/opam
+++ /dev/null
@@ -1,34 +0,0 @@
-opam-version: "2.0"
-maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
-authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
-homepage: "http://erratique.ch/software/fpath"
-doc: "http://erratique.ch/software/fpath/doc"
-dev-repo: "git+http://erratique.ch/repos/fpath.git"
-bug-reports: "https://github.com/dbuenzli/fpath/issues"
-tags: [ "file" "system" "path" "org:erratique" ]
-license: "ISC"
-depends: [
-  "ocaml" {>= "4.01.0"}
-  "ocamlfind" {build}
-  "ocamlbuild" {build}
-  "topkg" {build & >= "0.9.0"}
-  "result"
-  "astring"
-]
-build: [[
-  "ocaml" "pkg/pkg.ml" "build"
-          "--dev-pkg" "%{pinned}%" ]]
-synopsis: "File system paths for OCaml"
-description: """
-Fpath is an OCaml module for handling file system paths with POSIX or
-Windows conventions. Fpath processes paths without accessing the file
-system and is independent from any system library.
-
-Fpath depends on [Astring][astring] and is distributed under the ISC
-license.
-
-[astring]: http://erratique.ch/software/astring"""
-url {
-  src: "http://erratique.ch/software/fpath/releases/fpath-0.7.2.tbz"
-  checksum: "md5=52c7ecb0bf180088336f3c645875fa41"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/ocaml-migrate-parsetree.1.4.0/opam b/tools/oeedger8r/esy.lock/opam/ocaml-migrate-parsetree.1.4.0/opam
deleted file mode 100644
index 66d40bacda..0000000000
--- a/tools/oeedger8r/esy.lock/opam/ocaml-migrate-parsetree.1.4.0/opam
+++ /dev/null
@@ -1,37 +0,0 @@
-opam-version: "2.0"
-maintainer: "frederic.bour@lakaban.net"
-authors: [
-  "Frédéric Bour <frederic.bour@lakaban.net>"
-  "Jérémie Dimino <jeremie@dimino.org>"
-]
-license: "LGPL-2.1-only with OCaml-LGPL-linking-exception"
-homepage: "https://github.com/ocaml-ppx/ocaml-migrate-parsetree"
-bug-reports: "https://github.com/ocaml-ppx/ocaml-migrate-parsetree/issues"
-dev-repo: "git+https://github.com/ocaml-ppx/ocaml-migrate-parsetree.git"
-doc: "https://ocaml-ppx.github.io/ocaml-migrate-parsetree/"
-tags: [ "syntax" "org:ocamllabs" ]
-build: [
-  ["dune" "build" "-p" name "-j" jobs]
-]
-depends: [
-  "result"
-  "ppx_derivers"
-  "dune" {>= "1.9.0"}
-  "ocaml" {>= "4.02.3"}
-]
-synopsis: "Convert OCaml parsetrees between different versions"
-description: """
-Convert OCaml parsetrees between different versions
-
-This library converts parsetrees, outcometree and ast mappers between
-different OCaml versions.  High-level functions help making PPX
-rewriters independent of a compiler version.
-"""
-url {
-  src:
-    "https://github.com/ocaml-ppx/ocaml-migrate-parsetree/releases/download/v1.4.0/ocaml-migrate-parsetree-v1.4.0.tbz"
-  checksum: [
-    "sha256=231fbdc205187b3ee266b535d9cfe44b599067b2f6e97883c782ea7bb577d3b8"
-    "sha512=61ee91d2d146cc2d2ff2d5dc4ef5dea4dc4d3c8dbd8b4c9586d64b6ad7302327ab35547aa0a5b0103c3f07b66b13d416a1bee6d4d117293cd3cabe44113ec6d4"
-  ]
-}
diff --git a/tools/oeedger8r/esy.lock/opam/ocamlbuild.0.14.0/opam b/tools/oeedger8r/esy.lock/opam/ocamlbuild.0.14.0/opam
deleted file mode 100644
index 8deabeedfb..0000000000
--- a/tools/oeedger8r/esy.lock/opam/ocamlbuild.0.14.0/opam
+++ /dev/null
@@ -1,36 +0,0 @@
-opam-version: "2.0"
-maintainer: "Gabriel Scherer <gabriel.scherer@gmail.com>"
-authors: ["Nicolas Pouillard" "Berke Durak"]
-homepage: "https://github.com/ocaml/ocamlbuild/"
-bug-reports: "https://github.com/ocaml/ocamlbuild/issues"
-license: "LGPL-2.1-only with OCaml-LGPL-linking-exception"
-doc: "https://github.com/ocaml/ocamlbuild/blob/master/manual/manual.adoc"
-dev-repo: "git+https://github.com/ocaml/ocamlbuild.git"
-build: [
-  [
-    make
-    "-f"
-    "configure.make"
-    "all"
-    "OCAMLBUILD_PREFIX=%{prefix}%"
-    "OCAMLBUILD_BINDIR=%{bin}%"
-    "OCAMLBUILD_LIBDIR=%{lib}%"
-    "OCAMLBUILD_MANDIR=%{man}%"
-    "OCAML_NATIVE=%{ocaml:native}%"
-    "OCAML_NATIVE_TOOLS=%{ocaml:native}%"
-  ]
-  [make "check-if-preinstalled" "all" "opam-install"]
-]
-conflicts: [
-  "base-ocamlbuild"
-  "ocamlfind" {< "1.6.2"}
-]
-synopsis:
-  "OCamlbuild is a build system with builtin rules to easily build most OCaml projects."
-depends: [
-  "ocaml" {>= "4.03"}
-]
-url {
-  src: "https://github.com/ocaml/ocamlbuild/archive/0.14.0.tar.gz"
-  checksum: "sha256=87b29ce96958096c0a1a8eeafeb6268077b2d11e1bf2b3de0f5ebc9cf8d42e78"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/ocamlformat.0.11.0/opam b/tools/oeedger8r/esy.lock/opam/ocamlformat.0.11.0/opam
deleted file mode 100644
index abaa584a40..0000000000
--- a/tools/oeedger8r/esy.lock/opam/ocamlformat.0.11.0/opam
+++ /dev/null
@@ -1,35 +0,0 @@
-opam-version: "2.0"
-maintainer: "OCamlFormat Team <ocamlformat-team@fb.com>"
-authors: "Josh Berdine <jjb@fb.com>"
-homepage: "https://github.com/ocaml-ppx/ocamlformat"
-bug-reports: "https://github.com/ocaml-ppx/ocamlformat/issues"
-dev-repo: "git+https://github.com/ocaml-ppx/ocamlformat.git"
-url {
-  src: "https://github.com/ocaml-ppx/ocamlformat/archive/0.11.0.tar.gz"
-  checksum: [
-    "md5=e45a7f2090ad609b9ec1d4391922365e"
-    "sha512=5db2601b0c2a47c1f597519d21ba8a0ad07d2b7426b8a6996491c5301290a445cbe92be24d85bc9e4bc9f3a4bdd4ebe79f398863f9da29b3ba8dc2456f764210"
-  ]
-}
-license: "MIT"
-build: [
-  ["ocaml" "tools/gen_version.mlt" "src/Version.ml" version] {pinned}
-  ["dune" "build" "-p" name "-j" jobs]
-]
-depends: [
-  "ocaml" {>= "4.06"}
-  "base" {>= "v0.11.0"}
-  "base-unix"
-  "bisect_ppx"
-  "cmdliner"
-  "dune" {>= "1.1.1"}
-  "fpath"
-  "ocaml-migrate-parsetree" {>= "1.3.1"}
-  "odoc" {>= "1.4.1"}
-  "re"
-  "stdio"
-  "uuseg" {>= "10.0.0"}
-  "uutf" {>= "1.0.1"}
-]
-synopsis: "Auto-formatter for OCaml code"
-description: "OCamlFormat is a tool to automatically format OCaml code in a uniform style."
diff --git a/tools/oeedger8r/esy.lock/opam/odoc.1.4.2/opam b/tools/oeedger8r/esy.lock/opam/odoc.1.4.2/opam
deleted file mode 100644
index 162971c621..0000000000
--- a/tools/oeedger8r/esy.lock/opam/odoc.1.4.2/opam
+++ /dev/null
@@ -1,45 +0,0 @@
-opam-version: "2.0"
-
-version: "1.4.2"
-homepage: "http://github.com/ocaml/odoc"
-doc: "https://github.com/ocaml/odoc#readme"
-bug-reports: "https://github.com/ocaml/odoc/issues"
-license: "ISC"
-
-authors: [
-  "Thomas Refis <trefis@janestreet.com>"
-  "David Sheets <sheets@alum.mit.edu>"
-  "Leo White <leo@lpw25.net>"
-]
-maintainer: "Anton Bachin <antonbachin@yahoo.com>"
-dev-repo: "git+https://github.com/ocaml/odoc.git"
-
-synopsis: "OCaml documentation generator"
-
-depends: [
-  "astring" {build}
-  "cmdliner" {build & >= "1.0.0"}
-  "cppo" {build}
-  "dune"
-  "fpath" {build}
-  "ocaml" {>= "4.02.0"}
-  "result" {build}
-  "tyxml" {build & >= "4.3.0"}
-
-  "alcotest" {dev & >= "0.8.3"}
-  "markup" {dev & >= "0.8.0"}
-  "ocamlfind" {dev}
-  "sexplib" {dev & >= "113.33.00"}
-
-  "bisect_ppx" {with-test & >= "1.3.0"}
-]
-
-build: [
-  ["dune" "subst"] {pinned}
-  ["dune" "build" "-p" name "-j" jobs]
-]
-
-url {
-  src: "https://github.com/ocaml/odoc/archive/1.4.2.tar.gz"
-  checksum: "md5=d75ce63539040cd199d22203d46fc5f3"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/ppx_derivers.1.2.1/opam b/tools/oeedger8r/esy.lock/opam/ppx_derivers.1.2.1/opam
deleted file mode 100644
index 3d10814e04..0000000000
--- a/tools/oeedger8r/esy.lock/opam/ppx_derivers.1.2.1/opam
+++ /dev/null
@@ -1,23 +0,0 @@
-opam-version: "2.0"
-maintainer: "jeremie@dimino.org"
-authors: ["Jérémie Dimino"]
-license: "BSD-3-Clause"
-homepage: "https://github.com/ocaml-ppx/ppx_derivers"
-bug-reports: "https://github.com/ocaml-ppx/ppx_derivers/issues"
-dev-repo: "git://github.com/ocaml-ppx/ppx_derivers.git"
-build: [
-  ["dune" "build" "-p" name "-j" jobs]
-]
-depends: [
-  "ocaml"
-  "dune"
-]
-synopsis: "Shared [@@deriving] plugin registry"
-description: """
-Ppx_derivers is a tiny package whose sole purpose is to allow
-ppx_deriving and ppx_type_conv to inter-operate gracefully when linked
-as part of the same ocaml-migrate-parsetree driver."""
-url {
-  src: "https://github.com/ocaml-ppx/ppx_derivers/archive/1.2.1.tar.gz"
-  checksum: "md5=5dc2bf130c1db3c731fe0fffc5648b41"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/ppx_tools_versioned.5.2.3/opam b/tools/oeedger8r/esy.lock/opam/ppx_tools_versioned.5.2.3/opam
deleted file mode 100644
index dbf79a1b01..0000000000
--- a/tools/oeedger8r/esy.lock/opam/ppx_tools_versioned.5.2.3/opam
+++ /dev/null
@@ -1,30 +0,0 @@
-opam-version: "2.0"
-maintainer: "frederic.bour@lakaban.net"
-authors: [
-  "Frédéric Bour <frederic.bour@lakaban.net>"
-  "Alain Frisch <alain.frisch@lexifi.com>"
-]
-license: "MIT"
-homepage: "https://github.com/ocaml-ppx/ppx_tools_versioned"
-bug-reports: "https://github.com/ocaml-ppx/ppx_tools_versioned/issues"
-dev-repo: "git://github.com/ocaml-ppx/ppx_tools_versioned.git"
-tags: [ "syntax" ]
-build: [
-  ["dune" "subst"] {pinned}
-  ["dune" "build" "-p" name "-j" jobs]
-  ["dune" "runtest" "-p" name "-j" jobs] {with-test}
-]
-depends: [
-  "ocaml" {>= "4.02.0"}
-  "dune" {>= "1.0"}
-  "ocaml-migrate-parsetree" {>= "1.4.0"}
-]
-synopsis: "A variant of ppx_tools based on ocaml-migrate-parsetree"
-url {
-  src:
-    "https://github.com/ocaml-ppx/ppx_tools_versioned/archive/5.2.3.tar.gz"
-  checksum: [
-    "md5=b1455e5a4a1bcd9ddbfcf712ccbd4262"
-    "sha512=af20aa0031b9c638537bcdb52c75de95f316ae8fd455a38672a60da5c7c6895cca9dbecd5d56a88c3c40979c6a673a047d986b5b41e1e84b528b7df5d905b9b1"
-  ]
-}
diff --git a/tools/oeedger8r/esy.lock/opam/re.1.9.0/opam b/tools/oeedger8r/esy.lock/opam/re.1.9.0/opam
deleted file mode 100644
index f7987544d1..0000000000
--- a/tools/oeedger8r/esy.lock/opam/re.1.9.0/opam
+++ /dev/null
@@ -1,42 +0,0 @@
-opam-version: "2.0"
-
-maintainer: "rudi.grinberg@gmail.com"
-authors: [
-  "Jerome Vouillon"
-  "Thomas Gazagnaire"
-  "Anil Madhavapeddy"
-  "Rudi Grinberg"
-  "Gabriel Radanne"
-]
-license: "LGPL-2.0-only with OCaml-LGPL-linking-exception"
-homepage: "https://github.com/ocaml/ocaml-re"
-bug-reports: "https://github.com/ocaml/ocaml-re/issues"
-dev-repo: "git+https://github.com/ocaml/ocaml-re.git"
-
-build: [
-  ["dune" "subst"] {pinned}
-  ["dune" "build" "-p" name "-j" jobs]
-  ["dune" "runtest" "-p" name "-j" jobs] {with-test}
-]
-
-depends: [
-  "ocaml" {>= "4.02"}
-  "dune"
-  "ounit" {with-test}
-  "seq"
-]
-
-synopsis: "RE is a regular expression library for OCaml"
-description: """
-Pure OCaml regular expressions with:
-* Perl-style regular expressions (module Re.Perl)
-* Posix extended regular expressions (module Re.Posix)
-* Emacs-style regular expressions (module Re.Emacs)
-* Shell-style file globbing (module Re.Glob)
-* Compatibility layer for OCaml's built-in Str module (module Re.Str)
-"""
-url {
-  src:
-    "https://github.com/ocaml/ocaml-re/releases/download/1.9.0/re-1.9.0.tbz"
-  checksum: "md5=bddaed4f386a22cace7850c9c7dac296"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/result.1.4/opam b/tools/oeedger8r/esy.lock/opam/result.1.4/opam
deleted file mode 100644
index b44aeead8b..0000000000
--- a/tools/oeedger8r/esy.lock/opam/result.1.4/opam
+++ /dev/null
@@ -1,22 +0,0 @@
-opam-version: "2.0"
-maintainer: "opensource@janestreet.com"
-authors: ["Jane Street Group, LLC <opensource@janestreet.com>"]
-homepage: "https://github.com/janestreet/result"
-dev-repo: "git+https://github.com/janestreet/result.git"
-bug-reports: "https://github.com/janestreet/result/issues"
-license: "BSD-3-Clause"
-build: [["dune" "build" "-p" name "-j" jobs]]
-depends: [
-  "ocaml"
-  "dune" {>= "1.0"}
-]
-synopsis: "Compatibility Result module"
-description: """
-Projects that want to use the new result type defined in OCaml >= 4.03
-while staying compatible with older version of OCaml should use the
-Result module defined in this library."""
-url {
-  src:
-    "https://github.com/janestreet/result/archive/1.4.tar.gz"
-  checksum: "md5=d3162dbc501a2af65c8c71e0866541da"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/seq.0.2/opam b/tools/oeedger8r/esy.lock/opam/seq.0.2/opam
deleted file mode 100644
index 55c46960c6..0000000000
--- a/tools/oeedger8r/esy.lock/opam/seq.0.2/opam
+++ /dev/null
@@ -1,22 +0,0 @@
-opam-version: "2.0"
-synopsis:
-  "Compatibility package for OCaml's standard iterator type starting from 4.07"
-maintainer: "simon.cruanes.2007@m4x.org"
-authors: "Simon Cruanes"
-license: "LGPL2.1"
-tags: ["iterator" "seq" "pure" "list" "compatibility" "cascade"]
-homepage: "https://github.com/c-cube/seq/"
-bug-reports: "https://github.com/c-cube/seq/issues"
-depends: [
-  "dune" {>= "1.1.0"}
-  "ocaml" {< "4.07.0"}
-]
-build: ["dune" "build" "-p" name "-j" jobs]
-dev-repo: "git+https://github.com/c-cube/seq.git"
-url {
-  src: "https://github.com/c-cube/seq/archive/0.2.tar.gz"
-  checksum: [
-    "md5=1d5a9d0aba27b22433f518cdc495d0fd"
-    "sha512=b2571225a18e624b79dad5e1aab91b22e2fda17702f2e23c438b75d2a71e24c55ee8672005f5cc4b17ae79e3b277b1918b71b5d0d674b8b12ea19b3fb2d747cb"
-  ]
-}
\ No newline at end of file
diff --git a/tools/oeedger8r/esy.lock/opam/sexplib0.v0.12.0/opam b/tools/oeedger8r/esy.lock/opam/sexplib0.v0.12.0/opam
deleted file mode 100644
index 9b45864bd4..0000000000
--- a/tools/oeedger8r/esy.lock/opam/sexplib0.v0.12.0/opam
+++ /dev/null
@@ -1,26 +0,0 @@
-opam-version: "2.0"
-maintainer: "opensource@janestreet.com"
-authors: ["Jane Street Group, LLC <opensource@janestreet.com>"]
-homepage: "https://github.com/janestreet/sexplib0"
-bug-reports: "https://github.com/janestreet/sexplib0/issues"
-dev-repo: "git+https://github.com/janestreet/sexplib0.git"
-doc: "https://ocaml.janestreet.com/ocaml-core/latest/doc/sexplib0/index.html"
-license: "MIT"
-build: [
-  ["dune" "build" "-p" name "-j" jobs]
-]
-depends: [
-  "ocaml" {>= "4.04.2"}
-  "dune"  {>= "1.5.1"}
-]
-synopsis: "Library containing the definition of S-expressions and some base converters"
-description: "
-Part of Jane Street's Core library
-The Core suite of libraries is an industrial strength alternative to
-OCaml's standard library that was developed by Jane Street, the
-largest industrial user of OCaml.
-"
-url {
-  src: "https://ocaml.janestreet.com/ocaml-core/v0.12/files/sexplib0-v0.12.0.tar.gz"
-  checksum: "md5=2486a25d3a94da9a94acc018b5f09061"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/stdio.v0.12.0/opam b/tools/oeedger8r/esy.lock/opam/stdio.v0.12.0/opam
deleted file mode 100644
index 477c74579e..0000000000
--- a/tools/oeedger8r/esy.lock/opam/stdio.v0.12.0/opam
+++ /dev/null
@@ -1,27 +0,0 @@
-opam-version: "2.0"
-maintainer: "opensource@janestreet.com"
-authors: ["Jane Street Group, LLC <opensource@janestreet.com>"]
-homepage: "https://github.com/janestreet/stdio"
-bug-reports: "https://github.com/janestreet/stdio/issues"
-dev-repo: "git+https://github.com/janestreet/stdio.git"
-doc: "https://ocaml.janestreet.com/ocaml-core/latest/doc/stdio/index.html"
-license: "MIT"
-build: [
-  ["dune" "build" "-p" name "-j" jobs]
-]
-depends: [
-  "ocaml" {>= "4.04.2"}
-  "base"  {>= "v0.12" & < "v0.13"}
-  "dune"  {>= "1.5.1"}
-]
-synopsis: "Standard IO library for OCaml"
-description: "
-Stdio implements simple input/output functionalities for OCaml.
-
-It re-exports the input/output functions of the OCaml standard
-libraries using a more consistent API.
-"
-url {
-  src: "https://ocaml.janestreet.com/ocaml-core/v0.12/files/stdio-v0.12.0.tar.gz"
-  checksum: "md5=b261ff2d5667fde960c95e50cff668da"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/topkg.1.0.1/opam b/tools/oeedger8r/esy.lock/opam/topkg.1.0.1/opam
deleted file mode 100644
index 77ae1f42d5..0000000000
--- a/tools/oeedger8r/esy.lock/opam/topkg.1.0.1/opam
+++ /dev/null
@@ -1,48 +0,0 @@
-opam-version: "2.0"
-maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
-authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
-homepage: "http://erratique.ch/software/topkg"
-doc: "http://erratique.ch/software/topkg/doc"
-license: "ISC"
-dev-repo: "git+http://erratique.ch/repos/topkg.git"
-bug-reports: "https://github.com/dbuenzli/topkg/issues"
-tags: ["packaging" "ocamlbuild" "org:erratique"]
-depends: [
-  "ocaml" {>= "4.03.0"}
-  "ocamlfind" {build & >= "1.6.1"}
-  "ocamlbuild" ]
-build: [[
-  "ocaml" "pkg/pkg.ml" "build"
-          "--pkg-name" name
-          "--dev-pkg" "%{pinned}%" ]]
-synopsis: """The transitory OCaml software packager"""
-description: """\
-
-Topkg is a packager for distributing OCaml software. It provides an
-API to describe the files a package installs in a given build
-configuration and to specify information about the package's
-distribution, creation and publication procedures.
-
-The optional topkg-care package provides the `topkg` command line tool
-which helps with various aspects of a package's life cycle: creating
-and linting a distribution, releasing it on the WWW, publish its
-documentation, add it to the OCaml opam repository, etc.
-
-Topkg is distributed under the ISC license and has **no**
-dependencies. This is what your packages will need as a *build*
-dependency.
-
-Topkg-care is distributed under the ISC license it depends on
-[fmt][fmt], [logs][logs], [bos][bos], [cmdliner][cmdliner],
-[webbrowser][webbrowser] and `opam-format`.
-
-[fmt]: http://erratique.ch/software/fmt
-[logs]: http://erratique.ch/software/logs
-[bos]: http://erratique.ch/software/bos
-[cmdliner]: http://erratique.ch/software/cmdliner
-[webbrowser]: http://erratique.ch/software/webbrowser
-"""
-url {
-archive: "http://erratique.ch/software/topkg/releases/topkg-1.0.1.tbz"
-checksum: "16b90e066d8972a5ef59655e7c28b3e9"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/tyxml.4.3.0/opam b/tools/oeedger8r/esy.lock/opam/tyxml.4.3.0/opam
deleted file mode 100644
index 93872f8b3c..0000000000
--- a/tools/oeedger8r/esy.lock/opam/tyxml.4.3.0/opam
+++ /dev/null
@@ -1,45 +0,0 @@
-opam-version: "2.0"
-maintainer: "dev@ocsigen.org"
-homepage: "https://github.com/ocsigen/tyxml/"
-bug-reports: "https://github.com/ocsigen/tyxml/issues"
-doc: "https://ocsigen.org/tyxml/manual/"
-dev-repo: "git+https://github.com/ocsigen/tyxml.git"
-license: "LGPL-2.1-only with OCaml-LGPL-linking-exception"
-
-build: [
-  ["dune" "subst"] {pinned}
-  ["dune" "build" "-p" name "-j" jobs]
-  ["dune" "runtest" "-p" name "-j" jobs] {with-test}
-]
-
-depends: [
-  "ocaml" {>= "4.02"}
-  "re" {>= "1.5.0"}
-  ("ocaml" {>= "4.07"} | "re" {>= "1.8.0"})
-  "dune"
-  "alcotest" {with-test}
-  "seq"
-  "uutf" {>= "1.0.0"}
-]
-
-synopsis:"TyXML is a library for building correct HTML and SVG documents"
-description:"""
-TyXML provides a set of convenient combinators that uses the OCaml
-type system to ensure the validity of the generated documents. TyXML
-can be used with any representation of HTML and SVG: the textual one,
-provided directly by this package, or DOM trees (`js_of_ocaml-tyxml`)
-virtual DOM (`virtual-dom`) and reactive or replicated trees
-(`eliom`). You can also create your own representation and use it to
-instantiate a new set of combinators.
-
-```ocaml
-open Tyxml
-let to_ocaml = Html.(a ~a:[a_href "ocaml.org"] [txt "OCaml!"])
-```
-"""
-authors: "The ocsigen team"
-url {
-  src:
-    "https://github.com/ocsigen/tyxml/releases/download/4.3.0/tyxml-4.3.0.tbz"
-  checksum: "md5=fd834a567f813bf447cab5f4c3a723e2"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/uchar.0.0.2/opam b/tools/oeedger8r/esy.lock/opam/uchar.0.0.2/opam
deleted file mode 100644
index 428d7aa6f8..0000000000
--- a/tools/oeedger8r/esy.lock/opam/uchar.0.0.2/opam
+++ /dev/null
@@ -1,36 +0,0 @@
-opam-version: "2.0"
-maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
-authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
-homepage: "http://ocaml.org"
-doc: "https://ocaml.github.io/uchar/"
-dev-repo: "git+https://github.com/ocaml/uchar.git"
-bug-reports: "https://github.com/ocaml/uchar/issues"
-tags: [ "text" "character" "unicode" "compatibility" "org:ocaml.org" ]
-license: "typeof OCaml system"
-depends: [
-  "ocaml" {>= "3.12.0"}
-  "ocamlbuild" {build}
-]
-build: [
-  ["ocaml" "pkg/git.ml"]
-  [
-    "ocaml"
-    "pkg/build.ml"
-    "native=%{ocaml:native}%"
-    "native-dynlink=%{ocaml:native-dynlink}%"
-  ]
-]
-synopsis: "Compatibility library for OCaml's Uchar module"
-description: """
-The `uchar` package provides a compatibility library for the
-[`Uchar`][1] module introduced in OCaml 4.03.
-
-The `uchar` package is distributed under the license of the OCaml
-compiler. See [LICENSE](LICENSE) for details.
-
-[1]: http://caml.inria.fr/pub/docs/manual-ocaml/libref/Uchar.html"""
-url {
-  src:
-    "https://github.com/ocaml/uchar/releases/download/v0.0.2/uchar-0.0.2.tbz"
-  checksum: "md5=c9ba2c738d264c420c642f7bb1cf4a36"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/uucp.12.0.0/opam b/tools/oeedger8r/esy.lock/opam/uucp.12.0.0/opam
deleted file mode 100644
index 18bf0a8410..0000000000
--- a/tools/oeedger8r/esy.lock/opam/uucp.12.0.0/opam
+++ /dev/null
@@ -1,47 +0,0 @@
-opam-version: "2.0"
-maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
-authors: [
-  "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
-  "David Kaloper Meršinjak <david@numm.org>"
-]
-homepage: "https://erratique.ch/software/uucp"
-doc: "https://erratique.ch/software/uucp/doc/Uucp"
-dev-repo: "git+https://erratique.ch/repos/uucp.git"
-bug-reports: "https://github.com/dbuenzli/uucp/issues"
-tags: [ "unicode" "text" "character" "org:erratique" ]
-license: "ISC"
-depends: [
- "ocaml" {>= "4.01.0"}
- "ocamlfind" {build}
- "ocamlbuild" {build}
- "topkg" {build}
- "uchar"
- "uucd" {with-test} # dev really
- "uunf" {with-test}
- "uutf" {with-test}
- ]
-depopts: [ "uunf" "uutf" "cmdliner" ]
-conflicts: [ "uutf" {< "1.0.1"}
-             "cmdliner" {< "1.0.0"} ]
-build: [[
-  "ocaml" "pkg/pkg.ml" "build"
-          "--dev-pkg" "%{pinned}%"
-          "--with-uutf" "%{uutf:installed}%"
-          "--with-uunf" "%{uunf:installed}%"
-          "--with-cmdliner" "%{cmdliner:installed}%"
-]]
-synopsis: """Unicode character properties for OCaml"""
-description: """\
-
-Uucp is an OCaml library providing efficient access to a selection of
-character properties of the [Unicode character database][1].
-
-Uucp is independent from any Unicode text data structure and has no
-dependencies. It is distributed under the ISC license.
-
-[1]: http://www.unicode.org/reports/tr44/
-"""
-url {
-archive: "https://erratique.ch/software/uucp/releases/uucp-12.0.0.tbz"
-checksum: "cf210ed43375b7f882c0540874e2cb81"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/uuseg.12.0.0/opam b/tools/oeedger8r/esy.lock/opam/uuseg.12.0.0/opam
deleted file mode 100644
index 57dbdc65b1..0000000000
--- a/tools/oeedger8r/esy.lock/opam/uuseg.12.0.0/opam
+++ /dev/null
@@ -1,50 +0,0 @@
-opam-version: "2.0"
-maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
-authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
-homepage: "https://erratique.ch/software/uuseg"
-doc: "https://erratique.ch/software/uuseg"
-dev-repo: "git+https://erratique.ch/repos/uuseg.git"
-bug-reports: "https://github.com/dbuenzli/uuseg/issues"
-tags: [ "segmentation" "text" "unicode" "org:erratique" ]
-license: "ISC"
-depends: [ "ocaml" {>= "4.01.0"}
-           "ocamlfind" {build}
-           "ocamlbuild" {build}
-           "topkg" {build}
-           "uchar"
-           "uucp" {>= "12.0.0" & < "13.0.0"} ]
-depopts: [ "uutf"
-           "cmdliner"
-           "uutf" {with-test}
-           "cmdliner" {with-test} ]
-conflicts: [ "uutf" {< "1.0.0"} ]
-build: [[
-  "ocaml" "pkg/pkg.ml" "build"
-  "--pinned" "%{pinned}%"
-  "--with-uutf" "%{uutf:installed}%"
-  "--with-cmdliner" "%{cmdliner:installed}%" ]]
-
-synopsis: """Unicode text segmentation for OCaml"""
-description: """\
-
-Uuseg is an OCaml library for segmenting Unicode text. It implements
-the locale independent [Unicode text segmentation algorithms][1] to
-detect grapheme cluster, word and sentence boundaries and the
-[Unicode line breaking algorithm][2] to detect line break
-opportunities.
-
-The library is independent from any IO mechanism or Unicode text data
-structure and it can process text without a complete in-memory
-representation.
-
-Uuseg depends on [Uucp](http://erratique.ch/software/uucp) and
-optionally on [Uutf](http://erratique.ch/software/uutf) for support on
-OCaml UTF-X encoded strings. It is distributed under the ISC license.
-
-[1]: http://www.unicode.org/reports/tr29/
-[2]: http://www.unicode.org/reports/tr14/
-"""
-url {
-archive: "https://erratique.ch/software/uuseg/releases/uuseg-12.0.0.tbz"
-checksum: "1d4487ddf5154e3477e55021b978d58a"
-}
diff --git a/tools/oeedger8r/esy.lock/opam/uutf.1.0.2/opam b/tools/oeedger8r/esy.lock/opam/uutf.1.0.2/opam
deleted file mode 100644
index 3a9f5678d2..0000000000
--- a/tools/oeedger8r/esy.lock/opam/uutf.1.0.2/opam
+++ /dev/null
@@ -1,40 +0,0 @@
-opam-version: "2.0"
-maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
-authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
-homepage: "http://erratique.ch/software/uutf"
-doc: "http://erratique.ch/software/uutf/doc/Uutf"
-dev-repo: "git+http://erratique.ch/repos/uutf.git"
-bug-reports: "https://github.com/dbuenzli/uutf/issues"
-tags: [ "unicode" "text" "utf-8" "utf-16" "codec" "org:erratique" ]
-license: "ISC"
-depends: [
-  "ocaml" {>= "4.01.0"}
-  "ocamlfind" {build}
-  "ocamlbuild" {build}
-  "topkg" {build}
-  "uchar"
-]
-depopts: ["cmdliner"]
-conflicts: ["cmdliner" { < "0.9.6"} ]
-build: [[
-  "ocaml" "pkg/pkg.ml" "build"
-          "--pinned" "%{pinned}%"
-          "--with-cmdliner" "%{cmdliner:installed}%" ]]
-synopsis: """Non-blocking streaming Unicode codec for OCaml"""
-description: """\
-
-Uutf is a non-blocking streaming codec to decode and encode the UTF-8,
-UTF-16, UTF-16LE and UTF-16BE encoding schemes. It can efficiently
-work character by character without blocking on IO. Decoders perform
-character position tracking and support newline normalization.
-
-Functions are also provided to fold over the characters of UTF encoded
-OCaml string values and to directly encode characters in OCaml
-Buffer.t values.
-
-Uutf has no dependency and is distributed under the ISC license.
-"""
-url {
-archive: "http://erratique.ch/software/uutf/releases/uutf-1.0.2.tbz"
-checksum: "a7c542405a39630c689a82bd7ef2292c"
-}
diff --git a/tools/oeedger8r/esy.lock/overrides/opam__s__dune_opam__c__1.11.3_opam_override/package.json b/tools/oeedger8r/esy.lock/overrides/opam__s__dune_opam__c__1.11.4_opam_override/package.json
similarity index 100%
rename from tools/oeedger8r/esy.lock/overrides/opam__s__dune_opam__c__1.11.3_opam_override/package.json
rename to tools/oeedger8r/esy.lock/overrides/opam__s__dune_opam__c__1.11.4_opam_override/package.json
diff --git a/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/files/ocamlbuild-0.14.0.patch b/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/files/ocamlbuild-0.14.0.patch
deleted file mode 100644
index 4d5bea0e09..0000000000
--- a/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/files/ocamlbuild-0.14.0.patch
+++ /dev/null
@@ -1,463 +0,0 @@
---- ./Makefile
-+++ ./Makefile
-@@ -213,7 +213,7 @@
- 	rm -f man/ocamlbuild.1
- 
- man/options_man.byte: src/ocamlbuild_pack.cmo
--	$(OCAMLC) $^ -I src man/options_man.ml -o man/options_man.byte
-+	$(OCAMLC) -I +unix unix.cma $^ -I src man/options_man.ml -o man/options_man.byte
- 
- clean::
- 	rm -f man/options_man.cm*
---- ./src/command.ml
-+++ ./src/command.ml
-@@ -148,9 +148,10 @@
-   let self = string_of_command_spec_with_calls call_with_tags call_with_target resolve_virtuals in
-   let b = Buffer.create 256 in
-   (* The best way to prevent bash from switching to its windows-style
--   * quote-handling is to prepend an empty string before the command name. *)
-+   * quote-handling is to prepend an empty string before the command name.
-+   * space seems to work, too - and the ouput is nicer *)
-   if Sys.os_type = "Win32" then
--    Buffer.add_string b "''";
-+    Buffer.add_char b ' ';
-   let first = ref true in
-   let put_space () =
-     if !first then
-@@ -260,7 +261,7 @@
- 
- let execute_many ?(quiet=false) ?(pretend=false) cmds =
-   add_parallel_stat (List.length cmds);
--  let degraded = !*My_unix.is_degraded || Sys.os_type = "Win32" in
-+  let degraded = !*My_unix.is_degraded in
-   let jobs = !jobs in
-   if jobs < 0 then invalid_arg "jobs < 0";
-   let max_jobs = if jobs = 0 then None else Some jobs in
---- ./src/findlib.ml
-+++ ./src/findlib.ml
-@@ -66,9 +66,6 @@
-     (fun command -> lexer & Lexing.from_string & run_and_read command)
-     command
- 
--let run_and_read command =
--  Printf.ksprintf run_and_read command
--
- let rec query name =
-   try
-     Hashtbl.find packages name
-@@ -135,7 +132,8 @@
-   with Not_found -> s
- 
- let list () =
--  List.map before_space (split_nl & run_and_read "%s list" ocamlfind)
-+  let cmd = Shell.quote_filename_if_needed ocamlfind ^ " list" in
-+  List.map before_space (split_nl & run_and_read cmd)
- 
- (* The closure algorithm is easy because the dependencies are already closed
- and sorted for each package. We only have to make the union. We could also
---- ./src/main.ml
-+++ ./src/main.ml
-@@ -162,6 +162,9 @@
-               Tags.mem "traverse" tags
-               || List.exists (Pathname.is_prefix path_name) !Options.include_dirs
-               || List.exists (Pathname.is_prefix path_name) target_dirs)
-+            && ((* beware: !Options.build_dir is an absolute directory *)
-+              Pathname.normalize !Options.build_dir
-+              <> Pathname.normalize (Pathname.pwd/path_name))
-           end
-         end
-       end
---- ./src/my_std.ml
-+++ ./src/my_std.ml
-@@ -271,13 +271,107 @@
-       try Array.iter (fun x -> if x = basename then raise Exit) a; false
-       with Exit -> true
- 
-+let command_plain = function
-+| [| |] -> 0
-+| margv ->
-+  let rec waitpid a b =
-+    match Unix.waitpid a b with
-+    | exception (Unix.Unix_error(Unix.EINTR,_,_)) -> waitpid a b
-+    | x -> x
-+  in
-+  let pid = Unix.(create_process margv.(0) margv stdin stdout stderr) in
-+  let pid', process_status = waitpid [] pid in
-+  assert (pid = pid');
-+  match process_status with
-+  | Unix.WEXITED n -> n
-+  | Unix.WSIGNALED _ -> 2 (* like OCaml's uncaught exceptions *)
-+  | Unix.WSTOPPED _ -> 127
-+
-+(* can't use Lexers because of circular dependency *)
-+let split_path_win str =
-+  let rec aux pos =
-+    try
-+      let i = String.index_from str pos ';' in
-+      let len = i - pos in
-+      if len = 0 then
-+        aux (succ i)
-+      else
-+        String.sub str pos (i - pos) :: aux (succ i)
-+    with Not_found | Invalid_argument _ ->
-+      let len = String.length str - pos in
-+      if len = 0 then [] else [String.sub str pos len]
-+  in
-+  aux 0
-+
-+let windows_shell = lazy begin
-+  let rec iter = function
-+  | [] -> [| "bash.exe" ; "--norc" ; "--noprofile" |]
-+  | hd::tl ->
-+    let dash = Filename.concat hd "dash.exe" in
-+    if Sys.file_exists dash then [|dash|] else
-+    let bash = Filename.concat hd "bash.exe" in
-+    if Sys.file_exists bash = false then iter tl else
-+    (* if sh.exe and bash.exe exist in the same dir, choose sh.exe *)
-+    let sh = Filename.concat hd "sh.exe" in
-+    if Sys.file_exists sh then [|sh|] else [|bash ; "--norc" ; "--noprofile"|]
-+  in
-+  split_path_win (try Sys.getenv "PATH" with Not_found -> "") |> iter
-+end
-+
-+let prep_windows_cmd cmd =
-+  (* workaround known ocaml bug, remove later *)
-+  if String.contains cmd '\t' && String.contains cmd ' ' = false then
-+    " " ^ cmd
-+  else
-+    cmd
-+
-+let run_with_shell = function
-+| "" -> 0
-+| cmd ->
-+  let cmd = prep_windows_cmd cmd in
-+  let shell = Lazy.force windows_shell in
-+  let qlen = Filename.quote cmd |> String.length in
-+  (* old versions of dash had problems with bs *)
-+  try
-+    if qlen < 7_900 then
-+      command_plain (Array.append shell [| "-ec" ; cmd |])
-+    else begin
-+      (* it can still work, if the called command is a cygwin tool *)
-+      let ch_closed = ref false in
-+      let file_deleted = ref false in
-+      let fln,ch =
-+        Filename.open_temp_file
-+          ~mode:[Open_binary]
-+          "ocamlbuildtmp"
-+          ".sh"
-+      in
-+      try
-+        let f_slash = String.map ( fun x -> if x = '\\' then '/' else x ) fln in
-+        output_string ch cmd;
-+        ch_closed:= true;
-+        close_out ch;
-+        let ret = command_plain (Array.append shell [| "-e" ; f_slash |]) in
-+        file_deleted:= true;
-+        Sys.remove fln;
-+        ret
-+      with
-+      | x ->
-+        if !ch_closed = false then
-+          close_out_noerr ch;
-+        if !file_deleted = false then
-+          (try Sys.remove fln with _ -> ());
-+        raise x
-+    end
-+  with
-+  | (Unix.Unix_error _) as x ->
-+    (* Sys.command doesn't raise an exception, so run_with_shell also won't
-+       raise *)
-+    Printexc.to_string x ^ ":" ^ cmd |> prerr_endline;
-+    1
-+
- let sys_command =
--  match Sys.os_type with
--  | "Win32" -> fun cmd ->
--      if cmd = "" then 0 else
--      let cmd = "bash --norc -c " ^ Filename.quote cmd in
--      Sys.command cmd
--  | _ -> fun cmd -> if cmd = "" then 0 else Sys.command cmd
-+  if Sys.win32 then run_with_shell
-+  else fun cmd -> if cmd = "" then 0 else Sys.command cmd
- 
- (* FIXME warning fix and use Filename.concat *)
- let filename_concat x y =
---- ./src/my_std.mli
-+++ ./src/my_std.mli
-@@ -69,3 +69,6 @@
- 
- val split_ocaml_version : (int * int * int * string) option
- (** (major, minor, patchlevel, rest) *)
-+
-+val windows_shell : string array Lazy.t
-+val prep_windows_cmd : string -> string
---- ./src/ocamlbuild_executor.ml
-+++ ./src/ocamlbuild_executor.ml
-@@ -34,6 +34,8 @@
-   job_stdin   : out_channel;
-   job_stderr  : in_channel;
-   job_buffer  : Buffer.t;
-+  job_pid     : int;
-+  job_tmp_file: string option;
-   mutable job_dying : bool;
- };;
- 
-@@ -76,6 +78,61 @@
-   in
-   loop 0
- ;;
-+
-+let open_process_full_win cmd env =
-+  let (in_read, in_write) = Unix.pipe () in
-+  let (out_read, out_write) = Unix.pipe () in
-+  let (err_read, err_write) = Unix.pipe () in
-+  Unix.set_close_on_exec in_read;
-+  Unix.set_close_on_exec out_write;
-+  Unix.set_close_on_exec err_read;
-+  let inchan = Unix.in_channel_of_descr in_read in
-+  let outchan = Unix.out_channel_of_descr out_write in
-+  let errchan = Unix.in_channel_of_descr err_read in
-+  let shell = Lazy.force Ocamlbuild_pack.My_std.windows_shell in
-+  let test_cmd =
-+    String.concat " " (List.map Filename.quote (Array.to_list shell)) ^
-+    "-ec " ^
-+    Filename.quote (Ocamlbuild_pack.My_std.prep_windows_cmd cmd) in
-+  let argv,tmp_file =
-+    if String.length test_cmd < 7_900 then
-+      Array.append
-+        shell
-+        [| "-ec" ; Ocamlbuild_pack.My_std.prep_windows_cmd cmd |],None
-+    else
-+    let fln,ch = Filename.open_temp_file ~mode:[Open_binary] "ocamlbuild" ".sh" in
-+    output_string ch (Ocamlbuild_pack.My_std.prep_windows_cmd cmd);
-+    close_out ch;
-+    let fln' = String.map (function '\\' -> '/' | c -> c) fln in
-+    Array.append
-+      shell
-+      [| "-c" ; fln' |], Some fln in
-+  let pid =
-+    Unix.create_process_env argv.(0) argv env out_read in_write err_write in
-+  Unix.close out_read;
-+  Unix.close in_write;
-+  Unix.close err_write;
-+  (pid, inchan, outchan, errchan,tmp_file)
-+
-+let close_process_full_win (pid,inchan, outchan, errchan, tmp_file) =
-+  let delete tmp_file =
-+    match tmp_file with
-+    | None -> ()
-+    | Some x -> try Sys.remove x with Sys_error _ -> () in
-+  let tmp_file_deleted = ref false in
-+  try
-+    close_in inchan;
-+    close_out outchan;
-+    close_in errchan;
-+    let res = snd(Unix.waitpid [] pid) in
-+    tmp_file_deleted := true;
-+    delete tmp_file;
-+    res
-+  with
-+  | x when tmp_file <> None && !tmp_file_deleted = false ->
-+    delete tmp_file;
-+    raise x
-+
- (* ***)
- (*** execute *)
- (* XXX: Add test for non reentrancy *)
-@@ -130,10 +187,16 @@
-   (*** add_job *)
-   let add_job cmd rest result id =
-     (*display begin fun oc -> fp oc "Job %a is %s\n%!" print_job_id id cmd; end;*)
--    let (stdout', stdin', stderr') = open_process_full cmd env in
-+    let (pid,stdout', stdin', stderr', tmp_file) =
-+      if Sys.win32 then open_process_full_win cmd env else
-+      let a,b,c = open_process_full cmd env in
-+      -1,a,b,c,None
-+    in
-     incr jobs_active;
--    set_nonblock (doi stdout');
--    set_nonblock (doi stderr');
-+    if not Sys.win32 then (
-+      set_nonblock (doi stdout');
-+      set_nonblock (doi stderr');
-+    );
-     let job =
-       { job_id          = id;
-         job_command     = cmd;
-@@ -143,7 +206,9 @@
-         job_stdin       = stdin';
-         job_stderr      = stderr';
-         job_buffer      = Buffer.create 1024;
--        job_dying       = false }
-+        job_dying       = false;
-+        job_tmp_file    = tmp_file;
-+        job_pid         = pid }
-     in
-     outputs := FDM.add (doi stdout') job (FDM.add (doi stderr') job !outputs);
-     jobs := JS.add job !jobs;
-@@ -199,6 +264,7 @@
-               try
-                 read fd u 0 (Bytes.length u)
-               with
-+              | Unix.Unix_error(Unix.EPIPE,_,_) when Sys.win32 -> 0
-               | Unix.Unix_error(e,_,_)  ->
-                 let msg = error_message e in
-                 display (fun oc -> fp oc
-@@ -241,14 +307,19 @@
-       decr jobs_active;
- 
-       (* PR#5371: we would get EAGAIN below otherwise *)
--      clear_nonblock (doi job.job_stdout);
--      clear_nonblock (doi job.job_stderr);
--
-+      if not Sys.win32 then (
-+        clear_nonblock (doi job.job_stdout);
-+        clear_nonblock (doi job.job_stderr);
-+      );
-       do_read ~loop:true (doi job.job_stdout) job;
-       do_read ~loop:true (doi job.job_stderr) job;
-       outputs := FDM.remove (doi job.job_stdout) (FDM.remove (doi job.job_stderr) !outputs);
-       jobs := JS.remove job !jobs;
--      let status = close_process_full (job.job_stdout, job.job_stdin, job.job_stderr) in
-+      let status =
-+        if Sys.win32 then
-+          close_process_full_win (job.job_pid, job.job_stdout, job.job_stdin, job.job_stderr, job.job_tmp_file)
-+        else
-+          close_process_full (job.job_stdout, job.job_stdin, job.job_stderr) in
- 
-       let shown = ref false in
- 
---- ./src/ocamlbuild_unix_plugin.ml
-+++ ./src/ocamlbuild_unix_plugin.ml
-@@ -48,12 +48,22 @@
-   end
- 
- let run_and_open s kont =
-+  let s_orig = s in
-+  let s =
-+    (* Be consistent! My_unix.run_and_open uses My_std.sys_command and
-+       sys_command uses bash. *)
-+    if Sys.win32 = false then s else
-+    let l = match Lazy.force My_std.windows_shell |> Array.to_list with
-+    | hd::tl -> (Filename.quote hd)::tl
-+    | _ -> assert false in
-+    "\"" ^ (String.concat " " l) ^ " -ec " ^ Filename.quote (" " ^ s) ^ "\""
-+  in
-   let ic = Unix.open_process_in s in
-   let close () =
-     match Unix.close_process_in ic with
-     | Unix.WEXITED 0 -> ()
-     | Unix.WEXITED _ | Unix.WSIGNALED _ | Unix.WSTOPPED _ ->
--        failwith (Printf.sprintf "Error while running: %s" s) in
-+        failwith (Printf.sprintf "Error while running: %s" s_orig) in
-   let res = try
-       kont ic
-     with e -> (close (); raise e)
---- ./src/options.ml
-+++ ./src/options.ml
-@@ -174,11 +174,24 @@
-     build_dir := Filename.concat (Sys.getcwd ()) s
-   else
-     build_dir := s
-+
-+let slashify =
-+  if Sys.win32 then fun p -> String.map (function '\\' -> '/' | x -> x) p
-+  else fun p ->p
-+
-+let sb () =
-+  match Sys.os_type with
-+  | "Win32" ->
-+    (try set_binary_mode_out stdout true with _ -> ());
-+  | _ -> ()
-+
-+
- let spec = ref (
-     let print_version () =
-+      sb ();
-       Printf.printf "ocamlbuild %s\n%!" Ocamlbuild_config.version; raise Exit_OK
-     in
--    let print_vnum () = print_endline Ocamlbuild_config.version; raise Exit_OK in
-+    let print_vnum () = sb (); print_endline Ocamlbuild_config.version; raise Exit_OK in
-   Arg.align
-   [
-    "-version", Unit print_version , " Display the version";
-@@ -257,8 +270,8 @@
-    "-build-dir", String set_build_dir, "<path> Set build directory (implies no-links)";
-    "-install-lib-dir", Set_string Ocamlbuild_where.libdir, "<path> Set the install library directory";
-    "-install-bin-dir", Set_string Ocamlbuild_where.bindir, "<path> Set the install binary directory";
--   "-where", Unit (fun () -> print_endline !Ocamlbuild_where.libdir; raise Exit_OK), " Display the install library directory";
--   "-which", String (fun cmd -> print_endline (find_tool cmd); raise Exit_OK), "<command> Display path to the tool command";
-+   "-where", Unit (fun () -> sb (); print_endline (slashify !Ocamlbuild_where.libdir); raise Exit_OK), " Display the install library directory";
-+   "-which", String (fun cmd -> sb (); print_endline (slashify (find_tool cmd)); raise Exit_OK), "<command> Display path to the tool command";
-    "-ocamlc", set_cmd ocamlc, "<command> Set the OCaml bytecode compiler";
-    "-plugin-ocamlc", set_cmd plugin_ocamlc, "<command> Set the OCaml bytecode compiler \
-      used when building myocamlbuild.ml (only)";
---- ./src/pathname.ml
-+++ ./src/pathname.ml
-@@ -84,6 +84,26 @@
-   | x :: xs -> x :: normalize_list xs
- 
- let normalize x =
-+  let x =
-+    if Sys.win32 = false then
-+      x
-+    else
-+      let len = String.length x in
-+      let b = Bytes.create len in
-+      for i = 0 to pred len do
-+        match x.[i] with
-+        | '\\' -> Bytes.set b i '/'
-+        | c -> Bytes.set b i c
-+      done;
-+      if len > 1 then (
-+        let c1 = Bytes.get b 0 in
-+        let c2 = Bytes.get b 1 in
-+        if c2 = ':' && c1 >= 'a' && c1 <= 'z' &&
-+           ( len = 2 || Bytes.get b 2 = '/') then
-+          Bytes.set b 0 (Char.uppercase_ascii c1)
-+      );
-+      Bytes.unsafe_to_string b
-+  in
-   if Glob.eval not_normal_form_re x then
-     let root, paths = split x in
-     join root (normalize_list paths)
---- ./src/shell.ml
-+++ ./src/shell.ml
-@@ -24,12 +24,26 @@
-     | 'a'..'z' | 'A'..'Z' | '0'..'9' | '.' | '-' | '/' | '_' | ':' | '@' | '+' | ',' -> loop (pos + 1)
-     | _ -> false in
-   loop 0
-+
-+let generic_quote quotequote s =
-+  let l = String.length s in
-+  let b = Buffer.create (l + 20) in
-+  Buffer.add_char b '\'';
-+  for i = 0 to l - 1 do
-+    if s.[i] = '\''
-+    then Buffer.add_string b quotequote
-+    else Buffer.add_char b  s.[i]
-+  done;
-+  Buffer.add_char b '\'';
-+  Buffer.contents b
-+let unix_quote = generic_quote "'\\''"
-+
- let quote_filename_if_needed s =
-   if is_simple_filename s then s
-   (* We should probably be using [Filename.unix_quote] except that function
-    * isn't exported. Users on Windows will have to live with not being able to
-    * install OCaml into c:\o'caml. Too bad. *)
--  else if Sys.os_type = "Win32" then Printf.sprintf "'%s'" s
-+  else if Sys.os_type = "Win32" then unix_quote s
-   else Filename.quote s
- let chdir dir =
-   reset_filesys_cache ();
-@@ -37,7 +51,7 @@
- let run args target =
-   reset_readdir_cache ();
-   let cmd = String.concat " " (List.map quote_filename_if_needed args) in
--  if !*My_unix.is_degraded || Sys.os_type = "Win32" then
-+  if !*My_unix.is_degraded then
-     begin
-       Log.event cmd target Tags.empty;
-       let st = sys_command cmd in
diff --git a/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/package.json b/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/package.json
deleted file mode 100644
index b24be7b5bc..0000000000
--- a/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/package.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-  "build": [
-    [
-      "bash",
-      "-c",
-      "#{os == 'windows' ? 'patch -p1 < ocamlbuild-0.14.0.patch' : 'true'}"
-    ],
-    [
-      "make",
-      "-f",
-      "configure.make",
-      "all",
-      "OCAMLBUILD_PREFIX=#{self.install}",
-      "OCAMLBUILD_BINDIR=#{self.bin}",
-      "OCAMLBUILD_LIBDIR=#{self.lib}",
-      "OCAMLBUILD_MANDIR=#{self.man}",
-      "OCAMLBUILD_NATIVE=true",
-      "OCAMLBUILD_NATIVE_TOOLS=true"
-    ],
-    [
-      "make",
-      "check-if-preinstalled",
-      "all",
-      "#{os == 'windows' ? 'install' : 'opam-install'}"
-    ]
-  ]
-}
diff --git a/tools/oeedger8r/package.json b/tools/oeedger8r/package.json
index 19fa19aa39..3755543f24 100644
--- a/tools/oeedger8r/package.json
+++ b/tools/oeedger8r/package.json
@@ -22,7 +22,6 @@
 
   "devDependencies": {
     "@opam/merlin": "~3.3.2",
-    "@opam/ocamlformat": "~0.11.0",
     "ocaml": "~4.6.0"
   }
 }

From f3ab363d53220b4d937c30c42439ec370fd61b36 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 5 Nov 2019 17:44:10 +0000
Subject: [PATCH 254/420] Add Ansible playbook for installing esy

This can be used manually or in scripts.
---
 scripts/ansible/oe-linux-esy-setup.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 scripts/ansible/oe-linux-esy-setup.yml

diff --git a/scripts/ansible/oe-linux-esy-setup.yml b/scripts/ansible/oe-linux-esy-setup.yml
new file mode 100644
index 0000000000..04a4ac3a27
--- /dev/null
+++ b/scripts/ansible/oe-linux-esy-setup.yml
@@ -0,0 +1,13 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+---
+- hosts: localhost
+  any_errors_fatal: true
+  gather_facts: true
+  become: yes
+  tasks:
+    - import_role:
+        name: linux/openenclave
+        tasks_from: esy-setup.yml
+        vars_from: ubuntu.yml

From 3a66d48066a21f33b611759db537c9ab179ee82e Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Fri, 11 Oct 2019 00:04:20 +0000
Subject: [PATCH 255/420] Install esy in CI containers on-the-fly

This is meant to be reverted once the containers are updated.
---
 .jenkins/Jenkinsfile | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
index 08102f9fe1..7d436b8968 100644
--- a/.jenkins/Jenkinsfile
+++ b/.jenkins/Jenkinsfile
@@ -50,6 +50,10 @@ def simulationTest(String version, String platform_mode, String build_type) {
                 checkout scm
                 withEnv(["OE_SIMULATION=1"]) {
                     def task = """
+                               pushd ${WORKSPACE}/scripts/ansible
+                               sudo ./install-ansible.sh
+                               sudo ansible-playbook oe-linux-esy-setup.yml
+                               popd
                                cmake ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DHAS_QUOTE_PROVIDER=${has_quote_provider} -Wdev
                                ninja -v
                                ctest --output-on-failure --timeout ${CTEST_TIMEOUT_SECONDS}
@@ -68,6 +72,10 @@ def AArch64GNUTest(String version, String build_type) {
                 cleanWs()
                 checkout scm
                 def task = """
+                            pushd ${WORKSPACE}/scripts/ansible
+                            sudo ./install-ansible.sh
+                            sudo ansible-playbook oe-linux-esy-setup.yml
+                            popd
                             cmake ${WORKSPACE}                                                     \
                                 -G Ninja                                                           \
                                 -DCMAKE_BUILD_TYPE=${build_type}                                   \
@@ -90,6 +98,10 @@ def ACCContainerTest(String label, String version) {
                 cleanWs()
                 checkout scm
                 def task = """
+                           pushd ${WORKSPACE}/scripts/ansible
+                           sudo ./install-ansible.sh
+                           sudo ansible-playbook oe-linux-esy-setup.yml
+                           popd
                            cmake ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=RelWithDebInfo -Wdev
                            ninja -v
                            ctest --output-on-failure --timeout ${CTEST_TIMEOUT_SECONDS}
@@ -107,6 +119,10 @@ def ACCPackageTest(String label, String version) {
                 cleanWs()
                 checkout scm
                 def task = """
+                           pushd ${WORKSPACE}/scripts/ansible
+                           sudo ./install-ansible.sh
+                           sudo ansible-playbook oe-linux-esy-setup.yml
+                           popd
                            cmake ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=RelWithDebInfo -Wdev -DCMAKE_INSTALL_PREFIX:PATH='/opt/openenclave' -DCPACK_GENERATOR=DEB
                            ninja -v
                            ninja -v package
@@ -139,6 +155,10 @@ def checkDevFlows(String version) {
                 cleanWs()
                 checkout scm
                 def task = """
+                           pushd ${WORKSPACE}/scripts/ansible
+                           sudo ./install-ansible.sh
+                           sudo ansible-playbook oe-linux-esy-setup.yml
+                           popd
                            cmake ${WORKSPACE} -G Ninja -DHAS_QUOTE_PROVIDER=OFF -Wdev --warn-uninitialized -Werror=dev
                            ninja -v
                            """
@@ -169,6 +189,10 @@ def win2016LinuxElfBuild(String version, String compiler, String build_type) {
                 cleanWs()
                 checkout scm
                 def task = """
+                           pushd ${WORKSPACE}/scripts/ansible
+                           sudo ./install-ansible.sh
+                           sudo ansible-playbook oe-linux-esy-setup.yml
+                           popd
                            cmake ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DHAS_QUOTE_PROVIDER=ON -Wdev
                            ninja -v
                            """
@@ -237,6 +261,10 @@ def ACCHostVerificationTest(String version, String build_type) {
 
                     println("Generating certificates and reports ...")
                     def task = """
+                            pushd ${WORKSPACE}/scripts/ansible
+                            sudo ./install-ansible.sh
+                            sudo ansible-playbook oe-linux-esy-setup.yml
+                            popd
                             cmake ${WORKSPACE} -G Ninja -DHAS_QUOTE_PROVIDER=ON -DCMAKE_BUILD_TYPE=${build_type} -Wdev
                             ninja -v
                             pushd tests/host_verify/host
@@ -283,6 +311,10 @@ def ACCHostVerificationTest(String version, String build_type) {
                     checkout scm
                     unstash "linux_host_verify-${build_type}-${BUILD_NUMBER}"
                     def task = """
+                            pushd ${WORKSPACE}/scripts/ansible
+                            sudo ./install-ansible.sh
+                            sudo ansible-playbook oe-linux-esy-setup.yml
+                            popd
                             cmake ${WORKSPACE} -G Ninja -DBUILD_ENCLAVES=OFF -DHAS_QUOTE_PROVIDER=OFF -DCMAKE_BUILD_TYPE=${build_type} -Wdev
                             ninja -v
                             ctest -R host_verify --output-on-failure --timeout ${CTEST_TIMEOUT_SECONDS}

From 564c504832749569a13b47633be9d5e2a4730a68 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 5 Nov 2019 17:42:49 +0000
Subject: [PATCH 256/420] Move host verification tests into a container

---
 .jenkins/Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
index 7d436b8968..7641e92566 100644
--- a/.jenkins/Jenkinsfile
+++ b/.jenkins/Jenkinsfile
@@ -277,7 +277,7 @@ def ACCHostVerificationTest(String version, String build_type) {
                             ../../tools/oecert/host/oecert ../../tools/oecert/enc/oecert_enc --report --out sgx_report.bin
                             popd
                             """
-                    oe.Run("clang-7", task)
+                    oe.ContainerRun("oetools-full-${version}", "clang-7", task, "--cap-add=SYS_PTRACE --device /dev/sgx:/dev/sgx")
 
                     def ec_cert_created = fileExists 'build/tests/host_verify/host/sgx_cert_ec.der'
                     def rsa_cert_created = fileExists 'build/tests/host_verify/host/sgx_cert_rsa.der'

From 6f3a316979556d1f3bc1886cb772ad905e8e3317 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 5 Nov 2019 20:03:10 +0000
Subject: [PATCH 257/420] Update documentation for new build systems

---
 .../WindowsManualInstallPrereqs.md            | 25 ++++++++++++-------
 tools/oeedger8r/README.md                     | 10 ++++++++
 2 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
index 30ff49e746..807478dc82 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualInstallPrereqs.md
@@ -13,7 +13,8 @@
 ## Software prerequisites
 - [Microsoft Visual Studio Build Tools 2019](https://aka.ms/vs/15/release/vs_buildtools.exe)
 - [Git for Windows 64-bit](https://git-scm.com/download/win)
-- [OCaml for Windows 64-bit](https://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/20160113/)
+- [Node.js 10.x](https://nodejs.org/en/download/)
+- [esy](https://esy.sh/)
 - [Clang/LLVM for Windows 64-bit](http://releases.llvm.org/7.0.1/LLVM-7.0.1-win64.exe)
 - [Python 3](https://www.python.org/downloads/windows/)
 
@@ -66,19 +67,25 @@ C:\> where ld.lld
 C:\Program Files\LLVM\bin\ld.lld.exe
 ```
 
-## OCaml
+## OCaml via esy with Node.js
 
-Install [OCaml for Windows (64-bit)](https://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/20160113/).
-Please download and install the [mingw64 exe for OCaml](https://www.ocamlpro.com/pub/ocpwin/ocpwin-builds/ocpwin64/20160113/ocpwin64-20160113-4.02.1+ocp1-mingw64.exe).
+Install [Node.js 10.x](https://nodejs.org/en/download/) from the "Previous
+Releases" page. Ensure `npm` is in your `PATH` (should be done by the MSI
+installer).
 
-[Alternate OCaml Web-site](https://fdopen.github.io/opam-repository-mingw/installation/)
+Then install [esy](https://esy.sh/) via `npm`.
 
-OCaml is used to build the oeedger8r tool as part of the OE SDK.
+```cmd
+npm install -g esy@0.5.8
+```
+
+OCaml (managed via `esy`) is used to build the oeedger8r tool as part of the OE SDK.
+
+Open up a command prompt and ensure that `esy` is added to the `PATH`.
 
-Open up a command prompt and ensure that ocaml is added to PATH.
 ```cmd
-C:\> where ocaml
-C:\Program Files\ocpwin64\4.02.1+ocp1-msvc64-20160113\bin\ocaml.exe
+C:\Users\test> where esy
+C:\Users\test\AppData\Roaming\npm\esy
 ```
 
 ## Python 3
diff --git a/tools/oeedger8r/README.md b/tools/oeedger8r/README.md
index ff2a1a374c..2b04fe829c 100644
--- a/tools/oeedger8r/README.md
+++ b/tools/oeedger8r/README.md
@@ -15,6 +15,16 @@ To build from source, please follow
 [Advanced Build Info](../../docs/GettingStartedDocs/Contributors/AdvancedBuildInfo.md).
 The `oeedger8r` is built by the CMake target `oeedger8r_target`.
 
+The `oeedger8r` tool is written in OCaml, and builds using
+[esy](https://esy.sh/). This is a tool that provides OCaml package management
+and reproducible build environments. Instead of installing the native OCaml
+tools, `esy` parses the `package.json` file to download and install the exact
+OCaml dependencies (including the OCaml compilers and tools, and the `dune`
+build system). Running just the command `esy` is equivalent to `esy install &&
+esy build` which installs the packages and kicks off the `dune` build, in the
+correct environment (this is similar to tools like `pyenv`), and in a
+cross-platform manner.
+
 For more information on using writing EDL files and using this tool, please see
 [Edger8r Getting Started](../../docs/GettingStartedDocs/Edger8rGettingStarted.md).
 

From c0b2e21047d4deb2083686563a9e7f9a7bae393a Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 5 Nov 2019 20:07:16 +0000
Subject: [PATCH 258/420] Bump oeedger8r version number

---
 tools/oeedger8r/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/oeedger8r/package.json b/tools/oeedger8r/package.json
index 3755543f24..e1983c2f99 100644
--- a/tools/oeedger8r/package.json
+++ b/tools/oeedger8r/package.json
@@ -1,6 +1,6 @@
 {
   "name": "oeedger8r",
-  "version": "0.6.0",
+  "version": "0.7.0",
   "description": "The Open Enclave SDK's oeedger8r",
   "license": "MIT",
 

From 1b025f03b312e33d5b2b371c89ee96a4bbb0b979 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 5 Nov 2019 20:55:52 +0000
Subject: [PATCH 259/420] Bump ansible from 2.8.0 to 2.8.2 in /scripts/ansible

Bumps [ansible](https://github.com/ansible/community) from 2.8.0 to 2.8.2.
- [Release notes](https://github.com/ansible/community/releases)
- [Commits](https://github.com/ansible/community/commits)

Signed-off-by: dependabot[bot] <support@github.com>
---
 scripts/ansible/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/ansible/requirements.txt b/scripts/ansible/requirements.txt
index 71464aed68..2c07f3e9f7 100644
--- a/scripts/ansible/requirements.txt
+++ b/scripts/ansible/requirements.txt
@@ -1,4 +1,4 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
-ansible==2.8.0
+ansible==2.8.2
 pywinrm==0.2.1

From 885aabeeb55489fe1869b0ead3c1435381b471b9 Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Thu, 7 Nov 2019 04:05:41 +0000
Subject: [PATCH 260/420] Update project to use DCO instead of CLA

- Replace references to the CLA requirement from contribution documents
  with information about the new DCO requirements.

- Add a git hook to enforce that all commit messages must include a sign-off
  for the DCO.

Signed-off-by: Simon Leet <simon.leet@microsoft.com>
---
 CMakeLists.txt       |  2 +-
 README.md            |  7 ++--
 docs/Contributing.md | 79 +++++++++++++++++++++++++++++++++++---------
 scripts/README.md    |  3 ++
 scripts/commit-msg   | 25 ++++++++++++++
 5 files changed, 96 insertions(+), 20 deletions(-)
 create mode 100644 scripts/commit-msg

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 219dd051b7..6b13a776b3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -51,7 +51,7 @@ if (IS_DIRECTORY "${PROJECT_SOURCE_DIR}/.git")
   # Install Git pre-commit hook
   if (NOT WIN32)
     file(
-      COPY scripts/pre-commit
+      COPY scripts/pre-commit scripts/commit-msg
       DESTINATION "${PROJECT_SOURCE_DIR}/.git/hooks")
   endif ()
 endif ()
diff --git a/README.md b/README.md
index 4e7725f5b2..f10db18858 100644
--- a/README.md
+++ b/README.md
@@ -55,10 +55,9 @@ started guides, see
 Contributing
 ------------
 
-This project welcomes contributions and suggestions. Most contributions require
-you to agree to a Contributor License Agreement (CLA) declaring that you have
-the right to, and actually do, grant us the rights to use your contribution. For
-details, see [Contributing to Open Enclave](docs/Contributing.md).
+This project welcomes contributions and suggestions. All contributions to the Open Enclave SDK
+must adhere to the terms of the [Developer Certificate of Origin (DCO)](https://developercertificate.org/).
+For details, see [Contributing to Open Enclave](docs/Contributing.md).
 
 This project has adopted the
 [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
diff --git a/docs/Contributing.md b/docs/Contributing.md
index 58e541511a..f54f6ea4cf 100644
--- a/docs/Contributing.md
+++ b/docs/Contributing.md
@@ -217,21 +217,70 @@ commits with incorrect author information, you can fix them as follows:
 1. Choose to `edit` the commits with incorrect authorship.
    1. For each edit, use `git commit --amend --reset-author`.
 
-Contributor License Agreement
------------------------------
-
-You must sign a [Microsoft Contribution License Agreement (CLA)](
-https://opensource.microsoft.com/pdf/microsoft-contribution-license-agreement.pdf)
-before your PR will be merged. This is a one-time requirement for Open Enclave.
-You can read more about [Contribution License Agreements (CLA)](
-http://en.wikipedia.org/wiki/Contributor_License_Agreement) on Wikipedia.
-
-You don't have to do this up-front. You can simply clone, fork, and submit your
-pull request as usual. When your pull request is created, it is classified by a
-CLA bot. If the change is trivial (for example, you just fixed a typo), then the
-PR is labelled with `cla-not-required`. Otherwise it's classified as
-`cla-required`. Once you signed a CLA, the current and all future pull requests
-will be labelled as `cla-signed`.
+Developer Certificate of Origin
+------------------------------
+All contributions to the Open Enclave SDK must adhere to the terms of the
+[Developer Certificate of Origin (DCO)](https://developercertificate.org/):
+
+> Developer Certificate of Origin
+> Version 1.1
+>
+> Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+> 1 Letterman Drive
+> Suite D4700
+> San Francisco, CA, 94129
+>
+> Everyone is permitted to copy and distribute verbatim copies of this
+> license document, but changing it is not allowed.
+>
+> Developer's Certificate of Origin 1.1
+>
+> By making a contribution to this project, I certify that:
+>
+> (a) The contribution was created in whole or in part by me and I
+>    have the right to submit it under the open source license
+>    indicated in the file; or
+>
+> (b) The contribution is based upon previous work that, to the best
+>    of my knowledge, is covered under an appropriate open source
+>    license and I have the right under that license to submit that
+>    work with modifications, whether created in whole or in part
+>    by me, under the same open source license (unless I am
+>    permitted to submit under a different license), as indicated
+>    in the file; or
+>
+> (c) The contribution was provided directly to me by some other
+>    person who certified (a), (b) or (c) and I have not modified
+>    it.
+>
+> (d) I understand and agree that this project and the contribution
+>    are public and that a record of the contribution (including all
+>    personal information I submit with it, including my sign-off) is
+>    maintained indefinitely and may be redistributed consistent with
+>    this project or the open source license(s) involved.
+
+Contributors need to sign-off that they adhere to these requirements by adding
+a `Signed-off-by:` line to each commit message:
+
+```
+Author: John Doe <johndoe@example.com>
+Date:   Wed Nov 6 11:30 2019 +0000
+
+    This is my commit message.
+
+    Signed-off-by: John Doe <johndoe@example.com>
+```
+
+Commits without this sign-off cannot be accepted, and the name in the
+`Signed-off-by` and `Author` fields should match.
+
+If you have configured your `user.name` and `user.email` via `git config`,
+the `Signed-off-by` line can be automatically appended to your commit message
+using the `-s` option:
+
+```
+$ git commit -s -m "This is my commit message."
+```
 
 Copying Files from Other Projects
 ---------------------------------
diff --git a/scripts/README.md b/scripts/README.md
index 38f057c38e..9b72a1d639 100644
--- a/scripts/README.md
+++ b/scripts/README.md
@@ -7,6 +7,9 @@ This directory contains the following scripts.
   and code linting have been met before changes should be merged
 - [check-license][] - Prints a list of sources missing the license header
 - [check-linters][] - Runs ShellCheck across scripts to lint them
+- [commit-msg][] - A [Git pre-commit hook](https://git-scm.com/docs/githooks)
+  to ensure that commit messages contain a [DCO](https://developercertificate.org)
+  sign-off
 - [deploy-docs][] - Deploys HTML documentation to GitHub pages
 - [format-code][] - Formats Open Enclave C/C++ code using `clang-format`
 - [pre-commit][] - A [Git pre-commit hook](https://git-scm.com/docs/githooks)
diff --git a/scripts/commit-msg b/scripts/commit-msg
new file mode 100644
index 0000000000..247ddbd705
--- /dev/null
+++ b/scripts/commit-msg
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+set -o errexit
+
+exit_() {
+    echo ""
+    echo "$1"
+    echo ""
+    echo "This hook can be skipped if needed with 'git commit --no-verify'"
+    echo "See '.git/hooks/commit-msg', installed from 'scripts/commit-msg'"
+    exit 1
+}
+
+sign_offs="$(grep '^Signed-off-by: ' "$1" || test $? = 1 )"
+
+if [[ -z $sign_offs ]]; then
+    exit_ "Commit failed: please sign-off on the DCO with 'git commit -s'"
+fi
+
+if [[ -n $(echo "$sign_offs" | sort | uniq -c | sed -e '/^[ 	]*1[ 	]/d') ]]; then
+    exit_ "Commit failed: please remove duplicate Signed-off-by lines"
+fi

From 02428b8e7b59f4c40050d6f1eaee1e0cbbb5cdf4 Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Wed, 6 Nov 2019 01:34:07 +0000
Subject: [PATCH 261/420] Update copyright headers to include all Open Enclave
 SDK contributors

Per contribution of the project to Confidential Computing Consortium, update
all the copyright headers on source files to include all Open Enclave SDK
contributors. All copyright headers should now read:

```
Copyright (c) Open Enclave SDK contributors.
Licensed under the MIT License.
```

- Update scripts/check-license to enforce this new value on git commit.

Signed-off-by: Simon Leet <simon.leet@microsoft.com>
---
 .jenkins/Dockerfile.deploy                    |  2 +-
 .jenkins/Dockerfile.full                      |  2 +-
 .jenkins/Dockerfile.minimal                   |  2 +-
 .jenkins/Jenkinsfile                          |  2 +-
 .jenkins/custom_label.Jenkinsfile             |  2 +-
 .jenkins/provision/cleanup.sh                 |  2 +-
 .jenkins/provision/deploy-agent.sh            |  2 +-
 .jenkins/provision/register-agents.sh         |  2 +-
 3rdparty/CMakeLists.txt                       |  2 +-
 3rdparty/dlmalloc/update.make                 |  2 +-
 3rdparty/libcxx/CMakeLists.txt                |  2 +-
 3rdparty/libcxx/__config                      |  2 +-
 3rdparty/libcxx/__dso_handle.cpp              |  6 ++---
 3rdparty/libcxx/update.make                   |  2 +-
 3rdparty/libcxxrt/CMakeLists.txt              |  2 +-
 3rdparty/libcxxrt/update.make                 |  2 +-
 3rdparty/libunwind/CMakeLists.txt             |  2 +-
 3rdparty/libunwind/Gstep.c                    |  7 +++---
 3rdparty/libunwind/libunwind-common.h         |  2 +-
 3rdparty/libunwind/stubs.h                    | 23 +++++++++----------
 3rdparty/libunwind/update.make                |  2 +-
 3rdparty/mbedtls/CMakeLists.txt               |  2 +-
 3rdparty/mbedtls/mbedtls_hardware_poll.c      |  2 +-
 3rdparty/mbedtls/toolchain-clangw.cmake       |  2 +-
 3rdparty/mbedtls/update.make                  |  2 +-
 3rdparty/musl/CMakeLists.txt                  |  2 +-
 3rdparty/musl/append-deprecations             |  2 +-
 3rdparty/musl/deprecations.h                  | 23 +++++++++++--------
 3rdparty/musl/patches/endian.h                |  2 +-
 3rdparty/musl/patches/pthread_aarch64.h       |  2 +-
 3rdparty/musl/patches/pthread_x86_64.h        |  2 +-
 3rdparty/musl/patches/syscall_arch.h          |  2 +-
 3rdparty/musl/update.make                     |  2 +-
 3rdparty/optee/libutee/CMakeLists.txt         |  2 +-
 3rdparty/optee/libutee/compiler.h             |  2 +-
 3rdparty/optee/libutee/entry.c                |  2 +-
 CMakeGraphVizOptions.cmake                    |  2 +-
 CMakeLists.txt                                |  2 +-
 CMakeSettings.json                            |  2 +-
 LICENSE                                       |  2 +-
 cmake/add_dcap_client_target.cmake            |  2 +-
 cmake/add_enclave.cmake                       |  2 +-
 cmake/add_enclave_test.cmake                  |  2 +-
 cmake/arm-cross.cmake                         |  2 +-
 cmake/ccache.cmake                            |  2 +-
 cmake/compiler_settings.cmake                 |  2 +-
 cmake/copy_oedebugrt_target.cmake             |  2 +-
 cmake/cpack_settings.cmake                    |  2 +-
 cmake/get_testcase_name.cmake                 |  2 +-
 cmake/maybe_build_using_clangw.cmake          |  2 +-
 cmake/oeedl_file.cmake                        |  2 +-
 cmake/openenclave-config.cmake.in             |  2 +-
 cmake/openenclaverc.in                        |  2 +-
 cmake/package_settings.cmake                  |  2 +-
 common/argv.c                                 |  2 +-
 common/asn1.c                                 |  2 +-
 common/asn1.h                                 |  2 +-
 common/cert.c                                 |  2 +-
 common/common.h                               |  2 +-
 common/datetime.c                             |  2 +-
 common/kdf.c                                  |  2 +-
 common/oe_host_stdio.h                        |  2 +-
 common/oe_host_stdlib.h                       |  2 +-
 common/oe_host_string.h                       |  2 +-
 common/result.c                               |  2 +-
 common/safecrt.c                              |  2 +-
 common/sgx/collaterals.c                      |  2 +-
 common/sgx/collaterals.h                      |  2 +-
 common/sgx/qeidentity.c                       |  2 +-
 common/sgx/qeidentity.h                       |  2 +-
 common/sgx/quote.c                            |  2 +-
 common/sgx/quote.h                            |  2 +-
 common/sgx/rand.S                             |  2 +-
 common/sgx/rand.asm                           |  2 +-
 common/sgx/report.c                           |  2 +-
 common/sgx/revocation.c                       |  2 +-
 common/sgx/revocation.h                       |  2 +-
 common/sgx/sgx.edl                            |  2 +-
 common/sgx/sgxcertextensions.c                |  2 +-
 common/sgx/tcbinfo.c                          |  2 +-
 common/sgx/tcbinfo.h                          |  2 +-
 common/sgx/tlsverifier.c                      |  2 +-
 common/syscall.edl                            |  2 +-
 common/tee.edl                                |  2 +-
 debugger/CMakeLists.txt                       |  2 +-
 debugger/debugrt/CMakeLists.txt               |  2 +-
 debugger/debugrt/host/CMakeLists.txt          |  2 +-
 debugger/debugrt/host/host.c                  |  2 +-
 debugger/oe-gdb                               |  2 +-
 debugger/oegdb                                |  2 +-
 debugger/ptraceLib/CMakeLists.txt             |  2 +-
 debugger/ptraceLib/enclave_context.c          |  2 +-
 debugger/ptraceLib/enclave_context.h          |  2 +-
 debugger/ptraceLib/inferior_status.c          |  2 +-
 debugger/ptraceLib/inferior_status.h          |  2 +-
 debugger/ptraceLib/oe_ptrace.c                |  2 +-
 debugger/pythonExtension/CMakeLists.txt       |  2 +-
 debugger/pythonExtension/gdb_sgx_plugin.py    |  2 +-
 docs/DevelopmentGuide.md                      |  4 ++--
 docs/refman/CMakeLists.txt                    |  2 +-
 enclave/CMakeLists.txt                        |  2 +-
 enclave/asym_keys.c                           |  2 +-
 enclave/core/CMakeLists.txt                   |  2 +-
 enclave/core/__secs_to_tm.c                   |  2 +-
 enclave/core/__stack_chk_fail.c               |  2 +-
 enclave/core/arena.c                          |  2 +-
 enclave/core/arena.h                          |  2 +-
 enclave/core/assert.c                         |  2 +-
 enclave/core/atexit.c                         |  2 +-
 enclave/core/atexit.h                         |  2 +-
 enclave/core/backtrace.c                      |  2 +-
 enclave/core/calls.c                          |  2 +-
 enclave/core/calls.h                          |  2 +-
 enclave/core/ctype.c                          |  2 +-
 enclave/core/debugmalloc.c                    |  2 +-
 enclave/core/debugmalloc.h                    |  2 +-
 enclave/core/errno.c                          |  2 +-
 enclave/core/gmtime.c                         |  2 +-
 enclave/core/hexdump.c                        |  2 +-
 enclave/core/hostcalls.c                      |  2 +-
 enclave/core/init_fini.c                      |  2 +-
 enclave/core/init_fini.h                      |  2 +-
 enclave/core/intstr.c                         |  2 +-
 enclave/core/intstr.h                         |  2 +-
 enclave/core/malloc.c                         |  2 +-
 enclave/core/once.c                           |  2 +-
 enclave/core/optee/backtrace.c                |  2 +-
 enclave/core/optee/bounds.c                   |  2 +-
 enclave/core/optee/calls.c                    |  2 +-
 enclave/core/optee/entropy.c                  |  2 +-
 enclave/core/optee/globals.c                  |  2 +-
 enclave/core/optee/gp.c                       |  2 +-
 enclave/core/optee/header.c                   |  2 +-
 enclave/core/optee/hostcalls.c                |  2 +-
 enclave/core/optee/keys.c                     |  2 +-
 enclave/core/optee/printf.c                   |  2 +-
 enclave/core/optee/sched_yield.c              |  2 +-
 enclave/core/optee/spinlock.c                 |  2 +-
 enclave/core/optee/stubs.c                    |  2 +-
 enclave/core/optee/thread.c                   |  2 +-
 enclave/core/optee/tracee.c                   |  2 +-
 enclave/core/printf.c                         |  2 +-
 enclave/core/pthread.c                        |  2 +-
 enclave/core/result.c                         |  2 +-
 enclave/core/sbrk.c                           |  2 +-
 enclave/core/sgx/asmcommon.inc                |  2 +-
 enclave/core/sgx/asmdefs.h                    |  2 +-
 enclave/core/sgx/backtrace.c                  |  2 +-
 enclave/core/sgx/calls.c                      |  2 +-
 enclave/core/sgx/cpuid.c                      |  2 +-
 enclave/core/sgx/cpuid.h                      |  2 +-
 enclave/core/sgx/enter.S                      |  2 +-
 enclave/core/sgx/entropy.c                    |  2 +-
 enclave/core/sgx/exception.c                  |  2 +-
 enclave/core/sgx/exit.S                       |  2 +-
 enclave/core/sgx/getkey.S                     |  2 +-
 enclave/core/sgx/globals.c                    |  2 +-
 enclave/core/sgx/hostcalls.c                  |  2 +-
 enclave/core/sgx/init.c                       |  2 +-
 enclave/core/sgx/init.h                       |  2 +-
 enclave/core/sgx/jump.c                       |  2 +-
 enclave/core/sgx/keys.c                       |  2 +-
 enclave/core/sgx/linux/reloc.c                |  2 +-
 enclave/core/sgx/linux/threadlocal.c          |  2 +-
 enclave/core/sgx/linux/threadlocal.h          |  2 +-
 enclave/core/sgx/longjmp.S                    |  2 +-
 enclave/core/sgx/memory.c                     |  2 +-
 enclave/core/sgx/properties.c                 |  2 +-
 enclave/core/sgx/report.c                     |  2 +-
 enclave/core/sgx/report.h                     |  2 +-
 enclave/core/sgx/sched_yield.c                |  2 +-
 enclave/core/sgx/setjmp.S                     |  2 +-
 enclave/core/sgx/sgx_t_wrapper.c              |  2 +-
 enclave/core/sgx/spinlock.c                   |  2 +-
 enclave/core/sgx/td.c                         |  2 +-
 enclave/core/sgx/td.h                         |  2 +-
 enclave/core/sgx/thread.c                     |  2 +-
 enclave/core/sgx/thread.h                     |  2 +-
 enclave/core/sgx/tracee.c                     |  2 +-
 enclave/core/sgx/windows/reloc.c              |  2 +-
 enclave/core/stdio.c                          |  2 +-
 enclave/core/strerror.c                       |  2 +-
 enclave/core/string.c                         |  2 +-
 enclave/core/strtok_r.c                       |  2 +-
 enclave/core/strtoul.c                        |  2 +-
 enclave/core/switchlesscalls.c                |  2 +-
 enclave/core/switchlesscalls.h                |  2 +-
 enclave/core/tee_t_wrapper.c                  |  2 +-
 enclave/core/time.c                           |  2 +-
 enclave/core/tracee.c                         |  2 +-
 enclave/core/tracee.h                         |  2 +-
 enclave/crypto/CMakeLists.txt                 |  2 +-
 enclave/crypto/asn1.c                         |  2 +-
 enclave/crypto/cert.c                         |  2 +-
 enclave/crypto/cmac.c                         |  2 +-
 enclave/crypto/crl.c                          |  2 +-
 enclave/crypto/crl.h                          |  2 +-
 enclave/crypto/ec.c                           |  2 +-
 enclave/crypto/ec.h                           |  2 +-
 enclave/crypto/hmac.c                         |  2 +-
 enclave/crypto/key.c                          |  2 +-
 enclave/crypto/key.h                          |  2 +-
 enclave/crypto/pem.h                          |  2 +-
 enclave/crypto/random_internal.c              |  2 +-
 enclave/crypto/random_internal.h              |  2 +-
 enclave/crypto/rsa.c                          |  2 +-
 enclave/crypto/rsa.h                          |  2 +-
 enclave/crypto/sha.c                          |  2 +-
 enclave/link.c                                |  2 +-
 enclave/optee/report.c                        |  2 +-
 enclave/optee/start.S                         |  2 +-
 enclave/random.c                              |  2 +-
 enclave/sgx/qeidinfo.c                        |  2 +-
 enclave/sgx/report.c                          |  2 +-
 enclave/sgx/report.h                          |  2 +-
 enclave/sgx/revocationinfo.c                  |  2 +-
 enclave/sgx/start.S                           |  2 +-
 enclave/tls_cert.c                            |  2 +-
 host/CMakeLists.txt                           |  2 +-
 host/asym_keys.c                              |  2 +-
 host/calls.c                                  |  2 +-
 host/calls.h                                  |  2 +-
 host/crypto/bcrypt/bcrypt.h                   |  2 +-
 host/crypto/bcrypt/cert.c                     |  2 +-
 host/crypto/bcrypt/crl.c                      |  2 +-
 host/crypto/bcrypt/crl.h                      |  2 +-
 host/crypto/bcrypt/ec.c                       |  2 +-
 host/crypto/bcrypt/ec.h                       |  2 +-
 host/crypto/bcrypt/hmac.c                     |  2 +-
 host/crypto/bcrypt/key.c                      |  2 +-
 host/crypto/bcrypt/key.h                      |  2 +-
 host/crypto/bcrypt/pem.c                      |  2 +-
 host/crypto/bcrypt/pem.h                      |  2 +-
 host/crypto/bcrypt/random.c                   |  2 +-
 host/crypto/bcrypt/rsa.c                      |  2 +-
 host/crypto/bcrypt/rsa.h                      |  2 +-
 host/crypto/bcrypt/sha.c                      |  2 +-
 host/crypto/bcrypt/util.c                     |  2 +-
 host/crypto/bcrypt/util.h                     |  2 +-
 host/crypto/magic.h                           |  2 +-
 host/crypto/openssl/asn1.c                    |  2 +-
 host/crypto/openssl/asn1.h                    |  2 +-
 host/crypto/openssl/cert.c                    |  2 +-
 host/crypto/openssl/crl.c                     |  2 +-
 host/crypto/openssl/crl.h                     |  2 +-
 host/crypto/openssl/ec.c                      |  2 +-
 host/crypto/openssl/ec.h                      |  2 +-
 host/crypto/openssl/hmac.c                    |  2 +-
 host/crypto/openssl/init.c                    |  2 +-
 host/crypto/openssl/init.h                    |  2 +-
 host/crypto/openssl/key.c                     |  2 +-
 host/crypto/openssl/key.h                     |  2 +-
 host/crypto/openssl/random.c                  |  2 +-
 host/crypto/openssl/rsa.c                     |  2 +-
 host/crypto/openssl/rsa.h                     |  2 +-
 host/crypto/openssl/sha.c                     |  2 +-
 host/crypto/rsa.h                             |  2 +-
 host/dupenv.c                                 |  2 +-
 host/dupenv.h                                 |  2 +-
 host/error.c                                  |  2 +-
 host/files.c                                  |  2 +-
 host/fopen.c                                  |  2 +-
 host/fopen.h                                  |  2 +-
 host/hexdump.c                                |  2 +-
 host/hostthread.h                             |  2 +-
 host/linux/hostthread.c                       |  2 +-
 host/linux/syscall.c                          |  2 +-
 host/linux/time.c                             |  2 +-
 host/linux/windows.c                          |  2 +-
 host/linux/windows.h                          |  2 +-
 host/memalign.c                               |  2 +-
 host/memalign.h                               |  2 +-
 host/ocalls.c                                 |  2 +-
 host/ocalls.h                                 |  2 +-
 host/optee/linux/enclave.c                    |  2 +-
 host/optee/linux/enclave.h                    |  2 +-
 host/optee/log.c                              |  2 +-
 host/result.c                                 |  2 +-
 host/sgx/asmdefs.h                            |  2 +-
 host/sgx/calls.c                              |  2 +-
 host/sgx/cpuid.h                              |  2 +-
 host/sgx/create.c                             |  2 +-
 host/sgx/elf.c                                |  2 +-
 host/sgx/enclave.c                            |  2 +-
 host/sgx/enclave.h                            |  2 +-
 host/sgx/enclavemanager.c                     |  2 +-
 host/sgx/exception.c                          |  2 +-
 host/sgx/exception.h                          |  2 +-
 host/sgx/hostverify_report.c                  |  2 +-
 host/sgx/linux/aep.S                          |  2 +-
 host/sgx/linux/enter.S                        |  2 +-
 host/sgx/linux/entersim.S                     |  2 +-
 host/sgx/linux/exception.c                    |  2 +-
 host/sgx/linux/sgxioctl.c                     |  2 +-
 host/sgx/linux/sgxioctl.h                     |  2 +-
 host/sgx/linux/sgxquoteproviderloader.c       |  2 +-
 host/sgx/linux/switchless.c                   |  2 +-
 host/sgx/linux/xstate.c                       |  2 +-
 host/sgx/load.c                               |  2 +-
 host/sgx/loadelf.c                            |  2 +-
 host/sgx/loadpe.c                             |  2 +-
 host/sgx/ocalls.c                             |  2 +-
 host/sgx/ocalls.h                             |  2 +-
 host/sgx/platformquoteprovider.h              |  2 +-
 host/sgx/quote.c                              |  2 +-
 host/sgx/quote.h                              |  2 +-
 host/sgx/registers.c                          |  2 +-
 host/sgx/report.c                             |  2 +-
 host/sgx/sgx_u_wrapper.c                      |  2 +-
 host/sgx/sgxload.c                            |  2 +-
 host/sgx/sgxload.h                            |  2 +-
 host/sgx/sgxmeasure.c                         |  2 +-
 host/sgx/sgxmeasure.h                         |  2 +-
 host/sgx/sgxquote.c                           |  2 +-
 host/sgx/sgxquote.h                           |  2 +-
 host/sgx/sgxquoteprovider.c                   |  2 +-
 host/sgx/sgxquoteprovider.h                   |  2 +-
 host/sgx/sgxsign.c                            |  2 +-
 host/sgx/sgxtypes.c                           |  2 +-
 host/sgx/switchless.c                         |  2 +-
 host/sgx/windows/aep.asm                      |  2 +-
 host/sgx/windows/debugrtbridge.c              |  2 +-
 host/sgx/windows/enter.asm                    |  2 +-
 host/sgx/windows/entersim.asm                 |  2 +-
 host/sgx/windows/exception.c                  |  2 +-
 host/sgx/windows/host_context.asm             |  2 +-
 host/sgx/windows/sgxquoteproviderloader.c     |  2 +-
 host/sgx/windows/switchless.c                 |  2 +-
 host/sgx/windows/xstate.c                     |  2 +-
 host/sgx/xstate.h                             |  2 +-
 host/signkey.c                                |  2 +-
 host/signkey.h                                |  2 +-
 host/strings.c                                |  2 +-
 host/strings.h                                |  2 +-
 host/syscall_u_wrapper.c                      |  2 +-
 host/tee_u_wrapper.c                          |  2 +-
 host/tests.c                                  |  2 +-
 host/traceh.c                                 |  2 +-
 host/traceh_enclave.c                         |  2 +-
 host/windows/hostthread.c                     |  2 +-
 host/windows/syscall.c                        |  2 +-
 host/windows/time.c                           |  2 +-
 include/CMakeLists.txt                        |  2 +-
 include/openenclave/bits/defs.h               |  2 +-
 include/openenclave/bits/exception.h          |  2 +-
 include/openenclave/bits/fs.h                 |  2 +-
 include/openenclave/bits/module.h             |  2 +-
 .../openenclave/bits/optee/opteeproperties.h  |  2 +-
 include/openenclave/bits/properties.h         |  2 +-
 include/openenclave/bits/report.h             |  2 +-
 include/openenclave/bits/result.h             |  2 +-
 include/openenclave/bits/safecrt.h            |  2 +-
 include/openenclave/bits/safemath.h           |  2 +-
 include/openenclave/bits/sgx/sgxproperties.h  |  2 +-
 include/openenclave/bits/types.h              |  2 +-
 include/openenclave/corelibc/assert.h         |  2 +-
 include/openenclave/corelibc/bits/atexit.h    |  2 +-
 include/openenclave/corelibc/bits/defs.h      |  2 +-
 include/openenclave/corelibc/bits/jmp_buf.h   |  2 +-
 include/openenclave/corelibc/bits/malloc.h    |  2 +-
 .../openenclave/corelibc/bits/pthread_cond.h  |  2 +-
 .../corelibc/bits/pthread_create.h            |  2 +-
 .../openenclave/corelibc/bits/pthread_def.h   |  2 +-
 .../openenclave/corelibc/bits/pthread_equal.h |  2 +-
 .../openenclave/corelibc/bits/pthread_key.h   |  2 +-
 .../openenclave/corelibc/bits/pthread_mutex.h |  2 +-
 .../openenclave/corelibc/bits/pthread_once.h  |  2 +-
 .../corelibc/bits/pthread_rwlock.h            |  2 +-
 .../openenclave/corelibc/bits/pthread_spin.h  |  2 +-
 include/openenclave/corelibc/bits/stdfile.h   |  2 +-
 include/openenclave/corelibc/bits/strtoul.h   |  2 +-
 include/openenclave/corelibc/bits/types.h     |  2 +-
 include/openenclave/corelibc/ctype.h          |  2 +-
 include/openenclave/corelibc/endian.h         |  2 +-
 include/openenclave/corelibc/errno.h          |  2 +-
 include/openenclave/corelibc/inttypes.h       |  2 +-
 include/openenclave/corelibc/limits.h         |  2 +-
 include/openenclave/corelibc/pthread.h        |  2 +-
 include/openenclave/corelibc/sched.h          |  2 +-
 include/openenclave/corelibc/setjmp.h         |  2 +-
 include/openenclave/corelibc/stdarg.h         |  2 +-
 include/openenclave/corelibc/stdbool.h        |  2 +-
 include/openenclave/corelibc/stddef.h         |  2 +-
 include/openenclave/corelibc/stdint.h         |  2 +-
 include/openenclave/corelibc/stdio.h          |  2 +-
 include/openenclave/corelibc/stdlib.h         |  2 +-
 include/openenclave/corelibc/string.h         |  2 +-
 include/openenclave/corelibc/time.h           |  2 +-
 include/openenclave/corelibc/wchar.h          |  2 +-
 include/openenclave/edger8r/common.h          |  2 +-
 include/openenclave/edger8r/enclave.h         |  2 +-
 include/openenclave/edger8r/host.h            |  2 +-
 include/openenclave/enclave.h                 |  2 +-
 include/openenclave/host.h                    |  2 +-
 include/openenclave/host_verify.h             |  2 +-
 include/openenclave/internal/argv.h           |  2 +-
 include/openenclave/internal/asn1.h           |  2 +-
 include/openenclave/internal/atomic.h         |  2 +-
 include/openenclave/internal/backtrace.h      |  2 +-
 include/openenclave/internal/calls.h          |  2 +-
 include/openenclave/internal/cert.h           |  2 +-
 include/openenclave/internal/constants_x64.h  |  2 +-
 include/openenclave/internal/context.h        |  2 +-
 include/openenclave/internal/context.inc      |  2 +-
 include/openenclave/internal/cpuid.h          |  2 +-
 include/openenclave/internal/crypto/asn1.h    |  2 +-
 include/openenclave/internal/crypto/cert.h    |  2 +-
 include/openenclave/internal/crypto/cmac.h    |  2 +-
 include/openenclave/internal/crypto/crl.h     |  2 +-
 include/openenclave/internal/crypto/ec.h      |  2 +-
 include/openenclave/internal/crypto/hash.h    |  2 +-
 include/openenclave/internal/crypto/hmac.h    |  2 +-
 include/openenclave/internal/crypto/kdf.h     |  2 +-
 include/openenclave/internal/crypto/oid.h     |  2 +-
 include/openenclave/internal/crypto/sha.h     |  2 +-
 include/openenclave/internal/datetime.h       |  2 +-
 include/openenclave/internal/debugrt/host.h   |  2 +-
 include/openenclave/internal/defs.h           |  2 +-
 include/openenclave/internal/ec.h             |  2 +-
 include/openenclave/internal/elf.h            |  2 +-
 include/openenclave/internal/entropy.h        |  2 +-
 include/openenclave/internal/epid.h           |  2 +-
 include/openenclave/internal/error.h          |  2 +-
 include/openenclave/internal/fault.h          |  2 +-
 include/openenclave/internal/files.h          |  2 +-
 include/openenclave/internal/globals.h        |  2 +-
 include/openenclave/internal/hexdump.h        |  2 +-
 include/openenclave/internal/jump.h           |  2 +-
 include/openenclave/internal/kdf.h            |  2 +-
 include/openenclave/internal/load.h           |  2 +-
 include/openenclave/internal/malloc.h         |  2 +-
 include/openenclave/internal/mem.h            |  2 +-
 include/openenclave/internal/pem.h            |  2 +-
 include/openenclave/internal/print.h          |  2 +-
 include/openenclave/internal/properties.h     |  2 +-
 include/openenclave/internal/pthreadhooks.h   |  2 +-
 include/openenclave/internal/raise.h          |  2 +-
 include/openenclave/internal/random.h         |  2 +-
 include/openenclave/internal/rdrand.h         |  2 +-
 include/openenclave/internal/rdseed.h         |  2 +-
 include/openenclave/internal/registers.h      |  2 +-
 include/openenclave/internal/report.h         |  2 +-
 include/openenclave/internal/result.h         |  2 +-
 include/openenclave/internal/rsa.h            |  2 +-
 .../openenclave/internal/sgx/sgxproperties.h  |  2 +-
 .../openenclave/internal/sgxcertextensions.h  |  2 +-
 include/openenclave/internal/sgxcreate.h      |  2 +-
 include/openenclave/internal/sgxkeys.h        |  2 +-
 include/openenclave/internal/sgxsign.h        |  2 +-
 include/openenclave/internal/sgxtypes.h       |  2 +-
 include/openenclave/internal/stack_alloc.h    |  2 +-
 include/openenclave/internal/str.h            |  2 +-
 include/openenclave/internal/switchless.h     |  2 +-
 include/openenclave/internal/syscall.h        |  2 +-
 .../openenclave/internal/syscall/arpa/inet.h  |  2 +-
 .../internal/syscall/bits/addrinfo.h          |  2 +-
 .../internal/syscall/bits/dirent.h            |  2 +-
 .../internal/syscall/bits/sigaction.h         |  2 +-
 .../internal/syscall/bits/siginfo.h           |  2 +-
 include/openenclave/internal/syscall/device.h |  2 +-
 include/openenclave/internal/syscall/dirent.h |  2 +-
 include/openenclave/internal/syscall/fcntl.h  |  2 +-
 include/openenclave/internal/syscall/fd.h     |  2 +-
 .../openenclave/internal/syscall/fdtable.h    |  2 +-
 include/openenclave/internal/syscall/host.h   |  2 +-
 include/openenclave/internal/syscall/iov.h    |  2 +-
 include/openenclave/internal/syscall/netdb.h  |  2 +-
 .../internal/syscall/netinet/bits/in6_addr.h  |  2 +-
 .../syscall/netinet/bits/sockaddr_in.h        |  2 +-
 .../syscall/netinet/bits/sockaddr_in6.h       |  2 +-
 .../openenclave/internal/syscall/netinet/in.h |  2 +-
 include/openenclave/internal/syscall/poll.h   |  2 +-
 include/openenclave/internal/syscall/raise.h  |  2 +-
 .../openenclave/internal/syscall/resolver.h   |  2 +-
 .../internal/syscall/sys/bits/epoll_data.h    |  2 +-
 .../internal/syscall/sys/bits/epoll_event.h   |  2 +-
 .../internal/syscall/sys/bits/fd_set.h        |  2 +-
 .../internal/syscall/sys/bits/msghdr.h        |  2 +-
 .../internal/syscall/sys/bits/sigset.h        |  2 +-
 .../internal/syscall/sys/bits/sockaddr.h      |  2 +-
 .../syscall/sys/bits/sockaddr_storage.h       |  2 +-
 .../internal/syscall/sys/bits/stat.h          |  2 +-
 .../syscall/sys/bits/syscall_aarch64.h        |  2 +-
 .../syscall/sys/bits/syscall_x86_64.h         |  2 +-
 .../internal/syscall/sys/bits/utsname.h       |  2 +-
 .../openenclave/internal/syscall/sys/epoll.h  |  2 +-
 .../openenclave/internal/syscall/sys/ioctl.h  |  2 +-
 .../openenclave/internal/syscall/sys/mount.h  |  2 +-
 .../openenclave/internal/syscall/sys/poll.h   |  2 +-
 .../openenclave/internal/syscall/sys/select.h |  2 +-
 .../openenclave/internal/syscall/sys/socket.h |  2 +-
 .../openenclave/internal/syscall/sys/stat.h   |  2 +-
 .../internal/syscall/sys/syscall.h            |  2 +-
 .../openenclave/internal/syscall/sys/time.h   |  2 +-
 .../openenclave/internal/syscall/sys/types.h  |  2 +-
 .../openenclave/internal/syscall/sys/uio.h    |  2 +-
 .../internal/syscall/sys/utsname.h            |  2 +-
 include/openenclave/internal/syscall/types.h  |  2 +-
 include/openenclave/internal/syscall/unistd.h |  2 +-
 include/openenclave/internal/tests.h          |  2 +-
 include/openenclave/internal/thread.h         |  2 +-
 include/openenclave/internal/time.h           |  2 +-
 include/openenclave/internal/trace.h          |  2 +-
 include/openenclave/internal/types.h          |  2 +-
 include/openenclave/internal/utils.h          |  2 +-
 libc/CMakeLists.txt                           |  2 +-
 libc/__printf_chk.c                           |  2 +-
 libc/__vfprintf_chk.c                         |  2 +-
 libc/atexit.c                                 |  2 +-
 libc/dladdr.c                                 |  2 +-
 libc/epoll.c                                  |  2 +-
 libc/errno.c                                  |  2 +-
 libc/exit.c                                   |  2 +-
 libc/freeaddrinfo.c                           |  2 +-
 libc/getaddrinfo.c                            |  2 +-
 libc/getnameinfo.c                            |  2 +-
 libc/kill.c                                   |  2 +-
 libc/libunwind_stubs.c                        |  2 +-
 libc/link.c                                   |  2 +-
 libc/locale.c                                 |  2 +-
 libc/malloc.c                                 |  2 +-
 libc/optee/abort.c                            |  2 +-
 libc/optee/arc4random.c                       |  2 +-
 libc/optee/trace.c                            |  2 +-
 libc/pthread.c                                |  2 +-
 libc/regcomp.c                                |  2 +-
 libc/regexec.c                                |  2 +-
 libc/sched_yield.c                            |  2 +-
 libc/sgx/abort.S                              |  2 +-
 libc/sgx/arc4random.c                         |  2 +-
 libc/sgx/exp2l.S                              |  2 +-
 libc/sigaction.c                              |  2 +-
 libc/signal.c                                 |  2 +-
 libc/stdlib.c                                 |  2 +-
 libc/strerror.c                               |  2 +-
 libc/syscalls.c                               |  2 +-
 libc/sysconf.c                                |  2 +-
 libc/time.c                                   |  2 +-
 libc/tre-mem.c                                |  2 +-
 libcxx/CMakeLists.txt                         |  2 +-
 pkgconfig/CMakeLists.txt                      |  2 +-
 pkgconfig/oeenclave-clang++.pc                |  2 +-
 pkgconfig/oeenclave-clang.pc                  |  2 +-
 pkgconfig/oeenclave-g++.pc                    |  2 +-
 pkgconfig/oeenclave-gcc.pc                    |  2 +-
 pkgconfig/oehost-clang++.pc                   |  2 +-
 pkgconfig/oehost-clang.pc                     |  2 +-
 pkgconfig/oehost-g++.pc                       |  2 +-
 pkgconfig/oehost-gcc.pc                       |  2 +-
 pkgconfig/oehostverify-clang++.pc             |  2 +-
 pkgconfig/oehostverify-clang.pc               |  2 +-
 pkgconfig/oehostverify-g++.pc                 |  2 +-
 pkgconfig/oehostverify-gcc.pc                 |  2 +-
 samples/CMakeLists.txt                        |  2 +-
 samples/attested_tls/CMakeLists.txt           |  2 +-
 samples/attested_tls/Makefile                 |  2 +-
 samples/attested_tls/client/CMakeLists.txt    |  2 +-
 samples/attested_tls/client/Makefile          |  2 +-
 .../attested_tls/client/enc/CMakeLists.txt    |  2 +-
 samples/attested_tls/client/enc/Makefile      |  2 +-
 .../attested_tls/client/enc/cert_verifier.cpp |  2 +-
 samples/attested_tls/client/enc/client.cpp    |  2 +-
 samples/attested_tls/client/enc/crypto.cpp    |  2 +-
 samples/attested_tls/client/enc/crypto.h      |  2 +-
 samples/attested_tls/client/enc/ecalls.cpp    |  2 +-
 samples/attested_tls/client/enc/enc.conf      |  2 +-
 .../client/enc/identity_verifier.cpp          |  2 +-
 samples/attested_tls/client/enc/log.h         |  2 +-
 .../attested_tls/client/host/CMakeLists.txt   |  2 +-
 samples/attested_tls/client/host/Makefile     |  2 +-
 samples/attested_tls/client/host/host.cpp     |  2 +-
 samples/attested_tls/client/tls_client.edl    |  2 +-
 samples/attested_tls/common/common.h          |  2 +-
 .../common/tls_client_enc_pubkey.h            |  2 +-
 .../common/tls_server_enc_pubkey.h            |  2 +-
 samples/attested_tls/common/utility.cpp       |  2 +-
 samples/attested_tls/common/utility.h         |  2 +-
 .../non_enc_client/CMakeLists.txt             |  2 +-
 samples/attested_tls/non_enc_client/Makefile  |  2 +-
 .../attested_tls/non_enc_client/client.cpp    |  2 +-
 .../non_enc_client/verify_callback.cpp        |  2 +-
 .../non_enc_client/verify_signer_openssl.cpp  |  2 +-
 .../scripts/gen_mrenclave_header.sh           |  4 ++--
 samples/attested_tls/server/CMakeLists.txt    |  2 +-
 samples/attested_tls/server/Makefile          |  2 +-
 .../attested_tls/server/enc/CMakeLists.txt    |  2 +-
 samples/attested_tls/server/enc/Makefile      |  2 +-
 .../attested_tls/server/enc/cert_verifier.cpp |  2 +-
 samples/attested_tls/server/enc/crypto.cpp    |  2 +-
 samples/attested_tls/server/enc/crypto.h      |  2 +-
 samples/attested_tls/server/enc/ecalls.cpp    |  2 +-
 samples/attested_tls/server/enc/enc.conf      |  2 +-
 .../server/enc/identity_verifier.cpp          |  2 +-
 samples/attested_tls/server/enc/log.h         |  2 +-
 samples/attested_tls/server/enc/server.cpp    |  2 +-
 .../attested_tls/server/host/CMakeLists.txt   |  2 +-
 samples/attested_tls/server/host/Makefile     |  2 +-
 samples/attested_tls/server/host/host.cpp     |  2 +-
 samples/attested_tls/server/tls_server.edl    |  2 +-
 samples/data-sealing/CMakeLists.txt           |  2 +-
 samples/data-sealing/Makefile                 |  2 +-
 samples/data-sealing/common/CMakeLists.txt    |  2 +-
 samples/data-sealing/common/common.h          |  2 +-
 samples/data-sealing/common/dispatcher.cpp    |  2 +-
 samples/data-sealing/common/dispatcher.h      |  2 +-
 samples/data-sealing/common/keys.cpp          |  2 +-
 samples/data-sealing/common/shared.h          |  2 +-
 samples/data-sealing/datasealing.edl          |  2 +-
 .../data-sealing/enclave_a_v1/CMakeLists.txt  |  2 +-
 samples/data-sealing/enclave_a_v1/Makefile    |  2 +-
 .../enclave_a_v1/data-sealing.conf            |  2 +-
 samples/data-sealing/enclave_a_v1/ecalls.cpp  |  2 +-
 .../data-sealing/enclave_a_v2/CMakeLists.txt  |  2 +-
 samples/data-sealing/enclave_a_v2/Makefile    |  2 +-
 .../enclave_a_v2/data-sealing.conf            |  2 +-
 samples/data-sealing/enclave_a_v2/ecalls.cpp  |  2 +-
 samples/data-sealing/enclave_b/CMakeLists.txt |  2 +-
 samples/data-sealing/enclave_b/Makefile       |  2 +-
 .../data-sealing/enclave_b/data-sealing.conf  |  2 +-
 samples/data-sealing/enclave_b/ecalls.cpp     |  2 +-
 samples/data-sealing/host/CMakeLists.txt      |  2 +-
 samples/data-sealing/host/Makefile            |  2 +-
 samples/data-sealing/host/host.cpp            |  2 +-
 samples/file-encryptor/CMakeLists.txt         |  2 +-
 samples/file-encryptor/Makefile               |  2 +-
 samples/file-encryptor/enclave/CMakeLists.txt |  2 +-
 samples/file-encryptor/enclave/Makefile       |  2 +-
 samples/file-encryptor/enclave/common.h       |  2 +-
 samples/file-encryptor/enclave/ecalls.cpp     |  2 +-
 samples/file-encryptor/enclave/encryptor.cpp  |  2 +-
 samples/file-encryptor/enclave/encryptor.h    |  2 +-
 .../enclave/file-encryptor.conf               |  2 +-
 samples/file-encryptor/enclave/keys.cpp       |  2 +-
 samples/file-encryptor/fileencryptor.edl      |  2 +-
 samples/file-encryptor/host/CMakeLists.txt    |  2 +-
 samples/file-encryptor/host/Makefile          |  2 +-
 samples/file-encryptor/host/host.cpp          |  2 +-
 samples/file-encryptor/shared.h               |  2 +-
 samples/helloworld/CMakeLists.txt             |  2 +-
 samples/helloworld/Makefile                   |  2 +-
 samples/helloworld/enclave/CMakeLists.txt     |  2 +-
 samples/helloworld/enclave/Makefile           |  2 +-
 samples/helloworld/enclave/enc.c              |  2 +-
 samples/helloworld/enclave/helloworld.conf    |  2 +-
 samples/helloworld/helloworld.edl             |  2 +-
 samples/helloworld/host/CMakeLists.txt        |  2 +-
 samples/helloworld/host/Makefile              |  2 +-
 samples/helloworld/host/host.c                |  2 +-
 samples/local_attestation/CMakeLists.txt      |  2 +-
 samples/local_attestation/Makefile            |  2 +-
 .../local_attestation/common/CMakeLists.txt   |  2 +-
 .../local_attestation/common/attestation.cpp  |  2 +-
 .../local_attestation/common/attestation.h    |  2 +-
 samples/local_attestation/common/crypto.cpp   |  2 +-
 samples/local_attestation/common/crypto.h     |  2 +-
 .../local_attestation/common/dispatcher.cpp   |  2 +-
 samples/local_attestation/common/dispatcher.h |  2 +-
 samples/local_attestation/common/log.h        |  2 +-
 .../enclave_a/CMakeLists.txt                  |  2 +-
 samples/local_attestation/enclave_a/Makefile  |  2 +-
 .../local_attestation/enclave_a/ecalls.cpp    |  2 +-
 samples/local_attestation/enclave_a/enc.conf  |  2 +-
 .../enclave_b/CMakeLists.txt                  |  4 ++--
 samples/local_attestation/enclave_b/Makefile  |  2 +-
 .../local_attestation/enclave_b/ecalls.cpp    |  2 +-
 samples/local_attestation/enclave_b/enc.conf  |  2 +-
 .../local_attestation/gen_pubkey_header.sh    |  4 ++--
 samples/local_attestation/host/CMakeLists.txt |  2 +-
 samples/local_attestation/host/Makefile       |  2 +-
 samples/local_attestation/host/host.cpp       |  2 +-
 .../local_attestation/localattestation.edl    |  2 +-
 samples/remote_attestation/CMakeLists.txt     |  2 +-
 samples/remote_attestation/Makefile           |  2 +-
 .../remote_attestation/common/CMakeLists.txt  |  2 +-
 .../remote_attestation/common/attestation.cpp |  2 +-
 .../remote_attestation/common/attestation.h   |  2 +-
 samples/remote_attestation/common/crypto.cpp  |  2 +-
 samples/remote_attestation/common/crypto.h    |  2 +-
 .../remote_attestation/common/dispatcher.cpp  |  2 +-
 .../remote_attestation/common/dispatcher.h    |  2 +-
 samples/remote_attestation/common/log.h       |  2 +-
 .../enclave_a/CMakeLists.txt                  |  2 +-
 samples/remote_attestation/enclave_a/Makefile |  2 +-
 .../remote_attestation/enclave_a/ecalls.cpp   |  2 +-
 samples/remote_attestation/enclave_a/enc.conf |  2 +-
 .../enclave_b/CMakeLists.txt                  |  2 +-
 samples/remote_attestation/enclave_b/Makefile |  2 +-
 .../remote_attestation/enclave_b/ecalls.cpp   |  2 +-
 samples/remote_attestation/enclave_b/enc.conf |  2 +-
 .../remote_attestation/gen_pubkey_header.sh   |  4 ++--
 .../remote_attestation/host/CMakeLists.txt    |  2 +-
 samples/remote_attestation/host/Makefile      |  2 +-
 samples/remote_attestation/host/host.cpp      |  2 +-
 .../remote_attestation/remoteattestation.edl  |  2 +-
 samples/switchless/CMakeLists.txt             |  2 +-
 samples/switchless/Makefile                   |  2 +-
 samples/switchless/enclave/CMakeLists.txt     |  2 +-
 samples/switchless/enclave/Makefile           |  2 +-
 samples/switchless/enclave/enc.c              |  2 +-
 samples/switchless/enclave/switchless.conf    |  2 +-
 samples/switchless/host/CMakeLists.txt        |  2 +-
 samples/switchless/host/Makefile              |  2 +-
 samples/switchless/host/host.c                |  2 +-
 samples/switchless/switchless.edl             |  2 +-
 samples/test-samples.cmake                    |  2 +-
 scripts/VirtualMachineSgxSettings.psd1        | 10 ++++----
 scripts/VirtualMachineSgxSettings.psm1        |  2 +-
 scripts/ansible/README.md                     |  2 +-
 scripts/ansible/ansible.cfg                   |  2 +-
 scripts/ansible/install-ansible.sh            |  2 +-
 scripts/ansible/inventory/group_vars/all      |  2 +-
 .../ansible/inventory/group_vars/linux-agents |  2 +-
 .../inventory/group_vars/windows-agents       |  2 +-
 scripts/ansible/inventory/hosts               |  2 +-
 scripts/ansible/jenkins-agents-register.yml   |  2 +-
 scripts/ansible/jenkins-setup.yml             |  2 +-
 .../oe-contributors-acc-setup-no-driver.yml   |  2 +-
 scripts/ansible/oe-contributors-acc-setup.yml |  2 +-
 .../oe-contributors-setup-cross-arm.yml       |  2 +-
 .../ansible/oe-contributors-setup-sgx1.yml    |  2 +-
 scripts/ansible/oe-contributors-setup.yml     |  2 +-
 .../ansible/oe-linux-acc-setup-no-driver.yml  |  2 +-
 scripts/ansible/oe-linux-acc-setup.yml        |  2 +-
 scripts/ansible/oe-linux-esy-setup.yml        |  2 +-
 .../ansible/oe-vanilla-prelibsgx-setup.yml    |  2 +-
 scripts/ansible/oe-windows-acc-setup.yml      |  2 +-
 scripts/ansible/remove-ansible.sh             |  2 +-
 scripts/ansible/requirements.txt              |  2 +-
 .../common/jenkins/tasks/agent-provision.yml  |  2 +-
 .../az-dcap-client/tasks/stable-install.yml   |  2 +-
 .../linux/az-dcap-client/tasks/validation.yml |  2 +-
 .../linux/az-dcap-client/vars/ubuntu.yml      |  2 +-
 .../roles/linux/common/tasks/apt-repo.yml     |  2 +-
 .../roles/linux/docker/tasks/ci-setup.yml     |  2 +-
 .../linux/docker/tasks/stable-install.yml     |  2 +-
 .../roles/linux/docker/tasks/validation.yml   |  2 +-
 .../roles/linux/docker/vars/bionic.yml        |  2 +-
 .../roles/linux/docker/vars/ubuntu.yml        |  2 +-
 .../roles/linux/docker/vars/xenial.yml        |  2 +-
 .../roles/linux/intel/defaults/main.yml       |  2 +-
 .../linux/intel/tasks/driver-validation.yml   |  2 +-
 .../linux/intel/tasks/packages-validation.yml |  2 +-
 .../roles/linux/intel/tasks/sgx-driver.yml    |  2 +-
 .../roles/linux/intel/tasks/sgx-packages.yml  |  2 +-
 .../ansible/roles/linux/intel/vars/bionic.yml |  2 +-
 .../ansible/roles/linux/intel/vars/ubuntu.yml |  2 +-
 .../ansible/roles/linux/intel/vars/xenial.yml |  2 +-
 .../roles/linux/jenkins/tasks/slave-setup.yml |  2 +-
 .../roles/linux/jenkins/tasks/validation.yml  |  2 +-
 .../templates/jenkins-slave.default.j2        |  2 +-
 .../templates/jenkins-slave.service.j2        |  2 +-
 .../roles/linux/jenkins/vars/ubuntu.yml       |  2 +-
 .../tasks/environment-setup-cross-arm.yml     |  2 +-
 .../openenclave/tasks/environment-setup.yml   |  2 +-
 .../linux/openenclave/tasks/esy-setup.yml     |  2 +-
 .../openenclave/tasks/stable-install.yml      |  2 +-
 .../linux/openenclave/tasks/validation.yml    |  2 +-
 .../roles/linux/openenclave/vars/ubuntu.yml   |  2 +-
 .../az-dcap-client/tasks/validation.yml       |  2 +-
 .../windows/az-dcap-client/vars/windows.yml   |  2 +-
 .../windows/jenkins/tasks/slave-setup.yml     |  2 +-
 .../windows/jenkins/tasks/validation.yml      |  2 +-
 .../roles/windows/jenkins/vars/windows.yml    |  2 +-
 .../windows/openenclave/tasks/validation.yml  |  2 +-
 .../windows/openenclave/vars/windows.yml      |  2 +-
 scripts/check-ci                              |  2 +-
 scripts/check-license                         |  4 ++--
 scripts/check-linters                         |  2 +-
 scripts/clangw                                |  2 +-
 scripts/commit-msg                            |  2 +-
 scripts/deploy-docs                           |  2 +-
 scripts/format-code                           |  2 +-
 scripts/format-code.ps1                       |  2 +-
 scripts/generate-devkits                      |  2 +-
 scripts/install-windows-prereqs.ps1           |  2 +-
 scripts/llvm-arw                              |  2 +-
 scripts/pre-commit                            |  2 +-
 scripts/test-build-config                     |  2 +-
 syscall/CMakeLists.txt                        |  2 +-
 syscall/consolefs.c                           |  2 +-
 syscall/consolefs.h                           |  2 +-
 syscall/device.c                              |  2 +-
 syscall/devices/CMakeLists.txt                |  2 +-
 syscall/devices/hostepoll/CMakeLists.txt      |  2 +-
 syscall/devices/hostepoll/hostepoll.c         |  2 +-
 syscall/devices/hostfs/CMakeLists.txt         |  2 +-
 syscall/devices/hostfs/hostfs.c               |  2 +-
 syscall/devices/hostresolver/CMakeLists.txt   |  2 +-
 syscall/devices/hostresolver/hostresolver.c   |  2 +-
 syscall/devices/hostsock/CMakeLists.txt       |  2 +-
 syscall/devices/hostsock/hostsock.c           |  2 +-
 syscall/dirent.c                              |  2 +-
 syscall/epoll.c                               |  2 +-
 syscall/fcntl.c                               |  2 +-
 syscall/fdtable.c                             |  2 +-
 syscall/ioctl.c                               |  2 +-
 syscall/iov.c                                 |  2 +-
 syscall/mount.c                               |  2 +-
 syscall/mount.h                               |  2 +-
 syscall/netdb.c                               |  2 +-
 syscall/poll.c                                |  2 +-
 syscall/select.c                              |  2 +-
 syscall/socket.c                              |  2 +-
 syscall/stat.c                                |  2 +-
 syscall/stdio.c                               |  2 +-
 syscall/stdlib.c                              |  2 +-
 syscall/stub.c                                |  2 +-
 syscall/syscall.c                             |  2 +-
 syscall/syscall_t_wrapper.c                   |  2 +-
 syscall/unistd.c                              |  2 +-
 syscall/utsname.c                             |  2 +-
 tests/CMakeLists.txt                          |  2 +-
 tests/SampleApp/CMakeLists.txt                |  2 +-
 tests/SampleApp/SampleApp.edl                 |  2 +-
 tests/SampleApp/enc/CMakeLists.txt            |  2 +-
 tests/SampleApp/enc/SampleApp.cpp             |  2 +-
 tests/SampleApp/host/CMakeLists.txt           |  2 +-
 tests/SampleApp/host/SampleAppHost.cpp        |  2 +-
 tests/SampleAppCRT/CMakeLists.txt             |  2 +-
 tests/SampleAppCRT/SampleAppCRT.edl           |  2 +-
 tests/SampleAppCRT/enc/CMakeLists.txt         |  2 +-
 tests/SampleAppCRT/enc/SampleAppCRT.cpp       |  2 +-
 tests/SampleAppCRT/host/CMakeLists.txt        |  2 +-
 tests/SampleAppCRT/host/SampleAppCRTHost.cpp  |  2 +-
 tests/VectorException/CMakeLists.txt          |  2 +-
 tests/VectorException/VectorException.edl     |  2 +-
 tests/VectorException/enc/CMakeLists.txt      |  2 +-
 tests/VectorException/enc/enc.c               |  2 +-
 tests/VectorException/enc/init.cpp            |  2 +-
 tests/VectorException/enc/sigill_handling.c   |  2 +-
 tests/VectorException/host/CMakeLists.txt     |  2 +-
 tests/VectorException/host/host.c             |  2 +-
 tests/abortStatus/CMakeLists.txt              |  2 +-
 tests/abortStatus/abortStatus.edl             |  2 +-
 tests/abortStatus/enc/CMakeLists.txt          |  2 +-
 tests/abortStatus/enc/enc.cpp                 |  2 +-
 tests/abortStatus/host/CMakeLists.txt         |  2 +-
 tests/abortStatus/host/host.cpp               |  2 +-
 tests/argv/CMakeLists.txt                     |  2 +-
 tests/argv/argv.edl                           |  2 +-
 tests/argv/enc/CMakeLists.txt                 |  2 +-
 tests/argv/enc/enc.c                          |  2 +-
 tests/argv/host/CMakeLists.txt                |  2 +-
 tests/argv/host/host.c                        |  2 +-
 tests/attestation_cert_apis/CMakeLists.txt    |  2 +-
 .../attestation_cert_apis/enc/CMakeLists.txt  |  2 +-
 tests/attestation_cert_apis/enc/enc.cpp       |  2 +-
 .../attestation_cert_apis/host/CMakeLists.txt |  2 +-
 tests/attestation_cert_apis/host/host.cpp     |  2 +-
 tests/attestation_cert_apis/tls.edl           |  2 +-
 tests/backtrace/CMakeLists.txt                |  2 +-
 tests/backtrace/backtrace.edl                 |  2 +-
 tests/backtrace/enc/CMakeLists.txt            |  2 +-
 tests/backtrace/enc/enc.cpp                   |  2 +-
 tests/backtrace/host/CMakeLists.txt           |  2 +-
 tests/backtrace/host/host.cpp                 |  2 +-
 tests/bigmalloc/CMakeLists.txt                |  2 +-
 tests/bigmalloc/bigmalloc.edl                 |  2 +-
 tests/bigmalloc/enc/CMakeLists.txt            |  2 +-
 tests/bigmalloc/enc/enc.c                     |  2 +-
 tests/bigmalloc/enc/sign.conf                 |  2 +-
 tests/bigmalloc/host/CMakeLists.txt           |  2 +-
 tests/bigmalloc/host/host.c                   |  2 +-
 tests/cppException/CMakeLists.txt             |  2 +-
 tests/cppException/cppException.edl           |  2 +-
 tests/cppException/enc/CMakeLists.txt         |  2 +-
 tests/cppException/enc/cppException.cpp       |  2 +-
 tests/cppException/enc/enc.cpp                |  2 +-
 tests/cppException/host/CMakeLists.txt        |  2 +-
 tests/cppException/host/host.cpp              |  2 +-
 tests/create-errors/CMakeLists.txt            |  2 +-
 tests/create-errors/create_errors.edl         |  2 +-
 tests/create-errors/enc/CMakeLists.txt        |  2 +-
 tests/create-errors/enc/enc.c                 |  2 +-
 tests/create-errors/host/CMakeLists.txt       |  2 +-
 tests/create-errors/host/host.c               |  2 +-
 tests/create-rapid/CMakeLists.txt             |  2 +-
 tests/create-rapid/create_rapid.edl           |  2 +-
 tests/create-rapid/enc/CMakeLists.txt         |  2 +-
 tests/create-rapid/enc/enc.cpp                |  2 +-
 tests/create-rapid/host/CMakeLists.txt        |  2 +-
 tests/create-rapid/host/host.cpp              |  2 +-
 tests/crypto/CMakeLists.txt                   |  2 +-
 tests/crypto/asn1_tests.c                     |  2 +-
 tests/crypto/cpu_entropy_test.c               |  2 +-
 tests/crypto/crl_tests.c                      |  2 +-
 tests/crypto/data/CMakeLists.txt              |  2 +-
 tests/crypto/data/ec_cert_with_ext.cnf        |  2 +-
 tests/crypto/data/ec_crl_distribution.cnf     |  2 +-
 tests/crypto/data/intermediate.cnf            |  2 +-
 tests/crypto/data/intermediate_v3.ext         |  2 +-
 tests/crypto/data/make-test-certs             |  2 +-
 tests/crypto/data/root.cnf                    |  2 +-
 tests/crypto/data/root_v3.ext                 |  2 +-
 tests/crypto/data/sample.cnf                  |  2 +-
 tests/crypto/ec_tests.c                       |  2 +-
 tests/crypto/enclave/CMakeLists.txt           |  2 +-
 tests/crypto/enclave/crypto.edl               |  2 +-
 tests/crypto/enclave/enc/CMakeLists.txt       |  2 +-
 tests/crypto/enclave/enc/enc.c                |  2 +-
 tests/crypto/enclave/host/CMakeLists.txt      |  2 +-
 tests/crypto/enclave/host/host.c              |  2 +-
 tests/crypto/hash.c                           |  2 +-
 tests/crypto/hash.h                           |  2 +-
 tests/crypto/hmac_tests.c                     |  2 +-
 tests/crypto/host/CMakeLists.txt              |  2 +-
 tests/crypto/host/main.c                      |  2 +-
 tests/crypto/kdf_tests.c                      |  2 +-
 tests/crypto/random_tests.c                   |  2 +-
 tests/crypto/read_file.c                      |  2 +-
 tests/crypto/readfile.h                       |  2 +-
 tests/crypto/rsa_tests.c                      |  2 +-
 tests/crypto/sha_tests.c                      |  2 +-
 tests/crypto/tests.c                          |  2 +-
 tests/crypto/tests.h                          |  2 +-
 tests/crypto/utils.c                          |  2 +-
 tests/crypto/utils.h                          |  2 +-
 tests/crypto_crls_cert_chains/CMakeLists.txt  |  2 +-
 .../common/crypto_crls_cert_chains.edl        |  2 +-
 .../crypto_crls_cert_chains/common/tests.cpp  |  2 +-
 .../data/CMakeLists.txt                       |  2 +-
 .../data/intermediate.cnf                     |  2 +-
 .../data/intermediate2.cnf                    |  2 +-
 .../data/intermediate_v3.ext                  |  2 +-
 .../data/make-test-certs                      |  2 +-
 tests/crypto_crls_cert_chains/data/root.cnf   |  2 +-
 tests/crypto_crls_cert_chains/data/root2.cnf  |  2 +-
 .../crypto_crls_cert_chains/data/root_v3.ext  |  2 +-
 .../enc/CMakeLists.txt                        |  2 +-
 tests/crypto_crls_cert_chains/enc/enc.cpp     |  2 +-
 .../host/CMakeLists.txt                       |  2 +-
 tests/crypto_crls_cert_chains/host/host.cpp   |  2 +-
 tests/debug-mode/CMakeLists.txt               |  2 +-
 tests/debug-mode/debug_mode.edl               |  2 +-
 tests/debug-mode/enc/CMakeLists.txt           |  2 +-
 tests/debug-mode/enc/enc.c                    |  2 +-
 tests/debug-mode/enc/props-debug.c            |  2 +-
 tests/debug-mode/enc/props.c                  |  2 +-
 tests/debug-mode/enc/sign-debug.conf          |  2 +-
 tests/debug-mode/enc/sign.conf                |  2 +-
 tests/debug-mode/host/CMakeLists.txt          |  2 +-
 tests/debug-mode/host/host.c                  |  2 +-
 tests/debugger/CMakeLists.txt                 |  2 +-
 tests/debugger/oegdb/CMakeLists.txt           |  2 +-
 tests/debugger/oegdb/commands.gdb             |  2 +-
 tests/debugger/oegdb/enc/CMakeLists.txt       |  2 +-
 tests/debugger/oegdb/enc/contract.c           |  2 +-
 tests/debugger/oegdb/enc/enc.c                |  2 +-
 tests/debugger/oegdb/host/CMakeLists.txt      |  2 +-
 tests/debugger/oegdb/host/contract.c          |  2 +-
 tests/debugger/oegdb/host/host.c              |  2 +-
 tests/debugger/oegdb/oe_gdb_test.edl          |  2 +-
 tests/ecall/CMakeLists.txt                    |  2 +-
 tests/ecall/ecall.edl                         |  2 +-
 tests/ecall/enc/CMakeLists.txt                |  2 +-
 tests/ecall/enc/enc.cpp                       |  2 +-
 tests/ecall/host/CMakeLists.txt               |  2 +-
 tests/ecall/host/host.cpp                     |  2 +-
 tests/ecall_ocall/CMakeLists.txt              |  2 +-
 tests/ecall_ocall/ecall_ocall.edl             |  2 +-
 tests/ecall_ocall/enc/CMakeLists.txt          |  2 +-
 tests/ecall_ocall/enc/enc.cpp                 |  2 +-
 tests/ecall_ocall/enc/helpers.h               |  2 +-
 tests/ecall_ocall/host/CMakeLists.txt         |  2 +-
 tests/ecall_ocall/host/host.cpp               |  2 +-
 tests/echo/CMakeLists.txt                     |  2 +-
 tests/echo/echo.edl                           |  2 +-
 tests/echo/enc/CMakeLists.txt                 |  2 +-
 tests/echo/enc/enc.c                          |  2 +-
 tests/echo/host/CMakeLists.txt                |  2 +-
 tests/echo/host/host.c                        |  2 +-
 tests/enclaveparam/CMakeLists.txt             |  2 +-
 tests/enclaveparam/enc/CMakeLists.txt         |  2 +-
 tests/enclaveparam/enc/enc.c                  |  2 +-
 tests/enclaveparam/enclaveparam.edl           |  2 +-
 tests/enclaveparam/host/CMakeLists.txt        |  2 +-
 tests/enclaveparam/host/host.c                |  2 +-
 tests/file/CMakeLists.txt                     |  2 +-
 tests/file/enc/CMakeLists.txt                 |  2 +-
 tests/file/enc/enc.cpp                        |  2 +-
 tests/file/file.edl                           |  2 +-
 tests/file/host/CMakeLists.txt                |  2 +-
 tests/file/host/host.cpp                      |  2 +-
 tests/file/types.h                            |  2 +-
 tests/getenclave/CMakeLists.txt               |  2 +-
 tests/getenclave/enc/CMakeLists.txt           |  2 +-
 tests/getenclave/enc/enc.c                    |  2 +-
 tests/getenclave/getenclave.edl               |  2 +-
 tests/getenclave/host/CMakeLists.txt          |  2 +-
 tests/getenclave/host/host.c                  |  2 +-
 tests/hexdump/CMakeLists.txt                  |  2 +-
 tests/hexdump/args.h                          |  2 +-
 tests/hexdump/enc/CMakeLists.txt              |  2 +-
 tests/hexdump/enc/enc.c                       |  2 +-
 tests/hexdump/hexdump.edl                     |  2 +-
 tests/hexdump/host/CMakeLists.txt             |  2 +-
 tests/hexdump/host/host.c                     |  2 +-
 tests/host_verify/CMakeLists.txt              |  2 +-
 tests/host_verify/host/CMakeLists.txt         |  2 +-
 tests/host_verify/host/host.cpp               |  2 +-
 tests/hostcalls/CMakeLists.txt                |  2 +-
 tests/hostcalls/enc/CMakeLists.txt            |  2 +-
 tests/hostcalls/enc/enc.cpp                   |  2 +-
 tests/hostcalls/host/CMakeLists.txt           |  2 +-
 tests/hostcalls/host/host.cpp                 |  2 +-
 tests/hostcalls/hostcalls.edl                 |  2 +-
 tests/hostcalls/types.h                       |  2 +-
 tests/initializers/CMakeLists.txt             |  2 +-
 tests/initializers/enc/CMakeLists.txt         |  2 +-
 tests/initializers/enc/enc.c                  |  2 +-
 tests/initializers/host/CMakeLists.txt        |  2 +-
 tests/initializers/host/host.cpp              |  2 +-
 tests/initializers/initializers.edl           |  2 +-
 tests/libc/CMakeLists.txt                     |  2 +-
 tests/libc/enc/CMakeLists.txt                 |  2 +-
 tests/libc/enc/enc.c                          |  2 +-
 tests/libc/enc/include.c.in                   |  2 +-
 tests/libc/enc/tests.c.in                     |  2 +-
 tests/libc/host/CMakeLists.txt                |  2 +-
 tests/libc/host/host.cpp                      |  2 +-
 tests/libc/libc.edl                           |  2 +-
 tests/libc/tests.all                          |  2 +-
 tests/libc/tests.cmake                        |  2 +-
 tests/libc/tests.supported.gcc                |  2 +-
 tests/libcxx/CMakeLists.txt                   |  2 +-
 tests/libcxx/enc/CMakeLists.txt               |  2 +-
 tests/libcxx/enc/enc.cpp                      |  2 +-
 tests/libcxx/enc/fuzzing.cpp                  |  2 +-
 tests/libcxx/enc/main.cpp                     |  2 +-
 tests/libcxx/enc/memory_resource.cpp          |  2 +-
 tests/libcxx/host/CMakeLists.txt              |  2 +-
 tests/libcxx/host/host.cpp                    |  2 +-
 tests/libcxx/host/threadArgs.h                |  2 +-
 tests/libcxx/libcxx.edl                       |  2 +-
 tests/libcxxrt/CMakeLists.txt                 |  2 +-
 tests/libcxxrt/enc/CMakeLists.txt             |  2 +-
 tests/libcxxrt/enc/enc.cpp                    |  2 +-
 tests/libcxxrt/enc/main.cpp                   |  2 +-
 tests/libcxxrt/enc/test.cpp                   |  2 +-
 tests/libcxxrt/enc/test_exception.cpp         |  2 +-
 .../libcxxrt/enc/test_foreign_exceptions.cpp  |  2 +-
 tests/libcxxrt/enc/test_guard.cpp             |  2 +-
 tests/libcxxrt/enc/test_typeinfo.cpp          |  2 +-
 tests/libcxxrt/host/CMakeLists.txt            |  2 +-
 tests/libcxxrt/host/host.cpp                  |  2 +-
 tests/libcxxrt/host/ocalls.h                  |  2 +-
 tests/libcxxrt/libcxxrt.edl                   |  2 +-
 tests/libcxxrt/run.bat                        |  2 +-
 tests/libunwind/CMakeLists.txt                |  2 +-
 tests/libunwind/enc/CMakeLists.txt            |  2 +-
 tests/libunwind/enc/clang_varargs_extra.h     |  2 +-
 tests/libunwind/enc/enc.c                     |  2 +-
 tests/libunwind/enc/pid.h                     |  2 +-
 tests/libunwind/enc/test_support.c            |  2 +-
 tests/libunwind/host/CMakeLists.txt           |  2 +-
 tests/libunwind/host/host.cpp                 |  2 +-
 tests/libunwind/libunwind.edl                 |  2 +-
 tests/logging/CMakeLists.txt                  |  2 +-
 tests/logging/main.c                          |  2 +-
 tests/mbed/CMakeLists.txt                     |  2 +-
 tests/mbed/enc/CMakeLists.txt                 |  2 +-
 tests/mbed/enc/enc.c                          |  2 +-
 tests/mbed/enc/selftest_wrapper.c             |  2 +-
 tests/mbed/host/CMakeLists.txt                |  2 +-
 tests/mbed/host/host.c                        |  2 +-
 tests/mbed/host/ocalls.c                      |  2 +-
 tests/mbed/mbed.edl                           |  2 +-
 tests/mbed/myfileio.h                         |  2 +-
 tests/mem/CMakeLists.txt                      |  2 +-
 tests/mem/main.c                              |  2 +-
 tests/memory/CMakeLists.txt                   |  2 +-
 tests/memory/enc/CMakeLists.txt               |  2 +-
 tests/memory/enc/basic.c                      |  2 +-
 tests/memory/enc/boundaries.c                 |  2 +-
 tests/memory/enc/enc.c                        |  2 +-
 tests/memory/enc/stress.c                     |  2 +-
 tests/memory/host/CMakeLists.txt              |  2 +-
 tests/memory/host/host.cpp                    |  2 +-
 tests/memory/memory.edl                       |  2 +-
 tests/mixed_c_cpp/CMakeLists.txt              |  2 +-
 tests/mixed_c_cpp/enc/CMakeLists.txt          |  2 +-
 tests/mixed_c_cpp/enc/enc.cpp                 |  2 +-
 tests/mixed_c_cpp/enc/foo.c                   |  2 +-
 tests/mixed_c_cpp/host/CMakeLists.txt         |  2 +-
 tests/mixed_c_cpp/host/host.cpp               |  2 +-
 tests/mixed_c_cpp/mixed.edl                   |  2 +-
 tests/ocall-create/CMakeLists.txt             |  2 +-
 tests/ocall-create/enc/CMakeLists.txt         |  2 +-
 tests/ocall-create/enc/enc.c                  |  2 +-
 tests/ocall-create/host/CMakeLists.txt        |  2 +-
 tests/ocall-create/host/host.c                |  2 +-
 tests/ocall-create/ocall_create.edl           |  2 +-
 tests/ocall/CMakeLists.txt                    |  2 +-
 tests/ocall/enc/CMakeLists.txt                |  2 +-
 tests/ocall/enc/enc.cpp                       |  2 +-
 tests/ocall/host/CMakeLists.txt               |  2 +-
 tests/ocall/host/host.cpp                     |  2 +-
 tests/ocall/ocall.edl                         |  2 +-
 tests/oeedger8r/CMakeLists.txt                |  2 +-
 tests/oeedger8r/behavior/CMakeLists.txt       |  2 +-
 tests/oeedger8r/behavior/allow_list.edl       |  2 +-
 tests/oeedger8r/behavior/count_signedness.edl |  2 +-
 tests/oeedger8r/behavior/deepcopy_value.edl   |  2 +-
 tests/oeedger8r/behavior/portability.edl      |  2 +-
 tests/oeedger8r/behavior/private_trusted.edl  |  2 +-
 tests/oeedger8r/behavior/size_and_count.edl   |  2 +-
 tests/oeedger8r/behavior/size_signedness.edl  |  2 +-
 .../oeedger8r/behavior/switchless_trusted.edl |  2 +-
 tests/oeedger8r/edl/aliasing.edl              |  2 +-
 tests/oeedger8r/edl/all.edl                   |  2 +-
 tests/oeedger8r/edl/array.edl                 |  2 +-
 tests/oeedger8r/edl/basic.edl                 |  2 +-
 tests/oeedger8r/edl/deepcopy.edl              |  2 +-
 tests/oeedger8r/edl/enum.edl                  |  2 +-
 tests/oeedger8r/edl/errno.edl                 |  2 +-
 tests/oeedger8r/edl/foreign.edl               |  2 +-
 tests/oeedger8r/edl/other.edl                 |  2 +-
 tests/oeedger8r/edl/pointer.edl               |  2 +-
 tests/oeedger8r/edl/string.edl                |  2 +-
 tests/oeedger8r/edl/struct.edl                |  2 +-
 tests/oeedger8r/edl/switchless.edl            |  2 +-
 tests/oeedger8r/edltestutils.h                |  2 +-
 tests/oeedger8r/enc/CMakeLists.txt            |  2 +-
 tests/oeedger8r/enc/bar.cpp                   |  2 +-
 tests/oeedger8r/enc/config.cpp                |  2 +-
 tests/oeedger8r/enc/foo.cpp                   |  2 +-
 tests/oeedger8r/enc/testaliasing.cpp          |  2 +-
 tests/oeedger8r/enc/testarray.cpp             |  2 +-
 tests/oeedger8r/enc/testbasic.cpp             |  2 +-
 tests/oeedger8r/enc/testdeepcopy.cpp          |  2 +-
 tests/oeedger8r/enc/testenum.cpp              |  2 +-
 tests/oeedger8r/enc/testerrno.cpp             |  2 +-
 tests/oeedger8r/enc/testforeign.cpp           |  2 +-
 tests/oeedger8r/enc/testmisc.cpp              |  2 +-
 tests/oeedger8r/enc/testother.cpp             |  2 +-
 tests/oeedger8r/enc/testpointer.cpp           |  2 +-
 tests/oeedger8r/enc/teststring.cpp            |  2 +-
 tests/oeedger8r/enc/teststruct.cpp            |  2 +-
 tests/oeedger8r/enc/testswitchless.cpp        |  2 +-
 tests/oeedger8r/host/CMakeLists.txt           |  2 +-
 tests/oeedger8r/host/bar.cpp                  |  2 +-
 tests/oeedger8r/host/foo.cpp                  |  2 +-
 tests/oeedger8r/host/main.cpp                 |  2 +-
 tests/oeedger8r/host/testarray.cpp            |  2 +-
 tests/oeedger8r/host/testbasic.cpp            |  2 +-
 tests/oeedger8r/host/testdeepcopy.cpp         |  2 +-
 tests/oeedger8r/host/testenum.cpp             |  2 +-
 tests/oeedger8r/host/testerrno.cpp            |  2 +-
 tests/oeedger8r/host/testforeign.cpp          |  2 +-
 tests/oeedger8r/host/testother.cpp            |  2 +-
 tests/oeedger8r/host/testpointer.cpp          |  2 +-
 tests/oeedger8r/host/teststring.cpp           |  2 +-
 tests/oeedger8r/host/teststruct.cpp           |  2 +-
 tests/oeedger8r/host/testswitchless.cpp       |  2 +-
 tests/oeedger8r/moreedl/bar.edl               |  2 +-
 tests/oeedger8r/moreedl/foo.edl               |  2 +-
 tests/oeedger8r/mytypes.h                     |  2 +-
 tests/pingpong-shared/CMakeLists.txt          |  2 +-
 tests/pingpong-shared/enc/CMakeLists.txt      |  2 +-
 tests/pingpong-shared/enc/enc.cpp             |  2 +-
 tests/pingpong-shared/host/CMakeLists.txt     |  2 +-
 tests/pingpong-shared/host/host.cpp           |  2 +-
 tests/pingpong-shared/host/main.cpp           |  2 +-
 tests/pingpong-shared/main.cpp                |  2 +-
 tests/pingpong-shared/pingpong.edl            |  2 +-
 tests/pingpong/CMakeLists.txt                 |  2 +-
 tests/pingpong/enc/CMakeLists.txt             |  2 +-
 tests/pingpong/enc/enc.cpp                    |  2 +-
 tests/pingpong/host/CMakeLists.txt            |  2 +-
 tests/pingpong/host/host.cpp                  |  2 +-
 tests/pingpong/main.cpp                       |  2 +-
 tests/pingpong/pingpong.edl                   |  2 +-
 tests/print/CMakeLists.txt                    |  2 +-
 tests/print/enc/CMakeLists.txt                |  2 +-
 tests/print/enc/enc.cpp                       |  2 +-
 tests/print/host/CMakeLists.txt               |  2 +-
 tests/print/host/host.cpp                     |  2 +-
 tests/print/print.edl                         |  2 +-
 tests/props/CMakeLists.txt                    |  2 +-
 tests/props/enc/CMakeLists.txt                |  2 +-
 tests/props/enc/enc.c                         |  2 +-
 tests/props/enc/props.c                       |  2 +-
 tests/props/enc/sign.conf                     |  2 +-
 tests/props/host/CMakeLists.txt               |  2 +-
 tests/props/host/host.c                       |  2 +-
 tests/props/props.edl                         |  2 +-
 tests/qeidentity/CMakeLists.txt               |  2 +-
 tests/qeidentity/common/includes.h            |  2 +-
 tests/qeidentity/enc/CMakeLists.txt           |  2 +-
 tests/qeidentity/enc/enc.cpp                  |  2 +-
 tests/qeidentity/host/CMakeLists.txt          |  2 +-
 tests/qeidentity/host/host.cpp                |  2 +-
 tests/qeidentity/host/qeidentifyinfo.cpp      |  2 +-
 tests/qeidentity/tests.edl                    |  2 +-
 tests/report/CMakeLists.txt                   |  2 +-
 tests/report/common/includes.h                |  2 +-
 tests/report/common/tests.cpp                 |  2 +-
 tests/report/common/tests.h                   |  2 +-
 tests/report/enc/CMakeLists.txt               |  2 +-
 tests/report/enc/datetime.cpp                 |  2 +-
 tests/report/enc/enc.cpp                      |  2 +-
 tests/report/host/CMakeLists.txt              |  2 +-
 tests/report/host/host.cpp                    |  2 +-
 tests/report/host/tcbinfo.cpp                 |  2 +-
 tests/report/tests.edl                        |  2 +-
 tests/safecrt/CMakeLists.txt                  |  2 +-
 tests/safecrt/common/test.cpp                 |  2 +-
 tests/safecrt/common/test.h                   |  2 +-
 tests/safecrt/enc/CMakeLists.txt              |  2 +-
 tests/safecrt/enc/enc.cpp                     |  2 +-
 tests/safecrt/host/CMakeLists.txt             |  2 +-
 tests/safecrt/host/host.cpp                   |  2 +-
 tests/safecrt/safecrt.edl                     |  2 +-
 tests/safemath/CMakeLists.txt                 |  2 +-
 tests/safemath/main.cpp                       |  2 +-
 tests/sealKey/CMakeLists.txt                  |  2 +-
 tests/sealKey/args.h                          |  2 +-
 tests/sealKey/enc/CMakeLists.txt              |  2 +-
 tests/sealKey/enc/enc.cpp                     |  2 +-
 tests/sealKey/host/CMakeLists.txt             |  2 +-
 tests/sealKey/host/host.cpp                   |  2 +-
 tests/sealKey/sealKey.edl                     |  2 +-
 tests/stdc/CMakeLists.txt                     |  2 +-
 tests/stdc/enc/CMakeLists.txt                 |  2 +-
 tests/stdc/enc/enc.cpp                        |  2 +-
 tests/stdc/host/CMakeLists.txt                |  2 +-
 tests/stdc/host/host.cpp                      |  2 +-
 tests/stdc/stdc.edl                           |  2 +-
 tests/stdcxx/CMakeLists.txt                   |  2 +-
 tests/stdcxx/enc/CMakeLists.txt               |  2 +-
 tests/stdcxx/enc/enc.cpp                      |  2 +-
 tests/stdcxx/enc/f.cpp                        |  2 +-
 tests/stdcxx/enc/global_init_exception.cpp    |  2 +-
 tests/stdcxx/host/CMakeLists.txt              |  2 +-
 tests/stdcxx/host/host.cpp                    |  2 +-
 tests/stdcxx/stdcxx.edl                       |  2 +-
 tests/str/CMakeLists.txt                      |  2 +-
 tests/str/main.c                              |  2 +-
 tests/switchless/CMakeLists.txt               |  2 +-
 tests/switchless/enc/CMakeLists.txt           |  2 +-
 tests/switchless/enc/enc.c                    |  2 +-
 tests/switchless/host/CMakeLists.txt          |  2 +-
 tests/switchless/host/host.c                  |  2 +-
 tests/switchless/switchless.edl               |  2 +-
 tests/switchless_threads/CMakeLists.txt       |  2 +-
 tests/switchless_threads/enc/CMakeLists.txt   |  2 +-
 tests/switchless_threads/enc/enc.c            |  2 +-
 tests/switchless_threads/host/CMakeLists.txt  |  2 +-
 tests/switchless_threads/host/host.c          |  2 +-
 .../switchless_threads/switchless_threads.edl |  2 +-
 tests/syscall/CMakeLists.txt                  |  2 +-
 tests/syscall/cpio/CMakeLists.txt             |  2 +-
 tests/syscall/cpio/commands.c                 |  2 +-
 tests/syscall/cpio/commands.h                 |  2 +-
 tests/syscall/cpio/cpio.c                     |  2 +-
 tests/syscall/cpio/cpio.h                     |  2 +-
 tests/syscall/cpio/strarr.c                   |  2 +-
 tests/syscall/cpio/strarr.h                   |  2 +-
 tests/syscall/cpio/trace.h                    |  2 +-
 tests/syscall/cpio/utils.h                    |  2 +-
 tests/syscall/datagram/CMakeLists.txt         |  2 +-
 tests/syscall/datagram/enc/CMakeLists.txt     |  2 +-
 tests/syscall/datagram/enc/enc.c              |  2 +-
 tests/syscall/datagram/host/CMakeLists.txt    |  2 +-
 tests/syscall/datagram/host/host.c            |  2 +-
 tests/syscall/datagram/test_datagram.edl      |  2 +-
 tests/syscall/dup/CMakeLists.txt              |  2 +-
 tests/syscall/dup/enc/CMakeLists.txt          |  2 +-
 tests/syscall/dup/enc/enc.c                   |  2 +-
 tests/syscall/dup/enc/main.c                  |  2 +-
 tests/syscall/dup/host/CMakeLists.txt         |  2 +-
 tests/syscall/dup/host/host.c                 |  2 +-
 tests/syscall/dup/test_dup.edl                |  2 +-
 tests/syscall/fs/CMakeLists.txt               |  2 +-
 tests/syscall/fs/enc/CMakeLists.txt           |  2 +-
 tests/syscall/fs/enc/enc.cpp                  |  2 +-
 tests/syscall/fs/enc/file_system.h            |  2 +-
 tests/syscall/fs/host/CMakeLists.txt          |  2 +-
 tests/syscall/fs/host/host.c                  |  2 +-
 tests/syscall/fs/linux/fs.edl                 |  2 +-
 tests/syscall/fs/windows/fs.edl               |  2 +-
 tests/syscall/hostfs/CMakeLists.txt           |  2 +-
 tests/syscall/hostfs/enc/CMakeLists.txt       |  2 +-
 tests/syscall/hostfs/enc/enc.c                |  2 +-
 tests/syscall/hostfs/enc/main.c               |  2 +-
 tests/syscall/hostfs/host/CMakeLists.txt      |  2 +-
 tests/syscall/hostfs/host/host.c              |  2 +-
 tests/syscall/hostfs/test_hostfs.edl          |  2 +-
 tests/syscall/ids/CMakeLists.txt              |  2 +-
 tests/syscall/ids/enc/CMakeLists.txt          |  2 +-
 tests/syscall/ids/enc/enc.c                   |  2 +-
 tests/syscall/ids/enc/main.c                  |  2 +-
 tests/syscall/ids/host/CMakeLists.txt         |  2 +-
 tests/syscall/ids/host/host.c                 |  2 +-
 tests/syscall/ids/test_ids.edl                |  2 +-
 tests/syscall/platform/linux.h                |  2 +-
 tests/syscall/platform/windows.h              |  2 +-
 tests/syscall/poller/CMakeLists.txt           |  2 +-
 tests/syscall/poller/client.cpp               |  2 +-
 tests/syscall/poller/client.h                 |  2 +-
 tests/syscall/poller/enc/CMakeLists.txt       |  2 +-
 tests/syscall/poller/enc/enc.cpp              |  2 +-
 tests/syscall/poller/host/CMakeLists.txt      |  2 +-
 tests/syscall/poller/host/host.cpp            |  2 +-
 tests/syscall/poller/poller.cpp               |  2 +-
 tests/syscall/poller/poller.edl               |  2 +-
 tests/syscall/poller/poller.h                 |  2 +-
 tests/syscall/poller/server.cpp               |  2 +-
 tests/syscall/poller/server.h                 |  2 +-
 tests/syscall/resolver/CMakeLists.txt         |  2 +-
 tests/syscall/resolver/enc/CMakeLists.txt     |  2 +-
 tests/syscall/resolver/enc/enc.c              |  2 +-
 tests/syscall/resolver/host/CMakeLists.txt    |  2 +-
 tests/syscall/resolver/host/host.c            |  2 +-
 tests/syscall/resolver/resolver_test.edl      |  2 +-
 tests/syscall/resolver/utils.h                |  2 +-
 tests/syscall/sendmsg/CMakeLists.txt          |  2 +-
 tests/syscall/sendmsg/client.c                |  2 +-
 tests/syscall/sendmsg/client.h                |  2 +-
 tests/syscall/sendmsg/enc/CMakeLists.txt      |  2 +-
 tests/syscall/sendmsg/enc/enc.c               |  2 +-
 tests/syscall/sendmsg/host/CMakeLists.txt     |  2 +-
 tests/syscall/sendmsg/host/host.c             |  2 +-
 tests/syscall/sendmsg/main.c                  |  2 +-
 tests/syscall/sendmsg/sendmsg.edl             |  2 +-
 tests/syscall/sendmsg/server.c                |  2 +-
 tests/syscall/sendmsg/server.h                |  2 +-
 tests/syscall/socket/CMakeLists.txt           |  2 +-
 tests/syscall/socket/enc/CMakeLists.txt       |  2 +-
 tests/syscall/socket/enc/enc.c                |  2 +-
 tests/syscall/socket/host/CMakeLists.txt      |  2 +-
 tests/syscall/socket/host/host.c              |  2 +-
 tests/syscall/socket/socket_test.edl          |  2 +-
 tests/syscall/socketpair/CMakeLists.txt       |  2 +-
 tests/syscall/socketpair/enc/CMakeLists.txt   |  2 +-
 tests/syscall/socketpair/enc/enc.c            |  2 +-
 tests/syscall/socketpair/host/CMakeLists.txt  |  2 +-
 tests/syscall/socketpair/host/host.c          |  2 +-
 tests/syscall/socketpair/socketpair_test.edl  |  2 +-
 tests/thread/CMakeLists.txt                   |  2 +-
 tests/thread/enc/CMakeLists.txt               |  2 +-
 tests/thread/enc/cond_tests.cpp               |  2 +-
 tests/thread/enc/enc.cpp                      |  2 +-
 tests/thread/enc/rwlock_tests.cpp             |  2 +-
 tests/thread/enc/thread.h                     |  2 +-
 tests/thread/host/CMakeLists.txt              |  2 +-
 tests/thread/host/host.cpp                    |  2 +-
 tests/thread/host/rwlocks_test_host.cpp       |  2 +-
 tests/thread/rwlock_tests.h                   |  2 +-
 tests/thread/thread.edl                       |  2 +-
 tests/thread_local/CMakeLists.txt             |  2 +-
 tests/thread_local/enc/CMakeLists.txt         |  2 +-
 tests/thread_local/enc/enc.cpp                |  2 +-
 tests/thread_local/enc/externs.cpp            |  2 +-
 tests/thread_local/enc/visibility.h           |  2 +-
 tests/thread_local/host/CMakeLists.txt        |  2 +-
 tests/thread_local/host/host.cpp              |  2 +-
 tests/thread_local/thread_local.edl           |  2 +-
 tests/thread_local_no_tdata/CMakeLists.txt    |  2 +-
 .../thread_local_no_tdata/enc/CMakeLists.txt  |  2 +-
 tests/thread_local_no_tdata/enc/enc.cpp       |  2 +-
 tests/thread_local_no_tdata/host/#host.cpp#   |  2 +-
 .../thread_local_no_tdata/host/CMakeLists.txt |  2 +-
 tests/thread_local_no_tdata/host/host.cpp     |  2 +-
 tests/thread_local_no_tdata/no_tdata.edl      |  2 +-
 tests/thread_locals/CMakeLists.txt            |  2 +-
 tests/threadcxx/CMakeLists.txt                |  2 +-
 tests/threadcxx/enc/CMakeLists.txt            |  2 +-
 tests/threadcxx/enc/cond_tests.cpp            |  2 +-
 tests/threadcxx/enc/enc.cpp                   |  2 +-
 tests/threadcxx/host/CMakeLists.txt           |  2 +-
 tests/threadcxx/host/host.cpp                 |  2 +-
 tests/threadcxx/threadcxx.edl                 |  2 +-
 tests/tls_e2e/CMakeLists.txt                  |  2 +-
 tests/tls_e2e/client_enc/CMakeLists.txt       |  2 +-
 tests/tls_e2e/client_enc/client.cpp           |  2 +-
 tests/tls_e2e/common/utility.cpp              |  2 +-
 tests/tls_e2e/common/utility.h                |  2 +-
 tests/tls_e2e/host/CMakeLists.txt             |  2 +-
 tests/tls_e2e/host/host.cpp                   |  2 +-
 tests/tls_e2e/host/tls_enc2enc.edl            |  2 +-
 tests/tls_e2e/server_enc/CMakeLists.txt       |  2 +-
 tests/tls_e2e/server_enc/server.cpp           |  2 +-
 tests/tls_e2e/tls_e2e.edl                     |  2 +-
 tests/tools/CMakeLists.txt                    |  2 +-
 tests/tools/oecert/CMakeLists.txt             |  2 +-
 tests/tools/oecert/enc/CMakeLists.txt         |  2 +-
 tests/tools/oecert/enc/enc.cpp                |  2 +-
 tests/tools/oecert/host/CMakeLists.txt        |  2 +-
 tests/tools/oecert/host/host.cpp              |  2 +-
 tests/tools/oecert/oecert.edl                 |  2 +-
 tools/CMakeLists.txt                          |  2 +-
 tools/oeedger8r/CMakeLists.txt                |  2 +-
 tools/oeedger8r/dune-project                  |  2 +-
 tools/oeedger8r/src/Emitter.ml                |  2 +-
 tools/oeedger8r/src/dune                      |  2 +-
 tools/oesgx/CMakeLists.txt                    |  2 +-
 tools/oesgx/oesgx.c                           |  2 +-
 tools/oesign/CMakeLists.txt                   |  2 +-
 tools/oesign/main.c                           |  2 +-
 tools/oesign/oedump.c                         |  2 +-
 1401 files changed, 1437 insertions(+), 1436 deletions(-)

diff --git a/.jenkins/Dockerfile.deploy b/.jenkins/Dockerfile.deploy
index dcaea9d239..3d5038e510 100644
--- a/.jenkins/Dockerfile.deploy
+++ b/.jenkins/Dockerfile.deploy
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 FROM ubuntu:18.04
diff --git a/.jenkins/Dockerfile.full b/.jenkins/Dockerfile.full
index 7f837a2f14..31d8e70366 100644
--- a/.jenkins/Dockerfile.full
+++ b/.jenkins/Dockerfile.full
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 #
diff --git a/.jenkins/Dockerfile.minimal b/.jenkins/Dockerfile.minimal
index ef12afefb0..1f23161f82 100644
--- a/.jenkins/Dockerfile.minimal
+++ b/.jenkins/Dockerfile.minimal
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ARG ubuntu_version=18.04
diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
index 7641e92566..397fa91f34 100644
--- a/.jenkins/Jenkinsfile
+++ b/.jenkins/Jenkinsfile
@@ -234,7 +234,7 @@ def win2016CrossCompile(String build_type, String has_quote_provider = 'OFF') {
                 dir("build/X64-${build_type}") {
 
                   /* We need to copy nuget into the expected location
-                  https://github.com/microsoft/openenclave/blob/a982b46cf440def8fb66e94f2622a4f81e2b350b/host/CMakeLists.txt#L188-L197 */
+                  https://github.com/openenclave/openenclave/blob/a982b46cf440def8fb66e94f2622a4f81e2b350b/host/CMakeLists.txt#L188-L197 */
 
                   bat """
                       vcvars64.bat x64 && \
diff --git a/.jenkins/custom_label.Jenkinsfile b/.jenkins/custom_label.Jenkinsfile
index 8492eb33b9..c2e87181d9 100644
--- a/.jenkins/custom_label.Jenkinsfile
+++ b/.jenkins/custom_label.Jenkinsfile
@@ -51,7 +51,7 @@ def win2016CrossCompile(String build_type, String has_quote_provider = 'OFF') {
                 dir("build/X64-${build_type}") {
 
                   /* We need to copy nuget into the expected location
-                  https://github.com/microsoft/openenclave/blob/a982b46cf440def8fb66e94f2622a4f81e2b350b/host/CMakeLists.txt#L188-L197 */
+                  https://github.com/openenclave/openenclave/blob/a982b46cf440def8fb66e94f2622a4f81e2b350b/host/CMakeLists.txt#L188-L197 */
 
                   bat """
                       vcvars64.bat x64 && \
diff --git a/.jenkins/provision/cleanup.sh b/.jenkins/provision/cleanup.sh
index f4a202efc4..c474da918e 100755
--- a/.jenkins/provision/cleanup.sh
+++ b/.jenkins/provision/cleanup.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 set -o errexit
diff --git a/.jenkins/provision/deploy-agent.sh b/.jenkins/provision/deploy-agent.sh
index 0b65239c8a..9600716784 100755
--- a/.jenkins/provision/deploy-agent.sh
+++ b/.jenkins/provision/deploy-agent.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 set -o errexit
diff --git a/.jenkins/provision/register-agents.sh b/.jenkins/provision/register-agents.sh
index 72fa260d4e..a0216da52a 100755
--- a/.jenkins/provision/register-agents.sh
+++ b/.jenkins/provision/register-agents.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 set -o errexit
diff --git a/3rdparty/CMakeLists.txt b/3rdparty/CMakeLists.txt
index 189589a712..a00c8729c0 100755
--- a/3rdparty/CMakeLists.txt
+++ b/3rdparty/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # NOTE: This is set here so that both `libcxx` and `musl` can use it
diff --git a/3rdparty/dlmalloc/update.make b/3rdparty/dlmalloc/update.make
index 899087ae45..f5401053ea 100755
--- a/3rdparty/dlmalloc/update.make
+++ b/3rdparty/dlmalloc/update.make
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 all: update-dlmalloc
diff --git a/3rdparty/libcxx/CMakeLists.txt b/3rdparty/libcxx/CMakeLists.txt
index 68e73b9298..3c5088b473 100644
--- a/3rdparty/libcxx/CMakeLists.txt
+++ b/3rdparty/libcxx/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 include (ExternalProject)
diff --git a/3rdparty/libcxx/__config b/3rdparty/libcxx/__config
index 1925fbd326..cd2ef93588 100644
--- a/3rdparty/libcxx/__config
+++ b/3rdparty/libcxx/__config
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef __OPEN_ENCLAVE_LIBCXX_CONFIG
diff --git a/3rdparty/libcxx/__dso_handle.cpp b/3rdparty/libcxx/__dso_handle.cpp
index 03728e77fb..cc2b031d85 100644
--- a/3rdparty/libcxx/__dso_handle.cpp
+++ b/3rdparty/libcxx/__dso_handle.cpp
@@ -1,8 +1,8 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
+#include <assert.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <assert.h>
 
-const void *__dso_handle = NULL;
+const void* __dso_handle = NULL;
diff --git a/3rdparty/libcxx/update.make b/3rdparty/libcxx/update.make
index 2702b83725..9db7ab766f 100755
--- a/3rdparty/libcxx/update.make
+++ b/3rdparty/libcxx/update.make
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # libcxx SVN revision
diff --git a/3rdparty/libcxxrt/CMakeLists.txt b/3rdparty/libcxxrt/CMakeLists.txt
index 0df0cfb162..d24cd4b0ff 100644
--- a/3rdparty/libcxxrt/CMakeLists.txt
+++ b/3rdparty/libcxxrt/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Compile libcxx for Open Enclave. Some of these build rules emulate
diff --git a/3rdparty/libcxxrt/update.make b/3rdparty/libcxxrt/update.make
index 9518143acc..ae602acc97 100755
--- a/3rdparty/libcxxrt/update.make
+++ b/3rdparty/libcxxrt/update.make
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 all: update-libcxxrt
diff --git a/3rdparty/libunwind/CMakeLists.txt b/3rdparty/libunwind/CMakeLists.txt
index 05968faaed..3e9f28f4ed 100644
--- a/3rdparty/libunwind/CMakeLists.txt
+++ b/3rdparty/libunwind/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 if (OE_SGX)
diff --git a/3rdparty/libunwind/Gstep.c b/3rdparty/libunwind/Gstep.c
index d9192f6065..a687fcc2d5 100644
--- a/3rdparty/libunwind/Gstep.c
+++ b/3rdparty/libunwind/Gstep.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #if defined(__clang__)
@@ -10,16 +10,15 @@
 #endif
 
 #include <libunwind.h>
-#include "unwind_i.h"
 #include <openenclave/enclave.h>
+#include "unwind_i.h"
 
 #undef unw_step
 #define unw_step _ULx86_64_step
 
-
 extern int _ULx86_64_step(unw_cursor_t* cursor);
 
-// Wrapper for calling unw_step() throughout libunwind source. This 
+// Wrapper for calling unw_step() throughout libunwind source. This
 // function checks whether the cursor is within the enclave image.
 int __libunwind_unw_step(unw_cursor_t* cursor)
 {
diff --git a/3rdparty/libunwind/libunwind-common.h b/3rdparty/libunwind/libunwind-common.h
index ab9737a744..47e6608df6 100644
--- a/3rdparty/libunwind/libunwind-common.h
+++ b/3rdparty/libunwind/libunwind-common.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_LIBUNWIND_COMMON_H
diff --git a/3rdparty/libunwind/stubs.h b/3rdparty/libunwind/stubs.h
index 74a3f474c8..f075f818b1 100644
--- a/3rdparty/libunwind/stubs.h
+++ b/3rdparty/libunwind/stubs.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef __OE_LIBUNWIND_STUBS_H
@@ -6,16 +6,16 @@
 
 #if !defined(__ASSEMBLER__)
 
-#include <pthread.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
 #include <fcntl.h>
-#include <stdio.h>
+#include <pthread.h>
 #include <signal.h>
-#include <sys/mman.h>
-#include <string.h>
+#include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
 
 // Disable use of adaptive mutexes, which are defined by GCC headers but not
 // supported by MUSL pthreads. Note that libunwind is compiled with GCC headers
@@ -109,10 +109,9 @@ static __inline void* __libunwind_mmap(
     return result;
 }
 
-
 static __inline int __libunwind_munmap(void* addr, size_t length)
 {
-    extern void dlfree(void *ptr);
+    extern void dlfree(void* ptr);
 
     if (!addr)
         return -1;
@@ -129,8 +128,8 @@ static __inline int __libunwind_msync(void* addr, size_t length, int flags)
 }
 
 static __inline int __libunwind_mincore(
-    void* addr, 
-    size_t length, 
+    void* addr,
+    size_t length,
     unsigned char* vec)
 {
     if (!addr || !vec)
diff --git a/3rdparty/libunwind/update.make b/3rdparty/libunwind/update.make
index befb90c22c..b87eb333cc 100755
--- a/3rdparty/libunwind/update.make
+++ b/3rdparty/libunwind/update.make
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 #libunwind Version
diff --git a/3rdparty/mbedtls/CMakeLists.txt b/3rdparty/mbedtls/CMakeLists.txt
index f0848162d5..e4f9319d3b 100644
--- a/3rdparty/mbedtls/CMakeLists.txt
+++ b/3rdparty/mbedtls/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Load the compiler info if we're cross compiling on Windows.
diff --git a/3rdparty/mbedtls/mbedtls_hardware_poll.c b/3rdparty/mbedtls/mbedtls_hardware_poll.c
index 06a2e8b48a..6bd09da546 100644
--- a/3rdparty/mbedtls/mbedtls_hardware_poll.c
+++ b/3rdparty/mbedtls/mbedtls_hardware_poll.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/3rdparty/mbedtls/toolchain-clangw.cmake b/3rdparty/mbedtls/toolchain-clangw.cmake
index fb12c66b94..dff9b99b63 100644
--- a/3rdparty/mbedtls/toolchain-clangw.cmake
+++ b/3rdparty/mbedtls/toolchain-clangw.cmake
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Toolchain file used for cross-compiling using clang.
diff --git a/3rdparty/mbedtls/update.make b/3rdparty/mbedtls/update.make
index b58323c3b6..205c5b7892 100755
--- a/3rdparty/mbedtls/update.make
+++ b/3rdparty/mbedtls/update.make
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # mbedTLS library definitions
diff --git a/3rdparty/musl/CMakeLists.txt b/3rdparty/musl/CMakeLists.txt
index d7b124fe66..99b5b332ee 100644
--- a/3rdparty/musl/CMakeLists.txt
+++ b/3rdparty/musl/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Copy MUSL headers to collector dir and wrap
diff --git a/3rdparty/musl/append-deprecations b/3rdparty/musl/append-deprecations
index 2d25837581..f9ecf62b64 100755
--- a/3rdparty/musl/append-deprecations
+++ b/3rdparty/musl/append-deprecations
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ##==============================================================================
diff --git a/3rdparty/musl/deprecations.h b/3rdparty/musl/deprecations.h
index 4c471901c7..bb7d2dbcd8 100644
--- a/3rdparty/musl/deprecations.h
+++ b/3rdparty/musl/deprecations.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_LIBC_DEPRECATIONS_H
@@ -13,7 +13,9 @@
 #include <bits/alltypes.h>
 
 #if defined(__cplusplus)
-#define OE_LIBC_EXTERN_C_BEGIN extern "C" {
+#define OE_LIBC_EXTERN_C_BEGIN \
+    extern "C"                 \
+    {
 #define OE_LIBC_EXTERN_C_END }
 #else
 #define OE_LIBC_EXTERN_C_BEGIN
@@ -44,10 +46,10 @@ OE_LIBC_EXTERN_C_BEGIN
 
 OE_LIBC_DEPRECATED(OE_UNSUPPORTED_ENCLAVE_FUNCTION)
 int pthread_create(
-    pthread_t *thread, 
-    const pthread_attr_t *attr,
-    void *(*start_routine) (void *), 
-    void *arg);
+    pthread_t* thread,
+    const pthread_attr_t* attr,
+    void* (*start_routine)(void*),
+    void* arg);
 
 OE_LIBC_DEPRECATED(OE_UNSUPPORTED_ENCLAVE_FUNCTION)
 int pthread_join(pthread_t thread, void** retval);
@@ -68,9 +70,9 @@ struct tm;
 
 OE_LIBC_DEPRECATED(OE_UNSUPPORTED_ENCLAVE_FUNCTION)
 size_t strftime(
-    char* s, 
-    size_t maxparam, 
-    const char* format, 
+    char* s,
+    size_t maxparam,
+    const char* format,
     const struct tm* tm);
 
 OE_LIBC_DEPRECATED(OE_UNSUPPORTED_ENCLAVE_FUNCTION)
@@ -83,6 +85,7 @@ size_t strftime_l(
 
 OE_LIBC_EXTERN_C_END
 
-#endif /* !defined(OE_LIBC_SUPPRESS_DEPRECATIONS) && !defined(__ASSEMBLER__) */
+#endif /* !defined(OE_LIBC_SUPPRESS_DEPRECATIONS) && !defined(__ASSEMBLER__) \
+        */
 
 #endif /* _OE_LIBC_DEPRECATIONS_H */
diff --git a/3rdparty/musl/patches/endian.h b/3rdparty/musl/patches/endian.h
index 851efac10b..e1b90382f5 100644
--- a/3rdparty/musl/patches/endian.h
+++ b/3rdparty/musl/patches/endian.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_MUSL_PATCHES_ENDIAN_H
diff --git a/3rdparty/musl/patches/pthread_aarch64.h b/3rdparty/musl/patches/pthread_aarch64.h
index c2ae14c573..10e4031d68 100644
--- a/3rdparty/musl/patches/pthread_aarch64.h
+++ b/3rdparty/musl/patches/pthread_aarch64.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_MUSL_PATCHES_PTHREAD_H
diff --git a/3rdparty/musl/patches/pthread_x86_64.h b/3rdparty/musl/patches/pthread_x86_64.h
index a2b6b26a66..3b9b3ad001 100644
--- a/3rdparty/musl/patches/pthread_x86_64.h
+++ b/3rdparty/musl/patches/pthread_x86_64.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_MUSL_PATCHES_PTHREAD_H
diff --git a/3rdparty/musl/patches/syscall_arch.h b/3rdparty/musl/patches/syscall_arch.h
index 6744b89fc7..9fc1e28eba 100644
--- a/3rdparty/musl/patches/syscall_arch.h
+++ b/3rdparty/musl/patches/syscall_arch.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_MUSL_PATCHES_SYSCALL_ARCH_H
diff --git a/3rdparty/musl/update.make b/3rdparty/musl/update.make
index b7f9b69040..47e9d90a74 100755
--- a/3rdparty/musl/update.make
+++ b/3rdparty/musl/update.make
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # MUSL C library definitions
diff --git a/3rdparty/optee/libutee/CMakeLists.txt b/3rdparty/optee/libutee/CMakeLists.txt
index f244dbdfcc..9ee7884b6d 100644
--- a/3rdparty/optee/libutee/CMakeLists.txt
+++ b/3rdparty/optee/libutee/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_library(oeuteeasm
diff --git a/3rdparty/optee/libutee/compiler.h b/3rdparty/optee/libutee/compiler.h
index 91e47e15ba..10cf1e70cb 100644
--- a/3rdparty/optee/libutee/compiler.h
+++ b/3rdparty/optee/libutee/compiler.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef COMPILER_H
diff --git a/3rdparty/optee/libutee/entry.c b/3rdparty/optee/libutee/entry.c
index 380b067936..4f00fa54ee 100644
--- a/3rdparty/optee/libutee/entry.c
+++ b/3rdparty/optee/libutee/entry.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <compiler.h>
diff --git a/CMakeGraphVizOptions.cmake b/CMakeGraphVizOptions.cmake
index 733d25c113..3ce43c1b21 100644
--- a/CMakeGraphVizOptions.cmake
+++ b/CMakeGraphVizOptions.cmake
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 #
 # List of regular expressions matching targets to be excluded from the
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6b13a776b3..8f3a04aa37 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 #
 # Top-level CMake file for the Open Enclave SDK
diff --git a/CMakeSettings.json b/CMakeSettings.json
index f1c906b4fb..2b96768672 100644
--- a/CMakeSettings.json
+++ b/CMakeSettings.json
@@ -1,5 +1,5 @@
 {
-  // Copyright (c) Microsoft Corporation. All rights reserved.
+  // Copyright (c) Open Enclave SDK contributors.
   // Licensed under the MIT License.
   //
   // This file illustrates CMake settings to use for building and testing
diff --git a/LICENSE b/LICENSE
index 21071075c2..2950a9ab1e 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
     MIT License
 
-    Copyright (c) Microsoft Corporation. All rights reserved.
+    Copyright (c) Open Enclave SDK contributors.
 
     Permission is hereby granted, free of charge, to any person obtaining a copy
     of this software and associated documentation files (the "Software"), to deal
diff --git a/cmake/add_dcap_client_target.cmake b/cmake/add_dcap_client_target.cmake
index f995a1e72f..53fe8217e2 100644
--- a/cmake/add_dcap_client_target.cmake
+++ b/cmake/add_dcap_client_target.cmake
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ## This function adds a CMake target for the DCAP client and its dependencies provided through nuget
diff --git a/cmake/add_enclave.cmake b/cmake/add_enclave.cmake
index 0328d435d1..e3eabf3b29 100644
--- a/cmake/add_enclave.cmake
+++ b/cmake/add_enclave.cmake
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 #
 # Helper mecro to either sign an SGX enclave binary or to generate and sign
diff --git a/cmake/add_enclave_test.cmake b/cmake/add_enclave_test.cmake
index d0a1dcb008..484791f9b8 100644
--- a/cmake/add_enclave_test.cmake
+++ b/cmake/add_enclave_test.cmake
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/cmake/arm-cross.cmake b/cmake/arm-cross.cmake
index ac9edc6ea4..da18df260f 100644
--- a/cmake/arm-cross.cmake
+++ b/cmake/arm-cross.cmake
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 set(CMAKE_SYSTEM_NAME Linux)
diff --git a/cmake/ccache.cmake b/cmake/ccache.cmake
index 03ca0685c0..679429ea23 100644
--- a/cmake/ccache.cmake
+++ b/cmake/ccache.cmake
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Adapted from https://crascit.com/2016/04/09/using-ccache-with-cmake/
diff --git a/cmake/compiler_settings.cmake b/cmake/compiler_settings.cmake
index f8d7eb2b6b..c5ed05a866 100644
--- a/cmake/compiler_settings.cmake
+++ b/cmake/compiler_settings.cmake
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Check Clang version.
diff --git a/cmake/copy_oedebugrt_target.cmake b/cmake/copy_oedebugrt_target.cmake
index de83bc13b2..8718136396 100644
--- a/cmake/copy_oedebugrt_target.cmake
+++ b/cmake/copy_oedebugrt_target.cmake
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ## This function adds a CMake target for oedebugrt.dll. This allows the caller to :add a dependency on oedebugrt.dll so
diff --git a/cmake/cpack_settings.cmake b/cmake/cpack_settings.cmake
index 930fcb8b38..0be68eaa6e 100644
--- a/cmake/cpack_settings.cmake
+++ b/cmake/cpack_settings.cmake
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # CPack variables for the regular OE SDK.
diff --git a/cmake/get_testcase_name.cmake b/cmake/get_testcase_name.cmake
index 5b8c2934ee..d7bd1495a2 100644
--- a/cmake/get_testcase_name.cmake
+++ b/cmake/get_testcase_name.cmake
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 #
 # Helper function to obtain name for a test-case. Given a filename, chop
diff --git a/cmake/maybe_build_using_clangw.cmake b/cmake/maybe_build_using_clangw.cmake
index 333d822eeb..304b2f205b 100644
--- a/cmake/maybe_build_using_clangw.cmake
+++ b/cmake/maybe_build_using_clangw.cmake
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 #
 # Helper function to create ELF enclaves and libraries on Windows by 
diff --git a/cmake/oeedl_file.cmake b/cmake/oeedl_file.cmake
index 818a6a32ec..8cce1e2f32 100644
--- a/cmake/oeedl_file.cmake
+++ b/cmake/oeedl_file.cmake
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 #
 # Helper function to handle EDL (gen) files
diff --git a/cmake/openenclave-config.cmake.in b/cmake/openenclave-config.cmake.in
index 5709981bf8..69fdb6b638 100644
--- a/cmake/openenclave-config.cmake.in
+++ b/cmake/openenclave-config.cmake.in
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 @PACKAGE_INIT@
diff --git a/cmake/openenclaverc.in b/cmake/openenclaverc.in
index 8325a57537..2f74f164b9 100644
--- a/cmake/openenclaverc.in
+++ b/cmake/openenclaverc.in
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Update PKG_CONFIG_PATH.
diff --git a/cmake/package_settings.cmake b/cmake/package_settings.cmake
index 918b70efd7..d7ece072fd 100644
--- a/cmake/package_settings.cmake
+++ b/cmake/package_settings.cmake
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 #
 # Set default paths
diff --git a/common/argv.c b/common/argv.c
index 69ce3b74d6..d2e0ddf951 100644
--- a/common/argv.c
+++ b/common/argv.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safemath.h>
diff --git a/common/asn1.c b/common/asn1.c
index 4e6a9c430c..504f384f4d 100644
--- a/common/asn1.c
+++ b/common/asn1.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "asn1.h"
diff --git a/common/asn1.h b/common/asn1.h
index 4947e98ca3..2877a702d1 100644
--- a/common/asn1.h
+++ b/common/asn1.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_COMMON_ASN1_H
diff --git a/common/cert.c b/common/cert.c
index 0fa4077d7b..f0261b738c 100644
--- a/common/cert.c
+++ b/common/cert.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/common/common.h b/common/common.h
index 836de42815..ee0d1fdb76 100644
--- a/common/common.h
+++ b/common/common.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_COMMON_COMMON_H
diff --git a/common/datetime.c b/common/datetime.c
index fdb8e5bdae..5ea6eac21c 100644
--- a/common/datetime.c
+++ b/common/datetime.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/datetime.h>
diff --git a/common/kdf.c b/common/kdf.c
index 1f3e785a81..298861084a 100644
--- a/common/kdf.c
+++ b/common/kdf.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/result.h>
diff --git a/common/oe_host_stdio.h b/common/oe_host_stdio.h
index 9f19262a6f..a532df267d 100644
--- a/common/oe_host_stdio.h
+++ b/common/oe_host_stdio.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_STDIO_H
diff --git a/common/oe_host_stdlib.h b/common/oe_host_stdlib.h
index 060c8f6a8a..c1b88b6df3 100644
--- a/common/oe_host_stdlib.h
+++ b/common/oe_host_stdlib.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_STDLIB_H
diff --git a/common/oe_host_string.h b/common/oe_host_string.h
index 6b0b9c9daf..6e3f63d7e1 100644
--- a/common/oe_host_string.h
+++ b/common/oe_host_string.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_STRING_H
diff --git a/common/result.c b/common/result.c
index 490ee7297e..83063e7b34 100644
--- a/common/result.c
+++ b/common/result.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/result.h>
diff --git a/common/safecrt.c b/common/safecrt.c
index 65acf833e1..f145fc5e5c 100644
--- a/common/safecrt.c
+++ b/common/safecrt.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/common/sgx/collaterals.c b/common/sgx/collaterals.c
index 759ff0691b..a49816e2c8 100644
--- a/common/sgx/collaterals.c
+++ b/common/sgx/collaterals.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "collaterals.h"
diff --git a/common/sgx/collaterals.h b/common/sgx/collaterals.h
index 1e5743ce22..5102895489 100644
--- a/common/sgx/collaterals.h
+++ b/common/sgx/collaterals.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_COMMON_OE_COLLATERALS_H
diff --git a/common/sgx/qeidentity.c b/common/sgx/qeidentity.c
index 23cb42845e..151e90c8f7 100644
--- a/common/sgx/qeidentity.c
+++ b/common/sgx/qeidentity.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "qeidentity.h"
diff --git a/common/sgx/qeidentity.h b/common/sgx/qeidentity.h
index 1ccd4a4fa1..917fcf1435 100644
--- a/common/sgx/qeidentity.h
+++ b/common/sgx/qeidentity.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_COMMON_QE_IDENTITY_H
diff --git a/common/sgx/quote.c b/common/sgx/quote.c
index 1e61a57c05..585a698c34 100644
--- a/common/sgx/quote.c
+++ b/common/sgx/quote.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include "quote.h"
 #include <openenclave/internal/crypto/cert.h>
diff --git a/common/sgx/quote.h b/common/sgx/quote.h
index 3596bce097..99a8cc61f7 100644
--- a/common/sgx/quote.h
+++ b/common/sgx/quote.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_COMMON_QUOTE_H
diff --git a/common/sgx/rand.S b/common/sgx/rand.S
index 154a29b6d8..ee300adf9a 100644
--- a/common/sgx/rand.S
+++ b/common/sgx/rand.S
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 .text
diff --git a/common/sgx/rand.asm b/common/sgx/rand.asm
index ff7bdc413d..c1d621e7ec 100644
--- a/common/sgx/rand.asm
+++ b/common/sgx/rand.asm
@@ -1,4 +1,4 @@
-;; Copyright (c) Microsoft Corporation. All rights reserved.
+;; Copyright (c) Open Enclave SDK contributors.
 ;; Licensed under the MIT License.
 .CODE
 
diff --git a/common/sgx/report.c b/common/sgx/report.c
index 49c13dc11e..de2cdfabb7 100644
--- a/common/sgx/report.c
+++ b/common/sgx/report.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/defs.h>
diff --git a/common/sgx/revocation.c b/common/sgx/revocation.c
index 8127a95c70..4ee74e8cbf 100644
--- a/common/sgx/revocation.c
+++ b/common/sgx/revocation.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "revocation.h"
diff --git a/common/sgx/revocation.h b/common/sgx/revocation.h
index 1393c947ca..a5e6275620 100644
--- a/common/sgx/revocation.h
+++ b/common/sgx/revocation.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_COMMON_REVOCATION_H
diff --git a/common/sgx/sgx.edl b/common/sgx/sgx.edl
index c87ceaadd9..92b68e5e13 100644
--- a/common/sgx/sgx.edl
+++ b/common/sgx/sgx.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /*
diff --git a/common/sgx/sgxcertextensions.c b/common/sgx/sgxcertextensions.c
index d3715459b0..f4d975299d 100644
--- a/common/sgx/sgxcertextensions.c
+++ b/common/sgx/sgxcertextensions.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include <openenclave/bits/safecrt.h>
 #include <openenclave/internal/crypto/cert.h>
diff --git a/common/sgx/tcbinfo.c b/common/sgx/tcbinfo.c
index cbeb9663ef..2d1ed196f1 100644
--- a/common/sgx/tcbinfo.c
+++ b/common/sgx/tcbinfo.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include "tcbinfo.h"
 #include <openenclave/bits/safecrt.h>
diff --git a/common/sgx/tcbinfo.h b/common/sgx/tcbinfo.h
index 91b084788c..0efff67c21 100644
--- a/common/sgx/tcbinfo.h
+++ b/common/sgx/tcbinfo.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_COMMON_TCBINFO_H
diff --git a/common/sgx/tlsverifier.c b/common/sgx/tlsverifier.c
index 120a29e11d..08943c2cd1 100644
--- a/common/sgx/tlsverifier.c
+++ b/common/sgx/tlsverifier.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/defs.h>
diff --git a/common/syscall.edl b/common/syscall.edl
index 6f80d2bec0..7add35a379 100644
--- a/common/syscall.edl
+++ b/common/syscall.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /*
diff --git a/common/tee.edl b/common/tee.edl
index 394e4a5341..93a5731289 100644
--- a/common/tee.edl
+++ b/common/tee.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /*
diff --git a/debugger/CMakeLists.txt b/debugger/CMakeLists.txt
index 8e7dc11535..3fb8bdad75 100644
--- a/debugger/CMakeLists.txt
+++ b/debugger/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 if (UNIX)
diff --git a/debugger/debugrt/CMakeLists.txt b/debugger/debugrt/CMakeLists.txt
index 576230d627..0a87cd9fb5 100644
--- a/debugger/debugrt/CMakeLists.txt
+++ b/debugger/debugrt/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 if (OE_SGX)
diff --git a/debugger/debugrt/host/CMakeLists.txt b/debugger/debugrt/host/CMakeLists.txt
index 9794626032..24c2b7852a 100644
--- a/debugger/debugrt/host/CMakeLists.txt
+++ b/debugger/debugrt/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 if (UNIX)
diff --git a/debugger/debugrt/host/host.c b/debugger/debugrt/host/host.c
index c9ba6b5047..5ad48ef5ef 100644
--- a/debugger/debugrt/host/host.c
+++ b/debugger/debugrt/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/debugrt/host.h>
diff --git a/debugger/oe-gdb b/debugger/oe-gdb
index 6be1718db6..f0771205a9 100644
--- a/debugger/oe-gdb
+++ b/debugger/oe-gdb
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
diff --git a/debugger/oegdb b/debugger/oegdb
index dcea8b9ad4..67ed196055 100755
--- a/debugger/oegdb
+++ b/debugger/oegdb
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Get path of the oegdb script
diff --git a/debugger/ptraceLib/CMakeLists.txt b/debugger/ptraceLib/CMakeLists.txt
index 49c7f8b831..a3344e8622 100644
--- a/debugger/ptraceLib/CMakeLists.txt
+++ b/debugger/ptraceLib/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 find_library(DL_LIB NAMES dl)
diff --git a/debugger/ptraceLib/enclave_context.c b/debugger/ptraceLib/enclave_context.c
index 3523a245c2..ac9b614141 100644
--- a/debugger/ptraceLib/enclave_context.c
+++ b/debugger/ptraceLib/enclave_context.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "enclave_context.h"
diff --git a/debugger/ptraceLib/enclave_context.h b/debugger/ptraceLib/enclave_context.h
index 4714e059b5..ed732c908a 100644
--- a/debugger/ptraceLib/enclave_context.h
+++ b/debugger/ptraceLib/enclave_context.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ENCLAVE_CONTEXT_H
diff --git a/debugger/ptraceLib/inferior_status.c b/debugger/ptraceLib/inferior_status.c
index 3de9174207..7002dcea5d 100644
--- a/debugger/ptraceLib/inferior_status.c
+++ b/debugger/ptraceLib/inferior_status.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "inferior_status.h"
diff --git a/debugger/ptraceLib/inferior_status.h b/debugger/ptraceLib/inferior_status.h
index c3b44f9b65..742ef0e546 100644
--- a/debugger/ptraceLib/inferior_status.h
+++ b/debugger/ptraceLib/inferior_status.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_INFERIOR_STATUS_H_
diff --git a/debugger/ptraceLib/oe_ptrace.c b/debugger/ptraceLib/oe_ptrace.c
index bef9e51eec..80ade61f70 100644
--- a/debugger/ptraceLib/oe_ptrace.c
+++ b/debugger/ptraceLib/oe_ptrace.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <dlfcn.h>
diff --git a/debugger/pythonExtension/CMakeLists.txt b/debugger/pythonExtension/CMakeLists.txt
index 00c6757191..b0ca53396f 100644
--- a/debugger/pythonExtension/CMakeLists.txt
+++ b/debugger/pythonExtension/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Copy files during build
diff --git a/debugger/pythonExtension/gdb_sgx_plugin.py b/debugger/pythonExtension/gdb_sgx_plugin.py
index 285111e150..5d5463b12a 100644
--- a/debugger/pythonExtension/gdb_sgx_plugin.py
+++ b/debugger/pythonExtension/gdb_sgx_plugin.py
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 from __future__ import print_function
diff --git a/docs/DevelopmentGuide.md b/docs/DevelopmentGuide.md
index 17a0623fc1..493e75f823 100644
--- a/docs/DevelopmentGuide.md
+++ b/docs/DevelopmentGuide.md
@@ -60,7 +60,7 @@ for details.
 The following license header **must** be included at the top of every file:
 
 ```
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 ```
 
@@ -123,7 +123,7 @@ For other files (`*.asm`, `*.S`, etc.) our current best guidance is consistency:
 Excerpt from `enclave/key.c`:
 
 ```c
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "key.h"
diff --git a/docs/refman/CMakeLists.txt b/docs/refman/CMakeLists.txt
index 22e822bf28..904def79b1 100644
--- a/docs/refman/CMakeLists.txt
+++ b/docs/refman/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 option(ENABLE_REFMAN "Enable Doxygen reference manual generation" ON)
 
diff --git a/enclave/CMakeLists.txt b/enclave/CMakeLists.txt
index 2948d60aa0..74791bcf0d 100644
--- a/enclave/CMakeLists.txt
+++ b/enclave/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(core)
diff --git a/enclave/asym_keys.c b/enclave/asym_keys.c
index 2217dc7c84..bc17e1adde 100644
--- a/enclave/asym_keys.c
+++ b/enclave/asym_keys.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/enclave/core/CMakeLists.txt b/enclave/core/CMakeLists.txt
index 67d7ec21bc..cddf778dc3 100644
--- a/enclave/core/CMakeLists.txt
+++ b/enclave/core/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ##==============================================================================
diff --git a/enclave/core/__secs_to_tm.c b/enclave/core/__secs_to_tm.c
index eded8be92d..165f29164e 100644
--- a/enclave/core/__secs_to_tm.c
+++ b/enclave/core/__secs_to_tm.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /* Use OE STDC time.h & limits.h defs for MUSL __secs_to_tm.c */
diff --git a/enclave/core/__stack_chk_fail.c b/enclave/core/__stack_chk_fail.c
index 43c4c4f0d1..825e5d10f7 100644
--- a/enclave/core/__stack_chk_fail.c
+++ b/enclave/core/__stack_chk_fail.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/arena.c b/enclave/core/arena.c
index 1b0877d955..c61b4c9ce1 100644
--- a/enclave/core/arena.c
+++ b/enclave/core/arena.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "arena.h"
diff --git a/enclave/core/arena.h b/enclave/core/arena.h
index 214bf525e7..b8f3cf351d 100644
--- a/enclave/core/arena.h
+++ b/enclave/core/arena.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ARENA_H
diff --git a/enclave/core/assert.c b/enclave/core/assert.c
index ff6662a66b..b7bed66d1a 100644
--- a/enclave/core/assert.c
+++ b/enclave/core/assert.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/atexit.c b/enclave/core/atexit.c
index 4c1d823a52..9515f88bb5 100644
--- a/enclave/core/atexit.c
+++ b/enclave/core/atexit.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "atexit.h"
diff --git a/enclave/core/atexit.h b/enclave/core/atexit.h
index b607a03050..87619bcb3e 100644
--- a/enclave/core/atexit.h
+++ b/enclave/core/atexit.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ATEXIT_H
diff --git a/enclave/core/backtrace.c b/enclave/core/backtrace.c
index 0cd31ed863..23ee12bc54 100644
--- a/enclave/core/backtrace.c
+++ b/enclave/core/backtrace.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/enclave/core/calls.c b/enclave/core/calls.c
index 2846c0fc7c..a04a5b0637 100644
--- a/enclave/core/calls.c
+++ b/enclave/core/calls.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/calls.h b/enclave/core/calls.h
index c3732107c9..ef8c5f089e 100644
--- a/enclave/core/calls.h
+++ b/enclave/core/calls.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/enclave/core/ctype.c b/enclave/core/ctype.c
index 7cb94c2c60..c1de61d40d 100644
--- a/enclave/core/ctype.c
+++ b/enclave/core/ctype.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <ctype.h>
diff --git a/enclave/core/debugmalloc.c b/enclave/core/debugmalloc.c
index 766f503eac..f46263768d 100644
--- a/enclave/core/debugmalloc.c
+++ b/enclave/core/debugmalloc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define USE_DL_PREFIX
diff --git a/enclave/core/debugmalloc.h b/enclave/core/debugmalloc.h
index a9cd07603d..b2f7de529f 100644
--- a/enclave/core/debugmalloc.h
+++ b/enclave/core/debugmalloc.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_DEBUG_MALLOC_H
diff --git a/enclave/core/errno.c b/enclave/core/errno.c
index 71582aa96c..3cef71149c 100644
--- a/enclave/core/errno.c
+++ b/enclave/core/errno.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/gmtime.c b/enclave/core/gmtime.c
index acaf75083e..1536d98f47 100644
--- a/enclave/core/gmtime.c
+++ b/enclave/core/gmtime.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/types.h>
diff --git a/enclave/core/hexdump.c b/enclave/core/hexdump.c
index 4baa8a89da..3c4da1e3d8 100644
--- a/enclave/core/hexdump.c
+++ b/enclave/core/hexdump.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/hostcalls.c b/enclave/core/hostcalls.c
index 531f0dfbe0..3526d68885 100644
--- a/enclave/core/hostcalls.c
+++ b/enclave/core/hostcalls.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/enclave/core/init_fini.c b/enclave/core/init_fini.c
index 3a886b7f41..053811c819 100644
--- a/enclave/core/init_fini.c
+++ b/enclave/core/init_fini.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "init_fini.h"
diff --git a/enclave/core/init_fini.h b/enclave/core/init_fini.h
index 13111e2116..b4cf1cc354 100644
--- a/enclave/core/init_fini.h
+++ b/enclave/core/init_fini.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef OE_INIT_FINI_H
diff --git a/enclave/core/intstr.c b/enclave/core/intstr.c
index adbc9ea198..7948df1707 100644
--- a/enclave/core/intstr.c
+++ b/enclave/core/intstr.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "intstr.h"
diff --git a/enclave/core/intstr.h b/enclave/core/intstr.h
index 9e6a5e4f1a..f3f5c129e8 100644
--- a/enclave/core/intstr.h
+++ b/enclave/core/intstr.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_INTSTR_H
diff --git a/enclave/core/malloc.c b/enclave/core/malloc.c
index c58d69f3ab..322c5810b8 100644
--- a/enclave/core/malloc.c
+++ b/enclave/core/malloc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/enclave/core/once.c b/enclave/core/once.c
index 407d57c47e..901d5150cf 100644
--- a/enclave/core/once.c
+++ b/enclave/core/once.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/optee/backtrace.c b/enclave/core/optee/backtrace.c
index 520eadcda0..214dd80378 100644
--- a/enclave/core/optee/backtrace.c
+++ b/enclave/core/optee/backtrace.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/optee/bounds.c b/enclave/core/optee/bounds.c
index 9254341720..3fdbd0be9d 100644
--- a/enclave/core/optee/bounds.c
+++ b/enclave/core/optee/bounds.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define OE_NEED_STDC_NAMES
diff --git a/enclave/core/optee/calls.c b/enclave/core/optee/calls.c
index 72daf2f50b..62364d4220 100644
--- a/enclave/core/optee/calls.c
+++ b/enclave/core/optee/calls.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/defs.h>
diff --git a/enclave/core/optee/entropy.c b/enclave/core/optee/entropy.c
index 131ac8b55d..cd233d5d5e 100644
--- a/enclave/core/optee/entropy.c
+++ b/enclave/core/optee/entropy.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define OE_NEED_STDC_NAMES
diff --git a/enclave/core/optee/globals.c b/enclave/core/optee/globals.c
index 335420d711..14e762750d 100644
--- a/enclave/core/optee/globals.c
+++ b/enclave/core/optee/globals.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/optee/gp.c b/enclave/core/optee/gp.c
index a786cc36b0..1b5e543af8 100644
--- a/enclave/core/optee/gp.c
+++ b/enclave/core/optee/gp.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define OE_NEED_STDC_NAMES
diff --git a/enclave/core/optee/header.c b/enclave/core/optee/header.c
index b92c410806..b2b18e4959 100644
--- a/enclave/core/optee/header.c
+++ b/enclave/core/optee/header.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define OE_NEED_STDC_NAMES
diff --git a/enclave/core/optee/hostcalls.c b/enclave/core/optee/hostcalls.c
index fb29802efb..67bc42e0bd 100644
--- a/enclave/core/optee/hostcalls.c
+++ b/enclave/core/optee/hostcalls.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/stdlib.h>
diff --git a/enclave/core/optee/keys.c b/enclave/core/optee/keys.c
index 93905022c3..ba8d29495b 100644
--- a/enclave/core/optee/keys.c
+++ b/enclave/core/optee/keys.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/optee/printf.c b/enclave/core/optee/printf.c
index c505f87e37..34471cda02 100644
--- a/enclave/core/optee/printf.c
+++ b/enclave/core/optee/printf.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/defs.h>
diff --git a/enclave/core/optee/sched_yield.c b/enclave/core/optee/sched_yield.c
index 052bec4326..5591a2bd5a 100644
--- a/enclave/core/optee/sched_yield.c
+++ b/enclave/core/optee/sched_yield.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 int oe_sched_yield(void)
diff --git a/enclave/core/optee/spinlock.c b/enclave/core/optee/spinlock.c
index c4fa8ce484..17559c6d3d 100644
--- a/enclave/core/optee/spinlock.c
+++ b/enclave/core/optee/spinlock.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // TODO: This file is a stub!
diff --git a/enclave/core/optee/stubs.c b/enclave/core/optee/stubs.c
index 99e2f0fd46..264fbcfa56 100644
--- a/enclave/core/optee/stubs.c
+++ b/enclave/core/optee/stubs.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/optee/thread.c b/enclave/core/optee/thread.c
index 6e057c61ed..e203becf5f 100644
--- a/enclave/core/optee/thread.c
+++ b/enclave/core/optee/thread.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // TODO: This file is a stub!
diff --git a/enclave/core/optee/tracee.c b/enclave/core/optee/tracee.c
index 87fccb2634..d8517297fd 100644
--- a/enclave/core/optee/tracee.c
+++ b/enclave/core/optee/tracee.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/printf.c b/enclave/core/printf.c
index cd5bbf7984..de2b5be854 100644
--- a/enclave/core/printf.c
+++ b/enclave/core/printf.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/defs.h>
diff --git a/enclave/core/pthread.c b/enclave/core/pthread.c
index f4f1475f44..19ede7c017 100644
--- a/enclave/core/pthread.c
+++ b/enclave/core/pthread.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/errno.h>
diff --git a/enclave/core/result.c b/enclave/core/result.c
index ce2d83d42c..90f8b7b785 100644
--- a/enclave/core/result.c
+++ b/enclave/core/result.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../common/result.c"
diff --git a/enclave/core/sbrk.c b/enclave/core/sbrk.c
index dbd4315b26..13b789b95a 100644
--- a/enclave/core/sbrk.c
+++ b/enclave/core/sbrk.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/sgx/asmcommon.inc b/enclave/core/sgx/asmcommon.inc
index 424021c885..c480db63b8 100644
--- a/enclave/core/sgx/asmcommon.inc
+++ b/enclave/core/sgx/asmcommon.inc
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _ASM_COMMON_INC
diff --git a/enclave/core/sgx/asmdefs.h b/enclave/core/sgx/asmdefs.h
index 1f45ba03a6..74c8120ad6 100644
--- a/enclave/core/sgx/asmdefs.h
+++ b/enclave/core/sgx/asmdefs.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _ASMDEFS_H
diff --git a/enclave/core/sgx/backtrace.c b/enclave/core/sgx/backtrace.c
index 698f7b68bf..7ad417fdc4 100644
--- a/enclave/core/sgx/backtrace.c
+++ b/enclave/core/sgx/backtrace.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/enclave/core/sgx/calls.c b/enclave/core/sgx/calls.c
index 533fe89fd4..c616a70b91 100644
--- a/enclave/core/sgx/calls.c
+++ b/enclave/core/sgx/calls.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../calls.h"
diff --git a/enclave/core/sgx/cpuid.c b/enclave/core/sgx/cpuid.c
index a0d0a46288..b045759674 100644
--- a/enclave/core/sgx/cpuid.c
+++ b/enclave/core/sgx/cpuid.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "cpuid.h"
diff --git a/enclave/core/sgx/cpuid.h b/enclave/core/sgx/cpuid.h
index 50f9987244..32e0f825ae 100644
--- a/enclave/core/sgx/cpuid.h
+++ b/enclave/core/sgx/cpuid.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_CPUID_ENCLAVE_H
diff --git a/enclave/core/sgx/enter.S b/enclave/core/sgx/enter.S
index b130c34da6..a0146b1bfe 100644
--- a/enclave/core/sgx/enter.S
+++ b/enclave/core/sgx/enter.S
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "asmdefs.h"
diff --git a/enclave/core/sgx/entropy.c b/enclave/core/sgx/entropy.c
index bdf5c31836..0500efde04 100644
--- a/enclave/core/sgx/entropy.c
+++ b/enclave/core/sgx/entropy.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/string.h>
diff --git a/enclave/core/sgx/exception.c b/enclave/core/sgx/exception.c
index 052175139a..9ad5c09dcf 100644
--- a/enclave/core/sgx/exception.c
+++ b/enclave/core/sgx/exception.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/enclave/core/sgx/exit.S b/enclave/core/sgx/exit.S
index 1564f2c133..eb7cd1b667 100644
--- a/enclave/core/sgx/exit.S
+++ b/enclave/core/sgx/exit.S
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "asmdefs.h"
diff --git a/enclave/core/sgx/getkey.S b/enclave/core/sgx/getkey.S
index 478e8a31ee..c70be6fe3f 100644
--- a/enclave/core/sgx/getkey.S
+++ b/enclave/core/sgx/getkey.S
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "asmdefs.h"
diff --git a/enclave/core/sgx/globals.c b/enclave/core/sgx/globals.c
index a286398c67..1abb9ab5de 100644
--- a/enclave/core/sgx/globals.c
+++ b/enclave/core/sgx/globals.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/sgx/hostcalls.c b/enclave/core/sgx/hostcalls.c
index 8f2712ea52..3581d4eb75 100644
--- a/enclave/core/sgx/hostcalls.c
+++ b/enclave/core/sgx/hostcalls.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/enclave/core/sgx/init.c b/enclave/core/sgx/init.c
index c6f539b1ec..831acce8a8 100644
--- a/enclave/core/sgx/init.c
+++ b/enclave/core/sgx/init.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "init.h"
diff --git a/enclave/core/sgx/init.h b/enclave/core/sgx/init.h
index b7359c5870..5b05a9ba1a 100644
--- a/enclave/core/sgx/init.h
+++ b/enclave/core/sgx/init.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef OE_INIT_H
diff --git a/enclave/core/sgx/jump.c b/enclave/core/sgx/jump.c
index 1e5c203a91..fc1d6fae69 100644
--- a/enclave/core/sgx/jump.c
+++ b/enclave/core/sgx/jump.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/defs.h>
diff --git a/enclave/core/sgx/keys.c b/enclave/core/sgx/keys.c
index dded12bb19..8fa6e5868f 100644
--- a/enclave/core/sgx/keys.c
+++ b/enclave/core/sgx/keys.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/enclave/core/sgx/linux/reloc.c b/enclave/core/sgx/linux/reloc.c
index 67c8690198..f4c92be386 100644
--- a/enclave/core/sgx/linux/reloc.c
+++ b/enclave/core/sgx/linux/reloc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/sgx/linux/threadlocal.c b/enclave/core/sgx/linux/threadlocal.c
index 26ff377835..326e9f19c2 100644
--- a/enclave/core/sgx/linux/threadlocal.c
+++ b/enclave/core/sgx/linux/threadlocal.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "threadlocal.h"
diff --git a/enclave/core/sgx/linux/threadlocal.h b/enclave/core/sgx/linux/threadlocal.h
index 64db7a4753..9da66382cd 100644
--- a/enclave/core/sgx/linux/threadlocal.h
+++ b/enclave/core/sgx/linux/threadlocal.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_CORE_THREADLOCAL_H
diff --git a/enclave/core/sgx/longjmp.S b/enclave/core/sgx/longjmp.S
index 7a36bb445d..09a87868b7 100644
--- a/enclave/core/sgx/longjmp.S
+++ b/enclave/core/sgx/longjmp.S
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 //==============================================================================
diff --git a/enclave/core/sgx/memory.c b/enclave/core/sgx/memory.c
index 812af23119..f941d02ab4 100644
--- a/enclave/core/sgx/memory.c
+++ b/enclave/core/sgx/memory.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/sgx/properties.c b/enclave/core/sgx/properties.c
index af545e01fe..af42878651 100644
--- a/enclave/core/sgx/properties.c
+++ b/enclave/core/sgx/properties.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/properties.h>
diff --git a/enclave/core/sgx/report.c b/enclave/core/sgx/report.c
index 2a2558f7aa..82723cabb1 100644
--- a/enclave/core/sgx/report.c
+++ b/enclave/core/sgx/report.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "report.h"
diff --git a/enclave/core/sgx/report.h b/enclave/core/sgx/report.h
index 0a2b297de7..e9886449ea 100644
--- a/enclave/core/sgx/report.h
+++ b/enclave/core/sgx/report.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ENCLAVE_CORE_REPORT_H
diff --git a/enclave/core/sgx/sched_yield.c b/enclave/core/sgx/sched_yield.c
index 8e279cd456..c9e5845425 100644
--- a/enclave/core/sgx/sched_yield.c
+++ b/enclave/core/sgx/sched_yield.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 int oe_sched_yield(void)
diff --git a/enclave/core/sgx/setjmp.S b/enclave/core/sgx/setjmp.S
index fb430017b9..2e555eef68 100644
--- a/enclave/core/sgx/setjmp.S
+++ b/enclave/core/sgx/setjmp.S
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 //==============================================================================
diff --git a/enclave/core/sgx/sgx_t_wrapper.c b/enclave/core/sgx/sgx_t_wrapper.c
index c75c42a1dc..e2fa8701ab 100644
--- a/enclave/core/sgx/sgx_t_wrapper.c
+++ b/enclave/core/sgx/sgx_t_wrapper.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define OE_NEED_STDC_NAMES
diff --git a/enclave/core/sgx/spinlock.c b/enclave/core/sgx/spinlock.c
index 591b97fd9e..3bb7a652ed 100644
--- a/enclave/core/sgx/spinlock.c
+++ b/enclave/core/sgx/spinlock.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifdef OE_BUILD_ENCLAVE
diff --git a/enclave/core/sgx/td.c b/enclave/core/sgx/td.c
index 318e1192b0..faa289d36b 100644
--- a/enclave/core/sgx/td.c
+++ b/enclave/core/sgx/td.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "td.h"
diff --git a/enclave/core/sgx/td.h b/enclave/core/sgx/td.h
index ec266c6ba9..4b743d3e41 100644
--- a/enclave/core/sgx/td.h
+++ b/enclave/core/sgx/td.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _TD_H
diff --git a/enclave/core/sgx/thread.c b/enclave/core/sgx/thread.c
index bf28f545d6..70730d0120 100644
--- a/enclave/core/sgx/thread.c
+++ b/enclave/core/sgx/thread.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "thread.h"
diff --git a/enclave/core/sgx/thread.h b/enclave/core/sgx/thread.h
index bd21be06b1..3d99e6c012 100644
--- a/enclave/core/sgx/thread.h
+++ b/enclave/core/sgx/thread.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_CORE_THREAD_H_H
diff --git a/enclave/core/sgx/tracee.c b/enclave/core/sgx/tracee.c
index 82127943fe..12011c60ca 100644
--- a/enclave/core/sgx/tracee.c
+++ b/enclave/core/sgx/tracee.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/sgx/windows/reloc.c b/enclave/core/sgx/windows/reloc.c
index 43513500af..bd770f71eb 100644
--- a/enclave/core/sgx/windows/reloc.c
+++ b/enclave/core/sgx/windows/reloc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/core/stdio.c b/enclave/core/stdio.c
index 5f5cf69315..e3713f9aaf 100644
--- a/enclave/core/stdio.c
+++ b/enclave/core/stdio.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/stdio.h>
diff --git a/enclave/core/strerror.c b/enclave/core/strerror.c
index bad34ba389..36ead6d214 100644
--- a/enclave/core/strerror.c
+++ b/enclave/core/strerror.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define OE_NEED_STDC_NAMES
diff --git a/enclave/core/string.c b/enclave/core/string.c
index 2d78ff8324..de42a43297 100644
--- a/enclave/core/string.c
+++ b/enclave/core/string.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/enclave/core/strtok_r.c b/enclave/core/strtok_r.c
index ea6fdb772a..3979ed042c 100644
--- a/enclave/core/strtok_r.c
+++ b/enclave/core/strtok_r.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/string.h>
diff --git a/enclave/core/strtoul.c b/enclave/core/strtoul.c
index 22aafe2d06..3e71785762 100644
--- a/enclave/core/strtoul.c
+++ b/enclave/core/strtoul.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/defs.h>
diff --git a/enclave/core/switchlesscalls.c b/enclave/core/switchlesscalls.c
index 3628be5be4..6fb968ca10 100644
--- a/enclave/core/switchlesscalls.c
+++ b/enclave/core/switchlesscalls.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "switchlesscalls.h"
diff --git a/enclave/core/switchlesscalls.h b/enclave/core/switchlesscalls.h
index 5893d54adf..3e4afe0ac7 100644
--- a/enclave/core/switchlesscalls.h
+++ b/enclave/core/switchlesscalls.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SWITCHLESSCALLS_H
diff --git a/enclave/core/tee_t_wrapper.c b/enclave/core/tee_t_wrapper.c
index 47003b3ed9..ead5a880ec 100644
--- a/enclave/core/tee_t_wrapper.c
+++ b/enclave/core/tee_t_wrapper.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define OE_NEED_STDC_NAMES
diff --git a/enclave/core/time.c b/enclave/core/time.c
index 5a786e8f08..3f4eb1e106 100644
--- a/enclave/core/time.c
+++ b/enclave/core/time.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/types.h>
diff --git a/enclave/core/tracee.c b/enclave/core/tracee.c
index 82e5c6258d..6c81591cb1 100644
--- a/enclave/core/tracee.c
+++ b/enclave/core/tracee.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "tracee.h"
diff --git a/enclave/core/tracee.h b/enclave/core/tracee.h
index a9297a2277..56200c919a 100644
--- a/enclave/core/tracee.h
+++ b/enclave/core/tracee.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/stdbool.h>
diff --git a/enclave/crypto/CMakeLists.txt b/enclave/crypto/CMakeLists.txt
index 45de407745..fdd767710c 100644
--- a/enclave/crypto/CMakeLists.txt
+++ b/enclave/crypto/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_library(oecryptombed STATIC
diff --git a/enclave/crypto/asn1.c b/enclave/crypto/asn1.c
index fac2c8bf34..6febee4361 100644
--- a/enclave/crypto/asn1.c
+++ b/enclave/crypto/asn1.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../../common/asn1.h"
diff --git a/enclave/crypto/cert.c b/enclave/crypto/cert.c
index 061a678d86..2e9052cd46 100644
--- a/enclave/crypto/cert.c
+++ b/enclave/crypto/cert.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <mbedtls/ctr_drbg.h>
diff --git a/enclave/crypto/cmac.c b/enclave/crypto/cmac.c
index 4825c25a22..981a8262b9 100644
--- a/enclave/crypto/cmac.c
+++ b/enclave/crypto/cmac.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <mbedtls/cmac.h>
diff --git a/enclave/crypto/crl.c b/enclave/crypto/crl.c
index cceb2842c5..1fce7a61e5 100644
--- a/enclave/crypto/crl.c
+++ b/enclave/crypto/crl.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "crl.h"
diff --git a/enclave/crypto/crl.h b/enclave/crypto/crl.h
index c0bb92cf11..7c6ba80303 100644
--- a/enclave/crypto/crl.h
+++ b/enclave/crypto/crl.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ENCLAVE_CRL_H
diff --git a/enclave/crypto/ec.c b/enclave/crypto/ec.c
index d6bca84bd3..81c3e2088d 100644
--- a/enclave/crypto/ec.c
+++ b/enclave/crypto/ec.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "ec.h"
diff --git a/enclave/crypto/ec.h b/enclave/crypto/ec.h
index 8f36d0e41a..faf9f591a2 100644
--- a/enclave/crypto/ec.h
+++ b/enclave/crypto/ec.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ENCLAVE_EC_H
diff --git a/enclave/crypto/hmac.c b/enclave/crypto/hmac.c
index 5f431e7240..e1180de720 100644
--- a/enclave/crypto/hmac.c
+++ b/enclave/crypto/hmac.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <mbedtls/md.h>
diff --git a/enclave/crypto/key.c b/enclave/crypto/key.c
index 965a0f07b0..bc0b710ee4 100644
--- a/enclave/crypto/key.c
+++ b/enclave/crypto/key.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "key.h"
diff --git a/enclave/crypto/key.h b/enclave/crypto/key.h
index 4ce75dd66f..6096656be6 100644
--- a/enclave/crypto/key.h
+++ b/enclave/crypto/key.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _ENCLAVE_KEY_H
diff --git a/enclave/crypto/pem.h b/enclave/crypto/pem.h
index cb10ea6a00..300b8566bb 100644
--- a/enclave/crypto/pem.h
+++ b/enclave/crypto/pem.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ENCLAVE_PEM_H
diff --git a/enclave/crypto/random_internal.c b/enclave/crypto/random_internal.c
index 196826665f..4f5d4ccae3 100644
--- a/enclave/crypto/random_internal.c
+++ b/enclave/crypto/random_internal.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "random_internal.h"
diff --git a/enclave/crypto/random_internal.h b/enclave/crypto/random_internal.h
index e85163ac03..d7765e07ea 100644
--- a/enclave/crypto/random_internal.h
+++ b/enclave/crypto/random_internal.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _CRYPTO_ENCLAVE_RANDOM_H
diff --git a/enclave/crypto/rsa.c b/enclave/crypto/rsa.c
index 6c279325bc..5f119d72dc 100644
--- a/enclave/crypto/rsa.c
+++ b/enclave/crypto/rsa.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "rsa.h"
diff --git a/enclave/crypto/rsa.h b/enclave/crypto/rsa.h
index a7803b0aa7..f3ca69007d 100644
--- a/enclave/crypto/rsa.h
+++ b/enclave/crypto/rsa.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ENCLAVE_RSA_H
diff --git a/enclave/crypto/sha.c b/enclave/crypto/sha.c
index 193989c0e5..59334a3cbe 100644
--- a/enclave/crypto/sha.c
+++ b/enclave/crypto/sha.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <mbedtls/sha256.h>
diff --git a/enclave/link.c b/enclave/link.c
index 02e597e505..8410f68f9e 100644
--- a/enclave/link.c
+++ b/enclave/link.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/optee/report.c b/enclave/optee/report.c
index 23ae1720a8..029adf057e 100644
--- a/enclave/optee/report.c
+++ b/enclave/optee/report.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/optee/start.S b/enclave/optee/start.S
index 270a777f4c..854a5d9100 100644
--- a/enclave/optee/start.S
+++ b/enclave/optee/start.S
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 //==============================================================================
diff --git a/enclave/random.c b/enclave/random.c
index a7a59ec275..0ef124f13f 100644
--- a/enclave/random.c
+++ b/enclave/random.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/enclave/sgx/qeidinfo.c b/enclave/sgx/qeidinfo.c
index 0017605926..3fb5d86a14 100644
--- a/enclave/sgx/qeidinfo.c
+++ b/enclave/sgx/qeidinfo.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/enclave/sgx/report.c b/enclave/sgx/report.c
index a667d8e770..df1058e20a 100644
--- a/enclave/sgx/report.c
+++ b/enclave/sgx/report.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "report.h"
diff --git a/enclave/sgx/report.h b/enclave/sgx/report.h
index bdbf4499d1..a3cd973059 100644
--- a/enclave/sgx/report.h
+++ b/enclave/sgx/report.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ENCLAVE_REPORT_H
diff --git a/enclave/sgx/revocationinfo.c b/enclave/sgx/revocationinfo.c
index c82ea664d4..2caa962dc1 100644
--- a/enclave/sgx/revocationinfo.c
+++ b/enclave/sgx/revocationinfo.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/enclave/sgx/start.S b/enclave/sgx/start.S
index 4cda7c1797..2cdc094fad 100644
--- a/enclave/sgx/start.S
+++ b/enclave/sgx/start.S
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 //==============================================================================
diff --git a/enclave/tls_cert.c b/enclave/tls_cert.c
index 2a463f46a0..9b32f61244 100644
--- a/enclave/tls_cert.c
+++ b/enclave/tls_cert.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/defs.h>
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index 1769b8137f..95c3c94cda 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ##==============================================================================
diff --git a/host/asym_keys.c b/host/asym_keys.c
index fc87ea577a..6bb5b486d3 100644
--- a/host/asym_keys.c
+++ b/host/asym_keys.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/result.h>
diff --git a/host/calls.c b/host/calls.c
index d2c62baa13..92501ab410 100644
--- a/host/calls.c
+++ b/host/calls.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/host/calls.h b/host/calls.h
index 38daa10d76..d4a276a8f1 100644
--- a/host/calls.h
+++ b/host/calls.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/host.h>
diff --git a/host/crypto/bcrypt/bcrypt.h b/host/crypto/bcrypt/bcrypt.h
index d57ab24ad3..2c559f5257 100644
--- a/host/crypto/bcrypt/bcrypt.h
+++ b/host/crypto/bcrypt/bcrypt.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /*
diff --git a/host/crypto/bcrypt/cert.c b/host/crypto/bcrypt/cert.c
index 53661c903e..02eea131c3 100644
--- a/host/crypto/bcrypt/cert.c
+++ b/host/crypto/bcrypt/cert.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/host/crypto/bcrypt/crl.c b/host/crypto/bcrypt/crl.c
index cb8bd53b18..a310f4cb61 100644
--- a/host/crypto/bcrypt/crl.c
+++ b/host/crypto/bcrypt/crl.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/crypto/crl.h>
diff --git a/host/crypto/bcrypt/crl.h b/host/crypto/bcrypt/crl.h
index 30f7137f87..097ff6a274 100644
--- a/host/crypto/bcrypt/crl.h
+++ b/host/crypto/bcrypt/crl.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_CRYPTO_CRL_H
diff --git a/host/crypto/bcrypt/ec.c b/host/crypto/bcrypt/ec.c
index 7fb07e45a5..04f30cb7be 100644
--- a/host/crypto/bcrypt/ec.c
+++ b/host/crypto/bcrypt/ec.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/host/crypto/bcrypt/ec.h b/host/crypto/bcrypt/ec.h
index d106e8d0cd..dee63b4e82 100644
--- a/host/crypto/bcrypt/ec.h
+++ b/host/crypto/bcrypt/ec.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_CRYPTO_BCRYPT_EC_H
diff --git a/host/crypto/bcrypt/hmac.c b/host/crypto/bcrypt/hmac.c
index 9537858609..e9671fe53e 100644
--- a/host/crypto/bcrypt/hmac.c
+++ b/host/crypto/bcrypt/hmac.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "bcrypt.h"
diff --git a/host/crypto/bcrypt/key.c b/host/crypto/bcrypt/key.c
index 8ce0426db9..7a67654579 100644
--- a/host/crypto/bcrypt/key.c
+++ b/host/crypto/bcrypt/key.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/host/crypto/bcrypt/key.h b/host/crypto/bcrypt/key.h
index 1bc09adb5a..1321cf0ba2 100644
--- a/host/crypto/bcrypt/key.h
+++ b/host/crypto/bcrypt/key.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _HOST_KEY_H
diff --git a/host/crypto/bcrypt/pem.c b/host/crypto/bcrypt/pem.c
index a74ed80573..4c864699aa 100644
--- a/host/crypto/bcrypt/pem.c
+++ b/host/crypto/bcrypt/pem.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "pem.h"
diff --git a/host/crypto/bcrypt/pem.h b/host/crypto/bcrypt/pem.h
index b324875f0b..35b0a14f5c 100644
--- a/host/crypto/bcrypt/pem.h
+++ b/host/crypto/bcrypt/pem.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_CRYPTO_PEM_H
diff --git a/host/crypto/bcrypt/random.c b/host/crypto/bcrypt/random.c
index eb0e0adc6a..c0d44cc43c 100644
--- a/host/crypto/bcrypt/random.c
+++ b/host/crypto/bcrypt/random.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/raise.h>
diff --git a/host/crypto/bcrypt/rsa.c b/host/crypto/bcrypt/rsa.c
index 670d297307..f5f4ec999b 100644
--- a/host/crypto/bcrypt/rsa.c
+++ b/host/crypto/bcrypt/rsa.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/host/crypto/bcrypt/rsa.h b/host/crypto/bcrypt/rsa.h
index 58557c8b48..270e55e585 100644
--- a/host/crypto/bcrypt/rsa.h
+++ b/host/crypto/bcrypt/rsa.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_CRYPTO_BCRYPT_RSA_H
diff --git a/host/crypto/bcrypt/sha.c b/host/crypto/bcrypt/sha.c
index b1e5f4871f..748471630f 100644
--- a/host/crypto/bcrypt/sha.c
+++ b/host/crypto/bcrypt/sha.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/host/crypto/bcrypt/util.c b/host/crypto/bcrypt/util.c
index 910f375cdf..c9c55aed5a 100644
--- a/host/crypto/bcrypt/util.c
+++ b/host/crypto/bcrypt/util.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/raise.h>
diff --git a/host/crypto/bcrypt/util.h b/host/crypto/bcrypt/util.h
index ab237b54cf..2ec0f4e310 100644
--- a/host/crypto/bcrypt/util.h
+++ b/host/crypto/bcrypt/util.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_CRYPTO_UTIL_H
diff --git a/host/crypto/magic.h b/host/crypto/magic.h
index 4d9a687110..54a4b1ec46 100644
--- a/host/crypto/magic.h
+++ b/host/crypto/magic.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_CRYPTO_MAGIC_H
diff --git a/host/crypto/openssl/asn1.c b/host/crypto/openssl/asn1.c
index a4b595438b..ab3cf72c12 100644
--- a/host/crypto/openssl/asn1.c
+++ b/host/crypto/openssl/asn1.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../common/asn1.h"
diff --git a/host/crypto/openssl/asn1.h b/host/crypto/openssl/asn1.h
index a6121c5ba2..182b86b4df 100644
--- a/host/crypto/openssl/asn1.h
+++ b/host/crypto/openssl/asn1.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_CRYPTO_ASN1_OPENSSL_H
diff --git a/host/crypto/openssl/cert.c b/host/crypto/openssl/cert.c
index b44cf0f58e..b914fd65f2 100644
--- a/host/crypto/openssl/cert.c
+++ b/host/crypto/openssl/cert.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <ctype.h>
diff --git a/host/crypto/openssl/crl.c b/host/crypto/openssl/crl.c
index aa627b33e8..b6af8c80c8 100644
--- a/host/crypto/openssl/crl.c
+++ b/host/crypto/openssl/crl.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/host/crypto/openssl/crl.h b/host/crypto/openssl/crl.h
index b9418dab04..7823e260db 100644
--- a/host/crypto/openssl/crl.h
+++ b/host/crypto/openssl/crl.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_CRYPTO_CRL_H
diff --git a/host/crypto/openssl/ec.c b/host/crypto/openssl/ec.c
index b54cabb8f8..cff0a9ffce 100644
--- a/host/crypto/openssl/ec.c
+++ b/host/crypto/openssl/ec.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/raise.h>
diff --git a/host/crypto/openssl/ec.h b/host/crypto/openssl/ec.h
index df841aec8e..989d452fb9 100644
--- a/host/crypto/openssl/ec.h
+++ b/host/crypto/openssl/ec.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_CRYPTO_EC_H
diff --git a/host/crypto/openssl/hmac.c b/host/crypto/openssl/hmac.c
index ff43d22a41..b0bbfbd957 100644
--- a/host/crypto/openssl/hmac.c
+++ b/host/crypto/openssl/hmac.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/crypto/hmac.h>
diff --git a/host/crypto/openssl/init.c b/host/crypto/openssl/init.c
index 44a8a0bb20..bd2dd08fad 100644
--- a/host/crypto/openssl/init.c
+++ b/host/crypto/openssl/init.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "init.h"
diff --git a/host/crypto/openssl/init.h b/host/crypto/openssl/init.h
index 33ebee65a3..09891d8641 100644
--- a/host/crypto/openssl/init.h
+++ b/host/crypto/openssl/init.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_CRYPTO_HOST_INIT_H
diff --git a/host/crypto/openssl/key.c b/host/crypto/openssl/key.c
index e455298287..5eb3d4d590 100644
--- a/host/crypto/openssl/key.c
+++ b/host/crypto/openssl/key.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "key.h"
diff --git a/host/crypto/openssl/key.h b/host/crypto/openssl/key.h
index abe7e1cf98..d3c272fe4c 100644
--- a/host/crypto/openssl/key.h
+++ b/host/crypto/openssl/key.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _HOST_KEY_H
diff --git a/host/crypto/openssl/random.c b/host/crypto/openssl/random.c
index dee89e9430..68f22fff72 100644
--- a/host/crypto/openssl/random.c
+++ b/host/crypto/openssl/random.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/random.h>
diff --git a/host/crypto/openssl/rsa.c b/host/crypto/openssl/rsa.c
index 6b7cc43bbe..bd9a813a77 100644
--- a/host/crypto/openssl/rsa.c
+++ b/host/crypto/openssl/rsa.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/raise.h>
diff --git a/host/crypto/openssl/rsa.h b/host/crypto/openssl/rsa.h
index 271bf9072c..f746235222 100644
--- a/host/crypto/openssl/rsa.h
+++ b/host/crypto/openssl/rsa.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_CRYPTO_OPENSSL_RSA_H
diff --git a/host/crypto/openssl/sha.c b/host/crypto/openssl/sha.c
index 3fc51ba0a5..ef571efbf7 100644
--- a/host/crypto/openssl/sha.c
+++ b/host/crypto/openssl/sha.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/host/crypto/rsa.h b/host/crypto/rsa.h
index 327a60f9cf..c97caadc63 100644
--- a/host/crypto/rsa.h
+++ b/host/crypto/rsa.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_CRYPTO_RSA_H
diff --git a/host/dupenv.c b/host/dupenv.c
index 1b87636f28..38c336b4c4 100644
--- a/host/dupenv.c
+++ b/host/dupenv.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "dupenv.h"
diff --git a/host/dupenv.h b/host/dupenv.h
index 1e99b84df0..f70c28270a 100644
--- a/host/dupenv.h
+++ b/host/dupenv.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_DUPENV_H
diff --git a/host/error.c b/host/error.c
index 8f6bf25263..7f6a4e02fd 100644
--- a/host/error.c
+++ b/host/error.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/host/files.c b/host/files.c
index 114e20108e..848544d396 100644
--- a/host/files.c
+++ b/host/files.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/host/fopen.c b/host/fopen.c
index b16e87ef20..f92d2342ab 100644
--- a/host/fopen.c
+++ b/host/fopen.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "fopen.h"
diff --git a/host/fopen.h b/host/fopen.h
index 1325aa012d..8a0c2ae4bb 100644
--- a/host/fopen.h
+++ b/host/fopen.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_FOPEN_H
diff --git a/host/hexdump.c b/host/hexdump.c
index 0bbb4ea3d0..374ade33a1 100644
--- a/host/hexdump.c
+++ b/host/hexdump.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/host/hostthread.h b/host/hostthread.h
index 5e23df5460..09367b3af7 100644
--- a/host/hostthread.h
+++ b/host/hostthread.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/host/linux/hostthread.c b/host/linux/hostthread.c
index 65a87251fb..bbba03cd00 100644
--- a/host/linux/hostthread.c
+++ b/host/linux/hostthread.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../hostthread.h"
diff --git a/host/linux/syscall.c b/host/linux/syscall.c
index ef8f3812a4..dd84e4cc72 100644
--- a/host/linux/syscall.c
+++ b/host/linux/syscall.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <dirent.h>
diff --git a/host/linux/time.c b/host/linux/time.c
index 1e7930049f..6bb45d219f 100644
--- a/host/linux/time.c
+++ b/host/linux/time.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <errno.h>
diff --git a/host/linux/windows.c b/host/linux/windows.c
index 3c4b461290..34457863c9 100644
--- a/host/linux/windows.c
+++ b/host/linux/windows.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "windows.h"
diff --git a/host/linux/windows.h b/host/linux/windows.h
index 40bed4f14a..163e7c1100 100644
--- a/host/linux/windows.h
+++ b/host/linux/windows.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_WINDOWS_H
diff --git a/host/memalign.c b/host/memalign.c
index 41253f4ee1..c87b5e7124 100644
--- a/host/memalign.c
+++ b/host/memalign.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "memalign.h"
diff --git a/host/memalign.h b/host/memalign.h
index 72861c1407..204dd206c5 100644
--- a/host/memalign.h
+++ b/host/memalign.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_MEMALIGN_H
diff --git a/host/ocalls.c b/host/ocalls.c
index 144eb0c1fe..c93149bd61 100644
--- a/host/ocalls.c
+++ b/host/ocalls.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <stdio.h>
diff --git a/host/ocalls.h b/host/ocalls.h
index 6b9071b9bd..12ce6032a7 100644
--- a/host/ocalls.h
+++ b/host/ocalls.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_OCALLS_H
diff --git a/host/optee/linux/enclave.c b/host/optee/linux/enclave.c
index e5f75f1792..a54f19ba8b 100644
--- a/host/optee/linux/enclave.c
+++ b/host/optee/linux/enclave.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/defs.h>
diff --git a/host/optee/linux/enclave.h b/host/optee/linux/enclave.h
index 3301ed67f7..a9f25c18ba 100644
--- a/host/optee/linux/enclave.h
+++ b/host/optee/linux/enclave.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_ENCLAVE_H
diff --git a/host/optee/log.c b/host/optee/log.c
index 0b05012570..5f7d96da42 100644
--- a/host/optee/log.c
+++ b/host/optee/log.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/trace.h>
diff --git a/host/result.c b/host/result.c
index ce2d83d42c..90f8b7b785 100644
--- a/host/result.c
+++ b/host/result.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../common/result.c"
diff --git a/host/sgx/asmdefs.h b/host/sgx/asmdefs.h
index 4efe93bee2..8cc45152f0 100644
--- a/host/sgx/asmdefs.h
+++ b/host/sgx/asmdefs.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _ASMDEFS_H
diff --git a/host/sgx/calls.c b/host/sgx/calls.c
index 984726139d..0fd584d17d 100644
--- a/host/sgx/calls.c
+++ b/host/sgx/calls.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/host/sgx/cpuid.h b/host/sgx/cpuid.h
index 4179e4662a..227ef718bd 100644
--- a/host/sgx/cpuid.h
+++ b/host/sgx/cpuid.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_CPUIDCOUNT_H
diff --git a/host/sgx/create.c b/host/sgx/create.c
index acbdc215fb..a7615803b0 100644
--- a/host/sgx/create.c
+++ b/host/sgx/create.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../strings.h"
diff --git a/host/sgx/elf.c b/host/sgx/elf.c
index c2e03e72b1..8f0d59c8fd 100644
--- a/host/sgx/elf.c
+++ b/host/sgx/elf.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/host/sgx/enclave.c b/host/sgx/enclave.c
index f7e7902044..968017668e 100644
--- a/host/sgx/enclave.c
+++ b/host/sgx/enclave.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "enclave.h"
diff --git a/host/sgx/enclave.h b/host/sgx/enclave.h
index b914b488b4..d154b7b3d8 100644
--- a/host/sgx/enclave.h
+++ b/host/sgx/enclave.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_ENCLAVE_H
diff --git a/host/sgx/enclavemanager.c b/host/sgx/enclavemanager.c
index ec6e1fa3cf..39aea36d2f 100644
--- a/host/sgx/enclavemanager.c
+++ b/host/sgx/enclavemanager.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/host/sgx/exception.c b/host/sgx/exception.c
index b86702d8a8..1729fa73a5 100644
--- a/host/sgx/exception.c
+++ b/host/sgx/exception.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "exception.h"
diff --git a/host/sgx/exception.h b/host/sgx/exception.h
index 1d4ce5abd0..c5a41f3ec9 100644
--- a/host/sgx/exception.h
+++ b/host/sgx/exception.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_EXCEPTION_H
diff --git a/host/sgx/hostverify_report.c b/host/sgx/hostverify_report.c
index 4448a0733d..b487b1a18d 100644
--- a/host/sgx/hostverify_report.c
+++ b/host/sgx/hostverify_report.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/report.h>
diff --git a/host/sgx/linux/aep.S b/host/sgx/linux/aep.S
index 5022fa4498..916ea39727 100644
--- a/host/sgx/linux/aep.S
+++ b/host/sgx/linux/aep.S
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../asmdefs.h"
diff --git a/host/sgx/linux/enter.S b/host/sgx/linux/enter.S
index 4957490f8d..6c0ef66f3e 100644
--- a/host/sgx/linux/enter.S
+++ b/host/sgx/linux/enter.S
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../asmdefs.h"
diff --git a/host/sgx/linux/entersim.S b/host/sgx/linux/entersim.S
index de7af84c07..b13e20338e 100644
--- a/host/sgx/linux/entersim.S
+++ b/host/sgx/linux/entersim.S
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../asmdefs.h"
diff --git a/host/sgx/linux/exception.c b/host/sgx/linux/exception.c
index 8e02498bc8..75499e5b53 100644
--- a/host/sgx/linux/exception.c
+++ b/host/sgx/linux/exception.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../exception.h"
diff --git a/host/sgx/linux/sgxioctl.c b/host/sgx/linux/sgxioctl.c
index 7cd73ff02e..4bc3f4f134 100644
--- a/host/sgx/linux/sgxioctl.c
+++ b/host/sgx/linux/sgxioctl.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "sgxioctl.h"
diff --git a/host/sgx/linux/sgxioctl.h b/host/sgx/linux/sgxioctl.h
index ac707a4dd7..325963b0c2 100644
--- a/host/sgx/linux/sgxioctl.h
+++ b/host/sgx/linux/sgxioctl.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SGXIOCTL_H
diff --git a/host/sgx/linux/sgxquoteproviderloader.c b/host/sgx/linux/sgxquoteproviderloader.c
index a17074135e..eb3570783a 100644
--- a/host/sgx/linux/sgxquoteproviderloader.c
+++ b/host/sgx/linux/sgxquoteproviderloader.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <dlfcn.h>
diff --git a/host/sgx/linux/switchless.c b/host/sgx/linux/switchless.c
index 567472ca52..808a0d400c 100644
--- a/host/sgx/linux/switchless.c
+++ b/host/sgx/linux/switchless.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/switchless.h>
diff --git a/host/sgx/linux/xstate.c b/host/sgx/linux/xstate.c
index a06c436d1c..338f79cfaf 100644
--- a/host/sgx/linux/xstate.c
+++ b/host/sgx/linux/xstate.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../xstate.h"
diff --git a/host/sgx/load.c b/host/sgx/load.c
index 44c02d1650..f483e466a5 100644
--- a/host/sgx/load.c
+++ b/host/sgx/load.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/raise.h>
diff --git a/host/sgx/loadelf.c b/host/sgx/loadelf.c
index 18e81b903b..8baf65b45e 100644
--- a/host/sgx/loadelf.c
+++ b/host/sgx/loadelf.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/host/sgx/loadpe.c b/host/sgx/loadpe.c
index 660fdb34dd..a9b4280c5e 100644
--- a/host/sgx/loadpe.c
+++ b/host/sgx/loadpe.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/host/sgx/ocalls.c b/host/sgx/ocalls.c
index aba1c091e2..91c4541fe1 100644
--- a/host/sgx/ocalls.c
+++ b/host/sgx/ocalls.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/host/sgx/ocalls.h b/host/sgx/ocalls.h
index c4bb41ea3a..3281941259 100644
--- a/host/sgx/ocalls.h
+++ b/host/sgx/ocalls.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_SGX_OCALLS_H
diff --git a/host/sgx/platformquoteprovider.h b/host/sgx/platformquoteprovider.h
index 1b9c869758..07e2ac09f5 100644
--- a/host/sgx/platformquoteprovider.h
+++ b/host/sgx/platformquoteprovider.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #pragma once
diff --git a/host/sgx/quote.c b/host/sgx/quote.c
index 514cce2fd5..646d3a865f 100644
--- a/host/sgx/quote.c
+++ b/host/sgx/quote.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "quote.h"
diff --git a/host/sgx/quote.h b/host/sgx/quote.h
index 2b5377ce94..71ae20c7b0 100644
--- a/host/sgx/quote.h
+++ b/host/sgx/quote.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_QUOTE_H
diff --git a/host/sgx/registers.c b/host/sgx/registers.c
index d661f67ad7..00fb33963f 100644
--- a/host/sgx/registers.c
+++ b/host/sgx/registers.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #if defined(__linux__)
diff --git a/host/sgx/report.c b/host/sgx/report.c
index daa6f5409b..65ab2a34d8 100644
--- a/host/sgx/report.c
+++ b/host/sgx/report.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/host/sgx/sgx_u_wrapper.c b/host/sgx/sgx_u_wrapper.c
index 3eed2da9ab..503ad26c48 100644
--- a/host/sgx/sgx_u_wrapper.c
+++ b/host/sgx/sgx_u_wrapper.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/host/sgx/sgxload.c b/host/sgx/sgxload.c
index f639b086f2..d057ee59e6 100644
--- a/host/sgx/sgxload.c
+++ b/host/sgx/sgxload.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "sgxload.h"
diff --git a/host/sgx/sgxload.h b/host/sgx/sgxload.h
index 753ff749cf..9c0b7258c9 100644
--- a/host/sgx/sgxload.h
+++ b/host/sgx/sgxload.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SGXLOAD_H
diff --git a/host/sgx/sgxmeasure.c b/host/sgx/sgxmeasure.c
index 0b3ce7e098..07c31bfb5b 100644
--- a/host/sgx/sgxmeasure.c
+++ b/host/sgx/sgxmeasure.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "sgxmeasure.h"
diff --git a/host/sgx/sgxmeasure.h b/host/sgx/sgxmeasure.h
index 268185eba3..a23263d2cb 100644
--- a/host/sgx/sgxmeasure.h
+++ b/host/sgx/sgxmeasure.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SGXMEASURE_H
diff --git a/host/sgx/sgxquote.c b/host/sgx/sgxquote.c
index 32fee66107..3a23fda2a6 100644
--- a/host/sgx/sgxquote.c
+++ b/host/sgx/sgxquote.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #if defined(OE_LINK_SGX_DCAP_QL)
 
diff --git a/host/sgx/sgxquote.h b/host/sgx/sgxquote.h
index 6417653621..0bd5761b8a 100644
--- a/host/sgx/sgxquote.h
+++ b/host/sgx/sgxquote.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SGXQUOTE_H
diff --git a/host/sgx/sgxquoteprovider.c b/host/sgx/sgxquoteprovider.c
index 12116c12b8..bd7b83660d 100644
--- a/host/sgx/sgxquoteprovider.c
+++ b/host/sgx/sgxquoteprovider.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/host/sgx/sgxquoteprovider.h b/host/sgx/sgxquoteprovider.h
index 1658800f3e..79462cc580 100644
--- a/host/sgx/sgxquoteprovider.h
+++ b/host/sgx/sgxquoteprovider.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SGX_HOST_QUOTE_PROVIDER_H
diff --git a/host/sgx/sgxsign.c b/host/sgx/sgxsign.c
index 82f3604603..dd2bf28a98 100644
--- a/host/sgx/sgxsign.c
+++ b/host/sgx/sgxsign.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/host/sgx/sgxtypes.c b/host/sgx/sgxtypes.c
index fd0da988c7..5663b0d46f 100644
--- a/host/sgx/sgxtypes.c
+++ b/host/sgx/sgxtypes.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/hexdump.h>
diff --git a/host/sgx/switchless.c b/host/sgx/switchless.c
index 52261c91e9..679f21d4b8 100644
--- a/host/sgx/switchless.c
+++ b/host/sgx/switchless.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/host/sgx/windows/aep.asm b/host/sgx/windows/aep.asm
index b26cf028ca..79e05d8504 100644
--- a/host/sgx/windows/aep.asm
+++ b/host/sgx/windows/aep.asm
@@ -1,4 +1,4 @@
-;; Copyright (c) Microsoft Corporation. All rights reserved.
+;; Copyright (c) Open Enclave SDK contributors.
 ;; Licensed under the MIT License.
 
 include ksamd64.inc
diff --git a/host/sgx/windows/debugrtbridge.c b/host/sgx/windows/debugrtbridge.c
index 5be82e846f..be859906cf 100644
--- a/host/sgx/windows/debugrtbridge.c
+++ b/host/sgx/windows/debugrtbridge.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <Windows.h>
diff --git a/host/sgx/windows/enter.asm b/host/sgx/windows/enter.asm
index 2cb7881a62..dcbfdfe54b 100644
--- a/host/sgx/windows/enter.asm
+++ b/host/sgx/windows/enter.asm
@@ -1,4 +1,4 @@
-;; Copyright (c) Microsoft Corporation. All rights reserved.
+;; Copyright (c) Open Enclave SDK contributors.
 ;; Licensed under the MIT License.
 
 include ksamd64.inc
diff --git a/host/sgx/windows/entersim.asm b/host/sgx/windows/entersim.asm
index 4e1514be37..229759f074 100644
--- a/host/sgx/windows/entersim.asm
+++ b/host/sgx/windows/entersim.asm
@@ -1,4 +1,4 @@
-;; Copyright (c) Microsoft Corporation. All rights reserved.
+;; Copyright (c) Open Enclave SDK contributors.
 ;; Licensed under the MIT License.
 
 include ksamd64.inc
diff --git a/host/sgx/windows/exception.c b/host/sgx/windows/exception.c
index 71e7634175..1ad77cdf4f 100644
--- a/host/sgx/windows/exception.c
+++ b/host/sgx/windows/exception.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../exception.h"
diff --git a/host/sgx/windows/host_context.asm b/host/sgx/windows/host_context.asm
index d0aff41691..7221c2d962 100644
--- a/host/sgx/windows/host_context.asm
+++ b/host/sgx/windows/host_context.asm
@@ -1,4 +1,4 @@
-;; Copyright (c) Microsoft Corporation. All rights reserved.
+;; Copyright (c) Open Enclave SDK contributors.
 ;; Licensed under the MIT License.
 
 OE_CONTEXT_FLAGS    EQU 00
diff --git a/host/sgx/windows/sgxquoteproviderloader.c b/host/sgx/windows/sgxquoteproviderloader.c
index 3b18a04623..6e4eb42718 100644
--- a/host/sgx/windows/sgxquoteproviderloader.c
+++ b/host/sgx/windows/sgxquoteproviderloader.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <Windows.h>
diff --git a/host/sgx/windows/switchless.c b/host/sgx/windows/switchless.c
index e845249390..0931c935b8 100644
--- a/host/sgx/windows/switchless.c
+++ b/host/sgx/windows/switchless.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <Windows.h>
diff --git a/host/sgx/windows/xstate.c b/host/sgx/windows/xstate.c
index 5eca0d3d30..14e7640dcd 100644
--- a/host/sgx/windows/xstate.c
+++ b/host/sgx/windows/xstate.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../xstate.h"
diff --git a/host/sgx/xstate.h b/host/sgx/xstate.h
index 7585736efc..4c73f221e6 100644
--- a/host/sgx/xstate.h
+++ b/host/sgx/xstate.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_XSTATE_H
diff --git a/host/signkey.c b/host/signkey.c
index 696a3e9f8e..172055aae9 100644
--- a/host/signkey.c
+++ b/host/signkey.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "signkey.h"
diff --git a/host/signkey.h b/host/signkey.h
index dbaf5feba9..a022120779 100644
--- a/host/signkey.h
+++ b/host/signkey.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_SIGNKEY_H
diff --git a/host/strings.c b/host/strings.c
index f4d2ee61a8..dde3cb1b13 100644
--- a/host/strings.c
+++ b/host/strings.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "strings.h"
diff --git a/host/strings.h b/host/strings.h
index fb7f6609f8..ce66e47b3c 100644
--- a/host/strings.h
+++ b/host/strings.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HOST_STRINGS_H
diff --git a/host/syscall_u_wrapper.c b/host/syscall_u_wrapper.c
index e04bc51fe1..d7e5fae6f9 100644
--- a/host/syscall_u_wrapper.c
+++ b/host/syscall_u_wrapper.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/host/tee_u_wrapper.c b/host/tee_u_wrapper.c
index 6832ed0387..7691583a9f 100644
--- a/host/tee_u_wrapper.c
+++ b/host/tee_u_wrapper.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/host/tests.c b/host/tests.c
index 3deeef5de6..8bcdacd5a2 100644
--- a/host/tests.c
+++ b/host/tests.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/host/traceh.c b/host/traceh.c
index da2aec2a32..ba628e0d90 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/calls.h>
diff --git a/host/traceh_enclave.c b/host/traceh_enclave.c
index 4a1a13fb9f..f105f46a32 100644
--- a/host/traceh_enclave.c
+++ b/host/traceh_enclave.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/calls.h>
diff --git a/host/windows/hostthread.c b/host/windows/hostthread.c
index 2c42368385..0e73fd9720 100644
--- a/host/windows/hostthread.c
+++ b/host/windows/hostthread.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../hostthread.h"
diff --git a/host/windows/syscall.c b/host/windows/syscall.c
index 047036f658..0fdafb1f82 100644
--- a/host/windows/syscall.c
+++ b/host/windows/syscall.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /*
diff --git a/host/windows/time.c b/host/windows/time.c
index ca848ab58d..0c40096cab 100644
--- a/host/windows/time.c
+++ b/host/windows/time.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/include/CMakeLists.txt b/include/CMakeLists.txt
index 8e247028e4..15e4a6cfcb 100644
--- a/include/CMakeLists.txt
+++ b/include/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OE main include files, add interface library, add install steps
diff --git a/include/openenclave/bits/defs.h b/include/openenclave/bits/defs.h
index 7e5bdcacf6..aa30975854 100644
--- a/include/openenclave/bits/defs.h
+++ b/include/openenclave/bits/defs.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_BITS_DEFS_H
diff --git a/include/openenclave/bits/exception.h b/include/openenclave/bits/exception.h
index 6e4e16f3dd..2bda489e11 100644
--- a/include/openenclave/bits/exception.h
+++ b/include/openenclave/bits/exception.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/bits/fs.h b/include/openenclave/bits/fs.h
index 6ed53c1c17..f7220c44f6 100644
--- a/include/openenclave/bits/fs.h
+++ b/include/openenclave/bits/fs.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_BITS_FS_H
diff --git a/include/openenclave/bits/module.h b/include/openenclave/bits/module.h
index 9cca479894..09bdef92e0 100644
--- a/include/openenclave/bits/module.h
+++ b/include/openenclave/bits/module.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/bits/optee/opteeproperties.h b/include/openenclave/bits/optee/opteeproperties.h
index 79531eaa3e..2d7f6d7346 100644
--- a/include/openenclave/bits/optee/opteeproperties.h
+++ b/include/openenclave/bits/optee/opteeproperties.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // Additional copyrights follow:
diff --git a/include/openenclave/bits/properties.h b/include/openenclave/bits/properties.h
index a2cbf35eda..fb4e1841dc 100644
--- a/include/openenclave/bits/properties.h
+++ b/include/openenclave/bits/properties.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/bits/report.h b/include/openenclave/bits/report.h
index 1f09fc09f7..cc33063c42 100644
--- a/include/openenclave/bits/report.h
+++ b/include/openenclave/bits/report.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/bits/result.h b/include/openenclave/bits/result.h
index f931aca9b4..89ced3b075 100644
--- a/include/openenclave/bits/result.h
+++ b/include/openenclave/bits/result.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/bits/safecrt.h b/include/openenclave/bits/safecrt.h
index fd9a427cd1..f429c6702d 100644
--- a/include/openenclave/bits/safecrt.h
+++ b/include/openenclave/bits/safecrt.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SAFECRT_H
diff --git a/include/openenclave/bits/safemath.h b/include/openenclave/bits/safemath.h
index 995706b533..789d216679 100644
--- a/include/openenclave/bits/safemath.h
+++ b/include/openenclave/bits/safemath.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SAFEMATH_H
diff --git a/include/openenclave/bits/sgx/sgxproperties.h b/include/openenclave/bits/sgx/sgxproperties.h
index 826a85d21c..3dd2aa8ec5 100644
--- a/include/openenclave/bits/sgx/sgxproperties.h
+++ b/include/openenclave/bits/sgx/sgxproperties.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/bits/types.h b/include/openenclave/bits/types.h
index 9b06060025..65054158fc 100644
--- a/include/openenclave/bits/types.h
+++ b/include/openenclave/bits/types.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/corelibc/assert.h b/include/openenclave/corelibc/assert.h
index 95f235b5aa..6f015d60b3 100644
--- a/include/openenclave/corelibc/assert.h
+++ b/include/openenclave/corelibc/assert.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ASSERT_H
diff --git a/include/openenclave/corelibc/bits/atexit.h b/include/openenclave/corelibc/bits/atexit.h
index 1be51037b3..e47fc4518e 100644
--- a/include/openenclave/corelibc/bits/atexit.h
+++ b/include/openenclave/corelibc/bits/atexit.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_BITS_ATEXIT_H
diff --git a/include/openenclave/corelibc/bits/defs.h b/include/openenclave/corelibc/bits/defs.h
index cb5c20b0b0..d0af6f8cc3 100644
--- a/include/openenclave/corelibc/bits/defs.h
+++ b/include/openenclave/corelibc/bits/defs.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_CORELIBC_BITS_DEFS_H
diff --git a/include/openenclave/corelibc/bits/jmp_buf.h b/include/openenclave/corelibc/bits/jmp_buf.h
index a5a84fb3f9..9b2a7c5dc8 100644
--- a/include/openenclave/corelibc/bits/jmp_buf.h
+++ b/include/openenclave/corelibc/bits/jmp_buf.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /* These are the registers that are preserved across function calls
diff --git a/include/openenclave/corelibc/bits/malloc.h b/include/openenclave/corelibc/bits/malloc.h
index a4f459004a..5c2d491f51 100644
--- a/include/openenclave/corelibc/bits/malloc.h
+++ b/include/openenclave/corelibc/bits/malloc.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_BITS_MALLOC_H
diff --git a/include/openenclave/corelibc/bits/pthread_cond.h b/include/openenclave/corelibc/bits/pthread_cond.h
index 06416eede0..696a409af1 100644
--- a/include/openenclave/corelibc/bits/pthread_cond.h
+++ b/include/openenclave/corelibc/bits/pthread_cond.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_BITS_PTHREAD_COND_H
diff --git a/include/openenclave/corelibc/bits/pthread_create.h b/include/openenclave/corelibc/bits/pthread_create.h
index 1d88545b42..8cc1a936fb 100644
--- a/include/openenclave/corelibc/bits/pthread_create.h
+++ b/include/openenclave/corelibc/bits/pthread_create.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_BITS_PTHREAD_CREATE_H
diff --git a/include/openenclave/corelibc/bits/pthread_def.h b/include/openenclave/corelibc/bits/pthread_def.h
index 7869c362d9..b3202cb356 100644
--- a/include/openenclave/corelibc/bits/pthread_def.h
+++ b/include/openenclave/corelibc/bits/pthread_def.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_BITS_PTHREAD_DEF_H
diff --git a/include/openenclave/corelibc/bits/pthread_equal.h b/include/openenclave/corelibc/bits/pthread_equal.h
index 5801f2621a..a695a905dc 100644
--- a/include/openenclave/corelibc/bits/pthread_equal.h
+++ b/include/openenclave/corelibc/bits/pthread_equal.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_BITS_PTHREAD_EQUAL_H
diff --git a/include/openenclave/corelibc/bits/pthread_key.h b/include/openenclave/corelibc/bits/pthread_key.h
index 05375e7827..936dab0f57 100644
--- a/include/openenclave/corelibc/bits/pthread_key.h
+++ b/include/openenclave/corelibc/bits/pthread_key.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_BITS_PTHREAD_KEY_H
diff --git a/include/openenclave/corelibc/bits/pthread_mutex.h b/include/openenclave/corelibc/bits/pthread_mutex.h
index 3a60680654..4995a618a8 100644
--- a/include/openenclave/corelibc/bits/pthread_mutex.h
+++ b/include/openenclave/corelibc/bits/pthread_mutex.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_BITS_PTHREAD_MUTEX_H
diff --git a/include/openenclave/corelibc/bits/pthread_once.h b/include/openenclave/corelibc/bits/pthread_once.h
index a2a10a60c6..df7f413751 100644
--- a/include/openenclave/corelibc/bits/pthread_once.h
+++ b/include/openenclave/corelibc/bits/pthread_once.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_BITS_PTHREAD_ONCE_H
diff --git a/include/openenclave/corelibc/bits/pthread_rwlock.h b/include/openenclave/corelibc/bits/pthread_rwlock.h
index 35140756fb..adfaffb892 100644
--- a/include/openenclave/corelibc/bits/pthread_rwlock.h
+++ b/include/openenclave/corelibc/bits/pthread_rwlock.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_BITS_PTHREAD_RWLOCK_H
diff --git a/include/openenclave/corelibc/bits/pthread_spin.h b/include/openenclave/corelibc/bits/pthread_spin.h
index 70d9907596..bcaa949671 100644
--- a/include/openenclave/corelibc/bits/pthread_spin.h
+++ b/include/openenclave/corelibc/bits/pthread_spin.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_BITS_PTHREAD_SPIN_H
diff --git a/include/openenclave/corelibc/bits/stdfile.h b/include/openenclave/corelibc/bits/stdfile.h
index 94f67700c1..bee2a820ba 100644
--- a/include/openenclave/corelibc/bits/stdfile.h
+++ b/include/openenclave/corelibc/bits/stdfile.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_BITS_STDFILE_H
diff --git a/include/openenclave/corelibc/bits/strtoul.h b/include/openenclave/corelibc/bits/strtoul.h
index 5b2ad761cc..96acd49e35 100644
--- a/include/openenclave/corelibc/bits/strtoul.h
+++ b/include/openenclave/corelibc/bits/strtoul.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_BITS_STRTOUL_H
diff --git a/include/openenclave/corelibc/bits/types.h b/include/openenclave/corelibc/bits/types.h
index 384919662f..1e86e0cbee 100644
--- a/include/openenclave/corelibc/bits/types.h
+++ b/include/openenclave/corelibc/bits/types.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_CORELIBC_BITS_TYPES_H
diff --git a/include/openenclave/corelibc/ctype.h b/include/openenclave/corelibc/ctype.h
index f531c2d77f..d1f2dba6fe 100644
--- a/include/openenclave/corelibc/ctype.h
+++ b/include/openenclave/corelibc/ctype.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_CTYPE_H
diff --git a/include/openenclave/corelibc/endian.h b/include/openenclave/corelibc/endian.h
index 23332f478c..6d7b91e446 100644
--- a/include/openenclave/corelibc/endian.h
+++ b/include/openenclave/corelibc/endian.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /* This header is a dependency for directly compiling MUSL memcpy
diff --git a/include/openenclave/corelibc/errno.h b/include/openenclave/corelibc/errno.h
index ac8e1198fa..87de95ff1e 100644
--- a/include/openenclave/corelibc/errno.h
+++ b/include/openenclave/corelibc/errno.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ERRNO_H
diff --git a/include/openenclave/corelibc/inttypes.h b/include/openenclave/corelibc/inttypes.h
index d194bed477..cb1923a6f4 100644
--- a/include/openenclave/corelibc/inttypes.h
+++ b/include/openenclave/corelibc/inttypes.h
@@ -1,2 +1,2 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
diff --git a/include/openenclave/corelibc/limits.h b/include/openenclave/corelibc/limits.h
index 686335873e..2f3020534c 100644
--- a/include/openenclave/corelibc/limits.h
+++ b/include/openenclave/corelibc/limits.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_LIMITS_H
diff --git a/include/openenclave/corelibc/pthread.h b/include/openenclave/corelibc/pthread.h
index db8748ef4c..6a65aa40d7 100644
--- a/include/openenclave/corelibc/pthread.h
+++ b/include/openenclave/corelibc/pthread.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_PTHREAD_H
diff --git a/include/openenclave/corelibc/sched.h b/include/openenclave/corelibc/sched.h
index f89204cbb1..c23eb55320 100644
--- a/include/openenclave/corelibc/sched.h
+++ b/include/openenclave/corelibc/sched.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SCHED_H
diff --git a/include/openenclave/corelibc/setjmp.h b/include/openenclave/corelibc/setjmp.h
index e5659359fb..e1664459a8 100644
--- a/include/openenclave/corelibc/setjmp.h
+++ b/include/openenclave/corelibc/setjmp.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SETJMP_H
diff --git a/include/openenclave/corelibc/stdarg.h b/include/openenclave/corelibc/stdarg.h
index d1c7160db1..b671aaa2c4 100644
--- a/include/openenclave/corelibc/stdarg.h
+++ b/include/openenclave/corelibc/stdarg.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_STDARG_H
diff --git a/include/openenclave/corelibc/stdbool.h b/include/openenclave/corelibc/stdbool.h
index b4ccf603aa..315038a9fb 100644
--- a/include/openenclave/corelibc/stdbool.h
+++ b/include/openenclave/corelibc/stdbool.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_STDBOOL_H
diff --git a/include/openenclave/corelibc/stddef.h b/include/openenclave/corelibc/stddef.h
index 7f31c61d6d..c37ff05acd 100644
--- a/include/openenclave/corelibc/stddef.h
+++ b/include/openenclave/corelibc/stddef.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_STDDEF_H
diff --git a/include/openenclave/corelibc/stdint.h b/include/openenclave/corelibc/stdint.h
index 4330bbf430..320960b796 100644
--- a/include/openenclave/corelibc/stdint.h
+++ b/include/openenclave/corelibc/stdint.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_STDINT_H
diff --git a/include/openenclave/corelibc/stdio.h b/include/openenclave/corelibc/stdio.h
index 8c86ccc604..3d9ec1335e 100644
--- a/include/openenclave/corelibc/stdio.h
+++ b/include/openenclave/corelibc/stdio.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_STDIO_H
diff --git a/include/openenclave/corelibc/stdlib.h b/include/openenclave/corelibc/stdlib.h
index e57ce8bd43..34ac255178 100644
--- a/include/openenclave/corelibc/stdlib.h
+++ b/include/openenclave/corelibc/stdlib.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_STDLIB_H
diff --git a/include/openenclave/corelibc/string.h b/include/openenclave/corelibc/string.h
index 886b2d9e0a..13525b7b5d 100644
--- a/include/openenclave/corelibc/string.h
+++ b/include/openenclave/corelibc/string.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_STRING_H
diff --git a/include/openenclave/corelibc/time.h b/include/openenclave/corelibc/time.h
index d29636799b..20a49a4632 100644
--- a/include/openenclave/corelibc/time.h
+++ b/include/openenclave/corelibc/time.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_TIME_H
diff --git a/include/openenclave/corelibc/wchar.h b/include/openenclave/corelibc/wchar.h
index d194bed477..cb1923a6f4 100644
--- a/include/openenclave/corelibc/wchar.h
+++ b/include/openenclave/corelibc/wchar.h
@@ -1,2 +1,2 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
diff --git a/include/openenclave/edger8r/common.h b/include/openenclave/edger8r/common.h
index 73aa6d52d4..2aa86d98fd 100644
--- a/include/openenclave/edger8r/common.h
+++ b/include/openenclave/edger8r/common.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/edger8r/enclave.h b/include/openenclave/edger8r/enclave.h
index a502fba0a7..27f88699f6 100644
--- a/include/openenclave/edger8r/enclave.h
+++ b/include/openenclave/edger8r/enclave.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/edger8r/host.h b/include/openenclave/edger8r/host.h
index 7b9907d33f..2ac11b0ed8 100644
--- a/include/openenclave/edger8r/host.h
+++ b/include/openenclave/edger8r/host.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/enclave.h b/include/openenclave/enclave.h
index 5c89747324..8a3543cf9f 100644
--- a/include/openenclave/enclave.h
+++ b/include/openenclave/enclave.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/host.h b/include/openenclave/host.h
index 3a3e0eb165..ce6cca61ee 100644
--- a/include/openenclave/host.h
+++ b/include/openenclave/host.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/host_verify.h b/include/openenclave/host_verify.h
index dad2758224..48e400f444 100644
--- a/include/openenclave/host_verify.h
+++ b/include/openenclave/host_verify.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/internal/argv.h b/include/openenclave/internal/argv.h
index 0defdea2cf..9738dfc868 100644
--- a/include/openenclave/internal/argv.h
+++ b/include/openenclave/internal/argv.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_INTERNAL_ARGV_H
diff --git a/include/openenclave/internal/asn1.h b/include/openenclave/internal/asn1.h
index 107f3350ae..b9a0cd6870 100644
--- a/include/openenclave/internal/asn1.h
+++ b/include/openenclave/internal/asn1.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/internal/atomic.h b/include/openenclave/internal/atomic.h
index 5e177bc786..a463a584d6 100644
--- a/include/openenclave/internal/atomic.h
+++ b/include/openenclave/internal/atomic.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ATOMIC_H
diff --git a/include/openenclave/internal/backtrace.h b/include/openenclave/internal/backtrace.h
index 8fd28676f9..ff4748213c 100644
--- a/include/openenclave/internal/backtrace.h
+++ b/include/openenclave/internal/backtrace.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_BACKTRACE_H
diff --git a/include/openenclave/internal/calls.h b/include/openenclave/internal/calls.h
index 7025e44843..e09ed5d548 100644
--- a/include/openenclave/internal/calls.h
+++ b/include/openenclave/internal/calls.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_CALLS_H
diff --git a/include/openenclave/internal/cert.h b/include/openenclave/internal/cert.h
index f993acf8d8..bf228b7a05 100644
--- a/include/openenclave/internal/cert.h
+++ b/include/openenclave/internal/cert.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_CERT_INTERNAL_H
diff --git a/include/openenclave/internal/constants_x64.h b/include/openenclave/internal/constants_x64.h
index b74ec90c41..51238c2478 100644
--- a/include/openenclave/internal/constants_x64.h
+++ b/include/openenclave/internal/constants_x64.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_INTERNAL_CONSTANTS_X64_H
diff --git a/include/openenclave/internal/context.h b/include/openenclave/internal/context.h
index 07ae5dda5e..c66c2c6cf6 100644
--- a/include/openenclave/internal/context.h
+++ b/include/openenclave/internal/context.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_INTERNAL_CONTEXT_H
diff --git a/include/openenclave/internal/context.inc b/include/openenclave/internal/context.inc
index c293de2ebc..8fc6bf2ceb 100644
--- a/include/openenclave/internal/context.inc
+++ b/include/openenclave/internal/context.inc
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/constants_x64.h>
diff --git a/include/openenclave/internal/cpuid.h b/include/openenclave/internal/cpuid.h
index 9a79509e51..1b64b71e0f 100644
--- a/include/openenclave/internal/cpuid.h
+++ b/include/openenclave/internal/cpuid.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_CPUID_H
diff --git a/include/openenclave/internal/crypto/asn1.h b/include/openenclave/internal/crypto/asn1.h
index 1a7a3b15f2..f0cae3c65f 100644
--- a/include/openenclave/internal/crypto/asn1.h
+++ b/include/openenclave/internal/crypto/asn1.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/internal/crypto/cert.h b/include/openenclave/internal/crypto/cert.h
index ee9bf8d8b2..3823130cf0 100644
--- a/include/openenclave/internal/crypto/cert.h
+++ b/include/openenclave/internal/crypto/cert.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_CERT_H
diff --git a/include/openenclave/internal/crypto/cmac.h b/include/openenclave/internal/crypto/cmac.h
index 831ede86a4..c607a885c6 100644
--- a/include/openenclave/internal/crypto/cmac.h
+++ b/include/openenclave/internal/crypto/cmac.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_CMAC_H
diff --git a/include/openenclave/internal/crypto/crl.h b/include/openenclave/internal/crypto/crl.h
index 8d0fb3f1be..ab26c01cfa 100644
--- a/include/openenclave/internal/crypto/crl.h
+++ b/include/openenclave/internal/crypto/crl.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_CRL_H
diff --git a/include/openenclave/internal/crypto/ec.h b/include/openenclave/internal/crypto/ec.h
index 8bebde5b5c..feceec75e9 100644
--- a/include/openenclave/internal/crypto/ec.h
+++ b/include/openenclave/internal/crypto/ec.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_EC_H
diff --git a/include/openenclave/internal/crypto/hash.h b/include/openenclave/internal/crypto/hash.h
index bcdb9c4cfc..8c58aac129 100644
--- a/include/openenclave/internal/crypto/hash.h
+++ b/include/openenclave/internal/crypto/hash.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HASH_H
diff --git a/include/openenclave/internal/crypto/hmac.h b/include/openenclave/internal/crypto/hmac.h
index a712b8d6a4..91a701cc60 100644
--- a/include/openenclave/internal/crypto/hmac.h
+++ b/include/openenclave/internal/crypto/hmac.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HMAC_H
diff --git a/include/openenclave/internal/crypto/kdf.h b/include/openenclave/internal/crypto/kdf.h
index 374ad32c60..c187ce4d29 100644
--- a/include/openenclave/internal/crypto/kdf.h
+++ b/include/openenclave/internal/crypto/kdf.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_KDF_H
diff --git a/include/openenclave/internal/crypto/oid.h b/include/openenclave/internal/crypto/oid.h
index e5e67af981..9de30e97bc 100644
--- a/include/openenclave/internal/crypto/oid.h
+++ b/include/openenclave/internal/crypto/oid.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_OID_H
diff --git a/include/openenclave/internal/crypto/sha.h b/include/openenclave/internal/crypto/sha.h
index 355e0c99a0..796b091c47 100644
--- a/include/openenclave/internal/crypto/sha.h
+++ b/include/openenclave/internal/crypto/sha.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SHA_H
diff --git a/include/openenclave/internal/datetime.h b/include/openenclave/internal/datetime.h
index 4b426fd42e..d9e98c665b 100644
--- a/include/openenclave/internal/datetime.h
+++ b/include/openenclave/internal/datetime.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_INTERNAL_DATETIME_H
diff --git a/include/openenclave/internal/debugrt/host.h b/include/openenclave/internal/debugrt/host.h
index e0fa85b621..bc19bb8712 100644
--- a/include/openenclave/internal/debugrt/host.h
+++ b/include/openenclave/internal/debugrt/host.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/internal/defs.h b/include/openenclave/internal/defs.h
index 75e8d4150d..30d97b9b40 100644
--- a/include/openenclave/internal/defs.h
+++ b/include/openenclave/internal/defs.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_INTERNAL_DEFS_H
diff --git a/include/openenclave/internal/ec.h b/include/openenclave/internal/ec.h
index 6db40cdc65..e6fe924249 100644
--- a/include/openenclave/internal/ec.h
+++ b/include/openenclave/internal/ec.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_EC_INTERNAL_H
diff --git a/include/openenclave/internal/elf.h b/include/openenclave/internal/elf.h
index b2572c4ce9..acac5218c3 100644
--- a/include/openenclave/internal/elf.h
+++ b/include/openenclave/internal/elf.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ELF_H
diff --git a/include/openenclave/internal/entropy.h b/include/openenclave/internal/entropy.h
index 6ea2ad21a4..e9df1e3a0b 100644
--- a/include/openenclave/internal/entropy.h
+++ b/include/openenclave/internal/entropy.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ENTROPY_H
diff --git a/include/openenclave/internal/epid.h b/include/openenclave/internal/epid.h
index fd51514193..23d6f5dc23 100644
--- a/include/openenclave/internal/epid.h
+++ b/include/openenclave/internal/epid.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /*
diff --git a/include/openenclave/internal/error.h b/include/openenclave/internal/error.h
index 9019a93946..d0c3e521f9 100644
--- a/include/openenclave/internal/error.h
+++ b/include/openenclave/internal/error.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ERROR_H
diff --git a/include/openenclave/internal/fault.h b/include/openenclave/internal/fault.h
index ca294a99c3..85f21ecbd1 100644
--- a/include/openenclave/internal/fault.h
+++ b/include/openenclave/internal/fault.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_FAULT_H
diff --git a/include/openenclave/internal/files.h b/include/openenclave/internal/files.h
index 33fbe64e60..0d4b94625f 100644
--- a/include/openenclave/internal/files.h
+++ b/include/openenclave/internal/files.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_FILES_H
diff --git a/include/openenclave/internal/globals.h b/include/openenclave/internal/globals.h
index b4a60cfcf7..acf9f89cf6 100644
--- a/include/openenclave/internal/globals.h
+++ b/include/openenclave/internal/globals.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_GLOBALS_H
diff --git a/include/openenclave/internal/hexdump.h b/include/openenclave/internal/hexdump.h
index 63cec3310f..55ee11556c 100644
--- a/include/openenclave/internal/hexdump.h
+++ b/include/openenclave/internal/hexdump.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_HEXDUMP_H
diff --git a/include/openenclave/internal/jump.h b/include/openenclave/internal/jump.h
index 1693868b43..3809c0fae3 100644
--- a/include/openenclave/internal/jump.h
+++ b/include/openenclave/internal/jump.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_JUMP_H
diff --git a/include/openenclave/internal/kdf.h b/include/openenclave/internal/kdf.h
index 212236e5c2..4f15fec648 100644
--- a/include/openenclave/internal/kdf.h
+++ b/include/openenclave/internal/kdf.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_KDF_INTERNAL_H
diff --git a/include/openenclave/internal/load.h b/include/openenclave/internal/load.h
index d268730a39..3a5d022912 100644
--- a/include/openenclave/internal/load.h
+++ b/include/openenclave/internal/load.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_LOAD_H
diff --git a/include/openenclave/internal/malloc.h b/include/openenclave/internal/malloc.h
index 03482ddc99..40b9c858d2 100644
--- a/include/openenclave/internal/malloc.h
+++ b/include/openenclave/internal/malloc.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_MALLOC_H
diff --git a/include/openenclave/internal/mem.h b/include/openenclave/internal/mem.h
index d928434138..2e8787fdc0 100644
--- a/include/openenclave/internal/mem.h
+++ b/include/openenclave/internal/mem.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _MEM_H
diff --git a/include/openenclave/internal/pem.h b/include/openenclave/internal/pem.h
index 22005e3190..37cd625503 100644
--- a/include/openenclave/internal/pem.h
+++ b/include/openenclave/internal/pem.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_PEM_H
diff --git a/include/openenclave/internal/print.h b/include/openenclave/internal/print.h
index 3eb15e079c..ee28d6c494 100644
--- a/include/openenclave/internal/print.h
+++ b/include/openenclave/internal/print.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_PRINT_H
diff --git a/include/openenclave/internal/properties.h b/include/openenclave/internal/properties.h
index 73ae94a9d2..1379d16e5a 100644
--- a/include/openenclave/internal/properties.h
+++ b/include/openenclave/internal/properties.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_INTERNAL_PROPERTIES_H
diff --git a/include/openenclave/internal/pthreadhooks.h b/include/openenclave/internal/pthreadhooks.h
index fd8b7d364a..6d5d77589f 100644
--- a/include/openenclave/internal/pthreadhooks.h
+++ b/include/openenclave/internal/pthreadhooks.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_INTERNAL_PTHREADHOOKS_H
diff --git a/include/openenclave/internal/raise.h b/include/openenclave/internal/raise.h
index b9297b7a45..4a4fa71f91 100644
--- a/include/openenclave/internal/raise.h
+++ b/include/openenclave/internal/raise.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/internal/random.h b/include/openenclave/internal/random.h
index 400c537bef..989ce4a033 100644
--- a/include/openenclave/internal/random.h
+++ b/include/openenclave/internal/random.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_RANDOM_INTERNAL_H
diff --git a/include/openenclave/internal/rdrand.h b/include/openenclave/internal/rdrand.h
index 1189026843..55a0caa55d 100644
--- a/include/openenclave/internal/rdrand.h
+++ b/include/openenclave/internal/rdrand.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_RDRAND_H
diff --git a/include/openenclave/internal/rdseed.h b/include/openenclave/internal/rdseed.h
index 6e1618c042..12263e1d39 100644
--- a/include/openenclave/internal/rdseed.h
+++ b/include/openenclave/internal/rdseed.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_RDSEED_H
diff --git a/include/openenclave/internal/registers.h b/include/openenclave/internal/registers.h
index dbb81242aa..1a38147b51 100644
--- a/include/openenclave/internal/registers.h
+++ b/include/openenclave/internal/registers.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ASM_H
diff --git a/include/openenclave/internal/report.h b/include/openenclave/internal/report.h
index 00b24c465f..b1a1a87038 100644
--- a/include/openenclave/internal/report.h
+++ b/include/openenclave/internal/report.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_INCLUDE_REPORT_H_
diff --git a/include/openenclave/internal/result.h b/include/openenclave/internal/result.h
index 45939d34f3..f412528cf2 100644
--- a/include/openenclave/internal/result.h
+++ b/include/openenclave/internal/result.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/internal/rsa.h b/include/openenclave/internal/rsa.h
index cc22d99341..b2b3b0ac15 100644
--- a/include/openenclave/internal/rsa.h
+++ b/include/openenclave/internal/rsa.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_RSA_H
diff --git a/include/openenclave/internal/sgx/sgxproperties.h b/include/openenclave/internal/sgx/sgxproperties.h
index b6d02afcd5..f7b59b4903 100644
--- a/include/openenclave/internal/sgx/sgxproperties.h
+++ b/include/openenclave/internal/sgx/sgxproperties.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_INTERNAL_SGX_PROPERTIES_H
diff --git a/include/openenclave/internal/sgxcertextensions.h b/include/openenclave/internal/sgxcertextensions.h
index 046c648176..7ad23ffbd3 100644
--- a/include/openenclave/internal/sgxcertextensions.h
+++ b/include/openenclave/internal/sgxcertextensions.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SGXCERTEXTENSIONS_H
diff --git a/include/openenclave/internal/sgxcreate.h b/include/openenclave/internal/sgxcreate.h
index 0344612934..a7db1d9d8f 100644
--- a/include/openenclave/internal/sgxcreate.h
+++ b/include/openenclave/internal/sgxcreate.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SGXCREATE_H
diff --git a/include/openenclave/internal/sgxkeys.h b/include/openenclave/internal/sgxkeys.h
index ba128085b6..68ab543e52 100644
--- a/include/openenclave/internal/sgxkeys.h
+++ b/include/openenclave/internal/sgxkeys.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_KEYS_H
diff --git a/include/openenclave/internal/sgxsign.h b/include/openenclave/internal/sgxsign.h
index 8b83832129..83c65296d5 100644
--- a/include/openenclave/internal/sgxsign.h
+++ b/include/openenclave/internal/sgxsign.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SIGNSGX_H
diff --git a/include/openenclave/internal/sgxtypes.h b/include/openenclave/internal/sgxtypes.h
index 22c689fe15..ca0927a38c 100644
--- a/include/openenclave/internal/sgxtypes.h
+++ b/include/openenclave/internal/sgxtypes.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SGXTYPES_H
diff --git a/include/openenclave/internal/stack_alloc.h b/include/openenclave/internal/stack_alloc.h
index cc83d7c5c6..dc33fcd20b 100644
--- a/include/openenclave/internal/stack_alloc.h
+++ b/include/openenclave/internal/stack_alloc.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_STACK_ALLOC_H
diff --git a/include/openenclave/internal/str.h b/include/openenclave/internal/str.h
index 0b09c5b3ef..40a1a294fe 100644
--- a/include/openenclave/internal/str.h
+++ b/include/openenclave/internal/str.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_STR_H
diff --git a/include/openenclave/internal/switchless.h b/include/openenclave/internal/switchless.h
index 24b9e09ecc..a6c3d37427 100644
--- a/include/openenclave/internal/switchless.h
+++ b/include/openenclave/internal/switchless.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SWITCHLESS_H
diff --git a/include/openenclave/internal/syscall.h b/include/openenclave/internal/syscall.h
index 5abb407193..5e15d248e2 100644
--- a/include/openenclave/internal/syscall.h
+++ b/include/openenclave/internal/syscall.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_INTERNAL_SYSCALL_H
diff --git a/include/openenclave/internal/syscall/arpa/inet.h b/include/openenclave/internal/syscall/arpa/inet.h
index c2d0e24eed..69d0162e17 100644
--- a/include/openenclave/internal/syscall/arpa/inet.h
+++ b/include/openenclave/internal/syscall/arpa/inet.h
@@ -1,4 +1,4 @@
-/* Copyright (c) Microsoft Corporation. All rights reserved. */
+/* Copyright (c) Open Enclave SDK contributors. */
 /* Licensed under the MIT License. */
 
 #ifndef OE_SYSCALL_ARPA_INET_H
diff --git a/include/openenclave/internal/syscall/bits/addrinfo.h b/include/openenclave/internal/syscall/bits/addrinfo.h
index af9868e0c1..a3516d2945 100644
--- a/include/openenclave/internal/syscall/bits/addrinfo.h
+++ b/include/openenclave/internal/syscall/bits/addrinfo.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 struct __OE_ADDRINFO
diff --git a/include/openenclave/internal/syscall/bits/dirent.h b/include/openenclave/internal/syscall/bits/dirent.h
index a6b3be28e6..c2530ab8a3 100644
--- a/include/openenclave/internal/syscall/bits/dirent.h
+++ b/include/openenclave/internal/syscall/bits/dirent.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 struct __OE_DIRENT
diff --git a/include/openenclave/internal/syscall/bits/sigaction.h b/include/openenclave/internal/syscall/bits/sigaction.h
index 0a1ea4d3a4..c92d0849fe 100644
--- a/include/openenclave/internal/syscall/bits/sigaction.h
+++ b/include/openenclave/internal/syscall/bits/sigaction.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 struct __OE_SIGACTION
diff --git a/include/openenclave/internal/syscall/bits/siginfo.h b/include/openenclave/internal/syscall/bits/siginfo.h
index 8c5e8e2fa3..8168055960 100644
--- a/include/openenclave/internal/syscall/bits/siginfo.h
+++ b/include/openenclave/internal/syscall/bits/siginfo.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #define __OE_SI_PAD_SIZE ((128 / sizeof(int)) - 4)
 
diff --git a/include/openenclave/internal/syscall/device.h b/include/openenclave/internal/syscall/device.h
index 912f94ca92..dc6f5b1eb9 100644
--- a/include/openenclave/internal/syscall/device.h
+++ b/include/openenclave/internal/syscall/device.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_DEVICE_H
diff --git a/include/openenclave/internal/syscall/dirent.h b/include/openenclave/internal/syscall/dirent.h
index fe962bd134..e79332c73d 100644
--- a/include/openenclave/internal/syscall/dirent.h
+++ b/include/openenclave/internal/syscall/dirent.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_DIRENT_H
diff --git a/include/openenclave/internal/syscall/fcntl.h b/include/openenclave/internal/syscall/fcntl.h
index b4e802bbaa..c514082fd2 100644
--- a/include/openenclave/internal/syscall/fcntl.h
+++ b/include/openenclave/internal/syscall/fcntl.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_FCNTL_H
diff --git a/include/openenclave/internal/syscall/fd.h b/include/openenclave/internal/syscall/fd.h
index c58a4b5c0c..2936b90e30 100644
--- a/include/openenclave/internal/syscall/fd.h
+++ b/include/openenclave/internal/syscall/fd.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_FD_H
diff --git a/include/openenclave/internal/syscall/fdtable.h b/include/openenclave/internal/syscall/fdtable.h
index 35676eae0e..3c5df59719 100644
--- a/include/openenclave/internal/syscall/fdtable.h
+++ b/include/openenclave/internal/syscall/fdtable.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_FDTABLE_H
diff --git a/include/openenclave/internal/syscall/host.h b/include/openenclave/internal/syscall/host.h
index 7e75ac7230..ff970e6ca9 100644
--- a/include/openenclave/internal/syscall/host.h
+++ b/include/openenclave/internal/syscall/host.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_HOST_H
diff --git a/include/openenclave/internal/syscall/iov.h b/include/openenclave/internal/syscall/iov.h
index 5ea3e267de..aed31cb800 100644
--- a/include/openenclave/internal/syscall/iov.h
+++ b/include/openenclave/internal/syscall/iov.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_IOV_H
diff --git a/include/openenclave/internal/syscall/netdb.h b/include/openenclave/internal/syscall/netdb.h
index b0c0099392..3975e1a5aa 100644
--- a/include/openenclave/internal/syscall/netdb.h
+++ b/include/openenclave/internal/syscall/netdb.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_NETDB_H_
diff --git a/include/openenclave/internal/syscall/netinet/bits/in6_addr.h b/include/openenclave/internal/syscall/netinet/bits/in6_addr.h
index 64ccd921d5..d0e1981a47 100644
--- a/include/openenclave/internal/syscall/netinet/bits/in6_addr.h
+++ b/include/openenclave/internal/syscall/netinet/bits/in6_addr.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 struct __OE_IN6_ADDR
diff --git a/include/openenclave/internal/syscall/netinet/bits/sockaddr_in.h b/include/openenclave/internal/syscall/netinet/bits/sockaddr_in.h
index a1eea520fa..b670fb7b69 100644
--- a/include/openenclave/internal/syscall/netinet/bits/sockaddr_in.h
+++ b/include/openenclave/internal/syscall/netinet/bits/sockaddr_in.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 struct __OE_SOCKADDR_IN
diff --git a/include/openenclave/internal/syscall/netinet/bits/sockaddr_in6.h b/include/openenclave/internal/syscall/netinet/bits/sockaddr_in6.h
index e877868076..1e6114b52d 100644
--- a/include/openenclave/internal/syscall/netinet/bits/sockaddr_in6.h
+++ b/include/openenclave/internal/syscall/netinet/bits/sockaddr_in6.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 struct __OE_SOCKADDR_IN6
diff --git a/include/openenclave/internal/syscall/netinet/in.h b/include/openenclave/internal/syscall/netinet/in.h
index abe0063961..ffbba3ff1b 100644
--- a/include/openenclave/internal/syscall/netinet/in.h
+++ b/include/openenclave/internal/syscall/netinet/in.h
@@ -1,4 +1,4 @@
-/* Copyright (c) Microsoft Corporation. All rights reserved. */
+/* Copyright (c) Open Enclave SDK contributors. */
 /* Licensed under the MIT License. */
 
 #ifndef _OE_SYSCALL_NETINET_IN_H
diff --git a/include/openenclave/internal/syscall/poll.h b/include/openenclave/internal/syscall/poll.h
index f8d7df9e76..730391e451 100644
--- a/include/openenclave/internal/syscall/poll.h
+++ b/include/openenclave/internal/syscall/poll.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_POLL_H
diff --git a/include/openenclave/internal/syscall/raise.h b/include/openenclave/internal/syscall/raise.h
index b13391f247..5f328735da 100644
--- a/include/openenclave/internal/syscall/raise.h
+++ b/include/openenclave/internal/syscall/raise.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_RAISE_H
diff --git a/include/openenclave/internal/syscall/resolver.h b/include/openenclave/internal/syscall/resolver.h
index 4acd8e0c07..9bf6e3e43e 100644
--- a/include/openenclave/internal/syscall/resolver.h
+++ b/include/openenclave/internal/syscall/resolver.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_RESOLVER_H
diff --git a/include/openenclave/internal/syscall/sys/bits/epoll_data.h b/include/openenclave/internal/syscall/sys/bits/epoll_data.h
index 2cb817bd11..1db508409c 100644
--- a/include/openenclave/internal/syscall/sys/bits/epoll_data.h
+++ b/include/openenclave/internal/syscall/sys/bits/epoll_data.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 typedef union __OE_EPOLL_DATA {
diff --git a/include/openenclave/internal/syscall/sys/bits/epoll_event.h b/include/openenclave/internal/syscall/sys/bits/epoll_event.h
index 953e1236e5..27ad847926 100644
--- a/include/openenclave/internal/syscall/sys/bits/epoll_event.h
+++ b/include/openenclave/internal/syscall/sys/bits/epoll_event.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /*
diff --git a/include/openenclave/internal/syscall/sys/bits/fd_set.h b/include/openenclave/internal/syscall/sys/bits/fd_set.h
index c7bf9aef4a..002ae411f9 100644
--- a/include/openenclave/internal/syscall/sys/bits/fd_set.h
+++ b/include/openenclave/internal/syscall/sys/bits/fd_set.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 typedef struct
diff --git a/include/openenclave/internal/syscall/sys/bits/msghdr.h b/include/openenclave/internal/syscall/sys/bits/msghdr.h
index 705f0c0e18..93e03aaa1f 100644
--- a/include/openenclave/internal/syscall/sys/bits/msghdr.h
+++ b/include/openenclave/internal/syscall/sys/bits/msghdr.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 struct __OE_MSGHDR
diff --git a/include/openenclave/internal/syscall/sys/bits/sigset.h b/include/openenclave/internal/syscall/sys/bits/sigset.h
index 397f8e6568..e29132e827 100644
--- a/include/openenclave/internal/syscall/sys/bits/sigset.h
+++ b/include/openenclave/internal/syscall/sys/bits/sigset.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SIGSET_H
diff --git a/include/openenclave/internal/syscall/sys/bits/sockaddr.h b/include/openenclave/internal/syscall/sys/bits/sockaddr.h
index b3dc4995de..f14a60a2d2 100644
--- a/include/openenclave/internal/syscall/sys/bits/sockaddr.h
+++ b/include/openenclave/internal/syscall/sys/bits/sockaddr.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 struct __OE_SOCKADDR
diff --git a/include/openenclave/internal/syscall/sys/bits/sockaddr_storage.h b/include/openenclave/internal/syscall/sys/bits/sockaddr_storage.h
index 49ed4714ae..78f834ebc1 100644
--- a/include/openenclave/internal/syscall/sys/bits/sockaddr_storage.h
+++ b/include/openenclave/internal/syscall/sys/bits/sockaddr_storage.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 struct __OE_SOCKADDR_STORAGE
diff --git a/include/openenclave/internal/syscall/sys/bits/stat.h b/include/openenclave/internal/syscall/sys/bits/stat.h
index b29f27f776..b8396c7d11 100644
--- a/include/openenclave/internal/syscall/sys/bits/stat.h
+++ b/include/openenclave/internal/syscall/sys/bits/stat.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // clang-format off
diff --git a/include/openenclave/internal/syscall/sys/bits/syscall_aarch64.h b/include/openenclave/internal/syscall/sys/bits/syscall_aarch64.h
index bafa7c7b82..a20fe8b042 100644
--- a/include/openenclave/internal/syscall/sys/bits/syscall_aarch64.h
+++ b/include/openenclave/internal/syscall/sys/bits/syscall_aarch64.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define OE_SYS_io_setup 0
diff --git a/include/openenclave/internal/syscall/sys/bits/syscall_x86_64.h b/include/openenclave/internal/syscall/sys/bits/syscall_x86_64.h
index 367df67c3a..4cac0e024d 100644
--- a/include/openenclave/internal/syscall/sys/bits/syscall_x86_64.h
+++ b/include/openenclave/internal/syscall/sys/bits/syscall_x86_64.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define OE_SYS_read 0
diff --git a/include/openenclave/internal/syscall/sys/bits/utsname.h b/include/openenclave/internal/syscall/sys/bits/utsname.h
index 18734ee6bd..acc9f6574b 100644
--- a/include/openenclave/internal/syscall/sys/bits/utsname.h
+++ b/include/openenclave/internal/syscall/sys/bits/utsname.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define __OE_UTSNAME_FIELD_SIZE 65
diff --git a/include/openenclave/internal/syscall/sys/epoll.h b/include/openenclave/internal/syscall/sys/epoll.h
index dbc78916f3..1d315a7581 100644
--- a/include/openenclave/internal/syscall/sys/epoll.h
+++ b/include/openenclave/internal/syscall/sys/epoll.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYS_EPOLL_H
diff --git a/include/openenclave/internal/syscall/sys/ioctl.h b/include/openenclave/internal/syscall/sys/ioctl.h
index 335a17e113..9beb41c0c1 100644
--- a/include/openenclave/internal/syscall/sys/ioctl.h
+++ b/include/openenclave/internal/syscall/sys/ioctl.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_SYS_IOCTL_H
diff --git a/include/openenclave/internal/syscall/sys/mount.h b/include/openenclave/internal/syscall/sys/mount.h
index a445622a01..31ab7bdfdc 100644
--- a/include/openenclave/internal/syscall/sys/mount.h
+++ b/include/openenclave/internal/syscall/sys/mount.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_SYS_MOUNT_H
diff --git a/include/openenclave/internal/syscall/sys/poll.h b/include/openenclave/internal/syscall/sys/poll.h
index 4c697664fa..754987f380 100644
--- a/include/openenclave/internal/syscall/sys/poll.h
+++ b/include/openenclave/internal/syscall/sys/poll.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_SYS_POLL_H
diff --git a/include/openenclave/internal/syscall/sys/select.h b/include/openenclave/internal/syscall/sys/select.h
index 5f5f8c9a72..eb25658430 100644
--- a/include/openenclave/internal/syscall/sys/select.h
+++ b/include/openenclave/internal/syscall/sys/select.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_SYS_SELECT_H
diff --git a/include/openenclave/internal/syscall/sys/socket.h b/include/openenclave/internal/syscall/sys/socket.h
index cb49c2b221..d7aaeb2a0f 100644
--- a/include/openenclave/internal/syscall/sys/socket.h
+++ b/include/openenclave/internal/syscall/sys/socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_SYS_SOCKET_H
diff --git a/include/openenclave/internal/syscall/sys/stat.h b/include/openenclave/internal/syscall/sys/stat.h
index d0bcc6cda0..0c5eec423a 100644
--- a/include/openenclave/internal/syscall/sys/stat.h
+++ b/include/openenclave/internal/syscall/sys/stat.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_SYS_STAT_H
diff --git a/include/openenclave/internal/syscall/sys/syscall.h b/include/openenclave/internal/syscall/sys/syscall.h
index 755ebb7a0c..fc3ed903ab 100644
--- a/include/openenclave/internal/syscall/sys/syscall.h
+++ b/include/openenclave/internal/syscall/sys/syscall.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_SYS_SYSCALL_H
diff --git a/include/openenclave/internal/syscall/sys/time.h b/include/openenclave/internal/syscall/sys/time.h
index e6dcd9645f..69641d166d 100644
--- a/include/openenclave/internal/syscall/sys/time.h
+++ b/include/openenclave/internal/syscall/sys/time.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_SYS_TIME_H
diff --git a/include/openenclave/internal/syscall/sys/types.h b/include/openenclave/internal/syscall/sys/types.h
index d8ad99238d..70f61eeaae 100644
--- a/include/openenclave/internal/syscall/sys/types.h
+++ b/include/openenclave/internal/syscall/sys/types.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_SYS_TYPES_H
diff --git a/include/openenclave/internal/syscall/sys/uio.h b/include/openenclave/internal/syscall/sys/uio.h
index 74998ec2da..56375cdd78 100644
--- a/include/openenclave/internal/syscall/sys/uio.h
+++ b/include/openenclave/internal/syscall/sys/uio.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_SYS_UIO_H
diff --git a/include/openenclave/internal/syscall/sys/utsname.h b/include/openenclave/internal/syscall/sys/utsname.h
index cb3262fb01..c74ddfa746 100644
--- a/include/openenclave/internal/syscall/sys/utsname.h
+++ b/include/openenclave/internal/syscall/sys/utsname.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_SYS_UTSNAME_H
diff --git a/include/openenclave/internal/syscall/types.h b/include/openenclave/internal/syscall/types.h
index 1ed571cec6..9a6ba7dd16 100644
--- a/include/openenclave/internal/syscall/types.h
+++ b/include/openenclave/internal/syscall/types.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_TYPES_H
diff --git a/include/openenclave/internal/syscall/unistd.h b/include/openenclave/internal/syscall/unistd.h
index 8596ba7681..15d8dd2df0 100644
--- a/include/openenclave/internal/syscall/unistd.h
+++ b/include/openenclave/internal/syscall/unistd.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_UNISTD_H
diff --git a/include/openenclave/internal/tests.h b/include/openenclave/internal/tests.h
index 9934a0f1eb..b279bbd272 100644
--- a/include/openenclave/internal/tests.h
+++ b/include/openenclave/internal/tests.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_TESTS_H
diff --git a/include/openenclave/internal/thread.h b/include/openenclave/internal/thread.h
index 4371010dc7..ac799501ee 100644
--- a/include/openenclave/internal/thread.h
+++ b/include/openenclave/internal/thread.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_INCLUDE_THREAD_H
diff --git a/include/openenclave/internal/time.h b/include/openenclave/internal/time.h
index e09b3045bb..fe0548950e 100644
--- a/include/openenclave/internal/time.h
+++ b/include/openenclave/internal/time.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_INCLUDE_TIME_H
diff --git a/include/openenclave/internal/trace.h b/include/openenclave/internal/trace.h
index 5ea681209f..38867e0b66 100644
--- a/include/openenclave/internal/trace.h
+++ b/include/openenclave/internal/trace.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_TRACE_H
diff --git a/include/openenclave/internal/types.h b/include/openenclave/internal/types.h
index 78e597eaa9..889033eb4b 100644
--- a/include/openenclave/internal/types.h
+++ b/include/openenclave/internal/types.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_INTERNAL_TYPES_H
diff --git a/include/openenclave/internal/utils.h b/include/openenclave/internal/utils.h
index 42c0379c4a..93716b343a 100644
--- a/include/openenclave/internal/utils.h
+++ b/include/openenclave/internal/utils.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_UTILS_H
diff --git a/libc/CMakeLists.txt b/libc/CMakeLists.txt
index f6f76b28df..4b239abb32 100644
--- a/libc/CMakeLists.txt
+++ b/libc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Build the C library, using local sources and sources from musl.
diff --git a/libc/__printf_chk.c b/libc/__printf_chk.c
index 90c86f0df7..75792e28e2 100644
--- a/libc/__printf_chk.c
+++ b/libc/__printf_chk.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/libc/__vfprintf_chk.c b/libc/__vfprintf_chk.c
index 695dc8e6a0..3b04b0627d 100644
--- a/libc/__vfprintf_chk.c
+++ b/libc/__vfprintf_chk.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <stdio.h>
diff --git a/libc/atexit.c b/libc/atexit.c
index de3a56bc69..6a9916fdb5 100644
--- a/libc/atexit.c
+++ b/libc/atexit.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/stdlib.h>
diff --git a/libc/dladdr.c b/libc/dladdr.c
index aa9deb9969..4cc093abb2 100644
--- a/libc/dladdr.c
+++ b/libc/dladdr.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define _GNU_SOURCE
diff --git a/libc/epoll.c b/libc/epoll.c
index 9fa1c842d4..70847f14ec 100644
--- a/libc/epoll.c
+++ b/libc/epoll.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/syscall/sys/epoll.h>
diff --git a/libc/errno.c b/libc/errno.c
index c226e12ba8..9c2c084279 100644
--- a/libc/errno.c
+++ b/libc/errno.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/errno.h>
diff --git a/libc/exit.c b/libc/exit.c
index 1c82080556..1362c421f1 100644
--- a/libc/exit.c
+++ b/libc/exit.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/defs.h>
diff --git a/libc/freeaddrinfo.c b/libc/freeaddrinfo.c
index 7cc4e749c0..cfcbea21af 100644
--- a/libc/freeaddrinfo.c
+++ b/libc/freeaddrinfo.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/syscall/netdb.h>
diff --git a/libc/getaddrinfo.c b/libc/getaddrinfo.c
index aaf3e52cb2..d77a1a1ae2 100644
--- a/libc/getaddrinfo.c
+++ b/libc/getaddrinfo.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/syscall/netdb.h>
diff --git a/libc/getnameinfo.c b/libc/getnameinfo.c
index 76df49ddc5..3ce7cfa5c6 100644
--- a/libc/getnameinfo.c
+++ b/libc/getnameinfo.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/syscall/netdb.h>
diff --git a/libc/kill.c b/libc/kill.c
index db66222964..ca452550fb 100644
--- a/libc/kill.c
+++ b/libc/kill.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/libc/libunwind_stubs.c b/libc/libunwind_stubs.c
index b0f766a021..7bafb41ad1 100644
--- a/libc/libunwind_stubs.c
+++ b/libc/libunwind_stubs.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define _GNU_SOURCE
diff --git a/libc/link.c b/libc/link.c
index bfac7463bc..48bb303fb2 100644
--- a/libc/link.c
+++ b/libc/link.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/libc/locale.c b/libc/locale.c
index 42fb32fa2c..406aad06a0 100644
--- a/libc/locale.c
+++ b/libc/locale.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <libc.h>
diff --git a/libc/malloc.c b/libc/malloc.c
index 8e31b83fcd..9677a690f4 100644
--- a/libc/malloc.c
+++ b/libc/malloc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/stdlib.h>
diff --git a/libc/optee/abort.c b/libc/optee/abort.c
index 81b6dfb405..84e9233fbb 100644
--- a/libc/optee/abort.c
+++ b/libc/optee/abort.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/libc/optee/arc4random.c b/libc/optee/arc4random.c
index 1efa46f0b9..51e8e09e95 100644
--- a/libc/optee/arc4random.c
+++ b/libc/optee/arc4random.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <tee_internal_api.h>
diff --git a/libc/optee/trace.c b/libc/optee/trace.c
index b08e6913c5..8fa8d85569 100644
--- a/libc/optee/trace.c
+++ b/libc/optee/trace.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/libc/pthread.c b/libc/pthread.c
index 19e69ba424..0f702ade15 100644
--- a/libc/pthread.c
+++ b/libc/pthread.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/pthread.h>
diff --git a/libc/regcomp.c b/libc/regcomp.c
index ad04ef62aa..2ed65af07f 100644
--- a/libc/regcomp.c
+++ b/libc/regcomp.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifdef NDEBUG
diff --git a/libc/regexec.c b/libc/regexec.c
index 6f80507278..b45dbdbf19 100644
--- a/libc/regexec.c
+++ b/libc/regexec.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifdef NDEBUG
diff --git a/libc/sched_yield.c b/libc/sched_yield.c
index 95ee7eedce..f8373d0ed7 100644
--- a/libc/sched_yield.c
+++ b/libc/sched_yield.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/defs.h>
diff --git a/libc/sgx/abort.S b/libc/sgx/abort.S
index bad56405c4..069cb78740 100644
--- a/libc/sgx/abort.S
+++ b/libc/sgx/abort.S
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 .globl abort
diff --git a/libc/sgx/arc4random.c b/libc/sgx/arc4random.c
index f811589f86..ac27f7e74e 100644
--- a/libc/sgx/arc4random.c
+++ b/libc/sgx/arc4random.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /* Ignore unused-variable warning in system header */
diff --git a/libc/sgx/exp2l.S b/libc/sgx/exp2l.S
index e948cb1696..ca68f4c67c 100644
--- a/libc/sgx/exp2l.S
+++ b/libc/sgx/exp2l.S
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // Rename the expm1l() defined in exp2l.s and use the definition in expm1l.c
diff --git a/libc/sigaction.c b/libc/sigaction.c
index 41f829abee..f7ff359208 100644
--- a/libc/sigaction.c
+++ b/libc/sigaction.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <signal.h>
diff --git a/libc/signal.c b/libc/signal.c
index 40a5eaaf8c..eb20de3fa5 100644
--- a/libc/signal.c
+++ b/libc/signal.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <signal.h>
diff --git a/libc/stdlib.c b/libc/stdlib.c
index d71af7a11e..1c30d97dbf 100644
--- a/libc/stdlib.c
+++ b/libc/stdlib.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <locale.h>
diff --git a/libc/strerror.c b/libc/strerror.c
index aa14cbc8ff..fea32d054c 100644
--- a/libc/strerror.c
+++ b/libc/strerror.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/string.h>
diff --git a/libc/syscalls.c b/libc/syscalls.c
index a23f5ffb72..5261bdfe30 100644
--- a/libc/syscalls.c
+++ b/libc/syscalls.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define __OE_NEED_TIME_CALLS
diff --git a/libc/sysconf.c b/libc/sysconf.c
index f520f40d01..090f1d5335 100644
--- a/libc/sysconf.c
+++ b/libc/sysconf.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <errno.h>
diff --git a/libc/time.c b/libc/time.c
index b2fd04113e..59b6e11505 100644
--- a/libc/time.c
+++ b/libc/time.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/libc/tre-mem.c b/libc/tre-mem.c
index 93d9d32766..12b42dd7bf 100644
--- a/libc/tre-mem.c
+++ b/libc/tre-mem.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifdef NDEBUG
diff --git a/libcxx/CMakeLists.txt b/libcxx/CMakeLists.txt
index a5b109543d..3518f70eda 100644
--- a/libcxx/CMakeLists.txt
+++ b/libcxx/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_library(oelibcxx STATIC)
diff --git a/pkgconfig/CMakeLists.txt b/pkgconfig/CMakeLists.txt
index 6a21ef6462..0dbaf0ef87 100644
--- a/pkgconfig/CMakeLists.txt
+++ b/pkgconfig/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ##==============================================================================
diff --git a/pkgconfig/oeenclave-clang++.pc b/pkgconfig/oeenclave-clang++.pc
index 7c31714d30..9ca45a5e49 100644
--- a/pkgconfig/oeenclave-clang++.pc
+++ b/pkgconfig/oeenclave-clang++.pc
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 prefix=${pcfiledir}/../..
diff --git a/pkgconfig/oeenclave-clang.pc b/pkgconfig/oeenclave-clang.pc
index 98b8aac6e2..0e2c77d6ea 100644
--- a/pkgconfig/oeenclave-clang.pc
+++ b/pkgconfig/oeenclave-clang.pc
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 prefix=${pcfiledir}/../..
diff --git a/pkgconfig/oeenclave-g++.pc b/pkgconfig/oeenclave-g++.pc
index dcac3f09ef..1c2f81d433 100644
--- a/pkgconfig/oeenclave-g++.pc
+++ b/pkgconfig/oeenclave-g++.pc
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 prefix=${pcfiledir}/../..
diff --git a/pkgconfig/oeenclave-gcc.pc b/pkgconfig/oeenclave-gcc.pc
index 4e0e6a54ea..4267b8db03 100644
--- a/pkgconfig/oeenclave-gcc.pc
+++ b/pkgconfig/oeenclave-gcc.pc
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 prefix=${pcfiledir}/../..
diff --git a/pkgconfig/oehost-clang++.pc b/pkgconfig/oehost-clang++.pc
index 37951b49fb..89b5c91e0f 100644
--- a/pkgconfig/oehost-clang++.pc
+++ b/pkgconfig/oehost-clang++.pc
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 prefix=${pcfiledir}/../..
diff --git a/pkgconfig/oehost-clang.pc b/pkgconfig/oehost-clang.pc
index face75da56..702ac7afb2 100644
--- a/pkgconfig/oehost-clang.pc
+++ b/pkgconfig/oehost-clang.pc
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 prefix=${pcfiledir}/../..
diff --git a/pkgconfig/oehost-g++.pc b/pkgconfig/oehost-g++.pc
index 87ae5a0a7a..944f85875b 100644
--- a/pkgconfig/oehost-g++.pc
+++ b/pkgconfig/oehost-g++.pc
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 prefix=${pcfiledir}/../..
diff --git a/pkgconfig/oehost-gcc.pc b/pkgconfig/oehost-gcc.pc
index 02772dbf00..6c86ba0062 100644
--- a/pkgconfig/oehost-gcc.pc
+++ b/pkgconfig/oehost-gcc.pc
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 prefix=${pcfiledir}/../..
diff --git a/pkgconfig/oehostverify-clang++.pc b/pkgconfig/oehostverify-clang++.pc
index 2fe6d6f7e5..33c01b43f7 100644
--- a/pkgconfig/oehostverify-clang++.pc
+++ b/pkgconfig/oehostverify-clang++.pc
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 prefix=@PREFIX@
diff --git a/pkgconfig/oehostverify-clang.pc b/pkgconfig/oehostverify-clang.pc
index 38995a0c1c..ed5b67a287 100644
--- a/pkgconfig/oehostverify-clang.pc
+++ b/pkgconfig/oehostverify-clang.pc
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 prefix=@PREFIX@
diff --git a/pkgconfig/oehostverify-g++.pc b/pkgconfig/oehostverify-g++.pc
index fabda9a79d..da30cf65b5 100644
--- a/pkgconfig/oehostverify-g++.pc
+++ b/pkgconfig/oehostverify-g++.pc
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 prefix=@PREFIX@
diff --git a/pkgconfig/oehostverify-gcc.pc b/pkgconfig/oehostverify-gcc.pc
index f0518775ac..0559e1f588 100644
--- a/pkgconfig/oehostverify-gcc.pc
+++ b/pkgconfig/oehostverify-gcc.pc
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 prefix=@PREFIX@
diff --git a/samples/CMakeLists.txt b/samples/CMakeLists.txt
index 158397db48..254175184b 100644
--- a/samples/CMakeLists.txt
+++ b/samples/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 if (HAS_QUOTE_PROVIDER)
diff --git a/samples/attested_tls/CMakeLists.txt b/samples/attested_tls/CMakeLists.txt
index e914109b6b..276b81519c 100644
--- a/samples/attested_tls/CMakeLists.txt
+++ b/samples/attested_tls/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 cmake_minimum_required(VERSION 3.11)
diff --git a/samples/attested_tls/Makefile b/samples/attested_tls/Makefile
index e8a3e8986b..cff2e53006 100644
--- a/samples/attested_tls/Makefile
+++ b/samples/attested_tls/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 .PHONY: all build clean run
diff --git a/samples/attested_tls/client/CMakeLists.txt b/samples/attested_tls/client/CMakeLists.txt
index dfec8232d2..6d0d982141 100644
--- a/samples/attested_tls/client/CMakeLists.txt
+++ b/samples/attested_tls/client/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(enc)
diff --git a/samples/attested_tls/client/Makefile b/samples/attested_tls/client/Makefile
index 9c1b11ddf5..deb906af40 100644
--- a/samples/attested_tls/client/Makefile
+++ b/samples/attested_tls/client/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 all: build
diff --git a/samples/attested_tls/client/enc/CMakeLists.txt b/samples/attested_tls/client/enc/CMakeLists.txt
index d076debcbb..8b434db835 100644
--- a/samples/attested_tls/client/enc/CMakeLists.txt
+++ b/samples/attested_tls/client/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Use the edger8r to generate C bindings from the EDL file.
diff --git a/samples/attested_tls/client/enc/Makefile b/samples/attested_tls/client/enc/Makefile
index 2abb1945f7..14d50804ba 100644
--- a/samples/attested_tls/client/enc/Makefile
+++ b/samples/attested_tls/client/enc/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/attested_tls/client/enc/cert_verifier.cpp b/samples/attested_tls/client/enc/cert_verifier.cpp
index 2505d59529..f2345dac82 100644
--- a/samples/attested_tls/client/enc/cert_verifier.cpp
+++ b/samples/attested_tls/client/enc/cert_verifier.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <errno.h>
diff --git a/samples/attested_tls/client/enc/client.cpp b/samples/attested_tls/client/enc/client.cpp
index 011b0f9554..2ae83b6e6a 100644
--- a/samples/attested_tls/client/enc/client.cpp
+++ b/samples/attested_tls/client/enc/client.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <errno.h>
diff --git a/samples/attested_tls/client/enc/crypto.cpp b/samples/attested_tls/client/enc/crypto.cpp
index 0ed6053754..ebcdd00d3a 100644
--- a/samples/attested_tls/client/enc/crypto.cpp
+++ b/samples/attested_tls/client/enc/crypto.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "crypto.h"
diff --git a/samples/attested_tls/client/enc/crypto.h b/samples/attested_tls/client/enc/crypto.h
index cf20f355f2..8cba0faa9a 100644
--- a/samples/attested_tls/client/enc/crypto.h
+++ b/samples/attested_tls/client/enc/crypto.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef OE_SAMPLES_ATTESTATION_ENC_CRYPTO_H
diff --git a/samples/attested_tls/client/enc/ecalls.cpp b/samples/attested_tls/client/enc/ecalls.cpp
index e03d41123e..13bed1a3e9 100644
--- a/samples/attested_tls/client/enc/ecalls.cpp
+++ b/samples/attested_tls/client/enc/ecalls.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/samples/attested_tls/client/enc/enc.conf b/samples/attested_tls/client/enc/enc.conf
index 981fd5fe9b..c6af0590eb 100644
--- a/samples/attested_tls/client/enc/enc.conf
+++ b/samples/attested_tls/client/enc/enc.conf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enclave settings:
diff --git a/samples/attested_tls/client/enc/identity_verifier.cpp b/samples/attested_tls/client/enc/identity_verifier.cpp
index 8d4e825447..b586f1d014 100644
--- a/samples/attested_tls/client/enc/identity_verifier.cpp
+++ b/samples/attested_tls/client/enc/identity_verifier.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/samples/attested_tls/client/enc/log.h b/samples/attested_tls/client/enc/log.h
index b064e3b905..507dcd8b81 100644
--- a/samples/attested_tls/client/enc/log.h
+++ b/samples/attested_tls/client/enc/log.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef OE_SAMPLES_ATTESTATION_ENC_LOG_H
diff --git a/samples/attested_tls/client/host/CMakeLists.txt b/samples/attested_tls/client/host/CMakeLists.txt
index 0966389be3..89451f9020 100644
--- a/samples/attested_tls/client/host/CMakeLists.txt
+++ b/samples/attested_tls/client/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_custom_command(OUTPUT tls_client_u.h tls_client_u.c tls_client_args.h
diff --git a/samples/attested_tls/client/host/Makefile b/samples/attested_tls/client/host/Makefile
index 9bd5637d06..9885d1e1ce 100644
--- a/samples/attested_tls/client/host/Makefile
+++ b/samples/attested_tls/client/host/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/attested_tls/client/host/host.cpp b/samples/attested_tls/client/host/host.cpp
index ee1f07671b..8a4be171a1 100644
--- a/samples/attested_tls/client/host/host.cpp
+++ b/samples/attested_tls/client/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/samples/attested_tls/client/tls_client.edl b/samples/attested_tls/client/tls_client.edl
index 0362263f86..d76fa877cd 100644
--- a/samples/attested_tls/client/tls_client.edl
+++ b/samples/attested_tls/client/tls_client.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/samples/attested_tls/common/common.h b/samples/attested_tls/common/common.h
index c9c40b7551..74e1dd1ec6 100644
--- a/samples/attested_tls/common/common.h
+++ b/samples/attested_tls/common/common.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 //
 #define ADD_TEST_CHECKING
diff --git a/samples/attested_tls/common/tls_client_enc_pubkey.h b/samples/attested_tls/common/tls_client_enc_pubkey.h
index ebbc528edd..f10413c4f9 100644
--- a/samples/attested_tls/common/tls_client_enc_pubkey.h
+++ b/samples/attested_tls/common/tls_client_enc_pubkey.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef SAMPLES_REMOTE_ATTESTATION_PUBKEY_H
diff --git a/samples/attested_tls/common/tls_server_enc_pubkey.h b/samples/attested_tls/common/tls_server_enc_pubkey.h
index 57603a74b7..d54d8a6756 100644
--- a/samples/attested_tls/common/tls_server_enc_pubkey.h
+++ b/samples/attested_tls/common/tls_server_enc_pubkey.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef SAMPLES_REMOTE_ATTESTATION_PUBKEY_H
diff --git a/samples/attested_tls/common/utility.cpp b/samples/attested_tls/common/utility.cpp
index 40d6b78727..462c21453c 100644
--- a/samples/attested_tls/common/utility.cpp
+++ b/samples/attested_tls/common/utility.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // clang-format off
diff --git a/samples/attested_tls/common/utility.h b/samples/attested_tls/common/utility.h
index 8e94e032e0..6f8d145d7d 100644
--- a/samples/attested_tls/common/utility.h
+++ b/samples/attested_tls/common/utility.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <mbedtls/pk.h>
diff --git a/samples/attested_tls/non_enc_client/CMakeLists.txt b/samples/attested_tls/non_enc_client/CMakeLists.txt
index bdbf6c8484..9b7eb26242 100644
--- a/samples/attested_tls/non_enc_client/CMakeLists.txt
+++ b/samples/attested_tls/non_enc_client/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 find_package(OpenSSL REQUIRED)
diff --git a/samples/attested_tls/non_enc_client/Makefile b/samples/attested_tls/non_enc_client/Makefile
index 8a1b3dd614..6c74a6a648 100644
--- a/samples/attested_tls/non_enc_client/Makefile
+++ b/samples/attested_tls/non_enc_client/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 .PHONY: all build clean run
diff --git a/samples/attested_tls/non_enc_client/client.cpp b/samples/attested_tls/non_enc_client/client.cpp
index 6addd96e5d..26bfc050a1 100644
--- a/samples/attested_tls/non_enc_client/client.cpp
+++ b/samples/attested_tls/non_enc_client/client.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <arpa/inet.h>
diff --git a/samples/attested_tls/non_enc_client/verify_callback.cpp b/samples/attested_tls/non_enc_client/verify_callback.cpp
index d87d477c31..1a8c71ddca 100644
--- a/samples/attested_tls/non_enc_client/verify_callback.cpp
+++ b/samples/attested_tls/non_enc_client/verify_callback.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <arpa/inet.h>
diff --git a/samples/attested_tls/non_enc_client/verify_signer_openssl.cpp b/samples/attested_tls/non_enc_client/verify_signer_openssl.cpp
index 84a24a9559..c0d84379fa 100644
--- a/samples/attested_tls/non_enc_client/verify_signer_openssl.cpp
+++ b/samples/attested_tls/non_enc_client/verify_signer_openssl.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openssl/bio.h>
diff --git a/samples/attested_tls/scripts/gen_mrenclave_header.sh b/samples/attested_tls/scripts/gen_mrenclave_header.sh
index 70562fc9b6..0cbc989e70 100755
--- a/samples/attested_tls/scripts/gen_mrenclave_header.sh
+++ b/samples/attested_tls/scripts/gen_mrenclave_header.sh
@@ -1,13 +1,13 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 destfile="$1"
 input_file="$2"
 
 cat > "$destfile" << EOF
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef SAMPLES_ATTESTED_TLS_SERVER_UNIQUE_ID_H
diff --git a/samples/attested_tls/server/CMakeLists.txt b/samples/attested_tls/server/CMakeLists.txt
index d2cb62caff..86ce87c3d8 100644
--- a/samples/attested_tls/server/CMakeLists.txt
+++ b/samples/attested_tls/server/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(enc)
diff --git a/samples/attested_tls/server/Makefile b/samples/attested_tls/server/Makefile
index 3f10fc555e..e2f7cdc6a6 100644
--- a/samples/attested_tls/server/Makefile
+++ b/samples/attested_tls/server/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 all: build
diff --git a/samples/attested_tls/server/enc/CMakeLists.txt b/samples/attested_tls/server/enc/CMakeLists.txt
index c714158303..f820bfe063 100644
--- a/samples/attested_tls/server/enc/CMakeLists.txt
+++ b/samples/attested_tls/server/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Use the edger8r to generate C bindings from the EDL file.
diff --git a/samples/attested_tls/server/enc/Makefile b/samples/attested_tls/server/enc/Makefile
index fd7e167d30..64fc2cb63e 100644
--- a/samples/attested_tls/server/enc/Makefile
+++ b/samples/attested_tls/server/enc/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/attested_tls/server/enc/cert_verifier.cpp b/samples/attested_tls/server/enc/cert_verifier.cpp
index 0e1626baf9..78bb541ae6 100644
--- a/samples/attested_tls/server/enc/cert_verifier.cpp
+++ b/samples/attested_tls/server/enc/cert_verifier.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <mbedtls/certs.h>
diff --git a/samples/attested_tls/server/enc/crypto.cpp b/samples/attested_tls/server/enc/crypto.cpp
index f35e473f9f..25c68c83cb 100644
--- a/samples/attested_tls/server/enc/crypto.cpp
+++ b/samples/attested_tls/server/enc/crypto.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "crypto.h"
diff --git a/samples/attested_tls/server/enc/crypto.h b/samples/attested_tls/server/enc/crypto.h
index cf20f355f2..8cba0faa9a 100644
--- a/samples/attested_tls/server/enc/crypto.h
+++ b/samples/attested_tls/server/enc/crypto.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef OE_SAMPLES_ATTESTATION_ENC_CRYPTO_H
diff --git a/samples/attested_tls/server/enc/ecalls.cpp b/samples/attested_tls/server/enc/ecalls.cpp
index 73c63cfc3e..75f718766e 100644
--- a/samples/attested_tls/server/enc/ecalls.cpp
+++ b/samples/attested_tls/server/enc/ecalls.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/samples/attested_tls/server/enc/enc.conf b/samples/attested_tls/server/enc/enc.conf
index 981fd5fe9b..c6af0590eb 100644
--- a/samples/attested_tls/server/enc/enc.conf
+++ b/samples/attested_tls/server/enc/enc.conf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enclave settings:
diff --git a/samples/attested_tls/server/enc/identity_verifier.cpp b/samples/attested_tls/server/enc/identity_verifier.cpp
index 3540aa3cb6..7c6999a3bb 100644
--- a/samples/attested_tls/server/enc/identity_verifier.cpp
+++ b/samples/attested_tls/server/enc/identity_verifier.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/samples/attested_tls/server/enc/log.h b/samples/attested_tls/server/enc/log.h
index b064e3b905..507dcd8b81 100644
--- a/samples/attested_tls/server/enc/log.h
+++ b/samples/attested_tls/server/enc/log.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef OE_SAMPLES_ATTESTATION_ENC_LOG_H
diff --git a/samples/attested_tls/server/enc/server.cpp b/samples/attested_tls/server/enc/server.cpp
index ef6029c245..4c4797f0e7 100644
--- a/samples/attested_tls/server/enc/server.cpp
+++ b/samples/attested_tls/server/enc/server.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <mbedtls/certs.h>
diff --git a/samples/attested_tls/server/host/CMakeLists.txt b/samples/attested_tls/server/host/CMakeLists.txt
index 7f44397fee..a511007c00 100644
--- a/samples/attested_tls/server/host/CMakeLists.txt
+++ b/samples/attested_tls/server/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_custom_command(OUTPUT tls_server_u.h tls_server_u.c tls_server_args.h
diff --git a/samples/attested_tls/server/host/Makefile b/samples/attested_tls/server/host/Makefile
index bcbe4235b7..66dd25013e 100644
--- a/samples/attested_tls/server/host/Makefile
+++ b/samples/attested_tls/server/host/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/attested_tls/server/host/host.cpp b/samples/attested_tls/server/host/host.cpp
index 8139ad65c5..10e309ac31 100644
--- a/samples/attested_tls/server/host/host.cpp
+++ b/samples/attested_tls/server/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/samples/attested_tls/server/tls_server.edl b/samples/attested_tls/server/tls_server.edl
index 071694f5a7..5f1f6b0929 100644
--- a/samples/attested_tls/server/tls_server.edl
+++ b/samples/attested_tls/server/tls_server.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/samples/data-sealing/CMakeLists.txt b/samples/data-sealing/CMakeLists.txt
index 3fc647d321..a1959546e1 100644
--- a/samples/data-sealing/CMakeLists.txt
+++ b/samples/data-sealing/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 cmake_minimum_required(VERSION 3.11)
diff --git a/samples/data-sealing/Makefile b/samples/data-sealing/Makefile
index 4bb1423cd1..3e2b03e2fe 100644
--- a/samples/data-sealing/Makefile
+++ b/samples/data-sealing/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 .PHONY: all build clean run
diff --git a/samples/data-sealing/common/CMakeLists.txt b/samples/data-sealing/common/CMakeLists.txt
index 8adb484176..73556fa9ed 100644
--- a/samples/data-sealing/common/CMakeLists.txt
+++ b/samples/data-sealing/common/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Use the edger8r to generate C bindings from the EDL file.
diff --git a/samples/data-sealing/common/common.h b/samples/data-sealing/common/common.h
index f63ca440e8..6a7962c8a1 100644
--- a/samples/data-sealing/common/common.h
+++ b/samples/data-sealing/common/common.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 extern const char* enclave_name;
diff --git a/samples/data-sealing/common/dispatcher.cpp b/samples/data-sealing/common/dispatcher.cpp
index 6b4f5dbe2b..b83fcae1b5 100644
--- a/samples/data-sealing/common/dispatcher.cpp
+++ b/samples/data-sealing/common/dispatcher.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "dispatcher.h"
diff --git a/samples/data-sealing/common/dispatcher.h b/samples/data-sealing/common/dispatcher.h
index 79a9989423..c991f9ae74 100644
--- a/samples/data-sealing/common/dispatcher.h
+++ b/samples/data-sealing/common/dispatcher.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #pragma once
diff --git a/samples/data-sealing/common/keys.cpp b/samples/data-sealing/common/keys.cpp
index 241f9f49d1..ce5dc16b32 100644
--- a/samples/data-sealing/common/keys.cpp
+++ b/samples/data-sealing/common/keys.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <mbedtls/aes.h>
diff --git a/samples/data-sealing/common/shared.h b/samples/data-sealing/common/shared.h
index 3885fe0800..6e731f33c9 100644
--- a/samples/data-sealing/common/shared.h
+++ b/samples/data-sealing/common/shared.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _SHARED_H
diff --git a/samples/data-sealing/datasealing.edl b/samples/data-sealing/datasealing.edl
index 71fcf1fbcd..df5bbc4a68 100644
--- a/samples/data-sealing/datasealing.edl
+++ b/samples/data-sealing/datasealing.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/samples/data-sealing/enclave_a_v1/CMakeLists.txt b/samples/data-sealing/enclave_a_v1/CMakeLists.txt
index c3eeea9a74..dd0969d9da 100644
--- a/samples/data-sealing/enclave_a_v1/CMakeLists.txt
+++ b/samples/data-sealing/enclave_a_v1/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_executable(enclave_a_v1 ecalls.cpp)
diff --git a/samples/data-sealing/enclave_a_v1/Makefile b/samples/data-sealing/enclave_a_v1/Makefile
index 5332929f7b..bd9b3ff302 100644
--- a/samples/data-sealing/enclave_a_v1/Makefile
+++ b/samples/data-sealing/enclave_a_v1/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/data-sealing/enclave_a_v1/data-sealing.conf b/samples/data-sealing/enclave_a_v1/data-sealing.conf
index 981fd5fe9b..c6af0590eb 100644
--- a/samples/data-sealing/enclave_a_v1/data-sealing.conf
+++ b/samples/data-sealing/enclave_a_v1/data-sealing.conf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enclave settings:
diff --git a/samples/data-sealing/enclave_a_v1/ecalls.cpp b/samples/data-sealing/enclave_a_v1/ecalls.cpp
index 9c96bf0500..b1749df002 100644
--- a/samples/data-sealing/enclave_a_v1/ecalls.cpp
+++ b/samples/data-sealing/enclave_a_v1/ecalls.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <common/datasealing_t.h>
diff --git a/samples/data-sealing/enclave_a_v2/CMakeLists.txt b/samples/data-sealing/enclave_a_v2/CMakeLists.txt
index f9f93086e6..9a61838ea0 100644
--- a/samples/data-sealing/enclave_a_v2/CMakeLists.txt
+++ b/samples/data-sealing/enclave_a_v2/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_executable(enclave_a_v2 ecalls.cpp)
diff --git a/samples/data-sealing/enclave_a_v2/Makefile b/samples/data-sealing/enclave_a_v2/Makefile
index 960cc2f4d7..6b7a928a39 100644
--- a/samples/data-sealing/enclave_a_v2/Makefile
+++ b/samples/data-sealing/enclave_a_v2/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/data-sealing/enclave_a_v2/data-sealing.conf b/samples/data-sealing/enclave_a_v2/data-sealing.conf
index 981fd5fe9b..c6af0590eb 100644
--- a/samples/data-sealing/enclave_a_v2/data-sealing.conf
+++ b/samples/data-sealing/enclave_a_v2/data-sealing.conf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enclave settings:
diff --git a/samples/data-sealing/enclave_a_v2/ecalls.cpp b/samples/data-sealing/enclave_a_v2/ecalls.cpp
index ef806ca5c2..226340e46e 100644
--- a/samples/data-sealing/enclave_a_v2/ecalls.cpp
+++ b/samples/data-sealing/enclave_a_v2/ecalls.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <common/datasealing_t.h>
diff --git a/samples/data-sealing/enclave_b/CMakeLists.txt b/samples/data-sealing/enclave_b/CMakeLists.txt
index 39c80dfffd..b0db36e408 100644
--- a/samples/data-sealing/enclave_b/CMakeLists.txt
+++ b/samples/data-sealing/enclave_b/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_executable(enclave_b ecalls.cpp)
diff --git a/samples/data-sealing/enclave_b/Makefile b/samples/data-sealing/enclave_b/Makefile
index 7bd69ddc4c..708fc95967 100644
--- a/samples/data-sealing/enclave_b/Makefile
+++ b/samples/data-sealing/enclave_b/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/data-sealing/enclave_b/data-sealing.conf b/samples/data-sealing/enclave_b/data-sealing.conf
index 981fd5fe9b..c6af0590eb 100644
--- a/samples/data-sealing/enclave_b/data-sealing.conf
+++ b/samples/data-sealing/enclave_b/data-sealing.conf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enclave settings:
diff --git a/samples/data-sealing/enclave_b/ecalls.cpp b/samples/data-sealing/enclave_b/ecalls.cpp
index 4016a912a5..e854199ec5 100644
--- a/samples/data-sealing/enclave_b/ecalls.cpp
+++ b/samples/data-sealing/enclave_b/ecalls.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <common/datasealing_t.h>
diff --git a/samples/data-sealing/host/CMakeLists.txt b/samples/data-sealing/host/CMakeLists.txt
index e2518e35f9..6a45d79c05 100644
--- a/samples/data-sealing/host/CMakeLists.txt
+++ b/samples/data-sealing/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_custom_command(OUTPUT datasealing_u.h datasealing_u.c datasealing_args.h
diff --git a/samples/data-sealing/host/Makefile b/samples/data-sealing/host/Makefile
index bfe674616b..6f7ef276da 100644
--- a/samples/data-sealing/host/Makefile
+++ b/samples/data-sealing/host/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/data-sealing/host/host.cpp b/samples/data-sealing/host/host.cpp
index 905b610289..62f37df355 100644
--- a/samples/data-sealing/host/host.cpp
+++ b/samples/data-sealing/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/samples/file-encryptor/CMakeLists.txt b/samples/file-encryptor/CMakeLists.txt
index 2af6c85476..d22be25402 100644
--- a/samples/file-encryptor/CMakeLists.txt
+++ b/samples/file-encryptor/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 cmake_minimum_required(VERSION 3.11)
diff --git a/samples/file-encryptor/Makefile b/samples/file-encryptor/Makefile
index 11cdd0a660..65c437b836 100644
--- a/samples/file-encryptor/Makefile
+++ b/samples/file-encryptor/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 .PHONY: all build clean run simulate
diff --git a/samples/file-encryptor/enclave/CMakeLists.txt b/samples/file-encryptor/enclave/CMakeLists.txt
index 303e13790f..5dd6b28177 100644
--- a/samples/file-encryptor/enclave/CMakeLists.txt
+++ b/samples/file-encryptor/enclave/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Use the edger8r to generate C bindings from the EDL file.
diff --git a/samples/file-encryptor/enclave/Makefile b/samples/file-encryptor/enclave/Makefile
index 35592ec100..cf900933e4 100644
--- a/samples/file-encryptor/enclave/Makefile
+++ b/samples/file-encryptor/enclave/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/file-encryptor/enclave/common.h b/samples/file-encryptor/enclave/common.h
index 7dfd765732..5d0df7e363 100644
--- a/samples/file-encryptor/enclave/common.h
+++ b/samples/file-encryptor/enclave/common.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define TRACE_ENCLAVE(fmt, ...) \
diff --git a/samples/file-encryptor/enclave/ecalls.cpp b/samples/file-encryptor/enclave/ecalls.cpp
index c9c9fb22ef..fd3cf1ce9a 100644
--- a/samples/file-encryptor/enclave/ecalls.cpp
+++ b/samples/file-encryptor/enclave/ecalls.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/samples/file-encryptor/enclave/encryptor.cpp b/samples/file-encryptor/enclave/encryptor.cpp
index 2067005f8a..96c7c57d2e 100644
--- a/samples/file-encryptor/enclave/encryptor.cpp
+++ b/samples/file-encryptor/enclave/encryptor.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "encryptor.h"
diff --git a/samples/file-encryptor/enclave/encryptor.h b/samples/file-encryptor/enclave/encryptor.h
index 40cdd91162..689846d605 100644
--- a/samples/file-encryptor/enclave/encryptor.h
+++ b/samples/file-encryptor/enclave/encryptor.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #pragma once
diff --git a/samples/file-encryptor/enclave/file-encryptor.conf b/samples/file-encryptor/enclave/file-encryptor.conf
index 981fd5fe9b..c6af0590eb 100644
--- a/samples/file-encryptor/enclave/file-encryptor.conf
+++ b/samples/file-encryptor/enclave/file-encryptor.conf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enclave settings:
diff --git a/samples/file-encryptor/enclave/keys.cpp b/samples/file-encryptor/enclave/keys.cpp
index 4f7a97e45f..39fa9eab64 100644
--- a/samples/file-encryptor/enclave/keys.cpp
+++ b/samples/file-encryptor/enclave/keys.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <mbedtls/aes.h>
diff --git a/samples/file-encryptor/fileencryptor.edl b/samples/file-encryptor/fileencryptor.edl
index 45a0fd558f..49e7d55334 100644
--- a/samples/file-encryptor/fileencryptor.edl
+++ b/samples/file-encryptor/fileencryptor.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/samples/file-encryptor/host/CMakeLists.txt b/samples/file-encryptor/host/CMakeLists.txt
index d9e9c966fe..9da81780df 100644
--- a/samples/file-encryptor/host/CMakeLists.txt
+++ b/samples/file-encryptor/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_custom_command(OUTPUT fileencryptor_u.h fileencryptor_u.c fileencryptor_args.h
diff --git a/samples/file-encryptor/host/Makefile b/samples/file-encryptor/host/Makefile
index 1ba0d4a766..2e1f048e71 100644
--- a/samples/file-encryptor/host/Makefile
+++ b/samples/file-encryptor/host/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/file-encryptor/host/host.cpp b/samples/file-encryptor/host/host.cpp
index 1b5344ce8b..f43eaf8989 100644
--- a/samples/file-encryptor/host/host.cpp
+++ b/samples/file-encryptor/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/samples/file-encryptor/shared.h b/samples/file-encryptor/shared.h
index 8266c07b9e..9c8e42e7c0 100644
--- a/samples/file-encryptor/shared.h
+++ b/samples/file-encryptor/shared.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _ARGS_H
diff --git a/samples/helloworld/CMakeLists.txt b/samples/helloworld/CMakeLists.txt
index f99e7fb394..c1262b8360 100644
--- a/samples/helloworld/CMakeLists.txt
+++ b/samples/helloworld/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 cmake_minimum_required(VERSION 3.11)
diff --git a/samples/helloworld/Makefile b/samples/helloworld/Makefile
index 51482a91ab..0bb4a0b78d 100644
--- a/samples/helloworld/Makefile
+++ b/samples/helloworld/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 .PHONY: all build clean run simulate
diff --git a/samples/helloworld/enclave/CMakeLists.txt b/samples/helloworld/enclave/CMakeLists.txt
index caa2b1a440..6f102aa25f 100644
--- a/samples/helloworld/enclave/CMakeLists.txt
+++ b/samples/helloworld/enclave/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Use the edger8r to generate C bindings from the EDL file.
diff --git a/samples/helloworld/enclave/Makefile b/samples/helloworld/enclave/Makefile
index 2d3fa65b5a..ae8baa57e8 100644
--- a/samples/helloworld/enclave/Makefile
+++ b/samples/helloworld/enclave/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/helloworld/enclave/enc.c b/samples/helloworld/enclave/enc.c
index 512ef5f717..f6e42c73d1 100644
--- a/samples/helloworld/enclave/enc.c
+++ b/samples/helloworld/enclave/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <stdio.h>
diff --git a/samples/helloworld/enclave/helloworld.conf b/samples/helloworld/enclave/helloworld.conf
index 5d4ce9ef95..ca997aa136 100644
--- a/samples/helloworld/enclave/helloworld.conf
+++ b/samples/helloworld/enclave/helloworld.conf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enclave settings:
diff --git a/samples/helloworld/helloworld.edl b/samples/helloworld/helloworld.edl
index 81e48130eb..952eb74f67 100644
--- a/samples/helloworld/helloworld.edl
+++ b/samples/helloworld/helloworld.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/samples/helloworld/host/CMakeLists.txt b/samples/helloworld/host/CMakeLists.txt
index af1065c22d..dd95d96708 100644
--- a/samples/helloworld/host/CMakeLists.txt
+++ b/samples/helloworld/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 add_custom_command(OUTPUT helloworld_u.h helloworld_u.c helloworld_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/helloworld.edl
diff --git a/samples/helloworld/host/Makefile b/samples/helloworld/host/Makefile
index 1e692bf455..2de7207621 100644
--- a/samples/helloworld/host/Makefile
+++ b/samples/helloworld/host/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/helloworld/host/host.c b/samples/helloworld/host/host.c
index 4e7f85f12b..0085973c35 100644
--- a/samples/helloworld/host/host.c
+++ b/samples/helloworld/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/samples/local_attestation/CMakeLists.txt b/samples/local_attestation/CMakeLists.txt
index 475d344eb4..c76cc7320d 100644
--- a/samples/local_attestation/CMakeLists.txt
+++ b/samples/local_attestation/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 cmake_minimum_required(VERSION 3.11)
diff --git a/samples/local_attestation/Makefile b/samples/local_attestation/Makefile
index 1bd09ee0a0..b9631c2239 100644
--- a/samples/local_attestation/Makefile
+++ b/samples/local_attestation/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 .PHONY: all build clean run
diff --git a/samples/local_attestation/common/CMakeLists.txt b/samples/local_attestation/common/CMakeLists.txt
index fbc2b3dcbd..757ec6736f 100644
--- a/samples/local_attestation/common/CMakeLists.txt
+++ b/samples/local_attestation/common/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Use the edger8r to generate C bindings from the EDL file.
diff --git a/samples/local_attestation/common/attestation.cpp b/samples/local_attestation/common/attestation.cpp
index 93f42a0444..a11bc47ed6 100644
--- a/samples/local_attestation/common/attestation.cpp
+++ b/samples/local_attestation/common/attestation.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "attestation.h"
diff --git a/samples/local_attestation/common/attestation.h b/samples/local_attestation/common/attestation.h
index 494432fdc4..d245a21010 100644
--- a/samples/local_attestation/common/attestation.h
+++ b/samples/local_attestation/common/attestation.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef OE_SAMPLES_ATTESTATION_ENC_ATTESTATION_H
diff --git a/samples/local_attestation/common/crypto.cpp b/samples/local_attestation/common/crypto.cpp
index 978adc1eb7..369a73c5ba 100644
--- a/samples/local_attestation/common/crypto.cpp
+++ b/samples/local_attestation/common/crypto.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "crypto.h"
diff --git a/samples/local_attestation/common/crypto.h b/samples/local_attestation/common/crypto.h
index cf20f355f2..8cba0faa9a 100644
--- a/samples/local_attestation/common/crypto.h
+++ b/samples/local_attestation/common/crypto.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef OE_SAMPLES_ATTESTATION_ENC_CRYPTO_H
diff --git a/samples/local_attestation/common/dispatcher.cpp b/samples/local_attestation/common/dispatcher.cpp
index f64d648154..15ce110aa0 100644
--- a/samples/local_attestation/common/dispatcher.cpp
+++ b/samples/local_attestation/common/dispatcher.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "dispatcher.h"
diff --git a/samples/local_attestation/common/dispatcher.h b/samples/local_attestation/common/dispatcher.h
index 50ae2d1f76..f20364062a 100644
--- a/samples/local_attestation/common/dispatcher.h
+++ b/samples/local_attestation/common/dispatcher.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #pragma once
diff --git a/samples/local_attestation/common/log.h b/samples/local_attestation/common/log.h
index 26d7b92394..50235ce974 100644
--- a/samples/local_attestation/common/log.h
+++ b/samples/local_attestation/common/log.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef OE_SAMPLES_ATTESTATION_ENC_LOG_H
diff --git a/samples/local_attestation/enclave_a/CMakeLists.txt b/samples/local_attestation/enclave_a/CMakeLists.txt
index baa1dd952b..665c3021a4 100644
--- a/samples/local_attestation/enclave_a/CMakeLists.txt
+++ b/samples/local_attestation/enclave_a/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Generate header with public key of enclave B (2)
diff --git a/samples/local_attestation/enclave_a/Makefile b/samples/local_attestation/enclave_a/Makefile
index 38f6b521dd..18e62c67a3 100644
--- a/samples/local_attestation/enclave_a/Makefile
+++ b/samples/local_attestation/enclave_a/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/local_attestation/enclave_a/ecalls.cpp b/samples/local_attestation/enclave_a/ecalls.cpp
index 283bc1fafe..fe33805ab1 100644
--- a/samples/local_attestation/enclave_a/ecalls.cpp
+++ b/samples/local_attestation/enclave_a/ecalls.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include <common/dispatcher.h>
 #include <common/localattestation_t.h>
diff --git a/samples/local_attestation/enclave_a/enc.conf b/samples/local_attestation/enclave_a/enc.conf
index 981fd5fe9b..c6af0590eb 100644
--- a/samples/local_attestation/enclave_a/enc.conf
+++ b/samples/local_attestation/enclave_a/enc.conf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enclave settings:
diff --git a/samples/local_attestation/enclave_b/CMakeLists.txt b/samples/local_attestation/enclave_b/CMakeLists.txt
index 9a65f583b6..97a1ba9811 100644
--- a/samples/local_attestation/enclave_b/CMakeLists.txt
+++ b/samples/local_attestation/enclave_b/CMakeLists.txt
@@ -1,9 +1,9 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Generate header with public key of enclave A
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_custom_command(OUTPUT enclave_a_pubkey.h
diff --git a/samples/local_attestation/enclave_b/Makefile b/samples/local_attestation/enclave_b/Makefile
index 135c97787a..e22bf8044e 100644
--- a/samples/local_attestation/enclave_b/Makefile
+++ b/samples/local_attestation/enclave_b/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/local_attestation/enclave_b/ecalls.cpp b/samples/local_attestation/enclave_b/ecalls.cpp
index 13727da78c..89a418e3a8 100644
--- a/samples/local_attestation/enclave_b/ecalls.cpp
+++ b/samples/local_attestation/enclave_b/ecalls.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include <common/dispatcher.h>
 #include <common/localattestation_t.h>
diff --git a/samples/local_attestation/enclave_b/enc.conf b/samples/local_attestation/enclave_b/enc.conf
index 981fd5fe9b..c6af0590eb 100644
--- a/samples/local_attestation/enclave_b/enc.conf
+++ b/samples/local_attestation/enclave_b/enc.conf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enclave settings:
diff --git a/samples/local_attestation/gen_pubkey_header.sh b/samples/local_attestation/gen_pubkey_header.sh
index 4a51938fb4..aa77857117 100755
--- a/samples/local_attestation/gen_pubkey_header.sh
+++ b/samples/local_attestation/gen_pubkey_header.sh
@@ -1,13 +1,13 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 destfile="$1"
 pubkey_file="$2"
 
 cat > "$destfile" << EOF
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef SAMPLES_LOCAL_ATTESTATION_PUBKEY_H
diff --git a/samples/local_attestation/host/CMakeLists.txt b/samples/local_attestation/host/CMakeLists.txt
index 7d665f640a..f121b83862 100644
--- a/samples/local_attestation/host/CMakeLists.txt
+++ b/samples/local_attestation/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_custom_command(OUTPUT localattestation_u.h localattestation_u.c localattestation_args.h
diff --git a/samples/local_attestation/host/Makefile b/samples/local_attestation/host/Makefile
index 2979b7ffb2..752e4b3036 100644
--- a/samples/local_attestation/host/Makefile
+++ b/samples/local_attestation/host/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/local_attestation/host/host.cpp b/samples/local_attestation/host/host.cpp
index 0dab70f02d..93fa4a68ef 100644
--- a/samples/local_attestation/host/host.cpp
+++ b/samples/local_attestation/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/samples/local_attestation/localattestation.edl b/samples/local_attestation/localattestation.edl
index fa843b6066..6c179f2ffd 100644
--- a/samples/local_attestation/localattestation.edl
+++ b/samples/local_attestation/localattestation.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/samples/remote_attestation/CMakeLists.txt b/samples/remote_attestation/CMakeLists.txt
index 8d2847129e..6cac3fd9cb 100644
--- a/samples/remote_attestation/CMakeLists.txt
+++ b/samples/remote_attestation/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 cmake_minimum_required(VERSION 3.11)
diff --git a/samples/remote_attestation/Makefile b/samples/remote_attestation/Makefile
index 1bd09ee0a0..b9631c2239 100644
--- a/samples/remote_attestation/Makefile
+++ b/samples/remote_attestation/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 .PHONY: all build clean run
diff --git a/samples/remote_attestation/common/CMakeLists.txt b/samples/remote_attestation/common/CMakeLists.txt
index b3929ad559..629d1fc157 100644
--- a/samples/remote_attestation/common/CMakeLists.txt
+++ b/samples/remote_attestation/common/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_custom_command(OUTPUT enclave_a_pubkey.h
diff --git a/samples/remote_attestation/common/attestation.cpp b/samples/remote_attestation/common/attestation.cpp
index ec23f2baec..d934b42bc3 100644
--- a/samples/remote_attestation/common/attestation.cpp
+++ b/samples/remote_attestation/common/attestation.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "attestation.h"
diff --git a/samples/remote_attestation/common/attestation.h b/samples/remote_attestation/common/attestation.h
index 7d72090fb7..a942acca86 100644
--- a/samples/remote_attestation/common/attestation.h
+++ b/samples/remote_attestation/common/attestation.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef OE_SAMPLES_ATTESTATION_ENC_ATTESTATION_H
diff --git a/samples/remote_attestation/common/crypto.cpp b/samples/remote_attestation/common/crypto.cpp
index 0ed6053754..ebcdd00d3a 100644
--- a/samples/remote_attestation/common/crypto.cpp
+++ b/samples/remote_attestation/common/crypto.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "crypto.h"
diff --git a/samples/remote_attestation/common/crypto.h b/samples/remote_attestation/common/crypto.h
index cf20f355f2..8cba0faa9a 100644
--- a/samples/remote_attestation/common/crypto.h
+++ b/samples/remote_attestation/common/crypto.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef OE_SAMPLES_ATTESTATION_ENC_CRYPTO_H
diff --git a/samples/remote_attestation/common/dispatcher.cpp b/samples/remote_attestation/common/dispatcher.cpp
index 81adde71d2..e0503b0cd2 100644
--- a/samples/remote_attestation/common/dispatcher.cpp
+++ b/samples/remote_attestation/common/dispatcher.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "dispatcher.h"
diff --git a/samples/remote_attestation/common/dispatcher.h b/samples/remote_attestation/common/dispatcher.h
index db2ddddee0..8ab7151588 100644
--- a/samples/remote_attestation/common/dispatcher.h
+++ b/samples/remote_attestation/common/dispatcher.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #pragma once
diff --git a/samples/remote_attestation/common/log.h b/samples/remote_attestation/common/log.h
index b064e3b905..507dcd8b81 100644
--- a/samples/remote_attestation/common/log.h
+++ b/samples/remote_attestation/common/log.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef OE_SAMPLES_ATTESTATION_ENC_LOG_H
diff --git a/samples/remote_attestation/enclave_a/CMakeLists.txt b/samples/remote_attestation/enclave_a/CMakeLists.txt
index 341531342f..c63833ed70 100644
--- a/samples/remote_attestation/enclave_a/CMakeLists.txt
+++ b/samples/remote_attestation/enclave_a/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Generate header with public key of enclave B (2)
diff --git a/samples/remote_attestation/enclave_a/Makefile b/samples/remote_attestation/enclave_a/Makefile
index 1c08fba7d5..bb6cf7daf3 100644
--- a/samples/remote_attestation/enclave_a/Makefile
+++ b/samples/remote_attestation/enclave_a/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/remote_attestation/enclave_a/ecalls.cpp b/samples/remote_attestation/enclave_a/ecalls.cpp
index b4a7f60052..e3b953a895 100644
--- a/samples/remote_attestation/enclave_a/ecalls.cpp
+++ b/samples/remote_attestation/enclave_a/ecalls.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include <common/dispatcher.h>
 #include <common/remoteattestation_t.h>
diff --git a/samples/remote_attestation/enclave_a/enc.conf b/samples/remote_attestation/enclave_a/enc.conf
index 981fd5fe9b..c6af0590eb 100644
--- a/samples/remote_attestation/enclave_a/enc.conf
+++ b/samples/remote_attestation/enclave_a/enc.conf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enclave settings:
diff --git a/samples/remote_attestation/enclave_b/CMakeLists.txt b/samples/remote_attestation/enclave_b/CMakeLists.txt
index 6dbe6a940b..182425d0c0 100644
--- a/samples/remote_attestation/enclave_b/CMakeLists.txt
+++ b/samples/remote_attestation/enclave_b/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Generate header with public key of enclave A
diff --git a/samples/remote_attestation/enclave_b/Makefile b/samples/remote_attestation/enclave_b/Makefile
index 5b773e6e2c..47d97a0f09 100644
--- a/samples/remote_attestation/enclave_b/Makefile
+++ b/samples/remote_attestation/enclave_b/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/remote_attestation/enclave_b/ecalls.cpp b/samples/remote_attestation/enclave_b/ecalls.cpp
index 2e60f060f8..216a44d2d9 100644
--- a/samples/remote_attestation/enclave_b/ecalls.cpp
+++ b/samples/remote_attestation/enclave_b/ecalls.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include <common/dispatcher.h>
 #include <common/remoteattestation_t.h>
diff --git a/samples/remote_attestation/enclave_b/enc.conf b/samples/remote_attestation/enclave_b/enc.conf
index 981fd5fe9b..c6af0590eb 100644
--- a/samples/remote_attestation/enclave_b/enc.conf
+++ b/samples/remote_attestation/enclave_b/enc.conf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enclave settings:
diff --git a/samples/remote_attestation/gen_pubkey_header.sh b/samples/remote_attestation/gen_pubkey_header.sh
index 95a4402781..d6ac4ffb30 100755
--- a/samples/remote_attestation/gen_pubkey_header.sh
+++ b/samples/remote_attestation/gen_pubkey_header.sh
@@ -1,13 +1,13 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 destfile="$1"
 pubkey_file="$2"
 
 cat > "$destfile" << EOF
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef SAMPLES_REMOTE_ATTESTATION_PUBKEY_H
diff --git a/samples/remote_attestation/host/CMakeLists.txt b/samples/remote_attestation/host/CMakeLists.txt
index 8bcc5edcf5..5369024603 100644
--- a/samples/remote_attestation/host/CMakeLists.txt
+++ b/samples/remote_attestation/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_custom_command(OUTPUT remoteattestation_u.h remoteattestation_u.c remoteattestation_args.h
diff --git a/samples/remote_attestation/host/Makefile b/samples/remote_attestation/host/Makefile
index 306034bd84..3b07aaa8c8 100644
--- a/samples/remote_attestation/host/Makefile
+++ b/samples/remote_attestation/host/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/remote_attestation/host/host.cpp b/samples/remote_attestation/host/host.cpp
index cd5076193a..a3e997e608 100644
--- a/samples/remote_attestation/host/host.cpp
+++ b/samples/remote_attestation/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/samples/remote_attestation/remoteattestation.edl b/samples/remote_attestation/remoteattestation.edl
index 790260b847..ae99dac4bb 100644
--- a/samples/remote_attestation/remoteattestation.edl
+++ b/samples/remote_attestation/remoteattestation.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/samples/switchless/CMakeLists.txt b/samples/switchless/CMakeLists.txt
index 740d88835d..736188069c 100644
--- a/samples/switchless/CMakeLists.txt
+++ b/samples/switchless/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 cmake_minimum_required(VERSION 3.11)
diff --git a/samples/switchless/Makefile b/samples/switchless/Makefile
index 5ec9108611..4ef7181d3b 100644
--- a/samples/switchless/Makefile
+++ b/samples/switchless/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 .PHONY: all build clean run simulate
diff --git a/samples/switchless/enclave/CMakeLists.txt b/samples/switchless/enclave/CMakeLists.txt
index 90c8ab5b0f..755e5c9919 100644
--- a/samples/switchless/enclave/CMakeLists.txt
+++ b/samples/switchless/enclave/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Use the edger8r to generate C bindings from the EDL file.
diff --git a/samples/switchless/enclave/Makefile b/samples/switchless/enclave/Makefile
index c943748e67..224bd8f713 100644
--- a/samples/switchless/enclave/Makefile
+++ b/samples/switchless/enclave/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/switchless/enclave/enc.c b/samples/switchless/enclave/enc.c
index 91a987d733..ac5eb83e3c 100644
--- a/samples/switchless/enclave/enc.c
+++ b/samples/switchless/enclave/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <stdio.h>
diff --git a/samples/switchless/enclave/switchless.conf b/samples/switchless/enclave/switchless.conf
index 5d4ce9ef95..ca997aa136 100644
--- a/samples/switchless/enclave/switchless.conf
+++ b/samples/switchless/enclave/switchless.conf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enclave settings:
diff --git a/samples/switchless/host/CMakeLists.txt b/samples/switchless/host/CMakeLists.txt
index edc22432e8..d2586c85ca 100644
--- a/samples/switchless/host/CMakeLists.txt
+++ b/samples/switchless/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_custom_command(OUTPUT switchless_u.h switchless_u.c switchless_args.h
diff --git a/samples/switchless/host/Makefile b/samples/switchless/host/Makefile
index b9780c6378..e7e342fa74 100644
--- a/samples/switchless/host/Makefile
+++ b/samples/switchless/host/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Detect C and C++ compiler options
diff --git a/samples/switchless/host/host.c b/samples/switchless/host/host.c
index d1e10abedc..fee3bc9a6f 100644
--- a/samples/switchless/host/host.c
+++ b/samples/switchless/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/samples/switchless/switchless.edl b/samples/switchless/switchless.edl
index 89ab289a39..928717a814 100644
--- a/samples/switchless/switchless.edl
+++ b/samples/switchless/switchless.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/samples/test-samples.cmake b/samples/test-samples.cmake
index fc50943052..ef630955a6 100644
--- a/samples/test-samples.cmake
+++ b/samples/test-samples.cmake
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # This script requires the variables SOURCE_DIR, BUILD_DIR, and
diff --git a/scripts/VirtualMachineSgxSettings.psd1 b/scripts/VirtualMachineSgxSettings.psd1
index bb8e1f3886..2500c59a1c 100644
--- a/scripts/VirtualMachineSgxSettings.psd1
+++ b/scripts/VirtualMachineSgxSettings.psd1
@@ -1,15 +1,15 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 @{
     GUID              = "{5c36f9d9-e64f-4dbb-ae38-6ad1669954c4}"
-    Author            = "Microsoft Corporation"
-    CompanyName       = "Microsoft Corporation"
-    Copyright         = "© Microsoft Corporation. All rights reserved."
+    Author            = "Open Enclave SDK contributors"
+    CompanyName       = "Confidential Computing Consortium"
+    Copyright         = "© Open Enclave SDK contributors"
     RootModule        = "VirtualMachineSgxSettings.psm1"
     ModuleVersion     = "1.0.0.0"
     PowerShellVersion = "3.0"
     ClrVersion        = "4.0"
     FunctionsToExport = "Get-VMSgx", "Set-VMSgx"
-    HelpInfoUri       = "https://github.com/Microsoft/openenclave"
+    HelpInfoUri       = "https://github.com/openenclave/openenclave"
 }
\ No newline at end of file
diff --git a/scripts/VirtualMachineSgxSettings.psm1 b/scripts/VirtualMachineSgxSettings.psm1
index 2cf7ae7c4e..353311886a 100644
--- a/scripts/VirtualMachineSgxSettings.psm1
+++ b/scripts/VirtualMachineSgxSettings.psm1
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 Import-Module Hyper-V
diff --git a/scripts/ansible/README.md b/scripts/ansible/README.md
index bf9456d3af..64200a7dcd 100644
--- a/scripts/ansible/README.md
+++ b/scripts/ansible/README.md
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 This directory contains the Ansible work used to automate all the required tasks for setting up new Open Enclave environments, and new Jenkins agents for the CI / CD system.
diff --git a/scripts/ansible/ansible.cfg b/scripts/ansible/ansible.cfg
index 3380d6c6a3..acb77002db 100644
--- a/scripts/ansible/ansible.cfg
+++ b/scripts/ansible/ansible.cfg
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 [defaults]
diff --git a/scripts/ansible/install-ansible.sh b/scripts/ansible/install-ansible.sh
index d637c41100..87241a9f67 100755
--- a/scripts/ansible/install-ansible.sh
+++ b/scripts/ansible/install-ansible.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 set -o errexit
diff --git a/scripts/ansible/inventory/group_vars/all b/scripts/ansible/inventory/group_vars/all
index 2d9ccfda1d..973cb49b19 100644
--- a/scripts/ansible/inventory/group_vars/all
+++ b/scripts/ansible/inventory/group_vars/all
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Global configs for all the Ansible machines
diff --git a/scripts/ansible/inventory/group_vars/linux-agents b/scripts/ansible/inventory/group_vars/linux-agents
index 4aeb81f870..a56b3b12b5 100644
--- a/scripts/ansible/inventory/group_vars/linux-agents
+++ b/scripts/ansible/inventory/group_vars/linux-agents
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ansible_ssh_user: azureuser
diff --git a/scripts/ansible/inventory/group_vars/windows-agents b/scripts/ansible/inventory/group_vars/windows-agents
index 12fe513fb8..165e01af7b 100644
--- a/scripts/ansible/inventory/group_vars/windows-agents
+++ b/scripts/ansible/inventory/group_vars/windows-agents
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Username and password of the nodes (if the nodes have different passwords, please look into host_vars folder)
diff --git a/scripts/ansible/inventory/hosts b/scripts/ansible/inventory/hosts
index 4509d6efec..817d28d3b1 100644
--- a/scripts/ansible/inventory/hosts
+++ b/scripts/ansible/inventory/hosts
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 [linux-agents]
diff --git a/scripts/ansible/jenkins-agents-register.yml b/scripts/ansible/jenkins-agents-register.yml
index 8d4799f056..1b221d72b1 100644
--- a/scripts/ansible/jenkins-agents-register.yml
+++ b/scripts/ansible/jenkins-agents-register.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/jenkins-setup.yml b/scripts/ansible/jenkins-setup.yml
index 89812c9250..6610c06006 100644
--- a/scripts/ansible/jenkins-setup.yml
+++ b/scripts/ansible/jenkins-setup.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/oe-contributors-acc-setup-no-driver.yml b/scripts/ansible/oe-contributors-acc-setup-no-driver.yml
index fe469b66ab..a8b01fe641 100644
--- a/scripts/ansible/oe-contributors-acc-setup-no-driver.yml
+++ b/scripts/ansible/oe-contributors-acc-setup-no-driver.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/oe-contributors-acc-setup.yml b/scripts/ansible/oe-contributors-acc-setup.yml
index d6cedbbd0d..606c4ebd45 100644
--- a/scripts/ansible/oe-contributors-acc-setup.yml
+++ b/scripts/ansible/oe-contributors-acc-setup.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/oe-contributors-setup-cross-arm.yml b/scripts/ansible/oe-contributors-setup-cross-arm.yml
index dd3967ae41..c7c0bd7d75 100644
--- a/scripts/ansible/oe-contributors-setup-cross-arm.yml
+++ b/scripts/ansible/oe-contributors-setup-cross-arm.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/oe-contributors-setup-sgx1.yml b/scripts/ansible/oe-contributors-setup-sgx1.yml
index 6ca7fc673e..f2758b7e8d 100644
--- a/scripts/ansible/oe-contributors-setup-sgx1.yml
+++ b/scripts/ansible/oe-contributors-setup-sgx1.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/oe-contributors-setup.yml b/scripts/ansible/oe-contributors-setup.yml
index 59a65e7989..f4e402851d 100644
--- a/scripts/ansible/oe-contributors-setup.yml
+++ b/scripts/ansible/oe-contributors-setup.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/oe-linux-acc-setup-no-driver.yml b/scripts/ansible/oe-linux-acc-setup-no-driver.yml
index 13a9d684a6..80ccc464a4 100644
--- a/scripts/ansible/oe-linux-acc-setup-no-driver.yml
+++ b/scripts/ansible/oe-linux-acc-setup-no-driver.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/oe-linux-acc-setup.yml b/scripts/ansible/oe-linux-acc-setup.yml
index 8cef5ff7f3..f16231dd03 100644
--- a/scripts/ansible/oe-linux-acc-setup.yml
+++ b/scripts/ansible/oe-linux-acc-setup.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/oe-linux-esy-setup.yml b/scripts/ansible/oe-linux-esy-setup.yml
index 04a4ac3a27..e69e2d0cd5 100644
--- a/scripts/ansible/oe-linux-esy-setup.yml
+++ b/scripts/ansible/oe-linux-esy-setup.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/oe-vanilla-prelibsgx-setup.yml b/scripts/ansible/oe-vanilla-prelibsgx-setup.yml
index cd7e4caa07..54d9445379 100644
--- a/scripts/ansible/oe-vanilla-prelibsgx-setup.yml
+++ b/scripts/ansible/oe-vanilla-prelibsgx-setup.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/oe-windows-acc-setup.yml b/scripts/ansible/oe-windows-acc-setup.yml
index 58f4b92539..da172fcf9f 100644
--- a/scripts/ansible/oe-windows-acc-setup.yml
+++ b/scripts/ansible/oe-windows-acc-setup.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/remove-ansible.sh b/scripts/ansible/remove-ansible.sh
index 0a8d84b663..13e941b5e7 100755
--- a/scripts/ansible/remove-ansible.sh
+++ b/scripts/ansible/remove-ansible.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 set -o errexit
diff --git a/scripts/ansible/requirements.txt b/scripts/ansible/requirements.txt
index 2c07f3e9f7..2383c81dac 100644
--- a/scripts/ansible/requirements.txt
+++ b/scripts/ansible/requirements.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 ansible==2.8.2
 pywinrm==0.2.1
diff --git a/scripts/ansible/roles/common/jenkins/tasks/agent-provision.yml b/scripts/ansible/roles/common/jenkins/tasks/agent-provision.yml
index 8e36c077f9..036772e6a3 100644
--- a/scripts/ansible/roles/common/jenkins/tasks/agent-provision.yml
+++ b/scripts/ansible/roles/common/jenkins/tasks/agent-provision.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/az-dcap-client/tasks/stable-install.yml b/scripts/ansible/roles/linux/az-dcap-client/tasks/stable-install.yml
index cc03287a44..1d360ddce2 100644
--- a/scripts/ansible/roles/linux/az-dcap-client/tasks/stable-install.yml
+++ b/scripts/ansible/roles/linux/az-dcap-client/tasks/stable-install.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/az-dcap-client/tasks/validation.yml b/scripts/ansible/roles/linux/az-dcap-client/tasks/validation.yml
index 2284733cba..1c4d96861c 100644
--- a/scripts/ansible/roles/linux/az-dcap-client/tasks/validation.yml
+++ b/scripts/ansible/roles/linux/az-dcap-client/tasks/validation.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/az-dcap-client/vars/ubuntu.yml b/scripts/ansible/roles/linux/az-dcap-client/vars/ubuntu.yml
index acee0b1de4..6d72ed0a84 100644
--- a/scripts/ansible/roles/linux/az-dcap-client/vars/ubuntu.yml
+++ b/scripts/ansible/roles/linux/az-dcap-client/vars/ubuntu.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/common/tasks/apt-repo.yml b/scripts/ansible/roles/linux/common/tasks/apt-repo.yml
index 62e1451c44..d7ed70464b 100644
--- a/scripts/ansible/roles/linux/common/tasks/apt-repo.yml
+++ b/scripts/ansible/roles/linux/common/tasks/apt-repo.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/docker/tasks/ci-setup.yml b/scripts/ansible/roles/linux/docker/tasks/ci-setup.yml
index aadacc1de6..79c206c286 100644
--- a/scripts/ansible/roles/linux/docker/tasks/ci-setup.yml
+++ b/scripts/ansible/roles/linux/docker/tasks/ci-setup.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/docker/tasks/stable-install.yml b/scripts/ansible/roles/linux/docker/tasks/stable-install.yml
index 9e5012875a..1855d02c3a 100644
--- a/scripts/ansible/roles/linux/docker/tasks/stable-install.yml
+++ b/scripts/ansible/roles/linux/docker/tasks/stable-install.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/docker/tasks/validation.yml b/scripts/ansible/roles/linux/docker/tasks/validation.yml
index de3c816731..ca355b88d1 100644
--- a/scripts/ansible/roles/linux/docker/tasks/validation.yml
+++ b/scripts/ansible/roles/linux/docker/tasks/validation.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/docker/vars/bionic.yml b/scripts/ansible/roles/linux/docker/vars/bionic.yml
index 53b8bea693..2d3f45aa0d 100644
--- a/scripts/ansible/roles/linux/docker/vars/bionic.yml
+++ b/scripts/ansible/roles/linux/docker/vars/bionic.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/docker/vars/ubuntu.yml b/scripts/ansible/roles/linux/docker/vars/ubuntu.yml
index 050225db24..6f6e693baa 100644
--- a/scripts/ansible/roles/linux/docker/vars/ubuntu.yml
+++ b/scripts/ansible/roles/linux/docker/vars/ubuntu.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/docker/vars/xenial.yml b/scripts/ansible/roles/linux/docker/vars/xenial.yml
index c2cd43a020..a9cf45fc95 100644
--- a/scripts/ansible/roles/linux/docker/vars/xenial.yml
+++ b/scripts/ansible/roles/linux/docker/vars/xenial.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/intel/defaults/main.yml b/scripts/ansible/roles/linux/intel/defaults/main.yml
index 34570068dc..ed63f9e87d 100644
--- a/scripts/ansible/roles/linux/intel/defaults/main.yml
+++ b/scripts/ansible/roles/linux/intel/defaults/main.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/intel/tasks/driver-validation.yml b/scripts/ansible/roles/linux/intel/tasks/driver-validation.yml
index 120a0db72c..f34148edf5 100644
--- a/scripts/ansible/roles/linux/intel/tasks/driver-validation.yml
+++ b/scripts/ansible/roles/linux/intel/tasks/driver-validation.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/intel/tasks/packages-validation.yml b/scripts/ansible/roles/linux/intel/tasks/packages-validation.yml
index 7a2a85afb5..e91ca0d53a 100644
--- a/scripts/ansible/roles/linux/intel/tasks/packages-validation.yml
+++ b/scripts/ansible/roles/linux/intel/tasks/packages-validation.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml b/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml
index ed2dd755d2..7785a17762 100644
--- a/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml
+++ b/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml b/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml
index 0379955adb..cdf630b619 100644
--- a/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml
+++ b/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/intel/vars/bionic.yml b/scripts/ansible/roles/linux/intel/vars/bionic.yml
index 37885e985f..894d5c7059 100644
--- a/scripts/ansible/roles/linux/intel/vars/bionic.yml
+++ b/scripts/ansible/roles/linux/intel/vars/bionic.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/intel/vars/ubuntu.yml b/scripts/ansible/roles/linux/intel/vars/ubuntu.yml
index 4965cda3aa..a5bbfb1098 100644
--- a/scripts/ansible/roles/linux/intel/vars/ubuntu.yml
+++ b/scripts/ansible/roles/linux/intel/vars/ubuntu.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/intel/vars/xenial.yml b/scripts/ansible/roles/linux/intel/vars/xenial.yml
index 0f8656b6aa..57f195836a 100644
--- a/scripts/ansible/roles/linux/intel/vars/xenial.yml
+++ b/scripts/ansible/roles/linux/intel/vars/xenial.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/jenkins/tasks/slave-setup.yml b/scripts/ansible/roles/linux/jenkins/tasks/slave-setup.yml
index e3fc3387e7..837e7c11eb 100644
--- a/scripts/ansible/roles/linux/jenkins/tasks/slave-setup.yml
+++ b/scripts/ansible/roles/linux/jenkins/tasks/slave-setup.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/jenkins/tasks/validation.yml b/scripts/ansible/roles/linux/jenkins/tasks/validation.yml
index 14507fb0f5..ee684d28ae 100644
--- a/scripts/ansible/roles/linux/jenkins/tasks/validation.yml
+++ b/scripts/ansible/roles/linux/jenkins/tasks/validation.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/jenkins/templates/jenkins-slave.default.j2 b/scripts/ansible/roles/linux/jenkins/templates/jenkins-slave.default.j2
index 89364ea8d0..4b88363cdb 100644
--- a/scripts/ansible/roles/linux/jenkins/templates/jenkins-slave.default.j2
+++ b/scripts/ansible/roles/linux/jenkins/templates/jenkins-slave.default.j2
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 JENKINS_RUN=/var/run/jenkins
diff --git a/scripts/ansible/roles/linux/jenkins/templates/jenkins-slave.service.j2 b/scripts/ansible/roles/linux/jenkins/templates/jenkins-slave.service.j2
index bb649bb4b3..e08e6929f1 100644
--- a/scripts/ansible/roles/linux/jenkins/templates/jenkins-slave.service.j2
+++ b/scripts/ansible/roles/linux/jenkins/templates/jenkins-slave.service.j2
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 [Unit]
diff --git a/scripts/ansible/roles/linux/jenkins/vars/ubuntu.yml b/scripts/ansible/roles/linux/jenkins/vars/ubuntu.yml
index 722b10f372..8ba4c57643 100644
--- a/scripts/ansible/roles/linux/jenkins/vars/ubuntu.yml
+++ b/scripts/ansible/roles/linux/jenkins/vars/ubuntu.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/openenclave/tasks/environment-setup-cross-arm.yml b/scripts/ansible/roles/linux/openenclave/tasks/environment-setup-cross-arm.yml
index e70771575e..ef8ccc4cdd 100644
--- a/scripts/ansible/roles/linux/openenclave/tasks/environment-setup-cross-arm.yml
+++ b/scripts/ansible/roles/linux/openenclave/tasks/environment-setup-cross-arm.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/openenclave/tasks/environment-setup.yml b/scripts/ansible/roles/linux/openenclave/tasks/environment-setup.yml
index 7a09abde3d..2d1ca3ec3f 100644
--- a/scripts/ansible/roles/linux/openenclave/tasks/environment-setup.yml
+++ b/scripts/ansible/roles/linux/openenclave/tasks/environment-setup.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/openenclave/tasks/esy-setup.yml b/scripts/ansible/roles/linux/openenclave/tasks/esy-setup.yml
index aa5c16bcd4..2573e81def 100644
--- a/scripts/ansible/roles/linux/openenclave/tasks/esy-setup.yml
+++ b/scripts/ansible/roles/linux/openenclave/tasks/esy-setup.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 #
 # See https://github.com/esy/esy/pull/957, specifically:
diff --git a/scripts/ansible/roles/linux/openenclave/tasks/stable-install.yml b/scripts/ansible/roles/linux/openenclave/tasks/stable-install.yml
index 4034a350c2..68c6a51981 100644
--- a/scripts/ansible/roles/linux/openenclave/tasks/stable-install.yml
+++ b/scripts/ansible/roles/linux/openenclave/tasks/stable-install.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/openenclave/tasks/validation.yml b/scripts/ansible/roles/linux/openenclave/tasks/validation.yml
index af21deceb6..3f86d3ec76 100644
--- a/scripts/ansible/roles/linux/openenclave/tasks/validation.yml
+++ b/scripts/ansible/roles/linux/openenclave/tasks/validation.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/linux/openenclave/vars/ubuntu.yml b/scripts/ansible/roles/linux/openenclave/vars/ubuntu.yml
index d29823f9a5..8eee4dd17c 100644
--- a/scripts/ansible/roles/linux/openenclave/vars/ubuntu.yml
+++ b/scripts/ansible/roles/linux/openenclave/vars/ubuntu.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/windows/az-dcap-client/tasks/validation.yml b/scripts/ansible/roles/windows/az-dcap-client/tasks/validation.yml
index 45cb388ad9..0a96d692eb 100644
--- a/scripts/ansible/roles/windows/az-dcap-client/tasks/validation.yml
+++ b/scripts/ansible/roles/windows/az-dcap-client/tasks/validation.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/windows/az-dcap-client/vars/windows.yml b/scripts/ansible/roles/windows/az-dcap-client/vars/windows.yml
index 32275ff0b7..07ed65bca1 100644
--- a/scripts/ansible/roles/windows/az-dcap-client/vars/windows.yml
+++ b/scripts/ansible/roles/windows/az-dcap-client/vars/windows.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/windows/jenkins/tasks/slave-setup.yml b/scripts/ansible/roles/windows/jenkins/tasks/slave-setup.yml
index e4c5b7d9cf..cd776f2a83 100644
--- a/scripts/ansible/roles/windows/jenkins/tasks/slave-setup.yml
+++ b/scripts/ansible/roles/windows/jenkins/tasks/slave-setup.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/windows/jenkins/tasks/validation.yml b/scripts/ansible/roles/windows/jenkins/tasks/validation.yml
index fb867cbab2..41cffd5639 100644
--- a/scripts/ansible/roles/windows/jenkins/tasks/validation.yml
+++ b/scripts/ansible/roles/windows/jenkins/tasks/validation.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/windows/jenkins/vars/windows.yml b/scripts/ansible/roles/windows/jenkins/vars/windows.yml
index f60457acbf..c640263786 100644
--- a/scripts/ansible/roles/windows/jenkins/vars/windows.yml
+++ b/scripts/ansible/roles/windows/jenkins/vars/windows.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/windows/openenclave/tasks/validation.yml b/scripts/ansible/roles/windows/openenclave/tasks/validation.yml
index 6331cf7a94..2403596200 100644
--- a/scripts/ansible/roles/windows/openenclave/tasks/validation.yml
+++ b/scripts/ansible/roles/windows/openenclave/tasks/validation.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/ansible/roles/windows/openenclave/vars/windows.yml b/scripts/ansible/roles/windows/openenclave/vars/windows.yml
index 772b9df88a..553e1674b4 100644
--- a/scripts/ansible/roles/windows/openenclave/vars/windows.yml
+++ b/scripts/ansible/roles/windows/openenclave/vars/windows.yml
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ---
diff --git a/scripts/check-ci b/scripts/check-ci
index dd55b3a58d..b8388a237a 100755
--- a/scripts/check-ci
+++ b/scripts/check-ci
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # This script is very similar to the pre-commit hook, except it
diff --git a/scripts/check-license b/scripts/check-license
index 9de9405280..18c0da200a 100755
--- a/scripts/check-license
+++ b/scripts/check-license
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # This script accepts either a list of files relative to the current
@@ -11,7 +11,7 @@
 set -o errexit
 set -o pipefail
 
-license=("Copyright (c) Microsoft Corporation. All rights reserved." "Licensed under the MIT License.")
+license=("Copyright (c) Open Enclave SDK contributors." "Licensed under the MIT License.")
 
 root=$(git rev-parse --show-toplevel)
 
diff --git a/scripts/check-linters b/scripts/check-linters
index f3eef93093..371e7fb3ca 100755
--- a/scripts/check-linters
+++ b/scripts/check-linters
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # This script currently runs just the ShellCheck linter on shell
diff --git a/scripts/clangw b/scripts/clangw
index e8f3d7a1e4..deff4945d4 100644
--- a/scripts/clangw
+++ b/scripts/clangw
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # shellcheck disable=SC2068 disable=SC2006 disable=SC2179
diff --git a/scripts/commit-msg b/scripts/commit-msg
index 247ddbd705..5490af6060 100644
--- a/scripts/commit-msg
+++ b/scripts/commit-msg
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 set -o errexit
diff --git a/scripts/deploy-docs b/scripts/deploy-docs
index 338c6c2ec7..e31ee9c313 100755
--- a/scripts/deploy-docs
+++ b/scripts/deploy-docs
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ##==============================================================================
diff --git a/scripts/format-code b/scripts/format-code
index 2ed26771e5..31050dab8a 100755
--- a/scripts/format-code
+++ b/scripts/format-code
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ##==============================================================================
diff --git a/scripts/format-code.ps1 b/scripts/format-code.ps1
index 4c323183ba..97f5610777 100644
--- a/scripts/format-code.ps1
+++ b/scripts/format-code.ps1
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 $usage=$false;
diff --git a/scripts/generate-devkits b/scripts/generate-devkits
index 899334cabe..0c4fe58fd3 100755
--- a/scripts/generate-devkits
+++ b/scripts/generate-devkits
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 OPTEE_OS_PATH=$1
diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index 08443d8555..89f233b3e3 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # The Hash parameter defaults below are calculated using Get-FileHash with the default SHA256 hashing algorithm
diff --git a/scripts/llvm-arw b/scripts/llvm-arw
index 3a5e971289..9993658fb5 100644
--- a/scripts/llvm-arw
+++ b/scripts/llvm-arw
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # shellcheck disable=SC2068
diff --git a/scripts/pre-commit b/scripts/pre-commit
index ffe64a5fca..82800cdc6c 100755
--- a/scripts/pre-commit
+++ b/scripts/pre-commit
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 set -o errexit
diff --git a/scripts/test-build-config b/scripts/test-build-config
index a5bcc49a47..00c6ec7f8b 100755
--- a/scripts/test-build-config
+++ b/scripts/test-build-config
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ##====================================================================================
diff --git a/syscall/CMakeLists.txt b/syscall/CMakeLists.txt
index 2fe73c8626..003e74b31a 100644
--- a/syscall/CMakeLists.txt
+++ b/syscall/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 ##==============================================================================
diff --git a/syscall/consolefs.c b/syscall/consolefs.c
index 3f4039688d..a97f322ca1 100644
--- a/syscall/consolefs.c
+++ b/syscall/consolefs.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/syscall/consolefs.h b/syscall/consolefs.h
index 73dec63bc6..c8c9e991eb 100644
--- a/syscall/consolefs.h
+++ b/syscall/consolefs.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved._ops
+// Copyright (c) Open Enclave SDK contributors._ops
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_CONSOLEFS_H
diff --git a/syscall/device.c b/syscall/device.c
index e8a7fa7cd4..de00c6ec4d 100644
--- a/syscall/device.c
+++ b/syscall/device.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/syscall/devices/CMakeLists.txt b/syscall/devices/CMakeLists.txt
index a9b5012e52..dcc928accc 100644
--- a/syscall/devices/CMakeLists.txt
+++ b/syscall/devices/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(hostfs)
diff --git a/syscall/devices/hostepoll/CMakeLists.txt b/syscall/devices/hostepoll/CMakeLists.txt
index ffb43275a7..fca60f36b9 100644
--- a/syscall/devices/hostepoll/CMakeLists.txt
+++ b/syscall/devices/hostepoll/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_library(oehostepoll STATIC hostepoll.c)
diff --git a/syscall/devices/hostepoll/hostepoll.c b/syscall/devices/hostepoll/hostepoll.c
index bb048883ce..fb85d769ad 100644
--- a/syscall/devices/hostepoll/hostepoll.c
+++ b/syscall/devices/hostepoll/hostepoll.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define _GNU_SOURCE
diff --git a/syscall/devices/hostfs/CMakeLists.txt b/syscall/devices/hostfs/CMakeLists.txt
index 5127cda0dc..4ad635b7fd 100644
--- a/syscall/devices/hostfs/CMakeLists.txt
+++ b/syscall/devices/hostfs/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_library(oehostfs STATIC hostfs.c)
diff --git a/syscall/devices/hostfs/hostfs.c b/syscall/devices/hostfs/hostfs.c
index 0b47e9959a..c433289a3b 100644
--- a/syscall/devices/hostfs/hostfs.c
+++ b/syscall/devices/hostfs/hostfs.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /*
diff --git a/syscall/devices/hostresolver/CMakeLists.txt b/syscall/devices/hostresolver/CMakeLists.txt
index 036e70070e..493284943d 100644
--- a/syscall/devices/hostresolver/CMakeLists.txt
+++ b/syscall/devices/hostresolver/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_library(oehostresolver STATIC hostresolver.c)
diff --git a/syscall/devices/hostresolver/hostresolver.c b/syscall/devices/hostresolver/hostresolver.c
index bfff8d7baf..fd6072e4b6 100644
--- a/syscall/devices/hostresolver/hostresolver.c
+++ b/syscall/devices/hostresolver/hostresolver.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define _GNU_SOURCE
diff --git a/syscall/devices/hostsock/CMakeLists.txt b/syscall/devices/hostsock/CMakeLists.txt
index 97adabb5d9..d4873c8861 100644
--- a/syscall/devices/hostsock/CMakeLists.txt
+++ b/syscall/devices/hostsock/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_library(oehostsock STATIC hostsock.c)
diff --git a/syscall/devices/hostsock/hostsock.c b/syscall/devices/hostsock/hostsock.c
index 99e4e60a33..a346f70ddd 100644
--- a/syscall/devices/hostsock/hostsock.c
+++ b/syscall/devices/hostsock/hostsock.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define _GNU_SOURCE
diff --git a/syscall/dirent.c b/syscall/dirent.c
index ee32ddabae..aae1fa32e7 100644
--- a/syscall/dirent.c
+++ b/syscall/dirent.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/limits.h>
diff --git a/syscall/epoll.c b/syscall/epoll.c
index 57613d722c..28d81b9d91 100644
--- a/syscall/epoll.c
+++ b/syscall/epoll.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // clang-format off
diff --git a/syscall/fcntl.c b/syscall/fcntl.c
index e6a4f81d5a..e84a2be693 100644
--- a/syscall/fcntl.c
+++ b/syscall/fcntl.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/errno.h>
diff --git a/syscall/fdtable.c b/syscall/fdtable.c
index 96743be314..cab5a97a28 100644
--- a/syscall/fdtable.c
+++ b/syscall/fdtable.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/module.h>
diff --git a/syscall/ioctl.c b/syscall/ioctl.c
index b43bf1eee3..18f6b174ce 100644
--- a/syscall/ioctl.c
+++ b/syscall/ioctl.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/errno.h>
diff --git a/syscall/iov.c b/syscall/iov.c
index 03a7844671..0429ab5f37 100644
--- a/syscall/iov.c
+++ b/syscall/iov.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/syscall/mount.c b/syscall/mount.c
index 5d123568ff..0e6eaf6a63 100644
--- a/syscall/mount.c
+++ b/syscall/mount.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // clang-format off
diff --git a/syscall/mount.h b/syscall/mount.h
index 53ac193327..b8c242395f 100644
--- a/syscall/mount.h
+++ b/syscall/mount.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved._ops
+// Copyright (c) Open Enclave SDK contributors._ops
 // Licensed under the MIT License.
 
 #ifndef _OE_SYSCALL_MOUNT_H
diff --git a/syscall/netdb.c b/syscall/netdb.c
index d8c81c6e95..f045f47120 100644
--- a/syscall/netdb.c
+++ b/syscall/netdb.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/stdlib.h>
diff --git a/syscall/poll.c b/syscall/poll.c
index fa4172cb08..d99e676391 100644
--- a/syscall/poll.c
+++ b/syscall/poll.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/syscall/select.c b/syscall/select.c
index 9b97f522c6..5e5c6ea7d6 100644
--- a/syscall/select.c
+++ b/syscall/select.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/syscall/socket.c b/syscall/socket.c
index dea108059c..33f0ff5897 100644
--- a/syscall/socket.c
+++ b/syscall/socket.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/syscall/stat.c b/syscall/stat.c
index c9334f02de..7581f1e564 100644
--- a/syscall/stat.c
+++ b/syscall/stat.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/syscall/device.h>
diff --git a/syscall/stdio.c b/syscall/stdio.c
index 0fd2912562..a1defe0f41 100644
--- a/syscall/stdio.c
+++ b/syscall/stdio.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/stdio.h>
diff --git a/syscall/stdlib.c b/syscall/stdlib.c
index f600a6c235..636ed957d7 100644
--- a/syscall/stdlib.c
+++ b/syscall/stdlib.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/errno.h>
diff --git a/syscall/stub.c b/syscall/stub.c
index 3a3cb11aa4..167cc0fd15 100644
--- a/syscall/stub.c
+++ b/syscall/stub.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/syscall/syscall.c b/syscall/syscall.c
index 4e228a996b..0c003631ee 100644
--- a/syscall/syscall.c
+++ b/syscall/syscall.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safemath.h>
diff --git a/syscall/syscall_t_wrapper.c b/syscall/syscall_t_wrapper.c
index 9d07779912..f980aca6a3 100644
--- a/syscall/syscall_t_wrapper.c
+++ b/syscall/syscall_t_wrapper.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define OE_NEED_STDC_NAMES
diff --git a/syscall/unistd.c b/syscall/unistd.c
index cdc5202e70..7b12067281 100644
--- a/syscall/unistd.c
+++ b/syscall/unistd.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/errno.h>
diff --git a/syscall/utsname.c b/syscall/utsname.c
index 4bdf55ebe0..d90dbd7e4c 100644
--- a/syscall/utsname.c
+++ b/syscall/utsname.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/errno.h>
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 946f7c333f..841fd0d871 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 include(oeedl_file)
diff --git a/tests/SampleApp/CMakeLists.txt b/tests/SampleApp/CMakeLists.txt
index b67b0e421d..914a4c89e8 100644
--- a/tests/SampleApp/CMakeLists.txt
+++ b/tests/SampleApp/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/SampleApp/SampleApp.edl b/tests/SampleApp/SampleApp.edl
index 7fe72934d8..06f60610a5 100644
--- a/tests/SampleApp/SampleApp.edl
+++ b/tests/SampleApp/SampleApp.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/SampleApp/enc/CMakeLists.txt b/tests/SampleApp/enc/CMakeLists.txt
index e5408accf4..3106bc8761 100644
--- a/tests/SampleApp/enc/CMakeLists.txt
+++ b/tests/SampleApp/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # TODO: Does this need CXX?
diff --git a/tests/SampleApp/enc/SampleApp.cpp b/tests/SampleApp/enc/SampleApp.cpp
index 30ef05f4ad..50456fb8d9 100644
--- a/tests/SampleApp/enc/SampleApp.cpp
+++ b/tests/SampleApp/enc/SampleApp.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/SampleApp/host/CMakeLists.txt b/tests/SampleApp/host/CMakeLists.txt
index f836b65b12..2e15aec4e1 100644
--- a/tests/SampleApp/host/CMakeLists.txt
+++ b/tests/SampleApp/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../SampleApp.edl host gen)
diff --git a/tests/SampleApp/host/SampleAppHost.cpp b/tests/SampleApp/host/SampleAppHost.cpp
index 80a058fb44..35d45d2639 100644
--- a/tests/SampleApp/host/SampleAppHost.cpp
+++ b/tests/SampleApp/host/SampleAppHost.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/SampleAppCRT/CMakeLists.txt b/tests/SampleAppCRT/CMakeLists.txt
index 58b9984d92..5f045807d6 100644
--- a/tests/SampleAppCRT/CMakeLists.txt
+++ b/tests/SampleAppCRT/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/SampleAppCRT/SampleAppCRT.edl b/tests/SampleAppCRT/SampleAppCRT.edl
index b6267f3603..402d9a22f9 100644
--- a/tests/SampleAppCRT/SampleAppCRT.edl
+++ b/tests/SampleAppCRT/SampleAppCRT.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/SampleAppCRT/enc/CMakeLists.txt b/tests/SampleAppCRT/enc/CMakeLists.txt
index c32b82f6aa..63780d9e0f 100644
--- a/tests/SampleAppCRT/enc/CMakeLists.txt
+++ b/tests/SampleAppCRT/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # TODO: Does this need CXX?
diff --git a/tests/SampleAppCRT/enc/SampleAppCRT.cpp b/tests/SampleAppCRT/enc/SampleAppCRT.cpp
index 08cbaebe90..fe6b87b1a7 100644
--- a/tests/SampleAppCRT/enc/SampleAppCRT.cpp
+++ b/tests/SampleAppCRT/enc/SampleAppCRT.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/tests/SampleAppCRT/host/CMakeLists.txt b/tests/SampleAppCRT/host/CMakeLists.txt
index 9829a785e1..37f99bba56 100644
--- a/tests/SampleAppCRT/host/CMakeLists.txt
+++ b/tests/SampleAppCRT/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../SampleAppCRT.edl host gen)
diff --git a/tests/SampleAppCRT/host/SampleAppCRTHost.cpp b/tests/SampleAppCRT/host/SampleAppCRTHost.cpp
index 377a39487f..8a0b7ae41b 100644
--- a/tests/SampleAppCRT/host/SampleAppCRTHost.cpp
+++ b/tests/SampleAppCRT/host/SampleAppCRTHost.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/VectorException/CMakeLists.txt b/tests/VectorException/CMakeLists.txt
index fd8bf39f35..cb7a660288 100644
--- a/tests/VectorException/CMakeLists.txt
+++ b/tests/VectorException/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/VectorException/VectorException.edl b/tests/VectorException/VectorException.edl
index b3b7af1941..d2556af185 100644
--- a/tests/VectorException/VectorException.edl
+++ b/tests/VectorException/VectorException.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/VectorException/enc/CMakeLists.txt b/tests/VectorException/enc/CMakeLists.txt
index 905fc54572..d07befa400 100644
--- a/tests/VectorException/enc/CMakeLists.txt
+++ b/tests/VectorException/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../VectorException.edl enclave gen)
diff --git a/tests/VectorException/enc/enc.c b/tests/VectorException/enc/enc.c
index e463a7e9e5..99f942d3f1 100644
--- a/tests/VectorException/enc/enc.c
+++ b/tests/VectorException/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/tests/VectorException/enc/init.cpp b/tests/VectorException/enc/init.cpp
index 05fe5d8391..0b993d0da8 100644
--- a/tests/VectorException/enc/init.cpp
+++ b/tests/VectorException/enc/init.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/VectorException/enc/sigill_handling.c b/tests/VectorException/enc/sigill_handling.c
index 47df80921e..74abd78901 100644
--- a/tests/VectorException/enc/sigill_handling.c
+++ b/tests/VectorException/enc/sigill_handling.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include <openenclave/enclave.h>
 #include <openenclave/internal/calls.h>
diff --git a/tests/VectorException/host/CMakeLists.txt b/tests/VectorException/host/CMakeLists.txt
index 56d36c73eb..d82c9fd8ab 100644
--- a/tests/VectorException/host/CMakeLists.txt
+++ b/tests/VectorException/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../VectorException.edl host gen)
diff --git a/tests/VectorException/host/host.c b/tests/VectorException/host/host.c
index 2e7fa011a6..54ace06c1c 100644
--- a/tests/VectorException/host/host.c
+++ b/tests/VectorException/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include <limits.h>
 #include <openenclave/host.h>
diff --git a/tests/abortStatus/CMakeLists.txt b/tests/abortStatus/CMakeLists.txt
index f3fd781e0b..3e641f0bf1 100644
--- a/tests/abortStatus/CMakeLists.txt
+++ b/tests/abortStatus/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/abortStatus/abortStatus.edl b/tests/abortStatus/abortStatus.edl
index 3273ff9332..3fb2be1ead 100644
--- a/tests/abortStatus/abortStatus.edl
+++ b/tests/abortStatus/abortStatus.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/abortStatus/enc/CMakeLists.txt b/tests/abortStatus/enc/CMakeLists.txt
index 5ff7274b40..4294ab98de 100644
--- a/tests/abortStatus/enc/CMakeLists.txt
+++ b/tests/abortStatus/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/abortStatus/enc/enc.cpp b/tests/abortStatus/enc/enc.cpp
index b448f93496..beda29d2a2 100644
--- a/tests/abortStatus/enc/enc.cpp
+++ b/tests/abortStatus/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/tests/abortStatus/host/CMakeLists.txt b/tests/abortStatus/host/CMakeLists.txt
index 63d5787076..f4a580d2c8 100644
--- a/tests/abortStatus/host/CMakeLists.txt
+++ b/tests/abortStatus/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/abortStatus/host/host.cpp b/tests/abortStatus/host/host.cpp
index 09eb95db90..9b6a383e10 100644
--- a/tests/abortStatus/host/host.cpp
+++ b/tests/abortStatus/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/argv/CMakeLists.txt b/tests/argv/CMakeLists.txt
index eee6714aa5..ff670509ce 100644
--- a/tests/argv/CMakeLists.txt
+++ b/tests/argv/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/argv/argv.edl b/tests/argv/argv.edl
index fbd7b1a906..ed2c71b944 100644
--- a/tests/argv/argv.edl
+++ b/tests/argv/argv.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave
diff --git a/tests/argv/enc/CMakeLists.txt b/tests/argv/enc/CMakeLists.txt
index c717c824cb..85f5ee7f11 100644
--- a/tests/argv/enc/CMakeLists.txt
+++ b/tests/argv/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/argv/enc/enc.c b/tests/argv/enc/enc.c
index 30c7ed1db6..0e0da2c1d8 100644
--- a/tests/argv/enc/enc.c
+++ b/tests/argv/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/argv/host/CMakeLists.txt b/tests/argv/host/CMakeLists.txt
index e412a011fd..b5429a406d 100644
--- a/tests/argv/host/CMakeLists.txt
+++ b/tests/argv/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/argv/host/host.c b/tests/argv/host/host.c
index d4961bf553..0c540168b1 100644
--- a/tests/argv/host/host.c
+++ b/tests/argv/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/attestation_cert_apis/CMakeLists.txt b/tests/attestation_cert_apis/CMakeLists.txt
index d6f0f80dc5..6ca545ab31 100644
--- a/tests/attestation_cert_apis/CMakeLists.txt
+++ b/tests/attestation_cert_apis/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/attestation_cert_apis/enc/CMakeLists.txt b/tests/attestation_cert_apis/enc/CMakeLists.txt
index 09a52d5660..a7da26510b 100644
--- a/tests/attestation_cert_apis/enc/CMakeLists.txt
+++ b/tests/attestation_cert_apis/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 include(oeedl_file)
diff --git a/tests/attestation_cert_apis/enc/enc.cpp b/tests/attestation_cert_apis/enc/enc.cpp
index 0b9c1d001b..a4182fb2d1 100644
--- a/tests/attestation_cert_apis/enc/enc.cpp
+++ b/tests/attestation_cert_apis/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <mbedtls/ctr_drbg.h>
diff --git a/tests/attestation_cert_apis/host/CMakeLists.txt b/tests/attestation_cert_apis/host/CMakeLists.txt
index e465c99eb7..1f904bae72 100644
--- a/tests/attestation_cert_apis/host/CMakeLists.txt
+++ b/tests/attestation_cert_apis/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 include(add_dcap_client_target)
diff --git a/tests/attestation_cert_apis/host/host.cpp b/tests/attestation_cert_apis/host/host.cpp
index e000d56fb4..026cd078c8 100644
--- a/tests/attestation_cert_apis/host/host.cpp
+++ b/tests/attestation_cert_apis/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/attestation_cert_apis/tls.edl b/tests/attestation_cert_apis/tls.edl
index 8494af080d..a655645d6d 100644
--- a/tests/attestation_cert_apis/tls.edl
+++ b/tests/attestation_cert_apis/tls.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/backtrace/CMakeLists.txt b/tests/backtrace/CMakeLists.txt
index 3ed44092ab..0159031f6d 100644
--- a/tests/backtrace/CMakeLists.txt
+++ b/tests/backtrace/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/backtrace/backtrace.edl b/tests/backtrace/backtrace.edl
index 82ae6db9b9..cf619b2ce9 100644
--- a/tests/backtrace/backtrace.edl
+++ b/tests/backtrace/backtrace.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/backtrace/enc/CMakeLists.txt b/tests/backtrace/enc/CMakeLists.txt
index 3f03a0528a..348662ae3b 100644
--- a/tests/backtrace/enc/CMakeLists.txt
+++ b/tests/backtrace/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/backtrace/enc/enc.cpp b/tests/backtrace/enc/enc.cpp
index dd85772400..c93d0fda33 100644
--- a/tests/backtrace/enc/enc.cpp
+++ b/tests/backtrace/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/tests/backtrace/host/CMakeLists.txt b/tests/backtrace/host/CMakeLists.txt
index 765bfc1344..caa7c4b5e9 100644
--- a/tests/backtrace/host/CMakeLists.txt
+++ b/tests/backtrace/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/backtrace/host/host.cpp b/tests/backtrace/host/host.cpp
index 077e1aef1f..133dc30a70 100644
--- a/tests/backtrace/host/host.cpp
+++ b/tests/backtrace/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/bigmalloc/CMakeLists.txt b/tests/bigmalloc/CMakeLists.txt
index d7d9ee1669..e942b219f7 100644
--- a/tests/bigmalloc/CMakeLists.txt
+++ b/tests/bigmalloc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/bigmalloc/bigmalloc.edl b/tests/bigmalloc/bigmalloc.edl
index 84f6f1c99e..2783f4dea6 100644
--- a/tests/bigmalloc/bigmalloc.edl
+++ b/tests/bigmalloc/bigmalloc.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/bigmalloc/enc/CMakeLists.txt b/tests/bigmalloc/enc/CMakeLists.txt
index bf59a9f0ef..1ffe515c35 100644
--- a/tests/bigmalloc/enc/CMakeLists.txt
+++ b/tests/bigmalloc/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/bigmalloc/enc/enc.c b/tests/bigmalloc/enc/enc.c
index f158115d66..a417e79c62 100644
--- a/tests/bigmalloc/enc/enc.c
+++ b/tests/bigmalloc/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/bigmalloc/enc/sign.conf b/tests/bigmalloc/enc/sign.conf
index 4a9f5712d8..9235ad588c 100644
--- a/tests/bigmalloc/enc/sign.conf
+++ b/tests/bigmalloc/enc/sign.conf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enclave settings (with 16GB heap):
diff --git a/tests/bigmalloc/host/CMakeLists.txt b/tests/bigmalloc/host/CMakeLists.txt
index 27ca2e9533..fa01c818c2 100644
--- a/tests/bigmalloc/host/CMakeLists.txt
+++ b/tests/bigmalloc/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../bigmalloc.edl host gen)
diff --git a/tests/bigmalloc/host/host.c b/tests/bigmalloc/host/host.c
index 43bd894028..48ed3c7507 100644
--- a/tests/bigmalloc/host/host.c
+++ b/tests/bigmalloc/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/cppException/CMakeLists.txt b/tests/cppException/CMakeLists.txt
index 2de7366bee..bb81d7a56a 100644
--- a/tests/cppException/CMakeLists.txt
+++ b/tests/cppException/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/cppException/cppException.edl b/tests/cppException/cppException.edl
index 6e6d1c9e11..a95426d4e3 100644
--- a/tests/cppException/cppException.edl
+++ b/tests/cppException/cppException.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/cppException/enc/CMakeLists.txt b/tests/cppException/enc/CMakeLists.txt
index fd7e6b9fa7..fc52730a59 100644
--- a/tests/cppException/enc/CMakeLists.txt
+++ b/tests/cppException/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/cppException/enc/cppException.cpp b/tests/cppException/enc/cppException.cpp
index f3035e21ad..5a172b6bfc 100644
--- a/tests/cppException/enc/cppException.cpp
+++ b/tests/cppException/enc/cppException.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/cppException/enc/enc.cpp b/tests/cppException/enc/enc.cpp
index b4eb137c53..b346cd4f89 100644
--- a/tests/cppException/enc/enc.cpp
+++ b/tests/cppException/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/tests/cppException/host/CMakeLists.txt b/tests/cppException/host/CMakeLists.txt
index 4de7766dfb..52a2041a4b 100644
--- a/tests/cppException/host/CMakeLists.txt
+++ b/tests/cppException/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/cppException/host/host.cpp b/tests/cppException/host/host.cpp
index a8b68e8116..9776ab9755 100644
--- a/tests/cppException/host/host.cpp
+++ b/tests/cppException/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/create-errors/CMakeLists.txt b/tests/create-errors/CMakeLists.txt
index 27a05c815a..b62f36418f 100644
--- a/tests/create-errors/CMakeLists.txt
+++ b/tests/create-errors/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/create-errors/create_errors.edl b/tests/create-errors/create_errors.edl
index baced94d3e..90da019518 100644
--- a/tests/create-errors/create_errors.edl
+++ b/tests/create-errors/create_errors.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/create-errors/enc/CMakeLists.txt b/tests/create-errors/enc/CMakeLists.txt
index 05cd8f4c13..518564220a 100644
--- a/tests/create-errors/enc/CMakeLists.txt
+++ b/tests/create-errors/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/create-errors/enc/enc.c b/tests/create-errors/enc/enc.c
index 6ff54aeb9d..c4663142d4 100644
--- a/tests/create-errors/enc/enc.c
+++ b/tests/create-errors/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/tests/create-errors/host/CMakeLists.txt b/tests/create-errors/host/CMakeLists.txt
index cf74574558..3b7ae6e750 100644
--- a/tests/create-errors/host/CMakeLists.txt
+++ b/tests/create-errors/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/create-errors/host/host.c b/tests/create-errors/host/host.c
index d7ca89df0d..f7b5cb1359 100644
--- a/tests/create-errors/host/host.c
+++ b/tests/create-errors/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/create-rapid/CMakeLists.txt b/tests/create-rapid/CMakeLists.txt
index 098399266f..21cb316bd7 100644
--- a/tests/create-rapid/CMakeLists.txt
+++ b/tests/create-rapid/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/create-rapid/create_rapid.edl b/tests/create-rapid/create_rapid.edl
index 774a1cd025..f913e1e3a4 100644
--- a/tests/create-rapid/create_rapid.edl
+++ b/tests/create-rapid/create_rapid.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/create-rapid/enc/CMakeLists.txt b/tests/create-rapid/enc/CMakeLists.txt
index 094236b622..dc1a41347f 100644
--- a/tests/create-rapid/enc/CMakeLists.txt
+++ b/tests/create-rapid/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/create-rapid/enc/enc.cpp b/tests/create-rapid/enc/enc.cpp
index c069a20d6a..10589abaf5 100644
--- a/tests/create-rapid/enc/enc.cpp
+++ b/tests/create-rapid/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/create-rapid/host/CMakeLists.txt b/tests/create-rapid/host/CMakeLists.txt
index 6e0ac6791c..0780fc372d 100644
--- a/tests/create-rapid/host/CMakeLists.txt
+++ b/tests/create-rapid/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/create-rapid/host/host.cpp b/tests/create-rapid/host/host.cpp
index 7f2256435e..3de07332fb 100644
--- a/tests/create-rapid/host/host.cpp
+++ b/tests/create-rapid/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/crypto/CMakeLists.txt b/tests/crypto/CMakeLists.txt
index 502f1a9c58..53d1dfac7a 100644
--- a/tests/crypto/CMakeLists.txt
+++ b/tests/crypto/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(data)
diff --git a/tests/crypto/asn1_tests.c b/tests/crypto/asn1_tests.c
index dc727c18f8..6b04df2f02 100644
--- a/tests/crypto/asn1_tests.c
+++ b/tests/crypto/asn1_tests.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #if defined(OE_BUILD_ENCLAVE)
diff --git a/tests/crypto/cpu_entropy_test.c b/tests/crypto/cpu_entropy_test.c
index a657b16510..b75ac7db21 100644
--- a/tests/crypto/cpu_entropy_test.c
+++ b/tests/crypto/cpu_entropy_test.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define MAX_LOOP_SIZE 1000
diff --git a/tests/crypto/crl_tests.c b/tests/crypto/crl_tests.c
index 6813b00a16..a971cd220a 100644
--- a/tests/crypto/crl_tests.c
+++ b/tests/crypto/crl_tests.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #if defined(OE_BUILD_ENCLAVE)
diff --git a/tests/crypto/data/CMakeLists.txt b/tests/crypto/data/CMakeLists.txt
index 070632932f..b878bdcef1 100644
--- a/tests/crypto/data/CMakeLists.txt
+++ b/tests/crypto/data/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OS-specific configuration
diff --git a/tests/crypto/data/ec_cert_with_ext.cnf b/tests/crypto/data/ec_cert_with_ext.cnf
index c67e3add00..66374a0d1b 100644
--- a/tests/crypto/data/ec_cert_with_ext.cnf
+++ b/tests/crypto/data/ec_cert_with_ext.cnf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OpenSSL configuration for test CRL generation
diff --git a/tests/crypto/data/ec_crl_distribution.cnf b/tests/crypto/data/ec_crl_distribution.cnf
index c67e3add00..66374a0d1b 100644
--- a/tests/crypto/data/ec_crl_distribution.cnf
+++ b/tests/crypto/data/ec_crl_distribution.cnf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OpenSSL configuration for test CRL generation
diff --git a/tests/crypto/data/intermediate.cnf b/tests/crypto/data/intermediate.cnf
index 65f2f4f197..200302fab2 100644
--- a/tests/crypto/data/intermediate.cnf
+++ b/tests/crypto/data/intermediate.cnf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OpenSSL configuration for test CRL generation
diff --git a/tests/crypto/data/intermediate_v3.ext b/tests/crypto/data/intermediate_v3.ext
index 9694525ffb..8f36350fb9 100644
--- a/tests/crypto/data/intermediate_v3.ext
+++ b/tests/crypto/data/intermediate_v3.ext
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OpenSSL configuration for test CRL generation
diff --git a/tests/crypto/data/make-test-certs b/tests/crypto/data/make-test-certs
index 8c77b19215..7f7660a06f 100755
--- a/tests/crypto/data/make-test-certs
+++ b/tests/crypto/data/make-test-certs
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 set -o errexit
diff --git a/tests/crypto/data/root.cnf b/tests/crypto/data/root.cnf
index 5afdd0eec5..6e4ef1d88a 100644
--- a/tests/crypto/data/root.cnf
+++ b/tests/crypto/data/root.cnf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OpenSSL configuration for test CRL generation
diff --git a/tests/crypto/data/root_v3.ext b/tests/crypto/data/root_v3.ext
index 2d7f3c52ea..f000ae0fd0 100644
--- a/tests/crypto/data/root_v3.ext
+++ b/tests/crypto/data/root_v3.ext
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OpenSSL configuration for test CRL generation
diff --git a/tests/crypto/data/sample.cnf b/tests/crypto/data/sample.cnf
index 528004d31b..203e04e1f4 100644
--- a/tests/crypto/data/sample.cnf
+++ b/tests/crypto/data/sample.cnf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OpenSSL configuration for test CRL generation
diff --git a/tests/crypto/ec_tests.c b/tests/crypto/ec_tests.c
index 2c1b30aa32..6361d56494 100644
--- a/tests/crypto/ec_tests.c
+++ b/tests/crypto/ec_tests.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #if defined(OE_BUILD_ENCLAVE)
diff --git a/tests/crypto/enclave/CMakeLists.txt b/tests/crypto/enclave/CMakeLists.txt
index c9533cd7c5..c88bf81ac2 100644
--- a/tests/crypto/enclave/CMakeLists.txt
+++ b/tests/crypto/enclave/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 if (BUILD_ENCLAVES)
diff --git a/tests/crypto/enclave/crypto.edl b/tests/crypto/enclave/crypto.edl
index c40890c0a9..7edbeff6fb 100644
--- a/tests/crypto/enclave/crypto.edl
+++ b/tests/crypto/enclave/crypto.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/crypto/enclave/enc/CMakeLists.txt b/tests/crypto/enclave/enc/CMakeLists.txt
index 82638f3161..047629bd5a 100644
--- a/tests/crypto/enclave/enc/CMakeLists.txt
+++ b/tests/crypto/enclave/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../crypto.edl enclave gen)
diff --git a/tests/crypto/enclave/enc/enc.c b/tests/crypto/enclave/enc/enc.c
index b11576356d..f552b9aad5 100644
--- a/tests/crypto/enclave/enc/enc.c
+++ b/tests/crypto/enclave/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/tests/crypto/enclave/host/CMakeLists.txt b/tests/crypto/enclave/host/CMakeLists.txt
index d7e3b36b6a..55f0e9b188 100644
--- a/tests/crypto/enclave/host/CMakeLists.txt
+++ b/tests/crypto/enclave/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/crypto/enclave/host/host.c b/tests/crypto/enclave/host/host.c
index 74aec2d1e4..fc3963bd0a 100644
--- a/tests/crypto/enclave/host/host.c
+++ b/tests/crypto/enclave/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/tests/crypto/hash.c b/tests/crypto/hash.c
index 3062815d2a..1b79843161 100644
--- a/tests/crypto/hash.c
+++ b/tests/crypto/hash.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "hash.h"
diff --git a/tests/crypto/hash.h b/tests/crypto/hash.h
index d35f5a5814..22560b7cb0 100644
--- a/tests/crypto/hash.h
+++ b/tests/crypto/hash.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _TESTS_CRYPTO_HASH_H
diff --git a/tests/crypto/hmac_tests.c b/tests/crypto/hmac_tests.c
index 0866553848..b9df1eb931 100644
--- a/tests/crypto/hmac_tests.c
+++ b/tests/crypto/hmac_tests.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #if defined(OE_BUILD_ENCLAVE)
diff --git a/tests/crypto/host/CMakeLists.txt b/tests/crypto/host/CMakeLists.txt
index fa75d83153..128c38d2d0 100644
--- a/tests/crypto/host/CMakeLists.txt
+++ b/tests/crypto/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OS- and TEE-specific source files
diff --git a/tests/crypto/host/main.c b/tests/crypto/host/main.c
index e13315b68a..427a9b2ceb 100644
--- a/tests/crypto/host/main.c
+++ b/tests/crypto/host/main.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/raise.h>
diff --git a/tests/crypto/kdf_tests.c b/tests/crypto/kdf_tests.c
index 1607f160db..de9165d858 100644
--- a/tests/crypto/kdf_tests.c
+++ b/tests/crypto/kdf_tests.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #if defined(OE_BUILD_ENCLAVE)
diff --git a/tests/crypto/random_tests.c b/tests/crypto/random_tests.c
index 8e0b7f5e8b..21167bcb30 100644
--- a/tests/crypto/random_tests.c
+++ b/tests/crypto/random_tests.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #if defined(OE_BUILD_ENCLAVE)
diff --git a/tests/crypto/read_file.c b/tests/crypto/read_file.c
index 913c0a225c..8a0c8a4678 100644
--- a/tests/crypto/read_file.c
+++ b/tests/crypto/read_file.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <ctype.h>
diff --git a/tests/crypto/readfile.h b/tests/crypto/readfile.h
index bc2f2c7bfa..be35fa3c1f 100644
--- a/tests/crypto/readfile.h
+++ b/tests/crypto/readfile.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _READFILE_H_
diff --git a/tests/crypto/rsa_tests.c b/tests/crypto/rsa_tests.c
index b1c8efe677..3938d33336 100644
--- a/tests/crypto/rsa_tests.c
+++ b/tests/crypto/rsa_tests.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #if defined(OE_BUILD_ENCLAVE)
diff --git a/tests/crypto/sha_tests.c b/tests/crypto/sha_tests.c
index 7dfe2c3be8..5d62032cae 100644
--- a/tests/crypto/sha_tests.c
+++ b/tests/crypto/sha_tests.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #if defined(OE_BUILD_ENCLAVE)
diff --git a/tests/crypto/tests.c b/tests/crypto/tests.c
index b3110fa6a1..5f3423cd3d 100644
--- a/tests/crypto/tests.c
+++ b/tests/crypto/tests.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "tests.h"
diff --git a/tests/crypto/tests.h b/tests/crypto/tests.h
index d893d91660..489a2abc55 100644
--- a/tests/crypto/tests.h
+++ b/tests/crypto/tests.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _TESTS_CRYPTO_TESTS_H
diff --git a/tests/crypto/utils.c b/tests/crypto/utils.c
index d5d273e47f..aeaaff2a2d 100644
--- a/tests/crypto/utils.c
+++ b/tests/crypto/utils.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #if defined(OE_BUILD_ENCLAVE)
diff --git a/tests/crypto/utils.h b/tests/crypto/utils.h
index 7719693654..bfde003506 100644
--- a/tests/crypto/utils.h
+++ b/tests/crypto/utils.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _TESTS_CRYPTO_UTILS_H
diff --git a/tests/crypto_crls_cert_chains/CMakeLists.txt b/tests/crypto_crls_cert_chains/CMakeLists.txt
index 359bc3fed1..77b4501d90 100644
--- a/tests/crypto_crls_cert_chains/CMakeLists.txt
+++ b/tests/crypto_crls_cert_chains/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(data)
diff --git a/tests/crypto_crls_cert_chains/common/crypto_crls_cert_chains.edl b/tests/crypto_crls_cert_chains/common/crypto_crls_cert_chains.edl
index 8a9500b1ee..cba6fb589b 100644
--- a/tests/crypto_crls_cert_chains/common/crypto_crls_cert_chains.edl
+++ b/tests/crypto_crls_cert_chains/common/crypto_crls_cert_chains.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/crypto_crls_cert_chains/common/tests.cpp b/tests/crypto_crls_cert_chains/common/tests.cpp
index b9c85e9156..337026d274 100644
--- a/tests/crypto_crls_cert_chains/common/tests.cpp
+++ b/tests/crypto_crls_cert_chains/common/tests.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/cert.h>
diff --git a/tests/crypto_crls_cert_chains/data/CMakeLists.txt b/tests/crypto_crls_cert_chains/data/CMakeLists.txt
index bb09bb231e..82638481df 100644
--- a/tests/crypto_crls_cert_chains/data/CMakeLists.txt
+++ b/tests/crypto_crls_cert_chains/data/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OS-specific configuration
diff --git a/tests/crypto_crls_cert_chains/data/intermediate.cnf b/tests/crypto_crls_cert_chains/data/intermediate.cnf
index a173487473..0895bd1deb 100644
--- a/tests/crypto_crls_cert_chains/data/intermediate.cnf
+++ b/tests/crypto_crls_cert_chains/data/intermediate.cnf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OpenSSL configuration for test CRL generation
diff --git a/tests/crypto_crls_cert_chains/data/intermediate2.cnf b/tests/crypto_crls_cert_chains/data/intermediate2.cnf
index e0366eaba2..fac4ddae78 100644
--- a/tests/crypto_crls_cert_chains/data/intermediate2.cnf
+++ b/tests/crypto_crls_cert_chains/data/intermediate2.cnf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OpenSSL configuration for test CRL generation
diff --git a/tests/crypto_crls_cert_chains/data/intermediate_v3.ext b/tests/crypto_crls_cert_chains/data/intermediate_v3.ext
index 9694525ffb..8f36350fb9 100644
--- a/tests/crypto_crls_cert_chains/data/intermediate_v3.ext
+++ b/tests/crypto_crls_cert_chains/data/intermediate_v3.ext
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OpenSSL configuration for test CRL generation
diff --git a/tests/crypto_crls_cert_chains/data/make-test-certs b/tests/crypto_crls_cert_chains/data/make-test-certs
index a040f401e6..0e46cd200c 100755
--- a/tests/crypto_crls_cert_chains/data/make-test-certs
+++ b/tests/crypto_crls_cert_chains/data/make-test-certs
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 set -o errexit
diff --git a/tests/crypto_crls_cert_chains/data/root.cnf b/tests/crypto_crls_cert_chains/data/root.cnf
index 93add0f165..382716a281 100644
--- a/tests/crypto_crls_cert_chains/data/root.cnf
+++ b/tests/crypto_crls_cert_chains/data/root.cnf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OpenSSL configuration for test CRL generation
diff --git a/tests/crypto_crls_cert_chains/data/root2.cnf b/tests/crypto_crls_cert_chains/data/root2.cnf
index f45b68a4f9..37e4d3f074 100644
--- a/tests/crypto_crls_cert_chains/data/root2.cnf
+++ b/tests/crypto_crls_cert_chains/data/root2.cnf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OpenSSL configuration for test CRL generation
diff --git a/tests/crypto_crls_cert_chains/data/root_v3.ext b/tests/crypto_crls_cert_chains/data/root_v3.ext
index 2d7f3c52ea..f000ae0fd0 100644
--- a/tests/crypto_crls_cert_chains/data/root_v3.ext
+++ b/tests/crypto_crls_cert_chains/data/root_v3.ext
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # OpenSSL configuration for test CRL generation
diff --git a/tests/crypto_crls_cert_chains/enc/CMakeLists.txt b/tests/crypto_crls_cert_chains/enc/CMakeLists.txt
index eb19b57db4..7985fdf596 100644
--- a/tests/crypto_crls_cert_chains/enc/CMakeLists.txt
+++ b/tests/crypto_crls_cert_chains/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../common/crypto_crls_cert_chains.edl enclave gen)
diff --git a/tests/crypto_crls_cert_chains/enc/enc.cpp b/tests/crypto_crls_cert_chains/enc/enc.cpp
index d92a6f5e1d..9d5728f0a6 100644
--- a/tests/crypto_crls_cert_chains/enc/enc.cpp
+++ b/tests/crypto_crls_cert_chains/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include <openenclave/edger8r/enclave.h>
 #include <openenclave/enclave.h>
diff --git a/tests/crypto_crls_cert_chains/host/CMakeLists.txt b/tests/crypto_crls_cert_chains/host/CMakeLists.txt
index 575e60e4e1..f372b92049 100644
--- a/tests/crypto_crls_cert_chains/host/CMakeLists.txt
+++ b/tests/crypto_crls_cert_chains/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../common/crypto_crls_cert_chains.edl host gen)
diff --git a/tests/crypto_crls_cert_chains/host/host.cpp b/tests/crypto_crls_cert_chains/host/host.cpp
index 474abb254e..de1903df81 100644
--- a/tests/crypto_crls_cert_chains/host/host.cpp
+++ b/tests/crypto_crls_cert_chains/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/debug-mode/CMakeLists.txt b/tests/debug-mode/CMakeLists.txt
index 815ac3a479..098e5c0853 100644
--- a/tests/debug-mode/CMakeLists.txt
+++ b/tests/debug-mode/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/debug-mode/debug_mode.edl b/tests/debug-mode/debug_mode.edl
index baced94d3e..90da019518 100644
--- a/tests/debug-mode/debug_mode.edl
+++ b/tests/debug-mode/debug_mode.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/debug-mode/enc/CMakeLists.txt b/tests/debug-mode/enc/CMakeLists.txt
index bf461d80d9..cf89f8f69d 100644
--- a/tests/debug-mode/enc/CMakeLists.txt
+++ b/tests/debug-mode/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/debug-mode/enc/enc.c b/tests/debug-mode/enc/enc.c
index 5b260e105a..a9fea41d2c 100644
--- a/tests/debug-mode/enc/enc.c
+++ b/tests/debug-mode/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/tests/debug-mode/enc/props-debug.c b/tests/debug-mode/enc/props-debug.c
index 6cdce97a28..11dd22a35b 100644
--- a/tests/debug-mode/enc/props-debug.c
+++ b/tests/debug-mode/enc/props-debug.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/debug-mode/enc/props.c b/tests/debug-mode/enc/props.c
index 9051f1e4ca..f5ddb693bd 100644
--- a/tests/debug-mode/enc/props.c
+++ b/tests/debug-mode/enc/props.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/debug-mode/enc/sign-debug.conf b/tests/debug-mode/enc/sign-debug.conf
index 981fd5fe9b..c6af0590eb 100644
--- a/tests/debug-mode/enc/sign-debug.conf
+++ b/tests/debug-mode/enc/sign-debug.conf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enclave settings:
diff --git a/tests/debug-mode/enc/sign.conf b/tests/debug-mode/enc/sign.conf
index 8e40fe2694..2216676b73 100644
--- a/tests/debug-mode/enc/sign.conf
+++ b/tests/debug-mode/enc/sign.conf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enclave settings:
diff --git a/tests/debug-mode/host/CMakeLists.txt b/tests/debug-mode/host/CMakeLists.txt
index 2bdfc0e97a..ecd2042b36 100644
--- a/tests/debug-mode/host/CMakeLists.txt
+++ b/tests/debug-mode/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/debug-mode/host/host.c b/tests/debug-mode/host/host.c
index 3593b65cee..854f1481cf 100644
--- a/tests/debug-mode/host/host.c
+++ b/tests/debug-mode/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/debugger/CMakeLists.txt b/tests/debugger/CMakeLists.txt
index 72618f9ab1..b17e683987 100644
--- a/tests/debugger/CMakeLists.txt
+++ b/tests/debugger/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 string(TOUPPER ${CMAKE_BUILD_TYPE} BUILD_TYPE_UPPER)
diff --git a/tests/debugger/oegdb/CMakeLists.txt b/tests/debugger/oegdb/CMakeLists.txt
index 09356128c3..72b2058e36 100644
--- a/tests/debugger/oegdb/CMakeLists.txt
+++ b/tests/debugger/oegdb/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/debugger/oegdb/commands.gdb b/tests/debugger/oegdb/commands.gdb
index 58c818ef16..0873ede4aa 100644
--- a/tests/debugger/oegdb/commands.gdb
+++ b/tests/debugger/oegdb/commands.gdb
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enable pending breakpoints
diff --git a/tests/debugger/oegdb/enc/CMakeLists.txt b/tests/debugger/oegdb/enc/CMakeLists.txt
index 5d98e3c8b5..1784c0e920 100644
--- a/tests/debugger/oegdb/enc/CMakeLists.txt
+++ b/tests/debugger/oegdb/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/debugger/oegdb/enc/contract.c b/tests/debugger/oegdb/enc/contract.c
index 0ca34464e9..4acf1ee838 100644
--- a/tests/debugger/oegdb/enc/contract.c
+++ b/tests/debugger/oegdb/enc/contract.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/error.h>
diff --git a/tests/debugger/oegdb/enc/enc.c b/tests/debugger/oegdb/enc/enc.c
index 52deac6a01..6186941531 100644
--- a/tests/debugger/oegdb/enc/enc.c
+++ b/tests/debugger/oegdb/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
diff --git a/tests/debugger/oegdb/host/CMakeLists.txt b/tests/debugger/oegdb/host/CMakeLists.txt
index 7c3f1a1014..e5e3b3ddf2 100644
--- a/tests/debugger/oegdb/host/CMakeLists.txt
+++ b/tests/debugger/oegdb/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/debugger/oegdb/host/contract.c b/tests/debugger/oegdb/host/contract.c
index ae5d038263..3b181545cd 100644
--- a/tests/debugger/oegdb/host/contract.c
+++ b/tests/debugger/oegdb/host/contract.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/internal/debugrt/host.h>
diff --git a/tests/debugger/oegdb/host/host.c b/tests/debugger/oegdb/host/host.c
index 67d39c7e7a..babdc4ec65 100644
--- a/tests/debugger/oegdb/host/host.c
+++ b/tests/debugger/oegdb/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/debugger/oegdb/oe_gdb_test.edl b/tests/debugger/oegdb/oe_gdb_test.edl
index 005f15b989..6974313157 100644
--- a/tests/debugger/oegdb/oe_gdb_test.edl
+++ b/tests/debugger/oegdb/oe_gdb_test.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/ecall/CMakeLists.txt b/tests/ecall/CMakeLists.txt
index 3d5f3aacaa..a41e9af776 100644
--- a/tests/ecall/CMakeLists.txt
+++ b/tests/ecall/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/ecall/ecall.edl b/tests/ecall/ecall.edl
index 17327c8b97..fd7de79ee3 100644
--- a/tests/ecall/ecall.edl
+++ b/tests/ecall/ecall.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/ecall/enc/CMakeLists.txt b/tests/ecall/enc/CMakeLists.txt
index 0fffd4a5c6..32808cd52f 100644
--- a/tests/ecall/enc/CMakeLists.txt
+++ b/tests/ecall/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # TODO: Does this need CXX?
diff --git a/tests/ecall/enc/enc.cpp b/tests/ecall/enc/enc.cpp
index a9a345870c..9a6c2bc2f0 100644
--- a/tests/ecall/enc/enc.cpp
+++ b/tests/ecall/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/stdio.h>
diff --git a/tests/ecall/host/CMakeLists.txt b/tests/ecall/host/CMakeLists.txt
index cfc282246b..5af0c03c2a 100644
--- a/tests/ecall/host/CMakeLists.txt
+++ b/tests/ecall/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../ecall.edl host gen)
diff --git a/tests/ecall/host/host.cpp b/tests/ecall/host/host.cpp
index 82f6b3f92c..d506f92bc1 100644
--- a/tests/ecall/host/host.cpp
+++ b/tests/ecall/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/ecall_ocall/CMakeLists.txt b/tests/ecall_ocall/CMakeLists.txt
index dba0219eb4..a2e44d4039 100644
--- a/tests/ecall_ocall/CMakeLists.txt
+++ b/tests/ecall_ocall/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/ecall_ocall/ecall_ocall.edl b/tests/ecall_ocall/ecall_ocall.edl
index 13e30cc829..2130da8cae 100644
--- a/tests/ecall_ocall/ecall_ocall.edl
+++ b/tests/ecall_ocall/ecall_ocall.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/ecall_ocall/enc/CMakeLists.txt b/tests/ecall_ocall/enc/CMakeLists.txt
index 5f7dc7d1c5..a94ae6bc6b 100644
--- a/tests/ecall_ocall/enc/CMakeLists.txt
+++ b/tests/ecall_ocall/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../ecall_ocall.edl enclave gen)
diff --git a/tests/ecall_ocall/enc/enc.cpp b/tests/ecall_ocall/enc/enc.cpp
index ef2cc82609..6065bd926d 100644
--- a/tests/ecall_ocall/enc/enc.cpp
+++ b/tests/ecall_ocall/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/tests/ecall_ocall/enc/helpers.h b/tests/ecall_ocall/enc/helpers.h
index cffedbddf2..c59a8f7cf9 100644
--- a/tests/ecall_ocall/enc/helpers.h
+++ b/tests/ecall_ocall/enc/helpers.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #pragma once
diff --git a/tests/ecall_ocall/host/CMakeLists.txt b/tests/ecall_ocall/host/CMakeLists.txt
index 70c26aab45..cfc1072293 100644
--- a/tests/ecall_ocall/host/CMakeLists.txt
+++ b/tests/ecall_ocall/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../ecall_ocall.edl host gen)
diff --git a/tests/ecall_ocall/host/host.cpp b/tests/ecall_ocall/host/host.cpp
index 79695989ca..bf1288aefa 100644
--- a/tests/ecall_ocall/host/host.cpp
+++ b/tests/ecall_ocall/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include <openenclave/host.h>
 #include <openenclave/internal/error.h>
diff --git a/tests/echo/CMakeLists.txt b/tests/echo/CMakeLists.txt
index 848d6122a8..40b0b00e3a 100644
--- a/tests/echo/CMakeLists.txt
+++ b/tests/echo/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/echo/echo.edl b/tests/echo/echo.edl
index b232178d9d..81ec2facb8 100644
--- a/tests/echo/echo.edl
+++ b/tests/echo/echo.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/echo/enc/CMakeLists.txt b/tests/echo/enc/CMakeLists.txt
index 78c55c2a1a..8a36d36e79 100644
--- a/tests/echo/enc/CMakeLists.txt
+++ b/tests/echo/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/echo/enc/enc.c b/tests/echo/enc/enc.c
index 4be79999d8..15e7424102 100644
--- a/tests/echo/enc/enc.c
+++ b/tests/echo/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/string.h>
diff --git a/tests/echo/host/CMakeLists.txt b/tests/echo/host/CMakeLists.txt
index ec919b9a13..e18982fa3a 100644
--- a/tests/echo/host/CMakeLists.txt
+++ b/tests/echo/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/echo/host/host.c b/tests/echo/host/host.c
index 1b112e9823..0bc362d4b1 100644
--- a/tests/echo/host/host.c
+++ b/tests/echo/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/enclaveparam/CMakeLists.txt b/tests/enclaveparam/CMakeLists.txt
index 3e0ba3fdbc..6a4d325361 100644
--- a/tests/enclaveparam/CMakeLists.txt
+++ b/tests/enclaveparam/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/enclaveparam/enc/CMakeLists.txt b/tests/enclaveparam/enc/CMakeLists.txt
index f422f0fadd..f72d0c2ae7 100644
--- a/tests/enclaveparam/enc/CMakeLists.txt
+++ b/tests/enclaveparam/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/enclaveparam/enc/enc.c b/tests/enclaveparam/enc/enc.c
index 057b2e078f..ba5f1d9d7c 100644
--- a/tests/enclaveparam/enc/enc.c
+++ b/tests/enclaveparam/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/enclaveparam/enclaveparam.edl b/tests/enclaveparam/enclaveparam.edl
index 7d8d32d5a8..82f6a62fd2 100644
--- a/tests/enclaveparam/enclaveparam.edl
+++ b/tests/enclaveparam/enclaveparam.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/enclaveparam/host/CMakeLists.txt b/tests/enclaveparam/host/CMakeLists.txt
index c49842715f..6deae88b81 100644
--- a/tests/enclaveparam/host/CMakeLists.txt
+++ b/tests/enclaveparam/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/enclaveparam/host/host.c b/tests/enclaveparam/host/host.c
index 96bac0ef23..a7a0d67cbc 100644
--- a/tests/enclaveparam/host/host.c
+++ b/tests/enclaveparam/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/file/CMakeLists.txt b/tests/file/CMakeLists.txt
index 0f706a768c..3909e646e3 100644
--- a/tests/file/CMakeLists.txt
+++ b/tests/file/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/file/enc/CMakeLists.txt b/tests/file/enc/CMakeLists.txt
index 5ebede1a89..4baeb06ccd 100644
--- a/tests/file/enc/CMakeLists.txt
+++ b/tests/file/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/file/enc/enc.cpp b/tests/file/enc/enc.cpp
index 58ba183a05..afc2f218a6 100644
--- a/tests/file/enc/enc.cpp
+++ b/tests/file/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/file/file.edl b/tests/file/file.edl
index 8c83da0664..c2ad0bf824 100644
--- a/tests/file/file.edl
+++ b/tests/file/file.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/file/host/CMakeLists.txt b/tests/file/host/CMakeLists.txt
index 9f18b6a93a..84949a1339 100644
--- a/tests/file/host/CMakeLists.txt
+++ b/tests/file/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../file.edl host gen)
diff --git a/tests/file/host/host.cpp b/tests/file/host/host.cpp
index d18fe5b3a0..9a7d180440 100644
--- a/tests/file/host/host.cpp
+++ b/tests/file/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/file/types.h b/tests/file/types.h
index b056c6babc..0762045d59 100644
--- a/tests/file/types.h
+++ b/tests/file/types.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #pragma once
diff --git a/tests/getenclave/CMakeLists.txt b/tests/getenclave/CMakeLists.txt
index 8069ab5134..d24fb02336 100644
--- a/tests/getenclave/CMakeLists.txt
+++ b/tests/getenclave/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/getenclave/enc/CMakeLists.txt b/tests/getenclave/enc/CMakeLists.txt
index 83b7ade62b..1b3eace7af 100644
--- a/tests/getenclave/enc/CMakeLists.txt
+++ b/tests/getenclave/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/getenclave/enc/enc.c b/tests/getenclave/enc/enc.c
index e04de20981..7e9c5d8684 100644
--- a/tests/getenclave/enc/enc.c
+++ b/tests/getenclave/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/getenclave/getenclave.edl b/tests/getenclave/getenclave.edl
index 1523e253ec..dc6f028bf7 100644
--- a/tests/getenclave/getenclave.edl
+++ b/tests/getenclave/getenclave.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/getenclave/host/CMakeLists.txt b/tests/getenclave/host/CMakeLists.txt
index d743cfdacd..79acbbfb37 100644
--- a/tests/getenclave/host/CMakeLists.txt
+++ b/tests/getenclave/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/getenclave/host/host.c b/tests/getenclave/host/host.c
index 5855429d45..0d18a9ab2c 100644
--- a/tests/getenclave/host/host.c
+++ b/tests/getenclave/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/hexdump/CMakeLists.txt b/tests/hexdump/CMakeLists.txt
index 6ecbbff27d..d82dc9cdae 100644
--- a/tests/hexdump/CMakeLists.txt
+++ b/tests/hexdump/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/hexdump/args.h b/tests/hexdump/args.h
index 89c9b8d03a..7eca1cbba6 100644
--- a/tests/hexdump/args.h
+++ b/tests/hexdump/args.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _ARGS_H
diff --git a/tests/hexdump/enc/CMakeLists.txt b/tests/hexdump/enc/CMakeLists.txt
index f9c4f0e5d4..0d155c959d 100644
--- a/tests/hexdump/enc/CMakeLists.txt
+++ b/tests/hexdump/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/hexdump/enc/enc.c b/tests/hexdump/enc/enc.c
index 9bdf1df030..ef50cdde47 100644
--- a/tests/hexdump/enc/enc.c
+++ b/tests/hexdump/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/hexdump/hexdump.edl b/tests/hexdump/hexdump.edl
index fbfc0628ec..27d2523f32 100644
--- a/tests/hexdump/hexdump.edl
+++ b/tests/hexdump/hexdump.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/hexdump/host/CMakeLists.txt b/tests/hexdump/host/CMakeLists.txt
index 5806951923..aa6ababf8e 100644
--- a/tests/hexdump/host/CMakeLists.txt
+++ b/tests/hexdump/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/hexdump/host/host.c b/tests/hexdump/host/host.c
index a5384f4595..175c89f336 100644
--- a/tests/hexdump/host/host.c
+++ b/tests/hexdump/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/host_verify/CMakeLists.txt b/tests/host_verify/CMakeLists.txt
index c4a6057bac..7a88369750 100644
--- a/tests/host_verify/CMakeLists.txt
+++ b/tests/host_verify/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/host_verify/host/CMakeLists.txt b/tests/host_verify/host/CMakeLists.txt
index 2278763aba..fd4703505d 100644
--- a/tests/host_verify/host/CMakeLists.txt
+++ b/tests/host_verify/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_executable(test_host_verify host.cpp)
diff --git a/tests/host_verify/host/host.cpp b/tests/host_verify/host/host.cpp
index 331862d737..fb45124c82 100644
--- a/tests/host_verify/host/host.cpp
+++ b/tests/host_verify/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <fcntl.h>
diff --git a/tests/hostcalls/CMakeLists.txt b/tests/hostcalls/CMakeLists.txt
index 3572546dc1..284eaed5ae 100644
--- a/tests/hostcalls/CMakeLists.txt
+++ b/tests/hostcalls/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/hostcalls/enc/CMakeLists.txt b/tests/hostcalls/enc/CMakeLists.txt
index a95b0b3a03..682103e2de 100644
--- a/tests/hostcalls/enc/CMakeLists.txt
+++ b/tests/hostcalls/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/hostcalls/enc/enc.cpp b/tests/hostcalls/enc/enc.cpp
index 49224e62e5..cfc265d81d 100644
--- a/tests/hostcalls/enc/enc.cpp
+++ b/tests/hostcalls/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/string.h>
diff --git a/tests/hostcalls/host/CMakeLists.txt b/tests/hostcalls/host/CMakeLists.txt
index df0864d499..94136a3f7f 100644
--- a/tests/hostcalls/host/CMakeLists.txt
+++ b/tests/hostcalls/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/hostcalls/host/host.cpp b/tests/hostcalls/host/host.cpp
index 0af106afa6..dfb9e796d7 100644
--- a/tests/hostcalls/host/host.cpp
+++ b/tests/hostcalls/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/hostcalls/hostcalls.edl b/tests/hostcalls/hostcalls.edl
index a1ed57e846..aa9c90037f 100644
--- a/tests/hostcalls/hostcalls.edl
+++ b/tests/hostcalls/hostcalls.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/hostcalls/types.h b/tests/hostcalls/types.h
index 6ce1fe2d3f..85a0bdd576 100644
--- a/tests/hostcalls/types.h
+++ b/tests/hostcalls/types.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #pragma once
diff --git a/tests/initializers/CMakeLists.txt b/tests/initializers/CMakeLists.txt
index ce98f27e39..bef9c30b2b 100644
--- a/tests/initializers/CMakeLists.txt
+++ b/tests/initializers/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/initializers/enc/CMakeLists.txt b/tests/initializers/enc/CMakeLists.txt
index 31d80990e7..8f23c6592c 100644
--- a/tests/initializers/enc/CMakeLists.txt
+++ b/tests/initializers/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/initializers/enc/enc.c b/tests/initializers/enc/enc.c
index b3eb865dd4..3fe497e549 100644
--- a/tests/initializers/enc/enc.c
+++ b/tests/initializers/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/properties.h>
diff --git a/tests/initializers/host/CMakeLists.txt b/tests/initializers/host/CMakeLists.txt
index 97c71d24c1..0a3356c834 100644
--- a/tests/initializers/host/CMakeLists.txt
+++ b/tests/initializers/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../initializers.edl host gen)
diff --git a/tests/initializers/host/host.cpp b/tests/initializers/host/host.cpp
index 00671064ba..2252d9ed32 100644
--- a/tests/initializers/host/host.cpp
+++ b/tests/initializers/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <cstdio>
diff --git a/tests/initializers/initializers.edl b/tests/initializers/initializers.edl
index 54493ac973..f64989be5d 100644
--- a/tests/initializers/initializers.edl
+++ b/tests/initializers/initializers.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/libc/CMakeLists.txt b/tests/libc/CMakeLists.txt
index a5e8717718..effa21bf7e 100644
--- a/tests/libc/CMakeLists.txt
+++ b/tests/libc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/libc/enc/CMakeLists.txt b/tests/libc/enc/CMakeLists.txt
index f9d4356fa5..3c2d41fb7d 100644
--- a/tests/libc/enc/CMakeLists.txt
+++ b/tests/libc/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/libc/enc/enc.c b/tests/libc/enc/enc.c
index dc55985980..790b199468 100644
--- a/tests/libc/enc/enc.c
+++ b/tests/libc/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <dirent.h>
diff --git a/tests/libc/enc/include.c.in b/tests/libc/enc/include.c.in
index ee36771d01..b9dc7e305c 100644
--- a/tests/libc/enc/include.c.in
+++ b/tests/libc/enc/include.c.in
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // This is a template used by CMake.
diff --git a/tests/libc/enc/tests.c.in b/tests/libc/enc/tests.c.in
index 0866eb76de..631e912633 100644
--- a/tests/libc/enc/tests.c.in
+++ b/tests/libc/enc/tests.c.in
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // This is a template used by CMake.
diff --git a/tests/libc/host/CMakeLists.txt b/tests/libc/host/CMakeLists.txt
index 0d37c61869..fcb1f14844 100644
--- a/tests/libc/host/CMakeLists.txt
+++ b/tests/libc/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/libc/host/host.cpp b/tests/libc/host/host.cpp
index 458bb96b0c..a327264a39 100644
--- a/tests/libc/host/host.cpp
+++ b/tests/libc/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/libc/libc.edl b/tests/libc/libc.edl
index baced94d3e..90da019518 100644
--- a/tests/libc/libc.edl
+++ b/tests/libc/libc.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/libc/tests.all b/tests/libc/tests.all
index b05f22d3a3..42305aac72 100644
--- a/tests/libc/tests.all
+++ b/tests/libc/tests.all
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 3rdparty/musl/libc-test/src/api/main.c
diff --git a/tests/libc/tests.cmake b/tests/libc/tests.cmake
index ff22892220..2706ae7f30 100644
--- a/tests/libc/tests.cmake
+++ b/tests/libc/tests.cmake
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 string(TOUPPER ${CMAKE_BUILD_TYPE} BUILD_TYPE)
diff --git a/tests/libc/tests.supported.gcc b/tests/libc/tests.supported.gcc
index e95892c7f2..7ff3710445 100644
--- a/tests/libc/tests.supported.gcc
+++ b/tests/libc/tests.supported.gcc
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # The following tests need to be skipped when built with Clang using these cmake flags.
diff --git a/tests/libcxx/CMakeLists.txt b/tests/libcxx/CMakeLists.txt
index 6bbec32dfe..5cf4f1f8b7 100644
--- a/tests/libcxx/CMakeLists.txt
+++ b/tests/libcxx/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # read tests.supported, sanitize the cpp-file, and create the test-case
diff --git a/tests/libcxx/enc/CMakeLists.txt b/tests/libcxx/enc/CMakeLists.txt
index 040ec9defc..50c0a21f38 100644
--- a/tests/libcxx/enc/CMakeLists.txt
+++ b/tests/libcxx/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # create a binary for each testcase listed in ../tests.supported
diff --git a/tests/libcxx/enc/enc.cpp b/tests/libcxx/enc/enc.cpp
index 284cb302b0..0214493d5a 100644
--- a/tests/libcxx/enc/enc.cpp
+++ b/tests/libcxx/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/tests/libcxx/enc/fuzzing.cpp b/tests/libcxx/enc/fuzzing.cpp
index e2db62e0cc..690eb089f2 100644
--- a/tests/libcxx/enc/fuzzing.cpp
+++ b/tests/libcxx/enc/fuzzing.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../../../3rdparty/libcxx/libcxx/fuzzing/fuzzing.cpp"
diff --git a/tests/libcxx/enc/main.cpp b/tests/libcxx/enc/main.cpp
index 205f60e3c3..385cc81cda 100644
--- a/tests/libcxx/enc/main.cpp
+++ b/tests/libcxx/enc/main.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // This file exists so that each test has its own copy of
diff --git a/tests/libcxx/enc/memory_resource.cpp b/tests/libcxx/enc/memory_resource.cpp
index de8f99a31d..ac0c050e5d 100644
--- a/tests/libcxx/enc/memory_resource.cpp
+++ b/tests/libcxx/enc/memory_resource.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../../../3rdparty/libcxx/libcxx/src/experimental/memory_resource.cpp"
diff --git a/tests/libcxx/host/CMakeLists.txt b/tests/libcxx/host/CMakeLists.txt
index bc7f28e9fa..f4329f4850 100644
--- a/tests/libcxx/host/CMakeLists.txt
+++ b/tests/libcxx/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../libcxx.edl host gen)
diff --git a/tests/libcxx/host/host.cpp b/tests/libcxx/host/host.cpp
index f7365a8085..694152550f 100644
--- a/tests/libcxx/host/host.cpp
+++ b/tests/libcxx/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/libcxx/host/threadArgs.h b/tests/libcxx/host/threadArgs.h
index 47137676e5..7937196855 100644
--- a/tests/libcxx/host/threadArgs.h
+++ b/tests/libcxx/host/threadArgs.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _THREAD_ARGS_H
diff --git a/tests/libcxx/libcxx.edl b/tests/libcxx/libcxx.edl
index 092cf94568..fab42b80d7 100644
--- a/tests/libcxx/libcxx.edl
+++ b/tests/libcxx/libcxx.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/libcxxrt/CMakeLists.txt b/tests/libcxxrt/CMakeLists.txt
index 7ba5d6fae9..de360a5cf7 100644
--- a/tests/libcxxrt/CMakeLists.txt
+++ b/tests/libcxxrt/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/libcxxrt/enc/CMakeLists.txt b/tests/libcxxrt/enc/CMakeLists.txt
index 646f0b70da..c4fe54bd50 100644
--- a/tests/libcxxrt/enc/CMakeLists.txt
+++ b/tests/libcxxrt/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/libcxxrt/enc/enc.cpp b/tests/libcxxrt/enc/enc.cpp
index 05206f608b..634312c8bc 100644
--- a/tests/libcxxrt/enc/enc.cpp
+++ b/tests/libcxxrt/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /*
diff --git a/tests/libcxxrt/enc/main.cpp b/tests/libcxxrt/enc/main.cpp
index 7365181f16..e70e480505 100644
--- a/tests/libcxxrt/enc/main.cpp
+++ b/tests/libcxxrt/enc/main.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 const char* __TEST__NAME = __TEST__;
diff --git a/tests/libcxxrt/enc/test.cpp b/tests/libcxxrt/enc/test.cpp
index 034fdcbfa4..a950167807 100644
--- a/tests/libcxxrt/enc/test.cpp
+++ b/tests/libcxxrt/enc/test.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /*
diff --git a/tests/libcxxrt/enc/test_exception.cpp b/tests/libcxxrt/enc/test_exception.cpp
index cda50c40bd..06aa0fff29 100644
--- a/tests/libcxxrt/enc/test_exception.cpp
+++ b/tests/libcxxrt/enc/test_exception.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../../../3rdparty/libcxxrt/libcxxrt/test/test_exception.cc"
diff --git a/tests/libcxxrt/enc/test_foreign_exceptions.cpp b/tests/libcxxrt/enc/test_foreign_exceptions.cpp
index e54d1d191d..191e9e8cd8 100644
--- a/tests/libcxxrt/enc/test_foreign_exceptions.cpp
+++ b/tests/libcxxrt/enc/test_foreign_exceptions.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../../../3rdparty/libcxxrt/libcxxrt/test/test_foreign_exceptions.cc"
diff --git a/tests/libcxxrt/enc/test_guard.cpp b/tests/libcxxrt/enc/test_guard.cpp
index 0a6e5fa0ed..4313ff196f 100644
--- a/tests/libcxxrt/enc/test_guard.cpp
+++ b/tests/libcxxrt/enc/test_guard.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../../../3rdparty/libcxxrt/libcxxrt/test/test_guard.cc"
diff --git a/tests/libcxxrt/enc/test_typeinfo.cpp b/tests/libcxxrt/enc/test_typeinfo.cpp
index 37cfdf1e09..ea9667d9bb 100644
--- a/tests/libcxxrt/enc/test_typeinfo.cpp
+++ b/tests/libcxxrt/enc/test_typeinfo.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../../../3rdparty/libcxxrt/libcxxrt/test/test_typeinfo.cc"
diff --git a/tests/libcxxrt/host/CMakeLists.txt b/tests/libcxxrt/host/CMakeLists.txt
index 1cc3e7a49e..15c49ba7e8 100644
--- a/tests/libcxxrt/host/CMakeLists.txt
+++ b/tests/libcxxrt/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/libcxxrt/host/host.cpp b/tests/libcxxrt/host/host.cpp
index bd47f90bd2..f633e68bd5 100644
--- a/tests/libcxxrt/host/host.cpp
+++ b/tests/libcxxrt/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /*
diff --git a/tests/libcxxrt/host/ocalls.h b/tests/libcxxrt/host/ocalls.h
index 2e09bc475e..785131511d 100644
--- a/tests/libcxxrt/host/ocalls.h
+++ b/tests/libcxxrt/host/ocalls.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _RUNTEST_OCALLS_H
diff --git a/tests/libcxxrt/libcxxrt.edl b/tests/libcxxrt/libcxxrt.edl
index f34c024c74..234fca016f 100644
--- a/tests/libcxxrt/libcxxrt.edl
+++ b/tests/libcxxrt/libcxxrt.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/libcxxrt/run.bat b/tests/libcxxrt/run.bat
index 54627962a5..7847d70ee0 100644
--- a/tests/libcxxrt/run.bat
+++ b/tests/libcxxrt/run.bat
@@ -1,4 +1,4 @@
-:: Copyright (c) Microsoft Corporation. All rights reserved.
+:: Copyright (c) Open Enclave SDK contributors.
 :: Licensed under the MIT License.
 @echo off
 echo %1 
diff --git a/tests/libunwind/CMakeLists.txt b/tests/libunwind/CMakeLists.txt
index cf2ec8ff0d..31c3fdad93 100644
--- a/tests/libunwind/CMakeLists.txt
+++ b/tests/libunwind/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # read tests.supported, sanitize the c-file, and create the test-case
diff --git a/tests/libunwind/enc/CMakeLists.txt b/tests/libunwind/enc/CMakeLists.txt
index 03b2b476ec..dcdadf923f 100644
--- a/tests/libunwind/enc/CMakeLists.txt
+++ b/tests/libunwind/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Create a binary for each testcase listed in ../tests.supported
diff --git a/tests/libunwind/enc/clang_varargs_extra.h b/tests/libunwind/enc/clang_varargs_extra.h
index 102d372649..b67a03e79c 100644
--- a/tests/libunwind/enc/clang_varargs_extra.h
+++ b/tests/libunwind/enc/clang_varargs_extra.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // Provide forward declarations of functions in libunwind test suite
diff --git a/tests/libunwind/enc/enc.c b/tests/libunwind/enc/enc.c
index 6042dfce7a..5257625460 100644
--- a/tests/libunwind/enc/enc.c
+++ b/tests/libunwind/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <errno.h>
diff --git a/tests/libunwind/enc/pid.h b/tests/libunwind/enc/pid.h
index de970921d7..621a083a59 100644
--- a/tests/libunwind/enc/pid.h
+++ b/tests/libunwind/enc/pid.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_TESTS_LIBUNWIND_ENC_PID_H
diff --git a/tests/libunwind/enc/test_support.c b/tests/libunwind/enc/test_support.c
index c2cadc3d3b..0f56f60cb1 100644
--- a/tests/libunwind/enc/test_support.c
+++ b/tests/libunwind/enc/test_support.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <stdint.h>
diff --git a/tests/libunwind/host/CMakeLists.txt b/tests/libunwind/host/CMakeLists.txt
index a5772db299..dcc0a9e9e4 100644
--- a/tests/libunwind/host/CMakeLists.txt
+++ b/tests/libunwind/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/libunwind/host/host.cpp b/tests/libunwind/host/host.cpp
index f0d957da76..fa1adb550a 100644
--- a/tests/libunwind/host/host.cpp
+++ b/tests/libunwind/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/libunwind/libunwind.edl b/tests/libunwind/libunwind.edl
index b200168ca3..515c161e8e 100644
--- a/tests/libunwind/libunwind.edl
+++ b/tests/libunwind/libunwind.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/logging/CMakeLists.txt b/tests/logging/CMakeLists.txt
index 7a8ca897e0..2562003596 100644
--- a/tests/logging/CMakeLists.txt
+++ b/tests/logging/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_executable(logging main.c)
diff --git a/tests/logging/main.c b/tests/logging/main.c
index 63e01c3c62..e32cf32457 100644
--- a/tests/logging/main.c
+++ b/tests/logging/main.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define PTHREAD_RECURSIVE_MUTEX_INITIALIZER_NP \
diff --git a/tests/mbed/CMakeLists.txt b/tests/mbed/CMakeLists.txt
index c0344f7ccb..eb02f8ca8e 100644
--- a/tests/mbed/CMakeLists.txt
+++ b/tests/mbed/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # read tests.supported, sanitize the cpp-file, and create the test-case
diff --git a/tests/mbed/enc/CMakeLists.txt b/tests/mbed/enc/CMakeLists.txt
index b934f3bbff..e6b9432e31 100644
--- a/tests/mbed/enc/CMakeLists.txt
+++ b/tests/mbed/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # >> In one of the test "ssl" we are using a variable called new which is a function in C++
diff --git a/tests/mbed/enc/enc.c b/tests/mbed/enc/enc.c
index f9faa87871..21f8593d87 100644
--- a/tests/mbed/enc/enc.c
+++ b/tests/mbed/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/tests/mbed/enc/selftest_wrapper.c b/tests/mbed/enc/selftest_wrapper.c
index 4d79e9d136..e615fbd2b8 100644
--- a/tests/mbed/enc/selftest_wrapper.c
+++ b/tests/mbed/enc/selftest_wrapper.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/stdio.h>
diff --git a/tests/mbed/host/CMakeLists.txt b/tests/mbed/host/CMakeLists.txt
index 20dea9a196..07f9ad8355 100644
--- a/tests/mbed/host/CMakeLists.txt
+++ b/tests/mbed/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/mbed/host/host.c b/tests/mbed/host/host.c
index 4aa78b21ea..be003684d9 100644
--- a/tests/mbed/host/host.c
+++ b/tests/mbed/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/mbed/host/ocalls.c b/tests/mbed/host/ocalls.c
index 1202945c20..9dce7d2581 100644
--- a/tests/mbed/host/ocalls.c
+++ b/tests/mbed/host/ocalls.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/tests/mbed/mbed.edl b/tests/mbed/mbed.edl
index 9ae5a4c174..c99ab30170 100644
--- a/tests/mbed/mbed.edl
+++ b/tests/mbed/mbed.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/mbed/myfileio.h b/tests/mbed/myfileio.h
index 6032f09914..322e50fd99 100644
--- a/tests/mbed/myfileio.h
+++ b/tests/mbed/myfileio.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef TEST_MBED_MYFILEIO_H
diff --git a/tests/mem/CMakeLists.txt b/tests/mem/CMakeLists.txt
index e72861b4c2..cdc4b3ee54 100644
--- a/tests/mem/CMakeLists.txt
+++ b/tests/mem/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_executable(mem main.c)
diff --git a/tests/mem/main.c b/tests/mem/main.c
index eebc00947a..9e8f322b77 100644
--- a/tests/mem/main.c
+++ b/tests/mem/main.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define MEM_MIN_CAP 1
diff --git a/tests/memory/CMakeLists.txt b/tests/memory/CMakeLists.txt
index a2b8a6c169..cb3b2aafb2 100644
--- a/tests/memory/CMakeLists.txt
+++ b/tests/memory/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/memory/enc/CMakeLists.txt b/tests/memory/enc/CMakeLists.txt
index 6c9b48e5d3..40560818d1 100644
--- a/tests/memory/enc/CMakeLists.txt
+++ b/tests/memory/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/memory/enc/basic.c b/tests/memory/enc/basic.c
index 548014e6a2..953343c36e 100644
--- a/tests/memory/enc/basic.c
+++ b/tests/memory/enc/basic.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/memory/enc/boundaries.c b/tests/memory/enc/boundaries.c
index 335ab22cb7..808dafadd2 100644
--- a/tests/memory/enc/boundaries.c
+++ b/tests/memory/enc/boundaries.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/memory/enc/enc.c b/tests/memory/enc/enc.c
index ecb68cd0fe..465d788e75 100644
--- a/tests/memory/enc/enc.c
+++ b/tests/memory/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/properties.h>
diff --git a/tests/memory/enc/stress.c b/tests/memory/enc/stress.c
index 85fca88a38..45a108a67d 100644
--- a/tests/memory/enc/stress.c
+++ b/tests/memory/enc/stress.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/memory/host/CMakeLists.txt b/tests/memory/host/CMakeLists.txt
index 5455c4191e..82e69abd46 100644
--- a/tests/memory/host/CMakeLists.txt
+++ b/tests/memory/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/memory/host/host.cpp b/tests/memory/host/host.cpp
index ab1d5f3840..4883fb2f91 100644
--- a/tests/memory/host/host.cpp
+++ b/tests/memory/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <cstdio>
diff --git a/tests/memory/memory.edl b/tests/memory/memory.edl
index 7cdcb64918..3a259a640a 100644
--- a/tests/memory/memory.edl
+++ b/tests/memory/memory.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/mixed_c_cpp/CMakeLists.txt b/tests/mixed_c_cpp/CMakeLists.txt
index 64a82f487a..41ae97e1af 100644
--- a/tests/mixed_c_cpp/CMakeLists.txt
+++ b/tests/mixed_c_cpp/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/mixed_c_cpp/enc/CMakeLists.txt b/tests/mixed_c_cpp/enc/CMakeLists.txt
index 0d645bfbe5..5b1c59741a 100644
--- a/tests/mixed_c_cpp/enc/CMakeLists.txt
+++ b/tests/mixed_c_cpp/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/mixed_c_cpp/enc/enc.cpp b/tests/mixed_c_cpp/enc/enc.cpp
index 435964823a..ae86704459 100644
--- a/tests/mixed_c_cpp/enc/enc.cpp
+++ b/tests/mixed_c_cpp/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/mixed_c_cpp/enc/foo.c b/tests/mixed_c_cpp/enc/foo.c
index 0d77fcdf3f..6e955d6ce5 100644
--- a/tests/mixed_c_cpp/enc/foo.c
+++ b/tests/mixed_c_cpp/enc/foo.c
@@ -1,5 +1,5 @@
 
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <stddef.h>
diff --git a/tests/mixed_c_cpp/host/CMakeLists.txt b/tests/mixed_c_cpp/host/CMakeLists.txt
index 6a3c2f8325..8cb448a04a 100644
--- a/tests/mixed_c_cpp/host/CMakeLists.txt
+++ b/tests/mixed_c_cpp/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../mixed.edl host gen)
diff --git a/tests/mixed_c_cpp/host/host.cpp b/tests/mixed_c_cpp/host/host.cpp
index a723ddc118..4b48e0447a 100644
--- a/tests/mixed_c_cpp/host/host.cpp
+++ b/tests/mixed_c_cpp/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/mixed_c_cpp/mixed.edl b/tests/mixed_c_cpp/mixed.edl
index 36aaa4f2b5..9befc67855 100644
--- a/tests/mixed_c_cpp/mixed.edl
+++ b/tests/mixed_c_cpp/mixed.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/ocall-create/CMakeLists.txt b/tests/ocall-create/CMakeLists.txt
index 5a568120da..9f244d4d5f 100644
--- a/tests/ocall-create/CMakeLists.txt
+++ b/tests/ocall-create/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/ocall-create/enc/CMakeLists.txt b/tests/ocall-create/enc/CMakeLists.txt
index c765017b5f..6687357ffe 100644
--- a/tests/ocall-create/enc/CMakeLists.txt
+++ b/tests/ocall-create/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../ocall_create.edl enclave gen)
diff --git a/tests/ocall-create/enc/enc.c b/tests/ocall-create/enc/enc.c
index 40cf13ba46..d4a3f723b6 100644
--- a/tests/ocall-create/enc/enc.c
+++ b/tests/ocall-create/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/tests/ocall-create/host/CMakeLists.txt b/tests/ocall-create/host/CMakeLists.txt
index d35332025a..1039c6eb17 100644
--- a/tests/ocall-create/host/CMakeLists.txt
+++ b/tests/ocall-create/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../ocall_create.edl host gen)
diff --git a/tests/ocall-create/host/host.c b/tests/ocall-create/host/host.c
index 9c49ee5930..07d3feae26 100644
--- a/tests/ocall-create/host/host.c
+++ b/tests/ocall-create/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/ocall-create/ocall_create.edl b/tests/ocall-create/ocall_create.edl
index 76f7bbca22..30f95b07ed 100644
--- a/tests/ocall-create/ocall_create.edl
+++ b/tests/ocall-create/ocall_create.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/ocall/CMakeLists.txt b/tests/ocall/CMakeLists.txt
index 6480dcaeb0..de09db8e15 100644
--- a/tests/ocall/CMakeLists.txt
+++ b/tests/ocall/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/ocall/enc/CMakeLists.txt b/tests/ocall/enc/CMakeLists.txt
index a5c9c1feac..88150759c7 100644
--- a/tests/ocall/enc/CMakeLists.txt
+++ b/tests/ocall/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../ocall.edl enclave gen)
diff --git a/tests/ocall/enc/enc.cpp b/tests/ocall/enc/enc.cpp
index 15b1578233..6290ed98f8 100644
--- a/tests/ocall/enc/enc.cpp
+++ b/tests/ocall/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/string.h>
diff --git a/tests/ocall/host/CMakeLists.txt b/tests/ocall/host/CMakeLists.txt
index 0f855a7cf7..8b5d7459ed 100644
--- a/tests/ocall/host/CMakeLists.txt
+++ b/tests/ocall/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../ocall.edl host gen)
diff --git a/tests/ocall/host/host.cpp b/tests/ocall/host/host.cpp
index a88c1a5d47..6efd018e5c 100644
--- a/tests/ocall/host/host.cpp
+++ b/tests/ocall/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/ocall/ocall.edl b/tests/ocall/ocall.edl
index 109d7a966e..5a1780de2c 100644
--- a/tests/ocall/ocall.edl
+++ b/tests/ocall/ocall.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/CMakeLists.txt b/tests/oeedger8r/CMakeLists.txt
index a44b2fd84a..a093e0d447 100644
--- a/tests/oeedger8r/CMakeLists.txt
+++ b/tests/oeedger8r/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/oeedger8r/behavior/CMakeLists.txt b/tests/oeedger8r/behavior/CMakeLists.txt
index 6df0644a13..45294f83a5 100644
--- a/tests/oeedger8r/behavior/CMakeLists.txt
+++ b/tests/oeedger8r/behavior/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 set(EDGER8R_ARGS --header-only --search-path ${CMAKE_CURRENT_SOURCE_DIR})
diff --git a/tests/oeedger8r/behavior/allow_list.edl b/tests/oeedger8r/behavior/allow_list.edl
index da911a75e1..beefdcb517 100644
--- a/tests/oeedger8r/behavior/allow_list.edl
+++ b/tests/oeedger8r/behavior/allow_list.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/behavior/count_signedness.edl b/tests/oeedger8r/behavior/count_signedness.edl
index b7bc9a6ceb..ed1422affa 100644
--- a/tests/oeedger8r/behavior/count_signedness.edl
+++ b/tests/oeedger8r/behavior/count_signedness.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/behavior/deepcopy_value.edl b/tests/oeedger8r/behavior/deepcopy_value.edl
index 94f87e66ad..546609ddc4 100644
--- a/tests/oeedger8r/behavior/deepcopy_value.edl
+++ b/tests/oeedger8r/behavior/deepcopy_value.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/behavior/portability.edl b/tests/oeedger8r/behavior/portability.edl
index 3cae9c4d85..2103664b9e 100644
--- a/tests/oeedger8r/behavior/portability.edl
+++ b/tests/oeedger8r/behavior/portability.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/behavior/private_trusted.edl b/tests/oeedger8r/behavior/private_trusted.edl
index 01d02f305f..90b3565b3a 100644
--- a/tests/oeedger8r/behavior/private_trusted.edl
+++ b/tests/oeedger8r/behavior/private_trusted.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/behavior/size_and_count.edl b/tests/oeedger8r/behavior/size_and_count.edl
index 3c96ecaa85..c33e8a2977 100644
--- a/tests/oeedger8r/behavior/size_and_count.edl
+++ b/tests/oeedger8r/behavior/size_and_count.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/behavior/size_signedness.edl b/tests/oeedger8r/behavior/size_signedness.edl
index 10cf2c25e8..7d5121708d 100644
--- a/tests/oeedger8r/behavior/size_signedness.edl
+++ b/tests/oeedger8r/behavior/size_signedness.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/behavior/switchless_trusted.edl b/tests/oeedger8r/behavior/switchless_trusted.edl
index 157d13c3d3..0e8392817f 100644
--- a/tests/oeedger8r/behavior/switchless_trusted.edl
+++ b/tests/oeedger8r/behavior/switchless_trusted.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/edl/aliasing.edl b/tests/oeedger8r/edl/aliasing.edl
index a497e40fe0..c60d308833 100644
--- a/tests/oeedger8r/edl/aliasing.edl
+++ b/tests/oeedger8r/edl/aliasing.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/edl/all.edl b/tests/oeedger8r/edl/all.edl
index 33c983bdce..d77a21c87c 100644
--- a/tests/oeedger8r/edl/all.edl
+++ b/tests/oeedger8r/edl/all.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave  {
diff --git a/tests/oeedger8r/edl/array.edl b/tests/oeedger8r/edl/array.edl
index c32e8cad28..76a43a2928 100644
--- a/tests/oeedger8r/edl/array.edl
+++ b/tests/oeedger8r/edl/array.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave  {
diff --git a/tests/oeedger8r/edl/basic.edl b/tests/oeedger8r/edl/basic.edl
index ff852bdfba..45f3e4049e 100644
--- a/tests/oeedger8r/edl/basic.edl
+++ b/tests/oeedger8r/edl/basic.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave  {
diff --git a/tests/oeedger8r/edl/deepcopy.edl b/tests/oeedger8r/edl/deepcopy.edl
index ec3b85ec99..cdf4e8918e 100644
--- a/tests/oeedger8r/edl/deepcopy.edl
+++ b/tests/oeedger8r/edl/deepcopy.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/edl/enum.edl b/tests/oeedger8r/edl/enum.edl
index eeeb86d057..5559b1d1ca 100644
--- a/tests/oeedger8r/edl/enum.edl
+++ b/tests/oeedger8r/edl/enum.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave  {
diff --git a/tests/oeedger8r/edl/errno.edl b/tests/oeedger8r/edl/errno.edl
index bd8ca69a24..341a9ce178 100644
--- a/tests/oeedger8r/edl/errno.edl
+++ b/tests/oeedger8r/edl/errno.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/edl/foreign.edl b/tests/oeedger8r/edl/foreign.edl
index b86d3f9112..b07bb5079b 100644
--- a/tests/oeedger8r/edl/foreign.edl
+++ b/tests/oeedger8r/edl/foreign.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave  {
diff --git a/tests/oeedger8r/edl/other.edl b/tests/oeedger8r/edl/other.edl
index 838742e184..92dbe020d4 100644
--- a/tests/oeedger8r/edl/other.edl
+++ b/tests/oeedger8r/edl/other.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/edl/pointer.edl b/tests/oeedger8r/edl/pointer.edl
index 34e37023c7..6c44f0cd3e 100644
--- a/tests/oeedger8r/edl/pointer.edl
+++ b/tests/oeedger8r/edl/pointer.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/edl/string.edl b/tests/oeedger8r/edl/string.edl
index b6689da863..05aa881e75 100644
--- a/tests/oeedger8r/edl/string.edl
+++ b/tests/oeedger8r/edl/string.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/edl/struct.edl b/tests/oeedger8r/edl/struct.edl
index 2f980e9736..be26eef6b9 100644
--- a/tests/oeedger8r/edl/struct.edl
+++ b/tests/oeedger8r/edl/struct.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/edl/switchless.edl b/tests/oeedger8r/edl/switchless.edl
index 4c28af03ba..a29797bb70 100644
--- a/tests/oeedger8r/edl/switchless.edl
+++ b/tests/oeedger8r/edl/switchless.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/oeedger8r/edltestutils.h b/tests/oeedger8r/edltestutils.h
index 57aa7627e1..7b36887c81 100644
--- a/tests/oeedger8r/edltestutils.h
+++ b/tests/oeedger8r/edltestutils.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #pragma once
diff --git a/tests/oeedger8r/enc/CMakeLists.txt b/tests/oeedger8r/enc/CMakeLists.txt
index 0a73fd3652..118f408f03 100644
--- a/tests/oeedger8r/enc/CMakeLists.txt
+++ b/tests/oeedger8r/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_custom_command(
diff --git a/tests/oeedger8r/enc/bar.cpp b/tests/oeedger8r/enc/bar.cpp
index cea440cae2..bfd9272c54 100644
--- a/tests/oeedger8r/enc/bar.cpp
+++ b/tests/oeedger8r/enc/bar.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include "bar_t.h"
 
diff --git a/tests/oeedger8r/enc/config.cpp b/tests/oeedger8r/enc/config.cpp
index 9b80527886..3e24775b41 100644
--- a/tests/oeedger8r/enc/config.cpp
+++ b/tests/oeedger8r/enc/config.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include <openenclave/internal/tests.h>
 #include <stdio.h>
diff --git a/tests/oeedger8r/enc/foo.cpp b/tests/oeedger8r/enc/foo.cpp
index 008acd6a03..ee78600ece 100644
--- a/tests/oeedger8r/enc/foo.cpp
+++ b/tests/oeedger8r/enc/foo.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include "all_t.h"
 
diff --git a/tests/oeedger8r/enc/testaliasing.cpp b/tests/oeedger8r/enc/testaliasing.cpp
index 5f95487be3..50fa96c4f2 100644
--- a/tests/oeedger8r/enc/testaliasing.cpp
+++ b/tests/oeedger8r/enc/testaliasing.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <cstddef>
diff --git a/tests/oeedger8r/enc/testarray.cpp b/tests/oeedger8r/enc/testarray.cpp
index b0b0b52900..dcf5d78cc6 100644
--- a/tests/oeedger8r/enc/testarray.cpp
+++ b/tests/oeedger8r/enc/testarray.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/enc/testbasic.cpp b/tests/oeedger8r/enc/testbasic.cpp
index cf4faf47e9..93a1babed6 100644
--- a/tests/oeedger8r/enc/testbasic.cpp
+++ b/tests/oeedger8r/enc/testbasic.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/enc/testdeepcopy.cpp b/tests/oeedger8r/enc/testdeepcopy.cpp
index 0d9d3dfd24..6e4c3db300 100644
--- a/tests/oeedger8r/enc/testdeepcopy.cpp
+++ b/tests/oeedger8r/enc/testdeepcopy.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/enc/testenum.cpp b/tests/oeedger8r/enc/testenum.cpp
index 5caf582768..ba13ab2da4 100644
--- a/tests/oeedger8r/enc/testenum.cpp
+++ b/tests/oeedger8r/enc/testenum.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/enc/testerrno.cpp b/tests/oeedger8r/enc/testerrno.cpp
index a330683d76..bd61020838 100644
--- a/tests/oeedger8r/enc/testerrno.cpp
+++ b/tests/oeedger8r/enc/testerrno.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/enc/testforeign.cpp b/tests/oeedger8r/enc/testforeign.cpp
index 427b58b763..9decd3d282 100644
--- a/tests/oeedger8r/enc/testforeign.cpp
+++ b/tests/oeedger8r/enc/testforeign.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/enc/testmisc.cpp b/tests/oeedger8r/enc/testmisc.cpp
index b087894efd..a7015d38ff 100644
--- a/tests/oeedger8r/enc/testmisc.cpp
+++ b/tests/oeedger8r/enc/testmisc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "all_t.h"
diff --git a/tests/oeedger8r/enc/testother.cpp b/tests/oeedger8r/enc/testother.cpp
index 6866f0049b..30e423c553 100644
--- a/tests/oeedger8r/enc/testother.cpp
+++ b/tests/oeedger8r/enc/testother.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/enc/testpointer.cpp b/tests/oeedger8r/enc/testpointer.cpp
index cc32abb3c7..d4b21c250b 100644
--- a/tests/oeedger8r/enc/testpointer.cpp
+++ b/tests/oeedger8r/enc/testpointer.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/enc/teststring.cpp b/tests/oeedger8r/enc/teststring.cpp
index 18e5947e74..03578cc56e 100644
--- a/tests/oeedger8r/enc/teststring.cpp
+++ b/tests/oeedger8r/enc/teststring.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/enc/teststruct.cpp b/tests/oeedger8r/enc/teststruct.cpp
index f218f5416a..04dd58d8d7 100644
--- a/tests/oeedger8r/enc/teststruct.cpp
+++ b/tests/oeedger8r/enc/teststruct.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/enc/testswitchless.cpp b/tests/oeedger8r/enc/testswitchless.cpp
index 32994bff68..ec95ccdb86 100644
--- a/tests/oeedger8r/enc/testswitchless.cpp
+++ b/tests/oeedger8r/enc/testswitchless.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include <openenclave/enclave.h>
 #include <openenclave/internal/tests.h>
diff --git a/tests/oeedger8r/host/CMakeLists.txt b/tests/oeedger8r/host/CMakeLists.txt
index abf73f50cd..5acd4d8246 100644
--- a/tests/oeedger8r/host/CMakeLists.txt
+++ b/tests/oeedger8r/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_custom_command(
diff --git a/tests/oeedger8r/host/bar.cpp b/tests/oeedger8r/host/bar.cpp
index a86a74080c..e4990f0bff 100644
--- a/tests/oeedger8r/host/bar.cpp
+++ b/tests/oeedger8r/host/bar.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include "bar_u.h"
 
diff --git a/tests/oeedger8r/host/foo.cpp b/tests/oeedger8r/host/foo.cpp
index a2419c7aa4..ea0042a743 100644
--- a/tests/oeedger8r/host/foo.cpp
+++ b/tests/oeedger8r/host/foo.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include "all_u.h"
 
diff --git a/tests/oeedger8r/host/main.cpp b/tests/oeedger8r/host/main.cpp
index c901edbee4..a28395c04b 100644
--- a/tests/oeedger8r/host/main.cpp
+++ b/tests/oeedger8r/host/main.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/oeedger8r/host/testarray.cpp b/tests/oeedger8r/host/testarray.cpp
index fc95b50482..0577004f49 100644
--- a/tests/oeedger8r/host/testarray.cpp
+++ b/tests/oeedger8r/host/testarray.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/host/testbasic.cpp b/tests/oeedger8r/host/testbasic.cpp
index b8db8b5f92..84bd78432d 100644
--- a/tests/oeedger8r/host/testbasic.cpp
+++ b/tests/oeedger8r/host/testbasic.cpp
@@ -1,5 +1,5 @@
 
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/host/testdeepcopy.cpp b/tests/oeedger8r/host/testdeepcopy.cpp
index 4ac76c50f3..24b612d53e 100644
--- a/tests/oeedger8r/host/testdeepcopy.cpp
+++ b/tests/oeedger8r/host/testdeepcopy.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/host/testenum.cpp b/tests/oeedger8r/host/testenum.cpp
index 6767706fce..f66f8ed4e6 100644
--- a/tests/oeedger8r/host/testenum.cpp
+++ b/tests/oeedger8r/host/testenum.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/host/testerrno.cpp b/tests/oeedger8r/host/testerrno.cpp
index 7f775f19ac..9a9fc90017 100644
--- a/tests/oeedger8r/host/testerrno.cpp
+++ b/tests/oeedger8r/host/testerrno.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/host/testforeign.cpp b/tests/oeedger8r/host/testforeign.cpp
index f6bc15c9e1..3aa5cde2d8 100644
--- a/tests/oeedger8r/host/testforeign.cpp
+++ b/tests/oeedger8r/host/testforeign.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/host/testother.cpp b/tests/oeedger8r/host/testother.cpp
index ae66b80bb2..ab63838743 100644
--- a/tests/oeedger8r/host/testother.cpp
+++ b/tests/oeedger8r/host/testother.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/host/testpointer.cpp b/tests/oeedger8r/host/testpointer.cpp
index 088e6026a7..aef85e2ef4 100644
--- a/tests/oeedger8r/host/testpointer.cpp
+++ b/tests/oeedger8r/host/testpointer.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/host/teststring.cpp b/tests/oeedger8r/host/teststring.cpp
index 0de52701aa..f4c449fd40 100644
--- a/tests/oeedger8r/host/teststring.cpp
+++ b/tests/oeedger8r/host/teststring.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../edltestutils.h"
diff --git a/tests/oeedger8r/host/teststruct.cpp b/tests/oeedger8r/host/teststruct.cpp
index dc6073338b..76627d7fc2 100644
--- a/tests/oeedger8r/host/teststruct.cpp
+++ b/tests/oeedger8r/host/teststruct.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/defs.h>
diff --git a/tests/oeedger8r/host/testswitchless.cpp b/tests/oeedger8r/host/testswitchless.cpp
index e1414c54a9..6c9cda1d70 100644
--- a/tests/oeedger8r/host/testswitchless.cpp
+++ b/tests/oeedger8r/host/testswitchless.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/oeedger8r/moreedl/bar.edl b/tests/oeedger8r/moreedl/bar.edl
index 52d7e43de9..ed62e59798 100644
--- a/tests/oeedger8r/moreedl/bar.edl
+++ b/tests/oeedger8r/moreedl/bar.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // This edl is compiled only in header only mode.
diff --git a/tests/oeedger8r/moreedl/foo.edl b/tests/oeedger8r/moreedl/foo.edl
index 276cdcbccb..ccb05a4327 100644
--- a/tests/oeedger8r/moreedl/foo.edl
+++ b/tests/oeedger8r/moreedl/foo.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave  {
diff --git a/tests/oeedger8r/mytypes.h b/tests/oeedger8r/mytypes.h
index e35f85c2a9..ba8c3930d6 100644
--- a/tests/oeedger8r/mytypes.h
+++ b/tests/oeedger8r/mytypes.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #pragma once
diff --git a/tests/pingpong-shared/CMakeLists.txt b/tests/pingpong-shared/CMakeLists.txt
index 30477d4f96..a54faeeb11 100644
--- a/tests/pingpong-shared/CMakeLists.txt
+++ b/tests/pingpong-shared/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/pingpong-shared/enc/CMakeLists.txt b/tests/pingpong-shared/enc/CMakeLists.txt
index 6fbf626310..f7f420f0c6 100644
--- a/tests/pingpong-shared/enc/CMakeLists.txt
+++ b/tests/pingpong-shared/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/pingpong-shared/enc/enc.cpp b/tests/pingpong-shared/enc/enc.cpp
index 0c4086b4ef..6c98549550 100644
--- a/tests/pingpong-shared/enc/enc.cpp
+++ b/tests/pingpong-shared/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/pingpong-shared/host/CMakeLists.txt b/tests/pingpong-shared/host/CMakeLists.txt
index a542d0056e..9deb9421b6 100644
--- a/tests/pingpong-shared/host/CMakeLists.txt
+++ b/tests/pingpong-shared/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../pingpong.edl host gen)
diff --git a/tests/pingpong-shared/host/host.cpp b/tests/pingpong-shared/host/host.cpp
index 050743a59c..9640608f4f 100644
--- a/tests/pingpong-shared/host/host.cpp
+++ b/tests/pingpong-shared/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/pingpong-shared/host/main.cpp b/tests/pingpong-shared/host/main.cpp
index d260727e82..a77e469058 100644
--- a/tests/pingpong-shared/host/main.cpp
+++ b/tests/pingpong-shared/host/main.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 extern int main_shared(int argc, const char* argv[]);
diff --git a/tests/pingpong-shared/main.cpp b/tests/pingpong-shared/main.cpp
index da45678164..2d6b32b668 100644
--- a/tests/pingpong-shared/main.cpp
+++ b/tests/pingpong-shared/main.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 extern "C" __attribute__((section(".ecall"))) void __ping(void* args);
diff --git a/tests/pingpong-shared/pingpong.edl b/tests/pingpong-shared/pingpong.edl
index c4a9d1f906..c8e9ae436d 100644
--- a/tests/pingpong-shared/pingpong.edl
+++ b/tests/pingpong-shared/pingpong.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/pingpong/CMakeLists.txt b/tests/pingpong/CMakeLists.txt
index 45365b4cb3..a290fb3afe 100644
--- a/tests/pingpong/CMakeLists.txt
+++ b/tests/pingpong/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/pingpong/enc/CMakeLists.txt b/tests/pingpong/enc/CMakeLists.txt
index 56770bb127..d77de95449 100644
--- a/tests/pingpong/enc/CMakeLists.txt
+++ b/tests/pingpong/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/pingpong/enc/enc.cpp b/tests/pingpong/enc/enc.cpp
index 7ac77a61a8..6f1d23fb00 100644
--- a/tests/pingpong/enc/enc.cpp
+++ b/tests/pingpong/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/pingpong/host/CMakeLists.txt b/tests/pingpong/host/CMakeLists.txt
index 615c4f8c9e..777048faee 100644
--- a/tests/pingpong/host/CMakeLists.txt
+++ b/tests/pingpong/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../pingpong.edl host gen)
diff --git a/tests/pingpong/host/host.cpp b/tests/pingpong/host/host.cpp
index a6f5424dc4..ac8dccd63c 100644
--- a/tests/pingpong/host/host.cpp
+++ b/tests/pingpong/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/pingpong/main.cpp b/tests/pingpong/main.cpp
index da45678164..2d6b32b668 100644
--- a/tests/pingpong/main.cpp
+++ b/tests/pingpong/main.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 extern "C" __attribute__((section(".ecall"))) void __ping(void* args);
diff --git a/tests/pingpong/pingpong.edl b/tests/pingpong/pingpong.edl
index c4a9d1f906..c8e9ae436d 100644
--- a/tests/pingpong/pingpong.edl
+++ b/tests/pingpong/pingpong.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/print/CMakeLists.txt b/tests/print/CMakeLists.txt
index c574aeb2ff..8cd915d256 100644
--- a/tests/print/CMakeLists.txt
+++ b/tests/print/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/print/enc/CMakeLists.txt b/tests/print/enc/CMakeLists.txt
index 6649180413..5aa9449da8 100644
--- a/tests/print/enc/CMakeLists.txt
+++ b/tests/print/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/print/enc/enc.cpp b/tests/print/enc/enc.cpp
index b4b040ca9a..68836aa3ed 100644
--- a/tests/print/enc/enc.cpp
+++ b/tests/print/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/print/host/CMakeLists.txt b/tests/print/host/CMakeLists.txt
index 2419741c0e..d57566006d 100644
--- a/tests/print/host/CMakeLists.txt
+++ b/tests/print/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/print/host/host.cpp b/tests/print/host/host.cpp
index 9b85f1a2ca..3d8aca6334 100644
--- a/tests/print/host/host.cpp
+++ b/tests/print/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/print/print.edl b/tests/print/print.edl
index 64f629d9bd..9fd024138f 100644
--- a/tests/print/print.edl
+++ b/tests/print/print.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/props/CMakeLists.txt b/tests/props/CMakeLists.txt
index 8621bd9f44..0fc7d36ff1 100644
--- a/tests/props/CMakeLists.txt
+++ b/tests/props/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/props/enc/CMakeLists.txt b/tests/props/enc/CMakeLists.txt
index c60169c7b6..0579656a20 100644
--- a/tests/props/enc/CMakeLists.txt
+++ b/tests/props/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/props/enc/enc.c b/tests/props/enc/enc.c
index 932dab79f4..9e3ce423ed 100644
--- a/tests/props/enc/enc.c
+++ b/tests/props/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/tests/props/enc/props.c b/tests/props/enc/props.c
index 7f49264d21..c01882ae76 100644
--- a/tests/props/enc/props.c
+++ b/tests/props/enc/props.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/props/enc/sign.conf b/tests/props/enc/sign.conf
index b1450e80d4..004f535b91 100644
--- a/tests/props/enc/sign.conf
+++ b/tests/props/enc/sign.conf
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # Enclave settings:
diff --git a/tests/props/host/CMakeLists.txt b/tests/props/host/CMakeLists.txt
index e40e20f303..874e9c6fdc 100644
--- a/tests/props/host/CMakeLists.txt
+++ b/tests/props/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/props/host/host.c b/tests/props/host/host.c
index 97d1e00527..d9cb93b1a9 100644
--- a/tests/props/host/host.c
+++ b/tests/props/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/props/props.edl b/tests/props/props.edl
index cee9b57d6f..26a0f5371f 100644
--- a/tests/props/props.edl
+++ b/tests/props/props.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/qeidentity/CMakeLists.txt b/tests/qeidentity/CMakeLists.txt
index 9401cccd57..ce84892311 100644
--- a/tests/qeidentity/CMakeLists.txt
+++ b/tests/qeidentity/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/qeidentity/common/includes.h b/tests/qeidentity/common/includes.h
index b5292699aa..ff2d078799 100644
--- a/tests/qeidentity/common/includes.h
+++ b/tests/qeidentity/common/includes.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _COMMON_INCLUDES_H_
diff --git a/tests/qeidentity/enc/CMakeLists.txt b/tests/qeidentity/enc/CMakeLists.txt
index effe27241c..16781c29cb 100644
--- a/tests/qeidentity/enc/CMakeLists.txt
+++ b/tests/qeidentity/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/qeidentity/enc/enc.cpp b/tests/qeidentity/enc/enc.cpp
index 78db622aee..0b7620a690 100644
--- a/tests/qeidentity/enc/enc.cpp
+++ b/tests/qeidentity/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/qeidentity/host/CMakeLists.txt b/tests/qeidentity/host/CMakeLists.txt
index 76389b5284..c724cdf5a1 100644
--- a/tests/qeidentity/host/CMakeLists.txt
+++ b/tests/qeidentity/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/qeidentity/host/host.cpp b/tests/qeidentity/host/host.cpp
index 45adec07e2..72e91dae6c 100644
--- a/tests/qeidentity/host/host.cpp
+++ b/tests/qeidentity/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/qeidentity/host/qeidentifyinfo.cpp b/tests/qeidentity/host/qeidentifyinfo.cpp
index 5ea345dbc3..6d6e0233ef 100644
--- a/tests/qeidentity/host/qeidentifyinfo.cpp
+++ b/tests/qeidentity/host/qeidentifyinfo.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #ifdef OE_LINK_SGX_DCAP_QL
 
diff --git a/tests/qeidentity/tests.edl b/tests/qeidentity/tests.edl
index bf7c1ed511..ed1fe3cda5 100644
--- a/tests/qeidentity/tests.edl
+++ b/tests/qeidentity/tests.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/report/CMakeLists.txt b/tests/report/CMakeLists.txt
index 90f785654b..85d24b8991 100644
--- a/tests/report/CMakeLists.txt
+++ b/tests/report/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/report/common/includes.h b/tests/report/common/includes.h
index b5292699aa..ff2d078799 100644
--- a/tests/report/common/includes.h
+++ b/tests/report/common/includes.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _COMMON_INCLUDES_H_
diff --git a/tests/report/common/tests.cpp b/tests/report/common/tests.cpp
index 7827b65adb..c5b0f0898c 100644
--- a/tests/report/common/tests.cpp
+++ b/tests/report/common/tests.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "../common/tests.h"
diff --git a/tests/report/common/tests.h b/tests/report/common/tests.h
index 4c1544fc18..85fe45503d 100644
--- a/tests/report/common/tests.h
+++ b/tests/report/common/tests.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _TESTS_H_
diff --git a/tests/report/enc/CMakeLists.txt b/tests/report/enc/CMakeLists.txt
index 40f4304703..356eef0c80 100644
--- a/tests/report/enc/CMakeLists.txt
+++ b/tests/report/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/report/enc/datetime.cpp b/tests/report/enc/datetime.cpp
index 43f7f8d2dd..fedbac19f5 100644
--- a/tests/report/enc/datetime.cpp
+++ b/tests/report/enc/datetime.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/report/enc/enc.cpp b/tests/report/enc/enc.cpp
index 6c9a4ab212..b137fcb7d9 100644
--- a/tests/report/enc/enc.cpp
+++ b/tests/report/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 #include <openenclave/enclave.h>
 #include <openenclave/internal/raise.h>
diff --git a/tests/report/host/CMakeLists.txt b/tests/report/host/CMakeLists.txt
index 057a1ceee9..c8bb2a80a8 100644
--- a/tests/report/host/CMakeLists.txt
+++ b/tests/report/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 include(add_dcap_client_target)
diff --git a/tests/report/host/host.cpp b/tests/report/host/host.cpp
index 51cd1cf791..8c01f372f5 100644
--- a/tests/report/host/host.cpp
+++ b/tests/report/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/report/host/tcbinfo.cpp b/tests/report/host/tcbinfo.cpp
index 9ba0eb225b..f08c94b334 100644
--- a/tests/report/host/tcbinfo.cpp
+++ b/tests/report/host/tcbinfo.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/report/tests.edl b/tests/report/tests.edl
index 590035bf51..240c512aaa 100644
--- a/tests/report/tests.edl
+++ b/tests/report/tests.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/safecrt/CMakeLists.txt b/tests/safecrt/CMakeLists.txt
index 59f315da21..1eb4056e2b 100644
--- a/tests/safecrt/CMakeLists.txt
+++ b/tests/safecrt/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/safecrt/common/test.cpp b/tests/safecrt/common/test.cpp
index 0fabfe348a..e0787f9b39 100644
--- a/tests/safecrt/common/test.cpp
+++ b/tests/safecrt/common/test.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #if defined(OE_BUILD_ENCLAVE)
diff --git a/tests/safecrt/common/test.h b/tests/safecrt/common/test.h
index 8de53e091c..d7728e869f 100644
--- a/tests/safecrt/common/test.h
+++ b/tests/safecrt/common/test.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 void test_memcpy_s();
diff --git a/tests/safecrt/enc/CMakeLists.txt b/tests/safecrt/enc/CMakeLists.txt
index ef43fe70ca..f1ac0db2b8 100644
--- a/tests/safecrt/enc/CMakeLists.txt
+++ b/tests/safecrt/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/safecrt/enc/enc.cpp b/tests/safecrt/enc/enc.cpp
index 529fcc1dfd..82ad63a7f3 100644
--- a/tests/safecrt/enc/enc.cpp
+++ b/tests/safecrt/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/properties.h>
diff --git a/tests/safecrt/host/CMakeLists.txt b/tests/safecrt/host/CMakeLists.txt
index 14948dce4f..aa1b5415d0 100644
--- a/tests/safecrt/host/CMakeLists.txt
+++ b/tests/safecrt/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/safecrt/host/host.cpp b/tests/safecrt/host/host.cpp
index 750c6eb5a0..faa9b1ab99 100644
--- a/tests/safecrt/host/host.cpp
+++ b/tests/safecrt/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/safecrt/safecrt.edl b/tests/safecrt/safecrt.edl
index 9f28fa8147..5739d304c5 100644
--- a/tests/safecrt/safecrt.edl
+++ b/tests/safecrt/safecrt.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave  {
diff --git a/tests/safemath/CMakeLists.txt b/tests/safemath/CMakeLists.txt
index fcdfb05d98..fb7a5e8bd7 100644
--- a/tests/safemath/CMakeLists.txt
+++ b/tests/safemath/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_executable(safemath main.cpp)
diff --git a/tests/safemath/main.cpp b/tests/safemath/main.cpp
index 4aff45a619..9c427b74e0 100644
--- a/tests/safemath/main.cpp
+++ b/tests/safemath/main.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/result.h>
diff --git a/tests/sealKey/CMakeLists.txt b/tests/sealKey/CMakeLists.txt
index e11633a50a..92125cd033 100644
--- a/tests/sealKey/CMakeLists.txt
+++ b/tests/sealKey/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/sealKey/args.h b/tests/sealKey/args.h
index e551e47548..9b9e49daf5 100644
--- a/tests/sealKey/args.h
+++ b/tests/sealKey/args.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _SEALKEY_ARGS_H
diff --git a/tests/sealKey/enc/CMakeLists.txt b/tests/sealKey/enc/CMakeLists.txt
index 638b70d32b..82377292f8 100644
--- a/tests/sealKey/enc/CMakeLists.txt
+++ b/tests/sealKey/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/sealKey/enc/enc.cpp b/tests/sealKey/enc/enc.cpp
index 1a37d30cf9..073dbaf88c 100644
--- a/tests/sealKey/enc/enc.cpp
+++ b/tests/sealKey/enc/enc.cpp
@@ -1,5 +1,5 @@
 
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/safecrt.h>
diff --git a/tests/sealKey/host/CMakeLists.txt b/tests/sealKey/host/CMakeLists.txt
index be4c2b67c8..753bc73bf6 100644
--- a/tests/sealKey/host/CMakeLists.txt
+++ b/tests/sealKey/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 include (oeedl_file)
diff --git a/tests/sealKey/host/host.cpp b/tests/sealKey/host/host.cpp
index 5cde3b5819..10286da24b 100644
--- a/tests/sealKey/host/host.cpp
+++ b/tests/sealKey/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/sealKey/sealKey.edl b/tests/sealKey/sealKey.edl
index 48416cad55..64bb22c0d9 100644
--- a/tests/sealKey/sealKey.edl
+++ b/tests/sealKey/sealKey.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/stdc/CMakeLists.txt b/tests/stdc/CMakeLists.txt
index 363fc1fecd..322f132fe6 100644
--- a/tests/stdc/CMakeLists.txt
+++ b/tests/stdc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/stdc/enc/CMakeLists.txt b/tests/stdc/enc/CMakeLists.txt
index 962ddc2b2c..fe8d9ea137 100644
--- a/tests/stdc/enc/CMakeLists.txt
+++ b/tests/stdc/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/stdc/enc/enc.cpp b/tests/stdc/enc/enc.cpp
index 44a1e7caf7..b4c679556c 100644
--- a/tests/stdc/enc/enc.cpp
+++ b/tests/stdc/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <ctype.h>
diff --git a/tests/stdc/host/CMakeLists.txt b/tests/stdc/host/CMakeLists.txt
index 9156fa0819..3cadcb7d37 100644
--- a/tests/stdc/host/CMakeLists.txt
+++ b/tests/stdc/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/stdc/host/host.cpp b/tests/stdc/host/host.cpp
index 7613c5a50d..836f67fb0a 100644
--- a/tests/stdc/host/host.cpp
+++ b/tests/stdc/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/stdc/stdc.edl b/tests/stdc/stdc.edl
index 3d3d0ae7f1..0964ee54c6 100644
--- a/tests/stdc/stdc.edl
+++ b/tests/stdc/stdc.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/stdcxx/CMakeLists.txt b/tests/stdcxx/CMakeLists.txt
index aa884cbe77..a0a59ed615 100644
--- a/tests/stdcxx/CMakeLists.txt
+++ b/tests/stdcxx/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/stdcxx/enc/CMakeLists.txt b/tests/stdcxx/enc/CMakeLists.txt
index 70aaab3bd5..a3e9b5bc8f 100644
--- a/tests/stdcxx/enc/CMakeLists.txt
+++ b/tests/stdcxx/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../stdcxx.edl enclave gen)
diff --git a/tests/stdcxx/enc/enc.cpp b/tests/stdcxx/enc/enc.cpp
index 5ed1e9f9e4..fcf423f527 100644
--- a/tests/stdcxx/enc/enc.cpp
+++ b/tests/stdcxx/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/stdlib.h>
diff --git a/tests/stdcxx/enc/f.cpp b/tests/stdcxx/enc/f.cpp
index b13bb401f9..b4c77e9ecc 100644
--- a/tests/stdcxx/enc/f.cpp
+++ b/tests/stdcxx/enc/f.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/stdcxx/enc/global_init_exception.cpp b/tests/stdcxx/enc/global_init_exception.cpp
index 761510cee3..9416a4d885 100644
--- a/tests/stdcxx/enc/global_init_exception.cpp
+++ b/tests/stdcxx/enc/global_init_exception.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/tests/stdcxx/host/CMakeLists.txt b/tests/stdcxx/host/CMakeLists.txt
index 96044f92d3..abe53b0d8d 100644
--- a/tests/stdcxx/host/CMakeLists.txt
+++ b/tests/stdcxx/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../stdcxx.edl host gen)
diff --git a/tests/stdcxx/host/host.cpp b/tests/stdcxx/host/host.cpp
index e5b815c375..c59e52c140 100644
--- a/tests/stdcxx/host/host.cpp
+++ b/tests/stdcxx/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/stdcxx/stdcxx.edl b/tests/stdcxx/stdcxx.edl
index 09c2f10dda..6c0af703d1 100644
--- a/tests/stdcxx/stdcxx.edl
+++ b/tests/stdcxx/stdcxx.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/str/CMakeLists.txt b/tests/str/CMakeLists.txt
index 91d7c33391..0ebfdd1009 100644
--- a/tests/str/CMakeLists.txt
+++ b/tests/str/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_executable(str main.c)
diff --git a/tests/str/main.c b/tests/str/main.c
index e19835313e..1bf3f88073 100644
--- a/tests/str/main.c
+++ b/tests/str/main.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define MEM_MIN_CAP 1
diff --git a/tests/switchless/CMakeLists.txt b/tests/switchless/CMakeLists.txt
index 95288c90cc..39064ab70b 100644
--- a/tests/switchless/CMakeLists.txt
+++ b/tests/switchless/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/switchless/enc/CMakeLists.txt b/tests/switchless/enc/CMakeLists.txt
index 750896937d..3e259415cb 100644
--- a/tests/switchless/enc/CMakeLists.txt
+++ b/tests/switchless/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../switchless.edl enclave gen)
diff --git a/tests/switchless/enc/enc.c b/tests/switchless/enc/enc.c
index 7c1601cf77..544a9c46e1 100644
--- a/tests/switchless/enc/enc.c
+++ b/tests/switchless/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/string.h>
diff --git a/tests/switchless/host/CMakeLists.txt b/tests/switchless/host/CMakeLists.txt
index e38d76b2ae..2f318e504d 100644
--- a/tests/switchless/host/CMakeLists.txt
+++ b/tests/switchless/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../switchless.edl host gen)
diff --git a/tests/switchless/host/host.c b/tests/switchless/host/host.c
index a354ecba0c..e48b942f70 100644
--- a/tests/switchless/host/host.c
+++ b/tests/switchless/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/switchless/switchless.edl b/tests/switchless/switchless.edl
index d4f2dc8bb6..04da614f6e 100644
--- a/tests/switchless/switchless.edl
+++ b/tests/switchless/switchless.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/switchless_threads/CMakeLists.txt b/tests/switchless_threads/CMakeLists.txt
index 5036738e91..729dd9b04b 100644
--- a/tests/switchless_threads/CMakeLists.txt
+++ b/tests/switchless_threads/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/switchless_threads/enc/CMakeLists.txt b/tests/switchless_threads/enc/CMakeLists.txt
index 2d5fd8f606..55ebe7a4b8 100644
--- a/tests/switchless_threads/enc/CMakeLists.txt
+++ b/tests/switchless_threads/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../switchless_threads.edl enclave gen)
diff --git a/tests/switchless_threads/enc/enc.c b/tests/switchless_threads/enc/enc.c
index ec07302ac1..fbf6e321d4 100644
--- a/tests/switchless_threads/enc/enc.c
+++ b/tests/switchless_threads/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/string.h>
diff --git a/tests/switchless_threads/host/CMakeLists.txt b/tests/switchless_threads/host/CMakeLists.txt
index 9ba1523c36..3acdfa75f8 100644
--- a/tests/switchless_threads/host/CMakeLists.txt
+++ b/tests/switchless_threads/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../switchless_threads.edl host gen)
diff --git a/tests/switchless_threads/host/host.c b/tests/switchless_threads/host/host.c
index fc4938714a..936977079a 100644
--- a/tests/switchless_threads/host/host.c
+++ b/tests/switchless_threads/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/switchless_threads/switchless_threads.edl b/tests/switchless_threads/switchless_threads.edl
index b5921c9a0f..b9728ee7e2 100644
--- a/tests/switchless_threads/switchless_threads.edl
+++ b/tests/switchless_threads/switchless_threads.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/syscall/CMakeLists.txt b/tests/syscall/CMakeLists.txt
index 689c334a53..d05d1beef4 100644
--- a/tests/syscall/CMakeLists.txt
+++ b/tests/syscall/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 if(UNIX)
diff --git a/tests/syscall/cpio/CMakeLists.txt b/tests/syscall/cpio/CMakeLists.txt
index ca2656f76a..c560225e2a 100644
--- a/tests/syscall/cpio/CMakeLists.txt
+++ b/tests/syscall/cpio/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_library(oecpio STATIC commands.c cpio.c strarr.c)
diff --git a/tests/syscall/cpio/commands.c b/tests/syscall/cpio/commands.c
index a0a62cd291..717bfaa0f6 100644
--- a/tests/syscall/cpio/commands.c
+++ b/tests/syscall/cpio/commands.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define _GNU_SOURCE
diff --git a/tests/syscall/cpio/commands.h b/tests/syscall/cpio/commands.h
index 41dac66997..e67ed94309 100644
--- a/tests/syscall/cpio/commands.h
+++ b/tests/syscall/cpio/commands.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_COMMANDS_H
diff --git a/tests/syscall/cpio/cpio.c b/tests/syscall/cpio/cpio.c
index 1ff1c1c930..b506acf766 100644
--- a/tests/syscall/cpio/cpio.c
+++ b/tests/syscall/cpio/cpio.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _GNU_SOURCE
diff --git a/tests/syscall/cpio/cpio.h b/tests/syscall/cpio/cpio.h
index 360df72824..cc7b025a75 100644
--- a/tests/syscall/cpio/cpio.h
+++ b/tests/syscall/cpio/cpio.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_CPIO_H
diff --git a/tests/syscall/cpio/strarr.c b/tests/syscall/cpio/strarr.c
index 712acf3079..74380ac125 100644
--- a/tests/syscall/cpio/strarr.c
+++ b/tests/syscall/cpio/strarr.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "strarr.h"
diff --git a/tests/syscall/cpio/strarr.h b/tests/syscall/cpio/strarr.h
index 40f11047d6..8ad44c5c04 100644
--- a/tests/syscall/cpio/strarr.h
+++ b/tests/syscall/cpio/strarr.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_STRARR_H
diff --git a/tests/syscall/cpio/trace.h b/tests/syscall/cpio/trace.h
index 2ee41c8fcf..721adc6faa 100644
--- a/tests/syscall/cpio/trace.h
+++ b/tests/syscall/cpio/trace.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _CPIO_TRACE_H
diff --git a/tests/syscall/cpio/utils.h b/tests/syscall/cpio/utils.h
index e4be388d97..e76ea11cf9 100644
--- a/tests/syscall/cpio/utils.h
+++ b/tests/syscall/cpio/utils.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_UTILS_H
diff --git a/tests/syscall/datagram/CMakeLists.txt b/tests/syscall/datagram/CMakeLists.txt
index a02ac478c9..3a50a636e9 100644
--- a/tests/syscall/datagram/CMakeLists.txt
+++ b/tests/syscall/datagram/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/syscall/datagram/enc/CMakeLists.txt b/tests/syscall/datagram/enc/CMakeLists.txt
index f50c583ccf..c5310fd487 100644
--- a/tests/syscall/datagram/enc/CMakeLists.txt
+++ b/tests/syscall/datagram/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/syscall/datagram/enc/enc.c b/tests/syscall/datagram/enc/enc.c
index f5974a18fb..ddca2d35f9 100644
--- a/tests/syscall/datagram/enc/enc.c
+++ b/tests/syscall/datagram/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <arpa/inet.h>
diff --git a/tests/syscall/datagram/host/CMakeLists.txt b/tests/syscall/datagram/host/CMakeLists.txt
index dfba754e6d..4a76330d45 100644
--- a/tests/syscall/datagram/host/CMakeLists.txt
+++ b/tests/syscall/datagram/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/syscall/datagram/host/host.c b/tests/syscall/datagram/host/host.c
index 0532309da6..fa5d4a8256 100644
--- a/tests/syscall/datagram/host/host.c
+++ b/tests/syscall/datagram/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/syscall/datagram/test_datagram.edl b/tests/syscall/datagram/test_datagram.edl
index 7032305b0b..60a4976ceb 100644
--- a/tests/syscall/datagram/test_datagram.edl
+++ b/tests/syscall/datagram/test_datagram.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/syscall/dup/CMakeLists.txt b/tests/syscall/dup/CMakeLists.txt
index 5e76faff19..0bab7ce8b0 100644
--- a/tests/syscall/dup/CMakeLists.txt
+++ b/tests/syscall/dup/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/syscall/dup/enc/CMakeLists.txt b/tests/syscall/dup/enc/CMakeLists.txt
index 1fddfc974c..1ff6b8a27f 100644
--- a/tests/syscall/dup/enc/CMakeLists.txt
+++ b/tests/syscall/dup/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/syscall/dup/enc/enc.c b/tests/syscall/dup/enc/enc.c
index 0084de161c..3fc5cc1f08 100644
--- a/tests/syscall/dup/enc/enc.c
+++ b/tests/syscall/dup/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/tests/syscall/dup/enc/main.c b/tests/syscall/dup/enc/main.c
index af4bcfcbc2..482176795b 100644
--- a/tests/syscall/dup/enc/main.c
+++ b/tests/syscall/dup/enc/main.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/syscall/dup/host/CMakeLists.txt b/tests/syscall/dup/host/CMakeLists.txt
index dd7b2cdd05..f1d993e609 100644
--- a/tests/syscall/dup/host/CMakeLists.txt
+++ b/tests/syscall/dup/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/syscall/dup/host/host.c b/tests/syscall/dup/host/host.c
index 0bad1ec1e5..c129da743e 100644
--- a/tests/syscall/dup/host/host.c
+++ b/tests/syscall/dup/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/syscall/dup/test_dup.edl b/tests/syscall/dup/test_dup.edl
index fa4a26a887..3dbe15d494 100644
--- a/tests/syscall/dup/test_dup.edl
+++ b/tests/syscall/dup/test_dup.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/syscall/fs/CMakeLists.txt b/tests/syscall/fs/CMakeLists.txt
index a58f5415cc..a6cbd6c31d 100644
--- a/tests/syscall/fs/CMakeLists.txt
+++ b/tests/syscall/fs/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/syscall/fs/enc/CMakeLists.txt b/tests/syscall/fs/enc/CMakeLists.txt
index e7d1cb674c..e9fb309ca7 100644
--- a/tests/syscall/fs/enc/CMakeLists.txt
+++ b/tests/syscall/fs/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 if(UNIX)
diff --git a/tests/syscall/fs/enc/enc.cpp b/tests/syscall/fs/enc/enc.cpp
index 4f765b7fcd..58989974bd 100644
--- a/tests/syscall/fs/enc/enc.cpp
+++ b/tests/syscall/fs/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/limits.h>
diff --git a/tests/syscall/fs/enc/file_system.h b/tests/syscall/fs/enc/file_system.h
index f192142515..8370316c5a 100644
--- a/tests/syscall/fs/enc/file_system.h
+++ b/tests/syscall/fs/enc/file_system.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _file_system_h
diff --git a/tests/syscall/fs/host/CMakeLists.txt b/tests/syscall/fs/host/CMakeLists.txt
index 4af8b1778d..46b9d7448a 100644
--- a/tests/syscall/fs/host/CMakeLists.txt
+++ b/tests/syscall/fs/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 if(UNIX)
diff --git a/tests/syscall/fs/host/host.c b/tests/syscall/fs/host/host.c
index 342326b59b..16e4e7451a 100644
--- a/tests/syscall/fs/host/host.c
+++ b/tests/syscall/fs/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/syscall/fs/linux/fs.edl b/tests/syscall/fs/linux/fs.edl
index 02fb3b2fe8..fd80839e27 100644
--- a/tests/syscall/fs/linux/fs.edl
+++ b/tests/syscall/fs/linux/fs.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/syscall/fs/windows/fs.edl b/tests/syscall/fs/windows/fs.edl
index bbd649ae8a..848404c88d 100644
--- a/tests/syscall/fs/windows/fs.edl
+++ b/tests/syscall/fs/windows/fs.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/syscall/hostfs/CMakeLists.txt b/tests/syscall/hostfs/CMakeLists.txt
index 8ca84504f3..5d5a97d683 100644
--- a/tests/syscall/hostfs/CMakeLists.txt
+++ b/tests/syscall/hostfs/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/syscall/hostfs/enc/CMakeLists.txt b/tests/syscall/hostfs/enc/CMakeLists.txt
index 43cf80fde1..b210b33ddd 100644
--- a/tests/syscall/hostfs/enc/CMakeLists.txt
+++ b/tests/syscall/hostfs/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/syscall/hostfs/enc/enc.c b/tests/syscall/hostfs/enc/enc.c
index 5fbd1e5f23..d819e0be7b 100644
--- a/tests/syscall/hostfs/enc/enc.c
+++ b/tests/syscall/hostfs/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/tests/syscall/hostfs/enc/main.c b/tests/syscall/hostfs/enc/main.c
index af4bcfcbc2..482176795b 100644
--- a/tests/syscall/hostfs/enc/main.c
+++ b/tests/syscall/hostfs/enc/main.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/syscall/hostfs/host/CMakeLists.txt b/tests/syscall/hostfs/host/CMakeLists.txt
index 65373a538d..d51929ea09 100644
--- a/tests/syscall/hostfs/host/CMakeLists.txt
+++ b/tests/syscall/hostfs/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/syscall/hostfs/host/host.c b/tests/syscall/hostfs/host/host.c
index 8abda18dcd..08bec65ace 100644
--- a/tests/syscall/hostfs/host/host.c
+++ b/tests/syscall/hostfs/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/syscall/hostfs/test_hostfs.edl b/tests/syscall/hostfs/test_hostfs.edl
index 016184078c..ed944ecb12 100644
--- a/tests/syscall/hostfs/test_hostfs.edl
+++ b/tests/syscall/hostfs/test_hostfs.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/syscall/ids/CMakeLists.txt b/tests/syscall/ids/CMakeLists.txt
index f0a4798613..d6f130ffa6 100644
--- a/tests/syscall/ids/CMakeLists.txt
+++ b/tests/syscall/ids/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/syscall/ids/enc/CMakeLists.txt b/tests/syscall/ids/enc/CMakeLists.txt
index 171d74f64b..b78491d5c4 100644
--- a/tests/syscall/ids/enc/CMakeLists.txt
+++ b/tests/syscall/ids/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/syscall/ids/enc/enc.c b/tests/syscall/ids/enc/enc.c
index b89f0b2cb7..95c5670d67 100644
--- a/tests/syscall/ids/enc/enc.c
+++ b/tests/syscall/ids/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/syscall/ids/enc/main.c b/tests/syscall/ids/enc/main.c
index af4bcfcbc2..482176795b 100644
--- a/tests/syscall/ids/enc/main.c
+++ b/tests/syscall/ids/enc/main.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/syscall/ids/host/CMakeLists.txt b/tests/syscall/ids/host/CMakeLists.txt
index b773b9f117..894c824724 100644
--- a/tests/syscall/ids/host/CMakeLists.txt
+++ b/tests/syscall/ids/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/syscall/ids/host/host.c b/tests/syscall/ids/host/host.c
index 377098d32e..963ef4b1ca 100644
--- a/tests/syscall/ids/host/host.c
+++ b/tests/syscall/ids/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/limits.h>
diff --git a/tests/syscall/ids/test_ids.edl b/tests/syscall/ids/test_ids.edl
index 4fd60f25ff..ff6d20cdd1 100644
--- a/tests/syscall/ids/test_ids.edl
+++ b/tests/syscall/ids/test_ids.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/syscall/platform/linux.h b/tests/syscall/platform/linux.h
index 87853cde87..0537ca5c9f 100644
--- a/tests/syscall/platform/linux.h
+++ b/tests/syscall/platform/linux.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _PLATFORM_LINUX_H
diff --git a/tests/syscall/platform/windows.h b/tests/syscall/platform/windows.h
index d177924cce..8db83fe489 100644
--- a/tests/syscall/platform/windows.h
+++ b/tests/syscall/platform/windows.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _PLATFORM_WINDOWS_H
diff --git a/tests/syscall/poller/CMakeLists.txt b/tests/syscall/poller/CMakeLists.txt
index 72404b9411..39222728a5 100644
--- a/tests/syscall/poller/CMakeLists.txt
+++ b/tests/syscall/poller/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/syscall/poller/client.cpp b/tests/syscall/poller/client.cpp
index f8eadc84b8..c09560c7fc 100644
--- a/tests/syscall/poller/client.cpp
+++ b/tests/syscall/poller/client.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "client.h"
diff --git a/tests/syscall/poller/client.h b/tests/syscall/poller/client.h
index f30a7bc12a..0606577411 100644
--- a/tests/syscall/poller/client.h
+++ b/tests/syscall/poller/client.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_TESTS_LIBCSOCKETS_CLIENT_H
diff --git a/tests/syscall/poller/enc/CMakeLists.txt b/tests/syscall/poller/enc/CMakeLists.txt
index 248901374f..6d891b622f 100644
--- a/tests/syscall/poller/enc/CMakeLists.txt
+++ b/tests/syscall/poller/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../poller.edl enclave gen)
diff --git a/tests/syscall/poller/enc/enc.cpp b/tests/syscall/poller/enc/enc.cpp
index 5bf214521c..7793fb8013 100644
--- a/tests/syscall/poller/enc/enc.cpp
+++ b/tests/syscall/poller/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/corelibc/stdio.h>
diff --git a/tests/syscall/poller/host/CMakeLists.txt b/tests/syscall/poller/host/CMakeLists.txt
index c4b9da9d25..0788c09df4 100644
--- a/tests/syscall/poller/host/CMakeLists.txt
+++ b/tests/syscall/poller/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/syscall/poller/host/host.cpp b/tests/syscall/poller/host/host.cpp
index 68406584ab..1c4cd08337 100644
--- a/tests/syscall/poller/host/host.cpp
+++ b/tests/syscall/poller/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #if defined(_WIN32)
diff --git a/tests/syscall/poller/poller.cpp b/tests/syscall/poller/poller.cpp
index 0bddd189bd..235bb99894 100644
--- a/tests/syscall/poller/poller.cpp
+++ b/tests/syscall/poller/poller.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "poller.h"
diff --git a/tests/syscall/poller/poller.edl b/tests/syscall/poller/poller.edl
index 84086aa65c..217c6c9f01 100644
--- a/tests/syscall/poller/poller.edl
+++ b/tests/syscall/poller/poller.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/syscall/poller/poller.h b/tests/syscall/poller/poller.h
index f6a37d33cb..e86bac34ec 100644
--- a/tests/syscall/poller/poller.h
+++ b/tests/syscall/poller/poller.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _POLLER_H
diff --git a/tests/syscall/poller/server.cpp b/tests/syscall/poller/server.cpp
index 9ce2c60b69..8e656ab3e9 100644
--- a/tests/syscall/poller/server.cpp
+++ b/tests/syscall/poller/server.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #if defined(_MSC_VER)
diff --git a/tests/syscall/poller/server.h b/tests/syscall/poller/server.h
index 0422414f40..786180db60 100644
--- a/tests/syscall/poller/server.h
+++ b/tests/syscall/poller/server.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_TESTS_LIBCSOCKETS_SERVER_H
diff --git a/tests/syscall/resolver/CMakeLists.txt b/tests/syscall/resolver/CMakeLists.txt
index 13710156c9..ea2a06e0b1 100644
--- a/tests/syscall/resolver/CMakeLists.txt
+++ b/tests/syscall/resolver/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/syscall/resolver/enc/CMakeLists.txt b/tests/syscall/resolver/enc/CMakeLists.txt
index 0a296efbf4..706797320f 100644
--- a/tests/syscall/resolver/enc/CMakeLists.txt
+++ b/tests/syscall/resolver/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../resolver_test.edl
diff --git a/tests/syscall/resolver/enc/enc.c b/tests/syscall/resolver/enc/enc.c
index 77a2fb8170..6f9f2eb20a 100644
--- a/tests/syscall/resolver/enc/enc.c
+++ b/tests/syscall/resolver/enc/enc.c
@@ -1,4 +1,4 @@
-/* Copyright (c) Microsoft Corporation. All rights reserved. */
+/* Copyright (c) Open Enclave SDK contributors. */
 /* Licensed under the MIT License. */
 
 #include <openenclave/enclave.h>
diff --git a/tests/syscall/resolver/host/CMakeLists.txt b/tests/syscall/resolver/host/CMakeLists.txt
index ac3214ead0..0f502b3c7b 100644
--- a/tests/syscall/resolver/host/CMakeLists.txt
+++ b/tests/syscall/resolver/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 include(oeedl_file)
diff --git a/tests/syscall/resolver/host/host.c b/tests/syscall/resolver/host/host.c
index d1cb117e0b..3127ad6b97 100644
--- a/tests/syscall/resolver/host/host.c
+++ b/tests/syscall/resolver/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #define OE_LIBC_SUPPRESS_DEPRECATIONS
diff --git a/tests/syscall/resolver/resolver_test.edl b/tests/syscall/resolver/resolver_test.edl
index 6110698c66..647a85346a 100644
--- a/tests/syscall/resolver/resolver_test.edl
+++ b/tests/syscall/resolver/resolver_test.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/syscall/resolver/utils.h b/tests/syscall/resolver/utils.h
index 7b7897c742..c535a1e7b4 100644
--- a/tests/syscall/resolver/utils.h
+++ b/tests/syscall/resolver/utils.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _TEST_RESOLVER_UTILS_H
diff --git a/tests/syscall/sendmsg/CMakeLists.txt b/tests/syscall/sendmsg/CMakeLists.txt
index cbb262c2b0..4ce3eeb020 100644
--- a/tests/syscall/sendmsg/CMakeLists.txt
+++ b/tests/syscall/sendmsg/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/syscall/sendmsg/client.c b/tests/syscall/sendmsg/client.c
index 9c303813ce..07a24fbdaa 100644
--- a/tests/syscall/sendmsg/client.c
+++ b/tests/syscall/sendmsg/client.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "client.h"
diff --git a/tests/syscall/sendmsg/client.h b/tests/syscall/sendmsg/client.h
index f30a7bc12a..0606577411 100644
--- a/tests/syscall/sendmsg/client.h
+++ b/tests/syscall/sendmsg/client.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_TESTS_LIBCSOCKETS_CLIENT_H
diff --git a/tests/syscall/sendmsg/enc/CMakeLists.txt b/tests/syscall/sendmsg/enc/CMakeLists.txt
index 231d3a8699..45f827820f 100644
--- a/tests/syscall/sendmsg/enc/CMakeLists.txt
+++ b/tests/syscall/sendmsg/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../sendmsg.edl enclave gen)
diff --git a/tests/syscall/sendmsg/enc/enc.c b/tests/syscall/sendmsg/enc/enc.c
index f294289c5e..cad5937b3c 100644
--- a/tests/syscall/sendmsg/enc/enc.c
+++ b/tests/syscall/sendmsg/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/syscall/sendmsg/host/CMakeLists.txt b/tests/syscall/sendmsg/host/CMakeLists.txt
index 0db12d2586..1efa4131a6 100644
--- a/tests/syscall/sendmsg/host/CMakeLists.txt
+++ b/tests/syscall/sendmsg/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/syscall/sendmsg/host/host.c b/tests/syscall/sendmsg/host/host.c
index 7abc1cbbc0..67c42440de 100644
--- a/tests/syscall/sendmsg/host/host.c
+++ b/tests/syscall/sendmsg/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/syscall/sendmsg/main.c b/tests/syscall/sendmsg/main.c
index 50006f96dc..97b9cc5fd6 100644
--- a/tests/syscall/sendmsg/main.c
+++ b/tests/syscall/sendmsg/main.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <assert.h>
diff --git a/tests/syscall/sendmsg/sendmsg.edl b/tests/syscall/sendmsg/sendmsg.edl
index b8e604ab4d..929c793737 100644
--- a/tests/syscall/sendmsg/sendmsg.edl
+++ b/tests/syscall/sendmsg/sendmsg.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/syscall/sendmsg/server.c b/tests/syscall/sendmsg/server.c
index 8c75956712..1ca057f09a 100644
--- a/tests/syscall/sendmsg/server.c
+++ b/tests/syscall/sendmsg/server.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "server.h"
diff --git a/tests/syscall/sendmsg/server.h b/tests/syscall/sendmsg/server.h
index c7c0fc9c10..5963f6e98c 100644
--- a/tests/syscall/sendmsg/server.h
+++ b/tests/syscall/sendmsg/server.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_TESTS_LIBCSOCKETS_SERVER_H
diff --git a/tests/syscall/socket/CMakeLists.txt b/tests/syscall/socket/CMakeLists.txt
index c32c0df579..046363dd52 100644
--- a/tests/syscall/socket/CMakeLists.txt
+++ b/tests/syscall/socket/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/syscall/socket/enc/CMakeLists.txt b/tests/syscall/socket/enc/CMakeLists.txt
index 2a54936fd2..5ebcf3c295 100644
--- a/tests/syscall/socket/enc/CMakeLists.txt
+++ b/tests/syscall/socket/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../socket_test.edl 
diff --git a/tests/syscall/socket/enc/enc.c b/tests/syscall/socket/enc/enc.c
index 60a9c3ec0e..4a07589b2d 100644
--- a/tests/syscall/socket/enc/enc.c
+++ b/tests/syscall/socket/enc/enc.c
@@ -1,4 +1,4 @@
-/* Copyright (c) Microsoft Corporation. All rights reserved. */
+/* Copyright (c) Open Enclave SDK contributors. */
 /* Licensed under the MIT License. */
 
 #include <openenclave/enclave.h>
diff --git a/tests/syscall/socket/host/CMakeLists.txt b/tests/syscall/socket/host/CMakeLists.txt
index cc4bccc7b8..b89e5bbb57 100644
--- a/tests/syscall/socket/host/CMakeLists.txt
+++ b/tests/syscall/socket/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 include(oeedl_file)
diff --git a/tests/syscall/socket/host/host.c b/tests/syscall/socket/host/host.c
index 39061dc0a3..e2991b8e64 100644
--- a/tests/syscall/socket/host/host.c
+++ b/tests/syscall/socket/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // ATTN: #define OE_LIBC_SUPPRESS_DEPRECATIONS
diff --git a/tests/syscall/socket/socket_test.edl b/tests/syscall/socket/socket_test.edl
index f7ecf55c23..3d8f364687 100644
--- a/tests/syscall/socket/socket_test.edl
+++ b/tests/syscall/socket/socket_test.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/syscall/socketpair/CMakeLists.txt b/tests/syscall/socketpair/CMakeLists.txt
index b6d4fc01cf..2531b479dc 100644
--- a/tests/syscall/socketpair/CMakeLists.txt
+++ b/tests/syscall/socketpair/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/syscall/socketpair/enc/CMakeLists.txt b/tests/syscall/socketpair/enc/CMakeLists.txt
index 769bca67cd..483f9a513b 100644
--- a/tests/syscall/socketpair/enc/CMakeLists.txt
+++ b/tests/syscall/socketpair/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../socketpair_test.edl 
diff --git a/tests/syscall/socketpair/enc/enc.c b/tests/syscall/socketpair/enc/enc.c
index 944ff8d714..4ecf42023e 100644
--- a/tests/syscall/socketpair/enc/enc.c
+++ b/tests/syscall/socketpair/enc/enc.c
@@ -1,4 +1,4 @@
-/* Copyright (c) Microsoft Corporation. All rights reserved. */
+/* Copyright (c) Open Enclave SDK contributors. */
 /* Licensed under the MIT License. */
 
 #include <openenclave/enclave.h>
diff --git a/tests/syscall/socketpair/host/CMakeLists.txt b/tests/syscall/socketpair/host/CMakeLists.txt
index 3e62292ec4..ec924ea6c4 100644
--- a/tests/syscall/socketpair/host/CMakeLists.txt
+++ b/tests/syscall/socketpair/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 include(oeedl_file)
diff --git a/tests/syscall/socketpair/host/host.c b/tests/syscall/socketpair/host/host.c
index 3172f819c2..40553eedcf 100644
--- a/tests/syscall/socketpair/host/host.c
+++ b/tests/syscall/socketpair/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #if !defined(_MSC_VER)
diff --git a/tests/syscall/socketpair/socketpair_test.edl b/tests/syscall/socketpair/socketpair_test.edl
index 2a044591b5..503ee2781c 100644
--- a/tests/syscall/socketpair/socketpair_test.edl
+++ b/tests/syscall/socketpair/socketpair_test.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/thread/CMakeLists.txt b/tests/thread/CMakeLists.txt
index 8632ba8548..b8d327b10e 100644
--- a/tests/thread/CMakeLists.txt
+++ b/tests/thread/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/thread/enc/CMakeLists.txt b/tests/thread/enc/CMakeLists.txt
index 3a554522c5..700e4f2c4d 100644
--- a/tests/thread/enc/CMakeLists.txt
+++ b/tests/thread/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/thread/enc/cond_tests.cpp b/tests/thread/enc/cond_tests.cpp
index 9aa9aa901a..b4c36808b9 100644
--- a/tests/thread/enc/cond_tests.cpp
+++ b/tests/thread/enc/cond_tests.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifdef _PTHREAD_ENC_
diff --git a/tests/thread/enc/enc.cpp b/tests/thread/enc/enc.cpp
index 5c789bb8d8..494a24963f 100644
--- a/tests/thread/enc/enc.cpp
+++ b/tests/thread/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifdef _PTHREAD_ENC_
diff --git a/tests/thread/enc/rwlock_tests.cpp b/tests/thread/enc/rwlock_tests.cpp
index 6563f53f98..204b6d05f2 100644
--- a/tests/thread/enc/rwlock_tests.cpp
+++ b/tests/thread/enc/rwlock_tests.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifdef _PTHREAD_ENC_
diff --git a/tests/thread/enc/thread.h b/tests/thread/enc/thread.h
index d428aae3fb..65afa10d6f 100644
--- a/tests/thread/enc/thread.h
+++ b/tests/thread/enc/thread.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // Intentionally using the same guard as the internal thread.h as we
diff --git a/tests/thread/host/CMakeLists.txt b/tests/thread/host/CMakeLists.txt
index ae11b86ea5..659e6cbeca 100644
--- a/tests/thread/host/CMakeLists.txt
+++ b/tests/thread/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../thread.edl host gen)
diff --git a/tests/thread/host/host.cpp b/tests/thread/host/host.cpp
index f9774582a0..8a15d7c24f 100644
--- a/tests/thread/host/host.cpp
+++ b/tests/thread/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/thread/host/rwlocks_test_host.cpp b/tests/thread/host/rwlocks_test_host.cpp
index a8a897792b..e3eb1b153b 100644
--- a/tests/thread/host/rwlocks_test_host.cpp
+++ b/tests/thread/host/rwlocks_test_host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/thread/rwlock_tests.h b/tests/thread/rwlock_tests.h
index 2edf378a3a..4be6cee1f2 100644
--- a/tests/thread/rwlock_tests.h
+++ b/tests/thread/rwlock_tests.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _rwlock_tests_h
diff --git a/tests/thread/thread.edl b/tests/thread/thread.edl
index bde8862425..2be205f78e 100644
--- a/tests/thread/thread.edl
+++ b/tests/thread/thread.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/thread_local/CMakeLists.txt b/tests/thread_local/CMakeLists.txt
index 8761d6ec2d..04f145cfdb 100644
--- a/tests/thread_local/CMakeLists.txt
+++ b/tests/thread_local/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/thread_local/enc/CMakeLists.txt b/tests/thread_local/enc/CMakeLists.txt
index 962daab116..6ec3bb109f 100644
--- a/tests/thread_local/enc/CMakeLists.txt
+++ b/tests/thread_local/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/thread_local/enc/enc.cpp b/tests/thread_local/enc/enc.cpp
index ec38602cf0..97f645b5fc 100644
--- a/tests/thread_local/enc/enc.cpp
+++ b/tests/thread_local/enc/enc.cpp
@@ -1,6 +1,6 @@
 
 
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/thread_local/enc/externs.cpp b/tests/thread_local/enc/externs.cpp
index 0e5f08ef45..ba1bb88740 100644
--- a/tests/thread_local/enc/externs.cpp
+++ b/tests/thread_local/enc/externs.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <random>
diff --git a/tests/thread_local/enc/visibility.h b/tests/thread_local/enc/visibility.h
index 1a8cc9915e..3501020c24 100644
--- a/tests/thread_local/enc/visibility.h
+++ b/tests/thread_local/enc/visibility.h
@@ -1,5 +1,5 @@
 
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _VISIBILITY_SPEC_H
diff --git a/tests/thread_local/host/CMakeLists.txt b/tests/thread_local/host/CMakeLists.txt
index f32dd32824..54d398de1c 100644
--- a/tests/thread_local/host/CMakeLists.txt
+++ b/tests/thread_local/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/thread_local/host/host.cpp b/tests/thread_local/host/host.cpp
index b4a8f7f7b8..c4bff4bec6 100644
--- a/tests/thread_local/host/host.cpp
+++ b/tests/thread_local/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/thread_local/thread_local.edl b/tests/thread_local/thread_local.edl
index c3b3aa17e5..b020dfcc3e 100644
--- a/tests/thread_local/thread_local.edl
+++ b/tests/thread_local/thread_local.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/thread_local_no_tdata/CMakeLists.txt b/tests/thread_local_no_tdata/CMakeLists.txt
index 2259847018..ee970b321a 100644
--- a/tests/thread_local_no_tdata/CMakeLists.txt
+++ b/tests/thread_local_no_tdata/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/thread_local_no_tdata/enc/CMakeLists.txt b/tests/thread_local_no_tdata/enc/CMakeLists.txt
index 0d39d67508..d24113006c 100644
--- a/tests/thread_local_no_tdata/enc/CMakeLists.txt
+++ b/tests/thread_local_no_tdata/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/thread_local_no_tdata/enc/enc.cpp b/tests/thread_local_no_tdata/enc/enc.cpp
index 643bfadd93..6a6af39992 100644
--- a/tests/thread_local_no_tdata/enc/enc.cpp
+++ b/tests/thread_local_no_tdata/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/thread_local_no_tdata/host/#host.cpp# b/tests/thread_local_no_tdata/host/#host.cpp#
index f179b99099..060e621a6b 100644
--- a/tests/thread_local_no_tdata/host/#host.cpp#
+++ b/tests/thread_local_no_tdata/host/#host.cpp#
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/thread_local_no_tdata/host/CMakeLists.txt b/tests/thread_local_no_tdata/host/CMakeLists.txt
index a14807dcce..89137a3b9f 100644
--- a/tests/thread_local_no_tdata/host/CMakeLists.txt
+++ b/tests/thread_local_no_tdata/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 
diff --git a/tests/thread_local_no_tdata/host/host.cpp b/tests/thread_local_no_tdata/host/host.cpp
index ae9fe24a0c..3c283c4674 100644
--- a/tests/thread_local_no_tdata/host/host.cpp
+++ b/tests/thread_local_no_tdata/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/thread_local_no_tdata/no_tdata.edl b/tests/thread_local_no_tdata/no_tdata.edl
index 0b7e553271..2b794f40eb 100644
--- a/tests/thread_local_no_tdata/no_tdata.edl
+++ b/tests/thread_local_no_tdata/no_tdata.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/thread_locals/CMakeLists.txt b/tests/thread_locals/CMakeLists.txt
index 1876b6898f..5cc4ee737d 100644
--- a/tests/thread_locals/CMakeLists.txt
+++ b/tests/thread_locals/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(core)
diff --git a/tests/threadcxx/CMakeLists.txt b/tests/threadcxx/CMakeLists.txt
index 774f5eff87..01de514d96 100644
--- a/tests/threadcxx/CMakeLists.txt
+++ b/tests/threadcxx/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/threadcxx/enc/CMakeLists.txt b/tests/threadcxx/enc/CMakeLists.txt
index 23089fb5ca..a2ba07b235 100644
--- a/tests/threadcxx/enc/CMakeLists.txt
+++ b/tests/threadcxx/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../threadcxx.edl enclave gen)
diff --git a/tests/threadcxx/enc/cond_tests.cpp b/tests/threadcxx/enc/cond_tests.cpp
index 94d92dc04d..32f057863d 100644
--- a/tests/threadcxx/enc/cond_tests.cpp
+++ b/tests/threadcxx/enc/cond_tests.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/enclave.h>
diff --git a/tests/threadcxx/enc/enc.cpp b/tests/threadcxx/enc/enc.cpp
index a3876ca43a..02ad0ec693 100644
--- a/tests/threadcxx/enc/enc.cpp
+++ b/tests/threadcxx/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/tests/threadcxx/host/CMakeLists.txt b/tests/threadcxx/host/CMakeLists.txt
index 706eca8675..a54e2c7172 100644
--- a/tests/threadcxx/host/CMakeLists.txt
+++ b/tests/threadcxx/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 oeedl_file(../threadcxx.edl host gen)
diff --git a/tests/threadcxx/host/host.cpp b/tests/threadcxx/host/host.cpp
index 5c0463ad34..0863c18baf 100644
--- a/tests/threadcxx/host/host.cpp
+++ b/tests/threadcxx/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/threadcxx/threadcxx.edl b/tests/threadcxx/threadcxx.edl
index a1a8b8aa7f..a4ce4e3942 100644
--- a/tests/threadcxx/threadcxx.edl
+++ b/tests/threadcxx/threadcxx.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/tls_e2e/CMakeLists.txt b/tests/tls_e2e/CMakeLists.txt
index 71d2f7a12d..984a85851d 100644
--- a/tests/tls_e2e/CMakeLists.txt
+++ b/tests/tls_e2e/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 if (BUILD_ENCLAVES)
diff --git a/tests/tls_e2e/client_enc/CMakeLists.txt b/tests/tls_e2e/client_enc/CMakeLists.txt
index 5377307ccf..9d723c9fb7 100644
--- a/tests/tls_e2e/client_enc/CMakeLists.txt
+++ b/tests/tls_e2e/client_enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 include(oeedl_file)
diff --git a/tests/tls_e2e/client_enc/client.cpp b/tests/tls_e2e/client_enc/client.cpp
index 5cd120194c..4d899e43b4 100644
--- a/tests/tls_e2e/client_enc/client.cpp
+++ b/tests/tls_e2e/client_enc/client.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/tests/tls_e2e/common/utility.cpp b/tests/tls_e2e/common/utility.cpp
index aa989eabd1..147b07730a 100644
--- a/tests/tls_e2e/common/utility.cpp
+++ b/tests/tls_e2e/common/utility.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // clang-format off
diff --git a/tests/tls_e2e/common/utility.h b/tests/tls_e2e/common/utility.h
index 8a8b7dc683..c30d7bc623 100644
--- a/tests/tls_e2e/common/utility.h
+++ b/tests/tls_e2e/common/utility.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // clang-format off
diff --git a/tests/tls_e2e/host/CMakeLists.txt b/tests/tls_e2e/host/CMakeLists.txt
index 434874578b..e83db9a811 100644
--- a/tests/tls_e2e/host/CMakeLists.txt
+++ b/tests/tls_e2e/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 #include(oeedl_file)
diff --git a/tests/tls_e2e/host/host.cpp b/tests/tls_e2e/host/host.cpp
index dcd3eac8cc..08b3a3a568 100644
--- a/tests/tls_e2e/host/host.cpp
+++ b/tests/tls_e2e/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/tls_e2e/host/tls_enc2enc.edl b/tests/tls_e2e/host/tls_enc2enc.edl
index 26e4d9d813..64f9c68b95 100644
--- a/tests/tls_e2e/host/tls_enc2enc.edl
+++ b/tests/tls_e2e/host/tls_enc2enc.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/tls_e2e/server_enc/CMakeLists.txt b/tests/tls_e2e/server_enc/CMakeLists.txt
index 7a0e99bdc9..3be9f722d1 100644
--- a/tests/tls_e2e/server_enc/CMakeLists.txt
+++ b/tests/tls_e2e/server_enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 include(oeedl_file)
diff --git a/tests/tls_e2e/server_enc/server.cpp b/tests/tls_e2e/server_enc/server.cpp
index 240dd99b0c..9668a8d62e 100644
--- a/tests/tls_e2e/server_enc/server.cpp
+++ b/tests/tls_e2e/server_enc/server.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 // clang-format off
diff --git a/tests/tls_e2e/tls_e2e.edl b/tests/tls_e2e/tls_e2e.edl
index 0517695b8c..4c99bd6e4d 100644
--- a/tests/tls_e2e/tls_e2e.edl
+++ b/tests/tls_e2e/tls_e2e.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/tools/CMakeLists.txt b/tests/tools/CMakeLists.txt
index af3bd6422a..257f1018d3 100644
--- a/tests/tools/CMakeLists.txt
+++ b/tests/tools/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 if (OE_SGX)
diff --git a/tests/tools/oecert/CMakeLists.txt b/tests/tools/oecert/CMakeLists.txt
index aba00fe372..7da568ee38 100644
--- a/tests/tools/oecert/CMakeLists.txt
+++ b/tests/tools/oecert/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 if (BUILD_ENCLAVES)
diff --git a/tests/tools/oecert/enc/CMakeLists.txt b/tests/tools/oecert/enc/CMakeLists.txt
index 78936ab659..b78b5a483e 100644
--- a/tests/tools/oecert/enc/CMakeLists.txt
+++ b/tests/tools/oecert/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_custom_command(OUTPUT oecert_t.h oecert_t.c oecert_args.h
diff --git a/tests/tools/oecert/enc/enc.cpp b/tests/tools/oecert/enc/enc.cpp
index 0edae0c31e..208811a1f8 100644
--- a/tests/tools/oecert/enc/enc.cpp
+++ b/tests/tools/oecert/enc/enc.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/edger8r/enclave.h>
diff --git a/tests/tools/oecert/host/CMakeLists.txt b/tests/tools/oecert/host/CMakeLists.txt
index 8b708231da..8b56e19549 100644
--- a/tests/tools/oecert/host/CMakeLists.txt
+++ b/tests/tools/oecert/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_custom_command(OUTPUT oecert_u.h oecert_u.c oecert_args.h
diff --git a/tests/tools/oecert/host/host.cpp b/tests/tools/oecert/host/host.cpp
index 31f2ff7f18..a53daef79f 100644
--- a/tests/tools/oecert/host/host.cpp
+++ b/tests/tools/oecert/host/host.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <limits.h>
diff --git a/tests/tools/oecert/oecert.edl b/tests/tools/oecert/oecert.edl
index 8c4e07f531..fe54a474be 100644
--- a/tests/tools/oecert/oecert.edl
+++ b/tests/tools/oecert/oecert.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt
index 18f757bcb5..b63c8a014b 100644
--- a/tools/CMakeLists.txt
+++ b/tools/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(oeedger8r)
diff --git a/tools/oeedger8r/CMakeLists.txt b/tools/oeedger8r/CMakeLists.txt
index 8eca7d3149..24e641b49c 100644
--- a/tools/oeedger8r/CMakeLists.txt
+++ b/tools/oeedger8r/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 # NOTE: The custom commands below first copy the input files to the
diff --git a/tools/oeedger8r/dune-project b/tools/oeedger8r/dune-project
index dbb3737c98..1c50ff9a28 100644
--- a/tools/oeedger8r/dune-project
+++ b/tools/oeedger8r/dune-project
@@ -1,6 +1,6 @@
 (lang dune 1.11)
 
-; Copyright (c) Microsoft Corporation. All rights reserved.
+; Copyright (c) Open Enclave SDK contributors.
 ; Licensed under the MIT License.
 
 (name oeedger8r)
diff --git a/tools/oeedger8r/src/Emitter.ml b/tools/oeedger8r/src/Emitter.ml
index f216af89e9..fee548a3dd 100644
--- a/tools/oeedger8r/src/Emitter.ml
+++ b/tools/oeedger8r/src/Emitter.ml
@@ -1,4 +1,4 @@
-(* Copyright (c) Microsoft Corporation. All rights reserved.
+(* Copyright (c) Open Enclave SDK contributors.
    Licensed under the MIT License. *)
 
 (** This module is Open Enclave's plugin for Intel's Edger8r, allowing
diff --git a/tools/oeedger8r/src/dune b/tools/oeedger8r/src/dune
index 4c3c0d9349..9825272bf5 100644
--- a/tools/oeedger8r/src/dune
+++ b/tools/oeedger8r/src/dune
@@ -1,4 +1,4 @@
-; Copyright (c) Microsoft Corporation. All rights reserved.
+; Copyright (c) Open Enclave SDK contributors.
 ; Licensed under the MIT License.
 
 (executable
diff --git a/tools/oesgx/CMakeLists.txt b/tools/oesgx/CMakeLists.txt
index 44876a349f..6b191d3cfe 100644
--- a/tools/oesgx/CMakeLists.txt
+++ b/tools/oesgx/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_executable(oesgx oesgx.c)
diff --git a/tools/oesgx/oesgx.c b/tools/oesgx/oesgx.c
index 645467d235..3303d13f4f 100644
--- a/tools/oesgx/oesgx.c
+++ b/tools/oesgx/oesgx.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/types.h>
diff --git a/tools/oesign/CMakeLists.txt b/tools/oesign/CMakeLists.txt
index 15a50c4a2b..8f42d7fee1 100644
--- a/tools/oesign/CMakeLists.txt
+++ b/tools/oesign/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 include(CheckSymbolExists)
diff --git a/tools/oesign/main.c b/tools/oesign/main.c
index d08f6c1a7b..108eb3fb23 100644
--- a/tools/oesign/main.c
+++ b/tools/oesign/main.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <getopt.h>
diff --git a/tools/oesign/oedump.c b/tools/oesign/oedump.c
index ba678bf926..da65a7a70c 100644
--- a/tools/oesign/oedump.c
+++ b/tools/oesign/oedump.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/bits/defs.h>

From 5f7f007d6e33119b41244a37b4fedb828956ab0c Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Fri, 8 Nov 2019 18:29:18 +0000
Subject: [PATCH 262/420] Update CHANGELOG.md with DCO and copyright changes

Signed-off-by: Simon Leet <simon.leet@microsoft.com>
---
 CHANGELOG.md | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2c5a1d70cc..e2a12215fe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,8 +10,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [Unreleased]
 ------------
 
-[v0.7.0-rc1] - 2019-10-08
--------------------------
+### Changed
+
+- Open Enclave SDK is now officially an incubation project as part of the Linux
+  Foundation's Confidential Computing Consortium (CCC).
+    - All contributions are now accepted under the terms of the [Developer Certificate
+      of Origin](https://developercertificate.org). For details, see
+      [Contributing to Open Enclave](docs/Contributing.md).
+    - The copyright for all sources is now attributed to Open Enclave SDK contributors.
+
+[v0.7.0] - 2019-10-26
+---------------------
 
 ### Added
 
@@ -236,8 +245,8 @@ as listed below.
 
 Initial private preview release, no longer supported.
 
-[Unreleased](https://github.com/openenclave/openenclave/compare/v0.7.x...HEAD)
-[v0.7.0-rc1](https://github.com/openenclave/openenclave/compare/v0.6.0...v0.7.x)
+[Unreleased](https://github.com/openenclave/openenclave/compare/v0.7.0...HEAD)
+[v0.7.0](https://github.com/openenclave/openenclave/compare/v0.6.0...v0.7.0)
 [v0.6.0](https://github.com/openenclave/openenclave/compare/v0.5.0...v0.6.0)
 [v0.5.0](https://github.com/openenclave/openenclave/compare/v0.4.1...v0.5.0)
 [v0.4.1](https://github.com/openenclave/openenclave/compare/v0.4.0...v0.4.1)

From 3ec32aee97e2898a97fdc93a3e0e5bf98d12d14f Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Thu, 7 Nov 2019 18:10:31 +0000
Subject: [PATCH 263/420] Add ocamlformat 0.12

The next latest version fixed the symlink issue in the package, which
allows this to be installed on Windows.

Note that the syntax ~0.12.0 does not work because the published package
is no longer using semver, they dropped the trailing .0 and published
with 0.12.

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/esy.lock/index.json           | 600 +++++++++++++++++-
 .../esy.lock/opam/astring.0.8.3/opam          |  38 ++
 .../esy.lock/opam/base-bytes.base/opam        |   9 +
 .../oeedger8r/esy.lock/opam/base.v0.12.2/opam |  39 ++
 .../esy.lock/opam/cmdliner.1.0.4/opam         |  36 ++
 .../opam/dune-configurator.1.0.0/opam         |   9 +
 .../oeedger8r/esy.lock/opam/fpath.0.7.2/opam  |  34 +
 .../opam/ocaml-migrate-parsetree.1.4.0/opam   |  37 ++
 .../esy.lock/opam/ocamlbuild.0.14.0/opam      |  36 ++
 .../esy.lock/opam/ocamlformat.0.12/opam       |  35 +
 tools/oeedger8r/esy.lock/opam/odoc.1.4.2/opam |  45 ++
 .../esy.lock/opam/ppx_derivers.1.2.1/opam     |  23 +
 tools/oeedger8r/esy.lock/opam/re.1.9.0/opam   |  42 ++
 tools/oeedger8r/esy.lock/opam/result.1.4/opam |  22 +
 tools/oeedger8r/esy.lock/opam/seq.0.2/opam    |  22 +
 .../esy.lock/opam/sexplib0.v0.12.0/opam       |  26 +
 .../esy.lock/opam/stdio.v0.12.0/opam          |  27 +
 .../oeedger8r/esy.lock/opam/topkg.1.0.1/opam  |  48 ++
 .../oeedger8r/esy.lock/opam/tyxml.4.3.0/opam  |  45 ++
 .../oeedger8r/esy.lock/opam/uchar.0.0.2/opam  |  36 ++
 .../oeedger8r/esy.lock/opam/uucp.12.0.0/opam  |  47 ++
 .../oeedger8r/esy.lock/opam/uuseg.12.0.0/opam |  50 ++
 tools/oeedger8r/esy.lock/opam/uutf.1.0.2/opam |  40 ++
 .../files/ocamlbuild-0.14.0.patch             | 463 ++++++++++++++
 .../package.json                              |  27 +
 tools/oeedger8r/package.json                  |   1 +
 26 files changed, 1835 insertions(+), 2 deletions(-)
 create mode 100644 tools/oeedger8r/esy.lock/opam/astring.0.8.3/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/base-bytes.base/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/base.v0.12.2/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/cmdliner.1.0.4/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/dune-configurator.1.0.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/fpath.0.7.2/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/ocaml-migrate-parsetree.1.4.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/ocamlbuild.0.14.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/ocamlformat.0.12/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/odoc.1.4.2/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/ppx_derivers.1.2.1/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/re.1.9.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/result.1.4/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/seq.0.2/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/sexplib0.v0.12.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/stdio.v0.12.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/topkg.1.0.1/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/tyxml.4.3.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/uchar.0.0.2/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/uucp.12.0.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/uuseg.12.0.0/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/uutf.1.0.2/opam
 create mode 100644 tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/files/ocamlbuild-0.14.0.patch
 create mode 100644 tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/package.json

diff --git a/tools/oeedger8r/esy.lock/index.json b/tools/oeedger8r/esy.lock/index.json
index 5d68bd3049..cc7de2e32b 100644
--- a/tools/oeedger8r/esy.lock/index.json
+++ b/tools/oeedger8r/esy.lock/index.json
@@ -1,5 +1,5 @@
 {
-  "checksum": "0a2a797cb1224fa13b432553c91f6ab5",
+  "checksum": "f8e36b6ee01815c9f58e9b6a6d5c1cd6",
   "root": "oeedger8r@link-dev:./package.json",
   "node": {
     "oeedger8r@link-dev:./package.json": {
@@ -15,7 +15,10 @@
       "dependencies": [
         "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
       ],
-      "devDependencies": [ "@opam/merlin@opam:3.3.2@7a364181" ]
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlformat@opam:0.12@c757d3c3",
+        "@opam/merlin@opam:3.3.2@7a364181"
+      ]
     },
     "ocaml@4.6.1000@d41d8cd9": {
       "id": "ocaml@4.6.1000@d41d8cd9",
@@ -59,6 +62,395 @@
         "@opam/dune@opam:1.11.4@21d66ccd", "@opam/biniou@opam:1.2.1@d7570399"
       ]
     },
+    "@opam/uutf@opam:1.0.2@4440868f": {
+      "id": "@opam/uutf@opam:1.0.2@4440868f",
+      "name": "@opam/uutf",
+      "version": "opam:1.0.2",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/a7/a7c542405a39630c689a82bd7ef2292c#md5:a7c542405a39630c689a82bd7ef2292c",
+          "archive:http://erratique.ch/software/uutf/releases/uutf-1.0.2.tbz#md5:a7c542405a39630c689a82bd7ef2292c"
+        ],
+        "opam": {
+          "name": "uutf",
+          "version": "1.0.2",
+          "path": "esy.lock/opam/uutf.1.0.2"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uchar@opam:0.0.2@c8218eea",
+        "@opam/topkg@opam:1.0.1@a42c631e",
+        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+        "@opam/cmdliner@opam:1.0.4@93208aac",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uchar@opam:0.0.2@c8218eea"
+      ]
+    },
+    "@opam/uuseg@opam:12.0.0@bf82c4c7": {
+      "id": "@opam/uuseg@opam:12.0.0@bf82c4c7",
+      "name": "@opam/uuseg",
+      "version": "opam:12.0.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/1d/1d4487ddf5154e3477e55021b978d58a#md5:1d4487ddf5154e3477e55021b978d58a",
+          "archive:https://erratique.ch/software/uuseg/releases/uuseg-12.0.0.tbz#md5:1d4487ddf5154e3477e55021b978d58a"
+        ],
+        "opam": {
+          "name": "uuseg",
+          "version": "12.0.0",
+          "path": "esy.lock/opam/uuseg.12.0.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "@opam/uucp@opam:12.0.0@b7d4c3df", "@opam/uchar@opam:0.0.2@c8218eea",
+        "@opam/topkg@opam:1.0.1@a42c631e",
+        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+        "@opam/cmdliner@opam:1.0.4@93208aac",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uucp@opam:12.0.0@b7d4c3df",
+        "@opam/uchar@opam:0.0.2@c8218eea"
+      ]
+    },
+    "@opam/uucp@opam:12.0.0@b7d4c3df": {
+      "id": "@opam/uucp@opam:12.0.0@b7d4c3df",
+      "name": "@opam/uucp",
+      "version": "opam:12.0.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/cf/cf210ed43375b7f882c0540874e2cb81#md5:cf210ed43375b7f882c0540874e2cb81",
+          "archive:https://erratique.ch/software/uucp/releases/uucp-12.0.0.tbz#md5:cf210ed43375b7f882c0540874e2cb81"
+        ],
+        "opam": {
+          "name": "uucp",
+          "version": "12.0.0",
+          "path": "esy.lock/opam/uucp.12.0.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "@opam/uchar@opam:0.0.2@c8218eea", "@opam/topkg@opam:1.0.1@a42c631e",
+        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+        "@opam/cmdliner@opam:1.0.4@93208aac",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uchar@opam:0.0.2@c8218eea"
+      ]
+    },
+    "@opam/uchar@opam:0.0.2@c8218eea": {
+      "id": "@opam/uchar@opam:0.0.2@c8218eea",
+      "name": "@opam/uchar",
+      "version": "opam:0.0.2",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/c9/c9ba2c738d264c420c642f7bb1cf4a36#md5:c9ba2c738d264c420c642f7bb1cf4a36",
+          "archive:https://github.com/ocaml/uchar/releases/download/v0.0.2/uchar-0.0.2.tbz#md5:c9ba2c738d264c420c642f7bb1cf4a36"
+        ],
+        "opam": {
+          "name": "uchar",
+          "version": "0.0.2",
+          "path": "esy.lock/opam/uchar.0.0.2"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [ "ocaml@4.6.1000@d41d8cd9" ]
+    },
+    "@opam/tyxml@opam:4.3.0@c1da25f1": {
+      "id": "@opam/tyxml@opam:4.3.0@c1da25f1",
+      "name": "@opam/tyxml",
+      "version": "opam:4.3.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/fd/fd834a567f813bf447cab5f4c3a723e2#md5:fd834a567f813bf447cab5f4c3a723e2",
+          "archive:https://github.com/ocsigen/tyxml/releases/download/4.3.0/tyxml-4.3.0.tbz#md5:fd834a567f813bf447cab5f4c3a723e2"
+        ],
+        "opam": {
+          "name": "tyxml",
+          "version": "4.3.0",
+          "path": "esy.lock/opam/tyxml.4.3.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "@opam/seq@opam:0.2@35c16df8", "@opam/re@opam:1.9.0@d4d5e13d",
+        "@opam/dune@opam:1.11.4@21d66ccd", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "@opam/seq@opam:0.2@35c16df8", "@opam/re@opam:1.9.0@d4d5e13d",
+        "@opam/dune@opam:1.11.4@21d66ccd"
+      ]
+    },
+    "@opam/topkg@opam:1.0.1@a42c631e": {
+      "id": "@opam/topkg@opam:1.0.1@a42c631e",
+      "name": "@opam/topkg",
+      "version": "opam:1.0.1",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/16/16b90e066d8972a5ef59655e7c28b3e9#md5:16b90e066d8972a5ef59655e7c28b3e9",
+          "archive:http://erratique.ch/software/topkg/releases/topkg-1.0.1.tbz#md5:16b90e066d8972a5ef59655e7c28b3e9"
+        ],
+        "opam": {
+          "name": "topkg",
+          "version": "1.0.1",
+          "path": "esy.lock/opam/topkg.1.0.1"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlbuild@opam:0.14.0@6ac75d03"
+      ]
+    },
+    "@opam/stdio@opam:v0.12.0@04b3b004": {
+      "id": "@opam/stdio@opam:v0.12.0@04b3b004",
+      "name": "@opam/stdio",
+      "version": "opam:v0.12.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/b2/b261ff2d5667fde960c95e50cff668da#md5:b261ff2d5667fde960c95e50cff668da",
+          "archive:https://ocaml.janestreet.com/ocaml-core/v0.12/files/stdio-v0.12.0.tar.gz#md5:b261ff2d5667fde960c95e50cff668da"
+        ],
+        "opam": {
+          "name": "stdio",
+          "version": "v0.12.0",
+          "path": "esy.lock/opam/stdio.v0.12.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
+        "@opam/base@opam:v0.12.2@d687150c",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
+        "@opam/base@opam:v0.12.2@d687150c"
+      ]
+    },
+    "@opam/sexplib0@opam:v0.12.0@e432406d": {
+      "id": "@opam/sexplib0@opam:v0.12.0@e432406d",
+      "name": "@opam/sexplib0",
+      "version": "opam:v0.12.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/24/2486a25d3a94da9a94acc018b5f09061#md5:2486a25d3a94da9a94acc018b5f09061",
+          "archive:https://ocaml.janestreet.com/ocaml-core/v0.12/files/sexplib0-v0.12.0.tar.gz#md5:2486a25d3a94da9a94acc018b5f09061"
+        ],
+        "opam": {
+          "name": "sexplib0",
+          "version": "v0.12.0",
+          "path": "esy.lock/opam/sexplib0.v0.12.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
+      ]
+    },
+    "@opam/seq@opam:0.2@35c16df8": {
+      "id": "@opam/seq@opam:0.2@35c16df8",
+      "name": "@opam/seq",
+      "version": "opam:0.2",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/1d/1d5a9d0aba27b22433f518cdc495d0fd#md5:1d5a9d0aba27b22433f518cdc495d0fd",
+          "archive:https://github.com/c-cube/seq/archive/0.2.tar.gz#md5:1d5a9d0aba27b22433f518cdc495d0fd"
+        ],
+        "opam": {
+          "name": "seq",
+          "version": "0.2",
+          "path": "esy.lock/opam/seq.0.2"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
+      ]
+    },
+    "@opam/result@opam:1.4@dc720aef": {
+      "id": "@opam/result@opam:1.4@dc720aef",
+      "name": "@opam/result",
+      "version": "opam:1.4",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/d3/d3162dbc501a2af65c8c71e0866541da#md5:d3162dbc501a2af65c8c71e0866541da",
+          "archive:https://github.com/janestreet/result/archive/1.4.tar.gz#md5:d3162dbc501a2af65c8c71e0866541da"
+        ],
+        "opam": {
+          "name": "result",
+          "version": "1.4",
+          "path": "esy.lock/opam/result.1.4"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
+      ]
+    },
+    "@opam/re@opam:1.9.0@d4d5e13d": {
+      "id": "@opam/re@opam:1.9.0@d4d5e13d",
+      "name": "@opam/re",
+      "version": "opam:1.9.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/bd/bddaed4f386a22cace7850c9c7dac296#md5:bddaed4f386a22cace7850c9c7dac296",
+          "archive:https://github.com/ocaml/ocaml-re/releases/download/1.9.0/re-1.9.0.tbz#md5:bddaed4f386a22cace7850c9c7dac296"
+        ],
+        "opam": {
+          "name": "re",
+          "version": "1.9.0",
+          "path": "esy.lock/opam/re.1.9.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/seq@opam:0.2@35c16df8",
+        "@opam/dune@opam:1.11.4@21d66ccd", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/seq@opam:0.2@35c16df8",
+        "@opam/dune@opam:1.11.4@21d66ccd"
+      ]
+    },
+    "@opam/ppx_derivers@opam:1.2.1@ecf0aa45": {
+      "id": "@opam/ppx_derivers@opam:1.2.1@ecf0aa45",
+      "name": "@opam/ppx_derivers",
+      "version": "opam:1.2.1",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/5d/5dc2bf130c1db3c731fe0fffc5648b41#md5:5dc2bf130c1db3c731fe0fffc5648b41",
+          "archive:https://github.com/ocaml-ppx/ppx_derivers/archive/1.2.1.tar.gz#md5:5dc2bf130c1db3c731fe0fffc5648b41"
+        ],
+        "opam": {
+          "name": "ppx_derivers",
+          "version": "1.2.1",
+          "path": "esy.lock/opam/ppx_derivers.1.2.1"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
+      ]
+    },
+    "@opam/odoc@opam:1.4.2@6f058006": {
+      "id": "@opam/odoc@opam:1.4.2@6f058006",
+      "name": "@opam/odoc",
+      "version": "opam:1.4.2",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/d7/d75ce63539040cd199d22203d46fc5f3#md5:d75ce63539040cd199d22203d46fc5f3",
+          "archive:https://github.com/ocaml/odoc/archive/1.4.2.tar.gz#md5:d75ce63539040cd199d22203d46fc5f3"
+        ],
+        "opam": {
+          "name": "odoc",
+          "version": "1.4.2",
+          "path": "esy.lock/opam/odoc.1.4.2"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/tyxml@opam:4.3.0@c1da25f1",
+        "@opam/result@opam:1.4@dc720aef", "@opam/fpath@opam:0.7.2@45477b93",
+        "@opam/dune@opam:1.11.4@21d66ccd", "@opam/cppo@opam:1.6.6@f4f83858",
+        "@opam/cmdliner@opam:1.0.4@93208aac",
+        "@opam/astring@opam:0.8.3@4e5e17d5",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
+      ]
+    },
+    "@opam/ocamlformat@opam:0.12@c757d3c3": {
+      "id": "@opam/ocamlformat@opam:0.12@c757d3c3",
+      "name": "@opam/ocamlformat",
+      "version": "opam:0.12",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/sha256/f2/f2b64ff7f5cb9b4e19c6fc4e3f0fbd1747ef09d24848238540e2c27652e928fe#sha256:f2b64ff7f5cb9b4e19c6fc4e3f0fbd1747ef09d24848238540e2c27652e928fe",
+          "archive:https://github.com/ocaml-ppx/ocamlformat/releases/download/0.12/ocamlformat-0.12.tbz#sha256:f2b64ff7f5cb9b4e19c6fc4e3f0fbd1747ef09d24848238540e2c27652e928fe"
+        ],
+        "opam": {
+          "name": "ocamlformat",
+          "version": "0.12",
+          "path": "esy.lock/opam/ocamlformat.0.12"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "@opam/uuseg@opam:12.0.0@bf82c4c7",
+        "@opam/stdio@opam:v0.12.0@04b3b004", "@opam/re@opam:1.9.0@d4d5e13d",
+        "@opam/odoc@opam:1.4.2@6f058006",
+        "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
+        "@opam/fpath@opam:0.7.2@45477b93", "@opam/dune@opam:1.11.4@21d66ccd",
+        "@opam/cmdliner@opam:1.0.4@93208aac",
+        "@opam/base-unix@opam:base@87d0b2eb",
+        "@opam/base@opam:v0.12.2@d687150c",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "@opam/uuseg@opam:12.0.0@bf82c4c7",
+        "@opam/stdio@opam:v0.12.0@04b3b004", "@opam/re@opam:1.9.0@d4d5e13d",
+        "@opam/odoc@opam:1.4.2@6f058006",
+        "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
+        "@opam/fpath@opam:0.7.2@45477b93", "@opam/dune@opam:1.11.4@21d66ccd",
+        "@opam/cmdliner@opam:1.0.4@93208aac",
+        "@opam/base-unix@opam:base@87d0b2eb",
+        "@opam/base@opam:v0.12.2@d687150c"
+      ]
+    },
     "@opam/ocamlfind@opam:1.8.1@ff07b0f9": {
       "id": "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
       "name": "@opam/ocamlfind",
@@ -88,6 +480,61 @@
       ],
       "devDependencies": [ "ocaml@4.6.1000@d41d8cd9" ]
     },
+    "@opam/ocamlbuild@opam:0.14.0@6ac75d03": {
+      "id": "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+      "name": "@opam/ocamlbuild",
+      "version": "opam:0.14.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/sha256/87/87b29ce96958096c0a1a8eeafeb6268077b2d11e1bf2b3de0f5ebc9cf8d42e78#sha256:87b29ce96958096c0a1a8eeafeb6268077b2d11e1bf2b3de0f5ebc9cf8d42e78",
+          "archive:https://github.com/ocaml/ocamlbuild/archive/0.14.0.tar.gz#sha256:87b29ce96958096c0a1a8eeafeb6268077b2d11e1bf2b3de0f5ebc9cf8d42e78"
+        ],
+        "opam": {
+          "name": "ocamlbuild",
+          "version": "0.14.0",
+          "path": "esy.lock/opam/ocamlbuild.0.14.0"
+        }
+      },
+      "overrides": [
+        {
+          "opamoverride":
+            "esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override"
+        }
+      ],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [ "ocaml@4.6.1000@d41d8cd9" ]
+    },
+    "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d": {
+      "id": "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
+      "name": "@opam/ocaml-migrate-parsetree",
+      "version": "opam:1.4.0",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/sha256/23/231fbdc205187b3ee266b535d9cfe44b599067b2f6e97883c782ea7bb577d3b8#sha256:231fbdc205187b3ee266b535d9cfe44b599067b2f6e97883c782ea7bb577d3b8",
+          "archive:https://github.com/ocaml-ppx/ocaml-migrate-parsetree/releases/download/v1.4.0/ocaml-migrate-parsetree-v1.4.0.tbz#sha256:231fbdc205187b3ee266b535d9cfe44b599067b2f6e97883c782ea7bb577d3b8"
+        ],
+        "opam": {
+          "name": "ocaml-migrate-parsetree",
+          "version": "1.4.0",
+          "path": "esy.lock/opam/ocaml-migrate-parsetree.1.4.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/result@opam:1.4@dc720aef",
+        "@opam/ppx_derivers@opam:1.2.1@ecf0aa45",
+        "@opam/dune@opam:1.11.4@21d66ccd", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/result@opam:1.4@dc720aef",
+        "@opam/ppx_derivers@opam:1.2.1@ecf0aa45",
+        "@opam/dune@opam:1.11.4@21d66ccd"
+      ]
+    },
     "@opam/merlin@opam:3.3.2@7a364181": {
       "id": "@opam/merlin@opam:3.3.2@7a364181",
       "name": "@opam/merlin",
@@ -116,6 +563,36 @@
         "@opam/dune@opam:1.11.4@21d66ccd"
       ]
     },
+    "@opam/fpath@opam:0.7.2@45477b93": {
+      "id": "@opam/fpath@opam:0.7.2@45477b93",
+      "name": "@opam/fpath",
+      "version": "opam:0.7.2",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/52/52c7ecb0bf180088336f3c645875fa41#md5:52c7ecb0bf180088336f3c645875fa41",
+          "archive:http://erratique.ch/software/fpath/releases/fpath-0.7.2.tbz#md5:52c7ecb0bf180088336f3c645875fa41"
+        ],
+        "opam": {
+          "name": "fpath",
+          "version": "0.7.2",
+          "path": "esy.lock/opam/fpath.0.7.2"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/topkg@opam:1.0.1@a42c631e",
+        "@opam/result@opam:1.4@dc720aef",
+        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+        "@opam/astring@opam:0.8.3@4e5e17d5",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/result@opam:1.4@dc720aef",
+        "@opam/astring@opam:0.8.3@4e5e17d5"
+      ]
+    },
     "@opam/easy-format@opam:1.3.2@0484b3c4": {
       "id": "@opam/easy-format@opam:1.3.2@0484b3c4",
       "name": "@opam/easy-format",
@@ -141,6 +618,25 @@
         "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
       ]
     },
+    "@opam/dune-configurator@opam:1.0.0@4873acd8": {
+      "id": "@opam/dune-configurator@opam:1.0.0@4873acd8",
+      "name": "@opam/dune-configurator",
+      "version": "opam:1.0.0",
+      "source": {
+        "type": "install",
+        "source": [ "no-source:" ],
+        "opam": {
+          "name": "dune-configurator",
+          "version": "1.0.0",
+          "path": "esy.lock/opam/dune-configurator.1.0.0"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "@opam/dune@opam:1.11.4@21d66ccd", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [ "@opam/dune@opam:1.11.4@21d66ccd" ]
+    },
     "@opam/dune@opam:1.11.4@21d66ccd": {
       "id": "@opam/dune@opam:1.11.4@21d66ccd",
       "name": "@opam/dune",
@@ -217,6 +713,28 @@
       "dependencies": [ "@esy-ocaml/substs@0.0.1@d41d8cd9" ],
       "devDependencies": []
     },
+    "@opam/cmdliner@opam:1.0.4@93208aac": {
+      "id": "@opam/cmdliner@opam:1.0.4@93208aac",
+      "name": "@opam/cmdliner",
+      "version": "opam:1.0.4",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/fe/fe2213d0bc63b1e10a2d0aa66d2fc8d9#md5:fe2213d0bc63b1e10a2d0aa66d2fc8d9",
+          "archive:http://erratique.ch/software/cmdliner/releases/cmdliner-1.0.4.tbz#md5:fe2213d0bc63b1e10a2d0aa66d2fc8d9"
+        ],
+        "opam": {
+          "name": "cmdliner",
+          "version": "1.0.4",
+          "path": "esy.lock/opam/cmdliner.1.0.4"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [ "ocaml@4.6.1000@d41d8cd9" ]
+    },
     "@opam/biniou@opam:1.2.1@d7570399": {
       "id": "@opam/biniou@opam:1.2.1@d7570399",
       "name": "@opam/biniou",
@@ -277,6 +795,84 @@
       "dependencies": [ "@esy-ocaml/substs@0.0.1@d41d8cd9" ],
       "devDependencies": []
     },
+    "@opam/base-bytes@opam:base@19d0c2ff": {
+      "id": "@opam/base-bytes@opam:base@19d0c2ff",
+      "name": "@opam/base-bytes",
+      "version": "opam:base",
+      "source": {
+        "type": "install",
+        "source": [ "no-source:" ],
+        "opam": {
+          "name": "base-bytes",
+          "version": "base",
+          "path": "esy.lock/opam/base-bytes.base"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlfind@opam:1.8.1@ff07b0f9"
+      ]
+    },
+    "@opam/base@opam:v0.12.2@d687150c": {
+      "id": "@opam/base@opam:v0.12.2@d687150c",
+      "name": "@opam/base",
+      "version": "opam:v0.12.2",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/71/7150e848a730369a2549d01645fb6c72#md5:7150e848a730369a2549d01645fb6c72",
+          "archive:https://github.com/janestreet/base/archive/v0.12.2.tar.gz#md5:7150e848a730369a2549d01645fb6c72"
+        ],
+        "opam": {
+          "name": "base",
+          "version": "v0.12.2",
+          "path": "esy.lock/opam/base.v0.12.2"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/sexplib0@opam:v0.12.0@e432406d",
+        "@opam/dune-configurator@opam:1.0.0@4873acd8",
+        "@opam/dune@opam:1.11.4@21d66ccd", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/sexplib0@opam:v0.12.0@e432406d",
+        "@opam/dune-configurator@opam:1.0.0@4873acd8",
+        "@opam/dune@opam:1.11.4@21d66ccd"
+      ]
+    },
+    "@opam/astring@opam:0.8.3@4e5e17d5": {
+      "id": "@opam/astring@opam:0.8.3@4e5e17d5",
+      "name": "@opam/astring",
+      "version": "opam:0.8.3",
+      "source": {
+        "type": "install",
+        "source": [
+          "archive:https://opam.ocaml.org/cache/md5/c5/c5bf6352b9ac27fbeab342740f4fa870#md5:c5bf6352b9ac27fbeab342740f4fa870",
+          "archive:http://erratique.ch/software/astring/releases/astring-0.8.3.tbz#md5:c5bf6352b9ac27fbeab342740f4fa870"
+        ],
+        "opam": {
+          "name": "astring",
+          "version": "0.8.3",
+          "path": "esy.lock/opam/astring.0.8.3"
+        }
+      },
+      "overrides": [],
+      "dependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/topkg@opam:1.0.1@a42c631e",
+        "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+        "@opam/base-bytes@opam:base@19d0c2ff",
+        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+      ],
+      "devDependencies": [
+        "ocaml@4.6.1000@d41d8cd9", "@opam/base-bytes@opam:base@19d0c2ff"
+      ]
+    },
     "@esy-ocaml/substs@0.0.1@d41d8cd9": {
       "id": "@esy-ocaml/substs@0.0.1@d41d8cd9",
       "name": "@esy-ocaml/substs",
diff --git a/tools/oeedger8r/esy.lock/opam/astring.0.8.3/opam b/tools/oeedger8r/esy.lock/opam/astring.0.8.3/opam
new file mode 100644
index 0000000000..578ba1fae2
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/astring.0.8.3/opam
@@ -0,0 +1,38 @@
+opam-version: "2.0"
+maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
+homepage: "http://erratique.ch/software/astring"
+doc: "http://erratique.ch/software/astring/doc"
+dev-repo: "git+http://erratique.ch/repos/astring.git"
+bug-reports: "https://github.com/dbuenzli/astring/issues"
+tags: [ "string" "org:erratique" ]
+license: "ISC"
+depends: [
+  "ocaml" {>= "4.01.0"}
+  "ocamlfind" {build}
+  "ocamlbuild" {build}
+  "topkg" {build}
+  "base-bytes"
+]
+build: [[
+  "ocaml" "pkg/pkg.ml" "build"
+          "--pinned" "%{pinned}%" ]]
+synopsis: "Alternative String module for OCaml"
+description: """
+Astring exposes an alternative `String` module for OCaml. This module
+tries to balance minimality and expressiveness for basic, index-free,
+string processing and provides types and functions for substrings,
+string sets and string maps.
+
+Remaining compatible with the OCaml `String` module is a non-goal. The
+`String` module exposed by Astring has exception safe functions,
+removes deprecated and rarely used functions, alters some signatures
+and names, adds a few missing functions and fully exploits OCaml's
+newfound string immutability.
+
+Astring depends only on the OCaml standard library. It is distributed
+under the ISC license."""
+url {
+  src: "http://erratique.ch/software/astring/releases/astring-0.8.3.tbz"
+  checksum: "md5=c5bf6352b9ac27fbeab342740f4fa870"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/base-bytes.base/opam b/tools/oeedger8r/esy.lock/opam/base-bytes.base/opam
new file mode 100644
index 0000000000..f1cae506c6
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/base-bytes.base/opam
@@ -0,0 +1,9 @@
+opam-version: "2.0"
+maintainer: " "
+authors: " "
+homepage: " "
+depends: [
+  "ocaml" {>= "4.02.0"}
+  "ocamlfind" {>= "1.5.3"}
+]
+synopsis: "Bytes library distributed with the OCaml compiler"
diff --git a/tools/oeedger8r/esy.lock/opam/base.v0.12.2/opam b/tools/oeedger8r/esy.lock/opam/base.v0.12.2/opam
new file mode 100644
index 0000000000..861024cf57
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/base.v0.12.2/opam
@@ -0,0 +1,39 @@
+opam-version: "2.0"
+maintainer: "opensource@janestreet.com"
+authors: ["Jane Street Group, LLC <opensource@janestreet.com>"]
+homepage: "https://github.com/janestreet/base"
+bug-reports: "https://github.com/janestreet/base/issues"
+dev-repo: "git+https://github.com/janestreet/base.git"
+doc: "https://ocaml.janestreet.com/ocaml-core/latest/doc/base/index.html"
+license: "MIT"
+build: [
+  ["dune" "build" "-p" name "-j" jobs]
+]
+depends: [
+  "ocaml"             {>= "4.04.2" & < "4.10.0"}
+  "sexplib0"          {>= "v0.12" & < "v0.13"}
+  "dune"              {>= "1.5.1"}
+  "dune-configurator"
+]
+depopts: [
+  "base-native-int63"
+]
+synopsis: "Full standard library replacement for OCaml"
+description: "
+Full standard library replacement for OCaml
+
+Base is a complete and portable alternative to the OCaml standard
+library. It provides all standard functionalities one would expect
+from a language standard library. It uses consistent conventions
+across all of its module.
+
+Base aims to be usable in any context. As a result system dependent
+features such as I/O are not offered by Base. They are instead
+provided by companion libraries such as stdio:
+
+  https://github.com/janestreet/stdio
+"
+url {
+  src: "https://github.com/janestreet/base/archive/v0.12.2.tar.gz"
+  checksum: "md5=7150e848a730369a2549d01645fb6c72"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/cmdliner.1.0.4/opam b/tools/oeedger8r/esy.lock/opam/cmdliner.1.0.4/opam
new file mode 100644
index 0000000000..b2187dc5b6
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/cmdliner.1.0.4/opam
@@ -0,0 +1,36 @@
+opam-version: "2.0"
+maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
+homepage: "http://erratique.ch/software/cmdliner"
+doc: "http://erratique.ch/software/cmdliner/doc/Cmdliner"
+dev-repo: "git+http://erratique.ch/repos/cmdliner.git"
+bug-reports: "https://github.com/dbuenzli/cmdliner/issues"
+tags: [ "cli" "system" "declarative" "org:erratique" ]
+license: "ISC"
+depends:[ "ocaml" {>= "4.03.0"} ]
+build: [[ make "all" "PREFIX=%{prefix}%" ]]
+install:
+[[make "install" "LIBDIR=%{_:lib}%" "DOCDIR=%{_:doc}%" ]
+ [make "install-doc" "LIBDIR=%{_:lib}%" "DOCDIR=%{_:doc}%"  ]]
+
+synopsis: """Declarative definition of command line interfaces for OCaml"""
+description: """\
+
+Cmdliner allows the declarative definition of command line interfaces
+for OCaml.
+
+It provides a simple and compositional mechanism to convert command
+line arguments to OCaml values and pass them to your functions. The
+module automatically handles syntax errors, help messages and UNIX man
+page generation. It supports programs with single or multiple commands
+and respects most of the [POSIX][1] and [GNU][2] conventions.
+
+Cmdliner has no dependencies and is distributed under the ISC license.
+
+[1]: http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap12.html
+[2]: http://www.gnu.org/software/libc/manual/html_node/Argument-Syntax.html
+"""
+url {
+archive: "http://erratique.ch/software/cmdliner/releases/cmdliner-1.0.4.tbz"
+checksum: "fe2213d0bc63b1e10a2d0aa66d2fc8d9"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/dune-configurator.1.0.0/opam b/tools/oeedger8r/esy.lock/opam/dune-configurator.1.0.0/opam
new file mode 100644
index 0000000000..6e2b712edc
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/dune-configurator.1.0.0/opam
@@ -0,0 +1,9 @@
+opam-version: "2.0"
+authors: ["Jérémie Dimino"]
+homepage: "https://github.com/ocaml/dune"
+bug-reports: "https://github.com/ocaml/dune/issues"
+maintainer: "Jérémie Dimino"
+description: """
+dune.configurator library distributed with Dune 1.x
+"""
+depends: ["dune" {<"2.0.0"}]
diff --git a/tools/oeedger8r/esy.lock/opam/fpath.0.7.2/opam b/tools/oeedger8r/esy.lock/opam/fpath.0.7.2/opam
new file mode 100644
index 0000000000..2613a6accb
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/fpath.0.7.2/opam
@@ -0,0 +1,34 @@
+opam-version: "2.0"
+maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
+homepage: "http://erratique.ch/software/fpath"
+doc: "http://erratique.ch/software/fpath/doc"
+dev-repo: "git+http://erratique.ch/repos/fpath.git"
+bug-reports: "https://github.com/dbuenzli/fpath/issues"
+tags: [ "file" "system" "path" "org:erratique" ]
+license: "ISC"
+depends: [
+  "ocaml" {>= "4.01.0"}
+  "ocamlfind" {build}
+  "ocamlbuild" {build}
+  "topkg" {build & >= "0.9.0"}
+  "result"
+  "astring"
+]
+build: [[
+  "ocaml" "pkg/pkg.ml" "build"
+          "--dev-pkg" "%{pinned}%" ]]
+synopsis: "File system paths for OCaml"
+description: """
+Fpath is an OCaml module for handling file system paths with POSIX or
+Windows conventions. Fpath processes paths without accessing the file
+system and is independent from any system library.
+
+Fpath depends on [Astring][astring] and is distributed under the ISC
+license.
+
+[astring]: http://erratique.ch/software/astring"""
+url {
+  src: "http://erratique.ch/software/fpath/releases/fpath-0.7.2.tbz"
+  checksum: "md5=52c7ecb0bf180088336f3c645875fa41"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/ocaml-migrate-parsetree.1.4.0/opam b/tools/oeedger8r/esy.lock/opam/ocaml-migrate-parsetree.1.4.0/opam
new file mode 100644
index 0000000000..66d40bacda
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/ocaml-migrate-parsetree.1.4.0/opam
@@ -0,0 +1,37 @@
+opam-version: "2.0"
+maintainer: "frederic.bour@lakaban.net"
+authors: [
+  "Frédéric Bour <frederic.bour@lakaban.net>"
+  "Jérémie Dimino <jeremie@dimino.org>"
+]
+license: "LGPL-2.1-only with OCaml-LGPL-linking-exception"
+homepage: "https://github.com/ocaml-ppx/ocaml-migrate-parsetree"
+bug-reports: "https://github.com/ocaml-ppx/ocaml-migrate-parsetree/issues"
+dev-repo: "git+https://github.com/ocaml-ppx/ocaml-migrate-parsetree.git"
+doc: "https://ocaml-ppx.github.io/ocaml-migrate-parsetree/"
+tags: [ "syntax" "org:ocamllabs" ]
+build: [
+  ["dune" "build" "-p" name "-j" jobs]
+]
+depends: [
+  "result"
+  "ppx_derivers"
+  "dune" {>= "1.9.0"}
+  "ocaml" {>= "4.02.3"}
+]
+synopsis: "Convert OCaml parsetrees between different versions"
+description: """
+Convert OCaml parsetrees between different versions
+
+This library converts parsetrees, outcometree and ast mappers between
+different OCaml versions.  High-level functions help making PPX
+rewriters independent of a compiler version.
+"""
+url {
+  src:
+    "https://github.com/ocaml-ppx/ocaml-migrate-parsetree/releases/download/v1.4.0/ocaml-migrate-parsetree-v1.4.0.tbz"
+  checksum: [
+    "sha256=231fbdc205187b3ee266b535d9cfe44b599067b2f6e97883c782ea7bb577d3b8"
+    "sha512=61ee91d2d146cc2d2ff2d5dc4ef5dea4dc4d3c8dbd8b4c9586d64b6ad7302327ab35547aa0a5b0103c3f07b66b13d416a1bee6d4d117293cd3cabe44113ec6d4"
+  ]
+}
diff --git a/tools/oeedger8r/esy.lock/opam/ocamlbuild.0.14.0/opam b/tools/oeedger8r/esy.lock/opam/ocamlbuild.0.14.0/opam
new file mode 100644
index 0000000000..8deabeedfb
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/ocamlbuild.0.14.0/opam
@@ -0,0 +1,36 @@
+opam-version: "2.0"
+maintainer: "Gabriel Scherer <gabriel.scherer@gmail.com>"
+authors: ["Nicolas Pouillard" "Berke Durak"]
+homepage: "https://github.com/ocaml/ocamlbuild/"
+bug-reports: "https://github.com/ocaml/ocamlbuild/issues"
+license: "LGPL-2.1-only with OCaml-LGPL-linking-exception"
+doc: "https://github.com/ocaml/ocamlbuild/blob/master/manual/manual.adoc"
+dev-repo: "git+https://github.com/ocaml/ocamlbuild.git"
+build: [
+  [
+    make
+    "-f"
+    "configure.make"
+    "all"
+    "OCAMLBUILD_PREFIX=%{prefix}%"
+    "OCAMLBUILD_BINDIR=%{bin}%"
+    "OCAMLBUILD_LIBDIR=%{lib}%"
+    "OCAMLBUILD_MANDIR=%{man}%"
+    "OCAML_NATIVE=%{ocaml:native}%"
+    "OCAML_NATIVE_TOOLS=%{ocaml:native}%"
+  ]
+  [make "check-if-preinstalled" "all" "opam-install"]
+]
+conflicts: [
+  "base-ocamlbuild"
+  "ocamlfind" {< "1.6.2"}
+]
+synopsis:
+  "OCamlbuild is a build system with builtin rules to easily build most OCaml projects."
+depends: [
+  "ocaml" {>= "4.03"}
+]
+url {
+  src: "https://github.com/ocaml/ocamlbuild/archive/0.14.0.tar.gz"
+  checksum: "sha256=87b29ce96958096c0a1a8eeafeb6268077b2d11e1bf2b3de0f5ebc9cf8d42e78"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/ocamlformat.0.12/opam b/tools/oeedger8r/esy.lock/opam/ocamlformat.0.12/opam
new file mode 100644
index 0000000000..e37b4a3e5c
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/ocamlformat.0.12/opam
@@ -0,0 +1,35 @@
+opam-version: "2.0"
+maintainer: "OCamlFormat Team <ocamlformat-team@fb.com>"
+authors: "Josh Berdine <jjb@fb.com>"
+homepage: "https://github.com/ocaml-ppx/ocamlformat"
+bug-reports: "https://github.com/ocaml-ppx/ocamlformat/issues"
+dev-repo: "git+https://github.com/ocaml-ppx/ocamlformat.git"
+url {
+  src:
+    "https://github.com/ocaml-ppx/ocamlformat/releases/download/0.12/ocamlformat-0.12.tbz"
+  checksum: [
+    "sha256=f2b64ff7f5cb9b4e19c6fc4e3f0fbd1747ef09d24848238540e2c27652e928fe"
+    "sha512=1785ec8e7fe5d7f9f4bdd056be612e8ee170dcf4886bea0dde6f58602fa1729579d352e3a15df3229d124dac467b91f32ef900ff30e19a53c42feb1904c8a352"
+  ]
+}
+license: "MIT"
+build: [
+  ["ocaml" "tools/gen_version.mlt" "src/Version.ml" version] {pinned}
+  ["dune" "build" "-p" name "-j" jobs]
+]
+depends: [
+  "ocaml" {>= "4.06"}
+  "base" {>= "v0.11.0"}
+  "base-unix"
+  "cmdliner"
+  "dune" {>= "1.11.1"}
+  "fpath"
+  "ocaml-migrate-parsetree" {>= "1.3.1"}
+  "odoc" {>= "1.4.2"}
+  "re"
+  "stdio"
+  "uuseg" {>= "10.0.0"}
+  "uutf" {>= "1.0.1"}
+]
+synopsis: "Auto-formatter for OCaml code"
+description: "OCamlFormat is a tool to automatically format OCaml code in a uniform style."
diff --git a/tools/oeedger8r/esy.lock/opam/odoc.1.4.2/opam b/tools/oeedger8r/esy.lock/opam/odoc.1.4.2/opam
new file mode 100644
index 0000000000..d34a983faf
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/odoc.1.4.2/opam
@@ -0,0 +1,45 @@
+opam-version: "2.0"
+
+version: "1.4.2"
+homepage: "http://github.com/ocaml/odoc"
+doc: "https://github.com/ocaml/odoc#readme"
+bug-reports: "https://github.com/ocaml/odoc/issues"
+license: "ISC"
+
+authors: [
+  "Thomas Refis <trefis@janestreet.com>"
+  "David Sheets <sheets@alum.mit.edu>"
+  "Leo White <leo@lpw25.net>"
+]
+maintainer: "Anton Bachin <antonbachin@yahoo.com>"
+dev-repo: "git+https://github.com/ocaml/odoc.git"
+
+synopsis: "OCaml documentation generator"
+
+depends: [
+  "astring" {build}
+  "cmdliner" {build & >= "1.0.0"}
+  "cppo" {build}
+  "dune"
+  "fpath" {build}
+  "ocaml" {>= "4.02.0"}
+  "result" {build}
+  "tyxml" {build & >= "4.3.0"}
+
+  "alcotest" {dev & >= "0.8.3"}
+  "markup" {dev & >= "0.8.0"}
+  "ocamlfind" {dev}
+  "sexplib" {dev & >= "113.33.00" & < "v0.13"}
+
+  "bisect_ppx" {with-test & >= "1.3.0"}
+]
+
+build: [
+  ["dune" "subst"] {pinned}
+  ["dune" "build" "-p" name "-j" jobs]
+]
+
+url {
+  src: "https://github.com/ocaml/odoc/archive/1.4.2.tar.gz"
+  checksum: "md5=d75ce63539040cd199d22203d46fc5f3"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/ppx_derivers.1.2.1/opam b/tools/oeedger8r/esy.lock/opam/ppx_derivers.1.2.1/opam
new file mode 100644
index 0000000000..3d10814e04
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/ppx_derivers.1.2.1/opam
@@ -0,0 +1,23 @@
+opam-version: "2.0"
+maintainer: "jeremie@dimino.org"
+authors: ["Jérémie Dimino"]
+license: "BSD-3-Clause"
+homepage: "https://github.com/ocaml-ppx/ppx_derivers"
+bug-reports: "https://github.com/ocaml-ppx/ppx_derivers/issues"
+dev-repo: "git://github.com/ocaml-ppx/ppx_derivers.git"
+build: [
+  ["dune" "build" "-p" name "-j" jobs]
+]
+depends: [
+  "ocaml"
+  "dune"
+]
+synopsis: "Shared [@@deriving] plugin registry"
+description: """
+Ppx_derivers is a tiny package whose sole purpose is to allow
+ppx_deriving and ppx_type_conv to inter-operate gracefully when linked
+as part of the same ocaml-migrate-parsetree driver."""
+url {
+  src: "https://github.com/ocaml-ppx/ppx_derivers/archive/1.2.1.tar.gz"
+  checksum: "md5=5dc2bf130c1db3c731fe0fffc5648b41"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/re.1.9.0/opam b/tools/oeedger8r/esy.lock/opam/re.1.9.0/opam
new file mode 100644
index 0000000000..f7987544d1
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/re.1.9.0/opam
@@ -0,0 +1,42 @@
+opam-version: "2.0"
+
+maintainer: "rudi.grinberg@gmail.com"
+authors: [
+  "Jerome Vouillon"
+  "Thomas Gazagnaire"
+  "Anil Madhavapeddy"
+  "Rudi Grinberg"
+  "Gabriel Radanne"
+]
+license: "LGPL-2.0-only with OCaml-LGPL-linking-exception"
+homepage: "https://github.com/ocaml/ocaml-re"
+bug-reports: "https://github.com/ocaml/ocaml-re/issues"
+dev-repo: "git+https://github.com/ocaml/ocaml-re.git"
+
+build: [
+  ["dune" "subst"] {pinned}
+  ["dune" "build" "-p" name "-j" jobs]
+  ["dune" "runtest" "-p" name "-j" jobs] {with-test}
+]
+
+depends: [
+  "ocaml" {>= "4.02"}
+  "dune"
+  "ounit" {with-test}
+  "seq"
+]
+
+synopsis: "RE is a regular expression library for OCaml"
+description: """
+Pure OCaml regular expressions with:
+* Perl-style regular expressions (module Re.Perl)
+* Posix extended regular expressions (module Re.Posix)
+* Emacs-style regular expressions (module Re.Emacs)
+* Shell-style file globbing (module Re.Glob)
+* Compatibility layer for OCaml's built-in Str module (module Re.Str)
+"""
+url {
+  src:
+    "https://github.com/ocaml/ocaml-re/releases/download/1.9.0/re-1.9.0.tbz"
+  checksum: "md5=bddaed4f386a22cace7850c9c7dac296"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/result.1.4/opam b/tools/oeedger8r/esy.lock/opam/result.1.4/opam
new file mode 100644
index 0000000000..b44aeead8b
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/result.1.4/opam
@@ -0,0 +1,22 @@
+opam-version: "2.0"
+maintainer: "opensource@janestreet.com"
+authors: ["Jane Street Group, LLC <opensource@janestreet.com>"]
+homepage: "https://github.com/janestreet/result"
+dev-repo: "git+https://github.com/janestreet/result.git"
+bug-reports: "https://github.com/janestreet/result/issues"
+license: "BSD-3-Clause"
+build: [["dune" "build" "-p" name "-j" jobs]]
+depends: [
+  "ocaml"
+  "dune" {>= "1.0"}
+]
+synopsis: "Compatibility Result module"
+description: """
+Projects that want to use the new result type defined in OCaml >= 4.03
+while staying compatible with older version of OCaml should use the
+Result module defined in this library."""
+url {
+  src:
+    "https://github.com/janestreet/result/archive/1.4.tar.gz"
+  checksum: "md5=d3162dbc501a2af65c8c71e0866541da"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/seq.0.2/opam b/tools/oeedger8r/esy.lock/opam/seq.0.2/opam
new file mode 100644
index 0000000000..55c46960c6
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/seq.0.2/opam
@@ -0,0 +1,22 @@
+opam-version: "2.0"
+synopsis:
+  "Compatibility package for OCaml's standard iterator type starting from 4.07"
+maintainer: "simon.cruanes.2007@m4x.org"
+authors: "Simon Cruanes"
+license: "LGPL2.1"
+tags: ["iterator" "seq" "pure" "list" "compatibility" "cascade"]
+homepage: "https://github.com/c-cube/seq/"
+bug-reports: "https://github.com/c-cube/seq/issues"
+depends: [
+  "dune" {>= "1.1.0"}
+  "ocaml" {< "4.07.0"}
+]
+build: ["dune" "build" "-p" name "-j" jobs]
+dev-repo: "git+https://github.com/c-cube/seq.git"
+url {
+  src: "https://github.com/c-cube/seq/archive/0.2.tar.gz"
+  checksum: [
+    "md5=1d5a9d0aba27b22433f518cdc495d0fd"
+    "sha512=b2571225a18e624b79dad5e1aab91b22e2fda17702f2e23c438b75d2a71e24c55ee8672005f5cc4b17ae79e3b277b1918b71b5d0d674b8b12ea19b3fb2d747cb"
+  ]
+}
\ No newline at end of file
diff --git a/tools/oeedger8r/esy.lock/opam/sexplib0.v0.12.0/opam b/tools/oeedger8r/esy.lock/opam/sexplib0.v0.12.0/opam
new file mode 100644
index 0000000000..9b45864bd4
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/sexplib0.v0.12.0/opam
@@ -0,0 +1,26 @@
+opam-version: "2.0"
+maintainer: "opensource@janestreet.com"
+authors: ["Jane Street Group, LLC <opensource@janestreet.com>"]
+homepage: "https://github.com/janestreet/sexplib0"
+bug-reports: "https://github.com/janestreet/sexplib0/issues"
+dev-repo: "git+https://github.com/janestreet/sexplib0.git"
+doc: "https://ocaml.janestreet.com/ocaml-core/latest/doc/sexplib0/index.html"
+license: "MIT"
+build: [
+  ["dune" "build" "-p" name "-j" jobs]
+]
+depends: [
+  "ocaml" {>= "4.04.2"}
+  "dune"  {>= "1.5.1"}
+]
+synopsis: "Library containing the definition of S-expressions and some base converters"
+description: "
+Part of Jane Street's Core library
+The Core suite of libraries is an industrial strength alternative to
+OCaml's standard library that was developed by Jane Street, the
+largest industrial user of OCaml.
+"
+url {
+  src: "https://ocaml.janestreet.com/ocaml-core/v0.12/files/sexplib0-v0.12.0.tar.gz"
+  checksum: "md5=2486a25d3a94da9a94acc018b5f09061"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/stdio.v0.12.0/opam b/tools/oeedger8r/esy.lock/opam/stdio.v0.12.0/opam
new file mode 100644
index 0000000000..477c74579e
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/stdio.v0.12.0/opam
@@ -0,0 +1,27 @@
+opam-version: "2.0"
+maintainer: "opensource@janestreet.com"
+authors: ["Jane Street Group, LLC <opensource@janestreet.com>"]
+homepage: "https://github.com/janestreet/stdio"
+bug-reports: "https://github.com/janestreet/stdio/issues"
+dev-repo: "git+https://github.com/janestreet/stdio.git"
+doc: "https://ocaml.janestreet.com/ocaml-core/latest/doc/stdio/index.html"
+license: "MIT"
+build: [
+  ["dune" "build" "-p" name "-j" jobs]
+]
+depends: [
+  "ocaml" {>= "4.04.2"}
+  "base"  {>= "v0.12" & < "v0.13"}
+  "dune"  {>= "1.5.1"}
+]
+synopsis: "Standard IO library for OCaml"
+description: "
+Stdio implements simple input/output functionalities for OCaml.
+
+It re-exports the input/output functions of the OCaml standard
+libraries using a more consistent API.
+"
+url {
+  src: "https://ocaml.janestreet.com/ocaml-core/v0.12/files/stdio-v0.12.0.tar.gz"
+  checksum: "md5=b261ff2d5667fde960c95e50cff668da"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/topkg.1.0.1/opam b/tools/oeedger8r/esy.lock/opam/topkg.1.0.1/opam
new file mode 100644
index 0000000000..77ae1f42d5
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/topkg.1.0.1/opam
@@ -0,0 +1,48 @@
+opam-version: "2.0"
+maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
+homepage: "http://erratique.ch/software/topkg"
+doc: "http://erratique.ch/software/topkg/doc"
+license: "ISC"
+dev-repo: "git+http://erratique.ch/repos/topkg.git"
+bug-reports: "https://github.com/dbuenzli/topkg/issues"
+tags: ["packaging" "ocamlbuild" "org:erratique"]
+depends: [
+  "ocaml" {>= "4.03.0"}
+  "ocamlfind" {build & >= "1.6.1"}
+  "ocamlbuild" ]
+build: [[
+  "ocaml" "pkg/pkg.ml" "build"
+          "--pkg-name" name
+          "--dev-pkg" "%{pinned}%" ]]
+synopsis: """The transitory OCaml software packager"""
+description: """\
+
+Topkg is a packager for distributing OCaml software. It provides an
+API to describe the files a package installs in a given build
+configuration and to specify information about the package's
+distribution, creation and publication procedures.
+
+The optional topkg-care package provides the `topkg` command line tool
+which helps with various aspects of a package's life cycle: creating
+and linting a distribution, releasing it on the WWW, publish its
+documentation, add it to the OCaml opam repository, etc.
+
+Topkg is distributed under the ISC license and has **no**
+dependencies. This is what your packages will need as a *build*
+dependency.
+
+Topkg-care is distributed under the ISC license it depends on
+[fmt][fmt], [logs][logs], [bos][bos], [cmdliner][cmdliner],
+[webbrowser][webbrowser] and `opam-format`.
+
+[fmt]: http://erratique.ch/software/fmt
+[logs]: http://erratique.ch/software/logs
+[bos]: http://erratique.ch/software/bos
+[cmdliner]: http://erratique.ch/software/cmdliner
+[webbrowser]: http://erratique.ch/software/webbrowser
+"""
+url {
+archive: "http://erratique.ch/software/topkg/releases/topkg-1.0.1.tbz"
+checksum: "16b90e066d8972a5ef59655e7c28b3e9"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/tyxml.4.3.0/opam b/tools/oeedger8r/esy.lock/opam/tyxml.4.3.0/opam
new file mode 100644
index 0000000000..93872f8b3c
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/tyxml.4.3.0/opam
@@ -0,0 +1,45 @@
+opam-version: "2.0"
+maintainer: "dev@ocsigen.org"
+homepage: "https://github.com/ocsigen/tyxml/"
+bug-reports: "https://github.com/ocsigen/tyxml/issues"
+doc: "https://ocsigen.org/tyxml/manual/"
+dev-repo: "git+https://github.com/ocsigen/tyxml.git"
+license: "LGPL-2.1-only with OCaml-LGPL-linking-exception"
+
+build: [
+  ["dune" "subst"] {pinned}
+  ["dune" "build" "-p" name "-j" jobs]
+  ["dune" "runtest" "-p" name "-j" jobs] {with-test}
+]
+
+depends: [
+  "ocaml" {>= "4.02"}
+  "re" {>= "1.5.0"}
+  ("ocaml" {>= "4.07"} | "re" {>= "1.8.0"})
+  "dune"
+  "alcotest" {with-test}
+  "seq"
+  "uutf" {>= "1.0.0"}
+]
+
+synopsis:"TyXML is a library for building correct HTML and SVG documents"
+description:"""
+TyXML provides a set of convenient combinators that uses the OCaml
+type system to ensure the validity of the generated documents. TyXML
+can be used with any representation of HTML and SVG: the textual one,
+provided directly by this package, or DOM trees (`js_of_ocaml-tyxml`)
+virtual DOM (`virtual-dom`) and reactive or replicated trees
+(`eliom`). You can also create your own representation and use it to
+instantiate a new set of combinators.
+
+```ocaml
+open Tyxml
+let to_ocaml = Html.(a ~a:[a_href "ocaml.org"] [txt "OCaml!"])
+```
+"""
+authors: "The ocsigen team"
+url {
+  src:
+    "https://github.com/ocsigen/tyxml/releases/download/4.3.0/tyxml-4.3.0.tbz"
+  checksum: "md5=fd834a567f813bf447cab5f4c3a723e2"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/uchar.0.0.2/opam b/tools/oeedger8r/esy.lock/opam/uchar.0.0.2/opam
new file mode 100644
index 0000000000..428d7aa6f8
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/uchar.0.0.2/opam
@@ -0,0 +1,36 @@
+opam-version: "2.0"
+maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
+homepage: "http://ocaml.org"
+doc: "https://ocaml.github.io/uchar/"
+dev-repo: "git+https://github.com/ocaml/uchar.git"
+bug-reports: "https://github.com/ocaml/uchar/issues"
+tags: [ "text" "character" "unicode" "compatibility" "org:ocaml.org" ]
+license: "typeof OCaml system"
+depends: [
+  "ocaml" {>= "3.12.0"}
+  "ocamlbuild" {build}
+]
+build: [
+  ["ocaml" "pkg/git.ml"]
+  [
+    "ocaml"
+    "pkg/build.ml"
+    "native=%{ocaml:native}%"
+    "native-dynlink=%{ocaml:native-dynlink}%"
+  ]
+]
+synopsis: "Compatibility library for OCaml's Uchar module"
+description: """
+The `uchar` package provides a compatibility library for the
+[`Uchar`][1] module introduced in OCaml 4.03.
+
+The `uchar` package is distributed under the license of the OCaml
+compiler. See [LICENSE](LICENSE) for details.
+
+[1]: http://caml.inria.fr/pub/docs/manual-ocaml/libref/Uchar.html"""
+url {
+  src:
+    "https://github.com/ocaml/uchar/releases/download/v0.0.2/uchar-0.0.2.tbz"
+  checksum: "md5=c9ba2c738d264c420c642f7bb1cf4a36"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/uucp.12.0.0/opam b/tools/oeedger8r/esy.lock/opam/uucp.12.0.0/opam
new file mode 100644
index 0000000000..18bf0a8410
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/uucp.12.0.0/opam
@@ -0,0 +1,47 @@
+opam-version: "2.0"
+maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+authors: [
+  "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+  "David Kaloper Meršinjak <david@numm.org>"
+]
+homepage: "https://erratique.ch/software/uucp"
+doc: "https://erratique.ch/software/uucp/doc/Uucp"
+dev-repo: "git+https://erratique.ch/repos/uucp.git"
+bug-reports: "https://github.com/dbuenzli/uucp/issues"
+tags: [ "unicode" "text" "character" "org:erratique" ]
+license: "ISC"
+depends: [
+ "ocaml" {>= "4.01.0"}
+ "ocamlfind" {build}
+ "ocamlbuild" {build}
+ "topkg" {build}
+ "uchar"
+ "uucd" {with-test} # dev really
+ "uunf" {with-test}
+ "uutf" {with-test}
+ ]
+depopts: [ "uunf" "uutf" "cmdliner" ]
+conflicts: [ "uutf" {< "1.0.1"}
+             "cmdliner" {< "1.0.0"} ]
+build: [[
+  "ocaml" "pkg/pkg.ml" "build"
+          "--dev-pkg" "%{pinned}%"
+          "--with-uutf" "%{uutf:installed}%"
+          "--with-uunf" "%{uunf:installed}%"
+          "--with-cmdliner" "%{cmdliner:installed}%"
+]]
+synopsis: """Unicode character properties for OCaml"""
+description: """\
+
+Uucp is an OCaml library providing efficient access to a selection of
+character properties of the [Unicode character database][1].
+
+Uucp is independent from any Unicode text data structure and has no
+dependencies. It is distributed under the ISC license.
+
+[1]: http://www.unicode.org/reports/tr44/
+"""
+url {
+archive: "https://erratique.ch/software/uucp/releases/uucp-12.0.0.tbz"
+checksum: "cf210ed43375b7f882c0540874e2cb81"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/uuseg.12.0.0/opam b/tools/oeedger8r/esy.lock/opam/uuseg.12.0.0/opam
new file mode 100644
index 0000000000..57dbdc65b1
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/uuseg.12.0.0/opam
@@ -0,0 +1,50 @@
+opam-version: "2.0"
+maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
+homepage: "https://erratique.ch/software/uuseg"
+doc: "https://erratique.ch/software/uuseg"
+dev-repo: "git+https://erratique.ch/repos/uuseg.git"
+bug-reports: "https://github.com/dbuenzli/uuseg/issues"
+tags: [ "segmentation" "text" "unicode" "org:erratique" ]
+license: "ISC"
+depends: [ "ocaml" {>= "4.01.0"}
+           "ocamlfind" {build}
+           "ocamlbuild" {build}
+           "topkg" {build}
+           "uchar"
+           "uucp" {>= "12.0.0" & < "13.0.0"} ]
+depopts: [ "uutf"
+           "cmdliner"
+           "uutf" {with-test}
+           "cmdliner" {with-test} ]
+conflicts: [ "uutf" {< "1.0.0"} ]
+build: [[
+  "ocaml" "pkg/pkg.ml" "build"
+  "--pinned" "%{pinned}%"
+  "--with-uutf" "%{uutf:installed}%"
+  "--with-cmdliner" "%{cmdliner:installed}%" ]]
+
+synopsis: """Unicode text segmentation for OCaml"""
+description: """\
+
+Uuseg is an OCaml library for segmenting Unicode text. It implements
+the locale independent [Unicode text segmentation algorithms][1] to
+detect grapheme cluster, word and sentence boundaries and the
+[Unicode line breaking algorithm][2] to detect line break
+opportunities.
+
+The library is independent from any IO mechanism or Unicode text data
+structure and it can process text without a complete in-memory
+representation.
+
+Uuseg depends on [Uucp](http://erratique.ch/software/uucp) and
+optionally on [Uutf](http://erratique.ch/software/uutf) for support on
+OCaml UTF-X encoded strings. It is distributed under the ISC license.
+
+[1]: http://www.unicode.org/reports/tr29/
+[2]: http://www.unicode.org/reports/tr14/
+"""
+url {
+archive: "https://erratique.ch/software/uuseg/releases/uuseg-12.0.0.tbz"
+checksum: "1d4487ddf5154e3477e55021b978d58a"
+}
diff --git a/tools/oeedger8r/esy.lock/opam/uutf.1.0.2/opam b/tools/oeedger8r/esy.lock/opam/uutf.1.0.2/opam
new file mode 100644
index 0000000000..3a9f5678d2
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/uutf.1.0.2/opam
@@ -0,0 +1,40 @@
+opam-version: "2.0"
+maintainer: "Daniel Bünzli <daniel.buenzl i@erratique.ch>"
+authors: ["Daniel Bünzli <daniel.buenzl i@erratique.ch>"]
+homepage: "http://erratique.ch/software/uutf"
+doc: "http://erratique.ch/software/uutf/doc/Uutf"
+dev-repo: "git+http://erratique.ch/repos/uutf.git"
+bug-reports: "https://github.com/dbuenzli/uutf/issues"
+tags: [ "unicode" "text" "utf-8" "utf-16" "codec" "org:erratique" ]
+license: "ISC"
+depends: [
+  "ocaml" {>= "4.01.0"}
+  "ocamlfind" {build}
+  "ocamlbuild" {build}
+  "topkg" {build}
+  "uchar"
+]
+depopts: ["cmdliner"]
+conflicts: ["cmdliner" { < "0.9.6"} ]
+build: [[
+  "ocaml" "pkg/pkg.ml" "build"
+          "--pinned" "%{pinned}%"
+          "--with-cmdliner" "%{cmdliner:installed}%" ]]
+synopsis: """Non-blocking streaming Unicode codec for OCaml"""
+description: """\
+
+Uutf is a non-blocking streaming codec to decode and encode the UTF-8,
+UTF-16, UTF-16LE and UTF-16BE encoding schemes. It can efficiently
+work character by character without blocking on IO. Decoders perform
+character position tracking and support newline normalization.
+
+Functions are also provided to fold over the characters of UTF encoded
+OCaml string values and to directly encode characters in OCaml
+Buffer.t values.
+
+Uutf has no dependency and is distributed under the ISC license.
+"""
+url {
+archive: "http://erratique.ch/software/uutf/releases/uutf-1.0.2.tbz"
+checksum: "a7c542405a39630c689a82bd7ef2292c"
+}
diff --git a/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/files/ocamlbuild-0.14.0.patch b/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/files/ocamlbuild-0.14.0.patch
new file mode 100644
index 0000000000..4d5bea0e09
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/files/ocamlbuild-0.14.0.patch
@@ -0,0 +1,463 @@
+--- ./Makefile
++++ ./Makefile
+@@ -213,7 +213,7 @@
+ 	rm -f man/ocamlbuild.1
+ 
+ man/options_man.byte: src/ocamlbuild_pack.cmo
+-	$(OCAMLC) $^ -I src man/options_man.ml -o man/options_man.byte
++	$(OCAMLC) -I +unix unix.cma $^ -I src man/options_man.ml -o man/options_man.byte
+ 
+ clean::
+ 	rm -f man/options_man.cm*
+--- ./src/command.ml
++++ ./src/command.ml
+@@ -148,9 +148,10 @@
+   let self = string_of_command_spec_with_calls call_with_tags call_with_target resolve_virtuals in
+   let b = Buffer.create 256 in
+   (* The best way to prevent bash from switching to its windows-style
+-   * quote-handling is to prepend an empty string before the command name. *)
++   * quote-handling is to prepend an empty string before the command name.
++   * space seems to work, too - and the ouput is nicer *)
+   if Sys.os_type = "Win32" then
+-    Buffer.add_string b "''";
++    Buffer.add_char b ' ';
+   let first = ref true in
+   let put_space () =
+     if !first then
+@@ -260,7 +261,7 @@
+ 
+ let execute_many ?(quiet=false) ?(pretend=false) cmds =
+   add_parallel_stat (List.length cmds);
+-  let degraded = !*My_unix.is_degraded || Sys.os_type = "Win32" in
++  let degraded = !*My_unix.is_degraded in
+   let jobs = !jobs in
+   if jobs < 0 then invalid_arg "jobs < 0";
+   let max_jobs = if jobs = 0 then None else Some jobs in
+--- ./src/findlib.ml
++++ ./src/findlib.ml
+@@ -66,9 +66,6 @@
+     (fun command -> lexer & Lexing.from_string & run_and_read command)
+     command
+ 
+-let run_and_read command =
+-  Printf.ksprintf run_and_read command
+-
+ let rec query name =
+   try
+     Hashtbl.find packages name
+@@ -135,7 +132,8 @@
+   with Not_found -> s
+ 
+ let list () =
+-  List.map before_space (split_nl & run_and_read "%s list" ocamlfind)
++  let cmd = Shell.quote_filename_if_needed ocamlfind ^ " list" in
++  List.map before_space (split_nl & run_and_read cmd)
+ 
+ (* The closure algorithm is easy because the dependencies are already closed
+ and sorted for each package. We only have to make the union. We could also
+--- ./src/main.ml
++++ ./src/main.ml
+@@ -162,6 +162,9 @@
+               Tags.mem "traverse" tags
+               || List.exists (Pathname.is_prefix path_name) !Options.include_dirs
+               || List.exists (Pathname.is_prefix path_name) target_dirs)
++            && ((* beware: !Options.build_dir is an absolute directory *)
++              Pathname.normalize !Options.build_dir
++              <> Pathname.normalize (Pathname.pwd/path_name))
+           end
+         end
+       end
+--- ./src/my_std.ml
++++ ./src/my_std.ml
+@@ -271,13 +271,107 @@
+       try Array.iter (fun x -> if x = basename then raise Exit) a; false
+       with Exit -> true
+ 
++let command_plain = function
++| [| |] -> 0
++| margv ->
++  let rec waitpid a b =
++    match Unix.waitpid a b with
++    | exception (Unix.Unix_error(Unix.EINTR,_,_)) -> waitpid a b
++    | x -> x
++  in
++  let pid = Unix.(create_process margv.(0) margv stdin stdout stderr) in
++  let pid', process_status = waitpid [] pid in
++  assert (pid = pid');
++  match process_status with
++  | Unix.WEXITED n -> n
++  | Unix.WSIGNALED _ -> 2 (* like OCaml's uncaught exceptions *)
++  | Unix.WSTOPPED _ -> 127
++
++(* can't use Lexers because of circular dependency *)
++let split_path_win str =
++  let rec aux pos =
++    try
++      let i = String.index_from str pos ';' in
++      let len = i - pos in
++      if len = 0 then
++        aux (succ i)
++      else
++        String.sub str pos (i - pos) :: aux (succ i)
++    with Not_found | Invalid_argument _ ->
++      let len = String.length str - pos in
++      if len = 0 then [] else [String.sub str pos len]
++  in
++  aux 0
++
++let windows_shell = lazy begin
++  let rec iter = function
++  | [] -> [| "bash.exe" ; "--norc" ; "--noprofile" |]
++  | hd::tl ->
++    let dash = Filename.concat hd "dash.exe" in
++    if Sys.file_exists dash then [|dash|] else
++    let bash = Filename.concat hd "bash.exe" in
++    if Sys.file_exists bash = false then iter tl else
++    (* if sh.exe and bash.exe exist in the same dir, choose sh.exe *)
++    let sh = Filename.concat hd "sh.exe" in
++    if Sys.file_exists sh then [|sh|] else [|bash ; "--norc" ; "--noprofile"|]
++  in
++  split_path_win (try Sys.getenv "PATH" with Not_found -> "") |> iter
++end
++
++let prep_windows_cmd cmd =
++  (* workaround known ocaml bug, remove later *)
++  if String.contains cmd '\t' && String.contains cmd ' ' = false then
++    " " ^ cmd
++  else
++    cmd
++
++let run_with_shell = function
++| "" -> 0
++| cmd ->
++  let cmd = prep_windows_cmd cmd in
++  let shell = Lazy.force windows_shell in
++  let qlen = Filename.quote cmd |> String.length in
++  (* old versions of dash had problems with bs *)
++  try
++    if qlen < 7_900 then
++      command_plain (Array.append shell [| "-ec" ; cmd |])
++    else begin
++      (* it can still work, if the called command is a cygwin tool *)
++      let ch_closed = ref false in
++      let file_deleted = ref false in
++      let fln,ch =
++        Filename.open_temp_file
++          ~mode:[Open_binary]
++          "ocamlbuildtmp"
++          ".sh"
++      in
++      try
++        let f_slash = String.map ( fun x -> if x = '\\' then '/' else x ) fln in
++        output_string ch cmd;
++        ch_closed:= true;
++        close_out ch;
++        let ret = command_plain (Array.append shell [| "-e" ; f_slash |]) in
++        file_deleted:= true;
++        Sys.remove fln;
++        ret
++      with
++      | x ->
++        if !ch_closed = false then
++          close_out_noerr ch;
++        if !file_deleted = false then
++          (try Sys.remove fln with _ -> ());
++        raise x
++    end
++  with
++  | (Unix.Unix_error _) as x ->
++    (* Sys.command doesn't raise an exception, so run_with_shell also won't
++       raise *)
++    Printexc.to_string x ^ ":" ^ cmd |> prerr_endline;
++    1
++
+ let sys_command =
+-  match Sys.os_type with
+-  | "Win32" -> fun cmd ->
+-      if cmd = "" then 0 else
+-      let cmd = "bash --norc -c " ^ Filename.quote cmd in
+-      Sys.command cmd
+-  | _ -> fun cmd -> if cmd = "" then 0 else Sys.command cmd
++  if Sys.win32 then run_with_shell
++  else fun cmd -> if cmd = "" then 0 else Sys.command cmd
+ 
+ (* FIXME warning fix and use Filename.concat *)
+ let filename_concat x y =
+--- ./src/my_std.mli
++++ ./src/my_std.mli
+@@ -69,3 +69,6 @@
+ 
+ val split_ocaml_version : (int * int * int * string) option
+ (** (major, minor, patchlevel, rest) *)
++
++val windows_shell : string array Lazy.t
++val prep_windows_cmd : string -> string
+--- ./src/ocamlbuild_executor.ml
++++ ./src/ocamlbuild_executor.ml
+@@ -34,6 +34,8 @@
+   job_stdin   : out_channel;
+   job_stderr  : in_channel;
+   job_buffer  : Buffer.t;
++  job_pid     : int;
++  job_tmp_file: string option;
+   mutable job_dying : bool;
+ };;
+ 
+@@ -76,6 +78,61 @@
+   in
+   loop 0
+ ;;
++
++let open_process_full_win cmd env =
++  let (in_read, in_write) = Unix.pipe () in
++  let (out_read, out_write) = Unix.pipe () in
++  let (err_read, err_write) = Unix.pipe () in
++  Unix.set_close_on_exec in_read;
++  Unix.set_close_on_exec out_write;
++  Unix.set_close_on_exec err_read;
++  let inchan = Unix.in_channel_of_descr in_read in
++  let outchan = Unix.out_channel_of_descr out_write in
++  let errchan = Unix.in_channel_of_descr err_read in
++  let shell = Lazy.force Ocamlbuild_pack.My_std.windows_shell in
++  let test_cmd =
++    String.concat " " (List.map Filename.quote (Array.to_list shell)) ^
++    "-ec " ^
++    Filename.quote (Ocamlbuild_pack.My_std.prep_windows_cmd cmd) in
++  let argv,tmp_file =
++    if String.length test_cmd < 7_900 then
++      Array.append
++        shell
++        [| "-ec" ; Ocamlbuild_pack.My_std.prep_windows_cmd cmd |],None
++    else
++    let fln,ch = Filename.open_temp_file ~mode:[Open_binary] "ocamlbuild" ".sh" in
++    output_string ch (Ocamlbuild_pack.My_std.prep_windows_cmd cmd);
++    close_out ch;
++    let fln' = String.map (function '\\' -> '/' | c -> c) fln in
++    Array.append
++      shell
++      [| "-c" ; fln' |], Some fln in
++  let pid =
++    Unix.create_process_env argv.(0) argv env out_read in_write err_write in
++  Unix.close out_read;
++  Unix.close in_write;
++  Unix.close err_write;
++  (pid, inchan, outchan, errchan,tmp_file)
++
++let close_process_full_win (pid,inchan, outchan, errchan, tmp_file) =
++  let delete tmp_file =
++    match tmp_file with
++    | None -> ()
++    | Some x -> try Sys.remove x with Sys_error _ -> () in
++  let tmp_file_deleted = ref false in
++  try
++    close_in inchan;
++    close_out outchan;
++    close_in errchan;
++    let res = snd(Unix.waitpid [] pid) in
++    tmp_file_deleted := true;
++    delete tmp_file;
++    res
++  with
++  | x when tmp_file <> None && !tmp_file_deleted = false ->
++    delete tmp_file;
++    raise x
++
+ (* ***)
+ (*** execute *)
+ (* XXX: Add test for non reentrancy *)
+@@ -130,10 +187,16 @@
+   (*** add_job *)
+   let add_job cmd rest result id =
+     (*display begin fun oc -> fp oc "Job %a is %s\n%!" print_job_id id cmd; end;*)
+-    let (stdout', stdin', stderr') = open_process_full cmd env in
++    let (pid,stdout', stdin', stderr', tmp_file) =
++      if Sys.win32 then open_process_full_win cmd env else
++      let a,b,c = open_process_full cmd env in
++      -1,a,b,c,None
++    in
+     incr jobs_active;
+-    set_nonblock (doi stdout');
+-    set_nonblock (doi stderr');
++    if not Sys.win32 then (
++      set_nonblock (doi stdout');
++      set_nonblock (doi stderr');
++    );
+     let job =
+       { job_id          = id;
+         job_command     = cmd;
+@@ -143,7 +206,9 @@
+         job_stdin       = stdin';
+         job_stderr      = stderr';
+         job_buffer      = Buffer.create 1024;
+-        job_dying       = false }
++        job_dying       = false;
++        job_tmp_file    = tmp_file;
++        job_pid         = pid }
+     in
+     outputs := FDM.add (doi stdout') job (FDM.add (doi stderr') job !outputs);
+     jobs := JS.add job !jobs;
+@@ -199,6 +264,7 @@
+               try
+                 read fd u 0 (Bytes.length u)
+               with
++              | Unix.Unix_error(Unix.EPIPE,_,_) when Sys.win32 -> 0
+               | Unix.Unix_error(e,_,_)  ->
+                 let msg = error_message e in
+                 display (fun oc -> fp oc
+@@ -241,14 +307,19 @@
+       decr jobs_active;
+ 
+       (* PR#5371: we would get EAGAIN below otherwise *)
+-      clear_nonblock (doi job.job_stdout);
+-      clear_nonblock (doi job.job_stderr);
+-
++      if not Sys.win32 then (
++        clear_nonblock (doi job.job_stdout);
++        clear_nonblock (doi job.job_stderr);
++      );
+       do_read ~loop:true (doi job.job_stdout) job;
+       do_read ~loop:true (doi job.job_stderr) job;
+       outputs := FDM.remove (doi job.job_stdout) (FDM.remove (doi job.job_stderr) !outputs);
+       jobs := JS.remove job !jobs;
+-      let status = close_process_full (job.job_stdout, job.job_stdin, job.job_stderr) in
++      let status =
++        if Sys.win32 then
++          close_process_full_win (job.job_pid, job.job_stdout, job.job_stdin, job.job_stderr, job.job_tmp_file)
++        else
++          close_process_full (job.job_stdout, job.job_stdin, job.job_stderr) in
+ 
+       let shown = ref false in
+ 
+--- ./src/ocamlbuild_unix_plugin.ml
++++ ./src/ocamlbuild_unix_plugin.ml
+@@ -48,12 +48,22 @@
+   end
+ 
+ let run_and_open s kont =
++  let s_orig = s in
++  let s =
++    (* Be consistent! My_unix.run_and_open uses My_std.sys_command and
++       sys_command uses bash. *)
++    if Sys.win32 = false then s else
++    let l = match Lazy.force My_std.windows_shell |> Array.to_list with
++    | hd::tl -> (Filename.quote hd)::tl
++    | _ -> assert false in
++    "\"" ^ (String.concat " " l) ^ " -ec " ^ Filename.quote (" " ^ s) ^ "\""
++  in
+   let ic = Unix.open_process_in s in
+   let close () =
+     match Unix.close_process_in ic with
+     | Unix.WEXITED 0 -> ()
+     | Unix.WEXITED _ | Unix.WSIGNALED _ | Unix.WSTOPPED _ ->
+-        failwith (Printf.sprintf "Error while running: %s" s) in
++        failwith (Printf.sprintf "Error while running: %s" s_orig) in
+   let res = try
+       kont ic
+     with e -> (close (); raise e)
+--- ./src/options.ml
++++ ./src/options.ml
+@@ -174,11 +174,24 @@
+     build_dir := Filename.concat (Sys.getcwd ()) s
+   else
+     build_dir := s
++
++let slashify =
++  if Sys.win32 then fun p -> String.map (function '\\' -> '/' | x -> x) p
++  else fun p ->p
++
++let sb () =
++  match Sys.os_type with
++  | "Win32" ->
++    (try set_binary_mode_out stdout true with _ -> ());
++  | _ -> ()
++
++
+ let spec = ref (
+     let print_version () =
++      sb ();
+       Printf.printf "ocamlbuild %s\n%!" Ocamlbuild_config.version; raise Exit_OK
+     in
+-    let print_vnum () = print_endline Ocamlbuild_config.version; raise Exit_OK in
++    let print_vnum () = sb (); print_endline Ocamlbuild_config.version; raise Exit_OK in
+   Arg.align
+   [
+    "-version", Unit print_version , " Display the version";
+@@ -257,8 +270,8 @@
+    "-build-dir", String set_build_dir, "<path> Set build directory (implies no-links)";
+    "-install-lib-dir", Set_string Ocamlbuild_where.libdir, "<path> Set the install library directory";
+    "-install-bin-dir", Set_string Ocamlbuild_where.bindir, "<path> Set the install binary directory";
+-   "-where", Unit (fun () -> print_endline !Ocamlbuild_where.libdir; raise Exit_OK), " Display the install library directory";
+-   "-which", String (fun cmd -> print_endline (find_tool cmd); raise Exit_OK), "<command> Display path to the tool command";
++   "-where", Unit (fun () -> sb (); print_endline (slashify !Ocamlbuild_where.libdir); raise Exit_OK), " Display the install library directory";
++   "-which", String (fun cmd -> sb (); print_endline (slashify (find_tool cmd)); raise Exit_OK), "<command> Display path to the tool command";
+    "-ocamlc", set_cmd ocamlc, "<command> Set the OCaml bytecode compiler";
+    "-plugin-ocamlc", set_cmd plugin_ocamlc, "<command> Set the OCaml bytecode compiler \
+      used when building myocamlbuild.ml (only)";
+--- ./src/pathname.ml
++++ ./src/pathname.ml
+@@ -84,6 +84,26 @@
+   | x :: xs -> x :: normalize_list xs
+ 
+ let normalize x =
++  let x =
++    if Sys.win32 = false then
++      x
++    else
++      let len = String.length x in
++      let b = Bytes.create len in
++      for i = 0 to pred len do
++        match x.[i] with
++        | '\\' -> Bytes.set b i '/'
++        | c -> Bytes.set b i c
++      done;
++      if len > 1 then (
++        let c1 = Bytes.get b 0 in
++        let c2 = Bytes.get b 1 in
++        if c2 = ':' && c1 >= 'a' && c1 <= 'z' &&
++           ( len = 2 || Bytes.get b 2 = '/') then
++          Bytes.set b 0 (Char.uppercase_ascii c1)
++      );
++      Bytes.unsafe_to_string b
++  in
+   if Glob.eval not_normal_form_re x then
+     let root, paths = split x in
+     join root (normalize_list paths)
+--- ./src/shell.ml
++++ ./src/shell.ml
+@@ -24,12 +24,26 @@
+     | 'a'..'z' | 'A'..'Z' | '0'..'9' | '.' | '-' | '/' | '_' | ':' | '@' | '+' | ',' -> loop (pos + 1)
+     | _ -> false in
+   loop 0
++
++let generic_quote quotequote s =
++  let l = String.length s in
++  let b = Buffer.create (l + 20) in
++  Buffer.add_char b '\'';
++  for i = 0 to l - 1 do
++    if s.[i] = '\''
++    then Buffer.add_string b quotequote
++    else Buffer.add_char b  s.[i]
++  done;
++  Buffer.add_char b '\'';
++  Buffer.contents b
++let unix_quote = generic_quote "'\\''"
++
+ let quote_filename_if_needed s =
+   if is_simple_filename s then s
+   (* We should probably be using [Filename.unix_quote] except that function
+    * isn't exported. Users on Windows will have to live with not being able to
+    * install OCaml into c:\o'caml. Too bad. *)
+-  else if Sys.os_type = "Win32" then Printf.sprintf "'%s'" s
++  else if Sys.os_type = "Win32" then unix_quote s
+   else Filename.quote s
+ let chdir dir =
+   reset_filesys_cache ();
+@@ -37,7 +51,7 @@
+ let run args target =
+   reset_readdir_cache ();
+   let cmd = String.concat " " (List.map quote_filename_if_needed args) in
+-  if !*My_unix.is_degraded || Sys.os_type = "Win32" then
++  if !*My_unix.is_degraded then
+     begin
+       Log.event cmd target Tags.empty;
+       let st = sys_command cmd in
diff --git a/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/package.json b/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/package.json
new file mode 100644
index 0000000000..b24be7b5bc
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/overrides/opam__s__ocamlbuild_opam__c__0.14.0_opam_override/package.json
@@ -0,0 +1,27 @@
+{
+  "build": [
+    [
+      "bash",
+      "-c",
+      "#{os == 'windows' ? 'patch -p1 < ocamlbuild-0.14.0.patch' : 'true'}"
+    ],
+    [
+      "make",
+      "-f",
+      "configure.make",
+      "all",
+      "OCAMLBUILD_PREFIX=#{self.install}",
+      "OCAMLBUILD_BINDIR=#{self.bin}",
+      "OCAMLBUILD_LIBDIR=#{self.lib}",
+      "OCAMLBUILD_MANDIR=#{self.man}",
+      "OCAMLBUILD_NATIVE=true",
+      "OCAMLBUILD_NATIVE_TOOLS=true"
+    ],
+    [
+      "make",
+      "check-if-preinstalled",
+      "all",
+      "#{os == 'windows' ? 'install' : 'opam-install'}"
+    ]
+  ]
+}
diff --git a/tools/oeedger8r/package.json b/tools/oeedger8r/package.json
index e1983c2f99..15a7850d5b 100644
--- a/tools/oeedger8r/package.json
+++ b/tools/oeedger8r/package.json
@@ -22,6 +22,7 @@
 
   "devDependencies": {
     "@opam/merlin": "~3.3.2",
+    "@opam/ocamlformat": "0.12",
     "ocaml": "~4.6.0"
   }
 }

From d1ea4772ad8e319ce30b5b9a908083972c4ce503 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Thu, 7 Nov 2019 19:01:43 +0000
Subject: [PATCH 264/420] Run `esy dune build @fmt --auto-promote` with new
 ocamlformat

This is the last time we're doing this for a while, I swear. We couldn't
stick to 0.11 because of issues installing it on Windows, and 0.12
surprisingly changes a lot more formatting than expected.

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/src/Emitter.ml | 1478 ++++++++++++++++----------------
 1 file changed, 747 insertions(+), 731 deletions(-)

diff --git a/tools/oeedger8r/src/Emitter.ml b/tools/oeedger8r/src/Emitter.ml
index fee548a3dd..90dfcb784b 100644
--- a/tools/oeedger8r/src/Emitter.ml
+++ b/tools/oeedger8r/src/Emitter.ml
@@ -13,10 +13,8 @@ open Util
 (** ----- Begin code borrowed and tweaked from {!CodeGen.ml}. ----- *)
 let is_foreign_array (pt : parameter_type) =
   match pt with
-  | PTVal _ ->
-      false
-  | PTPtr (t, a) -> (
-    match t with Foreign _ -> a.pa_isary | _ -> false )
+  | PTVal _ -> false
+  | PTPtr (t, a) -> ( match t with Foreign _ -> a.pa_isary | _ -> false )
 
 (** Get the array declaration from a list of array dimensions. Empty
     [ns] indicates the corresponding declarator is a simple identifier.
@@ -35,8 +33,7 @@ let get_typed_declr_str (ty : atype) (declr : declarator) =
 let is_const_ptr (pt : parameter_type) =
   let aty = get_param_atype pt in
   match pt with
-  | PTVal _ ->
-      false
+  | PTVal _ -> false
   | PTPtr (_, pa) -> (
       if not pa.pa_rdonly then false
       else match aty with Foreign _ -> false | _ -> true )
@@ -62,15 +59,14 @@ let conv_array_to_ptr (pd : pdecl) : pdecl =
     ANumber (List.fold_left (fun acc i -> acc * i) 1 ilist)
   in
   match pt with
-  | PTVal _ ->
-      (pt, declr)
+  | PTVal _ -> (pt, declr)
   | PTPtr (aty, pa) ->
       if is_array declr then
-        let tmp_declr = {declr with array_dims= []} in
+        let tmp_declr = { declr with array_dims = [] } in
         let tmp_aty = Ptr aty in
         let tmp_cnt = get_count_attr declr.array_dims in
         let tmp_pa =
-          {pa with pa_size= {empty_ptr_size with ps_count= Some tmp_cnt}}
+          { pa with pa_size = { empty_ptr_size with ps_count = Some tmp_cnt } }
         in
         (PTPtr (tmp_aty, tmp_pa), tmp_declr)
       else (pt, declr)
@@ -89,22 +85,16 @@ let filter_map f l =
 let flatten_map f l = List.flatten (List.map f l)
 
 let is_in_ptr = function
-  | PTVal _ ->
-      false
-  | PTPtr (_, a) ->
-      a.pa_chkptr && a.pa_direction = PtrIn
+  | PTVal _ -> false
+  | PTPtr (_, a) -> a.pa_chkptr && a.pa_direction = PtrIn
 
 let is_out_ptr = function
-  | PTVal _ ->
-      false
-  | PTPtr (_, a) ->
-      a.pa_chkptr && a.pa_direction = PtrOut
+  | PTVal _ -> false
+  | PTPtr (_, a) -> a.pa_chkptr && a.pa_direction = PtrOut
 
 let is_inout_ptr = function
-  | PTVal _ ->
-      false
-  | PTPtr (_, a) ->
-      a.pa_chkptr && a.pa_direction = PtrInOut
+  | PTVal _ -> false
+  | PTPtr (_, a) -> a.pa_chkptr && a.pa_direction = PtrInOut
 
 let is_in_or_inout_ptr (p, _) = is_in_ptr p || is_inout_ptr p
 
@@ -119,19 +109,19 @@ let is_str_or_wstr_ptr (p, _) = is_str_ptr p || is_wstr_ptr p
 (* This tests if the member has a non-empty size attribute,
    implying that it should be marshalled. *)
 let is_marshalled_ptr = function
-  | PTPtr (_, attr) ->
-      attr.pa_size <> empty_ptr_size
-  | PTVal _ ->
-      false
+  | PTPtr (_, attr) -> attr.pa_size <> empty_ptr_size
+  | PTVal _ -> false
 
 let gen_c_for level count body =
   if count = "1" then body
   else
     let i = sprintf "_i_%i" level in
-    [ [sprintf "for (size_t %s = 0; %s < %s; %s++)" i i count i]
-    ; ["{"]
-    ; List.map (( ^ ) "    ") body
-    ; ["}"] ]
+    [
+      [ sprintf "for (size_t %s = 0; %s < %s; %s++)" i i count i ];
+      [ "{" ];
+      List.map (( ^ ) "    ") body;
+      [ "}" ];
+    ]
     |> List.flatten
 
 let gen_c_deref level i = if i = "1" then "->" else sprintf "[_i_%i]." level
@@ -146,10 +136,12 @@ let write_file (content : string list) (filename : string) (dir : string) =
   in
   fprintf os "%s"
     (String.concat "\n"
-       ( [ "/*"
-         ; " *  This file is auto generated by oeedger8r. DO NOT EDIT."
-         ; " */" ]
-       @ content )) ;
+       ( [
+           "/*";
+           " *  This file is auto generated by oeedger8r. DO NOT EDIT.";
+           " */";
+         ]
+       @ content ));
   close_out os
 
 let get_type_expr ptype =
@@ -162,28 +154,21 @@ let get_type_expr ptype =
   in
   let tystr = get_tystr param_atype in
   match ptype with
-  | PTPtr (_, ptr_attr) when ptr_attr.pa_isptr ->
-      sprintf "*(%s)0" tystr
-  | _ ->
-      tystr
+  | PTPtr (_, ptr_attr) when ptr_attr.pa_isptr -> sprintf "*(%s)0" tystr
+  | _ -> tystr
 
 (** For a list of args and current count, get the corresponding
    argstruct variable name. The prefix is usually, but not always,
    ["_args."].*)
 let oe_get_argstruct prefix args count =
   match args with
-  | [] ->
-      prefix
-  | hd :: _ ->
-      prefix ^ hd ^ gen_c_deref (List.length args) count
+  | [] -> prefix
+  | hd :: _ -> prefix ^ hd ^ gen_c_deref (List.length args) count
 
 let attr_value_to_string argstruct = function
-  | None ->
-      None
-  | Some (ANumber n) ->
-      Some (string_of_int n)
-  | Some (AString s) ->
-      Some (argstruct ^ s)
+  | None -> None
+  | Some (ANumber n) -> Some (string_of_int n)
+  | Some (AString s) -> Some (argstruct ^ s)
 
 (** For a parameter, get its size expression. *)
 let get_param_size (ptype, decl, argstruct) =
@@ -192,13 +177,10 @@ let get_param_size (ptype, decl, argstruct) =
     let size = attr_value_to_string argstruct p.ps_size
     and count = attr_value_to_string argstruct p.ps_count in
     match (size, count) with
-    | Some s, None ->
-        s
-    | None, Some c ->
-        sprintf "(%s * sizeof(%s))" c type_expr
+    | Some s, None -> s
+    | None, Some c -> sprintf "(%s * sizeof(%s))" c type_expr
     (* TODO: Check that this is an even multiple of the size of type. *)
-    | Some s, Some c ->
-        sprintf "(%s * %s)" s c
+    | Some s, Some c -> sprintf "(%s * %s)" s c
     | None, None ->
         sprintf "sizeof(%s%s)" type_expr (get_array_dims decl.array_dims)
   in
@@ -212,15 +194,12 @@ let get_param_size (ptype, decl, argstruct) =
         Some (get_ptr_or_decl_size ptr_attr.pa_size)
       else None
   (* Values have no marshalling size. *)
-  | _ ->
-      None
+  | _ -> None
 
 let oe_get_param_size (ptype, decl, argstruct) =
   match get_param_size (ptype, decl, argstruct) with
-  | Some size ->
-      size
-  | None ->
-      failwithf "Error: No size for " ^ decl.identifier
+  | Some size -> size
+  | None -> failwithf "Error: No size for " ^ decl.identifier
 
 (** For a parameter, get its count expression. *)
 let get_param_count (ptype, decl, argstruct) =
@@ -230,12 +209,9 @@ let get_param_count (ptype, decl, argstruct) =
     and count = attr_value_to_string argstruct p.ps_count in
     match (size, count) with
     (* TODO: Check that these are even multiples of the size of type. *)
-    | Some s, None ->
-        sprintf "(%s / sizeof(%s))" s type_expr
-    | None, Some c ->
-        c
-    | Some s, Some c ->
-        sprintf "((%s * %s) / sizeof(%s))" s c type_expr
+    | Some s, None -> sprintf "(%s / sizeof(%s))" s type_expr
+    | None, Some c -> c
+    | Some s, Some c -> sprintf "((%s * %s) / sizeof(%s))" s c type_expr
     | None, None ->
         let dims = List.map string_of_int decl.array_dims in
         String.concat " * " dims
@@ -252,27 +228,21 @@ let get_param_count (ptype, decl, argstruct) =
         (* TODO: Should be able to return [Some "1"] for plain
            pointers and values. *)
       else None
-  | PTVal _ ->
-      None
+  | PTVal _ -> None
 
 let oe_get_param_count (ptype, decl, argstruct) =
   match get_param_count (ptype, decl, argstruct) with
-  | Some count ->
-      count
-  | None ->
-      failwithf "Error: No count for " ^ decl.identifier
+  | Some count -> count
+  | None -> failwithf "Error: No count for " ^ decl.identifier
 
 (** Generate the prototype for a given function. *)
 let oe_gen_prototype (fd : func_decl) =
   let plist_str =
     let args = List.map gen_parm_str fd.plist in
     match args with
-    | [] ->
-        "void"
-    | [arg] ->
-        arg
-    | _ ->
-        "\n    " ^ String.concat ",\n    " args
+    | [] -> "void"
+    | [ arg ] -> arg
+    | _ -> "\n    " ^ String.concat ",\n    " args
   in
   sprintf "%s %s(%s)" (get_tystr fd.rtype) fd.fname plist_str
 
@@ -281,76 +251,74 @@ let oe_gen_prototype (fd : func_decl) =
 let oe_gen_wrapper_prototype (fd : func_decl) (is_ecall : bool) =
   let plist_str =
     let args =
-      [ (if is_ecall then ["oe_enclave_t* enclave"] else [])
-      ; ( match fd.rtype with
-        | Void ->
-            []
-        | _ ->
-            [get_tystr fd.rtype ^ "* _retval"] )
-      ; List.map gen_parm_str fd.plist ]
+      [
+        (if is_ecall then [ "oe_enclave_t* enclave" ] else []);
+        ( match fd.rtype with
+        | Void -> []
+        | _ -> [ get_tystr fd.rtype ^ "* _retval" ] );
+        List.map gen_parm_str fd.plist;
+      ]
       |> List.flatten
     in
     match args with
-    | [arg] ->
-        arg
-    | _ ->
-        "\n    " ^ String.concat ",\n    " args
+    | [ arg ] -> arg
+    | _ -> "\n    " ^ String.concat ",\n    " args
   in
   sprintf "oe_result_t %s(%s)" fd.fname plist_str
 
 (** Emit [struct], [union], or [enum]. *)
 let emit_composite_type =
   let emit_struct (s : struct_def) =
-    [ "typedef struct " ^ s.sname
-    ; "{"
-    ; String.concat "\n"
+    [
+      "typedef struct " ^ s.sname;
+      "{";
+      String.concat "\n"
         (List.map
            (fun (ptype, decl) ->
              sprintf "    %s %s%s;"
                (get_tystr (get_param_atype ptype))
                decl.identifier
                (get_array_dims decl.array_dims))
-           s.smlist)
-    ; "} " ^ s.sname ^ ";"
-    ; "" ]
+           s.smlist);
+      "} " ^ s.sname ^ ";";
+      "";
+    ]
   in
   let emit_union (u : union_def) =
-    [ "typedef union " ^ u.uname
-    ; "{"
-    ; String.concat "\n"
+    [
+      "typedef union " ^ u.uname;
+      "{";
+      String.concat "\n"
         (List.map
            (fun (atype, decl) ->
              sprintf "    %s %s%s;" (get_tystr atype) decl.identifier
                (get_array_dims decl.array_dims))
-           u.umlist)
-    ; "} " ^ u.uname ^ ";"
-    ; "" ]
+           u.umlist);
+      "} " ^ u.uname ^ ";";
+      "";
+    ]
   in
   let emit_enum (e : enum_def) =
-    [ "typedef enum " ^ e.enname
-    ; "{"
-    ; String.concat ",\n"
+    [
+      "typedef enum " ^ e.enname;
+      "{";
+      String.concat ",\n"
         (List.map
            (fun (name, value) ->
              sprintf "    %s%s" name
                ( match value with
-               | EnumVal (AString s) ->
-                   " = " ^ s
-               | EnumVal (ANumber n) ->
-                   " = " ^ string_of_int n
-               | EnumValNone ->
-                   "" ))
-           e.enbody)
-    ; "} " ^ e.enname ^ ";"
-    ; "" ]
+               | EnumVal (AString s) -> " = " ^ s
+               | EnumVal (ANumber n) -> " = " ^ string_of_int n
+               | EnumValNone -> "" ))
+           e.enbody);
+      "} " ^ e.enname ^ ";";
+      "";
+    ]
   in
   function
-  | StructDef s ->
-      emit_struct s
-  | UnionDef u ->
-      emit_union u
-  | EnumDef e ->
-      emit_enum e
+  | StructDef s -> emit_struct s
+  | UnionDef u -> emit_union u
+  | EnumDef e -> emit_enum e
 
 (** Generate a cast expression for a pointer argument. Pointer
     arguments need to be cast to their root type, since the marshalling
@@ -364,8 +332,7 @@ let emit_composite_type =
     are marshalled as-is. *)
 let get_cast_to_mem_expr (ptype, decl) (parens : bool) =
   match ptype with
-  | PTVal _ ->
-      ""
+  | PTVal _ -> ""
   | PTPtr (t, _) ->
       let tystr = get_tystr t in
       if is_array decl then
@@ -384,8 +351,7 @@ let get_cast_to_mem_expr (ptype, decl) (parens : bool) =
     ]}. *)
 let get_cast_from_mem_expr (ptype, decl) =
   match ptype with
-  | PTVal _ ->
-      ""
+  | PTVal _ -> ""
   | PTPtr (t, attr) ->
       if is_array decl then
         sprintf "*(%s(*)%s)" (get_tystr t) (get_array_dims decl.array_dims)
@@ -397,16 +363,18 @@ let get_cast_from_mem_expr (ptype, decl) =
       else ""
 
 let oe_gen_call_user_function (fd : func_decl) =
-  [ "/* Call user function. */"
-  ; (match fd.rtype with Void -> "" | _ -> "pargs_out->_retval = ")
-    ^ fd.fname ^ "("
-  ; String.concat ",\n    "
+  [
+    "/* Call user function. */";
+    (match fd.rtype with Void -> "" | _ -> "pargs_out->_retval = ")
+    ^ fd.fname ^ "(";
+    String.concat ",\n    "
       (List.map
          (fun (ptype, decl) ->
            let cast_expr = get_cast_from_mem_expr (ptype, decl) in
            sprintf "    %spargs_in->%s" cast_expr decl.identifier)
          fd.plist)
-    ^ ");" ]
+    ^ ");";
+  ]
 
 let warn_non_portable_types (fd : func_decl) =
   (* Check if any of the parameters or the return type has the given
@@ -417,8 +385,7 @@ let warn_non_portable_types (fd : func_decl) =
   let print_portability_warning ty =
     printf
       "Warning: Function '%s': %s has different sizes on Windows and Linux. \
-       This enclave cannot be built in Linux and then safely loaded in \
-       Windows.\n"
+       This enclave cannot be built in Linux and then safely loaded in Windows.\n"
       fd.fname ty
   in
   let print_portability_warning_with_recommendation ty recommendation =
@@ -429,13 +396,13 @@ let warn_non_portable_types (fd : func_decl) =
       fd.fname ty recommendation
   in
   (* longs are represented as an Int type *)
-  let long_t = Int {ia_signedness= Signed; ia_shortness= ILong} in
-  let ulong_t = Int {ia_signedness= Unsigned; ia_shortness= ILong} in
-  if uses_type WChar then print_portability_warning "wchar_t" ;
-  if uses_type LDouble then print_portability_warning "long double" ;
+  let long_t = Int { ia_signedness = Signed; ia_shortness = ILong } in
+  let ulong_t = Int { ia_signedness = Unsigned; ia_shortness = ILong } in
+  if uses_type WChar then print_portability_warning "wchar_t";
+  if uses_type LDouble then print_portability_warning "long double";
   (* Handle long type *)
   if uses_type (Long Signed) || uses_type long_t then
-    print_portability_warning_with_recommendation "long" "int64_t or int32_t" ;
+    print_portability_warning_with_recommendation "long" "int64_t or int32_t";
   (* Handle unsigned long type *)
   if uses_type (Long Unsigned) || uses_type ulong_t then
     print_portability_warning_with_recommendation "unsigned long"
@@ -456,22 +423,18 @@ let warn_signed_size_or_count_types (fd : func_decl) =
            either a number or string. We are interested in the
            strings, as they indicate named [size] or [count]
            parameters. *)
-        let param_name {ps_size; ps_count} =
+        let param_name { ps_size; ps_count } =
           match (ps_size, ps_count) with
           (* [s] is the name of the parameter as a string. *)
-          | None, Some (AString s) | Some (AString s), None ->
-              Some s
+          | None, Some (AString s) | Some (AString s), None -> Some s
           (* TODO: Check for [Some (ANumber n)] that [n < 1] *)
-          | _ ->
-              None
+          | _ -> None
         in
         (* Only variables that are pointers where [chkptr] is true may
            have size parameters. *)
         match ptype with
-        | PTPtr (_, a) when a.pa_chkptr ->
-            param_name a.pa_size
-        | _ ->
-            None)
+        | PTPtr (_, a) when a.pa_chkptr -> param_name a.pa_size
+        | _ -> None)
       fd.plist
   in
   (* Print warnings for size parameters that are [Signed]. *)
@@ -484,28 +447,25 @@ let warn_signed_size_or_count_types (fd : func_decl) =
             print_signedness_warning id
         | PTVal (Int i) when i.ia_signedness = Signed ->
             print_signedness_warning id
-        | _ ->
-            ())
+        | _ -> ())
     fd.plist
 
 let warn_size_and_count_params (fd : func_decl) =
-  let print_size_and_count_warning {ps_size; ps_count} =
+  let print_size_and_count_warning { ps_size; ps_count } =
     match (ps_size, ps_count) with
     | Some (AString p), Some (AString q) ->
         failwithf
           "Function '%s': simultaneous 'size' and 'count' parameters '%s' and \
            '%s' are not supported by oeedger8r.\n"
           fd.fname p q
-    | _ ->
-        ()
+    | _ -> ()
   in
   List.iter
     (fun (ptype, _) ->
       match ptype with
       | PTPtr (_, ptr_attr) when ptr_attr.pa_chkptr ->
           print_size_and_count_warning ptr_attr.pa_size
-      | _ ->
-          ())
+      | _ -> ())
     fd.plist
 
 (** Generate the Enclave code. *)
@@ -518,19 +478,19 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
      validation has the side effects of printed warnings or failure
      with an error message. *)
   if ep.use_prefix then
-    failwithf "--use_prefix option is not supported by oeedger8r." ;
+    failwithf "--use_prefix option is not supported by oeedger8r.";
   List.iter
     (fun f ->
       if f.tf_is_priv then
         failwithf
           "Function '%s': 'private' specifier is not supported by oeedger8r"
-          f.tf_fdecl.fname ;
+          f.tf_fdecl.fname;
       if f.tf_is_switchless then
         failwithf
           "Function '%s': trusted switchless ecalls are not yet supported by \
            Open Enclave SDK."
           f.tf_fdecl.fname)
-    tfs ;
+    tfs;
   List.iter
     (fun f ->
       ( if f.uf_fattr.fa_convention <> CC_NONE then
@@ -538,16 +498,16 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
         printf
           "Warning: Function '%s': Calling convention '%s' for ocalls is not \
            supported by oeedger8r.\n"
-          f.uf_fdecl.fname cconv_str ) ;
+          f.uf_fdecl.fname cconv_str );
       if f.uf_fattr.fa_dllimport then
         failwithf "Function '%s': dllimport is not supported by oeedger8r."
-          f.uf_fdecl.fname ;
+          f.uf_fdecl.fname;
       if f.uf_allow_list != [] then
         printf
           "Warning: Function '%s': Reentrant ocalls are not supported by Open \
            Enclave. Allow list ignored.\n"
           f.uf_fdecl.fname)
-    ufs ;
+    ufs;
   (* Map warning functions over trusted and untrusted function
      declarations *)
   let ufuncs = List.map (fun f -> f.uf_fdecl) ufs in
@@ -555,10 +515,10 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
   let funcs = List.append ufuncs tfuncs in
   List.iter
     (fun f ->
-      warn_non_portable_types f ;
-      warn_signed_size_or_count_types f ;
+      warn_non_portable_types f;
+      warn_signed_size_or_count_types f;
       warn_size_and_count_params f)
-    funcs ;
+    funcs;
   (* End EDL validation. *)
   (* Given [name], return the corresponding [StructDef], or [None]. *)
   let get_struct_by_name name =
@@ -580,18 +540,14 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
      return an empty list. *)
   let get_deepcopy_members (a : atype) =
     let should_deepcopy_a = function
-      | Ptr (Struct n) | Ptr (Foreign n) ->
-          get_struct_by_name n
-      | _ ->
-          None
+      | Ptr (Struct n) | Ptr (Foreign n) -> get_struct_by_name n
+      | _ -> None
     in
     (* Only enabled with --experimental! *)
     if ep.experimental then
       match should_deepcopy_a a with
-      | Some s ->
-          List.filter (fun (p, _) -> is_marshalled_ptr p) s.smlist
-      | None ->
-          []
+      | Some s -> List.filter (fun (p, _) -> is_marshalled_ptr p) s.smlist
+      | None -> []
     else []
   in
   let get_function_id (f : func_decl) =
@@ -599,25 +555,29 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
   in
   (* Emit IDs in enum for trusted functions. *)
   let emit_trusted_function_ids =
-    [ "enum"
-    ; "{"
-    ; String.concat "\n"
+    [
+      "enum";
+      "{";
+      String.concat "\n"
         (List.mapi
            (fun i f -> sprintf "    %s = %d," (get_function_id f.tf_fdecl) i)
-           tfs)
-    ; "    " ^ ec.enclave_name ^ "_fcn_id_trusted_call_id_max = OE_ENUM_MAX"
-    ; "};" ]
+           tfs);
+      "    " ^ ec.enclave_name ^ "_fcn_id_trusted_call_id_max = OE_ENUM_MAX";
+      "};";
+    ]
   in
   (* Emit IDs in enum for untrusted functions. *)
   let emit_untrusted_function_ids =
-    [ "enum"
-    ; "{"
-    ; String.concat "\n"
+    [
+      "enum";
+      "{";
+      String.concat "\n"
         (List.mapi
            (fun i f -> sprintf "    %s = %d," (get_function_id f.uf_fdecl) i)
-           ufs)
-    ; "    " ^ ec.enclave_name ^ "_fcn_id_untrusted_call_max = OE_ENUM_MAX"
-    ; "};" ]
+           ufs);
+      "    " ^ ec.enclave_name ^ "_fcn_id_untrusted_call_max = OE_ENUM_MAX";
+      "};";
+    ]
   in
   (* Generate [args.h] which contains [struct]s for ecalls and ocalls *)
   let oe_gen_args_header =
@@ -634,80 +594,88 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
           is_str_or_wstr_ptr (ptype, decl) && is_in_or_inout_ptr (ptype, decl)
         in
         let id = decl.identifier in
-        [ [tystr ^ " " ^ id ^ ";"]
-        ; (if need_strlen then [sprintf "size_t %s_len;" id] else []) ]
+        [
+          [ tystr ^ " " ^ id ^ ";" ];
+          (if need_strlen then [ sprintf "size_t %s_len;" id ] else []);
+        ]
         |> List.flatten
       in
       let struct_name = fd.fname ^ "_args_t" in
-      let retval_decl = {identifier= "_retval"; array_dims= []} in
+      let retval_decl = { identifier = "_retval"; array_dims = [] } in
       let members =
-        [ ["oe_result_t _result;"]
-        ; ( if fd.rtype = Void then []
-          else gen_member_decl (PTVal fd.rtype, retval_decl) )
-        ; (if errno then ["int _ocall_errno;"] else [])
-        ; flatten_map gen_member_decl (List.map conv_array_to_ptr fd.plist) ]
+        [
+          [ "oe_result_t _result;" ];
+          ( if fd.rtype = Void then []
+          else gen_member_decl (PTVal fd.rtype, retval_decl) );
+          (if errno then [ "int _ocall_errno;" ] else []);
+          flatten_map gen_member_decl (List.map conv_array_to_ptr fd.plist);
+        ]
         |> List.flatten
       in
-      [ "typedef struct _" ^ struct_name
-      ; "{"
-      ; "    " ^ String.concat "\n    " members
-      ; "} " ^ struct_name ^ ";"
-      ; "" ]
+      [
+        "typedef struct _" ^ struct_name;
+        "{";
+        "    " ^ String.concat "\n    " members;
+        "} " ^ struct_name ^ ";";
+        "";
+      ]
     in
     let oe_gen_user_includes (includes : string list) =
       if includes <> [] then List.map (sprintf "#include \"%s\"") includes
-      else ["/* There were no user includes. */"]
+      else [ "/* There were no user includes. */" ]
     in
     let oe_gen_user_types (cts : composite_type list) =
       if cts <> [] then flatten_map emit_composite_type cts
-      else ["/* There were no user defined types. */"; ""]
+      else [ "/* There were no user defined types. */"; "" ]
     in
     let oe_gen_ecall_marshal_structs =
       if tfs <> [] then
         flatten_map (fun tf -> oe_gen_marshal_struct tf.tf_fdecl false) tfs
-      else ["/* There were no ecalls. */"; ""]
+      else [ "/* There were no ecalls. */"; "" ]
     in
     let oe_gen_ocall_marshal_structs =
       if ufs <> [] then
         flatten_map
           (fun uf -> oe_gen_marshal_struct uf.uf_fdecl uf.uf_propagate_errno)
           ufs
-      else ["/* There were no ocalls. */"; ""]
+      else [ "/* There were no ocalls. */"; "" ]
     in
     let with_errno = List.exists (fun uf -> uf.uf_propagate_errno) ufs in
     let guard_macro =
       "EDGER8R_" ^ String.uppercase_ascii ec.enclave_name ^ "_ARGS_H"
     in
-    [ "#ifndef " ^ guard_macro
-    ; "#define " ^ guard_macro
-    ; ""
-    ; "#include <stdint.h>"
-    ; "#include <stdlib.h> /* for wchar_t */"
-    ; ""
-    ; (let s = "#include <errno.h>" in
+    [
+      "#ifndef " ^ guard_macro;
+      "#define " ^ guard_macro;
+      "";
+      "#include <stdint.h>";
+      "#include <stdlib.h> /* for wchar_t */";
+      "";
+      (let s = "#include <errno.h>" in
        if with_errno then s
        else
-         sprintf "/* %s - Errno propagation not enabled so not included. */" s)
-    ; ""
-    ; "#include <openenclave/bits/result.h>"
-    ; ""
-    ; "/**** User includes. ****/"
-    ; String.concat "\n" (oe_gen_user_includes ec.include_list)
-    ; ""
-    ; "/**** User defined types in EDL. ****/"
-    ; String.concat "\n" (oe_gen_user_types ec.comp_defs)
-    ; "/**** ECALL marshalling structs. ****/"
-    ; String.concat "\n" oe_gen_ecall_marshal_structs
-    ; "/**** OCALL marshalling structs. ****/"
-    ; String.concat "\n" oe_gen_ocall_marshal_structs
-    ; "/**** Trusted function IDs ****/"
-    ; String.concat "\n" emit_trusted_function_ids
-    ; ""
-    ; "/**** Untrusted function IDs. ****/"
-    ; String.concat "\n" emit_untrusted_function_ids
-    ; ""
-    ; "#endif // " ^ guard_macro
-    ; "" ]
+         sprintf "/* %s - Errno propagation not enabled so not included. */" s);
+      "";
+      "#include <openenclave/bits/result.h>";
+      "";
+      "/**** User includes. ****/";
+      String.concat "\n" (oe_gen_user_includes ec.include_list);
+      "";
+      "/**** User defined types in EDL. ****/";
+      String.concat "\n" (oe_gen_user_types ec.comp_defs);
+      "/**** ECALL marshalling structs. ****/";
+      String.concat "\n" oe_gen_ecall_marshal_structs;
+      "/**** OCALL marshalling structs. ****/";
+      String.concat "\n" oe_gen_ocall_marshal_structs;
+      "/**** Trusted function IDs ****/";
+      String.concat "\n" emit_trusted_function_ids;
+      "";
+      "/**** Untrusted function IDs. ****/";
+      String.concat "\n" emit_untrusted_function_ids;
+      "";
+      "#endif // " ^ guard_macro;
+      "";
+    ]
   in
   (* Prepare [input_buffer]. *)
   let oe_prepare_input_buffer (fd : func_decl) (alloc_func : string) =
@@ -717,19 +685,21 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
         let size = oe_get_param_size (ptype, decl, argstruct) in
         let arg =
           match args with
-          | [] ->
-              decl.identifier
+          | [] -> decl.identifier
           | hd :: _ ->
               hd ^ gen_c_deref (List.length args) count ^ decl.identifier
         in
         gen_c_for (List.length args) count
-          ( [ [ sprintf "if (%s)"
-                  (String.concat " && " (List.rev (arg :: args))) ]
-            ; [sprintf "    OE_ADD_SIZE(%s, %s);" buffer size]
-            ; (let param_count = oe_get_param_count (ptype, decl, argstruct) in
+          ( [
+              [
+                sprintf "if (%s)" (String.concat " && " (List.rev (arg :: args)));
+              ];
+              [ sprintf "    OE_ADD_SIZE(%s, %s);" buffer size ];
+              (let param_count = oe_get_param_count (ptype, decl, argstruct) in
                flatten_map
                  (gen_add_size (arg :: args) param_count)
-                 (get_deepcopy_members (get_param_atype ptype))) ]
+                 (get_deepcopy_members (get_param_atype ptype)));
+            ]
           |> List.flatten )
       in
       let params =
@@ -752,24 +722,29 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
         let size = oe_get_param_size (ptype, decl, argstruct) in
         let arg =
           match args with
-          | [] ->
-              decl.identifier
+          | [] -> decl.identifier
           | hd :: _ ->
               hd ^ gen_c_deref (List.length args) count ^ decl.identifier
         in
         let tystr = get_cast_to_mem_expr (ptype, decl) false in
         (* These need to be in order and so done together. *)
         gen_c_for (List.length args) count
-          ( [ (* NOTE: This makes the embedded check in the `OE_` macro superfluous. *)
-              [ sprintf "if (%s)"
-                  (String.concat " && " (List.rev (arg :: args))) ]
-            ; [ sprintf "    OE_WRITE_%s_PARAM(%s, %s, %s);"
+          ( [
+              (* NOTE: This makes the embedded check in the `OE_` macro superfluous. *)
+              [
+                sprintf "if (%s)"
+                  (String.concat " && " (List.rev (arg :: args)));
+              ];
+              [
+                sprintf "    OE_WRITE_%s_PARAM(%s, %s, %s);"
                   (if is_in_ptr ptype then "IN" else "IN_OUT")
-                  arg size tystr ]
-            ; (let param_count = oe_get_param_count (ptype, decl, argstruct) in
+                  arg size tystr;
+              ];
+              (let param_count = oe_get_param_count (ptype, decl, argstruct) in
                flatten_map
                  (gen_serialize (arg :: args) param_count)
-                 (get_deepcopy_members (get_param_atype ptype))) ]
+                 (get_deepcopy_members (get_param_atype ptype)));
+            ]
           |> List.flatten )
       in
       let params =
@@ -781,41 +756,43 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
       if params <> [] then String.concat "\n    " params
       else "/* There were no in nor in-out parameters. */"
     in
-    [ "/* Compute input buffer size. Include in and in-out parameters. */"
-    ; sprintf "OE_ADD_SIZE(_input_buffer_size, sizeof(%s_args_t));" fd.fname
-    ; oe_compute_input_buffer_size fd.plist
-    ; ""
-    ; "/* Compute output buffer size. Include out and in-out parameters. */"
-    ; sprintf "OE_ADD_SIZE(_output_buffer_size, sizeof(%s_args_t));" fd.fname
-    ; oe_compute_output_buffer_size fd.plist
-    ; ""
-    ; "/* Allocate marshalling buffer. */"
-    ; "_total_buffer_size = _input_buffer_size;"
-    ; "OE_ADD_SIZE(_total_buffer_size, _output_buffer_size);"
-    ; sprintf "_buffer = (uint8_t*)%s(_total_buffer_size);" alloc_func
-    ; "_input_buffer = _buffer;"
-    ; "_output_buffer = _buffer + _input_buffer_size;"
-    ; "if (_buffer == NULL)"
-    ; "{"
-    ; "    _result = OE_OUT_OF_MEMORY;"
-    ; "    goto done;"
-    ; "}"
-    ; ""
-    ; "/* Serialize buffer inputs (in and in-out parameters). */"
-    ; sprintf "_pargs_in = (%s_args_t*)_input_buffer;" fd.fname
-    ; "OE_ADD_SIZE(_input_buffer_offset, sizeof(*_pargs_in));"
-    ; oe_serialize_buffer_inputs fd.plist
-    ; ""
-    ; "/* Copy args structure (now filled) to input buffer. */"
-    ; "memcpy(_pargs_in, &_args, sizeof(*_pargs_in));" ]
+    [
+      "/* Compute input buffer size. Include in and in-out parameters. */";
+      sprintf "OE_ADD_SIZE(_input_buffer_size, sizeof(%s_args_t));" fd.fname;
+      oe_compute_input_buffer_size fd.plist;
+      "";
+      "/* Compute output buffer size. Include out and in-out parameters. */";
+      sprintf "OE_ADD_SIZE(_output_buffer_size, sizeof(%s_args_t));" fd.fname;
+      oe_compute_output_buffer_size fd.plist;
+      "";
+      "/* Allocate marshalling buffer. */";
+      "_total_buffer_size = _input_buffer_size;";
+      "OE_ADD_SIZE(_total_buffer_size, _output_buffer_size);";
+      sprintf "_buffer = (uint8_t*)%s(_total_buffer_size);" alloc_func;
+      "_input_buffer = _buffer;";
+      "_output_buffer = _buffer + _input_buffer_size;";
+      "if (_buffer == NULL)";
+      "{";
+      "    _result = OE_OUT_OF_MEMORY;";
+      "    goto done;";
+      "}";
+      "";
+      "/* Serialize buffer inputs (in and in-out parameters). */";
+      sprintf "_pargs_in = (%s_args_t*)_input_buffer;" fd.fname;
+      "OE_ADD_SIZE(_input_buffer_offset, sizeof(*_pargs_in));";
+      oe_serialize_buffer_inputs fd.plist;
+      "";
+      "/* Copy args structure (now filled) to input buffer. */";
+      "memcpy(_pargs_in, &_args, sizeof(*_pargs_in));";
+    ]
   in
   let gen_times count body =
     (* The first two conditionals check for the multiplicative identity
        and prevent unnecessary expressions from being generated.
        Otherwise we multiply the sum of [body] by [count]. *)
     if count = "1" || body = [] then body
-    else if List.length body = 1 && List.hd body = "1" then [count]
-    else [count ^ " * (" ^ String.concat " + " body ^ ")"]
+    else if List.length body = 1 && List.hd body = "1" then [ count ]
+    else [ count ^ " * (" ^ String.concat " + " body ^ ")" ]
   in
   let rec gen_ptr_count args count (ptype, decl) =
     let id = decl.identifier in
@@ -826,10 +803,8 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
     let argstruct = oe_get_argstruct "" args count in
     let arg =
       match args with
-      | [] ->
-          id
-      | hd :: _ ->
-          hd ^ gen_c_deref (List.length args) count ^ id
+      | [] -> id
+      | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ id
     in
     let param_count = oe_get_param_count (ptype, decl, argstruct) in
     let members = get_deepcopy_members (get_param_atype ptype) in
@@ -845,43 +820,42 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
          base case of counting 1. If there are members to recurse on,
          then we count 1 plus the current [param_count] times the
          number of members for each nested structure. *)
-      (if args <> [] then ["1"] else [])
+      (if args <> [] then [ "1" ] else [])
       @ gen_times param_count
           (flatten_map (gen_ptr_count (arg :: args) param_count) members)
     else []
   in
   let gen_ptr_array (plist : pdecl list) =
     let count =
-      flatten_map (gen_ptr_count [] "1")
-        (List.filter is_out_or_inout_ptr plist)
+      flatten_map (gen_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
     in
     if count <> [] then
       (* TODO: Switch to malloc() to handle variable lengths. *)
-      [ "size_t _ptrs_index = 0;"
-      ; sprintf "void** _ptrs = malloc(sizeof(void*) * (%s));"
-          (String.concat " + " count)
-      ; "if (_ptrs == NULL)"
-      ; "{"
-      ; "    _result = OE_OUT_OF_MEMORY;"
-      ; "    goto done;"
-      ; "}" ]
-    else ["/* No pointers to save for deep copy. */"]
+      [
+        "size_t _ptrs_index = 0;";
+        sprintf "void** _ptrs = malloc(sizeof(void*) * (%s));"
+          (String.concat " + " count);
+        "if (_ptrs == NULL)";
+        "{";
+        "    _result = OE_OUT_OF_MEMORY;";
+        "    goto done;";
+        "}";
+      ]
+    else [ "/* No pointers to save for deep copy. */" ]
   in
   let gen_reset_ptr_index (plist : pdecl list) =
     let count =
-      flatten_map (gen_ptr_count [] "1")
-        (List.filter is_out_or_inout_ptr plist)
+      flatten_map (gen_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
     in
     if count <> [] then "_ptrs_index = 0; /* For deep copy. */"
     else "/* No pointers to restore for deep copy. */"
   in
   let gen_free_ptrs (plist : pdecl list) =
     let count =
-      flatten_map (gen_ptr_count [] "1")
-        (List.filter is_out_or_inout_ptr plist)
+      flatten_map (gen_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
     in
-    if count <> [] then ["if (_ptrs)"; "    free(_ptrs);"]
-    else ["/* No `_ptrs` to free for deep copy. */"]
+    if count <> [] then [ "if (_ptrs)"; "    free(_ptrs);" ]
+    else [ "/* No `_ptrs` to free for deep copy. */" ]
   in
   let oe_process_output_buffer (fd : func_decl) =
     let oe_serialize_buffer_outputs (plist : pdecl list) =
@@ -890,39 +864,43 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
         let size = oe_get_param_size (ptype, decl, argstruct) in
         let arg =
           match args with
-          | [] ->
-              decl.identifier
+          | [] -> decl.identifier
           | hd :: _ ->
               hd ^ gen_c_deref (List.length args) count ^ decl.identifier
         in
         gen_c_for (List.length args) count
-          ( [ ( if is_str_or_wstr_ptr (ptype, decl) then
-                [ sprintf
+          ( [
+              ( if is_str_or_wstr_ptr (ptype, decl) then
+                [
+                  sprintf
                     "OE_CHECK_NULL_TERMINATOR%s(_output_buffer + \
                      _output_buffer_offset, _args.%s_len);"
                     (if is_wstr_ptr ptype then "_WIDE" else "")
-                    arg ]
-              else [] )
-            ; (let s =
+                    arg;
+                ]
+              else [] );
+              (let s =
                  sprintf "OE_READ_%s_PARAM(%s, (size_t)(%s));"
                    (if is_out_ptr ptype then "OUT" else "IN_OUT")
                    arg size
                in
                match args with
-               | [] ->
-                   [s]
+               | [] -> [ s ]
                | _ ->
                    let tystr = get_cast_to_mem_expr (ptype, decl) true in
-                   [ sprintf "if (%s)" (String.concat " && " (List.rev args))
-                   ; "{"
-                   ; "    /* Restore original pointer. */"
-                   ; sprintf "    %s = %s_ptrs[_ptrs_index++];" arg tystr
-                   ; "    " ^ s
-                   ; "}" ])
-            ; (let param_count = oe_get_param_count (ptype, decl, argstruct) in
+                   [
+                     sprintf "if (%s)" (String.concat " && " (List.rev args));
+                     "{";
+                     "    /* Restore original pointer. */";
+                     sprintf "    %s = %s_ptrs[_ptrs_index++];" arg tystr;
+                     "    " ^ s;
+                     "}";
+                   ]);
+              (let param_count = oe_get_param_count (ptype, decl, argstruct) in
                flatten_map
                  (gen_serialize (arg :: args) param_count)
-                 (get_deepcopy_members (get_param_atype ptype))) ]
+                 (get_deepcopy_members (get_param_atype ptype)));
+            ]
           |> List.flatten )
       in
       let params =
@@ -932,49 +910,55 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
       if params <> [] then String.concat "\n    " params
       else "/* There were no out nor in-out parameters. */"
     in
-    [ (* Verify that the ecall succeeded *)
-      "/* Setup output arg struct pointer. */"
-    ; sprintf "_pargs_out = (%s_args_t*)_output_buffer;" fd.fname
-    ; "OE_ADD_SIZE(_output_buffer_offset, sizeof(*_pargs_out));"
-    ; ""
-    ; "/* Check if the call succeeded. */"
-    ; "if ((_result = _pargs_out->_result) != OE_OK)"
-    ; "    goto done;"
-    ; ""
-    ; "/* Currently exactly _output_buffer_size bytes must be written. */"
-    ; "if (_output_bytes_written != _output_buffer_size)"
-    ; "{"
-    ; "    _result = OE_FAILURE;"
-    ; "    goto done;"
-    ; "}"
-    ; ""
-    ; "/* Unmarshal return value and out, in-out parameters. */"
-    ; ( if fd.rtype <> Void then "*_retval = _pargs_out->_retval;"
-      else "/* No return value. */" )
-    ; gen_reset_ptr_index fd.plist
-    ; oe_serialize_buffer_outputs fd.plist ]
+    [
+      (* Verify that the ecall succeeded *)
+      "/* Setup output arg struct pointer. */";
+      sprintf "_pargs_out = (%s_args_t*)_output_buffer;" fd.fname;
+      "OE_ADD_SIZE(_output_buffer_offset, sizeof(*_pargs_out));";
+      "";
+      "/* Check if the call succeeded. */";
+      "if ((_result = _pargs_out->_result) != OE_OK)";
+      "    goto done;";
+      "";
+      "/* Currently exactly _output_buffer_size bytes must be written. */";
+      "if (_output_bytes_written != _output_buffer_size)";
+      "{";
+      "    _result = OE_FAILURE;";
+      "    goto done;";
+      "}";
+      "";
+      "/* Unmarshal return value and out, in-out parameters. */";
+      ( if fd.rtype <> Void then "*_retval = _pargs_out->_retval;"
+      else "/* No return value. */" );
+      gen_reset_ptr_index fd.plist;
+      oe_serialize_buffer_outputs fd.plist;
+    ]
   in
   let rec oe_gen_set_pointers args count setter (ptype, decl) =
     let argstruct = oe_get_argstruct "pargs_in->" args count in
     let size = oe_get_param_size (ptype, decl, argstruct) in
     let arg =
       match args with
-      | [] ->
-          decl.identifier
-      | hd :: _ ->
-          hd ^ gen_c_deref (List.length args) count ^ decl.identifier
+      | [] -> decl.identifier
+      | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ decl.identifier
     in
     let tystr = get_cast_to_mem_expr (ptype, decl) false in
     gen_c_for (List.length args) count
-      ( [ (* NOTE: This makes the embedded check in the `OE_` macro superfluous. *)
-          [ sprintf "if (pargs_in->%s)"
-              (String.concat " && pargs_in->" (List.rev (arg :: args))) ]
-        ; [ sprintf "    OE_%s_POINTER(%s, %s, %s);" (setter ptype) arg size
-              tystr ]
-        ; (let param_count = oe_get_param_count (ptype, decl, argstruct) in
+      ( [
+          (* NOTE: This makes the embedded check in the `OE_` macro superfluous. *)
+          [
+            sprintf "if (pargs_in->%s)"
+              (String.concat " && pargs_in->" (List.rev (arg :: args)));
+          ];
+          [
+            sprintf "    OE_%s_POINTER(%s, %s, %s);" (setter ptype) arg size
+              tystr;
+          ];
+          (let param_count = oe_get_param_count (ptype, decl, argstruct) in
            flatten_map
              (oe_gen_set_pointers (arg :: args) param_count setter)
-             (get_deepcopy_members (get_param_atype ptype))) ]
+             (get_deepcopy_members (get_param_atype ptype)));
+        ]
       |> List.flatten )
   in
   let oe_gen_in_and_inout_setters (plist : pdecl list) =
@@ -990,9 +974,11 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
     in
     "    "
     ^ String.concat "\n    "
-        [ "/* Set in and in-out pointers. */"
-        ; ( if params <> [] then String.concat "\n    " params
-          else "/* There were no in nor in-out parameters. */" ) ]
+        [
+          "/* Set in and in-out pointers. */";
+          ( if params <> [] then String.concat "\n    " params
+          else "/* There were no in nor in-out parameters. */" );
+        ]
   in
   let oe_gen_out_and_inout_setters (plist : pdecl list) =
     let params =
@@ -1007,56 +993,59 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
     in
     "    "
     ^ String.concat "\n    "
-        [ "/* Set out and in-out pointers. */"
-        ; "/* In-out parameters are copied to output buffer. */"
-        ; ( if params <> [] then String.concat "\n    " params
-          else "/* There were no out nor in-out parameters. */" ) ]
+        [
+          "/* Set out and in-out pointers. */";
+          "/* In-out parameters are copied to output buffer. */";
+          ( if params <> [] then String.concat "\n    " params
+          else "/* There were no out nor in-out parameters. */" );
+        ]
   in
   (* Generate ecall function. *)
   let oe_gen_ecall_function (tf : trusted_func) =
     let fd = tf.tf_fdecl in
-    [ sprintf "void ecall_%s(" fd.fname
-    ; "    uint8_t* input_buffer,"
-    ; "    size_t input_buffer_size,"
-    ; "    uint8_t* output_buffer,"
-    ; "    size_t output_buffer_size,"
-    ; "    size_t* output_bytes_written)"
-    ; "{"
-    ; (* Variable declarations *)
-      "    oe_result_t _result = OE_FAILURE;"
-    ; ""
-    ; "    /* Prepare parameters. */"
-    ; sprintf "    %s_args_t* pargs_in = (%s_args_t*)input_buffer;" fd.fname
-        fd.fname
-    ; sprintf "    %s_args_t* pargs_out = (%s_args_t*)output_buffer;" fd.fname
-        fd.fname
-    ; ""
-    ; "    size_t input_buffer_offset = 0;"
-    ; "    size_t output_buffer_offset = 0;"
-    ; "    OE_ADD_SIZE(input_buffer_offset, sizeof(*pargs_in));"
-    ; "    OE_ADD_SIZE(output_buffer_offset, sizeof(*pargs_out));"
-    ; ""
-    ; (* Buffer validation *)
-      "    /* Make sure input and output buffers lie within the enclave. */"
-    ; "    if (!input_buffer || !oe_is_within_enclave(input_buffer, \
-       input_buffer_size))"
-    ; "        goto done;"
-    ; ""
-    ; "    if (!output_buffer || !oe_is_within_enclave(output_buffer, \
-       output_buffer_size))"
-    ; "        goto done;"
-    ; ""
-    ; (* Prepare in and in-out parameters *)
-      oe_gen_in_and_inout_setters fd.plist
-    ; ""
-    ; (* Prepare out and in-out parameters. The in-out parameter is
+    [
+      sprintf "void ecall_%s(" fd.fname;
+      "    uint8_t* input_buffer,";
+      "    size_t input_buffer_size,";
+      "    uint8_t* output_buffer,";
+      "    size_t output_buffer_size,";
+      "    size_t* output_bytes_written)";
+      "{";
+      (* Variable declarations *)
+      "    oe_result_t _result = OE_FAILURE;";
+      "";
+      "    /* Prepare parameters. */";
+      sprintf "    %s_args_t* pargs_in = (%s_args_t*)input_buffer;" fd.fname
+        fd.fname;
+      sprintf "    %s_args_t* pargs_out = (%s_args_t*)output_buffer;" fd.fname
+        fd.fname;
+      "";
+      "    size_t input_buffer_offset = 0;";
+      "    size_t output_buffer_offset = 0;";
+      "    OE_ADD_SIZE(input_buffer_offset, sizeof(*pargs_in));";
+      "    OE_ADD_SIZE(output_buffer_offset, sizeof(*pargs_out));";
+      "";
+      (* Buffer validation *)
+      "    /* Make sure input and output buffers lie within the enclave. */";
+      "    if (!input_buffer || !oe_is_within_enclave(input_buffer, \
+       input_buffer_size))";
+      "        goto done;";
+      "";
+      "    if (!output_buffer || !oe_is_within_enclave(output_buffer, \
+       output_buffer_size))";
+      "        goto done;";
+      "";
+      (* Prepare in and in-out parameters *)
+      oe_gen_in_and_inout_setters fd.plist;
+      "";
+      (* Prepare out and in-out parameters. The in-out parameter is
          copied to output buffer. *)
-      oe_gen_out_and_inout_setters fd.plist
-    ; ""
-    ; "    /* Check that in/in-out strings are null terminated. */"
+      oe_gen_out_and_inout_setters fd.plist;
+      "";
+      "    /* Check that in/in-out strings are null terminated. */"
       (* NOTE: We do not support deep copy for strings, so there is not
-         (yet) anything to do here. *)
-    ; (let params =
+         (yet) anything to do here. *);
+      (let params =
          List.map
            (fun (ptype, decl) ->
              sprintf
@@ -1068,24 +1057,25 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
               fd.plist)
        in
        if params <> [] then String.concat "\n" params
-       else "    /* There were no in nor in-out string parameters. */")
-    ; ""
-    ; "    /* lfence after checks. */"
-    ; "    oe_lfence();"
-    ; ""
-    ; (* Call the enclave function *)
-      "    " ^ String.concat "\n    " (oe_gen_call_user_function fd)
-    ; ""
-    ; (* Mark call as success *)
-      "    /* Success. */"
-    ; "    _result = OE_OK;"
-    ; "    *output_bytes_written = output_buffer_offset;"
-    ; ""
-    ; "done:"
-    ; "    if (pargs_out && output_buffer_size >= sizeof(*pargs_out))"
-    ; "        pargs_out->_result = _result;"
-    ; "}"
-    ; "" ]
+       else "    /* There were no in nor in-out string parameters. */");
+      "";
+      "    /* lfence after checks. */";
+      "    oe_lfence();";
+      "";
+      (* Call the enclave function *)
+      "    " ^ String.concat "\n    " (oe_gen_call_user_function fd);
+      "";
+      (* Mark call as success *)
+      "    /* Success. */";
+      "    _result = OE_OK;";
+      "    *output_bytes_written = output_buffer_offset;";
+      "";
+      "done:";
+      "    if (pargs_out && output_buffer_size >= sizeof(*pargs_out))";
+      "        pargs_out->_result = _result;";
+      "}";
+      "";
+    ]
   in
   let gen_fill_marshal_struct (fd : func_decl) =
     (* Generate assignment argument to corresponding field in args. This
@@ -1093,15 +1083,19 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
        they are used directly by later marshalling code. *)
     let gen_assignment (ptype, decl) =
       let arg = decl.identifier in
-      [ [ sprintf "_args.%s = %s%s;" arg
+      [
+        [
+          sprintf "_args.%s = %s%s;" arg
             (get_cast_to_mem_expr (ptype, decl) true)
-            arg ]
-      ; (* for string parameter fill the len field *)
+            arg;
+        ];
+        (* for string parameter fill the len field *)
         ( if is_str_ptr ptype then
-          [sprintf "_args.%s_len = (%s) ? (strlen(%s) + 1) : 0;" arg arg arg]
+          [ sprintf "_args.%s_len = (%s) ? (strlen(%s) + 1) : 0;" arg arg arg ]
         else if is_wstr_ptr ptype then
-          [sprintf "_args.%s_len = (%s) ? (wcslen(%s) + 1) : 0;" arg arg arg]
-        else [] ) ]
+          [ sprintf "_args.%s_len = (%s) ? (wcslen(%s) + 1) : 0;" arg arg arg ]
+        else [] );
+      ]
       |> List.flatten
     in
     flatten_map gen_assignment fd.plist
@@ -1111,22 +1105,22 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
       let argstruct = oe_get_argstruct "_args." args count in
       let arg =
         match args with
-        | [] ->
-            id
-        | hd :: _ ->
-            hd ^ gen_c_deref (List.length args) count ^ id
+        | [] -> id
+        | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ id
       in
       gen_c_for (List.length args) count
-        ( [ ( if args <> [] then
-              [sprintf "if (%s)" (String.concat " && " (List.rev args))]
-            else [] )
-          ; ( if args <> [] && is_marshalled_ptr ptype then
-              ["    _ptrs[_ptrs_index++] = (void*)" ^ arg ^ ";"]
-            else [] )
-          ; (let param_count = oe_get_param_count (ptype, decl, argstruct) in
+        ( [
+            ( if args <> [] then
+              [ sprintf "if (%s)" (String.concat " && " (List.rev args)) ]
+            else [] );
+            ( if args <> [] && is_marshalled_ptr ptype then
+              [ "    _ptrs[_ptrs_index++] = (void*)" ^ arg ^ ";" ]
+            else [] );
+            (let param_count = oe_get_param_count (ptype, decl, argstruct) in
              flatten_map
                (gen_save_ptrs (arg :: args) param_count)
-               (get_deepcopy_members (get_param_atype ptype))) ]
+               (get_deepcopy_members (get_param_atype ptype)));
+          ]
         |> List.flatten )
     in
     flatten_map (gen_save_ptrs [] "1")
@@ -1139,189 +1133,199 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
       if tf.tf_is_switchless then "oe_switchless_call_enclave_function"
       else "oe_call_enclave_function"
     in
-    [ oe_gen_wrapper_prototype fd true
-    ; "{"
-    ; "    oe_result_t _result = OE_FAILURE;"
-    ; ""
-    ; "    /* Marshalling struct. */"
-    ; sprintf "    %s_args_t _args, *_pargs_in = NULL, *_pargs_out = NULL;"
-        fd.fname
-    ; ""
-    ; "    /* Marshalling buffer and sizes. */"
-    ; "    size_t _input_buffer_size = 0;"
-    ; "    size_t _output_buffer_size = 0;"
-    ; "    size_t _total_buffer_size = 0;"
-    ; "    uint8_t* _buffer = NULL;"
-    ; "    uint8_t* _input_buffer = NULL;"
-    ; "    uint8_t* _output_buffer = NULL;"
-    ; "    size_t _input_buffer_offset = 0;"
-    ; "    size_t _output_buffer_offset = 0;"
-    ; "    size_t _output_bytes_written = 0;"
-    ; ""
-    ; "    /* Deep copy buffer. */"
-    ; "    " ^ String.concat "\n    " (gen_ptr_array fd.plist)
-    ; ""
-    ; "    /* Fill marshalling struct. */"
-    ; "    memset(&_args, 0, sizeof(_args));"
-    ; "    " ^ String.concat "\n    " (gen_fill_marshal_struct fd)
-    ; ""
-    ; "    " ^ String.concat "\n    " (oe_prepare_input_buffer fd "malloc")
-    ; ""
-    ; "    /* Call enclave function. */"
-    ; "    if ((_result = " ^ oe_ecall_function ^ "("
-    ; "             "
+    [
+      oe_gen_wrapper_prototype fd true;
+      "{";
+      "    oe_result_t _result = OE_FAILURE;";
+      "";
+      "    /* Marshalling struct. */";
+      sprintf "    %s_args_t _args, *_pargs_in = NULL, *_pargs_out = NULL;"
+        fd.fname;
+      "";
+      "    /* Marshalling buffer and sizes. */";
+      "    size_t _input_buffer_size = 0;";
+      "    size_t _output_buffer_size = 0;";
+      "    size_t _total_buffer_size = 0;";
+      "    uint8_t* _buffer = NULL;";
+      "    uint8_t* _input_buffer = NULL;";
+      "    uint8_t* _output_buffer = NULL;";
+      "    size_t _input_buffer_offset = 0;";
+      "    size_t _output_buffer_offset = 0;";
+      "    size_t _output_bytes_written = 0;";
+      "";
+      "    /* Deep copy buffer. */";
+      "    " ^ String.concat "\n    " (gen_ptr_array fd.plist);
+      "";
+      "    /* Fill marshalling struct. */";
+      "    memset(&_args, 0, sizeof(_args));";
+      "    " ^ String.concat "\n    " (gen_fill_marshal_struct fd);
+      "";
+      "    " ^ String.concat "\n    " (oe_prepare_input_buffer fd "malloc");
+      "";
+      "    /* Call enclave function. */";
+      "    if ((_result = " ^ oe_ecall_function ^ "(";
+      "             "
       ^ String.concat ",\n             "
-          [ "enclave"
-          ; get_function_id fd
-          ; "_input_buffer"
-          ; "_input_buffer_size"
-          ; "_output_buffer"
-          ; "_output_buffer_size"
-          ; "&_output_bytes_written)) != OE_OK)" ]
-    ; "        goto done;"
-    ; ""
-    ; "    " ^ String.concat "\n    " (oe_process_output_buffer fd)
-    ; ""
-    ; "    _result = OE_OK;"
-    ; ""
-    ; "done:"
-    ; "    if (_buffer)"
-    ; "        free(_buffer);"
-    ; ""
-    ; "    " ^ String.concat "\n    " (gen_free_ptrs fd.plist)
-    ; ""
-    ; "    return _result;"
-    ; "}"
-    ; "" ]
+          [
+            "enclave";
+            get_function_id fd;
+            "_input_buffer";
+            "_input_buffer_size";
+            "_output_buffer";
+            "_output_buffer_size";
+            "&_output_bytes_written)) != OE_OK)";
+          ];
+      "        goto done;";
+      "";
+      "    " ^ String.concat "\n    " (oe_process_output_buffer fd);
+      "";
+      "    _result = OE_OK;";
+      "";
+      "done:";
+      "    if (_buffer)";
+      "        free(_buffer);";
+      "";
+      "    " ^ String.concat "\n    " (gen_free_ptrs fd.plist);
+      "";
+      "    return _result;";
+      "}";
+      "";
+    ]
   in
   (* Generate enclave OCALL wrapper function. *)
   let oe_gen_enclave_ocall_wrapper (uf : untrusted_func) =
     let fd = uf.uf_fdecl in
     let allocate_buffer, call_function, free_buffer =
       if uf.uf_is_switchless then
-        ( "oe_allocate_switchless_ocall_buffer"
-        , "oe_switchless_call_host_function"
-        , "oe_free_switchless_ocall_buffer" )
+        ( "oe_allocate_switchless_ocall_buffer",
+          "oe_switchless_call_host_function",
+          "oe_free_switchless_ocall_buffer" )
       else
-        ( "oe_allocate_ocall_buffer"
-        , "oe_call_host_function"
-        , "oe_free_ocall_buffer" )
+        ( "oe_allocate_ocall_buffer",
+          "oe_call_host_function",
+          "oe_free_ocall_buffer" )
     in
-    [ oe_gen_wrapper_prototype fd false
-    ; "{"
-    ; "    oe_result_t _result = OE_FAILURE;"
-    ; ""
-    ; "    /* If the enclave is in crashing/crashed status, new OCALL should \
-       fail"
-    ; "       immediately. */"
-    ; "    if (oe_get_enclave_status() != OE_OK)"
-    ; "        return oe_get_enclave_status();"
-    ; ""
-    ; "    /* Marshalling struct. */"
-    ; sprintf "    %s_args_t _args, *_pargs_in = NULL, *_pargs_out = NULL;"
-        fd.fname
-    ; "    " ^ String.concat "\n    " (gen_ptr_array fd.plist)
-    ; ""
-    ; "    /* Marshalling buffer and sizes. */"
-    ; "    size_t _input_buffer_size = 0;"
-    ; "    size_t _output_buffer_size = 0;"
-    ; "    size_t _total_buffer_size = 0;"
-    ; "    uint8_t* _buffer = NULL;"
-    ; "    uint8_t* _input_buffer = NULL;"
-    ; "    uint8_t* _output_buffer = NULL;"
-    ; "    size_t _input_buffer_offset = 0;"
-    ; "    size_t _output_buffer_offset = 0;"
-    ; "    size_t _output_bytes_written = 0;"
-    ; ""
-    ; "    /* Fill marshalling struct. */"
-    ; "    memset(&_args, 0, sizeof(_args));"
-    ; "    " ^ String.concat "\n    " (gen_fill_marshal_struct fd)
-    ; ""
-    ; "    "
-      ^ String.concat "\n    " (oe_prepare_input_buffer fd allocate_buffer)
-    ; ""
-    ; "    /* Call host function. */"
-    ; "    if ((_result = " ^ call_function ^ "("
-    ; "             "
+    [
+      oe_gen_wrapper_prototype fd false;
+      "{";
+      "    oe_result_t _result = OE_FAILURE;";
+      "";
+      "    /* If the enclave is in crashing/crashed status, new OCALL should \
+       fail";
+      "       immediately. */";
+      "    if (oe_get_enclave_status() != OE_OK)";
+      "        return oe_get_enclave_status();";
+      "";
+      "    /* Marshalling struct. */";
+      sprintf "    %s_args_t _args, *_pargs_in = NULL, *_pargs_out = NULL;"
+        fd.fname;
+      "    " ^ String.concat "\n    " (gen_ptr_array fd.plist);
+      "";
+      "    /* Marshalling buffer and sizes. */";
+      "    size_t _input_buffer_size = 0;";
+      "    size_t _output_buffer_size = 0;";
+      "    size_t _total_buffer_size = 0;";
+      "    uint8_t* _buffer = NULL;";
+      "    uint8_t* _input_buffer = NULL;";
+      "    uint8_t* _output_buffer = NULL;";
+      "    size_t _input_buffer_offset = 0;";
+      "    size_t _output_buffer_offset = 0;";
+      "    size_t _output_bytes_written = 0;";
+      "";
+      "    /* Fill marshalling struct. */";
+      "    memset(&_args, 0, sizeof(_args));";
+      "    " ^ String.concat "\n    " (gen_fill_marshal_struct fd);
+      "";
+      "    "
+      ^ String.concat "\n    " (oe_prepare_input_buffer fd allocate_buffer);
+      "";
+      "    /* Call host function. */";
+      "    if ((_result = " ^ call_function ^ "(";
+      "             "
       ^ String.concat ",\n             "
-          [ get_function_id fd
-          ; "_input_buffer"
-          ; "_input_buffer_size"
-          ; "_output_buffer"
-          ; "_output_buffer_size"
-          ; "&_output_bytes_written)) != OE_OK)" ]
-    ; "        goto done;"
-    ; ""
-    ; "    " ^ String.concat "\n    " (oe_process_output_buffer fd)
-    ; ""
-    ; "    /* Retrieve propagated errno from OCALL. */"
-    ; ( if uf.uf_propagate_errno then "    errno = _pargs_out->_ocall_errno;\n"
-      else sprintf "    /* Errno propagation not enabled. */" )
-    ; ""
-    ; "    _result = OE_OK;"
-    ; ""
-    ; "done:"
-    ; "    if (_buffer)"
-    ; "        " ^ free_buffer ^ "(_buffer);"
-    ; "    return _result;"
-    ; "}"
-    ; "" ]
+          [
+            get_function_id fd;
+            "_input_buffer";
+            "_input_buffer_size";
+            "_output_buffer";
+            "_output_buffer_size";
+            "&_output_bytes_written)) != OE_OK)";
+          ];
+      "        goto done;";
+      "";
+      "    " ^ String.concat "\n    " (oe_process_output_buffer fd);
+      "";
+      "    /* Retrieve propagated errno from OCALL. */";
+      ( if uf.uf_propagate_errno then "    errno = _pargs_out->_ocall_errno;\n"
+      else sprintf "    /* Errno propagation not enabled. */" );
+      "";
+      "    _result = OE_OK;";
+      "";
+      "done:";
+      "    if (_buffer)";
+      "        " ^ free_buffer ^ "(_buffer);";
+      "    return _result;";
+      "}";
+      "";
+    ]
   in
   (* Generate ocall function. *)
   let oe_gen_ocall_function (uf : untrusted_func) =
     let fd = uf.uf_fdecl in
-    [ sprintf "void ocall_%s(" fd.fname
-    ; "    uint8_t* input_buffer,"
-    ; "    size_t input_buffer_size,"
-    ; "    uint8_t* output_buffer,"
-    ; "    size_t output_buffer_size,"
-    ; "    size_t* output_bytes_written)"
-    ; "{"
-    ; (* Variable declarations *)
-      "    oe_result_t _result = OE_FAILURE;"
-    ; "    OE_UNUSED(input_buffer_size);"
-    ; ""
-    ; "    /* Prepare parameters. */"
-    ; sprintf "    %s_args_t* pargs_in = (%s_args_t*)input_buffer;" fd.fname
-        fd.fname
-    ; sprintf "    %s_args_t* pargs_out = (%s_args_t*)output_buffer;" fd.fname
-        fd.fname
-    ; ""
-    ; "    size_t input_buffer_offset = 0;"
-    ; "    size_t output_buffer_offset = 0;"
-    ; "    OE_ADD_SIZE(input_buffer_offset, sizeof(*pargs_in));"
-    ; "    OE_ADD_SIZE(output_buffer_offset, sizeof(*pargs_out));"
-    ; ""
-    ; (* Buffer validation *)
-      "    /* Make sure input and output buffers are valid. */"
-    ; "    if (!input_buffer || !output_buffer) {"
-    ; "        _result = OE_INVALID_PARAMETER;"
-    ; "        goto done;"
-    ; "    }"
-    ; ""
-    ; (* Prepare in and in-out parameters *)
-      oe_gen_in_and_inout_setters fd.plist
-    ; ""
-    ; (* Prepare out and in-out parameters. The in-out parameter is copied to output buffer. *)
-      oe_gen_out_and_inout_setters fd.plist
-    ; ""
-    ; (* Call the host function *)
-      "    " ^ String.concat "\n    " (oe_gen_call_user_function fd)
-    ; ""
-    ; "    /* Propagate errno back to enclave. */"
-    ; ( if uf.uf_propagate_errno then "    pargs_out->_ocall_errno = errno;"
-      else "    /* Errno propagation not enabled. */" )
-    ; ""
-    ; (* Mark call as success *)
-      "    /* Success. */"
-    ; "    _result = OE_OK;"
-    ; "    *output_bytes_written = output_buffer_offset;"
-    ; ""
-    ; "done:"
-    ; "    if (pargs_out && output_buffer_size >= sizeof(*pargs_out))"
-    ; "        pargs_out->_result = _result;"
-    ; "}"
-    ; "" ]
+    [
+      sprintf "void ocall_%s(" fd.fname;
+      "    uint8_t* input_buffer,";
+      "    size_t input_buffer_size,";
+      "    uint8_t* output_buffer,";
+      "    size_t output_buffer_size,";
+      "    size_t* output_bytes_written)";
+      "{";
+      (* Variable declarations *)
+      "    oe_result_t _result = OE_FAILURE;";
+      "    OE_UNUSED(input_buffer_size);";
+      "";
+      "    /* Prepare parameters. */";
+      sprintf "    %s_args_t* pargs_in = (%s_args_t*)input_buffer;" fd.fname
+        fd.fname;
+      sprintf "    %s_args_t* pargs_out = (%s_args_t*)output_buffer;" fd.fname
+        fd.fname;
+      "";
+      "    size_t input_buffer_offset = 0;";
+      "    size_t output_buffer_offset = 0;";
+      "    OE_ADD_SIZE(input_buffer_offset, sizeof(*pargs_in));";
+      "    OE_ADD_SIZE(output_buffer_offset, sizeof(*pargs_out));";
+      "";
+      (* Buffer validation *)
+      "    /* Make sure input and output buffers are valid. */";
+      "    if (!input_buffer || !output_buffer) {";
+      "        _result = OE_INVALID_PARAMETER;";
+      "        goto done;";
+      "    }";
+      "";
+      (* Prepare in and in-out parameters *)
+      oe_gen_in_and_inout_setters fd.plist;
+      "";
+      (* Prepare out and in-out parameters. The in-out parameter is copied to output buffer. *)
+      oe_gen_out_and_inout_setters fd.plist;
+      "";
+      (* Call the host function *)
+      "    " ^ String.concat "\n    " (oe_gen_call_user_function fd);
+      "";
+      "    /* Propagate errno back to enclave. */";
+      ( if uf.uf_propagate_errno then "    pargs_out->_ocall_errno = errno;"
+      else "    /* Errno propagation not enabled. */" );
+      "";
+      (* Mark call as success *)
+      "    /* Success. */";
+      "    _result = OE_OK;";
+      "    *output_bytes_written = output_buffer_offset;";
+      "";
+      "done:";
+      "    if (pargs_out && output_buffer_size >= sizeof(*pargs_out))";
+      "        pargs_out->_result = _result;";
+      "}";
+      "";
+    ]
   in
   (* Includes are emitted in [args.h]. Imported functions have already
      been brought into function lists. *)
@@ -1329,200 +1333,212 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
     let oe_gen_tfunc_prototypes =
       if tfs <> [] then
         List.map (fun f -> sprintf "%s;" (oe_gen_prototype f.tf_fdecl)) tfs
-      else ["/* There were no ecalls. */"]
+      else [ "/* There were no ecalls. */" ]
     in
     let oe_gen_ufunc_wrapper_prototypes =
       if ufs <> [] then
         List.map
           (fun f -> sprintf "%s;" (oe_gen_wrapper_prototype f.uf_fdecl false))
           ufs
-      else ["/* There were no ocalls. */"]
+      else [ "/* There were no ocalls. */" ]
     in
     let guard = "EDGER8R_" ^ String.uppercase_ascii ec.file_shortnm ^ "_T_H" in
-    [ "#ifndef " ^ guard
-    ; "#define " ^ guard
-    ; ""
-    ; "#include <openenclave/enclave.h>"
-    ; ""
-    ; sprintf "#include \"%s_args.h\"" ec.file_shortnm
-    ; ""
-    ; "OE_EXTERNC_BEGIN"
-    ; ""
-    ; "/**** ECALL prototypes. ****/"
-    ; String.concat "\n\n" oe_gen_tfunc_prototypes
-    ; ""
-    ; "/**** OCALL prototypes. ****/"
-    ; String.concat "\n\n" oe_gen_ufunc_wrapper_prototypes
-    ; ""
-    ; "OE_EXTERNC_END"
-    ; ""
-    ; "#endif // " ^ guard
-    ; "" ]
+    [
+      "#ifndef " ^ guard;
+      "#define " ^ guard;
+      "";
+      "#include <openenclave/enclave.h>";
+      "";
+      sprintf "#include \"%s_args.h\"" ec.file_shortnm;
+      "";
+      "OE_EXTERNC_BEGIN";
+      "";
+      "/**** ECALL prototypes. ****/";
+      String.concat "\n\n" oe_gen_tfunc_prototypes;
+      "";
+      "/**** OCALL prototypes. ****/";
+      String.concat "\n\n" oe_gen_ufunc_wrapper_prototypes;
+      "";
+      "OE_EXTERNC_END";
+      "";
+      "#endif // " ^ guard;
+      "";
+    ]
   in
   let gen_t_c =
     let oe_gen_ecall_functions =
       if tfs <> [] then flatten_map oe_gen_ecall_function tfs
-      else ["/* There were no ecalls. */"]
+      else [ "/* There were no ecalls. */" ]
     in
     let oe_gen_ecall_table =
       let table = "__oe_ecalls_table" in
       if tfs <> [] then
-        [ sprintf "oe_ecall_func_t %s[] = {" table
-        ; "    "
+        [
+          sprintf "oe_ecall_func_t %s[] = {" table;
+          "    "
           ^ String.concat ",\n    "
               (List.map
                  (fun f -> "(oe_ecall_func_t) ecall_" ^ f.tf_fdecl.fname)
-                 tfs)
-        ; "};"
-        ; ""
-        ; sprintf "size_t %s_size = OE_COUNTOF(%s);" table table ]
-      else ["/* There were no ecalls. */"]
+                 tfs);
+          "};";
+          "";
+          sprintf "size_t %s_size = OE_COUNTOF(%s);" table table;
+        ]
+      else [ "/* There were no ecalls. */" ]
     in
     let oe_gen_enclave_ocall_wrappers =
       if ufs <> [] then flatten_map oe_gen_enclave_ocall_wrapper ufs
-      else ["/* There were no ocalls. */"]
+      else [ "/* There were no ocalls. */" ]
     in
-    [ sprintf "#include \"%s_t.h\"" ec.file_shortnm
-    ; ""
-    ; "#include <openenclave/edger8r/enclave.h>"
-    ; ""
-    ; "#include <stdlib.h>"
-    ; "#include <string.h>"
-    ; "#include <wchar.h>"
-    ; ""
-    ; "OE_EXTERNC_BEGIN"
-    ; ""
-    ; "/**** ECALL functions. ****/"
-    ; ""
-    ; String.concat "\n" oe_gen_ecall_functions
-    ; "/**** ECALL function table. ****/"
-    ; ""
-    ; String.concat "\n" oe_gen_ecall_table
-    ; ""
-    ; "/**** OCALL function wrappers. ****/"
-    ; ""
-    ; String.concat "\n" oe_gen_enclave_ocall_wrappers
-    ; "OE_EXTERNC_END"
-    ; "" ]
+    [
+      sprintf "#include \"%s_t.h\"" ec.file_shortnm;
+      "";
+      "#include <openenclave/edger8r/enclave.h>";
+      "";
+      "#include <stdlib.h>";
+      "#include <string.h>";
+      "#include <wchar.h>";
+      "";
+      "OE_EXTERNC_BEGIN";
+      "";
+      "/**** ECALL functions. ****/";
+      "";
+      String.concat "\n" oe_gen_ecall_functions;
+      "/**** ECALL function table. ****/";
+      "";
+      String.concat "\n" oe_gen_ecall_table;
+      "";
+      "/**** OCALL function wrappers. ****/";
+      "";
+      String.concat "\n" oe_gen_enclave_ocall_wrappers;
+      "OE_EXTERNC_END";
+      "";
+    ]
   in
   let gen_u_h =
     let oe_gen_tfunc_wrapper_prototypes =
       if tfs <> [] then
         List.map (fun f -> oe_gen_wrapper_prototype f.tf_fdecl true ^ ";") tfs
-      else ["/* There were no ecalls. */"]
+      else [ "/* There were no ecalls. */" ]
     in
     let oe_gen_ufunc_prototypes =
       if ufs <> [] then
         List.map (fun f -> oe_gen_prototype f.uf_fdecl ^ ";") ufs
-      else ["/* There were no ocalls. */"]
+      else [ "/* There were no ocalls. */" ]
     in
     let guard = "EDGER8R_" ^ String.uppercase_ascii ec.file_shortnm ^ "_U_H" in
-    [ "#ifndef " ^ guard
-    ; "#define " ^ guard
-    ; ""
-    ; "#include <openenclave/host.h>"
-    ; ""
-    ; sprintf "#include \"%s_args.h\"" ec.file_shortnm
-    ; ""
-    ; "OE_EXTERNC_BEGIN"
-    ; ""
-    ; sprintf "oe_result_t oe_create_%s_enclave(" ec.enclave_name
-    ; "    const char* path,"
-    ; "    oe_enclave_type_t type,"
-    ; "    uint32_t flags,"
-    ; "    const oe_enclave_setting_t* settings,"
-    ; "    uint32_t setting_count,"
-    ; "    oe_enclave_t** enclave);"
-    ; ""
-    ; "/**** ECALL prototypes. ****/"
-    ; String.concat "\n\n" oe_gen_tfunc_wrapper_prototypes
-    ; ""
-    ; "/**** OCALL prototypes. ****/"
-    ; String.concat "\n\n" oe_gen_ufunc_prototypes
-    ; ""
-    ; "OE_EXTERNC_END"
-    ; ""
-    ; "#endif // " ^ guard
-    ; "" ]
+    [
+      "#ifndef " ^ guard;
+      "#define " ^ guard;
+      "";
+      "#include <openenclave/host.h>";
+      "";
+      sprintf "#include \"%s_args.h\"" ec.file_shortnm;
+      "";
+      "OE_EXTERNC_BEGIN";
+      "";
+      sprintf "oe_result_t oe_create_%s_enclave(" ec.enclave_name;
+      "    const char* path,";
+      "    oe_enclave_type_t type,";
+      "    uint32_t flags,";
+      "    const oe_enclave_setting_t* settings,";
+      "    uint32_t setting_count,";
+      "    oe_enclave_t** enclave);";
+      "";
+      "/**** ECALL prototypes. ****/";
+      String.concat "\n\n" oe_gen_tfunc_wrapper_prototypes;
+      "";
+      "/**** OCALL prototypes. ****/";
+      String.concat "\n\n" oe_gen_ufunc_prototypes;
+      "";
+      "OE_EXTERNC_END";
+      "";
+      "#endif // " ^ guard;
+      "";
+    ]
   in
   let gen_u_c =
     let oe_gen_host_ecall_wrappers =
       if tfs <> [] then flatten_map oe_gen_host_ecall_wrapper tfs
-      else ["/* There were no ecalls. */"]
+      else [ "/* There were no ecalls. */" ]
     in
     let oe_gen_ocall_functions =
       if ufs <> [] then flatten_map oe_gen_ocall_function ufs
-      else ["/* There were no ocalls. */"]
+      else [ "/* There were no ocalls. */" ]
     in
     let oe_gen_ocall_table =
-      [ sprintf "static oe_ocall_func_t __%s_ocall_function_table[] = {"
-          ec.enclave_name
-      ; "    "
+      [
+        sprintf "static oe_ocall_func_t __%s_ocall_function_table[] = {"
+          ec.enclave_name;
+        "    "
         ^ String.concat "\n    "
             (List.map
                (fun f -> "(oe_ocall_func_t) ocall_" ^ f.uf_fdecl.fname ^ ",")
-               ufs)
-      ; "    NULL"
-      ; "};" ]
+               ufs);
+        "    NULL";
+        "};";
+      ]
     in
-    [ sprintf "#include \"%s_u.h\"" ec.file_shortnm
-    ; ""
-    ; "#include <openenclave/edger8r/host.h>"
-    ; ""
-    ; "#include <stdlib.h>"
-    ; "#include <string.h>"
-    ; "#include <wchar.h>"
-    ; ""
-    ; "OE_EXTERNC_BEGIN"
-    ; ""
-    ; "/**** ECALL function wrappers. ****/"
-    ; ""
-    ; String.concat "\n" oe_gen_host_ecall_wrappers
-    ; "/**** OCALL functions. ****/"
-    ; ""
-    ; String.concat "\n" oe_gen_ocall_functions
-    ; "/**** OCALL function table. ****/"
-    ; ""
-    ; String.concat "\n" oe_gen_ocall_table
-    ; ""
-    ; sprintf "oe_result_t oe_create_%s_enclave(" ec.enclave_name
-    ; "    const char* path,"
-    ; "    oe_enclave_type_t type,"
-    ; "    uint32_t flags,"
-    ; "    const oe_enclave_setting_t* settings,"
-    ; "    uint32_t setting_count,"
-    ; "    oe_enclave_t** enclave)"
-    ; "{"
-    ; "    return oe_create_enclave("
-    ; "               path,"
-    ; "               type,"
-    ; "               flags,"
-    ; "               settings,"
-    ; "               setting_count,"
-    ; sprintf "               __%s_ocall_function_table," ec.enclave_name
-    ; sprintf "               %d," (List.length ufs)
-    ; "               enclave);"
-    ; "}"
-    ; ""
-    ; "OE_EXTERNC_END"
-    ; "" ]
+    [
+      sprintf "#include \"%s_u.h\"" ec.file_shortnm;
+      "";
+      "#include <openenclave/edger8r/host.h>";
+      "";
+      "#include <stdlib.h>";
+      "#include <string.h>";
+      "#include <wchar.h>";
+      "";
+      "OE_EXTERNC_BEGIN";
+      "";
+      "/**** ECALL function wrappers. ****/";
+      "";
+      String.concat "\n" oe_gen_host_ecall_wrappers;
+      "/**** OCALL functions. ****/";
+      "";
+      String.concat "\n" oe_gen_ocall_functions;
+      "/**** OCALL function table. ****/";
+      "";
+      String.concat "\n" oe_gen_ocall_table;
+      "";
+      sprintf "oe_result_t oe_create_%s_enclave(" ec.enclave_name;
+      "    const char* path,";
+      "    oe_enclave_type_t type,";
+      "    uint32_t flags,";
+      "    const oe_enclave_setting_t* settings,";
+      "    uint32_t setting_count,";
+      "    oe_enclave_t** enclave)";
+      "{";
+      "    return oe_create_enclave(";
+      "               path,";
+      "               type,";
+      "               flags,";
+      "               settings,";
+      "               setting_count,";
+      sprintf "               __%s_ocall_function_table," ec.enclave_name;
+      sprintf "               %d," (List.length ufs);
+      "               enclave);";
+      "}";
+      "";
+      "OE_EXTERNC_END";
+      "";
+    ]
   in
   (* NOTE: The below code encapsulates all our file I/O. *)
   let args_h = ec.file_shortnm ^ "_args.h" in
   if ep.gen_trusted then (
-    write_file oe_gen_args_header args_h ep.trusted_dir ;
-    write_file gen_t_h (ec.file_shortnm ^ "_t.h") ep.trusted_dir ;
+    write_file oe_gen_args_header args_h ep.trusted_dir;
+    write_file gen_t_h (ec.file_shortnm ^ "_t.h") ep.trusted_dir;
     if not ep.header_only then
-      write_file gen_t_c (ec.file_shortnm ^ "_t.c") ep.trusted_dir ) ;
+      write_file gen_t_c (ec.file_shortnm ^ "_t.c") ep.trusted_dir );
   if ep.gen_untrusted then (
-    write_file oe_gen_args_header args_h ep.untrusted_dir ;
-    write_file gen_u_h (ec.file_shortnm ^ "_u.h") ep.untrusted_dir ;
+    write_file oe_gen_args_header args_h ep.untrusted_dir;
+    write_file gen_u_h (ec.file_shortnm ^ "_u.h") ep.untrusted_dir;
     if not ep.header_only then
-      write_file gen_u_c (ec.file_shortnm ^ "_u.c") ep.untrusted_dir ) ;
+      write_file gen_u_c (ec.file_shortnm ^ "_u.c") ep.untrusted_dir );
   printf "Success.\n"
 
 (** Install the plugin. *)
 let _ =
-  Printf.printf "Generating edge routines for the Open Enclave SDK.\n" ;
-  Plugin.instance.available <- true ;
+  Printf.printf "Generating edge routines for the Open Enclave SDK.\n";
+  Plugin.instance.available <- true;
   Plugin.instance.gen_edge_routines <- gen_enclave_code

From 930c129d8dae5dda3b171e4cc55b7473ba82075a Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Thu, 7 Nov 2019 22:49:21 +0000
Subject: [PATCH 265/420] Make `esy` run `ocamlformat` as part of the build

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/CMakeLists.txt |  3 ++-
 tools/oeedger8r/README.md      | 15 +++++++++++----
 tools/oeedger8r/package.json   |  8 +++++++-
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/tools/oeedger8r/CMakeLists.txt b/tools/oeedger8r/CMakeLists.txt
index 24e641b49c..ed037afd6b 100644
--- a/tools/oeedger8r/CMakeLists.txt
+++ b/tools/oeedger8r/CMakeLists.txt
@@ -26,7 +26,8 @@ add_custom_command(
   COMMAND cmake -E copy_directory ${CMAKE_CURRENT_SOURCE_DIR}/intel ${CMAKE_CURRENT_BINARY_DIR}/intel
   COMMAND cmake -E copy_directory ${CMAKE_CURRENT_SOURCE_DIR}/src ${CMAKE_CURRENT_BINARY_DIR}/src
   COMMAND cmake -E copy_if_different ${CMAKE_CURRENT_SOURCE_DIR}/dune-project ${CMAKE_CURRENT_SOURCE_DIR}/package.json ${CMAKE_CURRENT_BINARY_DIR}
-  COMMAND esy
+  COMMAND esy install
+  COMMAND esy build --release
   DEPENDS dune-project
           package.json
           src/dune
diff --git a/tools/oeedger8r/README.md b/tools/oeedger8r/README.md
index 2b04fe829c..70a6ccc525 100644
--- a/tools/oeedger8r/README.md
+++ b/tools/oeedger8r/README.md
@@ -71,10 +71,17 @@ improved plugin model as it is a copy of Intel's code.
 
 ### Best Practices
 
-We use [ocamlformat](https://github.com/ocaml-ppx/ocamlformat) to format our
-code (such as `Emitter.ml`, but not Intel's code). It is the final say in
-formatting. This should be setup to run automatically in one's editor, as it has
-not yet been setup in CI.
+We use [ocamlformat v0.12](https://github.com/ocaml-ppx/ocamlformat) (bundled
+via `esy`) to format our code (such as `Emitter.ml`, but not Intel's code). It
+is the final say in formatting. The developer build (that is, just `esy build`,
+not `esy build --release`) is setup to automatically run `ocamlformat` before
+compiling, and if any changes are necessary it will update the files and then
+exit with an error. Run the build a second time to complete the build with the
+fixed files (and don't forget to commit them).
+
+> Note that because we copy the sources to the build directory for CMake, the
+> CMake build uses `esy build --release` which does not run the formatter, as it
+> would not make sense to do on copied files.
 
 We follow [OCamlverse Best Practices](https://ocamlverse.github.io/content/best_practices.html)
 (which includes using `ocamlformat`).
diff --git a/tools/oeedger8r/package.json b/tools/oeedger8r/package.json
index 15a7850d5b..94b99d9253 100644
--- a/tools/oeedger8r/package.json
+++ b/tools/oeedger8r/package.json
@@ -5,7 +5,13 @@
   "license": "MIT",
 
   "esy": {
-    "build": "dune build -p #{self.name}",
+    "build": [
+      "dune build -p #{self.name}"
+    ],
+    "buildDev": [
+      "dune build -p #{self.name} @fmt --auto-promote",
+      "dune build -p #{self.name}"
+    ],
     "buildsInSource": "_build",
     "release": {
       "bin": "oeedger8r",

From e55b91a905e735b51df88b7f389877222dfce568 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Mon, 11 Nov 2019 19:04:53 +0000
Subject: [PATCH 266/420] Publish location of CGC minutes

While the minutes were already public, we hadn't made their whereabouts
widely known, so here they are. Note that the public can read and
comment, but only CGC members can edit the document (admin invites just
went out to all the CGC members).

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 docs/Committers.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/Committers.md b/docs/Committers.md
index 092630ef2d..33a66c6c20 100644
--- a/docs/Committers.md
+++ b/docs/Committers.md
@@ -21,6 +21,8 @@ be prevented from making any decisions at the meeting.
 All decisions by vote, whether during a meeting or otherwise, require a super majority
 vote of all members of the Community Governance Committee.
 
+The running minutes for the Community Governance Community meetings are located
+at [aka.ms/openenclave/cgc](https://aka.ms/openenclave/cgc).
 
 Committee Members
 -----------------

From da6384fe86d5eb1d301bba0808ec4923556e96c2 Mon Sep 17 00:00:00 2001
From: Mike Brasher <mikbras@microsoft.com>
Date: Fri, 13 Sep 2019 13:35:52 -0500
Subject: [PATCH 267/420] Proposal: Enforcing full EDL serialization

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 docs/DesignDocs/full_edl_serialization.md | 151 ++++++++++++++++++++++
 1 file changed, 151 insertions(+)
 create mode 100644 docs/DesignDocs/full_edl_serialization.md

diff --git a/docs/DesignDocs/full_edl_serialization.md b/docs/DesignDocs/full_edl_serialization.md
new file mode 100644
index 0000000000..36a729113a
--- /dev/null
+++ b/docs/DesignDocs/full_edl_serialization.md
@@ -0,0 +1,151 @@
+Enforcing full serialization in EDL
+===================================
+
+Motivation
+----------
+
+Currently EDL only provides partial support for parameter serialization. For
+example, the following EDL defines ECALLs whose parameters can only be
+partially serialized.
+
+```c++
+enclave
+{
+    /* Include struct iovec (foreign structure) */
+    #include <sys/uio.h>
+
+    trusted
+    {
+        public int send(
+            [in, count=iovcnt] const struct iovec* iov,
+            size_t iovcnt);
+
+        public int recv(
+            [out, count=iovcnt] struct iovec* iov,
+            size_t iovcnt);
+    };
+};
+```
+
+The generator produces code that serializes the array of **iovec**
+structures, but it cannot serialize the buffer referenced by the structure
+itself. Recall the definition of the **iovec** structure.
+
+```c++
+struct iovec
+{
+    void* iov_base;
+    size_t iov_len;
+};
+```
+
+Consequently, these ECALLs pass pointers to untrusted memory (**iov_base**) to
+the enclave developer's **send** and **recv** implementations.
+
+The exposure of untrusted pointers to the enclave implementation poses two main
+problems.
+
+- Implementations are vulnerable to coding errors that may introduce security
+  vulnerabilities.
+- The enclave application is not portable to trusted hardware environments
+  that do not support or have not enabled shared memory (e.g., TrustZone).
+
+Some potential security vulnerabilities include:
+
+- Time-of-check, Time-of-use errors (TOC-TOU).
+- Unwittingly writing secrets onto host memory.
+- Overwrite attacks where **iov_base** points to enclave memory.
+
+EDL provides a *deep-copy* feature for fully serializing parameters as shown
+below.
+
+```c++
+enclave
+{
+    struct local_iovec
+    {
+        [size=iov_len]
+        void* iov_base;
+        size_t iov_len;
+    };
+
+    trusted
+    {
+        public int send(
+            [in, count=iovcnt] const struct local_iovec* iov,
+            size_t iovcnt);
+
+        public int recv(
+            [out, count=iovcnt] struct local_iovec* iov,
+            size_t iovcnt);
+    };
+};
+```
+
+This example introduces a local structure definition (**local_iovec**) which
+provides an annotation allowing **iov_base** to be serialized.
+
+The following EDL considers a second scenario that implicitly passes untrusted
+memory into the trusted implementation.
+
+```c++
+enclave
+{
+    untrusted
+    {
+        struct widget* get_widget();
+    };
+};
+```
+
+The **get_widget** OCALL returns a pointer to untrusted memory. This is overcome
+by redefining the OCALL as follows.
+
+```c++
+enclave
+{
+    untrusted
+    {
+        int get_widget([out] struct widget* widget);
+    };
+};
+```
+
+Although EDL provides sufficient mechanisms for performing full serialization,
+the generator does not currently enforce these mechanisms. By default, the
+generator produces edge routines that implicitly copy untrusted memory
+references into the enclave. This results in potential security flaws and
+non-portable code.
+
+To overcome these problems, the generator can be modified to warn when an EDL
+specification cannot be fully serialized.
+
+User Experience
+---------------
+
+When using the generator, the user will see warnings when the following are
+encountered.
+
+- Foreign structures
+- Non-serializable local structures (lacking the appropriate annotations)
+- Pointer return values
+
+The user may wish to treat these warnings as errors using an option similar to
+GCC's **-Werror** option.
+
+Specification
+-------------
+
+The generator should be modified to produce the warnings mentioned above.
+
+Alternatives
+------------
+
+We considered introducing complimentary interface definition languages such
+as Google protobufs and others. We are open to having such alternatives in
+the future.
+
+Authors
+-------
+
+Mike Brasher (mikbras)

From 73da3d6c960c296f1bf8cea7a661a5fdf335fa21 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Mon, 11 Nov 2019 19:39:54 +0000
Subject: [PATCH 268/420] Extend specification for updates to edger8r warning
 system

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 docs/DesignDocs/full_edl_serialization.md | 35 +++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

diff --git a/docs/DesignDocs/full_edl_serialization.md b/docs/DesignDocs/full_edl_serialization.md
index 36a729113a..93f682208a 100644
--- a/docs/DesignDocs/full_edl_serialization.md
+++ b/docs/DesignDocs/full_edl_serialization.md
@@ -136,7 +136,37 @@ GCC's **-Werror** option.
 Specification
 -------------
 
-The generator should be modified to produce the warnings mentioned above.
+The generator should be modified to produce the warnings mentioned above, via
+these flags:
+
+- `-Wforeign-struct`
+- `-Wptr-in-local-struct`
+- `-Wptr-return-value`
+
+While adding these warnings, the existing warnings that are able to be ignored
+(not that they ought to be) should be made togglable with the following flags:
+
+- `-Wnon-portable-types`
+- `-Wsigned-size-or-count-types`
+- `-Wcalling-convention`
+- `-Wallow-list`
+
+Along with `-Wno-` versions of all of the above to disable them, `-Wall` to turn
+them all on and `-Werror` to treat them as errors (causing `oeedger8r` to exit
+with a non-zero exit code).
+
+The warnings should not be on by default. However, the Open Enclave build should
+be modified to use `-Wall -Werror` in all places.
+
+The existing "warnings" which are actually errors that cannot be ignored should
+be renamed as "errors" in the implementation as well as in their messages. This
+includes:
+
+- Simultaneous size and count parameters
+- The `--use_prefix` flag
+- `private` function specifier
+- Switchless ecalls
+- "dllimport"
 
 Alternatives
 ------------
@@ -148,4 +178,5 @@ the future.
 Authors
 -------
 
-Mike Brasher (mikbras)
+- Mike Brasher (mikbras)
+- Andrew Schwartzmeyer (andschwa)

From ed4bed312b176bb7bd3e2fa694f86924d04572f6 Mon Sep 17 00:00:00 2001
From: Thomas Tendyck <tt@edgeless.systems>
Date: Tue, 12 Nov 2019 18:39:34 +0100
Subject: [PATCH 269/420] Add malloc_usable_size

Signed-off-by: Thomas Tendyck <tt@edgeless.systems>
---
 docs/LibcSupport.md                        |  2 +-
 enclave/core/debugmalloc.c                 |  7 ++++++
 enclave/core/debugmalloc.h                 |  2 ++
 enclave/core/malloc.c                      |  7 ++++++
 include/openenclave/corelibc/bits/malloc.h |  6 +++++
 include/openenclave/corelibc/stdlib.h      |  2 ++
 tests/memory/enc/basic.c                   | 29 ++++++++++++++++++++++
 tests/memory/host/host.cpp                 |  1 +
 tests/memory/memory.edl                    |  1 +
 9 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/docs/LibcSupport.md b/docs/LibcSupport.md
index ab818e5d02..bf65e25815 100644
--- a/docs/LibcSupport.md
+++ b/docs/LibcSupport.md
@@ -12,7 +12,7 @@ inttypes.h | Partial | **Unsupported functions:** imaxabs(), imaxdiv() |
 iso646.h | Yes | - |
 limits.h | Yes | - |
 locale.h | Partial | Only basic support for C/POSIX locale |
-malloc.h | Partial | **Unsupported functions:** malloc_usable_size() |
+malloc.h | Partial | - |
 math.h | Partial | **Unsupported functions:** acosh(), asinh(), fmal(), lgamma(), lgammaf(), sinh(), sinhl(), tgamma() |
 setjmp.h | Yes | - |
 signal.h | No | - |
diff --git a/enclave/core/debugmalloc.c b/enclave/core/debugmalloc.c
index f46263768d..f13eb2da9e 100644
--- a/enclave/core/debugmalloc.c
+++ b/enclave/core/debugmalloc.c
@@ -430,6 +430,13 @@ int oe_debug_posix_memalign(void** memptr, size_t alignment, size_t size)
     return 0;
 }
 
+size_t oe_debug_malloc_usable_size(void* ptr)
+{
+    if (!ptr)
+        return 0;
+    return _get_header(ptr)->size;
+}
+
 void oe_debug_malloc_dump(void)
 {
     _dump(true);
diff --git a/enclave/core/debugmalloc.h b/enclave/core/debugmalloc.h
index b2f7de529f..999bddc4c0 100644
--- a/enclave/core/debugmalloc.h
+++ b/enclave/core/debugmalloc.h
@@ -18,4 +18,6 @@ void* oe_debug_memalign(size_t alignment, size_t size);
 
 int oe_debug_posix_memalign(void** memptr, size_t alignment, size_t size);
 
+size_t oe_debug_malloc_usable_size(void* ptr);
+
 #endif /* _OE_DEBUG_MALLOC_H */
diff --git a/enclave/core/malloc.c b/enclave/core/malloc.c
index 322c5810b8..7210ad3c31 100644
--- a/enclave/core/malloc.c
+++ b/enclave/core/malloc.c
@@ -51,6 +51,7 @@ static int _dlmalloc_stats_fprintf(FILE* stream, const char* format, ...);
 #define MEMALIGN oe_debug_memalign
 #define POSIX_MEMALIGN oe_debug_posix_memalign
 #define FREE oe_debug_free
+#define MALLOC_USABLE_SIZE oe_debug_malloc_usable_size
 #else
 #define MALLOC dlmalloc
 #define CALLOC dlcalloc
@@ -58,6 +59,7 @@ static int _dlmalloc_stats_fprintf(FILE* stream, const char* format, ...);
 #define MEMALIGN dlmemalign
 #define POSIX_MEMALIGN dlposix_memalign
 #define FREE dlfree
+#define MALLOC_USABLE_SIZE dlmalloc_usable_size
 #endif
 
 static oe_allocation_failure_callback_t _failure_callback;
@@ -153,6 +155,11 @@ void* oe_memalign(size_t alignment, size_t size)
     return p;
 }
 
+size_t oe_malloc_usable_size(void* ptr)
+{
+    return MALLOC_USABLE_SIZE(ptr);
+}
+
 /*
 **==============================================================================
 **
diff --git a/include/openenclave/corelibc/bits/malloc.h b/include/openenclave/corelibc/bits/malloc.h
index 5c2d491f51..3e2ee6191b 100644
--- a/include/openenclave/corelibc/bits/malloc.h
+++ b/include/openenclave/corelibc/bits/malloc.h
@@ -40,4 +40,10 @@ int posix_memalign(void** memptr, size_t alignment, size_t size)
     return oe_posix_memalign(memptr, alignment, size);
 }
 
+OE_INLINE
+size_t malloc_usable_size(void* ptr)
+{
+    return oe_malloc_usable_size(ptr);
+}
+
 #endif /* _OE_BITS_MALLOC_H */
diff --git a/include/openenclave/corelibc/stdlib.h b/include/openenclave/corelibc/stdlib.h
index 34ac255178..aca5654ee3 100644
--- a/include/openenclave/corelibc/stdlib.h
+++ b/include/openenclave/corelibc/stdlib.h
@@ -37,6 +37,8 @@ void* oe_memalign(size_t alignment, size_t size);
 
 int oe_posix_memalign(void** memptr, size_t alignment, size_t size);
 
+size_t oe_malloc_usable_size(void* ptr);
+
 unsigned long int oe_strtoul(const char* nptr, char** endptr, int base);
 
 long int oe_strtol(const char* nptr, char** endptr, int base);
diff --git a/tests/memory/enc/basic.c b/tests/memory/enc/basic.c
index 953343c36e..1f27392071 100644
--- a/tests/memory/enc/basic.c
+++ b/tests/memory/enc/basic.c
@@ -5,6 +5,7 @@
 #include <openenclave/internal/globals.h>
 #include <openenclave/internal/tests.h>
 
+#include <malloc.h>
 #include <stdint.h>
 #include <stdlib.h>
 
@@ -168,3 +169,31 @@ void test_posix_memalign(void)
     /* Should fail if alignment isn't possible. */
     OE_TEST(posix_memalign(&ptr, max, 64) != 0);
 }
+
+void test_malloc_usable_size(void)
+{
+    int* p1 = (int*)malloc(sizeof *p1);
+    OE_TEST(p1);
+    int* p2 = (int*)malloc(sizeof *p2);
+    OE_TEST(p2);
+
+    /* Ensure that p1 < p2 so that we can use p2 as upper bound. */
+    if (p1 > p2)
+    {
+        int* const tmp = p1;
+        p1 = p2;
+        p2 = tmp;
+    }
+    OE_TEST(p1 < p2);
+
+    const size_t s1 = malloc_usable_size(p1);
+    OE_TEST(sizeof *p1 <= s1 && s1 <= (size_t)(p2 - p1) * sizeof *p1);
+
+    OE_TEST(sizeof *p2 <= malloc_usable_size(p2));
+
+    const size_t end = s1 / sizeof *p1;
+    _set_buffer(p1, 0, end);
+    _check_buffer(p1, 0, end);
+    free(p1);
+    free(p2);
+}
diff --git a/tests/memory/host/host.cpp b/tests/memory/host/host.cpp
index 4883fb2f91..8593848b34 100644
--- a/tests/memory/host/host.cpp
+++ b/tests/memory/host/host.cpp
@@ -22,6 +22,7 @@ static void _malloc_basic_test(oe_enclave_t* enclave)
     OE_TEST(test_realloc(enclave) == OE_OK);
     OE_TEST(test_memalign(enclave) == OE_OK);
     OE_TEST(test_posix_memalign(enclave) == OE_OK);
+    OE_TEST(test_malloc_usable_size(enclave) == OE_OK);
 }
 
 static void _malloc_stress_test_single_thread(
diff --git a/tests/memory/memory.edl b/tests/memory/memory.edl
index 3a259a640a..5853467b4e 100644
--- a/tests/memory/memory.edl
+++ b/tests/memory/memory.edl
@@ -13,6 +13,7 @@ enclave {
         public void test_realloc();
         public void test_memalign();
         public void test_posix_memalign();
+        public void test_malloc_usable_size();
 
         public void init_malloc_stress_test();
         public void malloc_stress_test(int threads);

From c3b469ae647dbfe79209e34a907192e664db1dcf Mon Sep 17 00:00:00 2001
From: John Kordich <jkordich@gmail.com>
Date: Tue, 12 Nov 2019 10:02:24 -0800
Subject: [PATCH 270/420] Update Commiters.md email address for johnkord.

Signed-off-by: John Kordich <jkordich@gmail.com>
---
 docs/Committers.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/Committers.md b/docs/Committers.md
index 092630ef2d..13e40a073e 100644
--- a/docs/Committers.md
+++ b/docs/Committers.md
@@ -32,7 +32,7 @@ Committee Members
 | Anand Krishnamoorthi | Microsoft | anakrish@microsoft.com        | anakrish       |
 | Andrew Schwartzmeyer | Microsoft | andschwa@microsoft.com        | andschwa       |
 | Dave Thaler          | Microsoft | dthaler@microsoft.com         | dthaler        |
-| John Kordich         | Microsoft | johnkord@microsoft.com        | johnkord       |
+| John Kordich         | Microsoft | jkordich@gmail.com            | johnkord       |
 | Mike Brasher         | Microsoft | mikbras@microsoft.com         | mikbras        |
 | Simon Leet           | Microsoft | simon.leet@microsoft.com      | CodeMonkeyLeet |
 

From 19f2d4634c6dd6bb59a602e5a0556a81d407943e Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 12 Nov 2019 19:28:33 +0000
Subject: [PATCH 271/420] Update dependency graph

I noticed that this had become out-of-date, so I updated it. It'd be
nice if we could automate this with a CI job at some point.

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 .../Contributors/AdvancedBuildInfo.md         |   2 +-
 docs/GettingStartedDocs/DependencyGraph.svg   | 582 ++++++++++--------
 2 files changed, 340 insertions(+), 244 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/AdvancedBuildInfo.md b/docs/GettingStartedDocs/Contributors/AdvancedBuildInfo.md
index 2397dee015..53522f69c4 100644
--- a/docs/GettingStartedDocs/Contributors/AdvancedBuildInfo.md
+++ b/docs/GettingStartedDocs/Contributors/AdvancedBuildInfo.md
@@ -102,7 +102,7 @@ huge number of nodes (targets) in the resulting graph.
 To change the ignored targets, edit the file named `CMakeGraphVizOptions.cmake`
 at the root of the repo.
 
-As of 2019-03-27, it looks like this:
+As of 2019-11-12, it looks like this:
 
 ![CMake Dependency Graph](/docs/GettingStartedDocs/DependencyGraph.svg)
 
diff --git a/docs/GettingStartedDocs/DependencyGraph.svg b/docs/GettingStartedDocs/DependencyGraph.svg
index cd56be12c3..43944a5ff5 100644
--- a/docs/GettingStartedDocs/DependencyGraph.svg
+++ b/docs/GettingStartedDocs/DependencyGraph.svg
@@ -4,334 +4,430 @@
 <!-- Generated by graphviz version 2.40.1 (20161225.0304)
  -->
 <!-- Title: GG Pages: 1 -->
-<svg width="871pt" height="620pt"
- viewBox="0.00 0.00 871.40 620.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 616)">
+<svg width="1344pt" height="692pt"
+ viewBox="0.00 0.00 1344.14 692.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 688)">
 <title>GG</title>
-<polygon fill="#ffffff" stroke="transparent" points="-4,4 -4,-616 867.4002,-616 867.4002,4 -4,4"/>
-<!-- node1538 -->
+<polygon fill="#ffffff" stroke="transparent" points="-4,4 -4,-688 1340.1387,-688 1340.1387,4 -4,4"/>
+<!-- node102 -->
 <g id="node1" class="node">
-<title>node1538</title>
-<polygon fill="none" stroke="#000000" points="353.5,-468 280.5,-468 280.5,-432 353.5,-432 353.5,-468"/>
-<text text-anchor="middle" x="317" y="-446.9" font-family="Times,serif" font-size="12.00" fill="#000000">mbedcrypto</text>
+<title>node102</title>
+<polygon fill="none" stroke="#000000" points="80.485,-167.5623 40.3281,-180 .1712,-167.5623 .2087,-147.4377 80.4475,-147.4377 80.485,-167.5623"/>
+<text text-anchor="middle" x="40.3281" y="-158.9" font-family="Times,serif" font-size="12.00" fill="#000000">logging</text>
 </g>
-<!-- node1537 -->
+<!-- node21 -->
 <g id="node2" class="node">
-<title>node1537</title>
-<polygon fill="none" stroke="#000000" points="317,-396 270.719,-378 317,-360 363.281,-378 317,-396"/>
-<text text-anchor="middle" x="317" y="-374.9" font-family="Times,serif" font-size="12.00" fill="#000000">mbedtls</text>
+<title>node21</title>
+<polygon fill="none" stroke="#000000" points="175.3281,-108 134.4942,-90 175.3281,-72 216.162,-90 175.3281,-108"/>
+<text text-anchor="middle" x="175.3281" y="-86.9" font-family="Times,serif" font-size="12.00" fill="#000000">oehost</text>
 </g>
-<!-- node1538&#45;&gt;node1537 -->
+<!-- node102&#45;&gt;node21 -->
 <g id="edge1" class="edge">
-<title>node1538&#45;&gt;node1537</title>
-<path fill="none" stroke="#000000" stroke-dasharray="1,5" d="M317,-431.8314C317,-424.131 317,-414.9743 317,-406.4166"/>
-<polygon fill="#000000" stroke="#000000" points="320.5001,-406.4132 317,-396.4133 313.5001,-406.4133 320.5001,-406.4132"/>
+<title>node102&#45;&gt;node21</title>
+<path fill="none" stroke="#000000" d="M67.6474,-147.4297C90.9416,-135.0061 124.2738,-117.2289 147.6659,-104.7532"/>
+<polygon fill="#000000" stroke="#000000" points="149.5399,-107.7204 156.7163,-99.9263 146.2457,-101.544 149.5399,-107.7204"/>
 </g>
-<!-- node1534 -->
+<!-- node2166 -->
 <g id="node3" class="node">
-<title>node1534</title>
-<polygon fill="none" stroke="#000000" points="317,-324 258.8429,-306 317,-288 375.1571,-306 317,-324"/>
-<text text-anchor="middle" x="317" y="-302.9" font-family="Times,serif" font-size="12.00" fill="#000000">mbedx509</text>
+<title>node2166</title>
+<ellipse fill="none" stroke="#000000" cx="240.3281" cy="-18" rx="28.8653" ry="18"/>
+<text text-anchor="middle" x="240.3281" y="-14.9" font-family="Times,serif" font-size="12.00" fill="#000000">crypto</text>
 </g>
-<!-- node1537&#45;&gt;node1534 -->
+<!-- node21&#45;&gt;node2166 -->
 <g id="edge2" class="edge">
-<title>node1537&#45;&gt;node1534</title>
-<path fill="none" stroke="#000000" d="M317,-359.8314C317,-352.131 317,-342.9743 317,-334.4166"/>
-<polygon fill="#000000" stroke="#000000" points="320.5001,-334.4132 317,-324.4133 313.5001,-334.4133 320.5001,-334.4132"/>
+<title>node21&#45;&gt;node2166</title>
+<path fill="none" stroke="#000000" stroke-dasharray="5,2" d="M187.2501,-76.7941C196.124,-66.9645 208.4751,-53.2833 219.0301,-41.5917"/>
+<polygon fill="#000000" stroke="#000000" points="221.8825,-43.6551 225.9856,-33.8871 216.6866,-38.9644 221.8825,-43.6551"/>
 </g>
-<!-- node1536 -->
+<!-- node2167 -->
 <g id="node4" class="node">
-<title>node1536</title>
-<polygon fill="none" stroke="#000000" points="317,-252 227.162,-234 317,-216 406.838,-234 317,-252"/>
-<text text-anchor="middle" x="317" y="-230.9" font-family="Times,serif" font-size="12.00" fill="#000000">mbedcrypto_static</text>
+<title>node2167</title>
+<ellipse fill="none" stroke="#000000" cx="314.3281" cy="-18" rx="27" ry="18"/>
+<text text-anchor="middle" x="314.3281" y="-14.9" font-family="Times,serif" font-size="12.00" fill="#000000">dl</text>
 </g>
-<!-- node1534&#45;&gt;node1536 -->
+<!-- node21&#45;&gt;node2167 -->
 <g id="edge3" class="edge">
-<title>node1534&#45;&gt;node1536</title>
-<path fill="none" stroke="#000000" d="M317,-287.8314C317,-280.131 317,-270.9743 317,-262.4166"/>
-<polygon fill="#000000" stroke="#000000" points="320.5001,-262.4132 317,-252.4133 313.5001,-262.4133 320.5001,-262.4132"/>
+<title>node21&#45;&gt;node2167</title>
+<path fill="none" stroke="#000000" stroke-dasharray="5,2" d="M194.364,-80.1397C217.3768,-68.2194 256.4051,-48.0033 283.6765,-33.8771"/>
+<polygon fill="#000000" stroke="#000000" points="285.5172,-36.8654 292.7868,-29.1581 282.2975,-30.6497 285.5172,-36.8654"/>
 </g>
-<!-- node26 -->
+<!-- node29 -->
 <g id="node5" class="node">
-<title>node26</title>
-<polygon fill="none" stroke="#000000" points="347.5,-36 274.5,-36 274.5,0 347.5,0 347.5,-36"/>
-<text text-anchor="middle" x="311" y="-14.9" font-family="Times,serif" font-size="12.00" fill="#000000">oe_includes</text>
+<title>node29</title>
+<polygon fill="none" stroke="#000000" points="449.8281,-36 376.8281,-36 376.8281,0 449.8281,0 449.8281,-36"/>
+<text text-anchor="middle" x="413.3281" y="-14.9" font-family="Times,serif" font-size="12.00" fill="#000000">oe_includes</text>
 </g>
-<!-- node1536&#45;&gt;node26 -->
+<!-- node21&#45;&gt;node29 -->
 <g id="edge4" class="edge">
-<title>node1536&#45;&gt;node26</title>
-<path fill="none" stroke="#000000" d="M316.4988,-215.9555C315.4554,-178.3938 313.0432,-91.5541 311.7892,-46.4103"/>
-<polygon fill="#000000" stroke="#000000" points="315.2804,-46.044 311.504,-36.1451 308.2831,-46.2384 315.2804,-46.044"/>
+<title>node21&#45;&gt;node29</title>
+<path fill="none" stroke="#000000" d="M197.621,-81.6195C206.2344,-78.4751 216.1982,-74.951 225.3281,-72 228.7978,-70.8785 312.2858,-46.9406 366.8257,-31.3165"/>
+<polygon fill="#000000" stroke="#000000" points="367.9972,-34.6218 376.6468,-28.5033 366.0696,-27.8924 367.9972,-34.6218"/>
 </g>
-<!-- node1547 -->
+<!-- node2136 -->
 <g id="node6" class="node">
-<title>node1547</title>
-<polygon fill="none" stroke="#000000" points="158,-180 118.6478,-162 158,-144 197.3522,-162 158,-180"/>
-<text text-anchor="middle" x="158" y="-158.9" font-family="Times,serif" font-size="12.00" fill="#000000">oelibc</text>
+<title>node2136</title>
+<polygon fill="none" stroke="#000000" points="193.3281,-36 129.3281,-36 129.3281,0 193.3281,0 193.3281,-36"/>
+<text text-anchor="middle" x="161.3281" y="-14.9" font-family="Times,serif" font-size="12.00" fill="#000000">oedebugrt</text>
 </g>
-<!-- node1536&#45;&gt;node1547 -->
+<!-- node21&#45;&gt;node2136 -->
 <g id="edge5" class="edge">
-<title>node1536&#45;&gt;node1547</title>
-<path fill="none" stroke="#000000" d="M289.3043,-221.4586C260.6867,-208.4997 216.2065,-188.3577 187.0873,-175.1716"/>
-<polygon fill="#000000" stroke="#000000" points="188.3994,-171.9237 177.846,-170.9869 185.5118,-178.3004 188.3994,-171.9237"/>
+<title>node21&#45;&gt;node2136</title>
+<path fill="none" stroke="#000000" stroke-dasharray="5,2" d="M172.081,-73.3008C170.5082,-65.2118 168.5764,-55.2769 166.7862,-46.0702"/>
+<polygon fill="#000000" stroke="#000000" points="170.1963,-45.2702 164.8518,-36.1222 163.325,-46.6064 170.1963,-45.2702"/>
 </g>
-<!-- node1464 -->
+<!-- node2007 -->
 <g id="node7" class="node">
-<title>node1464</title>
-<polygon fill="none" stroke="#000000" points="62,-108 20.4241,-90 62,-72 103.5759,-90 62,-108"/>
-<text text-anchor="middle" x="62" y="-86.9" font-family="Times,serif" font-size="12.00" fill="#000000">oecore</text>
+<title>node2007</title>
+<polygon fill="none" stroke="#000000" points="502.8281,-540 429.8281,-540 429.8281,-504 502.8281,-504 502.8281,-540"/>
+<text text-anchor="middle" x="466.3281" y="-518.9" font-family="Times,serif" font-size="12.00" fill="#000000">mbedcrypto</text>
 </g>
-<!-- node1547&#45;&gt;node1464 -->
-<g id="edge6" class="edge">
-<title>node1547&#45;&gt;node1464</title>
-<path fill="none" stroke="#000000" d="M143,-150.75C127.6823,-139.2617 103.6746,-121.2559 85.7669,-107.8252"/>
-<polygon fill="#000000" stroke="#000000" points="87.6308,-104.8481 77.5308,-101.6481 83.4308,-110.4481 87.6308,-104.8481"/>
-</g>
-<!-- node1548 -->
+<!-- node2006 -->
 <g id="node8" class="node">
-<title>node1548</title>
-<polygon fill="none" stroke="#000000" points="180.5,-108 121.5,-108 121.5,-72 180.5,-72 180.5,-108"/>
-<text text-anchor="middle" x="151" y="-86.9" font-family="Times,serif" font-size="12.00" fill="#000000">oelibasm</text>
+<title>node2006</title>
+<polygon fill="none" stroke="#000000" points="466.3281,-468 420.0471,-450 466.3281,-432 512.6091,-450 466.3281,-468"/>
+<text text-anchor="middle" x="466.3281" y="-446.9" font-family="Times,serif" font-size="12.00" fill="#000000">mbedtls</text>
 </g>
-<!-- node1547&#45;&gt;node1548 -->
-<g id="edge8" class="edge">
-<title>node1547&#45;&gt;node1548</title>
-<path fill="none" stroke="#000000" stroke-dasharray="5,2" d="M156.3055,-144.5708C155.5319,-136.6139 154.5963,-126.9902 153.7275,-118.054"/>
-<polygon fill="#000000" stroke="#000000" points="157.2033,-117.635 152.752,-108.0206 150.2362,-118.3124 157.2033,-117.635"/>
+<!-- node2007&#45;&gt;node2006 -->
+<g id="edge6" class="edge">
+<title>node2007&#45;&gt;node2006</title>
+<path fill="none" stroke="#000000" stroke-dasharray="1,5" d="M466.3281,-503.8314C466.3281,-496.131 466.3281,-486.9743 466.3281,-478.4166"/>
+<polygon fill="#000000" stroke="#000000" points="469.8282,-478.4132 466.3281,-468.4133 462.8282,-478.4133 469.8282,-478.4132"/>
 </g>
-<!-- node1521 -->
+<!-- node2003 -->
 <g id="node9" class="node">
-<title>node1521</title>
-<polygon fill="none" stroke="#000000" points="289,-108 199,-108 199,-72 289,-72 289,-108"/>
-<text text-anchor="middle" x="244" y="-86.9" font-family="Times,serif" font-size="12.00" fill="#000000">oelibc_includes</text>
-</g>
-<!-- node1547&#45;&gt;node1521 -->
-<g id="edge9" class="edge">
-<title>node1547&#45;&gt;node1521</title>
-<path fill="none" stroke="#000000" d="M172.2012,-150.1107C183.7136,-140.4723 200.3233,-126.5665 214.668,-114.557"/>
-<polygon fill="#000000" stroke="#000000" points="216.9368,-117.2223 222.3576,-108.1193 212.4432,-111.855 216.9368,-117.2223"/>
+<title>node2003</title>
+<polygon fill="none" stroke="#000000" points="466.3281,-396 408.171,-378 466.3281,-360 524.4852,-378 466.3281,-396"/>
+<text text-anchor="middle" x="466.3281" y="-374.9" font-family="Times,serif" font-size="12.00" fill="#000000">mbedx509</text>
 </g>
-<!-- node1464&#45;&gt;node26 -->
+<!-- node2006&#45;&gt;node2003 -->
 <g id="edge7" class="edge">
-<title>node1464&#45;&gt;node26</title>
-<path fill="none" stroke="#000000" d="M84.2702,-81.5483C92.8808,-78.3951 102.8486,-74.8837 112,-72 163.7773,-55.6842 224.0424,-39.7494 264.5701,-29.4697"/>
-<polygon fill="#000000" stroke="#000000" points="265.5917,-32.8217 274.4314,-26.9812 263.8789,-26.0344 265.5917,-32.8217"/>
+<title>node2006&#45;&gt;node2003</title>
+<path fill="none" stroke="#000000" d="M466.3281,-431.8314C466.3281,-424.131 466.3281,-414.9743 466.3281,-406.4166"/>
+<polygon fill="#000000" stroke="#000000" points="469.8282,-406.4132 466.3281,-396.4133 462.8282,-406.4133 469.8282,-406.4132"/>
 </g>
-<!-- node1586 -->
+<!-- node2005 -->
 <g id="node10" class="node">
-<title>node1586</title>
-<polygon fill="none" stroke="#000000" points="418,-108 356,-108 356,-72 418,-72 418,-108"/>
-<text text-anchor="middle" x="387" y="-86.9" font-family="Times,serif" font-size="12.00" fill="#000000">oe_ptrace</text>
+<title>node2005</title>
+<polygon fill="none" stroke="#000000" points="466.3281,-324 376.49,-306 466.3281,-288 556.1661,-306 466.3281,-324"/>
+<text text-anchor="middle" x="466.3281" y="-302.9" font-family="Times,serif" font-size="12.00" fill="#000000">mbedcrypto_static</text>
 </g>
-<!-- node1586&#45;&gt;node26 -->
-<g id="edge11" class="edge">
-<title>node1586&#45;&gt;node26</title>
-<path fill="none" stroke="#000000" d="M367.822,-71.8314C358.6412,-63.1337 347.4994,-52.5783 337.5224,-43.1265"/>
-<polygon fill="#000000" stroke="#000000" points="339.8385,-40.4995 330.1719,-36.1628 335.0243,-45.5811 339.8385,-40.4995"/>
+<!-- node2003&#45;&gt;node2005 -->
+<g id="edge8" class="edge">
+<title>node2003&#45;&gt;node2005</title>
+<path fill="none" stroke="#000000" d="M466.3281,-359.8314C466.3281,-352.131 466.3281,-342.9743 466.3281,-334.4166"/>
+<polygon fill="#000000" stroke="#000000" points="469.8282,-334.4132 466.3281,-324.4133 462.8282,-334.4133 469.8282,-334.4132"/>
+</g>
+<!-- node2005&#45;&gt;node29 -->
+<g id="edge9" class="edge">
+<title>node2005&#45;&gt;node29</title>
+<path fill="none" stroke="#000000" d="M468.7015,-288.2944C473.3541,-248.3078 480.9656,-148.5383 453.3281,-72 449.7619,-62.124 443.7594,-52.5178 437.4743,-44.2124"/>
+<polygon fill="#000000" stroke="#000000" points="440.169,-41.9783 431.1748,-36.3788 434.714,-46.365 440.169,-41.9783"/>
 </g>
-<!-- node1630 -->
+<!-- node2016 -->
 <g id="node11" class="node">
-<title>node1630</title>
-<ellipse fill="none" stroke="#000000" cx="393" cy="-18" rx="27" ry="18"/>
-<text text-anchor="middle" x="393" y="-14.9" font-family="Times,serif" font-size="12.00" fill="#000000">dl</text>
+<title>node2016</title>
+<polygon fill="none" stroke="#000000" points="673.3281,-252 633.9759,-234 673.3281,-216 712.6803,-234 673.3281,-252"/>
+<text text-anchor="middle" x="673.3281" y="-230.9" font-family="Times,serif" font-size="12.00" fill="#000000">oelibc</text>
 </g>
-<!-- node1586&#45;&gt;node1630 -->
+<!-- node2005&#45;&gt;node2016 -->
 <g id="edge10" class="edge">
-<title>node1586&#45;&gt;node1630</title>
-<path fill="none" stroke="#000000" d="M388.5141,-71.8314C389.1558,-64.131 389.9188,-54.9743 390.6319,-46.4166"/>
-<polygon fill="#000000" stroke="#000000" points="394.1229,-46.6694 391.4656,-36.4133 387.1471,-46.088 394.1229,-46.6694"/>
+<title>node2005&#45;&gt;node2016</title>
+<path fill="none" stroke="#000000" d="M499.5862,-294.432C538.508,-280.894 602.5227,-258.628 641.0273,-245.2351"/>
+<polygon fill="#000000" stroke="#000000" points="642.4074,-248.4608 650.7026,-241.8697 640.1078,-241.8493 642.4074,-248.4608"/>
 </g>
-<!-- node1471 -->
+<!-- node1933 -->
 <g id="node12" class="node">
-<title>node1471</title>
-<polygon fill="none" stroke="#000000" points="317,-540 243.7438,-522 317,-504 390.2562,-522 317,-540"/>
-<text text-anchor="middle" x="317" y="-518.9" font-family="Times,serif" font-size="12.00" fill="#000000">oecryptombed</text>
+<title>node1933</title>
+<polygon fill="none" stroke="#000000" points="706.3281,-108 664.7522,-90 706.3281,-72 747.904,-90 706.3281,-108"/>
+<text text-anchor="middle" x="706.3281" y="-86.9" font-family="Times,serif" font-size="12.00" fill="#000000">oecore</text>
 </g>
-<!-- node1471&#45;&gt;node1538 -->
-<g id="edge12" class="edge">
-<title>node1471&#45;&gt;node1538</title>
-<path fill="none" stroke="#000000" d="M317,-503.8314C317,-496.131 317,-486.9743 317,-478.4166"/>
-<polygon fill="#000000" stroke="#000000" points="320.5001,-478.4132 317,-468.4133 313.5001,-478.4133 320.5001,-478.4132"/>
+<!-- node2016&#45;&gt;node1933 -->
+<g id="edge11" class="edge">
+<title>node2016&#45;&gt;node1933</title>
+<path fill="none" stroke="#000000" d="M669.0015,-217.6333C664.9175,-199.256 660.4875,-168.766 668.3281,-144 672.1427,-131.9508 679.7196,-120.2645 687.1107,-110.8632"/>
+<polygon fill="#000000" stroke="#000000" points="690.0135,-112.8474 693.733,-102.927 684.6388,-108.3626 690.0135,-112.8474"/>
 </g>
-<!-- node1452 -->
+<!-- node2017 -->
 <g id="node13" class="node">
-<title>node1452</title>
-<polygon fill="none" stroke="#000000" points="317,-612 261.066,-594 317,-576 372.934,-594 317,-612"/>
-<text text-anchor="middle" x="317" y="-590.9" font-family="Times,serif" font-size="12.00" fill="#000000">oeenclave</text>
+<title>node2017</title>
+<polygon fill="none" stroke="#000000" points="735.8281,-180 676.8281,-180 676.8281,-144 735.8281,-144 735.8281,-180"/>
+<text text-anchor="middle" x="706.3281" y="-158.9" font-family="Times,serif" font-size="12.00" fill="#000000">oelibasm</text>
 </g>
-<!-- node1452&#45;&gt;node1471 -->
+<!-- node2016&#45;&gt;node2017 -->
 <g id="edge13" class="edge">
-<title>node1452&#45;&gt;node1471</title>
-<path fill="none" stroke="#000000" d="M317,-575.8314C317,-568.131 317,-558.9743 317,-550.4166"/>
-<polygon fill="#000000" stroke="#000000" points="320.5001,-550.4132 317,-540.4133 313.5001,-550.4133 320.5001,-550.4132"/>
+<title>node2016&#45;&gt;node2017</title>
+<path fill="none" stroke="#000000" stroke-dasharray="5,2" d="M680.1657,-219.0816C684.0857,-210.5289 689.1291,-199.5251 693.74,-189.4649"/>
+<polygon fill="#000000" stroke="#000000" points="696.9926,-190.7685 697.9775,-180.2195 690.6291,-187.8519 696.9926,-190.7685"/>
 </g>
-<!-- node13 -->
+<!-- node1990 -->
 <g id="node14" class="node">
-<title>node13</title>
-<polygon fill="none" stroke="#000000" points="577,-108 536.1661,-90 577,-72 617.8339,-90 577,-108"/>
-<text text-anchor="middle" x="577" y="-86.9" font-family="Times,serif" font-size="12.00" fill="#000000">oehost</text>
+<title>node1990</title>
+<polygon fill="none" stroke="#000000" points="620.3281,-180 530.3281,-180 530.3281,-144 620.3281,-144 620.3281,-180"/>
+<text text-anchor="middle" x="575.3281" y="-158.9" font-family="Times,serif" font-size="12.00" fill="#000000">oelibc_includes</text>
 </g>
-<!-- node13&#45;&gt;node26 -->
-<g id="edge16" class="edge">
-<title>node13&#45;&gt;node26</title>
-<path fill="none" stroke="#000000" d="M548.8891,-84.3475C506.7377,-75.5925 424.8592,-57.5011 357,-36 356.9029,-35.9692 356.8057,-35.9384 356.7085,-35.9074"/>
-<polygon fill="#000000" stroke="#000000" points="358.0963,-32.6823 347.502,-32.7866 355.849,-39.3118 358.0963,-32.6823"/>
+<!-- node2016&#45;&gt;node1990 -->
+<g id="edge14" class="edge">
+<title>node2016&#45;&gt;node1990</title>
+<path fill="none" stroke="#000000" d="M658.0156,-222.75C644.813,-213.0502 625.2864,-198.7041 608.5235,-186.3885"/>
+<polygon fill="#000000" stroke="#000000" points="610.1887,-183.2689 600.0576,-180.1686 606.0442,-188.91 610.1887,-183.2689"/>
+</g>
+<!-- node2035 -->
+<g id="node15" class="node">
+<title>node2035</title>
+<polygon fill="none" stroke="#000000" points="913.3281,-180 862.1003,-162 913.3281,-144 964.5559,-162 913.3281,-180"/>
+<text text-anchor="middle" x="913.3281" y="-158.9" font-family="Times,serif" font-size="12.00" fill="#000000">oesyscall</text>
 </g>
-<!-- node13&#45;&gt;node1630 -->
+<!-- node2016&#45;&gt;node2035 -->
 <g id="edge15" class="edge">
-<title>node13&#45;&gt;node1630</title>
-<path fill="none" stroke="#000000" stroke-dasharray="5,2" d="M553.3514,-82.2995C523.8615,-72.4861 472.0804,-54.5579 429,-36 427.2191,-35.2328 425.4013,-34.4205 423.5755,-33.5818"/>
-<polygon fill="#000000" stroke="#000000" points="425.0462,-30.4055 414.5139,-29.2555 422.0302,-36.7225 425.0462,-30.4055"/>
+<title>node2016&#45;&gt;node2035</title>
+<path fill="none" stroke="#000000" d="M697.2176,-226.8331C739.0356,-214.2878 825.7926,-188.2606 875.7301,-173.2794"/>
+<polygon fill="#000000" stroke="#000000" points="876.9276,-176.5743 885.5002,-170.3484 874.9162,-169.8695 876.9276,-176.5743"/>
 </g>
-<!-- node1629 -->
-<g id="node15" class="node">
-<title>node1629</title>
-<ellipse fill="none" stroke="#000000" cx="722" cy="-18" rx="28.8653" ry="18"/>
-<text text-anchor="middle" x="722" y="-14.9" font-family="Times,serif" font-size="12.00" fill="#000000">crypto</text>
+<!-- node1933&#45;&gt;node29 -->
+<g id="edge12" class="edge">
+<title>node1933&#45;&gt;node29</title>
+<path fill="none" stroke="#000000" d="M679.5496,-83.4196C629.6345,-71.1538 521.828,-44.6621 459.8029,-29.4204"/>
+<polygon fill="#000000" stroke="#000000" points="460.4339,-25.9714 449.8876,-26.9839 458.7634,-32.7692 460.4339,-25.9714"/>
 </g>
-<!-- node13&#45;&gt;node1629 -->
-<g id="edge14" class="edge">
-<title>node13&#45;&gt;node1629</title>
-<path fill="none" stroke="#000000" stroke-dasharray="5,2" d="M596.2549,-80.439C620.2025,-68.5477 661.4238,-48.0792 690.1157,-33.8322"/>
-<polygon fill="#000000" stroke="#000000" points="691.9226,-36.8428 699.3226,-29.2605 688.8094,-30.5732 691.9226,-36.8428"/>
+<!-- node2035&#45;&gt;node1933 -->
+<g id="edge16" class="edge">
+<title>node2035&#45;&gt;node1933</title>
+<path fill="none" stroke="#000000" d="M887.5299,-153.0267C849.9836,-139.9671 780.2876,-115.725 739.1388,-101.4124"/>
+<polygon fill="#000000" stroke="#000000" points="740.1714,-98.066 729.5766,-98.0864 737.8717,-104.6774 740.1714,-98.066"/>
 </g>
-<!-- node1632 -->
+<!-- node2104 -->
 <g id="node16" class="node">
-<title>node1632</title>
-<ellipse fill="none" stroke="#000000" cx="816" cy="-18" rx="47.3006" ry="18"/>
-<text text-anchor="middle" x="816" y="-14.9" font-family="Times,serif" font-size="12.00" fill="#000000">sgx_dcap_ql</text>
+<title>node2104</title>
+<polygon fill="none" stroke="#000000" points="444.3281,-108 382.3281,-108 382.3281,-72 444.3281,-72 444.3281,-108"/>
+<text text-anchor="middle" x="413.3281" y="-86.9" font-family="Times,serif" font-size="12.00" fill="#000000">oe_ptrace</text>
 </g>
-<!-- node13&#45;&gt;node1632 -->
+<!-- node2104&#45;&gt;node2167 -->
 <g id="edge17" class="edge">
-<title>node13&#45;&gt;node1632</title>
-<path fill="none" stroke="#000000" d="M601.9207,-82.8523C637.1903,-72.6896 703.6528,-53.3666 760,-36 763.3211,-34.9764 766.7489,-33.9069 770.1963,-32.8217"/>
-<polygon fill="#000000" stroke="#000000" points="771.4171,-36.1064 779.8912,-29.7471 769.301,-29.4339 771.4171,-36.1064"/>
+<title>node2104&#45;&gt;node2167</title>
+<path fill="none" stroke="#000000" d="M388.3462,-71.8314C373.8854,-61.3144 355.6897,-48.0812 340.958,-37.3672"/>
+<polygon fill="#000000" stroke="#000000" points="342.8849,-34.4409 332.7389,-31.3897 338.7677,-40.102 342.8849,-34.4409"/>
 </g>
-<!-- node1631 -->
+<!-- node2104&#45;&gt;node29 -->
+<g id="edge18" class="edge">
+<title>node2104&#45;&gt;node29</title>
+<path fill="none" stroke="#000000" d="M413.3281,-71.8314C413.3281,-64.131 413.3281,-54.9743 413.3281,-46.4166"/>
+<polygon fill="#000000" stroke="#000000" points="416.8282,-46.4132 413.3281,-36.4133 409.8282,-46.4133 416.8282,-46.4132"/>
+</g>
+<!-- node139 -->
 <g id="node17" class="node">
-<title>node1631</title>
-<ellipse fill="none" stroke="#000000" cx="513" cy="-18" rx="75.2034" ry="18"/>
-<text text-anchor="middle" x="513" y="-14.9" font-family="Times,serif" font-size="12.00" fill="#000000">sgx_enclave_common</text>
+<title>node139</title>
+<polygon fill="none" stroke="#000000" points="167.8115,-167.5623 133.3281,-180 98.8447,-167.5623 98.8769,-147.4377 167.7793,-147.4377 167.8115,-167.5623"/>
+<text text-anchor="middle" x="133.3281" y="-158.9" font-family="Times,serif" font-size="12.00" fill="#000000">oecert</text>
 </g>
-<!-- node13&#45;&gt;node1631 -->
-<g id="edge18" class="edge">
-<title>node13&#45;&gt;node1631</title>
-<path fill="none" stroke="#000000" d="M565.2614,-76.7941C556.9345,-67.4263 545.498,-54.5603 535.4463,-43.252"/>
-<polygon fill="#000000" stroke="#000000" points="538.0234,-40.8831 528.7638,-35.7342 532.7915,-45.5336 538.0234,-40.8831"/>
+<!-- node139&#45;&gt;node21 -->
+<g id="edge19" class="edge">
+<title>node139&#45;&gt;node21</title>
+<path fill="none" stroke="#000000" d="M141.8274,-147.4297C147.5202,-137.6706 155.1401,-124.608 161.6742,-113.4067"/>
+<polygon fill="#000000" stroke="#000000" points="164.8259,-114.95 166.8414,-104.5486 158.7794,-111.4228 164.8259,-114.95"/>
 </g>
-<!-- node1633 -->
+<!-- node1102 -->
 <g id="node18" class="node">
-<title>node1633</title>
-<ellipse fill="none" stroke="#000000" cx="641" cy="-18" rx="34.4458" ry="18"/>
-<text text-anchor="middle" x="641" y="-14.9" font-family="Times,serif" font-size="12.00" fill="#000000">sgx_urts</text>
+<title>node1102</title>
+<polygon fill="none" stroke="#000000" points="843.3281,-324 801.7522,-306 843.3281,-288 884.904,-306 843.3281,-324"/>
+<text text-anchor="middle" x="843.3281" y="-302.9" font-family="Times,serif" font-size="12.00" fill="#000000">oecpio</text>
 </g>
-<!-- node13&#45;&gt;node1633 -->
-<g id="edge19" class="edge">
-<title>node13&#45;&gt;node1633</title>
-<path fill="none" stroke="#000000" d="M588.7386,-76.7941C597.3587,-67.0964 609.3112,-53.6499 619.6102,-42.0635"/>
-<polygon fill="#000000" stroke="#000000" points="622.3871,-44.2077 626.4149,-34.4083 617.1552,-39.5571 622.3871,-44.2077"/>
+<!-- node1102&#45;&gt;node2016 -->
+<g id="edge21" class="edge">
+<title>node1102&#45;&gt;node2016</title>
+<path fill="none" stroke="#000000" stroke-dasharray="5,2" d="M822.1412,-297.0267C792.2485,-284.3663 737.5418,-261.1964 703.4368,-246.7519"/>
+<polygon fill="#000000" stroke="#000000" points="704.5561,-243.4251 693.9829,-242.7479 701.8261,-249.8708 704.5561,-243.4251"/>
 </g>
-<!-- node18 -->
+<!-- node1102&#45;&gt;node1933 -->
+<g id="edge20" class="edge">
+<title>node1102&#45;&gt;node1933</title>
+<path fill="none" stroke="#000000" stroke-dasharray="5,2" d="M826.9852,-294.8878C813.586,-285.0225 794.9912,-269.489 783.3281,-252 755.0961,-209.6657 768.9114,-189.0895 745.3281,-144 739.419,-132.7023 731.3662,-121.1202 724.1121,-111.594"/>
+<polygon fill="#000000" stroke="#000000" points="726.6834,-109.2009 717.7591,-103.4906 721.1745,-113.5198 726.6834,-109.2009"/>
+</g>
+<!-- node1940 -->
 <g id="node19" class="node">
-<title>node18</title>
-<polygon fill="none" stroke="#000000" points="652.5,-180 587.5,-180 587.5,-144 652.5,-144 652.5,-180"/>
-<text text-anchor="middle" x="620" y="-158.9" font-family="Times,serif" font-size="12.00" fill="#000000">oehostapp</text>
+<title>node1940</title>
+<polygon fill="none" stroke="#000000" points="466.3281,-612 393.0719,-594 466.3281,-576 539.5843,-594 466.3281,-612"/>
+<text text-anchor="middle" x="466.3281" y="-590.9" font-family="Times,serif" font-size="12.00" fill="#000000">oecryptombed</text>
 </g>
-<!-- node18&#45;&gt;node13 -->
-<g id="edge20" class="edge">
-<title>node18&#45;&gt;node13</title>
-<path fill="none" stroke="#000000" stroke-dasharray="1,5" d="M609.1493,-143.8314C603.5871,-134.518 596.7528,-123.0744 590.8177,-113.1367"/>
-<polygon fill="#000000" stroke="#000000" points="593.8146,-111.3286 585.6823,-104.5378 587.8048,-114.9178 593.8146,-111.3286"/>
+<!-- node1940&#45;&gt;node2007 -->
+<g id="edge22" class="edge">
+<title>node1940&#45;&gt;node2007</title>
+<path fill="none" stroke="#000000" d="M466.3281,-575.8314C466.3281,-568.131 466.3281,-558.9743 466.3281,-550.4166"/>
+<polygon fill="#000000" stroke="#000000" points="469.8282,-550.4132 466.3281,-540.4133 462.8282,-550.4133 469.8282,-550.4132"/>
 </g>
-<!-- node1557 -->
+<!-- node1919 -->
 <g id="node20" class="node">
-<title>node1557</title>
-<polygon fill="none" stroke="#000000" points="99,-324 49.2545,-306 99,-288 148.7455,-306 99,-324"/>
-<text text-anchor="middle" x="99" y="-302.9" font-family="Times,serif" font-size="12.00" fill="#000000">oelibcxx</text>
+<title>node1919</title>
+<polygon fill="none" stroke="#000000" points="466.3281,-684 410.3941,-666 466.3281,-648 522.2621,-666 466.3281,-684"/>
+<text text-anchor="middle" x="466.3281" y="-662.9" font-family="Times,serif" font-size="12.00" fill="#000000">oeenclave</text>
+</g>
+<!-- node1919&#45;&gt;node1940 -->
+<g id="edge23" class="edge">
+<title>node1919&#45;&gt;node1940</title>
+<path fill="none" stroke="#000000" d="M466.3281,-647.8314C466.3281,-640.131 466.3281,-630.9743 466.3281,-622.4166"/>
+<polygon fill="#000000" stroke="#000000" points="469.8282,-622.4132 466.3281,-612.4133 462.8282,-622.4133 469.8282,-622.4132"/>
 </g>
-<!-- node1494 -->
+<!-- node23 -->
 <g id="node21" class="node">
-<title>node1494</title>
-<polygon fill="none" stroke="#000000" points="54,-252 0,-252 0,-216 54,-216 54,-252"/>
-<text text-anchor="middle" x="27" y="-230.9" font-family="Times,serif" font-size="12.00" fill="#000000">libcxx</text>
+<title>node23</title>
+<polygon fill="none" stroke="#000000" points="250.8281,-180 185.8281,-180 185.8281,-144 250.8281,-144 250.8281,-180"/>
+<text text-anchor="middle" x="218.3281" y="-158.9" font-family="Times,serif" font-size="12.00" fill="#000000">oehostapp</text>
 </g>
-<!-- node1557&#45;&gt;node1494 -->
-<g id="edge21" class="edge">
-<title>node1557&#45;&gt;node1494</title>
-<path fill="none" stroke="#000000" d="M85.4574,-292.4574C76.1009,-283.1009 63.3747,-270.3747 52.1851,-259.1851"/>
-<polygon fill="#000000" stroke="#000000" points="54.6507,-256.7009 45.1047,-252.1047 49.7009,-261.6507 54.6507,-256.7009"/>
+<!-- node23&#45;&gt;node21 -->
+<g id="edge24" class="edge">
+<title>node23&#45;&gt;node21</title>
+<path fill="none" stroke="#000000" stroke-dasharray="1,5" d="M207.4774,-143.8314C201.9152,-134.518 195.0809,-123.0744 189.1458,-113.1367"/>
+<polygon fill="#000000" stroke="#000000" points="192.1427,-111.3286 184.0104,-104.5378 186.1329,-114.9178 192.1427,-111.3286"/>
 </g>
-<!-- node1501 -->
+<!-- node2086 -->
 <g id="node22" class="node">
-<title>node1501</title>
-<polygon fill="none" stroke="#000000" points="126,-252 72,-252 72,-216 126,-216 126,-252"/>
-<text text-anchor="middle" x="99" y="-230.9" font-family="Times,serif" font-size="12.00" fill="#000000">libcxxrt</text>
+<title>node2086</title>
+<polygon fill="none" stroke="#000000" points="1274.3281,-252 1212.7064,-234 1274.3281,-216 1335.9498,-234 1274.3281,-252"/>
+<text text-anchor="middle" x="1274.3281" y="-230.9" font-family="Times,serif" font-size="12.00" fill="#000000">oehostepoll</text>
 </g>
-<!-- node1557&#45;&gt;node1501 -->
-<g id="edge23" class="edge">
-<title>node1557&#45;&gt;node1501</title>
-<path fill="none" stroke="#000000" d="M99,-287.8314C99,-280.131 99,-270.9743 99,-262.4166"/>
-<polygon fill="#000000" stroke="#000000" points="102.5001,-262.4132 99,-252.4133 95.5001,-262.4133 102.5001,-262.4132"/>
-</g>
-<!-- node1511 -->
-<g id="node23" class="node">
-<title>node1511</title>
-<polygon fill="none" stroke="#000000" points="209.5,-252 144.5,-252 144.5,-216 209.5,-216 209.5,-252"/>
-<text text-anchor="middle" x="177" y="-230.9" font-family="Times,serif" font-size="12.00" fill="#000000">libunwind</text>
-</g>
-<!-- node1557&#45;&gt;node1511 -->
+<!-- node2086&#45;&gt;node2035 -->
 <g id="edge25" class="edge">
-<title>node1557&#45;&gt;node1511</title>
-<path fill="none" stroke="#000000" d="M113.3064,-292.7941C123.5772,-283.3134 137.7296,-270.2496 150.0859,-258.8438"/>
-<polygon fill="#000000" stroke="#000000" points="152.5225,-261.3579 157.4965,-252.0032 147.7745,-256.2142 152.5225,-261.3579"/>
+<title>node2086&#45;&gt;node2035</title>
+<path fill="none" stroke="#000000" d="M1241.914,-225.3162C1229.8416,-222.2051 1215.9968,-218.7824 1203.3281,-216 1117.1542,-197.0739 1015.63,-179.1656 958.4416,-169.4764"/>
+<polygon fill="#000000" stroke="#000000" points="958.7358,-165.9766 948.2929,-167.7644 957.5714,-172.8791 958.7358,-165.9766"/>
 </g>
-<!-- node1494&#45;&gt;node1547 -->
-<g id="edge22" class="edge">
-<title>node1494&#45;&gt;node1547</title>
-<path fill="none" stroke="#000000" d="M54.1433,-219.0816C76.7011,-206.6834 108.6303,-189.1345 131.1159,-176.776"/>
-<polygon fill="#000000" stroke="#000000" points="133.0418,-179.7113 140.1196,-171.8274 129.6701,-173.5768 133.0418,-179.7113"/>
-</g>
-<!-- node1501&#45;&gt;node1547 -->
-<g id="edge24" class="edge">
-<title>node1501&#45;&gt;node1547</title>
-<path fill="none" stroke="#000000" d="M113.8882,-215.8314C122.0769,-205.8384 132.2751,-193.3931 140.8025,-182.9868"/>
-<polygon fill="#000000" stroke="#000000" points="143.5817,-185.1172 147.2128,-175.164 138.1674,-180.6804 143.5817,-185.1172"/>
+<!-- node2056 -->
+<g id="node23" class="node">
+<title>node2056</title>
+<polygon fill="none" stroke="#000000" points="841.3281,-252 792.8228,-234 841.3281,-216 889.8334,-234 841.3281,-252"/>
+<text text-anchor="middle" x="841.3281" y="-230.9" font-family="Times,serif" font-size="12.00" fill="#000000">oehostfs</text>
 </g>
-<!-- node1511&#45;&gt;node1547 -->
+<!-- node2056&#45;&gt;node2035 -->
 <g id="edge26" class="edge">
-<title>node1511&#45;&gt;node1547</title>
-<path fill="none" stroke="#000000" d="M172.2055,-215.8314C170.001,-207.4774 167.3442,-197.4096 164.9276,-188.252"/>
-<polygon fill="#000000" stroke="#000000" points="168.2739,-187.2152 162.3381,-178.4393 161.5056,-189.0014 168.2739,-187.2152"/>
+<title>node2056&#45;&gt;node2035</title>
+<path fill="none" stroke="#000000" d="M854.534,-220.7941C865.1578,-210.1703 880.2807,-195.0474 892.5283,-182.7998"/>
+<polygon fill="#000000" stroke="#000000" points="895.1205,-185.1574 899.7167,-175.6114 890.1707,-180.2076 895.1205,-185.1574"/>
 </g>
-<!-- node1566 -->
+<!-- node2066 -->
 <g id="node24" class="node">
-<title>node1566</title>
-<polygon fill="none" stroke="#000000" points="55,-180 8.719,-162 55,-144 101.281,-162 55,-180"/>
-<text text-anchor="middle" x="55" y="-158.9" font-family="Times,serif" font-size="12.00" fill="#000000">oesyscall</text>
+<title>node2066</title>
+<polygon fill="none" stroke="#000000" points="982.3281,-252 908.3309,-234 982.3281,-216 1056.3252,-234 982.3281,-252"/>
+<text text-anchor="middle" x="982.3281" y="-230.9" font-family="Times,serif" font-size="12.00" fill="#000000">oehostresolver</text>
 </g>
-<!-- node1566&#45;&gt;node1464 -->
+<!-- node2066&#45;&gt;node2035 -->
 <g id="edge27" class="edge">
-<title>node1566&#45;&gt;node1464</title>
-<path fill="none" stroke="#000000" d="M56.6945,-144.5708C57.4797,-136.4942 58.4319,-126.7004 59.3117,-117.6514"/>
-<polygon fill="#000000" stroke="#000000" points="62.8127,-117.81 60.2968,-107.5182 55.8455,-117.1326 62.8127,-117.81"/>
+<title>node2066&#45;&gt;node2035</title>
+<path fill="none" stroke="#000000" d="M968.0312,-219.0816C958.153,-208.7738 944.8627,-194.9057 933.8558,-183.4202"/>
+<polygon fill="#000000" stroke="#000000" points="936.1164,-180.7205 926.6703,-175.9223 931.0624,-185.5639 936.1164,-180.7205"/>
 </g>
-<!-- node1432 -->
+<!-- node2076 -->
 <g id="node25" class="node">
-<title>node1432</title>
-<polygon fill="none" stroke="#000000" points="457.4599,-599.5623 424,-612 390.5401,-599.5623 390.5714,-579.4377 457.4286,-579.4377 457.4599,-599.5623"/>
-<text text-anchor="middle" x="424" y="-590.9" font-family="Times,serif" font-size="12.00" fill="#000000">oesgx</text>
-</g>
-<!-- node1442 -->
-<g id="node26" class="node">
-<title>node1442</title>
-<polygon fill="none" stroke="#000000" points="569.5269,-167.5623 534,-180 498.4731,-167.5623 498.5063,-147.4377 569.4937,-147.4377 569.5269,-167.5623"/>
-<text text-anchor="middle" x="534" y="-158.9" font-family="Times,serif" font-size="12.00" fill="#000000">oesign</text>
+<title>node2076</title>
+<polygon fill="none" stroke="#000000" points="1134.3281,-252 1074.1891,-234 1134.3281,-216 1194.467,-234 1134.3281,-252"/>
+<text text-anchor="middle" x="1134.3281" y="-230.9" font-family="Times,serif" font-size="12.00" fill="#000000">oehostsock</text>
 </g>
-<!-- node1442&#45;&gt;node13 -->
+<!-- node2076&#45;&gt;node2035 -->
 <g id="edge28" class="edge">
-<title>node1442&#45;&gt;node13</title>
-<path fill="none" stroke="#000000" d="M542.7017,-147.4297C548.5301,-137.6706 556.3313,-124.608 563.021,-113.4067"/>
-<polygon fill="#000000" stroke="#000000" points="566.1887,-114.9287 568.3112,-104.5486 560.1789,-111.3394 566.1887,-114.9287"/>
+<title>node2076&#45;&gt;node2035</title>
+<path fill="none" stroke="#000000" d="M1105.4362,-224.5873C1065.4912,-211.5735 993.3997,-188.0867 949.7938,-173.8802"/>
+<polygon fill="#000000" stroke="#000000" points="950.7433,-170.5086 940.151,-170.7387 948.5749,-177.1643 950.7433,-170.5086"/>
+</g>
+<!-- node22 -->
+<g id="node26" class="node">
+<title>node22</title>
+<polygon fill="none" stroke="#000000" points="299.3281,-108 234.2417,-90 299.3281,-72 364.4145,-90 299.3281,-108"/>
+<text text-anchor="middle" x="299.3281" y="-86.9" font-family="Times,serif" font-size="12.00" fill="#000000">oehostverify</text>
+</g>
+<!-- node22&#45;&gt;node2166 -->
+<g id="edge29" class="edge">
+<title>node22&#45;&gt;node2166</title>
+<path fill="none" stroke="#000000" stroke-dasharray="5,2" d="M287.1033,-75.0816C279.3032,-65.5628 269.0152,-53.008 260.0742,-42.097"/>
+<polygon fill="#000000" stroke="#000000" points="262.6085,-39.6676 253.5631,-34.1512 257.1942,-44.1044 262.6085,-39.6676"/>
+</g>
+<!-- node22&#45;&gt;node2167 -->
+<g id="edge30" class="edge">
+<title>node22&#45;&gt;node2167</title>
+<path fill="none" stroke="#000000" stroke-dasharray="5,2" d="M302.8829,-72.937C304.5698,-64.8397 306.629,-54.9555 308.5334,-45.8147"/>
+<polygon fill="#000000" stroke="#000000" points="311.9763,-46.4489 310.5895,-35.9453 305.1234,-45.0212 311.9763,-46.4489"/>
+</g>
+<!-- node22&#45;&gt;node29 -->
+<g id="edge31" class="edge">
+<title>node22&#45;&gt;node29</title>
+<path fill="none" stroke="#000000" d="M319.1854,-77.4586C334.8255,-67.5806 357.0738,-53.529 376.0154,-41.5659"/>
+<polygon fill="#000000" stroke="#000000" points="378.1407,-44.3633 384.7266,-36.0641 374.4027,-38.4449 378.1407,-44.3633"/>
+</g>
+<!-- node2026 -->
+<g id="node27" class="node">
+<title>node2026</title>
+<polygon fill="none" stroke="#000000" points="673.3281,-396 623.5826,-378 673.3281,-360 723.0735,-378 673.3281,-396"/>
+<text text-anchor="middle" x="673.3281" y="-374.9" font-family="Times,serif" font-size="12.00" fill="#000000">oelibcxx</text>
+</g>
+<!-- node1963 -->
+<g id="node28" class="node">
+<title>node1963</title>
+<polygon fill="none" stroke="#000000" points="628.3281,-324 574.3281,-324 574.3281,-288 628.3281,-288 628.3281,-324"/>
+<text text-anchor="middle" x="601.3281" y="-302.9" font-family="Times,serif" font-size="12.00" fill="#000000">libcxx</text>
+</g>
+<!-- node2026&#45;&gt;node1963 -->
+<g id="edge32" class="edge">
+<title>node2026&#45;&gt;node1963</title>
+<path fill="none" stroke="#000000" d="M659.7854,-364.4574C650.429,-355.1009 637.7028,-342.3747 626.5132,-331.1851"/>
+<polygon fill="#000000" stroke="#000000" points="628.9788,-328.7009 619.4328,-324.1047 624.029,-333.6507 628.9788,-328.7009"/>
+</g>
+<!-- node1970 -->
+<g id="node29" class="node">
+<title>node1970</title>
+<polygon fill="none" stroke="#000000" points="700.3281,-324 646.3281,-324 646.3281,-288 700.3281,-288 700.3281,-324"/>
+<text text-anchor="middle" x="673.3281" y="-302.9" font-family="Times,serif" font-size="12.00" fill="#000000">libcxxrt</text>
+</g>
+<!-- node2026&#45;&gt;node1970 -->
+<g id="edge34" class="edge">
+<title>node2026&#45;&gt;node1970</title>
+<path fill="none" stroke="#000000" d="M673.3281,-359.8314C673.3281,-352.131 673.3281,-342.9743 673.3281,-334.4166"/>
+<polygon fill="#000000" stroke="#000000" points="676.8282,-334.4132 673.3281,-324.4133 669.8282,-334.4133 676.8282,-334.4132"/>
+</g>
+<!-- node1980 -->
+<g id="node30" class="node">
+<title>node1980</title>
+<polygon fill="none" stroke="#000000" points="783.8281,-324 718.8281,-324 718.8281,-288 783.8281,-288 783.8281,-324"/>
+<text text-anchor="middle" x="751.3281" y="-302.9" font-family="Times,serif" font-size="12.00" fill="#000000">libunwind</text>
+</g>
+<!-- node2026&#45;&gt;node1980 -->
+<g id="edge36" class="edge">
+<title>node2026&#45;&gt;node1980</title>
+<path fill="none" stroke="#000000" d="M687.6345,-364.7941C697.9053,-355.3134 712.0576,-342.2496 724.4139,-330.8438"/>
+<polygon fill="#000000" stroke="#000000" points="726.8506,-333.3579 731.8246,-324.0032 722.1026,-328.2142 726.8506,-333.3579"/>
+</g>
+<!-- node1963&#45;&gt;node2016 -->
+<g id="edge33" class="edge">
+<title>node1963&#45;&gt;node2016</title>
+<path fill="none" stroke="#000000" d="M619.4967,-287.8314C629.8217,-277.5064 642.7646,-264.5635 653.3715,-253.9566"/>
+<polygon fill="#000000" stroke="#000000" points="656.0151,-256.2627 660.6113,-246.7168 651.0654,-251.313 656.0151,-256.2627"/>
+</g>
+<!-- node1970&#45;&gt;node2016 -->
+<g id="edge35" class="edge">
+<title>node1970&#45;&gt;node2016</title>
+<path fill="none" stroke="#000000" d="M673.3281,-287.8314C673.3281,-280.131 673.3281,-270.9743 673.3281,-262.4166"/>
+<polygon fill="#000000" stroke="#000000" points="676.8282,-262.4132 673.3281,-252.4133 669.8282,-262.4133 676.8282,-262.4132"/>
+</g>
+<!-- node1980&#45;&gt;node2016 -->
+<g id="edge37" class="edge">
+<title>node1980&#45;&gt;node2016</title>
+<path fill="none" stroke="#000000" d="M731.6454,-287.8314C720.2048,-277.2708 705.7971,-263.9714 694.165,-253.2341"/>
+<polygon fill="#000000" stroke="#000000" points="696.3481,-250.486 686.626,-246.275 691.6001,-255.6297 696.3481,-250.486"/>
+</g>
+<!-- node1899 -->
+<g id="node31" class="node">
+<title>node1899</title>
+<polygon fill="none" stroke="#000000" points="606.788,-671.5623 573.3281,-684 539.8682,-671.5623 539.8995,-651.4377 606.7567,-651.4377 606.788,-671.5623"/>
+<text text-anchor="middle" x="573.3281" y="-662.9" font-family="Times,serif" font-size="12.00" fill="#000000">oesgx</text>
+</g>
+<!-- node1909 -->
+<g id="node32" class="node">
+<title>node1909</title>
+<polygon fill="none" stroke="#000000" points="339.855,-167.5623 304.3281,-180 268.8012,-167.5623 268.8344,-147.4377 339.8218,-147.4377 339.855,-167.5623"/>
+<text text-anchor="middle" x="304.3281" y="-158.9" font-family="Times,serif" font-size="12.00" fill="#000000">oesign</text>
+</g>
+<!-- node1909&#45;&gt;node21 -->
+<g id="edge38" class="edge">
+<title>node1909&#45;&gt;node21</title>
+<path fill="none" stroke="#000000" d="M278.223,-147.4297C256.1918,-135.1332 224.7641,-117.5922 202.45,-105.1378"/>
+<polygon fill="#000000" stroke="#000000" points="203.9365,-101.9592 193.4987,-100.1417 200.5249,-108.0716 203.9365,-101.9592"/>
 </g>
 </g>
 </svg>

From 7945b44e2705a96b352e5a3c294a0253eaee422d Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 12 Nov 2019 19:37:17 +0000
Subject: [PATCH 272/420] Replace `List.exists` with `List.find_opt`

Now that we have modern OCaml!

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/src/Emitter.ml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/tools/oeedger8r/src/Emitter.ml b/tools/oeedger8r/src/Emitter.ml
index 90dfcb784b..fe2d7319a1 100644
--- a/tools/oeedger8r/src/Emitter.ml
+++ b/tools/oeedger8r/src/Emitter.ml
@@ -528,10 +528,7 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
     let structs =
       filter_map (function StructDef s -> Some s | _ -> None) ec.comp_defs
     in
-    (* TODO: [List.find_opt] is better, but requires 4.05. *)
-    if List.exists (fun s -> s.sname = name) structs then
-      Some (List.find (fun s -> s.sname = name) structs)
-    else None
+    List.find_opt (fun s -> s.sname = name) structs
   in
   (* We need to check [Ptr]s for [Foreign] or [Struct] types, then
      check those against the user's [Struct]s, and then check if any

From dc4dcc4e59d0b98a271804debc3a94c73732f379 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 12 Nov 2019 22:15:19 +0000
Subject: [PATCH 273/420] Bump OCaml to 4.08

We can go one version higher (which brings in `List.of_seq`); however,
Merlin does not yet support 4.09. Even more modern OCaml!

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/esy.lock/index.json           | 152 +++++++++---------
 .../esy.lock/opam/ocamlformat.0.12/opam       |   4 +-
 tools/oeedger8r/esy.lock/opam/seq.0.2/opam    |  22 ---
 .../esy.lock/opam/seq.base/files/META.seq     |   4 +
 .../esy.lock/opam/seq.base/files/seq.install  |   3 +
 tools/oeedger8r/esy.lock/opam/seq.base/opam   |  15 ++
 tools/oeedger8r/package.json                  |   4 +-
 7 files changed, 99 insertions(+), 105 deletions(-)
 delete mode 100644 tools/oeedger8r/esy.lock/opam/seq.0.2/opam
 create mode 100644 tools/oeedger8r/esy.lock/opam/seq.base/files/META.seq
 create mode 100644 tools/oeedger8r/esy.lock/opam/seq.base/files/seq.install
 create mode 100644 tools/oeedger8r/esy.lock/opam/seq.base/opam

diff --git a/tools/oeedger8r/esy.lock/index.json b/tools/oeedger8r/esy.lock/index.json
index cc7de2e32b..37d4d7d2de 100644
--- a/tools/oeedger8r/esy.lock/index.json
+++ b/tools/oeedger8r/esy.lock/index.json
@@ -1,5 +1,5 @@
 {
-  "checksum": "f8e36b6ee01815c9f58e9b6a6d5c1cd6",
+  "checksum": "28ece31f2d1499e7e2f4bd8bb580fab1",
   "root": "oeedger8r@link-dev:./package.json",
   "node": {
     "oeedger8r@link-dev:./package.json": {
@@ -13,21 +13,21 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
+        "ocaml@4.8.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlformat@opam:0.12@c757d3c3",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/ocamlformat@opam:0.12@35299172",
         "@opam/merlin@opam:3.3.2@7a364181"
       ]
     },
-    "ocaml@4.6.1000@d41d8cd9": {
-      "id": "ocaml@4.6.1000@d41d8cd9",
+    "ocaml@4.8.1000@d41d8cd9": {
+      "id": "ocaml@4.8.1000@d41d8cd9",
       "name": "ocaml",
-      "version": "4.6.1000",
+      "version": "4.8.1000",
       "source": {
         "type": "install",
         "source": [
-          "archive:https://registry.npmjs.org/ocaml/-/ocaml-4.6.1000.tgz#sha1:99525ef559353481396454f9a072dedc96b52f44"
+          "archive:https://registry.npmjs.org/ocaml/-/ocaml-4.8.1000.tgz#sha1:abc435b5d4ddea2acba8b2df7efb81e2d1690db1"
         ]
       },
       "overrides": [],
@@ -52,13 +52,13 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/easy-format@opam:1.3.2@0484b3c4",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/easy-format@opam:1.3.2@0484b3c4",
         "@opam/dune@opam:1.11.4@21d66ccd", "@opam/cppo@opam:1.6.6@f4f83858",
         "@opam/biniou@opam:1.2.1@d7570399",
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/easy-format@opam:1.3.2@0484b3c4",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/easy-format@opam:1.3.2@0484b3c4",
         "@opam/dune@opam:1.11.4@21d66ccd", "@opam/biniou@opam:1.2.1@d7570399"
       ]
     },
@@ -80,7 +80,7 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uchar@opam:0.0.2@c8218eea",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/uchar@opam:0.0.2@c8218eea",
         "@opam/topkg@opam:1.0.1@a42c631e",
         "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
         "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
@@ -88,7 +88,7 @@
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uchar@opam:0.0.2@c8218eea"
+        "ocaml@4.8.1000@d41d8cd9", "@opam/uchar@opam:0.0.2@c8218eea"
       ]
     },
     "@opam/uuseg@opam:12.0.0@bf82c4c7": {
@@ -109,7 +109,7 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
         "@opam/uucp@opam:12.0.0@b7d4c3df", "@opam/uchar@opam:0.0.2@c8218eea",
         "@opam/topkg@opam:1.0.1@a42c631e",
         "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
@@ -118,7 +118,7 @@
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uucp@opam:12.0.0@b7d4c3df",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/uucp@opam:12.0.0@b7d4c3df",
         "@opam/uchar@opam:0.0.2@c8218eea"
       ]
     },
@@ -140,7 +140,7 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
         "@opam/uchar@opam:0.0.2@c8218eea", "@opam/topkg@opam:1.0.1@a42c631e",
         "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
         "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
@@ -148,7 +148,7 @@
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uchar@opam:0.0.2@c8218eea"
+        "ocaml@4.8.1000@d41d8cd9", "@opam/uchar@opam:0.0.2@c8218eea"
       ]
     },
     "@opam/uchar@opam:0.0.2@c8218eea": {
@@ -169,10 +169,10 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
-      "devDependencies": [ "ocaml@4.6.1000@d41d8cd9" ]
+      "devDependencies": [ "ocaml@4.8.1000@d41d8cd9" ]
     },
     "@opam/tyxml@opam:4.3.0@c1da25f1": {
       "id": "@opam/tyxml@opam:4.3.0@c1da25f1",
@@ -192,13 +192,13 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
-        "@opam/seq@opam:0.2@35c16df8", "@opam/re@opam:1.9.0@d4d5e13d",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "@opam/seq@opam:base@d8d7de1d", "@opam/re@opam:1.9.0@d4d5e13d",
         "@opam/dune@opam:1.11.4@21d66ccd", "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
-        "@opam/seq@opam:0.2@35c16df8", "@opam/re@opam:1.9.0@d4d5e13d",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "@opam/seq@opam:base@d8d7de1d", "@opam/re@opam:1.9.0@d4d5e13d",
         "@opam/dune@opam:1.11.4@21d66ccd"
       ]
     },
@@ -220,12 +220,12 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
         "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlbuild@opam:0.14.0@6ac75d03"
+        "ocaml@4.8.1000@d41d8cd9", "@opam/ocamlbuild@opam:0.14.0@6ac75d03"
       ]
     },
     "@opam/stdio@opam:v0.12.0@04b3b004": {
@@ -246,12 +246,12 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
         "@opam/base@opam:v0.12.2@d687150c",
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
         "@opam/base@opam:v0.12.2@d687150c"
       ]
     },
@@ -273,37 +273,31 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
+        "ocaml@4.8.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
       ]
     },
-    "@opam/seq@opam:0.2@35c16df8": {
-      "id": "@opam/seq@opam:0.2@35c16df8",
+    "@opam/seq@opam:base@d8d7de1d": {
+      "id": "@opam/seq@opam:base@d8d7de1d",
       "name": "@opam/seq",
-      "version": "opam:0.2",
+      "version": "opam:base",
       "source": {
         "type": "install",
-        "source": [
-          "archive:https://opam.ocaml.org/cache/md5/1d/1d5a9d0aba27b22433f518cdc495d0fd#md5:1d5a9d0aba27b22433f518cdc495d0fd",
-          "archive:https://github.com/c-cube/seq/archive/0.2.tar.gz#md5:1d5a9d0aba27b22433f518cdc495d0fd"
-        ],
+        "source": [ "no-source:" ],
         "opam": {
           "name": "seq",
-          "version": "0.2",
-          "path": "esy.lock/opam/seq.0.2"
+          "version": "base",
+          "path": "esy.lock/opam/seq.base"
         }
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
-        "@esy-ocaml/substs@0.0.1@d41d8cd9"
+        "ocaml@4.8.1000@d41d8cd9", "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
-      "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
-      ]
+      "devDependencies": [ "ocaml@4.8.1000@d41d8cd9" ]
     },
     "@opam/result@opam:1.4@dc720aef": {
       "id": "@opam/result@opam:1.4@dc720aef",
@@ -323,11 +317,11 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
+        "ocaml@4.8.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
       ]
     },
     "@opam/re@opam:1.9.0@d4d5e13d": {
@@ -348,11 +342,11 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/seq@opam:0.2@35c16df8",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/seq@opam:base@d8d7de1d",
         "@opam/dune@opam:1.11.4@21d66ccd", "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/seq@opam:0.2@35c16df8",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/seq@opam:base@d8d7de1d",
         "@opam/dune@opam:1.11.4@21d66ccd"
       ]
     },
@@ -374,11 +368,11 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
+        "ocaml@4.8.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
       ]
     },
     "@opam/odoc@opam:1.4.2@6f058006": {
@@ -399,7 +393,7 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/tyxml@opam:4.3.0@c1da25f1",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/tyxml@opam:4.3.0@c1da25f1",
         "@opam/result@opam:1.4@dc720aef", "@opam/fpath@opam:0.7.2@45477b93",
         "@opam/dune@opam:1.11.4@21d66ccd", "@opam/cppo@opam:1.6.6@f4f83858",
         "@opam/cmdliner@opam:1.0.4@93208aac",
@@ -407,11 +401,11 @@
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
+        "ocaml@4.8.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
       ]
     },
-    "@opam/ocamlformat@opam:0.12@c757d3c3": {
-      "id": "@opam/ocamlformat@opam:0.12@c757d3c3",
+    "@opam/ocamlformat@opam:0.12@35299172": {
+      "id": "@opam/ocamlformat@opam:0.12@35299172",
       "name": "@opam/ocamlformat",
       "version": "opam:0.12",
       "source": {
@@ -428,7 +422,7 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
         "@opam/uuseg@opam:12.0.0@bf82c4c7",
         "@opam/stdio@opam:v0.12.0@04b3b004", "@opam/re@opam:1.9.0@d4d5e13d",
         "@opam/odoc@opam:1.4.2@6f058006",
@@ -440,7 +434,7 @@
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/uutf@opam:1.0.2@4440868f",
         "@opam/uuseg@opam:12.0.0@bf82c4c7",
         "@opam/stdio@opam:v0.12.0@04b3b004", "@opam/re@opam:1.9.0@d4d5e13d",
         "@opam/odoc@opam:1.4.2@6f058006",
@@ -475,10 +469,10 @@
         }
       ],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/conf-m4@opam:1@3b2b148a",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/conf-m4@opam:1@3b2b148a",
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
-      "devDependencies": [ "ocaml@4.6.1000@d41d8cd9" ]
+      "devDependencies": [ "ocaml@4.8.1000@d41d8cd9" ]
     },
     "@opam/ocamlbuild@opam:0.14.0@6ac75d03": {
       "id": "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
@@ -503,9 +497,9 @@
         }
       ],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+        "ocaml@4.8.1000@d41d8cd9", "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
-      "devDependencies": [ "ocaml@4.6.1000@d41d8cd9" ]
+      "devDependencies": [ "ocaml@4.8.1000@d41d8cd9" ]
     },
     "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d": {
       "id": "@opam/ocaml-migrate-parsetree@opam:1.4.0@0c4ec62d",
@@ -525,12 +519,12 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/result@opam:1.4@dc720aef",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/result@opam:1.4@dc720aef",
         "@opam/ppx_derivers@opam:1.2.1@ecf0aa45",
         "@opam/dune@opam:1.11.4@21d66ccd", "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/result@opam:1.4@dc720aef",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/result@opam:1.4@dc720aef",
         "@opam/ppx_derivers@opam:1.2.1@ecf0aa45",
         "@opam/dune@opam:1.11.4@21d66ccd"
       ]
@@ -553,12 +547,12 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/yojson@opam:1.7.0@7056d985",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/yojson@opam:1.7.0@7056d985",
         "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
         "@opam/dune@opam:1.11.4@21d66ccd", "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/yojson@opam:1.7.0@7056d985",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/yojson@opam:1.7.0@7056d985",
         "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
         "@opam/dune@opam:1.11.4@21d66ccd"
       ]
@@ -581,7 +575,7 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/topkg@opam:1.0.1@a42c631e",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/topkg@opam:1.0.1@a42c631e",
         "@opam/result@opam:1.4@dc720aef",
         "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
         "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
@@ -589,7 +583,7 @@
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/result@opam:1.4@dc720aef",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/result@opam:1.4@dc720aef",
         "@opam/astring@opam:0.8.3@4e5e17d5"
       ]
     },
@@ -611,11 +605,11 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
+        "ocaml@4.8.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd"
       ]
     },
     "@opam/dune-configurator@opam:1.0.0@4873acd8": {
@@ -660,12 +654,12 @@
         }
       ],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/base-unix@opam:base@87d0b2eb",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/base-unix@opam:base@87d0b2eb",
         "@opam/base-threads@opam:base@36803084",
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/base-unix@opam:base@87d0b2eb",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/base-unix@opam:base@87d0b2eb",
         "@opam/base-threads@opam:base@36803084"
       ]
     },
@@ -687,12 +681,12 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
         "@opam/base-unix@opam:base@87d0b2eb",
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/dune@opam:1.11.4@21d66ccd",
         "@opam/base-unix@opam:base@87d0b2eb"
       ]
     },
@@ -731,9 +725,9 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@esy-ocaml/substs@0.0.1@d41d8cd9"
+        "ocaml@4.8.1000@d41d8cd9", "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
-      "devDependencies": [ "ocaml@4.6.1000@d41d8cd9" ]
+      "devDependencies": [ "ocaml@4.8.1000@d41d8cd9" ]
     },
     "@opam/biniou@opam:1.2.1@d7570399": {
       "id": "@opam/biniou@opam:1.2.1@d7570399",
@@ -753,11 +747,11 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/easy-format@opam:1.3.2@0484b3c4",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/easy-format@opam:1.3.2@0484b3c4",
         "@opam/dune@opam:1.11.4@21d66ccd", "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/easy-format@opam:1.3.2@0484b3c4",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/easy-format@opam:1.3.2@0484b3c4",
         "@opam/dune@opam:1.11.4@21d66ccd"
       ]
     },
@@ -810,11 +804,11 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/ocamlfind@opam:1.8.1@ff07b0f9"
+        "ocaml@4.8.1000@d41d8cd9", "@opam/ocamlfind@opam:1.8.1@ff07b0f9"
       ]
     },
     "@opam/base@opam:v0.12.2@d687150c": {
@@ -835,12 +829,12 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/sexplib0@opam:v0.12.0@e432406d",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/sexplib0@opam:v0.12.0@e432406d",
         "@opam/dune-configurator@opam:1.0.0@4873acd8",
         "@opam/dune@opam:1.11.4@21d66ccd", "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/sexplib0@opam:v0.12.0@e432406d",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/sexplib0@opam:v0.12.0@e432406d",
         "@opam/dune-configurator@opam:1.0.0@4873acd8",
         "@opam/dune@opam:1.11.4@21d66ccd"
       ]
@@ -863,14 +857,14 @@
       },
       "overrides": [],
       "dependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/topkg@opam:1.0.1@a42c631e",
+        "ocaml@4.8.1000@d41d8cd9", "@opam/topkg@opam:1.0.1@a42c631e",
         "@opam/ocamlfind@opam:1.8.1@ff07b0f9",
         "@opam/ocamlbuild@opam:0.14.0@6ac75d03",
         "@opam/base-bytes@opam:base@19d0c2ff",
         "@esy-ocaml/substs@0.0.1@d41d8cd9"
       ],
       "devDependencies": [
-        "ocaml@4.6.1000@d41d8cd9", "@opam/base-bytes@opam:base@19d0c2ff"
+        "ocaml@4.8.1000@d41d8cd9", "@opam/base-bytes@opam:base@19d0c2ff"
       ]
     },
     "@esy-ocaml/substs@0.0.1@d41d8cd9": {
diff --git a/tools/oeedger8r/esy.lock/opam/ocamlformat.0.12/opam b/tools/oeedger8r/esy.lock/opam/ocamlformat.0.12/opam
index e37b4a3e5c..00df987727 100644
--- a/tools/oeedger8r/esy.lock/opam/ocamlformat.0.12/opam
+++ b/tools/oeedger8r/esy.lock/opam/ocamlformat.0.12/opam
@@ -19,7 +19,7 @@ build: [
 ]
 depends: [
   "ocaml" {>= "4.06"}
-  "base" {>= "v0.11.0"}
+  "base" {>= "v0.11.0" & < "v0.13"}
   "base-unix"
   "cmdliner"
   "dune" {>= "1.11.1"}
@@ -27,7 +27,7 @@ depends: [
   "ocaml-migrate-parsetree" {>= "1.3.1"}
   "odoc" {>= "1.4.2"}
   "re"
-  "stdio"
+  "stdio" {< "v0.13"}
   "uuseg" {>= "10.0.0"}
   "uutf" {>= "1.0.1"}
 ]
diff --git a/tools/oeedger8r/esy.lock/opam/seq.0.2/opam b/tools/oeedger8r/esy.lock/opam/seq.0.2/opam
deleted file mode 100644
index 55c46960c6..0000000000
--- a/tools/oeedger8r/esy.lock/opam/seq.0.2/opam
+++ /dev/null
@@ -1,22 +0,0 @@
-opam-version: "2.0"
-synopsis:
-  "Compatibility package for OCaml's standard iterator type starting from 4.07"
-maintainer: "simon.cruanes.2007@m4x.org"
-authors: "Simon Cruanes"
-license: "LGPL2.1"
-tags: ["iterator" "seq" "pure" "list" "compatibility" "cascade"]
-homepage: "https://github.com/c-cube/seq/"
-bug-reports: "https://github.com/c-cube/seq/issues"
-depends: [
-  "dune" {>= "1.1.0"}
-  "ocaml" {< "4.07.0"}
-]
-build: ["dune" "build" "-p" name "-j" jobs]
-dev-repo: "git+https://github.com/c-cube/seq.git"
-url {
-  src: "https://github.com/c-cube/seq/archive/0.2.tar.gz"
-  checksum: [
-    "md5=1d5a9d0aba27b22433f518cdc495d0fd"
-    "sha512=b2571225a18e624b79dad5e1aab91b22e2fda17702f2e23c438b75d2a71e24c55ee8672005f5cc4b17ae79e3b277b1918b71b5d0d674b8b12ea19b3fb2d747cb"
-  ]
-}
\ No newline at end of file
diff --git a/tools/oeedger8r/esy.lock/opam/seq.base/files/META.seq b/tools/oeedger8r/esy.lock/opam/seq.base/files/META.seq
new file mode 100644
index 0000000000..06b95eff3f
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/seq.base/files/META.seq
@@ -0,0 +1,4 @@
+name="seq"
+version="[distributed with OCaml 4.07 or above]"
+description="dummy backward-compatibility package for iterators"
+requires=""
diff --git a/tools/oeedger8r/esy.lock/opam/seq.base/files/seq.install b/tools/oeedger8r/esy.lock/opam/seq.base/files/seq.install
new file mode 100644
index 0000000000..c4d70206e1
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/seq.base/files/seq.install
@@ -0,0 +1,3 @@
+lib:[
+  "META.seq" {"META"}
+]
diff --git a/tools/oeedger8r/esy.lock/opam/seq.base/opam b/tools/oeedger8r/esy.lock/opam/seq.base/opam
new file mode 100644
index 0000000000..b33d8c7da1
--- /dev/null
+++ b/tools/oeedger8r/esy.lock/opam/seq.base/opam
@@ -0,0 +1,15 @@
+opam-version: "2.0"
+maintainer: " "
+authors: " "
+homepage: " "
+depends: [
+  "ocaml" {>= "4.07.0"}
+]
+dev-repo: "git+https://github.com/ocaml/ocaml.git"
+bug-reports: "https://caml.inria.fr/mantis/main_page.php"
+synopsis:
+  "Compatibility package for OCaml's standard iterator type starting from 4.07."
+extra-files: [
+  ["seq.install" "md5=026b31e1df290373198373d5aaa26e42"]
+  ["META.seq" "md5=b33c8a1a6c7ed797816ce27df4855107"]
+]
diff --git a/tools/oeedger8r/package.json b/tools/oeedger8r/package.json
index 94b99d9253..a3cc0f43bd 100644
--- a/tools/oeedger8r/package.json
+++ b/tools/oeedger8r/package.json
@@ -23,12 +23,12 @@
 
   "dependencies": {
     "@opam/dune": "~1.11.3",
-    "ocaml": "~4.6.0"
+    "ocaml": "~4.8.0"
   },
 
   "devDependencies": {
     "@opam/merlin": "~3.3.2",
     "@opam/ocamlformat": "0.12",
-    "ocaml": "~4.6.0"
+    "ocaml": "~4.8.0"
   }
 }

From 0f7d9781878d9c572440ca46b2133ea04e491ea6 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 12 Nov 2019 22:18:19 +0000
Subject: [PATCH 274/420] Fix `filter_map` helper now that `Seq.filter_map` is
 available

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/src/Emitter.ml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/tools/oeedger8r/src/Emitter.ml b/tools/oeedger8r/src/Emitter.ml
index fe2d7319a1..d45ccfe0db 100644
--- a/tools/oeedger8r/src/Emitter.ml
+++ b/tools/oeedger8r/src/Emitter.ml
@@ -74,12 +74,7 @@ let conv_array_to_ptr (pd : pdecl) : pdecl =
 (** ----- End code borrowed and tweaked from {!CodeGen.ml} ----- *)
 
 (* Helper to map and filter out None at the same time. *)
-let filter_map f l =
-  (* Would be [List.of_seq (Seq.filter_map f (List.to_seq l))] if we
-     had 4.07 everywhere. *)
-  List.map
-    (function Some x -> x | None -> invalid_arg "None")
-    (List.filter (function Some _ -> true | None -> false) (List.map f l))
+let filter_map f l = List.of_seq (Seq.filter_map f (List.to_seq l))
 
 (* Helper to flatten and map at the same time. *)
 let flatten_map f l = List.flatten (List.map f l)

From cb8b53a54dab69a78b7361f9bbc74bc556db973e Mon Sep 17 00:00:00 2001
From: Sergio Wong <sergio.wong@gmail.com>
Date: Tue, 5 Nov 2019 18:59:04 +0000
Subject: [PATCH 275/420] Initial design document draft.

Signed-off-by: sewong <sewong@microsoft.com>
---
 docs/DesignDocs/SGX_Endorsements_V2.md | 222 +++++++++++++++++++++++++
 1 file changed, 222 insertions(+)
 create mode 100644 docs/DesignDocs/SGX_Endorsements_V2.md

diff --git a/docs/DesignDocs/SGX_Endorsements_V2.md b/docs/DesignDocs/SGX_Endorsements_V2.md
new file mode 100644
index 0000000000..9f74087408
--- /dev/null
+++ b/docs/DesignDocs/SGX_Endorsements_V2.md
@@ -0,0 +1,222 @@
+SGX Attestation Endorsements V2 Updates
+================
+
+Intel SGX released v2 of the Provision Certification Service for ECDSA Attestation.  The
+following APIs were affected:
+
+1. Get TCB Info.
+2. Get Quoting Enclave Identity.
+
+[API Version 1](https://api.portal.trustedservices.intel.com/documentation#pcs-certificate)
+
+[API Version 2](https://api.portal.trustedservices.intel.com/documentation#pcs-certificate-v2)
+
+This document describes the changes for supporting version 2 of the API as well as keeping
+the existing support for version 1 of the API.  This document assumes the user is familiar with
+the SGX attestation endorsements and how it is used during SGX quote verification.
+
+Motivation
+----------
+
+This change is required for customers who would like to use the v2 API web endpoints. Note that the Azure PCK
+Caching Service and the Azure DCAP Client will also need to be updated and it is outside of the this specification.
+
+User Experience
+---------------
+
+The user experience does not change, it should be seamless to the user.  The caller will be able to identify the version of the data by checking the existing `version` field.
+
+The quote verifier will specify whether to use the v1 or v2 Azure PCK Caching Service web API endpoints.  The
+quote verification logic will be able to determine the version of the API by checking the `version` field in endorsement data.
+
+Specification
+-------------
+
+## Differences between V1 and V2 APIs.
+
+The APIs to get the PCK Certificate and the revocation list are the same between the versions.  The APIs to
+get the TCB Info and get QE Identity are different.  The differences are highlighted below.
+
+### Get TCB Info
+1. tcbInfo:version changed from 1 to 2.
+2. New field tcbInfo:tcbType.
+3. New field tcbInfo:tcbEvaluationDataNumber.
+4. Field tcbInfo:tcbLevels:status was renamed to tcbInfo:tcbLevels:tcbStatus.
+5. New fields in tcbInfo:tcbLevels named tcbDate and advisoryIDs.
+
+### Get QE Identity Info
+1. The 'qeIdentity' block was renamed to 'enclaveIdentity'.
+2. A new field, enclaveIdentity:id was added to differentiate QE Id info from Quoting Enclave (QE) and Quoting Validation Enclave (QVE).
+3. enclaveIdentity:version changed from 1 to 2.
+4. New field enclaveIdentity:tcbEvaluationDataNumber.
+5. qeIdentity:isvsvn moved to enclaveIdentity:tcbLevels:tcb:isvsvn.
+6. New fields in enclaveIdentity:tcbLevels named tcbData, tcbStatus and advisoryIDs.
+
+### New field definitions
+
+#### tcbType:
+	type: integer
+	example: 0
+	description: >- Type of TCB level composition that determines TCB level comparison logic
+
+##### tcbEvaluationDataNumber:
+	type: integer
+	example: 2
+	description: >- A monotonically increasing sequence number changed when Intel updates the content of the TCB evaluation data set: TCB Info, QE Idenity and QVE Identity. The tcbEvaluationDataNumber update is synchronized across TCB Info for all flavors of SGX CPUs (Family-Model-Stepping-Platform-CustomSKU) and QE/QVE Identity. This sequence number allows users to easily determine when a particular TCB Info/QE Idenity/QVE Identiy superseedes another TCB Info/QE Identity/QVE Identity (value: current TCB Recovery event number stored in the database).
+
+##### tcbDate:
+	type: string
+	format: date-time
+	description: >- Representation of date and time when the TCB level was certified not to be vulnerable to any issues described in SAs that were published on or prior to this date. The time shall be in UTC and the encoding shall be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ).
+
+##### tcbStatus:
+	type: string
+	description: TCB level status
+
+##### advisoryIDs:
+	type: array
+	description: >- Array of Advisory IDs describing vulnerabilities that this TCB level is vulnerable to. Note: The value can be different for different FMSPCs. This field is optional. It will be present only if the list of Advisory IDs is not empty.
+	items:
+        type: string
+
+For more information on the new fields please see [API Version 2](https://api.portal.trustedservices.intel.com/documentation#pcs-certificate-v2).
+
+
+## Changes
+
+### Update current structs with new additional fields and create new type definitions.
+
+```C
+typedef enum _oe_tcb_level_status
+{
+    // Existing fields
+    OE_TCB_LEVEL_STATUS_UNKNOWN,
+    OE_TCB_LEVEL_STATUS_REVOKED,
+    OE_TCB_LEVEL_STATUS_OUT_OF_DATE,
+    OE_TCB_LEVEL_STATUS_CONFIGURATION_NEEDED,
+    OE_TCB_LEVEL_STATUS_UP_TO_DATE,
+
+    // New field for new value "OutOfDateConfigurationNeeded"
+    OE_TCB_LEVEL_STATUS_OUTOFDATE_CONFIGURATION_NEEDED,
+
+    __OE_TCB_LEVEL_MAX = OE_ENUM_MAX,
+
+} oe_tcb_level_status_t;
+
+// Existing TCB Level struct for TCB Info.  Will rename this
+// struct to oe_tcb_tcb_level given that
+// QE identity info also has its TCB level data field.
+typedef struct _oe_tcb_level
+{
+    // Existing fields
+    uint8_t sgx_tcb_comp_svn[16];
+    uint16_t pce_svn;
+    oe_tcb_level_status_t tcb_status;
+
+    // New fields
+    oe_datetime_t tcb_date;
+    uint8_t* advisory_ids_json;     // ["INTEL-SA-00079", "INTEL-SA-00076"]
+
+} oe_tcb_level_t;
+
+typedef struct _oe_parsed_tcb_info
+{
+    // Existing fields
+    uint32_t version;
+    oe_datetime_t issue_date;
+    oe_datetime_t next_update;
+    uint8_t fmspc[6];
+    uint8_t pceid[2];
+    uint8_t signature[64];
+    const uint8_t* tcb_info_start;
+    size_t tcb_info_size;
+
+    // New fields
+    uint32_t tcb_type;
+    uint32_t tcb_evaluation_data_number;
+
+} oe_parsed_tcb_info_t;
+
+/*!
+ * New enum for QE id field
+ */
+typedef enum _oe_qe_identity_id
+{
+    OE_IDENTITY_ID_QE,
+    QE_IDENTITY_ID_QVE
+} oe_qe_identity_id;
+
+/*!
+ * New TCB level for QE identity info.
+ */
+typedef struct _oe_qe_tcb_level
+{
+    uint32_t isvsvn;
+    oe_tcb_level_status_t tcb_status;
+    oe_datetime_t tcb_date;
+    uint8_t* advisory_ids_json;     // ["INTEL-SA-00079", "INTEL-SA-00076"]
+
+} oe_qe_tcb_level_t;
+
+typedef struct _oe_parsed_qe_identity_info
+{
+    // Existing fields
+    uint32_t version;
+    oe_datetime_t issue_date;
+    oe_datetime_t next_update;
+    uint32_t miscselect;         // The MISCSELECT that must be set
+    uint32_t miscselect_mask;    // Mask of MISCSELECT to enforce
+    sgx_attributes_t attributes; // flags and xfrm (XSAVE-Feature Request Mask)
+    uint64_t attributes_flags_mask;   // mask for attributes.flags
+    uint64_t attributes_xfrm_mask;    // mask for attributes.xfrm
+    uint8_t mrsigner[OE_SHA256_SIZE]; // MRSIGNER of the enclave
+    uint16_t isvprodid;               // ISV assigned Product ID
+    uint16_t isvsvn;                  // ISV assigned SVN
+    uint8_t signature[64];
+    const uint8_t* info_start;
+    size_t info_size;
+
+    // New fields
+    oe_qe_identity_id id;
+    uint32_t tcb_evaluation_data_number;
+
+
+} oe_parsed_qe_identity_info_t;
+```
+
+### Summary of Processing Changes
+
+The quote verification logic for parsing the TCB Info and the QE Identity Info will need to be updated as well as the validation logic.
+
+1. Update `oe_parse_tcb_info_json()` and `oe_parse_qe_identity_info_json()` to parse the new v2 fields.
+2. Account for new TCB status "OutOfDateConfigurationNeeded" in v2 API.
+3. TCB info validation updates:
+    - version 1:
+        - Bug fix.  Will create and address this in a separate issue:
+            - Verify `pceid` field matches the one in the PCK Cert.
+            - Verify `fmspc` field matches the one in the PCK Cert.
+    - version 2:
+        - Validate `tcbType` has a value of 0.
+        - Check that `tcbEvaluationDataNumber` is at least or equal to the current cached value.  Update cached
+        value if the current value is greater than the cached value.
+        - TCB Level processing:
+            - Account for new tcbStatus "OutOfDateConfigurationNeeded"
+            - No additional processing on `tcbDate` and `advisoryIDs`.
+4. QE identity info validation updates:
+    - version 1: No updates.
+    - version 2:
+        - Check that `tcbEvaluationDataNumber` is at least or equal to the current cached value.  Update cached
+        value if the current value is greater than the cached value.
+        - TCB Level processing:
+            - Find the first TCB level which the quote's `isvsvn` value is greater than or equal to the corresponding value in the TCB level.
+            - Set the `tcbStatus` value from the corresponding TCB level.
+            - No additional processing on `tcbDate` and `advisoryIDs`.
+
+Authors
+-------
+
+Name: Sergio Wong
+
+email: sewong@microsoft.com
+
+github username: jazzybluesea

From 9659de0931ae4f7f553e497e1ff1d43265782f3d Mon Sep 17 00:00:00 2001
From: Sergio Wong <sewong@microsoft.com>
Date: Tue, 12 Nov 2019 14:26:34 -0800
Subject: [PATCH 276/420] Review comments.

Signed-off-by: sewong <sewong@microsoft.com>
---
 docs/DesignDocs/SGX_Endorsements_V2.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/DesignDocs/SGX_Endorsements_V2.md b/docs/DesignDocs/SGX_Endorsements_V2.md
index 9f74087408..6b8ea87813 100644
--- a/docs/DesignDocs/SGX_Endorsements_V2.md
+++ b/docs/DesignDocs/SGX_Endorsements_V2.md
@@ -19,14 +19,14 @@ Motivation
 ----------
 
 This change is required for customers who would like to use the v2 API web endpoints. Note that the Azure PCK
-Caching Service and the Azure DCAP Client will also need to be updated and it is outside of the this specification.
+Caching Service and the Azure DCAP Client will also need to be updated and it is outside of this specification.
 
 User Experience
 ---------------
 
 The user experience does not change, it should be seamless to the user.  The caller will be able to identify the version of the data by checking the existing `version` field.
 
-The quote verifier will specify whether to use the v1 or v2 Azure PCK Caching Service web API endpoints.  The
+The quote verifier will specify whether to use the v1 or v2 PCK Caching Service web API endpoints.  The
 quote verification logic will be able to determine the version of the API by checking the `version` field in endorsement data.
 
 Specification
@@ -67,7 +67,7 @@ get the TCB Info and get QE Identity are different.  The differences are highlig
 ##### tcbDate:
 	type: string
 	format: date-time
-	description: >- Representation of date and time when the TCB level was certified not to be vulnerable to any issues described in SAs that were published on or prior to this date. The time shall be in UTC and the encoding shall be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ).
+	description: >- Representation of date and time when the TCB level was certified not to be vulnerable to any issues described in Security Advisories (SAs) that were published on or prior to this date. The time shall be in UTC and the encoding shall be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ).
 
 ##### tcbStatus:
 	type: string

From 21679192f684f82eae5d08f9d1a56a4eed8025e5 Mon Sep 17 00:00:00 2001
From: sewong <sewong@microsoft.com>
Date: Tue, 12 Nov 2019 15:38:21 -0800
Subject: [PATCH 277/420] Changing oe_tcb_level_status_t to a bitfield.

Signed-off-by: sewong <sewong@microsoft.com>
---
 docs/DesignDocs/SGX_Endorsements_V2.md | 70 +++++++++++++++++++-------
 1 file changed, 51 insertions(+), 19 deletions(-)

diff --git a/docs/DesignDocs/SGX_Endorsements_V2.md b/docs/DesignDocs/SGX_Endorsements_V2.md
index 6b8ea87813..61707b7dce 100644
--- a/docs/DesignDocs/SGX_Endorsements_V2.md
+++ b/docs/DesignDocs/SGX_Endorsements_V2.md
@@ -87,26 +87,38 @@ For more information on the new fields please see [API Version 2](https://api.po
 ### Update current structs with new additional fields and create new type definitions.
 
 ```C
-typedef enum _oe_tcb_level_status
+#define OE_TCB_LEVEL_STATUS_UNKNOWN                 (0)
+#define OE_TCB_LEVEL_STATUS_REVOKED                 (1 << 0)
+#define OE_TCB_LEVEL_STATUS_OUT_OF_DATE             (1 << 1)
+#define OE_TCB_LEVEL_STATUS_CONFIGURATION_NEEDED    (1 << 2)
+#define OE_TCB_LEVEL_STATUS_UP_TO_DATE              (1 << 3)
+#define OE_TCB_LEVEL_STATUS_QE_IDENTITY_OUT_OF_DATE (1 << 4)
+
+/*! \struct oe_tcb_level_status_t
+ */
+typedef union _oe_tcb_level_status
 {
-    // Existing fields
-    OE_TCB_LEVEL_STATUS_UNKNOWN,
-    OE_TCB_LEVEL_STATUS_REVOKED,
-    OE_TCB_LEVEL_STATUS_OUT_OF_DATE,
-    OE_TCB_LEVEL_STATUS_CONFIGURATION_NEEDED,
-    OE_TCB_LEVEL_STATUS_UP_TO_DATE,
-
-    // New field for new value "OutOfDateConfigurationNeeded"
-    OE_TCB_LEVEL_STATUS_OUTOFDATE_CONFIGURATION_NEEDED,
-
-    __OE_TCB_LEVEL_MAX = OE_ENUM_MAX,
-
+    struct {
+        uint32_t revoked : 1;                       //! "Revoked"
+        uint32_t outofdate : 1;                     //! "OutOfDate"
+        uint32_t configuration_needed :1;           //! "ConfigurationNeeded"
+        uint32_t up_to_date : 1;                    //! "UpToDate"
+
+        /*! "OutOfDateConfigurationNeeded"
+        *
+        * This tcb status indicates that the QE Identity Info is out of date and
+        * the TCB Info requires configuration "ConfigurationNeeded"
+        */
+        uint32_t qe_identity_out_of_date : 1;
+    } fields;
+    uint32_t AsUINT32;
+                                                
 } oe_tcb_level_status_t;
 
 // Existing TCB Level struct for TCB Info.  Will rename this
 // struct to oe_tcb_tcb_level given that
 // QE identity info also has its TCB level data field.
-typedef struct _oe_tcb_level
+typedef struct _oe_tcb_tcb_level
 {
     // Existing fields
     uint8_t sgx_tcb_comp_svn[16];
@@ -115,9 +127,18 @@ typedef struct _oe_tcb_level
 
     // New fields
     oe_datetime_t tcb_date;
-    uint8_t* advisory_ids_json;     // ["INTEL-SA-00079", "INTEL-SA-00076"]
 
-} oe_tcb_level_t;
+    /*! Offset into the json QE Identity info where
+     * the advisoryIDs fields start.
+     *
+     * Example of this field: ["INTEL-SA-00079", "INTEL-SA-00076"]
+     */
+    size_t advisory_ids_offset;
+
+    //! Total size of all the advisoryIDs.
+    size_t advisory_ids_size;
+
+} oe_tcb_tcb_level_t;
 
 typedef struct _oe_parsed_tcb_info
 {
@@ -130,6 +151,7 @@ typedef struct _oe_parsed_tcb_info
     uint8_t signature[64];
     const uint8_t* tcb_info_start;
     size_t tcb_info_size;
+    oe_tcb_tcb_level_t tcb_level;
 
     // New fields
     uint32_t tcb_type;
@@ -151,10 +173,17 @@ typedef enum _oe_qe_identity_id
  */
 typedef struct _oe_qe_tcb_level
 {
-    uint32_t isvsvn;
+    uint32_t isvsvn[1];
     oe_tcb_level_status_t tcb_status;
     oe_datetime_t tcb_date;
-    uint8_t* advisory_ids_json;     // ["INTEL-SA-00079", "INTEL-SA-00076"]
+
+    /*! Offset into the json QE Identity info where
+     * the advisoryIDs fields start.
+     */
+    size_t advisory_ids_offset;
+
+    //! Total size of all the advisoryIDs.
+    size_t advisory_ids_size;
 
 } oe_qe_tcb_level_t;
 
@@ -179,7 +208,7 @@ typedef struct _oe_parsed_qe_identity_info
     // New fields
     oe_qe_identity_id id;
     uint32_t tcb_evaluation_data_number;
-
+    oe_qe_tcb_level_t tcb_level;
 
 } oe_parsed_qe_identity_info_t;
 ```
@@ -190,6 +219,9 @@ The quote verification logic for parsing the TCB Info and the QE Identity Info w
 
 1. Update `oe_parse_tcb_info_json()` and `oe_parse_qe_identity_info_json()` to parse the new v2 fields.
 2. Account for new TCB status "OutOfDateConfigurationNeeded" in v2 API.
+    - This new TCB status seems to indicate that:
+        1. The QE Identity info is out of date, and
+        2. The TCB Info requires configuration.
 3. TCB info validation updates:
     - version 1:
         - Bug fix.  Will create and address this in a separate issue:

From 025a3b07b647ac435058f061643dbecbba3d0192 Mon Sep 17 00:00:00 2001
From: chrisrod-MSFT <chrisrod@microsoft.com>
Date: Tue, 12 Nov 2019 19:06:14 -0500
Subject: [PATCH 278/420] Add Parallel in try catch finally. Added call to
 oe.emailJobStatus before parallel execution, and in finally. Use ternary
 operator on setting currentBuild.result based on exception having been
 raised.

Signed-off-by: chrisrod-MSFT <chrisrod@microsoft.com>
---
 .jenkins/Jenkinsfile | 84 ++++++++++++++++++++++++++------------------
 1 file changed, 49 insertions(+), 35 deletions(-)

diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
index 397fa91f34..b7f7e00680 100644
--- a/.jenkins/Jenkinsfile
+++ b/.jenkins/Jenkinsfile
@@ -3,6 +3,7 @@ oe = new jenkins.common.Openenclave()
 
 GLOBAL_TIMEOUT_MINUTES = 240
 CTEST_TIMEOUT_SECONDS = 480
+GLOBAL_ERROR = null
 
 def ACCTest(String label, String compiler, String build_type) {
     stage("${label} ${compiler} SGX1FLC ${build_type}") {
@@ -351,38 +352,51 @@ properties([buildDiscarder(logRotator(artifactDaysToKeepStr: '90',
                                       numToKeepStr: '180')),
             [$class: 'JobRestrictionProperty']])
 
-parallel "Check Developer Experience Ubuntu 16.04" :            { checkDevFlows('16.04') },
-         "Check Developer Experience Ubuntu 18.04" :            { checkDevFlows('18.04') },
-         "Check CI" :                                           { checkCI() },
-         "ACC1604 clang-7 Debug" :                              { ACCTest('ACC-1604', 'clang-7', 'Debug') },
-         "ACC1604 clang-7 Release" :                            { ACCTest('ACC-1604', 'clang-7', 'Release') },
-         "ACC1604 gcc Debug" :                                  { ACCTest('ACC-1604', 'gcc', 'Debug') },
-         "ACC1604 gcc Release" :                                { ACCTest('ACC-1604', 'gcc', 'Release') },
-         "ACC1604 Container RelWithDebInfo" :                   { ACCContainerTest('ACC-1604', '16.04') },
-         "ACC1604 Package RelWithDebInfo" :                     { ACCPackageTest('ACC-1604', '16.04') },
-         "ACC1804 clang-7 Debug" :                              { ACCTest('ACC-1804', 'clang-7', 'Debug') },
-         "ACC1804 clang-7 Release" :                            { ACCTest('ACC-1804', 'clang-7', 'Release') },
-         "ACC1804 gcc Debug" :                                  { ACCTest('ACC-1804', 'gcc', 'Debug') },
-         "ACC1804 gcc Release" :                                { ACCTest('ACC-1804', 'gcc', 'Release') },
-         "ACC1804 Container RelWithDebInfo" :                   { ACCContainerTest('ACC-1804', '18.04') },
-         "ACC1804 Package RelWithDebInfo" :                     { ACCPackageTest('ACC-1804', '18.04') },
-         "ACC1804 GNU gcc SGX1FLC" :                            { ACCGNUTest() },
-         "AArch64 1604 GNU gcc Debug" :                         { AArch64GNUTest('16.04', 'Debug')},
-         "AArch64 1604 GNU gcc Release" :                       { AArch64GNUTest('16.04', 'Release')},
-         "AArch64 1804 GNU gcc Debug" :                         { AArch64GNUTest('18.04', 'Debug')},
-         "AArch64 1804 GNU gcc Release" :                       { AArch64GNUTest('18.04', 'Release')},
-         "Sim 1804 clang-7 SGX1 Debug" :                        { simulationTest('18.04', 'SGX1', 'Debug')},
-         "Sim 1804 clang-7 SGX1 Release" :                      { simulationTest('18.04', 'SGX1', 'Release')},
-         "Sim 1804 clang-7 SGX1-FLC Debug" :                    { simulationTest('18.04', 'SGX1FLC', 'Debug')},
-         "Sim 1804 clang-7 SGX1-FLC Release" :                  { simulationTest('18.04', 'SGX1FLC', 'Release')},
-         "Win2016 Ubuntu1604 clang-7 Debug Linux-Elf-build" :   { win2016LinuxElfBuild('16.04', 'clang-7', 'Debug') },
-         "Win2016 Ubuntu1604 clang-7 Release Linux-Elf-build" : { win2016LinuxElfBuild('16.04', 'clang-7', 'Release') },
-         "Win2016 Ubuntu1804 clang-7 Debug Linux-Elf-build" :   { win2016LinuxElfBuild('18.04', 'clang-7', 'Debug') },
-         "Win2016 Ubuntu1804 clang-7 Release Linux-Elf-build" : { win2016LinuxElfBuild('18.04', 'clang-7', 'Release') },
-         "Win2016 Ubuntu1804 gcc Debug Linux-Elf-build" :       { win2016LinuxElfBuild('18.04', 'gcc', 'Debug') },
-         "Win2016 Debug Cross Compile" :                        { win2016CrossCompile('Debug') },
-         "Win2016 Release Cross Compile" :                      { win2016CrossCompile('Release') },
-         "Win2016 Debug Cross Compile with DCAP libs" :         { win2016CrossCompile('Debug', 'ON') },
-         "Win2016 Release Cross Compile with DCAP libs" :       { win2016CrossCompile('Release', 'ON') },
-         "Host verification Debug" :                            { ACCHostVerificationTest('18.04', 'Debug') },
-         "Host verification Release" :                          { ACCHostVerificationTest('18.04', 'Release') }
+try{
+    oe.emailJobStatus('STARTED')
+    
+    parallel "Check Developer Experience Ubuntu 16.04" :            { checkDevFlows('16.04') },
+            "Check Developer Experience Ubuntu 18.04" :            { checkDevFlows('18.04') },
+            "Check CI" :                                           { checkCI() },
+            "ACC1604 clang-7 Debug" :                              { ACCTest('ACC-1604', 'clang-7', 'Debug') },
+            "ACC1604 clang-7 Release" :                            { ACCTest('ACC-1604', 'clang-7', 'Release') },
+            "ACC1604 gcc Debug" :                                  { ACCTest('ACC-1604', 'gcc', 'Debug') },
+            "ACC1604 gcc Release" :                                { ACCTest('ACC-1604', 'gcc', 'Release') },
+            "ACC1604 Container RelWithDebInfo" :                   { ACCContainerTest('ACC-1604', '16.04') },
+            "ACC1604 Package RelWithDebInfo" :                     { ACCPackageTest('ACC-1604', '16.04') },
+            "ACC1804 clang-7 Debug" :                              { ACCTest('ACC-1804', 'clang-7', 'Debug') },
+            "ACC1804 clang-7 Release" :                            { ACCTest('ACC-1804', 'clang-7', 'Release') },
+            "ACC1804 gcc Debug" :                                  { ACCTest('ACC-1804', 'gcc', 'Debug') },
+            "ACC1804 gcc Release" :                                { ACCTest('ACC-1804', 'gcc', 'Release') },
+            "ACC1804 Container RelWithDebInfo" :                   { ACCContainerTest('ACC-1804', '18.04') },
+            "ACC1804 Package RelWithDebInfo" :                     { ACCPackageTest('ACC-1804', '18.04') },
+            "ACC1804 GNU gcc SGX1FLC" :                            { ACCGNUTest() },
+            "AArch64 1604 GNU gcc Debug" :                         { AArch64GNUTest('16.04', 'Debug')},
+            "AArch64 1604 GNU gcc Release" :                       { AArch64GNUTest('16.04', 'Release')},
+            "AArch64 1804 GNU gcc Debug" :                         { AArch64GNUTest('18.04', 'Debug')},
+            "AArch64 1804 GNU gcc Release" :                       { AArch64GNUTest('18.04', 'Release')},
+            "Sim 1804 clang-7 SGX1 Debug" :                        { simulationTest('18.04', 'SGX1', 'Debug')},
+            "Sim 1804 clang-7 SGX1 Release" :                      { simulationTest('18.04', 'SGX1', 'Release')},
+            "Sim 1804 clang-7 SGX1-FLC Debug" :                    { simulationTest('18.04', 'SGX1FLC', 'Debug')},
+            "Sim 1804 clang-7 SGX1-FLC Release" :                  { simulationTest('18.04', 'SGX1FLC', 'Release')},
+            "Win2016 Ubuntu1604 clang-7 Debug Linux-Elf-build" :   { win2016LinuxElfBuild('16.04', 'clang-7', 'Debug') },
+            "Win2016 Ubuntu1604 clang-7 Release Linux-Elf-build" : { win2016LinuxElfBuild('16.04', 'clang-7', 'Release') },
+            "Win2016 Ubuntu1804 clang-7 Debug Linux-Elf-build" :   { win2016LinuxElfBuild('18.04', 'clang-7', 'Debug') },
+            "Win2016 Ubuntu1804 clang-7 Release Linux-Elf-build" : { win2016LinuxElfBuild('18.04', 'clang-7', 'Release') },
+            "Win2016 Ubuntu1804 gcc Debug Linux-Elf-build" :       { win2016LinuxElfBuild('18.04', 'gcc', 'Debug') },
+            "Win2016 Debug Cross Compile" :                        { win2016CrossCompile('Debug') },
+            "Win2016 Release Cross Compile" :                      { win2016CrossCompile('Release') },
+            "Win2016 Debug Cross Compile with DCAP libs" :         { win2016CrossCompile('Debug', 'ON') },
+            "Win2016 Release Cross Compile with DCAP libs" :       { win2016CrossCompile('Release', 'ON') },
+            "Host verification Debug" :                            { ACCHostVerificationTest('18.04', 'Debug') },
+            "Host verification Release" :                          { ACCHostVerificationTest('18.04', 'Release') }
+}catch(Exception e)
+{
+    println "Caught global pipeline exception :" + e
+    GLOBAL_ERROR = e
+    throw e   
+} finally {
+    currentBuild.result = (GLOBAL_ERROR != null) ? 'FAILURE' : "SUCCESS"    
+    oe.emailJobStatus(currentBuild.result)
+}
+

From 7496e809296e078b227f6c1540deede021f3210f Mon Sep 17 00:00:00 2001
From: chrisrod-MSFT <chrisrod@microsoft.com>
Date: Tue, 12 Nov 2019 20:28:11 -0500
Subject: [PATCH 279/420] Removed new line. Added copyright.

Signed-off-by: chrisrod-MSFT <chrisrod@microsoft.com>
---
 .jenkins/Jenkinsfile | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
index b7f7e00680..b18b5c5716 100644
--- a/.jenkins/Jenkinsfile
+++ b/.jenkins/Jenkinsfile
@@ -1,3 +1,6 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
 @Library("OpenEnclaveCommon") _
 oe = new jenkins.common.Openenclave()
 
@@ -354,7 +357,7 @@ properties([buildDiscarder(logRotator(artifactDaysToKeepStr: '90',
 
 try{
     oe.emailJobStatus('STARTED')
-    
+
     parallel "Check Developer Experience Ubuntu 16.04" :            { checkDevFlows('16.04') },
             "Check Developer Experience Ubuntu 18.04" :            { checkDevFlows('18.04') },
             "Check CI" :                                           { checkCI() },
@@ -398,5 +401,4 @@ try{
 } finally {
     currentBuild.result = (GLOBAL_ERROR != null) ? 'FAILURE' : "SUCCESS"    
     oe.emailJobStatus(currentBuild.result)
-}
-
+}
\ No newline at end of file

From 6c2be06cf05693897e723f06751e70383ce3bb94 Mon Sep 17 00:00:00 2001
From: Akash Gupta <akagup@microsoft.com>
Date: Wed, 9 Oct 2019 08:56:52 -0700
Subject: [PATCH 280/420] Added documentation for attestation plugin.

Signed-off-by: Akash Gupta <akagup@microsoft.com>
---
 docs/DesignDocs/CustomAttestation.md | 1016 ++++++++++++++++++++++++++
 1 file changed, 1016 insertions(+)
 create mode 100644 docs/DesignDocs/CustomAttestation.md

diff --git a/docs/DesignDocs/CustomAttestation.md b/docs/DesignDocs/CustomAttestation.md
new file mode 100644
index 0000000000..b0635c0256
--- /dev/null
+++ b/docs/DesignDocs/CustomAttestation.md
@@ -0,0 +1,1016 @@
+___
+
+Custom Attestation Data Formats for Open Enclave
+=====
+
+This design document proposes a new attestation framework and set of APIs that
+enable developers to use custom formats for their attestation data.  
+
+Motivation
+----------
+
+Currently, Open Enclave provides several APIs that developers can use for
+attestation. The two key functions are `oe_get_report`, which produces an opaque
+blob that is signed by the enclave, and `oe_verify_report`, which can be used to
+verify the generated report. The original purpose of those two APIs were to
+provide a simple, cross-platform way to produce and verify attestation data.
+
+However, some developers need more flexibility for their attestation
+requirements. For example, one might want to extend Open Enclave's
+current attestation structures with extra information, such as geolocation
+or a timestamp. Another user might want their enclaves to generate attestation
+data that is in a format compatible with their existing authentication
+infrastructure, such as a JSON Web Token or an X.509 certificate. There are also
+users who want to specify their endorsements (information from a second source
+used for verification), instead of using the set of endorsements provided by Open
+Enclave.
+
+Overall, there has been interest in enhancing Open Enclave's APIs to support
+custom attestation formats to enable these scenarios.
+
+Terminology
+-----------
+
+This document uses the following terminology defined below. Note that
+these definitions are consistent with the terms defined in the
+[Remote Attestation Procedures (RATS)](https://datatracker.ietf.org/wg/rats/about/)
+working group.
+
+- Claims
+  - Claims are statements about a particular subject. They consist of
+    name-value pairs containing the claim name, which is a string, and
+    claim value, which is arbitrary data. Example of claims could be
+    [name="version", value=1] or [name="enclave_id", value=1111].
+- Evidence
+  - Evidence is claims about the enclave that are produced and signed by it.
+    The SGX report would be an example of evidence.
+- Endorsements
+  - Endorsements are additional claims used in the evidence verification process,
+    but not produced by the enclave. An example of an endorsement would be
+    the quoting enclave's identity used in SGX remote attestation, because it
+    is retrieved from Intel's servers, rather than the enclave.
+- Attester
+  - The attester creates the evidence and signs it. Trusted Execution Environments
+    (TEEs), such as the SGX enclave, often play the role of the attester.
+- Verifier
+  - The verifier is responsible for taking in the evidence and endorsements
+    and deciding if the enclave is trustworthy.
+- Relying party
+  - The relying party is the entity interested in communicating with an
+    enclave. The enclave must attest to the relying party before the
+    relying party can trust it. The relying party can also play the role
+    of the verifier, but it does not necessarily have to.
+
+Specification
+-------------
+
+To support custom attestation formats, this document proposes adding a plugin
+model for attestation. The Open Enclave SDK will define a plugin API for the
+attester and another API for the verifier. Each plugin will define a UUID to
+distinguish plugins. An attester and verifier plugin sharing the same UUID
+indicates that that verifier is able to process the evidence format generated
+by the attester.
+
+Futhermore, there will be additional attestation "plugin aware" APIs that are
+analogous to `oe_get_report` and `oe_verify_report` called `oe_get_evidence`
+and `oe_verify_evidence` respectively. There will also
+be functions for registering and unregistering plugins called
+`oe_register_[attester|verifier]` and `oe_unregister_[attester|verifier]`. The user
+can link in their desired plugin and call the register plugin function.
+The attestation data can be retrieved from `oe_get_evidence` with the desired UUID.
+The generated data will have the UUID in its header. The user can `oe_verify_evidence`
+to verify the data and the Open Enclave runtime can use this UUID to determine what plugin
+verification routine to run.
+
+If the plugin is registered on the enclave side, it will only work for the enclave side.
+Likewise, if the plugin is registered for the host side, it will only work for the
+host side. If the user wants to use the plugin for both sides, then they must register
+it once inside the enclave and once inside the host.
+
+### Attester Plugin API (Enclave only)
+
+Each plugin must implement the functions below:
+
+```C
+/**
+ * Claims struct used for claims parameters for the plugin.
+ */
+struct oe_claim_t
+{
+    char* name;
+    uint8_t* value;
+    size_t value_size;
+};
+
+/**
+ * Struct that defines the structure of each plugin. Each plugin must
+ * define a UUID for its format and implement the functions in this
+ * struct. Ideally, each plugin should provide a helper function to
+ * create this struct on the behalf of the plugin users.
+ */
+struct oe_attester_plugin_t
+{
+    /**
+     * The UUID for the plugin.
+     */
+    uuid_t format_id;
+
+    /**
+     * The function that gets executed when a plugin is registered.
+     *
+     * @param[in] plugin_context A pointer to the attester plugin struct.
+     * @param[in] config_data An optional pointer to the configuration data.
+     * @param[in] config_data_size The size in bytes of config_data.
+     * @retval OE_OK on success.
+     */
+    oe_result_t (*on_register)(
+        oe_attester_plugin_t* plugin_context,
+        const void* config_data,
+        size_t config_data_size);
+
+    /**
+     * The function that gets executed when a plugin is unregistered.
+     *
+     * @param[in] plugin_context A pointer to the attester plugin struct.
+     * @retval OE_OK on success.
+     */
+    oe_result_t (*on_unregister)(
+        oe_attester_plugin_t* plugin_context);
+
+    /**
+     * Generates the attestation evidence, which is defined as the data
+     * produced by the enclave. The caller may pass in custom claims, which
+     * must be attached to the evidence and then cryptographically signed.
+     *
+     * @param[in] plugin_context A pointer to the attester plugin struct.
+     * @param[in] flags Specifying default value (0) generates evidence for local
+     * attestation. Specifying OE_EVIDENCE_FLAGS_REMOTE_ATTESTATION generates
+     * evidence for remote attestation.
+     * @param[in] custom_claims The optional custom claims list.
+     * @param[in] custom_claims_length The number of custom claims.
+     * @param[in] opt_params The optional plugin-specific input parameters.
+     * @param[in] opt_params_size The size of opt_params in bytes.
+     * @param[out] evidence_buffer An output pointer that will be assigned the
+     * address of the evidence buffer.
+     * @param[out] evidence_buffer_size A pointer that points to the size of the
+     * evidence buffer in bytes.
+     * @param[out] endorsements_buffer An output pointer that will be assigned the
+     * address of the endorsements buffer.
+     * @param[out] endorsements_buffer_size A pointer that points to the size of the
+     * endorsements buffer in bytes.
+     * @retval OE_OK on success.
+     */
+    oe_result_t (*get_evidence)(
+        oe_attester_plugin_t* plugin_context,
+        uint32_t flags,
+        const oe_claim_t* custom_claims,
+        size_t custom_claims_length,
+        const void* opt_params,
+        size_t opt_params_size,
+        uint8_t** evidence_buffer,
+        size_t* evidence_buffer_size,
+        uint8_t** endorsements_buffer,
+        size_t* endorsements_buffer_size);
+
+    /**
+     * Frees the generated attestation evidence and endorsements.
+     *
+     * @param[in] plugin_context A pointer to the attester plugin struct.
+     * @param[in] evidence_buffer A pointer to the evidence buffer.
+     * @param[in] endorsements_buffer A pointer to the endorsements buffer.
+     * @retval OE_OK on success.
+     */
+    oe_result_t (*free_evidence)(
+        oe_attester_plugin_t* plugin_context,
+        uint8_t* evidence_buffer,
+        uint8_t* endorsements_buffer);
+};
+```
+
+Here is the rationale for each element in the plugin struct:
+- `format_id`
+  - Each plugin needs a unique identifier to distinguish itself.
+- `on_register` and `on_unregister`
+  - A plugin might require some setup or teardown when it is registered or
+    unregistered, so these functions are required. Furthermore, a plugin
+    might require configuration, which is why there is a `config_data`
+    parameter. The configuration data can be plugin specific, so no format is
+    specified in this proposal.
+- `get_evidence` and  `free_evidence`
+  - Producing evidence and endorsements is necessary for attestation.
+  - `flags` field to determine local vs. remote attestation.
+  - There is a `custom_claims` parameter because many attestation protocols
+    require the enclave to sign some data from a relying party. For example,
+    many protocols follow the "challenge response" architecture, which requires
+    the enclave to sign a nonce from the relying party.
+  - There is an `opt_params` field because some plugins might require plugin
+    specific input. For example, the SGX local attestation needs the
+    other enclave's target info struct.
+  - There is an `endorsements` parameter to return the endorsements that are
+    coupled with the evidence to ensure that the evidence and endorsements are
+    in sync.
+
+### Verifier Plugin API (Supported by host and enclave side)
+
+The plugin API is very similar to the attester plugin. The only difference
+is that it implements a `verify_evidence` function instead of `get_evidence`.
+
+
+```C
+/**
+ * Claims struct used for claims parameters for the plugin.
+ */
+struct oe_claim_t
+{
+    char* name;
+    uint8_t* value;
+    size_t value_size;
+};
+
+/**
+ * Supported policies for validation. Only time is supported for now.
+ */
+enum oe_policy_type_t
+{
+    /**
+     * Enforces that time fields in the endorsements will be checked in
+     * with the given time rather than the endorsement creation time.
+     *
+     * The policy will be in the form of `oe_datetime_t`.
+     */  
+    OE_POLICY_ENDORSEMENTS_TIME = 1
+};
+
+struct oe_policy_t
+{
+    oe_policy_type_t type;
+    void* policy;
+    size_t policy_size;
+};
+
+/**
+ * Struct that defines the structure of each plugin. Each plugin must
+ * define a UUID for its format and implement the functions in this
+ * struct. Ideally, each plugin should provide a helper function to
+ * create this struct on the behalf of the plugin users.
+ */
+struct oe_verifier_plugin_t
+{
+    /**
+     * The UUID for the plugin.
+     */
+    uuid_t format_id;
+
+    /**
+     * The function that gets executed when a plugin is registered.
+     *
+     * @param[in] plugin_context A pointer to the verifier plugin struct.
+     * @param[in] config_data An optional pointer to the configuration data.
+     * @param[in] config_data_size The size in bytes of config_data.
+     * @retval OE_OK on success.
+     */
+    oe_result_t (*on_register)(
+        oe_verifier_plugin_t* plugin_context,
+        const void* config_data,
+        size_t config_data_size);
+
+    /**
+     * The function that gets executed when a plugin is unregistered.
+     *
+     * @param[in] plugin_context A pointer to the verifier plugin struct.
+     * @retval OE_OK on success.
+     */
+    oe_result_t (*on_unregister)(
+        oe_verifier_plugin_t* plugin_context);
+
+    /**
+     * Verifies the attestation evidence and returns the claims contained in
+     * the evidence.
+     *
+     * @param[in] plugin_context A pointer to the verifier plugin struct.
+     * @param[in] evidence_buffer The evidence buffer.
+     * @param[in] evidence_buffer_size The size of evidence_buffer in bytes.
+     * @param[in] endorsements_buffer The endorsements buffer.
+     * @param[in] endorsements_buffer_size The size of endorsements_buffer in bytes.
+     * @param[in] policies A list of policies to use.
+     * @param[in] policies_size The size of the policy list.
+     * @param[out] claims The list of returned claims.
+     * @param[out] claims_length The number of claims.
+     * @retval OE_OK on success.
+     */
+    oe_result_t (*verify_evidence)(
+        oe_verifier_plugin_t* plugin_context,
+        const uint8_t* evidence_buffer,
+        size_t evidence_buffer_size,
+        const uint8_t* endorsements_buffer,
+        size_t endorsements_buffer_size,
+        const oe_policy_t* policies,
+        size_t policies_size,
+        oe_claim_t** claims,
+        size_t* claims_length);
+
+    /**
+     * Frees the generated claims.
+     *
+     * @param[in] context A pointer to the verifier plugin struct.
+     * @param[out] claims The list of returned claims.
+     * @param[out] claims_length The number of claims.
+     * @retval OE_OK on success.
+     */
+    oe_result_t (*free_claims_list)(
+        oe_verifier_t* context,
+        oe_claim_t* claims,
+        size_t claims_length);
+};
+```
+
+Here is the rationale for the parameters in the `verify_evidence` function:
+- `verify_evidence`
+  - Verifying evidence and endorsements is essential for attestation.
+  - Evidence can be verified according to some policy, which is why there
+    is a `policies` parameter.
+  - The `claims` field contains key-value pairs that can be verified by the
+    caller. This will have the similar contents as the `oe_identity_t` field
+    in the `oe_report_t` struct returned by `oe_verify_report` and any custom
+    claims that were passed to the `get_evidence` function.
+
+###  Known Open Enclave Claims
+
+- Each plugin's `verify_evidence` function must, at minimum, return the
+  following claims (mapped from the `oe_identity_t`):
+  
+| Claim Name       | Claim Value Type   | Description                                                          |
+|:-----------------|:-------------------|:---------------------------------------------------------------------|
+| id_version       | uint32_t           | Claims version. Must be 0                                            |
+| security_version | uint32_t           | Security version of the enclave. (ISVN for SGX).                     |
+| attributes       | uint64_t           | Attributes flags for the evidence: <br/> `OE_REPORT_ATTRIBUTES_DEBUG`: The evidence is for a debug enclave.<br/> `OE_REPORT_ATTRIBUTES_REMOTE`: The evidence can be used for remote attestation.   |
+| unique_id        | uint8_t[32]        | The unique ID for the enclave (MRENCLAVE for SGX).                   |
+| signer_id        | uint8_t[32]        | The signer ID for the enclave (MRSIGNER for SGX).                    |
+| product_id       | uint8_t[32]        | The product ID for the enclave (ISVPRODID for SGX).                  |
+| validity_from    | oe_datetime_t      | Overall datetime from which the evidence and endorsements are valid. |
+| validity_until   | oe_datetime_t      | Overall datetime at which the evidence and endorsements expire.      |
+| plugin_uuid      | uuid_t             | The UUID of the plugin that generated the evidence.
+
+### Built-in SGX Plugin
+
+The current Open Enclave attestation only works on SGX platforms, so it will
+be moved to an SGX plugin. Most of the current Open Enclave APIs can be mapped
+directly to the plugin APIs. For the `on_register` and `on_unregister`  APIs,
+they can simply be no-ops. `oe_get_report` can be mapped to the `get_evidence` API and
+`oe_verify_report` can be mapped to the `verify_evidence` API.
+
+### SGX Plug-In Definitions
+
+`sgx_plugin_common.h`
+
+```C
+
+/* Define the uuid. */
+#define SGX_PLUGIN_UUID                 \
+{                                       \
+ 0x2f, 0x50, 0xdc, 0xb4,                \
+ 0x79, 0x9c,                            \
+ 0x45, 0x07,                            \
+ 0xa1, 0xe9,                            \
+ 0x86, 0x2c, 0x62, 0x9b, 0x76, 0x2a}    \
+}
+```
+
+`sgx_plugin_attester.h`
+
+```C
+#include <sgx_plugin_common.h>
+
+oe_attester_t* sgx_attester();
+```
+
+`sgx_plugin_verifier.h`
+
+```C
+#include <sgx_plugin_common.h>
+
+oe_verifier_t* sgx_verifier();
+```
+
+`sgx_plugin_attester.c`
+
+```C
+#include "sgx_plugin_attester.h"
+
+static
+oe_result_t
+sgx_attestation_plugin_on_register(
+    oe_attester_t* plugin_context,
+    const void* config_data,
+    size_t config_data_size)
+{
+    OE_UNUSED(plugin_context);
+    OE_UNUSED(config_data);
+    OE_UNUSED(config_data_size);
+
+    // Nothing to do
+    return OE_OK;
+}
+
+static 
+oe_result_t 
+sgx_attestation_plugin_on_unregister(
+    oe_attester_t* plugin_context)
+{
+    OE_UNUSED(plugin_context);
+
+    // Nothing to do
+    return OE_OK;
+}
+
+static 
+oe_result_t 
+sgx_attestation_plugin_get_evidence(
+    oe_attester_t* plugin_context,
+    uint32_t flags,
+    const oe_claim_t* custom_claims,
+    size_t custom_claims_length,
+    const void* opt_params,
+    size_t opt_params_size,
+    uint8_t** evidence_buffer,
+    size_t* evidence_buffer_size,
+    uint8_t** endorsements_buffer,
+    size_t* endorsements_buffer_size)
+{
+    OE_UNUSED(plugin_context);
+
+    /*
+     * Pseudocode description instead of actual C code:
+     *
+     * Hash custom claims field.
+     * Call oe_get_report with the flags and opt_param parameters and the hash as reportdata.
+     * Report contains the endorsements, so extract them out.
+     * Evidence will be report + custom_claims blob.
+     *
+     * Note: Since the verifier can run outside the SGX enclave, it can be running on a
+     * machine with different endianness. Consequently, it must be possible for the verifier
+     * to determine the endianness of the multibyte numbers in the evidence and endorsements,
+     * so it can properly interpret them.
+     *
+     */
+
+    return OE_OK;
+}
+
+static 
+oe_result_t 
+sgx_attestation_plugin_free_evidence(
+    oe_attester_t* plugin_context,
+    uint8_t* evidence_buffer,
+    uint8_t* endorsements_buffer)
+{
+    OE_UNUSED(plugin_context);
+
+    oe_free_report(evidence_buffer);
+    oe_free_endorsements(endorsements_buffer);
+    return OE_OK;
+}
+
+/* Setting up the plugin structs. */
+oe_attester_t sgx_attester_plugin = {
+
+ /* Plugin UUID. */
+ .format_id = SGX_PLUGIN_UUID,
+
+ .on_register = sgx_attestation_plugin_on_register,
+ .on_unregister = sgx_attestation_plugin_on_unregister,
+ .get_evidence = sgx_attestation_plugin_get_evidence,
+ .free_evidence = sgx_attestation_plugin_free_evidence,
+};
+
+/* Implement helper initialization function. */
+oe_attester_t* sgx_attester() {
+    return &sgx_attester_plugin;
+}
+```
+
+`sgx_verifier_plugin.c`
+
+```C
+#include "sgx_plugin_verifier.h"
+
+static
+oe_result_t
+sgx_attestation_plugin_on_register(
+    oe_verifier_t* plugin_context,
+    const void* config_data,
+    size_t config_data_size)
+{
+    OE_UNUSED(plugin_context);
+    OE_UNUSED(config_data);
+    OE_UNUSED(config_data_size);
+
+    // Nothing to do
+    return OE_OK;
+}
+
+static 
+oe_result_t 
+sgx_attestation_plugin_on_unregister(
+    oe_verifier_t* plugin_context)
+{
+    OE_UNUSED(plugin_context);
+
+    // Nothing to do
+    return OE_OK;
+}
+
+static 
+oe_result_t 
+sgx_attestation_plugin_verify_evidence(
+    oe_verifier_t* plugin_context,
+    const uint8_t* evidence_buffer,
+    size_t evidence_buffer_size,
+    const uint8_t* endorsements_buffer,
+    size_t endorsements_buffer_size,
+    const oe_policy_t* polices,
+    size_t policies_size,
+    oe_claim_t** claims,
+    size_t* claims_length)
+{
+    OE_UNUSED(plugin_context);
+
+    /*
+     * Pseudocode description instead of actual C code:
+     *
+     * Call oe_verify_report with all the input parameters and get the oe_identity_t back.
+     * Look for the custom claims in the evidence header and extract them if found.
+     * Verify the hash of custom claims == report data field in evidence report.
+     * Convert oe_identity_t to the claims format.
+     *
+     * Note: Since the verifier can run outside the SGX enclave, it can be running on a
+     * machine with different endianness. Consequently, the verification code needs to
+     * understand the endianness of the multibyte numbers in the evidence and endorsements
+     * and intelligently convert them to the verifier's native architecture.
+     */
+
+    return OE_OK;
+}
+
+static oe_result_t
+sgx_attestation_plugin_free_claims_list(
+    oe_verifier_t* plugin_context,
+    oe_claim_t* claims,
+    size_t claims_length)
+{
+    OE_UNUSED(plugin_context);
+    for (size_t i = 0; i < claims_length; i++)
+    {
+        free(claims[i].name);
+        free(claims[i].value);
+    }
+    return OE_OK;
+}
+
+oe_verifier_t sgx_verifier_plugin = {
+
+ /* Plugin UUID. */
+ .format_id = SGX_PLUGIN_UUID,
+
+ .on_register = sgx_attestation_plugin_on_register,
+ .on_unregister = sgx_attestation_plugin_on_unregister,
+ .verify_evidence = sgx_attestation_plugin_verify_evidence,
+ .free_claims_list = sgx_attestation_plugin_free_claims_list
+};
+
+oe_verifier_t* sgx_verifier() {
+    return &sgx_verifier_plugin;
+}
+```
+
+### New Open Enclave APIs
+
+The functions are what the plugin user calls to use a plugin. They map almost
+exactly to the plugin API. The main difference is that `oe_get_evidence`
+requires the UUID of the plugin as an input parameter.
+
+```C
+/**
+ * oe_register_attester
+ *
+ * Registers a new attester plugin and optionally configures it with plugin
+ * specific configuration data. The function will fail if the plugin UUID has
+ * already been registered.
+ *
+ * This is available in the enclave and host.
+ *
+ * @param[in] plugin A pointer to the attestation plugin struct. Note that this will
+ * not copy the contents of the pointer, so the pointer must be kept valid until
+ * the plugin is unregistered.
+ * @param[in] config_data An optional pointer to the configuration data.
+ * @param[in] config_data_size The size in bytes of config_data.
+ * @retval OE_OK The function succeeded.
+ * @retval OE_ALREADY_EXISTS A plugin with the same UUID is already registered.
+ */
+oe_result_t oe_register_attester(
+    oe_attester_t* plugin,
+    const void* config_data,
+    size_t config_data_size);
+
+/**
+ * oe_register_verifier
+ *
+ * Registers a new verifier plugin and optionally configures it with plugin
+ * specific configuration data. The function will fail if the plugin UUID has
+ * already been registered.
+ *
+ * This is available in the enclave and host.
+ *
+ * @param[in] plugin A pointer to the attestation plugin struct. Note that this will
+ * not copy the contents of the pointer, so the pointer must be kept valid until
+ * the plugin is unregistered.
+ * @param[in] config_data An optional pointer to the configuration data.
+ * @param[in] config_data_size The size in bytes of config_data.
+ * @retval OE_OK The function succeeded.
+ * @retval OE_ALREADY_EXISTS A plugin with the same UUID is already registered.
+ */
+oe_result_t oe_register_verifier(
+    oe_verifier_t* plugin,
+    const void* config_data,
+    size_t config_data_size);
+
+/**
+ * oe_unregister_attester
+ *
+ * Unregisters an attester plugin. This is available in the enclave and host.
+ *
+ * @param[in] plugin A pointer to the attestation plugin struct.
+ * @retval OE_OK The function succeeded.
+ * @retval OE_NOT_FOUND The plugin does not exist.
+ */
+oe_result_t oe_unregister_attester(
+    oe_attester_t* plugin);
+
+/**
+ * oe_unregister_verifier
+ *
+ * Unregisters an verifier plugin. This is available in the enclave and host.
+ * 
+ * @param[in] plugin A pointer to the attestation plugin struct.
+ * @retval OE_OK The function succeeded.
+ * @retval OE_NOT_FOUND The plugin does not exist.
+ */
+oe_result_t oe_unregister_verifier(
+    oe_verifier_t* plugin);
+
+/**
+ * oe_get_evidence
+ *
+ * Generates the attestation evidence for the given UUID attestation format.
+ * This function is only available in the enclave.
+ *
+ * @param[in] evidence_format_uuid The UUID of the plugin.
+ * @param[in] flags Specifying default value (0) generates evidence for local
+ * attestation. Specifying OE_EVIDENCE_FLAGS_REMOTE_ATTESTATION generates
+ * evidence for remote attestation.
+ * @param[in] custom_claims The optional custom claims list.
+ * @param[in] custom_claims_length The number of custom claims.
+ * @param[in] opt_params The optional plugin-specific input parameters.
+ * @param[in] opt_params_size The size of opt_params in bytes.
+ * @param[out] evidence_buffer An output pointer that will be assigned the
+ * address of the evidence buffer.
+ * @param[out] evidence_buffer_size A pointer that points to the size of the
+ * evidence buffer in bytes.
+ * @param[out] endorsements_buffer An output pointer that will be assigned the
+ * address of the endorsements buffer.
+ * @param[out] endorsements_buffer_size A pointer that points to the size of the
+ * endorsements buffer in bytes.
+ * @retval OE_OK The function succeeded.
+ * @retval OE_NOT_FOUND The plugin does not exist.
+ */
+oe_result_t oe_get_evidence(
+    const uuid_t* evidence_format_uuid,
+    uint32_t flags,
+    const oe_claim_t* custom_claims,
+    size_t custom_claims_length,
+    const void* opt_params,
+    size_t opt_params_size,
+    uint8_t** evidence_buffer,
+    size_t* evidence_buffer_size,
+    uint8_t** endorsements_buffer,
+    size_t* endorsements_buffer_size);
+
+/**
+ * oe_free_evidence
+ *
+ * Frees the attestation evidence and endorsements. This function is only
+ * available in the enclave.
+ *
+ * @param[in] evidence_buffer A pointer to the evidence buffer.
+ * @param[in] endorsements_buffer A pointer to the endorsements buffer.
+ * @retval OE_OK on success.
+ */
+oe_result_t oe_free_evidence(uint8_t* evidence_buffer, uint8_t* endorsements_buffer);
+
+/**
+ * oe_verify_evidence
+ *
+ * Verifies the attestation evidence and returns well known and custom claims.
+ * This is available in the enclave and host.
+ *
+ * @param[in] evidence_buffer The evidence buffer.
+ * @param[in] evidence_buffer_size The size of evidence_buffer in bytes.
+ * @param[in] endorsements_buffer The endorsements buffer.
+ * @param[in] endorsements_buffer_size The size of endorsements_buffer in bytes.
+ * @param[in] policies A list of policies to use.
+ * @param[in] policies_size The size of the policy list.
+ * @param[out] claims The list of claims.
+ * @param[out] claims_length The length of the claims list.
+ * @retval OE_OK on success.
+ */
+oe_result_t oe_verify_evidence(
+    const uint8_t* evidence_buffer,
+    size_t evidence_buffer_size,
+    const uint8_t* endorsements_buffer,
+    size_t endorsements_buffer_size,
+    const oe_policy_t* policies,
+    size_t policies_size,
+    oe_claim_t** claims,
+    size_t* claims_length);
+
+/**
+ * oe_free_claims_list
+ *
+ * Frees a claims list.
+ *
+ * @param[in] claims The list of claims.
+ * @param[in] claims_length The length of the claims list.
+ * @retval OE_OK on success.
+ */
+oe_result_t oe_free_claims_list(oe_claim_t* claims, size_t claims_length);
+```
+
+The outputs returned by `oe_get_evidence` will begin with the header
+specified below. This allows `oe_verify_evidence` to determine what plugin
+verification routine to use. Note that since these functions return opaque
+structures, these headers are internal and not visible to the SDK consumers
+or the plugin writers.
+
+```C
+/*
+ * Header will be sent to oe_verify_evidence but not to the
+ * plugin verification routines.
+ */
+typedef struct _oe_attestation_header
+{
+    /* Set to + 1 of existing header version. */
+    uint32_t version;
+
+    /* UUID to identify format. */
+    uuid_t format_id;
+
+    /* Size of evidence/endorsements sent to the plugin. */
+    uint32_t data_size;
+
+    /* The actual data */
+    uint8_t data[];
+
+    /* data_size bytes that follows the header will be sent to a plugin. */
+} oe_attestation_header_t;
+```
+
+### Backwards compatibility
+
+The new APIs should support verifying the old Open Enclave reports
+generated by `oe_get_report`. The `oe_attestation_header_t` structure
+shares the same 1st field (`uint32_t version`) as the old Open Enclave
+report header. Consequently, the `oe_verify_evidence` can use this
+information to decide if it needs to call a plugin or run the legacy
+verification routine (which is technically the same logic as the SGX plugin).
+
+User Experience
+---------------
+
+### Plug-in
+
+There are two types of users: the plugin writers and the plugin consumers.
+
+Plugin writers will implement their plugin according to the plugin API.
+They should also provide a helper function that makes it easy for plugin
+consumers to register the plugin as shown below:
+
+`my_plugin_guid.h`
+
+```C
+/* Define the uuid. */
+#define MY_PLUGIN_UUID                  \
+{                                       \
+ 0x13, 0x99, 0x9a, 0xe5,                \
+ 0x23, 0xbe,                       _     \
+ 0x4f, 0xd4,                            \
+ 0x86, 0x63,                            \
+ 0x42, 0x1e, 0x3a, 0x57, 0xa0, 0xa4}    \
+}
+```
+
+`my_plugin_attester.h`
+
+```C
+#include <my_plugin_guid.h>
+
+/* Helper function to create the plugin. */
+oe_attester_t* my_plugin_attester();
+
+/* Example struct used for config data for my_plugin->on_register. */
+struct my_plugin_attester_config_data_t { ... };
+
+/* Example struct used as input parameters for my_plugin->get_evidence. */
+struct my_plugin_attester_opt_params_t { ... };
+```
+
+`my_plugin_verifier.h`
+
+```C
+#include <my_plugin_guid.h>
+
+/* Helper function to create the plugin. */
+oe_verifier_t* my_plugin_verifier();
+
+/* Example struct used for config data for my_plugin->on_register. */
+struct my_plugin_verifier_config_data_t { ... };
+```
+
+`my_plugin_attester.c`
+
+```C
+#include <my_plugin_attester.h>
+
+/* Plugin implementation functions here. */
+static oe_result_t my_plugin_on_register(
+    oe_attester_t* context,
+    const void* config_data,
+    size_t config_data_size)
+{
+    struct my_plugin_config_data_t* my_data = (struct my_plugin_config_data_t*) config_data;
+    /* Do meaningful work with my_data here. */
+    return OE_OK;
+}
+
+static oe_result_t my_plugin_on_unregister(...) { ... }
+static oe_result_t my_plugin_get_evidence(...) { ... }
+static oe_result_t my_plugin_free_evidence(...) { ... }
+
+/* Setting up the plugin struct. */
+oe_attester_t my_plugin = {
+ /* Plugin UUID. */
+ .format_id = MY_PLUGIN_UUID,
+
+  /* Plugin functions. */
+ .on_register = my_plugin_on_register,
+ .on_unregister = my_plugin_on_unregister,
+ .get_evidence = my_plugin_get_evidence,
+ .free_evidence = my_plugin_free_evidence,
+};
+
+/* Implement helper initialization function. */
+oe_attester_t* my_plugin_attester() {
+    return &my_plugin;
+}
+```
+
+`my_plugin_verifier.c`
+
+```C
+#include <my_plugin_verifier.h>
+
+/* Plugin implementation functions here. */
+static oe_result_t my_plugin_on_register(...) { ... }
+static oe_result_t my_plugin_on_unregister(...) { ... }
+static oe_result_t my_plugin_verify_evidence(...) { ... }
+static oe_result_t my_plugin_free_claims_list(...) { ... }
+
+/* Setting up the plugin struct. */
+oe_verifier_t my_plugin = {
+ /* Plugin UUID. */
+ .format_id = MY_PLUGIN_UUID,
+
+  /* Plugin functions. */
+ .on_register = my_plugin_on_register,
+ .on_unregister = my_plugin_on_unregister,
+ .verify_evidence = my_plugin_verify_evidence,
+ .free_claims_list = my_plugin_free_claims_list
+};
+
+/* Implement helper initialization function. */
+oe_verifier_t* my_plugin_attester() {
+    return &my_plugin;
+}
+```
+
+They can then compile their code in the standard way for building Open Enclave
+enclave and host applications.
+
+Plugin consumers will use the new "plugin aware" APIs like
+`oe_get_evidence`. The enclave can generate the evidence
+using the plugin like this:
+
+`attester.c`
+
+```C
+#include <my_plugin_attester.h>
+
+/* Register plugin. Send the config data if necessary. */
+struct my_plugin_attester_config_data_t config = { ... };
+size_t config_size = sizeof(config);
+oe_register_attester(my_plugin_attester(), &config, config_size);
+
+/* Create input params struct if needed. */
+struct my_plugin_attester_opt_params_t params = { ... };
+size_t params_size = sizeof(params);
+
+/* Create claims if desired. */
+oe_claim_t claims = { ... };
+size_t claims_size = ...;
+
+/* Get evidence. */
+oe_get_evidence(
+    MY_PLUGIN_UUID,
+    OE_EVIDENCE_FLAGS_REMOTE_ATTESTATION,
+    claims,
+    claims_size,
+    &params,
+    params_size,
+    &evidence,
+    &evidence_size,
+    &endorsements,
+    &endorsements_size);
+
+/* Send the evidence to the verifier. Protocol is up to enclave and verifier. */
+send(VERIFIER_SOCKET_FD, evidence, evidence_size, 0);
+send(VERIFIER_SOCKET_FD, endorsements, endorsements_size, 0);
+
+/* Free data and unregister plugin. */
+oe_free_evidence(evidence, endorsements);
+oe_unregister_attester(my_plugin_attester());
+```
+
+The verifier, which can either be the enclave or the host, can verify the evidence like this:
+
+`verifier.c`
+
+```C
+#include <my_plugin_verifier.h>
+
+/* Register plugin. Send the config data if necessary. */
+struct my_plugin_verifier_config_data_t config = { ... };
+size_t config_size = sizeof(config);
+oe_register_verifier(my_plugin_verifier(), &config, config_size);
+
+/* Receive evidence and endorsement buffer from enclave. */
+recv(ENCLAVE_SOCKET_FD, evidence, evidence_size, 0);
+recv(ENCLAVE_SOCKET_FD, endorsements, endorsements_size, 0);
+
+/* Set polices if desired. */
+oe_datetime_t time = { ... };
+oe_policy_t policy = {
+    .type = OE_POLICY_ENDORSEMENTS_TIME,
+    .policy = &time,
+    .policy_size = sizeof(time);
+};
+
+/* Verify evidence. Can check the claims if desired. */
+oe_verify_evidence(
+    evidence,
+    evidence_size,
+    endorsements,
+    endorsements_size,
+    &policy,
+    1,
+    &claims,
+    &claims_size);
+
+/* Free data and unregister plugin. */
+oe_free_claims_list(claims, claims_size);
+oe_unregister_verifier(my_plugin_verifier());
+```
+
+In either case, the plugin user can link in the plugin to build their app:
+
+```bash
+gcc -o my_app_attester attester.o my_plugin_attester.o ...
+gcc -o my_app_verifier verifier.o my_plugin_verifier.o ...
+```
+
+Alternate Designs Considered
+----------
+
+Another option is to transform the Open Enclave report from a platform-specific
+opaque blob to something like a JWT/CWT token or X.509 cert, which contains
+platform-specific attestation data embedded inside it. This makes it easy to add
+or parse claims and extend the report format. However, users would be constrained
+to the format chosen by Open Enclave and they will not be able to use their own
+custom format.
+
+Authors
+-------
+
+Name: Akash Gupta
+
+Email: akagup@microsoft.com
+
+Github username: gupta-ak

From 3d8e81f411775072ea6a755f8714d0f4128f5c9a Mon Sep 17 00:00:00 2001
From: Oprin Marius <moprin@cloudbasesolutions.com>
Date: Wed, 13 Nov 2019 07:18:48 +0200
Subject: [PATCH 281/420] Remove esy on-the-fly installation from CI containers

Signed-off-by: Oprin Marius <moprin@cloudbasesolutions.com>
---
 .jenkins/Jenkinsfile | 32 --------------------------------
 1 file changed, 32 deletions(-)

diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
index 397fa91f34..52721ec35c 100644
--- a/.jenkins/Jenkinsfile
+++ b/.jenkins/Jenkinsfile
@@ -50,10 +50,6 @@ def simulationTest(String version, String platform_mode, String build_type) {
                 checkout scm
                 withEnv(["OE_SIMULATION=1"]) {
                     def task = """
-                               pushd ${WORKSPACE}/scripts/ansible
-                               sudo ./install-ansible.sh
-                               sudo ansible-playbook oe-linux-esy-setup.yml
-                               popd
                                cmake ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DHAS_QUOTE_PROVIDER=${has_quote_provider} -Wdev
                                ninja -v
                                ctest --output-on-failure --timeout ${CTEST_TIMEOUT_SECONDS}
@@ -72,10 +68,6 @@ def AArch64GNUTest(String version, String build_type) {
                 cleanWs()
                 checkout scm
                 def task = """
-                            pushd ${WORKSPACE}/scripts/ansible
-                            sudo ./install-ansible.sh
-                            sudo ansible-playbook oe-linux-esy-setup.yml
-                            popd
                             cmake ${WORKSPACE}                                                     \
                                 -G Ninja                                                           \
                                 -DCMAKE_BUILD_TYPE=${build_type}                                   \
@@ -98,10 +90,6 @@ def ACCContainerTest(String label, String version) {
                 cleanWs()
                 checkout scm
                 def task = """
-                           pushd ${WORKSPACE}/scripts/ansible
-                           sudo ./install-ansible.sh
-                           sudo ansible-playbook oe-linux-esy-setup.yml
-                           popd
                            cmake ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=RelWithDebInfo -Wdev
                            ninja -v
                            ctest --output-on-failure --timeout ${CTEST_TIMEOUT_SECONDS}
@@ -119,10 +107,6 @@ def ACCPackageTest(String label, String version) {
                 cleanWs()
                 checkout scm
                 def task = """
-                           pushd ${WORKSPACE}/scripts/ansible
-                           sudo ./install-ansible.sh
-                           sudo ansible-playbook oe-linux-esy-setup.yml
-                           popd
                            cmake ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=RelWithDebInfo -Wdev -DCMAKE_INSTALL_PREFIX:PATH='/opt/openenclave' -DCPACK_GENERATOR=DEB
                            ninja -v
                            ninja -v package
@@ -155,10 +139,6 @@ def checkDevFlows(String version) {
                 cleanWs()
                 checkout scm
                 def task = """
-                           pushd ${WORKSPACE}/scripts/ansible
-                           sudo ./install-ansible.sh
-                           sudo ansible-playbook oe-linux-esy-setup.yml
-                           popd
                            cmake ${WORKSPACE} -G Ninja -DHAS_QUOTE_PROVIDER=OFF -Wdev --warn-uninitialized -Werror=dev
                            ninja -v
                            """
@@ -189,10 +169,6 @@ def win2016LinuxElfBuild(String version, String compiler, String build_type) {
                 cleanWs()
                 checkout scm
                 def task = """
-                           pushd ${WORKSPACE}/scripts/ansible
-                           sudo ./install-ansible.sh
-                           sudo ansible-playbook oe-linux-esy-setup.yml
-                           popd
                            cmake ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DHAS_QUOTE_PROVIDER=ON -Wdev
                            ninja -v
                            """
@@ -261,10 +237,6 @@ def ACCHostVerificationTest(String version, String build_type) {
 
                     println("Generating certificates and reports ...")
                     def task = """
-                            pushd ${WORKSPACE}/scripts/ansible
-                            sudo ./install-ansible.sh
-                            sudo ansible-playbook oe-linux-esy-setup.yml
-                            popd
                             cmake ${WORKSPACE} -G Ninja -DHAS_QUOTE_PROVIDER=ON -DCMAKE_BUILD_TYPE=${build_type} -Wdev
                             ninja -v
                             pushd tests/host_verify/host
@@ -311,10 +283,6 @@ def ACCHostVerificationTest(String version, String build_type) {
                     checkout scm
                     unstash "linux_host_verify-${build_type}-${BUILD_NUMBER}"
                     def task = """
-                            pushd ${WORKSPACE}/scripts/ansible
-                            sudo ./install-ansible.sh
-                            sudo ansible-playbook oe-linux-esy-setup.yml
-                            popd
                             cmake ${WORKSPACE} -G Ninja -DBUILD_ENCLAVES=OFF -DHAS_QUOTE_PROVIDER=OFF -DCMAKE_BUILD_TYPE=${build_type} -Wdev
                             ninja -v
                             ctest -R host_verify --output-on-failure --timeout ${CTEST_TIMEOUT_SECONDS}

From d83bfcc8e06dd02025e3f2eaa35e0aa757b042b2 Mon Sep 17 00:00:00 2001
From: chrisrod-MSFT <chrisrod@microsoft.com>
Date: Wed, 13 Nov 2019 07:16:01 -0500
Subject: [PATCH 282/420] Added try catch finally and use of oe.emailJobStatus
 for statrted and currentBuild.result to Packaging and libcxx jenkinsfiles. 
 Also added copyright.

Signed-off-by: chrisrod-MSFT <chrisrod@microsoft.com>
---
 .jenkins/Packaging.Jenkinsfile    | 18 +++++++++++++++++-
 .jenkins/libcxx_tests.Jenkinsfile | 12 ++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/.jenkins/Packaging.Jenkinsfile b/.jenkins/Packaging.Jenkinsfile
index e1ee3f5056..feef87cf64 100644
--- a/.jenkins/Packaging.Jenkinsfile
+++ b/.jenkins/Packaging.Jenkinsfile
@@ -1,8 +1,12 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
 @Library("OpenEnclaveCommon") _
 oe = new jenkins.common.Openenclave()
 
 GLOBAL_TIMEOUT_MINUTES = 240
 CTEST_TIMEOUT_SECONDS = 480
+GLOBAL_ERROR = null
 
 def LinuxPackaging(String version, String build_type) {
     stage("Ubuntu${version} SGX1FLC Package ${build_type}") {
@@ -48,7 +52,10 @@ def WindowsPackaging(String build_type) {
     }
 }
 
-parallel "1604 SGX1FLC Package Debug" :          { LinuxPackaging('1604', 'Debug') },
+try{
+    oe.emailJobStatus('STARTED')
+
+    parallel "1604 SGX1FLC Package Debug" :          { LinuxPackaging('1604', 'Debug') },
          "1604 SGX1FLC Package Release" :        { LinuxPackaging('1604', 'Release') },
          "1604 SGX1FLC Package RelWithDebInfo" : { LinuxPackaging('1604', 'RelWithDebInfo') },
          "1804 SGX1FLC Package Debug" :          { LinuxPackaging('1804', 'Debug') },
@@ -56,3 +63,12 @@ parallel "1604 SGX1FLC Package Debug" :          { LinuxPackaging('1604', 'Debug
          "1804 SGX1FLC Package RelWithDebInfo" : { LinuxPackaging('1804', 'RelWithDebInfo') },
          "Windows Debug" :                       { WindowsPackaging('DEBUG') },
          "Windows Release" :                     { WindowsPackaging('RELEASE') }
+}catch(Exception e)
+{
+    println "Caught global pipeline exception :" + e
+    GLOBAL_ERROR = e
+    throw e   
+} finally {
+    currentBuild.result = (GLOBAL_ERROR != null) ? 'FAILURE' : "SUCCESS"    
+    oe.emailJobStatus(currentBuild.result)
+}
\ No newline at end of file
diff --git a/.jenkins/libcxx_tests.Jenkinsfile b/.jenkins/libcxx_tests.Jenkinsfile
index 45746e5a79..6d11e3a4c1 100644
--- a/.jenkins/libcxx_tests.Jenkinsfile
+++ b/.jenkins/libcxx_tests.Jenkinsfile
@@ -1,3 +1,6 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
 import hudson.slaves.*
 import hudson.model.*
 
@@ -6,6 +9,7 @@ oe = new jenkins.common.Openenclave()
 
 GLOBAL_TIMEOUT_MINUTES = 240
 CTEST_TIMEOUT_SECONDS = 480
+GLOBAL_ERROR = null
 
 XENIAL_LABEL = "LIBCXX-${BUILD_NUMBER}-1604"
 BIONIC_LABEL = "LIBCXX-${BUILD_NUMBER}-1804"
@@ -108,6 +112,8 @@ def cleanup(){
 }
 
 try {
+    oe.emailJobStatus('STARTED')
+
     for (int i = 1 ; i <= AGENT_NUM ; i++ ) {
         parallel "Deploy Ubuntu 16.04 #${i}" :  { ACCDeployVM("${XENIAL_LABEL}-${i}".toLowerCase(), "xenial" , "eastus", XENIAL_RG, "${VHD_URL_XENIAL}") },
                  "Deploy Ubuntu 18.04 #${i}" :  { ACCDeployVM("${BIONIC_LABEL}-${i}".toLowerCase(), "bionic", "westeurope", BIONIC_RG, "${VHD_URL_BIONIC}") }
@@ -127,7 +133,13 @@ try {
              "libcxx ACC1804 gcc Debug" :              { ACClibcxxTest(BIONIC_LABEL, 'gcc', 'Debug') },
              "libcxx ACC1804 gcc Release" :            { ACClibcxxTest(BIONIC_LABEL, 'gcc', 'Release') },
              "libcxx ACC1804 gcc RelWithDebInfo" :     { ACClibcxxTest(BIONIC_LABEL, 'gcc', 'RelWithDebinfo') }
+}catch(Exception e){
+    println "Caught global pipeline exception :" + e
+    GLOBAL_ERROR = e
+    throw e   
 } finally {
     cleanup()
     unregisterJenkinsSlaves()
+    currentBuild.result = (GLOBAL_ERROR != null) ? 'FAILURE' : "SUCCESS"    
+    oe.emailJobStatus(currentBuild.result)
 }

From 08059a19abeb1274d72d61d6b60620007e273525 Mon Sep 17 00:00:00 2001
From: chrisrod-MSFT <chrisrod@microsoft.com>
Date: Wed, 13 Nov 2019 14:45:56 -0500
Subject: [PATCH 283/420] Fix whitespace & newline issues per PR comments

Signed-off-by: chrisrod-MSFT <chrisrod@microsoft.com>
---
 .jenkins/Jenkinsfile              | 6 ++----
 .jenkins/Packaging.Jenkinsfile    | 6 ++----
 .jenkins/libcxx_tests.Jenkinsfile | 2 +-
 3 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
index b18b5c5716..22051dcd77 100644
--- a/.jenkins/Jenkinsfile
+++ b/.jenkins/Jenkinsfile
@@ -357,7 +357,6 @@ properties([buildDiscarder(logRotator(artifactDaysToKeepStr: '90',
 
 try{
     oe.emailJobStatus('STARTED')
-
     parallel "Check Developer Experience Ubuntu 16.04" :            { checkDevFlows('16.04') },
             "Check Developer Experience Ubuntu 18.04" :            { checkDevFlows('18.04') },
             "Check CI" :                                           { checkCI() },
@@ -393,12 +392,11 @@ try{
             "Win2016 Release Cross Compile with DCAP libs" :       { win2016CrossCompile('Release', 'ON') },
             "Host verification Debug" :                            { ACCHostVerificationTest('18.04', 'Debug') },
             "Host verification Release" :                          { ACCHostVerificationTest('18.04', 'Release') }
-}catch(Exception e)
-{
+} catch(Exception e) {
     println "Caught global pipeline exception :" + e
     GLOBAL_ERROR = e
     throw e   
 } finally {
     currentBuild.result = (GLOBAL_ERROR != null) ? 'FAILURE' : "SUCCESS"    
     oe.emailJobStatus(currentBuild.result)
-}
\ No newline at end of file
+}
diff --git a/.jenkins/Packaging.Jenkinsfile b/.jenkins/Packaging.Jenkinsfile
index feef87cf64..d46ef47976 100644
--- a/.jenkins/Packaging.Jenkinsfile
+++ b/.jenkins/Packaging.Jenkinsfile
@@ -54,7 +54,6 @@ def WindowsPackaging(String build_type) {
 
 try{
     oe.emailJobStatus('STARTED')
-
     parallel "1604 SGX1FLC Package Debug" :          { LinuxPackaging('1604', 'Debug') },
          "1604 SGX1FLC Package Release" :        { LinuxPackaging('1604', 'Release') },
          "1604 SGX1FLC Package RelWithDebInfo" : { LinuxPackaging('1604', 'RelWithDebInfo') },
@@ -63,12 +62,11 @@ try{
          "1804 SGX1FLC Package RelWithDebInfo" : { LinuxPackaging('1804', 'RelWithDebInfo') },
          "Windows Debug" :                       { WindowsPackaging('DEBUG') },
          "Windows Release" :                     { WindowsPackaging('RELEASE') }
-}catch(Exception e)
-{
+} catch(Exception e) {
     println "Caught global pipeline exception :" + e
     GLOBAL_ERROR = e
     throw e   
 } finally {
     currentBuild.result = (GLOBAL_ERROR != null) ? 'FAILURE' : "SUCCESS"    
     oe.emailJobStatus(currentBuild.result)
-}
\ No newline at end of file
+}
diff --git a/.jenkins/libcxx_tests.Jenkinsfile b/.jenkins/libcxx_tests.Jenkinsfile
index 6d11e3a4c1..6af484c27d 100644
--- a/.jenkins/libcxx_tests.Jenkinsfile
+++ b/.jenkins/libcxx_tests.Jenkinsfile
@@ -133,7 +133,7 @@ try {
              "libcxx ACC1804 gcc Debug" :              { ACClibcxxTest(BIONIC_LABEL, 'gcc', 'Debug') },
              "libcxx ACC1804 gcc Release" :            { ACClibcxxTest(BIONIC_LABEL, 'gcc', 'Release') },
              "libcxx ACC1804 gcc RelWithDebInfo" :     { ACClibcxxTest(BIONIC_LABEL, 'gcc', 'RelWithDebinfo') }
-}catch(Exception e){
+} catch(Exception e) {
     println "Caught global pipeline exception :" + e
     GLOBAL_ERROR = e
     throw e   

From c96cff40c65eb8a022764bb9524d4fb59d4d37f7 Mon Sep 17 00:00:00 2001
From: chrisrod-MSFT <chrisrod@microsoft.com>
Date: Wed, 13 Nov 2019 14:51:24 -0500
Subject: [PATCH 284/420] Fixed extra newline per comment on PR.

Signed-off-by: chrisrod-MSFT <chrisrod@microsoft.com>
---
 .jenkins/libcxx_tests.Jenkinsfile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.jenkins/libcxx_tests.Jenkinsfile b/.jenkins/libcxx_tests.Jenkinsfile
index 6af484c27d..892968579a 100644
--- a/.jenkins/libcxx_tests.Jenkinsfile
+++ b/.jenkins/libcxx_tests.Jenkinsfile
@@ -113,7 +113,6 @@ def cleanup(){
 
 try {
     oe.emailJobStatus('STARTED')
-
     for (int i = 1 ; i <= AGENT_NUM ; i++ ) {
         parallel "Deploy Ubuntu 16.04 #${i}" :  { ACCDeployVM("${XENIAL_LABEL}-${i}".toLowerCase(), "xenial" , "eastus", XENIAL_RG, "${VHD_URL_XENIAL}") },
                  "Deploy Ubuntu 18.04 #${i}" :  { ACCDeployVM("${BIONIC_LABEL}-${i}".toLowerCase(), "bionic", "westeurope", BIONIC_RG, "${VHD_URL_BIONIC}") }

From 0de5a75d943192befc4dfa6add365fe0e9fa0db1 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Wed, 13 Nov 2019 10:12:45 -0800
Subject: [PATCH 285/420] Fix code formatting in Windows Getting Started doc

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 .../Contributors/WindowsSGX1FLCGettingStarted.md          | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index 8d6d6ed244..0df77cc16f 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -17,11 +17,11 @@ A version of Windows OS with native support for SGX features:
 
 - Clone the Open Enclave SDK.
 
-      ```powershell
-      git clone https://github.com/openenclave/openenclave.git
-      ```
+```powershell
+git clone https://github.com/openenclave/openenclave.git
+```
 
-      This creates a source tree under the directory called openenclave.
+This creates a source tree under the directory called openenclave.
 
 ## Install project prerequisites
 

From b6d930bb16ae1cd67774ed9e097884d26eb4479e Mon Sep 17 00:00:00 2001
From: chrisrod-MSFT <chrisrod@microsoft.com>
Date: Wed, 13 Nov 2019 15:56:11 -0500
Subject: [PATCH 286/420] Initial round of changes to update references
 (scripts and documentation) for new SGX version.

Signed-off-by: chrisrod-MSFT <chrisrod@microsoft.com>
---
 CHANGELOG.md                                       |  2 ++
 .../Contributors/BuildingInADockerContainer.md     |  4 ++--
 .../WindowsManualSGX1FLCDCAPPrereqs.md             | 14 +++++++-------
 .../Contributors/WindowsManualSGX1Prereqs.md       | 14 ++++++--------
 .../install_oe_sdk-Ubuntu_16.04.md                 |  2 +-
 .../install_oe_sdk-Ubuntu_18.04.md                 |  2 +-
 scripts/ansible/oe-windows-acc-setup.yml           |  8 ++++----
 scripts/ansible/roles/linux/intel/vars/bionic.yml  |  2 +-
 scripts/ansible/roles/linux/intel/vars/xenial.yml  |  2 +-
 9 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e2a12215fe..42129f9c6f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
       of Origin](https://developercertificate.org). For details, see
       [Contributing to Open Enclave](docs/Contributing.md).
     - The copyright for all sources is now attributed to Open Enclave SDK contributors.
+- Update Intel DCAP library dependencies to 1.3.1.
+- Update Intel PSW dependencies to 2.5.101.3 on Windows.
 
 [v0.7.0] - 2019-10-26
 ---------------------
diff --git a/docs/GettingStartedDocs/Contributors/BuildingInADockerContainer.md b/docs/GettingStartedDocs/Contributors/BuildingInADockerContainer.md
index 63ee25fe67..8440152e10 100644
--- a/docs/GettingStartedDocs/Contributors/BuildingInADockerContainer.md
+++ b/docs/GettingStartedDocs/Contributors/BuildingInADockerContainer.md
@@ -11,9 +11,9 @@
 2. Install the appropriate Intel SGX Driver for your platform. For example, if you're running on an SGX1 with FLC system, you'll probably want to install the Intel SGX DCAP Driver for your platfrom: https://01.org/intel-software-guard-extensions/downloads
     - If you're running on an SGX with FLC system, you'll probably want to install the Intel SGX DCAP Driver for your platfrom: https://01.org/intel-softwareguard-extensions/downloads/intel-sgx-dcap-linux-1.3-release
     - If you're running on an SGX without FLC system, you'll want to install the Intel SGX Driver for your platform: https://01.org/intel-softwareguard-extensions/downloads/intel-sgx-linux-2.7-release
-    - The driver you're looking for is a ".bin" file, for either Ubuntu 16.04 or 18.04 releases. It will be named something like: `sgx_linux_x64_driver_1.13.bin`
+    - The driver you're looking for is a ".bin" file, for either Ubuntu 16.04 or 18.04 releases. It will be named something like: `sgx_linux_x64_driver_1.20.bin`
     - To install this driver, simply run it as root like this:
-        - `sudo bash ./sgx_linux_x64_driver_1.13.bin`
+        - `sudo bash ./sgx_linux_x64_driver_1.20.bin`
 
 3. Pull the latest oetools-full image for Open Enclave from *either* of these two distributions:
     - https://hub.docker.com/r/oeciteam/oetools-full-16.04
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
index cf59092463..305e38519c 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
@@ -1,10 +1,10 @@
 # SGX1 with Flexible Launch Control (FLC) Prerequisites on Windows
 
-## [Intel Platform Software for Windows (PSW) v2.5](http://registrationcenter-download.intel.com/akdlm/irc_nas/15929/Intel%20SGX%20PSW%20for%20Windows%20v2.5.100.2.exe)
+## [Intel Platform Software for Windows (PSW) v2.5](http://registrationcenter-download.intel.com/akdlm/irc_nas/16115/Intel%20SGX%20PSW%20for%20Windows%20v2.5.101.3.exe)
 
 After unpacking the self-extracting ZIP executable, install the *PSW_EXE_RS2_and_before* version:
 ```cmd
-C:\Intel SGX PSW for Windows v2.5.100.2\PSW_EXE_RS2_and_before\Intel(R)_SGX_Windows_x64_PSW_2.5.100.2.exe"
+C:\Intel SGX PSW for Windows v2.5.101.3\PSW_EXE_RS2_and_before\Intel(R)_SGX_Windows_x64_PSW_2.5.101.3.exe"
 ```
 
 ## [Azure DCAP client for Windows](https://github.com/Microsoft/Azure-DCAP-Client/tree/master/src/Windows) [optional]
@@ -14,15 +14,15 @@ The Azure DCAP client for Windows is necessary if you would like to perform encl
 This example assumes that `C:\oe_prereqs` is where you would like the prerequisites to be installed.
 
 ```cmd
-nuget.exe install Azure.DCAP.Windows -ExcludeVersion -Version 0.0.3 -OutputDirectory C:\oe_prereqs
+nuget.exe install Azure.DCAP.Windows -ExcludeVersion -Version 0.0.4 -OutputDirectory C:\oe_prereqs
 ```
 This example assumes you would like to install the package to `C:\oe_prereqs`.
 
-##### [Intel Data Center Attestation Primitives (DCAP) Libraries v1.3](http://registrationcenter-download.intel.com/akdlm/irc_nas/16014/Intel%20SGX%20DCAP%20for%20Windows%20v1.3.100.4.exe)
+##### [Intel Data Center Attestation Primitives (DCAP) Libraries v1.3](http://registrationcenter-download.intel.com/akdlm/irc_nas/16114/Intel%20SGX%20DCAP%20for%20Windows%20v1.3.101.3.exe)
 After unpacking the self-extracting ZIP executable, you can refer to the *Intel SGX DCAP Windows SW Installation Guide.pdf*
 for more details on how to install the contents of the package.
 
-The following summary will assume that the contents were extracted to `C:\Intel SGX DCAP for Windows v1.3.100.4`:
+The following summary will assume that the contents were extracted to `C:\Intel SGX DCAP for Windows v1.3.101.3`:
 
 1. Unzip the required drivers from the extracted subfolders:
     - `LC_driver_WinServer2016\Signed_*.zip`
@@ -49,7 +49,7 @@ The following summary will assume that the contents were extracted to `C:\Intel
 4. Install the DCAP nuget packages:
     - The standalone `nuget.exe` [CLI tool](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) can be used to do this from the command prompt:
       ```cmd
-      nuget.exe install DCAP_Components -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.3.100.4\nuget" -OutputDirectory c:\oe_prereqs
-      nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.3.100.4\nuget" -OutputDirectory c:\oe_prereqs
+      nuget.exe install DCAP_Components -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.3.101.3\nuget" -OutputDirectory c:\oe_prereqs
+      nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.3.101.3\nuget" -OutputDirectory c:\oe_prereqs
       ```
     - *Note:* EnclaveCommonAPI should be installed as the *very last* nuget package as a temporary workaround for a dependency issue. Please see issue #2170, for more details.
diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
index 8c6be18182..f35f181b23 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1Prereqs.md
@@ -8,7 +8,7 @@ command line.
 
 Windows Server 2016 image for an Azure Confidential Compute VM has a Windows version
 lower than 1709, and therefore you need to install PSW v2.4 or above manually.
-You can download [PSW v2.5](http://registrationcenter-download.intel.com/akdlm/irc_nas/15929/Intel%20SGX%20PSW%20for%20Windows%20v2.5.100.2.exe),
+You can download [PSW v2.5](http://registrationcenter-download.intel.com/akdlm/irc_nas/16115/Intel%20SGX%20PSW%20for%20Windows%20v2.5.101.3.exe),
 extract the zipped files, and run the executable under folder **PSW_EXE_RS2_and_before**
 to install PSW 2.5.
 
@@ -38,17 +38,15 @@ The Intel Enclave Common API library is necessary for creating, initializing, an
 It does not supporting quoting, and consequentially, attestation which is based on quoting. The lack
 of quoting capability is a limitation of SGX1 machines which don't have FLC support.
 
-Firstly we download the Intel SGX DCAP self-extracting executable from [here](http://registrationcenter-download.intel.com/akdlm/irc_nas/16014/Intel%20SGX%20DCAP%20for%20Windows%20v1.3.100.4.exe). Run the executable to unzip files to a specified location.
-The following summary will assume that the contents were extracted to `C:\Intel SGX DCAP for Windows v1.3.100.4`:
+Firstly we download the Intel SGX DCAP self-extracting executable from [here](http://registrationcenter-download.intel.com/akdlm/irc_nas/16114/Intel%20SGX%20DCAP%20for%20Windows%20v1.3.101.3.exe). Run the executable to unzip files to a specified location.
+The following summary will assume that the contents were extracted to `C:\Intel SGX DCAP for Windows v1.3.101.3`:
 
 Make sure you have [nuget cli tool](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe) installed and in your path,
 run the following command from a command prompt (assuming you would like the package to be installed to `C:\oe_prereqs`):
 ```cmd
-<<<<<<< HEAD
-nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.2.100.49925\nuget" -OutputDirectory C:\oe_prereqs
-=======
-nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.3.100.4\nuget" -OutputDirectory C:\path\to\where\you\would\like\to\install\intel_nuget_packages
->>>>>>> Update all docs and ansible to use latest Intel SGX versions
+
+nuget.exe install EnclaveCommonAPI -ExcludeVersion -Source "C:\Intel SGX DCAP for Windows v1.3.101.3\nuget" -OutputDirectory C:\path\to\where\you\would\like\to\install\intel_nuget_packages
+
 ```
 
 You can verify that the library is installed properly by checking whether `sgx_enclave_common.lib` exists in the folder `C:\oe_prereqs`.
diff --git a/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_16.04.md b/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_16.04.md
index f663adf86f..16f2c697ba 100644
--- a/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_16.04.md
+++ b/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_16.04.md
@@ -26,7 +26,7 @@ wget -qO - https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add
 ```bash
 sudo apt update
 sudo apt -y install dkms
-wget https://download.01.org/intel-sgx/sgx-dcap/1.3/linux/distro/ubuntuServer16.04/sgx_linux_x64_driver_1.13.bin -O sgx_linux_x64_driver.bin
+wget https://download.01.org/intel-sgx/sgx-dcap/1.3.1/linux/distro/ubuntuServer16.04/sgx_linux_x64_driver_1.20.bin -O sgx_linux_x64_driver.bin
 chmod +x sgx_linux_x64_driver.bin
 sudo ./sgx_linux_x64_driver.bin
 ```
diff --git a/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_18.04.md b/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_18.04.md
index 11b11f46a0..c7ebf507ae 100644
--- a/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_18.04.md
+++ b/docs/GettingStartedDocs/install_oe_sdk-Ubuntu_18.04.md
@@ -26,7 +26,7 @@ wget -qO - https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add
 ```bash
 sudo apt update
 sudo apt -y install dkms
-wget https://download.01.org/intel-sgx/sgx-dcap/1.3/linux/distro/ubuntuServer18.04/sgx_linux_x64_driver_1.13.bin -O sgx_linux_x64_driver.bin
+wget https://download.01.org/intel-sgx/sgx-dcap/1.3.1/linux/distro/ubuntuServer18.04/sgx_linux_x64_driver_1.20.bin -O sgx_linux_x64_driver.bin
 chmod +x sgx_linux_x64_driver.bin
 sudo ./sgx_linux_x64_driver.bin
 ```
diff --git a/scripts/ansible/oe-windows-acc-setup.yml b/scripts/ansible/oe-windows-acc-setup.yml
index da172fcf9f..078594de4b 100644
--- a/scripts/ansible/oe-windows-acc-setup.yml
+++ b/scripts/ansible/oe-windows-acc-setup.yml
@@ -8,10 +8,10 @@
   tasks:
     - name: OE setup | Set installer URLs from the OE storage account
       set_fact:
-        intel_psw_url:       "https://oejenkins.blob.core.windows.net/oejenkins/Intel%20SGX%20PSW%20for%20Windows%20v2.5.100.2.exe"
-        intel_psw_hash:      "744B52C2DEDA3EC2AAC495A4F671FE574C506C35523028584A74469911FB0707"
-        intel_dcap_url:      "https://oejenkins.blob.core.windows.net/oejenkins/Intel%20SGX%20DCAP%20for%20Windows%20v1.3.100.4.exe"
-        intel_dcap_hash:     "B74C12B68BBDB942A6FB74A14BBCEDE05E37B3388693CB3EEA2D7DB520E83572"
+        intel_psw_url:       "https://oejenkins.blob.core.windows.net/oejenkins/Intel%20SGX%20PSW%20for%20Windows%20v2.5.101.3.exe"
+        intel_psw_hash:      "D904964872A49426D3BFD0249752403DC746611F92F4FF6B95F64F336744323C"
+        intel_dcap_url:      "https://oejenkins.blob.core.windows.net/oejenkins/Intel%20SGX%20DCAP%20for%20Windows%20v1.3.101.3.exe"
+        intel_dcap_hash:     "27C1CC7F8434A704853FC3BFE15723F6F507CB09BF79B248A09A9ED0EED48A01"
         git_url:             "https://oejenkins.blob.core.windows.net/oejenkins/Git-2.19.1-64-bit.exe"
         git_hash:            "5E11205840937DD4DFA4A2A7943D08DA7443FAA41D92CCC5DAFBB4F82E724793"
         seven_zip_url:       "https://oejenkins.blob.core.windows.net/oejenkins/7z1806-x64.msi"
diff --git a/scripts/ansible/roles/linux/intel/vars/bionic.yml b/scripts/ansible/roles/linux/intel/vars/bionic.yml
index 894d5c7059..de4b425227 100644
--- a/scripts/ansible/roles/linux/intel/vars/bionic.yml
+++ b/scripts/ansible/roles/linux/intel/vars/bionic.yml
@@ -2,7 +2,7 @@
 # Licensed under the MIT License.
 
 ---
-intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/sgx-dcap/1.3/linux/distro/ubuntuServer18.04/sgx_linux_x64_driver_1.13.bin"
+intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/sgx-dcap/1.3.1/linux/distro/ubuntuServer18.04/sgx_linux_x64_driver_1.20.bin"
 intel_sgx1_driver_url: "https://download.01.org/intel-sgx/sgx-linux/2.7/distro/ubuntu18.04-server/sgx_linux_x64_driver_2.6.0_4f5bb63.bin"
 intel_sgx_package_dependencies:
   - "libprotobuf10"
diff --git a/scripts/ansible/roles/linux/intel/vars/xenial.yml b/scripts/ansible/roles/linux/intel/vars/xenial.yml
index 57f195836a..399b79edda 100644
--- a/scripts/ansible/roles/linux/intel/vars/xenial.yml
+++ b/scripts/ansible/roles/linux/intel/vars/xenial.yml
@@ -2,7 +2,7 @@
 # Licensed under the MIT License.
 
 ---
-intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/sgx-dcap/1.3/linux/distro/ubuntuServer16.04/sgx_linux_x64_driver_1.13.bin"
+intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/sgx-dcap/1.3.1/linux/distro/ubuntuServer16.04/sgx_linux_x64_driver_1.20.bin"
 intel_sgx1_driver_url: "https://download.01.org/intel-sgx/sgx-linux/2.7/distro/ubuntu16.04-server/sgx_linux_x64_driver_2.6.0_4f5bb63.bin"
 intel_sgx_package_dependencies:
   - "libprotobuf9v5"

From e4d42d723439c5a95f0ae6919651d0e0b7c888fb Mon Sep 17 00:00:00 2001
From: chrisrod-MSFT <chrisrod@microsoft.com>
Date: Wed, 13 Nov 2019 16:20:54 -0500
Subject: [PATCH 287/420] Updated reference to SGX DCAP PSW in PowerShell
 script.

Signed-off-by: chrisrod-MSFT <chrisrod@microsoft.com>
---
 scripts/install-windows-prereqs.ps1 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index 89f233b3e3..a2fb83c676 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -16,16 +16,16 @@ Param(
     [string]$NodeHash = 'F68B75EEA46232ADB8FD38126C977DC244166D29E7C6CD2DF930B460C38590A9',
     [string]$Clang7URL = 'http://releases.llvm.org/7.0.1/LLVM-7.0.1-win64.exe',
     [string]$Clang7Hash = '672E4C420D6543A8A9F8EC5F1E5F283D88AC2155EF4C57232A399160A02BFF57',
-    [string]$IntelPSWURL = 'http://registrationcenter-download.intel.com/akdlm/irc_nas/15929/Intel%20SGX%20PSW%20for%20Windows%20v2.5.100.2.exe',
-    [string]$IntelPSWHash = '744B52C2DEDA3EC2AAC495A4F671FE574C506C35523028584A74469911FB0707',
+    [string]$IntelPSWURL = 'http://registrationcenter-download.intel.com/akdlm/irc_nas/16115/Intel%20SGX%20PSW%20for%20Windows%20v2.5.101.3.exe',
+    [string]$IntelPSWHash = 'D904964872A49426D3BFD0249752403DC746611F92F4FF6B95F64F336744323C       ',
     [string]$ShellCheckURL = 'https://shellcheck.storage.googleapis.com/shellcheck-v0.7.0.zip',
     [string]$ShellCheckHash = '02CFA14220C8154BB7C97909E80E74D3A7FE2CBB7D80AC32ADCAC7988A95E387',
     [string]$NugetURL = 'https://www.nuget.org/api/v2/package/NuGet.exe/3.4.3',
     [string]$NugetHash = '2D4D38666E5C7D27EE487C60C9637BD9DD63795A117F0E0EDC68C55EE6DFB71F',
     [string]$DevconURL = 'https://download.microsoft.com/download/7/D/D/7DD48DE6-8BDA-47C0-854A-539A800FAA90/wdk/Installers/787bee96dbd26371076b37b13c405890.cab',
     [string]$DevconHash = 'A38E409617FC89D0BA1224C31E42AF4344013FEA046D2248E4B9E03F67D5908A',
-    [string]$IntelDCAPURL = 'http://registrationcenter-download.intel.com/akdlm/irc_nas/16014/Intel%20SGX%20DCAP%20for%20Windows%20v1.3.100.4.exe',
-    [string]$IntelDCAPHash = 'B74C12B68BBDB942A6FB74A14BBCEDE05E37B3388693CB3EEA2D7DB520E83572',
+    [string]$IntelDCAPURL = 'http://registrationcenter-download.intel.com/akdlm/irc_nas/16114/Intel%20SGX%20DCAP%20for%20Windows%20v1.3.101.3.exe',
+    [string]$IntelDCAPHash = '27C1CC7F8434A704853FC3BFE15723F6F507CB09BF79B248A09A9ED0EED48A01',
     [string]$VCRuntime2012URL = 'https://download.microsoft.com/download/1/6/B/16B06F60-3B20-4FF2-B699-5E9B7962F9AE/VSU_4/vcredist_x64.exe',
     [string]$VCRuntime2012Hash = '681BE3E5BA9FD3DA02C09D7E565ADFA078640ED66A0D58583EFAD2C1E3CC4064',
     [string]$AzureDCAPNupkgURL = 'https://www.nuget.org/api/v2/package/Azure.DCAP.Windows/0.0.3',

From aebd4771ba712864b38781a3eefcfd5f73f86f60 Mon Sep 17 00:00:00 2001
From: sewong <sewong@microsoft.com>
Date: Wed, 13 Nov 2019 14:02:58 -0800
Subject: [PATCH 288/420] Updated motivation section.

---
 docs/DesignDocs/SGX_Endorsements_V2.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/docs/DesignDocs/SGX_Endorsements_V2.md b/docs/DesignDocs/SGX_Endorsements_V2.md
index 61707b7dce..ddb7c1a54b 100644
--- a/docs/DesignDocs/SGX_Endorsements_V2.md
+++ b/docs/DesignDocs/SGX_Endorsements_V2.md
@@ -18,8 +18,9 @@ the SGX attestation endorsements and how it is used during SGX quote verificatio
 Motivation
 ----------
 
-This change is required for customers who would like to use the v2 API web endpoints. Note that the Azure PCK
-Caching Service and the Azure DCAP Client will also need to be updated and it is outside of this specification.
+This change is required for customers who would like to use the v2 API web endpoints. Note that if SGX is
+being used in an Azure data center context, the Azure PCK Caching Service and the Azure DCAP Client will 
+also need to be updated and it is outside of this specification.
 
 User Experience
 ---------------
@@ -101,7 +102,7 @@ typedef union _oe_tcb_level_status
     struct {
         uint32_t revoked : 1;                       //! "Revoked"
         uint32_t outofdate : 1;                     //! "OutOfDate"
-        uint32_t configuration_needed :1;           //! "ConfigurationNeeded"
+        uint32_t configuration_needed : 1;          //! "ConfigurationNeeded"
         uint32_t up_to_date : 1;                    //! "UpToDate"
 
         /*! "OutOfDateConfigurationNeeded"

From 229809b8ecd001230262aab5df2f0bc3dc7fd237 Mon Sep 17 00:00:00 2001
From: chrisrod-MSFT <chrisrod@microsoft.com>
Date: Wed, 13 Nov 2019 17:46:27 -0500
Subject: [PATCH 289/420] Removed trailing whitespace on hash.

Signed-off-by: chrisrod-MSFT <chrisrod@microsoft.com>
---
 scripts/install-windows-prereqs.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index a2fb83c676..cdb634d6a1 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -17,7 +17,7 @@ Param(
     [string]$Clang7URL = 'http://releases.llvm.org/7.0.1/LLVM-7.0.1-win64.exe',
     [string]$Clang7Hash = '672E4C420D6543A8A9F8EC5F1E5F283D88AC2155EF4C57232A399160A02BFF57',
     [string]$IntelPSWURL = 'http://registrationcenter-download.intel.com/akdlm/irc_nas/16115/Intel%20SGX%20PSW%20for%20Windows%20v2.5.101.3.exe',
-    [string]$IntelPSWHash = 'D904964872A49426D3BFD0249752403DC746611F92F4FF6B95F64F336744323C       ',
+    [string]$IntelPSWHash = 'D904964872A49426D3BFD0249752403DC746611F92F4FF6B95F64F336744323C',
     [string]$ShellCheckURL = 'https://shellcheck.storage.googleapis.com/shellcheck-v0.7.0.zip',
     [string]$ShellCheckHash = '02CFA14220C8154BB7C97909E80E74D3A7FE2CBB7D80AC32ADCAC7988A95E387',
     [string]$NugetURL = 'https://www.nuget.org/api/v2/package/NuGet.exe/3.4.3',

From 0240401b3921b8e0807206f3d6a01b7d93e2a2f0 Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Thu, 14 Nov 2019 18:49:43 +0000
Subject: [PATCH 290/420] Adopt Contributors Covenant v1.4 Code of Conduct

Signed-off-by: Simon Leet <simon.leet@microsoft.com>
---
 README.md                       |  8 +---
 docs/CodeOfConduct.md           | 76 +++++++++++++++++++++++++++++++++
 docs/Committers.md              |  4 +-
 docs/Contributing.md            |  8 +---
 docs/Governance.md              | 39 +++++++++++------
 samples/file-encryptor/testfile | 37 ++++++----------
 6 files changed, 122 insertions(+), 50 deletions(-)
 create mode 100644 docs/CodeOfConduct.md

diff --git a/README.md b/README.md
index f10db18858..f8bef6a2bb 100644
--- a/README.md
+++ b/README.md
@@ -59,12 +59,8 @@ This project welcomes contributions and suggestions. All contributions to the Op
 must adhere to the terms of the [Developer Certificate of Origin (DCO)](https://developercertificate.org/).
 For details, see [Contributing to Open Enclave](docs/Contributing.md).
 
-This project has adopted the
-[Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
-For more information see the
-[Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
-or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any
-additional questions or comments.
+This project follows a [Code of Conduct](docs/CodeOfConduct.md) adapted from the
+[Contributor Covenant v1.4](https://www.contributor-covenant.org).
 
 If you are interested in contributing directly to the codebase, please see the following
 documentation:
diff --git a/docs/CodeOfConduct.md b/docs/CodeOfConduct.md
new file mode 100644
index 0000000000..30915ee2f3
--- /dev/null
+++ b/docs/CodeOfConduct.md
@@ -0,0 +1,76 @@
+# Open Enclave SDK Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to make participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies within all project spaces, and it also applies when
+an individual is representing the project or its community in public spaces.
+Examples of representing a project or community include using an official
+project e-mail address, posting via an official social media account, or acting
+as an appointed representative at an online or offline event. Representation of
+a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting any member of the [Community Governance Committee](
+Committers.md#Committee_Members). All complaints will be reviewed and investigated
+and will result in a response that is deemed necessary and appropriate to the
+circumstances. The project team is obligated to maintain confidentiality with
+regard to the reporter of an incident.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq
diff --git a/docs/Committers.md b/docs/Committers.md
index 547dcb5dd9..9de79de3fb 100644
--- a/docs/Committers.md
+++ b/docs/Committers.md
@@ -46,7 +46,9 @@ The primary responsibility of the Committee is to grant new committer rights
 repositories), and to grant new membership into the Committee. Conversely, the
 Committee must also remove committer rights and membership from those found to
 be violating the project's Code of Conduct or otherwise negatively affecting the
-project's community health.
+project's community health. It is duty of each committee member to receive and
+address reported violations of the Code of Conduct while maintaining the
+confidentiality of the reporter.
 
 This Committee is not intended to make every technical decision, as those should
 generally be made by agreement among committers as PRs are reviewed and merged.
diff --git a/docs/Contributing.md b/docs/Contributing.md
index f54f6ea4cf..c0d1589b35 100644
--- a/docs/Contributing.md
+++ b/docs/Contributing.md
@@ -314,9 +314,5 @@ an issue to discuss the idea.
 Code of Conduct
 ---------------
 
-This project has adopted the [Microsoft Open Source Code of Conduct](
-https://opensource.microsoft.com/codeofconduct/).
-For more information see the [Code of Conduct FAQ](
-https://opensource.microsoft.com/codeofconduct/faq/) or contact 
-[opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional
-questions or comments.
+This project follows a [Code of Conduct](docs/CodeOfConduct.md) adapted from the
+[Contributor Covenant v1.4](https://www.contributor-covenant.org).
diff --git a/docs/Governance.md b/docs/Governance.md
index d909cb9212..d9d218a4eb 100644
--- a/docs/Governance.md
+++ b/docs/Governance.md
@@ -10,16 +10,31 @@ Our model is based on the
 [liberal contribution policy](https://opensource.guide/leadership-and-governance/).
 See [below](#accepting-contributions) for more info.
 
-Code of Conduct
----------------
-
-In order to maintain a pleasant and welcoming environment, we want to reiterate
-that it is imperative that all community members adhere to our
-[Code of Conduct](Contributing.md#code-of-conduct).
-Anyone failing to follow the Code of Conduct will be removed from the community
-by the [Community Governance Committee](Committers.md). If you are made to
-feel uncomfortable, or have any concerns about behavior within the community, we
-encourage you to reach out to members of the Community Governance Committee.
+Conflict Resolution
+-------------------
+We do not believe that all conflict is bad; healthy debate and disagreement often
+yield positive results. However, it is never okay to be disrespectful or to engage
+in behavior that violates the project’s [Code of Conduct](CodeOfConduct.md).
+
+If you see someone violating the code of conduct, you are encouraged to address
+the behavior directly with those involved. Many issues can be resolved quickly and
+easily, and this gives people more control over the outcome of their dispute. If
+you are unable to resolve the matter for any reason, or if the behavior is
+threatening or harassing, report it. We are dedicated to providing an environment
+where participants feel welcome and safe.
+
+Reports can be made to any member of the [Community Governance Committee](
+Committers.md#Committee_Members). It is the duty of the committee members to receive
+and address reports while maintaining the confidentiality of the reporter.
+
+We will investigate every complaint, but you may not receive a direct response. We
+will use our discretion in determining when and how to follow up on reported
+incidents, which may range from not taking action to permanent expulsion from the
+project and project-sponsored spaces. We will notify the accused of the report and
+provide them an opportunity to discuss it before any action is taken. The identity
+of the reporter will be omitted from the details of the report supplied to the accused.
+In potentially harmful situations, such as ongoing harassment or threats to anyone’s
+safety, we may take action without notice.
 
 Design and Development Discussions
 ----------------------------------
@@ -52,8 +67,8 @@ opening or reviewing pull requests, or other useful contributions such as
 providing support in forums or chats.
 
 See the [Community Governance Committee document](Committers.md) for more information
-on the Community Governance Committee, our process for adding new committers and Committee members, as well the
-areas of expertise for each of the committers.
+on the Community Governance Committee, our process for adding new committers and
+Committee members, as well the areas of expertise for each of the committers.
 
 Accepting Contributions
 -----------------------
diff --git a/samples/file-encryptor/testfile b/samples/file-encryptor/testfile
index e1ca9c4e96..ae36a39644 100644
--- a/samples/file-encryptor/testfile
+++ b/samples/file-encryptor/testfile
@@ -1,28 +1,15 @@
-Open Enclave SDK
-Introduction
-Open Enclave (OE) is an SDK for building enclave applications in C and C++. An enclave application partitions itself into two components (1) An untrusted component (called the host) and (2) A trusted component (called the enclave). An enclave is a secure container whose memory is protected from entities outside the enclave. These protections allow enclaves to perform secure computations with assurances that secrets will not be compromised.
-
-This SDK is a fully open-source and transparent project, which plans to generalize enclave application models across enclave implementations from different hardware vendors. It's a non-vendor specific solution that supports enclave applications both on Linux and Windows platforms.
-
-The current implementation of Open Enclave is built on Intel Software Guard Extensions (SGX), other enclave architectures (such as solutions from AMD or ARM) will be added in the future. This public preview focuses on the Linux platform.
-
-Design Overview
-The Design Overview document provides a brief design overview of the Open Enclave SDK. It describes the parts of the SDK and how they work together to create, invoke, and terminate enclaves.
-
-Getting Started
-For OE application developers, user intends to build/develop an OE application. Start here
-
-For OE Developer/Builder of OE Source, users who not only want to experience OE applications but also want to dig into how OE was implemented, and potentially contribute to this open source effort, start here
-
-Contributing
-This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, see Contributing to Open Enclave.
-
-This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
-
-See the Development Guide for details about developing code in this repo, such as coding style and development processes.
-
-Licensing
-Microsoft plans to release the Open Enclave SDK under the MIT license
+This is dummy text file consisting of only English words and punctuation:
+-------------------------------------------------------------------------
 
+Our. Fifth have saying two they're firmament, herb. Shall, set for. Open
+firmament greater creeping gently winged thing likeness abundantly fourth
+hath subdue. That multiply night. I third whose there i. Give. Morning.
+Over forth light us.
 
+Herb. Replenish. Firmament lesser their of our lesser fowl were beginning
+divided may give cattle don't deep sea, cattle night second had appear He
+over. Were were blessed, place Multiply were given.
 
+Were, two god you'll, to, had spirit together, won't likeness is first good
+greater called together dominion. Unto without subdue creeping void you
+dominion two man forth one moving abundantly multiply.

From b0cd0328dc112a3029b17ac33ca0bc0543029bd7 Mon Sep 17 00:00:00 2001
From: Amaury Chamayou <amchamay@microsoft.com>
Date: Fri, 15 Nov 2019 09:33:14 +0000
Subject: [PATCH 291/420] Make sure the latest versions of dependencies is
 present

Signed-off-by: Amaury Chamayou <amchamay@microsoft.com>
---
 .../roles/linux/az-dcap-client/tasks/stable-install.yml     | 2 +-
 scripts/ansible/roles/linux/common/tasks/apt-repo.yml       | 2 +-
 scripts/ansible/roles/linux/docker/tasks/ci-setup.yml       | 2 +-
 scripts/ansible/roles/linux/docker/tasks/stable-install.yml | 2 +-
 scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml      | 2 +-
 scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml    | 6 +++---
 scripts/ansible/roles/linux/jenkins/tasks/slave-setup.yml   | 2 +-
 .../linux/openenclave/tasks/environment-setup-cross-arm.yml | 2 +-
 .../roles/linux/openenclave/tasks/environment-setup.yml     | 2 +-
 .../roles/linux/openenclave/tasks/stable-install.yml        | 2 +-
 10 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/scripts/ansible/roles/linux/az-dcap-client/tasks/stable-install.yml b/scripts/ansible/roles/linux/az-dcap-client/tasks/stable-install.yml
index 1d360ddce2..761e928bd4 100644
--- a/scripts/ansible/roles/linux/az-dcap-client/tasks/stable-install.yml
+++ b/scripts/ansible/roles/linux/az-dcap-client/tasks/stable-install.yml
@@ -12,5 +12,5 @@
 - name: Install the official Azure-DCAP-Client APT package
   apt:
     name: az-dcap-client
-    state: present
+    state: latest
     update_cache: yes
diff --git a/scripts/ansible/roles/linux/common/tasks/apt-repo.yml b/scripts/ansible/roles/linux/common/tasks/apt-repo.yml
index d7ed70464b..5a448c3f9b 100644
--- a/scripts/ansible/roles/linux/common/tasks/apt-repo.yml
+++ b/scripts/ansible/roles/linux/common/tasks/apt-repo.yml
@@ -5,7 +5,7 @@
 - name: Install apt-transport-https APT package
   apt:
     name: apt-transport-https
-    state: present
+    state: latest
 
 - name: Add APT repository key
   apt_key:
diff --git a/scripts/ansible/roles/linux/docker/tasks/ci-setup.yml b/scripts/ansible/roles/linux/docker/tasks/ci-setup.yml
index 79c206c286..f04e9114df 100644
--- a/scripts/ansible/roles/linux/docker/tasks/ci-setup.yml
+++ b/scripts/ansible/roles/linux/docker/tasks/ci-setup.yml
@@ -16,7 +16,7 @@
 - name: Install Docker prerequisite packages
   apt:
     name: "{{ ci_apt_packages }}"
-    state: present
+    state: latest
     update_cache: yes
     install_recommends: no
 
diff --git a/scripts/ansible/roles/linux/docker/tasks/stable-install.yml b/scripts/ansible/roles/linux/docker/tasks/stable-install.yml
index 1855d02c3a..daeb986996 100644
--- a/scripts/ansible/roles/linux/docker/tasks/stable-install.yml
+++ b/scripts/ansible/roles/linux/docker/tasks/stable-install.yml
@@ -32,7 +32,7 @@
 - name: Docker | Install Docker-CE
   apt:
     name: "{{ apt_packages }}"
-    state: present
+    state: latest
     update_cache: yes
   retries: 10
   delay: 10
diff --git a/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml b/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml
index 7785a17762..2edf77021c 100644
--- a/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml
+++ b/scripts/ansible/roles/linux/intel/tasks/sgx-driver.yml
@@ -14,7 +14,7 @@
   apt:
     name:
       - "dkms"
-    state: present
+    state: latest
     update_cache: yes
     install_recommends: no
 
diff --git a/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml b/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml
index cdf630b619..7f59dfe163 100644
--- a/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml
+++ b/scripts/ansible/roles/linux/intel/tasks/sgx-packages.yml
@@ -23,21 +23,21 @@
 - name: Install the Intel libsgx package dependencies
   apt:
     name: "{{ intel_sgx_package_dependencies }}"
-    state: present
+    state: latest
     update_cache: yes
     install_recommends: no
 
 - name: Install the Intel libsgx packages
   apt:
     name: "{{ intel_sgx_packages }}"
-    state: present
+    state: latest
     update_cache: yes
     install_recommends: no
 
 - name: Install the Intel DCAP packages
   apt:
     name: "{{ intel_dcap_packages }}"
-    state: present
+    state: latest
     update_cache: yes
     install_recommends: no
   when: flc_enabled|bool
diff --git a/scripts/ansible/roles/linux/jenkins/tasks/slave-setup.yml b/scripts/ansible/roles/linux/jenkins/tasks/slave-setup.yml
index 837e7c11eb..4e49b732ce 100644
--- a/scripts/ansible/roles/linux/jenkins/tasks/slave-setup.yml
+++ b/scripts/ansible/roles/linux/jenkins/tasks/slave-setup.yml
@@ -21,7 +21,7 @@
 - name: Jenkins | Install Java JRE needed by Jenkins
   apt:
     name: openjdk-8-jre
-    state: present
+    state: latest
     update_cache: yes
   retries: 10
   delay: 10
diff --git a/scripts/ansible/roles/linux/openenclave/tasks/environment-setup-cross-arm.yml b/scripts/ansible/roles/linux/openenclave/tasks/environment-setup-cross-arm.yml
index ef8ccc4cdd..a7a368af06 100644
--- a/scripts/ansible/roles/linux/openenclave/tasks/environment-setup-cross-arm.yml
+++ b/scripts/ansible/roles/linux/openenclave/tasks/environment-setup-cross-arm.yml
@@ -29,6 +29,6 @@
 - name: Install the additional Open Enclave prerequisites APT packages for ARM development
   apt:
     name: "{{ apt_arm_packages }}"
-    state: present
+    state: latest
     update_cache: yes
     install_recommends: no
diff --git a/scripts/ansible/roles/linux/openenclave/tasks/environment-setup.yml b/scripts/ansible/roles/linux/openenclave/tasks/environment-setup.yml
index 2d1ca3ec3f..a3825df30b 100644
--- a/scripts/ansible/roles/linux/openenclave/tasks/environment-setup.yml
+++ b/scripts/ansible/roles/linux/openenclave/tasks/environment-setup.yml
@@ -26,7 +26,7 @@
 - name: Install all the Open Enclave prerequisites APT packages for development
   apt:
     name: "{{ apt_packages }}"
-    state: present
+    state: latest
     update_cache: yes
     install_recommends: no
 
diff --git a/scripts/ansible/roles/linux/openenclave/tasks/stable-install.yml b/scripts/ansible/roles/linux/openenclave/tasks/stable-install.yml
index 68c6a51981..dcbc62f154 100644
--- a/scripts/ansible/roles/linux/openenclave/tasks/stable-install.yml
+++ b/scripts/ansible/roles/linux/openenclave/tasks/stable-install.yml
@@ -15,5 +15,5 @@
 - name: Install the official Open Enclave APT package
   apt:
     name: open-enclave
-    state: present
+    state: latest
     update_cache: yes

From b7e19444c58777c2051ebc11c6259bd6fcb37545 Mon Sep 17 00:00:00 2001
From: Xuejun Yang <xuejya@microsoft.com>
Date: Fri, 8 Nov 2019 10:22:48 -0800
Subject: [PATCH 292/420] add a design doc for switchless

Signed-off-by: Xuejun Yang <xuejya@microsoft.com>

Address Dave's comments

Address Anand and Radhika's comments
---
 docs/DesignDocs/SwitchlessCalls.md | 108 +++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 docs/DesignDocs/SwitchlessCalls.md

diff --git a/docs/DesignDocs/SwitchlessCalls.md b/docs/DesignDocs/SwitchlessCalls.md
new file mode 100644
index 0000000000..7ff3538f06
--- /dev/null
+++ b/docs/DesignDocs/SwitchlessCalls.md
@@ -0,0 +1,108 @@
+Context-switchless Calls
+================
+
+## Motivation
+
+Context-switchless Calls are designed to reduce the cost of context switching between hosts and enclaves.
+In an enclave application, the host makes **ECALL**s into functions exposed by the enclaves it created. Likewise,
+the enclaves may make **OCALL**s into functions exposed by the host that created them. In either case, the
+execution has to be transitioned from an untrusted environment to a trusted environment, or vice versa. Since the
+transition is costly due to heavy security checks, for example, instruction `EENTER` alone could take hundreds of CPU
+cycles, it might be more performance advantageous to make the calls
+**context-switchless**: the caller delegates the function call to a worker thread in the other environment, which
+does the real job of calling the function and posting the result to the caller. Both the calling thread and the
+worker thread never leave their respective execution contexts during the perceived function call. By having two threads
+working on two different security contexts, each conforming to the security constraints of its own context, we could
+achieve better function call performance without sacrificing security.
+
+## Possible Usages
+
+In general, the good candidates for switchless calls are functions that are:
+1) short, thus the transition takes relatively a high percentage of the overall execution time of the call; and
+2) called frequently, so the savings in transition time adds up.
+
+If your enclave application has such functions and you are concerned with performance, consider making those
+functions context-switchless.
+
+## User Experience
+
+Firstly, the user has to identify which functions are good candidates of switchless calls. The identified ones
+need to be marked in the EDL file with a keyword `transition_using_threads`. For example, to mark function
+`host_increment_switchless` a target of switchless calls, it has to be declared as:
+
+```c
+void host_increment_switchless([in, out] int* m) transition_using_threads;
+```
+
+Secondly, while creating an enclave, the user has to explicitly configure it to enable switchless capability.
+An important setting in the configuration is how many worker threads are to be created for servicing the
+context-switchless calls. More worker threads typically means more competition for the CPU cores and more thread
+context switches, hurting the performance. On the other hand, fewer worker threads means simultaneously issued
+switchless calls are less likely to be serviced quickly, if they got serviced at all.
+We will give a guideline for users to search for the "sweet spot" of this setting.
+
+The users are encouraged to measure the performance delta between enclave applications with
+or without switchless calls, and decide on whether switchless calling should be turned on for some functions,
+and/or the ideal number of worker threads.
+
+## Specification
+
+**Information exchanges between threads**
+
+The calling thread and the worker thread need to exchange information twice during the call. When the switchless
+call is initiated, the caller needs to pass the `job` (encapsulating information regarding the function call in a
+ single object, for details see the next section) to the worker thread. And when the call finishes, the worker
+thread needs to pass the result back to the caller.
+
+**The function call as a `job`**
+
+We use the same marshalling code for both switchless calls and regular calls. Essentially, the `job` contains
+information like the function table, the function ID, the input parameters flattened in a contiguous buffer,
+and reserved spaces for output parameters and return value. Since the call is represented the same way for
+both switchless calls and regular calls, we have the flexibility of converting a switchless call into a
+regular call, or vice versa, at any point prior to the call is fulfilled.
+
+**Thread synchronizations**
+
+Both exchanges between the calling thread and the worker thread need to be synchronized. Whenever possible,
+we use atomic operations to such exchanges for performance reasons. We will also ensure the compiler doesn't
+introduce out-of-order execution in the case one thread writes data which is then consumed by another thread. Obviously,
+there is a M:N mapping between the calling threads and the worker threads. To simplify synchronization, instead
+of having a queue that is shared by worker threads, we choose to set up a queue for each worker thread, so that
+`jobs` posted to one worker thread do not interfere with `jobs` posted to another worker
+thread. With a further simplification, we limit the queue length to 1. Effectively, this means there is at
+most one `job` waiting to be serviced by a worker thread. This avoids interference between `jobs` posted to
+the same worker thread, i.e., a time-consuming switchless call stalls the next switchless call on the same thread.
+
+**Sleep/wake of worker threads**
+
+The worker threads are idle when there are no incoming switchless calls. To save CPU cycles, we will put a
+worker thread to sleep when it is idle for a prolonged period of time. Subsequently, a calling thread has to
+wake it up before posting a `job` to it.
+
+**Fallback to regular calls**
+
+Since we have a limited number of worker threads, and the queue for each worker thread is just one, obviously
+a switchless call could be dropped due to all worker threads are busy. In this case, we fall back to the regular
+**ECALL**/**OCALL**.
+
+**Security considerations**
+
+Switchless calls depend on switchless manager, an object manages the worker threads and their queues. Since it
+exists in the untrusted memory, we have to assume it could be maliciously manipulated. The switchless handling
+inside the enclave must be guarded against such manipulations. In any case, deny-of-service is outside the scope
+since DoS is possible even with regular ECALL/OCALLs.
+
+
+**Switchless OCALLs first**
+
+Based on customer feedback, we have decided to deliver switchless OCALLs first. Please contact us if you have
+strong demand for switchless ECALLs.
+
+
+Authors
+-------
+
+Xuejun Yang (xuejya@microsoft.com)
+
+Anand Krishnamoorthi (anakrish@microsoft.com)

From f1a6f00ab9e363e56250ee98658865208bcc8197 Mon Sep 17 00:00:00 2001
From: Akash Gupta <akagup@microsoft.com>
Date: Mon, 4 Nov 2019 04:41:10 +0000
Subject: [PATCH 293/420] Added attestation plugin runtime implementation.

Signed-off-by: Akash Gupta <akagup@microsoft.com>
---
 common/attest_plugin.c                   | 445 +++++++++++++++++++++++
 common/result.c                          |   3 +
 enclave/CMakeLists.txt                   |   1 +
 host/CMakeLists.txt                      |   1 +
 include/CMakeLists.txt                   |   1 +
 include/openenclave/attestation_plugin.h | 430 ++++++++++++++++++++++
 include/openenclave/bits/report.h        |  78 ++++
 include/openenclave/bits/result.h        |   5 +
 include/openenclave/internal/report.h    |   4 +
 9 files changed, 968 insertions(+)
 create mode 100644 common/attest_plugin.c
 create mode 100644 include/openenclave/attestation_plugin.h

diff --git a/common/attest_plugin.c b/common/attest_plugin.c
new file mode 100644
index 0000000000..b87bc42d4e
--- /dev/null
+++ b/common/attest_plugin.c
@@ -0,0 +1,445 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <openenclave/attestation_plugin.h>
+#include <openenclave/bits/defs.h>
+#include <openenclave/bits/safemath.h>
+#include <openenclave/internal/print.h>
+#include <openenclave/internal/raise.h>
+#include <openenclave/internal/report.h>
+#include <openenclave/internal/sgxtypes.h>
+#include <openenclave/internal/utils.h>
+#include <stdio.h>
+#include <string.h>
+
+#ifndef OE_BUILD_ENCLAVE
+#include <pthread.h>
+#endif
+
+#include "common.h"
+
+/**
+ * Header that the OE runtime puts ontop of the attestation plugins.
+ */
+typedef struct _oe_attestation_header
+{
+    /* Set to OE_ATTESTATION_HEADER_VERSION. */
+    uint32_t version;
+
+    /* UUID to identify format. */
+    uuid_t format_id;
+
+    /* Size of evidence/endorsements sent to the plugin. */
+    uint64_t data_size;
+
+    /* The actual data */
+    uint8_t data[];
+
+    /* data_size bytes that follows the header will be sent to a plugin. */
+} oe_attestation_header_t;
+
+// Struct definition to represent the list of plugins.
+struct plugin_list_node_t
+{
+    oe_attestation_role_t* plugin;
+    struct plugin_list_node_t* next;
+};
+
+// Variables storing the attester and verifier lists.
+struct plugin_list_node_t* attesters = NULL;
+struct plugin_list_node_t* verifiers = NULL;
+
+// Finds the plugin node with the given ID. If found, the function
+// will return the node and store the pointer of the previous node
+// in prev (NULL for the head pointer). If not found, the function
+// will return NULL.
+static struct plugin_list_node_t* _find_plugin(
+    struct plugin_list_node_t* head,
+    const uuid_t* target_format_id,
+    struct plugin_list_node_t** prev)
+{
+    struct plugin_list_node_t* ret = NULL;
+    struct plugin_list_node_t* cur = NULL;
+
+    if (prev)
+        *prev = NULL;
+
+    // Find a plugin for attestation type.
+    cur = head;
+    while (cur)
+    {
+        if (memcmp(&cur->plugin->format_id, target_format_id, sizeof(uuid_t)) ==
+            0)
+        {
+            ret = cur;
+            break;
+        }
+        if (prev)
+            *prev = cur;
+        cur = cur->next;
+    }
+
+    return ret;
+}
+
+static oe_result_t _register_plugin(
+    struct plugin_list_node_t** list,
+    oe_attestation_role_t* plugin,
+    const void* config_data,
+    size_t config_data_size)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    struct plugin_list_node_t* plugin_node = NULL;
+
+    if (!list || !plugin)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    plugin_node = _find_plugin(*list, &plugin->format_id, NULL);
+    if (plugin_node)
+    {
+        plugin_node = NULL;
+        OE_RAISE(OE_ALREADY_EXISTS);
+    }
+
+    plugin_node = (struct plugin_list_node_t*)oe_malloc(sizeof(*plugin_node));
+    if (plugin_node == NULL)
+        OE_RAISE(OE_OUT_OF_MEMORY);
+
+    // Run the register function for the plugin.
+    OE_CHECK(plugin->on_register(plugin, config_data, config_data_size));
+
+    // Add to the plugin list.
+    plugin_node->plugin = plugin;
+    plugin_node->next = *list;
+    *list = plugin_node;
+    plugin_node = NULL;
+
+    result = OE_OK;
+
+done:
+    if (plugin_node != NULL)
+        oe_free(plugin_node);
+
+    return result;
+}
+
+static oe_result_t _unregister_plugin(
+    struct plugin_list_node_t** list,
+    oe_attestation_role_t* plugin)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    struct plugin_list_node_t* prev = NULL;
+    struct plugin_list_node_t* cur = NULL;
+
+    if (!list || !plugin)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    // Find the guid and remove it.
+    cur = _find_plugin(*list, &plugin->format_id, &prev);
+    if (cur == NULL)
+        OE_RAISE(OE_NOT_FOUND);
+
+    if (prev != NULL)
+        prev->next = cur->next;
+    else
+        *list = cur->next;
+
+    // Run the unregister hook for the plugin.
+    OE_CHECK(cur->plugin->on_unregister(cur->plugin));
+
+    result = OE_OK;
+
+done:
+    oe_free(cur);
+    return result;
+}
+
+oe_result_t oe_register_attester(
+    oe_attester_t* plugin,
+    const void* config_data,
+    size_t config_data_size)
+{
+    return _register_plugin(
+        &attesters,
+        (oe_attestation_role_t*)plugin,
+        config_data,
+        config_data_size);
+}
+
+oe_result_t oe_register_verifier(
+    oe_verifier_t* plugin,
+    const void* config_data,
+    size_t config_data_size)
+{
+    return _register_plugin(
+        &verifiers,
+        (oe_attestation_role_t*)plugin,
+        config_data,
+        config_data_size);
+}
+
+oe_result_t oe_unregister_attester(oe_attester_t* plugin)
+{
+    return _unregister_plugin(&attesters, (oe_attestation_role_t*)plugin);
+}
+
+oe_result_t oe_unregister_verifier(oe_verifier_t* plugin)
+{
+    return _unregister_plugin(&verifiers, (oe_attestation_role_t*)plugin);
+}
+
+static oe_result_t _wrap_with_header(
+    const uuid_t* format_id,
+    const uint8_t* data,
+    size_t data_size,
+    uint8_t** total_data,
+    size_t* total_data_size)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    oe_attestation_header_t* header;
+
+    OE_CHECK(oe_safe_add_sizet(sizeof(*header), data_size, total_data_size));
+
+    *total_data = (uint8_t*)oe_malloc(*total_data_size);
+    if (*total_data == NULL)
+        OE_RAISE(OE_OUT_OF_MEMORY);
+
+    header = (oe_attestation_header_t*)*total_data;
+    header->version = OE_ATTESTATION_HEADER_VERSION;
+    header->format_id = *format_id;
+    header->data_size = data_size;
+    memcpy(header->data, data, data_size);
+
+    result = OE_OK;
+
+done:
+    return result;
+}
+
+oe_result_t oe_get_evidence(
+    const uuid_t* format_id,
+    uint32_t flags,
+    const oe_claim_t* custom_claims,
+    size_t custom_claims_length,
+    const void* opt_params,
+    size_t opt_params_size,
+    uint8_t** evidence_buffer,
+    size_t* evidence_buffer_size,
+    uint8_t** endorsements_buffer,
+    size_t* endorsements_buffer_size)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    struct plugin_list_node_t* plugin_node = NULL;
+    oe_attester_t* plugin = NULL;
+    uint8_t* plugin_evidence = NULL;
+    size_t plugin_evidence_size = 0;
+    uint8_t* plugin_endorsements = NULL;
+    size_t plugin_endorsements_size = 0;
+    uint8_t* total_evidence_buf = NULL;
+    size_t total_evidence_size = 0;
+    uint8_t* total_endorsements_buf = NULL;
+    size_t total_endorsements_size = 0;
+
+    if (!format_id || !evidence_buffer || !evidence_buffer_size ||
+        (endorsements_buffer && !endorsements_buffer_size))
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    // Find a plugin for attestation type and run its get_evidence.
+    plugin_node = _find_plugin(attesters, format_id, NULL);
+    if (plugin_node == NULL)
+        OE_RAISE(OE_NOT_FOUND);
+
+    // Now get the evidence and endorsements (if desired).
+    plugin = (oe_attester_t*)plugin_node->plugin;
+    OE_CHECK(plugin->get_evidence(
+        plugin,
+        flags,
+        custom_claims,
+        custom_claims_length,
+        opt_params,
+        opt_params_size,
+        &plugin_evidence,
+        &plugin_evidence_size,
+        endorsements_buffer ? &plugin_endorsements : NULL,
+        endorsements_buffer ? &plugin_endorsements_size : NULL));
+
+    // Wrap the attestation header around the evidence.
+    OE_CHECK(_wrap_with_header(
+        format_id,
+        plugin_evidence,
+        plugin_evidence_size,
+        &total_evidence_buf,
+        &total_evidence_size));
+
+    if (endorsements_buffer)
+    {
+        OE_CHECK(_wrap_with_header(
+            format_id,
+            plugin_endorsements,
+            plugin_endorsements_size,
+            &total_endorsements_buf,
+            &total_endorsements_size));
+    }
+
+    // Finally, set the out parameters.
+    *evidence_buffer = total_evidence_buf;
+    *evidence_buffer_size = total_evidence_size;
+    total_evidence_buf = NULL;
+
+    if (endorsements_buffer)
+    {
+        *endorsements_buffer = total_endorsements_buf;
+        *endorsements_buffer_size = total_endorsements_size;
+        total_endorsements_buf = NULL;
+    }
+
+    result = OE_OK;
+
+done:
+    if (plugin && plugin_evidence)
+    {
+        plugin->free_evidence(plugin, plugin_evidence);
+        if (plugin_endorsements)
+            plugin->free_endorsements(plugin, plugin_endorsements);
+    }
+    if (total_evidence_buf != NULL)
+        oe_free(total_evidence_buf);
+    if (total_endorsements_buf != NULL)
+        oe_free(total_endorsements_buf);
+    return result;
+}
+
+oe_result_t oe_free_evidence(uint8_t* evidence_buffer)
+{
+    oe_free(evidence_buffer);
+    return OE_OK;
+}
+
+oe_result_t oe_free_endorsements(uint8_t* evidence_buffer)
+{
+    oe_free(evidence_buffer);
+    return OE_OK;
+}
+
+static bool _check_claims(const oe_claim_t* claims, size_t claims_length)
+{
+    for (size_t i = 0; i < OE_KNOWN_CLAIMS_COUNT; i++)
+    {
+        bool found = false;
+
+        for (size_t j = 0; j < claims_length && !found; j++)
+        {
+            if (oe_strcmp(OE_KNOWN_CLAIMS[i], claims[j].name) == 0)
+            {
+                found = true;
+            }
+        }
+
+        if (!found)
+            return false;
+    }
+    return true;
+}
+
+oe_result_t oe_verify_evidence(
+    const uint8_t* evidence_buffer,
+    size_t evidence_buffer_size,
+    const uint8_t* endorsements_buffer,
+    size_t endorsements_buffer_size,
+    const oe_policy_t* policies,
+    size_t policies_size,
+    oe_claim_t** claims,
+    size_t* claims_length)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    struct plugin_list_node_t* plugin_node;
+    oe_verifier_t* verifier;
+    oe_attestation_header_t* evidence =
+        (oe_attestation_header_t*)evidence_buffer;
+    oe_attestation_header_t* endorsements =
+        (oe_attestation_header_t*)endorsements_buffer;
+
+    if (!evidence_buffer || evidence_buffer_size < sizeof(*evidence) ||
+        (endorsements_buffer &&
+         endorsements_buffer_size < sizeof(*endorsements)))
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    plugin_node = _find_plugin(verifiers, &evidence->format_id, NULL);
+    if (plugin_node == NULL)
+        OE_RAISE(OE_NOT_FOUND);
+
+    if (endorsements && memcmp(
+                            &evidence->format_id,
+                            &endorsements->format_id,
+                            sizeof(evidence->format_id)) != 0)
+        OE_RAISE(OE_CONSTRAINT_FAILED);
+
+    verifier = (oe_verifier_t*)plugin_node->plugin;
+    OE_CHECK(verifier->verify_evidence(
+        verifier,
+        evidence->data,
+        evidence->data_size,
+        endorsements ? endorsements->data : NULL,
+        endorsements ? endorsements->data_size : 0,
+        policies,
+        policies_size,
+        claims,
+        claims_length));
+
+    if (!_check_claims(*claims, *claims_length))
+    {
+        verifier->free_claims_list(verifier, *claims, *claims_length);
+        *claims = NULL;
+        *claims_length = 0;
+        OE_RAISE(OE_CONSTRAINT_FAILED);
+    }
+
+    result = OE_OK;
+
+done:
+    return result;
+}
+
+static oe_result_t _get_uuid(
+    const oe_claim_t* claims,
+    size_t claims_length,
+    uuid_t* uuid)
+{
+    for (size_t i = 0; i < claims_length; i++)
+    {
+        if (oe_strcmp(claims[i].name, "plugin_uuid") == 0)
+        {
+            if (claims[i].value_size != sizeof(uuid_t))
+                return OE_CONSTRAINT_FAILED;
+
+            *uuid = *((uuid_t*)claims[i].value);
+            return OE_OK;
+        }
+    }
+    return OE_NOT_FOUND;
+}
+
+oe_result_t oe_free_claims_list(oe_claim_t* claims, size_t claims_length)
+{
+    uuid_t uuid;
+    oe_result_t result = OE_UNEXPECTED;
+    struct plugin_list_node_t* plugin_node;
+    oe_verifier_t* verifier;
+
+    if (!claims)
+        return OE_OK;
+
+    OE_CHECK(_get_uuid(claims, claims_length, &uuid));
+
+    plugin_node = _find_plugin(verifiers, &uuid, NULL);
+    if (plugin_node == NULL)
+        OE_RAISE(OE_NOT_FOUND);
+
+    verifier = (oe_verifier_t*)plugin_node->plugin;
+    OE_CHECK(verifier->free_claims_list(verifier, claims, claims_length));
+
+    result = OE_OK;
+
+done:
+    return result;
+}
\ No newline at end of file
diff --git a/common/result.c b/common/result.c
index 83063e7b34..d9c662de00 100644
--- a/common/result.c
+++ b/common/result.c
@@ -126,6 +126,8 @@ const char* oe_result_str(oe_result_t result)
             return "OE_THREAD_CREATE_ERROR";
         case OE_THREAD_JOIN_ERROR:
             return "OE_THREAD_JOIN_ERROR";
+        case OE_ALREADY_EXISTS:
+            return "OE_ALREADY_EXISTS";
         case __OE_RESULT_MAX:
             break;
     }
@@ -192,6 +194,7 @@ bool oe_is_valid_result(uint32_t result)
         case OE_CONTEXT_SWITCHLESS_OCALL_MISSED:
         case OE_THREAD_CREATE_ERROR:
         case OE_THREAD_JOIN_ERROR:
+        case OE_ALREADY_EXISTS:
         {
             return true;
         }
diff --git a/enclave/CMakeLists.txt b/enclave/CMakeLists.txt
index 74791bcf0d..4fd99f91f4 100644
--- a/enclave/CMakeLists.txt
+++ b/enclave/CMakeLists.txt
@@ -26,6 +26,7 @@ elseif(OE_TRUSTZONE)
 endif()
 
 add_library(oeenclave STATIC
+    ../common/attest_plugin.c
     ../common/datetime.c
     asym_keys.c
     link.c
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index 95c3c94cda..e70aac4a0c 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -203,6 +203,7 @@ endif()
 
 # Common host verification files that work on any OS/architecture.
 list(APPEND PLATFORM_HOST_ONLY_SRC
+  ../common/attest_plugin.c
   ../common/datetime.c
   ../common/safecrt.c
   hexdump.c
diff --git a/include/CMakeLists.txt b/include/CMakeLists.txt
index 15e4a6cfcb..fe6317b514 100644
--- a/include/CMakeLists.txt
+++ b/include/CMakeLists.txt
@@ -13,4 +13,5 @@ install(DIRECTORY openenclave/edger8r DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/op
 install(FILES openenclave/enclave.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/openenclave/)
 install(FILES openenclave/host.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/openenclave/)
 install(FILES openenclave/host_verify.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/openenclave/ COMPONENT OEHOSTVERIFY)
+install(FILES openenclave/attestation_plugin.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/openenclave/)
 install(TARGETS oe_includes EXPORT openenclave-targets)
diff --git a/include/openenclave/attestation_plugin.h b/include/openenclave/attestation_plugin.h
new file mode 100644
index 0000000000..6e5ffeb7d0
--- /dev/null
+++ b/include/openenclave/attestation_plugin.h
@@ -0,0 +1,430 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+/**
+ * @file attestation_plugin.h
+ *
+ * This file defines the programming interface for developing an
+ * attestation plugin for supporting alternative evidence formats.
+ *
+ */
+
+#ifndef _OE_ATTESTATION_PLUGIN_H
+#define _OE_ATTESTATION_PLUGIN_H
+
+#include <openenclave/bits/report.h>
+#include <openenclave/bits/result.h>
+#include <openenclave/bits/types.h>
+
+OE_EXTERNC_BEGIN
+
+/**
+ * Struct that defines the base structure of each attestation role plugin.
+ * Each attestation role will have an UUID to indicate what evidence format
+ * is supported and have functions for registering/unregistering the plugin.
+ * Each attestation role will also define the require function for their
+ * specific role (i.e. `get_evidence` for the attester and `verifiy_evidence`
+ * for the verifier).
+ */
+typedef struct _oe_attestation_role oe_attestation_role_t;
+struct _oe_attestation_role
+{
+    /**
+     * The UUID for the attestation role.
+     */
+    uuid_t format_id;
+
+    /**
+     * The function that gets executed when the attestation role is registered.
+     *
+     * @param[in] context A pointer to the attestation role struct.
+     * @param[in] config_data An optional pointer to the configuration data.
+     * @param[in] config_data_size The size in bytes of config_data.
+     * @retval OE_OK on success.
+     * @retval An appropriate error code on failure.
+     */
+    oe_result_t (*on_register)(
+        oe_attestation_role_t* context,
+        const void* config_data,
+        size_t config_data_size);
+
+    /**
+     * The function that gets executed when the attestation role is
+     * unregistered.
+     *
+     * @param[in] context A pointer to the attestation role struct.
+     * @retval OE_OK on success.
+     * @retval An appropriate error code on failure.
+     */
+    oe_result_t (*on_unregister)(oe_attestation_role_t* context);
+};
+
+/**
+ * The attester attestion role. The attester is reponsible for generating the
+ * attestation evidence and must implement the functions below.
+ */
+typedef struct _oe_attester oe_attester_t;
+struct _oe_attester
+{
+    /**
+     * The base attestation role containing the common functions for each role.
+     */
+    oe_attestation_role_t base;
+
+    /**
+     * Generates the attestation evidence, which is defined as the data
+     * produced by the enclave. The caller may pass in custom claims, which
+     * must be attached to the evidence and then cryptographically signed.
+     *
+     * Note that many callers of `get_evidence` will send the results over
+     * the network, so the output must be in a serialized form.
+     *
+     * @param[in] context A pointer to the attester plugin struct.
+     * @param[in] flags Specifying default value (0) generates evidence for
+     * local attestation. Specifying OE_EVIDENCE_FLAGS_REMOTE_ATTESTATION
+     * generates evidence for remote attestation.
+     * @param[in] custom_claims The optional custom claims list.
+     * @param[in] custom_claims_length The number of custom claims.
+     * @param[in] opt_params The optional plugin-specific input parameters.
+     * @param[in] opt_params_size The size of opt_params in bytes.
+     * @param[out] evidence_buffer An output pointer that will be assigned the
+     * address of the evidence buffer.
+     * @param[out] evidence_buffer_size A pointer that points to the size of the
+     * evidence buffer in bytes.
+     * @param[out] endorsements_buffer An output pointer that will be assigned
+     * the address of the endorsements buffer.
+     * @param[out] endorsements_buffer_size A pointer that points to the size of
+     * the endorsements buffer in bytes.
+     * @retval OE_OK on success.
+     * @retval An appropriate error code on failure.
+     */
+    oe_result_t (*get_evidence)(
+        oe_attester_t* context,
+        uint32_t flags,
+        const oe_claim_t* custom_claims,
+        size_t custom_claims_length,
+        const void* opt_params,
+        size_t opt_params_size,
+        uint8_t** evidence_buffer,
+        size_t* evidence_buffer_size,
+        uint8_t** endorsements_buffer,
+        size_t* endorsements_buffer_size);
+
+    /**
+     * Frees the generated attestation evidence and endorsements.
+     *
+     * @param[in] context A pointer to the attester plugin struct.
+     * @param[in] evidence_buffer A pointer to the evidence buffer.
+     * @retval OE_OK on success.
+     * @retval An appropriate error code on failure.
+     */
+    oe_result_t (
+        *free_evidence)(oe_attester_t* context, uint8_t* evidence_buffer);
+
+    /**
+     * Frees the generated attestation endorsements.
+     *
+     * @param[in] context A pointer to the attester plugin struct.
+     * @param[in] endorsements_buffer A pointer to the endorsements buffer.
+     * @retval OE_OK on success.
+     * @retval An appropriate error code on failure.
+     */
+    oe_result_t (*free_endorsements)(
+        oe_attester_t* context,
+        uint8_t* endorsements_buffer);
+};
+
+/**
+ * The verifier attestion role. The verifier is reponsible for verifying the
+ * attestation evidence and must implement the functions below.
+ */
+typedef struct _oe_verifier oe_verifier_t;
+struct _oe_verifier
+{
+    /**
+     * The base attestation role containing the common functions for each role.
+     */
+    oe_attestation_role_t base;
+
+    /**
+     * Verifies the attestation evidence and returns the claims contained in
+     * the evidence.
+     *
+     * Each plugin must return the following required claims:
+     *  - id_version (uint32_t)
+     *      - Version number. Must be 1.
+     *  - security_version (uint32_t)
+     *      - Security version of the enclave. (ISVN for SGX).
+     * - attributes (uint64_t)
+     *      - Attributes flags for the evidence:
+     *          - OE_REPORT_ATTRIBUTES_DEBUG: The evidence is for a debug
+     * enclave.
+     *          - OE_REPORT_ATTRIBUTES_REMOTE: The evidence can be used for
+     * remote attestation.
+     * - unique_id (uint8_t[32])
+     *      - The unique ID for the enclave (MRENCLAVE for SGX).
+     * - signer_id (uint8_t[32])
+     *      - The signer ID for the enclave (MRSIGNER for SGX).
+     * - product_id (uint8_t[32])
+     *      - The product ID for the enclave (ISVPRODID for SGX).
+     * - validity_from (oe_datetime_t)
+     *      - Overall datetime from which the evidence and endorsements are
+     *        valid.
+     * - validity_until (oe_datetime_t)
+     *      - Overall datetime at which the evidence and endorsements expire.
+     * - plugin_uuid (uint8_t[16])
+     *      - The UUID of the plugin used to verify the evidence.
+     *
+     * The plugin is responsible for handling endianness and ensuring that the
+     * data from the raw evidence converted properly for each platform.
+     *
+     * @param[in] context A pointer to the verifier plugin struct.
+     * @param[in] evidence_buffer The evidence buffer.
+     * @param[in] evidence_buffer_size The size of evidence_buffer in bytes.
+     * @param[in] endorsements_buffer The endorsements buffer.
+     * @param[in] endorsements_buffer_size The size of endorsements_buffer in
+     * bytes.
+     * @param[in] policies A list of policies to use.
+     * @param[in] policies_size The size of the policy list.
+     * @param[out] claims The list of returned claims.
+     * @param[out] claims_length The number of claims.
+     * @retval OE_OK on success.
+     * @retval An appropriate error code on failure.
+     */
+    oe_result_t (*verify_evidence)(
+        oe_verifier_t* context,
+        const uint8_t* evidence_buffer,
+        size_t evidence_buffer_size,
+        const uint8_t* endorsements_buffer,
+        size_t endorsements_buffer_size,
+        const oe_policy_t* policies,
+        size_t policies_size,
+        oe_claim_t** claims,
+        size_t* claims_length);
+
+    /**
+     * Frees the generated claims.
+     *
+     * @param[in] context A pointer to the verifier plugin struct.
+     * @param[out] claims The list of returned claims.
+     * @param[out] claims_length The number of claims.
+     * @retval OE_OK on success.
+     * @retval An appropriate error code on failure.
+     */
+    oe_result_t (*free_claims_list)(
+        oe_verifier_t* context,
+        oe_claim_t* claims,
+        size_t claims_length);
+};
+
+/**
+ * oe_register_attester
+ *
+ * Registers a new attester plugin and optionally configures it with plugin
+ * specific configuration data. The function will fail if the plugin UUID has
+ * already been registered.
+ *
+ * This is available in the enclave only.
+ *
+ * @param[in] plugin A pointer to the attestation plugin struct. Note that this
+ * will not copy the contents of the pointer, so the pointer must be kept valid
+ * until the plugin is unregistered.
+ * @param[in] config_data An optional pointer to the configuration data.
+ * @param[in] config_data_size The size in bytes of config_data.
+ * @retval OE_OK The function succeeded.
+ * @retval OE_INVALID_PARAMTER Atleast one of the parameters is invalid.
+ * @retval OE_OUT_OF_MEMORY Out of memory.
+ * @retval OE_ALREADY_EXISTS A plugin with the same UUID is already registered.
+ * @retval Otherwise, returns the error code the plugin's function.
+ */
+oe_result_t oe_register_attester(
+    oe_attester_t* plugin,
+    const void* config_data,
+    size_t config_data_size);
+
+/**
+ * oe_register_verifier
+ *
+ * Registers a new verifier plugin and optionally configures it with plugin
+ * specific configuration data. The function will fail if the plugin UUID has
+ * already been registered.
+ *
+ * This is available in the enclave and host.
+ *
+ * @param[in] plugin A pointer to the attestation plugin struct. Note that this
+ * will not copy the contents of the pointer, so the pointer must be kept valid
+ * until the plugin is unregistered.
+ * @param[in] config_data An optional pointer to the configuration data.
+ * @param[in] config_data_size The size in bytes of config_data.
+ * @retval OE_OK The function succeeded.
+ * @retval OE_INVALID_PARAMTER Atleast one of the parameters is invalid.
+ * @retval OE_OUT_OF_MEMORY Out of memory.
+ * @retval OE_ALREADY_EXISTS A plugin with the same UUID is already registered.
+ * @retval Otherwise, returns the error code the plugin's function.
+ */
+oe_result_t oe_register_verifier(
+    oe_verifier_t* plugin,
+    const void* config_data,
+    size_t config_data_size);
+
+/**
+ * oe_unregister_attester
+ *
+ * Unregisters an attester plugin. This is available in the enclave only.
+ *
+ * @param[in] plugin A pointer to the attestation plugin struct.
+ * @retval OE_OK The function succeeded.
+ * @retval OE_INVALID_PARAMTER Atleast one of the parameters is invalid.
+ * @retval OE_NOT_FOUND The plugin does not exist or has not been registered.
+ * @retval Otherwise, returns the error code the plugin's function.
+ */
+oe_result_t oe_unregister_attester(oe_attester_t* plugin);
+
+/**
+ * oe_unregister_verifier
+ *
+ * Unregisters an verifier plugin. This is available in the enclave and host.
+ *
+ * @param[in] plugin A pointer to the attestation plugin struct.
+ * @retval OE_OK The function succeeded.
+ * @retval OE_INVALID_PARAMTER Atleast one of the parameters is invalid.
+ * @retval OE_NOT_FOUND The plugin does not exist or has not been registered.
+ * @retval Otherwise, returns the error code the plugin's function.
+ */
+oe_result_t oe_unregister_verifier(oe_verifier_t* plugin);
+
+/**
+ * oe_get_evidence
+ *
+ * Generates the attestation evidence for the given UUID attestation format.
+ * This function is only available in the enclave.
+ *
+ * @param[in] evidence_format_uuid The UUID of the plugin.
+ * @param[in] flags Specifying default value (0) generates evidence for local
+ * attestation. Specifying OE_EVIDENCE_FLAGS_REMOTE_ATTESTATION generates
+ * evidence for remote attestation.
+ * @param[in] custom_claims The optional custom claims list.
+ * @param[in] custom_claims_length The number of custom claims.
+ * @param[in] opt_params The optional plugin-specific input parameters.
+ * @param[in] opt_params_size The size of opt_params in bytes.
+ * @param[out] evidence_buffer An output pointer that will be assigned the
+ * address of the evidence buffer.
+ * @param[out] evidence_buffer_size A pointer that points to the size of the
+ * evidence buffer in bytes.
+ * @param[out] endorsements_buffer An output pointer that will be assigned the
+ * address of the endorsements buffer.
+ * @param[out] endorsements_buffer_size A pointer that points to the size of the
+ * endorsements buffer in bytes.
+ * @retval OE_OK The function succeeded.
+ * @retval OE_INVALID_PARAMTER Atleast one of the parameters is invalid.
+ * @retval OE_NOT_FOUND The plugin does not exist or has not been registered.
+ * @retval Otherwise, returns the error code the plugin's function.
+ */
+oe_result_t oe_get_evidence(
+    const uuid_t* evidence_format_uuid,
+    uint32_t flags,
+    const oe_claim_t* custom_claims,
+    size_t custom_claims_length,
+    const void* opt_params,
+    size_t opt_params_size,
+    uint8_t** evidence_buffer,
+    size_t* evidence_buffer_size,
+    uint8_t** endorsements_buffer,
+    size_t* endorsements_buffer_size);
+
+/**
+ * oe_free_evidence
+ *
+ * Frees the attestation evidence. This function is only available in the
+ * enclave.
+ *
+ * @param[in] evidence_buffer A pointer to the evidence buffer.
+ * @retval OE_OK The function succeeded.
+ * @retval Otherwise, returns the error code the plugin's function.
+ */
+oe_result_t oe_free_evidence(uint8_t* evidence_buffer);
+
+/**
+ * oe_free_endorsements
+ *
+ * Frees the generated attestation endorsements. This function is only available
+ * in the enclave.
+ *
+ * @param[in] endorsements_buffer A pointer to the endorsements buffer.
+ * @retval OE_OK The function succeeded.
+ * @retval Otherwise, returns the error code the plugin's function.
+ */
+oe_result_t oe_free_endorsements(uint8_t* endorsements_buffer);
+
+/**
+ * oe_verify_evidence
+ *
+ * Verifies the attestation evidence and returns well known and custom claims.
+ * This is available in the enclave and host.
+ *
+ * The following claims will be returned at the minimum:
+ *
+ *  - id_version (uint32_t)
+ *      - Version number. Must be 1.
+ *  - security_version (uint32_t)
+ *      - Security version of the enclave. (ISVN for SGX).
+ * - attributes (uint64_t)
+ *      - Attributes flags for the evidence:
+ *          - OE_REPORT_ATTRIBUTES_DEBUG: The evidence is for a debug enclave.
+ *          - OE_REPORT_ATTRIBUTES_REMOTE: The evidence can be used for remote
+ * attestation.
+ * - unique_id (uint8_t[32])
+ *      - The unique ID for the enclave (MRENCLAVE for SGX).
+ * - signer_id (uint8_t[32])
+ *      - The signer ID for the enclave (MRSIGNER for SGX).
+ * - product_id (uint8_t[32])
+ *      - The product ID for the enclave (ISVPRODID for SGX).
+ * - validity_from (oe_datetime_t, optional)
+ *      - Overall datetime from which the evidence and endorsements are valid.
+ * - validity_until (oe_datetime_t, optional)
+ *      - Overall datetime at which the evidence and endorsements expire.
+ * - plugin_uuid (uint8_t[16])
+ *      - The UUID of the plugin used to verify the evidence.
+ *
+ * @param[in] evidence_buffer The evidence buffer.
+ * @param[in] evidence_buffer_size The size of evidence_buffer in bytes.
+ * @param[in] endorsements_buffer The optional endorsements buffer.
+ * @param[in] endorsements_buffer_size The size of endorsements_buffer in bytes.
+ * @param[in] policies An optional list of policies to use.
+ * @param[in] policies_size The size of the policy list.
+ * @param[out] claims The list of claims.
+ * @param[out] claims_length The length of the claims list.
+ * @retval OE_OK The function succeeded.
+ * @retval OE_INVALID_PARAMTER Atleast one of the parameters is invalid.
+ * @retval OE_NOT_FOUND The plugin does not exist or has not been registered.
+ * @retval OE_CONSTRAINT_FAILED The UUIDs of the evidence and endorsements
+ * differ.
+ * @retval Otherwise, returns the error code the plugin's function.
+ */
+oe_result_t oe_verify_evidence(
+    const uint8_t* evidence_buffer,
+    size_t evidence_buffer_size,
+    const uint8_t* endorsements_buffer,
+    size_t endorsements_buffer_size,
+    const oe_policy_t* policies,
+    size_t policies_size,
+    oe_claim_t** claims,
+    size_t* claims_length);
+
+/**
+ * oe_free_claims_list
+ *
+ * Frees a claims list.
+ *
+ * @param[in] claims The list of claims.
+ * @param[in] claims_length The length of the claims list.
+ * @retval OE_OK The function succeeded.
+ * @retval OE_NOT_FOUND The plugin that generated the claims does not exist or
+ * has not been registered, so the claims can't be freed.
+ * @retval Otherwise, returns the error code the plugin's function.
+ */
+oe_result_t oe_free_claims_list(oe_claim_t* claims, size_t claims_length);
+
+OE_EXTERNC_END
+
+#endif /* _OE_ATTESTATION_PLUGIN_H */
diff --git a/include/openenclave/bits/report.h b/include/openenclave/bits/report.h
index cc33063c42..df3bbf2da2 100644
--- a/include/openenclave/bits/report.h
+++ b/include/openenclave/bits/report.h
@@ -136,6 +136,84 @@ typedef struct _oe_report
 } oe_report_t;
 /**< typedef struct _oe_report oe_report_t*/
 
+/**
+ * The size of a UUID in bytes.
+ */
+#define UUID_SIZE 16
+
+/**
+ * Struct containing the definition for an UUID.
+ */
+typedef struct
+{
+    uint8_t b[UUID_SIZE];
+} uuid_t;
+
+/**
+ * Claims struct used for claims parameters for the attestation plugins.
+ */
+typedef struct _oe_claim
+{
+    char* name;
+    uint8_t* value;
+    size_t value_size;
+} oe_claim_t;
+
+/**
+ * Claims that are known to OE that every attestation plugin should output.
+ */
+#define OE_CLAIM_ID_VERSION "id_version"
+#define OE_CLAIM_SECURITY_VERSION "security_version"
+#define OE_CLAIM_ATTRIBUTES "attributes"
+#define OE_CLAIM_UNIQUE_ID "unique_id"
+#define OE_CLAIM_SIGNER_ID "signer_id"
+#define OE_CLAIM_PRODUCT_ID "product_id"
+#define OE_CLAIM_PLUGIN_UUID "plugin_uuid"
+#define OE_REQUIRED_CLAIMS_COUNT 7
+static const char* OE_REQUIRED_CLAIMS[OE_REQUIRED_CLAIMS_COUNT] = {
+    OE_CLAIM_ID_VERSION,
+    OE_CLAIM_SECURITY_VERSION,
+    OE_CLAIM_ATTRIBUTES,
+    OE_CLAIM_UNIQUE_ID,
+    OE_CLAIM_SIGNER_ID,
+    OE_CLAIM_PRODUCT_ID,
+    OE_CLAIM_PLUGIN_UUID};
+
+/**
+ * Additional optional claims that are known to OE that plugins can output.
+ */
+#define OE_CLAIM_VALIDITY_FROM "validity_from"
+#define OE_CLAIM_VALIDITY_UNTIL "validity_until"
+#define OE_OPTIONAL_CLAIMS_COUNT 2
+static const char* OE_OPTIONAL_CLAIMS[OE_OPTIONAL_CLAIMS_COUNT] = {
+    OE_CLAIM_VALIDITY_FROM,
+    OE_CLAIM_VALIDITY_UNTIL};
+
+/**
+ * Supported policies for validation by the verifier attestation plugin.
+ * Only time is supported for now.
+ */
+typedef enum _oe_policy_type
+{
+    /**
+     * Enforces that time fields in the endorsements will be checked in
+     * with the given time rather than the endorsement creation time.
+     *
+     * The policy will be in the form of `oe_datetime_t`.
+     */
+    OE_POLICY_ENDORSEMENTS_TIME = 1
+} oe_policy_type_t;
+
+/**
+ * Generic struct for defining policy for the attestation plugins.
+ */
+typedef struct _oe_policy
+{
+    oe_policy_type_t type;
+    void* policy;
+    size_t policy_size;
+} oe_policy_t;
+
 OE_EXTERNC_END
 
 #endif /* _OE_BITS_REPORT_H */
diff --git a/include/openenclave/bits/result.h b/include/openenclave/bits/result.h
index 89ced3b075..514228e984 100644
--- a/include/openenclave/bits/result.h
+++ b/include/openenclave/bits/result.h
@@ -334,6 +334,11 @@ typedef enum _oe_result
      */
     OE_THREAD_JOIN_ERROR,
 
+    /**
+     * The desired resource already exists.
+     */
+    OE_ALREADY_EXISTS,
+
     __OE_RESULT_MAX = OE_ENUM_MAX,
 } oe_result_t;
 /**< typedef enum _oe_result oe_result_t*/
diff --git a/include/openenclave/internal/report.h b/include/openenclave/internal/report.h
index b1a1a87038..281e7fadfc 100644
--- a/include/openenclave/internal/report.h
+++ b/include/openenclave/internal/report.h
@@ -138,6 +138,10 @@ OE_STATIC_ASSERT(
     }
 #define X509_OID_FOR_QUOTE_STRING "1.2.840.113556.10.1.1"
 
+// For old OE reports.
 #define OE_REPORT_HEADER_VERSION (1)
 
+// For attestation plugin reports.
+#define OE_ATTESTATION_HEADER_VERSION (2)
+
 #endif //_OE_INCLUDE_REPORT_H_

From 04882537aa355a5b2fae14c3d8598ad020a0c9a9 Mon Sep 17 00:00:00 2001
From: Akash Gupta <akagup@microsoft.com>
Date: Wed, 6 Nov 2019 14:30:59 +0000
Subject: [PATCH 294/420] Added tests for plugin implementation.

Signed-off-by: Akash Gupta <akagup@microsoft.com>
---
 common/attest_plugin.c                        |   6 +-
 tests/CMakeLists.txt                          |   1 +
 tests/attestation_plugin/CMakeLists.txt       |  10 +
 tests/attestation_plugin/enc/CMakeLists.txt   |  11 +
 tests/attestation_plugin/enc/enc.c            |  21 ++
 tests/attestation_plugin/host/CMakeLists.txt  |  11 +
 tests/attestation_plugin/host/host.c          |  37 +++
 tests/attestation_plugin/plugin.edl           |   8 +
 .../attestation_plugin/plugin/mock_attester.h | 239 +++++++++++++++
 tests/attestation_plugin/plugin/tests.c       | 284 ++++++++++++++++++
 tests/attestation_plugin/plugin/tests.h       |   9 +
 11 files changed, 634 insertions(+), 3 deletions(-)
 create mode 100644 tests/attestation_plugin/CMakeLists.txt
 create mode 100644 tests/attestation_plugin/enc/CMakeLists.txt
 create mode 100644 tests/attestation_plugin/enc/enc.c
 create mode 100644 tests/attestation_plugin/host/CMakeLists.txt
 create mode 100644 tests/attestation_plugin/host/host.c
 create mode 100644 tests/attestation_plugin/plugin.edl
 create mode 100644 tests/attestation_plugin/plugin/mock_attester.h
 create mode 100644 tests/attestation_plugin/plugin/tests.c
 create mode 100644 tests/attestation_plugin/plugin/tests.h

diff --git a/common/attest_plugin.c b/common/attest_plugin.c
index b87bc42d4e..39dfa75d6b 100644
--- a/common/attest_plugin.c
+++ b/common/attest_plugin.c
@@ -323,13 +323,13 @@ oe_result_t oe_free_endorsements(uint8_t* evidence_buffer)
 
 static bool _check_claims(const oe_claim_t* claims, size_t claims_length)
 {
-    for (size_t i = 0; i < OE_KNOWN_CLAIMS_COUNT; i++)
+    for (size_t i = 0; i < OE_REQUIRED_CLAIMS_COUNT; i++)
     {
         bool found = false;
 
         for (size_t j = 0; j < claims_length && !found; j++)
         {
-            if (oe_strcmp(OE_KNOWN_CLAIMS[i], claims[j].name) == 0)
+            if (oe_strcmp(OE_REQUIRED_CLAIMS[i], claims[j].name) == 0)
             {
                 found = true;
             }
@@ -407,7 +407,7 @@ static oe_result_t _get_uuid(
 {
     for (size_t i = 0; i < claims_length; i++)
     {
-        if (oe_strcmp(claims[i].name, "plugin_uuid") == 0)
+        if (oe_strcmp(claims[i].name, OE_CLAIM_PLUGIN_UUID) == 0)
         {
             if (claims[i].value_size != sizeof(uuid_t))
                 return OE_CONSTRAINT_FAILED;
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 841fd0d871..e15ad09d1c 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -69,6 +69,7 @@ if (UNIX OR ADD_WINDOWS_ENCLAVE_TESTS OR USE_CLANGW)
         add_subdirectory(VectorException)
     endif()
 
+add_subdirectory(attestation_plugin)
 add_subdirectory(create-errors)
 add_subdirectory(crypto)
 add_subdirectory(hexdump)
diff --git a/tests/attestation_plugin/CMakeLists.txt b/tests/attestation_plugin/CMakeLists.txt
new file mode 100644
index 0000000000..c5a952743a
--- /dev/null
+++ b/tests/attestation_plugin/CMakeLists.txt
@@ -0,0 +1,10 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+add_subdirectory(host)
+
+if (BUILD_ENCLAVES)
+    add_subdirectory(enc)
+endif()
+
+add_enclave_test(tests/attestation_plugin plugin_host plugin_enc)
\ No newline at end of file
diff --git a/tests/attestation_plugin/enc/CMakeLists.txt b/tests/attestation_plugin/enc/CMakeLists.txt
new file mode 100644
index 0000000000..445654d9f6
--- /dev/null
+++ b/tests/attestation_plugin/enc/CMakeLists.txt
@@ -0,0 +1,11 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+include(oeedl_file)
+
+oeedl_file(../plugin.edl enclave gen)
+
+add_enclave(TARGET plugin_enc UUID 0ed4cfa8-3d98-4ef6-a8e6-b3120517ccac SOURCES enc.c ../plugin/tests.c ${gen})
+
+target_include_directories(plugin_enc PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+target_link_libraries(plugin_enc oeenclave oelibc)
diff --git a/tests/attestation_plugin/enc/enc.c b/tests/attestation_plugin/enc/enc.c
new file mode 100644
index 0000000000..58c5188f8c
--- /dev/null
+++ b/tests/attestation_plugin/enc/enc.c
@@ -0,0 +1,21 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <openenclave/enclave.h>
+#include <openenclave/internal/tests.h>
+
+#include "../plugin/tests.h"
+#include "plugin_t.h"
+
+void run_test()
+{
+    test_run_all();
+}
+
+OE_SET_ENCLAVE_SGX(
+    1,    /* ProductID */
+    1,    /* SecurityVersion */
+    true, /* AllowDebug */
+    128,  /* HeapPageCount */
+    128,  /* StackPageCount */
+    1);   /* TCSCount */
diff --git a/tests/attestation_plugin/host/CMakeLists.txt b/tests/attestation_plugin/host/CMakeLists.txt
new file mode 100644
index 0000000000..e2bf56f776
--- /dev/null
+++ b/tests/attestation_plugin/host/CMakeLists.txt
@@ -0,0 +1,11 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+include(oeedl_file)
+
+oeedl_file(../plugin.edl host gen)
+
+add_executable(plugin_host host.c ../plugin/tests.c ${gen})
+
+target_include_directories(plugin_host PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+target_link_libraries(plugin_host oehostapp)
\ No newline at end of file
diff --git a/tests/attestation_plugin/host/host.c b/tests/attestation_plugin/host/host.c
new file mode 100644
index 0000000000..cc62892e80
--- /dev/null
+++ b/tests/attestation_plugin/host/host.c
@@ -0,0 +1,37 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <openenclave/host.h>
+#include <openenclave/internal/tests.h>
+#include <stdio.h>
+
+#include "../plugin/tests.h"
+#include "plugin_u.h"
+
+int main(int argc, const char* argv[])
+{
+    oe_result_t result;
+    oe_enclave_t* enclave = NULL;
+
+    if (argc != 2)
+    {
+        fprintf(stderr, "Usage: %s ENCLAVE\n", argv[0]);
+        exit(1);
+    }
+
+    // Run test on the enclave.
+    const uint32_t flags = oe_get_create_flags();
+
+    result = oe_create_plugin_enclave(
+        argv[1], OE_ENCLAVE_TYPE_AUTO, flags, NULL, 0, &enclave);
+    OE_TEST(result == OE_OK);
+
+    run_test(enclave);
+
+    OE_TEST(oe_terminate_enclave(enclave) == OE_OK);
+
+    // Run test on the host.
+    test_run_all();
+
+    return 0;
+}
diff --git a/tests/attestation_plugin/plugin.edl b/tests/attestation_plugin/plugin.edl
new file mode 100644
index 0000000000..57980a66e6
--- /dev/null
+++ b/tests/attestation_plugin/plugin.edl
@@ -0,0 +1,8 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+enclave {
+    trusted {
+        public void run_test();
+    };
+};
diff --git a/tests/attestation_plugin/plugin/mock_attester.h b/tests/attestation_plugin/plugin/mock_attester.h
new file mode 100644
index 0000000000..4c94f345f6
--- /dev/null
+++ b/tests/attestation_plugin/plugin/mock_attester.h
@@ -0,0 +1,239 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#ifndef _OE_MOCK_ATTESTER_H
+#define _OE_MOCK_ATTESTER_H
+
+#include <openenclave/attestation_plugin.h>
+#include <string.h>
+
+#define MOCK_EVIDENCE "123"
+#define MOCK_ENDORSEMENTS "456"
+
+#define OE_MOCK_ATTESTER_UUID1                                            \
+    {                                                                     \
+        0x17, 0x04, 0x94, 0xa6, 0xab, 0x23, 0x47, 0x98, 0x8c, 0x38, 0x35, \
+            0x1c, 0xb0, 0xb6, 0xaf, 0x09                                  \
+    }
+
+#define OE_MOCK_ATTESTER_UUID2                                            \
+    {                                                                     \
+        0x15, 0x6a, 0x29, 0x71, 0x27, 0xee, 0x41, 0xf1, 0x9b, 0x90, 0xff, \
+            0xc7, 0xc6, 0x52, 0x68, 0xf1                                  \
+    }
+
+static inline oe_result_t mock_attester_register(
+    oe_attestation_role_t* context,
+    const void* config_data,
+    size_t config_data_size)
+{
+    OE_UNUSED(context);
+    OE_UNUSED(config_data);
+    OE_UNUSED(config_data_size);
+    return OE_OK;
+}
+
+static inline oe_result_t mock_attester_unregister(
+    oe_attestation_role_t* context)
+{
+    OE_UNUSED(context);
+    return OE_OK;
+}
+
+static inline oe_result_t mock_get_evidence(
+    oe_attester_t* context,
+    uint32_t flags,
+    const oe_claim_t* custom_claims,
+    size_t custom_claims_length,
+    const void* opt_params,
+    size_t opt_params_size,
+    uint8_t** evidence_buffer,
+    size_t* evidence_buffer_size,
+    uint8_t** endorsements_buffer,
+    size_t* endorsements_buffer_size)
+{
+    OE_UNUSED(context);
+    OE_UNUSED(flags);
+    OE_UNUSED(custom_claims);
+    OE_UNUSED(custom_claims_length);
+    OE_UNUSED(opt_params);
+    OE_UNUSED(opt_params_size);
+    *evidence_buffer = (uint8_t*)MOCK_EVIDENCE;
+    *evidence_buffer_size = sizeof(MOCK_EVIDENCE);
+    if (endorsements_buffer)
+    {
+        *endorsements_buffer = (uint8_t*)MOCK_ENDORSEMENTS;
+        *endorsements_buffer_size = sizeof(MOCK_ENDORSEMENTS);
+    }
+    return OE_OK;
+}
+
+static inline oe_result_t mock_free_evidence(
+    oe_attester_t* context,
+    uint8_t* evidence_buffer)
+{
+    OE_UNUSED(context);
+    OE_UNUSED(evidence_buffer);
+    return OE_OK;
+}
+
+static inline oe_result_t mock_free_endorsements(
+    oe_attester_t* context,
+    uint8_t* endorsements_buffer)
+{
+    OE_UNUSED(context);
+    OE_UNUSED(endorsements_buffer);
+    return OE_OK;
+}
+
+static inline oe_result_t mock_verify_evidence(
+    oe_verifier_t* context,
+    const uint8_t* evidence_buffer,
+    size_t evidence_buffer_size,
+    const uint8_t* endorsements_buffer,
+    size_t endorsements_buffer_size,
+    const oe_policy_t* policies,
+    size_t policies_size,
+    oe_claim_t** claims,
+    size_t* claims_length)
+{
+    OE_UNUSED(context);
+    OE_UNUSED(policies);
+    OE_UNUSED(policies_size);
+
+    if (evidence_buffer_size != sizeof(MOCK_EVIDENCE))
+        return OE_VERIFY_FAILED;
+
+    if (strcmp(MOCK_EVIDENCE, (const char*)evidence_buffer) != 0)
+        return OE_VERIFY_FAILED;
+
+    if (endorsements_buffer)
+    {
+        if (endorsements_buffer_size != sizeof(MOCK_ENDORSEMENTS))
+            return OE_VERIFY_FAILED;
+
+        if (strcmp(MOCK_ENDORSEMENTS, (const char*)endorsements_buffer) != 0)
+            return OE_VERIFY_FAILED;
+    }
+
+    *claims = (oe_claim_t*)malloc(OE_KNOWN_CLAIMS_COUNT * sizeof(oe_claim_t));
+    if (*claims == NULL)
+        return OE_OUT_OF_MEMORY;
+
+    for (int i = 0; i < OE_KNOWN_CLAIMS_COUNT; i++)
+    {
+        (*claims)[i].name = (char*)(OE_KNOWN_CLAIMS[i]);
+        if (strcmp(OE_KNOWN_CLAIMS[i], "plugin_uuid") == 0)
+        {
+            (*claims)[i].value = (uint8_t*)&context->base.format_id;
+            (*claims)[i].value_size = sizeof(uuid_t);
+        }
+    }
+    *claims_length = OE_KNOWN_CLAIMS_COUNT;
+
+    return OE_OK;
+}
+
+static inline oe_result_t mock_verify_evidence_bad(
+    oe_verifier_t* context,
+    const uint8_t* evidence_buffer,
+    size_t evidence_buffer_size,
+    const uint8_t* endorsements_buffer,
+    size_t endorsements_buffer_size,
+    const oe_policy_t* policies,
+    size_t policies_size,
+    oe_claim_t** claims,
+    size_t* claims_length)
+{
+    OE_UNUSED(context);
+    OE_UNUSED(evidence_buffer);
+    OE_UNUSED(evidence_buffer_size);
+    OE_UNUSED(endorsements_buffer);
+    OE_UNUSED(endorsements_buffer_size);
+    OE_UNUSED(policies);
+    OE_UNUSED(policies_size);
+
+    *claims =
+        (oe_claim_t*)malloc((OE_KNOWN_CLAIMS_COUNT - 1) * sizeof(oe_claim_t));
+    if (*claims == NULL)
+        return OE_OUT_OF_MEMORY;
+
+    for (int i = 0; i < OE_KNOWN_CLAIMS_COUNT - 1; i++)
+    {
+        (*claims)[i].name = (char*)(OE_KNOWN_CLAIMS[i]);
+        if (strcmp(OE_KNOWN_CLAIMS[i], "plugin_uuid") == 0)
+        {
+            (*claims)[i].value = (uint8_t*)&context->base.format_id;
+            (*claims)[i].value_size = sizeof(uuid_t);
+        }
+    }
+    *claims_length = OE_KNOWN_CLAIMS_COUNT - 1;
+
+    return OE_OK;
+}
+
+static inline oe_result_t mock_free_claims_list(
+    oe_verifier_t* context,
+    oe_claim_t* claims,
+    size_t claims_length)
+{
+    OE_UNUSED(context);
+    OE_UNUSED(claims);
+    OE_UNUSED(claims_length);
+    return OE_OK;
+}
+
+static oe_attester_t mock_attester1 = {
+    .base =
+        {
+            .format_id = OE_MOCK_ATTESTER_UUID1,
+            .on_register = &mock_attester_register,
+            .on_unregister = &mock_attester_unregister,
+        },
+    .get_evidence = &mock_get_evidence,
+    .free_evidence = &mock_free_evidence,
+    .free_endorsements = &mock_free_endorsements};
+
+static oe_verifier_t mock_verifier1 = {
+    .base =
+        {
+            .format_id = OE_MOCK_ATTESTER_UUID1,
+            .on_register = &mock_attester_register,
+            .on_unregister = &mock_attester_unregister,
+        },
+    .verify_evidence = &mock_verify_evidence,
+    .free_claims_list = &mock_free_claims_list};
+
+// Same implementation but different UUID.
+static oe_attester_t mock_attester2 = {
+    .base =
+        {
+            .format_id = OE_MOCK_ATTESTER_UUID2,
+            .on_register = &mock_attester_register,
+            .on_unregister = &mock_attester_unregister,
+        },
+    .get_evidence = &mock_get_evidence,
+    .free_evidence = &mock_free_evidence,
+    .free_endorsements = &mock_free_endorsements};
+
+static oe_verifier_t mock_verifier2 = {
+    .base =
+        {
+            .format_id = OE_MOCK_ATTESTER_UUID2,
+            .on_register = &mock_attester_register,
+            .on_unregister = &mock_attester_unregister,
+        },
+    .verify_evidence = &mock_verify_evidence,
+    .free_claims_list = &mock_free_claims_list};
+
+static oe_verifier_t bad_verifier = {
+    .base =
+        {
+            .format_id = OE_MOCK_ATTESTER_UUID1,
+            .on_register = &mock_attester_register,
+            .on_unregister = &mock_attester_unregister,
+        },
+    .verify_evidence = &mock_verify_evidence_bad,
+    .free_claims_list = &mock_free_claims_list};
+
+#endif /* _OE_MOCK_ATTESTER_H */
\ No newline at end of file
diff --git a/tests/attestation_plugin/plugin/tests.c b/tests/attestation_plugin/plugin/tests.c
new file mode 100644
index 0000000000..3ba0a6a8f6
--- /dev/null
+++ b/tests/attestation_plugin/plugin/tests.c
@@ -0,0 +1,284 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#ifdef OE_BUILD_ENCLAVE
+#include <openenclave/enclave.h>
+#else
+#include <openenclave/host.h>
+#endif
+
+#include <openenclave/attestation_plugin.h>
+#include <openenclave/internal/error.h>
+#include <openenclave/internal/raise.h>
+#include <openenclave/internal/tests.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mock_attester.h"
+#include "tests.h"
+
+static bool _check_claims(const oe_claim_t* claims, size_t claims_length)
+{
+    for (size_t i = 0; i < OE_KNOWN_CLAIMS_COUNT; i++)
+    {
+        bool found = false;
+
+        for (size_t j = 0; j < claims_length && !found; j++)
+        {
+            if (strcmp(OE_KNOWN_CLAIMS[i], claims[j].name) == 0)
+            {
+                found = true;
+            }
+        }
+
+        if (!found)
+            return false;
+    }
+    return true;
+}
+
+static void _test_and_register_attester()
+{
+    OE_TEST(oe_register_attester(&mock_attester1, NULL, 0) == OE_OK);
+    OE_TEST(
+        oe_register_attester(&mock_attester1, NULL, 0) == OE_ALREADY_EXISTS);
+    OE_TEST(oe_register_attester(&mock_attester2, NULL, 0) == OE_OK);
+    OE_TEST(
+        oe_register_attester(&mock_attester1, NULL, 0) == OE_ALREADY_EXISTS);
+    OE_TEST(
+        oe_register_attester(&mock_attester2, NULL, 0) == OE_ALREADY_EXISTS);
+}
+
+static void _test_and_register_verifier()
+{
+    OE_TEST(oe_register_verifier(&mock_verifier1, NULL, 0) == OE_OK);
+    OE_TEST(
+        oe_register_verifier(&mock_verifier1, NULL, 0) == OE_ALREADY_EXISTS);
+    OE_TEST(oe_register_verifier(&mock_verifier2, NULL, 0) == OE_OK);
+    OE_TEST(
+        oe_register_verifier(&mock_verifier1, NULL, 0) == OE_ALREADY_EXISTS);
+    OE_TEST(
+        oe_register_verifier(&mock_verifier2, NULL, 0) == OE_ALREADY_EXISTS);
+}
+
+static void _test_and_unregister_attester()
+{
+    OE_TEST(oe_unregister_attester(&mock_attester1) == OE_OK);
+    OE_TEST(oe_unregister_attester(&mock_attester1) == OE_NOT_FOUND);
+    OE_TEST(oe_unregister_attester(&mock_attester2) == OE_OK);
+    OE_TEST(oe_unregister_attester(&mock_attester1) == OE_NOT_FOUND);
+    OE_TEST(oe_unregister_attester(&mock_attester2) == OE_NOT_FOUND);
+}
+
+static void _test_and_unregister_verifier()
+{
+    OE_TEST(oe_unregister_verifier(&mock_verifier1) == OE_OK);
+    OE_TEST(oe_unregister_verifier(&mock_verifier1) == OE_NOT_FOUND);
+    OE_TEST(oe_unregister_verifier(&mock_verifier2) == OE_OK);
+    OE_TEST(oe_unregister_verifier(&mock_verifier1) == OE_NOT_FOUND);
+    OE_TEST(oe_unregister_verifier(&mock_verifier2) == OE_NOT_FOUND);
+}
+
+static void _test_evidence_success(
+    const uuid_t* format_id,
+    bool use_endorsements)
+{
+    uint8_t* evidence = NULL;
+    size_t evidence_size = 0;
+    uint8_t* endorsements = NULL;
+    size_t endorsements_size = 0;
+    oe_claim_t* claims = NULL;
+    size_t claims_length = 0;
+
+    OE_TEST(
+        oe_get_evidence(
+            format_id,
+            0,
+            NULL,
+            0,
+            NULL,
+            0,
+            &evidence,
+            &evidence_size,
+            use_endorsements ? &endorsements : NULL,
+            use_endorsements ? &endorsements_size : NULL) == OE_OK);
+
+    OE_TEST(
+        oe_verify_evidence(
+            evidence,
+            evidence_size,
+            endorsements,
+            endorsements_size,
+            NULL,
+            0,
+            &claims,
+            &claims_length) == OE_OK);
+
+    OE_TEST(_check_claims(claims, claims_length));
+
+    OE_TEST(oe_free_evidence(evidence) == OE_OK);
+    OE_TEST(oe_free_endorsements(endorsements) == OE_OK);
+    OE_TEST(oe_free_claims_list(claims, claims_length) == OE_OK);
+}
+
+static void _test_get_evidence_fail()
+{
+    uint8_t* evidence;
+    size_t evidence_size;
+
+    // Test get_evidence when plugin is unregistered.
+    OE_TEST(oe_unregister_attester(&mock_attester1) == OE_OK);
+
+    OE_TEST(
+        oe_get_evidence(
+            &mock_attester1.base.format_id,
+            0,
+            NULL,
+            0,
+            NULL,
+            0,
+            &evidence,
+            &evidence_size,
+            NULL,
+            NULL) == OE_NOT_FOUND);
+
+    OE_TEST(oe_register_attester(&mock_attester1, NULL, 0) == OE_OK);
+}
+
+static void _test_verify_evidence_fail()
+{
+    uint8_t* evidence;
+    size_t evidence_size;
+    uint8_t* endorsements;
+    size_t endorsements_size;
+    oe_claim_t* claims;
+    size_t claims_length;
+
+    OE_TEST(
+        oe_get_evidence(
+            &mock_attester1.base.format_id,
+            0,
+            NULL,
+            0,
+            NULL,
+            0,
+            &evidence,
+            &evidence_size,
+            &endorsements,
+            &endorsements_size) == OE_OK);
+
+    // Test verify_evidence with wrong sizes
+    OE_TEST(
+        oe_verify_evidence(
+            evidence,
+            0,
+            endorsements,
+            endorsements_size,
+            NULL,
+            0,
+            &claims,
+            &claims_length) == OE_INVALID_PARAMETER);
+
+    OE_TEST(
+        oe_verify_evidence(
+            evidence,
+            evidence_size,
+            endorsements,
+            0,
+            NULL,
+            0,
+            &claims,
+            &claims_length) == OE_INVALID_PARAMETER);
+
+    // Test verify evidence when plugin is unregistered
+    OE_TEST(oe_unregister_verifier(&mock_verifier1) == OE_OK);
+    OE_TEST(
+        oe_verify_evidence(
+            evidence,
+            evidence_size,
+            endorsements,
+            endorsements_size,
+            NULL,
+            0,
+            &claims,
+            &claims_length) == OE_NOT_FOUND);
+    OE_TEST(oe_register_verifier(&mock_verifier1, NULL, 0) == OE_OK);
+
+    // Test verify when evidence / endorsement id don't match
+    uint8_t* evidence2;
+    size_t evidence2_size;
+    uint8_t* endorsements2;
+    size_t endorsements2_size;
+    oe_claim_t* claims2;
+    size_t claims2_length;
+
+    OE_TEST(
+        oe_get_evidence(
+            &mock_attester2.base.format_id,
+            0,
+            NULL,
+            0,
+            NULL,
+            0,
+            &evidence2,
+            &evidence2_size,
+            &endorsements2,
+            &endorsements2_size) == OE_OK);
+
+    OE_TEST(
+        oe_verify_evidence(
+            evidence2,
+            evidence2_size,
+            endorsements,
+            endorsements_size,
+            NULL,
+            0,
+            &claims2,
+            &claims2_length) == OE_CONSTRAINT_FAILED);
+
+    OE_TEST(oe_free_evidence(evidence2) == OE_OK);
+    OE_TEST(oe_free_endorsements(endorsements2) == OE_OK);
+
+    // Test faulty verifier when they don't have the right claims.
+    OE_TEST(oe_unregister_verifier(&mock_verifier1) == OE_OK);
+    OE_TEST(oe_register_verifier(&bad_verifier, NULL, 0) == OE_OK);
+
+    OE_TEST(
+        oe_verify_evidence(
+            evidence,
+            evidence_size,
+            endorsements,
+            endorsements_size,
+            NULL,
+            0,
+            &claims,
+            &claims_length) == OE_CONSTRAINT_FAILED);
+
+    OE_TEST(oe_unregister_verifier(&bad_verifier) == OE_OK);
+    OE_TEST(oe_register_verifier(&mock_verifier1, NULL, 0) == OE_OK);
+    OE_TEST(oe_free_evidence(evidence) == OE_OK);
+    OE_TEST(oe_free_endorsements(endorsements) == OE_OK);
+}
+
+void test_run_all()
+{
+    // Test register functions.
+    _test_and_register_attester();
+    _test_and_register_verifier();
+
+    // Test get evidence + verify evidence with the proper claims.
+    // Should work with and without endorsements.
+    _test_evidence_success(&mock_attester1.base.format_id, true);
+    _test_evidence_success(&mock_attester2.base.format_id, true);
+    _test_evidence_success(&mock_attester1.base.format_id, false);
+    _test_evidence_success(&mock_attester2.base.format_id, false);
+
+    // Test failures.
+    _test_get_evidence_fail();
+    _test_verify_evidence_fail();
+
+    // Test unregister functions
+    _test_and_unregister_attester();
+    _test_and_unregister_verifier();
+}
\ No newline at end of file
diff --git a/tests/attestation_plugin/plugin/tests.h b/tests/attestation_plugin/plugin/tests.h
new file mode 100644
index 0000000000..c701190f17
--- /dev/null
+++ b/tests/attestation_plugin/plugin/tests.h
@@ -0,0 +1,9 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#ifndef _OE_ATTESTATION_PLUGIN_TESTS
+#define _OE_ATTESTATION_PLUGIN_TESTS
+
+void test_run_all();
+
+#endif // _OE_ATTESTATION_PLUGIN_TESTS
\ No newline at end of file

From 9de3dd4e1a9e25bec96979b3499d55f24a925801 Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Mon, 18 Nov 2019 19:38:00 +0000
Subject: [PATCH 295/420] Optimization/Security: Reduce TCB via gc-sections.

Function and variables are put in their own sections (-ffunction-sections and -fdata-sections).
Linker is asked to garbage collect unused sections (-gc-sections).
Thus any function/variable that is not reachable from the enclave entry point is eliminated
from the enclave binary, reducing the footprint and tcb.

For example, release build of echo_enc previously took 970KB. Now it takes 650KB.

Signed-off-by: Anand Krishnamoorthi <anakrish@microsoft.com>
---
 enclave/core/CMakeLists.txt    | 6 +++++-
 host/sgx/asmdefs.h             | 2 ++
 host/sgx/calls.c               | 4 ++++
 pkgconfig/CMakeLists.txt       | 5 ++++-
 tests/debugger/oegdb/enc/enc.c | 3 +++
 5 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/enclave/core/CMakeLists.txt b/enclave/core/CMakeLists.txt
index cddf778dc3..ba61ca7422 100644
--- a/enclave/core/CMakeLists.txt
+++ b/enclave/core/CMakeLists.txt
@@ -210,6 +210,9 @@ if (OE_SGX)
         -nostdinc
         -fno-stack-protector
         -fvisibility=hidden
+        # Put each function or data in its own section.
+        # This allows aggressively eliminating unused code.
+        -ffunction-sections -fdata-sections
         # "The default without -fpic is 'initial-exec'; with -fpic the
         # default is 'global-dynamic'."
         # https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html#Code-Gen-Options
@@ -258,7 +261,8 @@ if(OE_SGX)
         -nostdlib -nodefaultlibs -nostartfiles
         -Wl,--no-undefined,-Bstatic,-Bsymbolic,--export-dynamic,-pie,--build-id
         -Wl,-z,noexecstack
-        -Wl,-z,now)
+        -Wl,-z,now
+        -Wl,-gc-sections)
 elseif(OE_TRUSTZONE)
     target_link_libraries(oecore INTERFACE
         -nostdlib -nodefaultlibs -nostartfiles
diff --git a/host/sgx/asmdefs.h b/host/sgx/asmdefs.h
index 8cc45152f0..b3216b1b90 100644
--- a/host/sgx/asmdefs.h
+++ b/host/sgx/asmdefs.h
@@ -80,10 +80,12 @@ typedef struct _oe_host_ocall_frame
 #endif
 
 #ifndef __ASSEMBLER__
+OE_EXPORT
 void oe_notify_ocall_start(oe_host_ocall_frame_t* frame_pointer, void* tcs);
 #endif
 
 #ifndef __ASSEMBLER__
+OE_EXPORT
 void oe_notify_ocall_end(oe_host_ocall_frame_t* frame_pointer, void* tcs);
 #endif
 
diff --git a/host/sgx/calls.c b/host/sgx/calls.c
index 0fd584d17d..308f42a48d 100644
--- a/host/sgx/calls.c
+++ b/host/sgx/calls.c
@@ -834,10 +834,13 @@ oe_result_t oe_switchless_call_enclave_function(
 /*
 ** These two functions are needed to notify the debugger. They should not be
 ** optimized out even though they don't do anything in here.
+** OE_EXPORT is used to retain these function irrespective of linker
+** optimizations.
 */
 
 OE_NO_OPTIMIZE_BEGIN
 
+OE_EXPORT
 OE_NEVER_INLINE void oe_notify_ocall_start(
     oe_host_ocall_frame_t* frame_pointer,
     void* tcs)
@@ -848,6 +851,7 @@ OE_NEVER_INLINE void oe_notify_ocall_start(
     return;
 }
 
+OE_EXPORT
 OE_NEVER_INLINE void oe_notify_ocall_end(
     oe_host_ocall_frame_t* frame_pointer,
     void* tcs)
diff --git a/pkgconfig/CMakeLists.txt b/pkgconfig/CMakeLists.txt
index 0dbaf0ef87..8b89434748 100644
--- a/pkgconfig/CMakeLists.txt
+++ b/pkgconfig/CMakeLists.txt
@@ -27,7 +27,9 @@ set(ENCLAVE_CFLAGS_LIST
   -fPIE
   -ftls-model=local-exec
   -fvisibility=hidden
-  -fno-stack-protector)
+  -fno-stack-protector
+  -ffunction-sections
+  -fdata-sections)
 
 set(ENCLAVE_CFLAGS_CLANG_LIST ${ENCLAVE_CFLAGS_LIST} ${SPECTRE_MITIGATION_FLAGS})
 list(JOIN ENCLAVE_CFLAGS_CLANG_LIST " " ENCLAVE_CFLAGS_CLANG)
@@ -52,6 +54,7 @@ set(ENCLAVE_CLIBS_1
   -Wl,--build-id
   -Wl,-z,noexecstack
   -Wl,-z,now
+  -Wl,-gc-sections
   -L\${libdir}/openenclave/enclave
   -loeenclave
   -loecryptombed
diff --git a/tests/debugger/oegdb/enc/enc.c b/tests/debugger/oegdb/enc/enc.c
index 6186941531..39e9844f2d 100644
--- a/tests/debugger/oegdb/enc/enc.c
+++ b/tests/debugger/oegdb/enc/enc.c
@@ -33,6 +33,9 @@ int enc_add(int a, int b)
     return c;
 }
 
+// The following function is intended to be called by the debugger.
+// It must be retained via OE_EXPORT.
+OE_EXPORT
 int square(int x)
 {
     printf("square called with %d\n", x);

From 31a06d107b66fbd0433d49a94f4f1349d713afb2 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jordanhand22@gmail.com>
Date: Mon, 18 Nov 2019 15:20:50 -0800
Subject: [PATCH 296/420] Fix clang-format version parser

Signed-off-by: Jordan Hand <jordanhand22@gmail.com>
---
 scripts/format-code | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/format-code b/scripts/format-code
index 31050dab8a..88ea78a401 100755
--- a/scripts/format-code
+++ b/scripts/format-code
@@ -170,7 +170,7 @@ check_clang-format()
 
     local required_cfver='7.0.1'
     # shellcheck disable=SC2155
-    local cfver=$(${cf} --version | grep -o -E '[0-9]+\.[0-9]+\.[0-9]+')
+    local cfver=$(${cf} --version | grep -o -E '[0-9]+\.[0-9]+\.[0-9]+' | head -1)
     check_version "${required_cfver}" "${cfver}"
 }
 

From d2202e35cfb6f79ca4505508e69a7591d00e3bc4 Mon Sep 17 00:00:00 2001
From: Sergio Wong <sergio.wong@gmail.com>
Date: Thu, 17 Oct 2019 20:11:59 +0000
Subject: [PATCH 297/420] Added support for new endorsement structure and SGX
 plug-in internal functions.

Signed-off-by: Sergio Wong <sergio.wong@gmail.com>
---
 common/sgx/collaterals.c                      | 150 -------
 common/sgx/collaterals.h                      |  35 --
 common/sgx/endorsements.c                     | 422 ++++++++++++++++++
 common/sgx/endorsements.h                     | 115 +++++
 common/sgx/qeidentity.c                       |  29 +-
 common/sgx/qeidentity.h                       |   5 +-
 common/sgx/quote.c                            | 112 ++---
 common/sgx/quote.h                            |  48 +-
 common/sgx/revocation.c                       |  58 ++-
 common/sgx/revocation.h                       |   5 +-
 common/sgx/tlsverifier.c                      |   4 +-
 enclave/CMakeLists.txt                        |   2 +-
 enclave/core/CMakeLists.txt                   |   2 +-
 enclave/sgx/report.c                          |   2 +-
 host/CMakeLists.txt                           |   2 +-
 host/sgx/hostverify_report.c                  |  10 +-
 host/sgx/report.c                             |   2 +-
 include/openenclave/bits/attestation.h        |  96 ++++
 include/openenclave/host_verify.h             |   2 +
 include/openenclave/internal/report.h         |  51 ---
 .../attestation_plugin/plugin/mock_attester.h |  23 +-
 tests/attestation_plugin/plugin/tests.c       |   4 +-
 tests/host_verify/host/host.cpp               |  93 +---
 tests/report/common/tests.cpp                 |  34 +-
 tests/tools/oecert/host/host.cpp              |  90 ++--
 25 files changed, 889 insertions(+), 507 deletions(-)
 delete mode 100644 common/sgx/collaterals.c
 delete mode 100644 common/sgx/collaterals.h
 create mode 100644 common/sgx/endorsements.c
 create mode 100644 common/sgx/endorsements.h
 create mode 100644 include/openenclave/bits/attestation.h

diff --git a/common/sgx/collaterals.c b/common/sgx/collaterals.c
deleted file mode 100644
index a49816e2c8..0000000000
--- a/common/sgx/collaterals.c
+++ /dev/null
@@ -1,150 +0,0 @@
-// Copyright (c) Open Enclave SDK contributors.
-// Licensed under the MIT License.
-
-#include "collaterals.h"
-#include <openenclave/internal/datetime.h>
-#include <openenclave/internal/raise.h>
-#include "../common.h"
-
-#include "qeidentity.h"
-#include "quote.h"
-#include "revocation.h"
-
-oe_result_t oe_get_collaterals_internal(
-    const uint8_t* remote_report,
-    size_t remote_report_size,
-    uint8_t** collaterals_buffer,
-    size_t* collaterals_buffer_size)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    uint8_t* buffer = NULL;
-    oe_collaterals_header_t* header = NULL;
-    oe_collaterals_t* collaterals = NULL;
-
-    const uint8_t* pem_pck_certificate = NULL;
-    size_t pem_pck_certificate_size = 0;
-    oe_cert_chain_t pck_cert_chain = {0};
-    oe_cert_t leaf_cert = {0};
-    oe_cert_t intermediate_cert = {0};
-
-    OE_TRACE_INFO("Enter call %s\n", __FUNCTION__);
-
-    if ((collaterals_buffer == NULL) || (collaterals_buffer_size == NULL))
-    {
-        OE_RAISE(OE_INVALID_PARAMETER);
-    }
-
-    *collaterals_buffer = NULL;
-    *collaterals_buffer_size = 0;
-
-    buffer = (uint8_t*)oe_calloc(1, OE_COLLATERALS_SIZE);
-    if (buffer == NULL)
-    {
-        OE_RAISE(OE_OUT_OF_MEMORY);
-    }
-
-    header = (oe_collaterals_header_t*)buffer;
-    collaterals = (oe_collaterals_t*)(buffer + OE_COLLATERALS_HEADER_SIZE);
-
-    // Collateral header initialization
-    header->collaterals_size = OE_COLLATERALS_BODY_SIZE;
-
-    //
-    // Get the uri from the quote certificates, and then get the
-    // CRL (oe_get_revocation_info_from_certs)
-    //
-
-    // Get PCK cert chain from the quote.
-    OE_CHECK_MSG(
-        oe_get_quote_cert_chain_internal(
-            remote_report,
-            remote_report_size,
-            &pem_pck_certificate,
-            &pem_pck_certificate_size,
-            &pck_cert_chain),
-        "Failed to get certificate chain from quote. %s",
-        oe_result_str(result));
-
-    // Fetch leaf and intermediate certificates.
-    OE_CHECK_MSG(
-        oe_cert_chain_get_leaf_cert(&pck_cert_chain, &leaf_cert),
-        "Failed to get leaf certificate. %s",
-        oe_result_str(result));
-    OE_CHECK_MSG(
-        oe_cert_chain_get_cert(&pck_cert_chain, 1, &intermediate_cert),
-        "Failed to get intermediate certificate. %s",
-        oe_result_str(result));
-
-    // Get revocation information
-    OE_CHECK_MSG(
-        oe_get_revocation_info_from_certs(
-            &leaf_cert, &intermediate_cert, &(collaterals->revocation_info)),
-        "Failed to get certificate revocation information. %s",
-        oe_result_str(result));
-
-    // Application specific collaterals
-    collaterals->app_collaterals_size = 0;
-
-    //
-    // QE identify info
-    //
-    OE_CHECK_MSG(
-        oe_get_qe_identity_info(&(collaterals->qe_id_info)),
-        "Failed to get quote enclave identity information. %s",
-        oe_result_str(result));
-
-    // Record creation datetime.
-    {
-        oe_datetime_t datetime_now = {0};
-        size_t datetime_size = sizeof(collaterals->creation_datetime);
-
-        OE_CHECK(oe_datetime_now(&datetime_now));
-
-        OE_CHECK_MSG(
-            oe_datetime_to_string(
-                &datetime_now, collaterals->creation_datetime, &datetime_size),
-            "Failed to update collateral creation time. %s",
-            oe_result_str(result));
-    }
-
-    *collaterals_buffer = buffer;
-    *collaterals_buffer_size = OE_COLLATERALS_SIZE;
-    result = OE_OK;
-
-done:
-    oe_cert_free(&leaf_cert);
-    oe_cert_free(&intermediate_cert);
-    oe_cert_chain_free(&pck_cert_chain);
-
-    if ((result != OE_OK) && buffer)
-    {
-        oe_free_get_revocation_info_args(&(collaterals->revocation_info));
-        oe_free_qe_identity_info_args(&(collaterals->qe_id_info));
-
-        oe_free(buffer);
-    }
-
-    OE_TRACE_INFO(
-        "Exit call %s: %d(%s)\n", __FUNCTION__, result, oe_result_str(result));
-
-    return result;
-}
-
-/**
- * Free up any resources allocated by oe_get_collaterals()
- *
- * @param collaterals_buffer The buffer containing the collaterals.
- */
-void oe_free_collaterals_internal(uint8_t* collaterals_buffer)
-{
-    if (collaterals_buffer)
-    {
-        oe_collaterals_t* collaterals =
-            (oe_collaterals_t*)(collaterals_buffer + OE_COLLATERALS_HEADER_SIZE);
-
-        oe_free_qe_identity_info_args(&collaterals->qe_id_info);
-        oe_free_get_revocation_info_args(&collaterals->revocation_info);
-
-        oe_free(collaterals_buffer);
-    }
-}
\ No newline at end of file
diff --git a/common/sgx/collaterals.h b/common/sgx/collaterals.h
deleted file mode 100644
index 5102895489..0000000000
--- a/common/sgx/collaterals.h
+++ /dev/null
@@ -1,35 +0,0 @@
-// Copyright (c) Open Enclave SDK contributors.
-// Licensed under the MIT License.
-
-#ifndef _OE_COMMON_OE_COLLATERALS_H
-#define _OE_COMMON_OE_COLLATERALS_H
-
-#include <openenclave/bits/defs.h>
-#include <openenclave/bits/result.h>
-
-OE_EXTERNC_BEGIN
-
-/**
- * Get the collaterals for the respective remote report.
- *
- * @param[in] remote_report The remote report.
- * @param[in] remote_report_size The size of the remote report.
- * @param[out] collaterals_buffer The buffer where to store the collaterals.
- * @param[out] collaterals_buffer_size The size of the collaterals.
- */
-oe_result_t oe_get_collaterals_internal(
-    const uint8_t* remote_report,
-    size_t remote_report_size,
-    uint8_t** collaterals_buffer,
-    size_t* collaterals_buffer_size);
-
-/**
- * Free up any resources allocated by oe_get_collateras()
- *
- * @param[in] collaterals_buffer The buffer containing the collaterals.
- */
-void oe_free_collaterals_internal(uint8_t* collaterals_buffer);
-
-OE_EXTERNC_END
-
-#endif /* _OE_COMMON_OE_COLLATERALS_H */
diff --git a/common/sgx/endorsements.c b/common/sgx/endorsements.c
new file mode 100644
index 0000000000..b9b78bc986
--- /dev/null
+++ b/common/sgx/endorsements.c
@@ -0,0 +1,422 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include "endorsements.h"
+#include <openenclave/bits/attestation.h>
+#include <openenclave/bits/safecrt.h>
+#include <openenclave/internal/datetime.h>
+#include <openenclave/internal/raise.h>
+#include "../common.h"
+
+#include "qeidentity.h"
+#include "quote.h"
+#include "revocation.h"
+
+#define CREATION_DATETIME_SIZE 21
+
+/**
+ * Create oe_endorsements_t from the given SGX endorsements.
+ *
+ * @param[in] revocation_info SGX revocation information.
+ * @param[in] qe_id_info SGX QE identity information.
+ * @param[out] endorsements OE endorsement structure.
+ */
+static oe_result_t oe_create_sgx_endorsements(
+    const oe_get_revocation_info_args_t* revocation_info,
+    const oe_get_qe_identity_info_args_t* qe_id_info,
+    oe_endorsements_t** endorsements_buffer,
+    size_t* endorsements_buffer_size)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    oe_endorsements_t* endorsements = NULL;
+    char creation_datetime[CREATION_DATETIME_SIZE];
+    uint32_t* buffer32 = NULL;
+    uint8_t* buffer = NULL;
+    uint32_t offset;
+    uint32_t offsets_size;
+    uint32_t size;
+    int i;
+
+    OE_TRACE_INFO("Enter call %s\n", __FUNCTION__);
+
+    if (revocation_info == NULL || qe_id_info == NULL)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    if (revocation_info->num_crl_urls != OE_SGX_ENDORSEMENTS_CRL_COUNT)
+        OE_RAISE_MSG(
+            OE_INVALID_PARAMETER,
+            "Expected %d num CRLs, but got %d",
+            OE_SGX_ENDORSEMENTS_CRL_COUNT,
+            revocation_info->num_crl_urls);
+
+    offsets_size = (uint32_t)sizeof(uint32_t) * OE_SGX_ENDORSEMENT_COUNT;
+    size = (uint32_t)sizeof(oe_endorsements_t) + // Header
+           offsets_size +                        // Array of offsets
+           (uint32_t)(                           // Data
+               sizeof(uint32_t) +                // Version
+               revocation_info->tcb_info_size +
+               revocation_info->tcb_issuer_chain_size +
+               qe_id_info->qe_id_info_size + qe_id_info->issuer_chain_size);
+
+    for (i = 0; i < OE_SGX_ENDORSEMENTS_CRL_COUNT; i++)
+    {
+        size += (uint32_t)revocation_info->crl_size[i];
+        size += (uint32_t)revocation_info->crl_issuer_chain_size[i];
+    }
+
+    size += CREATION_DATETIME_SIZE;
+    if (size > OE_ATTESTATION_ENDORSEMENT_MAX_SIZE)
+        OE_RAISE_MSG(
+            OE_INVALID_PARAMETER,
+            "SGX endorsements are too large. Size is %d bytes",
+            size);
+
+    // Allocate memory
+    endorsements = (oe_endorsements_t*)oe_calloc(1, size);
+    if (endorsements == NULL)
+        OE_RAISE_MSG(
+            OE_OUT_OF_MEMORY,
+            "Out of memory while creating endorsements.",
+            NULL);
+
+    // Record creation datetime.
+    {
+        oe_datetime_t datetime_now = {0};
+        size_t datetime_size = CREATION_DATETIME_SIZE;
+
+        OE_CHECK(oe_datetime_now(&datetime_now));
+
+        OE_CHECK_MSG(
+            oe_datetime_to_string(
+                &datetime_now, creation_datetime, &datetime_size),
+            "Failed to update endorsement creation time. %s",
+            oe_result_str(result));
+    }
+
+    // Initialize header
+    endorsements->version = OE_ATTESTATION_ENDORSEMENT_VERSION;
+    endorsements->enclave_type = OE_ENCLAVE_TYPE_SGX;
+    endorsements->num_elements = OE_SGX_ENDORSEMENT_COUNT;
+    endorsements->buffer_size = size - (uint32_t)sizeof(oe_endorsements_t);
+    buffer32 = (uint32_t*)&endorsements->buffer[0];
+
+    // Set offsets
+    offset = 0;
+    buffer32[OE_SGX_ENDORSEMENT_FIELD_VERSION] = offset;
+    offset += (uint32_t)sizeof(uint32_t);
+    buffer32[OE_SGX_ENDORSEMENT_FIELD_TCB_INFO] = offset;
+    offset += (uint32_t)revocation_info->tcb_info_size;
+    buffer32[OE_SGX_ENDORSEMENT_FIELD_TCB_ISSUER_CHAIN] = offset;
+    offset += (uint32_t)revocation_info->tcb_issuer_chain_size;
+    for (i = 0; i < OE_SGX_ENDORSEMENTS_CRL_COUNT; i++)
+    {
+        buffer32[OE_SGX_ENDORSEMENT_FIELD_CRL_PCK_CERT + i] = offset;
+        offset += (uint32_t)revocation_info->crl_size[i];
+    }
+    for (i = 0; i < OE_SGX_ENDORSEMENTS_CRL_COUNT; i++)
+    {
+        buffer32[OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_PCK_CERT + i] =
+            offset;
+        offset += (uint32_t)revocation_info->crl_issuer_chain_size[i];
+    }
+    buffer32[OE_SGX_ENDORSEMENT_FIELD_QE_ID_INFO] = offset;
+    offset += (uint32_t)qe_id_info->qe_id_info_size;
+    buffer32[OE_SGX_ENDORSEMENT_FIELD_QE_ID_ISSUER_CHAIN] = offset;
+    offset += (uint32_t)qe_id_info->issuer_chain_size;
+    buffer32[OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME] = offset;
+    offset += CREATION_DATETIME_SIZE;
+
+    // Sanity check
+    if (offset != (endorsements->buffer_size - offsets_size))
+        OE_RAISE_MSG(
+            OE_FAILURE,
+            "Encountered size mismatch when creating SGX endorsements. "
+            "data size: %d bytes, expected: %d",
+            offset,
+            (endorsements->buffer_size - offsets_size));
+
+    OE_TRACE_INFO(
+        "SGX endorsements. Header size: %d, offsets size: %d, data size: %d",
+        sizeof(oe_endorsements_t),
+        offsets_size,
+        offset);
+
+    // Set version
+    buffer = (uint8_t*)&buffer32[OE_SGX_ENDORSEMENT_COUNT];
+    *((uint32_t*)buffer) = OE_SGX_ENDORSEMENTS_VERSION;
+    buffer += sizeof(uint32_t);
+
+    // Copy TCB Info
+    OE_CHECK(oe_memcpy_s(
+        buffer,
+        size,
+        revocation_info->tcb_info,
+        revocation_info->tcb_info_size));
+    buffer += revocation_info->tcb_info_size;
+
+    // Copy TCB Issuer Chain
+    OE_CHECK(oe_memcpy_s(
+        buffer,
+        size,
+        revocation_info->tcb_issuer_chain,
+        revocation_info->tcb_issuer_chain_size));
+    buffer += revocation_info->tcb_issuer_chain_size;
+
+    // Copy CRLs
+    for (i = 0; i < OE_SGX_ENDORSEMENTS_CRL_COUNT; i++)
+    {
+        OE_CHECK(oe_memcpy_s(
+            buffer,
+            size,
+            revocation_info->crl[i],
+            revocation_info->crl_size[i]));
+        buffer += revocation_info->crl_size[i];
+    }
+
+    // Copy CRLs Issuer Chain
+    for (i = 0; i < OE_SGX_ENDORSEMENTS_CRL_COUNT; i++)
+    {
+        OE_CHECK(oe_memcpy_s(
+            buffer,
+            size,
+            revocation_info->crl_issuer_chain[i],
+            revocation_info->crl_issuer_chain_size[i]));
+        buffer += revocation_info->crl_issuer_chain_size[i];
+    }
+
+    // Copy QE ID Info
+    OE_CHECK(oe_memcpy_s(
+        buffer, size, qe_id_info->qe_id_info, qe_id_info->qe_id_info_size));
+    buffer += qe_id_info->qe_id_info_size;
+
+    // Copy QE ID Issue Chain
+    OE_CHECK(oe_memcpy_s(
+        buffer, size, qe_id_info->issuer_chain, qe_id_info->issuer_chain_size));
+    buffer += qe_id_info->issuer_chain_size;
+
+    // Copy creation datetime
+    OE_CHECK(
+        oe_memcpy_s(buffer, size, creation_datetime, CREATION_DATETIME_SIZE));
+    buffer += CREATION_DATETIME_SIZE;
+
+    // Sanity check
+    if (buffer != (endorsements->buffer + endorsements->buffer_size))
+        OE_RAISE_MSG(
+            OE_FAILURE,
+            "Encountered size mismatch when creating SGX endorsements. "
+            "end of data section: 0x%x bytes, expected: 0x%x",
+            buffer,
+            (endorsements->buffer + endorsements->buffer_size));
+
+    *endorsements_buffer = endorsements;
+    *endorsements_buffer_size = size;
+
+    result = OE_OK;
+
+done:
+    if ((result != OE_OK) && endorsements)
+        oe_free(endorsements);
+
+    OE_TRACE_INFO(
+        "Exit call %s: %d(%s)\n", __FUNCTION__, result, oe_result_str(result));
+
+    return result;
+}
+
+/**
+ * Converts an oe_endorsement_t structure to a SGX endorsement structure
+ * (oe_sgx_endorsements_t).
+ *
+ * @param[in] endorsements The endorsements in raw format (oe_endorsements_t)
+ * @param[out] sgx_endorsements The parsed SGX endorsements.
+ */
+oe_result_t oe_parse_sgx_endorsements(
+    const oe_endorsements_t* endorsements,
+    const size_t endorsements_size,
+    oe_sgx_endorsements_t* sgx_endorsements)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    uint32_t* offsets = NULL;
+    uint32_t offsets_size = 0;
+    uint8_t* data_ptr_start = NULL;
+    uint32_t data_size;
+    uint32_t version = 0;
+
+    if (endorsements == NULL || sgx_endorsements == NULL)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    // Verify version and enclave type
+    if ((endorsements->version != OE_ATTESTATION_ENDORSEMENT_VERSION) ||
+        (endorsements->enclave_type != OE_ENCLAVE_TYPE_SGX))
+        OE_RAISE_MSG(
+            OE_INVALID_PARAMETER,
+            "Failed to parse SGX endorsement. Invalid version or enclave "
+            "type.",
+            NULL);
+
+    if (endorsements->num_elements != OE_SGX_ENDORSEMENT_COUNT)
+        OE_RAISE_MSG(
+            OE_INVALID_PARAMETER,
+            "Failed to parse SGX endorsement. Exepected %d items, but got %d.",
+            OE_SGX_ENDORSEMENT_COUNT,
+            endorsements->num_elements);
+
+    offsets_size = endorsements->num_elements * (uint32_t)sizeof(uint32_t);
+    if (endorsements_size > OE_ATTESTATION_ENDORSEMENT_MAX_SIZE ||
+        endorsements->buffer_size > endorsements_size ||
+        endorsements->buffer_size <= offsets_size)
+        OE_RAISE_MSG(
+            OE_INVALID_PARAMETER, "Endorsement buffer size is invalid.", NULL);
+
+    data_size = endorsements->buffer_size - offsets_size;
+    offsets = (uint32_t*)endorsements->buffer;
+    data_ptr_start = (uint8_t*)(endorsements->buffer + offsets_size);
+
+    memset(sgx_endorsements, 0, sizeof(oe_sgx_endorsements_t));
+
+    version = *((uint32_t*)data_ptr_start);
+    if (version != OE_SGX_ENDORSEMENTS_VERSION)
+        OE_RAISE_MSG(
+            OE_INVALID_PARAMETER,
+            "Unexpected SGX endorsement version %d, expected %d",
+            version,
+            OE_SGX_ENDORSEMENTS_VERSION);
+
+    OE_TRACE_INFO("SGX Version: %d", version);
+    for (int i = 0; i < OE_SGX_ENDORSEMENT_COUNT; i++)
+    {
+        uint8_t* item_ptr = data_ptr_start + offsets[i];
+        uint32_t item_size;
+
+        if (offsets[i] >= endorsements->buffer_size)
+            OE_RAISE_MSG(
+                OE_INVALID_PARAMETER,
+                "Offset value when creating SGX endorsement is incorrect.",
+                NULL);
+
+        if (i < OE_SGX_ENDORSEMENT_COUNT - 1)
+            item_size = offsets[i + 1] - offsets[i];
+        else
+            item_size = data_size - offsets[i];
+
+        sgx_endorsements->items[i].data = item_ptr;
+        sgx_endorsements->items[i].size = item_size;
+
+        OE_TRACE_VERBOSE(
+            "SGX endorsement %d, size(%d): %s\n", i, item_size, item_ptr);
+    }
+
+    result = OE_OK;
+done:
+
+    return result;
+}
+
+oe_result_t oe_get_sgx_endorsements(
+    const uint8_t* remote_report,
+    size_t remote_report_size,
+    uint8_t** endorsements_buffer,
+    size_t* endorsements_buffer_size)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    oe_get_qe_identity_info_args_t qe_id_info = {0};
+    oe_get_revocation_info_args_t revocation_info = {0};
+
+    const uint8_t* pem_pck_certificate = NULL;
+    size_t pem_pck_certificate_size = 0;
+    oe_cert_chain_t pck_cert_chain = {0};
+    oe_cert_t leaf_cert = {0};
+    oe_cert_t intermediate_cert = {0};
+
+    OE_TRACE_INFO("Enter call %s\n", __FUNCTION__);
+
+    if ((endorsements_buffer == NULL) || (endorsements_buffer_size == NULL))
+    {
+        OE_RAISE(OE_INVALID_PARAMETER);
+    }
+
+    *endorsements_buffer = NULL;
+    *endorsements_buffer_size = 0;
+
+    //
+    // Get the uri from the quote certificates, and then get the
+    // CRL (oe_get_revocation_info_from_certs)
+    //
+
+    // Get PCK cert chain from the quote.
+    OE_CHECK_MSG(
+        oe_get_quote_cert_chain_internal(
+            remote_report,
+            remote_report_size,
+            &pem_pck_certificate,
+            &pem_pck_certificate_size,
+            &pck_cert_chain),
+        "Failed to get certificate chain from quote. %s",
+        oe_result_str(result));
+
+    // Fetch leaf and intermediate certificates.
+    OE_CHECK_MSG(
+        oe_cert_chain_get_leaf_cert(&pck_cert_chain, &leaf_cert),
+        "Failed to get leaf certificate. %s",
+        oe_result_str(result));
+    OE_CHECK_MSG(
+        oe_cert_chain_get_cert(&pck_cert_chain, 1, &intermediate_cert),
+        "Failed to get intermediate certificate. %s",
+        oe_result_str(result));
+
+    //
+    // Get revocation information
+    //
+    OE_CHECK_MSG(
+        oe_get_revocation_info_from_certs(
+            &leaf_cert, &intermediate_cert, &revocation_info),
+        "Failed to get certificate revocation information. %s",
+        oe_result_str(result));
+
+    //
+    // Get QE identify info
+    //
+    OE_CHECK_MSG(
+        oe_get_qe_identity_info(&qe_id_info),
+        "Failed to get quote enclave identity information. %s",
+        oe_result_str(result));
+
+    //
+    // Create endorsement structure
+    //
+    OE_CHECK_MSG(
+        oe_create_sgx_endorsements(
+            &revocation_info,
+            &qe_id_info,
+            (oe_endorsements_t**)endorsements_buffer,
+            endorsements_buffer_size),
+        "Failed to create SGX endorsements.",
+        oe_result_str(result));
+
+    result = OE_OK;
+
+done:
+    oe_cert_free(&leaf_cert);
+    oe_cert_free(&intermediate_cert);
+    oe_cert_chain_free(&pck_cert_chain);
+    oe_free_get_revocation_info_args(&revocation_info);
+    oe_free_qe_identity_info_args(&qe_id_info);
+
+    OE_TRACE_INFO(
+        "Exit call %s: %d(%s)\n", __FUNCTION__, result, oe_result_str(result));
+
+    return result;
+}
+
+/**
+ * Free up any resources allocated by oe_get_sgx_endorsements()
+ *
+ * @param endorsements_buffer The buffer containing the endorsements.
+ */
+void oe_free_sgx_endorsements(uint8_t* endorsements_buffer)
+{
+    if (endorsements_buffer)
+    {
+        oe_free(endorsements_buffer);
+    }
+}
\ No newline at end of file
diff --git a/common/sgx/endorsements.h b/common/sgx/endorsements.h
new file mode 100644
index 0000000000..4e7455f3a3
--- /dev/null
+++ b/common/sgx/endorsements.h
@@ -0,0 +1,115 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#ifndef _OE_COMMON_OE_ENDORSEMENTS_H
+#define _OE_COMMON_OE_ENDORSEMENTS_H
+
+#include <openenclave/bits/attestation.h>
+#include <openenclave/bits/defs.h>
+#include <openenclave/bits/result.h>
+
+OE_EXTERNC_BEGIN
+
+/*! \struct SGX endorsement item
+ */
+typedef struct _oe_sgx_endorsement_item
+{
+    uint8_t* data;
+    uint32_t size;
+} oe_sgx_endorsement_item;
+
+/*! \struct oe_sgx_endorsements
+ *
+ * \brief SGX endorsements structure
+ *
+ * The generic oe_endorsements_t structure is parsed and converted into this
+ * internal structure.  The order of the generic data elements should
+ * coincide with the order of the fields in this structure.
+ *
+ * Data format: All data comes from the Data Center Attestation Primitives(DCAP)
+ * Client.
+ *
+ * For Azure DCAP Client
+ * (https://github.com/microsoft/Azure-DCAP-Client/blob/master/src/dcap_provider.h)
+ * see **sgx_ql_revocation_info_t** and sgx_qe_identity_info_t.
+ *
+ * For Intel DCAP Client
+ * (https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/README.md)
+ * see TBD.
+ *
+ */
+typedef struct _oe_sgx_endorsements_t
+{
+    ///< OE_SGX_ENDORSEMENT_FIELD_VERSION
+    ///<    Version of this SGX endorsement structure
+
+    ///< OE_SGX_ENDORSEMENT_FIELD_TCB_INFO
+    ///<    TCB info, null-terminated JSON string
+    ///<    TCB Info size
+    ///< OE_SGX_ENDORSEMENT_FIELD_TCB_ISSUER_CHAIN
+    ///<    PEM format, null-terminated string
+    ///<    Size of the tcb_issuer_chain
+
+    ///< OE_SGX_ENDORSEMENT_FIELD_CRL_PCK_CERT to
+    ///<    OE_SGX_ENDORSEMENT_FIELD_CRL_PCK_PROC_CA
+    ///< CRLs in DER format, null-terminated
+    ///<     crl[0] = CRL for the SGX PCK Certificate
+    ///<     crl[1] = CRL for the SGX PCK Processor CA
+
+    ///< OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_PCK_CERT to
+    ///<    OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_PCK_PROC_CA
+    ///< CRLs issuer chains in PEM format, null-terminated string
+    ///<     crl[0] = Issuer Chain for the SGX PCK Certificate
+    ///<     crl[1] = CRL for the SGX PCK Processor CA
+
+    ///< OE_SGX_ENDORSEMENT_FIELD_QE_ID_INFO
+    ///<    QE Identity info, null-terminated JSON string
+    ///<    QE Identity size
+    ///< OE_SGX_ENDORSEMENT_FIELD_QE_ID_ISSUER_CHAIN
+    ///<    PEM format, null-terminated string
+    ///<    Size of qe_id_issuer_chain
+
+    ///< OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME
+    ///<    Time the endorsements were generated, null-terminated string
+    ///<    The size of creation_datetime.
+    oe_sgx_endorsement_item items[OE_SGX_ENDORSEMENT_COUNT];
+
+} oe_sgx_endorsements_t;
+
+/**
+ * Convert a oe_endorsement_t structure to a SGX endorsement structure
+ * (oe_sgx_endorsements_t).
+ *
+ * @param[in] endorsements The endorsements in raw format (oe_endorsements_t)
+ * @param[in] endorsements_size The size of the **endorsements**
+ * @param[out] sgx_endorsements The parsed SGX endorsements.
+ */
+oe_result_t oe_parse_sgx_endorsements(
+    const oe_endorsements_t* endorsements,
+    const size_t endorsements_size,
+    oe_sgx_endorsements_t* sgx_endorsements);
+
+/**
+ * Get the endorsements for the respective SGX remote report.
+ *
+ * @param[in] remote_report The remote report.
+ * @param[in] remote_report_size The size of the remote report.
+ * @param[out] endorsements_buffer The buffer where to store the endorsements.
+ * @param[out] endorsements_buffer_size The size of the endorsements.
+ */
+oe_result_t oe_get_sgx_endorsements(
+    const uint8_t* remote_report,
+    size_t remote_report_size,
+    uint8_t** endorsements_buffer,
+    size_t* endorsements_buffer_size);
+
+/**
+ * Free up any resources allocated by oe_get_sgx_endorsements()
+ *
+ * @param[in] endorsements_buffer The buffer containing the endorsements.
+ */
+void oe_free_sgx_endorsements(uint8_t* endorsements_buffer);
+
+OE_EXTERNC_END
+
+#endif /* _OE_COMMON_OE_ENDORSEMENTS_H */
diff --git a/common/sgx/qeidentity.c b/common/sgx/qeidentity.c
index 151e90c8f7..ecfa7eacf8 100644
--- a/common/sgx/qeidentity.c
+++ b/common/sgx/qeidentity.c
@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 #include "qeidentity.h"
+#include <openenclave/bits/attestation.h>
 #include <openenclave/internal/raise.h>
 #include <openenclave/internal/utils.h>
 #include "../common.h"
@@ -22,8 +23,8 @@ static void dump_info(
 }
 
 oe_result_t oe_validate_qe_identity(
-    sgx_report_body_t* qe_report_body,
-    oe_get_qe_identity_info_args_t* qe_id_args,
+    const sgx_report_body_t* qe_report_body,
+    const oe_sgx_endorsements_t* sgx_endorsements,
     oe_datetime_t* validity_from,
     oe_datetime_t* validity_until)
 {
@@ -38,24 +39,36 @@ oe_result_t oe_validate_qe_identity(
 
     OE_TRACE_INFO("Calling %s\n", __FUNCTION__);
 
-    if ((qe_id_args == NULL) || (validity_from == NULL) ||
+    if ((sgx_endorsements == NULL) || (validity_from == NULL) ||
         (validity_until == NULL))
         OE_RAISE(OE_INVALID_PARAMETER);
 
     // Use QE Identity info to validate QE
     // Check against fetched qe identityinfo
-    OE_TRACE_INFO("qe_identity.issuer_chain:[%s]\n", qe_id_args->issuer_chain);
-    pem_pck_certificate = qe_id_args->issuer_chain;
-    pem_pck_certificate_size = qe_id_args->issuer_chain_size;
+    OE_TRACE_INFO(
+        "qe_identity.issuer_chain:[%s]\n",
+        (const char*)sgx_endorsements
+            ->items[OE_SGX_ENDORSEMENT_FIELD_QE_ID_ISSUER_CHAIN]
+            .data);
+    pem_pck_certificate =
+        sgx_endorsements->items[OE_SGX_ENDORSEMENT_FIELD_QE_ID_ISSUER_CHAIN]
+            .data;
+    pem_pck_certificate_size =
+        sgx_endorsements->items[OE_SGX_ENDORSEMENT_FIELD_QE_ID_ISSUER_CHAIN]
+            .size;
 
     // validate the cert chain.
     OE_CHECK(oe_cert_chain_read_pem(
         &pck_cert_chain, pem_pck_certificate, pem_pck_certificate_size));
 
     // parse identity info json blob
-    OE_TRACE_INFO("*qe_identity.qe_id_info:[%s]\n", qe_id_args->qe_id_info);
+    OE_TRACE_INFO(
+        "*qe_identity.qe_id_info:[%s]\n",
+        sgx_endorsements->items[OE_SGX_ENDORSEMENT_FIELD_QE_ID_INFO].data);
     OE_CHECK(oe_parse_qe_identity_info_json(
-        qe_id_args->qe_id_info, qe_id_args->qe_id_info_size, &parsed_info));
+        sgx_endorsements->items[OE_SGX_ENDORSEMENT_FIELD_QE_ID_INFO].data,
+        sgx_endorsements->items[OE_SGX_ENDORSEMENT_FIELD_QE_ID_INFO].size,
+        &parsed_info));
 
     // verify qe identity signature
     OE_TRACE_INFO("Calling oe_verify_ecdsa256_signature\n");
diff --git a/common/sgx/qeidentity.h b/common/sgx/qeidentity.h
index 917fcf1435..4221200f52 100644
--- a/common/sgx/qeidentity.h
+++ b/common/sgx/qeidentity.h
@@ -9,6 +9,7 @@
 #include <openenclave/bits/types.h>
 #include <openenclave/internal/crypto/cert.h>
 #include <openenclave/internal/report.h>
+#include "endorsements.h"
 
 OE_EXTERNC_BEGIN
 
@@ -22,8 +23,8 @@ OE_EXTERNC_BEGIN
  * @param[out] validity_until The date which the QE identity info expires.
  */
 oe_result_t oe_validate_qe_identity(
-    sgx_report_body_t* qe_report_body,
-    oe_get_qe_identity_info_args_t* qe_id_args,
+    const sgx_report_body_t* qe_report_body,
+    const oe_sgx_endorsements_t* sgx_endorsements,
     oe_datetime_t* validity_from,
     oe_datetime_t* validity_until);
 
diff --git a/common/sgx/quote.c b/common/sgx/quote.c
index 585a698c34..69ef6420d0 100644
--- a/common/sgx/quote.c
+++ b/common/sgx/quote.c
@@ -9,7 +9,7 @@
 #include <openenclave/internal/sgxtypes.h>
 #include <openenclave/internal/utils.h>
 #include "../common.h"
-#include "collaterals.h"
+#include "endorsements.h"
 #include "qeidentity.h"
 #include "revocation.h"
 
@@ -423,37 +423,41 @@ static void _update_validity(
     }
 }
 
-oe_result_t oe_verify_quote_internal_with_collaterals(
+oe_result_t oe_verify_sgx_quote(
     const uint8_t* quote,
     size_t quote_size,
-    const uint8_t* collaterals,
-    size_t collaterals_size,
-    oe_datetime_t* validation_time)
+    const uint8_t* endorsements,
+    size_t endorsements_size,
+    oe_datetime_t* input_validation_time)
 {
     oe_result_t result = OE_UNEXPECTED;
 
-    uint8_t* local_collaterals = NULL;
-    size_t local_collaterals_size = 0;
+    uint8_t* local_endorsements = NULL;
+    size_t local_endorsements_size = 0;
     oe_datetime_t validity_from = {0};
     oe_datetime_t validity_until = {0};
-    oe_datetime_t creation_time = {0};
+    oe_datetime_t validation_time = {0};
+    oe_sgx_endorsements_t sgx_endorsements;
 
     if (quote == NULL)
         OE_RAISE(OE_INVALID_PARAMETER);
 
-    if (collaterals == NULL)
+    if (endorsements == NULL && input_validation_time != NULL)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    if (endorsements == NULL)
     {
         OE_CHECK_MSG(
-            oe_get_collaterals_internal(
+            oe_get_sgx_endorsements(
                 quote,
                 quote_size,
-                (uint8_t**)&local_collaterals,
-                &local_collaterals_size),
-            "Failed to get collaterals. %s",
+                (uint8_t**)&local_endorsements,
+                &local_endorsements_size),
+            "Failed to get SGX endorsements. %s",
             oe_result_str(result));
 
-        collaterals = local_collaterals;
-        collaterals_size = local_collaterals_size;
+        endorsements = local_endorsements;
+        endorsements_size = local_endorsements_size;
     }
 
     OE_CHECK_MSG(
@@ -461,39 +465,51 @@ oe_result_t oe_verify_quote_internal_with_collaterals(
         "Failed to verify remote quote.",
         NULL);
 
-    // Collateral verification
-    {
-        oe_collaterals_t* collaterals_body =
-            (oe_collaterals_t*)(collaterals + OE_COLLATERALS_HEADER_SIZE);
+    OE_CHECK_MSG(
+        oe_parse_sgx_endorsements(
+            (oe_endorsements_t*)endorsements,
+            endorsements_size,
+            &sgx_endorsements),
+        "Failed to parse SGX endorsements.",
+        oe_result_str(result));
 
+    // Endorsements verification
+    {
         OE_CHECK_MSG(
-            oe_get_quote_validity_with_collaterals_internal(
+            oe_get_sgx_quote_validity(
                 quote,
                 quote_size,
-                collaterals,
-                collaterals_size,
+                &sgx_endorsements,
                 &validity_from,
                 &validity_until),
             "Failed to validate quote. %s",
             oe_result_str(result));
 
-        // Verify quote/collaterals for the given time.  Use collateral creation
-        // time if one was not provided.
-        if (validation_time == NULL)
+        // Verify quote/endorsements for the given time.  Use endorsements
+        // creation time if one was not provided.
+        if (input_validation_time == NULL)
         {
             OE_CHECK_MSG(
                 oe_datetime_from_string(
-                    collaterals_body->creation_datetime,
-                    sizeof(collaterals_body->creation_datetime),
-                    &creation_time),
-                "Invalid creation time in collaterals: %s",
-                collaterals_body->creation_datetime);
-
-            validation_time = &creation_time;
+                    (const char*)sgx_endorsements
+                        .items[OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME]
+                        .data,
+                    sgx_endorsements
+                        .items[OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME]
+                        .size,
+                    &validation_time),
+                "Invalid creation time in endorsements: %s",
+                sgx_endorsements
+                    .items[OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME]
+                    .data);
+        }
+        else
+        {
+            validation_time = *input_validation_time;
         }
 
-        oe_datetime_log("Validation datetime: ", validation_time);
-        if (oe_datetime_compare(validation_time, &validity_from) < 0)
+        oe_datetime_log("Validation datetime: ", &validation_time);
+        if (oe_datetime_compare(&validation_time, &validity_from) < 0)
         {
             oe_datetime_log("Latests valid datetime: ", &validity_from);
             OE_RAISE_MSG(
@@ -502,7 +518,7 @@ oe_result_t oe_verify_quote_internal_with_collaterals(
                 "latest 'valid from' value.",
                 NULL);
         }
-        if (oe_datetime_compare(validation_time, &validity_until) > 0)
+        if (oe_datetime_compare(&validation_time, &validity_until) > 0)
         {
             oe_datetime_log("Earliest expiration datetime: ", &validity_until);
             OE_RAISE_MSG(
@@ -516,17 +532,16 @@ oe_result_t oe_verify_quote_internal_with_collaterals(
     result = OE_OK;
 
 done:
-    if (local_collaterals)
-        oe_free_collaterals_internal(local_collaterals);
+    if (local_endorsements)
+        oe_free_sgx_endorsements(local_endorsements);
 
     return result;
 }
 
-oe_result_t oe_get_quote_validity_with_collaterals_internal(
+oe_result_t oe_get_sgx_quote_validity(
     const uint8_t* quote,
     const size_t quote_size,
-    const uint8_t* collaterals,
-    size_t collaterals_size,
+    const oe_sgx_endorsements_t* sgx_endorsements,
     oe_datetime_t* valid_from,
     oe_datetime_t* valid_until)
 {
@@ -541,10 +556,6 @@ oe_result_t oe_get_quote_validity_with_collaterals_internal(
     size_t pem_pck_certificate_size = 0;
     oe_cert_chain_t pck_cert_chain = {0};
 
-    oe_collaterals_header_t* col_header = (oe_collaterals_header_t*)collaterals;
-    oe_collaterals_t* col =
-        (oe_collaterals_t*)(collaterals + OE_COLLATERALS_HEADER_SIZE);
-
     oe_cert_t root_cert = {0};
     oe_cert_t intermediate_cert = {0};
     oe_cert_t pck_cert = {0};
@@ -554,14 +565,10 @@ oe_result_t oe_get_quote_validity_with_collaterals_internal(
     oe_datetime_t from;
     oe_datetime_t until;
 
-    if ((quote == NULL) || (collaterals == NULL) || (valid_from == NULL) ||
+    if ((quote == NULL) || (sgx_endorsements == NULL) || (valid_from == NULL) ||
         (valid_until == NULL))
         OE_RAISE(OE_INVALID_PARAMETER);
 
-    if ((col_header->collaterals_size != OE_COLLATERALS_BODY_SIZE) ||
-        (collaterals_size != OE_COLLATERALS_SIZE))
-        OE_RAISE_MSG(OE_INVALID_PARAMETER, "Invalid collaterals size.", NULL);
-
     OE_TRACE_INFO("Call enter %s\n", __FUNCTION__);
 
     OE_CHECK_MSG(
@@ -621,8 +628,8 @@ oe_result_t oe_get_quote_validity_with_collaterals_internal(
 
     // Fetch revocation info validity dates.
     OE_CHECK_MSG(
-        oe_validate_revocation_list(
-            &pck_cert, &col->revocation_info, &from, &until),
+        oe_validate_revocation_list(&pck_cert, sgx_endorsements, &from, &until),
+
         "Failed to validate revocation info. %s",
         oe_result_str(result));
     _update_validity(&latest_from, &earliest_until, &from, &until);
@@ -630,7 +637,8 @@ oe_result_t oe_get_quote_validity_with_collaterals_internal(
     // QE identity info validity dates.
     OE_CHECK_MSG(
         oe_validate_qe_identity(
-            &quote_auth_data->qe_report_body, &col->qe_id_info, &from, &until),
+            &quote_auth_data->qe_report_body, sgx_endorsements, &from, &until),
+
         "Failed quoting enclave identity checking. %s",
         oe_result_str(result));
     _update_validity(&latest_from, &earliest_until, &from, &until);
diff --git a/common/sgx/quote.h b/common/sgx/quote.h
index 99a8cc61f7..ff04933917 100644
--- a/common/sgx/quote.h
+++ b/common/sgx/quote.h
@@ -8,26 +8,11 @@
 #include <openenclave/bits/result.h>
 #include <openenclave/bits/types.h>
 #include <openenclave/internal/crypto/cert.h>
+#include <openenclave/internal/datetime.h>
+#include "endorsements.h"
 
 OE_EXTERNC_BEGIN
 
-/*!
- * Verify quote with optional collaterals.
- *
- * @param[in] quote Input quote.
- * @param[in] quote_size The size of the quote.
- * @param[in] collaterals Optional collaterals related to a remote quote.
- * @param[in] collatterals_size The size of the collaterals.
- * @param[in] input_validation_time Optional time to use for validation,
- * defaults to the time the collaterals were created.
- */
-oe_result_t oe_verify_quote_internal_with_collaterals(
-    const uint8_t* quote,
-    size_t quote_size,
-    const uint8_t* collaterals,
-    size_t collaterals_size,
-    oe_datetime_t* input_validation_time);
-
 /*!
  * Retrieves certifate chain from the quote.
  *
@@ -50,8 +35,25 @@ oe_result_t oe_get_quote_cert_chain_internal(
     oe_cert_chain_t* pck_cert_chain);
 
 /*!
- * Find the valid datetime range for the given quote, collaterals.  This
- * function accounts for the following items:
+ * Verify SGX quote and endorsements.
+ *
+ * @param[in] quote Input quote.
+ * @param[in] quote_size The size of the quote.
+ * @param[in] endorsements Optional endorsements related to a remote quote.
+ * @param[in] endorsements_size The size of the endorsements.
+ * @param[in] input_validation_time Optional time to use for validation,
+ * defaults to the time the endorsements were created.
+ */
+oe_result_t oe_verify_sgx_quote(
+    const uint8_t* quote,
+    size_t quote_size,
+    const uint8_t* endorsements,
+    size_t endorsements_size,
+    oe_datetime_t* input_validation_time);
+
+/*!
+ * Find the valid datetime range for the given quote and sgx endorsements.
+ * This function accounts for the following items:
  *
  * 1. From the quote:
  *          a) Root CA.
@@ -69,16 +71,14 @@ oe_result_t oe_get_quote_cert_chain_internal(
  *
  * @param[in] quote Input quote.
  * @param[in] quote_size The size of the quote.
- * @param[in] collaterals Collaterals related to the quote.
- * @param[in] collatterals_size The size of the collaterals.
+ * @param[in] sgx_endorsements SGX endorsements related to the quote.
  * @param[out] valid_from validity_from The date from which the quote is valid.
  * @param[out] valid_until validity_until The date which the quote expires.
  */
-oe_result_t oe_get_quote_validity_with_collaterals_internal(
+oe_result_t oe_get_sgx_quote_validity(
     const uint8_t* quote,
     const size_t quote_size,
-    const uint8_t* collaterals,
-    size_t collaterals_size,
+    const oe_sgx_endorsements_t* sgx_endorsements,
     oe_datetime_t* valid_from,
     oe_datetime_t* valid_until);
 
diff --git a/common/sgx/revocation.c b/common/sgx/revocation.c
index 4ee74e8cbf..0aeb0dd194 100644
--- a/common/sgx/revocation.c
+++ b/common/sgx/revocation.c
@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 #include "revocation.h"
+#include <openenclave/bits/attestation.h>
 #include <openenclave/bits/safecrt.h>
 #include <openenclave/bits/safemath.h>
 #include <openenclave/internal/calls.h>
@@ -285,7 +286,7 @@ oe_result_t oe_get_revocation_info_from_certs(
 
 oe_result_t oe_validate_revocation_list(
     oe_cert_t* pck_cert,
-    oe_get_revocation_info_args_t* revocation_args,
+    const oe_sgx_endorsements_t* sgx_endorsements,
     oe_datetime_t* validity_from,
     oe_datetime_t* validity_until)
 {
@@ -298,6 +299,7 @@ oe_result_t oe_validate_revocation_list(
     oe_parsed_tcb_info_t parsed_tcb_info = {0};
     oe_tcb_level_t platform_tcb_level = {{0}};
 
+    uint32_t version = 0;
     oe_crl_t crls[2] = {{{0}}};
     const oe_crl_t* crl_ptrs[2] = {&crls[0], &crls[1]};
     oe_datetime_t from = {0};
@@ -305,49 +307,71 @@ oe_result_t oe_validate_revocation_list(
     oe_datetime_t latest_from = {0};
     oe_datetime_t earliest_until = {0};
 
-    if (pck_cert == NULL || revocation_args == NULL)
+    if (pck_cert == NULL || sgx_endorsements == NULL)
         OE_RAISE(OE_INVALID_PARAMETER);
 
+    version =
+        *(uint32_t*)sgx_endorsements->items[OE_SGX_ENDORSEMENT_FIELD_VERSION]
+             .data;
+    if (version != OE_SGX_ENDORSEMENTS_VERSION)
+        OE_RAISE_MSG(
+            OE_INVALID_PARAMETER,
+            "SGX endorsement version is %d, expected %d",
+            version,
+            OE_SGX_ENDORSEMENTS_VERSION);
+
     OE_STATIC_ASSERT(
-        OE_COUNTOF(crl_issuer_chain) ==
-        OE_COUNTOF(revocation_args->crl_issuer_chain));
+        OE_COUNTOF(crl_issuer_chain) >= OE_SGX_ENDORSEMENTS_CRL_COUNT);
 
     OE_CHECK_MSG(
         _parse_sgx_extensions(pck_cert, &parsed_extension_info),
         "Failed to parse SGX extensions from leaf cert. %s",
         oe_result_str(result));
 
-    // Apply revocation info.
     OE_CHECK_MSG(
         oe_cert_chain_read_pem(
             &tcb_issuer_chain,
-            revocation_args->tcb_issuer_chain,
-            revocation_args->tcb_issuer_chain_size),
+            sgx_endorsements->items[OE_SGX_ENDORSEMENT_FIELD_TCB_ISSUER_CHAIN]
+                .data,
+            sgx_endorsements->items[OE_SGX_ENDORSEMENT_FIELD_TCB_ISSUER_CHAIN]
+                .size),
         "Failed to read TCB chain certificate. %s",
         oe_result_str(result));
 
     // Read CRLs for each cert other than root. If any CRL is missing, the read
     // will error out.
-    for (uint32_t i = 0; i < revocation_args->num_crl_urls; ++i)
+    for (uint32_t i = 0; i < OE_SGX_ENDORSEMENTS_CRL_COUNT; ++i)
     {
         OE_CHECK_MSG(
             oe_crl_read_der(
                 &crls[i],
-                revocation_args->crl[i],
-                revocation_args->crl_size[i]),
+                sgx_endorsements
+                    ->items[OE_SGX_ENDORSEMENT_FIELD_CRL_PCK_CERT + i]
+                    .data,
+                sgx_endorsements
+                    ->items[OE_SGX_ENDORSEMENT_FIELD_CRL_PCK_CERT + i]
+                    .size),
             "Failed to read CRL. %s",
             oe_result_str(result));
         OE_CHECK_MSG(
             oe_cert_chain_read_pem(
                 &crl_issuer_chain[i],
-                revocation_args->crl_issuer_chain[i],
-                revocation_args->crl_issuer_chain_size[i]),
+                sgx_endorsements
+                    ->items
+                        [OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_PCK_CERT + i]
+                    .data,
+                sgx_endorsements
+                    ->items
+                        [OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_PCK_CERT + i]
+                    .size),
             "Failed to read CRL cert chain. %s",
             oe_result_str(result));
         OE_TRACE_VERBOSE(
             "CRL certificate[%d]: \n[%s]\n",
             i,
-            revocation_args->crl_issuer_chain[i]);
+            (const char*)sgx_endorsements
+                ->items[OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_PCK_CERT + i]
+                .data);
     }
 
     // Verify the leaf cert.
@@ -382,8 +406,8 @@ oe_result_t oe_validate_revocation_list(
 
     OE_CHECK_MSG(
         oe_parse_tcb_info_json(
-            revocation_args->tcb_info,
-            revocation_args->tcb_info_size,
+            sgx_endorsements->items[OE_SGX_ENDORSEMENT_FIELD_TCB_INFO].data,
+            sgx_endorsements->items[OE_SGX_ENDORSEMENT_FIELD_TCB_INFO].size,
             &platform_tcb_level,
             &parsed_tcb_info),
         "Failed to parse TCB info. %s",
@@ -460,11 +484,11 @@ oe_result_t oe_validate_revocation_list(
     result = OE_OK;
 
 done:
-    for (int32_t i = (int32_t)revocation_args->num_crl_urls - 1; i >= 0; --i)
+    for (int32_t i = (int32_t)OE_SGX_ENDORSEMENTS_CRL_COUNT - 1; i >= 0; --i)
     {
         oe_crl_free(&crls[i]);
     }
-    for (uint32_t i = 0; i < revocation_args->num_crl_urls; ++i)
+    for (uint32_t i = 0; i < OE_SGX_ENDORSEMENTS_CRL_COUNT; ++i)
     {
         oe_cert_chain_free(&crl_issuer_chain[i]);
     }
diff --git a/common/sgx/revocation.h b/common/sgx/revocation.h
index a5e6275620..f2285ac330 100644
--- a/common/sgx/revocation.h
+++ b/common/sgx/revocation.h
@@ -9,6 +9,7 @@
 #include <openenclave/bits/types.h>
 #include <openenclave/internal/crypto/cert.h>
 #include <openenclave/internal/report.h>
+#include "endorsements.h"
 
 OE_EXTERNC_BEGIN
 
@@ -22,13 +23,13 @@ OE_EXTERNC_BEGIN
  * revocation info.
  *
  * @param[in] pck_cert The PCK certificate.
- * @param[in] revocation_args The revocation information.
+ * @param[in] sgx_endorsements The SGX endorsements.
  * @param[out] validity_from The date from which the revocation info is valid.
  * @param[out] validity_until The date which the revocation info expires.
  */
 oe_result_t oe_validate_revocation_list(
     oe_cert_t* pck_cert,
-    oe_get_revocation_info_args_t* revocation_args,
+    const oe_sgx_endorsements_t* sgx_endorsements,
     oe_datetime_t* validity_from,
     oe_datetime_t* validity_until);
 
diff --git a/common/sgx/tlsverifier.c b/common/sgx/tlsverifier.c
index 08943c2cd1..4531510c67 100644
--- a/common/sgx/tlsverifier.c
+++ b/common/sgx/tlsverifier.c
@@ -10,6 +10,7 @@
 #include <openenclave/internal/report.h>
 #include <openenclave/internal/utils.h>
 #include "../common/common.h"
+#include "quote.h"
 
 #define KEY_BUFF_SIZE 2048
 
@@ -127,7 +128,8 @@ oe_result_t oe_verify_attestation_certificate(
 #ifdef OE_BUILD_ENCLAVE
     result = oe_verify_report(report, report_size, &parsed_report);
 #else
-    result = oe_verify_remote_report(report, report_size, &parsed_report);
+    result =
+        oe_verify_remote_report(report, report_size, NULL, 0, &parsed_report);
 #endif
     OE_CHECK(result);
     OE_TRACE_VERBOSE("quote validation succeeded");
diff --git a/enclave/CMakeLists.txt b/enclave/CMakeLists.txt
index 4fd99f91f4..87988665df 100644
--- a/enclave/CMakeLists.txt
+++ b/enclave/CMakeLists.txt
@@ -6,7 +6,7 @@ add_subdirectory(crypto)
 
 if (OE_SGX)
     set(PLATFORM_SRC
-        ../common/sgx/collaterals.c
+        ../common/sgx/endorsements.c
         ../common/sgx/qeidentity.c
         ../common/sgx/quote.c
         ../common/sgx/report.c
diff --git a/enclave/core/CMakeLists.txt b/enclave/core/CMakeLists.txt
index cddf778dc3..00d9e8a268 100644
--- a/enclave/core/CMakeLists.txt
+++ b/enclave/core/CMakeLists.txt
@@ -50,7 +50,7 @@ set(MUSL_SRC_DIR ${PROJECT_SOURCE_DIR}/3rdparty/musl/musl/src)
 
 if (OE_SGX)
     list(APPEND PLATFORM_SRC
-        ../../common/sgx/collaterals.c
+        ../../common/sgx/endorsements.c
         sgx/backtrace.c
         sgx/calls.c
         sgx/cpuid.c
diff --git a/enclave/sgx/report.c b/enclave/sgx/report.c
index df1058e20a..a77c3f1f12 100644
--- a/enclave/sgx/report.c
+++ b/enclave/sgx/report.c
@@ -66,7 +66,7 @@ oe_result_t oe_verify_report(
 
     if (header->report_type == OE_REPORT_TYPE_SGX_REMOTE)
     {
-        OE_CHECK(oe_verify_quote_internal_with_collaterals(
+        OE_CHECK(oe_verify_sgx_quote(
             header->report, header->report_size, NULL, 0, NULL));
     }
     else if (header->report_type == OE_REPORT_TYPE_SGX_LOCAL)
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index e70aac4a0c..a2a607ce08 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -120,7 +120,7 @@ endif()
 # SGX specific files.
 if (OE_SGX)
   list(APPEND PLATFORM_HOST_ONLY_SRC
-    ../common/sgx/collaterals.c
+    ../common/sgx/endorsements.c
     ../common/sgx/qeidentity.c
     ../common/sgx/quote.c
     ../common/sgx/report.c
diff --git a/host/sgx/hostverify_report.c b/host/sgx/hostverify_report.c
index b487b1a18d..1d39542878 100644
--- a/host/sgx/hostverify_report.c
+++ b/host/sgx/hostverify_report.c
@@ -13,6 +13,8 @@
 oe_result_t oe_verify_remote_report(
     const uint8_t* report,
     size_t report_size,
+    const uint8_t* endorsement,
+    size_t endorsement_size,
     oe_report_t* parsed_report)
 {
     oe_result_t result = OE_UNEXPECTED;
@@ -36,8 +38,12 @@ oe_result_t oe_verify_remote_report(
         OE_RAISE(OE_UNSUPPORTED);
 
     // Quote attestation can be done entirely on the host side.
-    OE_CHECK(oe_verify_quote_internal_with_collaterals(
-        header->report, header->report_size, NULL, 0, NULL));
+    OE_CHECK(oe_verify_sgx_quote(
+        header->report,
+        header->report_size,
+        endorsement,
+        endorsement_size,
+        NULL));
 
     // Optionally return parsed report.
     if (parsed_report != NULL)
diff --git a/host/sgx/report.c b/host/sgx/report.c
index 65ab2a34d8..4b9cfbd4ff 100644
--- a/host/sgx/report.c
+++ b/host/sgx/report.c
@@ -297,7 +297,7 @@ oe_result_t oe_verify_report(
         OE_CHECK(oe_initialize_quote_provider());
 
         // Quote attestation can be done entirely on the host side.
-        OE_CHECK(oe_verify_quote_internal_with_collaterals(
+        OE_CHECK(oe_verify_sgx_quote(
             header->report, header->report_size, NULL, 0, NULL));
     }
     else if (header->report_type == OE_REPORT_TYPE_SGX_LOCAL)
diff --git a/include/openenclave/bits/attestation.h b/include/openenclave/bits/attestation.h
new file mode 100644
index 0000000000..2a277ecb48
--- /dev/null
+++ b/include/openenclave/bits/attestation.h
@@ -0,0 +1,96 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+/**
+ * @file attestation.h
+ *
+ * This file defines structures and options passed to attestation functions.
+ *
+ */
+#ifndef _OE_BITS_ATTESTATION_H
+#define _OE_BITS_ATTESTATION_H
+
+#include <openenclave/bits/defs.h>
+#include <openenclave/bits/types.h>
+
+/**
+ * Flags passed to oe_get_evidence() function.
+ */
+#define OE_EVIDENCE_FLAGS_LOCAL_ATTESTATION 0x00000000
+#define OE_EVIDENCE_FLAGS_REMOTE_ATTESTATION 0x00000001
+
+/*! Limit the size of the endorsements */
+#define OE_ATTESTATION_ENDORSEMENT_MAX_SIZE (20 * 1024)
+
+/*! Endorsement structure version */
+#define OE_ATTESTATION_ENDORSEMENT_VERSION (1)
+
+/*! \struct oe_endorsements_t
+ *
+ * \brief OE endorsements
+ *
+ * Raw generic serializable structure that contains the endorsements. All
+ * data should be in little endian format.
+ *
+ */
+typedef struct _oe_endorsements_t
+{
+    uint32_t version;      ///< Version of this structure
+    uint32_t enclave_type; ///< The type of enclave (oe_enclave_type_t)
+    uint32_t buffer_size;  ///< Size of the buffer
+    uint32_t num_elements; ///< Number of elements stored in the data buffer
+
+    /*! Data buffer is made of an offset array of type uint32_t, followed by
+     * the actual data.
+     * This array has the size of **num_elements** and stores the offset
+     * into the data section.
+     * _________________________
+     * |  version              |
+     * |-----------------------|
+     * |  enclave_type         |
+     * |-----------------------|
+     * |  buffer_size          |
+     * |-----------------------|
+     * |  num_elements         |
+     * |-----------------------|
+     * |  offsets              |
+     * |  (array of uint32_t   |
+     * |  with length of       |
+     * |  num_elements)        |
+     * |-----------------------|
+     * |  buffer (data)        |
+     * |_______________________|
+     */
+    uint8_t buffer[]; ///< Buffer of offsets + data
+
+} oe_endorsements_t;
+/**< typedef struct _oe_endorsements_t */
+
+/*! Version of the supported SGX endorsement structures */
+#define OE_SGX_ENDORSEMENTS_VERSION (1)
+
+/*! Number of CRLs in the SGX endorsements */
+#define OE_SGX_ENDORSEMENTS_CRL_COUNT (2)
+
+/*! \enum oe_sgx_endorsements_fields
+ *
+ * Specifies the order of the SGX endorsements fields stored in
+ * the oe_endorsements_t structure
+ */
+typedef enum _oe_sgx_endorsements_fields_t
+{
+    OE_SGX_ENDORSEMENT_FIELD_VERSION,
+    OE_SGX_ENDORSEMENT_FIELD_TCB_INFO,
+    OE_SGX_ENDORSEMENT_FIELD_TCB_ISSUER_CHAIN,
+    OE_SGX_ENDORSEMENT_FIELD_CRL_PCK_CERT,
+    OE_SGX_ENDORSEMENT_FIELD_CRL_PCK_PROC_CA,
+    OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_PCK_CERT,
+    OE_SGX_ENDORSEMENT_FIELD_CRL_ISSUER_CHAIN_PCK_PROC_CA,
+    OE_SGX_ENDORSEMENT_FIELD_QE_ID_INFO,
+    OE_SGX_ENDORSEMENT_FIELD_QE_ID_ISSUER_CHAIN,
+    OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME,
+    OE_SGX_ENDORSEMENT_COUNT
+
+} oe_sgx_endorsements_fields_t;
+
+#endif /* _OE_BITS_ATTESTATION_H */
diff --git a/include/openenclave/host_verify.h b/include/openenclave/host_verify.h
index 48e400f444..56ea1cdf94 100644
--- a/include/openenclave/host_verify.h
+++ b/include/openenclave/host_verify.h
@@ -40,6 +40,8 @@ OE_EXTERNC_BEGIN
 oe_result_t oe_verify_remote_report(
     const uint8_t* report,
     size_t report_size,
+    const uint8_t* endorsement,
+    size_t endorsement_size,
     oe_report_t* parsed_report);
 
 /**
diff --git a/include/openenclave/internal/report.h b/include/openenclave/internal/report.h
index 281e7fadfc..f2125cab15 100644
--- a/include/openenclave/internal/report.h
+++ b/include/openenclave/internal/report.h
@@ -47,57 +47,6 @@ typedef struct _oe_get_qe_identity_info_args
     uint8_t* host_out_buffer; /* out */
 } oe_get_qe_identity_info_args_t;
 
-/*
-**==============================================================================
-**
-** oe_collaterals_header_t
-**
-**==============================================================================
-*/
-typedef struct _oe_collaterals_header
-{
-    /** Size of the collaterals */
-    uint32_t collaterals_size;
-
-    /** Collaterals data **/
-    uint8_t collaterals[];
-
-} oe_collaterals_header_t;
-
-OE_STATIC_ASSERT(sizeof(oe_collaterals_header_t) == 4);
-
-/*
-**==============================================================================
-**
-** oe_collaterals_t
-**
-** Structure with the collateral contents.  The collaterals are used during
-** the verification of the oe_report_t.
-**
-**==============================================================================
-*/
-typedef struct _oe_collaterals
-{
-    oe_get_qe_identity_info_args_t qe_id_info;
-    oe_get_revocation_info_args_t revocation_info;
-
-    /* Time the collaterals were generated */
-    char creation_datetime[24];
-
-    uint64_t app_collaterals_size;
-    uint8_t app_collaterals[];
-
-} oe_collaterals_t;
-
-OE_STATIC_ASSERT(
-    OE_OFFSETOF(oe_collaterals_header_t, collaterals) ==
-    sizeof(oe_collaterals_header_t));
-
-#define OE_COLLATERALS_HEADER_SIZE (sizeof(oe_collaterals_header_t))
-#define OE_COLLATERALS_BODY_SIZE (sizeof(oe_collaterals_t))
-#define OE_COLLATERALS_SIZE \
-    (OE_COLLATERALS_HEADER_SIZE + OE_COLLATERALS_BODY_SIZE)
-
 /*
 **==============================================================================
 **
diff --git a/tests/attestation_plugin/plugin/mock_attester.h b/tests/attestation_plugin/plugin/mock_attester.h
index 4c94f345f6..ed19dded32 100644
--- a/tests/attestation_plugin/plugin/mock_attester.h
+++ b/tests/attestation_plugin/plugin/mock_attester.h
@@ -116,20 +116,21 @@ static inline oe_result_t mock_verify_evidence(
             return OE_VERIFY_FAILED;
     }
 
-    *claims = (oe_claim_t*)malloc(OE_KNOWN_CLAIMS_COUNT * sizeof(oe_claim_t));
+    *claims =
+        (oe_claim_t*)malloc(OE_REQUIRED_CLAIMS_COUNT * sizeof(oe_claim_t));
     if (*claims == NULL)
         return OE_OUT_OF_MEMORY;
 
-    for (int i = 0; i < OE_KNOWN_CLAIMS_COUNT; i++)
+    for (int i = 0; i < OE_REQUIRED_CLAIMS_COUNT; i++)
     {
-        (*claims)[i].name = (char*)(OE_KNOWN_CLAIMS[i]);
-        if (strcmp(OE_KNOWN_CLAIMS[i], "plugin_uuid") == 0)
+        (*claims)[i].name = (char*)(OE_REQUIRED_CLAIMS[i]);
+        if (strcmp(OE_REQUIRED_CLAIMS[i], OE_CLAIM_PLUGIN_UUID) == 0)
         {
             (*claims)[i].value = (uint8_t*)&context->base.format_id;
             (*claims)[i].value_size = sizeof(uuid_t);
         }
     }
-    *claims_length = OE_KNOWN_CLAIMS_COUNT;
+    *claims_length = OE_REQUIRED_CLAIMS_COUNT;
 
     return OE_OK;
 }
@@ -153,21 +154,21 @@ static inline oe_result_t mock_verify_evidence_bad(
     OE_UNUSED(policies);
     OE_UNUSED(policies_size);
 
-    *claims =
-        (oe_claim_t*)malloc((OE_KNOWN_CLAIMS_COUNT - 1) * sizeof(oe_claim_t));
+    *claims = (oe_claim_t*)malloc(
+        (OE_REQUIRED_CLAIMS_COUNT - 1) * sizeof(oe_claim_t));
     if (*claims == NULL)
         return OE_OUT_OF_MEMORY;
 
-    for (int i = 0; i < OE_KNOWN_CLAIMS_COUNT - 1; i++)
+    for (int i = 0; i < OE_REQUIRED_CLAIMS_COUNT - 1; i++)
     {
-        (*claims)[i].name = (char*)(OE_KNOWN_CLAIMS[i]);
-        if (strcmp(OE_KNOWN_CLAIMS[i], "plugin_uuid") == 0)
+        (*claims)[i].name = (char*)(OE_REQUIRED_CLAIMS[i]);
+        if (strcmp(OE_REQUIRED_CLAIMS[i], OE_CLAIM_PLUGIN_UUID) == 0)
         {
             (*claims)[i].value = (uint8_t*)&context->base.format_id;
             (*claims)[i].value_size = sizeof(uuid_t);
         }
     }
-    *claims_length = OE_KNOWN_CLAIMS_COUNT - 1;
+    *claims_length = OE_REQUIRED_CLAIMS_COUNT - 1;
 
     return OE_OK;
 }
diff --git a/tests/attestation_plugin/plugin/tests.c b/tests/attestation_plugin/plugin/tests.c
index 3ba0a6a8f6..82c22e9024 100644
--- a/tests/attestation_plugin/plugin/tests.c
+++ b/tests/attestation_plugin/plugin/tests.c
@@ -20,13 +20,13 @@
 
 static bool _check_claims(const oe_claim_t* claims, size_t claims_length)
 {
-    for (size_t i = 0; i < OE_KNOWN_CLAIMS_COUNT; i++)
+    for (size_t i = 0; i < OE_REQUIRED_CLAIMS_COUNT; i++)
     {
         bool found = false;
 
         for (size_t j = 0; j < claims_length && !found; j++)
         {
-            if (strcmp(OE_KNOWN_CLAIMS[i], claims[j].name) == 0)
+            if (strcmp(OE_REQUIRED_CLAIMS[i], claims[j].name) == 0)
             {
                 found = true;
             }
diff --git a/tests/host_verify/host/host.cpp b/tests/host_verify/host/host.cpp
index fb45124c82..14c52ff31a 100644
--- a/tests/host_verify/host/host.cpp
+++ b/tests/host_verify/host/host.cpp
@@ -114,70 +114,6 @@ static oe_result_t _verify_cert(const char* filename, bool pass)
     return oe_ret;
 }
 
-/**
- * Verify the integrity of the remote report and its signature,
- * with optional collateral data.
- *
- * This function verifies that the report signature is valid. It
- * verifies that the signing authority is rooted to a trusted authority
- * such as the enclave platform manufacturer.
- *
- * @param report The buffer containing the report to verify.
- * @param report_size The size of the **report** buffer.
- * @param collaterals The collateral data that is associated with the report.
- * @param collaterals_size The size of the **collaterals** buffer.
- * @param parsed_report Optional **oe_report_t** structure to populate
- * with the report properties in a standard format.
- *
- * @retval OE_OK The report was successfully verified.
- * @retval OE_INVALID_PARAMETER At least one parameter is invalid.
- *
- */
-static oe_result_t oe_verify_remote_report_with_collaterals(
-    const uint8_t* report,
-    size_t report_size,
-    const uint8_t* collaterals,
-    size_t collaterals_size,
-    oe_report_t* parsed_report)
-{
-    oe_result_t result = OE_UNEXPECTED;
-    oe_report_t oe_report = {0};
-    oe_report_header_t* header = (oe_report_header_t*)report;
-
-    if (report == NULL)
-        OE_RAISE(OE_INVALID_PARAMETER);
-
-    if (report_size == 0 || report_size > OE_MAX_REPORT_SIZE)
-        OE_RAISE(OE_INVALID_PARAMETER);
-
-    // The two host side attestation API's are oe_get_report and
-    // oe_verify_report. Initialize the quote provider in both these APIs.
-    OE_CHECK(oe_initialize_quote_provider());
-
-    // Ensure that the report is parseable before using the header.
-    OE_CHECK(oe_parse_report(report, report_size, &oe_report));
-
-    if (header->report_type != OE_REPORT_TYPE_SGX_REMOTE)
-        OE_RAISE(OE_UNSUPPORTED);
-
-    // Quote attestation can be done entirely on the host side.
-    OE_CHECK(oe_verify_quote_internal_with_collaterals(
-        header->report,
-        header->report_size,
-        collaterals,
-        collaterals_size,
-        NULL));
-
-    // Optionally return parsed report.
-    if (parsed_report != NULL)
-        OE_CHECK(oe_parse_report(report, report_size, parsed_report));
-
-    result = OE_OK;
-
-done:
-    return result;
-}
-
 static size_t _get_filesize(FILE* fp)
 {
     size_t size = 0;
@@ -219,26 +155,27 @@ static void _read_binary_file(
 
 static int _verify_report(
     const char* report_filename,
-    const char* collaterals_filename,
+    const char* endorsements_filename,
     bool pass)
 {
     int ret = -1;
     size_t report_file_size = 0;
-    size_t collaterals_file_size = 0;
+    size_t endorsements_file_size = 0;
     uint8_t* report_data = NULL;
-    uint8_t* collaterals_data = NULL;
+    uint8_t* endorsements_data = NULL;
     oe_result_t result = OE_FAILURE;
 
     OE_TRACE_INFO(
-        "\n\nVerifying report %s, collaterals: %s\n",
+        "\n\nVerifying report %s, endorsements: %s\n",
         report_filename,
-        collaterals_filename);
+        endorsements_filename);
 
     _read_binary_file(report_filename, &report_data, &report_file_size);
 
-    if (collaterals_filename == NULL)
+    if (endorsements_filename == NULL)
     {
-        result = oe_verify_remote_report(report_data, report_file_size, NULL);
+        result = oe_verify_remote_report(
+            report_data, report_file_size, NULL, 0, NULL);
         if (pass)
             OE_TEST(result == OE_OK);
         else
@@ -259,13 +196,13 @@ static int _verify_report(
     else
     {
         _read_binary_file(
-            collaterals_filename, &collaterals_data, &collaterals_file_size);
+            endorsements_filename, &endorsements_data, &endorsements_file_size);
 
-        result = oe_verify_remote_report_with_collaterals(
+        result = oe_verify_sgx_quote(
             report_data,
             report_file_size,
-            collaterals_data,
-            collaterals_file_size,
+            endorsements_data,
+            endorsements_file_size,
             NULL);
 
         if (pass)
@@ -280,7 +217,7 @@ static int _verify_report(
                 "Report %s and collateral %s verification failed as expected. "
                 "Failure %d(%s)\n",
                 report_filename,
-                collaterals_filename,
+                endorsements_filename,
                 result,
                 oe_result_str(result));
         }
@@ -291,8 +228,8 @@ static int _verify_report(
 
     if (report_data != NULL)
         free(report_data);
-    if (collaterals_data != NULL)
-        free(collaterals_data);
+    if (endorsements_data != NULL)
+        free(endorsements_data);
 
     return ret;
 }
diff --git a/tests/report/common/tests.cpp b/tests/report/common/tests.cpp
index c5b0f0898c..50f86ba844 100644
--- a/tests/report/common/tests.cpp
+++ b/tests/report/common/tests.cpp
@@ -11,7 +11,7 @@
 #include "../../../host/sgx/sgxquoteprovider.h"
 #endif
 #include "../../../common/oe_host_stdlib.h"
-#include "../../../common/sgx/collaterals.h"
+#include "../../../common/sgx/endorsements.h"
 #include "../../../common/sgx/qeidentity.h"
 #include "../../../common/sgx/quote.h"
 #include "../../../common/sgx/revocation.h"
@@ -97,7 +97,7 @@ oe_result_t oe_get_collaterals(
 #endif
 
     OE_CHECK_MSG(
-        oe_get_collaterals_internal(
+        oe_get_sgx_endorsements(
             header->report,
             header->report_size,
             collaterals_buffer,
@@ -178,7 +178,7 @@ static oe_result_t oe_verify_report_with_collaterals(
 #endif
 
         // Quote attestation can be done entirely on the host side.
-        OE_CHECK(oe_verify_quote_internal_with_collaterals(
+        OE_CHECK(oe_verify_sgx_quote(
             header->report,
             header->report_size,
             collaterals,
@@ -225,7 +225,7 @@ static oe_result_t oe_verify_report_with_collaterals(
  */
 static void oe_free_collaterals(uint8_t* collaterals_buffer)
 {
-    oe_free_collaterals_internal(collaterals_buffer);
+    oe_free_sgx_endorsements(collaterals_buffer);
 }
 
 /*!
@@ -248,29 +248,30 @@ static void oe_free_collaterals(uint8_t* collaterals_buffer)
  *
  * @param[in] report The buffer containing the report to verify.
  * @param[in] report_size The size of the **report** buffer.
- * @param[in] collaterals Collaterals related to the quote.
- * @param[in] collatterals_size The size of the collaterals.
+ * @param[in] endorsements Endorsements related to the quote.
+ * @param[in] endorsements_size The size of the endorsements.
  * @param[out] valid_from validity_from The date from which the quote is valid.
  * @param[out] valid_until validity_until The date which the quote expires.
  */
 static oe_result_t oe_get_quote_validity_with_collaterals(
     const uint8_t* report,
     const size_t report_size,
-    const uint8_t* collaterals,
-    size_t collaterals_size,
+    const uint8_t* endorsements,
+    size_t endorsements_size,
     oe_datetime_t* valid_from,
     oe_datetime_t* valid_until)
 {
     oe_result_t result = OE_UNEXPECTED;
     oe_report_t oe_report = {0};
     oe_report_header_t* header = (oe_report_header_t*)report;
+    oe_sgx_endorsements_t sgx_endorsements;
 
-    if (report == NULL || collaterals == NULL || valid_from == NULL ||
+    if (report == NULL || endorsements == NULL || valid_from == NULL ||
         valid_until == NULL)
         OE_RAISE(OE_INVALID_PARAMETER);
 
     if (report_size == 0 || report_size > OE_MAX_REPORT_SIZE ||
-        collaterals_size == 0)
+        endorsements_size == 0)
         OE_RAISE(OE_INVALID_PARAMETER);
 
     // Ensure that the report is parseable before using the header.
@@ -286,12 +287,19 @@ static oe_result_t oe_get_quote_validity_with_collaterals(
         OE_CHECK(oe_initialize_quote_provider());
 #endif
 
+        OE_CHECK_MSG(
+            oe_parse_sgx_endorsements(
+                (oe_endorsements_t*)endorsements,
+                endorsements_size,
+                &sgx_endorsements),
+            "Failed to parse SGX endorsements.",
+            oe_result_str(result));
+
         // Quote attestation can be done entirely on the host side.
-        OE_CHECK(oe_get_quote_validity_with_collaterals_internal(
+        OE_CHECK(oe_get_sgx_quote_validity(
             header->report,
             header->report_size,
-            collaterals,
-            collaterals_size,
+            &sgx_endorsements,
             valid_from,
             valid_until));
     }
diff --git a/tests/tools/oecert/host/host.cpp b/tests/tools/oecert/host/host.cpp
index a53daef79f..46c193af3e 100644
--- a/tests/tools/oecert/host/host.cpp
+++ b/tests/tools/oecert/host/host.cpp
@@ -10,14 +10,13 @@
 #include <string.h>
 #include "oecert_u.h"
 
-#include "../../../../common/sgx/collaterals.h"
+#include "../../../../common/sgx/endorsements.h"
 
 #ifdef OE_LINK_SGX_DCAP_QL
 
 #define INPUT_PARAM_OPTION_CERT "--cert"
 #define INPUT_PARAM_OPTION_REPORT "--report"
 #define INPUT_PARAM_OPTION_OUT_FILE "--out"
-#define INPUT_PARAM_OPTION_COLLATERALS "--collaterals"
 
 // Structure to store input parameters
 //
@@ -29,7 +28,6 @@ typedef struct _input_params
     const char* out_filename;
     bool gen_cert;
     bool gen_report;
-    bool gen_collaterals;
 } input_params_t;
 
 static input_params_t _params;
@@ -195,53 +193,45 @@ static oe_result_t _gen_report(
             }
         }
 
-        // Check if collaterals need to be generated
-        if (_params.gen_collaterals)
-        {
-            char collateral_filename[1024 + 1];
+        char collateral_filename[1024 + 1];
 
-            if (strlen(report_filename) < (1024 - 4))
+        if (strlen(report_filename) < (1024 - 4))
+        {
+            uint8_t* collaterals = NULL;
+            size_t collaterals_size = 0;
+            oe_report_header_t* header = (oe_report_header_t*)remote_report;
+
+            sprintf(collateral_filename, "%s.col", report_filename);
+            printf("Generatting collateral file: %s\n", collateral_filename);
+
+            result = oe_get_sgx_endorsements(
+                header->report,
+                header->report_size,
+                &collaterals,
+                &collaterals_size);
+            if (result != OE_OK)
             {
-                uint8_t* collaterals = NULL;
-                size_t collaterals_size = 0;
-                oe_report_header_t* header = (oe_report_header_t*)remote_report;
-
-                sprintf(collateral_filename, "%s.col", report_filename);
-                printf(
-                    "Generatting collateral file: %s\n", collateral_filename);
-
-                result = oe_get_collaterals_internal(
-                    header->report,
-                    header->report_size,
-                    &collaterals,
-                    &collaterals_size);
-                if (result != OE_OK)
-                {
-                    printf("ERROR: Failed to get collaterals\n");
-                    goto exit;
-                }
-
-                // TODO: Current collateral structure is not self contained.
-                // Needs to be updated to be serialisable.
-                //
-                FILE* col_fp = fopen(collateral_filename, "wb");
-                if (!col_fp)
-                {
-                    printf(
-                        "Failed to open collateral file %s\n",
-                        collateral_filename);
-                    result = OE_FAILURE;
-                    goto exit;
-                }
-                fwrite(collaterals, collaterals_size, 1, col_fp);
-                fclose(col_fp);
-                printf("collaterals_size = %zu\n", collaterals_size);
+                printf("Failed to create SGX endorsements.");
+                result = OE_FAILURE;
+                goto exit;
             }
-            else
+
+            FILE* col_fp = fopen(collateral_filename, "wb");
+            if (!col_fp)
             {
-                printf("ERROR: Report filename is too long.\n");
-                exit(1);
+                printf(
+                    "Failed to open collateral file %s\n", collateral_filename);
+                result = OE_FAILURE;
+                goto exit;
             }
+            fwrite(collaterals, collaterals_size, 1, col_fp);
+            fclose(col_fp);
+            printf("collaterals_size = %zu\n", collaterals_size);
+        }
+        else
+        {
+            printf("ERROR: Report filename is too long.\n");
+            exit(1);
         }
     }
     else
@@ -264,10 +254,7 @@ static void _display_help(const char* cmd)
         "\t%s PRIVKEY PUBKEY: generate der remote attestation certificate.\n",
         INPUT_PARAM_OPTION_CERT);
     printf(
-        "\t%s : generate binary enclave report.\n", INPUT_PARAM_OPTION_REPORT);
-    printf(
-        "\t%s : generate binary collaterals.  Valid only if %s is specified.\n",
-        INPUT_PARAM_OPTION_COLLATERALS,
+        "\t%s : generate binary enclave evidence and endorsements.\n",
         INPUT_PARAM_OPTION_REPORT);
     printf("\t%s : output filename.\n", INPUT_PARAM_OPTION_OUT_FILE);
 
@@ -340,11 +327,6 @@ static int _parse_args(int argc, const char* argv[])
                 return 1;
             }
         }
-        else if (strcmp(INPUT_PARAM_OPTION_COLLATERALS, argv[i]) == 0)
-        {
-            _params.gen_collaterals = true;
-            i += 1;
-        }
         else if (strcmp(INPUT_PARAM_OPTION_OUT_FILE, argv[i]) == 0)
         {
             if (argc >= i + 1)

From 0016d68c54a477e34bf7b54e2536e46f7cf35fe1 Mon Sep 17 00:00:00 2001
From: Akash Gupta <akagup@microsoft.com>
Date: Fri, 8 Nov 2019 16:16:52 +0000
Subject: [PATCH 298/420] Added SGX plugin implementation.

Signed-off-by: Akash Gupta <akagup@microsoft.com>
---
 common/attest_plugin.c                        |   2 +-
 common/sgx/verifier.c                         | 456 ++++++++++++++++++
 enclave/CMakeLists.txt                        |   2 +
 enclave/sgx/attester.c                        | 248 ++++++++++
 host/CMakeLists.txt                           |   1 +
 include/CMakeLists.txt                        |   4 +-
 .../plugin.h}                                 |   0
 .../openenclave/attestation/sgx/attester.h    |  40 ++
 .../openenclave/attestation/sgx/verifier.h    |  28 ++
 include/openenclave/bits/types.h              |  13 +
 include/openenclave/internal/datetime.h       |  11 -
 include/openenclave/internal/sgx/plugin.h     |  39 ++
 .../attestation_plugin/plugin/mock_attester.h |   2 +-
 tests/attestation_plugin/plugin/tests.c       |   2 +-
 14 files changed, 833 insertions(+), 15 deletions(-)
 create mode 100644 common/sgx/verifier.c
 create mode 100644 enclave/sgx/attester.c
 rename include/openenclave/{attestation_plugin.h => attestation/plugin.h} (100%)
 create mode 100644 include/openenclave/attestation/sgx/attester.h
 create mode 100644 include/openenclave/attestation/sgx/verifier.h
 create mode 100644 include/openenclave/internal/sgx/plugin.h

diff --git a/common/attest_plugin.c b/common/attest_plugin.c
index 39dfa75d6b..7339297043 100644
--- a/common/attest_plugin.c
+++ b/common/attest_plugin.c
@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-#include <openenclave/attestation_plugin.h>
+#include <openenclave/attestation/plugin.h>
 #include <openenclave/bits/defs.h>
 #include <openenclave/bits/safemath.h>
 #include <openenclave/internal/print.h>
diff --git a/common/sgx/verifier.c b/common/sgx/verifier.c
new file mode 100644
index 0000000000..88c5a4eb51
--- /dev/null
+++ b/common/sgx/verifier.c
@@ -0,0 +1,456 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <openenclave/attestation/plugin.h>
+#include <openenclave/attestation/sgx/verifier.h>
+#include <openenclave/bits/safemath.h>
+#include <openenclave/internal/raise.h>
+#include <openenclave/internal/report.h>
+#include <openenclave/internal/sgx/plugin.h>
+
+#include "../common.h"
+#include "endorsements.h"
+#include "quote.h"
+#ifndef OE_BUILD_ENCLAVE
+#include "../../host/sgx/sgxquoteprovider.h"
+#endif
+
+static oe_result_t _on_register(
+    oe_attestation_role_t* context,
+    const void* config_data,
+    size_t config_data_size)
+{
+    OE_UNUSED(context);
+    OE_UNUSED(config_data);
+    OE_UNUSED(config_data_size);
+
+#ifdef OE_BUILD_ENCLAVE
+    return OE_OK;
+#else
+    // Intialize the quote provider if we want to verify a remote quote.
+    // Note that we don't have the OE_LINK_SGX_DCAP_QL guard here since we
+    // don't need the sgx libraries to verify the quote. All we need is the
+    // quote provider.
+    return oe_initialize_quote_provider();
+#endif
+}
+
+static oe_result_t _on_unregister(oe_attestation_role_t* context)
+{
+    OE_UNUSED(context);
+    return OE_OK;
+}
+
+static void _free_claim(oe_claim_t* claim)
+{
+    oe_free(claim->name);
+    oe_free(claim->value);
+}
+
+static oe_result_t _free_claims_list(
+    oe_verifier_t* context,
+    oe_claim_t* claims,
+    size_t claims_length)
+{
+    OE_UNUSED(context);
+    if (!claims)
+        return OE_OK;
+
+    for (size_t i = 0; i < claims_length; i++)
+        _free_claim(&claims[i]);
+    oe_free(claims);
+    return OE_OK;
+}
+
+static oe_result_t _get_input_time(
+    const oe_policy_t* policies,
+    size_t policies_size,
+    oe_datetime_t** time)
+{
+    if (!policies)
+        return OE_OK;
+
+    for (size_t i = 0; i < policies_size; i++)
+    {
+        if (policies[i].type == OE_POLICY_ENDORSEMENTS_TIME)
+        {
+            if (policies[i].policy_size != sizeof(**time))
+                return OE_INVALID_PARAMETER;
+
+            *time = (oe_datetime_t*)policies[i].policy;
+            break;
+        }
+    }
+
+    return OE_OK;
+}
+
+static oe_result_t _verify_local_report(
+    const uint8_t* evidence_buffer,
+    size_t evidence_buffer_size)
+{
+    // Do a normal report verification on the enclave side.
+    // Local report verification is unsupported for host side.
+#ifdef OE_BUILD_ENCLAVE
+    return oe_verify_report(evidence_buffer, evidence_buffer_size, NULL);
+#else
+    OE_UNUSED(evidence_buffer);
+    OE_UNUSED(evidence_buffer_size);
+    return OE_UNSUPPORTED;
+#endif
+}
+
+static oe_result_t _add_claim(
+    oe_claim_t* claim,
+    void* name,
+    size_t name_size,
+    void* value,
+    size_t value_size)
+{
+    if (*((uint8_t*)name + name_size - 1) != '\0')
+        return OE_CONSTRAINT_FAILED;
+
+    claim->name = (char*)oe_malloc(name_size);
+    if (claim->name == NULL)
+        return OE_OUT_OF_MEMORY;
+    memcpy(claim->name, name, name_size);
+
+    claim->value_size = value_size;
+    claim->value = (uint8_t*)oe_malloc(claim->value_size);
+    if (claim->value == NULL)
+    {
+        oe_free(claim->name);
+        return OE_OUT_OF_MEMORY;
+    }
+    memcpy(claim->value, value, claim->value_size);
+
+    return OE_OK;
+}
+
+static oe_result_t _fill_with_known_claims(
+    const uint8_t* report,
+    size_t report_size,
+    const uint8_t* endorsements,
+    size_t endorsements_size,
+    oe_claim_t* claims,
+    size_t claims_length,
+    size_t* claims_added)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    oe_report_t parsed_report = {0};
+    oe_identity_t* id = &parsed_report.identity;
+    uuid_t plugin_id = OE_SGX_PLUGIN_UUID;
+    size_t claims_index = 0;
+    uint8_t* endorsements_local = NULL;
+    size_t endorsements_local_size = 0;
+
+    if (claims_length < OE_REQUIRED_CLAIMS_COUNT)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    OE_CHECK(oe_parse_report(report, report_size, &parsed_report));
+
+    if (parsed_report.type == OE_REPORT_TYPE_SGX_REMOTE &&
+        claims_length < OE_REQUIRED_CLAIMS_COUNT + OE_OPTIONAL_CLAIMS_COUNT)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    // ID version.
+    OE_CHECK(_add_claim(
+        &claims[claims_index++],
+        OE_CLAIM_ID_VERSION,
+        sizeof(OE_CLAIM_ID_VERSION),
+        &id->id_version,
+        sizeof(id->id_version)));
+
+    // Security version.
+    OE_CHECK(_add_claim(
+        &claims[claims_index++],
+        OE_CLAIM_SECURITY_VERSION,
+        sizeof(OE_CLAIM_SECURITY_VERSION),
+        &id->security_version,
+        sizeof(id->security_version)));
+
+    // Attributes.
+    OE_CHECK(_add_claim(
+        &claims[claims_index++],
+        OE_CLAIM_ATTRIBUTES,
+        sizeof(OE_CLAIM_ATTRIBUTES),
+        &id->attributes,
+        sizeof(id->attributes)));
+
+    // Unique ID
+    OE_CHECK(_add_claim(
+        &claims[claims_index++],
+        OE_CLAIM_UNIQUE_ID,
+        sizeof(OE_CLAIM_UNIQUE_ID),
+        &id->unique_id,
+        sizeof(id->unique_id)));
+
+    // Signer ID
+    OE_CHECK(_add_claim(
+        &claims[claims_index++],
+        OE_CLAIM_SIGNER_ID,
+        sizeof(OE_CLAIM_SIGNER_ID),
+        &id->signer_id,
+        sizeof(id->signer_id)));
+
+    // Product ID
+    OE_CHECK(_add_claim(
+        &claims[claims_index++],
+        OE_CLAIM_PRODUCT_ID,
+        sizeof(OE_CLAIM_PRODUCT_ID),
+        &id->product_id,
+        sizeof(id->product_id)));
+
+    // Plugin UUID
+    OE_CHECK(_add_claim(
+        &claims[claims_index++],
+        OE_CLAIM_PLUGIN_UUID,
+        sizeof(OE_CLAIM_PLUGIN_UUID),
+        &plugin_id,
+        sizeof(plugin_id)));
+
+    // Add the claims from the endorsements.
+    if (parsed_report.type == OE_REPORT_TYPE_SGX_REMOTE)
+    {
+        oe_sgx_endorsements_t sgx_endorsements;
+        oe_datetime_t valid_from;
+        oe_datetime_t valid_until;
+
+        // Get the endorsements if none were provided.
+        if (endorsements == NULL)
+        {
+            OE_CHECK(oe_get_sgx_endorsements(
+                parsed_report.enclave_report,
+                parsed_report.enclave_report_size,
+                &endorsements_local,
+                &endorsements_local_size));
+            endorsements = endorsements_local;
+            endorsements_size = endorsements_local_size;
+        }
+
+        OE_CHECK(oe_parse_sgx_endorsements(
+            (oe_endorsements_t*)endorsements,
+            endorsements_size,
+            &sgx_endorsements));
+
+        OE_CHECK(oe_get_sgx_quote_validity(
+            parsed_report.enclave_report,
+            parsed_report.enclave_report_size,
+            &sgx_endorsements,
+            &valid_from,
+            &valid_until));
+
+        OE_CHECK(_add_claim(
+            &claims[claims_index++],
+            OE_CLAIM_VALIDITY_FROM,
+            sizeof(OE_CLAIM_VALIDITY_FROM),
+            &valid_from,
+            sizeof(valid_from)));
+
+        OE_CHECK(_add_claim(
+            &claims[claims_index++],
+            OE_CLAIM_VALIDITY_UNTIL,
+            sizeof(OE_CLAIM_VALIDITY_UNTIL),
+            &valid_until,
+            sizeof(valid_until)));
+    }
+
+    *claims_added = claims_index;
+    result = OE_OK;
+
+done:
+    if (result != OE_OK)
+    {
+        for (size_t i = 0; i < claims_index; i++)
+            _free_claim(&claims[i]);
+    }
+    oe_free_sgx_endorsements(endorsements_local);
+    return result;
+}
+
+static oe_result_t _fill_with_custom_claims(
+    const uint8_t* claims_buf,
+    size_t claims_buf_size,
+    oe_claim_t* claims,
+    size_t claims_length)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    oe_sgx_plugin_claims_header_t* header =
+        (oe_sgx_plugin_claims_header_t*)claims_buf;
+    size_t claims_index = 0;
+
+    if (claims_length < header->num_claims)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    claims_buf += sizeof(*header);
+    claims_buf_size -= sizeof(*header);
+    for (uint64_t i = 0; i < header->num_claims; i++)
+    {
+        oe_sgx_plugin_claims_entry_t* entry =
+            (oe_sgx_plugin_claims_entry_t*)claims_buf;
+        uint64_t size;
+
+        // Sanity check sizes.
+        if (claims_buf_size < sizeof(*entry))
+            OE_RAISE(OE_CONSTRAINT_FAILED);
+
+        OE_CHECK(oe_safe_add_u64(sizeof(*entry), entry->name_size, &size));
+        OE_CHECK(oe_safe_add_u64(size, entry->value_size, &size));
+
+        if (claims_buf_size < size)
+            OE_RAISE(OE_CONSTRAINT_FAILED);
+
+        // Finally, add the claim.
+        OE_CHECK(_add_claim(
+            &claims[claims_index++],
+            entry->name,
+            entry->name_size,
+            entry->name + entry->name_size,
+            entry->value_size));
+
+        // Go to next entry.
+        claims_buf += size;
+        claims_buf_size -= size;
+    }
+
+    result = OE_OK;
+
+done:
+    if (result != OE_OK)
+    {
+        for (size_t i = 0; i < claims_index; i++)
+            _free_claim(&claims[i]);
+    }
+    return result;
+}
+
+static oe_result_t _extract_claims(
+    const uint8_t* evidence,
+    size_t evidence_size,
+    const uint8_t* endorsements,
+    size_t endorsements_size,
+    oe_claim_t** claims_out,
+    size_t* claims_length_out)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    oe_report_header_t* header = (oe_report_header_t*)evidence;
+    oe_sgx_plugin_claims_header_t* claims_header = NULL;
+    size_t report_size = sizeof(*header) + header->report_size;
+    oe_claim_t* claims = NULL;
+    uint64_t claims_length = 0;
+    uint64_t claims_size = 0;
+    size_t claims_added = 0;
+
+    // Check if the buffer is the proper size.
+    if (evidence_size - report_size < sizeof(*claims_header))
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    claims_header = (oe_sgx_plugin_claims_header_t*)(evidence + report_size);
+
+    // Get the number of claims we need and allocate the claims.
+    OE_CHECK(oe_safe_add_u64(
+        OE_REQUIRED_CLAIMS_COUNT, claims_header->num_claims, &claims_length));
+
+    if (header->report_type == OE_REPORT_TYPE_SGX_REMOTE)
+    {
+        OE_CHECK(oe_safe_add_u64(
+            claims_length, OE_OPTIONAL_CLAIMS_COUNT, &claims_length));
+    }
+
+    OE_CHECK(oe_safe_mul_u64(claims_length, sizeof(oe_claim_t), &claims_size));
+
+    claims = (oe_claim_t*)oe_malloc(claims_size);
+    if (claims == NULL)
+        OE_RAISE(OE_OUT_OF_MEMORY);
+
+    // Fill the list with the known claims.
+    OE_CHECK(_fill_with_known_claims(
+        evidence,
+        report_size,
+        endorsements,
+        endorsements_size,
+        claims,
+        claims_length,
+        &claims_added));
+
+    // Fill with the custom claims.
+    OE_CHECK(_fill_with_custom_claims(
+        evidence + report_size,
+        evidence_size - report_size,
+        claims + claims_added,
+        claims_length - claims_added));
+
+    *claims_out = claims;
+    *claims_length_out = claims_length;
+    claims = NULL;
+    result = OE_OK;
+
+done:
+    if (claims)
+        _free_claims_list(NULL, claims, claims_length);
+    return result;
+}
+
+static oe_result_t _verify_evidence(
+    oe_verifier_t* context,
+    const uint8_t* evidence_buffer,
+    size_t evidence_buffer_size,
+    const uint8_t* endorsements_buffer,
+    size_t endorsements_buffer_size,
+    const oe_policy_t* policies,
+    size_t policies_size,
+    oe_claim_t** claims,
+    size_t* claims_length)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    oe_report_header_t* header = (oe_report_header_t*)evidence_buffer;
+    oe_datetime_t* time = NULL;
+    OE_UNUSED(context);
+
+    if (!evidence_buffer || !claims || !claims_length ||
+        evidence_buffer_size < sizeof(*header) ||
+        evidence_buffer_size - sizeof(*header) < header->report_size)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    // Check the datetime policy if it exists.
+    OE_CHECK(_get_input_time(policies, policies_size, &time));
+
+    // Verify the report. Send the report size to just the oe report,
+    // not including the custom claims section.
+    if (header->report_type == OE_REPORT_TYPE_SGX_LOCAL)
+        OE_CHECK(_verify_local_report(
+            evidence_buffer, header->report_size + sizeof(oe_report_header_t)));
+    else
+        OE_CHECK(oe_verify_sgx_quote(
+            header->report,
+            header->report_size,
+            endorsements_buffer,
+            endorsements_buffer_size,
+            time));
+
+    // Last step is to return the required and custom claims.
+    OE_CHECK(_extract_claims(
+        evidence_buffer,
+        evidence_buffer_size,
+        endorsements_buffer,
+        endorsements_buffer_size,
+        claims,
+        claims_length));
+
+done:
+    return result;
+}
+
+static oe_verifier_t _verifier = {.base =
+                                      {
+                                          .format_id = OE_SGX_PLUGIN_UUID,
+                                          .on_register = &_on_register,
+                                          .on_unregister = &_on_unregister,
+                                      },
+                                  .verify_evidence = &_verify_evidence,
+                                  .free_claims_list = &_free_claims_list};
+
+oe_verifier_t* oe_sgx_plugin_verifier()
+{
+    return &_verifier;
+}
\ No newline at end of file
diff --git a/enclave/CMakeLists.txt b/enclave/CMakeLists.txt
index 87988665df..68ad3f203d 100644
--- a/enclave/CMakeLists.txt
+++ b/enclave/CMakeLists.txt
@@ -14,6 +14,8 @@ if (OE_SGX)
         ../common/sgx/sgxcertextensions.c
         ../common/sgx/tcbinfo.c
         ../common/sgx/tlsverifier.c
+        ../common/sgx/verifier.c
+        sgx/attester.c
         sgx/qeidinfo.c
         sgx/report.c
         sgx/revocationinfo.c
diff --git a/enclave/sgx/attester.c b/enclave/sgx/attester.c
new file mode 100644
index 0000000000..8229719956
--- /dev/null
+++ b/enclave/sgx/attester.c
@@ -0,0 +1,248 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <openenclave/attestation/plugin.h>
+#include <openenclave/attestation/sgx/attester.h>
+#include <openenclave/corelibc/stdlib.h>
+#include <openenclave/corelibc/string.h>
+#include <openenclave/enclave.h>
+#include <openenclave/internal/raise.h>
+#include <openenclave/internal/report.h>
+#include <openenclave/internal/sgx/plugin.h>
+
+#include <mbedtls/sha256.h>
+
+#include "../common/sgx/endorsements.h"
+
+static oe_result_t _on_register(
+    oe_attestation_role_t* context,
+    const void* config_data,
+    size_t config_data_size)
+{
+    OE_UNUSED(context);
+    OE_UNUSED(config_data);
+    OE_UNUSED(config_data_size);
+    return OE_OK;
+}
+
+static oe_result_t _on_unregister(oe_attestation_role_t* context)
+{
+    OE_UNUSED(context);
+    return OE_OK;
+}
+
+static size_t _get_claims_size(
+    const oe_claim_t* custom_claims,
+    size_t custom_claims_length)
+{
+    size_t size = sizeof(oe_sgx_plugin_claims_header_t);
+
+    if (!custom_claims)
+        return size;
+
+    for (size_t i = 0; i < custom_claims_length; i++)
+    {
+        size += sizeof(oe_sgx_plugin_claims_entry_t);
+        size += oe_strlen(custom_claims[i].name) + 1;
+        size += custom_claims[i].value_size;
+    }
+    return size;
+}
+
+static void _set_claims(
+    const oe_claim_t* custom_claims,
+    size_t custom_claims_length,
+    uint8_t* claims)
+{
+    // Custom claims structure would be:
+    //  - oe_sgx_plugin_claims_header_t
+    //  - N claim entries of oe_sgx_plugin_claims_entry_t
+    oe_sgx_plugin_claims_header_t* header =
+        (oe_sgx_plugin_claims_header_t*)claims;
+    header->version = OE_SGX_PLUGIN_CLAIMS_VERSION;
+    header->num_claims = custom_claims_length;
+    claims += sizeof(oe_sgx_plugin_claims_header_t);
+
+    if (!custom_claims)
+        return;
+
+    for (size_t i = 0; i < custom_claims_length; i++)
+    {
+        oe_sgx_plugin_claims_entry_t* entry =
+            (oe_sgx_plugin_claims_entry_t*)claims;
+        entry->name_size = oe_strlen(custom_claims[i].name) + 1;
+        entry->value_size = custom_claims[i].value_size;
+        memcpy(entry->name, custom_claims[i].name, entry->name_size);
+        memcpy(
+            entry->name + entry->name_size,
+            custom_claims[i].value,
+            entry->value_size);
+        claims += sizeof(*entry) + entry->name_size + entry->value_size;
+    }
+}
+
+static oe_result_t _serialize_claims(
+    const oe_claim_t* custom_claims,
+    size_t custom_claims_length,
+    uint8_t** claims_out,
+    size_t* claims_size_out,
+    OE_SHA256* hash_out)
+{
+    uint8_t* claims = NULL;
+    size_t claims_size = 0;
+    oe_sha256_context_t hash_ctx = {0};
+    oe_result_t result = OE_UNEXPECTED;
+
+    // Get claims size.
+    claims_size = _get_claims_size(custom_claims, custom_claims_length);
+
+    // Allocate memory and set the claims.
+    claims = (uint8_t*)oe_malloc(claims_size);
+    if (claims == NULL)
+        OE_RAISE(OE_OUT_OF_MEMORY);
+    _set_claims(custom_claims, custom_claims_length, claims);
+
+    // Produce a hash of the claims.
+    OE_CHECK(oe_sha256_init(&hash_ctx));
+    OE_CHECK(oe_sha256_update(&hash_ctx, claims, claims_size));
+    OE_CHECK(oe_sha256_final(&hash_ctx, hash_out));
+
+    *claims_out = claims;
+    *claims_size_out = claims_size;
+    claims = NULL;
+    result = OE_OK;
+
+done:
+    if (claims != NULL)
+        oe_free(claims);
+    return result;
+}
+
+static oe_result_t _get_evidence(
+    oe_attester_t* context,
+    uint32_t flags,
+    const oe_claim_t* custom_claims,
+    size_t custom_claims_length,
+    const void* opt_params,
+    size_t opt_params_size,
+    uint8_t** evidence_buffer,
+    size_t* evidence_buffer_size,
+    uint8_t** endorsements_buffer,
+    size_t* endorsements_buffer_size)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    uint8_t* claims = NULL;
+    size_t claims_size = 0;
+    OE_SHA256 hash;
+    uint8_t* report = NULL;
+    size_t report_size = 0;
+    uint8_t* evidence = NULL;
+    uint8_t* endorsements = NULL;
+    size_t endorsements_size = 0;
+    OE_UNUSED(context);
+
+    if (!evidence_buffer || !evidence_buffer_size ||
+        (endorsements_buffer && !endorsements_buffer_size))
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    // Endorsements are only for SGX remote attestation.
+    if (endorsements_buffer && flags != OE_REPORT_TYPE_SGX_REMOTE)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    // Serialize the claims.
+    OE_CHECK_MSG(
+        _serialize_claims(
+            custom_claims, custom_claims_length, &claims, &claims_size, &hash),
+        "SGX Plugin: Failed to serialize claims. %s",
+        oe_result_str(result));
+
+    // Get the report with the hash of the claims as the report data.
+    OE_CHECK_MSG(
+        oe_get_report(
+            flags,
+            opt_params,
+            opt_params_size,
+            hash.buf,
+            sizeof(hash.buf),
+            &report,
+            &report_size),
+        "SGX Plugin: Failed to get OE report. %s",
+        oe_result_str(result));
+
+    // Combine the two to get the evidence.
+    // Format is report first then claims.
+    evidence = (uint8_t*)oe_malloc(report_size + claims_size);
+    if (evidence == NULL)
+        OE_RAISE(OE_OUT_OF_MEMORY);
+
+    memcpy(evidence, report, report_size);
+    memcpy(evidence + report_size, claims, claims_size);
+
+    // Get the endorsements from the report if needed.
+    if (endorsements_buffer)
+    {
+        oe_report_header_t* header = (oe_report_header_t*)report;
+
+        OE_CHECK_MSG(
+            oe_get_sgx_endorsements(
+                header->report,
+                header->report_size,
+                &endorsements,
+                &endorsements_size),
+            "SGX Plugin: Failed to get endorsements: %s",
+            oe_result_str(result));
+    }
+
+    *evidence_buffer = evidence;
+    *evidence_buffer_size = report_size + claims_size;
+    evidence = NULL;
+    if (endorsements_buffer)
+    {
+        *endorsements_buffer = endorsements;
+        *endorsements_buffer_size = endorsements_size;
+        endorsements = NULL;
+    }
+    result = OE_OK;
+
+done:
+    oe_free(claims);
+    oe_free_report(report);
+    if (evidence != NULL)
+        oe_free(evidence);
+    if (endorsements != NULL)
+        oe_free_sgx_endorsements(endorsements);
+    return result;
+}
+
+static oe_result_t _free_evidence(
+    oe_attester_t* context,
+    uint8_t* evidence_buffer)
+{
+    OE_UNUSED(context);
+    oe_free(evidence_buffer);
+    return OE_OK;
+}
+
+static oe_result_t _free_endorsements(
+    oe_attester_t* context,
+    uint8_t* endorsements_buffer)
+{
+    OE_UNUSED(context);
+    oe_free_sgx_endorsements(endorsements_buffer);
+    return OE_OK;
+}
+
+static oe_attester_t _attester = {.base =
+                                      {
+                                          .format_id = OE_SGX_PLUGIN_UUID,
+                                          .on_register = &_on_register,
+                                          .on_unregister = &_on_unregister,
+                                      },
+                                  .get_evidence = &_get_evidence,
+                                  .free_evidence = &_free_evidence,
+                                  .free_endorsements = &_free_endorsements};
+
+oe_attester_t* oe_sgx_plugin_attester()
+{
+    return &_attester;
+}
\ No newline at end of file
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index a2a607ce08..72d062b18d 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -128,6 +128,7 @@ if (OE_SGX)
     ../common/sgx/sgxcertextensions.c
     ../common/sgx/tcbinfo.c
     ../common/sgx/tlsverifier.c
+    ../common/sgx/verifier.c
     sgx/hostverify_report.c
     sgx/sgxquoteprovider.c)
 
diff --git a/include/CMakeLists.txt b/include/CMakeLists.txt
index fe6317b514..585e2f851e 100644
--- a/include/CMakeLists.txt
+++ b/include/CMakeLists.txt
@@ -13,5 +13,7 @@ install(DIRECTORY openenclave/edger8r DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/op
 install(FILES openenclave/enclave.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/openenclave/)
 install(FILES openenclave/host.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/openenclave/)
 install(FILES openenclave/host_verify.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/openenclave/ COMPONENT OEHOSTVERIFY)
-install(FILES openenclave/attestation_plugin.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/openenclave/)
+install(FILES openenclave/attestation/plugin.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/openenclave/ COMPONENT OEHOSTVERIFY)
+install(FILES openenclave/attestation/sgx/attester.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/openenclave/)
+install(FILES openenclave/attestation/sgx/verifier.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/openenclave/ COMPONENT OEHOSTVERIFY)
 install(TARGETS oe_includes EXPORT openenclave-targets)
diff --git a/include/openenclave/attestation_plugin.h b/include/openenclave/attestation/plugin.h
similarity index 100%
rename from include/openenclave/attestation_plugin.h
rename to include/openenclave/attestation/plugin.h
diff --git a/include/openenclave/attestation/sgx/attester.h b/include/openenclave/attestation/sgx/attester.h
new file mode 100644
index 0000000000..19aab3345c
--- /dev/null
+++ b/include/openenclave/attestation/sgx/attester.h
@@ -0,0 +1,40 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+/**
+ * @file attester.h
+ *
+ * This file defines the API for getting the SGX attester.
+ *
+ */
+
+#ifndef _OE_ATTESTATION_SGX_ATTESTER_H
+#define _OE_ATTESTATION_SGX_ATTESTER_H
+
+#ifdef _OE_HOST_H
+#error "The sgx attester (sgx/attester.h) is only available for the enclave."
+#endif
+
+#include <openenclave/attestation/plugin.h>
+
+OE_EXTERNC_BEGIN
+
+/**
+ *  The `opt_params` field for `oe_get_evidence` identical to the `opt_params`
+ *  field `oe_get_report`. In other words, it is the output of
+ * `oe_get_target_info` for local attestation and is ignored for remote
+ *  attestation.
+ */
+typedef void* oe_sgx_plugin_opt_params;
+
+/**
+ * Helper function that returns the SGX attester that can then be sent to
+ * `oe_register_attester`.
+ *
+ * @retval A pointer to the SGX attester. This function never fails.
+ */
+oe_attester_t* oe_sgx_plugin_attester(void);
+
+OE_EXTERNC_END
+
+#endif /* _OE_ATTESTATION_SGX_ATTESTER_H */
\ No newline at end of file
diff --git a/include/openenclave/attestation/sgx/verifier.h b/include/openenclave/attestation/sgx/verifier.h
new file mode 100644
index 0000000000..54edc8d980
--- /dev/null
+++ b/include/openenclave/attestation/sgx/verifier.h
@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+/**
+ * @file verifier.h
+ *
+ * This file defines the API for getting the SGX verifier.
+ *
+ */
+
+#ifndef _OE_ATTESTATION_SGX_VERIFIER_H
+#define _OE_ATTESTATION_SGX_VERIFIER_H
+
+#include <openenclave/attestation/plugin.h>
+
+OE_EXTERNC_BEGIN
+
+/**
+ * Helper function that returns the SGX verifier that can then be sent to
+ * `oe_register_verifier`.
+ *
+ * @retval A pointer to the SGX verifier. This function never fails.
+ */
+oe_verifier_t* oe_sgx_plugin_verifier(void);
+
+OE_EXTERNC_END
+
+#endif /* _OE_ATTESTATION_SGX_ATTESTER_H */
\ No newline at end of file
diff --git a/include/openenclave/bits/types.h b/include/openenclave/bits/types.h
index 65054158fc..c807c56841 100644
--- a/include/openenclave/bits/types.h
+++ b/include/openenclave/bits/types.h
@@ -224,4 +224,17 @@ typedef struct _oe_asymmetric_key_params
     size_t user_data_size;
 } oe_asymmetric_key_params_t;
 
+/**
+ * This struct defines a datetime up to 1 second precision.
+ */
+typedef struct _oe_datetime
+{
+    uint32_t year;    /* format: 1970, 2018, 2020 */
+    uint32_t month;   /* range: 1-12 */
+    uint32_t day;     /* range: 1-31 */
+    uint32_t hours;   /* range: 0-23 */
+    uint32_t minutes; /* range: 0-59 */
+    uint32_t seconds; /* range: 0-59 */
+} oe_datetime_t;
+
 #endif /* _OE_BITS_TYPES_H */
diff --git a/include/openenclave/internal/datetime.h b/include/openenclave/internal/datetime.h
index d9e98c665b..730fa3d471 100644
--- a/include/openenclave/internal/datetime.h
+++ b/include/openenclave/internal/datetime.h
@@ -10,17 +10,6 @@
 
 OE_EXTERNC_BEGIN
 
-/* Date representation with 1 second precision */
-typedef struct _oe_datetime
-{
-    uint32_t year;    /* format: 1970, 2018, 2020 */
-    uint32_t month;   /* range: 1-12 */
-    uint32_t day;     /* range: 1-31 */
-    uint32_t hours;   /* range: 0-23 */
-    uint32_t minutes; /* range: 0-59 */
-    uint32_t seconds; /* range: 0-59 */
-} oe_datetime_t;
-
 // ISO 8601 format: YYYY-MM-DDThh:mm:ssZ
 #define OE_DATETIME_FORMAT ("YYYY-MM-DDThh:mm:ssZ")
 
diff --git a/include/openenclave/internal/sgx/plugin.h b/include/openenclave/internal/sgx/plugin.h
new file mode 100644
index 0000000000..6ac14b51ea
--- /dev/null
+++ b/include/openenclave/internal/sgx/plugin.h
@@ -0,0 +1,39 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#ifndef _OE_INTERNAL_SGX_PLUGIN
+#define _OE_INTERNAL_SGX_PLUGIN
+
+/**
+ * The SGX plugin UUID.
+ */
+#define OE_SGX_PLUGIN_UUID                                                \
+    {                                                                     \
+        0xa3, 0xa2, 0x1e, 0x87, 0x1b, 0x4d, 0x40, 0x14, 0xb7, 0x0a, 0xa1, \
+            0x25, 0xd2, 0xfb, 0xcd, 0x8c                                  \
+    }
+
+#define OE_SGX_PLUGIN_CLAIMS_VERSION 1
+
+/**
+ *  Serialized header for the custom claims.
+ */
+typedef struct _oe_sgx_plugin_claims_header
+{
+    uint64_t version;
+    uint64_t num_claims;
+} oe_sgx_plugin_claims_header_t;
+
+/**
+ * Serialzied entry for custom claims. Each entry will have the name and value
+ * sizes and then the contents of the name and value respectively.
+ */
+typedef struct _oe_sgx_plugin_claims_entry
+{
+    uint64_t name_size;
+    uint64_t value_size;
+    uint8_t name[]; // name_size bytes follow.
+    // uint8_t value[]; value_size_bytes follow.
+} oe_sgx_plugin_claims_entry_t;
+
+#endif // _OE_INTENRAL_SGX_PLUGIN
\ No newline at end of file
diff --git a/tests/attestation_plugin/plugin/mock_attester.h b/tests/attestation_plugin/plugin/mock_attester.h
index ed19dded32..35a75ae3d5 100644
--- a/tests/attestation_plugin/plugin/mock_attester.h
+++ b/tests/attestation_plugin/plugin/mock_attester.h
@@ -4,7 +4,7 @@
 #ifndef _OE_MOCK_ATTESTER_H
 #define _OE_MOCK_ATTESTER_H
 
-#include <openenclave/attestation_plugin.h>
+#include <openenclave/attestation/plugin.h>
 #include <string.h>
 
 #define MOCK_EVIDENCE "123"
diff --git a/tests/attestation_plugin/plugin/tests.c b/tests/attestation_plugin/plugin/tests.c
index 82c22e9024..ab77d7ca03 100644
--- a/tests/attestation_plugin/plugin/tests.c
+++ b/tests/attestation_plugin/plugin/tests.c
@@ -7,7 +7,7 @@
 #include <openenclave/host.h>
 #endif
 
-#include <openenclave/attestation_plugin.h>
+#include <openenclave/attestation/plugin.h>
 #include <openenclave/internal/error.h>
 #include <openenclave/internal/raise.h>
 #include <openenclave/internal/tests.h>

From b82dfce6e7eaba7d0bdaf0ecc080f6d0473e6fbd Mon Sep 17 00:00:00 2001
From: Akash Gupta <akagup@microsoft.com>
Date: Fri, 8 Nov 2019 21:07:31 +0000
Subject: [PATCH 299/420] Added test for SGX plugin.

Signed-off-by: Akash Gupta <akagup@microsoft.com>
---
 common/attest_plugin.c                  |   4 -
 common/sgx/verifier.c                   |  14 +-
 enclave/sgx/attester.c                  |  13 +-
 tests/attestation_plugin/enc/enc.c      | 116 ++++++++-
 tests/attestation_plugin/host/host.c    |  29 ++-
 tests/attestation_plugin/plugin.edl     |  15 +-
 tests/attestation_plugin/plugin/tests.c | 311 +++++++++++++++++++++++-
 tests/attestation_plugin/plugin/tests.h |  24 +-
 8 files changed, 501 insertions(+), 25 deletions(-)

diff --git a/common/attest_plugin.c b/common/attest_plugin.c
index 7339297043..3aab9d0437 100644
--- a/common/attest_plugin.c
+++ b/common/attest_plugin.c
@@ -12,10 +12,6 @@
 #include <stdio.h>
 #include <string.h>
 
-#ifndef OE_BUILD_ENCLAVE
-#include <pthread.h>
-#endif
-
 #include "common.h"
 
 /**
diff --git a/common/sgx/verifier.c b/common/sgx/verifier.c
index 88c5a4eb51..04900f2fc1 100644
--- a/common/sgx/verifier.c
+++ b/common/sgx/verifier.c
@@ -68,7 +68,10 @@ static oe_result_t _get_input_time(
     oe_datetime_t** time)
 {
     if (!policies)
+    {
+        *time = NULL;
         return OE_OK;
+    }
 
     for (size_t i = 0; i < policies_size; i++)
     {
@@ -215,13 +218,14 @@ static oe_result_t _fill_with_known_claims(
         oe_sgx_endorsements_t sgx_endorsements;
         oe_datetime_t valid_from;
         oe_datetime_t valid_until;
+        oe_report_header_t* header = (oe_report_header_t*)report;
 
         // Get the endorsements if none were provided.
         if (endorsements == NULL)
         {
             OE_CHECK(oe_get_sgx_endorsements(
-                parsed_report.enclave_report,
-                parsed_report.enclave_report_size,
+                header->report,
+                header->report_size,
                 &endorsements_local,
                 &endorsements_local_size));
             endorsements = endorsements_local;
@@ -234,8 +238,8 @@ static oe_result_t _fill_with_known_claims(
             &sgx_endorsements));
 
         OE_CHECK(oe_get_sgx_quote_validity(
-            parsed_report.enclave_report,
-            parsed_report.enclave_report_size,
+            header->report,
+            header->report_size,
             &sgx_endorsements,
             &valid_from,
             &valid_until));
@@ -437,6 +441,8 @@ static oe_result_t _verify_evidence(
         claims,
         claims_length));
 
+    result = OE_OK;
+
 done:
     return result;
 }
diff --git a/enclave/sgx/attester.c b/enclave/sgx/attester.c
index 8229719956..31bd5c5dbe 100644
--- a/enclave/sgx/attester.c
+++ b/enclave/sgx/attester.c
@@ -3,6 +3,7 @@
 
 #include <openenclave/attestation/plugin.h>
 #include <openenclave/attestation/sgx/attester.h>
+#include <openenclave/corelibc/stdio.h>
 #include <openenclave/corelibc/stdlib.h>
 #include <openenclave/corelibc/string.h>
 #include <openenclave/enclave.h>
@@ -60,7 +61,7 @@ static void _set_claims(
     oe_sgx_plugin_claims_header_t* header =
         (oe_sgx_plugin_claims_header_t*)claims;
     header->version = OE_SGX_PLUGIN_CLAIMS_VERSION;
-    header->num_claims = custom_claims_length;
+    header->num_claims = custom_claims ? custom_claims_length : 0;
     claims += sizeof(oe_sgx_plugin_claims_header_t);
 
     if (!custom_claims)
@@ -145,10 +146,6 @@ static oe_result_t _get_evidence(
         (endorsements_buffer && !endorsements_buffer_size))
         OE_RAISE(OE_INVALID_PARAMETER);
 
-    // Endorsements are only for SGX remote attestation.
-    if (endorsements_buffer && flags != OE_REPORT_TYPE_SGX_REMOTE)
-        OE_RAISE(OE_INVALID_PARAMETER);
-
     // Serialize the claims.
     OE_CHECK_MSG(
         _serialize_claims(
@@ -160,10 +157,10 @@ static oe_result_t _get_evidence(
     OE_CHECK_MSG(
         oe_get_report(
             flags,
-            opt_params,
-            opt_params_size,
             hash.buf,
             sizeof(hash.buf),
+            opt_params,
+            opt_params_size,
             &report,
             &report_size),
         "SGX Plugin: Failed to get OE report. %s",
@@ -179,7 +176,7 @@ static oe_result_t _get_evidence(
     memcpy(evidence + report_size, claims, claims_size);
 
     // Get the endorsements from the report if needed.
-    if (endorsements_buffer)
+    if (endorsements_buffer && flags == OE_REPORT_FLAGS_REMOTE_ATTESTATION)
     {
         oe_report_header_t* header = (oe_report_header_t*)report;
 
diff --git a/tests/attestation_plugin/enc/enc.c b/tests/attestation_plugin/enc/enc.c
index 58c5188f8c..cc5482f228 100644
--- a/tests/attestation_plugin/enc/enc.c
+++ b/tests/attestation_plugin/enc/enc.c
@@ -1,15 +1,127 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+#include <openenclave/attestation/sgx/attester.h>
+#include <openenclave/attestation/sgx/verifier.h>
 #include <openenclave/enclave.h>
+#include <openenclave/internal/report.h>
+#include <openenclave/internal/sgx/plugin.h>
 #include <openenclave/internal/tests.h>
+#include <stdio.h>
+#include <string.h>
 
+#include "../../../common/sgx/quote.h"
 #include "../plugin/tests.h"
 #include "plugin_t.h"
 
-void run_test()
+oe_attester_t* sgx_attest = NULL;
+
+void run_runtime_test()
+{
+    test_runtime();
+}
+
+void register_sgx()
+{
+    printf("====== running register_sgx\n");
+
+    sgx_attest = oe_sgx_plugin_attester();
+    OE_TEST(oe_register_attester(sgx_attest, NULL, 0) == OE_OK);
+    register_verifier();
+}
+
+void unregister_sgx()
+{
+    printf("====== running unregister_sgx\n");
+
+    OE_TEST(oe_unregister_attester(sgx_attest) == OE_OK);
+    sgx_attest = NULL;
+    unregister_verifier();
+}
+
+static void _test_sgx_remote()
+{
+    printf("====== running _test_sgx_remote\n");
+    uint8_t* evidence = NULL;
+    size_t evidence_size = 0;
+    uint8_t* endorsements = NULL;
+    size_t endorsements_size = 0;
+
+    // Get a remote attestation report.
+    printf("====== running _test_sgx_remote #1: Just evidence\n");
+    OE_TEST(
+        oe_get_evidence(
+            &sgx_attest->base.format_id,
+            OE_REPORT_FLAGS_REMOTE_ATTESTATION,
+            NULL,
+            0,
+            NULL,
+            0,
+            &evidence,
+            &evidence_size,
+            NULL,
+            0) == OE_OK);
+
+    verify_sgx_evidence(evidence, evidence_size, NULL, 0, NULL, 0);
+
+    OE_TEST(oe_free_evidence(evidence) == OE_OK);
+
+    // Get a remote report with endorsements.
+    printf("====== running _test_sgx_remote #2: + Endorsements\n");
+    OE_TEST(
+        oe_get_evidence(
+            &sgx_attest->base.format_id,
+            OE_REPORT_FLAGS_REMOTE_ATTESTATION,
+            NULL,
+            0,
+            NULL,
+            0,
+            &evidence,
+            &evidence_size,
+            &endorsements,
+            &endorsements_size) == OE_OK);
+
+    verify_sgx_evidence(
+        evidence, evidence_size, endorsements, endorsements_size, NULL, 0);
+
+    OE_TEST(oe_free_evidence(evidence) == OE_OK);
+    OE_TEST(oe_free_endorsements(endorsements) == OE_OK);
+
+    // Get a remote report with both.
+    printf("====== running _test_sgx_remote #3: + Claims\n");
+    OE_TEST(
+        oe_get_evidence(
+            &sgx_attest->base.format_id,
+            OE_REPORT_FLAGS_REMOTE_ATTESTATION,
+            test_claims,
+            NUM_TEST_CLAIMS,
+            NULL,
+            0,
+            &evidence,
+            &evidence_size,
+            &endorsements,
+            &endorsements_size) == OE_OK);
+
+    verify_sgx_evidence(
+        evidence,
+        evidence_size,
+        endorsements,
+        endorsements_size,
+        test_claims,
+        NUM_TEST_CLAIMS);
+
+    OE_TEST(
+        host_verify(evidence, evidence_size, endorsements, endorsements_size) ==
+        OE_OK);
+
+    OE_TEST(oe_free_evidence(evidence) == OE_OK);
+    OE_TEST(oe_free_endorsements(endorsements) == OE_OK);
+}
+
+void test_sgx()
 {
-    test_run_all();
+    printf("====== running test_sgx\n");
+    _test_sgx_remote();
 }
 
 OE_SET_ENCLAVE_SGX(
diff --git a/tests/attestation_plugin/host/host.c b/tests/attestation_plugin/host/host.c
index cc62892e80..7eecd9d4cb 100644
--- a/tests/attestation_plugin/host/host.c
+++ b/tests/attestation_plugin/host/host.c
@@ -8,6 +8,22 @@
 #include "../plugin/tests.h"
 #include "plugin_u.h"
 
+void host_verify(
+    uint8_t* evidence,
+    size_t evidence_size,
+    uint8_t* endorsements,
+    size_t endorsements_size)
+{
+    printf("====== running host_verify.\n");
+    verify_sgx_evidence(
+        evidence,
+        evidence_size,
+        endorsements,
+        endorsements_size,
+        test_claims,
+        NUM_TEST_CLAIMS);
+}
+
 int main(int argc, const char* argv[])
 {
     oe_result_t result;
@@ -19,6 +35,8 @@ int main(int argc, const char* argv[])
         exit(1);
     }
 
+    register_verifier();
+
     // Run test on the enclave.
     const uint32_t flags = oe_get_create_flags();
 
@@ -26,12 +44,17 @@ int main(int argc, const char* argv[])
         argv[1], OE_ENCLAVE_TYPE_AUTO, flags, NULL, 0, &enclave);
     OE_TEST(result == OE_OK);
 
-    run_test(enclave);
+    run_runtime_test(enclave);
+    register_sgx(enclave);
+    test_sgx(enclave);
+    unregister_sgx(enclave);
 
     OE_TEST(oe_terminate_enclave(enclave) == OE_OK);
 
-    // Run test on the host.
-    test_run_all();
+    // Run runtime test on the host.
+    test_runtime();
+
+    unregister_verifier();
 
     return 0;
 }
diff --git a/tests/attestation_plugin/plugin.edl b/tests/attestation_plugin/plugin.edl
index 57980a66e6..c2d0684b69 100644
--- a/tests/attestation_plugin/plugin.edl
+++ b/tests/attestation_plugin/plugin.edl
@@ -3,6 +3,17 @@
 
 enclave {
     trusted {
-        public void run_test();
+        public void run_runtime_test();
+        public void register_sgx();
+        public void unregister_sgx();
+        public void test_sgx();
     };
-};
+
+    untrusted {
+        void host_verify(
+            [in, size=evidence_size] uint8_t* evidence,
+            size_t evidence_size,
+            [in, size=endorsements_size] uint8_t* endorsements,
+            size_t endorsements_size);
+    };
+};
\ No newline at end of file
diff --git a/tests/attestation_plugin/plugin/tests.c b/tests/attestation_plugin/plugin/tests.c
index ab77d7ca03..dc7f9ac73d 100644
--- a/tests/attestation_plugin/plugin/tests.c
+++ b/tests/attestation_plugin/plugin/tests.c
@@ -8,16 +8,37 @@
 #endif
 
 #include <openenclave/attestation/plugin.h>
+#include <openenclave/attestation/sgx/verifier.h>
 #include <openenclave/internal/error.h>
 #include <openenclave/internal/raise.h>
+#include <openenclave/internal/report.h>
+#include <openenclave/internal/sgx/plugin.h>
 #include <openenclave/internal/tests.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
+#include "../../../common/sgx/quote.h"
 #include "mock_attester.h"
 #include "tests.h"
 
+oe_verifier_t* sgx_verify = NULL;
+
+typedef struct _header
+{
+    uint32_t version;
+    uuid_t format_id;
+    uint64_t data_size;
+    uint8_t data[];
+} header_t;
+
+oe_claim_t test_claims[2] = {{.name = CLAIM1_NAME,
+                              .value = (uint8_t*)CLAIM1_VALUE,
+                              .value_size = sizeof(CLAIM1_VALUE)},
+                             {.name = CLAIM2_NAME,
+                              .value = (uint8_t*)CLAIM2_VALUE,
+                              .value_size = sizeof(CLAIM2_VALUE)}};
+
 static bool _check_claims(const oe_claim_t* claims, size_t claims_length)
 {
     for (size_t i = 0; i < OE_REQUIRED_CLAIMS_COUNT; i++)
@@ -40,6 +61,7 @@ static bool _check_claims(const oe_claim_t* claims, size_t claims_length)
 
 static void _test_and_register_attester()
 {
+    printf("====== running _test_and_register_attester\n");
     OE_TEST(oe_register_attester(&mock_attester1, NULL, 0) == OE_OK);
     OE_TEST(
         oe_register_attester(&mock_attester1, NULL, 0) == OE_ALREADY_EXISTS);
@@ -52,6 +74,7 @@ static void _test_and_register_attester()
 
 static void _test_and_register_verifier()
 {
+    printf("====== running _test_and_register_verifier\n");
     OE_TEST(oe_register_verifier(&mock_verifier1, NULL, 0) == OE_OK);
     OE_TEST(
         oe_register_verifier(&mock_verifier1, NULL, 0) == OE_ALREADY_EXISTS);
@@ -64,6 +87,7 @@ static void _test_and_register_verifier()
 
 static void _test_and_unregister_attester()
 {
+    printf("====== running _test_and_unregister_attester\n");
     OE_TEST(oe_unregister_attester(&mock_attester1) == OE_OK);
     OE_TEST(oe_unregister_attester(&mock_attester1) == OE_NOT_FOUND);
     OE_TEST(oe_unregister_attester(&mock_attester2) == OE_OK);
@@ -73,6 +97,7 @@ static void _test_and_unregister_attester()
 
 static void _test_and_unregister_verifier()
 {
+    printf("====== running _test_and_unregister_verifier\n");
     OE_TEST(oe_unregister_verifier(&mock_verifier1) == OE_OK);
     OE_TEST(oe_unregister_verifier(&mock_verifier1) == OE_NOT_FOUND);
     OE_TEST(oe_unregister_verifier(&mock_verifier2) == OE_OK);
@@ -84,6 +109,8 @@ static void _test_evidence_success(
     const uuid_t* format_id,
     bool use_endorsements)
 {
+    printf("====== running _test_evidence_success\n");
+
     uint8_t* evidence = NULL;
     size_t evidence_size = 0;
     uint8_t* endorsements = NULL;
@@ -124,6 +151,8 @@ static void _test_evidence_success(
 
 static void _test_get_evidence_fail()
 {
+    printf("====== running _test_get_evidence_fail\n");
+
     uint8_t* evidence;
     size_t evidence_size;
 
@@ -148,6 +177,8 @@ static void _test_get_evidence_fail()
 
 static void _test_verify_evidence_fail()
 {
+    printf("====== running _test_verify_evidence_fail\n");
+
     uint8_t* evidence;
     size_t evidence_size;
     uint8_t* endorsements;
@@ -261,8 +292,10 @@ static void _test_verify_evidence_fail()
     OE_TEST(oe_free_endorsements(endorsements) == OE_OK);
 }
 
-void test_run_all()
+void test_runtime()
 {
+    printf("====== running test_runtime\n");
+
     // Test register functions.
     _test_and_register_attester();
     _test_and_register_verifier();
@@ -281,4 +314,280 @@ void test_run_all()
     // Test unregister functions
     _test_and_unregister_attester();
     _test_and_unregister_verifier();
+}
+
+void register_verifier()
+{
+    sgx_verify = oe_sgx_plugin_verifier();
+    OE_TEST(oe_register_verifier(sgx_verify, NULL, 0) == OE_OK);
+}
+
+void unregister_verifier()
+{
+    OE_TEST(oe_unregister_verifier(sgx_verify) == OE_OK);
+    sgx_verify = NULL;
+}
+
+static void* _find_claim(
+    const oe_claim_t* claims,
+    size_t claims_size,
+    const char* name)
+{
+    for (size_t i = 0; i < claims_size; i++)
+    {
+        if (strcmp(claims[i].name, name) == 0)
+            return claims[i].value;
+    }
+    return NULL;
+}
+
+static void _test_time(
+    const uint8_t* report,
+    const uint8_t* collaterals,
+    size_t collaterals_size,
+    oe_datetime_t* from,
+    oe_datetime_t* until)
+{
+    oe_datetime_t tmp;
+    oe_report_header_t* header = (oe_report_header_t*)report;
+
+    OE_TEST(
+        oe_verify_sgx_quote(
+            header->report,
+            header->report_size,
+            collaterals,
+            collaterals_size,
+            from) == OE_OK);
+
+    OE_TEST(
+        oe_verify_sgx_quote(
+            header->report,
+            header->report_size,
+            collaterals,
+            collaterals_size,
+            until) == OE_OK);
+
+    tmp = *from;
+    tmp.year--;
+    OE_TEST(
+        oe_verify_sgx_quote(
+            header->report,
+            header->report_size,
+            collaterals,
+            collaterals_size,
+            &tmp) == OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD);
+
+    tmp = *until;
+    tmp.year++;
+    OE_TEST(
+        oe_verify_sgx_quote(
+            header->report,
+            header->report_size,
+            collaterals,
+            collaterals_size,
+            &tmp) == OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD);
+}
+
+static void _test_time_policy(
+    const uint8_t* evidence,
+    size_t evidence_size,
+    const uint8_t* endorsements,
+    size_t endorsements_size,
+    oe_datetime_t* from,
+    oe_datetime_t* until)
+{
+    oe_policy_t policy;
+    oe_datetime_t dt;
+    oe_claim_t* claims;
+    size_t claims_size;
+
+    policy.type = OE_POLICY_ENDORSEMENTS_TIME;
+    policy.policy = (void*)&dt;
+    policy.policy_size = sizeof(dt);
+
+    dt = *from;
+    OE_TEST(
+        oe_verify_evidence(
+            evidence,
+            evidence_size,
+            endorsements,
+            endorsements_size,
+            &policy,
+            1,
+            &claims,
+            &claims_size) == OE_OK);
+    OE_TEST(oe_free_claims_list(claims, claims_size) == OE_OK);
+
+    dt = *until;
+    OE_TEST(
+        oe_verify_evidence(
+            evidence,
+            evidence_size,
+            endorsements,
+            endorsements_size,
+            &policy,
+            1,
+            &claims,
+            &claims_size) == OE_OK);
+    OE_TEST(oe_free_claims_list(claims, claims_size) == OE_OK);
+
+    dt = *from;
+    dt.year--;
+    OE_TEST(
+        oe_verify_evidence(
+            evidence,
+            evidence_size,
+            endorsements,
+            endorsements_size,
+            &policy,
+            1,
+            &claims,
+            &claims_size) == OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD);
+
+    dt = *until;
+    dt.year++;
+    OE_TEST(
+        oe_verify_evidence(
+            evidence,
+            evidence_size,
+            endorsements,
+            endorsements_size,
+            &policy,
+            1,
+            &claims,
+            &claims_size) == OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD);
+}
+
+void verify_sgx_evidence(
+    const uint8_t* evidence,
+    size_t evidence_size,
+    const uint8_t* endorsements,
+    size_t endorsements_size,
+    const oe_claim_t* custom_claims,
+    size_t custom_claims_size)
+{
+    printf("====== running verify_sgx_evidence\n");
+
+    header_t* header = (header_t*)evidence;
+    header_t* header_endorsements = (header_t*)endorsements;
+    oe_report_t report;
+    oe_claim_t* claims = NULL;
+    size_t claims_size = 0;
+    size_t extra_size = 0;
+    void* value;
+    void* from;
+    void* until;
+
+    // Try with no policies.
+    OE_TEST(
+        oe_verify_evidence(
+            evidence,
+            evidence_size,
+            endorsements,
+            endorsements_size,
+            NULL,
+            0,
+            &claims,
+            &claims_size) == OE_OK);
+
+    // Make sure that the identity info matches with the regular oe report.
+    // We need to remove the attestation header and the claims first.
+    extra_size = sizeof(oe_sgx_plugin_claims_header_t);
+    for (size_t i = 0; i < custom_claims_size; i++)
+    {
+        extra_size += sizeof(oe_sgx_plugin_claims_entry_t);
+        extra_size += strlen(custom_claims[i].name) + 1;
+        extra_size += custom_claims[i].value_size;
+    }
+
+    OE_TEST(
+        oe_parse_report(
+            header->data, header->data_size - extra_size, &report) == OE_OK);
+
+    // Check id version.
+    value = _find_claim(claims, claims_size, OE_CLAIM_ID_VERSION);
+    OE_TEST(value != NULL && *((uint32_t*)value) == report.identity.id_version);
+
+    // Check security version.
+    value = _find_claim(claims, claims_size, OE_CLAIM_SECURITY_VERSION);
+    OE_TEST(
+        value != NULL &&
+        *((uint32_t*)value) == report.identity.security_version);
+
+    // Check attributes
+    value = _find_claim(claims, claims_size, OE_CLAIM_ATTRIBUTES);
+    OE_TEST(value != NULL && *((uint64_t*)value) == report.identity.attributes);
+
+    // Check unique ID
+    value = _find_claim(claims, claims_size, OE_CLAIM_UNIQUE_ID);
+    OE_TEST(
+        value != NULL && memcmp(
+                             value,
+                             &report.identity.unique_id,
+                             sizeof(report.identity.unique_id)) == 0);
+
+    // Check signer ID
+    value = _find_claim(claims, claims_size, OE_CLAIM_SIGNER_ID);
+    OE_TEST(
+        value != NULL && memcmp(
+                             value,
+                             &report.identity.signer_id,
+                             sizeof(report.identity.signer_id)) == 0);
+
+    // Check product ID
+    value = _find_claim(claims, claims_size, OE_CLAIM_PRODUCT_ID);
+    OE_TEST(
+        value != NULL && memcmp(
+                             value,
+                             &report.identity.product_id,
+                             sizeof(report.identity.product_id)) == 0);
+
+    // Check UUID.
+    value = _find_claim(claims, claims_size, OE_CLAIM_PLUGIN_UUID);
+    OE_TEST(
+        value != NULL && memcmp(
+                             value,
+                             &sgx_verify->base.format_id,
+                             sizeof(sgx_verify->base.format_id)) == 0);
+
+    // Check date time.
+    from = _find_claim(claims, claims_size, OE_CLAIM_VALIDITY_FROM);
+    OE_TEST(from != NULL);
+
+    until = _find_claim(claims, claims_size, OE_CLAIM_VALIDITY_UNTIL);
+    OE_TEST(until != NULL);
+
+    if (endorsements)
+    {
+        _test_time(
+            header->data,
+            endorsements ? header_endorsements->data : NULL,
+            endorsements ? header_endorsements->data_size : 0,
+            (oe_datetime_t*)from,
+            (oe_datetime_t*)until);
+
+        _test_time_policy(
+            evidence,
+            evidence_size,
+            endorsements,
+            endorsements_size,
+            (oe_datetime_t*)from,
+            (oe_datetime_t*)until);
+    }
+
+    // Check custom claims.
+    if (custom_claims)
+    {
+        for (size_t i = 0; i < custom_claims_size; i++)
+        {
+            value = _find_claim(claims, claims_size, custom_claims[i].name);
+            OE_TEST(
+                value != NULL && memcmp(
+                                     custom_claims[i].value,
+                                     value,
+                                     custom_claims[i].value_size) == 0);
+        }
+    }
+
+    OE_TEST(oe_free_claims_list(claims, claims_size) == OE_OK);
 }
\ No newline at end of file
diff --git a/tests/attestation_plugin/plugin/tests.h b/tests/attestation_plugin/plugin/tests.h
index c701190f17..faa175f142 100644
--- a/tests/attestation_plugin/plugin/tests.h
+++ b/tests/attestation_plugin/plugin/tests.h
@@ -4,6 +4,28 @@
 #ifndef _OE_ATTESTATION_PLUGIN_TESTS
 #define _OE_ATTESTATION_PLUGIN_TESTS
 
-void test_run_all();
+#include <openenclave/attestation/plugin.h>
+
+#define CLAIM1_NAME "Hello"
+#define CLAIM1_VALUE "World!"
+#define CLAIM2_NAME "123"
+#define CLAIM2_VALUE "456"
+
+#define NUM_TEST_CLAIMS 2
+extern oe_claim_t test_claims[2];
+
+void test_runtime();
+
+void register_verifier();
+
+void unregister_verifier();
+
+void verify_sgx_evidence(
+    const uint8_t* evidence,
+    size_t evidence_size,
+    const uint8_t* endorsements,
+    size_t endorsements_size,
+    const oe_claim_t* custom_claims,
+    size_t custom_claims_size);
 
 #endif // _OE_ATTESTATION_PLUGIN_TESTS
\ No newline at end of file

From 0ac95d76310832a9b5deb3a1dec891bf69d050c4 Mon Sep 17 00:00:00 2001
From: Akash Gupta <akagup@microsoft.com>
Date: Wed, 13 Nov 2019 21:57:44 +0000
Subject: [PATCH 300/420] Fix CI breaks.

Signed-off-by: Akash Gupta <akagup@microsoft.com>
---
 common/attest_plugin.c                        | 34 +++++++++++++------
 common/sgx/endorsements.c                     |  2 +-
 common/sgx/endorsements.h                     |  2 +-
 common/sgx/verifier.c                         | 12 +++----
 enclave/sgx/attester.c                        |  4 +--
 include/openenclave/attestation/plugin.h      |  6 ++--
 .../openenclave/attestation/sgx/verifier.h    |  2 +-
 include/openenclave/bits/attestation.h        |  2 +-
 include/openenclave/bits/report.h             | 21 ++++--------
 include/openenclave/internal/sgx/plugin.h     |  4 ++-
 tests/attestation_plugin/CMakeLists.txt       |  2 +-
 tests/attestation_plugin/enc/CMakeLists.txt   |  2 +-
 tests/attestation_plugin/enc/enc.c            |  2 +-
 tests/attestation_plugin/host/CMakeLists.txt  |  2 +-
 tests/attestation_plugin/host/host.c          |  2 +-
 tests/attestation_plugin/plugin.edl           |  2 +-
 .../attestation_plugin/plugin/mock_attester.h | 18 +++++-----
 tests/attestation_plugin/plugin/tests.c       |  6 ++--
 tests/attestation_plugin/plugin/tests.h       |  2 +-
 19 files changed, 67 insertions(+), 60 deletions(-)

diff --git a/common/attest_plugin.c b/common/attest_plugin.c
index 3aab9d0437..758e8cf381 100644
--- a/common/attest_plugin.c
+++ b/common/attest_plugin.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/attestation/plugin.h>
@@ -14,6 +14,19 @@
 
 #include "common.h"
 
+const char* OE_REQUIRED_CLAIMS[OE_REQUIRED_CLAIMS_COUNT] = {
+    OE_CLAIM_ID_VERSION,
+    OE_CLAIM_SECURITY_VERSION,
+    OE_CLAIM_ATTRIBUTES,
+    OE_CLAIM_UNIQUE_ID,
+    OE_CLAIM_SIGNER_ID,
+    OE_CLAIM_PRODUCT_ID,
+    OE_CLAIM_PLUGIN_UUID};
+
+const char* OE_OPTIONAL_CLAIMS[OE_OPTIONAL_CLAIMS_COUNT] = {
+    OE_CLAIM_VALIDITY_FROM,
+    OE_CLAIM_VALIDITY_UNTIL};
+
 /**
  * Header that the OE runtime puts ontop of the attestation plugins.
  */
@@ -23,7 +36,7 @@ typedef struct _oe_attestation_header
     uint32_t version;
 
     /* UUID to identify format. */
-    uuid_t format_id;
+    oe_uuid_t format_id;
 
     /* Size of evidence/endorsements sent to the plugin. */
     uint64_t data_size;
@@ -51,7 +64,7 @@ struct plugin_list_node_t* verifiers = NULL;
 // will return NULL.
 static struct plugin_list_node_t* _find_plugin(
     struct plugin_list_node_t* head,
-    const uuid_t* target_format_id,
+    const oe_uuid_t* target_format_id,
     struct plugin_list_node_t** prev)
 {
     struct plugin_list_node_t* ret = NULL;
@@ -64,7 +77,8 @@ static struct plugin_list_node_t* _find_plugin(
     cur = head;
     while (cur)
     {
-        if (memcmp(&cur->plugin->format_id, target_format_id, sizeof(uuid_t)) ==
+        if (memcmp(
+                &cur->plugin->format_id, target_format_id, sizeof(oe_uuid_t)) ==
             0)
         {
             ret = cur;
@@ -185,7 +199,7 @@ oe_result_t oe_unregister_verifier(oe_verifier_t* plugin)
 }
 
 static oe_result_t _wrap_with_header(
-    const uuid_t* format_id,
+    const oe_uuid_t* format_id,
     const uint8_t* data,
     size_t data_size,
     uint8_t** total_data,
@@ -213,7 +227,7 @@ static oe_result_t _wrap_with_header(
 }
 
 oe_result_t oe_get_evidence(
-    const uuid_t* format_id,
+    const oe_uuid_t* format_id,
     uint32_t flags,
     const oe_claim_t* custom_claims,
     size_t custom_claims_length,
@@ -399,16 +413,16 @@ oe_result_t oe_verify_evidence(
 static oe_result_t _get_uuid(
     const oe_claim_t* claims,
     size_t claims_length,
-    uuid_t* uuid)
+    oe_uuid_t* uuid)
 {
     for (size_t i = 0; i < claims_length; i++)
     {
         if (oe_strcmp(claims[i].name, OE_CLAIM_PLUGIN_UUID) == 0)
         {
-            if (claims[i].value_size != sizeof(uuid_t))
+            if (claims[i].value_size != sizeof(oe_uuid_t))
                 return OE_CONSTRAINT_FAILED;
 
-            *uuid = *((uuid_t*)claims[i].value);
+            *uuid = *((oe_uuid_t*)claims[i].value);
             return OE_OK;
         }
     }
@@ -417,7 +431,7 @@ static oe_result_t _get_uuid(
 
 oe_result_t oe_free_claims_list(oe_claim_t* claims, size_t claims_length)
 {
-    uuid_t uuid;
+    oe_uuid_t uuid;
     oe_result_t result = OE_UNEXPECTED;
     struct plugin_list_node_t* plugin_node;
     oe_verifier_t* verifier;
diff --git a/common/sgx/endorsements.c b/common/sgx/endorsements.c
index b9b78bc986..fc9d0b58ca 100644
--- a/common/sgx/endorsements.c
+++ b/common/sgx/endorsements.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include "endorsements.h"
diff --git a/common/sgx/endorsements.h b/common/sgx/endorsements.h
index 4e7455f3a3..aa4f7b28c1 100644
--- a/common/sgx/endorsements.h
+++ b/common/sgx/endorsements.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_COMMON_OE_ENDORSEMENTS_H
diff --git a/common/sgx/verifier.c b/common/sgx/verifier.c
index 04900f2fc1..f8c55c6684 100644
--- a/common/sgx/verifier.c
+++ b/common/sgx/verifier.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/attestation/plugin.h>
@@ -142,17 +142,18 @@ static oe_result_t _fill_with_known_claims(
     oe_result_t result = OE_UNEXPECTED;
     oe_report_t parsed_report = {0};
     oe_identity_t* id = &parsed_report.identity;
-    uuid_t plugin_id = OE_SGX_PLUGIN_UUID;
+    oe_uuid_t plugin_id = {OE_SGX_PLUGIN_UUID};
     size_t claims_index = 0;
     uint8_t* endorsements_local = NULL;
     size_t endorsements_local_size = 0;
+    oe_report_header_t* header = (oe_report_header_t*)report;
 
     if (claims_length < OE_REQUIRED_CLAIMS_COUNT)
         OE_RAISE(OE_INVALID_PARAMETER);
 
     OE_CHECK(oe_parse_report(report, report_size, &parsed_report));
 
-    if (parsed_report.type == OE_REPORT_TYPE_SGX_REMOTE &&
+    if (header->report_type == OE_REPORT_TYPE_SGX_REMOTE &&
         claims_length < OE_REQUIRED_CLAIMS_COUNT + OE_OPTIONAL_CLAIMS_COUNT)
         OE_RAISE(OE_INVALID_PARAMETER);
 
@@ -213,12 +214,11 @@ static oe_result_t _fill_with_known_claims(
         sizeof(plugin_id)));
 
     // Add the claims from the endorsements.
-    if (parsed_report.type == OE_REPORT_TYPE_SGX_REMOTE)
+    if (header->report_type == OE_REPORT_TYPE_SGX_REMOTE)
     {
         oe_sgx_endorsements_t sgx_endorsements;
         oe_datetime_t valid_from;
         oe_datetime_t valid_until;
-        oe_report_header_t* header = (oe_report_header_t*)report;
 
         // Get the endorsements if none were provided.
         if (endorsements == NULL)
@@ -449,7 +449,7 @@ static oe_result_t _verify_evidence(
 
 static oe_verifier_t _verifier = {.base =
                                       {
-                                          .format_id = OE_SGX_PLUGIN_UUID,
+                                          .format_id = {OE_SGX_PLUGIN_UUID},
                                           .on_register = &_on_register,
                                           .on_unregister = &_on_unregister,
                                       },
diff --git a/enclave/sgx/attester.c b/enclave/sgx/attester.c
index 31bd5c5dbe..85faf0d01d 100644
--- a/enclave/sgx/attester.c
+++ b/enclave/sgx/attester.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/attestation/plugin.h>
@@ -231,7 +231,7 @@ static oe_result_t _free_endorsements(
 
 static oe_attester_t _attester = {.base =
                                       {
-                                          .format_id = OE_SGX_PLUGIN_UUID,
+                                          .format_id = {OE_SGX_PLUGIN_UUID},
                                           .on_register = &_on_register,
                                           .on_unregister = &_on_unregister,
                                       },
diff --git a/include/openenclave/attestation/plugin.h b/include/openenclave/attestation/plugin.h
index 6e5ffeb7d0..c5edeb8a29 100644
--- a/include/openenclave/attestation/plugin.h
+++ b/include/openenclave/attestation/plugin.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
@@ -32,7 +32,7 @@ struct _oe_attestation_role
     /**
      * The UUID for the attestation role.
      */
-    uuid_t format_id;
+    oe_uuid_t format_id;
 
     /**
      * The function that gets executed when the attestation role is registered.
@@ -321,7 +321,7 @@ oe_result_t oe_unregister_verifier(oe_verifier_t* plugin);
  * @retval Otherwise, returns the error code the plugin's function.
  */
 oe_result_t oe_get_evidence(
-    const uuid_t* evidence_format_uuid,
+    const oe_uuid_t* evidence_format_uuid,
     uint32_t flags,
     const oe_claim_t* custom_claims,
     size_t custom_claims_length,
diff --git a/include/openenclave/attestation/sgx/verifier.h b/include/openenclave/attestation/sgx/verifier.h
index 54edc8d980..ef0c9cd2b9 100644
--- a/include/openenclave/attestation/sgx/verifier.h
+++ b/include/openenclave/attestation/sgx/verifier.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/bits/attestation.h b/include/openenclave/bits/attestation.h
index 2a277ecb48..86aa996131 100644
--- a/include/openenclave/bits/attestation.h
+++ b/include/openenclave/bits/attestation.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/bits/report.h b/include/openenclave/bits/report.h
index df3bbf2da2..aac7722f67 100644
--- a/include/openenclave/bits/report.h
+++ b/include/openenclave/bits/report.h
@@ -139,15 +139,15 @@ typedef struct _oe_report
 /**
  * The size of a UUID in bytes.
  */
-#define UUID_SIZE 16
+#define OE_UUID_SIZE 16
 
 /**
  * Struct containing the definition for an UUID.
  */
-typedef struct
+typedef struct _oe_uuid_t
 {
-    uint8_t b[UUID_SIZE];
-} uuid_t;
+    uint8_t b[OE_UUID_SIZE];
+} oe_uuid_t;
 
 /**
  * Claims struct used for claims parameters for the attestation plugins.
@@ -170,14 +170,7 @@ typedef struct _oe_claim
 #define OE_CLAIM_PRODUCT_ID "product_id"
 #define OE_CLAIM_PLUGIN_UUID "plugin_uuid"
 #define OE_REQUIRED_CLAIMS_COUNT 7
-static const char* OE_REQUIRED_CLAIMS[OE_REQUIRED_CLAIMS_COUNT] = {
-    OE_CLAIM_ID_VERSION,
-    OE_CLAIM_SECURITY_VERSION,
-    OE_CLAIM_ATTRIBUTES,
-    OE_CLAIM_UNIQUE_ID,
-    OE_CLAIM_SIGNER_ID,
-    OE_CLAIM_PRODUCT_ID,
-    OE_CLAIM_PLUGIN_UUID};
+extern const char* OE_REQUIRED_CLAIMS[OE_REQUIRED_CLAIMS_COUNT];
 
 /**
  * Additional optional claims that are known to OE that plugins can output.
@@ -185,9 +178,7 @@ static const char* OE_REQUIRED_CLAIMS[OE_REQUIRED_CLAIMS_COUNT] = {
 #define OE_CLAIM_VALIDITY_FROM "validity_from"
 #define OE_CLAIM_VALIDITY_UNTIL "validity_until"
 #define OE_OPTIONAL_CLAIMS_COUNT 2
-static const char* OE_OPTIONAL_CLAIMS[OE_OPTIONAL_CLAIMS_COUNT] = {
-    OE_CLAIM_VALIDITY_FROM,
-    OE_CLAIM_VALIDITY_UNTIL};
+extern const char* OE_OPTIONAL_CLAIMS[OE_OPTIONAL_CLAIMS_COUNT];
 
 /**
  * Supported policies for validation by the verifier attestation plugin.
diff --git a/include/openenclave/internal/sgx/plugin.h b/include/openenclave/internal/sgx/plugin.h
index 6ac14b51ea..746a62d4eb 100644
--- a/include/openenclave/internal/sgx/plugin.h
+++ b/include/openenclave/internal/sgx/plugin.h
@@ -1,9 +1,11 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_INTERNAL_SGX_PLUGIN
 #define _OE_INTERNAL_SGX_PLUGIN
 
+#include <openenclave/bits/report.h>
+
 /**
  * The SGX plugin UUID.
  */
diff --git a/tests/attestation_plugin/CMakeLists.txt b/tests/attestation_plugin/CMakeLists.txt
index c5a952743a..f5d90c1678 100644
--- a/tests/attestation_plugin/CMakeLists.txt
+++ b/tests/attestation_plugin/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 add_subdirectory(host)
diff --git a/tests/attestation_plugin/enc/CMakeLists.txt b/tests/attestation_plugin/enc/CMakeLists.txt
index 445654d9f6..fd35c4db44 100644
--- a/tests/attestation_plugin/enc/CMakeLists.txt
+++ b/tests/attestation_plugin/enc/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 include(oeedl_file)
diff --git a/tests/attestation_plugin/enc/enc.c b/tests/attestation_plugin/enc/enc.c
index cc5482f228..edb099bf11 100644
--- a/tests/attestation_plugin/enc/enc.c
+++ b/tests/attestation_plugin/enc/enc.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/attestation/sgx/attester.h>
diff --git a/tests/attestation_plugin/host/CMakeLists.txt b/tests/attestation_plugin/host/CMakeLists.txt
index e2bf56f776..e8aafd7e05 100644
--- a/tests/attestation_plugin/host/CMakeLists.txt
+++ b/tests/attestation_plugin/host/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) Microsoft Corporation. All rights reserved.
+# Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
 include(oeedl_file)
diff --git a/tests/attestation_plugin/host/host.c b/tests/attestation_plugin/host/host.c
index 7eecd9d4cb..577a3abddc 100644
--- a/tests/attestation_plugin/host/host.c
+++ b/tests/attestation_plugin/host/host.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #include <openenclave/host.h>
diff --git a/tests/attestation_plugin/plugin.edl b/tests/attestation_plugin/plugin.edl
index c2d0684b69..e1976ba5e6 100644
--- a/tests/attestation_plugin/plugin.edl
+++ b/tests/attestation_plugin/plugin.edl
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 enclave {
diff --git a/tests/attestation_plugin/plugin/mock_attester.h b/tests/attestation_plugin/plugin/mock_attester.h
index 35a75ae3d5..1885066aa7 100644
--- a/tests/attestation_plugin/plugin/mock_attester.h
+++ b/tests/attestation_plugin/plugin/mock_attester.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_MOCK_ATTESTER_H
@@ -127,7 +127,7 @@ static inline oe_result_t mock_verify_evidence(
         if (strcmp(OE_REQUIRED_CLAIMS[i], OE_CLAIM_PLUGIN_UUID) == 0)
         {
             (*claims)[i].value = (uint8_t*)&context->base.format_id;
-            (*claims)[i].value_size = sizeof(uuid_t);
+            (*claims)[i].value_size = sizeof(oe_uuid_t);
         }
     }
     *claims_length = OE_REQUIRED_CLAIMS_COUNT;
@@ -165,7 +165,7 @@ static inline oe_result_t mock_verify_evidence_bad(
         if (strcmp(OE_REQUIRED_CLAIMS[i], OE_CLAIM_PLUGIN_UUID) == 0)
         {
             (*claims)[i].value = (uint8_t*)&context->base.format_id;
-            (*claims)[i].value_size = sizeof(uuid_t);
+            (*claims)[i].value_size = sizeof(oe_uuid_t);
         }
     }
     *claims_length = OE_REQUIRED_CLAIMS_COUNT - 1;
@@ -179,15 +179,15 @@ static inline oe_result_t mock_free_claims_list(
     size_t claims_length)
 {
     OE_UNUSED(context);
-    OE_UNUSED(claims);
     OE_UNUSED(claims_length);
+    free(claims);
     return OE_OK;
 }
 
 static oe_attester_t mock_attester1 = {
     .base =
         {
-            .format_id = OE_MOCK_ATTESTER_UUID1,
+            .format_id = {OE_MOCK_ATTESTER_UUID1},
             .on_register = &mock_attester_register,
             .on_unregister = &mock_attester_unregister,
         },
@@ -198,7 +198,7 @@ static oe_attester_t mock_attester1 = {
 static oe_verifier_t mock_verifier1 = {
     .base =
         {
-            .format_id = OE_MOCK_ATTESTER_UUID1,
+            .format_id = {OE_MOCK_ATTESTER_UUID1},
             .on_register = &mock_attester_register,
             .on_unregister = &mock_attester_unregister,
         },
@@ -209,7 +209,7 @@ static oe_verifier_t mock_verifier1 = {
 static oe_attester_t mock_attester2 = {
     .base =
         {
-            .format_id = OE_MOCK_ATTESTER_UUID2,
+            .format_id = {OE_MOCK_ATTESTER_UUID2},
             .on_register = &mock_attester_register,
             .on_unregister = &mock_attester_unregister,
         },
@@ -220,7 +220,7 @@ static oe_attester_t mock_attester2 = {
 static oe_verifier_t mock_verifier2 = {
     .base =
         {
-            .format_id = OE_MOCK_ATTESTER_UUID2,
+            .format_id = {OE_MOCK_ATTESTER_UUID2},
             .on_register = &mock_attester_register,
             .on_unregister = &mock_attester_unregister,
         },
@@ -230,7 +230,7 @@ static oe_verifier_t mock_verifier2 = {
 static oe_verifier_t bad_verifier = {
     .base =
         {
-            .format_id = OE_MOCK_ATTESTER_UUID1,
+            .format_id = {OE_MOCK_ATTESTER_UUID1},
             .on_register = &mock_attester_register,
             .on_unregister = &mock_attester_unregister,
         },
diff --git a/tests/attestation_plugin/plugin/tests.c b/tests/attestation_plugin/plugin/tests.c
index dc7f9ac73d..519ba751cc 100644
--- a/tests/attestation_plugin/plugin/tests.c
+++ b/tests/attestation_plugin/plugin/tests.c
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifdef OE_BUILD_ENCLAVE
@@ -27,7 +27,7 @@ oe_verifier_t* sgx_verify = NULL;
 typedef struct _header
 {
     uint32_t version;
-    uuid_t format_id;
+    oe_uuid_t format_id;
     uint64_t data_size;
     uint8_t data[];
 } header_t;
@@ -106,7 +106,7 @@ static void _test_and_unregister_verifier()
 }
 
 static void _test_evidence_success(
-    const uuid_t* format_id,
+    const oe_uuid_t* format_id,
     bool use_endorsements)
 {
     printf("====== running _test_evidence_success\n");
diff --git a/tests/attestation_plugin/plugin/tests.h b/tests/attestation_plugin/plugin/tests.h
index faa175f142..fb293d660c 100644
--- a/tests/attestation_plugin/plugin/tests.h
+++ b/tests/attestation_plugin/plugin/tests.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef _OE_ATTESTATION_PLUGIN_TESTS

From 363945f773f1a25ada60383ab7354e63d79295a3 Mon Sep 17 00:00:00 2001
From: Yen Lee <yenlee@microsoft.com>
Date: Sat, 16 Nov 2019 01:47:44 -0800
Subject: [PATCH 301/420] Added memcpy bounds fix to endorsements.

Signed-off-by: Yen Lee <yenlee@microsoft.com>
---
 common/sgx/endorsements.c | 33 +++++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/common/sgx/endorsements.c b/common/sgx/endorsements.c
index fc9d0b58ca..0d38995b22 100644
--- a/common/sgx/endorsements.c
+++ b/common/sgx/endorsements.c
@@ -36,6 +36,7 @@ static oe_result_t oe_create_sgx_endorsements(
     uint32_t offsets_size;
     uint32_t size;
     int i;
+    uint32_t remaining_size;
 
     OE_TRACE_INFO("Enter call %s\n", __FUNCTION__);
 
@@ -79,6 +80,8 @@ static oe_result_t oe_create_sgx_endorsements(
             "Out of memory while creating endorsements.",
             NULL);
 
+    remaining_size = size;
+
     // Record creation datetime.
     {
         oe_datetime_t datetime_now = {0};
@@ -145,32 +148,37 @@ static oe_result_t oe_create_sgx_endorsements(
     buffer = (uint8_t*)&buffer32[OE_SGX_ENDORSEMENT_COUNT];
     *((uint32_t*)buffer) = OE_SGX_ENDORSEMENTS_VERSION;
     buffer += sizeof(uint32_t);
+    remaining_size =
+        size - (uint32_t)((uint8_t*)buffer - (uint8_t*)endorsements);
 
     // Copy TCB Info
     OE_CHECK(oe_memcpy_s(
         buffer,
-        size,
+        remaining_size,
         revocation_info->tcb_info,
         revocation_info->tcb_info_size));
     buffer += revocation_info->tcb_info_size;
+    remaining_size -= (uint32_t)revocation_info->tcb_info_size;
 
     // Copy TCB Issuer Chain
     OE_CHECK(oe_memcpy_s(
         buffer,
-        size,
+        remaining_size,
         revocation_info->tcb_issuer_chain,
         revocation_info->tcb_issuer_chain_size));
     buffer += revocation_info->tcb_issuer_chain_size;
+    remaining_size -= (uint32_t)revocation_info->tcb_issuer_chain_size;
 
     // Copy CRLs
     for (i = 0; i < OE_SGX_ENDORSEMENTS_CRL_COUNT; i++)
     {
         OE_CHECK(oe_memcpy_s(
             buffer,
-            size,
+            remaining_size,
             revocation_info->crl[i],
             revocation_info->crl_size[i]));
         buffer += revocation_info->crl_size[i];
+        remaining_size -= (uint32_t)revocation_info->crl_size[i];
     }
 
     // Copy CRLs Issuer Chain
@@ -178,25 +186,34 @@ static oe_result_t oe_create_sgx_endorsements(
     {
         OE_CHECK(oe_memcpy_s(
             buffer,
-            size,
+            remaining_size,
             revocation_info->crl_issuer_chain[i],
             revocation_info->crl_issuer_chain_size[i]));
         buffer += revocation_info->crl_issuer_chain_size[i];
+        remaining_size -= (uint32_t)revocation_info->crl_issuer_chain_size[i];
     }
 
     // Copy QE ID Info
     OE_CHECK(oe_memcpy_s(
-        buffer, size, qe_id_info->qe_id_info, qe_id_info->qe_id_info_size));
+        buffer,
+        remaining_size,
+        qe_id_info->qe_id_info,
+        qe_id_info->qe_id_info_size));
     buffer += qe_id_info->qe_id_info_size;
+    remaining_size -= (uint32_t)qe_id_info->qe_id_info_size;
 
     // Copy QE ID Issue Chain
     OE_CHECK(oe_memcpy_s(
-        buffer, size, qe_id_info->issuer_chain, qe_id_info->issuer_chain_size));
+        buffer,
+        remaining_size,
+        qe_id_info->issuer_chain,
+        qe_id_info->issuer_chain_size));
     buffer += qe_id_info->issuer_chain_size;
+    remaining_size -= (uint32_t)qe_id_info->issuer_chain_size;
 
     // Copy creation datetime
-    OE_CHECK(
-        oe_memcpy_s(buffer, size, creation_datetime, CREATION_DATETIME_SIZE));
+    OE_CHECK(oe_memcpy_s(
+        buffer, remaining_size, creation_datetime, CREATION_DATETIME_SIZE));
     buffer += CREATION_DATETIME_SIZE;
 
     // Sanity check

From 8623fdc5c6554cf4589f5359966e50e9551d3742 Mon Sep 17 00:00:00 2001
From: Akash Gupta <akash-gupta@hotmail.com>
Date: Sat, 16 Nov 2019 02:57:26 -0800
Subject: [PATCH 302/420] Skip attestation plugin test in CI.

Signed-off-by: Akash Gupta <akash-gupta@hotmail.com>
---
 common/attest_plugin.c                        |  1 -
 .../openenclave/attestation/sgx/attester.h    |  2 +-
 include/openenclave/internal/report.h         |  5 ++
 tests/CMakeLists.txt                          |  2 +-
 tests/attestation_plugin/CMakeLists.txt       |  3 +-
 tests/attestation_plugin/host/host.c          | 65 +++++++++++++++++--
 6 files changed, 70 insertions(+), 8 deletions(-)

diff --git a/common/attest_plugin.c b/common/attest_plugin.c
index 758e8cf381..227b9e78e1 100644
--- a/common/attest_plugin.c
+++ b/common/attest_plugin.c
@@ -7,7 +7,6 @@
 #include <openenclave/internal/print.h>
 #include <openenclave/internal/raise.h>
 #include <openenclave/internal/report.h>
-#include <openenclave/internal/sgxtypes.h>
 #include <openenclave/internal/utils.h>
 #include <stdio.h>
 #include <string.h>
diff --git a/include/openenclave/attestation/sgx/attester.h b/include/openenclave/attestation/sgx/attester.h
index 19aab3345c..20dd5b47a8 100644
--- a/include/openenclave/attestation/sgx/attester.h
+++ b/include/openenclave/attestation/sgx/attester.h
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 /**
diff --git a/include/openenclave/internal/report.h b/include/openenclave/internal/report.h
index f2125cab15..327c38d527 100644
--- a/include/openenclave/internal/report.h
+++ b/include/openenclave/internal/report.h
@@ -4,8 +4,13 @@
 #ifndef _OE_INCLUDE_REPORT_H_
 #define _OE_INCLUDE_REPORT_H_
 
+#include <openenclave/bits/defs.h>
 #include <openenclave/bits/types.h>
+#include <openenclave/internal/defs.h>
+
+#if __x86_64__ || _M_X64
 #include <openenclave/internal/sgxtypes.h>
+#endif
 
 /*
 **==============================================================================
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index e15ad09d1c..a113e56644 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -35,6 +35,7 @@ if (UNIX OR ADD_WINDOWS_ENCLAVE_TESTS OR USE_CLANGW)
         # The following tests currently fail in Windows simulation mode
         if (NOT WIN32_SIMULATION)
             add_subdirectory(abortStatus)
+            add_subdirectory(attestation_plugin)
             add_subdirectory(cppException)
             add_subdirectory(ecall)
             add_subdirectory(file)
@@ -69,7 +70,6 @@ if (UNIX OR ADD_WINDOWS_ENCLAVE_TESTS OR USE_CLANGW)
         add_subdirectory(VectorException)
     endif()
 
-add_subdirectory(attestation_plugin)
 add_subdirectory(create-errors)
 add_subdirectory(crypto)
 add_subdirectory(hexdump)
diff --git a/tests/attestation_plugin/CMakeLists.txt b/tests/attestation_plugin/CMakeLists.txt
index f5d90c1678..3f40dc93e5 100644
--- a/tests/attestation_plugin/CMakeLists.txt
+++ b/tests/attestation_plugin/CMakeLists.txt
@@ -7,4 +7,5 @@ if (BUILD_ENCLAVES)
     add_subdirectory(enc)
 endif()
 
-add_enclave_test(tests/attestation_plugin plugin_host plugin_enc)
\ No newline at end of file
+add_enclave_test(tests/attestation_plugin plugin_host plugin_enc)
+set_tests_properties(tests/attestation_plugin PROPERTIES SKIP_RETURN_CODE 2)
diff --git a/tests/attestation_plugin/host/host.c b/tests/attestation_plugin/host/host.c
index 577a3abddc..ea9f19be5a 100644
--- a/tests/attestation_plugin/host/host.c
+++ b/tests/attestation_plugin/host/host.c
@@ -5,9 +5,16 @@
 #include <openenclave/internal/tests.h>
 #include <stdio.h>
 
+#if defined(_WIN32)
+#include <ShlObj.h>
+#include <Windows.h>
+#endif
+
 #include "../plugin/tests.h"
 #include "plugin_u.h"
 
+#define SKIP_RETURN_CODE 2
+
 void host_verify(
     uint8_t* evidence,
     size_t evidence_size,
@@ -26,6 +33,47 @@ void host_verify(
 
 int main(int argc, const char* argv[])
 {
+#ifdef OE_LINK_SGX_DCAP_QL
+
+#ifdef _WIN32
+    /* This is a workaround for running in Visual Studio 2017 Test Explorer
+     * where the environment variables are not correctly propagated to the
+     * test. This is resolved in Visual Studio 2019 */
+    WCHAR path[_MAX_PATH];
+
+    if (!GetEnvironmentVariableW(L"SystemRoot", path, _MAX_PATH))
+    {
+        if (GetLastError() != ERROR_ENVVAR_NOT_FOUND)
+            exit(1);
+
+        UINT path_length = GetSystemWindowsDirectoryW(path, _MAX_PATH);
+        if (path_length == 0 || path_length > _MAX_PATH)
+            exit(1);
+
+        if (SetEnvironmentVariableW(L"SystemRoot", path) == 0)
+            exit(1);
+    }
+
+    if (!GetEnvironmentVariableW(L"LOCALAPPDATA", path, _MAX_PATH))
+    {
+        if (GetLastError() != ERROR_ENVVAR_NOT_FOUND)
+            exit(1);
+
+        WCHAR* local_path = NULL;
+        if (SHGetKnownFolderPath(
+                &FOLDERID_LocalAppData, 0, NULL, &local_path) != S_OK)
+        {
+            exit(1);
+        }
+
+        BOOL success = SetEnvironmentVariableW(L"LOCALAPPDATA", local_path);
+        CoTaskMemFree(local_path);
+
+        if (!success)
+            exit(1);
+    }
+#endif
+
     oe_result_t result;
     oe_enclave_t* enclave = NULL;
 
@@ -35,10 +83,12 @@ int main(int argc, const char* argv[])
         exit(1);
     }
 
-    register_verifier();
-
-    // Run test on the enclave.
+    // Skip in simulation mode.
     const uint32_t flags = oe_get_create_flags();
+    if ((flags & OE_ENCLAVE_FLAG_SIMULATE) != 0)
+        return SKIP_RETURN_CODE;
+
+    register_verifier();
 
     result = oe_create_plugin_enclave(
         argv[1], OE_ENCLAVE_TYPE_AUTO, flags, NULL, 0, &enclave);
@@ -55,6 +105,13 @@ int main(int argc, const char* argv[])
     test_runtime();
 
     unregister_verifier();
-
     return 0;
+#else
+    // This test should not run on any platforms where HAS_QUOTE_PROVIDER is not
+    // defined.
+    OE_UNUSED(argc);
+    OE_UNUSED(argv);
+    printf("=== tests skipped when built with HAS_QUOTE_PROVIDER=OFF\n");
+    return SKIP_RETURN_CODE;
+#endif
 }

From 502d2008aec56822b773a962a6ec060598f01add Mon Sep 17 00:00:00 2001
From: Akash Gupta <akagup@microsoft.com>
Date: Tue, 19 Nov 2019 05:05:47 +0000
Subject: [PATCH 303/420] Optimized verify_evidence path and addressed
 feedback.

Signed-off-by: Akash Gupta <akagup@microsoft.com>
---
 common/attest_plugin.c                        |   5 +-
 common/sgx/endorsements.c                     |   2 +-
 common/sgx/quote.c                            | 138 ++++++++++--------
 common/sgx/quote.h                            |  24 ++-
 common/sgx/verifier.c                         | 134 +++++++++--------
 enclave/sgx/attester.c                        |   5 +-
 .../openenclave/attestation/sgx/attester.h    |   2 +-
 .../openenclave/attestation/sgx/verifier.h    |   2 +-
 include/openenclave/host_verify.h             |   4 +
 include/openenclave/internal/sgx/plugin.h     |   7 +-
 tests/attestation_plugin/plugin.edl           |   2 +-
 .../attestation_plugin/plugin/mock_attester.h |   5 +
 12 files changed, 188 insertions(+), 142 deletions(-)

diff --git a/common/attest_plugin.c b/common/attest_plugin.c
index 227b9e78e1..62beb33eb9 100644
--- a/common/attest_plugin.c
+++ b/common/attest_plugin.c
@@ -250,7 +250,8 @@ oe_result_t oe_get_evidence(
     size_t total_endorsements_size = 0;
 
     if (!format_id || !evidence_buffer || !evidence_buffer_size ||
-        (endorsements_buffer && !endorsements_buffer_size))
+        (endorsements_buffer && !endorsements_buffer_size) ||
+        (!endorsements_buffer && endorsements_buffer_size))
         OE_RAISE(OE_INVALID_PARAMETER);
 
     // Find a plugin for attestation type and run its get_evidence.
@@ -451,4 +452,4 @@ oe_result_t oe_free_claims_list(oe_claim_t* claims, size_t claims_length)
 
 done:
     return result;
-}
\ No newline at end of file
+}
diff --git a/common/sgx/endorsements.c b/common/sgx/endorsements.c
index 0d38995b22..0334d0f7a2 100644
--- a/common/sgx/endorsements.c
+++ b/common/sgx/endorsements.c
@@ -436,4 +436,4 @@ void oe_free_sgx_endorsements(uint8_t* endorsements_buffer)
     {
         oe_free(endorsements_buffer);
     }
-}
\ No newline at end of file
+}
diff --git a/common/sgx/quote.c b/common/sgx/quote.c
index 69ef6420d0..dd881c0ba3 100644
--- a/common/sgx/quote.c
+++ b/common/sgx/quote.c
@@ -431,12 +431,8 @@ oe_result_t oe_verify_sgx_quote(
     oe_datetime_t* input_validation_time)
 {
     oe_result_t result = OE_UNEXPECTED;
-
     uint8_t* local_endorsements = NULL;
     size_t local_endorsements_size = 0;
-    oe_datetime_t validity_from = {0};
-    oe_datetime_t validity_until = {0};
-    oe_datetime_t validation_time = {0};
     oe_sgx_endorsements_t sgx_endorsements;
 
     if (quote == NULL)
@@ -460,11 +456,6 @@ oe_result_t oe_verify_sgx_quote(
         endorsements_size = local_endorsements_size;
     }
 
-    OE_CHECK_MSG(
-        oe_verify_quote_internal(quote, quote_size),
-        "Failed to verify remote quote.",
-        NULL);
-
     OE_CHECK_MSG(
         oe_parse_sgx_endorsements(
             (oe_endorsements_t*)endorsements,
@@ -474,67 +465,90 @@ oe_result_t oe_verify_sgx_quote(
         oe_result_str(result));
 
     // Endorsements verification
+    OE_CHECK(oe_verify_quote_with_sgx_endorsements(
+        quote, quote_size, &sgx_endorsements, input_validation_time));
+
+    result = OE_OK;
+
+done:
+    if (local_endorsements)
+        oe_free_sgx_endorsements(local_endorsements);
+
+    return result;
+}
+
+oe_result_t oe_verify_quote_with_sgx_endorsements(
+    const uint8_t* quote,
+    size_t quote_size,
+    const oe_sgx_endorsements_t* sgx_endorsements,
+    oe_datetime_t* input_validation_time)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    oe_datetime_t validity_from = {0};
+    oe_datetime_t validity_until = {0};
+    oe_datetime_t validation_time = {0};
+
+    OE_CHECK_MSG(
+        oe_verify_quote_internal(quote, quote_size),
+        "Failed to verify remote quote.",
+        NULL);
+
+    OE_CHECK_MSG(
+        oe_get_sgx_quote_validity(
+            quote,
+            quote_size,
+            sgx_endorsements,
+            &validity_from,
+            &validity_until),
+        "Failed to validate quote. %s",
+        oe_result_str(result));
+
+    // Verify quote/endorsements for the given time.  Use endorsements
+    // creation time if one was not provided.
+    if (input_validation_time == NULL)
     {
         OE_CHECK_MSG(
-            oe_get_sgx_quote_validity(
-                quote,
-                quote_size,
-                &sgx_endorsements,
-                &validity_from,
-                &validity_until),
-            "Failed to validate quote. %s",
-            oe_result_str(result));
-
-        // Verify quote/endorsements for the given time.  Use endorsements
-        // creation time if one was not provided.
-        if (input_validation_time == NULL)
-        {
-            OE_CHECK_MSG(
-                oe_datetime_from_string(
-                    (const char*)sgx_endorsements
-                        .items[OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME]
-                        .data,
-                    sgx_endorsements
-                        .items[OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME]
-                        .size,
-                    &validation_time),
-                "Invalid creation time in endorsements: %s",
+            oe_datetime_from_string(
+                (const char*)(sgx_endorsements
+                                  ->items
+                                      [OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME]
+                                  .data),
                 sgx_endorsements
-                    .items[OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME]
-                    .data);
-        }
-        else
-        {
-            validation_time = *input_validation_time;
-        }
-
-        oe_datetime_log("Validation datetime: ", &validation_time);
-        if (oe_datetime_compare(&validation_time, &validity_from) < 0)
-        {
-            oe_datetime_log("Latests valid datetime: ", &validity_from);
-            OE_RAISE_MSG(
-                OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD,
-                "Time to validate quote is earlier than the "
-                "latest 'valid from' value.",
-                NULL);
-        }
-        if (oe_datetime_compare(&validation_time, &validity_until) > 0)
-        {
-            oe_datetime_log("Earliest expiration datetime: ", &validity_until);
-            OE_RAISE_MSG(
-                OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD,
-                "Time to validate quoteis later than the "
-                "earliest 'valid to' value.",
-                NULL);
-        }
+                    ->items[OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME]
+                    .size,
+                &validation_time),
+            "Invalid creation time in endorsements: %s",
+            sgx_endorsements->items[OE_SGX_ENDORSEMENT_FIELD_CREATION_DATETIME]
+                .data);
+    }
+    else
+    {
+        validation_time = *input_validation_time;
+    }
+
+    oe_datetime_log("Validation datetime: ", &validation_time);
+    if (oe_datetime_compare(&validation_time, &validity_from) < 0)
+    {
+        oe_datetime_log("Latests valid datetime: ", &validity_from);
+        OE_RAISE_MSG(
+            OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD,
+            "Time to validate quote is earlier than the "
+            "latest 'valid from' value.",
+            NULL);
+    }
+    if (oe_datetime_compare(&validation_time, &validity_until) > 0)
+    {
+        oe_datetime_log("Earliest expiration datetime: ", &validity_until);
+        OE_RAISE_MSG(
+            OE_VERIFY_FAILED_TO_FIND_VALIDITY_PERIOD,
+            "Time to validate quoteis later than the "
+            "earliest 'valid to' value.",
+            NULL);
     }
 
     result = OE_OK;
 
 done:
-    if (local_endorsements)
-        oe_free_sgx_endorsements(local_endorsements);
-
     return result;
 }
 
diff --git a/common/sgx/quote.h b/common/sgx/quote.h
index ff04933917..93ea059185 100644
--- a/common/sgx/quote.h
+++ b/common/sgx/quote.h
@@ -42,7 +42,10 @@ oe_result_t oe_get_quote_cert_chain_internal(
  * @param[in] endorsements Optional endorsements related to a remote quote.
  * @param[in] endorsements_size The size of the endorsements.
  * @param[in] input_validation_time Optional time to use for validation,
- * defaults to the time the endorsements were created.
+ * defaults to the time the endorsements were created if null. Note that
+ * if the input time is after than the endorsement creation time, then the
+ * CRLs might have updated in the period between the input time and the
+ * endorsement creation time.
  */
 oe_result_t oe_verify_sgx_quote(
     const uint8_t* quote,
@@ -51,6 +54,25 @@ oe_result_t oe_verify_sgx_quote(
     size_t endorsements_size,
     oe_datetime_t* input_validation_time);
 
+/*!
+ * Verify SGX quote and endorsements.
+ *
+ * @param[in] quote Input quote.
+ * @param[in] quote_size The size of the quote.
+ * @param[in] endorsements The endorsements in the format of
+ * the `oe_sgx_endorsements_t` struct.
+ * @param[in] input_validation_time Optional time to use for validation,
+ * defaults to the time the endorsements were created if null. Note that
+ * if the input time is after than the endorsement creation time, then the
+ * CRLs might have updated in the period between the input time and the
+ * endorsement creation time.
+ */
+oe_result_t oe_verify_quote_with_sgx_endorsements(
+    const uint8_t* quote,
+    size_t quote_size,
+    const oe_sgx_endorsements_t* endorsements,
+    oe_datetime_t* input_validation_time);
+
 /*!
  * Find the valid datetime range for the given quote and sgx endorsements.
  * This function accounts for the following items:
diff --git a/common/sgx/verifier.c b/common/sgx/verifier.c
index f8c55c6684..dc6b7ee69e 100644
--- a/common/sgx/verifier.c
+++ b/common/sgx/verifier.c
@@ -11,7 +11,7 @@
 #include "../common.h"
 #include "endorsements.h"
 #include "quote.h"
-#ifndef OE_BUILD_ENCLAVE
+#if defined(OE_LINK_SGX_DCAP_QL) && !defined(OE_BUILD_ENCLAVE)
 #include "../../host/sgx/sgxquoteprovider.h"
 #endif
 
@@ -24,13 +24,9 @@ static oe_result_t _on_register(
     OE_UNUSED(config_data);
     OE_UNUSED(config_data_size);
 
-#ifdef OE_BUILD_ENCLAVE
+#if defined(OE_BUILD_ENCLAVE) || !defined(OE_LINK_SGX_DCAP_QL)
     return OE_OK;
 #else
-    // Intialize the quote provider if we want to verify a remote quote.
-    // Note that we don't have the OE_LINK_SGX_DCAP_QL guard here since we
-    // don't need the sgx libraries to verify the quote. All we need is the
-    // quote provider.
     return oe_initialize_quote_provider();
 #endif
 }
@@ -85,6 +81,8 @@ static oe_result_t _get_input_time(
         }
     }
 
+    // Time not found, which is fine since it's an optional parameter.
+    *time = NULL;
     return OE_OK;
 }
 
@@ -118,14 +116,14 @@ static oe_result_t _add_claim(
         return OE_OUT_OF_MEMORY;
     memcpy(claim->name, name, name_size);
 
-    claim->value_size = value_size;
-    claim->value = (uint8_t*)oe_malloc(claim->value_size);
+    claim->value = (uint8_t*)oe_malloc(value_size);
     if (claim->value == NULL)
     {
         oe_free(claim->name);
         return OE_OUT_OF_MEMORY;
     }
-    memcpy(claim->value, value, claim->value_size);
+    memcpy(claim->value, value, value_size);
+    claim->value_size = value_size;
 
     return OE_OK;
 }
@@ -133,8 +131,7 @@ static oe_result_t _add_claim(
 static oe_result_t _fill_with_known_claims(
     const uint8_t* report,
     size_t report_size,
-    const uint8_t* endorsements,
-    size_t endorsements_size,
+    const oe_sgx_endorsements_t* sgx_endorsements,
     oe_claim_t* claims,
     size_t claims_length,
     size_t* claims_added)
@@ -144,9 +141,9 @@ static oe_result_t _fill_with_known_claims(
     oe_identity_t* id = &parsed_report.identity;
     oe_uuid_t plugin_id = {OE_SGX_PLUGIN_UUID};
     size_t claims_index = 0;
-    uint8_t* endorsements_local = NULL;
-    size_t endorsements_local_size = 0;
     oe_report_header_t* header = (oe_report_header_t*)report;
+    oe_datetime_t valid_from = {0};
+    oe_datetime_t valid_until = {0};
 
     if (claims_length < OE_REQUIRED_CLAIMS_COUNT)
         OE_RAISE(OE_INVALID_PARAMETER);
@@ -213,51 +210,29 @@ static oe_result_t _fill_with_known_claims(
         &plugin_id,
         sizeof(plugin_id)));
 
-    // Add the claims from the endorsements.
-    if (header->report_type == OE_REPORT_TYPE_SGX_REMOTE)
-    {
-        oe_sgx_endorsements_t sgx_endorsements;
-        oe_datetime_t valid_from;
-        oe_datetime_t valid_until;
+    // Get quote validity periods to get validity from and until claims.
+    OE_CHECK(oe_get_sgx_quote_validity(
+        header->report,
+        header->report_size,
+        sgx_endorsements,
+        &valid_from,
+        &valid_until));
 
-        // Get the endorsements if none were provided.
-        if (endorsements == NULL)
-        {
-            OE_CHECK(oe_get_sgx_endorsements(
-                header->report,
-                header->report_size,
-                &endorsements_local,
-                &endorsements_local_size));
-            endorsements = endorsements_local;
-            endorsements_size = endorsements_local_size;
-        }
-
-        OE_CHECK(oe_parse_sgx_endorsements(
-            (oe_endorsements_t*)endorsements,
-            endorsements_size,
-            &sgx_endorsements));
-
-        OE_CHECK(oe_get_sgx_quote_validity(
-            header->report,
-            header->report_size,
-            &sgx_endorsements,
-            &valid_from,
-            &valid_until));
-
-        OE_CHECK(_add_claim(
-            &claims[claims_index++],
-            OE_CLAIM_VALIDITY_FROM,
-            sizeof(OE_CLAIM_VALIDITY_FROM),
-            &valid_from,
-            sizeof(valid_from)));
+    // Validity from.
+    OE_CHECK(_add_claim(
+        &claims[claims_index++],
+        OE_CLAIM_VALIDITY_FROM,
+        sizeof(OE_CLAIM_VALIDITY_FROM),
+        &valid_from,
+        sizeof(valid_from)));
 
-        OE_CHECK(_add_claim(
-            &claims[claims_index++],
-            OE_CLAIM_VALIDITY_UNTIL,
-            sizeof(OE_CLAIM_VALIDITY_UNTIL),
-            &valid_until,
-            sizeof(valid_until)));
-    }
+    // Validity to.
+    OE_CHECK(_add_claim(
+        &claims[claims_index++],
+        OE_CLAIM_VALIDITY_UNTIL,
+        sizeof(OE_CLAIM_VALIDITY_UNTIL),
+        &valid_until,
+        sizeof(valid_until)));
 
     *claims_added = claims_index;
     result = OE_OK;
@@ -268,7 +243,6 @@ static oe_result_t _fill_with_known_claims(
         for (size_t i = 0; i < claims_index; i++)
             _free_claim(&claims[i]);
     }
-    oe_free_sgx_endorsements(endorsements_local);
     return result;
 }
 
@@ -331,8 +305,7 @@ static oe_result_t _fill_with_custom_claims(
 static oe_result_t _extract_claims(
     const uint8_t* evidence,
     size_t evidence_size,
-    const uint8_t* endorsements,
-    size_t endorsements_size,
+    const oe_sgx_endorsements_t* sgx_endorsements,
     oe_claim_t** claims_out,
     size_t* claims_length_out)
 {
@@ -371,8 +344,7 @@ static oe_result_t _extract_claims(
     OE_CHECK(_fill_with_known_claims(
         evidence,
         report_size,
-        endorsements,
-        endorsements_size,
+        sgx_endorsements,
         claims,
         claims_length,
         &claims_added));
@@ -409,6 +381,9 @@ static oe_result_t _verify_evidence(
     oe_result_t result = OE_UNEXPECTED;
     oe_report_header_t* header = (oe_report_header_t*)evidence_buffer;
     oe_datetime_t* time = NULL;
+    uint8_t* local_endorsements_buffer = NULL;
+    size_t local_endorsements_buffer_size = 0;
+    oe_sgx_endorsements_t sgx_endorsements;
     OE_UNUSED(context);
 
     if (!evidence_buffer || !claims || !claims_length ||
@@ -422,28 +397,49 @@ static oe_result_t _verify_evidence(
     // Verify the report. Send the report size to just the oe report,
     // not including the custom claims section.
     if (header->report_type == OE_REPORT_TYPE_SGX_LOCAL)
+    {
         OE_CHECK(_verify_local_report(
             evidence_buffer, header->report_size + sizeof(oe_report_header_t)));
+    }
     else
-        OE_CHECK(oe_verify_sgx_quote(
-            header->report,
-            header->report_size,
-            endorsements_buffer,
+    {
+        // Get the endorsements if none were provided.
+        if (endorsements_buffer == NULL)
+        {
+            OE_CHECK(oe_get_sgx_endorsements(
+                header->report,
+                header->report_size,
+                &local_endorsements_buffer,
+                &local_endorsements_buffer_size));
+            endorsements_buffer = local_endorsements_buffer;
+            endorsements_buffer_size = local_endorsements_buffer_size;
+        }
+
+        // Parse into SGX endorsements.
+        OE_CHECK(oe_parse_sgx_endorsements(
+            (oe_endorsements_t*)endorsements_buffer,
             endorsements_buffer_size,
-            time));
+            &sgx_endorsements));
+
+        // Verify the quote now.
+        OE_CHECK(oe_verify_quote_with_sgx_endorsements(
+            header->report, header->report_size, &sgx_endorsements, time));
+    }
 
     // Last step is to return the required and custom claims.
     OE_CHECK(_extract_claims(
         evidence_buffer,
         evidence_buffer_size,
-        endorsements_buffer,
-        endorsements_buffer_size,
+        &sgx_endorsements,
         claims,
         claims_length));
 
     result = OE_OK;
 
 done:
+    if (local_endorsements_buffer)
+        oe_free_sgx_endorsements(local_endorsements_buffer);
+
     return result;
 }
 
@@ -459,4 +455,4 @@ static oe_verifier_t _verifier = {.base =
 oe_verifier_t* oe_sgx_plugin_verifier()
 {
     return &_verifier;
-}
\ No newline at end of file
+}
diff --git a/enclave/sgx/attester.c b/enclave/sgx/attester.c
index 85faf0d01d..154e1a3c98 100644
--- a/enclave/sgx/attester.c
+++ b/enclave/sgx/attester.c
@@ -119,6 +119,9 @@ static oe_result_t _serialize_claims(
     return result;
 }
 
+// Timing note:
+// Roughly 0.002 seconds without endorsements.
+// Roughtly 0.5 seconds with endorsements.
 static oe_result_t _get_evidence(
     oe_attester_t* context,
     uint32_t flags,
@@ -242,4 +245,4 @@ static oe_attester_t _attester = {.base =
 oe_attester_t* oe_sgx_plugin_attester()
 {
     return &_attester;
-}
\ No newline at end of file
+}
diff --git a/include/openenclave/attestation/sgx/attester.h b/include/openenclave/attestation/sgx/attester.h
index 20dd5b47a8..82a0b5b727 100644
--- a/include/openenclave/attestation/sgx/attester.h
+++ b/include/openenclave/attestation/sgx/attester.h
@@ -37,4 +37,4 @@ oe_attester_t* oe_sgx_plugin_attester(void);
 
 OE_EXTERNC_END
 
-#endif /* _OE_ATTESTATION_SGX_ATTESTER_H */
\ No newline at end of file
+#endif /* _OE_ATTESTATION_SGX_ATTESTER_H */
diff --git a/include/openenclave/attestation/sgx/verifier.h b/include/openenclave/attestation/sgx/verifier.h
index ef0c9cd2b9..4b767d50f8 100644
--- a/include/openenclave/attestation/sgx/verifier.h
+++ b/include/openenclave/attestation/sgx/verifier.h
@@ -25,4 +25,4 @@ oe_verifier_t* oe_sgx_plugin_verifier(void);
 
 OE_EXTERNC_END
 
-#endif /* _OE_ATTESTATION_SGX_ATTESTER_H */
\ No newline at end of file
+#endif /* _OE_ATTESTATION_SGX_ATTESTER_H */
diff --git a/include/openenclave/host_verify.h b/include/openenclave/host_verify.h
index 56ea1cdf94..fca849a76a 100644
--- a/include/openenclave/host_verify.h
+++ b/include/openenclave/host_verify.h
@@ -32,6 +32,10 @@ OE_EXTERNC_BEGIN
  * @param report_size The size of the **report** buffer.
  * @param parsed_report Optional **oe_report_t** structure to populate
  * with the report properties in a standard format.
+ * @param[out] endorsements An optional output pointer that will be assigned
+ * the address of the endorsements buffer.
+ * @param[out] endorsements_size A pointer that points to the size of
+ * the endorsements buffer in bytes.
  *
  * @retval OE_OK The report was successfully verified.
  * @retval OE_INVALID_PARAMETER At least one parameter is invalid.
diff --git a/include/openenclave/internal/sgx/plugin.h b/include/openenclave/internal/sgx/plugin.h
index 746a62d4eb..531a6ccb93 100644
--- a/include/openenclave/internal/sgx/plugin.h
+++ b/include/openenclave/internal/sgx/plugin.h
@@ -34,8 +34,9 @@ typedef struct _oe_sgx_plugin_claims_entry
 {
     uint64_t name_size;
     uint64_t value_size;
-    uint8_t name[]; // name_size bytes follow.
-    // uint8_t value[]; value_size_bytes follow.
+    uint8_t name[];
+    // name_size bytes follow.
+    // value_size_bytes follow.
 } oe_sgx_plugin_claims_entry_t;
 
-#endif // _OE_INTENRAL_SGX_PLUGIN
\ No newline at end of file
+#endif // _OE_INTENRAL_SGX_PLUGIN
diff --git a/tests/attestation_plugin/plugin.edl b/tests/attestation_plugin/plugin.edl
index e1976ba5e6..549fbef9de 100644
--- a/tests/attestation_plugin/plugin.edl
+++ b/tests/attestation_plugin/plugin.edl
@@ -16,4 +16,4 @@ enclave {
             [in, size=endorsements_size] uint8_t* endorsements,
             size_t endorsements_size);
     };
-};
\ No newline at end of file
+};
diff --git a/tests/attestation_plugin/plugin/mock_attester.h b/tests/attestation_plugin/plugin/mock_attester.h
index 1885066aa7..a02a3a1744 100644
--- a/tests/attestation_plugin/plugin/mock_attester.h
+++ b/tests/attestation_plugin/plugin/mock_attester.h
@@ -1,6 +1,11 @@
 // Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
+// This file provides a dummy implementation of an attester plugin and a
+// verifier plugin in order to test the OE plugin management runtime
+// implementation. It essentially tests that plugins are being registered
+// correctly and can get/verify evidence based of the right UUID.
+
 #ifndef _OE_MOCK_ATTESTER_H
 #define _OE_MOCK_ATTESTER_H
 

From a2298b9241615061c5509cdf34236e3e3ad0c4df Mon Sep 17 00:00:00 2001
From: Akash Gupta <akagup@microsoft.com>
Date: Tue, 19 Nov 2019 06:23:30 +0000
Subject: [PATCH 304/420] Added test for local attestation.

Signed-off-by: Akash Gupta <akagup@microsoft.com>
---
 common/sgx/verifier.c                   | 49 ++++++++--------
 tests/attestation_plugin/enc/enc.c      | 76 ++++++++++++++++++++++++-
 tests/attestation_plugin/host/host.c    |  8 ++-
 tests/attestation_plugin/plugin.edl     |  1 +
 tests/attestation_plugin/plugin/tests.c |  9 +--
 tests/attestation_plugin/plugin/tests.h |  3 +-
 6 files changed, 113 insertions(+), 33 deletions(-)

diff --git a/common/sgx/verifier.c b/common/sgx/verifier.c
index dc6b7ee69e..02ad6b821e 100644
--- a/common/sgx/verifier.c
+++ b/common/sgx/verifier.c
@@ -77,7 +77,7 @@ static oe_result_t _get_input_time(
                 return OE_INVALID_PARAMETER;
 
             *time = (oe_datetime_t*)policies[i].policy;
-            break;
+            return OE_OK;
         }
     }
 
@@ -210,29 +210,32 @@ static oe_result_t _fill_with_known_claims(
         &plugin_id,
         sizeof(plugin_id)));
 
-    // Get quote validity periods to get validity from and until claims.
-    OE_CHECK(oe_get_sgx_quote_validity(
-        header->report,
-        header->report_size,
-        sgx_endorsements,
-        &valid_from,
-        &valid_until));
-
-    // Validity from.
-    OE_CHECK(_add_claim(
-        &claims[claims_index++],
-        OE_CLAIM_VALIDITY_FROM,
-        sizeof(OE_CLAIM_VALIDITY_FROM),
-        &valid_from,
-        sizeof(valid_from)));
+    if (header->report_type == OE_REPORT_TYPE_SGX_REMOTE)
+    {
+        // Get quote validity periods to get validity from and until claims.
+        OE_CHECK(oe_get_sgx_quote_validity(
+            header->report,
+            header->report_size,
+            sgx_endorsements,
+            &valid_from,
+            &valid_until));
+
+        // Validity from.
+        OE_CHECK(_add_claim(
+            &claims[claims_index++],
+            OE_CLAIM_VALIDITY_FROM,
+            sizeof(OE_CLAIM_VALIDITY_FROM),
+            &valid_from,
+            sizeof(valid_from)));
 
-    // Validity to.
-    OE_CHECK(_add_claim(
-        &claims[claims_index++],
-        OE_CLAIM_VALIDITY_UNTIL,
-        sizeof(OE_CLAIM_VALIDITY_UNTIL),
-        &valid_until,
-        sizeof(valid_until)));
+        // Validity to.
+        OE_CHECK(_add_claim(
+            &claims[claims_index++],
+            OE_CLAIM_VALIDITY_UNTIL,
+            sizeof(OE_CLAIM_VALIDITY_UNTIL),
+            &valid_until,
+            sizeof(valid_until)));
+    }
 
     *claims_added = claims_index;
     result = OE_OK;
diff --git a/tests/attestation_plugin/enc/enc.c b/tests/attestation_plugin/enc/enc.c
index edb099bf11..c230c5d657 100644
--- a/tests/attestation_plugin/enc/enc.c
+++ b/tests/attestation_plugin/enc/enc.c
@@ -6,6 +6,7 @@
 #include <openenclave/enclave.h>
 #include <openenclave/internal/report.h>
 #include <openenclave/internal/sgx/plugin.h>
+#include <openenclave/internal/sgxtypes.h>
 #include <openenclave/internal/tests.h>
 #include <stdio.h>
 #include <string.h>
@@ -62,7 +63,7 @@ static void _test_sgx_remote()
             NULL,
             0) == OE_OK);
 
-    verify_sgx_evidence(evidence, evidence_size, NULL, 0, NULL, 0);
+    verify_sgx_evidence(evidence, evidence_size, NULL, 0, NULL, 0, false);
 
     OE_TEST(oe_free_evidence(evidence) == OE_OK);
 
@@ -82,7 +83,13 @@ static void _test_sgx_remote()
             &endorsements_size) == OE_OK);
 
     verify_sgx_evidence(
-        evidence, evidence_size, endorsements, endorsements_size, NULL, 0);
+        evidence,
+        evidence_size,
+        endorsements,
+        endorsements_size,
+        NULL,
+        0,
+        false);
 
     OE_TEST(oe_free_evidence(evidence) == OE_OK);
     OE_TEST(oe_free_endorsements(endorsements) == OE_OK);
@@ -108,7 +115,8 @@ static void _test_sgx_remote()
         endorsements,
         endorsements_size,
         test_claims,
-        NUM_TEST_CLAIMS);
+        NUM_TEST_CLAIMS,
+        false);
 
     OE_TEST(
         host_verify(evidence, evidence_size, endorsements, endorsements_size) ==
@@ -118,10 +126,72 @@ static void _test_sgx_remote()
     OE_TEST(oe_free_endorsements(endorsements) == OE_OK);
 }
 
+static void _test_sgx_local()
+{
+    uint8_t* report = NULL;
+    size_t report_size = 0;
+    void* target = NULL;
+    size_t target_size = 0;
+    uint8_t* evidence = NULL;
+    size_t evidence_size = 0;
+
+    printf("====== running _test_sgx_local\n");
+    printf("====== running _test_sgx_local #0: Getting target info.\n");
+    OE_TEST(oe_get_report(0, NULL, 0, NULL, 0, &report, &report_size) == OE_OK);
+
+    OE_TEST(
+        oe_get_target_info(report, report_size, &target, &target_size) ==
+        OE_OK);
+
+    oe_free_report(report);
+
+    // Only evidence.
+    printf("====== running _test_sgx_local #1: Just evidence\n");
+    OE_TEST(
+        oe_get_evidence(
+            &sgx_attest->base.format_id,
+            0,
+            NULL,
+            0,
+            target,
+            target_size,
+            &evidence,
+            &evidence_size,
+            NULL,
+            0) == OE_OK);
+
+    verify_sgx_evidence(evidence, evidence_size, NULL, 0, NULL, 0, true);
+
+    OE_TEST(oe_free_evidence(evidence) == OE_OK);
+
+    // Evidence + claims.
+    printf("====== running _test_sgx_local #2: + Claims\n");
+    OE_TEST(
+        oe_get_evidence(
+            &sgx_attest->base.format_id,
+            0,
+            test_claims,
+            NUM_TEST_CLAIMS,
+            target,
+            target_size,
+            &evidence,
+            &evidence_size,
+            NULL,
+            0) == OE_OK);
+
+    verify_sgx_evidence(
+        evidence, evidence_size, NULL, 0, test_claims, NUM_TEST_CLAIMS, true);
+
+    OE_TEST(oe_free_evidence(evidence) == OE_OK);
+    oe_free_target_info(target);
+}
+
 void test_sgx()
 {
     printf("====== running test_sgx\n");
+
     _test_sgx_remote();
+    _test_sgx_local();
 }
 
 OE_SET_ENCLAVE_SGX(
diff --git a/tests/attestation_plugin/host/host.c b/tests/attestation_plugin/host/host.c
index ea9f19be5a..bcce7efd6d 100644
--- a/tests/attestation_plugin/host/host.c
+++ b/tests/attestation_plugin/host/host.c
@@ -10,6 +10,7 @@
 #include <Windows.h>
 #endif
 
+#include "../../../host/sgx/quote.h"
 #include "../plugin/tests.h"
 #include "plugin_u.h"
 
@@ -28,7 +29,8 @@ void host_verify(
         endorsements,
         endorsements_size,
         test_claims,
-        NUM_TEST_CLAIMS);
+        NUM_TEST_CLAIMS,
+        false);
 }
 
 int main(int argc, const char* argv[])
@@ -88,8 +90,10 @@ int main(int argc, const char* argv[])
     if ((flags & OE_ENCLAVE_FLAG_SIMULATE) != 0)
         return SKIP_RETURN_CODE;
 
+    // Register the host verifier.
     register_verifier();
 
+    // Run all enclave tests.
     result = oe_create_plugin_enclave(
         argv[1], OE_ENCLAVE_TYPE_AUTO, flags, NULL, 0, &enclave);
     OE_TEST(result == OE_OK);
@@ -98,12 +102,12 @@ int main(int argc, const char* argv[])
     register_sgx(enclave);
     test_sgx(enclave);
     unregister_sgx(enclave);
-
     OE_TEST(oe_terminate_enclave(enclave) == OE_OK);
 
     // Run runtime test on the host.
     test_runtime();
 
+    // Unregister verifier.
     unregister_verifier();
     return 0;
 #else
diff --git a/tests/attestation_plugin/plugin.edl b/tests/attestation_plugin/plugin.edl
index 549fbef9de..d77448dd61 100644
--- a/tests/attestation_plugin/plugin.edl
+++ b/tests/attestation_plugin/plugin.edl
@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 enclave {
+
     trusted {
         public void run_runtime_test();
         public void register_sgx();
diff --git a/tests/attestation_plugin/plugin/tests.c b/tests/attestation_plugin/plugin/tests.c
index 519ba751cc..6aa419d0b7 100644
--- a/tests/attestation_plugin/plugin/tests.c
+++ b/tests/attestation_plugin/plugin/tests.c
@@ -464,7 +464,8 @@ void verify_sgx_evidence(
     const uint8_t* endorsements,
     size_t endorsements_size,
     const oe_claim_t* custom_claims,
-    size_t custom_claims_size)
+    size_t custom_claims_size,
+    bool is_local)
 {
     printf("====== running verify_sgx_evidence\n");
 
@@ -552,12 +553,12 @@ void verify_sgx_evidence(
 
     // Check date time.
     from = _find_claim(claims, claims_size, OE_CLAIM_VALIDITY_FROM);
-    OE_TEST(from != NULL);
+    OE_TEST(is_local || from != NULL);
 
     until = _find_claim(claims, claims_size, OE_CLAIM_VALIDITY_UNTIL);
-    OE_TEST(until != NULL);
+    OE_TEST(is_local || until != NULL);
 
-    if (endorsements)
+    if (!is_local && endorsements)
     {
         _test_time(
             header->data,
diff --git a/tests/attestation_plugin/plugin/tests.h b/tests/attestation_plugin/plugin/tests.h
index fb293d660c..ed2afd6b80 100644
--- a/tests/attestation_plugin/plugin/tests.h
+++ b/tests/attestation_plugin/plugin/tests.h
@@ -26,6 +26,7 @@ void verify_sgx_evidence(
     const uint8_t* endorsements,
     size_t endorsements_size,
     const oe_claim_t* custom_claims,
-    size_t custom_claims_size);
+    size_t custom_claims_size,
+    bool is_local);
 
 #endif // _OE_ATTESTATION_PLUGIN_TESTS
\ No newline at end of file

From 52b8fb23b6b3cb53c403cd360dd9e3a390ca121b Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Wed, 13 Nov 2019 19:30:53 +0000
Subject: [PATCH 305/420] Plumb pointer type through `oe_gen_set_pointers`

We were previously assuming that all nested pointers were "in/out" types
as they did not contain the information necessary to determine if they
were just "in" or "out" types. This information exists only at the
top-level definition of the function (the pointer parameter is either
"in," or "out," or "in/out"). So we can instead determine the correct
setter before the first recursion, and then continue to pass it through.

This is made easier by the introduction of `flatten_map2`, which acts
just like `flatten_map` but for `List.map2`.

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/src/Emitter.ml | 40 +++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/tools/oeedger8r/src/Emitter.ml b/tools/oeedger8r/src/Emitter.ml
index d45ccfe0db..8de2e1f803 100644
--- a/tools/oeedger8r/src/Emitter.ml
+++ b/tools/oeedger8r/src/Emitter.ml
@@ -79,6 +79,8 @@ let filter_map f l = List.of_seq (Seq.filter_map f (List.to_seq l))
 (* Helper to flatten and map at the same time. *)
 let flatten_map f l = List.flatten (List.map f l)
 
+let flatten_map2 f l m = List.flatten (List.map2 f l m)
+
 let is_in_ptr = function
   | PTVal _ -> false
   | PTPtr (_, a) -> a.pa_chkptr && a.pa_direction = PtrIn
@@ -728,6 +730,8 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
                   (String.concat " && " (List.rev (arg :: args)));
               ];
               [
+                (* NOTE: The [WRITE_IN_OUT] macro is defined to be the
+                   [WRITE_IN] macro. *)
                 sprintf "    OE_WRITE_%s_PARAM(%s, %s, %s);"
                   (if is_in_ptr ptype then "IN" else "IN_OUT")
                   arg size tystr;
@@ -942,10 +946,7 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
             sprintf "if (pargs_in->%s)"
               (String.concat " && pargs_in->" (List.rev (arg :: args)));
           ];
-          [
-            sprintf "    OE_%s_POINTER(%s, %s, %s);" (setter ptype) arg size
-              tystr;
-          ];
+          [ sprintf "    OE_%s_POINTER(%s, %s, %s);" setter arg size tystr ];
           (let param_count = oe_get_param_count (ptype, decl, argstruct) in
            flatten_map
              (oe_gen_set_pointers (arg :: args) param_count setter)
@@ -955,14 +956,13 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
   in
   let oe_gen_in_and_inout_setters (plist : pdecl list) =
     let params =
-      flatten_map
-        (oe_gen_set_pointers [] "1" (fun p ->
-             (* TODO: Right now we assume all nested pointers should
-                be [SET_IN_OUT], since nested pointers don't actually
-                satisfy either [is_in_ptr] or [is_inout_ptr]
-                predicates. *)
-             if is_in_ptr p then "SET_IN" else "SET_IN_OUT"))
-        (List.filter is_in_or_inout_ptr plist)
+      let ptrs = List.filter is_in_or_inout_ptr plist in
+      let setters =
+        List.map
+          (fun (p, _) -> if is_in_ptr p then "SET_IN" else "SET_IN_OUT")
+          ptrs
+      in
+      flatten_map2 (oe_gen_set_pointers [] "1") setters ptrs
     in
     "    "
     ^ String.concat "\n    "
@@ -974,14 +974,14 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
   in
   let oe_gen_out_and_inout_setters (plist : pdecl list) =
     let params =
-      flatten_map
-        (oe_gen_set_pointers [] "1" (fun p ->
-             (* TODO: Right now we assume all nested pointers should
-                be [COPY_AND_SET_IN_OUT], since nested pointers don't
-                actually satisfy either [is_out_ptr] or [is_inout_ptr]
-                predicates. *)
-             if is_out_ptr p then "SET_OUT" else "COPY_AND_SET_IN_OUT"))
-        (List.filter is_out_or_inout_ptr plist)
+      let ptrs = List.filter is_out_or_inout_ptr plist in
+      let setters =
+        List.map
+          (fun (p, _) ->
+            if is_out_ptr p then "SET_OUT" else "COPY_AND_SET_IN_OUT")
+          ptrs
+      in
+      flatten_map2 (oe_gen_set_pointers [] "1") setters ptrs
     in
     "    "
     ^ String.concat "\n    "

From add5ab8e9a7f5b07d887a3dd6abc91537948fa40 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Wed, 13 Nov 2019 23:47:17 +0000
Subject: [PATCH 306/420] Add `deepcopy_in` test

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tests/oeedger8r/edl/deepcopy.edl      | 3 +++
 tests/oeedger8r/enc/testdeepcopy.cpp  | 9 +++++++++
 tests/oeedger8r/host/testdeepcopy.cpp | 7 +++++++
 3 files changed, 19 insertions(+)

diff --git a/tests/oeedger8r/edl/deepcopy.edl b/tests/oeedger8r/edl/deepcopy.edl
index cdf4e8918e..ca7ae3dc4c 100644
--- a/tests/oeedger8r/edl/deepcopy.edl
+++ b/tests/oeedger8r/edl/deepcopy.edl
@@ -108,6 +108,9 @@ enclave {
     // Test handling of null values.
     public void deepcopy_null([in, out, count=1] CountStruct* s);
 
+    // Test that it is only copied in, not out.
+    public void deepcopy_in([in, count=1] CountStruct* s);
+
     // Deep copy of one `CountStruct` with an embedded array out
     // should take place.
     public void deepcopy_out_count([in, out, count=1] CountStruct* s);
diff --git a/tests/oeedger8r/enc/testdeepcopy.cpp b/tests/oeedger8r/enc/testdeepcopy.cpp
index 6e4c3db300..93fb8b6324 100644
--- a/tests/oeedger8r/enc/testdeepcopy.cpp
+++ b/tests/oeedger8r/enc/testdeepcopy.cpp
@@ -195,6 +195,15 @@ void deepcopy_null(CountStruct* s)
     OE_UNUSED(s);
 }
 
+void deepcopy_in(CountStruct* s)
+{
+    // Assert that it was copied in correctly.
+    deepcopy_count(s);
+    // Cause it to copy out incorrectly.
+    for (size_t i = 0; i < 3; ++i)
+        s->ptr[i] = i;
+}
+
 void deepcopy_out_count(CountStruct* s)
 {
     OE_TEST(s->count == 0);
diff --git a/tests/oeedger8r/host/testdeepcopy.cpp b/tests/oeedger8r/host/testdeepcopy.cpp
index 24b612d53e..cd55006b64 100644
--- a/tests/oeedger8r/host/testdeepcopy.cpp
+++ b/tests/oeedger8r/host/testdeepcopy.cpp
@@ -168,6 +168,13 @@ void test_deepcopy_edl_ecalls(oe_enclave_t* enclave)
         OE_TEST(s.ptr == nullptr);
     }
 
+    {
+        auto s = init_struct<CountStruct>();
+        OE_TEST(deepcopy_in(enclave, &s) == OE_OK);
+        // Assert the struct was not changed (as if it were "out").
+        test_struct(s, 3);
+    }
+
     {
         CountStruct s{};
         uint64_t p[3] = {0, 0, 0};

From 857924e85cee5d76fec0b28a771af5f2cf8515d9 Mon Sep 17 00:00:00 2001
From: Oprin Marius <moprin@cloudbasesolutions.com>
Date: Tue, 19 Nov 2019 19:36:12 +0200
Subject: [PATCH 307/420] Update oe_prereqs folder install path to reflect
 recent changes

Signed-off-by: Oprin Marius <moprin@cloudbasesolutions.com>
---
 .jenkins/Jenkinsfile                                   | 10 +++++-----
 .jenkins/Packaging.Jenkinsfile                         |  6 +++---
 .jenkins/custom_label.Jenkinsfile                      |  5 ++---
 scripts/ansible/oe-windows-acc-setup.yml               |  2 +-
 .../roles/windows/az-dcap-client/vars/windows.yml      |  8 ++++----
 5 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
index 01044cf6ac..ae16d4997e 100644
--- a/.jenkins/Jenkinsfile
+++ b/.jenkins/Jenkinsfile
@@ -191,7 +191,7 @@ def win2016LinuxElfBuild(String version, String compiler, String build_type) {
                 dir('build') {
                   bat """
                       vcvars64.bat x64 && \
-                      cmake.exe ${WORKSPACE} -G Ninja -DADD_WINDOWS_ENCLAVE_TESTS=ON -DBUILD_ENCLAVES=OFF -DHAS_QUOTE_PROVIDER=ON -DCMAKE_BUILD_TYPE=${build_type} -DLINUX_BIN_DIR=${WORKSPACE}\\linuxbin\\tests -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -Wdev && \
+                      cmake.exe ${WORKSPACE} -G Ninja -DADD_WINDOWS_ENCLAVE_TESTS=ON -DBUILD_ENCLAVES=OFF -DHAS_QUOTE_PROVIDER=ON -DCMAKE_BUILD_TYPE=${build_type} -DLINUX_BIN_DIR=${WORKSPACE}\\linuxbin\\tests -DNUGET_PACKAGE_PATH=C:/oe_prereqs -Wdev && \
                       ninja -v && \
                       ctest.exe -V -C ${build_type} --timeout ${CTEST_TIMEOUT_SECONDS}
                       """
@@ -218,7 +218,7 @@ def win2016CrossCompile(String build_type, String has_quote_provider = 'OFF') {
 
                   bat """
                       vcvars64.bat x64 && \
-                      cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DHAS_QUOTE_PROVIDER=${has_quote_provider} -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -Wdev && \
+                      cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DHAS_QUOTE_PROVIDER=${has_quote_provider} -DNUGET_PACKAGE_PATH=C:/oe_prereqs -Wdev && \
                       ninja.exe && \
                       ctest.exe -V -C ${build_type} --timeout ${CTEST_TIMEOUT_SECONDS}
                       """
@@ -307,7 +307,7 @@ def ACCHostVerificationTest(String version, String build_type) {
                     dir('build') {
                         bat """
                             vcvars64.bat x64 && \
-                            cmake.exe ${WORKSPACE} -G Ninja -DBUILD_ENCLAVES=OFF -DHAS_QUOTE_PROVIDER=OFF -DCMAKE_BUILD_TYPE=${build_type} -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -Wdev && \
+                            cmake.exe ${WORKSPACE} -G Ninja -DBUILD_ENCLAVES=OFF -DHAS_QUOTE_PROVIDER=OFF -DCMAKE_BUILD_TYPE=${build_type} -DNUGET_PACKAGE_PATH=C:/oe_prereqs -Wdev && \
                             ninja -v && \
                             ctest.exe -V -C ${build_type} -R host_verify --output-on-failure --timeout ${CTEST_TIMEOUT_SECONDS}
                             """
@@ -363,8 +363,8 @@ try{
 } catch(Exception e) {
     println "Caught global pipeline exception :" + e
     GLOBAL_ERROR = e
-    throw e   
+    throw e
 } finally {
-    currentBuild.result = (GLOBAL_ERROR != null) ? 'FAILURE' : "SUCCESS"    
+    currentBuild.result = (GLOBAL_ERROR != null) ? 'FAILURE' : "SUCCESS"
     oe.emailJobStatus(currentBuild.result)
 }
diff --git a/.jenkins/Packaging.Jenkinsfile b/.jenkins/Packaging.Jenkinsfile
index d46ef47976..6dd883f3d1 100644
--- a/.jenkins/Packaging.Jenkinsfile
+++ b/.jenkins/Packaging.Jenkinsfile
@@ -38,7 +38,7 @@ def WindowsPackaging(String build_type) {
                 dir('build') {
                     bat """
                         vcvars64.bat x64 && \
-                        cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DHAS_QUOTE_PROVIDER=ON -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -DCPACK_GENERATOR=NuGet -Wdev && \
+                        cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DHAS_QUOTE_PROVIDER=ON -DNUGET_PACKAGE_PATH=C:/oe_prereqs -DCPACK_GENERATOR=NuGet -Wdev && \
                         ninja.exe && \
                         ctest.exe -V -C RELEASE --timeout ${CTEST_TIMEOUT_SECONDS} && \
                         cpack && \
@@ -65,8 +65,8 @@ try{
 } catch(Exception e) {
     println "Caught global pipeline exception :" + e
     GLOBAL_ERROR = e
-    throw e   
+    throw e
 } finally {
-    currentBuild.result = (GLOBAL_ERROR != null) ? 'FAILURE' : "SUCCESS"    
+    currentBuild.result = (GLOBAL_ERROR != null) ? 'FAILURE' : "SUCCESS"
     oe.emailJobStatus(currentBuild.result)
 }
diff --git a/.jenkins/custom_label.Jenkinsfile b/.jenkins/custom_label.Jenkinsfile
index c2e87181d9..bcc2a283a7 100644
--- a/.jenkins/custom_label.Jenkinsfile
+++ b/.jenkins/custom_label.Jenkinsfile
@@ -55,7 +55,7 @@ def win2016CrossCompile(String build_type, String has_quote_provider = 'OFF') {
 
                   bat """
                       vcvars64.bat x64 && \
-                      cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DHAS_QUOTE_PROVIDER=${has_quote_provider} -DNUGET_PACKAGE_PATH=C:/openenclave/prereqs/nuget -Wdev && \
+                      cmake.exe ${WORKSPACE} -G Ninja -DCMAKE_BUILD_TYPE=${build_type} -DBUILD_ENCLAVES=ON -DHAS_QUOTE_PROVIDER=${has_quote_provider} -DNUGET_PACKAGE_PATH=C:/oe_prereqs -Wdev && \
                       ninja.exe && \
                       ctest.exe -V -C ${build_type} --timeout ${CTEST_TIMEOUT_SECONDS}
                       """
@@ -91,11 +91,10 @@ def win2016LinuxElfBuild(String version, String compiler, String build_type) {
                 checkout scm
                 unstash "linux-${compiler}-${build_type}-${version}-${BUILD_NUMBER}"
                 bat 'move build linuxbin'
-                powershell 'Copy-Item -Recurse C:\\openenclave\\prereqs\\nuget ${env:WORKSPACE}\\prereqs'
                 dir('build') {
                   bat """
                       vcvars64.bat x64 && \
-                      cmake.exe ${WORKSPACE} -G Ninja -DADD_WINDOWS_ENCLAVE_TESTS=ON -DBUILD_ENCLAVES=OFF -DHAS_QUOTE_PROVIDER=ON -DCMAKE_BUILD_TYPE=${build_type} -DLINUX_BIN_DIR=${WORKSPACE}\\linuxbin\\tests -Wdev && \
+                      cmake.exe ${WORKSPACE} -G Ninja -DADD_WINDOWS_ENCLAVE_TESTS=ON -DBUILD_ENCLAVES=OFF -DHAS_QUOTE_PROVIDER=ON -DCMAKE_BUILD_TYPE=${build_type} -DLINUX_BIN_DIR=${WORKSPACE}\\linuxbin\\tests -DNUGET_PACKAGE_PATH=C:/oe_prereqs -Wdev && \
                       ninja -v && \
                       ctest.exe -V -C ${build_type} --timeout ${CTEST_TIMEOUT_SECONDS}
                       """
diff --git a/scripts/ansible/oe-windows-acc-setup.yml b/scripts/ansible/oe-windows-acc-setup.yml
index 078594de4b..6ddbff4f44 100644
--- a/scripts/ansible/oe-windows-acc-setup.yml
+++ b/scripts/ansible/oe-windows-acc-setup.yml
@@ -33,7 +33,7 @@
 
     - name: OE setup | Run the install-windows-prereqs.ps1 script (this may take a while)
       script: ../install-windows-prereqs.ps1
-        -InstallPath         "C:\openenclave"
+        -InstallPath         "C:\oe_prereqs"
         -LaunchConfiguration "{{ 'SGX1FLC' if dcap_testing_node is defined and dcap_testing_node == 'true' else 'SGX1' }}"
         -DCAPClientType      "{{ 'Azure' }}"
         -IntelPSWURL         "{{ intel_psw_url }}"
diff --git a/scripts/ansible/roles/windows/az-dcap-client/vars/windows.yml b/scripts/ansible/roles/windows/az-dcap-client/vars/windows.yml
index 07ed65bca1..6a6fd32b6f 100644
--- a/scripts/ansible/roles/windows/az-dcap-client/vars/windows.yml
+++ b/scripts/ansible/roles/windows/az-dcap-client/vars/windows.yml
@@ -11,9 +11,9 @@ lc_driver:
   reg_value: 1
 
 validation_directories:
-  - "C:\\openenclave\\prereqs\\nuget\\DCAP_Components"
-  - "C:\\openenclave\\prereqs\\nuget\\EnclaveCommonAPI"
+  - "C:\\oe_prereqs\\DCAP_Components"
+  - "C:\\oe_prereqs\\EnclaveCommonAPI"
 
 validation_binaries:
-  - "C:\\openenclave\\prereqs\\nuget\\DCAP_Components\\build\\lib\\native\\Libraries\\sgx_dcap_ql.lib"
-  - "C:\\openenclave\\prereqs\\nuget\\EnclaveCommonAPI\\lib\\native\\x64-Release\\sgx_enclave_common.lib"
+  - "C:\\oe_prereqs\\DCAP_Components\\build\\lib\\native\\Libraries\\sgx_dcap_ql.lib"
+  - "C:\\oe_prereqs\\EnclaveCommonAPI\\lib\\native\\x64-Release\\sgx_enclave_common.lib"

From fdd6f0d4b8b83f18444b6603c9d98055c14f6225 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Fri, 15 Nov 2019 14:03:52 -0800
Subject: [PATCH 308/420] Port tls_e2e test host from pthread to std::thread

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 tests/tls_e2e/host/host.cpp | 73 +++++++++++++++----------------------
 1 file changed, 29 insertions(+), 44 deletions(-)

diff --git a/tests/tls_e2e/host/host.cpp b/tests/tls_e2e/host/host.cpp
index 08b3a3a568..faa08878a5 100644
--- a/tests/tls_e2e/host/host.cpp
+++ b/tests/tls_e2e/host/host.cpp
@@ -6,13 +6,17 @@
 #include <openenclave/internal/error.h>
 #include <openenclave/internal/raise.h>
 #include <openenclave/internal/tests.h>
-#include <pthread.h>
 #include <signal.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include "tls_e2e_u.h"
 
+#include <condition_variable>
+#include <exception>
+#include <mutex>
+#include <thread>
+
 #define SERVER_PORT "12345"
 #define SERVER_IP "127.0.0.1"
 
@@ -60,20 +64,22 @@ typedef enum test_config_type
 
 oe_enclave_t* g_server_enclave = NULL;
 oe_enclave_t* g_client_enclave = NULL;
+
 int g_server_thread_exit_code = 0;
 int g_client_thread_exit_code = 0;
-pthread_mutex_t server_mutex;
-pthread_cond_t server_cond;
 bool g_server_condition = false;
-pthread_t server_thread_id;
+
+std::mutex server_mutex;
+std::condition_variable server_cond;
+std::thread server_thread;
 
 int server_is_ready()
 {
     OE_TRACE_INFO("TLS server_is_ready!\n");
-    pthread_mutex_lock(&server_mutex);
+    server_mutex.lock();
     g_server_condition = true;
-    pthread_cond_signal(&server_cond);
-    pthread_mutex_unlock(&server_mutex);
+    server_cond.notify_all();
+    server_mutex.unlock();
     return 1;
 }
 
@@ -118,7 +124,7 @@ oe_result_t enclave_identity_verifier(oe_identity_t* identity, void* arg)
     return result;
 }
 
-void* server_thread(void* arg)
+void* run_server(void* arg)
 {
     oe_result_t result = OE_FAILURE;
     tls_thread_context_config_t* config = &(((tls_test_configs_t*)arg)->server);
@@ -149,19 +155,17 @@ void* server_thread(void* arg)
 
     OE_TRACE_INFO("Leaving server thread...\n");
     fflush(stdout);
-    pthread_exit((void*)&g_server_thread_exit_code);
 done:
     return NULL;
 }
 
-void* client_thread(void* arg)
+void* run_client(void* arg)
 {
     oe_result_t result = OE_FAILURE;
     tls_thread_context_config_t* client_config =
         &(((tls_test_configs_t*)arg)->client);
     tls_thread_context_config_t* server_config =
         &(((tls_test_configs_t*)arg)->server);
-    void* retval = NULL;
 
     OE_TRACE_INFO("Client thread: call launch_tls_client()\n");
     result = launch_tls_client(
@@ -186,10 +190,10 @@ void* client_thread(void* arg)
 
     OE_TRACE_INFO("Waiting for the server thread to terminate...\n");
     // block client thread until the server thread is done
-    pthread_join(server_thread_id, (void**)&retval);
+    server_thread.join();
 
     // enforce server return value
-    OE_TRACE_INFO("server returns retval = [%d]\n", *(int*)retval);
+    OE_TRACE_INFO("server returns retval = [%d]\n", g_server_thread_exit_code);
 
     if (server_config->args.fail_cert_verify_callback ||
         server_config->args.fail_enclave_identity_verifier_callback ||
@@ -197,7 +201,7 @@ void* client_thread(void* arg)
     {
         // since this test ignores SIGPIPE, ther client thread will terminiate
         // with 0
-        OE_TEST(*(int*)(retval) == 0);
+        OE_TEST(g_server_thread_exit_code == 0);
     }
 
     // In the no-fault-injection test case, the client thread should return
@@ -216,7 +220,7 @@ void* client_thread(void* arg)
         // g_client_thread_exit_code could be any values in negative test cases
         g_client_thread_exit_code = 0;
     }
-    pthread_exit((void*)&g_client_thread_exit_code);
+
     fflush(stdout);
 done:
     return NULL;
@@ -224,44 +228,24 @@ void* client_thread(void* arg)
 
 int run_test_with_config(tls_test_configs_t* test_configs)
 {
-    pthread_attr_t server_tattr;
-    pthread_attr_t client_tattr;
-    pthread_t client_thread_id;
-    int ret = 0;
-    void* retval = NULL;
-
     // create server thread
-    ret = pthread_attr_init(&server_tattr);
-    if (ret)
-        oe_put_err("pthread_attr_init(server): ret=%u", ret);
-
-    ret = pthread_create(
-        &server_thread_id, NULL, server_thread, (void*)test_configs);
-    if (ret)
-        oe_put_err("pthread_create(server): ret=%u", ret);
+    server_thread = std::thread(run_server, (void*)test_configs);
 
     OE_TRACE_INFO("wait until TLS server is ready to accept client request\n");
-    pthread_mutex_lock(&server_mutex);
+    std::unique_lock<std::mutex> l(server_mutex);
     while (!g_server_condition)
-        pthread_cond_wait(&server_cond, &server_mutex);
-    pthread_mutex_unlock(&server_mutex);
+        server_cond.wait(l);
 
     fflush(stdout);
 
     // create client thread
-    ret = pthread_attr_init(&client_tattr);
-    if (ret)
-        oe_put_err("pthread_attr_init(client): ret=%u", ret);
-
-    ret = pthread_create(
-        &client_thread_id, NULL, client_thread, (void*)test_configs);
-    if (ret)
-        oe_put_err("pthread_create(client): ret=%u", ret);
+    std::thread client_thread(run_client, (void*)test_configs);
+    client_thread.join();
+    OE_TRACE_INFO(
+        "Client thread terminated with ret =%d... \n",
+        g_client_thread_exit_code);
 
-    pthread_join(client_thread_id, &retval);
-    ret = *(int*)retval;
-    OE_TRACE_INFO("Client thread terminated with ret =%d... \n", ret);
-    return ret;
+    return g_client_thread_exit_code;
 }
 
 int run_scenarios_tests()
@@ -336,6 +320,7 @@ int run_scenarios_tests()
 int main(int argc, const char* argv[])
 {
 #ifdef OE_LINK_SGX_DCAP_QL
+
     oe_result_t result = OE_FAILURE;
     uint32_t flags = OE_ENCLAVE_FLAG_DEBUG;
     int ret = 0;

From f4afb1b341deed5b8370dc7eb9e6ac9b09517220 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jordanhand22@gmail.com>
Date: Mon, 18 Nov 2019 15:16:39 -0800
Subject: [PATCH 309/420] Release lock when done in tls_e2e test

Signed-off-by: Jordan Hand <jordanhand22@gmail.com>
---
 tests/tls_e2e/host/host.cpp | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/tests/tls_e2e/host/host.cpp b/tests/tls_e2e/host/host.cpp
index faa08878a5..f4008a3aa0 100644
--- a/tests/tls_e2e/host/host.cpp
+++ b/tests/tls_e2e/host/host.cpp
@@ -69,17 +69,17 @@ int g_server_thread_exit_code = 0;
 int g_client_thread_exit_code = 0;
 bool g_server_condition = false;
 
-std::mutex server_mutex;
-std::condition_variable server_cond;
-std::thread server_thread;
+std::mutex g_server_mutex;
+std::condition_variable g_server_cond;
+std::thread g_server_thread;
 
 int server_is_ready()
 {
     OE_TRACE_INFO("TLS server_is_ready!\n");
-    server_mutex.lock();
+    g_server_mutex.lock();
     g_server_condition = true;
-    server_cond.notify_all();
-    server_mutex.unlock();
+    g_server_cond.notify_all();
+    g_server_mutex.unlock();
     return 1;
 }
 
@@ -124,7 +124,7 @@ oe_result_t enclave_identity_verifier(oe_identity_t* identity, void* arg)
     return result;
 }
 
-void* run_server(void* arg)
+void run_server(void* arg)
 {
     oe_result_t result = OE_FAILURE;
     tls_thread_context_config_t* config = &(((tls_test_configs_t*)arg)->server);
@@ -159,7 +159,7 @@ void* run_server(void* arg)
     return NULL;
 }
 
-void* run_client(void* arg)
+void run_client(void* arg)
 {
     oe_result_t result = OE_FAILURE;
     tls_thread_context_config_t* client_config =
@@ -190,7 +190,7 @@ void* run_client(void* arg)
 
     OE_TRACE_INFO("Waiting for the server thread to terminate...\n");
     // block client thread until the server thread is done
-    server_thread.join();
+    g_server_thread.join();
 
     // enforce server return value
     OE_TRACE_INFO("server returns retval = [%d]\n", g_server_thread_exit_code);
@@ -229,12 +229,16 @@ void* run_client(void* arg)
 int run_test_with_config(tls_test_configs_t* test_configs)
 {
     // create server thread
-    server_thread = std::thread(run_server, (void*)test_configs);
+    g_server_thread = std::thread(run_server, (void*)test_configs);
 
     OE_TRACE_INFO("wait until TLS server is ready to accept client request\n");
-    std::unique_lock<std::mutex> l(server_mutex);
-    while (!g_server_condition)
-        server_cond.wait(l);
+
+    {
+        // Release lock on scope exit
+        std::unique_lock<std::mutex> l(g_server_mutex);
+        while (!g_server_condition)
+            g_server_cond.wait(l);
+    }
 
     fflush(stdout);
 

From bb72e95a2bc9eff450a16741445a1412d81987f6 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Tue, 19 Nov 2019 10:36:21 -0800
Subject: [PATCH 310/420] Fix some code style and change return type in
 client/server functions for tls_e2e

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 tests/tls_e2e/host/host.cpp | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/tests/tls_e2e/host/host.cpp b/tests/tls_e2e/host/host.cpp
index f4008a3aa0..3f996bfd5c 100644
--- a/tests/tls_e2e/host/host.cpp
+++ b/tests/tls_e2e/host/host.cpp
@@ -155,8 +155,6 @@ void run_server(void* arg)
 
     OE_TRACE_INFO("Leaving server thread...\n");
     fflush(stdout);
-done:
-    return NULL;
 }
 
 void run_client(void* arg)
@@ -222,8 +220,6 @@ void run_client(void* arg)
     }
 
     fflush(stdout);
-done:
-    return NULL;
 }
 
 int run_test_with_config(tls_test_configs_t* test_configs)
@@ -235,9 +231,8 @@ int run_test_with_config(tls_test_configs_t* test_configs)
 
     {
         // Release lock on scope exit
-        std::unique_lock<std::mutex> l(g_server_mutex);
-        while (!g_server_condition)
-            g_server_cond.wait(l);
+        std::unique_lock<std::mutex> server_lock(g_server_mutex);
+        g_server_cond.wait(server_lock, []{ return g_server_cond; });
     }
 
     fflush(stdout);
@@ -324,7 +319,6 @@ int run_scenarios_tests()
 int main(int argc, const char* argv[])
 {
 #ifdef OE_LINK_SGX_DCAP_QL
-
     oe_result_t result = OE_FAILURE;
     uint32_t flags = OE_ENCLAVE_FLAG_DEBUG;
     int ret = 0;

From e17cbf72c79a9d25c85cca2eb29e5225ba9c3603 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Tue, 19 Nov 2019 11:14:55 -0800
Subject: [PATCH 311/420] Fix build errors associated with missing done label

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 tests/tls_e2e/host/host.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tests/tls_e2e/host/host.cpp b/tests/tls_e2e/host/host.cpp
index 3f996bfd5c..5000f835f5 100644
--- a/tests/tls_e2e/host/host.cpp
+++ b/tests/tls_e2e/host/host.cpp
@@ -154,6 +154,9 @@ void run_server(void* arg)
     }
 
     OE_TRACE_INFO("Leaving server thread...\n");
+
+// Label needed for OE_CHECK* macros
+done:
     fflush(stdout);
 }
 
@@ -219,6 +222,8 @@ void run_client(void* arg)
         g_client_thread_exit_code = 0;
     }
 
+// Label needed for OE_CHECK* macros
+done:
     fflush(stdout);
 }
 
@@ -232,7 +237,7 @@ int run_test_with_config(tls_test_configs_t* test_configs)
     {
         // Release lock on scope exit
         std::unique_lock<std::mutex> server_lock(g_server_mutex);
-        g_server_cond.wait(server_lock, []{ return g_server_cond; });
+        g_server_cond.wait(server_lock, [] { return g_server_condition; });
     }
 
     fflush(stdout);

From 9404cc318372e30b36c0f0cb3647cd52195e590b Mon Sep 17 00:00:00 2001
From: Oprin Marius <moprin@cloudbasesolutions.com>
Date: Wed, 20 Nov 2019 17:54:37 +0200
Subject: [PATCH 312/420] Update Windows esy install path

Signed-off-by: Oprin Marius <moprin@cloudbasesolutions.com>
---
 scripts/ansible/roles/windows/openenclave/vars/windows.yml | 2 ++
 scripts/install-windows-prereqs.ps1                        | 7 ++++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/scripts/ansible/roles/windows/openenclave/vars/windows.yml b/scripts/ansible/roles/windows/openenclave/vars/windows.yml
index 553e1674b4..95baaad66e 100644
--- a/scripts/ansible/roles/windows/openenclave/vars/windows.yml
+++ b/scripts/ansible/roles/windows/openenclave/vars/windows.yml
@@ -15,6 +15,7 @@ validation_directories:
   - "C:\\Program Files\\shellcheck"
   - "C:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\BuildTools\\VC\\Auxiliary\\Build"
   - "C:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\BuildTools\\Common7\\Tools"
+  - "C:\\oe_prereqs\\node_modules\\esy"
 
 validation_files:
   - "C:\\Program Files\\LLVM\\lib\\libclang.lib"
@@ -28,3 +29,4 @@ validation_binaries:
   - "C:\\Program Files\\shellcheck\\shellcheck.exe"
   - "C:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\BuildTools\\VC\\Tools\\MSVC\\14.16.27023\\bin\\Hostx64\\x64\\cl.exe"
   - "C:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\BuildTools\\VC\\Tools\\MSVC\\14.16.27023\\bin\\Hostx64\\x64\\link.exe"
+  - "C:\\oe_prereqs\\esy"
diff --git a/scripts/install-windows-prereqs.ps1 b/scripts/install-windows-prereqs.ps1
index cdb634d6a1..4164f8181b 100644
--- a/scripts/install-windows-prereqs.ps1
+++ b/scripts/install-windows-prereqs.ps1
@@ -424,10 +424,10 @@ function Install-Node {
                  -ArgumentList @("/quiet", "/passive") `
                  -EnvironmentPath @($installDir)
 
-    Add-ToSystemPath -Path "${env:APPDATA}\npm"
+    Add-ToSystemPath -Path "${InstallPath}"
 
     Start-ExecuteWithRetry -ScriptBlock {
-        npm install -g esy@0.5.8
+        npm install --prefix "${InstallPath}" -g esy@0.5.8
     } -RetryMessage "Failed to install esy. Retrying"
 }
 
@@ -646,7 +646,6 @@ try {
     Install-OpenSSL
     Install-LLVM
     Install-Git
-    Install-Node
     Install-Shellcheck
 
     if ($LaunchConfiguration -ne "SGX1FLC-NoDriver")
@@ -665,6 +664,8 @@ try {
     }
 
     Install-DCAP-Dependencies
+    # Install-Node has to be executed after Install-DCAP-Dependencies because it removes existing $InstallPath directory
+    Install-Node
     Install-VCRuntime
 
     Write-Output 'Please reboot your computer for the configuration to complete.'

From a2a3f0c76a53e2bc51295680cb4a50d6ad0d7bcb Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Wed, 20 Nov 2019 19:19:54 +0000
Subject: [PATCH 313/420] Update bors badge to point to public bors instance

Now that we switched.

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index f8bef6a2bb..628deb1fb5 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 Open Enclave SDK
 ================
 
-[![Bors enabled](https://bors.tech/images/badge_small.svg)](https://oe-bors.westus2.cloudapp.azure.com/repositories/12) [![Build Status](https://oe-jenkins.eastus.cloudapp.azure.com/buildStatus/icon?job=OpenEnclave-nightly_packages)](https://oe-jenkins.eastus.cloudapp.azure.com/job/OpenEnclave-nightly_packages/) [![Join the chat at https://gitter.im/openenclave/community](https://badges.gitter.im/openenclave/community.svg)](https://gitter.im/openenclave/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+[![Bors enabled](https://bors.tech/images/badge_small.svg)](https://app.bors.tech/repositories/21855) [![Build Status](https://oe-jenkins.eastus.cloudapp.azure.com/buildStatus/icon?job=OpenEnclave-nightly_packages)](https://oe-jenkins.eastus.cloudapp.azure.com/job/OpenEnclave-nightly_packages/) [![Join the chat at https://gitter.im/openenclave/community](https://badges.gitter.im/openenclave/community.svg)](https://gitter.im/openenclave/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 
 Introduction
 ------------

From bdfb66c23af25ebb341e5b72bacb8ae0d9219ef3 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Wed, 20 Nov 2019 19:29:41 +0000
Subject: [PATCH 314/420] Change PR Status requirement from CLA bot to DCO bot

This was missed in the switch to DCO. It ensures that a `bors r+` will
immediately fail if DCO is not passing.

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 bors.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bors.toml b/bors.toml
index 0b4e74c2b3..936cb8df98 100644
--- a/bors.toml
+++ b/bors.toml
@@ -1,5 +1,5 @@
 status = [ "continuous-integration/jenkins/branch" ]
-pr_status = [ "license/cla" ]
+pr_status = [ "DCO" ]
 required_approvals = 1
 block_labels = [ "do not merge" ]
 delete_merged_branches = true

From f6208da1b086de258d80fa0b66d56b37bed6e6f7 Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Sat, 9 Nov 2019 00:11:44 +0000
Subject: [PATCH 315/420] Implement oe_enter, oe_enter_sim in C

- Remove hard to maintain and error prone hand-written assembly
- The compiler takes care of ABI conformance
- The same source (enter.c) is used on both Linux and Windows
- Achieve Windows ABI conformance; previous implementation was not conformant
  in the way prolog/epilog were written and how the frame pointer was setup.
- clang is used to compile enter.c in Windows

Signed-off-by: Anand Krishnamoorthi <anakrish@microsoft.com>
---
 host/CMakeLists.txt               |  38 +++-
 host/sgx/asmdefs.h                |   4 +-
 host/sgx/enter.c                  | 201 ++++++++++++++++++++
 host/sgx/linux/enter.S            | 296 ------------------------------
 host/sgx/linux/entersim.S         | 182 ------------------
 host/sgx/linux/hoststackbridge.c  |  41 +++++
 host/sgx/windows/debugrtbridge.c  |   7 +-
 host/sgx/windows/enter.asm        | 184 -------------------
 host/sgx/windows/entersim.asm     | 181 ------------------
 host/sgx/windows/host_context.asm |  78 --------
 10 files changed, 279 insertions(+), 933 deletions(-)
 create mode 100644 host/sgx/enter.c
 delete mode 100644 host/sgx/linux/enter.S
 delete mode 100644 host/sgx/linux/entersim.S
 create mode 100644 host/sgx/linux/hoststackbridge.c
 delete mode 100644 host/sgx/windows/enter.asm
 delete mode 100644 host/sgx/windows/entersim.asm
 delete mode 100644 host/sgx/windows/host_context.asm

diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index 95c3c94cda..c3687271f5 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -117,6 +117,22 @@ else()
   message(FATAL_ERROR "Unknown OS. Only supported OSes are Linux and Windows")
 endif()
 
+if (OE_SGX AND WIN32)
+  # Use clang to compile the oe_enter function that calls ENCLU.
+  # Windows debuggers (WinDbg and Visual Studio Debugger) require that the rbp
+  # is set up like a Linux x64 ABI style frame pointer by the oe_enter function.
+  # Since oe_enter function is setting up the frame-pointer, enter.c must be
+  # compiled with the -fomit-frame-pointer flag so that the compiler does not
+  # set up the frame pointer.
+  add_custom_command(
+     OUTPUT enter.obj
+     DEPENDS sgx/enter.c
+     COMMAND clang  -c -O2 -fomit-frame-pointer -m64
+             -I${PROJECT_SOURCE_DIR}/include
+             ${CMAKE_CURRENT_SOURCE_DIR}/sgx/enter.c
+             -o enter.obj)
+endif()
+
 # SGX specific files.
 if (OE_SGX)
   list(APPEND PLATFORM_HOST_ONLY_SRC
@@ -160,9 +176,9 @@ if (OE_SGX)
 
     list(APPEND PLATFORM_SDK_ONLY_SRC
       sgx/linux/aep.S
-      sgx/linux/enter.S
-      sgx/linux/entersim.S
+      sgx/enter.c
       sgx/linux/exception.c
+      sgx/linux/hoststackbridge.c
       sgx/linux/sgxioctl.c
       sgx/linux/switchless.c
       sgx/linux/xstate.c)
@@ -172,9 +188,7 @@ if (OE_SGX)
 
     list(APPEND PLATFORM_SDK_ONLY_SRC
       sgx/windows/aep.asm
-      sgx/windows/enter.asm
-      sgx/windows/entersim.asm
-      sgx/windows/host_context.asm
+      ${CMAKE_CURRENT_BINARY_DIR}/enter.obj
       sgx/windows/exception.c
       sgx/windows/switchless.c
       sgx/windows/xstate.c)
@@ -184,7 +198,7 @@ if (OE_SGX)
 elseif(OE_TRUSTZONE)
   list(APPEND PLATFORM_SDK_ONLY_SRC
     optee/log.c)
-  
+
   if (UNIX)
     list(APPEND PLATFORM_SDK_ONLY_SRC
       optee/linux/enclave.c)
@@ -196,7 +210,7 @@ elseif(OE_TRUSTZONE)
 endif()
 
 if (OE_SGX AND WIN32)
-  # oedebugrt is accessed via a bridge on Win32 and need not be linked.    
+  # oedebugrt is accessed via a bridge on Win32 and need not be linked.
   list(APPEND PLATFORM_SDK_ONLY_SRC
     sgx/windows/debugrtbridge.c)
 endif()
@@ -246,6 +260,16 @@ endif()
 if (OE_SGX AND UNIX)
   # Link oedebugrt static library.
   target_link_libraries(oehost PRIVATE oedebugrt)
+
+  # hoststackbridge and enter.c must be forced to retain the frame-pointer
+  # for ocall stack-stitching by using the -fno-omit-frame-pointer flag.
+  # Both are compiled with -O2 flag to retain the same generated assembly
+  # code in both debug and release builds.
+  set_source_files_properties(oehost
+    sgx/enter.c
+    sgx/linux/hoststackbridge.c
+    PROPERTIES
+    COMPILE_FLAGS "-O2 -fno-omit-frame-pointer")
 endif()
 
 add_dependencies(oehost syscall_untrusted_edl)
diff --git a/host/sgx/asmdefs.h b/host/sgx/asmdefs.h
index 8cc45152f0..e3185a696a 100644
--- a/host/sgx/asmdefs.h
+++ b/host/sgx/asmdefs.h
@@ -62,13 +62,13 @@ int __oe_dispatch_ocall(
 #endif
 
 #ifndef __ASSEMBLER__
-int _oe_host_stack_bridge(
+int __oe_host_stack_bridge(
     uint64_t arg1,
     uint64_t arg2,
     uint64_t* arg1_out,
     uint64_t* arg2_out,
     void* tcs,
-    void* rsp);
+    oe_enclave_t* enclave);
 #endif
 
 #ifndef __ASSEMBLER__
diff --git a/host/sgx/enter.c b/host/sgx/enter.c
new file mode 100644
index 0000000000..7d45dca8f1
--- /dev/null
+++ b/host/sgx/enter.c
@@ -0,0 +1,201 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <openenclave/internal/calls.h>
+#include <openenclave/internal/sgxtypes.h>
+#include "asmdefs.h"
+#include "enclave.h"
+
+// Define a variable with given name and bind it to the register with the
+// corresponding name. This allows manipulating the register as a normal
+// C variable. The variable and hence the register is also assigned the
+// specified value.
+#define OE_DEFINE_REGISTER(regname, value) \
+    register uint64_t regname __asm__(#regname) = (uint64_t)(value)
+
+#if _WIN32
+
+// In x64 Windows ABI, the frame pointer can be any register and the frame
+// pointer points to a constant location *within* the frame. In x64, the
+// frame pointer points to the top of the frame. Windows debugger extensions
+// for Open Enclave SDK require a linux-style frame pointer for the oe_enter
+// function on the host-side.
+#define OE_DEFINE_FRAME_POINTER(r, v) OE_DEFINE_REGISTER(r, v)
+
+// As per Windows x64 ABI, the linux style frame pointer is -0x40 bytes
+// from the address of the enclave parameter which is passed via the stack.
+// Enclave parameter is the 7th parameter. Including the return-address, the
+// Linux style frame-pointer is -(7+1)*8 = -64 = -0x40 bytes from the enclave
+// parameter in the stack.
+#define OE_FRAME_POINTER_VALUE ((uint64_t)&enclave - 0x40)
+#define OE_FRAME_POINTER , "r"(rbp)
+
+// The SDK currently does not use a bridge for ocall stack-stitching on Windows.
+// Unlike oegdb, the Windows debuggers (WinDbg, VS Debugger) rely on the
+// function name being __oe_dispatch_ocall to detect host-enclave transition
+// during stack-walking and don't require that the stack be actually stitched
+// by the ocall-bridge. In the future, the Windows Debuggers would also require
+// that the SDK stitches the ocall stack, simplifying the debugger
+// implementations.
+#define OE_OCALL_BRIDGE __oe_dispatch_ocall
+
+#elif __linux__
+
+// The debugger requires a Linux x64 ABI frame pointer for stack walking.
+// Therefore, this file must be compiled with -fno-omit-frame-pointer.
+// Nothing else needs to be done and the macros below are noops.
+#define OE_DEFINE_FRAME_POINTER(r, v) OE_UNUSED(v)
+#define OE_FRAME_POINTER_VALUE 0
+#define OE_FRAME_POINTER
+
+// The SDK uses a bridge to stitch the ocall stack with the help
+// of the debugger.
+#define OE_OCALL_BRIDGE __oe_host_stack_bridge
+
+#endif
+
+// The following registers are inputs to ENCLU instruction. They are also
+// clobbered. Hence marked as +r.
+#define OE_ENCLU_REGISTERS "+r"(rax), "+r"(rbx), "+r"(rcx), "+r"(rdi), "+r"(rsi)
+
+// The following registers are clobbered by ENCLU.
+// Only rbp and rsp are preserved.
+#define OE_ENCLU_CLOBBERED_REGISTERS \
+    "rdx", "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
+
+/**
+ * oe_enter Executes the ENCLU instruction and transfers control to the enclave.
+ *
+ * The ENCLU instruction has the following contract:
+ * EENTER(RBX=TCS, RCX=AEP, RDI=ARG1, RSI=ARG2) contract
+ * Input:
+ *       RBX=TCS, RCX=AEP, RDI=ARG1, RSI=ARG2,
+ *       RBP=Current host stack rbp,
+ *       RSP=Current host stack sp.
+ *       All other registers are NOT used/ignored.
+ *  Output:
+ *       RDI=ARG1OUT, RSI=ARG2OUT,
+ *       RBP is not changed,
+ *       RSP might be decreased because of host stack memory allocation.
+ *       All other Registers are clobbered.
+ */
+OE_NEVER_INLINE
+void oe_enter(
+    void* tcs,
+    uint64_t aep,
+    uint64_t arg1,
+    uint64_t arg2,
+    uint64_t* arg3,
+    uint64_t* arg4,
+    oe_enclave_t* enclave)
+{
+    // The general purpose registers are preserved by the compiler.
+    // The floating point state and the flags must be explicitly preserved.
+    // The space for saving the floating-point state must be 16 byte aligned.
+    OE_ALIGNED(16)
+    uint64_t fx_state[64];
+
+    while (1)
+    {
+        // Define register bindings and initialize the registers.
+        // On Windows, explicitly setup rbp as a Linux ABI style frame-pointer.
+        // On Linux, the frame-pointer is set up by compiling the file with the
+        // -fno-omit-frame-pointer flag.
+        OE_DEFINE_REGISTER(rax, ENCLU_EENTER);
+        OE_DEFINE_REGISTER(rbx, tcs);
+        OE_DEFINE_REGISTER(rcx, aep);
+        OE_DEFINE_REGISTER(rdi, arg1);
+        OE_DEFINE_REGISTER(rsi, arg2);
+        OE_DEFINE_FRAME_POINTER(rbp, OE_FRAME_POINTER_VALUE);
+
+        asm volatile("fxsave %[fx_state] \n\t" // Save floating point state.
+                     "pushfq \n\t"             // Save flags.
+                     "enclu \n\t"
+                     "popfq \n\t"               // Restore flags.
+                     "fxrstor %[fx_state] \n\t" // Restore floating point state.
+                     : OE_ENCLU_REGISTERS
+                     : [fx_state] "m"(fx_state)OE_FRAME_POINTER
+                     : OE_ENCLU_CLOBBERED_REGISTERS);
+
+        // Update arg1 and arg2 with outputs returned by the enclave.
+        arg1 = rdi;
+        arg2 = rsi;
+
+        // Make an OCALL if needed.
+        oe_code_t code = oe_get_code_from_call_arg1(arg1);
+        if (code == OE_CODE_OCALL)
+        {
+            OE_OCALL_BRIDGE(arg1, arg2, &arg1, &arg2, tcs, enclave);
+        }
+        else
+            break;
+    }
+
+    *arg3 = arg1;
+    *arg4 = arg2;
+}
+
+/**
+ * oe_enter_sim Simulates the ENCLU instruction.
+ *
+ * See oe_enter above for ENCLU instruction's contract.
+ * For simulation, the contract is modified as below:
+ *  - rax is the CSSA which is always 0
+ *  - rcx contains the return address instead of the AEP
+ *  - The address of the enclave entry point is fetched from the tcs
+ *    (offset 72) and the control is transferred to it via a jmp
+ */
+OE_NEVER_INLINE
+void oe_enter_sim(
+    void* tcs,
+    uint64_t aep,
+    uint64_t arg1,
+    uint64_t arg2,
+    uint64_t* arg3,
+    uint64_t* arg4,
+    oe_enclave_t* enclave)
+{
+    OE_UNUSED(aep);
+    OE_ALIGNED(16)
+    uint64_t fx_state[64];
+
+    while (1)
+    {
+        // Define register bindings and initialize the registers.
+        // See oe_enter for ENCLU contract.
+        OE_DEFINE_REGISTER(rax, 0 /* CSSA */);
+        OE_DEFINE_REGISTER(rbx, tcs);
+        OE_DEFINE_REGISTER(rcx, 0 /* filled in asm snippet */);
+        OE_DEFINE_REGISTER(rdi, arg1);
+        OE_DEFINE_REGISTER(rsi, arg2);
+        OE_DEFINE_FRAME_POINTER(rbp, OE_FRAME_POINTER_VALUE);
+
+        asm volatile("fxsave %[fx_state] \n\t"    // Save floating point state
+                     "pushfq \n\t"                // Save flags
+                     "lea 1f(%%rip), %%rcx \n\t"  // Load return address in rcx
+                     "mov 72(%%rbx), %% rdx \n\t" // Load enclave entry point
+                     "jmp *%%rdx  \n\t"           // Jump to enclave entry point
+                     "1: \n\t"
+                     "popfq \n\t"               // Restore flags
+                     "fxrstor %[fx_state] \n\t" // Restore floating point state
+                     : OE_ENCLU_REGISTERS
+                     : [fx_state] "m"(fx_state)OE_FRAME_POINTER
+                     : OE_ENCLU_CLOBBERED_REGISTERS);
+
+        // Update arg1 and arg2 with outputs returned by the enclave.
+        arg1 = rdi;
+        arg2 = rsi;
+
+        // Make an OCALL if needed.
+        oe_code_t code = oe_get_code_from_call_arg1(arg1);
+        if (code == OE_CODE_OCALL)
+        {
+            OE_OCALL_BRIDGE(arg1, arg2, &arg1, &arg2, tcs, enclave);
+        }
+        else
+            break;
+    }
+
+    *arg3 = arg1;
+    *arg4 = arg2;
+}
diff --git a/host/sgx/linux/enter.S b/host/sgx/linux/enter.S
deleted file mode 100644
index 6c0ef66f3e..0000000000
--- a/host/sgx/linux/enter.S
+++ /dev/null
@@ -1,296 +0,0 @@
-// Copyright (c) Open Enclave SDK contributors.
-// Licensed under the MIT License.
-
-#include "../asmdefs.h"
-#include <openenclave/internal/context.inc>
-
-//==============================================================================
-//
-// void __morestack(
-//     [IN] void* tcs,                  /* RDI */
-//     [IN] uint64_t aep,               /* RSI */
-//     [IN] uint64_t arg1,              /* RDX */
-//     [IN] uint64_t arg2,              /* RCX */
-//     [OUT] uint64_t* arg3,            /* R8 */
-//     [OUT] uint64_t* arg4,            /* R9 */
-//     [IN] oe_enclave_t* enclave);       /* on stack */
-//
-// Registers:
-//     RDI   - tcs: thread control structure
-//     RSI   - aep: asynchronous execution procedure
-//     RDX   - arg1
-//     RCX   - arg2
-//     R8    - arg3
-//     R9    - arg4
-//
-// N.B: Don't change the function name, otherwise debugger can't work.
-// GDB depends on this hardcode function name when does stack walking for split
-// stack.
-//
-// Note that oe_enter is defined to __morestack
-//
-//==============================================================================
-
-#define TCS             (-1*OE_WORDSIZE)(%rbp)
-#define AEP             (-2*OE_WORDSIZE)(%rbp)
-#define ARG1            (-3*OE_WORDSIZE)(%rbp)
-#define ARG2            (-4*OE_WORDSIZE)(%rbp)
-#define ARG3            (-5*OE_WORDSIZE)(%rbp)
-#define ARG4            (-6*OE_WORDSIZE)(%rbp)
-#define ENCLAVE         (-7*OE_WORDSIZE)(%rbp)
-#define ARG1OUT         (-8*OE_WORDSIZE)(%rbp)
-#define ARG2OUT         (-9*OE_WORDSIZE)(%rbp)
-#define RSP             (-10*OE_WORDSIZE)(%rbp)
-#define HOST_CONTEXT    (-11*OE_WORDSIZE)(%rbp)
-// We need an extra OE_WORDSIZE to keep the stack aligned.
-#define PARAMS_SPACE    ((12*OE_WORDSIZE) + OE_CONTEXT_SIZE)
-
-.globl __morestack
-.type __morestack, @function
-__morestack:
-
-    // Setup stack frame:
-    push %rbp
-    mov %rsp, %rbp
-
-    // Save parameters on stack for later reference:
-    sub $PARAMS_SPACE, %rsp
-    mov %rdi, TCS
-    mov %rsi, AEP
-    mov %rdx, ARG1
-    mov %rcx, ARG2
-    mov %r8,  ARG3
-    mov %r9,  ARG4
-    mov 16(%rbp), %rax  // enclave parameter
-    mov %rax, ENCLAVE
-
-    // The host context will be saved in the host stack.
-    mov %rsp, HOST_CONTEXT
-
-.execute_eenter:
-
-    // Save the current context.
-    mov HOST_CONTEXT, %rdi
-    call oe_snap_current_context@PLT
-
-    // Save the stack pointer so enclave can use the stack.
-    mov %rsp, RSP
-
-    // The EENTER(RBX=TCS, RCX=AEP, RDI=ARG1, RSI=ARG2) contract:
-    // Input:
-    //      RBX=TCS, RCX=AEP, RDI=ARG1, RSI=ARG2,
-    //      RBP=Current host stack rbp,
-    //      RSP=Current host stack sp.
-    //      All other registers are NOT used/ignored.
-    // Output:
-    //      RDI=ARG1OUT, RSI=ARG2OUT,
-    //      RBP is not changed,
-    //      RSP might be decreased because of host stack memory allocation.
-    //      All other Registers are clobbered.
-    mov TCS, %rbx
-    mov AEP, %rcx
-    mov ARG1, %rdi
-    mov ARG2, %rsi
-    mov $ENCLU_EENTER, %rax
-    ENCLU
-
-    // Align the stack since enclave code change the host rsp for call out.
-    and $-16, %rsp
-
-    mov %rdi, ARG1OUT
-    mov %rsi, ARG2OUT
-
-    // Restore the saved host context.
-    mov HOST_CONTEXT, %rdi
-    call oe_restore_partial_context@PLT
-
-    // Check if it is an OCALL needed to be dispatched.
-    // ecall-return-check.
-    mov ARG1OUT, %r10
-    shr $48, %r10
-    cmpq $OE_OCALL_CODE, %r10
-    jne .return_from_ecall
-
-.dispatch_ocall:
-    // Stop speculative execution at fallthrough of conditional
-    // ecall-return-check.
-    lfence
-
-    // Save registers that could get clobbered below or by function call.
-    push %rdi
-    push %rsi
-    push %rdx
-    push %rcx
-    push %rbx
-    push %r8
-    push %r9
-    push %r12
-    push %r13
-
-    // RAX = __oe_host_stack_bridge(
-    //     RDI=arg1
-    //     RSI=arg2
-    //     RDX=arg1_out
-    //     RCX=arg2_out
-    //     R8=TCS,
-    //     R9=RSP)
-    mov ARG1OUT, %rdi
-    mov ARG2OUT, %rsi
-    leaq ARG1OUT, %rdx
-    leaq ARG2OUT, %rcx
-    mov TCS, %r8
-    mov RSP, %r9
-    push ENCLAVE // push enclave parameter
-    call __oe_host_stack_bridge@PLT
-    add $8, %rsp // pop enclave parameter
-
-    // Restore registers (except RDI and RSI)
-    pop %r13
-    pop %r12
-    pop %r9
-    pop %r8
-    pop %rbx
-    pop %rcx
-    pop %rdx
-    pop %rsi
-    pop %rdi
-
-    // Restore the stack pointer:
-    mov RSP, %rsp
-
-    // If this was not an OCALL, then return from ECALL.
-    // ecall-return-check-1.
-    cmp $0, %rax
-    jne .return_from_ecall
-
-    // Stop speculative execution at fallthrough of conditional
-    // ecall-return-check-1.
-    lfence
-    
-    // Execute EENTER(RBX=TCS, RCX=AEP, RDI=ARG1, RSI=ARG2)
-    mov ARG1OUT, %rax
-    mov %rax, ARG1
-    mov ARG2OUT, %rax
-    mov %rax, ARG2
-    jmp .execute_eenter
-
-.return_from_ecall:
-    // Stop speculative execution at target of conditional jump
-    // ecall-return-check and ecall-return-check-1.
-    lfence
-
-    // Set output parameters:
-    mov ARG1OUT, %rax
-    mov %rax, (%r8) /* arg3 */
-    mov ARG2OUT, %rax
-    mov %rax, (%r9) /* arg3 */
-
-    // Restore stack frame:
-    mov %rbp, %rsp
-    pop %rbp
-
-    ret
-
-.size __morestack, .-__morestack
-
-//==============================================================================
-//
-// __oe_host_stack_bridge(
-//     [IN] uint64_t arg1,      /* RDI */
-//     [IN] uint64_t arg2,      /* RSI */
-//     [OUT] uint64_t* arg3,    /* RDX */
-//     [OUT] uint64_t* arg4,    /* RCX */
-//     [IN] void* tcs,          /* R8 */
-//     [IN] void* rsp,          /* R9 */
-//     [IN] uint64_t enclave)    /* STACK */
-//
-// This function is wrapper of __oe_dispatch_ocall. It is needed to stitch
-// the host stack and enclave stack together.
-//
-//==============================================================================
-
-#define HB_SAVED_OCALL_RETURN   (0*OE_WORDSIZE)(%rsp)
-#define HB_SAVED_ARG1           (1*OE_WORDSIZE)(%rsp)
-#define HB_SAVED_ARG2           (2*OE_WORDSIZE)(%rsp)
-#define HB_SAVED_ARG3           (3*OE_WORDSIZE)(%rsp)
-#define HB_SAVED_ARG4           (4*OE_WORDSIZE)(%rsp)
-#define HB_SAVED_TCS            (5*OE_WORDSIZE)(%rsp)
-#define HB_SAVED_RSP            (6*OE_WORDSIZE)(%rsp)
-#define HB_SAVED_ENCLAVE         (7*OE_WORDSIZE)(%rsp)
-#define HB_SAVED_RETURN_ADDR    (8*OE_WORDSIZE)(%rsp)
-#define HB_SAVED_FRAME_POINTER  (9*OE_WORDSIZE)(%rsp)
-#define HB_STACK_LENGTH         (10*OE_WORDSIZE)
-
-.globl __oe_host_stack_bridge
-.type __oe_host_stack_bridge, @function
-.type oe_notify_ocall_start,@function
-.hidden oe_notify_ocall_start
-.type oe_notify_ocall_end,@function
-.hidden oe_notify_ocall_end
-__oe_host_stack_bridge:
-.cfi_startproc
-    push %rbp
-.cfi_def_cfa_offset 16
-.cfi_offset rbp,-16
-    mov %rsp, %rbp
-.cfi_def_cfa_register   rbp
-    sub $HB_STACK_LENGTH, %rsp
-
-    // Save the current return address and frame point of __oe_host_stack_bridge
-    // into stack.
-    mov 0(%rbp), %rax
-    mov %rax, HB_SAVED_FRAME_POINTER
-    mov (1*OE_WORDSIZE)(%rbp), %rax
-    mov %rax, HB_SAVED_RETURN_ADDR
-
-    // Save the function parameters needed for __oe_dispatch_ocall into stack.
-    mov %rdi, HB_SAVED_ARG1     // arg1
-    mov %rsi, HB_SAVED_ARG2     // arg2
-    mov %rdx, HB_SAVED_ARG3     // arg3
-    mov %rcx, HB_SAVED_ARG4     // arg4
-    mov %r8,  HB_SAVED_TCS      // tcs
-    mov %r9, HB_SAVED_RSP       // rsp
-    mov 16(%rbp), %rax          // enclave
-    mov %rax, HB_SAVED_ENCLAVE
-
-    // Notify that an ocall happens in current host thread.
-    // oe_notify_ocall_start(rdi=host_frame_pointer, rsi=tcs)
-    mov %rbp, %rdi
-    mov %r8,  %rsi
-    call oe_notify_ocall_start@PLT
-
-    // Restore the parameters for __oe_dispatch_ocall.
-    mov HB_SAVED_ARG1, %rdi
-    mov HB_SAVED_ARG2, %rsi
-    mov HB_SAVED_ARG3, %rdx
-    mov HB_SAVED_ARG4, %rcx
-    mov HB_SAVED_TCS, %r8
-    mov HB_SAVED_ENCLAVE, %r9
-
-    // Do actual OCALL.
-    call __oe_dispatch_ocall@PLT
-
-    // Save the return value of OCALL dispatch.
-    mov %rax, HB_SAVED_OCALL_RETURN
-
-    // Notify that an ocall is done in current host thread.
-    // oe_notify_ocall_start(rdi=host_frame_pointer, rsi=tcs)
-    mov %rbp, %rdi
-    mov HB_SAVED_TCS, %rsi
-    call oe_notify_ocall_end@PLT
-
-    // Because of stack stitching, the return address might be overwritten by
-    // gdb. Restore the current return address and frame point of
-    // __oe_host_stack_bridge from stack.
-    mov HB_SAVED_FRAME_POINTER, %rax
-    mov %rax, (0*OE_WORDSIZE)(%rbp)
-    mov HB_SAVED_RETURN_ADDR, %rax
-    mov %rax, (1*OE_WORDSIZE)(%rbp)
-
-    // Restore the return value of OCALL dispatch.
-    mov HB_SAVED_OCALL_RETURN, %rax
-
-    leave
-    ret
-
-.cfi_endproc
diff --git a/host/sgx/linux/entersim.S b/host/sgx/linux/entersim.S
deleted file mode 100644
index b13e20338e..0000000000
--- a/host/sgx/linux/entersim.S
+++ /dev/null
@@ -1,182 +0,0 @@
-// Copyright (c) Open Enclave SDK contributors.
-// Licensed under the MIT License.
-
-#include "../asmdefs.h"
-#include <openenclave/internal/constants_x64.h>
-
-//==============================================================================
-//
-// void oe_enter_sim(
-//     [IN] void* tcs,
-//     [IN] uint64_t aep,
-//     [IN] uint64_t arg1,
-//     [IN] uint64_t arg2,
-//     [OUT] uint64_t* arg3,
-//     [OUT] uint64_t* arg4,
-//     [IN] oe_enclave_t* enclave);
-//
-// Registers:
-//     RDI   - tcs: thread control structure (extended)
-//     RSI   - aep: asynchronous execution procedure
-//     RDX   - arg1
-//     RCX   - arg2
-//     R8    - arg3
-//     R9    - arg4
-//
-//==============================================================================
-
-#define TCS             (-1*OE_WORDSIZE)(%rbp)
-#define AEP             (-2*OE_WORDSIZE)(%rbp)
-#define ARG1            (-3*OE_WORDSIZE)(%rbp)
-#define ARG2            (-4*OE_WORDSIZE)(%rbp)
-#define ARG3            (-5*OE_WORDSIZE)(%rbp)
-#define ARG4            (-6*OE_WORDSIZE)(%rbp)
-#define ENCLAVE          (-7*OE_WORDSIZE)(%rbp)
-#define ARG1OUT         (-8*OE_WORDSIZE)(%rbp)
-#define ARG2OUT         (-9*OE_WORDSIZE)(%rbp)
-#define CSSA            (-10*OE_WORDSIZE)(%rbp)
-#define RSP             (-11*OE_WORDSIZE)(%rbp)
-#define HOST_CONTEXT    (-12*OE_WORDSIZE)(%rbp)
-#define PARAMS_SPACE    ((12*OE_WORDSIZE) + OE_CONTEXT_SIZE)
-
-.globl oe_enter_sim
-.type oe_enter_sim, @function
-oe_enter_sim:
-.cfi_startproc
-
-    // Setup stack frame:
-    push %rbp
-    mov %rsp, %rbp
-
-    // Save parameters on stack for later reference:
-    sub $PARAMS_SPACE, %rsp
-    mov %rdi, TCS
-    mov %rsi, AEP
-    mov %rdx, ARG1
-    mov %rcx, ARG2
-    mov %r8, ARG3
-    mov %r9, ARG4
-    mov 16(%rbp), %rax  // enclave parameter
-    mov %rax, ENCLAVE
-    movq $0, CSSA
-
-    // The host context will be saved in the host stack.
-    mov %rsp, HOST_CONTEXT
-
-    // Save registers:
-    push %rbx
-
-.call_start:
-
-    // Save the current context.
-    mov HOST_CONTEXT, %rdi
-    call oe_snap_current_context@PLT
-
-    // Save the stack pointer so enclave can use the stack.
-    mov %rsp, RSP
-
-    // Call start(RAX=CSSA, RBX=TCS, RCX=RETADDR, RDI=ARG1, RSI=ARG2)
-    mov CSSA, %rax
-    mov TCS, %rbx
-    mov 72(%rbx), %rdx  // RDX=TCS.u.main (72)
-    mov ARG1, %rdi
-    mov ARG2, %rsi
-    lea .retaddr(%rip), %rcx
-    jmp *%rdx
-.retaddr:
-    mov %rdi, ARG1OUT
-    mov %rsi, ARG2OUT
-
-    // Align the stack since enclave code change the host rsp for call out.
-    and $-16, %rsp
-
-    // Restore the saved host context.
-    mov HOST_CONTEXT, %rdi
-    call oe_restore_partial_context@PLT
-
-.dispatch_ocall_sim:
-
-    // Save registers that could get clobbered below or by function call.
-    push %rdi
-    push %rsi
-    push %rdx
-    push %rcx
-    push %rbx
-    push %r8
-    push %r9
-    push %r12
-    push %r13
-    // Push one extra register to keep the stack aligned.
-    push %r13
-
-    // RAX = __oe_dispatch_ocall(
-    //     RDI=arg1
-    //     RSI=arg2
-    //     RDX=arg1_out
-    //     RCX=arg2_out
-    //     R8=TCS)
-    mov ARG1OUT, %rdi
-    mov ARG2OUT, %rsi
-    leaq ARG1OUT, %rdx
-    leaq ARG2OUT, %rcx
-    mov TCS, %r8
-    mov ENCLAVE, %r9
-    call __oe_dispatch_ocall@PLT
-
-    // Restore registers saved above:
-    pop %r13
-    pop %r13
-    pop %r12
-    pop %r9
-    pop %r8
-    pop %rbx
-    pop %rcx
-    pop %rdx
-    pop %rsi
-    pop %rdi
-
-    // Restore the stack pointer:
-    mov RSP, %rsp
-
-    // If this was not an OCALL, then return from ECALL.
-    // ecall-return-check.
-    cmp $0, %rax
-    jne .return_from_ecall_sim
-
-    // Stop speculative execution at fallthrough of conditional
-    // ecall-return-check.
-    lfence
-
-    // (RDI=TCS, RDX=ARG1, RCX=ARG2)
-    mov ARG1OUT, %rax
-    mov %rax, ARG1
-    mov ARG2OUT, %rax
-    mov %rax, ARG2
-    jmp .call_start
-
-.return_from_ecall_sim:
-    // Stop speculative execution at target of conditional jump
-    // ecall-return-check.
-    lfence
-    
-    // Set output parameters:
-    mov ARG1OUT, %rax
-    mov %rax, (%r8) /* arg3 */
-    mov ARG2OUT, %rax
-    mov %rax, (%r9) /* arg4 */
-
-    // Restore registers:
-    pop %rbx
-
-    // Return parameters space:
-    add $PARAMS_SPACE, %rsp
-
-    // Restore stack frame:
-    pop %rbp
-
-    ret
-
-.forever:
-    jmp .forever
-
-.cfi_endproc
diff --git a/host/sgx/linux/hoststackbridge.c b/host/sgx/linux/hoststackbridge.c
new file mode 100644
index 0000000000..ec573571c2
--- /dev/null
+++ b/host/sgx/linux/hoststackbridge.c
@@ -0,0 +1,41 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <openenclave/internal/calls.h>
+#include <openenclave/internal/context.h>
+#include <openenclave/internal/sgxtypes.h>
+#include "../asmdefs.h"
+
+// The following function must not be inlined and must have a frame-pointer
+// so that the frame can be manipulated to stitch the ocall stack.
+// This is ensured by compiling this file with -fno-omit-frame-pointer.
+OE_NEVER_INLINE
+int __oe_host_stack_bridge(
+    uint64_t arg1,
+    uint64_t arg2,
+    uint64_t* arg1_out,
+    uint64_t* arg2_out,
+    void* tcs,
+    oe_enclave_t* enclave)
+{
+    oe_host_ocall_frame_t *current, backup;
+
+    // Fetch pointer to current frame.
+    asm volatile("mov %%rbp, %0\n\t" : "=r"(current) : : "memory");
+
+    // Back up current frame.
+    backup = *current;
+
+    // Notify the debugger to overwrite the return address of
+    // the current frame with the exit frame of the enclave.
+    // This will stitch the ocall stack.
+    oe_notify_ocall_start(current, tcs);
+
+    int ret = __oe_dispatch_ocall(arg1, arg2, arg1_out, arg2_out, tcs, enclave);
+
+    // Restore the frame so that this function can return to the caller
+    // correctly. Alternatively, we could use a setjmp/longjmp combination.
+    *current = backup;
+
+    return ret;
+}
diff --git a/host/sgx/windows/debugrtbridge.c b/host/sgx/windows/debugrtbridge.c
index be859906cf..b31ab072f8 100644
--- a/host/sgx/windows/debugrtbridge.c
+++ b/host/sgx/windows/debugrtbridge.c
@@ -47,18 +47,19 @@ static void load_oedebugrt(void)
             debugrtpath,
             NULL, /* reserved */
             /* Search only specified path. */
-            LOAD_LIBRARY_SEARCH_DEFAULT_DIRS);
+            LOAD_WITH_ALTERED_SEARCH_PATH);
     }
 
 #endif
 
-    /* Search for oedebugrt.dll only in the application folder. */
+    /* Search for oedebugrt.dll first in the application folder and then the
+     * system32 folder.*/
     if (_oedebugrt.hmodule == NULL)
     {
         _oedebugrt.hmodule = LoadLibraryExA(
             "oedebugrt.dll",
             NULL, /* reserved */
-            LOAD_LIBRARY_SEARCH_APPLICATION_DIR);
+            LOAD_LIBRARY_SEARCH_DEFAULT_DIRS);
     }
 
     if (_oedebugrt.hmodule != NULL)
diff --git a/host/sgx/windows/enter.asm b/host/sgx/windows/enter.asm
deleted file mode 100644
index dcbfdfe54b..0000000000
--- a/host/sgx/windows/enter.asm
+++ /dev/null
@@ -1,184 +0,0 @@
-;; Copyright (c) Open Enclave SDK contributors.
-;; Licensed under the MIT License.
-
-include ksamd64.inc
-
-extern __oe_dispatch_ocall:proc
-extern oe_save_host_context:proc
-extern oe_restore_host_context:proc
-
-;;==============================================================================
-;;
-;; void oe_enter(
-;;     [IN] void* tcs,
-;;     [IN] uint64_t aep,
-;;     [IN] uint64_t arg1,
-;;     [IN] uint64_t arg2,
-;;     [OUT] uint64_t* arg3,
-;;     [OUT] uint64_t* arg4,
-;;     [OUT] oe_enclave_t* enclave);
-;;
-;; Parameters passed on register and stack:
-;;     RCX      - tcs: thread control structure (extended)
-;;     RDX      - aep: asynchronous execution procedure
-;;     R8       - arg1
-;;     R9       - arg2
-;;     [RBP+48] - arg3
-;;     [RBP+56] - arg4
-;;     [RBP+64] - enclave
-;;
-;; These registers may be destroyed across function calls:
-;;     RAX, RCX, RDX, R8, R9, R10, R11
-;;
-;; These registers must be preserved across function calls:
-;;     RBX, RBP, RDI, RSI, RSP, R12, R13, R14, and R15
-;;
-;;==============================================================================
-
-ENCLU_EENTER    EQU 2
-
-ARG3_PARAM      EQU [rbp+48]
-ARG4_PARAM      EQU [rbp+56]
-ENCLAVE_PARAM   EQU [rbp+64]
-
-TCS             EQU [rbp-8]
-AEP             EQU [rbp-16]
-ARG1            EQU [rbp-24]
-ARG2            EQU [rbp-32]
-ARG3            EQU [rbp-40]
-ARG4            EQU [rbp-48]
-ENCLAVE         EQU [rbp-56]
-ARG1OUT         EQU [rbp-64]
-ARG2OUT         EQU [rbp-72]
-STACKPTR        EQU [rbp-80]
-HOST_CONTEXT    EQU [rbp-88]
-
-;; Reserve parameter space based on:
-;; + 88 bytes for 11*8-byte parameters TCS to HOST_CONTEXT
-;; HOST_CONTEXT points to the start of the context data consisting of:
-;; + 64 bytes for 8*8-byte callee-preserved registers
-;; + 512-byte OE_CONTEXT_FLOAT memory image used in fxsave/fxrstor
-;; + 8 bytes so that the stack remains 16-byte aligned.
-PARAMS_SPACE    EQU 672
-
-NESTED_ENTRY oe_enter, _TEXT$00
-    END_PROLOGUE
-
-    ;; Setup stack frame:
-    push rbp ;; Stack is 16-byte aligned at this point
-    mov rbp, rsp
-
-    ;; Save parameters on stack for later reference:
-    ;;     TCS  := [RBP-8]  <- RCX
-    ;;     AEP  := [RBP-16] <- RDX
-    ;;     ARG1 := [RBP-24] <- R8
-    ;;     ARG2 := [RBP-32] <- R9
-    ;;     ARG3 := [RBP-40] <- ARG3_PARAM := [RBP+48]
-    ;;     ARG4 := [RBP-48] <- ARG4_PARAM := [RBP+56]
-    ;;     ENCLAVE := [RBP-56] <- ENCLAVE_PARAM := [RBP+64]
-    ;;     HOST_CONTEXT := [RBP-88]
-    sub rsp, PARAMS_SPACE
-    mov TCS, rcx
-    mov AEP, rdx
-    mov ARG1, r8
-    mov ARG2, r9
-    mov rax, ARG3_PARAM
-    mov ARG3, rax
-    mov rax, ARG4_PARAM
-    mov ARG4, rax
-    mov rax, ENCLAVE_PARAM
-    mov ENCLAVE, rax
-
-    ;; Set the save location for the host context on the host stack
-    mov HOST_CONTEXT, rsp
-
-execute_eenter:
-
-    ;; Save the current host context
-    mov rcx, HOST_CONTEXT
-    call oe_save_host_context
-
-    ;; Save the stack pointer so enclave can use the stack.
-    mov STACKPTR, rsp
-
-    ;; EENTER(RBX=TCS, RCX=AEP, RDI=ARG1, RSI=ARG2)
-    mov rbx, TCS
-    mov rcx, AEP
-    mov rdi, ARG1
-    mov rsi, ARG2
-    mov rax, ENCLU_EENTER
-    ENCLU
-
-    mov ARG1OUT, rdi
-    mov ARG2OUT, rsi
-
-    ;; Restore the saved host context
-    mov rcx, HOST_CONTEXT
-    call oe_restore_host_context
-
-dispatch_ocall:
-    ;; RAX = __oe_dispatch_ocall(
-    ;;     RCX=arg1
-    ;;     RDX=arg2
-    ;;     R8=arg1_out
-    ;;     R9=arg2_out
-    ;;     [RSP+32]=TCS,
-    ;;     [RSP+40]=ENCLAVE);
-    ;;
-    ;; Stack should already be 16-byte aligned, so only need
-    ;; shadow space (32 bytes) plus stack params size (16 bytes)
-    sub rsp, 48
-    mov rcx, ARG1OUT
-    mov rdx, ARG2OUT
-    lea r8, qword ptr ARG1OUT
-    lea r9, qword ptr ARG2OUT
-    mov rax, qword ptr TCS
-    mov qword ptr [rsp+32], rax
-    mov rax, qword ptr ENCLAVE
-    mov qword ptr [rsp+40], rax
-    call __oe_dispatch_ocall ;; RAX contains return value
-    add rsp, 48
-
-    ;; Restore the stack pointer
-    mov rsp, STACKPTR
-
-    ;; If this was not an OCALL, then return from ECALL.
-    cmp rax, 0
-    jne return_from_ecall
-
-    ;; Stop speculative execution at fallthrough of conditional check
-    lfence
-
-    ;; Prepare to reenter the enclave, calling the entry point.
-    mov rax, ARG1OUT
-    mov ARG1, rax
-    mov rax, ARG2OUT
-    mov ARG2, rax
-    jmp execute_eenter
-
-return_from_ecall:
-    ;; Stop speculative execution at target of conditional jump
-    lfence
-
-    ;; Set ARG3 (out)
-    mov r10, ARG1OUT
-    mov rax, qword ptr ARG3_PARAM
-    mov qword ptr [rax], r10
-
-    ;; Set ARG4 (out)
-    mov r10, ARG2OUT
-    mov rax, qword ptr ARG4_PARAM
-    mov qword ptr [rax], r10
-
-    ;; Return parameters space and restore the stack pointer
-    mov rsp, rbp
-
-    ;; Restore stack frame
-    pop rbp
-
-    BEGIN_EPILOGUE
-    ret
-
-NESTED_END oe_enter, _TEXT$00
-
-END
diff --git a/host/sgx/windows/entersim.asm b/host/sgx/windows/entersim.asm
deleted file mode 100644
index 229759f074..0000000000
--- a/host/sgx/windows/entersim.asm
+++ /dev/null
@@ -1,181 +0,0 @@
-;; Copyright (c) Open Enclave SDK contributors.
-;; Licensed under the MIT License.
-
-include ksamd64.inc
-
-extern __oe_dispatch_ocall:proc
-
-;;==============================================================================
-;;
-;; void oe_enter_sim(
-;;     [IN] void* tcs,
-;;     [IN] uint64_t aep,
-;;     [IN] uint64_t arg1,
-;;     [IN] uint64_t arg2,
-;;     [OUT] uint64_t* arg3,
-;;     [OUT] uint64_t* arg4,
-;;     [OUT] oe_enclave_t* enclave);
-;;
-;; Registers:
-;;     RCX      - tcs: thread control structure (extended)
-;;     RDX      - aep: asynchronous execution procedure
-;;     R8       - arg1
-;;     R9       - arg2
-;;     [RBP+48] - arg3
-;;     [RBP+56] - arg4
-;;
-;; These registers may be destroyed across function calls:
-;;     RAX, RCX, RDX, R8, R9, R10, R11
-;;
-;; These registers must be preserved across function calls:
-;;     RBX, RBP, RDI, RSI, RSP, R12, R13, R14, and R15
-;;
-;;==============================================================================
-
-PARAMS_SPACE    EQU 128
-TCS             EQU [rbp-8]
-AEP             EQU [rbp-16]
-ARG1            EQU [rbp-24]
-ARG2            EQU [rbp-32]
-ARG3            EQU [rbp-40]
-ARG4            EQU [rbp-48]
-ENCLAVE          EQU [rbp-56]
-ARG1OUT         EQU [rbp-64]
-ARG2OUT         EQU [rbp-72]
-CSSA            EQU [rbp-80]
-STACKPTR        EQU [rbp-88]
-TCS_u_main      EQU 72
-
-NESTED_ENTRY oe_enter_sim, _TEXT$00
-    END_PROLOGUE
-
-    ;; Setup stack frame:
-    push rbp
-    mov rbp, rsp
-
-    ;; Save parameters on stack for later reference:
-    ;;     TCS  := [RBP-8]  <- RCX
-    ;;     AEP  := [RBP-16] <- RDX
-    ;;     ARG1 := [RBP-24] <- R8
-    ;;     ARG2 := [RBP-32] <- R9
-    ;;     ARG3 := [RBP-40] <- [RBP+48]
-    ;;     ARG4 := [RBP-48] <- [RBP+56]
-    ;;     ENCLAVE := [RBP-56] <- [RBP+64]
-    ;;
-    sub rsp, PARAMS_SPACE
-    mov TCS, rcx
-    mov AEP, rdx
-    mov ARG1, r8
-    mov ARG2, r9
-    mov rax, [rbp+48]
-    mov ARG3, rax
-    mov rax, [rbp+56]
-    mov ARG4, rax
-    mov rax, [rbp+64]
-    mov ENCLAVE, rax
-
-    ;; Load CSSA with zero initially:
-    mov rax, 0
-    mov CSSA, rax
-
-    ;; Save registers:
-    push rbx
-    push rdi
-    push rsi
-    push r12
-    push r13
-    push r14
-    push r15
-
-call_start:
-
-    ;; Save the stack pointer so enclave can use the stack.
-    mov STACKPTR, rsp
-
-    ;; Call start(RAX=CSSA, RBX=TCS, RCX=RETADDR, RDI=ARG1, RSI=ARG2) in enclave
-    mov rax, CSSA
-    mov rbx, TCS
-    lea rcx, retaddr
-    mov rdi, ARG1
-    mov rsi, ARG2
-    jmp qword ptr [rbx+TCS_u_main]
-retaddr:
-    mov ARG1OUT, rdi
-    mov ARG2OUT, rsi
-
-dispatch_ocall_sim:
-
-    ;; RAX = __oe_dispatch_ocall(
-    ;;     RCX=arg1
-    ;;     RDX=arg2
-    ;;     R8=arg1_out
-    ;;     R9=arg2_out
-    ;;     [RSP+32]=TCS,
-    ;;     [RSP+40]=ENCLAVE);
-    sub rsp, 56
-    mov rcx, ARG1OUT
-    mov rdx, ARG2OUT
-    lea r8, qword ptr ARG1OUT
-    lea r9, qword ptr ARG2OUT
-    mov rax, qword ptr TCS
-    mov qword ptr [rsp+32], rax
-    mov rax, qword ptr ENCLAVE
-    mov qword ptr [rsp+40], rax
-    call __oe_dispatch_ocall ;; RAX contains return value
-    add rsp, 56
-
-    ;; Restore the stack pointer:
-    mov rsp, STACKPTR
-
-    ;; If this was not an OCALL, then return from ECALL.
-    cmp rax, 0
-    jne return_from_ecall_sim
-
-    ;; Stop speculative execution at fallthrough of conditional check
-    lfence
-
-    ;; Prepare to reenter the enclave, calling start()
-    mov rax, ARG1OUT
-    mov ARG1, rax
-    mov rax, ARG2OUT
-    mov ARG2, rax
-    jmp call_start
-
-return_from_ecall_sim:
-    ;; Stop speculative execution at target of conditional jump
-    lfence
-
-    ;; Set ARG3 (out)
-    mov rbx, ARG1OUT
-    mov rax, qword ptr [rbp+48]
-    mov qword ptr [rax], rbx
-
-    ;; Set ARG4 (out)
-    mov rbx, ARG2OUT
-    mov rax, qword ptr [rbp+56]
-    mov qword ptr [rax], rbx
-
-    ;; Restore registers:
-    pop r15
-    pop r14
-    pop r13
-    pop r12
-    pop rsi
-    pop rdi
-    pop rbx
-
-    ;; Return parameters space:
-    add rsp, PARAMS_SPACE
-
-    ;; Restore stack frame:
-    pop rbp
-
-    BEGIN_EPILOGUE
-    ret
-
-forever:
-    jmp forever
-
-NESTED_END oe_enter_sim, _TEXT$00
-
-END
diff --git a/host/sgx/windows/host_context.asm b/host/sgx/windows/host_context.asm
deleted file mode 100644
index 7221c2d962..0000000000
--- a/host/sgx/windows/host_context.asm
+++ /dev/null
@@ -1,78 +0,0 @@
-;; Copyright (c) Open Enclave SDK contributors.
-;; Licensed under the MIT License.
-
-OE_CONTEXT_FLAGS    EQU 00
-OE_CONTEXT_RBX      EQU 08
-OE_CONTEXT_RDI      EQU 16
-OE_CONTEXT_RSI      EQU 24
-OE_CONTEXT_R12      EQU 32
-OE_CONTEXT_R13      EQU 40
-OE_CONTEXT_R14      EQU 48
-OE_CONTEXT_R15      EQU 56
-OE_CONTEXT_FLOAT    EQU 64
-
-.CODE
-
-PUBLIC oe_save_host_context
-oe_save_host_context PROC
-    ;; Subroutine prologue
-    push rbp
-    mov rbp, rsp
-
-    ;; Save the flags to stack.
-    pushf
-    mov rax, [rsp]
-    mov [rcx+OE_CONTEXT_FLAGS], rax
-    popf
-
-    ;; Save general registers.
-    mov [rcx+OE_CONTEXT_RBX], rbx
-    mov [rcx+OE_CONTEXT_RDI], rdi
-    mov [rcx+OE_CONTEXT_RSI], rsi
-    mov [rcx+OE_CONTEXT_R12], r12
-    mov [rcx+OE_CONTEXT_R13], r13
-    mov [rcx+OE_CONTEXT_R14], r14
-    mov [rcx+OE_CONTEXT_R15], r15
-
-    ;; Save x87 FPU, MMX and SSE state (includes MXCSR and XMM registers).
-    fxsave [rcx+OE_CONTEXT_FLOAT]
-
-    ;; Subroutine epilogue
-    mov rsp, rbp
-    pop rbp
-    ret
-
-oe_save_host_context ENDP
-
-PUBLIC oe_restore_host_context
-oe_restore_host_context PROC
-
-    ;; Subroutine prologue
-    push rbp
-    mov rbp, rsp
-
-    ;; Restore the flags to stack.
-    push [rcx+OE_CONTEXT_FLAGS]
-    popfq
-
-    ;; Restore general registers.
-    mov rbx, [rcx+OE_CONTEXT_RBX]
-    mov rdi, [rcx+OE_CONTEXT_RDI]
-    mov rsi, [rcx+OE_CONTEXT_RSI]
-    mov r12, [rcx+OE_CONTEXT_R12]
-    mov r13, [rcx+OE_CONTEXT_R13]
-    mov r14, [rcx+OE_CONTEXT_R14]
-    mov r15, [rcx+OE_CONTEXT_R15]
-
-    ;; Restore x87 FPU, MMX and SSE state (includes MXCSR and XMM registers).
-    fxrstor [rcx+OE_CONTEXT_FLOAT]
-
-    ;; Subroutine epilogue
-    mov rsp, rbp
-    pop rbp
-    ret
-
-oe_restore_host_context ENDP
-
-END
-

From 5202016157e36d841c47863525eae4956cdc928e Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Wed, 20 Nov 2019 18:50:37 +0000
Subject: [PATCH 316/420] Remove OE_DEBUGRT_PATH

Signed-off-by: Anand Krishnamoorthi <anakrish@microsoft.com>
---
 host/sgx/windows/debugrtbridge.c | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/host/sgx/windows/debugrtbridge.c b/host/sgx/windows/debugrtbridge.c
index b31ab072f8..33332a2d28 100644
--- a/host/sgx/windows/debugrtbridge.c
+++ b/host/sgx/windows/debugrtbridge.c
@@ -36,22 +36,6 @@ static void load_oedebugrt(void)
         return;
     }
 
-#ifndef NDEBUG
-    /**
-     *  In debug mode, give preference to OE_DEBUGRT_PATH.
-     *  This is mainly used for OE SDK development.
-     */
-    {
-        char* debugrtpath = getenv("OE_DEBUGRT_PATH");
-        _oedebugrt.hmodule = LoadLibraryExA(
-            debugrtpath,
-            NULL, /* reserved */
-            /* Search only specified path. */
-            LOAD_WITH_ALTERED_SEARCH_PATH);
-    }
-
-#endif
-
     /* Search for oedebugrt.dll first in the application folder and then the
      * system32 folder.*/
     if (_oedebugrt.hmodule == NULL)

From d5772cc0e9c98541c060a2694979e3ca15cc566f Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Wed, 20 Nov 2019 20:32:20 +0000
Subject: [PATCH 317/420] Document ABI specified callee-saved register lists

Signed-off-by: Anand Krishnamoorthi <anakrish@microsoft.com>
---
 host/sgx/enter.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/host/sgx/enter.c b/host/sgx/enter.c
index 7d45dca8f1..9bce94242c 100644
--- a/host/sgx/enter.c
+++ b/host/sgx/enter.c
@@ -75,9 +75,18 @@
  *       All other registers are NOT used/ignored.
  *  Output:
  *       RDI=ARG1OUT, RSI=ARG2OUT,
- *       RBP is not changed,
- *       RSP might be decreased because of host stack memory allocation.
+ *       RBP, RBP are preserved.
  *       All other Registers are clobbered.
+ *
+ * Callee-saved (non-volatile) registers:
+ * As per System V x64 ABI, the registers RBX, RBP, RSP, R12, R13, R14, and R15
+ * are preserved across function calls.
+ * As per x64 Windows ABI, the registers RBX, RBP, RDI, RSI, RSP, R12, R13, R14,
+ * R15, and XMM6-15 are preserved across function calls.
+ * The general purpose callee-saved registers are listed in
+ * OE_ENCLU_CLOBBERED_REGISTERS. Since we explicitly save and restore the
+ * floating-point state via fxsave/fxrstor, the xmm registers are not listed
+ * in the clobber list.
  */
 OE_NEVER_INLINE
 void oe_enter(

From 338255a4231e0ce8c99345da9cd768347aa9688e Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Fri, 8 Nov 2019 23:24:57 +0000
Subject: [PATCH 318/420] Update 3rdparty/mbedtls/config.h with 2.16 options

Merge new options from 3rdparty/mbedtls/mbedtls/include/mbedtls/config.h into
config.h used by OE SDK. These options were introduced with the upgrade to
v2.16.2.

This change also cleans up some Open Enclave configuration choices:

- Disable options previously deprecated in v0.7:
    - `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE`: Considerable advances
      have been made in breaking SHA1 since our original review and we would
      like to be more prescriptive in recommending the use of SHA256.
    - `MBEDTLS_KEY_EXCHANGE_RSA_ENABLED`: This option provides no perfect
      forward secrecy and is generally becoming less popular as this is
      recognized. The ECDHE variants are also more performant.

- Disable 'MBEDTLS_SELF_TEST' by default.
    - This is a performance and TCB optimization as mbedtls is not currently
      compliance certified anyway.
    - The removal of this breaks the aarch64 build for OP-TEE, which had an
      incorrect link ordering for liboeutee and liboecore that was masked by
      libmbedcrypto pulling in the TEE_GenerateRandom symbol for self-tests
      first.
      - Update CMakeLists.txt for liboeutee to mark TEE_GenerateRandom with
        the --undefined linker flag to force this to be pulled in.

Signed-off-by: Simon Leet <simon.leet@microsoft.com>
---
 3rdparty/mbedtls/config.h             | 540 +++++++++++++++++++++++---
 3rdparty/optee/libutee/CMakeLists.txt |   3 +-
 2 files changed, 495 insertions(+), 48 deletions(-)

diff --git a/3rdparty/mbedtls/config.h b/3rdparty/mbedtls/config.h
index 9f3b1ef3d9..1b74f487f9 100644
--- a/3rdparty/mbedtls/config.h
+++ b/3rdparty/mbedtls/config.h
@@ -8,7 +8,7 @@
  *  memory footprint.
  */
 /*
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
  *  SPDX-License-Identifier: Apache-2.0
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -48,10 +48,14 @@
  * Requires support for asm() in compiler.
  *
  * Used in:
+ *      library/aria.c
  *      library/timing.c
- *      library/padlock.c
  *      include/mbedtls/bn_mul.h
  *
+ * Required by:
+ *      MBEDTLS_AESNI_C
+ *      MBEDTLS_PADLOCK_C
+ *
  * Comment to disable the use of assembly code.
  */
 #define MBEDTLS_HAVE_ASM
@@ -85,6 +89,28 @@
 // Open Enclave: enabled
 #define MBEDTLS_NO_UDBL_DIVISION
 
+/**
+ * \def MBEDTLS_NO_64BIT_MULTIPLICATION
+ *
+ * The platform lacks support for 32x32 -> 64-bit multiplication.
+ *
+ * Used in:
+ *      library/poly1305.c
+ *
+ * Some parts of the library may use multiplication of two unsigned 32-bit
+ * operands with a 64-bit result in order to speed up computations. On some
+ * platforms, this is not available in hardware and has to be implemented in
+ * software, usually in a library provided by the toolchain.
+ *
+ * Sometimes it is not desirable to have to link to that library. This option
+ * removes the dependency of that library on platforms that lack a hardware
+ * 64-bit multiplier by embedding a software implementation in Mbed TLS.
+ *
+ * Note that depending on the compiler, this may decrease performance compared
+ * to using the library function provided by the toolchain.
+ */
+//#define MBEDTLS_NO_64BIT_MULTIPLICATION
+
 /**
  * \def MBEDTLS_HAVE_SSE2
  *
@@ -114,12 +140,21 @@
 /**
  * \def MBEDTLS_HAVE_TIME_DATE
  *
- * System has time.h and time(), gmtime() and the clock is correct.
+ * System has time.h, time(), and an implementation for
+ * mbedtls_platform_gmtime_r() (see below).
  * The time needs to be correct (not necesarily very accurate, but at least
  * the date should be correct). This is used to verify the validity period of
  * X.509 certificates.
  *
  * Comment if your system does not have a correct clock.
+ *
+ * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that
+ * behaves similarly to the gmtime_r() function from the C standard. Refer to
+ * the documentation for mbedtls_platform_gmtime_r() for more information.
+ *
+ * \note It is possible to configure an implementation for
+ * mbedtls_platform_gmtime_r() at compile-time by using the macro
+ * MBEDTLS_PLATFORM_GMTIME_R_ALT.
  */
 // Open Enclave: Time methods are not secure against host, enabled only for x509 expiration checks
 #define MBEDTLS_HAVE_TIME_DATE
@@ -229,6 +264,48 @@
  // Open Enclave: Enable deprecation errors
 #define MBEDTLS_DEPRECATED_REMOVED
 
+/**
+ * \def MBEDTLS_CHECK_PARAMS
+ *
+ * This configuration option controls whether the library validates more of
+ * the parameters passed to it.
+ *
+ * When this flag is not defined, the library only attempts to validate an
+ * input parameter if: (1) they may come from the outside world (such as the
+ * network, the filesystem, etc.) or (2) not validating them could result in
+ * internal memory errors such as overflowing a buffer controlled by the
+ * library. On the other hand, it doesn't attempt to validate parameters whose
+ * values are fully controlled by the application (such as pointers).
+ *
+ * When this flag is defined, the library additionally attempts to validate
+ * parameters that are fully controlled by the application, and should always
+ * be valid if the application code is fully correct and trusted.
+ *
+ * For example, when a function accepts as input a pointer to a buffer that may
+ * contain untrusted data, and its documentation mentions that this pointer
+ * must not be NULL:
+ * - the pointer is checked to be non-NULL only if this option is enabled
+ * - the content of the buffer is always validated
+ *
+ * When this flag is defined, if a library function receives a parameter that
+ * is invalid, it will:
+ * - invoke the macro MBEDTLS_PARAM_FAILED() which by default expands to a
+ *   call to the function mbedtls_param_failed()
+ * - immediately return (with a specific error code unless the function
+ *   returns void and can't communicate an error).
+ *
+ * When defining this flag, you also need to:
+ * - either provide a definition of the function mbedtls_param_failed() in
+ *   your application (see platform_util.h for its prototype) as the library
+ *   calls that function, but does not provide a default definition for it,
+ * - or provide a different definition of the macro MBEDTLS_PARAM_FAILED()
+ *   below if the above mechanism is not flexible enough to suit your needs.
+ *   See the documentation of this macro later in this file.
+ *
+ * Uncomment to enable validation of application-controlled parameters.
+ */
+//#define MBEDTLS_CHECK_PARAMS
+
 /* \} name SECTION: System support */
 
 /**
@@ -279,23 +356,29 @@
  */
 //#define MBEDTLS_AES_ALT
 //#define MBEDTLS_ARC4_ALT
+//#define MBEDTLS_ARIA_ALT
 //#define MBEDTLS_BLOWFISH_ALT
 //#define MBEDTLS_CAMELLIA_ALT
 //#define MBEDTLS_CCM_ALT
+//#define MBEDTLS_CHACHA20_ALT
+//#define MBEDTLS_CHACHAPOLY_ALT
 //#define MBEDTLS_CMAC_ALT
 //#define MBEDTLS_DES_ALT
 //#define MBEDTLS_DHM_ALT
 //#define MBEDTLS_ECJPAKE_ALT
 //#define MBEDTLS_GCM_ALT
+//#define MBEDTLS_NIST_KW_ALT
 //#define MBEDTLS_MD2_ALT
 //#define MBEDTLS_MD4_ALT
 //#define MBEDTLS_MD5_ALT
+//#define MBEDTLS_POLY1305_ALT
 //#define MBEDTLS_RIPEMD160_ALT
 //#define MBEDTLS_RSA_ALT
 //#define MBEDTLS_SHA1_ALT
 //#define MBEDTLS_SHA256_ALT
 //#define MBEDTLS_SHA512_ALT
 //#define MBEDTLS_XTEA_ALT
+
 /*
  * When replacing the elliptic curve module, pleace consider, that it is
  * implemented with two .c files:
@@ -381,11 +464,11 @@
  *      unsigned char mbedtls_internal_ecp_grp_capable(
  *          const mbedtls_ecp_group *grp )
  *      int  mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
- *      void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp )
+ *      void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp )
  * The mbedtls_internal_ecp_grp_capable function should return 1 if the
  * replacement functions implement arithmetic for the given group and 0
  * otherwise.
- * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are
+ * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_free are
  * called before and after each point operation and provide an opportunity to
  * implement optimized set up and tear down instructions.
  *
@@ -449,12 +532,45 @@
 /**
  * \def MBEDTLS_AES_ROM_TABLES
  *
- * Store the AES tables in ROM.
+ * Use precomputed AES tables stored in ROM.
+ *
+ * Uncomment this macro to use precomputed AES tables stored in ROM.
+ * Comment this macro to generate AES tables in RAM at runtime.
+ *
+ * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
+ * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
+ * initialization time before the first AES operation can be performed.
+ * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
+ * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
+ * performance if ROM access is slower than RAM access.
+ *
+ * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
  *
- * Uncomment this macro to store the AES tables in ROM.
  */
 //#define MBEDTLS_AES_ROM_TABLES
 
+/**
+ * \def MBEDTLS_AES_FEWER_TABLES
+ *
+ * Use less ROM/RAM for AES tables.
+ *
+ * Uncommenting this macro omits 75% of the AES tables from
+ * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
+ * by computing their values on the fly during operations
+ * (the tables are entry-wise rotations of one another).
+ *
+ * Tradeoff: Uncommenting this reduces the RAM / ROM footprint
+ * by ~6kb but at the cost of more arithmetic operations during
+ * runtime. Specifically, one has to compare 4 accesses within
+ * different tables to 4 accesses with additional arithmetic
+ * operations within the same table. The performance gain/loss
+ * depends on the system and memory details.
+ *
+ * This option is independent of \c MBEDTLS_AES_ROM_TABLES.
+ *
+ */
+//#define MBEDTLS_AES_FEWER_TABLES
+
 /**
  * \def MBEDTLS_CAMELLIA_SMALL_MEMORY
  *
@@ -486,6 +602,20 @@
  */
 #define MBEDTLS_CIPHER_MODE_CTR
 
+/**
+ * \def MBEDTLS_CIPHER_MODE_OFB
+ *
+ * Enable Output Feedback mode (OFB) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_OFB
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_XTS
+ *
+ * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
+ */
+#define MBEDTLS_CIPHER_MODE_XTS
+
 /**
  * \def MBEDTLS_CIPHER_NULL_CIPHER
  *
@@ -566,6 +696,26 @@
  */
 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
 
+/**
+ * \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
+ *
+ * Remove 3DES ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on 3DES from the default list as
+ * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible
+ * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
+ * them explicitly.
+ *
+ * A man-in-the-browser attacker can recover authentication tokens sent through
+ * a TLS connection using a 3DES based cipher suite (see "On the Practical
+ * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
+ * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
+ * in your threat model or you are unsure, then you should keep this option
+ * enabled to remove 3DES based cipher suites.
+ *
+ * Comment this macro to keep 3DES in the default ciphersuite list.
+ */
+#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
+
 /**
  * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
  *
@@ -589,6 +739,7 @@
 //#define MBEDTLS_ECP_DP_BP384R1_ENABLED
 //#define MBEDTLS_ECP_DP_BP512R1_ENABLED
 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#define MBEDTLS_ECP_DP_CURVE448_ENABLED
 
 /**
  * \def MBEDTLS_ECP_NIST_OPTIM
@@ -601,6 +752,30 @@
  */
 #define MBEDTLS_ECP_NIST_OPTIM
 
+/**
+ * \def MBEDTLS_ECP_RESTARTABLE
+ *
+ * Enable "non-blocking" ECC operations that can return early and be resumed.
+ *
+ * This allows various functions to pause by returning
+ * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in
+ * order to further progress and eventually complete their operation. This is
+ * controlled through mbedtls_ecp_set_max_ops() which limits the maximum
+ * number of ECC operations a function may perform before pausing; see
+ * mbedtls_ecp_set_max_ops() for more information.
+ *
+ * This is useful in non-threaded environments if you want to avoid blocking
+ * for too long on ECC (and, hence, X.509 or SSL/TLS) operations.
+ *
+ * Uncomment this macro to enable restartable ECC computations.
+ *
+ * \note  This option only works with the default software implementation of
+ *        elliptic curve functionality. It is incompatible with
+ *        MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT and MBEDTLS_ECDSA_XXX_ALT.
+ */
+//#define MBEDTLS_ECP_RESTARTABLE
+
 /**
  * \def MBEDTLS_ECDSA_DETERMINISTIC
  *
@@ -746,9 +921,9 @@
  *      MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
  *      MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
  */
-// Open Enclave: Support for backward compatibility
-// Consider ECDHE key exchange instead for forward secrecy
-#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+// Open Enclave: Deprecated in v0.7, developers should consider
+// ECDHE key exchange instead for forward secrecy.
+//#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
@@ -1090,8 +1265,8 @@
  *
  * Enable the checkup functions (*_self_test).
  */
-// Open Enclave: Enable these by default for compliance checks
-#define MBEDTLS_SELF_TEST
+// Open Enclave: Disable these by default for performance
+//#define MBEDTLS_SELF_TEST
 
 /**
  * \def MBEDTLS_SHA256_SMALLER
@@ -1123,6 +1298,17 @@
  */
 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES
 
+/**
+ * \def MBEDTLS_SSL_ASYNC_PRIVATE
+ *
+ * Enable asynchronous external private key operations in SSL. This allows
+ * you to configure an SSL connection to call an external cryptographic
+ * module to perform private key operations instead of performing the
+ * operation inside the library.
+ *
+ */
+//#define MBEDTLS_SSL_ASYNC_PRIVATE
+
 /**
  * \def MBEDTLS_SSL_DEBUG_ALL
  *
@@ -1578,6 +1764,9 @@
  *
  * \note Currently compression can't be used with DTLS.
  *
+ * \deprecated This feature is deprecated and will be removed
+ *             in the next major revision of the library.
+ *
  * Used in: library/ssl_tls.c
  *          library/ssl_cli.c
  *          library/ssl_srv.c
@@ -1616,7 +1805,7 @@
  * Enable the AES block cipher.
  *
  * Module:  library/aes.c
- * Caller:  library/ssl_tls.c
+ * Caller:  library/cipher.c
  *          library/pem.c
  *          library/ctr_drbg.c
  *
@@ -1691,7 +1880,7 @@
  * Enable the ARCFOUR stream cipher.
  *
  * Module:  library/arc4.c
- * Caller:  library/ssl_tls.c
+ * Caller:  library/cipher.c
  *
  * This module enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -1787,7 +1976,7 @@
  * Enable the Camellia block cipher.
  *
  * Module:  library/camellia.c
- * Caller:  library/ssl_tls.c
+ * Caller:  library/cipher.c
  *
  * This module enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -1837,6 +2026,58 @@
 // Open Enclave: Drop support for uncommon cipher
 //#define MBEDTLS_CAMELLIA_C
 
+/**
+ * \def MBEDTLS_ARIA_C
+ *
+ * Enable the ARIA block cipher.
+ *
+ * Module:  library/aria.c
+ * Caller:  library/cipher.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *
+ *      MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
+ */
+//#define MBEDTLS_ARIA_C
+
 /**
  * \def MBEDTLS_CCM_C
  *
@@ -1864,6 +2105,28 @@
 // Open Enclave: Enabled conditionally
 #cmakedefine MBEDTLS_CERTS_C
 
+/**
+ * \def MBEDTLS_CHACHA20_C
+ *
+ * Enable the ChaCha20 stream cipher.
+ *
+ * Module:  library/chacha20.c
+ */
+// Open Enclave: Disable less common cipher until there's a demand for it.
+//#define MBEDTLS_CHACHA20_C
+
+/**
+ * \def MBEDTLS_CHACHAPOLY_C
+ *
+ * Enable the ChaCha20-Poly1305 AEAD algorithm.
+ *
+ * Module:  library/chachapoly.c
+ *
+ * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
+ */
+// Open Enclave: Disable less common cipher until there's a demand for it.
+//#define MBEDTLS_CHACHAPOLY_C
+
 /**
  * \def MBEDTLS_CIPHER_C
  *
@@ -1893,14 +2156,16 @@
 /**
  * \def MBEDTLS_CTR_DRBG_C
  *
- * Enable the CTR_DRBG AES-256-based random generator.
+ * Enable the CTR_DRBG AES-based random generator.
+ * The CTR_DRBG generator uses AES-256 by default.
+ * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below.
  *
  * Module:  library/ctr_drbg.c
  * Caller:
  *
  * Requires: MBEDTLS_AES_C
  *
- * This module provides the CTR_DRBG AES-256 random number generator.
+ * This module provides the CTR_DRBG AES random number generator.
  */
 #define MBEDTLS_CTR_DRBG_C
 
@@ -1917,7 +2182,7 @@
  * This module provides debugging functions.
  */
 // Open Enclave: Enabled conditionally
-#define MBEDTLS_DEBUG_C
+#cmakedefine MBEDTLS_DEBUG_C
 
 /**
  * \def MBEDTLS_DES_C
@@ -1926,7 +2191,7 @@
  *
  * Module:  library/des.c
  * Caller:  library/pem.c
- *          library/ssl_tls.c
+ *          library/cipher.c
  *
  * This module enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -2099,6 +2364,21 @@
  */
 //#define MBEDTLS_HAVEGE_C
 
+/**
+ * \def MBEDTLS_HKDF_C
+ *
+ * Enable the HKDF algorithm (RFC 5869).
+ *
+ * Module:  library/hkdf.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * This module adds support for the Hashed Message Authentication Code
+ * (HMAC)-based key derivation function (HKDF).
+ */
+#define MBEDTLS_HKDF_C
+
 /**
  * \def MBEDTLS_HMAC_DRBG_C
  *
@@ -2113,6 +2393,19 @@
  */
 #define MBEDTLS_HMAC_DRBG_C
 
+/**
+ * \def MBEDTLS_NIST_KW_C
+ *
+ * Enable the Key Wrapping mode for 128-bit block ciphers,
+ * as defined in NIST SP 800-38F. Only KW and KWP modes
+ * are supported. At the moment, only AES is approved by NIST.
+ *
+ * Module:  library/nist_kw.c
+ *
+ * Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C
+ */
+//#define MBEDTLS_NIST_KW_C
+
 /**
  * \def MBEDTLS_MD_C
  *
@@ -2399,6 +2692,17 @@
  */
 #define MBEDTLS_PLATFORM_C
 
+/**
+ * \def MBEDTLS_POLY1305_C
+ *
+ * Enable the Poly1305 MAC algorithm.
+ *
+ * Module:  library/poly1305.c
+ * Caller:  library/chachapoly.c
+ */
+// Open Enclave: Drop uncommon hash algorithm to minimize TCB.
+//#define MBEDTLS_POLY1305_C
+
 /**
  * \def MBEDTLS_RIPEMD160_C
  *
@@ -2408,7 +2712,7 @@
  * Caller:  library/md.c
  *
  */
-// Open Enclave: Drop uncommon hash algorithm to minimize TCB
+// Open Enclave: Drop uncommon hash algorithm to minimize TCB.
 //#define MBEDTLS_RIPEMD160_C
 
 /**
@@ -2758,6 +3062,7 @@
 //#define MBEDTLS_CTR_DRBG_MAX_INPUT                256 /**< Maximum number of additional input bytes */
 //#define MBEDTLS_CTR_DRBG_MAX_REQUEST             1024 /**< Maximum number of requested bytes per call */
 //#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT           384 /**< Maximum size of (re)seed buffer */
+//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY              /**< Use 128-bit key for CTR_DRBG - may reduce security (see ctr_drbg.h) */
 
 /* HMAC_DRBG options */
 //#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL   10000 /**< Interval before reseed is performed by default */
@@ -2780,16 +3085,8 @@
 
 /* Platform options */
 //#define MBEDTLS_PLATFORM_STD_MEM_HDR   <stdlib.h> /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */
-/* Open Enclave: Redirect the mbedtls_calloc/free calls to the corelibc methods
- * so that mbedtls does not need to depend on oelibc. Note that we do this
- * instead of defining the MBEDTLS_PLATFORM_CALLOC/FREE_MACRO as the STD
- * implementation defines them as function pointers instead of macros, which is
- * resiliant to compiling without the oe_calloc/free definition as happens in
- * tests/mbed where the return value is corrupted by being marshalled as an
- * int by default instead of void*.
- */
 //#define MBEDTLS_PLATFORM_STD_CALLOC        calloc /**< Default allocator to use, can be undefined */
-//#define MBEDTLS_PLATFORM_STD_FREE           free /**< Default free to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_FREE            free /**< Default free to use, can be undefined */
 //#define MBEDTLS_PLATFORM_STD_EXIT            exit /**< Default exit to use, can be undefined */
 //#define MBEDTLS_PLATFORM_STD_TIME            time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
 //#define MBEDTLS_PLATFORM_STD_FPRINTF      fprintf /**< Default fprintf to use, can be undefined */
@@ -2810,19 +3107,140 @@
 //#define MBEDTLS_PLATFORM_TIME_MACRO            time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
 //#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO       time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
 //#define MBEDTLS_PLATFORM_FPRINTF_MACRO      fprintf /**< Default fprintf macro to use, can be undefined */
-/* Open Enclave: Redirect printf to corelibc version for tests */
 //#define MBEDTLS_PLATFORM_PRINTF_MACRO        printf /**< Default printf macro to use, can be undefined */
 /* Note: your snprintf must correclty zero-terminate the buffer! */
 //#define MBEDTLS_PLATFORM_SNPRINTF_MACRO    snprintf /**< Default snprintf macro to use, can be undefined */
 //#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO   mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
 //#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO  mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
 
+/**
+ * \brief       This macro is invoked by the library when an invalid parameter
+ *              is detected that is only checked with MBEDTLS_CHECK_PARAMS
+ *              (see the documentation of that option for context).
+ *
+ *              When you leave this undefined here, a default definition is
+ *              provided that invokes the function mbedtls_param_failed(),
+ *              which is declared in platform_util.h for the benefit of the
+ *              library, but that you need to define in your application.
+ *
+ *              When you define this here, this replaces the default
+ *              definition in platform_util.h (which no longer declares the
+ *              function mbedtls_param_failed()) and it is your responsibility
+ *              to make sure this macro expands to something suitable (in
+ *              particular, that all the necessary declarations are visible
+ *              from within the library - you can ensure that by providing
+ *              them in this file next to the macro definition).
+ *
+ *              Note that you may define this macro to expand to nothing, in
+ *              which case you don't have to worry about declarations or
+ *              definitions. However, you will then be notified about invalid
+ *              parameters only in non-void functions, and void function will
+ *              just silently return early on invalid parameters, which
+ *              partially negates the benefits of enabling
+ *              #MBEDTLS_CHECK_PARAMS in the first place, so is discouraged.
+ *
+ * \param cond  The expression that should evaluate to true, but doesn't.
+ */
+//#define MBEDTLS_PARAM_FAILED( cond )               assert( cond )
+
 /* SSL Cache options */
 //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT       86400 /**< 1 day  */
 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES      50 /**< Maximum entries in cache */
 
 /* SSL options */
-//#define MBEDTLS_SSL_MAX_CONTENT_LEN             16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */
+
+/** \def MBEDTLS_SSL_MAX_CONTENT_LEN
+ *
+ * Maximum length (in bytes) of incoming and outgoing plaintext fragments.
+ *
+ * This determines the size of both the incoming and outgoing TLS I/O buffers
+ * in such a way that both are capable of holding the specified amount of
+ * plaintext data, regardless of the protection mechanism used.
+ *
+ * To configure incoming and outgoing I/O buffers separately, use
+ * #MBEDTLS_SSL_IN_CONTENT_LEN and #MBEDTLS_SSL_OUT_CONTENT_LEN,
+ * which overwrite the value set by this option.
+ *
+ * \note When using a value less than the default of 16KB on the client, it is
+ *       recommended to use the Maximum Fragment Length (MFL) extension to
+ *       inform the server about this limitation. On the server, there
+ *       is no supported, standardized way of informing the client about
+ *       restriction on the maximum size of incoming messages, and unless
+ *       the limitation has been communicated by other means, it is recommended
+ *       to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
+ *       while keeping the default value of 16KB for the incoming buffer.
+ *
+ * Uncomment to set the maximum plaintext size of both
+ * incoming and outgoing I/O buffers.
+ */
+//#define MBEDTLS_SSL_MAX_CONTENT_LEN             16384
+
+/** \def MBEDTLS_SSL_IN_CONTENT_LEN
+ *
+ * Maximum length (in bytes) of incoming plaintext fragments.
+ *
+ * This determines the size of the incoming TLS I/O buffer in such a way
+ * that it is capable of holding the specified amount of plaintext data,
+ * regardless of the protection mechanism used.
+ *
+ * If this option is undefined, it inherits its value from
+ * #MBEDTLS_SSL_MAX_CONTENT_LEN.
+ *
+ * \note When using a value less than the default of 16KB on the client, it is
+ *       recommended to use the Maximum Fragment Length (MFL) extension to
+ *       inform the server about this limitation. On the server, there
+ *       is no supported, standardized way of informing the client about
+ *       restriction on the maximum size of incoming messages, and unless
+ *       the limitation has been communicated by other means, it is recommended
+ *       to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
+ *       while keeping the default value of 16KB for the incoming buffer.
+ *
+ * Uncomment to set the maximum plaintext size of the incoming I/O buffer
+ * independently of the outgoing I/O buffer.
+ */
+//#define MBEDTLS_SSL_IN_CONTENT_LEN              16384
+
+/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
+ *
+ * Maximum length (in bytes) of outgoing plaintext fragments.
+ *
+ * This determines the size of the outgoing TLS I/O buffer in such a way
+ * that it is capable of holding the specified amount of plaintext data,
+ * regardless of the protection mechanism used.
+ *
+ * If this option undefined, it inherits its value from
+ * #MBEDTLS_SSL_MAX_CONTENT_LEN.
+ *
+ * It is possible to save RAM by setting a smaller outward buffer, while keeping
+ * the default inward 16384 byte buffer to conform to the TLS specification.
+ *
+ * The minimum required outward buffer size is determined by the handshake
+ * protocol's usage. Handshaking will fail if the outward buffer is too small.
+ * The specific size requirement depends on the configured ciphers and any
+ * certificate data which is sent during the handshake.
+ *
+ * Uncomment to set the maximum plaintext size of the outgoing I/O buffer
+ * independently of the incoming I/O buffer.
+ */
+//#define MBEDTLS_SSL_OUT_CONTENT_LEN             16384
+
+/** \def MBEDTLS_SSL_DTLS_MAX_BUFFERING
+ *
+ * Maximum number of heap-allocated bytes for the purpose of
+ * DTLS handshake message reassembly and future message buffering.
+ *
+ * This should be at least 9/8 * MBEDTLSSL_IN_CONTENT_LEN
+ * to account for a reassembled handshake message of maximum size,
+ * together with its reassembly bitmap.
+ *
+ * A value of 2 * MBEDTLS_SSL_IN_CONTENT_LEN (32768 by default)
+ * should be sufficient for all practical situations as it allows
+ * to reassembly a large handshake message (such as a certificate)
+ * while buffering multiple smaller handshake messages.
+ *
+ */
+//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING             32768
+
 //#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME     86400 /**< Lifetime of session tickets (if enabled) */
 //#define MBEDTLS_PSK_MAX_LEN               32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
 //#define MBEDTLS_SSL_COOKIE_TIMEOUT        60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
@@ -2874,32 +3292,60 @@
  *            on it, and considering stronger message digests instead.
  *
  */
-// Open Enclave: Support for backward compatibility. Still common, but
-// developers should move to SHA256
-#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
+// Open Enclave: Deprecated in v0.7, developers should move to SHA256
+//#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
 
-/* \} name SECTION: Customisation configuration options */
+/**
+ * Uncomment the macro to let mbed TLS use your alternate implementation of
+ * mbedtls_platform_zeroize(). This replaces the default implementation in
+ * platform_util.c.
+ *
+ * mbedtls_platform_zeroize() is a widely used function across the library to
+ * zero a block of memory. The implementation is expected to be secure in the
+ * sense that it has been written to prevent the compiler from removing calls
+ * to mbedtls_platform_zeroize() as part of redundant code elimination
+ * optimizations. However, it is difficult to guarantee that calls to
+ * mbedtls_platform_zeroize() will not be optimized by the compiler as older
+ * versions of the C language standards do not provide a secure implementation
+ * of memset(). Therefore, MBEDTLS_PLATFORM_ZEROIZE_ALT enables users to
+ * configure their own implementation of mbedtls_platform_zeroize(), for
+ * example by using directives specific to their compiler, features from newer
+ * C standards (e.g using memset_s() in C11) or calling a secure memset() from
+ * their system (e.g explicit_bzero() in BSD).
+ */
+//#define MBEDTLS_PLATFORM_ZEROIZE_ALT
 
-/* Target and application specific configurations */
-//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "target_config.h"
+/**
+ * Uncomment the macro to let Mbed TLS use your alternate implementation of
+ * mbedtls_platform_gmtime_r(). This replaces the default implementation in
+ * platform_util.c.
+ *
+ * gmtime() is not a thread-safe function as defined in the C standard. The
+ * library will try to use safer implementations of this function, such as
+ * gmtime_r() when available. However, if Mbed TLS cannot identify the target
+ * system, the implementation of mbedtls_platform_gmtime_r() will default to
+ * using the standard gmtime(). In this case, calls from the library to
+ * gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_mutex
+ * if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside the
+ * library are also guarded with this mutex to avoid race conditions. However,
+ * if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will
+ * unconditionally use the implementation for mbedtls_platform_gmtime_r()
+ * supplied at compile time.
+ */
+//#define MBEDTLS_PLATFORM_GMTIME_R_ALT
 
-#if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
-#include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE
-#endif
+/* \} name SECTION: Customisation configuration options */
 
-/*
+/* Target and application specific configurations
+ *
  * Allow user to override any previous default.
  *
- * Use two macro names for that, as:
- * - with yotta the prefix YOTTA_CFG_ is forced
- * - without yotta is looks weird to have a YOTTA prefix.
  */
-#if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE)
-#include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE
-#elif defined(MBEDTLS_USER_CONFIG_FILE)
+#if defined(MBEDTLS_USER_CONFIG_FILE)
 #include MBEDTLS_USER_CONFIG_FILE
 #endif
 
+// Open Enclave: Update path relative to source tree
 #include <mbedtls/check_config.h>
 
 #endif /* MBEDTLS_CONFIG_H */
diff --git a/3rdparty/optee/libutee/CMakeLists.txt b/3rdparty/optee/libutee/CMakeLists.txt
index 9ee7884b6d..7f599c1bb9 100644
--- a/3rdparty/optee/libutee/CMakeLists.txt
+++ b/3rdparty/optee/libutee/CMakeLists.txt
@@ -94,7 +94,8 @@ add_library(oelibutee INTERFACE)
 
 target_link_libraries(oelibutee INTERFACE
   oeutee
-  oelibutee_includes)
+  oelibutee_includes
+  --undefined=TEE_GenerateRandom)
 
 install(TARGETS oelibutee oelibutee_includes EXPORT openenclave-targets)
 

From a9f623cde3883b1279dd1c069f85a5d62eeb3cc3 Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Wed, 20 Nov 2019 17:59:43 +0000
Subject: [PATCH 319/420] Remove fixed dependency on MBEDTLS_DEBUG_C in samples
 and tests

- Remove samples/attested_tls dependency on mbedtls_debug_set_threshold
- Make tests/tls_e2e dependency on mbedtls_debug_set_threshold contingent
  on debug build type.

Fixes #2332

Signed-off-by: Simon Leet <simon.leet@microsoft.com>
---
 samples/attested_tls/client/enc/client.cpp | 4 ----
 samples/attested_tls/server/enc/server.cpp | 6 ------
 tests/tls_e2e/client_enc/client.cpp        | 2 ++
 tests/tls_e2e/server_enc/server.cpp        | 3 +++
 4 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/samples/attested_tls/client/enc/client.cpp b/samples/attested_tls/client/enc/client.cpp
index 2ae83b6e6a..17e10bb6ac 100644
--- a/samples/attested_tls/client/enc/client.cpp
+++ b/samples/attested_tls/client/enc/client.cpp
@@ -4,7 +4,6 @@
 #include <errno.h>
 #include <mbedtls/certs.h>
 #include <mbedtls/ctr_drbg.h>
-#include <mbedtls/debug.h>
 #include <mbedtls/entropy.h>
 #include <mbedtls/error.h>
 #include <mbedtls/net_sockets.h>
@@ -14,8 +13,6 @@
 #include <string.h>
 #include "../../common/utility.h"
 
-#define DEBUG_LEVEL 1
-
 extern "C"
 {
     int launch_tls_client(char* server_name, char* server_port);
@@ -217,7 +214,6 @@ int launch_tls_client(char* server_name, char* server_port)
     }
 
     // Initialize mbedtls objects
-    mbedtls_debug_set_threshold(DEBUG_LEVEL);
     mbedtls_net_init(&server_fd);
     mbedtls_ssl_init(&ssl);
     mbedtls_ssl_config_init(&conf);
diff --git a/samples/attested_tls/server/enc/server.cpp b/samples/attested_tls/server/enc/server.cpp
index 4c4797f0e7..1f33b0b3ef 100644
--- a/samples/attested_tls/server/enc/server.cpp
+++ b/samples/attested_tls/server/enc/server.cpp
@@ -3,7 +3,6 @@
 
 #include <mbedtls/certs.h>
 #include <mbedtls/ctr_drbg.h>
-#include <mbedtls/debug.h>
 #include <mbedtls/entropy.h>
 #include <mbedtls/error.h>
 #include <mbedtls/net_sockets.h>
@@ -34,9 +33,6 @@ int cert_verify_callback(
     int depth,
     uint32_t* flags);
 
-// mbedtls debug levels
-// 0 No debug, 1 Error, 2 State change, 3 Informational, 4 Verbose
-#define DEBUG_LEVEL 1
 #define SERVER_IP "0.0.0.0"
 
 #define HTTP_RESPONSE                                    \
@@ -321,8 +317,6 @@ int setup_tls_server(char* server_port)
     mbedtls_entropy_init(&entropy);
     mbedtls_ctr_drbg_init(&ctr_drbg);
 
-    mbedtls_debug_set_threshold(DEBUG_LEVEL);
-
     printf(
         TLS_SERVER "Setup the listening TCP socket on SERVER_IP= [%s] "
                    "server_port = [%s]\n",
diff --git a/tests/tls_e2e/client_enc/client.cpp b/tests/tls_e2e/client_enc/client.cpp
index 4d899e43b4..3c5b7732a3 100644
--- a/tests/tls_e2e/client_enc/client.cpp
+++ b/tests/tls_e2e/client_enc/client.cpp
@@ -195,7 +195,9 @@ int launch_tls_client(
         oe_module_loaded = true;
     }
 
+#if !defined(NDEBUG)
     mbedtls_debug_set_threshold(DEBUG_LEVEL);
+#endif
 
     // Initialize the RNG and the session data
     mbedtls_net_init(&server_fd);
diff --git a/tests/tls_e2e/server_enc/server.cpp b/tests/tls_e2e/server_enc/server.cpp
index 9668a8d62e..a1dc758f6d 100644
--- a/tests/tls_e2e/server_enc/server.cpp
+++ b/tests/tls_e2e/server_enc/server.cpp
@@ -217,7 +217,10 @@ int setup_tls_server(struct tls_control_args* config, char* server_port)
     mbedtls_entropy_init(&entropy);
     mbedtls_ctr_drbg_init(&ctr_drbg);
 
+#if !defined(NDEBUG)
     mbedtls_debug_set_threshold(DEBUG_LEVEL);
+#endif
+
     g_control_config = *config;
 
     OE_TRACE_INFO(

From 500c902979327187a38d32698a8e40ef2baed547 Mon Sep 17 00:00:00 2001
From: Oprin Marius <moprin@cloudbasesolutions.com>
Date: Thu, 21 Nov 2019 18:20:30 +0200
Subject: [PATCH 320/420] Add master.Jenkinsfile

Signed-off-by: Oprin Marius <moprin@cloudbasesolutions.com>
---
 .jenkins/master.Jenkinsfile | 140 ++++++++++++++++++++++++++++++++++++
 1 file changed, 140 insertions(+)
 create mode 100644 .jenkins/master.Jenkinsfile

diff --git a/.jenkins/master.Jenkinsfile b/.jenkins/master.Jenkinsfile
new file mode 100644
index 0000000000..31f7785b3e
--- /dev/null
+++ b/.jenkins/master.Jenkinsfile
@@ -0,0 +1,140 @@
+import hudson.slaves.*
+import hudson.model.*
+
+// Get current node label index from CI
+def getStartingIndex(String label, String prefix) {
+    def startNum = []
+    nodesByLabel(label).each {
+        startNum.add(it.replace(prefix,"").toInteger())
+    }
+    return startNum.max() + 1
+}
+
+// Generate a list of Agent Names for each Agent Label
+def generateAgentNames(String label, String prefix, Integer count) {
+    def first = getStartingIndex(label, prefix)
+    def nodeNames = []
+    for (int i=0; i<count; ++i) {
+        nodeNames.add(prefix + (i + first).toString())
+    }
+    return nodeNames
+}
+
+// Generate a list of Jenkins agent names matching certain labels
+def currentAgentList() {
+    def agentList = []
+    ["ACC-1604", "ACC-1804", "SGXFLC-Windows", "SGXFLC-Windows-DCAP"].each { label ->
+        nodesByLabel(label).each {
+            agentList.add(it)
+        }
+    }
+    return agentList
+}
+
+// Save a list of current Jenkins node names, to be turned offline
+CURRENT_JENKINS_NODES = currentAgentList()
+
+def cleanup(List currentNodes) {
+    for (aSlave in hudson.model.Hudson.instance.slaves) {
+        if (currentNodes.contains(aSlave.name)) {
+          println("Set ${aSlave.name} temporarily offline!");
+          aSlave.getComputer().setTemporarilyOffline(true,null);
+        }
+    }
+}
+
+// Generate Agent properties map
+def xenial = [
+    "agentType": "xenial",
+    "agentName": generateAgentNames("ACC-1604", "ACC-1604-", 3),
+    "agentLabel": "ACC-1604",
+    "agentRegion": "eastus",
+    "agentVhdUrl": "https://oejenkins.blob.core.windows.net/disks/${env.VHD_NAME_PREFIX}-ubuntu-16.04.vhd"
+]
+
+def bionic = [
+    "agentType": "bionic",
+    "agentName": generateAgentNames("ACC-1804", "ACC-1804-", 3),
+    "agentLabel": "ACC-1804",
+    "agentRegion": "westeurope",
+    "agentVhdUrl": "https://oejenkinswesteurope.blob.core.windows.net/disks/${env.VHD_NAME_PREFIX}-ubuntu-18.04.vhd"
+]
+
+def win2016 = [
+    "agentType": "windows",
+    "agentName": generateAgentNames("SGXFLC-Windows", "ACC-Win-SGX-", 2),
+    "agentLabel": "SGXFLC-Windows",
+    "agentRegion": "westeurope",
+    "agentVhdUrl": "https://oejenkinswesteurope.blob.core.windows.net/disks/${env.VHD_NAME_PREFIX}-win-2016.vhd"
+]
+
+def win2016dcap = [
+    "agentType": "windows",
+    "agentName": generateAgentNames("SGXFLC-Windows-DCAP", "ACC-Win-", 2),
+    "agentLabel": "SGXFLC-Windows-DCAP",
+    "agentRegion": "westeurope",
+    "agentVhdUrl": "https://oejenkinswesteurope.blob.core.windows.net/disks/${env.VHD_NAME_PREFIX}-win-dcap.vhd"
+]
+
+def agentsProperties = [
+    "xenial": xenial,
+    "bionic": bionic,
+    "win2016": win2016,
+    "win2016dcap": win2016dcap
+]
+
+
+
+if(BUILD_IMAGES == "true") {
+    // Build Docker images triggering 'OpenEnclave-Docker-Images' job with code from OpenEnclave master branch
+    stage("Build Docker Images") {
+        build job: 'OpenEnclave-Docker-Images' ,
+              parameters: [string(name: 'REPOSITORY_NAME', value: "openenclave/openenclave"),
+                           string(name: 'BRANCH_SPECIFIER', value: "master"),
+                           string(name: 'DOCKER_TAG', value: env.DOCKER_TAG),
+                           booleanParam(name: 'TAG_LATEST',value: true)]
+    }
+
+    /*
+    Build VHD images triggering 'OpenEnclave-jenkins-agents-VHDs' job with code from OpenEnclave master branch
+    Here we will use the oe-deploy docker image with the tag we just built in previous job
+    */
+    stage("Build Jenkins Agents VHDs") {
+        build job: 'OpenEnclave-jenkins-agents-VHDs' ,
+              parameters: [string(name: 'OE_DEPLOY_IMAGE', value: "oetools-deploy:${env.DOCKER_TAG}"),
+                           string(name: 'REPOSITORY_NAME', value: "openenclave/openenclave"),
+                           string(name: 'BRANCH_SPECIFIER', value: "master"),
+                           string(name: 'VHD_NAME_PREFIX', value: env.VHD_NAME_PREFIX)]
+    }
+}
+
+/*
+Deploy Jenkins agents with the latest VHD
+Register the new Jenkins agents into our CI
+*/
+
+def stepsForParallel = [:]
+agentsProperties.keySet().each { agent ->
+    agentsProperties[agent]['agentName'].each { agent_name ->
+        stepsForParallel[agent_name] = {
+            build job: 'OpenEnclave-deploy-jenkins-agent-test',
+                parameters: [string(name: 'OE_DEPLOY_IMAGE', value: "oetools-deploy:${env.DOCKER_TAG}"),
+                             string(name: 'REPOSITORY_NAME', value: "openenclave/openenclave"),
+                             string(name: 'BRANCH_SPECIFIER', value: "master"),
+                             string(name: 'VHD_URL', value: agentsProperties[agent]['agentVhdUrl']),
+                             string(name: 'REGION', value: agentsProperties[agent]['agentRegion']),
+                             string(name: 'RESOURCE_GROUP', value: agent_name),
+                             string(name: 'AGENT_NAME', value: agent_name.toLowerCase()),
+                             string(name: 'AGENT_LABEL', value: agentsProperties[agent]['agentLabel']),
+                             string(name: 'AGENT_TYPE', value: agentsProperties[agent]['agentType'])]
+        }
+    }
+}
+
+// Deploy Jenkins Agents
+parallel stepsForParallel
+
+// Mark old Jenkins agents offline
+stage("Mark old Jenkins agents offline") {
+    cleanup(CURRENT_JENKINS_NODES)  
+}

From 46c40fbcc67584198d86308ce76a94e947acd318 Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Thu, 21 Nov 2019 17:50:43 +0000
Subject: [PATCH 321/420] Remove debug.h support statement from
 MbedtlsSupport.md

Signed-off-by: Simon Leet <simon.leet@microsoft.com>
---
 docs/MbedtlsSupport.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/MbedtlsSupport.md b/docs/MbedtlsSupport.md
index 47a9c64032..b94599a4b8 100644
--- a/docs/MbedtlsSupport.md
+++ b/docs/MbedtlsSupport.md
@@ -15,7 +15,7 @@ ccm.h | Yes | - |
 cipher.h | Yes | - |
 cmac.h | Yes | - |
 ctr_drbg.h | Partial | Unsupported functions: mbedtls_ctr_drbg_write_seed_file(), mbedtls_ctr_drbg_update_seed_file() |
-debug.h | Yes | - |
+debug.h | No | - |
 des.h | Yes | - |
 dhm.h | No | - |
 ecdh.h | Yes | - |

From 990b5a8820b97851b1e190fdb24dddc7ec0512c7 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Thu, 14 Nov 2019 15:41:09 -0800
Subject: [PATCH 322/420] Adjust instructions for Windows

Adjusted the instructions to install to a subdirectory of the build
folder, as we should not just be cloning and installing to the same
folder (and the samples tests will only work if the install directory is
relative to the build folder).

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 .../WindowsSGX1FLCGettingStarted.md           | 99 +++++++++++--------
 .../Contributors/WindowsSGX1GettingStarted.md | 92 +++++++++--------
 2 files changed, 110 insertions(+), 81 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index 0df77cc16f..5ba111a970 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -14,74 +14,90 @@ A version of Windows OS with native support for SGX features:
 ## Install Git and Clone the Open Enclave SDK repo
 
 - Download and install Git for Windows from [here](https://git-scm.com/download/win).
-
-- Clone the Open Enclave SDK.
+- Clone the Open Enclave SDK to folder of your choice. In these instructions
+  we're assuming `openenclave`.
 
 ```powershell
 git clone https://github.com/openenclave/openenclave.git
 ```
 
-This creates a source tree under the directory called openenclave.
+This creates a source tree under the directory called `openenclave`.
 
 ## Install project prerequisites
 
-First, change directory into the openenclave repository:
+First, change directory into the Open Enclave repository (from wherever you
+cloned it):
 
 ```powershell
 cd openenclave
 ```
 
-Run the following from Powershell to deploy all the prerequisites for building Open Enclave
+Run the following from PowerShell to deploy all the prerequisites for building Open Enclave:
 
-```scripts/install-windows-prereqs.ps1```
+```powershell
+./scripts/install-windows-prereqs.ps1
+```
 
-To install the prerequisites along with the Azure DCAP Client, use the below command. The Azure DCAP Client is necessary to perform attestation on an Azure Confidential Computing VM. This command assumes that you would like the prerequisites to be installed to `C:\oe_prereqs`.
+To install the prerequisites along with the Azure DCAP Client, use the below
+command. The Azure DCAP Client is necessary to perform attestation on an Azure
+Confidential Computing VM. This command assumes that you would like the
+prerequisites to be installed to `C:/oe_prereqs`.
 
 ```powershell
-cd scripts
-.\install-windows-prereqs.ps1 -InstallPath C:\oe_prereqs -LaunchConfiguration SGX1FLC -DCAPClientType Azure
+./scripts/install-windows-prereqs.ps1 -InstallPath C:/oe_prereqs -LaunchConfiguration SGX1FLC -DCAPClientType Azure
 ```
 
-If you would like to skip the installation of the Azure DCAP Client, use the command below.
+If you would like to skip the installation of the Azure DCAP Client, use the
+command below:
 
 ```powershell
-cd scripts
-.\install-windows-prereqs.ps1 -InstallPath C:\oe_prereqs -LaunchConfiguration SGX1FLC -DCAPClientType None
+./scripts/install-windows-prereqs.ps1 -InstallPath C:/oe_prereqs -LaunchConfiguration SGX1FLC -DCAPClientType None
 ```
 
-As an example, if you cloned the Open Enclave SDK repo into C:\openenclave and want to install the Azure DCAP Client, you would run the following command.
+If you want to install the Azure DCAP Client, you would run the following
+command:
 
 ```powershell
-cd scripts
-.\install-windows-prereqs.ps1 -InstallPath C:\oe_prereqs -LaunchConfiguration SGX1FLC -DCAPClientType Azure
+./scripts/install-windows-prereqs.ps1 -InstallPath C:/oe_prereqs -LaunchConfiguration SGX1FLC -DCAPClientType Azure
 ```
 
-If you prefer to manually install prerequisites, please refer to this [document](WindowsManualInstallPrereqs.md).
+If you prefer to manually install prerequisites, please refer to this
+[document](WindowsManualInstallPrereqs.md).
 
-## Build
+## Building on Windows using Developer Command Prompt
 
 Launch the [x64 Native Tools Command Prompt for VS(2017 or 2019)](
-https://docs.microsoft.com/en-us/dotnet/framework/tools/developer-command-prompt-for-vs)
-To build, first create a build directory ("build" in the example below) and change directory into it.
-Then run `cmake` to configure the build and generate the Makefiles, and then build by running `ninja`.
+https://docs.microsoft.com/en-us/dotnet/framework/tools/developer-command-prompt-for-vs),
+which is found in the `Visual Studio 2017` folder in the Start Menu.
+
+Run the command `powershell.exe` to open a PowerShell prompt within the native
+tools environment.
+
+From here, use CMake and Ninja to build Open Enclave.
 
 To build debug enclaves:
-```cmd
-cd C:\openenclave
-mkdir build\x64-Debug
-cd build\x64-Debug
-cmake -G Ninja -DNUGET_PACKAGE_PATH=C:\oe_prereqs -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
+
+```powershell
+cd openenclave
+mkdir build/x64-Debug
+cd build/x64-Debug
+cmake -G ninja -DNUGET_PACKAGE_PATH=C:/oe_prereqs -DCMAKE_INSTALL_PREFIX=install ../..
 ninja
 ```
 
-Later, using the `ninja install` command will install the SDK in C:\openenclave. To choose a different location, change the value specified for CMAKE_INSTALL_PATH.
+Later, using the `ninja install` command will install the SDK in
+`C:/openenclave/build/x64-Debug/install`. To choose a different location, change
+the value specified for `CMAKE_INSTALL_PATH`, but note that the samples tests
+will break if an absolute path is specified.
+
+Similarly, to build release enclaves, specify the flag
+`-DCMAKE_BUILD_TYPE=Release`:
 
-Similarly, to build release enclaves:
-```cmd
-cd C:\openenclave
-mkdir build\x64-Release
-cd build\x64-Release
-cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\oe_prereqs -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave ..\..
+```powershell
+cd C:/openenclave
+mkdir build/x64-Release
+cd build/x64-Release
+cmake -G ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:/oe_prereqs -DCMAKE_INSTALL_PREFIX=install ../..
 ninja
 ```
 
@@ -89,16 +105,16 @@ ninja
 
 After building, run all unit test cases using `ctest` to confirm the SDK is built and working as expected.
 
-Run the following command from the build directory to run tests(In this example, we are testing the debug build):
+Run the following command from the build directory to run tests, (in this example, we are testing the debug build):
 
-```cmd
+```powershell
 ctest
 ```
 
 You will see test logs similar to the following:
 
-```cmd
-  Test project C:/openenclave/build/x64-Debug
+```powershell
+  Test project C:/Users/test/openenclave/build/x64-Debug
         Start   1: tests/lockless_queue
   1/107 Test   #1: tests/lockless_queue ..................................   Passed    3.49 sec
         Start   2: tests/mem
@@ -118,12 +134,15 @@ For more information refer to the [Advanced Test Info](AdvancedTestInfo.md) docu
 
 To install the SDK on the local machine use the following:
 
-```cmd
-cd build\x64-Debug
+```powershell
+cd openenclave/build/x64-Debug
+cmake -DCMAKE_INSTALL_PREFIX=C:/openenclave ../..
 ninja install
 ```
 
-This installs the SDK in `C:\openenclave`.
+This installs the SDK in `C:/openenclave`, the path specified for
+`CMAKE_INSTALL_PREFIX`. This install path is assumed for the rest of the
+instructions.
 
 ## Build and run samples
 
@@ -131,4 +150,4 @@ To build and run the samples, please look [here](/samples/README_Windows.md).
 
 ## Known Issues
 
-Not all tests currently run on Windows. See tests\MakeLists.txt for a list of supported tests.
+Not all tests currently run on Windows. See `tests/CMakeLists.txt` for a list of supported tests.
diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
index 8a0d124338..03e7beda8e 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -12,82 +12,89 @@ A version of Windows OS with native support for SGX features:
 
 ## Install Git and Clone the Open Enclave SDK repo
 
-Download and install Git for Windows from [here](https://git-scm.com/download/win).
-
-Clone the Open Enclave SDK
+- Download and install Git for Windows from [here](https://git-scm.com/download/win).
+- Clone the Open Enclave SDK to folder of your choice. In these instructions
+  we're assuming `openenclave`.
 
 ```powershell
 git clone https://github.com/openenclave/openenclave.git
 ```
 
-This creates a source tree under the directory called openenclave.
+This creates a source tree under the directory called `openenclave`.
 
 ## Install project prerequisites
 
-First, change directory into the openenclave repository:
+First, change directory into the Open Enclave repository (from wherever you
+cloned it):
 
 ```powershell
 cd openenclave
 ```
 
-To deploy all the prerequisities for building Open Enclave, you can run the following from Powershell. Note that the Data Center Attestation Primitives (DCAP) Client is not used for attestation on systems which have support for SGX1 without support for Flexible Launch Control (FLC). The below example assumes you would like to install the packages to `C:\oe_prereqs`.
+To deploy all the prerequisities for building Open Enclave, you can run the
+following from PowerShell. Note that the Data Center Attestation Primitives
+(DCAP) Client is not used for attestation on systems which have support for SGX1
+without support for Flexible Launch Control (FLC). The below example assumes you
+would like to install the packages to `C:/oe_prereqs`.
 
 ```powershell
-cd scripts
-.\install-windows-prereqs.ps1 -InstallPath C:\oe_prereqs -LaunchConfiguration SGX1 -DCAPClientType None
+./scripts/install-windows-prereqs.ps1 -InstallPath C:/oe_prereqs -LaunchConfiguration SGX1 -DCAPClientType None
 ```
 
-As an example, if you cloned Open Enclave SDK repo into `C:\openenclave`, you would run the following:
+If you prefer to manually install prerequisites, please refer to this
+[document](WindowsManualInstallPrereqs.md).
 
-```powershell
-cd scripts
-.\install-windows-prereqs.ps1 -InstallPath C:\oe_prereqs -LaunchConfiguration SGX1 -DCAPClientType None
-```
+## Building on Windows using Developer Command Prompt
 
-If you prefer to manually install prerequisites, please refer to this [document](WindowsManualInstallPrereqs.md).
+Launch the [x64 Native Tools Command Prompt for VS(2017 or 2019)](
+https://docs.microsoft.com/en-us/dotnet/framework/tools/developer-command-prompt-for-vs),
+which is found in the `Visual Studio 2017` folder in the Start Menu.
 
-## Building on Windows using Developer Command Prompt
+Run the command `powershell.exe` to open a PowerShell prompt within the native
+tools environment.
 
-1. Launch the [x64 Native Tools Command Prompt for VS 2017](
-https://docs.microsoft.com/en-us/dotnet/framework/tools/developer-command-prompt-for-vs)
-Normally this is accessible under the `Visual Studio 2017` folder in the Start Menu.
+From here, use CMake and Ninja to build Open Enclave.
 
-2. At the x64 Native Tools command prompt, use CMake and ninja to build the debug version:
+To build debug enclaves:
 
-```
-cd C:\openenclave
-mkdir build\x64-Debug
-cd build\x64-Debug
-cmake -G Ninja -DNUGET_PACKAGE_PATH=C:\oe_prereqs -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=OFF ..\..
+```powershell
+cd openenclave
+mkdir build/x64-Debug
+cd build/x64-Debug
+cmake -G ninja -DHAS_QUOTE_PROVIDER=OFF -DNUGET_PACKAGE_PATH=C:/oe_prereqs -DCMAKE_INSTALL_PREFIX=install ../..
 ninja
 ```
 
-Later, using the `ninja install` command will install the SDK in C:\openenclave. To choose a different location, change the value specified for CMAKE_INSTALL_PATH.
+Later, using the `ninja install` command will install the SDK in
+`C:/openenclave/build/x64-Debug/install`. To choose a different location, change
+the value specified for `CMAKE_INSTALL_PATH`, but note that the samples tests
+will break if an absolute path is specified.
 
-Similarly, to build release enclaves:
+Similarly, to build release enclaves, specify the flag
+`-DCMAKE_BUILD_TYPE=Release`:
 
-```cmd
-cd C:\openenclave
-mkdir build\x64-Release
-cd build\x64-Release
-cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:\oe_prereqs -DCMAKE_INSTALL_PREFIX:PATH=C:\openenclave -DHAS_QUOTE_PROVIDER=OFF ..\..
+```powershell
+cd openenclave
+mkdir build/x64-Release
+cd build/x64-Release
+cmake -G ninja -DCMAKE_BUILD_TYPE=Release -DHAS_QUOTE_PROVIDER=OFF -DNUGET_PACKAGE_PATH=C:/oe_prereqs -DCMAKE_INSTALL_PREFIX=install ../..
 ninja
 ```
 
 ## Run unit tests
 
-After building, run all unit test cases using `ctest` to confirm the SDK is built and working as expected. In this example, we are testing the debug build.
+After building, run all unit test cases using `ctest` to confirm the SDK is built and working as expected.
 
-Run the following command from the build directory:
+Run the following command from the build directory to run tests, (in this example, we are testing the debug build):
 
-```cmd
+```powershell
 ctest
 ```
 
 You will see test logs similar to the following:
 
-```cmd
-  Test project C:/openenclave/build/x64-Debug
+```powershell
+  Test project C:/Users/test/openenclave/build/x64-Debug
         Start   1: tests/lockless_queue
   1/107 Test   #1: tests/lockless_queue ..................................   Passed    3.49 sec
         Start   2: tests/mem
@@ -105,14 +112,17 @@ For more information refer to the [Advanced Test Info](AdvancedTestInfo.md) docu
 
 ## Installing the SDK on the local machine
 
-To install the SDK on the local machine use the following:
+To install the debug SDK on the local machine use the following:
 
-```cmd
-cd build\x64-Debug
+```powershell
+cd openenclave/build/x64-Debug
+cmake -DCMAKE_INSTALL_PREFIX=C:/openenclave ../..
 ninja install
 ```
 
-This installs the SDK in `C:\openenclave`.
+This installs the SDK in `C:/openenclave`, the path specified for
+`CMAKE_INSTALL_PREFIX`. This install path is assumed for the rest of the
+instructions.
 
 ## Build and run samples
 
@@ -120,4 +130,4 @@ To build and run the samples, please look [here](/samples/README_Windows.md).
 
 ## Known Issues
 
-Not all tests currently run on Windows. See tests\MakeLists.txt for a list of supported tests.
+Not all tests currently run on Windows. See `tests/CMakeLists.txt` for a list of supported tests.

From 158bcd9a8c49fb5ab7b4861f452351dd21fbd1d8 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Thu, 21 Nov 2019 23:13:40 +0000
Subject: [PATCH 323/420] Remove workaround in dune build of Intel sources

We had set `wrapped` to `false` such that the libraries built by dune
from the Intel sources did not require the `Intel.` prefix. Now we can
remove this and fix up the few types we actually need to use manually.

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/README.md      |  4 ++++
 tools/oeedger8r/intel/dune     |  1 -
 tools/oeedger8r/src/Emitter.ml | 27 +++++++++++++--------------
 tools/oeedger8r/src/main.ml    |  8 ++++----
 4 files changed, 21 insertions(+), 19 deletions(-)

diff --git a/tools/oeedger8r/README.md b/tools/oeedger8r/README.md
index 70a6ccc525..1e2852829b 100644
--- a/tools/oeedger8r/README.md
+++ b/tools/oeedger8r/README.md
@@ -62,6 +62,10 @@ else (
    defining the `enclave_content` record in `Ast.ml` and redefining it as an
    equivalent type in `CodeGen.ml`.
 
+4. Dune build for the Intel sources. This required adding the prefix `Intel.` to
+   uses of types defined in the Intel sources in both `main.ml` and
+   `Emitter.ml`.
+
 ### Edge Routine Emitter
 
 The edge routine emitter for Open Enclave is implemented in `Emitter.ml`. It
diff --git a/tools/oeedger8r/intel/dune b/tools/oeedger8r/intel/dune
index 3bca1f4859..7c00ccb169 100644
--- a/tools/oeedger8r/intel/dune
+++ b/tools/oeedger8r/intel/dune
@@ -1,7 +1,6 @@
 (library
  (name intel)
  (synopsis "Upstream Intel edger8r")
- (wrapped false) ; TODO: We need to transition this to true.
  (libraries str unix))
 
 (ocamllex Lexer)
diff --git a/tools/oeedger8r/src/Emitter.ml b/tools/oeedger8r/src/Emitter.ml
index 8de2e1f803..86420fdbca 100644
--- a/tools/oeedger8r/src/Emitter.ml
+++ b/tools/oeedger8r/src/Emitter.ml
@@ -5,10 +5,8 @@
     us to share the same Enclave Definition Language, but emit our
     SDK's bindings. *)
 
-open Ast
-open Plugin
+open Intel.Ast
 open Printf
-open Util
 
 (** ----- Begin code borrowed and tweaked from {!CodeGen.ml}. ----- *)
 let is_foreign_array (pt : parameter_type) =
@@ -129,7 +127,7 @@ let gen_c_deref level i = if i = "1" then "->" else sprintf "[_i_%i]." level
 let write_file (content : string list) (filename : string) (dir : string) =
   let os =
     if dir = "." then open_out filename
-    else open_out (dir ^ separator_str ^ filename)
+    else open_out (dir ^ Intel.Util.separator_str ^ filename)
   in
   fprintf os "%s"
     (String.concat "\n"
@@ -196,7 +194,7 @@ let get_param_size (ptype, decl, argstruct) =
 let oe_get_param_size (ptype, decl, argstruct) =
   match get_param_size (ptype, decl, argstruct) with
   | Some size -> size
-  | None -> failwithf "Error: No size for " ^ decl.identifier
+  | None -> Intel.Util.failwithf "Error: No size for " ^ decl.identifier
 
 (** For a parameter, get its count expression. *)
 let get_param_count (ptype, decl, argstruct) =
@@ -230,7 +228,7 @@ let get_param_count (ptype, decl, argstruct) =
 let oe_get_param_count (ptype, decl, argstruct) =
   match get_param_count (ptype, decl, argstruct) with
   | Some count -> count
-  | None -> failwithf "Error: No count for " ^ decl.identifier
+  | None -> Intel.Util.failwithf "Error: No count for " ^ decl.identifier
 
 (** Generate the prototype for a given function. *)
 let oe_gen_prototype (fd : func_decl) =
@@ -451,7 +449,7 @@ let warn_size_and_count_params (fd : func_decl) =
   let print_size_and_count_warning { ps_size; ps_count } =
     match (ps_size, ps_count) with
     | Some (AString p), Some (AString q) ->
-        failwithf
+        Intel.Util.failwithf
           "Function '%s': simultaneous 'size' and 'count' parameters '%s' and \
            '%s' are not supported by oeedger8r.\n"
           fd.fname p q
@@ -466,7 +464,7 @@ let warn_size_and_count_params (fd : func_decl) =
     fd.plist
 
 (** Generate the Enclave code. *)
-let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
+let gen_enclave_code (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
   (* Short aliases for the trusted and untrusted function
      declarations. *)
   let tfs = ec.tfunc_decls in
@@ -475,15 +473,15 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
      validation has the side effects of printed warnings or failure
      with an error message. *)
   if ep.use_prefix then
-    failwithf "--use_prefix option is not supported by oeedger8r.";
+    Intel.Util.failwithf "--use_prefix option is not supported by oeedger8r.";
   List.iter
     (fun f ->
       if f.tf_is_priv then
-        failwithf
+        Intel.Util.failwithf
           "Function '%s': 'private' specifier is not supported by oeedger8r"
           f.tf_fdecl.fname;
       if f.tf_is_switchless then
-        failwithf
+        Intel.Util.failwithf
           "Function '%s': trusted switchless ecalls are not yet supported by \
            Open Enclave SDK."
           f.tf_fdecl.fname)
@@ -497,7 +495,8 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
            supported by oeedger8r.\n"
           f.uf_fdecl.fname cconv_str );
       if f.uf_fattr.fa_dllimport then
-        failwithf "Function '%s': dllimport is not supported by oeedger8r."
+        Intel.Util.failwithf
+          "Function '%s': dllimport is not supported by oeedger8r."
           f.uf_fdecl.fname;
       if f.uf_allow_list != [] then
         printf
@@ -1532,5 +1531,5 @@ let gen_enclave_code (ec : enclave_content) (ep : edger8r_params) =
 (** Install the plugin. *)
 let _ =
   Printf.printf "Generating edge routines for the Open Enclave SDK.\n";
-  Plugin.instance.available <- true;
-  Plugin.instance.gen_edge_routines <- gen_enclave_code
+  Intel.Plugin.instance.available <- true;
+  Intel.Plugin.instance.gen_edge_routines <- gen_enclave_code
diff --git a/tools/oeedger8r/src/main.ml b/tools/oeedger8r/src/main.ml
index 50f23a96c1..cb413add52 100644
--- a/tools/oeedger8r/src/main.ml
+++ b/tools/oeedger8r/src/main.ml
@@ -42,14 +42,14 @@ let main =
   let progname = Sys.argv.(0) in
   let argc = Array.length Sys.argv in
   let args = if argc = 1 then [||] else Array.sub Sys.argv 1 (argc-1) in
-  let cmd_params = Util.parse_cmdline progname (Array.to_list args) in
+  let cmd_params = Intel.Util.parse_cmdline progname (Array.to_list args) in
 
   let real_ast_handler fname =
     try
-      CodeGen.gen_enclave_code (CodeGen.start_parsing fname) cmd_params
+      Intel.CodeGen.gen_enclave_code (Intel.CodeGen.start_parsing fname) cmd_params
     with
       Failure s -> (Printf.eprintf "error: %s\n" s; exit (-1))
   in
-    if cmd_params.Util.input_files = [] then Util.usage progname
-    else List.iter real_ast_handler cmd_params.Util.input_files
+    if cmd_params.input_files = [] then Intel.Util.usage progname
+    else List.iter real_ast_handler cmd_params.input_files
 

From eee13d42911a4c6d6bdc9302b76461216a0ba276 Mon Sep 17 00:00:00 2001
From: Dave Thaler <dthaler@microsoft.com>
Date: Sat, 23 Nov 2019 12:29:56 +0900
Subject: [PATCH 324/420] Fix broken link

Problem was due to docs/docs appearing in the path instead of just docs,
because the path is already relative to the docs directory.

Signed-off-by: Dave Thaler <dthaler@microsoft.com>
---
 docs/Contributing.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/Contributing.md b/docs/Contributing.md
index c0d1589b35..6ec8b70ac9 100644
--- a/docs/Contributing.md
+++ b/docs/Contributing.md
@@ -314,5 +314,5 @@ an issue to discuss the idea.
 Code of Conduct
 ---------------
 
-This project follows a [Code of Conduct](docs/CodeOfConduct.md) adapted from the
+This project follows a [Code of Conduct](CodeOfConduct.md) adapted from the
 [Contributor Covenant v1.4](https://www.contributor-covenant.org).

From c45d2d772e11c11fbc38aa2548deb59e5b8ca6a4 Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Thu, 7 Nov 2019 01:17:57 +0000
Subject: [PATCH 325/420] Enable socket test on windows

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 host/windows/syscall.c              | 109 +++++++++++++++++++++++++---
 syscall/devices/hostsock/hostsock.c |   2 +-
 tests/syscall/CMakeLists.txt        |   2 +-
 tests/syscall/platform/windows.h    |   1 +
 tests/syscall/socket/enc/enc.c      |   1 -
 tests/syscall/socket/host/host.c    |  25 +++++--
 6 files changed, 118 insertions(+), 22 deletions(-)

diff --git a/host/windows/syscall.c b/host/windows/syscall.c
index 0fdafb1f82..2cbeed8795 100644
--- a/host/windows/syscall.c
+++ b/host/windows/syscall.c
@@ -11,7 +11,6 @@
 **
 **==============================================================================
 */
-
 #define _WINSOCK_DEPRECATED_NO_WARNINGS
 
 #include <direct.h>
@@ -19,8 +18,13 @@
 #include <stdint.h>
 #include <sys/stat.h>
 
+
 // clang-format off
+
+#include <winsock2.h>
 #include <windows.h>
+#include <Ws2def.h>
+#include <VersionHelpers.h>
 // clang-format on
 
 #include <openenclave/corelibc/errno.h>
@@ -213,11 +217,13 @@ int oe_syscall_close_ocall(oe_host_fd_t fd)
     return _close(fd);
 }
 
+static oe_host_fd_t _dup_socket(oe_host_fd_t);
+
 oe_host_fd_t oe_syscall_dup_ocall(oe_host_fd_t oldfd)
 {
     oe_host_fd_t ret = -1;
 
-    // Only support duping std file descriptors for now.
+    // Only support duping std file descriptors and sockets for now.
     switch (oldfd)
     {
         case 0:
@@ -233,9 +239,12 @@ oe_host_fd_t oe_syscall_dup_ocall(oe_host_fd_t oldfd)
             break;
 
         default:
+            // Try dup-ing it as a socket.
+            ret = _dup_socket(oldfd);
             break;
     }
 
+
     if (ret == -1)
         _set_errno(OE_EINVAL);
     else
@@ -312,11 +321,57 @@ int oe_syscall_rmdir_ocall(const char* pathname)
 **==============================================================================
 */
 
+#define OE_SOCKET_FD_MAGIC 0x29b4a345c7564b57
+typedef struct win_socket_fd {
+    uint64_t magic;
+    SOCKET socket;
+} oe_socket_fd_t;
+
+static oe_socket_fd_t _invalid_socket = {
+    OE_SOCKET_FD_MAGIC,
+    INVALID_SOCKET
+};
+
+oe_host_fd_t _make_socket_fd(SOCKET sock)
+{
+    oe_host_fd_t fd = (oe_host_fd_t)&_invalid_socket;
+    if (sock != INVALID_SOCKET)
+    {
+        oe_socket_fd_t* socket_fd = (oe_socket_fd_t*) malloc(sizeof(oe_socket_fd_t));
+        socket_fd->magic = OE_SOCKET_FD_MAGIC;
+        socket_fd->socket = sock;
+        fd = (oe_host_fd_t) socket_fd;
+    }
+    return fd;
+}
+
+SOCKET _get_socket(oe_host_fd_t fd)
+{
+    oe_socket_fd_t* socket_fd = (oe_socket_fd_t*) fd;
+    if (socket_fd && socket_fd->magic == OE_SOCKET_FD_MAGIC)
+        return socket_fd->socket;
+    return INVALID_SOCKET;
+}
+
+static oe_host_fd_t _dup_socket(oe_host_fd_t oldfd)
+{
+    oe_socket_fd_t* old_socket_fd = (oe_socket_fd_t*) oldfd;
+    if (old_socket_fd && old_socket_fd->magic == OE_SOCKET_FD_MAGIC)
+    {
+        oe_socket_fd_t* new_socket_fd = (oe_socket_fd_t*) malloc(sizeof(oe_socket_fd_t));
+        *new_socket_fd = *old_socket_fd;
+        return (oe_host_fd_t)(uint64_t) new_socket_fd;
+    }
+    return -1;
+}
+
 oe_host_fd_t oe_syscall_socket_ocall(int domain, int type, int protocol)
 {
-    PANIC;
+    SOCKET sock = socket(domain, type, protocol);
+    return _make_socket_fd(sock);
 }
 
+
 int oe_syscall_socketpair_ocall(
     int domain,
     int type,
@@ -331,7 +386,7 @@ int oe_syscall_connect_ocall(
     const struct oe_sockaddr* addr,
     oe_socklen_t addrlen)
 {
-    PANIC;
+   return connect(_get_socket(sockfd), (const struct sockaddr*) addr, (int) addrlen);
 }
 
 oe_host_fd_t oe_syscall_accept_ocall(
@@ -340,7 +395,11 @@ oe_host_fd_t oe_syscall_accept_ocall(
     oe_socklen_t addrlen_in,
     oe_socklen_t* addrlen_out)
 {
-    PANIC;
+    int addrlen = (int) addrlen_in;
+    SOCKET conn_socket =  accept(_get_socket(sockfd), (struct sockaddr*) addr, addrlen_out ? &addrlen : NULL);
+    if (addrlen_out)
+        *addrlen_out = addrlen;
+    return _make_socket_fd(conn_socket);
 }
 
 int oe_syscall_bind_ocall(
@@ -348,12 +407,12 @@ int oe_syscall_bind_ocall(
     const struct oe_sockaddr* addr,
     oe_socklen_t addrlen)
 {
-    PANIC;
+    return bind(_get_socket(sockfd), (const struct sockaddr*) addr, addrlen);
 }
 
 int oe_syscall_listen_ocall(oe_host_fd_t sockfd, int backlog)
 {
-    PANIC;
+    return listen(_get_socket(sockfd), backlog);
 }
 
 ssize_t oe_syscall_recvmsg_ocall(
@@ -392,7 +451,7 @@ ssize_t oe_syscall_recv_ocall(
     size_t len,
     int flags)
 {
-    PANIC;
+    return recv(_get_socket(sockfd), (char*)buf, (int)len, flags);
 }
 
 ssize_t oe_syscall_recvfrom_ocall(
@@ -413,7 +472,7 @@ ssize_t oe_syscall_send_ocall(
     size_t len,
     int flags)
 {
-    PANIC;
+    return send(_get_socket(sockfd), buf, len, flags);
 }
 
 ssize_t oe_syscall_sendto_ocall(
@@ -452,7 +511,14 @@ int oe_syscall_shutdown_ocall(oe_host_fd_t sockfd, int how)
 
 int oe_syscall_close_socket_ocall(oe_host_fd_t sockfd)
 {
-    PANIC;
+    SOCKET sock = _get_socket(sockfd);
+    int r = -1;
+    if (sock != INVALID_SOCKET)
+    {
+        r = closesocket(sock);
+        free((oe_socket_fd_t*)sockfd);
+    }
+    return r;
 }
 
 int oe_syscall_fcntl_ocall(
@@ -503,7 +569,7 @@ int oe_syscall_setsockopt_ocall(
     const void* optval,
     oe_socklen_t optlen)
 {
-    PANIC;
+    return setsockopt(_get_socket(sockfd), level, optname, optval, optlen);
 }
 
 int oe_syscall_getsockopt_ocall(
@@ -723,5 +789,24 @@ int oe_syscall_getgroups_ocall(size_t size, unsigned int* list)
 
 int oe_syscall_uname_ocall(struct oe_utsname* buf)
 {
-    PANIC;
+    // Based on https://docs.microsoft.com/en-us/windows/win32/sysinfo/getting-the-system-version
+    // OE SDK is supported only on WindowsServer and Win10
+    if (IsWindowsServer())
+    {
+        sprintf(buf->nodename, "(unknown)");
+        sprintf(buf->domainname, "(none)");
+        sprintf(buf->sysname, "WindowsServer");
+        sprintf(buf->version, "2016OrAbove");
+        return 0;
+    }
+    else if(IsWindows10OrGreater())
+    {
+        sprintf(buf->nodename, "(unknown)");
+        sprintf(buf->domainname, "(none)");
+        sprintf(buf->sysname, "Windows10OrGreater");
+        sprintf(buf->version, "10OrAbove");
+        return 0;
+    }
+
+    return -1;
 }
diff --git a/syscall/devices/hostsock/hostsock.c b/syscall/devices/hostsock/hostsock.c
index a346f70ddd..ba1ad7b240 100644
--- a/syscall/devices/hostsock/hostsock.c
+++ b/syscall/devices/hostsock/hostsock.c
@@ -261,7 +261,7 @@ static oe_fd_t* _hostsock_accept(
         oe_host_fd_t retval = -1;
 
         if (oe_syscall_accept_ocall(
-                &retval, sock->host_fd, &buf.addr, addrlen_in, addrlen) !=
+                &retval, sock->host_fd, addr ? &buf.addr : NULL, addrlen_in, addrlen) !=
             OE_OK)
         {
             OE_RAISE_ERRNO(oe_errno);
diff --git a/tests/syscall/CMakeLists.txt b/tests/syscall/CMakeLists.txt
index d05d1beef4..d3e576dfa1 100644
--- a/tests/syscall/CMakeLists.txt
+++ b/tests/syscall/CMakeLists.txt
@@ -1,6 +1,7 @@
 # Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
+add_subdirectory(socket)
 if(UNIX)
 add_subdirectory(cpio)
 add_subdirectory(datagram)
@@ -10,7 +11,6 @@ add_subdirectory(hostfs)
 add_subdirectory(ids)
 add_subdirectory(poller)
 add_subdirectory(resolver)
-add_subdirectory(socket)
 add_subdirectory(socketpair)
 add_subdirectory(sendmsg)
 endif()
diff --git a/tests/syscall/platform/windows.h b/tests/syscall/platform/windows.h
index 8db83fe489..163f49c4a1 100644
--- a/tests/syscall/platform/windows.h
+++ b/tests/syscall/platform/windows.h
@@ -20,6 +20,7 @@ typedef SOCKET socket_t;
 typedef int socklen_t;
 typedef int length_t;
 typedef void pthread_attr_t;
+typedef uint16_t in_port_t;
 
 OE_INLINE int sleep(unsigned int seconds)
 {
diff --git a/tests/syscall/socket/enc/enc.c b/tests/syscall/socket/enc/enc.c
index 4a07589b2d..f0f3faed10 100644
--- a/tests/syscall/socket/enc/enc.c
+++ b/tests/syscall/socket/enc/enc.c
@@ -172,7 +172,6 @@ int ecall_run_server()
             printf("enc: accept failed errno = %d \n", oe_errno);
         }
     }
-
     oe_close(listenfd);
     printf("exit from server thread\n");
     return status;
diff --git a/tests/syscall/socket/host/host.c b/tests/syscall/socket/host/host.c
index e2991b8e64..1ecacff38a 100644
--- a/tests/syscall/socket/host/host.c
+++ b/tests/syscall/socket/host/host.c
@@ -16,6 +16,12 @@
 
 #define SERVER_PORT "12345"
 
+#if __linux__
+#define HOST_SOCKET_ERRNO errno
+#elif _WIN32
+#define HOST_SOCKET_ERRNO WSAGetLastError()
+#endif
+
 void* enclave_server_thread(void* arg)
 {
     oe_enclave_t* enclave = NULL;
@@ -47,7 +53,7 @@ void* host_server_thread(void* arg)
         setsockopt(listenfd, SOL_SOCKET, SO_REUSEADDR, (void*)&optVal, optLen);
     if (rtn > 0)
     {
-        printf("setsockopt failed errno = %d\n", errno);
+        printf("setsockopt failed errno = %d\n", HOST_SOCKET_ERRNO);
     }
     serv_addr.sin_family = AF_INET;
     serv_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
@@ -87,7 +93,7 @@ char* host_client(in_port_t port)
     static char recvBuff[1024];
     struct sockaddr_in serv_addr = {0};
 
-    memset(recvBuff, '0', sizeof(recvBuff));
+    memset(recvBuff, '\0', sizeof(recvBuff));
     if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
     {
         printf("\n Error : Could not create socket \n");
@@ -109,13 +115,18 @@ char* host_client(in_port_t port)
     {
         if (retries++ > max_retries)
         {
-            printf("\n Error : Connect Failed errno = %d\n", errno);
+            printf("\n Error : Connect Failed errno = %d\n", HOST_SOCKET_ERRNO);
             sock_close(sockfd);
             return NULL;
         }
-        else
+#if _WIN32        
+        else if(HOST_SOCKET_ERRNO == WSAEISCONN)
+        {
+            break;
+        }
+#endif        
         {
-            printf("Connect Failed. errno = %d Retrying \n", errno);
+            printf("Connect Failed. errno = %d Retrying \n", HOST_SOCKET_ERRNO);            
             sleep_msec(100);
         }
     }
@@ -130,9 +141,9 @@ char* host_client(in_port_t port)
         }
         else
         {
-            if (errno != EAGAIN)
+            if (HOST_SOCKET_ERRNO != EAGAIN)
             {
-                printf("Read error, errno = %d\n", errno);
+                printf("Read error, errno = %d\n", HOST_SOCKET_ERRNO);
                 sock_close(sockfd);
                 return NULL;
             }

From 81491bd081b4a0d98d99347d3faa20fab5a46a22 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Tue, 19 Nov 2019 17:09:00 -0800
Subject: [PATCH 326/420] Refactor socket syscalls

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 common/oe_host_socket.c             | 189 ++++++++++++++++++++++++++++
 common/oe_host_socket.h             |  47 +++++++
 host/CMakeLists.txt                 |   1 +
 host/linux/syscall.c                | 160 +++--------------------
 host/windows/syscall.c              |  59 +++++----
 syscall/devices/hostsock/hostsock.c |   7 +-
 tests/CMakeLists.txt                |   4 +-
 tests/syscall/socket/host/host.c    |   8 +-
 tests/tls_e2e/host/host.cpp         |   2 +
 9 files changed, 300 insertions(+), 177 deletions(-)
 create mode 100644 common/oe_host_socket.c
 create mode 100644 common/oe_host_socket.h

diff --git a/common/oe_host_socket.c b/common/oe_host_socket.c
new file mode 100644
index 0000000000..a283d8bb5e
--- /dev/null
+++ b/common/oe_host_socket.c
@@ -0,0 +1,189 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include "oe_host_socket.h"
+#include <stdlib.h>
+
+// Winsock and Linux POSIX socket APIs are nearly identical. The only difference
+// is the error handling. Simply define the necessary error macros and codes.
+// And the implementation can be shared.
+#ifdef _WIN32
+#define SOCKET_ERRNO() WSAGetLastError()
+#define SET_SOCKET_ERRNO(_err) WSASetLastError(_err)
+
+#undef EINVAL
+#define EINVAL WSAEINVAL
+
+#else
+
+#define SOCKET_ERRNO() errno
+#define SET_SOCKET_ERRNO(_err) \
+    do                         \
+    {                          \
+        errno = _err           \
+    } while (0)
+
+#endif
+
+static getaddrinfo_handle_t* _getaddrinfo_handle(void* handle_)
+{
+    getaddrinfo_handle_t* handle = (getaddrinfo_handle_t*)handle_;
+
+    if (!handle || handle->magic != GETADDRINFO_HANDLE_MAGIC || !handle->res)
+        return NULL;
+
+    return handle;
+}
+
+int _getaddrinfo_open_ocall(
+    const char* node,
+    const char* service,
+    const struct oe_addrinfo* hints,
+    uint64_t* handle_out)
+{
+    int ret = EAI_FAIL;
+    getaddrinfo_handle_t* handle = NULL;
+
+    SET_SOCKET_ERRNO(0);
+
+    if (handle_out)
+        *handle_out = 0;
+
+    if (!handle_out)
+    {
+        ret = EAI_SYSTEM;
+        SET_SOCKET_ERRNO(EINVAL);
+        goto done;
+    }
+
+    if (!(handle = calloc(1, sizeof(getaddrinfo_handle_t))))
+    {
+        ret = EAI_MEMORY;
+        goto done;
+    }
+
+    ret =
+        getaddrinfo(node, service, (const struct addrinfo*)hints, &handle->res);
+
+    if (ret == 0)
+    {
+        handle->magic = GETADDRINFO_HANDLE_MAGIC;
+        handle->next = handle->res;
+        *handle_out = (uint64_t)handle;
+        handle = NULL;
+    }
+
+done:
+
+    if (handle)
+        free(handle);
+
+    return ret;
+}
+
+int _getaddrinfo_read_ocall(
+    uint64_t handle_,
+    int* ai_flags,
+    int* ai_family,
+    int* ai_socktype,
+    int* ai_protocol,
+    oe_socklen_t ai_addrlen_in,
+    oe_socklen_t* ai_addrlen,
+    struct oe_sockaddr* ai_addr,
+    size_t ai_canonnamelen_in,
+    size_t* ai_canonnamelen,
+    char* ai_canonname)
+{
+    int ret = -1;
+    getaddrinfo_handle_t* handle = _cast_getaddrinfo_handle((void*)handle_);
+
+    SET_SOCKET_ERRNO(0);
+
+    if (!handle || !ai_flags || !ai_family || !ai_socktype || !ai_protocol ||
+        !ai_addrlen || !ai_canonnamelen)
+    {
+        SET_SOCKET_ERRNO(EINVAL);
+        goto done;
+    }
+
+    if (!ai_addr && ai_addrlen_in)
+    {
+        SET_SOCKET_ERRNO(EINVAL);
+        goto done;
+    }
+
+    if (!ai_canonname && ai_canonnamelen_in)
+    {
+        SET_SOCKET_ERRNO(EINVAL);
+        goto done;
+    }
+
+    if (handle->next)
+    {
+        struct addrinfo* p = handle->next;
+
+        *ai_flags = p->ai_flags;
+        *ai_family = p->ai_family;
+        *ai_socktype = p->ai_socktype;
+        *ai_protocol = p->ai_protocol;
+        *ai_addrlen = p->ai_addrlen;
+
+        if (p->ai_canonname)
+            *ai_canonnamelen = strlen(p->ai_canonname) + 1;
+        else
+            *ai_canonnamelen = 0;
+
+        if (*ai_addrlen > ai_addrlen_in)
+        {
+            errno = ENAMETOOLONG;
+            goto done;
+        }
+
+        if (*ai_canonnamelen > ai_canonnamelen_in)
+        {
+            errno = ENAMETOOLONG;
+            goto done;
+        }
+
+        memcpy(ai_addr, p->ai_addr, *ai_addrlen);
+
+        if (p->ai_canonname)
+            memcpy(ai_canonname, p->ai_canonname, *ai_canonnamelen);
+
+        handle->next = handle->next->ai_next;
+
+        ret = 0;
+        goto done;
+    }
+    else
+    {
+        /* Done */
+        ret = 1;
+        goto done;
+    }
+
+done:
+    return ret;
+}
+
+int _getaddrinfo_close_ocall(uint64_t handle_)
+{
+    int ret = -1;
+    getaddrinfo_handle_t* handle = _cast_getaddrinfo_handle((void*)handle_);
+
+    SET_SOCKET_ERRNO(0);
+
+    if (!handle)
+    {
+        SET_SOCKET_ERRNO(EINVAL);
+        goto done;
+    }
+
+    freeaddrinfo(handle->res);
+    free(handle);
+
+    ret = 0;
+
+done:
+    return ret;
+}
diff --git a/common/oe_host_socket.h b/common/oe_host_socket.h
new file mode 100644
index 0000000000..26add8d8bd
--- /dev/null
+++ b/common/oe_host_socket.h
@@ -0,0 +1,47 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#ifndef _OE_HOST_SOCKET_H
+#define _OE_HOST_SOCKET_H
+
+#include <openenclave/corelibc/bits/types.h>
+#include <openenclave/internal/syscall/types.h>
+#include <stdint.h>
+
+#ifdef _WIN32
+#include <winsock2.h>
+#else
+#include <sys/socket.h>
+#endif
+
+#define GETADDRINFO_HANDLE_MAGIC 0xed11d13a
+
+typedef struct _getaddrinfo_handle
+{
+    uint32_t magic;
+    struct addrinfo* res;
+    struct addrinfo* next;
+} getaddrinfo_handle_t;
+
+int _getaddrinfo_open_ocall(
+    const char* node,
+    const char* service,
+    const struct oe_addrinfo* hints,
+    uint64_t* handle_out);
+
+int _getaddrinfo_read_ocall(
+    uint64_t handle_,
+    int* ai_flags,
+    int* ai_family,
+    int* ai_socktype,
+    int* ai_protocol,
+    oe_socklen_t ai_addrlen_in,
+    oe_socklen_t* ai_addrlen,
+    struct oe_sockaddr* ai_addr,
+    size_t ai_canonnamelen_in,
+    size_t* ai_canonnamelen,
+    char* ai_canonname);
+
+int _getaddrinfo_close_ocall(uint64_t handle_);
+
+#endif // _OE_HOST_SOCKET_H
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index 65373168c5..550a146f08 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -220,6 +220,7 @@ endif()
 list(APPEND PLATFORM_HOST_ONLY_SRC
   ../common/attest_plugin.c
   ../common/datetime.c
+  ../common/oe_host_socket.c
   ../common/safecrt.c
   hexdump.c
   dupenv.c
diff --git a/host/linux/syscall.c b/host/linux/syscall.c
index dd84e4cc72..2163bb91c9 100644
--- a/host/linux/syscall.c
+++ b/host/linux/syscall.c
@@ -21,6 +21,7 @@
 #include <sys/uio.h>
 #include <sys/utsname.h>
 #include <unistd.h>
+#include "../common/oe_host_socket.h"
 #include "../host/strings.h"
 #include "syscall_u.h"
 
@@ -792,69 +793,13 @@ int oe_syscall_kill_ocall(int pid, int signum)
 **==============================================================================
 */
 
-#define GETADDRINFO_HANDLE_MAGIC 0xed11d13a
-
-typedef struct _getaddrinfo_handle
-{
-    uint32_t magic;
-    struct addrinfo* res;
-    struct addrinfo* next;
-} getaddrinfo_handle_t;
-
-static getaddrinfo_handle_t* _cast_getaddrinfo_handle(void* handle_)
-{
-    getaddrinfo_handle_t* handle = (getaddrinfo_handle_t*)handle_;
-
-    if (!handle || handle->magic != GETADDRINFO_HANDLE_MAGIC || !handle->res)
-        return NULL;
-
-    return handle;
-}
-
 int oe_syscall_getaddrinfo_open_ocall(
     const char* node,
     const char* service,
     const struct oe_addrinfo* hints,
     uint64_t* handle_out)
 {
-    int ret = EAI_FAIL;
-    getaddrinfo_handle_t* handle = NULL;
-
-    errno = 0;
-
-    if (handle_out)
-        *handle_out = 0;
-
-    if (!handle_out)
-    {
-        ret = EAI_SYSTEM;
-        errno = EINVAL;
-        goto done;
-    }
-
-    if (!(handle = calloc(1, sizeof(getaddrinfo_handle_t))))
-    {
-        ret = EAI_MEMORY;
-        goto done;
-    }
-
-    ret =
-        getaddrinfo(node, service, (const struct addrinfo*)hints, &handle->res);
-
-    if (ret == 0)
-    {
-        handle->magic = GETADDRINFO_HANDLE_MAGIC;
-        handle->next = handle->res;
-        *handle_out = (uint64_t)handle;
-        handle = NULL;
-    }
-
-done:
-
-    if (handle)
-        free(handle);
-
-    return ret;
+    return _getaddrinfo_open_ocall(node, service, hints, handle_out);
 }
 
 int oe_syscall_getaddrinfo_read_ocall(
@@ -870,98 +815,23 @@ int oe_syscall_getaddrinfo_read_ocall(
     size_t* ai_canonnamelen,
     char* ai_canonname)
 {
-    int ret = -1;
-    getaddrinfo_handle_t* handle = _cast_getaddrinfo_handle((void*)handle_);
-
-    errno = 0;
-
-    if (!handle || !ai_flags || !ai_family || !ai_socktype || !ai_protocol ||
-        !ai_addrlen || !ai_canonnamelen)
-    {
-        errno = EINVAL;
-        goto done;
-    }
-
-    if (!ai_addr && ai_addrlen_in)
-    {
-        errno = EINVAL;
-        goto done;
-    }
-
-    if (!ai_canonname && ai_canonnamelen_in)
-    {
-        errno = EINVAL;
-        goto done;
-    }
-
-    if (handle->next)
-    {
-        struct addrinfo* p = handle->next;
-
-        *ai_flags = p->ai_flags;
-        *ai_family = p->ai_family;
-        *ai_socktype = p->ai_socktype;
-        *ai_protocol = p->ai_protocol;
-        *ai_addrlen = p->ai_addrlen;
-
-        if (p->ai_canonname)
-            *ai_canonnamelen = strlen(p->ai_canonname) + 1;
-        else
-            *ai_canonnamelen = 0;
-
-        if (*ai_addrlen > ai_addrlen_in)
-        {
-            errno = ENAMETOOLONG;
-            goto done;
-        }
-
-        if (*ai_canonnamelen > ai_canonnamelen_in)
-        {
-            errno = ENAMETOOLONG;
-            goto done;
-        }
-
-        memcpy(ai_addr, p->ai_addr, *ai_addrlen);
-
-        if (p->ai_canonname)
-            memcpy(ai_canonname, p->ai_canonname, *ai_canonnamelen);
-
-        handle->next = handle->next->ai_next;
-
-        ret = 0;
-        goto done;
-    }
-    else
-    {
-        /* Done */
-        ret = 1;
-        goto done;
-    }
-
-done:
-    return ret;
+    return _get_addr_info_read_ocall(
+        handle_,
+        ai_flags,
+        ai_family,
+        ai_socktype,
+        ai_protocol,
+        ai_addrlen_in,
+        ai_addrlen,
+        ai_addr,
+        ai_canonnamelen_in,
+        ai_canonnamelen,
+        ai_canonname);
 }
 
 int oe_syscall_getaddrinfo_close_ocall(uint64_t handle_)
 {
-    int ret = -1;
-    getaddrinfo_handle_t* handle = _cast_getaddrinfo_handle((void*)handle_);
-
-    errno = 0;
-
-    if (!handle)
-    {
-        errno = EINVAL;
-        goto done;
-    }
-
-    freeaddrinfo(handle->res);
-    free(handle);
-
-    ret = 0;
-
-done:
-    return ret;
+    return _getaddrinfo_close_ocall(handle_);
 }
 
 int oe_syscall_getnameinfo_ocall(
diff --git a/host/windows/syscall.c b/host/windows/syscall.c
index 2cbeed8795..a96b3608a4 100644
--- a/host/windows/syscall.c
+++ b/host/windows/syscall.c
@@ -18,7 +18,6 @@
 #include <stdint.h>
 #include <sys/stat.h>
 
-
 // clang-format off
 
 #include <winsock2.h>
@@ -244,7 +243,6 @@ oe_host_fd_t oe_syscall_dup_ocall(oe_host_fd_t oldfd)
             break;
     }
 
-
     if (ret == -1)
         _set_errno(OE_EINVAL);
     else
@@ -322,32 +320,31 @@ int oe_syscall_rmdir_ocall(const char* pathname)
 */
 
 #define OE_SOCKET_FD_MAGIC 0x29b4a345c7564b57
-typedef struct win_socket_fd {
+typedef struct win_socket_fd
+{
     uint64_t magic;
     SOCKET socket;
 } oe_socket_fd_t;
 
-static oe_socket_fd_t _invalid_socket = {
-    OE_SOCKET_FD_MAGIC,
-    INVALID_SOCKET
-};
+static oe_socket_fd_t _invalid_socket = {OE_SOCKET_FD_MAGIC, INVALID_SOCKET};
 
 oe_host_fd_t _make_socket_fd(SOCKET sock)
 {
     oe_host_fd_t fd = (oe_host_fd_t)&_invalid_socket;
     if (sock != INVALID_SOCKET)
     {
-        oe_socket_fd_t* socket_fd = (oe_socket_fd_t*) malloc(sizeof(oe_socket_fd_t));
+        oe_socket_fd_t* socket_fd =
+            (oe_socket_fd_t*)malloc(sizeof(oe_socket_fd_t));
         socket_fd->magic = OE_SOCKET_FD_MAGIC;
         socket_fd->socket = sock;
-        fd = (oe_host_fd_t) socket_fd;
+        fd = (oe_host_fd_t)socket_fd;
     }
     return fd;
 }
 
 SOCKET _get_socket(oe_host_fd_t fd)
 {
-    oe_socket_fd_t* socket_fd = (oe_socket_fd_t*) fd;
+    oe_socket_fd_t* socket_fd = (oe_socket_fd_t*)fd;
     if (socket_fd && socket_fd->magic == OE_SOCKET_FD_MAGIC)
         return socket_fd->socket;
     return INVALID_SOCKET;
@@ -355,12 +352,13 @@ SOCKET _get_socket(oe_host_fd_t fd)
 
 static oe_host_fd_t _dup_socket(oe_host_fd_t oldfd)
 {
-    oe_socket_fd_t* old_socket_fd = (oe_socket_fd_t*) oldfd;
+    oe_socket_fd_t* old_socket_fd = (oe_socket_fd_t*)oldfd;
     if (old_socket_fd && old_socket_fd->magic == OE_SOCKET_FD_MAGIC)
     {
-        oe_socket_fd_t* new_socket_fd = (oe_socket_fd_t*) malloc(sizeof(oe_socket_fd_t));
+        oe_socket_fd_t* new_socket_fd =
+            (oe_socket_fd_t*)malloc(sizeof(oe_socket_fd_t));
         *new_socket_fd = *old_socket_fd;
-        return (oe_host_fd_t)(uint64_t) new_socket_fd;
+        return (oe_host_fd_t)(uint64_t)new_socket_fd;
     }
     return -1;
 }
@@ -371,7 +369,6 @@ oe_host_fd_t oe_syscall_socket_ocall(int domain, int type, int protocol)
     return _make_socket_fd(sock);
 }
 
-
 int oe_syscall_socketpair_ocall(
     int domain,
     int type,
@@ -386,7 +383,8 @@ int oe_syscall_connect_ocall(
     const struct oe_sockaddr* addr,
     oe_socklen_t addrlen)
 {
-   return connect(_get_socket(sockfd), (const struct sockaddr*) addr, (int) addrlen);
+    return connect(
+        _get_socket(sockfd), (const struct sockaddr*)addr, (int)addrlen);
 }
 
 oe_host_fd_t oe_syscall_accept_ocall(
@@ -395,8 +393,11 @@ oe_host_fd_t oe_syscall_accept_ocall(
     oe_socklen_t addrlen_in,
     oe_socklen_t* addrlen_out)
 {
-    int addrlen = (int) addrlen_in;
-    SOCKET conn_socket =  accept(_get_socket(sockfd), (struct sockaddr*) addr, addrlen_out ? &addrlen : NULL);
+    int addrlen = (int)addrlen_in;
+    SOCKET conn_socket = accept(
+        _get_socket(sockfd),
+        (struct sockaddr*)addr,
+        addrlen_out ? &addrlen : NULL);
     if (addrlen_out)
         *addrlen_out = addrlen;
     return _make_socket_fd(conn_socket);
@@ -407,7 +408,7 @@ int oe_syscall_bind_ocall(
     const struct oe_sockaddr* addr,
     oe_socklen_t addrlen)
 {
-    return bind(_get_socket(sockfd), (const struct sockaddr*) addr, addrlen);
+    return bind(_get_socket(sockfd), (const struct sockaddr*)addr, addrlen);
 }
 
 int oe_syscall_listen_ocall(oe_host_fd_t sockfd, int backlog)
@@ -633,7 +634,7 @@ int oe_syscall_getaddrinfo_open_ocall(
     const struct oe_addrinfo* hints,
     uint64_t* handle_out)
 {
-    PANIC;
+    return _getaddrinfo_open_ocall(node, service, hints, handle_out);
 }
 
 int oe_syscall_getaddrinfo_read_ocall(
@@ -649,12 +650,23 @@ int oe_syscall_getaddrinfo_read_ocall(
     size_t* ai_canonnamelen,
     char* ai_canonname)
 {
-    PANIC;
+    return _get_addr_info_read_ocall(
+        handle_,
+        ai_flags,
+        ai_family,
+        ai_socktype,
+        ai_protocol,
+        ai_addrlen_in,
+        ai_addrlen,
+        ai_addr,
+        ai_canonnamelen_in,
+        ai_canonnamelen,
+        ai_canonname);
 }
 
 int oe_syscall_getaddrinfo_close_ocall(uint64_t handle_)
 {
-    PANIC;
+    return _getaddrinfo_close_ocall(handle_);
 }
 
 int oe_syscall_getnameinfo_ocall(
@@ -789,7 +801,8 @@ int oe_syscall_getgroups_ocall(size_t size, unsigned int* list)
 
 int oe_syscall_uname_ocall(struct oe_utsname* buf)
 {
-    // Based on https://docs.microsoft.com/en-us/windows/win32/sysinfo/getting-the-system-version
+    // Based on
+    // https://docs.microsoft.com/en-us/windows/win32/sysinfo/getting-the-system-version
     // OE SDK is supported only on WindowsServer and Win10
     if (IsWindowsServer())
     {
@@ -799,7 +812,7 @@ int oe_syscall_uname_ocall(struct oe_utsname* buf)
         sprintf(buf->version, "2016OrAbove");
         return 0;
     }
-    else if(IsWindows10OrGreater())
+    else if (IsWindows10OrGreater())
     {
         sprintf(buf->nodename, "(unknown)");
         sprintf(buf->domainname, "(none)");
diff --git a/syscall/devices/hostsock/hostsock.c b/syscall/devices/hostsock/hostsock.c
index ba1ad7b240..cb0c956579 100644
--- a/syscall/devices/hostsock/hostsock.c
+++ b/syscall/devices/hostsock/hostsock.c
@@ -261,8 +261,11 @@ static oe_fd_t* _hostsock_accept(
         oe_host_fd_t retval = -1;
 
         if (oe_syscall_accept_ocall(
-                &retval, sock->host_fd, addr ? &buf.addr : NULL, addrlen_in, addrlen) !=
-            OE_OK)
+                &retval,
+                sock->host_fd,
+                addr ? &buf.addr : NULL,
+                addrlen_in,
+                addrlen) != OE_OK)
         {
             OE_RAISE_ERRNO(oe_errno);
         }
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index a113e56644..19119878e4 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -67,6 +67,7 @@ if (UNIX OR ADD_WINDOWS_ENCLAVE_TESTS OR USE_CLANGW)
         add_subdirectory(sealKey)
         add_subdirectory(stdc)
         add_subdirectory(syscall)
+        add_subdirectory(tls_e2e)
         add_subdirectory(VectorException)
     endif()
 
@@ -95,7 +96,4 @@ if (OE_SGX AND UNIX)
    # ecall_ocall enclave size cannot be handled by Windows ninja CI
    add_subdirectory(ecall_ocall)
    add_subdirectory(libunwind)
-
-   # Attestation supported only on Linux
-   add_subdirectory(tls_e2e)
 endif()
diff --git a/tests/syscall/socket/host/host.c b/tests/syscall/socket/host/host.c
index 1ecacff38a..e5654eca6e 100644
--- a/tests/syscall/socket/host/host.c
+++ b/tests/syscall/socket/host/host.c
@@ -119,14 +119,14 @@ char* host_client(in_port_t port)
             sock_close(sockfd);
             return NULL;
         }
-#if _WIN32        
-        else if(HOST_SOCKET_ERRNO == WSAEISCONN)
+#if _WIN32
+        else if (HOST_SOCKET_ERRNO == WSAEISCONN)
         {
             break;
         }
-#endif        
+#endif
         {
-            printf("Connect Failed. errno = %d Retrying \n", HOST_SOCKET_ERRNO);            
+            printf("Connect Failed. errno = %d Retrying \n", HOST_SOCKET_ERRNO);
             sleep_msec(100);
         }
     }
diff --git a/tests/tls_e2e/host/host.cpp b/tests/tls_e2e/host/host.cpp
index 5000f835f5..eebf386460 100644
--- a/tests/tls_e2e/host/host.cpp
+++ b/tests/tls_e2e/host/host.cpp
@@ -269,7 +269,9 @@ int run_scenarios_tests()
          {false, false, true},
          NEGATIVE_TEST}};
 
+#ifndef _WIN32
     signal(SIGPIPE, SIG_IGN);
+#endif
     test_configs.server.enclave = g_server_enclave;
     test_configs.client.enclave = g_client_enclave;
 

From 932b270cab029ab2ea491c5277cccf4541fd1877 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Fri, 22 Nov 2019 16:39:45 -0800
Subject: [PATCH 327/420] Fill out socket stubs on host side for Windows and
 unify socket error codes.

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 common/oe_host_socket.c                     | 189 -------------
 common/oe_host_socket.h                     |  94 ++++++-
 host/CMakeLists.txt                         |   1 -
 host/linux/syscall.c                        |  97 ++++++-
 host/windows/syscall.c                      | 296 ++++++++++++++++++--
 syscall/devices/hostresolver/hostresolver.c |   6 +-
 6 files changed, 446 insertions(+), 237 deletions(-)
 delete mode 100644 common/oe_host_socket.c

diff --git a/common/oe_host_socket.c b/common/oe_host_socket.c
deleted file mode 100644
index a283d8bb5e..0000000000
--- a/common/oe_host_socket.c
+++ /dev/null
@@ -1,189 +0,0 @@
-// Copyright (c) Open Enclave SDK contributors.
-// Licensed under the MIT License.
-
-#include "oe_host_socket.h"
-#include <stdlib.h>
-
-// Winsock and Linux POSIX socket APIs are nearly identical. The only difference
-// is the error handling. Simply define the necessary error macros and codes.
-// And the implementation can be shared.
-#ifdef _WIN32
-#define SOCKET_ERRNO() WSAGetLastError()
-#define SET_SOCKET_ERRNO(_err) WSASetLastError(_err)
-
-#undef EINVAL
-#define EINVAL WSAEINVAL
-
-#else
-
-#define SOCKET_ERRNO() errno
-#define SET_SOCKET_ERRNO(_err) \
-    do                         \
-    {                          \
-        errno = _err           \
-    } while (0)
-
-#endif
-
-static getaddrinfo_handle_t* _getaddrinfo_handle(void* handle_)
-{
-    getaddrinfo_handle_t* handle = (getaddrinfo_handle_t*)handle_;
-
-    if (!handle || handle->magic != GETADDRINFO_HANDLE_MAGIC || !handle->res)
-        return NULL;
-
-    return handle;
-}
-
-int _getaddrinfo_open_ocall(
-    const char* node,
-    const char* service,
-    const struct oe_addrinfo* hints,
-    uint64_t* handle_out)
-{
-    int ret = EAI_FAIL;
-    getaddrinfo_handle_t* handle = NULL;
-
-    SET_SOCKET_ERRNO(0);
-
-    if (handle_out)
-        *handle_out = 0;
-
-    if (!handle_out)
-    {
-        ret = EAI_SYSTEM;
-        SET_SOCKET_ERRNO(EINVAL);
-        goto done;
-    }
-
-    if (!(handle = calloc(1, sizeof(getaddrinfo_handle_t))))
-    {
-        ret = EAI_MEMORY;
-        goto done;
-    }
-
-    ret =
-        getaddrinfo(node, service, (const struct addrinfo*)hints, &handle->res);
-
-    if (ret == 0)
-    {
-        handle->magic = GETADDRINFO_HANDLE_MAGIC;
-        handle->next = handle->res;
-        *handle_out = (uint64_t)handle;
-        handle = NULL;
-    }
-
-done:
-
-    if (handle)
-        free(handle);
-
-    return ret;
-}
-
-int _getaddrinfo_read_ocall(
-    uint64_t handle_,
-    int* ai_flags,
-    int* ai_family,
-    int* ai_socktype,
-    int* ai_protocol,
-    oe_socklen_t ai_addrlen_in,
-    oe_socklen_t* ai_addrlen,
-    struct oe_sockaddr* ai_addr,
-    size_t ai_canonnamelen_in,
-    size_t* ai_canonnamelen,
-    char* ai_canonname)
-{
-    int ret = -1;
-    getaddrinfo_handle_t* handle = _cast_getaddrinfo_handle((void*)handle_);
-
-    SET_SOCKET_ERRNO(0);
-
-    if (!handle || !ai_flags || !ai_family || !ai_socktype || !ai_protocol ||
-        !ai_addrlen || !ai_canonnamelen)
-    {
-        SET_SOCKET_ERRNO(EINVAL);
-        goto done;
-    }
-
-    if (!ai_addr && ai_addrlen_in)
-    {
-        SET_SOCKET_ERRNO(EINVAL);
-        goto done;
-    }
-
-    if (!ai_canonname && ai_canonnamelen_in)
-    {
-        SET_SOCKET_ERRNO(EINVAL);
-        goto done;
-    }
-
-    if (handle->next)
-    {
-        struct addrinfo* p = handle->next;
-
-        *ai_flags = p->ai_flags;
-        *ai_family = p->ai_family;
-        *ai_socktype = p->ai_socktype;
-        *ai_protocol = p->ai_protocol;
-        *ai_addrlen = p->ai_addrlen;
-
-        if (p->ai_canonname)
-            *ai_canonnamelen = strlen(p->ai_canonname) + 1;
-        else
-            *ai_canonnamelen = 0;
-
-        if (*ai_addrlen > ai_addrlen_in)
-        {
-            errno = ENAMETOOLONG;
-            goto done;
-        }
-
-        if (*ai_canonnamelen > ai_canonnamelen_in)
-        {
-            errno = ENAMETOOLONG;
-            goto done;
-        }
-
-        memcpy(ai_addr, p->ai_addr, *ai_addrlen);
-
-        if (p->ai_canonname)
-            memcpy(ai_canonname, p->ai_canonname, *ai_canonnamelen);
-
-        handle->next = handle->next->ai_next;
-
-        ret = 0;
-        goto done;
-    }
-    else
-    {
-        /* Done */
-        ret = 1;
-        goto done;
-    }
-
-done:
-    return ret;
-}
-
-int _getaddrinfo_close_ocall(uint64_t handle_)
-{
-    int ret = -1;
-    getaddrinfo_handle_t* handle = _cast_getaddrinfo_handle((void*)handle_);
-
-    SET_SOCKET_ERRNO(0);
-
-    if (!handle)
-    {
-        SET_SOCKET_ERRNO(EINVAL);
-        goto done;
-    }
-
-    freeaddrinfo(handle->res);
-    free(handle);
-
-    ret = 0;
-
-done:
-    return ret;
-}
diff --git a/common/oe_host_socket.h b/common/oe_host_socket.h
index 26add8d8bd..8c564cdae2 100644
--- a/common/oe_host_socket.h
+++ b/common/oe_host_socket.h
@@ -23,13 +23,17 @@ typedef struct _getaddrinfo_handle
     struct addrinfo* next;
 } getaddrinfo_handle_t;
 
-int _getaddrinfo_open_ocall(
-    const char* node,
-    const char* service,
-    const struct oe_addrinfo* hints,
-    uint64_t* handle_out);
+OE_INLINE getaddrinfo_handle_t* _cast_getaddrinfo_handle(void* handle_)
+{
+    getaddrinfo_handle_t* handle = (getaddrinfo_handle_t*)handle_;
+
+    if (!handle || handle->magic != GETADDRINFO_HANDLE_MAGIC || !handle->res)
+        return NULL;
+
+    return handle;
+}
 
-int _getaddrinfo_read_ocall(
+OE_INLINE int _getaddrinfo_read(
     uint64_t handle_,
     int* ai_flags,
     int* ai_family,
@@ -40,8 +44,82 @@ int _getaddrinfo_read_ocall(
     struct oe_sockaddr* ai_addr,
     size_t ai_canonnamelen_in,
     size_t* ai_canonnamelen,
-    char* ai_canonname);
+    char* ai_canonname,
+    int* err_no)
+{
+    int ret = -1;
+    getaddrinfo_handle_t* handle = _cast_getaddrinfo_handle((void*)handle_);
+
+    if (!err_no) {
+        goto done;
+    }
+
+    if (!handle || !ai_flags || !ai_family || !ai_socktype || !ai_protocol ||
+        !ai_addrlen || !ai_canonnamelen)
+    {
+        *err_no = OE_EINVAL;
+
+        goto done;
+    }
+
+    if (!ai_addr && ai_addrlen_in)
+    {
+        *err_no = OE_EINVAL;
+        goto done;
+    }
+
+    if (!ai_canonname && ai_canonnamelen_in)
+    {
+        *err_no = OE_EINVAL;
+        goto done;
+    }
+
+    if (handle->next)
+    {
+        struct addrinfo* p = handle->next;
+
+        *ai_flags = p->ai_flags;
+        *ai_family = p->ai_family;
+        *ai_socktype = p->ai_socktype;
+        *ai_protocol = p->ai_protocol;
+        *ai_addrlen = p->ai_addrlen;
+
+        if (p->ai_canonname)
+            *ai_canonnamelen = strlen(p->ai_canonname) + 1;
+        else
+            *ai_canonnamelen = 0;
+
+        if (*ai_addrlen > ai_addrlen_in)
+        {
+            *err_no = OE_ENAMETOOLONG;
+            goto done;
+        }
+
+        if (*ai_canonnamelen > ai_canonnamelen_in)
+        {
+            *err_no = OE_ENAMETOOLONG;
+            goto done;
+        }
+
+        memcpy(ai_addr, p->ai_addr, *ai_addrlen);
+
+        if (p->ai_canonname)
+            memcpy(ai_canonname, p->ai_canonname, *ai_canonnamelen);
+
+        handle->next = handle->next->ai_next;
+
+        ret = 0;
+        goto done;
+    }
+    else
+    {
+        /* Done */
+        ret = 1;
+        goto done;
+    }
 
-int _getaddrinfo_close_ocall(uint64_t handle_);
+done:
+    return ret;
+}
 
 #endif // _OE_HOST_SOCKET_H
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index 550a146f08..65373168c5 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -220,7 +220,6 @@ endif()
 list(APPEND PLATFORM_HOST_ONLY_SRC
   ../common/attest_plugin.c
   ../common/datetime.c
-  ../common/oe_host_socket.c
   ../common/safecrt.c
   hexdump.c
   dupenv.c
diff --git a/host/linux/syscall.c b/host/linux/syscall.c
index 2163bb91c9..4a13be4ed7 100644
--- a/host/linux/syscall.c
+++ b/host/linux/syscall.c
@@ -21,7 +21,6 @@
 #include <sys/uio.h>
 #include <sys/utsname.h>
 #include <unistd.h>
-#include "../common/oe_host_socket.h"
 #include "../host/strings.h"
 #include "syscall_u.h"
 
@@ -793,13 +792,69 @@ int oe_syscall_kill_ocall(int pid, int signum)
 **==============================================================================
 */
 
+#define GETADDRINFO_HANDLE_MAGIC 0xed11d13a
+
+typedef struct _getaddrinfo_handle
+{
+    uint32_t magic;
+    struct addrinfo* res;
+    struct addrinfo* next;
+} getaddrinfo_handle_t;
+
+static getaddrinfo_handle_t* _cast_getaddrinfo_handle(void* handle_)
+{
+    getaddrinfo_handle_t* handle = (getaddrinfo_handle_t*)handle_;
+
+    if (!handle || handle->magic != GETADDRINFO_HANDLE_MAGIC || !handle->res)
+        return NULL;
+
+    return handle;
+}
+
 int oe_syscall_getaddrinfo_open_ocall(
     const char* node,
     const char* service,
     const struct oe_addrinfo* hints,
     uint64_t* handle_out)
 {
-    return _getaddrinfo_open_ocall(node, service, hints, handle_out);
+    int ret = EAI_FAIL;
+    getaddrinfo_handle_t* handle = NULL;
+
+    errno = 0;
+
+    if (handle_out)
+        *handle_out = 0;
+
+    if (!handle_out)
+    {
+        ret = EAI_SYSTEM;
+        errno = EINVAL;
+        goto done;
+    }
+
+    if (!(handle = calloc(1, sizeof(getaddrinfo_handle_t))))
+    {
+        ret = EAI_MEMORY;
+        goto done;
+    }
+
+    ret =
+        getaddrinfo(node, service, (const struct addrinfo*)hints, &handle->res);
+
+    if (ret == 0)
+    {
+        handle->magic = GETADDRINFO_HANDLE_MAGIC;
+        handle->next = handle->res;
+        *handle_out = (uint64_t)handle;
+        handle = NULL;
+    }
+
+done:
+
+    if (handle)
+        free(handle);
+
+    return ret;
 }
 
 int oe_syscall_getaddrinfo_read_ocall(
@@ -815,23 +870,35 @@ int oe_syscall_getaddrinfo_read_ocall(
     size_t* ai_canonnamelen,
     char* ai_canonname)
 {
-    return _get_addr_info_read_ocall(
-        handle_,
-        ai_flags,
-        ai_family,
-        ai_socktype,
-        ai_protocol,
-        ai_addrlen_in,
-        ai_addrlen,
-        ai_addr,
-        ai_canonnamelen_in,
-        ai_canonnamelen,
-        ai_canonname);
+    int err_no = OE_EFAIL;
+    int ret = _getaddrinfo_read(handle_, ai_flags, ai_family, ai_socktype, ai_protocol,
+            ai_addrlen_in, ai_addrlen, ai_addr, ai_canonnamelen_in,
+            ai_canonnamelen, ai_canonname, &err_no);
+    errno = err_no;
+
+    return ret;
 }
 
 int oe_syscall_getaddrinfo_close_ocall(uint64_t handle_)
 {
-    return _getaddrinfo_close_ocall(handle_);
+    int ret = -1;
+    getaddrinfo_handle_t* handle = _cast_getaddrinfo_handle((void*)handle_);
+
+    errno = 0;
+
+    if (!handle)
+    {
+        errno = EINVAL;
+        goto done;
+    }
+
+    freeaddrinfo(handle->res);
+    free(handle);
+
+    ret = 0;
+
+done:
+    return ret;
 }
 
 int oe_syscall_getnameinfo_ocall(
diff --git a/host/windows/syscall.c b/host/windows/syscall.c
index a96b3608a4..2f8fdf8134 100644
--- a/host/windows/syscall.c
+++ b/host/windows/syscall.c
@@ -31,8 +31,127 @@
 #include <openenclave/internal/syscall/dirent.h>
 #include <openenclave/internal/syscall/unistd.h>
 #include "../hostthread.h"
+#include "../../common/oe_host_socket.h"
 #include "syscall_u.h"
 
+/*
+**==============================================================================
+**
+** WINDOWS ERROR CONVERSION
+**
+**==============================================================================
+*/
+
+struct errno_tab_entry
+{
+    DWORD winerr;
+    int error_no;
+};
+
+static struct errno_tab_entry winsock2errno[] = {
+    {WSAEINTR, OE_EINTR},
+    {WSAEBADF, OE_EBADF},
+    {WSAEACCES, OE_EACCES},
+    {WSAEFAULT, OE_EFAULT},
+    {WSAEINVAL, OE_EINVAL},
+    {WSAEMFILE, OE_EMFILE},
+    {WSAEWOULDBLOCK, OE_EWOULDBLOCK},
+    {WSAEINPROGRESS, OE_EINPROGRESS},
+    {WSAEALREADY, OE_EALREADY},
+    {WSAENOTSOCK, OE_ENOTSOCK},
+    {WSAEDESTADDRREQ, OE_EDESTADDRREQ},
+    {WSAEMSGSIZE, OE_EMSGSIZE},
+    {WSAEPROTOTYPE, OE_EPROTOTYPE},
+    {WSAENOPROTOOPT, OE_ENOPROTOOPT},
+    {WSAEPROTONOSUPPORT, OE_EPROTONOSUPPORT},
+    {WSAESOCKTNOSUPPORT, OE_ESOCKTNOSUPPORT},
+    {WSAEOPNOTSUPP, OE_EOPNOTSUPP},
+    {WSAEPFNOSUPPORT, OE_EPFNOSUPPORT},
+    {WSAEAFNOSUPPORT, OE_EAFNOSUPPORT},
+    {WSAEADDRINUSE, OE_EADDRINUSE},
+    {WSAEADDRNOTAVAIL, OE_EADDRNOTAVAIL},
+    {WSAENETDOWN, OE_ENETDOWN},
+    {WSAENETUNREACH, OE_ENETUNREACH},
+    {WSAENETRESET, OE_ENETRESET},
+    {WSAECONNABORTED, OE_ECONNABORTED},
+    {WSAECONNRESET, OE_ECONNRESET},
+    {WSAENOBUFS, OE_ENOBUFS},
+    {WSAEISCONN, OE_EISCONN},
+    {WSAENOTCONN, OE_ENOTCONN},
+    {WSAESHUTDOWN, OE_ESHUTDOWN},
+    {WSAETOOMANYREFS, OE_ETOOMANYREFS},
+    {WSAETIMEDOUT, OE_ETIMEDOUT},
+    {WSAECONNREFUSED, OE_ECONNREFUSED},
+    {WSAELOOP, OE_ELOOP},
+    {WSAENAMETOOLONG, OE_ENAMETOOLONG},
+    {WSAEHOSTDOWN, OE_EHOSTDOWN},
+    {WSAEHOSTUNREACH, OE_EHOSTUNREACH},
+    {WSAENOTEMPTY, OE_ENOTEMPTY},
+    {WSAEUSERS, OE_EUSERS},
+    {WSAEDQUOT, OE_EDQUOT},
+    {WSAESTALE, OE_ESTALE},
+    {WSAEREMOTE, OE_EREMOTE},
+    {WSAEDISCON, 199},
+    {WSAEPROCLIM, 200},
+    {WSASYSNOTREADY, 201}, // Made up number but close to adjacent
+    {WSAVERNOTSUPPORTED, 202},
+    {WSANOTINITIALISED, 203},
+    {0, 0}};
+
+// From netdb.h
+#define EAI_BADFLAGS   -1
+#define EAI_NONAME     -2
+#define EAI_AGAIN      -3
+#define EAI_FAIL       -4
+#define EAI_FAMILY     -6
+#define EAI_SOCKTYPE   -7
+#define EAI_SERVICE    -8
+#define EAI_MEMORY     -10
+#define EAI_SYSTEM     -11
+#define EAI_OVERFLOW   -12
+
+static struct errno_tab_entry wsa2eai[] = {
+    {WSATRY_AGAIN, EAI_AGAIN},
+    {WSAEINVAL, EAI_BADFLAGS},
+    {WSAEAFNOSUPPORT, EAI_FAMILY},
+    {WSA_NOT_ENOUGH_MEMORY, EAI_MEMORY},
+    {WSAHOST_NOT_FOUND, EAI_NONAME},
+    {WSATYPE_NOT_FOUND, EAI_SERVICE},
+    {WSAESOCKTNOSUPPORT, EAI_SOCKTYPE},
+    {0, 0}};
+
+static int _winsockerr_to_errno(DWORD winsockerr)
+{
+    struct errno_tab_entry* pent = winsock2errno;
+    do
+    {
+        if (pent->winerr == winsockerr)
+        {
+            return pent->error_no;
+        }
+
+        pent++;
+    } while(pent->winerr != 0);
+
+    return OE_EINVAL;
+}
+
+static int _wsaerr_to_eai(DWORD winsockerr)
+{
+    struct errno_tab_entry* pent = wsa2eai;
+    do
+    {
+        if (pent->winerr == winsockerr)
+        {
+            return pent->error_no;
+        }
+
+        pent++;
+    } while(pent->winerr != 0);
+
+    return OE_EINVAL;
+}
+
 /*
 **==============================================================================
 **
@@ -363,9 +482,41 @@ static oe_host_fd_t _dup_socket(oe_host_fd_t oldfd)
     return -1;
 }
 
+static int _wsa_startup()
+{
+    static bool wsa_init_done = FALSE;
+    WSADATA wsaData;
+    int ret = 0;
+
+    if(!wsa_init_done)
+    {
+        ret = WSAStartup(2, &wsaData);
+        if(ret != 0)
+            goto done;
+
+        wsa_init_done = TRUE;
+    }
+
+done:
+    return ret;
+}
+
 oe_host_fd_t oe_syscall_socket_ocall(int domain, int type, int protocol)
 {
-    SOCKET sock = socket(domain, type, protocol);
+    SOCKET sock = INVALID_SOCKET;
+
+    if (_wsa_startup() != 0)
+    {
+        _set_errno(OE_EINVAL);
+        goto done;
+    }
+
+    sock = socket(domain, type, protocol);
+    if (sock == INVALID_SOCKET) {
+        _set_errno(_winsockerr_to_errno(WSAGetLastError()));
+    }
+
+done:
     return _make_socket_fd(sock);
 }
 
@@ -383,8 +534,13 @@ int oe_syscall_connect_ocall(
     const struct oe_sockaddr* addr,
     oe_socklen_t addrlen)
 {
-    return connect(
+    int ret = connect(
         _get_socket(sockfd), (const struct sockaddr*)addr, (int)addrlen);
+    if (ret != 0) {
+        _set_errno(_winsockerr_to_errno(WSAGetLastError()));
+    }
+
+    return ret;
 }
 
 oe_host_fd_t oe_syscall_accept_ocall(
@@ -398,8 +554,16 @@ oe_host_fd_t oe_syscall_accept_ocall(
         _get_socket(sockfd),
         (struct sockaddr*)addr,
         addrlen_out ? &addrlen : NULL);
+    if (conn_socket == INVALID_SOCKET)
+    {
+        _set_errno(_winsockerr_to_errno(WSAGetLastError()));
+        goto done;
+    }
+
     if (addrlen_out)
         *addrlen_out = addrlen;
+
+done:
     return _make_socket_fd(conn_socket);
 }
 
@@ -408,12 +572,22 @@ int oe_syscall_bind_ocall(
     const struct oe_sockaddr* addr,
     oe_socklen_t addrlen)
 {
-    return bind(_get_socket(sockfd), (const struct sockaddr*)addr, addrlen);
+    int ret = bind(_get_socket(sockfd), (const struct sockaddr*)addr, addrlen);
+    if (ret != 0) {
+        _set_errno(_winsockerr_to_errno(WSAGetLastError()));
+    }
+
+    return ret;
 }
 
 int oe_syscall_listen_ocall(oe_host_fd_t sockfd, int backlog)
 {
-    return listen(_get_socket(sockfd), backlog);
+    int ret = listen(_get_socket(sockfd), backlog);
+    if (ret != 0) {
+        _set_errno(_winsockerr_to_errno(WSAGetLastError()));
+    }
+
+    return ret;
 }
 
 ssize_t oe_syscall_recvmsg_ocall(
@@ -452,7 +626,12 @@ ssize_t oe_syscall_recv_ocall(
     size_t len,
     int flags)
 {
-    return recv(_get_socket(sockfd), (char*)buf, (int)len, flags);
+    int ret = recv(_get_socket(sockfd), (char*)buf, (int)len, flags);
+    if (ret != 0) {
+        _set_errno(_winsockerr_to_errno(WSAGetLastError()));
+    }
+
+    return ret;
 }
 
 ssize_t oe_syscall_recvfrom_ocall(
@@ -473,7 +652,12 @@ ssize_t oe_syscall_send_ocall(
     size_t len,
     int flags)
 {
-    return send(_get_socket(sockfd), buf, len, flags);
+    int ret = send(_get_socket(sockfd), buf, len, flags);
+    if (ret != 0) {
+        _set_errno(_winsockerr_to_errno(WSAGetLastError()));
+    }
+
+    return ret;
 }
 
 ssize_t oe_syscall_sendto_ocall(
@@ -517,6 +701,10 @@ int oe_syscall_close_socket_ocall(oe_host_fd_t sockfd)
     if (sock != INVALID_SOCKET)
     {
         r = closesocket(sock);
+        if (r != 0) {
+            _set_errno(_winsockerr_to_errno(WSAGetLastError()));
+        }
+
         free((oe_socket_fd_t*)sockfd);
     }
     return r;
@@ -570,7 +758,14 @@ int oe_syscall_setsockopt_ocall(
     const void* optval,
     oe_socklen_t optlen)
 {
-    return setsockopt(_get_socket(sockfd), level, optname, optval, optlen);
+
+    int ret = setsockopt(_get_socket(sockfd), level, optname, optval, optlen);
+    if (ret != 0) {
+        int err = _winsockerr_to_errno(WSAGetLastError());
+        _set_errno(err);
+    }
+
+    return ret;
 }
 
 int oe_syscall_getsockopt_ocall(
@@ -634,7 +829,54 @@ int oe_syscall_getaddrinfo_open_ocall(
     const struct oe_addrinfo* hints,
     uint64_t* handle_out)
 {
-    return _getaddrinfo_open_ocall(node, service, hints, handle_out);
+    int ret = EAI_FAIL;
+    getaddrinfo_handle_t* handle = NULL;
+
+    if (_wsa_startup() != 0)
+    {
+        _set_errno(OE_EINVAL);
+        goto done;
+    }
+
+    _set_errno(0);
+
+    if (handle_out)
+        *handle_out = 0;
+
+    if (!handle_out)
+    {
+        ret = EAI_SYSTEM;
+        _set_errno(OE_EINVAL);
+        goto done;
+    }
+
+    if (!(handle = calloc(1, sizeof(getaddrinfo_handle_t))))
+    {
+        ret = EAI_MEMORY;
+        _set_errno(OE_ENOMEM);
+        goto done;
+    }
+
+    ret =
+        getaddrinfo(node, service, (const struct addrinfo*)hints, &handle->res);
+    if (ret == 0)
+    {
+        handle->magic = GETADDRINFO_HANDLE_MAGIC;
+        handle->next = handle->res;
+        *handle_out = (uint64_t)handle;
+        handle = NULL;
+    }
+    else
+    {
+        ret = _wsaerr_to_eai(ret);
+    }
+
+done:
+
+    if (handle)
+        free(handle);
+
+    return ret;
 }
 
 int oe_syscall_getaddrinfo_read_ocall(
@@ -650,23 +892,35 @@ int oe_syscall_getaddrinfo_read_ocall(
     size_t* ai_canonnamelen,
     char* ai_canonname)
 {
-    return _get_addr_info_read_ocall(
-        handle_,
-        ai_flags,
-        ai_family,
-        ai_socktype,
-        ai_protocol,
-        ai_addrlen_in,
-        ai_addrlen,
-        ai_addr,
-        ai_canonnamelen_in,
-        ai_canonnamelen,
-        ai_canonname);
+    int err_no = 0;
+    int ret = _getaddrinfo_read(handle_, ai_flags, ai_family, ai_socktype, ai_protocol,
+            ai_addrlen_in, ai_addrlen, ai_addr, ai_canonnamelen_in,
+            ai_canonnamelen, ai_canonname, &err_no);
+    _set_errno(err_no);
+
+    return ret;
 }
 
 int oe_syscall_getaddrinfo_close_ocall(uint64_t handle_)
 {
-    return _getaddrinfo_close_ocall(handle_);
+    int ret = -1;
+    getaddrinfo_handle_t* handle = _cast_getaddrinfo_handle((void*)handle_);
+
+    _set_errno(0);
+
+    if (!handle)
+    {
+        _set_errno(OE_EINVAL);
+        goto done;
+    }
+
+    freeaddrinfo(handle->res);
+    free(handle);
+
+    ret = 0;
+
+done:
+    return ret;
 }
 
 int oe_syscall_getnameinfo_ocall(
diff --git a/syscall/devices/hostresolver/hostresolver.c b/syscall/devices/hostresolver/hostresolver.c
index fd6072e4b6..d2009c514f 100644
--- a/syscall/devices/hostresolver/hostresolver.c
+++ b/syscall/devices/hostresolver/hostresolver.c
@@ -102,7 +102,7 @@ static int _hostresolver_getaddrinfo(
                 &retval, node, service, hints, &handle) != OE_OK)
         {
             ret = OE_EAI_SYSTEM;
-            OE_RAISE_ERRNO(OE_EINVAL);
+            OE_RAISE_ERRNO(oe_errno);
         }
 
         if (!handle)
@@ -140,7 +140,7 @@ static int _hostresolver_getaddrinfo(
                 NULL) != OE_OK)
         {
             ret = OE_EAI_SYSTEM;
-            OE_RAISE_ERRNO(OE_EINVAL);
+            OE_RAISE_ERRNO(oe_errno);
         }
 
         /* If this is the final element in the enumeration. */
@@ -181,7 +181,7 @@ static int _hostresolver_getaddrinfo(
                 p->ai_canonname) != OE_OK)
         {
             ret = OE_EAI_SYSTEM;
-            OE_RAISE_ERRNO(OE_EINVAL);
+            OE_RAISE_ERRNO(oe_errno);
         }
 
         /* Append to the list. */

From fc85204611b777e32b9a898e22c8181c406525d3 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Mon, 25 Nov 2019 11:51:27 -0800
Subject: [PATCH 328/420] Add more socket syscalls to windows to support
 mbedtls

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 common/oe_host_socket.h |   3 +-
 host/linux/syscall.c    |  16 +++-
 host/windows/syscall.c  | 207 ++++++++++++++++++++++++++++------------
 3 files changed, 163 insertions(+), 63 deletions(-)

diff --git a/common/oe_host_socket.h b/common/oe_host_socket.h
index 8c564cdae2..6f883fd1e1 100644
--- a/common/oe_host_socket.h
+++ b/common/oe_host_socket.h
@@ -50,7 +50,8 @@ OE_INLINE int _getaddrinfo_read(
     int ret = -1;
     getaddrinfo_handle_t* handle = _cast_getaddrinfo_handle((void*)handle_);
 
-    if (!err_no) {
+    if (!err_no)
+    {
         goto done;
     }
 
diff --git a/host/linux/syscall.c b/host/linux/syscall.c
index 4a13be4ed7..fe806442b1 100644
--- a/host/linux/syscall.c
+++ b/host/linux/syscall.c
@@ -871,9 +871,19 @@ int oe_syscall_getaddrinfo_read_ocall(
     char* ai_canonname)
 {
     int err_no = OE_EFAIL;
-    int ret = _getaddrinfo_read(handle_, ai_flags, ai_family, ai_socktype, ai_protocol,
-            ai_addrlen_in, ai_addrlen, ai_addr, ai_canonnamelen_in,
-            ai_canonnamelen, ai_canonname, &err_no);
+    int ret = _getaddrinfo_read(
+        handle_,
+        ai_flags,
+        ai_family,
+        ai_socktype,
+        ai_protocol,
+        ai_addrlen_in,
+        ai_addrlen,
+        ai_addr,
+        ai_canonnamelen_in,
+        ai_canonnamelen,
+        ai_canonname,
+        &err_no);
     errno = err_no;
 
     return ret;
diff --git a/host/windows/syscall.c b/host/windows/syscall.c
index 2f8fdf8134..632b2cfe7c 100644
--- a/host/windows/syscall.c
+++ b/host/windows/syscall.c
@@ -42,13 +42,13 @@
 **==============================================================================
 */
 
-struct errno_tab_entry
+struct tab_entry
 {
-    DWORD winerr;
-    int error_no;
+    int key;
+    int val;
 };
 
-static struct errno_tab_entry winsock2errno[] = {
+static struct tab_entry winsock2errno[] = {
     {WSAEINTR, OE_EINTR},
     {WSAEBADF, OE_EBADF},
     {WSAEACCES, OE_EACCES},
@@ -98,58 +98,82 @@ static struct errno_tab_entry winsock2errno[] = {
     {WSANOTINITIALISED, 203},
     {0, 0}};
 
-// From netdb.h
-#define EAI_BADFLAGS   -1
-#define EAI_NONAME     -2
-#define EAI_AGAIN      -3
-#define EAI_FAIL       -4
-#define EAI_FAMILY     -6
-#define EAI_SOCKTYPE   -7
-#define EAI_SERVICE    -8
-#define EAI_MEMORY     -10
-#define EAI_SYSTEM     -11
-#define EAI_OVERFLOW   -12
-
-static struct errno_tab_entry wsa2eai[] = {
-    {WSATRY_AGAIN, EAI_AGAIN},
-    {WSAEINVAL, EAI_BADFLAGS},
-    {WSAEAFNOSUPPORT, EAI_FAMILY},
-    {WSA_NOT_ENOUGH_MEMORY, EAI_MEMORY},
-    {WSAHOST_NOT_FOUND, EAI_NONAME},
-    {WSATYPE_NOT_FOUND, EAI_SERVICE},
-    {WSAESOCKTNOSUPPORT, EAI_SOCKTYPE},
-    {0, 0}};
+/**
+ * Musl libc has redefined pretty much every define in socket.h so that
+ * constants passed as parameters are different if the enclave uses musl
+ * and the host uses a socket implementation that uses the original BSD
+ * defines (winsock, glibc, BSD libc). The following tables are 1-to-1 mappings
+ * from musl defines to bsd defines
+ */
+
+// Only SOL_SOCKET is different. All other socket level
+// defines are the same.
+static struct tab_entry musl2bsd_socket_level[] = {{1, SOL_SOCKET}, {0, 0}};
+
+static struct tab_entry musl2bsd_socket_option[] = {{1, SO_DEBUG},
+                                                    {2, SO_REUSEADDR},
+                                                    {3, SO_TYPE},
+                                                    {4, SO_ERROR},
+                                                    {5, SO_DONTROUTE},
+                                                    {6, SO_BROADCAST},
+                                                    {7, SO_SNDBUF},
+                                                    {8, SO_RCVBUF},
+                                                    {9, SO_KEEPALIVE},
+                                                    {10, SO_OOBINLINE},
+                                                    {13, SO_LINGER},
+                                                    {18, SO_RCVLOWAT},
+                                                    {19, SO_SNDLOWAT}};
 
-static int _winsockerr_to_errno(DWORD winsockerr)
-{
-    struct errno_tab_entry* pent = winsock2errno;
+// From netdb.h
+#define EAI_BADFLAGS -1
+#define EAI_NONAME -2
+#define EAI_AGAIN -3
+#define EAI_FAIL -4
+#define EAI_FAMILY -6
+#define EAI_SOCKTYPE -7
+#define EAI_SERVICE -8
+#define EAI_MEMORY -10
+#define EAI_SYSTEM -11
+#define EAI_OVERFLOW -12
+
+static struct tab_entry wsa2eai[] = {{WSATRY_AGAIN, EAI_AGAIN},
+                                     {WSAEINVAL, EAI_BADFLAGS},
+                                     {WSAEAFNOSUPPORT, EAI_FAMILY},
+                                     {WSA_NOT_ENOUGH_MEMORY, EAI_MEMORY},
+                                     {WSAHOST_NOT_FOUND, EAI_NONAME},
+                                     {WSATYPE_NOT_FOUND, EAI_SERVICE},
+                                     {WSAESOCKTNOSUPPORT, EAI_SOCKTYPE},
+                                     {0, 0}};
+
+static int _do_lookup(int key, int fallback, struct tab_entry* table)
+{
+    struct tab_entry* pent = table;
     do
     {
-        if (pent->winerr == winsockerr)
+        if (pent->key == key)
         {
-            return pent->error_no;
+            return pent->val;
         }
 
         pent++;
-    } while(pent->winerr != 0);
+    } while (pent->val != 0);
 
-    return OE_EINVAL;
+    return fallback;
 }
 
-static int _wsaerr_to_eai(DWORD winsockerr)
+static int _winsockerr_to_errno(DWORD winsockerr)
 {
-    struct errno_tab_entry* pent = wsa2eai;
-    do
-    {
-        if (pent->winerr == winsockerr)
-        {
-            return pent->error_no;
-        }
+    return _do_lookup(winsockerr, OE_EINVAL, winsock2errno);
+}
 
-        pent++;
-    } while(pent->winerr != 0);
+static int _wsaerr_to_eai(DWORD winsockerr)
+{
+    return _do_lookup(winsockerr, OE_EINVAL, wsa2eai);
+}
 
-    return OE_EINVAL;
+static int _musl_to_bsd(int musl_define, struct tab_entry* table)
+{
+    return _do_lookup(musl_define, OE_EINVAL, table);
 }
 
 /*
@@ -488,10 +512,10 @@ static int _wsa_startup()
     WSADATA wsaData;
     int ret = 0;
 
-    if(!wsa_init_done)
+    if (!wsa_init_done)
     {
         ret = WSAStartup(2, &wsaData);
-        if(ret != 0)
+        if (ret != 0)
             goto done;
 
         wsa_init_done = TRUE;
@@ -512,7 +536,8 @@ oe_host_fd_t oe_syscall_socket_ocall(int domain, int type, int protocol)
     }
 
     sock = socket(domain, type, protocol);
-    if (sock == INVALID_SOCKET) {
+    if (sock == INVALID_SOCKET)
+    {
         _set_errno(_winsockerr_to_errno(WSAGetLastError()));
     }
 
@@ -536,7 +561,8 @@ int oe_syscall_connect_ocall(
 {
     int ret = connect(
         _get_socket(sockfd), (const struct sockaddr*)addr, (int)addrlen);
-    if (ret != 0) {
+    if (ret != 0)
+    {
         _set_errno(_winsockerr_to_errno(WSAGetLastError()));
     }
 
@@ -573,7 +599,8 @@ int oe_syscall_bind_ocall(
     oe_socklen_t addrlen)
 {
     int ret = bind(_get_socket(sockfd), (const struct sockaddr*)addr, addrlen);
-    if (ret != 0) {
+    if (ret != 0)
+    {
         _set_errno(_winsockerr_to_errno(WSAGetLastError()));
     }
 
@@ -583,7 +610,8 @@ int oe_syscall_bind_ocall(
 int oe_syscall_listen_ocall(oe_host_fd_t sockfd, int backlog)
 {
     int ret = listen(_get_socket(sockfd), backlog);
-    if (ret != 0) {
+    if (ret != 0)
+    {
         _set_errno(_winsockerr_to_errno(WSAGetLastError()));
     }
 
@@ -627,7 +655,8 @@ ssize_t oe_syscall_recv_ocall(
     int flags)
 {
     int ret = recv(_get_socket(sockfd), (char*)buf, (int)len, flags);
-    if (ret != 0) {
+    if (ret != 0)
+    {
         _set_errno(_winsockerr_to_errno(WSAGetLastError()));
     }
 
@@ -653,7 +682,8 @@ ssize_t oe_syscall_send_ocall(
     int flags)
 {
     int ret = send(_get_socket(sockfd), buf, len, flags);
-    if (ret != 0) {
+    if (ret != 0)
+    {
         _set_errno(_winsockerr_to_errno(WSAGetLastError()));
     }
 
@@ -691,7 +721,13 @@ ssize_t oe_syscall_sendv_ocall(
 
 int oe_syscall_shutdown_ocall(oe_host_fd_t sockfd, int how)
 {
-    PANIC;
+    int ret = shutdown(_get_socket(sockfd), how);
+    if (ret != 0)
+    {
+        _set_errno(_winsockerr_to_errno(WSAGetLastError()));
+    }
+
+    return ret;
 }
 
 int oe_syscall_close_socket_ocall(oe_host_fd_t sockfd)
@@ -701,7 +737,8 @@ int oe_syscall_close_socket_ocall(oe_host_fd_t sockfd)
     if (sock != INVALID_SOCKET)
     {
         r = closesocket(sock);
-        if (r != 0) {
+        if (r != 0)
+        {
             _set_errno(_winsockerr_to_errno(WSAGetLastError()));
         }
 
@@ -710,6 +747,8 @@ int oe_syscall_close_socket_ocall(oe_host_fd_t sockfd)
     return r;
 }
 
+#define F_GETFL 3
+
 int oe_syscall_fcntl_ocall(
     oe_host_fd_t fd,
     int cmd,
@@ -717,7 +756,28 @@ int oe_syscall_fcntl_ocall(
     uint64_t argsize,
     void* argout)
 {
-    PANIC;
+    SOCKET sock;
+
+    if ((sock = _get_socket(fd)) != INVALID_SOCKET)
+    {
+        switch (cmd)
+        {
+            case F_GETFL:
+                // TODO: There is no way to get file access modes on winsock
+                // sockets. Currently this only exists to because mbedtls uses
+                // this syscall to check if the socket is blocking. If we want
+                // this syscall to actually work properly for other cases, this
+                // should be revisited.
+                return 0;
+            default:
+                PANIC;
+        }
+    }
+    else
+    {
+        // File operations are not supported
+        PANIC;
+    }
 }
 
 #define TIOCGWINSZ 0x5413
@@ -758,9 +818,12 @@ int oe_syscall_setsockopt_ocall(
     const void* optval,
     oe_socklen_t optlen)
 {
+    level = _musl_to_bsd(level, musl2bsd_socket_level);
+    optname = _musl_to_bsd(optname, musl2bsd_socket_option);
 
     int ret = setsockopt(_get_socket(sockfd), level, optname, optval, optlen);
-    if (ret != 0) {
+    if (ret != 0)
+    {
         int err = _winsockerr_to_errno(WSAGetLastError());
         _set_errno(err);
     }
@@ -776,7 +839,23 @@ int oe_syscall_getsockopt_ocall(
     oe_socklen_t optlen_in,
     oe_socklen_t* optlen_out)
 {
-    PANIC;
+    level = _musl_to_bsd(level, musl2bsd_socket_level);
+    optname = _musl_to_bsd(optname, musl2bsd_socket_option);
+
+    int ret =
+        getsockopt(_get_socket(sockfd), level, optname, optval, &optlen_in);
+    if (ret != 0)
+    {
+        int err = _winsockerr_to_errno(WSAGetLastError());
+        _set_errno(err);
+    }
+    else
+    {
+        if (optlen_out)
+            *optlen_out = optlen_in;
+    }
+
+    return ret;
 }
 
 int oe_syscall_getsockname_ocall(
@@ -893,9 +972,19 @@ int oe_syscall_getaddrinfo_read_ocall(
     char* ai_canonname)
 {
     int err_no = 0;
-    int ret = _getaddrinfo_read(handle_, ai_flags, ai_family, ai_socktype, ai_protocol,
-            ai_addrlen_in, ai_addrlen, ai_addr, ai_canonnamelen_in,
-            ai_canonnamelen, ai_canonname, &err_no);
+    int ret = _getaddrinfo_read(
+        handle_,
+        ai_flags,
+        ai_family,
+        ai_socktype,
+        ai_protocol,
+        ai_addrlen_in,
+        ai_addrlen,
+        ai_addr,
+        ai_canonnamelen_in,
+        ai_canonnamelen,
+        ai_canonname,
+        &err_no);
     _set_errno(err_no);
 
     return ret;

From a16e3725f26a2ddc290e57ab5f12f2f689c6f090 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Mon, 25 Nov 2019 14:50:14 -0800
Subject: [PATCH 329/420] Fix error code reporting and fix a couple places
 where unsafe functions are used and errors are not checked.

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 common/oe_host_socket.h                     |  22 ++--
 host/windows/syscall.c                      | 111 +++++++++++++-------
 include/openenclave/corelibc/errno.h        |   1 +
 syscall/devices/hostresolver/hostresolver.c |   6 +-
 tests/syscall/socket/host/host.c            |  18 ++--
 5 files changed, 96 insertions(+), 62 deletions(-)

diff --git a/common/oe_host_socket.h b/common/oe_host_socket.h
index 6f883fd1e1..a6e9c3fc94 100644
--- a/common/oe_host_socket.h
+++ b/common/oe_host_socket.h
@@ -90,23 +90,21 @@ OE_INLINE int _getaddrinfo_read(
         else
             *ai_canonnamelen = 0;
 
-        if (*ai_addrlen > ai_addrlen_in)
-        {
-            *err_no = OE_ENAMETOOLONG;
+        *err_no = memcpy_s(ai_addr, ai_addrlen_in, p->ai_addr, *ai_addrlen);
+        if (*err_no != 0)
             goto done;
-        }
 
-        if (*ai_canonnamelen > ai_canonnamelen_in)
+        if (p->ai_canonname)
         {
-            *err_no = OE_ENAMETOOLONG;
-            goto done;
+            *err_no = memcpy_s(
+                ai_canonname,
+                ai_canonnamelen_in,
+                p->ai_canonname,
+                *ai_canonnamelen);
+            if (*err_no != 0)
+                goto done;
         }
 
-        memcpy(ai_addr, p->ai_addr, *ai_addrlen);
-
-        if (p->ai_canonname)
-            memcpy(ai_canonname, p->ai_canonname, *ai_canonnamelen);
-
         handle->next = handle->next->ai_next;
 
         ret = 0;
diff --git a/host/windows/syscall.c b/host/windows/syscall.c
index 632b2cfe7c..25f1ad3f16 100644
--- a/host/windows/syscall.c
+++ b/host/windows/syscall.c
@@ -91,11 +91,11 @@ static struct tab_entry winsock2errno[] = {
     {WSAEDQUOT, OE_EDQUOT},
     {WSAESTALE, OE_ESTALE},
     {WSAEREMOTE, OE_EREMOTE},
-    {WSAEDISCON, 199},
-    {WSAEPROCLIM, 200},
-    {WSASYSNOTREADY, 201}, // Made up number but close to adjacent
-    {WSAVERNOTSUPPORTED, 202},
-    {WSANOTINITIALISED, 203},
+    {WSAEDISCON, OE_ESHUTDOWN},
+    {WSAEPROCLIM, OE_EPROCLIM},
+    {WSASYSNOTREADY, OE_EBUSY},
+    {WSAVERNOTSUPPORTED, OE_ENOTSUP},
+    {WSANOTINITIALISED, OE_ENXIO},
     {0, 0}};
 
 /**
@@ -124,25 +124,13 @@ static struct tab_entry musl2bsd_socket_option[] = {{1, SO_DEBUG},
                                                     {18, SO_RCVLOWAT},
                                                     {19, SO_SNDLOWAT}};
 
-// From netdb.h
-#define EAI_BADFLAGS -1
-#define EAI_NONAME -2
-#define EAI_AGAIN -3
-#define EAI_FAIL -4
-#define EAI_FAMILY -6
-#define EAI_SOCKTYPE -7
-#define EAI_SERVICE -8
-#define EAI_MEMORY -10
-#define EAI_SYSTEM -11
-#define EAI_OVERFLOW -12
-
-static struct tab_entry wsa2eai[] = {{WSATRY_AGAIN, EAI_AGAIN},
-                                     {WSAEINVAL, EAI_BADFLAGS},
-                                     {WSAEAFNOSUPPORT, EAI_FAMILY},
-                                     {WSA_NOT_ENOUGH_MEMORY, EAI_MEMORY},
-                                     {WSAHOST_NOT_FOUND, EAI_NONAME},
-                                     {WSATYPE_NOT_FOUND, EAI_SERVICE},
-                                     {WSAESOCKTNOSUPPORT, EAI_SOCKTYPE},
+static struct tab_entry wsa2eai[] = {{WSATRY_AGAIN, OE_EAI_AGAIN},
+                                     {WSAEINVAL, OE_EAI_BADFLAGS},
+                                     {WSAEAFNOSUPPORT, OE_EAI_FAMILY},
+                                     {WSA_NOT_ENOUGH_MEMORY, OE_EAI_MEMORY},
+                                     {WSAHOST_NOT_FOUND, OE_EAI_NONAME},
+                                     {WSATYPE_NOT_FOUND, OE_EAI_SERVICE},
+                                     {WSAESOCKTNOSUPPORT, OE_EAI_SOCKTYPE},
                                      {0, 0}};
 
 static int _do_lookup(int key, int fallback, struct tab_entry* table)
@@ -500,8 +488,15 @@ static oe_host_fd_t _dup_socket(oe_host_fd_t oldfd)
     {
         oe_socket_fd_t* new_socket_fd =
             (oe_socket_fd_t*)malloc(sizeof(oe_socket_fd_t));
-        *new_socket_fd = *old_socket_fd;
-        return (oe_host_fd_t)(uint64_t)new_socket_fd;
+        if (new_socket_fd)
+        {
+            *new_socket_fd = *old_socket_fd;
+            return (oe_host_fd_t)(uint64_t)new_socket_fd;
+        }
+        else
+        {
+            _set_errno(OE_ENOMEM);
+        }
     }
     return -1;
 }
@@ -654,8 +649,11 @@ ssize_t oe_syscall_recv_ocall(
     size_t len,
     int flags)
 {
-    int ret = recv(_get_socket(sockfd), (char*)buf, (int)len, flags);
-    if (ret != 0)
+    ssize_t ret;
+    _set_errno(0);
+
+    ret = recv(_get_socket(sockfd), (char*)buf, (int)len, flags);
+    if (ret == SOCKET_ERROR)
     {
         _set_errno(_winsockerr_to_errno(WSAGetLastError()));
     }
@@ -672,7 +670,27 @@ ssize_t oe_syscall_recvfrom_ocall(
     oe_socklen_t addrlen_in,
     oe_socklen_t* addrlen_out)
 {
-    PANIC;
+    ssize_t ret;
+    _set_errno(0);
+
+    ret = recvfrom(
+        _get_socket(sockfd),
+        (char*)buf,
+        (int)len,
+        flags,
+        (struct sockaddr*)src_addr,
+        addrlen_in);
+    if (ret == SOCKET_ERROR)
+    {
+        _set_errno(_winsockerr_to_errno(WSAGetLastError()));
+    }
+    else
+    {
+        if (addrlen_out)
+            *addrlen_out = addrlen_in;
+    }
+
+    return ret;
 }
 
 ssize_t oe_syscall_send_ocall(
@@ -681,8 +699,11 @@ ssize_t oe_syscall_send_ocall(
     size_t len,
     int flags)
 {
-    int ret = send(_get_socket(sockfd), buf, len, flags);
-    if (ret != 0)
+    ssize_t ret;
+    _set_errno(0);
+
+    ret = send(_get_socket(sockfd), buf, len, flags);
+    if (ret == SOCKET_ERROR)
     {
         _set_errno(_winsockerr_to_errno(WSAGetLastError()));
     }
@@ -698,7 +719,22 @@ ssize_t oe_syscall_sendto_ocall(
     const struct oe_sockaddr* src_addr,
     oe_socklen_t addrlen)
 {
-    PANIC;
+    ssize_t ret;
+    _set_errno(0);
+
+    ret = sendto(
+        _get_socket(sockfd),
+        buf,
+        len,
+        flags,
+        (struct sockaddr*)src_addr,
+        addrlen);
+    if (ret == SOCKET_ERROR)
+    {
+        _set_errno(_winsockerr_to_errno(WSAGetLastError()));
+    }
+
+    return ret;
 }
 
 ssize_t oe_syscall_recvv_ocall(
@@ -908,7 +944,7 @@ int oe_syscall_getaddrinfo_open_ocall(
     const struct oe_addrinfo* hints,
     uint64_t* handle_out)
 {
-    int ret = EAI_FAIL;
+    int ret = OE_EAI_FAIL;
     getaddrinfo_handle_t* handle = NULL;
 
     if (_wsa_startup() != 0)
@@ -920,18 +956,19 @@ int oe_syscall_getaddrinfo_open_ocall(
     _set_errno(0);
 
     if (handle_out)
+    {
         *handle_out = 0;
-
-    if (!handle_out)
+    }
+    else
     {
-        ret = EAI_SYSTEM;
+        ret = OE_EAI_SYSTEM;
         _set_errno(OE_EINVAL);
         goto done;
     }
 
     if (!(handle = calloc(1, sizeof(getaddrinfo_handle_t))))
     {
-        ret = EAI_MEMORY;
+        ret = OE_EAI_MEMORY;
         _set_errno(OE_ENOMEM);
         goto done;
     }
diff --git a/include/openenclave/corelibc/errno.h b/include/openenclave/corelibc/errno.h
index 87de95ff1e..eb44232351 100644
--- a/include/openenclave/corelibc/errno.h
+++ b/include/openenclave/corelibc/errno.h
@@ -153,6 +153,7 @@ OE_EXTERNC_BEGIN
 #define OE_ENOTRECOVERABLE 131
 #define OE_ERFKILL         132
 #define OE_EHWPOISON       133
+#define OE_EPROCLIM        134
 // clang-format on
 
 extern int* __oe_errno_location(void);
diff --git a/syscall/devices/hostresolver/hostresolver.c b/syscall/devices/hostresolver/hostresolver.c
index d2009c514f..fd6072e4b6 100644
--- a/syscall/devices/hostresolver/hostresolver.c
+++ b/syscall/devices/hostresolver/hostresolver.c
@@ -102,7 +102,7 @@ static int _hostresolver_getaddrinfo(
                 &retval, node, service, hints, &handle) != OE_OK)
         {
             ret = OE_EAI_SYSTEM;
-            OE_RAISE_ERRNO(oe_errno);
+            OE_RAISE_ERRNO(OE_EINVAL);
         }
 
         if (!handle)
@@ -140,7 +140,7 @@ static int _hostresolver_getaddrinfo(
                 NULL) != OE_OK)
         {
             ret = OE_EAI_SYSTEM;
-            OE_RAISE_ERRNO(oe_errno);
+            OE_RAISE_ERRNO(OE_EINVAL);
         }
 
         /* If this is the final element in the enumeration. */
@@ -181,7 +181,7 @@ static int _hostresolver_getaddrinfo(
                 p->ai_canonname) != OE_OK)
         {
             ret = OE_EAI_SYSTEM;
-            OE_RAISE_ERRNO(oe_errno);
+            OE_RAISE_ERRNO(OE_EINVAL);
         }
 
         /* Append to the list. */
diff --git a/tests/syscall/socket/host/host.c b/tests/syscall/socket/host/host.c
index e5654eca6e..fe251020b0 100644
--- a/tests/syscall/socket/host/host.c
+++ b/tests/syscall/socket/host/host.c
@@ -16,10 +16,8 @@
 
 #define SERVER_PORT "12345"
 
-#if __linux__
-#define HOST_SOCKET_ERRNO errno
-#elif _WIN32
-#define HOST_SOCKET_ERRNO WSAGetLastError()
+#if _WIN32
+#define errno WSAGetLastError()
 #endif
 
 void* enclave_server_thread(void* arg)
@@ -53,7 +51,7 @@ void* host_server_thread(void* arg)
         setsockopt(listenfd, SOL_SOCKET, SO_REUSEADDR, (void*)&optVal, optLen);
     if (rtn > 0)
     {
-        printf("setsockopt failed errno = %d\n", HOST_SOCKET_ERRNO);
+        printf("setsockopt failed errno = %d\n", errno);
     }
     serv_addr.sin_family = AF_INET;
     serv_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
@@ -115,18 +113,18 @@ char* host_client(in_port_t port)
     {
         if (retries++ > max_retries)
         {
-            printf("\n Error : Connect Failed errno = %d\n", HOST_SOCKET_ERRNO);
+            printf("\n Error : Connect Failed errno = %d\n", errno);
             sock_close(sockfd);
             return NULL;
         }
 #if _WIN32
-        else if (HOST_SOCKET_ERRNO == WSAEISCONN)
+        else if (errno == WSAEISCONN)
         {
             break;
         }
 #endif
         {
-            printf("Connect Failed. errno = %d Retrying \n", HOST_SOCKET_ERRNO);
+            printf("Connect Failed. errno = %d Retrying \n", errno);
             sleep_msec(100);
         }
     }
@@ -141,9 +139,9 @@ char* host_client(in_port_t port)
         }
         else
         {
-            if (HOST_SOCKET_ERRNO != EAGAIN)
+            if (errno != EAGAIN)
             {
-                printf("Read error, errno = %d\n", HOST_SOCKET_ERRNO);
+                printf("Read error, errno = %d\n", errno);
                 sock_close(sockfd);
                 return NULL;
             }

From f9b95e11bceb921f11230ce488fc40c8fbaba14e Mon Sep 17 00:00:00 2001
From: John Kordich <jkordich@gmail.com>
Date: Tue, 26 Nov 2019 08:58:57 -0800
Subject: [PATCH 330/420] Adjust CODEOWNERS based on CGC consensus.

Signed-off-by: John Kordich <jkordich@gmail.com>
---
 docs/CODEOWNERS | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/CODEOWNERS b/docs/CODEOWNERS
index f8220cbd1e..fbe11d3cb6 100644
--- a/docs/CODEOWNERS
+++ b/docs/CODEOWNERS
@@ -23,7 +23,7 @@
 /samples/ @andschwa @dthaler @soccerGB
 /syscall/ @mikbras @yakman2020
 # TODO: Break this folder out?
-/tests/ @EmilAlexandruStoica @mikbras
+/tests/ @radhikaj
 /tools/ @anakrish @CodeMonkeyLeet
 /tools/oeedger8r/ @andschwa @anakrish @jxyang
 /pkgconfig/ @gupta-ak @mikbras
@@ -37,8 +37,8 @@ windows/ @CodeMonkeyLeet @yakman2020
 crypto/ @CodeMonkeyLeet @gupta-ak
 
 # Match all CMake, anywhere.
-CMakeLists.txt @andschwa @BRMcLaren @EmilAlexandruStoica
-*.cmake @andschwa @BRMcLaren @EmilAlexandruStoica
+CMakeLists.txt @andschwa @BRMcLaren
+*.cmake @andschwa @BRMcLaren
 
 # Match all Markdown, anywhere.
 *.md @CodeMonkeyLeet @johnkord @andschwa @radhikaj

From caea613b6c01f343aa53e496b01610fe5e9338d3 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 26 Nov 2019 17:10:29 +0000
Subject: [PATCH 331/420] Add Radhika to CGC

As approved in the 11/26/2019 CGC meeting.

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 docs/Committers.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/Committers.md b/docs/Committers.md
index 9de79de3fb..e4fade13d1 100644
--- a/docs/Committers.md
+++ b/docs/Committers.md
@@ -36,6 +36,7 @@ Committee Members
 | Dave Thaler          | Microsoft | dthaler@microsoft.com         | dthaler        |
 | John Kordich         | Microsoft | jkordich@gmail.com            | johnkord       |
 | Mike Brasher         | Microsoft | mikbras@microsoft.com         | mikbras        |
+| Radhika Jandhyala    | Microsoft | radhikaj@microsoft.com        | radhikaj       |
 | Simon Leet           | Microsoft | simon.leet@microsoft.com      | CodeMonkeyLeet |
 
 Committee Responsibilities

From cae02fd410a27a7ba4128439e98768765c1e9cf2 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 26 Nov 2019 17:12:51 +0000
Subject: [PATCH 332/420] Add Jordan Hand to Committers

As approved in the 11/26/20119 CGC meeting.

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 docs/Committers.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/Committers.md b/docs/Committers.md
index e4fade13d1..91c8262ef8 100644
--- a/docs/Committers.md
+++ b/docs/Committers.md
@@ -99,6 +99,7 @@ instead, it should be brought up with the Community Governance Committee.
 | Sergio Wong           | jazzybluesea        | Attestation, SGX               |
 | Jiri Appl             | jiria               | Attestation, TrustZone         |
 | John Kordich          | johnkord            | Build, CI, Dev Tools, Release  |
+| Jordan Hand           | jhand2              | Windows, Build, SGX            |
 | Xuejun Yang           | jxyang              | SGX                            |
 | Mike Brasher          | mikbras             | SGX, APIs, EDL                 |
 | Marius Oprin          | oprinmarius         | Build, CMake, CI, Ansible      |

From bd01f605becce04b9bcd28b9071cac75925e6b60 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Fri, 22 Nov 2019 23:05:59 +0000
Subject: [PATCH 333/420] Split out Common code

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/src/Common.ml  | 227 +++++++++++++++++++++++++++++++++
 tools/oeedger8r/src/Emitter.ml | 223 +-------------------------------
 2 files changed, 228 insertions(+), 222 deletions(-)
 create mode 100644 tools/oeedger8r/src/Common.ml

diff --git a/tools/oeedger8r/src/Common.ml b/tools/oeedger8r/src/Common.ml
new file mode 100644
index 0000000000..e1a735b92e
--- /dev/null
+++ b/tools/oeedger8r/src/Common.ml
@@ -0,0 +1,227 @@
+(* Copyright (c) Open Enclave SDK contributors.
+   Licensed under the MIT License. *)
+
+open Intel.Ast
+open Printf
+
+(** ----- Begin code borrowed and tweaked from {!CodeGen.ml}. ----- *)
+let is_foreign_array (pt : parameter_type) =
+  match pt with
+  | PTVal _ -> false
+  | PTPtr (t, a) -> ( match t with Foreign _ -> a.pa_isary | _ -> false )
+
+(** Get the array declaration from a list of array dimensions. Empty
+    [ns] indicates the corresponding declarator is a simple identifier.
+    Element of value -1 means that user does not specify the dimension
+    size. *)
+let get_array_dims (ns : int list) =
+  let get_dim n = if n = -1 then "[]" else sprintf "[%d]" n in
+  String.concat "" (List.map get_dim ns)
+
+let get_typed_declr_str (ty : atype) (declr : declarator) =
+  let tystr = get_tystr ty in
+  let dmstr = get_array_dims declr.array_dims in
+  sprintf "%s %s%s" tystr declr.identifier dmstr
+
+(** Check whether given parameter [pt] is [const] specified. *)
+let is_const_ptr (pt : parameter_type) =
+  let aty = get_param_atype pt in
+  match pt with
+  | PTVal _ -> false
+  | PTPtr (_, pa) -> (
+      if not pa.pa_rdonly then false
+      else match aty with Foreign _ -> false | _ -> true )
+
+(** Generate parameter [p] representation. *)
+let gen_parm_str (p : pdecl) =
+  let pt, (declr : declarator) = p in
+  let aty = get_param_atype pt in
+  let str = get_typed_declr_str aty declr in
+  if is_const_ptr pt then "const " ^ str else str
+
+(** [conv_array_to_ptr] is used to convert Array form into Pointer form.
+    {[
+      int array[10][20] => [count = 200] int* array
+    ]}
+
+    This function is called when generating proxy/bridge code and the
+    marshalling structure. *)
+let conv_array_to_ptr (pd : pdecl) : pdecl =
+  let pt, declr = pd in
+  let get_count_attr ilist =
+    (* XXX: assume the size of each dimension will be > 0. *)
+    ANumber (List.fold_left (fun acc i -> acc * i) 1 ilist)
+  in
+  match pt with
+  | PTVal _ -> (pt, declr)
+  | PTPtr (aty, pa) ->
+      if is_array declr then
+        let tmp_declr = { declr with array_dims = [] } in
+        let tmp_aty = Ptr aty in
+        let tmp_cnt = get_count_attr declr.array_dims in
+        let tmp_pa =
+          { pa with pa_size = { empty_ptr_size with ps_count = Some tmp_cnt } }
+        in
+        (PTPtr (tmp_aty, tmp_pa), tmp_declr)
+      else (pt, declr)
+
+(** ----- End code borrowed and tweaked from {!CodeGen.ml} ----- *)
+
+(* Helper to map and filter out None at the same time. *)
+let filter_map f l = List.of_seq (Seq.filter_map f (List.to_seq l))
+
+(* Helper to flatten and map at the same time. *)
+let flatten_map f l = List.flatten (List.map f l)
+
+let flatten_map2 f l m = List.flatten (List.map2 f l m)
+
+let is_in_ptr = function
+  | PTVal _ -> false
+  | PTPtr (_, a) -> a.pa_chkptr && a.pa_direction = PtrIn
+
+let is_out_ptr = function
+  | PTVal _ -> false
+  | PTPtr (_, a) -> a.pa_chkptr && a.pa_direction = PtrOut
+
+let is_inout_ptr = function
+  | PTVal _ -> false
+  | PTPtr (_, a) -> a.pa_chkptr && a.pa_direction = PtrInOut
+
+let is_in_or_inout_ptr (p, _) = is_in_ptr p || is_inout_ptr p
+
+let is_out_or_inout_ptr (p, _) = is_out_ptr p || is_inout_ptr p
+
+let is_str_ptr = function PTVal _ -> false | PTPtr (_, a) -> a.pa_isstr
+
+let is_wstr_ptr = function PTVal _ -> false | PTPtr (_, a) -> a.pa_iswstr
+
+let is_str_or_wstr_ptr (p, _) = is_str_ptr p || is_wstr_ptr p
+
+(* This tests if the member has a non-empty size attribute,
+   implying that it should be marshalled. *)
+let is_marshalled_ptr = function
+  | PTPtr (_, attr) -> attr.pa_size <> empty_ptr_size
+  | PTVal _ -> false
+
+let gen_c_for level count body =
+  if count = "1" then body
+  else
+    let i = sprintf "_i_%i" level in
+    [
+      [ sprintf "for (size_t %s = 0; %s < %s; %s++)" i i count i ];
+      [ "{" ];
+      List.map (( ^ ) "    ") body;
+      [ "}" ];
+    ]
+    |> List.flatten
+
+let gen_c_deref level i = if i = "1" then "->" else sprintf "[_i_%i]." level
+
+(** [write_file] opens [filename] in the directory [dir] and emits a
+    comment noting the file is auto generated followed by the
+    [content], it then closes the file. *)
+let write_file (content : string list) (filename : string) (dir : string) =
+  let os =
+    if dir = "." then open_out filename
+    else open_out (dir ^ Intel.Util.separator_str ^ filename)
+  in
+  fprintf os "%s"
+    (String.concat "\n"
+       ( [
+           "/*";
+           " *  This file is auto generated by oeedger8r. DO NOT EDIT.";
+           " */";
+         ]
+       @ content ));
+  close_out os
+
+let get_type_expr ptype =
+  (* Get the base type of the parameter. That is, yield its [atype],
+     unless it is a pointer, in which case decompose and yield the
+     [atype] the pointer points to. *)
+  let param_atype =
+    let a = get_param_atype ptype in
+    match a with Ptr p -> p | _ -> a
+  in
+  let tystr = get_tystr param_atype in
+  match ptype with
+  | PTPtr (_, ptr_attr) when ptr_attr.pa_isptr -> sprintf "*(%s)0" tystr
+  | _ -> tystr
+
+(** For a list of args and current count, get the corresponding
+   argstruct variable name. The prefix is usually, but not always,
+   ["_args."].*)
+let oe_get_argstruct prefix args count =
+  match args with
+  | [] -> prefix
+  | hd :: _ -> prefix ^ hd ^ gen_c_deref (List.length args) count
+
+let attr_value_to_string argstruct = function
+  | None -> None
+  | Some (ANumber n) -> Some (string_of_int n)
+  | Some (AString s) -> Some (argstruct ^ s)
+
+(** For a parameter, get its size expression. *)
+let get_param_size (ptype, decl, argstruct) =
+  let type_expr = get_type_expr ptype in
+  let get_ptr_or_decl_size (p : ptr_size) =
+    let size = attr_value_to_string argstruct p.ps_size
+    and count = attr_value_to_string argstruct p.ps_count in
+    match (size, count) with
+    | Some s, None -> s
+    | None, Some c -> sprintf "(%s * sizeof(%s))" c type_expr
+    (* TODO: Check that this is an even multiple of the size of type. *)
+    | Some s, Some c -> sprintf "(%s * %s)" s c
+    | None, None ->
+        sprintf "sizeof(%s%s)" type_expr (get_array_dims decl.array_dims)
+  in
+  match ptype with
+  | PTPtr (_, ptr_attr) ->
+      if ptr_attr.pa_isstr then
+        Some (argstruct ^ decl.identifier ^ "_len * sizeof(char)")
+      else if ptr_attr.pa_iswstr then
+        Some (argstruct ^ decl.identifier ^ "_len * sizeof(wchar_t)")
+      else if ptr_attr.pa_chkptr then
+        Some (get_ptr_or_decl_size ptr_attr.pa_size)
+      else None
+  (* Values have no marshalling size. *)
+  | _ -> None
+
+let oe_get_param_size (ptype, decl, argstruct) =
+  match get_param_size (ptype, decl, argstruct) with
+  | Some size -> size
+  | None -> Intel.Util.failwithf "Error: No size for " ^ decl.identifier
+
+(** For a parameter, get its count expression. *)
+let get_param_count (ptype, decl, argstruct) =
+  let type_expr = get_type_expr ptype in
+  let get_ptr_or_decl_count (p : ptr_size) =
+    let size = attr_value_to_string argstruct p.ps_size
+    and count = attr_value_to_string argstruct p.ps_count in
+    match (size, count) with
+    (* TODO: Check that these are even multiples of the size of type. *)
+    | Some s, None -> sprintf "(%s / sizeof(%s))" s type_expr
+    | None, Some c -> c
+    | Some s, Some c -> sprintf "((%s * %s) / sizeof(%s))" s c type_expr
+    | None, None ->
+        let dims = List.map string_of_int decl.array_dims in
+        String.concat " * " dims
+  in
+  match ptype with
+  | PTPtr (_, ptr_attr) ->
+      (* The count of a string is its length. *)
+      if ptr_attr.pa_isstr || ptr_attr.pa_iswstr then
+        (* TODO: Double-check that this length includes the
+           null-terminator. *)
+        Some (argstruct ^ decl.identifier ^ "_len")
+      else if ptr_attr.pa_chkptr then
+        Some (get_ptr_or_decl_count ptr_attr.pa_size)
+        (* TODO: Should be able to return [Some "1"] for plain
+           pointers and values. *)
+      else None
+  | PTVal _ -> None
+
+let oe_get_param_count (ptype, decl, argstruct) =
+  match get_param_count (ptype, decl, argstruct) with
+  | Some count -> count
+  | None -> Intel.Util.failwithf "Error: No count for " ^ decl.identifier
diff --git a/tools/oeedger8r/src/Emitter.ml b/tools/oeedger8r/src/Emitter.ml
index 86420fdbca..43f8f05d03 100644
--- a/tools/oeedger8r/src/Emitter.ml
+++ b/tools/oeedger8r/src/Emitter.ml
@@ -7,228 +7,7 @@
 
 open Intel.Ast
 open Printf
-
-(** ----- Begin code borrowed and tweaked from {!CodeGen.ml}. ----- *)
-let is_foreign_array (pt : parameter_type) =
-  match pt with
-  | PTVal _ -> false
-  | PTPtr (t, a) -> ( match t with Foreign _ -> a.pa_isary | _ -> false )
-
-(** Get the array declaration from a list of array dimensions. Empty
-    [ns] indicates the corresponding declarator is a simple identifier.
-    Element of value -1 means that user does not specify the dimension
-    size. *)
-let get_array_dims (ns : int list) =
-  let get_dim n = if n = -1 then "[]" else sprintf "[%d]" n in
-  String.concat "" (List.map get_dim ns)
-
-let get_typed_declr_str (ty : atype) (declr : declarator) =
-  let tystr = get_tystr ty in
-  let dmstr = get_array_dims declr.array_dims in
-  sprintf "%s %s%s" tystr declr.identifier dmstr
-
-(** Check whether given parameter [pt] is [const] specified. *)
-let is_const_ptr (pt : parameter_type) =
-  let aty = get_param_atype pt in
-  match pt with
-  | PTVal _ -> false
-  | PTPtr (_, pa) -> (
-      if not pa.pa_rdonly then false
-      else match aty with Foreign _ -> false | _ -> true )
-
-(** Generate parameter [p] representation. *)
-let gen_parm_str (p : pdecl) =
-  let pt, (declr : declarator) = p in
-  let aty = get_param_atype pt in
-  let str = get_typed_declr_str aty declr in
-  if is_const_ptr pt then "const " ^ str else str
-
-(** [conv_array_to_ptr] is used to convert Array form into Pointer form.
-    {[
-      int array[10][20] => [count = 200] int* array
-    ]}
-
-    This function is called when generating proxy/bridge code and the
-    marshalling structure. *)
-let conv_array_to_ptr (pd : pdecl) : pdecl =
-  let pt, declr = pd in
-  let get_count_attr ilist =
-    (* XXX: assume the size of each dimension will be > 0. *)
-    ANumber (List.fold_left (fun acc i -> acc * i) 1 ilist)
-  in
-  match pt with
-  | PTVal _ -> (pt, declr)
-  | PTPtr (aty, pa) ->
-      if is_array declr then
-        let tmp_declr = { declr with array_dims = [] } in
-        let tmp_aty = Ptr aty in
-        let tmp_cnt = get_count_attr declr.array_dims in
-        let tmp_pa =
-          { pa with pa_size = { empty_ptr_size with ps_count = Some tmp_cnt } }
-        in
-        (PTPtr (tmp_aty, tmp_pa), tmp_declr)
-      else (pt, declr)
-
-(** ----- End code borrowed and tweaked from {!CodeGen.ml} ----- *)
-
-(* Helper to map and filter out None at the same time. *)
-let filter_map f l = List.of_seq (Seq.filter_map f (List.to_seq l))
-
-(* Helper to flatten and map at the same time. *)
-let flatten_map f l = List.flatten (List.map f l)
-
-let flatten_map2 f l m = List.flatten (List.map2 f l m)
-
-let is_in_ptr = function
-  | PTVal _ -> false
-  | PTPtr (_, a) -> a.pa_chkptr && a.pa_direction = PtrIn
-
-let is_out_ptr = function
-  | PTVal _ -> false
-  | PTPtr (_, a) -> a.pa_chkptr && a.pa_direction = PtrOut
-
-let is_inout_ptr = function
-  | PTVal _ -> false
-  | PTPtr (_, a) -> a.pa_chkptr && a.pa_direction = PtrInOut
-
-let is_in_or_inout_ptr (p, _) = is_in_ptr p || is_inout_ptr p
-
-let is_out_or_inout_ptr (p, _) = is_out_ptr p || is_inout_ptr p
-
-let is_str_ptr = function PTVal _ -> false | PTPtr (_, a) -> a.pa_isstr
-
-let is_wstr_ptr = function PTVal _ -> false | PTPtr (_, a) -> a.pa_iswstr
-
-let is_str_or_wstr_ptr (p, _) = is_str_ptr p || is_wstr_ptr p
-
-(* This tests if the member has a non-empty size attribute,
-   implying that it should be marshalled. *)
-let is_marshalled_ptr = function
-  | PTPtr (_, attr) -> attr.pa_size <> empty_ptr_size
-  | PTVal _ -> false
-
-let gen_c_for level count body =
-  if count = "1" then body
-  else
-    let i = sprintf "_i_%i" level in
-    [
-      [ sprintf "for (size_t %s = 0; %s < %s; %s++)" i i count i ];
-      [ "{" ];
-      List.map (( ^ ) "    ") body;
-      [ "}" ];
-    ]
-    |> List.flatten
-
-let gen_c_deref level i = if i = "1" then "->" else sprintf "[_i_%i]." level
-
-(** [write_file] opens [filename] in the directory [dir] and emits a
-    comment noting the file is auto generated followed by the
-    [content], it then closes the file. *)
-let write_file (content : string list) (filename : string) (dir : string) =
-  let os =
-    if dir = "." then open_out filename
-    else open_out (dir ^ Intel.Util.separator_str ^ filename)
-  in
-  fprintf os "%s"
-    (String.concat "\n"
-       ( [
-           "/*";
-           " *  This file is auto generated by oeedger8r. DO NOT EDIT.";
-           " */";
-         ]
-       @ content ));
-  close_out os
-
-let get_type_expr ptype =
-  (* Get the base type of the parameter. That is, yield its [atype],
-     unless it is a pointer, in which case decompose and yield the
-     [atype] the pointer points to. *)
-  let param_atype =
-    let a = get_param_atype ptype in
-    match a with Ptr p -> p | _ -> a
-  in
-  let tystr = get_tystr param_atype in
-  match ptype with
-  | PTPtr (_, ptr_attr) when ptr_attr.pa_isptr -> sprintf "*(%s)0" tystr
-  | _ -> tystr
-
-(** For a list of args and current count, get the corresponding
-   argstruct variable name. The prefix is usually, but not always,
-   ["_args."].*)
-let oe_get_argstruct prefix args count =
-  match args with
-  | [] -> prefix
-  | hd :: _ -> prefix ^ hd ^ gen_c_deref (List.length args) count
-
-let attr_value_to_string argstruct = function
-  | None -> None
-  | Some (ANumber n) -> Some (string_of_int n)
-  | Some (AString s) -> Some (argstruct ^ s)
-
-(** For a parameter, get its size expression. *)
-let get_param_size (ptype, decl, argstruct) =
-  let type_expr = get_type_expr ptype in
-  let get_ptr_or_decl_size (p : ptr_size) =
-    let size = attr_value_to_string argstruct p.ps_size
-    and count = attr_value_to_string argstruct p.ps_count in
-    match (size, count) with
-    | Some s, None -> s
-    | None, Some c -> sprintf "(%s * sizeof(%s))" c type_expr
-    (* TODO: Check that this is an even multiple of the size of type. *)
-    | Some s, Some c -> sprintf "(%s * %s)" s c
-    | None, None ->
-        sprintf "sizeof(%s%s)" type_expr (get_array_dims decl.array_dims)
-  in
-  match ptype with
-  | PTPtr (_, ptr_attr) ->
-      if ptr_attr.pa_isstr then
-        Some (argstruct ^ decl.identifier ^ "_len * sizeof(char)")
-      else if ptr_attr.pa_iswstr then
-        Some (argstruct ^ decl.identifier ^ "_len * sizeof(wchar_t)")
-      else if ptr_attr.pa_chkptr then
-        Some (get_ptr_or_decl_size ptr_attr.pa_size)
-      else None
-  (* Values have no marshalling size. *)
-  | _ -> None
-
-let oe_get_param_size (ptype, decl, argstruct) =
-  match get_param_size (ptype, decl, argstruct) with
-  | Some size -> size
-  | None -> Intel.Util.failwithf "Error: No size for " ^ decl.identifier
-
-(** For a parameter, get its count expression. *)
-let get_param_count (ptype, decl, argstruct) =
-  let type_expr = get_type_expr ptype in
-  let get_ptr_or_decl_count (p : ptr_size) =
-    let size = attr_value_to_string argstruct p.ps_size
-    and count = attr_value_to_string argstruct p.ps_count in
-    match (size, count) with
-    (* TODO: Check that these are even multiples of the size of type. *)
-    | Some s, None -> sprintf "(%s / sizeof(%s))" s type_expr
-    | None, Some c -> c
-    | Some s, Some c -> sprintf "((%s * %s) / sizeof(%s))" s c type_expr
-    | None, None ->
-        let dims = List.map string_of_int decl.array_dims in
-        String.concat " * " dims
-  in
-  match ptype with
-  | PTPtr (_, ptr_attr) ->
-      (* The count of a string is its length. *)
-      if ptr_attr.pa_isstr || ptr_attr.pa_iswstr then
-        (* TODO: Double-check that this length includes the
-           null-terminator. *)
-        Some (argstruct ^ decl.identifier ^ "_len")
-      else if ptr_attr.pa_chkptr then
-        Some (get_ptr_or_decl_count ptr_attr.pa_size)
-        (* TODO: Should be able to return [Some "1"] for plain
-           pointers and values. *)
-      else None
-  | PTVal _ -> None
-
-let oe_get_param_count (ptype, decl, argstruct) =
-  match get_param_count (ptype, decl, argstruct) with
-  | Some count -> count
-  | None -> Intel.Util.failwithf "Error: No count for " ^ decl.identifier
+open Common
 
 (** Generate the prototype for a given function. *)
 let oe_gen_prototype (fd : func_decl) =

From 563b5b711431efb1a6f18cf2912c261977faa9ee Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Sat, 23 Nov 2019 00:40:53 +0000
Subject: [PATCH 334/420] Refactor Emitter into multiple files

This moves all the header file generation to `Headers.ml` and the source
file generation to `Sources.ml`, with common code moved to `Common.ml`.

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/src/Common.ml  |   23 +
 tools/oeedger8r/src/Emitter.ml | 1154 +-------------------------------
 tools/oeedger8r/src/Headers.ml |  279 ++++++++
 tools/oeedger8r/src/Sources.ml |  874 ++++++++++++++++++++++++
 4 files changed, 1185 insertions(+), 1145 deletions(-)
 create mode 100644 tools/oeedger8r/src/Headers.ml
 create mode 100644 tools/oeedger8r/src/Sources.ml

diff --git a/tools/oeedger8r/src/Common.ml b/tools/oeedger8r/src/Common.ml
index e1a735b92e..606d0c9788 100644
--- a/tools/oeedger8r/src/Common.ml
+++ b/tools/oeedger8r/src/Common.ml
@@ -225,3 +225,26 @@ let oe_get_param_count (ptype, decl, argstruct) =
   match get_param_count (ptype, decl, argstruct) with
   | Some count -> count
   | None -> Intel.Util.failwithf "Error: No count for " ^ decl.identifier
+
+(** Generate the wrapper prototype for a given function. Optionally
+    add an [oe_enclave_t*] first parameter. *)
+let oe_gen_wrapper_prototype (fd : func_decl) (is_ecall : bool) =
+  let plist_str =
+    let args =
+      [
+        (if is_ecall then [ "oe_enclave_t* enclave" ] else []);
+        ( match fd.rtype with
+        | Void -> []
+        | _ -> [ get_tystr fd.rtype ^ "* _retval" ] );
+        List.map gen_parm_str fd.plist;
+      ]
+      |> List.flatten
+    in
+    match args with
+    | [ arg ] -> arg
+    | _ -> "\n    " ^ String.concat ",\n    " args
+  in
+  sprintf "oe_result_t %s(%s)" fd.fname plist_str
+
+let get_function_id (ec : enclave_content) (f : func_decl) =
+  ec.enclave_name ^ "_fcn_id_" ^ f.fname
diff --git a/tools/oeedger8r/src/Emitter.ml b/tools/oeedger8r/src/Emitter.ml
index 43f8f05d03..613a6e3517 100644
--- a/tools/oeedger8r/src/Emitter.ml
+++ b/tools/oeedger8r/src/Emitter.ml
@@ -9,147 +9,6 @@ open Intel.Ast
 open Printf
 open Common
 
-(** Generate the prototype for a given function. *)
-let oe_gen_prototype (fd : func_decl) =
-  let plist_str =
-    let args = List.map gen_parm_str fd.plist in
-    match args with
-    | [] -> "void"
-    | [ arg ] -> arg
-    | _ -> "\n    " ^ String.concat ",\n    " args
-  in
-  sprintf "%s %s(%s)" (get_tystr fd.rtype) fd.fname plist_str
-
-(** Generate the wrapper prototype for a given function. Optionally
-    add an [oe_enclave_t*] first parameter. *)
-let oe_gen_wrapper_prototype (fd : func_decl) (is_ecall : bool) =
-  let plist_str =
-    let args =
-      [
-        (if is_ecall then [ "oe_enclave_t* enclave" ] else []);
-        ( match fd.rtype with
-        | Void -> []
-        | _ -> [ get_tystr fd.rtype ^ "* _retval" ] );
-        List.map gen_parm_str fd.plist;
-      ]
-      |> List.flatten
-    in
-    match args with
-    | [ arg ] -> arg
-    | _ -> "\n    " ^ String.concat ",\n    " args
-  in
-  sprintf "oe_result_t %s(%s)" fd.fname plist_str
-
-(** Emit [struct], [union], or [enum]. *)
-let emit_composite_type =
-  let emit_struct (s : struct_def) =
-    [
-      "typedef struct " ^ s.sname;
-      "{";
-      String.concat "\n"
-        (List.map
-           (fun (ptype, decl) ->
-             sprintf "    %s %s%s;"
-               (get_tystr (get_param_atype ptype))
-               decl.identifier
-               (get_array_dims decl.array_dims))
-           s.smlist);
-      "} " ^ s.sname ^ ";";
-      "";
-    ]
-  in
-  let emit_union (u : union_def) =
-    [
-      "typedef union " ^ u.uname;
-      "{";
-      String.concat "\n"
-        (List.map
-           (fun (atype, decl) ->
-             sprintf "    %s %s%s;" (get_tystr atype) decl.identifier
-               (get_array_dims decl.array_dims))
-           u.umlist);
-      "} " ^ u.uname ^ ";";
-      "";
-    ]
-  in
-  let emit_enum (e : enum_def) =
-    [
-      "typedef enum " ^ e.enname;
-      "{";
-      String.concat ",\n"
-        (List.map
-           (fun (name, value) ->
-             sprintf "    %s%s" name
-               ( match value with
-               | EnumVal (AString s) -> " = " ^ s
-               | EnumVal (ANumber n) -> " = " ^ string_of_int n
-               | EnumValNone -> "" ))
-           e.enbody);
-      "} " ^ e.enname ^ ";";
-      "";
-    ]
-  in
-  function
-  | StructDef s -> emit_struct s
-  | UnionDef u -> emit_union u
-  | EnumDef e -> emit_enum e
-
-(** Generate a cast expression for a pointer argument. Pointer
-    arguments need to be cast to their root type, since the marshalling
-    struct has the root pointer. For example:
-    {[
-      int a[10][20]
-    ]}
-    needs to be cast to [int *].
-
-    NOTE: Foreign arrays are marshalled as [void *], but foreign pointers
-    are marshalled as-is. *)
-let get_cast_to_mem_expr (ptype, decl) (parens : bool) =
-  match ptype with
-  | PTVal _ -> ""
-  | PTPtr (t, _) ->
-      let tystr = get_tystr t in
-      if is_array decl then
-        let s = tystr ^ "*" in
-        if parens then sprintf "(%s)" s else s
-      else if is_foreign_array ptype then
-        let s = if parens then "(void*)" else "void*" in
-        sprintf "/* foreign array of type %s */ %s" tystr s
-      else if parens then sprintf "(%s)" tystr
-      else tystr
-
-(** Generate a cast expression to a specific pointer type. For example,
-    [int*] needs to be cast to
-    {[
-      *(int ( * )[5][6])
-    ]}. *)
-let get_cast_from_mem_expr (ptype, decl) =
-  match ptype with
-  | PTVal _ -> ""
-  | PTPtr (t, attr) ->
-      if is_array decl then
-        sprintf "*(%s(*)%s)" (get_tystr t) (get_array_dims decl.array_dims)
-      else if is_foreign_array ptype then
-        sprintf "/* foreign array */ *(%s*)" (get_tystr t)
-      else if attr.pa_rdonly then
-        (* for ptrs, only constness is removed; add it back *)
-        sprintf "(const %s)" (get_tystr t)
-      else ""
-
-let oe_gen_call_user_function (fd : func_decl) =
-  [
-    "/* Call user function. */";
-    (match fd.rtype with Void -> "" | _ -> "pargs_out->_retval = ")
-    ^ fd.fname ^ "(";
-    String.concat ",\n    "
-      (List.map
-         (fun (ptype, decl) ->
-           let cast_expr = get_cast_from_mem_expr (ptype, decl) in
-           sprintf "    %spargs_in->%s" cast_expr decl.identifier)
-         fd.plist)
-    ^ ");";
-  ]
-
 let warn_non_portable_types (fd : func_decl) =
   (* Check if any of the parameters or the return type has the given
      root type. *)
@@ -295,1016 +154,21 @@ let gen_enclave_code (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
       warn_size_and_count_params f)
     funcs;
   (* End EDL validation. *)
-  (* Given [name], return the corresponding [StructDef], or [None]. *)
-  let get_struct_by_name name =
-    (* [ec.comp_defs] is a list of all composite types, but we're only
-       interested in the structs, so we filter out the rest and unwrap
-       them from [composite_type]. *)
-    let structs =
-      filter_map (function StructDef s -> Some s | _ -> None) ec.comp_defs
-    in
-    List.find_opt (fun s -> s.sname = name) structs
-  in
-  (* We need to check [Ptr]s for [Foreign] or [Struct] types, then
-     check those against the user's [Struct]s, and then check if any
-     members should be deep copied. What we return is the list of
-     members of the [Struct] which should be deep-copied, otherwise we
-     return an empty list. *)
-  let get_deepcopy_members (a : atype) =
-    let should_deepcopy_a = function
-      | Ptr (Struct n) | Ptr (Foreign n) -> get_struct_by_name n
-      | _ -> None
-    in
-    (* Only enabled with --experimental! *)
-    if ep.experimental then
-      match should_deepcopy_a a with
-      | Some s -> List.filter (fun (p, _) -> is_marshalled_ptr p) s.smlist
-      | None -> []
-    else []
-  in
-  let get_function_id (f : func_decl) =
-    ec.enclave_name ^ "_fcn_id_" ^ f.fname
-  in
-  (* Emit IDs in enum for trusted functions. *)
-  let emit_trusted_function_ids =
-    [
-      "enum";
-      "{";
-      String.concat "\n"
-        (List.mapi
-           (fun i f -> sprintf "    %s = %d," (get_function_id f.tf_fdecl) i)
-           tfs);
-      "    " ^ ec.enclave_name ^ "_fcn_id_trusted_call_id_max = OE_ENUM_MAX";
-      "};";
-    ]
-  in
-  (* Emit IDs in enum for untrusted functions. *)
-  let emit_untrusted_function_ids =
-    [
-      "enum";
-      "{";
-      String.concat "\n"
-        (List.mapi
-           (fun i f -> sprintf "    %s = %d," (get_function_id f.uf_fdecl) i)
-           ufs);
-      "    " ^ ec.enclave_name ^ "_fcn_id_untrusted_call_max = OE_ENUM_MAX";
-      "};";
-    ]
-  in
-  (* Generate [args.h] which contains [struct]s for ecalls and ocalls *)
-  let oe_gen_args_header =
-    let oe_gen_marshal_struct (fd : func_decl) (errno : bool) =
-      let gen_member_decl (ptype, decl) =
-        let aty = get_param_atype ptype in
-        let tystr = get_tystr aty in
-        let tystr =
-          if is_foreign_array ptype then
-            sprintf "/* foreign array of type %s */ void*" tystr
-          else tystr
-        in
-        let need_strlen =
-          is_str_or_wstr_ptr (ptype, decl) && is_in_or_inout_ptr (ptype, decl)
-        in
-        let id = decl.identifier in
-        [
-          [ tystr ^ " " ^ id ^ ";" ];
-          (if need_strlen then [ sprintf "size_t %s_len;" id ] else []);
-        ]
-        |> List.flatten
-      in
-      let struct_name = fd.fname ^ "_args_t" in
-      let retval_decl = { identifier = "_retval"; array_dims = [] } in
-      let members =
-        [
-          [ "oe_result_t _result;" ];
-          ( if fd.rtype = Void then []
-          else gen_member_decl (PTVal fd.rtype, retval_decl) );
-          (if errno then [ "int _ocall_errno;" ] else []);
-          flatten_map gen_member_decl (List.map conv_array_to_ptr fd.plist);
-        ]
-        |> List.flatten
-      in
-      [
-        "typedef struct _" ^ struct_name;
-        "{";
-        "    " ^ String.concat "\n    " members;
-        "} " ^ struct_name ^ ";";
-        "";
-      ]
-    in
-    let oe_gen_user_includes (includes : string list) =
-      if includes <> [] then List.map (sprintf "#include \"%s\"") includes
-      else [ "/* There were no user includes. */" ]
-    in
-    let oe_gen_user_types (cts : composite_type list) =
-      if cts <> [] then flatten_map emit_composite_type cts
-      else [ "/* There were no user defined types. */"; "" ]
-    in
-    let oe_gen_ecall_marshal_structs =
-      if tfs <> [] then
-        flatten_map (fun tf -> oe_gen_marshal_struct tf.tf_fdecl false) tfs
-      else [ "/* There were no ecalls. */"; "" ]
-    in
-    let oe_gen_ocall_marshal_structs =
-      if ufs <> [] then
-        flatten_map
-          (fun uf -> oe_gen_marshal_struct uf.uf_fdecl uf.uf_propagate_errno)
-          ufs
-      else [ "/* There were no ocalls. */"; "" ]
-    in
-    let with_errno = List.exists (fun uf -> uf.uf_propagate_errno) ufs in
-    let guard_macro =
-      "EDGER8R_" ^ String.uppercase_ascii ec.enclave_name ^ "_ARGS_H"
-    in
-    [
-      "#ifndef " ^ guard_macro;
-      "#define " ^ guard_macro;
-      "";
-      "#include <stdint.h>";
-      "#include <stdlib.h> /* for wchar_t */";
-      "";
-      (let s = "#include <errno.h>" in
-       if with_errno then s
-       else
-         sprintf "/* %s - Errno propagation not enabled so not included. */" s);
-      "";
-      "#include <openenclave/bits/result.h>";
-      "";
-      "/**** User includes. ****/";
-      String.concat "\n" (oe_gen_user_includes ec.include_list);
-      "";
-      "/**** User defined types in EDL. ****/";
-      String.concat "\n" (oe_gen_user_types ec.comp_defs);
-      "/**** ECALL marshalling structs. ****/";
-      String.concat "\n" oe_gen_ecall_marshal_structs;
-      "/**** OCALL marshalling structs. ****/";
-      String.concat "\n" oe_gen_ocall_marshal_structs;
-      "/**** Trusted function IDs ****/";
-      String.concat "\n" emit_trusted_function_ids;
-      "";
-      "/**** Untrusted function IDs. ****/";
-      String.concat "\n" emit_untrusted_function_ids;
-      "";
-      "#endif // " ^ guard_macro;
-      "";
-    ]
-  in
-  (* Prepare [input_buffer]. *)
-  let oe_prepare_input_buffer (fd : func_decl) (alloc_func : string) =
-    let oe_compute_buffer_size buffer predicate plist =
-      let rec gen_add_size args count (ptype, decl) =
-        let argstruct = oe_get_argstruct "_args." args count in
-        let size = oe_get_param_size (ptype, decl, argstruct) in
-        let arg =
-          match args with
-          | [] -> decl.identifier
-          | hd :: _ ->
-              hd ^ gen_c_deref (List.length args) count ^ decl.identifier
-        in
-        gen_c_for (List.length args) count
-          ( [
-              [
-                sprintf "if (%s)" (String.concat " && " (List.rev (arg :: args)));
-              ];
-              [ sprintf "    OE_ADD_SIZE(%s, %s);" buffer size ];
-              (let param_count = oe_get_param_count (ptype, decl, argstruct) in
-               flatten_map
-                 (gen_add_size (arg :: args) param_count)
-                 (get_deepcopy_members (get_param_atype ptype)));
-            ]
-          |> List.flatten )
-      in
-      let params =
-        flatten_map (gen_add_size [] "1") (List.filter predicate plist)
-      in
-      (* Note that the indentation for the first line is applied by the
-         parent function. *)
-      if params <> [] then String.concat "\n    " params
-      else "/* There were no corresponding parameters. */"
-    in
-    let oe_compute_input_buffer_size =
-      oe_compute_buffer_size "_input_buffer_size" is_in_or_inout_ptr
-    in
-    let oe_compute_output_buffer_size =
-      oe_compute_buffer_size "_output_buffer_size" is_out_or_inout_ptr
-    in
-    let oe_serialize_buffer_inputs (plist : pdecl list) =
-      let rec gen_serialize args count (ptype, decl) =
-        let argstruct = oe_get_argstruct "_args." args count in
-        let size = oe_get_param_size (ptype, decl, argstruct) in
-        let arg =
-          match args with
-          | [] -> decl.identifier
-          | hd :: _ ->
-              hd ^ gen_c_deref (List.length args) count ^ decl.identifier
-        in
-        let tystr = get_cast_to_mem_expr (ptype, decl) false in
-        (* These need to be in order and so done together. *)
-        gen_c_for (List.length args) count
-          ( [
-              (* NOTE: This makes the embedded check in the `OE_` macro superfluous. *)
-              [
-                sprintf "if (%s)"
-                  (String.concat " && " (List.rev (arg :: args)));
-              ];
-              [
-                (* NOTE: The [WRITE_IN_OUT] macro is defined to be the
-                   [WRITE_IN] macro. *)
-                sprintf "    OE_WRITE_%s_PARAM(%s, %s, %s);"
-                  (if is_in_ptr ptype then "IN" else "IN_OUT")
-                  arg size tystr;
-              ];
-              (let param_count = oe_get_param_count (ptype, decl, argstruct) in
-               flatten_map
-                 (gen_serialize (arg :: args) param_count)
-                 (get_deepcopy_members (get_param_atype ptype)));
-            ]
-          |> List.flatten )
-      in
-      let params =
-        flatten_map (gen_serialize [] "1")
-          (List.filter is_in_or_inout_ptr plist)
-      in
-      (* Note that the indentation for the first line is applied by the
-         parent function. *)
-      if params <> [] then String.concat "\n    " params
-      else "/* There were no in nor in-out parameters. */"
-    in
-    [
-      "/* Compute input buffer size. Include in and in-out parameters. */";
-      sprintf "OE_ADD_SIZE(_input_buffer_size, sizeof(%s_args_t));" fd.fname;
-      oe_compute_input_buffer_size fd.plist;
-      "";
-      "/* Compute output buffer size. Include out and in-out parameters. */";
-      sprintf "OE_ADD_SIZE(_output_buffer_size, sizeof(%s_args_t));" fd.fname;
-      oe_compute_output_buffer_size fd.plist;
-      "";
-      "/* Allocate marshalling buffer. */";
-      "_total_buffer_size = _input_buffer_size;";
-      "OE_ADD_SIZE(_total_buffer_size, _output_buffer_size);";
-      sprintf "_buffer = (uint8_t*)%s(_total_buffer_size);" alloc_func;
-      "_input_buffer = _buffer;";
-      "_output_buffer = _buffer + _input_buffer_size;";
-      "if (_buffer == NULL)";
-      "{";
-      "    _result = OE_OUT_OF_MEMORY;";
-      "    goto done;";
-      "}";
-      "";
-      "/* Serialize buffer inputs (in and in-out parameters). */";
-      sprintf "_pargs_in = (%s_args_t*)_input_buffer;" fd.fname;
-      "OE_ADD_SIZE(_input_buffer_offset, sizeof(*_pargs_in));";
-      oe_serialize_buffer_inputs fd.plist;
-      "";
-      "/* Copy args structure (now filled) to input buffer. */";
-      "memcpy(_pargs_in, &_args, sizeof(*_pargs_in));";
-    ]
-  in
-  let gen_times count body =
-    (* The first two conditionals check for the multiplicative identity
-       and prevent unnecessary expressions from being generated.
-       Otherwise we multiply the sum of [body] by [count]. *)
-    if count = "1" || body = [] then body
-    else if List.length body = 1 && List.hd body = "1" then [ count ]
-    else [ count ^ " * (" ^ String.concat " + " body ^ ")" ]
-  in
-  let rec gen_ptr_count args count (ptype, decl) =
-    let id = decl.identifier in
-    (* TODO: The use of [gen_c_deref] does not work here as we are not
-       within a [gen_c_for] loop when producing the count. Therefore
-       arrays of structs which use members for the count of another
-       nested parameter are not yet supported. *)
-    let argstruct = oe_get_argstruct "" args count in
-    let arg =
-      match args with
-      | [] -> id
-      | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ id
-    in
-    let param_count = oe_get_param_count (ptype, decl, argstruct) in
-    let members = get_deepcopy_members (get_param_atype ptype) in
-    if is_marshalled_ptr ptype then
-      (* The base case is a marshalled pointer. We count 1 for every
-         one of these, except for the top-level pointers as they are
-         the original function arguments, and so do not need to be
-         saved/restored.
-
-         For a marshalled pointer, we then need to recurse. If there
-         are no members to recurse on, then [members] is the empty
-         list and the recursion is a no-op, leaving us back at the
-         base case of counting 1. If there are members to recurse on,
-         then we count 1 plus the current [param_count] times the
-         number of members for each nested structure. *)
-      (if args <> [] then [ "1" ] else [])
-      @ gen_times param_count
-          (flatten_map (gen_ptr_count (arg :: args) param_count) members)
-    else []
-  in
-  let gen_ptr_array (plist : pdecl list) =
-    let count =
-      flatten_map (gen_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
-    in
-    if count <> [] then
-      (* TODO: Switch to malloc() to handle variable lengths. *)
-      [
-        "size_t _ptrs_index = 0;";
-        sprintf "void** _ptrs = malloc(sizeof(void*) * (%s));"
-          (String.concat " + " count);
-        "if (_ptrs == NULL)";
-        "{";
-        "    _result = OE_OUT_OF_MEMORY;";
-        "    goto done;";
-        "}";
-      ]
-    else [ "/* No pointers to save for deep copy. */" ]
-  in
-  let gen_reset_ptr_index (plist : pdecl list) =
-    let count =
-      flatten_map (gen_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
-    in
-    if count <> [] then "_ptrs_index = 0; /* For deep copy. */"
-    else "/* No pointers to restore for deep copy. */"
-  in
-  let gen_free_ptrs (plist : pdecl list) =
-    let count =
-      flatten_map (gen_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
-    in
-    if count <> [] then [ "if (_ptrs)"; "    free(_ptrs);" ]
-    else [ "/* No `_ptrs` to free for deep copy. */" ]
-  in
-  let oe_process_output_buffer (fd : func_decl) =
-    let oe_serialize_buffer_outputs (plist : pdecl list) =
-      let rec gen_serialize args count (ptype, decl) =
-        let argstruct = oe_get_argstruct "_args." args count in
-        let size = oe_get_param_size (ptype, decl, argstruct) in
-        let arg =
-          match args with
-          | [] -> decl.identifier
-          | hd :: _ ->
-              hd ^ gen_c_deref (List.length args) count ^ decl.identifier
-        in
-        gen_c_for (List.length args) count
-          ( [
-              ( if is_str_or_wstr_ptr (ptype, decl) then
-                [
-                  sprintf
-                    "OE_CHECK_NULL_TERMINATOR%s(_output_buffer + \
-                     _output_buffer_offset, _args.%s_len);"
-                    (if is_wstr_ptr ptype then "_WIDE" else "")
-                    arg;
-                ]
-              else [] );
-              (let s =
-                 sprintf "OE_READ_%s_PARAM(%s, (size_t)(%s));"
-                   (if is_out_ptr ptype then "OUT" else "IN_OUT")
-                   arg size
-               in
-               match args with
-               | [] -> [ s ]
-               | _ ->
-                   let tystr = get_cast_to_mem_expr (ptype, decl) true in
-                   [
-                     sprintf "if (%s)" (String.concat " && " (List.rev args));
-                     "{";
-                     "    /* Restore original pointer. */";
-                     sprintf "    %s = %s_ptrs[_ptrs_index++];" arg tystr;
-                     "    " ^ s;
-                     "}";
-                   ]);
-              (let param_count = oe_get_param_count (ptype, decl, argstruct) in
-               flatten_map
-                 (gen_serialize (arg :: args) param_count)
-                 (get_deepcopy_members (get_param_atype ptype)));
-            ]
-          |> List.flatten )
-      in
-      let params =
-        flatten_map (gen_serialize [] "1")
-          (List.filter is_out_or_inout_ptr plist)
-      in
-      if params <> [] then String.concat "\n    " params
-      else "/* There were no out nor in-out parameters. */"
-    in
-    [
-      (* Verify that the ecall succeeded *)
-      "/* Setup output arg struct pointer. */";
-      sprintf "_pargs_out = (%s_args_t*)_output_buffer;" fd.fname;
-      "OE_ADD_SIZE(_output_buffer_offset, sizeof(*_pargs_out));";
-      "";
-      "/* Check if the call succeeded. */";
-      "if ((_result = _pargs_out->_result) != OE_OK)";
-      "    goto done;";
-      "";
-      "/* Currently exactly _output_buffer_size bytes must be written. */";
-      "if (_output_bytes_written != _output_buffer_size)";
-      "{";
-      "    _result = OE_FAILURE;";
-      "    goto done;";
-      "}";
-      "";
-      "/* Unmarshal return value and out, in-out parameters. */";
-      ( if fd.rtype <> Void then "*_retval = _pargs_out->_retval;"
-      else "/* No return value. */" );
-      gen_reset_ptr_index fd.plist;
-      oe_serialize_buffer_outputs fd.plist;
-    ]
-  in
-  let rec oe_gen_set_pointers args count setter (ptype, decl) =
-    let argstruct = oe_get_argstruct "pargs_in->" args count in
-    let size = oe_get_param_size (ptype, decl, argstruct) in
-    let arg =
-      match args with
-      | [] -> decl.identifier
-      | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ decl.identifier
-    in
-    let tystr = get_cast_to_mem_expr (ptype, decl) false in
-    gen_c_for (List.length args) count
-      ( [
-          (* NOTE: This makes the embedded check in the `OE_` macro superfluous. *)
-          [
-            sprintf "if (pargs_in->%s)"
-              (String.concat " && pargs_in->" (List.rev (arg :: args)));
-          ];
-          [ sprintf "    OE_%s_POINTER(%s, %s, %s);" setter arg size tystr ];
-          (let param_count = oe_get_param_count (ptype, decl, argstruct) in
-           flatten_map
-             (oe_gen_set_pointers (arg :: args) param_count setter)
-             (get_deepcopy_members (get_param_atype ptype)));
-        ]
-      |> List.flatten )
-  in
-  let oe_gen_in_and_inout_setters (plist : pdecl list) =
-    let params =
-      let ptrs = List.filter is_in_or_inout_ptr plist in
-      let setters =
-        List.map
-          (fun (p, _) -> if is_in_ptr p then "SET_IN" else "SET_IN_OUT")
-          ptrs
-      in
-      flatten_map2 (oe_gen_set_pointers [] "1") setters ptrs
-    in
-    "    "
-    ^ String.concat "\n    "
-        [
-          "/* Set in and in-out pointers. */";
-          ( if params <> [] then String.concat "\n    " params
-          else "/* There were no in nor in-out parameters. */" );
-        ]
-  in
-  let oe_gen_out_and_inout_setters (plist : pdecl list) =
-    let params =
-      let ptrs = List.filter is_out_or_inout_ptr plist in
-      let setters =
-        List.map
-          (fun (p, _) ->
-            if is_out_ptr p then "SET_OUT" else "COPY_AND_SET_IN_OUT")
-          ptrs
-      in
-      flatten_map2 (oe_gen_set_pointers [] "1") setters ptrs
-    in
-    "    "
-    ^ String.concat "\n    "
-        [
-          "/* Set out and in-out pointers. */";
-          "/* In-out parameters are copied to output buffer. */";
-          ( if params <> [] then String.concat "\n    " params
-          else "/* There were no out nor in-out parameters. */" );
-        ]
-  in
-  (* Generate ecall function. *)
-  let oe_gen_ecall_function (tf : trusted_func) =
-    let fd = tf.tf_fdecl in
-    [
-      sprintf "void ecall_%s(" fd.fname;
-      "    uint8_t* input_buffer,";
-      "    size_t input_buffer_size,";
-      "    uint8_t* output_buffer,";
-      "    size_t output_buffer_size,";
-      "    size_t* output_bytes_written)";
-      "{";
-      (* Variable declarations *)
-      "    oe_result_t _result = OE_FAILURE;";
-      "";
-      "    /* Prepare parameters. */";
-      sprintf "    %s_args_t* pargs_in = (%s_args_t*)input_buffer;" fd.fname
-        fd.fname;
-      sprintf "    %s_args_t* pargs_out = (%s_args_t*)output_buffer;" fd.fname
-        fd.fname;
-      "";
-      "    size_t input_buffer_offset = 0;";
-      "    size_t output_buffer_offset = 0;";
-      "    OE_ADD_SIZE(input_buffer_offset, sizeof(*pargs_in));";
-      "    OE_ADD_SIZE(output_buffer_offset, sizeof(*pargs_out));";
-      "";
-      (* Buffer validation *)
-      "    /* Make sure input and output buffers lie within the enclave. */";
-      "    if (!input_buffer || !oe_is_within_enclave(input_buffer, \
-       input_buffer_size))";
-      "        goto done;";
-      "";
-      "    if (!output_buffer || !oe_is_within_enclave(output_buffer, \
-       output_buffer_size))";
-      "        goto done;";
-      "";
-      (* Prepare in and in-out parameters *)
-      oe_gen_in_and_inout_setters fd.plist;
-      "";
-      (* Prepare out and in-out parameters. The in-out parameter is
-         copied to output buffer. *)
-      oe_gen_out_and_inout_setters fd.plist;
-      "";
-      "    /* Check that in/in-out strings are null terminated. */"
-      (* NOTE: We do not support deep copy for strings, so there is not
-         (yet) anything to do here. *);
-      (let params =
-         List.map
-           (fun (ptype, decl) ->
-             sprintf
-               "    OE_CHECK_NULL_TERMINATOR%s(pargs_in->%s, pargs_in->%s_len);"
-               (if is_wstr_ptr ptype then "_WIDE" else "")
-               decl.identifier decl.identifier)
-           (List.filter
-              (fun p -> is_str_or_wstr_ptr p && is_in_or_inout_ptr p)
-              fd.plist)
-       in
-       if params <> [] then String.concat "\n" params
-       else "    /* There were no in nor in-out string parameters. */");
-      "";
-      "    /* lfence after checks. */";
-      "    oe_lfence();";
-      "";
-      (* Call the enclave function *)
-      "    " ^ String.concat "\n    " (oe_gen_call_user_function fd);
-      "";
-      (* Mark call as success *)
-      "    /* Success. */";
-      "    _result = OE_OK;";
-      "    *output_bytes_written = output_buffer_offset;";
-      "";
-      "done:";
-      "    if (pargs_out && output_buffer_size >= sizeof(*pargs_out))";
-      "        pargs_out->_result = _result;";
-      "}";
-      "";
-    ]
-  in
-  let gen_fill_marshal_struct (fd : func_decl) =
-    (* Generate assignment argument to corresponding field in args. This
-       is necessary for all arguments, not just copy-as-value, because
-       they are used directly by later marshalling code. *)
-    let gen_assignment (ptype, decl) =
-      let arg = decl.identifier in
-      [
-        [
-          sprintf "_args.%s = %s%s;" arg
-            (get_cast_to_mem_expr (ptype, decl) true)
-            arg;
-        ];
-        (* for string parameter fill the len field *)
-        ( if is_str_ptr ptype then
-          [ sprintf "_args.%s_len = (%s) ? (strlen(%s) + 1) : 0;" arg arg arg ]
-        else if is_wstr_ptr ptype then
-          [ sprintf "_args.%s_len = (%s) ? (wcslen(%s) + 1) : 0;" arg arg arg ]
-        else [] );
-      ]
-      |> List.flatten
-    in
-    flatten_map gen_assignment fd.plist
-    @
-    let rec gen_save_ptrs args count (ptype, decl) =
-      let id = decl.identifier in
-      let argstruct = oe_get_argstruct "_args." args count in
-      let arg =
-        match args with
-        | [] -> id
-        | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ id
-      in
-      gen_c_for (List.length args) count
-        ( [
-            ( if args <> [] then
-              [ sprintf "if (%s)" (String.concat " && " (List.rev args)) ]
-            else [] );
-            ( if args <> [] && is_marshalled_ptr ptype then
-              [ "    _ptrs[_ptrs_index++] = (void*)" ^ arg ^ ";" ]
-            else [] );
-            (let param_count = oe_get_param_count (ptype, decl, argstruct) in
-             flatten_map
-               (gen_save_ptrs (arg :: args) param_count)
-               (get_deepcopy_members (get_param_atype ptype)));
-          ]
-        |> List.flatten )
-    in
-    flatten_map (gen_save_ptrs [] "1")
-      (List.filter is_out_or_inout_ptr fd.plist)
-  in
-  (* Generate host ECALL wrapper function. *)
-  let oe_gen_host_ecall_wrapper (tf : trusted_func) =
-    let fd = tf.tf_fdecl in
-    let oe_ecall_function =
-      if tf.tf_is_switchless then "oe_switchless_call_enclave_function"
-      else "oe_call_enclave_function"
-    in
-    [
-      oe_gen_wrapper_prototype fd true;
-      "{";
-      "    oe_result_t _result = OE_FAILURE;";
-      "";
-      "    /* Marshalling struct. */";
-      sprintf "    %s_args_t _args, *_pargs_in = NULL, *_pargs_out = NULL;"
-        fd.fname;
-      "";
-      "    /* Marshalling buffer and sizes. */";
-      "    size_t _input_buffer_size = 0;";
-      "    size_t _output_buffer_size = 0;";
-      "    size_t _total_buffer_size = 0;";
-      "    uint8_t* _buffer = NULL;";
-      "    uint8_t* _input_buffer = NULL;";
-      "    uint8_t* _output_buffer = NULL;";
-      "    size_t _input_buffer_offset = 0;";
-      "    size_t _output_buffer_offset = 0;";
-      "    size_t _output_bytes_written = 0;";
-      "";
-      "    /* Deep copy buffer. */";
-      "    " ^ String.concat "\n    " (gen_ptr_array fd.plist);
-      "";
-      "    /* Fill marshalling struct. */";
-      "    memset(&_args, 0, sizeof(_args));";
-      "    " ^ String.concat "\n    " (gen_fill_marshal_struct fd);
-      "";
-      "    " ^ String.concat "\n    " (oe_prepare_input_buffer fd "malloc");
-      "";
-      "    /* Call enclave function. */";
-      "    if ((_result = " ^ oe_ecall_function ^ "(";
-      "             "
-      ^ String.concat ",\n             "
-          [
-            "enclave";
-            get_function_id fd;
-            "_input_buffer";
-            "_input_buffer_size";
-            "_output_buffer";
-            "_output_buffer_size";
-            "&_output_bytes_written)) != OE_OK)";
-          ];
-      "        goto done;";
-      "";
-      "    " ^ String.concat "\n    " (oe_process_output_buffer fd);
-      "";
-      "    _result = OE_OK;";
-      "";
-      "done:";
-      "    if (_buffer)";
-      "        free(_buffer);";
-      "";
-      "    " ^ String.concat "\n    " (gen_free_ptrs fd.plist);
-      "";
-      "    return _result;";
-      "}";
-      "";
-    ]
-  in
-  (* Generate enclave OCALL wrapper function. *)
-  let oe_gen_enclave_ocall_wrapper (uf : untrusted_func) =
-    let fd = uf.uf_fdecl in
-    let allocate_buffer, call_function, free_buffer =
-      if uf.uf_is_switchless then
-        ( "oe_allocate_switchless_ocall_buffer",
-          "oe_switchless_call_host_function",
-          "oe_free_switchless_ocall_buffer" )
-      else
-        ( "oe_allocate_ocall_buffer",
-          "oe_call_host_function",
-          "oe_free_ocall_buffer" )
-    in
-    [
-      oe_gen_wrapper_prototype fd false;
-      "{";
-      "    oe_result_t _result = OE_FAILURE;";
-      "";
-      "    /* If the enclave is in crashing/crashed status, new OCALL should \
-       fail";
-      "       immediately. */";
-      "    if (oe_get_enclave_status() != OE_OK)";
-      "        return oe_get_enclave_status();";
-      "";
-      "    /* Marshalling struct. */";
-      sprintf "    %s_args_t _args, *_pargs_in = NULL, *_pargs_out = NULL;"
-        fd.fname;
-      "    " ^ String.concat "\n    " (gen_ptr_array fd.plist);
-      "";
-      "    /* Marshalling buffer and sizes. */";
-      "    size_t _input_buffer_size = 0;";
-      "    size_t _output_buffer_size = 0;";
-      "    size_t _total_buffer_size = 0;";
-      "    uint8_t* _buffer = NULL;";
-      "    uint8_t* _input_buffer = NULL;";
-      "    uint8_t* _output_buffer = NULL;";
-      "    size_t _input_buffer_offset = 0;";
-      "    size_t _output_buffer_offset = 0;";
-      "    size_t _output_bytes_written = 0;";
-      "";
-      "    /* Fill marshalling struct. */";
-      "    memset(&_args, 0, sizeof(_args));";
-      "    " ^ String.concat "\n    " (gen_fill_marshal_struct fd);
-      "";
-      "    "
-      ^ String.concat "\n    " (oe_prepare_input_buffer fd allocate_buffer);
-      "";
-      "    /* Call host function. */";
-      "    if ((_result = " ^ call_function ^ "(";
-      "             "
-      ^ String.concat ",\n             "
-          [
-            get_function_id fd;
-            "_input_buffer";
-            "_input_buffer_size";
-            "_output_buffer";
-            "_output_buffer_size";
-            "&_output_bytes_written)) != OE_OK)";
-          ];
-      "        goto done;";
-      "";
-      "    " ^ String.concat "\n    " (oe_process_output_buffer fd);
-      "";
-      "    /* Retrieve propagated errno from OCALL. */";
-      ( if uf.uf_propagate_errno then "    errno = _pargs_out->_ocall_errno;\n"
-      else sprintf "    /* Errno propagation not enabled. */" );
-      "";
-      "    _result = OE_OK;";
-      "";
-      "done:";
-      "    if (_buffer)";
-      "        " ^ free_buffer ^ "(_buffer);";
-      "    return _result;";
-      "}";
-      "";
-    ]
-  in
-  (* Generate ocall function. *)
-  let oe_gen_ocall_function (uf : untrusted_func) =
-    let fd = uf.uf_fdecl in
-    [
-      sprintf "void ocall_%s(" fd.fname;
-      "    uint8_t* input_buffer,";
-      "    size_t input_buffer_size,";
-      "    uint8_t* output_buffer,";
-      "    size_t output_buffer_size,";
-      "    size_t* output_bytes_written)";
-      "{";
-      (* Variable declarations *)
-      "    oe_result_t _result = OE_FAILURE;";
-      "    OE_UNUSED(input_buffer_size);";
-      "";
-      "    /* Prepare parameters. */";
-      sprintf "    %s_args_t* pargs_in = (%s_args_t*)input_buffer;" fd.fname
-        fd.fname;
-      sprintf "    %s_args_t* pargs_out = (%s_args_t*)output_buffer;" fd.fname
-        fd.fname;
-      "";
-      "    size_t input_buffer_offset = 0;";
-      "    size_t output_buffer_offset = 0;";
-      "    OE_ADD_SIZE(input_buffer_offset, sizeof(*pargs_in));";
-      "    OE_ADD_SIZE(output_buffer_offset, sizeof(*pargs_out));";
-      "";
-      (* Buffer validation *)
-      "    /* Make sure input and output buffers are valid. */";
-      "    if (!input_buffer || !output_buffer) {";
-      "        _result = OE_INVALID_PARAMETER;";
-      "        goto done;";
-      "    }";
-      "";
-      (* Prepare in and in-out parameters *)
-      oe_gen_in_and_inout_setters fd.plist;
-      "";
-      (* Prepare out and in-out parameters. The in-out parameter is copied to output buffer. *)
-      oe_gen_out_and_inout_setters fd.plist;
-      "";
-      (* Call the host function *)
-      "    " ^ String.concat "\n    " (oe_gen_call_user_function fd);
-      "";
-      "    /* Propagate errno back to enclave. */";
-      ( if uf.uf_propagate_errno then "    pargs_out->_ocall_errno = errno;"
-      else "    /* Errno propagation not enabled. */" );
-      "";
-      (* Mark call as success *)
-      "    /* Success. */";
-      "    _result = OE_OK;";
-      "    *output_bytes_written = output_buffer_offset;";
-      "";
-      "done:";
-      "    if (pargs_out && output_buffer_size >= sizeof(*pargs_out))";
-      "        pargs_out->_result = _result;";
-      "}";
-      "";
-    ]
-  in
-  (* Includes are emitted in [args.h]. Imported functions have already
-     been brought into function lists. *)
-  let gen_t_h =
-    let oe_gen_tfunc_prototypes =
-      if tfs <> [] then
-        List.map (fun f -> sprintf "%s;" (oe_gen_prototype f.tf_fdecl)) tfs
-      else [ "/* There were no ecalls. */" ]
-    in
-    let oe_gen_ufunc_wrapper_prototypes =
-      if ufs <> [] then
-        List.map
-          (fun f -> sprintf "%s;" (oe_gen_wrapper_prototype f.uf_fdecl false))
-          ufs
-      else [ "/* There were no ocalls. */" ]
-    in
-    let guard = "EDGER8R_" ^ String.uppercase_ascii ec.file_shortnm ^ "_T_H" in
-    [
-      "#ifndef " ^ guard;
-      "#define " ^ guard;
-      "";
-      "#include <openenclave/enclave.h>";
-      "";
-      sprintf "#include \"%s_args.h\"" ec.file_shortnm;
-      "";
-      "OE_EXTERNC_BEGIN";
-      "";
-      "/**** ECALL prototypes. ****/";
-      String.concat "\n\n" oe_gen_tfunc_prototypes;
-      "";
-      "/**** OCALL prototypes. ****/";
-      String.concat "\n\n" oe_gen_ufunc_wrapper_prototypes;
-      "";
-      "OE_EXTERNC_END";
-      "";
-      "#endif // " ^ guard;
-      "";
-    ]
-  in
-  let gen_t_c =
-    let oe_gen_ecall_functions =
-      if tfs <> [] then flatten_map oe_gen_ecall_function tfs
-      else [ "/* There were no ecalls. */" ]
-    in
-    let oe_gen_ecall_table =
-      let table = "__oe_ecalls_table" in
-      if tfs <> [] then
-        [
-          sprintf "oe_ecall_func_t %s[] = {" table;
-          "    "
-          ^ String.concat ",\n    "
-              (List.map
-                 (fun f -> "(oe_ecall_func_t) ecall_" ^ f.tf_fdecl.fname)
-                 tfs);
-          "};";
-          "";
-          sprintf "size_t %s_size = OE_COUNTOF(%s);" table table;
-        ]
-      else [ "/* There were no ecalls. */" ]
-    in
-    let oe_gen_enclave_ocall_wrappers =
-      if ufs <> [] then flatten_map oe_gen_enclave_ocall_wrapper ufs
-      else [ "/* There were no ocalls. */" ]
-    in
-    [
-      sprintf "#include \"%s_t.h\"" ec.file_shortnm;
-      "";
-      "#include <openenclave/edger8r/enclave.h>";
-      "";
-      "#include <stdlib.h>";
-      "#include <string.h>";
-      "#include <wchar.h>";
-      "";
-      "OE_EXTERNC_BEGIN";
-      "";
-      "/**** ECALL functions. ****/";
-      "";
-      String.concat "\n" oe_gen_ecall_functions;
-      "/**** ECALL function table. ****/";
-      "";
-      String.concat "\n" oe_gen_ecall_table;
-      "";
-      "/**** OCALL function wrappers. ****/";
-      "";
-      String.concat "\n" oe_gen_enclave_ocall_wrappers;
-      "OE_EXTERNC_END";
-      "";
-    ]
-  in
-  let gen_u_h =
-    let oe_gen_tfunc_wrapper_prototypes =
-      if tfs <> [] then
-        List.map (fun f -> oe_gen_wrapper_prototype f.tf_fdecl true ^ ";") tfs
-      else [ "/* There were no ecalls. */" ]
-    in
-    let oe_gen_ufunc_prototypes =
-      if ufs <> [] then
-        List.map (fun f -> oe_gen_prototype f.uf_fdecl ^ ";") ufs
-      else [ "/* There were no ocalls. */" ]
-    in
-    let guard = "EDGER8R_" ^ String.uppercase_ascii ec.file_shortnm ^ "_U_H" in
-    [
-      "#ifndef " ^ guard;
-      "#define " ^ guard;
-      "";
-      "#include <openenclave/host.h>";
-      "";
-      sprintf "#include \"%s_args.h\"" ec.file_shortnm;
-      "";
-      "OE_EXTERNC_BEGIN";
-      "";
-      sprintf "oe_result_t oe_create_%s_enclave(" ec.enclave_name;
-      "    const char* path,";
-      "    oe_enclave_type_t type,";
-      "    uint32_t flags,";
-      "    const oe_enclave_setting_t* settings,";
-      "    uint32_t setting_count,";
-      "    oe_enclave_t** enclave);";
-      "";
-      "/**** ECALL prototypes. ****/";
-      String.concat "\n\n" oe_gen_tfunc_wrapper_prototypes;
-      "";
-      "/**** OCALL prototypes. ****/";
-      String.concat "\n\n" oe_gen_ufunc_prototypes;
-      "";
-      "OE_EXTERNC_END";
-      "";
-      "#endif // " ^ guard;
-      "";
-    ]
-  in
-  let gen_u_c =
-    let oe_gen_host_ecall_wrappers =
-      if tfs <> [] then flatten_map oe_gen_host_ecall_wrapper tfs
-      else [ "/* There were no ecalls. */" ]
-    in
-    let oe_gen_ocall_functions =
-      if ufs <> [] then flatten_map oe_gen_ocall_function ufs
-      else [ "/* There were no ocalls. */" ]
-    in
-    let oe_gen_ocall_table =
-      [
-        sprintf "static oe_ocall_func_t __%s_ocall_function_table[] = {"
-          ec.enclave_name;
-        "    "
-        ^ String.concat "\n    "
-            (List.map
-               (fun f -> "(oe_ocall_func_t) ocall_" ^ f.uf_fdecl.fname ^ ",")
-               ufs);
-        "    NULL";
-        "};";
-      ]
-    in
-    [
-      sprintf "#include \"%s_u.h\"" ec.file_shortnm;
-      "";
-      "#include <openenclave/edger8r/host.h>";
-      "";
-      "#include <stdlib.h>";
-      "#include <string.h>";
-      "#include <wchar.h>";
-      "";
-      "OE_EXTERNC_BEGIN";
-      "";
-      "/**** ECALL function wrappers. ****/";
-      "";
-      String.concat "\n" oe_gen_host_ecall_wrappers;
-      "/**** OCALL functions. ****/";
-      "";
-      String.concat "\n" oe_gen_ocall_functions;
-      "/**** OCALL function table. ****/";
-      "";
-      String.concat "\n" oe_gen_ocall_table;
-      "";
-      sprintf "oe_result_t oe_create_%s_enclave(" ec.enclave_name;
-      "    const char* path,";
-      "    oe_enclave_type_t type,";
-      "    uint32_t flags,";
-      "    const oe_enclave_setting_t* settings,";
-      "    uint32_t setting_count,";
-      "    oe_enclave_t** enclave)";
-      "{";
-      "    return oe_create_enclave(";
-      "               path,";
-      "               type,";
-      "               flags,";
-      "               settings,";
-      "               setting_count,";
-      sprintf "               __%s_ocall_function_table," ec.enclave_name;
-      sprintf "               %d," (List.length ufs);
-      "               enclave);";
-      "}";
-      "";
-      "OE_EXTERNC_END";
-      "";
-    ]
-  in
   (* NOTE: The below code encapsulates all our file I/O. *)
   let args_h = ec.file_shortnm ^ "_args.h" in
   if ep.gen_trusted then (
-    write_file oe_gen_args_header args_h ep.trusted_dir;
-    write_file gen_t_h (ec.file_shortnm ^ "_t.h") ep.trusted_dir;
+    write_file (Headers.oe_gen_args_header ec) args_h ep.trusted_dir;
+    write_file (Headers.gen_t_h ec ep) (ec.file_shortnm ^ "_t.h") ep.trusted_dir;
     if not ep.header_only then
-      write_file gen_t_c (ec.file_shortnm ^ "_t.c") ep.trusted_dir );
+      write_file (Sources.gen_t_c ec ep) (ec.file_shortnm ^ "_t.c")
+        ep.trusted_dir );
   if ep.gen_untrusted then (
-    write_file oe_gen_args_header args_h ep.untrusted_dir;
-    write_file gen_u_h (ec.file_shortnm ^ "_u.h") ep.untrusted_dir;
+    write_file (Headers.oe_gen_args_header ec) args_h ep.untrusted_dir;
+    write_file (Headers.gen_u_h ec ep) (ec.file_shortnm ^ "_u.h")
+      ep.untrusted_dir;
     if not ep.header_only then
-      write_file gen_u_c (ec.file_shortnm ^ "_u.c") ep.untrusted_dir );
+      write_file (Sources.gen_u_c ec ep) (ec.file_shortnm ^ "_u.c")
+        ep.untrusted_dir );
   printf "Success.\n"
 
 (** Install the plugin. *)
diff --git a/tools/oeedger8r/src/Headers.ml b/tools/oeedger8r/src/Headers.ml
new file mode 100644
index 0000000000..db7388c6cf
--- /dev/null
+++ b/tools/oeedger8r/src/Headers.ml
@@ -0,0 +1,279 @@
+(* Copyright (c) Open Enclave SDK contributors.
+   Licensed under the MIT License. *)
+
+open Intel.Ast
+open Common
+open Printf
+
+(** Generate the prototype for a given function. *)
+let oe_gen_prototype (fd : func_decl) =
+  let plist_str =
+    let args = List.map gen_parm_str fd.plist in
+    match args with
+    | [] -> "void"
+    | [ arg ] -> arg
+    | _ -> "\n    " ^ String.concat ",\n    " args
+  in
+  sprintf "%s %s(%s)" (get_tystr fd.rtype) fd.fname plist_str
+
+(** Emit [struct], [union], or [enum]. *)
+let emit_composite_type =
+  let emit_struct (s : struct_def) =
+    [
+      "typedef struct " ^ s.sname;
+      "{";
+      String.concat "\n"
+        (List.map
+           (fun (ptype, decl) ->
+             sprintf "    %s %s%s;"
+               (get_tystr (get_param_atype ptype))
+               decl.identifier
+               (get_array_dims decl.array_dims))
+           s.smlist);
+      "} " ^ s.sname ^ ";";
+      "";
+    ]
+  in
+  let emit_union (u : union_def) =
+    [
+      "typedef union " ^ u.uname;
+      "{";
+      String.concat "\n"
+        (List.map
+           (fun (atype, decl) ->
+             sprintf "    %s %s%s;" (get_tystr atype) decl.identifier
+               (get_array_dims decl.array_dims))
+           u.umlist);
+      "} " ^ u.uname ^ ";";
+      "";
+    ]
+  in
+  let emit_enum (e : enum_def) =
+    [
+      "typedef enum " ^ e.enname;
+      "{";
+      String.concat ",\n"
+        (List.map
+           (fun (name, value) ->
+             sprintf "    %s%s" name
+               ( match value with
+               | EnumVal (AString s) -> " = " ^ s
+               | EnumVal (ANumber n) -> " = " ^ string_of_int n
+               | EnumValNone -> "" ))
+           e.enbody);
+      "} " ^ e.enname ^ ";";
+      "";
+    ]
+  in
+  function
+  | StructDef s -> emit_struct s
+  | UnionDef u -> emit_union u
+  | EnumDef e -> emit_enum e
+
+(* Generate [args.h] which contains [struct]s for ecalls and ocalls *)
+let oe_gen_args_header (ec : enclave_content) =
+  let tfs = ec.tfunc_decls in
+  let ufs = ec.ufunc_decls in
+  (* Emit IDs in enum for trusted functions. *)
+  let emit_trusted_function_ids =
+    [
+      "enum";
+      "{";
+      String.concat "\n"
+        (List.mapi
+           (fun i f -> sprintf "    %s = %d," (get_function_id ec f.tf_fdecl) i)
+           tfs);
+      "    " ^ ec.enclave_name ^ "_fcn_id_trusted_call_id_max = OE_ENUM_MAX";
+      "};";
+    ]
+  in
+  (* Emit IDs in enum for untrusted functions. *)
+  let emit_untrusted_function_ids =
+    [
+      "enum";
+      "{";
+      String.concat "\n"
+        (List.mapi
+           (fun i f -> sprintf "    %s = %d," (get_function_id ec f.uf_fdecl) i)
+           ufs);
+      "    " ^ ec.enclave_name ^ "_fcn_id_untrusted_call_max = OE_ENUM_MAX";
+      "};";
+    ]
+  in
+  let oe_gen_marshal_struct (fd : func_decl) (errno : bool) =
+    let gen_member_decl (ptype, decl) =
+      let aty = get_param_atype ptype in
+      let tystr = get_tystr aty in
+      let tystr =
+        if is_foreign_array ptype then
+          sprintf "/* foreign array of type %s */ void*" tystr
+        else tystr
+      in
+      let need_strlen =
+        is_str_or_wstr_ptr (ptype, decl) && is_in_or_inout_ptr (ptype, decl)
+      in
+      let id = decl.identifier in
+      [
+        [ tystr ^ " " ^ id ^ ";" ];
+        (if need_strlen then [ sprintf "size_t %s_len;" id ] else []);
+      ]
+      |> List.flatten
+    in
+    let struct_name = fd.fname ^ "_args_t" in
+    let retval_decl = { identifier = "_retval"; array_dims = [] } in
+    let members =
+      [
+        [ "oe_result_t _result;" ];
+        ( if fd.rtype = Void then []
+        else gen_member_decl (PTVal fd.rtype, retval_decl) );
+        (if errno then [ "int _ocall_errno;" ] else []);
+        flatten_map gen_member_decl (List.map conv_array_to_ptr fd.plist);
+      ]
+      |> List.flatten
+    in
+    [
+      "typedef struct _" ^ struct_name;
+      "{";
+      "    " ^ String.concat "\n    " members;
+      "} " ^ struct_name ^ ";";
+      "";
+    ]
+  in
+  let oe_gen_user_includes (includes : string list) =
+    if includes <> [] then List.map (sprintf "#include \"%s\"") includes
+    else [ "/* There were no user includes. */" ]
+  in
+  let oe_gen_user_types (cts : composite_type list) =
+    if cts <> [] then flatten_map emit_composite_type cts
+    else [ "/* There were no user defined types. */"; "" ]
+  in
+  let oe_gen_ecall_marshal_structs =
+    if tfs <> [] then
+      flatten_map (fun tf -> oe_gen_marshal_struct tf.tf_fdecl false) tfs
+    else [ "/* There were no ecalls. */"; "" ]
+  in
+  let oe_gen_ocall_marshal_structs =
+    if ufs <> [] then
+      flatten_map
+        (fun uf -> oe_gen_marshal_struct uf.uf_fdecl uf.uf_propagate_errno)
+        ufs
+    else [ "/* There were no ocalls. */"; "" ]
+  in
+  let with_errno = List.exists (fun uf -> uf.uf_propagate_errno) ufs in
+  let guard_macro =
+    "EDGER8R_" ^ String.uppercase_ascii ec.enclave_name ^ "_ARGS_H"
+  in
+  [
+    "#ifndef " ^ guard_macro;
+    "#define " ^ guard_macro;
+    "";
+    "#include <stdint.h>";
+    "#include <stdlib.h> /* for wchar_t */";
+    "";
+    (let s = "#include <errno.h>" in
+     if with_errno then s
+     else sprintf "/* %s - Errno propagation not enabled so not included. */" s);
+    "";
+    "#include <openenclave/bits/result.h>";
+    "";
+    "/**** User includes. ****/";
+    String.concat "\n" (oe_gen_user_includes ec.include_list);
+    "";
+    "/**** User defined types in EDL. ****/";
+    String.concat "\n" (oe_gen_user_types ec.comp_defs);
+    "/**** ECALL marshalling structs. ****/";
+    String.concat "\n" oe_gen_ecall_marshal_structs;
+    "/**** OCALL marshalling structs. ****/";
+    String.concat "\n" oe_gen_ocall_marshal_structs;
+    "/**** Trusted function IDs ****/";
+    String.concat "\n" emit_trusted_function_ids;
+    "";
+    "/**** Untrusted function IDs. ****/";
+    String.concat "\n" emit_untrusted_function_ids;
+    "";
+    "#endif // " ^ guard_macro;
+    "";
+  ]
+
+(* Includes are emitted in [args.h]. Imported functions have already
+     been brought into function lists. *)
+let gen_t_h (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
+  let tfs = ec.tfunc_decls in
+  let ufs = ec.ufunc_decls in
+  let oe_gen_tfunc_prototypes =
+    if tfs <> [] then
+      List.map (fun f -> sprintf "%s;" (oe_gen_prototype f.tf_fdecl)) tfs
+    else [ "/* There were no ecalls. */" ]
+  in
+  let oe_gen_ufunc_wrapper_prototypes =
+    if ufs <> [] then
+      List.map
+        (fun f -> sprintf "%s;" (oe_gen_wrapper_prototype f.uf_fdecl false))
+        ufs
+    else [ "/* There were no ocalls. */" ]
+  in
+  let guard = "EDGER8R_" ^ String.uppercase_ascii ec.file_shortnm ^ "_T_H" in
+  [
+    "#ifndef " ^ guard;
+    "#define " ^ guard;
+    "";
+    "#include <openenclave/enclave.h>";
+    "";
+    sprintf "#include \"%s_args.h\"" ec.file_shortnm;
+    "";
+    "OE_EXTERNC_BEGIN";
+    "";
+    "/**** ECALL prototypes. ****/";
+    String.concat "\n\n" oe_gen_tfunc_prototypes;
+    "";
+    "/**** OCALL prototypes. ****/";
+    String.concat "\n\n" oe_gen_ufunc_wrapper_prototypes;
+    "";
+    "OE_EXTERNC_END";
+    "";
+    "#endif // " ^ guard;
+    "";
+  ]
+
+let gen_u_h (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
+  let tfs = ec.tfunc_decls in
+  let ufs = ec.ufunc_decls in
+  let oe_gen_tfunc_wrapper_prototypes =
+    if tfs <> [] then
+      List.map (fun f -> oe_gen_wrapper_prototype f.tf_fdecl true ^ ";") tfs
+    else [ "/* There were no ecalls. */" ]
+  in
+  let oe_gen_ufunc_prototypes =
+    if ufs <> [] then List.map (fun f -> oe_gen_prototype f.uf_fdecl ^ ";") ufs
+    else [ "/* There were no ocalls. */" ]
+  in
+  let guard = "EDGER8R_" ^ String.uppercase_ascii ec.file_shortnm ^ "_U_H" in
+  [
+    "#ifndef " ^ guard;
+    "#define " ^ guard;
+    "";
+    "#include <openenclave/host.h>";
+    "";
+    sprintf "#include \"%s_args.h\"" ec.file_shortnm;
+    "";
+    "OE_EXTERNC_BEGIN";
+    "";
+    sprintf "oe_result_t oe_create_%s_enclave(" ec.enclave_name;
+    "    const char* path,";
+    "    oe_enclave_type_t type,";
+    "    uint32_t flags,";
+    "    const oe_enclave_setting_t* settings,";
+    "    uint32_t setting_count,";
+    "    oe_enclave_t** enclave);";
+    "";
+    "/**** ECALL prototypes. ****/";
+    String.concat "\n\n" oe_gen_tfunc_wrapper_prototypes;
+    "";
+    "/**** OCALL prototypes. ****/";
+    String.concat "\n\n" oe_gen_ufunc_prototypes;
+    "";
+    "OE_EXTERNC_END";
+    "";
+    "#endif // " ^ guard;
+    "";
+  ]
diff --git a/tools/oeedger8r/src/Sources.ml b/tools/oeedger8r/src/Sources.ml
new file mode 100644
index 0000000000..e81516c1cc
--- /dev/null
+++ b/tools/oeedger8r/src/Sources.ml
@@ -0,0 +1,874 @@
+(* Copyright (c) Open Enclave SDK contributors.
+   Licensed under the MIT License. *)
+
+open Intel.Ast
+open Common
+open Printf
+
+let _ec : Intel.Ast.enclave_content ref =
+  ref
+    {
+      file_shortnm = "";
+      enclave_name = "";
+      include_list = [];
+      import_exprs = [];
+      comp_defs = [];
+      tfunc_decls = [];
+      ufunc_decls = [];
+    }
+
+(* let _ep : Intel.Util.edger8r_params ref =
+ *   ref
+ *     {
+ *       input_files = [];
+ *       use_prefix = false;
+ *       header_only = false;
+ *       gen_untrusted = false;
+ *       gen_trusted = false;
+ *       untrusted_dir = "";
+ *       trusted_dir = "";
+ *       experimental = "";
+ *     } *)
+
+(** Generate a cast expression to a specific pointer type. For example,
+    [int*] needs to be cast to
+    {[
+      *(int ( * )[5][6])
+    ]}. *)
+let get_cast_from_mem_expr (ptype, decl) =
+  match ptype with
+  | PTVal _ -> ""
+  | PTPtr (t, attr) ->
+      if is_array decl then
+        sprintf "*(%s(*)%s)" (get_tystr t) (get_array_dims decl.array_dims)
+      else if is_foreign_array ptype then
+        sprintf "/* foreign array */ *(%s*)" (get_tystr t)
+      else if attr.pa_rdonly then
+        (* for ptrs, only constness is removed; add it back *)
+        sprintf "(const %s)" (get_tystr t)
+      else ""
+
+let oe_gen_call_user_function (fd : func_decl) =
+  [
+    "/* Call user function. */";
+    (match fd.rtype with Void -> "" | _ -> "pargs_out->_retval = ")
+    ^ fd.fname ^ "(";
+    String.concat ",\n    "
+      (List.map
+         (fun (ptype, decl) ->
+           let cast_expr = get_cast_from_mem_expr (ptype, decl) in
+           sprintf "    %spargs_in->%s" cast_expr decl.identifier)
+         fd.plist)
+    ^ ");";
+  ]
+
+(* Given [name], return the corresponding [StructDef], or [None]. *)
+let get_struct_by_name name =
+  (* [ec.comp_defs] is a list of all composite types, but we're only
+       interested in the structs, so we filter out the rest and unwrap
+       them from [composite_type]. *)
+  let structs =
+    filter_map (function StructDef s -> Some s | _ -> None) !_ec.comp_defs
+  in
+  List.find_opt (fun s -> s.sname = name) structs
+
+(* We need to check [Ptr]s for [Foreign] or [Struct] types, then
+     check those against the user's [Struct]s, and then check if any
+     members should be deep copied. What we return is the list of
+     members of the [Struct] which should be deep-copied, otherwise we
+     return an empty list. *)
+let get_deepcopy_members (a : atype) =
+  let should_deepcopy_a = function
+    | Ptr (Struct n) | Ptr (Foreign n) -> get_struct_by_name n
+    | _ -> None
+  in
+  (* TODO: Only enable with [ep.experimental] *)
+  if true then
+    match should_deepcopy_a a with
+    | Some s -> List.filter (fun (p, _) -> is_marshalled_ptr p) s.smlist
+    | None -> []
+  else []
+
+(** Generate a cast expression for a pointer argument. Pointer
+    arguments need to be cast to their root type, since the marshalling
+    struct has the root pointer. For example:
+    {[
+      int a[10][20]
+    ]}
+    needs to be cast to [int *].
+
+    NOTE: Foreign arrays are marshalled as [void *], but foreign pointers
+    are marshalled as-is. *)
+let get_cast_to_mem_expr (ptype, decl) (parens : bool) =
+  match ptype with
+  | PTVal _ -> ""
+  | PTPtr (t, _) ->
+      let tystr = get_tystr t in
+      if is_array decl then
+        let s = tystr ^ "*" in
+        if parens then sprintf "(%s)" s else s
+      else if is_foreign_array ptype then
+        let s = if parens then "(void*)" else "void*" in
+        sprintf "/* foreign array of type %s */ %s" tystr s
+      else if parens then sprintf "(%s)" tystr
+      else tystr
+
+let rec oe_gen_set_pointers args count setter (ptype, decl) =
+  let argstruct = oe_get_argstruct "pargs_in->" args count in
+  let size = oe_get_param_size (ptype, decl, argstruct) in
+  let arg =
+    match args with
+    | [] -> decl.identifier
+    | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ decl.identifier
+  in
+  let tystr = get_cast_to_mem_expr (ptype, decl) false in
+  gen_c_for (List.length args) count
+    ( [
+        (* NOTE: This makes the embedded check in the `OE_` macro superfluous. *)
+        [
+          sprintf "if (pargs_in->%s)"
+            (String.concat " && pargs_in->" (List.rev (arg :: args)));
+        ];
+        [ sprintf "    OE_%s_POINTER(%s, %s, %s);" setter arg size tystr ];
+        (let param_count = oe_get_param_count (ptype, decl, argstruct) in
+         flatten_map
+           (oe_gen_set_pointers (arg :: args) param_count setter)
+           (get_deepcopy_members (get_param_atype ptype)));
+      ]
+    |> List.flatten )
+
+let oe_gen_in_and_inout_setters (plist : pdecl list) =
+  let params =
+    let ptrs = List.filter is_in_or_inout_ptr plist in
+    let setters =
+      List.map
+        (fun (p, _) -> if is_in_ptr p then "SET_IN" else "SET_IN_OUT")
+        ptrs
+    in
+    flatten_map2 (oe_gen_set_pointers [] "1") setters ptrs
+  in
+  "    "
+  ^ String.concat "\n    "
+      [
+        "/* Set in and in-out pointers. */";
+        ( if params <> [] then String.concat "\n    " params
+        else "/* There were no in nor in-out parameters. */" );
+      ]
+
+let oe_gen_out_and_inout_setters (plist : pdecl list) =
+  let params =
+    let ptrs = List.filter is_out_or_inout_ptr plist in
+    let setters =
+      List.map
+        (fun (p, _) ->
+          if is_out_ptr p then "SET_OUT" else "COPY_AND_SET_IN_OUT")
+        ptrs
+    in
+    flatten_map2 (oe_gen_set_pointers [] "1") setters ptrs
+  in
+  "    "
+  ^ String.concat "\n    "
+      [
+        "/* Set out and in-out pointers. */";
+        "/* In-out parameters are copied to output buffer. */";
+        ( if params <> [] then String.concat "\n    " params
+        else "/* There were no out nor in-out parameters. */" );
+      ]
+
+(* Generate ecall function. *)
+let oe_gen_ecall_function (tf : trusted_func) =
+  let fd = tf.tf_fdecl in
+  [
+    sprintf "void ecall_%s(" fd.fname;
+    "    uint8_t* input_buffer,";
+    "    size_t input_buffer_size,";
+    "    uint8_t* output_buffer,";
+    "    size_t output_buffer_size,";
+    "    size_t* output_bytes_written)";
+    "{";
+    (* Variable declarations *)
+    "    oe_result_t _result = OE_FAILURE;";
+    "";
+    "    /* Prepare parameters. */";
+    sprintf "    %s_args_t* pargs_in = (%s_args_t*)input_buffer;" fd.fname
+      fd.fname;
+    sprintf "    %s_args_t* pargs_out = (%s_args_t*)output_buffer;" fd.fname
+      fd.fname;
+    "";
+    "    size_t input_buffer_offset = 0;";
+    "    size_t output_buffer_offset = 0;";
+    "    OE_ADD_SIZE(input_buffer_offset, sizeof(*pargs_in));";
+    "    OE_ADD_SIZE(output_buffer_offset, sizeof(*pargs_out));";
+    "";
+    (* Buffer validation *)
+    "    /* Make sure input and output buffers lie within the enclave. */";
+    "    if (!input_buffer || !oe_is_within_enclave(input_buffer, \
+     input_buffer_size))";
+    "        goto done;";
+    "";
+    "    if (!output_buffer || !oe_is_within_enclave(output_buffer, \
+     output_buffer_size))";
+    "        goto done;";
+    "";
+    (* Prepare in and in-out parameters *)
+    oe_gen_in_and_inout_setters fd.plist;
+    "";
+    (* Prepare out and in-out parameters. The in-out parameter is
+         copied to output buffer. *)
+    oe_gen_out_and_inout_setters fd.plist;
+    "";
+    "    /* Check that in/in-out strings are null terminated. */"
+    (* NOTE: We do not support deep copy for strings, so there is not
+         (yet) anything to do here. *);
+    (let params =
+       List.map
+         (fun (ptype, decl) ->
+           sprintf
+             "    OE_CHECK_NULL_TERMINATOR%s(pargs_in->%s, pargs_in->%s_len);"
+             (if is_wstr_ptr ptype then "_WIDE" else "")
+             decl.identifier decl.identifier)
+         (List.filter
+            (fun p -> is_str_or_wstr_ptr p && is_in_or_inout_ptr p)
+            fd.plist)
+     in
+     if params <> [] then String.concat "\n" params
+     else "    /* There were no in nor in-out string parameters. */");
+    "";
+    "    /* lfence after checks. */";
+    "    oe_lfence();";
+    "";
+    (* Call the enclave function *)
+    "    " ^ String.concat "\n    " (oe_gen_call_user_function fd);
+    "";
+    (* Mark call as success *)
+    "    /* Success. */";
+    "    _result = OE_OK;";
+    "    *output_bytes_written = output_buffer_offset;";
+    "";
+    "done:";
+    "    if (pargs_out && output_buffer_size >= sizeof(*pargs_out))";
+    "        pargs_out->_result = _result;";
+    "}";
+    "";
+  ]
+
+let rec gen_ptr_count args count (ptype, decl) =
+  let gen_times count body =
+    (* The first two conditionals check for the multiplicative identity
+       and prevent unnecessary expressions from being generated.
+       Otherwise we multiply the sum of [body] by [count]. *)
+    if count = "1" || body = [] then body
+    else if List.length body = 1 && List.hd body = "1" then [ count ]
+    else [ count ^ " * (" ^ String.concat " + " body ^ ")" ]
+  in
+  let id = decl.identifier in
+  (* TODO: The use of [gen_c_deref] does not work here as we are not
+       within a [gen_c_for] loop when producing the count. Therefore
+       arrays of structs which use members for the count of another
+       nested parameter are not yet supported. *)
+  let argstruct = oe_get_argstruct "" args count in
+  let arg =
+    match args with
+    | [] -> id
+    | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ id
+  in
+  let param_count = oe_get_param_count (ptype, decl, argstruct) in
+  let members = get_deepcopy_members (get_param_atype ptype) in
+  if is_marshalled_ptr ptype then
+    (* The base case is a marshalled pointer. We count 1 for every
+         one of these, except for the top-level pointers as they are
+         the original function arguments, and so do not need to be
+         saved/restored.
+
+         For a marshalled pointer, we then need to recurse. If there
+         are no members to recurse on, then [members] is the empty
+         list and the recursion is a no-op, leaving us back at the
+         base case of counting 1. If there are members to recurse on,
+         then we count 1 plus the current [param_count] times the
+         number of members for each nested structure. *)
+    (if args <> [] then [ "1" ] else [])
+    @ gen_times param_count
+        (flatten_map (gen_ptr_count (arg :: args) param_count) members)
+  else []
+
+let gen_ptr_array (plist : pdecl list) =
+  let count =
+    flatten_map (gen_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
+  in
+  if count <> [] then
+    (* TODO: Switch to malloc() to handle variable lengths. *)
+    [
+      "size_t _ptrs_index = 0;";
+      sprintf "void** _ptrs = malloc(sizeof(void*) * (%s));"
+        (String.concat " + " count);
+      "if (_ptrs == NULL)";
+      "{";
+      "    _result = OE_OUT_OF_MEMORY;";
+      "    goto done;";
+      "}";
+    ]
+  else [ "/* No pointers to save for deep copy. */" ]
+
+let gen_fill_marshal_struct (fd : func_decl) =
+  (* Generate assignment argument to corresponding field in args. This
+       is necessary for all arguments, not just copy-as-value, because
+       they are used directly by later marshalling code. *)
+  let gen_assignment (ptype, decl) =
+    let arg = decl.identifier in
+    [
+      [
+        sprintf "_args.%s = %s%s;" arg
+          (get_cast_to_mem_expr (ptype, decl) true)
+          arg;
+      ];
+      (* for string parameter fill the len field *)
+      ( if is_str_ptr ptype then
+        [ sprintf "_args.%s_len = (%s) ? (strlen(%s) + 1) : 0;" arg arg arg ]
+      else if is_wstr_ptr ptype then
+        [ sprintf "_args.%s_len = (%s) ? (wcslen(%s) + 1) : 0;" arg arg arg ]
+      else [] );
+    ]
+    |> List.flatten
+  in
+  flatten_map gen_assignment fd.plist
+  @
+  let rec gen_save_ptrs args count (ptype, decl) =
+    let id = decl.identifier in
+    let argstruct = oe_get_argstruct "_args." args count in
+    let arg =
+      match args with
+      | [] -> id
+      | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ id
+    in
+    gen_c_for (List.length args) count
+      ( [
+          ( if args <> [] then
+            [ sprintf "if (%s)" (String.concat " && " (List.rev args)) ]
+          else [] );
+          ( if args <> [] && is_marshalled_ptr ptype then
+            [ "    _ptrs[_ptrs_index++] = (void*)" ^ arg ^ ";" ]
+          else [] );
+          (let param_count = oe_get_param_count (ptype, decl, argstruct) in
+           flatten_map
+             (gen_save_ptrs (arg :: args) param_count)
+             (get_deepcopy_members (get_param_atype ptype)));
+        ]
+      |> List.flatten )
+  in
+  flatten_map (gen_save_ptrs [] "1") (List.filter is_out_or_inout_ptr fd.plist)
+
+(* Prepare [input_buffer]. *)
+let oe_prepare_input_buffer (fd : func_decl) (alloc_func : string) =
+  let oe_compute_buffer_size buffer predicate plist =
+    let rec gen_add_size args count (ptype, decl) =
+      let argstruct = oe_get_argstruct "_args." args count in
+      let size = oe_get_param_size (ptype, decl, argstruct) in
+      let arg =
+        match args with
+        | [] -> decl.identifier
+        | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ decl.identifier
+      in
+      gen_c_for (List.length args) count
+        ( [
+            [ sprintf "if (%s)" (String.concat " && " (List.rev (arg :: args))) ];
+            [ sprintf "    OE_ADD_SIZE(%s, %s);" buffer size ];
+            (let param_count = oe_get_param_count (ptype, decl, argstruct) in
+             flatten_map
+               (gen_add_size (arg :: args) param_count)
+               (get_deepcopy_members (get_param_atype ptype)));
+          ]
+        |> List.flatten )
+    in
+    let params =
+      flatten_map (gen_add_size [] "1") (List.filter predicate plist)
+    in
+    (* Note that the indentation for the first line is applied by the
+         parent function. *)
+    if params <> [] then String.concat "\n    " params
+    else "/* There were no corresponding parameters. */"
+  in
+  let oe_compute_input_buffer_size =
+    oe_compute_buffer_size "_input_buffer_size" is_in_or_inout_ptr
+  in
+  let oe_compute_output_buffer_size =
+    oe_compute_buffer_size "_output_buffer_size" is_out_or_inout_ptr
+  in
+  let oe_serialize_buffer_inputs (plist : pdecl list) =
+    let rec gen_serialize args count (ptype, decl) =
+      let argstruct = oe_get_argstruct "_args." args count in
+      let size = oe_get_param_size (ptype, decl, argstruct) in
+      let arg =
+        match args with
+        | [] -> decl.identifier
+        | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ decl.identifier
+      in
+      let tystr = get_cast_to_mem_expr (ptype, decl) false in
+      (* These need to be in order and so done together. *)
+      gen_c_for (List.length args) count
+        ( [
+            (* NOTE: This makes the embedded check in the `OE_` macro superfluous. *)
+            [
+              sprintf "if (%s)" (String.concat " && " (List.rev (arg :: args)));
+            ];
+            [
+              (* NOTE: The [WRITE_IN_OUT] macro is defined to be the
+                   [WRITE_IN] macro. *)
+              sprintf "    OE_WRITE_%s_PARAM(%s, %s, %s);"
+                (if is_in_ptr ptype then "IN" else "IN_OUT")
+                arg size tystr;
+            ];
+            (let param_count = oe_get_param_count (ptype, decl, argstruct) in
+             flatten_map
+               (gen_serialize (arg :: args) param_count)
+               (get_deepcopy_members (get_param_atype ptype)));
+          ]
+        |> List.flatten )
+    in
+    let params =
+      flatten_map (gen_serialize [] "1") (List.filter is_in_or_inout_ptr plist)
+    in
+    (* Note that the indentation for the first line is applied by the
+         parent function. *)
+    if params <> [] then String.concat "\n    " params
+    else "/* There were no in nor in-out parameters. */"
+  in
+  [
+    "/* Compute input buffer size. Include in and in-out parameters. */";
+    sprintf "OE_ADD_SIZE(_input_buffer_size, sizeof(%s_args_t));" fd.fname;
+    oe_compute_input_buffer_size fd.plist;
+    "";
+    "/* Compute output buffer size. Include out and in-out parameters. */";
+    sprintf "OE_ADD_SIZE(_output_buffer_size, sizeof(%s_args_t));" fd.fname;
+    oe_compute_output_buffer_size fd.plist;
+    "";
+    "/* Allocate marshalling buffer. */";
+    "_total_buffer_size = _input_buffer_size;";
+    "OE_ADD_SIZE(_total_buffer_size, _output_buffer_size);";
+    sprintf "_buffer = (uint8_t*)%s(_total_buffer_size);" alloc_func;
+    "_input_buffer = _buffer;";
+    "_output_buffer = _buffer + _input_buffer_size;";
+    "if (_buffer == NULL)";
+    "{";
+    "    _result = OE_OUT_OF_MEMORY;";
+    "    goto done;";
+    "}";
+    "";
+    "/* Serialize buffer inputs (in and in-out parameters). */";
+    sprintf "_pargs_in = (%s_args_t*)_input_buffer;" fd.fname;
+    "OE_ADD_SIZE(_input_buffer_offset, sizeof(*_pargs_in));";
+    oe_serialize_buffer_inputs fd.plist;
+    "";
+    "/* Copy args structure (now filled) to input buffer. */";
+    "memcpy(_pargs_in, &_args, sizeof(*_pargs_in));";
+  ]
+
+let gen_reset_ptr_index (plist : pdecl list) =
+  let count =
+    flatten_map (gen_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
+  in
+  if count <> [] then "_ptrs_index = 0; /* For deep copy. */"
+  else "/* No pointers to restore for deep copy. */"
+
+let oe_process_output_buffer (fd : func_decl) =
+  let oe_serialize_buffer_outputs (plist : pdecl list) =
+    let rec gen_serialize args count (ptype, decl) =
+      let argstruct = oe_get_argstruct "_args." args count in
+      let size = oe_get_param_size (ptype, decl, argstruct) in
+      let arg =
+        match args with
+        | [] -> decl.identifier
+        | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ decl.identifier
+      in
+      gen_c_for (List.length args) count
+        ( [
+            ( if is_str_or_wstr_ptr (ptype, decl) then
+              [
+                sprintf
+                  "OE_CHECK_NULL_TERMINATOR%s(_output_buffer + \
+                   _output_buffer_offset, _args.%s_len);"
+                  (if is_wstr_ptr ptype then "_WIDE" else "")
+                  arg;
+              ]
+            else [] );
+            (let s =
+               sprintf "OE_READ_%s_PARAM(%s, (size_t)(%s));"
+                 (if is_out_ptr ptype then "OUT" else "IN_OUT")
+                 arg size
+             in
+             match args with
+             | [] -> [ s ]
+             | _ ->
+                 let tystr = get_cast_to_mem_expr (ptype, decl) true in
+                 [
+                   sprintf "if (%s)" (String.concat " && " (List.rev args));
+                   "{";
+                   "    /* Restore original pointer. */";
+                   sprintf "    %s = %s_ptrs[_ptrs_index++];" arg tystr;
+                   "    " ^ s;
+                   "}";
+                 ]);
+            (let param_count = oe_get_param_count (ptype, decl, argstruct) in
+             flatten_map
+               (gen_serialize (arg :: args) param_count)
+               (get_deepcopy_members (get_param_atype ptype)));
+          ]
+        |> List.flatten )
+    in
+    let params =
+      flatten_map (gen_serialize [] "1") (List.filter is_out_or_inout_ptr plist)
+    in
+    if params <> [] then String.concat "\n    " params
+    else "/* There were no out nor in-out parameters. */"
+  in
+  [
+    (* Verify that the ecall succeeded *)
+    "/* Setup output arg struct pointer. */";
+    sprintf "_pargs_out = (%s_args_t*)_output_buffer;" fd.fname;
+    "OE_ADD_SIZE(_output_buffer_offset, sizeof(*_pargs_out));";
+    "";
+    "/* Check if the call succeeded. */";
+    "if ((_result = _pargs_out->_result) != OE_OK)";
+    "    goto done;";
+    "";
+    "/* Currently exactly _output_buffer_size bytes must be written. */";
+    "if (_output_bytes_written != _output_buffer_size)";
+    "{";
+    "    _result = OE_FAILURE;";
+    "    goto done;";
+    "}";
+    "";
+    "/* Unmarshal return value and out, in-out parameters. */";
+    ( if fd.rtype <> Void then "*_retval = _pargs_out->_retval;"
+    else "/* No return value. */" );
+    gen_reset_ptr_index fd.plist;
+    oe_serialize_buffer_outputs fd.plist;
+  ]
+
+(* Generate enclave OCALL wrapper function. *)
+let oe_gen_enclave_ocall_wrapper (uf : untrusted_func) =
+  let fd = uf.uf_fdecl in
+  let allocate_buffer, call_function, free_buffer =
+    if uf.uf_is_switchless then
+      ( "oe_allocate_switchless_ocall_buffer",
+        "oe_switchless_call_host_function",
+        "oe_free_switchless_ocall_buffer" )
+    else
+      ( "oe_allocate_ocall_buffer",
+        "oe_call_host_function",
+        "oe_free_ocall_buffer" )
+  in
+  [
+    oe_gen_wrapper_prototype fd false;
+    "{";
+    "    oe_result_t _result = OE_FAILURE;";
+    "";
+    "    /* If the enclave is in crashing/crashed status, new OCALL should fail";
+    "       immediately. */";
+    "    if (oe_get_enclave_status() != OE_OK)";
+    "        return oe_get_enclave_status();";
+    "";
+    "    /* Marshalling struct. */";
+    sprintf "    %s_args_t _args, *_pargs_in = NULL, *_pargs_out = NULL;"
+      fd.fname;
+    "    " ^ String.concat "\n    " (gen_ptr_array fd.plist);
+    "";
+    "    /* Marshalling buffer and sizes. */";
+    "    size_t _input_buffer_size = 0;";
+    "    size_t _output_buffer_size = 0;";
+    "    size_t _total_buffer_size = 0;";
+    "    uint8_t* _buffer = NULL;";
+    "    uint8_t* _input_buffer = NULL;";
+    "    uint8_t* _output_buffer = NULL;";
+    "    size_t _input_buffer_offset = 0;";
+    "    size_t _output_buffer_offset = 0;";
+    "    size_t _output_bytes_written = 0;";
+    "";
+    "    /* Fill marshalling struct. */";
+    "    memset(&_args, 0, sizeof(_args));";
+    "    " ^ String.concat "\n    " (gen_fill_marshal_struct fd);
+    "";
+    "    "
+    ^ String.concat "\n    " (oe_prepare_input_buffer fd allocate_buffer);
+    "";
+    "    /* Call host function. */";
+    "    if ((_result = " ^ call_function ^ "(";
+    "             "
+    ^ String.concat ",\n             "
+        [
+          get_function_id !_ec fd;
+          "_input_buffer";
+          "_input_buffer_size";
+          "_output_buffer";
+          "_output_buffer_size";
+          "&_output_bytes_written)) != OE_OK)";
+        ];
+    "        goto done;";
+    "";
+    "    " ^ String.concat "\n    " (oe_process_output_buffer fd);
+    "";
+    "    /* Retrieve propagated errno from OCALL. */";
+    ( if uf.uf_propagate_errno then "    errno = _pargs_out->_ocall_errno;\n"
+    else sprintf "    /* Errno propagation not enabled. */" );
+    "";
+    "    _result = OE_OK;";
+    "";
+    "done:";
+    "    if (_buffer)";
+    "        " ^ free_buffer ^ "(_buffer);";
+    "    return _result;";
+    "}";
+    "";
+  ]
+
+let gen_t_c (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
+  _ec := ec;
+  let tfs = ec.tfunc_decls in
+  let ufs = ec.ufunc_decls in
+  let oe_gen_ecall_functions =
+    if tfs <> [] then flatten_map oe_gen_ecall_function tfs
+    else [ "/* There were no ecalls. */" ]
+  in
+  let oe_gen_ecall_table =
+    let table = "__oe_ecalls_table" in
+    if tfs <> [] then
+      [
+        sprintf "oe_ecall_func_t %s[] = {" table;
+        "    "
+        ^ String.concat ",\n    "
+            (List.map
+               (fun f -> "(oe_ecall_func_t) ecall_" ^ f.tf_fdecl.fname)
+               tfs);
+        "};";
+        "";
+        sprintf "size_t %s_size = OE_COUNTOF(%s);" table table;
+      ]
+    else [ "/* There were no ecalls. */" ]
+  in
+  let oe_gen_enclave_ocall_wrappers =
+    if ufs <> [] then flatten_map oe_gen_enclave_ocall_wrapper ufs
+    else [ "/* There were no ocalls. */" ]
+  in
+  [
+    sprintf "#include \"%s_t.h\"" ec.file_shortnm;
+    "";
+    "#include <openenclave/edger8r/enclave.h>";
+    "";
+    "#include <stdlib.h>";
+    "#include <string.h>";
+    "#include <wchar.h>";
+    "";
+    "OE_EXTERNC_BEGIN";
+    "";
+    "/**** ECALL functions. ****/";
+    "";
+    String.concat "\n" oe_gen_ecall_functions;
+    "/**** ECALL function table. ****/";
+    "";
+    String.concat "\n" oe_gen_ecall_table;
+    "";
+    "/**** OCALL function wrappers. ****/";
+    "";
+    String.concat "\n" oe_gen_enclave_ocall_wrappers;
+    "OE_EXTERNC_END";
+    "";
+  ]
+
+let gen_free_ptrs (plist : pdecl list) =
+  let count =
+    flatten_map (gen_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
+  in
+  if count <> [] then [ "if (_ptrs)"; "    free(_ptrs);" ]
+  else [ "/* No `_ptrs` to free for deep copy. */" ]
+
+(* Generate host ECALL wrapper function. *)
+let oe_gen_host_ecall_wrapper (tf : trusted_func) =
+  let fd = tf.tf_fdecl in
+  let oe_ecall_function =
+    if tf.tf_is_switchless then "oe_switchless_call_enclave_function"
+    else "oe_call_enclave_function"
+  in
+  [
+    oe_gen_wrapper_prototype fd true;
+    "{";
+    "    oe_result_t _result = OE_FAILURE;";
+    "";
+    "    /* Marshalling struct. */";
+    sprintf "    %s_args_t _args, *_pargs_in = NULL, *_pargs_out = NULL;"
+      fd.fname;
+    "";
+    "    /* Marshalling buffer and sizes. */";
+    "    size_t _input_buffer_size = 0;";
+    "    size_t _output_buffer_size = 0;";
+    "    size_t _total_buffer_size = 0;";
+    "    uint8_t* _buffer = NULL;";
+    "    uint8_t* _input_buffer = NULL;";
+    "    uint8_t* _output_buffer = NULL;";
+    "    size_t _input_buffer_offset = 0;";
+    "    size_t _output_buffer_offset = 0;";
+    "    size_t _output_bytes_written = 0;";
+    "";
+    "    /* Deep copy buffer. */";
+    "    " ^ String.concat "\n    " (gen_ptr_array fd.plist);
+    "";
+    "    /* Fill marshalling struct. */";
+    "    memset(&_args, 0, sizeof(_args));";
+    "    " ^ String.concat "\n    " (gen_fill_marshal_struct fd);
+    "";
+    "    " ^ String.concat "\n    " (oe_prepare_input_buffer fd "malloc");
+    "";
+    "    /* Call enclave function. */";
+    "    if ((_result = " ^ oe_ecall_function ^ "(";
+    "             "
+    ^ String.concat ",\n             "
+        [
+          "enclave";
+          get_function_id !_ec fd;
+          "_input_buffer";
+          "_input_buffer_size";
+          "_output_buffer";
+          "_output_buffer_size";
+          "&_output_bytes_written)) != OE_OK)";
+        ];
+    "        goto done;";
+    "";
+    "    " ^ String.concat "\n    " (oe_process_output_buffer fd);
+    "";
+    "    _result = OE_OK;";
+    "";
+    "done:";
+    "    if (_buffer)";
+    "        free(_buffer);";
+    "";
+    "    " ^ String.concat "\n    " (gen_free_ptrs fd.plist);
+    "";
+    "    return _result;";
+    "}";
+    "";
+  ]
+
+(* Generate ocall function. *)
+let oe_gen_ocall_function (uf : untrusted_func) =
+  let fd = uf.uf_fdecl in
+  [
+    sprintf "void ocall_%s(" fd.fname;
+    "    uint8_t* input_buffer,";
+    "    size_t input_buffer_size,";
+    "    uint8_t* output_buffer,";
+    "    size_t output_buffer_size,";
+    "    size_t* output_bytes_written)";
+    "{";
+    (* Variable declarations *)
+    "    oe_result_t _result = OE_FAILURE;";
+    "    OE_UNUSED(input_buffer_size);";
+    "";
+    "    /* Prepare parameters. */";
+    sprintf "    %s_args_t* pargs_in = (%s_args_t*)input_buffer;" fd.fname
+      fd.fname;
+    sprintf "    %s_args_t* pargs_out = (%s_args_t*)output_buffer;" fd.fname
+      fd.fname;
+    "";
+    "    size_t input_buffer_offset = 0;";
+    "    size_t output_buffer_offset = 0;";
+    "    OE_ADD_SIZE(input_buffer_offset, sizeof(*pargs_in));";
+    "    OE_ADD_SIZE(output_buffer_offset, sizeof(*pargs_out));";
+    "";
+    (* Buffer validation *)
+    "    /* Make sure input and output buffers are valid. */";
+    "    if (!input_buffer || !output_buffer) {";
+    "        _result = OE_INVALID_PARAMETER;";
+    "        goto done;";
+    "    }";
+    "";
+    (* Prepare in and in-out parameters *)
+    oe_gen_in_and_inout_setters fd.plist;
+    "";
+    (* Prepare out and in-out parameters. The in-out parameter is copied to output buffer. *)
+    oe_gen_out_and_inout_setters fd.plist;
+    "";
+    (* Call the host function *)
+    "    " ^ String.concat "\n    " (oe_gen_call_user_function fd);
+    "";
+    "    /* Propagate errno back to enclave. */";
+    ( if uf.uf_propagate_errno then "    pargs_out->_ocall_errno = errno;"
+    else "    /* Errno propagation not enabled. */" );
+    "";
+    (* Mark call as success *)
+    "    /* Success. */";
+    "    _result = OE_OK;";
+    "    *output_bytes_written = output_buffer_offset;";
+    "";
+    "done:";
+    "    if (pargs_out && output_buffer_size >= sizeof(*pargs_out))";
+    "        pargs_out->_result = _result;";
+    "}";
+    "";
+  ]
+
+let gen_u_c (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
+  _ec := ec;
+  let tfs = ec.tfunc_decls in
+  let ufs = ec.ufunc_decls in
+  let oe_gen_host_ecall_wrappers =
+    if tfs <> [] then flatten_map oe_gen_host_ecall_wrapper tfs
+    else [ "/* There were no ecalls. */" ]
+  in
+  let oe_gen_ocall_functions =
+    if ufs <> [] then flatten_map oe_gen_ocall_function ufs
+    else [ "/* There were no ocalls. */" ]
+  in
+  let oe_gen_ocall_table =
+    [
+      sprintf "static oe_ocall_func_t __%s_ocall_function_table[] = {"
+        ec.enclave_name;
+      "    "
+      ^ String.concat "\n    "
+          (List.map
+             (fun f -> "(oe_ocall_func_t) ocall_" ^ f.uf_fdecl.fname ^ ",")
+             ufs);
+      "    NULL";
+      "};";
+    ]
+  in
+  [
+    sprintf "#include \"%s_u.h\"" ec.file_shortnm;
+    "";
+    "#include <openenclave/edger8r/host.h>";
+    "";
+    "#include <stdlib.h>";
+    "#include <string.h>";
+    "#include <wchar.h>";
+    "";
+    "OE_EXTERNC_BEGIN";
+    "";
+    "/**** ECALL function wrappers. ****/";
+    "";
+    String.concat "\n" oe_gen_host_ecall_wrappers;
+    "/**** OCALL functions. ****/";
+    "";
+    String.concat "\n" oe_gen_ocall_functions;
+    "/**** OCALL function table. ****/";
+    "";
+    String.concat "\n" oe_gen_ocall_table;
+    "";
+    sprintf "oe_result_t oe_create_%s_enclave(" ec.enclave_name;
+    "    const char* path,";
+    "    oe_enclave_type_t type,";
+    "    uint32_t flags,";
+    "    const oe_enclave_setting_t* settings,";
+    "    uint32_t setting_count,";
+    "    oe_enclave_t** enclave)";
+    "{";
+    "    return oe_create_enclave(";
+    "               path,";
+    "               type,";
+    "               flags,";
+    "               settings,";
+    "               setting_count,";
+    sprintf "               __%s_ocall_function_table," ec.enclave_name;
+    sprintf "               %d," (List.length ufs);
+    "               enclave);";
+    "}";
+    "";
+    "OE_EXTERNC_END";
+    "";
+  ]

From 3f822fdcc42d3ceb405dd4b3a26cc78aaa423425 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jordanhand22@gmail.com>
Date: Wed, 4 Sep 2019 18:37:12 -0700
Subject: [PATCH 335/420] Fix polymorphic exceptions caught by value

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 tests/cppException/enc/cppException.cpp | 22 +++++++++++-----------
 tests/stdcxx/enc/enc.cpp                |  2 +-
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/tests/cppException/enc/cppException.cpp b/tests/cppException/enc/cppException.cpp
index f3035e21ad..8fd829416a 100644
--- a/tests/cppException/enc/cppException.cpp
+++ b/tests/cppException/enc/cppException.cpp
@@ -177,7 +177,7 @@ bool BasicVerification()
     {
         return false;
     }
-    catch (BarClass01 ex_obj)
+    catch (BarClass01& ex_obj)
     {
         if (ex_obj.i != 0XFFFF)
         {
@@ -243,11 +243,11 @@ bool BasicVerification()
     {
         return false;
     }
-    catch (BarClass01)
+    catch (BarClass01&)
     {
         return false;
     }
-    catch (BarClass02 ex_obj)
+    catch (BarClass02& ex_obj)
     {
         if (ex_obj.i != 0XFFFFF)
         {
@@ -280,7 +280,7 @@ bool BasicVerification()
     {
         return false;
     }
-    catch (BarClass01)
+    catch (BarClass01&)
     {
         return false;
     }
@@ -318,11 +318,11 @@ bool BasicVerification()
     {
         return false;
     }
-    catch (BarClass01)
+    catch (BarClass01&)
     {
         return false;
     }
-    catch (BarClass02 ex_obj)
+    catch (BarClass02& ex_obj)
     {
         if (ex_obj.i != 0XFFFFFF)
         {
@@ -409,7 +409,7 @@ void bar02()
         BarClass02 obj(0XFFFFF);
         throw obj;
     }
-    catch (BarClass03)
+    catch (BarClass03&)
     {
         return;
     }
@@ -421,7 +421,7 @@ void bar01()
     {
         bar02();
     }
-    catch (BarClass01)
+    catch (BarClass01&)
     {
         return;
     }
@@ -436,7 +436,7 @@ bool NestedException()
         BarClass01 obj(0XF);
         throw obj;
     }
-    catch (BarClass01 ex_obj)
+    catch (BarClass01& ex_obj)
     {
         if (ex_obj.i != 0XF)
         {
@@ -487,12 +487,12 @@ bool NestedException()
                 return false;
             }
         }
-        catch (BarClass01)
+        catch (BarClass01&)
         {
             return false;
         }
     }
-    catch (BarClass02 ex_obj)
+    catch (BarClass02& ex_obj)
     {
         if (ex_obj.i != 0XFFFF)
         {
diff --git a/tests/stdcxx/enc/enc.cpp b/tests/stdcxx/enc/enc.cpp
index 5ed1e9f9e4..e1e0da35ff 100644
--- a/tests/stdcxx/enc/enc.cpp
+++ b/tests/stdcxx/enc/enc.cpp
@@ -204,7 +204,7 @@ int enc_test(bool* caught, bool* dynamic_cast_works, size_t* n_constructions)
                 int* p = new int[64];
                 ptrs.push_back(p);
             }
-            catch (std::bad_alloc)
+            catch (std::bad_alloc&)
             {
                 bad_alloc_caught = true;
                 printf("std::bad_alloc caught\n");

From dce501fc1222dc3af6f272c7eb4846c4bfe6deac Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Tue, 26 Nov 2019 09:36:13 -0800
Subject: [PATCH 336/420] Build attested_tls sample for Windows

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 samples/CMakeLists.txt                        | 12 ++--
 samples/README_Windows.md                     |  7 +++
 samples/attested_tls/client/enc/client.cpp    |  9 ++-
 samples/attested_tls/common/utility.cpp       |  3 +-
 .../scripts/gen_mrenclave_header.py           | 60 +++++++++++++++++++
 .../attested_tls/server/enc/CMakeLists.txt    |  3 +-
 .../server/enc/identity_verifier.cpp          |  3 +-
 samples/attested_tls/server/enc/server.cpp    | 10 ++--
 samples/attested_tls/server/host/host.cpp     |  2 +-
 samples/test-samples.cmake                    |  5 +-
 10 files changed, 87 insertions(+), 27 deletions(-)
 create mode 100644 samples/attested_tls/scripts/gen_mrenclave_header.py

diff --git a/samples/CMakeLists.txt b/samples/CMakeLists.txt
index 254175184b..208b1d508e 100644
--- a/samples/CMakeLists.txt
+++ b/samples/CMakeLists.txt
@@ -7,13 +7,11 @@ if (HAS_QUOTE_PROVIDER)
           PATTERN "gen_pubkey_header.sh"
           PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ
           GROUP_EXECUTE GROUP_READ WORLD_EXECUTE WORLD_READ)
-  if(NOT WIN32)
-    install(DIRECTORY attested_tls
-          DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples
-          PATTERN "gen_pubkey_header.sh"
-          PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ
-          GROUP_EXECUTE GROUP_READ WORLD_EXECUTE WORLD_READ)
-  endif()
+  install(DIRECTORY attested_tls
+        DESTINATION ${CMAKE_INSTALL_DATADIR}/openenclave/samples
+        PATTERN "gen_pubkey_header.sh"
+        PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ
+        GROUP_EXECUTE GROUP_READ WORLD_EXECUTE WORLD_READ)
 endif ()
 
 install(DIRECTORY local_attestation
diff --git a/samples/README_Windows.md b/samples/README_Windows.md
index 7236485217..4de561e20c 100644
--- a/samples/README_Windows.md
+++ b/samples/README_Windows.md
@@ -90,6 +90,13 @@ The following samples demonstrate how to develop enclave applications using OE A
 - Explain the concept of OE local attestation
 - Demonstrate an implementation of local attestation between two enclaves on the same VM
 
+#### [Attested TLS](attested_tls/README.md)
+
+- Explain what an Attested TLS channel is
+- Demonstrate an implementation for how to establish an Attested TLS channel
+  - between two enclaves
+  - between one non-enclave client and an enclave
+
 #### [Switchless Calls](switchless/README.md)
 
 - Explain the concept of switchless calls
diff --git a/samples/attested_tls/client/enc/client.cpp b/samples/attested_tls/client/enc/client.cpp
index 17e10bb6ac..cb6f0525ca 100644
--- a/samples/attested_tls/client/enc/client.cpp
+++ b/samples/attested_tls/client/enc/client.cpp
@@ -116,7 +116,7 @@ int handle_communication_until_done(mbedtls_ssl_context* ssl)
     // Write client payload to the server
     printf(TLS_CLIENT "Write to server-->:");
     len = sprintf((char*)buf, CLIENT_PAYLOAD);
-    while ((ret = mbedtls_ssl_write(ssl, buf, len)) <= 0)
+    while ((ret = mbedtls_ssl_write(ssl, buf, (size_t)len)) <= 0)
     {
         if (ret != MBEDTLS_ERR_SSL_WANT_READ &&
             ret != MBEDTLS_ERR_SSL_WANT_WRITE)
@@ -135,7 +135,7 @@ int handle_communication_until_done(mbedtls_ssl_context* ssl)
     {
         len = sizeof(buf) - 1;
         memset(buf, 0, sizeof(buf));
-        ret = mbedtls_ssl_read(ssl, buf, len);
+        ret = mbedtls_ssl_read(ssl, buf, (size_t)len);
         if (ret == MBEDTLS_ERR_SSL_WANT_READ ||
             ret == MBEDTLS_ERR_SSL_WANT_WRITE)
             continue;
@@ -156,8 +156,8 @@ int handle_communication_until_done(mbedtls_ssl_context* ssl)
         }
         len = ret;
         printf(TLS_CLIENT "%d bytes received from server:\n\n", len);
-        if ((len != SERVER_PAYLOAD_SIZE) ||
-            (memcmp(SERVER_PAYLOAD, buf, len) != 0))
+        if (((size_t)len != SERVER_PAYLOAD_SIZE) ||
+            (memcmp(SERVER_PAYLOAD, buf, (size_t)len) != 0))
         {
             printf(
                 TLS_CLIENT
@@ -184,7 +184,6 @@ int handle_communication_until_done(mbedtls_ssl_context* ssl)
 int launch_tls_client(char* server_name, char* server_port)
 {
     int ret = 1;
-    uint32_t flags;
     const char* pers = "ssl_client";
     oe_result_t result = OE_FAILURE;
     int exit_code = MBEDTLS_EXIT_FAILURE;
diff --git a/samples/attested_tls/common/utility.cpp b/samples/attested_tls/common/utility.cpp
index 462c21453c..ab08faecc2 100644
--- a/samples/attested_tls/common/utility.cpp
+++ b/samples/attested_tls/common/utility.cpp
@@ -94,7 +94,6 @@ oe_result_t generate_certificate_and_pkey(
     mbedtls_pk_context* private_key)
 {
     oe_result_t result = OE_FAILURE;
-    uint8_t* host_cert_buf = NULL;
     uint8_t* output_cert = NULL;
     size_t output_cert_size = 0;
     uint8_t* private_key_buf = NULL;
@@ -245,7 +244,7 @@ bool verify_mrsigner(
     if (memcmp(signer, signer_id_buf, signer_id_buf_size) != 0)
     {
         printf("mrsigner is not equal!\n");
-        for (int i = 0; i < signer_id_buf_size; i++)
+        for (int i = 0; i < (int)signer_id_buf_size; i++)
         {
             printf(
                 "0x%x - 0x%x\n", (uint8_t)signer[i], (uint8_t)signer_id_buf[i]);
diff --git a/samples/attested_tls/scripts/gen_mrenclave_header.py b/samples/attested_tls/scripts/gen_mrenclave_header.py
new file mode 100644
index 0000000000..86680b2ce9
--- /dev/null
+++ b/samples/attested_tls/scripts/gen_mrenclave_header.py
@@ -0,0 +1,60 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+import sys
+import os
+
+def parse_mrenclave(fname):
+    enc_bytes = []
+    with open(fname, "r") as f:
+        for line in f:
+            prefix = "mrenclave="
+            if line.startswith(prefix):
+                line = line[len(prefix):]
+                new_byte = True
+                b = ""
+                for char in line:
+                    if new_byte:
+                        b = "0x" + char
+                        new_byte = False
+                    else:
+                        b += char
+                        enc_bytes.append(b)
+                        new_byte = True
+
+    return ("," + os.linesep).join(enc_bytes)
+
+def gen_header(inpath, outpath):
+    lines = [
+        "// Copyright (c) Open Enclave SDK contributors.",
+        "// Licensed under the MIT License.",
+        "",
+        "#ifndef SAMPLES_ATTESTED_TLS_SERVER_UNIQUE_ID_H",
+        "#define SAMPLES_ATTESTED_TLS_SERVER_UNIQUE_ID_H",
+        "",
+        "static const unsigned char SERVER_ENCLAVE_MRENCLAVE[] =",
+        "{"
+    ]
+
+    lines.append(parse_mrenclave(inpath))
+
+    lines += [
+        "};",
+        "",
+        "#endif /* SAMPLES_ATTESTED_TLS_SERVER_UNIQUE_ID_H */",
+        ""
+    ]
+
+    return os.linesep.join(lines)
+
+if __name__ == "__main__":
+    if len(sys.argv) < 3:
+        print("Usage: gen_mrenclave_header.py <oesign_dump> <output_file>")
+        exit(1)
+
+    outpath = sys.argv[1]
+    inpath = sys.argv[2]
+
+    header = gen_header(inpath, outpath)
+    with open(outpath, "w") as f:
+        f.write(header)
diff --git a/samples/attested_tls/server/enc/CMakeLists.txt b/samples/attested_tls/server/enc/CMakeLists.txt
index f820bfe063..99438cc632 100644
--- a/samples/attested_tls/server/enc/CMakeLists.txt
+++ b/samples/attested_tls/server/enc/CMakeLists.txt
@@ -11,8 +11,7 @@ add_custom_command(OUTPUT tls_server_enc.signed tls_server_enc_mrenclave.h
   DEPENDS tls_server_enc enc.conf ${CMAKE_SOURCE_DIR}/server/enc/private.pem ${CMAKE_SOURCE_DIR}/scripts/gen_mrenclave_header.sh
   COMMAND openenclave::oesign sign -e $<TARGET_FILE:tls_server_enc> -c ${CMAKE_SOURCE_DIR}/server/enc/enc.conf -k ${CMAKE_SOURCE_DIR}/server/enc/private.pem
   COMMAND openenclave::oesign dump -e tls_server_enc.signed  > temp.dmp
-  COMMAND chmod u+x ${CMAKE_SOURCE_DIR}/scripts/gen_mrenclave_header.sh
-  COMMAND ${CMAKE_SOURCE_DIR}/scripts/gen_mrenclave_header.sh ${CMAKE_SOURCE_DIR}/common/tls_server_enc_mrenclave.h temp.dmp
+  COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_SOURCE_DIR}/scripts/gen_mrenclave_header.py ${CMAKE_SOURCE_DIR}/common/tls_server_enc_mrenclave.h temp.dmp
   COMMAND ${CMAKE_COMMAND} -E remove temp.dmp)
 
 add_executable(tls_server_enc
diff --git a/samples/attested_tls/server/enc/identity_verifier.cpp b/samples/attested_tls/server/enc/identity_verifier.cpp
index 7c6999a3bb..ba0c39f302 100644
--- a/samples/attested_tls/server/enc/identity_verifier.cpp
+++ b/samples/attested_tls/server/enc/identity_verifier.cpp
@@ -11,8 +11,9 @@ oe_result_t enclave_identity_verifier_callback(
     oe_identity_t* identity,
     void* arg)
 {
+    OE_UNUSED(arg);
+
     oe_result_t result = OE_VERIFY_FAILED;
-    bool bret = false;
 
     printf(TLS_SERVER
            "Server:enclave_identity_verifier_callback is called with enclave "
diff --git a/samples/attested_tls/server/enc/server.cpp b/samples/attested_tls/server/enc/server.cpp
index 1f33b0b3ef..7fc2280d21 100644
--- a/samples/attested_tls/server/enc/server.cpp
+++ b/samples/attested_tls/server/enc/server.cpp
@@ -183,7 +183,7 @@ int handle_communication_until_done(
     {
         len = sizeof(buf) - 1;
         memset(buf, 0, sizeof(buf));
-        ret = mbedtls_ssl_read(ssl, buf, len);
+        ret = mbedtls_ssl_read(ssl, buf, (size_t)len);
 
         if (ret == MBEDTLS_ERR_SSL_WANT_READ ||
             ret == MBEDTLS_ERR_SSL_WANT_WRITE)
@@ -214,8 +214,8 @@ int handle_communication_until_done(
 
         // For testing purpose, valdiate received data's content and size
 #ifdef ADD_TEST_CHECKING
-        if ((len != CLIENT_PAYLOAD_SIZE) ||
-            (memcmp(CLIENT_PAYLOAD, buf, len) != 0))
+        if (((size_t)len != CLIENT_PAYLOAD_SIZE) ||
+            (memcmp(CLIENT_PAYLOAD, buf, (size_t)len) != 0))
         {
             printf(
                 TLS_SERVER
@@ -228,7 +228,7 @@ int handle_communication_until_done(
         printf(TLS_SERVER
                "Verified: the contents of client payload were expected\n\n");
 #endif
-        if (ret == CLIENT_PAYLOAD_SIZE)
+        if ((size_t)ret == CLIENT_PAYLOAD_SIZE)
             break;
     } while (1);
 
@@ -236,7 +236,7 @@ int handle_communication_until_done(
     printf(TLS_SERVER "-----> Write to client:\n");
     len = snprintf((char*)buf, sizeof(buf) - 1, SERVER_PAYLOAD);
 
-    while ((ret = mbedtls_ssl_write(ssl, buf, len)) <= 0)
+    while ((ret = mbedtls_ssl_write(ssl, buf, (size_t)len)) <= 0)
     {
         if (ret == MBEDTLS_ERR_NET_CONN_RESET)
         {
diff --git a/samples/attested_tls/server/host/host.cpp b/samples/attested_tls/server/host/host.cpp
index 10e309ac31..e559f510f6 100644
--- a/samples/attested_tls/server/host/host.cpp
+++ b/samples/attested_tls/server/host/host.cpp
@@ -55,7 +55,7 @@ int main(int argc, const char* argv[])
     // read port parameter
     {
         char* option = (char*)"-port:";
-        int param_len = 0;
+        size_t param_len = 0;
         param_len = strlen(option);
         if (strncmp(argv[2], option, param_len) == 0)
         {
diff --git a/samples/test-samples.cmake b/samples/test-samples.cmake
index ef630955a6..4cf2652eaf 100644
--- a/samples/test-samples.cmake
+++ b/samples/test-samples.cmake
@@ -25,10 +25,7 @@ else ()
   # against SGX.
   if (HAS_QUOTE_PROVIDER)
     list(APPEND SAMPLES_LIST remote_attestation)
-    # The attested_tls test is not supported on Windows at this time.
-    if (UNIX)
-	    list(APPEND SAMPLES_LIST attested_tls)
-    endif ()
+    list(APPEND SAMPLES_LIST attested_tls)
   endif ()
 endif ()
 

From 77ed62b9c03e349ae5376f1686a07a91e95d617e Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Mon, 25 Nov 2019 19:01:17 +0000
Subject: [PATCH 337/420] Rename `oe_gen_t_h` to `Headers.generate_trusted`
 etc.

With the refactor, these names can make more sense.

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/src/Emitter.ml | 27 ++++++++++++++++-----------
 tools/oeedger8r/src/Headers.ml |  6 +++---
 tools/oeedger8r/src/Sources.ml |  4 ++--
 3 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/tools/oeedger8r/src/Emitter.ml b/tools/oeedger8r/src/Emitter.ml
index 613a6e3517..27d7168940 100644
--- a/tools/oeedger8r/src/Emitter.ml
+++ b/tools/oeedger8r/src/Emitter.ml
@@ -102,7 +102,7 @@ let warn_size_and_count_params (fd : func_decl) =
     fd.plist
 
 (** Generate the Enclave code. *)
-let gen_enclave_code (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
+let write_enclave_code (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
   (* Short aliases for the trusted and untrusted function
      declarations. *)
   let tfs = ec.tfunc_decls in
@@ -157,22 +157,27 @@ let gen_enclave_code (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
   (* NOTE: The below code encapsulates all our file I/O. *)
   let args_h = ec.file_shortnm ^ "_args.h" in
   if ep.gen_trusted then (
-    write_file (Headers.oe_gen_args_header ec) args_h ep.trusted_dir;
-    write_file (Headers.gen_t_h ec ep) (ec.file_shortnm ^ "_t.h") ep.trusted_dir;
+    write_file (Headers.generate_args ec) args_h ep.trusted_dir;
+    write_file
+      (Headers.generate_trusted ec ep)
+      (ec.file_shortnm ^ "_t.h") ep.trusted_dir;
     if not ep.header_only then
-      write_file (Sources.gen_t_c ec ep) (ec.file_shortnm ^ "_t.c")
-        ep.trusted_dir );
+      write_file
+        (Sources.generate_trusted ec ep)
+        (ec.file_shortnm ^ "_t.c") ep.trusted_dir );
   if ep.gen_untrusted then (
-    write_file (Headers.oe_gen_args_header ec) args_h ep.untrusted_dir;
-    write_file (Headers.gen_u_h ec ep) (ec.file_shortnm ^ "_u.h")
-      ep.untrusted_dir;
+    write_file (Headers.generate_args ec) args_h ep.untrusted_dir;
+    write_file
+      (Headers.generate_untrusted ec ep)
+      (ec.file_shortnm ^ "_u.h") ep.untrusted_dir;
     if not ep.header_only then
-      write_file (Sources.gen_u_c ec ep) (ec.file_shortnm ^ "_u.c")
-        ep.untrusted_dir );
+      write_file
+        (Sources.generate_untrusted ec ep)
+        (ec.file_shortnm ^ "_u.c") ep.untrusted_dir );
   printf "Success.\n"
 
 (** Install the plugin. *)
 let _ =
   Printf.printf "Generating edge routines for the Open Enclave SDK.\n";
   Intel.Plugin.instance.available <- true;
-  Intel.Plugin.instance.gen_edge_routines <- gen_enclave_code
+  Intel.Plugin.instance.gen_edge_routines <- write_enclave_code
diff --git a/tools/oeedger8r/src/Headers.ml b/tools/oeedger8r/src/Headers.ml
index db7388c6cf..325907a236 100644
--- a/tools/oeedger8r/src/Headers.ml
+++ b/tools/oeedger8r/src/Headers.ml
@@ -71,7 +71,7 @@ let emit_composite_type =
   | EnumDef e -> emit_enum e
 
 (* Generate [args.h] which contains [struct]s for ecalls and ocalls *)
-let oe_gen_args_header (ec : enclave_content) =
+let generate_args (ec : enclave_content) =
   let tfs = ec.tfunc_decls in
   let ufs = ec.ufunc_decls in
   (* Emit IDs in enum for trusted functions. *)
@@ -197,7 +197,7 @@ let oe_gen_args_header (ec : enclave_content) =
 
 (* Includes are emitted in [args.h]. Imported functions have already
      been brought into function lists. *)
-let gen_t_h (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
+let generate_trusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
   let tfs = ec.tfunc_decls in
   let ufs = ec.ufunc_decls in
   let oe_gen_tfunc_prototypes =
@@ -235,7 +235,7 @@ let gen_t_h (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
     "";
   ]
 
-let gen_u_h (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
+let generate_untrusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
   let tfs = ec.tfunc_decls in
   let ufs = ec.ufunc_decls in
   let oe_gen_tfunc_wrapper_prototypes =
diff --git a/tools/oeedger8r/src/Sources.ml b/tools/oeedger8r/src/Sources.ml
index e81516c1cc..4e92f37552 100644
--- a/tools/oeedger8r/src/Sources.ml
+++ b/tools/oeedger8r/src/Sources.ml
@@ -620,7 +620,7 @@ let oe_gen_enclave_ocall_wrapper (uf : untrusted_func) =
     "";
   ]
 
-let gen_t_c (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
+let generate_trusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
   _ec := ec;
   let tfs = ec.tfunc_decls in
   let ufs = ec.ufunc_decls in
@@ -804,7 +804,7 @@ let oe_gen_ocall_function (uf : untrusted_func) =
     "";
   ]
 
-let gen_u_c (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
+let generate_untrusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
   _ec := ec;
   let tfs = ec.tfunc_decls in
   let ufs = ec.ufunc_decls in

From 912d3f107fde4a1965590ee16509786425429cb4 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Mon, 25 Nov 2019 20:07:02 +0000
Subject: [PATCH 338/420] Clean up names in `Headers.ml`

This fixes up the names (and in some instances, location) of functions
and variables in `Headers.ml`.

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/src/Common.ml  |   6 +-
 tools/oeedger8r/src/Emitter.ml |   4 +-
 tools/oeedger8r/src/Headers.ml | 187 +++++++++++++++++----------------
 tools/oeedger8r/src/Sources.ml |   4 +-
 4 files changed, 102 insertions(+), 99 deletions(-)

diff --git a/tools/oeedger8r/src/Common.ml b/tools/oeedger8r/src/Common.ml
index 606d0c9788..2095f526b2 100644
--- a/tools/oeedger8r/src/Common.ml
+++ b/tools/oeedger8r/src/Common.ml
@@ -33,7 +33,7 @@ let is_const_ptr (pt : parameter_type) =
       else match aty with Foreign _ -> false | _ -> true )
 
 (** Generate parameter [p] representation. *)
-let gen_parm_str (p : pdecl) =
+let get_parameter_str (p : pdecl) =
   let pt, (declr : declarator) = p in
   let aty = get_param_atype pt in
   let str = get_typed_declr_str aty declr in
@@ -228,7 +228,7 @@ let oe_get_param_count (ptype, decl, argstruct) =
 
 (** Generate the wrapper prototype for a given function. Optionally
     add an [oe_enclave_t*] first parameter. *)
-let oe_gen_wrapper_prototype (fd : func_decl) (is_ecall : bool) =
+let get_wrapper_prototype (fd : func_decl) (is_ecall : bool) =
   let plist_str =
     let args =
       [
@@ -236,7 +236,7 @@ let oe_gen_wrapper_prototype (fd : func_decl) (is_ecall : bool) =
         ( match fd.rtype with
         | Void -> []
         | _ -> [ get_tystr fd.rtype ^ "* _retval" ] );
-        List.map gen_parm_str fd.plist;
+        List.map get_parameter_str fd.plist;
       ]
       |> List.flatten
     in
diff --git a/tools/oeedger8r/src/Emitter.ml b/tools/oeedger8r/src/Emitter.ml
index 27d7168940..bbcf6d1219 100644
--- a/tools/oeedger8r/src/Emitter.ml
+++ b/tools/oeedger8r/src/Emitter.ml
@@ -159,7 +159,7 @@ let write_enclave_code (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
   if ep.gen_trusted then (
     write_file (Headers.generate_args ec) args_h ep.trusted_dir;
     write_file
-      (Headers.generate_trusted ec ep)
+      (Headers.generate_trusted ec)
       (ec.file_shortnm ^ "_t.h") ep.trusted_dir;
     if not ep.header_only then
       write_file
@@ -168,7 +168,7 @@ let write_enclave_code (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
   if ep.gen_untrusted then (
     write_file (Headers.generate_args ec) args_h ep.untrusted_dir;
     write_file
-      (Headers.generate_untrusted ec ep)
+      (Headers.generate_untrusted ec)
       (ec.file_shortnm ^ "_u.h") ep.untrusted_dir;
     if not ep.header_only then
       write_file
diff --git a/tools/oeedger8r/src/Headers.ml b/tools/oeedger8r/src/Headers.ml
index 325907a236..3bbf707699 100644
--- a/tools/oeedger8r/src/Headers.ml
+++ b/tools/oeedger8r/src/Headers.ml
@@ -6,9 +6,9 @@ open Common
 open Printf
 
 (** Generate the prototype for a given function. *)
-let oe_gen_prototype (fd : func_decl) =
+let get_function_prototype (fd : func_decl) =
   let plist_str =
-    let args = List.map gen_parm_str fd.plist in
+    let args = List.map get_parameter_str fd.plist in
     match args with
     | [] -> "void"
     | [ arg ] -> arg
@@ -17,8 +17,8 @@ let oe_gen_prototype (fd : func_decl) =
   sprintf "%s %s(%s)" (get_tystr fd.rtype) fd.fname plist_str
 
 (** Emit [struct], [union], or [enum]. *)
-let emit_composite_type =
-  let emit_struct (s : struct_def) =
+let get_composite_type =
+  let get_struct (s : struct_def) =
     [
       "typedef struct " ^ s.sname;
       "{";
@@ -34,7 +34,7 @@ let emit_composite_type =
       "";
     ]
   in
-  let emit_union (u : union_def) =
+  let get_union (u : union_def) =
     [
       "typedef union " ^ u.uname;
       "{";
@@ -48,7 +48,7 @@ let emit_composite_type =
       "";
     ]
   in
-  let emit_enum (e : enum_def) =
+  let get_enum (e : enum_def) =
     [
       "typedef enum " ^ e.enname;
       "{";
@@ -66,16 +66,54 @@ let emit_composite_type =
     ]
   in
   function
-  | StructDef s -> emit_struct s
-  | UnionDef u -> emit_union u
-  | EnumDef e -> emit_enum e
+  | StructDef s -> get_struct s
+  | UnionDef u -> get_union u
+  | EnumDef e -> get_enum e
+
+let get_marshal_struct (fd : func_decl) (errno : bool) =
+  let get_member_decl (ptype, decl) =
+    let aty = get_param_atype ptype in
+    let tystr = get_tystr aty in
+    let tystr =
+      if is_foreign_array ptype then
+        sprintf "/* foreign array of type %s */ void*" tystr
+      else tystr
+    in
+    let need_strlen =
+      is_str_or_wstr_ptr (ptype, decl) && is_in_or_inout_ptr (ptype, decl)
+    in
+    let id = decl.identifier in
+    [
+      [ tystr ^ " " ^ id ^ ";" ];
+      (if need_strlen then [ sprintf "size_t %s_len;" id ] else []);
+    ]
+    |> List.flatten
+  in
+  let struct_name = fd.fname ^ "_args_t" in
+  let retval_decl = { identifier = "_retval"; array_dims = [] } in
+  let members =
+    [
+      [ "oe_result_t _result;" ];
+      ( if fd.rtype = Void then []
+      else get_member_decl (PTVal fd.rtype, retval_decl) );
+      (if errno then [ "int _ocall_errno;" ] else []);
+      flatten_map get_member_decl (List.map conv_array_to_ptr fd.plist);
+    ]
+    |> List.flatten
+  in
+  [
+    "typedef struct _" ^ struct_name;
+    "{";
+    "    " ^ String.concat "\n    " members;
+    "} " ^ struct_name ^ ";";
+    "";
+  ]
 
 (* Generate [args.h] which contains [struct]s for ecalls and ocalls *)
 let generate_args (ec : enclave_content) =
   let tfs = ec.tfunc_decls in
   let ufs = ec.ufunc_decls in
-  (* Emit IDs in enum for trusted functions. *)
-  let emit_trusted_function_ids =
+  let trusted_function_ids =
     [
       "enum";
       "{";
@@ -87,8 +125,7 @@ let generate_args (ec : enclave_content) =
       "};";
     ]
   in
-  (* Emit IDs in enum for untrusted functions. *)
-  let emit_untrusted_function_ids =
+  let untrusted_function_ids =
     [
       "enum";
       "{";
@@ -100,69 +137,36 @@ let generate_args (ec : enclave_content) =
       "};";
     ]
   in
-  let oe_gen_marshal_struct (fd : func_decl) (errno : bool) =
-    let gen_member_decl (ptype, decl) =
-      let aty = get_param_atype ptype in
-      let tystr = get_tystr aty in
-      let tystr =
-        if is_foreign_array ptype then
-          sprintf "/* foreign array of type %s */ void*" tystr
-        else tystr
-      in
-      let need_strlen =
-        is_str_or_wstr_ptr (ptype, decl) && is_in_or_inout_ptr (ptype, decl)
-      in
-      let id = decl.identifier in
-      [
-        [ tystr ^ " " ^ id ^ ";" ];
-        (if need_strlen then [ sprintf "size_t %s_len;" id ] else []);
-      ]
-      |> List.flatten
-    in
-    let struct_name = fd.fname ^ "_args_t" in
-    let retval_decl = { identifier = "_retval"; array_dims = [] } in
-    let members =
-      [
-        [ "oe_result_t _result;" ];
-        ( if fd.rtype = Void then []
-        else gen_member_decl (PTVal fd.rtype, retval_decl) );
-        (if errno then [ "int _ocall_errno;" ] else []);
-        flatten_map gen_member_decl (List.map conv_array_to_ptr fd.plist);
-      ]
-      |> List.flatten
-    in
-    [
-      "typedef struct _" ^ struct_name;
-      "{";
-      "    " ^ String.concat "\n    " members;
-      "} " ^ struct_name ^ ";";
-      "";
-    ]
+  let guard_macro =
+    "EDGER8R_" ^ String.uppercase_ascii ec.enclave_name ^ "_ARGS_H"
+  in
+  let include_errno =
+    let s = "#include <errno.h>" in
+    if List.exists (fun uf -> uf.uf_propagate_errno) ufs then s
+    else sprintf "/* %s - Errno propagation not enabled so not included. */" s
   in
-  let oe_gen_user_includes (includes : string list) =
+  let user_includes =
+    let includes = ec.include_list in
     if includes <> [] then List.map (sprintf "#include \"%s\"") includes
     else [ "/* There were no user includes. */" ]
   in
-  let oe_gen_user_types (cts : composite_type list) =
-    if cts <> [] then flatten_map emit_composite_type cts
+  let user_types =
+    let cts = ec.comp_defs in
+    if cts <> [] then flatten_map get_composite_type cts
     else [ "/* There were no user defined types. */"; "" ]
   in
-  let oe_gen_ecall_marshal_structs =
+  let ecall_marshal_structs =
     if tfs <> [] then
-      flatten_map (fun tf -> oe_gen_marshal_struct tf.tf_fdecl false) tfs
+      flatten_map (fun tf -> get_marshal_struct tf.tf_fdecl false) tfs
     else [ "/* There were no ecalls. */"; "" ]
   in
-  let oe_gen_ocall_marshal_structs =
+  let ocall_marshal_structs =
     if ufs <> [] then
       flatten_map
-        (fun uf -> oe_gen_marshal_struct uf.uf_fdecl uf.uf_propagate_errno)
+        (fun uf -> get_marshal_struct uf.uf_fdecl uf.uf_propagate_errno)
         ufs
     else [ "/* There were no ocalls. */"; "" ]
   in
-  let with_errno = List.exists (fun uf -> uf.uf_propagate_errno) ufs in
-  let guard_macro =
-    "EDGER8R_" ^ String.uppercase_ascii ec.enclave_name ^ "_ARGS_H"
-  in
   [
     "#ifndef " ^ guard_macro;
     "#define " ^ guard_macro;
@@ -170,49 +174,47 @@ let generate_args (ec : enclave_content) =
     "#include <stdint.h>";
     "#include <stdlib.h> /* for wchar_t */";
     "";
-    (let s = "#include <errno.h>" in
-     if with_errno then s
-     else sprintf "/* %s - Errno propagation not enabled so not included. */" s);
+    include_errno;
     "";
     "#include <openenclave/bits/result.h>";
     "";
     "/**** User includes. ****/";
-    String.concat "\n" (oe_gen_user_includes ec.include_list);
+    String.concat "\n" user_includes;
     "";
     "/**** User defined types in EDL. ****/";
-    String.concat "\n" (oe_gen_user_types ec.comp_defs);
+    String.concat "\n" user_types;
     "/**** ECALL marshalling structs. ****/";
-    String.concat "\n" oe_gen_ecall_marshal_structs;
+    String.concat "\n" ecall_marshal_structs;
     "/**** OCALL marshalling structs. ****/";
-    String.concat "\n" oe_gen_ocall_marshal_structs;
+    String.concat "\n" ocall_marshal_structs;
     "/**** Trusted function IDs ****/";
-    String.concat "\n" emit_trusted_function_ids;
+    String.concat "\n" trusted_function_ids;
     "";
     "/**** Untrusted function IDs. ****/";
-    String.concat "\n" emit_untrusted_function_ids;
+    String.concat "\n" untrusted_function_ids;
     "";
     "#endif // " ^ guard_macro;
     "";
   ]
 
 (* Includes are emitted in [args.h]. Imported functions have already
-     been brought into function lists. *)
-let generate_trusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
-  let tfs = ec.tfunc_decls in
-  let ufs = ec.ufunc_decls in
-  let oe_gen_tfunc_prototypes =
+   been brought into function lists. *)
+let generate_trusted (ec : enclave_content) =
+  let guard = "EDGER8R_" ^ String.uppercase_ascii ec.file_shortnm ^ "_T_H" in
+  let tfunc_prototypes =
+    let tfs = ec.tfunc_decls in
     if tfs <> [] then
-      List.map (fun f -> sprintf "%s;" (oe_gen_prototype f.tf_fdecl)) tfs
+      List.map (fun f -> sprintf "%s;" (get_function_prototype f.tf_fdecl)) tfs
     else [ "/* There were no ecalls. */" ]
   in
-  let oe_gen_ufunc_wrapper_prototypes =
+  let ufunc_wrapper_prototypes =
+    let ufs = ec.ufunc_decls in
     if ufs <> [] then
       List.map
-        (fun f -> sprintf "%s;" (oe_gen_wrapper_prototype f.uf_fdecl false))
+        (fun f -> sprintf "%s;" (get_wrapper_prototype f.uf_fdecl false))
         ufs
     else [ "/* There were no ocalls. */" ]
   in
-  let guard = "EDGER8R_" ^ String.uppercase_ascii ec.file_shortnm ^ "_T_H" in
   [
     "#ifndef " ^ guard;
     "#define " ^ guard;
@@ -224,10 +226,10 @@ let generate_trusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
     "OE_EXTERNC_BEGIN";
     "";
     "/**** ECALL prototypes. ****/";
-    String.concat "\n\n" oe_gen_tfunc_prototypes;
+    String.concat "\n\n" tfunc_prototypes;
     "";
     "/**** OCALL prototypes. ****/";
-    String.concat "\n\n" oe_gen_ufunc_wrapper_prototypes;
+    String.concat "\n\n" ufunc_wrapper_prototypes;
     "";
     "OE_EXTERNC_END";
     "";
@@ -235,19 +237,20 @@ let generate_trusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
     "";
   ]
 
-let generate_untrusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
-  let tfs = ec.tfunc_decls in
-  let ufs = ec.ufunc_decls in
-  let oe_gen_tfunc_wrapper_prototypes =
+let generate_untrusted (ec : enclave_content) =
+  let guard = "EDGER8R_" ^ String.uppercase_ascii ec.file_shortnm ^ "_U_H" in
+  let tfunc_wrapper_prototypes =
+    let tfs = ec.tfunc_decls in
     if tfs <> [] then
-      List.map (fun f -> oe_gen_wrapper_prototype f.tf_fdecl true ^ ";") tfs
+      List.map (fun f -> get_wrapper_prototype f.tf_fdecl true ^ ";") tfs
     else [ "/* There were no ecalls. */" ]
   in
-  let oe_gen_ufunc_prototypes =
-    if ufs <> [] then List.map (fun f -> oe_gen_prototype f.uf_fdecl ^ ";") ufs
+  let ufunc_prototypes =
+    let ufs = ec.ufunc_decls in
+    if ufs <> [] then
+      List.map (fun f -> get_function_prototype f.uf_fdecl ^ ";") ufs
     else [ "/* There were no ocalls. */" ]
   in
-  let guard = "EDGER8R_" ^ String.uppercase_ascii ec.file_shortnm ^ "_U_H" in
   [
     "#ifndef " ^ guard;
     "#define " ^ guard;
@@ -267,10 +270,10 @@ let generate_untrusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
     "    oe_enclave_t** enclave);";
     "";
     "/**** ECALL prototypes. ****/";
-    String.concat "\n\n" oe_gen_tfunc_wrapper_prototypes;
+    String.concat "\n\n" tfunc_wrapper_prototypes;
     "";
     "/**** OCALL prototypes. ****/";
-    String.concat "\n\n" oe_gen_ufunc_prototypes;
+    String.concat "\n\n" ufunc_prototypes;
     "";
     "OE_EXTERNC_END";
     "";
diff --git a/tools/oeedger8r/src/Sources.ml b/tools/oeedger8r/src/Sources.ml
index 4e92f37552..d0321b27b1 100644
--- a/tools/oeedger8r/src/Sources.ml
+++ b/tools/oeedger8r/src/Sources.ml
@@ -558,7 +558,7 @@ let oe_gen_enclave_ocall_wrapper (uf : untrusted_func) =
         "oe_free_ocall_buffer" )
   in
   [
-    oe_gen_wrapper_prototype fd false;
+    get_wrapper_prototype fd false;
     "{";
     "    oe_result_t _result = OE_FAILURE;";
     "";
@@ -688,7 +688,7 @@ let oe_gen_host_ecall_wrapper (tf : trusted_func) =
     else "oe_call_enclave_function"
   in
   [
-    oe_gen_wrapper_prototype fd true;
+    get_wrapper_prototype fd true;
     "{";
     "    oe_result_t _result = OE_FAILURE;";
     "";

From c1c07fd80e16cdf337667fbb464d84132f5663ac Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Mon, 25 Nov 2019 23:58:44 +0000
Subject: [PATCH 339/420] Clean up and fix names in `Sources.ml`

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/src/Sources.ml | 471 +++++++++++++++++----------------
 1 file changed, 241 insertions(+), 230 deletions(-)

diff --git a/tools/oeedger8r/src/Sources.ml b/tools/oeedger8r/src/Sources.ml
index d0321b27b1..ea96067079 100644
--- a/tools/oeedger8r/src/Sources.ml
+++ b/tools/oeedger8r/src/Sources.ml
@@ -30,53 +30,22 @@ let _ec : Intel.Ast.enclave_content ref =
  *       experimental = "";
  *     } *)
 
-(** Generate a cast expression to a specific pointer type. For example,
-    [int*] needs to be cast to
-    {[
-      *(int ( * )[5][6])
-    ]}. *)
-let get_cast_from_mem_expr (ptype, decl) =
-  match ptype with
-  | PTVal _ -> ""
-  | PTPtr (t, attr) ->
-      if is_array decl then
-        sprintf "*(%s(*)%s)" (get_tystr t) (get_array_dims decl.array_dims)
-      else if is_foreign_array ptype then
-        sprintf "/* foreign array */ *(%s*)" (get_tystr t)
-      else if attr.pa_rdonly then
-        (* for ptrs, only constness is removed; add it back *)
-        sprintf "(const %s)" (get_tystr t)
-      else ""
-
-let oe_gen_call_user_function (fd : func_decl) =
-  [
-    "/* Call user function. */";
-    (match fd.rtype with Void -> "" | _ -> "pargs_out->_retval = ")
-    ^ fd.fname ^ "(";
-    String.concat ",\n    "
-      (List.map
-         (fun (ptype, decl) ->
-           let cast_expr = get_cast_from_mem_expr (ptype, decl) in
-           sprintf "    %spargs_in->%s" cast_expr decl.identifier)
-         fd.plist)
-    ^ ");";
-  ]
-
-(* Given [name], return the corresponding [StructDef], or [None]. *)
-let get_struct_by_name name =
+(** Given [name], return the corresponding [StructDef], or [None]. *)
+let get_struct_by_name (name : string) =
   (* [ec.comp_defs] is a list of all composite types, but we're only
-       interested in the structs, so we filter out the rest and unwrap
-       them from [composite_type]. *)
+     interested in the structs, so we filter out the rest and unwrap
+     them from [composite_type]. *)
   let structs =
+    (* TODO: Pass [comp_defs] instead of needing [ec]. *)
     filter_map (function StructDef s -> Some s | _ -> None) !_ec.comp_defs
   in
   List.find_opt (fun s -> s.sname = name) structs
 
-(* We need to check [Ptr]s for [Foreign] or [Struct] types, then
-     check those against the user's [Struct]s, and then check if any
-     members should be deep copied. What we return is the list of
-     members of the [Struct] which should be deep-copied, otherwise we
-     return an empty list. *)
+(** We need to check [Ptr]s for [Foreign] or [Struct] types, then
+    check those against the user's [Struct]s, and then check if any
+    members should be deep copied. What we return is the list of
+    members of the [Struct] which should be deep-copied, otherwise we
+    return an empty list. *)
 let get_deepcopy_members (a : atype) =
   let should_deepcopy_a = function
     | Ptr (Struct n) | Ptr (Foreign n) -> get_struct_by_name n
@@ -113,7 +82,9 @@ let get_cast_to_mem_expr (ptype, decl) (parens : bool) =
       else if parens then sprintf "(%s)" tystr
       else tystr
 
-let rec oe_gen_set_pointers args count setter (ptype, decl) =
+(** Recursively generates [if (a && a->b) OE_SET_PTR(a->b->c);]
+    statements. *)
+let rec get_ptr_setter args count setter (ptype, decl) =
   let argstruct = oe_get_argstruct "pargs_in->" args count in
   let size = oe_get_param_size (ptype, decl, argstruct) in
   let arg =
@@ -132,12 +103,13 @@ let rec oe_gen_set_pointers args count setter (ptype, decl) =
         [ sprintf "    OE_%s_POINTER(%s, %s, %s);" setter arg size tystr ];
         (let param_count = oe_get_param_count (ptype, decl, argstruct) in
          flatten_map
-           (oe_gen_set_pointers (arg :: args) param_count setter)
+           (get_ptr_setter (arg :: args) param_count setter)
            (get_deepcopy_members (get_param_atype ptype)));
       ]
     |> List.flatten )
 
-let oe_gen_in_and_inout_setters (plist : pdecl list) =
+(** Generates pointer setters for in and in-out pointers. *)
+let get_in_ptr_setter (plist : pdecl list) =
   let params =
     let ptrs = List.filter is_in_or_inout_ptr plist in
     let setters =
@@ -145,7 +117,7 @@ let oe_gen_in_and_inout_setters (plist : pdecl list) =
         (fun (p, _) -> if is_in_ptr p then "SET_IN" else "SET_IN_OUT")
         ptrs
     in
-    flatten_map2 (oe_gen_set_pointers [] "1") setters ptrs
+    flatten_map2 (get_ptr_setter [] "1") setters ptrs
   in
   "    "
   ^ String.concat "\n    "
@@ -155,7 +127,8 @@ let oe_gen_in_and_inout_setters (plist : pdecl list) =
         else "/* There were no in nor in-out parameters. */" );
       ]
 
-let oe_gen_out_and_inout_setters (plist : pdecl list) =
+(** Generates pointer setters for out and in-out pointers. *)
+let get_out_ptr_setter (plist : pdecl list) =
   let params =
     let ptrs = List.filter is_out_or_inout_ptr plist in
     let setters =
@@ -164,7 +137,7 @@ let oe_gen_out_and_inout_setters (plist : pdecl list) =
           if is_out_ptr p then "SET_OUT" else "COPY_AND_SET_IN_OUT")
         ptrs
     in
-    flatten_map2 (oe_gen_set_pointers [] "1") setters ptrs
+    flatten_map2 (get_ptr_setter [] "1") setters ptrs
   in
   "    "
   ^ String.concat "\n    "
@@ -175,85 +148,11 @@ let oe_gen_out_and_inout_setters (plist : pdecl list) =
         else "/* There were no out nor in-out parameters. */" );
       ]
 
-(* Generate ecall function. *)
-let oe_gen_ecall_function (tf : trusted_func) =
-  let fd = tf.tf_fdecl in
-  [
-    sprintf "void ecall_%s(" fd.fname;
-    "    uint8_t* input_buffer,";
-    "    size_t input_buffer_size,";
-    "    uint8_t* output_buffer,";
-    "    size_t output_buffer_size,";
-    "    size_t* output_bytes_written)";
-    "{";
-    (* Variable declarations *)
-    "    oe_result_t _result = OE_FAILURE;";
-    "";
-    "    /* Prepare parameters. */";
-    sprintf "    %s_args_t* pargs_in = (%s_args_t*)input_buffer;" fd.fname
-      fd.fname;
-    sprintf "    %s_args_t* pargs_out = (%s_args_t*)output_buffer;" fd.fname
-      fd.fname;
-    "";
-    "    size_t input_buffer_offset = 0;";
-    "    size_t output_buffer_offset = 0;";
-    "    OE_ADD_SIZE(input_buffer_offset, sizeof(*pargs_in));";
-    "    OE_ADD_SIZE(output_buffer_offset, sizeof(*pargs_out));";
-    "";
-    (* Buffer validation *)
-    "    /* Make sure input and output buffers lie within the enclave. */";
-    "    if (!input_buffer || !oe_is_within_enclave(input_buffer, \
-     input_buffer_size))";
-    "        goto done;";
-    "";
-    "    if (!output_buffer || !oe_is_within_enclave(output_buffer, \
-     output_buffer_size))";
-    "        goto done;";
-    "";
-    (* Prepare in and in-out parameters *)
-    oe_gen_in_and_inout_setters fd.plist;
-    "";
-    (* Prepare out and in-out parameters. The in-out parameter is
-         copied to output buffer. *)
-    oe_gen_out_and_inout_setters fd.plist;
-    "";
-    "    /* Check that in/in-out strings are null terminated. */"
-    (* NOTE: We do not support deep copy for strings, so there is not
-         (yet) anything to do here. *);
-    (let params =
-       List.map
-         (fun (ptype, decl) ->
-           sprintf
-             "    OE_CHECK_NULL_TERMINATOR%s(pargs_in->%s, pargs_in->%s_len);"
-             (if is_wstr_ptr ptype then "_WIDE" else "")
-             decl.identifier decl.identifier)
-         (List.filter
-            (fun p -> is_str_or_wstr_ptr p && is_in_or_inout_ptr p)
-            fd.plist)
-     in
-     if params <> [] then String.concat "\n" params
-     else "    /* There were no in nor in-out string parameters. */");
-    "";
-    "    /* lfence after checks. */";
-    "    oe_lfence();";
-    "";
-    (* Call the enclave function *)
-    "    " ^ String.concat "\n    " (oe_gen_call_user_function fd);
-    "";
-    (* Mark call as success *)
-    "    /* Success. */";
-    "    _result = OE_OK;";
-    "    *output_bytes_written = output_buffer_offset;";
-    "";
-    "done:";
-    "    if (pargs_out && output_buffer_size >= sizeof(*pargs_out))";
-    "        pargs_out->_result = _result;";
-    "}";
-    "";
-  ]
-
-let rec gen_ptr_count args count (ptype, decl) =
-  let gen_times count body =
+(** Generates an expression representing the total number of pointers
+    we need to save and restore, used as the size for the pointer
+    array. *)
+let rec get_ptr_count args count (ptype, decl) =
+  let get_multiplication_expr count body =
     (* The first two conditionals check for the multiplicative identity
        and prevent unnecessary expressions from being generated.
        Otherwise we multiply the sum of [body] by [count]. *)
@@ -263,9 +162,9 @@ let rec gen_ptr_count args count (ptype, decl) =
   in
   let id = decl.identifier in
   (* TODO: The use of [gen_c_deref] does not work here as we are not
-       within a [gen_c_for] loop when producing the count. Therefore
-       arrays of structs which use members for the count of another
-       nested parameter are not yet supported. *)
+     within a [gen_c_for] loop when producing the count. Therefore
+     arrays of structs which use members for the count of another
+     nested parameter are not yet supported. *)
   let argstruct = oe_get_argstruct "" args count in
   let arg =
     match args with
@@ -275,28 +174,28 @@ let rec gen_ptr_count args count (ptype, decl) =
   let param_count = oe_get_param_count (ptype, decl, argstruct) in
   let members = get_deepcopy_members (get_param_atype ptype) in
   if is_marshalled_ptr ptype then
-    (* The base case is a marshalled pointer. We count 1 for every
-         one of these, except for the top-level pointers as they are
-         the original function arguments, and so do not need to be
-         saved/restored.
+    (* The base case is a marshalled pointer. We count 1 for every one
+       of these, except for the top-level pointers as they are the
+       original function arguments, and so do not need to be
+       saved/restored.
 
-         For a marshalled pointer, we then need to recurse. If there
-         are no members to recurse on, then [members] is the empty
-         list and the recursion is a no-op, leaving us back at the
-         base case of counting 1. If there are members to recurse on,
-         then we count 1 plus the current [param_count] times the
-         number of members for each nested structure. *)
+       For a marshalled pointer, we then need to recurse. If there are
+       no members to recurse on, then [members] is the empty list and
+       the recursion is a no-op, leaving us back at the base case of
+       counting 1. If there are members to recurse on, then we count 1
+       plus the current [param_count] times the number of members for
+       each nested structure. *)
     (if args <> [] then [ "1" ] else [])
-    @ gen_times param_count
-        (flatten_map (gen_ptr_count (arg :: args) param_count) members)
+    @ get_multiplication_expr param_count
+        (flatten_map (get_ptr_count (arg :: args) param_count) members)
   else []
 
-let gen_ptr_array (plist : pdecl list) =
+(** Generates the array used to save the original pointers. *)
+let get_ptr_array (plist : pdecl list) =
   let count =
-    flatten_map (gen_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
+    flatten_map (get_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
   in
   if count <> [] then
-    (* TODO: Switch to malloc() to handle variable lengths. *)
     [
       "size_t _ptrs_index = 0;";
       sprintf "void** _ptrs = malloc(sizeof(void*) * (%s));"
@@ -309,11 +208,26 @@ let gen_ptr_array (plist : pdecl list) =
     ]
   else [ "/* No pointers to save for deep copy. */" ]
 
-let gen_fill_marshal_struct (fd : func_decl) =
+(** Generates expression to reset the index into the pointer array. *)
+let get_ptr_index_reset (plist : pdecl list) =
+  let count =
+    flatten_map (get_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
+  in
+  if count <> [] then "_ptrs_index = 0; /* For deep copy. */"
+  else "/* No pointers to restore for deep copy. */"
+
+let get_ptr_free_expr (plist : pdecl list) =
+  let count =
+    flatten_map (get_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
+  in
+  if count <> [] then [ "if (_ptrs)"; "    free(_ptrs);" ]
+  else [ "/* No `_ptrs` to free for deep copy. */" ]
+
+let get_filled_marshal_struct (fd : func_decl) =
   (* Generate assignment argument to corresponding field in args. This
-       is necessary for all arguments, not just copy-as-value, because
-       they are used directly by later marshalling code. *)
-  let gen_assignment (ptype, decl) =
+     is necessary for all arguments, not just copy-as-value, because
+     they are used directly by later marshalling code. *)
+  let get_assignment_to_args (ptype, decl) =
     let arg = decl.identifier in
     [
       [
@@ -330,9 +244,9 @@ let gen_fill_marshal_struct (fd : func_decl) =
     ]
     |> List.flatten
   in
-  flatten_map gen_assignment fd.plist
+  flatten_map get_assignment_to_args fd.plist
   @
-  let rec gen_save_ptrs args count (ptype, decl) =
+  let rec get_saved_ptrs args count (ptype, decl) =
     let id = decl.identifier in
     let argstruct = oe_get_argstruct "_args." args count in
     let arg =
@@ -350,17 +264,17 @@ let gen_fill_marshal_struct (fd : func_decl) =
           else [] );
           (let param_count = oe_get_param_count (ptype, decl, argstruct) in
            flatten_map
-             (gen_save_ptrs (arg :: args) param_count)
+             (get_saved_ptrs (arg :: args) param_count)
              (get_deepcopy_members (get_param_atype ptype)));
         ]
       |> List.flatten )
   in
-  flatten_map (gen_save_ptrs [] "1") (List.filter is_out_or_inout_ptr fd.plist)
+  flatten_map (get_saved_ptrs [] "1") (List.filter is_out_or_inout_ptr fd.plist)
 
 (* Prepare [input_buffer]. *)
-let oe_prepare_input_buffer (fd : func_decl) (alloc_func : string) =
-  let oe_compute_buffer_size buffer predicate plist =
-    let rec gen_add_size args count (ptype, decl) =
+let get_input_buffer (fd : func_decl) (alloc_func : string) =
+  let get_buffer_size buffer predicate plist =
+    let rec get_add_size_expr args count (ptype, decl) =
       let argstruct = oe_get_argstruct "_args." args count in
       let size = oe_get_param_size (ptype, decl, argstruct) in
       let arg =
@@ -374,27 +288,27 @@ let oe_prepare_input_buffer (fd : func_decl) (alloc_func : string) =
             [ sprintf "    OE_ADD_SIZE(%s, %s);" buffer size ];
             (let param_count = oe_get_param_count (ptype, decl, argstruct) in
              flatten_map
-               (gen_add_size (arg :: args) param_count)
+               (get_add_size_expr (arg :: args) param_count)
                (get_deepcopy_members (get_param_atype ptype)));
           ]
         |> List.flatten )
     in
     let params =
-      flatten_map (gen_add_size [] "1") (List.filter predicate plist)
+      flatten_map (get_add_size_expr [] "1") (List.filter predicate plist)
     in
     (* Note that the indentation for the first line is applied by the
          parent function. *)
     if params <> [] then String.concat "\n    " params
     else "/* There were no corresponding parameters. */"
   in
-  let oe_compute_input_buffer_size =
-    oe_compute_buffer_size "_input_buffer_size" is_in_or_inout_ptr
+  let get_input_buffer_size =
+    get_buffer_size "_input_buffer_size" is_in_or_inout_ptr
   in
-  let oe_compute_output_buffer_size =
-    oe_compute_buffer_size "_output_buffer_size" is_out_or_inout_ptr
+  let get_output_buffer_size =
+    get_buffer_size "_output_buffer_size" is_out_or_inout_ptr
   in
-  let oe_serialize_buffer_inputs (plist : pdecl list) =
-    let rec gen_serialize args count (ptype, decl) =
+  let get_serialized_buffer_inputs (plist : pdecl list) =
+    let rec get_serializer args count (ptype, decl) =
       let argstruct = oe_get_argstruct "_args." args count in
       let size = oe_get_param_size (ptype, decl, argstruct) in
       let arg =
@@ -412,20 +326,20 @@ let oe_prepare_input_buffer (fd : func_decl) (alloc_func : string) =
             ];
             [
               (* NOTE: The [WRITE_IN_OUT] macro is defined to be the
-                   [WRITE_IN] macro. *)
+                 [WRITE_IN] macro. *)
               sprintf "    OE_WRITE_%s_PARAM(%s, %s, %s);"
                 (if is_in_ptr ptype then "IN" else "IN_OUT")
                 arg size tystr;
             ];
             (let param_count = oe_get_param_count (ptype, decl, argstruct) in
              flatten_map
-               (gen_serialize (arg :: args) param_count)
+               (get_serializer (arg :: args) param_count)
                (get_deepcopy_members (get_param_atype ptype)));
           ]
         |> List.flatten )
     in
     let params =
-      flatten_map (gen_serialize [] "1") (List.filter is_in_or_inout_ptr plist)
+      flatten_map (get_serializer [] "1") (List.filter is_in_or_inout_ptr plist)
     in
     (* Note that the indentation for the first line is applied by the
          parent function. *)
@@ -435,11 +349,11 @@ let oe_prepare_input_buffer (fd : func_decl) (alloc_func : string) =
   [
     "/* Compute input buffer size. Include in and in-out parameters. */";
     sprintf "OE_ADD_SIZE(_input_buffer_size, sizeof(%s_args_t));" fd.fname;
-    oe_compute_input_buffer_size fd.plist;
+    get_input_buffer_size fd.plist;
     "";
     "/* Compute output buffer size. Include out and in-out parameters. */";
     sprintf "OE_ADD_SIZE(_output_buffer_size, sizeof(%s_args_t));" fd.fname;
-    oe_compute_output_buffer_size fd.plist;
+    get_output_buffer_size fd.plist;
     "";
     "/* Allocate marshalling buffer. */";
     "_total_buffer_size = _input_buffer_size;";
@@ -456,22 +370,15 @@ let oe_prepare_input_buffer (fd : func_decl) (alloc_func : string) =
     "/* Serialize buffer inputs (in and in-out parameters). */";
     sprintf "_pargs_in = (%s_args_t*)_input_buffer;" fd.fname;
     "OE_ADD_SIZE(_input_buffer_offset, sizeof(*_pargs_in));";
-    oe_serialize_buffer_inputs fd.plist;
+    get_serialized_buffer_inputs fd.plist;
     "";
     "/* Copy args structure (now filled) to input buffer. */";
     "memcpy(_pargs_in, &_args, sizeof(*_pargs_in));";
   ]
 
-let gen_reset_ptr_index (plist : pdecl list) =
-  let count =
-    flatten_map (gen_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
-  in
-  if count <> [] then "_ptrs_index = 0; /* For deep copy. */"
-  else "/* No pointers to restore for deep copy. */"
-
-let oe_process_output_buffer (fd : func_decl) =
-  let oe_serialize_buffer_outputs (plist : pdecl list) =
-    let rec gen_serialize args count (ptype, decl) =
+let get_output_buffer (fd : func_decl) =
+  let get_serialized_buffer_outputs (plist : pdecl list) =
+    let rec get_serializer args count (ptype, decl) =
       let argstruct = oe_get_argstruct "_args." args count in
       let size = oe_get_param_size (ptype, decl, argstruct) in
       let arg =
@@ -509,13 +416,14 @@ let oe_process_output_buffer (fd : func_decl) =
                  ]);
             (let param_count = oe_get_param_count (ptype, decl, argstruct) in
              flatten_map
-               (gen_serialize (arg :: args) param_count)
+               (get_serializer (arg :: args) param_count)
                (get_deepcopy_members (get_param_atype ptype)));
           ]
         |> List.flatten )
     in
     let params =
-      flatten_map (gen_serialize [] "1") (List.filter is_out_or_inout_ptr plist)
+      flatten_map (get_serializer [] "1")
+        (List.filter is_out_or_inout_ptr plist)
     in
     if params <> [] then String.concat "\n    " params
     else "/* There were no out nor in-out parameters. */"
@@ -540,12 +448,122 @@ let oe_process_output_buffer (fd : func_decl) =
     "/* Unmarshal return value and out, in-out parameters. */";
     ( if fd.rtype <> Void then "*_retval = _pargs_out->_retval;"
     else "/* No return value. */" );
-    gen_reset_ptr_index fd.plist;
-    oe_serialize_buffer_outputs fd.plist;
+    get_ptr_index_reset fd.plist;
+    get_serialized_buffer_outputs fd.plist;
+  ]
+
+(** Generate a cast expression to a specific pointer type. For example,
+    [int*] needs to be cast to
+    {[
+      *(int ( * )[5][6])
+    ]}. *)
+let get_cast_from_mem_expr (ptype, decl) =
+  match ptype with
+  | PTVal _ -> ""
+  | PTPtr (t, attr) ->
+      if is_array decl then
+        sprintf "*(%s(*)%s)" (get_tystr t) (get_array_dims decl.array_dims)
+      else if is_foreign_array ptype then
+        sprintf "/* foreign array */ *(%s*)" (get_tystr t)
+      else if attr.pa_rdonly then
+        (* for ptrs, only constness is removed; add it back *)
+        sprintf "(const %s)" (get_tystr t)
+      else ""
+
+(** Generate an expression to call the user function [fd]. *)
+let get_call_user_function (fd : func_decl) =
+  [
+    "/* Call user function. */";
+    (match fd.rtype with Void -> "" | _ -> "pargs_out->_retval = ")
+    ^ fd.fname ^ "(";
+    String.concat ",\n    "
+      (List.map
+         (fun (ptype, decl) ->
+           let cast_expr = get_cast_from_mem_expr (ptype, decl) in
+           sprintf "    %spargs_in->%s" cast_expr decl.identifier)
+         fd.plist)
+    ^ ");";
+  ]
+
+(** Generate ecall function definition. *)
+let get_ecall_function (tf : trusted_func) =
+  let fd = tf.tf_fdecl in
+  [
+    sprintf "void ecall_%s(" fd.fname;
+    "    uint8_t* input_buffer,";
+    "    size_t input_buffer_size,";
+    "    uint8_t* output_buffer,";
+    "    size_t output_buffer_size,";
+    "    size_t* output_bytes_written)";
+    "{";
+    (* Variable declarations *)
+    "    oe_result_t _result = OE_FAILURE;";
+    "";
+    "    /* Prepare parameters. */";
+    sprintf "    %s_args_t* pargs_in = (%s_args_t*)input_buffer;" fd.fname
+      fd.fname;
+    sprintf "    %s_args_t* pargs_out = (%s_args_t*)output_buffer;" fd.fname
+      fd.fname;
+    "";
+    "    size_t input_buffer_offset = 0;";
+    "    size_t output_buffer_offset = 0;";
+    "    OE_ADD_SIZE(input_buffer_offset, sizeof(*pargs_in));";
+    "    OE_ADD_SIZE(output_buffer_offset, sizeof(*pargs_out));";
+    "";
+    (* Buffer validation *)
+    "    /* Make sure input and output buffers lie within the enclave. */";
+    "    if (!input_buffer || !oe_is_within_enclave(input_buffer, \
+     input_buffer_size))";
+    "        goto done;";
+    "";
+    "    if (!output_buffer || !oe_is_within_enclave(output_buffer, \
+     output_buffer_size))";
+    "        goto done;";
+    "";
+    (* Prepare in and in-out parameters *)
+    get_in_ptr_setter fd.plist;
+    "";
+    (* Prepare out and in-out parameters. The in-out parameter is
+         copied to output buffer. *)
+    get_out_ptr_setter fd.plist;
+    "";
+    "    /* Check that in/in-out strings are null terminated. */"
+    (* NOTE: We do not support deep copy for strings, so there is not
+         (yet) anything to do here. *);
+    (let params =
+       List.map
+         (fun (ptype, decl) ->
+           sprintf
+             "    OE_CHECK_NULL_TERMINATOR%s(pargs_in->%s, pargs_in->%s_len);"
+             (if is_wstr_ptr ptype then "_WIDE" else "")
+             decl.identifier decl.identifier)
+         (List.filter
+            (fun p -> is_str_or_wstr_ptr p && is_in_or_inout_ptr p)
+            fd.plist)
+     in
+     if params <> [] then String.concat "\n" params
+     else "    /* There were no in nor in-out string parameters. */");
+    "";
+    "    /* lfence after checks. */";
+    "    oe_lfence();";
+    "";
+    (* Call the enclave function *)
+    "    " ^ String.concat "\n    " (get_call_user_function fd);
+    "";
+    (* Mark call as success *)
+    "    /* Success. */";
+    "    _result = OE_OK;";
+    "    *output_bytes_written = output_buffer_offset;";
+    "";
+    "done:";
+    "    if (pargs_out && output_buffer_size >= sizeof(*pargs_out))";
+    "        pargs_out->_result = _result;";
+    "}";
+    "";
   ]
 
-(* Generate enclave OCALL wrapper function. *)
-let oe_gen_enclave_ocall_wrapper (uf : untrusted_func) =
+(** Generate enclave OCALL wrapper function. *)
+let get_ocall_function_wrapper (uf : untrusted_func) =
   let fd = uf.uf_fdecl in
   let allocate_buffer, call_function, free_buffer =
     if uf.uf_is_switchless then
@@ -570,7 +588,7 @@ let oe_gen_enclave_ocall_wrapper (uf : untrusted_func) =
     "    /* Marshalling struct. */";
     sprintf "    %s_args_t _args, *_pargs_in = NULL, *_pargs_out = NULL;"
       fd.fname;
-    "    " ^ String.concat "\n    " (gen_ptr_array fd.plist);
+    "    " ^ String.concat "\n    " (get_ptr_array fd.plist);
     "";
     "    /* Marshalling buffer and sizes. */";
     "    size_t _input_buffer_size = 0;";
@@ -585,10 +603,9 @@ let oe_gen_enclave_ocall_wrapper (uf : untrusted_func) =
     "";
     "    /* Fill marshalling struct. */";
     "    memset(&_args, 0, sizeof(_args));";
-    "    " ^ String.concat "\n    " (gen_fill_marshal_struct fd);
+    "    " ^ String.concat "\n    " (get_filled_marshal_struct fd);
     "";
-    "    "
-    ^ String.concat "\n    " (oe_prepare_input_buffer fd allocate_buffer);
+    "    " ^ String.concat "\n    " (get_input_buffer fd allocate_buffer);
     "";
     "    /* Call host function. */";
     "    if ((_result = " ^ call_function ^ "(";
@@ -604,7 +621,7 @@ let oe_gen_enclave_ocall_wrapper (uf : untrusted_func) =
         ];
     "        goto done;";
     "";
-    "    " ^ String.concat "\n    " (oe_process_output_buffer fd);
+    "    " ^ String.concat "\n    " (get_output_buffer fd);
     "";
     "    /* Retrieve propagated errno from OCALL. */";
     ( if uf.uf_propagate_errno then "    errno = _pargs_out->_ocall_errno;\n"
@@ -624,11 +641,11 @@ let generate_trusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
   _ec := ec;
   let tfs = ec.tfunc_decls in
   let ufs = ec.ufunc_decls in
-  let oe_gen_ecall_functions =
-    if tfs <> [] then flatten_map oe_gen_ecall_function tfs
+  let ecall_functions =
+    if tfs <> [] then flatten_map get_ecall_function tfs
     else [ "/* There were no ecalls. */" ]
   in
-  let oe_gen_ecall_table =
+  let ecall_table =
     let table = "__oe_ecalls_table" in
     if tfs <> [] then
       [
@@ -644,8 +661,8 @@ let generate_trusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
       ]
     else [ "/* There were no ecalls. */" ]
   in
-  let oe_gen_enclave_ocall_wrappers =
-    if ufs <> [] then flatten_map oe_gen_enclave_ocall_wrapper ufs
+  let ocall_function_wrappers =
+    if ufs <> [] then flatten_map get_ocall_function_wrapper ufs
     else [ "/* There were no ocalls. */" ]
   in
   [
@@ -661,29 +678,22 @@ let generate_trusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
     "";
     "/**** ECALL functions. ****/";
     "";
-    String.concat "\n" oe_gen_ecall_functions;
+    String.concat "\n" ecall_functions;
     "/**** ECALL function table. ****/";
     "";
-    String.concat "\n" oe_gen_ecall_table;
+    String.concat "\n" ecall_table;
     "";
     "/**** OCALL function wrappers. ****/";
     "";
-    String.concat "\n" oe_gen_enclave_ocall_wrappers;
+    String.concat "\n" ocall_function_wrappers;
     "OE_EXTERNC_END";
     "";
   ]
 
-let gen_free_ptrs (plist : pdecl list) =
-  let count =
-    flatten_map (gen_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
-  in
-  if count <> [] then [ "if (_ptrs)"; "    free(_ptrs);" ]
-  else [ "/* No `_ptrs` to free for deep copy. */" ]
-
 (* Generate host ECALL wrapper function. *)
-let oe_gen_host_ecall_wrapper (tf : trusted_func) =
+let get_host_ecall_wrapper (tf : trusted_func) =
   let fd = tf.tf_fdecl in
-  let oe_ecall_function =
+  let ecall_function =
     if tf.tf_is_switchless then "oe_switchless_call_enclave_function"
     else "oe_call_enclave_function"
   in
@@ -708,16 +718,16 @@ let oe_gen_host_ecall_wrapper (tf : trusted_func) =
     "    size_t _output_bytes_written = 0;";
     "";
     "    /* Deep copy buffer. */";
-    "    " ^ String.concat "\n    " (gen_ptr_array fd.plist);
+    "    " ^ String.concat "\n    " (get_ptr_array fd.plist);
     "";
     "    /* Fill marshalling struct. */";
     "    memset(&_args, 0, sizeof(_args));";
-    "    " ^ String.concat "\n    " (gen_fill_marshal_struct fd);
+    "    " ^ String.concat "\n    " (get_filled_marshal_struct fd);
     "";
-    "    " ^ String.concat "\n    " (oe_prepare_input_buffer fd "malloc");
+    "    " ^ String.concat "\n    " (get_input_buffer fd "malloc");
     "";
     "    /* Call enclave function. */";
-    "    if ((_result = " ^ oe_ecall_function ^ "(";
+    "    if ((_result = " ^ ecall_function ^ "(";
     "             "
     ^ String.concat ",\n             "
         [
@@ -731,7 +741,7 @@ let oe_gen_host_ecall_wrapper (tf : trusted_func) =
         ];
     "        goto done;";
     "";
-    "    " ^ String.concat "\n    " (oe_process_output_buffer fd);
+    "    " ^ String.concat "\n    " (get_output_buffer fd);
     "";
     "    _result = OE_OK;";
     "";
@@ -739,7 +749,7 @@ let oe_gen_host_ecall_wrapper (tf : trusted_func) =
     "    if (_buffer)";
     "        free(_buffer);";
     "";
-    "    " ^ String.concat "\n    " (gen_free_ptrs fd.plist);
+    "    " ^ String.concat "\n    " (get_ptr_free_expr fd.plist);
     "";
     "    return _result;";
     "}";
@@ -747,7 +757,7 @@ let oe_gen_host_ecall_wrapper (tf : trusted_func) =
   ]
 
 (* Generate ocall function. *)
-let oe_gen_ocall_function (uf : untrusted_func) =
+let get_ocall_function (uf : untrusted_func) =
   let fd = uf.uf_fdecl in
   [
     sprintf "void ocall_%s(" fd.fname;
@@ -780,13 +790,14 @@ let oe_gen_ocall_function (uf : untrusted_func) =
     "    }";
     "";
     (* Prepare in and in-out parameters *)
-    oe_gen_in_and_inout_setters fd.plist;
+    get_in_ptr_setter fd.plist;
     "";
-    (* Prepare out and in-out parameters. The in-out parameter is copied to output buffer. *)
-    oe_gen_out_and_inout_setters fd.plist;
+    (* Prepare out and in-out parameters: the in-out parameter is
+       copied to output buffer. *)
+    get_out_ptr_setter fd.plist;
     "";
     (* Call the host function *)
-    "    " ^ String.concat "\n    " (oe_gen_call_user_function fd);
+    "    " ^ String.concat "\n    " (get_call_user_function fd);
     "";
     "    /* Propagate errno back to enclave. */";
     ( if uf.uf_propagate_errno then "    pargs_out->_ocall_errno = errno;"
@@ -806,17 +817,17 @@ let oe_gen_ocall_function (uf : untrusted_func) =
 
 let generate_untrusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
   _ec := ec;
-  let tfs = ec.tfunc_decls in
-  let ufs = ec.ufunc_decls in
-  let oe_gen_host_ecall_wrappers =
-    if tfs <> [] then flatten_map oe_gen_host_ecall_wrapper tfs
+  let host_ecall_wrappers =
+    let tfs = ec.tfunc_decls in
+    if tfs <> [] then flatten_map get_host_ecall_wrapper tfs
     else [ "/* There were no ecalls. */" ]
   in
-  let oe_gen_ocall_functions =
-    if ufs <> [] then flatten_map oe_gen_ocall_function ufs
+  let ocall_functions =
+    let ufs = ec.ufunc_decls in
+    if ufs <> [] then flatten_map get_ocall_function ufs
     else [ "/* There were no ocalls. */" ]
   in
-  let oe_gen_ocall_table =
+  let ocall_table =
     [
       sprintf "static oe_ocall_func_t __%s_ocall_function_table[] = {"
         ec.enclave_name;
@@ -824,7 +835,7 @@ let generate_untrusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
       ^ String.concat "\n    "
           (List.map
              (fun f -> "(oe_ocall_func_t) ocall_" ^ f.uf_fdecl.fname ^ ",")
-             ufs);
+             ec.ufunc_decls);
       "    NULL";
       "};";
     ]
@@ -842,13 +853,13 @@ let generate_untrusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
     "";
     "/**** ECALL function wrappers. ****/";
     "";
-    String.concat "\n" oe_gen_host_ecall_wrappers;
+    String.concat "\n" host_ecall_wrappers;
     "/**** OCALL functions. ****/";
     "";
-    String.concat "\n" oe_gen_ocall_functions;
+    String.concat "\n" ocall_functions;
     "/**** OCALL function table. ****/";
     "";
-    String.concat "\n" oe_gen_ocall_table;
+    String.concat "\n" ocall_table;
     "";
     sprintf "oe_result_t oe_create_%s_enclave(" ec.enclave_name;
     "    const char* path,";
@@ -865,7 +876,7 @@ let generate_untrusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
     "               settings,";
     "               setting_count,";
     sprintf "               __%s_ocall_function_table," ec.enclave_name;
-    sprintf "               %d," (List.length ufs);
+    sprintf "               %d," (List.length ec.ufunc_decls);
     "               enclave);";
     "}";
     "";

From 6cc4038fc03f018ebc65517fd0a0f649377c2898 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 26 Nov 2019 18:05:46 +0000
Subject: [PATCH 340/420] Make `get_deepcopy_members` a higher order function

This allows us to more easily plumb through the information we need from
`enclave_content` and `edger8r_params`, without having to those or
multiple arguments everywhere. Instead, we partially apply the higher
order form of `get_deepcopy_members` and then plumb the result through
as needed.

Similarly we also plumbed through `enclave_name` for `get_function_id`
so we can entirely remove the `ec` reference.

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/src/Common.ml  |   4 +-
 tools/oeedger8r/src/Headers.ml |  10 ++-
 tools/oeedger8r/src/Sources.ml | 156 +++++++++++++++------------------
 3 files changed, 81 insertions(+), 89 deletions(-)

diff --git a/tools/oeedger8r/src/Common.ml b/tools/oeedger8r/src/Common.ml
index 2095f526b2..43870fbef4 100644
--- a/tools/oeedger8r/src/Common.ml
+++ b/tools/oeedger8r/src/Common.ml
@@ -246,5 +246,5 @@ let get_wrapper_prototype (fd : func_decl) (is_ecall : bool) =
   in
   sprintf "oe_result_t %s(%s)" fd.fname plist_str
 
-let get_function_id (ec : enclave_content) (f : func_decl) =
-  ec.enclave_name ^ "_fcn_id_" ^ f.fname
+let get_function_id (enclave_name : string) (f : func_decl) =
+  enclave_name ^ "_fcn_id_" ^ f.fname
diff --git a/tools/oeedger8r/src/Headers.ml b/tools/oeedger8r/src/Headers.ml
index 3bbf707699..dc5e414d4c 100644
--- a/tools/oeedger8r/src/Headers.ml
+++ b/tools/oeedger8r/src/Headers.ml
@@ -119,7 +119,10 @@ let generate_args (ec : enclave_content) =
       "{";
       String.concat "\n"
         (List.mapi
-           (fun i f -> sprintf "    %s = %d," (get_function_id ec f.tf_fdecl) i)
+           (fun i f ->
+             sprintf "    %s = %d,"
+               (get_function_id ec.enclave_name f.tf_fdecl)
+               i)
            tfs);
       "    " ^ ec.enclave_name ^ "_fcn_id_trusted_call_id_max = OE_ENUM_MAX";
       "};";
@@ -131,7 +134,10 @@ let generate_args (ec : enclave_content) =
       "{";
       String.concat "\n"
         (List.mapi
-           (fun i f -> sprintf "    %s = %d," (get_function_id ec f.uf_fdecl) i)
+           (fun i f ->
+             sprintf "    %s = %d,"
+               (get_function_id ec.enclave_name f.uf_fdecl)
+               i)
            ufs);
       "    " ^ ec.enclave_name ^ "_fcn_id_untrusted_call_max = OE_ENUM_MAX";
       "};";
diff --git a/tools/oeedger8r/src/Sources.ml b/tools/oeedger8r/src/Sources.ml
index ea96067079..17f2ce6277 100644
--- a/tools/oeedger8r/src/Sources.ml
+++ b/tools/oeedger8r/src/Sources.ml
@@ -5,54 +5,29 @@ open Intel.Ast
 open Common
 open Printf
 
-let _ec : Intel.Ast.enclave_content ref =
-  ref
-    {
-      file_shortnm = "";
-      enclave_name = "";
-      include_list = [];
-      import_exprs = [];
-      comp_defs = [];
-      tfunc_decls = [];
-      ufunc_decls = [];
-    }
-
-(* let _ep : Intel.Util.edger8r_params ref =
- *   ref
- *     {
- *       input_files = [];
- *       use_prefix = false;
- *       header_only = false;
- *       gen_untrusted = false;
- *       gen_trusted = false;
- *       untrusted_dir = "";
- *       trusted_dir = "";
- *       experimental = "";
- *     } *)
-
 (** Given [name], return the corresponding [StructDef], or [None]. *)
-let get_struct_by_name (name : string) =
-  (* [ec.comp_defs] is a list of all composite types, but we're only
+let get_struct_by_name (cts : composite_type list) (name : string) =
+  (* [cts] is a list of all composite types, but we're only
      interested in the structs, so we filter out the rest and unwrap
      them from [composite_type]. *)
-  let structs =
-    (* TODO: Pass [comp_defs] instead of needing [ec]. *)
-    filter_map (function StructDef s -> Some s | _ -> None) !_ec.comp_defs
-  in
+  let structs = filter_map (function StructDef s -> Some s | _ -> None) cts in
   List.find_opt (fun s -> s.sname = name) structs
 
 (** We need to check [Ptr]s for [Foreign] or [Struct] types, then
     check those against the user's [Struct]s, and then check if any
     members should be deep copied. What we return is the list of
     members of the [Struct] which should be deep-copied, otherwise we
-    return an empty list. *)
-let get_deepcopy_members (a : atype) =
+    return an empty list.
+
+    NOTE: This is a higher-order function that is mean to have its
+    first two arguments partially applied, and then used repeatedly. *)
+let get_deepcopy_function (enabled : bool) (cts : composite_type list)
+    (a : atype) =
   let should_deepcopy_a = function
-    | Ptr (Struct n) | Ptr (Foreign n) -> get_struct_by_name n
+    | Ptr (Struct n) | Ptr (Foreign n) -> get_struct_by_name cts n
     | _ -> None
   in
-  (* TODO: Only enable with [ep.experimental] *)
-  if true then
+  if enabled then
     match should_deepcopy_a a with
     | Some s -> List.filter (fun (p, _) -> is_marshalled_ptr p) s.smlist
     | None -> []
@@ -84,7 +59,7 @@ let get_cast_to_mem_expr (ptype, decl) (parens : bool) =
 
 (** Recursively generates [if (a && a->b) OE_SET_PTR(a->b->c);]
     statements. *)
-let rec get_ptr_setter args count setter (ptype, decl) =
+let rec get_ptr_setter get_deepcopy args count setter (ptype, decl) =
   let argstruct = oe_get_argstruct "pargs_in->" args count in
   let size = oe_get_param_size (ptype, decl, argstruct) in
   let arg =
@@ -103,13 +78,13 @@ let rec get_ptr_setter args count setter (ptype, decl) =
         [ sprintf "    OE_%s_POINTER(%s, %s, %s);" setter arg size tystr ];
         (let param_count = oe_get_param_count (ptype, decl, argstruct) in
          flatten_map
-           (get_ptr_setter (arg :: args) param_count setter)
-           (get_deepcopy_members (get_param_atype ptype)));
+           (get_ptr_setter get_deepcopy (arg :: args) param_count setter)
+           (get_deepcopy (get_param_atype ptype)));
       ]
     |> List.flatten )
 
 (** Generates pointer setters for in and in-out pointers. *)
-let get_in_ptr_setter (plist : pdecl list) =
+let get_in_ptr_setter get_deepcopy (plist : pdecl list) =
   let params =
     let ptrs = List.filter is_in_or_inout_ptr plist in
     let setters =
@@ -117,7 +92,7 @@ let get_in_ptr_setter (plist : pdecl list) =
         (fun (p, _) -> if is_in_ptr p then "SET_IN" else "SET_IN_OUT")
         ptrs
     in
-    flatten_map2 (get_ptr_setter [] "1") setters ptrs
+    flatten_map2 (get_ptr_setter get_deepcopy [] "1") setters ptrs
   in
   "    "
   ^ String.concat "\n    "
@@ -128,7 +103,7 @@ let get_in_ptr_setter (plist : pdecl list) =
       ]
 
 (** Generates pointer setters for out and in-out pointers. *)
-let get_out_ptr_setter (plist : pdecl list) =
+let get_out_ptr_setter get_deepcopy (plist : pdecl list) =
   let params =
     let ptrs = List.filter is_out_or_inout_ptr plist in
     let setters =
@@ -137,7 +112,7 @@ let get_out_ptr_setter (plist : pdecl list) =
           if is_out_ptr p then "SET_OUT" else "COPY_AND_SET_IN_OUT")
         ptrs
     in
-    flatten_map2 (get_ptr_setter [] "1") setters ptrs
+    flatten_map2 (get_ptr_setter get_deepcopy [] "1") setters ptrs
   in
   "    "
   ^ String.concat "\n    "
@@ -151,7 +126,7 @@ let get_out_ptr_setter (plist : pdecl list) =
 (** Generates an expression representing the total number of pointers
     we need to save and restore, used as the size for the pointer
     array. *)
-let rec get_ptr_count args count (ptype, decl) =
+let rec get_ptr_count get_deepcopy args count (ptype, decl) =
   let get_multiplication_expr count body =
     (* The first two conditionals check for the multiplicative identity
        and prevent unnecessary expressions from being generated.
@@ -172,7 +147,7 @@ let rec get_ptr_count args count (ptype, decl) =
     | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ id
   in
   let param_count = oe_get_param_count (ptype, decl, argstruct) in
-  let members = get_deepcopy_members (get_param_atype ptype) in
+  let members = get_deepcopy (get_param_atype ptype) in
   if is_marshalled_ptr ptype then
     (* The base case is a marshalled pointer. We count 1 for every one
        of these, except for the top-level pointers as they are the
@@ -187,13 +162,17 @@ let rec get_ptr_count args count (ptype, decl) =
        each nested structure. *)
     (if args <> [] then [ "1" ] else [])
     @ get_multiplication_expr param_count
-        (flatten_map (get_ptr_count (arg :: args) param_count) members)
+        (flatten_map
+           (get_ptr_count get_deepcopy (arg :: args) param_count)
+           members)
   else []
 
 (** Generates the array used to save the original pointers. *)
-let get_ptr_array (plist : pdecl list) =
+let get_ptr_array get_deepcopy (plist : pdecl list) =
   let count =
-    flatten_map (get_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
+    flatten_map
+      (get_ptr_count get_deepcopy [] "1")
+      (List.filter is_out_or_inout_ptr plist)
   in
   if count <> [] then
     [
@@ -209,21 +188,25 @@ let get_ptr_array (plist : pdecl list) =
   else [ "/* No pointers to save for deep copy. */" ]
 
 (** Generates expression to reset the index into the pointer array. *)
-let get_ptr_index_reset (plist : pdecl list) =
+let get_ptr_index_reset get_deepcopy (plist : pdecl list) =
   let count =
-    flatten_map (get_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
+    flatten_map
+      (get_ptr_count get_deepcopy [] "1")
+      (List.filter is_out_or_inout_ptr plist)
   in
   if count <> [] then "_ptrs_index = 0; /* For deep copy. */"
   else "/* No pointers to restore for deep copy. */"
 
-let get_ptr_free_expr (plist : pdecl list) =
+let get_ptr_free_expr get_deepcopy (plist : pdecl list) =
   let count =
-    flatten_map (get_ptr_count [] "1") (List.filter is_out_or_inout_ptr plist)
+    flatten_map
+      (get_ptr_count get_deepcopy [] "1")
+      (List.filter is_out_or_inout_ptr plist)
   in
   if count <> [] then [ "if (_ptrs)"; "    free(_ptrs);" ]
   else [ "/* No `_ptrs` to free for deep copy. */" ]
 
-let get_filled_marshal_struct (fd : func_decl) =
+let get_filled_marshal_struct get_deepcopy (fd : func_decl) =
   (* Generate assignment argument to corresponding field in args. This
      is necessary for all arguments, not just copy-as-value, because
      they are used directly by later marshalling code. *)
@@ -265,14 +248,14 @@ let get_filled_marshal_struct (fd : func_decl) =
           (let param_count = oe_get_param_count (ptype, decl, argstruct) in
            flatten_map
              (get_saved_ptrs (arg :: args) param_count)
-             (get_deepcopy_members (get_param_atype ptype)));
+             (get_deepcopy (get_param_atype ptype)));
         ]
       |> List.flatten )
   in
   flatten_map (get_saved_ptrs [] "1") (List.filter is_out_or_inout_ptr fd.plist)
 
 (* Prepare [input_buffer]. *)
-let get_input_buffer (fd : func_decl) (alloc_func : string) =
+let get_input_buffer get_deepcopy (fd : func_decl) (alloc_func : string) =
   let get_buffer_size buffer predicate plist =
     let rec get_add_size_expr args count (ptype, decl) =
       let argstruct = oe_get_argstruct "_args." args count in
@@ -289,7 +272,7 @@ let get_input_buffer (fd : func_decl) (alloc_func : string) =
             (let param_count = oe_get_param_count (ptype, decl, argstruct) in
              flatten_map
                (get_add_size_expr (arg :: args) param_count)
-               (get_deepcopy_members (get_param_atype ptype)));
+               (get_deepcopy (get_param_atype ptype)));
           ]
         |> List.flatten )
     in
@@ -334,7 +317,7 @@ let get_input_buffer (fd : func_decl) (alloc_func : string) =
             (let param_count = oe_get_param_count (ptype, decl, argstruct) in
              flatten_map
                (get_serializer (arg :: args) param_count)
-               (get_deepcopy_members (get_param_atype ptype)));
+               (get_deepcopy (get_param_atype ptype)));
           ]
         |> List.flatten )
     in
@@ -376,7 +359,7 @@ let get_input_buffer (fd : func_decl) (alloc_func : string) =
     "memcpy(_pargs_in, &_args, sizeof(*_pargs_in));";
   ]
 
-let get_output_buffer (fd : func_decl) =
+let get_output_buffer get_deepcopy (fd : func_decl) =
   let get_serialized_buffer_outputs (plist : pdecl list) =
     let rec get_serializer args count (ptype, decl) =
       let argstruct = oe_get_argstruct "_args." args count in
@@ -417,7 +400,7 @@ let get_output_buffer (fd : func_decl) =
             (let param_count = oe_get_param_count (ptype, decl, argstruct) in
              flatten_map
                (get_serializer (arg :: args) param_count)
-               (get_deepcopy_members (get_param_atype ptype)));
+               (get_deepcopy (get_param_atype ptype)));
           ]
         |> List.flatten )
     in
@@ -448,7 +431,7 @@ let get_output_buffer (fd : func_decl) =
     "/* Unmarshal return value and out, in-out parameters. */";
     ( if fd.rtype <> Void then "*_retval = _pargs_out->_retval;"
     else "/* No return value. */" );
-    get_ptr_index_reset fd.plist;
+    get_ptr_index_reset get_deepcopy fd.plist;
     get_serialized_buffer_outputs fd.plist;
   ]
 
@@ -486,7 +469,7 @@ let get_call_user_function (fd : func_decl) =
   ]
 
 (** Generate ecall function definition. *)
-let get_ecall_function (tf : trusted_func) =
+let get_ecall_function get_deepcopy (tf : trusted_func) =
   let fd = tf.tf_fdecl in
   [
     sprintf "void ecall_%s(" fd.fname;
@@ -521,11 +504,11 @@ let get_ecall_function (tf : trusted_func) =
     "        goto done;";
     "";
     (* Prepare in and in-out parameters *)
-    get_in_ptr_setter fd.plist;
+    get_in_ptr_setter get_deepcopy fd.plist;
     "";
     (* Prepare out and in-out parameters. The in-out parameter is
          copied to output buffer. *)
-    get_out_ptr_setter fd.plist;
+    get_out_ptr_setter get_deepcopy fd.plist;
     "";
     "    /* Check that in/in-out strings are null terminated. */"
     (* NOTE: We do not support deep copy for strings, so there is not
@@ -563,7 +546,7 @@ let get_ecall_function (tf : trusted_func) =
   ]
 
 (** Generate enclave OCALL wrapper function. *)
-let get_ocall_function_wrapper (uf : untrusted_func) =
+let get_ocall_function_wrapper get_deepcopy enclave_name (uf : untrusted_func) =
   let fd = uf.uf_fdecl in
   let allocate_buffer, call_function, free_buffer =
     if uf.uf_is_switchless then
@@ -588,7 +571,7 @@ let get_ocall_function_wrapper (uf : untrusted_func) =
     "    /* Marshalling struct. */";
     sprintf "    %s_args_t _args, *_pargs_in = NULL, *_pargs_out = NULL;"
       fd.fname;
-    "    " ^ String.concat "\n    " (get_ptr_array fd.plist);
+    "    " ^ String.concat "\n    " (get_ptr_array get_deepcopy fd.plist);
     "";
     "    /* Marshalling buffer and sizes. */";
     "    size_t _input_buffer_size = 0;";
@@ -603,16 +586,17 @@ let get_ocall_function_wrapper (uf : untrusted_func) =
     "";
     "    /* Fill marshalling struct. */";
     "    memset(&_args, 0, sizeof(_args));";
-    "    " ^ String.concat "\n    " (get_filled_marshal_struct fd);
+    "    " ^ String.concat "\n    " (get_filled_marshal_struct get_deepcopy fd);
     "";
-    "    " ^ String.concat "\n    " (get_input_buffer fd allocate_buffer);
+    "    "
+    ^ String.concat "\n    " (get_input_buffer get_deepcopy fd allocate_buffer);
     "";
     "    /* Call host function. */";
     "    if ((_result = " ^ call_function ^ "(";
     "             "
     ^ String.concat ",\n             "
         [
-          get_function_id !_ec fd;
+          get_function_id enclave_name fd;
           "_input_buffer";
           "_input_buffer_size";
           "_output_buffer";
@@ -621,7 +605,7 @@ let get_ocall_function_wrapper (uf : untrusted_func) =
         ];
     "        goto done;";
     "";
-    "    " ^ String.concat "\n    " (get_output_buffer fd);
+    "    " ^ String.concat "\n    " (get_output_buffer get_deepcopy fd);
     "";
     "    /* Retrieve propagated errno from OCALL. */";
     ( if uf.uf_propagate_errno then "    errno = _pargs_out->_ocall_errno;\n"
@@ -638,11 +622,11 @@ let get_ocall_function_wrapper (uf : untrusted_func) =
   ]
 
 let generate_trusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
-  _ec := ec;
+  let get_deepcopy = get_deepcopy_function ep.experimental ec.comp_defs in
   let tfs = ec.tfunc_decls in
   let ufs = ec.ufunc_decls in
   let ecall_functions =
-    if tfs <> [] then flatten_map get_ecall_function tfs
+    if tfs <> [] then flatten_map (get_ecall_function get_deepcopy) tfs
     else [ "/* There were no ecalls. */" ]
   in
   let ecall_table =
@@ -662,7 +646,8 @@ let generate_trusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
     else [ "/* There were no ecalls. */" ]
   in
   let ocall_function_wrappers =
-    if ufs <> [] then flatten_map get_ocall_function_wrapper ufs
+    if ufs <> [] then
+      flatten_map (get_ocall_function_wrapper get_deepcopy ec.enclave_name) ufs
     else [ "/* There were no ocalls. */" ]
   in
   [
@@ -691,7 +676,7 @@ let generate_trusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
   ]
 
 (* Generate host ECALL wrapper function. *)
-let get_host_ecall_wrapper (tf : trusted_func) =
+let get_host_ecall_wrapper get_deepcopy enclave_name (tf : trusted_func) =
   let fd = tf.tf_fdecl in
   let ecall_function =
     if tf.tf_is_switchless then "oe_switchless_call_enclave_function"
@@ -718,13 +703,13 @@ let get_host_ecall_wrapper (tf : trusted_func) =
     "    size_t _output_bytes_written = 0;";
     "";
     "    /* Deep copy buffer. */";
-    "    " ^ String.concat "\n    " (get_ptr_array fd.plist);
+    "    " ^ String.concat "\n    " (get_ptr_array get_deepcopy fd.plist);
     "";
     "    /* Fill marshalling struct. */";
     "    memset(&_args, 0, sizeof(_args));";
-    "    " ^ String.concat "\n    " (get_filled_marshal_struct fd);
+    "    " ^ String.concat "\n    " (get_filled_marshal_struct get_deepcopy fd);
     "";
-    "    " ^ String.concat "\n    " (get_input_buffer fd "malloc");
+    "    " ^ String.concat "\n    " (get_input_buffer get_deepcopy fd "malloc");
     "";
     "    /* Call enclave function. */";
     "    if ((_result = " ^ ecall_function ^ "(";
@@ -732,7 +717,7 @@ let get_host_ecall_wrapper (tf : trusted_func) =
     ^ String.concat ",\n             "
         [
           "enclave";
-          get_function_id !_ec fd;
+          get_function_id enclave_name fd;
           "_input_buffer";
           "_input_buffer_size";
           "_output_buffer";
@@ -741,7 +726,7 @@ let get_host_ecall_wrapper (tf : trusted_func) =
         ];
     "        goto done;";
     "";
-    "    " ^ String.concat "\n    " (get_output_buffer fd);
+    "    " ^ String.concat "\n    " (get_output_buffer get_deepcopy fd);
     "";
     "    _result = OE_OK;";
     "";
@@ -749,7 +734,7 @@ let get_host_ecall_wrapper (tf : trusted_func) =
     "    if (_buffer)";
     "        free(_buffer);";
     "";
-    "    " ^ String.concat "\n    " (get_ptr_free_expr fd.plist);
+    "    " ^ String.concat "\n    " (get_ptr_free_expr get_deepcopy fd.plist);
     "";
     "    return _result;";
     "}";
@@ -757,7 +742,7 @@ let get_host_ecall_wrapper (tf : trusted_func) =
   ]
 
 (* Generate ocall function. *)
-let get_ocall_function (uf : untrusted_func) =
+let get_ocall_function get_deepcopy (uf : untrusted_func) =
   let fd = uf.uf_fdecl in
   [
     sprintf "void ocall_%s(" fd.fname;
@@ -790,11 +775,11 @@ let get_ocall_function (uf : untrusted_func) =
     "    }";
     "";
     (* Prepare in and in-out parameters *)
-    get_in_ptr_setter fd.plist;
+    get_in_ptr_setter get_deepcopy fd.plist;
     "";
     (* Prepare out and in-out parameters: the in-out parameter is
        copied to output buffer. *)
-    get_out_ptr_setter fd.plist;
+    get_out_ptr_setter get_deepcopy fd.plist;
     "";
     (* Call the host function *)
     "    " ^ String.concat "\n    " (get_call_user_function fd);
@@ -816,15 +801,16 @@ let get_ocall_function (uf : untrusted_func) =
   ]
 
 let generate_untrusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
-  _ec := ec;
+  let get_deepcopy = get_deepcopy_function ep.experimental ec.comp_defs in
   let host_ecall_wrappers =
     let tfs = ec.tfunc_decls in
-    if tfs <> [] then flatten_map get_host_ecall_wrapper tfs
+    if tfs <> [] then
+      flatten_map (get_host_ecall_wrapper get_deepcopy ec.enclave_name) tfs
     else [ "/* There were no ecalls. */" ]
   in
   let ocall_functions =
     let ufs = ec.ufunc_decls in
-    if ufs <> [] then flatten_map get_ocall_function ufs
+    if ufs <> [] then flatten_map (get_ocall_function get_deepcopy) ufs
     else [ "/* There were no ocalls. */" ]
   in
   let ocall_table =

From 7af4e3e052af34aba064b108e7c175433805f181 Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 26 Nov 2019 18:12:53 +0000
Subject: [PATCH 341/420] Rename functions in `Common.ml`

That's the last of the inconsistent use of `oe_gen` or `oe_get`
prefixes.

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/src/Common.ml  | 14 +++++++-------
 tools/oeedger8r/src/Sources.ml | 32 ++++++++++++++++----------------
 2 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/tools/oeedger8r/src/Common.ml b/tools/oeedger8r/src/Common.ml
index 43870fbef4..a08b3ffd16 100644
--- a/tools/oeedger8r/src/Common.ml
+++ b/tools/oeedger8r/src/Common.ml
@@ -151,7 +151,7 @@ let get_type_expr ptype =
 (** For a list of args and current count, get the corresponding
    argstruct variable name. The prefix is usually, but not always,
    ["_args."].*)
-let oe_get_argstruct prefix args count =
+let get_argstruct prefix args count =
   match args with
   | [] -> prefix
   | hd :: _ -> prefix ^ hd ^ gen_c_deref (List.length args) count
@@ -162,7 +162,7 @@ let attr_value_to_string argstruct = function
   | Some (AString s) -> Some (argstruct ^ s)
 
 (** For a parameter, get its size expression. *)
-let get_param_size (ptype, decl, argstruct) =
+let _get_param_size (ptype, decl, argstruct) =
   let type_expr = get_type_expr ptype in
   let get_ptr_or_decl_size (p : ptr_size) =
     let size = attr_value_to_string argstruct p.ps_size
@@ -187,13 +187,13 @@ let get_param_size (ptype, decl, argstruct) =
   (* Values have no marshalling size. *)
   | _ -> None
 
-let oe_get_param_size (ptype, decl, argstruct) =
-  match get_param_size (ptype, decl, argstruct) with
+let get_param_size (ptype, decl, argstruct) =
+  match _get_param_size (ptype, decl, argstruct) with
   | Some size -> size
   | None -> Intel.Util.failwithf "Error: No size for " ^ decl.identifier
 
 (** For a parameter, get its count expression. *)
-let get_param_count (ptype, decl, argstruct) =
+let _get_param_count (ptype, decl, argstruct) =
   let type_expr = get_type_expr ptype in
   let get_ptr_or_decl_count (p : ptr_size) =
     let size = attr_value_to_string argstruct p.ps_size
@@ -221,8 +221,8 @@ let get_param_count (ptype, decl, argstruct) =
       else None
   | PTVal _ -> None
 
-let oe_get_param_count (ptype, decl, argstruct) =
-  match get_param_count (ptype, decl, argstruct) with
+let get_param_count (ptype, decl, argstruct) =
+  match _get_param_count (ptype, decl, argstruct) with
   | Some count -> count
   | None -> Intel.Util.failwithf "Error: No count for " ^ decl.identifier
 
diff --git a/tools/oeedger8r/src/Sources.ml b/tools/oeedger8r/src/Sources.ml
index 17f2ce6277..51f1935cbb 100644
--- a/tools/oeedger8r/src/Sources.ml
+++ b/tools/oeedger8r/src/Sources.ml
@@ -60,8 +60,8 @@ let get_cast_to_mem_expr (ptype, decl) (parens : bool) =
 (** Recursively generates [if (a && a->b) OE_SET_PTR(a->b->c);]
     statements. *)
 let rec get_ptr_setter get_deepcopy args count setter (ptype, decl) =
-  let argstruct = oe_get_argstruct "pargs_in->" args count in
-  let size = oe_get_param_size (ptype, decl, argstruct) in
+  let argstruct = get_argstruct "pargs_in->" args count in
+  let size = get_param_size (ptype, decl, argstruct) in
   let arg =
     match args with
     | [] -> decl.identifier
@@ -76,7 +76,7 @@ let rec get_ptr_setter get_deepcopy args count setter (ptype, decl) =
             (String.concat " && pargs_in->" (List.rev (arg :: args)));
         ];
         [ sprintf "    OE_%s_POINTER(%s, %s, %s);" setter arg size tystr ];
-        (let param_count = oe_get_param_count (ptype, decl, argstruct) in
+        (let param_count = get_param_count (ptype, decl, argstruct) in
          flatten_map
            (get_ptr_setter get_deepcopy (arg :: args) param_count setter)
            (get_deepcopy (get_param_atype ptype)));
@@ -140,13 +140,13 @@ let rec get_ptr_count get_deepcopy args count (ptype, decl) =
      within a [gen_c_for] loop when producing the count. Therefore
      arrays of structs which use members for the count of another
      nested parameter are not yet supported. *)
-  let argstruct = oe_get_argstruct "" args count in
+  let argstruct = get_argstruct "" args count in
   let arg =
     match args with
     | [] -> id
     | hd :: _ -> hd ^ gen_c_deref (List.length args) count ^ id
   in
-  let param_count = oe_get_param_count (ptype, decl, argstruct) in
+  let param_count = get_param_count (ptype, decl, argstruct) in
   let members = get_deepcopy (get_param_atype ptype) in
   if is_marshalled_ptr ptype then
     (* The base case is a marshalled pointer. We count 1 for every one
@@ -231,7 +231,7 @@ let get_filled_marshal_struct get_deepcopy (fd : func_decl) =
   @
   let rec get_saved_ptrs args count (ptype, decl) =
     let id = decl.identifier in
-    let argstruct = oe_get_argstruct "_args." args count in
+    let argstruct = get_argstruct "_args." args count in
     let arg =
       match args with
       | [] -> id
@@ -245,7 +245,7 @@ let get_filled_marshal_struct get_deepcopy (fd : func_decl) =
           ( if args <> [] && is_marshalled_ptr ptype then
             [ "    _ptrs[_ptrs_index++] = (void*)" ^ arg ^ ";" ]
           else [] );
-          (let param_count = oe_get_param_count (ptype, decl, argstruct) in
+          (let param_count = get_param_count (ptype, decl, argstruct) in
            flatten_map
              (get_saved_ptrs (arg :: args) param_count)
              (get_deepcopy (get_param_atype ptype)));
@@ -258,8 +258,8 @@ let get_filled_marshal_struct get_deepcopy (fd : func_decl) =
 let get_input_buffer get_deepcopy (fd : func_decl) (alloc_func : string) =
   let get_buffer_size buffer predicate plist =
     let rec get_add_size_expr args count (ptype, decl) =
-      let argstruct = oe_get_argstruct "_args." args count in
-      let size = oe_get_param_size (ptype, decl, argstruct) in
+      let argstruct = get_argstruct "_args." args count in
+      let size = get_param_size (ptype, decl, argstruct) in
       let arg =
         match args with
         | [] -> decl.identifier
@@ -269,7 +269,7 @@ let get_input_buffer get_deepcopy (fd : func_decl) (alloc_func : string) =
         ( [
             [ sprintf "if (%s)" (String.concat " && " (List.rev (arg :: args))) ];
             [ sprintf "    OE_ADD_SIZE(%s, %s);" buffer size ];
-            (let param_count = oe_get_param_count (ptype, decl, argstruct) in
+            (let param_count = get_param_count (ptype, decl, argstruct) in
              flatten_map
                (get_add_size_expr (arg :: args) param_count)
                (get_deepcopy (get_param_atype ptype)));
@@ -292,8 +292,8 @@ let get_input_buffer get_deepcopy (fd : func_decl) (alloc_func : string) =
   in
   let get_serialized_buffer_inputs (plist : pdecl list) =
     let rec get_serializer args count (ptype, decl) =
-      let argstruct = oe_get_argstruct "_args." args count in
-      let size = oe_get_param_size (ptype, decl, argstruct) in
+      let argstruct = get_argstruct "_args." args count in
+      let size = get_param_size (ptype, decl, argstruct) in
       let arg =
         match args with
         | [] -> decl.identifier
@@ -314,7 +314,7 @@ let get_input_buffer get_deepcopy (fd : func_decl) (alloc_func : string) =
                 (if is_in_ptr ptype then "IN" else "IN_OUT")
                 arg size tystr;
             ];
-            (let param_count = oe_get_param_count (ptype, decl, argstruct) in
+            (let param_count = get_param_count (ptype, decl, argstruct) in
              flatten_map
                (get_serializer (arg :: args) param_count)
                (get_deepcopy (get_param_atype ptype)));
@@ -362,8 +362,8 @@ let get_input_buffer get_deepcopy (fd : func_decl) (alloc_func : string) =
 let get_output_buffer get_deepcopy (fd : func_decl) =
   let get_serialized_buffer_outputs (plist : pdecl list) =
     let rec get_serializer args count (ptype, decl) =
-      let argstruct = oe_get_argstruct "_args." args count in
-      let size = oe_get_param_size (ptype, decl, argstruct) in
+      let argstruct = get_argstruct "_args." args count in
+      let size = get_param_size (ptype, decl, argstruct) in
       let arg =
         match args with
         | [] -> decl.identifier
@@ -397,7 +397,7 @@ let get_output_buffer get_deepcopy (fd : func_decl) =
                    "    " ^ s;
                    "}";
                  ]);
-            (let param_count = oe_get_param_count (ptype, decl, argstruct) in
+            (let param_count = get_param_count (ptype, decl, argstruct) in
              flatten_map
                (get_serializer (arg :: args) param_count)
                (get_deepcopy (get_param_atype ptype)));

From 701bf76973cd975620b974758d558f75a6e7204b Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Tue, 26 Nov 2019 18:26:29 +0000
Subject: [PATCH 342/420] Refine functions in `Common.ml`

Those that weren't common were moved to files in which they were used.
Unfortunately, this also made `Sources.ml` even longer.

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/src/Common.ml  | 116 +--------------------------------
 tools/oeedger8r/src/Headers.ml |  30 +++++++++
 tools/oeedger8r/src/Sources.ml |  86 ++++++++++++++++++++++++
 3 files changed, 118 insertions(+), 114 deletions(-)

diff --git a/tools/oeedger8r/src/Common.ml b/tools/oeedger8r/src/Common.ml
index a08b3ffd16..c4bb696e97 100644
--- a/tools/oeedger8r/src/Common.ml
+++ b/tools/oeedger8r/src/Common.ml
@@ -5,8 +5,8 @@ open Intel.Ast
 open Printf
 
 (** ----- Begin code borrowed and tweaked from {!CodeGen.ml}. ----- *)
-let is_foreign_array (pt : parameter_type) =
-  match pt with
+
+let is_foreign_array = function
   | PTVal _ -> false
   | PTPtr (t, a) -> ( match t with Foreign _ -> a.pa_isary | _ -> false )
 
@@ -39,32 +39,6 @@ let get_parameter_str (p : pdecl) =
   let str = get_typed_declr_str aty declr in
   if is_const_ptr pt then "const " ^ str else str
 
-(** [conv_array_to_ptr] is used to convert Array form into Pointer form.
-    {[
-      int array[10][20] => [count = 200] int* array
-    ]}
-
-    This function is called when generating proxy/bridge code and the
-    marshalling structure. *)
-let conv_array_to_ptr (pd : pdecl) : pdecl =
-  let pt, declr = pd in
-  let get_count_attr ilist =
-    (* XXX: assume the size of each dimension will be > 0. *)
-    ANumber (List.fold_left (fun acc i -> acc * i) 1 ilist)
-  in
-  match pt with
-  | PTVal _ -> (pt, declr)
-  | PTPtr (aty, pa) ->
-      if is_array declr then
-        let tmp_declr = { declr with array_dims = [] } in
-        let tmp_aty = Ptr aty in
-        let tmp_cnt = get_count_attr declr.array_dims in
-        let tmp_pa =
-          { pa with pa_size = { empty_ptr_size with ps_count = Some tmp_cnt } }
-        in
-        (PTPtr (tmp_aty, tmp_pa), tmp_declr)
-      else (pt, declr)
-
 (** ----- End code borrowed and tweaked from {!CodeGen.ml} ----- *)
 
 (* Helper to map and filter out None at the same time. *)
@@ -135,97 +109,11 @@ let write_file (content : string list) (filename : string) (dir : string) =
        @ content ));
   close_out os
 
-let get_type_expr ptype =
-  (* Get the base type of the parameter. That is, yield its [atype],
-     unless it is a pointer, in which case decompose and yield the
-     [atype] the pointer points to. *)
-  let param_atype =
-    let a = get_param_atype ptype in
-    match a with Ptr p -> p | _ -> a
-  in
-  let tystr = get_tystr param_atype in
-  match ptype with
-  | PTPtr (_, ptr_attr) when ptr_attr.pa_isptr -> sprintf "*(%s)0" tystr
-  | _ -> tystr
-
-(** For a list of args and current count, get the corresponding
-   argstruct variable name. The prefix is usually, but not always,
-   ["_args."].*)
-let get_argstruct prefix args count =
-  match args with
-  | [] -> prefix
-  | hd :: _ -> prefix ^ hd ^ gen_c_deref (List.length args) count
-
 let attr_value_to_string argstruct = function
   | None -> None
   | Some (ANumber n) -> Some (string_of_int n)
   | Some (AString s) -> Some (argstruct ^ s)
 
-(** For a parameter, get its size expression. *)
-let _get_param_size (ptype, decl, argstruct) =
-  let type_expr = get_type_expr ptype in
-  let get_ptr_or_decl_size (p : ptr_size) =
-    let size = attr_value_to_string argstruct p.ps_size
-    and count = attr_value_to_string argstruct p.ps_count in
-    match (size, count) with
-    | Some s, None -> s
-    | None, Some c -> sprintf "(%s * sizeof(%s))" c type_expr
-    (* TODO: Check that this is an even multiple of the size of type. *)
-    | Some s, Some c -> sprintf "(%s * %s)" s c
-    | None, None ->
-        sprintf "sizeof(%s%s)" type_expr (get_array_dims decl.array_dims)
-  in
-  match ptype with
-  | PTPtr (_, ptr_attr) ->
-      if ptr_attr.pa_isstr then
-        Some (argstruct ^ decl.identifier ^ "_len * sizeof(char)")
-      else if ptr_attr.pa_iswstr then
-        Some (argstruct ^ decl.identifier ^ "_len * sizeof(wchar_t)")
-      else if ptr_attr.pa_chkptr then
-        Some (get_ptr_or_decl_size ptr_attr.pa_size)
-      else None
-  (* Values have no marshalling size. *)
-  | _ -> None
-
-let get_param_size (ptype, decl, argstruct) =
-  match _get_param_size (ptype, decl, argstruct) with
-  | Some size -> size
-  | None -> Intel.Util.failwithf "Error: No size for " ^ decl.identifier
-
-(** For a parameter, get its count expression. *)
-let _get_param_count (ptype, decl, argstruct) =
-  let type_expr = get_type_expr ptype in
-  let get_ptr_or_decl_count (p : ptr_size) =
-    let size = attr_value_to_string argstruct p.ps_size
-    and count = attr_value_to_string argstruct p.ps_count in
-    match (size, count) with
-    (* TODO: Check that these are even multiples of the size of type. *)
-    | Some s, None -> sprintf "(%s / sizeof(%s))" s type_expr
-    | None, Some c -> c
-    | Some s, Some c -> sprintf "((%s * %s) / sizeof(%s))" s c type_expr
-    | None, None ->
-        let dims = List.map string_of_int decl.array_dims in
-        String.concat " * " dims
-  in
-  match ptype with
-  | PTPtr (_, ptr_attr) ->
-      (* The count of a string is its length. *)
-      if ptr_attr.pa_isstr || ptr_attr.pa_iswstr then
-        (* TODO: Double-check that this length includes the
-           null-terminator. *)
-        Some (argstruct ^ decl.identifier ^ "_len")
-      else if ptr_attr.pa_chkptr then
-        Some (get_ptr_or_decl_count ptr_attr.pa_size)
-        (* TODO: Should be able to return [Some "1"] for plain
-           pointers and values. *)
-      else None
-  | PTVal _ -> None
-
-let get_param_count (ptype, decl, argstruct) =
-  match _get_param_count (ptype, decl, argstruct) with
-  | Some count -> count
-  | None -> Intel.Util.failwithf "Error: No count for " ^ decl.identifier
-
 (** Generate the wrapper prototype for a given function. Optionally
     add an [oe_enclave_t*] first parameter. *)
 let get_wrapper_prototype (fd : func_decl) (is_ecall : bool) =
diff --git a/tools/oeedger8r/src/Headers.ml b/tools/oeedger8r/src/Headers.ml
index dc5e414d4c..0fbe6094b1 100644
--- a/tools/oeedger8r/src/Headers.ml
+++ b/tools/oeedger8r/src/Headers.ml
@@ -5,6 +5,36 @@ open Intel.Ast
 open Common
 open Printf
 
+(** ----- Begin code borrowed and tweaked from {!CodeGen.ml}. ----- *)
+
+(** [conv_array_to_ptr] is used to convert Array form into Pointer form.
+    {[
+      int array[10][20] => [count = 200] int* array
+    ]}
+
+    This function is called when generating proxy/bridge code and the
+    marshalling structure. *)
+let conv_array_to_ptr (pd : pdecl) : pdecl =
+  let pt, declr = pd in
+  let get_count_attr ilist =
+    (* XXX: assume the size of each dimension will be > 0. *)
+    ANumber (List.fold_left (fun acc i -> acc * i) 1 ilist)
+  in
+  match pt with
+  | PTVal _ -> (pt, declr)
+  | PTPtr (aty, pa) ->
+      if is_array declr then
+        let tmp_declr = { declr with array_dims = [] } in
+        let tmp_aty = Ptr aty in
+        let tmp_cnt = get_count_attr declr.array_dims in
+        let tmp_pa =
+          { pa with pa_size = { empty_ptr_size with ps_count = Some tmp_cnt } }
+        in
+        (PTPtr (tmp_aty, tmp_pa), tmp_declr)
+      else (pt, declr)
+
+(** ----- End code borrowed and tweaked from {!CodeGen.ml} ----- *)
+
 (** Generate the prototype for a given function. *)
 let get_function_prototype (fd : func_decl) =
   let plist_str =
diff --git a/tools/oeedger8r/src/Sources.ml b/tools/oeedger8r/src/Sources.ml
index 51f1935cbb..2d02468aaa 100644
--- a/tools/oeedger8r/src/Sources.ml
+++ b/tools/oeedger8r/src/Sources.ml
@@ -33,6 +33,92 @@ let get_deepcopy_function (enabled : bool) (cts : composite_type list)
     | None -> []
   else []
 
+(** For a list of args and current count, get the corresponding
+   argstruct variable name. The prefix is usually, but not always,
+   ["_args."].*)
+let get_argstruct prefix args count =
+  match args with
+  | [] -> prefix
+  | hd :: _ -> prefix ^ hd ^ gen_c_deref (List.length args) count
+
+let get_type_expr ptype =
+  (* Get the base type of the parameter. That is, yield its [atype],
+     unless it is a pointer, in which case decompose and yield the
+     [atype] the pointer points to. *)
+  let param_atype =
+    let a = get_param_atype ptype in
+    match a with Ptr p -> p | _ -> a
+  in
+  let tystr = get_tystr param_atype in
+  match ptype with
+  | PTPtr (_, ptr_attr) when ptr_attr.pa_isptr -> sprintf "*(%s)0" tystr
+  | _ -> tystr
+
+(** For a parameter, get its size expression. *)
+let _get_param_size (ptype, decl, argstruct) =
+  let type_expr = get_type_expr ptype in
+  let get_ptr_or_decl_size (p : ptr_size) =
+    let size = attr_value_to_string argstruct p.ps_size
+    and count = attr_value_to_string argstruct p.ps_count in
+    match (size, count) with
+    | Some s, None -> s
+    | None, Some c -> sprintf "(%s * sizeof(%s))" c type_expr
+    (* TODO: Check that this is an even multiple of the size of type. *)
+    | Some s, Some c -> sprintf "(%s * %s)" s c
+    | None, None ->
+        sprintf "sizeof(%s%s)" type_expr (get_array_dims decl.array_dims)
+  in
+  match ptype with
+  | PTPtr (_, ptr_attr) ->
+      if ptr_attr.pa_isstr then
+        Some (argstruct ^ decl.identifier ^ "_len * sizeof(char)")
+      else if ptr_attr.pa_iswstr then
+        Some (argstruct ^ decl.identifier ^ "_len * sizeof(wchar_t)")
+      else if ptr_attr.pa_chkptr then
+        Some (get_ptr_or_decl_size ptr_attr.pa_size)
+      else None
+  (* Values have no marshalling size. *)
+  | _ -> None
+
+let get_param_size (ptype, decl, argstruct) =
+  match _get_param_size (ptype, decl, argstruct) with
+  | Some size -> size
+  | None -> Intel.Util.failwithf "Error: No size for " ^ decl.identifier
+
+(** For a parameter, get its count expression. *)
+let _get_param_count (ptype, decl, argstruct) =
+  let type_expr = get_type_expr ptype in
+  let get_ptr_or_decl_count (p : ptr_size) =
+    let size = attr_value_to_string argstruct p.ps_size
+    and count = attr_value_to_string argstruct p.ps_count in
+    match (size, count) with
+    (* TODO: Check that these are even multiples of the size of type. *)
+    | Some s, None -> sprintf "(%s / sizeof(%s))" s type_expr
+    | None, Some c -> c
+    | Some s, Some c -> sprintf "((%s * %s) / sizeof(%s))" s c type_expr
+    | None, None ->
+        let dims = List.map string_of_int decl.array_dims in
+        String.concat " * " dims
+  in
+  match ptype with
+  | PTPtr (_, ptr_attr) ->
+      (* The count of a string is its length. *)
+      if ptr_attr.pa_isstr || ptr_attr.pa_iswstr then
+        (* TODO: Double-check that this length includes the
+           null-terminator. *)
+        Some (argstruct ^ decl.identifier ^ "_len")
+      else if ptr_attr.pa_chkptr then
+        Some (get_ptr_or_decl_count ptr_attr.pa_size)
+        (* TODO: Should be able to return [Some "1"] for plain
+           pointers and values. *)
+      else None
+  | PTVal _ -> None
+
+let get_param_count (ptype, decl, argstruct) =
+  match _get_param_count (ptype, decl, argstruct) with
+  | Some count -> count
+  | None -> Intel.Util.failwithf "Error: No count for " ^ decl.identifier
+
 (** Generate a cast expression for a pointer argument. Pointer
     arguments need to be cast to their root type, since the marshalling
     struct has the root pointer. For example:

From 9943151f01cb759c6cd37c3f398fa23331ba718f Mon Sep 17 00:00:00 2001
From: John Kordich <jkordich@gmail.com>
Date: Tue, 26 Nov 2019 08:15:52 -0800
Subject: [PATCH 343/420] Update Company for johnkord.

Signed-off-by: John Kordich <jkordich@gmail.com>
---
 docs/Committers.md | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/docs/Committers.md b/docs/Committers.md
index 91c8262ef8..10a0c3efe4 100644
--- a/docs/Committers.md
+++ b/docs/Committers.md
@@ -27,17 +27,17 @@ at [aka.ms/openenclave/cgc](https://aka.ms/openenclave/cgc).
 Committee Members
 -----------------
 
-| Name                 | Company   | Email                         | GitHub Alias   |
-|----------------------|-----------|-------------------------------|----------------|
-| Akash Gupta          | Microsoft | akagup@microsoft.com          | gupta-ak       |
-| Amaury Chamayou      | Microsoft | amaury.chamayou@microsoft.com | achamayou      |
-| Anand Krishnamoorthi | Microsoft | anakrish@microsoft.com        | anakrish       |
-| Andrew Schwartzmeyer | Microsoft | andschwa@microsoft.com        | andschwa       |
-| Dave Thaler          | Microsoft | dthaler@microsoft.com         | dthaler        |
-| John Kordich         | Microsoft | jkordich@gmail.com            | johnkord       |
-| Mike Brasher         | Microsoft | mikbras@microsoft.com         | mikbras        |
-| Radhika Jandhyala    | Microsoft | radhikaj@microsoft.com        | radhikaj       |
-| Simon Leet           | Microsoft | simon.leet@microsoft.com      | CodeMonkeyLeet |
+| Name                 | Company     | Email                         | GitHub Alias   |
+|----------------------|-------------|-------------------------------|----------------|
+| Akash Gupta          | Microsoft   | akagup@microsoft.com          | gupta-ak       |
+| Amaury Chamayou      | Microsoft   | amaury.chamayou@microsoft.com | achamayou      |
+| Anand Krishnamoorthi | Microsoft   | anakrish@microsoft.com        | anakrish       |
+| Andrew Schwartzmeyer | Microsoft   | andschwa@microsoft.com        | andschwa       |
+| Dave Thaler          | Microsoft   | dthaler@microsoft.com         | dthaler        |
+| John Kordich         | Independent | jkordich@gmail.com            | johnkord       |
+| Mike Brasher         | Microsoft   | mikbras@microsoft.com         | mikbras        |
+| Radhika Jandhyala    | Microsoft   | radhikaj@microsoft.com        | radhikaj       |
+| Simon Leet           | Microsoft   | simon.leet@microsoft.com      | CodeMonkeyLeet |
 
 Committee Responsibilities
 --------------------------

From 4d6249f329c188f35c66ca47bae9332a75631cde Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Tue, 26 Nov 2019 09:36:13 -0800
Subject: [PATCH 344/420] Build attested_tls sample for Windows

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 common/oe_host_socket.h                       | 21 ++++++++++++++++---
 .../client/enc/identity_verifier.cpp          |  3 ++-
 .../attested_tls/non_enc_client/client.cpp    |  9 +++++++-
 .../non_enc_client/verify_callback.cpp        |  8 ++++++-
 .../scripts/gen_mrenclave_header.py           |  2 +-
 .../attested_tls/server/enc/CMakeLists.txt    |  2 ++
 6 files changed, 38 insertions(+), 7 deletions(-)

diff --git a/common/oe_host_socket.h b/common/oe_host_socket.h
index a6e9c3fc94..2963607575 100644
--- a/common/oe_host_socket.h
+++ b/common/oe_host_socket.h
@@ -90,11 +90,26 @@ OE_INLINE int _getaddrinfo_read(
         else
             *ai_canonnamelen = 0;
 
-        *err_no = memcpy_s(ai_addr, ai_addrlen_in, p->ai_addr, *ai_addrlen);
-        if (*err_no != 0)
+        if (*ai_addrlen > ai_addrlen_in)
+        {
+            *err_no = OE_ENAMETOOLONG;
             goto done;
+        }
 
-        if (p->ai_canonname)
+        if (*ai_canonnamelen > ai_canonnamelen_in)
+        {
+            *err_no = OE_ENAMETOOLONG;
+            goto done;
+        }
+
+        if (ai_addr)
+        {
+            *err_no = memcpy_s(ai_addr, ai_addrlen_in, p->ai_addr, *ai_addrlen);
+            if (*err_no != 0)
+                goto done;
+        }
+
+        if (ai_canonname && p->ai_canonname)
         {
             *err_no = memcpy_s(
                 ai_canonname,
diff --git a/samples/attested_tls/client/enc/identity_verifier.cpp b/samples/attested_tls/client/enc/identity_verifier.cpp
index b586f1d014..d4cbbe82db 100644
--- a/samples/attested_tls/client/enc/identity_verifier.cpp
+++ b/samples/attested_tls/client/enc/identity_verifier.cpp
@@ -13,8 +13,9 @@ oe_result_t enclave_identity_verifier_callback(
     oe_identity_t* identity,
     void* arg)
 {
+    OE_UNUSED(arg);
+
     oe_result_t result = OE_VERIFY_FAILED;
-    bool bret = false;
 
     printf(TLS_CLIENT
            "Client:enclave_identity_verifier_callback is called with enclave "
diff --git a/samples/attested_tls/non_enc_client/client.cpp b/samples/attested_tls/non_enc_client/client.cpp
index 26bfc050a1..3a7478d351 100644
--- a/samples/attested_tls/non_enc_client/client.cpp
+++ b/samples/attested_tls/non_enc_client/client.cpp
@@ -1,13 +1,20 @@
 // Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
+#ifdef _WIN32
+#include <Ws2def.h>
+#include <winsock2.h>
+#define close closesocket
+#else
 #include <arpa/inet.h>
 #include <netdb.h>
 #include <netinet/in.h>
 #include <resolv.h>
-#include <string.h>
 #include <sys/socket.h>
 #include <unistd.h>
+#endif
+
+#include <string.h>
 
 #include <openenclave/host.h>
 #include <openssl/bio.h>
diff --git a/samples/attested_tls/non_enc_client/verify_callback.cpp b/samples/attested_tls/non_enc_client/verify_callback.cpp
index 1a8c71ddca..089adc15e4 100644
--- a/samples/attested_tls/non_enc_client/verify_callback.cpp
+++ b/samples/attested_tls/non_enc_client/verify_callback.cpp
@@ -1,12 +1,18 @@
 // Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
+#ifdef _WIN32
+#include <Ws2def.h>
+#include <winsock2.h>
+#else
 #include <arpa/inet.h>
 #include <netdb.h>
 #include <netinet/in.h>
 #include <resolv.h>
-#include <string.h>
 #include <sys/socket.h>
+#endif
+
+#include <string.h>
 
 #include <openenclave/host.h>
 #include <openssl/bio.h>
diff --git a/samples/attested_tls/scripts/gen_mrenclave_header.py b/samples/attested_tls/scripts/gen_mrenclave_header.py
index 86680b2ce9..f1f5f4bcfa 100644
--- a/samples/attested_tls/scripts/gen_mrenclave_header.py
+++ b/samples/attested_tls/scripts/gen_mrenclave_header.py
@@ -50,7 +50,7 @@ def gen_header(inpath, outpath):
 if __name__ == "__main__":
     if len(sys.argv) < 3:
         print("Usage: gen_mrenclave_header.py <oesign_dump> <output_file>")
-        exit(1)
+        sys.exit(1)
 
     outpath = sys.argv[1]
     inpath = sys.argv[2]
diff --git a/samples/attested_tls/server/enc/CMakeLists.txt b/samples/attested_tls/server/enc/CMakeLists.txt
index 99438cc632..a321c9a449 100644
--- a/samples/attested_tls/server/enc/CMakeLists.txt
+++ b/samples/attested_tls/server/enc/CMakeLists.txt
@@ -1,6 +1,8 @@
 # Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
+find_package(PythonInterp 3 REQUIRED)
+
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT tls_server_t.h tls_server_t.c tls_server_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/server/tls_server.edl

From 388f5dcbb0412661b643611e1c5efac9c86bae40 Mon Sep 17 00:00:00 2001
From: Vikas Tikoo <vitikoo@microsoft.com>
Date: Wed, 27 Nov 2019 20:22:12 +0000
Subject: [PATCH 345/420] Removed code related to deprecation of strftime

Signed-off-by: Vikas Tikoo <vitikoo@microsoft.com>
---
 3rdparty/musl/deprecations.h | 26 -------------------------
 libc/CMakeLists.txt          |  1 +
 libc/time.c                  | 37 ------------------------------------
 3 files changed, 1 insertion(+), 63 deletions(-)
 delete mode 100644 libc/time.c

diff --git a/3rdparty/musl/deprecations.h b/3rdparty/musl/deprecations.h
index bb7d2dbcd8..c684479654 100644
--- a/3rdparty/musl/deprecations.h
+++ b/3rdparty/musl/deprecations.h
@@ -57,32 +57,6 @@ int pthread_join(pthread_t thread, void** retval);
 OE_LIBC_DEPRECATED(OE_UNSUPPORTED_ENCLAVE_FUNCTION)
 int pthread_detach(pthread_t thread);
 
-/*
-**==============================================================================
-**
-** <time.h>
-**
-**==============================================================================
-*/
-
-// Need this since including <time.h> will create a circular dependency.
-struct tm;
-
-OE_LIBC_DEPRECATED(OE_UNSUPPORTED_ENCLAVE_FUNCTION)
-size_t strftime(
-    char* s,
-    size_t maxparam,
-    const char* format,
-    const struct tm* tm);
-
-OE_LIBC_DEPRECATED(OE_UNSUPPORTED_ENCLAVE_FUNCTION)
-size_t strftime_l(
-    char* s,
-    size_t maxparam,
-    const char* format,
-    const struct tm* tm,
-    locale_t loc);
-
 OE_LIBC_EXTERN_C_END
 
 #endif /* !defined(OE_LIBC_SUPPRESS_DEPRECATIONS) && !defined(__ASSEMBLER__) \
diff --git a/libc/CMakeLists.txt b/libc/CMakeLists.txt
index 4b239abb32..e0fd01835d 100644
--- a/libc/CMakeLists.txt
+++ b/libc/CMakeLists.txt
@@ -747,6 +747,7 @@ add_library(oelibc STATIC
     ${MUSLSRC}/time/mktime.c
     ${MUSLSRC}/time/nanosleep.c
     ${MUSLSRC}/time/__secs_to_tm.c
+    ${MUSLSRC}/time/strftime.c
     ${MUSLSRC}/time/__tz.c
     ${MUSLSRC}/time/time.c
     ${MUSLSRC}/time/__tm_to_secs.c
diff --git a/libc/time.c b/libc/time.c
deleted file mode 100644
index 59b6e11505..0000000000
--- a/libc/time.c
+++ /dev/null
@@ -1,37 +0,0 @@
-// Copyright (c) Open Enclave SDK contributors.
-// Licensed under the MIT License.
-
-#include <assert.h>
-#include <openenclave/enclave.h>
-#include <stdlib.h>
-#include <sys/time.h>
-#include <time.h>
-
-// MUSL gmtime_r.c depends on these variable definitions.
-const char __gmt[] = "GMT";
-
-size_t strftime(char* s, size_t max, const char* format, const struct tm* tm)
-{
-    OE_UNUSED(s);
-    OE_UNUSED(max);
-    OE_UNUSED(format);
-    OE_UNUSED(tm);
-    assert("strftime(): panic" == NULL);
-    return 0;
-}
-
-size_t strftime_l(
-    char* s,
-    size_t max,
-    const char* format,
-    const struct tm* tm,
-    locale_t loc)
-{
-    OE_UNUSED(s);
-    OE_UNUSED(max);
-    OE_UNUSED(format);
-    OE_UNUSED(tm);
-    OE_UNUSED(loc);
-    assert("strftime_l(): panic" == NULL);
-    return 0;
-}

From 8dad574b313117cecb26d6065cbfd63323f28004 Mon Sep 17 00:00:00 2001
From: Vikas Tikoo <vitikoo@microsoft.com>
Date: Wed, 27 Nov 2019 20:34:24 +0000
Subject: [PATCH 346/420] Remove libc/time.c from oelibc sources

Signed-off-by: Vikas Tikoo <vitikoo@microsoft.com>
---
 libc/CMakeLists.txt | 1 -
 1 file changed, 1 deletion(-)

diff --git a/libc/CMakeLists.txt b/libc/CMakeLists.txt
index e0fd01835d..4cf4f3375f 100644
--- a/libc/CMakeLists.txt
+++ b/libc/CMakeLists.txt
@@ -76,7 +76,6 @@ add_library(oelibc STATIC
     strerror.c
     syscalls.c
     sysconf.c
-    time.c
     regcomp.c
     regexec.c
     tre-mem.c

From 7f6ede6f549058e65aaf0da98b41927f429fa2e3 Mon Sep 17 00:00:00 2001
From: Thomas Tendyck <tt@edgeless.systems>
Date: Fri, 29 Nov 2019 16:11:22 +0100
Subject: [PATCH 347/420] Fix oe_accept not returning peer addr

Signed-off-by: Thomas Tendyck <tt@edgeless.systems>
---
 syscall/devices/hostsock/hostsock.c |  8 ++++++++
 tests/syscall/socket/enc/enc.c      | 11 ++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/syscall/devices/hostsock/hostsock.c b/syscall/devices/hostsock/hostsock.c
index a346f70ddd..a69d3cc50c 100644
--- a/syscall/devices/hostsock/hostsock.c
+++ b/syscall/devices/hostsock/hostsock.c
@@ -271,6 +271,14 @@ static oe_fd_t* _hostsock_accept(
             OE_RAISE_ERRNO_MSG(oe_errno, "retval=%d", retval);
 
         new_sock->host_fd = retval;
+
+        // copy peer addr to out buffer
+        if (addrlen && *addrlen <= addrlen_in)
+        {
+            oe_assert(addr);
+            if (oe_memcpy_s(addr, addrlen_in, &buf, *addrlen) != OE_OK)
+                OE_RAISE_ERRNO(OE_EINVAL);
+        }
     }
 
     ret = &new_sock->base;
diff --git a/tests/syscall/socket/enc/enc.c b/tests/syscall/socket/enc/enc.c
index 4a07589b2d..08e5c2b897 100644
--- a/tests/syscall/socket/enc/enc.c
+++ b/tests/syscall/socket/enc/enc.c
@@ -144,7 +144,16 @@ int ecall_run_server()
     {
         oe_sleep_msec(1);
         printf("enc: accepting\n");
-        connfd = oe_accept(listenfd, (struct oe_sockaddr*)NULL, NULL);
+
+        struct oe_sockaddr_in peer_addr = {0};
+        oe_socklen_t peer_addr_len = sizeof peer_addr;
+        connfd = oe_accept(
+            listenfd, (struct oe_sockaddr*)&peer_addr, &peer_addr_len);
+        OE_TEST(peer_addr_len == sizeof peer_addr);
+        OE_TEST(peer_addr.sin_family == OE_AF_INET);
+        OE_TEST(oe_ntohs(peer_addr.sin_port) >= 1024);
+        OE_TEST(oe_ntohl(peer_addr.sin_addr.s_addr) == OE_INADDR_LOOPBACK);
+
         if (connfd >= 0)
         {
             printf("enc: accepted fd = %d\n", connfd);

From 336036ab4ef3bd68dced3239deb3a744c3024455 Mon Sep 17 00:00:00 2001
From: Yen Lee <yenlee@microsoft.com>
Date: Tue, 26 Nov 2019 17:15:00 -0800
Subject: [PATCH 348/420] oecert dump

Signed-off-by: Yen Lee <yenlee@microsoft.com>
---
 tests/tools/CMakeLists.txt                 |   1 +
 tests/tools/oecertdump/CMakeLists.txt      |   8 +
 tests/tools/oecertdump/README.md           |  13 +
 tests/tools/oecertdump/enc/CMakeLists.txt  |  13 +
 tests/tools/oecertdump/enc/enc.cpp         | 319 ++++++++++++++
 tests/tools/oecertdump/host/CMakeLists.txt |  11 +
 tests/tools/oecertdump/host/host.cpp       | 457 +++++++++++++++++++++
 tests/tools/oecertdump/oecertdump.edl      |  18 +
 8 files changed, 840 insertions(+)
 create mode 100644 tests/tools/oecertdump/CMakeLists.txt
 create mode 100644 tests/tools/oecertdump/README.md
 create mode 100644 tests/tools/oecertdump/enc/CMakeLists.txt
 create mode 100644 tests/tools/oecertdump/enc/enc.cpp
 create mode 100644 tests/tools/oecertdump/host/CMakeLists.txt
 create mode 100644 tests/tools/oecertdump/host/host.cpp
 create mode 100644 tests/tools/oecertdump/oecertdump.edl

diff --git a/tests/tools/CMakeLists.txt b/tests/tools/CMakeLists.txt
index 257f1018d3..251913c0fb 100644
--- a/tests/tools/CMakeLists.txt
+++ b/tests/tools/CMakeLists.txt
@@ -3,4 +3,5 @@
 
 if (OE_SGX)
     add_subdirectory(oecert)
+    add_subdirectory(oecertdump)
 endif()
diff --git a/tests/tools/oecertdump/CMakeLists.txt b/tests/tools/oecertdump/CMakeLists.txt
new file mode 100644
index 0000000000..00835ae94f
--- /dev/null
+++ b/tests/tools/oecertdump/CMakeLists.txt
@@ -0,0 +1,8 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+if (BUILD_ENCLAVES)
+   add_subdirectory(enc)
+endif()
+
+add_subdirectory(host)
\ No newline at end of file
diff --git a/tests/tools/oecertdump/README.md b/tests/tools/oecertdump/README.md
new file mode 100644
index 0000000000..9f59b8851d
--- /dev/null
+++ b/tests/tools/oecertdump/README.md
@@ -0,0 +1,13 @@
+oecertdump
+=====
+
+oecertdump is a utility that generates and validates report and certificates.
+Generation and validation logs are save to a log file specified by --out option.
+Default log filename is "oecertdump_out.log".
+
+Usage: oecertdump ENCLAVE_PATH Options
+
+where Options are:
+    --out FILENAME        : specify output filename.
+
+Example: host/oecertdump enc/oecertdump_enc --out myoutput.log
\ No newline at end of file
diff --git a/tests/tools/oecertdump/enc/CMakeLists.txt b/tests/tools/oecertdump/enc/CMakeLists.txt
new file mode 100644
index 0000000000..c9c76f15e8
--- /dev/null
+++ b/tests/tools/oecertdump/enc/CMakeLists.txt
@@ -0,0 +1,13 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+add_custom_command(OUTPUT oecertdump_t.h oecertdump_t.c oecertdump_args.h
+  DEPENDS ../oecertdump.edl edger8r
+  COMMAND edger8r --trusted ${CMAKE_CURRENT_SOURCE_DIR}/../oecertdump.edl)
+
+add_enclave(TARGET oecertdump_enc SOURCES enc.cpp ${CMAKE_CURRENT_BINARY_DIR}/oecertdump_t.c)
+
+# Need for the generated file oecert_t.h
+target_include_directories(oecertdump_enc PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+
+target_link_libraries(oecertdump_enc oeenclave oelibc)
\ No newline at end of file
diff --git a/tests/tools/oecertdump/enc/enc.cpp b/tests/tools/oecertdump/enc/enc.cpp
new file mode 100644
index 0000000000..412352bec0
--- /dev/null
+++ b/tests/tools/oecertdump/enc/enc.cpp
@@ -0,0 +1,319 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <mbedtls/ctr_drbg.h>
+#include <mbedtls/entropy.h>
+#include <mbedtls/pk.h>
+#include <mbedtls/rsa.h>
+#include <openenclave/edger8r/enclave.h>
+#include <openenclave/enclave.h>
+#include <openenclave/internal/raise.h>
+#include <openenclave/internal/report.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "oecertdump_t.h"
+
+// This is the identity validation callback. A TLS connecting party (client or
+// server) can verify the passed in identity information to decide whether to
+// accept a connection request
+oe_result_t enclave_identity_verifier(oe_identity_t* identity, void* arg)
+{
+    oe_result_t result = OE_VERIFY_FAILED;
+
+    (void)arg;
+    OE_TRACE_INFO("enclave_identity_verifier is called with parsed report:\n");
+
+    // Check the enclave's security version
+    if (identity->security_version < 1)
+    {
+        OE_TRACE_ERROR(
+            "identity->security_version checking failed (%d)\n",
+            identity->security_version);
+        goto done;
+    }
+
+    // Dump an enclave's unique ID, signer ID and Product ID. They are
+    // MRENCLAVE, MRSIGNER and ISVPRODID for SGX enclaves. In a real scenario,
+    // custom id checking should be done here
+
+    OE_TRACE_INFO("identity->signer_id :\n");
+    for (int i = 0; i < OE_UNIQUE_ID_SIZE; i++)
+        OE_TRACE_INFO("0x%0x ", (uint8_t)identity->signer_id[i]);
+
+    OE_TRACE_INFO("\nparsed_report->identity.signer_id :\n");
+    for (int i = 0; i < OE_SIGNER_ID_SIZE; i++)
+        OE_TRACE_INFO("0x%0x ", (uint8_t)identity->signer_id[i]);
+
+    OE_TRACE_INFO("\nidentity->product_id :\n");
+    for (int i = 0; i < OE_PRODUCT_ID_SIZE; i++)
+        OE_TRACE_INFO("0x%0x ", (uint8_t)identity->product_id[i]);
+
+    result = OE_OK;
+done:
+    return result;
+}
+
+// input: input_data and input_data_len
+// output: key, key_size
+oe_result_t generate_key_pair(
+    int key_type,
+    uint8_t** public_key,
+    size_t* public_key_size,
+    uint8_t** private_key,
+    size_t* private_key_size)
+{
+    oe_result_t result = OE_FAILURE;
+    oe_asymmetric_key_params_t params;
+    char user_data[] = "test user data!";
+    size_t user_data_size = sizeof(user_data) - 1;
+    uint8_t* local_public_key = NULL;
+    uint8_t* local_private_key = NULL;
+
+    if (key_type == MBEDTLS_PK_ECKEY)
+    {
+        params.type =
+            OE_ASYMMETRIC_KEY_EC_SECP256P1; // MBEDTLS_ECP_DP_SECP256R1
+        params.format = OE_ASYMMETRIC_KEY_PEM;
+        params.user_data = user_data;
+        params.user_data_size = user_data_size;
+        result = oe_get_public_key_by_policy(
+            OE_SEAL_POLICY_UNIQUE,
+            &params,
+            public_key,
+            public_key_size,
+            NULL,
+            NULL);
+        OE_CHECK(result);
+
+        result = oe_get_private_key_by_policy(
+            OE_SEAL_POLICY_UNIQUE,
+            &params,
+            private_key,
+            private_key_size,
+            NULL,
+            NULL);
+        OE_CHECK(result);
+    }
+    else if (key_type == MBEDTLS_PK_RSA)
+    {
+        int res = -1;
+        mbedtls_ctr_drbg_context ctr_drbg_contex;
+        mbedtls_entropy_context entropy_context;
+        mbedtls_pk_context pk_context;
+        size_t local_public_key_size = 512;
+        size_t local_private_key_size = 2048;
+
+        mbedtls_ctr_drbg_init(&ctr_drbg_contex);
+        mbedtls_entropy_init(&entropy_context);
+        mbedtls_pk_init(&pk_context);
+
+        // Initialize entropy.
+        res = mbedtls_ctr_drbg_seed(
+            &ctr_drbg_contex, mbedtls_entropy_func, &entropy_context, NULL, 0);
+        if (res != 0)
+        {
+            OE_TRACE_ERROR("mbedtls_ctr_drbg_seed failed.");
+            goto clean_rsa;
+        }
+
+        // Initialize RSA context.
+        res = mbedtls_pk_setup(
+            &pk_context, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
+        if (res != 0)
+        {
+            OE_TRACE_ERROR("mbedtls_pk_setup failed (%d).", res);
+            goto clean_rsa;
+        }
+
+        // Generate an ephemeral 2048-bit RSA key pair with
+        // exponent 65537 for the enclave.
+        res = mbedtls_rsa_gen_key(
+            mbedtls_pk_rsa(pk_context),
+            mbedtls_ctr_drbg_random,
+            &ctr_drbg_contex,
+            2048,
+            65537);
+        if (res != 0)
+        {
+            OE_TRACE_ERROR("mbedtls_rsa_gen_key failed (%d)\n", res);
+            goto clean_rsa;
+        }
+
+        /* Call again with the allocated memory. */
+        local_public_key = (uint8_t*)malloc(local_public_key_size);
+        if (local_public_key == NULL)
+            OE_RAISE(OE_OUT_OF_MEMORY);
+        memset((void*)local_public_key, 0, local_public_key_size);
+
+        local_private_key = (uint8_t*)malloc(local_private_key_size);
+        if (local_private_key == NULL)
+            OE_RAISE(OE_OUT_OF_MEMORY);
+        memset((void*)local_private_key, 0, local_private_key_size);
+
+        // Write out the public/private key in PEM format for exchange with
+        // other enclaves.
+        res = mbedtls_pk_write_pubkey_pem(
+            &pk_context, local_public_key, local_public_key_size);
+        if (res != 0)
+        {
+            OE_TRACE_ERROR("mbedtls_pk_write_pubkey_pem failed (%d)\n", res);
+            goto clean_rsa;
+        }
+
+        res = mbedtls_pk_write_key_pem(
+            &pk_context, local_private_key, local_private_key_size);
+        if (res != 0)
+        {
+            OE_TRACE_ERROR("mbedtls_pk_write_key_pem failed (%d)\n", res);
+            goto clean_rsa;
+        }
+
+        *public_key = local_public_key;
+        // plus one to make sure \0 at the end is counted
+        *public_key_size = strlen((const char*)local_public_key) + 1;
+
+        *private_key = local_private_key;
+        *private_key_size = strlen((const char*)local_private_key) + 1;
+
+        local_public_key = NULL;
+        local_private_key = NULL;
+
+        OE_TRACE_INFO("public_key_size\n[%d]\n", *public_key_size);
+        OE_TRACE_INFO("public_key\n[%s]\n", *public_key);
+        result = OE_OK;
+
+    clean_rsa:
+        mbedtls_pk_free(&pk_context);
+        mbedtls_ctr_drbg_free(&ctr_drbg_contex);
+        mbedtls_entropy_free(&entropy_context);
+    }
+    else
+    {
+        OE_TRACE_ERROR("Unsupported key type [%d]\n", key_type);
+    }
+
+done:
+    if (local_public_key)
+        free(local_public_key);
+    if (local_private_key)
+        free(local_private_key);
+
+    return result;
+}
+
+static oe_result_t get_tls_cert_signed_with_key(
+    int key_type,
+    unsigned char** cert,
+    size_t* cert_size)
+{
+    oe_result_t result = OE_FAILURE;
+    uint8_t* host_cert_buf = NULL;
+
+    uint8_t* output_cert = NULL;
+    size_t output_cert_size = 0;
+
+    uint8_t* private_key = NULL;
+    size_t private_key_size = 0;
+    uint8_t* public_key = NULL;
+    size_t public_key_size = 0;
+
+    OE_TRACE_INFO("called into enclave\n");
+
+    // generate public/private key pair
+    result = generate_key_pair(
+        key_type,
+        &public_key,
+        &public_key_size,
+        &private_key,
+        &private_key_size);
+    if (result != OE_OK)
+    {
+        OE_TRACE_ERROR(" failed with %s\n", oe_result_str(result));
+        goto done;
+    }
+    if (result != OE_OK)
+    {
+        OE_TRACE_ERROR(" failed with %s\n", oe_result_str(result));
+        goto done;
+    }
+
+    OE_TRACE_INFO("private key:[%s]\n", private_key);
+    OE_TRACE_INFO("public key:[%s]\n", public_key);
+
+    result = oe_generate_attestation_certificate(
+        (const unsigned char*)"CN=Open Enclave SDK,O=OESDK TLS,C=US",
+        private_key,
+        private_key_size,
+        public_key,
+        public_key_size,
+        &output_cert,
+        &output_cert_size);
+    if (result != OE_OK)
+    {
+        OE_TRACE_ERROR(" failed with %s\n", oe_result_str(result));
+        goto done;
+    }
+
+    OE_TRACE_INFO("output_cert_size = 0x%x", output_cert_size);
+    // validate cert inside the enclave
+    result = oe_verify_attestation_certificate(
+        output_cert, output_cert_size, enclave_identity_verifier, NULL);
+    OE_TRACE_INFO(
+        "\nFrom inside enclave: verifying the certificate... %s\n",
+        result == OE_OK ? "Success" : "Fail");
+
+    // copy cert to host memory
+    host_cert_buf = (uint8_t*)oe_host_malloc(output_cert_size);
+    if (host_cert_buf == NULL)
+    {
+        result = OE_OUT_OF_MEMORY;
+        goto done;
+    }
+
+    // copy to the host for host-side validation test
+    memcpy(host_cert_buf, output_cert, output_cert_size);
+    *cert_size = output_cert_size;
+    *cert = host_cert_buf;
+    OE_TRACE_INFO("*cert = %p", *cert);
+    OE_TRACE_INFO("*cert_size = 0x%x", *cert_size);
+
+done:
+
+    free(private_key);
+    free(public_key);
+    oe_free_attestation_certificate(output_cert);
+
+    return result;
+}
+
+oe_result_t get_tls_cert_signed_with_ec_key(
+    unsigned char** cert,
+    size_t* cert_size)
+{
+    return get_tls_cert_signed_with_key(MBEDTLS_PK_ECKEY, cert, cert_size);
+}
+
+oe_result_t get_tls_cert_signed_with_rsa_key(
+    unsigned char** cert,
+    size_t* cert_size)
+{
+    return get_tls_cert_signed_with_key(MBEDTLS_PK_RSA, cert, cert_size);
+}
+
+oe_result_t dump_revocation_info(
+    unsigned char** revocation_info_args,
+    size_t* revocation_info_args_size)
+{
+    (void)revocation_info_args;
+    (void)revocation_info_args_size;
+    return OE_OK;
+}
+
+OE_SET_ENCLAVE_SGX(
+    1,    /* ProductID */
+    1,    /* SecurityVersion */
+    true, /* AllowDebug */
+    128,  /* HeapPageCount */
+    128,  /* StackPageCount */
+    1);   /* TCSCount */
diff --git a/tests/tools/oecertdump/host/CMakeLists.txt b/tests/tools/oecertdump/host/CMakeLists.txt
new file mode 100644
index 0000000000..6208481bff
--- /dev/null
+++ b/tests/tools/oecertdump/host/CMakeLists.txt
@@ -0,0 +1,11 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+add_custom_command(OUTPUT oecertdump_u.h oecertdump_u.c oecertdump_args.h
+  DEPENDS ../oecertdump.edl edger8r
+  COMMAND edger8r --untrusted ${CMAKE_CURRENT_SOURCE_DIR}/../oecertdump.edl)
+
+add_executable(oecertdump host.cpp ${CMAKE_CURRENT_BINARY_DIR}/oecertdump_u.c)
+
+target_include_directories(oecertdump PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+target_link_libraries(oecertdump oehost)
\ No newline at end of file
diff --git a/tests/tools/oecertdump/host/host.cpp b/tests/tools/oecertdump/host/host.cpp
new file mode 100644
index 0000000000..21eb349af6
--- /dev/null
+++ b/tests/tools/oecertdump/host/host.cpp
@@ -0,0 +1,457 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <dlfcn.h>
+#include <limits.h>
+#include <openenclave/host.h>
+#include <openenclave/internal/report.h>
+#include <openenclave/internal/sgxcertextensions.h>
+#include <openenclave/internal/tests.h>
+#include <openssl/bio.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "oecertdump_u.h"
+
+#include "../../../../common/sgx/quote.h"
+#include "../../../../common/sgx/revocation.h"
+
+#include "../../../../host/sgx/sgxquoteprovider.h"
+
+#ifdef OE_LINK_SGX_DCAP_QL
+
+#define INPUT_PARAM_OPTION_OUT_FILE "--out"
+#define INPUT_PARAM_USAGE "--help"
+#define DEFAULT_OUTPUTFILE "oecertdump_out.log"
+
+// Structure to store input parameters
+//
+typedef struct _input_params
+{
+    const char* enclave_filename;
+    const char* out_filename;
+} input_params_t;
+
+static input_params_t _params;
+static FILE* log_file = NULL;
+
+void log(const char* fmt, ...)
+{
+    char message[4096];
+    va_list args;
+    va_start(args, fmt);
+    vsnprintf(message, sizeof(message), fmt, args);
+    va_end(args);
+
+    // ensure buf is always null-terminated
+    message[sizeof(message) - 1] = 0;
+
+    if (log_file)
+    {
+        fprintf(log_file, "%s", message);
+    }
+    else
+    {
+        printf("%s", message);
+    }
+}
+
+// This is the identity validation callback. An TLS connecting party (client or
+// server) can verify the passed in "identity" information to decide whether to
+// accept an connection request
+oe_result_t enclave_identity_verifier(oe_identity_t* identity, void* arg)
+{
+    oe_result_t result = OE_VERIFY_FAILED;
+
+    (void)arg;
+    log("enclave_identity_verifier is called with parsed report:\n");
+
+    // Check the enclave's security version
+    log("identity.security_version = %d\n", identity->security_version);
+    if (identity->security_version < 1)
+    {
+        log("identity.security_version check failed (%d)\n",
+            identity->security_version);
+        goto done;
+    }
+
+    // Dump an enclave's unique ID, signer ID and Product ID. They are
+    // MRENCLAVE, MRSIGNER and ISVPRODID for SGX enclaves.  In a real scenario,
+    // custom id checking should be done here
+    log("identity->signer_id :\n");
+    for (int i = 0; i < OE_UNIQUE_ID_SIZE; i++)
+        log("0x%0x ", (uint8_t)identity->signer_id[i]);
+
+    log("\nidentity->signer_id :\n");
+    for (int i = 0; i < OE_SIGNER_ID_SIZE; i++)
+        log("0x%0x ", (uint8_t)identity->signer_id[i]);
+
+    log("\nidentity->product_id :\n");
+    for (int i = 0; i < OE_PRODUCT_ID_SIZE; i++)
+        log("0x%0x ", (uint8_t)identity->product_id[i]);
+    log("\n");
+
+    result = OE_OK;
+done:
+    return result;
+}
+
+// Azure dcap client log callback to this function.
+void oecertdump_quote_provider_log(
+    sgx_ql_log_level_t level,
+    const char* message)
+{
+    const char* level_string = level == 0 ? "ERROR" : "INFO";
+
+    log("[%s]: %s\n", level_string, message);
+}
+
+// Set Azure dcap calient log callback
+void _set_log_callback()
+{
+    extern oe_sgx_quote_provider_t provider;
+
+    sgx_ql_set_logging_function_t set_log_fcn =
+        (sgx_ql_set_logging_function_t)dlsym(
+            provider.handle, "sgx_ql_set_logging_function");
+    if (set_log_fcn != NULL)
+    {
+        set_log_fcn(oecertdump_quote_provider_log);
+    }
+}
+
+void output_certificate(const uint8_t* data, size_t data_len)
+{
+    if (log_file)
+    {
+        fprintf(log_file, "\n");
+        X509* x509;
+        BIO* input = BIO_new_mem_buf(data, (int)data_len);
+        x509 = d2i_X509_bio(input, NULL);
+        if (x509)
+        {
+            X509_print_ex_fp(
+                log_file, x509, XN_FLAG_COMPAT, XN_FLAG_SEP_CPLUS_SPC);
+        }
+        BIO_free_all(input);
+        fprintf(log_file, "\n");
+    }
+}
+
+void validate_certificate(uint8_t* cert, size_t cert_size)
+{
+    oe_result_t result;
+
+    result = oe_verify_attestation_certificate(
+        cert, cert_size, enclave_identity_verifier, NULL);
+
+    log("Certificate verification result: %s\n", oe_result_str(result));
+}
+
+static oe_result_t _gen_cert(oe_enclave_t* enclave)
+{
+    oe_result_t result = OE_FAILURE;
+    oe_result_t ecall_result;
+    unsigned char* cert = NULL;
+    size_t cert_size = 0;
+
+    log("========== Getting certificates\n");
+
+    // EC Key
+    result = get_tls_cert_signed_with_ec_key(
+        enclave, &ecall_result, &cert, &cert_size);
+    if ((result != OE_OK) || (ecall_result != OE_OK))
+    {
+        log("Failed to create certificate. Enclave: %s, Host: %s\n",
+            oe_result_str(ecall_result),
+            oe_result_str(result));
+
+        goto exit;
+    }
+    else
+    {
+        output_certificate(cert, cert_size);
+        validate_certificate(cert, cert_size);
+    }
+    if (cert)
+    {
+        free(cert);
+        cert = NULL;
+    }
+    cert_size = 0;
+
+    // RSA Key
+    result = get_tls_cert_signed_with_rsa_key(
+        enclave, &ecall_result, &cert, &cert_size);
+    if ((result != OE_OK) || (ecall_result != OE_OK))
+    {
+        log("Failed to create certificate. Enclave: %s, Host: %s\n",
+            oe_result_str(ecall_result),
+            oe_result_str(result));
+
+        goto exit;
+    }
+    else
+    {
+        output_certificate(cert, cert_size);
+        validate_certificate(cert, cert_size);
+    }
+
+exit:
+    // deallcate resources
+    if (cert)
+        free(cert);
+
+    return result;
+}
+
+static oe_result_t _gen_report(oe_enclave_t* enclave)
+{
+    size_t report_size = OE_MAX_REPORT_SIZE;
+    uint8_t* remote_report = NULL;
+
+    log("========== Getting report\n");
+
+    oe_result_t result = oe_get_report(
+        enclave,
+        OE_REPORT_FLAGS_REMOTE_ATTESTATION,
+        NULL, // opt_params must be null
+        0,
+        (uint8_t**)&remote_report,
+        &report_size);
+    if (result == OE_OK)
+    {
+        log("========== Got report, size = %zu\n\n", report_size);
+
+        // Print endorsements
+        {
+            uint8_t* endorsements_data = NULL;
+            size_t endorsements_data_size = 0;
+            oe_report_header_t* header = (oe_report_header_t*)remote_report;
+            sgx_quote_t* quote = (sgx_quote_t*)header->report;
+            uint64_t quote_size = header->report_size;
+
+            result = oe_get_sgx_endorsements(
+                (const uint8_t*)quote,
+                quote_size,
+                &endorsements_data,
+                &endorsements_data_size);
+            if (result != OE_OK)
+            {
+                log("ERROR: Failed to get endorsements\n");
+                goto exit;
+            }
+
+            log("========== Got endorsements, size = %zu\n",
+                endorsements_data_size);
+            log("CPU_SVN: '");
+            for (uint64_t n = 0; n < SGX_CPUSVN_SIZE; n++)
+            {
+                log("%02x", quote->report_body.cpusvn[n]);
+            }
+            log("'\nQEID: '");
+            for (uint64_t n = 0; n < 16; n++)
+            {
+                log("%02x", quote->user_data[n]);
+            }
+            log("'\nRevocation TCB_INFO:\n");
+            oe_sgx_endorsements_t endorsements;
+            result = oe_parse_sgx_endorsements(
+                (oe_endorsements_t*)endorsements_data,
+                endorsements_data_size,
+                &endorsements);
+            oe_sgx_endorsement_item tcb_info =
+                endorsements.items[OE_SGX_ENDORSEMENT_FIELD_TCB_INFO];
+            log("%s\n\n", tcb_info.data);
+        }
+
+        // Verify report
+        {
+            log("========== Verifying report\n");
+
+            oe_report_t parsed_report;
+            result = oe_verify_report(
+                NULL, remote_report, report_size, &parsed_report);
+            if (result != OE_OK)
+            {
+                log("Failed to verify report. result=%u (%s)\n",
+                    result,
+                    oe_result_str(result));
+                goto exit;
+            }
+            else
+            {
+                log("========== Report verified\n\n");
+            }
+        }
+    }
+    else
+    {
+        log("Failed to create report. Error: %s\n", oe_result_str(result));
+    }
+
+exit:
+    if (remote_report)
+        oe_free_report(remote_report);
+
+    return result;
+}
+
+static void _display_help(const char* cmd)
+{
+    printf("Usage: %s ENCLAVE_PATH Options\n", cmd);
+    printf("\tOptions:\n");
+    printf("\t%s : output filename.\n", INPUT_PARAM_OPTION_OUT_FILE);
+}
+
+static int _parse_args(int argc, const char* argv[])
+{
+    if (argc < 1)
+    {
+        _display_help(argv[0]);
+        return 1;
+    }
+
+    // clear params memory
+    memset(&_params, 0, sizeof(_params));
+
+    int i = 1; // current index
+    // save
+    _params.enclave_filename = argv[i++];
+    _params.out_filename = DEFAULT_OUTPUTFILE;
+
+    // Verify enclave file is valid
+    FILE* fp = fopen(_params.enclave_filename, "rb");
+    if (!fp)
+    {
+        printf("Failed to find file: %s\n", _params.enclave_filename);
+        return 1;
+    }
+    else
+        fclose(fp);
+
+    while (i < argc)
+    {
+        if (strcmp(INPUT_PARAM_OPTION_OUT_FILE, argv[i]) == 0)
+        {
+            if (argc >= i + 1)
+            {
+                _params.out_filename = argv[i + 1];
+                i += 2;
+            }
+            else
+            {
+                printf(
+                    "%s has invalid number of parameters.\n",
+                    INPUT_PARAM_OPTION_OUT_FILE);
+                _display_help(argv[0]);
+                return 1;
+            }
+        }
+        else if (strcmp(INPUT_PARAM_USAGE, argv[i]) == 0)
+        {
+            _display_help(argv[0]);
+            return 1;
+        }
+        else
+        {
+            printf("Invalid option: %s\n", argv[i]);
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
+static oe_result_t _process_params(oe_enclave_t* enclave)
+{
+    oe_result_t result = OE_FAILURE;
+
+    result = _gen_report(enclave);
+    if (result != OE_OK)
+        return result;
+
+    result = _gen_cert(enclave);
+
+    return result;
+}
+
+#endif // OE_LINK_SGX_DCAP_QL
+
+int main(int argc, const char* argv[])
+{
+    int ret = 0;
+
+#ifdef OE_LINK_SGX_DCAP_QL
+    oe_result_t result;
+    oe_enclave_t* enclave = NULL;
+
+    const uint32_t flags = oe_get_create_flags();
+    if ((flags & OE_ENCLAVE_FLAG_SIMULATE) != 0)
+    {
+        printf("oecert not supported in simulation mode.\n");
+        goto exit;
+    }
+
+    ret = _parse_args(argc, argv);
+    if (ret != 0)
+        goto exit;
+
+    if ((result = oe_create_oecertdump_enclave(
+             _params.enclave_filename,
+             OE_ENCLAVE_TYPE_AUTO,
+             OE_ENCLAVE_FLAG_DEBUG,
+             NULL,
+             0,
+             &enclave)) != OE_OK)
+    {
+        printf(
+            "Failed to create enclave. result=%u (%s)\n",
+            result,
+            oe_result_str(result));
+        ret = 1;
+        goto exit;
+    }
+
+    // Create log file
+    log_file = fopen(_params.out_filename, "w");
+    if (!log_file)
+    {
+        printf("Failed to open log file %s\n", _params.out_filename);
+        ret = 1;
+        goto exit;
+    }
+
+    // Initialize quote provider and set log callback
+    oe_initialize_quote_provider();
+    _set_log_callback();
+
+    if ((result = _process_params(enclave)) != OE_OK)
+    {
+        log("Failed to process parameters. result=%u (%s)\n",
+            result,
+            oe_result_str(result));
+        ret = 1;
+        goto exit;
+    }
+
+exit:
+    if (enclave)
+        oe_terminate_enclave(enclave);
+
+    if (log_file)
+    {
+        fflush(log_file);
+        fclose(log_file);
+    }
+
+#else
+#pragma message \
+    "OE_LINK_SGX_DCAP_QL is not set to ON.  This tool requires DCAP libraries."
+    OE_UNUSED(argc);
+    OE_UNUSED(argv);
+#endif
+    return ret;
+}
diff --git a/tests/tools/oecertdump/oecertdump.edl b/tests/tools/oecertdump/oecertdump.edl
new file mode 100644
index 0000000000..4081960b89
--- /dev/null
+++ b/tests/tools/oecertdump/oecertdump.edl
@@ -0,0 +1,18 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+enclave {
+    trusted {
+        public oe_result_t dump_revocation_info(
+            [out] unsigned char **revocation_info_args,
+            [out] size_t *revocation_info_args_size);
+
+        public oe_result_t get_tls_cert_signed_with_ec_key(
+            [out] unsigned char** data,
+            [out] size_t* data_size);
+
+        public oe_result_t get_tls_cert_signed_with_rsa_key(
+            [out] unsigned char** data,
+            [out] size_t* data_size);
+    };
+};

From e6ff52cf28dd960d9d8cf2fa3c2d352505f9cc23 Mon Sep 17 00:00:00 2001
From: Yen Lee <yenlee@microsoft.com>
Date: Wed, 27 Nov 2019 11:00:08 -0800
Subject: [PATCH 349/420] format fix

Signed-off-by: Yen Lee <yenlee@microsoft.com>
---
 tests/tools/oecertdump/host/host.cpp | 39 +++++++++++++++++-----------
 1 file changed, 24 insertions(+), 15 deletions(-)

diff --git a/tests/tools/oecertdump/host/host.cpp b/tests/tools/oecertdump/host/host.cpp
index 21eb349af6..c05b508b45 100644
--- a/tests/tools/oecertdump/host/host.cpp
+++ b/tests/tools/oecertdump/host/host.cpp
@@ -1,7 +1,6 @@
 // Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
-#include <dlfcn.h>
 #include <limits.h>
 #include <openenclave/host.h>
 #include <openenclave/internal/report.h>
@@ -15,6 +14,10 @@
 #include <string.h>
 #include "oecertdump_u.h"
 
+#if defined(__linux__)
+#include <dlfcn.h>
+#endif
+
 #include "../../../../common/sgx/quote.h"
 #include "../../../../common/sgx/revocation.h"
 
@@ -111,6 +114,7 @@ void oecertdump_quote_provider_log(
 // Set Azure dcap calient log callback
 void _set_log_callback()
 {
+#if defined(__linux__)
     extern oe_sgx_quote_provider_t provider;
 
     sgx_ql_set_logging_function_t set_log_fcn =
@@ -120,6 +124,7 @@ void _set_log_callback()
     {
         set_log_fcn(oecertdump_quote_provider_log);
     }
+#endif
 }
 
 void output_certificate(const uint8_t* data, size_t data_len)
@@ -225,13 +230,26 @@ static oe_result_t _gen_report(oe_enclave_t* enclave)
     {
         log("========== Got report, size = %zu\n\n", report_size);
 
+        oe_report_header_t* header = (oe_report_header_t*)remote_report;
+        sgx_quote_t* quote = (sgx_quote_t*)header->report;
+        uint64_t quote_size = header->report_size;
+
+        log("CPU_SVN: '");
+        for (uint64_t n = 0; n < SGX_CPUSVN_SIZE; n++)
+        {
+            log("%02x", quote->report_body.cpusvn[n]);
+        }
+        log("'\nQEID: '");
+        for (uint64_t n = 0; n < 16; n++)
+        {
+            log("%02x", quote->user_data[n]);
+        }
+        log("'\n");
+
         // Print endorsements
         {
             uint8_t* endorsements_data = NULL;
             size_t endorsements_data_size = 0;
-            oe_report_header_t* header = (oe_report_header_t*)remote_report;
-            sgx_quote_t* quote = (sgx_quote_t*)header->report;
-            uint64_t quote_size = header->report_size;
 
             result = oe_get_sgx_endorsements(
                 (const uint8_t*)quote,
@@ -246,22 +264,13 @@ static oe_result_t _gen_report(oe_enclave_t* enclave)
 
             log("========== Got endorsements, size = %zu\n",
                 endorsements_data_size);
-            log("CPU_SVN: '");
-            for (uint64_t n = 0; n < SGX_CPUSVN_SIZE; n++)
-            {
-                log("%02x", quote->report_body.cpusvn[n]);
-            }
-            log("'\nQEID: '");
-            for (uint64_t n = 0; n < 16; n++)
-            {
-                log("%02x", quote->user_data[n]);
-            }
-            log("'\nRevocation TCB_INFO:\n");
             oe_sgx_endorsements_t endorsements;
             result = oe_parse_sgx_endorsements(
                 (oe_endorsements_t*)endorsements_data,
                 endorsements_data_size,
                 &endorsements);
+
+            log("Revocation TCB_INFO:\n");
             oe_sgx_endorsement_item tcb_info =
                 endorsements.items[OE_SGX_ENDORSEMENT_FIELD_TCB_INFO];
             log("%s\n\n", tcb_info.data);

From e1c90476e39cee6758313fc93675ce7252690e9b Mon Sep 17 00:00:00 2001
From: Yen Lee <yenlee@microsoft.com>
Date: Wed, 27 Nov 2019 11:34:01 -0800
Subject: [PATCH 350/420] includ eopenssl

Signed-off-by: Yen Lee <yenlee@microsoft.com>
---
 tests/tools/oecertdump/host/CMakeLists.txt | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tests/tools/oecertdump/host/CMakeLists.txt b/tests/tools/oecertdump/host/CMakeLists.txt
index 6208481bff..0e92d22651 100644
--- a/tests/tools/oecertdump/host/CMakeLists.txt
+++ b/tests/tools/oecertdump/host/CMakeLists.txt
@@ -1,11 +1,16 @@
 # Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
+find_package(OpenSSL REQUIRED)
+
 add_custom_command(OUTPUT oecertdump_u.h oecertdump_u.c oecertdump_args.h
   DEPENDS ../oecertdump.edl edger8r
   COMMAND edger8r --untrusted ${CMAKE_CURRENT_SOURCE_DIR}/../oecertdump.edl)
 
 add_executable(oecertdump host.cpp ${CMAKE_CURRENT_BINARY_DIR}/oecertdump_u.c)
 
-target_include_directories(oecertdump PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+target_include_directories(oecertdump PRIVATE
+  ${CMAKE_CURRENT_BINARY_DIR}
+  -I/usr/include/openssl)
+
 target_link_libraries(oecertdump oehost)
\ No newline at end of file

From 3de7b31913a080a501e5472ee5aebf6d09a83d91 Mon Sep 17 00:00:00 2001
From: Yen Lee <yenlee@microsoft.com>
Date: Wed, 27 Nov 2019 13:14:02 -0800
Subject: [PATCH 351/420] Exclude openssl from Windows build

Signed-off-by: Yen Lee <yenlee@microsoft.com>
---
 tests/tools/oecertdump/host/host.cpp | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/tests/tools/oecertdump/host/host.cpp b/tests/tools/oecertdump/host/host.cpp
index c05b508b45..d09977f286 100644
--- a/tests/tools/oecertdump/host/host.cpp
+++ b/tests/tools/oecertdump/host/host.cpp
@@ -6,9 +6,6 @@
 #include <openenclave/internal/report.h>
 #include <openenclave/internal/sgxcertextensions.h>
 #include <openenclave/internal/tests.h>
-#include <openssl/bio.h>
-#include <openssl/pem.h>
-#include <openssl/x509.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -16,6 +13,9 @@
 
 #if defined(__linux__)
 #include <dlfcn.h>
+#include <openssl/bio.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
 #endif
 
 #include "../../../../common/sgx/quote.h"
@@ -129,6 +129,7 @@ void _set_log_callback()
 
 void output_certificate(const uint8_t* data, size_t data_len)
 {
+#if defined(__linux__)
     if (log_file)
     {
         fprintf(log_file, "\n");
@@ -143,6 +144,9 @@ void output_certificate(const uint8_t* data, size_t data_len)
         BIO_free_all(input);
         fprintf(log_file, "\n");
     }
+#endif
+    (void)data;
+    (void)data_len;
 }
 
 void validate_certificate(uint8_t* cert, size_t cert_size)

From 83b3e1a35679b18ddc63d5ceb40e32e4de72f622 Mon Sep 17 00:00:00 2001
From: Yen Lee <yenlee@microsoft.com>
Date: Wed, 27 Nov 2019 23:30:17 -0800
Subject: [PATCH 352/420] CR feedback revision

Signed-off-by: Yen Lee <yenlee@microsoft.com>
---
 tests/tools/oecertdump/README.md           |   4 +-
 tests/tools/oecertdump/enc/enc.cpp         |  21 +--
 tests/tools/oecertdump/host/CMakeLists.txt |   2 +-
 tests/tools/oecertdump/host/host.cpp       | 163 +------------------
 tests/tools/oecertdump/host/sgx_quote.cpp  | 178 +++++++++++++++++++++
 tests/tools/oecertdump/host/sgx_quote.h    |  18 +++
 tests/tools/oecertdump/oecertdump.edl      |   4 -
 7 files changed, 213 insertions(+), 177 deletions(-)
 create mode 100644 tests/tools/oecertdump/host/sgx_quote.cpp
 create mode 100644 tests/tools/oecertdump/host/sgx_quote.h

diff --git a/tests/tools/oecertdump/README.md b/tests/tools/oecertdump/README.md
index 9f59b8851d..9101298267 100644
--- a/tests/tools/oecertdump/README.md
+++ b/tests/tools/oecertdump/README.md
@@ -1,8 +1,8 @@
 oecertdump
 =====
 
-oecertdump is a utility that generates and validates report and certificates.
-Generation and validation logs are save to a log file specified by --out option.
+oecertdump is a utility that generates and validates reports and certificates.
+Generation and validation logs are saved to a log file specified by --out option.
 Default log filename is "oecertdump_out.log".
 
 Usage: oecertdump ENCLAVE_PATH Options
diff --git a/tests/tools/oecertdump/enc/enc.cpp b/tests/tools/oecertdump/enc/enc.cpp
index 412352bec0..4368db3cab 100644
--- a/tests/tools/oecertdump/enc/enc.cpp
+++ b/tests/tools/oecertdump/enc/enc.cpp
@@ -21,7 +21,7 @@ oe_result_t enclave_identity_verifier(oe_identity_t* identity, void* arg)
 {
     oe_result_t result = OE_VERIFY_FAILED;
 
-    (void)arg;
+    OE_UNUSED(arg);
     OE_TRACE_INFO("enclave_identity_verifier is called with parsed report:\n");
 
     // Check the enclave's security version
@@ -98,19 +98,19 @@ oe_result_t generate_key_pair(
     else if (key_type == MBEDTLS_PK_RSA)
     {
         int res = -1;
-        mbedtls_ctr_drbg_context ctr_drbg_contex;
+        mbedtls_ctr_drbg_context ctr_drbg_context;
         mbedtls_entropy_context entropy_context;
         mbedtls_pk_context pk_context;
         size_t local_public_key_size = 512;
         size_t local_private_key_size = 2048;
 
-        mbedtls_ctr_drbg_init(&ctr_drbg_contex);
+        mbedtls_ctr_drbg_init(&ctr_drbg_context);
         mbedtls_entropy_init(&entropy_context);
         mbedtls_pk_init(&pk_context);
 
         // Initialize entropy.
         res = mbedtls_ctr_drbg_seed(
-            &ctr_drbg_contex, mbedtls_entropy_func, &entropy_context, NULL, 0);
+            &ctr_drbg_context, mbedtls_entropy_func, &entropy_context, NULL, 0);
         if (res != 0)
         {
             OE_TRACE_ERROR("mbedtls_ctr_drbg_seed failed.");
@@ -131,7 +131,7 @@ oe_result_t generate_key_pair(
         res = mbedtls_rsa_gen_key(
             mbedtls_pk_rsa(pk_context),
             mbedtls_ctr_drbg_random,
-            &ctr_drbg_contex,
+            &ctr_drbg_context,
             2048,
             65537);
         if (res != 0)
@@ -185,7 +185,7 @@ oe_result_t generate_key_pair(
 
     clean_rsa:
         mbedtls_pk_free(&pk_context);
-        mbedtls_ctr_drbg_free(&ctr_drbg_contex);
+        mbedtls_ctr_drbg_free(&ctr_drbg_context);
         mbedtls_entropy_free(&entropy_context);
     }
     else
@@ -301,15 +301,6 @@ oe_result_t get_tls_cert_signed_with_rsa_key(
     return get_tls_cert_signed_with_key(MBEDTLS_PK_RSA, cert, cert_size);
 }
 
-oe_result_t dump_revocation_info(
-    unsigned char** revocation_info_args,
-    size_t* revocation_info_args_size)
-{
-    (void)revocation_info_args;
-    (void)revocation_info_args_size;
-    return OE_OK;
-}
-
 OE_SET_ENCLAVE_SGX(
     1,    /* ProductID */
     1,    /* SecurityVersion */
diff --git a/tests/tools/oecertdump/host/CMakeLists.txt b/tests/tools/oecertdump/host/CMakeLists.txt
index 0e92d22651..1b328ae6f9 100644
--- a/tests/tools/oecertdump/host/CMakeLists.txt
+++ b/tests/tools/oecertdump/host/CMakeLists.txt
@@ -7,7 +7,7 @@ add_custom_command(OUTPUT oecertdump_u.h oecertdump_u.c oecertdump_args.h
   DEPENDS ../oecertdump.edl edger8r
   COMMAND edger8r --untrusted ${CMAKE_CURRENT_SOURCE_DIR}/../oecertdump.edl)
 
-add_executable(oecertdump host.cpp ${CMAKE_CURRENT_BINARY_DIR}/oecertdump_u.c)
+add_executable(oecertdump host.cpp sgx_quote.cpp ${CMAKE_CURRENT_BINARY_DIR}/oecertdump_u.c)
 
 target_include_directories(oecertdump PRIVATE
   ${CMAKE_CURRENT_BINARY_DIR}
diff --git a/tests/tools/oecertdump/host/host.cpp b/tests/tools/oecertdump/host/host.cpp
index d09977f286..8502be43a3 100644
--- a/tests/tools/oecertdump/host/host.cpp
+++ b/tests/tools/oecertdump/host/host.cpp
@@ -18,10 +18,7 @@
 #include <openssl/x509.h>
 #endif
 
-#include "../../../../common/sgx/quote.h"
-#include "../../../../common/sgx/revocation.h"
-
-#include "../../../../host/sgx/sgxquoteprovider.h"
+#include "sgx_quote.h"
 
 #ifdef OE_LINK_SGX_DCAP_QL
 
@@ -38,37 +35,17 @@ typedef struct _input_params
 } input_params_t;
 
 static input_params_t _params;
-static FILE* log_file = NULL;
-
-void log(const char* fmt, ...)
-{
-    char message[4096];
-    va_list args;
-    va_start(args, fmt);
-    vsnprintf(message, sizeof(message), fmt, args);
-    va_end(args);
-
-    // ensure buf is always null-terminated
-    message[sizeof(message) - 1] = 0;
 
-    if (log_file)
-    {
-        fprintf(log_file, "%s", message);
-    }
-    else
-    {
-        printf("%s", message);
-    }
-}
+FILE* log_file = NULL;
 
-// This is the identity validation callback. An TLS connecting party (client or
+// This is the identity validation callback. A TLS connecting party (client or
 // server) can verify the passed in "identity" information to decide whether to
 // accept an connection request
 oe_result_t enclave_identity_verifier(oe_identity_t* identity, void* arg)
 {
     oe_result_t result = OE_VERIFY_FAILED;
 
-    (void)arg;
+    OE_UNUSED(arg);
     log("enclave_identity_verifier is called with parsed report:\n");
 
     // Check the enclave's security version
@@ -101,32 +78,6 @@ oe_result_t enclave_identity_verifier(oe_identity_t* identity, void* arg)
     return result;
 }
 
-// Azure dcap client log callback to this function.
-void oecertdump_quote_provider_log(
-    sgx_ql_log_level_t level,
-    const char* message)
-{
-    const char* level_string = level == 0 ? "ERROR" : "INFO";
-
-    log("[%s]: %s\n", level_string, message);
-}
-
-// Set Azure dcap calient log callback
-void _set_log_callback()
-{
-#if defined(__linux__)
-    extern oe_sgx_quote_provider_t provider;
-
-    sgx_ql_set_logging_function_t set_log_fcn =
-        (sgx_ql_set_logging_function_t)dlsym(
-            provider.handle, "sgx_ql_set_logging_function");
-    if (set_log_fcn != NULL)
-    {
-        set_log_fcn(oecertdump_quote_provider_log);
-    }
-#endif
-}
-
 void output_certificate(const uint8_t* data, size_t data_len)
 {
 #if defined(__linux__)
@@ -145,8 +96,8 @@ void output_certificate(const uint8_t* data, size_t data_len)
         fprintf(log_file, "\n");
     }
 #endif
-    (void)data;
-    (void)data_len;
+    OE_UNUSED(data);
+    OE_UNUSED(data_len);
 }
 
 void validate_certificate(uint8_t* cert, size_t cert_size)
@@ -216,102 +167,6 @@ static oe_result_t _gen_cert(oe_enclave_t* enclave)
     return result;
 }
 
-static oe_result_t _gen_report(oe_enclave_t* enclave)
-{
-    size_t report_size = OE_MAX_REPORT_SIZE;
-    uint8_t* remote_report = NULL;
-
-    log("========== Getting report\n");
-
-    oe_result_t result = oe_get_report(
-        enclave,
-        OE_REPORT_FLAGS_REMOTE_ATTESTATION,
-        NULL, // opt_params must be null
-        0,
-        (uint8_t**)&remote_report,
-        &report_size);
-    if (result == OE_OK)
-    {
-        log("========== Got report, size = %zu\n\n", report_size);
-
-        oe_report_header_t* header = (oe_report_header_t*)remote_report;
-        sgx_quote_t* quote = (sgx_quote_t*)header->report;
-        uint64_t quote_size = header->report_size;
-
-        log("CPU_SVN: '");
-        for (uint64_t n = 0; n < SGX_CPUSVN_SIZE; n++)
-        {
-            log("%02x", quote->report_body.cpusvn[n]);
-        }
-        log("'\nQEID: '");
-        for (uint64_t n = 0; n < 16; n++)
-        {
-            log("%02x", quote->user_data[n]);
-        }
-        log("'\n");
-
-        // Print endorsements
-        {
-            uint8_t* endorsements_data = NULL;
-            size_t endorsements_data_size = 0;
-
-            result = oe_get_sgx_endorsements(
-                (const uint8_t*)quote,
-                quote_size,
-                &endorsements_data,
-                &endorsements_data_size);
-            if (result != OE_OK)
-            {
-                log("ERROR: Failed to get endorsements\n");
-                goto exit;
-            }
-
-            log("========== Got endorsements, size = %zu\n",
-                endorsements_data_size);
-            oe_sgx_endorsements_t endorsements;
-            result = oe_parse_sgx_endorsements(
-                (oe_endorsements_t*)endorsements_data,
-                endorsements_data_size,
-                &endorsements);
-
-            log("Revocation TCB_INFO:\n");
-            oe_sgx_endorsement_item tcb_info =
-                endorsements.items[OE_SGX_ENDORSEMENT_FIELD_TCB_INFO];
-            log("%s\n\n", tcb_info.data);
-        }
-
-        // Verify report
-        {
-            log("========== Verifying report\n");
-
-            oe_report_t parsed_report;
-            result = oe_verify_report(
-                NULL, remote_report, report_size, &parsed_report);
-            if (result != OE_OK)
-            {
-                log("Failed to verify report. result=%u (%s)\n",
-                    result,
-                    oe_result_str(result));
-                goto exit;
-            }
-            else
-            {
-                log("========== Report verified\n\n");
-            }
-        }
-    }
-    else
-    {
-        log("Failed to create report. Error: %s\n", oe_result_str(result));
-    }
-
-exit:
-    if (remote_report)
-        oe_free_report(remote_report);
-
-    return result;
-}
-
 static void _display_help(const char* cmd)
 {
     printf("Usage: %s ENCLAVE_PATH Options\n", cmd);
@@ -382,7 +237,7 @@ static oe_result_t _process_params(oe_enclave_t* enclave)
 {
     oe_result_t result = OE_FAILURE;
 
-    result = _gen_report(enclave);
+    result = gen_report(enclave);
     if (result != OE_OK)
         return result;
 
@@ -437,9 +292,7 @@ int main(int argc, const char* argv[])
         goto exit;
     }
 
-    // Initialize quote provider and set log callback
-    oe_initialize_quote_provider();
-    _set_log_callback();
+    set_log_callback();
 
     if ((result = _process_params(enclave)) != OE_OK)
     {
diff --git a/tests/tools/oecertdump/host/sgx_quote.cpp b/tests/tools/oecertdump/host/sgx_quote.cpp
new file mode 100644
index 0000000000..4b4f81615b
--- /dev/null
+++ b/tests/tools/oecertdump/host/sgx_quote.cpp
@@ -0,0 +1,178 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include "sgx_quote.h"
+
+#include <openenclave/host.h>
+#include <openenclave/internal/report.h>
+#include <openenclave/internal/sgxcertextensions.h>
+#include <openenclave/internal/tests.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "oecertdump_u.h"
+
+#if defined(__linux__)
+#include <dlfcn.h>
+#include <openssl/bio.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+#endif
+
+#include "../../../../common/sgx/quote.h"
+#include "../../../../common/sgx/revocation.h"
+#include "../../../../host/sgx/sgxquoteprovider.h"
+
+#ifdef OE_LINK_SGX_DCAP_QL
+
+extern FILE* log_file;
+
+void log(const char* fmt, ...)
+{
+    char message[4096];
+    va_list args;
+    va_start(args, fmt);
+    vsnprintf(message, sizeof(message), fmt, args);
+    va_end(args);
+
+    // ensure buf is always null-terminated
+    message[sizeof(message) - 1] = 0;
+
+    if (log_file)
+    {
+        fprintf(log_file, "%s", message);
+    }
+    else
+    {
+        printf("%s", message);
+    }
+}
+
+// DCAP client (libdcap_quoteprov) log callback to this function.
+void oecertdump_quote_provider_log(
+    sgx_ql_log_level_t level,
+    const char* message)
+{
+    const char* level_string = level == 0 ? "ERROR" : "INFO";
+
+    log("[%s]: %s\n", level_string, message);
+}
+
+// Set DCAP client (libdcap_quoteprov) log callback
+void set_log_callback()
+{
+#if defined(__linux__)
+    extern oe_sgx_quote_provider_t provider;
+
+    // Initialize quote provider and set log callback
+    oe_initialize_quote_provider();
+
+    sgx_ql_set_logging_function_t set_log_fcn =
+        (sgx_ql_set_logging_function_t)dlsym(
+            provider.handle, "sgx_ql_set_logging_function");
+    if (set_log_fcn != NULL)
+    {
+        set_log_fcn(oecertdump_quote_provider_log);
+    }
+#endif
+}
+
+oe_result_t gen_report(oe_enclave_t* enclave)
+{
+    size_t report_size = OE_MAX_REPORT_SIZE;
+    uint8_t* remote_report = NULL;
+
+    log("========== Getting report\n");
+
+    oe_result_t result = oe_get_report(
+        enclave,
+        OE_REPORT_FLAGS_REMOTE_ATTESTATION,
+        NULL, // opt_params must be null
+        0,
+        (uint8_t**)&remote_report,
+        &report_size);
+    if (result == OE_OK)
+    {
+        log("========== Got report, size = %zu\n\n", report_size);
+
+        oe_report_header_t* header = (oe_report_header_t*)remote_report;
+        sgx_quote_t* quote = (sgx_quote_t*)header->report;
+        uint64_t quote_size = header->report_size;
+
+        log("CPU_SVN: '");
+        for (uint64_t n = 0; n < SGX_CPUSVN_SIZE; n++)
+        {
+            log("%02x", quote->report_body.cpusvn[n]);
+        }
+        log("'\nQEID: '");
+        for (uint64_t n = 0; n < 16; n++)
+        {
+            log("%02x", quote->user_data[n]);
+        }
+        log("'\n");
+
+        // Print endorsements
+        {
+            uint8_t* endorsements_data = NULL;
+            size_t endorsements_data_size = 0;
+
+            result = oe_get_sgx_endorsements(
+                (const uint8_t*)quote,
+                quote_size,
+                &endorsements_data,
+                &endorsements_data_size);
+            if (result != OE_OK)
+            {
+                log("ERROR: Failed to get endorsements\n");
+                goto exit;
+            }
+
+            log("========== Got endorsements, size = %zu\n",
+                endorsements_data_size);
+            oe_sgx_endorsements_t endorsements;
+            result = oe_parse_sgx_endorsements(
+                (oe_endorsements_t*)endorsements_data,
+                endorsements_data_size,
+                &endorsements);
+
+            log("Revocation TCB_INFO:\n");
+            oe_sgx_endorsement_item tcb_info =
+                endorsements.items[OE_SGX_ENDORSEMENT_FIELD_TCB_INFO];
+            log("%s\n\n", tcb_info.data);
+
+            oe_free_sgx_endorsements(endorsements_data);
+        }
+
+        // Verify report
+        {
+            log("========== Verifying report\n");
+
+            oe_report_t parsed_report;
+            result = oe_verify_report(
+                NULL, remote_report, report_size, &parsed_report);
+            if (result != OE_OK)
+            {
+                log("Failed to verify report. result=%u (%s)\n",
+                    result,
+                    oe_result_str(result));
+                goto exit;
+            }
+            else
+            {
+                log("========== Report verified\n\n");
+            }
+        }
+    }
+    else
+    {
+        log("Failed to create report. Error: %s\n", oe_result_str(result));
+    }
+
+exit:
+    if (remote_report)
+        oe_free_report(remote_report);
+
+    return result;
+}
+
+#endif // OE_LINK_SGX_DCAP_QL
diff --git a/tests/tools/oecertdump/host/sgx_quote.h b/tests/tools/oecertdump/host/sgx_quote.h
new file mode 100644
index 0000000000..679c592626
--- /dev/null
+++ b/tests/tools/oecertdump/host/sgx_quote.h
@@ -0,0 +1,18 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#ifndef _SGX_QUOTE
+#define _SGX_QUOTE
+
+#include <openenclave/host.h>
+#include "../../../../host/sgx/platformquoteprovider.h"
+
+void log(const char* fmt, ...);
+void oecertdump_quote_provider_log(
+    sgx_ql_log_level_t level,
+    const char* message);
+void set_log_callback();
+
+oe_result_t gen_report(oe_enclave_t* enclave);
+
+#endif // _SGX_QUOTE
\ No newline at end of file
diff --git a/tests/tools/oecertdump/oecertdump.edl b/tests/tools/oecertdump/oecertdump.edl
index 4081960b89..e423b5bfe4 100644
--- a/tests/tools/oecertdump/oecertdump.edl
+++ b/tests/tools/oecertdump/oecertdump.edl
@@ -3,10 +3,6 @@
 
 enclave {
     trusted {
-        public oe_result_t dump_revocation_info(
-            [out] unsigned char **revocation_info_args,
-            [out] size_t *revocation_info_args_size);
-
         public oe_result_t get_tls_cert_signed_with_ec_key(
             [out] unsigned char** data,
             [out] size_t* data_size);

From af4656a778047ea1bc10c1899ace595195017272 Mon Sep 17 00:00:00 2001
From: Yen Lee <yenlee@microsoft.com>
Date: Wed, 27 Nov 2019 23:41:38 -0800
Subject: [PATCH 353/420] fixed typo

Signed-off-by: Yen Lee <yenlee@microsoft.com>
---
 tests/tools/oecertdump/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/tools/oecertdump/README.md b/tests/tools/oecertdump/README.md
index 9101298267..eee664355e 100644
--- a/tests/tools/oecertdump/README.md
+++ b/tests/tools/oecertdump/README.md
@@ -2,7 +2,7 @@ oecertdump
 =====
 
 oecertdump is a utility that generates and validates reports and certificates.
-Generation and validation logs are saved to a log file specified by --out option.
+Generation and validation logs are saved to a log file specified by the --out option.
 Default log filename is "oecertdump_out.log".
 
 Usage: oecertdump ENCLAVE_PATH Options

From 3fe04f234c0e4cc620629fe57349123caaca6aa3 Mon Sep 17 00:00:00 2001
From: Thomas Tendyck <tt@edgeless.systems>
Date: Mon, 2 Dec 2019 14:45:33 +0100
Subject: [PATCH 354/420] Make poller epoll test debuggable

epoll_wait can be interrupted and this is very likely to happen if the
process is being debugged.

Signed-off-by: Thomas Tendyck <tt@edgeless.systems>
---
 tests/syscall/poller/poller.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tests/syscall/poller/poller.cpp b/tests/syscall/poller/poller.cpp
index 235bb99894..2a8945b327 100644
--- a/tests/syscall/poller/poller.cpp
+++ b/tests/syscall/poller/poller.cpp
@@ -377,7 +377,11 @@ int epoll_poller::wait(std::vector<event_t>& events)
 
     events.clear();
 
-    int n = epoll_wait(_epfd, epoll_events, MAX_EPOLL_EVENTS, -1);
+    int n;
+    do
+    {
+        n = epoll_wait(_epfd, epoll_events, MAX_EPOLL_EVENTS, -1);
+    } while (n < 0 && errno == EINTR);
 
     if (n < 0)
         return -1;

From 386dbd2d8eb2ab87cb282eda36f2786328d38e61 Mon Sep 17 00:00:00 2001
From: Thomas Tendyck <tt@edgeless.systems>
Date: Mon, 2 Dec 2019 14:54:44 +0100
Subject: [PATCH 355/420] Fix race condition in epoll

One thread can add or delete file descriptors to/from an epoll instance
while another thread is waiting on it. This was not handled correctly.

Signed-off-by: Thomas Tendyck <tt@edgeless.systems>
---
 syscall/devices/hostepoll/hostepoll.c   |  79 +++++++++-------
 syscall/devices/hostsock/hostsock.c     |   2 +-
 tests/syscall/CMakeLists.txt            |   1 +
 tests/syscall/epoll/CMakeLists.txt      |  10 +++
 tests/syscall/epoll/README.md           |   5 ++
 tests/syscall/epoll/enc/CMakeLists.txt  |  10 +++
 tests/syscall/epoll/enc/enc.cpp         | 115 ++++++++++++++++++++++++
 tests/syscall/epoll/epoll.edl           |  13 +++
 tests/syscall/epoll/host/CMakeLists.txt |  10 +++
 tests/syscall/epoll/host/host.cpp       |  51 +++++++++++
 10 files changed, 262 insertions(+), 34 deletions(-)
 create mode 100644 tests/syscall/epoll/CMakeLists.txt
 create mode 100644 tests/syscall/epoll/README.md
 create mode 100644 tests/syscall/epoll/enc/CMakeLists.txt
 create mode 100644 tests/syscall/epoll/enc/enc.cpp
 create mode 100644 tests/syscall/epoll/epoll.edl
 create mode 100644 tests/syscall/epoll/host/CMakeLists.txt
 create mode 100644 tests/syscall/epoll/host/host.cpp

diff --git a/syscall/devices/hostepoll/hostepoll.c b/syscall/devices/hostepoll/hostepoll.c
index fb85d769ad..e88ed44870 100644
--- a/syscall/devices/hostepoll/hostepoll.c
+++ b/syscall/devices/hostepoll/hostepoll.c
@@ -62,7 +62,7 @@ typedef struct _epoll
     size_t map_capacity;
 
     /* Synchronizes access to this structure. */
-    oe_spinlock_t lock;
+    oe_mutex_t lock;
 } epoll_t;
 
 static oe_epoll_ops_t _get_epoll_ops(void);
@@ -224,6 +224,10 @@ static int _epoll_ctl_add(epoll_t* epoll, int fd, struct oe_epoll_event* event)
         host_event.data.fd = fd;
     }
 
+    // The host call and the map update must be done in an atomic operation.
+    locked = true;
+    oe_mutex_lock(&epoll->lock);
+
     if (oe_syscall_epoll_ctl_ocall(
             &retval, host_epfd, OE_EPOLL_CTL_ADD, host_fd, &host_event) !=
         OE_OK)
@@ -233,9 +237,6 @@ static int _epoll_ctl_add(epoll_t* epoll, int fd, struct oe_epoll_event* event)
 
     if (retval == 0)
     {
-        oe_spin_lock(&epoll->lock);
-        locked = true;
-
         if (_map_reserve(epoll, epoll->map_size + 1) != 0)
             OE_RAISE_ERRNO(OE_ENOMEM);
 
@@ -249,7 +250,7 @@ static int _epoll_ctl_add(epoll_t* epoll, int fd, struct oe_epoll_event* event)
 done:
 
     if (locked)
-        oe_spin_unlock(&epoll->lock);
+        oe_mutex_unlock(&epoll->lock);
 
     return ret;
 }
@@ -262,6 +263,7 @@ static int _epoll_ctl_mod(epoll_t* epoll, int fd, struct oe_epoll_event* event)
     oe_host_fd_t host_fd;
     struct oe_epoll_event host_event;
     int retval;
+    bool locked = false;
 
     oe_errno = 0;
 
@@ -290,6 +292,10 @@ static int _epoll_ctl_mod(epoll_t* epoll, int fd, struct oe_epoll_event* event)
         host_event.data.fd = fd;
     }
 
+    // The host call and the map update must be done in an atomic operation.
+    locked = true;
+    oe_mutex_lock(&epoll->lock);
+
     if (oe_syscall_epoll_ctl_ocall(
             &retval, host_epfd, OE_EPOLL_CTL_MOD, host_fd, &host_event) !=
         OE_OK)
@@ -300,22 +306,19 @@ static int _epoll_ctl_mod(epoll_t* epoll, int fd, struct oe_epoll_event* event)
     /* Modify the mapping. */
     if (retval == 0)
     {
-        mapping_t* mapping;
-
-        oe_spin_lock(&epoll->lock);
-        {
-            if ((mapping = _map_find(epoll, fd)))
-                mapping->event = *event;
-        }
-        oe_spin_unlock(&epoll->lock);
-
+        mapping_t* const mapping = _map_find(epoll, fd);
         if (!mapping)
             OE_RAISE_ERRNO(OE_ENOENT);
+
+        mapping->event = *event;
     }
 
     ret = 0;
 
 done:
+    if (locked)
+        oe_mutex_unlock(&epoll->lock);
+
     return ret;
 }
 
@@ -326,6 +329,7 @@ static int _epoll_ctl_del(epoll_t* epoll, int fd)
     oe_host_fd_t host_epfd;
     oe_host_fd_t host_fd;
     int retval;
+    bool locked = false;
 
     oe_errno = 0;
 
@@ -343,6 +347,10 @@ static int _epoll_ctl_del(epoll_t* epoll, int fd)
     if ((host_fd = desc->ops.fd.get_host_fd(desc)) == -1)
         OE_RAISE_ERRNO(oe_errno);
 
+    // The host call and the map update must be done in an atomic operation.
+    locked = true;
+    oe_mutex_lock(&epoll->lock);
+
     if (oe_syscall_epoll_ctl_ocall(
             &retval, host_epfd, OE_EPOLL_CTL_DEL, host_fd, NULL) != OE_OK)
     {
@@ -354,20 +362,16 @@ static int _epoll_ctl_del(epoll_t* epoll, int fd)
     {
         bool found = false;
 
-        oe_spin_lock(&epoll->lock);
+        for (size_t i = 0; epoll->map_size; i++)
         {
-            for (size_t i = 0; epoll->map_size; i++)
+            if (epoll->map[i].fd == fd)
             {
-                if (epoll->map[i].fd == fd)
-                {
-                    /* Swap with last element of array. */
-                    epoll->map[i] = epoll->map[--epoll->map_size];
-                    found = true;
-                    break;
-                }
+                /* Swap with last element of array. */
+                epoll->map[i] = epoll->map[--epoll->map_size];
+                found = true;
+                break;
             }
         }
-        oe_spin_unlock(&epoll->lock);
 
         if (!found)
             OE_RAISE_ERRNO(OE_ENOENT);
@@ -376,6 +380,9 @@ static int _epoll_ctl_del(epoll_t* epoll, int fd)
     ret = 0;
 
 done:
+    if (locked)
+        oe_mutex_unlock(&epoll->lock);
+
     return ret;
 }
 
@@ -434,6 +441,7 @@ static int _epoll_wait(
 {
     int ret = -1;
     int retval;
+    bool locked = false;
     epoll_t* epoll = _cast_epoll(epoll_);
     oe_host_fd_t host_epfd = -1;
 
@@ -457,26 +465,31 @@ static int _epoll_wait(
         if (retval > maxevents)
             OE_RAISE_ERRNO(OE_EINVAL);
 
+        locked = true;
+        oe_mutex_lock(&epoll->lock);
+
         for (int i = 0; i < retval; i++)
         {
-            struct oe_epoll_event* event = &events[i];
-            const mapping_t* mapping;
+            struct oe_epoll_event* const event = &events[i];
+            const mapping_t* const mapping = _map_find(epoll, event->data.fd);
 
-            oe_spin_lock(&epoll->lock);
+            if (mapping)
+                event->data.u64 = mapping->event.data.u64;
+            else
             {
-                if ((mapping = _map_find(epoll, event->data.fd)))
-                    event->data.u64 = mapping->event.data.u64;
+                // fd has been deleted between the return of epoll_wait and the
+                // acquisition of the lock.
+                --retval;
+                memmove(event, event + 1, (size_t)(retval - i) * sizeof *event);
             }
-            oe_spin_unlock(&epoll->lock);
-
-            if (!mapping)
-                OE_RAISE_ERRNO(OE_ENOENT);
         }
     }
 
     ret = (int)retval;
 
 done:
+    if (locked)
+        oe_mutex_unlock(&epoll->lock);
 
     return ret;
 }
diff --git a/syscall/devices/hostsock/hostsock.c b/syscall/devices/hostsock/hostsock.c
index a346f70ddd..af393e0aa7 100644
--- a/syscall/devices/hostsock/hostsock.c
+++ b/syscall/devices/hostsock/hostsock.c
@@ -343,7 +343,7 @@ static ssize_t _hostsock_recv(
 
     if (buf)
     {
-        if (oe_memset_s(buf, sizeof(count), 0, sizeof(count)) != OE_OK)
+        if (oe_memset_s(buf, count, 0, count) != OE_OK)
             OE_RAISE_ERRNO(OE_EINVAL);
     }
 
diff --git a/tests/syscall/CMakeLists.txt b/tests/syscall/CMakeLists.txt
index d05d1beef4..1636eb2fb5 100644
--- a/tests/syscall/CMakeLists.txt
+++ b/tests/syscall/CMakeLists.txt
@@ -5,6 +5,7 @@ if(UNIX)
 add_subdirectory(cpio)
 add_subdirectory(datagram)
 add_subdirectory(dup)
+add_subdirectory(epoll)
 add_subdirectory(fs)
 add_subdirectory(hostfs)
 add_subdirectory(ids)
diff --git a/tests/syscall/epoll/CMakeLists.txt b/tests/syscall/epoll/CMakeLists.txt
new file mode 100644
index 0000000000..7b70890be8
--- /dev/null
+++ b/tests/syscall/epoll/CMakeLists.txt
@@ -0,0 +1,10 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+add_subdirectory(host)
+
+if (BUILD_ENCLAVES)
+    add_subdirectory(enc)
+endif()
+
+add_enclave_test(tests/epoll epoll_host epoll_enc)
diff --git a/tests/syscall/epoll/README.md b/tests/syscall/epoll/README.md
new file mode 100644
index 0000000000..e2e14bcf3b
--- /dev/null
+++ b/tests/syscall/epoll/README.md
@@ -0,0 +1,5 @@
+epoll test:
+===========
+
+This test uses epoll concurrently. One thread waits on an epoll instance while
+another thread adds and deletes file descriptors.
diff --git a/tests/syscall/epoll/enc/CMakeLists.txt b/tests/syscall/epoll/enc/CMakeLists.txt
new file mode 100644
index 0000000000..0f64dc72ee
--- /dev/null
+++ b/tests/syscall/epoll/enc/CMakeLists.txt
@@ -0,0 +1,10 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+oeedl_file(../epoll.edl enclave gen)
+
+add_executable(epoll_enc enc.cpp ${gen})
+
+maybe_build_using_clangw(epoll_enc)
+
+target_link_libraries(epoll_enc oelibcxx oeenclave oehostepoll oehostsock)
diff --git a/tests/syscall/epoll/enc/enc.cpp b/tests/syscall/epoll/enc/enc.cpp
new file mode 100644
index 0000000000..3e7369eaf6
--- /dev/null
+++ b/tests/syscall/epoll/enc/enc.cpp
@@ -0,0 +1,115 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <netinet/in.h>
+#include <openenclave/enclave.h>
+#include <openenclave/internal/tests.h>
+#include <sys/epoll.h>
+#include <sys/socket.h>
+#include <unistd.h>
+#include <cerrno>
+#include <cstdio>
+
+static const uint16_t _port = 12347;
+static sockaddr_in _addr;
+static int _epfd;
+static int _sockfd;
+
+extern "C" void set_up()
+{
+    OE_TEST(oe_load_module_host_socket_interface() == OE_OK);
+    OE_TEST(oe_load_module_host_epoll() == OE_OK);
+
+    _addr.sin_family = AF_INET;
+    _addr.sin_port = htons(_port);
+    _addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+    // create and bind UDP socket
+    _sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+    OE_TEST(_sockfd >= 0);
+    OE_TEST(
+        bind(_sockfd, reinterpret_cast<sockaddr*>(&_addr), sizeof _addr) == 0);
+
+    // create epoll instance
+    _epfd = epoll_create(1);
+    OE_TEST(_epfd >= 0);
+}
+
+extern "C" void tear_down()
+{
+    OE_TEST(close(_epfd) == 0);
+    OE_TEST(close(_sockfd) == 0);
+}
+
+extern "C" void wait_for_events()
+{
+    uint8_t run = 1;
+
+    while (run)
+    {
+        epoll_event event{};
+
+        int n;
+        do
+        {
+            n = epoll_wait(_epfd, &event, 1, -1);
+        } while (n == -1 && errno == EINTR);
+
+        if (n == 1)
+        {
+            OE_TEST(event.data.fd == _sockfd);
+            OE_TEST(read(_sockfd, &run, sizeof run) == sizeof run);
+        }
+        else
+            OE_TEST(n == 0); // fd has been deleted
+    }
+}
+
+static void _send(uint8_t run)
+{
+    const int sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+    OE_TEST(sockfd >= 0);
+    OE_TEST(
+        connect(sockfd, reinterpret_cast<sockaddr*>(&_addr), sizeof _addr) ==
+        0);
+    OE_TEST(write(sockfd, &run, sizeof run) == sizeof run);
+    OE_TEST(close(sockfd) == 0);
+}
+
+extern "C" void trigger_and_add_event()
+{
+    _send(1);
+
+    // add fd to the epoll instance
+    epoll_event event{};
+    event.events = EPOLLIN;
+    event.data.fd = _sockfd;
+    OE_TEST(epoll_ctl(_epfd, EPOLL_CTL_ADD, _sockfd, &event) == 0);
+}
+
+extern "C" void trigger_and_delete_event()
+{
+    _send(1);
+
+    // delete fd from the epoll instance
+    OE_TEST(epoll_ctl(_epfd, EPOLL_CTL_DEL, _sockfd, nullptr) == 0);
+}
+
+extern "C" void cancel_wait()
+{
+    // add fd to the epoll instance
+    epoll_event event{};
+    event.events = EPOLLIN;
+    event.data.fd = _sockfd;
+    OE_TEST(epoll_ctl(_epfd, EPOLL_CTL_ADD, _sockfd, &event) == 0);
+
+    _send(0);
+}
+
+OE_SET_ENCLAVE_SGX(
+    1,    /* ProductID */
+    1,    /* SecurityVersion */
+    true, /* AllowDebug */
+    1024, /* HeapPageCount */
+    256,  /* StackPageCount */
+    9);   /* TCSCount */
diff --git a/tests/syscall/epoll/epoll.edl b/tests/syscall/epoll/epoll.edl
new file mode 100644
index 0000000000..280eb9d19c
--- /dev/null
+++ b/tests/syscall/epoll/epoll.edl
@@ -0,0 +1,13 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+enclave {
+    trusted {
+        public void set_up();
+        public void tear_down();
+        public void wait_for_events();
+        public void trigger_and_add_event();
+        public void trigger_and_delete_event();
+        public void cancel_wait();
+    };
+};
diff --git a/tests/syscall/epoll/host/CMakeLists.txt b/tests/syscall/epoll/host/CMakeLists.txt
new file mode 100644
index 0000000000..546124f8de
--- /dev/null
+++ b/tests/syscall/epoll/host/CMakeLists.txt
@@ -0,0 +1,10 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+oeedl_file(../epoll.edl host gen)
+
+add_executable(epoll_host host.cpp ${gen})
+
+target_include_directories(epoll_host PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+
+target_link_libraries(epoll_host oehostapp)
diff --git a/tests/syscall/epoll/host/host.cpp b/tests/syscall/epoll/host/host.cpp
new file mode 100644
index 0000000000..cb62f0e1b2
--- /dev/null
+++ b/tests/syscall/epoll/host/host.cpp
@@ -0,0 +1,51 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <openenclave/host.h>
+#include <openenclave/internal/tests.h>
+#include <cstdio>
+#include <thread>
+#include "epoll_u.h"
+
+using namespace std;
+
+int main(int argc, const char* argv[])
+{
+    oe_result_t r;
+    const uint32_t flags = oe_get_create_flags();
+    const oe_enclave_type_t type = OE_ENCLAVE_TYPE_SGX;
+
+    if (argc != 2)
+    {
+        fprintf(stderr, "Usage: %s ENCLAVE_PATH\n", argv[0]);
+        return 1;
+    }
+
+    oe_enclave_t* enclave;
+    r = oe_create_epoll_enclave(argv[1], type, flags, NULL, 0, &enclave);
+    OE_TEST(r == OE_OK);
+
+    set_up(enclave);
+
+    thread wait_thread(
+        [enclave] { OE_TEST(wait_for_events(enclave) == OE_OK); });
+    this_thread::sleep_for(100ms); // give wait_thread time to initialize
+
+    for (int i = 0; i < 100; ++i)
+    {
+        OE_TEST(trigger_and_add_event(enclave) == OE_OK);
+        OE_TEST(trigger_and_delete_event(enclave) == OE_OK);
+    }
+
+    cancel_wait(enclave);
+    wait_thread.join();
+    tear_down(enclave);
+
+    r = oe_terminate_enclave(enclave);
+    OE_TEST(r == OE_OK);
+
+    printf("=== passed all tests (epoll)\n");
+    fflush(stdout);
+
+    return 0;
+}

From a16b874011377dad760c3362c45379788d3cbc69 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Tue, 26 Nov 2019 16:22:24 -0800
Subject: [PATCH 356/420] Ensure sample works for both enc and non_enc

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 common/oe_host_socket.h                       |  39 +++-
 host/linux/syscall.c                          |  22 +-
 host/windows/syscall.c                        | 208 ++++++++++++++++--
 samples/attested_tls/CMakeLists.txt           |   4 +-
 .../attested_tls/non_enc_client/client.cpp    |  58 +++--
 .../non_enc_client/verify_callback.cpp        |   3 +-
 .../scripts/gen_mrenclave_header.py           |  60 -----
 .../scripts/gen_mrenclave_header.sh           |  11 +-
 .../attested_tls/server/enc/CMakeLists.txt    |   4 +-
 tests/syscall/socket/enc/enc.c                |   1 +
 10 files changed, 271 insertions(+), 139 deletions(-)
 delete mode 100644 samples/attested_tls/scripts/gen_mrenclave_header.py

diff --git a/common/oe_host_socket.h b/common/oe_host_socket.h
index 2963607575..af46e14f0d 100644
--- a/common/oe_host_socket.h
+++ b/common/oe_host_socket.h
@@ -5,8 +5,11 @@
 #define _OE_HOST_SOCKET_H
 
 #include <openenclave/corelibc/bits/types.h>
+#include <openenclave/corelibc/errno.h>
+#include <openenclave/internal/syscall/sys/socket.h>
 #include <openenclave/internal/syscall/types.h>
 #include <stdint.h>
+#include <string.h>
 
 #ifdef _WIN32
 #include <winsock2.h>
@@ -14,15 +17,33 @@
 #include <sys/socket.h>
 #endif
 
+OE_EXTERNC_BEGIN
+
 #define GETADDRINFO_HANDLE_MAGIC 0xed11d13a
 
 typedef struct _getaddrinfo_handle
 {
-    uint32_t magic;
+    uint64_t magic;
     struct addrinfo* res;
     struct addrinfo* next;
 } getaddrinfo_handle_t;
 
+OE_INLINE getaddrinfo_handle_t* _cast_getaddrinfo_handle(void* handle_);
+
+int _getaddrinfo_read(
+    uint64_t handle_,
+    int* ai_flags,
+    int* ai_family,
+    int* ai_socktype,
+    int* ai_protocol,
+    oe_socklen_t ai_addrlen_in,
+    oe_socklen_t* ai_addrlen,
+    struct oe_sockaddr* ai_addr,
+    size_t ai_canonnamelen_in,
+    size_t* ai_canonnamelen,
+    char* ai_canonname,
+    int* err_no);
+
 OE_INLINE getaddrinfo_handle_t* _cast_getaddrinfo_handle(void* handle_)
 {
     getaddrinfo_handle_t* handle = (getaddrinfo_handle_t*)handle_;
@@ -33,7 +54,7 @@ OE_INLINE getaddrinfo_handle_t* _cast_getaddrinfo_handle(void* handle_)
     return handle;
 }
 
-OE_INLINE int _getaddrinfo_read(
+int _getaddrinfo_read(
     uint64_t handle_,
     int* ai_flags,
     int* ai_family,
@@ -104,20 +125,12 @@ OE_INLINE int _getaddrinfo_read(
 
         if (ai_addr)
         {
-            *err_no = memcpy_s(ai_addr, ai_addrlen_in, p->ai_addr, *ai_addrlen);
-            if (*err_no != 0)
-                goto done;
+            memcpy(ai_addr, p->ai_addr, *ai_addrlen);
         }
 
         if (ai_canonname && p->ai_canonname)
         {
-            *err_no = memcpy_s(
-                ai_canonname,
-                ai_canonnamelen_in,
-                p->ai_canonname,
-                *ai_canonnamelen);
-            if (*err_no != 0)
-                goto done;
+            memcpy(ai_canonname, p->ai_canonname, *ai_canonnamelen);
         }
 
         handle->next = handle->next->ai_next;
@@ -136,4 +149,6 @@ OE_INLINE int _getaddrinfo_read(
     return ret;
 }
 
+OE_EXTERNC_END
+
 #endif // _OE_HOST_SOCKET_H
diff --git a/host/linux/syscall.c b/host/linux/syscall.c
index fe806442b1..85254882a6 100644
--- a/host/linux/syscall.c
+++ b/host/linux/syscall.c
@@ -21,6 +21,7 @@
 #include <sys/uio.h>
 #include <sys/utsname.h>
 #include <unistd.h>
+#include "../../common/oe_host_socket.h"
 #include "../host/strings.h"
 #include "syscall_u.h"
 
@@ -792,25 +793,6 @@ int oe_syscall_kill_ocall(int pid, int signum)
 **==============================================================================
 */
 
-#define GETADDRINFO_HANDLE_MAGIC 0xed11d13a
-
-typedef struct _getaddrinfo_handle
-{
-    uint32_t magic;
-    struct addrinfo* res;
-    struct addrinfo* next;
-} getaddrinfo_handle_t;
-
-static getaddrinfo_handle_t* _cast_getaddrinfo_handle(void* handle_)
-{
-    getaddrinfo_handle_t* handle = (getaddrinfo_handle_t*)handle_;
-
-    if (!handle || handle->magic != GETADDRINFO_HANDLE_MAGIC || !handle->res)
-        return NULL;
-
-    return handle;
-}
-
 int oe_syscall_getaddrinfo_open_ocall(
     const char* node,
     const char* service,
@@ -870,7 +852,7 @@ int oe_syscall_getaddrinfo_read_ocall(
     size_t* ai_canonnamelen,
     char* ai_canonname)
 {
-    int err_no = OE_EFAIL;
+    int err_no = 0;
     int ret = _getaddrinfo_read(
         handle_,
         ai_flags,
diff --git a/host/windows/syscall.c b/host/windows/syscall.c
index 25f1ad3f16..c5169c3e66 100644
--- a/host/windows/syscall.c
+++ b/host/windows/syscall.c
@@ -27,6 +27,7 @@
 // clang-format on
 
 #include <openenclave/corelibc/errno.h>
+#include <openenclave/internal/atomic.h>
 #include <openenclave/internal/syscall/fcntl.h>
 #include <openenclave/internal/syscall/dirent.h>
 #include <openenclave/internal/syscall/unistd.h>
@@ -48,6 +49,133 @@ struct tab_entry
     int val;
 };
 
+static struct tab_entry winerr2errno[] = {
+    {ERROR_ACCESS_DENIED, OE_EACCES},
+    {ERROR_ACTIVE_CONNECTIONS, OE_EAGAIN},
+    {ERROR_ALREADY_EXISTS, OE_EEXIST},
+    {ERROR_BAD_DEVICE, OE_ENODEV},
+    {ERROR_BAD_EXE_FORMAT, OE_ENOEXEC},
+    {ERROR_BAD_NETPATH, OE_ENOENT},
+    {ERROR_BAD_NET_NAME, OE_ENOENT},
+    {ERROR_BAD_NET_RESP, OE_ENOSYS},
+    {ERROR_BAD_PATHNAME, OE_ENOENT},
+    {ERROR_BAD_PIPE, OE_EINVAL},
+    {ERROR_BAD_UNIT, OE_ENODEV},
+    {ERROR_BAD_USERNAME, OE_EINVAL},
+    {ERROR_BEGINNING_OF_MEDIA, OE_EIO},
+    {ERROR_BROKEN_PIPE, OE_EPIPE},
+    {ERROR_BUSY, OE_EBUSY},
+    {ERROR_BUS_RESET, OE_EIO},
+    {ERROR_CALL_NOT_IMPLEMENTED, OE_ENOSYS},
+    {ERROR_CANCELLED, OE_EINTR},
+    {ERROR_CANNOT_MAKE, OE_EPERM},
+    {ERROR_CHILD_NOT_COMPLETE, OE_EBUSY},
+    {ERROR_COMMITMENT_LIMIT, OE_EAGAIN},
+    {ERROR_CONNECTION_REFUSED, OE_ECONNREFUSED},
+    {ERROR_CRC, OE_EIO},
+    {ERROR_DEVICE_DOOR_OPEN, OE_EIO},
+    {ERROR_DEVICE_IN_USE, OE_EAGAIN},
+    {ERROR_DEVICE_REQUIRES_CLEANING, OE_EIO},
+    {ERROR_DEV_NOT_EXIST, OE_ENOENT},
+    {ERROR_DIRECTORY, OE_ENOTDIR},
+    {ERROR_DIR_NOT_EMPTY, OE_ENOTEMPTY},
+    {ERROR_DISK_CORRUPT, OE_EIO},
+    {ERROR_DISK_FULL, OE_ENOSPC},
+    {ERROR_DS_GENERIC_ERROR, OE_EIO},
+    {ERROR_DUP_NAME, OE_ENOTUNIQ},
+    {ERROR_EAS_DIDNT_FIT, OE_ENOSPC},
+    {ERROR_EAS_NOT_SUPPORTED, OE_ENOTSUP},
+    {ERROR_EA_LIST_INCONSISTENT, OE_EINVAL},
+    {ERROR_EA_TABLE_FULL, OE_ENOSPC},
+    {ERROR_END_OF_MEDIA, OE_ENOSPC},
+    {ERROR_EOM_OVERFLOW, OE_EIO},
+    {ERROR_EXE_MACHINE_TYPE_MISMATCH, OE_ENOEXEC},
+    {ERROR_EXE_MARKED_INVALID, OE_ENOEXEC},
+    {ERROR_FILEMARK_DETECTED, OE_EIO},
+    {ERROR_FILENAME_EXCED_RANGE, OE_ENAMETOOLONG},
+    {ERROR_FILE_CORRUPT, OE_EEXIST},
+    {ERROR_FILE_EXISTS, OE_EEXIST},
+    {ERROR_FILE_INVALID, OE_ENXIO},
+    {ERROR_FILE_NOT_FOUND, OE_ENOENT},
+    {ERROR_HANDLE_DISK_FULL, OE_ENOSPC},
+    {ERROR_HANDLE_EOF, OE_ENODATA},
+    {ERROR_INVALID_ADDRESS, OE_EINVAL},
+    {ERROR_INVALID_AT_INTERRUPT_TIME, OE_EINTR},
+    {ERROR_INVALID_BLOCK_LENGTH, OE_EIO},
+    {ERROR_INVALID_DATA, OE_EINVAL},
+    {ERROR_INVALID_DRIVE, OE_ENODEV},
+    {ERROR_INVALID_EA_NAME, OE_EINVAL},
+    {ERROR_INVALID_EXE_SIGNATURE, OE_ENOEXEC},
+    {ERROR_INVALID_FUNCTION, OE_EBADRQC},
+    {ERROR_INVALID_HANDLE, OE_EBADF},
+    {ERROR_INVALID_NAME, OE_ENOENT},
+    {ERROR_INVALID_PARAMETER, OE_EINVAL},
+    {ERROR_INVALID_SIGNAL_NUMBER, OE_EINVAL},
+    {ERROR_IOPL_NOT_ENABLED, OE_ENOEXEC},
+    {ERROR_IO_DEVICE, OE_EIO},
+    {ERROR_IO_INCOMPLETE, OE_EAGAIN},
+    {ERROR_IO_PENDING, OE_EAGAIN},
+    {ERROR_LOCK_VIOLATION, OE_EBUSY},
+    {ERROR_MAX_THRDS_REACHED, OE_EAGAIN},
+    {ERROR_META_EXPANSION_TOO_LONG, OE_EINVAL},
+    {ERROR_MOD_NOT_FOUND, OE_ENOENT},
+    {ERROR_MORE_DATA, OE_EMSGSIZE},
+    {ERROR_NEGATIVE_SEEK, OE_EINVAL},
+    {ERROR_NETNAME_DELETED, OE_ENOENT},
+    {ERROR_NOACCESS, OE_EFAULT},
+    {ERROR_NONE_MAPPED, OE_EINVAL},
+    {ERROR_NONPAGED_SYSTEM_RESOURCES, OE_EAGAIN},
+    {ERROR_NOT_CONNECTED, OE_ENOLINK},
+    {ERROR_NOT_ENOUGH_MEMORY, OE_ENOMEM},
+    {ERROR_NOT_ENOUGH_QUOTA, OE_EIO},
+    {ERROR_NOT_OWNER, OE_EPERM},
+    {ERROR_NOT_READY, OE_ENOMEDIUM},
+    {ERROR_NOT_SAME_DEVICE, OE_EXDEV},
+    {ERROR_NOT_SUPPORTED, OE_ENOSYS},
+    {ERROR_NO_DATA, OE_EPIPE},
+    {ERROR_NO_DATA_DETECTED, OE_EIO},
+    {ERROR_NO_MEDIA_IN_DRIVE, OE_ENOMEDIUM},
+    {ERROR_NO_MORE_FILES, OE_ENFILE},
+    {ERROR_NO_MORE_ITEMS, OE_ENFILE},
+    {ERROR_NO_MORE_SEARCH_HANDLES, OE_ENFILE},
+    {ERROR_NO_PROC_SLOTS, OE_EAGAIN},
+    {ERROR_NO_SIGNAL_SENT, OE_EIO},
+    {ERROR_NO_SYSTEM_RESOURCES, OE_EFBIG},
+    {ERROR_NO_TOKEN, OE_EINVAL},
+    {ERROR_OPEN_FAILED, OE_EIO},
+    {ERROR_OPEN_FILES, OE_EAGAIN},
+    {ERROR_OUTOFMEMORY, OE_ENOMEM},
+    {ERROR_PAGED_SYSTEM_RESOURCES, OE_EAGAIN},
+    {ERROR_PAGEFILE_QUOTA, OE_EAGAIN},
+    {ERROR_PATH_NOT_FOUND, OE_ENOENT},
+    {ERROR_PIPE_BUSY, OE_EBUSY},
+    {ERROR_PIPE_CONNECTED, OE_EBUSY},
+    {ERROR_PIPE_LISTENING, OE_ECOMM},
+    {ERROR_PIPE_NOT_CONNECTED, OE_ECOMM},
+    {ERROR_POSSIBLE_DEADLOCK, OE_EDEADLOCK},
+    {ERROR_PRIVILEGE_NOT_HELD, OE_EPERM},
+    {ERROR_PROCESS_ABORTED, OE_EFAULT},
+    {ERROR_PROC_NOT_FOUND, OE_ESRCH},
+    {ERROR_REM_NOT_LIST, OE_ENONET},
+    {ERROR_SECTOR_NOT_FOUND, OE_EINVAL},
+    {ERROR_SEEK, OE_EINVAL},
+    {ERROR_SERVICE_REQUEST_TIMEOUT, OE_EBUSY},
+    {ERROR_SETMARK_DETECTED, OE_EIO},
+    {ERROR_SHARING_BUFFER_EXCEEDED, OE_ENOLCK},
+    {ERROR_SHARING_VIOLATION, OE_EBUSY},
+    {ERROR_SIGNAL_PENDING, OE_EBUSY},
+    {ERROR_SIGNAL_REFUSED, OE_EIO},
+    {ERROR_SXS_CANT_GEN_ACTCTX, OE_ELIBBAD},
+    {ERROR_THREAD_1_INACTIVE, OE_EINVAL},
+    {ERROR_TIMEOUT, OE_EBUSY},
+    {ERROR_TOO_MANY_LINKS, OE_EMLINK},
+    {ERROR_TOO_MANY_OPEN_FILES, OE_EMFILE},
+    {ERROR_UNEXP_NET_ERR, OE_EIO},
+    {ERROR_WAIT_NO_CHILDREN, OE_ECHILD},
+    {ERROR_WORKING_SET_QUOTA, OE_EAGAIN},
+    {ERROR_WRITE_PROTECT, OE_EROFS},
+    {0, 0}};
+
 static struct tab_entry winsock2errno[] = {
     {WSAEINTR, OE_EINTR},
     {WSAEBADF, OE_EBADF},
@@ -149,6 +277,11 @@ static int _do_lookup(int key, int fallback, struct tab_entry* table)
     return fallback;
 }
 
+static int _winerr_to_errno(int winerr)
+{
+    return _do_lookup(winerr, OE_EINVAL, winerr2errno);
+}
+
 static int _winsockerr_to_errno(DWORD winsockerr)
 {
     return _do_lookup(winsockerr, OE_EINVAL, winsock2errno);
@@ -466,9 +599,12 @@ oe_host_fd_t _make_socket_fd(SOCKET sock)
     {
         oe_socket_fd_t* socket_fd =
             (oe_socket_fd_t*)malloc(sizeof(oe_socket_fd_t));
-        socket_fd->magic = OE_SOCKET_FD_MAGIC;
-        socket_fd->socket = sock;
-        fd = (oe_host_fd_t)socket_fd;
+        if (socket_fd)
+        {
+            socket_fd->magic = OE_SOCKET_FD_MAGIC;
+            socket_fd->socket = sock;
+            fd = (oe_host_fd_t)socket_fd;
+        }
     }
     return fd;
 }
@@ -486,18 +622,30 @@ static oe_host_fd_t _dup_socket(oe_host_fd_t oldfd)
     oe_socket_fd_t* old_socket_fd = (oe_socket_fd_t*)oldfd;
     if (old_socket_fd && old_socket_fd->magic == OE_SOCKET_FD_MAGIC)
     {
-        oe_socket_fd_t* new_socket_fd =
-            (oe_socket_fd_t*)malloc(sizeof(oe_socket_fd_t));
-        if (new_socket_fd)
+        // Duplicate socket
+        WSAPROTOCOL_INFO protocolInfo;
+        int ret = WSADuplicateSocket(
+            old_socket_fd->socket, GetCurrentProcessId(), &protocolInfo);
+        if (ret == SOCKET_ERROR)
         {
-            *new_socket_fd = *old_socket_fd;
-            return (oe_host_fd_t)(uint64_t)new_socket_fd;
+            _set_errno(_winsockerr_to_errno(WSAGetLastError()));
         }
-        else
+
+        SOCKET sock = WSASocket(
+            protocolInfo.iAddressFamily,
+            protocolInfo.iSocketType,
+            protocolInfo.iProtocol,
+            &protocolInfo,
+            0,
+            0);
+        if (sock == INVALID_SOCKET)
         {
-            _set_errno(OE_ENOMEM);
+            _set_errno(_winsockerr_to_errno(WSAGetLastError()));
         }
+
+        return _make_socket_fd(sock);
     }
+
     return -1;
 }
 
@@ -507,13 +655,12 @@ static int _wsa_startup()
     WSADATA wsaData;
     int ret = 0;
 
-    if (!wsa_init_done)
+    if (oe_atomic_compare_and_swap(
+            &wsa_init_done, (int64_t) false, (int64_t) true))
     {
         ret = WSAStartup(2, &wsaData);
         if (ret != 0)
             goto done;
-
-        wsa_init_done = TRUE;
     }
 
 done:
@@ -1181,25 +1328,46 @@ int oe_syscall_getgroups_ocall(size_t size, unsigned int* list)
 
 int oe_syscall_uname_ocall(struct oe_utsname* buf)
 {
+    int ret = -1;
+
+    if (!buf)
+    {
+        _set_errno(OE_EINVAL);
+        goto done;
+    }
+
+    // Get domain name
+    DWORD size = sizeof(buf->domainname);
+    if (!GetComputerNameEx(ComputerNameDnsDomain, buf->domainname, &size))
+    {
+        _set_errno(_winerr_to_errno(GetLastError()));
+        goto done;
+    }
+
+    // Get hostname
+    size = sizeof(buf->nodename);
+    if (!GetComputerNameEx(ComputerNameDnsHostname, buf->nodename, &size))
+    {
+        _set_errno(_winerr_to_errno(GetLastError()));
+        goto done;
+    }
+
     // Based on
     // https://docs.microsoft.com/en-us/windows/win32/sysinfo/getting-the-system-version
     // OE SDK is supported only on WindowsServer and Win10
     if (IsWindowsServer())
     {
-        sprintf(buf->nodename, "(unknown)");
-        sprintf(buf->domainname, "(none)");
         sprintf(buf->sysname, "WindowsServer");
         sprintf(buf->version, "2016OrAbove");
-        return 0;
     }
     else if (IsWindows10OrGreater())
     {
-        sprintf(buf->nodename, "(unknown)");
-        sprintf(buf->domainname, "(none)");
         sprintf(buf->sysname, "Windows10OrGreater");
         sprintf(buf->version, "10OrAbove");
-        return 0;
     }
 
-    return -1;
+    ret = 0;
+
+done:
+    return ret;
 }
diff --git a/samples/attested_tls/CMakeLists.txt b/samples/attested_tls/CMakeLists.txt
index 276b81519c..8caddd7c0d 100644
--- a/samples/attested_tls/CMakeLists.txt
+++ b/samples/attested_tls/CMakeLists.txt
@@ -16,12 +16,12 @@ if ((NOT DEFINED ENV{OE_SIMULATION}) OR (NOT $ENV{OE_SIMULATION}))
   add_custom_target(run
     DEPENDS tls_server tls_client tls_non_enc_client tls_client_enc tls_server_enc
     COMMENT "Launch processes to establish an Attested TLS between two enclaves"
-    COMMAND ${CMAKE_BINARY_DIR}/server/host/tls_server_host ${CMAKE_BINARY_DIR}/server/enc/tls_server_enc.signed -port:12341 &
+    COMMAND bash -c "${CMAKE_BINARY_DIR}/server/host/tls_server_host ${CMAKE_BINARY_DIR}/server/enc/tls_server_enc.signed -port:12341 &"
     COMMAND ${CMAKE_COMMAND} -E sleep 2
     COMMAND ${CMAKE_BINARY_DIR}/client/host/tls_client_host ${CMAKE_BINARY_DIR}/client/enc/tls_client_enc.signed -server:localhost -port:12341
     COMMAND ${CMAKE_COMMAND} -E sleep 2
     COMMENT "Launch processes to establish an Attested TLS between an non-encalve TLS client and an TLS server running inside an enclave "
-    COMMAND ${CMAKE_BINARY_DIR}/server/host/tls_server_host ${CMAKE_BINARY_DIR}/server/enc/tls_server_enc.signed -port:12341 &
+    COMMAND bash -c "${CMAKE_BINARY_DIR}/server/host/tls_server_host ${CMAKE_BINARY_DIR}/server/enc/tls_server_enc.signed -port:12341 &"
     COMMAND ${CMAKE_COMMAND} -E sleep 2
     COMMAND ${CMAKE_BINARY_DIR}/non_enc_client/tls_non_enc_client -server:localhost -port:12341)
 endif ()
diff --git a/samples/attested_tls/non_enc_client/client.cpp b/samples/attested_tls/non_enc_client/client.cpp
index 3a7478d351..10c7894ec4 100644
--- a/samples/attested_tls/non_enc_client/client.cpp
+++ b/samples/attested_tls/non_enc_client/client.cpp
@@ -2,8 +2,7 @@
 // Licensed under the MIT License.
 
 #ifdef _WIN32
-#include <Ws2def.h>
-#include <winsock2.h>
+#include <ws2tcpip.h>
 #define close closesocket
 #else
 #include <arpa/inet.h>
@@ -142,12 +141,46 @@ int create_socket(char* server_name, char* server_port)
     int sockfd = -1;
     char* addr_ptr = NULL;
     int port = 0;
-    struct hostent* host = NULL;
-    struct sockaddr_in dest_addr;
+    struct addrinfo hints, *dest_info;
+    int res;
 
-    if ((host = gethostbyname(server_name)) == NULL)
+#ifdef _WIN32
+    WSADATA wsaData;
+    if ((res = WSAStartup(MAKEWORD(2, 2), &wsaData)) != 0)
+    {
+        printf(TLS_CLIENT "Error: WSAStartup failed: %d\n", res);
+        goto done;
+    }
+#endif
+
+    hints = {0};
+    hints.ai_family = AF_INET;
+    hints.ai_socktype = SOCK_STREAM;
+
+    if ((res = getaddrinfo(server_name, server_port, &hints, &dest_info)) != 0)
     {
-        printf(TLS_CLIENT "Error: Cannot resolve hostname %s.\n", server_name);
+        printf(
+            TLS_CLIENT "Error: Cannot resolve hostname %s. %s\n",
+            server_name,
+            gai_strerror(res));
+        goto done;
+    }
+
+    while (dest_info)
+    {
+        if (dest_info->ai_family == AF_INET)
+        {
+            break;
+        }
+
+        dest_info = dest_info->ai_next;
+    }
+
+    if (!dest_info)
+    {
+        printf(
+            TLS_CLIENT "Error: Cannot get address for hostname %s.\n",
+            server_name);
         goto done;
     }
 
@@ -158,17 +191,10 @@ int create_socket(char* server_name, char* server_port)
         goto done;
     }
 
-    port = atoi(server_port);
-    dest_addr.sin_family = AF_INET;
-    dest_addr.sin_port = htons(port);
-    dest_addr.sin_addr.s_addr = *(long*)(host->h_addr);
-
-    memset(&(dest_addr.sin_zero), '\0', 8);
-    addr_ptr = inet_ntoa(dest_addr.sin_addr);
-
     if (connect(
-            sockfd, (struct sockaddr*)&dest_addr, sizeof(struct sockaddr)) ==
-        -1)
+            sockfd,
+            (struct sockaddr*)dest_info->ai_addr,
+            sizeof(struct sockaddr)) == -1)
     {
         printf(
             TLS_CLIENT "failed to connect to %s:%s (errno=%d)\n",
diff --git a/samples/attested_tls/non_enc_client/verify_callback.cpp b/samples/attested_tls/non_enc_client/verify_callback.cpp
index 089adc15e4..21af6fe096 100644
--- a/samples/attested_tls/non_enc_client/verify_callback.cpp
+++ b/samples/attested_tls/non_enc_client/verify_callback.cpp
@@ -2,8 +2,7 @@
 // Licensed under the MIT License.
 
 #ifdef _WIN32
-#include <Ws2def.h>
-#include <winsock2.h>
+#include <ws2tcpip.h>
 #else
 #include <arpa/inet.h>
 #include <netdb.h>
diff --git a/samples/attested_tls/scripts/gen_mrenclave_header.py b/samples/attested_tls/scripts/gen_mrenclave_header.py
deleted file mode 100644
index f1f5f4bcfa..0000000000
--- a/samples/attested_tls/scripts/gen_mrenclave_header.py
+++ /dev/null
@@ -1,60 +0,0 @@
-# Copyright (c) Open Enclave SDK contributors.
-# Licensed under the MIT License.
-
-import sys
-import os
-
-def parse_mrenclave(fname):
-    enc_bytes = []
-    with open(fname, "r") as f:
-        for line in f:
-            prefix = "mrenclave="
-            if line.startswith(prefix):
-                line = line[len(prefix):]
-                new_byte = True
-                b = ""
-                for char in line:
-                    if new_byte:
-                        b = "0x" + char
-                        new_byte = False
-                    else:
-                        b += char
-                        enc_bytes.append(b)
-                        new_byte = True
-
-    return ("," + os.linesep).join(enc_bytes)
-
-def gen_header(inpath, outpath):
-    lines = [
-        "// Copyright (c) Open Enclave SDK contributors.",
-        "// Licensed under the MIT License.",
-        "",
-        "#ifndef SAMPLES_ATTESTED_TLS_SERVER_UNIQUE_ID_H",
-        "#define SAMPLES_ATTESTED_TLS_SERVER_UNIQUE_ID_H",
-        "",
-        "static const unsigned char SERVER_ENCLAVE_MRENCLAVE[] =",
-        "{"
-    ]
-
-    lines.append(parse_mrenclave(inpath))
-
-    lines += [
-        "};",
-        "",
-        "#endif /* SAMPLES_ATTESTED_TLS_SERVER_UNIQUE_ID_H */",
-        ""
-    ]
-
-    return os.linesep.join(lines)
-
-if __name__ == "__main__":
-    if len(sys.argv) < 3:
-        print("Usage: gen_mrenclave_header.py <oesign_dump> <output_file>")
-        sys.exit(1)
-
-    outpath = sys.argv[1]
-    inpath = sys.argv[2]
-
-    header = gen_header(inpath, outpath)
-    with open(outpath, "w") as f:
-        f.write(header)
diff --git a/samples/attested_tls/scripts/gen_mrenclave_header.sh b/samples/attested_tls/scripts/gen_mrenclave_header.sh
index 0cbc989e70..c61ff42a28 100755
--- a/samples/attested_tls/scripts/gen_mrenclave_header.sh
+++ b/samples/attested_tls/scripts/gen_mrenclave_header.sh
@@ -21,11 +21,15 @@ printf '\n{' >> "$destfile"
 while read -r line; do
   if [[ $line == mrenclave=* ]]; then
     read -r mrenclave < <(echo "$line" | cut -d'=' --fields=2)
+    if [[ "${mrenclave: -1}" = $'\r' ]]; then
+      mrenclave="${mrenclave:0: -1}"
+    fi
+
     for (( i=0; i<${#mrenclave}; i=i+2)); do
-      echo "0x${mrenclave:$i:2}" >> "$destfile"
+      echo -n "0x${mrenclave:$i:2}" >> "$destfile"
       index=$((${#mrenclave} - 2))
       if [ $i -lt $index ]; then
-        printf "," >> "$destfile"
+        printf ",\n" >> "$destfile"
       fi
     done
   fi
@@ -36,5 +40,4 @@ printf '};\n' >> "$destfile"
 cat >> "$destfile" << EOF
 
 #endif /* SAMPLES_ATTESTED_TLS_SERVER_UNIQUE_ID_H */
-EOF
-
+EOF
\ No newline at end of file
diff --git a/samples/attested_tls/server/enc/CMakeLists.txt b/samples/attested_tls/server/enc/CMakeLists.txt
index a321c9a449..fbbaaebaf7 100644
--- a/samples/attested_tls/server/enc/CMakeLists.txt
+++ b/samples/attested_tls/server/enc/CMakeLists.txt
@@ -1,8 +1,6 @@
 # Copyright (c) Open Enclave SDK contributors.
 # Licensed under the MIT License.
 
-find_package(PythonInterp 3 REQUIRED)
-
 # Use the edger8r to generate C bindings from the EDL file.
 add_custom_command(OUTPUT tls_server_t.h tls_server_t.c tls_server_args.h
   DEPENDS ${CMAKE_SOURCE_DIR}/server/tls_server.edl
@@ -13,7 +11,7 @@ add_custom_command(OUTPUT tls_server_enc.signed tls_server_enc_mrenclave.h
   DEPENDS tls_server_enc enc.conf ${CMAKE_SOURCE_DIR}/server/enc/private.pem ${CMAKE_SOURCE_DIR}/scripts/gen_mrenclave_header.sh
   COMMAND openenclave::oesign sign -e $<TARGET_FILE:tls_server_enc> -c ${CMAKE_SOURCE_DIR}/server/enc/enc.conf -k ${CMAKE_SOURCE_DIR}/server/enc/private.pem
   COMMAND openenclave::oesign dump -e tls_server_enc.signed  > temp.dmp
-  COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_SOURCE_DIR}/scripts/gen_mrenclave_header.py ${CMAKE_SOURCE_DIR}/common/tls_server_enc_mrenclave.h temp.dmp
+  COMMAND bash ${CMAKE_SOURCE_DIR}/scripts/gen_mrenclave_header.sh ${CMAKE_SOURCE_DIR}/common/tls_server_enc_mrenclave.h temp.dmp
   COMMAND ${CMAKE_COMMAND} -E remove temp.dmp)
 
 add_executable(tls_server_enc
diff --git a/tests/syscall/socket/enc/enc.c b/tests/syscall/socket/enc/enc.c
index f0f3faed10..4a07589b2d 100644
--- a/tests/syscall/socket/enc/enc.c
+++ b/tests/syscall/socket/enc/enc.c
@@ -172,6 +172,7 @@ int ecall_run_server()
             printf("enc: accept failed errno = %d \n", oe_errno);
         }
     }
+
     oe_close(listenfd);
     printf("exit from server thread\n");
     return status;

From 7144e6aedfc38244ab46981d02f3c3ee32b04334 Mon Sep 17 00:00:00 2001
From: Yen Lee <yenlee@microsoft.com>
Date: Mon, 2 Dec 2019 13:02:48 -0800
Subject: [PATCH 357/420] Better return message

Signed-off-by: Yen Lee <yenlee@microsoft.com>
---
 tests/tools/oecertdump/CMakeLists.txt      |  2 +-
 tests/tools/oecertdump/README.md           |  8 +++++++-
 tests/tools/oecertdump/enc/CMakeLists.txt  |  4 ++--
 tests/tools/oecertdump/host/CMakeLists.txt |  6 +++++-
 tests/tools/oecertdump/host/host.cpp       | 13 +++++++++----
 5 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/tests/tools/oecertdump/CMakeLists.txt b/tests/tools/oecertdump/CMakeLists.txt
index 00835ae94f..45fe19551b 100644
--- a/tests/tools/oecertdump/CMakeLists.txt
+++ b/tests/tools/oecertdump/CMakeLists.txt
@@ -5,4 +5,4 @@ if (BUILD_ENCLAVES)
    add_subdirectory(enc)
 endif()
 
-add_subdirectory(host)
\ No newline at end of file
+add_subdirectory(host)
diff --git a/tests/tools/oecertdump/README.md b/tests/tools/oecertdump/README.md
index eee664355e..7af6beafaa 100644
--- a/tests/tools/oecertdump/README.md
+++ b/tests/tools/oecertdump/README.md
@@ -10,4 +10,10 @@ Usage: oecertdump ENCLAVE_PATH Options
 where Options are:
     --out FILENAME        : specify output filename.
 
-Example: host/oecertdump enc/oecertdump_enc --out myoutput.log
\ No newline at end of file
+Example: host/oecertdump enc/oecertdump_enc --out myoutput.log
+
+If the validation succeeds, oecertdump returns 0 and prints success message to stdout. For example,
+    "oecertdump succeeded. Log file oecertdump_out.log created."
+
+If the validation fails, oecertdump returns non zero and prints failure message to stdout. For example,
+    "Failed to process parameters."
\ No newline at end of file
diff --git a/tests/tools/oecertdump/enc/CMakeLists.txt b/tests/tools/oecertdump/enc/CMakeLists.txt
index c9c76f15e8..2cd6258ca6 100644
--- a/tests/tools/oecertdump/enc/CMakeLists.txt
+++ b/tests/tools/oecertdump/enc/CMakeLists.txt
@@ -7,7 +7,7 @@ add_custom_command(OUTPUT oecertdump_t.h oecertdump_t.c oecertdump_args.h
 
 add_enclave(TARGET oecertdump_enc SOURCES enc.cpp ${CMAKE_CURRENT_BINARY_DIR}/oecertdump_t.c)
 
-# Need for the generated file oecert_t.h
+# Need for the generated file oecertdump_t.h
 target_include_directories(oecertdump_enc PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
 
-target_link_libraries(oecertdump_enc oeenclave oelibc)
\ No newline at end of file
+target_link_libraries(oecertdump_enc oeenclave oelibc)
diff --git a/tests/tools/oecertdump/host/CMakeLists.txt b/tests/tools/oecertdump/host/CMakeLists.txt
index 1b328ae6f9..5793895ca8 100644
--- a/tests/tools/oecertdump/host/CMakeLists.txt
+++ b/tests/tools/oecertdump/host/CMakeLists.txt
@@ -13,4 +13,8 @@ target_include_directories(oecertdump PRIVATE
   ${CMAKE_CURRENT_BINARY_DIR}
   -I/usr/include/openssl)
 
-target_link_libraries(oecertdump oehost)
\ No newline at end of file
+target_link_libraries(oecertdump oehost)
+
+if(HAS_QUOTE_PROVIDER)
+    target_compile_definitions(oecertdump PRIVATE OE_LINK_SGX_DCAP_QL)
+endif()
diff --git a/tests/tools/oecertdump/host/host.cpp b/tests/tools/oecertdump/host/host.cpp
index 8502be43a3..2b8b81b695 100644
--- a/tests/tools/oecertdump/host/host.cpp
+++ b/tests/tools/oecertdump/host/host.cpp
@@ -124,7 +124,7 @@ static oe_result_t _gen_cert(oe_enclave_t* enclave)
         enclave, &ecall_result, &cert, &cert_size);
     if ((result != OE_OK) || (ecall_result != OE_OK))
     {
-        log("Failed to create certificate. Enclave: %s, Host: %s\n",
+        log("Failed to create EC certificate. Enclave: %s, Host: %s\n",
             oe_result_str(ecall_result),
             oe_result_str(result));
 
@@ -147,7 +147,7 @@ static oe_result_t _gen_cert(oe_enclave_t* enclave)
         enclave, &ecall_result, &cert, &cert_size);
     if ((result != OE_OK) || (ecall_result != OE_OK))
     {
-        log("Failed to create certificate. Enclave: %s, Host: %s\n",
+        log("Failed to create RSA certificate. Enclave: %s, Host: %s\n",
             oe_result_str(ecall_result),
             oe_result_str(result));
 
@@ -259,7 +259,7 @@ int main(int argc, const char* argv[])
     const uint32_t flags = oe_get_create_flags();
     if ((flags & OE_ENCLAVE_FLAG_SIMULATE) != 0)
     {
-        printf("oecert not supported in simulation mode.\n");
+        printf("oecertdump not supported in simulation mode.\n");
         goto exit;
     }
 
@@ -296,13 +296,17 @@ int main(int argc, const char* argv[])
 
     if ((result = _process_params(enclave)) != OE_OK)
     {
-        log("Failed to process parameters. result=%u (%s)\n",
+        printf(
+            "Failed to process parameters. result=%u (%s)\n",
             result,
             oe_result_str(result));
         ret = 1;
         goto exit;
     }
 
+    printf(
+        "oecertdump succeeded. Log file %s created.\n", _params.out_filename);
+
 exit:
     if (enclave)
         oe_terminate_enclave(enclave);
@@ -318,6 +322,7 @@ int main(int argc, const char* argv[])
     "OE_LINK_SGX_DCAP_QL is not set to ON.  This tool requires DCAP libraries."
     OE_UNUSED(argc);
     OE_UNUSED(argv);
+    printf("oecertdump requires DCAP libraries.\n");
 #endif
     return ret;
 }

From 13bdaa41db052486cc6ff0be7fe1286915ec0107 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Mon, 2 Dec 2019 14:39:29 -0800
Subject: [PATCH 358/420] Only build tls_e2e tests of enclaves are built

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 tests/CMakeLists.txt | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 19119878e4..4ece6a31e7 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -48,6 +48,9 @@ if (UNIX OR ADD_WINDOWS_ENCLAVE_TESTS OR USE_CLANGW)
             add_subdirectory(thread_local)
             add_subdirectory(thread_local_no_tdata)
         endif()
+        if (BUILD_ENCLAVES)
+            add_subdirectory(tls_e2e)
+        endif()
         add_subdirectory(argv)
         add_subdirectory(attestation_cert_apis)
         add_subdirectory(backtrace)
@@ -67,7 +70,6 @@ if (UNIX OR ADD_WINDOWS_ENCLAVE_TESTS OR USE_CLANGW)
         add_subdirectory(sealKey)
         add_subdirectory(stdc)
         add_subdirectory(syscall)
-        add_subdirectory(tls_e2e)
         add_subdirectory(VectorException)
     endif()
 

From a945221658fde4c88c4ad845e19113379323a405 Mon Sep 17 00:00:00 2001
From: Thomas Tendyck <tt@edgeless.systems>
Date: Tue, 3 Dec 2019 09:43:19 +0100
Subject: [PATCH 359/420] Fix opendir() does not return NULL on error

oe_opendir() always returned a valid pointer even if the host call
returned NULL.

Signed-off-by: Thomas Tendyck <tt@edgeless.systems>
---
 syscall/devices/hostfs/hostfs.c    | 14 +++++++-------
 tests/syscall/fs/enc/enc.cpp       | 12 ++++++++++++
 tests/syscall/fs/enc/file_system.h |  9 +++++++++
 3 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/syscall/devices/hostfs/hostfs.c b/syscall/devices/hostfs/hostfs.c
index c433289a3b..c826e268f6 100644
--- a/syscall/devices/hostfs/hostfs.c
+++ b/syscall/devices/hostfs/hostfs.c
@@ -871,13 +871,13 @@ static oe_fd_t* _hostfs_opendir(oe_device_t* device, const char* name)
     if (oe_syscall_opendir_ocall(&retval, host_name) != OE_OK)
         OE_RAISE_ERRNO(OE_EINVAL);
 
-    if (retval != 0)
-    {
-        dir->base.type = OE_FD_TYPE_FILE;
-        dir->magic = DIR_MAGIC;
-        dir->base.ops.file = _get_file_ops();
-        dir->host_dir = retval;
-    }
+    if (!retval)
+        OE_RAISE_ERRNO(oe_errno);
+
+    dir->base.type = OE_FD_TYPE_FILE;
+    dir->magic = DIR_MAGIC;
+    dir->base.ops.file = _get_file_ops();
+    dir->host_dir = retval;
 
     ret = &dir->base;
     dir = NULL;
diff --git a/tests/syscall/fs/enc/enc.cpp b/tests/syscall/fs/enc/enc.cpp
index 58989974bd..aeedfa54f7 100644
--- a/tests/syscall/fs/enc/enc.cpp
+++ b/tests/syscall/fs/enc/enc.cpp
@@ -326,6 +326,17 @@ static void test_unlink_file(FILE_SYSTEM& fs, const char* tmp_dir)
     OE_TEST(fs.stat(path, &buf) != 0);
 }
 
+template <class FILE_SYSTEM>
+static void test_invalid_path(FILE_SYSTEM& fs)
+{
+    const char* const path = "doesnotexist";
+    printf("--- %s()\n", __FUNCTION__);
+    OE_TEST(fs.open(path, O_RDONLY, 0) == FILE_SYSTEM::invalid_file_handle);
+    OE_TEST(fs.opendir(path) == FILE_SYSTEM::invalid_dir_handle);
+    OE_TEST(fs.rmdir(path) == -1);
+    OE_TEST(fs.truncate(path, 0) == -1);
+}
+
 template <class FILE_SYSTEM>
 void test_all(FILE_SYSTEM& fs, const char* tmp_dir)
 {
@@ -338,6 +349,7 @@ void test_all(FILE_SYSTEM& fs, const char* tmp_dir)
     test_readdir(fs, tmp_dir);
     test_truncate_file(fs, tmp_dir);
     test_unlink_file(fs, tmp_dir);
+    test_invalid_path(fs);
     cleanup(fs, tmp_dir);
 }
 
diff --git a/tests/syscall/fs/enc/file_system.h b/tests/syscall/fs/enc/file_system.h
index 8370316c5a..86eae95c81 100644
--- a/tests/syscall/fs/enc/file_system.h
+++ b/tests/syscall/fs/enc/file_system.h
@@ -30,6 +30,9 @@ class oe_fd_file_system
     typedef struct oe_stat stat_type;
     typedef struct oe_dirent dirent_type;
 
+    static constexpr file_handle invalid_file_handle = -1;
+    static constexpr dir_handle invalid_dir_handle = nullptr;
+
     oe_fd_file_system(void)
     {
     }
@@ -158,6 +161,9 @@ class fd_file_system
     typedef struct oe_stat stat_type;
     typedef struct dirent dirent_type;
 
+    static constexpr file_handle invalid_file_handle = -1;
+    static constexpr dir_handle invalid_dir_handle = nullptr;
+
     fd_file_system(void)
     {
     }
@@ -286,6 +292,9 @@ class stream_file_system
     typedef struct stat stat_type;
     typedef struct dirent dirent_type;
 
+    static constexpr file_handle invalid_file_handle = nullptr;
+    static constexpr dir_handle invalid_dir_handle = nullptr;
+
     stream_file_system(void)
     {
     }

From 3ab92ee35e576b8b31152bf7d61e6f77aa8174ea Mon Sep 17 00:00:00 2001
From: Mike Brasher <mikbras@microsoft.com>
Date: Tue, 3 Dec 2019 13:26:44 -0600
Subject: [PATCH 360/420] Add guidance on disabling doxygen comments.

Signed-off-by: Mike Brasher <mikbras@microsoft.com>
---
 docs/DevelopmentGuide.md     | 3 +++
 docs/refman/doxygen-howto.md | 1 +
 2 files changed, 4 insertions(+)

diff --git a/docs/DevelopmentGuide.md b/docs/DevelopmentGuide.md
index 493e75f823..fbeacdc193 100644
--- a/docs/DevelopmentGuide.md
+++ b/docs/DevelopmentGuide.md
@@ -16,6 +16,9 @@ Coding Conventions
   headers. This is also encouraged, but not strictly required, for internal API
   headers as well.
 
+* **DO** disable doxygen documentation for elements that are not in the public
+  API as described [here](./refman/doxygen-howto.md#disable-doxygen).
+
 * **DON'T** use global variables where possible.
 
 * **DON'T** use abbreviations unless they are already well-known terms known by
diff --git a/docs/refman/doxygen-howto.md b/docs/refman/doxygen-howto.md
index 8394d5ba99..24e0e773e7 100644
--- a/docs/refman/doxygen-howto.md
+++ b/docs/refman/doxygen-howto.md
@@ -182,6 +182,7 @@ For example.
  */
 ```
 
+<a name="disable-doxygen"></a>
 ### Disabling Doxygen documentation from blocks of code
 
 To disable Doxygen documentation from blocks of code with `#defines` or

From 28672ca61bd2855c0e17a1751f0b0dca6b07ebfa Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Mon, 2 Dec 2019 17:17:09 -0800
Subject: [PATCH 361/420] Fix memory leak in attested_tls sample

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 samples/attested_tls/non_enc_client/client.cpp | 17 +++++++++++------
 samples/attested_tls/server/enc/CMakeLists.txt |  3 ++-
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/samples/attested_tls/non_enc_client/client.cpp b/samples/attested_tls/non_enc_client/client.cpp
index 10c7894ec4..91f4dccdd8 100644
--- a/samples/attested_tls/non_enc_client/client.cpp
+++ b/samples/attested_tls/non_enc_client/client.cpp
@@ -141,7 +141,7 @@ int create_socket(char* server_name, char* server_port)
     int sockfd = -1;
     char* addr_ptr = NULL;
     int port = 0;
-    struct addrinfo hints, *dest_info;
+    struct addrinfo hints, *dest_info, *curr_di;
     int res;
 
 #ifdef _WIN32
@@ -166,17 +166,18 @@ int create_socket(char* server_name, char* server_port)
         goto done;
     }
 
-    while (dest_info)
+    curr_di = dest_info;
+    while (curr_di)
     {
-        if (dest_info->ai_family == AF_INET)
+        if (curr_di->ai_family == AF_INET)
         {
             break;
         }
 
-        dest_info = dest_info->ai_next;
+        curr_di = curr_di->ai_next;
     }
 
-    if (!dest_info)
+    if (!curr_di)
     {
         printf(
             TLS_CLIENT "Error: Cannot get address for hostname %s.\n",
@@ -193,7 +194,7 @@ int create_socket(char* server_name, char* server_port)
 
     if (connect(
             sockfd,
-            (struct sockaddr*)dest_info->ai_addr,
+            (struct sockaddr*)curr_di->ai_addr,
             sizeof(struct sockaddr)) == -1)
     {
         printf(
@@ -206,7 +207,11 @@ int create_socket(char* server_name, char* server_port)
         goto done;
     }
     printf(TLS_CLIENT "connected to %s:%s\n", server_name, server_port);
+
 done:
+    if (dest_info)
+        freeaddrinfo(dest_info);
+
     return sockfd;
 }
 
diff --git a/samples/attested_tls/server/enc/CMakeLists.txt b/samples/attested_tls/server/enc/CMakeLists.txt
index fbbaaebaf7..2cf11dc422 100644
--- a/samples/attested_tls/server/enc/CMakeLists.txt
+++ b/samples/attested_tls/server/enc/CMakeLists.txt
@@ -12,6 +12,7 @@ add_custom_command(OUTPUT tls_server_enc.signed tls_server_enc_mrenclave.h
   COMMAND openenclave::oesign sign -e $<TARGET_FILE:tls_server_enc> -c ${CMAKE_SOURCE_DIR}/server/enc/enc.conf -k ${CMAKE_SOURCE_DIR}/server/enc/private.pem
   COMMAND openenclave::oesign dump -e tls_server_enc.signed  > temp.dmp
   COMMAND bash ${CMAKE_SOURCE_DIR}/scripts/gen_mrenclave_header.sh ${CMAKE_SOURCE_DIR}/common/tls_server_enc_mrenclave.h temp.dmp
+  COMMAND ${CMAKE_COMMAND} -E sleep 0.5
   COMMAND ${CMAKE_COMMAND} -E remove temp.dmp)
 
 add_executable(tls_server_enc
@@ -40,4 +41,4 @@ target_link_libraries(tls_server_enc
 		openenclave::oehostsock
 		openenclave::oehostresolver)
 
-add_custom_target(tls_server_sign_enc ALL DEPENDS tls_server_enc.signed)
+add_custom_target(tls_server_sign_enc ALL DEPENDS tls_server_enc.signed tls_server_enc_mrenclave.h)

From 87280435cc2fa300b36876212226f14d5cd18fae Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Tue, 3 Dec 2019 16:17:49 -0800
Subject: [PATCH 362/420] Don't build socket test enclave when BUILD_ENCLAVES
 is set to FALSE

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 .../scripts/gen_mrenclave_header.sh           | 27 ++++++++++++-------
 .../attested_tls/server/enc/CMakeLists.txt    |  1 -
 tests/syscall/CMakeLists.txt                  |  1 +
 tests/syscall/socket/CMakeLists.txt           |  4 ++-
 4 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/samples/attested_tls/scripts/gen_mrenclave_header.sh b/samples/attested_tls/scripts/gen_mrenclave_header.sh
index c61ff42a28..783334e760 100755
--- a/samples/attested_tls/scripts/gen_mrenclave_header.sh
+++ b/samples/attested_tls/scripts/gen_mrenclave_header.sh
@@ -6,18 +6,22 @@
 destfile="$1"
 input_file="$2"
 
-cat > "$destfile" << EOF
+# Store text in variables and then write file all at once at the end. This
+# will keep build tools from consuming an incomplete header file.
+
+SECTION1="$(cat <<-EOF
 // Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
 #ifndef SAMPLES_ATTESTED_TLS_SERVER_UNIQUE_ID_H
 #define SAMPLES_ATTESTED_TLS_SERVER_UNIQUE_ID_H
 
+static const unsigned char SERVER_ENCLAVE_MRENCLAVE[] =
+{
 EOF
+)"
 
-printf 'static const unsigned char SERVER_ENCLAVE_MRENCLAVE[] =' >> "$destfile"
-printf '\n{' >> "$destfile"
-
+SECTION2=""
 while read -r line; do
   if [[ $line == mrenclave=* ]]; then
     read -r mrenclave < <(echo "$line" | cut -d'=' --fields=2)
@@ -26,18 +30,23 @@ while read -r line; do
     fi
 
     for (( i=0; i<${#mrenclave}; i=i+2)); do
-      echo -n "0x${mrenclave:$i:2}" >> "$destfile"
+      echo -n "" >> "$destfile"
+      SECTION2=$SECTION2"0x${mrenclave:$i:2}"
       index=$((${#mrenclave} - 2))
       if [ $i -lt $index ]; then
-        printf ",\n" >> "$destfile"
+        SECTION2=$SECTION2",\n"
       fi
     done
   fi
 done < "$input_file"
 
-printf '};\n' >> "$destfile"
 
-cat >> "$destfile" << EOF
+SECTION3="$(cat <<-EOF
+};
 
 #endif /* SAMPLES_ATTESTED_TLS_SERVER_UNIQUE_ID_H */
-EOF
\ No newline at end of file
+EOF
+)"
+
+echo -ne "$SECTION1$SECTION2$SECTION3" > $destfile
+
diff --git a/samples/attested_tls/server/enc/CMakeLists.txt b/samples/attested_tls/server/enc/CMakeLists.txt
index 2cf11dc422..a0303760cd 100644
--- a/samples/attested_tls/server/enc/CMakeLists.txt
+++ b/samples/attested_tls/server/enc/CMakeLists.txt
@@ -12,7 +12,6 @@ add_custom_command(OUTPUT tls_server_enc.signed tls_server_enc_mrenclave.h
   COMMAND openenclave::oesign sign -e $<TARGET_FILE:tls_server_enc> -c ${CMAKE_SOURCE_DIR}/server/enc/enc.conf -k ${CMAKE_SOURCE_DIR}/server/enc/private.pem
   COMMAND openenclave::oesign dump -e tls_server_enc.signed  > temp.dmp
   COMMAND bash ${CMAKE_SOURCE_DIR}/scripts/gen_mrenclave_header.sh ${CMAKE_SOURCE_DIR}/common/tls_server_enc_mrenclave.h temp.dmp
-  COMMAND ${CMAKE_COMMAND} -E sleep 0.5
   COMMAND ${CMAKE_COMMAND} -E remove temp.dmp)
 
 add_executable(tls_server_enc
diff --git a/tests/syscall/CMakeLists.txt b/tests/syscall/CMakeLists.txt
index d3e576dfa1..5bbe3162e2 100644
--- a/tests/syscall/CMakeLists.txt
+++ b/tests/syscall/CMakeLists.txt
@@ -2,6 +2,7 @@
 # Licensed under the MIT License.
 
 add_subdirectory(socket)
+
 if(UNIX)
 add_subdirectory(cpio)
 add_subdirectory(datagram)
diff --git a/tests/syscall/socket/CMakeLists.txt b/tests/syscall/socket/CMakeLists.txt
index 046363dd52..3cdcd6fff7 100644
--- a/tests/syscall/socket/CMakeLists.txt
+++ b/tests/syscall/socket/CMakeLists.txt
@@ -3,6 +3,8 @@
 
 add_subdirectory(host)
 
-add_subdirectory(enc)
+if (BUILD_ENCLAVES)
+    add_subdirectory(enc)
+endif()
 
 add_enclave_test(tests/sockets socket_host socket_enc)

From b3a65d73a26eaa95b33cc414e08dd40ef3a1e2bb Mon Sep 17 00:00:00 2001
From: Radhika Jandhyala <Radhikaj@microsoft.com>
Date: Wed, 4 Dec 2019 00:14:11 +0000
Subject: [PATCH 363/420] Updated README.md to contain a link to API docs

Signed-off-by: Radhika Jandhyala <Radhikaj@microsoft.com>
---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/README.md b/README.md
index 628deb1fb5..048ed46169 100644
--- a/README.md
+++ b/README.md
@@ -68,6 +68,12 @@ documentation:
 - [Governance Model](docs/Governance.md)
 - [Build SDK and run tests](docs/GettingStartedDocs/Contributors/building_oe_sdk.md)
 
+API Documentation
+-----------------
+
+The Doxygen generated documentation corresponding to the APIs currently supported by the master branch is [here](https://openenclave.github.io/openenclave/api/index.html).
+API Documentation for older releases of the SDK can be found on the Open Enclave SDK [website](https://openenclave.io/sdk).
+
 Licensing
 =========
 

From 68d2ec8142f46ff239bf29b064cfdec05a6a4cf4 Mon Sep 17 00:00:00 2001
From: Dave Thaler <dthaler@microsoft.com>
Date: Tue, 3 Dec 2019 16:53:26 -0800
Subject: [PATCH 364/420] Add @experimental annotation support to doxygen

Addresses issue #2216

Signed-off-by: Dave Thaler <dthaler@microsoft.com>
---
 docs/refman/CMakeLists.txt | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/refman/CMakeLists.txt b/docs/refman/CMakeLists.txt
index 904def79b1..973d91ec66 100644
--- a/docs/refman/CMakeLists.txt
+++ b/docs/refman/CMakeLists.txt
@@ -17,6 +17,12 @@ if (ENABLE_REFMAN)
   # have to specify it because we have another directory to strip.
   set(DOXYGEN_STRIP_FROM_PATH "${PROJECT_SOURCE_DIR}/include/openenclave/;${PROJECT_SOURCE_DIR}/docs/refman")
 
+  # Allow @experimental to be used in headers to mark an API as experimental and add it to a list of
+  # experimental APIs.
+  set(DOXYGEN_ALIASES
+    "experimental = \\xrefitem experimental \\\"This feature is marked as experimental\\\" \\\"Experimental List\\\""
+    "experimental{1} = \\xrefitem experimental \\\"Experimental\\\" \\\"Experimental List\\\" \\1")
+
   # NOTE: These were set to their non-default values in the existing
   # configuration file, so that configuration has been copied here.
   # However, they may or may not be desired.

From 311f7d88955fe4ad978543c172575da499b73980 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Wed, 4 Dec 2019 09:21:07 -0800
Subject: [PATCH 365/420] Fix bash linter error for attested_tls sample

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 samples/attested_tls/scripts/gen_mrenclave_header.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/samples/attested_tls/scripts/gen_mrenclave_header.sh b/samples/attested_tls/scripts/gen_mrenclave_header.sh
index 783334e760..f013009774 100755
--- a/samples/attested_tls/scripts/gen_mrenclave_header.sh
+++ b/samples/attested_tls/scripts/gen_mrenclave_header.sh
@@ -48,5 +48,5 @@ SECTION3="$(cat <<-EOF
 EOF
 )"
 
-echo -ne "$SECTION1$SECTION2$SECTION3" > $destfile
+echo -ne "$SECTION1$SECTION2$SECTION3" > "$destfile"
 

From 7d54157c29962935c959950565256b336c803b4a Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Wed, 4 Dec 2019 18:09:27 +0000
Subject: [PATCH 366/420] Move more uncommon code out of `Common.ml`

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/src/Common.ml  | 37 ----------------------------------
 tools/oeedger8r/src/Emitter.ml | 18 +++++++++++++++++
 tools/oeedger8r/src/Sources.ml | 19 +++++++++++++++++
 3 files changed, 37 insertions(+), 37 deletions(-)

diff --git a/tools/oeedger8r/src/Common.ml b/tools/oeedger8r/src/Common.ml
index c4bb696e97..f1b867b745 100644
--- a/tools/oeedger8r/src/Common.ml
+++ b/tools/oeedger8r/src/Common.ml
@@ -77,43 +77,6 @@ let is_marshalled_ptr = function
   | PTPtr (_, attr) -> attr.pa_size <> empty_ptr_size
   | PTVal _ -> false
 
-let gen_c_for level count body =
-  if count = "1" then body
-  else
-    let i = sprintf "_i_%i" level in
-    [
-      [ sprintf "for (size_t %s = 0; %s < %s; %s++)" i i count i ];
-      [ "{" ];
-      List.map (( ^ ) "    ") body;
-      [ "}" ];
-    ]
-    |> List.flatten
-
-let gen_c_deref level i = if i = "1" then "->" else sprintf "[_i_%i]." level
-
-(** [write_file] opens [filename] in the directory [dir] and emits a
-    comment noting the file is auto generated followed by the
-    [content], it then closes the file. *)
-let write_file (content : string list) (filename : string) (dir : string) =
-  let os =
-    if dir = "." then open_out filename
-    else open_out (dir ^ Intel.Util.separator_str ^ filename)
-  in
-  fprintf os "%s"
-    (String.concat "\n"
-       ( [
-           "/*";
-           " *  This file is auto generated by oeedger8r. DO NOT EDIT.";
-           " */";
-         ]
-       @ content ));
-  close_out os
-
-let attr_value_to_string argstruct = function
-  | None -> None
-  | Some (ANumber n) -> Some (string_of_int n)
-  | Some (AString s) -> Some (argstruct ^ s)
-
 (** Generate the wrapper prototype for a given function. Optionally
     add an [oe_enclave_t*] first parameter. *)
 let get_wrapper_prototype (fd : func_decl) (is_ecall : bool) =
diff --git a/tools/oeedger8r/src/Emitter.ml b/tools/oeedger8r/src/Emitter.ml
index bbcf6d1219..7fa23f9eff 100644
--- a/tools/oeedger8r/src/Emitter.ml
+++ b/tools/oeedger8r/src/Emitter.ml
@@ -9,6 +9,24 @@ open Intel.Ast
 open Printf
 open Common
 
+(** [write_file] opens [filename] in the directory [dir] and emits a
+    comment noting the file is auto generated followed by the
+    [content], it then closes the file. *)
+let write_file (content : string list) (filename : string) (dir : string) =
+  let os =
+    if dir = "." then open_out filename
+    else open_out (dir ^ Intel.Util.separator_str ^ filename)
+  in
+  fprintf os "%s"
+    (String.concat "\n"
+       ( [
+           "/*";
+           " *  This file is auto generated by oeedger8r. DO NOT EDIT.";
+           " */";
+         ]
+       @ content ));
+  close_out os
+
 let warn_non_portable_types (fd : func_decl) =
   (* Check if any of the parameters or the return type has the given
      root type. *)
diff --git a/tools/oeedger8r/src/Sources.ml b/tools/oeedger8r/src/Sources.ml
index 2d02468aaa..4b84a60a51 100644
--- a/tools/oeedger8r/src/Sources.ml
+++ b/tools/oeedger8r/src/Sources.ml
@@ -33,6 +33,25 @@ let get_deepcopy_function (enabled : bool) (cts : composite_type list)
     | None -> []
   else []
 
+let gen_c_for level count body =
+  if count = "1" then body
+  else
+    let i = sprintf "_i_%i" level in
+    [
+      [ sprintf "for (size_t %s = 0; %s < %s; %s++)" i i count i ];
+      [ "{" ];
+      List.map (( ^ ) "    ") body;
+      [ "}" ];
+    ]
+    |> List.flatten
+
+let gen_c_deref level i = if i = "1" then "->" else sprintf "[_i_%i]." level
+
+let attr_value_to_string argstruct = function
+  | None -> None
+  | Some (ANumber n) -> Some (string_of_int n)
+  | Some (AString s) -> Some (argstruct ^ s)
+
 (** For a list of args and current count, get the corresponding
    argstruct variable name. The prefix is usually, but not always,
    ["_args."].*)

From c95cc209de0127aefd1906c42bdf6d63c901e1cc Mon Sep 17 00:00:00 2001
From: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
Date: Wed, 4 Dec 2019 18:09:36 +0000
Subject: [PATCH 367/420] Add module interfaces to edger8r

Signed-off-by: Andrew Schwartzmeyer <andrew@schwartzmeyer.com>
---
 tools/oeedger8r/src/Common.mli  | 36 +++++++++++++++++++++++++++++++++
 tools/oeedger8r/src/Headers.mli |  8 ++++++++
 tools/oeedger8r/src/Sources.mli |  8 ++++++++
 3 files changed, 52 insertions(+)
 create mode 100644 tools/oeedger8r/src/Common.mli
 create mode 100644 tools/oeedger8r/src/Headers.mli
 create mode 100644 tools/oeedger8r/src/Sources.mli

diff --git a/tools/oeedger8r/src/Common.mli b/tools/oeedger8r/src/Common.mli
new file mode 100644
index 0000000000..889b15428e
--- /dev/null
+++ b/tools/oeedger8r/src/Common.mli
@@ -0,0 +1,36 @@
+(* Copyright (c) Open Enclave SDK contributors.
+   Licensed under the MIT License. *)
+
+val is_foreign_array : Intel.Ast.parameter_type -> bool
+
+val get_array_dims : int list -> string
+
+val get_parameter_str : Intel.Ast.pdecl -> string
+
+val filter_map : ('a -> 'b option) -> 'a list -> 'b list
+
+val flatten_map : ('a -> 'b list) -> 'a list -> 'b list
+
+val flatten_map2 : ('a -> 'b -> 'c list) -> 'a list -> 'b list -> 'c list
+
+val is_in_ptr : Intel.Ast.parameter_type -> bool
+
+val is_out_ptr : Intel.Ast.parameter_type -> bool
+
+val is_inout_ptr : Intel.Ast.parameter_type -> bool
+
+val is_in_or_inout_ptr : Intel.Ast.parameter_type * 'a -> bool
+
+val is_out_or_inout_ptr : Intel.Ast.parameter_type * 'a -> bool
+
+val is_str_ptr : Intel.Ast.parameter_type -> bool
+
+val is_wstr_ptr : Intel.Ast.parameter_type -> bool
+
+val is_str_or_wstr_ptr : Intel.Ast.parameter_type * 'a -> bool
+
+val is_marshalled_ptr : Intel.Ast.parameter_type -> bool
+
+val get_wrapper_prototype : Intel.Ast.func_decl -> bool -> string
+
+val get_function_id : string -> Intel.Ast.func_decl -> string
diff --git a/tools/oeedger8r/src/Headers.mli b/tools/oeedger8r/src/Headers.mli
new file mode 100644
index 0000000000..32a6466338
--- /dev/null
+++ b/tools/oeedger8r/src/Headers.mli
@@ -0,0 +1,8 @@
+(* Copyright (c) Open Enclave SDK contributors.
+   Licensed under the MIT License. *)
+
+val generate_args : Intel.Ast.enclave_content -> string list
+
+val generate_trusted : Intel.Ast.enclave_content -> string list
+
+val generate_untrusted : Intel.Ast.enclave_content -> string list
diff --git a/tools/oeedger8r/src/Sources.mli b/tools/oeedger8r/src/Sources.mli
new file mode 100644
index 0000000000..fd50eb047a
--- /dev/null
+++ b/tools/oeedger8r/src/Sources.mli
@@ -0,0 +1,8 @@
+(* Copyright (c) Open Enclave SDK contributors.
+   Licensed under the MIT License. *)
+
+val generate_trusted :
+  Intel.Ast.enclave_content -> Intel.Util.edger8r_params -> string list
+
+val generate_untrusted :
+  Intel.Ast.enclave_content -> Intel.Util.edger8r_params -> string list

From 9f69e293bdd0d1c7edb3f42689b3b0da67ac67f9 Mon Sep 17 00:00:00 2001
From: Brett McLaren <brmclare@microsoft.com>
Date: Wed, 4 Dec 2019 20:11:33 +0000
Subject: [PATCH 368/420] add 1604 host verification tests

Signed-off-by: Brett McLaren <brmclare@microsoft.com>
---
 .jenkins/Jenkinsfile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
index ae16d4997e..4434d7c347 100644
--- a/.jenkins/Jenkinsfile
+++ b/.jenkins/Jenkinsfile
@@ -358,8 +358,10 @@ try{
             "Win2016 Release Cross Compile" :                      { win2016CrossCompile('Release') },
             "Win2016 Debug Cross Compile with DCAP libs" :         { win2016CrossCompile('Debug', 'ON') },
             "Win2016 Release Cross Compile with DCAP libs" :       { win2016CrossCompile('Release', 'ON') },
-            "Host verification Debug" :                            { ACCHostVerificationTest('18.04', 'Debug') },
-            "Host verification Release" :                          { ACCHostVerificationTest('18.04', 'Release') }
+            "Host verification 1604 Debug" :                       { ACCHostVerificationTest('16.04', 'Debug') },
+            "Host verification 1604 Release" :                     { ACCHostVerificationTest('16.04', 'Release') },
+            "Host verification 1804 Debug" :                       { ACCHostVerificationTest('18.04', 'Debug') },
+            "Host verification 1804 Release" :                     { ACCHostVerificationTest('18.04', 'Release') }
 } catch(Exception e) {
     println "Caught global pipeline exception :" + e
     GLOBAL_ERROR = e

From 0bc7c236af2b2e6518baf503c13a8229cc2956f3 Mon Sep 17 00:00:00 2001
From: Thomas Tendyck <tt@edgeless.systems>
Date: Thu, 5 Dec 2019 09:15:15 +0100
Subject: [PATCH 369/420] Address review comments

Signed-off-by: Thomas Tendyck <tt@edgeless.systems>
---
 syscall/devices/hostsock/hostsock.c | 4 ++--
 tests/syscall/socket/enc/enc.c      | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/syscall/devices/hostsock/hostsock.c b/syscall/devices/hostsock/hostsock.c
index a69d3cc50c..de89f161ac 100644
--- a/syscall/devices/hostsock/hostsock.c
+++ b/syscall/devices/hostsock/hostsock.c
@@ -273,10 +273,10 @@ static oe_fd_t* _hostsock_accept(
         new_sock->host_fd = retval;
 
         // copy peer addr to out buffer
-        if (addrlen && *addrlen <= addrlen_in)
+        if (addrlen)
         {
             oe_assert(addr);
-            if (oe_memcpy_s(addr, addrlen_in, &buf, *addrlen) != OE_OK)
+            if (oe_memcpy_s(addr, addrlen_in, &buf.addr, *addrlen) != OE_OK)
                 OE_RAISE_ERRNO(OE_EINVAL);
         }
     }
diff --git a/tests/syscall/socket/enc/enc.c b/tests/syscall/socket/enc/enc.c
index 08e5c2b897..2329b43a6e 100644
--- a/tests/syscall/socket/enc/enc.c
+++ b/tests/syscall/socket/enc/enc.c
@@ -146,10 +146,10 @@ int ecall_run_server()
         printf("enc: accepting\n");
 
         struct oe_sockaddr_in peer_addr = {0};
-        oe_socklen_t peer_addr_len = sizeof peer_addr;
+        oe_socklen_t peer_addr_len = sizeof(peer_addr);
         connfd = oe_accept(
             listenfd, (struct oe_sockaddr*)&peer_addr, &peer_addr_len);
-        OE_TEST(peer_addr_len == sizeof peer_addr);
+        OE_TEST(peer_addr_len == sizeof(peer_addr));
         OE_TEST(peer_addr.sin_family == OE_AF_INET);
         OE_TEST(oe_ntohs(peer_addr.sin_port) >= 1024);
         OE_TEST(oe_ntohl(peer_addr.sin_addr.s_addr) == OE_INADDR_LOOPBACK);

From 35321e7893e51fae026d62f0632c2f561b72229c Mon Sep 17 00:00:00 2001
From: Thomas Tendyck <tt@edgeless.systems>
Date: Thu, 5 Dec 2019 09:23:04 +0100
Subject: [PATCH 370/420] Add parentheses to sizeof

Signed-off-by: Thomas Tendyck <tt@edgeless.systems>
---
 syscall/devices/hostepoll/hostepoll.c | 3 ++-
 tests/syscall/epoll/enc/enc.cpp       | 8 ++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/syscall/devices/hostepoll/hostepoll.c b/syscall/devices/hostepoll/hostepoll.c
index e88ed44870..9d962881cd 100644
--- a/syscall/devices/hostepoll/hostepoll.c
+++ b/syscall/devices/hostepoll/hostepoll.c
@@ -480,7 +480,8 @@ static int _epoll_wait(
                 // fd has been deleted between the return of epoll_wait and the
                 // acquisition of the lock.
                 --retval;
-                memmove(event, event + 1, (size_t)(retval - i) * sizeof *event);
+                memmove(
+                    event, event + 1, (size_t)(retval - i) * sizeof(*event));
             }
         }
     }
diff --git a/tests/syscall/epoll/enc/enc.cpp b/tests/syscall/epoll/enc/enc.cpp
index 3e7369eaf6..8e6f18c0d2 100644
--- a/tests/syscall/epoll/enc/enc.cpp
+++ b/tests/syscall/epoll/enc/enc.cpp
@@ -28,7 +28,7 @@ extern "C" void set_up()
     _sockfd = socket(AF_INET, SOCK_DGRAM, 0);
     OE_TEST(_sockfd >= 0);
     OE_TEST(
-        bind(_sockfd, reinterpret_cast<sockaddr*>(&_addr), sizeof _addr) == 0);
+        bind(_sockfd, reinterpret_cast<sockaddr*>(&_addr), sizeof(_addr)) == 0);
 
     // create epoll instance
     _epfd = epoll_create(1);
@@ -58,7 +58,7 @@ extern "C" void wait_for_events()
         if (n == 1)
         {
             OE_TEST(event.data.fd == _sockfd);
-            OE_TEST(read(_sockfd, &run, sizeof run) == sizeof run);
+            OE_TEST(read(_sockfd, &run, sizeof(run)) == sizeof(run));
         }
         else
             OE_TEST(n == 0); // fd has been deleted
@@ -70,9 +70,9 @@ static void _send(uint8_t run)
     const int sockfd = socket(AF_INET, SOCK_DGRAM, 0);
     OE_TEST(sockfd >= 0);
     OE_TEST(
-        connect(sockfd, reinterpret_cast<sockaddr*>(&_addr), sizeof _addr) ==
+        connect(sockfd, reinterpret_cast<sockaddr*>(&_addr), sizeof(_addr)) ==
         0);
-    OE_TEST(write(sockfd, &run, sizeof run) == sizeof run);
+    OE_TEST(write(sockfd, &run, sizeof(run)) == sizeof(run));
     OE_TEST(close(sockfd) == 0);
 }
 

From 585ef80fcba8a1e5eba2e41d606366fa492e3ae1 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Thu, 5 Dec 2019 10:37:15 -0800
Subject: [PATCH 371/420] Add sleep to tls_server_enc signing to allow header
 to be generated in `attested_tls` sample.

The sleep is added because cmake opens bash in a separate process on
Windows. This means that the build dependecy on the autogenerated
tls_server_enc_mrenclave.h file may be satisfied and files which depend
in it may be compiled before the file is actually generated. This causes
transient build failures for the attested_tls sample.

Also adds tls_server_sign_enc as a dependency for both tls_client_enc
and tls_non_enc_client. This ensures that those targets will not be
built before the target that generates tls_server_enc_mrenclave.h has
been run.

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 samples/attested_tls/client/enc/CMakeLists.txt     | 4 +++-
 samples/attested_tls/non_enc_client/CMakeLists.txt | 2 ++
 samples/attested_tls/server/enc/CMakeLists.txt     | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/samples/attested_tls/client/enc/CMakeLists.txt b/samples/attested_tls/client/enc/CMakeLists.txt
index 8b434db835..9be4fbd866 100644
--- a/samples/attested_tls/client/enc/CMakeLists.txt
+++ b/samples/attested_tls/client/enc/CMakeLists.txt
@@ -18,7 +18,9 @@ add_executable(tls_client_enc
 	       cert_verifier.cpp
 	       identity_verifier.cpp
 	       ../../common/utility.cpp
-	       ${CMAKE_CURRENT_BINARY_DIR}/tls_client_t.c)
+         ${CMAKE_CURRENT_BINARY_DIR}/tls_client_t.c)
+
+add_dependencies(tls_client_enc tls_server_sign_enc)
 
 if (WIN32)
   maybe_build_using_clangw(tls_client_enc)
diff --git a/samples/attested_tls/non_enc_client/CMakeLists.txt b/samples/attested_tls/non_enc_client/CMakeLists.txt
index 9b7eb26242..ad44206e6f 100644
--- a/samples/attested_tls/non_enc_client/CMakeLists.txt
+++ b/samples/attested_tls/non_enc_client/CMakeLists.txt
@@ -8,6 +8,8 @@ add_executable(tls_non_enc_client
 	       verify_callback.cpp
 	       verify_signer_openssl.cpp)
 
+add_dependencies(tls_non_enc_client tls_server_sign_enc)
+
 target_include_directories(tls_non_enc_client PRIVATE
   ${CMAKE_CURRENT_SOURCE_DIR}
   ${CMAKE_CURRENT_BINARY_DIR}
diff --git a/samples/attested_tls/server/enc/CMakeLists.txt b/samples/attested_tls/server/enc/CMakeLists.txt
index a0303760cd..838804125f 100644
--- a/samples/attested_tls/server/enc/CMakeLists.txt
+++ b/samples/attested_tls/server/enc/CMakeLists.txt
@@ -12,6 +12,7 @@ add_custom_command(OUTPUT tls_server_enc.signed tls_server_enc_mrenclave.h
   COMMAND openenclave::oesign sign -e $<TARGET_FILE:tls_server_enc> -c ${CMAKE_SOURCE_DIR}/server/enc/enc.conf -k ${CMAKE_SOURCE_DIR}/server/enc/private.pem
   COMMAND openenclave::oesign dump -e tls_server_enc.signed  > temp.dmp
   COMMAND bash ${CMAKE_SOURCE_DIR}/scripts/gen_mrenclave_header.sh ${CMAKE_SOURCE_DIR}/common/tls_server_enc_mrenclave.h temp.dmp
+  COMMAND ${CMAKE_COMMAND} -E sleep 1
   COMMAND ${CMAKE_COMMAND} -E remove temp.dmp)
 
 add_executable(tls_server_enc

From d86f842c8128249bbb300b0096a3ae55027e2023 Mon Sep 17 00:00:00 2001
From: Brett McLaren <brmclare@microsoft.com>
Date: Thu, 5 Dec 2019 17:03:25 -0800
Subject: [PATCH 372/420] change required reviewers from 1 to 2

Signed-off-by: Brett McLaren <brmclare@microsoft.com>
---
 bors.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bors.toml b/bors.toml
index 936cb8df98..7c9885e99e 100644
--- a/bors.toml
+++ b/bors.toml
@@ -1,6 +1,6 @@
 status = [ "continuous-integration/jenkins/branch" ]
 pr_status = [ "DCO" ]
-required_approvals = 1
+required_approvals = 2
 block_labels = [ "do not merge" ]
 delete_merged_branches = true
 timeout_sec = 7200 # two hours

From 3ac451568a6ef27069f1f6588214b4a954d533b8 Mon Sep 17 00:00:00 2001
From: Thomas Tendyck <tt@edgeless.systems>
Date: Fri, 6 Dec 2019 15:01:48 +0100
Subject: [PATCH 373/420] Fix oegdb on Ubuntu with German locale

oegdb could not get symbols from enclave file on Ubuntu with a German
locale. This commit updates load_symbol_cmd.py to the current master of
intel/linux-sgx related to intel/linux-sgx#405

Signed-off-by: Thomas Tendyck <tt@edgeless.systems>
---
 debugger/pythonExtension/load_symbol_cmd.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/debugger/pythonExtension/load_symbol_cmd.py b/debugger/pythonExtension/load_symbol_cmd.py
index f87da4bdbd..10d52b6cfb 100644
--- a/debugger/pythonExtension/load_symbol_cmd.py
+++ b/debugger/pythonExtension/load_symbol_cmd.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 #
-# Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
+# Copyright (C) 2011-2019 Intel Corporation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -30,6 +30,8 @@
 #
 #
 
+# -*- coding: iso-8859-15 -*-
+
 try:
     from cStringIO import StringIO
 except ImportError:
@@ -54,7 +56,7 @@ def GetLoadSymbolCommand(EnclaveFile, Base):
         # their offsets and add the Proj base address.
         for line in FileList:
             list = line.split();
-            if(len(list) > 0):
+            if(len(list) > 1):
                 SegOffset = -1;
                 # The readelf will put a space after the open bracket for single
                 # digit section numbers.  This causes the line.split to create

From 0589b8ac1bef42e6714706bee7cf30bba1d4d191 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Thu, 5 Dec 2019 15:36:14 -0800
Subject: [PATCH 374/420] Fix some of the memory safety issues reported by
 scan-build static analyzer.

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 enclave/core/sgx/td.c           |  2 +-
 host/asym_keys.c                |  2 +-
 host/sgx/create.c               |  3 +++
 host/sgx/elf.c                  |  2 +-
 host/sgx/switchless.c           | 15 +++++++++++++++
 syscall/devices/hostfs/hostfs.c |  6 ++++--
 syscall/fdtable.c               |  6 ++++--
 syscall/netdb.c                 |  2 ++
 8 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/enclave/core/sgx/td.c b/enclave/core/sgx/td.c
index faa289d36b..cd06b54f30 100644
--- a/enclave/core/sgx/td.c
+++ b/enclave/core/sgx/td.c
@@ -90,7 +90,7 @@ void td_push_callsite(td_t* td, Callsite* callsite)
 
 void td_pop_callsite(td_t* td)
 {
-    if (!td->callsites)
+    if (!td || !td->callsites)
         oe_abort();
 
     if (td->depth == 1)
diff --git a/host/asym_keys.c b/host/asym_keys.c
index 6bb5b486d3..a2191386a2 100644
--- a/host/asym_keys.c
+++ b/host/asym_keys.c
@@ -132,7 +132,7 @@ oe_result_t oe_get_public_key_by_policy(
     if (arg.key_info)
     {
         oe_secure_zero_fill(arg.key_info, arg.key_info_size);
-        free(arg.key_buffer);
+        free(arg.key_info);
     }
 
     return result;
diff --git a/host/sgx/create.c b/host/sgx/create.c
index a7615803b0..7023b1964d 100644
--- a/host/sgx/create.c
+++ b/host/sgx/create.c
@@ -554,6 +554,9 @@ oe_result_t oe_sgx_build_enclave(
     uint64_t vaddr = 0;
     oe_sgx_enclave_properties_t props;
 
+    if (!enclave)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
     memset(&oeimage, 0, sizeof(oeimage));
 
     /* Clear and initialize enclave structure */
diff --git a/host/sgx/elf.c b/host/sgx/elf.c
index 8f0d59c8fd..51dc7af1a0 100644
--- a/host/sgx/elf.c
+++ b/host/sgx/elf.c
@@ -321,7 +321,7 @@ int elf64_load(const char* path, elf64_t* elf)
     if (is)
         fclose(is);
 
-    if (rc != 0)
+    if (rc != 0 && elf)
     {
         free(elf->data);
         memset(elf, 0, sizeof(elf64_t));
diff --git a/host/sgx/switchless.c b/host/sgx/switchless.c
index 679f21d4b8..c252dadba3 100644
--- a/host/sgx/switchless.c
+++ b/host/sgx/switchless.c
@@ -149,6 +149,21 @@ oe_result_t oe_start_switchless_manager(
     result = OE_OK;
 
 done:
+    if (result != OE_OK)
+    {
+        if (manager)
+        {
+            free(manager);
+            enclave->switchless_manager = NULL;
+        }
+
+        if (contexts)
+            free(contexts);
+
+        if (threads)
+            free(threads);
+    }
+
     return result;
 }
 
diff --git a/syscall/devices/hostfs/hostfs.c b/syscall/devices/hostfs/hostfs.c
index c826e268f6..878496d2eb 100644
--- a/syscall/devices/hostfs/hostfs.c
+++ b/syscall/devices/hostfs/hostfs.c
@@ -433,8 +433,10 @@ static int _hostfs_dup(oe_fd_t* desc, oe_fd_t** new_file_out)
     file_t* file = _cast_file(desc);
     file_t* new_file = NULL;
 
-    if (new_file_out)
-        *new_file_out = NULL;
+    if (!new_file_out)
+        OE_RAISE_ERRNO(OE_EINVAL);
+
+    *new_file_out = NULL;
 
     /* Check parameters. */
     if (!file)
diff --git a/syscall/fdtable.c b/syscall/fdtable.c
index cab5a97a28..db6f422185 100644
--- a/syscall/fdtable.c
+++ b/syscall/fdtable.c
@@ -283,12 +283,14 @@ int oe_fdtable_reassign(int fd, oe_fd_t* new_desc, oe_fd_t** old_desc)
     int ret = -1;
     bool locked = false;
 
+    if (!new_desc || !old_desc)
+        OE_RAISE_ERRNO(OE_EINVAL);
+
 #if !defined(NDEBUG)
     _assert_fd(new_desc);
 #endif
 
-    if (old_desc)
-        *old_desc = NULL;
+    *old_desc = NULL;
 
     oe_spin_lock(&_lock);
     locked = true;
diff --git a/syscall/netdb.c b/syscall/netdb.c
index f045f47120..26d943fdb7 100644
--- a/syscall/netdb.c
+++ b/syscall/netdb.c
@@ -69,6 +69,8 @@ int oe_getaddrinfo(
 
     if (res_out)
         *res_out = NULL;
+    else
+        OE_RAISE_ERRNO(OE_EINVAL);
 
     oe_spin_lock(&_lock);
     locked = true;

From 25b88a0d7ba283999c149fbeba861525d6ed876d Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Mon, 2 Dec 2019 16:27:03 -0800
Subject: [PATCH 375/420] Fix Windows warnings exposed by /W1 accross the
 codebase

Also enables /W1 and /WX to ensure new W1 violations are not added. The
end goal is to enable /W3 /WX for all Windows builds.

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 cmake/compiler_settings.cmake              |  30 ++++-
 common/cert.c                              |   8 +-
 common/datetime.c                          |   1 +
 common/sgx/revocation.c                    |   4 +-
 host/CMakeLists.txt                        |   1 +
 host/asym_keys.c                           |  12 +-
 host/crypto/bcrypt/cert.c                  |  25 ++--
 host/crypto/bcrypt/crl.c                   |   4 +-
 host/crypto/bcrypt/ec.c                    |  14 +-
 host/crypto/bcrypt/pem.c                   |  22 ++--
 host/crypto/bcrypt/pem.h                   |   2 +
 host/crypto/bcrypt/rsa.c                   |   1 -
 host/sgx/calls.c                           |   6 +-
 host/sgx/cpuid.h                           |  10 +-
 host/sgx/elf.c                             |  16 +--
 host/sgx/loadpe.c                          |   6 +-
 host/sgx/registers.c                       |   1 +
 host/sgx/report.c                          |   8 +-
 host/sgx/sgxload.c                         |   4 +
 host/sgx/windows/sgxquoteproviderloader.c  |   2 +-
 host/sgx/windows/switchless.c              |   5 +-
 host/traceh.c                              |  95 +++++++++++---
 host/windows/hostthread.c                  |   3 +
 host/windows/syscall.c                     | 143 ++++++++++++++++++++-
 include/openenclave/internal/atomic.h      |  10 +-
 include/openenclave/internal/crypto/cert.h |   2 +-
 scripts/clangw                             |  10 ++
 tests/bigmalloc/host/host.c                |   4 +-
 tests/crypto/ec_tests.c                    |   2 +-
 tests/oeedger8r/host/teststring.cpp        |   5 +-
 tests/switchless/host/host.c               |  11 +-
 tests/syscall/socket/host/host.c           |   3 +-
 tests/tools/oecert/host/host.cpp           |   4 +-
 tests/tools/oecertdump/host/host.cpp       |   4 +-
 tools/oesgx/oesgx.c                        |   3 +-
 tools/oesign/oedump.c                      |   3 +-
 36 files changed, 366 insertions(+), 118 deletions(-)

diff --git a/cmake/compiler_settings.cmake b/cmake/compiler_settings.cmake
index c5ed05a866..99304fe2f4 100644
--- a/cmake/compiler_settings.cmake
+++ b/cmake/compiler_settings.cmake
@@ -16,6 +16,8 @@ if (NOT CMAKE_C_COMPILER_ID STREQUAL CMAKE_CXX_COMPILER_ID)
     "${CMAKE_C_COMPILER_ID} != ${CMAKE_CXX_COMPILER_ID}")
 endif ()
 
+set(CMAKE_C_STANDARD 11)
+
 # Set the default standard to C++14 for all targets.
 set(CMAKE_CXX_STANDARD 14)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)
@@ -72,7 +74,6 @@ if (CMAKE_CXX_COMPILER_ID MATCHES GNU OR CMAKE_CXX_COMPILER_ID MATCHES Clang)
   # and that are easy to avoid. Treat at warnings-as-errors, which forces developers
   # to fix warnings as they arise, so they don't accumulate "to be fixed later".
   add_compile_options(-Wall -Werror -Wpointer-arith -Wconversion -Wextra -Wno-missing-field-initializers)
-
   add_compile_options(-fno-strict-aliasing)
 
   # Enables XSAVE intrinsics
@@ -84,11 +85,36 @@ elseif (MSVC)
   if (MSVC_VERSION VERSION_LESS 1910)
     message(FATAL_ERROR "Only Visual Studio 2017 and above supported!")
   endif ()
+
+  # Explicitly set C/CXX flags rather than using the defaults. This uses the defaults
+  # but removes /W3 from CMAKE_C(XX)_FLAGS. Using W3 and W1 together adds many warnings
+  # that W3 is being overwritten by W1
+  set (CMAKE_C_FLAGS "/DWIN32 /D_WINDOWS")
+  set (CMAKE_C_FLAGS_DEBUG "/MDd /Zi /Ob0 /Od /RTC1")
+  set (CMAKE_C_FLAGS_RELEASE "/MD /O2 /Ob2 /DNDEBUG")
+
+  set (CMAKE_CXX_FLAGS "/DWIN32 /D_WINDOWS /GR /EHsc")
+  set (CMAKE_CXX_FLAGS_DEBUG "/DWIN32 /D_WINDOWS /MDd /Zi /Ob0 /Od /RTC1")
+  set (CMAKE_CXX_FLAGS_RELEASE "/MD /O2 /Ob2 /DNDEBUG")
+
+  # Can't use add_compile_options because it adds for all file types and ml64
+  # doesn't recognize /wd flags
+  # Turns off warnings for:
+  # * Unicode character cannot be represented by current code page
+  set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /wd4566")
+  set (CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /wd4566")
+
+  # Add Flags we want to use for both C and CXX
+  add_compile_options(/WX)
+  add_compile_options(/W1)
+
+  # Ignore compiler warnings:
+  # * unicode character not supported
+
   if (CMAKE_MSVC_PARALLEL_ENABLE)
     add_compile_options(/MP)
     message(STATUS "Using parallel compiling (/MP)")
   endif()
-
 endif ()
 
 # Use ML64 as assembler on Windows
diff --git a/common/cert.c b/common/cert.c
index f0261b738c..cc224b55d7 100644
--- a/common/cert.c
+++ b/common/cert.c
@@ -97,7 +97,7 @@ static oe_result_t _append(
 
 oe_result_t oe_get_crl_distribution_points(
     const oe_cert_t* cert,
-    const char*** urls,
+    char*** urls,
     size_t* num_urls,
     uint8_t* buffer,
     size_t* buffer_size)
@@ -163,7 +163,7 @@ oe_result_t oe_get_crl_distribution_points(
 
         /* Set the pointer to the urls[] array if enough space */
         if (buffer && urls_bytes <= *buffer_size)
-            *urls = (const char**)buffer;
+            *urls = (char**)buffer;
 
         /* Process all the CRL distribution points */
         {
@@ -187,7 +187,7 @@ oe_result_t oe_get_crl_distribution_points(
                 {
                     // The address could point beyond end of buffer, but that is
                     // fine since an OE_BUFFER_TOO_SMALL error is raised below.
-                    (*urls)[i] = (const char*)(buffer + offset);
+                    (*urls)[i] = ((char*)buffer + offset);
                 }
 
                 /* Append the URL */
@@ -270,4 +270,4 @@ oe_result_t oe_cert_write_public_key_pem(
 done:
 
     return result;
-}
\ No newline at end of file
+}
diff --git a/common/datetime.c b/common/datetime.c
index 5ea6eac21c..5179f3f45c 100644
--- a/common/datetime.c
+++ b/common/datetime.c
@@ -1,6 +1,7 @@
 // Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
+#include <openenclave/bits/defs.h>
 #include <openenclave/internal/datetime.h>
 #include <openenclave/internal/raise.h>
 #include <time.h>
diff --git a/common/sgx/revocation.c b/common/sgx/revocation.c
index 0aeb0dd194..99c7b86196 100644
--- a/common/sgx/revocation.c
+++ b/common/sgx/revocation.c
@@ -191,7 +191,7 @@ static oe_result_t _get_crl_distribution_point(oe_cert_t* cert, char** url)
     oe_result_t result = OE_FAILURE;
     size_t buffer_size = 512;
     uint8_t* buffer = oe_malloc(buffer_size);
-    const char** urls = NULL;
+    char** urls = NULL;
     uint64_t num_urls = 0;
     size_t url_length = 0;
 
@@ -496,4 +496,4 @@ oe_result_t oe_validate_revocation_list(
     oe_cert_free(&tcb_cert);
 
     return result;
-}
\ No newline at end of file
+}
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index 65373168c5..77635a2945 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -223,6 +223,7 @@ list(APPEND PLATFORM_HOST_ONLY_SRC
   ../common/safecrt.c
   hexdump.c
   dupenv.c
+  fopen.c
   tests.c
   result.c
   traceh.c)
diff --git a/host/asym_keys.c b/host/asym_keys.c
index 6bb5b486d3..3d518d1b55 100644
--- a/host/asym_keys.c
+++ b/host/asym_keys.c
@@ -27,7 +27,7 @@ oe_result_t oe_get_public_key_by_policy(
     size_t* key_info_size)
 {
     oe_result_t result = OE_UNEXPECTED;
-    uint32_t retval;
+    oe_result_t retval;
     const size_t KEY_BUFFER_SIZE = DEFAULT_KEY_BUFFER_SIZE;
     const size_t KEY_INFO_SIZE = 1024;
     struct
@@ -85,7 +85,7 @@ oe_result_t oe_get_public_key_by_policy(
     }
 
     /* If the buffers were too small, try again with corrected sizes. */
-    if ((oe_result_t)retval == OE_BUFFER_TOO_SMALL)
+    if (retval == OE_BUFFER_TOO_SMALL)
     {
         if (!(arg.key_buffer = realloc(arg.key_buffer, arg.key_buffer_size)))
             OE_RAISE(OE_OUT_OF_MEMORY);
@@ -109,7 +109,7 @@ oe_result_t oe_get_public_key_by_policy(
         }
     }
 
-    OE_CHECK((oe_result_t)retval);
+    OE_CHECK(retval);
 
     *key_buffer = arg.key_buffer;
     *key_buffer_size = arg.key_buffer_size;
@@ -147,7 +147,7 @@ oe_result_t oe_get_public_key(
     size_t* key_buffer_size)
 {
     oe_result_t result = OE_UNEXPECTED;
-    uint32_t retval;
+    oe_result_t retval;
     const size_t KEY_BUFFER_SIZE = DEFAULT_KEY_BUFFER_SIZE;
     struct
     {
@@ -190,7 +190,7 @@ oe_result_t oe_get_public_key(
     }
 
     /* If the buffers were too small, try again with corrected sizes. */
-    if ((oe_result_t)retval == OE_BUFFER_TOO_SMALL)
+    if (retval == OE_BUFFER_TOO_SMALL)
     {
         if (!(arg.key_buffer = realloc(arg.key_buffer, arg.key_buffer_size)))
             OE_RAISE(OE_OUT_OF_MEMORY);
@@ -209,7 +209,7 @@ oe_result_t oe_get_public_key(
         }
     }
 
-    OE_CHECK((oe_result_t)retval);
+    OE_CHECK(retval);
 
     *key_buffer = arg.key_buffer;
     *key_buffer_size = arg.key_buffer_size;
diff --git a/host/crypto/bcrypt/cert.c b/host/crypto/bcrypt/cert.c
index 02eea131c3..daa502417f 100644
--- a/host/crypto/bcrypt/cert.c
+++ b/host/crypto/bcrypt/cert.c
@@ -43,8 +43,8 @@ static const CERT_STRONG_SIGN_PARA _OE_DEFAULT_SIGN_PARAMS = {
 
 static const CERT_CHAIN_PARA _OE_DEFAULT_CERT_CHAIN_PARAMS = {
     .cbSize = sizeof(CERT_CHAIN_PARA),
-    .RequestedUsage = {{0}},
-    .RequestedIssuancePolicy = {{0}},
+    .RequestedUsage = {0},
+    .RequestedIssuancePolicy = {0},
     .dwUrlRetrievalTimeout = 0,
     .fCheckRevocationFreshnessTime = FALSE,
     .dwRevocationFreshnessTime = 0,
@@ -204,7 +204,10 @@ static oe_result_t _bcrypt_load_cert_store_pem(
             OE_RAISE(find_result);
 
         OE_CHECK(oe_bcrypt_pem_to_der(
-            pem_cert, pem_cert_size, &der_blob.pbData, &der_blob.cbData));
+            (const uint8_t*)pem_cert,
+            pem_cert_size,
+            &der_blob.pbData,
+            &der_blob.cbData));
         free(pem_cert);
         pem_cert = NULL;
 
@@ -361,7 +364,7 @@ static oe_result_t _bcrypt_check_revocation(
         /* For parity with OpenSSL implementation, we require that a CRL
          * is provided for each issuer in the chain. */
         DWORD error = GetLastError();
-        if (error == CRYPT_E_NOT_FOUND)
+        if (error == (DWORD)CRYPT_E_NOT_FOUND)
             OE_RAISE(OE_VERIFY_CRL_MISSING);
         else
             OE_RAISE_MSG(
@@ -784,7 +787,8 @@ oe_result_t oe_cert_chain_read_pem(
     OE_CHECK(_bcrypt_load_cert_store_pem(pem_data, pem_data_size, &cert_store));
 
     /* Count the number of unique certs in the resulting cert store */
-    while (cert_context = CertEnumCertificatesInStore(cert_store, cert_context))
+    while (
+        (cert_context = CertEnumCertificatesInStore(cert_store, cert_context)))
         cert_count++;
 
     if (cert_count == 0)
@@ -796,7 +800,8 @@ oe_result_t oe_cert_chain_read_pem(
      * cert until a cert chain is found that uses all certs in the store and
      * terminates in a self-signed (root) certificate.
      */
-    while (cert_context = CertEnumCertificatesInStore(cert_store, cert_context))
+    while (
+        (cert_context = CertEnumCertificatesInStore(cert_store, cert_context)))
     {
         oe_result_t find_result = _bcrypt_get_cert_chain(
             cert_context, cert_store, cert_count, &cert_chain);
@@ -922,7 +927,7 @@ oe_result_t oe_cert_verify(
     }
 
     /* Add CRLs to cert store */
-    for (int j = 0; j < num_crls; j++)
+    for (size_t j = 0; j < num_crls; j++)
     {
         PCCRL_CONTEXT crl_context;
         OE_CHECK(oe_crl_get_context(crls[j], &crl_context));
@@ -960,7 +965,7 @@ oe_result_t oe_cert_verify(
 
 oe_result_t oe_get_crl_distribution_points(
     const oe_cert_t* cert,
-    const char*** urls,
+    char*** urls,
     size_t* num_urls,
     uint8_t* buffer,
     size_t* buffer_size)
@@ -1044,7 +1049,7 @@ oe_result_t oe_get_crl_distribution_points(
         /* Copy the URLs array and pack the URL strings into buffer */
         if (buffer)
         {
-            uint8_t* offset = buffer + found_urls_size;
+            char* offset = (char*)buffer + found_urls_size;
             size_t remaining_bytes = found_urls_total_length;
             char** urls_array = (char**)buffer;
             for (DWORD k = 0; k < found_urls_count; k++)
@@ -1084,7 +1089,6 @@ oe_result_t oe_cert_get_rsa_public_key(
     oe_rsa_public_key_t* public_key)
 {
     oe_result_t result = OE_UNEXPECTED;
-    NTSTATUS status = STATUS_UNSUCCESSFUL;
     BCRYPT_KEY_HANDLE key_handle = NULL;
     PWSTR key_alg_name = NULL;
     ULONG key_alg_name_size;
@@ -1134,7 +1138,6 @@ oe_result_t oe_cert_get_ec_public_key(
     oe_ec_public_key_t* public_key)
 {
     oe_result_t result = OE_UNEXPECTED;
-    NTSTATUS status = STATUS_UNSUCCESSFUL;
     BCRYPT_KEY_HANDLE key_handle = NULL;
     PWSTR key_alg_name = NULL;
     ULONG key_alg_name_size;
diff --git a/host/crypto/bcrypt/crl.c b/host/crypto/bcrypt/crl.c
index a310f4cb61..033b8a32da 100644
--- a/host/crypto/bcrypt/crl.c
+++ b/host/crypto/bcrypt/crl.c
@@ -9,6 +9,7 @@
 #include "../magic.h"
 #include "bcrypt.h"
 #include "crl.h"
+#include "util.h"
 
 typedef struct _crl
 {
@@ -81,8 +82,7 @@ oe_result_t oe_crl_read_der(
             "CertCreateCRLContext failed, err=%#x\n",
             GetLastError());
 
-    impl->magic = OE_CRL_MAGIC;
-    impl->crl = crl_context;
+    _crl_init(impl, crl_context);
     result = OE_OK;
 
 done:
diff --git a/host/crypto/bcrypt/ec.c b/host/crypto/bcrypt/ec.c
index 04f30cb7be..3582c456c6 100644
--- a/host/crypto/bcrypt/ec.c
+++ b/host/crypto/bcrypt/ec.c
@@ -96,8 +96,8 @@ static oe_result_t _fixup_public_key_info_for_import(
          * offsets from the original */
         new_key_info = (PCERT_PUBLIC_KEY_INFO)new_key_info_buffer;
         new_key_info->Algorithm.pszObjId =
-            new_key_info_buffer +
-            (key_info->Algorithm.pszObjId - key_info_base);
+            (PSTR)new_key_info_buffer +
+            (key_info->Algorithm.pszObjId - (PSTR)key_info_base);
         new_key_info->Algorithm.Parameters.pbData =
             new_key_info_buffer +
             (key_info->Algorithm.Parameters.pbData - key_info_base);
@@ -157,6 +157,8 @@ static oe_result_t _bcrypt_import_ec_private_key(
     DWORD d_data_size,
     BCRYPT_KEY_HANDLE* private_key)
 {
+    OE_UNUSED(ec_key_magic);
+
     oe_result_t result = OE_UNEXPECTED;
     DWORD key_blob_size = 0;
     BYTE* key_blob = NULL;
@@ -544,6 +546,8 @@ oe_result_t oe_ec_private_key_sign(
     uint8_t* signature,
     size_t* signature_size)
 {
+    OE_UNUSED(hash_type);
+
     oe_result_t result = OE_UNEXPECTED;
     uint8_t* raw_signature = NULL;
     size_t raw_signature_size = 0;
@@ -638,6 +642,8 @@ oe_result_t oe_ec_public_key_verify(
     const uint8_t* signature,
     size_t signature_size)
 {
+    OE_UNUSED(hash_type);
+
     oe_result_t result = OE_UNEXPECTED;
     BYTE* x509_signature = NULL;
     DWORD x509_signature_size = 0;
@@ -1013,8 +1019,8 @@ oe_result_t oe_ecdsa_signature_write_der(
 
     /* Encode the ECDSA siganture */
     {
-        CERT_ECC_SIGNATURE ecc_sig = {
-            (DWORD)max_rs_size, r, (DWORD)max_rs_size, s};
+        CERT_ECC_SIGNATURE ecc_sig = {{(DWORD)max_rs_size, r},
+                                      {(DWORD)max_rs_size, s}};
         BOOL success = CryptEncodeObjectEx(
             X509_ASN_ENCODING,
             X509_ECC_SIGNATURE,
diff --git a/host/crypto/bcrypt/pem.c b/host/crypto/bcrypt/pem.c
index 4c864699aa..0725bbb527 100644
--- a/host/crypto/bcrypt/pem.c
+++ b/host/crypto/bcrypt/pem.c
@@ -145,7 +145,7 @@ oe_result_t oe_bcrypt_der_to_pem(
     size_t* pem_size)
 {
     oe_result_t result = OE_UNEXPECTED;
-    uint8_t* pem_local = NULL;
+    char* pem_local = NULL;
     DWORD pem_local_size = 0;
     BOOL success = FALSE;
     pem_header_info_t* pem_info = NULL;
@@ -158,7 +158,7 @@ oe_result_t oe_bcrypt_der_to_pem(
 
     /* Check parameters */
     if (!der_data || der_data_size == 0 || der_data_size > MAXDWORD ||
-        !pem_data || !pem_size || pem_type >= ARRAYSIZE(_PEM_HEADERS))
+        !pem_data || !pem_size || pem_type >= OE_PEM_HEADER_MAX)
         OE_RAISE(OE_INVALID_PARAMETER);
 
     success = CryptBinaryToStringA(
@@ -179,7 +179,7 @@ oe_result_t oe_bcrypt_der_to_pem(
     /* Need to allocate and write the PEM header/footer manually because
      * BCrypt only supports the cert/CRL/CSR headers.
      * The size also accounts for LF characters at the end of each line. */
-    pem_info = &_PEM_HEADERS[(DWORD)pem_type];
+    pem_info = (pem_header_info_t*)&_PEM_HEADERS[(DWORD)pem_type];
     assert(pem_info->type == pem_type);
     assert(pem_info->begin_label_length < OE_PEM_MAX_LEN);
     assert(pem_info->end_label_length < OE_PEM_MAX_LEN);
@@ -188,17 +188,17 @@ oe_result_t oe_bcrypt_der_to_pem(
         /* Max pem_headers_size is (2 * OE_PEM_MAX_LEN + 2) < MAXDWORD */
         DWORD pem_headers_size = (DWORD)(
             pem_info->begin_label_length + pem_info->end_label_length + 2);
-        OE_CHECK(
-            oe_safe_add_u32(pem_local_size, pem_headers_size, &pem_local_size));
+        OE_CHECK(oe_safe_add_u32(
+            pem_local_size, pem_headers_size, (uint32_t*)&pem_local_size));
 
-        pem_local = (uint8_t*)malloc(pem_local_size);
+        pem_local = (char*)malloc(pem_local_size);
         if (pem_local == NULL)
             OE_RAISE(OE_OUT_OF_MEMORY);
     }
 
     {
         /* Write the begin public key header */
-        uint8_t* pos = pem_local;
+        char* pos = pem_local;
         DWORD size_left = pem_local_size;
 
         OE_CHECK(oe_memcpy_s(
@@ -288,14 +288,12 @@ oe_result_t oe_get_next_pem_cert(
     if (!pem_cert || !pem_cert_size)
         OE_RAISE(OE_INVALID_PARAMETER);
 
-    cert_begin = (unsigned char*)strstr(
-        (const char*)*pem_read_pos, OE_PEM_BEGIN_CERTIFICATE);
+    cert_begin = strstr((const char*)*pem_read_pos, OE_PEM_BEGIN_CERTIFICATE);
 
     if (!cert_begin || *cert_begin == '\0')
         return (OE_NOT_FOUND);
 
-    cert_end = (unsigned char*)strstr(
-        (const char*)*pem_read_pos, OE_PEM_END_CERTIFICATE);
+    cert_end = strstr((const char*)*pem_read_pos, OE_PEM_END_CERTIFICATE);
 
     if (!cert_end || *cert_begin == '\0' || cert_end <= cert_begin)
         return (OE_NOT_FOUND);
@@ -339,4 +337,4 @@ oe_result_t oe_get_next_pem_cert(
         free(found_pem);
 
     return result;
-}
\ No newline at end of file
+}
diff --git a/host/crypto/bcrypt/pem.h b/host/crypto/bcrypt/pem.h
index 35b0a14f5c..2045f0b363 100644
--- a/host/crypto/bcrypt/pem.h
+++ b/host/crypto/bcrypt/pem.h
@@ -18,6 +18,8 @@ typedef enum _oe_pem_header
     OE_PEM_HEADER_PRIVATE_KEY = 2,
     OE_PEM_HEADER_RSA_PRIVATE_KEY = 3,
     OE_PEM_HEADER_EC_PRIVATE_KEY = 4,
+    /* Caution: always add new PEM header values here */
+    OE_PEM_HEADER_MAX,
     __OE_PEM_HEADER_MAX = OE_ENUM_MAX,
 } oe_pem_header_t;
 
diff --git a/host/crypto/bcrypt/rsa.c b/host/crypto/bcrypt/rsa.c
index f5f4ec999b..38247fc1e7 100644
--- a/host/crypto/bcrypt/rsa.c
+++ b/host/crypto/bcrypt/rsa.c
@@ -429,7 +429,6 @@ oe_result_t oe_rsa_public_key_equal(
     bool* equal)
 {
     oe_result_t result = OE_UNEXPECTED;
-    NTSTATUS status = STATUS_UNSUCCESSFUL;
 
     /* key1 and key2 are both BCRYPT_RSAKEY_BLOB structures
      * which should be comparable as raw byte buffers.
diff --git a/host/sgx/calls.c b/host/sgx/calls.c
index 308f42a48d..9668cc7aaf 100644
--- a/host/sgx/calls.c
+++ b/host/sgx/calls.c
@@ -345,8 +345,7 @@ static const char* oe_ocall_str(oe_func_t ocall)
 
     OE_STATIC_ASSERT(OE_OCALL_BASE + OE_COUNTOF(func_names) == OE_OCALL_MAX);
 
-    if (ocall >= OE_OCALL_BASE &&
-        ocall < (OE_OCALL_BASE + OE_COUNTOF(func_names)))
+    if (ocall >= OE_OCALL_BASE && ocall < OE_OCALL_MAX)
         return func_names[ocall - OE_OCALL_BASE];
     else
         return "UNKNOWN";
@@ -367,8 +366,7 @@ static const char* oe_ecall_str(oe_func_t ecall)
 
     OE_STATIC_ASSERT(OE_ECALL_BASE + OE_COUNTOF(func_names) == OE_ECALL_MAX);
 
-    if (ecall >= OE_ECALL_BASE &&
-        ecall < (OE_ECALL_BASE + OE_COUNTOF(func_names)))
+    if (ecall >= OE_ECALL_BASE && ecall < OE_ECALL_MAX)
         return func_names[ecall - OE_ECALL_BASE];
     else
         return "UNKNOWN";
diff --git a/host/sgx/cpuid.h b/host/sgx/cpuid.h
index 227ef718bd..0b18b25388 100644
--- a/host/sgx/cpuid.h
+++ b/host/sgx/cpuid.h
@@ -29,12 +29,12 @@ static inline void oe_get_cpuid(
 #elif defined(_MSC_VER)
     int registers[4] = {0};
 
-    __cpuidex(registers, __leaf, __subleaf);
+    __cpuidex(registers, (int)__leaf, (int)__subleaf);
 
-    *__eax = registers[0];
-    *__ebx = registers[1];
-    *__ecx = registers[2];
-    *__edx = registers[3];
+    *__eax = (unsigned int)registers[0];
+    *__ebx = (unsigned int)registers[1];
+    *__ecx = (unsigned int)registers[2];
+    *__edx = (unsigned int)registers[3];
 #endif
 }
 #endif /* _OE_CPUIDCOUNT_H */
diff --git a/host/sgx/elf.c b/host/sgx/elf.c
index 8f0d59c8fd..97efd9748a 100644
--- a/host/sgx/elf.c
+++ b/host/sgx/elf.c
@@ -80,15 +80,13 @@ static bool _is_valid_elf64(const elf64_t* elf)
         return false;
 
     /* Ensure that multiplying header size and num entries won't overflow. */
-    static_assert(
+    OE_STATIC_ASSERT(
         sizeof(uint64_t) >=
-            sizeof(header->e_phentsize) + sizeof(header->e_phnum),
-        "e_phentsize or e_phnum is too large");
+        sizeof(header->e_phentsize) + sizeof(header->e_phnum));
 
-    static_assert(
+    OE_STATIC_ASSERT(
         sizeof(uint64_t) >=
-            sizeof(header->e_shentsize) + sizeof(header->e_shnum),
-        "e_shentsize or e_shnum is too large");
+        sizeof(header->e_shentsize) + sizeof(header->e_shnum));
 
     uint64_t size = (uint64_t)header->e_phentsize * header->e_phnum;
     uint64_t end;
@@ -284,7 +282,7 @@ int elf64_load(const char* path, elf64_t* elf)
     if (fd == -1 || _fstat64(fd, &statbuf) != 0)
         goto done;
 
-    if (!(statbuf.st_mode & _S_IFREG) != 0)
+    if ((statbuf.st_mode & _S_IFREG) == 0)
         goto done;
 #else
     fd = fileno(is);
@@ -1652,9 +1650,7 @@ int elf64_add_section(
         }
 
         /* Update the size of the .shstrtab section */
-        static_assert(
-            sizeof(namesize) == sizeof(uint64_t),
-            "sizeof(namesize) != sizeof(uint64_t)");
+        OE_STATIC_ASSERT(sizeof(namesize) == sizeof(uint64_t));
 
         if (oe_safe_add_u64(
                 shdr->sh_size, (uint64_t)namesize, &shdr->sh_size) != OE_OK)
diff --git a/host/sgx/loadpe.c b/host/sgx/loadpe.c
index a9b4280c5e..990aed6e10 100644
--- a/host/sgx/loadpe.c
+++ b/host/sgx/loadpe.c
@@ -265,6 +265,7 @@ oe_result_t oe_load_pe_enclave_image(
     PIMAGE_SECTION_HEADER section_hdr;
     const IMAGE_DATA_DIRECTORY* idd;
     uint32_t i;
+    DWORD old_protection;
 
     memset(image, 0, sizeof(oe_enclave_image_t));
     image->type = OE_IMAGE_TYPE_PE;
@@ -308,7 +309,10 @@ oe_result_t oe_load_pe_enclave_image(
 
     /* change protection to r/w */
     if (!VirtualProtect(
-            image->image_base, image->image_size, PAGE_READWRITE, &i))
+            image->image_base,
+            image->image_size,
+            PAGE_READWRITE,
+            &old_protection))
     {
         OE_RAISE(OE_FAILURE);
     }
diff --git a/host/sgx/registers.c b/host/sgx/registers.c
index 00fb33963f..466cc60f62 100644
--- a/host/sgx/registers.c
+++ b/host/sgx/registers.c
@@ -7,6 +7,7 @@
 #include <unistd.h>
 #elif defined(_WIN32)
 #include <Windows.h>
+#include <immintrin.h>
 #endif
 
 #include <assert.h>
diff --git a/host/sgx/report.c b/host/sgx/report.c
index 4b9cfbd4ff..fabd00486a 100644
--- a/host/sgx/report.c
+++ b/host/sgx/report.c
@@ -27,7 +27,6 @@ static oe_result_t _get_local_report(
     size_t* report_buffer_size)
 {
     oe_result_t result = OE_UNEXPECTED;
-    uint32_t retval;
 
     // opt_params, if specified, must be a sgx_target_info_t. When opt_params is
     // NULL, opt_params_size must be zero.
@@ -48,15 +47,13 @@ static oe_result_t _get_local_report(
 
     OE_CHECK(oe_get_sgx_report_ecall(
         enclave,
-        &retval,
+        &result,
         opt_params,
         opt_params_size,
         (sgx_report_t*)report_buffer));
 
     *report_buffer_size = sizeof(sgx_report_t);
 
-    result = (oe_result_t)retval;
-
 done:
 
     return result;
@@ -302,13 +299,12 @@ oe_result_t oe_verify_report(
     }
     else if (header->report_type == OE_REPORT_TYPE_SGX_LOCAL)
     {
-        uint32_t retval;
+        oe_result_t retval;
 
         if (enclave == NULL)
             OE_RAISE(OE_INVALID_PARAMETER);
 
         OE_CHECK(oe_verify_report_ecall(enclave, &retval, report, report_size));
-
         OE_CHECK(retval);
     }
     else
diff --git a/host/sgx/sgxload.c b/host/sgx/sgxload.c
index d057ee59e6..81e62425ed 100644
--- a/host/sgx/sgxload.c
+++ b/host/sgx/sgxload.c
@@ -12,6 +12,7 @@
 #endif
 
 #include <assert.h>
+#include <openenclave/bits/defs.h>
 #include <openenclave/bits/safecrt.h>
 #include <openenclave/bits/safemath.h>
 #include <openenclave/internal/raise.h>
@@ -254,6 +255,7 @@ static void* _allocate_enclave_memory(size_t enclave_size, int fd)
     return result;
 
 #elif defined(_WIN32)
+    OE_UNUSED(fd);
 
     /* Allocate enclave memory for simulated mode only */
     void* result = NULL;
@@ -281,6 +283,8 @@ static oe_result_t _sgx_free_enclave_memory(
     size_t size,
     bool is_simulation)
 {
+    OE_UNUSED(size);
+
     if (!is_simulation)
     {
         uint32_t enclave_error = 0;
diff --git a/host/sgx/windows/sgxquoteproviderloader.c b/host/sgx/windows/sgxquoteproviderloader.c
index 6e4eb42718..4bc1077a88 100644
--- a/host/sgx/windows/sgxquoteproviderloader.c
+++ b/host/sgx/windows/sgxquoteproviderloader.c
@@ -8,7 +8,7 @@
 
 oe_sgx_quote_provider_t provider = {0};
 
-static void _unload_quote_provider()
+static void _unload_quote_provider(void)
 {
     OE_TRACE_INFO("_unload_quote_provider dcap_quoteprov.dll\n");
     if (provider.handle)
diff --git a/host/sgx/windows/switchless.c b/host/sgx/windows/switchless.c
index 0931c935b8..62ac768bb4 100644
--- a/host/sgx/windows/switchless.c
+++ b/host/sgx/windows/switchless.c
@@ -13,7 +13,8 @@ void oe_host_worker_wait(oe_host_worker_context_t* context)
     int32_t oldval = 1;
     int32_t newval = 0;
 
-    if (_InterlockedCompareExchange(&context->event, newval, oldval) == 0)
+    if (_InterlockedCompareExchange((long*)&context->event, newval, oldval) ==
+        0)
     {
         // If the previous value was zero, then wait while value is zero.
         uint32_t zero = 0;
@@ -25,5 +26,5 @@ void oe_host_worker_wake(oe_host_worker_context_t* context)
 {
     // Set the event and wake up the worker.
     context->event = 1;
-    WakeByAddressSingle(&context->event);
+    WakeByAddressSingle((void*)&context->event);
 }
diff --git a/host/traceh.c b/host/traceh.c
index ba628e0d90..f398d4b342 100644
--- a/host/traceh.c
+++ b/host/traceh.c
@@ -1,6 +1,8 @@
 // Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
+#include <openenclave/bits/safecrt.h>
+#include <openenclave/corelibc/limits.h>
 #include <openenclave/internal/calls.h>
 #include <openenclave/internal/raise.h>
 #include <openenclave/internal/trace.h>
@@ -12,17 +14,21 @@
 #include <sys/time.h>
 #endif
 #include <time.h>
+#include "dupenv.h"
+#include "fopen.h"
 #include "hostthread.h"
 
-#define LOGGING_FORMAT_STRING "%s.%06ldZ [(%s)%s] tid(0x%lx) | %s"
+#define LOGGING_FORMAT_STRING "%s.%06ldZ [(%s)%s] tid(0x%llx) | %s"
 
 static char* _log_level_strings[OE_LOG_LEVEL_MAX] =
     {"NONE", "FATAL", "ERROR", "WARN", "INFO", "VERBOSE"};
 static oe_mutex _log_lock = OE_H_MUTEX_INITIALIZER;
-static const char* _log_file_name = NULL;
-static const char* _custom_log_format = NULL;
-static const char* _log_all_streams = NULL;
-static const char* _log_escape = NULL;
+static char _log_file_name[OE_PATH_MAX];
+static char _custom_log_format[OE_PATH_MAX];
+static bool _use_log_file = false;
+static bool _use_custom_log_format = false;
+static bool _log_all_streams = false;
+static bool _log_escape = false;
 static const size_t MAX_ESCAPED_CHAR_LEN = 5; // e.g. u2605
 static const size_t MAX_ESCAPED_MSG_MULTIPLIER =
     7; // MAX_ESCAPED_CHAR_LEN + sizeof("\\\\")
@@ -33,7 +39,7 @@ static bool _initialized = false;
 static oe_log_level_t _env2log_level(void)
 {
     oe_log_level_t level = OE_LOG_LEVEL_ERROR;
-    const char* level_str = getenv("OE_LOG_LEVEL");
+    char* level_str = oe_dupenv("OE_LOG_LEVEL");
 
     if (level_str == NULL)
     {
@@ -64,34 +70,85 @@ static oe_log_level_t _env2log_level(void)
         level = OE_LOG_LEVEL_NONE;
     }
 done:
+    if (level_str)
+        free(level_str);
+
     return level;
 }
 
 void initialize_log_config()
 {
+    oe_result_t ret;
+    char* env_log_file = NULL;
+    char* env_log_format = NULL;
+    char* env_log_all_streams = NULL;
+    char* env_log_escape = NULL;
+
     if (!_initialized)
     {
         // inititalize if not already
         _log_level = _env2log_level();
-        _log_file_name = getenv("OE_LOG_DEVICE");
-        _custom_log_format = getenv("OE_LOG_FORMAT");
-        _log_all_streams = getenv("OE_LOG_ALL_STREAMS");
-        _log_escape = getenv("OE_LOG_JSON_ESCAPE");
-        if (_custom_log_format)
+        env_log_file = oe_dupenv("OE_LOG_DEVICE");
+        env_log_format = oe_dupenv("OE_LOG_FORMAT");
+        env_log_all_streams = oe_dupenv("OE_LOG_ALL_STREAMS");
+        env_log_escape = oe_dupenv("OE_LOG_JSON_ESCAPE");
+
+        if (env_log_format)
         {
             // check that custom log format string terminates with a line return
-            size_t len = strlen(_custom_log_format);
-            if (_custom_log_format[len - 1] != '\n')
+            size_t len = strlen(env_log_format);
+            if (env_log_format[len - 1] != '\n')
             {
                 fprintf(
                     stderr,
                     "%s\n",
                     "[ERROR] Custom log format does not end with a newline");
-                exit(1);
+                goto done;
             }
         }
         _initialized = true;
     }
+
+done:
+    ret = OE_OK;
+
+    if (env_log_file)
+    {
+        ret = oe_strncpy_s(
+            _log_file_name, OE_PATH_MAX, env_log_file, strlen(env_log_file));
+        _use_log_file = true;
+
+        free(env_log_file);
+    }
+
+    if (env_log_format)
+    {
+        ret = oe_strncpy_s(
+            _custom_log_format,
+            OE_PATH_MAX,
+            env_log_format,
+            strlen(env_log_format));
+        _use_custom_log_format = true;
+        free(env_log_format);
+    }
+
+    if (env_log_all_streams)
+    {
+        _log_all_streams = true;
+        free(env_log_all_streams);
+    }
+
+    if (env_log_escape)
+    {
+        _log_escape = true;
+        free(env_log_escape);
+    }
+
+    if (!_initialized || ret != OE_OK)
+    {
+        fprintf(stderr, "%s\n", "[ERROR] Could not initialize logging.");
+        exit(1);
+    }
 }
 
 static bool _escape_characters(
@@ -179,7 +236,7 @@ static void _write_message_to_stream(
         usecs,
         (is_enclave ? "E" : "H"),
         _log_level_strings[level],
-        oe_thread_self(),
+        (long long unsigned int)oe_thread_self(),
         message);
 }
 
@@ -283,13 +340,13 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
     // Take the log file lock.
     if (oe_mutex_lock(&_log_lock) == OE_OK)
     {
-        if (_log_all_streams || !_log_file_name)
+        if (_log_all_streams || !_use_log_file)
         {
             _write_message_to_stream(
                 stdout, is_enclave, time, usecs, level, message);
         }
 
-        if (!_log_file_name)
+        if (!_use_log_file)
         {
             // Release the log file lock.
             oe_mutex_unlock(&_log_lock);
@@ -299,7 +356,7 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
         if (!_log_creation_failed_before)
         {
             FILE* log_file = NULL;
-            log_file = fopen(_log_file_name, "a");
+            oe_fopen(&log_file, _log_file_name, "a");
             if (log_file == NULL)
             {
                 fprintf(
@@ -309,7 +366,7 @@ void oe_log_message(bool is_enclave, oe_log_level_t level, const char* message)
                 return;
             }
 
-            if (!_custom_log_format)
+            if (!_use_custom_log_format)
             {
                 _write_message_to_stream(
                     log_file, is_enclave, time, usecs, level, message);
diff --git a/host/windows/hostthread.c b/host/windows/hostthread.c
index 0e73fd9720..987194a9e1 100644
--- a/host/windows/hostthread.c
+++ b/host/windows/hostthread.c
@@ -57,6 +57,9 @@ static BOOL CALLBACK OnceHelper(
     _Inout_opt_ PVOID Parameter,
     _Out_opt_ PVOID* Context)
 {
+    OE_UNUSED(InitOnce);
+    OE_UNUSED(Context);
+
     ((void (*)(void))Parameter)();
     return TRUE;
 }
diff --git a/host/windows/syscall.c b/host/windows/syscall.c
index c5169c3e66..792ae9565c 100644
--- a/host/windows/syscall.c
+++ b/host/windows/syscall.c
@@ -332,6 +332,8 @@ oe_host_fd_t oe_syscall_open_ocall(
     int flags,
     oe_mode_t mode)
 {
+    OE_UNUSED(mode);
+
     oe_host_fd_t ret = -1;
 
     if (strcmp(pathname, "/dev/stdin") == 0)
@@ -380,12 +382,18 @@ oe_host_fd_t oe_syscall_open_ocall(
 
 ssize_t oe_syscall_read_ocall(oe_host_fd_t fd, void* buf, size_t count)
 {
-    return _read(fd, buf, count);
+    if ((count & UINT_MAX) != count)
+        _set_errno(OE_EINVAL);
+
+    return _read((int)fd, buf, (unsigned int)count);
 }
 
 ssize_t oe_syscall_write_ocall(oe_host_fd_t fd, const void* buf, size_t count)
 {
-    return _write(fd, buf, count);
+    if ((count & UINT_MAX) != count)
+        _set_errno(OE_EINVAL);
+
+    return _write((int)fd, buf, (unsigned int)count);
 }
 
 ssize_t oe_syscall_readv_ocall(
@@ -472,12 +480,16 @@ ssize_t oe_syscall_writev_ocall(
 
 oe_off_t oe_syscall_lseek_ocall(oe_host_fd_t fd, oe_off_t offset, int whence)
 {
+    OE_UNUSED(fd);
+    OE_UNUSED(offset);
+    OE_UNUSED(whence);
+
     PANIC;
 }
 
 int oe_syscall_close_ocall(oe_host_fd_t fd)
 {
-    return _close(fd);
+    return _close((int)fd);
 }
 
 static oe_host_fd_t _dup_socket(oe_host_fd_t);
@@ -517,61 +529,92 @@ oe_host_fd_t oe_syscall_dup_ocall(oe_host_fd_t oldfd)
 
 uint64_t oe_syscall_opendir_ocall(const char* pathname)
 {
+    OE_UNUSED(pathname);
+
     PANIC;
 }
 
 int oe_syscall_readdir_ocall(uint64_t dirp, struct oe_dirent* entry)
 {
+    OE_UNUSED(dirp);
+    OE_UNUSED(entry);
+
     PANIC;
 }
 
 void oe_syscall_rewinddir_ocall(uint64_t dirp)
 {
+    OE_UNUSED(dirp);
+
     PANIC;
 }
 
 int oe_syscall_closedir_ocall(uint64_t dirp)
 {
+    OE_UNUSED(dirp);
+
     PANIC;
 }
 
 int oe_syscall_stat_ocall(const char* pathname, struct oe_stat* buf)
 {
+    OE_UNUSED(pathname);
+    OE_UNUSED(buf);
+
     PANIC;
 }
 
 int oe_syscall_access_ocall(const char* pathname, int mode)
 {
+    OE_UNUSED(pathname);
+    OE_UNUSED(mode);
+
     PANIC;
 }
 
 int oe_syscall_link_ocall(const char* oldpath, const char* newpath)
 {
+    OE_UNUSED(oldpath);
+    OE_UNUSED(newpath);
+
     PANIC;
 }
 
 int oe_syscall_unlink_ocall(const char* pathname)
 {
+    OE_UNUSED(pathname);
+
     PANIC;
 }
 
 int oe_syscall_rename_ocall(const char* oldpath, const char* newpath)
 {
+    OE_UNUSED(oldpath);
+    OE_UNUSED(newpath);
+
     PANIC;
 }
 
 int oe_syscall_truncate_ocall(const char* pathname, oe_off_t length)
 {
+    OE_UNUSED(pathname);
+    OE_UNUSED(length);
+
     PANIC;
 }
 
 int oe_syscall_mkdir_ocall(const char* pathname, oe_mode_t mode)
 {
+    OE_UNUSED(pathname);
+    OE_UNUSED(mode);
+
     PANIC;
 }
 
 int oe_syscall_rmdir_ocall(const char* pathname)
 {
+    OE_UNUSED(pathname);
+
     PANIC;
 }
 
@@ -651,12 +694,12 @@ static oe_host_fd_t _dup_socket(oe_host_fd_t oldfd)
 
 static int _wsa_startup()
 {
-    static bool wsa_init_done = FALSE;
+    static int64_t wsa_init_done = FALSE;
     WSADATA wsaData;
     int ret = 0;
 
     if (oe_atomic_compare_and_swap(
-            &wsa_init_done, (int64_t) false, (int64_t) true))
+            (volatile int64_t*)&wsa_init_done, (int64_t)0, (int64_t)1))
     {
         ret = WSAStartup(2, &wsaData);
         if (ret != 0)
@@ -693,6 +736,11 @@ int oe_syscall_socketpair_ocall(
     int protocol,
     oe_host_fd_t sv_out[2])
 {
+    OE_UNUSED(domain);
+    OE_UNUSED(type);
+    OE_UNUSED(protocol);
+    OE_UNUSED(sv_out);
+
     PANIC;
 }
 
@@ -773,6 +821,18 @@ ssize_t oe_syscall_recvmsg_ocall(
     size_t* msg_controllen_out,
     int flags)
 {
+    OE_UNUSED(sockfd);
+    OE_UNUSED(msg_name);
+    OE_UNUSED(msg_namelen);
+    OE_UNUSED(msg_namelen_out);
+    OE_UNUSED(msg_iov_buf);
+    OE_UNUSED(msg_iovlen);
+    OE_UNUSED(msg_iov_buf_size);
+    OE_UNUSED(msg_control);
+    OE_UNUSED(msg_controllen);
+    OE_UNUSED(msg_controllen_out);
+    OE_UNUSED(flags);
+
     PANIC;
 }
 
@@ -787,6 +847,16 @@ ssize_t oe_syscall_sendmsg_ocall(
     size_t msg_controllen,
     int flags)
 {
+    OE_UNUSED(sockfd);
+    OE_UNUSED(msg_name);
+    OE_UNUSED(msg_namelen);
+    OE_UNUSED(msg_iov_buf);
+    OE_UNUSED(msg_iovlen);
+    OE_UNUSED(msg_iov_buf_size);
+    OE_UNUSED(msg_control);
+    OE_UNUSED(msg_controllen);
+    OE_UNUSED(flags);
+
     PANIC;
 }
 
@@ -826,7 +896,7 @@ ssize_t oe_syscall_recvfrom_ocall(
         (int)len,
         flags,
         (struct sockaddr*)src_addr,
-        addrlen_in);
+        (int*)&addrlen_in);
     if (ret == SOCKET_ERROR)
     {
         _set_errno(_winsockerr_to_errno(WSAGetLastError()));
@@ -890,6 +960,11 @@ ssize_t oe_syscall_recvv_ocall(
     int iovcnt,
     size_t iov_buf_size)
 {
+    OE_UNUSED(fd);
+    OE_UNUSED(iov_buf);
+    OE_UNUSED(iovcnt);
+    OE_UNUSED(iov_buf_size);
+
     PANIC;
 }
 
@@ -899,6 +974,11 @@ ssize_t oe_syscall_sendv_ocall(
     int iovcnt,
     size_t iov_buf_size)
 {
+    OE_UNUSED(fd);
+    OE_UNUSED(iov_buf);
+    OE_UNUSED(iovcnt);
+    OE_UNUSED(iov_buf_size);
+
     PANIC;
 }
 
@@ -973,6 +1053,11 @@ int oe_syscall_ioctl_ocall(
     uint64_t argsize,
     void* argout)
 {
+    OE_UNUSED(fd);
+    OE_UNUSED(arg);
+    OE_UNUSED(argsize);
+    OE_UNUSED(argout);
+
     errno = 0;
 
     // We don't support any ioctls right now as we will have to translate the
@@ -1047,6 +1132,11 @@ int oe_syscall_getsockname_ocall(
     oe_socklen_t addrlen_in,
     oe_socklen_t* addrlen_out)
 {
+    OE_UNUSED(sockfd);
+    OE_UNUSED(addr);
+    OE_UNUSED(addrlen_in);
+    OE_UNUSED(addrlen_out);
+
     PANIC;
 }
 
@@ -1056,11 +1146,18 @@ int oe_syscall_getpeername_ocall(
     oe_socklen_t addrlen_in,
     oe_socklen_t* addrlen_out)
 {
+    OE_UNUSED(sockfd);
+    OE_UNUSED(addr);
+    OE_UNUSED(addrlen_in);
+    OE_UNUSED(addrlen_out);
+
     PANIC;
 }
 
 int oe_syscall_shutdown_sockets_device_ocall(oe_host_fd_t sockfd)
 {
+    OE_UNUSED(sockfd);
+
     PANIC;
 }
 
@@ -1074,6 +1171,9 @@ int oe_syscall_shutdown_sockets_device_ocall(oe_host_fd_t sockfd)
 
 int oe_syscall_kill_ocall(int pid, int signum)
 {
+    OE_UNUSED(pid);
+    OE_UNUSED(signum);
+
     PANIC;
 }
 
@@ -1205,6 +1305,14 @@ int oe_syscall_getnameinfo_ocall(
     oe_socklen_t servlen,
     int flags)
 {
+    OE_UNUSED(sa);
+    OE_UNUSED(salen);
+    OE_UNUSED(host);
+    OE_UNUSED(hostlen);
+    OE_UNUSED(serv);
+    OE_UNUSED(servlen);
+    OE_UNUSED(flags);
+
     PANIC;
 }
 
@@ -1218,6 +1326,8 @@ int oe_syscall_getnameinfo_ocall(
 
 oe_host_fd_t oe_syscall_epoll_create1_ocall(int flags)
 {
+    OE_UNUSED(flags);
+
     PANIC;
 }
 
@@ -1227,6 +1337,11 @@ int oe_syscall_epoll_wait_ocall(
     unsigned int maxevents,
     int timeout)
 {
+    OE_UNUSED(epfd);
+    OE_UNUSED(events);
+    OE_UNUSED(maxevents);
+    OE_UNUSED(timeout);
+
     PANIC;
 }
 
@@ -1241,11 +1356,18 @@ int oe_syscall_epoll_ctl_ocall(
     int64_t fd,
     struct oe_epoll_event* event)
 {
+    OE_UNUSED(epfd);
+    OE_UNUSED(op);
+    OE_UNUSED(fd);
+    OE_UNUSED(event);
+
     PANIC;
 }
 
 int oe_syscall_epoll_close_ocall(oe_host_fd_t epfd)
 {
+    OE_UNUSED(epfd);
+
     PANIC;
 }
 
@@ -1262,6 +1384,10 @@ int oe_syscall_poll_ocall(
     oe_nfds_t nfds,
     int timeout)
 {
+    OE_UNUSED(host_fds);
+    OE_UNUSED(nfds);
+    OE_UNUSED(timeout);
+
     PANIC;
 }
 
@@ -1310,11 +1436,16 @@ unsigned int oe_syscall_getegid_ocall(void)
 
 int oe_syscall_getpgid_ocall(int pid)
 {
+    OE_UNUSED(pid);
+
     PANIC;
 }
 
 int oe_syscall_getgroups_ocall(size_t size, unsigned int* list)
 {
+    OE_UNUSED(size);
+    OE_UNUSED(list);
+
     PANIC;
 }
 
diff --git a/include/openenclave/internal/atomic.h b/include/openenclave/internal/atomic.h
index a463a584d6..8e947c808c 100644
--- a/include/openenclave/internal/atomic.h
+++ b/include/openenclave/internal/atomic.h
@@ -14,8 +14,14 @@
 #pragma intrinsic(_InterlockedCompareExchangePointer)
 __int64 _InterlockedIncrement64(__int64* lpAddend);
 __int64 _InterlockedDecrement64(__int64* lpAddend);
-__int64 _InterlockedCompareExchange64(__int64* Dest, __int64 val, __int64 old);
-void* _InterlockedCompareExchangePointer(void** Dest, void* newptr, void* old);
+__int64 _InterlockedCompareExchange64(
+    __int64 volatile* Dest,
+    __int64 val,
+    __int64 old);
+void* _InterlockedCompareExchangePointer(
+    void* volatile* Dest,
+    void* newptr,
+    void* old);
 #endif
 
 /* Atomically increment **x** and return its new value */
diff --git a/include/openenclave/internal/crypto/cert.h b/include/openenclave/internal/crypto/cert.h
index 3823130cf0..875cf40739 100644
--- a/include/openenclave/internal/crypto/cert.h
+++ b/include/openenclave/internal/crypto/cert.h
@@ -340,7 +340,7 @@ oe_result_t oe_cert_find_extension(
  */
 oe_result_t oe_get_crl_distribution_points(
     const oe_cert_t* cert,
-    const char*** urls,
+    char*** urls,
     size_t* num_urls,
     uint8_t* buffer,
     size_t* buffer_size);
diff --git a/scripts/clangw b/scripts/clangw
index deff4945d4..9de31dc8d5 100644
--- a/scripts/clangw
+++ b/scripts/clangw
@@ -42,6 +42,16 @@ function call_clang {
         [ "$a" == "/FS" ]           && continue
         [ "$a" == "/showIncludes" ] && continue
         [ "$a" == "/JMC" ]          && continue
+        [ "$a" == "/W1" ]           && continue
+        [ "$a" == "/W2" ]           && continue
+        [ "$a" == "/W3" ]           && continue
+        [ "$a" == "/W4" ]           && continue
+        [ "$a" == "/WX" ]           && continue
+
+        # Ignore warnings for specific error codes
+        if [[ "$a" =~ /[wW][dD][0-9]* ]]; then
+            continue
+        fi
 
         # Map the following arguments
         [ "$a" == "/DNDEBUG" ]   && args+="-DNDEBUG "   && continue
diff --git a/tests/bigmalloc/host/host.c b/tests/bigmalloc/host/host.c
index 48ed3c7507..07b3eebb14 100644
--- a/tests/bigmalloc/host/host.c
+++ b/tests/bigmalloc/host/host.c
@@ -1,6 +1,7 @@
 // Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
+#include <inttypes.h>
 #include <openenclave/host.h>
 #include <openenclave/internal/tests.h>
 #include "bigmalloc_u.h"
@@ -52,7 +53,8 @@ int main(int argc, const char* argv[])
         {
             fprintf(
                 stderr,
-                "%s: warning: insufficient memory to load enclave: %lu\n",
+                "%s: warning: insufficient memory to load enclave: %" PRIu64
+                "\n",
                 argv[0],
                 free_memory);
 
diff --git a/tests/crypto/ec_tests.c b/tests/crypto/ec_tests.c
index 6361d56494..eec1002a43 100644
--- a/tests/crypto/ec_tests.c
+++ b/tests/crypto/ec_tests.c
@@ -878,7 +878,7 @@ static void _test_crl_distribution_points(void)
 {
     oe_result_t r;
     oe_cert_t cert;
-    const char** urls = NULL;
+    char** urls = NULL;
     size_t num_urls;
     size_t buffer_size = 0;
 
diff --git a/tests/oeedger8r/host/teststring.cpp b/tests/oeedger8r/host/teststring.cpp
index f4c449fd40..4491da1744 100644
--- a/tests/oeedger8r/host/teststring.cpp
+++ b/tests/oeedger8r/host/teststring.cpp
@@ -276,7 +276,6 @@ void test_string_edl_ecalls(oe_enclave_t* enclave)
     }
     // Test wstrings without null terminators.
     {
-        OE_UNUSED(ecall_wstring_no_null_terminator_modified);
         // wchar_t is not a portable type. Hence the test is performed
         // only on Linux.
 #ifdef __linux__
@@ -384,7 +383,7 @@ void test_wstring_edl_ecalls(oe_enclave_t* enclave)
     if (!g_enabled[TYPE_WCHAR_T])
         return;
 
-    swprintf(str, 50, L"%S", str_value);
+    swprintf(str, 50, L"%lS", str_value);
 
     // wchar_t*
     OE_TEST(ecall_wstring_fun1(enclave, str) == OE_OK);
@@ -399,7 +398,7 @@ void test_wstring_edl_ecalls(oe_enclave_t* enclave)
     OE_TEST(wcscmp(str, L"Goodbye\n") == 0);
 
     // Restore value.
-    swprintf(str, 50, L"%S", str_value);
+    swprintf(str, 50, L"%lS", str_value);
 
     // wchar_t* user check.
     OE_TEST(ecall_wstring_fun5(enclave, str) == OE_OK);
diff --git a/tests/switchless/host/host.c b/tests/switchless/host/host.c
index e48b942f70..1e74cec7b1 100644
--- a/tests/switchless/host/host.c
+++ b/tests/switchless/host/host.c
@@ -1,6 +1,7 @@
 // Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
+#include <inttypes.h>
 #include <limits.h>
 #include <openenclave/host.h>
 #include <openenclave/internal/atomic.h>
@@ -36,9 +37,9 @@ double get_relative_time_in_microseconds()
 static double frequency;
 double get_relative_time_in_microseconds()
 {
-    double current_time;
+    LARGE_INTEGER current_time;
     QueryPerformanceCounter(&current_time);
-    return current_time / frequency;
+    return current_time.QuadPart / frequency;
 }
 
 #endif
@@ -119,12 +120,12 @@ int main(int argc, const char* argv[])
 
     if (argc >= 3)
     {
-        sscanf(argv[2], "%lu", &num_host_threads);
+        sscanf(argv[2], "%" SCNu64, &num_host_threads);
     }
 
     if (argc == 4)
     {
-        sscanf(argv[3], "%lu", &num_enclave_threads);
+        sscanf(argv[3], "%" SCNu64, &num_enclave_threads);
     }
 
 #if defined(__WIN32)
@@ -162,7 +163,7 @@ int main(int argc, const char* argv[])
         {
             oe_put_err("thread_create(host): ret=%u", ret);
         }
-        printf("Launched enclave producer thread %ld\n", i);
+        printf("Launched enclave producer thread %" PRIu64 "\n", i);
     }
     printf("Using main enclave thread\n");
     double switchless_microseconds = make_repeated_switchless_ocalls(enclave);
diff --git a/tests/syscall/socket/host/host.c b/tests/syscall/socket/host/host.c
index fe251020b0..1e111dae16 100644
--- a/tests/syscall/socket/host/host.c
+++ b/tests/syscall/socket/host/host.c
@@ -9,6 +9,7 @@
 #include "../../platform/linux.h"
 #endif
 
+#include <inttypes.h>
 #include <openenclave/host.h>
 #include <openenclave/internal/tests.h>
 #include <openenclave/internal/types.h>
@@ -134,7 +135,7 @@ char* host_client(in_port_t port)
         if ((n = sock_recv(sockfd, recvBuff, sizeof(recvBuff), 0)) > 0)
         {
             recvBuff[n] = '\0';
-            printf("host finished reading: %ld bytes...\n", n);
+            printf("host finished reading: %" PRIu64 " bytes...\n", n);
             break;
         }
         else
diff --git a/tests/tools/oecert/host/host.cpp b/tests/tools/oecert/host/host.cpp
index 46c193af3e..7cd4ec2124 100644
--- a/tests/tools/oecert/host/host.cpp
+++ b/tests/tools/oecert/host/host.cpp
@@ -487,8 +487,8 @@ int main(int argc, const char* argv[])
     result = oe_terminate_enclave(enclave);
 exit:
 #else
-#pragma message \
-    "OE_LINK_SGX_DCAP_QL is not set to ON.  This tool requires DCAP libraries."
+#pragma message( \
+    "OE_LINK_SGX_DCAP_QL is not set to ON.  This tool requires DCAP libraries.")
     OE_UNUSED(argc);
     OE_UNUSED(argv);
 #endif
diff --git a/tests/tools/oecertdump/host/host.cpp b/tests/tools/oecertdump/host/host.cpp
index 2b8b81b695..dbc8bcda44 100644
--- a/tests/tools/oecertdump/host/host.cpp
+++ b/tests/tools/oecertdump/host/host.cpp
@@ -318,8 +318,8 @@ int main(int argc, const char* argv[])
     }
 
 #else
-#pragma message \
-    "OE_LINK_SGX_DCAP_QL is not set to ON.  This tool requires DCAP libraries."
+#pragma message( \
+    "OE_LINK_SGX_DCAP_QL is not set to ON.  This tool requires DCAP libraries.")
     OE_UNUSED(argc);
     OE_UNUSED(argv);
     printf("oecertdump requires DCAP libraries.\n");
diff --git a/tools/oesgx/oesgx.c b/tools/oesgx/oesgx.c
index 3303d13f4f..fe7c80fddb 100644
--- a/tools/oesgx/oesgx.c
+++ b/tools/oesgx/oesgx.c
@@ -152,7 +152,8 @@ int main(int argc, const char* argv[])
         epc_size =
             ((regs.ecx & 0x0fffff000) |
              ((uint64_t)(regs.edx & 0x0fffff) << 32));
-        printf("EPC size on the platform: %lu\n", epc_size);
+        printf(
+            "EPC size on the platform: %llu\n", (unsigned long long)epc_size);
     }
     return 0;
 }
diff --git a/tools/oesign/oedump.c b/tools/oesign/oedump.c
index da65a7a70c..fe994ecd83 100644
--- a/tools/oesign/oedump.c
+++ b/tools/oesign/oedump.c
@@ -1,6 +1,7 @@
 // Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
+#include <inttypes.h>
 #include <openenclave/bits/defs.h>
 #include <openenclave/bits/safecrt.h>
 #include <openenclave/internal/elf.h>
@@ -179,7 +180,7 @@ void dump_enclave_properties(const oe_sgx_enclave_properties_t* props)
     bool debug = props->config.attributes & OE_SGX_FLAGS_DEBUG;
     printf("debug=%u\n", debug);
 
-    printf("xfrm=%lx\n", props->config.xfrm);
+    printf("xfrm=%" PRIx64 "\n", props->config.xfrm);
 
     printf(
         "num_heap_pages=%llu\n",

From 8cc07f6b738a088450cba60de6df5e35ab791bdb Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Tue, 10 Dec 2019 09:52:16 -0800
Subject: [PATCH 376/420] Provide details for default MSVC compiler flags in
 cmake

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 cmake/compiler_settings.cmake | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/cmake/compiler_settings.cmake b/cmake/compiler_settings.cmake
index 99304fe2f4..4ab75ae377 100644
--- a/cmake/compiler_settings.cmake
+++ b/cmake/compiler_settings.cmake
@@ -88,7 +88,10 @@ elseif (MSVC)
 
   # Explicitly set C/CXX flags rather than using the defaults. This uses the defaults
   # but removes /W3 from CMAKE_C(XX)_FLAGS. Using W3 and W1 together adds many warnings
-  # that W3 is being overwritten by W1
+  # that W3 is being overwritten by W1. W3 as a default flag is removed in cmake 3.15,
+  # so this behavior can be removed if/when cmake_minimum_required is raised to 3.15.
+  # ======= Default compiler flags for cmake version 3.12 can be found here: =======
+  # https://github.com/Kitware/CMake/blob/v3.12.0/Modules/Platform/Windows-MSVC.cmake
   set (CMAKE_C_FLAGS "/DWIN32 /D_WINDOWS")
   set (CMAKE_C_FLAGS_DEBUG "/MDd /Zi /Ob0 /Od /RTC1")
   set (CMAKE_C_FLAGS_RELEASE "/MD /O2 /Ob2 /DNDEBUG")

From de7299580b3082c474609e70915686af45b118c6 Mon Sep 17 00:00:00 2001
From: Dionna Amalie Glaze <drdeeglaze@gmail.com>
Date: Fri, 30 Aug 2019 13:43:51 -0700
Subject: [PATCH 377/420] Remove extra openenclave/

After cloning, the directions already have `cd openenclave`, so the
relative path to ansible which includes `openenclave` is incorrect for
that context.

Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
---
 docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md b/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md
index dedf6ec797..f2fb444ed4 100644
--- a/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/SimulatorGettingStarted.md
@@ -25,7 +25,7 @@ sudo ./scripts/ansible/install-ansible.sh
 To install all the Open Enclave prerequisites you can execute the `environment-setup.yml` tasks from `linux/openenclave` Ansible role:
 
 ```bash
-cd openenclave/scripts/ansible
+cd scripts/ansible
 ansible localhost -m import_role -a "name=linux/openenclave tasks_from=environment-setup.yml" --become --ask-become-pass
 ```
 

From 8efed1075dc35e384748c2ad62e978f0cffadeee Mon Sep 17 00:00:00 2001
From: Brett McLaren <brmclare@microsoft.com>
Date: Thu, 12 Dec 2019 10:49:51 -0800
Subject: [PATCH 378/420] typo fix in documentation

Signed-off-by: Brett McLaren <brmclare@microsoft.com>
---
 .../Contributors/WindowsManualSGX1FLCDCAPPrereqs.md             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
index 305e38519c..bdd902a3d2 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsManualSGX1FLCDCAPPrereqs.md
@@ -25,7 +25,7 @@ for more details on how to install the contents of the package.
 The following summary will assume that the contents were extracted to `C:\Intel SGX DCAP for Windows v1.3.101.3`:
 
 1. Unzip the required drivers from the extracted subfolders:
-    - `LC_driver_WinServer2016\Signed_*.zip`
+    - `LC_driver\WinServer2016\Signed_*.zip`
     - `DCAP_INF\WinServer2016\Signed_*.zip`
 
    The following instructions will assume that these have been unzipped into the `LC_driver` and `DCAP_INF` folders respectively.

From be92f0dd0afe2d9ca1c990ab181a331658bd95ec Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Thu, 12 Dec 2019 10:44:17 -0800
Subject: [PATCH 379/420] Add instructions for running scan-build on Linux

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 .../Contributors/RunningStaticAnalysis.md     | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 docs/GettingStartedDocs/Contributors/RunningStaticAnalysis.md

diff --git a/docs/GettingStartedDocs/Contributors/RunningStaticAnalysis.md b/docs/GettingStartedDocs/Contributors/RunningStaticAnalysis.md
new file mode 100644
index 0000000000..b779af0372
--- /dev/null
+++ b/docs/GettingStartedDocs/Contributors/RunningStaticAnalysis.md
@@ -0,0 +1,42 @@
+# Getting started with running static analysis tools
+
+## scan-build
+
+*Note: scan-build only works with clang and gcc and as such is only currently supported for linux builds*
+
+1. Install scan-build-7 (or whatever version matches your version of clang)
+
+    ```
+    $ apt install clang-tools-7
+    ```
+
+2. (Optional) Create symlinks for scan-build and scan-view to avoid needing to specify a version. If you skip this step, just add the clang version to each `scan-*` command e.g. `scan-build-7 ...`
+
+    ```{bash}
+    $ ln -s /usr/bin/scan-build /usr/bin/scan-build-7
+    $ ln -s /usr/bin/scan-view /usr/bin/scan-view-7
+    ```
+
+3. Run scan-build for cmake and make build commands
+
+    For example:
+
+    ```{bash}
+    $ scan-build cmake .. -G Ninja -DHAS_QUOTE_PROVIDER=OFF
+    $ scan-build ninja
+    ```
+
+    *Note: scan-build also works with the cmake GNU make generator*
+
+4. View the output
+
+    At the end of the scan-build output, it will print a command you can use to view the results.
+
+    The output could look like:
+
+    ```
+    scan-build: 200 bugs found.
+    scan-build: Run 'scan-view /tmp/scan-build-2019-12-12-102130-18694-1' to examine bug reports.
+    ```
+
+    Running `scan-view /tmp/scan-build-2019-12-12-102130-18694-1` will open results in a web browser.

From 99c60f38f6ea7318c97d38ff19812e39a944207d Mon Sep 17 00:00:00 2001
From: Thomas Tendyck <tt@edgeless.systems>
Date: Sat, 14 Dec 2019 15:36:30 +0100
Subject: [PATCH 380/420] Address review comments

- fix skipping next event
- assign last event instead of memmove
- clarify test

Signed-off-by: Thomas Tendyck <tt@edgeless.systems>
---
 syscall/devices/hostepoll/hostepoll.c |  4 ++--
 tests/syscall/epoll/enc/enc.cpp       | 24 ++++++++++++++++--------
 2 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/syscall/devices/hostepoll/hostepoll.c b/syscall/devices/hostepoll/hostepoll.c
index 9d962881cd..b19be44f38 100644
--- a/syscall/devices/hostepoll/hostepoll.c
+++ b/syscall/devices/hostepoll/hostepoll.c
@@ -480,8 +480,8 @@ static int _epoll_wait(
                 // fd has been deleted between the return of epoll_wait and the
                 // acquisition of the lock.
                 --retval;
-                memmove(
-                    event, event + 1, (size_t)(retval - i) * sizeof(*event));
+                *event = events[retval];
+                --i;
             }
         }
     }
diff --git a/tests/syscall/epoll/enc/enc.cpp b/tests/syscall/epoll/enc/enc.cpp
index 8e6f18c0d2..9dac612bda 100644
--- a/tests/syscall/epoll/enc/enc.cpp
+++ b/tests/syscall/epoll/enc/enc.cpp
@@ -10,6 +10,12 @@
 #include <cerrno>
 #include <cstdio>
 
+enum class action_t : uint8_t
+{
+    stop,
+    run
+};
+
 static const uint16_t _port = 12347;
 static sockaddr_in _addr;
 static int _epfd;
@@ -43,9 +49,9 @@ extern "C" void tear_down()
 
 extern "C" void wait_for_events()
 {
-    uint8_t run = 1;
+    action_t action = action_t::run;
 
-    while (run)
+    while (action == action_t::run)
     {
         epoll_event event{};
 
@@ -58,27 +64,29 @@ extern "C" void wait_for_events()
         if (n == 1)
         {
             OE_TEST(event.data.fd == _sockfd);
-            OE_TEST(read(_sockfd, &run, sizeof(run)) == sizeof(run));
+            OE_TEST(read(_sockfd, &action, sizeof(action)) == sizeof(action));
         }
         else
             OE_TEST(n == 0); // fd has been deleted
     }
+
+    OE_TEST(action == action_t::stop);
 }
 
-static void _send(uint8_t run)
+static void _send(action_t action)
 {
     const int sockfd = socket(AF_INET, SOCK_DGRAM, 0);
     OE_TEST(sockfd >= 0);
     OE_TEST(
         connect(sockfd, reinterpret_cast<sockaddr*>(&_addr), sizeof(_addr)) ==
         0);
-    OE_TEST(write(sockfd, &run, sizeof(run)) == sizeof(run));
+    OE_TEST(write(sockfd, &action, sizeof(action)) == sizeof(action));
     OE_TEST(close(sockfd) == 0);
 }
 
 extern "C" void trigger_and_add_event()
 {
-    _send(1);
+    _send(action_t::run);
 
     // add fd to the epoll instance
     epoll_event event{};
@@ -89,7 +97,7 @@ extern "C" void trigger_and_add_event()
 
 extern "C" void trigger_and_delete_event()
 {
-    _send(1);
+    _send(action_t::run);
 
     // delete fd from the epoll instance
     OE_TEST(epoll_ctl(_epfd, EPOLL_CTL_DEL, _sockfd, nullptr) == 0);
@@ -103,7 +111,7 @@ extern "C" void cancel_wait()
     event.data.fd = _sockfd;
     OE_TEST(epoll_ctl(_epfd, EPOLL_CTL_ADD, _sockfd, &event) == 0);
 
-    _send(0);
+    _send(action_t::stop);
 }
 
 OE_SET_ENCLAVE_SGX(

From c5202211644e1090934c1f8238bdf6f730d74e74 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Mon, 16 Dec 2019 14:28:48 -0800
Subject: [PATCH 381/420] Remove path resolution for source in mounting
 external hostfs. The enclave's internal current working directory has no
 inherent relation to the external device.

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 syscall/devices/hostfs/hostfs.c |  9 +++++++++
 syscall/mount.c                 | 12 +++---------
 tests/syscall/hostfs/enc/enc.c  | 14 ++++++++++++++
 3 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/syscall/devices/hostfs/hostfs.c b/syscall/devices/hostfs/hostfs.c
index 878496d2eb..bacdb84087 100644
--- a/syscall/devices/hostfs/hostfs.c
+++ b/syscall/devices/hostfs/hostfs.c
@@ -221,6 +221,15 @@ static int _hostfs_mount(
     if ((flags & OE_MS_RDONLY))
         fs->mount.flags = flags;
 
+    /* ---------------------------------------------------------------------
+     * Only support absolute paths. Hostfs is treated as an external
+     * filesystem. As such, it does not make sense to resolve relative paths
+     * using the enclave's current working directory.
+     * ---------------------------------------------------------------------
+     */
+    if (source && source[0] != '/')
+        OE_RAISE_ERRNO(OE_EINVAL);
+
     /* Save the source parameter (will be needed to form host paths). */
     oe_strlcpy(fs->mount.source, source, sizeof(fs->mount.source));
 
diff --git a/syscall/mount.c b/syscall/mount.c
index 0e6eaf6a63..7b73502561 100644
--- a/syscall/mount.c
+++ b/syscall/mount.c
@@ -137,7 +137,6 @@ int oe_mount(
     oe_device_t* device = NULL;
     oe_device_t* new_device = NULL;
     bool locked = false;
-    oe_syscall_path_t source_path;
     oe_syscall_path_t target_path;
     mount_point_t mount_point = {0};
 
@@ -152,14 +151,9 @@ int oe_mount(
         target = target_path.buf;
     }
 
-    /* Normalize the source path if any. */
-    if (source)
-    {
-        if (!oe_realpath(source, &source_path))
-            OE_RAISE_ERRNO(OE_EINVAL);
-
-        source = source_path.buf;
-    }
+    /* Note: Normialization of source path is left to the external device
+     * as it may not be a path internal to the enclave.
+     */
 
     /* Resolve the device for the given filesystemtype. */
     device = oe_device_table_find(filesystemtype, OE_DEVICE_TYPE_FILE_SYSTEM);
diff --git a/tests/syscall/hostfs/enc/enc.c b/tests/syscall/hostfs/enc/enc.c
index d819e0be7b..e5005005d7 100644
--- a/tests/syscall/hostfs/enc/enc.c
+++ b/tests/syscall/hostfs/enc/enc.c
@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 #include <assert.h>
+#include <openenclave/corelibc/errno.h>
 #include <openenclave/enclave.h>
 #include <setjmp.h>
 #include <stdio.h>
@@ -18,6 +19,19 @@ void test_hostfs(const char* tmp_dir)
         exit(1);
     }
 
+    /* Mount with a relative source should fail */
+    if (mount(".", "/", OE_HOST_FILE_SYSTEM, 0, NULL) == 0)
+    {
+        fprintf(stderr, "mount() with relative path should not succeed\n");
+        exit(1);
+    }
+    else if (oe_errno != OE_EINVAL)
+    {
+        fprintf(
+            stderr, "mount() with relative path should fail with OE_EINVAL\n");
+        exit(1);
+    }
+
     if (mount("/", "/", OE_HOST_FILE_SYSTEM, 0, NULL) != 0)
     {
         fprintf(stderr, "mount() failed\n");

From 7d3b6e8ced123b76b7e0574bd960d84f487ca9a0 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jordanhand22@gmail.com>
Date: Tue, 17 Dec 2019 12:40:53 -0800
Subject: [PATCH 382/420] Modify oegdb to more relaibly find the oegdb libdir
 using readlink

Signed-off-by: Jordan Hand <jordanhand22@gmail.com>
---
 debugger/oegdb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/debugger/oegdb b/debugger/oegdb
index 67ed196055..17e0866830 100755
--- a/debugger/oegdb
+++ b/debugger/oegdb
@@ -7,7 +7,9 @@
 # See https://mywiki.wooledge.org/BashFAQ/028 for complexities involved
 # in determining location of a bash script. ${BASH_SOURCE}, though not perfect,
 # is an acceptable solution for oegdb.
-OE_GDB_DIR=$(dirname "${BASH_SOURCE[0]}")
+# readlink provides additional benefit in getting the absolute path
+# to the script directory for systems where BASH_SOURCE is only relative.
+OE_GDB_DIR=$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")
 
 # Get the path to the debugger libraries relative to the oegdb path.
 # Normalize the path by cd-ing and doing a pwd -P.

From 94dedf7ac6a78b571f3def6826b1c7a7fcc93f24 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jordanhand22@gmail.com>
Date: Tue, 17 Dec 2019 12:16:51 -0800
Subject: [PATCH 383/420] Add test for reading from relative filepath

Signed-off-by: Jordan Hand <jordanhand22@gmail.com>
---
 syscall/mount.c              |  2 +-
 tests/syscall/fs/enc/enc.cpp | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/syscall/mount.c b/syscall/mount.c
index 7b73502561..08884f8aa4 100644
--- a/syscall/mount.c
+++ b/syscall/mount.c
@@ -151,7 +151,7 @@ int oe_mount(
         target = target_path.buf;
     }
 
-    /* Note: Normialization of source path is left to the external device
+    /* Note: Normalization of source path is left to the external device
      * as it may not be a path internal to the enclave.
      */
 
diff --git a/tests/syscall/fs/enc/enc.cpp b/tests/syscall/fs/enc/enc.cpp
index aeedfa54f7..0628107dbd 100644
--- a/tests/syscall/fs/enc/enc.cpp
+++ b/tests/syscall/fs/enc/enc.cpp
@@ -628,12 +628,35 @@ void test_fs(const char* src_dir, const char* tmp_dir)
         test_all(fs, tmp_dir);
     }
 
+    /* Test reading from enclave relative path */
+    {
+        char path[OE_PATH_MAX];
+        mkpath(path, tmp_dir, "testfile");
+
+        // Create file in tmp dir
+        OE_TEST(
+            oe_mount("/", "/", OE_DEVICE_NAME_HOST_FILE_SYSTEM, 0, NULL) == 0);
+        const int flags = OE_O_CREAT | OE_O_TRUNC | OE_O_WRONLY;
+        OE_TEST(oe_open(path, flags, MODE) == 0);
+        OE_TEST(oe_umount("/") == 0);
+
+        // Open file in tmp dir using a relative path
+        OE_TEST(
+            oe_mount(
+                tmp_dir, tmp_dir, OE_DEVICE_NAME_HOST_FILE_SYSTEM, 0, NULL) ==
+            0);
+        OE_TEST(oe_chdir(tmp_dir));
+        OE_TEST(oe_open("./testfile", OE_O_RDONLY, MODE) == 0);
+        OE_TEST(oe_umount(tmp_dir) == 0);
+    }
+
     /* Test writing to a read-only mounted file system. */
     {
         char path[OE_PATH_MAX];
         mkpath(path, tmp_dir, "somefile");
         const int flags = OE_O_CREAT | OE_O_TRUNC | OE_O_WRONLY;
 
+        // Create file
         OE_TEST(
             oe_mount(
                 "/",
@@ -641,8 +664,10 @@ void test_fs(const char* src_dir, const char* tmp_dir)
                 OE_DEVICE_NAME_HOST_FILE_SYSTEM,
                 OE_MS_RDONLY,
                 NULL) == 0);
+
         OE_TEST(oe_open(path, flags, MODE) == -1);
         OE_TEST(oe_errno == EPERM);
+
         OE_TEST(oe_umount("/") == 0);
     }
 

From 537d58448636015294709fbcf60cc6e37195b2e8 Mon Sep 17 00:00:00 2001
From: Ming-Wei Shih <mishih@microsoft.com>
Date: Wed, 18 Dec 2019 13:47:55 -0800
Subject: [PATCH 384/420] Fix typo for specifying Ninja generator in cmake

Signed-off-by: Ming-Wei Shih <mishih@microsoft.com>
---
 .../Contributors/WindowsSGX1GettingStarted.md                 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
index 03e7beda8e..8e533d3925 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1GettingStarted.md
@@ -61,7 +61,7 @@ To build debug enclaves:
 cd openenclave
 mkdir build/x64-Debug
 cd build/x64-Debug
-cmake -G ninja -DHAS_QUOTE_PROVIDER=OFF -DNUGET_PACKAGE_PATH=C:/oe_prereqs -DCMAKE_INSTALL_PREFIX=install ../..
+cmake -G Ninja -DHAS_QUOTE_PROVIDER=OFF -DNUGET_PACKAGE_PATH=C:/oe_prereqs -DCMAKE_INSTALL_PREFIX=install ../..
 ninja
 ```
 
@@ -77,7 +77,7 @@ Similarly, to build release enclaves, specify the flag
 cd openenclave
 mkdir build/x64-Release
 cd build/x64-Release
-cmake -G ninja -DCMAKE_BUILD_TYPE=Release -DHAS_QUOTE_PROVIDER=OFF -DNUGET_PACKAGE_PATH=C:/oe_prereqs -DCMAKE_INSTALL_PREFIX=install ../..
+cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DHAS_QUOTE_PROVIDER=OFF -DNUGET_PACKAGE_PATH=C:/oe_prereqs -DCMAKE_INSTALL_PREFIX=install ../..
 ninja
 ```
 

From f45476ce318245149f94c64c368c6dd8edb2c6d3 Mon Sep 17 00:00:00 2001
From: Ming-Wei Shih <mishih@microsoft.com>
Date: Mon, 23 Dec 2019 08:55:43 -0800
Subject: [PATCH 385/420] Fix document typo on windows build

Signed-off-by: Ming-Wei Shih <mishih@microsoft.com>
---
 .../Contributors/WindowsSGX1FLCGettingStarted.md              | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
index 5ba111a970..eb5c3c6394 100644
--- a/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
+++ b/docs/GettingStartedDocs/Contributors/WindowsSGX1FLCGettingStarted.md
@@ -81,7 +81,7 @@ To build debug enclaves:
 cd openenclave
 mkdir build/x64-Debug
 cd build/x64-Debug
-cmake -G ninja -DNUGET_PACKAGE_PATH=C:/oe_prereqs -DCMAKE_INSTALL_PREFIX=install ../..
+cmake -G Ninja -DNUGET_PACKAGE_PATH=C:/oe_prereqs -DCMAKE_INSTALL_PREFIX=install ../..
 ninja
 ```
 
@@ -97,7 +97,7 @@ Similarly, to build release enclaves, specify the flag
 cd C:/openenclave
 mkdir build/x64-Release
 cd build/x64-Release
-cmake -G ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:/oe_prereqs -DCMAKE_INSTALL_PREFIX=install ../..
+cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DNUGET_PACKAGE_PATH=C:/oe_prereqs -DCMAKE_INSTALL_PREFIX=install ../..
 ninja
 ```
 

From 2c08fd2ceb6bb2f7a387e06525fcccf1c3402a6f Mon Sep 17 00:00:00 2001
From: Ming-Wei Shih <mishih@microsoft.com>
Date: Mon, 23 Dec 2019 19:45:24 +0000
Subject: [PATCH 386/420] Enable test/ecall_ocall on windows

Signed-off-by: Ming-Wei Shih <mishih@microsoft.com>

Clearing up

Signed-off-by: Ming-Wei Shih <mishih@microsoft.com>
---
 tests/CMakeLists.txt            | 3 +--
 tests/ecall_ocall/host/host.cpp | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 4ece6a31e7..8c825b8140 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -38,6 +38,7 @@ if (UNIX OR ADD_WINDOWS_ENCLAVE_TESTS OR USE_CLANGW)
             add_subdirectory(attestation_plugin)
             add_subdirectory(cppException)
             add_subdirectory(ecall)
+            add_subdirectory(ecall_ocall)
             add_subdirectory(file)
             add_subdirectory(mbed)
             add_subdirectory(ocall-create)
@@ -95,7 +96,5 @@ add_subdirectory(libc)
 endif()
 
 if (OE_SGX AND UNIX)
-   # ecall_ocall enclave size cannot be handled by Windows ninja CI
-   add_subdirectory(ecall_ocall)
    add_subdirectory(libunwind)
 endif()
diff --git a/tests/ecall_ocall/host/host.cpp b/tests/ecall_ocall/host/host.cpp
index bf1288aefa..fb690ec926 100644
--- a/tests/ecall_ocall/host/host.cpp
+++ b/tests/ecall_ocall/host/host.cpp
@@ -250,7 +250,7 @@ static void test_cross_enclave_calls()
         enc_cross_enclave_call(enclave_wrap::get(0), &total, 0, SEED, 0);
     OE_TEST(OE_OK == result);
 
-    printf("total=%u, expected_total=%lu\n", total, expected_total);
+    printf("total=%u, expected_total=%zu\n", total, expected_total);
     OE_TEST(total == expected_total);
 
     printf("=== test_cross_enclave_calls passed\n");

From 6a689d7ed670936f76cf46af8387bfc077d8990d Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Fri, 3 Jan 2020 11:23:32 -0800
Subject: [PATCH 387/420] Previously, oe_mount did not work for any target
 other than "/". Modify to avoid use of oe_stat for paths which are in the
 process of being mounted by oe_mount as oe_stat requires a path to be
 mounted.

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 syscall/mount.c              |  7 ++++++-
 tests/syscall/fs/enc/enc.cpp | 12 +++++++++---
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/syscall/mount.c b/syscall/mount.c
index 08884f8aa4..a726e8a4ca 100644
--- a/syscall/mount.c
+++ b/syscall/mount.c
@@ -166,7 +166,12 @@ int oe_mount(
         struct oe_stat buf;
         int retval = -1;
 
-        if ((retval = oe_stat(target, &buf)) != 0)
+        /**
+         * oe_stat tries to do a mount resolution, but the directory is not yet
+         * mounted. As a result, we must call the filesystem's stat
+         * implementation directly.
+         */
+        if ((retval = device->ops.fs.stat(device, target, &buf)) != 0)
             OE_RAISE_ERRNO(oe_errno);
 
         if (!OE_S_ISDIR(buf.st_mode))
diff --git a/tests/syscall/fs/enc/enc.cpp b/tests/syscall/fs/enc/enc.cpp
index 0628107dbd..79966b60bb 100644
--- a/tests/syscall/fs/enc/enc.cpp
+++ b/tests/syscall/fs/enc/enc.cpp
@@ -637,7 +637,7 @@ void test_fs(const char* src_dir, const char* tmp_dir)
         OE_TEST(
             oe_mount("/", "/", OE_DEVICE_NAME_HOST_FILE_SYSTEM, 0, NULL) == 0);
         const int flags = OE_O_CREAT | OE_O_TRUNC | OE_O_WRONLY;
-        OE_TEST(oe_open(path, flags, MODE) == 0);
+        OE_TEST(oe_open(path, flags, MODE) != -1);
         OE_TEST(oe_umount("/") == 0);
 
         // Open file in tmp dir using a relative path
@@ -645,9 +645,15 @@ void test_fs(const char* src_dir, const char* tmp_dir)
             oe_mount(
                 tmp_dir, tmp_dir, OE_DEVICE_NAME_HOST_FILE_SYSTEM, 0, NULL) ==
             0);
-        OE_TEST(oe_chdir(tmp_dir));
-        OE_TEST(oe_open("./testfile", OE_O_RDONLY, MODE) == 0);
+        OE_TEST(oe_chdir(tmp_dir) == 0);
+        OE_TEST(oe_open("./testfile", OE_O_RDONLY, MODE) != -1);
         OE_TEST(oe_umount(tmp_dir) == 0);
+
+        // Change workdir back for other tests.
+        OE_TEST(
+            oe_mount("/", "/", OE_DEVICE_NAME_HOST_FILE_SYSTEM, 0, NULL) == 0);
+        OE_TEST(oe_chdir("/") == 0);
+        OE_TEST(oe_umount("/") == 0);
     }
 
     /* Test writing to a read-only mounted file system. */

From 528c5e97fd407c742d46ba5136ef69dbd5a49ac6 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jordanhand22@gmail.com>
Date: Tue, 17 Dec 2019 14:40:35 -0800
Subject: [PATCH 388/420] Allow versions of clang-format other than 7, simply
 emit a warning

Signed-off-by: Jordan Hand <jordanhand22@gmail.com>
---
 .clang-format       | 2 ++
 scripts/format-code | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.clang-format b/.clang-format
index 8824d6c7ae..0e01ab74f9 100644
--- a/.clang-format
+++ b/.clang-format
@@ -24,5 +24,7 @@ ObjCSpaceBeforeProtocolList: false
 PenaltyBreakBeforeFirstCallParameter: 1
 PenaltyReturnTypeOnItsOwnLine: 300
 PointerAlignment: Left
+SpacesInContainerLiterals: false
+SpacesInSquareBrackets: false
 TabWidth: 4
 ...
diff --git a/scripts/format-code b/scripts/format-code
index 88ea78a401..b1a56c2123 100755
--- a/scripts/format-code
+++ b/scripts/format-code
@@ -140,8 +140,7 @@ check_version()
         # Because clang-format is not invariant across versions, this
         # is an explicit equivalence check.
         if [[ ${v1[$i]} -ne ${v2[$i]} ]]; then
-            echo "format-code requires clang-format version $1, installed version is $2"
-            exit 1
+            echo "Warning: format-code prefers clang-format version $1, installed version is $2"
         fi
     done
 }

From d18333c837fa04411e3abd15c11fd96f2a9b099d Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Fri, 3 Jan 2020 15:01:05 -0800
Subject: [PATCH 389/420] Close opened file descriptors in tests/fs2

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 tests/syscall/fs/enc/enc.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/tests/syscall/fs/enc/enc.cpp b/tests/syscall/fs/enc/enc.cpp
index 79966b60bb..c1fbc99a28 100644
--- a/tests/syscall/fs/enc/enc.cpp
+++ b/tests/syscall/fs/enc/enc.cpp
@@ -631,13 +631,15 @@ void test_fs(const char* src_dir, const char* tmp_dir)
     /* Test reading from enclave relative path */
     {
         char path[OE_PATH_MAX];
+        int fd;
         mkpath(path, tmp_dir, "testfile");
 
         // Create file in tmp dir
         OE_TEST(
             oe_mount("/", "/", OE_DEVICE_NAME_HOST_FILE_SYSTEM, 0, NULL) == 0);
         const int flags = OE_O_CREAT | OE_O_TRUNC | OE_O_WRONLY;
-        OE_TEST(oe_open(path, flags, MODE) != -1);
+        OE_TEST((fd = oe_open(path, flags, MODE)) != -1);
+        OE_TEST(close(fd) != -1);
         OE_TEST(oe_umount("/") == 0);
 
         // Open file in tmp dir using a relative path
@@ -646,7 +648,8 @@ void test_fs(const char* src_dir, const char* tmp_dir)
                 tmp_dir, tmp_dir, OE_DEVICE_NAME_HOST_FILE_SYSTEM, 0, NULL) ==
             0);
         OE_TEST(oe_chdir(tmp_dir) == 0);
-        OE_TEST(oe_open("./testfile", OE_O_RDONLY, MODE) != -1);
+        OE_TEST((fd = oe_open("./testfile", OE_O_RDONLY, MODE)) != -1);
+        OE_TEST(close(fd) != -1);
         OE_TEST(oe_umount(tmp_dir) == 0);
 
         // Change workdir back for other tests.

From 2f859e3e80b7a22c0c3078622fe95ffbb1faf207 Mon Sep 17 00:00:00 2001
From: Sergio Wong <sergio.wong@gmail.com>
Date: Wed, 6 Nov 2019 19:43:50 +0000
Subject: [PATCH 390/420] V2 SGX collateral parsing. No verification applied.

Signed-off-by: Sergio Wong <sergio.wong@gmail.com>
---
 common/sgx/qeidentity.c                       |   2 +
 common/sgx/revocation.c                       |   4 +-
 common/sgx/tcbinfo.c                          | 677 ++++++++++++++++--
 common/sgx/tcbinfo.h                          | 151 +++-
 docs/DesignDocs/SGX_Endorsements_V2.md        |  81 ++-
 .../qe_identity_missing_attributes.json       |  28 +
 .../qe_identity_missing_attributesmask.json   |  28 +
 .../data_v2/qe_identity_missing_id.json       |  28 +
 .../qe_identity_missing_issuedate.json        |  28 +
 .../qe_identity_missing_isvprodid.json        |  28 +
 .../data_v2/qe_identity_missing_isvsvn.json   |  29 +
 .../qe_identity_missing_miscselect.json       |  28 +
 .../qe_identity_missing_miscselectmask.json   |  28 +
 .../data_v2/qe_identity_missing_mrsigner.json |  28 +
 .../qe_identity_missing_nextupdate.json       |  28 +
 .../qe_identity_missing_qeidentity.json       |  29 +
 .../qe_identity_missing_signature.json        |  28 +
 .../data_v2/qe_identity_missing_tcb_date.json |  28 +
 ...qe_identity_missing_tcb_eval_data_num.json |  28 +
 .../qe_identity_missing_tcb_levels.json       |  17 +
 .../qe_identity_missing_tcb_status.json       |  28 +
 .../data_v2/qe_identity_missing_version.json  |  28 +
 tests/qeidentity/data_v2/qe_identity_ok.json  |  29 +
 .../data_v2/qe_identity_with_advisoryids.json |  30 +
 tests/qeidentity/data_v2/qve_identity_ok.json |  29 +
 tests/qeidentity/enc/enc.cpp                  |   7 +-
 tests/qeidentity/host/CMakeLists.txt          |   1 +
 tests/qeidentity/host/host.cpp                |   4 +
 tests/qeidentity/host/qeidentifyinfo.cpp      | 260 ++++++-
 tests/qeidentity/tests.edl                    |   3 +-
 tests/report/data/tcbInfoNegativeCompSvn.json |   1 +
 tests/report/data/tcbInfoNegativeFloat.json   |   1 +
 .../data/tcbInfoNegativeIntegerOverflow.json  |   1 +
 .../data/tcbInfoNegativeIntegerWithSign.json  |   1 +
 .../data/tcbInfoNegativeInvalidIssueDate.json |   1 +
 tests/report/data/tcbInfoNegativePceSvn.json  |   3 +-
 .../tcbInfoNegativePropertyMissingLevel1.json |   1 +
 .../tcbInfoNegativePropertyMissingLevel2.json |   1 +
 .../tcbInfoNegativePropertyMissingLevel3.json |   1 +
 ...cbInfoNegativePropertyWrongTypeLevel0.json |   1 +
 ...cbInfoNegativePropertyWrongTypeLevel1.json |   1 +
 ...cbInfoNegativePropertyWrongTypeLevel2.json |   1 +
 ...cbInfoNegativePropertyWrongTypeLevel3.json |   1 +
 .../report/data/tcbInfoNegativeSignature.json |   3 +-
 .../data/tcbInfoNegativeStringEscape.json     |   1 +
 tests/report/data_v2/tcbInfo.json             | 128 ++++
 tests/report/data_v2/tcbInfoAdvisoryIds.json  | 129 ++++
 .../data_v2/tcbInfoNegativeCompSvn.json       | 128 ++++
 .../report/data_v2/tcbInfoNegativeFloat.json  | 128 ++++
 .../tcbInfoNegativeIntegerOverflow.json       | 128 ++++
 .../tcbInfoNegativeIntegerWithSign.json       | 128 ++++
 .../tcbInfoNegativeInvalidIssueDate.json      | 128 ++++
 .../tcbInfoNegativeInvalidNextUpdate.json     | 128 ++++
 .../tcbInfoNegativeMissingNextUpdate.json     | 127 ++++
 .../report/data_v2/tcbInfoNegativePceSvn.json | 128 ++++
 .../tcbInfoNegativePropertyMissingLevel0.json | 128 ++++
 .../tcbInfoNegativePropertyMissingLevel1.json | 128 ++++
 .../tcbInfoNegativePropertyMissingLevel2.json | 128 ++++
 .../tcbInfoNegativePropertyMissingLevel3.json | 128 ++++
 ...cbInfoNegativePropertyWrongTypeLevel0.json | 128 ++++
 ...cbInfoNegativePropertyWrongTypeLevel1.json | 128 ++++
 ...cbInfoNegativePropertyWrongTypeLevel2.json | 128 ++++
 ...cbInfoNegativePropertyWrongTypeLevel3.json | 128 ++++
 .../data_v2/tcbInfoNegativeSignature.json     | 128 ++++
 .../data_v2/tcbInfoNegativeStringEscape.json  | 128 ++++
 tests/report/data_v2/tcbInfo_with_pceid.json  | 129 ++++
 tests/report/enc/enc.cpp                      |   2 +-
 tests/report/host/CMakeLists.txt              |   1 +
 tests/report/host/host.cpp                    |  11 +
 tests/report/host/tcbinfo.cpp                 | 342 ++++++++-
 tests/report/tests.edl                        |   2 +-
 71 files changed, 4650 insertions(+), 161 deletions(-)
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_attributes.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_attributesmask.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_id.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_issuedate.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_isvprodid.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_isvsvn.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_miscselect.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_miscselectmask.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_mrsigner.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_nextupdate.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_qeidentity.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_signature.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_tcb_date.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_tcb_eval_data_num.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_tcb_levels.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_tcb_status.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_missing_version.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_ok.json
 create mode 100644 tests/qeidentity/data_v2/qe_identity_with_advisoryids.json
 create mode 100644 tests/qeidentity/data_v2/qve_identity_ok.json
 create mode 100644 tests/report/data_v2/tcbInfo.json
 create mode 100644 tests/report/data_v2/tcbInfoAdvisoryIds.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativeCompSvn.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativeFloat.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativeIntegerOverflow.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativeIntegerWithSign.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativeInvalidIssueDate.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativeInvalidNextUpdate.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativeMissingNextUpdate.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativePceSvn.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativePropertyMissingLevel0.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativePropertyMissingLevel1.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativePropertyMissingLevel2.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativePropertyMissingLevel3.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativePropertyWrongTypeLevel0.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativePropertyWrongTypeLevel1.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativePropertyWrongTypeLevel2.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativePropertyWrongTypeLevel3.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativeSignature.json
 create mode 100644 tests/report/data_v2/tcbInfoNegativeStringEscape.json
 create mode 100644 tests/report/data_v2/tcbInfo_with_pceid.json

diff --git a/common/sgx/qeidentity.c b/common/sgx/qeidentity.c
index ecfa7eacf8..b514684396 100644
--- a/common/sgx/qeidentity.c
+++ b/common/sgx/qeidentity.c
@@ -34,6 +34,7 @@ oe_result_t oe_validate_qe_identity(
     oe_cert_chain_t pck_cert_chain = {0};
     oe_cert_t leaf_cert = {0};
     oe_parsed_qe_identity_info_t parsed_info = {0};
+    oe_qe_identity_info_tcb_level_t platform_tcb_level = {{0}};
     oe_datetime_t from = {0};
     oe_datetime_t until = {0};
 
@@ -68,6 +69,7 @@ oe_result_t oe_validate_qe_identity(
     OE_CHECK(oe_parse_qe_identity_info_json(
         sgx_endorsements->items[OE_SGX_ENDORSEMENT_FIELD_QE_ID_INFO].data,
         sgx_endorsements->items[OE_SGX_ENDORSEMENT_FIELD_QE_ID_INFO].size,
+        &platform_tcb_level,
         &parsed_info));
 
     // verify qe identity signature
diff --git a/common/sgx/revocation.c b/common/sgx/revocation.c
index 99c7b86196..839b859d72 100644
--- a/common/sgx/revocation.c
+++ b/common/sgx/revocation.c
@@ -297,7 +297,7 @@ oe_result_t oe_validate_revocation_list(
     oe_cert_chain_t crl_issuer_chain[3] = {{{0}}};
     oe_cert_t tcb_cert = {0};
     oe_parsed_tcb_info_t parsed_tcb_info = {0};
-    oe_tcb_level_t platform_tcb_level = {{0}};
+    oe_tcb_info_tcb_level_t platform_tcb_level = {{0}};
 
     uint32_t version = 0;
     oe_crl_t crls[2] = {{{0}}};
@@ -402,7 +402,7 @@ oe_result_t oe_validate_revocation_list(
             parsed_extension_info.comp_svn[i];
     }
     platform_tcb_level.pce_svn = parsed_extension_info.pce_svn;
-    platform_tcb_level.status = OE_TCB_LEVEL_STATUS_UNKNOWN;
+    platform_tcb_level.status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
 
     OE_CHECK_MSG(
         oe_parse_tcb_info_json(
diff --git a/common/sgx/tcbinfo.c b/common/sgx/tcbinfo.c
index 2d1ed196f1..e7a47f30ef 100644
--- a/common/sgx/tcbinfo.c
+++ b/common/sgx/tcbinfo.c
@@ -220,8 +220,32 @@ static oe_result_t _trace_json_string(const uint8_t* str, size_t str_length)
     return result;
 }
 
+static oe_tcb_level_status_t _parse_tcb_status(
+    const uint8_t* str,
+    size_t length)
+{
+    oe_tcb_level_status_t status;
+    status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
+
+    if (_json_str_equal(str, length, "UpToDate"))
+        status.fields.up_to_date = 1;
+    else if (_json_str_equal(str, length, "OutOfDate"))
+        status.fields.outofdate = 1;
+    else if (_json_str_equal(str, length, "Revoked"))
+        status.fields.revoked = 1;
+    else if (_json_str_equal(str, length, "ConfigurationNeeded"))
+        status.fields.configuration_needed = 1;
+    else if (_json_str_equal(str, length, "OutOfDateConfigurationNeeded"))
+    {
+        status.fields.qe_identity_out_of_date = 1;
+        status.fields.configuration_needed = 1;
+    }
+
+    return status;
+}
+
 /**
- * Type: tcb
+ * Type: tcb in TCB Info tcbLevels
  * Schema:
  * {
  *    "sgxtcbcomp01svn": uint8_t,
@@ -231,10 +255,10 @@ static oe_result_t _trace_json_string(const uint8_t* str, size_t str_length)
  *    "pcesvn": uint16_t
  * }
  */
-static oe_result_t _read_tcb(
+static oe_result_t _read_tcb_info_tcb_level(
     const uint8_t** itr,
     const uint8_t* end,
-    oe_tcb_level_t* tcb_level)
+    oe_tcb_info_tcb_level_t* tcb_level)
 {
     oe_result_t result = OE_JSON_INFO_PARSE_ERROR;
     uint64_t value = 0;
@@ -295,12 +319,12 @@ static oe_result_t _read_tcb(
 // 3. The status of the platform's tcb level is the status of the chosen tcb
 // level.
 // 4. If no tcb level was chosen, then the status of the platform is unknown.
-static void _determine_platform_tcb_level(
-    oe_tcb_level_t* platform_tcb_level,
-    oe_tcb_level_t* tcb_level)
+static void _determine_platform_tcb_info_tcb_level(
+    oe_tcb_info_tcb_level_t* platform_tcb_level,
+    oe_tcb_info_tcb_level_t* tcb_level)
 {
     // If the platform's status has already been determined, return.
-    if (platform_tcb_level->status != OE_TCB_LEVEL_STATUS_UNKNOWN)
+    if (platform_tcb_level->status.AsUINT32 != OE_TCB_LEVEL_STATUS_UNKNOWN)
         return;
 
     // Compare all of the platform's comp svn values with the corresponding
@@ -318,35 +342,33 @@ static void _determine_platform_tcb_level(
     // If all the values of the tcb level are less than corresponding values of
     // the platform, then the platform's status is the status of the current tcb
     // level.
-    platform_tcb_level->status = tcb_level->status;
+    platform_tcb_level->status.AsUINT32 = tcb_level->status.AsUINT32;
 }
 
 /**
- * Type: tcbLevel
+ * Type: tcbLevel in TCB Info (V1)
  * Schema:
  * {
  *    "tcb" : object of type tcb
- *    "status": one of "UpToDate" or "OutOfDate" or "Revoked"
+ *    "status": one of "UpToDate" or "OutOfDate" or "Revoked" or
+ *              "ConfigurationNeeded"
  * }
  */
-static oe_result_t _read_tcb_level(
+static oe_result_t _read_tcb_info_tcb_level_v1(
     const uint8_t** itr,
     const uint8_t* end,
-    oe_tcb_level_t* platform_tcb_level,
-    oe_parsed_tcb_info_t* parsed_info)
+    oe_tcb_info_tcb_level_t* platform_tcb_level)
 {
     oe_result_t result = OE_JSON_INFO_PARSE_ERROR;
-    oe_tcb_level_t tcb_level = {{0}};
+    oe_tcb_info_tcb_level_t tcb_level = {{0}};
     const uint8_t* status = NULL;
     size_t status_length = 0;
 
-    OE_UNUSED(parsed_info);
-
     OE_CHECK(_read('{', itr, end));
 
     OE_TRACE_VERBOSE("Reading tcb");
     OE_CHECK(_read_property_name_and_colon("tcb", itr, end));
-    OE_CHECK(_read_tcb(itr, end, &tcb_level));
+    OE_CHECK(_read_tcb_info_tcb_level(itr, end, &tcb_level));
     OE_CHECK(_read(',', itr, end));
 
     OE_TRACE_VERBOSE("Reading status");
@@ -356,18 +378,88 @@ static oe_result_t _read_tcb_level(
 
     OE_CHECK(_read('}', itr, end));
 
-    if (_json_str_equal(status, status_length, "UpToDate"))
-        tcb_level.status = OE_TCB_LEVEL_STATUS_UP_TO_DATE;
-    else if (_json_str_equal(status, status_length, "OutOfDate"))
-        tcb_level.status = OE_TCB_LEVEL_STATUS_OUT_OF_DATE;
-    else if (_json_str_equal(status, status_length, "Revoked"))
-        tcb_level.status = OE_TCB_LEVEL_STATUS_REVOKED;
-    else if (_json_str_equal(status, status_length, "ConfigurationNeeded"))
-        tcb_level.status = OE_TCB_LEVEL_STATUS_CONFIGURATION_NEEDED;
+    tcb_level.status = _parse_tcb_status(status, status_length);
+    if (tcb_level.status.AsUINT32 != OE_TCB_LEVEL_STATUS_UNKNOWN)
+    {
+        _determine_platform_tcb_info_tcb_level(platform_tcb_level, &tcb_level);
+        result = OE_OK;
+    }
+
+done:
+    return result;
+}
+
+/**
+ * Type: tcbLevel in TCB Info (V2)
+ * Schema:
+ * {
+ *    "tcb" : object of type tcb (Note: QE Identity info has the same object,
+ * but with different set of values). "tcbDate" : oe_datetime_t when TCB level
+ * was certified not to be vulnerable. ISO 8601 standard(YYYY-MM-DDThh:mm:ssZ).
+ *    "tcbStatus" : one of "UpToDate" or "OutOfDate" or "Revoked" or
+ *                  "ConfigurationNeeded" or "OutOfDateConfigurationNeeded"
+ *    "advisoryIDs" : array of strings describing vulnerabilities that this TCB
+ * level is vulnerable to.  Example: ["INTEL-SA-00079", "INTEL-SA-00076"]
+ * }
+ */
+static oe_result_t _read_tcb_info_tcb_level_v2(
+    const uint8_t* info_json,
+    const uint8_t** itr,
+    const uint8_t* end,
+    oe_tcb_info_tcb_level_t* platform_tcb_level,
+    oe_tcb_info_tcb_level_t* tcb_level)
+{
+    oe_result_t result = OE_JSON_INFO_PARSE_ERROR;
+    const uint8_t* status = NULL;
+    size_t status_length = 0;
+    const uint8_t* date_str = NULL;
+    size_t date_size = 0;
+
+    OE_CHECK(_read('{', itr, end));
+
+    OE_TRACE_VERBOSE("Reading tcb");
+    OE_CHECK(_read_property_name_and_colon("tcb", itr, end));
+    OE_CHECK(_read_tcb_info_tcb_level(itr, end, tcb_level));
+    OE_CHECK(_read(',', itr, end));
 
-    if (tcb_level.status != OE_TCB_LEVEL_STATUS_UNKNOWN)
+    OE_TRACE_VERBOSE("Reading tcbDate");
+    OE_CHECK(_read_property_name_and_colon("tcbDate", itr, end));
+    OE_CHECK(_read_string(itr, end, &date_str, &date_size));
+    if (oe_datetime_from_string(
+            (const char*)date_str, date_size, &tcb_level->tcb_date) != OE_OK)
+        OE_RAISE(OE_JSON_INFO_PARSE_ERROR);
+    OE_CHECK(_read(',', itr, end));
+
+    OE_TRACE_VERBOSE("Reading tcbStatus");
+    OE_CHECK(_read_property_name_and_colon("tcbStatus", itr, end));
+    OE_CHECK(_read_string(itr, end, &status, &status_length));
+    OE_CHECK(_trace_json_string(status, status_length));
+
+    // Optional advisoryIDs field
+    if (OE_JSON_INFO_PARSE_ERROR != _read(',', itr, end))
     {
-        _determine_platform_tcb_level(platform_tcb_level, &tcb_level);
+        OE_TRACE_VERBOSE("Reading advisoryIDs");
+        OE_CHECK(_read_property_name_and_colon("advisoryIDs", itr, end));
+        OE_CHECK(_read('[', itr, end));
+
+        tcb_level->advisory_ids_offset = (size_t)(*itr - info_json);
+        size_t size = 0;
+
+        while (*itr < end && **itr != ']')
+        {
+            (*itr)++;
+            size++;
+        }
+        OE_CHECK(_read(']', itr, end));
+        tcb_level->advisory_ids_size = size;
+    }
+
+    OE_CHECK(_read('}', itr, end));
+
+    tcb_level->status = _parse_tcb_status(status, status_length);
+    if (tcb_level->status.AsUINT32 != OE_TCB_LEVEL_STATUS_UNKNOWN)
+    {
+        _determine_platform_tcb_info_tcb_level(platform_tcb_level, tcb_level);
         result = OE_OK;
     }
 
@@ -377,18 +469,33 @@ static oe_result_t _read_tcb_level(
 
 /**
  * type = tcbInfo
- * Schema:
+ * V1 Schema:
  * {
  *    "version" : integer,
  *    "issueDate" : string,
- *    "fmspc" : "hex string"
- *    "tcbLevels" : [ objects of type tcbLevel ]
+ *    "nextUpdate" : string,
+ *    "fmspc" : "hex string (12 nibbles)"
+ *    "pceId" : "hex string (4 nibbles)"
+ *    "tcbLevels" : [ objects of type oe_tcb_info_tcb_level_t ]
+ * }
+ *
+ * V2 Schema:
+ * {
+ *    "version" : integer,
+ *    "issueDate" : string,
+ *    "nextUpdate" : string,
+ *    "fmspc" : "hex string (12 nibbles)"
+ *    "pceId" : "hex string (4 nibbles)"
+ *    "tcbType" : integer
+ *    "tcbEvaluationDataNumber" : integer
+ *    "tcbLevels" : [ objects of type oe_tcb_info_tcb_level_t ]
  * }
  */
 static oe_result_t _read_tcb_info(
+    const uint8_t* tcb_info_json,
     const uint8_t** itr,
     const uint8_t* end,
-    oe_tcb_level_t* platform_tcb_level,
+    oe_tcb_info_tcb_level_t* platform_tcb_level,
     oe_parsed_tcb_info_t* parsed_info)
 {
     oe_result_t result = OE_JSON_INFO_PARSE_ERROR;
@@ -451,19 +558,73 @@ static oe_result_t _read_tcb_info(
         }
     }
 
-    OE_TRACE_VERBOSE("Reading tcbLevels");
-    OE_CHECK(_read_property_name_and_colon("tcbLevels", itr, end));
-    OE_CHECK(_read('[', itr, end));
-    while (*itr < end)
+    if (parsed_info->version == 2)
     {
-        OE_CHECK(_read_tcb_level(itr, end, platform_tcb_level, parsed_info));
-        // Read end of array or comma separator.
-        if (*itr < end && **itr == ']')
-            break;
+        OE_TRACE_VERBOSE("V2: Reading tcbType");
+        OE_CHECK(_read_property_name_and_colon("tcbType", itr, end));
+        OE_CHECK(_read_integer(itr, end, &value));
+        parsed_info->tcb_type = (uint32_t)value;
+        OE_CHECK(_read(',', itr, end));
 
+        OE_TRACE_VERBOSE("V2: Reading tcbEvaluationDataNumber");
+        OE_CHECK(
+            _read_property_name_and_colon("tcbEvaluationDataNumber", itr, end));
+        OE_CHECK(_read_integer(itr, end, &value));
+        parsed_info->tcb_evaluation_data_number = (uint32_t)value;
         OE_CHECK(_read(',', itr, end));
+
+        OE_TRACE_VERBOSE("Reading tcbLevels (V2)");
+        OE_CHECK(_read_property_name_and_colon("tcbLevels", itr, end));
+        OE_CHECK(_read('[', itr, end));
+        while (*itr < end)
+        {
+            OE_CHECK(_read_tcb_info_tcb_level_v2(
+                tcb_info_json,
+                itr,
+                end,
+                platform_tcb_level,
+                &parsed_info->tcb_level));
+
+            // Optimization
+            if (platform_tcb_level->status.AsUINT32 !=
+                OE_TCB_LEVEL_STATUS_UNKNOWN)
+            {
+                // Found matching TCB level, go to the end of the array.
+                while (*itr < end && **itr != ']')
+                    (*itr)++;
+            }
+
+            // Read end of array or comma separator.
+            if (*itr < end && **itr == ']')
+                break;
+
+            OE_CHECK(_read(',', itr, end));
+        }
+        OE_CHECK(_read(']', itr, end));
+    }
+    else if (parsed_info->version == 1)
+    {
+        OE_TRACE_VERBOSE("Reading tcbLevels (V1)");
+        OE_CHECK(_read_property_name_and_colon("tcbLevels", itr, end));
+        OE_CHECK(_read('[', itr, end));
+        while (*itr < end)
+        {
+            OE_CHECK(_read_tcb_info_tcb_level_v1(itr, end, platform_tcb_level));
+            // Read end of array or comma separator.
+            if (*itr < end && **itr == ']')
+                break;
+
+            OE_CHECK(_read(',', itr, end));
+        }
+        OE_CHECK(_read(']', itr, end));
+    }
+    else
+    {
+        OE_RAISE_MSG(
+            OE_JSON_INFO_PARSE_ERROR,
+            "Unsupported TCB level info version %d",
+            parsed_info->version);
     }
-    OE_CHECK(_read(']', itr, end));
 
     // itr is expected to point to the '}' that denotes the end of the tcb
     // object. The signature is generated over the entire object including the
@@ -487,7 +648,7 @@ static oe_result_t _read_tcb_info(
 oe_result_t oe_parse_tcb_info_json(
     const uint8_t* tcb_info_json,
     size_t tcb_info_json_size,
-    oe_tcb_level_t* platform_tcb_level,
+    oe_tcb_info_tcb_level_t* platform_tcb_level,
     oe_parsed_tcb_info_t* parsed_info)
 {
     oe_result_t result = OE_JSON_INFO_PARSE_ERROR;
@@ -502,15 +663,16 @@ oe_result_t oe_parse_tcb_info_json(
     if (end <= itr)
         OE_RAISE(OE_INVALID_PARAMETER);
 
-    if (platform_tcb_level->status != OE_TCB_LEVEL_STATUS_UNKNOWN)
-        OE_RAISE(OE_INVALID_PARAMETER);
+    // Initialize status
+    platform_tcb_level->status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
 
     itr = _skip_ws(itr, end);
     OE_CHECK(_read('{', &itr, end));
 
     OE_TRACE_VERBOSE("Reading tcbInfo");
     OE_CHECK(_read_property_name_and_colon("tcbInfo", &itr, end));
-    OE_CHECK(_read_tcb_info(&itr, end, platform_tcb_level, parsed_info));
+    OE_CHECK(_read_tcb_info(
+        tcb_info_json, &itr, end, platform_tcb_level, parsed_info));
     OE_CHECK(_read(',', &itr, end));
 
     OE_TRACE_VERBOSE("Reading signature");
@@ -522,7 +684,7 @@ oe_result_t oe_parse_tcb_info_json(
 
     if (itr == end)
     {
-        if (platform_tcb_level->status != OE_TCB_LEVEL_STATUS_UP_TO_DATE)
+        if (platform_tcb_level->status.fields.up_to_date != 1)
         {
             for (uint32_t i = 0;
                  i < OE_COUNTOF(platform_tcb_level->sgx_tcb_comp_svn);
@@ -537,6 +699,15 @@ oe_result_t oe_parse_tcb_info_json(
                 "Platform TCB (%d) is not up-to-date",
                 platform_tcb_level->status);
         }
+
+        // Display any advisory IDs as warnings
+        if (platform_tcb_level->advisory_ids_size > 0)
+        {
+            OE_TRACE_WARNING(
+                "Found %d AdvisoryIDs for this tcb level.",
+                platform_tcb_level->advisory_ids_size);
+        }
+
         result = OE_OK;
     }
 done:
@@ -561,11 +732,11 @@ OE_INLINE uint64_t read_uint64(const uint8_t* p)
 }
 /**
  * type = qe_identity
- * Schema:
+ * V1 Schema:
  * {
- *     "version" : integer,
+ *    "version" : integer,
  *    "issueDate" : string,
- *    "nextDate" : string,
+ *    "nextUpdate" : string,
  *    "miscselect" : hex string,
  *    "miscselectMask" : hex string,
  *    "attributes" : hex string,
@@ -575,7 +746,7 @@ OE_INLINE uint64_t read_uint64(const uint8_t* p)
  *    "isvsvn" : integer,
  * }
  */
-static oe_result_t _read_qe_identity_info(
+static oe_result_t _read_qe_identity_info_v1(
     const uint8_t** itr,
     const uint8_t* end,
     oe_parsed_qe_identity_info_t* parsed_info)
@@ -670,23 +841,350 @@ static oe_result_t _read_qe_identity_info(
     result = OE_OK;
 done:
     OE_TRACE_VERBOSE(
-        "Reading _read_qe_identity_info ended with [%s]\n",
+        "Reading _read_qe_identity_info_v1 ended with [%s]\n",
         oe_result_str(result));
     return result;
 }
 
+/**
+ * Type: tcb in QE Identity Info tcbLevels
+ * Schema:
+ * {
+ *    "isvsvn": uint32_t
+ * }
+ */
+static oe_result_t _read_qe_tcb(
+    const uint8_t** itr,
+    const uint8_t* end,
+    oe_qe_identity_info_tcb_level_t* tcb_level)
+{
+    oe_result_t result = OE_JSON_INFO_PARSE_ERROR;
+    uint64_t value = 0;
+
+    static const char* _names[] = {"isvsvn"};
+    OE_STATIC_ASSERT(OE_COUNTOF(_names) == OE_COUNTOF(tcb_level->isvsvn));
+
+    OE_CHECK(_read('{', itr, end));
+
+    for (size_t i = 0; i < OE_COUNTOF(_names); ++i)
+    {
+        OE_TRACE_VERBOSE("Reading %s", _names[i]);
+        OE_CHECK(_read_property_name_and_colon(_names[i], itr, end));
+        OE_CHECK(_read_integer(itr, end, &value));
+        OE_TRACE_VERBOSE("value = %lu", value);
+
+        if (i != (OE_COUNTOF(_names) - 1))
+            OE_CHECK(_read(',', itr, end));
+
+        if (value > OE_UINT32_MAX)
+            OE_RAISE(OE_JSON_INFO_PARSE_ERROR);
+        tcb_level->isvsvn[i] = (uint32_t)value;
+    }
+
+    OE_CHECK(_read('}', itr, end));
+
+    result = OE_OK;
+done:
+    return result;
+}
+
+// Algorithm specified by Intel, reworded:
+// 1. Go over the sorted collection of TCB levels in the JSON.
+// 2. Choose the first tcb level for which  all of the platform's isv svn
+// values are greater than or equal to corresponding values of
+// the tcb level.
+// 3. The status of the platform's tcb level is the status of the chosen tcb
+// level.
+// 4. If no tcb level was chosen, then the status of the platform is unknown.
+static void _determine_platform_qe_tcb_level(
+    oe_qe_identity_info_tcb_level_t* platform_tcb_level,
+    oe_qe_identity_info_tcb_level_t* tcb_level)
+{
+    // If the platform's status has already been determined, return.
+    if (platform_tcb_level->tcb_status.AsUINT32 != OE_TCB_LEVEL_STATUS_UNKNOWN)
+        return;
+
+    // Compare all of the platform's comp svn values with the corresponding
+    // values in the current tcb level.
+    for (uint32_t i = 0; i < OE_COUNTOF(platform_tcb_level->isvsvn); ++i)
+    {
+        if (platform_tcb_level->isvsvn[i] < tcb_level->isvsvn[i])
+            return;
+    }
+
+    // If all the values of the tcb level are less than corresponding values of
+    // the platform, then the platform's status is the status of the current tcb
+    // level.
+    platform_tcb_level->tcb_status = tcb_level->tcb_status;
+}
+
+/**
+ * Type: tcbLevel in QE Identity Info (New in V2 of QE Identity Info)
+ * Schema:
+ * {
+ *    "tcb" : object of type tcb (Note: TCB Info has the same object, but with
+ *            different set of values).
+ *    "tcbDate" : oe_datetime_t when TCB level was certified not to be
+ * vulnerable. ISO 8601 standard(YYYY-MM-DDThh:mm:ssZ). "tcbStatus" : one of
+ * "UpToDate" or "OutOfDate" or "Revoked" or "ConfigurationNeeded" or
+ * "OutOfDateConfigurationNeeded" "advisoryIDs" : array of strings describing
+ * vulnerabilities that this TCB level is vulnerable to.  Example:
+ * ["INTEL-SA-00079", "INTEL-SA-00076"]
+ * }
+ */
+static oe_result_t _read_qe_tcb_level(
+    const uint8_t* info_json,
+    const uint8_t** itr,
+    const uint8_t* end,
+    oe_qe_identity_info_tcb_level_t* platform_qe_tcb_level,
+    oe_qe_identity_info_tcb_level_t* tcb_level)
+{
+    oe_result_t result = OE_JSON_INFO_PARSE_ERROR;
+    const uint8_t* status = NULL;
+    size_t status_length = 0;
+    const uint8_t* date_str = NULL;
+    size_t date_size = 0;
+
+    memset(tcb_level, 0, sizeof(oe_qe_identity_info_tcb_level_t));
+
+    OE_CHECK(_read('{', itr, end));
+
+    OE_TRACE_VERBOSE("Reading QE Identity tcb");
+    OE_CHECK(_read_property_name_and_colon("tcb", itr, end));
+    OE_CHECK(_read_qe_tcb(itr, end, tcb_level));
+    OE_CHECK(_read(',', itr, end));
+
+    OE_TRACE_VERBOSE("Reading tcbDate");
+    OE_CHECK(_read_property_name_and_colon("tcbDate", itr, end));
+    OE_CHECK(_read_string(itr, end, &date_str, &date_size));
+    if (oe_datetime_from_string(
+            (const char*)date_str, date_size, &tcb_level->tcb_date) != OE_OK)
+        OE_RAISE(OE_JSON_INFO_PARSE_ERROR);
+    OE_CHECK(_read(',', itr, end));
+
+    OE_TRACE_VERBOSE("Reading tcbStatus");
+    OE_CHECK(_read_property_name_and_colon("tcbStatus", itr, end));
+    OE_CHECK(_read_string(itr, end, &status, &status_length));
+    OE_CHECK(_trace_json_string(status, status_length));
+
+    // Optional advisoryIDs field
+    if (OE_JSON_INFO_PARSE_ERROR != _read(',', itr, end))
+    {
+        OE_TRACE_VERBOSE("Reading advisoryIDs");
+        OE_CHECK(_read_property_name_and_colon("advisoryIDs", itr, end));
+        OE_CHECK(_read('[', itr, end));
+
+        tcb_level->advisory_ids_offset = (size_t)(*itr - info_json);
+        size_t size = 0;
+
+        while (*itr < end && **itr != ']')
+        {
+            (*itr)++;
+            size++;
+        }
+        OE_CHECK(_read(']', itr, end));
+        tcb_level->advisory_ids_size = size;
+    }
+
+    OE_CHECK(_read('}', itr, end));
+
+    tcb_level->tcb_status = _parse_tcb_status(status, status_length);
+    if (tcb_level->tcb_status.AsUINT32 != OE_TCB_LEVEL_STATUS_UNKNOWN)
+    {
+        _determine_platform_qe_tcb_level(platform_qe_tcb_level, tcb_level);
+        result = OE_OK;
+    }
+
+done:
+    return result;
+}
+
+/*!
+ * type = enclaveIdentity
+ * V2 Schema:
+ * {
+ *    "id" : string ("QE" | "QVE")
+ *    "version" : integer,
+ *    "issueDate" : string,
+ *    "nextUpdate" : string,
+ *    "tcbEvaluationDataNumber" : integer
+ *    "miscselect" : hex string,
+ *    "miscselectMask" : hex string,
+ *    "attributes" : hex string,
+ *    "attributesMask" : hex string,
+ *    "mrsigner" : hex string,
+ *    "isvprodid" : integer,
+ *    "tcbLevels" : [ objects of type oe_qe_identity_info_tcb_level_t ]
+ * }
+ */
+static oe_result_t _read_qe_identity_info_v2(
+    const uint8_t* info_json,
+    const uint8_t** itr,
+    const uint8_t* end,
+    oe_qe_identity_info_tcb_level_t* platform_tcb_level,
+    oe_parsed_qe_identity_info_t* parsed_info)
+{
+    oe_result_t result = OE_JSON_INFO_PARSE_ERROR;
+    uint64_t value = 0;
+    const uint8_t* str = NULL;
+    size_t size = 0;
+    uint8_t four_bytes_buf[4];
+    uint8_t sixteen_bytes_buf[16];
+
+    if (platform_tcb_level == NULL)
+        OE_RAISE_MSG(
+            OE_INVALID_PARAMETER,
+            "QE identity info v2 requires platform tcb level.",
+            NULL);
+
+    // Initialize status.
+    platform_tcb_level->tcb_status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
+
+    parsed_info->info_start = *itr;
+    OE_CHECK(_read('{', itr, end));
+
+    OE_TRACE_VERBOSE("Reading id");
+    OE_CHECK(_read_property_name_and_colon("id", itr, end));
+    OE_CHECK(_read_string(itr, end, &str, &size));
+    if (_json_str_equal(str, size, "QE"))
+        parsed_info->id = QE_IDENTITY_ID_QE;
+    else if (_json_str_equal(str, size, "QVE"))
+        parsed_info->id = QE_IDENTITY_ID_QVE;
+    else
+        OE_RAISE_MSG(OE_JSON_INFO_PARSE_ERROR, "Invalid id %s", str);
+    OE_CHECK(_read(',', itr, end));
+
+    OE_TRACE_VERBOSE("Reading version");
+    OE_CHECK(_read_property_name_and_colon("version", itr, end));
+    OE_CHECK(_read_integer(itr, end, &value));
+    parsed_info->version = (uint32_t)value;
+    OE_CHECK(_read(',', itr, end));
+
+    OE_TRACE_VERBOSE("Reading issueDate");
+    OE_CHECK(_read_property_name_and_colon("issueDate", itr, end));
+    OE_CHECK(_read_string(itr, end, &str, &size));
+    if (oe_datetime_from_string(
+            (const char*)str, size, &parsed_info->issue_date) != OE_OK)
+        OE_RAISE(OE_JSON_INFO_PARSE_ERROR);
+    OE_CHECK(_read(',', itr, end));
+
+    OE_TRACE_VERBOSE("Reading nextUpdate");
+    OE_CHECK(_read_property_name_and_colon("nextUpdate", itr, end));
+    OE_CHECK(_read_string(itr, end, &str, &size));
+    if (oe_datetime_from_string(
+            (const char*)str, size, &parsed_info->next_update) != OE_OK)
+        OE_RAISE(OE_JSON_INFO_PARSE_ERROR);
+    OE_CHECK(_read(',', itr, end));
+
+    OE_TRACE_VERBOSE("Reading tcbEvaluationDataNumber");
+    OE_CHECK(
+        _read_property_name_and_colon("tcbEvaluationDataNumber", itr, end));
+    OE_CHECK(_read_integer(itr, end, &value));
+    parsed_info->tcb_evaluation_data_number = (uint32_t)value;
+    OE_CHECK(_read(',', itr, end));
+
+    OE_TRACE_VERBOSE("Reading miscselect");
+    OE_CHECK(_read_property_name_and_colon("miscselect", itr, end));
+    OE_CHECK(
+        _read_hex_string(itr, end, four_bytes_buf, sizeof(four_bytes_buf)));
+    parsed_info->miscselect = read_uint32(four_bytes_buf);
+    OE_CHECK(_read(',', itr, end));
+
+    OE_TRACE_VERBOSE("Reading miscselectMask");
+    OE_CHECK(_read_property_name_and_colon("miscselectMask", itr, end));
+    OE_CHECK(
+        _read_hex_string(itr, end, four_bytes_buf, sizeof(four_bytes_buf)));
+    parsed_info->miscselect_mask = read_uint32(four_bytes_buf);
+    OE_CHECK(_read(',', itr, end));
+
+    OE_TRACE_VERBOSE("Reading attributes.flags");
+    OE_CHECK(_read_property_name_and_colon("attributes", itr, end));
+    OE_CHECK(_read_hex_string(
+        itr, end, sixteen_bytes_buf, sizeof(sixteen_bytes_buf)));
+    parsed_info->attributes.flags = read_uint64(sixteen_bytes_buf);
+    parsed_info->attributes.xfrm = read_uint64(sixteen_bytes_buf + 8);
+    OE_CHECK(_read(',', itr, end));
+
+    OE_TRACE_VERBOSE("Reading attributesMask");
+    OE_CHECK(_read_property_name_and_colon("attributesMask", itr, end));
+    OE_CHECK(_read_hex_string(
+        itr, end, sixteen_bytes_buf, sizeof(sixteen_bytes_buf)));
+    parsed_info->attributes_flags_mask = read_uint64(sixteen_bytes_buf);
+    parsed_info->attributes_xfrm_mask = read_uint64(sixteen_bytes_buf + 8);
+    OE_CHECK(_read(',', itr, end));
+
+    OE_TRACE_VERBOSE("Reading mrsigner");
+    OE_CHECK(_read_property_name_and_colon("mrsigner", itr, end));
+    OE_CHECK(_read_hex_string(
+        itr, end, parsed_info->mrsigner, sizeof(parsed_info->mrsigner)));
+    OE_CHECK(_read(',', itr, end));
+
+    OE_TRACE_VERBOSE("Reading isvprodid");
+    OE_CHECK(_read_property_name_and_colon("isvprodid", itr, end));
+    OE_CHECK(_read_integer(itr, end, &value));
+    parsed_info->isvprodid = (uint16_t)value;
+    OE_CHECK(_read(',', itr, end));
+
+    OE_TRACE_VERBOSE("Reading tcbLevels");
+    OE_CHECK(_read_property_name_and_colon("tcbLevels", itr, end));
+    OE_CHECK(_read('[', itr, end));
+    while (*itr < end)
+    {
+        OE_CHECK(_read_qe_tcb_level(
+            info_json, itr, end, platform_tcb_level, &parsed_info->tcb_level));
+
+        // Optimization
+        if (platform_tcb_level->tcb_status.AsUINT32 !=
+            OE_TCB_LEVEL_STATUS_UNKNOWN)
+        {
+            // Found matching TCB level, go to the end of the array.
+            while (*itr < end && **itr != ']')
+                (*itr)++;
+        }
+
+        // Read end of array or comma separator.
+        if (*itr < end && **itr == ']')
+            break;
+
+        OE_CHECK(_read(',', itr, end));
+    }
+    OE_CHECK(_read(']', itr, end));
+
+    // Synchronize legacy V1 field.
+    parsed_info->isvsvn = (uint16_t)parsed_info->tcb_level.isvsvn[0];
+
+    // itr is expected to point to the '}' that denotes the end of the qe
+    // identity object. The signature is generated over the entire object
+    // including the '}'.
+    parsed_info->info_size = (size_t)(*itr - parsed_info->info_start + 1);
+    OE_CHECK(_read('}', itr, end));
+    OE_TRACE_VERBOSE("Done with last read");
+    result = OE_OK;
+done:
+    OE_TRACE_VERBOSE(
+        "Reading %s ended with [%s]\n", __FUNCTION__, oe_result_str(result));
+    return result;
+}
+
 /**
  * type = qe_identity_info
  *
- * Schema:
+ * Schema V1:
  * {
  *    "qeIdentity" : object of type qe_identity,
  *    "signature" : "hex string"
  * }
+ *
+ * Schema V2:
+ * {
+ *    "enclaveIdentity" : object of type enclaveIdentity,
+ *    "signature" : "hex string"
+ * }
  */
 oe_result_t oe_parse_qe_identity_info_json(
     const uint8_t* info_json,
     size_t info_json_size,
+    oe_qe_identity_info_tcb_level_t* platform_tcb_level,
     oe_parsed_qe_identity_info_t* parsed_info)
 {
     oe_result_t result = OE_JSON_INFO_PARSE_ERROR;
@@ -704,18 +1202,50 @@ oe_result_t oe_parse_qe_identity_info_json(
     itr = _skip_ws(itr, end);
     OE_CHECK(_read('{', &itr, end));
 
-    OE_TRACE_VERBOSE("Reading qeIdentity");
-    OE_CHECK(_read_property_name_and_colon("qeIdentity", &itr, end));
-    OE_CHECK(_read_qe_identity_info(&itr, end, parsed_info));
-    OE_CHECK(_read(',', &itr, end));
+    if (OE_JSON_INFO_PARSE_ERROR !=
+        _read_property_name_and_colon("enclaveIdentity", &itr, end))
+    {
+        OE_TRACE_VERBOSE("Reading enclaveIdentity");
+        OE_CHECK(_read_qe_identity_info_v2(
+            info_json, &itr, end, platform_tcb_level, parsed_info));
+        OE_CHECK(_read(',', &itr, end));
+    }
+    else
+    {
+        OE_TRACE_VERBOSE("Reading qeIdentity");
+        OE_CHECK(_read_property_name_and_colon("qeIdentity", &itr, end));
+        OE_CHECK(_read_qe_identity_info_v1(&itr, end, parsed_info));
+        OE_CHECK(_read(',', &itr, end));
+    }
 
     OE_TRACE_VERBOSE("Reading signature");
     OE_CHECK(_read_property_name_and_colon("signature", &itr, end));
     OE_CHECK(_read_hex_string(
         &itr, end, parsed_info->signature, sizeof(parsed_info->signature)));
     OE_CHECK(_read('}', &itr, end));
+
     if (itr == end)
     {
+        if (parsed_info->version == 2 &&
+            platform_tcb_level->tcb_status.fields.up_to_date != 1)
+        {
+            for (uint32_t i = 0; i < OE_COUNTOF(platform_tcb_level->isvsvn);
+                 ++i)
+                OE_TRACE_VERBOSE(
+                    "isvsvn[%d] = 0x%x", i, platform_tcb_level->isvsvn[i]);
+            OE_RAISE_MSG(
+                OE_TCB_LEVEL_INVALID,
+                "QE Identity Information (%d) is not up-to-date",
+                platform_tcb_level->tcb_status.AsUINT32);
+        }
+
+        // Display any advisory IDs as warnings
+        if (parsed_info->tcb_level.advisory_ids_size > 0)
+        {
+            OE_TRACE_WARNING(
+                "Found %d AdvisoryIDs for this tcb level.",
+                parsed_info->tcb_level.advisory_ids_size);
+        }
         result = OE_OK;
     }
 
@@ -817,3 +1347,40 @@ oe_result_t oe_verify_ecdsa256_signature(
 
     return result;
 }
+
+oe_result_t oe_parse_advisoryids_json(
+    const uint8_t* json,
+    size_t json_size,
+    const uint8_t** id_array,
+    size_t id_array_size,
+    size_t* id_sizes_array,
+    size_t id_sizes_size,
+    size_t* num_ids)
+{
+    oe_result_t result = OE_JSON_INFO_PARSE_ERROR;
+    const uint8_t* itr = json;
+    const uint8_t* end = json + json_size;
+    size_t count = 0;
+
+    if (json == NULL || json_size == 0 || id_array == NULL || num_ids == NULL ||
+        (id_array_size != id_sizes_size))
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    *num_ids = 0;
+
+    while (itr < end && count < id_array_size)
+    {
+        OE_CHECK(
+            _read_string(&itr, end, &id_array[count], &id_sizes_array[count]));
+        count += 1;
+
+        if (itr < end)
+            OE_CHECK(_read(',', &itr, end));
+    }
+
+    *num_ids = count;
+    result = OE_OK;
+done:
+
+    return result;
+}
\ No newline at end of file
diff --git a/common/sgx/tcbinfo.h b/common/sgx/tcbinfo.h
index 0efff67c21..7b75a1d9bc 100644
--- a/common/sgx/tcbinfo.h
+++ b/common/sgx/tcbinfo.h
@@ -13,23 +13,56 @@
 
 OE_EXTERNC_BEGIN
 
-typedef enum _oe_tcb_level_status
-{
-    OE_TCB_LEVEL_STATUS_UNKNOWN,
-    OE_TCB_LEVEL_STATUS_REVOKED,
-    OE_TCB_LEVEL_STATUS_OUT_OF_DATE,
-    OE_TCB_LEVEL_STATUS_CONFIGURATION_NEEDED,
-    OE_TCB_LEVEL_STATUS_UP_TO_DATE,
-    __OE_TCB_LEVEL_MAX = OE_ENUM_MAX,
+#define OE_TCB_LEVEL_STATUS_UNKNOWN (0)
+
+/*! \struct oe_tcb_level_status_t
+ */
+typedef union _oe_tcb_level_status {
+    struct
+    {
+        uint32_t revoked : 1;              //! "Revoked"
+        uint32_t outofdate : 1;            //! "OutOfDate"
+        uint32_t configuration_needed : 1; //! "ConfigurationNeeded"
+        uint32_t up_to_date : 1;           //! "UpToDate"
+
+        /*! "OutOfDateConfigurationNeeded"
+         *
+         * This tcb status indicates that the QE Identity Info is out of date
+         * and the TCB Info requires configuration "ConfigurationNeeded"
+         */
+        uint32_t qe_identity_out_of_date : 1;
+    } fields;
+    uint32_t AsUINT32;
+
 } oe_tcb_level_status_t;
 
-typedef struct _oe_tcb_level
+/*! \struct oe_tcb_info_tcb_level_t
+ *  \brief TCB level field in the SGX TCB Info.
+ *
+ *  Version 2 of the SGX endorsements/collaterals, the QE Identiy
+ *  Info structure also has a TCB level field (\ref See oe_qe_info_tcb_level_t).
+ */
+typedef struct _oe_tcb_info_tcb_level
 {
     uint8_t sgx_tcb_comp_svn[16];
     uint16_t pce_svn;
     oe_tcb_level_status_t status;
-} oe_tcb_level_t;
 
+    // V2 fields
+    oe_datetime_t tcb_date;
+
+    /*! Offset into the json QE Identity info where
+     * the advisoryIDs fields start.
+     */
+    size_t advisory_ids_offset;
+
+    //! Total size of all the advisoryIDs.
+    size_t advisory_ids_size;
+} oe_tcb_info_tcb_level_t;
+
+/*! \struct oe_parsed_tcb_info_t
+ *  \brief TCB info excluding the TCB levels field.
+ */
 typedef struct _oe_parsed_tcb_info
 {
     uint32_t version;
@@ -38,8 +71,15 @@ typedef struct _oe_parsed_tcb_info
     uint8_t fmspc[6];
     uint8_t pceid[2];
     uint8_t signature[64];
+
+    // V2 fields
+    uint32_t tcb_type;
+    uint32_t tcb_evaluation_data_number;
+    oe_tcb_info_tcb_level_t tcb_level;
+
     const uint8_t* tcb_info_start;
     size_t tcb_info_size;
+
 } oe_parsed_tcb_info_t;
 
 /**
@@ -63,11 +103,17 @@ typedef struct _oe_parsed_tcb_info
  * If the plaform's tcb level status was determined to be not uptodate,
  * then OE_TCB_LEVEL_INVALID is returned.
  *
+ * @param[in] tcb_info_json The json string to parse.
+ * @param[in] tcb_info_json_size The string length of info_json
+ * @param[in] platform_tcb_level The platform tcb level.
+ *                The sgx_tcb_comp_svn and pce_svn fields are required to be
+ * set.
+ * @param[out] parsed_info The parsed results.
  */
 oe_result_t oe_parse_tcb_info_json(
     const uint8_t* tcb_info_json,
     size_t tcb_info_json_size,
-    oe_tcb_level_t* platform_tcb_level,
+    oe_tcb_info_tcb_level_t* platform_tcb_level,
     oe_parsed_tcb_info_t* parsed_info);
 
 oe_result_t oe_verify_ecdsa256_signature(
@@ -76,29 +122,96 @@ oe_result_t oe_verify_ecdsa256_signature(
     sgx_ecdsa256_signature_t* signature,
     oe_cert_chain_t* tcb_cert_chain);
 
+/*! \enum oe_qe_identity_id
+ *  \brief Quoting enclave identity id (V2 only)
+ */
+typedef enum _oe_qe_identity_id
+{
+    QE_IDENTITY_ID_QE,
+    QE_IDENTITY_ID_QVE
+} oe_qe_identity_id_t;
+
+/*! \struct oe_qe_tcb_level
+ *  \brief Quoting enclave identity TCB level.  Applies to V2 only.
+ */
+typedef struct _oe_qe_identity_info_tcb_level
+{
+    uint32_t isvsvn[1];
+    oe_tcb_level_status_t tcb_status;
+    oe_datetime_t tcb_date;
+
+    /*! Offset into the json QE Identity info where
+     * the advisoryIDs fields start.
+     */
+    size_t advisory_ids_offset;
+
+    //! Total size of all the advisoryIDs.
+    size_t advisory_ids_size;
+} oe_qe_identity_info_tcb_level_t;
+
+/*! \struct oe_parsed_qe_identity_info_t
+ *  \brief SGX Quoting Enclave Identity Info data structure.
+ */
 typedef struct _oe_parsed_qe_identity_info
 {
     uint32_t version;
     oe_datetime_t issue_date;
     oe_datetime_t next_update;
-    uint32_t miscselect;         // The MISCSELECT that must be set
-    uint32_t miscselect_mask;    // Mask of MISCSELECT to enforce
-    sgx_attributes_t attributes; // flags and xfrm (XSAVE-Feature Request Mask)
-    uint64_t attributes_flags_mask;   // mask for attributes.flags
-    uint64_t attributes_xfrm_mask;    // mask for attributes.xfrm
-    uint8_t mrsigner[OE_SHA256_SIZE]; // MRSIGNER of the enclave
-    uint16_t isvprodid;               // ISV assigned Product ID
-    uint16_t isvsvn;                  // ISV assigned SVN
+    uint32_t miscselect;         //! The MISCSELECT that must be set
+    uint32_t miscselect_mask;    //! Mask of MISCSELECT to enforce
+    sgx_attributes_t attributes; //! flags and xfrm (XSAVE-Feature Request Mask)
+    uint64_t attributes_flags_mask;   //! mask for attributes.flags
+    uint64_t attributes_xfrm_mask;    //! mask for attributes.xfrm
+    uint8_t mrsigner[OE_SHA256_SIZE]; //! MRSIGNER of the enclave
+    uint16_t isvprodid;               //! ISV assigned Product ID
+    uint16_t isvsvn;                  //! ISV assigned SVN
     uint8_t signature[64];
+
+    // V2 fields
+    oe_qe_identity_id_t id;
+    uint32_t tcb_evaluation_data_number;
+    oe_qe_identity_info_tcb_level_t tcb_level;
+
     const uint8_t* info_start;
     size_t info_size;
 } oe_parsed_qe_identity_info_t;
 
+/*!
+ * Parse a QE or QVE identity json string.
+ *
+ * @param[in] info_json The json string to parse.
+ * @param[in] info_json_size The string length of info_json
+ * @param[in,out] platform_tcb_level The platform tcb level.
+ *                The platform isvsvn is required to be set as input.
+ *                The status field is updated as output.
+ * @param[out] parsed_info The parsed results.
+ */
 oe_result_t oe_parse_qe_identity_info_json(
     const uint8_t* info_json,
     size_t info_json_size,
+    oe_qe_identity_info_tcb_level_t* platform_tcb_level,
     oe_parsed_qe_identity_info_t* parsed_info);
 
+/*!
+ * Parse an advisoryIDs field json string.
+ *
+ * @param[in] json Json string to parse.
+ * @param[in] json_size Length of the json string.
+ * @param[out] id_array Array of char* to store the resulting advisoryIDs.
+ * @param[in] json_size The number of elements in array id_array.
+ * @param[out] id_sizes_array Array of the length of each id in id_array.
+ * @param[in] id_sizes_size The number of elements in array id_sizes_array.
+ * @param[out] num_ids The number of advisoryIDs set in id_array.
+ */
+oe_result_t oe_parse_advisoryids_json(
+    const uint8_t* json,
+    size_t json_size,
+    const uint8_t** id_array,
+    size_t id_array_size,
+    size_t* id_sizes_array,
+    size_t id_sizes_size,
+    size_t* num_ids);
+
 OE_EXTERNC_END
 
 #endif // _OE_COMMON_TCBINFO_H
diff --git a/docs/DesignDocs/SGX_Endorsements_V2.md b/docs/DesignDocs/SGX_Endorsements_V2.md
index ddb7c1a54b..4e631e2d21 100644
--- a/docs/DesignDocs/SGX_Endorsements_V2.md
+++ b/docs/DesignDocs/SGX_Endorsements_V2.md
@@ -116,63 +116,65 @@ typedef union _oe_tcb_level_status
                                                 
 } oe_tcb_level_status_t;
 
-// Existing TCB Level struct for TCB Info.  Will rename this
-// struct to oe_tcb_tcb_level given that
-// QE identity info also has its TCB level data field.
-typedef struct _oe_tcb_tcb_level
+/*! \struct oe_tcb_info_tcb_level_t
+ *  \brief TCB level field in the SGX TCB Info.
+ *
+ *  Version 2 of the SGX endorsements/collaterals, the QE Identiy
+ *  Info structure also has a TCB level field (\ref See oe_qe_info_tcb_level_t).
+ */
+typedef struct _oe_tcb_info_tcb_level
 {
-    // Existing fields
     uint8_t sgx_tcb_comp_svn[16];
     uint16_t pce_svn;
-    oe_tcb_level_status_t tcb_status;
+    oe_tcb_level_status_t status;
 
-    // New fields
+    // V2 fields
     oe_datetime_t tcb_date;
 
     /*! Offset into the json QE Identity info where
      * the advisoryIDs fields start.
-     *
-     * Example of this field: ["INTEL-SA-00079", "INTEL-SA-00076"]
      */
     size_t advisory_ids_offset;
 
     //! Total size of all the advisoryIDs.
     size_t advisory_ids_size;
+} oe_tcb_info_tcb_level_t;
 
-} oe_tcb_tcb_level_t;
-
+/*! \struct oe_parsed_tcb_info_t
+ *  \brief TCB info excluding the TCB levels field.
+ */
 typedef struct _oe_parsed_tcb_info
 {
-    // Existing fields
     uint32_t version;
     oe_datetime_t issue_date;
     oe_datetime_t next_update;
     uint8_t fmspc[6];
     uint8_t pceid[2];
     uint8_t signature[64];
-    const uint8_t* tcb_info_start;
-    size_t tcb_info_size;
-    oe_tcb_tcb_level_t tcb_level;
 
-    // New fields
+    // V2 fields
     uint32_t tcb_type;
     uint32_t tcb_evaluation_data_number;
+    oe_tcb_info_tcb_level_t tcb_level;
+
+    const uint8_t* tcb_info_start;
+    size_t tcb_info_size;
 
 } oe_parsed_tcb_info_t;
 
-/*!
- * New enum for QE id field
+/*! \enum oe_qe_identity_id
+ *  \brief Quoting enclave identity id (V2 only)
  */
 typedef enum _oe_qe_identity_id
 {
-    OE_IDENTITY_ID_QE,
+    QE_IDENTITY_ID_QE,
     QE_IDENTITY_ID_QVE
-} oe_qe_identity_id;
+} oe_qe_identity_id_t;
 
-/*!
- * New TCB level for QE identity info.
+/*! \struct oe_qe_tcb_level
+ *  \brief Quoting enclave identity TCB level.  Applies to V2 only.
  */
-typedef struct _oe_qe_tcb_level
+typedef struct _oe_qe_identity_info_tcb_level
 {
     uint32_t isvsvn[1];
     oe_tcb_level_status_t tcb_status;
@@ -185,32 +187,33 @@ typedef struct _oe_qe_tcb_level
 
     //! Total size of all the advisoryIDs.
     size_t advisory_ids_size;
+} oe_qe_identity_info_tcb_level_t;
 
-} oe_qe_tcb_level_t;
-
+/*! \struct oe_parsed_qe_identity_info_t
+ *  \brief SGX Quoting Enclave Identity Info data structure.
+ */
 typedef struct _oe_parsed_qe_identity_info
 {
-    // Existing fields
     uint32_t version;
     oe_datetime_t issue_date;
     oe_datetime_t next_update;
-    uint32_t miscselect;         // The MISCSELECT that must be set
-    uint32_t miscselect_mask;    // Mask of MISCSELECT to enforce
-    sgx_attributes_t attributes; // flags and xfrm (XSAVE-Feature Request Mask)
-    uint64_t attributes_flags_mask;   // mask for attributes.flags
-    uint64_t attributes_xfrm_mask;    // mask for attributes.xfrm
-    uint8_t mrsigner[OE_SHA256_SIZE]; // MRSIGNER of the enclave
-    uint16_t isvprodid;               // ISV assigned Product ID
-    uint16_t isvsvn;                  // ISV assigned SVN
+    uint32_t miscselect;         //! The MISCSELECT that must be set
+    uint32_t miscselect_mask;    //! Mask of MISCSELECT to enforce
+    sgx_attributes_t attributes; //! flags and xfrm (XSAVE-Feature Request Mask)
+    uint64_t attributes_flags_mask;   //! mask for attributes.flags
+    uint64_t attributes_xfrm_mask;    //! mask for attributes.xfrm
+    uint8_t mrsigner[OE_SHA256_SIZE]; //! MRSIGNER of the enclave
+    uint16_t isvprodid;               //! ISV assigned Product ID
+    uint16_t isvsvn;                  //! ISV assigned SVN
     uint8_t signature[64];
-    const uint8_t* info_start;
-    size_t info_size;
 
-    // New fields
-    oe_qe_identity_id id;
+    // V2 fields
+    oe_qe_identity_id_t id;
     uint32_t tcb_evaluation_data_number;
-    oe_qe_tcb_level_t tcb_level;
+    oe_qe_identity_info_tcb_level_t tcb_level;
 
+    const uint8_t* info_start;
+    size_t info_size;
 } oe_parsed_qe_identity_info_t;
 ```
 
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_attributes.json b/tests/qeidentity/data_v2/qe_identity_missing_attributes.json
new file mode 100644
index 0000000000..06000c62b7
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_attributes.json
@@ -0,0 +1,28 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "version":2,
+      "issueDate":"2019-11-08T00:59:29Z",
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbDate":"2019-05-15T00:00:00Z",
+            "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_attributesmask.json b/tests/qeidentity/data_v2/qe_identity_missing_attributesmask.json
new file mode 100644
index 0000000000..30c44cc16e
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_attributesmask.json
@@ -0,0 +1,28 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "version":2,
+      "issueDate":"2019-11-08T00:59:29Z",
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbDate":"2019-05-15T00:00:00Z",
+            "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_id.json b/tests/qeidentity/data_v2/qe_identity_missing_id.json
new file mode 100644
index 0000000000..7b8ff2e5ea
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_id.json
@@ -0,0 +1,28 @@
+{
+  "enclaveIdentity":
+    {
+      "version":2,
+      "issueDate":"2019-11-08T00:59:29Z",
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbDate":"2019-05-15T00:00:00Z",
+            "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_issuedate.json b/tests/qeidentity/data_v2/qe_identity_missing_issuedate.json
new file mode 100644
index 0000000000..c95c4c934d
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_issuedate.json
@@ -0,0 +1,28 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "version":2,
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbDate":"2019-05-15T00:00:00Z",
+            "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_isvprodid.json b/tests/qeidentity/data_v2/qe_identity_missing_isvprodid.json
new file mode 100644
index 0000000000..a1932dccf2
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_isvprodid.json
@@ -0,0 +1,28 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "version":2,
+      "issueDate":"2019-11-08T00:59:29Z",
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbDate":"2019-05-15T00:00:00Z",
+            "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_isvsvn.json b/tests/qeidentity/data_v2/qe_identity_missing_isvsvn.json
new file mode 100644
index 0000000000..31d8251bdf
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_isvsvn.json
@@ -0,0 +1,29 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "version":2,
+      "issueDate":"2019-11-08T00:59:29Z",
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{:2},
+            "tcbDate":"2019-05-15T00:00:00Z",
+            "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_miscselect.json b/tests/qeidentity/data_v2/qe_identity_missing_miscselect.json
new file mode 100644
index 0000000000..704d7eca8b
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_miscselect.json
@@ -0,0 +1,28 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "version":2,
+      "issueDate":"2019-11-08T00:59:29Z",
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbDate":"2019-05-15T00:00:00Z",
+            "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_miscselectmask.json b/tests/qeidentity/data_v2/qe_identity_missing_miscselectmask.json
new file mode 100644
index 0000000000..44e6f6c8f1
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_miscselectmask.json
@@ -0,0 +1,28 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "version":2,
+      "issueDate":"2019-11-08T00:59:29Z",
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbDate":"2019-05-15T00:00:00Z",
+            "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_mrsigner.json b/tests/qeidentity/data_v2/qe_identity_missing_mrsigner.json
new file mode 100644
index 0000000000..906e2f5821
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_mrsigner.json
@@ -0,0 +1,28 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "version":2,
+      "issueDate":"2019-11-08T00:59:29Z",
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbDate":"2019-05-15T00:00:00Z",
+            "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_nextupdate.json b/tests/qeidentity/data_v2/qe_identity_missing_nextupdate.json
new file mode 100644
index 0000000000..f0d6662cdb
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_nextupdate.json
@@ -0,0 +1,28 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "version":2,
+      "issueDate":"2019-11-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbDate":"2019-05-15T00:00:00Z",
+            "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_qeidentity.json b/tests/qeidentity/data_v2/qe_identity_missing_qeidentity.json
new file mode 100644
index 0000000000..55ac2fee60
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_qeidentity.json
@@ -0,0 +1,29 @@
+{
+  :
+    {
+      "id":"QE",
+      "version":2,
+      "issueDate":"2019-11-08T00:59:29Z",
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbDate":"2019-05-15T00:00:00Z",
+            "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_signature.json b/tests/qeidentity/data_v2/qe_identity_missing_signature.json
new file mode 100644
index 0000000000..ee8d002636
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_signature.json
@@ -0,0 +1,28 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "version":2,
+      "issueDate":"2019-11-08T00:59:29Z",
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbDate":"2019-05-15T00:00:00Z",
+            "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    }
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_tcb_date.json b/tests/qeidentity/data_v2/qe_identity_missing_tcb_date.json
new file mode 100644
index 0000000000..865f3a1b6f
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_tcb_date.json
@@ -0,0 +1,28 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "version":2,
+      "issueDate":"2019-11-08T00:59:29Z",
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_tcb_eval_data_num.json b/tests/qeidentity/data_v2/qe_identity_missing_tcb_eval_data_num.json
new file mode 100644
index 0000000000..daf5d52db8
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_tcb_eval_data_num.json
@@ -0,0 +1,28 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "version":2,
+      "issueDate":"2019-11-08T00:59:29Z",
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbDate":"2019-05-15T00:00:00Z",
+            "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_tcb_levels.json b/tests/qeidentity/data_v2/qe_identity_missing_tcb_levels.json
new file mode 100644
index 0000000000..1677ec9b0e
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_tcb_levels.json
@@ -0,0 +1,17 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "version":2,
+      "issueDate":"2019-11-08T00:59:29Z",
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_tcb_status.json b/tests/qeidentity/data_v2/qe_identity_missing_tcb_status.json
new file mode 100644
index 0000000000..f59063d23b
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_tcb_status.json
@@ -0,0 +1,28 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "version":2,
+      "issueDate":"2019-11-08T00:59:29Z",
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbDate":"2019-05-15T00:00:00Z"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_missing_version.json b/tests/qeidentity/data_v2/qe_identity_missing_version.json
new file mode 100644
index 0000000000..40bd23675c
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_missing_version.json
@@ -0,0 +1,28 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "issueDate":"2019-11-08T00:59:29Z",
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbDate":"2019-05-15T00:00:00Z",
+            "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_ok.json b/tests/qeidentity/data_v2/qe_identity_ok.json
new file mode 100644
index 0000000000..f65721e944
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_ok.json
@@ -0,0 +1,29 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "version":2,
+      "issueDate":"2018-10-18T01:26:20Z",
+      "nextUpdate":"2018-11-17T01:26:20Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+          "tcbDate":"2019-05-15T01:02:03Z",
+          "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"3ad9d2811548ac36b5d5648a74e352377ea681c2d780b75f579bb5058998c487a13c6fbf27b5bae23e77f7d55657fefef110c30ae9197202462913a963e6802b"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qe_identity_with_advisoryids.json b/tests/qeidentity/data_v2/qe_identity_with_advisoryids.json
new file mode 100644
index 0000000000..1d42b19ed0
--- /dev/null
+++ b/tests/qeidentity/data_v2/qe_identity_with_advisoryids.json
@@ -0,0 +1,30 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QE",
+      "version":2,
+      "issueDate":"2019-11-08T00:59:29Z",
+      "nextUpdate":"2019-12-08T00:59:29Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbDate":"2019-05-15T00:00:00Z",
+            "tcbStatus":"UpToDate",
+            "advisoryIDs":["INTEL-SA-00079", "INTEL-SA-00076"]
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"d258943a7f496eb3b0acbfed97594b3f9f26a5b818af1726089799e6b2238289fa3557423622968be8bb6602a697ab3db8895a01186d831b60d3230d05e5bf08"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/data_v2/qve_identity_ok.json b/tests/qeidentity/data_v2/qve_identity_ok.json
new file mode 100644
index 0000000000..cb9732e1d3
--- /dev/null
+++ b/tests/qeidentity/data_v2/qve_identity_ok.json
@@ -0,0 +1,29 @@
+{
+  "enclaveIdentity":
+    {
+      "id":"QVE",
+      "version":2,
+      "issueDate":"2018-10-18T01:26:20Z",
+      "nextUpdate":"2018-11-17T01:26:20Z",
+      "tcbEvaluationDataNumber":5,
+      "miscselect":"00000000",
+      "miscselectMask":"FFFFFFFF",
+      "attributes":"11000000000000000000000000000000",
+      "attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",
+      "mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
+      "isvprodid":1,
+      "tcbLevels":[
+        {
+          "tcb":{"isvsvn":2},
+            "tcbDate":"2019-05-15T01:02:03Z",
+            "tcbStatus":"UpToDate"
+        },
+        {
+          "tcb":{"isvsvn":1},
+          "tcbDate":"2018-08-15T00:00:00Z",
+          "tcbStatus":"OutOfDate"
+        }
+      ]
+    },
+  "signature":"3ad9d2811548ac36b5d5648a74e352377ea681c2d780b75f579bb5058998c487a13c6fbf27b5bae23e77f7d55657fefef110c30ae9197202462913a963e6802b"
+}
\ No newline at end of file
diff --git a/tests/qeidentity/enc/enc.cpp b/tests/qeidentity/enc/enc.cpp
index 0b7620a690..49330c5877 100644
--- a/tests/qeidentity/enc/enc.cpp
+++ b/tests/qeidentity/enc/enc.cpp
@@ -14,13 +14,18 @@
 
 oe_result_t test_verify_qe_identity_info(
     const char* info_json,
+    oe_qe_identity_info_tcb_level_t* platform_tcb_level,
     oe_parsed_qe_identity_info_t* parsed_info)
 {
 #ifdef OE_LINK_SGX_DCAP_QL
     return oe_parse_qe_identity_info_json(
-        (const uint8_t*)info_json, strlen(info_json) + 1, parsed_info);
+        (const uint8_t*)info_json,
+        strlen(info_json) + 1,
+        platform_tcb_level,
+        parsed_info);
 #else
     OE_UNUSED(info_json);
+    OE_UNUSED(platform_tcb_level);
     OE_UNUSED(parsed_info);
     return OE_OK;
 #endif
diff --git a/tests/qeidentity/host/CMakeLists.txt b/tests/qeidentity/host/CMakeLists.txt
index c724cdf5a1..20bee2c8e4 100644
--- a/tests/qeidentity/host/CMakeLists.txt
+++ b/tests/qeidentity/host/CMakeLists.txt
@@ -11,6 +11,7 @@ endif()
 
 add_custom_command(TARGET qeidentity_host
     COMMAND ${CMAKE_COMMAND} -E copy_directory ${CMAKE_CURRENT_SOURCE_DIR}/../data ${CMAKE_CURRENT_BINARY_DIR}/../data
+    COMMAND ${CMAKE_COMMAND} -E copy_directory ${CMAKE_CURRENT_SOURCE_DIR}/../data_v2 ${CMAKE_CURRENT_BINARY_DIR}/../data_v2
 )
 
 target_include_directories(qeidentity_host PRIVATE ${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CURRENT_SOURCE_DIR}/../common)
diff --git a/tests/qeidentity/host/host.cpp b/tests/qeidentity/host/host.cpp
index 72e91dae6c..6d012bfe5a 100644
--- a/tests/qeidentity/host/host.cpp
+++ b/tests/qeidentity/host/host.cpp
@@ -14,7 +14,9 @@
 
 #define SKIP_RETURN_CODE 2
 
+extern void run_parse_advisoryids_json_test();
 extern void run_qe_identity_test_cases(oe_enclave_t* enclave);
+extern void run_qe_identity_v2_test_cases(oe_enclave_t* enclave);
 extern std::vector<uint8_t> FileToBytes(const char* path);
 
 int main(int argc, const char* argv[])
@@ -47,7 +49,9 @@ int main(int argc, const char* argv[])
 
 #ifdef OE_LINK_SGX_DCAP_QL
 
+    run_parse_advisoryids_json_test();
     run_qe_identity_test_cases(enclave);
+    run_qe_identity_v2_test_cases(enclave);
 
 #endif
 
diff --git a/tests/qeidentity/host/qeidentifyinfo.cpp b/tests/qeidentity/host/qeidentifyinfo.cpp
index 6d6e0233ef..a19f450b98 100644
--- a/tests/qeidentity/host/qeidentifyinfo.cpp
+++ b/tests/qeidentity/host/qeidentifyinfo.cpp
@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 #ifdef OE_LINK_SGX_DCAP_QL
 
+#include <openenclave/bits/safecrt.h>
 #include <openenclave/host.h>
 #include <openenclave/internal/error.h>
 #include <openenclave/internal/hexdump.h>
@@ -40,10 +41,8 @@ std::vector<uint8_t> FileToBytes(const char* path)
     return bytes;
 }
 
-void check_parsed_value(oe_parsed_qe_identity_info_t& parsed_info)
+void check_parsed_common_values(oe_parsed_qe_identity_info_t& parsed_info)
 {
-    OE_TEST(parsed_info.version == 1);
-
     oe_datetime_t expected_issue_date = {2018, 10, 18, 1, 26, 20};
     OE_TEST(
         oe_datetime_compare(&parsed_info.issue_date, &expected_issue_date) ==
@@ -62,7 +61,6 @@ void check_parsed_value(oe_parsed_qe_identity_info_t& parsed_info)
     // OE_TEST(parsed_info.attributesMask   == 0xFFFFFFFF);
 
     OE_TEST(parsed_info.isvprodid == 1);
-    OE_TEST(parsed_info.isvsvn == 1);
 
     uint8_t expected_mrsigner[32] = {
         0x8C, 0x4F, 0x57, 0x75, 0xD7, 0x96, 0x50, 0x3E, 0x96, 0x13, 0x7F,
@@ -88,6 +86,31 @@ void check_parsed_value(oe_parsed_qe_identity_info_t& parsed_info)
             sizeof(expected_signature)) == 0);
 }
 
+void check_parsed_v1_values(oe_parsed_qe_identity_info_t& parsed_info)
+{
+    OE_TEST(parsed_info.version == 1);
+    OE_TEST(parsed_info.isvsvn == 1);
+    check_parsed_common_values(parsed_info);
+}
+
+void check_parsed_v2_values(oe_parsed_qe_identity_info_t& parsed_info)
+{
+    OE_TEST(parsed_info.version == 2);
+    OE_TEST(parsed_info.tcb_evaluation_data_number == 5);
+    OE_TEST(parsed_info.isvsvn == 2);
+    OE_TEST(parsed_info.tcb_level.isvsvn[0] == 2);
+
+    oe_datetime_t expected_tcb_date = {2019, 5, 15, 1, 2, 3};
+    OE_TEST(
+        oe_datetime_compare(
+            &parsed_info.tcb_level.tcb_date, &expected_tcb_date) == 0);
+
+    OE_TEST(parsed_info.tcb_level.tcb_status.fields.up_to_date == 1);
+    OE_TEST(parsed_info.tcb_level.advisory_ids_size == 0);
+
+    check_parsed_common_values(parsed_info);
+}
+
 void run_qe_identity_test_cases(oe_enclave_t* enclave)
 {
     // validate positive case
@@ -103,9 +126,10 @@ void run_qe_identity_test_cases(oe_enclave_t* enclave)
             enclave,
             &ecall_result,
             (const char*)&positive_qe_id_info[0],
+            NULL,
             &parsed_info) == OE_OK);
     OE_TEST(ecall_result == OE_OK);
-    check_parsed_value(parsed_info);
+    check_parsed_v1_values(parsed_info);
 
     // validate negative case
     qe_identity_test_case_t test_cases[] = {
@@ -139,12 +163,232 @@ void run_qe_identity_test_cases(oe_enclave_t* enclave)
                 enclave,
                 &ecall_result,
                 (const char*)&qeIdInfo[0],
+                NULL,
+                &parsed_info) == OE_OK);
+
+        printf(
+            "%s: ecall_result = %s   expected_result = %s\n",
+            test_cases[i].file_name,
+            oe_result_str(ecall_result),
+            oe_result_str(test_cases[i].expected_result));
+        OE_TEST(ecall_result == test_cases[i].expected_result);
+        printf("passed\n");
+    }
+}
+
+void run_parse_advisoryids_json_test()
+{
+    const uint8_t* advisoryids_test0 = (const uint8_t*)"\"advisoryId1\"";
+    const uint8_t* advisoryids_test1 =
+        (const uint8_t*)"\"advisoryId1\", \"advisoryId2\", \"advisoryId3\"";
+    const uint8_t* id_array[3];
+    size_t id_size_array[3];
+    size_t num_ids = 0;
+
+    OE_TEST(
+        oe_parse_advisoryids_json(
+            advisoryids_test0,
+            strlen((const char*)advisoryids_test0),
+            (const uint8_t**)&id_array,
+            3,
+            (size_t*)id_size_array,
+            3,
+            &num_ids) == OE_OK);
+    OE_TEST(num_ids == 1);
+
+    OE_TEST(
+        oe_parse_advisoryids_json(
+            advisoryids_test1,
+            strlen((const char*)advisoryids_test1),
+            (const uint8_t**)&id_array,
+            3,
+            (size_t*)id_size_array,
+            3,
+            &num_ids) == OE_OK);
+    OE_TEST(num_ids == 3);
+
+    OE_TEST(
+        oe_parse_advisoryids_json(
+            NULL,
+            0,
+            (const uint8_t**)&id_array,
+            3,
+            (size_t*)id_size_array,
+            3,
+            &num_ids) == OE_INVALID_PARAMETER);
+}
+
+void run_qe_identity_v2_test_cases(oe_enclave_t* enclave)
+{
+    // validate positive case
+    std::vector<uint8_t> positive_qe_id_info =
+        FileToBytes("./data_v2/qe_identity_ok.json");
+    std::vector<uint8_t> positive_qve_id_info =
+        FileToBytes("./data_v2/qve_identity_ok.json");
+    std::vector<uint8_t> positive_qe_id_info_with_advisoryids =
+        FileToBytes("./data_v2/qe_identity_with_advisoryids.json");
+
+    const uint8_t* advisoryIDs[2] = {0};
+    size_t advisoryIDs_length[2] = {0};
+    const char* expectedAdvisoryIDs[2] = {"INTEL-SA-00079", "INTEL-SA-00076"};
+    size_t num_advisory_ids = 0;
+
+    oe_parsed_qe_identity_info_t parsed_info = {0};
+    oe_qe_identity_info_tcb_level_t platform_tcb_level = {{0}};
+    oe_result_t ecall_result = OE_FAILURE;
+
+    // QE Identity V2 positive test
+    platform_tcb_level.isvsvn[0] = 2;
+    OE_TEST(
+        test_verify_qe_identity_info(
+            enclave,
+            &ecall_result,
+            (const char*)&positive_qe_id_info[0],
+            &platform_tcb_level,
+            &parsed_info) == OE_OK);
+    OE_TEST(ecall_result == OE_OK);
+    OE_TEST(parsed_info.id == QE_IDENTITY_ID_QE);
+    check_parsed_v2_values(parsed_info);
+    printf("\n\nQE Identity V2 positive test. PASSED.\n");
+
+    // QE Identity V2 negative, OutOfDate
+    platform_tcb_level.isvsvn[0] = 1;
+    OE_TEST(
+        test_verify_qe_identity_info(
+            enclave,
+            &ecall_result,
+            (const char*)&positive_qe_id_info[0],
+            &platform_tcb_level,
+            &parsed_info) == OE_OK);
+    OE_TEST(ecall_result == OE_TCB_LEVEL_INVALID);
+    OE_TEST(parsed_info.id == QE_IDENTITY_ID_QE);
+    OE_TEST(parsed_info.tcb_level.tcb_status.fields.outofdate == 1);
+    printf("\n\nQE Identity V2 positive test, OutOfDate. PASSED.\n");
+
+    // QE Identity V2 positive with advisoryIDs
+    platform_tcb_level.isvsvn[0] = 2;
+    OE_TEST(
+        test_verify_qe_identity_info(
+            enclave,
+            &ecall_result,
+            (const char*)&positive_qe_id_info_with_advisoryids[0],
+            &platform_tcb_level,
+            &parsed_info) == OE_OK);
+    OE_TEST(ecall_result == OE_OK);
+    OE_TEST(parsed_info.id == QE_IDENTITY_ID_QE);
+    OE_TEST(parsed_info.tcb_level.tcb_status.fields.up_to_date == 1);
+    OE_TEST(parsed_info.tcb_level.advisory_ids_size > 0);
+    OE_TEST(
+        parsed_info.tcb_level.advisory_ids_offset <
+        positive_qe_id_info_with_advisoryids.size());
+
+    const char* ptr = (const char*)&positive_qe_id_info_with_advisoryids
+        [parsed_info.tcb_level.advisory_ids_offset];
+    OE_TEST(
+        oe_parse_advisoryids_json(
+            (const uint8_t*)ptr,
+            parsed_info.tcb_level.advisory_ids_size,
+            (const uint8_t**)&advisoryIDs,
+            2,
+            (size_t*)&advisoryIDs_length,
+            2,
+            &num_advisory_ids) == OE_OK);
+    OE_TEST(num_advisory_ids == 2);
+    for (int i = 0; i < 2; i++)
+    {
+        printf(
+            "AdvisoryIDs[%d]: %.*s\n",
+            i,
+            (int)advisoryIDs_length[i],
+            advisoryIDs[i]);
+        OE_TEST(
+            strncmp(
+                (const char*)advisoryIDs[i],
+                expectedAdvisoryIDs[i],
+                advisoryIDs_length[i]) == 0);
+    }
+    printf("QE Identity V2 positive test, with advisoryIDs. PASSED\n");
+
+    // QVE Identity V2 positive test
+    platform_tcb_level.isvsvn[0] = 2;
+    OE_TEST(
+        test_verify_qe_identity_info(
+            enclave,
+            &ecall_result,
+            (const char*)&positive_qve_id_info[0],
+            &platform_tcb_level,
+            &parsed_info) == OE_OK);
+    OE_TEST(ecall_result == OE_OK);
+    OE_TEST(parsed_info.id == QE_IDENTITY_ID_QVE);
+    check_parsed_v2_values(parsed_info);
+    printf("\n\nQVE Identity V2 positive test. PASSED.\n");
+
+    // negative test without a valid platform_tcb_level
+    OE_TEST(
+        test_verify_qe_identity_info(
+            enclave,
+            &ecall_result,
+            (const char*)&positive_qe_id_info[0],
+            NULL,
+            &parsed_info) == OE_OK);
+    OE_TEST(ecall_result == OE_INVALID_PARAMETER);
+    printf("\n\nQE Identity V2 negative test with invalid platform_tcb_level. "
+           "PASSED.\n");
+
+    // validate negative case
+    qe_identity_test_case_t test_cases[] = {
+        {"./data_v2/qe_identity_missing_qeidentity.json",
+         OE_JSON_INFO_PARSE_ERROR},
+        {"./data_v2/qe_identity_missing_version.json",
+         OE_JSON_INFO_PARSE_ERROR},
+        {"./data_v2/qe_identity_missing_issuedate.json",
+         OE_JSON_INFO_PARSE_ERROR},
+        {"./data_v2/qe_identity_missing_nextupdate.json",
+         OE_JSON_INFO_PARSE_ERROR},
+        {"./data_v2/qe_identity_missing_miscselect.json",
+         OE_JSON_INFO_PARSE_ERROR},
+        {"./data_v2/qe_identity_missing_miscselectmask.json",
+         OE_JSON_INFO_PARSE_ERROR},
+        {"./data_v2/qe_identity_missing_attributes.json",
+         OE_JSON_INFO_PARSE_ERROR},
+        {"./data_v2/qe_identity_missing_attributesmask.json",
+         OE_JSON_INFO_PARSE_ERROR},
+        {"./data_v2/qe_identity_missing_isvprodid.json",
+         OE_JSON_INFO_PARSE_ERROR},
+        {"./data_v2/qe_identity_missing_isvsvn.json", OE_JSON_INFO_PARSE_ERROR},
+        {"./data_v2/qe_identity_missing_signature.json",
+         OE_JSON_INFO_PARSE_ERROR},
+        {"./data_v2/qe_identity_missing_id.json", OE_JSON_INFO_PARSE_ERROR},
+        {"./data_v2/qe_identity_missing_mrsigner.json",
+         OE_JSON_INFO_PARSE_ERROR},
+        {"./data_v2/qe_identity_missing_tcb_date.json",
+         OE_JSON_INFO_PARSE_ERROR},
+        {"./data_v2/qe_identity_missing_tcb_eval_data_num.json",
+         OE_JSON_INFO_PARSE_ERROR},
+        {"./data_v2/qe_identity_missing_tcb_levels.json",
+         OE_JSON_INFO_PARSE_ERROR},
+        {"./data_v2/qe_identity_missing_tcb_status.json",
+         OE_JSON_INFO_PARSE_ERROR}};
+
+    for (size_t i = 0; i < sizeof(test_cases) / sizeof(test_cases[0]); ++i)
+    {
+        std::vector<uint8_t> qeIdInfo = FileToBytes(test_cases[i].file_name);
+        oe_parsed_qe_identity_info_t parsed_info = {0};
+        oe_result_t ecall_result = OE_FAILURE;
+        printf("Testing file %s ", test_cases[i].file_name);
+        OE_TEST(
+            test_verify_qe_identity_info(
+                enclave,
+                &ecall_result,
+                (const char*)&qeIdInfo[0],
+                &platform_tcb_level,
                 &parsed_info) == OE_OK);
 
         printf(
-            "ecall_result = %d   expected_result = %d\n",
-            ecall_result,
-            test_cases[i].expected_result);
+            "%s: ecall_result = %s   expected_result = %s\n",
+            test_cases[i].file_name,
+            oe_result_str(ecall_result),
+            oe_result_str(test_cases[i].expected_result));
         OE_TEST(ecall_result == test_cases[i].expected_result);
         printf("passed\n");
     }
diff --git a/tests/qeidentity/tests.edl b/tests/qeidentity/tests.edl
index ed1fe3cda5..1bf5e43db1 100644
--- a/tests/qeidentity/tests.edl
+++ b/tests/qeidentity/tests.edl
@@ -7,7 +7,8 @@ enclave {
         // qe identity info tests.
         public oe_result_t test_verify_qe_identity_info(
            [in, string] const char* info_json,
-           [user_check] oe_parsed_qe_identity_info_t* parsed_info);
+           [in] oe_qe_identity_info_tcb_level_t* platform_tcb_level,
+           [out] oe_parsed_qe_identity_info_t* parsed_info);
     };
     untrusted {
     };
diff --git a/tests/report/data/tcbInfoNegativeCompSvn.json b/tests/report/data/tcbInfoNegativeCompSvn.json
index b41296286b..47d4a40fa5 100644
--- a/tests/report/data/tcbInfoNegativeCompSvn.json
+++ b/tests/report/data/tcbInfoNegativeCompSvn.json
@@ -2,6 +2,7 @@
   "tcbInfo": {
     "version": 1,
     "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
     "fmspc": "00906EA10000",
     "tcbLevels": [
       {
diff --git a/tests/report/data/tcbInfoNegativeFloat.json b/tests/report/data/tcbInfoNegativeFloat.json
index e5ea823c94..1e3644b760 100644
--- a/tests/report/data/tcbInfoNegativeFloat.json
+++ b/tests/report/data/tcbInfoNegativeFloat.json
@@ -2,6 +2,7 @@
   "tcbInfo": {
     "version": 1.234,
     "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
     "fmspc": "00906EA10000",
     "tcbLevels": [
       {
diff --git a/tests/report/data/tcbInfoNegativeIntegerOverflow.json b/tests/report/data/tcbInfoNegativeIntegerOverflow.json
index d75dc24b32..d581bbb604 100644
--- a/tests/report/data/tcbInfoNegativeIntegerOverflow.json
+++ b/tests/report/data/tcbInfoNegativeIntegerOverflow.json
@@ -2,6 +2,7 @@
   "tcbInfo": {
     "version": 10000000000000000000000000000000000,
     "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
     "fmspc": "00906EA10000",
     "tcbLevels": [
       {
diff --git a/tests/report/data/tcbInfoNegativeIntegerWithSign.json b/tests/report/data/tcbInfoNegativeIntegerWithSign.json
index c37bf74139..bd4dd7f80f 100644
--- a/tests/report/data/tcbInfoNegativeIntegerWithSign.json
+++ b/tests/report/data/tcbInfoNegativeIntegerWithSign.json
@@ -2,6 +2,7 @@
   "tcbInfo": {
     "version": -1,
     "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
     "fmspc": "00906EA10000",
     "tcbLevels": [
       {
diff --git a/tests/report/data/tcbInfoNegativeInvalidIssueDate.json b/tests/report/data/tcbInfoNegativeInvalidIssueDate.json
index 6cabd038ff..50582b6fe2 100644
--- a/tests/report/data/tcbInfoNegativeInvalidIssueDate.json
+++ b/tests/report/data/tcbInfoNegativeInvalidIssueDate.json
@@ -2,6 +2,7 @@
   "tcbInfo": {
     "version": 1,
     "issueDate": "2018-16-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
     "fmspc": "00906EA10000",
     "tcbLevels": [
       {
diff --git a/tests/report/data/tcbInfoNegativePceSvn.json b/tests/report/data/tcbInfoNegativePceSvn.json
index 77bb2acf1c..e45a9aa52c 100644
--- a/tests/report/data/tcbInfoNegativePceSvn.json
+++ b/tests/report/data/tcbInfoNegativePceSvn.json
@@ -1,7 +1,8 @@
 {
   "tcbInfo": {
-    "version": 10000000000000000000000000000000000,
+    "version": 1,
     "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
     "fmspc": "00906EA10000",
     "tcbLevels": [
       {
diff --git a/tests/report/data/tcbInfoNegativePropertyMissingLevel1.json b/tests/report/data/tcbInfoNegativePropertyMissingLevel1.json
index 2845e65fbf..4cd01c0e08 100644
--- a/tests/report/data/tcbInfoNegativePropertyMissingLevel1.json
+++ b/tests/report/data/tcbInfoNegativePropertyMissingLevel1.json
@@ -2,6 +2,7 @@
   "tcbInfo": {
     "VERSION": 1,
     "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
     "fmspc": "00906EA10000",
     "tcbLevels": [
       {
diff --git a/tests/report/data/tcbInfoNegativePropertyMissingLevel2.json b/tests/report/data/tcbInfoNegativePropertyMissingLevel2.json
index dcc45f3e9a..2b4c994d7e 100644
--- a/tests/report/data/tcbInfoNegativePropertyMissingLevel2.json
+++ b/tests/report/data/tcbInfoNegativePropertyMissingLevel2.json
@@ -2,6 +2,7 @@
   "tcbInfo": {
     "version": 1,
     "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
     "fmspc": "00906EA10000",
     "tcbLevels": [
       {
diff --git a/tests/report/data/tcbInfoNegativePropertyMissingLevel3.json b/tests/report/data/tcbInfoNegativePropertyMissingLevel3.json
index 54749432d6..9057df7bc8 100644
--- a/tests/report/data/tcbInfoNegativePropertyMissingLevel3.json
+++ b/tests/report/data/tcbInfoNegativePropertyMissingLevel3.json
@@ -2,6 +2,7 @@
   "tcbInfo": {
     "version": 1,
     "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
     "fmspc": "00906EA10000",
     "tcbLevels": [
       {
diff --git a/tests/report/data/tcbInfoNegativePropertyWrongTypeLevel0.json b/tests/report/data/tcbInfoNegativePropertyWrongTypeLevel0.json
index 60c8b0aad9..0b082f6346 100644
--- a/tests/report/data/tcbInfoNegativePropertyWrongTypeLevel0.json
+++ b/tests/report/data/tcbInfoNegativePropertyWrongTypeLevel0.json
@@ -2,6 +2,7 @@
   "tcbInfo": {
     "version": 1,
     "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
     "fmspc": "00906EA10000",
     "tcbLevels": [
       {
diff --git a/tests/report/data/tcbInfoNegativePropertyWrongTypeLevel1.json b/tests/report/data/tcbInfoNegativePropertyWrongTypeLevel1.json
index 2ec898120d..037cc4241f 100644
--- a/tests/report/data/tcbInfoNegativePropertyWrongTypeLevel1.json
+++ b/tests/report/data/tcbInfoNegativePropertyWrongTypeLevel1.json
@@ -2,6 +2,7 @@
   "tcbInfo": {
     "version": 1,
     "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
     "fmspc": 90610000,
     "tcbLevels": [
       {
diff --git a/tests/report/data/tcbInfoNegativePropertyWrongTypeLevel2.json b/tests/report/data/tcbInfoNegativePropertyWrongTypeLevel2.json
index 9ccb6f19eb..9bc9a0ffc3 100644
--- a/tests/report/data/tcbInfoNegativePropertyWrongTypeLevel2.json
+++ b/tests/report/data/tcbInfoNegativePropertyWrongTypeLevel2.json
@@ -2,6 +2,7 @@
   "tcbInfo": {
     "version": 1,
     "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
     "fmspc": "00906EA10000",
     "tcbLevels": [
       {
diff --git a/tests/report/data/tcbInfoNegativePropertyWrongTypeLevel3.json b/tests/report/data/tcbInfoNegativePropertyWrongTypeLevel3.json
index 788d5ecb52..b37a54f02a 100644
--- a/tests/report/data/tcbInfoNegativePropertyWrongTypeLevel3.json
+++ b/tests/report/data/tcbInfoNegativePropertyWrongTypeLevel3.json
@@ -2,6 +2,7 @@
   "tcbInfo": {
     "version": 1,
     "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
     "fmspc": "00906EA10000",
     "tcbLevels": [
       {
diff --git a/tests/report/data/tcbInfoNegativeSignature.json b/tests/report/data/tcbInfoNegativeSignature.json
index a77dc83a5d..8371279bbe 100644
--- a/tests/report/data/tcbInfoNegativeSignature.json
+++ b/tests/report/data/tcbInfoNegativeSignature.json
@@ -1,7 +1,8 @@
 {
   "tcbInfo": {
-    "version": 10000000000000000000000000000000000,
+    "version": 1,
     "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
     "fmspc": "00906EA10000",
     "tcbLevels": [
       {
diff --git a/tests/report/data/tcbInfoNegativeStringEscape.json b/tests/report/data/tcbInfoNegativeStringEscape.json
index 9eb7ed2454..425924ef7e 100644
--- a/tests/report/data/tcbInfoNegativeStringEscape.json
+++ b/tests/report/data/tcbInfoNegativeStringEscape.json
@@ -2,6 +2,7 @@
   "tcbInfo": {
     "version": 1,
     "issueDate": "2018-\n06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
     "fmspc": "00906EA10000",
     "tcbLevels": [
       {
diff --git a/tests/report/data_v2/tcbInfo.json b/tests/report/data_v2/tcbInfo.json
new file mode 100644
index 0000000000..20c31db540
--- /dev/null
+++ b/tests/report/data_v2/tcbInfo.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2018-01-04T01:02:03Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-01-04T01:02:03Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T01:02:03Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T01:02:03Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T01:02:03Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoAdvisoryIds.json b/tests/report/data_v2/tcbInfoAdvisoryIds.json
new file mode 100644
index 0000000000..d805c042ca
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoAdvisoryIds.json
@@ -0,0 +1,129 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2018-01-04T01:02:03Z",
+        "tcbStatus":"UpToDate",
+        "advisoryIDs":["INTEL-SA-00079", "INTEL-SA-00076"]
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-01-04T01:02:03Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T01:02:03Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T01:02:03Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T01:02:03Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativeCompSvn.json b/tests/report/data_v2/tcbInfoNegativeCompSvn.json
new file mode 100644
index 0000000000..ab35696e7d
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativeCompSvn.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 257,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativeFloat.json b/tests/report/data_v2/tcbInfoNegativeFloat.json
new file mode 100644
index 0000000000..86fddd6677
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativeFloat.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": 2.234,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativeIntegerOverflow.json b/tests/report/data_v2/tcbInfoNegativeIntegerOverflow.json
new file mode 100644
index 0000000000..a139922235
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativeIntegerOverflow.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": 10000000000000000000000000000000000,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativeIntegerWithSign.json b/tests/report/data_v2/tcbInfoNegativeIntegerWithSign.json
new file mode 100644
index 0000000000..e44a4e7f8b
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativeIntegerWithSign.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": -1,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativeInvalidIssueDate.json b/tests/report/data_v2/tcbInfoNegativeInvalidIssueDate.json
new file mode 100644
index 0000000000..3f4f599469
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativeInvalidIssueDate.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-16-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativeInvalidNextUpdate.json b/tests/report/data_v2/tcbInfoNegativeInvalidNextUpdate.json
new file mode 100644
index 0000000000..fc015a9167
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativeInvalidNextUpdate.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-16-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativeMissingNextUpdate.json b/tests/report/data_v2/tcbInfoNegativeMissingNextUpdate.json
new file mode 100644
index 0000000000..32e51143a1
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativeMissingNextUpdate.json
@@ -0,0 +1,127 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativePceSvn.json b/tests/report/data_v2/tcbInfoNegativePceSvn.json
new file mode 100644
index 0000000000..bc3c2fcf68
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativePceSvn.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":65537
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativePropertyMissingLevel0.json b/tests/report/data_v2/tcbInfoNegativePropertyMissingLevel0.json
new file mode 100644
index 0000000000..56774bab0e
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativePropertyMissingLevel0.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "SIGNATURE": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativePropertyMissingLevel1.json b/tests/report/data_v2/tcbInfoNegativePropertyMissingLevel1.json
new file mode 100644
index 0000000000..13571b4179
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativePropertyMissingLevel1.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "VERSION": 2,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativePropertyMissingLevel2.json b/tests/report/data_v2/tcbInfoNegativePropertyMissingLevel2.json
new file mode 100644
index 0000000000..d5f434c2e9
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativePropertyMissingLevel2.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "TCBDATE":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativePropertyMissingLevel3.json b/tests/report/data_v2/tcbInfoNegativePropertyMissingLevel3.json
new file mode 100644
index 0000000000..0b214ad3f1
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativePropertyMissingLevel3.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "PCESVN":6
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativePropertyWrongTypeLevel0.json b/tests/report/data_v2/tcbInfoNegativePropertyWrongTypeLevel0.json
new file mode 100644
index 0000000000..b177198b7c
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativePropertyWrongTypeLevel0.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": 123456
+}
diff --git a/tests/report/data_v2/tcbInfoNegativePropertyWrongTypeLevel1.json b/tests/report/data_v2/tcbInfoNegativePropertyWrongTypeLevel1.json
new file mode 100644
index 0000000000..b51236e0df
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativePropertyWrongTypeLevel1.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": 90610000,
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativePropertyWrongTypeLevel2.json b/tests/report/data_v2/tcbInfoNegativePropertyWrongTypeLevel2.json
new file mode 100644
index 0000000000..18b992d30f
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativePropertyWrongTypeLevel2.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":1
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativePropertyWrongTypeLevel3.json b/tests/report/data_v2/tcbInfoNegativePropertyWrongTypeLevel3.json
new file mode 100644
index 0000000000..852e2af0f0
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativePropertyWrongTypeLevel3.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": "128",
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativeSignature.json b/tests/report/data_v2/tcbInfoNegativeSignature.json
new file mode 100644
index 0000000000..c16ac9e2e4
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativeSignature.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "1c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfoNegativeStringEscape.json b/tests/report/data_v2/tcbInfoNegativeStringEscape.json
new file mode 100644
index 0000000000..f0ce9392b3
--- /dev/null
+++ b/tests/report/data_v2/tcbInfoNegativeStringEscape.json
@@ -0,0 +1,128 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-\n06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2019-05-15T00:00:00Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-08-15T00:00:00Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T00:00:00Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/data_v2/tcbInfo_with_pceid.json b/tests/report/data_v2/tcbInfo_with_pceid.json
new file mode 100644
index 0000000000..e904ba82e7
--- /dev/null
+++ b/tests/report/data_v2/tcbInfo_with_pceid.json
@@ -0,0 +1,129 @@
+{
+  "tcbInfo": {
+    "version": 2,
+    "issueDate": "2018-06-06T10:12:17Z",
+    "nextUpdate": "2019-06-06T10:12:17Z",
+    "fmspc": "00906EA10000",
+    "pceId":"0000",
+    "tcbType": 0,
+    "tcbEvaluationDataNumber":5,
+    "tcbLevels": [
+      {
+        "tcb":{
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn":6
+        },
+        "tcbDate":"2018-01-04T01:02:03Z",
+        "tcbStatus":"UpToDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 4,
+          "sgxtcbcomp02svn": 4,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 5
+        },
+        "tcbDate":"2018-01-04T01:02:03Z",
+        "tcbStatus": "OutOfDateConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 4
+        },
+        "tcbDate":"2018-01-04T01:02:03Z",
+        "tcbStatus": "ConfigurationNeeded"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 3
+        },
+        "tcbDate":"2018-01-04T01:02:03Z",
+        "tcbStatus": "OutOfDate"
+      },
+      {
+        "tcb": {
+          "sgxtcbcomp01svn": 2,
+          "sgxtcbcomp02svn": 2,
+          "sgxtcbcomp03svn": 2,
+          "sgxtcbcomp04svn": 4,
+          "sgxtcbcomp05svn": 1,
+          "sgxtcbcomp06svn": 128,
+          "sgxtcbcomp07svn": 1,
+          "sgxtcbcomp08svn": 1,
+          "sgxtcbcomp09svn": 1,
+          "sgxtcbcomp10svn": 1,
+          "sgxtcbcomp11svn": 1,
+          "sgxtcbcomp12svn": 1,
+          "sgxtcbcomp13svn": 1,
+          "sgxtcbcomp14svn": 1,
+          "sgxtcbcomp15svn": 1,
+          "sgxtcbcomp16svn": 1,
+          "pcesvn": 2
+        },
+        "tcbDate":"2018-01-04T01:02:03Z",
+        "tcbStatus": "Revoked"
+      }
+    ]
+  },
+  "signature": "62d181c4ba863213b825d1c0b66b92a3dbdb27b8ff7c7250cb2b2ab87a8f90d5e5a1416914369d8f82c56cd3d875caa54ae4b917caf4af7a93dec52067cbfd7b"
+}
diff --git a/tests/report/enc/enc.cpp b/tests/report/enc/enc.cpp
index b137fcb7d9..41579bb25d 100644
--- a/tests/report/enc/enc.cpp
+++ b/tests/report/enc/enc.cpp
@@ -14,7 +14,7 @@
 
 oe_result_t test_verify_tcb_info(
     const char* tcb_info,
-    oe_tcb_level_t* platform_tcb_level,
+    oe_tcb_info_tcb_level_t* platform_tcb_level,
     oe_parsed_tcb_info_t* parsed_tcb_info)
 {
 #ifdef OE_LINK_SGX_DCAP_QL
diff --git a/tests/report/host/CMakeLists.txt b/tests/report/host/CMakeLists.txt
index c8bb2a80a8..6ea3a62325 100644
--- a/tests/report/host/CMakeLists.txt
+++ b/tests/report/host/CMakeLists.txt
@@ -12,6 +12,7 @@ endif()
 
 add_custom_command(TARGET report_host
     COMMAND ${CMAKE_COMMAND} -E copy_directory ${CMAKE_CURRENT_SOURCE_DIR}/../data ${CMAKE_CURRENT_BINARY_DIR}/../data
+    COMMAND ${CMAKE_COMMAND} -E copy_directory ${CMAKE_CURRENT_SOURCE_DIR}/../data_v2 ${CMAKE_CURRENT_BINARY_DIR}/../data_v2
 )
 
 target_include_directories(report_host PRIVATE ${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CURRENT_SOURCE_DIR}/../common)
diff --git a/tests/report/host/host.cpp b/tests/report/host/host.cpp
index 8c01f372f5..70cc010bce 100644
--- a/tests/report/host/host.cpp
+++ b/tests/report/host/host.cpp
@@ -23,6 +23,12 @@
 extern void TestVerifyTCBInfo(
     oe_enclave_t* enclave,
     const char* test_file_name);
+extern void TestVerifyTCBInfoV2(
+    oe_enclave_t* enclave,
+    const char* test_filename);
+extern void TestVerifyTCBInfoV2_AdvisoryIDs(
+    oe_enclave_t* enclave,
+    const char* test_filename);
 extern int FileToBytes(const char* path, std::vector<uint8_t>* output);
 
 void generate_and_save_report(oe_enclave_t* enclave)
@@ -184,6 +190,11 @@ int main(int argc, const char* argv[])
     TestVerifyTCBInfo(enclave, "./data/tcbInfo.json");
     TestVerifyTCBInfo(enclave, "./data/tcbInfo_with_pceid.json");
 
+    TestVerifyTCBInfoV2(enclave, "./data_v2/tcbInfo.json");
+    TestVerifyTCBInfoV2(enclave, "./data_v2/tcbInfo_with_pceid.json");
+    TestVerifyTCBInfoV2_AdvisoryIDs(
+        enclave, "./data_v2/tcbInfoAdvisoryIds.json");
+
     // Get current time and pass it to enclave.
     std::time_t t = std::time(0);
     std::tm* tm = std::gmtime(&t);
diff --git a/tests/report/host/tcbinfo.cpp b/tests/report/host/tcbinfo.cpp
index f08c94b334..d650a9f923 100644
--- a/tests/report/host/tcbinfo.cpp
+++ b/tests/report/host/tcbinfo.cpp
@@ -36,9 +36,9 @@ int FileToBytes(const char* path, std::vector<uint8_t>* out)
     return 0;
 }
 
-void AssertParsedValues(oe_parsed_tcb_info_t& parsed_info)
+void AssertParsedValues(oe_parsed_tcb_info_t& parsed_info, uint32_t version)
 {
-    OE_TEST(parsed_info.version == 1);
+    OE_TEST(parsed_info.version == version);
 
     oe_datetime_t expected_issue_date = {2018, 6, 6, 10, 12, 17};
     OE_TEST(
@@ -67,23 +67,33 @@ void AssertParsedValues(oe_parsed_tcb_info_t& parsed_info)
             parsed_info.signature,
             expected_signature,
             sizeof(expected_signature)) == 0);
+
+    if (version == 2)
+    {
+        //"tcbDate":"2018-01-04T01:02:03Z",
+        oe_datetime_t expected_tcb_date = {2018, 1, 4, 1, 2, 3};
+        OE_TEST(
+            oe_datetime_compare(
+                &parsed_info.tcb_level.tcb_date, &expected_tcb_date) == 0);
+    }
 }
 
 void TestVerifyTCBInfo(
     oe_enclave_t* enclave,
     const char* test_filename,
-    oe_tcb_level_t* platform_tcb_level,
-    oe_result_t expected)
+    oe_tcb_info_tcb_level_t* platform_tcb_level,
+    oe_parsed_tcb_info_t* parsed_info,
+    oe_result_t expected,
+    uint32_t version)
 {
     std::vector<uint8_t> tcbInfo;
     OE_TEST(FileToBytes(test_filename, &tcbInfo) == 0);
 
-    oe_parsed_tcb_info_t parsed_info = {0};
     oe_result_t ecall_result = OE_FAILURE;
 
     // Contains nextUpdate field.
-    memset(&parsed_info, 0, sizeof(parsed_info));
-    platform_tcb_level->status = OE_TCB_LEVEL_STATUS_UNKNOWN;
+    memset(parsed_info, 0, sizeof(oe_parsed_tcb_info_t));
+    platform_tcb_level->status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
 
     OE_TEST(
         test_verify_tcb_info(
@@ -91,20 +101,20 @@ void TestVerifyTCBInfo(
             &ecall_result,
             (const char*)&tcbInfo[0],
             platform_tcb_level,
-            &parsed_info) == OE_OK);
+            parsed_info) == OE_OK);
     OE_TEST(ecall_result == expected);
-    AssertParsedValues(parsed_info);
+    AssertParsedValues(*parsed_info, version);
 
     oe_datetime_t nextUpdate = {2019, 6, 6, 10, 12, 17};
-    OE_TEST(oe_datetime_compare(&parsed_info.next_update, &nextUpdate) == 0);
+    OE_TEST(oe_datetime_compare(&parsed_info->next_update, &nextUpdate) == 0);
 }
 
 void TestVerifyTCBInfo(oe_enclave_t* enclave, const char* test_filename)
 {
-    oe_tcb_level_t platform_tcb_level = {
-        {4, 4, 2, 4, 1, 128, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1},
-        8,
-        OE_TCB_LEVEL_STATUS_UNKNOWN};
+    const uint32_t version = 1;
+    oe_tcb_info_tcb_level_t platform_tcb_level = {
+        {4, 4, 2, 4, 1, 128, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}, 8};
+    oe_parsed_tcb_info_t parsed_info = {0};
 
     // ./data/tcbInfo.json contains 4 tcb levels.
     // The first level with pce svn = 5 is up to date.
@@ -114,50 +124,76 @@ void TestVerifyTCBInfo(oe_enclave_t* enclave, const char* test_filename)
 
     // Set platform pce svn to 8 and assert that
     // the determined status is up to date.
-    platform_tcb_level.status = OE_TCB_LEVEL_STATUS_UNKNOWN;
+    platform_tcb_level.status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
     platform_tcb_level.pce_svn = 8;
-    TestVerifyTCBInfo(enclave, test_filename, &platform_tcb_level, OE_OK);
-    OE_TEST(platform_tcb_level.status == OE_TCB_LEVEL_STATUS_UP_TO_DATE);
+    TestVerifyTCBInfo(
+        enclave,
+        test_filename,
+        &platform_tcb_level,
+        &parsed_info,
+        OE_OK,
+        version);
+    OE_TEST(platform_tcb_level.status.fields.up_to_date == 1);
     printf("UptoDate TCB Level determination test passed.\n");
 
     // Set platform pce svn to 4 and assert that
     // the determined status is configuration needed.
-    platform_tcb_level.status = OE_TCB_LEVEL_STATUS_UNKNOWN;
+    platform_tcb_level.status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
     platform_tcb_level.pce_svn = 4;
     TestVerifyTCBInfo(
-        enclave, test_filename, &platform_tcb_level, OE_TCB_LEVEL_INVALID);
-    OE_TEST(
-        platform_tcb_level.status == OE_TCB_LEVEL_STATUS_CONFIGURATION_NEEDED);
+        enclave,
+        test_filename,
+        &platform_tcb_level,
+        &parsed_info,
+        OE_TCB_LEVEL_INVALID,
+        version);
+    OE_TEST(platform_tcb_level.status.fields.configuration_needed == 1);
     printf("ConfigurationNeeded TCB Level determination test passed.\n");
 
     // Set platform pce svn to 3 and assert that
     // the determined status is out of date.
-    platform_tcb_level.status = OE_TCB_LEVEL_STATUS_UNKNOWN;
+    platform_tcb_level.status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
     platform_tcb_level.pce_svn = 3;
     TestVerifyTCBInfo(
-        enclave, test_filename, &platform_tcb_level, OE_TCB_LEVEL_INVALID);
-    OE_TEST(platform_tcb_level.status == OE_TCB_LEVEL_STATUS_OUT_OF_DATE);
+        enclave,
+        test_filename,
+        &platform_tcb_level,
+        &parsed_info,
+        OE_TCB_LEVEL_INVALID,
+        version);
+    OE_TEST(platform_tcb_level.status.fields.outofdate == 1);
     printf("OutOfDate TCB Level determination test passed.\n");
 
     // Set platform pce svn to 2 and assert that
     // the determined status is revoked.
-    platform_tcb_level.status = OE_TCB_LEVEL_STATUS_UNKNOWN;
+    platform_tcb_level.status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
     platform_tcb_level.pce_svn = 2;
     TestVerifyTCBInfo(
-        enclave, test_filename, &platform_tcb_level, OE_TCB_LEVEL_INVALID);
-    OE_TEST(platform_tcb_level.status == OE_TCB_LEVEL_STATUS_REVOKED);
-    printf("OutOfDate TCB Level determination test passed.\n");
+        enclave,
+        test_filename,
+        &platform_tcb_level,
+        &parsed_info,
+        OE_TCB_LEVEL_INVALID,
+        version);
+    OE_TEST(platform_tcb_level.status.fields.revoked == 1);
+    printf("Revoked TCB Level determination test passed.\n");
 
     // Set each of the fields to a value not listed in the json and
     // test that the determined status is OE_TCB_LEVEL_INVALID
     for (uint32_t i = 0; i < OE_COUNTOF(platform_tcb_level.sgx_tcb_comp_svn);
          ++i)
     {
-        platform_tcb_level.status = OE_TCB_LEVEL_STATUS_UNKNOWN;
+        platform_tcb_level.status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
         platform_tcb_level.sgx_tcb_comp_svn[i] = 0;
         TestVerifyTCBInfo(
-            enclave, test_filename, &platform_tcb_level, OE_TCB_LEVEL_INVALID);
-        OE_TEST(platform_tcb_level.status == OE_TCB_LEVEL_STATUS_UNKNOWN);
+            enclave,
+            test_filename,
+            &platform_tcb_level,
+            &parsed_info,
+            OE_TCB_LEVEL_INVALID,
+            version);
+        OE_TEST(
+            platform_tcb_level.status.AsUINT32 == OE_TCB_LEVEL_STATUS_UNKNOWN);
         platform_tcb_level.sgx_tcb_comp_svn[i] = 1;
     }
     printf("Unknown TCB Level determination test passed.\n");
@@ -211,7 +247,7 @@ void TestVerifyTCBInfo(oe_enclave_t* enclave, const char* test_filename)
         OE_TEST(FileToBytes(negative_files[i], &tcbInfo) == 0);
 
         oe_parsed_tcb_info_t parsed_info = {0};
-        oe_tcb_level_t platform_tcb_level = {{0}};
+        oe_tcb_info_tcb_level_t platform_tcb_level = {{0}};
         oe_result_t ecall_result = OE_FAILURE;
         OE_TEST(
             test_verify_tcb_info(
@@ -225,3 +261,245 @@ void TestVerifyTCBInfo(oe_enclave_t* enclave, const char* test_filename)
             "TestVerifyTCBInfo: Negative Test %s passed\n", negative_files[i]);
     }
 }
+
+void TestVerifyTCBInfoV2(oe_enclave_t* enclave, const char* test_filename)
+{
+    const uint32_t version = 2;
+    oe_tcb_info_tcb_level_t platform_tcb_level = {
+        {4, 4, 2, 4, 1, 128, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}, 8};
+    oe_parsed_tcb_info_t parsed_info = {0};
+
+    printf("TCB Info Version 2 tests:\n");
+    // ./data_v2/tcbInfo.json contains 5 tcb levels.
+    // The first level with pce svn = 6 is up to date.
+    // The second level with pce svn = 5 is OutOfDateConfigurationNeeded
+    // The third level with pce svn = 4 needs configuration.
+    // The fourth level with pce svn = 3 is out of date.
+    // The fifth level with pce svn = 2 is revoked.
+
+    // Set platform pce svn to 8 and assert that
+    // the determined status is up to date.
+    platform_tcb_level.status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
+    platform_tcb_level.pce_svn = 8;
+    TestVerifyTCBInfo(
+        enclave,
+        test_filename,
+        &platform_tcb_level,
+        &parsed_info,
+        OE_OK,
+        version);
+    OE_TEST(platform_tcb_level.status.fields.up_to_date == 1);
+    printf("UptoDate TCB Level determination test passed.\n");
+
+    // Set platform pce svn to 5 and assert that
+    // the determined status is out of date configuration needed.
+    platform_tcb_level.status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
+    platform_tcb_level.pce_svn = 5;
+    TestVerifyTCBInfo(
+        enclave,
+        test_filename,
+        &platform_tcb_level,
+        &parsed_info,
+        OE_TCB_LEVEL_INVALID,
+        version);
+    OE_TEST(platform_tcb_level.status.fields.qe_identity_out_of_date == 1);
+    OE_TEST(platform_tcb_level.status.fields.configuration_needed == 1);
+    printf(
+        "OutOfDateConfigurationNeeded TCB Level determination test passed.\n");
+
+    // Set platform pce svn to 4 and assert that
+    // the determined status is configuration needed.
+    platform_tcb_level.status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
+    platform_tcb_level.pce_svn = 4;
+    TestVerifyTCBInfo(
+        enclave,
+        test_filename,
+        &platform_tcb_level,
+        &parsed_info,
+        OE_TCB_LEVEL_INVALID,
+        version);
+    OE_TEST(platform_tcb_level.status.fields.configuration_needed == 1);
+    printf("ConfigurationNeeded TCB Level determination test passed.\n");
+
+    // Set platform pce svn to 3 and assert that
+    // the determined status is out of date.
+    platform_tcb_level.status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
+    platform_tcb_level.pce_svn = 3;
+    TestVerifyTCBInfo(
+        enclave,
+        test_filename,
+        &platform_tcb_level,
+        &parsed_info,
+        OE_TCB_LEVEL_INVALID,
+        version);
+    OE_TEST(platform_tcb_level.status.fields.outofdate == 1);
+    printf("OutOfDate TCB Level determination test passed.\n");
+
+    // Set platform pce svn to 2 and assert that
+    // the determined status is revoked.
+    platform_tcb_level.status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
+    platform_tcb_level.pce_svn = 2;
+    TestVerifyTCBInfo(
+        enclave,
+        test_filename,
+        &platform_tcb_level,
+        &parsed_info,
+        OE_TCB_LEVEL_INVALID,
+        version);
+    OE_TEST(platform_tcb_level.status.fields.revoked == 1);
+    printf("Revoked TCB Level determination test passed.\n");
+
+    // Set each of the fields to a value not listed in the json and
+    // test that the determined status is OE_TCB_LEVEL_INVALID
+    for (uint32_t i = 0; i < OE_COUNTOF(platform_tcb_level.sgx_tcb_comp_svn);
+         ++i)
+    {
+        platform_tcb_level.status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
+        platform_tcb_level.sgx_tcb_comp_svn[i] = 0;
+        TestVerifyTCBInfo(
+            enclave,
+            test_filename,
+            &platform_tcb_level,
+            &parsed_info,
+            OE_TCB_LEVEL_INVALID,
+            version);
+        OE_TEST(
+            platform_tcb_level.status.AsUINT32 == OE_TCB_LEVEL_STATUS_UNKNOWN);
+        platform_tcb_level.sgx_tcb_comp_svn[i] = 2;
+    }
+    printf("Unknown TCB Level determination test passed.\n");
+
+    printf("TestVerifyTCBInfo V2: Positive Tests passed\n");
+
+    const char* negative_files[] = {
+        // In the following files, a property in corresponding level has been
+        // capitalized. JSON is case sensitive and therefore schema validation
+        // should fail.
+        "./data_v2/tcbInfoNegativePropertyMissingLevel0.json",
+        "./data_v2/tcbInfoNegativePropertyMissingLevel1.json",
+        "./data_v2/tcbInfoNegativePropertyMissingLevel2.json",
+        "./data_v2/tcbInfoNegativePropertyMissingLevel3.json",
+        // In the following files, a property in corresponding level has wrong
+        // type.
+        "./data_v2/tcbInfoNegativePropertyWrongTypeLevel0.json",
+        "./data_v2/tcbInfoNegativePropertyWrongTypeLevel1.json",
+        "./data_v2/tcbInfoNegativePropertyWrongTypeLevel2.json",
+        "./data_v2/tcbInfoNegativePropertyWrongTypeLevel3.json",
+
+        // Comp Svn greater than uint8_t
+        "./data_v2/tcbInfoNegativeCompSvn.json",
+
+        // pce Svn greater than uint16_t
+        "./data_v2/tcbInfoNegativePceSvn.json",
+
+        // Invalid issueDate field.
+        "./data_v2/tcbInfoNegativeInvalidIssueDate.json",
+
+        // Invalid nextUpdate field.
+        "./data_v2/tcbInfoNegativeInvalidNextUpdate.json",
+
+        // Missing nextUpdate field.
+        "./data_v2/tcbInfoNegativeMissingNextUpdate.json",
+
+        // Signature != 64 bytes
+        "./data_v2/tcbInfoNegativeSignature.json",
+
+        // Unsupported JSON constructs
+        "./data_v2/tcbInfoNegativeStringEscape.json",
+        "./data_v2/tcbInfoNegativeIntegerOverflow.json",
+        "./data_v2/tcbInfoNegativeIntegerWithSign.json",
+        "./data_v2/tcbInfoNegativeFloat.json",
+    };
+
+    for (size_t i = 0; i < sizeof(negative_files) / sizeof(negative_files[0]);
+         ++i)
+    {
+        std::vector<uint8_t> tcbInfo;
+        OE_TEST(FileToBytes(negative_files[i], &tcbInfo) == 0);
+
+        oe_parsed_tcb_info_t parsed_info = {0};
+        oe_tcb_info_tcb_level_t platform_tcb_level = {{0}};
+        oe_result_t ecall_result = OE_FAILURE;
+        OE_TEST(
+            test_verify_tcb_info(
+                enclave,
+                &ecall_result,
+                (const char*)&tcbInfo[0],
+                &platform_tcb_level,
+                &parsed_info) == OE_OK);
+        OE_TEST(ecall_result == OE_JSON_INFO_PARSE_ERROR);
+        printf(
+            "TestVerifyTCBInfoV2: Negative Test %s passed\n",
+            negative_files[i]);
+    }
+}
+
+void TestVerifyTCBInfoV2_AdvisoryIDs(
+    oe_enclave_t* enclave,
+    const char* test_filename)
+{
+    std::vector<uint8_t> tcbInfo;
+    oe_result_t ecall_result = OE_FAILURE;
+    OE_TEST(FileToBytes(test_filename, &tcbInfo) == 0);
+
+    oe_tcb_info_tcb_level_t platform_tcb_level = {
+        {4, 4, 2, 4, 1, 128, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}, 8};
+    oe_parsed_tcb_info_t parsed_info = {0};
+
+    // Set platform pce svn to 8 and assert that
+    // the determined status is up to date.
+    platform_tcb_level.status.AsUINT32 = OE_TCB_LEVEL_STATUS_UNKNOWN;
+    platform_tcb_level.pce_svn = 8;
+
+    // Contains nextUpdate field.
+    memset(&parsed_info, 0, sizeof(parsed_info));
+
+    OE_TEST(
+        test_verify_tcb_info(
+            enclave,
+            &ecall_result,
+            (const char*)&tcbInfo[0],
+            &platform_tcb_level,
+            &parsed_info) == OE_OK);
+    OE_TEST(ecall_result == OE_OK);
+    OE_TEST(platform_tcb_level.status.fields.up_to_date == 1);
+
+    AssertParsedValues(parsed_info, 2);
+    oe_datetime_t nextUpdate = {2019, 6, 6, 10, 12, 17};
+    OE_TEST(oe_datetime_compare(&parsed_info.next_update, &nextUpdate) == 0);
+
+    OE_TEST(parsed_info.tcb_level.status.fields.up_to_date == 1);
+    OE_TEST(parsed_info.tcb_level.advisory_ids_size > 0);
+    OE_TEST(parsed_info.tcb_level.advisory_ids_offset < tcbInfo.size());
+
+    const char* ptr =
+        (const char*)&tcbInfo[parsed_info.tcb_level.advisory_ids_offset];
+    const uint8_t* advisoryIDs[2] = {0};
+    size_t advisoryIDs_length[2] = {0};
+    const char* expectedAdvisoryIDs[2] = {"INTEL-SA-00079", "INTEL-SA-00076"};
+    size_t num_advisory_ids = 0;
+    OE_TEST(
+        oe_parse_advisoryids_json(
+            (const uint8_t*)ptr,
+            parsed_info.tcb_level.advisory_ids_size,
+            (const uint8_t**)&advisoryIDs,
+            2,
+            (size_t*)&advisoryIDs_length,
+            2,
+            &num_advisory_ids) == OE_OK);
+    OE_TEST(num_advisory_ids == 2);
+    for (int i = 0; i < 2; i++)
+    {
+        printf(
+            "AdvisoryIDs[%d]: %.*s\n",
+            i,
+            (int)advisoryIDs_length[i],
+            advisoryIDs[i]);
+        OE_TEST(
+            strncmp(
+                (const char*)advisoryIDs[i],
+                expectedAdvisoryIDs[i],
+                advisoryIDs_length[i]) == 0);
+    }
+    printf("TCB Info V2 positive test, with advisoryIDs. PASSED\n");
+}
\ No newline at end of file
diff --git a/tests/report/tests.edl b/tests/report/tests.edl
index 240c512aaa..30b0521cb4 100644
--- a/tests/report/tests.edl
+++ b/tests/report/tests.edl
@@ -12,7 +12,7 @@ enclave {
         // tcb info tests.
         public oe_result_t test_verify_tcb_info(
             [in, string] const char* tcb_info,
-            [user_check] oe_tcb_level_t* platform_tcb_level,
+            [user_check] oe_tcb_info_tcb_level_t* platform_tcb_level,
             [out] oe_parsed_tcb_info_t* parsed_tcb_info
         );
 

From 7d6efc8cc797888d10f5dd2320e5b458d6d9f7ee Mon Sep 17 00:00:00 2001
From: Xuejun Yang <xuejya@microsoft.com>
Date: Mon, 6 Jan 2020 19:44:20 +0000
Subject: [PATCH 391/420] Avoid data race with variable _capacity

Signed-off-by: Xuejun Yang <xuejya@microsoft.com>
---
 enclave/core/arena.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/enclave/core/arena.c b/enclave/core/arena.c
index c61b4c9ce1..dfea301a2c 100644
--- a/enclave/core/arena.c
+++ b/enclave/core/arena.c
@@ -39,11 +39,14 @@ void* oe_arena_malloc(size_t size)
     // Create the anera if it hasn't been created.
     if (_arena.buffer == NULL)
     {
-        void* buffer = oe_allocate_arena(_capacity);
+        _arena.capacity = __atomic_load_n(&_capacity, __ATOMIC_SEQ_CST);
+        void* buffer = oe_allocate_arena(_arena.capacity);
         if (buffer == NULL)
+        {
+            _arena.capacity = 0;
             return NULL;
+        }
         _arena.buffer = (uint8_t*)buffer;
-        _arena.capacity = _capacity;
         _arena.used = 0;
     }
 

From 9dcaf154b3bb59034094344b4774f0b4ea4a85ef Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Wed, 18 Dec 2019 14:33:55 -0800
Subject: [PATCH 392/420] Clang 9 (and potentially other compilers) may
 generate code which relies on the return address of a callee's stack frame to
 be the actual address that was returned to in the caller.

Modify oe_longjmp to respect this condition.

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 enclave/core/CMakeLists.txt |  4 --
 enclave/core/sgx/jump.c     | 81 -------------------------------------
 enclave/core/sgx/longjmp.S  | 33 +++++++++------
 enclave/core/sgx/setjmp.S   | 26 ++++++------
 4 files changed, 33 insertions(+), 111 deletions(-)
 delete mode 100644 enclave/core/sgx/jump.c

diff --git a/enclave/core/CMakeLists.txt b/enclave/core/CMakeLists.txt
index 970b90e75a..a3ab9c2187 100644
--- a/enclave/core/CMakeLists.txt
+++ b/enclave/core/CMakeLists.txt
@@ -60,7 +60,6 @@ if (OE_SGX)
         sgx/hostcalls.c
         sgx/init.c
         sgx/sgx_t_wrapper.c
-        sgx/jump.c
         sgx/keys.c
         sgx/memory.c
         sgx/properties.c
@@ -186,9 +185,6 @@ set_source_files_properties(malloc.c
     PROPERTIES COMPILE_FLAGS "-Wno-conversion -Wno-null-pointer-arithmetic")
 
 if (OE_SGX)
-    # jump.s must be optimized for the correct call-frame.
-    set_source_files_properties(sgx/jump.c PROPERTIES COMPILE_FLAGS -O2)
-
     set_source_files_properties(sgx/keys.c PROPERTIES COMPILE_FLAGS -Wno-type-limits)
 
     # -m64 is an x86_64 specific flag
diff --git a/enclave/core/sgx/jump.c b/enclave/core/sgx/jump.c
deleted file mode 100644
index fc1d6fae69..0000000000
--- a/enclave/core/sgx/jump.c
+++ /dev/null
@@ -1,81 +0,0 @@
-// Copyright (c) Open Enclave SDK contributors.
-// Licensed under the MIT License.
-
-#include <openenclave/internal/defs.h>
-#include <openenclave/internal/jump.h>
-
-OE_CHECK_SIZE(sizeof(oe_jmpbuf_t), 64);
-
-/*
- * This file must be compiled with optimization enabled because the code
- * relies on the precise layout of the stack (and thereby preamble) to obtain
- * the correct rsp and rip.
- *
- * Really, this should go into a separate .s-file to ensure correct register
- * access.
- */
-
-int oe_setjmp(oe_jmpbuf_t* env)
-{
-    asm volatile(
-        /* Save RBX */
-        "mov %%rbx, %0;"
-        /* Save RBP */
-        "mov %%rbp, %1;"
-        /* Save R12 */
-        "mov %%r12, %2;"
-        /* Save R13 */
-        "mov %%r13, %3;"
-        /* Save R14 */
-        "mov %%r14, %4;"
-        /* Save R15 */
-        "mov %%r15, %5;"
-        /* Save stack pointer */
-        "lea 8(%%rsp), %6;"
-        /* Save instruction pointer */
-        "mov (%%rsp), %7;"
-        : "=m"(env->rbx),
-          "=m"(env->rbp),
-          "=m"(env->r12),
-          "=m"(env->r13),
-          "=m"(env->r14),
-          "=m"(env->r15),
-          "=r"(env->rsp),
-          "=r"(env->rip));
-
-    return 0;
-}
-
-void oe_longjmp(oe_jmpbuf_t* env, int val)
-{
-    if (val == 0)
-        val = 1;
-
-    asm volatile(
-        /* Restore RBX */
-        "mov %1, %%rbx;"
-        /* Restore RBP*/
-        "mov %2, %%rbp;"
-        /* Restore R12 */
-        "mov %3, %%r12;"
-        /* Restore R13 */
-        "mov %4, %%r13;"
-        /* Restore R14 */
-        "mov %5, %%r14;"
-        /* Restore R15 */
-        "mov %6, %%r15;"
-        /* Restore stack pointer */
-        "mov %7, %%rsp;"
-        /* Fetch and jump to instruction pointer */
-        "jmp *%8;"
-        :
-        : "a"(val),
-          "m"(env->rbx),
-          "m"(env->rbp),
-          "m"(env->r12),
-          "m"(env->r13),
-          "m"(env->r14),
-          "m"(env->r15),
-          "m"(env->rsp),
-          "d"(env->rip));
-}
diff --git a/enclave/core/sgx/longjmp.S b/enclave/core/sgx/longjmp.S
index 09a87868b7..67723ee5fd 100644
--- a/enclave/core/sgx/longjmp.S
+++ b/enclave/core/sgx/longjmp.S
@@ -3,7 +3,7 @@
 
 //==============================================================================
 //
-// void oe_longjmp(oe_jmp_buf env, int val)
+// void oe_longjmp(oe_jmp_buf* env, int val)
 //
 //     Implementation of standard longjmp() function.
 //
@@ -12,7 +12,7 @@
 //
 //==============================================================================
 
-/* ATTN: WINPORT */
+// Modified from musl-libc root/src/setjmp/x86_64/longjmp.s
 
 .globl oe_longjmp
 .type oe_longjmp, @function
@@ -22,16 +22,23 @@ oe_longjmp:
     // if (val == 0) then set val to 1.
     cmp $0, %rax
     jne val_is_nonzero
-    mov $1, %rax
+    mov $1, %rax # Return value (int)
+
 val_is_nonzero:
-    mov (%rdi), %rbx
-    mov 8(%rdi), %rbp
-    mov 16(%rdi), %r12
-    mov 24(%rdi), %r13
-    mov 32(%rdi), %r14
-    mov 40(%rdi), %r15
-    mov 48(%rdi), %rdx
-    mov %rdx, %rsp
-    mov 56(%rdi), %rdx
-    jmp *%rdx
+    # Some versions of clang generate code that relies on the return address
+    # of this stack frame to be the address that was actually jumped to. Set
+    # the stored %rip value as the return address for the stack frame directly
+    # above the one we're returning to.
+    mov 16(%rdi),%rcx # Get stored %rip
+    mov (%rdi),%rdx # Get stored %rsp
+    mov %rcx,-0x8(%rdx)
+
+    mov (%rdi),%rsp
+    mov 8(%rdi),%rbp
+    mov 24(%rdi),%rbx
+    mov 32(%rdi),%r12
+    mov 40(%rdi),%r13
+    mov 48(%rdi),%r14
+    mov 56(%rdi),%r15
+    jmp *16(%rdi)
 .cfi_endproc
diff --git a/enclave/core/sgx/setjmp.S b/enclave/core/sgx/setjmp.S
index 2e555eef68..24574a673c 100644
--- a/enclave/core/sgx/setjmp.S
+++ b/enclave/core/sgx/setjmp.S
@@ -3,7 +3,7 @@
 
 //==============================================================================
 //
-// void oe_setjmp(oe_jmp_buf env)
+// void oe_setjmp(oe_jmp_buf* env)
 //
 //     Implementation of standard setjmp() function.
 //
@@ -11,22 +11,22 @@
 //
 //==============================================================================
 
-/* ATTN: WINPORT */
+// Modified from musl-libc root/src/setjmp/x86_64/setjmp.s
 
 .globl oe_setjmp
 .type oe_setjmp,@function
 oe_setjmp:
 .cfi_startproc
-    mov %rbx, (%rdi)
-    mov %rbp, 8(%rdi)
-    mov %r12, 16(%rdi)
-    mov %r13, 24(%rdi)
-    mov %r14, 32(%rdi)
-    mov %r15, 40(%rdi)
-    lea 8(%rsp), %rdx
-    mov %rdx, 48(%rdi)
-    mov (%rsp), %rdx
-    mov %rdx, 56(%rdi)
-    xor %rax, %rax
+    lea  8(%rsp), %rdx # this is our rsp WITHOUT current ret addr
+    mov  %rdx, (%rdi)
+    mov  %rbp, 8(%rdi)
+    mov  (%rsp), %rdx # save return addr ptr for new rip
+    mov  %rdx, 16(%rdi)
+    mov  %rbx, 24(%rdi)
+    mov  %r12, 32(%rdi)
+    mov  %r13, 40(%rdi)
+    mov  %r14, 48(%rdi)
+    mov  %r15, 56(%rdi)
+    xorl %eax, %eax # Set return value
     ret
 .cfi_endproc

From 554888f93dcc07b86252299c5c554cba2981fd47 Mon Sep 17 00:00:00 2001
From: Anand Krishnamoorthi <anakrish@microsoft.com>
Date: Tue, 7 Jan 2020 00:33:50 +0000
Subject: [PATCH 393/420] oe_enter_sim manages GS and FS registers

oe_enter_sim instruction simulates EENTER instruciton.
with this change, it manages GS and FS registers.
Before entering the enclave, the registers are set to the values
set by the EENTER instruction. Immediately upon return from the enclave,
the registers are reset to their host-side values.

- Localized register management.
- Avoids duplication of register management in many code paths.
- Removed unnecessary assertions.

Signed-off-by: Anand Krishnamoorthi <anakrish@microsoft.com>
---
 host/sgx/calls.c   | 39 +--------------------------------------
 host/sgx/enclave.h | 21 ---------------------
 host/sgx/enter.c   | 15 +++++++++++++++
 3 files changed, 16 insertions(+), 59 deletions(-)

diff --git a/host/sgx/calls.c b/host/sgx/calls.c
index 9668cc7aaf..e2ff6164b9 100644
--- a/host/sgx/calls.c
+++ b/host/sgx/calls.c
@@ -115,7 +115,6 @@ static oe_result_t _enter_sim(
 {
     oe_result_t result = OE_UNEXPECTED;
     sgx_tcs_t* tcs = (sgx_tcs_t*)tcs_;
-    ThreadBinding* binding = GetThreadBinding();
     td_t* td = NULL;
 
     /* Reject null parameters */
@@ -127,22 +126,8 @@ static oe_result_t _enter_sim(
     if (!tcs->u.entry)
         OE_RAISE(OE_NOT_FOUND);
 
-    /* Save old GS and FS register bases */
-    binding->host_gs = oe_get_gs_register_base();
-    binding->host_fs = oe_get_fs_register_base();
-
-    /* Change GS and FS registers to the values for the enclave thread. At this
-     * point thread-locals, pthread, libc etc won't work within the host thread
-     * since they depend on FS register.
-     * This means that when the enclave makes an ocall, the GS and FS registers
-     * must be immediately restored upon entry to host.
-     * See __oe_dispatch_ocall.
-     */
-    td = (td_t*)(enclave->addr + tcs->gsbase);
-    oe_set_gs_register_base(td);
-    oe_set_fs_register_base((void*)(enclave->addr + tcs->fsbase));
-
     /* Set td_t.simulate flag */
+    td = (td_t*)(enclave->addr + tcs->gsbase);
     td->simulate = true;
 
     /* Call into enclave */
@@ -153,13 +138,6 @@ static oe_result_t _enter_sim(
         *arg4 = 0;
 
     oe_enter_sim(tcs, aep, arg1, arg2, arg3, arg4, enclave);
-
-    /* Restore GS and GS registers. After this, host side library calls can be
-     * safely called.
-     */
-    oe_set_fs_register_base(binding->host_fs);
-    oe_set_gs_register_base(binding->host_gs);
-
     result = OE_OK;
 
 done:
@@ -513,13 +491,6 @@ int __oe_dispatch_ocall(
                     break;
                 }
             }
-
-            /**
-             * Restore FS and GS registers when making an OCALL.
-             * This makes sure that thread-locals, libc on host work.
-             */
-            oe_set_fs_register_base(binding->host_fs);
-            oe_set_gs_register_base(binding->host_gs);
         }
         else
         {
@@ -533,14 +504,6 @@ int __oe_dispatch_ocall(
 
         // Restore the binding.
         _set_thread_binding(binding);
-
-        if (enclave->simulate)
-        {
-            // Prior to returning back to the enclave, set the GS and FS
-            // registers to their values for the enclave thread.
-            oe_set_fs_register_base((void*)(enclave->addr + tcs->fsbase));
-            oe_set_gs_register_base((void*)(enclave->addr + tcs->gsbase));
-        }
         return 0;
     }
 
diff --git a/host/sgx/enclave.h b/host/sgx/enclave.h
index d154b7b3d8..de585bc788 100644
--- a/host/sgx/enclave.h
+++ b/host/sgx/enclave.h
@@ -67,10 +67,6 @@ typedef struct _thread_binding
 
     /* Event signaling object for enclave threading implementation */
     EnclaveEvent event;
-
-    /* The host GS and FS values saved before making an ecall */
-    void* host_gs;
-    void* host_fs;
 } ThreadBinding;
 
 OE_STATIC_ASSERT(OE_OFFSETOF(ThreadBinding, tcs) == ThreadBinding_tcs);
@@ -130,23 +126,6 @@ struct _oe_enclave
     oe_switchless_call_manager_t* switchless_manager;
 };
 
-// Static asserts for consistency with
-// debugger/pythonExtension/gdb_sgx_plugin.py
-#if defined(__linux__)
-OE_STATIC_ASSERT(OE_OFFSETOF(oe_enclave_t, magic) == 0);
-
-// Python plugin only needs the field number which is 2
-OE_STATIC_ASSERT(OE_OFFSETOF(oe_enclave_t, addr) == 2 * sizeof(void*));
-
-// The fields up to binding correspond to 'ENCLAVE_HEADER'
-OE_STATIC_ASSERT(OE_OFFSETOF(oe_enclave_t, bindings) == 0x28);
-
-OE_STATIC_ASSERT(OE_OFFSETOF(oe_enclave_t, debug) == 0x788);
-OE_STATIC_ASSERT(
-    OE_OFFSETOF(oe_enclave_t, debug) + 1 ==
-    OE_OFFSETOF(oe_enclave_t, simulate));
-#endif
-
 /* Get the event for the given TCS */
 EnclaveEvent* GetEnclaveEvent(oe_enclave_t* enclave, uint64_t tcs);
 
diff --git a/host/sgx/enter.c b/host/sgx/enter.c
index 9bce94242c..a702466b0c 100644
--- a/host/sgx/enter.c
+++ b/host/sgx/enter.c
@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 #include <openenclave/internal/calls.h>
+#include <openenclave/internal/registers.h>
 #include <openenclave/internal/sgxtypes.h>
 #include "asmdefs.h"
 #include "enclave.h"
@@ -168,8 +169,18 @@ void oe_enter_sim(
     OE_ALIGNED(16)
     uint64_t fx_state[64];
 
+    // Backup host GS and FS registers.
+    void* host_gs = oe_get_gs_register_base();
+    void* host_fs = oe_get_fs_register_base();
+    sgx_tcs_t* sgx_tcs = (sgx_tcs_t*)tcs;
+
     while (1)
     {
+        // Set GS and FS registers to values set by the ENCLU instruction upon
+        // entry to the enclave.
+        oe_set_gs_register_base((void*)(enclave->addr + sgx_tcs->gsbase));
+        oe_set_fs_register_base((void*)(enclave->addr + sgx_tcs->fsbase));
+
         // Define register bindings and initialize the registers.
         // See oe_enter for ENCLU contract.
         OE_DEFINE_REGISTER(rax, 0 /* CSSA */);
@@ -195,6 +206,10 @@ void oe_enter_sim(
         arg1 = rdi;
         arg2 = rsi;
 
+        // Restore GS and FS registers upon returning from the enclave.
+        oe_set_gs_register_base(host_gs);
+        oe_set_fs_register_base(host_fs);
+
         // Make an OCALL if needed.
         oe_code_t code = oe_get_code_from_call_arg1(arg1);
         if (code == OE_CODE_OCALL)

From df33a01afc1e2de7dadce87d4cafb44a5d494976 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Tue, 7 Jan 2020 18:08:32 -0800
Subject: [PATCH 394/420] Mark oe_setjmp as returns_twice. This prevents clang
 from adding return address based speculative load hardening mitigations which
 can cause code calling oe_setjmp to crash.

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 enclave/core/sgx/longjmp.S            | 8 --------
 include/openenclave/bits/defs.h       | 6 ++++++
 include/openenclave/corelibc/setjmp.h | 3 ++-
 include/openenclave/internal/jump.h   | 2 +-
 4 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/enclave/core/sgx/longjmp.S b/enclave/core/sgx/longjmp.S
index 67723ee5fd..bdd35c2217 100644
--- a/enclave/core/sgx/longjmp.S
+++ b/enclave/core/sgx/longjmp.S
@@ -25,14 +25,6 @@ oe_longjmp:
     mov $1, %rax # Return value (int)
 
 val_is_nonzero:
-    # Some versions of clang generate code that relies on the return address
-    # of this stack frame to be the address that was actually jumped to. Set
-    # the stored %rip value as the return address for the stack frame directly
-    # above the one we're returning to.
-    mov 16(%rdi),%rcx # Get stored %rip
-    mov (%rdi),%rdx # Get stored %rsp
-    mov %rcx,-0x8(%rdx)
-
     mov (%rdi),%rsp
     mov 8(%rdi),%rbp
     mov 24(%rdi),%rbx
diff --git a/include/openenclave/bits/defs.h b/include/openenclave/bits/defs.h
index aa30975854..70c9633aba 100644
--- a/include/openenclave/bits/defs.h
+++ b/include/openenclave/bits/defs.h
@@ -51,6 +51,12 @@
 #define OE_INLINE static __inline__
 #endif
 
+#if defined(__GNUC__) || defined(__clang__)
+#define OE_RETURNS_TWICE __attribute__((returns_twice))
+#else
+#define OE_RETURNS_TWICE
+#endif
+
 #ifdef _MSC_VER
 #define OE_NO_OPTIMIZE_BEGIN __pragma(optimize("", off))
 #define OE_NO_OPTIMIZE_END __pragma(optimize("", on))
diff --git a/include/openenclave/corelibc/setjmp.h b/include/openenclave/corelibc/setjmp.h
index e1664459a8..a5e82303ae 100644
--- a/include/openenclave/corelibc/setjmp.h
+++ b/include/openenclave/corelibc/setjmp.h
@@ -6,6 +6,7 @@
 
 #include <openenclave/bits/defs.h>
 #include <openenclave/bits/types.h>
+#include <openenclave/corelibc/bits/defs.h>
 
 /*
 **==============================================================================
@@ -21,7 +22,7 @@
 #undef ___OE_JMP_BUF
 #undef __OE_JMP_BUF
 
-int oe_setjmp(oe_jmp_buf* env);
+int oe_setjmp(oe_jmp_buf* env) OE_RETURNS_TWICE;
 
 void oe_longjmp(oe_jmp_buf* env, int val);
 
diff --git a/include/openenclave/internal/jump.h b/include/openenclave/internal/jump.h
index 3809c0fae3..3bf204442a 100644
--- a/include/openenclave/internal/jump.h
+++ b/include/openenclave/internal/jump.h
@@ -26,7 +26,7 @@ typedef struct _oe_jmpbuf
     uint64_t r15;
 } oe_jmpbuf_t;
 
-int oe_setjmp(oe_jmpbuf_t* env);
+int oe_setjmp(oe_jmpbuf_t* env) OE_RETURNS_TWICE;
 
 void oe_longjmp(oe_jmpbuf_t* env, int val);
 

From 05a0710c98896b2c3b481feff33d03ad8022cdb4 Mon Sep 17 00:00:00 2001
From: Simon Leet <simon.leet@microsoft.com>
Date: Wed, 8 Jan 2020 19:14:02 +0000
Subject: [PATCH 395/420] Update OE SDK contact alias to
 oesdk@lists.confidentialcomputing.io

Signed-off-by: Simon Leet <simon.leet@microsoft.com>
---
 THIRD_PARTY_NOTICES        | 2 +-
 cmake/cpack_settings.cmake | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/THIRD_PARTY_NOTICES b/THIRD_PARTY_NOTICES
index 05076e5b15..0642c71495 100644
--- a/THIRD_PARTY_NOTICES
+++ b/THIRD_PARTY_NOTICES
@@ -4,7 +4,7 @@ distributed under licenses different than the Open Enclave software.
 In the event that we accidentally failed to list a required notice, please
 bring it to our attention. Post an issue or email us:
 
-           openenclave@microsoft.com
+           oesdk@lists.confidentialcomputing.io
 
 The attached notices are provided for information only.
 
diff --git a/cmake/cpack_settings.cmake b/cmake/cpack_settings.cmake
index 0be68eaa6e..49252d94c2 100644
--- a/cmake/cpack_settings.cmake
+++ b/cmake/cpack_settings.cmake
@@ -5,7 +5,7 @@
 include(InstallRequiredSystemLibraries)
 set(CPACK_PACKAGE_NAME "open-enclave")
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Open Enclave SDK")
-set(CPACK_PACKAGE_CONTACT "openenclave@microsoft.com")
+set(CPACK_PACKAGE_CONTACT "oesdk@lists.confidentialcomputing.io")
 set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/README.md")
 set(CPACK_RESOURCE_FILE_LICENSE "${PROJECT_SOURCE_DIR}/LICENSE")
 set(CPACK_PACKAGE_VERSION ${OE_VERSION})

From a5e12178df8e81fabdff3c056f68dc416ba3e97b Mon Sep 17 00:00:00 2001
From: Yufei Jiang <yufjiang@microsoft.com>
Date: Wed, 8 Jan 2020 02:52:35 +0000
Subject: [PATCH 396/420] fix error message

Signed-off-by: Yufei Jiang <yufjiang@microsoft.com>
---
 common/sgx/revocation.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/sgx/revocation.c b/common/sgx/revocation.c
index 839b859d72..1f8fb073b7 100644
--- a/common/sgx/revocation.c
+++ b/common/sgx/revocation.c
@@ -410,7 +410,7 @@ oe_result_t oe_validate_revocation_list(
             sgx_endorsements->items[OE_SGX_ENDORSEMENT_FIELD_TCB_INFO].size,
             &platform_tcb_level,
             &parsed_tcb_info),
-        "Failed to parse TCB info. %s",
+        "Failed to parse TCB info or Platform TCB is not up-to-date. %s",
         oe_result_str(result));
 
     OE_CHECK_MSG(

From 36cf132ce1c03eeeef85c5633eda401ab7f8164e Mon Sep 17 00:00:00 2001
From: Xuejun Yang <xuejya@microsoft.com>
Date: Wed, 8 Jan 2020 23:08:59 +0000
Subject: [PATCH 397/420] `Use atomic store for shared variable _capacity

Signed-off-by: Xuejun Yang <xuejya@microsoft.com>
---
 enclave/core/arena.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/enclave/core/arena.c b/enclave/core/arena.c
index dfea301a2c..780e187644 100644
--- a/enclave/core/arena.c
+++ b/enclave/core/arena.c
@@ -26,7 +26,7 @@ bool oe_configure_arena_capacity(size_t cap)
     {
         return false;
     }
-    _capacity = cap;
+    __atomic_store_n(&_capacity, cap, __ATOMIC_SEQ_CST);
     return true;
 }
 

From 2e5349daf093fd174fdb5d58bc4f11ad4a1049c4 Mon Sep 17 00:00:00 2001
From: Ming-Wei Shih <mishih@microsoft.com>
Date: Thu, 19 Dec 2019 23:55:24 +0000
Subject: [PATCH 398/420] Add namespace to dl and crypto libraries

Signed-off-by: Ming-Wei Shih <mishih@microsoft.com>

add test

Signed-off-by: Ming-Wei Shih <mishih@microsoft.com>

format & readme

Signed-off-by: Ming-Wei Shih <mishih@microsoft.com>

update naming

Signed-off-by: Ming-Wei Shih <mishih@microsoft.com>

Resolve comments

Signed-off-by: Ming-Wei Shih <mishih@microsoft.com>

Add dependencies

Add edger8r into dependency
---
 cmake/openenclave-config.cmake.in             | 12 +++---
 debugger/ptraceLib/CMakeLists.txt             |  6 +--
 host/CMakeLists.txt                           | 22 +++++++----
 tests/CMakeLists.txt                          |  1 +
 tests/cmake_name_conflict/CMakeLists.txt      | 10 +++++
 tests/cmake_name_conflict/README.md           |  2 +
 tests/cmake_name_conflict/enc/CMakeLists.txt  | 24 ++++++++++++
 .../enc/crypto/CMakeLists.txt                 |  4 ++
 tests/cmake_name_conflict/enc/crypto/crypto.c |  7 ++++
 tests/cmake_name_conflict/enc/crypto/crypto.h |  4 ++
 .../cmake_name_conflict/enc/dl/CMakeLists.txt |  4 ++
 tests/cmake_name_conflict/enc/dl/dl.c         |  7 ++++
 tests/cmake_name_conflict/enc/dl/dl.h         |  4 ++
 tests/cmake_name_conflict/enc/enc.c           | 21 ++++++++++
 tests/cmake_name_conflict/host/CMakeLists.txt | 22 +++++++++++
 tests/cmake_name_conflict/host/host.cpp       | 39 +++++++++++++++++++
 tests/cmake_name_conflict/name_conflict.edl   |  9 +++++
 17 files changed, 181 insertions(+), 17 deletions(-)
 create mode 100644 tests/cmake_name_conflict/CMakeLists.txt
 create mode 100644 tests/cmake_name_conflict/README.md
 create mode 100644 tests/cmake_name_conflict/enc/CMakeLists.txt
 create mode 100644 tests/cmake_name_conflict/enc/crypto/CMakeLists.txt
 create mode 100644 tests/cmake_name_conflict/enc/crypto/crypto.c
 create mode 100644 tests/cmake_name_conflict/enc/crypto/crypto.h
 create mode 100644 tests/cmake_name_conflict/enc/dl/CMakeLists.txt
 create mode 100644 tests/cmake_name_conflict/enc/dl/dl.c
 create mode 100644 tests/cmake_name_conflict/enc/dl/dl.h
 create mode 100644 tests/cmake_name_conflict/enc/enc.c
 create mode 100644 tests/cmake_name_conflict/host/CMakeLists.txt
 create mode 100644 tests/cmake_name_conflict/host/host.cpp
 create mode 100644 tests/cmake_name_conflict/name_conflict.edl

diff --git a/cmake/openenclave-config.cmake.in b/cmake/openenclave-config.cmake.in
index 69fdb6b638..e50a4f3297 100644
--- a/cmake/openenclave-config.cmake.in
+++ b/cmake/openenclave-config.cmake.in
@@ -45,25 +45,25 @@ endif ()
 include(CMakeFindDependencyMacro)
 find_dependency(Threads)
 if (UNIX)
-  if (NOT TARGET crypto)
+  if (NOT TARGET openenclave::crypto)
     find_library(CRYPTO_LIB NAMES crypto)
     if (NOT CRYPTO_LIB)
       message(FATAL_ERROR "-- Looking for crypto library - not found")
     else ()
       message("-- Looking for crypto library - found")
-      add_library(crypto SHARED IMPORTED)
-      set_target_properties(crypto PROPERTIES IMPORTED_LOCATION ${CRYPTO_LIB})
+      add_library(openenclave::crypto SHARED IMPORTED)
+      set_target_properties(openenclave::crypto PROPERTIES IMPORTED_LOCATION ${CRYPTO_LIB})
     endif ()
   endif ()
   
-  if (NOT TARGET dl)
+  if (NOT TARGET openenclave::dl)
     find_library(DL_LIB NAMES dl)
     if(NOT DL_LIB)
       message(FATAL_ERROR "-- Looking for dl library - not found")
     else ()
       message("-- Looking for dl library - found")
-      add_library(dl SHARED IMPORTED)
-      set_target_properties(dl PROPERTIES IMPORTED_LOCATION ${DL_LIB})
+      add_library(openenclave::dl SHARED IMPORTED)
+      set_target_properties(openenclave::dl PROPERTIES IMPORTED_LOCATION ${DL_LIB})
     endif ()
   endif ()
 elseif (WIN32)
diff --git a/debugger/ptraceLib/CMakeLists.txt b/debugger/ptraceLib/CMakeLists.txt
index a3344e8622..1b1fe2ff3e 100644
--- a/debugger/ptraceLib/CMakeLists.txt
+++ b/debugger/ptraceLib/CMakeLists.txt
@@ -2,8 +2,8 @@
 # Licensed under the MIT License.
 
 find_library(DL_LIB NAMES dl)
-add_library(dl SHARED IMPORTED)
-set_target_properties(dl PROPERTIES IMPORTED_LOCATION ${DL_LIB})
+add_library(openenclave::dl SHARED IMPORTED)
+set_target_properties(openenclave::dl PROPERTIES IMPORTED_LOCATION ${DL_LIB})
 
 find_package(Threads REQUIRED)
 
@@ -12,7 +12,7 @@ add_library(oe_ptrace SHARED
   inferior_status.c
   enclave_context.c)
 
-target_link_libraries(oe_ptrace oe_includes dl Threads::Threads)
+target_link_libraries(oe_ptrace oe_includes openenclave::dl Threads::Threads)
 
 target_compile_options(oe_ptrace PRIVATE 
   -Wall -Werror -Wno-attributes -Wmissing-prototypes -m64)
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index 77635a2945..06b17e63b4 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -284,25 +284,25 @@ endif()
 # TODO: Replace these with `find_package` and add as dependencies to
 # the CMake package.
 if (UNIX)
-  if (NOT TARGET crypto)
+  if (NOT TARGET openenclave::crypto)
     find_library(CRYPTO_LIB NAMES crypto)
     if (NOT CRYPTO_LIB)
       message(FATAL_ERROR "-- Looking for crypto library - not found")
     else ()
       message("-- Looking for crypto library - found")
-      add_library(crypto SHARED IMPORTED)
-      set_target_properties(crypto PROPERTIES IMPORTED_LOCATION ${CRYPTO_LIB})
+      add_library(openenclave::crypto SHARED IMPORTED)
+      set_target_properties(openenclave::crypto PROPERTIES IMPORTED_LOCATION ${CRYPTO_LIB})
     endif ()
   endif ()
 
-  if (NOT TARGET dlib)
+  if (NOT TARGET openenclave::dl)
     find_library(DL_LIB NAMES dl)
     if (NOT DL_LIB)
       message(FATAL_ERROR "-- Looking for dl library - not found")
     else ()
       message("-- Looking for dl library - found")
-      add_library(dl SHARED IMPORTED)
-      set_target_properties(dl PROPERTIES IMPORTED_LOCATION ${DL_LIB})
+      add_library(openenclave::dl SHARED IMPORTED)
+      set_target_properties(openenclave::dl PROPERTIES IMPORTED_LOCATION ${DL_LIB})
     endif ()
   endif ()
 endif ()
@@ -310,8 +310,14 @@ endif ()
 find_package(Threads REQUIRED)
 
 if (UNIX)
-  target_link_libraries(oehost PRIVATE crypto dl Threads::Threads)
-  target_link_libraries(oehostverify PRIVATE crypto dl Threads::Threads)
+  target_link_libraries(oehost PRIVATE
+      openenclave::crypto
+      openenclave::dl
+      Threads::Threads)
+  target_link_libraries(oehostverify PRIVATE
+      openenclave::crypto
+      openenclave::dl
+      Threads::Threads)
 
   if (OE_TRUSTZONE)
     target_include_directories(oehost PRIVATE
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 4ece6a31e7..13c98d0b74 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -86,6 +86,7 @@ endif()
 # Windows test Broken Post #632 issue
 if ( UNIX )
     if (OE_SGX)
+        add_subdirectory(cmake_name_conflict)
         add_subdirectory(libcxx)
         add_subdirectory(libcxxrt)
         add_subdirectory(memory)
diff --git a/tests/cmake_name_conflict/CMakeLists.txt b/tests/cmake_name_conflict/CMakeLists.txt
new file mode 100644
index 0000000000..3871793d40
--- /dev/null
+++ b/tests/cmake_name_conflict/CMakeLists.txt
@@ -0,0 +1,10 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+add_subdirectory(host)
+
+if (BUILD_ENCLAVES)
+	add_subdirectory(enc)
+endif()
+
+add_enclave_test(tests/cmake_name_conflict name_conflict_host name_conflict_enc)
diff --git a/tests/cmake_name_conflict/README.md b/tests/cmake_name_conflict/README.md
new file mode 100644
index 0000000000..79bdfee4d5
--- /dev/null
+++ b/tests/cmake_name_conflict/README.md
@@ -0,0 +1,2 @@
+This test verifies that the linux build allows developers to include cmake
+target named **dl** or **crypto**.
diff --git a/tests/cmake_name_conflict/enc/CMakeLists.txt b/tests/cmake_name_conflict/enc/CMakeLists.txt
new file mode 100644
index 0000000000..7e8c06fde9
--- /dev/null
+++ b/tests/cmake_name_conflict/enc/CMakeLists.txt
@@ -0,0 +1,24 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+add_custom_command(
+    OUTPUT
+    name_conflict_t.h
+    name_conflict_t.c
+    name_conflict_args.h
+    DEPENDS
+    edger8r
+    ../name_conflict.edl
+    COMMAND edger8r --trusted --search-path ${CMAKE_CURRENT_SOURCE_DIR}/.. name_conflict.edl)
+
+add_enclave(TARGET name_conflict_enc
+    UUID 15056a35-a9ae-4c5e-a118-3ff174d61579
+    SOURCES enc.c name_conflict_t.c)
+
+add_subdirectory(crypto)
+add_subdirectory(dl)
+
+target_include_directories(name_conflict_enc PRIVATE ${CMAKE_CURRENT_BINARY_DIR}
+                           ${CMAKE_CURRENT_SOURCE_DIR}/crypto
+                           ${CMAKE_CURRENT_SOURCE_DIR}/dl)
+target_link_libraries(name_conflict_enc oelibc crypto dl)
diff --git a/tests/cmake_name_conflict/enc/crypto/CMakeLists.txt b/tests/cmake_name_conflict/enc/crypto/CMakeLists.txt
new file mode 100644
index 0000000000..a1f1af3352
--- /dev/null
+++ b/tests/cmake_name_conflict/enc/crypto/CMakeLists.txt
@@ -0,0 +1,4 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+add_library(crypto crypto.c)
diff --git a/tests/cmake_name_conflict/enc/crypto/crypto.c b/tests/cmake_name_conflict/enc/crypto/crypto.c
new file mode 100644
index 0000000000..549fee602b
--- /dev/null
+++ b/tests/cmake_name_conflict/enc/crypto/crypto.c
@@ -0,0 +1,7 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+int test_crypto()
+{
+    return 5;
+}
diff --git a/tests/cmake_name_conflict/enc/crypto/crypto.h b/tests/cmake_name_conflict/enc/crypto/crypto.h
new file mode 100644
index 0000000000..c6a402f306
--- /dev/null
+++ b/tests/cmake_name_conflict/enc/crypto/crypto.h
@@ -0,0 +1,4 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+int test_crypto();
diff --git a/tests/cmake_name_conflict/enc/dl/CMakeLists.txt b/tests/cmake_name_conflict/enc/dl/CMakeLists.txt
new file mode 100644
index 0000000000..068d8684cd
--- /dev/null
+++ b/tests/cmake_name_conflict/enc/dl/CMakeLists.txt
@@ -0,0 +1,4 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+add_library(dl dl.c)
diff --git a/tests/cmake_name_conflict/enc/dl/dl.c b/tests/cmake_name_conflict/enc/dl/dl.c
new file mode 100644
index 0000000000..c38896eae1
--- /dev/null
+++ b/tests/cmake_name_conflict/enc/dl/dl.c
@@ -0,0 +1,7 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+int test_dl()
+{
+    return 6;
+}
diff --git a/tests/cmake_name_conflict/enc/dl/dl.h b/tests/cmake_name_conflict/enc/dl/dl.h
new file mode 100644
index 0000000000..c4f1c8032b
--- /dev/null
+++ b/tests/cmake_name_conflict/enc/dl/dl.h
@@ -0,0 +1,4 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+int test_dl();
diff --git a/tests/cmake_name_conflict/enc/enc.c b/tests/cmake_name_conflict/enc/enc.c
new file mode 100644
index 0000000000..ae38f9117d
--- /dev/null
+++ b/tests/cmake_name_conflict/enc/enc.c
@@ -0,0 +1,21 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <crypto.h>
+#include <dl.h>
+#include <openenclave/enclave.h>
+#include <openenclave/internal/tests.h>
+
+void test_name_conflict(void)
+{
+    OE_TEST(test_crypto() == 5);
+    OE_TEST(test_dl() == 6);
+}
+
+OE_SET_ENCLAVE_SGX(
+    1,    /* ProductID */
+    1,    /* SecurityVersion */
+    true, /* AllowDebug */
+    1024, /* HeapPageCount */
+    1024, /* StackPageCount */
+    2);   /* TCSCount */
diff --git a/tests/cmake_name_conflict/host/CMakeLists.txt b/tests/cmake_name_conflict/host/CMakeLists.txt
new file mode 100644
index 0000000000..0b512db49a
--- /dev/null
+++ b/tests/cmake_name_conflict/host/CMakeLists.txt
@@ -0,0 +1,22 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+add_custom_command(
+    OUTPUT
+    name_conflict_u.h
+    name_conflict_u.c
+    name_conflict_args.h
+    DEPENDS
+    edger8r
+    ../name_conflict.edl
+    COMMAND edger8r --untrusted --search-path ${CMAKE_CURRENT_SOURCE_DIR}/.. name_conflict.edl)
+
+add_executable(name_conflict_host
+    host.cpp
+    name_conflict_u.c
+    name_conflict_u.h
+    name_conflict_args.h
+)
+
+target_include_directories(name_conflict_host PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+target_link_libraries(name_conflict_host oehostapp)
diff --git a/tests/cmake_name_conflict/host/host.cpp b/tests/cmake_name_conflict/host/host.cpp
new file mode 100644
index 0000000000..f166843796
--- /dev/null
+++ b/tests/cmake_name_conflict/host/host.cpp
@@ -0,0 +1,39 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <cstdio>
+
+#include <openenclave/host.h>
+#include <openenclave/internal/error.h>
+#include <openenclave/internal/globals.h>
+#include <openenclave/internal/tests.h>
+
+#include "name_conflict_u.h"
+
+int main(int argc, const char* argv[])
+{
+    oe_result_t result;
+    oe_enclave_t* enclave = NULL;
+    const oe_enclave_type_t type = OE_ENCLAVE_TYPE_SGX;
+    const uint32_t flags = oe_get_create_flags();
+
+    if (argc != 2)
+    {
+        fprintf(stderr, "Usage: %s ENCLAVE_PATH\n", argv[0]);
+        return 1;
+    }
+
+    result = oe_create_name_conflict_enclave(
+        argv[1], type, flags, NULL, 0, &enclave);
+    OE_TEST(result == OE_OK);
+
+    result = test_name_conflict(enclave);
+    OE_TEST(result == OE_OK);
+
+    result = oe_terminate_enclave(enclave);
+    OE_TEST(result == OE_OK);
+
+    printf("===All tests pass (cmake_name_conflict).\n");
+
+    return 0;
+}
diff --git a/tests/cmake_name_conflict/name_conflict.edl b/tests/cmake_name_conflict/name_conflict.edl
new file mode 100644
index 0000000000..88de101658
--- /dev/null
+++ b/tests/cmake_name_conflict/name_conflict.edl
@@ -0,0 +1,9 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+enclave {
+
+    trusted {
+        public void test_name_conflict();
+    };
+};

From 456f3a2ee5735cc650f69e2e810fb253a83799d4 Mon Sep 17 00:00:00 2001
From: Alvin Chen <alvin@chen.asia>
Date: Fri, 1 Nov 2019 17:33:20 -0700
Subject: [PATCH 399/420] The stack guard for enclave on SGX is turned on.

This implementation makes use of the Stack Smashing Protector from the compiler. The key measurement is putting a canary(copied from fs:0x28) on the stack, then check the value of canary before exit.
To use the stack guard already defined in thread data, the thread data td is moved from GS page to FS page. Thus the first 256 bytes of FS page is also reserved from thread specific data in FS page.
One test unit stack_smashing_protector is added, which includes stack smashing protection test and also thread specific data test.

Signed-off-by: Alvin Chen <alvin@chen.asia>
---
 CHANGELOG.md                                  |   1 +
 debugger/pythonExtension/gdb_sgx_plugin.py    |   2 +-
 enclave/core/CMakeLists.txt                   |   8 +-
 enclave/core/sgx/calls.c                      |  57 ++++---
 enclave/core/sgx/enter.S                      |  36 ++--
 enclave/core/sgx/exit.S                       |  14 +-
 enclave/core/sgx/linux/threadlocal.c          |  15 +-
 enclave/core/sgx/td.c                         | 159 ++---------------
 enclave/core/sgx/td.h                         |  24 ++-
 enclave/core/sgx/td_basic.c                   | 161 ++++++++++++++++++
 enclave/core/sgx/thread.c                     |  25 ++-
 host/README.md                                |  15 +-
 host/sgx/create.c                             |  15 +-
 include/openenclave/internal/constants_x64.h  |   2 +-
 include/openenclave/internal/sgxtypes.h       |  21 ++-
 tests/CMakeLists.txt                          |   1 +
 tests/debugger/oegdb/enc/contract.c           |   2 +-
 tests/stack_smashing_protector/CMakeLists.txt |  11 ++
 .../enc/CMakeLists.txt                        |  16 ++
 tests/stack_smashing_protector/enc/enc.cpp    |  89 ++++++++++
 .../host/CMakeLists.txt                       |  11 ++
 tests/stack_smashing_protector/host/host.cpp  |  69 ++++++++
 tests/stack_smashing_protector/ssp.edl        |  14 ++
 tests/stdcxx/CMakeLists.txt                   |   5 +
 tests/stdcxx/host/host.cpp                    |  13 ++
 25 files changed, 558 insertions(+), 228 deletions(-)
 create mode 100644 enclave/core/sgx/td_basic.c
 create mode 100644 tests/stack_smashing_protector/CMakeLists.txt
 create mode 100644 tests/stack_smashing_protector/enc/CMakeLists.txt
 create mode 100644 tests/stack_smashing_protector/enc/enc.cpp
 create mode 100644 tests/stack_smashing_protector/host/CMakeLists.txt
 create mode 100644 tests/stack_smashing_protector/host/host.cpp
 create mode 100644 tests/stack_smashing_protector/ssp.edl

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 42129f9c6f..6cc9f8123a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
     - The copyright for all sources is now attributed to Open Enclave SDK contributors.
 - Update Intel DCAP library dependencies to 1.3.1.
 - Update Intel PSW dependencies to 2.5.101.3 on Windows.
+- The stack guard for OE SDK on SGX is turned on. It is also turned on for enclaves.
 
 [v0.7.0] - 2019-10-26
 ---------------------
diff --git a/debugger/pythonExtension/gdb_sgx_plugin.py b/debugger/pythonExtension/gdb_sgx_plugin.py
index 5d5463b12a..fa257be403 100644
--- a/debugger/pythonExtension/gdb_sgx_plugin.py
+++ b/debugger/pythonExtension/gdb_sgx_plugin.py
@@ -78,7 +78,7 @@ def is_valid(self):
 
 
 # This constant definition must align with the OE enclave layout.
-TD_OFFSET_FROM_TCS =  0X4000
+TD_OFFSET_FROM_TCS =  0X5000
 
 # This constant definition must align with TD structure in internal\sgxtypes.h.
 TD_CALLSITE_OFFSET = 0XF0
diff --git a/enclave/core/CMakeLists.txt b/enclave/core/CMakeLists.txt
index 970b90e75a..e3aa07f74e 100644
--- a/enclave/core/CMakeLists.txt
+++ b/enclave/core/CMakeLists.txt
@@ -68,6 +68,7 @@ if (OE_SGX)
         sgx/sched_yield.c
         sgx/spinlock.c
         sgx/td.c
+        sgx/td_basic.c
         sgx/thread.c
         sgx/tracee.c
         sgx/enter.S
@@ -76,6 +77,11 @@ if (OE_SGX)
         sgx/longjmp.S
         sgx/setjmp.S)
 
+    # Functions in td_basic.c will change the status of td and may trigger
+    # stack check fail, thus it is necessary to turn off stack check.
+    set_source_files_properties(sgx/td_basic.c PROPERTIES
+        COMPILE_FLAGS -fno-stack-protector)
+
     # OS specific sources for SGX.
     if (UNIX OR USE_CLANGW)
         list(APPEND PLATFORM_SRC
@@ -208,7 +214,7 @@ if (OE_SGX)
     target_compile_options(oecore PUBLIC
         -fPIE
         -nostdinc
-        -fno-stack-protector
+        -fstack-protector-strong
         -fvisibility=hidden
         # Put each function or data in its own section.
         # This allows aggressively eliminating unused code.
diff --git a/enclave/core/sgx/calls.c b/enclave/core/sgx/calls.c
index c616a70b91..830d8c14c4 100644
--- a/enclave/core/sgx/calls.c
+++ b/enclave/core/sgx/calls.c
@@ -340,6 +340,19 @@ static void _handle_ecall(
     uint64_t* output_arg1,
     uint64_t* output_arg2)
 {
+    /* To keep status of td consistent before and after _handle_ecall, td_init
+     is moved into _handle_ecall. In this way _handle_ecall will not trigger
+     stack check fail by accident. Of couse not all function have the
+     opportunity to keep such consistency. Such basic functions are moved to a
+     separate source file and the stack protector is disabled by force
+     through fno-stack-protector option. */
+
+    /* Initialize thread data structure (if not already initialized) */
+    if (!td_initialized(td))
+    {
+        td_init(td);
+    }
+
     oe_result_t result = OE_OK;
 
     /* Insert ECALL context onto front of td_t.ecalls list */
@@ -698,25 +711,27 @@ oe_result_t oe_call_host_function(
 **     used by a thread entering the enclave). Each thread section has the
 **     following layout:
 **
-**         +--------------------------------+
-**         | Guard Page                     |
-**         +--------------------------------+
-**         | Stack pages                    |
-**         +--------------------------------+
-**         | Guard Page                     |
-**         +--------------------------------+
-**         | TCS Page                       |
-**         +--------------------------------+
-**         | SSA (State Save Area) 0        |
-**         +--------------------------------+
-**         | SSA (State Save Area) 1        |
-**         +--------------------------------+
-**         | Guard Page                     |
-**         +--------------------------------+
-**         | GS page (contains thread data) |
-**         +--------------------------------+
-**
-**     EENTER sets the GS segment register to refer to the GS page before
+**         +----------------------------+
+**         | Guard Page                 |
+**         +----------------------------+
+**         | Stack pages                |
+**         +----------------------------+
+**         | Guard Page                 |
+**         +----------------------------+
+**         | TCS Page                   |
+**         +----------------------------+
+**         | SSA (State Save Area) 0    |
+**         +----------------------------+
+**         | SSA (State Save Area) 1    |
+**         +----------------------------+
+**         | Guard Page                 |
+**         +----------------------------+
+**         | Thread local storage       |
+**         +----------------------------+
+**         | FS/GS Page (td_t + tsp)    |
+**         +----------------------------+
+**
+**     EENTER sets the FS segment register to refer to the FS page before
 **     calling this function.
 **
 **     If the enclave should fault, SGX saves the registers in the SSA slot
@@ -815,10 +830,6 @@ void __oe_handle_main(
     /* Get pointer to the thread data structure */
     td_t* td = td_from_tcs(tcs);
 
-    /* Initialize thread data structure (if not already initialized) */
-    if (!td_initialized(td))
-        td_init(td);
-
     /* If this is a normal (non-exception) entry */
     if (cssa == 0)
     {
diff --git a/enclave/core/sgx/enter.S b/enclave/core/sgx/enter.S
index a0146b1bfe..ca16c5e0dd 100644
--- a/enclave/core/sgx/enter.S
+++ b/enclave/core/sgx/enter.S
@@ -40,15 +40,15 @@ oe_enter:
 
 .save_host_registers:
     // Backup the current host rbp and rsp to previous.
-    mov %gs:td_host_rbp, %r8
-    mov %r8, %gs:td_host_previous_rbp
-    mov %gs:td_host_rsp, %r8
-    mov %r8, %gs:td_host_previous_rsp
+    mov %fs:td_host_rbp, %r8
+    mov %r8, %fs:td_host_previous_rbp
+    mov %fs:td_host_rsp, %r8
+    mov %r8, %fs:td_host_previous_rsp
 
     // Save host registers (restored on EEXIT)
-    mov %rcx, %gs:td_host_rcx // host return address here
-    mov %rsp, %gs:td_host_rsp
-    mov %rbp, %gs:td_host_rbp
+    mov %rcx, %fs:td_host_rcx // host return address here
+    mov %rsp, %fs:td_host_rsp
+    mov %rbp, %fs:td_host_rbp
 
 .determine_entry_type:
     // Check if this is exception dispatching request.
@@ -62,7 +62,7 @@ oe_enter:
 
     // Check whether this is a clean entry or a nested entry
     // clean-entry-check.
-    mov %gs:td_depth, %r8
+    mov %fs:td_depth, %r8
     cmp $0, %r8
     je .clean_entry
     jmp .nested_entry
@@ -99,7 +99,7 @@ oe_enter:
     lfence
 
     // Restore stack pointer and enclave registers:
-    mov %gs:td_last_sp, %rsp
+    mov %fs:td_last_sp, %rsp
 
     // align the stack
     and $-16, %rsp
@@ -138,8 +138,8 @@ oe_enter:
     popfq
 
     // Get the host stack pointer.
-    mov %gs:td_host_rsp, %r8
-    mov %gs:td_host_rbp, %r9
+    mov %fs:td_host_rsp, %r8
+    mov %fs:td_host_rbp, %r9
 
     // Construct the frame and align the stack.
     pushq $0
@@ -162,13 +162,13 @@ oe_enter:
     sub $OM_STACK_LENGTH, %rsp
 
     // Save the host stack pointers to enclave stack.
-    mov %gs:td_host_rsp, %r8
-    mov %gs:td_host_rbp, %r9
+    mov %fs:td_host_rsp, %r8
+    mov %fs:td_host_rbp, %r9
     mov %r8, OM_HOST_RSP
     mov %r9, OM_HOST_RBP
 
     // Save the host return address to enclave stack.
-    mov %gs:td_host_rcx, %r8
+    mov %fs:td_host_rcx, %r8
     mov %r8, OM_HOST_RETURN_ADDR
 
     // Call __oe_handle_main(ARG1=RDI, ARG2=RSI, CSSA=RDX, TCS=RCX, OUTPUTARG1=R8, OUTPUTARG2=R9)
@@ -186,7 +186,7 @@ oe_enter:
 
     // Check the depth of the ECALL stack (zero for clean exit)
     // exit-type-check.
-    mov %gs:td_depth, %r8
+    mov %fs:td_depth, %r8
     cmp $0, %r8
     je .clean_exit
 
@@ -218,7 +218,7 @@ oe_enter:
     pop %r12
     pop %r12
 
-    mov %rsp, %gs:td_last_sp
+    mov %rsp, %fs:td_last_sp
 
     jmp .clear_enclave_registers
 
@@ -228,7 +228,7 @@ oe_enter:
     lfence
 
     // Clear the td_t.last_sp field (force oe_enter to calculate stack pointer)
-    movq $0, %gs:td_last_sp
+    movq $0, %fs:td_last_sp
 
 .clear_enclave_registers:
 
@@ -246,7 +246,7 @@ oe_enter:
 
     // Check td_t.simulate flag
     // simulation-flag-check.
-    mov %gs:td_simulate, %rax
+    mov %fs:td_simulate, %rax
     cmp $0, %rax
     jz .execute_eexit_instruction
 
diff --git a/enclave/core/sgx/exit.S b/enclave/core/sgx/exit.S
index eb7cd1b667..9aed5372bf 100644
--- a/enclave/core/sgx/exit.S
+++ b/enclave/core/sgx/exit.S
@@ -55,7 +55,7 @@ oe_asm_exit:
 
     // Check the depth of the ECALL stack (zero for clean exit)
     // exit-type-check.
-    mov %gs:td_depth, %r8
+    mov %fs:td_depth, %r8
     cmp $0, %r8
     je .clean_exit
 
@@ -89,7 +89,7 @@ oe_asm_exit:
     pop %rsi
     pop %rdi
 
-    mov %rsp, %gs:td_last_sp
+    mov %rsp, %fs:td_last_sp
 
     jmp .clear_enclave_registers
 
@@ -99,7 +99,7 @@ oe_asm_exit:
     lfence
 
     // Clear the td_t.last_sp field (force oe_enter to calculate stack pointer)
-    movq $0, %gs:td_last_sp
+    movq $0, %fs:td_last_sp
 
 .clear_enclave_registers:
 
@@ -108,15 +108,15 @@ oe_asm_exit:
 
 .restore_host_registers:
 
-    mov %gs:td_host_rcx, %rcx
-    mov %gs:td_host_rsp, %rsp
-    mov %gs:td_host_rbp, %rbp
+    mov %fs:td_host_rcx, %rcx
+    mov %fs:td_host_rsp, %rsp
+    mov %fs:td_host_rbp, %rbp
 
 .execute_eexit:
 
     // Check td_t.simulate flag
     // simulate-flag-check.
-    mov %gs:td_simulate, %rax
+    mov %fs:td_simulate, %rax
     cmp $0, %rax
     jz .execute_eexit_instruction
 
diff --git a/enclave/core/sgx/linux/threadlocal.c b/enclave/core/sgx/linux/threadlocal.c
index 326e9f19c2..e8db3cbb6e 100644
--- a/enclave/core/sgx/linux/threadlocal.c
+++ b/enclave/core/sgx/linux/threadlocal.c
@@ -204,16 +204,15 @@ static volatile bool _thread_locals_relocated = false;
 static __thread oe_tls_atexit_t* _tls_atexit_functions;
 static __thread uint64_t _num_tls_atexit_functions;
 
-/**
- * Get the address of the FS segment given a thread data object.
- * Currently FS is assumed to exist one page after the thread data.
- * This needs to be made more flexible, taking into account the
- * actual size of the tls data.
- */
+// TODO: Make this flexible in case more than one page of thread local storage
+// need to allocate.
+
+/* The thread data (td) object is always populated at the start of the
+   FS segment, so this method just returns the address of the td.
+*/
 static uint8_t* _get_fs_from_td(td_t* td)
 {
-    // TODO: Make this flexible
-    uint8_t* fs = (uint8_t*)td + 1 * OE_PAGE_SIZE;
+    uint8_t* fs = (uint8_t*)td;
     return fs;
 }
 
diff --git a/enclave/core/sgx/td.c b/enclave/core/sgx/td.c
index cd06b54f30..2230ffaf7f 100644
--- a/enclave/core/sgx/td.c
+++ b/enclave/core/sgx/td.c
@@ -8,6 +8,7 @@
 #include <openenclave/internal/calls.h>
 #include <openenclave/internal/fault.h>
 #include <openenclave/internal/globals.h>
+#include <openenclave/internal/rdrand.h>
 #include <openenclave/internal/sgxtypes.h>
 #include <openenclave/internal/utils.h>
 #include "asmdefs.h"
@@ -17,7 +18,7 @@
 #include "linux/threadlocal.h"
 #endif
 
-#define TD_FROM_TCS (4 * OE_PAGE_SIZE)
+#define TD_FROM_TCS (5 * OE_PAGE_SIZE)
 
 OE_STATIC_ASSERT(OE_OFFSETOF(td_t, magic) == td_magic);
 OE_STATIC_ASSERT(OE_OFFSETOF(td_t, depth) == td_depth);
@@ -36,7 +37,7 @@ OE_STATIC_ASSERT(OE_OFFSETOF(td_t, simulate) == td_simulate);
 #if defined(__linux__)
 OE_STATIC_ASSERT(td_callsites == 0xf0);
 OE_STATIC_ASSERT(OE_OFFSETOF(Callsite, ocall_context) == 0x40);
-OE_STATIC_ASSERT(TD_FROM_TCS == 0x4000);
+OE_STATIC_ASSERT(TD_FROM_TCS == 0x5000);
 OE_STATIC_ASSERT(sizeof(oe_ocall_context_t) == (2 * sizeof(uintptr_t)));
 #endif
 
@@ -80,41 +81,19 @@ void td_push_callsite(td_t* td, Callsite* callsite)
 /*
 **==============================================================================
 **
-** td_pop_callsite()
-**
-**     Remove the Callsite structure that is at the head of the
-**     td_t.callsites list.
-**
-**==============================================================================
-*/
-
-void td_pop_callsite(td_t* td)
-{
-    if (!td || !td->callsites)
-        oe_abort();
-
-    if (td->depth == 1)
-    {
-        // The outermost ecall is about to return.
-        // Clear the thread-local storage.
-        td_clear(td);
-    }
-    else
-    {
-        // Nested ecall returning.
-        td->callsites = td->callsites->next;
-        --td->depth;
-    }
-}
-
-/*
-**==============================================================================
+**     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+**     According to the implementation of Windows debugger and the previous
+**     design of this structure, the debugger need the GS segment register
+**     to find td_t. Since td_t is moved to current FS page, now GS segment
+**     register needs to point to this page. Do not change the GS segment
+**     resigter until it is solved on Windows debugger.
+**     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 **
 ** td_from_tcs()
 **
 **     This function calculates the address of the td_t (thread data structure)
 **     relative to the TCS (Thread Control Structure) page. The td_t resides in
-**     a page pointed to by the GS (segment register). This page occurs 4 pages
+**     a page pointed to by the FS (segment register). This page occurs 5 pages
 **     after the TCS page. The layout is as follows:
 **
 **         +----------------------------+
@@ -126,14 +105,16 @@ void td_pop_callsite(td_t* td)
 **         +----------------------------+
 **         | Guard Page                 |
 **         +----------------------------+
-**         | GS Segment (contains td_t) |
+**         | Thread local storage       |
+**         +----------------------------+
+**         | FS/GS Page (td_t + tsp)    |
 **         +----------------------------+
 **
 **     This layout is determined by the enclave builder. See:
 **
-**         ../host/build.c (_add_control_pages)
+**         ../host/sgx/create.c (_add_control_pages)
 **
-**     The GS segment register is set by the EENTER instruction and the td_t
+**     The FS segment register is set by the EENTER instruction and the td_t
 **     page is zero filled upon initial enclave entry. Software sets the
 **     contents of the td_t when it first determines that td_t.self_addr is
 **     zero.
@@ -158,7 +139,7 @@ td_t* td_from_tcs(void* tcs)
 
 void* td_to_tcs(const td_t* td)
 {
-    return (uint8_t*)td - (4 * OE_PAGE_SIZE);
+    return (uint8_t*)td - TD_FROM_TCS;
 }
 
 /*
@@ -179,7 +160,7 @@ td_t* oe_get_td()
 {
     td_t* td;
 
-    asm("mov %%gs:0, %0" : "=r"(td));
+    asm("mov %%fs:0, %0" : "=r"(td));
 
     return td;
 }
@@ -206,107 +187,3 @@ bool td_initialized(td_t* td)
 
     return false;
 }
-
-/*
-**==============================================================================
-**
-** td_init()
-**
-**     Initialize the thread data structure (td_t) if not already initialized.
-**     The td_t resides in the GS segment and is located relative to the TCS.
-**     Refer to the following layout.
-**
-**         +-------------------------+
-**         | Guard Page              |
-**         +-------------------------+
-**         | Stack pages             |
-**         +-------------------------+
-**         | Guard Page              |
-**         +-------------------------+
-**         | TCS Page                |
-**         +-------------------------+
-**         | SSA (State Save Area) 0 |
-**         +-------------------------+
-**         | SSA (State Save Area) 1 |
-**         +-------------------------+
-**         | Guard Page              |
-**         +-------------------------+
-**         | GS page (contains td_t) |
-**         +-------------------------+
-**
-**     Note: the host register fields are pre-initialized by oe_enter:
-**
-**==============================================================================
-*/
-
-void td_init(td_t* td)
-{
-    /* If not already initialized */
-    if (!td_initialized(td))
-    {
-        // td_t.hostsp, td_t.hostbp, and td_t.retaddr already set by
-        // oe_enter().
-
-        /* Clear base structure */
-        memset(&td->base, 0, sizeof(td->base));
-
-        /* Set pointer to self */
-        td->base.self_addr = (uint64_t)td;
-
-        /* Set the magic number */
-        td->magic = TD_MAGIC;
-
-        /* Set the ECALL depth to zero */
-        td->depth = 0;
-
-        /* List of callsites is initially empty */
-        td->callsites = NULL;
-
-#if __linux__
-        oe_thread_local_init(td);
-#endif
-    }
-}
-
-/*
-**==============================================================================
-**
-** td_clear()
-**
-**     Clear the td_t. This is called when the ECALL depth falls to zero
-**     in td_pop_callsite().
-**
-**==============================================================================
-*/
-
-void td_clear(td_t* td)
-{
-    if (td->depth != 1)
-        oe_abort();
-
-    // Release any pthread thread-local storage created using
-    // pthread_create_key.
-    oe_thread_destruct_specific();
-
-#if __linux__
-    oe_thread_local_cleanup(td);
-#endif
-
-    // The call sites and depth are cleaned up after the thread-local storage is
-    // cleaned up since thread-local dynamic destructors could make ocalls.
-    // For such ocalls to work depth and callsites must be cleaned up here.
-    td->callsites = td->callsites->next;
-    --td->depth;
-
-    /* Sanity checks */
-    if (td->depth != 0 || td->callsites != NULL)
-        oe_abort();
-
-    /* Clear base structure */
-    memset(&td->base, 0, sizeof(td->base));
-
-    /* Clear the magic number */
-    td->magic = 0;
-
-    /* Never clear td_t.initialized nor host registers */
-}
diff --git a/enclave/core/sgx/td.h b/enclave/core/sgx/td.h
index 4b743d3e41..0e57a1d289 100644
--- a/enclave/core/sgx/td.h
+++ b/enclave/core/sgx/td.h
@@ -54,26 +54,40 @@ struct _callsite
     Callsite* next;
 };
 
+/* Some basic td function do not have the opportunity to keep consistency of
+   td then may trigger stack check fail. Such functions are moved to a separate
+   source file td_basic.c and the stack guard protector is disabled by force
+   through fno-stack-protector option.
+*/
+
 /*
 **==============================================================================
 **
-** td_t methods:
+** td_t methods defined in td.c
 **
 **==============================================================================
 */
 
 void td_push_callsite(td_t* td, Callsite* ec);
 
-void td_pop_callsite(td_t* td);
-
 td_t* td_from_tcs(void* tcs);
 
 void* td_to_tcs(const td_t* td);
 
+bool td_initialized(td_t* td);
+
+/*
+**==============================================================================
+**
+** td_t methods defined in td_basic.c
+**
+**==============================================================================
+*/
+
+void td_pop_callsite(td_t* td);
+
 void td_init(td_t* td);
 
 void td_clear(td_t* td);
 
-bool td_initialized(td_t* td);
-
 #endif /* _TD_H */
diff --git a/enclave/core/sgx/td_basic.c b/enclave/core/sgx/td_basic.c
new file mode 100644
index 0000000000..eae5e593c5
--- /dev/null
+++ b/enclave/core/sgx/td_basic.c
@@ -0,0 +1,161 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <openenclave/bits/safecrt.h>
+#include <openenclave/corelibc/string.h>
+#include <openenclave/enclave.h>
+#include <openenclave/internal/calls.h>
+#include <openenclave/internal/fault.h>
+#include <openenclave/internal/globals.h>
+#include <openenclave/internal/rdrand.h>
+#include <openenclave/internal/sgxtypes.h>
+#include <openenclave/internal/utils.h>
+#include "asmdefs.h"
+#include "td.h"
+#include "thread.h"
+
+#if __linux__
+#include "linux/threadlocal.h"
+#endif
+
+/*
+**==============================================================================
+**
+** td_pop_callsite()
+**
+**     Remove the Callsite structure that is at the head of the
+**     td_t.callsites list.
+**
+**==============================================================================
+*/
+
+void td_pop_callsite(td_t* td)
+{
+    if (!td->callsites)
+        oe_abort();
+
+    if (td->depth == 1)
+    {
+        // The outermost ecall is about to return.
+        // Clear the thread-local storage.
+        td_clear(td);
+    }
+    else
+    {
+        // Nested ecall returning.
+        td->callsites = td->callsites->next;
+        --td->depth;
+    }
+}
+
+/*
+**==============================================================================
+**
+** td_init()
+**
+**     Initialize the thread data structure (td_t) if not already initialized.
+**     The td_t resides in the FS segment and is located relative to the TCS.
+**     Refer to the following layout.
+**
+**         +----------------------------+
+**         | Guard Page                 |
+**         +----------------------------+
+**         | Stack pages                |
+**         +----------------------------+
+**         | Guard Page                 |
+**         +----------------------------+
+**         | TCS Page                   |
+**         +----------------------------+
+**         | SSA (State Save Area) 0    |
+**         +----------------------------+
+**         | SSA (State Save Area) 1    |
+**         +----------------------------+
+**         | Guard Page                 |
+**         +----------------------------+
+**         | Thread local storage       |
+**         +----------------------------+
+**         | FS/GS Page (td_t + tsp)    |
+**         +----------------------------+
+**
+**     Note: the host register fields are pre-initialized by oe_enter:
+**
+**==============================================================================
+*/
+
+void td_init(td_t* td)
+{
+    /* If not already initialized */
+    if (!td_initialized(td))
+    {
+        // td_t.hostsp, td_t.hostbp, and td_t.retaddr already set by
+        // oe_enter().
+
+        /* Clear base structure */
+        memset(&td->base, 0, sizeof(td->base));
+
+        /* Set pointer to self */
+        td->base.self_addr = (uint64_t)td;
+
+        /* initialize the stack_guard at %%fs:0x28 with a random number.
+        oe_rdrand is a warpper of rdrand. rdrand is a hardware-implemented
+        Pseudo Random Generator, and it is repeatedly seeeded by a high entropy
+        source. */
+        td->base.stack_guard = oe_rdrand();
+
+        /* Set the magic number */
+        td->magic = TD_MAGIC;
+
+        /* Set the ECALL depth to zero */
+        td->depth = 0;
+
+        /* List of callsites is initially empty */
+        td->callsites = NULL;
+
+#if __linux__
+        oe_thread_local_init(td);
+#endif
+    }
+}
+
+/*
+**==============================================================================
+**
+** td_clear()
+**
+**     Clear the td_t. This is called when the ECALL depth falls to zero
+**     in td_pop_callsite().
+**
+**==============================================================================
+*/
+
+void td_clear(td_t* td)
+{
+    if (td->depth != 1)
+        oe_abort();
+
+    // Release any pthread thread-local storage created using
+    // pthread_create_key.
+    oe_thread_destruct_specific();
+
+#if __linux__
+    oe_thread_local_cleanup(td);
+#endif
+
+    // The call sites and depth are cleaned up after the thread-local storage is
+    // cleaned up since thread-local dynamic destructors could make ocalls.
+    // For such ocalls to work depth and callsites must be cleaned up here.
+    td->callsites = td->callsites->next;
+    --td->depth;
+
+    /* Sanity checks */
+    if (td->depth != 0 || td->callsites != NULL)
+        oe_abort();
+
+    /* Clear base structure */
+    memset(&td->base, 0, sizeof(td->base));
+
+    /* Clear the magic number */
+    td->magic = 0;
+
+    /* Never clear td_t.initialized nor host registers */
+}
diff --git a/enclave/core/sgx/thread.c b/enclave/core/sgx/thread.c
index 70730d0120..4593b33aad 100644
--- a/enclave/core/sgx/thread.c
+++ b/enclave/core/sgx/thread.c
@@ -793,7 +793,13 @@ oe_result_t oe_rwlock_unlock(oe_rwlock_t* read_write_lock)
 **==============================================================================
 */
 
-#define MAX_KEYS (OE_PAGE_SIZE / sizeof(void*))
+// We use the FS segment as both the start of the enclave thread data and the
+// user thread-specific data (TSD) space. To prevent TSD from overwriting the
+// enclave thread data, we reserve the first pthread_key indices up to
+// MIN_THREAD_KEY_INDEX so that they are not used by oe_thread_key_create.
+#define MIN_THREAD_KEY_INDEX \
+    ((sizeof(td_t) - OE_THREAD_SPECIFIC_DATA_SIZE) / sizeof(void*))
+#define MAX_THREAD_KEY_INDEX (OE_PAGE_SIZE / sizeof(void*))
 
 typedef struct _key_slot
 {
@@ -801,7 +807,7 @@ typedef struct _key_slot
     void (*destructor)(void* value);
 } KeySlot;
 
-static KeySlot _slots[MAX_KEYS];
+static KeySlot _slots[MAX_THREAD_KEY_INDEX];
 static oe_spinlock_t _lock = OE_SPINLOCK_INITIALIZER;
 
 static void** _get_tsd_page(void)
@@ -811,7 +817,7 @@ static void** _get_tsd_page(void)
     if (!td)
         return NULL;
 
-    return (void**)((unsigned char*)td + OE_PAGE_SIZE);
+    return (void**)td;
 }
 
 oe_result_t oe_thread_key_create(
@@ -827,7 +833,8 @@ oe_result_t oe_thread_key_create(
     {
         oe_spin_lock(&_lock);
 
-        for (unsigned int i = 1; i < MAX_KEYS; i++)
+        for (unsigned int i = MIN_THREAD_KEY_INDEX; i < MAX_THREAD_KEY_INDEX;
+             i++)
         {
             /* If this key is available */
             if (!_slots[i].used)
@@ -853,7 +860,7 @@ oe_result_t oe_thread_key_create(
 oe_result_t oe_thread_key_delete(oe_thread_key_t key)
 {
     /* If key parameter is invalid */
-    if (key == 0 || key >= MAX_KEYS)
+    if (key < MIN_THREAD_KEY_INDEX || key >= MAX_THREAD_KEY_INDEX)
         return OE_INVALID_PARAMETER;
 
     /* Mark this key as unused */
@@ -875,7 +882,7 @@ oe_result_t oe_thread_setspecific(oe_thread_key_t key, const void* value)
     void** tsd_page;
 
     /* If key parameter is invalid */
-    if (key == 0 || key >= MAX_KEYS)
+    if (key < MIN_THREAD_KEY_INDEX || key >= MAX_THREAD_KEY_INDEX)
         return OE_INVALID_PARAMETER;
 
     if (!(tsd_page = _get_tsd_page()))
@@ -890,7 +897,7 @@ void* oe_thread_getspecific(oe_thread_key_t key)
 {
     void** tsd_page;
 
-    if (key == 0 || key >= MAX_KEYS)
+    if (key < MIN_THREAD_KEY_INDEX || key >= MAX_THREAD_KEY_INDEX)
         return NULL;
 
     if (!(tsd_page = _get_tsd_page()))
@@ -909,7 +916,9 @@ void oe_thread_destruct_specific(void)
         oe_spin_lock(&_lock);
         {
             /* For each thread-specific-data key */
-            for (oe_thread_key_t key = 1; key < MAX_KEYS; key++)
+            for (oe_thread_key_t key = MIN_THREAD_KEY_INDEX;
+                 key < MAX_THREAD_KEY_INDEX;
+                 key++)
             {
                 /* If this key is in use: */
                 if (_slots[key].used)
diff --git a/host/README.md b/host/README.md
index 6919ac320d..2aeee6fc30 100644
--- a/host/README.md
+++ b/host/README.md
@@ -48,11 +48,20 @@ see [create.c](create.c)).
         +----------------------------------------+    |
         | Guard page                             |    |
         +----------------------------------------+    |
-        | Segment Page: (FS or GS)               |    |
-        |     (contains thread data structure)   |    |
+        | Thread local storage                   |    |
         +----------------------------------------+    |
-        | Thread specific data (TSD) Page        |    |
+        | Segment Page: (FS)                     |    |
+        | (contains thread data structure        |    |
+        | and Thread specific data (TSD))        |    |
         +----------------------------------------+ <--+
         | Padding Pages (must be a power of two) |
         +----------------------------------------+
+The thread data (td) object is always populated at the start of the
+FS segment, thus FS segment regiter points to td.
 
+The existing Windows SGX enclave debugger finds the start of the thread data
+by assuming that it is located at the start of the GS segment. i.e. it adds the
+enclave base address and the offset to the GS segment stored in TCS.OGSBASGX.
+OE SDK uses the FS segment for this purpose and has no separate use for the
+GS register, so we point it at the FS segment to preserve the Windows debugger
+behavior.
diff --git a/host/sgx/create.c b/host/sgx/create.c
index 7023b1964d..983fdd0956 100644
--- a/host/sgx/create.c
+++ b/host/sgx/create.c
@@ -166,7 +166,7 @@ static oe_result_t _add_control_pages(
      *     page2 - state-save-area (SSA) slot (zero-filled)
      *     page3 - state-save-area (SSA) slot (zero-filled)
      *     page4 - guard page
-     *     page5 - segment space for fs or gs register (holds thread data).
+     *     page5 - thread local storage page.
      *     page6 - extra segment space for thread-specific data.
      */
 
@@ -205,9 +205,6 @@ static oe_result_t _add_control_pages(
         /* The entry point for the program (from ELF) */
         tcs->oentry = entry;
 
-        /* GS segment: points to page following SSA slots (page[3]) */
-        tcs->gsbase = *vaddr + (4 * OE_PAGE_SIZE);
-
         /* FS segment: Used for thread-local variables.
          * The reserved (unused) space in td_t is used for thread-local
          * variables.
@@ -216,6 +213,16 @@ static oe_result_t _add_control_pages(
          */
         tcs->fsbase = *vaddr + (5 * OE_PAGE_SIZE);
 
+        /* The existing Windows SGX enclave debugger finds the start of the
+         * thread data by assuming that it is located at the start of the GS
+         * segment. i.e. it adds the enclave base address and the offset to the
+         * GS segment stored in TCS.OGSBASGX.  OE SDK uses the FS segment for
+         * this purpose and has no separate use for the GS register, so we
+         * point it at the FS segment to preserve the Windows debugger
+         * behavior.
+         */
+        tcs->gsbase = tcs->fsbase;
+
         /* Set to maximum value */
         tcs->fslimit = 0xFFFFFFFF;
 
diff --git a/include/openenclave/internal/constants_x64.h b/include/openenclave/internal/constants_x64.h
index 51238c2478..c5ec1b1dff 100644
--- a/include/openenclave/internal/constants_x64.h
+++ b/include/openenclave/internal/constants_x64.h
@@ -21,7 +21,7 @@
 //
 
 #define OE_SSA_FROM_TCS_BYTE_OFFSET OE_PAGE_SIZE
-#define OE_TD_FROM_TCS_BYTE_OFFSET (4 * OE_PAGE_SIZE)
+#define OE_TD_FROM_TCS_BYTE_OFFSET (5 * OE_PAGE_SIZE)
 #define OE_DEFAULT_SSA_FRAME_SIZE 0x1
 #define OE_SGX_GPR_BYTE_SIZE 0xb8
 #define OE_SGX_TCS_HEADER_BYTE_SIZE 0x48
diff --git a/include/openenclave/internal/sgxtypes.h b/include/openenclave/internal/sgxtypes.h
index ca0927a38c..798bf6f7af 100644
--- a/include/openenclave/internal/sgxtypes.h
+++ b/include/openenclave/internal/sgxtypes.h
@@ -505,11 +505,11 @@ OE_CHECK_SIZE(OE_OFFSETOF(sgx_tcs_t, u.entry), 72);
 **
 **     This structure defines information about an enclave thread. Each
 **     instance is associated with one thread control structure (TCS). This
-**     structure resides in the GS segment page (referenced by the GS segment
+**     structure resides in the FS segment page (referenced by the FS segment
 **     register). A thread obtains its thread data structure by calling
 **     oe_get_thread_data(), which fetches the address at offset zero in
-**     the GS segment register (%gs:0) which contains
-*oe_thread_data_t.self_addr.
+**     the FS segment register (%fs:0) which contains
+**     oe_thread_data_t.self_addr.
 **
 **==============================================================================
 */
@@ -528,7 +528,12 @@ struct _oe_thread_data
     uint64_t __stack_base_addr;
     uint64_t __stack_limit_addr;
     uint64_t __first_ssa_gpr;
-    uint64_t __stack_guard; /* 0x28 for x64 */
+    /* Here the name and offset of stack_guard complies to the properties of
+       stack_guard defined in tcbhead_t(Struct for Thread Control Block). In
+       this way we can make use of the compiler's support of stack smashing
+       protector.
+     */
+    uint64_t stack_guard; /* The offset is 0x28 for x64 */
     uint64_t __reserved_0;
     uint64_t __ssa_frame_size;
     uint64_t __last_error;
@@ -565,7 +570,9 @@ oe_thread_data_t* oe_get_thread_data(void);
 
 #define TD_MAGIC 0xc90afe906c5d19a3
 
-#define OE_THREAD_LOCAL_SPACE (3840)
+#define OE_THREAD_LOCAL_SPACE (OE_PAGE_SIZE)
+
+#define OE_THREAD_SPECIFIC_DATA_SIZE (3840)
 
 typedef struct _callsite Callsite;
 
@@ -606,8 +613,8 @@ typedef struct _td
     /* Simulation mode is active if non-zero */
     uint64_t simulate;
 
-    /* Reserved for thread-local variables. */
-    uint8_t thread_local_data[OE_THREAD_LOCAL_SPACE];
+    /* Reserved for thread specific data. */
+    uint8_t thread_specific_data[OE_THREAD_SPECIFIC_DATA_SIZE];
 } td_t;
 OE_PACK_END
 
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 4ece6a31e7..e8bcc5177e 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -71,6 +71,7 @@ if (UNIX OR ADD_WINDOWS_ENCLAVE_TESTS OR USE_CLANGW)
         add_subdirectory(stdc)
         add_subdirectory(syscall)
         add_subdirectory(VectorException)
+        add_subdirectory(stack_smashing_protector)
     endif()
 
 add_subdirectory(create-errors)
diff --git a/tests/debugger/oegdb/enc/contract.c b/tests/debugger/oegdb/enc/contract.c
index 4acf1ee838..8cc5a4a516 100644
--- a/tests/debugger/oegdb/enc/contract.c
+++ b/tests/debugger/oegdb/enc/contract.c
@@ -24,7 +24,7 @@ volatile uint64_t OCALLCONTEXT_RET = (uint64_t)-1;
 
 void assert_debugger_binary_contract_enclave_side()
 {
-    OE_TEST(TD_OFFSET_FROM_TCS == 4 * OE_PAGE_SIZE);
+    OE_TEST(TD_OFFSET_FROM_TCS == 5 * OE_PAGE_SIZE);
     OE_TEST(TD_CALLSITE_OFFSET == OE_OFFSETOF(td_t, callsites));
     OE_TEST(
         CALLSITE_OCALLCONTEXT_OFFSET == OE_OFFSETOF(Callsite, ocall_context));
diff --git a/tests/stack_smashing_protector/CMakeLists.txt b/tests/stack_smashing_protector/CMakeLists.txt
new file mode 100644
index 0000000000..a028f2ed06
--- /dev/null
+++ b/tests/stack_smashing_protector/CMakeLists.txt
@@ -0,0 +1,11 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+add_subdirectory(host)
+
+if (BUILD_ENCLAVES)
+	add_subdirectory(enc)
+endif()
+
+add_enclave_test(tests/stack_smashing_protector ssp_host ssp_enc)
+set_tests_properties(tests/stack_smashing_protector PROPERTIES SKIP_RETURN_CODE 2)
diff --git a/tests/stack_smashing_protector/enc/CMakeLists.txt b/tests/stack_smashing_protector/enc/CMakeLists.txt
new file mode 100644
index 0000000000..c729cf4ae6
--- /dev/null
+++ b/tests/stack_smashing_protector/enc/CMakeLists.txt
@@ -0,0 +1,16 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+add_custom_command(OUTPUT ssp_t.h ssp_t.c ssp_args.h
+  DEPENDS ../ssp.edl edger8r
+  COMMAND edger8r --trusted ${CMAKE_CURRENT_SOURCE_DIR}/../ssp.edl)
+
+add_enclave(TARGET ssp_enc SOURCES enc.cpp ${CMAKE_CURRENT_BINARY_DIR}/ssp_t.c)
+
+# The flag -fstack-protector-all can make sure stack protector is turned on.
+set_source_files_properties(enc.cpp PROPERTIES COMPILE_FLAGS -fstack-protector-all)
+
+# Need for the generated file ssp_t.h
+target_include_directories(ssp_enc PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+
+target_link_libraries(ssp_enc oelibcxx)
diff --git a/tests/stack_smashing_protector/enc/enc.cpp b/tests/stack_smashing_protector/enc/enc.cpp
new file mode 100644
index 0000000000..288b4a2a5d
--- /dev/null
+++ b/tests/stack_smashing_protector/enc/enc.cpp
@@ -0,0 +1,89 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <openenclave/corelibc/string.h>
+#include <openenclave/edger8r/enclave.h>
+#include <openenclave/enclave.h>
+#include <openenclave/internal/calls.h>
+#include <openenclave/internal/fault.h>
+#include <openenclave/internal/globals.h>
+#include <openenclave/internal/sgxtypes.h>
+#include <openenclave/internal/tests.h>
+#include <openenclave/internal/thread.h>
+#include <stdio.h>
+#include "ssp_t.h"
+
+static oe_once_t g_once = OE_ONCE_INIT;
+static oe_thread_key_t g_key = OE_THREADKEY_INITIALIZER;
+
+static bool g_destructor_called = false;
+
+static void _destructor(void* data)
+{
+    char* str = (char*)data;
+
+    if (oe_strcmp(str, "TSD-DATA") == 0)
+    {
+        oe_host_free(str);
+        g_destructor_called = true;
+        OE_TEST(oe_thread_setspecific(g_key, NULL) == 0);
+    }
+}
+
+static void _init()
+{
+    if (oe_thread_key_create(&g_key, _destructor) != 0)
+    {
+        oe_abort();
+    }
+}
+int enc_set_thread_variable(void* value)
+{
+    int rval = 0;
+    /* Initialize this the first time */
+    if (oe_once(&g_once, _init) != 0 ||
+        oe_thread_setspecific(g_key, value) != 0)
+    {
+        rval = -1;
+    }
+    return rval;
+}
+
+void* enc_get_thread_specific_data()
+{
+    return oe_thread_getspecific(g_key);
+}
+
+bool was_destructor_called()
+{
+    return g_destructor_called;
+}
+
+void* ssp_test_sub()
+{
+    /* The test should change the canary in the current stack.
+     * But in Debug mode the canary is at $rbp-0x8, and in Release mode
+     * the canary is at $rsp+0x20. To avoid unseen cases, here the %%fs:0x28 is
+     * modified.
+     */
+    uint64_t canary;
+    asm("mov %%fs:0x28, %0" : "=r"(canary));
+    canary /= 2;
+    asm("mov %0, %%fs:0x28" : : "r"(canary));
+
+    return 0;
+}
+
+void* ssp_test()
+{
+    ssp_test_sub();
+    return (void*)0;
+}
+
+OE_SET_ENCLAVE_SGX(
+    1,    /* ProductID */
+    1,    /* SecurityVersion */
+    true, /* AllowDebug */
+    1024, /* HeapPageCount */
+    128,  /* StackPageCount */
+    16);  /* TCSCount */
diff --git a/tests/stack_smashing_protector/host/CMakeLists.txt b/tests/stack_smashing_protector/host/CMakeLists.txt
new file mode 100644
index 0000000000..d683ff8236
--- /dev/null
+++ b/tests/stack_smashing_protector/host/CMakeLists.txt
@@ -0,0 +1,11 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+add_custom_command(OUTPUT ssp_u.h ssp_u.c ssp_args.h
+  DEPENDS ../ssp.edl edger8r
+  COMMAND edger8r --untrusted ${CMAKE_CURRENT_SOURCE_DIR}/../ssp.edl)
+
+add_executable(ssp_host host.cpp ${CMAKE_CURRENT_BINARY_DIR}/ssp_u.c)
+
+target_include_directories(ssp_host PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+target_link_libraries(ssp_host oehost)
diff --git a/tests/stack_smashing_protector/host/host.cpp b/tests/stack_smashing_protector/host/host.cpp
new file mode 100644
index 0000000000..50e9f8b284
--- /dev/null
+++ b/tests/stack_smashing_protector/host/host.cpp
@@ -0,0 +1,69 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <openenclave/host.h>
+#include <openenclave/internal/error.h>
+#include <openenclave/internal/tests.h>
+#include <cassert>
+#include <cstdio>
+#include <cstdlib>
+#include <cstring>
+#include "ssp_u.h"
+
+#define SKIP_RETURN_CODE 2
+
+int main(int argc, const char* argv[])
+{
+    if (argc != 2)
+    {
+        fprintf(stderr, "Usage: %s ENCLAVE\n", argv[0]);
+        exit(1);
+    }
+
+    const uint32_t flags = oe_get_create_flags();
+    oe_enclave_t* enclave = NULL;
+    oe_result_t result = oe_create_ssp_enclave(
+        argv[1], OE_ENCLAVE_TYPE_SGX, flags, NULL, 0, &enclave);
+    if (OE_OK != result)
+    {
+        oe_put_err("oe_create_ocall_enclave(): result=%u", result);
+    }
+
+    /* Call enc_set_thread_variable */
+    {
+        int ret_val = -1;
+        result = enc_set_thread_variable(enclave, &ret_val, strdup("TSD-DATA"));
+        OE_TEST(OE_OK == result);
+        OE_TEST(0 == ret_val);
+    }
+
+    /* Call was_destructor_called */
+    {
+        bool ret_destroyed = false;
+        result = was_destructor_called(enclave, &ret_destroyed);
+        OE_TEST(OE_OK == result);
+        OE_TEST(ret_destroyed);
+    }
+
+    /* Call enc_get_thread_specific_data */
+    {
+        void* ret_value = NULL;
+        result = enc_get_thread_specific_data(enclave, &ret_value);
+        OE_TEST(OE_OK == result);
+        OE_TEST(NULL == ret_value);
+    }
+
+    /* Call ssp_test */
+    {
+        void* ret_value = NULL;
+        result = ssp_test(enclave, &ret_value);
+        OE_TEST(OE_ENCLAVE_ABORTING == result);
+        OE_TEST(NULL == ret_value);
+    }
+
+    oe_terminate_enclave(enclave);
+
+    printf("=== passed all tests (%s)\n", argv[0]);
+
+    return 0;
+}
diff --git a/tests/stack_smashing_protector/ssp.edl b/tests/stack_smashing_protector/ssp.edl
new file mode 100644
index 0000000000..080cd1eb21
--- /dev/null
+++ b/tests/stack_smashing_protector/ssp.edl
@@ -0,0 +1,14 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+enclave {
+    trusted {
+        public bool was_destructor_called();
+
+        public int enc_set_thread_variable([user_check] void* value);
+
+        public void* enc_get_thread_specific_data();
+
+        public void* ssp_test();
+    };
+};
diff --git a/tests/stdcxx/CMakeLists.txt b/tests/stdcxx/CMakeLists.txt
index a0a59ed615..167cd374fa 100644
--- a/tests/stdcxx/CMakeLists.txt
+++ b/tests/stdcxx/CMakeLists.txt
@@ -8,4 +8,9 @@ if (BUILD_ENCLAVES)
 endif()
 
 add_enclave_test(tests/stdcxx  stdcxx_host stdcxx_enc OE_OK)
+
+# Some expection test will fail in simulation mode, due to the failure of
+# isolation of exception in enclave then host process will be terminated.
+
 add_enclave_test(tests/global_init_exception stdcxx_host global_init_exception_enc OE_ENCLAVE_ABORTING)
+set_tests_properties(tests/global_init_exception PROPERTIES SKIP_RETURN_CODE 2)
diff --git a/tests/stdcxx/host/host.cpp b/tests/stdcxx/host/host.cpp
index c59e52c140..1ca87e57a7 100644
--- a/tests/stdcxx/host/host.cpp
+++ b/tests/stdcxx/host/host.cpp
@@ -14,6 +14,8 @@
 #define ECHO
 #endif
 
+#define SKIP_RETURN_CODE 2
+
 void test_stdcxx(oe_enclave_t* enclave)
 {
     int ret = -1;
@@ -43,7 +45,18 @@ int main(int argc, const char* argv[])
         exit(1);
     }
 
+    /*
+       Some expection test will fail in simulation mode, due to the failure of
+       isolation of exception in enclave then host process will be terminated.
+    */
     const uint32_t flags = oe_get_create_flags();
+    if ((flags & OE_ENCLAVE_FLAG_SIMULATE) != 0 &&
+        strstr(argv[1], "global_init_exception_enc") != 0)
+    {
+        printf("=== Skipped unsupported test in simulation mode "
+               "(global_init_exception_enc)\n");
+        return SKIP_RETURN_CODE;
+    }
 
     result = oe_create_stdcxx_enclave(
         argv[1], OE_ENCLAVE_TYPE_SGX, flags, NULL, 0, &enclave);

From 55e3acb88a24daae3eb826b40bcd7cf6276514bf Mon Sep 17 00:00:00 2001
From: Thomas Tendyck <tt@edgeless.systems>
Date: Wed, 8 Jan 2020 12:01:54 +0100
Subject: [PATCH 400/420] Fix oe_random for size > 1024

mbedtls_ctr_drbg_random() does not accept arbitrary large output sizes
and must be called repeatedly to fill large buffers.

Signed-off-by: Thomas Tendyck <tt@edgeless.systems>
---
 enclave/crypto/random_internal.c | 13 ++++++++++---
 tests/crypto/random_tests.c      | 26 ++++++++++++++++++--------
 2 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/enclave/crypto/random_internal.c b/enclave/crypto/random_internal.c
index 4f5d4ccae3..af8aad3990 100644
--- a/enclave/crypto/random_internal.c
+++ b/enclave/crypto/random_internal.c
@@ -70,9 +70,16 @@ oe_result_t oe_random_internal(void* data, size_t size)
     }
 
     /* Generate random data (synchronize access to _drbg instance) */
-    rc = mbedtls_ctr_drbg_random(&_drbg, data, size);
-    if (rc != 0)
-        OE_RAISE_MSG(OE_CRYPTO_ERROR, "rc = 0x%x\n", rc);
+    for (size_t i = 0; i < size; i += MBEDTLS_CTR_DRBG_MAX_REQUEST)
+    {
+        size_t request_size = size - i;
+        if (request_size > MBEDTLS_CTR_DRBG_MAX_REQUEST)
+            request_size = MBEDTLS_CTR_DRBG_MAX_REQUEST;
+
+        rc = mbedtls_ctr_drbg_random(&_drbg, (uint8_t*)data + i, request_size);
+        if (rc != 0)
+            OE_RAISE_MSG(OE_CRYPTO_ERROR, "rc = 0x%x\n", rc);
+    }
 
     result = OE_OK;
 done:
diff --git a/tests/crypto/random_tests.c b/tests/crypto/random_tests.c
index 21167bcb30..a5915e94c9 100644
--- a/tests/crypto/random_tests.c
+++ b/tests/crypto/random_tests.c
@@ -13,38 +13,48 @@
 #include "tests.h"
 
 #define SEQ_COUNT 64
-#define SEQ_LENGTH 19
 
-void TestRandom(void)
+static void _test_random(size_t seq_length)
 {
-    printf("=== begin %s()\n", __FUNCTION__);
+    printf("=== begin %s(%zu)\n", __FUNCTION__, seq_length);
 
-    uint8_t buf[SEQ_COUNT][SEQ_LENGTH];
+    uint8_t buf[SEQ_COUNT][seq_length];
     memset(buf, 0, sizeof(buf));
 
     for (size_t i = 0; i < SEQ_COUNT; i++)
     {
         /* Generate a random sequence */
         OE_TEST(
-            oe_random_internal(buf[i], SEQ_LENGTH * sizeof(uint8_t)) == OE_OK);
+            oe_random_internal(buf[i], seq_length * sizeof(uint8_t)) == OE_OK);
 
         /* Be sure buffer is not filled with same character */
         {
             size_t m;
             uint8_t c = buf[i][0];
 
-            for (m = 1; m < SEQ_LENGTH && buf[i][m] == c; m++)
+            for (m = 1; m < seq_length && buf[i][m] == c; m++)
                 ;
 
-            OE_TEST(m != SEQ_LENGTH);
+            OE_TEST(m != seq_length);
         }
 
         /* Check whether duplicate of one of the previous calls */
         for (size_t j = 0; j < i; j++)
         {
-            OE_TEST(memcmp(buf[j], buf[i], SEQ_LENGTH * sizeof(uint8_t)) != 0);
+            OE_TEST(memcmp(buf[j], buf[i], seq_length * sizeof(uint8_t)) != 0);
         }
     }
 
     printf("=== passed %s()\n", __FUNCTION__);
 }
+
+void TestRandom(void)
+{
+    _test_random(19);
+    _test_random(1023);
+    _test_random(1024);
+    _test_random(1025);
+    _test_random(2047);
+    _test_random(2048);
+    _test_random(2049);
+}

From f6de2fba8bc692226f8a975469d096ba93c5491d Mon Sep 17 00:00:00 2001
From: Thomas Tendyck <tt@edgeless.systems>
Date: Sat, 11 Jan 2020 10:39:06 +0100
Subject: [PATCH 401/420] Replace VLA with fixed length in random_tests.c

Signed-off-by: Thomas Tendyck <tt@edgeless.systems>
---
 tests/crypto/random_tests.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tests/crypto/random_tests.c b/tests/crypto/random_tests.c
index a5915e94c9..939f8f71a1 100644
--- a/tests/crypto/random_tests.c
+++ b/tests/crypto/random_tests.c
@@ -5,6 +5,7 @@
 #include <openenclave/enclave.h>
 #endif
 
+#include <openenclave/internal/defs.h>
 #include <openenclave/internal/random.h>
 #include <openenclave/internal/tests.h>
 #include <stdio.h>
@@ -13,12 +14,13 @@
 #include "tests.h"
 
 #define SEQ_COUNT 64
+#define SEQ_LENGTH_MAX 2049
 
 static void _test_random(size_t seq_length)
 {
     printf("=== begin %s(%zu)\n", __FUNCTION__, seq_length);
 
-    uint8_t buf[SEQ_COUNT][seq_length];
+    uint8_t buf[SEQ_COUNT][SEQ_LENGTH_MAX];
     memset(buf, 0, sizeof(buf));
 
     for (size_t i = 0; i < SEQ_COUNT; i++)
@@ -57,4 +59,5 @@ void TestRandom(void)
     _test_random(2047);
     _test_random(2048);
     _test_random(2049);
+    OE_STATIC_ASSERT(SEQ_LENGTH_MAX == 2049);
 }

From b40a5b75d2612fc2695b6a425679976351c1c230 Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Thu, 19 Dec 2019 12:04:56 -0800
Subject: [PATCH 402/420] Enable /W2 to treat W2 warnings as errors for Windows
 builds. Additionally, fix errors which arise from enabling this flag.

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 cmake/compiler_settings.cmake        | 11 ++++++++---
 include/openenclave/edger8r/common.h | 26 ++++++++++++++++++--------
 tools/oeedger8r/src/Sources.ml       |  4 +++-
 3 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/cmake/compiler_settings.cmake b/cmake/compiler_settings.cmake
index 4ab75ae377..d3ea6be4e3 100644
--- a/cmake/compiler_settings.cmake
+++ b/cmake/compiler_settings.cmake
@@ -76,6 +76,10 @@ if (CMAKE_CXX_COMPILER_ID MATCHES GNU OR CMAKE_CXX_COMPILER_ID MATCHES Clang)
   add_compile_options(-Wall -Werror -Wpointer-arith -Wconversion -Wextra -Wno-missing-field-initializers)
   add_compile_options(-fno-strict-aliasing)
 
+  # Allow checks which always evaluate to true or false due to type limits.
+  # This is required as some macros operate on types of varying sizes.
+  add_compile_options(-Wno-type-limits)
+
   # Enables XSAVE intrinsics
   if (OE_SGX)
       add_compile_options(-mxsave)
@@ -104,12 +108,13 @@ elseif (MSVC)
   # doesn't recognize /wd flags
   # Turns off warnings for:
   # * Unicode character cannot be represented by current code page
-  set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /wd4566")
-  set (CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /wd4566")
+  # * Flexible array members. These are standard in C99 so we will allow them.
+  set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /wd4566 /wd4200")
+  set (CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /wd4566 /wd4200")
 
   # Add Flags we want to use for both C and CXX
   add_compile_options(/WX)
-  add_compile_options(/W1)
+  add_compile_options(/W2)
 
   # Ignore compiler warnings:
   # * unicode character not supported
diff --git a/include/openenclave/edger8r/common.h b/include/openenclave/edger8r/common.h
index 2aa86d98fd..39f5391e74 100644
--- a/include/openenclave/edger8r/common.h
+++ b/include/openenclave/edger8r/common.h
@@ -66,14 +66,24 @@ OE_INLINE oe_result_t oe_add_size(size_t* total, size_t size)
     return result;
 }
 
-#define OE_ADD_SIZE(total, size)                \
-    do                                          \
-    {                                           \
-        if (oe_add_size(&total, size) != OE_OK) \
-        {                                       \
-            _result = OE_INTEGER_OVERFLOW;      \
-            goto done;                          \
-        }                                       \
+#define OE_ADD_SIZE(total, size)                                 \
+    do                                                           \
+    {                                                            \
+        if (sizeof(total) > sizeof(size_t) && total > SIZE_MAX)  \
+        {                                                        \
+            _result = OE_INVALID_PARAMETER;                      \
+            goto done;                                           \
+        }                                                        \
+        if (sizeof(size) > sizeof(size_t) && size > SIZE_MAX)    \
+        {                                                        \
+            _result = OE_INVALID_PARAMETER;                      \
+            goto done;                                           \
+        }                                                        \
+        if (oe_add_size((size_t*)&total, (size_t)size) != OE_OK) \
+        {                                                        \
+            _result = OE_INTEGER_OVERFLOW;                       \
+            goto done;                                           \
+        }                                                        \
     } while (0)
 
 /**
diff --git a/tools/oeedger8r/src/Sources.ml b/tools/oeedger8r/src/Sources.ml
index 4b84a60a51..4932a2a1c9 100644
--- a/tools/oeedger8r/src/Sources.ml
+++ b/tools/oeedger8r/src/Sources.ml
@@ -81,7 +81,9 @@ let _get_param_size (ptype, decl, argstruct) =
     and count = attr_value_to_string argstruct p.ps_count in
     match (size, count) with
     | Some s, None -> s
-    | None, Some c -> sprintf "(%s * sizeof(%s))" c type_expr
+    (* TODO: Check that c actually fits in size_t. Also check for overflow,
+     * similar to oe_add_size *)
+    | None, Some c -> sprintf "((size_t)%s * sizeof(%s))" c type_expr
     (* TODO: Check that this is an even multiple of the size of type. *)
     | Some s, Some c -> sprintf "(%s * %s)" s c
     | None, None ->

From b87af1e7e96c35c4c29e5e93cdd9fc7ca825b30a Mon Sep 17 00:00:00 2001
From: Jordan Hand <jorhand@microsoft.com>
Date: Wed, 8 Jan 2020 13:27:28 -0800
Subject: [PATCH 403/420] Mark setjmp as returns_twice

setjmp has returns_twice behavior that prevents the compiler from being
able to reason about the control flow behavior of the function. Mark it
with the returns_twice attribute so that the compiler knows it is not a
normal function.

Signed-off-by: Jordan Hand <jorhand@microsoft.com>
---
 3rdparty/musl/CMakeLists.txt   |  3 +++
 3rdparty/musl/patches/setjmp.h | 41 ++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 3rdparty/musl/patches/setjmp.h

diff --git a/3rdparty/musl/CMakeLists.txt b/3rdparty/musl/CMakeLists.txt
index 99b5b332ee..1db5e467a3 100644
--- a/3rdparty/musl/CMakeLists.txt
+++ b/3rdparty/musl/CMakeLists.txt
@@ -55,6 +55,9 @@ ExternalProject_Add(musl_includes
     COMMAND ${CMAKE_COMMAND} -E copy
       ${PATCHES_DIR}/pthread_${ARCH}.h
       ${MUSL_DIR}/arch/${ARCH}/pthread_arch.h
+    COMMAND ${CMAKE_COMMAND} -E copy
+      ${PATCHES_DIR}/setjmp.h
+      ${MUSL_DIR}/include/setjmp.h
   CONFIGURE_COMMAND
     ${CMAKE_COMMAND} -E chdir ${MUSL_DIR}
     ${OE_BASH} -x ./configure
diff --git a/3rdparty/musl/patches/setjmp.h b/3rdparty/musl/patches/setjmp.h
new file mode 100644
index 0000000000..1e24de761c
--- /dev/null
+++ b/3rdparty/musl/patches/setjmp.h
@@ -0,0 +1,41 @@
+#ifndef	_SETJMP_H
+#define	_SETJMP_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <features.h>
+
+#include <bits/setjmp.h>
+
+typedef struct __jmp_buf_tag {
+	__jmp_buf __jb;
+	unsigned long __fl;
+	unsigned long __ss[128/sizeof(long)];
+} jmp_buf[1];
+
+#if defined(_POSIX_SOURCE) || defined(_POSIX_C_SOURCE) \
+ || defined(_XOPEN_SOURCE) || defined(_GNU_SOURCE) \
+ || defined(_BSD_SOURCE)
+typedef jmp_buf sigjmp_buf;
+int sigsetjmp (sigjmp_buf, int) __attribute__((returns_twice));
+_Noreturn void siglongjmp (sigjmp_buf, int);
+#endif
+
+#if defined(_XOPEN_SOURCE) || defined(_GNU_SOURCE) \
+ || defined(_BSD_SOURCE)
+int _setjmp (jmp_buf) __attribute__((returns_twice));
+_Noreturn void _longjmp (jmp_buf, int);
+#endif
+
+int setjmp (jmp_buf) __attribute__((returns_twice));
+_Noreturn void longjmp (jmp_buf, int);
+
+#define setjmp setjmp
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

From a19accf850f6b1c4567e59212f82d5b90318cbff Mon Sep 17 00:00:00 2001
From: Jordan Hand <jordanhand22@gmail.com>
Date: Tue, 14 Jan 2020 14:05:30 -0800
Subject: [PATCH 404/420] Add copyright header to setjmp.h

Signed-off-by: Jordan Hand <jordanhand22@gmail.com>
---
 3rdparty/musl/patches/setjmp.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/3rdparty/musl/patches/setjmp.h b/3rdparty/musl/patches/setjmp.h
index 1e24de761c..838ce52150 100644
--- a/3rdparty/musl/patches/setjmp.h
+++ b/3rdparty/musl/patches/setjmp.h
@@ -1,3 +1,6 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
 #ifndef	_SETJMP_H
 #define	_SETJMP_H
 

From f7e1397bc4044cd567d1ac1ca97a048d5581c562 Mon Sep 17 00:00:00 2001
From: Yen Lee <yenlee@microsoft.com>
Date: Fri, 3 Jan 2020 15:23:13 -0800
Subject: [PATCH 405/420] Query registered attesters/verifiers

Signed-off-by: Yen Lee <yenlee@microsoft.com>
---
 docs/DesignDocs/CustomAttestation.md | 58 +++++++++++++++++++++++++---
 1 file changed, 52 insertions(+), 6 deletions(-)

diff --git a/docs/DesignDocs/CustomAttestation.md b/docs/DesignDocs/CustomAttestation.md
index b0635c0256..b0204c99d4 100644
--- a/docs/DesignDocs/CustomAttestation.md
+++ b/docs/DesignDocs/CustomAttestation.md
@@ -734,15 +734,40 @@ oe_result_t oe_verify_evidence(
     size_t* claims_length);
 
 /**
- * oe_free_claims_list
+ * oe_get_registered_attester_format_ids
  *
- * Frees a claims list.
+ * Get the unique identifiers of all registered attesters.
  *
- * @param[in] claims The list of claims.
- * @param[in] claims_length The length of the claims list.
+ * @param[out] format_ids The list of the UUIDs of the registered attesters.
+ * @param[out] format_ids_length The length of the UUIDs list.
  * @retval OE_OK on success.
  */
-oe_result_t oe_free_claims_list(oe_claim_t* claims, size_t claims_length);
+oe_result_t oe_get_registered_attester_format_ids(
+    oe_uuid_t** format_ids,
+    size_t* format_ids_length);
+
+/**
+ * oe_get_registered_verifier_format_ids
+ *
+ * Get the unique identifiers of all registered verifiers.
+ *
+ * @param[out] format_ids The list of the UUIDs of the registered verifiers.
+ * @param[out] format_ids_length The length of the UUIDs list.
+ * @retval OE_OK on success.
+ */
+oe_result_t oe_get_registered_verifier_format_ids(
+    oe_uuid_t** format_ids,
+    size_t* format_ids_length);
+
+/**
+ * oe_free_format_ids
+ *
+ * Frees the attester/verifier format ids.
+ *
+ * @param[in] format_ids The list of the attester/verifier UUIDs.
+ * @retval OE_OK on success.
+ */
+oe_result_t oe_free_format_ids(oe_uuid_t* format_ids);
 ```
 
 The outputs returned by `oe_get_evidence` will begin with the header
@@ -927,9 +952,24 @@ size_t params_size = sizeof(params);
 oe_claim_t claims = { ... };
 size_t claims_size = ...;
 
+/* Receive the evidence format ids that the verifier supports */
+recv(VERIFIER_SOCKET_FD, evidence_format_ids, evidence_format_id_length, 0);
+
+/* Get registered attester format ids and find a common format */
+oe_get_registered_attester_format_ids(*format_ids, &format_ids_length);
+for (size_t m = 0; m < format_ids_length; m++)
+{
+    for (size_t n = 0; n < evidence_format_id_length; n++)
+    if (format_ids[m] == evidence_format_ids[n])
+    {
+        common_format_id = format_ids[m];
+        break;
+    }
+}
+
 /* Get evidence. */
 oe_get_evidence(
-    MY_PLUGIN_UUID,
+    common_format_id,
     OE_EVIDENCE_FLAGS_REMOTE_ATTESTATION,
     claims,
     claims_size,
@@ -945,6 +985,7 @@ send(VERIFIER_SOCKET_FD, evidence, evidence_size, 0);
 send(VERIFIER_SOCKET_FD, endorsements, endorsements_size, 0);
 
 /* Free data and unregister plugin. */
+oe_free_format_id(format_ids);
 oe_free_evidence(evidence, endorsements);
 oe_unregister_attester(my_plugin_attester());
 ```
@@ -961,6 +1002,10 @@ struct my_plugin_verifier_config_data_t config = { ... };
 size_t config_size = sizeof(config);
 oe_register_verifier(my_plugin_verifier(), &config, config_size);
 
+/* Tell enclave the format ids the verifier supports */
+oe_get_registered_verifier_format_ids(*format_ids, &format_ids_length);
+send(ENCLAVE_SOCKET_FD, *format_ids, format_ids_length, 0);
+
 /* Receive evidence and endorsement buffer from enclave. */
 recv(ENCLAVE_SOCKET_FD, evidence, evidence_size, 0);
 recv(ENCLAVE_SOCKET_FD, endorsements, endorsements_size, 0);
@@ -985,6 +1030,7 @@ oe_verify_evidence(
     &claims_size);
 
 /* Free data and unregister plugin. */
+oe_free_format_id(format_ids);
 oe_free_claims_list(claims, claims_size);
 oe_unregister_verifier(my_plugin_verifier());
 ```

From 6af0e52428d97059962d24b552179b38a41c24c0 Mon Sep 17 00:00:00 2001
From: "Christoph M. Wintersteiger" <cwinter@microsoft.com>
Date: Thu, 23 Jan 2020 16:41:39 +0000
Subject: [PATCH 406/420] Add draft of extended attestation with user data and
 example

Signed-off-by: Christoph M. Wintersteiger <cwinter@microsoft.com>
---
 enclave/core/sgx/calls.c                 |  27 ++++
 enclave/core/sgx/globals.c               |  28 ++++
 host/sgx/create.c                        | 182 ++++++++++++++++++++++-
 include/openenclave/host.h               |  50 +++++++
 include/openenclave/internal/globals.h   |   5 +
 include/openenclave/internal/sgxcreate.h |   2 +
 tools/oeedger8r/src/Headers.ml           |  10 ++
 tools/oeedger8r/src/Sources.ml           |  23 +++
 tools/oesign/main.c                      |   4 +-
 9 files changed, 328 insertions(+), 3 deletions(-)

diff --git a/enclave/core/sgx/calls.c b/enclave/core/sgx/calls.c
index 830d8c14c4..6227b708c8 100644
--- a/enclave/core/sgx/calls.c
+++ b/enclave/core/sgx/calls.c
@@ -125,6 +125,30 @@ extern bool oe_disable_debug_malloc_check;
 **==============================================================================
 */
 
+static oe_result_t _oe_check_user_data()
+{
+    oe_result_t result = OE_OK;
+
+    const uint8_t* user_data = __oe_get_user_data_base();
+    uint64_t user_data_size = __oe_get_user_data_size();
+
+    const uint8_t* old_signature = user_data + user_data_size;
+    const uint8_t* hash_ud_sig = old_signature + OE_KEY_SIZE;
+
+    oe_sha256_context_t hctx;
+    OE_SHA256 h;
+    oe_sha256_init(&hctx);
+    oe_sha256_update(&hctx, user_data, user_data_size);
+    oe_sha256_update(&hctx, old_signature, OE_KEY_SIZE);
+    oe_sha256_final(&hctx, &h);
+
+    if (memcmp(hash_ud_sig, h.buf, OE_SHA256_SIZE) != 0)
+        OE_RAISE(OE_VERIFY_FAILED);
+
+done:
+    return result;
+}
+
 /*
 **==============================================================================
 **
@@ -171,6 +195,9 @@ static oe_result_t _handle_init_enclave(uint64_t arg_in)
              * instructions like CPUID. */
             oe_call_init_functions();
 
+            /* Check that the user data has not been tampered with */
+            OE_CHECK(_oe_check_user_data());
+
             /* DCLP Release barrier. */
             OE_ATOMIC_MEMORY_BARRIER_RELEASE();
             _once = true;
diff --git a/enclave/core/sgx/globals.c b/enclave/core/sgx/globals.c
index 1abb9ab5de..08f64846a6 100644
--- a/enclave/core/sgx/globals.c
+++ b/enclave/core/sgx/globals.c
@@ -127,6 +127,8 @@ extern volatile const oe_sgx_enclave_properties_t oe_enclave_properties_sgx;
 static volatile uint64_t _enclave_rva;
 static volatile uint64_t _reloc_rva;
 static volatile uint64_t _reloc_size;
+static volatile uint64_t _user_data_rva;
+static volatile uint64_t _user_data_size;
 
 #endif
 
@@ -196,6 +198,32 @@ size_t __oe_get_reloc_size()
 #endif
 }
 
+const void* __oe_get_user_data_base()
+{
+    const unsigned char* base = __oe_get_enclave_base();
+
+#if defined(__linux__)
+    return base + _user_data_rva;
+#else
+#error "unsupported"
+#endif
+}
+
+uint64_t __oe_get_user_data_size()
+{
+#if defined(__linux__)
+    return _user_data_size;
+#else
+#error "unsupported"
+#endif
+}
+
+const void* __oe_get_user_data_end()
+{
+    return (const uint8_t*)__oe_get_user_data_base() +
+           __oe_get_user_data_size();
+}
+
 /*
 **==============================================================================
 **
diff --git a/host/sgx/create.c b/host/sgx/create.c
index 983fdd0956..8315aceddc 100644
--- a/host/sgx/create.c
+++ b/host/sgx/create.c
@@ -44,12 +44,14 @@ static char* get_fullpath(const char* path)
 #include <openenclave/internal/raise.h>
 #include <openenclave/internal/result.h>
 #include <openenclave/internal/sgxcreate.h>
+#include <openenclave/internal/sgxsign.h>
 #include <openenclave/internal/sgxtypes.h>
 #include <openenclave/internal/switchless.h>
 #include <openenclave/internal/trace.h>
 #include <openenclave/internal/utils.h>
 #include <string.h>
 #include "../memalign.h"
+#include "../signkey.h"
 #include "cpuid.h"
 #include "enclave.h"
 #include "exception.h"
@@ -545,10 +547,145 @@ oe_result_t oe_sgx_validate_enclave_properties(
     return result;
 }
 
+static oe_result_t _add_extra_data_pages(
+    oe_sgx_load_context_t* context,
+    uint64_t enclave_addr,
+    const oe_page_t* pages,
+    const size_t num_pages,
+    uint64_t* vaddr)
+{
+    oe_result_t result = OE_UNEXPECTED;
+
+    if (!context || !vaddr)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    /* Add any data pages as regular-read-only pages. */
+    if (pages && num_pages)
+    {
+        uint64_t size = num_pages * OE_PAGE_SIZE;
+        assert((size & (OE_PAGE_SIZE - 1)) == 0);
+
+        for (size_t i = 0; i < num_pages; i++)
+        {
+            uint64_t addr = enclave_addr + *vaddr;
+            uint64_t src = (uint64_t)&pages[i];
+            uint64_t flags = SGX_SECINFO_REG | SGX_SECINFO_R;
+            bool extend = true;
+
+            OE_CHECK(oe_sgx_load_enclave_data(
+                context, enclave_addr, addr, src, flags, extend));
+            (*vaddr) += sizeof(oe_page_t);
+        }
+    }
+
+    result = OE_OK;
+
+done:
+    return result;
+}
+
+static uint64_t user_data_pages_size(uint64_t user_data_size)
+{
+    return oe_round_up_to_page_size(
+        user_data_size + OE_KEY_SIZE + OE_SHA256_SIZE);
+}
+
+static oe_result_t _patch_user_data_symbols(
+    oe_enclave_image_t* oeimage,
+    uint64_t enclave_end,
+    const void* user_data,
+    const size_t user_data_size)
+{
+    if (user_data && user_data_size)
+    {
+        elf64_sym_t sym_rva = {0}, sym_sz = {0};
+        if (elf64_find_symbol_by_name(
+                &oeimage->u.elf.elf, "_user_data_rva", &sym_rva) == 0 &&
+            elf64_find_symbol_by_name(
+                &oeimage->u.elf.elf, "_user_data_size", &sym_sz) == 0)
+        {
+            uint64_t sz = user_data_pages_size(user_data_size);
+            uint64_t *sym_rva_addr = NULL, *sym_sz_addr = NULL;
+            sym_rva_addr = (uint64_t*)(oeimage->image_base + sym_rva.st_value);
+            *sym_rva_addr = enclave_end - sz;
+            sym_sz_addr = (uint64_t*)(oeimage->image_base + sym_sz.st_value);
+            *sym_sz_addr = user_data_size;
+        }
+    }
+
+    return OE_OK;
+}
+
+static oe_result_t _add_user_data_pages(
+    oe_sgx_load_context_t* context,
+    oe_enclave_t* enclave,
+    uint64_t enclave_end,
+    oe_sgx_enclave_properties_t* properties,
+    uint64_t* vaddr,
+    uint8_t* user_data,
+    uint32_t user_data_size)
+{
+    oe_result_t result = OE_OK;
+
+    if (user_data_size > 0 && user_data != NULL)
+    {
+        sgx_sigstruct_t* sigstruct = (sgx_sigstruct_t*)properties->sigstruct;
+        // cwinter: verify sigstruct->signature here?
+
+        uint64_t sz = user_data_pages_size(user_data_size);
+        assert(*vaddr == enclave_end - sz);
+
+        oe_sha256_context_t hctx;
+        OE_SHA256 hash_ud_sig;
+        oe_sha256_init(&hctx);
+        oe_sha256_update(&hctx, user_data, user_data_size);
+        oe_sha256_update(&hctx, sigstruct->signature, OE_KEY_SIZE);
+        oe_sha256_final(&hctx, &hash_ud_sig);
+
+        uint8_t data[sz];
+        memset(data, 0, sz);
+        memcpy(data, user_data, user_data_size); /* not necessary? */
+        memcpy(
+            data + user_data_size,
+            sigstruct->signature,
+            OE_KEY_SIZE); /* not necessary? */
+        memcpy(
+            data + user_data_size + OE_KEY_SIZE,
+            hash_ud_sig.buf,
+            OE_SHA256_SIZE);
+
+        OE_CHECK(_add_extra_data_pages(
+            context,
+            enclave->addr,
+            (const oe_page_t*)data,
+            sz / OE_PAGE_SIZE,
+            vaddr));
+
+        OE_SHA256 ext_mrenclave;
+        oe_sha256_final(&context->hash_context, &ext_mrenclave);
+
+        OE_CHECK(oe_sgx_sign_enclave(
+            &ext_mrenclave,
+            properties->config.attributes,
+            properties->config.product_id,
+            properties->config.security_version,
+            OE_DEBUG_SIGN_KEY, /* Use different key? */
+            OE_DEBUG_SIGN_KEY_SIZE,
+            sigstruct));
+
+        assert(*vaddr == enclave_end);
+    }
+
+done:
+    return result;
+}
+
 oe_result_t oe_sgx_build_enclave(
     oe_sgx_load_context_t* context,
     const char* path,
     const oe_sgx_enclave_properties_t* properties,
+    uint8_t* user_data,
+    uint32_t user_data_size,
     oe_enclave_t* enclave)
 {
     oe_result_t result = OE_UNEXPECTED;
@@ -633,6 +770,9 @@ oe_result_t oe_sgx_build_enclave(
     /* Calculate the size of image */
     OE_CHECK(oeimage.calculate_size(&oeimage, &image_size));
 
+    /* Add (optional) user data pages size */
+    image_size += user_data_pages_size(user_data_size);
+
     /* Calculate the size of this enclave in memory */
     OE_CHECK(_calculate_enclave_size(
         image_size, &props, &enclave_end, &enclave_size));
@@ -648,6 +788,10 @@ oe_result_t oe_sgx_build_enclave(
     /* Patch image */
     OE_CHECK(oeimage.patch(&oeimage, enclave_end));
 
+    /* Patch user data */
+    OE_CHECK(_patch_user_data_symbols(
+        &oeimage, enclave_end, user_data, user_data_size));
+
     /* Add image to enclave */
     OE_CHECK(oeimage.add_pages(&oeimage, context, enclave, &vaddr));
 
@@ -655,6 +799,16 @@ oe_result_t oe_sgx_build_enclave(
     OE_CHECK(
         _add_data_pages(context, enclave, &props, oeimage.entry_rva, &vaddr));
 
+    /* Add user data for extended attestation */
+    OE_CHECK(_add_user_data_pages(
+        context,
+        enclave,
+        enclave_end,
+        &props,
+        &vaddr,
+        user_data,
+        user_data_size));
+
     /* Ask the platform to initialize the enclave and finalize the hash */
     OE_CHECK(oe_sgx_initialize_enclave(
         context, enclave_addr, &props, &enclave->hash));
@@ -705,6 +859,31 @@ oe_result_t oe_create_enclave(
     const oe_ocall_func_t* ocall_table,
     uint32_t ocall_count,
     oe_enclave_t** enclave_out)
+{
+    return oe_create_enclave_wud(
+        enclave_path,
+        enclave_type,
+        flags,
+        settings,
+        setting_count,
+        ocall_table,
+        ocall_count,
+        NULL,
+        0,
+        enclave_out);
+}
+
+oe_result_t oe_create_enclave_wud(
+    const char* enclave_path,
+    oe_enclave_type_t enclave_type,
+    uint32_t flags,
+    const oe_enclave_setting_t* settings,
+    uint32_t setting_count,
+    const oe_ocall_func_t* ocall_table,
+    uint32_t ocall_count,
+    uint8_t* user_data,
+    uint32_t user_data_size,
+    oe_enclave_t** enclave_out)
 {
     oe_result_t result = OE_UNEXPECTED;
     oe_enclave_t* enclave = NULL;
@@ -760,7 +939,8 @@ oe_result_t oe_create_enclave(
         &context, OE_SGX_LOAD_TYPE_CREATE, flags));
 
     /* Build the enclave */
-    OE_CHECK(oe_sgx_build_enclave(&context, enclave_path, NULL, enclave));
+    OE_CHECK(oe_sgx_build_enclave(
+        &context, enclave_path, NULL, user_data, user_data_size, enclave));
 
     /* Push the new created enclave to the global list. */
     if (oe_push_enclave_instance(enclave) != 0)
diff --git a/include/openenclave/host.h b/include/openenclave/host.h
index ce6cca61ee..1cc34f586a 100644
--- a/include/openenclave/host.h
+++ b/include/openenclave/host.h
@@ -156,6 +156,56 @@ oe_result_t oe_create_enclave(
     uint32_t ocall_count,
     oe_enclave_t** enclave);
 
+/**
+ * Create an enclave from an enclave image file with optional user data.
+ *
+ * This function creates an enclave from an enclave image file. On successful
+ * return, the enclave is fully initialized and ready to use.
+ *
+ * @param path The path of an enclave image file in ELF-64 format. This
+ * file must have been linked with the **oecore** library and signed by the
+ * **oesign** tool.
+ *
+ * @param type The type of enclave supported by the enclave image file.
+ *     - OE_ENCLAVE_TYPE_SGX - An SGX enclave
+ *
+ * @param flags These flags control how the enclave is run.
+ *     It is the bitwise OR of zero or more of the following flags
+ *     - OE_ENCLAVE_FLAG_SIMULATE - runs the enclave in simulation mode
+ *     - OE_ENCLAVE_FLAG_DEBUG - runs the enclave in debug mode.
+ *                               DO NOT SHIP CODE with this flag
+ *
+ * @param settings Array of additional enclave creation settings for the
+ * specific enclave type.
+ *
+ * @param setting_count The number of settings in the **settings**.
+ *
+ * @param ocall_table Pointer to table of ocall functions generated by
+ * oeedger8r.
+ *
+ * @param ocall_count The number of functions in the **ocall_table**.
+ *
+ * @param user_data Optional user data for attestation.
+ *
+ * @param user_data_size Size of the user data.
+ *
+ * @param enclave This points to the enclave instance upon success.
+ *
+ * @returns Returns OE_OK on success.
+ *
+ */
+oe_result_t oe_create_enclave_wud(
+    const char* path,
+    oe_enclave_type_t type,
+    uint32_t flags,
+    const oe_enclave_setting_t* settings,
+    uint32_t setting_count,
+    const oe_ocall_func_t* ocall_table,
+    uint32_t ocall_count,
+    uint8_t* user_data,
+    uint32_t user_data_size,
+    oe_enclave_t** enclave);
+
 /**
  * Terminate an enclave and reclaims its resources.
  *
diff --git a/include/openenclave/internal/globals.h b/include/openenclave/internal/globals.h
index acf9f89cf6..dc77f36a84 100644
--- a/include/openenclave/internal/globals.h
+++ b/include/openenclave/internal/globals.h
@@ -32,6 +32,11 @@ uint64_t oe_get_base_heap_page(void);
 uint64_t oe_get_num_heap_pages(void);
 uint64_t oe_get_num_pages(void);
 
+/* User data */
+const void* __oe_get_user_data_base(void);
+const void* __oe_get_user_data_end(void);
+uint64_t __oe_get_user_data_size(void);
+
 OE_EXTERNC_END
 
 #endif /* _OE_GLOBALS_H */
diff --git a/include/openenclave/internal/sgxcreate.h b/include/openenclave/internal/sgxcreate.h
index a7db1d9d8f..c9287e8452 100644
--- a/include/openenclave/internal/sgxcreate.h
+++ b/include/openenclave/internal/sgxcreate.h
@@ -75,6 +75,8 @@ oe_result_t oe_sgx_build_enclave(
     oe_sgx_load_context_t* context,
     const char* path,
     const oe_sgx_enclave_properties_t* properties,
+    uint8_t* user_data,
+    uint32_t user_data_size,
     oe_enclave_t* enclave);
 
 /**
diff --git a/tools/oeedger8r/src/Headers.ml b/tools/oeedger8r/src/Headers.ml
index 0fbe6094b1..05a8f504e6 100644
--- a/tools/oeedger8r/src/Headers.ml
+++ b/tools/oeedger8r/src/Headers.ml
@@ -305,6 +305,16 @@ let generate_untrusted (ec : enclave_content) =
     "    uint32_t setting_count,";
     "    oe_enclave_t** enclave);";
     "";
+    sprintf "oe_result_t oe_create_%s_enclave_wud(" ec.enclave_name;
+    "    const char* path,";
+    "    oe_enclave_type_t type,";
+    "    uint32_t flags,";
+    "    const oe_enclave_setting_t* settings,";
+    "    uint32_t setting_count,";
+    "    uint8_t *user_data,";
+    "    uint32_t user_data_size,";
+    "    oe_enclave_t** enclave);";
+    "";
     "/**** ECALL prototypes. ****/";
     String.concat "\n\n" tfunc_wrapper_prototypes;
     "";
diff --git a/tools/oeedger8r/src/Sources.ml b/tools/oeedger8r/src/Sources.ml
index 4932a2a1c9..680211ffe6 100644
--- a/tools/oeedger8r/src/Sources.ml
+++ b/tools/oeedger8r/src/Sources.ml
@@ -973,6 +973,29 @@ let generate_untrusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
     "               enclave);";
     "}";
     "";
+    sprintf "oe_result_t oe_create_%s_enclave_wud(" ec.enclave_name;
+    "    const char* path,";
+    "    oe_enclave_type_t type,";
+    "    uint32_t flags,";
+    "    const oe_enclave_setting_t* settings,";
+    "    uint32_t setting_count,";
+    "    uint8_t *user_data,";
+    "    uint32_t user_data_size,";
+    "    oe_enclave_t** enclave)";
+    "{";
+    "    return oe_create_enclave_wud(";
+    "               path,";
+    "               type,";
+    "               flags,";
+    "               settings,";
+    "               setting_count,";
+    sprintf "               __%s_ocall_function_table," ec.enclave_name;
+    sprintf "               %d," (List.length ec.ufunc_decls);
+    "               user_data,";
+    "               user_data_size,";
+    "               enclave);";
+    "}";
+    "";
     "OE_EXTERNC_END";
     "";
   ]
diff --git a/tools/oesign/main.c b/tools/oesign/main.c
index 108eb3fb23..bc785aa94c 100644
--- a/tools/oesign/main.c
+++ b/tools/oesign/main.c
@@ -580,8 +580,8 @@ int oesign(const char* enclave, const char* conffile, const char* keyfile)
     }
 
     /* Build an enclave to obtain the MRENCLAVE measurement */
-    if ((result = oe_sgx_build_enclave(&context, enclave, &props, &enc)) !=
-        OE_OK)
+    if ((result = oe_sgx_build_enclave(
+             &context, enclave, &props, NULL, 0, &enc)) != OE_OK)
     {
         Err("oe_sgx_build_enclave(): result=%s (%u)",
             oe_result_str(result),

From aec1baa432aff36d1144675d268f4deed48b4181 Mon Sep 17 00:00:00 2001
From: "Christoph M. Wintersteiger" <cwinter@microsoft.com>
Date: Fri, 24 Jan 2020 10:19:54 +0000
Subject: [PATCH 407/420] Add extended remote attestation sample

Signed-off-by: Christoph M. Wintersteiger <cwinter@microsoft.com>
---
 samples/remote_attestation_wud/CMakeLists.txt |  23 ++
 samples/remote_attestation_wud/Makefile       |  19 ++
 samples/remote_attestation_wud/README.md      | 233 +++++++++++++
 .../common/CMakeLists.txt                     |  31 ++
 .../common/attestation.cpp                    | 166 ++++++++++
 .../common/attestation.h                      |  44 +++
 .../remote_attestation_wud/common/crypto.cpp  | 312 ++++++++++++++++++
 .../remote_attestation_wud/common/crypto.h    | 103 ++++++
 .../common/dispatcher.cpp                     | 204 ++++++++++++
 .../common/dispatcher.h                       |  45 +++
 samples/remote_attestation_wud/common/log.h   |  13 +
 .../enclave_a/CMakeLists.txt                  |  31 ++
 .../remote_attestation_wud/enclave_a/Makefile |  57 ++++
 .../enclave_a/ecalls.cpp                      |  57 ++++
 .../remote_attestation_wud/enclave_a/enc.conf |  10 +
 .../enclave_b/CMakeLists.txt                  |  31 ++
 .../remote_attestation_wud/enclave_b/Makefile |  56 ++++
 .../enclave_b/ecalls.cpp                      |  57 ++++
 .../remote_attestation_wud/enclave_b/enc.conf |  10 +
 .../gen_pubkey_header.sh                      |  31 ++
 .../host/CMakeLists.txt                       |  20 ++
 samples/remote_attestation_wud/host/Makefile  |  33 ++
 samples/remote_attestation_wud/host/host.cpp  | 199 +++++++++++
 .../images/attestationsample.png              | Bin 0 -> 24098 bytes
 .../images/localattestation.png               | Bin 0 -> 6469 bytes
 .../images/remoteattestation_sample.png       | Bin 0 -> 19420 bytes
 .../remoteattestation_sample_details.png      | Bin 0 -> 27944 bytes
 .../images/remoteattestation_service.png      | Bin 0 -> 12545 bytes
 .../remoteattestation.edl                     |  25 ++
 29 files changed, 1810 insertions(+)
 create mode 100644 samples/remote_attestation_wud/CMakeLists.txt
 create mode 100644 samples/remote_attestation_wud/Makefile
 create mode 100644 samples/remote_attestation_wud/README.md
 create mode 100644 samples/remote_attestation_wud/common/CMakeLists.txt
 create mode 100644 samples/remote_attestation_wud/common/attestation.cpp
 create mode 100644 samples/remote_attestation_wud/common/attestation.h
 create mode 100644 samples/remote_attestation_wud/common/crypto.cpp
 create mode 100644 samples/remote_attestation_wud/common/crypto.h
 create mode 100644 samples/remote_attestation_wud/common/dispatcher.cpp
 create mode 100644 samples/remote_attestation_wud/common/dispatcher.h
 create mode 100644 samples/remote_attestation_wud/common/log.h
 create mode 100644 samples/remote_attestation_wud/enclave_a/CMakeLists.txt
 create mode 100644 samples/remote_attestation_wud/enclave_a/Makefile
 create mode 100644 samples/remote_attestation_wud/enclave_a/ecalls.cpp
 create mode 100644 samples/remote_attestation_wud/enclave_a/enc.conf
 create mode 100644 samples/remote_attestation_wud/enclave_b/CMakeLists.txt
 create mode 100644 samples/remote_attestation_wud/enclave_b/Makefile
 create mode 100644 samples/remote_attestation_wud/enclave_b/ecalls.cpp
 create mode 100644 samples/remote_attestation_wud/enclave_b/enc.conf
 create mode 100755 samples/remote_attestation_wud/gen_pubkey_header.sh
 create mode 100644 samples/remote_attestation_wud/host/CMakeLists.txt
 create mode 100644 samples/remote_attestation_wud/host/Makefile
 create mode 100644 samples/remote_attestation_wud/host/host.cpp
 create mode 100644 samples/remote_attestation_wud/images/attestationsample.png
 create mode 100644 samples/remote_attestation_wud/images/localattestation.png
 create mode 100644 samples/remote_attestation_wud/images/remoteattestation_sample.png
 create mode 100644 samples/remote_attestation_wud/images/remoteattestation_sample_details.png
 create mode 100644 samples/remote_attestation_wud/images/remoteattestation_service.png
 create mode 100644 samples/remote_attestation_wud/remoteattestation.edl

diff --git a/samples/remote_attestation_wud/CMakeLists.txt b/samples/remote_attestation_wud/CMakeLists.txt
new file mode 100644
index 0000000000..6cac3fd9cb
--- /dev/null
+++ b/samples/remote_attestation_wud/CMakeLists.txt
@@ -0,0 +1,23 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+cmake_minimum_required(VERSION 3.11)
+
+project("Remote Attestation Sample" LANGUAGES C CXX)
+
+find_package(OpenEnclave CONFIG REQUIRED)
+
+set(CMAKE_CXX_STANDARD 11)
+
+add_subdirectory(common)
+add_subdirectory(enclave_a)
+add_subdirectory(enclave_b)
+add_subdirectory(host)
+
+add_custom_target(sign ALL DEPENDS enclave_a_signed enclave_b_signed)
+
+if ((NOT DEFINED ENV{OE_SIMULATION}) OR (NOT $ENV{OE_SIMULATION}))
+  add_custom_target(run
+    DEPENDS remote_attestation_host sign
+    COMMAND remote_attestation_host ${CMAKE_BINARY_DIR}/enclave_a/enclave_a.signed ${CMAKE_BINARY_DIR}/enclave_b/enclave_b.signed)
+endif ()
diff --git a/samples/remote_attestation_wud/Makefile b/samples/remote_attestation_wud/Makefile
new file mode 100644
index 0000000000..b9631c2239
--- /dev/null
+++ b/samples/remote_attestation_wud/Makefile
@@ -0,0 +1,19 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+.PHONY: all build clean run
+
+all: build
+
+build:
+	$(MAKE) -C enclave_a
+	$(MAKE) -C enclave_b
+	$(MAKE) -C host
+
+clean:
+	$(MAKE) -C enclave_a clean
+	$(MAKE) -C enclave_b clean
+	$(MAKE) -C host clean
+
+run:
+	host/attestation_host ./enclave_a/enclave_a.signed ./enclave_b/enclave_b.signed
diff --git a/samples/remote_attestation_wud/README.md b/samples/remote_attestation_wud/README.md
new file mode 100644
index 0000000000..c359e3c010
--- /dev/null
+++ b/samples/remote_attestation_wud/README.md
@@ -0,0 +1,233 @@
+# The Remote Attestation Sample
+
+This sample demonstrates how to do remote attestation between two enclaves and establish a secure communication channel for exchanging messages between them.
+
+It has the following properties:
+
+- Written in C++
+- Demonstrates an implementation of remote attestation
+- Use of mbedTLS within the enclave
+- Use Asymmetric / Public-Key Encryption to establish secure communications between two attesting enclaves
+- Enclave APIs used:
+  - oe_get_report
+  - oe_verify_report,
+  - oe_is_within_enclave
+
+**Note: Currently this sample only works on SGX-FLC systems.** The underlying SGX library support for end-to-end remote attestation is available only on SGX-FLC system. There is no plan to back port those libraries to either SGX1 system or software emulator.
+
+## Attestation primer
+
+### What is Attestation
+
+Attestation is the process of demonstrating that a software component (such as an enclave image) has been properly instantiated on an Trusted Execution Environment (TEE, such as the SGX enabled platform).
+
+A successfully attested enclave proves:
+
+- The enclave is running in a valid Trusted Execution Environment (TEE), which is Intel SGX in this case (trustworthiness).
+
+- The enclave has the correct identity and runtime properties that has not been tampered with (identity).
+
+  In the context of Open Enclave, when an enclave requests confidential information from a remote entity, the remote entity will issue a challenge to the requesting enclave to prove its identity and trustworthiness before provisioning any confidential information to the enclave. This process of proving its identity and trustworthiness to a challenger is known as attestation.
+
+### Attestation types
+
+There are two types of attestation:
+
+- **Local Attestation** refers to two enclaves on the same TEE platform authenticating each other before exchanging information. In Open Enclave, this is done through the creation and validation of an enclave's `local report`.
+
+  ![Local Attestation](images/localattestation.png)
+
+- **Remote Attestation** is the process of a [trusted computing base (TCB)](https://en.wikipedia.org/wiki/Trusted_computing_base), a combination of HW and SW, gaining the trust of a remote enclave/provider. In Open Enclave, this is done through the creation and validation of an enclave's `remote report`.
+
+  ![Remote Attestation Sample](images/remoteattestation_service.png)
+
+### Secure Communication Channel
+
+Remote Attestation alone is not enough for the remote party to be able to securely deliver their secrets to the requesting enclave. Securely delivering services requires a secure communication channel which is often guaranteed by Transport Layer Security (TLS).
+
+A few alternatives for establishing a secure communication channel without TLS are:
+1) Use the established ephemeral private keys to perform a signed Diffie-Hellman key exchange and use symmetric key cryptography to communicate after that point.
+2) Generate an ephemeral symmetric key in one of the enclaves, say enclave_a, encrypt with the public key of enclave_b, sign with your private key and then send it to enclave_b. This will ensure that the symmetric key is only known to the two enclaves and the root of trust is in the remote attestation.
+
+This remote attestation sample only demonstrates the remote attestation process but does not establish a secure communication channel or communicate secrets after that. Please note that the established public keys cannot be used to encrypt the messages as they are visible to the external world, including the host. The host can fake messages on behalf of the enclaves.
+
+Here is a good article about [Intel SGX attestation](
+https://software.intel.com/sites/default/files/managed/57/0e/ww10-2016-sgx-provisioning-and-attestation-final.pdf), which describes how Intel's SGX attestation works. The current Open Enclave's implementation was based on it for the SGX platform.
+
+Note: `local report` is the same as an `Intel SGX report`, while the `remote report` is the same as an `Intel SGX quote`.
+
+## Remote Attestation sample
+
+In a typical Open Enclave application, it's common to see multiple enclaves working together to achieve common goals. Once an enclave verifies the counterpart is trustworthy, they can exchange information on a protected channel, which typically provides confidentiality, integrity and replay protection.
+
+This is why instead of attesting an enclave to a remote (mostly cloud) service, this sample demonstrates how to attest two enclaves to each other by using Open Enclave APIs `oe_get_report` and `oe_verify_report` which takes care of all remote attestation operations.
+
+To simplify this sample without losing the focus in explaining how the remote attestation works, host1 and host2 are combined into one single host to eliminate the need for additional socket code logic to deal with communication between two hosts.
+
+![Remote Attestation](images/remoteattestation_sample.png)
+
+### Authoring the Host
+
+The host process is what drives the enclave app. It is responsible for managing the lifetime of the enclave and invoking enclave ECALLs but should be considered an untrusted component that is never allowed to handle plaintext secrets intended for the enclave.
+
+![Remote Attestation](images/remoteattestation_sample_details.png)
+
+The host does the following in this sample:
+
+   1. Create two enclaves for attesting each other, let's say they are enclave_a and enclave_b
+
+      ```c
+      oe_create_remoteattestation_enclave( enclaveImagePath, OE_ENCLAVE_TYPE_SGX, OE_ENCLAVE_FLAG_DEBUG, NULL, 0, &enclave);
+      ```
+
+   2. Ask enclave_a for a remote report and a public key, which is returned in a `RemoteReportWithPKey` structure.
+
+      This is done through a call into the enclave_a `GetRemoteReportWithPKey` `OE_ECALL`
+
+      ```c
+      oe_call_enclave(enclave, "GetRemoteReportWithPKey", &args);
+
+      struct RemoteReportWithPKey
+      {
+          uint8_t pem_key[512]; // public key information
+          uint8_t* remote_report;
+          size_t remote_report_size;
+      };
+      ```
+
+      Where:
+
+        - `pem_key` holds the public key that identifies enclave_a
+
+        - `remote_report` contains a remote report signed by the enclave platform for use in remote attestation
+
+   3. Ask enclave_b to attest (validate) enclave_a's remote report (remote_report from above)
+
+      This is done through the following call:
+      ```c
+      oe_call_enclave(enclave, "VerifyReportAndSetPKey", &args);
+      ```
+
+      In the enclave_b's implementation of `VerifyReportAndSetPKey`, it calls `oe_verify_report`, which will be described in the enclave section to handle all the platform specfic report validation operations (including PCK certificate chain checking). If successful the public key in `RemoteReportWithPKey.pem_key` will be stored inside the enclave for future use
+
+   4. Repeat step 2 and 3 for asking enclave_a to validate enclave_b
+
+   5. Free the resource used, including the host memory allocated by the enclaves and the enclaves themselves
+
+      For example:
+
+      ```c
+      oe_terminate_enclave(enclave_a);
+      oe_terminate_enclave(enclave_b);
+      ```
+
+### Authoring the Enclave
+
+#### Attesting an Enclave
+
+Attesting an enclave consists of three steps:
+
+##### 1) Generating an Enclave Report
+
+The enclave being attested first needs to generate a cryptographically strong proof of its identity that the challenger can verify. In the sample this is done by asking the SGX platform to generate a `remote report` signed by Intel via the `oe_get_report` method with `OE_REPORT_FLAGS_REMOTE_ATTESTATION` flag. The `remote report` can be verified by the `oe_verify_report` method on a different machine.
+
+An important feature of `oe_get_report` is that you can pass in application specific data as the `reportData` parameter to be signed into the report.
+
+- This is limited to 64 bytes in SGX. As illustrated in the sample, you sign arbitrarily large data into the report by first hashing it and then passing it to the `oe_get_report` method.
+
+- This is useful to bootstrap a secure communication channel between the enclave and the challenger.
+
+  - In this sample, the enclave signs the hash of an ephemeral public key into its report, which the challenger can then use to encrypt a response to it.
+
+  - Other usage examples for `reportData` might be to include a nonce, or to initiate Diffie-Helman key exchange.
+
+##### 2) Verifying the integrity of the Enclave Report
+
+Once the report is generated and passed to the challenger, the challenger can call `oe_verify_report` to validate the report originated from an Trust Execution Environment (TEE, in the case it's a valid SGX platform).
+
+In the context of Open Enclave on Intel SGX platform, a remote report is verified using the certificate chain issued by Intel which is only valid for SGX platforms.
+
+At this point, the challenger knows that the report originated from an enclave running in a TEE, and that the information in the report can be trusted.
+
+Note that for the Public Preview, remote attestation verification is only supported in the Azure ACC VMs, but Intel will be expanding support for this with Open Enclave SDK more broadly moving forward.
+
+##### 3) Verifying the enclave identity
+
+Finally, it is up to the enclave app to check that identity and properties of the enclave reflected in the report matches its expectation.
+Open Enclave exposes a generalized identity model to support this process across TEE types. In the sample, the app-specific `AttestQuote` method calls `oe_parse_report` to obtain an `oe_report_t`. This data structure contains:
+
+- The `reportData` signed into the report
+- The generalized identity structure as defined by `oe_identity_t`:
+
+  ```c
+  typedef struct _oe_identity
+  {
+      /** Version of the oe_identity_t structure */
+      uint32_t idVersion;
+
+      /** Security version of the enclave. For SGX enclaves, this is the
+        *  ISVN value */
+      uint32_t securityVersion;
+
+      /** Values of the attributes flags for the enclave -
+        *  OE_REPORT_ATTRIBUTES_DEBUG: The report is for a debug enclave.
+        *  OE_REPORT_ATTRIBUTES_REMOTE: The report can be used for remote
+        *  attestation */
+      uint64_t attributes;
+
+      /** The unique ID for the enclave.
+        * For SGX enclaves, this is the MRENCLAVE value */
+      uint8_t uniqueID[OE_UNIQUE_ID_SIZE];
+
+      /** The author ID for the enclave.
+        * For SGX enclaves, this is the MRSIGNER value */
+      uint8_t authorID[OE_AUTHOR_ID_SIZE];
+
+      /** The Product ID for the enclave.
+        * For SGX enclaves, this is the ISVPRODID value. */
+      uint8_t productID[OE_PRODUCT_ID_SIZE];
+  } oe_identity_t;
+  ```
+
+As shown in the sample, the set of validations performed on these properties is up to the app. In general, we would strongly recommend:
+
+- Ensure that the identity of the enclave matches the expected value:
+  - Verify the `uniqueID` value if you want to match the exact bitwise identity of the enclave. Bear in mind that any patches to the enclave will change the uniqueID in the future.
+  - Verify the `authorID` and `productID` values if you want to match the identity of an enclave that might span multiple binary versions. This is what the attestation sample does.
+- Ensure that the `securityVersion` of the enclave matches your minimum required security version.
+- Ensure that the `reportData` matches the hash of the data provided with the report, as illustrated by the sample.
+
+## Using Cryptography in an Enclave
+
+The attestation remote_attestation/common/crypto.cpp file from the sample illustrates how to use mbedTLS inside the enclave for cryptographic operations such as:
+
+- RSA key generation, encryption and decryption
+- SHA256 hashing
+
+In general, the Open Enclave SDK provides default support for mbedTLS layered on top of the Open Enclave core runtime with a small integration surface so that it can be switched out by open source developers in the future for your choice of crypto libraries.
+
+See [here](https://github.com/openenclave/openenclave/tree/master/docs/MbedtlsSupport.md) for supported mbedTLS functions
+
+## Build and run
+
+Note that there are two different build systems supported, one using GNU Make and
+`pkg-config`, the other using CMake.
+
+### CMake
+
+This uses the CMake package provided by the Open Enclave SDK.
+
+```bash
+cd remote_attestation
+mkdir build && cd build
+cmake ..
+make run
+```
+
+### GNU Make
+
+```bash
+cd remote_attestation
+make build
+make run
+```
diff --git a/samples/remote_attestation_wud/common/CMakeLists.txt b/samples/remote_attestation_wud/common/CMakeLists.txt
new file mode 100644
index 0000000000..629d1fc157
--- /dev/null
+++ b/samples/remote_attestation_wud/common/CMakeLists.txt
@@ -0,0 +1,31 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+add_custom_command(OUTPUT enclave_a_pubkey.h
+  DEPENDS public_key_a ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
+  COMMAND ${OE_BASH} ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh enclave_a_pubkey.h ${CMAKE_BINARY_DIR}/enclave_a/public_a.pem)
+# Use the edger8r to generate C bindings from the EDL file.
+add_custom_command(OUTPUT remoteattestation_t.h remoteattestation_t.c remoteattestation_args.h
+  DEPENDS ${CMAKE_SOURCE_DIR}/remoteattestation.edl
+  COMMAND openenclave::oeedger8r --trusted ${CMAKE_SOURCE_DIR}/remoteattestation.edl)
+
+# Create a library common to each of our two enclaves.
+add_library(common STATIC attestation.cpp crypto.cpp dispatcher.cpp ${CMAKE_CURRENT_BINARY_DIR}/remoteattestation_t.c)
+
+if(WIN32)
+  maybe_build_using_clangw(common)
+endif()
+
+target_compile_definitions(common PUBLIC OE_API_VERSION=2)
+target_link_libraries(common PUBLIC
+  # `liboecore`, a dependency of `liboeenclave`, requires the ecalls
+  # function table. Because the libraries linking `libcommon` do not
+  # directly require this symbol, the linker skips the object in
+  # `libcommon` which defines them. So we manually require it.
+  #
+  # Alternatively we could use a CMake OBJECT library, but that
+  # requires a newish version of CMake.
+  $<$<PLATFORM_ID:Linux>:-Wl,--require-defined=__oe_ecalls_table>
+  openenclave::oeenclave
+  openenclave::oelibcxx)
+target_include_directories(common PUBLIC ${CMAKE_SOURCE_DIR} ${CMAKE_BINARY_DIR})
diff --git a/samples/remote_attestation_wud/common/attestation.cpp b/samples/remote_attestation_wud/common/attestation.cpp
new file mode 100644
index 0000000000..d934b42bc3
--- /dev/null
+++ b/samples/remote_attestation_wud/common/attestation.cpp
@@ -0,0 +1,166 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include "attestation.h"
+#include <string.h>
+#include "log.h"
+
+Attestation::Attestation(Crypto* crypto, uint8_t* enclave_mrsigner)
+{
+    m_crypto = crypto;
+    m_enclave_mrsigner = enclave_mrsigner;
+}
+
+/**
+ * Generate a remote report for the given data. The SHA256 digest of the data is
+ * stored in the report_data field of the generated remote report.
+ */
+bool Attestation::generate_remote_report(
+    const uint8_t* data,
+    const size_t data_size,
+    uint8_t** remote_report_buf,
+    size_t* remote_report_buf_size)
+{
+    bool ret = false;
+    uint8_t sha256[32];
+    oe_result_t result = OE_OK;
+    uint8_t* temp_buf = NULL;
+
+    if (m_crypto->Sha256(data, data_size, sha256) != 0)
+    {
+        goto exit;
+    }
+
+    // To generate a remote report that can be attested remotely by an enclave
+    // running  on a different platform, pass the
+    // OE_REPORT_FLAGS_REMOTE_ATTESTATION option. This uses the trusted
+    // quoting enclave to generate the report based on this enclave's local
+    // report.
+    // To generate a remote report that just needs to be attested by another
+    // enclave running on the same platform, pass 0 instead. This uses the
+    // EREPORT instruction to generate this enclave's local report.
+    // Both kinds of reports can be verified using the oe_verify_report
+    // function.
+    result = oe_get_report(
+        OE_REPORT_FLAGS_REMOTE_ATTESTATION,
+        sha256, // Store sha256 in report_data field
+        sizeof(sha256),
+        NULL, // opt_params must be null
+        0,
+        &temp_buf,
+        remote_report_buf_size);
+    if (result != OE_OK)
+    {
+        TRACE_ENCLAVE("oe_get_report failed.");
+        goto exit;
+    }
+    *remote_report_buf = temp_buf;
+    ret = true;
+    TRACE_ENCLAVE("generate_remote_report succeeded.");
+exit:
+    return ret;
+}
+
+/**
+ * Attest the given remote report and accompanying data. It consists of the
+ * following three steps:
+ *
+ * 1) The remote report is first attested using the oe_verify_report API. This
+ * ensures the authenticity of the enclave that generated the remote report.
+ * 2) Next, to establish trust of the enclave that  generated the remote report,
+ * the mrsigner, product_id, isvsvn values are checked to  see if they are
+ * predefined trusted values.
+ * 3) Once the enclave's trust has been established, the validity of
+ * accompanying data is ensured by comparing its SHA256 digest against the
+ * report_data field.
+ */
+bool Attestation::attest_remote_report(
+    const uint8_t* remote_report,
+    size_t remote_report_size,
+    const uint8_t* data,
+    size_t data_size)
+{
+    bool ret = false;
+    uint8_t sha256[32];
+    oe_report_t parsed_report = {0};
+    oe_result_t result = OE_OK;
+
+    // While attesting, the remote report being attested must not be tampered
+    // with. Ensure that it has been copied over to the enclave.
+    if (!oe_is_within_enclave(remote_report, remote_report_size))
+    {
+        TRACE_ENCLAVE("Cannot attest remote report in host memory. Unsafe.");
+        goto exit;
+    }
+
+    // 1)  Validate the report's trustworthiness
+    // Verify the remote report to ensure its authenticity.
+    result =
+        oe_verify_report(remote_report, remote_report_size, &parsed_report);
+    if (result != OE_OK)
+    {
+        TRACE_ENCLAVE("oe_verify_report failed (%s).\n", oe_result_str(result));
+        goto exit;
+    }
+
+    // 2) validate the enclave identity's signed_id is the hash of the public
+    // signing key that was used to sign an enclave. Check that the enclave was
+    // signed by an trusted entity.
+    if (memcmp(parsed_report.identity.signer_id, m_enclave_mrsigner, 32) != 0)
+    {
+        TRACE_ENCLAVE("identity.signer_id checking failed.");
+        TRACE_ENCLAVE(
+            "identity.signer_id %s", parsed_report.identity.signer_id);
+
+        for (int i = 0; i < 32; i++)
+        {
+            TRACE_ENCLAVE(
+                "m_enclave_mrsigner[%d]=0x%0x\n",
+                i,
+                (uint8_t)m_enclave_mrsigner[i]);
+        }
+
+        TRACE_ENCLAVE("\n\n\n");
+
+        for (int i = 0; i < 32; i++)
+        {
+            TRACE_ENCLAVE(
+                "parsedReport.identity.signer_id)[%d]=0x%0x\n",
+                i,
+                (uint8_t)parsed_report.identity.signer_id[i]);
+        }
+        TRACE_ENCLAVE("m_enclave_mrsigner %s", m_enclave_mrsigner);
+        goto exit;
+    }
+
+    // Check the enclave's product id and security version
+    // See enc.conf for values specified when signing the enclave.
+    if (parsed_report.identity.product_id[0] != 1)
+    {
+        TRACE_ENCLAVE("identity.product_id checking failed.");
+        goto exit;
+    }
+
+    if (parsed_report.identity.security_version < 1)
+    {
+        TRACE_ENCLAVE("identity.security_version checking failed.");
+        goto exit;
+    }
+
+    // 3) Validate the report data
+    //    The report_data has the hash value of the report data
+    if (m_crypto->Sha256(data, data_size, sha256) != 0)
+    {
+        goto exit;
+    }
+
+    if (memcmp(parsed_report.report_data, sha256, sizeof(sha256)) != 0)
+    {
+        TRACE_ENCLAVE("SHA256 mismatch.");
+        goto exit;
+    }
+    ret = true;
+    TRACE_ENCLAVE("remote attestation succeeded.");
+exit:
+    return ret;
+}
diff --git a/samples/remote_attestation_wud/common/attestation.h b/samples/remote_attestation_wud/common/attestation.h
new file mode 100644
index 0000000000..a942acca86
--- /dev/null
+++ b/samples/remote_attestation_wud/common/attestation.h
@@ -0,0 +1,44 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#ifndef OE_SAMPLES_ATTESTATION_ENC_ATTESTATION_H
+#define OE_SAMPLES_ATTESTATION_ENC_ATTESTATION_H
+
+#include <openenclave/enclave.h>
+#include "crypto.h"
+
+#define ENCLAVE_SECRET_DATA_SIZE 16
+class Attestation
+{
+  private:
+    Crypto* m_crypto;
+    uint8_t* m_enclave_mrsigner;
+
+  public:
+    Attestation(Crypto* crypto, uint8_t* enclave_mrsigner);
+
+    // Generate a remote report for the given data. The SHA256 digest of the
+    // data is stored in the report_data field of the generated remote report.
+    bool generate_remote_report(
+        const uint8_t* data,
+        size_t data_size,
+        uint8_t** remote_report_buf,
+        size_t* remote_report_buf_size);
+
+    /**
+     * Attest the given remote report and accompanying data. The remote report
+     * is first attested using the oe_verify_report API. This ensures the
+     * authenticity of the enclave that generated the remote report. Next the
+     * mrsigner and mrenclave values are tested to establish trust of the
+     * enclave that generated the remote report. Next the validity of
+     * accompanying data is ensured by comparing its SHA256 digest against the
+     * report_data field.
+     */
+    bool attest_remote_report(
+        const uint8_t* remote_report,
+        size_t remote_report_size,
+        const uint8_t* data,
+        size_t data_size);
+};
+
+#endif // OE_SAMPLES_ATTESTATION_ENC_ATTESTATION_H
diff --git a/samples/remote_attestation_wud/common/crypto.cpp b/samples/remote_attestation_wud/common/crypto.cpp
new file mode 100644
index 0000000000..ebcdd00d3a
--- /dev/null
+++ b/samples/remote_attestation_wud/common/crypto.cpp
@@ -0,0 +1,312 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include "crypto.h"
+#include <mbedtls/pk.h>
+#include <mbedtls/rsa.h>
+#include <openenclave/enclave.h>
+#include <stdlib.h>
+#include <string.h>
+
+Crypto::Crypto()
+{
+    m_initialized = init_mbedtls();
+}
+
+Crypto::~Crypto()
+{
+    cleanup_mbedtls();
+}
+
+/**
+ * init_mbedtls initializes the crypto module.
+ * mbedtls initialization. Please refer to mbedtls documentation for detailed
+ * information about the functions used.
+ */
+bool Crypto::init_mbedtls(void)
+{
+    bool ret = false;
+    int res = -1;
+
+    mbedtls_ctr_drbg_init(&m_ctr_drbg_contex);
+    mbedtls_entropy_init(&m_entropy_context);
+    mbedtls_pk_init(&m_pk_context);
+
+    // Initialize entropy.
+    res = mbedtls_ctr_drbg_seed(
+        &m_ctr_drbg_contex, mbedtls_entropy_func, &m_entropy_context, NULL, 0);
+    if (res != 0)
+    {
+        TRACE_ENCLAVE("mbedtls_ctr_drbg_seed failed.");
+        goto exit;
+    }
+
+    // Initialize RSA context.
+    res = mbedtls_pk_setup(
+        &m_pk_context, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
+    if (res != 0)
+    {
+        TRACE_ENCLAVE("mbedtls_pk_setup failed (%d).", res);
+        goto exit;
+    }
+
+    // Generate an ephemeral 2048-bit RSA key pair with
+    // exponent 65537 for the enclave.
+    res = mbedtls_rsa_gen_key(
+        mbedtls_pk_rsa(m_pk_context),
+        mbedtls_ctr_drbg_random,
+        &m_ctr_drbg_contex,
+        2048,
+        65537);
+    if (res != 0)
+    {
+        TRACE_ENCLAVE("mbedtls_rsa_gen_key failed (%d)\n", res);
+        goto exit;
+    }
+
+    // Write out the public key in PEM format for exchange with other enclaves.
+    res = mbedtls_pk_write_pubkey_pem(
+        &m_pk_context, m_public_key, sizeof(m_public_key));
+    if (res != 0)
+    {
+        TRACE_ENCLAVE("mbedtls_pk_write_pubkey_pem failed (%d)\n", res);
+        goto exit;
+    }
+    ret = true;
+    TRACE_ENCLAVE("mbedtls initialized.");
+exit:
+    return ret;
+}
+
+/**
+ * mbedtls cleanup during shutdown.
+ */
+void Crypto::cleanup_mbedtls(void)
+{
+    mbedtls_pk_free(&m_pk_context);
+    mbedtls_entropy_free(&m_entropy_context);
+    mbedtls_ctr_drbg_free(&m_ctr_drbg_contex);
+
+    TRACE_ENCLAVE("mbedtls cleaned up.");
+}
+
+/**
+ * Get the public key for this enclave.
+ */
+void Crypto::retrieve_public_key(uint8_t pem_public_key[512])
+{
+    memcpy(pem_public_key, m_public_key, sizeof(m_public_key));
+}
+
+// Compute the sha256 hash of given data.
+int Crypto::Sha256(const uint8_t* data, size_t data_size, uint8_t sha256[32])
+{
+    int ret = 0;
+    mbedtls_sha256_context ctx;
+
+    mbedtls_sha256_init(&ctx);
+
+    ret = mbedtls_sha256_starts_ret(&ctx, 0);
+    if (ret)
+        goto exit;
+
+    ret = mbedtls_sha256_update_ret(&ctx, data, data_size);
+    if (ret)
+        goto exit;
+
+    ret = mbedtls_sha256_finish_ret(&ctx, sha256);
+    if (ret)
+        goto exit;
+
+exit:
+    mbedtls_sha256_free(&ctx);
+    return ret;
+}
+
+/**
+ * Encrypt encrypts the given data using the given public key.
+ * Used to encrypt data using the public key of another enclave.
+ */
+bool Crypto::Encrypt(
+    const uint8_t* pem_public_key,
+    const uint8_t* data,
+    size_t data_size,
+    uint8_t* encrypted_data,
+    size_t* encrypted_data_size)
+{
+    bool result = false;
+    mbedtls_pk_context key;
+    size_t key_size = 0;
+    int res = -1;
+    mbedtls_rsa_context* rsa_context;
+
+    mbedtls_pk_init(&key);
+
+    if (!m_initialized)
+        goto exit;
+
+    // Read the given public key.
+    key_size = strlen((const char*)pem_public_key) + 1; // Include ending '\0'.
+    res = mbedtls_pk_parse_public_key(&key, pem_public_key, key_size);
+    if (res != 0)
+    {
+        TRACE_ENCLAVE("mbedtls_pk_parse_public_key failed.");
+        goto exit;
+    }
+
+    rsa_context = mbedtls_pk_rsa(key);
+    rsa_context->padding = MBEDTLS_RSA_PKCS_V21;
+    rsa_context->hash_id = MBEDTLS_MD_SHA256;
+
+    if (rsa_context->padding == MBEDTLS_RSA_PKCS_V21)
+    {
+        TRACE_ENCLAVE("Padding used: MBEDTLS_RSA_PKCS_V21 for OAEP or PSS");
+    }
+
+    if (rsa_context->padding == MBEDTLS_RSA_PKCS_V15)
+    {
+        TRACE_ENCLAVE("New MBEDTLS_RSA_PKCS_V15  for 1.5 padding");
+    }
+
+    // Encrypt the data.
+    res = mbedtls_rsa_pkcs1_encrypt(
+        rsa_context,
+        mbedtls_ctr_drbg_random,
+        &m_ctr_drbg_contex,
+        MBEDTLS_RSA_PUBLIC,
+        data_size,
+        data,
+        encrypted_data);
+    if (res != 0)
+    {
+        TRACE_ENCLAVE("mbedtls_rsa_pkcs1_encrypt failed with %d\n", res);
+        goto exit;
+    }
+
+    *encrypted_data_size = mbedtls_pk_rsa(key)->len;
+    result = true;
+exit:
+    mbedtls_pk_free(&key);
+    return result;
+}
+
+/**
+ * decrypt the given data using current enclave's private key.
+ * Used to receive encrypted data from another enclave.
+ */
+bool Crypto::decrypt(
+    const uint8_t* encrypted_data,
+    size_t encrypted_data_size,
+    uint8_t* data,
+    size_t* data_size)
+{
+    bool ret = false;
+    size_t output_size = 0;
+    int res = 0;
+    mbedtls_rsa_context* rsa_context;
+
+    if (!m_initialized)
+        goto exit;
+
+    mbedtls_pk_rsa(m_pk_context)->len = encrypted_data_size;
+    rsa_context = mbedtls_pk_rsa(m_pk_context);
+    rsa_context->padding = MBEDTLS_RSA_PKCS_V21;
+    rsa_context->hash_id = MBEDTLS_MD_SHA256;
+
+    output_size = *data_size;
+    res = mbedtls_rsa_pkcs1_decrypt(
+        rsa_context,
+        mbedtls_ctr_drbg_random,
+        &m_ctr_drbg_contex,
+        MBEDTLS_RSA_PRIVATE,
+        &output_size,
+        encrypted_data,
+        data,
+        output_size);
+    if (res != 0)
+    {
+        TRACE_ENCLAVE("mbedtls_rsa_pkcs1_decrypt failed with %d\n", res);
+        goto exit;
+    }
+    *data_size = output_size;
+    ret = true;
+
+exit:
+    return ret;
+}
+
+bool Crypto::get_rsa_modulus_from_pem(
+    const char* pem_data,
+    size_t pem_size,
+    uint8_t** modulus,
+    size_t* modulus_size)
+{
+    mbedtls_pk_context ctx;
+    mbedtls_pk_type_t pk_type;
+    mbedtls_rsa_context* rsa_ctx = NULL;
+    uint8_t* modulus_local = NULL;
+    size_t modulus_local_size = 0;
+    int res = 0;
+    bool ret = false;
+
+    if (!m_initialized || !modulus || !modulus_size)
+        goto exit_preinit;
+
+    mbedtls_pk_init(&ctx);
+    res = mbedtls_pk_parse_public_key(
+        &ctx, (const unsigned char*)pem_data, pem_size);
+    if (res != 0)
+    {
+        TRACE_ENCLAVE("mbedtls_pk_parse_public_key failed with %d\n", res);
+        goto exit;
+    }
+
+    pk_type = mbedtls_pk_get_type(&ctx);
+    if (pk_type != MBEDTLS_PK_RSA)
+    {
+        TRACE_ENCLAVE("mbedtls_pk_get_type had incorrect type: %d\n", res);
+        goto exit;
+    }
+
+    rsa_ctx = mbedtls_pk_rsa(ctx);
+    modulus_local_size = mbedtls_rsa_get_len(rsa_ctx);
+    modulus_local = (uint8_t*)malloc(modulus_local_size);
+    if (modulus_local == NULL)
+    {
+        TRACE_ENCLAVE(
+            "malloc for modulus failed with size %zu:\n", modulus_local_size);
+        goto exit;
+    }
+
+    res = mbedtls_rsa_export_raw(
+        rsa_ctx,
+        modulus_local,
+        modulus_local_size,
+        NULL,
+        0,
+        NULL,
+        0,
+        NULL,
+        0,
+        NULL,
+        0);
+    if (res != 0)
+    {
+        TRACE_ENCLAVE("mbedtls_rsa_export failed with %d\n", res);
+        goto exit;
+    }
+
+    *modulus = modulus_local;
+    *modulus_size = modulus_local_size;
+    modulus_local = NULL;
+    ret = true;
+
+exit:
+    if (modulus_local != NULL)
+        free(modulus_local);
+
+    mbedtls_pk_free(&ctx);
+
+exit_preinit:
+    return ret;
+}
diff --git a/samples/remote_attestation_wud/common/crypto.h b/samples/remote_attestation_wud/common/crypto.h
new file mode 100644
index 0000000000..8cba0faa9a
--- /dev/null
+++ b/samples/remote_attestation_wud/common/crypto.h
@@ -0,0 +1,103 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#ifndef OE_SAMPLES_ATTESTATION_ENC_CRYPTO_H
+#define OE_SAMPLES_ATTESTATION_ENC_CRYPTO_H
+
+#include <openenclave/enclave.h>
+// Includes for mbedtls shipped with oe.
+// Also add the following libraries to your linker command line:
+// -loeenclave -lmbedcrypto -lmbedtls -lmbedx509
+#include <mbedtls/config.h>
+#include <mbedtls/ctr_drbg.h>
+#include <mbedtls/entropy.h>
+#include <mbedtls/pk.h>
+#include <mbedtls/rsa.h>
+#include <mbedtls/sha256.h>
+#include "log.h"
+
+#define PUBLIC_KEY_SIZE 512
+
+class Crypto
+{
+  private:
+    mbedtls_ctr_drbg_context m_ctr_drbg_contex;
+    mbedtls_entropy_context m_entropy_context;
+    mbedtls_pk_context m_pk_context;
+    uint8_t m_public_key[512];
+    bool m_initialized;
+
+    // Public key of another enclave.
+    uint8_t m_other_enclave_pubkey[PUBLIC_KEY_SIZE];
+
+  public:
+    Crypto();
+    ~Crypto();
+
+    /**
+     * Get this enclave's own public key
+     */
+    void retrieve_public_key(uint8_t pem_public_key[512]);
+
+    /**
+     * Encrypt encrypts the given data using the given public key.
+     * Used to encrypt data using the public key of another enclave.
+     */
+    bool Encrypt(
+        const uint8_t* pem_public_key,
+        const uint8_t* data,
+        size_t size,
+        uint8_t* encrypted_data,
+        size_t* encrypted_data_size);
+
+    /**
+     * decrypt decrypts the given data using current enclave's private key.
+     * Used to receive encrypted data from another enclave.
+     */
+    bool decrypt(
+        const uint8_t* encrypted_data,
+        size_t encrypted_data_size,
+        uint8_t* data,
+        size_t* data_size);
+
+    /**
+     * get_rsa_modulus_from_pem returns the RSA modulus in big endian format
+     * from the public key PEM data. This is needed to verify the MRSIGNER
+     * of the other enclave, which ensures that the other enclave has been
+     * signed by the right key. MRSIGNER is the SHA256 hash of the modulus
+     * in little endian.
+     */
+    bool get_rsa_modulus_from_pem(
+        const char* pem_data,
+        size_t pem_size,
+        uint8_t** modulus,
+        size_t* modulus_size);
+
+    // Public key of another enclave.
+    uint8_t* get_the_other_enclave_public_key()
+    {
+        return m_other_enclave_pubkey;
+    }
+
+    /**
+     * Compute the sha256 hash of given data.
+     */
+    int Sha256(const uint8_t* data, size_t data_size, uint8_t sha256[32]);
+
+  private:
+    /**
+     * Crypto demonstrates use of mbedtls within the enclave to generate keys
+     * and perform encryption. In this sample, each enclave instance generates
+     * an ephemeral 2048-bit RSA key pair and shares the public key with the
+     * other instance. The other enclave instance then replies with data
+     * encrypted to the provided public key.
+     */
+
+    /** init_mbedtls initializes the crypto module.
+     */
+    bool init_mbedtls(void);
+
+    void cleanup_mbedtls(void);
+};
+
+#endif // OE_SAMPLES_ATTESTATION_ENC_CRYPTO_H
diff --git a/samples/remote_attestation_wud/common/dispatcher.cpp b/samples/remote_attestation_wud/common/dispatcher.cpp
new file mode 100644
index 0000000000..165cb9c9ae
--- /dev/null
+++ b/samples/remote_attestation_wud/common/dispatcher.cpp
@@ -0,0 +1,204 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include "dispatcher.h"
+#include <openenclave/enclave.h>
+
+// Public key corresponding to OE_DEBUG_SIGN_KEY
+const char EXPECTED_MRSIGNER_PUBKEY[] =
+    "-----BEGIN PUBLIC KEY-----\n"
+    "MIIBoDANBgkqhkiG9w0BAQEFAAOCAY0AMIIBiAKCAYEAukAt/kn+T5FG64MM2dDv\n"
+    "R26WSrDjGu8XDjYisFwBbktinVUFE05mFO9X1GDBlOqS8lqZuq8fhwm4lZFSc01i\n"
+    "m6LlLRp4l+EOAHkhfRl+y4SDPlLbJX2yl5DMJjjTbWLH+Wiu5BzzWZ85Z2tPeS8d\n"
+    "aMnisrv3ZuyVGl+aJPC3x1SCtL4G4yk5+svrGwYemefSBV8sLviVaPmRcmeBV2x6\n"
+    "BLUc8/jgVVt3L9e0fWM3wnb9o9ZxJoIoAX1bFwXRnuP6N2xezEpfSWLgK41scmsN\n"
+    "AkCmsp0WvoeiaD9nsOGfRxZnBpHbZBC0IyzTEPiOI+5NhRQ3QFbdy1kFuJxOoFiZ\n"
+    "4leKZOwLqG264HwPmiTTWA7XXhP4+d/osb4F4BaEXZ7+4EYfbo5yxbjngcVI1oNN\n"
+    "drCZIy9spWXxqfrG3XMfReWteVlYr6GLcbB5fNE8qm9AiX+fAyw5/ACajPAduKqU\n"
+    "+7Q7ZoMNReay/Zkj9VPCAHeGZzLG/MUOC3Xtdjo3IJ/BAgED\n"
+    "-----END PUBLIC KEY-----\n";
+
+size_t EXPECTED_MRSIGNER_PUBKEY_SIZE = OE_COUNTOF(EXPECTED_MRSIGNER_PUBKEY);
+
+ecall_dispatcher::ecall_dispatcher(
+    const char* name,
+    enclave_config_data_t* enclave_config)
+    : m_crypto(NULL), m_attestation(NULL)
+{
+    m_enclave_config = enclave_config;
+    m_initialized = initialize(name);
+}
+
+ecall_dispatcher::~ecall_dispatcher()
+{
+    if (m_crypto)
+        delete m_crypto;
+
+    if (m_attestation)
+        delete m_attestation;
+}
+
+bool ecall_dispatcher::initialize(const char* name)
+{
+    bool ret = false;
+    uint8_t* modulus = NULL;
+    size_t modulus_size;
+
+    m_name = name;
+    m_crypto = new Crypto();
+    if (m_crypto == NULL)
+    {
+        goto exit;
+    }
+
+    // Extract modulus from raw PEM.
+    if (!m_crypto->get_rsa_modulus_from_pem(
+            // m_enclave_config->other_enclave_pubkey_pem,
+            // m_enclave_config->other_enclave_pubkey_pem_size,
+
+            // The expected MRSIGNER is the public key corresponding to
+            // the extended attestation re-signer (debug key in this example)
+            EXPECTED_MRSIGNER_PUBKEY,
+            EXPECTED_MRSIGNER_PUBKEY_SIZE,
+            &modulus,
+            &modulus_size))
+    {
+        goto exit;
+    }
+
+    // Reverse the modulus and compute sha256 on it.
+    for (size_t i = 0; i < modulus_size / 2; i++)
+    {
+        uint8_t tmp = modulus[i];
+        modulus[i] = modulus[modulus_size - 1 - i];
+        modulus[modulus_size - 1 - i] = tmp;
+    }
+
+    // Calculate the MRSIGNER value which is the SHA256 hash of the
+    // little endian representation of the public key modulus. This value
+    // is populated by the signer_id sub-field of a parsed oe_report_t's
+    // identity field.
+    if (m_crypto->Sha256(modulus, modulus_size, m_other_enclave_mrsigner) != 0)
+    {
+        goto exit;
+    }
+
+    m_attestation = new Attestation(m_crypto, m_other_enclave_mrsigner);
+    if (m_attestation == NULL)
+    {
+        goto exit;
+    }
+    ret = true;
+
+exit:
+    if (modulus != NULL)
+        free(modulus);
+
+    return ret;
+}
+
+/**
+ * Return the public key of this enclave along with the enclave's remote report.
+ * The enclave that receives the key will use the remote report to attest this
+ * enclave.
+ */
+int ecall_dispatcher::get_remote_report_with_pubkey(
+    uint8_t** pem_key,
+    size_t* key_size,
+    uint8_t** remote_report,
+    size_t* remote_report_size)
+{
+    uint8_t pem_public_key[512];
+    uint8_t* report = NULL;
+    size_t report_size = 0;
+    uint8_t* key_buf = NULL;
+    int ret = 1;
+
+    TRACE_ENCLAVE("get_remote_report_with_pubkey");
+    if (m_initialized == false)
+    {
+        TRACE_ENCLAVE("ecall_dispatcher initialization failed.");
+        goto exit;
+    }
+
+    m_crypto->retrieve_public_key(pem_public_key);
+
+    // Generate a remote report for the public key so that the enclave that
+    // receives the key can attest this enclave.
+    if (m_attestation->generate_remote_report(
+            pem_public_key, sizeof(pem_public_key), &report, &report_size))
+    {
+        // Allocate memory on the host and copy the report over.
+        *remote_report = (uint8_t*)oe_host_malloc(report_size);
+        if (*remote_report == NULL)
+        {
+            ret = OE_OUT_OF_MEMORY;
+            goto exit;
+        }
+        memcpy(*remote_report, report, report_size);
+        *remote_report_size = report_size;
+        oe_free_report(report);
+
+        key_buf = (uint8_t*)oe_host_malloc(512);
+        if (key_buf == NULL)
+        {
+            ret = OE_OUT_OF_MEMORY;
+            goto exit;
+        }
+        memcpy(key_buf, pem_public_key, sizeof(pem_public_key));
+
+        *pem_key = key_buf;
+        *key_size = sizeof(pem_public_key);
+
+        ret = 0;
+        TRACE_ENCLAVE("get_remote_report_with_pubkey succeeded");
+    }
+    else
+    {
+        TRACE_ENCLAVE("get_remote_report_with_pubkey failed.");
+    }
+
+exit:
+    if (ret != 0)
+    {
+        if (report)
+            oe_free_report(report);
+        if (key_buf)
+            oe_host_free(key_buf);
+        if (*remote_report)
+            oe_host_free(*remote_report);
+    }
+    return ret;
+}
+
+int ecall_dispatcher::verify_report_and_set_pubkey(
+    uint8_t* pem_key,
+    size_t key_size,
+    uint8_t* remote_report,
+    size_t remote_report_size)
+{
+    int ret = 1;
+
+    if (m_initialized == false)
+    {
+        TRACE_ENCLAVE("ecall_dispatcher initialization failed.");
+        goto exit;
+    }
+
+    // Attest the remote report and accompanying key.
+    if (m_attestation->attest_remote_report(
+            remote_report, remote_report_size, pem_key, key_size))
+    {
+        memcpy(m_crypto->get_the_other_enclave_public_key(), pem_key, key_size);
+    }
+    else
+    {
+        TRACE_ENCLAVE("verify_report_and_set_pubkey failed.");
+        goto exit;
+    }
+    ret = 0;
+    TRACE_ENCLAVE("verify_report_and_set_pubkey succeeded.");
+
+exit:
+    return ret;
+}
diff --git a/samples/remote_attestation_wud/common/dispatcher.h b/samples/remote_attestation_wud/common/dispatcher.h
new file mode 100644
index 0000000000..8ab7151588
--- /dev/null
+++ b/samples/remote_attestation_wud/common/dispatcher.h
@@ -0,0 +1,45 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#pragma once
+#include <openenclave/enclave.h>
+#include <string>
+#include "attestation.h"
+#include "crypto.h"
+
+using namespace std;
+
+typedef struct _enclave_config_data
+{
+    uint8_t* enclave_secret_data;
+    const char* other_enclave_pubkey_pem;
+    size_t other_enclave_pubkey_pem_size;
+} enclave_config_data_t;
+
+class ecall_dispatcher
+{
+  private:
+    bool m_initialized;
+    Crypto* m_crypto;
+    Attestation* m_attestation;
+    string m_name;
+    enclave_config_data_t* m_enclave_config;
+    unsigned char m_other_enclave_mrsigner[32];
+
+  public:
+    ecall_dispatcher(const char* name, enclave_config_data_t* enclave_config);
+    ~ecall_dispatcher();
+    int get_remote_report_with_pubkey(
+        uint8_t** pem_key,
+        size_t* key_size,
+        uint8_t** remote_report,
+        size_t* remote_report_size);
+    int verify_report_and_set_pubkey(
+        uint8_t* pem_key,
+        size_t key_size,
+        uint8_t* remote_report,
+        size_t remote_report_size);
+
+  private:
+    bool initialize(const char* name);
+};
diff --git a/samples/remote_attestation_wud/common/log.h b/samples/remote_attestation_wud/common/log.h
new file mode 100644
index 0000000000..507dcd8b81
--- /dev/null
+++ b/samples/remote_attestation_wud/common/log.h
@@ -0,0 +1,13 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#ifndef OE_SAMPLES_ATTESTATION_ENC_LOG_H
+#define OE_SAMPLES_ATTESTATION_ENC_LOG_H
+
+#include <stdio.h>
+
+#define TRACE_ENCLAVE(fmt, ...) \
+                                \
+    printf("Enclave: ***%s(%d): " fmt "\n", __FILE__, __LINE__, ##__VA_ARGS__)
+
+#endif // OE_SAMPLES_ATTESTATION_ENC_LOG_H
diff --git a/samples/remote_attestation_wud/enclave_a/CMakeLists.txt b/samples/remote_attestation_wud/enclave_a/CMakeLists.txt
new file mode 100644
index 0000000000..c63833ed70
--- /dev/null
+++ b/samples/remote_attestation_wud/enclave_a/CMakeLists.txt
@@ -0,0 +1,31 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+# Generate header with public key of enclave B (2)
+add_custom_command(OUTPUT enclave_b_pubkey.h
+  DEPENDS public_key_b ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
+  COMMAND ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh enclave_b_pubkey.h ${CMAKE_BINARY_DIR}/enclave_b/public_b.pem)
+
+add_executable(enclave_a ecalls.cpp ${CMAKE_CURRENT_BINARY_DIR}/enclave_b_pubkey.h)
+
+if(WIN32)
+  maybe_build_using_clangw(enclave_a)
+endif()
+
+target_include_directories(enclave_a PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+
+target_link_libraries(enclave_a common)
+
+# Generate key A
+add_custom_command(OUTPUT private_a.pem public_a.pem
+  COMMAND openssl genrsa -out private_a.pem -3 3072
+  COMMAND openssl rsa -in private_a.pem -pubout -out public_a.pem)
+
+add_custom_target(public_key_a DEPENDS public_a.pem)
+
+# Sign enclave A with key A
+add_custom_command(OUTPUT enclave_a.signed
+  DEPENDS enclave_a enc.conf private_a.pem
+  COMMAND openenclave::oesign sign -e $<TARGET_FILE:enclave_a> -c ${CMAKE_CURRENT_SOURCE_DIR}/enc.conf -k private_a.pem)
+
+add_custom_target(enclave_a_signed ALL DEPENDS enclave_a.signed)
diff --git a/samples/remote_attestation_wud/enclave_a/Makefile b/samples/remote_attestation_wud/enclave_a/Makefile
new file mode 100644
index 0000000000..bb6cf7daf3
--- /dev/null
+++ b/samples/remote_attestation_wud/enclave_a/Makefile
@@ -0,0 +1,57 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+# Detect C and C++ compiler options
+# if not gcc and g++, default to clang-7
+C_COMPILER=$(notdir $(CC))
+ifeq ($(C_COMPILER), gcc)
+        CXX_COMPILER=$(notdir $(CXX))
+        USE_GCC = true
+endif
+
+ifeq ($(USE_GCC),)
+        CC = clang-7
+        CXX = clang++-7
+        C_COMPILER=clang
+        CXX_COMPILER=clang++
+endif
+
+CFLAGS=$(shell pkg-config oeenclave-$(C_COMPILER) --cflags)
+CXXFLAGS=$(shell pkg-config oeenclave-$(CXX_COMPILER) --cflags)
+LDFLAGS=$(shell pkg-config oeenclave-$(CXX_COMPILER) --libs)
+
+all:
+	$(MAKE) genkey
+	$(MAKE) -C ../enclave_b genkey
+	$(MAKE) build
+	$(MAKE) sign
+
+private.pem:
+	openssl genrsa -out $@ -3 3072
+
+public.pem: private.pem
+	openssl rsa -in $< -out $@ -pubout
+
+# The enclaves in the sample will check if the other enclave is signed
+# with the expected key. Since this sample builds both enclaves, we can
+# inject the expected public keys at build time.
+#
+# If the other public key isn't known, then we would have to load the
+# public key from the host. We can't simply load the raw public key since
+# a malicious host might change it. So, we would need to load a certicate
+# that contains the expected public key that is signed by a trusted CA.
+genkey: public.pem
+	../gen_pubkey_header.sh ../enclave_b/enclave_a_pubkey.h $<
+
+build:
+	@ echo "Compilers used: $(CC), $(CXX)"
+	oeedger8r ../remoteattestation.edl --trusted --trusted-dir ../common
+	$(CXX) -g -c $(CXXFLAGS) $(INCLUDES) -I.. -std=c++11 -DOE_API_VERSION=2 ecalls.cpp ../common/attestation.cpp ../common/crypto.cpp ../common/dispatcher.cpp
+	$(CC) -g -c $(CFLAGS) $(CINCLUDES) -I.. -DOE_API_VERSION=2 ../common/remoteattestation_t.c
+	$(CXX) -o enclave_a attestation.o crypto.o ecalls.o dispatcher.o remoteattestation_t.o $(LDFLAGS)
+
+sign:
+	oesign sign -e enclave_a -c enc.conf -k private.pem
+
+clean:
+	rm -f *.o enclave_a enclave_a.signed ../common/remoteattestation_t.* ../common/remoteattestation_args.h *.pem enclave_b_pubkey.h
diff --git a/samples/remote_attestation_wud/enclave_a/ecalls.cpp b/samples/remote_attestation_wud/enclave_a/ecalls.cpp
new file mode 100644
index 0000000000..e3b953a895
--- /dev/null
+++ b/samples/remote_attestation_wud/enclave_a/ecalls.cpp
@@ -0,0 +1,57 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+#include <common/dispatcher.h>
+#include <common/remoteattestation_t.h>
+#include <openenclave/enclave.h>
+#include "enclave_b_pubkey.h"
+
+// For this purpose of this example: demonstrating how to do remote attestation
+// g_enclave_secret_data is hardcoded as part of the enclave. In this sample,
+// the secret data is hard coded as part of the enclave binary. In a real world
+// enclave implementation, secrets are never hard coded in the enclave binary
+// since the enclave binary itself is not encrypted. Instead, secrets are
+// acquired via provisioning from a service (such as a cloud server) after
+// successful attestation.
+// The g_enclave_secret_data holds the secret data specific to the holding
+// enclave, it's only visible inside this secured enclave. Arbitrary enclave
+// specific secret data exchanged by the enclaves. In this sample, the first
+// enclave sends its g_enclave_secret_data (encrypted) to the second enclave.
+// The second enclave decrypts the received data and adds it to its own
+// g_enclave_secret_data, and sends it back to the other enclave.
+uint8_t g_enclave_secret_data[ENCLAVE_SECRET_DATA_SIZE] =
+    {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
+
+enclave_config_data_t config_data = {g_enclave_secret_data,
+                                     OTHER_ENCLAVE_PUBLIC_KEY,
+                                     sizeof(OTHER_ENCLAVE_PUBLIC_KEY)};
+
+// Declare a static dispatcher object for enabling
+// for better organizing enclave-wise global variables
+static ecall_dispatcher dispatcher("Enclave1", &config_data);
+const char* enclave_name = "Enclave1";
+/**
+ * Return the public key of this enclave along with the enclave's remote report.
+ * Another enclave can use the remote report to attest the enclave and verify
+ * the integrity of the public key.
+ */
+int get_remote_report_with_pubkey(
+    uint8_t** pem_key,
+    size_t* key_size,
+    uint8_t** remote_report,
+    size_t* remote_report_size)
+{
+    TRACE_ENCLAVE("enter get_remote_report_with_pubkey");
+    return dispatcher.get_remote_report_with_pubkey(
+        pem_key, key_size, remote_report, remote_report_size);
+}
+
+// Attest and store the public key of another enclave.
+int verify_report_and_set_pubkey(
+    uint8_t* pem_key,
+    size_t key_size,
+    uint8_t* remote_report,
+    size_t remote_report_size)
+{
+    return dispatcher.verify_report_and_set_pubkey(
+        pem_key, key_size, remote_report, remote_report_size);
+}
diff --git a/samples/remote_attestation_wud/enclave_a/enc.conf b/samples/remote_attestation_wud/enclave_a/enc.conf
new file mode 100644
index 0000000000..c6af0590eb
--- /dev/null
+++ b/samples/remote_attestation_wud/enclave_a/enc.conf
@@ -0,0 +1,10 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+# Enclave settings:
+Debug=1
+NumHeapPages=1024
+NumStackPages=1024
+NumTCS=2
+ProductID=1
+SecurityVersion=1
diff --git a/samples/remote_attestation_wud/enclave_b/CMakeLists.txt b/samples/remote_attestation_wud/enclave_b/CMakeLists.txt
new file mode 100644
index 0000000000..182425d0c0
--- /dev/null
+++ b/samples/remote_attestation_wud/enclave_b/CMakeLists.txt
@@ -0,0 +1,31 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+# Generate header with public key of enclave A
+add_custom_command(OUTPUT enclave_a_pubkey.h
+  DEPENDS public_key_a ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh
+  COMMAND ${CMAKE_SOURCE_DIR}/gen_pubkey_header.sh enclave_a_pubkey.h ${CMAKE_BINARY_DIR}/enclave_a/public_a.pem)
+
+add_executable(enclave_b ecalls.cpp ${CMAKE_CURRENT_BINARY_DIR}/enclave_a_pubkey.h)
+
+if(WIN32)
+  maybe_build_using_clangw(enclave_b)
+endif()
+
+target_include_directories(enclave_b PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
+
+target_link_libraries(enclave_b common)
+
+# Generate key B
+add_custom_command(OUTPUT private_b.pem public_b.pem
+  COMMAND openssl genrsa -out private_b.pem -3 3072
+  COMMAND openssl rsa -in private_b.pem -pubout -out public_b.pem)
+
+add_custom_target(public_key_b DEPENDS public_b.pem)
+
+# Sign enclave B with key B
+add_custom_command(OUTPUT enclave_b.signed
+  DEPENDS enclave_b enc.conf private_b.pem
+  COMMAND openenclave::oesign sign -e $<TARGET_FILE:enclave_b> -c ${CMAKE_CURRENT_SOURCE_DIR}/enc.conf -k private_b.pem)
+
+add_custom_target(enclave_b_signed ALL DEPENDS enclave_b.signed)
diff --git a/samples/remote_attestation_wud/enclave_b/Makefile b/samples/remote_attestation_wud/enclave_b/Makefile
new file mode 100644
index 0000000000..d4b0a566e5
--- /dev/null
+++ b/samples/remote_attestation_wud/enclave_b/Makefile
@@ -0,0 +1,56 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+# Detect C and C++ compiler options
+# if not gcc and g++, default to clang-7
+C_COMPILER=$(notdir $(CC))
+ifeq ($(C_COMPILER), gcc)
+        CXX_COMPILER=$(notdir $(CXX))
+        USE_GCC = true
+endif
+
+ifeq ($(USE_GCC),)
+        CC = clang-7
+        CXX = clang++-7
+        C_COMPILER=clang
+        CXX_COMPILER=clang++
+endif
+
+CFLAGS=$(shell pkg-config oeenclave-$(C_COMPILER) --cflags)
+CXXFLAGS=$(shell pkg-config oeenclave-$(CXX_COMPILER) --cflags)
+LDFLAGS=$(shell pkg-config oeenclave-$(CXX_COMPILER) --libs)
+
+all:
+	$(MAKE) genkey
+	$(MAKE) -C ../enclave_a genkey
+	$(MAKE) build
+	$(MAKE) sign
+
+private.pem:
+	openssl genrsa -out $@ -3 3072
+
+public.pem: private.pem
+	openssl rsa -in $< -out $@ -pubout
+
+# The enclaves in the sample will check if the other enclave is signed
+# with the expected key. Since this sample builds both enclaves, we can
+# inject the expected public keys at build time.
+#
+# If the other public key isn't known, then we would have to load the
+# public key from the host. We can't simply load the raw public key since
+# a malicious host might change it. So, we would need to load a certicate
+# that contains the expected public key that is signed by a trusted CA.
+genkey: public.pem
+	../gen_pubkey_header.sh ../enclave_a/enclave_b_pubkey.h $<
+
+build:
+	@ echo "Compilers used: $(CC), $(CXX)"
+	$(CXX) -g -c $(CXXFLAGS) $(INCLUDES) -I.. -std=c++11 -DOE_API_VERSION=2 ecalls.cpp ../common/attestation.cpp ../common/crypto.cpp ../common/dispatcher.cpp
+	$(CC) -g -c $(CFLAGS) $(CINCLUDES) -I.. -DOE_API_VERSION=2 ../common/remoteattestation_t.c
+	$(CXX) -o enclave_b attestation.o crypto.o ecalls.o dispatcher.o remoteattestation_t.o $(LDFLAGS)
+
+sign:
+	oesign sign -e enclave_b -c enc.conf -k private.pem
+
+clean:
+	rm -f *.o enclave_b enclave_b.signed ../common/remoteattestation_t.* ../common/remoteattestation_args.h *.pem enclave_a_pubkey.h
\ No newline at end of file
diff --git a/samples/remote_attestation_wud/enclave_b/ecalls.cpp b/samples/remote_attestation_wud/enclave_b/ecalls.cpp
new file mode 100644
index 0000000000..216a44d2d9
--- /dev/null
+++ b/samples/remote_attestation_wud/enclave_b/ecalls.cpp
@@ -0,0 +1,57 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+#include <common/dispatcher.h>
+#include <common/remoteattestation_t.h>
+#include <openenclave/enclave.h>
+#include "enclave_a_pubkey.h"
+
+// For this purpose of this example: demonstrating how to do remote attestation
+// g_enclave_secret_data is hardcoded as part of the enclave. In this sample,
+// the secret data is hard coded as part of the enclave binary. In a real world
+// enclave implementation, secrets are never hard coded in the enclave binary
+// since the enclave binary itself is not encrypted. Instead, secrets are
+// acquired via provisioning from a service (such as a cloud server) after
+// successful attestation.
+// This g_enclave_secret_data holds the secret data specific to the holding
+// enclave, it's only visible inside this secured enclave. Arbitrary enclave
+// specific secret data exchanged by the enclaves. In this sample, the first
+// enclave sends its g_enclave_secret_data (encrypted) to the second enclave.
+// The second enclave decrypts the received data and adds it to its own
+// g_enclave_secret_data, and sends it back to the other enclave.
+uint8_t g_enclave_secret_data[ENCLAVE_SECRET_DATA_SIZE] =
+    {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
+
+enclave_config_data_t config_data = {g_enclave_secret_data,
+                                     OTHER_ENCLAVE_PUBLIC_KEY,
+                                     sizeof(OTHER_ENCLAVE_PUBLIC_KEY)};
+
+// Declare a static dispatcher object for enabling
+// for better organizing enclave-wise global variables
+static ecall_dispatcher dispatcher("Enclave2", &config_data);
+const char* enclave_name = "Enclave2";
+
+/**
+ * Return the public key of this enclave along with the enclave's remote report.
+ * Another enclave can use the remote report to attest the enclave and verify
+ * the integrity of the public key.
+ */
+int get_remote_report_with_pubkey(
+    uint8_t** pem_key,
+    size_t* key_size,
+    uint8_t** remote_report,
+    size_t* remote_report_size)
+{
+    return dispatcher.get_remote_report_with_pubkey(
+        pem_key, key_size, remote_report, remote_report_size);
+}
+
+// Attest and store the public key of another enclave.
+int verify_report_and_set_pubkey(
+    uint8_t* pem_key,
+    size_t key_size,
+    uint8_t* remote_report,
+    size_t remote_report_size)
+{
+    return dispatcher.verify_report_and_set_pubkey(
+        pem_key, key_size, remote_report, remote_report_size);
+}
diff --git a/samples/remote_attestation_wud/enclave_b/enc.conf b/samples/remote_attestation_wud/enclave_b/enc.conf
new file mode 100644
index 0000000000..c6af0590eb
--- /dev/null
+++ b/samples/remote_attestation_wud/enclave_b/enc.conf
@@ -0,0 +1,10 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+# Enclave settings:
+Debug=1
+NumHeapPages=1024
+NumStackPages=1024
+NumTCS=2
+ProductID=1
+SecurityVersion=1
diff --git a/samples/remote_attestation_wud/gen_pubkey_header.sh b/samples/remote_attestation_wud/gen_pubkey_header.sh
new file mode 100755
index 0000000000..d6ac4ffb30
--- /dev/null
+++ b/samples/remote_attestation_wud/gen_pubkey_header.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+destfile="$1"
+pubkey_file="$2"
+
+cat > "$destfile" << EOF
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#ifndef SAMPLES_REMOTE_ATTESTATION_PUBKEY_H
+#define SAMPLES_REMOTE_ATTESTATION_PUBKEY_H
+
+EOF
+
+printf 'static const char OTHER_ENCLAVE_PUBLIC_KEY[] =' >> "$destfile"
+while IFS="" read -r p || [ -n "$p" ]
+do
+    # Sometimes openssl can insert carriage returns into the PEM files. Let's remove those!
+    CR=$(printf "\r")
+    p=$(echo "$p" | tr -d "$CR")
+    printf '\n    \"%s\\n\"' "$p" >> "$destfile"
+done < "$pubkey_file"
+printf ';\n' >> "$destfile"
+
+cat >> "$destfile" << EOF
+
+#endif /* SAMPLES_REMOTE_ATTESTATION_PUBKEY_H */
+EOF
diff --git a/samples/remote_attestation_wud/host/CMakeLists.txt b/samples/remote_attestation_wud/host/CMakeLists.txt
new file mode 100644
index 0000000000..5369024603
--- /dev/null
+++ b/samples/remote_attestation_wud/host/CMakeLists.txt
@@ -0,0 +1,20 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+add_custom_command(OUTPUT remoteattestation_u.h remoteattestation_u.c remoteattestation_args.h
+  DEPENDS ${CMAKE_SOURCE_DIR}/remoteattestation.edl
+  COMMAND openenclave::oeedger8r --untrusted ${CMAKE_SOURCE_DIR}/remoteattestation.edl)
+
+add_executable(remote_attestation_host host.cpp ${CMAKE_CURRENT_BINARY_DIR}/remoteattestation_u.c)
+target_include_directories(remote_attestation_host PRIVATE
+  ${CMAKE_CURRENT_SOURCE_DIR}/../ # For common/shared.h
+  ${CMAKE_CURRENT_BINARY_DIR})
+
+if(WIN32)
+  add_dcap_client_target(remote_attestation_dcap_target)
+  add_dependencies(remote_attestation_host remote_attestation_dcap_target)
+  copy_oedebugrt_target(remote_attestation_oedebugrt_target)
+  add_dependencies(remote_attestation_host remote_attestation_oedebugrt_target)
+endif()
+
+target_link_libraries(remote_attestation_host openenclave::oehostapp)
diff --git a/samples/remote_attestation_wud/host/Makefile b/samples/remote_attestation_wud/host/Makefile
new file mode 100644
index 0000000000..c4d906561d
--- /dev/null
+++ b/samples/remote_attestation_wud/host/Makefile
@@ -0,0 +1,33 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+# Detect C and C++ compiler options
+# if not gcc and g++, default to clang-7
+C_COMPILER=$(notdir $(CC))
+ifeq ($(C_COMPILER), gcc)
+        CXX_COMPILER=$(notdir $(CXX))
+        USE_GCC = true
+endif
+
+ifeq ($(USE_GCC),)
+        CC = clang-7
+        CXX = clang++-7
+        C_COMPILER=clang
+        CXX_COMPILER=clang++
+endif
+
+CFLAGS=$(shell pkg-config oehost-$(C_COMPILER) --cflags)
+CXXFLAGS=$(shell pkg-config oehost-$(CXX_COMPILER) --cflags)
+LDFLAGS=$(shell pkg-config oehost-$(CXX_COMPILER) --libs)
+
+all: build
+
+build:
+	@ echo "Compilers used: $(CC), $(CXX)"
+	oeedger8r ../remoteattestation.edl --untrusted
+	$(CC) -g -c $(CFLAGS) $(CINCLUDES) remoteattestation_u.c
+	$(CXX) -g -c $(CXXFLAGS) $(INCLUDES) host.cpp
+	$(CXX) -o attestation_host host.o remoteattestation_u.o $(LDFLAGS)
+
+clean:
+	rm -f attestation_host *.o remoteattestation_u.*  remoteattestation_args.h
\ No newline at end of file
diff --git a/samples/remote_attestation_wud/host/host.cpp b/samples/remote_attestation_wud/host/host.cpp
new file mode 100644
index 0000000000..e6e169ec1b
--- /dev/null
+++ b/samples/remote_attestation_wud/host/host.cpp
@@ -0,0 +1,199 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <openenclave/host.h>
+#include <stdio.h>
+#include "remoteattestation_u.h"
+
+oe_enclave_t* create_enclave(
+    const char* enclave_path,
+    uint8_t* user_data,
+    uint32_t user_data_size)
+{
+    oe_enclave_t* enclave = NULL;
+
+    printf("Host: Enclave library %s\n", enclave_path);
+    oe_result_t result = oe_create_remoteattestation_enclave_wud(
+        enclave_path,
+        OE_ENCLAVE_TYPE_SGX,
+        OE_ENCLAVE_FLAG_DEBUG,
+        NULL,
+        0,
+        user_data,
+        user_data_size,
+        &enclave);
+
+    if (result != OE_OK)
+    {
+        printf(
+            "Host: oe_create_remoteattestation_enclave failed. %s",
+            oe_result_str(result));
+    }
+    else
+    {
+        printf("Host: Enclave successfully created.\n");
+    }
+    return enclave;
+}
+
+void terminate_enclave(oe_enclave_t* enclave)
+{
+    oe_terminate_enclave(enclave);
+    printf("Host: Enclave successfully terminated.\n");
+}
+
+int main(int argc, const char* argv[])
+{
+    oe_enclave_t* enclave_a = NULL;
+    oe_enclave_t* enclave_b = NULL;
+    uint8_t* encrypted_msg = NULL;
+    size_t encrypted_msg_size = 0;
+    oe_result_t result = OE_OK;
+    int ret = 1;
+    uint8_t* pem_key = NULL;
+    size_t pem_key_size = 0;
+    uint8_t* remote_report = NULL;
+    size_t remote_report_size = 0;
+
+    uint32_t user_data_size = 512;
+    uint8_t user_data_a[user_data_size], user_data_b[user_data_size];
+
+    for (size_t i = 0; i < user_data_size; i++)
+    {
+        user_data_a[i] = i;
+        user_data_b[i] = user_data_size - i - 1;
+    }
+
+    /* Check argument count */
+    if (argc != 3)
+    {
+        printf("Usage: %s ENCLAVE_PATH\n", argv[0]);
+        return 1;
+    }
+
+    printf("Host: Creating two enclaves\n");
+    enclave_a = create_enclave(argv[1], user_data_a, user_data_size);
+    if (enclave_a == NULL)
+    {
+        goto exit;
+    }
+    enclave_b = create_enclave(argv[2], user_data_b, user_data_size);
+    if (enclave_b == NULL)
+    {
+        goto exit;
+    }
+
+    printf("Host: requesting a remote report and the encryption key from 1st "
+           "enclave\n");
+    result = get_remote_report_with_pubkey(
+        enclave_a,
+        &ret,
+        &pem_key,
+        &pem_key_size,
+        &remote_report,
+        &remote_report_size);
+    if ((result != OE_OK) || (ret != 0))
+    {
+        printf(
+            "Host: verify_report_and_set_pubkey failed. %s",
+            oe_result_str(result));
+        if (ret == 0)
+            ret = 1;
+        goto exit;
+    }
+    printf("Host: 1st enclave's public key: \n%s", pem_key);
+
+    printf("Host: requesting 2nd enclave to attest 1st enclave's the remote "
+           "report and the public key\n");
+    result = verify_report_and_set_pubkey(
+        enclave_b,
+        &ret,
+        pem_key,
+        pem_key_size,
+        remote_report,
+        remote_report_size);
+    if ((result != OE_OK) || (ret != 0))
+    {
+        printf(
+            "Host: verify_report_and_set_pubkey failed. %s",
+            oe_result_str(result));
+        if (ret == 0)
+            ret = 1;
+        goto exit;
+    }
+    free(pem_key);
+    pem_key = NULL;
+    free(remote_report);
+    remote_report = NULL;
+
+    printf("Host: Requesting a remote report and the encryption key from "
+           "2nd enclave=====\n");
+    result = get_remote_report_with_pubkey(
+        enclave_b,
+        &ret,
+        &pem_key,
+        &pem_key_size,
+        &remote_report,
+        &remote_report_size);
+    if ((result != OE_OK) || (ret != 0))
+    {
+        printf(
+            "Host: verify_report_and_set_pubkey failed. %s",
+            oe_result_str(result));
+        if (ret == 0)
+            ret = 1;
+        goto exit;
+    }
+
+    printf("Host: 2nd enclave's public key: \n%s", pem_key);
+
+    printf("Host: Requesting first enclave to attest 2nd enclave's "
+           "remote report and the public key=====\n");
+    result = verify_report_and_set_pubkey(
+        enclave_a,
+        &ret,
+        pem_key,
+        pem_key_size,
+        remote_report,
+        remote_report_size);
+    if ((result != OE_OK) || (ret != 0))
+    {
+        printf(
+            "Host: verify_report_and_set_pubkey failed. %s",
+            oe_result_str(result));
+        if (ret == 0)
+            ret = 1;
+        goto exit;
+    }
+    free(pem_key);
+    pem_key = NULL;
+    free(remote_report);
+    remote_report = NULL;
+
+    printf("Host: Remote attestation Succeeded\n");
+
+    // Free host memory allocated by the enclave.
+    free(encrypted_msg);
+    encrypted_msg = NULL;
+    ret = 0;
+
+exit:
+    if (pem_key)
+        free(pem_key);
+
+    if (remote_report)
+        free(remote_report);
+
+    if (encrypted_msg != NULL)
+        free(encrypted_msg);
+
+    printf("Host: Terminating enclaves\n");
+    if (enclave_a)
+        terminate_enclave(enclave_a);
+
+    if (enclave_b)
+        terminate_enclave(enclave_b);
+
+    printf("Host:  %s \n", (ret == 0) ? "succeeded" : "failed");
+    return ret;
+}
diff --git a/samples/remote_attestation_wud/images/attestationsample.png b/samples/remote_attestation_wud/images/attestationsample.png
new file mode 100644
index 0000000000000000000000000000000000000000..a6a96960ef0b5686ea84ed16183390a755b154fb
GIT binary patch
literal 24098
zcmZ^LWmuGL*RGVLbR#u%NOwxNz|hhy2-4Es-Cfe%N(h3|NQVN_-QB$}zS!@dy`ST7
z9;um|d)BqqS<7&hcQUU~h*4g=c=1Y3RucN+1xz*gLy80oJ~KCfix2(>;{=rve^EX1
zdIx*}Zz-lE_ToidEb6^60{9r&URKBH#S8SV=RYugcBN)7Ug$T;Ns6hv860FIXGQ;c
z>O10S^&V(9Qy7?lP{(6F+{VkwtBWSz7D+uM<J-!Y1$_{ED6Gd7Pncq5XuYpjOF`qj
z^k&=3_B?ue5L&YQG)-t4;%Rv}<h4}Ox0ZF5b-+K$pL_POXuEGvGhMuncye-rh(Q(=
z6VtdFk-v^C6H8|Mr#u;N;B67xQdneUg-V{dx_T0x7A}qQOuf0n!|g?t>`U}LUz*Xn
zxdSUJD@{q&q_)nr6KzUSb(FJLg_xCL`Sdpt@_G66|9L<u#bu1h|DT5tTmu}Ygg?5E
z{P&pjv-S7Qe);s45=Ct5vT}0#4y!?U0~E7CZ_)pZeQJ6-9b|Rd9I6ACW)>-L{J}rS
z`)ruEO1J58C6xSiOh@iW7#3A;4CzN7Y<3xPDeAe^p2)3{?2kQoQUmzOopEr9$JZxo
zU7;AF9_RF`>~I+5BKzbQp}4-XSS?ZDzwq#Qv|Uyv`O8w=5KM?MOKOFF>u2tde_snY
zmljI6xw&a;6T)B#YIpcNB+w|Jzvg?(kPF*+c`zrZEGzpK(L0@;4F?A&^^LAHgPf{^
zI<BueiUfMoT=edb%YPqH30UqoQVmsj_X3df8$V80i+JD08P7L6xGuO%Z{_;3RC6IL
zd7TZ1lKZ5c6Bv3qZ2V3>ZQz}%{j~7i^RQ(r5JQAe$nE&2Kb#sA%Arv~FZKGtJj2WM
z>Tsb*KABN9KL~Gh`Qd8Gu+F5XP%e>HG3~gAz;Gy&7emT(Gu^WG)WCfsd1`9P;D^Vb
z8p9`WDZK~=-<_?V9v}K*$(Jg18dy8-Pk&r3W^$OzSH1t%Xgl}$YQc5MZ7sSh<dxv(
zeeI*gA4jc6?PS6pg(W3U?Heh&WNyna6~a9jjX0H#m&p1Ad5V&fK~GFOEgP|-kInn_
zgO#!`Z~M=po#ZKFi#@LnwG6#4P+8lS6FZ+Cj(n9xZr0~poEVsH*x{HoE3bDeYVy6O
z4Sj`G<$ND5rZGqbg7|#ECD{GA_$zqSCJ|h^MVIRpaHsf?pmg%<+GeSpl+;-uTQdRM
zqgG2wO6pIkYT%ZO&qy>V4TpCO)I*#S%k8(jOw1x^_=WZ(S^U=>rI}_gv17@E1w78T
zV@L(_6S4(dPThp|)2U=)z@^YZuV*cD9WF9HR{x?l+oh(X<F)<g{L>Fc)13zHZzuSP
z-KjFup5(Y7tJeesTCJZCe#+;yYZ6Wz|GYil31rPmNujmNG<rcM>hrqc9mmhbAD&EF
z)rv1fi8<r^uF(rgQf(VSO{!V%&(zHXlKbAXLn6_4=V*2Es~xrjl_)sx@12iro~y4O
z35(%USk7OD+&c-kQrt^7UrWzHDi{SX1f4V^Elu_@*XPy>ye|viUDlv;jkZ{VJc<)_
zOk1P5tWxj4SqFPKhFh0egA%H%tMkv64t`0R0s%*+-``=&lN56U1p~wP@n%a79;(7C
zWSF%Fio%#}^=6e~y2g<FW^cNNJm(0MLZq^==jFccrxqy@tuQ%0o0(dx$>IfvKGGka
zS7huaLG6K+^yw<D6ia+_AA?KYWjnU$6)B|RTPktwZI2gx$oJh8eY~dP=Kcn1_`2g1
zlV%H4RYF1nF^^3cxtO0vA$IvfySJdh=N}#yV`_%O5g5H@;J||FuZvNn@A|sbWJex5
z5V1w(JxBeOFB6yXCRpCspF$Q|ieCTU4Fwm!);icG9~+-TDw2;eI07pBvxcBPD!^BJ
zAgEn4&2IZ+aNf(0dCTpZ&9-xmH64!v92^`%LPC_3c{&XiZ*&{)S0h>9<p`yxr2PGA
zH3{C~kxX7Y(AMVl2NGyN$?Ct|%4ydurT?uXHcia+!B3G{r+yvup&IQv6ECm(00dO+
zGf5_ma>*Qir%hZY%_tj}y}z$eQPnv6$&<yU7|<v_>w{A^U9At^El@E3njK8d;*Uk2
zZj|$tGPo!)3}kafyaikj=kp{&OH1jK#X;A=D>{zL%G!5qp^lodU2MB4h!r6g_TXZn
zWN`a^)P8rE#%|jFaH*S5aJt44j6sSj#qc#KG}IJ1g+>2;djLZXHuf8XHa^vFC=aR(
z>Pel*JVpoqzIk5kx{L~6VNxKN?=Q6Sia3I@p^06UC{j^H!T8i9$jz<MNfx_xywVkl
zPAcGbynM3OC-=*H@w-b!;r0CoDV67^f*Ywhy25Auz73hO?~kKo{c%3AK9DF^rcv=1
z^svW&A8THb@St%|#S+~X<T4HMo;wBSN&7$Q8IOyJYL(JQU^9c?PD=GZ4{yQC<4XPC
z2ZaCq%7)j;tuYOQe;4s=8?i39ll;nFhVtWfCGdelWEu~v`t5m!ZK&MZs4cgvpoZ@B
zSW+K%4dd)v7m}H@&@nJZ&-nt*djyj^y}&G)>aW7>?ddszM=sSMw9k6C6;CDeJLL_N
zXw`PC52B8$IO@I_41+ps3|b}k-(ND|YQ)ji-#((@Saxb!qyJ0`plI<>XCiG_4Mqi5
zf(+@GadYD{FhGCxIzF?ou+X$GhSD00N*b@m`u6kwe%ZP_Y;0^$RdQl-qsZgq<LtEX
zm4yv&aRvqkocG0}zJ-N_WyMMx<U>p8#o)blz&v59X@d}37G*GgE`BWwk<zTxKDpV-
zC1BFD0TV(Yg&8Y8p&|hXDe@xpxTm)_-%oaEs!Xi|)PVDFstl~iy_%%3OcdeC^;#?j
zA=`3Q(;_&Ekb=UyE%<!(yN;&^yUrkFRaMo5)xkAXKi_;`0g74BV+nX&R=dOXc3jB5
zJYPx>LdS=3$hys7${Qqq!f;uVPqZ*Ms98aBzw{Db6irM{s?x;vO?LP`?bURU=|*MY
z%INe<WMfNbQb#oJ|N9mRbzSnl0<RrGDfhDcbR!RMmk!}3@vqzpW0ei4;uO$Go*wU7
zop;1FC}uyX*58yv#t%NL1=XIX;Ku9kgv_JDKxMZW&0CZv<nlW0+HW?&{K*#e^?CoE
zSW6C#G;3c=Q)NJRhS1zc*MSC}&*$E4XQD`FS5ruL9r=BH<y!(UlWV<hPBTA!x4PK<
zWBc!G-X`c+#&kYU4_ENNL1i?3(%<Jh{gReQt0Ydr^5Y!pd<F_0K!_afkN5&m(8H86
zdAzSzLf0k9L6zs%nf5`LNO)|Tcgrh$?oayCIV~Z<pg*xASj7{6-k&*nygM4r7IX!D
zIGUKd(<qD20dg>sBTS<IX`&DrDmA?Q54`MiAF0r+ioj!<u)M9c7|sB_;vO^+a8{Ug
z8}~s|{E)FZ#)|gm`uZAt;3&A(7hB@<GSBDX*0eXOOuv<<NdmF`@pdoejqXGdn61}M
zOFnDXWzeE+9*Qzj0cVQQKU#+R^=5KVvo9k-4n}Ykq8T4)%>7>H3b;h{ne{kfm<|%Y
zk4KwgR8KPUS7Fg@taRM?4baU(gXJhVJ=!w>kVsJ+g7H3Q*YN=QO=n$nWaQnE?~_7K
zD4EBH)AfPUG@H2X&A(N;v7~|_-;EXXqTmqGC3WIz4;NZRpYG3EU5_5Y6JVykd__DD
zW<;v~XCg)krm%i+gU1C=Rls;IU>nv1(8Be|z{}Vf{u{PLtn=3>8)e~(DR4{0HkW*#
zNL}y7Wyp(?i8w9Bgfl+<`?@o!EV|I_u$GjBD-aTt=K)%?=YCzEip2L&p@-YO8rdh%
zg2(s{GduxGqi2kw$p83NiebH8G924PD}xGG9KcL@6{Bxdm<p*ZQkdfuK`-tiow<-g
zzj|Ek9?Uh>s205BA%LB#GnE;Vu%Y>BDwS7=U5FF-sV4%Do}!qhT;4CEZogPDJzzKQ
zquI}HiOf<&_D*{VOnz6;=jXN-J&%L|nD`ZlIGD=%6zh8*NL&rz9>5c_59e{T|Gs?;
zb&YafHK8&ytAG}v%*LrF#aDkmoNs{^$+wGANFml@Vu>mC1O)|kcS{}yXCcwlzZ0#a
zAMmqkaoTz}r1AQ*LnxNm`y_esSI?~n1qtVpbi$8>$qttyvXBY|DP>*kW54uU14FpN
zH;D>iF0|$HgyGa%LC83m8HnUw$KUs=CG=!vI=yz~e0B*MB8S%36|)QDq9w~AaI;8M
zWAxnUN3VG2{l;Zb77}f;igK}&Z_9%IjkRNlT)*IL^L=_G^qBvbtYsjFGg+c6;|0oC
zz9!CsB|e5mAzl%MegTyMv}_vsFI1eCBi){)>?Yj+s|B)xpY*YL%N6WwLk}IJf=5VC
z<Fz9zUP?9e2_K!ymqML~I!KMnch{K@rpz_jfih)$cbLKbk*%Ko8bH7|dd(^ZpCoj~
zbkMlWBI~E*UVMX`0c0F@r&p{<G$AzwRZ}a=f~W@^8*@J1pN--oIww{nM6<Qua8K(6
z$_YBGN@f5|!>wP$9GxGMwZo~Tf+rB>IYRo)`cFjt2QCB7_S!c2?L?n1s=uMirDb{T
zwh4Cqk%uO@^pxUX7J2esYI@q(*zEnSa^T+}ec>#VW!^RgiX2Dj=BndK$*B|#8jL|g
zPX2V<h2eyEBOzm-KF%7&JjAqaGoCNydw(JW%A9T0K5k&?tCbpyMuq09qhwrIb0zD)
zmF|Buv?!rdQOuXSe^6Z{{EqF%Y5#2~rb+H|XKh52@aB&b)?W9^;`NjTiLALM27Hs<
z$mFr@%r3DTnhAMDV)F0+UNorgj-_QC`w+JISEgM%(LuphP{-Y&pq?9XxprOtC}W|I
zz}p%^l<^bhyk@lbv?N5O5hr>4OgWzQUUQNifmwFju5l8t{)$((2Qn*<MVKK#11iGY
zrGnKBDz(`Qw_3JxKts^KyF3{1qyK^gC{v9}UZ?QYyab9gQSD=0VeR7>tfmNeoRXw}
zh5E)M)-Ih?bwchf4MroK`2ccZV)|b>na43!EaDcWCB&S8a6KrVOF#|AIwHr|tKB?g
zRk`X22bpi{srXn7r*X1QU&XUctmJWE&08E8KGI~vR2fy*OQ^&qC&7H%agD<(qVSLT
zf>poFUqC^xdULv=vjwm6sv7c|kPqTM<CmXV7^zN41clqntw`|4h3&_e^=V<uXJD98
zMp24G6ov$kgx$vZTO-TT4VX@Sw4g0<PN--Xi8JH~TbI*ei5JhFV!bJnvWm2pqm$2`
zAh%M$v>HiDJ9_RMWd4d@s4#?%e}euRorH<toCoGS?}9T93{!3b`SW)y`d_YSt@6v`
z4$4Bi>oiWWz%d<AJAM@}%4Fhb5s`59KRow;8L!_n7nWa?UrDcdwO7#-ksk!>P8|#?
zjfD48)>9~>=*@cK#$c*0mJ|alA6|)Cdw@x_EPcF;VcXqirXB6OEWVF_nVCK{T<p)D
zflsspJXq;AF45seU|ow3d)FiAD?~O5#ulIM2?Uu+ug&emq$eU<?K9?Z=S@$m{Tb_m
zHWp6)X^->_8062C4;;4}5hFZM%+F(8#A_yX1z?N$CopTMrBqQcKUB;eNTaAJCPY%t
zH+v0Wq&M`^B=u7<3^`^dci)_CJzp@GB7hd2gDxnS#bN%Nb5w{E3@$`6H={r08tXUv
z4WnQvoKGmQD&>kSFqgA(Fe1dVogJn3w|waQ(eP8k>0~n=*TVe_5)81^!QZMmFe{{^
z2vw`~TAojYE4k103IM&2fHfAxt~<2o%|rn>O(NvRmST!^#epk@%y(mfcMApWme;rw
zemxfVG8&IblbZJVew_eF^1jW@K~L{>4#MoeM%zdgY>G^y6ix7BFTlMAcU#nDSN;3V
zUNdZnK{|&ylF;Rh>GM<qq!>&zksG4Ldh@}*>{b(n196lRuh9|Hy;-@-(HSGK?N4P<
zz<cKj2wgBLfxPo@1~*_#R`bnuZORh>(KDzOgSqqp)NH?@yu5rWi~c8o+Q7Zi1Mmxp
zJS0y5Q~-ReP=Ywx&pvYB*En{|KmAA3LBYW#Gir#h8F=i_OaKo4in&iZnpofS;M+_f
z;ACD~*{(TWr*hN@tDA#?jKL+UTuXctO@m1k@iIr7V<^1~K$QSO#HO==?$;0givvX$
zfYj-=JdeehkW*`lbOL7WT5!a7|5P+t|6vpm5D*a&5fXa6vu>St62p4z6dVQh@c2G>
zA808BbC{ZrgN3znSJ&Yufg^USM~PQlRJ4K&DED|o^84;MF(Y_Jt!iew7iJQRzSV53
zg>kfg{x6tzn2m0;)1xKRA9M`fH0xc<RHkDxFfiC)Yqr&PJp+N{s__U!Vv90)<Ks9n
z`Uxl!B)Gj1>H6|>Cq?2Y!Lb;M<x{sJ5ef@Tytp$Z2M1KT472N1Jx|PQ{?0J-+e)7o
zd3ed4%annb_0Tk#8ob~0tIXGTeApL73O^AU(y^;dB9K!!8p_A0n!>}j;Z*`8$>g5T
z9(@4-yTK@EmM2A(*E&DD(NR$&!@}t6(LHIwC@VU~BqfdhNkdCpTwH8X5YnGJxijBn
zX9%k2rfMob8XR9-Y!efcXGjT9nCDcfDkw$W@6HUr!{Wns2aYJTZ-&T2=ndMg0rCU4
zd3g}-?*=6N`R87$e5FxH@jB@t0J?(*P-SkfjtooQk){sf;o&96#o2F<QF<9;2|{Bs
zG2@g?u=redr^X9psHmtS_es=lXoJ(Xbxia%acTONQR(RD0Pt*bJz4}TR&tq9y;S9!
zwFV0~VBVk@fwpi0v@TU?=00#lV~IFJaEGMNu}CE)mOPJsfZ1;Jw^B!H%d|YbpO?Yx
zYyewBLTcbmn&*r+JSYj*)o$e2zQmlI7=kvN*?Lerq8C$YtnJs3ooC_3)YKG91WM+)
z&u#|r`_V${)!k8t@A<flA&{8<RA|}FHNNsrvW~>P*`YAax0|gu2Ve>aA@ko|_68E^
z<Ro8hl;_j)!^6R@C@3jO{qtf%Qj0hL15VpSk%H4jFNqxxx|YGO;ILDa3aAj)kJj7W
z3jU+{7964;vhH_^^75T(EE%lCplQ@AA!F-<Cig`w@Vo1g&)q@OlFPKd>!Q0Qka@uC
zU4o|ba5-m}ATtbpLrQvzUCn$+<gBFx+MY-PnQ=aH5idRtj)b281hc_K;xS317}z^I
zp94(G5EiJ{Xfr#KEx6>dS2ZefX9KV&(B3LNBC+39nlKS6Vv6xFHI|VIeipi#cLIn{
z4-^5F0l<pj7N!Cg>gfY!XxgFZ{V|+-b@OTj>W%b!{}-XbI@@<}tXnW7e68MCvt8+;
ziiG&~Dhs?qcs8Z4ztf(=SIIW2Q050Nb)D5Gz(!~XyY+Ee49&E;bBeHz;M0=Pu7J7&
z;6r(}T%)3vho$}6WZpQ1u$KZ~4hTMW-*;&5O-^fH@+Yoj<;n?(nqh9!Dcog+#I)U}
zZ>$w#TZsIZq{0&z$@0BF!YodvW|%T~o<#m?h;!6tt}&W4O21UC<Q+h2{DOEy%}s!$
z02R>=K-On9c)pq4aX=@6Kpys#)GR5f1&Yi3Ve@(3)Zas`zZems9=gVrrTo^B0VGn;
ze))yPGC*W%4HinBk@#=KMF2K_KZLFcVE|x?6QW%tkC$Kh3xHqHJR#YDG3W%oeC4&M
zYZNc`B~j{ji_j0io~8D?tD~)WG%}%QiLj9+3;plv$C@9~7LCo|U8w}x(m7kGT7yv@
zG>u6eWfYm))M*@EARx<FvQ>}8%NV-tCpkd7$j<X+8*3*CA|(($mX?e_Rwimz#1?D7
zWQM&)-~^|=_AIES2+*so1H_!k=U@VWZsVtgTQIszsJHA580E1-lLNZJL|JVyC4+n}
zw5N@-JG`?}fHnL1Qc~@$yc}76LJ3lW3^eS!@iw>h)HdL*Jp-eTrquCOQBFXj1^qi%
zquK3bwWj^{_xDPmg>VHh1w-6{+LFO;Dy^tE<Oc({{^vLID`6oDxe|52C&@gvDWibC
zLN^#{gDa&PAY-5%43yHa=;$A-5ljM~_dn2NBNUF6BmgG&V?99uaL2~a2k+&8qJoU=
zP8s|R*5%}^03@w$pHwSXFZ)>C@-h)~^q)Kwd<XikWO4QrbTT1Ae0)tnjOB#rM7nAL
zY~~w8M1LK(ZRI9xAY|2*{u!rnR;YJ&PpN5^&wg+?7B1^TpOHhB?2KC>{D$1OBtv5h
z_X)Da>^6e7)%~&Ij$E@m`S5rqI?&JI8u1>3X*}mbOxWV58!b=l0-<G#)Gx)7w&7uo
zriC5kO=risF5yeIJspx*5!8FZRQ?psLcb>>4%ptOueKwMn}&bARZ!^Njq!3gI(|Em
z<r3#1)u+Y98TCBW;xl$yx)Sb9>D~0_cV!+*V*L1|KB32IN!I(mUd`W~M=gqGIG&Q8
zx}cod&NR5;kw4d<YZjf#vREQR@PO^>oVF5r0Y(yR{+7@^NkZ55hhjJlN4JG{y5GA}
z$TsC%Au7H4%?E!E(qNtf?|GUg6Ui)MGGDjXvi>a1cOwg({FvB<`L=a>(6>0}U$%j3
z5MBD`;W=a!ti>dI<?<U9cWJKSG`5`d-fq4jA;&Zl>Tq~(OXU8Q+z({)Q%hS>Sr${>
zdya0C*SYdU#tj(ql$5N6Y+%MMRyD2i)3UQ;F$|sF5t5k-*QQN&*<K#>LEC5D?Ct7F
zG}e9SO^md;jPo5z$j#zg8`lH<UK6Q0Qr5g1uxb+Ax2WRhD|}DPgCFazl3i5W-c>qV
zI$z_LW-&|VQ+17gb9AKp#W8kxhrNokfD(Q3%itpg-OJQLvK*hrF8rKBBwl8bjNgPb
zTvMh^PWF*{kjy@^PZmh{7NT7fPd>%{@!W0gp7B}mL(VUMg+nuu6KryRiMG0@ctmws
zqTb~@&e*VIW~<iEQf2X^Vtots9NsF$Md!dbwZ|mS2S9XZX9rjbaotX<XF~L=CvKo7
zA*#M;d7Y(of`3V6+pNyX^+o?Jc<%4&hcoxqI%js-Hkjr%*9*){DoqCC8HHza?>vbx
zTMcM4wRDz_VGFLkm42mqDOwq|k2xM6KYm)2Kjc0lG-Q(=9u*Z96|nu`EDX3=VJ!GW
zcsO{Z64sJQCntNQVaNNi+hMiaY@Sh^Ye)?ws%N#ZD;9iNrGZJMY`RI4BpY9)g7~vP
z*K`ej$;XPfx}-1sy{m)yb}DY!zUwbf5~^kTfl5x2l?_Q~-gxo1y<?9dI%Bl?9Sq*c
zuGhX@_cHtG>ga>{SK;libL?vd4;<(U*}XfXWcGfEqvhjOuCvduY?fo7tH*d>0wV^U
zknIcL!GK@)sWnz-ldg}h*c(YLf~f-}+DtZMalpf>KKi7+i#Yg0?%K|A)?B6NFjp36
z%gUr#qNrX^$NVqTY{=Y>&>$*#uDe;QRT!<aYbdNv#s0-G!UZoxSp6+1STd{?_Nq!J
zG~C|6$-{8_?~+YJXF8F~L%E9bZ?uY?oz0r-@P{SwUn{7=!m3j3e;Z#gVehs3c9%nN
zxjVi_*F^>C>dZ>8VE#zO$u2lSNQQ452D@ganNVhdx@w?&BCC#f!KQZ4snTt;K(Ou$
z&j#t-e)-O!<%7(QY-ry{?E)-=HZ8OZqcTd)t(m&DWX2SyknE?X#?gV1g%bj;iceA_
zFa8|e&Gs^Gn3CD*|L_PuUN~_ml25IxHb<?Xz-YI{UhSs{+HX<<T@#k`3jnX6a}taC
z+$-@em=)!ae(x?-0<a3;=U2pB*FYKqvZ<B+9f@Z3%Kgxi$JaX<Us@W13YBr;lXit&
zJXdOuY!ksW1;NP)UTi2-f1tNyH=1NC*NPx)S-VB)Xio8~Aarsv5j!zTt9M9Y_H7wg
z6CFQ)&ueH<{8vtt@UKMB4}wW?Hcs7=(yKuksrA90a_{O|7JRkBcC!@~9Uwv43d<Wg
zCox3WYbNp;gUK-nHtlhYytGoB-^|bZ;<FCroZ@vj<j^^Jy}1wPWZB<PNPHZB+e($C
zdtRLVy+LF6-NoR)MC=J$tTe05j|CHoKTo9j+gf8<eHJ{Ze;LegB1N)Qs=7nlMTl9;
zh%vHdva)s^NY;MinR2AV@MliHsgyK5Ixa40O-M{s&QWAkh0s>OO2023zPaf=F7U)r
zNd6qX4?Rf{7$2uOKcd*eO%@N-GH^E^N@IWX{%e|$yJN9kW*W|)pQ*CHA0O@jtpSR(
zZ#%Fu0S-z$Z#bE3G#zx!`mj`c|4oC4o3V}&%>kWML>nCGu;a5PhnUyG*m!t=IK-@2
zrUmu>&^6s2AT;u&WXs>2B}d86M-w4xNJl-rMDllT;^iKeDC$>f9>%kBb&uAfj*68d
z!vBE(1|Ht7c@oQ)+2!OfT%T=^&<N7nMm#4mr?>8!PXu1%uK<hIB;)wGRL*O8If#!#
z8m}<gm8ih|&tFt{Oi62pk1UDttV4%#jr@o{-yZDqui8`a$UbNmSKgToB(x-UZf|cx
zn1YubTOa^of5j!^v;U%;D*`I(nS%DmQ<;muP=lwAJrDXIE-ns?QePkp?^U;=@1QMC
zADyKNZ>HWv8vYz*-{<v-p@cvn6Ce4Tj9yv1<o9Y$mp6}Q_}2SGq&$Q<FQoeyJ#_85
zu0VrHtDB%HA>ilZLMx+2g_Tsj$?b1amp%2CdM{kp4kjPNS)dRz>HLh#gLQCl=ym3;
zW5K1-UZ$sTY6sm@N(%*swC!rqll|&A9{BWn9X{TBojaAfO`m`n0|d@0&8mMu`XlE3
zw9oFlS9?5620UWD_@xfTz@4lVlh`PZ>OxPUUY=Ul(Hy|je{W>@5#L^V$}vFuf0$OC
z(bLe7pj6>bpv3zA3P50OJASr2pCzj~+a{Oou{?kc<{7ns$Gt<Ivdp{W6{weB4EWEq
zfu}8HjsRnD3*@P2EHlR%!`1D_3QyA@nZ=dI<-wx9fTdj~l9U?EgE2hedY0m}I8(6p
z=dASMPz-V(z=GDBs9WR|&2PBhe<GoK?;}tJEHuIp9iNb5wr5Ots*8dEKdvN_DI8@^
z8jHKRe}$4fpKt|r`=r24!Pb=a8{`hIJDQP$;@cAGlmQ%cDH;IummRIemnGhKvRG-p
zRzrIL!wp}vKZ&vyB8AICvc{zNsdeGNzL?~wqS^7z7Dv<HBwA`4ORqwOG4<{VkO-hY
z)B)*a|CjZja_$dfUyQp#fQkpG7Bd65@j{O4{XlEL+6P7`BxyL4x6fyt`9dY!*EZNs
zr4gkJ6IED1AcGB#We(dmdp7Q<#U7nkPF^0Rms33QY?hHrq}r^_wVS)?1nc8yj&Q5f
zb&EKqu&}<twTKg8B)ZheH*xEiEeBUhn5_z|KfVIo4I0~b0Pv_YMc4b@-9PK}fDz5i
zXse%|0NG$YUZ#27sctwb*gq~=oOTZ!*S;9iyYorqf)I9g_FS)1<X0Dm3nYWt6^d$_
z+$4kt^|d>GxP`czUf}x@6BFU)X!?B_gy7r*G^uq<F%2yNad~X~j1|P+6&AcH*#Aod
zznFFMBPcT9%FqrL7<TwPtHBGBh%NBImf|$sovwMBQd0)z$w7|iq4CO(lU|aVAD6_b
zrHr9C>Md^xEqQVPsbJqkA|L<yl`BdTwjXjg3j|-F&-lwHz;N0Fz5s+^nb!m?de>kk
z)`x~4m}-=mp)m|*ibZlf4H;tvkyuWn&9-3SGMp1M1AWLFFit??p0fgA61*>i(nvfF
zp`}X)mFfk6XGRCq?s)l^B58!F>ihJh<*w@j2l(2~ne<q4(Gig$j!l^1T+!TND?o&w
zZOo&Nr;+tuBlt?Up&Ot%)$2b2Gj0C{8VF%4<d_?tB{lMF`9g8UGB_`fLKAT98rQPr
zezy4o*f@mfVMa9uKfHF9Q5D|CDNu|TD`l=yJ%?4E4LTqWfQIsBCpa+fL9kyv?9#Y{
z>ND^PEbq0d^=8}L&wxq*q}x_trnH@n2s-G}DrGziPr!W@1+?;6VgR=POcNVfuJ@%5
zbGM(et3_~|*UnjApco8zMg&+Qc<C>avX7+eKkXJA6X$te_5cqjJ1OaWOacR_gp;le
zT7b{q0jFwfgdO`LHfx>8ts4}x_rbU6TA26_-^a7up$<SH@<IU9w~VP*$b+R`1T0!2
z1nn1FVbb76!Zc<PwiLr#cmotHF$y+^)o$=c8!J7_WRjy2h(-NR4@*znRuk~3<{%)E
zP`wT#B*|m;v$XG><l664R^Ro0EcawK5fQSMZXRG1GKH*w6vRm+mW+HjlkFdDzSlgl
zH+ZIzR18*D?X2$+!{%N7UDuoX34U3p`sE=8;DRZL{TSN{T`vcMaxNr<O&`RA-00YO
z-(B`p=Lmc9T!!gE10wqF16Q;B=^q_|JOkJh=z{ma8+dNoK#UZFSN#FBl;_xk8xv3^
zyDaAGOc7Ply8Jpcx4#Ka9K7?Cyw0JXj$Arw^PE2|^iwvV&AQ=<#~UVVoxVp!1PEQ5
z)p#U>doNywtOeMC79&~ii>#qHUbe5-fk@ET+v{_?Qvw)Ras@(m+ymPyxEOSff2n$o
z$R?qs2lFk7PCy(Cuhy=EO{^6Qe3`aOr<`*SIt?(}y929%$M?Mj!~+5mF&eEVL$dr2
z@JRV{l5QVzWkQFdqXnS?`B`U;gITJd)ym;QgxMLsX)98{ciY5JO6$<164l$e@R(5O
zmRxYXkkV2QmmB=G2ZL62&+)2PEKXBzn=0@p5^j}YvHRt$WnVN&pZnMsG0h2gu`9FG
z=LQT4;K{!ICyGR<%3~OJr_3-Cggem2LQyOSVUZnQz$t@1HLYyuedk*;p%=eR#54ZD
zC)I|j^`X->cUjshJ$~4c)B3$q_SBvqHA(cAVg2*vzOYJ>yp+t}5Xu6Z!pZ!uJr{v}
z_Uc59-zoj!nblAvpeyg}k-E;;0Tb>y29)J{#}{g(e|fajArXp>L-!7?`7D_=s2(?j
z0_*cp-CF2iQq5~3ydRwGwi~_K3z^f%oR5qW6tg4*x<%4&m>gLy4`WzW8D)-4%W=iS
z6pU54HbBwvDKVeE@VPGnftbo0aK5N%XmsS{$B-~EELUM+m>3Y(d3>vnXI__GZgZ`<
zwyCkO;4e1Z&=`jl9<v%D`q-79ydoZIA4;tkTIc<m+$p9~i21Y)+)T3A5<ufMClI<e
z-v)zeFy;Er5mh2oeB(Evan|JI<g8D_Bh^$%*Gm?%uY(&Vt;LjFsw^Au5uC~+vl6jg
zR*V?#onsPf7-fXClyWyt%gkFQZ<FKbj-mZQ)xc%}x*c$MP4{*4XO&N0LmMoHfdbG0
zram(X7dwRuzDFE&kOgSPpov_$a!HooBSh9N+w<8Q5LznUbv)jF1S7f7&xOArjCH68
z+)EIY5~ihnN$Lf}F)S70iw&5DAOzJX%TU<*CZ#kse=_OJjz@dVHnOu(0g1H9Pq7rv
z?|a;pe42bU&4zwOF!58-Yf@I90GH4nv|3Z<G<mnYdZ}0RMjsPPv%K34VS25B1P=PQ
z#0TnNJP0f6Z;f&0{L?~NtUa_l78;r&Fgu@x8ZQoM5iFVvdL9aMEY=8>8{jgur~{u2
zC{5`V`x^AD`~y^@k!<N@SvK%y@?(eKOn|hL066;1&3x4fX~OLnRj9%Wg!U9a`Oc8)
z?;TMCNBf=RasnXmkCCp59-0Ao>;(aM9c*rHP(0=LP!tyT;~qiDEzpO}lp~^}tH2ri
zdka!3H^9uX1*#;-K4fKbfBbyDJ+3VJpe};Z3`}v5#7J;C1y+aw5ZjTFk<T`VKmPm5
zFv1Zs2LeLR0wYs(v&l+lu-PN%sDsH&p+4TnzYu{!)=OBa*K)c)+mOj+CB6zWcpq-T
zY%XjZWNF>MTJkMf0NqtBuC*P^@%2IXZRUlw^wYOx{BPb2@7@x{$#l4-3Oic>rBo;e
zH0Qb}&@vi;NFGJFrz)*o&+a#b81fy!)^rvGJkar9sO@AiDyE{`6CC-?EjK>Yv1GAo
zzS-nVY;Y0d7nEHG-UD0fcOV9VNCVKE<2ui80czO&TXhFCwBEkH(F|_XH_y4rv}{6W
z#mT4pEzu!Sh7o9ADRmdP>SyB@G^qvmt!(BTpj;Wh`Mf(7ehzGqMdwMSewx&{axel^
zUysk%8h1Tg^gtnZ#(yYU0Jk?i>p2Hvnd=?W4;6LFSOrE#g7U$!S<%+-n_qE<vkjrb
zb|6#deS6Li5)`_2KYC{BIoTWK<mAlas;<DDUu<@u3O6Bf3>VT%_K2V@X9&i(fwy6o
zMBMuV&fN^ENwD#iahOJ>b{zn|^rQ+1BvoJ%>?gX;J0K?Xr3^wSId##$hva<)%@}y#
zaS)INp(3HBb_{9!-Fibv&^(&OAXShS`V91E8|b7VAqJp&wQ3BMG(b6)8+M3Pr7~(n
z2n?W|%Xn14!>>mzAe?o8yYL)%Sgt*HhX}D&_JEvJL97tEGiHGgXzZuc0|2HCYgmY@
zYDy$`ild4*c-=Ur4hHK36;Z(EZ6#-6gfn{u`)%5-$%jGWxA3ZOI}6iXv}<IIkXJ_&
zVw8T}{z};&FX)5A5TdX%9uHy_#q2FRY5Cr7&VI(~j%-#eWu?wR?=MA`LijK32_#B3
z%2tSkfGoeS4cxa+0Oo>B3&@dqUHsAFB(I&UgN%2BFdp_dYX*-}T>N)w51>S2qNAVP
z<CBC%pF3OpuAy{JRT@35`vR#*e5@YRWUZL?`%{G>>9#cx^H944%3~${QY1%Z7RXCM
zDnV=60}fw&LxD`}>IaYpB~k7A-DM+b$p8^`@&+l^ybk6!#DI8r)FPH4DoH+S=LQW}
zxl9GQWDZvZ$yXZ%@pDcI5x>O0S>t~M;0j!CL}a7{4LhEHN!0Pl7py*z)gcw}N>h+>
z_eEJf!egApnQBs!HCtSp;IW=UdS&9iJVQ%IN9ENl3xsanMjN8luw(EJB8Fap6rVwx
z8+#0AZvYaG0cWxV0L;hMI-I3+7tWw?5gP1Q#M>4?Cujpl3Ro1Dl*TSRHZyS>GAKK4
zf7kP-o|Ch{KcR+-IF5S2{dQcd|G*&LcU)YdUX~Eup;+L|JUBfLC+qJs7Zm^NtSB7+
z&3pS^GP9<=#UFR~H)k!k{Zz5XxNf)miqFb+EZ%YCGpGb!iz^5;3Sp7y9bZxt!3*GL
z*k!`+3HJZyN8TkklBLWZHZ&Nal1~c{*13Ad0^}lDlEt`}q_od=C*UBz%JCaw6bNH+
z%><yL4Djn+>{Ai~7nro1mP;D&EZp453Q)M-un%0}vV<3y=8kHTj8_-wFN*jQqbm~J
zXuo!HjGSg_`v-`?AK7J6u>X2o)jwJ7DFJB~;(C4KHq+!La6~LebKG8DcknK{t#yav
zw6ubhuFFiVu@EgTrW%$~3yATKb%RrS5hHl`*1U2THX03<N+qb>tz=zLQPAw2vr4`!
z9z)nWfKo9@PqbTtBsI&`k>gEl!y;f{G?~wmg_39#eWHj*AgNHj)5K01>thB6`(#O@
z%K{Uw12us%y?U5%Jrkcnjg2<rQs9C|jRE-k@~jb%jOVsAD>}x<d<eSD0%*Q~fGNt#
z{-k`%%f5bhzSE`F>$5-C#9Hietk^jwQ`PB3W#|(l=6D+!!-^p8&QYr2_O3L2;O8fq
zG}~}|e@SNMn;@ZbnI!#)hgf4XL<mXh3~kHr&r*-C7w_CD0>5a2;2s72YSZm;5xiYE
zqdVODz^rUGEKfb`aluNrpN=w*ZmaZIjg%SUK8}!>w|s5_gty>uy%`h455Z&S=agcA
z&r+M}r`X1)|9{#3|DOmv2oZeAHA}&&4c#Sp|D2{_jjQ=g&w<N9OBw8QK)ckRnrlkm
zj2n<^3L^M}=LpC7(jFcjAfGC6wng|Hvrq2SQ~gqeS(?RNIT*b|oD$d}SPs<=Qehav
zL(oU@*R2(oB7DhDH_3feq>>w*zm7%Lvo;WpzKIGFv-$M@d3a6%Mm(ny|N8;<KVSK;
zzy04YZ$%zun#so*xmDGni`+V)-Gn^8mZ(Phm1{cFU>Q4ikV39A=7MWaI0v{5XIGWm
z%iBS&;AlTtV`pbBCmL4X(fiIFXEJ`rLg$@{JgVTg@mZFdBY~VU+C{asSeOio@80z?
zeq9YF{tL&e3l8Pfk~|967G<#fVgXcprWqj2Un^pTMMYRFD56238-uncu!zbf>L{r2
zjKRUtsHvThW)t)8FL!!1z^4%IN_5lB0!~sg!@*=UjM#MCsMaV+GKzDJ!4v4G?(K_j
zNG=Cv4D5O~HKi|z`ptmp0}W$-Uj}Xs<=e$F;DdXBGu+kLX)&5};4Dz2Z-!+#Ye}7e
zlx`ypMJZBtUOA#*@()f=shCDd|Ng0|Rps4?il0ATUO!hS!lP}Xq0f!^{q>1rHeHTe
zKG1n5s^<#_H^k{TB(NWUy8*%k$Pf;Fl65JR(0W}H#XSJ#DU4fb&_=YOlNqOhdW+vl
zDz1DO`=7jmLIr@bVE-aHNz6aB69(?(7r)ZE&EZU-qrCeKTC*r1NC3Z_f&mT`3RwVM
zo=w!DUO*yS!T54^1$r__JNT{y6EJF4(kJ5r!~4HdK!t#uwJWA`Xj0pUtzM64T8~U=
z%In1YC6tMZS@(o`<%<j=Kx>Phw+{f4c>-y@_^d2Nqlv<2$8ioM|K2psJ9fR|JwI9^
zuQ(o{%LS86W~tr#IjjuALmfag)F@Xc;&(I?7l++6qpfMdv|k}F_6Mmx8|x<oHSPGj
z=<smlMVa4aqD`8VAdv*0xQsl16OZ`7@YNUb21LI~)yuHYLO3C^Ns`hHpl&ck@9lxq
z1G+2}9*Zu+S$YMyymo-hgNPT9AX-35!hXwwTiybYir74TTv>T}0iS!m!LILT0dSr1
z713EP{&u)TL~?$dgOs7<B2=PxlAoGTZa2H+1yI{#^!r0s94A!T<7B*Vf$q7sx_a!J
z>$ZyQd{C0>li+NV51^1dp^jN4G8+`Ywd8J~C4%_2ja)dRh_(?X8QDlP9+o^%pclOS
z#qmY8Pn`TOK~QrWM9?9A501ynV(|UnQ}8N@Q;^dK8UcI({2QyWdgDcespX1+ePhB1
z?4Q+YxxUK6`Jc|_ZzeHWDE|IPCgy-wMIkbw0HEvT`g20R3xSNy=qFfvv6nD0H6@Ax
zaG$L?!57>Z@IKQme{Nk{Tce53;`5tHz}6U%T<l{;(F<cwFkD^&opc{WEzOA|1HOcZ
z!CL0Sk0^>wgXswHgQ4nkLXnvqjeTI#5PoG%F|A^~&%i>=*ooP&U2oC<e3T00<^p|D
zwkRb+o-s(XVS#iss83U;WE+avx8?bd-#$)*05p+QB6{NX9tMog5!AN0aeWuuJRn@v
zh}`Wrfa(-Hdx*R5+5Ny4#~u)lLkG?t=2lw_SYA=G4<*87cHg`L`w!;;P`m>PIIv*>
z)&wA;rsu=FOKjTLgHg}ecHP@diou>@DPIjlIKuje<#6KRpkugtxgba+M<yABt0@D7
zTX5GsSSTgJ82&<N@lxp>mw&=I)`wx^;5>(yfP6<sLvyh+SppPP@RZ`O7-FR49`XzG
zd(MNL<-={_WecvYpM@_ErM}u%Wlw;h>0ujY78fyQq{OJEyr?qjlO?ke7N8QQi-Mil
z24JZ)=*5lP3XAnrDZAUT5i#(0Uv8ogtMW+Nx1auI(quzo<3fYb8iTg-9Hl4n#wNm=
zU{Wuw1$8ZW*lY?6TkQp*Sa7lvjltdus2ihg0#*aC9mFdNl0g>c!LOK2Hh(Bio=G#-
zL4t{kUnyXjBk#6{!7qnTrr?dHIH8LukTzKW+}n?n*aAw6z7wcC<ek7gHoBu5#naLg
zTLv0p7Zb#<nG3AA0Qg&K0Pb-w&<6BP1@3`z_`IFM6#N0ip}<B}B#hX3c|~>SZnxWf
ztE(L-FXT0f=d{O62*{YiYytcJZ;fH@w~+BB#|`<2F-=eorIPpIfO!BAj^BqGUC@;T
z2@VeD54ZurSG)+Lnla0-HGs~5-a#wM{jACm<^gAL86VhQZz{7uUgVix&2Rxgp1%bs
zaA!stP@h4!8UG~N0R9$5I6~ee!NBE@-mh&gUWg+`P<9atIS=};uydf|q$YJB#rt5`
zrt=!#hYG-Cg3LoG!-T@YFP-_q6)?MLll<7%{0V+Koo=CFh{rRgu|GgI-7HZOR8#H#
zI4<rkh^zm485JEZ^{F-l#QE)AbHG)C{C7QbIM^jHegUDUN59Or3&f?02>=xf6woD*
ze02gixQ;09rYP0Gq-a@a0hoA5t6dnPQO)~H9l6}WUkWloIAsf**y@(e4A3PT{>I6o
z0Gj(12+d)*O0{G=7y*v}&O&cMm-WYusOwFTY*dk8%wjWs4q$S6T^|Ecej*=<o^jyK
zvQ9zxy74a-?b;WKm<O#ujC{IVdV*{qeE<Tk0}4X``WRvzmz-EXA^y4QCr(_X@3<EK
zjKXiBgcP(en?EGIDQ<>HnDXfnFjIujUa$OA>`IiPJ;qmk#bUf;1Og2+9^f4JmWwCX
zHn26<mScVcaPdY+rZ6IFCK+t6{L1<Aeu!87Wl<M{bRZk{fVA$1==G9E5UVzQ+4x~R
zpyFC1DPOk5apQfXjoiy9NiS{ef!I<I%-dgjdb|RgV8<XZ4Ob@4qN+O}{q6b!ejBgi
z8wecLyIFk%god8khvj#qsn1$8?<0`8umABmfuz2{H*36hiq7cSeprIkbb&JXmaPep
z{wa;1{}zlSmfG3yE78c(4N&q8TQPSwaiGkCb)yebxJ55I1!OwMP<dQ7c_#d1LYN)H
zFIeY9IfCT+8Q<2<JPteZ-0MM`sZ}XNPlFP$Y5l$!X;2mbVSp=xCIpYWUzg^ql+IsV
zrMR$u6D|2yS*il3abnJiL(~zwKu$#csA|JomS{6C6^>0)>R;;B9t(PATo$m=fWoi(
zm6+Rl%-t*_%efN7|39#7Qd&@<-aJo7k7VmI%#NH!*%r(z9@+IwT-YxEl{dNUDGSnI
zhYFF0$JDY14_y0g-&0SS7ZB@?X#l&{r#1zo6NsVLCC8wjnzXKjCfqzXS3tkm3*sm%
z`5jGc<70$_(;)8G%6bprdyc>8@By7BQ_%Gg5Ek?FFV1@6((ydM4IBq(wy`cIQ5s1s
zh%2HzBvI-#%Chhfw}~C2K1O|2g@ctxlnfgPNe=Z@!fo>S_tgpzL8c2+xYc#Y=kp+F
zTJ%)cFyLol+ZWS@%4CPcR1QGI(CcZHi8lsLVe_anq2&{h2p&KmAMqk(BS$`*qn-VE
ztdrMZKZ1rp3U<4+*vQ$Ov@MuDnHZ4Zk8N>0P`8O=wHJ+g*t!k6JbUJ(RDg>71Ws}!
zv1YZN4oJ+62ZP;+@COahOT3J$H9@|*$L4S4ERc-GXe-~ejW4via^muJ;7VSMO#<~O
zLcPWyn=^;`z>yVfxPrY9N|Jwl&H5mThs1s=ldTTkkA<#733x2|C?)Hz`T`8T9k49Y
zyWI+a3zp6h6jxI~0>aO0x2T9~nM?o2(G?dgwDA9#c!fPKf{TNJK`9O6Pyc)HN5S-Z
zyhvI>GLe9E?%Anr;@GXYa{Ov%N8nIHK?3GEcK{4D;0pyyB{>tr7+Vg^{VM6VJdqhq
zSu{LsDZ???D9Nvtz$IB1^ON=3t7_6t2e^PH_+nHzVwOfL+@y?BaTS&m=>yD;I+7ku
z@O>C946fwq7uWR?eGV$&iSN!Y4+<RF(c~;&-X0Q!=iv_D)Q=-(NbfYuJ6IRIVJzf_
zm1JQ0GXa?`g^8w(U(GjhmKORnV8mrA&T!0~jhrF<1$Bks2)C&87eq!Tj#1|zOBGWR
z#xr68^#JTeaQCYK18kqwEEqT6jFtpSlM+wQu%m~Np9JySR_Q1WpX!}WBA^QX*Z&q0
zefyp+USJ?ZC?2wtp!Ak#fY$r+LQLRgAtwH-B0OmSeyhxY^ec7L1en67b~K7NP?GQj
ze%$8`Ga=aYw-krqV1Q9XMV}!11<Yh1Ji=u_7!b0ZP_mR+Bv76c)>M*I-HoTysQa|+
zFO$6_pI5d5;!g1+DgMJ*+^K>=+yux<0|b6kYuxc{?5p>#zdznNF65Pcyrg+=xayFJ
zXk7h!_Nm{L;~Pt8@WS3VPp7M%f=L6r6qsX$+POAIJ{z)<>4WoPoXdZt2AN#~3d`qR
z$3sI<qJ_cRTF-^Q#%HoVCA`CjE?6d62Rytm%4{Wx4y-&f(m2ix3SOimZ+g{@DLVIi
zXS=nMpNx<1{MG0tqLsV&U%zWjjVbax=sh5js$!P^Mb(_kB-tZ!f7}J67;}$ozEG8J
zb<sU0kLOy=QjP7~bntw=GU`omciD8p<Eh<&{>PxTsC@cb5r-xk!L)j2lH>w{vltd;
zpWsb^#0KBqP>2+z)ZC@*<;d;XpU6bRXMe4-lh8v&6@?L*%^QkN#+-OE*A!BWd_ET`
zMC9$bzI@{mJ+!G9cQ;hp>#HYZQI5sQ$h*64DF3~$D-N19!9%y9B=-vCb1M~1&-IW#
z2()?Gn*Ecz7d%{LOyx|Fjn{>FvPq!7i1XcRoFV3}a3VopGRh$2A6{9(66G?VjDe%O
zb18Mw;NPOblNS&k*hC7EgRv5Cd3*Zk6#Of>^EqG%TnVtGwly7*Bz`AErVNn$^U@Qe
zMtMICkGX|G2HnGVUae{o^}qO7_{M^Ns#F#E8vgC2a1V<%y_p<6@W^g-rps)R*sO{l
z)$Z|0V<?VEoBX$PJi|XC+;#A-hHgG(^|-Jhs&c>gNmIgykbzzuno*^`lMuh6jql65
zg^DB@T{}%egpZGdXFJ8L!WucTro<OdDD@pVQj3i4ue@{A$;o>v-9{=qb<->S*m}WP
zNafecmBXPCH}?!hwb*I3&Uk|k@$gl20({l)R0$-mX^qBlUvdwV3aK;K?uKQwx^s|X
zkxCep@h#G3;aEwzd^BT2w;F?qNJRzpx)!+(NA`r>PtEGm=tFvJG0uEHOS{`hH%*e|
zG=4}mwcKaOJm~h@E6DlrLkc-|ZsoHvTZtea5u<gA3QJfgZSeD~vYx3i?0A<gP?xJ)
z#vjto4&j>y3tgXWZ1&H0CIP}@OikNq_Gez#+U)yrdw`WWec^Uj&-%HX3VT495>EQ9
zqvcOYrH0wW#OTqzC*k4IpTo6jFjLh0G|4$z-LXA~O7bp6MJ@LS$PGCif+k_fMD{cL
zo)~m9Sv@8u5C;y<i%IeVj@CDSY!wuFvYR{hIMfe=D1(WX9ysu3jst!ys>#V&@B~q`
zCd>Jjo~uWkya_;a68y+9m90MzPAU6Hj0LL1MxA{kd$X}b0MhlN%x!}{Ed9+fMQ|B|
z)d1O%oZZZ$Wa{t=8t3LuD=JI+j&Tj~#qI6><61V3G5wYd(%!}u7ruQNbn*(F9}(L+
zoBG}TtHzl-f-W-m{z3kv6<jRj231}=_O2P@IpdXz<@+J31C+rkD0E<99xQVKn|w}Q
zfc5ca)E8`@Ay*s&*qeYmZ@Nj&$un#5WOYVa)3@+=8qpKgV^f8|`65q{6@&aA$WK{W
zUL)}L%b*{y>K7~a+LB~ghZSLcCS;`{WIZ6Nu{KBba61&$h>!X6G2<P}n&;2nPUWw`
za|>2I6UuJ;BhH@9I2HYo>7PY>FCcWsHi^)MYG<uK5$PSm#BWz!4@*B)vVY<lOb^@*
zezJQi`)6+YTbd8!+4RZ}n%i;U&*HIj3u2$hsYKJDnO^^a`*J!hw*PwJ_)OwAEiG;R
zHODM-Wsh?vjwN5O#ooknzAlMD5PHNx2r(NS=lhK(#Zbfkpce?<q3MT%tAh1wuTzyn
z+vP-cW=f!F3bS4Z2d_hC!+d$8yY}Ri<=!dD$;-WyU&%_^7f4UYNgIk!NsHo4S6o)F
zzsu?ypq}QBP3kV3>Q);F4?mp3weu*SPR2hFAliAS)N~d`YHXmlR=b=YMB7|xwPMg6
zhQ)61lKnB2$&xaXa&VW8i9NueMsVR{+pSfxxkww?S`Ed?&kRjQRi4hA!;@l<1Ek!p
zz%?67lApqwq|D9m+9)S99Z!#*S*y>y5zrM7mIKY{JwTnnV3O0TGYK|pwO5<kaS5KA
zn2k-(o9az(v1uOKRCupV8)8pf)qi;?=!f=~64lQSuCMRBIokDwHg-s^%Rgg$A*S}h
zzxgMEBSG!qx|Up)Rg#8RBOYnq%f>{Af77#md@h+=k@TBKUt?R+r=jC^)PSwj;6W>K
zNqJk`MSpSi;W|_qL%S((!xF7>8fWttT46BQPj*}S!zEM3C~Gh1*2)q(EyWAnKh@+=
z$`IyS3>)Qp@+S1=$YppKI%Iogxx_a(hIP3V9#wbF2We{zW2+h5e7BK5nG$o{@_L0w
zH;q4r?9AJYh`MMQOBOM`JOqu1<I_A}DrzuCSa>){Kq|_2eqi@ugtJ@Cc3s>7J4UJX
zzUK0AHrl~pTj%<0RMc`PZN(`L6$S`&EnSB{UtBgrnbfPZJ~@Rw+3BNTMp-s?C{l%o
zbpCFv^&HKC7De<fZ}B6{i52giZH<;(J+Gnwq)qO&><>7Z3-AO$ekxYzR2IZaCMPB~
zhtefRvbMkEU$3~#oG5kaU$3PZhhR|T4wykUW{r&q|MA?Y`x}eO=R=W@3UPt9?<tf6
zmZO1`)o}xsn{G}3oTUnrr6j3I)>U<cBZK`^GiM*2%@aCl+$8u4ZrII`-Y;}5Dyaiw
zGWoN%Pt%GA$z~o@8$6c)$0IWrer57Hq5-Gnjg_3#0N&>{VVp;W==u`D=%ySYCey1D
z!c|#jqtFF13$M*7w==pknzh=AlMmgpNz<6g;^Hbna*7>_FTeZ?{2lD4yX%6h;LP7X
z=doXm@wCrte2`KgcY<6d2<Kk7&$kmjob`dUbtv!!(PvWS2+@?R%|8SlC>Z`;b7tVC
z0KTjsCzlTH7WgMQ6o(&ckU?PJ3h>*fKGDaMos!)5a$DloV@*mUFW1z97I_@_I)xTv
z369)uOK_}^X*!ugTuLpOHsuoS;9tUPiaW}CI6DLDUn_GNU6&QzQQkE<EPQ{uZB;`f
zvZ%!+7DEW(j_NOnV~H2BX;DZVeogA;n&#0e8%O<oH2Y&ObL*c0uEq7Rf56Fn3)A6h
z2KW7zEziE?@#tfdQW9!jt#|h=Y&=nVmwOqmbsN^=S2NwD1)}jr>7h#BKiO_i8s@`V
z7oBjfk~6mPJQ!PwJC=gy=0}~9Fm4%Odgq7SrYIP6Hts)}Q+95>_T>l-4K-ZWiW&(x
z(K(UTjhI~HK$EQbA(reIKk{M}(c@rX*pm{bLym@gfEUqyvCSQvVn*<<7r58&z-a+9
zo!4f@9;m0l0ylIT<|aFHMV3PxP<xAPj>yl!;Rr|&SZwOp%K1N~oOw9Z@89-|60-06
zzKtf?vP71#OZJ3{!B`{v7A<IOk+G8{V=t36B5P#NE|G6#86xy8OWC{MbN`;_ujhD<
z<35i2Ps=gJXFi|ny58scI?u41%U=UYxCiGUM9uodPjZBZGLT6cxSEa}9sF5r|G6!C
zL!c(6q$JnSB={P^vir7w^Qgxb?dKDn=ZU|Q9?0%48(H>>c1RbI;zd8%jz3ZZi8Kvj
zM@H_=AtuCd_B`6Xh7LSF($UB0BD*QdhMMyyDVPRSB%gw(wV$7C^q0C3wOI)6f_*k2
z;h)^AITAXhEi-G9cS-cYQV@`pETouB>ic$OPNj8)=B~V4+(N^(a?6?dt8!`%8?lsx
z8(pnLLuyFaaB|ABN6v6~2w;H|0b|*3KC=^o60>)j6K@P0f26sW?o&$X0U7w+PJA>T
ziH-dP+y5(o1i?<{TuTbwgWwAc@0DPjoMl6H6q<l~e5?64)X4OeKq`%3TmKyhB?#v%
zjpDV;3>2DRc5)nc-NN|CeO{#865}^9_=9Hs)Ou&)Vuuqwk*DBwQwoZh?+b)fBa>1H
z8x3*`=U>`uhAzfE0gZ}eRZp%zp#OUR;QYBV7-B$)OiKe0ZRDA{df52_3VV90$6Qai
z6)QpKNU`>z@<ou+HQe4U5gl>DEzW~%g;10LI^8~rC4#Itc~lK7DIr53AOD?;qL-#w
zrAmr!nys=|4={Z}&CwH#dud-ICgv|xog=uIeGXx{i4`z#FjbJZ`I5cNTyZW{N#V{v
zyD&n-QlxS}=&*_@sQEK;477<G*CaH_!^!{@1PglgLj}7lBPF37T>V1WLCU|}3jT~$
zTj;bTSo^}}v^%Ei$fHYSBG{7Ym3lYHBwALconS&&RD%NxORS0NFKsZsDEqvH>r{V6
zf`@zrO2r~3?wWox$XUC@RFhm|*I`A6gh&vKN#}cZM<Xny;BD4TrBPWPhoC$_Zm}}-
zXU~Q~D$KiiqXERanj$sG(_<jHHwL9Na7DfHH<76zD-LJLM7e_1{uMY!L$8QPyOQGK
zT|y_iz{(+_0Ik#qI={*?x5d<wAE+oynj%Ld>VJ#9YN+9r;MMJM`i-$Bjiy03$T=xI
zI6efqU={X-<kwf>k(mT(Wq)Ul*=@GrJl!U2oia4PlA#X9<bF^izy!x|v*^Qrqh|Bc
z_M+<AiD4<2!X!@6`N2N>GaZLYp!95&y7dOlhXP$!R10`ns2rgxr;An!>5csi>_|sO
zPZ#PTs0S8p;h}uL=H5opLs<j(`5>C5(hz|oARmL<#Xew62R@@Ji?U$=EP0oEZxg<=
zh!UxauTgSPf~t5ae7CygU*XYH6lC&lqiCSLk>Y+SQabTSyeF%<Tm~9ynj9SqRW;Yu
zEa{!oGFAGb)Wk$Z`(52){o*8aV*RLYj1v&(QQCTHR(Sih^rgtu{%`z(kNsR&vp=#%
znPzk{XqQw|3X!F(`m%^1Ed78d65LAKcV=4-PXS<P7{6?q+6e^>PKYZ?F*<3vU5gSR
zrDuCruocr!NZ`r0sKR*OIvXw-;xWg*Y(;8eeZn(-Szr0XJ>HyAqJ29$I_JASEprJ;
zuA@OEknsJvMVaYk&M&GOB=gdnfO>>bRt`Nr+yl|K;QZ^^U8mNWC<VBdYmoKbYyW%D
z4)LMyz$U}0W@2c#xqC!ql}%t01Bki22^<_ChZX^4RC5~@5c4%IwSvm3=xL}(D93{!
z4qR<XLEuJ!o9HB=vvBLX_Lr{Vd)q5!(TXEr=UO=kieI{P7ycGJbKj89T;mfGL^^1+
zIG1iDZQ7l|b#m@t8oIl?1uw&@dwaIwWy|gjh}FvWO{OhqxQu^$pG`s@O8*7v^X}mJ
z*K-OfUo-V+%-yd`YMwL@q~9cw0V%1s<{=mb^2~+2<a~C@#>WDJ>1XQWwuCP<V`zNs
z=EIlLuM-MVUPF-vndrdr8N_g$r6WWGUTOvaRv84s?VXw05^!87he+8~NN54<2%*PT
z(300HJyR$}zrj`^_m`An1Y#MG8+csuH~s+20JeYcN|$kQAKYgB53>!jgn;ubZ6Fy*
z|MA82mZ3kyv`Cj$#1Hl%`Kx@JMGxIXm1RzlwD*3|%!08Mfe#9h0tWCC9$V2{oqBg*
zWX-t4h{$@xf|msKiU*pXt`Of(9ii{pUa#X1kN8C_ohA>jl3YHeK#%s3xZ+BQnH62j
zGjP8`?egp^e^07`1Ul!&a~sVg%i)B9Ye&b@H&uhVQuMN~iY^S{vQ=tRWD5fKGRjy-
zE`!V0wo>>QI<-7l*<2XfAb7~55=4L#S0i`1AOf6o9vR0|La`K#u}MjKyVZTx6kzfk
z!b6J_$&l*KZd_T0d}a0%5)8=$<V@mTw4JnG&9U?Xl!ZaD8x}s*spl3k@BruhN=7IF
z<_Tg%z54`3E0lmKX3apH4DuGLPpE8_;gq>q&7}YBJ(rflFGXM6s&2-)cTT}i)taoS
z?GD3}5Le)%J6_do%jGo}AvYML$=klGYG?B1aAu4kmv>UD_vJmv&lXxKM<mZPhVLz9
zaty*<+h#p9RZl=$nz9MZ!mg@zdy25Wb)aPvRG*}_A3Nj;UMWr61ND3KkvF~}`Fa4c
zTEQ0|^lc_PlW{uJCBOygN#N|`O!2ryNegzcoM$^^K%QII2=#E4axP~TJBbKk;MQwj
zetO$F(8w^MnN)T{O4ajjr0#T(6;KTP06JAc;Ws#b?LaV-vXqhpsO>-i2nM>THnq(8
znq?fSRK<#7Q?DKt|5N5lK64rb)pboXlXu&d%|B3D-K(Xnm_M-cl7ioGgI2SR{I+#y
z6dzg*bUs{lNSesGbBs5x`a548O2nyuj6*+Nonp_ZQzm-f7b*^tXDg9Q`<>9W_FIX^
zPOlLWsT}ylG!c#&4nX{Qo}dv!{8N=6*?0Cd@nq<##``xAJFSjkoHHOv(2rBZg>;IU
z`V)vU(U1ND)5)V6f;+r^EARsV)lz#$Tcgw)<J5@a!M;>}1Jvaiv3?W2IhlyDls!oW
zL|f^MUQHRuEf=WA{SAtZYscazH7+@jwS}ckH4QL>nX8g691ET!Uph{IhC#EWdbE>8
z+X`9&8o=_gr23myZDjb$Xj3|=U#oD$9$mWM>}QF(U!1r%BpS}Pybo0aou7)BT5Lnz
zlZ23x_Ke@tu8H4fI?Li8_58x1(&fu}ClbkKtT{-@<@V#9Dj-hMKcFbahn^aDc?Flw
z3f-EH)_w2ZXXc_QN9Q!dIn8*LpkL=^j27fL(@+-rDAeo81btazK=2#hyn2;&T`fMk
zifx;@3^UTPJ7D9}4zwU$knQ!UQFgF@0HAK)NeY#sefTE*S{NJy{%zSZhKRSYm=pFa
z;_lllxfBa%8d31%2%}jAD?&J-&-~_n1==m1if6wthY`IIzjmf>cst<CSudh*jWbLg
z0Za8fRdpNZ`qsE-I|P_x=-blq!W2;@yn_`xUNs;~b$bJxOVU8Pg6RIUG23fV)CG!+
zkYV0?S}xQ(Qh$fbAVfGxY!>pW<h&Ho4toFcNemI-a-R2znQD(HfpB0eMGEy<y4X66
zCh}c=8aIsWl|a9dOV1`?I;1hWOdUR5>0PZ*8>U=mPmmKqA`n#VtQT|TT<In<v8`Yn
z({zwBEQ?P9-03RxP9>{?saC`~#Wb#qMTU5eLk$h1jTJWQ5rI~!rqKG4d_;xRAbGLz
zgX)i+UX@Jq(dn)|b%%>WZfU9USL<czEcpG&X56M28Cl&~6wX~bntOKnAI{&02|NE*
zO$T>svD{NVqu&K93oZ#jZJ`Hnm?h#1Sim*Zgi-{~X`qgxJlD<3DNLwOhXP(|W|H<e
zK!j9m0c^aSu<kHCui$0n2!eOckQrh`$&geFlqO&l-Nvqi4zC!IpLmu1L{495UY9NY
z3CHgudI^NF;%}7_pLhd@-Z{om+5pbi!QiNZ7f{U{+P1v~4}FRF3c{Z}>IjZG+uHeb
z7TAr{vYwU&!NPx6klm!a19pZ58R<1Q-oR1?Mz_ks9Qk*m`ATx{Uf+u*!!K2yJNf8C
zWNIM1UpeROA4W$YxXpi-zF-rR704l=)D62%?_X!-A?Shndpe@4LPr#s+_x>RiDvX%
z1IEUTR$SwxNKIS|6t;1-XL(MldQ3`qrb3NljhH*>0Lc%rHn7JuW?-wjQsg|4CMf4%
z#kGcWj#f*_F41SXcL;-HgqKA0i%@2@7Rnp8){`ki2dXl3?=SOUCi`!fvwiW<74y6(
z=Ofv_>#T+3|GsyyX){;b`$IoCEG300NgQ^Bz;{OE{$n`;_uNiIP;v8~VdvxAoA{x4
zDZ|U+;?rVJ4?VZ)cfPj1el~l3j$j-atizz-%B&lQ*A@18#Ca{gx*3-!n8L+zIpMaX
zreS{QGN<`;ZsWzC#Ik6l`5~;HL<iqxLGw_ksWO%NuIa-$4-5(|IGu2GE)HHD$HqJ^
z#9P5^Tx2{KH+NG`%Pm&g@1M$BDtr<qCuK_H)cPs5lT|h9;cq)p&&w8lCiSiq8X@A*
z`!%;W8_i4<+F@Scn%7!!e|)LmNT}90D@~3spbZ27H-~!Z&)JciVK%vNYI2$4u;SQ<
z)=PDBqBF02Z2db!6+l7OA|jD5dilZ<E_RR!lPi-*5>;8L8YLSv#|45`hT^%@lJ0A&
z7dqv8g#@|xRlvx1kK8ff!(_f_eB=;W?Z{ZoVJ$s<fdzAI)BtlmoM@DlLiADYY~V9i
zUGPPl=-#zR7JscAaqlih0^ch=J$fYV%97tO5wiC$&mF?AyM-VL1*9pYeX=Swa>r!K
zx)iZB&h~sY!=nz&Zdm&*8jht8ru_`53$w_=cLa1E>DB#o7^5U86f?}HekNNHC+`fg
zs<OLf&VcNRkJxcPRTN|SOPg{qBiaEw9k@Q7%&XHg<l4=A+9>e1^b65s>gTjO_*?nB
zp&Xcfu^kIsg+y%&O2`B!Cc<5J`mCj$G5(pVp`>`8xv*{m`UQ+0krg+E9+or(teSI?
zQZDe|=HhS~)F!DmdcKUKkW#6Z84ZAKfeK1JKiH`K2-oB#cGA>MeLW+Hw8+M4KD^j7
z?r6s(hSh*l&|+M6+?6+vA`pXQXfK>`)(dM}g1o)&Fp}KQkkS0%VOq-Sj|%GYchuPx
znJ?V9R#MXMUh3i3Y)~#7XX0;a>-kx^^JVqs!H!gB>)6ux>o=2294`5Z8sF}A-Fc}_
z7!<uwU-dhDc3|YIwex7=hiC5B<qj5CgV^ak?ZY%?AM<;dZP;JW`0=rDpM0p|&uzOS
z&GsVuEssC`ugZ^6gFpHCs#Mk@qF=6ANw;CV1EtS4B3g9VRA(t{yEwfWb7Jvb4;@#)
zc?<<^L?+M2*i3`qw|+6cdZ;gI(P$W)Dw4@ej$45e2}(F_9!GQE=@2SH&h$kc%5-AT
zuhu?P#9WI#-(Q!n5-jByGv3cEBIk;prt%ldyJO0up2_v@dzxoJ5peP$^&P@m$<Lpu
zy7ANLfpX-Fz=bi@{F#~m0-kSZD>et!3=~ovU@<JrS#g>|ihY$DGtkgr%6+R)fEG)+
z-_#i%)gNPCjVA1d3Z`2p^K=|m!m&-4r_N$Kb~V<$CqXankX7=E_ArKZ?+Q02p4vt%
zpK9jRxqQ}F2Hz%bMzcDJp603gGs?KgP3IStEv;_2=w<gBl~)_>rDI<cI-;;^PJUnL
zDK=eOVf~JgG6iS1CWD!lXE{We=s)ZNMhjR)WCt)c^omVzPKN$beTv%J`$u=*SAz3x
zHVcR;0((B%VF#L4;|dDyPVe^3q#-Pb>Dr%!$Wc-5(H943LRauH9P;14H5Hj!K6&Vv
z948=UQ+ul4uF*$ud<G^+dAi^>kP(#Ht%Ifmwr$k7bWS*>4m-_`JM1$+F9vNI)7M<?
zxBoa9PMmx1@a7dvC6{i3X<X~O2nQ*_(gm0-eY1b@Y4_HhV*F+&?c_dbIPj43@e7JW
zf2<&}g8gF9w}}y%*p1~ag9!ItRTsN`a}>kASkTq`_kPi(KCWNrPWH?Cw?cY1EF{vE
zH{8Q%Y=A;5OLIBlfTUVNeuqL-D6ed!4=x20Vik^*n=zqS2dOZo%<_og6UJ+h?W#Hc
zSv$t19slXwR*8$5^{}H=YGkY_{Uz(lo63c12fX3wsVEJC`YOH!or1`bzv{J}c&u-H
zid}P_X(EnG|0J|+MT+>9apVNVg<)z9s#Yi@buY6NqnJi0b_$w^#aFD%DJ%=^TP(;<
zFtZb4sr;{tRix1N6_GP;x1RS>k2#(ARN$15;v*eReTSc80YRE9v|wg4p6wH7pgie;
zVjKosCqTBZLC?1zIj%(=8LMrsyeEpKrYeZCl*-}BRJyVxz)NmucD_(6QzYk=K3^w`
zUcu@M%WhGorg*+&`%WSe*(yr!(4?2F`gL-FX$Sqpj4II3aizfAT08mL{75!pV71!%
zJ-^7Y%3V6^L$&Ucg%XxfUh`DmJ(5iTBU0%5`paFIGQC7~UX-P|#Xq3Ec{(mdDieg9
z-y<d*1`F$t4LgtlwpGP0xbmAzM%MdU8Vx1}X(#rmqAs*g3hc^S`!W}fmoVgdf+d`y
zCHvB@u*q(uTnpyg?uj&(Vm$0dAx9}fwS~mXq~8$6Njyj&U>Q<w%qY(vK?-S5M{-0)
zn<t~dTlUiy6PC7+kHI_-mW;&zcZJvgkL8Uo{NMa|09)`NUPNEII`nYy3%n~owQ8%x
z_TMhYt%_6<5lipYv)C=SO*+4E@9l`spOu)V+&d7TAHl#fER}iX*rS@s2ZzcJ#9)e9
zM+EdAFxf$EH;Dokl)xIcF^C{0X|IynR;wRI2}VUlvsyIH^DQZSh%<|PH2gArk&G7;
z>I1Rk++-@bm$*g0rg#{9@u<`1_}nHnr5K<~mjv<RTRvK?WLA1-T*@=<GNc(kdcnd*
z3DXugyA;+`dtH;i@IVr)!+CF3TRCwKfszoe;;?1Zq2iImp5|aZtwY7~e;xXT7{!tH
z{TIXxfy)8_fqZTJ>764Hfvv9&T(g3&)8@yZTa^bg*`U;YYxQ1L>BB?)Z~0r>IXu9>
zH66p=iHOjLvl}iS`g*Sb>Pt?#USD!w8&K{$a6!V1>ZIcAwf|Y$?Eh(`g_d*mxY*cg
z6m*}n8kbE_@8Q2{4l6D!EC8Uz!p!VMY7%F*4hE^LL5TA|gf~<m|39>}!t7u2qgNpX
U8-KOgq1XL{fsV0uB?=w+UtuX0XaE2J

literal 0
HcmV?d00001

diff --git a/samples/remote_attestation_wud/images/localattestation.png b/samples/remote_attestation_wud/images/localattestation.png
new file mode 100644
index 0000000000000000000000000000000000000000..5867a3b1df056acca22667718bd692f5d72d32af
GIT binary patch
literal 6469
zcmcgxc|4SV*OoPeill|fFHKBBj3ts~lyw-plr_@Wvn1<SibB~6jeQ-v>@~Kc$kJep
zWG}^-k#!8l`rPREd7k(E<9Xjd-sk;eX71(O=X=g|&bhAd=bmQ>U3Ct&(`<BfbR3!*
zY6f(4hunbU&cpP;_td&c5%6=!(?DI7t_*jU1e`EBsK8a|=qh5^w``bzb5?haTb^`u
zoUMDGL+x$_c64-n!<uR;MvpA#QWnbZd<tya2K^XZvmijqH~xA>W@I(iIx(en;Z=?>
zqQ5#Z{^rZhV`U;DN5dqZIlbX{a7f+B_Q;*GGf`(E_=E?;OAx8x3#x2IcDWjdg_hH3
z*QFeAsi1nFp42J_pY#}$d&JjQC$2i+q<Yfp*D4pJR1a$&>VJGRo;jaYP>4f^TUFz9
zGWc;UR04ij5NVA*s)~OP6?~i<f&>g1{*7S?egEAvo2zppshO`Y_mg-QKJ(e2tEGls
zx-_f=c0-S?m`E6^AL-9ctI_1XT=773$K4IDfX{Pot?;`PpCO{j(x1zp-(kBF3$|O4
zfDhZCMVb4B)RVz;-MR^+U*D#~E1D}SDy|leF!yUpXfgA%--KUE(|__Bi8og%7gUXu
zCJFc>d-EJgsh9ic8dpx)pOiO-wf@y@iSo~6#VmRiN9oA7LXi$P(FLtfp2MRkj$Xkd
zLbg;}o;Dps3pLAl+0P%{U1Tj2m%>9thGl8C>+2hj2&bJaV`J!UsI4pgosDtabmX-u
zqt=Dl1<zG8IGud$6^_K~I-#u<UR^&jm2mPeMp>QfQhhR?Yag6(mfGlT=VXl-bjc0%
zg(w%#XD~P3Y<u;t2+s5>d|V7u<RRyQqqd*T3-PAJmjM}zEM!W;1LMX`vJ=U*g^)Qy
zv}qxhHcQ>`6no_YDX3m!e(4C|Xg9fud$&WSPG47%RMJU!Xr7(f7c=#O=B$vW`y1Bu
z=_~?m=tM|=f@xI!i6oFA8yV8qim(+}nQ2U-=2Us7dAVPOq47JuA-Nl)$3O+&s@&vM
zD*5&t;d3jr$7cP^A;SHODczxqPdB!|zs{l8GV;+YeQ~MaBA-*!^x}DKE0m00-C|+U
zo#<50?P3;)PQqTfkR74<9NgYePD3wxQVc4ei&!$jWnISh9HU<>%i;Qd2Yr+CFlS+T
zFUja<-1Cd4d<Z&%5^y|F5X=QQdV|pL1jzfLw$YeXGw3A^Lg17l%$5@G==tJ?E4^)L
z6587$#_B-g-iC))XUKlBoO^4InGB0GhFn-uc=A5q-KY8)nA_jTn@HF)$hJ`urWoIE
ziuY^uIH9#vEPP6Tr|U(5uEmfm#@vDt<?eoZfa+$Zs8Hq+lFJSxZ~ZOsjD2c|Mcrl#
z{@d5;PO!1U8H)&{_T1b?H9P9C&EdVc-rqS9Y9rt2BSZR>N7Af!@?_|Zu_OqW)z>;>
z42^59d6ZGh6^=$o!sA<@$o7#MowqK(VAyZGliT<SLpiMp)0;UhZs0HDeKCW*+tkf0
z>xWEHn-5`6cj#*@W5mB0iFvp8XEP8IEw+r#@Y<|yNWsHH|EH<@UytX1&hSHS2M&k3
z^ii-lOB?o8Kwc@go&rZ}WcfUUnZT05OBB6=G<=9saNA@sO_><6U-b?ad8Nn5c!7M)
z>%BC={T5md!ExE3b0d)PTwXzk`-K#B5&|+Quw*dF2K|d64b%eF<mwj!&1@ab*Yx}U
za0Scl_!=kvTj>!SM|)w|X0y8;`}3E{Lk3A@jiEPz03@W~Cf~L&oa58U{o9uSqEhd)
zQ^lrSs3L_*!ZluH_1no&-1x7~bbT)IJYi7>?bG$7QWkc25%=Aw$>1odG~FdvX+C50
zed2hxJZKs+E%&n`_gQqGI$aj@o1!aHu2X-Qhn(1LT&h#ZAC%}mpC}e_WT=(H7A^YO
z&NIWtGjx?LRtVna5~S_b#u5D&ygS%dtyj`*tiVuxG-aCo5_a-xo;q(AzbX1nUY8&Y
zVlD+l36ON<bJ-W4xR~L7>Zdy$(Lx!edRUC+kh@A(gLh6MGAQgw@xXazE$*v7Awh+c
zCzgwkiAUv0j&iT6MYMI<V6W8XbsghEMj$1l(mTaMeDRDA#ebePc~B+m`pf!{U9DV0
zUf11f@@v8s1iJdNc7RIg0yLr%pM;G%-=)T`?`pyc`7%M6I%?lERV@L(7iWqtsix&A
zHm|9tgLypz+%=b|^r!4$&5uE5R|}vh!z9?tccxyCk&<b;GP2z}HO|h?;Uj!jCNGCl
zq2zQx9`ePpdXc)>?oXMWozaI}?4|9rJo!H5>Y5b??7TqA-BRhXYFT*=PP9i);1rt|
z)Z@VU^#M1eSs240?AC=QBAOnELc3m9k_SQKa`YuQ_+ixWn6q*bPY=_*jL4EA{>pzU
zf}+bg8HxAZPW~gEGI^|RBR^hI>Ry69KOj%PdaA862rV40oes7}Jh0QK(b9B$ur7d|
zwq`_T6D^{JOVbR)PS=>;s!E607MvAA&T&dzXc<buo~<#Ik*tIcMGKrc%9zLHGLU^4
z0-ceryteb$IE4*TYJUl7`=&>lt=ifw?+$ERU<M5)m)d^3-)(i<lQ&0$Tcz!@vB(ow
zQz70`h?ZGZwJOu<BZY2VA1$sDff2%##FW!7=C)U0<D!(>2b%-4Q{UZRcGfNs!^aJn
zwCCPO-tWOc3(N~IVlmGoZc<pP{2_zKq}0&SAu~Hqs=Y3^@%7uur+oum5xs};*5E#|
z-6JAkJoareB1Usc9Dh2$_@1)ym5-z=)6i24VXrfgm8(d}p1}l;k$OwhiV$mO(rvSC
zPF|>v>6hRl+o%0G24z`6ToQ2AWUx~@c>b8+Iyv`Vl#ENWd0>qHz|KugKq!y}2*rvb
z+k$IRGZK9*ZZ<!2{6dh&<F(O8I+F3Zt`lFK`>;0Qeiq!0di6Ee99q2wxQij-!f-_C
zy8VlWg-xHUocjcm{s6-oL_6-%mmgd(Xk42A;iH=^B_-D#rtVGd5=#aTN3(Doa7#}z
zo^ezE;cb%MmB-8Tlvb~o3(k0HPMwIkxa%(1Lo@2)jyxnot6DU_@u#DC&yGnn-i7h~
zqCMUxEe9jyUyrR?(P_nc7ngWB>g-n9E2(}YF6S>hmv@)*xA;p)YAgjJ_4m<lXDU1F
zmr(C{)7?P;^UcPBO(!00e)Jq!%fPOGSy1vJ_IWOEY%ug_QP$s?mTgU5K5{y?BCi9T
zbIX8Log=&HryU8oOvcr)=vv8pEN9DGS*~4Q3QgW^Sv8L4iyhGA?ubLte&{u?q+#Y2
zYN#LC%dLWDr)x-?%fs)MZX?H0)0JNQL0%pthw`7nD%R*Dk=F}9B9CvoxLS!`fqxuW
zUZM@Ir3bEDG}W{4gQba=W9oL)yLao<Gq#rl9eSFVJ);F4pU_QU>1h(Rd9eDb?)uIz
zL&aC-V!yY@m(+u{dSaS`TQ>l95M5WfxUTQ;2IQ5P2wuAuV0q^<C_^qrKEHXh^#cmE
zQ?~nPXKq&3-K?j?5q(x+8_$(Kf$WKkb=dVc6)<pj?~#Cq-`u^3RC}7Wd|B5@^aA{2
z$D~8*2hrMzE$SFo8VHOqk%S9r31r+EAQ2sw(eF5f^=*jo1`;PA6Mh~$DfJ7V*`G_Y
zCtK0qNJqE_WRzH<Q|niT$GF7T`xmzz#6U_XGsv$^-2&!*%`ZiDw4?yiqj+_9vS)(U
z`D}KwL)eg4W;cvjc5P*)s{ntdI0?MW{ZqR+K#w?nsa{rTogC+Y_&oKQKL&lW|FNht
z3YlFSEopB<QO7Mj8_-S=58CXQK&{8&8chL=`g<m*Z+Tcf)vR>5E9n9;&zb`AMV*5d
zwk&ToLTOzndD@RsCGsfyA`yj>>^#=AZvHIEuG4DFKgfoHnm-d`!%l4@=XIp1_gJJf
zm3uC{nh03j^$A#8!KEw!UY^gGEDZrc=;310;lHS*Rf9L~eA^-i7%e;pLgDUlnecJc
z2IAIhSlsBlXho3M&zFFIraux3MxQSdci!0zSQ?H?I9a2C0#IrQ+-?I9M$K*Pl2<5F
z+hd@nRkvO5xl#+B%5@zZbS%@1G`!`kKCe{swPYZN_BhI>H5IRBW({}B`FQ^I@v&Ml
z3HWl>MPePFLAQ9{xuCXF-IHsepcS9?bpC0S+3gPKF*|tk&iks}^>2C(V#OuX0M17e
zzOVtM3-@U{r`z<i9`k8nZsK#$RtM&y*w&=m4wdv_XJXJ8&OO!5ZrT(uajWAcyFxQo
zCU7@LDX4@fG%NfiDTtQ76-)c%rbO%Q7uVkSp1cEW9$G6?#e;ZFqv{rvJbj66Za!{7
z!Q7QGKWul@Q65z7319L|f;i`@Af)6WS~y-L0+crDyE1CE)ylQ|yNo+yv+Zt1^XvoU
zIAxIr0C~4J7|6}$9WF`dYS8=%UyWU$4?eCs2GIgeP?X#^@B^~rZEv&8BA`pZ#~-bw
z=vgG8lGuT~ZcYZ+9GSK%hSK`Frt74Z#fP;+fsXsBnQ$c;6^K_e@TIU)HhpP61Kj8m
zw)2_^ar>96Zdnzl_u3irX`-V)ZaKw+ucuIJ$gFUaCs%Si9(6Z^k;m^<HJQj~brea2
zLr=xf1_j~S&R++$E<$geNK6OkNbbt#cJ!1rdTvc}1a=r~tYzQ*_+~E!5>gUEDTkpS
ze-51-Teb#(dXy?II=1y^JBB>|XUmlg{(Fb^e{zWx|BF0OY+x_6w`}}dkEzJ5s2agp
z-0EuW_}Y~>UX(6JYYSfc45L1uy0gP8%KU0cOvd`b@}C<7EKH!EvE1WMZ*9z)SrKky
zY+uBc`4<DQ3Ls=?3qv}Vet;CDlEo=q-fqX*FLY+BG5iek+8Lwbm>)Sj3%s9lS=qS!
z$@B!}L8d42-y0%@!P?2-q0BY&FXswoLgZgw505cuxc%}k_&GTvp5BMbbLvTe;qQjf
z$bG}_z-k`K{0LC1y2$CMP^e0m4Mr++E_gU)zMs)0B9eZXvw-B4a6u=*89`ycukgpm
zp80T;K>+(~AAZlIkXqa<GofT`l|4%rE$}NqCs6`ksWM+PzIIePEV!1z(I7CN#uPoj
z3*@Dw%gr;tOX#Z&m>u=+bBxTk;8P^fl0|LMb}*`CD+i1Qzkj7UxGyYK&xe?VXMDnP
zl^Q!Y3sPe*8j9{?NRR0_p06pRwszW;uh&hLx@0G!H>K)BJPE)BOT(&v@=t%gF+gxO
zvFNoCDA=CaPxI&>e6x+dlw-5uTm*rYd7L^rb1@iGrrhX#N$0-r!Us7P!uUa|i+j#T
z-5}vT(_Ma$lURj`KQJ3%X1QXQ#R*x{)Tg$Uz;2(zuYBN0Xrw?v*v$A=oB(}|Y-2qo
z3L5eqp|3o0sD{M?q$h+qZ=t_;CLQOx|H$|jy$}l_%S(Fqct+<9(tJQJt2w7a+94NU
z{gnkP?5*NrVW0$PUD;bL&<<wl=HOb`jlH`;E1-rA6e1$c6j1@J;%1|0ZVveMF7@6o
zP^^FHnxfj5bHKCMCO;oyJAlY`#>Uql+nZc&D*W!2)%=LGgAfM%Ib>Hzb?gzV3rb#x
zTp~Dmf!5$xTbSQ6KxewozLeD)4Z8h)XPZS}$l@2F6&f-uf1S}WN^HPQ=>hk$0QsO=
zUgbZ+nKOQ0_n^zK`#piGm$TZ#ka;XubMY#qKn#dOKFM{J8~3|*q;rZ`+CN6S0YF|N
zaslp@qnai?&M-i_4$l-bZ)c#k2wEUAz`excyZaFR0J<C<IGI+iJXWl<=?j^VKdUzK
z^@ju^6Q_@<r^JDUueHC#=I`w4g_48iBg&lEYGC|K<WlyxhVw&=%cI`=4ftWg>221)
zMH{qo+K4HlR3M*~@PzzW*?YqlG%%Lt2DBD21z%D~`vLwsMX$E17xo~sUY%K`zMBbz
zweA|Nys?xD?#gtehV%+Qbo3Qhf4k((l_~@0eR^#l?_U4Xdq<5{l)bTf+y%OImi4#z
zmfxQrr!jBlX7b?HZd=Icd=IFp52~1)WuHDuB-%zH-(e|(BAGa>7|_}$k@O$3vV&_|
z?=+3z1uGdnp5X7^p7z*^A3CA%9X~bwtaaMutzE3>lX=sz?4`dHmn~14#<+XX0_@Z*
zezBSWQ;O)@r-TL?lLlu&NEy;#`|0uWLQ1J~`in-FIgF5B!<T`<hi{yp!^UY(Trbb1
zl`B5f`zAmPP<-FXJRtgMz0x(<9OL729nW|<A`J($84u`rq-Dwsw(v?>^-4ZQgGt-F
zVKRKyV1tVR<3v7LIpAXUi8^Qfn%^aY-wkNJSIGENjzK^J0Yt&O#INJFR4+eTFW>F$
zaw`V5ruLIP^2JzoI2o-`AM?0U=K`*rAZtvX?O8?v=})xyRaft|c9l=-B@gWHiTK}1
zZMiUH)#g&x*>T83mMrt@g;|!E7wPVf(Jut#94wN~Ex`XPvE)n@-jP)pZlkrm|2lb(
zUD-$Ol;04I52R**XvWd-_UgBO)A9eF^*^Ak^Kisl-_AvOrh?TJGCpxto5XASVFoWd
zGJTm>^fZdX=$ff%e{uNGw5ypBMfufGYZdGCjgdnGq<s!SG!DAM()6J4B9K0Iq>r~j
zX^wXhXPR1~H}#eFwIDmGt={FHgLfQ{Gl$f;?QQ1Lsd&5a9z{gy_!un@s`BHj2rx&E
z-tYLDQO|!RwVe%?esh;&xykGl1$VEe93=XB9C98jQE@DcAyY2eP9zQPJASkv<X~R=
zfO$9_P)WpiP>z{>Gg<t}Kuqx|O4<0}PU0atB`bUQ!`j(<$I84kB}a&CMnFx2_GZLM
zOVRDtwF2F>&6AE5_a62|VxEmH)(cCGmt~7KpK=`3R*)DSEpCl)6Q56Vd<tP`8pZzz
z?b{ks^P?kF9<2P&Np$gr_~1-)&~N4J1o#^$19R)=YWjY%u;=4KU=f__R#tq@DrbMB
zl}i$60b<G=e+c%hVJF)Rm$QHcorPg^;?gJdDWNM8!-4Ht+w$Mm(8p_AOQXA;l19hG
z3RV+m1XYoiH+t@g59aL?Ojt93c(Gm)ZZJlfC>?gnvHzoj(lssAIRm1T+W>9YhFA@%
zYO21`H7gi83$<EP^|&u`yWKkCg!1LtzvtT^82bXduNX6pCQ^qXewp`j_R%?d7Q%L4
zA+xOTUr9OjAnK_%{igszw6Gf6A27lepm8Ud0Qwv>0w{9wwpmQ#9${KI9o+wAIUC5O
zFLij&T{%$g2LQ`0i?ITXopqom1$*)%-0YhvW_&=gi{~%`^xljIf&Gy(HiA76wbh=|
zc#{PRe)jJ7x?sbgd+VDZ?#vg;3wuhz#`TEIM(8_`weJhkqY`f?GGD-edkH|ne;2YN
z+H+I(v@~qoNjfYuo5fKEkb=LthJlPG|BLQ_(cJg>xB5^A4#w+?IKVA?iscQb&f~<J
zo>1>2_w=Xc>wg<R2J!}ZEDeNVWfNbB-%}8+eaQ+Z1MM2VoWepj*n2(?2-<@zh)~bm
z4-B>^8;7>@l`U!kto9TEfte4H=RCl&1yH6Vv$BWChk;T|_|TT^>%*SfI5|1_`=4=w
zedT{Q_IBwb8Z=ueyt!zldYHugZ(iU3C*BVlEDkxK=<kxY__<Kerhvab=rnKWs+Fl)
GhyDWuUaElr

literal 0
HcmV?d00001

diff --git a/samples/remote_attestation_wud/images/remoteattestation_sample.png b/samples/remote_attestation_wud/images/remoteattestation_sample.png
new file mode 100644
index 0000000000000000000000000000000000000000..456b9cc91c71b331efed16f3b255a73e5b40d41b
GIT binary patch
literal 19420
zcmeIaWmJ{l);=r(0wOKl0wU5#C@CN%rJ^F;UD6>9O1IJ}CBmjRn?@R>Yttbe(%t{H
z!Jp@x|9PG<-f!=R_x<2tu!XhOob#I3yyjdtcfbn;DXiOMw{P6Ifh8mT?A47M$n7_7
zAfcn*1fR@(q&)y%kZfN`iQUNWrdR>rpcskDi{7|V6oz@Gg9^UKcrUGDd*cRnBjO)Y
ztJOFC8#iRFWuA$?cG6r=I)~kDbza)1R=Idnw_>hP`a!`iw4^B_fR9!M%|Q?UNgnH5
zp;w+QC4r84xW&D>+#8aWV#~TyO=>rEP-^i}=y18T*Qg*bX<qd<(0*buDzckBcMwwC
ze_bcv(+SDXPd;|<rigW^taQm*TlwCzx3}lEJnW0I<THNA)>&6)wehozZpk)mASPd@
zZ@uaex+-1mxQk6Ds#MXk{gfgMjoK~m4F;_*uGpC<?7o+0pO}TRIseg!k{Yq%dQ%iu
ziEaM=PrdzUy?3R?U3XUHEJTnlYaK7Wcwb`apKpyi@~#V&xXxWjDGS2%*V(wevur}<
zyvnO@ncrORNp}5k(ZXu+5myYIR$r$VB7+fAF!_16YD2Howg$F2<<}>suT$#8<s{I%
zpgiqLd=X-wGG%?6U55B^D$@fV)ldHE*v~3TRhgW0jH&r+?arz4gl*4eZz@I;fE9gv
zA?*cARukS|@~3R%6i#Nn7;W5#-2@K?-?F&44mk+=MJCtUK`u!RSR{C2IX}D5jy=2?
z65}i75=tui(%}J*tA;lna#)J+dxdWOxeCcECw%g?6so8`S*+SJA=&NU|IqXW?a2zJ
z-lvYhpvIDzyva8%EyN*uc;8J%(VU!}a@HIY-B+5%gR&hOAZQip`VZy}8cS+ma^Q5~
zGM<(~)<1j(Y)iLR`ttXroi`ULO}c8#k;_6_63Ux&FIphe=c}QY$A?l0Rqn_FC<PwJ
zE$2>VWcNTY&`Ix9?xWBSzvQ;FC{iygvO7-}IXyrcDU+<Z>DYR|LA?a2sHLo1vnJmF
z;fipiR5eG>V{+L1u&>k8pkJ*{zZ0q=Z=v;dfw;HZ-^CPsIhhjUv3F2xwbAFTTuAWN
zoS$Up6_z=s8pT;_1lX_=^Zr1;0E|lbwA*vnoRBLZJxRU83E_!%O$9QocPj1eW@r+H
zjt@SKKJlOY%JV2J-^p_2M97IPYz28~-t+VA9Z&9bvSh)Uxw}Nao(`3<yfXu+>C%v*
z{V@g{H`MEFP@S_i{B*8{WxBj><y;b-mR>McDYYzCj?=cCLe*vIty~^gk8rK&>CY}H
z!%!^>{dj>7`~2|cz@79gJMV6xtg@6JU-wY8i#3m+@fr5Z@Rv6}G%~7EIE9-W8>A&h
zQ~g}+4{NsJ&<lP_$6-%VNrGAWDoXnSMoC(@_Ixw;;7#Bs-XG@vPuLtaoe$>6(Pz`X
z+`6@{t?kD=rzQ6pIhprUkY2pcMMDYgXe_0j7xJQdg+0r|8Nyj87TeEn!B6hm^1YR!
zJA;>2^+MEcp?#;2#x;vADp1OJ9LwoIFLk8F;NgqPx^|O`ek3XgUR}P_8UqDT$Z*z<
zeqmHz;OY_Np?tTS*=p>=Em6T2zlyTUW@RAVx+{^;s$PX0QXK3>%W7V^f>=|Ad&F#P
z8g*#JwLfww@WUkM8RfWtvx&hh(I}1|+r0OkOSf>*=S9JGdO{b9)AWlymjwC3q17zq
zcrAv*K`*26MePr~I9xGl!WS}f@4^bkl0#w0E)NagI6aym^TzCHnYevEWN_=XCzf7L
zYfyqnxf@RWMTOPxi`f#tnR+Lr${z%=wMEoh#ZMd^F)QscpJr|AI5z%PZ%bj<c8cfa
z>u9VayXO<3NfenZRbSr2{u`aPi5OQaI6sy&Ez+;2w&eX6-*@5#eKWxo>_k+?6#<Xv
zjCb2Nt9Q~dFV#A*JmsHG{2Eog-zN^kzAZdAYuws8f$FZq%|%jYL%krwx|}!R|Jz-s
z^;`y>7842iH*gPNnYr`qE#vnmKPsj*&l|EYc0S&pc->v5tvh6+Hxr`W^2=_3a2fvV
zhmrLiYC+x>j63k7!cyG<(d3sjzH-<k+w(Vr_X3w@#n}R;jND_i3{nm^M8eIes@0$!
z0|E-`F6-H<TWC{cQ?*3#Xs5WRfwuCDscLAti$@X^Q%J&-kz3k}Kf?X2-*))oa%r{=
zJCYkN5hbYAvhnbJ@!`*QTzw$i1Sz_0Dts^qZ&kKvC6N1=Ls{#%tKd1kn&uYVqq_C{
z2!pc5QwR<}oYH^445$5Z)R3FlN`9v}R%~mgl~Js1<OXMRVVVAVzJ!@!R_FSvq;S3K
z<^?i3UzXSit>CE#VC7S-6pKAO=#4Kpg<rI18arW*b!n*h%yw%nqos#;CR8!?^Xi*Q
zY<BTjLGbyUxB6NU(Qut}KbGu1?b-M>`lyxtqIpk*C3y@(Mg54Km=Vpc%j0Z^cMr3A
z_V>`5pdTfp-I}53s#4kg+nofo1wZI~al@WY(pUs_rl_O8XU@Q}oNn|C=(31SBF`@A
z2-z7t#NKq;XSE~veY46kCrrSUpsp7}j*`+0QocFZF>d;(O&mvPudT(IHH<D7Mqzf6
zyx@yFn^dA)AU;TA;iX6~zO3UX$jnKzOyd|B2lK$NF+Ih&=;y>=hGTj6oL^khd~I71
z$6*!7K<Y>{VCd_gF%Is1-Tp9Y22MRu3v)8fCIUp_LNmZo@+Be6_beB)iQR_$ca~M9
z*ex&1$-7517f0XMkCZ!-r6=|x3_57OA)DCQSqjl^4f4=tFh9)$)h@OwNMz-KP05y9
zwbh&4UP!{%IA#cenw$Py^^?;Cfn!-%D0;A^(xT!Md@<=x*Y~GWuP(akwr9O+tiD9c
zfMCiOnQX?5Mp>EF6X)c`Gv=r#yt>8m5bOE*1lf~Q`{<QOcX@;8H@;Yvoh;v`?zOSV
ziAX%Qw=rvN`*?f^_Wy<|h8_@kXgQ@)Yc0Y~OCmd8`(~<6kkRKU%<}d(LKIod<oDHs
zg7*3q>Z-CnHti)?hO(oCg)BxLqgjzJ*mWQ3n|`(sqJFe6^>%(?zC+=`p$i@ABRI&L
z(x>RO+emBP?{<Ts;VB<lZZ7lmXu@tzRx$xH-Euotm6WwrP-QDNsHgu-D$*JLHKJeA
zS2&2}_@P0rzFyX6@-8l(=PgymZ}ohZAQ-d}kKAS^I=6#V-#tEfCav?Hjj~uMbdHYu
zP4Ulnl{}tmyJKrxz<mvu@?tjWUQGPRqAN$Q?nJ+~6?6L((|=GB`;dp7iNF?G>!&86
z`64T1=gVxvZiWOpt!7-EwHc@;s#~I59J`JO+kL$jgwh_%aN!E03!rOchs!9RTsA3d
zjoGx#rRcG|vl8YQIbtyTqRqVjaDLC;v%c-M^;>2&1_EZQ0Sie@g{(k~1x<Bx7L}?X
zSn)mIXF;0-aqWd6Iu+(lY?MnKXqOQrX-r{in>RwvPJ;G6TCRHmMAA8?DIM9B>kiZp
zsfE@<>PnVE7RV3HLO#-k#*r2edaoaWP2bFZXD}X!i(l}0S&-H290DAryI>LjjaO;M
zMg9SwlN72IJ_u)Gvyy<@g)b*%$K)?HS<=F9+z<9`%|3Tgd9$qyzcy5n7)kBu^j>B4
z-U(>SiBc0Fs`ii)HBD0s!@hO@!M>iNg+|3Oy6|119wiq+XO-6@R2wu=BBep~{iX}C
z-&ew4tH0EIZPob`@}d?Z$5Q7#^L8ast>=8Nrd3&}CkpNxZoJK=)}5+BG4#l%Hj^cm
za>Lfg!w{8a&EjiD4*g(I?Cm%*1GS!3xe6Ge^ONIZf}b^0{+_v8J#na?EQM|ZapvLD
z%0$onxw6MVuAuffpRx5jzwsn(x_RLP3~cMOgzqaaUYUQ#<@A~wQ96k%E;=K_h$CZQ
z=Q}O_ieM6u>QzS@Xw1Bnch01IFlhCkx?Ya(KQbnk-2a_g@EIlQg`vJ<>&bth?X?J>
zf$3)`8L}M$MShEWnP#%^jh)NZ&eIq7VgsK<8_1Ys7HjKBOW%Bzd3a~OC0bW$)c^Bs
ztR+}7xm(8b{kPBKInp})iO}xBcT~)P^qk^}#>Hn$p5*8IzLXVurkh5>lC$W$qx4bS
z<WxoOOMJ}dfG>)VEWcoP$%D*yT81}ry3J6WF>NumpB2tTKB<+L@Ui_dj6#rz+MgUb
zZCJzvqil-Qb;xXZcz?zmSHDc9l7%41>MU}T)5dYdqv!19EtY;RTHhul$?WONlRP4#
zz&rij;fXk(@0>8y{}!CNg6pTtt5oPVy@pO@S6fH>YtFQZpdc>`sqQ(z=qQ!@xaL45
zSVB<6?wl^>zjh0=KI!Li#UB6~rnIT%6lea{TcvTuyb-&t?Kk6>13#&cD%jPgGQ3pZ
zYbmm#$f`q8Eclg5CVW2duoA4nuZ{D$>Fff6%8IM|!w#zBkl%Aif^~*L3$&&`p!Edd
z_m)6^hMQD)5q?U?+}+e`+u0{33A{Zn-dr-M6jX1M#M*2>QB1fXv7q5%3}Z7cR?B3z
ztg#-R$f_|aeJUmjqe2gUaWvmrRS>09;dXcd<g=3jAZPkrKFeP|=d(FUp!{goIw+-M
zbNmKmZLDMW{LX+j%j-FVdusT3rr&+@nurn}K9kcXfwAR9gy-~Oz*@3%7J7a!q0;_J
zQ(HRT+9=qIL%!^!B8~gLE1nq#G$iJ)sdKbKQ`d}w^Onv=qYG1NUaE((&zZlVGAy>4
z;D<k~F``+jY0fIfV<IH$wh~%{t7f_|Gswrj5VXX~B+6~61C^X!y5T9Td$)0y`r=r2
zv-)7Svsoqx-nlhMM;bEwX1I-Qo`g#tRQ_3?j$un|-J#kC0u^TM<=L?g-gN0a^(aPO
zrP=c^74x4KXhj*Z8aai57>~(O;w+-sI-0&(n^i2f3Tf0>ZQN!z#lo26#|d648Hm|_
zk9FEd*waoR_6fC-LO7uvRYG?tQrpf<%wH;X5G2k#M1+yTcn`R(nO)W>RBOJA#9I{B
z9aRYxY$~MwV9Ly1cAw5C!tyfVGEx;PxD5Bj)oK&kf1)VQwd^+kG$mzN&t#?fut@-?
zB1(w*O_)fm``Y|CpIr(b*B$Dq^PyRz=}v>Y)X=aAdlldChcmBahc|zbn)QpIO;tIg
zIXB>FBS}xFrr?WjRP#_JXq_$@;Z(P4jYUQrhp>x;vHV;h>`^;JstU4{Z}SA*Mgw(j
zgy@$2rbIt=r9IU!gtNY*i(+HaqY$)(7l{$UH~J0x;z<QX*(yHC!#0p7<HH{Y!boNv
z&-I_4oMmE9RsN*2TN9jx=e)^ItZ|uaoqQ@|_QP7)>Iu;WdqoDH82+oqEVV-~OL=L+
zX3{{%;(N$8n-@MnYYls&`mkDQED%@PCo^westsksgsG3D8GoQ<<g7Dt;K)-yCSDwC
z0*!99lc|yQn0P4dK<U%ly%3C?n<Zs}uNoJV^4ey!pFhtQDKeE|tb|Gd9zd$mELx$t
z<o3X>7%&n%?A*kWa|Bv2n7xB<L&R+*UNYg=5a0C2E;Fw?cMzsD`Szn>M~gTwaui_D
zBHud{vW2Kp*_nkQc&y><6u8za(SD}2Y*b*HZ>e_DX6<gLB;d$Kzf91yanFAN2`K*k
z^(1z{9<b2V8tNIw!(Nwp`Z2urtR*I;M}>#lNAOd8<T5<{Ms705)V}yQ`42rmQpmVU
zKI&fl{5)3`aKll-1DS?8+EB3;VxUMPqrEN|$4zEu_Nt>vL32f)9mlD^4|a*;VWD^n
zsihdW;-rN7uznZrM&j`Nt6Eq$U=`4Hx!N_`dK5YwfaWBB!c~7fViy<sxZ9{BXZ|;}
z3B%BgUgUJbJE5An&yHFt6wC08=zyf^SESx=vi;gYm40jW<bIEg@(*q=XU6$ASp#U@
z^=k9Z-GwV~w^TJh<djR$cRsj4Nf8E(-2@q)6R$5hjw}B&yfEI4kR%Z^jZZmx);tsb
zPi~eq(2?^+^9+xFa*ifE?%aPc%EJsBX9Ha5bPRbYY?m1zD(M3}6*tn3X*B^|{oH6Y
ztx|C;jmGwto=A=;)-gJ75()+ef+i<7#pWfqVf#5c1CZ0FFl=A-=i`^;9)lGem%>y|
zU(-DOf4m*DKd5%tV1Y3S@A!YflIclTN_;T|v4y@Y{a8D0k@Ru;_F_$fW3<&on8Gj@
zDMlqvj)5*?fv{i8Xznm4=PxZ*MM17+eWQF5gp6tYJptO|BUpvmhm+}vcv$`_@+3bB
zWyNPWdVbpDV)_oQmwhY2H;j__vO7k3IvYw|(oDlH#zT<q2$6V}a@+xpNv!aDYyxsC
zx)Pu*Gl&#4GqulvaczSK1TTAD@V7qb>bg;!6l)mk{*?8gOG8BvS`x5XnYIbAxin0c
zE(*i0Z#yBRazwFhiOItxpLmh8wdkE?oX}RPTv_&_WRj#DurpAHpH3{X)4xm%7LYrJ
zt=t4i!30JjT7Fz6!7_^H7Y=W@MNqh6MW^HLMKYzkw!}*JD%rT@w8}o~9R%dAdVJeW
zFjb8YdjgYai1Q;?WdaR;0@3cbx#)50`=+;Z@QqL^#-i8C$T2nwgid_Yp68L}a=YbB
zJOhI!==+`T3oDe_(U9rWLqGSMFF*XwffVL~ann|ro2~M^i-e$e%2c!oO+KfHST9el
zIZ4Qj5>dfjRdmqo#DOscs5$e_+2MFy<<^rkhS9`5bg_kb3xe__KOwm=a*WN%>JmUa
zte?HoZku>|Ddxq)YIm?F;|Cksb8&ElPn^JPBKG^lz*A70>c9VjbC{1foS+MMFZ8I!
z=&Zh*AZ_dxENggo*-b@&<znRJ!Wv4olH^^5JXvYYZzn1pI`v+Ocd9(LC|iF^HiX~p
ztNxg6SyZ-R)%F(XHY#>|W8FEVGoOdZ1f{>R1%ofv#Of0c==rnK-Oq8i9%iA_teRy9
zn9D3>wI3%5HMz8pX{5U;hC)I9`6lfO41E-bStfQ@LIvIq29tBS8{A^9XL;u!eK|nW
z7OGXz*O7+UsKUMqr+T{tNQU$(PF^9<c!I`p%lA3uEr8FDQObmU9u=lp=;GGN($NNA
z<5r}z!hch|ihV!9b1Nyqv~2ty-QN8?GPCyK?_~EdeJm#*x7p}Jh`u)8!Q42a6Mtou
z+7=`KBmafaH|eSlj@yK2FwG2ey-M!7HVq;?kCV;|5zRU@%aERz#9vQHd-b1Q#q{CA
z!Q?5ZoW``e`VVmvF=+W>=*wwK-nv`<M3wL3jW8*&vjB%*F9vNcl9kBEoZGfUtKzSn
zioOEU4SD1-2M4$+#eHO`{r*8H-Y8l3jxb%g%4Z1H_Z9}(GRV*M7V+(PTzvd%3z_;-
zO1pK9?k1u4>ry2#{#?qE8@$_Z!tjXii`?tylMdqsi$~2DMyY9oK*4T+?1`;Np0YOe
ziZPD5XSasC6@xS<udHwu%y|v{S8pwa`=J72{v%|3(b+>{2}R3Pp^5^E1fOiyR@cj9
zhkDjFCq2R+@?13Ax;KyEf+cAB(uU<`tuyr)-COYf914`~>RxCardgtLaD}P|7NO<j
zqt!&!m~#8}u~cCD%~2<SbzGc1bC(3-BknK!Bz9|0X%axCYw@KL>CFbi#GU6*hcvY)
z)yK|X`bT%+_sVz}!*eIb`0X_zw%zKi!#seLrjK)pL6eP|sbHnpol7Jx2E#_%a{&sj
zy3nL^MrMs9^?HGu+hZI8*&orFMhf0pC_3#L5EL@UejKt9%&IH#lN6~nts;^p?}hkq
zdCU<BKi{$13BfWd&|DhE<NOm+)TlndXD@MdTO26^Zze!~vGCngUxlx>9K&ralfq2|
z$KNhEjH40^fU#Za(=ks=O0qjTK<PCU!YH5g*p4K9(xt??_VB~`Lkm@!$!v1R3re$P
z`1<?P4Y%@rpl|?lwQ{~c9+TJTB|bJ0TXJ{APX;s)|5nrW>DPCyKrLJ)ZXxHzWcaq{
zp@KhBrG3Yb@0{Q25lSfcj8x<?pSc=^DwSCol~%FCa5{5xRLcFtT042=`-Fm1^OITI
z6~+sTbg_PqotpowCKBrc%2mr6VHGxiL}V|&-P$|PZ=&fsLnJfWBkz~@w$aRt>O5ws
zp;S5P6(VpS6|@>3#m5?_D(6Sy*93;DQ08R11o~k?>)w|f;=j^R`>E{KuswCK%Y>lk
zC_NAE+&uVlDBEQ@T@z+V42i2RY}WM0y@JUwjkYUL+}NK&@HT7eFD!WjPy+1*dm#co
z6AfV=(?udj6gwZ31nO!|L%;-=Ro$Bt`gEXZTxZCs!S+d?*wy}IiQ|r&dQED;UXV4Z
zW9NQK$Nhwl?lx_Jxjgst;+c}?wo3-{&n2!_u0nZ@lRW%0M=3Zqsn;b~YeXcL5ZHeJ
z_$rnJx4wyE27@GyzVPJJXa#6pIicG7NFFB7ReeE`{WZ^XljLB*aePPle4a~Ug!hw*
z^I6|O)qJZMXhKr`x0QzJv13&V56Soid`9DxAGX|@tkj#CX*wdjh<rREDB07tU+JWz
zSgpNnen$ulj@izI9#HB2dPgrISg1Up^?3uxM*(^V^lR7LtY^7l--28c=Fda5^*eLz
zaBDT<0>l!_HiYO5DYvB?w5B;*+2e@$KoSaCq&hzFju>kB{pv@mb4{3y4{WP8titrL
z!&i{1unCYq2{O%!#%-`&Bk<FY)WD)cAl-(zn6@&FaCGwf8ocYVTU*J|Z{)?t1himG
zRyMZb{HD@^x`9Dduo)6Px!)eOhn}M^bp&VamhPU+rz?*PQN+4&V1YRp=CQ?h+)F04
z&IB;>Jz5T20ura(Vz9%oP_IX`CY00zkh_x{_2bqkQBHB#hT!A*`2y3-$aS|oucmYr
z*JqlghKq-_WxJTuLN7kJJf<hH))h`uxOts?rtu&PZh9o#PEFvv^u({aS7UhVEf%cB
zoFO@c=}mra{hDH(usyZEtXqYqHNf`>tp9ERMdkj{%yVAsW-!HQmzu|WO`aS`XicIw
z(olXQQ?lf7w?t0SgGeofHYg{F^{j}!DA~s=lL&7d^YRqxh`&l7S_6gns4WfE?{(7l
zk2Sxi#MJkuzqLP-O7gK3N}hQk2o$jE{6|w_k4EK_AFpD$AL{9Ujwhj(WiR#YXfU>(
zhdFi5L4V12QPh1i;HtkafZh>gycbxuIaG`3=vJQ*jkci-Yq*TJr4Unf%sH0U3bL#p
z8QOLcdAgBPqx*iBBgjN(dL{SAQuM3zXXYSD;hbdAsLOuY4sM{341KL?&*pmE*B6{N
zVoqk#!w?LrBtn2W8P9T;6VYJK$fRrCoSmx&R~8j{iNlF_#Mcz921a<v(!7$Jgo}r+
z+3Xr>ZKR}m9}ZUSE6!6o(SgRKDF#<sBz8n8_qLu3PLcT9VOR2OBey`a9TOWk{5&|b
zoCMQd0bAXPA^8r3=0~K@F>gUhxe`$D`enEJvt%nEFaVPWnszAqZ2j0`)5<5Jj=ibf
zzwsuBnU7ku(1}g`yAC0%A1VR0;nV6i4&{b$<1{sb6v3nAIiO|h-&KI?woi4Sg8_Oz
zM91=**DWqArPdcgwD^q=^2iz)E+5}pxn?qE-e=H-Y*8ok*rdi-t&<;jZ$weOe<;eM
z!knQqS2M$^4R5^jjrJ-GN{HcQu2pT7$tG#AwN0_;#i~vU+N!@?!GtTy-0QZ82s^Ut
zBz#8uDI~{edg6<uN1W}!>OMFK5n!-H!r$-*^ft?IdI}Opj;VcTV<9ncXLiLAUY*nB
zV6K2Y%Up-PvtRO|)8NG_Xi}s*3T_>bTV#lXj*B+Q@A_xk+t|H{6xTnC4AT%ZW9N_A
z9N(rO%K}$?$$RV-Tbge&?pA{F?Cv#k&^@uTiJ8Tq)Ee7~XBow-w8Y%cDJy6(JhG+1
z#Ed|UALj}nL7(p}W#m$En{WXwD<-{kT|x20KyQEF*N*DSE@E2xJOBTG{(ry;_En%_
ztb;;Wip!i>jZUkRdJU9H4a6iF6upQw9!7RCX%a9u3GW7ao4A~ZN^$csVTq>g&OKjW
z(1xS02->YV;K5p=V)w^}=j{)Ek5c1_wct@qx+JpS`Ge1K275DHh~{a0H3!mVA}&|x
z%rbn=6<l^-VSSP<U(M(7emr6^08(7ByOs7;^Alvxz6~Q#2nv`l?$>9t@Pvb8m7<jy
z6k(7PofSO(@&zm4SQm&@o&_{P0PrWkRRQC!HMkI(#KeBN!UGlqgBBiI-v`^}P+_`g
zr@gC9dLEbaZ0gU?u6481yT=~0X>z4lQa*}UzW({ElLzxo#?yTcDxhN6ZtQg2jy$$o
zYYPy)-tdTvv(ldBX!Rw&NT(|?dz>OHGzETr{4jQcbhTFRfB!Xw-h9mgaK!U%16`n=
zwuaLG?m0=QI%tM)kw~pvuq7pCt;^>ooJZ5mvWo+ds+&z@E|8Cf2<!f*U&T<pYlcYK
zz1En3K8Rkua#-Y%&SI5QyKANWSt&Ez6XDJO;W%w38hJ=pe$l!w2@6Hl5_&%C7q>af
zu)6~1B=C8M{J)$hodLh-)>SxM<47j?iCp&|1W+5+2E}xSwL;iC>qO#kCQ(&p@&4yS
zok>r)0ImnBKk-K^kg_F=)9@PYfam|qQRuAK0t~=Z#mTrHH{pLh(m2Bs950Xuf!UL}
zj;3XJ(M+zC%o)e7Mzy~1WTl2WEK~`xL1|B4y3{^t0N#IFydGI;U#g1*1_%aODNYZ5
z1(>i#EpPpIpx9>NoIzkGMGh%tH~d$p?Qf2wTHb7<zUs>>haN)kJpLOKmc;)1Kym64
z0gohW&%QUq7y9ogj~jq1_K541?aa7v|NAFoSnbw|7MA-~7=`0T@_t37xHf!It!aDG
zK``)T`*Zq0Zn8AF8+wSs((5P6zoHcB2~T*Ke<qDe;>%D>STLWSuu4sa?9VihYyLO<
z<PkS1j02MILdNfZ(>v@YWrPP7K9m2#7<^y3*&d>vn-%_q0D=!8j9ib;JdcOim_e+*
z6KmGdmT;bO-ebD!o5F&wb)Tp}Ek*q>$1f$Z&)Z<J-A@F%kwN4dY2M{Hkhz(PkHA;9
zgXPBiogTqsj1JGyO$5?1h${D;xXzz#d@eS%Ui8gxvT3;eaF*d$`d3)l(Dz#(YrBXh
z`0EpQiMSVEGjl8V39E3_%9-m<R9?o9kZfhMjl?gbf_c&I?(Rt*`CxZflKe%~TC!Y1
z{aZBCK}7l>+$NLut?&z%DpikZDZ_xdM-}8<yh;5F)goN(0!F2r5&Ug$M7A=vH8i2#
za{MK1EZzuR%9Uaa74P6^65Q)87FXT40kyUDi<+i&CPuE-MP&MYXfLESE?p|StC{3e
zlK}Ay9AB<rSvukyWV}jFuX5{9`ysC~_pB~G?PkB-n)VS_k!2OnYTJrVc#e5pY&3z<
zJK4ZgIU4iakMcjg?U*;pPFadmf8tio=1L)R)olaX3^VUc;m!|a4-YhKhSXR=WK5S9
zHyG<^4+ELE01W~8H0dHoIxpo;Sgb}Bqm8OC*=a?(5EJ~oc`;B@J(zx8qq0|B;#9vL
z?2TPz|0+$nk%>Xk0upC`AhXXst@e5Pe)Lny-!5@j2P*oaU&Qjrw1mjQA5T>J06!i-
z<1S}Plz*K4Sr7^xle<89%^b4ycUzXC?64%+d|6-Ub4l4b@%Y>dS&X;u-{u&n9W?|-
z_%=A3=6s4hRckp@Z9=Y<V=;xboN3S#`c<=MScb=-h^M&(R?)*uHL)X`Rbf5%WNV*$
zxb7Q2U53-W65yjt;GQfQxx=h)8(&^=hv@c@(gZ`rn^S$K6bUAoyrbto|DJ+^sbmCS
zhc!3)1r@Ot^-qnG@w^fB?T>_X7*AkuxC<Y8z3mir2B~Y@JEI=8rEJG=Ho3PS{q>0s
z;hm8K-sVMxuMAJ$1hM$vxlepcOK3IZ_*lGyO2!<%)kfE$o--7bSi&Oknp81Pq|{nv
zY+2lR?}fq_TS6+8=-11`c@G>7$z|xR-@_ok*I=Dh<ZFFf&Eo(h!%@@=^|sUhK+ihE
zxX493EV1zIijA}SR|&pkg)h7n0s*<O3WuKwlzouQ*n(&AKVkwxGS$c<_meP$MNXN&
z87QC|N;4C^{b^oj8i5+&b$*W*Camu}RBqwT@35I@tqVby9ek}~$X)R;-)upZ=VND_
z@fTxAxcM;4`mp&IH8VG*nynM8xRB8>Jef3_v*etlgsQ|d!*QP_p~-k(&_qQ0Cp8E?
zg1O&PA(qdTf!OK1QJ;UTq8+Urch>?{BVQI8k{lGnr^dYk0K5d3dCF&XOg~exb_-Bq
zlKq;#wSzmmN`21jUL^6NFLLP22Jv=3-H244i@AZa=Ki>p#qqfc^s%j&vhEWdRKo4Z
zt?Ffn1@yaUnpFuZOo3ym8a3p}(Cw}_rPGMSl3`15?QdeqvS`1pkU164*8G+$O_)@;
z=_}ITSgTumbjCX6C02A}<}!b)5Se&K)pJ(V+GJS5hthr#$*J-U^K+!3l)V}APRktD
zN=lfu7Kh5?TDiOuOV$#n0?8J7^FfnzyKeR(ObpXEd3ym<!)r1G8}M9kXg-yI0xFBZ
zuMKa18aoT-_C?E;oUfPZnq;Ahn>35{Rwv74>dIoh6yS5@IhGyIYy1;ivwoSTJWOiB
zXB|w#?toM&9n3uWW9L3<P8^8}8-MjLw=i@~^HZ6A{U{+Jf-q?9Eo(7-SBx(+@Q`p^
ziikd23kUsF#SK`rwu^*R;4_QKDFZUU+a5Ssy0#K@Y?AmpY?CIiTb%dnO7=fDoVLwf
z(PcE}`?cY2O{c}oxwT}GlVhv(=+<d-ft{|nbU($U0W$rw@RAW{Soe8STQ`A><tbN@
z(<J{b8{WBoqdsGxR21**(AC`@Wet-pyqRse2n*hkmCXFRp@wn(*YjKcBD<o6^M_X)
zBbz;Wax`(w?(R6fdD+zgt|&m4>ZEhw=G+OMR|J*WV+T^>QGT$X?7kPKnh;FrBI9rS
zvhAG)KK>i9JJ3fW-YclUWX;0=r<4(b>#^vg-F{sjqBkn{m6P2TY}eeKz@4ressU)5
z_UB=T9wq}9DVi1Eb0doCC&b1pj;fsY9hC!EVQxT`R8mK+!VQSj?&TQ_;s2bQT@$Y`
zb4VaeV6H8^!t<Ew<}F&Msl9VimTe<pF#6+6Pq(abIq99E#yR<^ShF9LeX&8f%Cmxk
zw^;U%lG_*U)7}3>^+X5KzpzvOEXdOJ!JD!94f_14#W5x;hi9;8-P%_qe^jKr>B?6%
zE7z4FR=@6*PiV-ucQWNq?ayx-P4_eU`ldZxs9q`~{zpK4BW_aol^mxg;*%GYHI(tT
zvhX3BO(F}2Y@u9WnK#>T=9pwpb4LPeyd7s`xa}H!Y648~rgvhM;kC@;$;q^}tT{c3
z%TDeJ(L>%&nk=}S{EcDJT)Yd-?MSIRJ5LwPl=t?|OBl0VfbNP66xUl>erWnfE}k@;
zbL!0&*(~z2=jEp^UcA?H7Tj&6B1q_(!lgfzZP8C-d+|J;atH!xBM;-t@DOfstC#<A
zt%c2A$u3QtF!$8%tR`%(zV-XH15J<}UhjXK_hxQ=4)KVrjBO8(xmLwG<zLNpORTeU
z>!oOEwMoTa1Dc2D34b4*PhRfNqQN#-z(Vy>)R&7fWvQsc-xm<;v>T+795mQg(YnTs
z%vbJL1c^*mZVvJpg}QH7oz5EuYB?FQ2To6)rw@DB$S|We0U7M|Hx;ss`F88KD|WXh
z7>2L2xAuO4cI&3q<-#s_cw-oX-EQT2e4IG2RWBtN#>ksk?YwkpT8!NeCZhv%8AxDH
z`bwTA-Tl3^%j%Pl&_|45SnC1sSP?f1F122sEp`tmy4s`p3T)Mgx$Qq7y;DQqRPlg*
zgn`zga(`paNV`8p?XXeU5x?0;0YZs#Eg+8KtGy}f9>2CWM|cignF$N*_m9HdFG7^_
zvv}!nk`ZRRwWyV??;H>)i`40CirJ_oSl-aO&ueXYKCBk{lm$D*O-kz-DlX6kHJ6w@
zzp)%1(E*`#tNCwAD3wMYx6Nm+ISB3lPP?ERI}1@e>cnWQeZNwiKgxk<c;rpDd7M!N
z+_#yC(b6sLNi-ij=uGaqY|bTuJ3txjS1_X7T66qfSxY`Ic7g;J7}cs_;7sQik5vy5
ziLk>*JBU7p?B^Mb?eY!|tG*~UT~tKR$?a879ro!$#$e44pb_E8K?K-*k?f$55L}lV
zjq<t23OFf&E9$5pKOh>pM1qTDTENK}<vjd508KW_ojvyB$V!>RQ=3Nf2rbY3`B>_5
z+bCt+1@%eXqu+g!McOXw*NoU*!SkaYGww(IxAFWr@ErGr-Q3jolsol>oX?HD!fDR7
z>{`Anoq;^Q+F*aWEBUB<W7xh?d}k+&&FviRG8K!*K?LEp+3d8=);uN?ut7wWNX#+T
zuWN~_6{Xx3hdHymZj`OrKs#~i7=pMHTl<xA);HZ<wxi}MCP~vUabTbuH46vmuXJ6{
zvUHN}U8_5f=}C`}{FeziY8`Yuh_$=UBoVD7&~Vtd-O4z`y44#L3)Gt#=cmuL*xhZH
zR>1RBRerl5Sj3Cd;F;@<fP#%9cu?z2*S=@|Qo0=$00T^xHQ@=QNK-xjVWGm>BXzrc
z1;L4DAyezpfY3N*-uD_|(p9Tr7KU$bUi1+sj|M4rJm$D;j47L)7EwRlS*nAc#>IrD
zR2?Znq@;)a8DT5%MlS`jv*Kh5aH)C(sXG!K_*Zx*oXrH^*0`e9M?`6HX{lM=xyJB}
zKVqBt&Ns~qxgwXdq0E^vMfm+DV_nxLJm052YwQrI%pj+V1e19;kgFL<iyMDqny(i0
zM%HzH-tkf06GX2TKj=Ltmckkw{z#c{T#<eN_hN{Pc22CSV!fm3elw&;<7~x4t?q+w
zU6C_*oZ<4KOQ;~JCKZb`zC0xY(Q6O9SPW9DddnIdeU=$Fjq(@X9}_E{SGevkb(Aqs
zr){$<YD8Io-TxD@nf(;?lk~bI%GD0*<>nNjlFg$DXN!A5)2F1zh}Is<z&*wH+0Nxk
zOO4N({blDNXmzu}ZBa`LWT7cp&}lV3m;kZ_%0vPU>=rSbhUP&CwY$;b8Z^@SbmJW2
z=dq(zTlOee^TrjzzEqI9gt)r@8bNg`sSV|#a^2hhRkC?Dob71OeAN#Duraq<J$KPn
zq!P4eP5hraDo9!uV;qUicuatNw3^S}Cw8q#2MTO!os09=Jlcd0YQdefnUTWR2AHNG
zyjd$d^2o%@Qc}3!!^JXz*5vl2kkwwrc;D)ZIIUI0+FyjLwHC}Ik3^v<Y9RMmPI}0j
z-+7VmMj(!m5COJppNX+ANU*no-nan3@S50K;HxV|Z7vWz{Rwx=PMuL@zl#`JC|1RJ
z{OUJwtqxvN(ERItsMFb^!tZvU?0ivaSoFsuSh)ljSHwKRW$G{m(Vph_SFAP57}<%&
zNndyEURQZdR;oH%V)ujdbmavvSd_4ox|!TVpK_j6*M`U(!QG5o^7eTQ5-$vU%7z;5
z8;DjCI*z*$;n7AS;%c`RZFLk0nkkvHXOYJ=pZ>_1pn`Vh$T?ywsgww$3I3ek++Uv~
zv&-O}{HOG03v4wK#}>L6)uZ__quMDF8PY*lu$zRi!`vEU?jpj+7+LWo@;}ysNnHBl
zE`NVQm&gcRtY*p9P2|%ThpJV{+T`lK%*xa+g0GkO-!<U`x@07y3YrLuY9&dmp-ZCq
zx0Nt=)B)zDL$#_Y-6T!1o@|!UXvF5-#_VC)fW$E@HI3@(WOg3p5=Go&MaYo^W0*qE
zc)Q-6?x_d`+{OtC#hq)CMRm^aA(Fh)%Kl@#&q!a?(n1=JR;KXr<ZE;ywxi6SegcoF
zU-v4g4rYhdNrIK`2cdS}B#Vnqk$;*NX&b;ux{uwFrb313pq5EO^@%Tvy_Is*-GU(c
zV(*v+GL$y{nlxW&zwvh!_|oFH|5!y;#2po3)AKh^%-RCF4ovmA$0U<@pHIS`K^VTh
zDe7l*8IGoxFIOv2eHK_6I}TcVn@Jb8;)LtWgY<O0WcU{xAk=kYK^J(mP)n>At?Eq?
zy+Pzpy3yqC;=#IZ(`~dvM<;^w-l@Y(|FN*$-YkaX7SmPSk~`5LjQ?6Hf})O7POXU{
zdxy>KAGd-DKof`bRmyMc3mXd^*IW_Otl3WB{85O`*gbG5rge45V9O-jMw$f#xSFDl
zQ}_P^5PY9Zg35a#ZhZ(Z1N|#@$LBMGng|pZec(}ld<^7=bm%lm7OPl%YV$Q-egBuE
zW-BC#^_O9TU|@DnOe9j(=vO<P?+-)6)H0hVTKXWZ#|^1!jHUU+H$I3TVv;(}w!8Ma
z`~d{0x(kNCHG-m9$t<`+VM=7grRII#vYlSjk!+*8ysdn9I(|<y)gVaHt#v^BO?p}x
zW_72Or)5%a<uzL|evixfck8;|B}F4EoOz=JSxL=4?H~#{36kRR#tTa|>Z==@CR(vW
ztVQlGYiY(k<KPu@jNS_&P#wm+n#Mijc?3;9`^yP3Evuyz4zp-vtmRNipX%gqk{q)U
zv&MNfRP+U}!pF(5sx)Q{gm2od`NH>aUX55^cFFyF2;0C}d=$^fc&rcCjk((#L=i?w
zTXMrSalR-swXOG;qj&+k_wf$7sKNcW*qRFxVpN&(%`ofV!oaR?KGeiwJo@$J^!6TD
zXYhI*e*rSH0<=zMB)oYC6ZPI=iS*=I%|*JWFa=``cF(JD4s{Oxo0~rdL*iqv_Pgt`
z)Ur;UeEEXPN#Mw_m7H(OX^j|Gnk=!3%&Nv+S$O4qX@0OiUzEtxbcM5&&9gf06b9G=
zr^l{vwCVbyRv7SH=^}ioJE`%5KT0)|8yw$ej(n0wf5LekI-D`Bhk%?-58bt{`j|0f
zM3fYrkaFa)zg_2X@o|2)@bsvWRrzB7LP~Wg6-xd=XaspxSHC)Z0<LMr;=vssLI=B?
zKTi3wSO&-5aS4<<GzQykkoUp}^;;{9ONXdGqK}YY@p*m$5Bbf-1e*F;JXY&#q+F*(
zf73iFcY-)2yWe!}N4{C%WRE#5{fJa(g6p5np7uP?MqalHl1vERJZ~2vwpDwG3^D5a
zwpos_ZWDe|CbnLFHzdCNG>e-|zl!O4!?5w;cr2Y=EMx9aoahsCB*c~06eD};D8-gj
zds1b0QYm~4tB&e7l07GvW~xzU5VVdJA4Rpycu?u=AW3V{=CsAnQ9lA+B8>}z+K1Xy
z(<zl|0E5E_-?w6rLAUqhO+bv53i+<EPztQ`UP_RZpAh=WgE+(=cnUZpbuAXQV!l`0
ztYCyd9d--QK0MV34klh!*(*4JN$^u55K~}%XckxJv7XXj9(08@jdv3rt|()6W^QUa
zjugG$2x9m$`#i@9aqFk9ru`WO45XeYO59`*ld1a1u%MH7uSJwoV)a&mq3zZjYQ(ss
zJCkx&B_kx0D_l2FvZkd7ZLqn`=_N%7bl7K}P`WN!Mp0E(P~zbgm}dU?Qnl>bT*Fx>
zB}C@Xi2la9qCI){RN5d(<dy}0xbctm+y01K0U*XtLG1MVjCZY{)Wjs0!i~QT`v|47
zNwx${AQJFl0ZO~Y6B7t+(Cb?W&q^VzQgtw6eb<>FkH`hhxh3}qbrV%r8n!Q9aLbE*
zZL6ycjXVRKfN>MRe3e~TdIuRYxwZC3=5iq_96U@*@N%g2@?wd-hK><}@c7LG&q@+f
z_KCiCAB40uF<_f#JMF|C4s(rXPWe!BcOj5;y;*8&kAkW>ueqgQ?A+3naOdf>n2&Bk
z*O<XMQ9YTIh(x;1;)`~iQV_7#>pt(FVpi|x=<(5mhwOdTjq6CRAS~rA@I>+078TIN
z0=!2<1Yk0B7CKOz=5)X&WR(pSuc5m3WA+F@W!etbo{W1c)Tf&2I&3uU`=bs1zm5pG
z$pk~M{D;|YvA#d!oZ0tw4jdf!quSc|?czCg+~c45$Ahf>yAH2Nr8y<iv6_mm@u#k3
z#*5O)m&SeU1;^fZ`J;dZhk>Nt+Wz3Q(1=qYs2(h9fG|BFSP$o0P{j64A?76P(mKFw
zlp+-;zx<R_SXvN}+5l|1UInd%ybxfM@XpSkklPpQ9+#nzhTaX~C1|}y;6yFl96iD6
zMuhH;tU3Z<<o^FA9a=nFHy1YDP6)7ZM9$(M!;()ln;=m0h@S|m$EK26OSza@pdGKL
zdO=J#hx)gEENESxjKO=14aw<ilu8e7toy5(*?FFLOES;-^?k1`R&>3&n*R%FY@3VP
zD|%9OIvPgF|6H9-@XM|P8CJ0d@gJ<Nn{|DfInL^<a-5uZoO>nLXZ*<ePkuO>bu9)8
z`l%VY={3zUSex1EvP)dmA8Znl3e`?z%k^66RA}zslM$Wgo?ApHpsDiyfGjAfuwl!w
zhyoJ~=K|Cc3Jh$lX|9T1?i{1C09tap?WngTOO~Z~G}a%qjqkw3q2_(Y8sL!4bxin*
zea2DN*Qb;^QH?~B=8#Aioi*86nq?!iVA;5q&~=uOQT3#y0N2M#)slW9n*Hous3F+X
zq0wKWTrx2_-Hvc>T(j_l(3Y{akFL_f{MeTvXuZV@KNu9n-FD}$;}?BRXQgqE54<HC
zEs3RZKQtn)^kkx_joZHVd0NwpTnznNE;DQe&<;a*OlRL4_zn~d?t1GgG9o`o|6K`v
zLYlATkli;MS4XeQ8zSvu5_k%!d421|lsnNmiH!_ueNCeCl6vd=#jdz8g-23P)!DdK
zGhtogv{6$jqk)}0{#G`f87oQi+`4gReDt{^8S55p6w>$M>B=56R_-8a5ZvnBTs?{c
zlAgczA16gp8;@QKi&pMG?vc|}p1Op66gi+4V#vu|SEWbKh^>T5T2SQQApC((AiH>O
zH_K<bO?v+Id}9HU8#SZ^lNOs+i@W`doz12HgHR>PeiTE_jZs3mISjJW_^*AHhp6v6
zzk`Hmpak5=ypy&X$(WIt0SjPw663xVwO6*L{-`1mZ`$nsT&4|sa?kj@>gp6e-SYk4
z-1^~#YFfSTn@{=OXZ1InsMojmejTdXnz<Q9@ZACmY584i5nrHyZ!q(+*@`2v%q>Lz
zwenqC5?w%9zPM22JWbxFW-)lL{Z8rc#FqrGa&X`Dj>XAJMKZv}UDoGU&F;pcX1Ty^
zafyF%WD^Y(e)~}CrbPONoBzk@&BumAfYT!oI2bw(SG4-D4$a7gcdPS9s_3rXNBr*o
z2h7N7XqUirX)Imqr#|;rY^5pw_Rgm&+%AV3X>$b&p@$LFR^Z_t2+mU_ONdqO36>cs
zcfaPoP{v85r_GL#S5S(z#OeZm;f}Lv&puh);MMK})a^ERRpPukXSUbKyguED^>O)1
zV-Ob=$@sliW@6Sis(g)m<z_mmX<y9&PQjoHc5&Nl?o<btMfNI<)IKqaYx0a7A6s+V
zt(SiS%D2pebHNzj&L+J9waJb_`L<6{kJZ&5@yJ+d%%E2e)Y>}B1hPc7FkB80BXdt3
zx;e*%Nv7f<nD!8>3i<Z3tpygMq})$llNJqRBBP|;$Qt5U*S0DJV<o`~Kv&<|2psc}
zx|LfR7mR+9m&BhS$jETEeLJI|b7Hkk!fY6NH5#WUL8hw9$1R_c?nKW|irSmAQgM4}
zoHIs126H#%A1-qryX|OLmg|!AjjkZ8P=i3Ww-^=guZ|e-0%bj&H`y=|KoWz2^n0J(
ztjz9&?)SsU*Wd4v52a3=EWV4}Q|OUbrex2uFzF~NYH(2EHU&JNj<<zSGpkeY-$-Q{
zm$GfxW!&4o8-h&^GeYm58a&ee#~Mozjn_*u@yFhheqB9=wM9=V#_-&1iD)OiCDDwp
z3l_&MLHA}zQo9h6b>~T;3M;a${(auWycw!=j91jRBkm^ZjlAVELcx0HZ+#EryMISs
z4l~U?dQ>zw9%PDaZ<K4b;FbJ^4SsQ@2_D8#UVN}_7Z16Yd>_&-c|H;Y30sh9qj!n#
ziL5Sj;qpiur8g#%6(ej7Vza(4PjjX5l7Or*MiE356C{LHx5+4Jrq-l=Bw5KQ`7PO_
zV=ky`DSwBQxqS9zM6h<P^SwBc1~lH(mjsG_<?0g>>FF&4^2T<B4p$WoMeoNP%+%XY
zOuwOBC;exH;QFZ8uU5^k<U4*G!S5b_krx1i{GEXSCbMT_8yJBXkGU8ENMQ~>KVB;!
zpkcSRjVcs$F$4_CMrI|C)Mq(up_38+&?3>nD;p)Zkz^80&Bnjtar|LLN>pZluUz`x
zx5K!hT#+aW{`=81D@g*HF2aVK_5>iajd?+tBtuF8DPva1H&I8&**&j7?vwG|wmyz!
z)t-Kg^E_L2{l*}98;eYnIayE9Cy3U;kZb>Wy6cS}Q^ug<bNWZbna;^X#t#mC3rSG#
zm}qByBx-17pAlz;FJRIj*I7B3^&xU;v6my$SD!GUr$$^Zp83OhF-8cyrr=ui)st);
z$%l2_jdPxF8yfp&g(JvRY1SSbLshZSKkwv7Oh3*eWiR@<uR8B0*EnI}NC@^;?be_4
zYX)kmCLCuaIQ(9Pzi(tU57dPqjC(ep!Fj1$pk}Y7I!cI5|GwN39nDK__S_p)lloC)
z#i==a(s&tofXWcT#RpeJL^h><XM>eTE%fN6<}#nKn9JF?-fIUiF`T}ZBrm0*3!&uQ
z6Mt1k_aSBW!}ghHrtFrWimqSUgy*-^Pj*(n?Bm~ggKG86u?&%_2&P16%_JwTub<tt
z#q(tr6W%Wl_Zs5%GnmB7Y9{=A%>6biZaOI8v%{@a{eUO;J0tCG@-oN1_inmVb294W
zEs42JPCa$pk4bFn(}*6{Q@3SX$%E1OqO~Bk&pO~*{M=ij9a~G=c_@)?(KOCg<Y#lZ
zMSe^RLmzs}y4ZE!c+^{ZLp-u`&p&9^v?kb}Ue+bl`~jTU+#V0pgboiQq$AE#bEGMx
za%r6JOOZXRn%p^}Zas%3bMy}PZ(gft&+35;zKqbd_`KI8LBF-sJIbPRr_*6GHU(G#
zK`D${L;DRQce(0%-TR+ApStZ{g07?1X}PtcUZ=FRZt7BcoFPNz6TiEcWb1=JqHtKe
zbQpQ@OKM;AtVP_2_{pU=Q!SFS9zrYMzrWVK$%~!P<*W2kTK!3St%)1o??Bngr`!@f
zXj$vZ(_0d~V~tu>pO!|*E%qN^{7dTgFOieK)M90fOQA26*`CMkEpPtBlicMB*#xZX
zuCk~Xkz>F?m|-*K9(dK8SXi;p>2rgF@$hT@sr(t~MF%b;)i=p3*r(vGgP(y~{qEkl
zk%z-Qwlv0*OXdwqQdP9z8@IM0MN2(>B6_3W=Dn|_Cz@!A?uO{DZRA>)<$}U!LGd9S
zLdEcl=>Tddu9EDpMl4boaB51LacqL^#l4G49&KeVx0vuuLQrX%%Fr<PZEun|U5*t;
zCW=Xii@khuw(($7+;N859s9G}pxr1f`ExvJOVEP%Fo%?pS(yo&HbM3+_T3uu)yxK)
zIHB3R3BIphO22&pUR^=3RlS7K{>YY!-C`OK9WRF7cxVhAmY<3zi_fL6Deq9lMrIER
zBEo%&h<5hjj{dTh`Gl4ldH;#RB4ZDIa_Q#lRx$nBZ_rP_i)i<~TGn5h)Km)hpoWY+
zew1PtloqOm5CByat^WvL(EoV=y|b}hwn%r0D8Cz69W2;idcTEa^XB#?i;{eNFyY?j
z@-Z<^R-Zn{^tULH@qUv!7}R<<y`CW0W7K^`Nnf-#G(U??*40wPHwMPcR4{O~@4NI}
zuA=E~o4hn}>;ds@B^8fe#veznpA_}`JE@Y=ug3~FKe3SYsg#UA#)mI!J7aUN{^L7S
zQ2#?)|EmCe?c)rD@lZQEfTk3=TIa}9eL3zPKh38!=*v1IT#PLvh($q2^untr8u8pZ
zMDG-TID~k<bME_wcUJ{fzl^ypmvqq$<B#{oKo{h;n-P1w<JG&UD)wrq+&=zzL)B)*
zU%!@x)v%U@W1O3se;^C1AF$T%hIuJKJJL#7NhnGXKgkknL*W%7amqS2vUT@AME39P
zbl*1OoZwF6x_LI1v%an{e-$?Yfze`=W&IrSwFW_uppdj?g)z5NHRQOhPR;DE<P5Fp
zdm9$HmC=p^y4+>@W(2ynj+(EcC-KjOh|GcxpniT70@dcU;zhIvp;mv895IjfPe;ue
z@@Q8EHnSac-QPJP#!Iov-jZrphrMLg3%qVjTlxQNnp%)KtwB%f2}Vzp(+K!rQq^7S
zerYKnv<sb4xyLlYfxj^!G|&|G5U6kny><o9B7gz01+_p)wg24qUu~sDmsChOsLM10
z-4f||ppQggC;3kwDVlE4`tP=a7VZB=D)V5dY@ad3AK$hjs(0b>Ep9T=#5l!D)G)2T
zg6QvH#V&XjY?=)Ewzoeh8I8H)A0J4n2|aI!LZtha>i}2`5m-jWWNzex`3515{6eE5
zw7thTL5eWA3GeS`*xY1F>ilmy^d}-}qxEm#%k?cc0nmcC=-ej-$zyOmJE0tK(uH#e
z2hd)REEt)(I~l>tL)x9L<__}-*AhHAmIq5uH~c^2171ZW$93V+5qpn-6(Jb(C>1;7
zKXG#Y-=V-2Yoi|kEXO@Qg;D?#TD+N{Buhu`PBWq@{$j;MX2J7kQ|?(ff7h+JHVxny
zK~6KWmZtDE;3?1J`^Kf~AgG9y=DHw?DZ&=6k@Sgz&O3uSN|k19<&CEl6{Yq)bl@#R
z^tY-jzyqg<w>c4jKcz!_^~DuIJjIFlY#Tg`{{PlT)MqEdm((i!1_QfEf&1W%TsLGS
L6rSaaX?y=4ac1m~

literal 0
HcmV?d00001

diff --git a/samples/remote_attestation_wud/images/remoteattestation_sample_details.png b/samples/remote_attestation_wud/images/remoteattestation_sample_details.png
new file mode 100644
index 0000000000000000000000000000000000000000..d38f3aead497d51560948baf5e676e50a2238937
GIT binary patch
literal 27944
zcmc$`XH-;O6E1iF0TB@u0Rah$f{1{Ub5h9}B?pz9b84~yMI<OWD>-MnNeu`{4w6HY
zGc?I2G@04`zTY=<=iZrrch;P>Skmn|d)L`jyXvW@Y7?xcB1?9K_6h_+Wb$&)H6Vzf
z6oT+_FB5@p^o2@;z(05{8nV(*QSY5K@Zpk$l(G~Am4=g^z99skNgU;LT_EUM6Yd9(
z@}WWi1lc0xpG&>;G}@dZNzz;zzqlZk($b|gWsJcae<}Il3O=)r`s70m>dDx&w<nU7
zdK1TE4dOa%;(CW-*6gp)TF;+{T)C(9?L{fm<wuFOy(Oe&m&-y<U8aOAmhVT#%X7>3
zCNJ*#Au$O;E1mZ(xFcOKVp!)#cgU|pPz06ME!$XT*>EAn-)_Bji#`^qWpJcXq4hwW
z6ukur6wrPdyq=C_^MP2I;}XmG?%7?6bNJ@5xFd>{-kDZziGp1i`^bK6qHsAsNQ&$u
z?1D#6fOih=ocZ0KQ$6g|vD>z}vys2}@z|Rf?M31yn^_xORK3l%)ULNT0@*A7st3Np
zFEn0F4Kbl^yv2h`0)j-z3Pb8A9+PU@aR-)rpJcJLSjE}s6r0bwe|Om~v${Q`mV<W~
z;)YTx8Dh!_+<8~-LNPMG7Nmt08nK_YN=f%sIcwy&u1C-y`-$pTaX-esHptU=($Jec
zu5Hs@Pjk0sC||dyS^!LV9Zb0M4PH`zIDIpIe_WWNw<dYyc@4sbO7nGSOpr9$hi%^)
zEtNbiT_Wt-!?T(S=e*MK%IzO@Pd%!;^~%Jrf3~59A6U<-5c!Hvxl>@Y?XTMUQ&!i^
z&^W)r^7o2C(D=LSq)@x%mSA_^C}HimjB^^CO4!galCr7EDkL*#v@+47gN)i$-s|?@
z=!<7LM9;{|sofpuUZJz5{U=!S-=0@L9~_yGFR$kf)IuzjrEDrcA%;xFr5{5~%vC0G
z+IC}a^fr0#`}yz4y%7{EcYC&y@|*r_uC1vg-#8lnDDQQb<=}_Vjv+f*5vwArz~LR(
z)|!yYZ$|r&by;JosEM-N;_Wf*<@iy|cbAFZQ|}Tjr>Wlfa_sXx=*E{cXKulV1~f9Z
zGAHN}hP%gEW@^tYyqdm>!=2l5)-x1n&AWJ5G#OWNb4eHBA+<*gM$J}Le(ODifyJMe
z>hn)-)w>HX@BfZhRBA_VCrq>1<c3AtU(}LncU7p?f1i5~i))~Sn0Rn%w|b#JS+S)2
z%<K{CaeqX{-66UJV(c0dSaMFD$F+FstgJQL3F7sx4L~i!7Fk^1(ZsIbCWiCdKUk$I
z7_G!`S6syRifv@E3bfX9Yp)OIaW->ps~1twK#&M-{1F%Z@##2(wD97PfC<x?{f(im
zN{4R48<%~L0<TXgaSE+ed`4w(#HX`#N0HW4$|uTy*0MX*k`X&A;w>~rRn%uKRO-(d
zR>`pR97}ICh=+IWLXtsu!TJ<r&b?xl7#NY-^b@J_Xv^rH&}X34u<(UXE4gPB`b|U+
zllkh=oeg|4ziL(E>M&f|vXIqH{-I&Fz`M{Sv#{*=*e2w$6cxlxe3uG({lMci2ky9j
zwQB7T$Iz7d=Csd?)G*BA&_#w}z_5KE?Q6R&%pFp(8<<9kY1VdpNuqy5NGr4uX5pc4
z4UaMHOfti4h=iD}9$9qmOKffwR3_GMk&9yeWGWhin86d~xF_xnsFlwpiuG#Tzz*<q
z%!Zjf-qhe)lhikL!{k0~CK9ySSPnxC>qgoo`&QNMeV3s%Wn>hO=tzN>dcbNjk**QL
zlBck{Zu(}}`e)|f?_q25IPLK4{H*_y_)aSJJ=`|4-4iY-q)WYX7(d~pd}*(#yKgaZ
z>SWMQMwjeE^SMVJNy*wkTJC7;aD#7_ag2-wJf)$av4Wof8lVR2z?~FCk$l_g9D_ez
ziTy$Hm<&D4i>LVB!jLRK@Xs1qMn8tgn5+d2-}p{8<6|LR3LjfvfLj{~Tn|f#rd{Q2
z%%dZA<ue|PuOHdw&|@Z_@~JN;;-?X@N=fR^d!vWgBanmx+m<96h|xmsb)7EJDg6<}
z?okbto4Dj^=j(OWgjk0Z2959QyC-f{(nfHt#@MikVc<jN8Ue37B=)bFaB*Z!E&2<c
z+j;p7QEF6cys+San391%VR~k%lZ@Q68N8WesJH)}m)0OsD2R`$#uo^}PO5Fs-L>Lo
z#pZoLA0y0{Z>kjVYJ$5bPO)}vOb2OSTrUejYoCC}uu{<%-Pg;bO~D8wcp1AFXd)97
zCZt7N=4dIb^#zJ7Se(lq*fQ^~dCPD;;GIj6>ZOGwg@Ixv6P%m#Yv$f@TG8QG=9l)$
z72Nf4+z$Kt>bb(zJNs!vLb-YI-RoaR$a=K({@^i*;RNon^ms#7d>kl}+-xJbX@A;U
zN4cCI#+GSD)sbQNrMANAF{Nq_lW_scTqSGugT=A`=w<~Ajf5r-l)(f1PzK57JCTEE
zFLP%Wvf_AQr-&e(&Gp>7zK2T^@`+tTOvu#>o%h0grgAeXy$Q1yDF==^d&A~DLKCy%
z^clvnBNcz}1I$2-i6EK=+bherOd*JT{ae}i$FnSs-aaMc`{6Tue+<g0<TBV?Vmc1Q
zexYy5rm==j$JI7f{ISk22tzG@xB`s@f>om$bV^&u@_8JsT3{+}J9zKX{h)dTd~-tE
zJe&wQQ}6(7I#9r+tZg#=37VAvqU%_{_~kz6dl-ag2qe+!)r0){8Ey!ZjN4IrEMP>T
zS!Uc#a<#(ie8!A5OFlIN_*6Lezeex0xcamjIHWoWyhh>=I#9`1_<>KUU*e>Pn}Y=z
zgj&@Z&(7j}vM?0iaU0SI!O7O&@pW3iLWZH{$Oqh^zvek!8oAv0V5I`LDX%2Y`Vc~g
zO8V}+jnn>TUO=DxgCr??XL&rI&?FBbNo$~~MtqpBLh_Sk;92FC6eyD`A=~V2ZL%^L
zzQQMb2>KolrV$@RtA{0W&$!-Q9-x;z?q|y1o;m6wwfsgHaEqx0KcJ7das7eF<q}C4
zolr(>9f*58@1H_UUO)k}>4@dxsAaNsxs^#7Ai$ae7s92P(6IY~Cj@mo`%DO>TH5qv
z=o%*|x<c(&S5i`#SzqNh9qK@G_rN+GK4*2NovbCG5W=G|KU@-1LcB#@B8Qm%;)W)$
z`#4PUniD-dtxLe9xq9eMf3NYrDim=CtliEp5D^p`I14R55^@g_PC56Oc|cIGESQk7
z+ZZkdbGP1ljMvUPakCb<tnQarA$iHq;B`=NwD;~W_%js(3$g$u*Ed*r)+iywREo2u
zw>ARXQIjnDNe`g-Jgc*bGOIQt0A?Z{g8Af1$xzrhn`W?NOz!`DensalSG&BQjJx>_
zGSU=P<lB1_Vp9KSB-o}L@)9w?ZEtZBL2~byCGIS6>p>Bhz_U=meI4Br!-<tAt`KxH
z6exggq{K+sC7vFN-`sUWEq0HD0vROJa2xHnN}>L<`tcr9E=iWbq86A?;Wdsb243hs
zE%106&$$ZAT{pE{^sB5R%c;gqHxG?8eo7Or@%a^&6UAG<ICt-`bLKVy<B;Iwx<vcZ
zIPNI^Yr+%FATj<|$5UqoqC1nsn0ar-#fs&9GgR+myI?~RBN(A{5>YkELJ%$89f7K3
zDAm#9P`~;2PVSh>*jA`lml<#mxR?Eg8<dIGpiMcR>)E+r|A$w6RjRVp+w0TZ=)d|)
zN9x+`3(drx^s(--NkMKsXXQN;YmsJteQ&r6vfDr8j#FctWqlsEg)_#6%PtDrL<CpR
zm4<msVE66-YyW3-wQIEp^jArW3Ta29Ng9sgN%94*tv;GU@$ng6X<l-(XDg5O+k9*m
zLW5atKN{HW^j?}~=ldN-1slFMxa#&pw&C>Wq@xryZn%CR>~-R^AIIH$FECwy9X?$e
z?SjE$VSM>Q*hk~l*@%en`fiVyvX-y8+;?{}HBkl~b||);DW7;z<ip>+Rfe@R<h<B#
zBm~N_CLX7jR+aZu1dRGPG{UE6O{x(n0*NI<<5rjMDx{<D&ItSc&#_0hd;4OMhA{RC
zer-o3yB#6LW3gGr<Zi2tjOqdS8e5rtmkKTd{3BR8a8&U-ddT(QtPsbFU&D&q63%j5
z7HlHjae4jraaU^|?kuHA1#aU%b;r0m@yxzZWsF^Dn|X>h8xzSw6{7ax6$x)zCy1KT
zv*G3jeUf2U$-dH_5~<u~*%rhK)n~o`y2Uqb`%Jg*jr78h)JODtY%&)!>K0);H-aba
z^&vx*ZBhZ7&jufN(aI&7+f?7*?+LNDuU@lh+ER?zM`>zO%OM66+P8~)c)El+8K4MH
zV91}phdI?+b)(CC`~194ivn?YYAL~sx3;ybC*pMw{r!YD1Wu|%gqj7Ov?dGu3;o}?
z8!VVEiPQVIMvKgUl&l&w>iQL-=R=3@EZg437#?9Mlammz?&WhvpW-L$A55Z=GKb``
zAB{n!aBmTAyDxTr4o{9awfsxGEo2|cdYgF5+y4kbu*CECecw`sb##wBM`kn0Er5$|
z;@q10pI|+ihP|Jnu8RINeqP~m`bOm`gVCOGRzYMn598iGtGU(IMv|R85%jU&faE~W
z=&nt-Gu_(t%at9sLuzf^>d33Kw75up*1R$e3?9piNclGnz2zvFcp&mT@mk<*gOp84
zFP}ZLz=DaAXZE#KiRCPE?>Ek$$trJ?L6Y-e^ZvLBQ`SzdTl=Zs8w*^dpv?_rCAVKi
zR(Hz4Pi4o@xl3FQvGY|0h8!&SJX?R%AOepoK02GVkS^f&(QJg#iKh%R+L-=6ZH#@3
zH)#_ep}d*NQG$aeSY!W`a+au+Jv|T<i^#|zlIOs;Y1HxgXX28KHE|`hP11-;YzOU7
zlRljb7gchG&T@FvWifM;6`J?7FmK_C6UW!dVX?znuPMw;s#0tm-#$=PyQbXHeovUE
zIxJMeaW#jeB$JHePYt*!6%UGH1l~qrXRC=1^Sj25+k7m*In=kueR-nfSedB+{+Fon
zik)c&n`QX8bH>;tJPjFSGG|oGCz!#Pu=U%<%%}LufO$rH6<<n#Edvu?Od)3`Urpo(
zEJIL(>x?5da=U#;N=%7*zU+WpSW9bLz`nB$2Tr_j4iMk&X*@4Fq##jB@b5^c>)=&%
z{0+gy<?cngH<K27lchza5;AnV@B1BV&aTxOD<oSAnrA9IQogzO=um;Hkk5TU^yuvw
zzt`KA%z?YvftqZIBHt3jQVF3ba_~y`{>UfETwAl!Q&YQUuRVYBeH_L76^juLj)<6-
zE^Rd`5rMr+&IVa0#VErugP=BVngkk54nN^1R~ODTp?d|RZ6RaHf^aq8eq^uU6de*(
z#L*yZ<HU6Osr&O)2@b>BSG|_QYFo869tI~tbeyaAxatuty7*8FF1WvOy;GnvJ0yho
zR!;PnJGP$Wd4&@;=1$AIyDB`XGUC_)ZrIe|Ys5m@-Tcg<Zk<s{j)E@dL`p2RAr-4*
zDs?Ld`|0=<n4vE6v1<DRcLiA3Jes{i_bwLgl90OlXw&0!qwNVT4ePX>12eP8+HK=L
zPoqN>eNC>7t>om#{ME`TF+uw(X?#>rXKs_zW*;H+kk@t3)XV2ka`z1dbkhpJ9G;Fy
zcUdB+<x>oZxPP|Z(HfDIK;Na>`q$%5>}u;hMnHgj0Rmk3xMD+0T`va+hH`aVn+csw
zujs(<k_Eu!&OWv25MCS2tSr9-1>;a)*=l|dE_i4G53=(|(eerN(*V=;KWTvl?K2=|
z|1)BQTNr}~=M4SnFJ1hAp*-#KggZxbaY9yF-|0`nglF)eCXi8>CW{gKMSP1KY45r?
z3VK4?NDZLH&8IEBhDcezvvt~dgn4*55p+H5Iw=#omCZ(Nmpc_{`9yS8#mEgvj!2+R
zC9d|PmJalg;4YP<7Abjo_6q;g*m1momrQl|k{ge{ro{OBERCG?-h)gL6p!x24z8av
z`B%*=foO7n`j2c@CmY8^SJ7Ep5+4*`c{(?r^!hXX<o+$InVg_<T8KLl?rzy7Ta^@<
zudosny%_nRYw_<K0YG38o@ZNrT1LJ*L`S3F>9hFwCufWHd&nTQ#kn=YK;H#6S5_j3
zteCmafrb2{Ao}z)X&IL-=z<`xNf^*F0nlXp&nmwj3NxM5R!nUEgj_1zE$I>T<1tuL
z-7Y$#+RB`@0?O*md3y{9cD*;%CMW(PGo(LW8L&Ckvmm=JhLkBVVjp=CM;I^$_Lylh
z?JJefw~Y*eQSc)?sHwJ{uQC?Wb0P76sW+#4Ge0-KmP~0d;{rPyQbGXj4FD~IEYKm&
zZYHOuoa)~dM!zgJc>30JpVrTd+{<Lzc^n`u3o;+R1^3)P|LlF|(?h2fxJ*&fWNR!_
zqR6~SIT>SkyW0rUje4C1<)HJvd~UE=b=6CzbQ8T?tE92+JxQ7KyxrW|Bv8~>uwibj
z?!RRONSFqf7oXCeR%o?`r(8c2R@x#b39aUyH+g58^#?oYtBs9WktO@aqsJEo@N`6C
zYh8+y*gf&%GD+vep-5o#&i}F7fSaqIy1zYxbrSR;Qz;GaY*xx>b(8z7jY~~j(vEr)
zG|4csd3Zph(sAR?Ak2F<CFSIRmTSRbblY1#qjidAIstxF*3*EZ%3COWW%3K+RxHwY
zT&a2E;}oi$f|)b=ll_{5p2a6I{^1V|N;}hOe9lsc)$>R^=o>KJAGd`04?qsF7`reN
z0|*^qn{Rs59Y5X#a_!1?hMKw2^DmeacYb)Yeal_Mh^Hu9>Go~5hn$i9NTN<|L<pvh
z+4T8NuqkG5{+CN0KM}T0gOjs#PP^HPj)rZ)G<0{eExds_S!P=2))$irab5?twu;_$
z<>u6&an~*Lf|Kj?X^w!?!8ut`ut(K`aGUmQbfu$;ZFi~gh&{PdE;9tg;CDiBWs<@~
zDINxTwq0)`>BT{6Asg4zb<&&d!Q5~5JW0-SkGLBKMSf0w<D$LglhQHxY`fOojR|8N
zgw#>!Ea9;y|Dd_XwqSI7uDb69X76wKZ{IItaB@zu_>8F&zHV!Q1=nOT1MJ<2S^`K-
z9EU01!7q#XjY{e^m>~d8jU-9cP-%W$GOY39TDgjiRW|&M6p!|V`xT$~25D(oZ6f>?
z<cl}ltM{t4Q%%lI|MIsMC5sDP_iAoigcU{)|BBMLR<yH4eR8BVuS|5>&tpxPzCj1y
zc6xL$Sc>dXEo7#5{=!*E0DZ<qgS3}mmkoa5#$ni#T#xPyRoAB~93EP;3pTBU_i`xA
zr~Il^Y;u7rxTjw_5b%l0uwm!f3BorwHR`moR8zRPZPl3OV_Iks`j3CW?pvNP;SdqG
zk6L)6w<A1$ZPXn$plBg7s@sPLErG-!;I<WZJ{U{<P9^(}3tI&7`QLg`iCrGAyN-(4
zF+VF}M5M*V>swu$qe;@AvA)H86(B>387f@fZ%67B4YiI@s?@GdtljJ`Q9pAX@2vHG
zQt?7l-z?j=taF{_tD8m@NEH((UJF}MLO)J%*f-nHP_N^IH&Hy*grWEQ*g3D+YI4)n
z)eg*1B5Aj6o<Rz0e3E@t(IkA{@T+l=K>?e4)60H-BLutCOB(m__3v$!EVd`J1K8=a
z(NqibCn<-&R(kbnR}ZIB=o1G+Z$mdfgH5{hgHcU2PwU0jxffTplcY9|>cAZC1P=UA
z37xggyEx&Z!L$WuRch&5?`K6m12M94EVPl1-Qtcl6D^$2*Apd2JjhLVHFfF6hK8tA
zR`2I5_EKjHwQKZ>bdQ`+pYG9`x;15Q)?&M&gq9hbXpjAh)%Ty%48#snLlJT~1A6a%
zW9VtA@Gqr9+jN+(?%AKb@>~@!#~h`@o<8X!(%i^r$iwOHZxJ}OzZH0Wxs3N)(LOBw
z>(#}sl!YxfeDk8Oo>Fa{Aoe4rEsps{KZY*R@~gzolV~#XnHZ+8Dfsjwk0*D{7DK03
zt{DmN9}baBir-4#Za(S~h@+6^{{!XkEmDD;^4|dBII5Z9n@-#N2$Ixw4VowIwKu7`
z#Y|{E$w~R8$B$QOI#@95W$|cUZ0+AaPB|%E6PA{?JQ}8x329w3A4sQVEo{E*i1r>_
z^<Js+WZ?gC=z_h2VA<mqSGQ%HPe;=1A%)Dxpj;3k%lY^BG=$x3v>r6#OTH5mMN0D4
z-UI+jM)+W>@n^a->h}}~RJNsQuWPGg3RI4xtY;WS-@+{SHiis1(c{y)q>$V#ftG>f
z+tAw|<>Y-v$CZ;$euR`01t`1XXTmD;;)91Z<hl0KM~j9P9dEqGW2(kk)%()oZXT0u
zS8f`}9Y-RWCwV=xMCTh>qeH8^mj2cfB`7-LLEmwRM}5FXonNBzT5KouI2N^Nx+^{$
z-xw*+XsmDCXF2=_>r@3rDC5S=99JAw1OzRB35jdouWHX(-}eTHZj|PlXF1vVB1^pc
zHx{6PMI0M<tD<XmqDLgt#hw|2WpKA!vw-(a*qPa8=+C)VwU5x1R&JJfg~d<=>>ux<
za&r*r%hTF~Z?!l%s2_E5+y%q80sJR7z&<#jNMQs>%RjEVM9|@ToXCI3i-otyB#$je
z>*@<8b_&aHiIEjetRDj^mHfk~w%JL_8B3LQz=JycfD0fxVA%NzJignaD*JRFO~DOk
zK3&olb8?eH@MA`rN4s{qyyM#N|0SLv?(ari?xWM~CU3QG*$Pa3kOjHQ)uV;yINu}v
zE+1Z#;tdOPaexAp{})RVL|)5qXEmqNVDeqfP-(uv#25^vhx(LzH&{ixv3d_E?zmd^
zH@XUq$p47@K>}@HclPl6Hxv{fL(iooX169h8g=m_uI>4H?|m`}M1?Qk9|HA+Z@2`z
z8+NLN1It;7j(}acTmnUy<23RyB{`w%)Qk@B5^Ha<SmGr>-Nzf<s;C0oFrbKl8qh!8
zrG`3;p$uZ*2L1x=K>%}2uK<eYxqK~suU=WNF8=FU5a$%^BVjo7r-{S%3b9FpD$^&f
zg*bEv46R2ClqOj0!IM<~JXuU3RHaJnWxbA%(=CTVr93FJtOJb5O$gleTSwi#gR(a#
z47xS$`QYhL5aJt?JUi{2%K+?)V8h9sep0l>tct7-kWYa^z`nofB2N!VF5_6wuN7`9
zKNI_6ft$Q(ibvXig%pa%kugqx$lE9God5+3@ch6pAua@KFpe9Gm8>kBobe%G;$wpu
zeYOe+XR~od1%P|4J`x68l>rXjSuj`643`Q!&;C(AS~^5nMHBk)+H}Ci;WnvPH~q74
zf(3)Y)KsF`Uqzufw^*8q_alG^@$#wen<A?(@iN|}NWx6EoN-JcE<R`71G2tzZMR~g
z*rK^lwmuZ`2IoWp1}XzPS(7m0vGA`1cXY$W@ou*~z}&d{i{v}9HI#gosNhSOd*?SC
z2znE)91WN{-qBcP-m{&e(Soz{*&6@}A^|bQV<I;gpYm{kWCWKAwdN8)+{PdK2QlH~
zTd*$`4lkQ^2_d=ro6CZmk;O?RUOK`n{NHi)Iu1m?ig@}|q<~L(o6qZ+dhZ637Iq9m
z5ve!aLyVn^#lF5r*P?Why7#;bz#+Gh3~DhUUhlQhEJC<Zk2N4pC9`0jus}=q2SDO0
zR=0<roPgw#MbffyxZ@{p!20M&C|U@6b${vDVX<wYO?k&o4G{#OjI3~lrR1o56o>#_
zreOaq-<K2ar!w6XFSxi6rb@=*L8inw4pzDr-zILj7!7}(GIa>*2+Hlsh!VWowdbZ5
z71j?y#cZLVG&SYY0OucIhMa|PI!MhA_y{>3uI|%rA0!A~yOa;f?RxGUOB8qRrU%7Q
z+=mZx?$H|Uo03nh;4z6*-;D`QhM1JA=7!12|K$Q`QtiA0hB*%>+zta*#3Mje=v&(-
z^83Ie$Kdor>-4_BsQwd8usXvwr-5C~;)Fu&n2qNdu$0VK3pJS29CqNATmY75N_@2;
z;JSD*TCeVwYdm;f^c;eo7FtN0dK#Q>hpJ|1=4)oUhvumeehzbg;ODn|)61cscD%}@
zcqm6tmv$t7?d4f|>{poY7B_{_MY(hO-s+#1elD*Zcz%NF*6xT8Yl0yS1*jP)v|SGK
zH8UDfa$Hae$h^z2ly0J!uPvsIiwLglBTw@2H1vht(z0K=^Ncj)_70s*XWJ-`&f!_C
zbb1-;#nV)QV(8nqtWY~dyO9EOkzxwihy;+@e2>`QPVCM>gQi(`3EuKV)#q@c7n^DM
zQ!dEZtp4jK{jo=w-^X_5M6-Z@OMHSV^77q<)y4)sA}1>VH0<|%eUJF<eXl*I%FO+D
zlAf8rDIqmlpj6ZAWCRn0n)(ApTOKlc-TZXqXJW=a4#Dx0#DBeJ8MhNjzIW0Z=W(1J
z!-|2o7Lrf<si~S!#W6Q=b~se?O+sWt!gXkJri-iqW;2{qbfl0k3^7pwt+z{3NE}YO
zg4#o3uHjd{0`zl<2}-I`FONCe!2#IJFfy61bnr=D#nJ(=q;Bk->(|1dmt6Sl(2qK>
zog;o$)aHbFP44tC4E`1rRmu?A)G8?FLF>!{U@dH;PDPfCD-x14(A*jTNGZVemm6?@
z&xS!wxuSxMap+mAN`l3^5O|~2Vb>+v#;t~PQ7@<E?{5vYZp0If;eg!VmP<O2WDU-U
zf(GQBStfbpKzZ4+CgR#zs<yJW0X;fyi}&-HyQMMB#W5%rD9jU$0pHgQUM=9Oq{myR
z{iZNmA1G%mhE}t8x2S^RtnsLp)i8H9p3hvTGG;ohvdm^1Z}63#f9y%o+A~s<OSlPH
z-Y9`Ze~RQ>0oB(lmzqL9#;UJ@Ts=Bgu%EM;k&8WoJl4l9rWWDwh}yM_;|^NHrsKGA
zyG#L;EKa{BM+-6FM#;jJ50%gxO|KG7hlA+L?)le}e5Ez-vz=0#AjU5wntX|HT;D*@
zHty-AG5YGherHvz(z8^@S*TEVttiNO^HHHmAdlU>e9zU}s{+d$0>4rqP$0hr-c9nU
z@KI#Yc;Bd9bTpxe(hpldYkCTEo0now7YEpA-51EJXjAx}*kES?VobcASI&m+?mRYt
zk!c`fRsrSvS@=UWM|f7EE7OiSv+vpePzILj;)R&fL6Cyf`%7})xL^Ea4n*}g(FF2s
zSg#H@(kTC#ti-;a%g~@L;=O9qW&OT}Pf5U>tV_7u*~?OpL14**VwtzaOf$a#Uayj{
z|1mx~L6IB;t{Wh5MO>f2udy2yx5zc!w|>Q5D&m-CwTdf&XT8D(k=B^HhGeANzJ1au
z>T)w+L>njpXdU972JUV#)QjEJar+u~h6AgGo%x>~VXKkYEHj_Qh!icAPC`iX9`H$M
z+}$xm+DNUf1F;jcc1G4to<ZvPm<87?3a3!O{WExO5eTKfdWMVhIQ3}#d;o-^bWPd-
zMU_NF(k1>}3zh(d*wS?21J4l)bWfZ%y}u~PidvEQP}#MqU_3}yk!vb_G-j&gOoYbK
zy(o$P@&|aOc}=VYj*{eQ)o#NYO>OT*g|ZVtjr=%0jSLq3=8-VuNG+PMZH=>5+i=&T
z*c}cp$%&;s=Dlt(wb?&1VxP?yy|tMb<GpMSK?C$)r66*<qai9)#FA$1j&+<^r9GJy
z)#VD>d;8zTg5%D#Yx&V`PJGY(%e_-=C(o0u+=gd;+-q61;8zKtSpncKpv*r3xo<|u
z;%P<QSYDIW(mvtqhWF)ePu9B1`XBaJl&$xzn^-c9D9*3)xlctD6c!mU5JLgqL4po_
zj-->*CaRZNXi=afeP0Y;#)ksNaQ^`=t7fuN16Cj(=!M}2`yX5Z6;ilT4+Le9;U)%1
z&<<xk;IhI2NpQ*0frS8<<OD!WxL*c{aIg5kX^8(jM$Fr*aGaACa-0nSv>UkMb7A}I
z14wTV3pQ`je^LW;rO(M?-f&*~$uR)cfc)JRW?fVrU0p6QWuNHYuBlwbJ@@~u%>VPs
zg<eU|USeeYFNgL>tS3cGpH{$r<1wD(@!=p^(X2TPRM`R?d(fj%GsgYnKyushvKJT(
zCMk2{@4p}yXd!j#FTxA6{9apF5o$6#Z|lGyL|`I{P=GCYDUMqM*Z*!UF)i3eQQHe@
z*BpHIp*tRsS@9E}*!k8yKI>zgwRh~hEP8vai0+(?@Yio?LawQslgq>s&LdSxGpeHw
zhuK#*{X*(y>-ncg+3K{E*ormV`v|wG|GFh&9e2)u!*4*4Hx4d8t2|j^$Be%Vmv$(g
zV#D~4wll5>d0^fLmEP@>uP?t{=z8RPd{8TA`pR!?8=-D~;azDU{6tM(`#O~)sp(l>
z<M!wy*^Hw~Zl^gHXOrE=^-J|C7st`<hj+=l?yQL4unIt0B!Bhf*x~UP9n}SGT)w!_
zri_1g?I7gEbV~GH4m<vHaUqV3<n9RFyTA0_TkBi7xfoZw4ij^uPzk~gVRamKW|A}J
zy<b|os?VvaE5`V};vjYmwSXi6^!h0-ej`ilbEd>N-0i7HypAhZ#k1J+aw!W*?a0Wy
zl@Q)}R)(kf1$iZUtrwH1%*rUc&$_o7`V>_Vx=2d&v3?VreRr3f*l&7`wg8d(=}f%m
zq&>j>o()E9%8f4vj^^^}amjd9JIw8(qF%`4pZqzOkgBfOqh*xsb(jT;0O5>~rY0Jb
zkTbS;_3gW{;-H;y0jhM3TUpx_lEm$Kro>D5UBxpusw+}ahA*FW@^RPi-&P$Rbi<${
zUQ=Jz@Tc}N{i%6jrmwr-!Z)yg{>RN>W`QVar_JYuOaUF`Re=dZ_s-;jEl>SHJGc4$
ziR0Tn{83EPGb<PPKYOP5kMd6oo_I!=ZGJRwKio&$60di+x_0K9AU~~2P~6|JLM6VE
zq|1{rrFtS4rmt^Y!FPn#7U2s|k}Hn9Vtdk{-`<e4a?N*2k$>fvItFfV{|qL=Zb19m
zpXV8;Z$Sp6kFl|;QC3Y|@UqYDa-Ew2{%R4In+0)84GzAwu&32I$1;2UA>-LKiu#++
z`MtrjRWhL{JOBJqpO@Yt=h^Sdk9XO#9WErRzLcnp$k)3^ava3<EVdedAZ7@Eh`9T+
zLG_I#sV!<%QYY!$z;QnPAp%+OBW5tI(!yXvroVNBpW~g>P@UGtaO}741f!QBGQq{Q
z%me5>^jhEyTS4aV<n}g)X^SMurMb%#GST~b2U~O#FT9!!0E+Z4{c#nNe23G)vyVzU
zCVHgr(N_qJ1J*kA-UOWr-{1TC9l`Ed+YF~nc6s<R!;N86PmXj&zxgW#8JT|3D*SG6
zgX-=bE9U&n5~qr8JFW!}ZI)Rf2?~a-?p>idhi8EW!9&t|X=SM*11&14FV-LVOeAB9
zsf(lOE)KtZwM6K(&M;133=eF)iY77n@Q(}MNSA$>@;SHYe!ifF0$OlM82=ypx^P2N
zy_qkeKZl-BFu?E;X`BUY*U|iA=O>r&jT%DUn;3_D5-B8n|0DHRaSmzuAT4se7*o5`
zwH5VOkE-&~VDxP$LKsAWb}HlrlmAmg*^pK>qFQ87PfX(Fxp3VGuKbM3iqB7W?Iuyz
zvD*t)Zm;GFe?GPKw$iJ(66VWiV$__Vs+fP2c2tRJFMel|JQazrj*KzCnNP!weo%9h
z0MfuU0_kRK_jn|9HJnZ)=j33?e%F3qH<b{6W?%4gU`c#gLNxNhnQzc%)coyfU&I~M
z_3dp6Zj#|Me-3Lh4jU9R$%XHotZ3&c7tG$?d~6?Ep;pd^HszQkbSkMB+x1}^nxvfd
zO;*w3yAULg%Xw|*E2=s~(v!O2ypeRquI8(5ZDP~qDl$rJef!eMZ9}@gJto3DlT<3#
zZ*8cY95~?fQHXbyk~y7;+nKc#x6q(z>g~+zyzkF7gg<+>nm1h5iS!AJg})}kw{Fq<
zd6PjP`1suEYkUElAc2#sKQ%?WTN>9tubR=cYIW2`>>>7ILLhIhKtZ+KqA#X3lnyxh
z2=T2$l&IJ4FZSdI_oJ&-Hi@}^7~G}5+ijD;g^;c5wS8;wZ&X;#zX}y`=)>iVj8e*@
z#28YHm=X-Ff<Yj68tlkj)E4-IQyDida9<a(3*7W8I^CE#TlyB&dwLaW$8~~89{f?<
zeVoDWBpo-3VLsaUZIi6H4`Mp)|3k2sl(suP@Q$zdeE&7IzHV%@=Oba(H4uz&^+2Y(
z%f-hs=O@v>F`aEk8pTFpN53;A*xYRfasqS1VOBqVc7B@+!8T-9vhkqcw3Crc<L#)}
zl_GX`ZuL>$8uw3k1W(@swn$C_029e-Ta=3=OC2`a)p}UXzGmmKmCpA4Y>hI*lWUzV
z*x1fGF3i%hpIydqZe@~!`@C?e<XV-At?L1U=%b5spYm?wO66XF&U?j>W~IIuz+-ha
zMbj+~7V|5{YV9wjaVjq@CcH{|^q)jVC3R){yS8{|tOOYyQ+m)r=%dCwkk@r^`MZam
z?r%wPo2+Ra^{vyZ5JK0(U!d!wFMM|uJM5<AjQm&iXnfIxxX#xBA%uFn@~D`jiNDv0
zs(@S{kFzp*qdPM(Nfs|)4|MNbk6ohk=xTDSUF;VjR@fzSOR6mGf08fJa8#RqNf-J&
zNJo0bbo1anW`5hBQ=(7A@R4@j>Pv;}K=%OxZN+G7){dE(i!XN>{=r?6-LB4ASn-)h
z<QH!Pl3o^;mGg@qzd?J9E_Z07>IFDzp@3DZ06U$A6f46}{<<JKcPo$Tjmg2K?ThnH
zT>{A6MCoxr+-m&sCl;=!hJlq2_;7v8O7@3?HkiaN)mXh@71t5-Pqi0+Ng@lN%p9Z4
z@1lOYLcKQ)%IhcZNhGQLzS<}EVbt884b5*K`Af_h$IV7>n!F_`h2CO%E$A}cHz%BT
zUjWWFc=wkDdhzTdJ5FQCpw=kos)3|7FXmyrwO|(*YT9yv<d6_U{;aSwK<N@R$|!AI
z0#vJ(4wARGQetzyK)&GIP`_&w)exI}a!thM9?E~{hzKeh(oeO2!b(9w^Ln_L2pcte
z5xM;sFCZC&{Isl5deM^#7LtoUi<wdfgO#Y{Of|w8`dDgl2^L15o<(Med$ik4qBGAS
zTtxBrT5!Fx2zh&THfue~!9FrFQ!6yD4A$iV*sBsyR*@Wvu^Z!9N$DTZRR}9b@kJNI
zH{4?0?KMw+=nIR7@})rM<~V#iylauNt=o@FBW{?&7uLk3dz>20o?1Aw286=lkhCm|
zi*zKFZ5<#t*k-oGOzS<G^Znum$=v`%QMgi$Za6aP?Y3Kd{2;|hH3k%{`Aq;Vp?<Qh
zP1SX1Y?!debTT+o|JcG^D8FS^Z{hhj%{*<#n1IDR*LQM*dZ!I{-NY}JWydK*W2w{T
z<S8>$cPSQ)T^b@J3}*UV&y<6<$r--coLhVsbstp4>8g371?+Hj+Wi4(ujP97n=q?n
zIb1{4*XmqE_tZ}M<0&nlQyX**<>F)`u@Dob-{n(M`w2x=C__d5u9oWTTK%>$qaRD(
z<VktPR*0L#>Aw)w_St7ZhkYJkcJN6VD!;HEt$*)~8XGn1-k<6z^NRpg>SVeUrr1hw
zQ@hgK!o}1MOe>v2sSiSGVN-+1B5-{sSh>eYdu(QdxBB@uHS!-}AGkwI3YGcV{C9cc
z-8aRUDs5gm#XMhsNlBq|k?;M0!U&H^-_n!*&+#Ri{`BvAmN&1K<hh47)_Xc&4t^hx
zxv5;)@WE@;@VR&CdSzITb(gI1ee7`{sg`}zHRTWlr)RTm{vxk96hLXMm3#eZU5(z5
zgnZ13|H9)3(_h|g4y+F)0Md611SckIL%reH@K{Pg#g4y!V+oyMDux!hf@I~%v?XZ#
zh-xB)$lbS|ZfoKi*ys*SKee%9_VR=6Pk4<EJ~zSKU|U7OLv6Z<Qwv>2?vDWGe`$7(
z8H}%o<4OgmWY_C8u<^lJ&tzg&9AbMpA_V{)7zMh6C6$T<volY9C$i1w!=KafIE5LE
zvU*YP5C<qZsmEqvPHRJwGh5;h&ow&GV`?e|?Xu6IgSX^_Oe_<$Cxbk6T@(&JU@Lva
z?bvEE8-;Ss@7`p3Q2V6`jpMWP_vQ?N&-+VD*mn`~sbQgD$zQWd1OKpZKcg0QNBrT1
zkAH4?mQRH@rit>1yGk|;@W5&@#;1F{UVo=vlz|pL3*}RAK*H#JCMq1a%>kqQTI@gr
znokRKIcs%LqMpULa-{4WNPA%=*cY>QCj@OEsQ*vNQOK@pWJALlqu1^NW$(lojwAQG
zz<MmT))@?<h#*@~X1tEbhgC+&@UeH=nao6ZP!~Ck$gHGuf%bdZnTTfM1_8z<!Ci8w
zG#~h=s|_VcpHf)*<i&>fQ{{t<!eZDx=Xvjtr3NDRh)5eM!*n{xR_o1P#p%NP+LU{n
zbi<BXnc3sz7K#h4p`hg>x58!SO?;_oWWh8hc~3n3<KB7{bFxcFc<#VoEk;gVE>bPq
zD5A>zxM2C)1f)=K=^i@S+}I#rX1KAwDl^F&Mrx(Q<;s}<%WW<%6r3HA(Ji;i9w*1z
zdgKABn-gw3e$UIxt5@T|^S{io+-<UQ#fEdO7`sVkc7ZK!v`UVSx}PZ3hJ6w$C(PAK
zS5=t5n4Jv$QUDDaL^D}$H9Q=9fQwi3GxV3o$w!L~4Tbsh**6o0mbrx`X_;F<&Fp>$
zxx^Py#9rLwK=s>T>P=$kKKaQTCLS~I&t@J(OjcA5XX<cY|4AQ0D1+hT4HOS5pG<6f
z8yB*4?-&#I@;Pxp?CeQ^5@?QzxCI;Wzv!RE9!G0|e468+8RDh{_SodrcV25r2n7ti
zk+{kf36SsoB<w~*2<|3&+)Xs#Cg~T#C);V1xISIna6p+6YTnoAW9>s#BkF~IB|0~Z
z?(6+49Tbo2bNQ)~YxHxcS>x~%E7FP{iV)rSgl8)J{|h1UKPUJ93oVlV|BBy&D_vGp
zgnSN5$}cfd^%dALA(retVt(Yk%)Q5&>Qe^3eO0#a+3R;(E~PV?y^Ae7Y5s9$Zw!b2
zeJ-v(-A)E_Rj%tjMIXi<u1a+1S|pp*7weX19j#Y7%!sdutPkaWs@;mG#Ej-A#BbY8
zic73_Od8`o)IIzpPKPBo3eKB3T9@%Uf?r$q=F*3&s%JBB8m@;>a~&+jrEK1f*=l)O
zazvJqqe(71wIvK)jMe+gnTp*^gog|7JFdO_ByqV^z3hzac`{6J-F+1Au<hWCz-^s#
zeN9^yG-NNBp3r?3c8i_am$RJ!Q$wdFC+C5}Zq)mG`OI#YOPxw^kJg0LOu0elrM?%E
z{|@s_@59*b@pGaym8lp1o%M%`*d4c8w49i<EjU3$pq{;zX752C;BPx4aX)>_Y~cWW
zqtGUND)l+^`=$fa`jFw!VDYs^3HUZ+j;4n?qBd;kUQ28Hfxz|s`y&#5I>&o7EPd3M
zs0~MKjRQj6xabgl+yB1bkCc|<B;pLkSa!4d*4Z>S6t$$7@A`iyHd98<dR1pBQm;)`
zmsjs^P1Wv<EG4Y`PJBvnd^-F{WQJ0Hb%FJV(atHKb117B3hp~shWuBKo4VmG37aTE
z^`QMVO;084^zo#yI<E=K(h)g>Q@!HALYwaBLe<F$dWF`P%w4y_mvjAv8z{`uJwVM!
zj_Wiyc8kUfaCz$2xaL-KcrCGXIIY7S{NJKeI|u?_`yW+B_tK((ULbFvr1m^m=%Zz{
z*~0raCuDWoL3Q7?=xg$R=a2ZlpB$DB@iktfosnr3Y`CcNqA+{@yP@L;CwV)dMLLT&
zUDUadVM9zUtsMsfYFVS<LdMadsMwn0HcXDtdok&0VZTXTi@}2z=7R@E>cq2*C@lGq
zrZ#o%st?CJ`k=Dz*|`wbXl?27NWr+2JuQ#)L<b5ZkR2Oc3>Ff(Ck&D{I%4obG{!Uj
zV@E|_Q?Xy)B=1V9V;2Tm8>^-~C$~C$k40&n4>akg8Ebr}+rst^^|t4QLiF}d?4m|L
z?X!&#9#5$oUP(1}nBMyJXm3B)yq>7<b$D#oqn8mTpRkE;c|)VD0W}T(u_>{FEt=-z
zzs<hgf1i4GBeNWfzU-ueek-zRk0_sw5yjj07RBA=!;AODeHmi<zS#K(iu#(xzBT;O
zEWtdv?j!km?_?A`@hU-RhI+(BPa$#EW6AprKZh0ZUyD-XA7<BPUsxd^&RJ;F?yTw(
z=^{Rhz2&YBGi{_jLRBI<(Y19F#!P+2gD;3eC0IOE9<Qf~x;<yl-g;zBz>m`2sXJ9}
z{pcEa#s9SajEl^+O&=r0^gGCQrsyNLOLTjtN0s4^mG&G?!$lADc0_RRE|;%MM*E@E
zM=AIrdQh7|uk1O)I-P+wZ&UWhX!w6$Ty6R|JUXwVv+#t}!TN6veHrZJu8YY1S3Sa9
z4Ty{OU)+A@v)>v^T`N!BEFI$g)pz2G5Kgg0SMIPBf6LbP^!JN(QKF_fGVlL;l<HC8
zy8gg+rZpIoB&u;Z_Kl%Idpe-ez0M|V&FDny(n#SA8pjY6AuNn$na8>3ve%&3xfjKD
zR3q^vnuFt_S#qza{bR>>6I;R>;n(R1aOV7yYZ@<SG1Wl=qfCLBgcZ|mMYxyAnEUAr
zHR<l0KBQ^L3!VJiXJKYpo|f8Iy_O}ZboGlM$@5-i%$G<eMIW$G%A{*3o@p{p;?+KC
zA3;s6j?94>uXmKH5^OwX0iyHt1h+g-pE6H$<o)gItTn3_Cr;j0$cx?I9Wv}FBG?Jv
zJo)r|xUIfc3Z%iW?bo>&w;tBf3(nI=EnFP5aX)Vt%c?z|7M7m46qd!<&2Bw+m0=Lo
z@j17+U0LXb#Ek8#T6IZ9n*;w#mhkE)hsgA?1!GUJgj@2Z$GdbZzSjjY<Pjm9SH=B)
z?fOR|2-*&viYM>yi-uq1xF})GX9tW@XBR5Iog?4dRs5~1ABxofuPcpu<z{j7GeYK;
zTVH>o`&qxe@N{ai+E3(FK`z$46_E-aLl>>WKJuand@pSBE7&pb{YIFVe|@(+Q&Jn(
zfHv&fWuJH<l&i@Valb$x%Y-*4i4k=UGqsrcnGv}}5&MVk0X<e$aIGuv+WNQ=#c!i&
zdp%xA!;8PBW~Utg>i|Dz8`bJPSevO&ITANOQ1LxjSxk%3nL*6Z+}qpAN#m^BQue;<
z<v%T!<-M6ds#eiAlu#@n7{1M5ynUIZ<k7(HC-NItR>bSCjGQQ3C=wV?pEq9WpIvZ>
z@|w8nz4oFvcv}dwarkP$zNK)0Z{z5F+a4dLGCQO!e{8qUi%IZ}NmQz8&WXOP^^LbC
zAb>nfT;Ea($_fc{N%Zk1&eqE~#LN3wVNGqIb#hP`RZP&9!q1Tydvy9h8NbwNzA)t}
z?{8LJ=UT>|i*B#ecjWI4gHNzz;^(dSx{Nx=<Kkz}uFWp<&lk@2U5cvo{VjX=VZ_AC
z*Kn!O`{?f}{NE7v%xgV1#j7kyr}SO<%S8*rb&;9z%CqV5;3?Dx_Al=|dv0>Mj2b9$
z7Tif<mcDO1LL64SsaN@M_b7zyhVuubW%H;yI>9V&)$6s*AI$5}qUWt%-1<BPsLH%q
zw4@THuFw{ysgLL*-js_Hm)%LX&P1axyMdt0^7&8gYGdQ|jzZ@B%cW0o!4c_+%pi#B
zI@vXYzm^dUDDpg3aCu#G@c!JqTXCn6F6p&A<+)EWovG<b+Lmk<yHo8AXE*J>U1IwQ
z<xX$NqxopEy03GSzVrBOioo+*nGxgq`N%&}`k5D+_0&-fh7j-2y@G)^O;ntfUcKS$
zg?@EUR5IQ~jv0JtM*oN>=$^dw%Va06$prSZ9?_X>$KKvO{>v)Oog>LEYz+ac5khB&
z!#z}Z!{@|`&~_c)wHLp@9-R68Dy?9i7PjYnAQw>CaLxbv+jN{N>CpX3_;X)gl8XlH
zDwhzJ=Xg7*jiabH@C%4@A4EEE)rl9f??Dq%y>x$i*Zgj6tPimid-p&7@ViDZ_G16%
z{~7V~#DDnqM2zSlC`V#8HMg$cEgoZNI3%$YJGQ~TeKpcYO?KmoJKjiShYPF0T>JyU
z0g`#xK&}65j+hJFN6RHvC<{U7Xw>hv9^&S7?G<J_8_zwXj)S1P@-4v;Uu!CP+Li--
zE`Sn|n+`veirctJo@YEQ_#{TIR=)i4?t=cym#7t2JkF7KA}jABwpzCOR+0o74bYqK
zS0ti5v_7g1T(|nFtft$LYPbL5=wz|RLaRNw*q&D)vujHk&F|2l;Qk-vQZ}98m)ulZ
zYR_JvjG|UWc0VmRsZmJbA%F3=YxaY<pB!DuAYqjbsr}f~sk0+<<Oy-u8c)wt-{m~_
zk0x&K_l<h_ySYvc<{oWg6L%$_G>UU$$(Qv?|JI2QofZBUVMYDjw=AZxc~0A`R~Mo_
z^QpBXGw@kkJ16;vZv4~n^h^U*xUK`un2PCeH+iOG%EG&qrOs~-BBXCnu`Vf=CL4Jk
z)8F{)jzi3K91JZahayBUo!LEn%Tc++47&-$U*KurXu!7Bp{j_`&cIM8udu+*%}e5v
zR#QuD2jegQ1qi`;wI(K&lq0R1yN~j>#6B8M^kI*inFCFZm4G{BXr7^e)#>(@pl!8|
z|DKI_oVIJSw%9o=Z0#;;bWYku$(Tp;6EWHKo|5U~j~>Epu6>oW%D$j?Y=17C+4ka2
z{0+}X$+O>}#1yv-s=NF$@P@#$+#(*D8Var|0j%_D-WcAa#*^I_k&-#H`&x`NJMga<
zrKTs&%IsEilg#bj&?b`r^5*4+{MN3etzB}x2Z(Op=bQy<cbjgb?yNBgN*5U+CtT=-
z!jlqBrDrXO3yu=6x}``Q#-W$OO1chn<ch;NMuX|ce#RWpZZ)~TSSUZ86kqxeI&IN3
zuHZI4FLy3iN<bR4sv6!0$792)#SX)<8SB$-n8OzTuCu;AeuP9luPVb~+X)7o1U4P{
zzK=_kXAs84g0l?Xq~ZRCMK@Ns*PfEy7+}zXDKUDip}3ob#L=4`Xnh42&F~7}ebd$Q
z7j3gm3)|nF%$02aQnUz}$Nd2*L(l#+DOWnh>vb4OePbU?f_Zg&cx9q^sR+pa5X<c)
z{44$B#M{BJ#uMMOWfP0tj@@+2F!~>xqI{I3gya8PKUFCB4~4w{56tEty4We+*C^SI
zC}$ZHJ~<&(;hRB~_|9qQ8rOL`4IF4g3d;<A&EpmRpW*fHyDAjo)V`IvR7Df_Hxox=
zL8qlWjz!abFRa1Uq@z;2P4LrkDkizi>BOVVWgG9vXNuoybmNu~_A3?OOuvEFu-VDM
z-kF&YkXA76o0>-qL{&(1xxzMW{)ZfB>GAjxE_*OjG;FI6^Pbtf&Ef1_teN35Xgy+^
zs-1`Squ&XzrCxiMYIpL<aT@kf;T2eMH%#j!rN&Xq7ZzK0k-}hChtZ*G*`tDoW1PFO
zc2DL!aqLuwP<BT(J+0zY<U1Z()cLU*$d@SH8dQ`lygz4(IDNJCC8!3;(u($!Hyg3t
z#|Mov|6&bdME%7dbuYIqZRf!_wlcpid#}})b8c`jnfnyOKtfugpl|E|j#Y_1o!7vf
zN)fv5IbC~k;NS&2zA5x5I?0=|bZK85By);p^trO1Lj(WGahi_|J=z-AZ|nYF*^48Z
z@o`72dY|9J;rx_`6c;CtXoNDdaXs-v-*dsyO{E{nm{~O|R9*e#*`f$HI82tDCsrJu
zrXptW2)#o*6`UR+Z(>;oa;E6)B92R_dXdMVh5Q??qh!l+eXMl$zD_Oqok&gVAeFLA
z6S%c@{(TO*k#AZ1HuAeNzig;s<Cv4&=cAyae%LIQf~xaZvp3Y2^pCp2q7=i|$~W$M
zbrT$rjq^SGEH#zkoH@I3!QbHb1tgQfMLaD0mA5JA-n%kBdzK8V!i=mu)@AP6^=P-S
zL4ae;C&~|pV*-iXY(6LvY1~YXc<yiCljYEpaSt4Xxi^Iphz4gMc#X*!MgK97hB`Ot
z$Ft;ODcQ|;sAc^GSuO<jHP>Kzn$-ms-q~+Ih1Wlhpdr=jn9|;hh(uF4+&DP*`;?J4
zRP2>jek<zBXx|GUg6R-RY3_^9p;Ctu!J!UJTp+6qE<oRBbm%i?bMUPj_%OobLKk1E
zbL{K277sXUfevakq61Uh@GbSyyNy{Flsww}*Z5bYt*@^^|4@AL?VV2oEfY2VYFx;R
z%%R*@&w>sl1|OqjxVm`!bpt1H$C?wEJWeEzU=7_m)v7Q=F2!Mq?$991tKw9ghRW7I
zj19egn=LqgOyrD9cwZVeqroW#v$2cwuE!T=)4wn)C@x;cqMJ8fN5ki@fxbxGX=<-I
z4~f`8XWDlEh9_+XZE6HXU9F>S>@hgFSLd(O;D#s|D;eCNup2H`WFJK8aBVIOY>w{0
zE-E-M^G$|jCNt{UH>2`K|6vEl-7*;N@)H3c3vA>;p14^rH&485eydy0A_F+Cny}}j
z3lw5o)2Cc_p-}xppAK|y+IpEE-y5&4eb_yLIrjXm@o!LI^edI;6cj-?cIOu2{(1=b
zYZLbM{@WpTALraw&S!lt8}TFSfyuKw(4YShak@2Nb~Q8vSjyj_HqbzZzXZB?pBkT~
znKT<Eo@ExaU&#2m9gPo^_=#m}w6u=)vDfv+=`=EatC<;x``<nodx<-$OM+he{&?c1
z_hww~K-yINjrZ&WZ4Z*IyMEJGf03+nE22o$`x+c7RrB>HZnN!<uxsVo*J~9UxCTj_
zuJG}S?@XS2AFYly7(<3?{!Mk)AB=xm*;Oj=G8?n6_%iuA=^^v!v((U&Pe0RH6KyKi
zAK2SwwSDRGyZC;(2`WRrM;-v92@2d{(>F5aT0g<}uSG7O<oge_`0Rt;UIYG7U~j+U
z#stSsi8R3cq{Y-5qW76u3!??ZQFn>M?t~ofPPidZR>}oeN)%YXfz#yaUz2%9bxmf_
zbVUU?eb)G|MrbzdXqfR2{vW-4c|4Tg+y6*~e6kkFPEjF6*|$X5Rk9moNoDL?c9AXF
zk}Zbp`!ZzTx9p?HzGpXfF&H!RJJa_4KA+d``S<ac*Uas{&$-Vz*Y&>M@9VngF6!UT
z<>4OAzT&di7ujGic<<;_s0UUr!O)0)FV$_KtIb`1^pj`#@GPY)?EOztg{3gPIzam@
zg40mf6xqlkab)@gD*c`pS~ECCCXbYqZ1)&cmKZrYs_x1KAyhAhWc}3c>^mpqySk_R
zSUoo<m|i8;?JE3<=f#8@?rPnsQ=U0q*mHZ!sFNeD!;u$XkBI!Db<XD$-l|p8--k~~
zTj@XPUL$lnQAUdPRt3VZi)O)V4<FhJP@B)87<*BajjVvfLBbxYdmV4zcPK$>xi#;W
z4kj#&k-u3ax6_QiYkwE*CUErbv;9-GmEp*;?Y%6u$@A*WIW2J`SJGQ9Tr6_TCXief
zWaVG%N~G7Ot~9Xrx2=-NI|@Xmq!~qfhg~#V$5-T~iwy^>h85W0wC-6SRn@v_3tOm0
z%Bve*F1pRk?Ok6RS;}?3yepxB`6{h>_FK&E!n-buduA&F?QI*Il$|4;_(+fns#hUB
z1!}<<1ntV-Ui_d9n<(T1N0$W(RX5?OODYN-Uoy9xEONbG;;F*RE_7zfn?`?HrqD6R
zGRX5U2WM{L3BvWASV}(<UVcwJ%4;UYBD2$Iqk04kdZJTqirGD?G&5+us6n5*mFs?&
z>{=@KLhkT~7-p4<`l}7h!bX>j(w8cwm6dh{IqdJ|gJsHal6)fkqFH4C(;6ds#?iN~
zK^^lLw-l31W89K%Ie8W#ZKW~jp($jQ+`TBqE>spba+N};;nicYK~BVTj6mH+|JG4p
zh(k}oilTJab5)eCbV`u3X~;K$Cj%(PbyRpy`EqFRD?sjeO>rA>)gwA|$s0!Ny=_rq
z<d`{^v+wzbY@&>$MWI44{%S4f-1RY+2RKZXcef?07xlJWR%lT&{a!!nei)NoeW?Qm
zR@A}@_{?8hMN<pv3be1yA$KPjS7~ga@btJ6H*F_sqF?un(gG^>t=Mr2Uxl`ztNHAD
zE_aLXVk&pY3vH~{)Wk*D*E;((CQ;m;w7Fb*^3_iYbUjw=k~PBbto;I&LaNA5Sjw)L
zVuiLoPOVq2R@f-bJU=7v!1^BS>%gw)Yh7@9mzZR<H8&o+h7mZ*pws~6y4**YT^@&p
zLOUD9WVK#`HcMAyUD*rP*w76QNvIS9tt=Qh0m1RpdL#&E)6y75SKtOV*5^CEnr3##
zg?>8k3_2B5<!ifJsJ<|2F#9%3Ik5NA#G%S&$1EOZJ!ifga6d#g$N7|(qo0Ael#ch_
zRMJzYiW<Y{PV`>%8NQ<E?P@96VRO^3C*sFbvrY=+E2M4om$n(`Qn7D(Vf&~B)b7z)
z`Ki2*e9|QH0mCK*PS3>A3Lj$!c>^Pdr1(OId&p2ngtXfGtSJNI69p6qg-eroRL0N`
zw=#SjLP5>)k#^F-0>r_C)S?@e2Ea^g*I(M^r%gg#rkdEw<-i_yu-DBKdKVdg3RdGv
zWgT-&rL}@T04KgVx+1JqT*?CWBqReZ<czdiVtEnyOno|KZsT1l>6pTGR)#5)F@q14
zb2>FpmVvk-dGbZ2kfcfY&C<|x_dYrSVc9nYU(iy0B2X7bL&1Xj!e<+PBVa=XJ>DG7
zh?a2NJrtM~mW~=5yw>^lR9+7g5dl+^C21`33KnFIVJmpW7PU4pL&wnsFx_Kn@N#+=
zfV+i9pyR-fwD5lPSK$Rk{B^$h`RX14rt49w22Zm*{!*=Ak|7m^rf?R}(8Tq-QL@ee
zN8X$x@Hsq$j!7acLqo%Tnp(`ADX;iPOc>m1ifm3Tu@H?Zt)9&;yr+7?Qn=&k*+4ba
z%7_dktm>-+Dq-itK=jC9wtHVtQ>pv_7t)2I^lVCM6{QJa!&CB)f_MB3oYnLhoHW%1
zJ0}TVt;qpo`u}WHK_6bv4(exx=AChMeSy3v-p#T8YJeVh<Bl%aU{~B21Yte~V|CHD
zvNb02E4I;DNtI$mLfcO1r`d(nfRBb1xsO(Qjv5YADjdx!aBqJZy;*kt8|B!ej|D~Q
zs!%pGbTSYUa_+^YSp1=8yaY~fbZc4Deo#}Lj&VTmT><%0_i%edjCa`9r_<pFS-QgB
z?7dlDrJi^y^*T_5#4v_eaY)^4Lb-SEq7Auhq+VtaN@^T1?W~2-%BOz_Pov!GR?NFT
z<5wRI)GT}^g7%s|<ELlzmL@<cp`l1I;1NcC68)M<ZlR!HQBi`B=<T~UqPY7=$N_<D
z7Pap3U;xhh`Gc$g0FL{cM{iiUdOmhVZ7D`&_BUJE?TuB777OM3mw#Q@S<-Ir{6goj
zP?mkPX&vpqyPL64HWyNMI=rDgW4_Pmg1}V`TxKuQC5*J7_3H!)0!$>L<ESBKEdqq;
zW^DnfPdI=H1fhkt*wBB85YgFgXlGUPW}DNU3<VdvfH=w_EF~b%<+bJ7Ok5DwG`MXb
zMxKdm9?i9b#@qI>G4xkNIZ%olu@>p9Zarj+`_Mi0_D6Z4b+mB%ip*$JlU+$j67NuG
zrR%ej_r=c`J~^fI^ii%WtqDNi>~g<BzYrG-s91KT>x>FVM$>HwiTvIw?2&tA<CGsD
zc~W`}(;j8dF$UjqYWfjj-#A-8Hv+Eym$A+c94ZUZE!sc3&{we+^-w#RlZ1l#Hq?V3
z)1pl1i6tE6OK8ltYMl2<(_-*j@__QaWt9X|E@Wh{_<lz(G4e*Kt>I9qXGaDT%**pJ
zuhW6L1p|w)qaVZW#kC!A*+n#y_N`ZsqB1iX5fxe@)OHn3ndVyFLdP`XZdM~6E?VDh
zpC%T(R@wTtGlofDvE0~w8(rnOv8VF=+__#)DoG$01Q+7x=2FY?>h)9n(ptHTyyp?F
znDcw{LsdO$hpSun|Ad}O9d9#Mp6#!V_E*}OT3kgC1W^mPQ%tGZ662N0)nUm}S;P7Q
zztYe3>*V((?I+=r_U1UP(c^Wg(fTEy{IP=qjk97YCh~{dI?I>Y9ASCRl-84#Nw+K?
z+_z^OdSA`0dHZ&Pm$Y^&3TR^Np3Aq5jVxEmkkoPxta9q%OFy;O2ttIokYh={R*4oC
zQ@%s*ET&tC>C8dCn;b6!B7oG2bd%I&dY63jh5d}Xp4;Es>X`;O*ZWGES_a7FN_qGY
zH%s=;&J)nP0BY=!+tUy?dnd#DRTdrU^EpOFh9Z$c;_)5+SPY%orSFBq*3EA5q;Qq_
zwTUC$^TtFYE&Eu&)D`jLJ|7l#knp&4x{!F^m>#dkf~AKQ{iO+kZq|S*@~qa3u@<|+
z=)#Jy#~lAAxj`6JFk!u4H%n+TVB=jsaI~J4R4o=edew*-$JTles613otFy<2-jNLh
zCw0n<O}8l@0bQvC<rCJ;mzQ9B3w>vept7ZU{TK<iSIipA#MsV>X{I}uDLq||n-cP<
znSQNnj@qvQZ$r&T)#DFw#x{;J6tZUB+Zi^}Wvcb5|4`$m{sev7yk)=YIQtI)--pa$
z*T$y@GvM7i8MwRSd)3}a8zge#2eXonb8S3D5hkbdDvW?CiQNCI9D%7H=hi@jpw_?d
z_B+I0{nql|Iv<cBrBR#tBbN1UD`p&SWX!R><3;bFzhaNhY*tCPZ-+?adYal~blBgR
zray-zSatk9AfI0H<SXl&S`_{>)xNl{{YNq|`$owu23kNa?LS0UAe~IQwg2$;K*#Lf
zbj#?{G_xH(Vvh>`Wc6ThqI_NQnr2?|{6uMx>iFjUU##B)5V+m@H&{@1!X^%tsRlW5
z)2@6eesg?Od$hQZQPzv^l&gh}<81#7KyDDtBF2^VE%#|Xy2KoF4lG@N&L0!-Yas{x
z3x51!@)gXmua%-jUtI`rdkF7ddtda2hz$Z^)VKA&?+qv-w8peXe<a(E{p#3I@Dl9y
zXw@aY9u|VJFa2lisYzZ==@jfj6u&~iLuip+S?(^BI-&fpg8Eyl<&%ZI{iW5Gq~Io-
zSbNr5uaB4W1ES%l5X{ct^fV=7BQ@#ZFTPlL9NwC_o|Y6>ZOAwTS7`-&p_2I@l^2w3
zZM=EBgirf#S6!2xW%T=k)WX=29NmSJmKA;Sl6y`kVBc32{tkf!xhY1{(f|9&51rP}
zYm}ZI4nBJyUY%F_clim_jSC#2@AmtaB}m@wZ!NB<f8&F+KTI@XEuFzyf++x@mKy-S
z^5Htzgw$$qo`Vms;cs~~=jSMM?goYW{nDnrhACOZ+2?7*yE4~zYyQa8KQ;FM0LU6x
zwmUx}4K`kHo0I?R!2H+t`zd$-k<)&^H(+Eq{=C~g8#K#10FXWqRDZzw$G=AWZ|@D)
z63!8QBKZI|DMi2cZJ4Y$IFGXo2oS%8{RWid6P~{sc9CIS_0QG*l>u;n6{s}E1et%&
z)@wMNMRJvJI1Yawv*3K~{0nPJYvuz#&x_{CuKzkO|089f(2VfhBF@|YF73GGz7Kmo
zQHdyhucKcMi>$4cu(;ZRCBYSOPe=Q%yZ54l4Cg48I%3Wzizs(I-uqAyOI%alm9mKz
zu`Ic-=BKxV->AOvo#=Wzh6i$aVD1p4NG$OBdqL`))=)cp<vk<X@CS(0M4hr_2WWwY
ze#ex}&cc?LRFO=&SDv6OPP#UXWsF~Z$a|KzX|Uu8v+I66565YphOm{$9Yvu(i8=S!
zkCR(5lpcqy+}*^nWzI2F1r|d>5##n1;$Tn%!o$&pd-bvR2H#Ylw+IQG(&H{=X&BVK
zmWl~)3!$eqA!2=b7j{6F>E$AwaI<~aw4J9T{Wz+(teW$%^C~7?1MY{UDN)6tHRrKb
zWgtCqN%&YzFVS&C*H<}wg@C$B&sF2uS~Ft^r7TRG)l`t6SQk7|qjbF2aiPv^WumT2
zL+QC(y*Abi&-GL?bcE-v^dy4?5{sOmLe9pR&_28~(EEKL<ZOl~bs8xm!=^!Q*td_l
zuWly>=%20Xu!eFZ&If&>NI5vRA#eqtQu=!vj<{GmGs(FB<5;=Yvyi;<PoSvy{M1Ed
z9#EvRa8jol+%bsqqfBSmvCf@x774^wX7^|qgnWc&K-$MS*MTj4P*Z>GnZJMc_>K|}
zY>l)S2NE=VC_iqGdo9Zy!n8x16Lzj!GOrYwu$3amw8mAI(<|VCJn=<hk+D-T>p6=P
zg5p%hMDFG-m;rHIbd1nz2Yu7S=^$pJA#V^p%8NB_Q!>?k;AV;HbI}gJVB%Ca6p4#d
zxg>Cc*Ekj?)-)gXDkI};<TCygo)Iy7vW&U1RqY&y>XUUGu|qI?8M`$8fm;8&;|Fi}
z25Wpuy0W<0_+{pal><)ZnMyT4EpA?Revig7tk8(7dsXT>Zz$uVYz8fdV~MBNZDaZe
zI&bH7L6>gZ#k}Luz-^FfCgIu9C9aVtcw<Kt`3eEex#dl>DSd-o$nD~bTNBSZ>{do+
z^Yqu=iuiH#4`+$13-GO7U(a>a9hlU;O&0>n-1fHvMz&~GB4zXI!x>#f+I4-C%kvK|
znI~5q)L4L=KFTWYOz0Gr1cdJ(yE$=Lma0KvQc=13B&44)Dp+oD(i^fx*=_^bHo-q3
z0a-Mp#S2SyQgAQ6=f{@_SDd@=b83xh<)9ZsD|74bLI=;D75>!xREUfAYBN}IdLlZR
zTOveH=|8vLV;{PC>k2$9)U#m5?9i3M^oeq_8HaPQg#ald_bW&VG~dDChEPAt+hBRu
zXcraOfdu^quH`@6hjmb><7uu)_L$Kv0rgtJSvyFXvIL0~mT^po>}14xE$dOU`i+~2
zs7X@9l_I$SolTq{RRSS1==~4%RD5G_B0LWMbTQZ^uoLeK?P4@(QTG9PW!{zTyIYVv
zQiOB&BGvfrF@->_zn6>7l$$49Wy(s6^Iq^7#4LsqoZnFv69!sFZm<TB_m?CZPi$$Y
zgWZ`@Vj!CCSL@-$XCeC0+VfDC{A>{qQ1D2Ly-e{>z~*NHn?IF$1=0@Q1~IElB;Bf3
z<UM;GA#<IVgF_1u#Yv}0i=ElQ-uE_!Y;!c8a4z0HfQPZJLRV_nokcmKvhpKPQ`0D3
z@%@vs`MZ3_?MvR`R3@e}KBuVo!Ojd+Xt$Y44hkgOyt}IGU@`h^@G-!+IX`ZZtD$Gc
zClYE52j3Y@59t-cG>uqpmo=iD?y8f<ZDLN<7ik#b($Qr3;Xe|4Ys#+IGgHfZA^R&d
zEZwBBx)mF^M4p&w!Iy%j9{S6c=XKQ5XxTh)6(qFc@^?toYGOwoPI=GBA=P?L(!>V_
z!v*fv(u$A%TnG-;*Wc@<yFG*9)vqX5w7<pPLz+amaIj!MCiBD&-t_mW+xaG#VCIF`
zBRWiYQ}OwH+U&=ASW=lbawDq`C8e#{m-cB$W!{gufBsD-&9ND+l<tG)(yX{dYPqs?
zM5(<A_t|`G?l}x&GQ2@+1A3`x*iQW`D&@(pI^TZRX4YE7*~PMN4X@C9XHO5$es?{)
zCtA(o?Dbjq`nG8J@|#C;ZfZ-L(C^OGcuILZcjnZg?J~Y-X{mRU>fq2=vTIuKRK0GU
zg0(1rJwAng$%as&?illiNyJu0tH_WqE7AT<DVI|{c3+>6&;_a@3~_zJ_LJ&rms{_(
zfKAocNM-WyqAcv`74@LdZ+@V<@qkmJ)onU?fgI69xf&WPcBlE|nBLBFoiA5Jue9!_
zNY$JOj%FWntvf@Uj^4aJizikxYB(wx%_pyq5wP?>Hm}p5xU#Po5IEAGRJ!G=L^CVO
ziK}%H_v;&;7u<AqW4V9pv2q9g?((kOp?hXy;aQ%Hx#v~LN3fj+$t!S&yXxai;?6xD
zgII-yuIOHLj^lg>b&f{6`#ujSn@gJy7*T+d3fyizO{sSTJz&sl^`%N+`2Mqivp7V!
zH6Ype+AwIKMq1#{dfffbnQf2ka4HG`k%$onle_9PLFm`74)x`%3k;dMEp>TYV|EhN
z>ddH<N_*CO5~=io4Z|kSh#{PxsKDNHoYL8pwms^HYmB^n-AEC-GEo}HqR{Uo8|FB=
zuYjS1;K(S87s@fku*hrn&X!rXGp(&eYmiSyne31AIbxyIOq9!Ej1oM>g^C>`&2kEZ
zyE0Zf724%PIhUn#^mV=ZQ{V97dKkGT`yQnT+r)*m2gr+?*};$O<?|H!7{V`9lv<yE
z4!S3Q!EdfbZedBj%LavNJUux=a|13Oaf4|FQgdmS_*ojVs%hq>yyvI@&+#Q&`xB~m
zC*QpvtGkPfHj+n5<-JOTS`_ix8ZAvucV@Zgc9>gSo^!ZA<GLe{T+M>ENP-7lso2f;
zl8+L-Z3E3)cKCi&SEBQx)3$FZFKJ0Qx^#anVz_&(P)sv5?rqoglR97#<|1^7Vpb*w
zlAKRnlbG9>sud&=D_Hk0`=U#0n#}&7=CrHDMaSg4^reS-1DKV*YNt)1+<q^qV^Kfh
zaSP$Mjy~PXw8k<Q6_-iAXqEK@?oY>_yO?(N)&ll{I@>nrkcb+}mY;FznMSQV%1bU9
z>e6>gG<`hV>kbP^mdc{uN!$*y7N_s)?`-rflXjwWMLAVqwhRxu!5Kxk^HNL%43pK;
zcP&pzcyCjTuEslwGE*6^Hv_J`RV;wZ@ax;A8>XbqE)-8Q#atwOPZLQBE`5{bGWx<c
z1J``eH&hs<YH>bP`9`?S=Vq}T;ZBYIPa_Ti>Ix4_I{M;sO1T4+adA3WXuQg$QSa`T
z?X7O@eOFxYv%?1rY~yWW?eaaQoZ{McF}}X0XW;%O?R*QPS+4C|_aw#bwh;jt((1)S
z^QEe<j4IRT@@g8Ko{8{F48?9G-n4OFgE7;h5=`1LW_EZBrRTlsv<u(^qyu$5e#<f`
z1jb5hDZBQHvpwBy;SCa01Y7harT6}`h{P=*Wizj7{ZntKJZv3Jm-Se1I(GPbTS(W`
z^BA!*v4JWQ)I(g-)rcQd`m)c=1tMFO<bw8+AfO5zcLfN<!14)-+b!ShqPF)PrHkBe
zTX{vrc<qOShCs$9UZqm*^@sv@BPjwWawqG`P(u0V%-sUZy3NZ)ZDfj7E2c&xh1CWV
zh|DVN@mlII3S%Su!HvWEp>6|oYD~jpCrEwxIgh~>rh<;%^CKk%ZkUWD@jOw8McYdm
zzID;Gb32I-Z7d$L3GB&auYA2${3Z7e+sx?`x!jdK-rgDyC#iQg<HG==;rnumtT+~p
z)xG|t#rDH6xmENj8g7x4fuZ9~2_h}^eYfzY*@{+2Q{+>C?8wHw*`9LGCmIYoURFcv
zr@gp;Im_8Uec}gVTqyg6wMAJW>rQPTdh_<4+(fE_94^XR=VDp5)#s!*1h4ykm-m^w
z$^yP}x_u0kC)7D^#s}4r7W>rE>=8M(q=xRqh|FOU^${_naa0NqKFoM<rPR$j!d`5f
z+J5Dm!ne&hWVrLd1gMO$ZLMlIix-Hm3{<62MFs0f#*-4!6>FPJCnGNfCwbZ(r`(}d
zfFw{GV}aKFP7_KRhlG#PLQ%q<o4c0&iP+)sBJvu|SV@$z$x~8ZjO*iaq_qNoFU@3J
zfACG>u@rHO<HqPsxV!EfF52zHlw{zNR+l{a{4A!FB|;k911C_0;V*pCjmht93m%$F
zgwI+*NjLYIhIXiS(7dyvrc?Xh<{%^^{*)gHaJPj8kd+6_#-V!&N(VEBdJ#cPCl?!7
z_eG9IB2Ub2w3KMp5V>=iU1NO3y%ML=suxLNtF<N#*&;e8qXHm7j;%!Fp;Uo+x04CB
z)o}x%e0144aX7aXMe&*U<<*2{6fqs`rfC*>`W7{C#v3?4<uwRSVbRGX(jcd{6&dGJ
zAHykqyv)n4@wm{@_wB`ze%&{r?!nCG>+v%*;shqA3CkS}5S6<u?8fWYhKw<d8Zq;M
zI_a_;viUA}P_KXdus=}B(>rEK453i}I6#Ljk<o+`4tDwx2whL1dkVTSl!>Z*h#+Qm
zA;I?qUjf-g`H+~^D6k$)pe@p=ltU6Fy9VBzejkgD+sFVQN==0plyI5v0AMP3<F(HF
z0N`u7XiZv(^FawIjuii8$<zDZ83g1bhrbSC2zvl-w6Q&+KLNR-2*6e&1?Udm+FgV9
zA*7MNarBvEy#S!6&p#vngivHndQB!Ml=dg$Y$S4?CBEYG5`ix!F*Qkx$h~<>g)P$c
zJ3Po2f2yW+*X5HP4Jq4r#)~k}*hoHnWdne7g4vOvAC=;Y0n^)*Ry<(1K;Z`AK>WP2
zie2at`I&YH$Ylbo2B>+6)sZ`l2ucbe3<xrl{1b;kQk#~%34T?M0MGVWeZX!9pOM|D
z0g$bg<N*Z1)_7w7`>&C0(F0xF19FOr9N;+qsbt7^d7nL2b|EFO6OM_AgHE$X5Y>Q)
zr8NW_$PAL-0XPggO(N2Go$xo{=KCOGdId?4q?2$?N<@#GupkRkO($l;P&QI{Kzgq;
z^*sd9+0O?{+s5^3%*QUBqWC9ioIeZZ{3hp<ZsxIoqxkW7%uD$rW|k;97JFg!Lvw^*
zrD!qUUTJ1D5=IE^m>M`|UM9&f^$9XyD8+x`&a<U6H$^wAxic2xC>L5N;p5#d!4j@;
z8<GU&+Hsmn$(!lH8j7sUn{HLMn05mJ)q9r@d+fs9PxS4zQYkiQU#kOC5|<P6vcO`Z
z=3F1yO7uw(fF+ps$r0NG^DgCq9*UzR7UZ=-vml9^i!{2p`AbW0(~?4uGgL-vWmtG5
z7<0Namr12fS0wcr@+HeZeoE$7J{L~ye7d@IPK6B3Go^a<AW@zK-|yA_ZchYF6ImpD
z+DoshAyAjJpOVGj0;-IW^eaOp8C(~zdY@A@PFKC|*09wOYn|tUF+IfGLEs^4ZDg5^
zQi*e}vsjU&n%iict=);9>mZoeCi;drq>ZnuO`C_)&UzSyJ1o!~>Iu<pT!`(C8m_w}
z%1_dF@3i^`-TDQ331_&(sJ+VUXjkm!k={Ljr@(lj+~uWq1Dcn$iik}uWv{o56u4?`
z`7?cSVbrcyAGstpVp*sUp|j4;@1G;FJx$NY?#qi~iif#BOd~2An=WlN$?6G(tmMC#
zpDqpl$Cab9*Iv<9TuCagz`H1X-k`LAzZ=S&)tS9p80Cwaw4yx5vRob8Kk%wpy92CU
z8_5?)*wW%i$2OQ){)qPh&>o4Ud;%=5_9{&<^2hqBA}feu-@3|9c*3IChv}Km39CoO
zW;(sEDZDO*wOsAC=;ltU%S12T?Ry&VK`3`#FzB+>XWwu$J>!r<ehJba5$+t$?PSpD
z`9z78%37J8qURJp2Ie`J$b`KG^kZClXdQY&c3d3!ym!PbFhx<LuCIvgI&!v4<S}~D
zi|=ltPkQMO${{<+S*}d>KI_jnH|B&-i+`Tx8z;o=+qfU!Um^)Z=LNApXY0MI{X}8j
z#+##~w#=8aa(1ocru<TquKr-jzjum)b(@U&?%YOY+LxR6l_m`W;}x1Fk*K79U{!g6
z%iHE3L|3h1)SvRlDi@+zMAGog<n3QxJI<Bpe#d#mzoG2#fsz)_iX=HmXfyStHQ`z)
zfGIck^s(w!(F<Uzl<0~7(vMudws~iphC$=yM|&H23s#M0Nm|_xr@}j()XRCthGI9*
z9Mj3W88GV%U029NeZ6dN-9arJHjQW>%tZAmrx0uLnl(-LnGkU27SXML+8x4{{6&&t
z{jq_P;H-BXK`ehn<T?G*nN3Q2?QK69M<Io%<!asZ;#L06TNRdSQ4W{-HkoS%oU)%W
z(sh_Vd`qNzqtks+s1XZgiRbI)7p+)Ehhtn|9Cr)RNp)5nW4qihokbd53ry+myQI^M
zZlOzc{u&D>JBg*2EREZ>Dt`?|B-h=f2+H<P|E#;&Pr^Fgs}3#^$G)vHJd=otFHQD0
zedy@x8++NNT->^~s!cRfX8FR0XGJ{2cQ?q8YO}`^%I|h-NKK!)O>jPa<FSM=>Z;<g
zE&g#POjx(xqsoBBeyp6S!E|IKkp=xWQaN#yw6CU6rjV7k`jk0Y7{>KcA^EX~W09&Z
z4F=uqNU%d5kh5)srBB6s#lHpS5d5np+j@1&zeVlAWxx8fgj_Jj5E}Q}>RRqfa(rDG
z^AntH6G<kD7-Dg=gcHO@i>tR9uN&5iJSXsb4&h6)Kd`QVhI5eMKi}?P#xI%Ka5xi9
zO$-wdRCum5mTXS02dp_cFTs^S))qXyPsk{8FgJ{PAAq_PPAQ)gL8kx`p=Xu(X{H+h
z3pzvmOv3T)DQI{EoB(xRdVhX1CpyE?cmzrrG89NeaIc8u{C;h*pD=;2w?M;4IX_}1
zV|v03=`obRh0GBm{7`T`@FL6ykTYy_f7a%P&r5K<xb5+2f*1HV69-(RoL?V)Kl>Mc
zxV$Ud;&yYk6e-rNdj?BV{{zk61=_HKYDCgp&>NIcOdhuhsE|XaCys36E87x;BC#{}
z)5*ifD`!P*4@h<;AulzH9w}x@+NYI1mP51tD)wS|?i~Z#Q9j%X7%4%{Jj!AT0|}NO
zzvQPIx0u5<0acXV$sP4t$NLLh<TOYQAxIC|<G+bspvi#W|D%Qc4{rBg<zVzqn15A*
zfvi7&tMT&AaB18!=zepUXxmKIU;N~*1({5)tprKLGcV?W_>tgWorRwJfj)GE9|hX~
zPuBs$7yrjyiq40Th)iddx$Z7@B23#s(@5~sp>m!_>-|)nySVb`y?Hzd`O$9KXV3mN
P!gq@DYI23L#=id#NpcYD

literal 0
HcmV?d00001

diff --git a/samples/remote_attestation_wud/images/remoteattestation_service.png b/samples/remote_attestation_wud/images/remoteattestation_service.png
new file mode 100644
index 0000000000000000000000000000000000000000..1aeb1fb1f5396b8a1367ea93b7965165029c50c0
GIT binary patch
literal 12545
zcmbWdbx@n(*DV@KDJ@c<Sn&d-cq#5spg?hVcXxtYixw~LT0FSBLvgp@?(T%ZdHeg$
zcjnHWGiUC(e`Jz3lf1H@z1LcM?dO-gtT;LfAqoftLYMgdO%Vh_xBy-+UcUgo2{q`-
z0NxOs6vc%>WuwIVz`;v1AsHbMs4@!m(EtfJeq;Y#!wCd>+x_o_&~I003<7;gkoYE~
z?52CXjINF|*D82MMfV1!PhVIb2S*5jJ(T>t0w%LscwZu+)wFUf+nbvhKDCrbtJb30
z`d>CmGD;0{wdm|c%=PAI%xxP|lr%I&0U=DUX};?tiK5YC;fSI?uMTrJ^EOvhbhHf*
z`v^v1oN%)Oht;dxPNqBIT2fMBud*1Mf<7I`KU5tw5!I(?$dqUBcfIi1>zvO*faDKZ
zI!CZKy?Sup)<i6yG$-}`J2bag4MRn?HwgiM5mNBEk`}eizA;`fk;8C(7Kb6-U!Pun
zW#YIVT_y{qv)V_H$$R)4Eu@h9s4=c3qNU|~B~8VchPQFZ_>l|lb(JmPRVC)M4MiXH
z&}^trL=N=q2@#4FLmppTi$&-_2?4LsSaOolWYyjOnGm6Y(5ftZ-mFbQg`IZdl@-LM
z67=_L&KewkB<$F=dD_iYZX9!qvLW`?uxq{0{1oW<)MyFq8^1Bqz54D!k@*UAEDWK4
zCu(n`<WxCt&%ruhK*kQHMJcu0Qv7Nspq|ydQo|;YM!428Ysuau=E0M9*0NV|A1i*Y
ziPbtVR*mYqo6r+MBsL*E;v|sGYCf>&G&;HHX=3{F!3@L`pst37vf54E&hL@0sHG)W
zsv~(k?k9f7_A9J*RY@t)^yaD|6C6{MIo<3ShT)@A_vNJ0mLqsywB9r$f6g10S1^wk
zxWUEE?<#pWZe}C~Zl?^aGbXy-QS$ViiJ{#~Krlx()HzYtHqB^QTdsFKn$N~*dlG=(
z)wn27@|15;98wkZT})c6n?`K!G~aR@amix5+l{nqZ}0VB7}U!+ziSLzRlrnwIaP+3
zX^QGjrE-;_#t>T9CPLOR^I>*742g$*Y*#c`;j=3@8EqS@T-;O+g$S}j15rv7y%L7J
zmXC`v4Lx*_bC(Hzvne7NNm9Ed*ySECGm&XBLakBbIT83o0aEi*Pb|8k3|w>yr5QJq
zL#vfgg4!=#B)_5Dks}qgS?TzJvA{PqRD8&B#Amw~T#5alL$i>XjQP_T*&My{GjD{<
zh*iBQ%)_&lg|$o7oAOnSy=C1gmnsf(*Qu{=(x8=10Cb`T`OH?h#fDcG`fZ@?A(yFW
zB+|bSWQuuM_ouXUPRA|>Sv0=Z^<>2;-gx*6DZhb;7gWyD^0;g{rP^7u0Y18$`&IiP
z_zGR3+J>~P<oSHNCPY6t{nvM`-*ZYXcAEE)5l$aaXps6Tp5%H<OmT6^+=3_@5b72f
ziUtAR+EmG|w>7EbfiSwKyfV3VkjOge#`BjE?5(-X8P*yV^=2wFV8L{FvBo9$#Zjyd
z?LLkYj1AR^_#z<Jryt)ogJ|##Tj^<hfh0)KkU!a9CnaDpAE(67^c~>kuP@xN{B=Xe
zd&~Ek&mM{`RKs65!4BMctD!--4r@AtZuK$KkQsMYW)Jh;oV%byQ0ucf2<4~x=}VVs
zhcUI?J!TUJ?Yj!w{5PWRrkzMo;j1Hu)zY2jcHe732%mc;uQR$#@qlxcgPqSQvIk=Z
zPf#L)HmTvVCXkgtCML7-tO1K<P1@EAEm^D@RrYn|cNldeMm)lS!rZT0Ndz+mnOU5p
zQ#jN>IzWWxCs^Z&Tu7tP2!PUAD(mbVeS39fFPC=t(E}H9dt^6Bib`ys|5)X^x^l(L
z&r1H%mp?Cye=R3eQ}Yr%H-IG@LEuQyQrA|^NQsrP)0$0Q7&V){6T!2?(O=yTqtwZ&
z-grt*e22kCl;dQiVELz-sn{8v`P?CGGxly|0gk?S#jO`O^2QCXFT$nswE8EG%IqX{
zZ;)fIZ;*m;@`mL4T5Nf}8c-|Mxx$OXt~w%9Pc4^?ftpaGT&kpqSCZ!Ban}(t^^_vW
z;^Ajus2E$=({C$nu}U$m1O`&@Strk}5N*Djdq<#>na+iIDErs_JgQ)2vSNc>N&?Zk
z@xAK&bB{g2YJ?HjIO2Me-ejMg$et41!na4cXCKaOsbPkvJ)fcTt$M;og%{EH9aNS~
z;NHem$o&ypC@epcd01jqhNFqto0FFqGj39_yn*gnTSZ}eCU2^%K>XF^n}a}gJEBr%
zAi{c;U!X_C-{di&r`b$`$5(5H%Bfjm%y0=>Gg=#3iDl30_pHN-a#QAI>`OTW=I@A%
zA~pMeXZsIRq?!U58Qi9HY1jo>P0V5J++7IlN2xu6CAsY35T%vDWrVG)jpUUTnk^+D
zP3?0b*Bs+b&HTHN)^a~&<g5fJlyTuH>ZZH#cv)!mH58WZmd?iW!R2WDhV}O(Yx$NT
zfU+p^(1mnCcO2B!mKZu{dCvD^&E5Al?^YJlM9KE1es?GK1-sIX=gsE_y5J};S&Ktb
zb9clXJx*ZdBYPJfh>o#7e<~g?*ewswS=37ls}kDYwyk7L^VqhR=dwf5#``{0XL%Vc
znM2>n=eMU~u5Op(B0ZD~KF$rXQuZNXY^mtXc-@l16{C<IirE*i4nLXCXuu~DZ`ww&
ziS2xK_xCRdKYAAYA>k2?u!T<S%O)au7d*A?9#R&xE#IVy>a4)?7<&$Uy%t7X4NU<s
zQ^<Xx>`shZY5Q%_KAbeq5U7nICLO61vfiQ3Sz>eFJu~q?&r~`I*VJBn{R|OKP>e|#
z%SMO_2o=%zj=@yEoFdYD;_Uj~dft7hK##1N*9?r}?b5cQTgNXZoEi#%%#=^#!`ouY
z*@!P4AqU)UUs%ktUkZBUZ|M6FP^m>{-d6lrvB~I^QKG#nVpr1EkZP2RYK7fo;9;>@
zTt)Ni#m^r=bu^#CPJKR)VJ%EIVFau1&JPykcPeJFr$dpw|Cs0JGxze?G|^=7E}96*
z6-0C<u4=p8b*^v_>nGQdUGTyD+O7pPuYG+zFU9@I_J>N85h_Q)zJgdd<j3Phsr4s?
zr;1FW7wEjtGJ-ZNPcPYxILR17P%*UM-zGJUAxlZGfGclc2=G8s(&`ejIMm9|^4^qh
z(F(WkHk$V>+I?hYGOx>)HjWoWYf7sOp5N6PPetLJ+#hI9KGNW3-aViHz`k<YDD(s1
z)n6~M(#a>z#~Hx?4vTl6w<FLAqzVE{HaoZi?HoNm+vHfgWjfG8Q6{Ad8_cR8O_4r?
z9wjtO|9G=~tC&hDt~vFmI{r9*H!0`MOLxT)TIRS$fUyc;gM<ZH_Nx_}T&3hF%Qr-)
zYny|BB;oZeLZV4*mlLd3g2#mrP5^wv6yf?yNS2s^#dsXZ$ShOdZQgQ4oSvrft)dC`
z`7;*eXztTC(xZgxP_YpSgC$%vS0l0&T~fQ}t0G`AXqbVNJ31<XxeJX9Dt>Bel#!<0
z6rI~%sitNJy9*^pW)w}cFMX@e)@i&wsx&k}vk?HJqgcHJNLLt5hd+QxU2O3WI&T#9
zNao)mea;Nh6RFK^&Z9d{Ci<6#I(Rfw{;_NWd5qHgKW&)i1?K$|$gC{5>-a+Ob<{M#
zI?<V&Of=(VM!kS)T5IC&2Nr31)@MvMNdcv&sSnU<VrGuz48e=_pJ~-%D+Z$*a5_Tt
zV2$=gw)0<+`X4$Ut1Ph8`H884f(FFPHWHQnzWUtk>~6fWx7XUYa?)Gw_UhWRmfoBD
zHj@^oAcn<$diVB`D({Dr)L*nF8{skBA(h1{t4)Eunh>=xC49?1G^GQH!<rn+^4GU+
zn<f>4P);6?{22VW4qPLCppJq1a<KDic*qr5tR7R8S^IhlumQ&mK}JSu*2LB)r26D+
zoGMmDY!>xXX-DM)w5iD3X@bs0ypUGT=?;ASxF!+830_6^lz>LL%befNm5hu8DFlzb
zyl&jRQ|xRrdxYIVG}m6LnhNo-9o)gG&8NQn#g?qs8*_71+GSREmuCH@t+n^*Bgw(C
z+H18rzCP|3r=D#)NYn#aUrlq+ypIB6;te%2+wx7$EBB9fE>Wds#y-eyAYJwzB+qH3
z$ThA&-Oj4J&D?~3+>i)9_cJcEfFfD8cZu#PsqBBv@*LOalkn8CTz_5b2%c2sueTh)
zsjj@F6nVuBKbkHO%!(3`R<Nui;*lD>u^nQ!utr8FGlA-1*Xrljq_Ugu{G>7RY(4VI
zzDJ{Qs8ld0{cN;<w;d<*-t!)ceyfW@iXOD$b(!AWGVTuXAF-~N-^++qPR1=Y8^Ipg
z!CHwrx<$6Q9i3YY!;kw4uk@)px&XM+Zlx*q;dy5?62-<TE%-zG)5UvCF+L4ZYs1}7
z1Y>~`>Etd>tgMRerAU+7_=-)X%4TBdcAmloy0St*!8nasK0iK$F9|c2;<l(-w6yY-
z`S`}-^VqCLP8S9Q(8T)i6ui@9trFz-o5c%^p!iU?pmOMT-mB+R(S9+=uB(btDK54L
zGq1<~mSzq`ro=4n)$B$TV`&aFtMX8}Zro#EYJnek>H(|s#S`+n{&Z>C_3<%NkoV^D
z+SBamwqNimlhI4qY{Ek{v+0bMNWl1<axP4A^b2DZ`!}8_hvVq!i$KCNYRQA1f?DRN
ziv0S<?^CWx(d0f<FCRF!zxpo4$oTr|%D-Um=P?0j;{o5B%1wj2r*^Rcs-^jxsyZ3-
zpeW_JpI*j{)0%U*=GJjg^v#pz#b-@2x5m7{x+`Uo`_Ums70qiBlR-#5$JAJQe<+G1
z(}bt))o6jv;-`rMdY=ZHQi7QHP6!PI`yuB%*_8E{^dZZ;t8xP`RZmp>{G=94rVxzl
zvBWllewta`^ygGIlim<ZUV{tC;u|lODj-Ra&`KDum{Oc=+VuG%;QM+X#go%0MOa;@
z@oBHRw`{fQ%hE~T8&sw!!xxzP@?5sJjU#We)Sfq`s)f4Y-VeQzBu)4F2uwqAMoO1K
z>HTxIBkm02obdWEHHPpE5?me*bH9RMUO0tLBTqhqi42_<`8-P1Tyd0&m+A%6-FiaS
zcFDW&G3$1w-F=L!R{D)Y-1yKa#&;fQ*en9kEzw(9vcj+Q670(o5u>ih3(j_J#9?j?
zoU00x=GX_}*QO4b2Y?j9jo#nd#|Xeib2qC?C2C%oZtx+?{S;c+?kS^g5$yeYV~&Qs
zHr)qoP&tjl!r&4V<ZIV-;mDHU^C!9r2Jay#mAlH|XI3WG5RL5ip57x|osV9hDwjJ*
zbprHIYH8mur+(LU7lKJd#`FO&1!>Rj6|z<jZlS!k9D~hmFDliy&S}~G?-sxJ`8o|q
z>`;zuk7tjlrn+J?A~Y{05-yo+DpPojyf;@K-6sqro0>HFF#0<9zUL`XP4yr`Y=X+T
zdc9KakGwvKwc}!`1BjBHKO3Pn61Q(dN?ic?6K`y_W1*XXKIkkNTd(IaILY|Fd0HJy
z&XHxSI=Xsxw@ITs*e89BUcQfJ|0KP$&7@Nz_m2)8N!I(_sQ01w9HTRi?@=6}Dk$f^
z0d-k5u{i95zTJ_VUMWXKUuO5Ugi60G#pBS7=!KB=quTs7@K0YE9-Ky`$LqWE@VuZ)
z#q2AHb}2xWNKLI7P3kk{Cko0LuaMK3(iKdzAg!Mfp?DifK4HofdM6xYD`XV)oAtG)
z)FG?zBbhEA7_B6k1h?3#p(x2p<~|rg;n-03I!@S@n)~q~*LORuYz=AA;_!R!{e)zf
z|0=|McHXqMtNI#Eio-j{Afa$;>t(le=`M2{^MLSm`ACL7OPE89&QhDxZS9s$p33TZ
z73oaN!wP=O2Rpi!{pJ6X=l#o(9fVy-lGmK?cEfi~3I^$mpc&pb%K>h>uaY(3QA`D*
zFBi`Q)?9MBWZy4!zJ+iCDVir0TgI`p9(9y868KLmAF0P4W(uk1h`rj%n7Q~FUUc(P
z9AtGT2rU<z(|3sxxw(JH^wmsJvh0VYKMCYg+z*AtgX`Ti{<M@3=txIr)>FLF6^Hms
zIh`(aPi^{im&#~l6`1N(St+Ftl$+np;BQab&*`-9FXMCeN0$T8IQ`n(+H%LFQPBVb
zw4nf<xFcjy0xbeR{}Ktop5mlEe(<^Cjf|>_9PuBulghF#k$j+62qnbT=MbaxqXMXn
z%hW5}f2u|1*4NiyVc33urs4zVl$tg48b-y^KB^E{*+yUA@Hkof=YG<u3dE43{(Mz0
z)lSnOiSD9HmBM*~_0W%6C+7KT5`Dm*l;133{~10b1)j4T+^Qiq$1Y_|K5ZXHb<FFM
zP1^t6eJNSI<*v}s{cFxni+EZT%U@?vErKiVhElino#Cse`^L4Tb@<&&@$9e91F=z`
zn9wo=il3u$x{Y}=epIn>u%C`q!~Y^ma_5(JsV5$bu8#{m(B+fSI@|Y~0PUlQZ@PcC
z4&h#_M}q=-X;V#Na+=SuMR(L|B9F3&a}dwiFZAH4ZT7G^>uQ^ZFte<;+eidTyUAaw
zse>%br?q&<7UI=OImCSU_?PUKEM@PeBBL<U?A04~GfN`hulJ);h%^Mh-5V)6(iaMd
zVjD-N5P3BLlaL()3s+5*rJvu_5u~_?qgBLIpTr0qPKE|foKlbKuV-k;k5W62O|as|
ziean+S2TktmHg|ufj+69mU-|(__1M{b9WN4KY*999nw@bvTTWRJC5M(*7^1mn&&vf
zIJ&8LV9=dl3(K`1>#T0~o@So`I8TIGlJI;ZdW04NZnsVzn4j!=ghYI<nMJ>j>3tvU
zV_`JFv3Ynr(8XV05mOh}QdeTG#$vnl#RTocUyhMtW%q4p$*K2*hc$8m_NzwBzS=L5
ze&i(E!o;kU<lWADXx%RnyJ-kE6vK^7Ux%w~IQ^00beGBgkWQ0qS@k{4Zorn%c4ejJ
zIaT!3%W`f}VybKI^p4Y$fzyn>tmQ1&*~7C&aJ`U-yAosmaT8Y+1wQy;xU--dEGn3t
zp6ph8Cf{!E6O4{3R}}`Zlh1wU)8|#Lypso+2d*vORa~)c&emLvO`ux;sU8#eFHz#>
zsD|o!BLyt^mlZi%FvB~S*B@~=y3pieM;9JUG-Zz07#GOA!)WGw;1lgf=ir!U{Og<a
zX5Xiyc{!i@2o5`jjVOFQ2AWpmxm2!Ds~=m{cmkgLyRuUn3P}o8vjkz2X78;=OsVk_
zt(mUoVD}HLI<TH&wwI~tg?zJbyg7m1P=c($E9IDhD(|qNV)RhWf@8)R3I9;K9VezB
zNyetOqRxypecrOThCzVCQz}wKui&#U(IWXXk+P!y@>!Tt+*BJ<EoV^>h0ov^=ctEO
zHM~xuPsQK+=F@zre#X>8)!9ptR)<d>#&s_=w5v!a#C|{dwdk|=E)OZEdmk!7GQ9!w
zuvW`y<?&F!vZa88hsys4$-5m%TWxYQ4I4)_#HsB3Uab#F%SvA_a18!fZleDk9K}!J
zPsg?uG^&cuTJK}t?@f$uqjtz~*0(N*@Zq;`{<@KN4me7A=*`eDI;&c>g934$Qx0^J
z33j&9`>nG@CjQ<NgpJcFyQeLM(@#C^nOsIwgJ!I&zV36U2^A7Im^F`^#+xI*{_M*@
z1zyoDG5uB*K3@S(f)@)TQb{ywjfn_}*gEDGOOy)wD`0O2-Bm1P;FY7}{r7{zAp#gz
zl1U`)m$M`fg?Qx)327OgSJK-9RYOOa!^r0Z>`TV+iKbO-b9uKMtmHl3$l<q5ln>3R
z147YyzLGcbMab5UKCf*^0qd~MP=SqUNYU|u`62!of2lM+Pns<wjAq3}#2nGtiwK>c
zV;2=qQK#WekpVX>VS-+x-8eOecs|7)n)2yqUER}l+;ZrU^9Eg|ZG+Ku(pS9)ZKc&T
zsnQI<{v#P?TK1~&gXcn`JU2yl1DiE$Q(2qy!X+fb8b6QfGtbD>A>t*~rW=DTKT^S1
zv4xv_1rWV67f4Eq;6o)_!7iVi=TeFJ$~bGs@vWy;Yn;UlSlWNtj9(b#^?4Yc^En$Z
z4v*AMtNK3pPa31Q@2{j(L|H7%GA$$k!Zn{CYx)VyIPH<;?E%%2OykvcNdCOGs;6QU
zENQ#iI5aeBdeksoJxx+ZJ)0a<c18Ow$v^Z_P}icVLKXG5ESp}&n^=PM1E6_W<_4|U
zUviYbVd3K*9L|TYjtlC7w3@Z&D)!Rl+&gh(9$*>enL2Q}2inY@J%;Q0S&MG^BL}AN
z-wS(ujS`&?eFJSKtcvV!N}v`5VWke65u|}|lj?#H#yp$DSq;k)?5V(U3h5JMCg+Gr
zPnHZmhK$4`zgeY%kE7m>fPN_h_l^s&*G^&Yh8F}0mdBL*r}OIWIK0_7JYMkHEpv{3
zrI`z~p4!PCYd}ZcO14*PvF!ydNYpTN{`p|!efi@Bbhqjp-Ph&=d3OaOoi3ER_1f2}
zYbJ-_O;FqE+DG)-beRl_9S_UmZDo9X;bYsj=(QXb2yU6#&AXc1;oGk5fSWAph_~}#
zNK#@cpy1@^3si;k{SmJ&ukH>Ysz(+B9_PzrX6@GlosX05%#>5AjOu*ga7qk|d4Cjf
z`?#Elv&YpxdCxAD5RMi@5qD*AiMKYnVya!9dgEq;LnPVvbG8FFzBQRYp?cHSe?mH6
zx877A!P9R~;Ah73YaKsUgnU*U1;!_l=<G^&an&Nw3A2{cY0V=DkK!g~(e6Zkv^m&4
z5goG9P!y$?WzBpr4A29-DqRq7!?Ks_HL8-i6d68gVU;vBUDP$eVt{*e@uILd$)K&^
za}EBX$qd-4en&pH?G~~1smd#1Bc;`0Gl+y=X`xo+wSEMlj(>SQK2u@jpiz3;3d@lc
zu1Dnr;uN}35IPq)I|yIe1TU^VqbgNLIOb`w7v-2bk3Z&)`ez+6Pw$YvQcVdyM~`?f
z@A-kCG0FjD>uy0^T}F=fp7laBvv+U)QrBQl<0eouC4Z+PsPJS+F2NGD!%V-G3Xi$X
zc15GMkk}RP$(0_8nbPsfLWolQt^r$j=&8o2V$5F@x3-3!WNVj%Yn+#%L)=8>i_12S
zs{W!OiL>>iS*@Zwq&nRpk8`O5t@i;Stn))ErRi3B8TG0uJSz(?uE<AMy~}0K@`5AX
z+K;N<!4i4OD{m+>6y$qRv+&rPf)G}8%j_d#3xZ*=U#uR2<5o|0lZ6p6Y8#>StTv0*
z;48P|grh)*s3P8}UxQkQHNp(Km-}U_jO!-yfjW)7+lggVBZ=D5c`k8Q$<%`wnG8%N
zWnn~|;Wt9G=jiFIfUzo<I5$3fV!W{ZPhxla56mwD?F=&iq$@ChU~+u}N0{@9!DVOZ
zz`a>kAw3M3eUs_qy(4#GpGGeq9^rXegwX7E@Lt!2swpUc7#p9ar)a>C%e_5w7jaC6
zfYs36SLLRQNw+$}MWe|no680@cFGAzk1F&Gs)HynRI>f<WY<?iK#G8qJRoun(MATC
z<y6)J?)&4bfxR+9olPPlmPu8{wQbp)(zP8#Bw*A)k0;hV+JJQ+*g4T^7S+SO89Nnq
z&O)QD>!1R-Gb}oTs|92x575$ugJx>jx#2PVg#TtYesbkadDUCdduS;)5bU?ack)1&
zqhrbN0l*4^+57KW*1E5HbC@hQmd*_j1X|EM;`RZdsYys?ds$)$xM`8-glloe(txHi
z`xH(y;p2KGjpV%t4B9M+b`Fncc6=lNcSxhQ?3?HHf2MP{W}gCjB2b+>Swpm`X5W;i
zT)6{|Q{mP6g7yO7;v-*5t@`ZK>b_FqanNSf?8e>|u;?Zsgz7_{`V#@!Wq;-x+*VzC
z&1r6ziVLVtN7Py<)Wbs%7!G={T1$zbySpso;qL2&Ja^Y%DZ=+ZAKPcEQ%{?&W;k(J
z_~1Z2B)=tJ_dSHSGh_y$JHc2`2Z6a>5<WHuzhgrwv^a7#YqGzU<+`K!&3QtdTo4=Q
z7Vnob+{1w5LXX>Pbsk3IlAl#;DF%lMTQ*Cnz!Xt*slnhfN8IIEo{sVCctk@k{0!y*
zp_HY|O;j4>moxsmZJ3^&-@oIJRP#F%4~v+9r?7i@2AGV6(pg%lIQ_={!xQ$zl4*wD
zhA9}CXcO`DG_c>;px;ov=d_UN>f<T<yM4?bi}JB)Tu@dji%IH4V_o(H(3^lG$fZ9d
zNyb?_rI$?bqxGQ7VM5)^T!ueMFG0;~qS@~BSMDR(#l;t1LJ?N$5x&w=xUMVQbRIL4
zx!dbFQ9IOhj^9}_p;oI}XG{1U?*M(#prD$}A#3RX&Y-_HDKSTdAiI@$y$TdrhIL%-
z!C$XI*>yc85^SK9A|7#NhEACBjkmed2=Vw<<KM93QyL42E7m?sVkFof7~mQO#?KMj
z5=8c$y&)Wlu~?TAf2+2--%)4MZq+tVuz<Qr+MT%c2>^?@Wqhkc+FIIN@LcL1({O<W
z8-zgCLC`vjb6cSFrc~?Jdh8bm2GDLVK2{h*vy~bHp}1i=I`@8Nx8$>n-Ox`BaP{DK
zPc_{;iJs$RnJ)3>g8DNt>dqB|=<Ls&z^rBjWaH56JBV&W$08R8Ojj}SNxvUE>!Rue
zs-J>N?c<Kdq+bhFX$jw3UH)*LZzP_|c<nfX^#bQd8)0)K?o>V}i}M*PwwQA%S=tS*
z`B3X_iBnDBzdUH}<@lj~`aY)Bo4bIX<7hDT>Dzdm?JAz)+<1-PDWCU1_Y2a><K#Jg
zK>$l`y;Kx)t+KqL-mmYTUh2a<)gUFT&)V!rO`c<<|K`kZnFXwfgdtjiRLz@F&~zN8
zgjjd{Z(W%#;~96o&<Ds*yCN<sFLSfY^tN45T(!$Fm5Ebcen&1Fp$SVRV(3SJcP4@h
zOW|$*+6+`7i~h(@6HP*~=7?V`t}wmEZ~WBj@u+xt6>AI?!n-x`NOXU%JDVB-17|bb
zxN5K4lf%xpZ4;Z!-NSOfa?5W4uc0?y4N#7)tscSX=h>(3+HM~*(NN4>4iG4xIYN0p
z%<@u~|FHy2gJ~|Xdi8SI?pqgZn*#>){O|W=%`4wZt5FjJ4nbP03Mp+X-lTiDglpJ%
zYa**Ix~QOKU|z=-S`0YNi~BFjIVN<40f(~5oe076?ylp_!!M_M1Y@Mi6;a5-$>H(7
z-xOJq0z)^^7ejezkh?I%6*Ulcb5sos#uwj~d;}{uIBTVPHyL()f7as{OrGN*f^T@X
z(E$oI6gAQV<%3fQm}q=<)^6<cyFP!sC|E>oZ&nud&}X2hXVfyC{_7`^i%7Ft1WscU
z9Nd?XJhi#({OO9l@p~V{5};n6EOx#UW4#ptlq<~=?M7=W-y_+v8DMAuXbYuZP1Ku>
zSDC|AnO02ck0jv%BE9c)yBoigQR-|<#0~#We$3wjpH$)+ee*#s1l$ZvP(!iw@~q4!
zb&Coz8CLI&m5z*8DnMi@<n|pRLOyWXDMlpDW^-O((#hc!OgRD5zLdag9RP-nS?O;-
zXoY~04em!#^Lad3%2kQsgMho*wQL}>lWRs7I5Mzw-Y|{#bqDiMvR1I%*=lDWfa4^7
z=IJsUGnA_lWK^$K{@5M4ntaYTpfuFVGW{CluLBwG8(mj_*KgjdbYt!{#Nzn<{4k4K
zURmU>W_zAdK8kejE*^nav12NCoXdtEZ17IDODGGG=B=R)Rm$ng5PjJoe~AgFXDAxM
z)%+JdVB>{Vkd#Tkb#3i+0n_wWymF<J+pugG0x0h*qy*E1EsxcNZ5ym$!bl_)b<wIe
z2D>AsaPduxeGsAmjKhfpzdB?tC#<g%n1=`beUn3sZO-|{>jNEaEvmT&uGP+uzhXf8
zY9U~?-;dk9kD)=UaGEb!&xkE3py|KH<;2s)RVR2RJp6Y#Yjh<Dpju%_^GlHwr3R&*
z>V8m`WC-}0m2HNAZ60A7y|T>5lsobjuU`}StjZ{)Xf&(yZI&Syw%E3;8hgSF$AteW
z;VF(@8y3m1`0q6KopoLQrFkQeJa$i0NtX1g&qlM}2-=znNS@ZY3j``eF(d(fRlz(2
zfr@{sBZK5|dw4*8#UEx7K*~s!Z$VjfAz%<lMF@iUfBdQF`y@^#rqi8~)RwO8>yu?(
z7M2)%<(G(;FB)Ex&ti}X@Y%0@)m^{%tkZ-;L^Om-2VBb@YcBxd|L+C=FYYbRsnW-N
zmnl;#a}3qv{xB1^Jv!8)FV$7DU@-v#S#D3ydccSRhTI!d$VKQJFQb7_sK(k+OF!MP
z$tX`o8PQGFrJj<3Kz>wpQP)GfzKvhU{`7zH<uAuc-J4d_tGM|-RR64P%R!Xr%jfxB
zdCM=vJuKLmEK$}}#;d#J`y%XE`US`yiz5;oI{k<38Fw)$t``dCtFq|gIliP7J}zhv
z$q5aa6IiY@tXh=MKAD=M2yp-7R&2$FNRd12sFRy*BUJV2S9`!GMu{pFbF+6KKl(jq
zNIkK}5VY&n^v=#yPh@QGKu|R47itOU?9FX%(kCpZoeJax0>#!5ZP(P6jVLdyBPsz_
zwxPx3m!LHi9+JbjR70)#5a^N@VPGYBb25U@6QK<|Qpx+#8lj5fYcKa*vmoVNId+L%
za{tFWN{W^M1>RT?Nc%_k+vK-Nm;G|}d3@zMw@Xeo;5;dv(II#OxQTV>Swb`o6A`43
zp4!*6nnez=v9)j1q_=5DUC3Bc7<--P5jekX8+Y+2zyB)|S7qiAi+Ne}zn-VU0)ml5
znHFWvC++TT=9pr7&X--n@7r4Q%a%MyRJfSPQ~!N7nV4ga(a`VOhrI1_y+r<i)_}rv
z2@t5Pqc8mnR=I+ec8OqN6CWpCGFitJ(I1`LwCor%W!y2{KgoHmEcc63nt41!;E45(
z{qbEjw1;p;8ylBlrmOz%NdH+NBwI#C#$XIGQZD-s<<YH=*JIus-`i`y%#40K)M;|2
z<={xbSN?N%5phi22AdfM>AnKRJI<3Ufk5^z|5GzGOtX}_uxUk3ssDuPrRM*urnsJ8
z_8-c)qR@kz`m_?u*xA`vb5nHrPcD6dO<UsS3QusD=kl1T)BCiw*Pzgy;aMJ}hu!Bg
zH@n^Bls>YD+fzYK)8Ufpj6c3%1^lwTLA?A*HyQBuBUJo$t1USoKO?zHYkkg?uO~L>
z$NIw4SZRk_%`kKq2cKFduPDu4ke*yF^<=jUj*e?0gG8NVt-SSw;$ev19PQVeWc`u0
z)Kddjf7c?~lWynFI;X97RX`y9WNgE9mR7sfwl~!jix|#D+}Pcp!bxXktL9cWFo1kW
z%Qb=@^;*r$*|uLf7xb%mc|4x^c(+ETwe}2oP+R%jt+q55ls$F~0n0QpQJJCU0e-l{
zY8jW9>c@C)f<)q9{b)OU#4s;L1ik0tnH?%;3qZO%6Q%}sz?DN<Wic@KK%fM!2kE5v
z%q<)3a|p1zjmcGUiHIyHBGr%WGzIV@?LVRU9dPr^0>SVG&&C@0H?e$31niU2X~buC
zUOp`tBKy31skvi^_f-^rlXxjL*9*TeduQrl>~7MPOxFy29@>(u$8!TXj6W-x|FP{k
z^oV<QZo-Zf^!16D^sqB(ug#82*Xws;sj8~ZEx6KUkfu%ThdnaLJT{lLQY{Lm8-o7u
zcvd7!#cSemVa8o9O|k-e%4m@^etk<0Uvk3*`B^y$D<x9F5`5Fuuh)eJt#qw~BFfI0
z^t@_qhknl{+kRaqJ^Szvhu4O&h~<2=>dUhRPk$p*N01&I9usWMtxk2PAEchH&=(iZ
zu(NIB{&Ng*cqchcw?NSM6=n-WZ<Am6<#7Az>!RFtg<XTu>uc1AQcfPvx?4Tt)`SpY
z*VlXOhHL%`<WU#*#Q&f(bmvi>vjOJ6lN)>M!&4_NS3vqw6oTlNGqA@NWB2)4erjG=
z(47DT;*tAYDJyfGt4Th-PtE@d<X84v3Zg^_?;}}9fPeER0c8ytV;u(N^Z38w1$|8%
zpqNFM0lz|b0r`D)@`0qX|A(|dO?~&3y1pe;hFM>pD2RUk=FcK5He&@+_BxI15aZUx
zNa1q?_(A;I`V|ONk#T860s>jT{{PNC|3wD2?(XiKwo7YNW{c`Omy+^~OkDoW&7Mw9
zthOG=puz2g`1tF)%_vWI_j42l5fMbswY7&#YleqIC;$B){(5ur&m)|x<8nYP(<F|+
z*@U3QyYqwm-X-6b^3scJt73q%<UduOK+xEyQyu0HQ)Uo>-!ado$7eg10KCbz9&KT5
z4XI{{JCIXl_qIRc)lE?6IA5>y=Ocdfc}pfBE$HwU2NWk|Ub@Ijzxc0P-FpU=Fu#9{
zZr)^FmIqF+-6#9r%!Fp<ndTAeW?o-RT@ShCvuDTq0|XFGM1K=->KSpg^B9i#q9Rg~
zgKkuc;8uW^@~{n;S2QeST5CF=jy9t%#3>3|fUg5tT)MuD4vu5N1I2jwf$bRVD;iV|
zvoL^hX=2q~RfDP?2n@XU3u+cllIEyPuR)+elW?$^Nny4C&os5Eo1lo&vO&4kzsEM`
z`}dSBPxGgShVM93EP<Iw=uD)?vMTT=N$Q@a+6A>n3kA13b%h$;I|@movcrV~@~dJZ
zXK!wfVjwi1ji|%p7dYX|#5;cq^@qX`3|mL4XEcC+hxQpQ4<0r5Ki6vn4VD5Gw-4x6
z4w&tdDF!q{Z&lF8nEkZy4TfH{i$W4bdb{Hkg$S9f^l%epi>5s+=p2lWN<O(Q@9lPH
zdBXsQwcNQ2hu1KfKM&g1c~KOda7~Q>p^N)F|EAkH$@_#9k7c5}H7}3LeRN(#2~{?O
zFF7{$GWc$?o&Wh_m#6ztc=d59&ht6B4`%PefU%|Y(o62E+w!1{@6^XIZ@!(OWInK}
z)KHm-_{Z{+Azt~M<ZIShd}m`5w>#g&=Wtyiw~Nt_GK1O)M<h?Wf1N?{$g%3DUtk^;
z&sUmbWGOY5#{(@s8<UxV=8_o3=Qobq`SG+=or194;4tLNdqiC?hbpe3>>`avz4kOe
z{Q7alt07K}(XFED<t3NXMJ7JH-SXjgir&QySveT9WaB;0>)pKu58Exxe1AS}cf(2G
zy8pe3QUqp@Qzt?AQf=C8MD*U?UgFee!W~y9)QHS?`e}j;AJubdY0ELC;$f_kZ0CaP
z#!WvAo?tL_HysCVkJ#J|_7ue6sPkJ3>Fb~%c<Qq%;bV2)6x9&Md%BjuK~-;|p2<_x
z|D*+@iT2^c0&R<3z(O5E_zdghlS72*cm3D&6ON(nj59AWuIp>Os`(L$+mmis4#~)P
zUGB>g@I>G}^LGge@J8yM?L8$O_0irz$B3OrJ^V|Xx7A*WcYMY?pavB3S>WtuhcXZS
zRA`sC4eb~}B_tYotawZyqtc9I3bKI<Dv-!&f#?)wj0rkeC>AcBh;%t9k<W-EFcBB%
zwaugUWd2#bF*fsUV1PKa<AeMh33v@4!zVkRP?ODP1#QQddY%flW?lcjW-u!mPh@!%
zoI<H%G&1X9y|rD{$7pHk%I^s_4*+&^@N;oEektMHzuf0)X8c$9gi&Dn>hkW(*^!5S
zyTi=2ZFcVihKQuzpEp%1M^eldb7b7cdjSTQ$Q9bFaq$Z8_}DeSgMpnS>r_y!w!ex1
zu1vnEw6(dZ^<8P|fcP$rx8dz%KDt~mjGX*An+dv9l!aIwwp@2kunMzL#bBG`eLObB
zh$yGu@sJP`D@r;DdKh40Drk_?Jp17mq6{ftstL*5S#iiu{daS}E3t$2zrb$F!*|3f
zMf<D*8Nv^99B$VzXy#E-o-o@zsd(QJlB6pWas|jy1o_-o;Mac~qmxMPP7ti$Dp>GM
zI@vLWGLc~t5P3a4-rr>&jF}j}(3Kv+lXcQ#_^jvUaX<EPSMnXON`<Lfs;UX=VzBfP
zf$JGE0k0$<!lw^FT^m`K@(PF$H2%+60kE?4uM}lN{vnL@A@Ff%{yz|_1%x8!{2w0u
zcm4nS*aASoukiFQ;ngh4wg66`n7lh29hCpi>HeRXOZvaQO~?HAabfl!C|6?lX%NuW
zdw@WqoBsei{@+C=8@IQ%mRda%6SXr^Qy0B&m+?tRMgUzRxjCEDevS#WLVlHY0P!e;
l{%?urf7c<=<xD*KzWv@fM_5%2pfLy}Au9W=Oj!Tt{{YCr`X~SZ

literal 0
HcmV?d00001

diff --git a/samples/remote_attestation_wud/remoteattestation.edl b/samples/remote_attestation_wud/remoteattestation.edl
new file mode 100644
index 0000000000..213a90eb9c
--- /dev/null
+++ b/samples/remote_attestation_wud/remoteattestation.edl
@@ -0,0 +1,25 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+enclave {
+    trusted {
+
+        // Return the public key of this enclave along with the enclave's remote report.
+        // Another enclave can use the remote report to attest the enclave and verify
+        // the integrity of the public key.
+        public int get_remote_report_with_pubkey(   [out] uint8_t **pem_key,
+                                                [out] size_t *key_size,
+                                                [out] uint8_t **remote_report,
+                                                [out] size_t  *remote_report_size);
+
+        // Attest and store the public key of another enclave
+        public int verify_report_and_set_pubkey(   [in, count=key_size] uint8_t *pem_key,
+                                                                  size_t key_size,
+                                               [in, count=remote_report_size] uint8_t *remote_report,
+                                               size_t   remote_report_size);
+    };
+
+    //untrusted {
+    //    no untrusted functions in this sample
+    //};
+};

From 9f62119be190994aa988a781e5def81be8963121 Mon Sep 17 00:00:00 2001
From: "Christoph M. Wintersteiger" <cwinter@microsoft.com>
Date: Fri, 24 Jan 2020 12:16:04 +0000
Subject: [PATCH 408/420] Rename user data to extended enclave initialization
 data (EEID)

Signed-off-by: Christoph M. Wintersteiger <cwinter@microsoft.com>
---
 enclave/core/sgx/calls.c                      |  12 +--
 enclave/core/sgx/globals.c                    |  25 +++---
 host/sgx/create.c                             |  71 ++++++++----------
 include/openenclave/host.h                    |  13 ++--
 include/openenclave/internal/globals.h        |   8 +-
 .../CMakeLists.txt                            |   0
 .../Makefile                                  |   0
 .../README.md                                 |   0
 .../common/CMakeLists.txt                     |   0
 .../common/attestation.cpp                    |   0
 .../common/attestation.h                      |   0
 .../common/crypto.cpp                         |   0
 .../common/crypto.h                           |   0
 .../common/dispatcher.cpp                     |   0
 .../common/dispatcher.h                       |   0
 .../common/log.h                              |   0
 .../enclave_a/CMakeLists.txt                  |   0
 .../enclave_a/Makefile                        |   0
 .../enclave_a/ecalls.cpp                      |   0
 .../enclave_a/enc.conf                        |   0
 .../enclave_b/CMakeLists.txt                  |   0
 .../enclave_b/Makefile                        |   0
 .../enclave_b/ecalls.cpp                      |   0
 .../enclave_b/enc.conf                        |   0
 .../gen_pubkey_header.sh                      |   0
 .../host/CMakeLists.txt                       |   0
 .../host/Makefile                             |   0
 .../host/host.cpp                             |  24 +++---
 .../images/attestationsample.png              | Bin
 .../images/localattestation.png               | Bin
 .../images/remoteattestation_sample.png       | Bin
 .../remoteattestation_sample_details.png      | Bin
 .../images/remoteattestation_service.png      | Bin
 .../remoteattestation.edl                     |   0
 tools/oeedger8r/src/Headers.ml                |   6 +-
 tools/oeedger8r/src/Sources.ml                |  12 +--
 36 files changed, 84 insertions(+), 87 deletions(-)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/CMakeLists.txt (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/Makefile (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/README.md (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/common/CMakeLists.txt (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/common/attestation.cpp (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/common/attestation.h (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/common/crypto.cpp (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/common/crypto.h (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/common/dispatcher.cpp (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/common/dispatcher.h (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/common/log.h (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/enclave_a/CMakeLists.txt (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/enclave_a/Makefile (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/enclave_a/ecalls.cpp (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/enclave_a/enc.conf (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/enclave_b/CMakeLists.txt (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/enclave_b/Makefile (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/enclave_b/ecalls.cpp (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/enclave_b/enc.conf (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/gen_pubkey_header.sh (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/host/CMakeLists.txt (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/host/Makefile (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/host/host.cpp (89%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/images/attestationsample.png (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/images/localattestation.png (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/images/remoteattestation_sample.png (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/images/remoteattestation_sample_details.png (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/images/remoteattestation_service.png (100%)
 rename samples/{remote_attestation_wud => remote_attestation_eeid}/remoteattestation.edl (100%)

diff --git a/enclave/core/sgx/calls.c b/enclave/core/sgx/calls.c
index 6227b708c8..e3f810d1d3 100644
--- a/enclave/core/sgx/calls.c
+++ b/enclave/core/sgx/calls.c
@@ -125,20 +125,20 @@ extern bool oe_disable_debug_malloc_check;
 **==============================================================================
 */
 
-static oe_result_t _oe_check_user_data()
+static oe_result_t _oe_check_eeid()
 {
     oe_result_t result = OE_OK;
 
-    const uint8_t* user_data = __oe_get_user_data_base();
-    uint64_t user_data_size = __oe_get_user_data_size();
+    const uint8_t* eeid = __oe_get_eeid_base();
+    uint64_t eeid_size = __oe_get_eeid_size();
 
-    const uint8_t* old_signature = user_data + user_data_size;
+    const uint8_t* old_signature = eeid + eeid_size;
     const uint8_t* hash_ud_sig = old_signature + OE_KEY_SIZE;
 
     oe_sha256_context_t hctx;
     OE_SHA256 h;
     oe_sha256_init(&hctx);
-    oe_sha256_update(&hctx, user_data, user_data_size);
+    oe_sha256_update(&hctx, eeid, eeid_size);
     oe_sha256_update(&hctx, old_signature, OE_KEY_SIZE);
     oe_sha256_final(&hctx, &h);
 
@@ -196,7 +196,7 @@ static oe_result_t _handle_init_enclave(uint64_t arg_in)
             oe_call_init_functions();
 
             /* Check that the user data has not been tampered with */
-            OE_CHECK(_oe_check_user_data());
+            OE_CHECK(_oe_check_eeid());
 
             /* DCLP Release barrier. */
             OE_ATOMIC_MEMORY_BARRIER_RELEASE();
diff --git a/enclave/core/sgx/globals.c b/enclave/core/sgx/globals.c
index 08f64846a6..e70c3dfbc6 100644
--- a/enclave/core/sgx/globals.c
+++ b/enclave/core/sgx/globals.c
@@ -127,8 +127,8 @@ extern volatile const oe_sgx_enclave_properties_t oe_enclave_properties_sgx;
 static volatile uint64_t _enclave_rva;
 static volatile uint64_t _reloc_rva;
 static volatile uint64_t _reloc_size;
-static volatile uint64_t _user_data_rva;
-static volatile uint64_t _user_data_size;
+static volatile uint64_t _eeid_rva;
+static volatile uint64_t _eeid_size;
 
 #endif
 
@@ -198,30 +198,37 @@ size_t __oe_get_reloc_size()
 #endif
 }
 
-const void* __oe_get_user_data_base()
+/*
+**==============================================================================
+**
+** Extended enclave initialization data boundaries:
+**
+**==============================================================================
+*/
+
+const void* __oe_get_eeid_base()
 {
     const unsigned char* base = __oe_get_enclave_base();
 
 #if defined(__linux__)
-    return base + _user_data_rva;
+    return base + _eeid_rva;
 #else
 #error "unsupported"
 #endif
 }
 
-uint64_t __oe_get_user_data_size()
+uint64_t __oe_get_eeid_size()
 {
 #if defined(__linux__)
-    return _user_data_size;
+    return _eeid_size;
 #else
 #error "unsupported"
 #endif
 }
 
-const void* __oe_get_user_data_end()
+const void* __oe_get_eeid_end()
 {
-    return (const uint8_t*)__oe_get_user_data_base() +
-           __oe_get_user_data_size();
+    return (const uint8_t*)__oe_get_eeid_base() + __oe_get_eeid_size();
 }
 
 /*
diff --git a/host/sgx/create.c b/host/sgx/create.c
index 8315aceddc..aebc23c3de 100644
--- a/host/sgx/create.c
+++ b/host/sgx/create.c
@@ -584,75 +584,71 @@ static oe_result_t _add_extra_data_pages(
     return result;
 }
 
-static uint64_t user_data_pages_size(uint64_t user_data_size)
+static uint64_t eeid_pages_size(uint64_t eeid_size)
 {
-    return oe_round_up_to_page_size(
-        user_data_size + OE_KEY_SIZE + OE_SHA256_SIZE);
+    return oe_round_up_to_page_size(eeid_size + OE_KEY_SIZE + OE_SHA256_SIZE);
 }
 
-static oe_result_t _patch_user_data_symbols(
+static oe_result_t _patch_eeid_symbols(
     oe_enclave_image_t* oeimage,
     uint64_t enclave_end,
-    const void* user_data,
-    const size_t user_data_size)
+    const void* eeid,
+    const size_t eeid_size)
 {
-    if (user_data && user_data_size)
+    if (eeid && eeid_size)
     {
         elf64_sym_t sym_rva = {0}, sym_sz = {0};
         if (elf64_find_symbol_by_name(
-                &oeimage->u.elf.elf, "_user_data_rva", &sym_rva) == 0 &&
+                &oeimage->u.elf.elf, "_eeid_rva", &sym_rva) == 0 &&
             elf64_find_symbol_by_name(
-                &oeimage->u.elf.elf, "_user_data_size", &sym_sz) == 0)
+                &oeimage->u.elf.elf, "_eeid_size", &sym_sz) == 0)
         {
-            uint64_t sz = user_data_pages_size(user_data_size);
+            uint64_t sz = eeid_pages_size(eeid_size);
             uint64_t *sym_rva_addr = NULL, *sym_sz_addr = NULL;
             sym_rva_addr = (uint64_t*)(oeimage->image_base + sym_rva.st_value);
             *sym_rva_addr = enclave_end - sz;
             sym_sz_addr = (uint64_t*)(oeimage->image_base + sym_sz.st_value);
-            *sym_sz_addr = user_data_size;
+            *sym_sz_addr = eeid_size;
         }
     }
 
     return OE_OK;
 }
 
-static oe_result_t _add_user_data_pages(
+static oe_result_t _add_eeid_pages(
     oe_sgx_load_context_t* context,
     oe_enclave_t* enclave,
     uint64_t enclave_end,
     oe_sgx_enclave_properties_t* properties,
     uint64_t* vaddr,
-    uint8_t* user_data,
-    uint32_t user_data_size)
+    uint8_t* eeid,
+    uint32_t eeid_size)
 {
     oe_result_t result = OE_OK;
 
-    if (user_data_size > 0 && user_data != NULL)
+    if (eeid_size > 0 && eeid != NULL)
     {
         sgx_sigstruct_t* sigstruct = (sgx_sigstruct_t*)properties->sigstruct;
         // cwinter: verify sigstruct->signature here?
 
-        uint64_t sz = user_data_pages_size(user_data_size);
+        uint64_t sz = eeid_pages_size(eeid_size);
         assert(*vaddr == enclave_end - sz);
 
         oe_sha256_context_t hctx;
         OE_SHA256 hash_ud_sig;
         oe_sha256_init(&hctx);
-        oe_sha256_update(&hctx, user_data, user_data_size);
+        oe_sha256_update(&hctx, eeid, eeid_size);
         oe_sha256_update(&hctx, sigstruct->signature, OE_KEY_SIZE);
         oe_sha256_final(&hctx, &hash_ud_sig);
 
         uint8_t data[sz];
         memset(data, 0, sz);
-        memcpy(data, user_data, user_data_size); /* not necessary? */
+        memcpy(data, eeid, eeid_size); /* not necessary? */
         memcpy(
-            data + user_data_size,
+            data + eeid_size,
             sigstruct->signature,
             OE_KEY_SIZE); /* not necessary? */
-        memcpy(
-            data + user_data_size + OE_KEY_SIZE,
-            hash_ud_sig.buf,
-            OE_SHA256_SIZE);
+        memcpy(data + eeid_size + OE_KEY_SIZE, hash_ud_sig.buf, OE_SHA256_SIZE);
 
         OE_CHECK(_add_extra_data_pages(
             context,
@@ -684,8 +680,8 @@ oe_result_t oe_sgx_build_enclave(
     oe_sgx_load_context_t* context,
     const char* path,
     const oe_sgx_enclave_properties_t* properties,
-    uint8_t* user_data,
-    uint32_t user_data_size,
+    uint8_t* eeid,
+    uint32_t eeid_size,
     oe_enclave_t* enclave)
 {
     oe_result_t result = OE_UNEXPECTED;
@@ -771,7 +767,7 @@ oe_result_t oe_sgx_build_enclave(
     OE_CHECK(oeimage.calculate_size(&oeimage, &image_size));
 
     /* Add (optional) user data pages size */
-    image_size += user_data_pages_size(user_data_size);
+    image_size += eeid_pages_size(eeid_size);
 
     /* Calculate the size of this enclave in memory */
     OE_CHECK(_calculate_enclave_size(
@@ -789,8 +785,7 @@ oe_result_t oe_sgx_build_enclave(
     OE_CHECK(oeimage.patch(&oeimage, enclave_end));
 
     /* Patch user data */
-    OE_CHECK(_patch_user_data_symbols(
-        &oeimage, enclave_end, user_data, user_data_size));
+    OE_CHECK(_patch_eeid_symbols(&oeimage, enclave_end, eeid, eeid_size));
 
     /* Add image to enclave */
     OE_CHECK(oeimage.add_pages(&oeimage, context, enclave, &vaddr));
@@ -800,14 +795,8 @@ oe_result_t oe_sgx_build_enclave(
         _add_data_pages(context, enclave, &props, oeimage.entry_rva, &vaddr));
 
     /* Add user data for extended attestation */
-    OE_CHECK(_add_user_data_pages(
-        context,
-        enclave,
-        enclave_end,
-        &props,
-        &vaddr,
-        user_data,
-        user_data_size));
+    OE_CHECK(_add_eeid_pages(
+        context, enclave, enclave_end, &props, &vaddr, eeid, eeid_size));
 
     /* Ask the platform to initialize the enclave and finalize the hash */
     OE_CHECK(oe_sgx_initialize_enclave(
@@ -860,7 +849,7 @@ oe_result_t oe_create_enclave(
     uint32_t ocall_count,
     oe_enclave_t** enclave_out)
 {
-    return oe_create_enclave_wud(
+    return oe_create_enclave_eeid(
         enclave_path,
         enclave_type,
         flags,
@@ -873,7 +862,7 @@ oe_result_t oe_create_enclave(
         enclave_out);
 }
 
-oe_result_t oe_create_enclave_wud(
+oe_result_t oe_create_enclave_eeid(
     const char* enclave_path,
     oe_enclave_type_t enclave_type,
     uint32_t flags,
@@ -881,8 +870,8 @@ oe_result_t oe_create_enclave_wud(
     uint32_t setting_count,
     const oe_ocall_func_t* ocall_table,
     uint32_t ocall_count,
-    uint8_t* user_data,
-    uint32_t user_data_size,
+    uint8_t* eeid,
+    uint32_t eeid_size,
     oe_enclave_t** enclave_out)
 {
     oe_result_t result = OE_UNEXPECTED;
@@ -940,7 +929,7 @@ oe_result_t oe_create_enclave_wud(
 
     /* Build the enclave */
     OE_CHECK(oe_sgx_build_enclave(
-        &context, enclave_path, NULL, user_data, user_data_size, enclave));
+        &context, enclave_path, NULL, eeid, eeid_size, enclave));
 
     /* Push the new created enclave to the global list. */
     if (oe_push_enclave_instance(enclave) != 0)
diff --git a/include/openenclave/host.h b/include/openenclave/host.h
index 1cc34f586a..2ab9e3de04 100644
--- a/include/openenclave/host.h
+++ b/include/openenclave/host.h
@@ -157,7 +157,8 @@ oe_result_t oe_create_enclave(
     oe_enclave_t** enclave);
 
 /**
- * Create an enclave from an enclave image file with optional user data.
+ * Create an enclave from an enclave image file with extended enclave
+ * initialization data.
  *
  * This function creates an enclave from an enclave image file. On successful
  * return, the enclave is fully initialized and ready to use.
@@ -185,16 +186,16 @@ oe_result_t oe_create_enclave(
  *
  * @param ocall_count The number of functions in the **ocall_table**.
  *
- * @param user_data Optional user data for attestation.
+ * @param eeid Optional user data for attestation.
  *
- * @param user_data_size Size of the user data.
+ * @param eeid_size Size of the user data.
  *
  * @param enclave This points to the enclave instance upon success.
  *
  * @returns Returns OE_OK on success.
  *
  */
-oe_result_t oe_create_enclave_wud(
+oe_result_t oe_create_enclave_eeid(
     const char* path,
     oe_enclave_type_t type,
     uint32_t flags,
@@ -202,8 +203,8 @@ oe_result_t oe_create_enclave_wud(
     uint32_t setting_count,
     const oe_ocall_func_t* ocall_table,
     uint32_t ocall_count,
-    uint8_t* user_data,
-    uint32_t user_data_size,
+    uint8_t* eeid,
+    uint32_t eeid_size,
     oe_enclave_t** enclave);
 
 /**
diff --git a/include/openenclave/internal/globals.h b/include/openenclave/internal/globals.h
index dc77f36a84..6dd9c01e36 100644
--- a/include/openenclave/internal/globals.h
+++ b/include/openenclave/internal/globals.h
@@ -32,10 +32,10 @@ uint64_t oe_get_base_heap_page(void);
 uint64_t oe_get_num_heap_pages(void);
 uint64_t oe_get_num_pages(void);
 
-/* User data */
-const void* __oe_get_user_data_base(void);
-const void* __oe_get_user_data_end(void);
-uint64_t __oe_get_user_data_size(void);
+/* Extended enclave initialization data */
+const void* __oe_get_eeid_base(void);
+const void* __oe_get_eeid_end(void);
+uint64_t __oe_get_eeid_size(void);
 
 OE_EXTERNC_END
 
diff --git a/samples/remote_attestation_wud/CMakeLists.txt b/samples/remote_attestation_eeid/CMakeLists.txt
similarity index 100%
rename from samples/remote_attestation_wud/CMakeLists.txt
rename to samples/remote_attestation_eeid/CMakeLists.txt
diff --git a/samples/remote_attestation_wud/Makefile b/samples/remote_attestation_eeid/Makefile
similarity index 100%
rename from samples/remote_attestation_wud/Makefile
rename to samples/remote_attestation_eeid/Makefile
diff --git a/samples/remote_attestation_wud/README.md b/samples/remote_attestation_eeid/README.md
similarity index 100%
rename from samples/remote_attestation_wud/README.md
rename to samples/remote_attestation_eeid/README.md
diff --git a/samples/remote_attestation_wud/common/CMakeLists.txt b/samples/remote_attestation_eeid/common/CMakeLists.txt
similarity index 100%
rename from samples/remote_attestation_wud/common/CMakeLists.txt
rename to samples/remote_attestation_eeid/common/CMakeLists.txt
diff --git a/samples/remote_attestation_wud/common/attestation.cpp b/samples/remote_attestation_eeid/common/attestation.cpp
similarity index 100%
rename from samples/remote_attestation_wud/common/attestation.cpp
rename to samples/remote_attestation_eeid/common/attestation.cpp
diff --git a/samples/remote_attestation_wud/common/attestation.h b/samples/remote_attestation_eeid/common/attestation.h
similarity index 100%
rename from samples/remote_attestation_wud/common/attestation.h
rename to samples/remote_attestation_eeid/common/attestation.h
diff --git a/samples/remote_attestation_wud/common/crypto.cpp b/samples/remote_attestation_eeid/common/crypto.cpp
similarity index 100%
rename from samples/remote_attestation_wud/common/crypto.cpp
rename to samples/remote_attestation_eeid/common/crypto.cpp
diff --git a/samples/remote_attestation_wud/common/crypto.h b/samples/remote_attestation_eeid/common/crypto.h
similarity index 100%
rename from samples/remote_attestation_wud/common/crypto.h
rename to samples/remote_attestation_eeid/common/crypto.h
diff --git a/samples/remote_attestation_wud/common/dispatcher.cpp b/samples/remote_attestation_eeid/common/dispatcher.cpp
similarity index 100%
rename from samples/remote_attestation_wud/common/dispatcher.cpp
rename to samples/remote_attestation_eeid/common/dispatcher.cpp
diff --git a/samples/remote_attestation_wud/common/dispatcher.h b/samples/remote_attestation_eeid/common/dispatcher.h
similarity index 100%
rename from samples/remote_attestation_wud/common/dispatcher.h
rename to samples/remote_attestation_eeid/common/dispatcher.h
diff --git a/samples/remote_attestation_wud/common/log.h b/samples/remote_attestation_eeid/common/log.h
similarity index 100%
rename from samples/remote_attestation_wud/common/log.h
rename to samples/remote_attestation_eeid/common/log.h
diff --git a/samples/remote_attestation_wud/enclave_a/CMakeLists.txt b/samples/remote_attestation_eeid/enclave_a/CMakeLists.txt
similarity index 100%
rename from samples/remote_attestation_wud/enclave_a/CMakeLists.txt
rename to samples/remote_attestation_eeid/enclave_a/CMakeLists.txt
diff --git a/samples/remote_attestation_wud/enclave_a/Makefile b/samples/remote_attestation_eeid/enclave_a/Makefile
similarity index 100%
rename from samples/remote_attestation_wud/enclave_a/Makefile
rename to samples/remote_attestation_eeid/enclave_a/Makefile
diff --git a/samples/remote_attestation_wud/enclave_a/ecalls.cpp b/samples/remote_attestation_eeid/enclave_a/ecalls.cpp
similarity index 100%
rename from samples/remote_attestation_wud/enclave_a/ecalls.cpp
rename to samples/remote_attestation_eeid/enclave_a/ecalls.cpp
diff --git a/samples/remote_attestation_wud/enclave_a/enc.conf b/samples/remote_attestation_eeid/enclave_a/enc.conf
similarity index 100%
rename from samples/remote_attestation_wud/enclave_a/enc.conf
rename to samples/remote_attestation_eeid/enclave_a/enc.conf
diff --git a/samples/remote_attestation_wud/enclave_b/CMakeLists.txt b/samples/remote_attestation_eeid/enclave_b/CMakeLists.txt
similarity index 100%
rename from samples/remote_attestation_wud/enclave_b/CMakeLists.txt
rename to samples/remote_attestation_eeid/enclave_b/CMakeLists.txt
diff --git a/samples/remote_attestation_wud/enclave_b/Makefile b/samples/remote_attestation_eeid/enclave_b/Makefile
similarity index 100%
rename from samples/remote_attestation_wud/enclave_b/Makefile
rename to samples/remote_attestation_eeid/enclave_b/Makefile
diff --git a/samples/remote_attestation_wud/enclave_b/ecalls.cpp b/samples/remote_attestation_eeid/enclave_b/ecalls.cpp
similarity index 100%
rename from samples/remote_attestation_wud/enclave_b/ecalls.cpp
rename to samples/remote_attestation_eeid/enclave_b/ecalls.cpp
diff --git a/samples/remote_attestation_wud/enclave_b/enc.conf b/samples/remote_attestation_eeid/enclave_b/enc.conf
similarity index 100%
rename from samples/remote_attestation_wud/enclave_b/enc.conf
rename to samples/remote_attestation_eeid/enclave_b/enc.conf
diff --git a/samples/remote_attestation_wud/gen_pubkey_header.sh b/samples/remote_attestation_eeid/gen_pubkey_header.sh
similarity index 100%
rename from samples/remote_attestation_wud/gen_pubkey_header.sh
rename to samples/remote_attestation_eeid/gen_pubkey_header.sh
diff --git a/samples/remote_attestation_wud/host/CMakeLists.txt b/samples/remote_attestation_eeid/host/CMakeLists.txt
similarity index 100%
rename from samples/remote_attestation_wud/host/CMakeLists.txt
rename to samples/remote_attestation_eeid/host/CMakeLists.txt
diff --git a/samples/remote_attestation_wud/host/Makefile b/samples/remote_attestation_eeid/host/Makefile
similarity index 100%
rename from samples/remote_attestation_wud/host/Makefile
rename to samples/remote_attestation_eeid/host/Makefile
diff --git a/samples/remote_attestation_wud/host/host.cpp b/samples/remote_attestation_eeid/host/host.cpp
similarity index 89%
rename from samples/remote_attestation_wud/host/host.cpp
rename to samples/remote_attestation_eeid/host/host.cpp
index e6e169ec1b..7c1bebdd6e 100644
--- a/samples/remote_attestation_wud/host/host.cpp
+++ b/samples/remote_attestation_eeid/host/host.cpp
@@ -7,20 +7,20 @@
 
 oe_enclave_t* create_enclave(
     const char* enclave_path,
-    uint8_t* user_data,
-    uint32_t user_data_size)
+    uint8_t* eeid,
+    uint32_t eeid_size)
 {
     oe_enclave_t* enclave = NULL;
 
     printf("Host: Enclave library %s\n", enclave_path);
-    oe_result_t result = oe_create_remoteattestation_enclave_wud(
+    oe_result_t result = oe_create_remoteattestation_enclave_eeid(
         enclave_path,
         OE_ENCLAVE_TYPE_SGX,
         OE_ENCLAVE_FLAG_DEBUG,
         NULL,
         0,
-        user_data,
-        user_data_size,
+        eeid,
+        eeid_size,
         &enclave);
 
     if (result != OE_OK)
@@ -55,13 +55,13 @@ int main(int argc, const char* argv[])
     uint8_t* remote_report = NULL;
     size_t remote_report_size = 0;
 
-    uint32_t user_data_size = 512;
-    uint8_t user_data_a[user_data_size], user_data_b[user_data_size];
+    uint32_t eeid_size = 512;
+    uint8_t eeid_a[eeid_size], eeid_b[eeid_size];
 
-    for (size_t i = 0; i < user_data_size; i++)
+    for (size_t i = 0; i < eeid_size; i++)
     {
-        user_data_a[i] = i;
-        user_data_b[i] = user_data_size - i - 1;
+        eeid_a[i] = i;
+        eeid_b[i] = eeid_size - i - 1;
     }
 
     /* Check argument count */
@@ -72,12 +72,12 @@ int main(int argc, const char* argv[])
     }
 
     printf("Host: Creating two enclaves\n");
-    enclave_a = create_enclave(argv[1], user_data_a, user_data_size);
+    enclave_a = create_enclave(argv[1], eeid_a, eeid_size);
     if (enclave_a == NULL)
     {
         goto exit;
     }
-    enclave_b = create_enclave(argv[2], user_data_b, user_data_size);
+    enclave_b = create_enclave(argv[2], eeid_b, eeid_size);
     if (enclave_b == NULL)
     {
         goto exit;
diff --git a/samples/remote_attestation_wud/images/attestationsample.png b/samples/remote_attestation_eeid/images/attestationsample.png
similarity index 100%
rename from samples/remote_attestation_wud/images/attestationsample.png
rename to samples/remote_attestation_eeid/images/attestationsample.png
diff --git a/samples/remote_attestation_wud/images/localattestation.png b/samples/remote_attestation_eeid/images/localattestation.png
similarity index 100%
rename from samples/remote_attestation_wud/images/localattestation.png
rename to samples/remote_attestation_eeid/images/localattestation.png
diff --git a/samples/remote_attestation_wud/images/remoteattestation_sample.png b/samples/remote_attestation_eeid/images/remoteattestation_sample.png
similarity index 100%
rename from samples/remote_attestation_wud/images/remoteattestation_sample.png
rename to samples/remote_attestation_eeid/images/remoteattestation_sample.png
diff --git a/samples/remote_attestation_wud/images/remoteattestation_sample_details.png b/samples/remote_attestation_eeid/images/remoteattestation_sample_details.png
similarity index 100%
rename from samples/remote_attestation_wud/images/remoteattestation_sample_details.png
rename to samples/remote_attestation_eeid/images/remoteattestation_sample_details.png
diff --git a/samples/remote_attestation_wud/images/remoteattestation_service.png b/samples/remote_attestation_eeid/images/remoteattestation_service.png
similarity index 100%
rename from samples/remote_attestation_wud/images/remoteattestation_service.png
rename to samples/remote_attestation_eeid/images/remoteattestation_service.png
diff --git a/samples/remote_attestation_wud/remoteattestation.edl b/samples/remote_attestation_eeid/remoteattestation.edl
similarity index 100%
rename from samples/remote_attestation_wud/remoteattestation.edl
rename to samples/remote_attestation_eeid/remoteattestation.edl
diff --git a/tools/oeedger8r/src/Headers.ml b/tools/oeedger8r/src/Headers.ml
index 05a8f504e6..393bf8d70e 100644
--- a/tools/oeedger8r/src/Headers.ml
+++ b/tools/oeedger8r/src/Headers.ml
@@ -305,14 +305,14 @@ let generate_untrusted (ec : enclave_content) =
     "    uint32_t setting_count,";
     "    oe_enclave_t** enclave);";
     "";
-    sprintf "oe_result_t oe_create_%s_enclave_wud(" ec.enclave_name;
+    sprintf "oe_result_t oe_create_%s_enclave_eeid(" ec.enclave_name;
     "    const char* path,";
     "    oe_enclave_type_t type,";
     "    uint32_t flags,";
     "    const oe_enclave_setting_t* settings,";
     "    uint32_t setting_count,";
-    "    uint8_t *user_data,";
-    "    uint32_t user_data_size,";
+    "    uint8_t *eeid,";
+    "    uint32_t eeid_size,";
     "    oe_enclave_t** enclave);";
     "";
     "/**** ECALL prototypes. ****/";
diff --git a/tools/oeedger8r/src/Sources.ml b/tools/oeedger8r/src/Sources.ml
index 680211ffe6..1f349feae9 100644
--- a/tools/oeedger8r/src/Sources.ml
+++ b/tools/oeedger8r/src/Sources.ml
@@ -973,17 +973,17 @@ let generate_untrusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
     "               enclave);";
     "}";
     "";
-    sprintf "oe_result_t oe_create_%s_enclave_wud(" ec.enclave_name;
+    sprintf "oe_result_t oe_create_%s_enclave_eeid(" ec.enclave_name;
     "    const char* path,";
     "    oe_enclave_type_t type,";
     "    uint32_t flags,";
     "    const oe_enclave_setting_t* settings,";
     "    uint32_t setting_count,";
-    "    uint8_t *user_data,";
-    "    uint32_t user_data_size,";
+    "    uint8_t *eeid,";
+    "    uint32_t eeid_size,";
     "    oe_enclave_t** enclave)";
     "{";
-    "    return oe_create_enclave_wud(";
+    "    return oe_create_enclave_eeid(";
     "               path,";
     "               type,";
     "               flags,";
@@ -991,8 +991,8 @@ let generate_untrusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
     "               setting_count,";
     sprintf "               __%s_ocall_function_table," ec.enclave_name;
     sprintf "               %d," (List.length ec.ufunc_decls);
-    "               user_data,";
-    "               user_data_size,";
+    "               eeid,";
+    "               eeid_size,";
     "               enclave);";
     "}";
     "";

From 78dbf1422674b0a04a5d907c7943330e6519e250 Mon Sep 17 00:00:00 2001
From: "Christoph M. Wintersteiger" <cwinter@microsoft.com>
Date: Fri, 24 Jan 2020 13:58:48 +0000
Subject: [PATCH 409/420] Add proper datatype for extended enclave
 initialization data

Signed-off-by: Christoph M. Wintersteiger <cwinter@microsoft.com>
---
 enclave/core/sgx/calls.c                | 15 +++---
 host/sgx/create.c                       | 70 +++++++++++++++----------
 include/openenclave/internal/sgxtypes.h | 16 ++++++
 3 files changed, 63 insertions(+), 38 deletions(-)

diff --git a/enclave/core/sgx/calls.c b/enclave/core/sgx/calls.c
index e3f810d1d3..39d7dcf22f 100644
--- a/enclave/core/sgx/calls.c
+++ b/enclave/core/sgx/calls.c
@@ -129,20 +129,17 @@ static oe_result_t _oe_check_eeid()
 {
     oe_result_t result = OE_OK;
 
-    const uint8_t* eeid = __oe_get_eeid_base();
-    uint64_t eeid_size = __oe_get_eeid_size();
-
-    const uint8_t* old_signature = eeid + eeid_size;
-    const uint8_t* hash_ud_sig = old_signature + OE_KEY_SIZE;
+    const oe_eeid_t* eeid = (const oe_eeid_t*)__oe_get_eeid_base();
 
     oe_sha256_context_t hctx;
     OE_SHA256 h;
     oe_sha256_init(&hctx);
-    oe_sha256_update(&hctx, eeid, eeid_size);
-    oe_sha256_update(&hctx, old_signature, OE_KEY_SIZE);
+    oe_sha256_update(&hctx, eeid->data, eeid->data_size);
+    oe_sha256_update(&hctx, eeid->mrenclave, sizeof(eeid->mrenclave));
+    oe_sha256_update(&hctx, eeid->signature, sizeof(eeid->signature));
     oe_sha256_final(&hctx, &h);
 
-    if (memcmp(hash_ud_sig, h.buf, OE_SHA256_SIZE) != 0)
+    if (memcmp(eeid->hash, h.buf, OE_SHA256_SIZE) != 0)
         OE_RAISE(OE_VERIFY_FAILED);
 
 done:
@@ -195,7 +192,7 @@ static oe_result_t _handle_init_enclave(uint64_t arg_in)
              * instructions like CPUID. */
             oe_call_init_functions();
 
-            /* Check that the user data has not been tampered with */
+            /* Check that the EEI data has not been tampered with */
             OE_CHECK(_oe_check_eeid());
 
             /* DCLP Release barrier. */
diff --git a/host/sgx/create.c b/host/sgx/create.c
index aebc23c3de..a167e54b78 100644
--- a/host/sgx/create.c
+++ b/host/sgx/create.c
@@ -584,31 +584,35 @@ static oe_result_t _add_extra_data_pages(
     return result;
 }
 
-static uint64_t eeid_pages_size(uint64_t eeid_size)
+static uint64_t eeid_pages_size(uint64_t id_size)
 {
-    return oe_round_up_to_page_size(eeid_size + OE_KEY_SIZE + OE_SHA256_SIZE);
+    return oe_round_up_to_page_size(
+        sizeof(oe_eeid_t) + id_size * sizeof(uint8_t));
 }
 
 static oe_result_t _patch_eeid_symbols(
     oe_enclave_image_t* oeimage,
     uint64_t enclave_end,
-    const void* eeid,
-    const size_t eeid_size)
+    const void* id,
+    const size_t id_size)
 {
-    if (eeid && eeid_size)
+    if (id && id_size)
     {
         elf64_sym_t sym_rva = {0}, sym_sz = {0};
         if (elf64_find_symbol_by_name(
-                &oeimage->u.elf.elf, "_eeid_rva", &sym_rva) == 0 &&
-            elf64_find_symbol_by_name(
-                &oeimage->u.elf.elf, "_eeid_size", &sym_sz) == 0)
+                &oeimage->u.elf.elf, "_eeid_rva", &sym_rva) == 0)
         {
-            uint64_t sz = eeid_pages_size(eeid_size);
-            uint64_t *sym_rva_addr = NULL, *sym_sz_addr = NULL;
+            uint64_t pgsz = eeid_pages_size(id_size);
+            uint64_t* sym_rva_addr = NULL;
             sym_rva_addr = (uint64_t*)(oeimage->image_base + sym_rva.st_value);
-            *sym_rva_addr = enclave_end - sz;
+            *sym_rva_addr = enclave_end - pgsz;
+        }
+        if (elf64_find_symbol_by_name(
+                &oeimage->u.elf.elf, "_eeid_size", &sym_sz) == 0)
+        {
+            uint64_t* sym_sz_addr = NULL;
             sym_sz_addr = (uint64_t*)(oeimage->image_base + sym_sz.st_value);
-            *sym_sz_addr = eeid_size;
+            *sym_sz_addr = sizeof(oe_eeid_t) + id_size * sizeof(uint8_t);
         }
     }
 
@@ -621,42 +625,50 @@ static oe_result_t _add_eeid_pages(
     uint64_t enclave_end,
     oe_sgx_enclave_properties_t* properties,
     uint64_t* vaddr,
-    uint8_t* eeid,
-    uint32_t eeid_size)
+    uint8_t* id,
+    uint32_t id_size)
 {
     oe_result_t result = OE_OK;
 
-    if (eeid_size > 0 && eeid != NULL)
+    if (id_size > 0 && id != NULL)
     {
         sgx_sigstruct_t* sigstruct = (sgx_sigstruct_t*)properties->sigstruct;
-        // cwinter: verify sigstruct->signature here?
 
-        uint64_t sz = eeid_pages_size(eeid_size);
+        uint64_t sz = eeid_pages_size(id_size);
         assert(*vaddr == enclave_end - sz);
 
         oe_sha256_context_t hctx;
-        OE_SHA256 hash_ud_sig;
+        OE_SHA256 eeid_hash;
         oe_sha256_init(&hctx);
-        oe_sha256_update(&hctx, eeid, eeid_size);
-        oe_sha256_update(&hctx, sigstruct->signature, OE_KEY_SIZE);
-        oe_sha256_final(&hctx, &hash_ud_sig);
-
-        uint8_t data[sz];
-        memset(data, 0, sz);
-        memcpy(data, eeid, eeid_size); /* not necessary? */
+        oe_sha256_update(&hctx, id, id_size);
+        oe_sha256_update(
+            &hctx, sigstruct->enclavehash, sizeof(sigstruct->enclavehash));
+        oe_sha256_update(
+            &hctx, sigstruct->signature, sizeof(sigstruct->signature));
+        oe_sha256_final(&hctx, &eeid_hash);
+
+        oe_eeid_t* eeid = (oe_eeid_t*)calloc(1, sz);
+        memcpy(eeid->data, id, id_size);
+        eeid->data_size = id_size;
         memcpy(
-            data + eeid_size,
+            eeid->mrenclave,
+            sigstruct->enclavehash,
+            sizeof(sigstruct->enclavehash));
+        memcpy(
+            eeid->signature,
             sigstruct->signature,
-            OE_KEY_SIZE); /* not necessary? */
-        memcpy(data + eeid_size + OE_KEY_SIZE, hash_ud_sig.buf, OE_SHA256_SIZE);
+            sizeof(sigstruct->signature));
+        memcpy(eeid->hash, eeid_hash.buf, sizeof(eeid_hash));
 
         OE_CHECK(_add_extra_data_pages(
             context,
             enclave->addr,
-            (const oe_page_t*)data,
+            (const oe_page_t*)eeid,
             sz / OE_PAGE_SIZE,
             vaddr));
 
+        free(eeid);
+
         OE_SHA256 ext_mrenclave;
         oe_sha256_final(&context->hash_context, &ext_mrenclave);
 
diff --git a/include/openenclave/internal/sgxtypes.h b/include/openenclave/internal/sgxtypes.h
index 798bf6f7af..04c315914c 100644
--- a/include/openenclave/internal/sgxtypes.h
+++ b/include/openenclave/internal/sgxtypes.h
@@ -1161,6 +1161,22 @@ typedef struct _sgx_key
 #define OE_SEALKEY_DEFAULT_MISCMASK (~SGX_MISC_NON_SECURITY_BITS)
 #define OE_SEALKEY_DEFAULT_XFRMMASK (0X0ULL)
 
+/*
+**==============================================================================
+**
+** oe_eeid_t
+**
+**==============================================================================
+*/
+typedef struct oe_eeid_t_
+{
+    uint8_t mrenclave[OE_SHA256_SIZE]; /* normal/non-extended mrenclave */
+    uint8_t signature[OE_KEY_SIZE];    /* signature over normal mrenclave */
+    uint8_t hash[OE_SHA256_SIZE];      /* sha256(eeid, signature) */
+    uint64_t data_size;                /* size of initialization data */
+    uint8_t data[];                    /* actual initialization data */
+} oe_eeid_t;
+
 OE_EXTERNC_END
 
 #endif /* _OE_SGXTYPES_H */

From 199ca731445543ce4cbc3695b0daffd08b6c5776 Mon Sep 17 00:00:00 2001
From: "Christoph M. Wintersteiger" <cwinter@microsoft.com>
Date: Mon, 27 Jan 2020 13:35:20 +0000
Subject: [PATCH 410/420] Fix enclave creation without EEID

Signed-off-by: Christoph M. Wintersteiger <cwinter@microsoft.com>
---
 enclave/core/sgx/calls.c | 23 ++++++++++--------
 host/sgx/create.c        | 51 ++++++++++++++++------------------------
 2 files changed, 33 insertions(+), 41 deletions(-)

diff --git a/enclave/core/sgx/calls.c b/enclave/core/sgx/calls.c
index 39d7dcf22f..483aa188d0 100644
--- a/enclave/core/sgx/calls.c
+++ b/enclave/core/sgx/calls.c
@@ -131,16 +131,19 @@ static oe_result_t _oe_check_eeid()
 
     const oe_eeid_t* eeid = (const oe_eeid_t*)__oe_get_eeid_base();
 
-    oe_sha256_context_t hctx;
-    OE_SHA256 h;
-    oe_sha256_init(&hctx);
-    oe_sha256_update(&hctx, eeid->data, eeid->data_size);
-    oe_sha256_update(&hctx, eeid->mrenclave, sizeof(eeid->mrenclave));
-    oe_sha256_update(&hctx, eeid->signature, sizeof(eeid->signature));
-    oe_sha256_final(&hctx, &h);
-
-    if (memcmp(eeid->hash, h.buf, OE_SHA256_SIZE) != 0)
-        OE_RAISE(OE_VERIFY_FAILED);
+    if (eeid != __oe_get_enclave_base())
+    {
+        oe_sha256_context_t hctx;
+        OE_SHA256 h;
+        oe_sha256_init(&hctx);
+        oe_sha256_update(&hctx, eeid->data, eeid->data_size);
+        oe_sha256_update(&hctx, eeid->mrenclave, sizeof(eeid->mrenclave));
+        oe_sha256_update(&hctx, eeid->signature, sizeof(eeid->signature));
+        oe_sha256_final(&hctx, &h);
+
+        if (memcmp(eeid->hash, h.buf, OE_SHA256_SIZE) != 0)
+            OE_RAISE(OE_VERIFY_FAILED);
+    }
 
 done:
     return result;
diff --git a/host/sgx/create.c b/host/sgx/create.c
index a167e54b78..0053138cfb 100644
--- a/host/sgx/create.c
+++ b/host/sgx/create.c
@@ -593,27 +593,24 @@ static uint64_t eeid_pages_size(uint64_t id_size)
 static oe_result_t _patch_eeid_symbols(
     oe_enclave_image_t* oeimage,
     uint64_t enclave_end,
-    const void* id,
     const size_t id_size)
 {
-    if (id && id_size)
+    elf64_sym_t sym_rva = {0}, sym_sz = {0};
+
+    const elf64_t* eimg = &oeimage->u.elf.elf;
+    if (elf64_find_symbol_by_name(eimg, "_eeid_rva", &sym_rva) == 0)
     {
-        elf64_sym_t sym_rva = {0}, sym_sz = {0};
-        if (elf64_find_symbol_by_name(
-                &oeimage->u.elf.elf, "_eeid_rva", &sym_rva) == 0)
-        {
-            uint64_t pgsz = eeid_pages_size(id_size);
-            uint64_t* sym_rva_addr = NULL;
-            sym_rva_addr = (uint64_t*)(oeimage->image_base + sym_rva.st_value);
-            *sym_rva_addr = enclave_end - pgsz;
-        }
-        if (elf64_find_symbol_by_name(
-                &oeimage->u.elf.elf, "_eeid_size", &sym_sz) == 0)
-        {
-            uint64_t* sym_sz_addr = NULL;
-            sym_sz_addr = (uint64_t*)(oeimage->image_base + sym_sz.st_value);
-            *sym_sz_addr = sizeof(oe_eeid_t) + id_size * sizeof(uint8_t);
-        }
+        uint64_t pgsz = eeid_pages_size(id_size);
+        uint64_t* sym_rva_addr = NULL;
+        sym_rva_addr = (uint64_t*)(oeimage->image_base + sym_rva.st_value);
+        *sym_rva_addr = id_size == 0 ? 0 : enclave_end - pgsz;
+    }
+    if (elf64_find_symbol_by_name(eimg, "_eeid_size", &sym_sz) == 0)
+    {
+        uint64_t* sym_sz_addr = NULL;
+        sym_sz_addr = (uint64_t*)(oeimage->image_base + sym_sz.st_value);
+        *sym_sz_addr =
+            id_size == 0 ? 0 : sizeof(oe_eeid_t) + id_size * sizeof(uint8_t);
     }
 
     return OE_OK;
@@ -641,23 +638,15 @@ static oe_result_t _add_eeid_pages(
         OE_SHA256 eeid_hash;
         oe_sha256_init(&hctx);
         oe_sha256_update(&hctx, id, id_size);
-        oe_sha256_update(
-            &hctx, sigstruct->enclavehash, sizeof(sigstruct->enclavehash));
-        oe_sha256_update(
-            &hctx, sigstruct->signature, sizeof(sigstruct->signature));
+        oe_sha256_update(&hctx, sigstruct->enclavehash, OE_SHA256_SIZE);
+        oe_sha256_update(&hctx, sigstruct->signature, OE_KEY_SIZE);
         oe_sha256_final(&hctx, &eeid_hash);
 
         oe_eeid_t* eeid = (oe_eeid_t*)calloc(1, sz);
         memcpy(eeid->data, id, id_size);
         eeid->data_size = id_size;
-        memcpy(
-            eeid->mrenclave,
-            sigstruct->enclavehash,
-            sizeof(sigstruct->enclavehash));
-        memcpy(
-            eeid->signature,
-            sigstruct->signature,
-            sizeof(sigstruct->signature));
+        memcpy(eeid->mrenclave, sigstruct->enclavehash, OE_SHA256_SIZE);
+        memcpy(eeid->signature, sigstruct->signature, OE_KEY_SIZE);
         memcpy(eeid->hash, eeid_hash.buf, sizeof(eeid_hash));
 
         OE_CHECK(_add_extra_data_pages(
@@ -797,7 +786,7 @@ oe_result_t oe_sgx_build_enclave(
     OE_CHECK(oeimage.patch(&oeimage, enclave_end));
 
     /* Patch user data */
-    OE_CHECK(_patch_eeid_symbols(&oeimage, enclave_end, eeid, eeid_size));
+    OE_CHECK(_patch_eeid_symbols(&oeimage, enclave_end, eeid_size));
 
     /* Add image to enclave */
     OE_CHECK(oeimage.add_pages(&oeimage, context, enclave, &vaddr));

From fda16fecda51973be2e510437dbf1dae60848d88 Mon Sep 17 00:00:00 2001
From: "Christoph M. Wintersteiger" <cwinter@microsoft.com>
Date: Mon, 27 Jan 2020 14:17:10 +0000
Subject: [PATCH 411/420] Add EEID-enabled attestation tests

Signed-off-by: Christoph M. Wintersteiger <cwinter@microsoft.com>
---
 tests/report/CMakeLists.txt |  4 ++++
 tests/report/host/host.cpp  | 32 ++++++++++++++++++++++++++++----
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/tests/report/CMakeLists.txt b/tests/report/CMakeLists.txt
index 85d24b8991..b5c9fbb535 100644
--- a/tests/report/CMakeLists.txt
+++ b/tests/report/CMakeLists.txt
@@ -15,3 +15,7 @@ set_tests_properties(tests/report PROPERTIES SKIP_RETURN_CODE 2)
 add_enclave_test(tests/report_attestation_without_enclave report_host report_enc
     --attest-generated-report)
 set_tests_properties(tests/report_attestation_without_enclave PROPERTIES SKIP_RETURN_CODE 2)
+
+# Run all tests with EEID
+add_enclave_test(tests/report-eeid report_host report_enc --eeid)
+set_tests_properties(tests/report PROPERTIES SKIP_RETURN_CODE 2)
\ No newline at end of file
diff --git a/tests/report/host/host.cpp b/tests/report/host/host.cpp
index 70cc010bce..15b731ff84 100644
--- a/tests/report/host/host.cpp
+++ b/tests/report/host/host.cpp
@@ -76,6 +76,7 @@ int main(int argc, const char* argv[])
 {
     oe_result_t result;
     oe_enclave_t* enclave = NULL;
+    std::vector<uint8_t> eeid;
 
     sgx_target_info_t target_info = {{0}};
 
@@ -131,19 +132,42 @@ int main(int argc, const char* argv[])
     {
         return load_and_verify_report();
     }
+    else if (argc == 3 && strcmp(argv[2], "--eeid") == 0)
+    {
+        eeid.resize(512);
+        for (size_t i = 0; i < 512; i++)
+            eeid[i] = (uint8_t)i;
+    }
 
     /* Check arguments */
-    if (argc != 2)
+    if (argc != 2 && argc != 3)
     {
         fprintf(stderr, "Usage: %s ENCLAVE\n", argv[0]);
         exit(1);
     }
 
     /* Create the enclave */
-    if ((result = oe_create_tests_enclave(
-             argv[1], OE_ENCLAVE_TYPE_SGX, flags, NULL, 0, &enclave)) != OE_OK)
+    if (!eeid.empty())
+    {
+        if ((result = oe_create_tests_enclave_eeid(
+                 argv[1],
+                 OE_ENCLAVE_TYPE_SGX,
+                 flags,
+                 NULL,
+                 0,
+                 eeid.data(),
+                 (uint32_t)eeid.size(),
+                 &enclave)) != OE_OK)
+            oe_put_err("oe_create_tests_enclave_eeid(): result=%u", result);
+    }
+    else
     {
-        oe_put_err("oe_create_tests_enclave(): result=%u", result);
+        if ((result = oe_create_tests_enclave(
+                 argv[1], OE_ENCLAVE_TYPE_SGX, flags, NULL, 0, &enclave)) !=
+            OE_OK)
+        {
+            oe_put_err("oe_create_tests_enclave(): result=%u", result);
+        }
     }
 
     /*

From 8b3c5e2829ebd9bd52efee317db793fe3b0695a8 Mon Sep 17 00:00:00 2001
From: "Christoph M. Wintersteiger" <cwinter@microsoft.com>
Date: Thu, 30 Jan 2020 14:36:11 +0000
Subject: [PATCH 412/420] EEID checkpoint

Signed-off-by: Christoph M. Wintersteiger <cwinter@microsoft.com>
---
 enclave/core/CMakeLists.txt               |  1 +
 enclave/core/sgx/calls.c                  | 41 ++++++++++++++++----
 enclave/crypto/sha.c                      | 46 +++++++++++++++++++++++
 host/crypto/openssl/sha.c                 | 45 ++++++++++++++++++++++
 host/sgx/create.c                         | 27 ++++++-------
 include/openenclave/internal/crypto/sha.h | 10 +++++
 include/openenclave/internal/sgxtypes.h   | 10 ++---
 7 files changed, 154 insertions(+), 26 deletions(-)

diff --git a/enclave/core/CMakeLists.txt b/enclave/core/CMakeLists.txt
index 99ca83ea16..de279c6ead 100644
--- a/enclave/core/CMakeLists.txt
+++ b/enclave/core/CMakeLists.txt
@@ -51,6 +51,7 @@ set(MUSL_SRC_DIR ${PROJECT_SOURCE_DIR}/3rdparty/musl/musl/src)
 if (OE_SGX)
     list(APPEND PLATFORM_SRC
         ../../common/sgx/endorsements.c
+        ../../host/sgx/sgxmeasure.c
         sgx/backtrace.c
         sgx/calls.c
         sgx/cpuid.c
diff --git a/enclave/core/sgx/calls.c b/enclave/core/sgx/calls.c
index 483aa188d0..c501da2e8b 100644
--- a/enclave/core/sgx/calls.c
+++ b/enclave/core/sgx/calls.c
@@ -20,6 +20,7 @@
 #include <openenclave/internal/thread.h>
 #include <openenclave/internal/trace.h>
 #include <openenclave/internal/utils.h>
+#include "../../../host/sgx/sgxmeasure.h"
 #include "../../sgx/report.h"
 #include "../arena.h"
 #include "../atexit.h"
@@ -32,6 +33,8 @@
 #include "td.h"
 #include "tee_t.h"
 
+// #include <openenclave/internal/hexdump.h>
+
 oe_result_t __oe_enclave_status = OE_OK;
 uint8_t __oe_initialized = 0;
 
@@ -134,14 +137,36 @@ static oe_result_t _oe_check_eeid()
     if (eeid != __oe_get_enclave_base())
     {
         oe_sha256_context_t hctx;
-        OE_SHA256 h;
-        oe_sha256_init(&hctx);
-        oe_sha256_update(&hctx, eeid->data, eeid->data_size);
-        oe_sha256_update(&hctx, eeid->mrenclave, sizeof(eeid->mrenclave));
-        oe_sha256_update(&hctx, eeid->signature, sizeof(eeid->signature));
-        oe_sha256_final(&hctx, &h);
-
-        if (memcmp(eeid->hash, h.buf, OE_SHA256_SIZE) != 0)
+        oe_sha256_restore(&hctx, eeid->hash_state_H, eeid->hash_state_N);
+
+        size_t num_pages =
+            oe_round_up_to_page_size(__oe_get_eeid_size()) / OE_PAGE_SIZE;
+        oe_page_t* pages = (oe_page_t*)__oe_get_eeid_base();
+        uint64_t addr = (uint64_t)__oe_get_eeid_base();
+        for (size_t i = 0; i < num_pages; i++)
+        {
+            OE_CHECK(oe_sgx_measure_load_enclave_data(
+                &hctx,
+                (uint64_t)__oe_get_enclave_base(),
+                addr,
+                (uint64_t)&pages[i],
+                SGX_SECINFO_REG | SGX_SECINFO_R,
+                true));
+
+            addr += sizeof(oe_page_t);
+        }
+
+        OE_SHA256 th;
+        oe_sha256_final(&hctx, &th);
+
+        // char str_old[OE_SHA256_SIZE * 2 + 1], str_new[OE_SHA256_SIZE * 2 +
+        // 1]; oe_hex_string(str_old, OE_SHA256_SIZE * 2 + 1,
+        // eeid->sigstruct.enclavehash, OE_SHA256_SIZE); oe_host_printf(" | ***
+        // OLD: %s\n", str_old); oe_hex_string(str_new, OE_SHA256_SIZE * 2 + 1,
+        // th.buf, OE_SHA256_SIZE); oe_host_printf(" | *** NEW: %s\n", str_new);
+
+        if (false) // Figure out how to get the enclave hash from inside the
+                   // enclave?
             OE_RAISE(OE_VERIFY_FAILED);
     }
 
diff --git a/enclave/crypto/sha.c b/enclave/crypto/sha.c
index 59334a3cbe..1f57cb0148 100644
--- a/enclave/crypto/sha.c
+++ b/enclave/crypto/sha.c
@@ -77,3 +77,49 @@ oe_result_t oe_sha256_final(oe_sha256_context_t* context, OE_SHA256* sha256)
 done:
     return result;
 }
+
+oe_result_t oe_sha256_save(
+    const oe_sha256_context_t* context,
+    uint32_t* H,
+    uint32_t* N)
+{
+    oe_result_t result = OE_INVALID_PARAMETER;
+
+    if (!context || !H || !N)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    oe_sha256_context_impl_t* impl = (oe_sha256_context_impl_t*)context;
+
+    for (size_t i = 0; i < 8; i++)
+        H[i] = impl->ctx.state[i];
+
+    N[0] = impl->ctx.total[0] << 3;
+    N[1] = (impl->ctx.total[1] << 3) + (impl->ctx.total[0] >> 29);
+
+done:
+    return result;
+}
+
+oe_result_t oe_sha256_restore(
+    oe_sha256_context_t* context,
+    const uint32_t* H,
+    const uint32_t* N)
+{
+    oe_result_t result = OE_INVALID_PARAMETER;
+
+    if (!context || !H || !N)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    oe_sha256_context_impl_t* impl = (oe_sha256_context_impl_t*)context;
+    oe_sha256_init(context);
+
+    for (size_t i = 0; i < 8; i++)
+        impl->ctx.state[i] = H[i];
+
+    uint64_t NB = ((((uint64_t)N[1]) << 32) + N[0]) / 8;
+    impl->ctx.total[0] = NB & 0xFFFFFFFF;
+    impl->ctx.total[1] = (NB >> 32) & 0xFFFFFFFF;
+
+done:
+    return result;
+}
\ No newline at end of file
diff --git a/host/crypto/openssl/sha.c b/host/crypto/openssl/sha.c
index ef571efbf7..53b7ac2f87 100644
--- a/host/crypto/openssl/sha.c
+++ b/host/crypto/openssl/sha.c
@@ -70,3 +70,48 @@ oe_result_t oe_sha256_final(oe_sha256_context_t* context, OE_SHA256* sha256)
 done:
     return result;
 }
+
+oe_result_t oe_sha256_save(
+    const oe_sha256_context_t* context,
+    uint32_t* H,
+    uint32_t* N)
+{
+    oe_result_t result = OE_INVALID_PARAMETER;
+
+    if (!context || !H || !N)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    oe_sha256_context_impl_t* impl = (oe_sha256_context_impl_t*)context;
+
+    for (size_t i = 0; i < 8; i++)
+        H[i] = impl->ctx.h[i];
+
+    N[0] = impl->ctx.Nl;
+    N[1] = impl->ctx.Nh;
+
+done:
+    return result;
+}
+
+oe_result_t oe_sha256_restore(
+    oe_sha256_context_t* context,
+    const uint32_t* H,
+    const uint32_t* N)
+{
+    oe_result_t result = OE_INVALID_PARAMETER;
+
+    if (!context || !H || !N)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    oe_sha256_context_impl_t* impl = (oe_sha256_context_impl_t*)context;
+    oe_sha256_init(context);
+
+    for (size_t i = 0; i < 8; i++)
+        impl->ctx.h[i] = H[i];
+
+    impl->ctx.Nl = N[0];
+    impl->ctx.Nh = N[1];
+
+done:
+    return result;
+}
\ No newline at end of file
diff --git a/host/sgx/create.c b/host/sgx/create.c
index 0053138cfb..c051f9f8ec 100644
--- a/host/sgx/create.c
+++ b/host/sgx/create.c
@@ -49,6 +49,7 @@ static char* get_fullpath(const char* path)
 #include <openenclave/internal/switchless.h>
 #include <openenclave/internal/trace.h>
 #include <openenclave/internal/utils.h>
+// #include <openenclave/internal/hexdump.h>
 #include <string.h>
 #include "../memalign.h"
 #include "../signkey.h"
@@ -620,7 +621,7 @@ static oe_result_t _add_eeid_pages(
     oe_sgx_load_context_t* context,
     oe_enclave_t* enclave,
     uint64_t enclave_end,
-    oe_sgx_enclave_properties_t* properties,
+    const oe_sgx_enclave_properties_t* properties,
     uint64_t* vaddr,
     uint8_t* id,
     uint32_t id_size)
@@ -631,23 +632,20 @@ static oe_result_t _add_eeid_pages(
     {
         sgx_sigstruct_t* sigstruct = (sgx_sigstruct_t*)properties->sigstruct;
 
+        // char str[OE_SHA256_SIZE * 2 + 1];
+        // oe_hex_string(str, OE_SHA256_SIZE * 2 + 1, sigstruct->enclavehash,
+        // OE_SHA256_SIZE); OE_TRACE_INFO("*** OLD: %s\n", str);
+
         uint64_t sz = eeid_pages_size(id_size);
         assert(*vaddr == enclave_end - sz);
 
-        oe_sha256_context_t hctx;
-        OE_SHA256 eeid_hash;
-        oe_sha256_init(&hctx);
-        oe_sha256_update(&hctx, id, id_size);
-        oe_sha256_update(&hctx, sigstruct->enclavehash, OE_SHA256_SIZE);
-        oe_sha256_update(&hctx, sigstruct->signature, OE_KEY_SIZE);
-        oe_sha256_final(&hctx, &eeid_hash);
-
         oe_eeid_t* eeid = (oe_eeid_t*)calloc(1, sz);
-        memcpy(eeid->data, id, id_size);
+        eeid->sigstruct = *sigstruct;
         eeid->data_size = id_size;
-        memcpy(eeid->mrenclave, sigstruct->enclavehash, OE_SHA256_SIZE);
-        memcpy(eeid->signature, sigstruct->signature, OE_KEY_SIZE);
-        memcpy(eeid->hash, eeid_hash.buf, sizeof(eeid_hash));
+        memcpy(eeid->data, id, id_size);
+
+        oe_sha256_save(
+            &context->hash_context, eeid->hash_state_H, eeid->hash_state_N);
 
         OE_CHECK(_add_extra_data_pages(
             context,
@@ -670,6 +668,9 @@ static oe_result_t _add_eeid_pages(
             OE_DEBUG_SIGN_KEY_SIZE,
             sigstruct));
 
+        // oe_hex_string(str, OE_SHA256_SIZE * 2 + 1, sigstruct->enclavehash,
+        // OE_SHA256_SIZE); OE_TRACE_INFO("*** NEW: %s\n", str);
+
         assert(*vaddr == enclave_end);
     }
 
diff --git a/include/openenclave/internal/crypto/sha.h b/include/openenclave/internal/crypto/sha.h
index 796b091c47..defb59639e 100644
--- a/include/openenclave/internal/crypto/sha.h
+++ b/include/openenclave/internal/crypto/sha.h
@@ -66,6 +66,16 @@ oe_result_t oe_sha256_update(
  */
 oe_result_t oe_sha256_final(oe_sha256_context_t* context, OE_SHA256* sha256);
 
+oe_result_t oe_sha256_save(
+    const oe_sha256_context_t* context,
+    uint32_t* H,
+    uint32_t* N);
+
+oe_result_t oe_sha256_restore(
+    oe_sha256_context_t* context,
+    const uint32_t* H,
+    const uint32_t* N);
+
 OE_EXTERNC_END
 
 #endif /* _OE_SHA_H */
diff --git a/include/openenclave/internal/sgxtypes.h b/include/openenclave/internal/sgxtypes.h
index 04c315914c..ae0ddb823b 100644
--- a/include/openenclave/internal/sgxtypes.h
+++ b/include/openenclave/internal/sgxtypes.h
@@ -1170,11 +1170,11 @@ typedef struct _sgx_key
 */
 typedef struct oe_eeid_t_
 {
-    uint8_t mrenclave[OE_SHA256_SIZE]; /* normal/non-extended mrenclave */
-    uint8_t signature[OE_KEY_SIZE];    /* signature over normal mrenclave */
-    uint8_t hash[OE_SHA256_SIZE];      /* sha256(eeid, signature) */
-    uint64_t data_size;                /* size of initialization data */
-    uint8_t data[];                    /* actual initialization data */
+    uint32_t hash_state_H[8];
+    uint32_t hash_state_N[2];
+    sgx_sigstruct_t sigstruct; /* complete sigstruct before eeid */
+    uint64_t data_size;        /* size of initialization data */
+    uint8_t data[];            /* actual initialization data */
 } oe_eeid_t;
 
 OE_EXTERNC_END

From 35aa00df09ab7d47b8e598aaf1fdfe9d196d8138 Mon Sep 17 00:00:00 2001
From: "Christoph M. Wintersteiger" <cwinter@microsoft.com>
Date: Fri, 31 Jan 2020 17:25:29 +0000
Subject: [PATCH 413/420] EEID improvements and partial report verification.

Signed-off-by: Christoph M. Wintersteiger <cwinter@microsoft.com>
---
 common/sgx/verify_eeid.c                      | 116 ++++++++++++++++++
 common/sgx/verify_eeid.h                      |  16 +++
 enclave/CMakeLists.txt                        |   1 +
 enclave/core/sgx/calls.c                      |  26 ++--
 enclave/crypto/sha.c                          |   4 +-
 enclave/sgx/report.c                          |  13 ++
 host/CMakeLists.txt                           |   1 +
 host/sgx/create.c                             |  80 ++++++------
 host/sgx/report.c                             |  16 +++
 include/openenclave/bits/types.h              |  17 +++
 include/openenclave/enclave.h                 |   7 ++
 include/openenclave/host.h                    |  14 ++-
 include/openenclave/internal/sgxcreate.h      |   5 +-
 include/openenclave/internal/sgxtypes.h       |  16 ---
 samples/remote_attestation_eeid/host/host.cpp |  19 ++-
 tests/report/common/tests.cpp                 |  27 ++--
 tests/report/common/tests.h                   |   4 +-
 tests/report/enc/enc.cpp                      |   8 +-
 tests/report/host/host.cpp                    |  26 ++--
 tests/report/tests.edl                        |   7 +-
 tools/oeedger8r/src/Headers.ml                |   4 +-
 tools/oeedger8r/src/Sources.ml                |   4 +-
 tools/oesign/main.c                           |   2 +-
 23 files changed, 307 insertions(+), 126 deletions(-)
 create mode 100644 common/sgx/verify_eeid.c
 create mode 100644 common/sgx/verify_eeid.h

diff --git a/common/sgx/verify_eeid.c b/common/sgx/verify_eeid.c
new file mode 100644
index 0000000000..ac729b963b
--- /dev/null
+++ b/common/sgx/verify_eeid.c
@@ -0,0 +1,116 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <openenclave/bits/report.h>
+#include <openenclave/bits/types.h>
+#include <openenclave/internal/defs.h>
+#include <openenclave/internal/hexdump.h>
+#include <openenclave/internal/raise.h>
+#include <openenclave/internal/sgxtypes.h>
+#include <openenclave/internal/utils.h>
+
+#include "../../host/sgx/sgxmeasure.h"
+
+#ifdef OE_BUILD_ENCLAVE
+#include <openenclave/enclave.h>
+#else
+#include <openenclave/host.h>
+#endif
+
+#include "verify_eeid.h"
+
+oe_result_t verify_eeid(
+    const uint8_t* report,
+    size_t report_size,
+    oe_report_t* parsed_report,
+    const oe_eeid_t* eeid)
+{
+    oe_result_t result = OE_UNEXPECTED;
+
+    if (!eeid)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    // Recompute extended mrenclave
+    oe_sha256_context_t hctx;
+    oe_sha256_restore(&hctx, eeid->hash_state_H, eeid->hash_state_N);
+
+    size_t eeid_sz =
+        oe_round_up_to_page_size(sizeof(oe_eeid_t) + eeid->data_size);
+    size_t num_pages = eeid_sz / OE_PAGE_SIZE;
+    oe_page_t* pages = (oe_page_t*)eeid;
+    uint64_t enclave_base = 0x0ab0c0d0e0f;
+    uint64_t addr = enclave_base + eeid->data_vaddr;
+
+    for (size_t i = 0; i < num_pages; i++)
+    {
+        OE_CHECK(oe_sgx_measure_load_enclave_data(
+            &hctx,
+            (uint64_t)enclave_base,
+            addr,
+            (uint64_t)&pages[i],
+            SGX_SECINFO_REG | SGX_SECINFO_R,
+            true));
+
+        addr += sizeof(oe_page_t);
+    }
+
+    OE_SHA256 cpt_mrenclave;
+    oe_sha256_final(&hctx, &cpt_mrenclave);
+
+    // Extract reported mrenclave
+    oe_report_t* treport = parsed_report;
+    OE_SHA256 reported_mrenclave;
+    uint8_t reported_mrsigner[OE_SIGNER_ID_SIZE];
+
+    if (parsed_report == NULL)
+    {
+        treport = calloc(1, sizeof(oe_report_t));
+        OE_CHECK(oe_parse_report(report, report_size, treport));
+    }
+
+    memcpy(reported_mrenclave.buf, treport->identity.unique_id, OE_SHA256_SIZE);
+    memcpy(reported_mrsigner, treport->identity.signer_id, OE_SIGNER_ID_SIZE);
+
+    if (parsed_report == NULL)
+        free(treport);
+
+    // char str[OE_SHA256_SIZE * 2 + 1];
+    // oe_hex_string(str, OE_SHA256_SIZE * 2 + 1, cpt_mrenclave.buf,
+    // OE_SHA256_SIZE); OE_TRACE_INFO("*** CPT: %s\n", str); oe_hex_string(str,
+    // OE_SHA256_SIZE * 2 + 1, reported_mrenclave.buf, OE_SHA256_SIZE);
+    // OE_TRACE_INFO("*** REP: %s\n", str);
+
+    // Check recomputed mrenclave against reported mrenclave
+    if (memcmp(cpt_mrenclave.buf, reported_mrenclave.buf, OE_SHA256_SIZE) != 0)
+        OE_RAISE(OE_VERIFY_FAILED);
+
+    static const uint8_t debug_public_key[] = {
+        0xca, 0x9a, 0xd7, 0x33, 0x14, 0x48, 0x98, 0x0a, 0xa2, 0x88, 0x90,
+        0xce, 0x73, 0xe4, 0x33, 0x63, 0x83, 0x77, 0xf1, 0x79, 0xab, 0x44,
+        0x56, 0xb2, 0xfe, 0x23, 0x71, 0x93, 0x19, 0x3a, 0x8d, 0xa};
+
+    if (memcmp(debug_public_key, reported_mrsigner, OE_SIGNER_ID_SIZE) != 0)
+        OE_RAISE(OE_VERIFY_FAILED);
+
+    // Check old signature (new signature has been checked above)
+    const sgx_sigstruct_t* ss = (const sgx_sigstruct_t*)&eeid->sigstruct;
+
+    uint8_t zero[OE_KEY_SIZE];
+    memset(zero, 0, OE_KEY_SIZE);
+
+    if (memcmp(ss->signature, zero, OE_KEY_SIZE) == 0) // Unsigned image is ok?
+        return OE_OK;
+    else
+    {
+        // TODO: Need to find mrsigner of old image somehow in order to check
+        // the signature.
+        OE_RAISE(OE_VERIFY_FAILED);
+    }
+
+done:
+
+    return result;
+}
diff --git a/common/sgx/verify_eeid.h b/common/sgx/verify_eeid.h
new file mode 100644
index 0000000000..81fb11f0e0
--- /dev/null
+++ b/common/sgx/verify_eeid.h
@@ -0,0 +1,16 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#ifndef _OE_VERIFY_EEID_H
+#define _OE_VERIFY_EEID_H
+
+#include <openenclave/bits/report.h>
+#include <openenclave/bits/types.h>
+
+oe_result_t verify_eeid(
+    const uint8_t* report,
+    size_t report_size,
+    oe_report_t* parsed_report,
+    const oe_eeid_t* eeid);
+
+#endif /* _OE_VERIFY_EEID_H */
diff --git a/enclave/CMakeLists.txt b/enclave/CMakeLists.txt
index 68ad3f203d..99a2b1b024 100644
--- a/enclave/CMakeLists.txt
+++ b/enclave/CMakeLists.txt
@@ -15,6 +15,7 @@ if (OE_SGX)
         ../common/sgx/tcbinfo.c
         ../common/sgx/tlsverifier.c
         ../common/sgx/verifier.c
+        ../common/sgx/verify_eeid.c
         sgx/attester.c
         sgx/qeidinfo.c
         sgx/report.c
diff --git a/enclave/core/sgx/calls.c b/enclave/core/sgx/calls.c
index c501da2e8b..abefcaf072 100644
--- a/enclave/core/sgx/calls.c
+++ b/enclave/core/sgx/calls.c
@@ -19,6 +19,7 @@
 #include <openenclave/internal/sgxtypes.h>
 #include <openenclave/internal/thread.h>
 #include <openenclave/internal/trace.h>
+#include <openenclave/internal/types.h>
 #include <openenclave/internal/utils.h>
 #include "../../../host/sgx/sgxmeasure.h"
 #include "../../sgx/report.h"
@@ -133,21 +134,22 @@ static oe_result_t _oe_check_eeid()
     oe_result_t result = OE_OK;
 
     const oe_eeid_t* eeid = (const oe_eeid_t*)__oe_get_eeid_base();
+    const void* enclave_base = __oe_get_enclave_base();
 
-    if (eeid != __oe_get_enclave_base())
+    if (eeid != enclave_base)
     {
         oe_sha256_context_t hctx;
         oe_sha256_restore(&hctx, eeid->hash_state_H, eeid->hash_state_N);
 
-        size_t num_pages =
-            oe_round_up_to_page_size(__oe_get_eeid_size()) / OE_PAGE_SIZE;
-        oe_page_t* pages = (oe_page_t*)__oe_get_eeid_base();
-        uint64_t addr = (uint64_t)__oe_get_eeid_base();
+        size_t eeid_sz = __oe_get_eeid_size();
+        size_t num_pages = oe_round_up_to_page_size(eeid_sz) / OE_PAGE_SIZE;
+        oe_page_t* pages = (oe_page_t*)eeid;
+        uint64_t addr = (uint64_t)eeid;
         for (size_t i = 0; i < num_pages; i++)
         {
             OE_CHECK(oe_sgx_measure_load_enclave_data(
                 &hctx,
-                (uint64_t)__oe_get_enclave_base(),
+                (uint64_t)enclave_base,
                 addr,
                 (uint64_t)&pages[i],
                 SGX_SECINFO_REG | SGX_SECINFO_R,
@@ -156,8 +158,8 @@ static oe_result_t _oe_check_eeid()
             addr += sizeof(oe_page_t);
         }
 
-        OE_SHA256 th;
-        oe_sha256_final(&hctx, &th);
+        OE_SHA256 ext_mrenclave;
+        oe_sha256_final(&hctx, &ext_mrenclave);
 
         // char str_old[OE_SHA256_SIZE * 2 + 1], str_new[OE_SHA256_SIZE * 2 +
         // 1]; oe_hex_string(str_old, OE_SHA256_SIZE * 2 + 1,
@@ -165,8 +167,12 @@ static oe_result_t _oe_check_eeid()
         // OLD: %s\n", str_old); oe_hex_string(str_new, OE_SHA256_SIZE * 2 + 1,
         // th.buf, OE_SHA256_SIZE); oe_host_printf(" | *** NEW: %s\n", str_new);
 
-        if (false) // Figure out how to get the enclave hash from inside the
-                   // enclave?
+        sgx_report_t sgx_report;
+        OE_CHECK(sgx_create_report(NULL, 0, NULL, 0, &sgx_report));
+
+        if (memcmp(
+                ext_mrenclave.buf, sgx_report.body.mrenclave, OE_SHA256_SIZE) !=
+            0)
             OE_RAISE(OE_VERIFY_FAILED);
     }
 
diff --git a/enclave/crypto/sha.c b/enclave/crypto/sha.c
index 1f57cb0148..b70ef97de4 100644
--- a/enclave/crypto/sha.c
+++ b/enclave/crypto/sha.c
@@ -93,8 +93,8 @@ oe_result_t oe_sha256_save(
     for (size_t i = 0; i < 8; i++)
         H[i] = impl->ctx.state[i];
 
-    N[0] = impl->ctx.total[0] << 3;
-    N[1] = (impl->ctx.total[1] << 3) + (impl->ctx.total[0] >> 29);
+    N[0] = impl->ctx.total[0] * 8;
+    N[1] = (impl->ctx.total[1] * 8) + (impl->ctx.total[0] >> 29);
 
 done:
     return result;
diff --git a/enclave/sgx/report.c b/enclave/sgx/report.c
index a77c3f1f12..3280d6fdc6 100644
--- a/enclave/sgx/report.c
+++ b/enclave/sgx/report.c
@@ -14,6 +14,7 @@
 #include <openenclave/internal/utils.h>
 #include <stdlib.h>
 #include "../common/sgx/quote.h"
+#include "../common/sgx/verify_eeid.h"
 #include "sgx_t.h"
 
 OE_STATIC_ASSERT(OE_REPORT_DATA_SIZE == sizeof(sgx_report_data_t));
@@ -49,6 +50,15 @@ oe_result_t oe_verify_report(
     const uint8_t* report,
     size_t report_size,
     oe_report_t* parsed_report)
+{
+    return oe_verify_report_eeid(report, report_size, parsed_report, NULL);
+}
+
+oe_result_t oe_verify_report_eeid(
+    const uint8_t* report,
+    size_t report_size,
+    oe_report_t* parsed_report,
+    oe_eeid_t* eeid)
 {
     oe_result_t result = OE_UNEXPECTED;
     oe_report_t oe_report = {0};
@@ -98,6 +108,9 @@ oe_result_t oe_verify_report(
     if (parsed_report != NULL)
         *parsed_report = oe_report;
 
+    if (eeid)
+        verify_eeid(report, report_size, parsed_report, eeid);
+
     result = OE_OK;
 
 done:
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index 06b17e63b4..b5af23daaf 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -145,6 +145,7 @@ if (OE_SGX)
     ../common/sgx/tcbinfo.c
     ../common/sgx/tlsverifier.c
     ../common/sgx/verifier.c
+    ../common/sgx/verify_eeid.c
     sgx/hostverify_report.c
     sgx/sgxquoteprovider.c)
 
diff --git a/host/sgx/create.c b/host/sgx/create.c
index c051f9f8ec..7e0f4da5b5 100644
--- a/host/sgx/create.c
+++ b/host/sgx/create.c
@@ -585,33 +585,38 @@ static oe_result_t _add_extra_data_pages(
     return result;
 }
 
-static uint64_t eeid_pages_size(uint64_t id_size)
+static uint64_t eeid_pages_size(const oe_eeid_t* eeid)
 {
-    return oe_round_up_to_page_size(
-        sizeof(oe_eeid_t) + id_size * sizeof(uint8_t));
+    if (!eeid || eeid->data_size == 0)
+        return 0;
+    else
+        return oe_round_up_to_page_size(sizeof(oe_eeid_t) + eeid->data_size);
 }
 
 static oe_result_t _patch_eeid_symbols(
     oe_enclave_image_t* oeimage,
     uint64_t enclave_end,
-    const size_t id_size)
+    const oe_eeid_t* eeid)
 {
     elf64_sym_t sym_rva = {0}, sym_sz = {0};
 
-    const elf64_t* eimg = &oeimage->u.elf.elf;
-    if (elf64_find_symbol_by_name(eimg, "_eeid_rva", &sym_rva) == 0)
-    {
-        uint64_t pgsz = eeid_pages_size(id_size);
-        uint64_t* sym_rva_addr = NULL;
-        sym_rva_addr = (uint64_t*)(oeimage->image_base + sym_rva.st_value);
-        *sym_rva_addr = id_size == 0 ? 0 : enclave_end - pgsz;
-    }
-    if (elf64_find_symbol_by_name(eimg, "_eeid_size", &sym_sz) == 0)
+    if (eeid && eeid->data_size > 0)
     {
-        uint64_t* sym_sz_addr = NULL;
-        sym_sz_addr = (uint64_t*)(oeimage->image_base + sym_sz.st_value);
-        *sym_sz_addr =
-            id_size == 0 ? 0 : sizeof(oe_eeid_t) + id_size * sizeof(uint8_t);
+        const elf64_t* eimg = &oeimage->u.elf.elf;
+        if (elf64_find_symbol_by_name(eimg, "_eeid_rva", &sym_rva) == 0)
+        {
+            uint64_t pgsz = eeid_pages_size(eeid);
+            uint64_t* sym_rva_addr = NULL;
+            sym_rva_addr = (uint64_t*)(oeimage->image_base + sym_rva.st_value);
+            *sym_rva_addr = eeid->data_size == 0 ? 0 : enclave_end - pgsz;
+        }
+        if (elf64_find_symbol_by_name(eimg, "_eeid_size", &sym_sz) == 0)
+        {
+            uint64_t* sym_sz_addr = NULL;
+            sym_sz_addr = (uint64_t*)(oeimage->image_base + sym_sz.st_value);
+            *sym_sz_addr =
+                eeid->data_size == 0 ? 0 : sizeof(oe_eeid_t) + eeid->data_size;
+        }
     }
 
     return OE_OK;
@@ -623,30 +628,25 @@ static oe_result_t _add_eeid_pages(
     uint64_t enclave_end,
     const oe_sgx_enclave_properties_t* properties,
     uint64_t* vaddr,
-    uint8_t* id,
-    uint32_t id_size)
+    oe_eeid_t* eeid)
 {
     oe_result_t result = OE_OK;
 
-    if (id_size > 0 && id != NULL)
+    if (eeid && eeid->data_size > 0)
     {
+        oe_sha256_context_t* hctx = &context->hash_context;
         sgx_sigstruct_t* sigstruct = (sgx_sigstruct_t*)properties->sigstruct;
+        memcpy(eeid->sigstruct, (uint8_t*)sigstruct, sizeof(sgx_sigstruct_t));
+        oe_sha256_save(hctx, eeid->hash_state_H, eeid->hash_state_N);
+        eeid->data_vaddr = *vaddr;
 
         // char str[OE_SHA256_SIZE * 2 + 1];
         // oe_hex_string(str, OE_SHA256_SIZE * 2 + 1, sigstruct->enclavehash,
         // OE_SHA256_SIZE); OE_TRACE_INFO("*** OLD: %s\n", str);
 
-        uint64_t sz = eeid_pages_size(id_size);
+        uint64_t sz = eeid_pages_size(eeid);
         assert(*vaddr == enclave_end - sz);
 
-        oe_eeid_t* eeid = (oe_eeid_t*)calloc(1, sz);
-        eeid->sigstruct = *sigstruct;
-        eeid->data_size = id_size;
-        memcpy(eeid->data, id, id_size);
-
-        oe_sha256_save(
-            &context->hash_context, eeid->hash_state_H, eeid->hash_state_N);
-
         OE_CHECK(_add_extra_data_pages(
             context,
             enclave->addr,
@@ -654,10 +654,8 @@ static oe_result_t _add_eeid_pages(
             sz / OE_PAGE_SIZE,
             vaddr));
 
-        free(eeid);
-
         OE_SHA256 ext_mrenclave;
-        oe_sha256_final(&context->hash_context, &ext_mrenclave);
+        oe_sha256_final(hctx, &ext_mrenclave);
 
         OE_CHECK(oe_sgx_sign_enclave(
             &ext_mrenclave,
@@ -682,8 +680,7 @@ oe_result_t oe_sgx_build_enclave(
     oe_sgx_load_context_t* context,
     const char* path,
     const oe_sgx_enclave_properties_t* properties,
-    uint8_t* eeid,
-    uint32_t eeid_size,
+    oe_eeid_t* eeid,
     oe_enclave_t* enclave)
 {
     oe_result_t result = OE_UNEXPECTED;
@@ -769,7 +766,7 @@ oe_result_t oe_sgx_build_enclave(
     OE_CHECK(oeimage.calculate_size(&oeimage, &image_size));
 
     /* Add (optional) user data pages size */
-    image_size += eeid_pages_size(eeid_size);
+    image_size += eeid_pages_size(eeid);
 
     /* Calculate the size of this enclave in memory */
     OE_CHECK(_calculate_enclave_size(
@@ -787,7 +784,7 @@ oe_result_t oe_sgx_build_enclave(
     OE_CHECK(oeimage.patch(&oeimage, enclave_end));
 
     /* Patch user data */
-    OE_CHECK(_patch_eeid_symbols(&oeimage, enclave_end, eeid_size));
+    OE_CHECK(_patch_eeid_symbols(&oeimage, enclave_end, eeid));
 
     /* Add image to enclave */
     OE_CHECK(oeimage.add_pages(&oeimage, context, enclave, &vaddr));
@@ -797,8 +794,8 @@ oe_result_t oe_sgx_build_enclave(
         _add_data_pages(context, enclave, &props, oeimage.entry_rva, &vaddr));
 
     /* Add user data for extended attestation */
-    OE_CHECK(_add_eeid_pages(
-        context, enclave, enclave_end, &props, &vaddr, eeid, eeid_size));
+    OE_CHECK(
+        _add_eeid_pages(context, enclave, enclave_end, &props, &vaddr, eeid));
 
     /* Ask the platform to initialize the enclave and finalize the hash */
     OE_CHECK(oe_sgx_initialize_enclave(
@@ -860,7 +857,6 @@ oe_result_t oe_create_enclave(
         ocall_table,
         ocall_count,
         NULL,
-        0,
         enclave_out);
 }
 
@@ -872,8 +868,7 @@ oe_result_t oe_create_enclave_eeid(
     uint32_t setting_count,
     const oe_ocall_func_t* ocall_table,
     uint32_t ocall_count,
-    uint8_t* eeid,
-    uint32_t eeid_size,
+    oe_eeid_t* eeid,
     oe_enclave_t** enclave_out)
 {
     oe_result_t result = OE_UNEXPECTED;
@@ -930,8 +925,7 @@ oe_result_t oe_create_enclave_eeid(
         &context, OE_SGX_LOAD_TYPE_CREATE, flags));
 
     /* Build the enclave */
-    OE_CHECK(oe_sgx_build_enclave(
-        &context, enclave_path, NULL, eeid, eeid_size, enclave));
+    OE_CHECK(oe_sgx_build_enclave(&context, enclave_path, NULL, eeid, enclave));
 
     /* Push the new created enclave to the global list. */
     if (oe_push_enclave_instance(enclave) != 0)
diff --git a/host/sgx/report.c b/host/sgx/report.c
index fabd00486a..a943dfafcf 100644
--- a/host/sgx/report.c
+++ b/host/sgx/report.c
@@ -15,6 +15,8 @@
 #include "sgx_u.h"
 #include "tee_u.h"
 
+#include "../common/sgx/verify_eeid.h"
+
 #include "sgxquoteprovider.h"
 
 OE_STATIC_ASSERT(OE_REPORT_DATA_SIZE == sizeof(sgx_report_data_t));
@@ -271,6 +273,17 @@ oe_result_t oe_verify_report(
     const uint8_t* report,
     size_t report_size,
     oe_report_t* parsed_report)
+{
+    return oe_verify_report_eeid(
+        enclave, report, report_size, parsed_report, NULL);
+}
+
+oe_result_t oe_verify_report_eeid(
+    oe_enclave_t* enclave,
+    const uint8_t* report,
+    size_t report_size,
+    oe_report_t* parsed_report,
+    oe_eeid_t* eeid)
 {
     oe_result_t result = OE_UNEXPECTED;
     oe_report_t oe_report = {0};
@@ -316,6 +329,9 @@ oe_result_t oe_verify_report(
     if (parsed_report != NULL)
         OE_CHECK(oe_parse_report(report, report_size, parsed_report));
 
+    if (eeid)
+        verify_eeid(report, report_size, parsed_report, eeid);
+
     result = OE_OK;
 done:
     return result;
diff --git a/include/openenclave/bits/types.h b/include/openenclave/bits/types.h
index c807c56841..c18b9fd6f4 100644
--- a/include/openenclave/bits/types.h
+++ b/include/openenclave/bits/types.h
@@ -237,4 +237,21 @@ typedef struct _oe_datetime
     uint32_t seconds; /* range: 0-59 */
 } oe_datetime_t;
 
+/*
+**==============================================================================
+**
+** oe_eeid_t
+**
+**==============================================================================
+*/
+typedef struct oe_eeid_t_
+{
+    uint32_t hash_state_H[8];
+    uint32_t hash_state_N[2];
+    uint8_t sigstruct[1808]; /* complete sigstruct before eeid */
+    uint64_t data_size;      /* size of initialization data */
+    uint64_t data_vaddr;     /* location of initialization data */
+    uint8_t data[];          /* actual initialization data */
+} oe_eeid_t;
+
 #endif /* _OE_BITS_TYPES_H */
diff --git a/include/openenclave/enclave.h b/include/openenclave/enclave.h
index 8a3543cf9f..4e6272e5e5 100644
--- a/include/openenclave/enclave.h
+++ b/include/openenclave/enclave.h
@@ -385,6 +385,13 @@ oe_result_t oe_verify_report(
     size_t report_size,
     oe_report_t* parsed_report);
 
+struct oe_eeid_t_;
+oe_result_t oe_verify_report_eeid(
+    const uint8_t* report,
+    size_t report_size,
+    oe_report_t* parsed_report,
+    struct oe_eeid_t_* eeid);
+
 #if (OE_API_VERSION < 2)
 #error "Only OE_API_VERSION of 2 is supported"
 #else
diff --git a/include/openenclave/host.h b/include/openenclave/host.h
index 2ab9e3de04..7f62c4ce49 100644
--- a/include/openenclave/host.h
+++ b/include/openenclave/host.h
@@ -188,13 +188,12 @@ oe_result_t oe_create_enclave(
  *
  * @param eeid Optional user data for attestation.
  *
- * @param eeid_size Size of the user data.
- *
  * @param enclave This points to the enclave instance upon success.
  *
  * @returns Returns OE_OK on success.
  *
  */
+struct oe_eeid_t_;
 oe_result_t oe_create_enclave_eeid(
     const char* path,
     oe_enclave_type_t type,
@@ -203,8 +202,7 @@ oe_result_t oe_create_enclave_eeid(
     uint32_t setting_count,
     const oe_ocall_func_t* ocall_table,
     uint32_t ocall_count,
-    uint8_t* eeid,
-    uint32_t eeid_size,
+    struct oe_eeid_t_* eeid,
     oe_enclave_t** enclave);
 
 /**
@@ -346,6 +344,14 @@ oe_result_t oe_verify_report(
     size_t report_size,
     oe_report_t* parsed_report);
 
+struct oe_eeid_t_;
+oe_result_t oe_verify_report_eeid(
+    oe_enclave_t* enclave,
+    const uint8_t* report,
+    size_t report_size,
+    oe_report_t* parsed_report,
+    struct oe_eeid_t_* eeid);
+
 /**
  * Returns a public key that is associated with the identity of the enclave
  * and the specified policy.
diff --git a/include/openenclave/internal/sgxcreate.h b/include/openenclave/internal/sgxcreate.h
index c9287e8452..96360a7c32 100644
--- a/include/openenclave/internal/sgxcreate.h
+++ b/include/openenclave/internal/sgxcreate.h
@@ -5,9 +5,11 @@
 #define _OE_SGXCREATE_H
 
 #include <openenclave/bits/result.h>
+#include <openenclave/internal/types.h>
 #include "crypto/sha.h"
 #include "load.h"
 #include "sgxtypes.h"
+#include "types.h"
 
 OE_EXTERNC_BEGIN
 
@@ -75,8 +77,7 @@ oe_result_t oe_sgx_build_enclave(
     oe_sgx_load_context_t* context,
     const char* path,
     const oe_sgx_enclave_properties_t* properties,
-    uint8_t* user_data,
-    uint32_t user_data_size,
+    oe_eeid_t* eeid,
     oe_enclave_t* enclave);
 
 /**
diff --git a/include/openenclave/internal/sgxtypes.h b/include/openenclave/internal/sgxtypes.h
index ae0ddb823b..798bf6f7af 100644
--- a/include/openenclave/internal/sgxtypes.h
+++ b/include/openenclave/internal/sgxtypes.h
@@ -1161,22 +1161,6 @@ typedef struct _sgx_key
 #define OE_SEALKEY_DEFAULT_MISCMASK (~SGX_MISC_NON_SECURITY_BITS)
 #define OE_SEALKEY_DEFAULT_XFRMMASK (0X0ULL)
 
-/*
-**==============================================================================
-**
-** oe_eeid_t
-**
-**==============================================================================
-*/
-typedef struct oe_eeid_t_
-{
-    uint32_t hash_state_H[8];
-    uint32_t hash_state_N[2];
-    sgx_sigstruct_t sigstruct; /* complete sigstruct before eeid */
-    uint64_t data_size;        /* size of initialization data */
-    uint8_t data[];            /* actual initialization data */
-} oe_eeid_t;
-
 OE_EXTERNC_END
 
 #endif /* _OE_SGXTYPES_H */
diff --git a/samples/remote_attestation_eeid/host/host.cpp b/samples/remote_attestation_eeid/host/host.cpp
index 7c1bebdd6e..660273a714 100644
--- a/samples/remote_attestation_eeid/host/host.cpp
+++ b/samples/remote_attestation_eeid/host/host.cpp
@@ -5,10 +5,7 @@
 #include <stdio.h>
 #include "remoteattestation_u.h"
 
-oe_enclave_t* create_enclave(
-    const char* enclave_path,
-    uint8_t* eeid,
-    uint32_t eeid_size)
+oe_enclave_t* create_enclave(const char* enclave_path, struct oe_eeid_t_* eeid)
 {
     oe_enclave_t* enclave = NULL;
 
@@ -20,7 +17,6 @@ oe_enclave_t* create_enclave(
         NULL,
         0,
         eeid,
-        eeid_size,
         &enclave);
 
     if (result != OE_OK)
@@ -56,12 +52,15 @@ int main(int argc, const char* argv[])
     size_t remote_report_size = 0;
 
     uint32_t eeid_size = 512;
-    uint8_t eeid_a[eeid_size], eeid_b[eeid_size];
+    uint64_t sz = sizeof(oe_eeid_t) + eeid_size;
+    oe_eeid_t* eeid_a = (oe_eeid_t*)calloc(1, sz);
+    oe_eeid_t* eeid_b = (oe_eeid_t*)calloc(1, sz);
+    eeid_a->data_size = eeid_b->data_size = eeid_size;
 
     for (size_t i = 0; i < eeid_size; i++)
     {
-        eeid_a[i] = i;
-        eeid_b[i] = eeid_size - i - 1;
+        eeid_a->data[i] = i;
+        eeid_b->data[i] = eeid_size - i - 1;
     }
 
     /* Check argument count */
@@ -72,12 +71,12 @@ int main(int argc, const char* argv[])
     }
 
     printf("Host: Creating two enclaves\n");
-    enclave_a = create_enclave(argv[1], eeid_a, eeid_size);
+    enclave_a = create_enclave(argv[1], eeid_a);
     if (enclave_a == NULL)
     {
         goto exit;
     }
-    enclave_b = create_enclave(argv[2], eeid_b, eeid_size);
+    enclave_b = create_enclave(argv[2], eeid_b);
     if (enclave_b == NULL)
     {
         goto exit;
diff --git a/tests/report/common/tests.cpp b/tests/report/common/tests.cpp
index 50f86ba844..517ee5c5db 100644
--- a/tests/report/common/tests.cpp
+++ b/tests/report/common/tests.cpp
@@ -321,7 +321,7 @@ static oe_result_t oe_get_quote_validity_with_collaterals(
 
 #define GetCollaterals oe_get_collaterals
 
-#define VerifyReport oe_verify_report
+#define VerifyReport oe_verify_report_eeid
 #define VerifyReportWithCollaterals oe_verify_report_with_collaterals
 #define GetQuoteValidityWithCollaterals oe_get_quote_validity_with_collaterals
 
@@ -344,7 +344,8 @@ oe_enclave_t* g_enclave = NULL;
 oe_result_t VerifyReport(
     const uint8_t* report,
     size_t report_size,
-    oe_report_t* parsed_report)
+    oe_report_t* parsed_report,
+    oe_eeid_t* eeid = NULL)
 {
     oe_report_t tmp_report = {0};
     OE_TEST(oe_parse_report(report, report_size, &tmp_report) == OE_OK);
@@ -353,11 +354,13 @@ oe_result_t VerifyReport(
     {
         // Check that remote attestation can be done entirely on the host side.
         // No enclave is passed to oe_verify_report.
-        return oe_verify_report(NULL, report, report_size, parsed_report);
+        return oe_verify_report_eeid(
+            NULL, report, report_size, parsed_report, eeid);
     }
 
     // Local attestation requires enclave.
-    return oe_verify_report(g_enclave, report, report_size, parsed_report);
+    return oe_verify_report_eeid(
+        g_enclave, report, report_size, parsed_report, eeid);
 }
 
 oe_result_t VerifyReportWithCollaterals(
@@ -1133,7 +1136,7 @@ static void GetSGXTargetInfo(sgx_target_info_t* sgx_target_info)
     oe_free_report(report_buffer);
 }
 
-void test_local_verify_report()
+void test_local_verify_report(oe_eeid_t* eeid)
 {
     uint8_t target_info[sizeof(sgx_target_info_t)];
     size_t target_info_size = sizeof(target_info);
@@ -1160,7 +1163,7 @@ void test_local_verify_report()
             target_info_size,
             &report_ptr,
             &report_size) == OE_OK);
-    OE_TEST(VerifyReport(report_ptr, report_size, NULL) == OE_OK);
+    OE_TEST(VerifyReport(report_ptr, report_size, NULL, eeid) == OE_OK);
     oe_free_report(report_ptr);
 
 // 2. Report with full custom report data.
@@ -1174,7 +1177,7 @@ void test_local_verify_report()
             target_info_size,
             &report_ptr,
             &report_size) == OE_OK);
-    OE_TEST(VerifyReport(report_ptr, report_size, NULL) == OE_OK);
+    OE_TEST(VerifyReport(report_ptr, report_size, NULL, eeid) == OE_OK);
     oe_free_report(report_ptr);
 
     // 3. Report with partial custom report data.
@@ -1187,7 +1190,7 @@ void test_local_verify_report()
             target_info_size,
             &report_ptr,
             &report_size) == OE_OK);
-    OE_TEST(VerifyReport(report_ptr, report_size, NULL) == OE_OK);
+    OE_TEST(VerifyReport(report_ptr, report_size, NULL, eeid) == OE_OK);
     oe_free_report(report_ptr);
 #endif
 
@@ -1207,12 +1210,12 @@ void test_local_verify_report()
             &report_ptr,
             &report_size) == OE_OK);
     OE_TEST(
-        VerifyReport(report_ptr, report_size, NULL) ==
+        VerifyReport(report_ptr, report_size, NULL, eeid) ==
         OE_VERIFY_FAILED_AES_CMAC_MISMATCH);
     oe_free_report(report_ptr);
 }
 
-void test_remote_verify_report()
+void test_remote_verify_report(oe_eeid_t* eeid)
 {
     uint8_t* report_ptr;
     size_t report_size;
@@ -1240,7 +1243,7 @@ void test_remote_verify_report()
         OE_TEST(
             GetReport_v2(flags, NULL, 0, NULL, 0, &report_ptr, &report_size) ==
             OE_OK);
-        OE_TEST(VerifyReport(report_ptr, report_size, NULL) == OE_OK);
+        OE_TEST(VerifyReport(report_ptr, report_size, NULL, eeid) == OE_OK);
         oe_free_report(report_ptr);
 
 #if OE_BUILD_ENCLAVE
@@ -1254,7 +1257,7 @@ void test_remote_verify_report()
                 0,
                 &report_ptr,
                 &report_size) == OE_OK);
-        OE_TEST(VerifyReport(report_ptr, report_size, NULL) == OE_OK);
+        OE_TEST(VerifyReport(report_ptr, report_size, NULL, eeid) == OE_OK);
         oe_free_report(report_ptr);
 #endif
     }
diff --git a/tests/report/common/tests.h b/tests/report/common/tests.h
index 85fe45503d..9cb8c22ba3 100644
--- a/tests/report/common/tests.h
+++ b/tests/report/common/tests.h
@@ -23,8 +23,8 @@ extern oe_enclave_t* g_enclave;
 void test_local_report(sgx_target_info_t* target_info);
 void test_remote_report();
 void test_parse_report_negative();
-void test_local_verify_report();
-void test_remote_verify_report();
+void test_local_verify_report(oe_eeid_t* eeid);
+void test_remote_verify_report(oe_eeid_t* eeid);
 void test_verify_report_with_collaterals();
 
 #endif
diff --git a/tests/report/enc/enc.cpp b/tests/report/enc/enc.cpp
index 41579bb25d..eae1706c0b 100644
--- a/tests/report/enc/enc.cpp
+++ b/tests/report/enc/enc.cpp
@@ -122,14 +122,14 @@ void enclave_test_parse_report_negative()
     test_parse_report_negative();
 }
 
-void enclave_test_local_verify_report()
+void enclave_test_local_verify_report(oe_eeid_t* eeid)
 {
-    test_local_verify_report();
+    test_local_verify_report(eeid);
 }
 
-void enclave_test_remote_verify_report()
+void enclave_test_remote_verify_report(oe_eeid_t* eeid)
 {
-    test_remote_verify_report();
+    test_remote_verify_report(eeid);
 }
 
 void enclave_test_verify_report_with_collaterals()
diff --git a/tests/report/host/host.cpp b/tests/report/host/host.cpp
index 15b731ff84..298e950add 100644
--- a/tests/report/host/host.cpp
+++ b/tests/report/host/host.cpp
@@ -13,6 +13,8 @@
 #include "../common/tests.h"
 #include "tests_u.h"
 
+#include "../host/signkey.h"
+
 #ifdef _WIN32
 #include <Shlobj.h>
 #include <Windows.h>
@@ -31,6 +33,8 @@ extern void TestVerifyTCBInfoV2_AdvisoryIDs(
     const char* test_filename);
 extern int FileToBytes(const char* path, std::vector<uint8_t>* output);
 
+oe_eeid_t* eeid = NULL;
+
 void generate_and_save_report(oe_enclave_t* enclave)
 {
 #ifdef OE_LINK_SGX_DCAP_QL
@@ -76,7 +80,6 @@ int main(int argc, const char* argv[])
 {
     oe_result_t result;
     oe_enclave_t* enclave = NULL;
-    std::vector<uint8_t> eeid;
 
     sgx_target_info_t target_info = {{0}};
 
@@ -134,9 +137,11 @@ int main(int argc, const char* argv[])
     }
     else if (argc == 3 && strcmp(argv[2], "--eeid") == 0)
     {
-        eeid.resize(512);
-        for (size_t i = 0; i < 512; i++)
-            eeid[i] = (uint8_t)i;
+        uint64_t sz = oe_round_up_to_page_size(sizeof(oe_eeid_t) + 512);
+        eeid = (oe_eeid_t*)calloc(1, sz);
+        eeid->data_size = 512;
+        for (size_t i = 0; i < eeid->data_size; i++)
+            eeid->data[i] = (uint8_t)i;
     }
 
     /* Check arguments */
@@ -147,7 +152,7 @@ int main(int argc, const char* argv[])
     }
 
     /* Create the enclave */
-    if (!eeid.empty())
+    if (eeid)
     {
         if ((result = oe_create_tests_enclave_eeid(
                  argv[1],
@@ -155,8 +160,7 @@ int main(int argc, const char* argv[])
                  flags,
                  NULL,
                  0,
-                 eeid.data(),
-                 (uint32_t)eeid.size(),
+                 eeid,
                  &enclave)) != OE_OK)
             oe_put_err("oe_create_tests_enclave_eeid(): result=%u", result);
     }
@@ -188,9 +192,9 @@ int main(int argc, const char* argv[])
     test_local_report(&target_info);
     test_remote_report();
     test_parse_report_negative();
-    test_local_verify_report();
+    test_local_verify_report(eeid);
 
-    test_remote_verify_report();
+    test_remote_verify_report(eeid);
 
     test_verify_report_with_collaterals();
 
@@ -205,9 +209,9 @@ int main(int argc, const char* argv[])
 
     OE_TEST(enclave_test_parse_report_negative(enclave) == OE_OK);
 
-    OE_TEST(enclave_test_local_verify_report(enclave) == OE_OK);
+    OE_TEST(enclave_test_local_verify_report(enclave, eeid) == OE_OK);
 
-    OE_TEST(enclave_test_remote_verify_report(enclave) == OE_OK);
+    OE_TEST(enclave_test_remote_verify_report(enclave, eeid) == OE_OK);
 
     OE_TEST(enclave_test_verify_report_with_collaterals(enclave) == OE_OK);
 
diff --git a/tests/report/tests.edl b/tests/report/tests.edl
index 30b0521cb4..ae7a206f2a 100644
--- a/tests/report/tests.edl
+++ b/tests/report/tests.edl
@@ -22,13 +22,12 @@ enclave {
             [in, out]sgx_target_info_t* target_info);
         public void enclave_test_remote_report();
         public void enclave_test_parse_report_negative();
-        public void enclave_test_local_verify_report();
-        public void enclave_test_remote_verify_report();
+        public void enclave_test_local_verify_report([in] oe_eeid_t* eeid);
+        public void enclave_test_remote_verify_report([in] oe_eeid_t* eeid);
         public void enclave_test_verify_report_with_collaterals();
     };
 
     untrusted {
-      
+
     };
 };
-
diff --git a/tools/oeedger8r/src/Headers.ml b/tools/oeedger8r/src/Headers.ml
index 393bf8d70e..31c9bed939 100644
--- a/tools/oeedger8r/src/Headers.ml
+++ b/tools/oeedger8r/src/Headers.ml
@@ -305,14 +305,14 @@ let generate_untrusted (ec : enclave_content) =
     "    uint32_t setting_count,";
     "    oe_enclave_t** enclave);";
     "";
+    "struct oe_eeid_t_;";
     sprintf "oe_result_t oe_create_%s_enclave_eeid(" ec.enclave_name;
     "    const char* path,";
     "    oe_enclave_type_t type,";
     "    uint32_t flags,";
     "    const oe_enclave_setting_t* settings,";
     "    uint32_t setting_count,";
-    "    uint8_t *eeid,";
-    "    uint32_t eeid_size,";
+    "    struct oe_eeid_t_ *eeid,";
     "    oe_enclave_t** enclave);";
     "";
     "/**** ECALL prototypes. ****/";
diff --git a/tools/oeedger8r/src/Sources.ml b/tools/oeedger8r/src/Sources.ml
index 1f349feae9..b9d34e524b 100644
--- a/tools/oeedger8r/src/Sources.ml
+++ b/tools/oeedger8r/src/Sources.ml
@@ -979,8 +979,7 @@ let generate_untrusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
     "    uint32_t flags,";
     "    const oe_enclave_setting_t* settings,";
     "    uint32_t setting_count,";
-    "    uint8_t *eeid,";
-    "    uint32_t eeid_size,";
+    "    struct oe_eeid_t_ *eeid,";
     "    oe_enclave_t** enclave)";
     "{";
     "    return oe_create_enclave_eeid(";
@@ -992,7 +991,6 @@ let generate_untrusted (ec : enclave_content) (ep : Intel.Util.edger8r_params) =
     sprintf "               __%s_ocall_function_table," ec.enclave_name;
     sprintf "               %d," (List.length ec.ufunc_decls);
     "               eeid,";
-    "               eeid_size,";
     "               enclave);";
     "}";
     "";
diff --git a/tools/oesign/main.c b/tools/oesign/main.c
index bc785aa94c..d578900451 100644
--- a/tools/oesign/main.c
+++ b/tools/oesign/main.c
@@ -581,7 +581,7 @@ int oesign(const char* enclave, const char* conffile, const char* keyfile)
 
     /* Build an enclave to obtain the MRENCLAVE measurement */
     if ((result = oe_sgx_build_enclave(
-             &context, enclave, &props, NULL, 0, &enc)) != OE_OK)
+             &context, enclave, &props, NULL, &enc)) != OE_OK)
     {
         Err("oe_sgx_build_enclave(): result=%s (%u)",
             oe_result_str(result),

From 38a37488ee457c56acd486ece5622ce0ee117f28 Mon Sep 17 00:00:00 2001
From: "Christoph M. Wintersteiger" <cwinter@microsoft.com>
Date: Tue, 4 Feb 2020 17:42:00 +0000
Subject: [PATCH 414/420] EEID: Fixes and verification of extended reports

Signed-off-by: Christoph M. Wintersteiger <cwinter@microsoft.com>
---
 common/sgx/verify_eeid.c                      | 186 ++++++++++++++----
 common/sgx/verify_eeid.h                      |   6 +-
 enclave/sgx/report.c                          |   2 +-
 host/sgx/create.c                             |  29 +--
 host/sgx/report.c                             |  11 +-
 .../common/attestation.cpp                    |   7 +-
 .../common/attestation.h                      |   3 +-
 .../common/dispatcher.cpp                     |   5 +-
 .../common/dispatcher.h                       |   3 +-
 .../enclave_a/ecalls.cpp                      |   7 +-
 .../enclave_b/ecalls.cpp                      |   7 +-
 samples/remote_attestation_eeid/host/host.cpp |  16 +-
 .../remoteattestation.edl                     |   4 +-
 13 files changed, 213 insertions(+), 73 deletions(-)

diff --git a/common/sgx/verify_eeid.c b/common/sgx/verify_eeid.c
index ac729b963b..27942c4ace 100644
--- a/common/sgx/verify_eeid.c
+++ b/common/sgx/verify_eeid.c
@@ -5,83 +5,80 @@
 #include <string.h>
 
 #include <openenclave/bits/report.h>
+#include <openenclave/bits/safecrt.h>
 #include <openenclave/bits/types.h>
 #include <openenclave/internal/defs.h>
-#include <openenclave/internal/hexdump.h>
 #include <openenclave/internal/raise.h>
 #include <openenclave/internal/sgxtypes.h>
 #include <openenclave/internal/utils.h>
 
 #include "../../host/sgx/sgxmeasure.h"
+#include "../common/sgx/quote.h"
 
 #ifdef OE_BUILD_ENCLAVE
 #include <openenclave/enclave.h>
+#include "../../enclave/crypto/key.h"
+#include "../../enclave/crypto/rsa.h"
 #else
 #include <openenclave/host.h>
+#include "../../host/crypto/openssl/key.h"
+#include "../../host/crypto/openssl/rsa.h"
+#include "../../host/sgx/sgxquoteprovider.h"
 #endif
 
 #include "verify_eeid.h"
 
-oe_result_t verify_eeid(
-    const uint8_t* report,
-    size_t report_size,
-    oe_report_t* parsed_report,
-    const oe_eeid_t* eeid)
+oe_result_t verify_eeid(oe_report_t* report, const oe_eeid_t* eeid)
 {
     oe_result_t result = OE_UNEXPECTED;
 
-    if (!eeid)
+    if (!eeid || !report)
         OE_RAISE(OE_INVALID_PARAMETER);
 
     // Recompute extended mrenclave
     oe_sha256_context_t hctx;
     oe_sha256_restore(&hctx, eeid->hash_state_H, eeid->hash_state_N);
 
-    size_t eeid_sz =
-        oe_round_up_to_page_size(sizeof(oe_eeid_t) + eeid->data_size);
-    size_t num_pages = eeid_sz / OE_PAGE_SIZE;
+    size_t eeid_sz = sizeof(oe_eeid_t) + eeid->data_size;
+    size_t num_pages = oe_round_up_to_page_size(eeid_sz) / OE_PAGE_SIZE;
     oe_page_t* pages = (oe_page_t*)eeid;
     uint64_t enclave_base = 0x0ab0c0d0e0f;
     uint64_t addr = enclave_base + eeid->data_vaddr;
 
     for (size_t i = 0; i < num_pages; i++)
     {
+        uint8_t* page = (uint8_t*)&pages[i];
+
+        if (i == num_pages - 1 && eeid_sz % OE_PAGE_SIZE != 0)
+        {
+            uint8_t* npage = calloc(1, OE_PAGE_SIZE);
+            memcpy(npage, page, eeid_sz % OE_PAGE_SIZE);
+            page = npage;
+        }
+
         OE_CHECK(oe_sgx_measure_load_enclave_data(
             &hctx,
             (uint64_t)enclave_base,
             addr,
-            (uint64_t)&pages[i],
+            (uint64_t)page,
             SGX_SECINFO_REG | SGX_SECINFO_R,
             true));
 
-        addr += sizeof(oe_page_t);
+        if (i == num_pages - 1 && eeid_sz % OE_PAGE_SIZE != 0)
+            free(page);
+
+        addr += OE_PAGE_SIZE;
     }
 
     OE_SHA256 cpt_mrenclave;
     oe_sha256_final(&hctx, &cpt_mrenclave);
 
     // Extract reported mrenclave
-    oe_report_t* treport = parsed_report;
     OE_SHA256 reported_mrenclave;
     uint8_t reported_mrsigner[OE_SIGNER_ID_SIZE];
 
-    if (parsed_report == NULL)
-    {
-        treport = calloc(1, sizeof(oe_report_t));
-        OE_CHECK(oe_parse_report(report, report_size, treport));
-    }
-
-    memcpy(reported_mrenclave.buf, treport->identity.unique_id, OE_SHA256_SIZE);
-    memcpy(reported_mrsigner, treport->identity.signer_id, OE_SIGNER_ID_SIZE);
-
-    if (parsed_report == NULL)
-        free(treport);
-
-    // char str[OE_SHA256_SIZE * 2 + 1];
-    // oe_hex_string(str, OE_SHA256_SIZE * 2 + 1, cpt_mrenclave.buf,
-    // OE_SHA256_SIZE); OE_TRACE_INFO("*** CPT: %s\n", str); oe_hex_string(str,
-    // OE_SHA256_SIZE * 2 + 1, reported_mrenclave.buf, OE_SHA256_SIZE);
-    // OE_TRACE_INFO("*** REP: %s\n", str);
+    memcpy(reported_mrenclave.buf, report->identity.unique_id, OE_SHA256_SIZE);
+    memcpy(reported_mrsigner, report->identity.signer_id, OE_SIGNER_ID_SIZE);
 
     // Check recomputed mrenclave against reported mrenclave
     if (memcmp(cpt_mrenclave.buf, reported_mrenclave.buf, OE_SHA256_SIZE) != 0)
@@ -96,18 +93,139 @@ oe_result_t verify_eeid(
         OE_RAISE(OE_VERIFY_FAILED);
 
     // Check old signature (new signature has been checked above)
-    const sgx_sigstruct_t* ss = (const sgx_sigstruct_t*)&eeid->sigstruct;
+    const sgx_sigstruct_t* sigstruct = (const sgx_sigstruct_t*)&eeid->sigstruct;
+
+    uint16_t ppid = (uint16_t)(report->identity.product_id[1] << 8) +
+                    (uint16_t)report->identity.product_id[0];
+
+    if (sigstruct->isvprodid != ppid ||
+        sigstruct->isvsvn != report->identity.security_version)
+        // TODO: check attributes?
+        OE_RAISE(OE_VERIFY_FAILED);
 
     uint8_t zero[OE_KEY_SIZE];
     memset(zero, 0, OE_KEY_SIZE);
 
-    if (memcmp(ss->signature, zero, OE_KEY_SIZE) == 0) // Unsigned image is ok?
+    if (sigstruct->type == (1ul << 31) &&
+        memcmp(sigstruct->signature, zero, OE_KEY_SIZE) ==
+            0) // Unsigned debug image is ok?
         return OE_OK;
     else
     {
-        // TODO: Need to find mrsigner of old image somehow in order to check
-        // the signature.
+        // OE_SHA256 mrsigner;
+        // oe_sha256_init(&hctx);
+        // oe_sha256_update(&hctx, sigstruct->modulus, OE_KEY_SIZE);
+        // oe_sha256_final(&hctx, &mrsigner);
+
+        unsigned char buf[sizeof(sgx_sigstruct_t)];
+        size_t n = 0;
+
+        OE_CHECK(oe_memcpy_s(
+            buf,
+            sizeof(buf),
+            sgx_sigstruct_header(sigstruct),
+            sgx_sigstruct_header_size()));
+        n += sgx_sigstruct_header_size();
+        OE_CHECK(oe_memcpy_s(
+            &buf[n],
+            sizeof(buf) - n,
+            sgx_sigstruct_body(sigstruct),
+            sgx_sigstruct_body_size()));
+        n += sgx_sigstruct_body_size();
+
+        OE_SHA256 msg_hsh;
+        oe_sha256_context_t context;
+
+        oe_sha256_init(&context);
+        oe_sha256_update(&context, buf, n);
+        oe_sha256_final(&context, &msg_hsh);
+
+        uint8_t reversed_modulus[OE_KEY_SIZE];
+        for (size_t i = 0; i < OE_KEY_SIZE; i++)
+            reversed_modulus[i] = sigstruct->modulus[OE_KEY_SIZE - 1 - i];
+
+        uint8_t reversed_exponent[OE_KEY_SIZE];
+        for (size_t i = 0; i < OE_EXPONENT_SIZE; i++)
+            reversed_exponent[i] =
+                sigstruct->exponent[OE_EXPONENT_SIZE - 1 - i];
+
+        uint8_t reversed_signature[OE_KEY_SIZE];
+        for (size_t i = 0; i < OE_KEY_SIZE; i++)
+            reversed_signature[i] = sigstruct->signature[OE_KEY_SIZE - 1 - i];
+
+        oe_rsa_public_key_t pk;
+#ifdef OE_BUILD_ENCLAVE
+        mbedtls_pk_context pkctx;
+        mbedtls_pk_init(&pkctx);
+        const mbedtls_pk_info_t* info =
+            mbedtls_pk_info_from_type(MBEDTLS_PK_RSA);
+        mbedtls_pk_setup(&pkctx, info);
+
+        mbedtls_rsa_context* rsa_ctx = mbedtls_pk_rsa(pkctx);
+        mbedtls_rsa_init(rsa_ctx, 0, 0);
+        mbedtls_rsa_import_raw(
+            rsa_ctx,
+            reversed_modulus,
+            OE_KEY_SIZE, // N
+            NULL,
+            0,
+            NULL,
+            0,
+            NULL,
+            0, // P Q D
+            reversed_exponent,
+            OE_EXPONENT_SIZE);
+        int r_key = mbedtls_rsa_check_pubkey(rsa_ctx);
+        if (r_key != 0)
+            OE_RAISE(OE_INVALID_PARAMETER);
+
+        oe_rsa_public_key_init(&pk, &pkctx);
+#else
+        // TODO: load mod/exp into openssl context
         OE_RAISE(OE_VERIFY_FAILED);
+#endif
+
+        OE_CHECK(oe_rsa_public_key_verify(
+            &pk,
+            OE_HASH_TYPE_SHA256,
+            msg_hsh.buf,
+            sizeof(msg_hsh.buf),
+            reversed_signature,
+            OE_KEY_SIZE));
+
+        oe_rsa_public_key_free(&pk);
+
+#ifdef OE_BUILD_ENCLAVE
+        mbedtls_pk_free(&pkctx);
+#endif
+
+        // // Alternative: make up a fake non-extended report?
+        // oe_report_t irep;
+        // irep.size = 0;
+        // irep.type = OE_ENCLAVE_TYPE_SGX;
+        // irep.report_data_size = 0;
+        // irep.enclave_report_size = 0;
+        // irep.report_data = NULL;
+        // irep.enclave_report = NULL;
+
+        // irep.identity.id_version = report->identity.id_version;
+        // irep.identity.security_version = report->identity.security_version;
+        // irep.identity.attributes = report->identity.attributes;
+        // memcpy(irep.identity.unique_id, sigstruct->enclavehash,
+        // OE_UNIQUE_ID_SIZE); memcpy(irep.identity.signer_id, mrsigner.buf,
+        // OE_SIGNER_ID_SIZE); memcpy(irep.identity.product_id,
+        // report->identity.product_id, OE_PRODUCT_ID_SIZE);
+
+        // if (irep.identity.attributes & OE_REPORT_ATTRIBUTES_REMOTE) {
+        //     #ifndef OE_BUILD_ENCLAVE
+        //     OE_CHECK(oe_initialize_quote_provider());
+        //     #endif
+        //     // OE_CHECK(oe_verify_sgx_quote(header->report,
+        //     header->report_size, NULL, 0, NULL));
+        //     // OE_CHECK(oe_verify_quote_with_sgx_endorsements(quote,
+        //     quote_size, NULL, NULL));
+        // } else
+        //     OE_RAISE(OE_INVALID_PARAMETER);
     }
 
 done:
diff --git a/common/sgx/verify_eeid.h b/common/sgx/verify_eeid.h
index 81fb11f0e0..dd3d945ac6 100644
--- a/common/sgx/verify_eeid.h
+++ b/common/sgx/verify_eeid.h
@@ -7,10 +7,6 @@
 #include <openenclave/bits/report.h>
 #include <openenclave/bits/types.h>
 
-oe_result_t verify_eeid(
-    const uint8_t* report,
-    size_t report_size,
-    oe_report_t* parsed_report,
-    const oe_eeid_t* eeid);
+oe_result_t verify_eeid(oe_report_t* report, const oe_eeid_t* eeid);
 
 #endif /* _OE_VERIFY_EEID_H */
diff --git a/enclave/sgx/report.c b/enclave/sgx/report.c
index 3280d6fdc6..3fbaaeb253 100644
--- a/enclave/sgx/report.c
+++ b/enclave/sgx/report.c
@@ -109,7 +109,7 @@ oe_result_t oe_verify_report_eeid(
         *parsed_report = oe_report;
 
     if (eeid)
-        verify_eeid(report, report_size, parsed_report, eeid);
+        verify_eeid(&oe_report, eeid);
 
     result = OE_OK;
 
diff --git a/host/sgx/create.c b/host/sgx/create.c
index 7e0f4da5b5..2a0ca44662 100644
--- a/host/sgx/create.c
+++ b/host/sgx/create.c
@@ -49,7 +49,6 @@ static char* get_fullpath(const char* path)
 #include <openenclave/internal/switchless.h>
 #include <openenclave/internal/trace.h>
 #include <openenclave/internal/utils.h>
-// #include <openenclave/internal/hexdump.h>
 #include <string.h>
 #include "../memalign.h"
 #include "../signkey.h"
@@ -640,19 +639,24 @@ static oe_result_t _add_eeid_pages(
         oe_sha256_save(hctx, eeid->hash_state_H, eeid->hash_state_N);
         eeid->data_vaddr = *vaddr;
 
-        // char str[OE_SHA256_SIZE * 2 + 1];
-        // oe_hex_string(str, OE_SHA256_SIZE * 2 + 1, sigstruct->enclavehash,
-        // OE_SHA256_SIZE); OE_TRACE_INFO("*** OLD: %s\n", str);
+        uint64_t ee_sz = sizeof(oe_eeid_t) + eeid->data_size;
+        uint64_t epg_sz = eeid_pages_size(eeid);
+        uint64_t num_pages = epg_sz / OE_PAGE_SIZE;
+        assert(*vaddr == enclave_end - epg_sz);
 
-        uint64_t sz = eeid_pages_size(eeid);
-        assert(*vaddr == enclave_end - sz);
+        oe_page_t* pages = (oe_page_t*)eeid;
+        if (ee_sz < epg_sz)
+        {
+            oe_page_t* tmp = (oe_page_t*)calloc(1, epg_sz);
+            memcpy(tmp, eeid, ee_sz);
+            pages = tmp;
+        }
 
         OE_CHECK(_add_extra_data_pages(
-            context,
-            enclave->addr,
-            (const oe_page_t*)eeid,
-            sz / OE_PAGE_SIZE,
-            vaddr));
+            context, enclave->addr, pages, num_pages, vaddr));
+
+        if (ee_sz < epg_sz)
+            free(pages);
 
         OE_SHA256 ext_mrenclave;
         oe_sha256_final(hctx, &ext_mrenclave);
@@ -666,9 +670,6 @@ static oe_result_t _add_eeid_pages(
             OE_DEBUG_SIGN_KEY_SIZE,
             sigstruct));
 
-        // oe_hex_string(str, OE_SHA256_SIZE * 2 + 1, sigstruct->enclavehash,
-        // OE_SHA256_SIZE); OE_TRACE_INFO("*** NEW: %s\n", str);
-
         assert(*vaddr == enclave_end);
     }
 
diff --git a/host/sgx/report.c b/host/sgx/report.c
index a943dfafcf..872da7d6b2 100644
--- a/host/sgx/report.c
+++ b/host/sgx/report.c
@@ -330,7 +330,16 @@ oe_result_t oe_verify_report_eeid(
         OE_CHECK(oe_parse_report(report, report_size, parsed_report));
 
     if (eeid)
-        verify_eeid(report, report_size, parsed_report, eeid);
+    {
+        if (!parsed_report)
+        {
+            oe_report_t treport;
+            OE_CHECK(oe_parse_report(report, report_size, &treport));
+            verify_eeid(&treport, eeid);
+        }
+        else
+            verify_eeid(parsed_report, eeid);
+    }
 
     result = OE_OK;
 done:
diff --git a/samples/remote_attestation_eeid/common/attestation.cpp b/samples/remote_attestation_eeid/common/attestation.cpp
index d934b42bc3..5aa11b5f97 100644
--- a/samples/remote_attestation_eeid/common/attestation.cpp
+++ b/samples/remote_attestation_eeid/common/attestation.cpp
@@ -78,7 +78,8 @@ bool Attestation::attest_remote_report(
     const uint8_t* remote_report,
     size_t remote_report_size,
     const uint8_t* data,
-    size_t data_size)
+    size_t data_size,
+    oe_eeid_t* eeid)
 {
     bool ret = false;
     uint8_t sha256[32];
@@ -95,8 +96,8 @@ bool Attestation::attest_remote_report(
 
     // 1)  Validate the report's trustworthiness
     // Verify the remote report to ensure its authenticity.
-    result =
-        oe_verify_report(remote_report, remote_report_size, &parsed_report);
+    result = oe_verify_report_eeid(
+        remote_report, remote_report_size, &parsed_report, eeid);
     if (result != OE_OK)
     {
         TRACE_ENCLAVE("oe_verify_report failed (%s).\n", oe_result_str(result));
diff --git a/samples/remote_attestation_eeid/common/attestation.h b/samples/remote_attestation_eeid/common/attestation.h
index a942acca86..4539b4a2f1 100644
--- a/samples/remote_attestation_eeid/common/attestation.h
+++ b/samples/remote_attestation_eeid/common/attestation.h
@@ -38,7 +38,8 @@ class Attestation
         const uint8_t* remote_report,
         size_t remote_report_size,
         const uint8_t* data,
-        size_t data_size);
+        size_t data_size,
+        oe_eeid_t* eeid);
 };
 
 #endif // OE_SAMPLES_ATTESTATION_ENC_ATTESTATION_H
diff --git a/samples/remote_attestation_eeid/common/dispatcher.cpp b/samples/remote_attestation_eeid/common/dispatcher.cpp
index 165cb9c9ae..a57813a21b 100644
--- a/samples/remote_attestation_eeid/common/dispatcher.cpp
+++ b/samples/remote_attestation_eeid/common/dispatcher.cpp
@@ -175,7 +175,8 @@ int ecall_dispatcher::verify_report_and_set_pubkey(
     uint8_t* pem_key,
     size_t key_size,
     uint8_t* remote_report,
-    size_t remote_report_size)
+    size_t remote_report_size,
+    oe_eeid_t* eeid)
 {
     int ret = 1;
 
@@ -187,7 +188,7 @@ int ecall_dispatcher::verify_report_and_set_pubkey(
 
     // Attest the remote report and accompanying key.
     if (m_attestation->attest_remote_report(
-            remote_report, remote_report_size, pem_key, key_size))
+            remote_report, remote_report_size, pem_key, key_size, eeid))
     {
         memcpy(m_crypto->get_the_other_enclave_public_key(), pem_key, key_size);
     }
diff --git a/samples/remote_attestation_eeid/common/dispatcher.h b/samples/remote_attestation_eeid/common/dispatcher.h
index 8ab7151588..21e2b1e399 100644
--- a/samples/remote_attestation_eeid/common/dispatcher.h
+++ b/samples/remote_attestation_eeid/common/dispatcher.h
@@ -38,7 +38,8 @@ class ecall_dispatcher
         uint8_t* pem_key,
         size_t key_size,
         uint8_t* remote_report,
-        size_t remote_report_size);
+        size_t remote_report_size,
+        oe_eeid_t* eeid);
 
   private:
     bool initialize(const char* name);
diff --git a/samples/remote_attestation_eeid/enclave_a/ecalls.cpp b/samples/remote_attestation_eeid/enclave_a/ecalls.cpp
index e3b953a895..a584010c50 100644
--- a/samples/remote_attestation_eeid/enclave_a/ecalls.cpp
+++ b/samples/remote_attestation_eeid/enclave_a/ecalls.cpp
@@ -50,8 +50,11 @@ int verify_report_and_set_pubkey(
     uint8_t* pem_key,
     size_t key_size,
     uint8_t* remote_report,
-    size_t remote_report_size)
+    size_t remote_report_size,
+    oe_eeid_t* eeid,
+    size_t eeid_byte_size)
 {
+    (void)eeid_byte_size;
     return dispatcher.verify_report_and_set_pubkey(
-        pem_key, key_size, remote_report, remote_report_size);
+        pem_key, key_size, remote_report, remote_report_size, eeid);
 }
diff --git a/samples/remote_attestation_eeid/enclave_b/ecalls.cpp b/samples/remote_attestation_eeid/enclave_b/ecalls.cpp
index 216a44d2d9..d95d6f223c 100644
--- a/samples/remote_attestation_eeid/enclave_b/ecalls.cpp
+++ b/samples/remote_attestation_eeid/enclave_b/ecalls.cpp
@@ -50,8 +50,11 @@ int verify_report_and_set_pubkey(
     uint8_t* pem_key,
     size_t key_size,
     uint8_t* remote_report,
-    size_t remote_report_size)
+    size_t remote_report_size,
+    oe_eeid_t* eeid,
+    size_t eeid_byte_size)
 {
+    (void)eeid_byte_size;
     return dispatcher.verify_report_and_set_pubkey(
-        pem_key, key_size, remote_report, remote_report_size);
+        pem_key, key_size, remote_report, remote_report_size, eeid);
 }
diff --git a/samples/remote_attestation_eeid/host/host.cpp b/samples/remote_attestation_eeid/host/host.cpp
index 660273a714..49c9c49ee6 100644
--- a/samples/remote_attestation_eeid/host/host.cpp
+++ b/samples/remote_attestation_eeid/host/host.cpp
@@ -5,7 +5,7 @@
 #include <stdio.h>
 #include "remoteattestation_u.h"
 
-oe_enclave_t* create_enclave(const char* enclave_path, struct oe_eeid_t_* eeid)
+oe_enclave_t* create_enclave(const char* enclave_path, oe_eeid_t* eeid)
 {
     oe_enclave_t* enclave = NULL;
 
@@ -52,9 +52,9 @@ int main(int argc, const char* argv[])
     size_t remote_report_size = 0;
 
     uint32_t eeid_size = 512;
-    uint64_t sz = sizeof(oe_eeid_t) + eeid_size;
-    oe_eeid_t* eeid_a = (oe_eeid_t*)calloc(1, sz);
-    oe_eeid_t* eeid_b = (oe_eeid_t*)calloc(1, sz);
+    uint64_t eeid_byte_size = sizeof(oe_eeid_t) + eeid_size;
+    oe_eeid_t* eeid_a = (oe_eeid_t*)calloc(1, eeid_byte_size);
+    oe_eeid_t* eeid_b = (oe_eeid_t*)calloc(1, eeid_byte_size);
     eeid_a->data_size = eeid_b->data_size = eeid_size;
 
     for (size_t i = 0; i < eeid_size; i++)
@@ -110,7 +110,9 @@ int main(int argc, const char* argv[])
         pem_key,
         pem_key_size,
         remote_report,
-        remote_report_size);
+        remote_report_size,
+        eeid_a,
+        eeid_byte_size);
     if ((result != OE_OK) || (ret != 0))
     {
         printf(
@@ -154,7 +156,9 @@ int main(int argc, const char* argv[])
         pem_key,
         pem_key_size,
         remote_report,
-        remote_report_size);
+        remote_report_size,
+        eeid_b,
+        eeid_byte_size);
     if ((result != OE_OK) || (ret != 0))
     {
         printf(
diff --git a/samples/remote_attestation_eeid/remoteattestation.edl b/samples/remote_attestation_eeid/remoteattestation.edl
index 213a90eb9c..e1ca27b54b 100644
--- a/samples/remote_attestation_eeid/remoteattestation.edl
+++ b/samples/remote_attestation_eeid/remoteattestation.edl
@@ -16,7 +16,9 @@ enclave {
         public int verify_report_and_set_pubkey(   [in, count=key_size] uint8_t *pem_key,
                                                                   size_t key_size,
                                                [in, count=remote_report_size] uint8_t *remote_report,
-                                               size_t   remote_report_size);
+                                               size_t   remote_report_size,
+                                               [in, size=eeid_byte_size] oe_eeid_t* eeid,
+                                               size_t eeid_byte_size);
     };
 
     //untrusted {

From d1269700b35a7e7a07161d222c3f7541e365fa5b Mon Sep 17 00:00:00 2001
From: "Christoph M. Wintersteiger" <cwinter@microsoft.com>
Date: Wed, 5 Feb 2020 13:10:13 +0000
Subject: [PATCH 415/420] EEID signature verification via openssl

Signed-off-by: Christoph M. Wintersteiger <cwinter@microsoft.com>
---
 common/sgx/verify_eeid.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/common/sgx/verify_eeid.c b/common/sgx/verify_eeid.c
index 27942c4ace..54fbefc192 100644
--- a/common/sgx/verify_eeid.c
+++ b/common/sgx/verify_eeid.c
@@ -21,9 +21,9 @@
 #include "../../enclave/crypto/rsa.h"
 #else
 #include <openenclave/host.h>
+#include <openssl/rsa.h>
 #include "../../host/crypto/openssl/key.h"
 #include "../../host/crypto/openssl/rsa.h"
-#include "../../host/sgx/sgxquoteprovider.h"
 #endif
 
 #include "verify_eeid.h"
@@ -106,9 +106,9 @@ oe_result_t verify_eeid(oe_report_t* report, const oe_eeid_t* eeid)
     uint8_t zero[OE_KEY_SIZE];
     memset(zero, 0, OE_KEY_SIZE);
 
-    if (sigstruct->type == (1ul << 31) &&
+    if ( // sigstruct->type == (1ul << 31) &&
         memcmp(sigstruct->signature, zero, OE_KEY_SIZE) ==
-            0) // Unsigned debug image is ok?
+        0) // Unsigned debug image is ok?
         return OE_OK;
     else
     {
@@ -175,15 +175,18 @@ oe_result_t verify_eeid(oe_report_t* report, const oe_eeid_t* eeid)
             0, // P Q D
             reversed_exponent,
             OE_EXPONENT_SIZE);
-        int r_key = mbedtls_rsa_check_pubkey(rsa_ctx);
-        if (r_key != 0)
+        if (mbedtls_rsa_check_pubkey(rsa_ctx) != 0)
             OE_RAISE(OE_INVALID_PARAMETER);
-
-        oe_rsa_public_key_init(&pk, &pkctx);
+        mbedtls_pk_context* ikey = &pkctx;
 #else
-        // TODO: load mod/exp into openssl context
-        OE_RAISE(OE_VERIFY_FAILED);
+        BIGNUM* rm = BN_bin2bn(reversed_modulus, OE_KEY_SIZE, 0);
+        BIGNUM* re = BN_bin2bn(reversed_exponent, OE_EXPONENT_SIZE, 0);
+        RSA* rsa = RSA_new();
+        RSA_set0_key(rsa, rm, re, NULL);
+        EVP_PKEY* ikey = EVP_PKEY_new();
+        EVP_PKEY_assign_RSA(ikey, rsa);
 #endif
+        oe_rsa_public_key_init(&pk, ikey);
 
         OE_CHECK(oe_rsa_public_key_verify(
             &pk,
@@ -196,7 +199,9 @@ oe_result_t verify_eeid(oe_report_t* report, const oe_eeid_t* eeid)
         oe_rsa_public_key_free(&pk);
 
 #ifdef OE_BUILD_ENCLAVE
-        mbedtls_pk_free(&pkctx);
+        mbedtls_pk_free(ikey);
+#else
+        EVP_PKEY_free(ikey);
 #endif
 
         // // Alternative: make up a fake non-extended report?

From 69a01e8e9d11c6849db5c72258cae36a7a1ac4d4 Mon Sep 17 00:00:00 2001
From: "Christoph M. Wintersteiger" <cwinter@microsoft.com>
Date: Wed, 5 Feb 2020 13:11:04 +0000
Subject: [PATCH 416/420] Reenabled debug check

Signed-off-by: Christoph M. Wintersteiger <cwinter@microsoft.com>
---
 common/sgx/verify_eeid.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/common/sgx/verify_eeid.c b/common/sgx/verify_eeid.c
index 54fbefc192..4aa7a7f5f2 100644
--- a/common/sgx/verify_eeid.c
+++ b/common/sgx/verify_eeid.c
@@ -106,9 +106,9 @@ oe_result_t verify_eeid(oe_report_t* report, const oe_eeid_t* eeid)
     uint8_t zero[OE_KEY_SIZE];
     memset(zero, 0, OE_KEY_SIZE);
 
-    if ( // sigstruct->type == (1ul << 31) &&
+    if (sigstruct->type == (1ul << 31) &&
         memcmp(sigstruct->signature, zero, OE_KEY_SIZE) ==
-        0) // Unsigned debug image is ok?
+            0) // Unsigned debug image is ok?
         return OE_OK;
     else
     {

From c20bc801aea051bde3f7c19af7885c96764f4d59 Mon Sep 17 00:00:00 2001
From: "Christoph M. Wintersteiger" <cwinter@microsoft.com>
Date: Wed, 5 Feb 2020 17:45:27 +0000
Subject: [PATCH 417/420] EEID: resigning with new memory size settings

Signed-off-by: Christoph M. Wintersteiger <cwinter@microsoft.com>
---
 host/sgx/create.c                             | 37 ++++++++++++++++++-
 include/openenclave/bits/properties.h         | 18 +++++++++
 include/openenclave/bits/types.h              | 17 ---------
 .../enclave_a/enc.conf                        |  6 +--
 .../enclave_b/enc.conf                        |  6 +--
 samples/remote_attestation_eeid/host/host.cpp |  6 +++
 6 files changed, 65 insertions(+), 25 deletions(-)

diff --git a/host/sgx/create.c b/host/sgx/create.c
index 2a0ca44662..21afe7eb49 100644
--- a/host/sgx/create.c
+++ b/host/sgx/create.c
@@ -735,6 +735,39 @@ oe_result_t oe_sgx_build_enclave(
         memcpy(&props, oeimage.image_base + oeimage.oeinfo_rva, sizeof(props));
     }
 
+    if (eeid &&
+        (props.header.size_settings.num_heap_pages !=
+             eeid->size_settings.num_heap_pages ||
+         props.header.size_settings.num_stack_pages !=
+             eeid->size_settings.num_stack_pages ||
+         props.header.size_settings.num_tcs != eeid->size_settings.num_tcs))
+    {
+        if (props.header.size_settings.num_heap_pages != 0 ||
+            props.header.size_settings.num_stack_pages != 0 ||
+            props.header.size_settings.num_tcs != 0)
+            OE_RAISE(OE_INVALID_PARAMETER);
+
+        props.header.size_settings.num_heap_pages =
+            eeid->size_settings.num_heap_pages;
+        props.header.size_settings.num_stack_pages =
+            eeid->size_settings.num_stack_pages;
+        props.header.size_settings.num_tcs = eeid->size_settings.num_tcs;
+
+        // patch
+        elf64_sym_t sym_props = {0};
+        const elf64_t* eimg = &oeimage.u.elf.elf;
+        if (elf64_find_symbol_by_name(
+                eimg, "oe_enclave_properties_sgx", &sym_props) == 0)
+        {
+            uint64_t* sym_props_addr = NULL;
+            sym_props_addr =
+                (uint64_t*)(oeimage.image_base + sym_props.st_value);
+            oe_sgx_enclave_properties_t* p =
+                (oe_sgx_enclave_properties_t*)sym_props_addr;
+            p->header.size_settings = props.header.size_settings;
+        }
+    }
+
     /* Validate the enclave prop_override structure */
     OE_CHECK(oe_sgx_validate_enclave_properties(&props, NULL));
 
@@ -784,7 +817,7 @@ oe_result_t oe_sgx_build_enclave(
     /* Patch image */
     OE_CHECK(oeimage.patch(&oeimage, enclave_end));
 
-    /* Patch user data */
+    /* Patch EEID symbols */
     OE_CHECK(_patch_eeid_symbols(&oeimage, enclave_end, eeid));
 
     /* Add image to enclave */
@@ -794,7 +827,7 @@ oe_result_t oe_sgx_build_enclave(
     OE_CHECK(
         _add_data_pages(context, enclave, &props, oeimage.entry_rva, &vaddr));
 
-    /* Add user data for extended attestation */
+    /* Add EEID */
     OE_CHECK(
         _add_eeid_pages(context, enclave, enclave_end, &props, &vaddr, eeid));
 
diff --git a/include/openenclave/bits/properties.h b/include/openenclave/bits/properties.h
index fb4e1841dc..18244bcc71 100644
--- a/include/openenclave/bits/properties.h
+++ b/include/openenclave/bits/properties.h
@@ -86,6 +86,24 @@ oe_result_t __oe_sgx_set_minimum_crl_tcb_issue_date(
     uint32_t minutes,
     uint32_t seconds);
 
+/*
+**==============================================================================
+**
+** oe_eeid_t
+**
+**==============================================================================
+*/
+typedef struct oe_eeid_t_
+{
+    uint32_t hash_state_H[8];
+    uint32_t hash_state_N[2];
+    uint8_t sigstruct[1808]; /* complete sigstruct before eeid */
+    oe_enclave_size_settings_t size_settings; /* new size settings */
+    uint64_t data_size;                       /* size of initialization data */
+    uint64_t data_vaddr; /* location of initialization data */
+    uint8_t data[];      /* actual initialization data */
+} oe_eeid_t;
+
 OE_EXTERNC_END
 
 #endif /* _OE_BITS_PROPERTIES_H */
diff --git a/include/openenclave/bits/types.h b/include/openenclave/bits/types.h
index c18b9fd6f4..c807c56841 100644
--- a/include/openenclave/bits/types.h
+++ b/include/openenclave/bits/types.h
@@ -237,21 +237,4 @@ typedef struct _oe_datetime
     uint32_t seconds; /* range: 0-59 */
 } oe_datetime_t;
 
-/*
-**==============================================================================
-**
-** oe_eeid_t
-**
-**==============================================================================
-*/
-typedef struct oe_eeid_t_
-{
-    uint32_t hash_state_H[8];
-    uint32_t hash_state_N[2];
-    uint8_t sigstruct[1808]; /* complete sigstruct before eeid */
-    uint64_t data_size;      /* size of initialization data */
-    uint64_t data_vaddr;     /* location of initialization data */
-    uint8_t data[];          /* actual initialization data */
-} oe_eeid_t;
-
 #endif /* _OE_BITS_TYPES_H */
diff --git a/samples/remote_attestation_eeid/enclave_a/enc.conf b/samples/remote_attestation_eeid/enclave_a/enc.conf
index c6af0590eb..31dfe3de9e 100644
--- a/samples/remote_attestation_eeid/enclave_a/enc.conf
+++ b/samples/remote_attestation_eeid/enclave_a/enc.conf
@@ -3,8 +3,8 @@
 
 # Enclave settings:
 Debug=1
-NumHeapPages=1024
-NumStackPages=1024
-NumTCS=2
+NumHeapPages=0
+NumStackPages=0
+NumTCS=0
 ProductID=1
 SecurityVersion=1
diff --git a/samples/remote_attestation_eeid/enclave_b/enc.conf b/samples/remote_attestation_eeid/enclave_b/enc.conf
index c6af0590eb..31dfe3de9e 100644
--- a/samples/remote_attestation_eeid/enclave_b/enc.conf
+++ b/samples/remote_attestation_eeid/enclave_b/enc.conf
@@ -3,8 +3,8 @@
 
 # Enclave settings:
 Debug=1
-NumHeapPages=1024
-NumStackPages=1024
-NumTCS=2
+NumHeapPages=0
+NumStackPages=0
+NumTCS=0
 ProductID=1
 SecurityVersion=1
diff --git a/samples/remote_attestation_eeid/host/host.cpp b/samples/remote_attestation_eeid/host/host.cpp
index 49c9c49ee6..4e9d7774d1 100644
--- a/samples/remote_attestation_eeid/host/host.cpp
+++ b/samples/remote_attestation_eeid/host/host.cpp
@@ -61,6 +61,12 @@ int main(int argc, const char* argv[])
     {
         eeid_a->data[i] = i;
         eeid_b->data[i] = eeid_size - i - 1;
+
+        eeid_a->size_settings.num_heap_pages =
+            eeid_b->size_settings.num_heap_pages = 37;
+        eeid_a->size_settings.num_stack_pages =
+            eeid_b->size_settings.num_stack_pages = 6;
+        eeid_a->size_settings.num_tcs = eeid_b->size_settings.num_tcs = 1;
     }
 
     /* Check argument count */

From 0f08e1f3b2c514b9d88703b5749d5b4145c4b9e9 Mon Sep 17 00:00:00 2001
From: "Christoph M. Wintersteiger" <cwinter@microsoft.com>
Date: Thu, 6 Feb 2020 18:27:13 +0000
Subject: [PATCH 418/420] EEID: cleanup

Signed-off-by: Christoph M. Wintersteiger <cwinter@microsoft.com>
---
 common/sgx/verify_eeid.c       | 52 ++++++++++------------------------
 host/sgx/create.c              |  7 +----
 tools/oeedger8r/src/Headers.ml |  1 +
 3 files changed, 17 insertions(+), 43 deletions(-)

diff --git a/common/sgx/verify_eeid.c b/common/sgx/verify_eeid.c
index 4aa7a7f5f2..47ce0a961a 100644
--- a/common/sgx/verify_eeid.c
+++ b/common/sgx/verify_eeid.c
@@ -28,6 +28,14 @@
 
 #include "verify_eeid.h"
 
+static bool is_zero(const uint8_t* buf, size_t sz)
+{
+    while (sz != 0)
+        if (buf[--sz] != 0)
+            return false;
+    return true;
+}
+
 oe_result_t verify_eeid(oe_report_t* report, const oe_eeid_t* eeid)
 {
     oe_result_t result = OE_UNEXPECTED;
@@ -98,18 +106,16 @@ oe_result_t verify_eeid(oe_report_t* report, const oe_eeid_t* eeid)
     uint16_t ppid = (uint16_t)(report->identity.product_id[1] << 8) +
                     (uint16_t)report->identity.product_id[0];
 
-    if (sigstruct->isvprodid != ppid ||
+    bool sigstruct_debug = sigstruct->attributes.flags & SGX_FLAGS_DEBUG;
+    bool reported_debug =
+        report->identity.attributes & OE_REPORT_ATTRIBUTES_DEBUG;
+
+    if (sigstruct_debug != reported_debug || sigstruct->isvprodid != ppid ||
         sigstruct->isvsvn != report->identity.security_version)
-        // TODO: check attributes?
         OE_RAISE(OE_VERIFY_FAILED);
 
-    uint8_t zero[OE_KEY_SIZE];
-    memset(zero, 0, OE_KEY_SIZE);
-
-    if (sigstruct->type == (1ul << 31) &&
-        memcmp(sigstruct->signature, zero, OE_KEY_SIZE) ==
-            0) // Unsigned debug image is ok?
-        return OE_OK;
+    if (sigstruct_debug && is_zero(sigstruct->signature, OE_KEY_SIZE))
+        return OE_OK; // Unsigned debug image is ok?
     else
     {
         // OE_SHA256 mrsigner;
@@ -203,34 +209,6 @@ oe_result_t verify_eeid(oe_report_t* report, const oe_eeid_t* eeid)
 #else
         EVP_PKEY_free(ikey);
 #endif
-
-        // // Alternative: make up a fake non-extended report?
-        // oe_report_t irep;
-        // irep.size = 0;
-        // irep.type = OE_ENCLAVE_TYPE_SGX;
-        // irep.report_data_size = 0;
-        // irep.enclave_report_size = 0;
-        // irep.report_data = NULL;
-        // irep.enclave_report = NULL;
-
-        // irep.identity.id_version = report->identity.id_version;
-        // irep.identity.security_version = report->identity.security_version;
-        // irep.identity.attributes = report->identity.attributes;
-        // memcpy(irep.identity.unique_id, sigstruct->enclavehash,
-        // OE_UNIQUE_ID_SIZE); memcpy(irep.identity.signer_id, mrsigner.buf,
-        // OE_SIGNER_ID_SIZE); memcpy(irep.identity.product_id,
-        // report->identity.product_id, OE_PRODUCT_ID_SIZE);
-
-        // if (irep.identity.attributes & OE_REPORT_ATTRIBUTES_REMOTE) {
-        //     #ifndef OE_BUILD_ENCLAVE
-        //     OE_CHECK(oe_initialize_quote_provider());
-        //     #endif
-        //     // OE_CHECK(oe_verify_sgx_quote(header->report,
-        //     header->report_size, NULL, 0, NULL));
-        //     // OE_CHECK(oe_verify_quote_with_sgx_endorsements(quote,
-        //     quote_size, NULL, NULL));
-        // } else
-        //     OE_RAISE(OE_INVALID_PARAMETER);
     }
 
 done:
diff --git a/host/sgx/create.c b/host/sgx/create.c
index 21afe7eb49..65c95bc7f4 100644
--- a/host/sgx/create.c
+++ b/host/sgx/create.c
@@ -735,12 +735,7 @@ oe_result_t oe_sgx_build_enclave(
         memcpy(&props, oeimage.image_base + oeimage.oeinfo_rva, sizeof(props));
     }
 
-    if (eeid &&
-        (props.header.size_settings.num_heap_pages !=
-             eeid->size_settings.num_heap_pages ||
-         props.header.size_settings.num_stack_pages !=
-             eeid->size_settings.num_stack_pages ||
-         props.header.size_settings.num_tcs != eeid->size_settings.num_tcs))
+    if (eeid)
     {
         if (props.header.size_settings.num_heap_pages != 0 ||
             props.header.size_settings.num_stack_pages != 0 ||
diff --git a/tools/oeedger8r/src/Headers.ml b/tools/oeedger8r/src/Headers.ml
index 31c9bed939..33abef761e 100644
--- a/tools/oeedger8r/src/Headers.ml
+++ b/tools/oeedger8r/src/Headers.ml
@@ -213,6 +213,7 @@ let generate_args (ec : enclave_content) =
     include_errno;
     "";
     "#include <openenclave/bits/result.h>";
+    "#include <openenclave/bits/properties.h>";
     "";
     "/**** User includes. ****/";
     String.concat "\n" user_includes;

From 3f754f531f31ceb552870647198d6e198c69e2ae Mon Sep 17 00:00:00 2001
From: "Christoph M. Wintersteiger" <cwinter@microsoft.com>
Date: Fri, 7 Feb 2020 14:20:58 +0000
Subject: [PATCH 419/420] Add EEID serialization

Signed-off-by: Christoph M. Wintersteiger <cwinter@microsoft.com>
---
 common/sgx/eeid.c                             | 116 ++++++++++++++++++
 common/sgx/verify_eeid.c                      |  10 +-
 common/sgx/verify_eeid.h                      |   3 +-
 enclave/CMakeLists.txt                        |   1 +
 enclave/core/sgx/calls.c                      |   3 +-
 host/CMakeLists.txt                           |   1 +
 host/sgx/create.c                             |   7 ++
 include/openenclave/bits/eeid.h               |  48 ++++++++
 include/openenclave/bits/properties.h         |  18 ---
 include/openenclave/internal/sgxcreate.h      |   1 +
 .../common/attestation.h                      |   1 +
 tests/report/common/tests.h                   |   1 +
 tools/oeedger8r/src/Headers.ml                |   2 +-
 13 files changed, 188 insertions(+), 24 deletions(-)
 create mode 100644 common/sgx/eeid.c
 create mode 100644 include/openenclave/bits/eeid.h

diff --git a/common/sgx/eeid.c b/common/sgx/eeid.c
new file mode 100644
index 0000000000..83915c9db3
--- /dev/null
+++ b/common/sgx/eeid.c
@@ -0,0 +1,116 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openenclave/bits/eeid.h>
+#include <openenclave/internal/hexdump.h>
+#include <openenclave/internal/raise.h>
+
+static oe_result_t serialize_elem(
+    char** p,
+    size_t* r,
+    const uint8_t* e,
+    size_t e_sz)
+{
+    if (*r < 2 * e_sz + 1)
+        return OE_BUFFER_TOO_SMALL;
+
+    oe_hex_string(*p, *r, e, e_sz);
+    *p += 2 * e_sz;
+    **p = '\n';
+    *p += 1;
+    *r -= 2 * e_sz + 1;
+
+    return OE_OK;
+}
+
+static oe_result_t deserialize_elem(
+    const char** p,
+    size_t* r,
+    uint8_t* e,
+    size_t e_sz)
+{
+    if (*r < 2 * e_sz + 2)
+        return OE_OUT_OF_BOUNDS;
+
+    for (size_t i = 0; i < e_sz; i++)
+    {
+        unsigned digit;
+        if (sscanf(*p, "%02x", &digit) != 1)
+            return OE_INVALID_PARAMETER;
+        e[i] = (uint8_t)digit;
+        *p += 2;
+        *r -= 2;
+    }
+
+    if (**p != '\n')
+        return OE_INVALID_PARAMETER;
+
+    *p += 1;
+    *r -= 1;
+
+    return OE_OK;
+}
+
+oe_result_t oe_serialize_eeid(const oe_eeid_t* eeid, char* buf, size_t buf_size)
+{
+    oe_result_t result;
+    size_t eeid_sz = sizeof(oe_eeid_t) + eeid->data_size;
+    size_t str_sz = 2 * eeid_sz + 1;
+
+    if (str_sz >= buf_size)
+        return OE_BUFFER_TOO_SMALL;
+
+    char** p = &buf;
+    size_t r = buf_size;
+
+    OE_CHECK(serialize_elem(
+        p, &r, (uint8_t*)eeid->hash_state_H, sizeof(eeid->hash_state_H)));
+    OE_CHECK(serialize_elem(
+        p, &r, (uint8_t*)eeid->hash_state_N, sizeof(eeid->hash_state_N)));
+    OE_CHECK(serialize_elem(
+        p, &r, (uint8_t*)eeid->sigstruct, sizeof(eeid->sigstruct)));
+    OE_CHECK(serialize_elem(
+        p, &r, (uint8_t*)&eeid->size_settings, sizeof(eeid->size_settings)));
+    OE_CHECK(serialize_elem(
+        p, &r, (uint8_t*)&eeid->data_size, sizeof(eeid->data_size)));
+    OE_CHECK(serialize_elem(
+        p, &r, (uint8_t*)&eeid->data_vaddr, sizeof(eeid->data_vaddr)));
+    OE_CHECK(serialize_elem(p, &r, (uint8_t*)eeid->data, eeid->data_size));
+
+    **p = '\0';
+
+done:
+    return OE_OK;
+}
+
+oe_result_t oe_deserialize_eeid(
+    const char* buf,
+    size_t buf_size,
+    oe_eeid_t* eeid)
+{
+    oe_result_t result;
+    const char** p = &buf;
+    size_t r = buf_size;
+
+    memset(eeid, 0, sizeof(oe_eeid_t));
+
+    OE_CHECK(deserialize_elem(
+        p, &r, (uint8_t*)eeid->hash_state_H, sizeof(eeid->hash_state_H)));
+    OE_CHECK(deserialize_elem(
+        p, &r, (uint8_t*)eeid->hash_state_N, sizeof(eeid->hash_state_N)));
+    OE_CHECK(deserialize_elem(
+        p, &r, (uint8_t*)eeid->sigstruct, sizeof(eeid->sigstruct)));
+    OE_CHECK(deserialize_elem(
+        p, &r, (uint8_t*)&eeid->size_settings, sizeof(eeid->size_settings)));
+    OE_CHECK(deserialize_elem(
+        p, &r, (uint8_t*)&eeid->data_size, sizeof(eeid->data_size)));
+    OE_CHECK(deserialize_elem(
+        p, &r, (uint8_t*)&eeid->data_vaddr, sizeof(eeid->data_vaddr)));
+    OE_CHECK(deserialize_elem(p, &r, (uint8_t*)eeid->data, eeid->data_size));
+
+done:
+    return OE_OK;
+}
\ No newline at end of file
diff --git a/common/sgx/verify_eeid.c b/common/sgx/verify_eeid.c
index 47ce0a961a..98ea85dd20 100644
--- a/common/sgx/verify_eeid.c
+++ b/common/sgx/verify_eeid.c
@@ -1,6 +1,7 @@
 // Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
+#include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
@@ -43,6 +44,13 @@ oe_result_t verify_eeid(oe_report_t* report, const oe_eeid_t* eeid)
     if (!eeid || !report)
         OE_RAISE(OE_INVALID_PARAMETER);
 
+    if (oe_get_current_logging_level() >= OE_LOG_LEVEL_WARNING)
+    {
+        char buf[2 * (sizeof(oe_eeid_t) + eeid->data_size) + 8];
+        OE_CHECK(oe_serialize_eeid(eeid, buf, sizeof(buf)));
+        printf("EEID:\n%s", buf);
+    }
+
     // Recompute extended mrenclave
     oe_sha256_context_t hctx;
     oe_sha256_restore(&hctx, eeid->hash_state_H, eeid->hash_state_N);
@@ -100,7 +108,6 @@ oe_result_t verify_eeid(oe_report_t* report, const oe_eeid_t* eeid)
     if (memcmp(debug_public_key, reported_mrsigner, OE_SIGNER_ID_SIZE) != 0)
         OE_RAISE(OE_VERIFY_FAILED);
 
-    // Check old signature (new signature has been checked above)
     const sgx_sigstruct_t* sigstruct = (const sgx_sigstruct_t*)&eeid->sigstruct;
 
     uint16_t ppid = (uint16_t)(report->identity.product_id[1] << 8) +
@@ -114,6 +121,7 @@ oe_result_t verify_eeid(oe_report_t* report, const oe_eeid_t* eeid)
         sigstruct->isvsvn != report->identity.security_version)
         OE_RAISE(OE_VERIFY_FAILED);
 
+    // Check old signature (new signature has been checked above)
     if (sigstruct_debug && is_zero(sigstruct->signature, OE_KEY_SIZE))
         return OE_OK; // Unsigned debug image is ok?
     else
diff --git a/common/sgx/verify_eeid.h b/common/sgx/verify_eeid.h
index dd3d945ac6..1eb8710d58 100644
--- a/common/sgx/verify_eeid.h
+++ b/common/sgx/verify_eeid.h
@@ -4,8 +4,7 @@
 #ifndef _OE_VERIFY_EEID_H
 #define _OE_VERIFY_EEID_H
 
-#include <openenclave/bits/report.h>
-#include <openenclave/bits/types.h>
+#include <openenclave/bits/eeid.h>
 
 oe_result_t verify_eeid(oe_report_t* report, const oe_eeid_t* eeid);
 
diff --git a/enclave/CMakeLists.txt b/enclave/CMakeLists.txt
index 99a2b1b024..ba2f275f9e 100644
--- a/enclave/CMakeLists.txt
+++ b/enclave/CMakeLists.txt
@@ -6,6 +6,7 @@ add_subdirectory(crypto)
 
 if (OE_SGX)
     set(PLATFORM_SRC
+        ../common/sgx/eeid.c
         ../common/sgx/endorsements.c
         ../common/sgx/qeidentity.c
         ../common/sgx/quote.c
diff --git a/enclave/core/sgx/calls.c b/enclave/core/sgx/calls.c
index abefcaf072..e2f84f3555 100644
--- a/enclave/core/sgx/calls.c
+++ b/enclave/core/sgx/calls.c
@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 #include "../calls.h"
+#include <openenclave/bits/eeid.h>
 #include <openenclave/bits/safecrt.h>
 #include <openenclave/bits/safemath.h>
 #include <openenclave/corelibc/stdlib.h>
@@ -34,8 +35,6 @@
 #include "td.h"
 #include "tee_t.h"
 
-// #include <openenclave/internal/hexdump.h>
-
 oe_result_t __oe_enclave_status = OE_OK;
 uint8_t __oe_initialized = 0;
 
diff --git a/host/CMakeLists.txt b/host/CMakeLists.txt
index b5af23daaf..1ca5e6dce5 100644
--- a/host/CMakeLists.txt
+++ b/host/CMakeLists.txt
@@ -136,6 +136,7 @@ endif()
 # SGX specific files.
 if (OE_SGX)
   list(APPEND PLATFORM_HOST_ONLY_SRC
+    ../common/sgx/eeid.c
     ../common/sgx/endorsements.c
     ../common/sgx/qeidentity.c
     ../common/sgx/quote.c
diff --git a/host/sgx/create.c b/host/sgx/create.c
index 65c95bc7f4..f99e3597bd 100644
--- a/host/sgx/create.c
+++ b/host/sgx/create.c
@@ -826,6 +826,13 @@ oe_result_t oe_sgx_build_enclave(
     OE_CHECK(
         _add_eeid_pages(context, enclave, enclave_end, &props, &vaddr, eeid));
 
+    if (eeid && oe_get_current_logging_level() >= OE_LOG_LEVEL_WARNING)
+    {
+        char buf[2 * (sizeof(oe_eeid_t) + eeid->data_size) + 8];
+        OE_CHECK(oe_serialize_eeid(eeid, buf, sizeof(buf)));
+        printf("EEID:\n%s", buf);
+    }
+
     /* Ask the platform to initialize the enclave and finalize the hash */
     OE_CHECK(oe_sgx_initialize_enclave(
         context, enclave_addr, &props, &enclave->hash));
diff --git a/include/openenclave/bits/eeid.h b/include/openenclave/bits/eeid.h
new file mode 100644
index 0000000000..6924ab73e9
--- /dev/null
+++ b/include/openenclave/bits/eeid.h
@@ -0,0 +1,48 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+/**
+ * @file eeid.h
+ *
+ * This file defines the EEID structure.
+ *
+ */
+
+#ifndef _OE_BITS_EEID_H
+#define _OE_BITS_EEID_H
+
+#include "properties.h"
+
+OE_EXTERNC_BEGIN
+
+/*
+**==============================================================================
+**
+** oe_eeid_t
+**
+**==============================================================================
+*/
+typedef struct oe_eeid_t_
+{
+    uint32_t hash_state_H[8];
+    uint32_t hash_state_N[2];
+    uint8_t sigstruct[1808]; /* complete sigstruct before eeid */
+    oe_enclave_size_settings_t size_settings; /* new size settings */
+    uint64_t data_size;                       /* size of initialization data */
+    uint64_t data_vaddr; /* location of initialization data */
+    uint8_t data[];      /* actual initialization data */
+} oe_eeid_t;
+
+oe_result_t oe_serialize_eeid(
+    const oe_eeid_t* eeid,
+    char* buf,
+    size_t buf_size);
+
+oe_result_t oe_deserialize_eeid(
+    const char* buf,
+    size_t buf_size,
+    oe_eeid_t* eeid);
+
+OE_EXTERNC_END
+
+#endif /* _OE_BITS_EEID_H */
diff --git a/include/openenclave/bits/properties.h b/include/openenclave/bits/properties.h
index 18244bcc71..fb4e1841dc 100644
--- a/include/openenclave/bits/properties.h
+++ b/include/openenclave/bits/properties.h
@@ -86,24 +86,6 @@ oe_result_t __oe_sgx_set_minimum_crl_tcb_issue_date(
     uint32_t minutes,
     uint32_t seconds);
 
-/*
-**==============================================================================
-**
-** oe_eeid_t
-**
-**==============================================================================
-*/
-typedef struct oe_eeid_t_
-{
-    uint32_t hash_state_H[8];
-    uint32_t hash_state_N[2];
-    uint8_t sigstruct[1808]; /* complete sigstruct before eeid */
-    oe_enclave_size_settings_t size_settings; /* new size settings */
-    uint64_t data_size;                       /* size of initialization data */
-    uint64_t data_vaddr; /* location of initialization data */
-    uint8_t data[];      /* actual initialization data */
-} oe_eeid_t;
-
 OE_EXTERNC_END
 
 #endif /* _OE_BITS_PROPERTIES_H */
diff --git a/include/openenclave/internal/sgxcreate.h b/include/openenclave/internal/sgxcreate.h
index 96360a7c32..f5a21a8415 100644
--- a/include/openenclave/internal/sgxcreate.h
+++ b/include/openenclave/internal/sgxcreate.h
@@ -4,6 +4,7 @@
 #ifndef _OE_SGXCREATE_H
 #define _OE_SGXCREATE_H
 
+#include <openenclave/bits/eeid.h>
 #include <openenclave/bits/result.h>
 #include <openenclave/internal/types.h>
 #include "crypto/sha.h"
diff --git a/samples/remote_attestation_eeid/common/attestation.h b/samples/remote_attestation_eeid/common/attestation.h
index 4539b4a2f1..648077b2df 100644
--- a/samples/remote_attestation_eeid/common/attestation.h
+++ b/samples/remote_attestation_eeid/common/attestation.h
@@ -4,6 +4,7 @@
 #ifndef OE_SAMPLES_ATTESTATION_ENC_ATTESTATION_H
 #define OE_SAMPLES_ATTESTATION_ENC_ATTESTATION_H
 
+#include <openenclave/bits/eeid.h>
 #include <openenclave/enclave.h>
 #include "crypto.h"
 
diff --git a/tests/report/common/tests.h b/tests/report/common/tests.h
index 9cb8c22ba3..0f9ddad825 100644
--- a/tests/report/common/tests.h
+++ b/tests/report/common/tests.h
@@ -4,6 +4,7 @@
 #ifndef _TESTS_H_
 #define _TESTS_H_
 
+#include <openenclave/bits/eeid.h>
 #include <openenclave/internal/report.h>
 
 #ifdef OE_BUILD_ENCLAVE
diff --git a/tools/oeedger8r/src/Headers.ml b/tools/oeedger8r/src/Headers.ml
index 33abef761e..7cb05f40f2 100644
--- a/tools/oeedger8r/src/Headers.ml
+++ b/tools/oeedger8r/src/Headers.ml
@@ -213,7 +213,7 @@ let generate_args (ec : enclave_content) =
     include_errno;
     "";
     "#include <openenclave/bits/result.h>";
-    "#include <openenclave/bits/properties.h>";
+    "#include <openenclave/bits/eeid.h>";
     "";
     "/**** User includes. ****/";
     String.concat "\n" user_includes;

From 593f9ad5b71ad6a29a0f88f97720e3a7000305ea Mon Sep 17 00:00:00 2001
From: "Christoph M. Wintersteiger" <cwinter@microsoft.com>
Date: Fri, 7 Feb 2020 14:52:23 +0000
Subject: [PATCH 420/420] Fix EEID report tests

Signed-off-by: Christoph M. Wintersteiger <cwinter@microsoft.com>
---
 tests/report/CMakeLists.txt     |  2 +-
 tests/report/enc/CMakeLists.txt | 12 ++++++++++++
 tests/report/enc/enc.cpp        | 10 ++++++++++
 tests/report/host/host.cpp      |  3 +++
 4 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/tests/report/CMakeLists.txt b/tests/report/CMakeLists.txt
index b5c9fbb535..01d37793e6 100644
--- a/tests/report/CMakeLists.txt
+++ b/tests/report/CMakeLists.txt
@@ -17,5 +17,5 @@ add_enclave_test(tests/report_attestation_without_enclave report_host report_enc
 set_tests_properties(tests/report_attestation_without_enclave PROPERTIES SKIP_RETURN_CODE 2)
 
 # Run all tests with EEID
-add_enclave_test(tests/report-eeid report_host report_enc --eeid)
+add_enclave_test(tests/report-eeid report_host report_enc_eeid --eeid)
 set_tests_properties(tests/report PROPERTIES SKIP_RETURN_CODE 2)
\ No newline at end of file
diff --git a/tests/report/enc/CMakeLists.txt b/tests/report/enc/CMakeLists.txt
index 356eef0c80..a2ee0b144b 100644
--- a/tests/report/enc/CMakeLists.txt
+++ b/tests/report/enc/CMakeLists.txt
@@ -12,3 +12,15 @@ target_include_directories(report_enc PRIVATE
   ${CMAKE_CURRENT_SOURCE_DIR}/../common)
 
 target_link_libraries(report_enc oelibc)
+
+
+add_enclave(TARGET report_enc_eeid UUID 20b1a091-50da-4e57-b58c-0a8489cb64a7
+  SOURCES enc.cpp datetime.cpp ../common/tests.cpp ${gen})
+
+target_compile_definitions(report_enc_eeid PUBLIC EEID_ENABLED)
+
+target_include_directories(report_enc_eeid PRIVATE
+  ${CMAKE_CURRENT_BINARY_DIR}
+  ${CMAKE_CURRENT_SOURCE_DIR}/../common)
+
+target_link_libraries(report_enc_eeid oelibc)
\ No newline at end of file
diff --git a/tests/report/enc/enc.cpp b/tests/report/enc/enc.cpp
index eae1706c0b..e2931e7455 100644
--- a/tests/report/enc/enc.cpp
+++ b/tests/report/enc/enc.cpp
@@ -137,6 +137,15 @@ void enclave_test_verify_report_with_collaterals()
     test_verify_report_with_collaterals();
 }
 
+#ifdef EEID_ENABLED
+OE_SET_ENCLAVE_SGX(
+    0,    /* ProductID */
+    0,    /* SecurityVersion */
+    true, /* AllowDebug */
+    0,    /* HeapPageCount */
+    0,    /* StackPageCount */
+    0);   /* TCSCount */
+#else
 OE_SET_ENCLAVE_SGX(
     0,    /* ProductID */
     0,    /* SecurityVersion */
@@ -144,3 +153,4 @@ OE_SET_ENCLAVE_SGX(
     1024, /* HeapPageCount */
     1024, /* StackPageCount */
     2);   /* TCSCount */
+#endif
\ No newline at end of file
diff --git a/tests/report/host/host.cpp b/tests/report/host/host.cpp
index 298e950add..2077072f9a 100644
--- a/tests/report/host/host.cpp
+++ b/tests/report/host/host.cpp
@@ -139,6 +139,9 @@ int main(int argc, const char* argv[])
     {
         uint64_t sz = oe_round_up_to_page_size(sizeof(oe_eeid_t) + 512);
         eeid = (oe_eeid_t*)calloc(1, sz);
+        eeid->size_settings.num_heap_pages = 1024;
+        eeid->size_settings.num_stack_pages = 1024;
+        eeid->size_settings.num_tcs = 2;
         eeid->data_size = 512;
         for (size_t i = 0; i < eeid->data_size; i++)
             eeid->data[i] = (uint8_t)i;